2018 files changed, 600014 insertions, 843 deletions

diff --git a/crypto/README b/crypto/README
new file mode 100644
index 0000000..a3c5ccf
--- /dev/null
+++ b/crypto/README
@@ -0,0 +1,9 @@
+$FreeBSD$
+
+This directory is for the EXACT same use as src/contrib, except it
+holds crypto sources.  In other words, this holds raw sources obtained
+from various third party vendors, with FreeBSD patches applied.  No
+compilation is done from this directory, it is all done from the
+src/secure directory.  The separation between src/contrib and src/crypto
+is the result of an old USA law, which made these sources export
+controlled, so they had to be kept separate.
diff --git a/crypto/heimdal/ChangeLog b/crypto/heimdal/ChangeLog
new file mode 100644
index 0000000..bab7d0b
--- /dev/null
+++ b/crypto/heimdal/ChangeLog
@@ -0,0 +1,487 @@
+2001-05-17  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.3f
+
+2001-05-17  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 16:0:0
+	* lib/hdb/Makefile.am: bump version to 7:1:0
+	* lib/asn1/Makefile.am: bump version to 5:0:0
+	* lib/krb5/keytab_krb4.c: add SRVTAB as an alias for krb4
+	* lib/krb5/codec.c: remove dead code
+
+2001-05-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_error.c (krb5_error_from_rd_error): use correct
+	parenthesis
+
+	* lib/krb5/eai_to_heim_errno.c (krb5_eai_to_heim_errno): add
+	`errno' (called system_error) to allow callers to make sure they
+	pass the current and relevant value.  update callers
+
+2001-05-14  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c: pass context to krb5_domain_x500_decode
+
+2001-05-14  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswdd.c: adapt to new address functions
+	* kdc/kerberos5.c: adapt to changing address functions use LR_TYPE
+	* kdc/connect.c: adapt to changing address functions
+	* kdc/config.c: new krb5_config_parse_file
+	* kdc/524.c: new krb5_sockaddr2address
+	* lib/krb5/*: add some krb5_{set,clear}_error_string
+
+	* lib/asn1/k5.asn1 (LR_TYPE): add
+	* lib/asn1/Makefile.am (gen_files): add asn1_LR_TYPE.x
+
+2001-05-11  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c (tsg_rep): fix typo in variable name
+
+	* kpasswd/kpasswd-generator.c (nop_prompter): update prototype
+	* lib/krb5/init_creds_pw.c: update to new prompter, use prompter
+	types and send two prompts at once when changning password
+	* lib/krb5/prompter_posix.c (krb5_prompter_posix): add name
+	* lib/krb5/krb5.h (krb5_prompt): add type
+	(krb5_prompter_fct): add anem
+
+	* lib/krb5/cache.c (krb5_cc_next_cred): transpose last two
+	paramaters to krb5_cc_next_cred (as MIT does, and not as they
+	document).  From "Jacques A. Vidrine" <n@nectar.com>
+
+2001-05-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: store-test
+
+	* lib/krb5/store-test.c: simple bit storage test
+
+	* lib/krb5/store.c: add more byteorder storage flags
+	
+	* lib/krb5/krb5.h: add more byteorder storage flags
+	
+	* kdc/kerberos5.c: don't use NULL where we mean 0
+
+	* kdc/kerberos5.c: put referral test code in separate function,
+	and test for KRB5_NT_SRV_INST
+
+2001-05-10  Assar Westerlund  <assar@sics.se>
+
+	* admin/list.c (do_list): do not close the keytab if opening it
+	failed
+	* admin/list.c (do_list): always print complete names.  print
+	everything to stdout.
+	* admin/list.c: print both v5 and v4 list by default
+	* admin/remove.c (kt_remove): reorganize some.  open the keytab
+	(defaulting to the modify one).
+	* admin/purge.c (kt_purge): reorganize some.  open the keytab
+	(defaulting to the modify one). correct usage strings
+	* admin/list.c (kt_list): reorganize some.  open the keytab
+	* admin/get.c (kt_get): reorganize some.  open the keytab
+	(defaulting to the modify one)
+	* admin/copy.c (kt_copy): default to modify key name.  re-organise
+	* admin/change.c (kt_change): reorganize some.  open the keytab
+	(defaulting to the modify one)
+	* admin/add.c (kt_add): reorganize some.  open the keytab
+	(defaulting to the modify one)
+	* admin/ktutil.c (main): do not open the keytab, let every
+	sub-function handle it
+
+	* kdc/config.c (configure): call free_getarg_strings
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): set error strings for
+	a few more errors
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm_int): make
+	`use_dns' parameter boolean
+
+	* lib/krb5/krb5.h (krb5_context_data): add default_keytab_modify
+	* lib/krb5/context.c (init_context_from_config_file): set
+	default_keytab_modify
+	* lib/krb5/krb5_locl.h (KEYTAB_DEFAULT): change to
+	ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab
+	(KEYTAB_DEFAULT_MODIFY): add
+	* lib/krb5/keytab.c (krb5_kt_default_modify_name): add
+	(krb5_kt_resolve): set error string for failed keytab type
+
+2001-05-08  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (encryption_type): make field names more
+	consistent
+	(create_checksum): separate usage and type
+	(krb5_create_checksum): add a separate type parameter
+	(encrypt_internal): only free once on mismatched checksum length
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc2): try to tell what
+	realm we didn't manage to reach any KDC for in the error string
+
+	* lib/krb5/generate_seq_number.c (krb5_generate_seq_number): free
+	the entire subkey.  from <tmartin@mirapoint.com>
+
+2001-05-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/keytab_keyfile.c (akf_start_seq_get): return
+	KT_NOTFOUND if the file is empty
+
+2001-05-07  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/fcache.c: call krb5_set_error_string when open fails
+	fatally
+	* lib/krb5/keytab_file.c: call krb5_set_error_string when open
+	fails fatally
+
+	* lib/krb5/warn.c (_warnerr): print error_string in context in
+	preference to error string derived from error code
+	* kuser/kinit.c (main): try to print the error string
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): set some sensible
+	error strings for errors
+
+	* lib/krb5/krb5.h (krb5_context_data): add error_string and
+	error_buf
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add error_string.c
+	* lib/krb5/error_string.c: new file
+
+2001-05-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/time.c: krb5_string_to_deltat
+
+	* lib/krb5/sock_principal.c: one less data copy
+
+	* lib/krb5/eai_to_heim_errno.c: conversion function for h_errno's
+
+	* lib/krb5/get_default_principal.c: change this slightly
+
+	* lib/krb5/crypto.c: make checksum_types into an array of pointers
+
+	* lib/krb5/convert_creds.c: make sure we always use a des-cbc-crc
+	ticket
+
+2001-04-29  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c (tgs_rep2): return a reference to a krbtgt for
+	the right realm if we fail to find a non-krbtgt service in the
+	database and the second component does a succesful non-dns lookup
+	to get the real realm (which has to be different from the
+	originally-supplied realm).  this should help windows 2000 clients
+	that always start their lookups in `their' realm and do not have
+	any idea of how to map hostnames into realms
+	* kdc/kerberos5.c (is_krbtgt): rename to get_krbtgt_realm
+
+2001-04-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm_int): add extra
+	parameter to request use of dns or not
+
+2001-04-25  Assar Westerlund  <assar@sics.se>
+
+	* admin/get.c (kt_get): allow specification of encryption types
+	* lib/krb5/verify_init.c (krb5_verify_init_creds): do not try to
+	close an unopened ccache, noted by <marc@mit.edu>
+
+	* lib/krb5/krb5.h (krb5_any_ops): add declaration
+	* lib/krb5/context.c (init_context_from_config_file): register
+	krb5_any_ops
+
+	* lib/krb5/keytab_any.c: new file, implementing union of keytabs
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_any.c
+	
+	* lib/krb5/init_creds_pw.c (get_init_creds_common): handle options
+	== NULL.  noted by <marc@mit.edu>
+
+2001-04-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/rd_cred.c: set ret_creds to NULL before doing anything
+	else, from Jacques Vidrine
+
+2001-04-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/hdb/libasn1.h: asn1.h -> krb5_asn1.h
+
+	* lib/asn1/Makefile.am: add asn1_ENCTYPE.x
+
+	* lib/krb5/krb5.h: adapt to asn1 changes
+
+	* lib/asn1/k5.asn1: move enctypes here
+
+	* lib/asn1/libasn1.h: rename asn1.h to krb5_asn1.h to avoid
+	conflicts
+
+	* lib/asn1/Makefile.am: rename asn1.h to krb5_asn1.h to avoid
+	conflicts
+
+	* lib/asn1/lex.l: use strtol to parse constants
+
+2001-04-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c: add simple support for running commands
+
+2001-03-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/hdb-ldap.c: change order of includes to allow it to work
+	with more versions of openldap
+
+	* kdc/kerberos5.c (tgs_rep2): try to set sec and usec in error
+	replies
+	(*): update callers of krb5_km_error
+	(check_tgs_flags): handle renews requesting non-renewable tickets
+
+	* lib/krb5/mk_error.c (krb5_mk_error): allow specifying both ctime
+	and cusec
+
+	* lib/krb5/krb5.h (krb5_checksum, krb5_keyusage): add
+	compatibility names
+
+	* lib/krb5/crypto.c (create_checksum): change so that `type == 0'
+	means pick from the `crypto' (context) and otherwise use that
+	type.  this is not a large change in practice and allows callers
+	to specify the exact checksum algorithm to use
+
+2001-03-13  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c (get_cred_kdc): add support for falling back
+	to KRB5_KU_AP_REQ_AUTH when KRB5_KU_TGS_REQ_AUTH gives `bad
+	integrity'.  this helps for talking to old (pre 0.3d) KDCs
+
+2001-03-12  Assar Westerlund  <assar@pdc.kth.se>
+
+	* lib/krb5/crypto.c (krb5_derive_key): new function, used by
+	derived-key-test.c
+	* lib/krb5/string-to-key-test.c: add new test vectors posted by
+	Ken Raeburn <raeburn@mit.edu> in <tx1bsra8919.fsf@raeburn.org> to
+	ietf-krb-wg@anl.gov
+	* lib/krb5/n-fold-test.c: more test vectors from same source
+	* lib/krb5/derived-key-test.c: more tests from same source
+
+2001-03-06  Assar Westerlund  <assar@sics.se>
+
+	* acconfig.h: include roken_rename.h when appropriate
+
+2001-03-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h (krb5_enctype): remove trailing comma
+
+2001-03-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h (krb5_enctype): add ENCTYPE_* aliases for
+	compatibility with MIT krb5
+
+2001-03-02  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c (main): only request a renewable ticket when
+	explicitly requested.  it still gets a renewable one if the renew
+	life is specified
+	* kuser/kinit.c (renew_validate): treat -1 as flags not being set
+
+2001-02-28  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/context.c (krb5_init_ets): use krb5_add_et_list
+
+2001-02-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/get_cred.c: implement krb5_get_cred_from_kdc_opt
+
+2001-02-25  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: do not use -R when testing for des functions
+
+2001-02-14  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: test for lber.h when trying to link against
+ 	openldap to handle openldap v1, from Sumit Bose
+ 	<sumit.bose@suse.de>
+
+2001-02-19  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/libasn1.h: add string.h (for memset)
+
+2001-02-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/warn.c (_warnerr): add printf attributes
+	* lib/krb5/send_to_kdc.c (krb5_sendto): loop over all address
+	returned by getaddrinfo before trying the next kdc.  from
+	thorpej@netbsd.org
+
+	* lib/krb5/krb5.conf.5: fix default_realm in example
+
+	* kdc/connect.c: fix a few kdc_log format types
+
+	* configure.in: try to handle libdes/libcrypto ont requiring -L
+
+2001-02-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/gen_decode.c (generate_type_decode): zero the data at
+	the beginning of the generated function, and add a label `fail'
+	that the code jumps to in case of errors that frees all allocated
+	data
+
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: aix dce: fix misquotes, from Ake Sandgren
+	<ake@cs.umu.se>
+
+	* configure.in (dpagaix_LDFLAGS): try to add export file
+
+2001-02-05  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5_keytab.3: new man page, contributed by
+	<lha@stacken.kth.se>
+
+	* kdc/kaserver.c: update to new db_fetch4
+
+2001-02-05  Assar Westerlund  <assar@assaris.sics.se>
+
+	* Release 0.3e
+
+2001-01-30  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hprop.c (v4_get_masterkey): check kdb_verify_master_key
+	properly
+	(kdb_prop): decrypt key properly
+	* kdc/hprop.c: handle building with KRB4 always try to decrypt v4
+	data with the master key leave it up to the v5 how to encrypt with
+	that master key
+
+	* kdc/kstash.c: include file name in error messages
+	* kdc/hprop.c: fix a typo and check some more return values
+	* lib/hdb/hdb-ldap.c (LDAP__lookup_princ): call ldap_search_s
+	correctly.  From Jacques Vidrine <n@nectar.com>
+	* kdc/misc.c (db_fetch): HDB_ERR_NOENTRY makes more sense than
+	ENOENT
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to
+	15:0:0
+	* lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:0:0
+	* lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 4:0:2
+	* kdc/misc.c (db_fetch): return an error code.  change callers to
+	look at this and try to print it in log messages
+
+	* lib/krb5/crypto.c (decrypt_internal_derived): check that there's
+	enough data
+
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hprop.c (realm_buf): move it so it becomes properly
+	conditional on KRB4
+
+	* lib/hdb/mkey.c (hdb_unseal_keys_mkey, hdb_seal_keys_mkey,
+	hdb_unseal_keys, hdb_seal_keys): check that we have the correct
+	master key and that we manage to decrypt the key properly,
+	returning an error code.  fix all callers to check return value.
+
+	* tools/krb5-config.in: use @LIB_des_appl@
+	* tools/Makefile.am (krb5-config): add LIB_des_appl
+	* configure.in (LIB_des): set correctly
+	(LIB_des_appl): add for the use by krb5-config.in
+
+	* lib/krb5/store_fd.c (fd_fetch, fd_store): use net_{read,write}
+	to make sure of not dropping data when doing it over a socket.
+	(this might break when used with ordinary files on win32)
+
+	* lib/hdb/hdb_err.et (NO_MKEY): add
+
+	* kdc/kerberos5.c (as_rep): be paranoid and check
+	krb5_enctype_to_string for failure, noted by <lha@stacken.kth.se>
+
+	* lib/krb5/krb5_init_context.3, lib/krb5/krb5_context.3,
+	lib/krb5/krb5_auth_context.3: add new man pages, contributed by
+	<lha@stacken.kth.se>
+
+	* use the openssl api for md4/md5/sha and handle openssl/*.h
+
+	* kdc/kaserver.c (do_getticket): check length of ticket.  noted by
+ 	<lha@stacken.kth.se>
+
+2001-01-28  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: send -R instead of -rpath to libtool to set
+	runtime library paths
+
+	* lib/krb5/Makefile.am: remove all dependencies on libkrb
+
+2001-01-27  Assar Westerlund  <assar@sics.se>
+
+	* appl/rcp: add port of bsd rcp changed to use existing rsh,
+	contributed by Richard Nyberg <rnyberg@it.su.se>
+
+2001-01-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/get_port.c: don't warn if the port name can't be found,
+	nobody cares anyway
+
+2001-01-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/hprop.c: make it possible to convert a v4 dump file without
+	having any v4 libraries; the kdb backend still require them
+
+	* kdc/v4_dump.c: include shadow definition of kdb Principal, so we
+	don't have to depend on any v4 libraries
+
+	* kdc/hprop.h: include shadow definition of kdb Principal, so we
+	don't have to depend on any v4 libraries
+
+	* lib/hdb/print.c: reduce number of memory allocations
+
+	* lib/hdb/mkey.c: add support for reading krb4 /.k files
+
+2001-01-19  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.conf.5: document admin_server and kpasswd_server
+	for realms document capath better
+
+	* lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): preferably look
+	at kpasswd_server before admin_server
+
+	* lib/krb5/get_cred.c (get_cred_from_kdc_flags): look in
+	[libdefaults]capath for better hint of realm to send request to.
+	this allows the client to specify `realm routing information' in
+	case it cannot be done at the server (which is preferred)
+
+	* lib/krb5/rd_priv.c (krb5_rd_priv): handle no sequence number as
+	zero when we were expecting a sequence number.  MIT krb5 cannot
+	generate a sequence number of zero, instead generating no sequence
+	number
+	* lib/krb5/rd_safe.c (krb5_rd_safe): dito
+
+2001-01-11  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswdd.c: add --port option
+
+2001-01-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/appdefault.c (krb5_appdefault_string): fix condition
+	just before returning
+
+2001-01-09  Assar Westerlund  <assar@sics.se>
+
+	* appl/kf/kfd.c (proto): use krb5_rd_cred2 instead of krb5_rd_cred
+
+2001-01-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c: call a time `time', and not `seconds'
+
+	* lib/krb5/init_creds.c: not much point in setting the anonymous
+	flag here
+
+	* lib/krb5/krb5_appdefault.3: document appdefault_time
+
+2001-01-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/verify_user.c: use
+	krb5_get_init_creds_opt_set_default_flags
+
+	* kuser/kinit.c: use krb5_get_init_creds_opt_set_default_flags
+
+	* lib/krb5/init_creds.c: new function
+	krb5_get_init_creds_opt_set_default_flags to set options from
+	krb5.conf
+
+	* lib/krb5/rd_cred.c: make this match the MIT function
+	
+	* lib/krb5/appdefault.c (krb5_appdefault_string): handle NULL
+	def_val
+	(krb5_appdefault_time): new function
+
+2001-01-03  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (main): handle EOF when reading from stdin
+
diff --git a/crypto/heimdal/ChangeLog.1998 b/crypto/heimdal/ChangeLog.1998
new file mode 100644
index 0000000..f26dba7
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.1998
@@ -0,0 +1,3201 @@
+Sat Dec  5 19:49:34 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/context.c: remove ktype_is_etype
+
+	* lib/krb5/crypto.c, lib/krb5/krb5.h, acconfig.h: NEW_DES3_CODE
+
+	* configure.in: fix for AIX install; better tests for AIX dynamic
+ 	AFS libs; `--enable-new-des3-code'
+
+Tue Dec  1 14:44:44 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* appl/afsutil/Makefile.am: link with extra libs for aix
+
+	* kuser/Makefile.am: link with extra libs for aix
+
+Sun Nov 29 01:56:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c (krb5_get_all_server_addrs): add.  almost
+ 	the same as krb5_get_all_client_addrs except that it includes
+ 	loopback addresses
+
+	* kdc/connect.c (init_socket): bind to a particular address
+	(init_sockets): get all local addresses and bind to them all
+
+	* lib/krb5/addr_families.c (addr2sockaddr, print_addr): new
+ 	methods
+	(find_af, find_atype): new functions.  use them.
+
+	* configure.in: add hesiod
+
+Wed Nov 25 11:37:48 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/krb5_err.et: add some codes from kerberos-revisions-03
+
+Mon Nov 23 12:53:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/log.c: rename delete -> remove
+
+	* lib/kadm5/delete_s.c: rename delete -> remove
+
+	* lib/hdb/common.c: rename delete -> remove
+
+Sun Nov 22 12:26:26 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: check for environ and `struct spwd'
+
+Sun Nov 22 11:42:45 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kerberos5.c (as_rep): set keytype to sess_ktype if
+ 	ktype_is_etype
+
+	* lib/krb5/encrypt.c (krb5_keytype_to_etypes): zero terminate
+ 	etypes
+	(em): sort entries
+
+Sun Nov 22 06:54:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c: more type correctness
+
+	* lib/krb5/get_cred.c: re-structure code.  remove limits on ASN1
+ 	generated bits.
+
+Sun Nov 22 01:49:50 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kdc/hprop.c (v4_prop): fix bogus indexing
+
+Sat Nov 21 21:39:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/verify_init.c (fail_verify_is_ok): new function
+	(krb5_verify_init_creds): if we cannot get a ticket for
+	host/`hostname` and fail_verify_is_ok just return.  use
+ 	krb5_rd_req
+
+Sat Nov 21 23:12:27 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/free.c (krb5_xfree): new function
+
+	* lib/krb5/creds.c (krb5_free_creds_contents): new function
+
+	* lib/krb5/context.c: more type correctness
+
+	* lib/krb5/checksum.c: more type correctness
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): more type
+ 	correctness
+
+	* lib/asn1/der_get.c (der_get_length): fix test of len
+	(der_get_tag): more type correctness
+
+	* kuser/klist.c (usage): void-ize
+
+	* admin/ktutil.c (kt_remove): some more type correctness.
+
+Sat Nov 21 16:49:20 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kuser/klist.c: try to list enctypes as keytypes
+
+	* kuser/kinit.c: remove extra `--cache' option, add `--enctypes'
+ 	to set list of enctypes to use
+
+	* kadmin/load.c: load strings as hex
+
+	* kadmin/dump.c: dump hex as string is possible
+
+	* admin/ktutil.c: use print_version()
+
+	* configure.in, acconfig.h: test for hesiod
+
+Sun Nov 15 17:28:19 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/crypto.c: add some crypto debug code
+
+	* lib/krb5/get_in_tkt.c (_krb5_extract_ticket): don't use fixed
+ 	buffer when encoding ticket
+
+	* lib/krb5/auth_context.c (re-)implement `krb5_auth_setenctype'
+
+	* kdc/kerberos5.c: allow mis-match of tgt session key, and service
+ 	session key
+
+	* admin/ktutil.c: keytype -> enctype
+
+Fri Nov 13 05:35:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h (KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE): added
+	
+Sat Nov  7 19:56:31 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c (add_cred): add termination NULL pointer
+
+Mon Nov  2 01:15:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c: adapt to new crypto api
+
+	* lib/krb5/rd_rep.c: adapt to new crypto api
+
+	* lib/krb5/rd_priv.c: adopt to new crypto api
+
+	* lib/krb5/rd_cred.c: adopt to new crypto api
+
+	* lib/krb5/principal.c: ENOMEM -> ERANGE
+
+	* lib/krb5/mk_safe.c: cleanup and adopt to new crypto api
+
+	* lib/krb5/mk_req_ext.c: adopt to new crypto api
+
+	* lib/krb5/mk_req.c: get enctype from auth_context keyblock
+
+	* lib/krb5/mk_rep.c: cleanup and adopt to new crypto api
+
+	* lib/krb5/mk_priv.c: adopt to new crypto api
+
+	* lib/krb5/keytab.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt_with_skey.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt_with_keytab.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt_pw.c: adopt to new crypto api
+
+	* lib/krb5/get_in_tkt.c: adopt to new crypto api
+
+	* lib/krb5/get_cred.c: adopt to new crypto api
+
+	* lib/krb5/generate_subkey.c: use new crypto api
+
+	* lib/krb5/context.c: rename etype functions to enctype ditto
+
+	* lib/krb5/build_auth.c: use new crypto api
+
+	* lib/krb5/auth_context.c: remove enctype and cksumtype from
+ 	auth_context
+
+Mon Nov  2 01:15:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (handle_udp, handle_tcp): correct type of `n'
+
+Tue Sep 15 18:41:38 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* admin/ktutil.c: fix printing of unrecognized keytypes
+
+Tue Sep 15 17:02:33 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/kadm5/set_keys.c: add KEYTYPE_USE_AFS3_SALT to keytype if
+ 	using AFS3 salt
+
+Tue Aug 25 23:30:52 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): care about
+ 	`use_admin_kdc'
+
+	* lib/krb5/changepw.c (get_kdc_address): use
+ 	krb5_get_krb_admin_hst
+
+	* lib/krb5/krbhst.c (krb5_get_krb_admin_hst): new function
+
+	* lib/krb5/krb5.h (krb5_context_data): add `use_admin_kdc'
+
+	* lib/krb5/context.c (krb5_get_use_admin_kdc,
+ 	krb5_set_use_admin_kdc): new functions
+
+Tue Aug 18 22:24:12 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/crypto.c: remove all calls to abort(); check return
+ 	value from _key_schedule;
+	(RSA_MD[45]_DES_verify): zero tmp and res;
+	(RSA_MD5_DES3_{verify,checksum}): implement
+
+Mon Aug 17 20:18:46 1998  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos4.c (swap32): conditionalize
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): new function
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): if the hostname
+ 	returned from gethostby*() isn't a FQDN, try with the original
+ 	hostname
+
+	* lib/krb5/get_cred.c (make_pa_tgs_req): use krb5_mk_req_internal
+ 	and correct key usage
+
+	* lib/krb5/crypto.c (verify_checksum): make static
+
+	* admin/ktutil.c (kt_list): use krb5_enctype_to_string
+
+Sun Aug 16 20:57:56 1998  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/cpw.c (do_cpw_entry): use asprintf for the prompt
+
+	* kadmin/ank.c (ank): print principal name in prompt
+
+	* lib/krb5/crypto.c (hmac): always allocate space for checksum.
+  	never trust c.checksum.length
+	(_get_derived_key): try to return the derived key
+
+Sun Aug 16 19:48:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/crypto.c (hmac): fix some peculiarities and bugs
+	(get_checksum_key): assume usage is `formatted'
+	(create_checksum,verify_checksum): moved the guts of the krb5_*
+	functions here, both take `formatted' key-usages
+	(encrypt_internal_derived): fix various bogosities
+	(derive_key): drop key_type parameter (already given by the
+	encryption_type)
+
+	* kdc/kerberos5.c (check_flags): handle case where client is NULL
+
+	* kdc/connect.c (process_request): return zero after processing
+ 	kerberos 4 request
+
+Sun Aug 16 18:38:15 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/crypto.c: merge x-*.[ch] into one file
+
+	* lib/krb5/cache.c: remove residual from krb5_ccache_data
+
+Fri Aug 14 16:28:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/x-crypto.c (derive_key): move DES3 specific code to
+ 	separate function (will eventually end up someplace else)
+
+	* lib/krb5/x-crypto.c (krb5_string_to_key_derived): allocate key
+
+	* configure.in, acconfig.h: test for four valued krb_put_int
+
+Thu Aug 13 23:46:29 1998  Assar Westerlund  <assar@emma.pdc.kth.se>
+
+	* Release 0.0t
+
+Thu Aug 13 22:40:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c (parse_binding): remove trailing
+ 	whitespace
+
+Wed Aug 12 20:15:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/x-checksum.c (krb5_verify_checksum): pass checksum type
+ 	to krb5_create_checksum
+
+	* lib/krb5/x-key.c: implement DES3_string_to_key_derived; fix a
+ 	few typos
+
+Wed Aug  5 12:39:54 1998  Assar Westerlund  <assar@emma.pdc.kth.se>
+
+	* Release 0.0s
+
+Thu Jul 30 23:12:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_error.c (krb5_mk_error): realloc until you die
+
+Thu Jul 23 19:49:03 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kdc_locl.h: proto for `get_des_key'
+
+	* configure.in: test for four valued el_init
+
+	* kuser/klist.c: keytype -> enctype
+
+	* kpasswd/kpasswdd.c (change): use new `krb5_string_to_key*'
+
+	* kdc/hprop.c (v4_prop, ka_convert): convert to a set of keys
+
+	* kdc/kaserver.c: use `get_des_key'
+
+	* kdc/524.c: use new crypto api
+
+	* kdc/kerberos4.c: use new crypto api
+
+	* kdc/kerberos5.c: always treat keytypes as enctypes; use new
+ 	crypto api
+
+	* kdc/kstash.c: adapt to new crypto api
+
+	* kdc/string2key.c: adapt to new crypto api
+
+	* admin/srvconvert.c: add keys for all possible enctypes
+
+	* admin/ktutil.c: keytype -> enctype
+
+	* lib/gssapi/init_sec_context.c: get enctype from auth_context
+ 	keyblock
+
+	* lib/hdb/hdb.c: remove hdb_*_keytype2key
+
+	* lib/kadm5/set_keys.c: adapt to new crypto api
+
+	* lib/kadm5/rename_s.c: adapt to new crypto api
+
+	* lib/kadm5/get_s.c: adapt to new crypto api
+
+	* lib/kadm5/create_s.c: add keys for des-cbc-crc, des-cbc-md4,
+ 	des-cbc-md5, and des3-cbc-sha1
+
+	* lib/krb5/heim_err.et: error message for unsupported salt
+
+	* lib/krb5/codec.c: short-circuit these functions, since they are
+ 	not needed any more
+
+	* lib/krb5/rd_safe.c: cleanup and adapt to new crypto api
+
+Mon Jul 13 23:00:59 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): don't advance
+ 	hostent->h_addr_list, use a copy instead
+
+Mon Jul 13 15:00:31 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/config_file.c (parse_binding, parse_section): make sure
+ 	everything is ok before adding to linked list
+
+	* lib/krb5/config_file.c: skip ws before checking for comment
+
+Wed Jul  8 10:45:45 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/k5.asn1: hmac-sha1-des3 = 12
+
+Tue Jun 30 18:08:05 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): do not close the
+ 	unopened file
+
+	* lib/krb5/mk_priv.c: realloc correctly
+
+	* lib/krb5/get_addrs.c (find_all_addresses): init j
+
+	* lib/krb5/context.c (krb5_init_context): print error if parsing
+ 	of config file produced an error.
+
+	* lib/krb5/config_file.c (parse_list, krb5_config_parse_file):
+ 	ignore more spaces
+
+	* lib/krb5/codec.c (krb5_encode_EncKrbCredPart,
+ 	krb5_encode_ETYPE_INFO): initialize `ret'
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): realloc
+ 	correctly
+
+	* lib/kadm5/set_keys.c (_kadm5_set_keys): initialize `ret'
+
+	* lib/kadm5/init_c.c (get_cred_cache): try to do the right thing
+ 	with default_client
+
+	* kuser/kinit.c (main): initialize `ticket_life'
+
+	* kdc/kerberos5.c (get_pa_etype_info): initialize `ret'
+	(tgs_rep2): initialize `krbtgt'
+
+	* kdc/connect.c (do_request): check for errors from `sendto'
+
+	* kdc/524.c (do_524): initialize `ret'
+
+	* kadmin/util.c (foreach_principal): don't clobber `ret'
+
+	* kadmin/del.c (del_entry): don't apply on zeroth argument
+
+	* kadmin/cpw.c (do_cpw_entry): initialize `ret'
+
+Sat Jun 13 04:14:01 1998  Assar Westerlund  <assar@juguete.sics.se>
+
+	* Release 0.0r
+
+Sun Jun  7 04:13:14 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c: fall-back definition of
+ 	IN6_ADDR_V6_TO_V4
+
+	* configure.in: only set CFLAGS if it wasn't set look for
+ 	dn_expand and res_search
+
+Mon Jun  1 21:28:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: remove duplicate seteuid
+
+Sat May 30 00:19:51 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/convert_creds.c: import _krb_time_to_life, to avoid
+ 	runtime dependencies on libkrb with some shared library
+ 	implementations
+
+Fri May 29 00:09:02 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/kinit_options.c: Default options for kinit.
+
+	* kuser/kauth_options.c: Default options for kauth.
+
+	* kuser/kinit.c: Implement lots a new options.
+
+	* kdc/kerberos5.c (check_tgs_flags): make sure kdc-req-body->rtime
+ 	is not NULL; set endtime to min of new starttime + old_life, and
+ 	requested endtime
+
+	* lib/krb5/init_creds_pw.c (get_init_creds_common): if the
+ 	forwardable or proxiable flags are set in options, set the
+ 	kdc-flags to the value specified, and not always to one
+
+Thu May 28 21:28:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Optionally compare client address to addresses
+ 	in ticket.
+
+	* kdc/connect.c: Pass client address to as_rep() and tgs_rep().
+
+	* kdc/config.c: Add check_ticket_addresses, and
+ 	allow_null_ticket_addresses variables.
+
+Tue May 26 14:03:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/create_s.c: possibly make DES keys version 4 salted
+
+	* lib/kadm5/set_keys.c: check config file for kadmin/use_v4_salt
+ 	before zapping version 4 salts
+
+Sun May 24 05:22:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0q
+
+	* lib/krb5/aname_to_localname.c: new file
+
+	* lib/gssapi/init_sec_context.c (repl_mutual): no output token
+
+	* lib/gssapi/display_name.c (gss_display_name): zero terminate
+ 	output.
+
+Sat May 23 19:11:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/display_status.c: new file
+
+	* Makefile.am: send -I to aclocal
+
+	* configure.in: remove duplicate setenv
+
+Sat May 23 04:55:19 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/util.c (foreach_principal): Check for expression before
+ 	wading through the whole database.
+
+	* kadmin/kadmin.c: Pass NULL password to
+ 	kadm5_*_init_with_password.
+
+	* lib/kadm5/init_c.c: Implement init_with_{skey,creds}*. Make use
+ 	of `password' parameter to init_with_password.
+
+	* lib/kadm5/init_s.c: implement init_with_{skey,creds}*
+
+	* lib/kadm5/server.c: Better arguments for
+ 	kadm5_init_with_password.
+
+Sat May 16 07:10:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hprop.c: conditionalize ka-server reading support on
+ 	KASERVER_DB
+
+	* configure.in: new option `--enable-kaserver-db'
+
+Fri May 15 19:39:18 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_cred.c: Better error if local tgt couldn't be
+ 	found.
+
+Tue May 12 21:11:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0p
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): only set
+ 	encryption type in auth_context if it's compatible with the type
+ 	of the session key
+
+Mon May 11 21:11:14 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop.c: add support for ka-server databases
+
+	* appl/ftp/ftpd: link with -lcrypt, if needed
+
+Fri May  1 07:29:52 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: don't test for winsock.h
+
+Sat Apr 18 21:43:11 1998  Johan Danielsson  <joda@puffer.pdc.kth.se>
+
+	* Release 0.0o
+
+Sat Apr 18 00:31:11 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/sock_principal.c: Save hostname.
+
+Sun Apr  5 11:29:45 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/mk_req_ext.c: Use same enctype as in ticket.
+
+	* kdc/hprop.c (v4_prop): Check for null key.
+
+Fri Apr  3 03:54:54 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/str2key.c: Fix DES3 string-to-key.
+
+	* lib/krb5/keytab.c: Get default keytab name from context.
+
+	* lib/krb5/context.c: Get `default_keytab_name' value.
+
+	* kadmin/util.c (foreach_principal): Print error message if
+ 	`kadm5_get_principals' fails.
+
+	* kadmin/kadmind.c: Use `kadmind_loop'.
+
+	* lib/kadm5/server.c: Replace several other functions with
+ 	`kadmind_loop'.
+
+Sat Mar 28 09:49:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c (fkt_add_entry): use an explicit seek instead
+ 	of O_APPEND
+
+	* configure.in: generate ftp Makefiles
+
+	* kuser/klist.c (print_cred_verbose): print IPv4-address in a
+ 	portable way.
+
+	* admin/srvconvert.c (srvconv): return 0 if successful
+
+Tue Mar 24 00:40:33 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/keytab.c: MIT compatible changes: add and use sizes to
+ 	keytab entries, and change default keytab to `/etc/krb5.keytab'.
+
+Mon Mar 23 23:43:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/gssapi/wrap.c: Use `gss_krb5_getsomekey'.
+
+	* lib/gssapi/unwrap.c: Implement and use `gss_krb5_getsomekey'.
+  	Fix bug in checking of pad.
+
+	* lib/gssapi/{un,}wrap.c: Add support for just integrity
+ 	protecting data.
+ 	
+	* lib/gssapi/accept_sec_context.c: Use
+ 	`gssapi_krb5_verify_8003_checksum'.
+
+	* lib/gssapi/8003.c: Implement `gssapi_krb5_verify_8003_checksum'.
+
+	* lib/gssapi/init_sec_context.c: Zero cred, and store session key
+ 	properly in auth-context.
+
+Sun Mar 22 00:47:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/delete_s.c: Check immutable bit.
+
+	* kadmin/kadmin.c: Pass client name to kadm5_init.
+
+	* lib/kadm5/init_c.c: Get creds for client name passed in.
+
+	* kdc/hprop.c (v4_prop): Check for `changepw.kerberos'.
+
+Sat Mar 21 22:57:13 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/mk_error.c: Verify that error_code is in the range
+ 	[0,127].
+
+	* kdc/kerberos5.c: Move checking of principal flags to new
+ 	function `check_flags'.
+
+Sat Mar 21 14:38:51 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/get_s.c (kadm5_s_get_principal): handle an empty salt
+
+	* configure.in: define SunOS if running solaris
+
+Sat Mar 21 00:26:34 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/server.c: Unifdef test for same principal when
+ 	changing password.
+
+	* kadmin/util.c: If kadm5_get_principals failes, we might still be
+ 	able to perform the requested opreration (for instance someone if
+ 	trying to change his own password).
+
+	* lib/kadm5/init_c.c: Try to get ticket via initial request, if
+ 	not possible via tgt.
+
+	* lib/kadm5/server.c: Check for principals changing their own
+ 	passwords.
+
+	* kdc/kerberos5.c (tgs_rep2): check for interesting flags on
+ 	involved principals.
+
+	* kadmin/util.c: Fix order of flags.
+
+Thu Mar 19 16:54:10 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos4.c: Return sane error code if krb_rd_req fails.
+
+Wed Mar 18 17:11:47 1998  Assar Westerlund  <assar@sics.se>
+
+	* acconfig.h: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6
+
+Wed Mar 18 09:58:18 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): don't
+ 	free keyseed; use correct keytab
+
+Tue Mar 10 09:56:16 1998  Assar Westerlund  <assar@sics.se>
+
+	* acinclude.m4 (AC_KRB_IPV6): rewrote to avoid false positives
+
+Mon Mar 16 23:58:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0n
+
+Fri Mar  6 00:41:30 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/gssapi/{accept_sec_context,release_cred}.c: Use
+	krb5_kt_close/krb5_kt_resolve.
+	
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext): Use resolver
+ 	to lookup hosts, so CNAMEs can be ignored.
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc, send_and_recv_http):
+ 	Add support for using proxy.
+
+	* lib/krb5/context.c: Initialize `http_proxy' from
+ 	`libdefaults/http_proxy'.
+
+	* lib/krb5/krb5.h: Add `http_proxy' to context.
+
+	* lib/krb5/send_to_kdc.c: Recognize `http/' and `udp/' as protocol
+ 	specifications.
+
+Wed Mar  4 01:47:29 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/ktutil.c: Implement `add' and `remove' functions. Make
+ 	`--keytab' a global option.
+
+	* lib/krb5/keytab.c: Implement remove with files. Add memory
+ 	operations.
+
+Tue Mar  3 20:09:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/keytab.c: Use function pointers.
+
+	* admin: Remove kdb_edit.
+
+Sun Mar  1 03:28:42 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/dump_log.c: print operation names
+
+Sun Mar  1 03:04:12 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: add X-tests, and {bin,...}dir appl/{kx,kauth}
+	
+	* lib/krb5/build_auth.c,mk_priv.c,rd_safe.c,mk_safe.c,mk_rep.c:
+ 	remove arbitrary limit
+
+	* kdc/hprop-common.c: use krb5_{read,write}_message
+
+	* lib/kadm5/ipropd_master.c (send_diffs): more careful use
+ 	krb5_{write,read}_message
+
+	* lib/kadm5/ipropd_slave.c (get_creds): get credentials for
+ 	`iprop/master' directly.
+	(main): use `krb5_read_message'
+
+Sun Mar  1 02:05:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/kadmin.c: Cleanup commands list, and add help strings.
+
+	* kadmin/get.c: Add long, short, and terse (equivalent to `list')
+ 	output formats. Short is the default.
+
+	* kadmin/util.c: Add `include_time' flag to timeval2str.
+
+	* kadmin/init.c: Max-life and max-renew can, infact, be zero.
+
+	* kadmin/{cpw,del,ext,get}.c: Use `foreach_principal'.
+
+	* kadmin/util.c: Add function `foreach_principal', that loops over
+ 	all principals matching an expression.
+
+	* kadmin/kadmin.c: Add usage string to `privileges'.
+
+	* lib/kadm5/get_princs_s.c: Also try to match aganist the
+ 	expression appended with `@default-realm'.
+
+	* lib/krb5/principal.c: Add `krb5_unparse_name_fixed_short', that
+ 	excludes the realm if it's the same as the default realm.
+
+Fri Feb 27 05:02:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: more WFLAGS and WFLAGS_NOUNUSED added missing
+ 	headers and functions error -> com_err
+
+ 	(krb5_get_init_creds_keytab): use krb5_keytab_key_proc
+
+	* lib/krb5/get_in_tkt_with_keytab.c: make `krb5_keytab_key_proc'
+ 	global
+
+	* lib/kadm5/marshall.c (ret_principal_ent): set `n_tl_data'
+
+	* lib/hdb/ndbm.c: use `struct ndbm_db' everywhere.
+
+Fri Feb 27 04:49:24 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): bump static limit to 10240.
+  	This should be fixed the correct way.
+
+	* lib/kadm5/ipropd_master.c (check_acl:) truncate buf correctly
+	(send_diffs): compare versions correctly
+	(main): reorder handling of events
+
+	* lib/kadm5/log.c (kadm5_log_previous): avoid bad type conversion
+
+Thu Feb 26 02:22:35 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/ipropd_{slave,master}.c: new files
+
+	* lib/kadm5/log.c (kadm5_log_get_version): take an `fd' as
+ 	argument
+
+	* lib/krb5/krb5.h (krb5_context_data): `et_list' should be `struct
+ 	et_list *'
+
+	* aux/make-proto.pl: Should work with perl4
+
+Mon Feb 16 17:20:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/krb5_locl.h: Remove <error.h> (it gets included via
+ 	{asn1,krb5}_err.h).
+
+Thu Feb 12 03:28:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c (_krb5_extract_ticket): if time difference
+ 	is larger than max_skew, return KRB5KRB_AP_ERR_SKEW
+
+	* lib/kadm5/log.c (get_version): globalize
+
+	* lib/kadm5/kadm5_locl.h: include <sys/file.h>
+
+	* lib/asn1/Makefile.am: add PA_KEY_INFO and PA_KEY_INFO_ENTRY
+
+	* kdc/kerberos5.c (get_pa_etype_info): remove gcc-ism of
+ 	initializing local struct in declaration.
+
+Sat Jan 31 17:28:58 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/524.c: Use krb5_decode_EncTicketPart.
+
+	* kdc/kerberos5.c: Check at runtime whether to use enctypes
+ 	instead of keytypes. If so use the same value to encrypt ticket,
+ 	and kdc-rep as well as `keytype' for session key. Fix some obvious
+ 	bugs with the handling of additional tickets.
+
+	* lib/krb5/rd_req.c: Use krb5_decode_EncTicketPart, and
+ 	krb5_decode_Authenticator.
+
+	* lib/krb5/rd_rep.c: Use krb5_decode_EncAPRepPart.
+
+	* lib/krb5/rd_cred.c: Use krb5_decode_EncKrbCredPart.
+
+	* lib/krb5/mk_rep.c: Make sure enc_part.etype is an encryption
+ 	type, and not a key type.  Use krb5_encode_EncAPRepPart.
+
+	* lib/krb5/init_creds_pw.c: Use krb5_decode_PA_KEY_INFO.
+
+	* lib/krb5/get_in_tkt.c: Use krb5_decode_Enc{AS,TGS}RepPart.
+
+	* lib/krb5/get_for_creds.c: Use krb5_encode_EncKrbCredPart.
+
+	* lib/krb5/get_cred.c: Use krb5_decode_Enc{AS,TGS}RepPart.
+
+	* lib/krb5/build_auth.c: Use krb5_encode_Authenticator.
+
+	* lib/krb5/codec.c: Enctype conversion stuff.
+
+	* lib/krb5/context.c: Ignore KRB5_CONFIG if *not* running
+ 	setuid. Get configuration for libdefaults ktype_is_etype, and
+ 	default_etypes.
+
+	* lib/krb5/encrypt.c: Add krb5_string_to_etype, rename
+ 	krb5_convert_etype to krb5_decode_keytype, and add
+ 	krb5_decode_keyblock.
+
+Fri Jan 23 00:32:09 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{get_in_tkt,rd_req}.c: Use krb5_convert_etype.
+
+	* lib/krb5/encrypt.c: Add krb5_convert_etype function - converts
+ 	from protocol keytypes (that really are enctypes) to internal
+ 	representation.
+
+Thu Jan 22 21:24:36 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/k5.asn1: Add PA-KEY-INFO structure to hold information
+ 	on keys in the database; and also a new `pa-key-info' padata-type.
+
+	* kdc/kerberos5.c: If pre-authentication fails, return a list of
+ 	keytypes, salttypes, and salts.
+
+	* lib/krb5/init_creds_pw.c: Add better support for
+ 	pre-authentication, by looking at hints from the KDC.
+
+	* lib/krb5/get_in_tkt.c: Add better support for specifying what
+ 	pre-authentication to use.
+
+	* lib/krb5/str2key.c: Merge entries for KEYTYPE_DES and
+ 	KEYTYPE_DES_AFS3.
+
+	* lib/krb5/krb5.h: Add pre-authentication structures.
+
+	* kdc/connect.c: Don't fail if realloc(X, 0) returns NULL.
+
+Wed Jan 21 06:20:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize
+ 	`log_context.socket_name' and `log_context.socket_fd'
+
+	* lib/kadm5/log.c (kadm5_log_flush): send a unix domain datagram
+ 	to inform the possible running ipropd of an update.
+
+Wed Jan 21 01:34:09 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt.c: Return error-packet to caller.
+
+	* lib/krb5/free.c (krb5_free_kdc_rep): Free krb5_kdc_rep->error.
+
+	* kdc/kerberos5.c: Add some support for using enctypes instead of
+ 	keytypes.
+
+	* lib/krb5/get_cred.c: Fixes to send authorization-data to the
+ 	KDC.
+
+	* lib/krb5/build_auth.c: Only generate local subkey if there is
+ 	none.
+
+	* lib/krb5/krb5.h: Add krb5_authdata type.
+
+	* lib/krb5/auth_context.c: Add
+ 	krb5_auth_con_set{,localsub,remotesub}key.
+
+	* lib/krb5/init_creds_pw.c: Return some error if prompter
+ 	functions return failure.
+
+Wed Jan 21 01:16:13 1998  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswd.c: detect bad password.  use krb5_err.
+
+	* kadmin/util.c (edit_entry): remove unused variables
+
+Tue Jan 20 22:58:31 1998  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: rename `-s' to `-S' to be MIT-compatible.
+
+	* lib/kadm5/kadm5_locl.h: add kadm5_log_context and
+ 	kadm5_log*-functions
+
+	* lib/kadm5/create_s.c (kadm5_s_create_principal): add change to
+ 	log
+
+	* lib/kadm5/rename_s.c (kadm5_s_rename_principal): add change to
+ 	log
+
+	* lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize
+ 	log_context
+
+	* lib/kadm5/delete_s.c (kadm5_s_delete_principal): add change to
+ 	log
+
+	* lib/kadm5/modify_s.c (kadm5_s_modify_principal): add change to
+ 	log
+
+	* lib/kadm5/randkey_s.c (kadm5_s_randkey_principal): add change to
+ 	log
+
+	* lib/kadm5/chpass_s.c (kadm5_s_chpass_principal): add change to
+ 	log
+
+	* lib/kadm5/Makefile.am: add log.c, dump_log and replay_log
+
+	* lib/kadm5/replay_log.c: new file
+
+	* lib/kadm5/dump_log.c: new file
+
+	* lib/kadm5/log.c: new file
+
+	* lib/krb5/str2key.c (get_str): initialize pad space to zero
+
+	* lib/krb5/config_file.c (krb5_config_vget_next): handle c == NULL
+
+	* kpasswd/kpasswdd.c: rewritten to use the kadm5 API
+
+	* kpasswd/Makefile.am: link with kadm5srv
+
+	* kdc/kerberos5.c (tgs_rep): initialize `i'
+
+	* kadmin/kadmind.c (main): use kadm5_server_{send,recv}_sp
+
+	* include/Makefile.am: added admin.h
+
+Sun Jan 18 01:41:34 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/gen_copy.c: Don't return ENOMEM if allocating 0 bytes.
+
+	* lib/krb5/mcache.c (mcc_store_cred): restore linked list if
+ 	copy_creds fails.
+
+Tue Jan  6 04:17:56 1998  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/server.c: add kadm5_server_{send,recv}{,_sp}
+
+	* lib/kadm5/marshall.c: add kadm5_{store,ret}_principal_ent_mask.
+
+	* lib/kadm5/init_c.c (kadm5_c_init_with_password_ctx): use
+ 	krb5_getportbyname
+
+	* kadmin/kadmind.c (main): htons correctly.
+	moved kadm5_server_{recv,send}
+
+	* kadmin/kadmin.c (main): only set admin_server if explicitly
+ 	given
+
+Mon Jan  5 23:34:44 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb/ndbm.c: Implement locking of database.
+
+	* kdc/kerberos5.c: Process AuthorizationData.
+
+Sat Jan  3 22:07:07 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/string2key.c: Use AFS string-to-key from libkrb5.
+
+	* lib/krb5/get_in_tkt.c: Handle pa-afs3-salt case.
+
+	* lib/krb5/krb5.h: Add value for AFS salts.
+
+	* lib/krb5/str2key.c: Add support for AFS string-to-key.
+
+	* lib/kadm5/rename_s.c: Use correct salt.
+
+	* lib/kadm5/ent_setup.c: Always enable client. Only set max-life
+ 	and max-renew if != 0.
+
+	* lib/krb5/config_file.c: Add context to all krb5_config_*get_*.
+
+Thu Dec 25 17:03:25 1997  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/ank.c (ank): don't zero password if --random-key was
+ 	given.
+
+Tue Dec 23 01:56:45 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0m
+
+	* lib/kadm5/ent_setup.c (attr_to_flags): try to set `client'
+
+	* kadmin/util.c (edit_time): only set mask if != 0
+	(edit_attributes): only set mask if != 0
+
+	* kadmin/init.c (init): create `default'
+
+Sun Dec 21 09:44:05 1997  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/util.c (str2deltat, str2attr, get_deltat): return value
+ 	as pointer and have return value indicate success.
+	
+	(get_response): check NULL from fgets
+	
+	(edit_time, edit_attributes): new functions for reading values and
+	offering list of answers on '?'
+	
+	(edit_entry): use edit_time and edit_attributes
+
+	* kadmin/ank.c (add_new_key): test the return value of
+ 	`krb5_parse_name'
+
+	* kdc/kerberos5.c (tgs_check_authenticator): RFC1510 doesn't say
+ 	that the checksum has to be keyed, even though later drafts do.
+  	Accept unkeyed checksums to be compatible with MIT.
+
+	* kadmin/kadmin_locl.h: add some prototypes.
+
+	* kadmin/util.c (edit_entry): return a value
+
+	* appl/afsutil/afslog.c (main): return a exit code.
+
+	* lib/krb5/get_cred.c (init_tgs_req): use krb5_keytype_to_enctypes
+
+	* lib/krb5/encrypt.c (krb5_keytype_to_enctypes): new function.
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): use
+ 	krb5_{free,copy}_keyblock instead of the _contents versions
+
+Fri Dec 12 14:20:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{mk,rd}_priv.c: fix check for local/remote subkey
+
+Mon Dec  8 08:48:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/context.c: don't look at KRB5_CONFIG if running setuid
+
+Sat Dec  6 10:09:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/keyblock.c (krb5_free_keyblock): check for NULL
+	keyblock
+
+Sat Dec  6 08:26:10 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0l
+
+Thu Dec  4 03:38:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/send_to_kdc.c: Add TCP client support.
+
+	* lib/krb5/store.c: Add k_{put,get}_int.
+
+	* kadmin/ank.c: Set initial kvno to 1.
+
+	* kdc/connect.c: Send version 5 TCP-reply as length+data.
+
+Sat Nov 29 07:10:11 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (krb5_rd_req): fixed obvious bug
+
+	* kdc/kaserver.c (create_reply_ticket): use a random nonce in the
+ 	reply packet.
+
+	* kdc/connect.c (init_sockets): less reallocing.
+
+	* **/*.c: changed `struct fd_set' to `fd_set'
+
+Sat Nov 29 05:12:01 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_default_principal.c: More guessing.
+
+Thu Nov 20 02:55:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/rd_req.c: Use principal from ticket if no server is
+ 	given.
+
+Tue Nov 18 02:58:02 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/klist.c: Use krb5_err*().
+
+Sun Nov 16 11:57:43 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/kadmin.c: Add local `init', `load', `dump', and `merge'
+ 	commands.
+
+Sun Nov 16 02:52:20 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_ext): figure out the correct
+ 	`enctype'
+
+	* lib/krb5/mk_req.c (krb5_mk_req): use `(*auth_context)->enctype'
+ 	if set.
+
+	* lib/krb5/get_cred.c: handle the case of a specific keytype
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): enctype as a
+ 	parameter instead of guessing it.
+
+	* lib/krb5/build_ap_req.c (krb5_build_ap_req): new parameter
+ 	`enctype'
+
+	* appl/test/common.c (common_setup): don't use `optarg'
+
+	* lib/krb5/keytab.c (krb5_kt_copy_entry_contents): new function
+	(krb5_kt_get_entry): retrieve the latest version if kvno == 0
+
+	* lib/krb5/krb5.h: define KRB5_TC_MATCH_KEYTYPE
+
+	* lib/krb5/creds.c (krb5_compare_creds): check for
+ 	KRB5_TC_MATCH_KEYTYPE
+
+	* lib/gssapi/8003.c (gssapi_krb5_create_8003_checksum): remove
+ 	unused variable
+
+	* lib/krb5/creds.c (krb5_copy_creds_contents): only free the
+ 	contents if we fail.
+
+Sun Nov 16 00:32:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kpasswd/kpasswdd.c: Get password expiration time from config
+ 	file.
+
+	* lib/asn1/{der_get,gen_decode}.c: Allow passing NULL size.
+
+Wed Nov 12 02:35:57 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
+ 	restructured and fixed.
+
+	* lib/krb5/addr_families.c (krb5_h_addr2addr): new function.
+
+Wed Nov 12 01:36:01 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fall back to hostname's addresses if other
+ 	methods fail.
+
+Tue Nov 11 22:22:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin/kadmin.c: Add `-l' flag to use local database.
+
+	* lib/kadm5/acl.c: Use KADM5_PRIV_ALL.
+
+	* lib/kadm5: Use function pointer trampoline for easier dual use
+ 	(without radiation-hardening capability).
+
+Tue Nov 11 05:15:22 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/encrypt.c (krb5_etype_valid): new function
+
+	* lib/krb5/creds.c (krb5_copy_creds_contents): zero target
+
+	* lib/krb5/context.c (valid_etype): remove
+
+	* lib/krb5/checksum.c: remove dead code
+
+	* lib/krb5/changepw.c (send_request): free memory on error.
+
+	* lib/krb5/build_ap_req.c (krb5_build_ap_req): check return value
+ 	from malloc.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): free memory on
+ 	failure correctly.
+	(krb5_auth_con_setaddrs_from_fd): return error correctly.
+
+	* lib/krb5/get_in_tkt_with_{keytab,skey}.c: new files
+
+Tue Nov 11 02:53:19 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/auth_context.c: Implement auth_con_setuserkey.
+
+	* lib/gssapi/init_sec_context.c: Use krb5_auth_con_getkey.
+
+	* lib/krb5/keyblock.c: Rename krb5_free_keyblock to
+ 	krb5_free_keyblock_contents, and reimplement krb5_free_keyblock.
+
+	* lib/krb5/rd_req.c: Use auth_context->keyblock if
+ 	ap_options.use_session_key.
+
+Tue Nov 11 02:35:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/net_{read,write}.c: change `int fd' to `void *p_fd'.
+	fix callers.
+
+	* lib/krb5/krb5_locl.h: include <asn1.h> and <der.h>
+
+	* include/Makefile.am: add xdbm.h
+
+Tue Nov 11 01:58:22 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_cred.c: Implement krb5_get_cred_from_kdc.
+
+Mon Nov 10 22:41:53 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/ticket.c: Implement copy_ticket.
+
+	* lib/krb5/get_in_tkt.c: Make `options' parameter MIT-compatible.
+
+	* lib/krb5/data.c: Implement free_data and copy_data.
+
+Sun Nov  9 02:17:27 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5: Implement kadm5_get_privs, and kadm5_get_principals.
+
+	* kadmin/kadmin.c: Add get_privileges function.
+
+	* lib/kadm5: Rename KADM5_ACL_* -> KADM5_PRIV_* to conform with
+ 	specification.
+
+	* kdc/connect.c: Exit if no sockets could be bound.
+
+	* kadmin/kadmind.c: Check return value from krb5_net_read().
+
+	* lib/kadm5,kadmin: Fix memory leaks.
+
+Fri Nov  7 02:45:26 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/kadm5/create_s.c: Get some default values from `default'
+ 	principal.
+
+	* lib/kadm5/ent_setup.c: Add optional default entry to get some
+ 	values from.
+
+Thu Nov  6 00:20:41 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/error/compile_et.awk: Remove generated destroy_*_error_table
+ 	prototype
+
+	* kadmin/kadmind.c: Crude admin server.
+
+	* kadmin/kadmin.c: Update to use remote protocol.
+
+	* kadmin/get.c: Fix principal formatting.
+
+	* lib/kadm5: Add client support.
+
+	* lib/kadm5/error.c: Error code mapping.
+
+	* lib/kadm5/server.c: Kadmind support function.
+
+	* lib/kadm5/marshall.c: Kadm5 marshalling.
+
+	* lib/kadm5/acl.c: Simple acl system.
+
+	* lib/kadm5/kadm5_locl.h: Add client stuff.
+
+	* lib/kadm5/init_s.c: Initialize acl.
+
+	* lib/kadm5/*:  Return values.
+
+	* lib/kadm5/create_s.c: Correct kvno.
+
+Wed Nov  5 22:06:50 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/log.c: Fix parsing of log destinations.
+
+Mon Nov  3 20:33:55 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/principal.c: Reduce number of reallocs in unparse_name.
+
+Sat Nov  1 01:40:53 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kadmin: Simple kadmin utility.
+
+	* admin/ktutil.c: Print keytype.
+
+	* lib/kadm5/get_s.c: Set correct n_key_data.
+
+	* lib/kadm5/init_s.c: Add kadm5_s_init_with_password_ctx. Use
+ 	master key.
+
+	* lib/kadm5/destroy_s.c: Check for allocated context.
+
+	* lib/kadm5/{create,chpass}_s.c: Use _kadm5_set_keys().
+
+Sat Nov  1 00:21:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: test for readv, writev
+
+Wed Oct 29 23:41:26 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/warn.c (_warnerr): handle the case of an illegal error
+ 	code
+
+	* kdc/kerberos5.c (encode_reply): return success
+
+Wed Oct 29 18:01:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c (find_etype) Return correct index of selected
+ 	etype.
+
+Wed Oct 29 04:07:06 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0k
+
+	* lib/krb5/context.c (krb5_init_context): support `KRB5_CONFIG'
+ 	environment variable
+
+	* *: use the roken_get*-macros from roken.h for the benefit of
+ 	Crays.
+
+	* configure.in: add --{enable,disable}-otp.  check for compatible
+ 	prototypes for gethostbyname, gethostbyaddr, getservbyname, and
+ 	openlog (they have strange prototypes on Crays)
+
+	* acinclude.m4: new macro `AC_PROTO_COMPAT'
+
+Tue Oct 28 00:11:22 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: Log bad requests.
+
+	* kdc/kerberos5.c: Move stuff that's in common between as_rep and
+ 	tgs_rep to separate functions.
+
+	* kdc/kerberos5.c: Fix user-to-user authentication.
+
+	* lib/krb5/get_cred.c: Some restructuring of krb5_get_credentials:
+ 	  - add a kdc-options argument to krb5_get_credentials, and rename
+	    it to krb5_get_credentials_with_flags
+	  - honour the KRB5_GC_CACHED, and KRB5_GC_USER_USER options
+	  - add some more user-to-user glue
+
+	* lib/krb5/rd_req.c: Move parts of krb5_verify_ap_req into a new
+ 	function, krb5_decrypt_ticket, so it is easier to decrypt and
+ 	check a ticket without having an ap-req.
+
+	* lib/krb5/krb5.h: Add KRB5_GC_CACHED, and KRB5_GC_USER_USER
+ 	flags.
+
+	* lib/krb5/crc.c (crc_init_table): Check if table is already
+ 	inited.
+
+Sun Oct 26 04:51:02 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/der_get.c (der_get_length, fix_dce): Special-case
+ 	indefinite encoding.
+
+	* lib/asn1/gen_glue.c (generate_units): Check for empty
+ 	member-list.
+
+Sat Oct 25 07:24:57 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/error/compile_et.awk: Allow specifying table-base.
+
+Tue Oct 21 20:21:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Check version number of krbtgt.
+
+Mon Oct 20 01:14:53 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/prompter_posix.c (krb5_prompter_posix): implement the
+ 	case of unhidden prompts.
+
+	* lib/krb5/str2key.c (string_to_key_internal): return error
+ 	instead of aborting.  always free memory
+
+	* admin/ktutil.c: add `help' command
+
+	* admin/kdb_edit.c: implement new commands: add_random_key(ark),
+ 	change_password(cpw), change_random_key(crk)
+
+Thu Oct 16 05:16:36 1997  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswdd.c: change all the keys in the database
+
+	* kdc: removed all unsealing, now done by the hdb layer
+
+	* lib/hdb/hdb.c: new functions `hdb_create', `hdb_set_master_key'
+ 	and `hdb_clear_master_key'
+
+	* admin/misc.c: removed
+
+Wed Oct 15 22:47:31 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/klist.c: print year as YYYY iff verbose
+
+Wed Oct 15 20:02:13 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/klist.c: print etype from ticket
+
+Mon Oct 13 17:18:57 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0j
+
+	* lib/krb5/get_cred.c: Get the subkey from mk_req so it can be
+ 	used to decrypt the reply from DCE secds.
+
+	* lib/krb5/auth_context.c: Add {get,set}enctype.
+
+	* lib/krb5/get_cred.c: Fix for DCE secd.
+
+	* lib/krb5/store.c: Store keytype twice, as MIT does.
+
+	* lib/krb5/get_in_tkt.c: Use etype from reply.
+
+Fri Oct 10 00:39:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: check for leading '/' in http request
+
+Tue Sep 30 21:50:18 1997  Assar Westerlund  <assar@assaris.pdc.kth.se>
+
+	* Release 0.0i
+
+Mon Sep 29 15:58:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (krb5_rd_req): redone because we don't know
+ 	the kvno or keytype before receiving the AP-REQ
+
+	* lib/krb5/mk_safe.c (krb5_mk_safe): figure out what cksumtype to
+ 	use from the keytype.
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): figure out what
+ 	cksumtype to use from the keytype.
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): figure out what etype to use
+ 	from the keytype.
+
+	* lib/krb5/keytab.c (krb5_kt_get_entry): check the keytype
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): figure out
+ 	what etype to use from the keytype.
+
+	* lib/krb5/generate_seq_number.c (krb5_generate_seq_number):
+ 	handle other key types than DES
+
+	* lib/krb5/encrypt.c (key_type): add `best_cksumtype'
+	(krb5_keytype_to_cksumtype): new function
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): figure out
+ 	what etype to use from the keytype.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): set `cksumtype'
+ 	and `enctype' to 0
+
+	* admin/extkeytab.c (ext_keytab): extract all keys
+
+	* appl/telnet/telnet/commands.c: INET6_ADDRSTRLEN kludge
+
+	* configure.in: check for <netinet6/in6.h>. check for -linet6
+	
+Tue Sep 23 03:00:53 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/encrypt.c: fix checksumtype for des3-cbc-sha1
+
+	* lib/krb5/rd_safe.c: fix check for keyed and collision-proof
+ 	checksum
+
+	* lib/krb5/context.c (valid_etype): remove hard-coded constants
+	(default_etypes): include DES3
+
+	* kdc/kerberos5.c: fix check for keyed and collision-proof
+ 	checksum
+
+	* admin/util.c (init_des_key, set_password): DES3 keys also
+
+ 	* lib/krb/send_to_kdc.c (krb5_sendto_kdc): no data returned means
+ 	no contact?
+
+	* lib/krb5/addr_families.c: fix typo in `ipv6_anyaddr'
+
+Mon Sep 22 11:44:27 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kerberos5.c: Somewhat fix the etype usage. The list sent by
+ 	the client is used to select wich key to encrypt the kdc rep with
+ 	(in case of as-req), and with the server info to select the
+ 	session key type. The server key the ticket is encrypted is based
+ 	purely on the keys in the database.
+
+	* kdc/string2key.c: Add keytype support. Default to version 5
+ 	keys.
+
+	* lib/krb5/get_in_tkt.c: Fix a lot of etype/keytype misuse.
+
+	* lib/krb5/encrypt.c: Add des3-cbc-md5, and des3-cbc-sha1. Add
+ 	many *_to_* functions.
+
+	* lib/krb5/str2key.c: Add des3 string-to-key. Add ktype argument
+ 	to krb5_string_to_key().
+
+	* lib/krb5/checksum.c: Some cleanup, and added: 
+	  - rsa-md5-des3 
+	  - hmac-sha1-des3 
+	  - keyed and collision proof flags to each checksum method
+	  - checksum<->string functions.
+
+	* lib/krb5/generate_subkey.c: Use krb5_generate_random_keyblock.
+
+Sun Sep 21 15:19:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c: use new addr_families functions
+
+	* kpasswd/kpasswdd.c: use new addr_families functions.  Now works
+ 	over IPv6
+
+	* kuser/klist.c: use correct symbols for address families
+
+	* lib/krb5/sock_principal.c: use new addr_families functions
+
+	* lib/krb5/send_to_kdc.c: use new addr_families functions
+
+	* lib/krb5/krb5.h: add KRB5_ADDRESS_INET6
+
+	* lib/krb5/get_addrs.c: use new addr_families functions
+
+	* lib/krb5/changepw.c: use new addr_families functions.  Now works
+ 	over IPv6
+
+	* lib/krb5/auth_context.c: use new addr_families functions
+
+	* lib/krb5/addr_families.c: new file
+
+	* acconfig.h: AC_SOCKADDR_IN6 -> AC_STRUCT_SOCKADDR_IN6.  Updated
+ 	uses.
+
+	* acinclude.m4: new macro `AC_KRB_IPV6'.  Use it.
+
+Sat Sep 13 23:04:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop.c: Don't encrypt twice. Complain on non-convertable
+ 	principals.
+
+Sat Sep 13 00:59:36 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0h
+	
+	* appl/telnet/telnet/commands.c: AF_INET6 support
+
+	* admin/misc.c: new file
+
+	* lib/krb5/context.c: new configuration variable `max_retries'
+
+	* lib/krb5/get_addrs.c: fixes and better #ifdef's
+
+	* lib/krb5/config_file.c: implement krb5_config_get_int
+
+	* lib/krb5/auth_context.c, send_to_kdc.c, sock_principal.c:
+ 	AF_INET6 support
+
+	* kuser/klist.c: support for printing IPv6-addresses
+
+	* kdc/connect.c: support AF_INET6
+
+	* configure.in: test for gethostbyname2 and struct sockaddr_in6
+
+Thu Sep 11 07:25:28 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/k5.asn1: Use `METHOD-DATA' instead of `SEQUENCE OF
+ 	PA-DATA'
+
+Wed Sep 10 21:20:17 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Fixes for cross-realm, including (but not
+ 	limited to):
+	  - allow client to be non-existant (should probably check for
+	    "local realm")
+	  - if server isn't found and it is a request for a krbtgt, try to
+ 	    find a realm on the way to the requested realm
+	  - update the transited encoding iff 
+	    client-realm != server-realm != tgt-realm
+
+	* lib/krb5/get_cred.c: Several fixes for cross-realm.
+
+Tue Sep  9 15:59:20 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/string2key.c: Fix password handling.
+
+	* lib/krb5/encrypt.c: krb5_key_to_string
+
+Tue Sep  9 07:46:05 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c: rewrote.  Now should be able to handle
+ 	aliases and IPv6 addresses
+
+	* kuser/klist.c: try printing IPv6 addresses
+
+	* kdc/kerberos5.c: increase the arbitrary limit from 1024 to 8192
+
+	* configure.in: check for <netinet/in6_var.h>
+
+Mon Sep  8 02:57:14 1997  Assar Westerlund  <assar@sics.se>
+
+	* doc: fixes
+
+	* admin/util.c (init_des_key): increase kvno
+	(set_password): return -1 if `des_read_pw_string' failed
+
+	* admin/mod.c (doit2): check the return value from `set_password'
+
+	* admin/ank.c (doit): don't add a new entry if `set_password'
+ 	failed
+
+Mon Sep  8 02:20:16 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/verify_init.c: fix ap_req_nofail semantics
+
+	* lib/krb5/transited.c: something that might resemble
+ 	domain-x500-compress
+
+Mon Sep  8 01:24:42 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (main): check number of arguments
+
+	* appl/popper/pop_init.c (pop_init): check number of arguments
+
+	* kpasswd/kpasswd.c (main): check number of arguments
+
+	* kdc/string2key.c (main): check number of arguments
+
+	* kuser/kdestroy.c (main): check number of arguments
+
+	* kuser/kinit.c (main): check number of arguments
+
+	* kpasswd/kpasswdd.c (main): use sigaction without SA_RESTART to
+ 	break out of select when a signal arrives
+
+	* kdc/main.c (main): use sigaction without SA_RESTART to break out
+ 	of select when a signal arrives
+
+	* kdc/kstash.c: default to HDB_DB_DIR "/m-key"
+
+	* kdc/config.c (configure): add `--version'.  Check the number of
+ 	arguments. Handle the case of there being no specification of port
+ 	numbers.
+
+	* admin/util.c: seal and unseal key at appropriate places
+
+	* admin/kdb_edit.c (main): parse arguments, config file and read
+ 	master key iff there's one.
+
+	* admin/extkeytab.c (ext_keytab): unseal key while extracting
+
+Sun Sep  7 20:41:01 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/roken.h: include <fcntl.h>
+
+	* kdc/kerberos5.c (set_salt_padata): new function
+
+	* appl/telnet/telnetd/telnetd.c: Rename some variables that
+ 	conflict with cpp symbols on HP-UX 10.20
+
+	* change all calls of `gethostbyaddr' to cast argument 1 to `const
+ 	char *'
+
+	* acconfig.h: only use SGTTY on nextstep
+
+Sun Sep  7 14:33:50 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Check invalid flag.
+
+Fri Sep  5 14:19:38 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/verify_user.c: Use get_init_creds/verify_init_creds.
+
+	* lib/kafs: Move functions common to krb/krb5 modules to new file,
+ 	and make things more modular.
+
+	* lib/krb5/krb5.h: rename STRING -> krb5_config_string, and LIST
+ 	-> krb5_config_list
+
+Thu Sep  4 23:39:43 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fix loopback test.
+
+Thu Sep  4 04:45:49 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/roken.h: fallback definition of `O_ACCMODE'
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful when
+ 	checking for a v4 reply
+
+Wed Sep  3 18:20:14 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop.c: Add `--decrypt' and `--encrypt' flags.
+
+	* lib/hdb/hdb.c: new {seal,unseal}_keys functions
+
+	* kdc/{hprop,hpropd}.c: Add support to dump database to stdout.
+
+	* kdc/hprop.c: Don't use same master key as version 4.
+
+	* admin/util.c: Don't dump core if no `default' is found.
+
+Wed Sep  3 16:01:07 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/connect.c: Allow run time port specification.
+
+	* kdc/config.c: Add flags for http support, and port
+ 	specifications.
+
+Tue Sep  2 02:00:03 1997  Assar Westerlund  <assar@sics.se>
+
+	* include/bits.c: Don't generate ifndef's in bits.h.  Instead, use
+ 	them when building the program.  This makes it possible to include
+ 	bits.h without having defined all HAVE_INT17_T symbols.
+	
+	* configure.in: test for sigaction
+
+	* doc: updated documentation.
+	
+Tue Sep  2 00:20:31 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0g
+
+Mon Sep  1 17:42:14 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/data.c: don't return ENOMEM if len == 0
+
+Sun Aug 31 17:15:49 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb/hdb.asn1: Include salt type in salt.
+
+	* kdc/hprop.h: Change port to 754.
+
+	* kdc/hpropd.c: Verify who tries to transmit a database.
+
+	* appl/popper: Use getarg and krb5_log.
+
+	* lib/krb5/get_port.c: Add context parameter. Now takes port in
+ 	host byte order.
+
+Sat Aug 30 18:48:19 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: Add timeout to select, and log about expired tcp
+ 	connections.
+
+	* kdc/config.c: Add `database' option.
+
+	* kdc/hpropd.c: Log about duplicate entries.
+
+	* lib/hdb/{db,ndbm}.c: Use common routines.
+
+	* lib/hdb/common.c: Implement more generic fetch/store/delete
+ 	functions.
+
+	* lib/hdb/hdb.h: Add `replace' parameter to store.
+	
+	* kdc/connect.c: Set filedecriptor to -1 on allocated decriptor
+ 	entries.
+
+Fri Aug 29 03:13:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c: extract_ticket -> _krb5_extract_ticket
+
+	* aux/make-proto.pl: fix __P for stone age mode
+
+Fri Aug 29 02:45:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/45/mk_req.c: implementation of krb_mk_req that uses 524
+ 	protocol
+
+	* lib/krb5/init_creds_pw.c: make change_password and
+ 	get_init_creds_common static
+
+	* lib/krb5/krb5.h: Merge stuff from removed headerfiles.
+
+	* lib/krb5/fcache.c: fcc_ops -> krb5_fcc_ops
+
+	* lib/krb5/mcache.c: mcc_ops -> krb5_mcc_ops
+
+Fri Aug 29 01:45:25 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/krb5.h: Remove all prototypes.
+
+	* lib/krb5/convert_creds.c: Use `struct credentials' instead of
+ 	`CREDENTIALS'.
+
+Fri Aug 29 00:08:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/gen_glue.c: new file. generates 2int and int2 functions
+	and units for bit strings.
+
+	* admin/util.c: flags2int, int2flags, and flag_units are now
+ 	generated by asn1_compile
+
+	* lib/roken/parse_units.c: generalised `parse_units' and
+ 	`unparse_units' and added new functions `parse_flags' and
+ 	`unparse_flags' that use these
+
+	* lib/krb5/krb5_locl.h: moved krb5_data* functions to krb5.h
+
+	* admin/util.c: Use {un,}parse_flags for printing and parsing
+ 	hdbflags.
+
+Thu Aug 28 03:26:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c: restructured
+
+	* lib/krb5/warn.c (_warnerr): leak less memory
+
+	* lib/hdb/hdb.c (hdb_free_entry): zero keys
+	(hdb_check_db_format): leak less memory
+
+	* lib/hdb/ndbm.c (NDBM_seq): check for valid hdb_entries implement
+ 	NDBM__get, NDBM__put
+
+	* lib/hdb/db.c (DB_seq): check for valid hdb_entries
+
+Thu Aug 28 02:06:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/send_to_kdc.c: Don't use sendto on connected sockets.
+
+Thu Aug 28 01:13:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.1, klist.1, kdestroy.1: new man pages
+
+	* kpasswd/kpasswd.1, kpasswdd.8: new man pages
+
+	* kdc/kstash.8, hprop.8, hpropd.8: new man pages
+
+	* admin/ktutil.8, admin/kdb_edit.8: new man pages
+
+	* admin/mod.c: new file
+
+	* admin/life.c: renamed gettime and puttime to getlife and putlife
+	and moved them to life.c
+
+	* admin/util.c: add print_flags, parse_flags, init_entry,
+ 	set_created_by, set_modified_by, edit_entry, set_password.  Use
+ 	them.
+
+	* admin/get.c: use print_flags
+
+	* admin: removed unused stuff.  use krb5_{warn,err}*
+
+	* admin/ank.c: re-organized and abstracted.
+
+	* admin/gettime.c: removed
+
+Thu Aug 28 00:37:39 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{get_cred,get_in_tkt}.c: Check for v4 reply.
+
+	* lib/roken/base64.c: Add base64 functions.
+
+	* kdc/connect.c lib/krb5/send_to_kdc.c: Add http support.
+
+Wed Aug 27 00:29:20 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* include/Makefile.am: Don't make links to built files.
+
+	* admin/kdb_edit.c: Add command to set the database path.
+
+	* lib/hdb: Include version number in database.
+
+Tue Aug 26 20:14:54 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/ktutil: Merged v4 srvtab conversion.
+
+Mon Aug 25 23:02:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/roken.h: add F_OK
+
+	* lib/gssapi/acquire_creds.c: fix typo
+
+	* configure.in: call AC_TYPE_MODE_T
+
+	* acinclude.m4: Add AC_TYPE_MODE_T
+
+Sun Aug 24 16:46:53 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0f
+
+Sun Aug 24 08:06:54 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/popper/pop_pass.c: log poppers
+
+	* kdc/kaserver.c: some more checks
+
+	* kpasswd/kpasswd.c: removed `-p'
+
+	* kuser/kinit.c: removed `-p'
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): If
+ 	KDC_ERR_PREUATH_REQUIRED, add preauthentication and try again.
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): don't print out
+ 	krb-error text
+
+	* lib/gssapi/import_name.c (input_name): more names types.
+
+	* admin/load.c (parse_keys): handle the case of an empty salt
+
+	* kdc/kaserver.c: fix up memory deallocation
+
+	* kdc/kaserver.c: quick hack at talking kaserver protocol
+
+	* kdc/kerberos4.c: Make `db-fetch4' global
+
+	* configure.in: add --enable-kaserver
+
+	* kdc/rx.h, kdc/kerberos4.h: new header files
+
+	* lib/krb5/principal.c: fix krb5_build_principal_ext & c:o
+
+Sun Aug 24 03:52:44 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/{get_in_tkt,mk_safe,mk_priv}.c: Fix some Cray specific
+ 	type conflicts.
+
+	* lib/krb5/{get_cred,get_in_tkt}.c: Mask nonce to 32 bits.
+
+	* lib/des/{md4,md5,sha}.c: Now works on Crays.
+
+Sat Aug 23 18:15:01 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* appl/afsutil/afslog.c: If no cells or files specified, get
+ 	tokens for all local cells. Better test for files.
+
+Thu Aug 21 23:33:38 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/v1.c: new file with v1 compatibility functions.
+
+Thu Aug 21 20:36:13 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/kafs/afskrb5.c: Don't check ticket file for afs ticket.
+
+	* kdc/kerberos4.c: Check database when converting v4 principals.
+
+	* kdc/kerberos5.c: Include kvno in Ticket.
+
+	* lib/krb5/encrypt.c: Add kvno parameter to encrypt_EncryptedData.
+
+	* kuser/klist.c: Print version number of ticket, include more
+ 	flags.
+
+Wed Aug 20 21:26:58 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/kafs/afskrb5.c (get_cred): Check cached afs tickets for
+ 	expiration.
+
+Wed Aug 20 17:40:31 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/recvauth.c (krb5_recvauth): Send a KRB-ERROR iff
+ 	there's an error.
+
+	* lib/krb5/sendauth.c (krb5_sendauth): correct the protocol
+ 	documentation and process KRB-ERROR's
+
+Tue Aug 19 20:41:30 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos4.c: Fix memory leak in v4 protocol handler.
+
+Mon Aug 18 05:15:09 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/accept_sec_context.c: Added
+ 	`gsskrb5_register_acceptor_identity'
+
+Sun Aug 17 01:40:20 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/accept_sec_context.c (gss_accept_sec_context): don't
+ 	always pass server == NULL to krb5_rd_req.
+
+	* lib/gssapi: new files: canonicalize_name.c export_name.c
+ 	context_time.c compare_name.c release_cred.c acquire_cred.c
+ 	inquire_cred.c, from Luke Howard <lukeh@xedoc.com.au>
+
+	* lib/krb5/config_file.c: Add netinfo support from Luke Howard
+ 	<lukeh@xedoc.com.au>
+
+	* lib/editline/sysunix.c: sgtty-support from Luke Howard
+ 	<lukeh@xedoc.com.au>
+
+	* lib/krb5/principal.c: krb5_sname_to_principal fix from Luke
+ 	Howard <lukeh@xedoc.com.au>
+
+Sat Aug 16 00:44:47 1997  Assar Westerlund  <assar@koi.pdc.kth.se>
+
+	* Release 0.0e
+
+Sat Aug 16 00:23:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* appl/afsutil/afslog.c: Use new libkafs.
+
+	* lib/kafs/afskrb5.c: Get AFS tokens via 524 protocol.
+
+	* lib/krb5/warn.c: Fix format string for *x type.
+
+Fri Aug 15 22:15:01 1997  Assar Westerlund  <assar@sics.se>
+
+	* admin/get.c (get_entry): print more information about the entry
+
+	* lib/des/Makefile.am: build destest, mdtest, des, rpw, speed
+
+	* lib/krb5/config_file.c: new functions `krb5_config_get_time' and
+ 	`krb5_config_vget_time'.  Use them.
+
+Fri Aug 15 00:09:37 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/ktutil.c: Keytab manipulation program.
+
+	* lib/krb5/keytab.c: Return sane values from resolve and
+ 	start_seq_get.
+
+	* kdc/kerberos5.c: Fix for old clients passing 0 for `no endtime'.
+
+	* lib/45/get_ad_tkt.c: Kerberos 4 get_ad_tkt using
+ 	krb524_convert_creds_kdc.
+
+	* lib/krb5/convert_creds.c: Implementation of
+ 	krb524_convert_creds_kdc.
+
+	* lib/asn1/k5.asn1: Make kdc-req-body.till OPTIONAL
+
+	* kdc/524.c: A somewhat working 524-protocol module.
+
+	* kdc/kerberos4.c: Add version 4 ticket encoding and encryption
+ 	functions.
+
+	* lib/krb5/context.c: Fix kdc_timeout.
+
+	* lib/hdb/{ndbm,db}.c: Free name in close.
+
+	* kdc/kerberos5.c (tgs_check_autenticator): Return error code
+
+Thu Aug 14 21:29:03 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c (tgs_make_reply): Fix endtime in reply.
+
+	* lib/krb5/store_emem.c: Fix reallocation bug.
+
+Tue Aug 12 01:29:46 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet/libtelnet/kerberos5.c, appl/popper/pop_init.c: Use
+ 	`krb5_sock_to_principal'.  Send server parameter to
+ 	krb5_rd_req/krb5_recvauth.  Set addresses in auth_context.
+
+	* lib/krb5/recvauth.c: Set addresses in auth_context if there
+ 	aren't any
+
+	* lib/krb5/auth_context.c: New function
+ 	`krb5_auth_con_setaddrs_from_fd'
+
+	* lib/krb5/sock_principal.c: new function
+	`krb5_sock_to_principal'
+	
+	* lib/krb5/time.c: new file with `krb5_timeofday' and
+ 	`krb5_us_timeofday'.  Use these functions.
+
+	* kuser/klist.c: print KDC offset iff verbose
+
+	* lib/krb5/get_in_tkt.c: implement KDC time offset and use it if
+ 	[libdefaults]kdc_timesync is set.
+	
+	* lib/krb5/fcache.c: Implement version 4 of the ccache format.
+
+Mon Aug 11 05:34:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_rep.c (krb5_free_ap_rep_enc_part): free all memory
+
+	* lib/krb5/principal.c (krb5_unparse_name): allocate memory
+ 	properly
+
+	* kpasswd/kpasswd.c: Use `krb5_change_password'
+
+	* lib/krb5/init_creds_pw.c (init_cred): set realm of server
+ 	correctly.
+
+	* lib/krb5/init_creds_pw.c: support changing of password when it
+ 	has expired
+
+	* lib/krb5/changepw.c: new file
+
+	* kuser/klist.c: use getarg
+
+	* admin/init.c (init): add `kadmin/changepw'
+
+Mon Aug 11 04:30:47 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_cred.c: Make get_credentials handle cross-realm.
+
+Mon Aug 11 00:03:24 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c: implement support for #-comments
+
+Sat Aug  9 02:21:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/hprop*.c: Add database propagation programs.
+
+	* kdc/connect.c: Max request size.
+
+Sat Aug  9 00:47:28 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/otp: resurrected from krb4
+
+	* appl/push: new program for fetching mail with POP.
+
+	* appl/popper/popper.h: new include files.  new fields in `POP'
+
+	* appl/popper/pop_pass.c: Implement both v4 and v5.
+
+	* appl/popper/pop_init.c: Implement both v4 and v5.
+
+	* appl/popper/pop_debug.c: use getarg.  Talk both v4 and v5
+
+	* appl/popper: Popper from krb4.
+
+	* configure.in: check for inline and <netinet/tcp.h> generate
+ 	files in appl/popper, appl/push, and lib/otp
+
+Fri Aug  8 05:51:02 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c: clean-up and try to free memory even when
+ 	there're errors
+
+	* lib/krb5/get_cred.c: adapt to new `extract_ticket'
+
+	* lib/krb5/get_in_tkt.c: reorganize.  check everything and try to
+ 	return memory even if there are errors.
+
+	* kuser/kverify.c: new file
+
+	* lib/krb5/free_host_realm.c: new file
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): implement
+ 	different nametypes.  Also free memory.
+
+	* lib/krb5/verify_init.c: more functionality
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): free the checksum
+
+	* lib/krb5/get_in_tkt.c (extract_ticket): don't copy over the
+ 	principals in creds.  Should also compare them with that received
+ 	from the KDC
+
+	* lib/krb5/cache.c (krb5_cc_gen_new): copy the newly allocated
+ 	krb5_ccache
+	(krb5_cc_destroy): call krb5_cc_close
+	(krb5_cc_retrieve_cred): delete the unused creds
+
+Fri Aug  8 02:30:40 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/log.c: Allow better control of destinations of logging
+ 	(like passing explicit destinations, and log-functions).
+
+Fri Aug  8 01:20:39 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_default_principal.c: new file
+
+	* kpasswd/kpasswdd.c: use krb5_log*
+
+Fri Aug  8 00:37:47 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/init_creds_pw.c: Implement krb5_get_init_creds_keytab.
+
+Fri Aug  8 00:37:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c: Use `krb5_get_default_principal'.
+  	Print password expire information.
+
+	* kdc/config.c: new variable `kdc_warn_pwexpire'
+
+	* kpasswd/kpasswd.c: converted to getarg and get_init_creds
+
+Thu Aug  7 22:17:09 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mcache.c: new file
+
+	* admin/gettime.c: new function puttime.  Use it.
+
+	* lib/krb5/keyblock.c: Added krb5_free_keyblock and
+ 	krb5_copy_keyblock
+
+	* lib/krb5/init_creds_pw.c: more functionality
+
+	* lib/krb5/creds.c: Added krb5_free_creds_contents and
+ 	krb5_copy_creds.  Changed callers.
+
+	* lib/krb5/config_file.c: new functions krb5_config_get and
+ 	krb5_config_vget
+
+	* lib/krb5/cache.c: cleanup added mcache
+	
+	* kdc/kerberos5.c: include last-req's of type 6 and 7, if
+ 	applicable
+
+Wed Aug  6 20:38:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/log.c: New parameter `log-level'. Default to `SYSLOG'.
+
+Tue Aug  5 22:53:54 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/verify_init.c, init_creds_pw.c, init_creds.c,
+	prompter_posix.c: the beginning of an implementation of the cygnus
+	initial-ticket API.
+
+	* lib/krb5/get_in_tkt_pw.c: make `krb5_password_key_proc' global
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): new function that is
+ 	almost krb5_get_in_tkt but doesn't write the creds to the ccache.
+  	Small fixes in krb5_get_in_tkt
+
+	* lib/krb5/get_addrs.c (krb5_get_all_client_addrs): don't include
+ 	loopback.
+
+Mon Aug  4 20:20:48 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc: Make context global.
+
+Fri Aug  1 17:23:56 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0d
+
+	* lib/roken/flock.c: new file
+
+	* kuser/kinit.c: check for and print expiry information in the
+ 	`kdc_rep'
+
+	* lib/krb5/get_in_tkt.c: Set `ret_as_reply' if != NULL
+
+	* kdc/kerberos5.c: Check the valid times on client and server.
+  	Check the password expiration.
+	Check the require_preauth flag.
+  	Send an lr_type == 6 with pw_end.
+	Set key.expiration to min(valid_end, pw_end)
+	
+	* lib/hdb/hdb.asn1: new flags `require_preauth' and `change_pw'
+
+	* admin/util.c, admin/load.c: handle the new flags.
+
+Fri Aug  1 16:56:12 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb: Add some simple locking.
+
+Sun Jul 27 04:44:31 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/log.c: Add some general logging functions.
+
+	* kdc/kerberos4.c: Add version 4 protocol handler. The requrement
+ 	for this to work is that all involved principals has a des key in
+ 	the database, and that the client has a version 4 (un-)salted
+ 	key. Furthermore krb5_425_conv_principal has to do it's job, as
+ 	present it's not very clever.
+
+	* lib/krb5/principal.c: Quick patch to make 425_conv work
+ 	somewhat.
+
+	* lib/hdb/hdb.c: Add keytype->key and next key functions.
+
+Fri Jul 25 17:32:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): don't free
+ 	`cksum'.  It's allocated and freed by the caller
+
+	* lib/krb5/get_cred.c (krb5_get_kdc_cred): Don't free `addresses'.
+
+	* kdc/kerberos5.c (tgs_rep2): make sure we also have an defined
+ 	`client' to return as part of the KRB-ERROR
+
+Thu Jul 24 08:13:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c: Unseal keys from database before use.
+
+	* kdc/misc.c: New functions set_master_key, unseal_key and
+ 	free_key.
+
+	* lib/roken/getarg.c: Handle `-f arg' correctly.
+
+Thu Jul 24 01:54:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: implement `-l' aka `--lifetime'
+
+	* lib/roken/parse_units.c, parse_time.c: new files
+
+	* admin/gettime.c (gettime): use `parse_time'
+
+	* kdc/kerberos5.c (as_rep): Use `METHOD-DATA' when sending
+ 	KRB5KDC_ERR_PREAUTH_REQUIRED, not PA-DATA.
+
+	* kpasswd/kpasswdd.c: fix freeing bug use sequence numbers set
+ 	addresses in auth_context bind one socket per interface.
+	
+	* kpasswd/kpasswd.c: use sequence numbers
+
+	* lib/krb5/rd_req.c (krb5_verify_ap_req): do abs when verifying
+ 	the timestamps
+
+	* lib/krb5/rd_priv.c (krb5_rd_priv): Fetch the correct session key
+ 	from auth_context
+
+	* lib/krb5/mk_priv.c (krb5_mk_priv): Fetch the correct session key
+ 	from auth_context
+
+	* lib/krb5/mk_error.c (krb5_mk_error): return an error number and
+ 	not a comerr'd number.
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_tkt): interpret the error
+ 	number in KRB-ERROR correctly.
+
+	* lib/krb5/get_cred.c (krb5_get_kdc_cred): interpret the error
+ 	number in KRB-ERROR correctly.
+
+	* lib/asn1/k5.asn1: Add `METHOD-DATA'
+
+	* removed some memory leaks.
+
+Wed Jul 23 07:53:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.0c
+
+	* lib/krb5/rd_cred.c, get_for_creds.c: new files
+
+	* lib/krb5/get_host_realm.c: try default realm as last chance
+
+	* kpasswd/kpasswdd.c: updated to hdb changes
+
+	* appl/telnet/libtelnet/kerberos5.c: Implement forwarding
+
+	* appl/telnet/libtelnet: removed totally unused files
+
+	* admin/ank.c: fix prompts and generation of random keys
+
+Wed Jul 23 04:02:32 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* admin/dump.c: Include salt in dump.
+
+	* admin: Mostly updated for new db-format.
+
+	* kdc/kerberos5.c: Update to use new db format. Better checking of
+ 	flags and such. More logging.
+
+	* lib/hdb/hdb.c: Use generated encode and decode functions.
+
+	* lib/hdb/hdb.h: Get hdb_entry from ASN.1 generated code.
+
+	* lib/krb5/get_cred.c: Get addresses from krbtgt if there are none
+ 	in the reply.
+
+Sun Jul 20 16:22:30 1997  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: break if des_read_pw_string() != 0
+
+	* kpasswd/kpasswdd.c: send a reply
+
+	* kpasswd/kpasswd.c: restructured code.  better report on
+ 	krb-error break if des_read_pw_string() != 0
+
+	* kdc/kerberos5.c: Check `require_enc_timestamp' malloc space for
+ 	starttime and renew_till
+
+	* appl/telnet/libtelnet/kerberos5.c (kerberos5_is): Send a
+ 	keyblock to krb5_verify_chekcsum
+
+Sun Jul 20 06:35:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Release 0.0b
+
+	* kpasswd/kpasswd.c: Avoid using non-standard struct names.
+
+Sat Jul 19 19:26:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c (krb5_kt_get_entry): check return from
+ 	`krb5_kt_start_seq_get'.  From <map@stacken.kth.se>
+
+Sat Jul 19 04:07:39 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/asn1/k5.asn1: Update with more pa-data types from
+ 	draft-ietf-cat-kerberos-revisions-00.txt
+
+	* admin/load.c: Update to match current db-format.
+
+	* kdc/kerberos5.c (as_rep): Try all valid pa-datas before giving
+ 	up. Send back an empty pa-data if the client has the v4 flag set.
+
+	* lib/krb5/get_in_tkt.c: Pass both version5 and version4 salted
+ 	pa-data. DTRT if there is any pa-data in the reply.
+
+	* lib/krb5/str2key.c: XOR with some sane value.
+
+	* lib/hdb/hdb.h: Add `version 4 salted key' flag.
+
+	* kuser/kinit.c: Ask for password before calling get_in_tkt. This
+ 	makes it possible to call key_proc more than once.
+
+	* kdc/string2key.c: Add flags to output version 5 (DES only),
+ 	version 4, and AFS string-to-key of a password.
+
+	* lib/asn1/gen_copy.c: copy_* functions now returns an int (0 or
+ 	ENOMEM).
+
+Fri Jul 18 02:54:58 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): do the
+ 	name2name thing
+
+	* kdc/misc.c: check result of hdb_open
+
+	* admin/kdb_edit: updated to new sl
+
+	* lib/sl: sl_func now returns an int. != 0 means to exit.
+
+	* kpasswd/kpasswdd: A crude (but somewhat working) implementation
+ 	of `draft-ietf-cat-kerb-chg-password-00.txt'
+
+Fri Jul 18 00:55:39 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kuser/krenew.c: Crude ticket renewing program.
+
+	* kdc/kerberos5.c: Rewritten flags parsing, it now might work to
+ 	get forwarded and renewed tickets.
+
+	* kuser/kinit.c: Add `-r' flag.
+
+	* lib/krb5/get_cred.c: Move most of contents of get_creds to new
+ 	function get_kdc_cred, that always contacts the kdc and doesn't
+ 	save in the cache. This is a hack.
+
+	* lib/krb5/get_in_tkt.c: Pass starttime and renew_till in request
+ 	(a bit kludgy).
+
+	* lib/krb5/mk_req_ext.c: Make an auth_context if none passed in.
+
+	* lib/krb5/send_to_kdc.c: Get timeout from context.
+
+	* lib/krb5/context.c: Add kdc_timeout to context struct.
+
+Thu Jul 17 20:35:45 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kuser/klist.c: Print start time of ticket if available.
+
+	* lib/krb5/get_host_realm.c: Return error if no realm was found.
+
+Thu Jul 17 20:28:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd: non-working kpasswd added
+
+Thu Jul 17 00:21:22 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* Release 0.0a
+
+	* kdc/main.c: Add -p flag to disable pa-enc-timestamp requirement.
+
+Wed Jul 16 03:37:41 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/kerberos5.c (tgs_rep2): Free ticket and ap_req.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_free): Free remote
+ 	subkey.
+
+	* lib/krb5/principal.c (krb5_free_principal): Check for NULL.
+
+	* lib/krb5/send_to_kdc.c: Check for NULL return from
+ 	gethostbyname.
+
+	* lib/krb5/set_default_realm.c: Try to get realm of local host if
+ 	no default realm is available.
+
+	* Remove non ASN.1 principal code.
+
+Wed Jul 16 03:17:30 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kerberos5.c: Split tgs_rep in smaller functions. Add better
+ 	error handing. Do some logging.
+
+	* kdc/log.c: Some simple logging facilities.
+
+	* kdc/misc.c (db_fetch): Take a krb5_principal.
+
+	* kdc/connect.c: Pass address of request to as_rep and
+ 	tgs_rep. Send KRB-ERROR.
+
+	* lib/krb5/mk_error.c: Add more fields.
+
+	* lib/krb5/get_cred.c: Print normal error code if no e_text is
+ 	available.
+
+Wed Jul 16 03:07:50 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c: implement `krb5_init_etype'.
+ 	Change encryption type of pa_enc_timestamp to DES-CBC-MD5
+
+	* lib/krb5/context.c: recognize all encryption types actually
+ 	implemented
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): Change default
+ 	encryption type to `DES_CBC_MD5'
+
+	*  lib/krb5/read_message.c, write_message.c: new files
+
+Tue Jul 15 17:14:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1: replaced asn1_locl.h by `der_locl.h' and `gen_locl.h'.
+
+	* lib/error/compile_et.awk: generate a prototype for the
+ 	`destroy_foo_error_table' function.
+
+Mon Jul 14 12:24:40 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krbhst.c (krb5_get_krbhst): Get all kdc's and try also
+ 	with `kerberos.REALM'
+
+	* kdc/kerberos5.c, lib/krb5/rd_priv.c, lib/krb5/rd_safe.c: use
+ 	`max_skew'
+
+	* lib/krb5/rd_req.c (krb5_verify_ap_req): record authenticator
+ 	subkey
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): always
+ 	generate a subkey.
+
+	* lib/krb5/address.c: implement `krb5_address_order'
+
+	* lib/gssapi/import_name.c: Implement `gss_import_name'
+
+	* lib/gssapi/external.c: Use new OID
+
+	* lib/gssapi/encapsulate.c: New functions
+ 	`gssapi_krb5_encap_length' and `gssapi_krb5_make_header'.  Changed
+	callers.
+
+	* lib/gssapi/decapsulate.c: New function
+ 	`gssaspi_krb5_verify_header'.  Changed callers.
+
+	* lib/asn1/gen*.c: Give tags to generated structs.
+	Use `err' and `asprintf'
+
+	* appl/test/gss_common.c: new file
+
+	* appl/test/gssapi_server.c: removed all krb5 calls
+
+	* appl/telnet/libtelnet/kerberos5.c: Add support for genering and
+ 	verifying checksums.  Also start using session subkeys.
+
+Mon Jul 14 12:08:25 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/rd_req.c (krb5_rd_req_with_keyblock): Split up.
+
+Sun Jul 13 03:07:44 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c, mk_safe.c: made bug-compatible with MIT
+
+	* lib/krb5/encrypt.c: new functions `DES_encrypt_null_ivec' and
+ 	`DES_encrypt_key_ivec'
+
+	* lib/krb5/checksum.c: implement rsa-md4-des and rsa-md5-des
+
+	* kdc/kerberos5.c (tgs_rep): support keyed checksums
+
+	* lib/krb5/creds.c: new file
+
+	* lib/krb5/get_in_tkt.c: better freeing
+
+	* lib/krb5/context.c (krb5_free_context): more freeing
+
+	* lib/krb5/config_file.c: New function `krb5_config_file_free'
+
+	* lib/error/compile_et.awk: Generate a `destroy_' function.
+
+	* kuser/kinit.c, klist.c: Don't leak memory.
+
+Sun Jul 13 02:46:27 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kdc/connect.c: Check filedescriptor in select.
+
+	* kdc/kerberos5.c: Remove most of the most common memory leaks.
+
+	* lib/krb5/rd_req.c: Free allocated data.
+
+	* lib/krb5/auth_context.c (krb5_auth_con_free): Free a lot of
+ 	fields.
+
+Sun Jul 13 00:32:16 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet: Conditionalize the krb4-support.
+
+	* configure.in: Test for krb4
+
+Sat Jul 12 17:14:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c: check if the pre-auth was decrypted properly.
+  	set the `pre_authent' flag
+
+	* lib/krb5/get_cred.c, lib/krb5/get_in_tkt.c: generate a random nonce.
+
+	* lib/krb5/encrypt.c: Made `generate_random_block' global.
+
+	* appl/test: Added gssapi_client and gssapi_server.
+
+	* lib/krb5/data.c: Add `krb5_data_zero'
+
+	* appl/test/tcp_client.c: try `mk_safe' and `mk_priv'
+
+	* appl/test/tcp_server.c: try `rd_safe' and `rd_priv'
+
+Sat Jul 12 16:45:58 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fix for systems that has sa_len, but
+ 	returns zero length from SIOCGIFCONF.
+
+Sat Jul 12 16:38:34 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/test: new programs
+	
+	* lib/krb5/rd_req.c: add address compare
+
+	* lib/krb5/mk_req_ext.c: allow no checksum
+
+	* lib/krb5/keytab.c (krb5_kt_ret_string): 0-terminate string
+
+	* lib/krb5/address.c: fix `krb5_address_compare'
+
+Sat Jul 12 15:03:16 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: Fix ip4 address extraction.
+
+	* kuser/klist.c: Add verbose flag, and split main into smaller
+ 	pieces.
+
+	* lib/krb5/fcache.c: Save ticket flags.
+
+	* lib/krb5/get_in_tkt.c (extract_ticket): Extract addresses and
+ 	flags.
+
+	* lib/krb5/krb5.h: Add ticket_flags to krb5_creds.
+
+Sat Jul 12 13:12:48 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: Call `AC_KRB_PROG_LN_S'
+
+	* acinclude.m4: Add `AC_KRB_PROG_LN_S' from krb4
+
+Sat Jul 12 00:57:01 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt.c: Use union of krb5_flags and KDCOptions to
+ 	pass options.
+
+Fri Jul 11 15:04:22 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet: telnet & telnetd seems to be working.
+	
+	* lib/krb5/config_file.c: Added krb5_config_v?get_list Fixed
+ 	krb5_config_vget_next
+
+	* appl/telnet/libtelnet/kerberos5.c: update to current API
+
+Thu Jul 10 14:54:39 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/telnet/libtelnet/kerberos5.c (kerberos5_status): call
+ 	`krb5_kuserok'
+
+	* appl/telnet: Added.
+
+Thu Jul 10 05:09:25 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/error/compile_et.awk: Remove usage of sub, gsub, and
+ 	functions for compatibility with awk.
+
+	* include/bits.c: Must use signed char.
+
+	* lib/krb5/context.c: Move krb5_get_err_text, and krb5_init_ets
+ 	here.
+
+	* lib/error/error.c: Replace krb5_get_err_text with new function
+ 	com_right.
+
+	* lib/error/compile_et.awk: Avoid using static variables.
+
+	* lib/error/error.c: Don't use krb5_locl.h
+
+	* lib/error/error.h: Move definitions of error_table and
+ 	error_list from krb5.h.
+
+	* lib/error: Moved from lib/krb5.
+
+Wed Jul  9 07:42:04 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/encrypt.c: Temporary hack to avoid des_rand_data.
+
+Wed Jul  9 06:58:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/{rd,mk}_{*}.c: more checking for addresses and stuff
+	according to pseudocode from 1510
+
+Wed Jul  9 06:06:06 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/hdb/hdb.c: Add hdb_etype2key.
+
+	* kdc/kerberos5.c: Check authenticator. Use more general etype
+ 	functions.
+	
+Wed Jul  9 03:51:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/k5.asn1: Made all `s_address' OPTIONAL according to
+ 	draft-ietf-cat-kerberos-r-00.txt
+
+	* lib/krb5/principal.c (krb5_parse_name): default to local realm
+ 	if none given
+	
+	* kuser/kinit.c: New option `-p' and prompt
+
+Wed Jul  9 02:30:06 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/keyblock.c: Keyblock generation functions.
+
+	* lib/krb5/encrypt.c: Use functions from checksum.c.
+
+	* lib/krb5/checksum.c: Move checksum functions here. Add
+ 	krb5_cksumsize function.
+
+Wed Jul  9 01:15:38 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c: implemented
+
+	* lib/krb5/config_file.c: Redid part.  New functions:
+ 	krb5_config_v?get_next
+
+	* kuser/kdestroy.c: new program
+
+	* kuser/kinit.c: new flag `-f'
+
+	* lib/asn1/k5.asn1: Made HostAddresses = SEQUENCE OF HostAddress
+
+	* acinclude.m4: Added AC_KRB_STRUCT_SOCKADDR_SA_LEN
+
+	* lib/krb5/krb5.h: krb5_addresses == HostAddresses.  Changed all
+ 	users.
+
+	* lib/krb5/get_addrs.c: figure out all local addresses, possibly
+ 	even IPv6!
+
+	* lib/krb5/checksum.c: table-driven checksum
+
+Mon Jul  7 21:13:28 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/encrypt.c: Make krb5_decrypt use the same struct as
+ 	krb5_encrypt.
+
+Mon Jul  7 11:15:51 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/roken/vsyslog.c: new file
+
+	* lib/krb5/encrypt.c: add des-cbc-md4.
+	adjust krb5_encrypt and krb5_decrypt to reality
+
+Mon Jul  7 02:46:31 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/encrypt.c: Implement as a vector of function pointers.
+
+	* lib/krb5/{decrypt,encrypt}.c: Implement des-cbc-crc, and
+ 	des-cbc-md5 in separate functions.
+
+	* lib/krb5/krb5.h: Add more checksum and encryption types.
+
+	* lib/krb5/krb5_locl.h: Add etype to krb5_decrypt.
+
+Sun Jul  6 23:02:59 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/[gs]et_default_realm.c, kuserok.c: new files
+
+	* lib/krb5/config_file.[ch]: new c-based configuration reading
+ 	stuff
+
+Wed Jul  2 23:12:56 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: Set WFLAGS if using gcc
+
+Wed Jul  2 17:47:03 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/der_put.c (der_put_int): Return size correctly.
+
+	* admin/ank.c: Be compatible with the asn1 principal format.
+
+Wed Jul  1 23:52:20 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1: Now all decode_* and encode_* functions now take a
+ 	final size_t* argument, that they return the size in. Return
+ 	values are zero for success, and anything else (such as some
+ 	ASN1_* constant) for error.
+
+Mon Jun 30 06:08:14 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c (krb5_kt_add_entry): change open mode to
+ 	O_WRONLY | O_APPEND
+
+	* lib/krb5/get_cred.c: removed stale prototype for
+ 	`extract_ticket' and corrected call.
+
+	* lib/asn1/gen_length.c (length_type): Make the length functions
+ 	for SequenceOf non-destructive
+
+	* admin/ank.c (doit): Fix reading of `y/n'.
+
+Mon Jun 16 05:41:43 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi/wrap.c, unwrap.c: do encrypt and add sequence number
+
+	* lib/gssapi/get_mic.c, verify_mic.c: Add sequence number.
+
+	* lib/gssapi/accept_sec_context.c (gss_accept_sec_context): Set
+ 	KRB5_AUTH_CONTEXT_DO_SEQUENCE.  Verify 8003 checksum.
+
+	* lib/gssapi/8003.c: New file.
+
+	* lib/krb/krb5.h: Define a `krb_authenticator' as an ASN.1
+ 	Authenticator.
+
+	* lib/krb5/auth_context.c: New functions
+ 	`krb5_auth_setlocalseqnumber' and `krb5_auth_setremoteseqnumber'
+
+Tue Jun 10 00:35:54 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5: Preapre for use of some asn1-types.
+
+	* lib/asn1/*.c (copy_*): Constness.
+
+	* lib/krb5/krb5.h: Include asn1.h; krb5_data is now an
+ 	octet_string.
+
+	* lib/asn1/der*,gen.c: krb5_data -> octet_string, char * ->
+ 	general_string
+
+	* lib/asn1/libasn1.h: Moved stuff from asn1_locl.h that doesn't
+ 	have anything to do with asn1_compile.
+
+	* lib/asn1/asn1_locl.h: Remove der.h. Add some prototypes.
+
+Sun Jun  8 03:51:55 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c: Fix PA-ENC-TS-ENC
+
+ 	* kdc/connect.c(process_request): Set `new'
+	
+	* lib/krb5/get_in_tkt.c: Do PA-ENC-TS-ENC the correct way.
+
+	* lib: Added editline,sl,roken.
+
+Mon Jun  2 00:37:48 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/fcache.c: Move file cache from cache.c.
+
+	* lib/krb5/cache.c: Allow more than one cache type.
+
+Sun Jun  1 23:45:33 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* admin/extkeytab.c: Merged with kdb_edit.
+
+Sun Jun  1 23:23:08 1997  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kdc.c: more support for ENC-TS-ENC
+
+	* lib/krb5/get_in_tkt.c: redone to enable pre-authentication
+
+Sun Jun  1 22:45:11 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/hdb/db.c: Merge fetch and store.
+
+	* admin: Merge to one program.
+
+	* lib/krb5/str2key.c: Fill in keytype and length.
+
+Sun Jun  1 16:31:23 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c, lib/krb5/rd_priv.c, lib/krb5/mk_rep.c,
+ 	lib/krb5/mk_priv.c, lib/krb5/build_auth.c: Some support for
+ 	KRB5_AUTH_CONTEXT_DO_SEQUENCE
+
+	* lib/krb5/get_in_tkt.c (get_in_tkt): be prepared to parse an
+ 	KRB_ERROR.  Some support for PA_ENC_TS_ENC.
+
+	* lib/krb5/auth_context.c: implemented seq_number functions
+
+	* lib/krb5/generate_subkey.c, generate_seq_number.c: new files
+
+	* lib/gssapi/gssapi.h: avoid including <krb5.h>
+
+	* lib/asn1/Makefile.am: SUFFIXES as a variable to make automake
+ 	happy
+
+	* kdc/kdc.c: preliminary PREAUTH_ENC_TIMESTAMP
+
+	* configure.in: adapted to automake 1.1p
+
+Mon May 26 22:26:21 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/principal.c: Add contexts to many functions.
+
+Thu May 15 20:25:37 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/verify_user.c: First stab at a verify user.
+
+	* lib/auth/sia/sia5.c: SIA module for Kerberos 5.
+
+Mon Apr 14 00:09:03 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/gssapi: Enough of a gssapi-over-krb5 implementation to be
+	able to (mostly) run gss-client and gss-server.
+	
+	* lib/krb5/keytab.c: implemented krb5_kt_add_entry,
+ 	krb5_kt_store_principal, krb5_kt_store_keyblock
+
+	* lib/des/md5.[ch], sha.[ch]: new files
+
+	* lib/asn1/der_get.c (generalizedtime2time): use `timegm'
+
+	* lib/asn1/timegm.c: new file
+
+	* admin/extkeytab.c: new program
+
+	* admin/admin_locl.h: new file
+
+	* admin/Makefile.am: Added extkeytab
+
+	* configure.in: moved config to include
+	removed timezone garbage
+	added lib/gssapi and admin
+
+	* Makefile.am: Added admin
+
+Mon Mar 17 11:34:05 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kdc.c: Use new copying functions, and free some data.
+
+	* lib/asn1/Makefile.am: Try to not always rebuild generated files.
+
+	* lib/asn1/der_put.c: Add fix_dce().
+
+	* lib/asn1/der_{get,length,put}.c: Fix include files.
+
+	* lib/asn1/der_free.c: Remove unused functions.
+	
+	* lib/asn1/gen.c: Split into gen_encode, gen_decode, gen_free,
+ 	gen_length, and gen_copy.
+
+Sun Mar 16 18:13:52 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/sendauth.c: implemented functionality
+
+	* lib/krb5/rd_rep.c: Use `krb5_decrypt'
+
+	* lib/krb5/cache.c (krb5_cc_get_name): return default if `id' ==
+ 	NULL
+
+	* lib/krb5/principal.c (krb5_free_principal): added `context'
+ 	argument.  Changed all callers.
+	
+	(krb5_sname_to_principal): new function
+
+	* lib/krb5/auth_context.c (krb5_free_authenticator): add `context'
+ 	argument.  Changed all callers
+
+	* lib/krb5/{net_write.c,net_read.c,recvauth.c}: new files
+
+	* lib/asn1/gen.c: Fix encoding and decoding of BitStrings
+
+Fri Mar 14 11:29:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: look for *dbm?
+
+	* lib/asn1/gen.c: Fix filename in generated files. Check fopens.
+  	Put trailing newline in asn1_files.
+
+Fri Mar 14 05:06:44 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/get_in_tkt.c: Fix some memory leaks.
+
+	* lib/krb5/krbhst.c: Properly free hostlist.
+
+	* lib/krb5/decrypt.c: CRCs are 32 bits.
+
+Fri Mar 14 04:39:15 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/gen.c: Generate one file for each type.
+
+Fri Mar 14 04:13:47 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/gen.c: Generate `length_FOO' functions
+
+	* lib/asn1/der_length.c: new file
+
+	* kuser/klist.c: renamed stime -> printable_time to avoid conflict
+ 	on HP/UX
+
+Fri Mar 14 03:37:23 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/hdb/ndbm.c: Return NOENTRY if fetch fails. Don't free
+ 	datums. Don't add .db to filename.
+
+Fri Mar 14 02:49:51 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/dump.c: Database dump program.
+
+	* kdc/ank.c: Trivial database editing program.
+
+	* kdc/{kdc.c, load.c}: Use libhdb.
+
+	* lib/hdb: New database routine library.
+
+	* lib/krb5/error/Makefile.am: Add hdb_err.
+
+Wed Mar 12 17:41:14 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* kdc/kdc.c: Rewritten AS, and somewhat more working TGS support.
+
+	* lib/asn1/gen.c: Generate free functions.
+
+	* Some specific free functions.
+
+Wed Mar 12 12:30:13 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5_mk_req_ext.c: new file
+
+	* lib/asn1/gen.c: optimize the case with a simple type
+
+	* lib/krb5/get_cred.c (krb5_get_credentials): Use
+ 	`mk_req_extended' and remove old code.
+
+	* lib/krb5/get_in_tkt.c (decrypt_tkt): First try with an
+ 	EncASRepPart, then with an EncTGSRepPart.
+
+Wed Mar 12 08:26:04 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/store_emem.c: New resizable memory storage.
+
+	* lib/krb5/{store.c, store_fd.c, store_mem.c}: Split of store.c
+
+	* lib/krb5/krb5.h: Add free entry to krb5_storage.
+
+	* lib/krb5/decrypt.c: Make keyblock const.
+
+Tue Mar 11 20:22:17 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/krb5.h: Add EncTicketPart to krb5_ticket.
+
+	* lib/krb5/rd_req.c: Return whole asn.1 ticket in
+ 	krb5_ticket->tkt.
+
+	* lib/krb5/get_in_tkt.c: TGS -> AS
+
+	* kuser/kfoo.c: Print error string rather than number.
+
+	* kdc/kdc.c: Some kind of non-working TGS support.
+
+Mon Mar 10 01:43:22 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/gen.c: reduced generated code by 1/5
+
+ 	* lib/asn1/der_put.c: (der_put_length_and_tag): new function
+
+	* lib/asn1/der_get.c (der_match_tag_and_length): new function
+
+	* lib/asn1/der.h: added prototypes
+
+Mon Mar 10 01:15:43 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/krb5.h: Include <asn1_err.h>. Add prototype for
+ 	krb5_rd_req_with_keyblock.
+
+	* lib/krb5/rd_req.c: Add function krb5_rd_req_with_keyblock that
+ 	takes a precomputed keyblock.
+
+	* lib/krb5/get_cred.c: Use krb5_mk_req rather than inlined code.
+
+	* lib/krb5/mk_req.c: Calculate checksum of in_data.
+
+Sun Mar  9 21:17:58 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/error/compile_et.awk: Add a declaration of struct
+ 	error_list, and multiple inclusion block to header files.
+
+Sun Mar  9 21:01:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c: do some checks on times
+
+	* lib/krb/{mk_priv.c, rd_priv.c, sendauth.c, decrypt.c,
+	address.c}: new files
+
+	* lib/krb5/auth_context.c: more code
+
+	* configure.in: try to figure out timezone
+
+Sat Mar  8 11:41:07 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/error/error.c: Try strerror if error code wasn't found.
+
+	* lib/krb5/get_in_tkt.c: Remove realm parameter from
+ 	krb5_get_salt.
+
+	* lib/krb5/context.c: Initialize error table.
+
+	* kdc: The beginnings of a kdc.
+
+Sat Mar  8 08:16:28 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c: new file
+
+	* lib/krb5/checksum.c (krb5_verify_checksum): New function
+
+	* lib/krb5/get_cred.c: use krb5_create_checksum
+
+	* lib/krb5/checksum.c: new file
+
+	* lib/krb5/store.c: no more arithmetic with void*
+
+	* lib/krb5/cache.c: now seems to work again
+
+Sat Mar  8 06:58:09 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/Makefile.am: Add asn1_glue.c and error/*.c to libkrb5.
+
+	* lib/krb5/get_in_tkt.c: Moved some functions to asn1_glue.c.
+
+	* lib/krb5/asn1_glue.c: Moved some asn1-stuff here.
+	
+	* lib/krb5/{cache,keytab}.c: Use new storage functions.
+
+	* lib/krb5/krb5.h: Protypes for new storage functions.
+
+	* lib/krb5/krb5.h: Make krb5_{ret,store}_* functions able to write
+ 	data to more than file descriptors.
+
+Sat Mar  8 01:01:17 1997  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/encrypt.c: New file.
+
+	* lib/krb5/Makefile.am: More -I
+
+	* configure.in: Test for big endian, random, rand, setitimer
+
+	* lib/asn1/gen.c: perhaps even decodes bitstrings
+
+Thu Mar  6 19:05:29 1997  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/config_file.y: Better return values on error.
+
+Sat Feb  8 15:59:56 1997  Assar Westerlund  <assar@pdc.kth.se>
+
+	* lib/asn1/parse.y: ifdef HAVE_STRDUP
+
+	* lib/asn1/lex.l: ifdef strdup
+	brange-dead version of list of special characters to make stupid
+ 	lex accept it.
+
+	* lib/asn1/gen.c: A DER integer should really be a `unsigned'
+
+	* lib/asn1/der_put.c: A DER integer should really be a `unsigned'
+
+	* lib/asn1/der_get.c: A DER integer should really be a `unsigned'
+
+	* lib/krb5/error/Makefile.am: It seems "$(SHELL) ./compile_et" is
+ 	needed.
+
+	* lib/krb/mk_rep.c, lib/krb/rd_req.c, lib/krb/store.c,
+ 	lib/krb/store.h: new files.
+
+	* lib/krb5/keytab.c: now even with some functionality.
+
+	* lib/asn1/gen.c: changed paramater from void * to Foo *
+
+	* lib/asn1/der_get.c (der_get_octet_string): Fixed bug with empty
+ 	string.
+
+Sun Jan 19 06:17:39 1997  Assar Westerlund  <assar@pdc.kth.se>
+
+	* lib/krb5/get_cred.c (krb5_get_credentials): Check for creds in
+ 	cc before getting new ones.
+
+	* lib/krb5/krb5.h (krb5_free_keyblock): Fix prototype.
+
+	* lib/krb5/build_auth.c (krb5_build_authenticator): It seems the
+ 	CRC should be stored LSW first. (?)
+
+	* lib/krb5/auth_context.c: Implement `krb5_auth_con_getkey' and
+ 	`krb5_free_keyblock'
+
+	* lib/**/Makefile.am: Rename foo libfoo.a
+
+	* include/Makefile.in: Use test instead of [
+	-e does not work with /bin/sh on psoriasis
+
+	* configure.in: Search for awk
+	create lib/krb/error/compile_et
+	
+Tue Jan 14 03:46:26 1997  Assar Westerlund  <assar@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: replaced mit-crc.c by crc.c
+
+Wed Dec 18 00:53:55 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kuser/kinit.c: Guess principal.
+
+	* lib/krb5/error/compile_et.awk: Don't include krb5.h. Fix some
+ 	warnings.
+
+	* lib/krb5/error/asn1_err.et: Add ASN.1 error messages.
+
+	* lib/krb5/mk_req.c: Get client from cache.
+
+	* lib/krb5/cache.c: Add better error checking some useful return
+ 	values.
+
+	* lib/krb5/krb5.h: Fix krb5_auth_context.
+
+	* lib/asn1/der.h: Make krb5_data compatible with krb5.h
+
+Tue Dec 17 01:32:36 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/error: Add primitive error library.
+
+Mon Dec 16 16:30:20 1996  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lib/krb5/cache.c: Get correct address type from cache.
+
+	* lib/krb5/krb5.h: Change int16 to int to be compatible with asn1.
+
diff --git a/crypto/heimdal/ChangeLog.1999 b/crypto/heimdal/ChangeLog.1999
new file mode 100644
index 0000000..e022b96
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.1999
@@ -0,0 +1,2194 @@
+1999-12-30  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (krb4): use `-ldes' in tests
+
+1999-12-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/print.c (event2string): handle events without principal.
+  	From Luke Howard <lukeh@PADL.COM>
+
+1999-12-25  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2j
+
+Tue Dec 21 18:03:17 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and
+ 	related systems
+
+	* lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and
+ 	related systems
+
+	* include/Makefile.am (krb5-types.h): add $(EXEEXT) for cygwin and
+ 	related systems
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2i
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 6:3:1
+
+	* lib/krb5/send_to_kdc.c (send_via_proxy): free data
+	* lib/krb5/send_to_kdc.c (send_via_proxy): new function use
+	getaddrinfo instead of gethostbyname{,2}
+	* lib/krb5/get_for_creds.c: use getaddrinfo instead of
+	getnodebyname{,2}
+
+1999-12-17  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2h
+
+1999-12-17  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2g
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 6:2:1
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): handle
+	ai_canonname not being set
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): handle
+	ai_canonname not being set
+
+	* appl/test/uu_server.c: print messages to stderr
+	* appl/test/tcp_server.c: print messages to stderr
+	* appl/test/nt_gss_server.c: print messages to stderr
+	* appl/test/gssapi_server.c: print messages to stderr
+
+	* appl/test/tcp_client.c (proto): remove shadowing `context'
+	* appl/test/common.c (client_doit): add forgotten ntohs
+
+1999-12-13  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (VERISON): bump to 0.2g-pre
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext): be more
+ 	robust and handle extra dot at the beginning of default_domain
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2f
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 6:1:1
+	
+	* lib/krb5/changepw.c (get_kdc_address): use
+ 	`krb5_get_krb_changepw_hst'
+
+	* lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): add
+
+	* lib/krb5/get_host_realm.c: add support for _kerberos.domain
+ 	(according to draft-ietf-cat-krb-dns-locate-01.txt)
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2e
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/changepw.c (krb5_change_password): use the correct
+ 	address
+
+	* lib/krb5/Makefile.am: bump version to 6:0:1
+
+	* lib/asn1/Makefile.am: bump version to 1:4:0
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: move AC_KRB_IPv6 to make sure it's performed
+ 	before AC_BROKEN
+	(el_init): use new feature of AC_FIND_FUNC_NO_LIBS
+
+	* appl/test/uu_client.c: use client_doit
+	* appl/test/test_locl.h (client_doit): add prototype
+	* appl/test/tcp_client.c: use client_doit
+	* appl/test/nt_gss_client.c: use client_doit
+	* appl/test/gssapi_client.c: use client_doit
+	* appl/test/common.c (client_doit): move identical code here and
+	start using getaddrinfo
+
+	* appl/kf/kf.c (doit): rewrite to use getaddrinfo
+	* kdc/hprop.c: re-write to use getaddrinfo
+	* lib/krb5/principal.c (krb5_sname_to_principal): use getaddrinfo
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): use
+	getaddrinfo
+	* lib/krb5/changepw.c: re-write to use getaddrinfo
+	* lib/krb5/addr_families.c (krb5_parse_address): use getaddrinfo
+
+1999-12-03  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (BROKEN): check for freeaddrinfo, getaddrinfo,
+	getnameinfo, gai_strerror
+	(socklen_t): check for
+
+1999-12-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/crypto.c: ARCFOUR_set_key -> RC4_set_key
+
+1999-11-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (ARCFOUR_string_to_key): change order of bytes
+ 	within unicode characters.  this should probably be done in some
+ 	arbitrarly complex way to do it properly and you would have to
+ 	know what character encoding was used for the password and salt
+ 	string.
+
+	* lib/krb5/addr_families.c (ipv4_uninteresting): ignore 0.0.0.0
+	(INADDR_ANY)
+	(ipv6_uninteresting): remove unused macro
+
+1999-11-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5.h: rc4->arcfour
+
+	* lib/krb5/crypto.c: rc4->arcfour
+
+1999-11-17  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5_locl.h: add <rc4.h>
+	* lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_RC4
+	* lib/krb5/crypto.c: some code for doing RC4/MD5/HMAC which might
+	not be totally different from some small company up in the
+	north-west corner of the US
+
+	* lib/krb5/get_addrs.c (find_all_addresses): change code to
+ 	actually increment buf_size
+
+1999-11-14  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h (krb5_context_data): add `scan_interfaces'
+	* lib/krb5/get_addrs.c (krb5_get_all_client_addrs): make interaces
+ 	scanning optional
+	* lib/krb5/context.c (init_context_from_config_file): set
+ 	`scan_interfaces'
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add add_et_list.c
+	* lib/krb5/add_et_list.c (krb5_add_et_list): new function
+
+1999-11-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_default_realm.c (krb5_get_default_realm,
+	krb5_get_default_realms): set realms if they were unset
+	* lib/krb5/context.c (init_context_from_config_file): don't
+	initialize default realms here.  it's done lazily instead.
+	
+	* lib/krb5/krb5.h (KRB5_TC_*): make constants unsigned
+	* lib/asn1/gen_glue.c (generate_2int, generate_units): make sure
+	bit constants are unsigned
+	* lib/asn1/gen.c (define_type): make length in sequences be
+	unsigned.
+
+	* configure.in: remove duplicate test for setsockopt test for
+	struct tm.tm_isdst
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): generate
+	preauthentication information if we get back ERR_PREAUTH_REQUIRED
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): remove
+	preauthentication generation code.  it's now in krb5_get_in_cred
+	
+	* configure.in (AC_BROKEN_SNPRINTF): add strptime check for struct
+	tm.tm_gmtoff and timezone
+	
+1999-11-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/main.c: make this work with multi-db
+
+	* kdc/kdc_locl.h: make this work with multi-db
+
+	* kdc/config.c: make this work with multi-db
+
+1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/misc.c: update for multi-database code
+
+	* kdc/main.c: update for multi-database code
+
+	* kdc/kdc_locl.h: update
+
+	* kdc/config.c: allow us to have more than one database
+
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2d
+
+	* lib/krb5/Makefile.am: bump version to 5:0:0 to be safe
+ 	(krb5_context_data has changed and some code do (might) access
+ 	fields directly)
+
+	* lib/krb5/krb5.h (krb5_context_data): add `etypes_des'
+
+	* lib/krb5/get_cred.c (init_tgs_req): use
+ 	krb5_keytype_to_enctypes_default
+
+	* lib/krb5/crypto.c (krb5_keytype_to_enctypes_default): new
+ 	function
+
+	* lib/krb5/context.c (set_etypes): new function
+	(init_context_from_config_file): set both `etypes' and `etypes_des'
+
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (VERSION): bump to 0.2d-pre
+
+1999-10-29  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_parse_name): check memory allocations
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2c
+
+	* lib/krb5/dump_config.c (print_tree): check for empty tree
+
+	* lib/krb5/string-to-key-test.c (tests): update the test cases
+ 	with empty principals so that they actually use an empty realm and
+ 	not the default.  use the correct etype for 3DES
+
+	* lib/krb5/Makefile.am: bump version to 4:1:0
+
+	* kdc/config.c (configure): more careful with the port string
+
+1999-10-26  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2b
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 4:0:0
+ 	(krb524_convert_creds_kdc and potentially some other functions
+ 	have changed prototypes)
+
+	* lib/hdb/Makefile.am: bump version to 4:0:1
+
+	* lib/asn1/Makefile.am: bump version to 1:3:0
+
+	* configure.in (LIB_roken): add dbopen.  getcap in roken
+ 	references dbopen and with shared libraries we need to add this
+ 	dependency.
+
+	* lib/krb5/verify_krb5_conf.c (main): support speicifying the
+ 	configuration file to test on the command line
+
+	* lib/krb5/config_file.c (parse_binding): handle line with no
+ 	whitespace before =
+	(krb5_config_parse_file_debug): set lineno earlier so that we don't
+	use it unitialized
+
+	* configure.in (AM_INIT_AUTOMAKE): bump to 0.2b-pre opt*: need
+ 	more include files for these tests
+
+	* lib/krb5/set_default_realm.c (krb5_set_default_realm): use
+ 	krb5_config_get_strings, which means that your configuration file
+ 	should look like:
+	
+	[libdefaults]
+	  default_realm = realm1 realm2 realm3
+
+	* lib/krb5/set_default_realm.c (config_binding_to_list): fix
+ 	copy-o.  From Michal Vocu <michal@karlin.mff.cuni.cz>
+
+	* kdc/config.c (configure): add a missing strdup.  From Michal
+ 	Vocu <michal@karlin.mff.cuni.cz>
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2a
+
+	* configure.in: only test for db.h with using berkeley_db. remember
+ 	to link with LIB_tgetent when checking for el_init. add xnlock
+
+	* appl/Makefile.am: add xnlock
+
+	* kdc/kerberos5.c (find_etype): support null keys
+
+	* kdc/kerberos4.c (get_des_key): support null keys
+
+	* lib/krb5/crypto.c (krb5_get_wrapped_length): more correct
+ 	calculation
+
+1999-10-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c (main): pass ccache to krb524_convert_creds_kdc
+
+1999-10-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/crypto.c (krb5_enctype_to_keytype): remove warning
+
+1999-10-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req.c (krb5_mk_req): use krb5_free_host_realm
+
+	* lib/krb5/krb5.h (krb5_ccache_data): make `ops' const
+
+	* lib/krb5/crypto.c (krb5_string_to_salttype): new function
+
+	* **/*.[ch]: const-ize
+
+1999-10-06  Assar Westerlund  <assar@sics.se>
+	
+	* lib/krb5/creds.c (krb5_compare_creds): const-ify
+	
+	* lib/krb5/cache.c: clean-up and comment-up
+
+	* lib/krb5/copy_host_realm.c (krb5_copy_host_realm): copy all the
+ 	strings
+
+	* lib/krb5/verify_user.c (krb5_verify_user_lrealm): free the
+ 	correct realm part
+
+	* kdc/connect.c (handle_tcp): things work much better when ret is
+ 	initialized
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): look at the
+ 	type of the session key
+
+	* lib/krb5/crypto.c (krb5_enctypes_compatible_keys): spell
+ 	correctly
+
+	* lib/krb5/creds.c (krb5_compare_creds): fix spelling of
+ 	krb5_enctypes_compatible_keys
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): get new
+ 	credentials from the KDC if the existing one doesn't have a DES
+ 	session key.
+
+	* lib/45/get_ad_tkt.c (get_ad_tkt): update to new
+ 	krb524_convert_creds_kdc
+
+1999-10-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/keytab_keyfile.c: make krb5_akf_ops const
+
+	* lib/krb5/keytab_memory.c: make krb5_mkt_ops const
+
+	* lib/krb5/keytab_file.c: make krb5_fkt_ops const
+
+1999-10-01  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c: rewritten to allow error messages
+
+	* lib/krb5/Makefile.am (bin_PROGRAMS): add verify_krb5_conf
+	(libkrb5_la_SOURCES): add config_file_netinfo.c
+
+	* lib/krb5/verify_krb5_conf.c: new program for verifying that
+	krb5.conf is corret
+
+	* lib/krb5/config_file_netinfo.c: moved netinfo code here from
+ 	config_file.c
+
+1999-09-28  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (dump_krb4): kludge default_realm
+
+	* lib/asn1/check-der.c: add test cases for Generalized time and
+ 	make sure we return the correct value
+
+	* lib/asn1/der_put.c: simplify by using der_put_length_and_tag
+
+	* lib/krb5/verify_user.c (krb5_verify_user_lrealm): ariant of
+ 	krb5_verify_user that tries in all the local realms
+
+	* lib/krb5/set_default_realm.c: add support for having several
+ 	default realms
+
+	* lib/krb5/kuserok.c (krb5_kuserok): use `krb5_get_default_realms'
+
+	* lib/krb5/get_default_realm.c (krb5_get_default_realms): add
+
+	* lib/krb5/krb5.h (krb5_context_data): change `default_realm' to
+ 	`default_realms'
+
+	* lib/krb5/context.c: change from `default_realm' to
+ 	`default_realms'
+
+	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
+ 	krb5_get_default_realms
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add copy_host_realm.c
+
+	* lib/krb5/copy_host_realm.c: new file
+
+1999-09-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/asn1/der_put.c (encode_generalized_time): encode length
+
+	* lib/krb5/recvauth.c: new function `krb5_recvauth_match_version'
+	that allows more intelligent matching of the application version
+
+1999-09-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c: add err.h
+
+	* kdc/config.c (configure): use parse_bytes
+
+	* appl/test/nt_gss_common.c: use the correct header file
+
+1999-09-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/klist.c: add a `--cache' flag
+
+	* kuser/kinit.c (main): only get default value for `get_v4_tgt' if
+	it's explicitly set in krb5.conf
+
+1999-09-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c (tag_names); add another univeral tag
+
+	* lib/asn1/der.h: update universal tags
+
+1999-09-22  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c (loop): print length of octet string
+
+1999-09-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin/ktutil.c (kt_get): add `--help'
+
+1999-09-21  Assar Westerlund  <assar@sics.se>
+
+	* kuser/Makefile.am: add kdecode_ticket
+
+	* kuser/kdecode_ticket.c: new debug program
+
+	* appl/test/nt_gss_server.c: new program to test against `Sample *
+ 	SSPI Code' in Windows 2000 RC1 SDK.
+
+	* appl/test/Makefile.am: add nt_gss_client and nt_gss_server
+
+	* lib/asn1/der_get.c (decode_general_string): remember to advance
+ 	ret over the length-len
+
+	* lib/asn1/Makefile.am: add asn1_print
+
+	* lib/asn1/asn1_print.c: new program for printing DER-structures
+
+	* lib/asn1/der_put.c: make functions more consistent
+
+	* lib/asn1/der_get.c: make functions more consistent
+
+1999-09-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c: be more informative in pa-data error messages
+
+1999-09-16  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: test for strlcpy, strlcat
+
+1999-09-14  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): return
+ 	KRB5_LIBOS_PWDINTR when interrupted
+
+	* lib/krb5/get_in_tkt_pw.c (krb5_password_key_proc): check return
+ 	value from des_read_pw_string
+
+	* kuser/kinit.c (main): don't print any error if reading the
+ 	password was interrupted
+
+	* kpasswd/kpasswd.c (main): don't print any error if reading the
+ 	password was interrupted
+
+	* kdc/string2key.c (main): check the return value from fgets
+
+	* kdc/kstash.c (main): check return value from des_read_pw_string
+
+	* admin/ktutil.c (kt_add): check the return-value from fgets and
+ 	overwrite the password for paranoid reasons
+
+	* lib/krb5/keytab_keyfile.c (get_cell_and_realm): only remove the
+ 	newline if it's there
+
+1999-09-13  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (main): remove bogus error with `--print'.  remove
+ 	sysloging of number of principals transferred
+
+	* kdc/hprop.c (ka_convert): set flags correctly for krbtgt/CELL
+ 	principals
+	(main): get rid of bogus opening of hdb database when propagating
+	ka-server database
+
+1999-09-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5_locl.h (O_BINARY): add fallback definition
+
+	* lib/krb5/krb5.h (krb5_context_data): add keytab types
+
+	* configure.in: revert back awk test, not worked around in
+ 	roken.awk
+
+	* lib/krb5/keytab_krb4.c: remove O_BINARY
+
+	* lib/krb5/keytab_keyfile.c: some support for AFS KeyFile's.  From
+	Love <lha@e.kth.se>
+
+	* lib/krb5/keytab_file.c: remove O_BINARY
+
+	* lib/krb5/keytab.c: move the list of keytab types to the context
+
+	* lib/krb5/fcache.c: remove O_BINARY
+
+	* lib/krb5/context.c (init_context_from_config_file): register all
+ 	standard cache and keytab types
+	(krb5_free_context): free `kt_types'
+
+	* lib/krb5/cache.c (krb5_cc_resolve): move the registration of the
+ 	standard types of credential caches to context
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_keyfile.c
+
+1999-09-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab.c: add comments and clean-up
+
+	* admin/ktutil.c: add `ktutil copy'
+
+	* lib/krb5/keytab_krb4.c: new file
+
+	* lib/krb5/krb5.h (krb5_kt_cursor): add a `data' field
+
+	* lib/krb5/Makefile.am: add keytab_krb4.c
+
+	* lib/krb5/keytab.c: add krb4 and correct some if's
+
+	* admin/srvconvert.c (srvconv): move common code
+
+	* lib/krb5/krb5.h (krb5_fkt_ops, krb5_mkt_ops): new variables
+
+	* lib/krb5/keytab.c: move out file and memory functions
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_file.c,
+ 	keytab_memory.c
+
+	* lib/krb5/keytab_memory.c: new file
+
+	* lib/krb5/keytab_file.c: new file
+
+	* kpasswd/kpasswdd.c: move out password quality functions
+
+1999-09-07  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/Makefile.am (libhdb_la_SOURCES): add keytab.c.  From
+ 	Love <lha@e.kth.se>
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): check
+ 	return value from `krb5_sendto_kdc'
+
+1999-09-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (send_and_recv): rename to recv_loop and
+ 	remove the sending of data.  add a parameter `limit'.  let callers
+ 	send the date themselves (and preferably with net_write on tcp
+ 	sockets)
+	(send_and_recv_tcp): read first the length field and then only that
+	many bytes
+
+1999-09-05  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (handle_tcp): try to print warning `TCP data of
+ 	strange type' less often
+
+	* lib/krb5/send_to_kdc.c (send_and_recv): handle EINTR properly.
+  	return on EOF.  always free data.  check return value from
+ 	realloc.
+	(send_and_recv_tcp, send_and_recv_http): check advertised length
+	against actual length
+
+1999-09-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: check for sgi capabilities
+
+1999-08-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: krb5_get_all_server_addrs shouldn't return
+	extra addresses
+
+	* kpasswd/kpasswdd.c: use HDB keytabs; change some error messages;
+	add --realm flag
+
+	* lib/krb5/address.c (krb5_append_addresses): remove duplicates
+
+1999-08-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/hdb/keytab.c: HDB keytab backend
+
+1999-08-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/keytab.c
+	(krb5_kt_{start_seq_get,next_entry,end_seq_get}): check for NULL
+	pointer
+
+1999-08-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kpasswd/kpasswdd.c: add `--keytab' flag
+
+1999-08-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (IN6_ADDR_V6_TO_V4): use `s6_addr'
+ 	instead of the non-standard `s6_addr32'.  From Yoshinobu Inoue
+ 	<shin@kame.net> by way of the KAME repository
+
+1999-08-18  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (--enable-new-des3-code): remove check for `struct
+ 	addrinfo'
+
+	* lib/krb5/crypto.c (etypes): remove NEW_DES3_CODE, enable
+ 	des3-cbc-sha1 and keep old-des3-cbc-sha1 for backwards
+ 	compatability
+
+	* lib/krb5/krb5.h (krb5_enctype): des3-cbc-sha1 (with key
+ 	derivation) just got assigned etype 16 by <bcn@isi.edu>.  keep the
+ 	old etype at 7.
+
+1999-08-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/sendauth.c (krb5_sendauth): only look at errno if
+ 	krb5_net_read actually returns -1
+
+	* lib/krb5/recvauth.c (krb5_recvauth): only look at errno if
+ 	krb5_net_read actually returns -1
+
+	* appl/kf/kf.c (proto): don't trust errno if krb5_net_read hasn't
+ 	returned -1
+
+	* appl/test/tcp_server.c (proto): only trust errno if
+ 	krb5_net_read actually returns -1
+
+	* appl/kf/kfd.c (proto): be more careful with the return value
+ 	from krb5_net_read
+
+1999-08-13  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c (get_addrs_int): try the different ways
+ 	sequentially instead of just one.  this helps if your heimdal was
+ 	built with v6-support but your kernel doesn't have it, for
+ 	example.
+
+1999-08-12  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c: add inetd flag.  default means try to figure out
+ 	if stdin is a socket or not.
+
+	* Makefile.am (ACLOCAL): just use `cf', this variable is only used
+ 	when the current directory is $(top_srcdir) anyways and having
+ 	$(top_srcdir) there breaks if it's a relative path
+
+1999-08-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: check for setproctitle
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): remember to call
+ 	freehostent
+
+	* appl/test/tcp_client.c: call freehostent
+
+	* appl/kf/kf.c (doit): call freehostent
+
+	* appl/kf/kf.c: make v6 friendly and simplify
+
+	* appl/kf/kfd.c: make v6 friendly and simplify
+
+	* appl/test/tcp_server.c: simplify by using krb5_err instead of
+ 	errx
+	
+	* appl/test/tcp_client.c: simplify by using krb5_err instead of
+ 	errx
+
+	* appl/test/tcp_server.c: make v6 friendly and simplify
+
+	* appl/test/tcp_client.c: make v6 friendly and simplify
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1m
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c (main): some more KRB4-conditionalizing
+
+	* lib/krb5/get_in_tkt.c: type correctness
+
+	* lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): set forwarded in
+ 	flags.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kuser/kinit.c (main): add config file support for forwardable
+ 	and krb4 support.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kdc/kerberos5.c (as_rep): add an empty X500-compress string as
+ 	transited.
+	(fix_transited_encoding): check length.
+	From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kdc/hpropd.c (dump_krb4): check the realm so that we don't dump
+ 	principals in some other realm. From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+	(main): rename sa_len -> sin_len, sa_lan is a define on some
+	platforms.
+
+	* appl/kf/kfd.c: add regpag support. From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+	* appl/kf/kf.c: add `-G' and forwardable option in krb5.conf.
+  	From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* lib/krb5/config_file.c (parse_list): don't run past end of line
+
+	* appl/test/gss_common.h: new prototypes
+
+	* appl/test/gssapi_client.c: use gss_err instead of abort
+
+	* appl/test/gss_common.c (gss_verr, gss_err): add
+
+1999-08-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (n_fold_test_LDADD): need to set this
+ 	otherwise it doesn't build with shared libraries
+
+	* kdc/hpropd.c: v6-ify
+
+	* kdc/hprop.c: v6-ify
+
+1999-08-01  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req.c (krb5_mk_req): use krb5_expand_hostname
+
+1999-07-31  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm_int): new
+ 	function that takes a FQDN
+
+	* lib/krb5/Makefile.am (libkrb5_la_SOURCES): add exapnd_hostname.c
+
+	* lib/krb5/expand_hostname.c: new file
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1l
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/Makefile.am: bump version to 1:2:0
+
+	* lib/krb5/Makefile.am: bump version to 3:1:0
+
+	* configure.in: more inet_pton to roken
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): use
+ 	getipnodebyname
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1k
+
+1999-07-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: bump version number (changed function
+	signatures)
+
+	* lib/hdb/Makefile.am: bump version number (changes to some
+	function signatures)
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 3:0:2
+
+	* lib/hdb/Makefile.am: bump version to 2:1:0
+
+	* lib/asn1/Makefile.am: bump version to 1:1:0
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1j
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: rokenize inet_ntop
+
+	* lib/krb5/store_fd.c: lots of changes from size_t to ssize_t
+	
+	* lib/krb5/store_mem.c: lots of changes from size_t to ssize_t
+	
+	* lib/krb5/store_emem.c: lots of changes from size_t to ssize_t
+	
+	* lib/krb5/store.c: lots of changes from size_t to ssize_t
+	(krb5_ret_stringz): check return value from realloc
+
+	* lib/krb5/mk_safe.c: some type correctness
+	
+	* lib/krb5/mk_priv.c: some type correctness
+	
+	* lib/krb5/krb5.h (krb5_storage): change return values of
+	functions from size_t to ssize_t
+	
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1i
+
+	* configure.in (AC_PROG_AWK): disable. mawk seems to mishandle \#
+ 	in lib/roken/roken.awk
+
+	* lib/krb5/get_addrs.c (find_all_addresses): try to use SA_LEN to
+ 	step over addresses if there's no `sa_lan' field
+
+	* lib/krb5/sock_principal.c (krb5_sock_to_principal): simplify by
+ 	using `struct sockaddr_storage'
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): simplify by using
+ 	`struct sockaddr_storage'
+
+	* lib/krb5/changepw.c (krb5_change_password): simplify by using
+ 	`struct sockaddr_storage'
+
+	* lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd):
+ 	simplify by using `struct sockaddr_storage'
+
+	* kpasswd/kpasswdd.c (*): simplify by using `struct
+ 	sockaddr_storage'
+
+	* kdc/connect.c (*): simplify by using `struct sockaddr_storage'
+
+	* configure.in (sa_family_t): just test for existence
+	(sockaddr_storage): also specify include file
+
+	* configure.in (AM_INIT_AUTOMAKE): bump version to 0.1i
+	(sa_family_t): test for
+	(struct	sockaddr_storage): test for
+
+	* kdc/hprop.c (propagate_database): typo, NULL should be
+ 	auth_context
+
+	* lib/krb5/get_addrs.c: conditionalize on HAVE_IPV6 instead of
+ 	AF_INET6
+
+	* appl/kf/kf.c (main): use warnx
+
+	* appl/kf/kf.c (proto): remove shadowing context
+
+	* lib/krb5/get_addrs.c (find_all_addresses): try to handle the
+ 	case of getting back an `sockaddr_in6' address when sizeof(struct
+ 	sockaddr_in6) > sizeof(struct sockaddr) and we have no sa_len to
+ 	tell us how large the address is.  This obviously doesn't work
+ 	with unknown protocol types.
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1h
+
+1999-07-23  Assar Westerlund  <assar@sics.se>
+
+	* appl/kf/kfd.c: clean-up and more paranoia
+
+	* etc/services.append: add kf
+
+	* appl/kf/kf.c: rename tk_file to ccache for consistency.  clean-up
+
+1999-07-22  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/n-fold-test.c (main): print the correct data
+
+	* appl/Makefile.am (SUBDIRS): add kf
+
+	* appl/kf: new program.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* kdc/hprop.c: declare some variables unconditionally to simplify
+ 	things
+
+	* kpasswd/kpasswdd.c: initialize kadm5 connection for every change
+ 	(otherwise the modifier in the database doesn't get set)
+
+	* kdc/hpropd.c: clean-up and re-organize
+
+	* kdc/hprop.c: clean-up and re-organize
+
+ 	* configure.in (SunOS): define to xy for SunOS x.y
+
+1999-07-19  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (AC_BROKEN): test for copyhostent, freehostent,
+ 	getipnodebyaddr, getipnodebyname
+
+1999-07-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/check-der.c: more test cases for integers
+
+	* lib/asn1/der_length.c (length_int): handle the case of the
+ 	largest negative integer by not calling abs
+
+1999-07-14  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/check-der.c (generic_test): check malloc return value
+ 	properly
+
+	* lib/krb5/Makefile.am: add string_to_key_test
+
+	* lib/krb5/prog_setup.c (krb5_program_setup): always initialize
+ 	the context
+
+	* lib/krb5/n-fold-test.c (main): return a relevant return value
+
+	* lib/krb5/krbhst.c: do SRV lookups for admin server as well.
+  	some clean-up.
+
+1999-07-12  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: handle not building X programs
+
+1999-07-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (ipv6_parse_addr): remove duplicate
+ 	variable
+	(ipv6_sockaddr2port): fix typo
+
+	* etc/services.append: beginning of a file with services
+
+	* lib/krb5/cache.c (krb5_cc_resolve): fall-back to files if
+ 	there's no prefix.  also clean-up a little bit.
+
+	* kdc/hprop.c (--kaspecials): new flag for handling special KA
+ 	server entries.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+1999-07-05  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (handle_tcp): make sure we have data before
+ 	starting to look for HTTP
+
+	* kdc/connect.c (handle_tcp): always do getpeername, we can't
+ 	trust recvfrom to return anything sensible
+
+1999-07-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_in_tkt.c (add_padat): encrypt pre-auth data with
+ 	all enctypes
+
+	* kpasswd/kpasswdd.c (change): fetch the salt-type from the entry
+
+	* admin/srvconvert.c (srvconv): better error messages
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (unparse_name): error check malloc properly
+
+	* lib/krb5/get_in_tkt.c (krb5_init_etype): error check malloc
+ 	properly
+
+	* lib/krb5/crypto.c (*): do some malloc return-value checks
+ 	properly
+
+	* lib/hdb/hdb.c (hdb_process_master_key): simplify by using
+ 	krb5_data_alloc
+
+	* lib/hdb/hdb.c (hdb_process_master_key): check return value from
+ 	malloc
+
+	* lib/asn1/gen_decode.c (decode_type): fix generation of decoding
+ 	information for TSequenceOf.
+
+	* kdc/kerberos5.c (get_pa_etype_info): check return value from
+ 	malloc
+
+1999-07-02  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/der_copy.c (copy_octet_string): don't fail if length ==
+ 	0 and malloc returns NULL
+
+1999-06-29  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (ipv6_parse_addr): implement
+
+1999-06-24  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_cred.c (krb5_rd_cred): compare the sender's address
+ 	as an addrport one
+
+	* lib/krb5/krb5.h (KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_IPPORT):
+ 	add
+	(krb5_auth_context): add local and remote port
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): get the
+ 	local and remote address and add them to the krb-cred packet
+
+	* lib/krb5/auth_context.c: save the local and remove ports in the
+ 	auth_context
+
+	* lib/krb5/address.c (krb5_make_addrport): create an address of
+ 	type KRB5_ADDRESS_ADDRPORT from (addr, port)
+
+	* lib/krb5/addr_families.c (krb5_sockaddr2port): new function for
+ 	grabbing the port number out of the sockaddr
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* admin/srvcreate.c (srvcreate): always take the DES-CBC-MD5 key.
+  	increase possible verbosity.
+
+	* lib/krb5/config_file.c (parse_list): handle blank lines at
+ 	another place
+	
+	* kdc/connect.c (add_port_string): don't return a value
+
+ 	* lib/kadm5/init_c.c (get_cred_cache): you cannot reuse the cred
+ 	cache if the principals are different.  close and NULL the old one
+ 	so that we create a new one.
+
+	* configure.in: move around cgywin et al
+	(LIB_kdb): set at the end of krb4-block
+	(krb4): test for krb_enable_debug and krb_disable_debug
+
+1999-06-16  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kdestroy.c (main): try to destroy v4 ticket even if the
+ 	destruction of the v5 one fails
+
+	* lib/krb5/crypto.c (DES3_postproc): new version that does the
+ 	right thing
+	(*): don't put and recover length in 3DES encoding
+	other small fixes
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_default_principal.c: rewrite to use
+ 	get_default_username
+
+	* lib/krb5/Makefile.am: add n-fold-test
+
+	* kdc/connect.c: add fallbacks for all lookups by service name
+	(handle_tcp): break-up and clean-up
+
+1999-06-09  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (ipv6_uninteresting): don't consider
+ 	the loopback address as uninteresting
+
+	* lib/krb5/get_addrs.c: new magic flag to get loopback address if
+ 	there are no other addresses.
+	(krb5_get_all_client_addrs): use that flag
+
+1999-06-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (HMAC_SHA1_DES3_checksum): don't include the
+ 	length
+	(checksum_sha1, checksum_hmac_sha1_des3): blocksize should be 64
+	(encrypt_internal_derived): don't include the length and don't
+	decrease by the checksum size twice
+	(_get_derived_key): the constant should be 5 bytes
+
+1999-06-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: use KRB_CHECK_X
+	
+	* configure.in: check for netinet/ip.h
+	
+1999-05-31  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswdd.c (setup_passwd_quality_check): conditionalize
+ 	on RTLD_NOW
+
+1999-05-23  Assar Westerlund  <assar@sics.se>
+
+	* appl/test/uu_server.c: removed unused stuff
+
+	* appl/test/uu_client.c: removed unused stuff
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kgetcred.c (main): correct error message
+
+	* lib/krb5/crypto.c (verify_checksum): call (*ct->checksum)
+ 	directly, avoiding redundant lookups and memory leaks
+
+	* lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): free
+ 	local and remote addresses
+
+	* lib/krb5/get_default_principal.c (get_logname): also try
+ 	$USERNAME
+	
+	* lib/asn1/Makefile.am (asn1_files): add $(EXEEXT)
+
+	* lib/krb5/principal.c (USE_RESOLVER): try to define only if we
+	have a libresolv (currently by checking for res_search)
+
+1999-05-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/connect.c (handle_tcp): remove %-escapes in request
+
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1g
+
+	* admin/ktutil.c (kt_remove): -t should be -e
+
+	* configure.in (CHECK_NETINET_IP_AND_TCP): use
+
+	* kdc/hpropd.c: support for dumping to krb4.  From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+	* admin/ktutil.c (kt_add): new option `--no-salt'.  From Miroslav
+ 	Ruda <ruda@ics.muni.cz>
+
+	* configure.in: add cygwin and DOS tests replace sendmsg, recvmsg,
+ 	and innetgr with roken versions
+
+	* kuser/kgetcred.c: new program
+
+Tue May 11 14:09:33 1999  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/mcache.c: fix paste-o
+	
+1999-05-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: don't use uname
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* acconfig.h (KRB_PUT_INT): if we don't have KRB4 use four
+	arguments :-)
+
+	* appl/test/uu_server.c (setsockopt): cast to get rid of a warning
+	
+	* appl/test/tcp_server.c (setsockopt): cast to get rid of a
+	warning
+
+	* appl/test/tcp_client.c (proto): call krb5_sendauth with ccache
+	== NULL
+
+	* appl/test/gssapi_server.c (setsockopt): cast to get rid of a
+	warning
+
+	* lib/krb5/sendauth.c (krb5_sendauth): handle ccache == NULL by
+	setting the default ccache.
+
+	* configure.in (getsockopt, setsockopt): test for
+	(AM_INIT_AUTOMAKE): bump version to 0.1g
+
+	* appl/Makefile.am (SUBDIRS): add kx
+	
+	* lib/hdb/convert_db.c (main): handle the case of no master key
+	
+1999-05-09  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1f
+
+	* kuser/kinit.c: add --noaddresses
+	
+	* lib/krb5/get_in_tkt.c (init_as_req): interpret `addrs' being an
+	empty sit of list as to not ask for any addresses.
+	
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* acconfig.h (_GNU_SOURCE): define this to enable (used)
+ 	extensions on glibc-based systems such as linux
+
+1999-05-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c (get_cred_from_kdc_flags): allocate and free
+	`*out_creds' properly
+
+	* lib/krb5/creds.c (krb5_compare_creds): just verify that the
+	keytypes/enctypes are compatible, not that they are the same
+
+	* kuser/kdestroy.c (cache): const-correctness
+
+1999-05-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/hdb/hdb.c (hdb_set_master_key): initialise master key
+	version
+
+	* lib/hdb/convert_db.c: add support for upgrading database
+	versions
+
+	* kdc/misc.c: add flags to fetch
+
+	* kdc/kstash.c: unlink keyfile on failure, chmod to 400
+
+	* kdc/hpropd.c: add --print option
+
+	* kdc/hprop.c: pass flags to hdb_foreach
+
+	* lib/hdb/convert_db.c: add some flags
+
+	* lib/hdb/Makefile.am: remove extra LDFLAGS, update version to 2;
+	build prototype headers
+	
+	* lib/hdb/hdb_locl.h: update prototypes
+
+	* lib/hdb/print.c: move printable version of entry from kadmin
+
+	* lib/hdb/hdb.c: change hdb_{seal,unseal}_* to check if the key is
+	sealed or not; add flags to hdb_foreach
+
+	* lib/hdb/ndbm.c: add flags to NDBM_seq, NDBM_firstkey, and
+	NDBM_nextkey
+
+	* lib/hdb/db.c: add flags to DB_seq, DB_firstkey, and DB_nextkey
+
+	* lib/hdb/common.c: add flags to _hdb_{fetch,store}
+
+	* lib/hdb/hdb.h: add master_key_version to struct hdb, update
+	prototypes
+
+	* lib/hdb/hdb.asn1: make mkvno optional, update version to 2
+
+	* configure.in: --enable-netinfo
+
+	* lib/krb5/config_file.c: HAVE_NETINFO_NI_H -> HAVE_NETINFO
+
+	* config.sub: fix for crays
+
+	* config.guess: new version from automake 1.4
+	
+	* config.sub: new version from automake 1.4
+
+Wed Apr 28 00:21:17 1999  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.1e
+
+	* lib/krb5/mcache.c (mcc_get_next): get the current cursor
+ 	correctly
+
+	* acconfig.h: correct definition of KRB_PUT_INT for old krb4 code.
+  	From Ake Sandgren <ake@cs.umu.se>
+
+1999-04-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c: fix arguments to decrypt_ticket
+	
+1999-04-25  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): try to handle old
+	DCE secd's that are not able to handle MD5 checksums by defaulting
+	to MD4 if the keytype was DES-CBC-CRC
+	
+	* lib/krb5/mk_req.c (krb5_mk_req): use auth_context->keytype
+	
+	* lib/krb5/krb5.h (krb5_auth_context_data): add `keytype' and
+	`cksumtype'
+
+	* lib/krb5/get_cred.c (make_pa_tgs_req): remove old kludge for
+	secd
+	(init_tgs_req): add all supported enctypes for the keytype in
+	`in_creds->session.keytype' if it's set
+
+	* lib/krb5/crypto.c (F_PSEUDO): new flag for non-protocol
+	encryption types
+	(do_checksum): new function
+	(verify_checksum): take the checksum to use from the checksum message
+	and not from the crypto struct
+	(etypes): add F_PSEUDO flags
+	(krb5_keytype_to_enctypes): new function
+
+	* lib/krb5/auth_context.c (krb5_auth_con_init): initalize keytype
+	and cksumtype
+	(krb5_auth_setcksumtype, krb5_auth_getcksumtype): implement
+	(krb5_auth_setkeytype, krb5_auth_getkeytype): implement
+	(krb5_auth_setenctype): comment out, it's rather bogus anyway
+
+Sun Apr 25 16:55:50 1999  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5_locl.h: fix for stupid aix warnings
+
+	* lib/krb5/fcache.c (erase_file): don't malloc
+	
+Sat Apr 24 18:35:21 1999  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/config.c: pass context to krb5_config_file_free
+
+	* kuser/kinit.c: add `--fcache-version' to set cache version to
+	create
+
+	* kuser/klist.c: print cache version if verbose
+
+	* lib/krb5/transited.c (krb5_domain_x500_decode): don't abort
+
+	* lib/krb5/principal.c: abort -> krb5_abortx
+
+	* lib/krb5/mk_rep.c: abort -> krb5_abortx
+
+	* lib/krb5/config_file.c: abort -> krb5_abortx
+
+	* lib/krb5/context.c (init_context_from_config_file): init
+	fcache_version; add krb5_{get,set}_fcache_version
+
+	* lib/krb5/keytab.c: add support for reading (and writing?) old
+	version keytabs
+
+	* lib/krb5/cache.c: add krb5_cc_get_version
+
+	* lib/krb5/fcache.c: add support for reading and writing old
+	version cache files
+
+	* lib/krb5/store_mem.c (krb5_storage_from_mem): zero flags
+
+	* lib/krb5/store_emem.c (krb5_storage_emem): zero flags
+
+	* lib/krb5/store_fd.c (krb5_storage_from_fd): zero flags
+
+	* lib/krb5/store.c: add flags to change how various fields are
+	stored, used for old cache version support
+	
+	* lib/krb5/krb5.h: add support for reading and writing old version
+	cache files, and keytabs
+	
+Wed Apr 21 00:09:26 1999  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: fix test for readline.h remember to link with
+ 	$LIB_tgetent when trying linking with readline
+
+	* lib/krb5/init_creds_pw.c (get_init_creds_common): if start_time
+ 	is given, request a postdated ticket.
+
+	* lib/krb5/data.c (krb5_data_free): free data as long as it's not
+ 	NULL
+
+Tue Apr 20 20:18:14 1999  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/Makefile.am (kpasswdd_LDADD): add LIB_dlopen
+
+	* lib/krb5/krb5.h (KRB5_VERIFY_AP_REQ_IGNORE_INVALID): add
+
+	* lib/krb5/rd_req.c (krb5_decrypt_ticket): add `flags` and
+ 	KRB5_VERIFY_AP_REQ_IGNORE_INVALID for ignoring that the ticket is
+ 	invalid
+
+Tue Apr 20 12:42:08 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kpasswd/kpasswdd.c: don't try to load library by default; get
+ 	library and function name from krb5.conf
+
+	* kpasswd/sample_passwd_check.c: sample password checking
+ 	functions
+
+Mon Apr 19 22:22:19 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/store.c (krb5_storage_to_data, krb5_ret_data): use
+ 	krb5_data_alloc and be careful with checking allocation and sizes.
+
+	* kuser/klist.c (--tokens): conditionalize on KRB4
+
+	* kuser/kinit.c (renew_validate): set all flags
+	(main): fix cut-n-paste error when setting start-time
+
+	* kdc/kerberos5.c (check_tgs_flags): starttime of a validate
+ 	ticket should be > than current time
+	(*): send flags to krb5_verify_ap_req and krb5_decrypt_ticket
+
+	* kuser/kinit.c (renew_validate): use the client realm instead of
+ 	the local realm when renewing tickets.
+
+	* lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): compat function
+	(krb5_get_forwarded_creds): correct freeing of out_creds
+
+	* kuser/kinit.c (renew_validate): hopefully fix up freeing of
+ 	memory
+
+	* configure.in: do all the krb4 tests with "$krb4" != "no"
+
+	* lib/krb5/keyblock.c (krb5_free_keyblock_contents): don't zero
+ 	keyvalue if it's NULL.  noticed by Ake Sandgren <ake@cs.umu.se>
+
+	* lib/krb5/get_in_tkt.c (add_padata): loop over all enctypes
+ 	instead of just taking the first one.  fix all callers.  From
+ 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
+
+	* kdc/kdc_locl.h (enable_kaserver): declaration
+	
+	* kdc/hprop.c (ka_convert): print the failing principal.  AFS 3.4a
+ 	creates krbtgt.REALMOFCELL as NOTGS+NOSEAL, work around.  From
+ 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
+
+	* kdc/hpropd.c (open_socket): stupid cast to get rid of a warning
+
+	* kdc/connect.c (add_standard_ports, process_request): look at
+ 	enable_kaserver.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+	* kdc/config.c: new flag --kaserver and config file option
+ 	enable-kaserver.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+Mon Apr 19 12:32:04 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: check for dlopen, and dlfcn.h
+
+	* kpasswd/kpasswdd.c: add support for dlopen:ing password quality
+ 	check library
+
+	* configure.in: add appl/su
+
+Sun Apr 18 15:46:53 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/cache.c: add krb5_cc_get_type that returns type of a
+ 	cache
+
+Fri Apr 16 17:58:51 1999  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: LIB_kdb: -L should be before -lkdb
+	test for prototype of strsep
+	
+Thu Apr 15 11:34:38 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/Makefile.am: update version
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use
+ 	ALLOC_SEQ
+
+	* lib/krb5/fcache.c: add some support for reading and writing old
+ 	cache formats;
+	(fcc_store_cred): use krb5_store_creds; (fcc_read_cred): use
+	krb5_ret_creds
+
+	* lib/krb5/store_mem.c (krb5_storage_from_mem): check malloc,
+ 	initialize host_byteorder
+
+	* lib/krb5/store_fd.c (krb5_storage_from_fd): initialize
+ 	host_byteorder
+
+	* lib/krb5/store_emem.c (krb5_storage_emem): initialize
+ 	host_byteorder
+
+	* lib/krb5/store.c (krb5_storage_set_host_byteorder): add;
+	(krb5_store_int32,krb5_ret_int32,krb5_store_int16,krb5_ret_int16):
+ 	check host_byteorder flag; (krb5_store_creds): add;
+ 	(krb5_ret_creds): add
+
+	* lib/krb5/krb5.h (krb5_storage): add `host_byteorder' flag for
+ 	storage of numbers
+
+	* lib/krb5/heim_err.et: add `host not found' error
+
+	* kdc/connect.c: don't use data after clearing decriptor
+
+	* lib/krb5/auth_context.c: abort -> krb5_abortx
+
+	* lib/krb5/warn.c: add __attribute__; add *abort functions
+
+	* configure.in: check for __attribute__
+
+	* kdc/connect.c: log bogus requests
+
+Tue Apr 13 18:38:05 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/kadm5/create_s.c (kadm5_s_create_principal): create v4 salts
+ 	for all DES keys
+
+1999-04-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_cred.c (init_tgs_req): re-structure a little bit
+
+	* lib/krb5/get_cred.c (init_tgs_req): some more error checking
+
+	* lib/krb5/generate_subkey.c (krb5_generate_subkey): check return
+	value from malloc
+
+Sun Apr 11 03:47:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/krb5.conf.5: update to reality
+
+	* lib/krb5/krb5_425_conv_principal.3: update to reality
+
+1999-04-11  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_host_realm.c: handle more than one realm for a host
+
+	* kpasswd/kpasswd.c (main): use krb5_program_setup and
+	print_version
+
+	* kdc/string2key.c (main): use krb5_program_setup and
+	print_version
+
+Sun Apr 11 02:35:58 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/principal.c (krb5_524_conv_principal): make it actually
+ 	work, and check built-in list of host-type first-components
+
+	* lib/krb5/krbhst.c: lookup SRV-records to find a kdc for a realm
+
+	* lib/krb5/context.c: add srv_* flags to context
+
+	* lib/krb5/principal.c: add default v4_name_convert entries
+
+	* lib/krb5/krb5.h: add srv_* flags to context
+
+Sat Apr 10 22:52:28 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kadmin/kadmin.c: complain about un-recognised commands
+
+	* admin/ktutil.c: complain about un-recognised commands
+
+Sat Apr 10 15:41:49 1999  Assar Westerlund  <assar@sics.se>
+
+	* kadmin/load.c (doit): fix error message
+
+	* lib/krb5/crypto.c (encrypt_internal): free checksum if lengths
+ 	fail to match.
+	(krb5_get_wrapped_length): new function
+
+	* configure.in: security/pam_modules.h: check for
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): kludge
+ 	around `ret_as_reply' semantics by only freeing it when ret == 0
+
+Fri Apr  9 20:24:04 1999  Assar Westerlund  <assar@sics.se>
+
+	* kuser/klist.c (print_cred_verbose): handle the case of a bad
+ 	enctype
+
+	* configure.in: test for more header files
+	(LIB_roken): set
+
+Thu Apr  8 15:01:59 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: fixes for building w/o krb4
+
+	* ltmain.sh: update to libtool 1.2d
+
+	* ltconfig: update to libtool 1.2d
+
+Wed Apr  7 23:37:26 1999  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c: fix some error messages to be more understandable.
+
+	* kdc/hprop.c (ka_dump): remove unused variables
+
+	* appl/test/tcp_server.c: remove unused variables
+
+	* appl/test/gssapi_server.c: remove unused variables
+
+	* appl/test/gssapi_client.c: remove unused variables
+
+Wed Apr  7 14:05:15 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/context.c (krb5_get_err_text): long -> krb5_error_code
+
+	* kuser/klist.c: make it compile w/o krb4
+
+	* kuser/kdestroy.c: make it compile w/o krb4
+
+	* admin/ktutil.c: fix {srv,key}2{srv,key}tab confusion; add help
+ 	strings
+
+Mon Apr  5 16:13:46 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: test for MIPS ABI; new test_package
+
+Thu Apr  1 11:00:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* include/Makefile.am: clean krb5-private.h
+
+	* Release 0.1d
+
+	* kpasswd/kpasswdd.c (doit): pass context to
+ 	krb5_get_all_client_addrs
+
+	* kdc/connect.c (init_sockets): pass context to
+ 	krb5_get_all_server_addrs
+
+	* lib/krb5/get_in_tkt.c (init_as_req): pass context to
+ 	krb5_get_all_client_addrs
+
+	* lib/krb5/get_cred.c (get_cred_kdc_la): pass context to
+ 	krb5_get_all_client_addrs
+
+	* lib/krb5/get_addrs.c (get_addrs_int): add extra host addresses
+
+	* lib/krb5/krb5.h: add support for adding an extra set of
+ 	addresses
+
+	* lib/krb5/context.c: add support for adding an extra set of
+ 	addresses
+
+	* lib/krb5/addr_families.c: add krb5_parse_address
+
+	* lib/krb5/address.c: krb5_append_addresses
+
+	* lib/krb5/config_file.c (parse_binding): don't zap everything
+ 	after first whitespace
+
+	* kuser/kinit.c (renew_validate): don't allocate out
+
+	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't
+ 	allocate out_creds
+
+	* lib/krb5/get_cred.c (get_cred_kdc, get_cred_kdc_la): make
+ 	out_creds pointer;
+	(krb5_get_kdc_cred): allocate out_creds; (get_cred_from_kdc_flags):
+	free more memory
+
+	* lib/krb5/crypto.c (encrypt_internal): free checksum
+
+	* lib/krb5/convert_creds.c (krb524_convert_creds_kdc): free reply,
+ 	and ticket
+
+	* kuser/Makefile.am: remove kfoo
+
+	* lib/Makefile.am: add auth
+
+	* lib/kadm5/iprop.h: getarg.h
+
+	* lib/kadm5/replay_log.c: use getarg
+
+	* lib/kadm5/ipropd_slave.c: use getarg
+
+	* lib/kadm5/ipropd_master.c: use getarg
+
+	* lib/kadm5/dump_log.c: use getarg
+
+	* kpasswd/kpasswdd.c: use getarg
+
+	* Makefile.am.common: make a more working check-local target
+
+	* lib/asn1/main.c: use getargs
+
+Mon Mar 29 20:19:57 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kuser/klist.c (print_cred_verbose): use krb5_print_address
+
+	* lib/kadm5/server.c: k_{put,get}_int -> _krb5_{put,get}_int
+
+	* lib/krb5/addr_families.c (krb5_print_address): handle unknown
+ 	address types; (ipv6_print_addr): print in 16-bit groups (as it
+ 	should)
+
+	* lib/krb5/crc.c: crc_{init_table,update} ->
+ 	_krb5_crc_{init_table,update}
+
+	* lib/krb5/crypto.c: k_{put,get}_int -> _krb5_{put,get}_int
+ 	crc_{init_table,update} -> _krb5_crc_{init_table,update}
+
+	* lib/krb5/send_to_kdc.c: k_{put,get}_int -> _krb5_{put,get}_int
+
+	* lib/krb5/store.c: k_{put,get}_int -> _krb5_{put,get}_int
+
+	* lib/krb5/krb5_locl.h: include krb5-private.h
+
+	* kdc/connect.c (addr_to_string): use krb5_print_address
+
+	* lib/krb5/addr_families.c (krb5_print_address): int -> size_t
+
+	* lib/krb5/addr_families.c: add support for printing ipv6
+ 	addresses, either with inet_ntop, or ugly for-loop
+
+	* kdc/524.c: check that the ticket came from a valid address; use
+ 	the address of the connection as the address to put in the v4
+ 	ticket (if this address is AF_INET)
+
+	* kdc/connect.c: pass addr to do_524
+
+	* kdc/kdc_locl.h: prototype for do_524
+
+Sat Mar 27 17:48:31 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: check for OSF C2; bind/bitypes.h, getudbnam,
+ 	setlim; check for auth modules; siad.h, getpwnam_r;
+ 	lib/auth/Makefile, lib/auth/sia/Makefile
+
+	* lib/krb5/crypto.c: n_fold -> _krb5_n_fold
+
+	* lib/krb5/n-fold.c: n_fold -> _krb5_n_fold
+
+Thu Mar 25 04:35:21 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/set_keys.c (_kadm5_set_keys): free salt when zapping
+ 	it
+
+	* lib/kadm5/free.c (kadm5_free_principal_ent): free `key_data'
+
+	* lib/hdb/ndbm.c (NDBM_destroy): clear master key
+
+	* lib/hdb/db.c (DB_destroy): clear master key
+	(DB_open): check malloc
+
+	* kdc/connect.c (init_sockets): free addresses
+
+	* kadmin/kadmin.c (main): make code more consistent.  always free
+ 	configuration information.
+
+	* kadmin/init.c (create_random_entry): free the entry
+
+Wed Mar 24 04:02:03 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
+ 	re-organize the code to always free `kdc_reply'
+
+	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful about
+ 	freeing memory
+
+	* lib/krb5/fcache.c (fcc_destroy): don't call fcc_close
+
+	* lib/krb5/crypto.c (krb5_crypto_destroy): free `crypto'
+
+	* lib/hdb/hdb_locl.h: try db_185.h first in case db.h is a DB 2.0
+ 	header
+
+	* configure.in (db_185.h): check for
+
+	* admin/srvcreate.c: new file. contributed by Daniel Kouril
+ 	<kouril@informatics.muni.cz>
+
+	* admin/ktutil.c: srvcreate: new command
+
+	* kuser/klist.c: add support for printing AFS tokens
+
+	* kuser/kdestroy.c: add support for destroying v4 tickets and AFS
+ 	tokens.  based on code by Love <lha@stacken.kth.se>
+
+	* kuser/Makefile.am (kdestroy_LDADD, klist_LDADD): more libraries
+
+	* configure.in: sys/ioccom.h: test for
+
+	* kuser/klist.c (main): don't print `no ticket file' with --test.
+  	From: Love <lha@e.kth.se>
+
+	* kpasswd/kpasswdd.c (doit): more braces to make gcc happy
+
+	* kdc/connect.c (init_socket): get rid of a stupid warning
+
+	* include/bits.c (my_strupr): cast away some stupid warnings
+
+Tue Mar 23 14:34:44 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): no infinite
+ 	loops, please
+
+Tue Mar 23 00:00:45 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/kadm5/Makefile.am (install_build_headers): recover from make
+ 	rewriting the names of the headers kludge to help solaris make
+
+	* lib/krb5/Makefile.am: kludge to help solaris make
+
+	* lib/hdb/Makefile.am: kludge to help solaris make
+
+	* configure.in (LIB_kdb): make sure there's a -L option in here by
+ 	adding $(LIB_krb4)
+
+	* lib/asn1/gen_glue.c (generate_2int, generate_int2): int ->
+ 	unsigned
+
+	* configure.in (SunOS): set to a number KRB4, KRB5 conditionals:
+ 	remove the `dnl' to work around an automake flaw
+
+Sun Mar 21 15:08:49 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_default_realm.c: char* -> krb5_realm
+
+Sun Mar 21 14:08:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* include/bits.c: <bind/bitypes.h>
+
+	* lib/krb5/Makefile.am: create krb5-private.h
+
+Sat Mar 20 00:08:59 1999  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (gethostname): remove duplicate
+
+Fri Mar 19 14:48:03 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/hdb/Makefile.am: add version-info
+
+	* lib/gssapi/Makefile.am: add version-info
+
+	* lib/asn1/Makefile.am: use $(x:y=z) make syntax; move check-der
+ 	to check_PROGRAMS
+
+	* lib/Makefile.am: add 45
+
+	* lib/kadm5/Makefile.am: split in client and server libraries
+ 	(breaks shared libraries otherwise)
+
+Thu Mar 18 11:33:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* include/kadm5/Makefile.am: clean a lot of header files (since
+ 	automake lacks a clean-hook)
+
+	* include/Makefile.am: clean a lot of header files (since automake
+ 	lacks a clean-hook)
+
+	* lib/kadm5/Makefile.am: fix build-installation of headers
+
+	* lib/krb5/Makefile.am: remove include_dir hack
+
+	* lib/hdb/Makefile.am: remove include_dir hack
+
+	* lib/asn1/Makefile.am: remove include_dir hack
+
+	* include/Makefile.am: remove include_dir hack
+
+	* doc/whatis.texi: define sub for html
+
+	* configure.in: LIB_kdb, have_err_h, have_fnmatch_h, have_glob_h
+
+	* lib/asn1/Makefile.am: der.h
+
+	* kpasswd/kpasswdd.c: admin.h -> kadm5/admin.h
+
+	* kdc/Makefile.am: remove junk
+
+	* kadmin/Makefile.am: sl.a -> sl.la
+
+	* appl/afsutil/Makefile.am: remove EXTRA_bin_PROGRAMS
+
+	* admin/Makefile.am: sl.a -> sl.la
+
+	* configure.in: condition KRB5; AC_CHECK_XAU
+
+	* Makefile.am: include Makefile.am.common
+
+	* include/kadm5/Makefile.am: include Makefile.am.common; don't
+ 	install headers from here
+
+	* include/Makefile.am: include Makefile.am.common; don't install
+ 	headers from here
+
+	* doc/Makefile.am: include Makefile.am.common
+
+	* lib/krb5/Makefile.am: include Makefile.am.common
+
+	* lib/kadm5/Makefile.am: include Makefile.am.common
+
+	* lib/hdb/Makefile.am: include Makefile.am.common
+
+	* lib/gssapi/Makefile.am: include Makefile.am.common
+
+	* lib/asn1/Makefile.am: include Makefile.am.common
+
+	* lib/Makefile.am: include Makefile.am.common
+
+	* lib/45/Makefile.am: include Makefile.am.common
+
+	* kuser/Makefile.am: include Makefile.am.common
+
+	* kpasswd/Makefile.am: include Makefile.am.common
+
+	* kdc/Makefile.am: include Makefile.am.common
+
+	* kadmin/Makefile.am: include Makefile.am.common
+
+	* appl/test/Makefile.am: include Makefile.am.common
+
+	* appl/afsutil/Makefile.am: include Makefile.am.common
+
+	* appl/Makefile.am: include Makefile.am.common
+
+	* admin/Makefile.am: include Makefile.am.common
+
+Wed Mar 17 03:04:38 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/store.c (krb5_store_stringz): braces fix
+
+	* lib/kadm5/get_s.c (kadm5_s_get_principal): braces fix
+
+	* lib/kadm5/ent_setup.c (_kadm5_setup_entry): braces fix
+
+	* kdc/connect.c (loop): braces fix
+
+	* lib/krb5/config_file.c: cast to unsigned char to make is* happy
+
+	* lib/krb5/log.c (krb5_addlog_dest): more braces to make gcc happy
+
+	* lib/krb5/crypto.c (krb5_verify_checksum): rename C -> cksum to
+ 	be consistent
+
+	* kadmin/util.c (timeval2str): more braces to make gcc happy
+
+	* kadmin/load.c: cast in is* to get rid of stupid warning
+
+	* kadmin/dump.c (append_hex): cast in isalnum to get rid of stupid
+ 	warning
+
+	* kdc/kaserver.c: malloc checks and fixes
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): include leading
+ 	dot (if any) when looking up realms.
+
+Fri Mar 12 13:57:56 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/get_host_realm.c: add dns support
+
+	* lib/krb5/set_default_realm.c: use krb5_free_host_realm
+
+	* lib/krb5/free_host_realm.c: check for NULL realmlist
+
+	* lib/krb5/context.c: don't print warning if there is no krb5.conf
+
+Wed Mar 10 19:29:46 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: use AC_WFLAGS
+
+Mon Mar  8 11:49:43 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Release 0.1c
+
+	* kuser/klist.c: use print_version
+
+	* kuser/kdestroy.c: use print_version
+
+	* kdc/hpropd.c: use print_version
+
+	* kdc/hprop.c: use print_version
+
+	* kdc/config.c: use print_version
+
+	* kadmin/kadmind.c: use print_version
+
+	* kadmin/kadmin.c: use print_version
+
+	* appl/test/common.c: use print_version
+
+	* appl/afsutil/afslog.c: use print_version
+
+Mon Mar  1 10:49:14 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/krb5/get_addrs.c: SOCKADDR_HAS_SA_LEN ->
+ 	HAVE_STRUCT_SOCKADDR_SA_LEN
+
+	* configure.in, acconfig.h, cf/*: update to automake 1.4/autoconf 2.13
+
+Sun Feb 28 18:19:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/asn1/gen.c: make `BIT STRING's unsigned
+
+	* lib/asn1/{symbol.h,gen.c}: add TUInteger type
+
+	* lib/krb5/verify_user.c (krb5_verify_user): pass prompter to
+ 	krb5_get_init_creds_password
+
+	* lib/krb5/fcache.c (fcc_gen_new): implement
+
+Sat Feb 27 22:41:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* doc/install.texi: krb4 is now automatically detected
+
+	* doc/misc.texi: update procedure to set supported encryption
+ 	types
+
+	* doc/setup.texi: change some silly wordings
+
+Sat Feb 27 22:17:30 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/krb5/keytab.c (fkt_remove_entry): make this work
+
+	* admin/ktutil.c: add minimally working `get' command
+
+Sat Feb 27 19:44:49 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* lib/hdb/convert_db.c: more typos
+
+	* include/Makefile.am: remove EXTRA_DATA (as of autoconf
+ 	2.13/automake 1.4)
+
+	* appl/Makefile.am: OTP_dir
+
+Fri Feb 26 17:37:00 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* doc/setup.texi: add kadmin section
+
+	* lib/asn1/check-der.c: fix printf warnings
+
+Thu Feb 25 11:16:49 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: -O does not belong in WFLAGS
+
+Thu Feb 25 11:05:57 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/asn1/der_put.c: fix der_put_int
+
+Tue Feb 23 20:35:12 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* configure.in: use AC_BROKEN_GLOB
+
+Mon Feb 22 15:12:44 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* configure.in: check for glob
+
+Mon Feb 22 11:32:42 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Release 0.1b
+
+Sat Feb 20 15:48:06 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* lib/hdb/convert_db.c: convert DES3 keys to des3-cbc-sha1, and
+ 	des3-cbc-md5
+
+	* lib/krb5/crypto.c (DES3_string_to_key): make this actually do
+ 	what the draft said it should
+
+	* lib/hdb/convert_db.c: little program for database conversion
+
+	* lib/hdb/db.c (DB_open): try to open database w/o .db extension
+
+	* lib/hdb/ndbm.c (NDBM_open): add test for database format
+
+	* lib/hdb/db.c (DB_open): add test for database format
+
+	* lib/asn1/gen_glue.c (generate_2int): don't depend on flags being
+ 	unsigned
+
+	* lib/hdb/hdb.c: change `hdb_set_master_key' to take an
+ 	EncryptionKey, and add a new function `hdb_set_master_keyfile' to
+ 	do what `hdb_set_master_key' used to do
+
+	* kdc/kstash.c: add `--convert-file' option to change keytype of
+ 	existing master key file
+
+Fri Feb 19 07:04:14 1999  Assar Westerlund  <assar@squid.pdc.kth.se>
+
+	* Release 0.1a
+
+Sat Feb 13 17:12:53 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/mk_safe.c (krb5_mk_safe): sizeof(buf) -> buf_size, buf
+ 	is now a `u_char *'
+
+	* lib/krb5/get_in_tkt.c (krb5_init_etype): etypes are now `int'
+
+	* lib/krb5/get_host_realm.c (krb5_get_host_realm): constize
+ 	orig_host
+
+ 	(krb5_salttype_to_string): new function (RSA_MD5_DES_verify,
+ 	RSA_MD5_DES3_verify): initialize ret
+
+	* lib/gssapi/init_sec_context.c (init_auth): remove unnecessary
+ 	gssapi_krb5_init.  ask for KEYTYPE_DES credentials
+
+	* kadmin/get.c (print_entry_long): print the keytypes and salts
+ 	available for the principal
+
+	* configure.in (WFLAGS): add `-O' to catch unitialized variables
+ 	and such
+	(gethostname, mkstemp, getusershell, inet_aton): more tests
+
+	* lib/hdb/hdb.h: update prototypes
+
+	* configure.in: homogenize broken detection with krb4
+
+	* lib/kadm5/init_c.c (kadm5_c_init_with_context): remove unused
+ 	`error'
+
+	* lib/asn1/Makefile.am (check-der): add
+
+	* lib/asn1/gen.c (define_type): map ASN1 Integer to `int' instead
+ 	of `unsigned'
+
+	* lib/asn1/der_length.c (length_unsigned): new function
+	(length_int): handle signed integers
+
+	* lib/asn1/der_put.c (der_put_unsigned): new function
+	(der_put_int): handle signed integers
+
+ 	* lib/asn1/der_get.c (der_get_unsigned): new function
+ 	(der_get_int): handle signed integers
+
+	* lib/asn1/der.h: all integer functions take `int' instead of
+ 	`unsigned'
+
+	* lib/asn1/lex.l (filename): unused. remove.
+
+	* lib/asn1/check-der.c: new test program for der encoding and
+ 	decoding.
+
+Mon Feb  1 04:09:06 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): only call
+ 	gethostbyname2 with AF_INET6 if we actually have IPv6.  From
+ 	"Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
+
+ 	* lib/krb5/changepw.c (get_kdc_address): dito
+
+Sun Jan 31 06:26:36 1999  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c (parse_prots): always bind to AF_INET, there are
+ 	v6-implementations without support for `mapped V4 addresses'.
+  	From Jun-ichiro itojun Hagino <itojun@kame.net>
+
+Sat Jan 30 22:38:27 1999  Assar Westerlund  <assar@juguete.sics.se>
+
+	* Release 0.0u
+
+Sat Jan 30 13:43:02 1999  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: explicit rules for *.et files
+
+ 	* lib/kadm5/init_c.c (get_kadm_ticket): only remove creds if
+ 	krb5_get_credentials was succesful.
+ 	(get_new_cache): return better error codes and return earlier.
+ 	(get_cred_cache): only delete default_client if it's different
+ 	from client
+ 	(kadm5_c_init_with_context): return a more descriptive error.
+
+	* kdc/kerberos5.c (check_flags): handle NULL client or server
+
+	* lib/krb5/sendauth.c (krb5_sendauth): return the error in
+ 	`ret_error' iff != NULL
+
+	* lib/krb5/rd_error.c (krb5_free_error, krb5_free_error_contents):
+ 	new functions
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_extended): more
+ 	type-correctness
+
+	* lib/krb5/krb5.h (krb5_error): typedef to KRB_ERROR
+
+	* lib/krb5/init_creds_pw.c: KRB5_TGS_NAME: use
+
+	* lib/krb5/get_cred.c: KRB5_TGS_NAME: use
+
+ 	* lib/kafs/afskrb5.c (afslog_uid_int): update to changes
+
+	* lib/kadm5/rename_s.c (kadm5_s_rename_principal): call remove
+ 	instead of rename, but shouldn't this just call rename?
+
+ 	* lib/kadm5/get_s.c (kadm5_s_get_principal): always return an
+ 	error if the principal wasn't found.
+
+	* lib/hdb/ndbm.c (NDBM_seq): unseal key
+
+	* lib/hdb/db.c (DB_seq): unseal key
+
+	* lib/asn1/Makefile.am: added explicit rules for asn1_err.[ch]
+
+	* kdc/hprop.c (v4_prop): add krbtgt/THISREALM@OTHERREALM when
+ 	finding cross-realm tgts in the v4 database
+
+	* kadmin/mod.c (mod_entry): check the number of arguments.  check
+ 	that kadm5_get_principal worked.
+
+	* lib/krb5/keytab.c (fkt_remove_entry): remove KRB5_KT_NOTFOUND if
+ 	we weren't able to remove it.
+
+	* admin/ktutil.c: less drive-by-deleting.  From Love
+ 	<lha@e.kth.se>
+
+	* kdc/connect.c (parse_ports): copy the string before mishandling
+ 	it with strtok_r
+
+	* kdc/kerberos5.c (tgs_rep2): print the principal with mismatching
+ 	kvnos
+
+	* kadmin/kadmind.c (main): convert `debug_port' to network byte
+ 	order
+
+	* kadmin/kadmin.c: allow specification of port number.
+
+	* lib/kadm5/kadm5_locl.h (kadm5_client_context): add
+ 	`kadmind_port'.
+
+	* lib/kadm5/init_c.c (_kadm5_c_init_context): move up
+ 	initalize_kadm5_error_table_r.
+	allow specification of port number.
+	
+  	From Love <lha@stacken.kth.se>
+
+	* kuser/klist.c: add option -t | --test
+
diff --git a/crypto/heimdal/ChangeLog.2000 b/crypto/heimdal/ChangeLog.2000
new file mode 100644
index 0000000..a1cb687
--- /dev/null
+++ b/crypto/heimdal/ChangeLog.2000
@@ -0,0 +1,1320 @@
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/test_get_addrs.c (main): handle krb5_init_context
+	failure consistently
+	* lib/krb5/string-to-key-test.c (main): handle krb5_init_context
+	failure consistently
+	* lib/krb5/prog_setup.c (krb5_program_setup): handle
+	krb5_init_context failure consistently
+	* lib/hdb/convert_db.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/kverify.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/klist.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/kinit.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/kgetcred.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/kdestroy.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/kdecode_ticket.c (main): handle krb5_init_context failure
+	consistently
+	* kuser/generate-requests.c (generate_requests): handle
+	krb5_init_context failure consistently
+	* kpasswd/kpasswd.c (main): handle krb5_init_context failure
+	consistently
+	* kpasswd/kpasswd-generator.c (generate_requests): handle
+	krb5_init_context failure consistently
+	* kdc/main.c (main): handle krb5_init_context failure consistently
+	* appl/test/uu_client.c (proto): handle krb5_init_context failure
+	consistently
+	* appl/kf/kf.c (main): handle krb5_init_context failure
+	consistently
+	* admin/ktutil.c (main): handle krb5_init_context failure
+	consistently
+
+	* admin/get.c (kt_get): more error checking
+
+2000-12-29  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/asn1_print.c (loop): check for length longer than data.
+	inspired by lha@stacken.kth.se
+
+2000-12-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin/ktutil.8: reflect recent changes
+
+	* admin/copy.c: don't copy an entry that already exists in the
+	keytab, and warn if the keyblock differs
+
+2000-12-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin/Makefile.am: merge srvconvert and srvcreate with copy
+
+	* admin/copy.c: merge srvconvert and srvcreate with copy
+
+	* lib/krb5/Makefile.am: always build keytab_krb4.c
+
+	* lib/krb5/context.c: always register the krb4 keytab functions
+
+	* lib/krb5/krb5.h: declare krb4_ftk_ops
+
+	* lib/krb5/keytab_krb4.c: We don't really need to include krb.h
+	here, since we only use the principal size macros, so define these
+	here. Theoretically someone could have a krb4 system where these
+	values are != 40, but this is unlikely, and
+	krb5_524_conv_principal also assume they are 40.
+
+2000-12-13  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/krb5.h: s/krb5_donot_reply/krb5_donot_replay/
+
+	* lib/krb5/replay.c: fix query-replace-o from MD5 API change, and
+	the struct is called krb5_donot_replay
+
+2000-12-12  Assar Westerlund  <assar@sics.se>
+
+	* admin/srvconvert.c (srvconvert): do not use data after free:ing
+	it
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.3d
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 14:0:0
+	* lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 6:3:0
+	* lib/krb5/Makefile.am (libkrb5_la_LIBADD): add library
+	dependencies
+
+2000-12-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/auth_context.c: implement krb5_auth_con_{get,set}rcache
+
+2000-12-08  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h (krb5_enctype): add ETYPE_DES3_CBC_NONE_IVEC as
+	a new pseudo-type
+
+	* lib/krb5/crypto.c (DES_AFS3_CMU_string_to_key): always treat
+	cell names as lower case
+	(krb5_encrypt_ivec, krb5_decrypt_ivec): new functions that allow an
+	explicit ivec to be specified.  fix all sub-functions.
+	(DES3_CBC_encrypt_ivec): new function that takes an explicit ivec
+
+2000-12-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: actually build replay cache code
+
+	* lib/krb5/replay.c: implement krb5_get_server_rcache
+
+	* kpasswd/kpasswdd.c: de-pointerise auth_context parameter to
+	krb5_mk_rep
+
+	* lib/krb5/recvauth.c: de-pointerise auth_context parameter to
+	krb5_mk_rep
+
+	* lib/krb5/mk_rep.c: auth_context should not be a pointer
+
+	* lib/krb5/auth_context.c: implement krb5_auth_con_genaddrs, and
+	make setaddrs_from_fd use that
+
+	* lib/krb5/krb5.h: add some more KRB5_AUTH_CONTEXT_* flags
+
+2000-12-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/Makefile.am: add kerberos.8 manpage
+
+	* lib/krb5/cache.c: check for NULL remove_cred function
+
+	* lib/krb5/fcache.c: pretend that empty files are non-existant
+
+	* lib/krb5/get_addrs.c (find_all_addresses): use getifaddrs, from
+	Jason Thorpe <thorpej@netbsd.org>
+
+2000-12-01  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: remove configure-time generation of krb5-config
+	* tools/Makefile.am: add generation of krb5-config at make-time
+	instead of configure-time
+
+	* tools/krb5-config.in: add --prefix and --exec-prefix
+
+2000-11-30  Assar Westerlund  <assar@sics.se>
+
+	* tools/Makefile.am: add krb5-config.1
+	* tools/krb5-config.in: add kadm-client and kadm5-server as
+	libraries
+
+2000-11-29  Assar Westerlund  <assar@sics.se>
+
+	* tools/krb5-config.in: add --prefix, --exec-prefix and gssapi
+
+2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: add roken/Makefile here, since it can't live in
+	rk_ROKEN
+
+2000-11-16  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: use the libtool -rpath, do not rely on ld
+	understanding -rpath
+
+	* configure.in: fix the -Wl stuff for krb4 linking add some
+	gratuitous extra options when linking with an existing libdes
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/hdb.c (hdb_next_enctype2key): const-ize a little bit
+	* lib/Makefile.am (SUBDIRS): try to only build des when needed
+	* kuser/klist.c: print key versions numbers of v4 tickets in
+	verbose mode
+
+	* kdc/kerberos5.c (tgs_rep2): adapt to new krb5_verify_ap_req2
+	* appl/test/gss_common.c (read_token): remove unused variable
+
+	* configure.in (krb4): add -Wl
+	(MD4Init et al): look for these in more libraries
+	(getmsg): only run test if we have the function
+	(AC_OUTPUT): create tools/krb5-config
+
+	* tools/krb5-config.in: new script for storing flags to use
+	* Makefile.am (SUBDIRS): add tools
+
+	* lib/krb5/get_cred.c (make_pa_tgs_req): update to new
+	krb5_mk_req_internal
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): allow different
+	usages for the encryption.  change callers
+	* lib/krb5/rd_req.c (decrypt_authenticator): add an encryption
+	`usage'.  also try the old
+	(and wrong) usage of KRB5_KU_AP_REQ_AUTH for backwards compatibility
+	(krb5_verify_ap_req2): new function for specifying the usage different
+	from the default (KRB5_KU_AP_REQ_AUTH)
+	* lib/krb5/build_auth.c (krb5_build_authenticator): add a `usage'
+	parameter to permit the generation of authenticators with
+	different crypto usage
+
+	* lib/krb5/mk_req.c (krb5_mk_req_exact): new function that takes a
+	krb5_principal
+	(krb5_mk_req): use krb5_mk_req_exact
+
+	* lib/krb5/mcache.c (mcc_close): free data
+	(mcc_destroy): don't free data
+
+2000-11-13  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/ndbm.c: handle both ndbm.h and gdbm/ndbm.h
+	* lib/hdb/hdb.c: handle both ndbm.h and gdbm/ndbm.h
+
+2000-11-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/hpropd.8: remove extra .Xc
+
+2000-10-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c: fix v4 fallback lifetime calculation
+
+2000-10-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/524.c: fix log messge
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/changepw.c (krb5_change_password): check for fd's being
+	too large to select on
+	* kpasswd/kpasswdd.c (add_new_tcp): check for the socket fd being
+	too large to select on
+	* kdc/connect.c (add_new_tcp): check for the socket fd being too
+	large to selct on
+	* kdc/connect.c (loop): check that the socket fd is not too large
+	to select on
+	* lib/krb5/send_to_kdc.c (recv_loop): check `fd' for being too
+	large to be able to select on
+
+	* kdc/kaserver.c (do_authenticate): check for time skew
+
+2000-10-01  Assar Westerlund  <assar@sics.se>
+
+	* kdc/524.c (set_address): allocate memory for storing addresses
+	in if the original request had an empty set of addresses
+	* kdc/524.c (set_address): fix bad return of pointer to automatic
+	data
+
+	* config.sub: update to version 2000-09-11 (aka 1.181) from
+	subversions.gnu.org
+
+	* config.guess: update to version 2000-09-05 (aka 1.156) from
+	subversions.gnu.org plus some minor tweaks
+
+2000-09-20  Assar Westerlund  <assar@juguete.sics.se>
+
+	* Release 0.3c
+
+2000-09-19  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to
+	13:1:0
+
+	* lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 6:2:0
+
+2000-09-17  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (krb5_decrypt_ticket): plug some memory leak
+	(krb5_rd_req): try not to return an allocated auth_context on error
+
+	* lib/krb5/log.c (krb5_vlog_msg): fix const-ness
+
+2000-09-10  Assar Westerlund  <assar@sics.se>
+
+	* kdc/524.c: re-organize
+	* kdc/kerberos5.c (tgs_rep2): try to avoid leaking auth_context
+	* kdc/kerberos4.c (valid_princ): check return value of functions
+	(encode_v4_ticket): add some const
+	* kdc/misc.c (db_fetch): check malloc
+	(free_ent): new function
+
+	* lib/krb5/log.c (krb5_vlog_msg): log just the format string it we
+	fail to allocate the actual string to log, should at least provide
+	some hint as to where things went wrong
+
+2000-09-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/log.c: use DEFAULT_LOG_DEST
+
+	* kdc/config.c: use _PATH_KDC_CONF
+
+	* kdc/kdc_locl.h: add macro constants for kdc.conf, and kdc.log
+
+2000-09-09  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (_key_schedule): re-use an existing schedule
+
+2000-09-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: fix dpagaix test
+
+2000-09-05  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: with_dce -> enable_dce.  noticed by Ake Sandgren
+ 	<ake@cs.umu.se>
+
+2000-09-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kstash.8: update manual page
+
+	* kdc/kstash.c: fix typo, and remove unused option
+
+	* lib/krb5/kerberos.7: short kerberos intro page
+
+2000-08-27  Assar Westerlund  <assar@sics.se>
+
+	* include/bits.c: add __attribute__ for gcc's pleasure
+	* lib/hdb/keytab.c: re-write to delay the opening of the database
+	till it's known which principal is being sought, thereby allowing
+	the usage of multiple databases, however they need to be specified
+	in /etc/krb5.conf since all the programs using this keytab do not
+	read kdc.conf
+
+	* appl/test/test_locl.h (keytab): add
+	* appl/test/common.c: add --keytab
+	* lib/krb5/crypto.c: remove trailing commas
+	(KRB5_KU_USAGE_SEQ): renamed from KRB5_KU_USAGE_MIC
+
+2000-08-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (send_via_proxy): handle `http://' at the
+	beginning of the proxy specification.  use getaddrinfo correctly
+	(krb5_sendto): always return a return code
+
+	* lib/krb5/krb5.h (KRB5_KU_USAGE_MIC): rename to KRB5_KU_USAGE_SEQ
+	* lib/krb5/auth_context.c (krb5_auth_con_free): handle
+	auth_context == NULL
+
+2000-08-23  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c (find_type): make sure of always setting
+	`ret_etype' correctly.  clean-up structure some
+
+2000-08-23  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/mcache.c: implement resolve
+
+2000-08-18  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kdecode_ticket.c: check return value from krb5_crypto_init
+	* kdc/kerberos5.c, kdc/524.c: check return value from krb5_crypto_init
+	* lib/krb5/*.c: check return value from krb5_crypto_init
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.3b
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: bump version to 13:0:0
+
+	* lib/hdb/Makefile.am: set version to 6:1:0
+
+	* configure.in: do getmsg testing the same way as in krb4
+
+	* lib/krb5/config_file.c (krb5_config_parse_file_debug): make sure
+ 	of closing the file on error
+
+	* lib/krb5/crypto.c (encrypt_internal_derived): free the checksum
+ 	after use
+
+	* lib/krb5/warn.c (_warnerr): initialize args to make third,
+ 	purify et al happy
+
+2000-08-13  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c: re-write search for keys code.  loop over all
+	supported enctypes in order, looping over all keys of each type,
+	and picking the one with the v5 default salt preferably
+
+2000-08-10  Assar Westerlund  <assar@sics.se>
+
+	* appl/test/gss_common.c (enet_read): add and use
+	* lib/krb5/krb5.h (heimdal_version, heimdal_long_version): make
+	const
+
+	* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): add comment on
+	checksum type selection
+
+	* lib/krb5/context.c (krb5_init_context): do not leak memory on
+	failure
+	(default_etypes): prefer arcfour-hmac-md5 to des-cbc-md5
+
+	* lib/krb5/principal.c: add fnmatch.h
+
+2000-08-09  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: call AC_PROG_CC and AC_PROG_CPP to make sure later
+	checks that should require them don't fail
+	* acconfig.h: add HAVE_UINT17_T
+
+2000-08-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/mit_dump.c: handle all sorts of weird MIT salt types
+
+2000-08-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* doc/setup.texi: port 212 -> 2121
+
+	* lib/krb5/principal.c: krb5_principal_match
+
+2000-08-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/asn1/der_get.c: add comment on *why* DCE sometimes used BER
+	encoding
+
+	* kpasswd/Makefile.am: link with pidfile library
+
+	* kpasswd/kpasswdd.c: write a pid file
+
+	* kpasswd/kpasswd_locl.h: util.h
+
+	* kdc/Makefile.am: link with pidfile library
+
+	* kdc/main.c: write a pid file
+
+	* kdc/headers.h: util.h
+
+2000-08-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext): always put
+	hostnames in lower case
+	(default_v4_name_convert): add imap
+
+2000-08-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crc.c (_krb5_crc_update): const-ize (finally)
+
+2000-07-31  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: check for uint*_t
+	* include/bits.c: define uint*_t
+	
+2000-07-29  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c (check_tgs_flags): set endtime correctly when
+	renewing, From Derrick J Brashear <shadow@dementia.org>
+
+2000-07-28  Assar Westerlund  <assar@juguete.sics.se>
+
+	* Release 0.3a
+
+2000-07-27  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hprop.c (dump_database): write an empty message to signal
+	end of dump
+
+2000-07-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/changepw.c (krb5_change_password): try to be more
+	careful when not to resend
+
+	* lib/hdb/db3.c: always create a cursor with db3.  From Derrick J
+	Brashear <shadow@dementia.org>
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/hdb/Makefile.am: bump version to 6:0:0
+
+	* lib/asn1/Makefile.am: bump version to 3:0:1
+
+	* lib/krb5/Makefile.am: bump version to 12:0:1
+
+	* lib/krb5/krb5_config.3: manpage
+
+	* lib/krb5/krb5_appdefault.3: manpage
+
+	* lib/krb5/appdefault.c: implementation of the krb5_appdefault set
+	of functions
+
+2000-07-23  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c (change_password): reset forwardable
+	and proxiable.  copy preauthentication list correctly from
+	supplied options
+
+	* kdc/hpropd.c (main): check that the ticket was for `hprop/' for
+	paranoid reasons
+
+	* lib/krb5/sock_principal.c (krb5_sock_to_principal): look in
+	aliases for the real name
+
+2000-07-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* doc/setup.texi: say something about starting kadmind from the
+	command line
+
+2000-07-22  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswdd.c: use kadm5_s_chpass_principal_cond instead of
+	mis-doing it here
+
+	* lib/krb5/changepw.c (krb5_change_password): make timeout 1 +
+	2^{0,1,...}.  also keep track if we got an old packet back and
+	then just wait without sending a new packet
+	* lib/krb5/changepw.c: use a datagram socket and remove the
+	sequence numbers
+	* lib/krb5/changepw.c (krb5_change_password): clarify an
+	expression, avoiding a warning
+
+2000-07-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/klist.c: make -a and -n aliases for -v
+
+	* lib/krb5/write_message.c: ws
+
+	* kdc/hprop-common.c: nuke extra definitions of
+	krb5_read_priv_message et.al
+
+	* lib/krb5/read_message.c (krb5_read_message): return error if EOF
+
+2000-07-20  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswd.c: print usage consistently
+	* kdc/hprop.h (HPROP_KEYTAB): use HDB for the keytab
+	* kdc/hpropd.c: add --keytab
+	* kdc/hpropd.c: don't care what principal we recvauth as
+
+	* lib/krb5/get_cred.c: be more careful of not returning creds at
+	all when an error is returned
+	* lib/krb5/fcache.c (fcc_gen_new): do mkstemp correctly
+
+2000-07-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* fix-export: use autoreconf
+
+	* configure.in: remove stuff that belong in roken, and remove some
+	obsolete constructs
+
+2000-07-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: fix some typos
+
+	* appl/Makefile.am: dceutil*s*
+
+	* missing: update to missing from automake 1.4a
+
+2000-07-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: try to get xlc flags from ibmcxx.cfg use
+	conditional for X use readline cf macro
+
+	* configure.in: subst AIX compiler flags
+
+2000-07-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: pass sixth parameter to test-package; use some
+	newer autoconf constructs
+
+	* ltmain.sh: update to libtool 1.3c
+
+	* ltconfig: update to libtool 1.3c
+
+	* configure.in: update this to newer auto*/libtool
+
+	* appl/Makefile.am: use conditional for dce
+	
+	* lib/Makefile.am: use conditional for dce
+	
+2000-07-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/write_message.c: krb5_write_{priv,save}_message
+	* lib/krb5/read_message.c: krb5_read_{priv,save}_message
+	* lib/krb5/convert_creds.c: try port kerberos/88 if no response on
+	krb524/4444
+
+	* lib/krb5/convert_creds.c: use krb5_sendto
+
+	* lib/krb5/send_to_kdc.c: add more generic krb5_sendto that send
+	to a port at arbitrary list of hosts
+
+2000-07-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* doc/misc.texi: language; say something about kadmin del_enctype
+
+2000-07-10  Assar Westerlund  <assar@sics.se>
+
+	* appl/kf/Makefile.am: actually install
+
+2000-07-08  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (AM_INIT_AUTOMAKE): bump to 0.3a-pre
+	(AC_ROKEN): roken is now at 10
+
+	* lib/krb5/string-to-key-test.c: add a arcfour-hmac-md5 test case
+	* kdc/Makefile.am (INCLUDES): add ../lib/krb5
+	* configure.in: update for standalone roken
+	* lib/Makefile.am (SUBDIRS): make roken conditional
+	* kdc/hprop.c: update to new hdb_seal_keys_mkey
+	* lib/hdb/mkey.c (_hdb_unseal_keys_int, _hdb_seal_keys_int):
+	rename and export them
+
+	* kdc/headers.h: add krb5_locl.h (since we just use some stuff
+	from there)
+
+2000-07-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/klist.1: update for -f and add some more text for -v
+
+	* kuser/klist.c: use rtbl to format cred listing, add -f and -s
+
+	* lib/krb5/crypto.c: fix type in des3-cbc-none
+
+	* lib/hdb/mkey.c: add key usage
+
+	* kdc/kstash.c: remove writing of old keyfile, and treat
+	--convert-file as just reading and writing the keyfile without
+	asking for a new key
+	
+	* lib/hdb/mkey.c (read_master_encryptionkey): handle old keytype
+	based files, and convert the key to cfb64
+
+	* lib/hdb/mkey.c (hdb_read_master_key): set mkey to NULL before
+	doing anything else
+
+	* lib/krb5/send_to_kdc.c: use krb5_eai_to_heim_errno
+
+	* lib/krb5/get_for_creds.c: use krb5_eai_to_heim_errno
+
+	* lib/krb5/changepw.c: use krb5_eai_to_heim_errno
+
+	* lib/krb5/addr_families.c: use krb5_eai_to_heim_errno
+
+	* lib/krb5/eai_to_heim_errno.c: convert getaddrinfo error codes to
+	something that can be passed to get_err_text
+
+2000-07-07  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/hdb.c (hdb_next_enctype2key): make sure of skipping
+	`*key'
+
+	* kdc/kerberos4.c (get_des_key): rewrite some, be more careful
+
+2000-07-06  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos5.c (as_rep): be careful as to now overflowing when
+	calculating the end of lifetime of a ticket.
+
+	* lib/krb5/context.c (default_etypes): add ETYPE_ARCFOUR_HMAC_MD5
+
+	* lib/hdb/db3.c: only use a cursor when needed, from Derrick J
+	Brashear <shadow@dementia.org>
+
+	* lib/krb5/crypto.c: introduce the `special' encryption methods
+	that are not like all other encryption methods and implement
+	arcfour-hmac-md5
+
+2000-07-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/mit_dump.c: set initial master key version number to 0
+	instead of 1; if we lated bump the mkvno we don't risk using the
+	wrong key to decrypt
+
+	* kdc/hprop.c: only get master key if we're actually going to use
+	it; enable reading of MIT krb5 dump files
+	
+	* kdc/mit_dump.c: read MIT krb5 dump files
+	
+	* lib/hdb/mkey.c (read_master_mit): fix this
+	
+	* kdc/kstash.c: make this work with the new mkey code
+	
+	* lib/hdb/Makefile.am: add mkey.c, and bump version number
+	
+	* lib/hdb/hdb.h: rewrite master key handling
+	
+	* lib/hdb/mkey.c: rewrite master key handling
+	
+	* lib/krb5/crypto.c: add some more pseudo crypto types
+	
+	* lib/krb5/krb5.h: change some funny etypes to use negative
+	numbers, and add some more
+
+2000-07-04  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krbhst.c (get_krbhst): only try SRV lookup if there are
+	none in the configuration file
+
+2000-07-02  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/keytab_keyfile.c (akf_add_entry): remove unused
+	variable
+
+	* kpasswd/kpasswd-generator.c: new test program
+	* kpasswd/Makefile.am: add kpasswd-generator
+
+	* include/Makefile.am (CLEANFILES): add rc4.h
+
+	* kuser/generate-requests.c: new test program
+	* kuser/Makefile.am (noinst_PROGRAMS): add generate-requests
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: add --enable-dce and related stuff
+	* appl/Makefile.am (SUBDIRS): add $(APPL_dce)
+
+2000-06-29  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos4.c (get_des_key): fix thinkos/typos
+
+2000-06-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin/purge.c: use parse_time to parse age
+
+	* lib/krb5/log.c (krb5_vlog_msg): use krb5_format_time
+
+	* admin/list.c: add printing of timestamp and key data; some
+	cleanup
+
+	* lib/krb5/time.c (krb5_format_time): new function to format time
+
+	* lib/krb5/context.c (init_context_from_config_file): init
+	date_fmt, also do some cleanup
+
+	* lib/krb5/krb5.h: add date_fmt to context
+
+2000-06-28  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/{kerberos4,kaserver,524}.c (get_des_key): change to return
+	v4 or afs keys if possible
+
+2000-06-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/hprop.c (ka_convert): allow using null salt, and treat 0
+	pw_expire as never (from Derrick Brashear)
+
+2000-06-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/connect.c (add_standard_ports): only listen to port 750 if
+	serving v4 requests
+
+2000-06-22  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/lex.l: fix includes, and lex stuff
+	* lib/asn1/lex.h (error_message): update prototype
+	(yylex): add
+	* lib/asn1/gen_length.c (length_type): fail on malloc error
+	* lib/asn1/gen_decode.c (decode_type): fail on malloc error
+
+2000-06-21  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_for_creds.c: be more compatible with MIT code.
+	From Daniel Kouril <kouril@ics.muni.cz>
+	* lib/krb5/rd_cred.c: be more compatible with MIT code.  From
+	Daniel Kouril <kouril@ics.muni.cz>
+	* kdc/kerberos5.c (get_pa_etype_info): do not set salttype if it's
+	vanilla pw-salt, that keeps win2k happy.  also do the malloc check
+	correctly.  From Daniel Kouril <kouril@ics.muni.cz>
+
+2000-06-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/hprop.c: add hdb keytabs
+
+2000-06-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/principal.c: back out rev. 1.64
+
+2000-06-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/kerberos5.c: pa_* -> KRB5_PADATA_*
+
+	* kdc/hpropd.c: add realm override flag
+	
+	* kdc/v4_dump.c: code for reading krb4 dump files
+	
+	* kdc/hprop.c: generalize source database handing, add support for
+	non-standard local realms (from by Daniel Kouril
+	<kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>), and
+	support for using different ports (requested by the Czechs, but
+	implemented differently)
+
+	* lib/krb5/get_cred.c: pa_* -> KRB5_PADATA_*
+	
+	* lib/krb5/get_in_tkt.c: pa_* -> KRB5_PADATA_*
+	
+	* lib/krb5/krb5.h: use some definitions from asn1.h
+
+	* lib/hdb/hdb.asn1: use new import syntax
+	
+	* lib/asn1/k5.asn1: use distinguished value integers
+	
+	* lib/asn1/gen_length.c: support for distinguished value integers
+	
+	* lib/asn1/gen_encode.c: support for distinguished value integers
+	
+	* lib/asn1/gen_decode.c: support for distinguished value integers
+	
+	* lib/asn1/gen.c: support for distinguished value integers
+
+	* lib/asn1/lex.l: add support for more standards like import
+	statements
+
+	* lib/asn1/parse.y: add support for more standards like import
+	statements, and distinguished value integers
+	
+2000-06-11  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_for_creds.c (add_addrs): ignore addresses of
+	unknown type
+	* lib/krb5/get_for_creds.c (add_addrs): zero memory before
+	starting to copy memory
+
+2000-06-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/test_get_addrs.c: test program for get_addrs
+	* lib/krb5/get_addrs.c (find_all_addresses): remember to add in
+ 	the size of ifr->ifr_name when using SA_LEN.  noticed by Ken
+ 	Raeburn <raeburn@MIT.EDU>
+
+2000-06-07  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: add db3 detection stuff do not use streamsptys on
+	HP-UX 11
+	* lib/hdb/hdb.h (HDB): add dbc for db3
+	* kdc/connect.c (add_standard_ports): also listen on krb524 aka
+	4444
+	* etc/services.append (krb524): add
+	* lib/hdb/db3.c: add berkeley db3 interface.  contributed by
+	Derrick J Brashear <shadow@dementia.org>
+	* lib/hdb/hdb.h (struct HDB): add
+
+2000-06-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/524.c: if 524 is not enabled, just generate error reply and
+	exit
+
+	* kdc/kerberos4.c: if v4 is not enabled, just generate error reply
+	and exit
+
+	* kdc/connect.c: only listen to port 4444 if 524 is enabled
+	
+	* kdc/config.c: add options to enable/disable v4 and 524 requests
+	
+2000-06-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kdc/524.c: handle non-existant server principals (from Daniel
+	Kouril)
+
+2000-06-03  Assar Westerlund  <assar@sics.se>
+
+	* admin/ktutil.c: print name when failing to open keytab
+
+	* kuser/kinit.c: try also to fallback to v4 when no KDC is found
+
+2000-05-28  Assar Westerlund  <assar@sics.se>
+
+	* kuser/klist.c: continue even we have no v5 ccache.  make showing
+	your krb4 tickets the default (if build with krb4 support)
+	* kuser/kinit.c: add a fallback that tries to get a v4 ticket if
+	built with krb4 support and we got back a version error from the
+	KDC
+
+2000-05-23  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/keytab_keyfile.c: make this actually work
+
+2000-05-19  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/store_emem.c (emem_store): make it write-compatible
+	* lib/krb5/store_fd.c (fd_store): make it write-compatible
+	* lib/krb5/store_mem.c (mem_store): make it write-compatible
+	* lib/krb5/krb5.h (krb5_storage): make store write-compatible
+
+2000-05-18  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: add stdio.h in dbopen test
+
+2000-05-16  Assar Westerlund  <assar@assaris.sics.se>
+
+	* Release 0.2t
+
+2000-05-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:1:0
+	* lib/krb5/fcache.c: fix second lseek
+	* lib/krb5/principal.c (krb5_524_conv_principal): fix typo
+
+2000-05-15  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2s
+
+2000-05-15  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:0:0
+	* lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 4:2:1
+	* lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump to 2:0:0
+	* lib/krb5/principal.c (krb5_524_conv_principal): comment-ize, and
+	simplify string copying
+
+2000-05-12  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/fcache.c (scrub_file): new function
+	(erase_file): re-write, use scrub_file
+	* lib/krb5/krb5.h (KRB5_DEFAULT_CCFILE_ROOT): add
+
+	* configure.in (dbopen): add header files
+
+	* lib/krb5/krb5.h (krb5_key_usage): add some more
+	* lib/krb5/fcache.c (erase_file): try to detect symlink games.
+	also call revoke.
+	* lib/krb5/changepw.c (krb5_change_password): remember to close
+	the socket on error
+
+	* kdc/main.c (main): also call sigterm on SIGTERM
+
+2000-05-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/config_file.c (krb5_config_vget_string_default,
+ 	krb5_config_get_string_default): add
+
+2000-04-25  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/fcache.c (fcc_initialize): just forget about
+	over-writing the old cred cache.  it's too much of a hazzle trying
+	to do this safely.
+
+2000-04-11  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c (krb5_get_wrapped_length): rewrite into
+	different parts for the derived and non-derived cases
+	* lib/krb5/crypto.c (krb5_get_wrapped_length): the padding should
+	be done after having added confounder and checksum
+
+2000-04-09  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/get_addrs.c (find_all_addresses): apperently solaris
+	can return EINVAL when the buffer is too small.  cope.
+	* lib/asn1/Makefile.am (gen_files): add asn1_UNSIGNED.x
+	* lib/asn1/gen_locl.h (filename): add prototype
+	(init_generate): const-ize
+	* lib/asn1/gen.c (filename): new function clean-up a little bit.
+	* lib/asn1/parse.y: be more tolerant in ranges
+	* lib/asn1/lex.l: count lines correctly.
+	(error_message): print filename in messages
+
+2000-04-08  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_safe.c (krb5_rd_safe): increment sequence number
+	after comparing
+	* lib/krb5/rd_priv.c (krb5_rd_priv): increment sequence number
+	after comparing
+	* lib/krb5/mk_safe.c (krb5_mk_safe): make `tmp_seq' unsigned
+	* lib/krb5/mk_priv.c (krb5_mk_priv): make `tmp_seq' unsigned
+	* lib/krb5/generate_seq_number.c (krb5_generate_seq_number): make
+	`seqno' be unsigned
+	* lib/krb5/mk_safe.c (krb5_mk_safe): increment local sequence
+	number after the fact and only increment it if we were successful
+	* lib/krb5/mk_priv.c (krb5_mk_priv): increment local sequence
+	number after the fact and only increment it if we were successful
+	* lib/krb5/krb5.h (krb5_auth_context_data): make sequence number
+	unsigned
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
+	`in_tkt_service' can be NULL
+
+2000-04-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/asn1/parse.y: regonize INTEGER (0..UNIT_MAX).
+	(DOTDOT): add
+	* lib/asn1/lex.l (DOTDOT): add
+	* lib/asn1/k5.asn1 (UNSIGNED): add.  use UNSIGNED for all sequence
+	numbers.
+	* lib/asn1/gen_length.c (length_type): add TUInteger
+	* lib/asn1/gen_free.c (free_type): add TUInteger
+	* lib/asn1/gen_encode.c (encode_type, generate_type_encode): add
+	TUInteger
+	* lib/asn1/gen_decode.c (decode_type, generate_type_decode): add
+	TUInteger
+	* lib/asn1/gen_copy.c (copy_type): add TUInteger
+	* lib/asn1/gen.c (define_asn1): add TUInteger
+	* lib/asn1/der_put.c (encode_unsigned): add
+	* lib/asn1/der_length.c (length_unsigned): add
+	* lib/asn1/der_get.c (decode_unsigned): add
+	* lib/asn1/der.h (decode_unsigned, encode_unsigned,
+	length_unsigned): add prototypes
+
+	* lib/asn1/k5.asn1: update pre-authentication types
+	* lib/krb5/krb5_err.et: add some error codes from pkinit
+
+2000-04-05  Assar Westerlund  <assar@sics.se>
+
+	* lib/hdb/hdb.c: add support for hdb methods (aka back-ends).
+	include ldap.
+	* lib/hdb/hdb-ldap.c: tweak the ifdef to OPENLDAP
+	* lib/hdb/Makefile.am: add hdb-ldap.c and openldap
+	* kdc/Makefile.am, kpasswd/Makefile.am, kadmin/Makefile.am: add
+	* configure.in: bump version to 0.2s-pre add options and testing
+	for (open)ldap
+
+2000-04-04  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (krb4): fix the krb_mk_req test
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (krb4): add test for const arguments to krb_mk_req
+	* lib/45/mk_req.c (krb_mk_req): conditionalize const-ness of
+	arguments
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2r
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 10:0:0
+	* lib/45/mk_req.c (krb_mk_req): const-ize the arguments
+	
+2000-03-30  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_425_conv_principal_ext): add some
+	comments.  add fall-back on adding the realm name in lower case.
+
+2000-03-29  Assar Westerlund  <assar@sics.se>
+
+	* kdc/connect.c: remember to repoint all descr->sa to _ss after
+	realloc as this might have moved the memory around.  problem
+	discovered and diagnosed by Brandon S. Allbery
+
+2000-03-27  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: recognize solaris 2.8
+	* config.guess, config.sub: update to current version from
+	:pserver:anoncvs@subversions.gnu.org:/home/cvs
+
+	* lib/krb5/init_creds_pw.c (print_expire): do not assume anything
+	about the size of time_t, i.e. make it 64-bit happy
+
+2000-03-13  Assar Westerlund  <assar@sics.se>
+
+	* kuser/klist.c: add support for display v4 tickets
+
+2000-03-11  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kaserver.c (do_authenticate, do_getticket): call check_flags
+	* kdc/kerberos4.c (do_version4): call check_flags.
+	* kdc/kerberos5.c (check_flags): make global
+
+2000-03-10  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): evil
+	hack to avoid recursion
+
+2000-03-04  Assar Westerlund  <assar@sics.se>
+
+	* kuser/kinit.c: add `krb4_get_tickets' per realm. add --anonymous
+	* lib/krb5/krb5.h (krb5_get_init_creds_opt): add `anonymous' and
+	KRB5_GET_INIT_CREDS_OPT_ANONYMOUS
+	* lib/krb5/init_creds_pw.c (get_init_creds_common): set
+	request_anonymous flag appropriatly
+	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_anonymous):
+	add
+
+	* lib/krb5/get_in_tkt.c (_krb5_extract_ticket): new parameter to
+	determine whetever to ignore client name of not.  always copy
+	client name from kdc.  fix callers.
+
+	* kdc: add support for anonymous tickets
+
+	* kdc/string2key.8: add man-page for string2key
+
+2000-03-03  Assar Westerlund  <assar@sics.se>
+
+	* kdc/hpropd.c (dump_krb4): get expiration date from `valid_end'
+	and not `pw_end'
+
+	* kdc/kadb.h (ka_entry): fix name pw_end -> valid_end.  add some
+	more fields
+
+	* kdc/hprop.c (v4_prop): set the `valid_end' from the v4
+	expiration date instead of the `pw_expire'
+	(ka_convert): set `valid_end' from ka expiration data and `pw_expire'
+	from pw_change + pw_expire
+	(main): add a default database for ka dumping
+
+2000-02-28  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/context.c (init_context_from_config_file): change
+	rfc2052 default to no.  2782 says that underscore should be used.
+
+2000-02-24  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/fcache.c (fcc_initialize, fcc_store_cred): verify that
+	stores and close succeed
+	* lib/krb5/store.c (krb5_store_creds): check to see that the
+	stores are succesful.
+
+2000-02-23  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2q
+
+2000-02-22  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 9:2:0
+	
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): copy
+	the correct hostname
+
+	* kdc/connect.c (add_new_tcp): use the correct entries in the
+	descriptor table
+	* kdc/connect.c: initialize `descr' uniformly and correctly
+
+2000-02-20  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2p
+
+2000-02-19  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 9:1:0
+	
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): make sure
+	that realms is filled in even when getaddrinfo fails or does not
+	return any canonical name
+
+	* kdc/connect.c (descr): add sockaddr and string representation
+	(*): re-write to use the above mentioned
+
+2000-02-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/addr_families.c (krb5_parse_address): use
+	krb5_sockaddr2address to copy the result from getaddrinfo.
+
+2000-02-14  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2o
+
+2000-02-13  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 9:0:0
+
+	* kdc/kaserver.c (do_authenticate): return the kvno of the server
+	and not the client.  Thanks to Brandon S. Allbery KF8NH
+	<allbery@kf8nh.apk.net> and Chaskiel M Grundman
+	<cg2v@andrew.cmu.edu> for debugging.
+
+	* kdc/kerberos4.c (do_version4): if an tgs-req is received with an
+	old kvno, return an error reply and write a message in the log.
+	
+2000-02-12  Assar Westerlund  <assar@sics.se>
+
+	* appl/test/gssapi_server.c (proto): with `--fork', create a child
+	and send over/receive creds with export/import_sec_context
+	* appl/test/gssapi_client.c (proto): with `--fork', create a child
+	and send over/receive creds with export/import_sec_context
+	* appl/test/common.c: add `--fork' / `-f' (only used by gssapi)
+
+2000-02-11  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kdc_locl.h: remove keyfile add explicit_addresses
+	* kdc/connect.c (init_sockets): pay attention to
+	explicit_addresses some more comments.  better error messages.
+	* kdc/config.c: add some comments.
+	remove --key-file.
+	add --addresses.
+
+	* lib/krb5/context.c (krb5_set_extra_addresses): const-ize and use
+	proper abstraction
+
+2000-02-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* lib/krb5/changepw.c: use roken_getaddrinfo_hostspec
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2n
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 8:0:0
+	* lib/krb5/keytab.c (krb5_kt_default_name): use strlcpy
+	(krb5_kt_add_entry): set timestamp
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/krb5.h: add macros for accessing krb5_realm
+	* lib/krb5/time.c (krb5_timeofday): use `krb5_timestamp' instead
+	of `int32_t'
+
+	* lib/krb5/replay.c (checksum_authenticator): update to new API
+	for md5
+
+	* lib/krb5/krb5.h: remove des.h, it's not needed and applications
+	should not have to make sure to find it.
+
+2000-02-03  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/rd_req.c (get_key_from_keytab): rename parameter to
+	`out_key' to avoid conflicting with label.  reported by Sean Doran
+	<smd@ebone.net>
+
+2000-02-02  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/expand_hostname.c: remember to lower-case host names.
+	bug reported by <amu@mit.edu>
+
+	* kdc/kerberos4.c (do_version4): look at check_ticket_addresses
+	and emulate that by setting krb_ignore_ip_address (not a great
+	interface but it doesn't seem like the time to go around fixing
+	libkrb stuff now)
+
+2000-02-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kuser/kinit.c: change --noaddresses into --no-addresses
+
+2000-01-28  Assar Westerlund  <assar@sics.se>
+
+	* kpasswd/kpasswd.c (main): make sure the ticket is not
+	forwardable and not proxiable
+
+2000-01-26  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/crypto.c: update to pseudo-standard APIs for
+	md4,md5,sha.  some changes to libdes calls to make them more
+	portable.
+
+2000-01-21  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/verify_init.c (krb5_verify_init_creds): make sure to
+ 	clean up the correct creds.
+
+2000-01-16  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (append_component): change parameter to
+	`const char *'.  check malloc
+	* lib/krb5/principal.c (append_component, va_ext_princ, va_princ):
+	const-ize
+	* lib/krb5/mk_req.c (krb5_mk_req): make `service' and `hostname'
+	const
+	* lib/krb5/principal.c (replace_chars): also add space here
+	* lib/krb5/principal.c: (quotable_chars): add space
+
+2000-01-12  Assar Westerlund  <assar@sics.se>
+
+	* kdc/kerberos4.c (do_version4): check if preauth was required and
+	bail-out if so since there's no way that could be done in v4.
+	Return NULL_KEY as an error to the client (which is non-obvious,
+	but what can you do?)
+
+2000-01-09  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): use
+	krb5_expand_hostname_realms
+	* lib/krb5/mk_req.c (krb5_km_req): use krb5_expand_hostname_realms
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): new
+	variant of krb5_expand_hostname that tries until it expands into
+	something that's digestable by krb5_get_host_realm, returning also
+	the result from that function.
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2m
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* configure.in: replace AC_C_BIGENDIAN with KRB_C_BIGENDIAN
+
+	* lib/krb5/Makefile.am: bump version to 7:1:0
+
+	* lib/krb5/principal.c (krb5_sname_to_principal): use
+	krb5_expand_hostname
+	* lib/krb5/expand_hostname.c (krb5_expand_hostname): handle
+	ai_canonname being set in any of the addresses returnedby
+	getaddrinfo.  glibc apparently returns the reverse lookup of every
+	address in ai_canonname.
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2l
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/Makefile.am: set version to 7:0:0
+	* lib/krb5/principal.c (krb5_sname_to_principal): remove `hp'
+
+	* lib/hdb/Makefile.am: set version to 4:1:1
+
+	* kdc/hpropd.c (dump_krb4): use `krb5_get_default_realms'
+	* lib/krb5/get_in_tkt.c (add_padata): change types to make
+	everything work out
+	(krb5_get_in_cred): remove const to make types match
+	* lib/krb5/crypto.c (ARCFOUR_string_to_key): correct signature
+	* lib/krb5/principal.c (krb5_sname_to_principal): handle not
+	getting back a canonname
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Release 0.2k
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* lib/krb5/send_to_kdc.c (krb5_sendto_kdc): advance colon so that
+	we actually parse the port number.  based on a patch from Leif
+	Johansson <leifj@it.su.se>
+
+2000-01-02  Assar Westerlund  <assar@sics.se>
+
+	* admin/purge.c: remove all non-current and old entries from a
+	keytab
+
+	* admin: break up ktutil.c into files
+
+	* admin/ktutil.c (list): support --verbose (also listning time
+	stamps)
+	(kt_add, kt_get): set timestamp in newly created entries
+	(kt_change): add `change' command
+
+	* admin/srvconvert.c (srvconv): set timestamp in newly created
+	entries
+	* lib/krb5/keytab_keyfile.c (akf_next_entry): set timetsamp,
+	always go the a predicatble position on error
+	* lib/krb5/keytab.c (krb5_kt_copy_entry_contents): copy timestamp
+	* lib/krb5/keytab_file.c (fkt_add_entry): store timestamp
+	(fkt_next_entry_int): return timestamp
+	* lib/krb5/krb5.h (krb5_keytab_entry): add timestamp
diff --git a/crypto/heimdal/Makefile.am b/crypto/heimdal/Makefile.am
new file mode 100644
index 0000000..f3d5441
--- /dev/null
+++ b/crypto/heimdal/Makefile.am
@@ -0,0 +1,10 @@
+# $Id: Makefile.am,v 1.16 2000/11/15 22:54:15 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS	= include lib kuser kdc admin kadmin kpasswd appl doc tools
+
+## ACLOCAL = @ACLOCAL@ -I cf
+ACLOCAL_AMFLAGS = -I cf
+
+EXTRA_DIST = Makefile.am.common krb5.conf
diff --git a/crypto/heimdal/Makefile.am.common b/crypto/heimdal/Makefile.am.common
new file mode 100644
index 0000000..d8452bd
--- /dev/null
+++ b/crypto/heimdal/Makefile.am.common
@@ -0,0 +1,35 @@
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+include $(top_srcdir)/cf/Makefile.am.common
+
+SUFFIXES += .x
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+CHECK_LOCAL = $(PROGRAMS)
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
diff --git a/crypto/heimdal/Makefile.in b/crypto/heimdal/Makefile.in
new file mode 100644
index 0000000..ad1b47c
--- /dev/null
+++ b/crypto/heimdal/Makefile.in
@@ -0,0 +1,641 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = .
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.16 2000/11/15 22:54:15 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc tools
+
+ACLOCAL_AMFLAGS = -I cf
+
+EXTRA_DIST = Makefile.am.common krb5.conf
+subdir = .
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ./include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
+DIST_COMMON =  README ChangeLog Makefile.am Makefile.in NEWS TODO \
+acconfig.h acinclude.m4 aclocal.m4 config.guess config.sub configure \
+configure.in install-sh ltconfig ltmain.sh missing mkinstalldirs
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+DIST_SUBDIRS =  $(SUBDIRS)
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+$(ACLOCAL_M4):  configure.in  acinclude.m4 cf/aix.m4 cf/auth-modules.m4 \
+		cf/broken-getnameinfo.m4 cf/broken-glob.m4 \
+		cf/broken-realloc.m4 cf/broken-snprintf.m4 cf/broken.m4 \
+		cf/broken2.m4 cf/c-attribute.m4 cf/c-function.m4 \
+		cf/capabilities.m4 cf/check-declaration.m4 \
+		cf/check-getpwnam_r-posix.m4 cf/check-man.m4 \
+		cf/check-netinet-ip-and-tcp.m4 cf/check-type-extra.m4 \
+		cf/check-var.m4 cf/check-x.m4 cf/check-xau.m4 cf/db.m4 \
+		cf/find-func-no-libs.m4 cf/find-func-no-libs2.m4 \
+		cf/find-func.m4 cf/find-if-not-broken.m4 \
+		cf/grok-type.m4 cf/have-pragma-weak.m4 \
+		cf/have-struct-field.m4 cf/have-type.m4 \
+		cf/have-types.m4 cf/krb-bigendian.m4 cf/krb-find-db.m4 \
+		cf/krb-func-getcwd-broken.m4 cf/krb-func-getlogin.m4 \
+		cf/krb-ipv6.m4 cf/krb-irix.m4 cf/krb-prog-ln-s.m4 \
+		cf/krb-prog-ranlib.m4 cf/krb-prog-yacc.m4 \
+		cf/krb-readline.m4 cf/krb-struct-spwd.m4 \
+		cf/krb-struct-winsize.m4 cf/krb-sys-aix.m4 \
+		cf/krb-sys-nextstep.m4 cf/krb-version.m4 cf/mips-abi.m4 \
+		cf/misc.m4 cf/need-proto.m4 cf/osfc2.m4 \
+		cf/proto-compat.m4 cf/retsigtype.m4 cf/roken-frag.m4 \
+		cf/roken.m4 cf/shared-libs.m4 cf/test-package.m4 \
+		cf/wflags.m4
+	cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
+
+config.status: $(srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	$(SHELL) ./config.status --recheck
+$(srcdir)/configure: $(srcdir)/configure.in $(ACLOCAL_M4) $(CONFIGURE_DEPENDENCIES)
+	cd $(srcdir) && $(AUTOCONF)
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(PACKAGE)-$(VERSION)
+top_distdir = $(distdir)
+
+
+# This target untars the dist file and tries a VPATH configuration.  Then
+# it guarantees that the distribution is self-contained by making another
+# tarfile.
+distcheck: dist
+	-chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
+	GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(AMTAR) xf -
+	chmod -R a-w $(distdir); chmod a+w $(distdir)
+	mkdir $(distdir)/=build
+	mkdir $(distdir)/=inst
+	chmod a-w $(distdir)
+	dc_install_base=`CDPATH=: && cd $(distdir)/=inst && pwd` \
+	  && cd $(distdir)/=build \
+	  && ../configure --srcdir=.. --prefix=$$dc_install_base \
+	  && $(MAKE) $(AM_MAKEFLAGS) \
+	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
+	  && $(MAKE) $(AM_MAKEFLAGS) check \
+	  && $(MAKE) $(AM_MAKEFLAGS) install \
+	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \
+	  && $(MAKE) $(AM_MAKEFLAGS) uninstall \
+	  && test `find $$dc_install_base -type f -print | wc -l` -le 1 \
+	  && $(MAKE) $(AM_MAKEFLAGS) dist \
+	  && $(MAKE) $(AM_MAKEFLAGS) distclean \
+	  && rm -f $(distdir).tar.gz \
+	  && test `find . -type f -print | wc -l` -eq 0
+	-chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
+	@banner="$(distdir).tar.gz is ready for distribution"; \
+	dashes=`echo "$$banner" | sed s/./=/g`; \
+	echo "$$dashes"; \
+	echo "$$banner"; \
+	echo "$$dashes"
+dist: distdir
+	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+	|| chmod -R a+r $(distdir)
+	$(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c > $(distdir).tar.gz
+	-chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
+dist-all: distdir
+	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+	|| chmod -R a+r $(distdir)
+	$(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c > $(distdir).tar.gz
+	-chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
+distdir: $(DISTFILES)
+	-chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
+	mkdir $(distdir)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	for subdir in $(SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+	-rm -f config.status
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+	-rm -f config.status
+
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/NEWS b/crypto/heimdal/NEWS
new file mode 100644
index 0000000..a53da3a
--- /dev/null
+++ b/crypto/heimdal/NEWS
@@ -0,0 +1,463 @@
+Changes in release 0.3f
+
+ * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
+   the new keytab type that tries both of these in order (SRVTAB is
+   also an alias for krb4:)
+
+ * improve error reporting and error handling (error messages should
+   be more detailed and more useful)
+
+ * improve building with openssl
+
+ * add kadmin -K, rcp -F 
+
+ * fix two incorrect weak DES keys
+
+ * fix building of kaserver compat in KDC
+
+ * the API is closer to what MIT krb5 is using
+
+ * more compatible with windows 2000
+
+ * removed some memory leaks
+
+ * bug fixes
+
+Changes in release 0.3e
+
+ * rcp program included
+
+ * fix buffer overrun in ftpd
+
+ * handle omitted sequence numbers as zeroes to handle MIT krb5 that
+   cannot generate zero sequence numbers
+
+ * handle v4 /.k files better
+
+ * configure/portability fixes
+
+ * fixes in parsing of options to kadmin (sub-)commands
+
+ * handle errors in kadmin load better
+
+ * bug fixes
+
+Changes in release 0.3d
+
+ * add krb5-config
+
+ * fix a bug in 3des gss-api mechanism, making it compatible with the
+   specification and the MIT implementation
+
+ * make telnetd only allow a specific list of environment variables to
+   stop it from setting `sensitive' variables
+
+ * try to use an existing libdes
+
+ * lib/krb5, kdc: use correct usage type for ap-req messages.  This
+   should improve compatability with MIT krb5 when using 3DES
+   encryption types
+
+ * kdc: fix memory allocation problem
+
+ * update config.guess and config.sub
+
+ * lib/roken: more stuff implemented
+
+ * bug fixes and portability enhancements
+
+Changes in release 0.3c
+
+ * lib/krb5: memory caches now support the resolve operation
+
+ * appl/login: set PATH to some sane default
+
+ * kadmind: handle several realms
+
+ * bug fixes (including memory leaks)
+
+Changes in release 0.3b
+
+ * kdc: prefer default-salted keys on v5 requests
+
+ * kdc: lowercase hostnames in v4 mode
+
+ * hprop: handle more types of MIT salts
+
+ * lib/krb5: fix memory leak
+
+ * bug fixes
+
+Changes in release 0.3a:
+
+ * implement arcfour-hmac-md5 to interoperate with W2K
+
+ * modularise the handling of the master key, and allow for other
+   encryption types. This makes it easier to import a database from
+   some other source without having to re-encrypt all keys.
+
+ * allow for better control over which encryption types are created
+
+ * make kinit fallback to v4 if given a v4 KDC
+
+ * make klist work better with v4 and v5, and add some more MIT
+   compatibility options
+
+ * make the kdc listen on the krb524 (4444) port for compatibility
+   with MIT krb5 clients
+
+ * implement more DCE/DFS support, enabled with --enable-dce, see
+   lib/kdfs and appl/dceutils
+
+ * make the sequence numbers work correctly
+
+ * bug fixes
+
+Changes in release 0.2t:
+
+ * bug fixes
+
+Changes in release 0.2s:
+
+ * add OpenLDAP support in hdb
+
+ * login will get v4 tickets when it receives forwarded tickets
+
+ * xnlock supports both v5 and v4
+
+ * repair source routing for telnet
+
+ * fix building problems with krb4 (krb_mk_req)
+
+ * bug fixes
+
+Changes in release 0.2r:
+
+ * fix realloc memory corruption bug in kdc
+
+ * `add --key' and `cpw --key' in kadmin
+
+ * klist supports listing v4 tickets
+
+ * update config.guess and config.sub
+
+ * make v4 -> v5 principal name conversion more robust
+
+ * support for anonymous tickets
+
+ * new man-pages
+
+ * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
+
+ * use and set expiration and not password expiration when dumping
+   to/from ka server databases / krb4 databases
+
+ * make the code happier with 64-bit time_t
+
+ * follow RFC2782 and by default do not look for non-underscore SRV names
+
+Changes in release 0.2q:
+
+ * bug fix in tcp-handling in kdc
+
+ * bug fix in expand_hostname
+
+Changes in release 0.2p:
+
+ * bug fix in `kadmin load/merge'
+
+ * bug fix in krb5_parse_address
+
+Changes in release 0.2o:
+
+ * gss_{import,export}_sec_context added to libgssapi
+
+ * new option --addresses to kdc (for listening on an explicit set of
+   addresses)
+
+ * bug fixes in the krb4 and kaserver emulation part of the kdc
+
+ * other bug fixes
+
+Changes in release 0.2n:
+
+ * more robust parsing of dump files in kadmin
+ * changed default timestamp format for log messages to extended ISO
+   8601 format (Y-M-DTH:M:S)
+ * changed md4/md5/sha1 APIes to be de-facto `standard'
+ * always make hostname into lower-case before creating principal
+ * small bits of more MIT-compatability
+ * bug fixes
+
+Changes in release 0.2m:
+
+ * handle glibc's getaddrinfo() that returns several ai_canonname
+
+ * new endian test
+
+ * man pages fixes
+
+Changes in release 0.2l:
+
+ * bug fixes
+
+Changes in release 0.2k:
+
+ * better IPv6 test
+
+ * make struct sockaddr_storage in roken work better on alphas
+
+ * some missing [hn]to[hn]s fixed.
+
+ * allow users to change their own passwords with kadmin (with initial
+   tickets)
+
+ * fix stupid bug in parsing KDC specification
+
+ * add `ktutil change' and `ktutil purge'
+
+Changes in release 0.2j:
+
+ * builds on Irix
+
+ * ftpd works in passive mode
+
+ * should build on cygwin
+
+ * work around broken IPv6-code on OpenBSD 2.6, also add configure
+   option --disable-ipv6
+
+Changes in release 0.2i:
+
+ * use getaddrinfo in the missing places.
+
+ * fix SRV lookup for admin server
+
+ * use get{addr,name}info everywhere.  and implement it in terms of
+   getipnodeby{name,addr} (which uses gethostbyname{,2} and
+   gethostbyaddr)
+
+Changes in release 0.2h:
+
+ * fix typo in kx (now compiles)
+
+Changes in release 0.2g:
+
+ * lots of bug fixes:
+   * push works
+   * repair appl/test programs
+   * sockaddr_storage works on solaris (alignment issues)
+   * works better with non-roken getaddrinfo
+   * rsh works
+   * some non standard C constructs removed
+
+Changes in release 0.2f:
+
+ * support SRV records for kpasswd
+ * look for both _kerberos and krb5-realm when doing host -> realm mapping
+
+Changes in release 0.2e:
+
+ * changed copyright notices to remove `advertising'-clause.
+ * get{addr,name}info added to roken and used in the other code
+   (this makes things work much better with hosts with both v4 and v6
+    addresses, among other things)
+ * do pre-auth for both password and key-based get_in_tkt
+ * support for having several databases
+ * new command `del_enctype' in kadmin
+ * strptime (and new strftime) add to roken
+ * more paranoia about finding libdb
+ * bug fixes
+
+Changes in release 0.2d:
+
+ * new configuration option [libdefaults]default_etypes_des
+ * internal ls in ftpd builds without KRB4
+ * kx/rsh/push/pop_debug tries v5 and v4 consistenly
+ * build bug fixes
+ * other bug fixes
+
+Changes in release 0.2c:
+
+ * bug fixes (see ChangeLog's for details)
+
+Changes in release 0.2b:
+
+ * bug fixes
+ * actually bump shared library versions
+
+Changes in release 0.2a:
+
+ * a new program verify_krb5_conf for checking your /etc/krb5.conf
+ * add 3DES keys when changing password
+ * support null keys in database
+ * support multiple local realms
+ * implement a keytab backend for AFS KeyFile's
+ * implement a keytab backend for v4 srvtabs
+ * implement `ktutil copy'
+ * support password quality control in v4 kadmind
+ * improvements in v4 compat kadmind
+ * handle the case of having the correct cred in the ccache but with
+   the wrong encryption type better
+ * v6-ify the remaining programs.
+ * internal ls in ftpd
+ * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
+ * add `ank --random-password' and `cpw --random-password' in kadmin
+ * some programs and documentation for trying to talk to a W2K KDC
+ * bug fixes
+
+Changes in release 0.1m:
+
+ * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
+   From Miroslav Ruda <ruda@ics.muni.cz>
+ * v6-ify hprop and hpropd
+ * support numeric addresses in krb5_mk_req
+ * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
+ * make rsh/rshd IPv6-aware
+ * make the gssapi sample applications better at reporting errors
+ * lots of bug fixes
+ * handle systems with v6-aware libc and non-v6 kernels (like Linux
+   with glibc 2.1) better
+ * hide failure of ERPT in ftp
+ * lots of bug fixes
+
+Changes in release 0.1l:
+
+ * make ftp and ftpd IPv6-aware
+ * add inet_pton to roken
+ * more IPv6-awareness
+ * make mini_inetd v6 aware
+
+Changes in release 0.1k:
+
+ * bump shared libraries versions
+ * add roken version of inet_ntop
+ * merge more changes to rshd
+
+Changes in release 0.1j:
+
+ * restore back to the `old' 3DES code.  This was supposed to be done
+   in 0.1h and 0.1i but I did a CVS screw-up.
+ * make telnetd handle v6 connections
+
+Changes in release 0.1i:
+
+ * start using `struct sockaddr_storage' which simplifies the code
+   (with a fallback definition if it's not defined)
+ * bug fixes (including in hprop and kf)
+ * don't use mawk which seems to mishandle roken.awk
+ * get_addrs should be able to handle v6 addresses on Linux (with the
+   required patch to the Linux kernel -- ask within)
+ * rshd builds with shadow passwords
+
+Changes in release 0.1h:
+
+ * kf: new program for forwarding credentials
+ * portability fixes
+ * make forwarding credentials work with MIT code
+ * better conversion of ka database
+ * add etc/services.append
+ * correct `modified by' from kpasswdd
+ * lots of bug fixes
+
+Changes in release 0.1g:
+
+ * kgetcred: new program for explicitly obtaining tickets
+ * configure fixes
+ * krb5-aware kx
+ * bug fixes
+
+Changes in release 0.1f;
+
+ * experimental support for v4 kadmin protokoll in kadmind
+ * bug fixes
+
+Changes in release 0.1e:
+
+ * try to handle old DCE and MIT kdcs
+ * support for older versions of credential cache files and keytabs
+ * postdated tickets work
+ * support for password quality checks in kpasswdd
+ * new flag --enable-kaserver for kdc
+ * renew fixes
+ * prototype su program
+ * updated (some) manpages
+ * support for KDC resource records
+ * should build with --without-krb4
+ * bug fixes
+
+Changes in release 0.1d:
+
+ * Support building with DB2 (uses 1.85-compat API)
+ * Support krb5-realm.DOMAIN in DNS
+ * new `ktutil srvcreate'
+ * v4/kafs support in klist/kdestroy
+ * bug fixes
+
+Changes in release 0.1c:
+
+ * fix ASN.1 encoding of signed integers
+ * somewhat working `ktutil get'
+ * some documentation updates
+ * update to Autoconf 2.13 and Automake 1.4
+ * the usual bug fixes
+
+Changes in release 0.1b:
+
+ * some old -> new crypto conversion utils
+ * bug fixes
+
+Changes in release 0.1a:
+
+ * new crypto code
+ * more bug fixes
+ * make sure we ask for DES keys in gssapi
+ * support signed ints in ASN1
+ * IPv6-bug fixes
+
+Changes in release 0.0u:
+
+ * lots of bug fixes
+
+Changes in release 0.0t:
+
+ * more robust parsing of krb5.conf
+ * include net{read,write} in lib/roken
+ * bug fixes
+
+Changes in release 0.0s:
+
+ * kludges for parsing options to rsh
+ * more robust parsing of krb5.conf
+ * removed some arbitrary limits
+ * bug fixes
+
+Changes in release 0.0r:
+
+ * default options for some programs
+ * bug fixes
+
+Changes in release 0.0q:
+
+ * support for building shared libraries with libtool
+ * bug fixes
+
+Changes in release 0.0p:
+
+ * keytab moved to /etc/krb5.keytab
+ * avoid false detection of IPv6 on Linux
+ * Lots of more functionality in the gssapi-library
+ * hprop can now read ka-server databases
+ * bug fixes
+
+Changes in release 0.0o:
+
+ * FTP with GSSAPI support.
+ * Bug fixes.
+
+Changes in release 0.0n:
+
+ * Incremental database propagation.
+ * Somewhat improved kadmin ui; the stuff in admin is now removed.
+ * Some support for using enctypes instead of keytypes.
+ * Lots of other improvement and bug fixes, see ChangeLog for details.
diff --git a/crypto/heimdal/README b/crypto/heimdal/README
new file mode 100644
index 0000000..f27b67f
--- /dev/null
+++ b/crypto/heimdal/README
@@ -0,0 +1,19 @@
+$Id: README,v 1.1 2000/07/27 02:33:54 assar Exp $
+
+Heimdal is a Kerberos 5 implementation.
+
+Please see the manual in doc, by default installed in
+/usr/heimdal/info/heimdal.info for information on how to install.
+There are also briefer man pages for most of the commands.
+
+Bug reports and bugs are appreciated, see more under Bug reports in
+the manual on how we prefer them.
+
+For more information see the web-page at
+<http://www.pdc.kth.se/heimdal/> or the mailing lists:
+
+heimdal-announce@sics.se	low-volume announcement
+heimdal-discuss@sics.se		high-volume discussion
+
+send a mail to heimdal-announce-request@sics.se and
+heimdal-discuss-request@sics.se respectively to subscribe.
diff --git a/crypto/heimdal/TODO b/crypto/heimdal/TODO
new file mode 100644
index 0000000..0396339
--- /dev/null
+++ b/crypto/heimdal/TODO
@@ -0,0 +1,90 @@
+-*- indented-text -*-
+
+$Id: TODO,v 1.55 2001/01/30 22:51:32 assar Exp $
+
+* configure
+
+use more careful checking before starting to use berkeley db.  it only
+makes sense to do so if we have the appropriate library and the header
+file.
+
+handle readline hiding in readline/readline.h
+
+* appl
+
+** appl/popper
+
+Implement RFC1731 and 1734, pop over GSS-API
+
+* doc
+
+* kdc
+
+* kadmin
+
+make it happy with reading and parsing kdc.conf
+
+is in need of a major cleanup
+
+* kpasswdd
+
+figure out what's the deal with do_sequence and the MIT client
+
+* lib
+
+** lib/asn1
+
+prepend a prefix on all generated symbols
+
+** lib/auth
+
+PAM
+
+** lib/com_err
+
+write a man-page
+
+** lib/des
+
+make everything work with openssl and make prototypes compatible
+
+** lib/gssapi
+
+process_context_token, add_cred, inquire_cred_by_mech,
+inquire_names_for_mech, and
+inquire_mechs_for_name not implemented.
+
+set minor_status in all functions
+
+anonymous credentials not implemented
+
+add rc4
+
+** lib/hdb
+
+** lib/kadm5
+
+add policies?
+
+fix to use rpc?
+
+** lib/krb5
+
+rewrite the lookup of KDCs to handle kerberos-<n> and not do any DNS
+requests if the information can be found locally.  this requires stop
+using krb5_get_krbhst.
+
+the replay cache is, in its current state, not very useful
+
+always generates a new subkey in an authenticator
+
+should the sequence numbers be XORed?
+
+OTP?
+
+make checksum/encryption type configuration more realm-specific.  make
+some simple way of handling the w2k situtation
+
+crypto: allow scather/gather creation of checksums
+
+** lib/roken
diff --git a/crypto/heimdal/acconfig.h b/crypto/heimdal/acconfig.h
new file mode 100644
index 0000000..4ef0398
--- /dev/null
+++ b/crypto/heimdal/acconfig.h
@@ -0,0 +1,104 @@
+@BOTTOM@
+
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+#undef HAVE_UINT8_T
+#undef HAVE_UINT16_T
+#undef HAVE_UINT32_T
+#undef HAVE_UINT64_T
+
+#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
+#else
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
+#endif
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+
+#undef PROTOTYPES
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+#if defined(HAVE_SGTTY_H) && defined(__NeXT__)
+#define SGTTY
+#endif
+
+/*
+ * Define NDBM if you are using the 4.3 ndbm library (which is part of
+ * libc).  If not defined, 4.2 dbm will be assumed.
+ */
+#if defined(HAVE_DBM_FIRSTKEY)
+#define NDBM
+#endif
+
+/* telnet stuff ----------------------------------------------- */
+
+#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
+#define AUTHENTICATION 1
+#endif
+
+/* Set this to the default system lead string for telnetd 
+ * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
+ * %v=os-version, %t=tty, %h=hostname, %d=date and time
+ */
+#undef USE_IM
+
+/* Used with login -p */
+#undef LOGIN_ARGS
+
+/* set this to a sensible login */
+#ifndef LOGIN_PATH
+#define LOGIN_PATH BINDIR "/login"
+#endif
+
+/* random defines */
+
+/*
+ * Defining this enables lots of useful (and used) extensions on
+ * glibc-based systems such as Linux
+ */
+
+#define _GNU_SOURCE
+
+/*
+ * this assumes that KRB_C_BIGENDIAN is used.
+ * if we can find out endianess at compile-time, do so,
+ * otherwise WORDS_BIGENDIAN should already have been defined
+ */
+
+#if ENDIANESS_IN_SYS_PARAM_H
+#  include <sys/types.h>
+#  include <sys/param.h>
+#  if BYTE_ORDER == BIG_ENDIAN
+#  define WORDS_BIGENDIAN 1
+#  endif
+#endif
+
+#ifdef ROKEN_RENAME
+#include "roken_rename.h"
+#endif
diff --git a/crypto/heimdal/acinclude.m4 b/crypto/heimdal/acinclude.m4
new file mode 100644
index 0000000..ff87042
--- /dev/null
+++ b/crypto/heimdal/acinclude.m4
@@ -0,0 +1,9 @@
+dnl $Id: acinclude.m4,v 1.15 1998/05/23 14:54:53 joda Exp $
+dnl
+dnl Only put things that for some reason can't live in the `cf'
+dnl directory in this file.
+dnl
+
+dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl
+define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
diff --git a/crypto/heimdal/aclocal.m4 b/crypto/heimdal/aclocal.m4
new file mode 100644
index 0000000..2c04f7f
--- /dev/null
+++ b/crypto/heimdal/aclocal.m4
@@ -0,0 +1,3174 @@
+# ./aclocal.m4 generated automatically by aclocal 1.4b
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+dnl $Id: acinclude.m4,v 1.15 1998/05/23 14:54:53 joda Exp $
+dnl
+dnl Only put things that for some reason can't live in the `cf'
+dnl directory in this file.
+dnl
+
+dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl
+define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
+
+dnl $Id: misc.m4,v 1.2 2000/07/19 15:04:00 joda Exp $
+dnl
+AC_DEFUN([upcase],[`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`])dnl
+AC_DEFUN([rk_CONFIG_HEADER],[AH_TOP([#ifndef RCSID
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+#endif
+
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+])])
+# Like AC_CONFIG_HEADER, but automatically create stamp file.
+
+# serial 3
+
+# When config.status generates a header, we must update the stamp-h file.
+# This file resides in the same directory as the config header
+# that is generated.  We must strip everything past the first ":",
+# and everything past the last "/".
+
+AC_PREREQ([2.12])
+
+AC_DEFUN([AM_CONFIG_HEADER],
+[AC_CONFIG_HEADER([$1])
+  AC_OUTPUT_COMMANDS(
+   ifelse(patsubst([$1], [[^ ]], []),
+	  [],
+	  [test -z "$CONFIG_HEADERS" || echo timestamp >dnl
+	   patsubst([$1], [^\([^:]*/\)?.*], [\1])stamp-h]),
+  [am_indx=1
+  for am_file in $1; do
+    case " $CONFIG_HEADERS " in
+    *" $am_file "*)
+      echo timestamp > `echo $am_file | sed 's%:.*%%;s%[^/]*$%%'`stamp-h$am_indx
+      ;;
+    esac
+    am_indx=\`expr \$am_indx + 1\`
+  done])
+])
+
+# Do all the work for Automake.  This macro actually does too much --
+# some checks are only needed if your package does certain things.
+# But this isn't really a big deal.
+
+# serial 3
+
+AC_PREREQ([2.13])
+
+# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
+# -----------------------------------------------------------
+# If MACRO-NAME is provided do IF-PROVIDED, else IF-NOT-PROVIDED.
+# The purpose of this macro is to provide the user with a means to
+# check macros which are provided without letting her know how the
+# information is coded.
+# If this macro is not defined by Autoconf, define it here.
+ifdef([AC_PROVIDE_IFELSE],
+      [],
+      [define([AC_PROVIDE_IFELSE],
+              [ifdef([AC_PROVIDE_$1],
+                     [$2], [$3])])])
+
+
+# AM_INIT_AUTOMAKE(PACKAGE,VERSION, [NO-DEFINE])
+# ----------------------------------------------
+AC_DEFUN([AM_INIT_AUTOMAKE],
+[dnl We require 2.13 because we rely on SHELL being computed by configure.
+AC_REQUIRE([AC_PROG_INSTALL])dnl
+# test to see if srcdir already configured
+if test "`CDPATH=:; cd $srcdir && pwd`" != "`pwd`" &&
+   test -f $srcdir/config.status; then
+  AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
+fi
+
+# Define the identity of the package.
+PACKAGE=$1
+AC_SUBST(PACKAGE)dnl
+VERSION=$2
+AC_SUBST(VERSION)dnl
+ifelse([$3],,
+[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])
+AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])
+
+# Some tools Automake needs.
+AC_REQUIRE([AM_SANITY_CHECK])dnl
+AC_REQUIRE([AC_ARG_PROGRAM])dnl
+AM_MISSING_PROG(ACLOCAL, aclocal)
+AM_MISSING_PROG(AUTOCONF, autoconf)
+AM_MISSING_PROG(AUTOMAKE, automake)
+AM_MISSING_PROG(AUTOHEADER, autoheader)
+AM_MISSING_PROG(MAKEINFO, makeinfo)
+AM_MISSING_PROG(AMTAR, tar)
+AM_MISSING_INSTALL_SH
+# We need awk for the "check" target.  The system "awk" is bad on
+# some platforms.
+AC_REQUIRE([AC_PROG_AWK])dnl
+AC_REQUIRE([AC_PROG_MAKE_SET])dnl
+AC_REQUIRE([AM_DEP_TRACK])dnl
+AC_REQUIRE([AM_SET_DEPDIR])dnl
+AC_PROVIDE_IFELSE([AC_PROG_CC],
+                  [AM_DEPENDENCIES(CC)],
+                  [define([AC_PROG_CC],
+                          defn([AC_PROG_CC])[AM_DEPENDENCIES(CC)])])dnl
+AC_PROVIDE_IFELSE([AC_PROG_CXX],
+                  [AM_DEPENDENCIES(CXX)],
+                  [define([AC_PROG_CXX],
+                          defn([AC_PROG_CXX])[AM_DEPENDENCIES(CXX)])])dnl
+])
+
+#
+# Check to make sure that the build environment is sane.
+#
+
+AC_DEFUN([AM_SANITY_CHECK],
+[AC_MSG_CHECKING([whether build environment is sane])
+# Just in case
+sleep 1
+echo timestamp > conftestfile
+# Do `set' in a subshell so we don't clobber the current shell's
+# arguments.  Must try -L first in case configure is actually a
+# symlink; some systems play weird games with the mod time of symlinks
+# (eg FreeBSD returns the mod time of the symlink's containing
+# directory).
+if (
+   set X `ls -Lt $srcdir/configure conftestfile 2> /dev/null`
+   if test "[$]*" = "X"; then
+      # -L didn't work.
+      set X `ls -t $srcdir/configure conftestfile`
+   fi
+   if test "[$]*" != "X $srcdir/configure conftestfile" \
+      && test "[$]*" != "X conftestfile $srcdir/configure"; then
+
+      # If neither matched, then we have a broken ls.  This can happen
+      # if, for instance, CONFIG_SHELL is bash and it inherits a
+      # broken ls alias from the environment.  This has actually
+      # happened.  Such a system could not be considered "sane".
+      AC_MSG_ERROR([ls -t appears to fail.  Make sure there is not a broken
+alias in your environment])
+   fi
+
+   test "[$]2" = conftestfile
+   )
+then
+   # Ok.
+   :
+else
+   AC_MSG_ERROR([newly created file is older than distributed files!
+Check your system clock])
+fi
+rm -f conftest*
+AC_MSG_RESULT(yes)])
+
+# AM_MISSING_PROG(NAME, PROGRAM)
+AC_DEFUN([AM_MISSING_PROG], [
+AC_REQUIRE([AM_MISSING_HAS_RUN])
+$1=${$1-"${am_missing_run}$2"}
+AC_SUBST($1)])
+
+# Like AM_MISSING_PROG, but only looks for install-sh.
+# AM_MISSING_INSTALL_SH()
+AC_DEFUN([AM_MISSING_INSTALL_SH], [
+AC_REQUIRE([AM_MISSING_HAS_RUN])
+if test -z "$install_sh"; then
+   install_sh="$ac_aux_dir/install-sh"
+   test -f "$install_sh" || install_sh="$ac_aux_dir/install.sh"
+   test -f "$install_sh" || install_sh="${am_missing_run}${ac_auxdir}/install-sh"
+   dnl FIXME: an evil hack: we remove the SHELL invocation from
+   dnl install_sh because automake adds it back in.  Sigh.
+   install_sh="`echo $install_sh | sed -e 's/\${SHELL}//'`"
+fi
+AC_SUBST(install_sh)])
+
+# AM_MISSING_HAS_RUN.
+# Define MISSING if not defined so far and test if it supports --run.
+# If it does, set am_missing_run to use it, otherwise, to nothing.
+AC_DEFUN([AM_MISSING_HAS_RUN], [
+test x"${MISSING+set}" = xset || \
+  MISSING="\${SHELL} `CDPATH=:; cd $ac_aux_dir && pwd`/missing"
+# Use eval to expand $SHELL
+if eval "$MISSING --run :"; then
+  am_missing_run="$MISSING --run "
+else
+  am_missing_run=
+  am_backtick='`'
+  AC_MSG_WARN([${am_backtick}missing' script is too old or missing])
+fi
+])
+
+# See how the compiler implements dependency checking.
+# Usage:
+# AM_DEPENDENCIES(NAME)
+# NAME is "CC", "CXX" or "OBJC".
+
+# We try a few techniques and use that to set a single cache variable.
+
+AC_DEFUN([AM_DEPENDENCIES],[
+AC_REQUIRE([AM_SET_DEPDIR])
+AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])
+ifelse([$1],CC,[
+AC_REQUIRE([AC_PROG_CC])
+AC_REQUIRE([AC_PROG_CPP])
+depcc="$CC"
+depcpp="$CPP"],[$1],CXX,[
+AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([AC_PROG_CXXCPP])
+depcc="$CXX"
+depcpp="$CXXCPP"],[$1],OBJC,[
+am_cv_OBJC_dependencies_compiler_type=gcc],[
+AC_REQUIRE([AC_PROG_][$1])
+depcc="$[$1]"
+depcpp=""])
+AC_MSG_CHECKING([dependency style of $depcc])
+AC_CACHE_VAL(am_cv_[$1]_dependencies_compiler_type,[
+if test -z "$AMDEP"; then
+  echo '#include "conftest.h"' > conftest.c
+  echo 'int i;' > conftest.h
+
+  am_cv_[$1]_dependencies_compiler_type=none
+  for depmode in `sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < "$am_depcomp"`; do
+    case "$depmode" in
+    nosideeffect)
+      # after this tag, mechanisms are not by side-effect, so they'll
+      # only be used when explicitly requested
+      if test "x$enable_dependency_tracking" = xyes; then
+	continue
+      else
+	break
+      fi
+      ;;
+    none) break ;;
+    esac
+    # We check with `-c' and `-o' for the sake of the "dashmstdout"
+    # mode.  It turns out that the SunPro C++ compiler does not properly
+    # handle `-M -o', and we need to detect this.
+    if depmode="$depmode" \
+       source=conftest.c object=conftest.o \
+       depfile=conftest.Po tmpdepfile=conftest.TPo \
+       $SHELL $am_depcomp $depcc -c conftest.c -o conftest.o >/dev/null 2>&1 &&
+       grep conftest.h conftest.Po > /dev/null 2>&1; then
+      am_cv_[$1]_dependencies_compiler_type="$depmode"
+      break
+    fi
+  done
+
+  rm -f conftest.*
+else
+  am_cv_[$1]_dependencies_compiler_type=none
+fi
+])
+AC_MSG_RESULT($am_cv_[$1]_dependencies_compiler_type)
+[$1]DEPMODE="depmode=$am_cv_[$1]_dependencies_compiler_type"
+AC_SUBST([$1]DEPMODE)
+])
+
+# Choose a directory name for dependency files.
+# This macro is AC_REQUIREd in AM_DEPENDENCIES
+
+AC_DEFUN([AM_SET_DEPDIR],[
+if test -d .deps || mkdir .deps 2> /dev/null || test -d .deps; then
+  DEPDIR=.deps
+  # We redirect because .deps might already exist and be populated.
+  # In this situation we don't want to see an error.
+  rmdir .deps > /dev/null 2>&1
+else
+  DEPDIR=_deps
+fi
+AC_SUBST(DEPDIR)
+])
+
+AC_DEFUN([AM_DEP_TRACK],[
+AC_ARG_ENABLE(dependency-tracking,
+[  --disable-dependency-tracking Speeds up one-time builds
+  --enable-dependency-tracking  Do not reject slow dependency extractors])
+if test "x$enable_dependency_tracking" = xno; then
+  AMDEP="#"
+else
+  am_depcomp="$ac_aux_dir/depcomp"
+  if test ! -f "$am_depcomp"; then
+    AMDEP="#"
+  else
+    AMDEP=
+  fi
+fi
+AC_SUBST(AMDEP)
+if test -z "$AMDEP"; then
+  AMDEPBACKSLASH='\'
+else
+  AMDEPBACKSLASH=
+fi
+pushdef([subst], defn([AC_SUBST]))
+subst(AMDEPBACKSLASH)
+popdef([subst])
+])
+
+# Generate code to set up dependency tracking.
+# This macro should only be invoked once -- use via AC_REQUIRE.
+# Usage:
+# AM_OUTPUT_DEPENDENCY_COMMANDS
+
+#
+# This code is only required when automatic dependency tracking
+# is enabled.  FIXME.  This creates each `.P' file that we will
+# need in order to bootstrap the dependency handling code.
+AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],[
+AC_OUTPUT_COMMANDS([
+test x"$AMDEP" != x"" ||
+for mf in $CONFIG_FILES; do
+  case "$mf" in
+  Makefile) dirpart=.;;
+  */Makefile) dirpart=`echo "$mf" | sed -e 's|/[^/]*$||'`;;
+  *) continue;;
+  esac
+  grep '^DEP_FILES *= *[^ #]' < "$mf" > /dev/null || continue
+  # Extract the definition of DEP_FILES from the Makefile without
+  # running `make'.
+  DEPDIR=`sed -n -e '/^DEPDIR = / s///p' < "$mf"`
+  test -z "$DEPDIR" && continue
+  # When using ansi2knr, U may be empty or an underscore; expand it
+  U=`sed -n -e '/^U = / s///p' < "$mf"`
+  test -d "$dirpart/$DEPDIR" || mkdir "$dirpart/$DEPDIR"
+  # We invoke sed twice because it is the simplest approach to
+  # changing $(DEPDIR) to its actual value in the expansion.
+  for file in `sed -n -e '
+    /^DEP_FILES = .*\\\\$/ {
+      s/^DEP_FILES = //
+      :loop
+	s/\\\\$//
+	p
+	n
+	/\\\\$/ b loop
+      p
+    }
+    /^DEP_FILES = / s/^DEP_FILES = //p' < "$mf" | \
+       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+    # Make sure the directory exists.
+    test -f "$dirpart/$file" && continue
+    fdir=`echo "$file" | sed -e 's|/[^/]*$||'`
+    $ac_aux_dir/mkinstalldirs "$dirpart/$fdir" > /dev/null 2>&1
+    # echo "creating $dirpart/$file"
+    echo '# dummy' > "$dirpart/$file"
+  done
+done
+], [AMDEP="$AMDEP"
+ac_aux_dir="$ac_aux_dir"])])
+
+
+# AM_PROG_LEX
+# Look for flex, lex or missing, then run AC_PROG_LEX and AC_DECL_YYTEXT
+AC_DEFUN([AM_PROG_LEX],
+[AC_REQUIRE([AM_MISSING_HAS_RUN])
+AC_CHECK_PROGS(LEX, flex lex, [${am_missing_run}flex])
+AC_PROG_LEX
+AC_DECL_YYTEXT])
+
+dnl $Id: krb-prog-ln-s.m4,v 1.1 1997/12/14 15:59:01 joda Exp $
+dnl
+dnl
+dnl Better test for ln -s, ln or cp
+dnl
+
+AC_DEFUN(AC_KRB_PROG_LN_S,
+[AC_MSG_CHECKING(for ln -s or something else)
+AC_CACHE_VAL(ac_cv_prog_LN_S,
+[rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  touch conftestdata1
+  if ln conftestdata1 conftestdata2; then
+    rm -f conftestdata*
+    ac_cv_prog_LN_S=ln
+  else
+    ac_cv_prog_LN_S=cp
+  fi
+fi])dnl
+LN_S="$ac_cv_prog_LN_S"
+AC_MSG_RESULT($ac_cv_prog_LN_S)
+AC_SUBST(LN_S)dnl
+])
+
+
+dnl $Id: mips-abi.m4,v 1.5 2000/07/18 15:01:42 joda Exp $
+dnl
+dnl
+dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some
+dnl value.
+
+AC_DEFUN(AC_MIPS_ABI, [
+AC_ARG_WITH(mips_abi,
+[  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)])
+
+case "$host_os" in
+irix*)
+with_mips_abi="${with_mips_abi:-yes}"
+if test -n "$GCC"; then
+
+# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select
+# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs.
+#
+# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old
+# GCC and revert back to O32. The same goes if O32 is asked for - old
+# GCCs doesn't like the -mabi option, and new GCCs can't output O32.
+#
+# Don't you just love *all* the different SGI ABIs?
+
+case "${with_mips_abi}" in 
+        32|o32) abi='-mabi=32';  abilibdirext=''     ;;
+       n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
+        64) abi='-mabi=64';  abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_MSG_ERROR("Invalid ABI specified") ;;
+esac
+if test -n "$abi" ; then
+ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
+dnl
+dnl can't use AC_CACHE_CHECK here, since it doesn't quote CACHE-ID to
+dnl AC_MSG_RESULT
+dnl
+AC_MSG_CHECKING([if $CC supports the $abi option])
+AC_CACHE_VAL($ac_foo, [
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $abi"
+AC_TRY_COMPILE(,int x;, eval $ac_foo=yes, eval $ac_foo=no)
+CFLAGS="$save_CFLAGS"
+])
+ac_res=`eval echo \\\$$ac_foo`
+AC_MSG_RESULT($ac_res)
+if test $ac_res = no; then
+# Try to figure out why that failed...
+case $abi in
+	-mabi=32) 
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS -mabi=n32"
+	AC_TRY_COMPILE(,int x;, ac_res=yes, ac_res=no)
+	CLAGS="$save_CFLAGS"
+	if test $ac_res = yes; then
+		# New GCC
+		AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI])
+	fi
+	# Old GCC
+	abi=''
+	abilibdirext=''
+	;;
+	-mabi=n32|-mabi=64)
+		if test $with_mips_abi = yes; then
+			# Old GCC, default to O32
+			abi=''
+			abilibdirext=''
+		else
+			# Some broken GCC
+			AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI])
+		fi
+	;;
+esac
+fi #if test $ac_res = no; then
+fi #if test -n "$abi" ; then
+else
+case "${with_mips_abi}" in
+        32|o32) abi='-32'; abilibdirext=''     ;;
+       n32|yes) abi='-n32'; abilibdirext='32'  ;;
+        64) abi='-64'; abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_MSG_ERROR("Invalid ABI specified") ;;
+esac
+fi #if test -n "$GCC"; then
+;;
+esac
+])
+
+dnl
+dnl $Id: c-attribute.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+
+dnl
+dnl Test for __attribute__
+dnl
+
+AC_DEFUN(AC_C___ATTRIBUTE__, [
+AC_MSG_CHECKING(for __attribute__)
+AC_CACHE_VAL(ac_cv___attribute__, [
+AC_TRY_COMPILE([
+#include <stdlib.h>
+],
+[
+static void foo(void) __attribute__ ((noreturn));
+
+static void
+foo(void)
+{
+  exit(1);
+}
+],
+ac_cv___attribute__=yes,
+ac_cv___attribute__=no)])
+if test "$ac_cv___attribute__" = "yes"; then
+  AC_DEFINE(HAVE___ATTRIBUTE__, 1, [define if your compiler has __attribute__])
+fi
+AC_MSG_RESULT($ac_cv___attribute__)
+])
+
+
+
+# serial 44 AC_PROG_LIBTOOL
+AC_DEFUN(AC_PROG_LIBTOOL,[AC_REQUIRE([_AC_PROG_LIBTOOL])])
+AC_DEFUN(_AC_PROG_LIBTOOL,
+[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
+
+# Save cache, so that ltconfig can load it
+AC_CACHE_SAVE
+
+# Actually configure libtool.  ac_aux_dir is where install-sh is found.
+AR="$AR" CC="$CC" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" \
+MAGIC="$MAGIC" LD="$LD" LDFLAGS="$LDFLAGS" LIBS="$LIBS" \
+LN_S="$LN_S" NM="$NM" RANLIB="$RANLIB" STRIP="$STRIP" \
+AS="$AS" DLLTOOL="$DLLTOOL" OBJDUMP="$OBJDUMP" \
+objext="$OBJEXT" exeext="$EXEEXT" reload_flag="$reload_flag" \
+deplibs_check_method="$deplibs_check_method" file_magic_cmd="$file_magic_cmd" \
+${CONFIG_SHELL-/bin/sh} $ac_aux_dir/ltconfig --no-reexec \
+$libtool_flags --no-verify --build="$build" $ac_aux_dir/ltmain.sh $host \
+|| AC_MSG_ERROR([libtool configure failed])
+
+# Reload cache, that may have been modified by ltconfig
+AC_CACHE_LOAD
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltconfig $ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+# Redirect the config.log output again, so that the ltconfig log is not
+# clobbered by the next message.
+exec 5>>./config.log
+])
+
+AC_DEFUN(AC_LIBTOOL_SETUP,
+[AC_PREREQ(2.13)dnl
+AC_REQUIRE([AC_ENABLE_SHARED])dnl
+AC_REQUIRE([AC_ENABLE_STATIC])dnl
+AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_LD])dnl
+AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl
+AC_REQUIRE([AC_PROG_NM])dnl
+AC_REQUIRE([AC_PROG_LN_S])dnl
+AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
+AC_REQUIRE([AC_OBJEXT])dnl
+AC_REQUIRE([AC_EXEEXT])dnl
+dnl
+
+# Only perform the check for file, if the check method requires it
+case "$deplibs_check_method" in
+file_magic*)
+  if test "$file_magic_cmd" = '${MAGIC}'; then
+    AC_PATH_MAGIC
+  fi
+  ;;
+esac
+
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+AC_CHECK_TOOL(STRIP, strip, :)
+
+# Check for any special flags to pass to ltconfig.
+libtool_flags="--cache-file=$cache_file"
+test "$enable_shared" = no && libtool_flags="$libtool_flags --disable-shared"
+test "$enable_static" = no && libtool_flags="$libtool_flags --disable-static"
+test "$enable_fast_install" = no && libtool_flags="$libtool_flags --disable-fast-install"
+test "$ac_cv_prog_gcc" = yes && libtool_flags="$libtool_flags --with-gcc"
+test "$ac_cv_prog_gnu_ld" = yes && libtool_flags="$libtool_flags --with-gnu-ld"
+ifdef([AC_PROVIDE_AC_LIBTOOL_DLOPEN],
+[libtool_flags="$libtool_flags --enable-dlopen"])
+ifdef([AC_PROVIDE_AC_LIBTOOL_WIN32_DLL],
+[libtool_flags="$libtool_flags --enable-win32-dll"])
+AC_ARG_ENABLE(libtool-lock,
+  [  --disable-libtool-lock  avoid locking (might break parallel builds)])
+test "x$enable_libtool_lock" = xno && libtool_flags="$libtool_flags --disable-lock"
+test x"$silent" = xyes && libtool_flags="$libtool_flags --silent"
+
+AC_ARG_WITH(pic,
+  [  --with-pic              try to use only PIC/non-PIC objects [default=use both]],
+     pic_mode="$withval", pic_mode=default)
+test x"$pic_mode" = xyes && libtool_flags="$libtool_flags --prefer-pic"
+test x"$pic_mode" = xno && libtool_flags="$libtool_flags --prefer-non-pic"
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case "$host" in
+*-*-irix6*)
+  # Find out which ABI we are using.
+  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case "`/usr/bin/file conftest.o`" in
+    *32-bit*)
+      LD="${LD-ld} -32"
+      ;;
+    *N32*)
+      LD="${LD-ld} -n32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -64"
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -belf"
+  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
+    [AC_LANG_SAVE
+     AC_LANG_C
+     AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
+     AC_LANG_RESTORE])
+  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS="$SAVE_CFLAGS"
+  fi
+  ;;
+
+ifdef([AC_PROVIDE_AC_LIBTOOL_WIN32_DLL],
+[*-*-cygwin* | *-*-mingw*)
+  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+  AC_CHECK_TOOL(AS, as, false)
+  AC_CHECK_TOOL(OBJDUMP, objdump, false)
+
+  # recent cygwin and mingw systems supply a stub DllMain which the user
+  # can override, but on older systems we have to supply one
+  AC_CACHE_CHECK([if libtool should supply DllMain function], lt_cv_need_dllmain,
+    [AC_TRY_LINK([],
+      [extern int __attribute__((__stdcall__)) DllMain(void*, int, void*);
+      DllMain (0, 0, 0);],
+      [lt_cv_need_dllmain=no],[lt_cv_need_dllmain=yes])])
+
+  case "$host/$CC" in
+  *-*-cygwin*/gcc*-mno-cygwin*|*-*-mingw*)
+    # old mingw systems require "-dll" to link a DLL, while more recent ones
+    # require "-mdll"
+    SAVE_CFLAGS="$CFLAGS"
+    CFLAGS="$CFLAGS -mdll"
+    AC_CACHE_CHECK([how to link DLLs], lt_cv_cc_dll_switch,
+      [AC_TRY_LINK([], [], [lt_cv_cc_dll_switch=-mdll],[lt_cv_cc_dll_switch=-dll])])
+    CFLAGS="$SAVE_CFLAGS" ;;
+  *-*-cygwin*)
+    # cygwin systems need to pass --dll to the linker, and not link
+    # crt.o which will require a WinMain@16 definition.
+    lt_cv_cc_dll_switch="-Wl,--dll -nostartfiles" ;;
+  esac
+  ;;
+  ])
+esac
+])
+
+# AC_LIBTOOL_DLOPEN - enable checks for dlopen support
+AC_DEFUN(AC_LIBTOOL_DLOPEN, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])])
+
+# AC_LIBTOOL_WIN32_DLL - declare package support for building win32 dll's
+AC_DEFUN(AC_LIBTOOL_WIN32_DLL, [AC_BEFORE([$0], [AC_LIBTOOL_SETUP])])
+
+# AC_ENABLE_SHARED - implement the --enable-shared flag
+# Usage: AC_ENABLE_SHARED[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+AC_DEFUN(AC_ENABLE_SHARED, [dnl
+define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE(shared,
+changequote(<<, >>)dnl
+<<  --enable-shared[=PKGS]  build shared libraries [default=>>AC_ENABLE_SHARED_DEFAULT],
+changequote([, ])dnl
+[p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_shared=yes ;;
+no) enable_shared=no ;;
+*)
+  enable_shared=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_shared=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac],
+enable_shared=AC_ENABLE_SHARED_DEFAULT)dnl
+])
+
+# AC_DISABLE_SHARED - set the default shared flag to --disable-shared
+AC_DEFUN(AC_DISABLE_SHARED, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_SHARED(no)])
+
+# AC_ENABLE_STATIC - implement the --enable-static flag
+# Usage: AC_ENABLE_STATIC[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+AC_DEFUN(AC_ENABLE_STATIC, [dnl
+define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE(static,
+changequote(<<, >>)dnl
+<<  --enable-static[=PKGS]  build static libraries [default=>>AC_ENABLE_STATIC_DEFAULT],
+changequote([, ])dnl
+[p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_static=yes ;;
+no) enable_static=no ;;
+*)
+  enable_static=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_static=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac],
+enable_static=AC_ENABLE_STATIC_DEFAULT)dnl
+])
+
+# AC_DISABLE_STATIC - set the default static flag to --disable-static
+AC_DEFUN(AC_DISABLE_STATIC, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_STATIC(no)])
+
+
+# AC_ENABLE_FAST_INSTALL - implement the --enable-fast-install flag
+# Usage: AC_ENABLE_FAST_INSTALL[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+AC_DEFUN(AC_ENABLE_FAST_INSTALL, [dnl
+define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE(fast-install,
+changequote(<<, >>)dnl
+<<  --enable-fast-install[=PKGS]  optimize for fast installation [default=>>AC_ENABLE_FAST_INSTALL_DEFAULT],
+changequote([, ])dnl
+[p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_fast_install=yes ;;
+no) enable_fast_install=no ;;
+*)
+  enable_fast_install=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_fast_install=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac],
+enable_fast_install=AC_ENABLE_FAST_INSTALL_DEFAULT)dnl
+])
+
+# AC_DISABLE_FAST_INSTALL - set the default to --disable-fast-install
+AC_DEFUN(AC_DISABLE_FAST_INSTALL, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_FAST_INSTALL(no)])
+
+# AC_LIBTOOL_PICMODE - implement the --with-pic flag
+# Usage: AC_LIBTOOL_PICMODE[(MODE)]
+#   Where MODE is either `yes' or `no'.  If omitted, it defaults to
+#   `both'.
+AC_DEFUN(AC_LIBTOOL_PICMODE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+pic_mode=ifelse($#,1,$1,default)])
+
+
+# AC_PATH_TOOL_PREFIX - find a file program which can recognise shared library
+AC_DEFUN(AC_PATH_TOOL_PREFIX,
+[AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(lt_cv_path_MAGIC,
+[case "$MAGIC" in
+  /*)
+  lt_cv_path_MAGIC="$MAGIC" # Let the user override the test with a path.
+  ;;
+  ?:/*)
+  ac_cv_path_MAGIC="$MAGIC" # Let the user override the test with a dos path.
+  ;;
+  *)
+  ac_save_MAGIC="$MAGIC"
+  IFS="${IFS=   }"; ac_save_ifs="$IFS"; IFS=":"
+dnl $ac_dummy forces splitting on constant user-supplied paths.
+dnl POSIX.2 word splitting is done only on the output of word expansions,
+dnl not every word.  This closes a longstanding sh security hole.
+  ac_dummy="ifelse([$2], , $PATH, [$2])"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$1; then
+      lt_cv_path_MAGIC="$ac_dir/$1"
+      if test -n "$file_magic_test_file"; then
+	case "$deplibs_check_method" in
+	"file_magic "*)
+	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  MAGIC="$lt_cv_path_MAGIC"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    egrep "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  MAGIC="$ac_save_MAGIC"
+  ;;
+esac])
+MAGIC="$lt_cv_path_MAGIC"
+if test -n "$MAGIC"; then
+  AC_MSG_RESULT($MAGIC)
+else
+  AC_MSG_RESULT(no)
+fi
+])
+
+
+# AC_PATH_MAGIC - find a file program which can recognise a shared library
+AC_DEFUN(AC_PATH_MAGIC,
+[AC_REQUIRE([AC_CHECK_TOOL_PREFIX])dnl
+AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin:$PATH)
+if test -z "$lt_cv_path_MAGIC"; then
+  if test -n "$ac_tool_prefix"; then
+    AC_PATH_TOOL_PREFIX(file, /usr/bin:$PATH)
+  else
+    MAGIC=:
+  fi
+fi
+])
+
+
+# AC_PROG_LD - find the path to the GNU or non-GNU linker
+AC_DEFUN(AC_PROG_LD,
+[AC_ARG_WITH(gnu-ld,
+[  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]],
+test "$withval" = no || with_gnu_ld=yes, with_gnu_ld=no)
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+ac_prog=ld
+if test "$ac_cv_prog_gcc" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  AC_MSG_CHECKING([for ld used by GCC])
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
+  case "$ac_prog" in
+    # Accept absolute paths.
+changequote(,)dnl
+    [\\/]* | [A-Za-z]:[\\/]*)
+      re_direlt='/[^/][^/]*/\.\./'
+changequote([,])dnl
+      # Canonicalize the path of ld
+      ac_prog=`echo $ac_prog| sed 's%\\\\%/%g'`
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  AC_MSG_CHECKING([for GNU ld])
+else
+  AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(ac_cv_path_LD,
+[if test -z "$LD"; then
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
+  for ac_dir in $PATH; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      ac_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some GNU ld's only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      if "$ac_cv_path_LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then
+	test "$with_gnu_ld" != no && break
+      else
+	test "$with_gnu_ld" != yes && break
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+else
+  ac_cv_path_LD="$LD" # Let the user override the test with a path.
+fi])
+LD="$ac_cv_path_LD"
+if test -n "$LD"; then
+  AC_MSG_RESULT($LD)
+else
+  AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+AC_PROG_LD_GNU
+])
+
+AC_DEFUN(AC_PROG_LD_GNU,
+[AC_CACHE_CHECK([if the linker ($LD) is GNU ld], ac_cv_prog_gnu_ld,
+[# I'd rather use --version here, but apparently some GNU ld's only accept -v.
+if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
+  ac_cv_prog_gnu_ld=yes
+else
+  ac_cv_prog_gnu_ld=no
+fi])
+with_gnu_ld=$ac_cv_prog_gnu_ld
+])
+
+# AC_PROG_LD_RELOAD_FLAG - find reload flag for linker
+#   -- PORTME Some linkers may need a different reload flag.
+AC_DEFUN(AC_PROG_LD_RELOAD_FLAG,
+[AC_CACHE_CHECK([for $LD option to reload object files], lt_cv_ld_reload_flag,
+[lt_cv_ld_reload_flag='-r'])
+reload_flag=$lt_cv_ld_reload_flag
+test -n "$reload_flag" && reload_flag=" $reload_flag"
+])
+
+# AC_DEPLIBS_CHECK_METHOD - how to check for library dependencies
+#  -- PORTME fill in with the dynamic library characteristics
+AC_DEFUN(AC_DEPLIBS_CHECK_METHOD,
+[AC_CACHE_CHECK([how to recognise dependant libraries],
+lt_cv_deplibs_check_method,
+[lt_cv_file_magic_cmd='${MAGIC}'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [regex]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given egrep regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case "$host_os" in
+aix4*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+bsdi4*)
+  changequote(,)dnl
+  lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
+  changequote([, ])dnl
+  lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
+
+cygwin* | mingw*)
+  lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+  lt_cv_file_magic_cmd='${OBJDUMP} -f'
+  ;;
+
+freebsd*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+    case "$host_cpu" in
+    i*86 )
+      changequote(,)dnl
+      lt_cv_deplibs_check_method=='file_magic OpenBSD/i[3-9]86 demand paged shared library'
+      changequote([, ])dnl
+      lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+hpux10.20*)
+  # TODO:  Does this work for hpux-11 too?
+  lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libc.sl
+  ;;
+
+irix5* | irix6*)
+  case "$host_os" in
+  irix5*)
+    # this will be overridden with pass_all, but let us keep it just in case
+    lt_cv_deplibs_check_method="file_magic ELF 32-bit MSB dynamic lib MIPS - version 1"
+    ;;
+  *)
+    case "$LD" in
+    *-32|*"-32 ") libmagic=32-bit;;
+    *-n32|*"-n32 ") libmagic=N32;;
+    *-64|*"-64 ") libmagic=64-bit;;
+    *) libmagic=never-match;;
+    esac
+    # this will be overridden with pass_all, but let us keep it just in case
+    changequote(,)dnl
+    lt_cv_deplibs_check_method="file_magic ELF ${libmagic} MSB mips-[1234] dynamic lib MIPS - version 1"
+    changequote([, ])dnl
+    ;;
+  esac
+  lt_cv_file_magic_test_file=`echo /lib${libsuff}/libc.so*`
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+# This must be Linux ELF.
+linux-gnu*)
+  case "$host_cpu" in
+  alpha* | i*86 | powerpc* | sparc* | ia64* )
+    lt_cv_deplibs_check_method=pass_all ;;
+  *)
+    # glibc up to 2.1.1 does not perform some relocations on ARM
+    changequote(,)dnl
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' ;;
+    changequote([, ])dnl
+  esac
+  lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
+  ;;
+
+netbsd*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then :
+  else
+    changequote(,)dnl
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB shared object'
+    changequote([, ])dnl
+    lt_cv_file_magic_cmd='/usr/bin/file -L'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+  fi
+  ;;
+
+osf3* | osf4* | osf5*)
+  # this will be overridden with pass_all, but let us keep it just in case
+  lt_cv_deplibs_check_method='file_magic COFF format alpha shared library'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sco3.2v5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  lt_cv_file_magic_test_file=/lib/libc.so
+  ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+  case "$host_vendor" in
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  motorola)
+    changequote(,)dnl
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
+    changequote([, ])dnl
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  esac
+  ;;
+esac
+])
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+])
+
+
+# AC_PROG_NM - find the path to a BSD-compatible name lister
+AC_DEFUN(AC_PROG_NM,
+[AC_MSG_CHECKING([for BSD-compatible nm])
+AC_CACHE_VAL(ac_cv_path_NM,
+[if test -n "$NM"; then
+  # Let the user override the test.
+  ac_cv_path_NM="$NM"
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
+  for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
+    test -z "$ac_dir" && ac_dir=.
+    tmp_nm=$ac_dir/${ac_tool_prefix}nm
+    if test -f $tmp_nm || test -f $tmp_nm$ac_exeext ; then
+      # Check to see if the nm accepts a BSD-compat flag.
+      # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+      #   nm: unknown option "B" ignored
+      if ($tmp_nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+	ac_cv_path_NM="$tmp_nm -B"
+	break
+      elif ($tmp_nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+	ac_cv_path_NM="$tmp_nm -p"
+	break
+      else
+	ac_cv_path_NM=${ac_cv_path_NM="$tmp_nm"} # keep the first match, but
+	continue # so that we can try to find one that supports BSD flags
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_path_NM" && ac_cv_path_NM=nm
+fi])
+NM="$ac_cv_path_NM"
+AC_MSG_RESULT([$NM])
+])
+
+# AC_CHECK_LIBM - check for math library
+AC_DEFUN(AC_CHECK_LIBM,
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+LIBM=
+case "$host" in
+*-*-beos* | *-*-cygwin*)
+  # These system don't have libm
+  ;;
+*-ncr-sysv4.3*)
+  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
+  AC_CHECK_LIB(m, main, LIBM="$LIBM -lm")
+  ;;
+*)
+  AC_CHECK_LIB(m, main, LIBM="-lm")
+  ;;
+esac
+])
+
+# AC_LIBLTDL_CONVENIENCE[(dir)] - sets LIBLTDL to the link flags for
+# the libltdl convenience library and INCLTDL to the include flags for
+# the libltdl header and adds --enable-ltdl-convenience to the
+# configure arguments.  Note that LIBLTDL and INCLTDL are not
+# AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called.  If DIR is not
+# provided, it is assumed to be `libltdl'.  LIBLTDL will be prefixed
+# with '${top_builddir}/' and INCLTDL will be prefixed with
+# '${top_srcdir}/' (note the single quotes!).  If your package is not
+# flat and you're not using automake, define top_builddir and
+# top_srcdir appropriately in the Makefiles.
+AC_DEFUN(AC_LIBLTDL_CONVENIENCE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+  case "$enable_ltdl_convenience" in
+  no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
+  "") enable_ltdl_convenience=yes
+      ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
+  esac
+  LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la
+  INCLTDL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+])
+
+# AC_LIBLTDL_INSTALLABLE[(dir)] - sets LIBLTDL to the link flags for
+# the libltdl installable library and INCLTDL to the include flags for
+# the libltdl header and adds --enable-ltdl-install to the configure
+# arguments.  Note that LIBLTDL and INCLTDL are not AC_SUBSTed, nor is
+# AC_CONFIG_SUBDIRS called.  If DIR is not provided and an installed
+# libltdl is not found, it is assumed to be `libltdl'.  LIBLTDL will
+# be prefixed with '${top_builddir}/' and INCLTDL will be prefixed
+# with '${top_srcdir}/' (note the single quotes!).  If your package is
+# not flat and you're not using automake, define top_builddir and
+# top_srcdir appropriately in the Makefiles.
+# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
+AC_DEFUN(AC_LIBLTDL_INSTALLABLE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+  AC_CHECK_LIB(ltdl, main,
+  [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
+  [if test x"$enable_ltdl_install" = xno; then
+     AC_MSG_WARN([libltdl not installed, but installation disabled])
+   else
+     enable_ltdl_install=yes
+   fi
+  ])
+  if test x"$enable_ltdl_install" = x"yes"; then
+    ac_configure_args="$ac_configure_args --enable-ltdl-install"
+    LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la
+    INCLTDL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+  else
+    ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
+    LIBLTDL="-lltdl"
+    INCLTDL=
+  fi
+])
+
+dnl old names
+AC_DEFUN(AM_PROG_LIBTOOL, [indir([AC_PROG_LIBTOOL])])dnl
+AC_DEFUN(AM_ENABLE_SHARED, [indir([AC_ENABLE_SHARED], $@)])dnl
+AC_DEFUN(AM_ENABLE_STATIC, [indir([AC_ENABLE_STATIC], $@)])dnl
+AC_DEFUN(AM_DISABLE_SHARED, [indir([AC_DISABLE_SHARED], $@)])dnl
+AC_DEFUN(AM_DISABLE_STATIC, [indir([AC_DISABLE_STATIC], $@)])dnl
+AC_DEFUN(AM_PROG_LD, [indir([AC_PROG_LD])])dnl
+AC_DEFUN(AM_PROG_NM, [indir([AC_PROG_NM])])dnl
+
+dnl This is just to silence aclocal about the macro not being used
+ifelse([AC_DISABLE_FAST_INSTALL])dnl
+
+dnl $Id: wflags.m4,v 1.3 1999/03/11 12:11:41 joda Exp $
+dnl
+dnl set WFLAGS
+
+AC_DEFUN(AC_WFLAGS,[
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+if test -z "$WFLAGS" -a "$GCC" = "yes"; then
+  # -Wno-implicit-int for broken X11 headers
+  # leave these out for now:
+  #   -Wcast-align doesn't work well on alpha osf/1
+  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
+  #   -Wmissing-declarations -Wnested-externs
+  WFLAGS="ifelse($#, 0,-Wall, $1)"
+  WFLAGS_NOUNUSED="-Wno-unused"
+  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+fi
+AC_SUBST(WFLAGS)dnl
+AC_SUBST(WFLAGS_NOUNUSED)dnl
+AC_SUBST(WFLAGS_NOIMPLICITINT)dnl
+])
+
+dnl $Id: db.m4,v 1.1 2000/07/19 11:21:07 joda Exp $
+dnl
+dnl tests for various db libraries
+dnl
+AC_DEFUN([rk_DB],[berkeley_db=db
+AC_ARG_WITH(berkeley-db,
+[  --without-berkeley-db   if you don't want berkeley db],[
+if test "$withval" = no; then
+	berkeley_db=""
+fi
+])
+if test "$berkeley_db"; then
+  AC_CHECK_HEADERS([				\
+	db.h					\
+	db_185.h				\
+  ])
+fi
+
+AC_FIND_FUNC_NO_LIBS2(dbopen, $berkeley_db, [
+#include <stdio.h>
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+],[NULL, 0, 0, 0, NULL])
+
+AC_FIND_FUNC_NO_LIBS(dbm_firstkey, $berkeley_db gdbm ndbm)
+AC_FIND_FUNC_NO_LIBS(db_create, $berkeley_db)
+
+DBLIB="$LIB_dbopen"
+if test "$LIB_dbopen" != "$LIB_db_create"; then
+        DBLIB="$DBLIB $LIB_db_create"
+fi
+if test "$LIB_dbopen" != "$LIB_dbm_firstkey"; then
+	DBLIB="$DBLIB $LIB_dbm_firstkey"
+fi
+AC_SUBST(DBLIB)dnl
+
+])
+
+dnl $Id: find-func-no-libs2.m4,v 1.4 2000/07/15 18:10:19 joda Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS2(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS2, [
+
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(ac_cv_funclib_$1,
+[
+if eval "test \"\$ac_cv_func_$1\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in $2; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$6 $ac_lib $5 $ac_save_LIBS"
+		AC_TRY_LINK([$3],[$1($4)],eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break)
+	done
+	eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}"
+	LIBS="$ac_save_LIBS"
+fi
+])
+
+eval "ac_res=\$ac_cv_funclib_$1"
+
+if false; then
+	AC_CHECK_FUNCS($1)
+dnl	AC_CHECK_LIBS($2, foo)
+fi
+# $1
+eval "ac_tr_func=HAVE_[]upcase($1)"
+eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')"
+eval "LIB_$1=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_$1=yes"
+	eval "LIB_$1="
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_MSG_RESULT([yes])
+	;;
+	no)
+	eval "ac_cv_func_$1=no"
+	eval "LIB_$1="
+	AC_MSG_RESULT([no])
+	;;
+	*)
+	eval "ac_cv_func_$1=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_DEFINE_UNQUOTED($ac_tr_lib)
+	AC_MSG_RESULT([yes, in $ac_res])
+	;;
+esac
+AC_SUBST(LIB_$1)
+])
+
+dnl $Id: find-func-no-libs.m4,v 1.5 1999/10/30 21:08:18 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS, [
+AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])])
+
+dnl $Id: roken-frag.m4,v 1.21 2001/05/11 13:58:21 joda Exp $
+dnl
+dnl some code to get roken working
+dnl
+dnl rk_ROKEN(subdir)
+dnl
+AC_DEFUN(rk_ROKEN, [
+
+AC_REQUIRE([rk_CONFIG_HEADER])
+
+DIR_roken=roken
+LIB_roken='$(top_builddir)/$1/libroken.la'
+INCLUDES_roken='-I$(top_builddir)/$1 -I$(top_srcdir)/$1'
+
+dnl Checks for programs
+AC_REQUIRE([AC_PROG_CC])
+AC_REQUIRE([AC_PROG_AWK])
+AC_REQUIRE([AC_OBJEXT])
+AC_REQUIRE([AC_EXEEXT])
+AC_REQUIRE([AC_PROG_LIBTOOL])
+
+AC_REQUIRE([AC_MIPS_ABI])
+
+dnl C characteristics
+
+AC_REQUIRE([AC_C___ATTRIBUTE__])
+AC_REQUIRE([AC_C_INLINE])
+AC_REQUIRE([AC_C_CONST])
+AC_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
+
+AC_REQUIRE([rk_DB])
+
+dnl C types
+
+AC_REQUIRE([AC_TYPE_SIZE_T])
+AC_CHECK_TYPE_EXTRA(ssize_t, int, [#include <unistd.h>])
+AC_REQUIRE([AC_TYPE_PID_T])
+AC_REQUIRE([AC_TYPE_UID_T])
+AC_HAVE_TYPE([long long])
+
+AC_REQUIRE([rk_RETSIGTYPE])
+
+dnl Checks for header files.
+AC_REQUIRE([AC_HEADER_STDC])
+AC_REQUIRE([AC_HEADER_TIME])
+
+AC_CHECK_HEADERS([\
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	config.h				\
+	crypt.h					\
+	dbm.h					\
+	db.h					\
+	dirent.h				\
+	errno.h					\
+	err.h					\
+	fcntl.h					\
+	gdbm/ndbm.h				\
+	grp.h					\
+	ifaddrs.h				\
+	ndbm.h					\
+	net/if.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6.h				\
+	netinet/in_systm.h			\
+	netinet6/in6.h				\
+	netinet6/in6_var.h			\
+	paths.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	rpcsvc/ypclnt.h				\
+	shadow.h				\
+	sys/bswap.h				\
+	sys/ioctl.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/resource.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/sysctl.h				\
+	sys/time.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	termios.h				\
+	unistd.h				\
+	userconf.h				\
+	usersec.h				\
+	util.h					\
+	vis.h					\
+	winsock.h				\
+])
+	
+AC_REQUIRE([CHECK_NETINET_IP_AND_TCP])
+
+AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes)
+AM_CONDITIONAL(have_fnmatch_h, test "$ac_cv_header_fnmatch_h" = yes)
+AM_CONDITIONAL(have_ifaddrs_h, test "$ac_cv_header_ifaddrs_h" = yes)
+AM_CONDITIONAL(have_vis_h, test "$ac_cv_header_vis_h" = yes)
+
+dnl Check for functions and libraries
+
+AC_KRB_IPV6
+
+AC_FIND_FUNC(socket, socket)
+AC_FIND_FUNC(gethostbyname, nsl)
+AC_FIND_FUNC(syslog, syslog)
+AC_FIND_FUNC(gethostbyname2, inet6 ip6)
+
+AC_FIND_FUNC(res_search, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_FIND_FUNC(dn_expand, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_BROKEN_SNPRINTF
+AC_BROKEN_VSNPRINTF
+
+AC_BROKEN_GLOB
+if test "$ac_cv_func_glob_working" != yes; then
+	LIBOBJS="$LIBOBJS glob.o"
+fi
+AM_CONDITIONAL(have_glob_h, test "$ac_cv_func_glob_working" = yes)
+
+
+AC_CHECK_FUNCS([				\
+	asnprintf				\
+	asprintf				\
+	cgetent					\
+	getconfattr				\
+	getprogname				\
+	getrlimit				\
+	getspnam				\
+	setprogname				\
+	strsvis					\
+	strunvis				\
+	strvis					\
+	strvisx					\
+	svis					\
+	sysconf					\
+	sysctl					\
+	uname					\
+	unvis					\
+	vasnprintf				\
+	vasprintf				\
+	vis					\
+])
+
+if test "$ac_cv_func_cgetent" = no; then
+	LIBOBJS="$LIBOBJS getcap.o"
+fi
+
+AC_REQUIRE([AC_FUNC_GETLOGIN])
+
+AC_FIND_FUNC_NO_LIBS(getsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+AC_FIND_FUNC_NO_LIBS(setsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+
+AC_FIND_IF_NOT_BROKEN(hstrerror, resolv,
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+17)
+if test "$ac_cv_func_hstrerror" = yes; then
+AC_NEED_PROTO([
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+hstrerror)
+fi
+
+dnl sigh, wish this could be done in a loop
+if test "$ac_cv_func_asprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+asprintf)dnl
+fi
+if test "$ac_cv_func_vasprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+vasprintf)dnl
+fi
+if test "$ac_cv_func_asnprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+asnprintf)dnl
+fi
+if test "$ac_cv_func_vasnprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+vasnprintf)dnl
+fi
+
+AC_FIND_FUNC_NO_LIBS(bswap16,,
+[#ifdef HAVE_SYS_BSWAP_H
+#include <sys/bswap.h>
+#endif],0)
+
+AC_FIND_FUNC_NO_LIBS(bswap32,,
+[#ifdef HAVE_SYS_BSWAP_H
+#include <sys/bswap.h>
+#endif],0)
+
+AC_FIND_FUNC_NO_LIBS(pidfile,util,
+[#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif],0)
+
+AC_BROKEN([					\
+	chown					\
+	copyhostent				\
+	daemon					\
+	err					\
+	errx					\
+	fchown					\
+	flock					\
+	fnmatch					\
+	freeaddrinfo				\
+	freehostent				\
+	gai_strerror				\
+	getaddrinfo				\
+	getcwd					\
+	getdtablesize				\
+	getegid					\
+	geteuid					\
+	getgid					\
+	gethostname				\
+	getifaddrs				\
+	getipnodebyaddr				\
+	getipnodebyname				\
+	getnameinfo				\
+	getopt					\
+	gettimeofday				\
+	getuid					\
+	getusershell				\
+	initgroups				\
+	innetgr					\
+	iruserok				\
+	lstat					\
+	memmove					\
+	mkstemp					\
+	putenv					\
+	rcmd					\
+	readv					\
+	recvmsg					\
+	sendmsg					\
+	setegid					\
+	setenv					\
+	seteuid					\
+	strcasecmp				\
+	strdup					\
+	strerror				\
+	strftime				\
+	strlcat					\
+	strlcpy					\
+	strlwr					\
+	strncasecmp				\
+	strndup					\
+	strnlen					\
+	strptime				\
+	strsep					\
+	strsep_copy				\
+	strtok_r				\
+	strupr					\
+	swab					\
+	unsetenv				\
+	verr					\
+	verrx					\
+	vsyslog					\
+	vwarn					\
+	vwarnx					\
+	warn					\
+	warnx					\
+	writev					\
+])
+
+AC_BROKEN2(inet_aton,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0,0])
+
+AC_BROKEN2(inet_ntop,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0, 0, 0, 0])
+
+AC_BROKEN2(inet_pton,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0,0,0])
+
+dnl
+dnl Check for sa_len in struct sockaddr, 
+dnl needs to come before the getnameinfo test
+dnl
+AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include <sys/types.h>
+#include <sys/socket.h>])
+
+if test "$ac_cv_func_getnameinfo" = "yes"; then
+  rk_BROKEN_GETNAMEINFO
+  if test "$ac_cv_func_getnameinfo_broken" = yes; then
+    LIBOBJS="$LIBOBJS getnameinfo.o"
+  fi
+fi
+
+AC_NEED_PROTO([#include <stdlib.h>], setenv)
+AC_NEED_PROTO([#include <stdlib.h>], unsetenv)
+AC_NEED_PROTO([#include <unistd.h>], gethostname)
+AC_NEED_PROTO([#include <unistd.h>], mkstemp)
+AC_NEED_PROTO([#include <unistd.h>], getusershell)
+
+AC_NEED_PROTO([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+inet_aton)
+
+AC_FIND_FUNC_NO_LIBS(crypt, crypt)dnl
+
+AC_REQUIRE([rk_BROKEN_REALLOC])dnl
+
+dnl AC_KRB_FUNC_GETCWD_BROKEN
+
+dnl
+dnl Checks for prototypes and declarations
+dnl
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyname, struct hostent *gethostbyname(const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyaddr, struct hostent *gethostbyaddr(const void *, size_t, int))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+getservbyname, struct servent *getservbyname(const char *, const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+],
+getsockname, int getsockname(int, struct sockaddr*, socklen_t*))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+],
+openlog, void openlog(const char *, int, int))
+
+AC_NEED_PROTO([
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+],
+crypt)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strtok_r)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strsep)
+
+dnl variables
+
+rk_CHECK_VAR(h_errno, 
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR(h_errlist, 
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR(h_nerr, 
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR([__progname], 
+[#ifdef HAVE_ERR_H
+#include <err.h>
+#endif])
+
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optarg)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optind)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], opterr)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optopt)
+
+AC_CHECK_DECLARATION([#include <stdlib.h>], environ)
+
+dnl
+dnl Check for fields in struct tm
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct tm, tm_gmtoff, [#include <time.h>])
+AC_HAVE_STRUCT_FIELD(struct tm, tm_zone, [#include <time.h>])
+
+dnl
+dnl or do we have a variable `timezone' ?
+dnl
+
+rk_CHECK_VAR(timezone,[#include <time.h>])
+
+AC_HAVE_TYPE([sa_family_t],[#include <sys/socket.h>])
+AC_HAVE_TYPE([socklen_t],[#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr], [#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr_storage], [#include <sys/socket.h>])
+AC_HAVE_TYPE([struct addrinfo], [#include <netdb.h>])
+AC_HAVE_TYPE([struct ifaddrs], [#include <ifaddrs.h>])
+
+dnl
+dnl Check for struct winsize
+dnl
+
+AC_KRB_STRUCT_WINSIZE
+
+dnl
+dnl Check for struct spwd
+dnl
+
+AC_KRB_STRUCT_SPWD
+
+dnl won't work with automake
+dnl moved to AC_OUTPUT in configure.in
+dnl AC_CONFIG_FILES($1/Makefile)
+
+LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
+
+AC_SUBST(DIR_roken)dnl
+AC_SUBST(LIB_roken)dnl
+AC_SUBST(INCLUDES_roken)dnl
+])
+dnl $Id: check-type-extra.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl ac_check_type + extra headers
+
+dnl AC_CHECK_TYPE_EXTRA(TYPE, DEFAULT, HEADERS)
+AC_DEFUN(AC_CHECK_TYPE_EXTRA,
+[AC_REQUIRE([AC_HEADER_STDC])dnl
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_type_$1,
+[AC_EGREP_CPP(dnl
+changequote(<<,>>)dnl
+<<$1[^a-zA-Z_0-9]>>dnl
+changequote([,]), [#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$3], ac_cv_type_$1=yes, ac_cv_type_$1=no)])dnl
+AC_MSG_RESULT($ac_cv_type_$1)
+if test $ac_cv_type_$1 = no; then
+  AC_DEFINE($1, $2, [Define this to what the type $1 should be.])
+fi
+])
+
+dnl $Id: have-type.m4,v 1.6 2000/07/15 18:10:00 joda Exp $
+dnl
+dnl check for existance of a type
+
+dnl AC_HAVE_TYPE(TYPE,INCLUDES)
+AC_DEFUN(AC_HAVE_TYPE, [
+AC_REQUIRE([AC_HEADER_STDC])
+cv=`echo "$1" | sed 'y%./+- %__p__%'`
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL([ac_cv_type_$cv],
+AC_TRY_COMPILE(
+[#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$2],
+[$1 foo;],
+eval "ac_cv_type_$cv=yes",
+eval "ac_cv_type_$cv=no"))dnl
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+AC_MSG_RESULT($ac_foo)
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	AC_CHECK_TYPES($1)
+fi
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1, [Define if you have type `$1'])
+fi
+])
+
+dnl
+dnl $Id: retsigtype.m4,v 1.1 2000/07/15 18:05:56 joda Exp $
+dnl
+dnl Figure out return type of signal handlers, and define SIGRETURN macro
+dnl that can be used to return from one
+dnl
+AC_DEFUN(rk_RETSIGTYPE,[
+AC_TYPE_SIGNAL
+if test "$ac_cv_type_signal" = "void" ; then
+	AC_DEFINE(VOID_RETSIGTYPE, 1, [Define if signal handlers return void.])
+fi
+AC_SUBST(VOID_RETSIGTYPE)
+AH_BOTTOM([#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif])
+])
+dnl
+dnl $Id: check-netinet-ip-and-tcp.m4,v 1.3 2000/07/18 10:33:02 joda Exp $
+dnl
+
+dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3
+dnl you have to include standards.h before including these files
+
+AC_DEFUN(CHECK_NETINET_IP_AND_TCP,
+[
+AC_CHECK_HEADERS(standards.h)
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+AC_CACHE_CHECK([for $i],ac_cv_header_$cv,
+[AC_TRY_CPP([\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+],
+eval "ac_cv_header_$cv=yes",
+eval "ac_cv_header_$cv=no")])
+ac_res=`eval echo \\$ac_cv_header_$cv`
+if test "$ac_res" = yes; then
+	ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+	AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+fi
+done
+if false;then
+	AC_CHECK_HEADERS(netinet/ip.h netinet/tcp.h)
+fi
+])
+
+# Define a conditional.
+
+AC_DEFUN([AM_CONDITIONAL],
+[AC_SUBST($1_TRUE)
+AC_SUBST($1_FALSE)
+if $2; then
+  $1_TRUE=
+  $1_FALSE='#'
+else
+  $1_TRUE='#'
+  $1_FALSE=
+fi])
+
+dnl $Id: krb-ipv6.m4,v 1.10 2001/03/26 03:28:03 assar Exp $
+dnl
+dnl test for IPv6
+dnl
+AC_DEFUN(AC_KRB_IPV6, [
+AC_ARG_WITH(ipv6,
+[  --without-ipv6	do not enable IPv6 support],[
+if test "$withval" = "no"; then
+	ac_cv_lib_ipv6=no
+fi])
+save_CFLAGS="${CFLAGS}"
+AC_CACHE_VAL(ac_cv_lib_ipv6,
+[dnl check for different v6 implementations (by itojun)
+v6type=unknown
+v6lib=none
+
+AC_MSG_CHECKING([ipv6 stack type])
+for i in v6d toshiba kame inria zeta linux; do
+	case $i in
+	v6d)
+		AC_EGREP_CPP(yes, [
+#include </usr/local/v6/include/sys/types.h>
+#ifdef __V6D__
+yes
+#endif],
+			[v6type=$i; v6lib=v6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-I/usr/local/v6/include $CFLAGS"])
+		;;
+	toshiba)
+		AC_EGREP_CPP(yes, [
+#include <sys/param.h>
+#ifdef _TOSHIBA_INET6
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	kame)
+		AC_EGREP_CPP(yes, [
+#include <netinet/in.h>
+#ifdef __KAME__
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	inria)
+		AC_EGREP_CPP(yes, [
+#include <netinet/in.h>
+#ifdef IPV6_INRIA_VERSION
+yes
+#endif],
+			[v6type=$i; CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	zeta)
+		AC_EGREP_CPP(yes, [
+#include <sys/param.h>
+#ifdef _ZETA_MINAMI_INET6
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	linux)
+		if test -d /usr/inet6; then
+			v6type=$i
+			v6lib=inet6
+			v6libdir=/usr/inet6
+			CFLAGS="-DINET6 $CFLAGS"
+		fi
+		;;
+	esac
+	if test "$v6type" != "unknown"; then
+		break
+	fi
+done
+AC_MSG_RESULT($v6type)
+
+if test "$v6lib" != "none"; then
+	for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do
+		if test -d $dir -a -f $dir/lib$v6lib.a; then
+			LIBS="-L$dir -l$v6lib $LIBS"
+			break
+		fi
+	done
+fi
+AC_TRY_LINK([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+],
+[
+ struct sockaddr_in6 sin6;
+ int s;
+
+ s = socket(AF_INET6, SOCK_DGRAM, 0);
+
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_port = htons(17);
+ sin6.sin6_addr = in6addr_any;
+ bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
+],
+ac_cv_lib_ipv6=yes,
+ac_cv_lib_ipv6=no)])
+AC_MSG_CHECKING(for IPv6)
+AC_MSG_RESULT($ac_cv_lib_ipv6)
+if test "$ac_cv_lib_ipv6" = yes; then
+  AC_DEFINE(HAVE_IPV6, 1, [Define if you have IPv6.])
+else
+  CFLAGS="${save_CFLAGS}"
+fi
+])
+
+dnl $Id: find-func.m4,v 1.1 1997/12/14 15:58:58 joda Exp $
+dnl
+dnl AC_FIND_FUNC(func, libraries, includes, arguments)
+AC_DEFUN(AC_FIND_FUNC, [
+AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4])
+if test -n "$LIB_$1"; then
+	LIBS="$LIB_$1 $LIBS"
+fi
+])
+
+dnl $Id: broken-snprintf.m4,v 1.3 1999/03/01 09:52:22 joda Exp $
+dnl
+AC_DEFUN(AC_BROKEN_SNPRINTF, [
+AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working,
+ac_cv_func_snprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+changequote(`,')dnl
+	char foo[3];
+changequote([,])dnl
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}],:,ac_cv_func_snprintf_working=no,:))
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_SNPRINTF, 1, [define if you have a working snprintf])
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],snprintf)
+fi
+])
+
+AC_DEFUN(AC_BROKEN_VSNPRINTF,[
+AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working,
+ac_cv_func_vsnprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+int foo(int num, ...)
+{
+changequote(`,')dnl
+	char bar[3];
+changequote([,])dnl
+	va_list arg;
+	va_start(arg, num);
+	vsnprintf(bar, 2, "%s", arg);
+	va_end(arg);
+	return strcmp(bar, "1");
+}
+
+
+int main()
+{
+	return foo(0, "12");
+}],:,ac_cv_func_vsnprintf_working=no,:))
+
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_VSNPRINTF, 1, [define if you have a working vsnprintf])
+fi
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],vsnprintf)
+fi
+])
+
+dnl $Id: need-proto.m4,v 1.2 1999/03/01 09:52:24 joda Exp $
+dnl
+dnl
+dnl Check if we need the prototype for a function
+dnl
+
+dnl AC_NEED_PROTO(includes, function)
+
+AC_DEFUN(AC_NEED_PROTO, [
+if test "$ac_cv_func_$2+set" != set -o "$ac_cv_func_$2" = yes; then
+AC_CACHE_CHECK([if $2 needs a prototype], ac_cv_func_$2_noproto,
+AC_TRY_COMPILE([$1],
+[struct foo { int foo; } xx;
+extern int $2 (struct foo*);
+$2(&xx);
+],
+eval "ac_cv_func_$2_noproto=yes",
+eval "ac_cv_func_$2_noproto=no"))
+define([foo], [NEED_]translit($2, [a-z], [A-Z])[_PROTO])
+if test "$ac_cv_func_$2_noproto" = yes; then
+	AC_DEFINE(foo, 1, [define if the system is missing a prototype for $2()])
+fi
+undefine([foo])
+fi
+])
+
+dnl $Id: broken-glob.m4,v 1.3 2001/03/26 11:40:24 assar Exp $
+dnl
+dnl check for glob(3)
+dnl
+AC_DEFUN(AC_BROKEN_GLOB,[
+AC_CACHE_CHECK(for working glob, ac_cv_func_glob_working,
+ac_cv_func_glob_working=yes
+AC_TRY_LINK([
+#include <stdio.h>
+#include <glob.h>],[
+glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|GLOB_LIMIT,
+NULL, NULL);
+],:,ac_cv_func_glob_working=no,:))
+
+if test "$ac_cv_func_glob_working" = yes; then
+	AC_DEFINE(HAVE_GLOB, 1, [define if you have a glob() that groks 
+	GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, GLOB_TILDE, and GLOB_LIMIT])
+fi
+if test "$ac_cv_func_glob_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>
+#include <glob.h>],glob)
+fi
+])
+
+dnl
+dnl $Id: krb-func-getlogin.m4,v 1.1 1999/07/13 17:45:30 assar Exp $
+dnl
+dnl test for POSIX (broken) getlogin
+dnl
+
+
+AC_DEFUN(AC_FUNC_GETLOGIN, [
+AC_CHECK_FUNCS(getlogin setlogin)
+if test "$ac_cv_func_getlogin" = yes; then
+AC_CACHE_CHECK(if getlogin is posix, ac_cv_func_getlogin_posix, [
+if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
+	ac_cv_func_getlogin_posix=no
+else
+	ac_cv_func_getlogin_posix=yes
+fi
+])
+if test "$ac_cv_func_getlogin_posix" = yes; then
+	AC_DEFINE(POSIX_GETLOGIN, 1, [Define if getlogin has POSIX flavour (and not BSD).])
+fi
+fi
+])
+
+dnl $Id: find-if-not-broken.m4,v 1.2 1998/03/16 22:16:27 joda Exp $
+dnl
+dnl
+dnl Mix between AC_FIND_FUNC and AC_BROKEN
+dnl
+
+AC_DEFUN(AC_FIND_IF_NOT_BROKEN,
+[AC_FIND_FUNC([$1], [$2], [$3], [$4])
+if eval "test \"$ac_cv_func_$1\" != yes"; then
+LIBOBJS[]="$LIBOBJS $1.o"
+fi
+AC_SUBST(LIBOBJS)dnl
+])
+
+dnl $Id: broken.m4,v 1.4 2000/07/15 18:06:36 joda Exp $
+dnl
+dnl
+dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal
+dnl libraries 
+
+AC_DEFUN(AC_BROKEN,
+[for ac_func in $1
+do
+AC_CHECK_FUNC($ac_func, [
+ac_tr_func=HAVE_[]upcase($ac_func)
+AC_DEFINE_UNQUOTED($ac_tr_func)],[LIBOBJS[]="$LIBOBJS ${ac_func}.o"])
+if false; then
+	AC_CHECK_FUNCS($1)
+fi
+done
+AC_SUBST(LIBOBJS)dnl
+])
+
+dnl $Id: broken2.m4,v 1.1 2000/12/15 14:27:33 assar Exp $
+dnl
+dnl AC_BROKEN but with more arguments
+
+dnl AC_BROKEN2(func, includes, arguments)
+AC_DEFUN(AC_BROKEN2,
+[for ac_func in $1
+do
+AC_MSG_CHECKING([for $ac_func])
+AC_CACHE_VAL(ac_cv_func_$ac_func,
+[AC_TRY_LINK([$2],
+[
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$1) || defined (__stub___$1)
+choke me
+#else
+$ac_func($3)
+#endif
+], [eval "ac_cv_func_$ac_func=yes"], [eval "ac_cv_func_$ac_func=no"])])
+if eval "test \"\${ac_cv_func_$ac_func}\" = yes"; then
+  ac_tr_func=HAVE_[]upcase($ac_func)
+  AC_DEFINE_UNQUOTED($ac_tr_func)
+  AC_MSG_RESULT(yes)
+else
+  AC_MSG_RESULT(no)
+  LIBOBJS[]="$LIBOBJS ${ac_func}.o"
+fi
+done
+if false; then
+	AC_CHECK_FUNCS($1)
+fi
+AC_SUBST(LIBOBJS)dnl
+])
+
+dnl $Id: have-struct-field.m4,v 1.6 1999/07/29 01:44:32 assar Exp $
+dnl
+dnl check for fields in a structure
+dnl
+dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
+
+AC_DEFUN(AC_HAVE_STRUCT_FIELD, [
+define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
+AC_CACHE_CHECK([for $2 in $1], cache_val,[
+AC_TRY_COMPILE([$3],[$1 x; x.$2;],
+cache_val=yes,
+cache_val=no)])
+if test "$cache_val" = yes; then
+	define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_]))
+	AC_DEFINE(foo, 1, [Define if $1 has field $2.])
+	undefine([foo])
+fi
+undefine([cache_val])
+])
+
+dnl $Id: broken-getnameinfo.m4,v 1.2 2000/12/05 09:09:00 joda Exp $
+dnl
+dnl test for broken AIX getnameinfo
+
+AC_DEFUN(rk_BROKEN_GETNAMEINFO,[
+AC_CACHE_CHECK([if getnameinfo is broken], ac_cv_func_getnameinfo_broken,
+AC_TRY_RUN([[#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+int
+main(int argc, char **argv)
+{
+  struct sockaddr_in sin;
+  char host[256];
+  memset(&sin, 0, sizeof(sin));
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+  sin.sin_len = sizeof(sin);
+#endif
+  sin.sin_family = AF_INET;
+  sin.sin_addr.s_addr = 0xffffffff;
+  sin.sin_port = 0;
+  return getnameinfo((struct sockaddr*)&sin, sizeof(sin), host, sizeof(host),
+	      NULL, 0, 0);
+}
+]], ac_cv_func_getnameinfo_broken=no, ac_cv_func_getnameinfo_broken=yes))])
+
+dnl
+dnl $Id: broken-realloc.m4,v 1.1 2000/07/15 18:05:36 joda Exp $
+dnl
+dnl Test for realloc that doesn't handle NULL as first parameter
+dnl
+AC_DEFUN(rk_BROKEN_REALLOC, [
+AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [
+ac_cv_func_realloc_broken=no
+AC_TRY_RUN([
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+],:, ac_cv_func_realloc_broken=yes, :)
+])
+if test "$ac_cv_func_realloc_broken" = yes ; then
+	AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL) doesn't work.])
+fi
+AH_BOTTOM([#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif])
+])
+
+dnl $Id: proto-compat.m4,v 1.3 1999/03/01 13:03:48 joda Exp $
+dnl
+dnl
+dnl Check if the prototype of a function is compatible with another one
+dnl
+
+dnl AC_PROTO_COMPAT(includes, function, prototype)
+
+AC_DEFUN(AC_PROTO_COMPAT, [
+AC_CACHE_CHECK([if $2 is compatible with system prototype],
+ac_cv_func_$2_proto_compat,
+AC_TRY_COMPILE([$1],
+[$3;],
+eval "ac_cv_func_$2_proto_compat=yes",
+eval "ac_cv_func_$2_proto_compat=no"))
+define([foo], translit($2, [a-z], [A-Z])[_PROTO_COMPATIBLE])
+if test "$ac_cv_func_$2_proto_compat" = yes; then
+	AC_DEFINE(foo, 1, [define if prototype of $2 is compatible with
+	$3])
+fi
+undefine([foo])
+])
+dnl $Id: check-var.m4,v 1.5 2000/12/15 04:54:06 assar Exp $
+dnl
+dnl rk_CHECK_VAR(variable, includes)
+AC_DEFUN([rk_CHECK_VAR], [
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_var_$1, [
+AC_TRY_LINK([extern int $1;
+int foo() { return $1; }],
+	    [foo()],
+	    ac_cv_var_$1=yes, ac_cv_var_$1=no)
+])
+ac_foo=`eval echo \\$ac_cv_var_$1`
+AC_MSG_RESULT($ac_foo)
+if test "$ac_foo" = yes; then
+	AC_DEFINE_UNQUOTED(AC_TR_CPP(HAVE_[]$1), 1, 
+		[Define if you have the `]$1[' variable.])
+	m4_ifval([$2], AC_CHECK_DECLARATION([$2],[$1]))
+fi
+])
+
+AC_WARNING_ENABLE([obsolete])
+AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo])
+dnl $Id: check-declaration.m4,v 1.3 1999/03/01 13:03:08 joda Exp $
+dnl
+dnl
+dnl Check if we need the declaration of a variable
+dnl
+
+dnl AC_HAVE_DECLARATION(includes, variable)
+AC_DEFUN(AC_CHECK_DECLARATION, [
+AC_MSG_CHECKING([if $2 is properly declared])
+AC_CACHE_VAL(ac_cv_var_$2_declaration, [
+AC_TRY_COMPILE([$1
+extern struct { int foo; } $2;],
+[$2.foo = 1;],
+eval "ac_cv_var_$2_declaration=no",
+eval "ac_cv_var_$2_declaration=yes")
+])
+
+define(foo, [HAVE_]translit($2, [a-z], [A-Z])[_DECLARATION])
+
+AC_MSG_RESULT($ac_cv_var_$2_declaration)
+if eval "test \"\$ac_cv_var_$2_declaration\" = yes"; then
+	AC_DEFINE(foo, 1, [define if your system declares $2])
+fi
+undefine([foo])
+])
+
+dnl $Id: krb-struct-winsize.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl
+dnl Search for struct winsize
+dnl
+
+AC_DEFUN(AC_KRB_STRUCT_WINSIZE, [
+AC_MSG_CHECKING(for struct winsize)
+AC_CACHE_VAL(ac_cv_struct_winsize, [
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+AC_EGREP_HEADER(
+changequote(, )dnl
+struct[ 	]*winsize,dnl
+changequote([,])dnl
+$i, ac_cv_struct_winsize=yes; break)dnl
+done
+])
+if test "$ac_cv_struct_winsize" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_WINSIZE, 1, [define if struct winsize is declared in sys/termios.h])
+fi
+AC_MSG_RESULT($ac_cv_struct_winsize)
+AC_EGREP_HEADER(ws_xpixel, termios.h, 
+	AC_DEFINE(HAVE_WS_XPIXEL, 1, [define if struct winsize has ws_xpixel]))
+AC_EGREP_HEADER(ws_ypixel, termios.h, 
+	AC_DEFINE(HAVE_WS_YPIXEL, 1, [define if struct winsize has ws_ypixel]))
+])
+
+dnl $Id: krb-struct-spwd.m4,v 1.3 1999/07/13 21:04:11 assar Exp $
+dnl
+dnl Test for `struct spwd'
+
+AC_DEFUN(AC_KRB_STRUCT_SPWD, [
+AC_MSG_CHECKING(for struct spwd)
+AC_CACHE_VAL(ac_cv_struct_spwd, [
+AC_TRY_COMPILE(
+[#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif],
+[struct spwd foo;],
+ac_cv_struct_spwd=yes,
+ac_cv_struct_spwd=no)
+])
+AC_MSG_RESULT($ac_cv_struct_spwd)
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_SPWD, 1, [define if you have struct spwd])
+fi
+])
+
+dnl $Id: test-package.m4,v 1.9 2000/12/15 04:54:24 assar Exp $
+dnl
+dnl AC_TEST_PACKAGE_NEW(package,headers,libraries,extra libs,default locations, conditional)
+
+AC_DEFUN(AC_TEST_PACKAGE,[AC_TEST_PACKAGE_NEW($1,[#include <$2>],$4,,$5)])
+
+AC_DEFUN(AC_TEST_PACKAGE_NEW,[
+AC_ARG_WITH($1,
+[  --with-$1=dir                use $1 in dir])
+AC_ARG_WITH($1-lib,
+[  --with-$1-lib=dir            use $1 libraries in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-lib])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+AC_ARG_WITH($1-include,
+[  --with-$1-include=dir        use $1 headers in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-include])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+
+AC_MSG_CHECKING(for $1)
+
+case "$with_$1" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_$1_include" = ""; then
+		with_$1_include="$with_$1/include"
+	fi
+	if test "$with_$1_lib" = ""; then
+		with_$1_lib="$with_$1/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d='$5'
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_$1_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_$1_include $header_dirs";;
+esac
+case "$with_$1_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_$1_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	AC_TRY_COMPILE([$2],,ires=$i;break)
+done
+for i in $lib_dirs; do
+	LIBS="-L$i $3 $4 $save_LIBS"
+	AC_TRY_LINK([$2],,lres=$i;break)
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
+	$1_includedir="$ires"
+	$1_libdir="$lres"
+	INCLUDE_$1="-I$$1_includedir"
+	LIB_$1="-L$$1_libdir $3"
+	m4_ifval([$6],
+		AC_DEFINE_UNQUOTED($6,1,[Define if you have the $1 package.]),
+		AC_DEFINE_UNQUOTED(upcase($1),1,[Define if you have the $1 package.]))
+	with_$1=yes
+	AC_MSG_RESULT([headers $ires, libraries $lres])
+else
+	INCLUDE_$1=
+	LIB_$1=
+	with_$1=no
+	AC_MSG_RESULT($with_$1)
+fi
+dnl m4_ifval([$6],
+dnl 	AM_CONDITIONAL($6, test "$with_$1" = yes)
+dnl 	AM_CONDITIONAL(upcase($1), test "$with_$1" = yes))
+AC_SUBST(INCLUDE_$1)
+AC_SUBST(LIB_$1)
+])
+
+dnl $Id: osfc2.m4,v 1.2 1999/03/27 17:28:16 joda Exp $
+dnl
+dnl enable OSF C2 stuff
+
+AC_DEFUN(AC_CHECK_OSFC2,[
+AC_ARG_ENABLE(osfc2,
+[  --enable-osfc2          enable some OSF C2 support])
+LIB_security=
+if test "$enable_osfc2" = yes; then
+	AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.])
+	LIB_security=-lsecurity
+fi
+AC_SUBST(LIB_security)
+])
+
+dnl $Id: check-man.m4,v 1.3 2000/11/30 01:47:17 joda Exp $
+dnl check how to format manual pages
+dnl
+
+AC_DEFUN(rk_CHECK_MAN,
+[AC_PATH_PROG(NROFF, nroff)
+AC_PATH_PROG(GROFF, groff)
+AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format,
+[cat > conftest.1 << END
+.Dd January 1, 1970
+.Dt CONFTEST 1
+.Sh NAME
+.Nm conftest
+.Nd
+foobar
+END
+
+if test "$NROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$NROFF" $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$NROFF $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$GROFF -Tascii $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format"; then
+	ac_cv_sys_man_format="$ac_cv_sys_man_format \[$]< > \[$]@"
+fi
+])
+if test "$ac_cv_sys_man_format"; then
+	CATMAN="$ac_cv_sys_man_format"
+	AC_SUBST(CATMAN)
+fi
+AM_CONDITIONAL(CATMAN, test "$CATMAN")
+AC_CACHE_CHECK(extension of pre-formatted manual pages,ac_cv_sys_catman_ext,
+[if grep _suffix /etc/man.conf > /dev/null 2>&1; then
+	ac_cv_sys_catman_ext=0
+else
+	ac_cv_sys_catman_ext=number
+fi
+])
+if test "$ac_cv_sys_catman_ext" = number; then
+	CATMANEXT='$$section'
+else
+	CATMANEXT=0
+fi
+AC_SUBST(CATMANEXT)
+])
+dnl
+dnl $Id: krb-bigendian.m4,v 1.6 2000/08/19 15:37:00 assar Exp $
+dnl
+
+dnl check if this computer is little or big-endian
+dnl if we can figure it out at compile-time then don't define the cpp symbol
+dnl otherwise test for it and define it.  also allow options for overriding
+dnl it when cross-compiling
+
+AC_DEFUN(KRB_C_BIGENDIAN, [
+AC_ARG_ENABLE(bigendian,
+[  --enable-bigendian	the target is big endian],
+krb_cv_c_bigendian=yes)
+AC_ARG_ENABLE(littleendian,
+[  --enable-littleendian	the target is little endian],
+krb_cv_c_bigendian=no)
+AC_CACHE_CHECK(whether byte order is known at compile time,
+krb_cv_c_bigendian_compile,
+[AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/param.h>],[
+#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
+ bogus endian macros
+#endif], krb_cv_c_bigendian_compile=yes, krb_cv_c_bigendian_compile=no)])
+AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
+  if test "$krb_cv_c_bigendian_compile" = "yes"; then
+    AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/param.h>],[
+#if BYTE_ORDER != BIG_ENDIAN
+  not big endian
+#endif], krb_cv_c_bigendian=yes, krb_cv_c_bigendian=no)
+  else
+    AC_TRY_RUN([main () {
+      /* Are we little or big endian?  From Harbison&Steele.  */
+      union
+      {
+	long l;
+	char c[sizeof (long)];
+    } u;
+    u.l = 1;
+    exit (u.c[sizeof (long) - 1] == 1);
+  }], krb_cv_c_bigendian=no, krb_cv_c_bigendian=yes,
+  AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian]))
+  fi
+])
+if test "$krb_cv_c_bigendian" = "yes"; then
+  AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl
+fi
+if test "$krb_cv_c_bigendian_compile" = "yes"; then
+  AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl
+fi
+])
+
+dnl
+dnl $Id: aix.m4,v 1.5 2000/11/05 17:15:46 joda Exp $
+dnl
+
+AC_DEFUN(KRB_AIX,[
+aix=no
+case "$host" in 
+*-*-aix3*)
+	aix=3
+	;;
+*-*-aix4*)
+	aix=4
+	;;
+esac
+AM_CONDITIONAL(AIX, test "$aix" != no)dnl
+AM_CONDITIONAL(AIX4, test "$aix" = 4)
+aix_dynamic_afs=yes
+AM_CONDITIONAL(AIX_DYNAMIC_AFS, test "$aix_dynamic_afs" = yes)dnl
+
+AC_FIND_FUNC_NO_LIBS(dlopen, dl)
+
+if test "$aix" != no; then
+	if test "$aix_dynamic_afs" = yes; then
+		if test "$ac_cv_funclib_dlopen" = yes; then
+			AIX_EXTRA_KAFS=
+		elif test "$ac_cv_funclib_dlopen" != no; then
+			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
+		else
+			AIX_EXTRA_KAFS=-lld
+		fi
+	else
+		AIX_EXTRA_KAFS=
+	fi
+fi
+
+AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no)dnl
+AC_SUBST(AIX_EXTRA_KAFS)dnl
+
+])
+dnl
+dnl $Id: krb-irix.m4,v 1.2 2000/12/13 12:48:45 assar Exp $
+dnl
+
+dnl requires AC_CANONICAL_HOST
+AC_DEFUN(KRB_IRIX,[
+irix=no
+case "$host_os" in
+irix*) irix=yes ;;
+esac
+AM_CONDITIONAL(IRIX, test "$irix" != no)dnl
+])
+
+dnl 
+dnl See if there is any X11 present
+dnl
+dnl $Id: check-x.m4,v 1.2 1999/11/05 04:25:23 assar Exp $
+
+AC_DEFUN(KRB_CHECK_X,[
+AC_PATH_XTRA
+
+# try to figure out if we need any additional ld flags, like -R
+# and yes, the autoconf X test is utterly broken
+if test "$no_x" != yes; then
+	AC_CACHE_CHECK(for special X linker flags,krb_cv_sys_x_libs_rpath,[
+	ac_save_libs="$LIBS"
+	ac_save_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS $X_CFLAGS"
+	krb_cv_sys_x_libs_rpath=""
+	krb_cv_sys_x_libs=""
+	for rflag in "" "-R" "-R " "-rpath "; do
+		if test "$rflag" = ""; then
+			foo="$X_LIBS"
+		else
+			foo=""
+			for flag in $X_LIBS; do
+			case $flag in
+			-L*)
+				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
+				;;
+			*)
+				foo="$foo $flag"
+				;;
+			esac
+			done
+		fi
+		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
+		AC_TRY_RUN([
+		#include <X11/Xlib.h>
+		foo()
+		{
+		XOpenDisplay(NULL);
+		}
+		main()
+		{
+		return 0;
+		}
+		], krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:)
+	done
+	LIBS="$ac_save_libs"
+	CFLAGS="$ac_save_cflags"
+	])
+	X_LIBS="$krb_cv_sys_x_libs"
+fi
+])
+
+dnl $Id: check-xau.m4,v 1.3 1999/05/14 01:17:06 assar Exp $
+dnl
+dnl check for Xau{Read,Write}Auth and XauFileName
+dnl
+AC_DEFUN(AC_CHECK_XAU,[
+save_CFLAGS="$CFLAGS"
+CFLAGS="$X_CFLAGS $CFLAGS"
+save_LIBS="$LIBS"
+dnl LIBS="$X_LIBS $X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $X_LIBS"
+
+
+AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau)
+ac_xxx="$LIBS"
+LIBS="$LIB_XauWriteAuth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau)
+LIBS="$LIB_XauReadAauth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau)
+LIBS="$ac_xxx"
+
+case "$ac_cv_funclib_XauWriteAuth" in
+yes)	;;
+no)	;;
+*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	else
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	fi
+	;;
+esac
+
+if test "$AUTOMAKE" != ""; then
+	AM_CONDITIONAL(NEED_WRITEAUTH, test "$ac_cv_func_XauWriteAuth" != "yes")
+else
+	AC_SUBST(NEED_WRITEAUTH_TRUE)
+	AC_SUBST(NEED_WRITEAUTH_FALSE)
+	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+		NEED_WRITEAUTH_TRUE=
+		NEED_WRITEAUTH_FALSE='#'
+	else
+		NEED_WRITEAUTH_TRUE='#'
+		NEED_WRITEAUTH_FALSE=
+	fi
+fi
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+LDFLAGS=$save_LDFLAGS
+])
+
+dnl
+dnl $Id: capabilities.m4,v 1.2 1999/09/01 11:02:26 joda Exp $
+dnl
+
+dnl
+dnl Test SGI capabilities
+dnl
+
+AC_DEFUN(KRB_CAPABILITIES,[
+
+AC_CHECK_HEADERS(capability.h sys/capability.h)
+
+AC_CHECK_FUNCS(sgi_getcapabilitybyname cap_set_proc)
+])
+
+dnl $Id: check-getpwnam_r-posix.m4,v 1.2 1999/03/23 16:47:31 joda Exp $
+dnl
+dnl check for getpwnam_r, and if it's posix or not
+
+AC_DEFUN(AC_CHECK_GETPWNAM_R_POSIX,[
+AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r)
+if test "$ac_cv_func_getpwnam_r" = yes; then
+	AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix,
+	ac_libs="$LIBS"
+	LIBS="$LIBS $LIB_getpwnam_r"
+	AC_TRY_RUN([
+#include <pwd.h>
+int main()
+{
+	struct passwd pw, *pwd;
+	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
+}
+],ac_cv_func_getpwnam_r_posix=yes,ac_cv_func_getpwnam_r_posix=no,:)
+LIBS="$ac_libs")
+if test "$ac_cv_func_getpwnam_r_posix" = yes; then
+	AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.])
+fi
+fi
+])
+dnl $Id: grok-type.m4,v 1.4 1999/11/29 11:16:48 joda Exp $
+dnl
+AC_DEFUN(AC_GROK_TYPE, [
+AC_CACHE_VAL(ac_cv_type_$1, 
+AC_TRY_COMPILE([
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+],
+$i x;
+,
+eval ac_cv_type_$1=yes,
+eval ac_cv_type_$1=no))])
+
+AC_DEFUN(AC_GROK_TYPES, [
+for i in $1; do
+	AC_MSG_CHECKING(for $i)
+	AC_GROK_TYPE($i)
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_[]upcase($i)
+		AC_DEFINE_UNQUOTED($type)
+	fi
+	AC_MSG_RESULT($ac_res)
+done
+])
+
+dnl $Id: krb-readline.m4,v 1.2 2000/11/15 00:47:08 assar Exp $
+dnl
+dnl Tests for readline functions
+dnl
+
+dnl el_init
+
+AC_DEFUN(KRB_READLINE,[
+AC_FIND_FUNC_NO_LIBS(el_init, edit, [], [], [$LIB_tgetent])
+if test "$ac_cv_func_el_init" = yes ; then
+	AC_CACHE_CHECK(for four argument el_init, ac_cv_func_el_init_four,[
+		AC_TRY_COMPILE([#include <stdio.h>
+			#include <histedit.h>],
+			[el_init("", NULL, NULL, NULL);],
+			ac_cv_func_el_init_four=yes,
+			ac_cv_func_el_init_four=no)])
+	if test "$ac_cv_func_el_init_four" = yes; then
+		AC_DEFINE(HAVE_FOUR_VALUED_EL_INIT, 1, [Define if el_init takes four arguments.])
+	fi
+fi
+
+dnl readline
+
+ac_foo=no
+if test "$with_readline" = yes; then
+	:
+elif test "$ac_cv_func_readline" = yes; then
+	:
+elif test "$ac_cv_func_el_init" = yes; then
+	ac_foo=yes
+	LIB_readline="\$(top_builddir)/lib/editline/libel_compat.la $LIB_el_init"
+else
+	LIB_readline='$(top_builddir)/lib/editline/libeditline.la'
+fi
+AM_CONDITIONAL(el_compat, test "$ac_foo" = yes)
+if test "$readline_libdir"; then
+	LIB_readline="-rpath $readline_libdir $LIB_readline"
+fi
+LIB_readline="$LIB_readline \$(LIB_tgetent)"
+AC_DEFINE(HAVE_READLINE, 1, 
+	[Define if you have a readline compatible library.])dnl
+
+])
+dnl $Id: auth-modules.m4,v 1.1 1999/03/21 13:48:00 joda Exp $
+dnl
+dnl Figure what authentication modules should be built
+
+AC_DEFUN(AC_AUTH_MODULES,[
+AC_MSG_CHECKING(which authentication modules should be built)
+
+LIB_AUTH_SUBDIRS=
+
+if test "$ac_cv_header_siad_h" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia"
+fi
+
+if test "$ac_cv_header_security_pam_modules_h" = yes -a "$enable_shared" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam"
+fi
+
+case "${host}" in
+changequote(,)dnl
+*-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
+changequote([,])dnl
+esac
+
+AC_MSG_RESULT($LIB_AUTH_SUBDIRS)
+
+AC_SUBST(LIB_AUTH_SUBDIRS)dnl
+])
+
diff --git a/crypto/heimdal/admin/Makefile.am b/crypto/heimdal/admin/Makefile.am
new file mode 100644
index 0000000..f6eca74
--- /dev/null
+++ b/crypto/heimdal/admin/Makefile.am
@@ -0,0 +1,27 @@
+# $Id: Makefile.am,v 1.33 2000/12/16 00:16:45 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_readline)
+
+man_MANS = ktutil.8
+
+sbin_PROGRAMS = ktutil
+
+ktutil_SOURCES = add.c				\
+		 change.c			\
+		 copy.c				\
+		 get.c				\
+		 ktutil.c			\
+		 list.c				\
+		 purge.c			\
+		 remove.c
+
+LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_readline) \
+	$(LIB_roken)
diff --git a/crypto/heimdal/admin/Makefile.in b/crypto/heimdal/admin/Makefile.in
new file mode 100644
index 0000000..44df52e
--- /dev/null
+++ b/crypto/heimdal/admin/Makefile.in
@@ -0,0 +1,634 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.33 2000/12/16 00:16:45 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_readline)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+man_MANS = ktutil.8
+
+sbin_PROGRAMS = ktutil
+
+ktutil_SOURCES = add.c				\
+		 change.c			\
+		 copy.c				\
+		 get.c				\
+		 ktutil.c			\
+		 list.c				\
+		 purge.c			\
+		 remove.c
+
+
+LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_readline) \
+	$(LIB_roken)
+
+subdir = admin
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+sbin_PROGRAMS =  ktutil$(EXEEXT)
+PROGRAMS =  $(sbin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_ktutil_OBJECTS =  add.$(OBJEXT) change.$(OBJEXT) copy.$(OBJEXT) \
+get.$(OBJEXT) ktutil.$(OBJEXT) list.$(OBJEXT) purge.$(OBJEXT) \
+remove.$(OBJEXT)
+ktutil_OBJECTS =  $(am_ktutil_OBJECTS)
+ktutil_LDADD = $(LDADD)
+ktutil_DEPENDENCIES =  $(top_builddir)/lib/kadm5/libkadm5clnt.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la \
+$(top_builddir)/lib/sl/libsl.la
+ktutil_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(ktutil_SOURCES)
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(ktutil_SOURCES)
+OBJECTS = $(am_ktutil_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign admin/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-sbinPROGRAMS:
+
+clean-sbinPROGRAMS:
+	-test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS)
+
+distclean-sbinPROGRAMS:
+
+maintainer-clean-sbinPROGRAMS:
+
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(sbindir)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \
+	  rm -f $(DESTDIR)$(sbindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+ktutil$(EXEEXT): $(ktutil_OBJECTS) $(ktutil_DEPENDENCIES)
+	@rm -f ktutil$(EXEEXT)
+	$(LINK) $(ktutil_LDFLAGS) $(ktutil_OBJECTS) $(ktutil_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-sbinPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(sbindir) $(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-sbinPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-sbinPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-sbinPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-sbinPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-sbinPROGRAMS distclean-sbinPROGRAMS \
+clean-sbinPROGRAMS maintainer-clean-sbinPROGRAMS uninstall-sbinPROGRAMS \
+install-sbinPROGRAMS mostlyclean-compile distclean-compile \
+clean-compile maintainer-clean-compile mostlyclean-libtool \
+distclean-libtool clean-libtool maintainer-clean-libtool install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/admin/add.c b/crypto/heimdal/admin/add.c
new file mode 100644
index 0000000..5ad6517
--- /dev/null
+++ b/crypto/heimdal/admin/add.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: add.c,v 1.2 2001/05/10 15:39:15 assar Exp $");
+
+int
+kt_add(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_keytab keytab;
+    krb5_keytab_entry entry;
+    char buf[128];
+    char *principal_string = NULL;
+    int kvno = -1;
+    char *enctype_string = NULL;
+    krb5_enctype enctype;
+    char *password_string = NULL;
+    int salt_flag = 1;
+    int random_flag = 0;
+    int help_flag = 0;
+    struct getargs args[] = {
+	{ "principal", 'p', arg_string, NULL, "principal of key", "principal"},
+	{ "kvno", 'V', arg_integer, NULL, "key version of key" },
+	{ "enctype", 'e', arg_string, NULL, "encryption type of key" },
+	{ "password", 'w', arg_string, NULL, "password for key"},
+	{ "salt", 's',	arg_negative_flag, NULL, "no salt" },
+	{ "random",  'r', arg_flag, NULL, "generate random key" },
+	{ "help", 'h', arg_flag, NULL }
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+    int i = 0;
+    args[i++].value = &principal_string;
+    args[i++].value = &kvno;
+    args[i++].value = &enctype_string;
+    args[i++].value = &password_string;
+    args[i++].value = &salt_flag;
+    args[i++].value = &random_flag;
+    args[i++].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, "ktutil add", "");
+	return 1;
+    }
+    if(help_flag) {
+	arg_printusage(args, num_args, "ktutil add", "");
+	return 1;
+    }
+    if (keytab_string == NULL) {
+	ret = krb5_kt_default_modify_name (context, keytab_buf,
+					   sizeof(keytab_buf));
+	if (ret) {
+	    krb5_warn(context, ret, "krb5_kt_default_modify_name");
+	    return 1;
+	}
+	keytab_string = keytab_buf;
+    }
+    ret = krb5_kt_resolve(context, keytab_string, &keytab);
+    if (ret) {
+	krb5_warn(context, ret, "resolving keytab %s", keytab_string);
+	return 1;
+    }
+
+    if (verbose_flag)
+	fprintf (stderr, "Using keytab %s\n", keytab_string);
+	
+    memset(&entry, 0, sizeof(entry));
+    if(principal_string == NULL) {
+	printf("Principal: ");
+	if (fgets(buf, sizeof(buf), stdin) == NULL)
+	    return 1;
+	buf[strcspn(buf, "\r\n")] = '\0';
+	principal_string = buf;
+    }
+    ret = krb5_parse_name(context, principal_string, &entry.principal);
+    if(ret) {
+	krb5_warn(context, ret, "%s", principal_string);
+	goto out;
+    }
+    if(enctype_string == NULL) {
+	printf("Encryption type: ");
+	if (fgets(buf, sizeof(buf), stdin) == NULL)
+	    goto out;
+	buf[strcspn(buf, "\r\n")] = '\0';
+	enctype_string = buf;
+    }
+    ret = krb5_string_to_enctype(context, enctype_string, &enctype);
+    if(ret) {
+	int t;
+	if(sscanf(enctype_string, "%d", &t) == 1)
+	    enctype = t;
+	else {
+	    krb5_warn(context, ret, "%s", enctype_string);
+	    goto out;
+	}
+    }
+    if(kvno == -1) {
+	printf("Key version: ");
+	if (fgets(buf, sizeof(buf), stdin) == NULL)
+	    goto out;
+	buf[strcspn(buf, "\r\n")] = '\0';
+	kvno = atoi(buf);
+    }
+    if(password_string == NULL && random_flag == 0) {
+	if(des_read_pw_string(buf, sizeof(buf), "Password: ", 1))
+	    goto out;
+	password_string = buf;
+    }
+    if(password_string) {
+	if (!salt_flag) {
+	    krb5_salt salt;
+	    krb5_data pw;
+
+	    salt.salttype         = KRB5_PW_SALT;
+	    salt.saltvalue.data   = NULL;
+	    salt.saltvalue.length = 0;
+	    pw.data = (void*)password_string;
+	    pw.length = strlen(password_string);
+	    krb5_string_to_key_data_salt(context, enctype, pw, salt,
+					 &entry.keyblock);
+        } else {
+	    krb5_string_to_key(context, enctype, password_string, 
+			       entry.principal, &entry.keyblock);
+	}
+	memset (password_string, 0, strlen(password_string));
+    } else {
+	krb5_generate_random_keyblock(context, enctype, &entry.keyblock);
+    }
+    entry.vno = kvno;
+    entry.timestamp = time (NULL);
+    ret = krb5_kt_add_entry(context, keytab, &entry);
+    if(ret)
+	krb5_warn(context, ret, "add");
+ out:
+    krb5_kt_free_entry(context, &entry);
+    krb5_kt_close(context, keytab);
+    return 0;
+}
diff --git a/crypto/heimdal/admin/change.c b/crypto/heimdal/admin/change.c
new file mode 100644
index 0000000..c523dc4
--- /dev/null
+++ b/crypto/heimdal/admin/change.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: change.c,v 1.3 2001/05/10 15:40:07 assar Exp $");
+
+static void
+change_entry (krb5_context context, krb5_keytab keytab,
+	      krb5_keytab_entry *entry,
+	      const char *realm, const char *admin_server, int server_port)
+{
+    krb5_error_code ret;
+    kadm5_config_params conf;
+    void *kadm_handle;
+    char *client_name;
+    krb5_keyblock *keys;
+    int num_keys;
+    int i;
+
+    ret = krb5_unparse_name (context, entry->principal, &client_name);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_unparse_name");
+	return;
+    }
+
+    memset (&conf, 0, sizeof(conf));
+
+    if(realm)
+	conf.realm = (char *)realm;
+    else
+	conf.realm = *krb5_princ_realm (context, entry->principal);
+    conf.mask |= KADM5_CONFIG_REALM;
+    
+    if (admin_server) {
+	conf.admin_server = (char *)admin_server;
+	conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
+    }
+
+    if (server_port) {
+	conf.kadmind_port = htons(server_port);
+	conf.mask |= KADM5_CONFIG_KADMIND_PORT;
+    }
+
+    ret = kadm5_init_with_skey_ctx (context,
+				    client_name,
+				    keytab_string,
+				    KADM5_ADMIN_SERVICE,
+				    &conf, 0, 0,
+				    &kadm_handle);
+    free (client_name);
+    if (ret) {
+	krb5_warn (context, ret, "kadm5_c_init_with_skey_ctx");
+	return;
+    }
+    ret = kadm5_randkey_principal (kadm_handle, entry->principal,
+				   &keys, &num_keys);
+    kadm5_destroy (kadm_handle);
+    if (ret) {
+	krb5_warn(context, ret, "kadm5_randkey_principal");
+	return;
+    }
+    for (i = 0; i < num_keys; ++i) {
+	krb5_keytab_entry new_entry;
+
+	new_entry = *entry;
+	new_entry.timestamp = time (NULL);
+	++new_entry.vno;
+	new_entry.keyblock  = keys[i];
+
+	ret = krb5_kt_add_entry (context, keytab, &new_entry);
+	if (ret)
+	    krb5_warn (context, ret, "krb5_kt_add_entry");
+	krb5_free_keyblock_contents (context, &keys[i]);
+    }
+}
+
+/*
+ * loop over all the entries in the keytab (or those given) and change
+ * their keys, writing the new keys
+ */
+
+int
+kt_change (int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_keytab keytab;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    char *realm = NULL;
+    char *admin_server = NULL;
+    int server_port = 0;
+    int help_flag = 0;
+    int optind = 0;
+    int j, max;
+    krb5_principal *princs;
+    
+    struct getargs args[] = {
+	{ "realm",	'r',	arg_string,   NULL, 
+	  "realm to use", "realm" 
+	},
+	{ "admin-server",	'a',	arg_string, NULL,
+	  "server to contact", "host" 
+	},
+	{ "server-port",	's',	arg_integer, NULL,
+	  "port to contact", "port number" 
+	},
+	{ "help",		'h',	arg_flag,    NULL }
+    };
+
+    args[0].value = &realm;
+    args[1].value = &admin_server;
+    args[2].value = &server_port;
+    args[3].value = &help_flag;
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)
+       || help_flag) {
+	arg_printusage(args, sizeof(args) / sizeof(args[0]), 
+		       "ktutil change", "principal...");
+	return 1;
+    }
+    
+    if (keytab_string == NULL) {
+	ret = krb5_kt_default_modify_name (context, keytab_buf,
+					   sizeof(keytab_buf));
+	if (ret) {
+	    krb5_warn(context, ret, "krb5_kt_default_modify_name");
+	    return 1;
+	}
+	keytab_string = keytab_buf;
+    }
+    ret = krb5_kt_resolve(context, keytab_string, &keytab);
+    if (ret) {
+	krb5_warn(context, ret, "resolving keytab %s", keytab_string);
+	return 1;
+    }
+
+    if (verbose_flag)
+	fprintf (stderr, "Using keytab %s\n", keytab_string);
+	
+    j = 0;
+    max = 10;
+    princs = malloc (max * sizeof(*princs));
+    if (princs == NULL) {
+	krb5_warnx (context, "malloc: out of memory");
+	goto out;
+    }
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret){
+	krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
+	goto out;
+    }
+
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
+	int i;
+	int done = 0;
+
+	for (i = 0; i < j; ++i)
+	    if (krb5_principal_compare (context, princs[i],
+					entry.principal))
+		break;
+	if (i < j)
+	    continue;
+
+	if (optind == argc) {
+	    change_entry (context, keytab, &entry, realm, admin_server,
+			  server_port);
+	    done = 1;
+	} else {
+	    for (i = optind; i < argc; ++i) {
+		krb5_principal princ;
+
+		ret = krb5_parse_name (context, argv[i], &princ);
+		if (ret) {
+		    krb5_warn (context, ret, "krb5_parse_name %s", argv[i]);
+		    continue;
+		}
+		if (krb5_principal_compare (context, princ, entry.principal)) {
+		    change_entry (context, keytab, &entry,
+				  realm, admin_server, server_port);
+		    done = 1;
+		}
+		krb5_free_principal (context, princ);
+	    }
+	}
+	if (done) {
+	    if (j >= max) {
+		void *tmp;
+
+		max *= 2;
+		tmp = realloc (princs, max * sizeof(*princs));
+		if (tmp == NULL) {
+		    krb5_kt_free_entry (context, &entry);
+		    krb5_warnx (context, "realloc: out of memory");
+		    break;
+		}
+		princs = tmp;
+	    }
+	    ret = krb5_copy_principal (context, entry.principal, &princs[j]);
+	    if (ret) {
+		krb5_warn (context, ret, "krb5_copy_principal");
+		krb5_kt_free_entry (context, &entry);
+		break;
+	    }
+	    ++j;
+	}
+	krb5_kt_free_entry (context, &entry);
+    }
+    while (j-- > 0)
+	krb5_free_principal (context, princs[j]);
+    free (princs);
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+ out:
+    krb5_kt_close(context, keytab);
+    return 0;
+}
diff --git a/crypto/heimdal/admin/copy.c b/crypto/heimdal/admin/copy.c
new file mode 100644
index 0000000..a446d09
--- /dev/null
+++ b/crypto/heimdal/admin/copy.c
@@ -0,0 +1,248 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: copy.c,v 1.7 2001/05/11 00:54:01 assar Exp $");
+
+
+static krb5_boolean
+compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
+{
+    if(a->keytype != b->keytype ||
+       a->keyvalue.length != b->keyvalue.length ||
+       memcmp(a->keyvalue.data, b->keyvalue.data, a->keyvalue.length) != 0)
+	return FALSE;
+    return TRUE;
+}
+
+static int
+kt_copy_int (const char *from, const char *to)
+{
+    krb5_error_code ret;
+    krb5_keytab src_keytab, dst_keytab;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry, dummy;
+
+    ret = krb5_kt_resolve (context, from, &src_keytab);
+    if (ret) {
+	krb5_warn (context, ret, "resolving src keytab `%s'", from);
+	return 1;
+    }
+
+    ret = krb5_kt_resolve (context, to, &dst_keytab);
+    if (ret) {
+	krb5_kt_close (context, src_keytab);
+	krb5_warn (context, ret, "resolving dst keytab `%s'", to);
+	return 1;
+    }
+
+    ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_kt_start_seq_get %s", keytab_string);
+	goto out;
+    }
+
+    if (verbose_flag)
+	fprintf(stderr, "copying %s to %s\n", from, to);
+
+    while((ret = krb5_kt_next_entry(context, src_keytab,
+				    &entry, &cursor)) == 0) {
+	char *name_str;
+	char *etype_str;
+	krb5_unparse_name (context, entry.principal, &name_str);
+	krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
+	ret = krb5_kt_get_entry(context, dst_keytab, 
+				entry.principal, 
+				entry.vno, 
+				entry.keyblock.keytype,
+				&dummy);
+	if(ret == 0) {
+	    /* this entry is already in the new keytab, so no need to
+               copy it; if the keyblocks are not the same, something
+               is weird, so complain about that */
+	    if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
+		krb5_warnx(context, "entry with different keyvalue "
+			   "already exists for %s, keytype %s, kvno %d", 
+			   name_str, etype_str, entry.vno);
+	    }
+	    krb5_kt_free_entry(context, &dummy);
+	    krb5_kt_free_entry (context, &entry);
+	    free(name_str);
+	    free(etype_str);
+	    continue;
+	} else if(ret != KRB5_KT_NOTFOUND) {
+	    krb5_warn(context, ret, "krb5_kt_get_entry(%s)", name_str);
+	    krb5_kt_free_entry (context, &entry);
+	    free(name_str);
+	    free(etype_str);
+	    break;
+	}
+	if (verbose_flag)
+	    fprintf (stderr, "copying %s, keytype %s, kvno %d\n", name_str, 
+		     etype_str, entry.vno);
+	ret = krb5_kt_add_entry (context, dst_keytab, &entry);
+	krb5_kt_free_entry (context, &entry);
+	if (ret) {
+	    krb5_warn (context, ret, "krb5_kt_add_entry(%s)", name_str);
+	    free(name_str);
+	    free(etype_str);
+	    break;
+	}
+	free(name_str);
+	free(etype_str);
+    }
+    krb5_kt_end_seq_get (context, src_keytab, &cursor);
+
+  out:
+    krb5_kt_close (context, src_keytab);
+    krb5_kt_close (context, dst_keytab);
+    return 0;
+}
+
+int
+kt_copy (int argc, char **argv)
+{
+    int help_flag = 0;
+    int optind = 0;
+
+    struct getargs args[] = {
+	{ "help", 'h', arg_flag, NULL}
+    };
+
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int i = 0;
+
+    args[i++].value = &help_flag;
+    args[i++].value = &verbose_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, "ktutil copy",
+		       "keytab-src keytab-dest");
+	return 1;
+    }
+    if (help_flag) {
+	arg_printusage(args, num_args, "ktutil copy",
+		       "keytab-src keytab-dest");
+	return 1;
+    }
+
+    argv += optind;
+    argc -= optind;
+
+    if (argc != 2) {
+	arg_printusage(args, num_args, "ktutil copy",
+		       "keytab-src keytab-dest");
+	return 1;
+    }
+
+    return kt_copy_int(argv[0], argv[1]);
+}
+
+#ifndef KEYFILE
+#define KEYFILE "/etc/srvtab"
+#endif
+
+/* copy to from v4 srvtab, just short for copy */
+static int
+conv(int srvconv, int argc, char **argv)
+{
+    int help_flag = 0;
+    char *srvtab = KEYFILE;
+    int optind = 0;
+    char kt4[1024], kt5[1024];
+
+    char *name;
+
+    struct getargs args[] = {
+	{ "srvtab", 's', arg_string, NULL},
+	{ "help", 'h', arg_flag, NULL}
+    };
+
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int i = 0;
+
+    args[i++].value = &srvtab;
+    args[i++].value = &help_flag;
+
+    if(srvconv)
+	name = "ktutil srvconvert";
+    else 
+	name = "ktutil srvcreate";
+
+    if(getarg(args, num_args, argc, argv, &optind)){
+	arg_printusage(args, num_args, name, "");
+	return 1;
+    }
+    if(help_flag){
+	arg_printusage(args, num_args, name, "");
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0) {
+	arg_printusage(args, num_args, name, "");
+	return 1;
+    }
+
+    snprintf(kt4, sizeof(kt4), "krb4:%s", srvtab);
+
+    if(srvconv) {
+	if(keytab_string != NULL)
+	    return kt_copy_int(kt4, keytab_string);
+	else {
+	    krb5_kt_default_modify_name(context, kt5, sizeof(kt5));
+	    return kt_copy_int(kt4, kt5);
+	}
+    } else {
+	if(keytab_string != NULL)
+	    return kt_copy_int(keytab_string, kt4);
+
+	krb5_kt_default_name(context, kt5, sizeof(kt5));
+	return kt_copy_int(kt5, kt4);
+    }
+}
+
+int
+srvconv(int argc, char **argv)
+{
+    return conv(1, argc, argv);
+}
+
+int
+srvcreate(int argc, char **argv)
+{
+    return conv(0, argc, argv);
+}
diff --git a/crypto/heimdal/admin/get.c b/crypto/heimdal/admin/get.c
new file mode 100644
index 0000000..c9d49dd
--- /dev/null
+++ b/crypto/heimdal/admin/get.c
@@ -0,0 +1,245 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: get.c,v 1.18 2001/05/10 15:42:01 assar Exp $");
+
+int
+kt_get(int argc, char **argv)
+{
+    krb5_error_code ret = 0;
+    krb5_keytab keytab;
+    kadm5_config_params conf;
+    void *kadm_handle = NULL;
+    char *principal = NULL;
+    char *realm = NULL;
+    char *admin_server = NULL;
+    int server_port = 0;
+    int help_flag = 0;
+    int optind = 0;
+    int i, j;
+    struct getarg_strings etype_strs = {0, NULL};
+    krb5_enctype *etypes = NULL;
+    size_t netypes = 0;
+    
+    struct getargs args[] = {
+	{ "principal",	'p',	arg_string,   NULL, 
+	  "admin principal", "principal" 
+	},
+	{ "enctypes",	'e',	arg_strings,	NULL,
+	  "encryption types to use", "enctypes" },
+	{ "realm",	'r',	arg_string,   NULL, 
+	  "realm to use", "realm" 
+	},
+	{ "admin-server",	'a',	arg_string, NULL,
+	  "server to contact", "host" 
+	},
+	{ "server-port",	's',	arg_integer, NULL,
+	  "port to contact", "port number" 
+	},
+	{ "help",		'h',	arg_flag,    NULL }
+    };
+
+    args[0].value = &principal;
+    args[1].value = &etype_strs;
+    args[2].value = &realm;
+    args[3].value = &admin_server;
+    args[4].value = &server_port;
+    args[5].value = &help_flag;
+
+    memset(&conf, 0, sizeof(conf));
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)
+       || help_flag) {
+	arg_printusage(args, sizeof(args) / sizeof(args[0]), 
+		       "ktutil get", "principal...");
+	return 1;
+    }
+    
+    if (keytab_string == NULL) {
+	ret = krb5_kt_default_modify_name (context, keytab_buf,
+					   sizeof(keytab_buf));
+	if (ret) {
+	    krb5_warn(context, ret, "krb5_kt_default_modify_name");
+	    return 1;
+	}
+	keytab_string = keytab_buf;
+    }
+    ret = krb5_kt_resolve(context, keytab_string, &keytab);
+    if (ret) {
+	krb5_warn(context, ret, "resolving keytab %s", keytab_string);
+	return 1;
+    }
+
+    if (etype_strs.num_strings) {
+	int i;
+
+	etypes = malloc (etype_strs.num_strings * sizeof(*etypes));
+	if (etypes == NULL) {
+	    krb5_warnx(context, "malloc failed");
+	    goto out;
+	}
+	netypes = etype_strs.num_strings;
+	for(i = 0; i < netypes; i++) {
+	    ret = krb5_string_to_enctype(context, 
+					 etype_strs.strings[i], 
+					 &etypes[i]);
+	    if(ret) {
+		krb5_warnx(context, "unrecognized enctype: %s",
+			   etype_strs.strings[i]);
+		goto out;
+	    }
+	}
+    }
+
+    if(realm) {
+	krb5_set_default_realm(context, realm); /* XXX should be fixed
+						   some other way */
+	conf.realm = realm;
+	conf.mask |= KADM5_CONFIG_REALM;
+    }
+    
+    if (admin_server) {
+	conf.admin_server = admin_server;
+	conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
+    }
+
+    if (server_port) {
+	conf.kadmind_port = htons(server_port);
+	conf.mask |= KADM5_CONFIG_KADMIND_PORT;
+    }
+
+    ret = kadm5_init_with_password_ctx(context, 
+				       principal,
+				       NULL,
+				       KADM5_ADMIN_SERVICE,
+				       &conf, 0, 0, 
+				       &kadm_handle);
+    if(ret) {
+	krb5_warn(context, ret, "kadm5_init_with_password");
+	goto out;
+    }
+    
+    for(i = optind; i < argc; i++){
+	krb5_principal princ_ent;
+	kadm5_principal_ent_rec princ;
+	int mask = 0;
+	krb5_keyblock *keys;
+	int n_keys;
+	int created = 0;
+	krb5_keytab_entry entry;
+
+	ret = krb5_parse_name(context, argv[i], &princ_ent);
+	memset(&princ, 0, sizeof(princ));
+	princ.principal = princ_ent;
+	mask |= KADM5_PRINCIPAL;
+	princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+	mask |= KADM5_ATTRIBUTES;
+	princ.princ_expire_time = 0;
+	mask |= KADM5_PRINC_EXPIRE_TIME;
+	
+	ret = kadm5_create_principal(kadm_handle, &princ, mask, "x");
+	if(ret == 0)
+	    created++;
+	else if(ret != KADM5_DUP) {
+	    krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[i]);
+	    krb5_free_principal(context, princ_ent);
+	    continue;
+	}
+	ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
+	if (ret) {
+	    krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[i]);
+	    krb5_free_principal(context, princ_ent);
+	    continue;
+	}
+	
+	ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, 
+			      KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
+	if (ret) {
+	    krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[i]);
+	    for (j = 0; j < n_keys; j++)
+		krb5_free_keyblock_contents(context, &keys[j]);
+	    krb5_free_principal(context, princ_ent);
+	    continue;
+	}
+	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
+	mask = KADM5_ATTRIBUTES;
+	if(created) {
+	    princ.kvno = 1;
+	    mask |= KADM5_KVNO;
+	}
+	ret = kadm5_modify_principal(kadm_handle, &princ, mask);
+	if (ret) {
+	    krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[i]);
+	    for (j = 0; j < n_keys; j++)
+		krb5_free_keyblock_contents(context, &keys[j]);
+	    krb5_free_principal(context, princ_ent);
+	    continue;
+	}
+	for(j = 0; j < n_keys; j++) {
+	    int do_add = TRUE;
+
+	    if (netypes) {
+		int i;
+
+		do_add = FALSE;
+		for (i = 0; i < netypes; ++i)
+		    if (keys[j].keytype == etypes[i]) {
+			do_add = TRUE;
+			break;
+		    }
+	    }
+	    if (do_add) {
+		entry.principal = princ_ent;
+		entry.vno = princ.kvno;
+		entry.keyblock = keys[j];
+		entry.timestamp = time (NULL);
+		ret = krb5_kt_add_entry(context, keytab, &entry);
+		if (ret)
+		    krb5_warn(context, ret, "krb5_kt_add_entry");
+	    }
+	    krb5_free_keyblock_contents(context, &keys[j]);
+	}
+	
+	kadm5_free_principal_ent(kadm_handle, &princ);
+	krb5_free_principal(context, princ_ent);
+    }
+ out:
+    free_getarg_strings(&etype_strs);
+    free(etypes);
+    if (kadm_handle)
+	kadm5_destroy(kadm_handle);
+    krb5_kt_close(context, keytab);
+    return ret != 0;
+}
diff --git a/crypto/heimdal/admin/ktutil.8 b/crypto/heimdal/admin/ktutil.8
new file mode 100644
index 0000000..48095c4
--- /dev/null
+++ b/crypto/heimdal/admin/ktutil.8
@@ -0,0 +1,138 @@
+.\" $Id: ktutil.8,v 1.12 2001/06/08 21:35:31 joda Exp $
+.\"
+.Dd December 16, 2000
+.Dt KTUTIL 8
+.Os HEIMDAL
+.Sh NAME
+.Nm ktutil
+.Nd manage Kerberos keytabs
+.Sh SYNOPSIS
+.Nm
+.Oo Fl k Ar keytab \*(Ba Xo
+.Fl -keytab= Ns Ar keytab 
+.Xc
+.Oc
+.Op Fl v | Fl -verbose
+.Op Fl -version
+.Op Fl h | Fl -help
+.Ar command 
+.Op Ar args
+.Sh DESCRIPTION
+.Nm
+is a program for managing keytabs.
+.Ar command
+can be one of the following:
+.Bl -tag -width Ds
+.It add Xo
+.Op Fl p Ar principal
+.Op Fl -principal= Ns Ar principal
+.Op Fl V Ar kvno
+.Op Fl -kvno= Ns Ar kvno
+.Op Fl e Ar encype
+.Op Fl -enctype= Ns Ar enctype
+.Op Fl w Ar password
+.Op Fl -password= Ns Ar password
+.Op Fl r
+.Op Fl -random
+.Op Fl s
+.Op Fl -no-salt
+.Xc
+Adds a key to the keytab. Options that are not specified will be
+prompted for.
+.It change Xo
+.Op Fl r Ar realm
+.Op Fl -realm= Ns Ar realm
+.Op Fl -a Ar host
+.Op Fl -admin-server= Ns Ar host
+.Op Fl -s Ar port
+.Op Fl -server-port= Ns Ar port
+.Xc
+Update one or several keys to new versions.  By default, use the admin
+server for the realm of an keytab entry.  Otherwise it will use the
+values specified by the options.
+.Pp
+If no principals are given, all the ones in the keytab are updated.
+.It copy Xo
+.Ar keytab-src
+.Ar keytab-dest
+.Xc
+Copies all the entries from
+.Ar keytab-src
+to
+.Ar keytab-dest .
+.It get Xo
+.Op Fl p Ar admin principal
+.Op Fl -principal= Ns Ar admin principal
+.Oo Fl e Ar enctype \*(Ba Xo
+.Fl -enctypes= Ns Ar enctype
+.Xc
+.Oc
+.Op Fl r Ar realm
+.Op Fl -realm= Ns Ar realm
+.Op Fl a Ar admin server
+.Op Fl -admin-server= Ns Ar admin server
+.Op Fl s Ar server port
+.Op Fl -server-port= Ns Ar server port
+.Ar principal
+.Xc
+Get a key for
+.Nm principal
+and store it in a keytab.
+.It list Xo
+.Op Fl -keys
+.Op Fl -timestamp
+.Xc
+List the keys stored in the keytab.
+.It remove Xo
+.Op Fl p Ar principal
+.Op Fl -principal= Ns Ar principal
+.Op Fl V kvno
+.Op Fl -kvno= Ns Ar kvno
+.Op Fl e enctype
+.Op Fl -enctype= Ns Ar enctype
+.Xc
+Removes the specified key or keys. Not specifying a
+.Ar kvno
+removes keys with any version number. Not specifying a
+.Ar enctype
+removes keys of any type.
+.It purge Xo
+.Op Fl -age= Ns Ar age
+.Xc
+Removes all old entries (for which there is a newer version) that are
+older than
+.Ar age 
+(default one week).
+.It srvconvert
+.It srv2keytab Xo
+.Op Fl s Ar srvtab
+.Op Fl -srvtab= Ns Ar srvtab
+.Xc
+Converts the version 4 srvtab in
+.Ar srvtab
+to a version 5 keytab and stores it in
+.Ar keytab . 
+Identical to:
+.Bd -ragged -offset indent
+.Li ktutil copy 
+.Li krb4: Ns Ar srvtab
+.Ar keytab 
+.Ed
+.It srvcreate
+.It key2srvtab Xo
+.Op Fl s Ar srvtab
+.Op Fl -srvtab= Ns Ar srvtab
+.Xc
+Converts the version 5 keytab in
+.Ar keytab
+to a version 4 srvtab and stores it in
+.Ar srvtab .
+Identical to:
+.Bd -ragged -offset indent
+.Li ktutil copy 
+.Ar keytab 
+.Li krb4: Ns Ar srvtab
+.Ed
+.El
+.Sh SEE ALSO
+.Xr kadmin 8
diff --git a/crypto/heimdal/admin/ktutil.c b/crypto/heimdal/admin/ktutil.c
new file mode 100644
index 0000000..36f7cd8
--- /dev/null
+++ b/crypto/heimdal/admin/ktutil.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+#include <err.h>
+
+RCSID("$Id: ktutil.c,v 1.33 2001/05/10 16:04:27 assar Exp $");
+
+static int help_flag;
+static int version_flag;
+int verbose_flag;
+char *keytab_string; 
+char keytab_buf[256];
+
+static int help(int argc, char **argv);
+
+static SL_cmd cmds[] = {
+    { "add", 		kt_add,		"add",
+      "adds key to keytab" },
+    { "change",		kt_change,	"change [principal...]",
+      "get new key for principals (all)" },
+    { "copy",		kt_copy,	"copy src dst",
+      "copy one keytab to another" },
+    { "get", 		kt_get,		"get [principal...]",
+      "create key in database and add to keytab" },
+    { "list",		kt_list,	"list",
+      "shows contents of a keytab" },
+    { "purge",		kt_purge,	"purge",
+      "remove old and superceeded entries" },
+    { "remove", 	kt_remove,	"remove",
+      "remove key from keytab" },
+    { "srvconvert",	srvconv,	"srvconvert [flags]",
+      "convert v4 srvtab to keytab" },
+    { "srv2keytab" },
+    { "srvcreate",	srvcreate,	"srvcreate [flags]",
+      "convert keytab to v4 srvtab" },
+    { "key2srvtab" },
+    { "help",		help,		"help",			"" },
+    { NULL, 	NULL,		NULL, 			NULL }
+};
+
+static struct getargs args[] = {
+    { 
+	"version",
+	0,
+	arg_flag,
+	&version_flag,
+	NULL,
+	NULL 
+    },
+    { 
+	"help",	    
+	'h',   
+	arg_flag, 
+	&help_flag, 
+	NULL, 
+	NULL
+    },
+    { 
+	"keytab",	    
+	'k',   
+	arg_string, 
+	&keytab_string, 
+	"keytab", 
+	"keytab to operate on" 
+    },
+    {
+	"verbose",
+	'v',
+	arg_flag,
+	&verbose_flag,
+	"verbose",
+	"run verbosely"
+    }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+krb5_context context;
+
+static int
+help(int argc, char **argv)
+{
+    sl_help(cmds, argc, argv);
+    return 0;
+}
+
+static void
+usage(int status)
+{
+    arg_printusage(args, num_args, NULL, "command");
+    exit(status);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    krb5_error_code ret;
+    setprogname(argv[0]);
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    argc -= optind;
+    argv += optind;
+    if(argc == 0)
+	usage(1);
+    ret = sl_command(cmds, argc, argv);
+    if(ret == -1)
+	krb5_warnx (context, "unrecognized command: %s", argv[0]);
+    return ret;
+}
diff --git a/crypto/heimdal/admin/ktutil.cat8 b/crypto/heimdal/admin/ktutil.cat8
new file mode 100644
index 0000000..f349f61
--- /dev/null
+++ b/crypto/heimdal/admin/ktutil.cat8
@@ -0,0 +1,71 @@
+
+KTUTIL(8)                UNIX System Manager's Manual                KTUTIL(8)
+
+NNAAMMEE
+     kkttuuttiill - manage Kerberos keytabs
+
+SSYYNNOOPPSSIISS
+     kkttuuttiill [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--vv | ----vveerrbboossee] [----vveerrssiioonn] [--hh |
+     ----hheellpp] _c_o_m_m_a_n_d [_a_r_g_s]
+
+DDEESSCCRRIIPPTTIIOONN
+     kkttuuttiill is a program for managing keytabs.  _c_o_m_m_a_n_d can be one of the fol-
+     lowing:
+
+     add [--pp _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--VV _k_v_n_o] [----kkvvnnoo==_k_v_n_o] [--ee
+             _e_n_c_y_p_e] [----eennccttyyppee==_e_n_c_t_y_p_e] [--ww _p_a_s_s_w_o_r_d] [----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d]
+             [--rr] [----rraannddoomm] [--ss] [----nnoo--ssaalltt]
+             Adds a key to the keytab. Options that are not specified will be
+             prompted for.
+
+     change [--rr _r_e_a_l_m] [----rreeaallmm==_r_e_a_l_m] [----aa _h_o_s_t] [----aaddmmiinn--sseerrvveerr==_h_o_s_t] [----ss
+             _p_o_r_t] [----sseerrvveerr--ppoorrtt==_p_o_r_t]
+             Update one or several keys to new versions.  By default, use the
+             admin server for the realm of an keytab entry.  Otherwise it will
+             use the values specified by the options.
+
+             If no principals are given, all the ones in the keytab are updat-
+             ed.
+
+     copy _k_e_y_t_a_b_-_s_r_c _k_e_y_t_a_b_-_d_e_s_t
+             Copies all the entries from _k_e_y_t_a_b_-_s_r_c to _k_e_y_t_a_b_-_d_e_s_t.
+
+     get [--pp _a_d_m_i_n _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_a_d_m_i_n _p_r_i_n_c_i_p_a_l] [--ee _e_n_c_t_y_p_e |
+             ----eennccttyyppeess==_e_n_c_t_y_p_e
+             sseerrvveerr==_a_d_m_i_n _s_e_r_v_e_r] [--ss _s_e_r_v_e_r _p_o_r_t] [----sseerrvveerr--ppoorrtt==_s_e_r_v_e_r _p_o_r_t]
+             _p_r_i_n_c_i_p_a_l ][--rr   _r_e_a_l_m]   [----rreeaallmm==_r_e_a_l_m]   [--aa   _a_d_m_i_n   _s_e_r_v_e_r]
+             [----aaddmmiinn-- Get a key for pprriinncciippaall and store it in a keytab.
+
+     list [----kkeeyyss] [----ttiimmeessttaammpp]
+             List the keys stored in the keytab.
+
+     remove [--pp _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--VV --kkvvnnoo] [----kkvvnnoo==_k_v_n_o]
+             [--ee --eennccttyyppee] [----eennccttyyppee==_e_n_c_t_y_p_e]
+             Removes the specified key or keys. Not specifying a _k_v_n_o removes
+             keys with any version number. Not specifying a _e_n_c_t_y_p_e removes
+             keys of any type.
+
+     purge [----aaggee==_a_g_e]
+             Removes all old entries (for which there is a newer version) that
+             are older than _a_g_e (default one week).
+
+     srvconvert
+
+     srv2keytab [--ss _s_r_v_t_a_b] [----ssrrvvttaabb==_s_r_v_t_a_b]
+             Converts the version 4 srvtab in _s_r_v_t_a_b to a version 5 keytab and
+             stores it in _k_e_y_t_a_b. Identical to:
+
+                   ktutil copy krb4:_s_r_v_t_a_b _k_e_y_t_a_b
+
+     srvcreate
+
+     key2srvtab [--ss _s_r_v_t_a_b] [----ssrrvvttaabb==_s_r_v_t_a_b]
+             Converts the version 5 keytab in _k_e_y_t_a_b to a version 4 srvtab and
+             stores it in _s_r_v_t_a_b. Identical to:
+
+                   ktutil copy _k_e_y_t_a_b krb4:_s_r_v_t_a_b
+
+SSEEEE AALLSSOO
+     kadmin(8)
+
+ HEIMDAL                       December 16, 2000                             2
diff --git a/crypto/heimdal/admin/ktutil_locl.h b/crypto/heimdal/admin/ktutil_locl.h
new file mode 100644
index 0000000..25f7f25
--- /dev/null
+++ b/crypto/heimdal/admin/ktutil_locl.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* 
+ * $Id: ktutil_locl.h,v 1.14 2001/05/10 15:42:45 assar Exp $
+ * $FreeBSD$
+ */
+
+#ifndef __KTUTIL_LOCL_H__
+#define __KTUTIL_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include <parse_time.h>
+#include <roken.h>
+
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+
+#include <krb5.h>
+#include <kadm5/admin.h>
+#include <kadm5/kadm5_err.h>
+
+#include <sl.h>
+#include <getarg.h>
+
+extern krb5_context context;
+
+extern int verbose_flag;
+extern char *keytab_string; 
+extern char keytab_buf[256];
+
+int kt_add (int argc, char **argv);
+int kt_change (int argc, char **argv);
+int kt_copy (int argc, char **argv);
+int kt_get (int argc, char **argv);
+int kt_list(int argc, char **argv);
+int kt_purge(int argc, char **argv);
+int kt_remove(int argc, char **argv);
+int srvconv(int argc, char **argv);
+int srvcreate(int argc, char **argv);
+
+#endif /* __KTUTIL_LOCL_H__ */
diff --git a/crypto/heimdal/admin/list.c b/crypto/heimdal/admin/list.c
new file mode 100644
index 0000000..3640e4f
--- /dev/null
+++ b/crypto/heimdal/admin/list.c
@@ -0,0 +1,197 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: list.c,v 1.8 2001/05/11 00:54:01 assar Exp $");
+
+static int help_flag;
+static int list_keys;
+static int list_timestamp;
+
+static struct getargs args[] = {
+    { "help",      'h', arg_flag, &help_flag },
+    { "keys",	   0,   arg_flag, &list_keys, "show key value" },
+    { "timestamp", 0,   arg_flag, &list_timestamp, "show timestamp" },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+struct key_info {
+    char *version;
+    char *etype;
+    char *principal;
+    char *timestamp;
+    char *key;
+    struct key_info *next;
+};
+
+static int
+do_list(const char *keytab_string)
+{
+    krb5_error_code ret;
+    krb5_keytab keytab;
+    krb5_keytab_entry entry;
+    krb5_kt_cursor cursor;
+    struct key_info *ki, **kie = &ki, *kp;
+
+    int max_version = sizeof("Vno") - 1;
+    int max_etype = sizeof("Type") - 1;
+    int max_principal = sizeof("Principal") - 1;
+    int max_timestamp = sizeof("Date") - 1;
+    int max_key = sizeof("Key") - 1;
+
+    ret = krb5_kt_resolve(context, keytab_string, &keytab);
+    if (ret) {
+	krb5_warn(context, ret, "resolving keytab %s", keytab_string);
+	return 0;
+    }
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret){
+	krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
+	goto out;
+    }
+
+    printf ("%s:\n\n", keytab_string);
+	
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+#define CHECK_MAX(F) if(max_##F < strlen(kp->F)) max_##F = strlen(kp->F)
+
+	kp = malloc(sizeof(*kp));
+	if (kp == NULL) {
+	    krb5_kt_free_entry(context, &entry);
+	    krb5_kt_end_seq_get(context, keytab, &cursor);
+	    krb5_warn(context, ret, "malloc failed");
+	    goto out;
+	}
+
+	asprintf(&kp->version, "%d", entry.vno);
+	CHECK_MAX(version);
+	ret = krb5_enctype_to_string(context, 
+				     entry.keyblock.keytype, &kp->etype);
+	if (ret != 0) 
+	    asprintf(&kp->etype, "unknown (%d)", entry.keyblock.keytype);
+	CHECK_MAX(etype);
+	krb5_unparse_name(context, entry.principal, &kp->principal);
+	CHECK_MAX(principal);
+	if (list_timestamp) {
+	    char tstamp[256];
+
+	    krb5_format_time(context, entry.timestamp, 
+			     tstamp, sizeof(tstamp), FALSE);
+
+	    kp->timestamp = strdup(tstamp);
+	    CHECK_MAX(timestamp);
+	}
+	if(list_keys) {
+	    int i;
+	    kp->key = malloc(2 * entry.keyblock.keyvalue.length + 1);
+	    for(i = 0; i < entry.keyblock.keyvalue.length; i++)
+		snprintf(kp->key + 2 * i, 3, "%02x", 
+			 ((unsigned char*)entry.keyblock.keyvalue.data)[i]);
+	    CHECK_MAX(key);
+	}
+	kp->next = NULL;
+	*kie = kp;
+	kie = &kp->next;
+	krb5_kt_free_entry(context, &entry);
+    }
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+
+    printf("%-*s  %-*s  %-*s", max_version, "Vno", 
+	   max_etype, "Type", 
+	   max_principal, "Principal");
+    if(list_timestamp)
+	printf("  %-*s", max_timestamp, "Date");
+    if(list_keys)
+	printf("  %s", "Key");
+    printf("\n");
+
+    for(kp = ki; kp; ) {
+	printf("%*s  %-*s  %-*s", max_version, kp->version, 
+	       max_etype, kp->etype, 
+	       max_principal, kp->principal);
+	if(list_timestamp)
+	    printf("  %-*s", max_timestamp, kp->timestamp);
+	if(list_keys)
+	    printf("  %s", kp->key);
+	printf("\n");
+
+	/* free entries */
+	free(kp->version);
+	free(kp->etype);
+	free(kp->principal);
+	if(list_timestamp)
+	    free(kp->timestamp);
+	if(list_keys) {
+	    memset(kp->key, 0, strlen(kp->key));
+	    free(kp->key);
+	}
+	ki = kp;
+	kp = kp->next;
+	free(ki);
+    }
+out:
+    krb5_kt_close(context, keytab);
+    return 0;
+}
+
+int
+kt_list(int argc, char **argv)
+{
+    int optind = 0;
+
+    if(verbose_flag)
+	list_timestamp = 1;
+
+    if(getarg(args, num_args, argc, argv, &optind)){
+	arg_printusage(args, num_args, "ktutil list", "");
+	return 1;
+    }
+    if(help_flag){
+	arg_printusage(args, num_args, "ktutil list", "");
+	return 0;
+    }
+
+    if (keytab_string == NULL) {
+	do_list("FILE:/etc/krb5.keytab");
+#ifdef KRB4
+	printf ("\n");
+	do_list("krb4:/etc/srvtab");
+#endif
+    } else {
+	do_list(keytab_string);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/admin/purge.c b/crypto/heimdal/admin/purge.c
new file mode 100644
index 0000000..c99f3bf
--- /dev/null
+++ b/crypto/heimdal/admin/purge.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: purge.c,v 1.5 2001/05/11 00:54:01 assar Exp $");
+
+/*
+ * keep track of the highest version for every principal.
+ */
+
+struct e {
+    krb5_principal principal;
+    int max_vno;
+    struct e *next;
+};
+
+static struct e *
+get_entry (krb5_principal princ, struct e *head)
+{
+    struct e *e;
+
+    for (e = head; e != NULL; e = e->next)
+	if (krb5_principal_compare (context, princ, e->principal))
+	    return e;
+    return NULL;
+}
+
+static void
+add_entry (krb5_principal princ, int vno, struct e **head)
+{
+    krb5_error_code ret;
+    struct e *e;
+
+    e = get_entry (princ, *head);
+    if (e != NULL) {
+	e->max_vno = max (e->max_vno, vno);
+	return;
+    }
+    e = malloc (sizeof (*e));
+    if (e == NULL)
+	krb5_errx (context, 1, "malloc: out of memory");
+    ret = krb5_copy_principal (context, princ, &e->principal);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_copy_principal");
+    e->max_vno = vno;
+    e->next    = *head;
+    *head      = e;
+}
+
+static void
+delete_list (struct e *head)
+{
+    while (head != NULL) {
+	struct e *next = head->next;
+	krb5_free_principal (context, head->principal);
+	free (head);
+	head = next;
+    }
+}
+
+/*
+ * Remove all entries that have newer versions and that are older
+ * than `age'
+ */
+
+int
+kt_purge(int argc, char **argv)
+{
+    krb5_error_code ret = 0;
+    krb5_kt_cursor cursor;
+    krb5_keytab keytab;
+    krb5_keytab_entry entry;
+    int help_flag = 0;
+    char *age_str = "1 week";
+    int age;
+    struct getargs args[] = {
+	{ "age",   0,  arg_string, NULL, "age to retire" },
+	{ "help", 'h', arg_flag, NULL }
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+    int i = 0;
+    struct e *head = NULL;
+    time_t judgement_day;
+
+    args[i++].value = &age_str;
+    args[i++].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, "ktutil purge", "");
+	return 1;
+    }
+    if(help_flag) {
+	arg_printusage(args, num_args, "ktutil purge", "");
+	return 1;
+    }
+
+    age = parse_time(age_str, "s");
+    if(age < 0) {
+	krb5_warnx(context, "unparasable time `%s'", age_str);
+	return 1;
+    }
+
+    if (keytab_string == NULL) {
+	ret = krb5_kt_default_modify_name (context, keytab_buf,
+					   sizeof(keytab_buf));
+	if (ret) {
+	    krb5_warn(context, ret, "krb5_kt_default_modify_name");
+	    return 1;
+	}
+	keytab_string = keytab_buf;
+    }
+    ret = krb5_kt_resolve(context, keytab_string, &keytab);
+    if (ret) {
+	krb5_warn(context, ret, "resolving keytab %s", keytab_string);
+	return 1;
+    }
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret){
+	krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string);
+	goto out;
+    }
+
+    if (verbose_flag)
+	fprintf (stderr, "Using keytab %s\n", keytab_string);
+	
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
+	add_entry (entry.principal, entry.vno, &head);
+	krb5_kt_free_entry(context, &entry);
+    }
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+
+    judgement_day = time (NULL);
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret){
+	krb5_warn(context, ret, "krb5_kt_start_seq_get, %s", keytab_string);
+	goto out;
+    }
+
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
+	struct e *e = get_entry (entry.principal, head);
+
+	if (e == NULL) {
+	    krb5_warnx (context, "ignoring extra entry");
+	    continue;
+	}
+
+	if (entry.vno < e->max_vno
+	    && judgement_day - entry.timestamp > age) {
+	    if (verbose_flag) {
+		char *name_str;
+
+		krb5_unparse_name (context, entry.principal, &name_str);
+		printf ("removing %s vno %d\n", name_str, entry.vno);
+		free (name_str);
+	    }
+	    ret = krb5_kt_remove_entry (context, keytab, &entry);
+	    if (ret)
+		krb5_warn (context, ret, "remove");
+	}
+	krb5_kt_free_entry(context, &entry);
+    }
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+
+    delete_list (head);
+
+ out:
+    krb5_kt_close (context, keytab);
+    return ret != 0;
+}
diff --git a/crypto/heimdal/admin/remove.c b/crypto/heimdal/admin/remove.c
new file mode 100644
index 0000000..c6f64db
--- /dev/null
+++ b/crypto/heimdal/admin/remove.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: remove.c,v 1.2 2001/05/10 15:44:58 assar Exp $");
+
+int
+kt_remove(int argc, char **argv)
+{
+    krb5_error_code ret = 0;
+    krb5_keytab_entry entry;
+    krb5_keytab keytab;
+    char *principal_string = NULL;
+    krb5_principal principal = NULL;
+    int kvno = 0;
+    char *keytype_string = NULL;
+    krb5_enctype enctype = 0;
+    int help_flag = 0;
+    struct getargs args[] = {
+	{ "principal", 'p', arg_string, NULL, "principal to remove" },
+	{ "kvno", 'V', arg_integer, NULL, "key version to remove" },
+	{ "enctype", 'e', arg_string, NULL, "enctype to remove" },
+	{ "help", 'h', arg_flag, NULL }
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+    int i = 0;
+    args[i++].value = &principal_string;
+    args[i++].value = &kvno;
+    args[i++].value = &keytype_string;
+    args[i++].value = &help_flag;
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, "ktutil remove", "");
+	return 1;
+    }
+    if(help_flag) {
+	arg_printusage(args, num_args, "ktutil remove", "");
+	return 0;
+    }
+    if(principal_string) {
+	ret = krb5_parse_name(context, principal_string, &principal);
+	if(ret) {
+	    krb5_warn(context, ret, "%s", principal_string);
+	    return 1;
+	}
+    }
+    if(keytype_string) {
+	ret = krb5_string_to_enctype(context, keytype_string, &enctype);
+	if(ret) {
+	    int t;
+	    if(sscanf(keytype_string, "%d", &t) == 1)
+		enctype = t;
+	    else {
+		krb5_warn(context, ret, "%s", keytype_string);
+		if(principal)
+		    krb5_free_principal(context, principal);
+		return 1;
+	    }
+	}
+    }
+    if (!principal && !enctype && !kvno) {
+	krb5_warnx(context, 
+		   "You must give at least one of "
+		   "principal, enctype or kvno.");
+	return 1;
+    }
+
+    if (keytab_string == NULL) {
+	ret = krb5_kt_default_modify_name (context, keytab_buf,
+					   sizeof(keytab_buf));
+	if (ret) {
+	    krb5_warn(context, ret, "krb5_kt_default_modify_name");
+	    return 1;
+	}
+	keytab_string = keytab_buf;
+    }
+    ret = krb5_kt_resolve(context, keytab_string, &keytab);
+    if (ret) {
+	krb5_warn(context, ret, "resolving keytab %s", keytab_string);
+	return 1;
+    }
+
+    if (verbose_flag)
+	fprintf (stderr, "Using keytab %s\n", keytab_string);
+	
+    entry.principal = principal;
+    entry.keyblock.keytype = enctype;
+    entry.vno = kvno;
+    ret = krb5_kt_remove_entry(context, keytab, &entry);
+    krb5_kt_close(context, keytab);
+    if(ret)
+	krb5_warn(context, ret, "remove");
+    if(principal)
+	krb5_free_principal(context, principal);
+    return 0;
+}
+
diff --git a/crypto/heimdal/admin/srvconvert.c b/crypto/heimdal/admin/srvconvert.c
new file mode 100644
index 0000000..e4a2b11
--- /dev/null
+++ b/crypto/heimdal/admin/srvconvert.c
@@ -0,0 +1,181 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: srvconvert.c,v 1.11 2000/01/02 03:56:21 assar Exp $");
+
+/* convert a version 4 srvtab to a version 5 keytab */
+
+#ifndef KEYFILE
+#define KEYFILE "/etc/srvtab"
+#endif
+
+static char *srvtab = KEYFILE;
+static int help_flag;
+static int verbose;
+
+static struct getargs args[] = {
+    { "srvtab", 's', arg_string, &srvtab, "srvtab to convert", "file" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "verbose", 'v', arg_flag, &verbose },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+srvconv(int argc, char **argv)
+{
+    krb5_error_code ret;
+    int optind = 0;
+    int fd;
+    krb5_storage *sp;
+
+    if(getarg(args, num_args, argc, argv, &optind)){
+	arg_printusage(args, num_args, "ktutil srvconvert", "");
+	return 1;
+    }
+    if(help_flag){
+	arg_printusage(args, num_args, "ktutil srvconvert", "");
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0) {
+	arg_printusage(args, num_args, "ktutil srvconvert", "");
+	return 1;
+    }
+
+    fd = open(srvtab, O_RDONLY);
+    if(fd < 0){
+	krb5_warn(context, errno, "%s", srvtab);
+	return 1;
+    }
+    sp = krb5_storage_from_fd(fd);
+    if(sp == NULL){
+	close(fd);
+	return 1;
+    }
+    while(1){
+	char *service, *instance, *realm;
+	int8_t kvno;
+	des_cblock key;
+	krb5_keytab_entry entry;
+	
+	ret = krb5_ret_stringz(sp, &service);
+	if(ret == KRB5_CC_END) {
+	    ret = 0;
+	    break;
+	}
+	if(ret) {
+	    krb5_warn(context, ret, "reading service");
+	    break;
+	}
+	ret = krb5_ret_stringz(sp, &instance);
+	if(ret) {
+	    krb5_warn(context, ret, "reading instance");
+	    free(service);
+	    break;
+	}
+	ret = krb5_ret_stringz(sp, &realm);
+	if(ret) {
+	    krb5_warn(context, ret, "reading realm");
+	    free(service);
+	    free(instance);
+	    break;
+	}
+	ret = krb5_425_conv_principal(context, service, instance, realm,
+				      &entry.principal);
+	free(service);
+	free(instance);
+	free(realm);
+	if (ret) {
+	    krb5_warn(context, ret, "krb5_425_conv_principal (%s.%s@%s)",
+		      service, instance, realm);
+	    break;
+	}
+	
+	ret = krb5_ret_int8(sp, &kvno);
+	if(ret) {
+	    krb5_warn(context, ret, "reading kvno");
+	    krb5_free_principal(context, entry.principal);
+	    break;
+	}
+	ret = sp->fetch(sp, key, 8);
+	if(ret < 0){
+	    krb5_warn(context, errno, "reading key");
+	    krb5_free_principal(context, entry.principal);
+	    break;
+	}
+	if(ret < 8) {
+	    krb5_warn(context, errno, "end of file while reading key");
+	    krb5_free_principal(context, entry.principal);
+	    break;
+	}
+	
+	entry.vno = kvno;
+	entry.timestamp = time (NULL);
+	entry.keyblock.keyvalue.data = key;
+	entry.keyblock.keyvalue.length = 8;
+	
+	if(verbose){
+	    char *p;
+	    ret = krb5_unparse_name(context, entry.principal, &p);
+	    if(ret){
+		krb5_warn(context, ret, "krb5_unparse_name");
+		krb5_free_principal(context, entry.principal);
+		break;
+	    } else{
+		fprintf(stderr, "Storing keytab for %s\n", p);
+		free(p);
+	    }
+				    
+	}
+	entry.keyblock.keytype = ETYPE_DES_CBC_MD5;
+	ret = krb5_kt_add_entry(context, keytab, &entry);
+	entry.keyblock.keytype = ETYPE_DES_CBC_MD4;
+	ret = krb5_kt_add_entry(context, keytab, &entry);
+	entry.keyblock.keytype = ETYPE_DES_CBC_CRC;
+	ret = krb5_kt_add_entry(context, keytab, &entry);
+	krb5_free_principal(context, entry.principal);
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_kt_add_entry");
+	    break;
+	}
+    }
+    krb5_storage_free(sp);
+    close(fd);
+    return ret;
+}
diff --git a/crypto/heimdal/admin/srvcreate.c b/crypto/heimdal/admin/srvcreate.c
new file mode 100644
index 0000000..bc86bc8
--- /dev/null
+++ b/crypto/heimdal/admin/srvcreate.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: srvcreate.c,v 1.3 1999/12/02 17:04:53 joda Exp $");
+
+/* convert a version 5 keytab to a version 4 srvtab */
+
+#ifndef KEYFILE
+#define KEYFILE "/etc/srvtab"
+#endif
+
+static char *srvtab = KEYFILE;
+static int help_flag;
+static int verbose;
+
+static struct getargs args[] = {
+    { "srvtab", 's', arg_string, &srvtab, "srvtab to create", "file" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "verbose", 'v', arg_flag, &verbose },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+srvcreate(int argc, char **argv)
+{
+    krb5_error_code ret;
+    int optind = 0;
+    int fd;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    char service[100], instance[100], realm[100];
+    int8_t kvno;
+
+    if(getarg(args, num_args, argc, argv, &optind)){
+	arg_printusage(args, num_args, "ktutil srvcreate", "");
+	return 1;
+    }
+    if(help_flag){
+	arg_printusage(args, num_args, "ktutil srvcreate", "");
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0) {
+	arg_printusage(args, num_args, "ktutil srvcreate", "");
+	return 1;
+    }
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret){
+        krb5_warn(context, ret, "krb5_kt_start_seq_get");
+        return 1;
+    }
+
+    fd = open(srvtab, O_WRONLY |O_APPEND |O_CREAT, 0600);
+    if(fd < 0){
+	krb5_warn(context, errno, "%s", srvtab);
+	return 1;
+    }
+
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+      ret = krb5_524_conv_principal(context, entry.principal,
+				    service, instance, realm);
+      if(ret) {
+        krb5_warn(context, ret, "krb5_524_conv_principal");
+        close(fd);
+        return 1;
+      }
+      if ( (entry.keyblock.keyvalue.length == 8) && 
+           (entry.keyblock.keytype == ETYPE_DES_CBC_MD5) ) {
+	  if (verbose) {
+	      printf ("%s.%s@%s vno %d\n", service, instance, realm,
+		      entry.vno);
+	  }
+
+	  write(fd, service, strlen(service)+1);
+          write(fd, instance, strlen(instance)+1);
+          write(fd, realm, strlen(realm)+1);
+          kvno = entry.vno;
+          write(fd, &kvno, sizeof(kvno));
+          write(fd, entry.keyblock. keyvalue.data, 8);
+      }
+      krb5_kt_free_entry(context, &entry);
+    }
+
+    close(fd);
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+    return ret;
+}
diff --git a/crypto/heimdal/appl/Makefile.am b/crypto/heimdal/appl/Makefile.am
new file mode 100644
index 0000000..e867521
--- /dev/null
+++ b/crypto/heimdal/appl/Makefile.am
@@ -0,0 +1,26 @@
+# $Id: Makefile.am,v 1.24 2001/01/27 18:34:39 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+if OTP
+dir_otp = otp
+endif
+if DCE
+dir_dce = dceutils
+endif
+SUBDIRS = 					\
+	  afsutil				\
+	  ftp					\
+	  login					\
+	  $(dir_otp)				\
+	  popper				\
+	  push					\
+	  rsh					\
+	  rcp					\
+	  su					\
+	  xnlock				\
+	  telnet				\
+	  test					\
+	  kx					\
+	  kf					\
+	  $(dir_dce)
diff --git a/crypto/heimdal/appl/Makefile.in b/crypto/heimdal/appl/Makefile.in
new file mode 100644
index 0000000..ae89497
--- /dev/null
+++ b/crypto/heimdal/appl/Makefile.in
@@ -0,0 +1,572 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.24 2001/01/27 18:34:39 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+@OTP_TRUE@dir_otp = @OTP_TRUE@otp
+@DCE_TRUE@dir_dce = @DCE_TRUE@dceutils
+SUBDIRS = \
+	  afsutil				\
+	  ftp					\
+	  login					\
+	  $(dir_otp)				\
+	  popper				\
+	  push					\
+	  rsh					\
+	  rcp					\
+	  su					\
+	  xnlock				\
+	  telnet				\
+	  test					\
+	  kx					\
+	  kf					\
+	  $(dir_dce)
+
+subdir = appl
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+DIST_SUBDIRS =  afsutil ftp login otp popper push rsh rcp su xnlock \
+telnet test kx kf dceutils
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	for subdir in $(DIST_SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/afsutil/ChangeLog b/crypto/heimdal/appl/afsutil/ChangeLog
new file mode 100644
index 0000000..8dfd532
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/ChangeLog
@@ -0,0 +1,35 @@
+2001-05-17  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c (main): call free_getarg_strings
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c (main): handle krb5_init_context failure consistently
+
+2000-12-25  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c: clarify usage strings
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* pagsh.c (main): use mkstemp to generate temporary file names.
+  	From Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-07-04  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c (expand_cell_name): terminate on #.  From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+1999-06-27  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (bin_PROGRAMS): only include pagsh if KRB4
+
+1999-06-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add pagsh
+
+	* pagsh.c: new file.  contributed by Miroslav Ruda <ruda@ics.muni.cz>
+
+Sat Mar 27 12:49:43 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* afslog.c: cleanup option parsing
diff --git a/crypto/heimdal/appl/afsutil/Makefile.am b/crypto/heimdal/appl/afsutil/Makefile.am
new file mode 100644
index 0000000..8b0ca8c
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/Makefile.am
@@ -0,0 +1,21 @@
+# $Id: Makefile.am,v 1.12 2000/11/15 22:51:07 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+if KRB4
+AFSPROGS = afslog pagsh
+endif
+bin_PROGRAMS = $(AFSPROGS)
+
+afslog_SOURCES = afslog.c
+
+pagsh_SOURCES  = pagsh.c
+
+LDADD = $(LIB_kafs) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_des) \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/afsutil/Makefile.in b/crypto/heimdal/appl/afsutil/Makefile.in
new file mode 100644
index 0000000..44d5b58
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/Makefile.in
@@ -0,0 +1,594 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.12 2000/11/15 22:51:07 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+@KRB4_TRUE@AFSPROGS = @KRB4_TRUE@afslog pagsh
+bin_PROGRAMS = $(AFSPROGS)
+
+afslog_SOURCES = afslog.c
+
+pagsh_SOURCES = pagsh.c
+
+LDADD = $(LIB_kafs) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_des) \
+	$(LIB_roken)
+
+subdir = appl/afsutil
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+@KRB4_FALSE@bin_PROGRAMS = 
+@KRB4_TRUE@bin_PROGRAMS =  afslog$(EXEEXT) pagsh$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_afslog_OBJECTS =  afslog.$(OBJEXT)
+afslog_OBJECTS =  $(am_afslog_OBJECTS)
+afslog_LDADD = $(LDADD)
+@KRB4_FALSE@afslog_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@afslog_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+afslog_LDFLAGS = 
+am_pagsh_OBJECTS =  pagsh.$(OBJEXT)
+pagsh_OBJECTS =  $(am_pagsh_OBJECTS)
+pagsh_LDADD = $(LDADD)
+@KRB4_FALSE@pagsh_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@pagsh_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+pagsh_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(afslog_SOURCES) $(pagsh_SOURCES)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(afslog_SOURCES) $(pagsh_SOURCES)
+OBJECTS = $(am_afslog_OBJECTS) $(am_pagsh_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/afsutil/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+afslog$(EXEEXT): $(afslog_OBJECTS) $(afslog_DEPENDENCIES)
+	@rm -f afslog$(EXEEXT)
+	$(LINK) $(afslog_LDFLAGS) $(afslog_OBJECTS) $(afslog_LDADD) $(LIBS)
+
+pagsh$(EXEEXT): $(pagsh_OBJECTS) $(pagsh_DEPENDENCIES)
+	@rm -f pagsh$(EXEEXT)
+	$(LINK) $(pagsh_LDFLAGS) $(pagsh_OBJECTS) $(pagsh_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/afsutil/afslog.c b/crypto/heimdal/appl/afsutil/afslog.c
new file mode 100644
index 0000000..5451b22
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/afslog.c
@@ -0,0 +1,231 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: afslog.c,v 1.16 2001/05/16 22:10:15 assar Exp $");
+#endif
+#include <ctype.h>
+#include <krb5.h>
+#include <kafs.h>
+#include <roken.h>
+#include <getarg.h>
+#include <err.h>
+
+static int help_flag;
+static int version_flag;
+#if 0
+static int create_user;
+#endif
+static getarg_strings cells;
+static char *realm;
+static getarg_strings files;
+static int unlog_flag;
+static int verbose;
+
+struct getargs args[] = {
+    { "cell",	'c', arg_strings, &cells, "cells to get tokens for", "cells" },
+    { "file",	'p', arg_strings, &files, "files to get tokens for", "paths" },
+    { "realm",	'k', arg_string, &realm, "realm for afs cell", "realm" },
+    { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens" },
+#if 0
+    { "create-user", 0, arg_flag, &create_user, "create user if not found" },
+#endif
+    { "verbose",'v', arg_flag, &verbose },
+    { "version", 0,  arg_flag, &version_flag },
+    { "help",	'h', arg_flag, &help_flag },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static const char *
+expand_cell_name(const char *cell)
+{
+    FILE *f;
+    static char buf[128];
+    char *p;
+
+    f = fopen(_PATH_CELLSERVDB, "r");
+    if(f == NULL)
+	return cell;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if(buf[0] == '>'){
+	    for(p=buf; *p && !isspace((unsigned char)*p) && *p != '#'; p++)
+		;
+	    *p = '\0';
+	    if(strstr(buf, cell)){
+		fclose(f);
+		return buf + 1;
+	    }
+	}
+	buf[0] = 0;
+    }
+    fclose(f);
+    return cell;
+}
+
+#if 0
+static int
+createuser (char *cell)
+{
+    char cellbuf[64];
+    char name[ANAME_SZ];
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+    char cmd[1024];
+
+    if (cell == NULL) {
+	FILE *f;
+	int len;
+
+	f = fopen (_PATH_THISCELL, "r");
+	if (f == NULL)
+	    err (1, "open(%s)", _PATH_THISCELL);
+	if (fgets (cellbuf, sizeof(cellbuf), f) == NULL)
+	    err (1, "read cellname from %s", _PATH_THISCELL);
+	len = strlen(cellbuf);
+	if (cellbuf[len-1] == '\n')
+	    cellbuf[len-1] = '\0';
+	cell = cellbuf;
+    }
+
+    if(krb_get_default_principal(name, instance, realm))
+	errx (1, "Could not even figure out who you are");
+
+    snprintf (cmd, sizeof(cmd),
+	      "pts createuser %s%s%s@%s -cell %s",
+	      name, *instance ? "." : "", instance, strlwr(realm),
+	      cell);
+    DEBUG("Executing %s", cmd);
+    return system(cmd);
+}
+#endif
+
+static void
+usage(int ecode)
+{
+    arg_printusage(args, num_args, NULL, "[cell]... [path]...");
+    exit(ecode);
+}
+
+static int
+afslog_cell(krb5_context context, krb5_ccache id,
+	    const char *cell, int expand)
+{
+    const char *c = cell;
+    if(expand){
+	c = expand_cell_name(cell);
+	if(c == NULL){
+	    krb5_warnx(context, "No cell matching \"%s\" found.", cell);
+	    return -1;
+	}
+	if(verbose)
+	    krb5_warnx(context, "Cell \"%s\" expanded to \"%s\"", cell, c);
+    }
+    return krb5_afslog(context, id, c, realm);
+}
+
+static int
+afslog_file(krb5_context context, krb5_ccache id,
+	    const char *path)
+{
+    char cell[64];
+    if(k_afs_cell_of_file(path, cell, sizeof(cell))){
+	krb5_warnx(context, "No cell found for file \"%s\".", path);
+	return -1;
+    }
+    if(verbose)
+	krb5_warnx(context, "File \"%s\" lives in cell \"%s\"", path, cell);
+    return afslog_cell(context, id, cell, 0);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    krb5_context context;
+    krb5_ccache id;
+    int i;
+    int num;
+    int ret = 0;
+    
+    setprogname(argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+    if(!k_hasafs())
+	krb5_errx(context, 1, 
+		  "AFS doesn't seem to be present on this machine");
+
+    if(unlog_flag){
+	k_unlog();
+	exit(0);
+    }
+    krb5_cc_default(context, &id);
+    num = 0;
+    for(i = 0; i < files.num_strings; i++){
+	afslog_file(context, id, files.strings[i]);
+	num++;
+	free_getarg_strings (&files);
+    }
+    for(i = 0; i < cells.num_strings; i++){
+	afslog_cell(context, id, cells.strings[i], 1);
+	num++;
+	free_getarg_strings (&cells);
+    }
+    for(i = optind; i < argc; i++){
+	num++;
+	if(strcmp(argv[i], ".") == 0 ||
+	   strcmp(argv[i], "..") == 0 ||
+	   strchr(argv[i], '/') ||
+	   access(argv[i], F_OK) == 0)
+	    afslog_file(context, id, argv[i]);
+	else
+	    afslog_cell(context, id, argv[i], 1);
+    }    
+    if(num == 0) {
+	krb5_afslog(context, id, NULL, NULL);
+    }
+
+    return ret;
+}
diff --git a/crypto/heimdal/appl/afsutil/pagsh.c b/crypto/heimdal/appl/afsutil/pagsh.c
new file mode 100644
index 0000000..006b357
--- /dev/null
+++ b/crypto/heimdal/appl/afsutil/pagsh.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: pagsh.c,v 1.4 2000/10/02 05:05:53 assar Exp $");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <time.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#endif
+#include <kafs.h>
+
+#include <err.h>
+#include <roken.h>
+
+/*
+ * Run command with a new ticket file / credentials cache / token
+ */
+
+int
+main(int argc, char **argv)
+{
+  int f;
+  char tf[1024];
+  char *p;
+
+  char *path;
+  char **args;
+  int i;
+
+#ifdef KRB5
+  snprintf (tf, sizeof(tf), "%sXXXXXX", KRB5_DEFAULT_CCROOT);
+  f = mkstemp (tf + 5);
+  close (f);
+  unlink (tf + 5);
+  esetenv("KRB5CCNAME", tf, 1);
+#endif
+
+#ifdef KRB4
+  snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
+  f = mkstemp (tf);
+  close (f);
+  unlink (tf);
+  esetenv("KRBTKFILE", tf, 1);
+#endif
+
+  i = 0;
+
+  args = (char **) malloc((argc + 10)*sizeof(char *));
+  if (args == NULL)
+      errx (1, "Out of memory allocating %lu bytes",
+	    (unsigned long)((argc + 10)*sizeof(char *)));
+  
+  argv++;
+
+  if(*argv == NULL) {
+    path = getenv("SHELL");
+    if(path == NULL){
+      struct passwd *pw = k_getpwuid(geteuid());
+      path = strdup(pw->pw_shell);
+    }
+  } else {
+    if(strcmp(*argv, "-c") ==  0) argv++;
+    path = strdup(*argv++);
+  }
+  if (path == NULL)
+      errx (1, "Out of memory copying path");
+  
+  p=strrchr(path, '/');
+  if(p)
+    args[i] = strdup(p+1);
+  else
+    args[i] = strdup(path);
+
+  if (args[i++] == NULL)
+      errx (1, "Out of memory copying arguments");
+  
+  while(*argv)
+    args[i++] = *argv++;
+
+  args[i++] = NULL;
+
+  if(k_hasafs())
+    k_setpag();
+
+  unsetenv("PAGPID");
+  execvp(path, args);
+  if (errno == ENOENT) {
+      char **sh_args = malloc ((i + 2) * sizeof(char *));
+      int j;
+
+      if (sh_args == NULL)
+	  errx (1, "Out of memory copying sh arguments");
+      for (j = 1; j < i; ++j)
+	  sh_args[j + 2] = args[j];
+      sh_args[0] = "sh";
+      sh_args[1] = "-c";
+      sh_args[2] = path;
+      execv ("/bin/sh", sh_args);
+  }
+  err (1, "execvp");
+}
diff --git a/crypto/heimdal/appl/dceutils/ChangeLog b/crypto/heimdal/appl/dceutils/ChangeLog
new file mode 100644
index 0000000..8d991ca
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/ChangeLog
@@ -0,0 +1,18 @@
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (dpagaix): needs to be linked with ld, add an
+	explicit command for it.  from Ake Sandgren <ake@cs.umu.se>
+
+2000-10-02  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: link with roken on everything except irix, where
+	apperently it fails.  reported by Ake Sandgren <ake@cs.umu.se>
+
+2000-07-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: set compiler flags
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	* imported stuff from Ake Sandgren <ake@cs.umu.se>
+
diff --git a/crypto/heimdal/appl/dceutils/Makefile.am b/crypto/heimdal/appl/dceutils/Makefile.am
new file mode 100644
index 0000000..bc7ebef
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/Makefile.am
@@ -0,0 +1,30 @@
+# $Id: Makefile.am,v 1.6 2001/02/07 22:45:37 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+
+DFSPROGS = k5dcecon
+if AIX
+AIX_DFSPROGS = dpagaix
+endif
+
+libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS)
+
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDFLAGS = @dpagaix_LDFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+
+dpagaix: $(dpagaix_OBJECTS)
+	ld -edpagaix -o dpagaix $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp
+
+LIB_dce = -ldce
+
+k5dcecon_SOURCES  = k5dcecon.c k5dce.h
+
+dpagaix_SOURCES = dpagaix.c
+
+if IRIX
+LDADD = $(LIB_dce)
+else
+LDADD = $(LIB_roken) $(LIB_dce)
+endif
diff --git a/crypto/heimdal/appl/dceutils/Makefile.in b/crypto/heimdal/appl/dceutils/Makefile.in
new file mode 100644
index 0000000..4138b1c
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/Makefile.in
@@ -0,0 +1,594 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.6 2001/02/07 22:45:37 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+DFSPROGS = k5dcecon
+@AIX_TRUE@AIX_DFSPROGS = @AIX_TRUE@dpagaix
+
+libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS)
+
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDFLAGS = @dpagaix_LDFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+
+LIB_dce = -ldce
+
+k5dcecon_SOURCES = k5dcecon.c k5dce.h
+
+dpagaix_SOURCES = dpagaix.c
+@IRIX_TRUE@LDADD = @IRIX_TRUE@$(LIB_dce)
+@IRIX_FALSE@LDADD = @IRIX_FALSE@$(LIB_roken) $(LIB_dce)
+subdir = appl/dceutils
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+@AIX_FALSE@libexec_PROGRAMS =  k5dcecon$(EXEEXT)
+@AIX_TRUE@libexec_PROGRAMS =  k5dcecon$(EXEEXT) dpagaix$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_dpagaix_OBJECTS =  dpagaix-dpagaix.$(OBJEXT)
+dpagaix_OBJECTS =  $(am_dpagaix_OBJECTS)
+dpagaix_DEPENDENCIES = 
+am_k5dcecon_OBJECTS =  k5dcecon.$(OBJEXT)
+k5dcecon_OBJECTS =  $(am_k5dcecon_OBJECTS)
+k5dcecon_LDADD = $(LDADD)
+@IRIX_FALSE@k5dcecon_DEPENDENCIES = 
+@IRIX_TRUE@k5dcecon_DEPENDENCIES = 
+k5dcecon_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(dpagaix_SOURCES) $(k5dcecon_SOURCES)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in compile
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(dpagaix_SOURCES) $(k5dcecon_SOURCES)
+OBJECTS = $(am_dpagaix_OBJECTS) $(am_k5dcecon_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/dceutils/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+dpagaix-dpagaix.$(OBJEXT): dpagaix.c
+	$(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.$(OBJEXT) `test -f dpagaix.c || echo '$(srcdir)/'`dpagaix.c
+
+dpagaix$(EXEEXT): $(dpagaix_OBJECTS) $(dpagaix_DEPENDENCIES)
+	@rm -f dpagaix$(EXEEXT)
+	$(LINK) $(dpagaix_LDFLAGS) $(dpagaix_OBJECTS) $(dpagaix_LDADD) $(LIBS)
+
+k5dcecon$(EXEEXT): $(k5dcecon_OBJECTS) $(k5dcecon_DEPENDENCIES)
+	@rm -f k5dcecon$(EXEEXT)
+	$(LINK) $(k5dcecon_LDFLAGS) $(k5dcecon_OBJECTS) $(k5dcecon_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+dpagaix: $(dpagaix_OBJECTS)
+	ld -edpagaix -o dpagaix $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/dceutils/README.dcedfs b/crypto/heimdal/appl/dceutils/README.dcedfs
new file mode 100644
index 0000000..80a06fe
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/README.dcedfs
@@ -0,0 +1,59 @@
+This is a set of patches and files to get a DFS ticket from a k5 ticket.
+This code comes from Doug Engert, Argonne Nat. Lab (See dce/README.original
+for more info)
+
+The files in dce are;
+testpag: for testing if this is at all possible.
+k5dfspag: included in libkrb5
+k5dcecon: Creates (or searches for) the actual DFSPAG ticketfile.
+dpagaix: An AIX syscall stub.
+README.original: Original README file from Doug Engert
+
+
+Certain applications (rshd/telnetd) have been patched to call the
+functions in k5dfspag when the situation is right. They are ifdef
+with DCE. The patches are also originally from Doug but they
+where against MIT krb5 code and have been merged into heimdal by me.
+I will try to fix ftpd soon...
+
+There is also an ifdefs for DCE && AIX that can be used to make AIX
+use DCE for getting group/passwd entries. This is needed if one is running
+with a bare bones passwd/group file and AUTHSTATE set to DCE (This will be
+more or less clear to people doing this...) I have forced this on for now.
+
+k5dfspag.c is in lib/krb5
+k5dfspag.c is dependent on DCE only.
+It is also POSIX systems only. There are defines for the location of
+k5dcecon and dpagaix that needs a correct configure setting.
+
+k5dcecon needs no special things for the compile except whatever is needed
+on the target system to compile dce programs.
+(On aix the dce compile flags are: -D_THREAD_SAFE -D_AIX32_THREADS=1 -D_AIX41 -D_AES_SOURCE or one can use xlc_r4 if it is version 3.6.4 or later)
+
+k5dcecon wants the following libs (on aix 4.3):
+-ldce (and setenv from somewhere)
+
+dpagaix is only needed on AIX (see k5dfspag.c).
+dpagaix needs dfspag.exp and is linked with
+ld -edpagaix -o dpagaix dpagaix.o dfspag.exp
+
+
+Hope to get this into heimdal soon :-) although I know that you will have to
+change some things to get it cleanly into configure. Since I don't know the
+structure of the code (heimdal), nor enough of configure, good enough I
+just won't try it myself.
+
+One more thing, to get this to work one has to put fcache_version = x in
+krb5.conf where x = whatever the DCE implementation understands, (usually
+1 or 2).
+Thanks for adding that...
+
+
+Åke Sandgren (ake@hpc2n.umu.se)
+HPC2N
+Umeå University
+Sweden
+
+PS
+I have now added patches for configure.in and some Makefile.am's to get this
+all cleanly (I hope) into heimdal.
diff --git a/crypto/heimdal/appl/dceutils/README.original b/crypto/heimdal/appl/dceutils/README.original
new file mode 100644
index 0000000..7283c38
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/README.original
@@ -0,0 +1,335 @@
+KERBEROS and DCE INTEROPERABILITY ROUTINES
+
+WHAT'S NEW
+
+When k5dcecon was examining the ticket caches looking to 
+update one with a newer TGT, it might update the wrong
+one for the correct user.  This problem was reported by PNNL,
+and is now fixed.
+
+Any Kerberized application can now use a forwarded TGT to establish a
+DCE context, or can use a previously established DCE context. This is
+both a functional improvement and a performance improvement.
+
+BACKGROUND
+
+The MIT Kerberos 5 Release 1.x and DCE 1.1 can interoperate in a
+number of ways. This is possible because:
+
+ o DCE used Kerberos 5 internally. Based on the MIT code as of beta 4
+   or so, with additional changes. 
+
+ o The DCE security server can act as a K5 KDC, as defined in RFC 1510
+   and responds on port 88. 
+
+ o On the clients, DCE and Kerberos use the same format for the ticket
+   cache, and then can share it. The KRB5CCNAME environment variable points
+   at the cache.   
+ 
+ o On the clients, DCE and Kerberos use the same format for the srvtab
+   file. DCE refers to is a /krb5/v5srvtab and Kerberos as
+   /etc/krb5.keytab. They can be symlinked.  
+
+ o MIT has added many options to the krb5.conf configuration file
+   which allows newer features of Release 1.0 to be turned off to match
+   the earlier version of Kerberos upon which DCE is based. 
+
+ o DCE will accept a externally obtained Kerberos TGT in place of a
+   password when establishing a DCE context. 
+
+There are some areas where they differ, including the following:
+ 
+ o Administration of the database and the keytab files is done by the
+   DCE routines, rather the the Kerberos kadmin.
+
+ o User password changes must be done using the DCE commands. Kpasswd
+   does not work. (But there are mods to Kerberos to use the v5passwd 
+   with DCE.  
+
+ o DCE goes beyond authentication only, and provides authorization via
+   the PAC, and the dce-ptgt tickets stored in the cache. Thus a
+   Kerberos KDC can not act as a DCE security server. 
+
+ o A DCE cell and Kerberos realm can cross-realm authenticate, but 
+   there can be no intermediate realms. (There are other problems
+   in this area as well. But directly connected realms/cells do work.)
+
+ o You can't link a module with the DCE library and the Kerberos
+   library. They have conflicting routines, static data and structures.  
+ 
+One of the main features of DCE is the Distributed File System
+DFS. Access to DFS requires authentication and authorization, and when
+one uses a Kerberized network utility such as telnet, a forwarded
+Kerberos ticket can be used to establish the DCE context to allow
+access to DFS.  
+
+
+NEW TO THIS RELEASE
+
+This release introduces sharing of a DCE context, and PAG, and allows
+any Kerberized application to establish or share the context. This is
+made possible by using an undocumented feature of DCE which is on at
+least the Transarc and IBM releases of DCE 1.1.
+
+I am in the process of trying to get this contributed to the general
+DCE 1.2.2 release as a patch, so it could be included in other vendors
+products.  HP has expressed interest in doing this, as well as the
+OpenGroup if the modification is contributed. You can help by
+requesting Transarc and/or IBM to submit this modification to the
+OpenGroup and ask your vendor to adopt this modification.
+
+The feature is a modification to the setpag() system call which will
+allow an authorized process to set the PAG to a specific value, and
+thus allow unrelated processes to share the same PAG.
+
+This then allows the Kerberized daemons such as kshd, to exec a DCE
+module which established the DCE context. Kshd then sets the
+KRB5CCNAME environment variable and then issues the setpag() to use
+this context. This solves the linking problem. This is done via the
+k5dfspag.c routine.
+
+The k5dfspag.c code is compiled with the lib/krb5/os routines and
+included in the libkrb5. A daemon calls krb5_dfs_pag after the
+krb5_kuserok has determined that the Kerberos principal and local
+userid pair are acceptable. This should be done early so as to give
+the daemon access to the home directory which may be located on DFS.  
+If the .k5login file is used by krb5_kuserok it will need to be
+accessed by the daemon and will need special ACL handling.  
+
+The krb5_dfs_pag routine will exec the k5dcecon module to do all the
+real work. Upon return, if a PAG is obtained, krb5_dfs_pag with set
+the PAG for the current process to the returned PAG value. It will
+also set the KRB5CCNAME environment as well. Under DCE the PAG value
+is the nnnnnnn part of the name of the cache:
+FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn. 
+
+The k5dcecon routine will attempt to use TGT which may have been
+forwarded, to convert it to a DCE context. If there is no TGT, an
+attempt will be made to join an existing PAG for the local userid, and
+Kerberos principal. If there are existing PAGs, and a forwarded TGT,
+k5dcecon will check the lifetime of the forwarded TGT, and if it is
+less then the lifetime of the PAG, it will just join the PAG. If it
+is greater, it will refresh the PAG using the forwarded TGT. 
+This approach has the advantage of not requiring many new tickets from
+having to be obtained, and allows one to refresh a DCE context, or use
+an already established context. 
+
+If the system also has AFS, the AFS krb5_afs_pag should be called
+after the krb5_dfs_pag, since cache pointed at via the KRB5CCNAME may
+have changed, such as if a DFS PAG has been joined. The AFS code does
+not have the capability to join an existing AFS PAG, but can use the
+same cache which might already had a
+afsx/<afs.cell.name>@<k5.realm.name> service ticket.
+
+
+WHAT'S IN THIS RELEASE
+
+The k5prelogin, k5dcelogin, k5afslogin (with ak5log) were designed to
+be slipped in between telnetd or klogind and login.krb5. They would
+use a forwarded Kerberos ticket to establish a DCE context.  They are
+the older programs which are included here. They work on all DCE
+platforms, and don't take advantage of the undocumented setpag
+feature. (A version of k5dcelogin is being included with DCE 1.2.2)
+ 
+K5dcecon is the new program which can be used to create, update or
+join a DCE context. k5dcecon returns KRB5CCNAME string which contains
+the PAG.
+
+k5dfspag.c is to be built in the MIT Kerberos 5 release 1.0 patchlevel
+1 and added to the libkrb5. It will exec k5dcecon and upon return set
+the KRB5CCNAME and PAG. Mods to Kerberized klogind, rshd, telnetd,
+ftpd are available to use the k5dfspag. 
+
+Testpag.c is a test programs to see if the PAG can be set.
+
+The cpwkey.c routine can be used to change a key in the DCE registry,
+by adding the key directly, or by setting the salt/pepper and password
+or by providing the key and the pepper. This could be useful when
+coping keys from a K4 or AFS database to DCE. It can also be used when
+setting a DCE to K5 cross-cell key.  This program is a test program
+For mass inserts, it should be rewritten to read from stdin.
+
+K5dcelogin can also be called directly, much like dce_login.
+I use the following commands in effect do the same thing as dce_login
+and get a forwardable ticket, DCE context and an AFS token:
+
+  #!/bin/csh
+  # simulate a dce_login using krb5 kinit and k5dcelogin
+  #
+  setenv KRB5CCNAME FILE:/tmp/krb5cc_p$$
+  /krb5/bin/kinit -f
+  exec /krb5/sbin/k5dcelogin /krb5/sbin/k5afslogin /bin/csh
+  #exec /krb5/sbin/k5dcelogin  /bin/csh
+
+This could be useful in a mixed cell where "AS_REQ" messages are
+handled by a K5 KDC, but DCE RPCs are handled by the DCE security
+server.
+
+TESTING THE SETPAG
+
+The krb5_dfs_pag routine relies on an undocumented feature which is
+in the AIX and Transarc Solaris ports of DCE and has been recently
+added to the SGI version.  To test if this feature is present 
+on some other DFS implementation use the testpag routine. 
+
+The testpag routine attempts to set a PAG value to one you supply. It
+uses the afs_syscall with the afs_setpag, and passes the supplied 
+PAG value as the next parameter. On an unmodifed system, this 
+will be ignored, and a new will be set. You should also check that
+if run as a user, you cannot join a PAG owned by another user. 
+When run as root, any PAG should be usable. 
+
+On a machine with DFS running, do a dce_login to get a DCE context and
+PAG. ECHO the KRB5CCNAME and look at the nnnnnnnn at the end. It
+should look like an 8 char hex value, which may be 41ffxxxx on some
+systems. 
+
+Su to root and unsetenv KRB5CCNAME. Do a testpag -n nnnnnnnn where
+nnnnnnnn is the PAG obtained for the above name. 
+
+It should look like this example on an AIX 4.1.4 system:
+
+   pembroke# ./testpag -n 63dc9997
+   calling k5dcepag newpag=63dc9997
+   PAG returned = 63dc9997
+
+You will be running under a new shell with the PAG and KRB5CCNAME set.
+If the PAG returned is the same as the newpag, then it worked. You can
+further verify this by doing a DCE klist, cd to DFS and a DCE klist
+again. The klist should show some tickets for DFS servers.
+
+If the PAG returned is not the same, and repeated attempts show a
+returned PAG decremented by 1 from the previous returned PAG, then
+this system does not have the modification For example: 
+ 
+   # ./testpag -n 41fffff9
+   calling k5dcepag newpag=41fffff9
+   PAG returned = 41fffff8
+   # ./testpag -n 41fffff9
+   calling k5dcepag newpag=41fffff9
+   PAG returned = 41fffff7
+
+In this case the syscall is ignoring the newpag parameter. 
+
+Running it with -n 0 should get the next PAG value with or without
+this modification. 
+
+If the DFS kernel extensions are not installed, you would get
+something like this:
+
+  caliban.ctd.anl.gov% ./testpag -n 012345678
+  calling k5dcepag newpag=012345678
+  Setpag failed with a system error
+  PAG returned = ffffffff
+  Not a good pag value
+
+If you DFS implementation does not have this modification, you could
+attempt to install it yourself. But this requires source and requires
+modifications to the kernel extensions. At the end of this note is an
+untested sample using the DCE 1.2.2 source code. You can also contact
+your system vendor and ask for this modification.
+
+UNICOS has a similar function setppag(newpag) which can be used to set
+the PAG of the parent. Contact me if you are interested. 
+
+HOW TO INSTALL
+
+Examine the k5dfspag.c file to make sure the DFS syscalls are correct
+for your platform. See the /opt/dcelocal/share/include/dcedfs/syscall.h
+on Solaris for example. 
+
+You should build the testpag routine and make sure it works before 
+adding all the other mods. If it fails you can still use the klogind
+and telnetd with the k5prelogin and k5dcelogin code. 
+
+If you intend to install with a prefix other then /krb5, change:
+DPAGAIX and K5DCECON in k5dfspag.c; the three references in
+k5prelogin.c; and the DESTDIR in the Makefile.
+
+Get k5101.cdiff.xxxxxx.tar file and install the mods for ANL_DFS_PAG
+and ANL_DCE to the MIT Kerberos 5 source. These mods turn on some DCE
+related changes and the calls to krb5_dfs_pag. 
+
+Symlink or copy the k5dfspag.c to the src/lib/krb5/os directory. 
+
+Add the -DANL_DFS_PAG and -DANL_DCE flags to the configuration. 
+
+Configure and Build the Kerberos v5. 
+
+Modify the k5dce Makefile for your system. 
+
+Build the k5dcecon and related programs. 
+
+Install both the MIT Kerberos v5 and the k5dcecon and dpagaix if AIX.    
+
+The makefile can also build k5dcelogin and k5prelogin.  The install
+can install k5dcelogin, k5prelogin and update the links for login.krb5
+-> k5prelogin and moving login.krb5 to login.k5. If you will be using
+the k5dcecon/k5dfspag with the Kerberos mods, you don't need
+k5prelogin, or the links changed, and may not need k5dcelogin.
+
+Note that Transarc has obfuscated the entries to the lib, and 
+the 1.0.3a is different from the 1.1. You may need to build two
+versions of the k5dcelogin and/or k5dcecon one for each. 
+
+AIX ONLY
+
+The dpagaix routine is needed for AIX because of the way they do the 
+syscalls. 
+
+The following fix.aix.libdce.mk is not needed if dce 2.1.0.21
+has been installed. This PTF exposed the needed entrypoints. 
+
+The fix.aix.libdce.mk is a Makefile for AIX 4.x to add the required
+external entry points to the libdce.a.  These are needed by k5dcecon
+and k5dcelogin.  A bug report was submitted to IBM on this, and it was
+rejected. But since DCE 1.2.2 will have a k5dcelogin, this should not
+be needed with 1.2.2
+
+Copy /usr/lib/libdce.a to /usr/libdce.a.orig before starting. Copy the
+makefile to its own directory. It will create a new libdce.a which you
+need to copy back to /usr/lib/libdce.a You will need to reboot the
+machine.  See the /usr/lpp/dce/examples/inst/README.AIX for a similar
+procedure.  IBM was not responsive in a request to have these added.
+
+UNTESTED KERNEL EXTENSION FOR SETPAG
+
+*** src/file/osi/,osi_pag.c  Wed Oct  2 13:03:05 1996
+--- src/file/osi/osi_pag.c   Mon Jul 28 13:53:13 1997
+***************
+*** 293,298 ****
+--- 293,302 ----
+      int code;
+  
+      osi_MakePreemptionRight();
++    /* allow sharing of a PAG by non child processes DEE- 6/6/97 */
++    if (unused && osi_GetUID(osi_getucred()) == 0) {
++     newpag = unused;
++    } else {
+      osi_mutex_enter(&osi_pagLock);
+      now = osi_Time();
+      soonest = osi_firstPagTime +
+***************
+*** 309,314 ****
+--- 313,319 ----
+      }
+      osi_mutex_exit(&osi_pagLock);
+      newpag = osi_genpag();
++    }
+      osi_pcred_lock(p);
+      credp = crcopy(osi_getucred());
+      code = osi_SetPagInCred(credp, newpag);
+
+Created     07/08/96
+Modified    09/30/96
+Modified    11/19/96
+Modified    12/19/96
+Modified    06/20/97
+Modified    07/28/97
+Modified    02/18/98
+
+ Douglas E. Engert  <DEEngert@anl.gov>
+ Argonne National Laboratory
+ 9700 South Cass Avenue
+ Argonne, Illinois  60439 
+ (630) 252-5444
diff --git a/crypto/heimdal/appl/dceutils/compile b/crypto/heimdal/appl/dceutils/compile
new file mode 100755
index 0000000..d4a34aa
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/compile
@@ -0,0 +1,82 @@
+#! /bin/sh
+
+# Wrapper for compilers which do not understand `-c -o'.
+
+# Copyright 1999, 2000 Free Software Foundation, Inc.
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# Usage:
+# compile PROGRAM [ARGS]...
+# `-o FOO.o' is removed from the args passed to the actual compile.
+
+prog=$1
+shift
+
+ofile=
+cfile=
+args=
+while test $# -gt 0; do
+   case "$1" in
+    -o)
+       ofile=$2
+       shift
+       ;;
+    *.c)
+       cfile=$1
+       args="$args $1"
+       ;;
+    *)
+       args="$args $1"
+       ;;
+   esac
+   shift
+done
+
+test -z "$ofile" && {
+   echo "compile: no \`-o' option seen" 1>&2
+   exit 1
+}
+
+test -z "$cfile" && {
+   echo "compile: no \`.c' file seen" 1>&2
+   exit 1
+}
+
+# Name of file we expect compiler to create.
+cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
+
+# Create the lock directory.
+lockdir=`echo $ofile | sed -e 's|/|_|g'`
+while true; do
+   if mkdir $lockdir > /dev/null 2>&1; then
+      break
+   fi
+   sleep 1
+done
+# FIXME: race condition here if user kills between mkdir and trap.
+trap "rmdir $lockdir; exit 1" 1 2 15
+
+# Run the compile.
+"$prog" $args
+status=$?
+
+if test -f "$cofile"; then
+   mv "$cofile" "$ofile"
+fi
+
+rmdir $lockdir
+exit $status
diff --git a/crypto/heimdal/appl/dceutils/dfspag.exp b/crypto/heimdal/appl/dceutils/dfspag.exp
new file mode 100644
index 0000000..ed39788
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/dfspag.exp
@@ -0,0 +1,3 @@
+#!/unix
+* kernel extentions used to get the pag
+kafs_syscall syscall
diff --git a/crypto/heimdal/appl/dceutils/dpagaix.c b/crypto/heimdal/appl/dceutils/dpagaix.c
new file mode 100644
index 0000000..cbc23cb
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/dpagaix.c
@@ -0,0 +1,23 @@
+/*
+ * dpagaix.c
+ * On AIX we need to get the kernel extentions
+ * with the DFS kafs_syscall in it. 
+ * We might be running on a system
+ * where DFS is not active. 
+ * So we use this dummy routine which 
+ * might not load to do the dirty work
+ *
+ * DCE does this with the /usr/lib/drivers/dfsloadobj 
+ *
+ */
+ 
+ int dpagaix(parm1, parm2, parm3, parm4, parm5, parm6)
+   int parm1;
+   int parm2;
+   int parm3;
+   int parm4;
+   int parm5;
+   int parm6;
+ {
+   return(kafs_syscall(parm1, parm2, parm3, parm4, parm5, parm6));
+ }
diff --git a/crypto/heimdal/appl/dceutils/k5dce.h b/crypto/heimdal/appl/dceutils/k5dce.h
new file mode 100644
index 0000000..424ebdc
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/k5dce.h
@@ -0,0 +1,165 @@
+/* dummy K5 routines which are needed to get this to 
+ * compile without having access ti the DCE versions 
+ * of the header files.
+ * Thiis is very crude, and OSF needs to expose the K5
+ * API.
+ */
+
+#ifdef sun
+/* Transarc obfascates these routines */
+#ifdef DCE_1_1
+
+#define krb5_init_ets                   _dce_PkjKqOaklP 
+#define krb5_copy_creds                 _dce_LuFxPiITzD
+#define krb5_unparse_name               _dce_LWHtAuNgRV
+#define krb5_get_default_realm          _dce_vDruhprWGh
+#define krb5_build_principal            _dce_qwAalSzTtF
+#define krb5_build_principal_ext        _dce_vhafIQlejW
+#define krb5_build_principal_va         _dce_alsqToMmuJ
+#define krb5_cc_default                 _dce_KZRshhTXhE
+#define krb5_cc_default_name            _dce_bzJVAjHXVQ
+#define sec_login_krb5_add_cred			_dce_ePDtOJTZvU
+
+#else /* DCE 1.0.3a */
+
+#define krb5_init_ets                   _dce_BmLRpOVsBo
+#define krb5_copy_creds                 _dce_VGwSEBNwaf
+#define krb5_unparse_name               _dce_PgAOkJoMXA
+#define krb5_get_default_realm          _dce_plVOzStKyK
+#define krb5_build_principal            _dce_uAKSsluIFy
+#define krb5_build_principal_ext        _dce_tRMpPiRada
+#define krb5_build_principal_va         _dce_SxnLejZemH
+#define krb5_cc_default                 _dce_SeKosWFnsv
+#define krb5_cc_default_name            _dce_qJeaphJWVc
+#define sec_login_krb5_add_cred         _dce_uHwRasumsN
+
+#endif
+#endif
+
+/* Define the bare minimum k5 structures which are needed
+ * by this program. Since the krb5 includes are not supplied 
+ * with DCE, these were based on the MIT Kerberos 5 beta 3
+ * which should match the DCE as of 1.0.3 at least.
+ * The tricky one is the krb5_creds, since one is allocated
+ * by this program, and it needs access to the client principal
+ * in it.
+ * Note that there are no function prototypes, so there is no 
+ * compile time checking.
+ * DEE 07/11/95
+ */
+#define     NPROTOTYPE(x) () 
+typedef int krb5_int32;  /* assuming all DCE systems are 32 bit */
+typedef short krb5short; /* assuming short is 16 bit */
+typedef krb5_int32      krb5_error_code;
+typedef unsigned char   krb5_octet;
+typedef krb5_octet      krb5_boolean;
+typedef krb5short       krb5_keytype; /* in k5.2 it's a short */
+typedef krb5_int32      krb5_flags;
+typedef krb5_int32  krb5_timestamp;
+
+typedef char * krb5_pointer;  /* pointer to unexposed data */
+
+typedef struct _krb5_ccache {
+    struct _krb5_cc_ops *ops;
+    krb5_pointer data;
+} *krb5_ccache;
+
+typedef struct _krb5_cc_ops {
+    char *prefix;
+    char *(*get_name) NPROTOTYPE((krb5_ccache));
+    krb5_error_code (*resolve) NPROTOTYPE((krb5_ccache *, char *));
+    krb5_error_code (*gen_new) NPROTOTYPE((krb5_ccache *));
+    krb5_error_code (*init) NPROTOTYPE((krb5_ccache, krb5_principal));
+    krb5_error_code (*destroy) NPROTOTYPE((krb5_ccache));
+    krb5_error_code (*close) NPROTOTYPE((krb5_ccache));
+    krb5_error_code (*store) NPROTOTYPE((krb5_ccache, krb5_creds *));
+    krb5_error_code (*retrieve) NPROTOTYPE((krb5_ccache, krb5_flags,
+                   krb5_creds *, krb5_creds *));
+    krb5_error_code (*get_princ) NPROTOTYPE((krb5_ccache,
+                        krb5_principal *));
+    krb5_error_code (*get_first) NPROTOTYPE((krb5_ccache,
+                        krb5_cc_cursor *));
+    krb5_error_code (*get_next) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *,
+                   krb5_creds *));
+    krb5_error_code (*end_get) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *));
+    krb5_error_code (*remove_cred) NPROTOTYPE((krb5_ccache, krb5_flags,
+                      krb5_creds *));
+    krb5_error_code (*set_flags) NPROTOTYPE((krb5_ccache, krb5_flags));
+} krb5_cc_ops;
+
+typedef struct _krb5_keyblock {
+	krb5_keytype keytype;
+	int length;
+	krb5_octet *contents;
+} krb5_keyblock;
+
+typedef struct _krb5_ticket_times {
+	krb5_timestamp authtime;
+	krb5_timestamp starttime;
+	krb5_timestamp endtime;
+	krb5_timestamp renew_till;
+} krb5_ticket_times;
+
+typedef krb5_pointer krb5_cc_cursor;
+
+typedef struct _krb5_data {
+   int length;
+   char *data;
+} krb5_data;
+
+typedef struct _krb5_authdata {
+   int ad_type;
+   int length;
+   krb5_octet *contents;
+} krb5_authdata;
+
+typedef struct _krb5_creds {
+    krb5_pointer client;
+    krb5_pointer server;
+    krb5_keyblock keyblock;
+    krb5_ticket_times times;
+    krb5_boolean is_skey;
+    krb5_flags ticket_flags;
+    krb5_pointer **addresses;
+    krb5_data ticket;
+    krb5_data second_ticket;
+    krb5_pointer **authdata;
+} krb5_creds;
+
+typedef krb5_pointer krb5_principal; 
+ 
+#define KRB5_CC_END                              336760974
+#define KRB5_TC_OPENCLOSE              0x00000001
+
+/* Ticket flags */
+/* flags are 32 bits; each host is responsible to put the 4 bytes
+   representing these bits into net order before transmission */
+/* #define  TKT_FLG_RESERVED    0x80000000 */
+#define TKT_FLG_FORWARDABLE     0x40000000
+#define TKT_FLG_FORWARDED       0x20000000
+#define TKT_FLG_PROXIABLE       0x10000000
+#define TKT_FLG_PROXY           0x08000000
+#define TKT_FLG_MAY_POSTDATE    0x04000000
+#define TKT_FLG_POSTDATED       0x02000000
+#define TKT_FLG_INVALID         0x01000000
+#define TKT_FLG_RENEWABLE       0x00800000
+#define TKT_FLG_INITIAL         0x00400000
+#define TKT_FLG_PRE_AUTH        0x00200000
+#define TKT_FLG_HW_AUTH         0x00100000
+#ifdef PK_INIT
+#define TKT_FLG_PUBKEY_PREAUTH          0x00080000
+#define TKT_FLG_DIGSIGN_PREAUTH         0x00040000
+#define TKT_FLG_PRIVKEY_PREAUTH         0x00020000
+#endif
+
+
+#define krb5_cc_get_principal(cache, principal) (*(cache)->ops->get_princ)(cache, principal)
+#define krb5_cc_set_flags(cache, flags) (*(cache)->ops->set_flags)(cache, flags)
+#define krb5_cc_get_name(cache) (*(cache)->ops->get_name)(cache)
+#define krb5_cc_start_seq_get(cache, cursor) (*(cache)->ops->get_first)(cache, cursor)
+#define krb5_cc_next_cred(cache, cursor, creds) (*(cache)->ops->get_next)(cache, cursor, creds)
+#define krb5_cc_destroy(cache) (*(cache)->ops->destroy)(cache)
+#define krb5_cc_end_seq_get(cache, cursor) (*(cache)->ops->end_get)(cache, cursor)
+
+/* end of k5 dummy typedefs */
+
diff --git a/crypto/heimdal/appl/dceutils/k5dcecon.c b/crypto/heimdal/appl/dceutils/k5dcecon.c
new file mode 100644
index 0000000..38acee9
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/k5dcecon.c
@@ -0,0 +1,791 @@
+/*
+ * (c) Copyright 1995 HEWLETT-PACKARD COMPANY
+ * 
+ * To anyone who acknowledges that this file is provided 
+ * "AS IS" without any express or implied warranty:
+ * permission to use, copy, modify, and distribute this 
+ * file for any purpose is hereby granted without fee, 
+ * provided that the above copyright notice and this 
+ * notice appears in all copies, and that the name of 
+ * Hewlett-Packard Company not be used in advertising or 
+ * publicity pertaining to distribution of the software 
+ * without specific, written prior permission.  Hewlett-
+ * Packard Company makes no representations about the 
+ * suitability of this software for any purpose.
+ *
+ */
+/*
+ * k5dcecon - Program to convert a K5 TGT to a DCE context,
+ * for use with DFS and its PAG.
+ * 
+ * The program is designed to be called as a sub process, 
+ * and return via stdout the name of the cache which implies 
+ * the PAG which should be used. This program itself does not 
+ * use the cache or PAG itself, so the PAG in the kernel for 
+ * this program may not be set. 
+ * 
+ * The calling program can then use the name of the cache
+ * to set the KRB5CCNAME and PAG for its self and its children. 
+ *
+ * If no ticket was passed, an attemplt to join an existing
+ * PAG will be made. 
+ * 
+ * If a forwarded K5 TGT is passed in, either a new DCE 
+ * context will be created, or an existing one will be updated.
+ * If the same ticket was already used to create an existing
+ * context, it will be joined instead. 
+ * 
+ * Parts of this program are based on k5dceauth,c which was
+ * given to me by HP and by the k5dcelogin.c which I developed. 
+ * A slightly different version of k5dcelogin.c, was added to
+ * DCE 1.2.2
+ * 
+ * D. E. Engert 6/17/97 ANL
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <locale.h>
+#include <pwd.h>
+#include <string.h>
+#include <time.h>
+
+#include <errno.h>
+#include "k5dce.h"
+
+#include <dce/sec_login.h>
+#include <dce/dce_error.h>
+#include <dce/passwd.h>
+
+/* #define DEBUG */
+#if defined(DEBUG)
+#define DEEDEBUG(A) fprintf(stderr,A); fflush(stderr)
+#define DEEDEBUG2(A,B) fprintf(stderr,A,B); fflush(stderr)
+#else
+#define DEEDEBUG(A)
+#define DEEDEBUG2(A,B)
+#endif
+
+#ifdef __hpux
+#define seteuid(A)		setresuid(-1,A,-1);
+#endif
+
+
+int k5dcecreate (uid_t, char *, char*, krb5_creds **);
+int k5dcecon (uid_t, char *, char *);
+int k5dcegettgt (krb5_ccache *, char *, char *, krb5_creds **);
+int k5dcematch (uid_t, char *, char *, off_t *, krb5_creds **);
+int k5dcesession (uid_t, char *, krb5_creds **, int *,krb5_flags);
+
+
+char *progname = "k5dcecon";
+static time_t now;
+
+#ifdef notdef
+#ifdef _AIX
+/*---------------------------------------------*/
+ /* AIX with DCE 1.1 does not have the com_err in the libdce.a
+  * do a half hearted job of substituting for it. 
+  */ 
+void com_err(char *p1, int code, ...) 
+{
+    int lst;
+    dce_error_string_t  err_string;
+    dce_error_inq_text(code, err_string, &lst);
+    fprintf(stderr,"Error %d in %s: %s\n", code, p1, err_string );
+}
+
+/*---------------------------------------------*/
+void krb5_init_ets()
+{
+
+}
+#endif
+#endif
+
+
+/*------------------------------------------------*/
+/* find a cache to use  for our new pag           */
+/* Since there is no simple way to determine which
+ * caches are associated with a pag, we will have
+ * do look around and see what makes most sense on 
+ * different systems. 
+ * on a Solaris system, and in the DCE source, 
+ * the pags always start with a 41. 
+ * this is not true on the IBM, where there does not
+ * appear to be any pattern. 
+ * 
+ * But since we are always certifing our creds when
+ * they are received, we can us that fact, and look
+ * at the first word of the associated data file
+ * to see that it has a "5". If not don't use. 
+ */
+
+int k5dcesession(luid, pname, tgt, ppag, tflags)
+  uid_t luid;
+  char *pname;
+  krb5_creds **tgt;
+  int *ppag;
+  krb5_flags tflags;
+{
+  DIR *dirp;
+  struct dirent *direntp;
+  off_t size;
+  krb5_timestamp endtime;
+  int better = 0;
+  krb5_creds *xtgt;
+
+  char prev_name[17] = "";  
+  krb5_timestamp prev_endtime;
+  off_t prev_size;
+  u_long prev_pag = 0;
+
+  char ccname[64] = "FILE:/opt/dcelocal/var/security/creds/";
+ 
+  error_status_t st;
+  sec_login_handle_t lcontext = 0;
+  dce_error_string_t  err_string;
+  int lst;
+
+  DEEDEBUG2("k5dcesession looking for flags %8.8x\n",tflags);
+
+  dirp = opendir("/opt/dcelocal/var/security/creds/");
+  if (dirp == NULL) {
+	return 1;
+  }
+
+  while ( (direntp = readdir( dirp )) != NULL ) {
+
+/*  
+ * (but root has the ffffffff which we are not interested in)
+ */
+    if (!strncmp(direntp->d_name,"dcecred_",8)
+         && (strlen(direntp->d_name) == 16)) {
+
+      /* looks like a cache name, lets do the stat, etc */
+
+      strcpy(ccname+38,direntp->d_name);
+      if (!k5dcematch(luid, pname, ccname, &size, &xtgt))  {
+
+        /* its one of our caches, see if it is better  
+         * i.e. the endtime is farther, and if the endtimes
+         * are the same, take the larger, as he who has the 
+         * most tickets wins.
+         * it must also had the same set of flags at least
+         * i.e. if the forwarded TGT is forwardable, this one must 
+         * be as well.   
+         */
+
+        DEEDEBUG2("Cache:%s",direntp->d_name);
+        DEEDEBUG2(" size:%d",size);
+		DEEDEBUG2(" flags:%8.8x",xtgt->ticket_flags);
+		DEEDEBUG2(" %s",ctime((time_t *)&xtgt->times.endtime));
+ 
+        if ((xtgt->ticket_flags & tflags) == tflags ) {
+          if (prev_name[0]) {
+            if (xtgt->times.endtime > prev_endtime) {
+              better = 1;
+            } else if ((xtgt->times.endtime = prev_endtime) 
+                  && (size > prev_size)){
+              better = 1;
+	        }
+          } else {   /* the first */
+            if (xtgt->times.endtime >= now) {
+            better = 1;
+	        }
+          }
+          if (better) {
+            strcpy(prev_name, direntp->d_name);
+	  	    prev_endtime = xtgt->times.endtime;
+            prev_size = size;
+            sscanf(prev_name+8,"%8X",&prev_pag);
+			*tgt = xtgt;
+            better = 0;
+          }
+        }
+      } 
+    }
+  }
+  (void)closedir( dirp );
+
+  if (!prev_name[0])  
+	 return 1; /* failed to find one */
+
+   DEEDEBUG2("Best: %s\n",prev_name);
+
+   if (ppag)
+      *ppag = prev_pag;
+
+   strcpy(ccname+38,prev_name);
+   setenv("KRB5CCNAME",ccname,1);
+ 
+   return(0);
+}
+
+
+/*----------------------------------------------*/
+/* see if this cache is for this this principal */
+
+int k5dcematch(luid, pname, ccname, sizep, tgt) 
+  uid_t luid;
+  char *pname;
+  char *ccname;
+  off_t *sizep;  /* size of the file */
+  krb5_creds **tgt;
+{
+
+  krb5_ccache cache;
+  struct stat stbuf;
+  char ccdata[256];
+  int fd;
+  int status;
+
+  /* DEEDEBUG2("k5dcematch called: cache=%s\n",ccname+38); */
+
+  if (!strncmp(ccname,"FILE:",5)) {
+
+    strcpy(ccdata,ccname+5);
+    strcat(ccdata,".data");
+
+    /* DEEDEBUG2("Checking the .data file for %s\n",ccdata); */
+
+    if (stat(ccdata, &stbuf))
+      return(1);
+ 
+    if (stbuf.st_uid != luid)
+      return(1);
+
+    if ((fd = open(ccdata,O_RDONLY)) == -1)
+      return(1);
+    
+    if ((read(fd,&status,4)) != 4) {
+      close(fd);
+      return(1);
+    }
+    
+    /* DEEDEBUG2(".data file status = %d\n", status); */
+
+    if (status != 5)
+     return(1);
+
+    if (stat(ccname+5, &stbuf))
+      return(1);
+
+    if (stbuf.st_uid != luid)
+      return(1);
+
+    *sizep = stbuf.st_size;
+  }
+
+  return(k5dcegettgt(&cache, ccname, pname, tgt));
+}
+
+
+/*----------------------------------------*/
+/* k5dcegettgt - get the tgt from a cache */
+
+int k5dcegettgt(pcache, ccname, pname, tgt)
+  krb5_ccache *pcache;
+  char *ccname;
+  char *pname;
+  krb5_creds **tgt;
+
+{
+  krb5_ccache cache;
+  krb5_cc_cursor cur;
+  krb5_creds creds;
+  int code;
+  int found = 1;
+  krb5_principal princ;
+  char *kusername;
+  krb5_flags flags;
+  char *sname, *realm, *tgtname = NULL;
+
+  /* Since DCE does not expose much of the Kerberos interface,
+   * we will have to use what we can. This means setting the 
+   * KRB5CCNAME for each file we want to test
+   * We will also not worry about freeing extra cache structures
+   * as this this routine is also not exposed, and this should not 
+   * effect this module. 
+   * We should also free the creds contents, but that is not exposed
+   * either. 
+   */
+
+  setenv("KRB5CCNAME",ccname,1);
+  cache = NULL;
+  *tgt = NULL;
+
+  if (code = krb5_cc_default(pcache)) {
+     com_err(progname, code, "while getting ccache");
+     goto return2;
+  }
+
+  DEEDEBUG("Got cache\n");
+  flags = 0;
+  if (code = krb5_cc_set_flags(*pcache, flags)) {
+    com_err(progname, code,"While setting flags"); 
+    goto return2;
+  }
+  DEEDEBUG("Set flags\n");
+  if (code = krb5_cc_get_principal(*pcache, &princ)) {
+	com_err(progname, code, "While getting princ");
+    goto return1;
+  }
+  DEEDEBUG("Got principal\n");
+  if (code = krb5_unparse_name(princ, &kusername)) {
+    com_err(progname, code, "While unparsing principal");
+    goto return1;
+  }
+
+  DEEDEBUG2("Unparsed to \"%s\"\n", kusername);
+  DEEDEBUG2("pname is \"%s\"\n", pname);
+  if (strcmp(kusername, pname)) {
+   DEEDEBUG("Principals not equal\n");
+   goto return1;
+  }
+  DEEDEBUG("Principals equal\n");
+
+  realm = strchr(pname,'@');
+  realm++;
+
+  if ((tgtname = malloc(9 + 2 * strlen(realm))) == 0) {
+       fprintf(stderr,"Malloc failed for tgtname\n");
+       goto return1;
+  }
+
+  strcpy(tgtname,"krbtgt/");
+  strcat(tgtname,realm);
+  strcat(tgtname,"@");
+  strcat(tgtname,realm);
+ 
+  DEEDEBUG2("Getting tgt %s\n", tgtname);
+  if (code = krb5_cc_start_seq_get(*pcache, &cur)) {
+    com_err(progname, code, "while starting to retrieve tickets");
+    goto return1;
+  }
+
+  while (!(code = krb5_cc_next_cred(*pcache, &cur, &creds))) {
+    krb5_creds *cred = &creds;
+
+    if (code = krb5_unparse_name(cred->server, &sname)) {
+      com_err(progname, code, "while unparsing server name");
+      continue;
+    }
+
+    if (strncmp(sname, tgtname, strlen(tgtname)) == 0) {
+      DEEDEBUG("FOUND\n");
+      if (code = krb5_copy_creds(&creds, tgt)) {
+        com_err(progname, code, "while copying TGT");
+        goto return1;
+      }
+      found = 0;
+      break;
+    } 
+    /* we should do a krb5_free_cred_contents(creds); */
+  }
+
+  if (code = krb5_cc_end_seq_get(*pcache, &cur)) {
+    com_err(progname, code, "while finishing retrieval"); 
+    goto return2;
+  }
+
+return1:
+  flags = KRB5_TC_OPENCLOSE; 
+  krb5_cc_set_flags(*pcache, flags); /* force a close */
+   
+return2:
+  if (tgtname)
+    free(tgtname);
+
+  return(found);
+}
+
+
+/*------------------------------------------*/
+/* Convert a forwarded TGT to a DCE context */
+int k5dcecon(luid, luser, pname)
+  uid_t luid;
+  char *luser;
+  char *pname;
+{
+
+  krb5_creds *ftgt = NULL;
+  krb5_creds *tgt = NULL;
+  unsigned32 dfspag;
+  boolean32 reset_passwd = 0;
+  int lst;
+  dce_error_string_t  err_string;
+  char *shell_prog;
+  krb5_ccache fcache;
+  char *ccname;
+  char *kusername;
+  char *urealm;
+  char *cp;
+  int pag;
+  int code;
+  krb5_timestamp endtime;
+
+
+  /* If there is no cache to be converted, we should not be here */
+
+  if ((ccname = getenv("KRB5CCNAME")) == NULL) {
+    DEEDEBUG("No KRB5CCNAME\n");
+    return(1);
+  }
+
+  if (k5dcegettgt(&fcache, ccname, pname, &ftgt)) {
+    fprintf(stderr, "%s: Did not find TGT\n", progname);
+    return(1);
+  }
+
+ 
+  DEEDEBUG2("flags=%x\n",ftgt->ticket_flags);
+  if (!(ftgt->ticket_flags & TKT_FLG_FORWARDABLE)){
+    fprintf(stderr,"Ticket not forwardable\n");
+    return(0); /* but OK to continue */
+  }
+
+  setenv("KRB5CCNAME","",1);
+    
+#define TKT_ACCEPTABLE (TKT_FLG_FORWARDABLE | TKT_FLG_PROXIABLE \
+         | TKT_FLG_MAY_POSTDATE | TKT_FLG_RENEWABLE | TKT_FLG_HW_AUTH \
+         | TKT_FLG_PRE_AUTH)
+
+  if (!k5dcesession(luid, pname, &tgt, &pag, 
+        (ftgt->ticket_flags & TKT_ACCEPTABLE))) {
+    if (ftgt->times.endtime > tgt->times.endtime) {
+      DEEDEBUG("Updating existing cache\n"); 
+      return(k5dceupdate(&ftgt, pag));
+    } else {
+      DEEDEBUG("Using existing cache\n");
+      return(0); /* use the original one */
+    }
+  } 
+    /* see if the tgts match up */
+
+  if ((code = k5dcecreate(luid, luser, pname, &ftgt))) {
+	return (code);
+  }
+
+  /*
+   * Destroy the Kerberos5 cred cache file.
+   * but dont care aout the return code. 
+   */
+
+  DEEDEBUG("Destroying the old cache\n");
+  if ((code = krb5_cc_destroy(fcache))) {
+    com_err(progname, code, "while destroying Kerberos5 ccache");
+  }
+  return (0);
+}
+
+
+/*--------------------------------------------------*/
+/* k5dceupdate - update the cache with a new TGT    */
+/* Assumed that the KRB5CCNAME has been set         */
+
+int k5dceupdate(krbtgt, pag) 
+   krb5_creds **krbtgt;
+   int pag;
+{
+ 
+  krb5_ccache ccache;
+  int code;
+
+  if (code = krb5_cc_default(&ccache)) {
+    com_err(progname, code, "while opening cache for update");
+    return(2);
+   }
+
+  if (code = ccache->ops->init(ccache,(*krbtgt)->client)) {
+    com_err(progname, code, "while reinitilizing cache");
+    return(3);
+  } 
+
+    /* krb5_cc_store_cred */
+  if (code = ccache->ops->store(ccache, *krbtgt)) {
+    com_err(progname, code, "while updating cache");
+    return(2);
+  }
+
+  sec_login_pag_new_tgt(pag, (*krbtgt)->times.endtime);
+  return(0);
+}
+/*--------------------------------------------------*/
+/* k5dcecreate - create a new DCE context           */
+
+int k5dcecreate(luid, luser, pname, krbtgt)
+   uid_t luid;
+   char *luser;
+   char *pname;
+   krb5_creds **krbtgt;
+{
+   
+    char *cp;
+    char *urealm;
+    char *username;
+    char *defrealm;
+    uid_t uid;
+
+    error_status_t st;
+    sec_login_handle_t lcontext = 0;
+    sec_login_auth_src_t auth_src = 0;
+    boolean32 reset_passwd = 0;
+    int lst;
+    dce_error_string_t  err_string;
+
+	setenv("KRB5CCNAME","",1); /* make sure it not misused */
+
+	uid = getuid();
+	DEEDEBUG2("uid=%d\n",uid);
+    
+	/* if run as root, change to user, so as to have the
+	 * cache created for the local user even if cross-cell
+	 * If run as a user, let standard file protection work.
+	 */
+
+	if (uid == 0) {
+		seteuid(luid);
+	}  
+
+	cp = strchr(pname,'@');
+	*cp = '\0';
+	urealm = ++cp;
+
+ DEEDEBUG2("basename=%s\n",cp);
+ DEEDEBUG2("realm=%s\n",urealm);
+
+    /* now build the username as a single string or a /.../cell/user
+     * if this is a cross cell
+     */
+
+	if ((username = malloc(7+strlen(pname)+strlen(urealm))) == 0) {
+         fprintf(stderr,"Malloc failed for username\n");
+         goto abort;
+    }
+    if (krb5_get_default_realm(&defrealm)) {
+        DEEDEBUG("krb5_get_default_realm failed\n");
+        goto abort;
+    }
+
+
+    if (!strcmp(urealm,defrealm)) {
+        strcpy(username,pname);
+    } else {
+        strcpy(username,"/.../");
+        strcat(username,urealm);
+        strcat(username,"/");
+        strcat(username,pname);
+    }
+
+    /*
+     * Setup a DCE login context
+     */
+
+    if (sec_login_setup_identity((unsigned_char_p_t)username, 
+				 (sec_login_external_tgt|sec_login_proxy_cred),
+				 &lcontext, &st)) {
+	/*
+	 * Add our TGT.
+	 */
+	  DEEDEBUG("Adding our new TGT\n");
+	  sec_login_krb5_add_cred(lcontext, *krbtgt, &st);
+	  if (st) {
+	    dce_error_inq_text(st, err_string, &lst);
+	    fprintf(stderr,
+				"Error while adding credentials for %s because %s\n", 
+				username, err_string);
+	    goto abort;
+	  }	
+	  DEEDEBUG("validating and certifying\n");
+	  /*
+	   * Now "validate" and certify the identity,
+	   *  usually we would pass a password here, but...
+	   * sec_login_valid_and_cert_ident
+	   * sec_login_validate_identity
+	   */
+
+	  if (sec_login_validate_identity(lcontext, 0, &reset_passwd,
+		 &auth_src, &st)) {
+	    DEEDEBUG2("validate_identity st=%d\n",st);
+	    if (st) {
+		  dce_error_inq_text(st, err_string, &lst);
+		  fprintf(stderr, "Validation error for %s because %s\n",
+				 username, err_string);
+		  goto abort;
+	    }
+		if (!sec_login_certify_identity(lcontext,&st)) {
+			dce_error_inq_text(st, err_string, &lst);
+			fprintf(stderr,
+			"Credentials not certified because %s\n",err_string);
+		}
+	    if (reset_passwd) {
+		 fprintf(stderr,
+                "Password must be changed for %s\n", username);
+	    }
+	    if (auth_src == sec_login_auth_src_local) {
+		fprintf(stderr,
+			 "Credentials obtained from local registry for %s\n", 
+			 username);
+	    }
+	    if (auth_src == sec_login_auth_src_overridden) {
+		  fprintf(stderr, "Validated %s from local override entry, no network credentials obtained\n", username);
+		  goto abort; 
+
+	    }
+	    /*
+	     * Actually create the cred files.
+	     */
+		DEEDEBUG("Ceating new cred files.\n");
+	    sec_login_set_context(lcontext, &st);
+	    if (st) {
+		  dce_error_inq_text(st, err_string, &lst);
+		  fprintf(stderr, 
+                "Unable to set context for %s because %s\n",
+		    username, err_string);
+		  goto abort;
+	    }
+
+        /*
+         * Now free up the local context and leave the 
+         * network context with its pag
+         */
+#if 0
+        sec_login_release_context(&lcontext, &st);
+        if (st) {
+          dce_error_inq_text(st, err_string, &lst);
+          fprintf(stderr,
+               "Unable to release context for %s because %s\n",
+            username, err_string);
+          goto abort;
+        }
+#endif
+	}
+	else {
+	  DEEDEBUG2("validate failed %d\n",st);
+	  dce_error_inq_text(st, err_string, &lst);
+	  fprintf(stderr,
+             "Unable to validate %s because %s\n", username, 
+			err_string);
+	  goto abort;
+	}
+  }
+  else {
+	dce_error_inq_text(st, err_string, &lst);
+	fprintf(stderr, 
+          "Unable to setup login entry for %s because %s\n",
+       username, err_string);
+	  goto abort;
+  }
+
+ done:
+    /* if we were root, get back to root */
+
+    DEEDEBUG2("sec_login_inq_pag %8.8x\n",
+             sec_login_inq_pag(lcontext, &st));
+
+    if (uid == 0) {
+      seteuid(0);
+    }  
+
+	DEEDEBUG("completed\n");
+	return(0);
+
+ abort:
+    if (uid == 0) {
+      seteuid(0);
+    }  
+
+    DEEDEBUG("Aborting\n");
+    return(2);
+}
+
+
+
+/*-------------------------------------------------*/
+main(argc, argv)
+  int argc;
+  char *argv[];
+{
+  int status;
+  extern int optind;
+  extern char *optarg;
+  int rv;
+
+  char *lusername = NULL;
+  char *pname = NULL;
+  int fflag = 0;
+  struct passwd *pw;
+  uid_t luid;
+  uid_t myuid;
+  char *ccname;
+  krb5_creds *tgt = NULL;
+
+#ifdef DEBUG
+  close(2);
+  open("/tmp/k5dce.debug",O_WRONLY|O_CREAT|O_APPEND);
+#endif
+
+  if (myuid = getuid()) {
+    DEEDEBUG2("UID = %d\n",myuid);
+    exit(33); /* must be root to run this, get out now */
+  }
+
+  while ((rv = getopt(argc,argv,"l:p:fs")) != -1) {
+    DEEDEBUG2("Arg = %c\n", rv);
+    switch(rv) {
+      case 'l':         /* user name */
+	lusername = optarg;
+	DEEDEBUG2("Optarg = %s\n", optarg);
+	break;
+      case 'p':         /* principal name */
+        pname = optarg; 
+	DEEDEBUG2("Optarg = %s\n", optarg);
+        break;
+      case 'f':         /* convert a forwarded TGT to a context */
+        fflag++;
+        break;
+      case 's':      /* old test parameter, ignore it */
+        break; 
+    }
+  }
+
+  setlocale(LC_ALL, "");
+  krb5_init_ets();
+  time(&now); /* set time to check expired tickets */
+
+  /* if lusername == NULL, Then user is passed as the USER= variable */ 
+
+  if (!lusername) {
+    lusername = getenv("USER");
+    if (!lusername) {
+      fprintf(stderr, "USER not in environment\n");
+      return(3);
+    }
+  }
+
+  if ((pw = getpwnam(lusername)) == NULL) {
+    fprintf(stderr, "Who are you?\n");
+    return(44);
+  }
+
+  luid = pw->pw_uid;
+
+  if (fflag) {  
+    status = k5dcecon(luid, lusername, pname); 
+  } else {
+    status = k5dcesession(luid, pname, &tgt, NULL, 0);
+  }
+ 
+  if (!status) {
+    printf("%s",getenv("KRB5CCNAME")); /* return via stdout to caller */
+    DEEDEBUG2("KRB5CCNAME=%s\n",getenv("KRB5CCNAME"));
+  }
+
+  DEEDEBUG2("Returning status %d\n",status);
+  return (status);
+}
diff --git a/crypto/heimdal/appl/dceutils/testpag.c b/crypto/heimdal/appl/dceutils/testpag.c
new file mode 100644
index 0000000..4613fba
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/testpag.c
@@ -0,0 +1,150 @@
+/* Test the k5dcepag routine by setting a pag, and 
+ * and execing a shell under this pag. 
+ * 
+ * This allows you to join a PAG which was created  
+ * earlier by some other means. 
+ * for example k5dcecon
+ * 
+ * Must be run as root for testing only. 
+ *
+ */
+
+#include <stdio.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <errno.h>
+
+#define POSIX_SETJMP
+#define POSIX_SIGNALS
+
+#ifdef POSIX_SIGNALS
+typedef struct sigaction handler;
+#define handler_init(H,F)       (sigemptyset(&(H).sa_mask), \
+                     (H).sa_flags=0, \
+                     (H).sa_handler=(F))
+#define handler_swap(S,NEW,OLD)     sigaction(S, &NEW, &OLD)
+#define handler_set(S,OLD)      sigaction(S, &OLD, NULL)
+#else
+typedef sigtype (*handler)();
+#define handler_init(H,F)       ((H) = (F))
+#define handler_swap(S,NEW,OLD)     ((OLD) = signal ((S), (NEW)))
+
+#define handler_set(S,OLD)      (signal ((S), (OLD)))
+#endif
+
+typedef void sigtype;
+
+/*
+ * We could include the dcedfs/syscall.h which should have these
+ * numbers, but it has extra baggage. So for
+ * simplicity sake now, we define these here.
+ */
+
+
+#define AFSCALL_SETPAG 2
+#define AFSCALL_GETPAG 11
+
+#if defined(sun)
+#define AFS_SYSCALL  72
+
+#elif defined(hpux)
+/* assume HPUX 10 +  or is it 50 */
+#define AFS_SYSCALL 326
+
+#elif defined(_AIX)
+#define DPAGAIX "dpagaix"
+/* #define DPAGAIX "/krb5/sbin/dpagaix" */
+
+#elif defined(sgi) || defined(_sgi)
+#define AFS_SYSCALL  206+1000
+
+#else
+#define AFS_SYSCALL (Unknown_DFS_AFS_SYSCALL)
+#endif
+
+static sigjmp_buf setpag_buf;
+
+static sigtype mysig()
+{
+  siglongjmp(setpag_buf, 1);
+}
+
+
+int  krb5_dfs_newpag(new_pag)
+  int new_pag;
+{
+  handler sa1, osa1;
+  handler sa2, osa2;
+  int pag = -1;
+
+  handler_init (sa1, mysig);
+  handler_init (sa2, mysig);
+  handler_swap (SIGSYS, sa1, osa1);
+  handler_swap (SIGSEGV, sa2, osa2);
+ 
+  if (sigsetjmp(setpag_buf, 1) == 0) {
+#if defined(_AIX)
+    int (*dpagaix)(int, int, int, int, int, int);
+
+    if (dpagaix = load(DPAGAIX, 0, 0)) 
+      pag = (*dpagaix)(AFSCALL_SETPAG, new_pag, 0, 0, 0, 0);
+#else
+    pag = syscall(AFS_SYSCALL,AFSCALL_SETPAG, new_pag, 0, 0, 0, 0);
+#endif
+    handler_set (SIGSYS, osa1);
+    handler_set (SIGSEGV, osa2);
+    return(pag);
+  }
+
+  fprintf(stderr,"Setpag failed with a system error\n");
+  /* syscall failed! return 0 */
+  handler_set (SIGSYS, osa1);
+  handler_set (SIGSEGV, osa2);
+  return(-1);
+}
+
+main(argc, argv)
+	int argc;
+	char *argv[];
+{
+  extern int optind;
+  extern char *optarg;
+  int rv;
+  int rc;
+  unsigned int pag;
+  unsigned int newpag = 0;
+  char ccname[256];
+  int nflag = 0;
+  
+  while((rv = getopt(argc,argv,"n:")) != -1) {
+    switch(rv) {
+     case 'n':
+       nflag++;
+       sscanf(optarg,"%8x",&newpag);
+       break;
+     default:
+       printf("Usage: k5dcepagt -n pag \n");
+       exit(1);
+    }
+  }
+
+  if (nflag) {
+    fprintf (stderr,"calling k5dcepag newpag=%8.8x\n",newpag);
+    pag = krb5_dfs_newpag(newpag);
+
+    fprintf (stderr,"PAG returned = %8.8x\n",pag);
+    if ((pag != 0) && (pag != -1)) {
+      sprintf (ccname,
+        "FILE:/opt/dcelocal/var/security/creds/dcecred_%8.8x", 
+        pag);
+      esetenv("KRB5CCNAME",ccname,1);
+      execl("/bin/csh","csh",0);
+    }
+    else {
+      fprintf(stderr," Not a good pag value\n");
+    }
+  }
+}
diff --git a/crypto/heimdal/appl/ftp/ChangeLog b/crypto/heimdal/appl/ftp/ChangeLog
new file mode 100644
index 0000000..226902f
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ChangeLog
@@ -0,0 +1,594 @@
+2001-04-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (do_store): call closefunc before claiming that
+	everything went ok, if the close fails the file might not have
+	been stored properly
+
+2001-03-26  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c, ftpd/popen.c: always use GLOB_LIMIT
+	* ftpd/popen.c (ftpd_popen): use GLOB_LIMIT if defined
+	* ftpd/ftpd.c (send_file_list): use GLOB_LIMIT if defined
+
+2001-02-15  Assar Westerlund  <assar@sics.se>
+
+	* ftp/cmds.c (setpeer): handle both service names and port numbers
+	for the second optional argument.  also make parsing more robust
+
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c (sec_end): only clean app_data if there is any
+	(*): do realloc consistently
+
+2001-02-05  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/popen.c (ftpd_popen): avoid overwriting the bounds of argv
+	and gargv
+
+2001-01-30  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/gss_userok.c: use gss_krb5_copy_ccache
+
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/Makefile.am: move up LIB_otp so we do not end up picking
+ 	one from /usr/athena
+
+2001-01-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ls.c: fix bug in previous; make it easier to build test
+	version
+
+2001-01-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ls.c (lstat_file): handle case where file lives in `/'
+
+2001-01-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (pasv): close already open passive port
+
+2000-12-14  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ls.c: reverse time and size sort order (pointed out by
+	tege)
+
+2000-12-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: make it possible to set list of good filename
+	characters from command line
+
+2000-12-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: some spec-violating mirror software assumes that
+	you can do things like `LIST -CF'; don't pass `--' to ls so this
+	actually works
+
+	* ftpd/ls.c: implement -1CFx flags
+
+2000-12-08  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/gss_userok.c (gss_userok): handle getpwnam failing
+	* ftp/gssapi.c (gss_auth): be more explicit in error message
+
+2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.8: close list
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* ftp/main.c: add `-l' for no line-editing
+	* ftp/globals.c (readline): add
+	* ftp/ftp_var.h (lineedit): add variable indicated if we should
+	use readline
+
+2000-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftp/security.c (sec_read): fix bug in previous (from Jacques A.
+	Vidrine <n@nectar.com>)
+
+2000-11-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpcmd.y: only allow pasv if logged in
+
+2000-10-23  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: change bad filename message slightly
+
+	* common/buffer.c: HAVE_ST_BLKSIZE -> HAVE_STRUCT_STAT_ST_BLKSIZE
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (*): check that fds are not too large to select on
+	* ftp/main.c (cmdscanner): print a newline upon EOF
+
+2000-09-19  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.h: add some attributes to prototypes of sec*
+	* ftp/extern.h (command): add attributes
+
+2000-08-31  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: change redundant password message to something
+	people can understand
+
+2000-07-27  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/gss_userok.c (gss_userok): only do AFS iff KRB4
+	* ftpd/ftpd.c (krb5_verify): only do AFS stuff if KRB4
+
+2000-07-07  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c: do not call setproctitle with a variable as the
+	format string
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd_locl.h: krb5.h before kafs.h
+	* ftpd/ftpd.c (krb5_verify): static-ize
+	* ftpd/ftpd.c (krb5_verify): conditionalize on KRB5
+
+2000-06-21  Assar Westerlund  <assar@sics.se>
+
+	* ftpd: support for authenticating passwords with krb5, by Daniel
+	Kouril <kouril@ics.muni.cz>
+
+2000-06-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpcmd.y: change unix test to be negative
+	
+2000-05-18  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (args): should use `debug'.  From Onno van der
+	Linden <onno@simplex.nl>.
+
+2000-04-25  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (login): re-structure code so that we prompt for
+	password for ftp/anonymous
+
+2000-04-11  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (login): initialize tmp before calling fgets
+
+2000-04-02  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c: rename all st_mtime variables to avoid conflict with
+	#define.
+	* ftpd/ftpcmd.y: rename all st_mtime variables to avoid conflict
+	with #define.
+	* ftp/cmds.c: rename all st_mtime variables to avoid conflict with
+	#define.
+
+2000-03-26  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c, ftpd/ftpcmd.y, ftp/cmds.c: make sure to always call
+	time, ctime, and gmtime with `time_t's.  there were some types
+	(like in lastlog) that we believed to always be time_t.  this has
+	proven wrong on Solaris 8 in 64-bit mode, where they are stored as
+	32-bit quantities but time_t has gone up to 64 bits
+
+2000-03-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* call list_file for broken usages of nlst too
+
+	* ftpd/ftpd.c: call list_file for broken usages of nlst too
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c (sec_read): more paranoia with return value from
+	sec_get_data
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (hookup): handle ai_canonname being set in any of the
+	addresses returnedby getaddrinfo.  glibc apparently returns the
+	reverse lookup of every address in ai_canonname.
+	* ftp/ruserpass.c (guess_domain): dito
+
+1999-12-21  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c: don't use sa_len as a parameter, it's defined on
+ 	Irix
+
+1999-12-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (dataconn): make sure from points to actual data
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ruserpass.c (guess_domain): handle ai_canonname not being
+	set
+	* ftp/ftp.c (hookup): handle ai_canonname not being set
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* ftp/krb4.c (krb4_auth): the nat-IP address might not be realm
+	bounded.
+
+1999-12-05  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (dolog): update prototype
+	* ftpd/ftpd.c (dolog): use getnameinfo_verified
+	* ftpd/ftpd.c: replace inaddr2str by getnameinfo
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ruserpass.c (guess_domain): re-write to use getaddrinfo
+	* ftp/ftp.c (hookup): re-write to use getaddrinfo
+	
+1999-11-30  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (getdatasock): make sure to keep the port-number of
+ 	the outgoing connections.  It has to be `ftp-data' or some people
+ 	might get upset.
+
+	* ftpd/ftpd.c (args): set correct variable when `-l' so that
+ 	logging actually works
+
+1999-11-29  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c (sec_login): check return value from realloc
+	(sec_end): set app_data to NULL
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* ftp/krb4.c (krb4_auth): obtain the `local' address when doing
+	NAT.  also turn on passive mode.  From <thn@stacken.kth.se>
+
+1999-11-20  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (make_fileinfo): cast to allow for non-const
+ 	prototypes of readlink
+
+1999-11-12  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (args): use arg_counter for `l'
+	
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (S_ISSOCK, S_ISLNK): fallback definitions for systems
+ 	that don't have them (such as ultrix)
+
+1999-10-29  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (make_fileinfo): cast uid's and gid's to unsigned in
+ 	printf, we don't know what types they might be.
+	(lstat_file): conditionalize the kafs part on KRB4
+
+	* ftpd/ftpd_locl.h: <sys/ioccom.h> is needed for kafs.h
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (lstat_file): don't set st_mode, it should already be
+ 	correct
+
+	* ftpd/ls.c: don't use warnx to print errors
+
+	* ftpd/ls.c (builtin_ls): fix typo, 'd' shouldn't imply 'f'
+
+	* ftpd/ls.c (lstat_file): new function for avoiding stating AFS
+ 	mount points.  From Love <lha@s3.kth.se>
+	(list_files): use `lstat_file'
+
+	* ftpd/ftpd.c: some const-poisoning
+
+	* ftpd/ftpd.c (args): add `-B' as an alias for `--builtin-ls' to
+ 	allow for stupid inetds that only support two arguments.  From
+ 	Love <lha@s3.kth.se>
+
+1999-10-26  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y (help): it's unnecessary to interpret help strings
+ 	as printf commands
+
+	* ftpd/ftpd.c (show_issue): don't interpret contents of
+ 	/etc/issue* as printf commands.  From Brian A May
+ 	<bmay@dgs.monash.edu.au>
+
+1999-10-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/kauth.c (kauth): complain if protection level isn't
+	`private'
+
+	* ftp/krb4.c (krb4_decode): syslog failure reason
+
+	* ftp/kauth.c (kauth): set private level earlier
+
+	* ftp/security.c: get_command_prot; (sec_prot): partially match
+	`command' and `data'
+
+1999-10-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: change `-l' flag to use arg_collect (this makes
+	`-ll' work again)
+
+	* ftpd/ftpd.c (list_file): pass filename to ls
+
+1999-10-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpcmd.y: FEAT
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c: fall-back definitions for constans and casts for
+ 	printfs
+
+1999-10-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (main): make this use getarg; add `list_file'
+
+	* ftpd/ftpcmd.y (LIST): call list_file
+
+	* ftpd/ls.c: add simple built-in ls
+
+	* ftp/security.c: add `sec_vfprintf2' and `sec_fprintf2' that
+	prints to the data stream
+
+	* ftp/kauth.c (kauth): make sure we're using private protection
+	level
+
+	* ftp/security.c (set_command_prot): set command protection level
+
+	* ftp/security.c: make it possible to set the command protection
+	level with `prot'
+
+1999-09-30  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd_locl.h: add prototype for fclose to make sunos happy
+
+1999-08-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (do_login): show issue-file
+	(send_data): change handling of zero-byte files
+
+1999-08-18  Assar Westerlund  <assar@sics.se>
+
+	* ftp/cmds.c (getit): be more suspicious when parsing the result
+ 	of MDTM.  Do the comparison of timestamps correctly.
+
+1999-08-13  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (send_data): avoid calling mmap with `len == 0'.
+  	Some mmap:s rather dislike that (Solaris) and some munmap (Linux)
+ 	get grumpy later.
+
+	* ftp/ftp.c (copy_stream): avoid calling mmap with `len == 0'.
+  	Some mmap:s rather dislike that (Solaris) and some munmap (Linux)
+ 	get grumpy later.
+
+1999-08-03  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (active_mode): hide failure of EPRT by setting verbose
+
+	* ftp/gssapi.c (gss_auth): initialize application_data in bindings
+
+1999-08-02  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y: save file names when doing commands that might
+ 	get aborted (and longjmp:ed out of) to avoid overwriting them also
+ 	remove extra closing brace
+
+1999-08-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpcmd.y: change `site find' to `site locate' (to match
+	what it does, and other implementations) keep find as an alias
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* common/socket.c: moved to roken
+
+	* common/socket.c: new file with generic socket functions
+
+	* ftpd/ftpd.c: make it more AF-neutral and v6-capable
+
+	* ftpd/ftpcmd.y: add EPRT and EPSV
+
+	* ftpd/extern.h: update prototypes and variables
+
+	* ftp/krb4.c: update to new types of addresses
+
+	* ftp/gssapi.c: add support for both AF_INET and AF_INET6
+ 	addresses
+
+	* ftp/ftp.c: make it more AF-neutral and v6-capable
+
+	* ftp/extern.h (hookup): change prototype
+
+	* common/common.h: add prototypes for functions in socket.c
+
+	* common/Makefile.am (libcommon_a_SOURCES): add socket.c
+
+	* ftp/gssapi.c (gss_auth): check return value from
+ 	`gss_import_name' and print error messages if it fails
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* ftp/krb4.c (krb4_auth): type correctness
+
+1999-06-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftp/ftp.c (sendrequest): lmode != rmode
+	
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* ftp/extern.h (sendrequest): update prototype
+
+	* ftp/cmds.c: update calls to sendrequest and recvrequest to send
+ 	"b" when appropriate
+
+	* ftp/ftp.c (sendrequest): add argument for mode to open file in.
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y: rename getline -> ftpd_getline
+
+	* ftp/main.c (makeargv): fill in unused slots with NULL
+
+Thu Apr  8 15:06:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/ftpd.c: remove definition of KRB_VERIFY_USER (moved to
+ 	config.h)
+
+Wed Apr  7 16:15:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftp/gssapi.c (gss_auth): call gss_display_status to get a sane
+ 	error message; return AUTH_{CONTINUE,ERROR}, where appropriate
+
+	* ftp/krb4.c: return AUTH_{CONTINUE,ERROR}, where appropriate
+
+	* ftp/security.c (sec_login): if mechanism returns AUTH_CONTINUE,
+ 	just continue with the next mechanism, this fixes the case of
+ 	having GSSAPI fail because of non-existant of expired tickets
+
+	* ftp/security.h: add AUTH_{OK,CONTINUE,ERROR}
+
+Thu Apr  1 16:59:04 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/Makefile.am: don't run check-local
+
+	* ftp/Makefile.am: don't run check-local
+
+Mon Mar 22 22:15:18 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (pass): fall-back for KRB_VERIFY_SECURE
+
+	* ftpd/ftpd.c (pass): 1 -> KRB_VERIFY_SECURE
+
+Thu Mar 18 12:07:09 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/Makefile.am: clean ftpcmd.c
+
+	* ftpd/ftpd_locl.h: remove krb5.h (breaks in ftpcmd.y)
+
+	* ftpd/ftpd.c: move include of krb5.h here
+
+	* ftpd/Makefile.am: include Makefile.am.common
+
+	* Makefile.am: include Makefile.am.common
+
+	* ftp/Makefile.am: include Makefile.am.common
+
+	* common/Makefile.am: include Makefile.am.common
+
+Tue Mar 16 22:28:37 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd_locl.h: add krb5.h to get heimdal_version
+
+	* ftpd/ftpd.c: krb_verify_user_multiple -> krb_verify_user
+
+Thu Mar 11 14:54:59 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftp/Makefile.in: WFLAGS
+
+	* ftp/ruserpass.c: add some if-braces
+
+Wed Mar 10 20:02:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/ftpd_locl.h: remove ifdef HAVE_FNMATCH
+
+Mon Mar  8 21:29:24 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/ftpd.c: re-add version in greeting message
+
+Mon Mar  1 10:49:38 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/logwtmp.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+Mon Feb 22 19:20:51 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* common/Makefile.in: remove glob
+
+Sat Feb 13 17:19:35 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (match): remove #ifdef HAVE_FNMATCH.  We have a
+ 	fnmatch implementation in roken and therefore always have it.
+
+	* ftp/ftp.c (copy_stream): initialize `werr'
+
+Wed Jan 13 23:52:57 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y: moved all check_login and check_login_no_guest to
+ 	the end of the rules to ensure we don't generate several
+ 	(independent) error messages.  once again, having a yacc-grammar
+ 	for FTP with embedded actions doesn't strike me as the most
+ 	optimal way of doing it.
+
+Tue Dec  1 14:44:29 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/Makefile.am: link with extra libs for aix
+
+Sun Nov 22 10:28:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (retrying): support on-the-fly decompression
+
+	* ftpd/Makefile.in (WFLAGS): set
+
+	* ftp/ruserpass.c (guess_domain): new function
+	(ruserpass): use it
+
+	* common/Makefile.in (WFLAGS): set
+
+	* Makefile.in (WFLAGS): set
+
+Sat Nov 21 23:13:03 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c: some more type correctness.
+
+	* ftp/gssapi.c (gss_adat): more braces to shut up warnings
+
+Wed Nov 18 21:47:55 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/main.c (main): new option `-p' for enable passive mode.
+
+Mon Nov  2 01:57:49 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (getreply): remove extra `break'
+
+	* ftp/gssapi.c (gss_auth): fixo typo(copyo?)
+
+	* ftp/security.c (sec_login): fix loop and return value
+
+Tue Sep  1 16:56:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/cmds.c (quote1): fix % quoting bug
+
+Fri Aug 14 17:10:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/krb4.c: krb_put_int -> KRB_PUT_INT
+
+Tue Jun 30 18:07:15 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c (auth): free `app_data'
+	(sec_end): only destroy if it was initialized
+
+Tue Jun  9 21:01:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/krb4.c: pass client address to krb_rd_req
+
+Sat May 16 00:02:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/Makefile.am: link with DBLIB
+
+Tue May 12 14:15:32 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/gssapi.c: Save client name for userok().
+
+	* ftpd/gss_userok.c: Userok for gssapi.
+
+Fri May  1 07:15:01 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c: unifdef -DHAVE_H_ERRNO
+
+Fri Mar 27 00:46:07 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Make compile w/o krb4.
+
+Thu Mar 26 03:49:12 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/*, ftpd/*: Changes for new framework.
+
+	* ftp/gssapi.c: GSS-API backend for the new security framework.
+
+	* ftp/krb4.c: Updated for new framework.
+
+	* ftp/security.{c,h}: New unified security framework.
diff --git a/crypto/heimdal/appl/ftp/Makefile.am b/crypto/heimdal/appl/ftp/Makefile.am
new file mode 100644
index 0000000..f8831a3
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/Makefile.am
@@ -0,0 +1,5 @@
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = common ftp ftpd
diff --git a/crypto/heimdal/appl/ftp/Makefile.in b/crypto/heimdal/appl/ftp/Makefile.in
new file mode 100644
index 0000000..d704ee8
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/Makefile.in
@@ -0,0 +1,553 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+SUBDIRS = common ftp ftpd
+subdir = appl/ftp
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+DIST_SUBDIRS =  $(SUBDIRS)
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	for subdir in $(SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/common/Makefile.am b/crypto/heimdal/appl/ftp/common/Makefile.am
new file mode 100644
index 0000000..4fab07b
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/common/Makefile.am
@@ -0,0 +1,12 @@
+# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) 
+
+noinst_LIBRARIES = libcommon.a
+
+libcommon_a_SOURCES = \
+	sockbuf.c \
+	buffer.c \
+	common.h
diff --git a/crypto/heimdal/appl/ftp/common/Makefile.in b/crypto/heimdal/appl/ftp/common/Makefile.in
new file mode 100644
index 0000000..525c6bd
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/common/Makefile.in
@@ -0,0 +1,550 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) 
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_LIBRARIES = libcommon.a
+
+libcommon_a_SOURCES = \
+	sockbuf.c \
+	buffer.c \
+	common.h
+
+subdir = appl/ftp/common
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+LIBRARIES =  $(noinst_LIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libcommon_a_AR = $(AR) cru
+libcommon_a_LIBADD = 
+am_libcommon_a_OBJECTS =  sockbuf.$(OBJEXT) buffer.$(OBJEXT)
+libcommon_a_OBJECTS =  $(am_libcommon_a_OBJECTS)
+AR = ar
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libcommon_a_SOURCES)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libcommon_a_SOURCES)
+OBJECTS = $(am_libcommon_a_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/common/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-noinstLIBRARIES:
+
+clean-noinstLIBRARIES:
+	-test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES)
+
+distclean-noinstLIBRARIES:
+
+maintainer-clean-noinstLIBRARIES:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libcommon.a: $(libcommon_a_OBJECTS) $(libcommon_a_DEPENDENCIES)
+	-rm -f libcommon.a
+	$(libcommon_a_AR) libcommon.a $(libcommon_a_OBJECTS) $(libcommon_a_LIBADD)
+	$(RANLIB) libcommon.a
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile $(LIBRARIES) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-noinstLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-noinstLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-noinstLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-noinstLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-noinstLIBRARIES distclean-noinstLIBRARIES \
+clean-noinstLIBRARIES maintainer-clean-noinstLIBRARIES \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/common/buffer.c b/crypto/heimdal/appl/ftp/common/buffer.c
new file mode 100644
index 0000000..ba7773b
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/common/buffer.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "common.h"
+#include <stdio.h>
+#include <err.h>
+#include "roken.h"
+
+RCSID("$Id: buffer.c,v 1.4 2000/10/23 04:49:25 joda Exp $");
+
+/*
+ * Allocate a buffer enough to handle st->st_blksize, if
+ * there is such a field, otherwise BUFSIZ.
+ */
+
+void *
+alloc_buffer (void *oldbuf, size_t *sz, struct stat *st)
+{
+    size_t new_sz;
+
+    new_sz = BUFSIZ;
+#ifdef HAVE_STRUCT_STAT_ST_BLKSIZE
+    if (st)
+	new_sz = max(BUFSIZ, st->st_blksize);
+#endif
+    if(new_sz > *sz) {
+	if (oldbuf)
+	    free (oldbuf);
+	oldbuf = malloc (new_sz);
+	if (oldbuf == NULL) {
+	    warn ("malloc");
+	    *sz = 0;
+	    return NULL;
+	}
+	*sz = new_sz;
+    }
+    return oldbuf;
+}
+
diff --git a/crypto/heimdal/appl/ftp/common/common.h b/crypto/heimdal/appl/ftp/common/common.h
new file mode 100644
index 0000000..5949b25
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/common/common.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: common.h,v 1.12 1999/12/02 16:58:29 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifndef __COMMON_H__
+#define __COMMON_H__
+
+#include "base64.h"
+
+void set_buffer_size(int, int);
+
+#include <stdlib.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+void *alloc_buffer (void *oldbuf, size_t *sz, struct stat *st);
+
+#endif /* __COMMON_H__ */
diff --git a/crypto/heimdal/appl/ftp/common/sockbuf.c b/crypto/heimdal/appl/ftp/common/sockbuf.c
new file mode 100644
index 0000000..460cc6f
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/common/sockbuf.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "common.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+RCSID("$Id: sockbuf.c,v 1.3 1999/12/02 16:58:29 joda Exp $");
+
+void
+set_buffer_size(int fd, int read)
+{
+#if defined(SO_RCVBUF) && defined(SO_SNDBUF) && defined(HAVE_SETSOCKOPT)
+    size_t size = 4194304;
+    while(size >= 131072 && 
+	  setsockopt(fd, SOL_SOCKET, read ? SO_RCVBUF : SO_SNDBUF, 
+		     (void *)&size, sizeof(size)) < 0)
+	size /= 2;
+#endif
+}
+
+
diff --git a/crypto/heimdal/appl/ftp/ftp/Makefile.am b/crypto/heimdal/appl/ftp/ftp/Makefile.am
new file mode 100644
index 0000000..9a77c0b
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/Makefile.am
@@ -0,0 +1,46 @@
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:07 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4)
+
+bin_PROGRAMS = ftp
+
+CHECK_LOCAL = 
+
+if KRB4
+krb4_sources = krb4.c kauth.c
+endif
+if KRB5
+krb5_sources = gssapi.c
+endif
+
+ftp_SOURCES = \
+	cmds.c \
+	cmdtab.c \
+	extern.h \
+	ftp.c \
+	ftp_locl.h \
+	ftp_var.h \
+	main.c \
+	pathnames.h \
+	ruserpass.c \
+	domacro.c \
+	globals.c \
+	security.c \
+	security.h \
+	$(krb4_sources) \
+	$(krb5_sources)
+
+EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c
+
+man_MANS = ftp.1
+
+LDADD = \
+	../common/libcommon.a \
+	$(LIB_gssapi) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(LIB_readline)
diff --git a/crypto/heimdal/appl/ftp/ftp/Makefile.in b/crypto/heimdal/appl/ftp/ftp/Makefile.in
new file mode 100644
index 0000000..1986d3e
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/Makefile.in
@@ -0,0 +1,663 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:07 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = 
+
+bin_PROGRAMS = ftp
+
+@KRB4_TRUE@krb4_sources = @KRB4_TRUE@krb4.c kauth.c
+@KRB5_TRUE@krb5_sources = @KRB5_TRUE@gssapi.c
+
+ftp_SOURCES = \
+	cmds.c \
+	cmdtab.c \
+	extern.h \
+	ftp.c \
+	ftp_locl.h \
+	ftp_var.h \
+	main.c \
+	pathnames.h \
+	ruserpass.c \
+	domacro.c \
+	globals.c \
+	security.c \
+	security.h \
+	$(krb4_sources) \
+	$(krb5_sources)
+
+
+EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c
+
+man_MANS = ftp.1
+
+LDADD = \
+	../common/libcommon.a \
+	$(LIB_gssapi) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(LIB_readline)
+
+subdir = appl/ftp/ftp
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  ftp$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+@KRB4_FALSE@@KRB5_FALSE@am_ftp_OBJECTS =  cmds.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@cmdtab.$(OBJEXT) ftp.$(OBJEXT) main.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@ruserpass.$(OBJEXT) domacro.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@globals.$(OBJEXT) security.$(OBJEXT)
+@KRB4_FALSE@@KRB5_TRUE@am_ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@ftp.$(OBJEXT) main.$(OBJEXT) ruserpass.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@domacro.$(OBJEXT) globals.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@security.$(OBJEXT) gssapi.$(OBJEXT)
+@KRB4_TRUE@@KRB5_FALSE@am_ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@ftp.$(OBJEXT) main.$(OBJEXT) ruserpass.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@domacro.$(OBJEXT) globals.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@security.$(OBJEXT) krb4.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@kauth.$(OBJEXT)
+@KRB4_TRUE@@KRB5_TRUE@am_ftp_OBJECTS =  cmds.$(OBJEXT) cmdtab.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@ftp.$(OBJEXT) main.$(OBJEXT) ruserpass.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@domacro.$(OBJEXT) globals.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@security.$(OBJEXT) krb4.$(OBJEXT) kauth.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@gssapi.$(OBJEXT)
+ftp_OBJECTS =  $(am_ftp_OBJECTS)
+ftp_LDADD = $(LDADD)
+@KRB5_FALSE@ftp_DEPENDENCIES =  ../common/libcommon.a
+@KRB5_TRUE@ftp_DEPENDENCIES =  ../common/libcommon.a \
+@KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la \
+@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+ftp_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(ftp_SOURCES) $(EXTRA_ftp_SOURCES)
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(ftp_SOURCES) $(EXTRA_ftp_SOURCES)
+OBJECTS = $(am_ftp_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/ftp/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+ftp$(EXEEXT): $(ftp_OBJECTS) $(ftp_DEPENDENCIES)
+	@rm -f ftp$(EXEEXT)
+	$(LINK) $(ftp_LDFLAGS) $(ftp_OBJECTS) $(ftp_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man uninstall-man tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/ftp/cmds.c b/crypto/heimdal/appl/ftp/ftp/cmds.c
new file mode 100644
index 0000000..3f1933e
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/cmds.c
@@ -0,0 +1,2127 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * FTP User Program -- Command Routines.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: cmds.c,v 1.42 2001/02/15 04:17:09 assar Exp $");
+
+typedef void (*sighand)(int);
+
+jmp_buf	jabort;
+char   *mname;
+char   *home = "/";
+
+/*
+ * `Another' gets another argument, and stores the new argc and argv.
+ * It reverts to the top level (via main.c's intr()) on EOF/error.
+ *
+ * Returns false if no new arguments have been added.
+ */
+int
+another(int *pargc, char ***pargv, char *prompt)
+{
+	int len = strlen(line), ret;
+
+	if (len >= sizeof(line) - 3) {
+		printf("sorry, arguments too long\n");
+		intr(0);
+	}
+	printf("(%s) ", prompt);
+	line[len++] = ' ';
+	if (fgets(&line[len], sizeof(line) - len, stdin) == NULL)
+		intr(0);
+	len += strlen(&line[len]);
+	if (len > 0 && line[len - 1] == '\n')
+		line[len - 1] = '\0';
+	makeargv();
+	ret = margc > *pargc;
+	*pargc = margc;
+	*pargv = margv;
+	return (ret);
+}
+
+/*
+ * Connect to peer server and
+ * auto-login, if possible.
+ */
+void
+setpeer(int argc, char **argv)
+{
+	char *host;
+	u_short port;
+	struct servent *sp;
+
+	if (connected) {
+		printf("Already connected to %s, use close first.\n",
+			hostname);
+		code = -1;
+		return;
+	}
+	if (argc < 2)
+		another(&argc, &argv, "to");
+	if (argc < 2 || argc > 3) {
+		printf("usage: %s host-name [port]\n", argv[0]);
+		code = -1;
+		return;
+	}
+	sp = getservbyname("ftp", "tcp");
+	if (sp == NULL)
+		errx(1, "You bastard. You removed ftp/tcp from services");
+	port = sp->s_port;
+	if (argc > 2) {
+		sp = getservbyname(argv[2], "tcp");
+		if (sp != NULL) {
+			port = sp->s_port;
+		} else {
+			char *ep;
+
+			port = strtol(argv[2], &ep, 0);
+			if (argv[2] == ep) {
+				printf("%s: bad port number-- %s\n",
+				       argv[1], argv[2]);
+				printf ("usage: %s host-name [port]\n",
+					argv[0]);
+				code = -1;
+				return;
+			}
+			port = htons(port);
+		}
+	}
+	host = hookup(argv[1], port);
+	if (host) {
+		int overbose;
+
+		connected = 1;
+		/*
+		 * Set up defaults for FTP.
+		 */
+		strlcpy(typename, "ascii", sizeof(typename));
+		type = TYPE_A;
+		curtype = TYPE_A;
+		strlcpy(formname, "non-print", sizeof(formname));
+		form = FORM_N;
+		strlcpy(modename, "stream", sizeof(modename));
+		mode = MODE_S;
+		strlcpy(structname, "file", sizeof(structname));
+		stru = STRU_F;
+		strlcpy(bytename, "8", sizeof(bytename));
+		bytesize = 8;
+		if (autologin)
+			login(argv[1]);
+
+#if (defined(unix) || defined(__unix__) || defined(__unix) || defined(_AIX) || defined(_CRAY)) && NBBY == 8
+/*
+ * this ifdef is to keep someone form "porting" this to an incompatible
+ * system and not checking this out. This way they have to think about it.
+ */
+		overbose = verbose;
+		if (debug == 0)
+			verbose = -1;
+		if (command("SYST") == COMPLETE && overbose) {
+			char *cp, c;
+			cp = strchr(reply_string+4, ' ');
+			if (cp == NULL)
+				cp = strchr(reply_string+4, '\r');
+			if (cp) {
+				if (cp[-1] == '.')
+					cp--;
+				c = *cp;
+				*cp = '\0';
+			}
+
+			printf("Remote system type is %s.\n",
+				reply_string+4);
+			if (cp)
+				*cp = c;
+		}
+		if (!strncmp(reply_string, "215 UNIX Type: L8", 17)) {
+			if (proxy)
+				unix_proxy = 1;
+			else
+				unix_server = 1;
+			/*
+			 * Set type to 0 (not specified by user),
+			 * meaning binary by default, but don't bother
+			 * telling server.  We can use binary
+			 * for text files unless changed by the user.
+			 */
+			type = 0;
+			strlcpy(typename, "binary", sizeof(typename));
+			if (overbose)
+			    printf("Using %s mode to transfer files.\n",
+				typename);
+		} else {
+			if (proxy)
+				unix_proxy = 0;
+			else
+				unix_server = 0;
+			if (overbose && 
+			    !strncmp(reply_string, "215 TOPS20", 10))
+				printf(
+"Remember to set tenex mode when transfering binary files from this machine.\n");
+		}
+		verbose = overbose;
+#endif /* unix */
+	}
+}
+
+struct	types {
+	char	*t_name;
+	char	*t_mode;
+	int	t_type;
+	char	*t_arg;
+} types[] = {
+	{ "ascii",	"A",	TYPE_A,	0 },
+	{ "binary",	"I",	TYPE_I,	0 },
+	{ "image",	"I",	TYPE_I,	0 },
+	{ "ebcdic",	"E",	TYPE_E,	0 },
+	{ "tenex",	"L",	TYPE_L,	bytename },
+	{ NULL }
+};
+
+/*
+ * Set transfer type.
+ */
+void
+settype(int argc, char **argv)
+{
+	struct types *p;
+	int comret;
+
+	if (argc > 2) {
+		char *sep;
+
+		printf("usage: %s [", argv[0]);
+		sep = " ";
+		for (p = types; p->t_name; p++) {
+			printf("%s%s", sep, p->t_name);
+			sep = " | ";
+		}
+		printf(" ]\n");
+		code = -1;
+		return;
+	}
+	if (argc < 2) {
+		printf("Using %s mode to transfer files.\n", typename);
+		code = 0;
+		return;
+	}
+	for (p = types; p->t_name; p++)
+		if (strcmp(argv[1], p->t_name) == 0)
+			break;
+	if (p->t_name == 0) {
+		printf("%s: unknown mode\n", argv[1]);
+		code = -1;
+		return;
+	}
+	if ((p->t_arg != NULL) && (*(p->t_arg) != '\0'))
+		comret = command ("TYPE %s %s", p->t_mode, p->t_arg);
+	else
+		comret = command("TYPE %s", p->t_mode);
+	if (comret == COMPLETE) {
+		strlcpy(typename, p->t_name, sizeof(typename));
+		curtype = type = p->t_type;
+	}
+}
+
+/*
+ * Internal form of settype; changes current type in use with server
+ * without changing our notion of the type for data transfers.
+ * Used to change to and from ascii for listings.
+ */
+void
+changetype(int newtype, int show)
+{
+	struct types *p;
+	int comret, oldverbose = verbose;
+
+	if (newtype == 0)
+		newtype = TYPE_I;
+	if (newtype == curtype)
+		return;
+	if (debug == 0 && show == 0)
+		verbose = 0;
+	for (p = types; p->t_name; p++)
+		if (newtype == p->t_type)
+			break;
+	if (p->t_name == 0) {
+		printf("ftp: internal error: unknown type %d\n", newtype);
+		return;
+	}
+	if (newtype == TYPE_L && bytename[0] != '\0')
+		comret = command("TYPE %s %s", p->t_mode, bytename);
+	else
+		comret = command("TYPE %s", p->t_mode);
+	if (comret == COMPLETE)
+		curtype = newtype;
+	verbose = oldverbose;
+}
+
+char *stype[] = {
+	"type",
+	"",
+	0
+};
+
+/*
+ * Set binary transfer type.
+ */
+/*VARARGS*/
+void
+setbinary(int argc, char **argv)
+{
+
+	stype[1] = "binary";
+	settype(2, stype);
+}
+
+/*
+ * Set ascii transfer type.
+ */
+/*VARARGS*/
+void
+setascii(int argc, char **argv)
+{
+
+	stype[1] = "ascii";
+	settype(2, stype);
+}
+
+/*
+ * Set tenex transfer type.
+ */
+/*VARARGS*/
+void
+settenex(int argc, char **argv)
+{
+
+	stype[1] = "tenex";
+	settype(2, stype);
+}
+
+/*
+ * Set file transfer mode.
+ */
+/*ARGSUSED*/
+void
+setftmode(int argc, char **argv)
+{
+
+	printf("We only support %s mode, sorry.\n", modename);
+	code = -1;
+}
+
+/*
+ * Set file transfer format.
+ */
+/*ARGSUSED*/
+void
+setform(int argc, char **argv)
+{
+
+	printf("We only support %s format, sorry.\n", formname);
+	code = -1;
+}
+
+/*
+ * Set file transfer structure.
+ */
+/*ARGSUSED*/
+void
+setstruct(int argc, char **argv)
+{
+
+	printf("We only support %s structure, sorry.\n", structname);
+	code = -1;
+}
+
+/*
+ * Send a single file.
+ */
+void
+put(int argc, char **argv)
+{
+	char *cmd;
+	int loc = 0;
+	char *oldargv1, *oldargv2;
+
+	if (argc == 2) {
+		argc++;
+		argv[2] = argv[1];
+		loc++;
+	}
+	if (argc < 2 && !another(&argc, &argv, "local-file"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "remote-file")) {
+usage:
+		printf("usage: %s local-file remote-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	oldargv1 = argv[1];
+	oldargv2 = argv[2];
+	if (!globulize(&argv[1])) {
+		code = -1;
+		return;
+	}
+	/*
+	 * If "globulize" modifies argv[1], and argv[2] is a copy of
+	 * the old argv[1], make it a copy of the new argv[1].
+	 */
+	if (argv[1] != oldargv1 && argv[2] == oldargv1) {
+		argv[2] = argv[1];
+	}
+	cmd = (argv[0][0] == 'a') ? "APPE" : ((sunique) ? "STOU" : "STOR");
+	if (loc && ntflag) {
+		argv[2] = dotrans(argv[2]);
+	}
+	if (loc && mapflag) {
+		argv[2] = domap(argv[2]);
+	}
+	sendrequest(cmd, argv[1], argv[2],
+		    curtype == TYPE_I ? "rb" : "r",
+		    argv[1] != oldargv1 || argv[2] != oldargv2);
+}
+
+/* ARGSUSED */
+static RETSIGTYPE
+mabort(int signo)
+{
+	int ointer;
+
+	printf("\n");
+	fflush(stdout);
+	if (mflag && fromatty) {
+		ointer = interactive;
+		interactive = 1;
+		if (confirm("Continue with", mname)) {
+			interactive = ointer;
+			longjmp(jabort,0);
+		}
+		interactive = ointer;
+	}
+	mflag = 0;
+	longjmp(jabort,0);
+}
+
+/*
+ * Send multiple files.
+ */
+void
+mput(int argc, char **argv)
+{
+    int i;
+    RETSIGTYPE (*oldintr)(int);
+    int ointer;
+    char *tp;
+
+    if (argc < 2 && !another(&argc, &argv, "local-files")) {
+	printf("usage: %s local-files\n", argv[0]);
+	code = -1;
+	return;
+    }
+    mname = argv[0];
+    mflag = 1;
+    oldintr = signal(SIGINT, mabort);
+    setjmp(jabort);
+    if (proxy) {
+	char *cp, *tp2, tmpbuf[MaxPathLen];
+
+	while ((cp = remglob(argv,0)) != NULL) {
+	    if (*cp == 0) {
+		mflag = 0;
+		continue;
+	    }
+	    if (mflag && confirm(argv[0], cp)) {
+		tp = cp;
+		if (mcase) {
+		    while (*tp && !islower(*tp)) {
+			tp++;
+		    }
+		    if (!*tp) {
+			tp = cp;
+			tp2 = tmpbuf;
+			while ((*tp2 = *tp) != '\0') {
+			    if (isupper(*tp2)) {
+				*tp2 = 'a' + *tp2 - 'A';
+			    }
+			    tp++;
+			    tp2++;
+			}
+		    }
+		    tp = tmpbuf;
+		}
+		if (ntflag) {
+		    tp = dotrans(tp);
+		}
+		if (mapflag) {
+		    tp = domap(tp);
+		}
+		sendrequest((sunique) ? "STOU" : "STOR",
+			    cp, tp,
+			    curtype == TYPE_I ? "rb" : "r",
+			    cp != tp || !interactive);
+		if (!mflag && fromatty) {
+		    ointer = interactive;
+		    interactive = 1;
+		    if (confirm("Continue with","mput")) {
+			mflag++;
+		    }
+		    interactive = ointer;
+		}
+	    }
+	}
+	signal(SIGINT, oldintr);
+	mflag = 0;
+	return;
+    }
+    for (i = 1; i < argc; i++) {
+	char **cpp;
+	glob_t gl;
+	int flags;
+
+	if (!doglob) {
+	    if (mflag && confirm(argv[0], argv[i])) {
+		tp = (ntflag) ? dotrans(argv[i]) : argv[i];
+		tp = (mapflag) ? domap(tp) : tp;
+		sendrequest((sunique) ? "STOU" : "STOR",
+			    argv[i],
+			    curtype == TYPE_I ? "rb" : "r",
+			    tp, tp != argv[i] || !interactive);
+		if (!mflag && fromatty) {
+		    ointer = interactive;
+		    interactive = 1;
+		    if (confirm("Continue with","mput")) {
+			mflag++;
+		    }
+		    interactive = ointer;
+		}
+	    }
+	    continue;
+	}
+
+	memset(&gl, 0, sizeof(gl));
+	flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+	if (glob(argv[i], flags, NULL, &gl) || gl.gl_pathc == 0) {
+	    warnx("%s: not found", argv[i]);
+	    globfree(&gl);
+	    continue;
+	}
+	for (cpp = gl.gl_pathv; cpp && *cpp != NULL; cpp++) {
+	    if (mflag && confirm(argv[0], *cpp)) {
+		tp = (ntflag) ? dotrans(*cpp) : *cpp;
+		tp = (mapflag) ? domap(tp) : tp;
+		sendrequest((sunique) ? "STOU" : "STOR",
+			    *cpp, tp,
+			    curtype == TYPE_I ? "rb" : "r",
+			    *cpp != tp || !interactive);
+		if (!mflag && fromatty) {
+		    ointer = interactive;
+		    interactive = 1;
+		    if (confirm("Continue with","mput")) {
+			mflag++;
+		    }
+		    interactive = ointer;
+		}
+	    }
+	}
+	globfree(&gl);
+    }
+    signal(SIGINT, oldintr);
+    mflag = 0;
+}
+
+void
+reget(int argc, char **argv)
+{
+    getit(argc, argv, 1, curtype == TYPE_I ? "r+wb" : "r+w");
+}
+
+void
+get(int argc, char **argv)
+{
+    char *mode;
+
+    if (restart_point) {
+	if (curtype == TYPE_I)
+	    mode = "r+wb";
+	else
+	    mode = "r+w";
+    } else {
+	if (curtype == TYPE_I)
+	    mode = "wb";
+	else
+	    mode = "w";
+    }
+
+    getit(argc, argv, 0, mode);
+}
+
+/*
+ * Receive one file.
+ */
+int
+getit(int argc, char **argv, int restartit, char *mode)
+{
+	int loc = 0;
+	int local_given = 1;
+	char *oldargv1, *oldargv2;
+
+	if (argc == 2) {
+		argc++;
+		local_given = 0;
+		argv[2] = argv[1];
+		loc++;
+	}
+	if ((argc < 2 && !another(&argc, &argv, "remote-file")) ||
+	    (argc < 3 && !another(&argc, &argv, "local-file"))) {
+		printf("usage: %s remote-file [ local-file ]\n", argv[0]);
+		code = -1;
+		return (0);
+	}
+	oldargv1 = argv[1];
+	oldargv2 = argv[2];
+	if (!globulize(&argv[2])) {
+		code = -1;
+		return (0);
+	}
+	if (loc && mcase) {
+		char *tp = argv[1], *tp2, tmpbuf[MaxPathLen];
+
+		while (*tp && !islower(*tp)) {
+			tp++;
+		}
+		if (!*tp) {
+			tp = argv[2];
+			tp2 = tmpbuf;
+			while ((*tp2 = *tp) != '\0') {
+				if (isupper(*tp2)) {
+					*tp2 = 'a' + *tp2 - 'A';
+				}
+				tp++;
+				tp2++;
+			}
+			argv[2] = tmpbuf;
+		}
+	}
+	if (loc && ntflag)
+		argv[2] = dotrans(argv[2]);
+	if (loc && mapflag)
+		argv[2] = domap(argv[2]);
+	if (restartit) {
+		struct stat stbuf;
+		int ret;
+
+		ret = stat(argv[2], &stbuf);
+		if (restartit == 1) {
+			if (ret < 0) {
+				warn("local: %s", argv[2]);
+				return (0);
+			}
+			restart_point = stbuf.st_size;
+		} else if (ret == 0) {
+			int overbose;
+			int cmdret;
+			int yy, mo, day, hour, min, sec;
+			struct tm *tm;
+			time_t mtime = stbuf.st_mtime;
+
+			overbose = verbose;
+			if (debug == 0)
+				verbose = -1;
+			cmdret = command("MDTM %s", argv[1]);
+			verbose = overbose;
+			if (cmdret != COMPLETE) {
+				printf("%s\n", reply_string);
+				return (0);
+			}
+			if (sscanf(reply_string,
+				   "%*s %04d%02d%02d%02d%02d%02d",
+				   &yy, &mo, &day, &hour, &min, &sec)
+			    != 6) {
+				printf ("bad MDTM result\n");
+				return (0);
+			}
+
+			tm = gmtime(&mtime);
+			tm->tm_mon++;
+			tm->tm_year += 1900;
+
+			if ((tm->tm_year > yy) ||
+			    (tm->tm_year == yy && 
+			     tm->tm_mon > mo) ||
+			    (tm->tm_mon == mo && 
+			     tm->tm_mday > day) ||
+			    (tm->tm_mday == day && 
+			     tm->tm_hour > hour) ||
+			    (tm->tm_hour == hour && 
+			     tm->tm_min > min) ||
+			    (tm->tm_min == min && 
+			     tm->tm_sec > sec))
+				return (1);
+		}
+	}
+
+	recvrequest("RETR", argv[2], argv[1], mode,
+		    argv[1] != oldargv1 || argv[2] != oldargv2, local_given);
+	restart_point = 0;
+	return (0);
+}
+
+static int
+suspicious_filename(const char *fn)
+{
+    return strstr(fn, "../") != NULL || *fn == '/';
+}
+
+/*
+ * Get multiple files.
+ */
+void
+mget(int argc, char **argv)
+{
+	sighand oldintr;
+	int ch, ointer;
+	char *cp, *tp, *tp2, tmpbuf[MaxPathLen];
+
+	if (argc < 2 && !another(&argc, &argv, "remote-files")) {
+		printf("usage: %s remote-files\n", argv[0]);
+		code = -1;
+		return;
+	}
+	mname = argv[0];
+	mflag = 1;
+	oldintr = signal(SIGINT, mabort);
+	setjmp(jabort);
+	while ((cp = remglob(argv,proxy)) != NULL) {
+		if (*cp == '\0') {
+			mflag = 0;
+			continue;
+		}
+		if (mflag && suspicious_filename(cp))
+		    printf("*** Suspicious filename: %s\n", cp);
+		if (mflag && confirm(argv[0], cp)) {
+			tp = cp;
+			if (mcase) {
+				for (tp2 = tmpbuf; (ch = *tp++);)
+					*tp2++ = isupper(ch) ? tolower(ch) : ch;
+				*tp2 = '\0';
+				tp = tmpbuf;
+			}
+			if (ntflag) {
+				tp = dotrans(tp);
+			}
+			if (mapflag) {
+				tp = domap(tp);
+			}
+			recvrequest("RETR", tp, cp,
+				    curtype == TYPE_I ? "wb" : "w",
+				    tp != cp || !interactive, 0);
+			if (!mflag && fromatty) {
+				ointer = interactive;
+				interactive = 1;
+				if (confirm("Continue with","mget")) {
+					mflag++;
+				}
+				interactive = ointer;
+			}
+		}
+	}
+	signal(SIGINT,oldintr);
+	mflag = 0;
+}
+
+char *
+remglob(char **argv, int doswitch)
+{
+    char temp[16];
+    static char buf[MaxPathLen];
+    static FILE *ftemp = NULL;
+    static char **args;
+    int oldverbose, oldhash;
+    char *cp, *mode;
+
+    if (!mflag) {
+	if (!doglob) {
+	    args = NULL;
+	}
+	else {
+	    if (ftemp) {
+		fclose(ftemp);
+		ftemp = NULL;
+	    }
+	}
+	return (NULL);
+    }
+    if (!doglob) {
+	if (args == NULL)
+	    args = argv;
+	if ((cp = *++args) == NULL)
+	    args = NULL;
+	return (cp);
+    }
+    if (ftemp == NULL) {
+	int fd;
+	strlcpy(temp, _PATH_TMP_XXX, sizeof(temp));
+	fd = mkstemp(temp);
+	if(fd < 0){
+	    warn("unable to create temporary file %s", temp);
+	    return NULL;
+	}
+	close(fd);
+	oldverbose = verbose, verbose = 0;
+	oldhash = hash, hash = 0;
+	if (doswitch) {
+	    pswitch(!proxy);
+	}
+	for (mode = "w"; *++argv != NULL; mode = "a")
+	    recvrequest ("NLST", temp, *argv, mode, 0, 0);
+	if (doswitch) {
+	    pswitch(!proxy);
+	}
+	verbose = oldverbose; hash = oldhash;
+	ftemp = fopen(temp, "r");
+	unlink(temp);
+	if (ftemp == NULL) {
+	    printf("can't find list of remote files, oops\n");
+	    return (NULL);
+	}
+    }
+    while(fgets(buf, sizeof (buf), ftemp)) {
+	if ((cp = strchr(buf, '\n')) != NULL)
+	    *cp = '\0';
+	if(!interactive && suspicious_filename(buf)){
+	    printf("Ignoring remote globbed file `%s'\n", buf);
+	    continue;
+	}
+	return buf;
+    }
+    fclose(ftemp);
+    ftemp = NULL;
+    return (NULL);
+}
+
+char *
+onoff(int bool)
+{
+
+	return (bool ? "on" : "off");
+}
+
+/*
+ * Show status.
+ */
+/*ARGSUSED*/
+void
+status(int argc, char **argv)
+{
+	int i;
+
+	if (connected)
+		printf("Connected to %s.\n", hostname);
+	else
+		printf("Not connected.\n");
+	if (!proxy) {
+		pswitch(1);
+		if (connected) {
+			printf("Connected for proxy commands to %s.\n", hostname);
+		}
+		else {
+			printf("No proxy connection.\n");
+		}
+		pswitch(0);
+	}
+	sec_status();
+	printf("Mode: %s; Type: %s; Form: %s; Structure: %s\n",
+		modename, typename, formname, structname);
+	printf("Verbose: %s; Bell: %s; Prompting: %s; Globbing: %s\n", 
+		onoff(verbose), onoff(bell), onoff(interactive),
+		onoff(doglob));
+	printf("Store unique: %s; Receive unique: %s\n", onoff(sunique),
+		onoff(runique));
+	printf("Case: %s; CR stripping: %s\n",onoff(mcase),onoff(crflag));
+	if (ntflag) {
+		printf("Ntrans: (in) %s (out) %s\n", ntin,ntout);
+	}
+	else {
+		printf("Ntrans: off\n");
+	}
+	if (mapflag) {
+		printf("Nmap: (in) %s (out) %s\n", mapin, mapout);
+	}
+	else {
+		printf("Nmap: off\n");
+	}
+	printf("Hash mark printing: %s; Use of PORT cmds: %s\n",
+		onoff(hash), onoff(sendport));
+	if (macnum > 0) {
+		printf("Macros:\n");
+		for (i=0; i<macnum; i++) {
+			printf("\t%s\n",macros[i].mac_name);
+		}
+	}
+	code = 0;
+}
+
+/*
+ * Set beep on cmd completed mode.
+ */
+/*VARARGS*/
+void
+setbell(int argc, char **argv)
+{
+
+	bell = !bell;
+	printf("Bell mode %s.\n", onoff(bell));
+	code = bell;
+}
+
+/*
+ * Turn on packet tracing.
+ */
+/*VARARGS*/
+void
+settrace(int argc, char **argv)
+{
+
+	trace = !trace;
+	printf("Packet tracing %s.\n", onoff(trace));
+	code = trace;
+}
+
+/*
+ * Toggle hash mark printing during transfers.
+ */
+/*VARARGS*/
+void
+sethash(int argc, char **argv)
+{
+
+	hash = !hash;
+	printf("Hash mark printing %s", onoff(hash));
+	code = hash;
+	if (hash)
+		printf(" (%d bytes/hash mark)", 1024);
+	printf(".\n");
+}
+
+/*
+ * Turn on printing of server echo's.
+ */
+/*VARARGS*/
+void
+setverbose(int argc, char **argv)
+{
+
+	verbose = !verbose;
+	printf("Verbose mode %s.\n", onoff(verbose));
+	code = verbose;
+}
+
+/*
+ * Toggle PORT cmd use before each data connection.
+ */
+/*VARARGS*/
+void
+setport(int argc, char **argv)
+{
+
+	sendport = !sendport;
+	printf("Use of PORT cmds %s.\n", onoff(sendport));
+	code = sendport;
+}
+
+/*
+ * Turn on interactive prompting
+ * during mget, mput, and mdelete.
+ */
+/*VARARGS*/
+void
+setprompt(int argc, char **argv)
+{
+
+	interactive = !interactive;
+	printf("Interactive mode %s.\n", onoff(interactive));
+	code = interactive;
+}
+
+/*
+ * Toggle metacharacter interpretation
+ * on local file names.
+ */
+/*VARARGS*/
+void
+setglob(int argc, char **argv)
+{
+	
+	doglob = !doglob;
+	printf("Globbing %s.\n", onoff(doglob));
+	code = doglob;
+}
+
+/*
+ * Set debugging mode on/off and/or
+ * set level of debugging.
+ */
+/*VARARGS*/
+void
+setdebug(int argc, char **argv)
+{
+	int val;
+
+	if (argc > 1) {
+		val = atoi(argv[1]);
+		if (val < 0) {
+			printf("%s: bad debugging value.\n", argv[1]);
+			code = -1;
+			return;
+		}
+	} else
+		val = !debug;
+	debug = val;
+	if (debug)
+		options |= SO_DEBUG;
+	else
+		options &= ~SO_DEBUG;
+	printf("Debugging %s (debug=%d).\n", onoff(debug), debug);
+	code = debug > 0;
+}
+
+/*
+ * Set current working directory
+ * on remote machine.
+ */
+void
+cd(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "remote-directory")) {
+		printf("usage: %s remote-directory\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("CWD %s", argv[1]) == ERROR && code == 500) {
+		if (verbose)
+			printf("CWD command not recognized, trying XCWD\n");
+		command("XCWD %s", argv[1]);
+	}
+}
+
+/*
+ * Set current working directory
+ * on local machine.
+ */
+void
+lcd(int argc, char **argv)
+{
+	char buf[MaxPathLen];
+
+	if (argc < 2)
+		argc++, argv[1] = home;
+	if (argc != 2) {
+		printf("usage: %s local-directory\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (!globulize(&argv[1])) {
+		code = -1;
+		return;
+	}
+	if (chdir(argv[1]) < 0) {
+		warn("local: %s", argv[1]);
+		code = -1;
+		return;
+	}
+	if (getcwd(buf, sizeof(buf)) != NULL)
+		printf("Local directory now %s\n", buf);
+	else
+		warnx("getwd: %s", buf);
+	code = 0;
+}
+
+/*
+ * Delete a single file.
+ */
+void
+delete(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "remote-file")) {
+		printf("usage: %s remote-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	command("DELE %s", argv[1]);
+}
+
+/*
+ * Delete multiple files.
+ */
+void
+mdelete(int argc, char **argv)
+{
+    sighand oldintr;
+    int ointer;
+    char *cp;
+
+    if (argc < 2 && !another(&argc, &argv, "remote-files")) {
+	printf("usage: %s remote-files\n", argv[0]);
+	code = -1;
+	return;
+    }
+    mname = argv[0];
+    mflag = 1;
+    oldintr = signal(SIGINT, mabort);
+    setjmp(jabort);
+    while ((cp = remglob(argv,0)) != NULL) {
+	if (*cp == '\0') {
+	    mflag = 0;
+	    continue;
+	}
+	if (mflag && confirm(argv[0], cp)) {
+	    command("DELE %s", cp);
+	    if (!mflag && fromatty) {
+		ointer = interactive;
+		interactive = 1;
+		if (confirm("Continue with", "mdelete")) {
+		    mflag++;
+		}
+		interactive = ointer;
+	    }
+	}
+    }
+    signal(SIGINT, oldintr);
+    mflag = 0;
+}
+
+/*
+ * Rename a remote file.
+ */
+void
+renamefile(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "from-name"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "to-name")) {
+usage:
+		printf("%s from-name to-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("RNFR %s", argv[1]) == CONTINUE)
+		command("RNTO %s", argv[2]);
+}
+
+/*
+ * Get a directory listing
+ * of remote files.
+ */
+void
+ls(int argc, char **argv)
+{
+	char *cmd;
+
+	if (argc < 2)
+		argc++, argv[1] = NULL;
+	if (argc < 3)
+		argc++, argv[2] = "-";
+	if (argc > 3) {
+		printf("usage: %s remote-directory local-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	cmd = argv[0][0] == 'n' ? "NLST" : "LIST";
+	if (strcmp(argv[2], "-") && !globulize(&argv[2])) {
+		code = -1;
+		return;
+	}
+	if (strcmp(argv[2], "-") && *argv[2] != '|')
+	    if (!globulize(&argv[2]) || !confirm("output to local-file:", 
+						 argv[2])) {
+		code = -1;
+		return;
+	    }
+	recvrequest(cmd, argv[2], argv[1], "w", 0, 1);
+}
+
+/*
+ * Get a directory listing
+ * of multiple remote files.
+ */
+void
+mls(int argc, char **argv)
+{
+	sighand oldintr;
+	int ointer, i;
+	char *cmd, mode[1], *dest;
+
+	if (argc < 2 && !another(&argc, &argv, "remote-files"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "local-file")) {
+usage:
+		printf("usage: %s remote-files local-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	dest = argv[argc - 1];
+	argv[argc - 1] = NULL;
+	if (strcmp(dest, "-") && *dest != '|')
+		if (!globulize(&dest) ||
+		    !confirm("output to local-file:", dest)) {
+			code = -1;
+			return;
+	}
+	cmd = argv[0][1] == 'l' ? "NLST" : "LIST";
+	mname = argv[0];
+	mflag = 1;
+	oldintr = signal(SIGINT, mabort);
+	setjmp(jabort);
+	for (i = 1; mflag && i < argc-1; ++i) {
+		*mode = (i == 1) ? 'w' : 'a';
+		recvrequest(cmd, dest, argv[i], mode, 0, 1);
+		if (!mflag && fromatty) {
+			ointer = interactive;
+			interactive = 1;
+			if (confirm("Continue with", argv[0])) {
+				mflag ++;
+			}
+			interactive = ointer;
+		}
+	}
+	signal(SIGINT, oldintr);
+	mflag = 0;
+}
+
+/*
+ * Do a shell escape
+ */
+/*ARGSUSED*/
+void
+shell(int argc, char **argv)
+{
+	pid_t pid;
+	RETSIGTYPE (*old1)(int), (*old2)(int);
+	char shellnam[40], *shell, *namep; 
+	int status;
+
+	old1 = signal (SIGINT, SIG_IGN);
+	old2 = signal (SIGQUIT, SIG_IGN);
+	if ((pid = fork()) == 0) {
+		for (pid = 3; pid < 20; pid++)
+			close(pid);
+		signal(SIGINT, SIG_DFL);
+		signal(SIGQUIT, SIG_DFL);
+		shell = getenv("SHELL");
+		if (shell == NULL)
+			shell = _PATH_BSHELL;
+		namep = strrchr(shell,'/');
+		if (namep == NULL)
+			namep = shell;
+		snprintf (shellnam, sizeof(shellnam),
+			  "-%s", ++namep);
+		if (strcmp(namep, "sh") != 0)
+			shellnam[0] = '+';
+		if (debug) {
+			printf ("%s\n", shell);
+			fflush (stdout);
+		}
+		if (argc > 1) {
+			execl(shell,shellnam,"-c",altarg,(char *)0);
+		}
+		else {
+			execl(shell,shellnam,(char *)0);
+		}
+		warn("%s", shell);
+		code = -1;
+		exit(1);
+	}
+	if (pid > 0)
+		while (waitpid(-1, &status, 0) != pid)
+			;
+	signal(SIGINT, old1);
+	signal(SIGQUIT, old2);
+	if (pid == -1) {
+		warn("%s", "Try again later");
+		code = -1;
+	}
+	else {
+		code = 0;
+	}
+}
+
+/*
+ * Send new user information (re-login)
+ */
+void
+user(int argc, char **argv)
+{
+	char acct[80];
+	int n, aflag = 0;
+	char tmp[256];
+
+	if (argc < 2)
+		another(&argc, &argv, "username");
+	if (argc < 2 || argc > 4) {
+		printf("usage: %s username [password] [account]\n", argv[0]);
+		code = -1;
+		return;
+	}
+	n = command("USER %s", argv[1]);
+	if (n == CONTINUE) {
+	    if (argc < 3 ) {
+		des_read_pw_string (tmp,
+				    sizeof(tmp),
+				    "Password: ", 0);
+		argv[2] = tmp;
+		argc++;
+	    }
+	    n = command("PASS %s", argv[2]);
+	}
+	if (n == CONTINUE) {
+		if (argc < 4) {
+			printf("Account: "); fflush(stdout);
+			fgets(acct, sizeof(acct) - 1, stdin);
+			acct[strlen(acct) - 1] = '\0';
+			argv[3] = acct; argc++;
+		}
+		n = command("ACCT %s", argv[3]);
+		aflag++;
+	}
+	if (n != COMPLETE) {
+		fprintf(stdout, "Login failed.\n");
+		return;
+	}
+	if (!aflag && argc == 4) {
+		command("ACCT %s", argv[3]);
+	}
+}
+
+/*
+ * Print working directory.
+ */
+/*VARARGS*/
+void
+pwd(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	/*
+	 * If we aren't verbose, this doesn't do anything!
+	 */
+	verbose = 1;
+	if (command("PWD") == ERROR && code == 500) {
+		printf("PWD command not recognized, trying XPWD\n");
+		command("XPWD");
+	}
+	verbose = oldverbose;
+}
+
+/*
+ * Make a directory.
+ */
+void
+makedir(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "directory-name")) {
+		printf("usage: %s directory-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("MKD %s", argv[1]) == ERROR && code == 500) {
+		if (verbose)
+			printf("MKD command not recognized, trying XMKD\n");
+		command("XMKD %s", argv[1]);
+	}
+}
+
+/*
+ * Remove a directory.
+ */
+void
+removedir(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "directory-name")) {
+		printf("usage: %s directory-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("RMD %s", argv[1]) == ERROR && code == 500) {
+		if (verbose)
+			printf("RMD command not recognized, trying XRMD\n");
+		command("XRMD %s", argv[1]);
+	}
+}
+
+/*
+ * Send a line, verbatim, to the remote machine.
+ */
+void
+quote(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "command line to send")) {
+		printf("usage: %s line-to-send\n", argv[0]);
+		code = -1;
+		return;
+	}
+	quote1("", argc, argv);
+}
+
+/*
+ * Send a SITE command to the remote machine.  The line
+ * is sent verbatim to the remote machine, except that the
+ * word "SITE" is added at the front.
+ */
+void
+site(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "arguments to SITE command")) {
+		printf("usage: %s line-to-send\n", argv[0]);
+		code = -1;
+		return;
+	}
+	quote1("SITE ", argc, argv);
+}
+
+/*
+ * Turn argv[1..argc) into a space-separated string, then prepend initial text.
+ * Send the result as a one-line command and get response.
+ */
+void
+quote1(char *initial, int argc, char **argv)
+{
+    int i;
+    char buf[BUFSIZ];		/* must be >= sizeof(line) */
+
+    strlcpy(buf, initial, sizeof(buf));
+    for(i = 1; i < argc; i++) {
+	if(i > 1)
+	    strlcat(buf, " ", sizeof(buf));
+	strlcat(buf, argv[i], sizeof(buf));
+    }
+    if (command("%s", buf) == PRELIM) {
+	while (getreply(0) == PRELIM)
+	    continue;
+    }
+}
+
+void
+do_chmod(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "mode"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "file-name")) {
+usage:
+		printf("usage: %s mode file-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	command("SITE CHMOD %s %s", argv[1], argv[2]);
+}
+
+void
+do_umask(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	verbose = 1;
+	command(argc == 1 ? "SITE UMASK" : "SITE UMASK %s", argv[1]);
+	verbose = oldverbose;
+}
+
+void
+ftp_idle(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	verbose = 1;
+	command(argc == 1 ? "SITE IDLE" : "SITE IDLE %s", argv[1]);
+	verbose = oldverbose;
+}
+
+/*
+ * Ask the other side for help.
+ */
+void
+rmthelp(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	verbose = 1;
+	command(argc == 1 ? "HELP" : "HELP %s", argv[1]);
+	verbose = oldverbose;
+}
+
+/*
+ * Terminate session and exit.
+ */
+/*VARARGS*/
+void
+quit(int argc, char **argv)
+{
+
+	if (connected)
+		disconnect(0, 0);
+	pswitch(1);
+	if (connected) {
+		disconnect(0, 0);
+	}
+	exit(0);
+}
+
+/*
+ * Terminate session, but don't exit.
+ */
+void
+disconnect(int argc, char **argv)
+{
+
+	if (!connected)
+		return;
+	command("QUIT");
+	if (cout) {
+		fclose(cout);
+	}
+	cout = NULL;
+	connected = 0;
+	sec_end();
+	data = -1;
+	if (!proxy) {
+		macnum = 0;
+	}
+}
+
+int
+confirm(char *cmd, char *file)
+{
+	char line[BUFSIZ];
+
+	if (!interactive)
+		return (1);
+	printf("%s %s? ", cmd, file);
+	fflush(stdout);
+	if (fgets(line, sizeof line, stdin) == NULL)
+		return (0);
+	return (*line == 'y' || *line == 'Y');
+}
+
+void
+fatal(char *msg)
+{
+
+	errx(1, "%s", msg);
+}
+
+/*
+ * Glob a local file name specification with
+ * the expectation of a single return value.
+ * Can't control multiple values being expanded
+ * from the expression, we return only the first.
+ */
+int
+globulize(char **cpp)
+{
+	glob_t gl;
+	int flags;
+
+	if (!doglob)
+		return (1);
+
+	flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+	memset(&gl, 0, sizeof(gl));
+	if (glob(*cpp, flags, NULL, &gl) ||
+	    gl.gl_pathc == 0) {
+		warnx("%s: not found", *cpp);
+		globfree(&gl);
+		return (0);
+	}
+	*cpp = strdup(gl.gl_pathv[0]);	/* XXX - wasted memory */
+	globfree(&gl);
+	return (1);
+}
+
+void
+account(int argc, char **argv)
+{
+	char acct[50];
+
+	if (argc > 1) {
+		++argv;
+		--argc;
+		strlcpy (acct, *argv, sizeof(acct));
+		while (argc > 1) {
+			--argc;
+			++argv;
+			strlcat(acct, *argv, sizeof(acct));
+		}
+	}
+	else {
+	    des_read_pw_string(acct, sizeof(acct), "Account:", 0);
+	}
+	command("ACCT %s", acct);
+}
+
+jmp_buf abortprox;
+
+static RETSIGTYPE
+proxabort(int sig)
+{
+
+	if (!proxy) {
+		pswitch(1);
+	}
+	if (connected) {
+		proxflag = 1;
+	}
+	else {
+		proxflag = 0;
+	}
+	pswitch(0);
+	longjmp(abortprox,1);
+}
+
+void
+doproxy(int argc, char **argv)
+{
+	struct cmd *c;
+	RETSIGTYPE (*oldintr)(int);
+
+	if (argc < 2 && !another(&argc, &argv, "command")) {
+		printf("usage: %s command\n", argv[0]);
+		code = -1;
+		return;
+	}
+	c = getcmd(argv[1]);
+	if (c == (struct cmd *) -1) {
+		printf("?Ambiguous command\n");
+		fflush(stdout);
+		code = -1;
+		return;
+	}
+	if (c == 0) {
+		printf("?Invalid command\n");
+		fflush(stdout);
+		code = -1;
+		return;
+	}
+	if (!c->c_proxy) {
+		printf("?Invalid proxy command\n");
+		fflush(stdout);
+		code = -1;
+		return;
+	}
+	if (setjmp(abortprox)) {
+		code = -1;
+		return;
+	}
+	oldintr = signal(SIGINT, proxabort);
+	pswitch(1);
+	if (c->c_conn && !connected) {
+		printf("Not connected\n");
+		fflush(stdout);
+		pswitch(0);
+		signal(SIGINT, oldintr);
+		code = -1;
+		return;
+	}
+	(*c->c_handler)(argc-1, argv+1);
+	if (connected) {
+		proxflag = 1;
+	}
+	else {
+		proxflag = 0;
+	}
+	pswitch(0);
+	signal(SIGINT, oldintr);
+}
+
+void
+setcase(int argc, char **argv)
+{
+
+	mcase = !mcase;
+	printf("Case mapping %s.\n", onoff(mcase));
+	code = mcase;
+}
+
+void
+setcr(int argc, char **argv)
+{
+
+	crflag = !crflag;
+	printf("Carriage Return stripping %s.\n", onoff(crflag));
+	code = crflag;
+}
+
+void
+setntrans(int argc, char **argv)
+{
+	if (argc == 1) {
+		ntflag = 0;
+		printf("Ntrans off.\n");
+		code = ntflag;
+		return;
+	}
+	ntflag++;
+	code = ntflag;
+	strlcpy (ntin, argv[1], 17);
+	if (argc == 2) {
+		ntout[0] = '\0';
+		return;
+	}
+	strlcpy (ntout, argv[2], 17);
+}
+
+char *
+dotrans(char *name)
+{
+	static char new[MaxPathLen];
+	char *cp1, *cp2 = new;
+	int i, ostop, found;
+
+	for (ostop = 0; *(ntout + ostop) && ostop < 16; ostop++)
+		continue;
+	for (cp1 = name; *cp1; cp1++) {
+		found = 0;
+		for (i = 0; *(ntin + i) && i < 16; i++) {
+			if (*cp1 == *(ntin + i)) {
+				found++;
+				if (i < ostop) {
+					*cp2++ = *(ntout + i);
+				}
+				break;
+			}
+		}
+		if (!found) {
+			*cp2++ = *cp1;
+		}
+	}
+	*cp2 = '\0';
+	return (new);
+}
+
+void
+setnmap(int argc, char **argv)
+{
+	char *cp;
+
+	if (argc == 1) {
+		mapflag = 0;
+		printf("Nmap off.\n");
+		code = mapflag;
+		return;
+	}
+	if (argc < 3 && !another(&argc, &argv, "mapout")) {
+		printf("Usage: %s [mapin mapout]\n",argv[0]);
+		code = -1;
+		return;
+	}
+	mapflag = 1;
+	code = 1;
+	cp = strchr(altarg, ' ');
+	if (proxy) {
+		while(*++cp == ' ')
+			continue;
+		altarg = cp;
+		cp = strchr(altarg, ' ');
+	}
+	*cp = '\0';
+	strlcpy(mapin, altarg, MaxPathLen);
+	while (*++cp == ' ')
+		continue;
+	strlcpy(mapout, cp, MaxPathLen);
+}
+
+char *
+domap(char *name)
+{
+	static char new[MaxPathLen];
+	char *cp1 = name, *cp2 = mapin;
+	char *tp[9], *te[9];
+	int i, toks[9], toknum = 0, match = 1;
+
+	for (i=0; i < 9; ++i) {
+		toks[i] = 0;
+	}
+	while (match && *cp1 && *cp2) {
+		switch (*cp2) {
+			case '\\':
+				if (*++cp2 != *cp1) {
+					match = 0;
+				}
+				break;
+			case '$':
+				if (*(cp2+1) >= '1' && (*cp2+1) <= '9') {
+					if (*cp1 != *(++cp2+1)) {
+						toks[toknum = *cp2 - '1']++;
+						tp[toknum] = cp1;
+						while (*++cp1 && *(cp2+1)
+							!= *cp1);
+						te[toknum] = cp1;
+					}
+					cp2++;
+					break;
+				}
+				/* FALLTHROUGH */
+			default:
+				if (*cp2 != *cp1) {
+					match = 0;
+				}
+				break;
+		}
+		if (match && *cp1) {
+			cp1++;
+		}
+		if (match && *cp2) {
+			cp2++;
+		}
+	}
+	if (!match && *cp1) /* last token mismatch */
+	{
+		toks[toknum] = 0;
+	}
+	cp1 = new;
+	*cp1 = '\0';
+	cp2 = mapout;
+	while (*cp2) {
+		match = 0;
+		switch (*cp2) {
+			case '\\':
+				if (*(cp2 + 1)) {
+					*cp1++ = *++cp2;
+				}
+				break;
+			case '[':
+LOOP:
+				if (*++cp2 == '$' && isdigit(*(cp2+1))) { 
+					if (*++cp2 == '0') {
+						char *cp3 = name;
+
+						while (*cp3) {
+							*cp1++ = *cp3++;
+						}
+						match = 1;
+					}
+					else if (toks[toknum = *cp2 - '1']) {
+						char *cp3 = tp[toknum];
+
+						while (cp3 != te[toknum]) {
+							*cp1++ = *cp3++;
+						}
+						match = 1;
+					}
+				}
+				else {
+					while (*cp2 && *cp2 != ',' && 
+					    *cp2 != ']') {
+						if (*cp2 == '\\') {
+							cp2++;
+						}
+						else if (*cp2 == '$' &&
+   						        isdigit(*(cp2+1))) {
+							if (*++cp2 == '0') {
+							   char *cp3 = name;
+
+							   while (*cp3) {
+								*cp1++ = *cp3++;
+							   }
+							}
+							else if (toks[toknum =
+							    *cp2 - '1']) {
+							   char *cp3=tp[toknum];
+
+							   while (cp3 !=
+								  te[toknum]) {
+								*cp1++ = *cp3++;
+							   }
+							}
+						}
+						else if (*cp2) {
+							*cp1++ = *cp2++;
+						}
+					}
+					if (!*cp2) {
+						printf("nmap: unbalanced brackets\n");
+						return (name);
+					}
+					match = 1;
+					cp2--;
+				}
+				if (match) {
+					while (*++cp2 && *cp2 != ']') {
+					      if (*cp2 == '\\' && *(cp2 + 1)) {
+							cp2++;
+					      }
+					}
+					if (!*cp2) {
+						printf("nmap: unbalanced brackets\n");
+						return (name);
+					}
+					break;
+				}
+				switch (*++cp2) {
+					case ',':
+						goto LOOP;
+					case ']':
+						break;
+					default:
+						cp2--;
+						goto LOOP;
+				}
+				break;
+			case '$':
+				if (isdigit(*(cp2 + 1))) {
+					if (*++cp2 == '0') {
+						char *cp3 = name;
+
+						while (*cp3) {
+							*cp1++ = *cp3++;
+						}
+					}
+					else if (toks[toknum = *cp2 - '1']) {
+						char *cp3 = tp[toknum];
+
+						while (cp3 != te[toknum]) {
+							*cp1++ = *cp3++;
+						}
+					}
+					break;
+				}
+				/* intentional drop through */
+			default:
+				*cp1++ = *cp2;
+				break;
+		}
+		cp2++;
+	}
+	*cp1 = '\0';
+	if (!*new) {
+		return (name);
+	}
+	return (new);
+}
+
+void
+setpassive(int argc, char **argv)
+{
+
+	passivemode = !passivemode;
+	printf("Passive mode %s.\n", onoff(passivemode));
+	code = passivemode;
+}
+
+void
+setsunique(int argc, char **argv)
+{
+
+	sunique = !sunique;
+	printf("Store unique %s.\n", onoff(sunique));
+	code = sunique;
+}
+
+void
+setrunique(int argc, char **argv)
+{
+
+	runique = !runique;
+	printf("Receive unique %s.\n", onoff(runique));
+	code = runique;
+}
+
+/* change directory to perent directory */
+void
+cdup(int argc, char **argv)
+{
+
+	if (command("CDUP") == ERROR && code == 500) {
+		if (verbose)
+			printf("CDUP command not recognized, trying XCUP\n");
+		command("XCUP");
+	}
+}
+
+/* restart transfer at specific point */
+void
+restart(int argc, char **argv)
+{
+
+    if (argc != 2)
+	printf("restart: offset not specified\n");
+    else {
+	restart_point = atol(argv[1]);
+	printf("restarting at %ld. %s\n", (long)restart_point,
+	       "execute get, put or append to initiate transfer");
+    }
+}
+
+/* show remote system type */
+void
+syst(int argc, char **argv)
+{
+
+	command("SYST");
+}
+
+void
+macdef(int argc, char **argv)
+{
+	char *tmp;
+	int c;
+
+	if (macnum == 16) {
+		printf("Limit of 16 macros have already been defined\n");
+		code = -1;
+		return;
+	}
+	if (argc < 2 && !another(&argc, &argv, "macro name")) {
+		printf("Usage: %s macro_name\n",argv[0]);
+		code = -1;
+		return;
+	}
+	if (interactive) {
+		printf("Enter macro line by line, terminating it with a null line\n");
+	}
+	strlcpy(macros[macnum].mac_name,
+			argv[1],
+			sizeof(macros[macnum].mac_name));
+	if (macnum == 0) {
+		macros[macnum].mac_start = macbuf;
+	}
+	else {
+		macros[macnum].mac_start = macros[macnum - 1].mac_end + 1;
+	}
+	tmp = macros[macnum].mac_start;
+	while (tmp != macbuf+4096) {
+		if ((c = getchar()) == EOF) {
+			printf("macdef:end of file encountered\n");
+			code = -1;
+			return;
+		}
+		if ((*tmp = c) == '\n') {
+			if (tmp == macros[macnum].mac_start) {
+				macros[macnum++].mac_end = tmp;
+				code = 0;
+				return;
+			}
+			if (*(tmp-1) == '\0') {
+				macros[macnum++].mac_end = tmp - 1;
+				code = 0;
+				return;
+			}
+			*tmp = '\0';
+		}
+		tmp++;
+	}
+	while (1) {
+		while ((c = getchar()) != '\n' && c != EOF)
+			/* LOOP */;
+		if (c == EOF || getchar() == '\n') {
+			printf("Macro not defined - 4k buffer exceeded\n");
+			code = -1;
+			return;
+		}
+	}
+}
+
+/*
+ * get size of file on remote machine
+ */
+void
+sizecmd(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "filename")) {
+		printf("usage: %s filename\n", argv[0]);
+		code = -1;
+		return;
+	}
+	command("SIZE %s", argv[1]);
+}
+
+/*
+ * get last modification time of file on remote machine
+ */
+void
+modtime(int argc, char **argv)
+{
+	int overbose;
+
+	if (argc < 2 && !another(&argc, &argv, "filename")) {
+		printf("usage: %s filename\n", argv[0]);
+		code = -1;
+		return;
+	}
+	overbose = verbose;
+	if (debug == 0)
+		verbose = -1;
+	if (command("MDTM %s", argv[1]) == COMPLETE) {
+		int yy, mo, day, hour, min, sec;
+		sscanf(reply_string, "%*s %04d%02d%02d%02d%02d%02d", &yy, &mo,
+			&day, &hour, &min, &sec);
+		/* might want to print this in local time */
+		printf("%s\t%02d/%02d/%04d %02d:%02d:%02d GMT\n", argv[1],
+			mo, day, yy, hour, min, sec);
+	} else
+		printf("%s\n", reply_string);
+	verbose = overbose;
+}
+
+/*
+ * show status on reomte machine
+ */
+void
+rmtstatus(int argc, char **argv)
+{
+
+	command(argc > 1 ? "STAT %s" : "STAT" , argv[1]);
+}
+
+/*
+ * get file if modtime is more recent than current file
+ */
+void
+newer(int argc, char **argv)
+{
+
+	if (getit(argc, argv, -1, curtype == TYPE_I ? "wb" : "w"))
+		printf("Local file \"%s\" is newer than remote file \"%s\"\n",
+			argv[2], argv[1]);
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/cmdtab.c b/crypto/heimdal/appl/ftp/ftp/cmdtab.c
new file mode 100644
index 0000000..5dc96ef
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/cmdtab.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+
+/*
+ * User FTP -- Command Tables.
+ */
+
+char	accounthelp[] =	"send account command to remote server";
+char	appendhelp[] =	"append to a file";
+char	asciihelp[] =	"set ascii transfer type";
+char	beephelp[] =	"beep when command completed";
+char	binaryhelp[] =	"set binary transfer type";
+char	casehelp[] =	"toggle mget upper/lower case id mapping";
+char	cdhelp[] =	"change remote working directory";
+char	cduphelp[] = 	"change remote working directory to parent directory";
+char	chmodhelp[] =	"change file permissions of remote file";
+char	connecthelp[] =	"connect to remote tftp";
+char	crhelp[] =	"toggle carriage return stripping on ascii gets";
+char	deletehelp[] =	"delete remote file";
+char	debughelp[] =	"toggle/set debugging mode";
+char	dirhelp[] =	"list contents of remote directory";
+char	disconhelp[] =	"terminate ftp session";
+char	domachelp[] = 	"execute macro";
+char	formhelp[] =	"set file transfer format";
+char	globhelp[] =	"toggle metacharacter expansion of local file names";
+char	hashhelp[] =	"toggle printing `#' for each buffer transferred";
+char	helphelp[] =	"print local help information";
+char	idlehelp[] =	"get (set) idle timer on remote side";
+char	lcdhelp[] =	"change local working directory";
+char	lshelp[] =	"list contents of remote directory";
+char	macdefhelp[] =  "define a macro";
+char	mdeletehelp[] =	"delete multiple files";
+char	mdirhelp[] =	"list contents of multiple remote directories";
+char	mgethelp[] =	"get multiple files";
+char	mkdirhelp[] =	"make directory on the remote machine";
+char	mlshelp[] =	"list contents of multiple remote directories";
+char	modtimehelp[] = "show last modification time of remote file";
+char	modehelp[] =	"set file transfer mode";
+char	mputhelp[] =	"send multiple files";
+char	newerhelp[] =	"get file if remote file is newer than local file ";
+char	nlisthelp[] =	"nlist contents of remote directory";
+char	nmaphelp[] =	"set templates for default file name mapping";
+char	ntranshelp[] =	"set translation table for default file name mapping";
+char	porthelp[] =	"toggle use of PORT cmd for each data connection";
+char	prompthelp[] =	"force interactive prompting on multiple commands";
+char	proxyhelp[] =	"issue command on alternate connection";
+char	pwdhelp[] =	"print working directory on remote machine";
+char	quithelp[] =	"terminate ftp session and exit";
+char	quotehelp[] =	"send arbitrary ftp command";
+char	receivehelp[] =	"receive file";
+char	regethelp[] =	"get file restarting at end of local file";
+char	remotehelp[] =	"get help from remote server";
+char	renamehelp[] =	"rename file";
+char	restarthelp[]=	"restart file transfer at bytecount";
+char	rmdirhelp[] =	"remove directory on the remote machine";
+char	rmtstatushelp[]="show status of remote machine";
+char	runiquehelp[] = "toggle store unique for local files";
+char	resethelp[] =	"clear queued command replies";
+char	sendhelp[] =	"send one file";
+char	passivehelp[] =	"enter passive transfer mode";
+char	sitehelp[] =	"send site specific command to remote server\n\t\tTry \"rhelp site\" or \"site help\" for more information";
+char	shellhelp[] =	"escape to the shell";
+char	sizecmdhelp[] = "show size of remote file";
+char	statushelp[] =	"show current status";
+char	structhelp[] =	"set file transfer structure";
+char	suniquehelp[] = "toggle store unique on remote machine";
+char	systemhelp[] =  "show remote system type";
+char	tenexhelp[] =	"set tenex file transfer type";
+char	tracehelp[] =	"toggle packet tracing";
+char	typehelp[] =	"set file transfer type";
+char	umaskhelp[] =	"get (set) umask on remote side";
+char	userhelp[] =	"send new user information";
+char	verbosehelp[] =	"toggle verbose mode";
+
+char	prothelp[] = 	"set protection level";
+#ifdef KRB4
+char	kauthhelp[] = 	"get remote tokens";
+char	klisthelp[] =	"show remote tickets";
+char	kdestroyhelp[] = "destroy remote tickets";
+char	krbtkfilehelp[] = "set filename of remote tickets";
+char	afsloghelp[] = 	"obtain remote AFS tokens";
+#endif
+
+struct cmd cmdtab[] = {
+	{ "!",		shellhelp,	0,	0,	0,	shell },
+	{ "$",		domachelp,	1,	0,	0,	domacro },
+	{ "account",	accounthelp,	0,	1,	1,	account},
+	{ "append",	appendhelp,	1,	1,	1,	put },
+	{ "ascii",	asciihelp,	0,	1,	1,	setascii },
+	{ "bell",	beephelp,	0,	0,	0,	setbell },
+	{ "binary",	binaryhelp,	0,	1,	1,	setbinary },
+	{ "bye",	quithelp,	0,	0,	0,	quit },
+	{ "case",	casehelp,	0,	0,	1,	setcase },
+	{ "cd",		cdhelp,		0,	1,	1,	cd },
+	{ "cdup",	cduphelp,	0,	1,	1,	cdup },
+	{ "chmod",	chmodhelp,	0,	1,	1,	do_chmod },
+	{ "close",	disconhelp,	0,	1,	1,	disconnect },
+	{ "cr",		crhelp,		0,	0,	0,	setcr },
+	{ "delete",	deletehelp,	0,	1,	1,	delete },
+	{ "debug",	debughelp,	0,	0,	0,	setdebug },
+	{ "dir",	dirhelp,	1,	1,	1,	ls },
+	{ "disconnect",	disconhelp,	0,	1,	1,	disconnect },
+	{ "form",	formhelp,	0,	1,	1,	setform },
+	{ "get",	receivehelp,	1,	1,	1,	get },
+	{ "glob",	globhelp,	0,	0,	0,	setglob },
+	{ "hash",	hashhelp,	0,	0,	0,	sethash },
+	{ "help",	helphelp,	0,	0,	1,	help },
+	{ "idle",	idlehelp,	0,	1,	1,	ftp_idle },
+	{ "image",	binaryhelp,	0,	1,	1,	setbinary },
+	{ "lcd",	lcdhelp,	0,	0,	0,	lcd },
+	{ "ls",		lshelp,		1,	1,	1,	ls },
+	{ "macdef",	macdefhelp,	0,	0,	0,	macdef },
+	{ "mdelete",	mdeletehelp,	1,	1,	1,	mdelete },
+	{ "mdir",	mdirhelp,	1,	1,	1,	mls },
+	{ "mget",	mgethelp,	1,	1,	1,	mget },
+	{ "mkdir",	mkdirhelp,	0,	1,	1,	makedir },
+	{ "mls",	mlshelp,	1,	1,	1,	mls },
+	{ "mode",	modehelp,	0,	1,	1,	setftmode },
+	{ "modtime",	modtimehelp,	0,	1,	1,	modtime },
+	{ "mput",	mputhelp,	1,	1,	1,	mput },
+	{ "newer",	newerhelp,	1,	1,	1,	newer },
+	{ "nmap",	nmaphelp,	0,	0,	1,	setnmap },
+	{ "nlist",	nlisthelp,	1,	1,	1,	ls },
+	{ "ntrans",	ntranshelp,	0,	0,	1,	setntrans },
+	{ "open",	connecthelp,	0,	0,	1,	setpeer },
+	{ "passive",	passivehelp,	0,	0,	0,	setpassive },
+	{ "prompt",	prompthelp,	0,	0,	0,	setprompt },
+	{ "proxy",	proxyhelp,	0,	0,	1,	doproxy },
+	{ "sendport",	porthelp,	0,	0,	0,	setport },
+	{ "put",	sendhelp,	1,	1,	1,	put },
+	{ "pwd",	pwdhelp,	0,	1,	1,	pwd },
+	{ "quit",	quithelp,	0,	0,	0,	quit },
+	{ "quote",	quotehelp,	1,	1,	1,	quote },
+	{ "recv",	receivehelp,	1,	1,	1,	get },
+	{ "reget",	regethelp,	1,	1,	1,	reget },
+	{ "rstatus",	rmtstatushelp,	0,	1,	1,	rmtstatus },
+	{ "rhelp",	remotehelp,	0,	1,	1,	rmthelp },
+	{ "rename",	renamehelp,	0,	1,	1,	renamefile },
+	{ "reset",	resethelp,	0,	1,	1,	reset },
+	{ "restart",	restarthelp,	1,	1,	1,	restart },
+	{ "rmdir",	rmdirhelp,	0,	1,	1,	removedir },
+	{ "runique",	runiquehelp,	0,	0,	1,	setrunique },
+	{ "send",	sendhelp,	1,	1,	1,	put },
+	{ "site",	sitehelp,	0,	1,	1,	site },
+	{ "size",	sizecmdhelp,	1,	1,	1,	sizecmd },
+	{ "status",	statushelp,	0,	0,	1,	status },
+	{ "struct",	structhelp,	0,	1,	1,	setstruct },
+	{ "system",	systemhelp,	0,	1,	1,	syst },
+	{ "sunique",	suniquehelp,	0,	0,	1,	setsunique },
+	{ "tenex",	tenexhelp,	0,	1,	1,	settenex },
+	{ "trace",	tracehelp,	0,	0,	0,	settrace },
+	{ "type",	typehelp,	0,	1,	1,	settype },
+	{ "user",	userhelp,	0,	1,	1,	user },
+	{ "umask",	umaskhelp,	0,	1,	1,	do_umask },
+	{ "verbose",	verbosehelp,	0,	0,	0,	setverbose },
+	{ "?",		helphelp,	0,	0,	1,	help },
+
+	{ "prot", 	prothelp, 	0, 	1, 	0,	sec_prot },
+#ifdef KRB4
+	{ "kauth", 	kauthhelp, 	0, 	1, 	0,	kauth },
+	{ "klist", 	klisthelp, 	0, 	1, 	0,	klist },
+	{ "kdestroy",	kdestroyhelp,	0,	1,	0,	kdestroy },
+	{ "krbtkfile",	krbtkfilehelp,	0,	1,	0,	krbtkfile },
+	{ "afslog",	afsloghelp,	0,	1,	0,	afslog },
+#endif
+	
+	{ 0 },
+};
+
+int	NCMDS = (sizeof (cmdtab) / sizeof (cmdtab[0])) - 1;
diff --git a/crypto/heimdal/appl/ftp/ftp/domacro.c b/crypto/heimdal/appl/ftp/ftp/domacro.c
new file mode 100644
index 0000000..d91660d
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/domacro.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (c) 1985, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: domacro.c,v 1.7 1999/09/16 20:37:29 assar Exp $");
+
+void
+domacro(int argc, char **argv)
+{
+	int i, j, count = 2, loopflg = 0;
+	char *cp1, *cp2, line2[200];
+	struct cmd *c;
+
+	if (argc < 2 && !another(&argc, &argv, "macro name")) {
+		printf("Usage: %s macro_name.\n", argv[0]);
+		code = -1;
+		return;
+	}
+	for (i = 0; i < macnum; ++i) {
+		if (!strncmp(argv[1], macros[i].mac_name, 9)) {
+			break;
+		}
+	}
+	if (i == macnum) {
+		printf("'%s' macro not found.\n", argv[1]);
+		code = -1;
+		return;
+	}
+	strlcpy(line2, line, sizeof(line2));
+TOP:
+	cp1 = macros[i].mac_start;
+	while (cp1 != macros[i].mac_end) {
+		while (isspace(*cp1)) {
+			cp1++;
+		}
+		cp2 = line;
+		while (*cp1 != '\0') {
+		      switch(*cp1) {
+		   	    case '\\':
+				 *cp2++ = *++cp1;
+				 break;
+			    case '$':
+				 if (isdigit(*(cp1+1))) {
+				    j = 0;
+				    while (isdigit(*++cp1)) {
+					  j = 10*j +  *cp1 - '0';
+				    }
+				    cp1--;
+				    if (argc - 2 >= j) {
+					strcpy(cp2, argv[j+1]);
+					cp2 += strlen(argv[j+1]);
+				    }
+				    break;
+				 }
+				 if (*(cp1+1) == 'i') {
+					loopflg = 1;
+					cp1++;
+					if (count < argc) {
+					   strcpy(cp2, argv[count]);
+					   cp2 += strlen(argv[count]);
+					}
+					break;
+				}
+				/* intentional drop through */
+			    default:
+				*cp2++ = *cp1;
+				break;
+		      }
+		      if (*cp1 != '\0') {
+			 cp1++;
+		      }
+		}
+		*cp2 = '\0';
+		makeargv();
+		c = getcmd(margv[0]);
+		if (c == (struct cmd *)-1) {
+			printf("?Ambiguous command\n");
+			code = -1;
+		}
+		else if (c == 0) {
+			printf("?Invalid command\n");
+			code = -1;
+		}
+		else if (c->c_conn && !connected) {
+			printf("Not connected.\n");
+			code = -1;
+		}
+		else {
+			if (verbose) {
+				printf("%s\n",line);
+			}
+			(*c->c_handler)(margc, margv);
+			if (bell && c->c_bell) {
+				putchar('\007');
+			}
+			strcpy(line, line2);
+			makeargv();
+			argc = margc;
+			argv = margv;
+		}
+		if (cp1 != macros[i].mac_end) {
+			cp1++;
+		}
+	}
+	if (loopflg && ++count < argc) {
+		goto TOP;
+	}
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/extern.h b/crypto/heimdal/appl/ftp/ftp/extern.h
new file mode 100644
index 0000000..337bed6
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/extern.h
@@ -0,0 +1,174 @@
+/*-
+ * Copyright (c) 1994 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)extern.h	8.3 (Berkeley) 10/9/94
+ */
+
+/* $Id: extern.h,v 1.19 2000/09/19 13:15:12 assar Exp $ */
+
+#include <setjmp.h>
+#include <stdlib.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+void    abort_remote (FILE *);
+void    abortpt (int);
+void    abortrecv (int);
+void	account (int, char **);
+int	another (int *, char ***, char *);
+void	blkfree (char **);
+void	cd (int, char **);
+void	cdup (int, char **);
+void	changetype (int, int);
+void	cmdabort (int);
+void	cmdscanner (int);
+int	command (char *fmt, ...)
+    __attribute__ ((format (printf, 1,2)));
+int	confirm (char *, char *);
+FILE   *dataconn (const char *);
+void	delete (int, char **);
+void	disconnect (int, char **);
+void	do_chmod (int, char **);
+void	do_umask (int, char **);
+void	domacro (int, char **);
+char   *domap (char *);
+void	doproxy (int, char **);
+char   *dotrans (char *);
+int     empty (fd_set *, int);
+void	fatal (char *);
+void	get (int, char **);
+struct cmd *getcmd (char *);
+int	getit (int, char **, int, char *);
+int	getreply (int);
+int	globulize (char **);
+char   *gunique (char *);
+void	help (int, char **);
+char   *hookup (const char *, int);
+void	ftp_idle (int, char **);
+int     initconn (void);
+void	intr (int);
+void	lcd (int, char **);
+int	login (char *);
+RETSIGTYPE	lostpeer (int);
+void	ls (int, char **);
+void	macdef (int, char **);
+void	makeargv (void);
+void	makedir (int, char **);
+void	mdelete (int, char **);
+void	mget (int, char **);
+void	mls (int, char **);
+void	modtime (int, char **);
+void	mput (int, char **);
+char   *onoff (int);
+void	newer (int, char **);
+void    proxtrans (char *, char *, char *);
+void    psabort (int);
+void    pswitch (int);
+void    ptransfer (char *, long, struct timeval *, struct timeval *);
+void	put (int, char **);
+void	pwd (int, char **);
+void	quit (int, char **);
+void	quote (int, char **);
+void	quote1 (char *, int, char **);
+void    recvrequest (char *, char *, char *, char *, int, int);
+void	reget (int, char **);
+char   *remglob (char **, int);
+void	removedir (int, char **);
+void	renamefile (int, char **);
+void    reset (int, char **);
+void	restart (int, char **);
+void	rmthelp (int, char **);
+void	rmtstatus (int, char **);
+int	ruserpass (char *, char **, char **, char **);
+void    sendrequest (char *, char *, char *, char *, int);
+void	setascii (int, char **);
+void	setbell (int, char **);
+void	setbinary (int, char **);
+void	setcase (int, char **);
+void	setcr (int, char **);
+void	setdebug (int, char **);
+void	setform (int, char **);
+void	setftmode (int, char **);
+void	setglob (int, char **);
+void	sethash (int, char **);
+void	setnmap (int, char **);
+void	setntrans (int, char **);
+void	setpassive (int, char **);
+void	setpeer (int, char **);
+void	setport (int, char **);
+void	setprompt (int, char **);
+void	setrunique (int, char **);
+void	setstruct (int, char **);
+void	setsunique (int, char **);
+void	settenex (int, char **);
+void	settrace (int, char **);
+void	settype (int, char **);
+void	setverbose (int, char **);
+void	shell (int, char **);
+void	site (int, char **);
+void	sizecmd (int, char **);
+char   *slurpstring (void);
+void	status (int, char **);
+void	syst (int, char **);
+void    tvsub (struct timeval *, struct timeval *, struct timeval *);
+void	user (int, char **);
+
+extern jmp_buf	abortprox;
+extern int	abrtflag;
+extern struct	cmd cmdtab[];
+extern FILE	*cout;
+extern int	data;
+extern char    *home;
+extern jmp_buf	jabort;
+extern int	proxy;
+extern char	reply_string[];
+extern off_t	restart_point;
+extern int	NCMDS;
+
+extern char 	username[32];
+extern char	myhostname[];
+extern char	*mydomain;
+
+void afslog (int, char **);
+void kauth (int, char **);
+void kdestroy (int, char **);
+void klist (int, char **);
+void krbtkfile (int, char **);
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.1 b/crypto/heimdal/appl/ftp/ftp/ftp.1
new file mode 100644
index 0000000..9534d9e
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ftp.1
@@ -0,0 +1,1196 @@
+.\" 	$NetBSD: ftp.1,v 1.11 1995/09/08 01:06:24 tls Exp $
+.\"
+.\" Copyright (c) 1985, 1989, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)ftp.1	8.3 (Berkeley) 10/9/94
+.\"
+.Dd April 27, 1996
+.Dt FTP 1
+.Os BSD 4.2
+.Sh NAME
+.Nm ftp
+.Nd
+.Tn ARPANET
+file transfer program
+.Sh SYNOPSIS
+.Nm ftp
+.Op Fl t
+.Op Fl v
+.Op Fl d
+.Op Fl i
+.Op Fl n
+.Op Fl g
+.Op Fl p
+.Op Fl l
+.Op Ar host
+.Sh DESCRIPTION
+.Nm Ftp
+is the user interface to the
+.Tn ARPANET
+standard File Transfer Protocol.
+The program allows a user to transfer files to and from a
+remote network site.
+.Pp
+Modifications has been made so that it almost follows the ftpsec
+Internet draft.
+.Pp
+Options may be specified at the command line, or to the
+command interpreter.
+.Bl -tag -width flag
+.It Fl t
+Enables packet tracing.
+.It Fl v
+Verbose option forces
+.Nm ftp
+to show all responses from the remote server, as well
+as report on data transfer statistics.
+.It Fl n
+Restrains
+.Nm ftp
+from attempting \*(Lqauto-login\*(Rq upon initial connection.
+If auto-login is enabled,
+.Nm ftp
+will check the
+.Pa .netrc
+(see below) file in the user's home directory for an entry describing
+an account on the remote machine.
+If no entry exists,
+.Nm ftp
+will prompt for the remote machine login name (default is the user
+identity on the local machine), and, if necessary, prompt for a password
+and an account with which to login.
+.It Fl i
+Turns off interactive prompting during
+multiple file transfers.
+.It Fl p
+Turn on passive mode.
+.It Fl d
+Enables debugging.
+.It Fl g
+Disables file name globbing.
+.It Fl l
+Disables command line editing.
+.El
+.Pp
+The client host with which
+.Nm ftp
+is to communicate may be specified on the command line.
+If this is done,
+.Nm ftp
+will immediately attempt to establish a connection to an
+.Tn FTP
+server on that host; otherwise,
+.Nm ftp
+will enter its command interpreter and await instructions
+from the user.
+When
+.Nm ftp
+is awaiting commands from the user the prompt
+.Ql ftp>
+is provided to the user.
+The following commands are recognized
+by
+.Nm ftp  :
+.Bl -tag -width Fl
+.It Ic \&! Op Ar command Op Ar args
+Invoke an interactive shell on the local machine.
+If there are arguments, the first is taken to be a command to execute
+directly, with the rest of the arguments as its arguments.
+.It Ic \&$ Ar macro-name Op Ar args
+Execute the macro
+.Ar macro-name
+that was defined with the
+.Ic macdef
+command.
+Arguments are passed to the macro unglobbed.
+.It Ic account Op Ar passwd
+Supply a supplemental password required by a remote system for access
+to resources once a login has been successfully completed.
+If no argument is included, the user will be prompted for an account
+password in a non-echoing input mode.
+.It Ic append Ar local-file Op Ar remote-file
+Append a local file to a file on the remote machine.
+If
+.Ar remote-file
+is left unspecified, the local file name is used in naming the
+remote file after being altered by any
+.Ic ntrans
+or
+.Ic nmap
+setting.
+File transfer uses the current settings for
+.Ic type  ,
+.Ic format ,
+.Ic mode  ,
+and
+.Ic structure .
+.It Ic ascii
+Set the file transfer
+.Ic type
+to network
+.Tn ASCII .
+This is the default type.
+.It Ic bell
+Arrange that a bell be sounded after each file transfer
+command is completed.
+.It Ic binary
+Set the file transfer
+.Ic type
+to support binary image transfer.
+.It Ic bye
+Terminate the
+.Tn FTP
+session with the remote server
+and exit
+.Nm ftp  .
+An end of file will also terminate the session and exit.
+.It Ic case
+Toggle remote computer file name case mapping during
+.Ic mget
+commands.
+When
+.Ic case
+is on (default is off), remote computer file names with all letters in
+upper case are written in the local directory with the letters mapped
+to lower case.
+.It Ic \&cd Ar remote-directory
+Change the working directory on the remote machine
+to
+.Ar remote-directory  .
+.It Ic cdup
+Change the remote machine working directory to the parent of the
+current remote machine working directory.
+.It Ic chmod Ar mode file-name
+Change the permission modes of the file
+.Ar file-name
+on the remote
+sytem to
+.Ar mode  .
+.It Ic close
+Terminate the
+.Tn FTP
+session with the remote server, and
+return to the command interpreter.
+Any defined macros are erased.
+.It Ic \&cr
+Toggle carriage return stripping during
+ascii type file retrieval.
+Records are denoted by a carriage return/linefeed sequence
+during ascii type file transfer.
+When
+.Ic \&cr
+is on (the default), carriage returns are stripped from this
+sequence to conform with the
+.Ux
+single linefeed record
+delimiter.
+Records on
+.Pf non\- Ns Ux
+remote systems may contain single linefeeds;
+when an ascii type transfer is made, these linefeeds may be
+distinguished from a record delimiter only when
+.Ic \&cr
+is off.
+.It Ic delete Ar remote-file
+Delete the file
+.Ar remote-file
+on the remote machine.
+.It Ic debug Op Ar debug-value
+Toggle debugging mode.
+If an optional
+.Ar debug-value
+is specified it is used to set the debugging level.
+When debugging is on,
+.Nm ftp
+prints each command sent to the remote machine, preceded
+by the string
+.Ql \-\->
+.It Xo
+.Ic dir
+.Op Ar remote-directory
+.Op Ar local-file
+.Xc
+Print a listing of the directory contents in the
+directory,
+.Ar remote-directory  ,
+and, optionally, placing the output in
+.Ar local-file  .
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic dir
+output.
+If no directory is specified, the current working
+directory on the remote machine is used.
+If no local
+file is specified, or
+.Ar local-file
+is
+.Fl  ,
+output comes to the terminal.
+.It Ic disconnect
+A synonym for
+.Ar close  .
+.It Ic form Ar format
+Set the file transfer
+.Ic form
+to
+.Ar format  .
+The default format is \*(Lqfile\*(Rq.
+.It Ic get Ar remote-file Op Ar local-file
+Retrieve the
+.Ar remote-file
+and store it on the local machine.
+If the local
+file name is not specified, it is given the same
+name it has on the remote machine, subject to
+alteration by the current
+.Ic case  ,
+.Ic ntrans ,
+and
+.Ic nmap
+settings.
+The current settings for
+.Ic type  ,
+.Ic form ,
+.Ic mode  ,
+and
+.Ic structure
+are used while transferring the file.
+.It Ic glob
+Toggle filename expansion for
+.Ic mdelete  ,
+.Ic mget
+and
+.Ic mput  .
+If globbing is turned off with
+.Ic glob  ,
+the file name arguments
+are taken literally and not expanded.
+Globbing for
+.Ic mput
+is done as in
+.Xr csh 1 .
+For
+.Ic mdelete
+and
+.Ic mget  ,
+each remote file name is expanded
+separately on the remote machine and the lists are not merged.
+Expansion of a directory name is likely to be
+different from expansion of the name of an ordinary file:
+the exact result depends on the foreign operating system and ftp server,
+and can be previewed by doing
+.Ql mls remote-files \- .
+As a security measure, remotely globbed files that starts with
+.Sq /
+or contains
+.Sq ../ ,
+will not be automatically received. If you have interactive prompting
+turned off, these filenames will be ignored.  Note:
+.Ic mget
+and
+.Ic mput
+are not meant to transfer
+entire directory subtrees of files.
+That can be done by
+transferring a
+.Xr tar 1
+archive of the subtree (in binary mode).
+.It Ic hash
+Toggle hash-sign (``#'') printing for each data block
+transferred.
+The size of a data block is 1024 bytes.
+.It Ic help Op Ar command
+Print an informative message about the meaning of
+.Ar command  .
+If no argument is given,
+.Nm ftp
+prints a list of the known commands.
+.It Ic idle Op Ar seconds
+Set the inactivity timer on the remote server to
+.Ar seconds
+seconds.
+If
+.Ar seconds
+is omitted, the current inactivity timer is printed.
+.It Ic lcd Op Ar directory
+Change the working directory on the local machine.
+If
+no
+.Ar directory
+is specified, the user's home directory is used.
+.It Xo
+.Ic \&ls
+.Op Ar remote-directory
+.Op Ar local-file
+.Xc
+Print a listing of the contents of a
+directory on the remote machine.
+The listing includes any system-dependent information that the server
+chooses to include; for example, most
+.Ux
+systems will produce
+output from the command
+.Ql ls \-l .
+(See also
+.Ic nlist . )
+If
+.Ar remote-directory
+is left unspecified, the current working directory is used.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic \&ls
+output.
+If no local file is specified, or if
+.Ar local-file
+is
+.Sq Fl ,
+the output is sent to the terminal.
+.It Ic macdef Ar macro-name
+Define a macro.
+Subsequent lines are stored as the macro
+.Ar macro-name  ;
+a null line (consecutive newline characters
+in a file or
+carriage returns from the terminal) terminates macro input mode.
+There is a limit of 16 macros and 4096 total characters in all
+defined macros.
+Macros remain defined until a
+.Ic close
+command is executed.
+The macro processor interprets `$' and `\e' as special characters.
+A `$' followed by a number (or numbers) is replaced by the
+corresponding argument on the macro invocation command line.
+A `$' followed by an `i' signals that macro processor that the
+executing macro is to be looped.
+On the first pass `$i' is
+replaced by the first argument on the macro invocation command line,
+on the second pass it is replaced by the second argument, and so on.
+A `\e' followed by any character is replaced by that character.
+Use the `\e' to prevent special treatment of the `$'.
+.It Ic mdelete Op Ar remote-files
+Delete the
+.Ar remote-files
+on the remote machine.
+.It Ic mdir Ar remote-files local-file
+Like
+.Ic dir  ,
+except multiple remote files may be specified.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic mdir
+output.
+.It Ic mget Ar remote-files
+Expand the
+.Ar remote-files
+on the remote machine
+and do a
+.Ic get
+for each file name thus produced.
+See
+.Ic glob
+for details on the filename expansion.
+Resulting file names will then be processed according to
+.Ic case  ,
+.Ic ntrans ,
+and
+.Ic nmap
+settings.
+Files are transferred into the local working directory,
+which can be changed with
+.Ql lcd directory ;
+new local directories can be created with
+.Ql "\&! mkdir directory" .
+.It Ic mkdir Ar directory-name
+Make a directory on the remote machine.
+.It Ic mls Ar remote-files local-file
+Like
+.Ic nlist  ,
+except multiple remote files may be specified,
+and the
+.Ar local-file
+must be specified.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic mls
+output.
+.It Ic mode Op Ar mode-name
+Set the file transfer
+.Ic mode
+to
+.Ar mode-name  .
+The default mode is \*(Lqstream\*(Rq mode.
+.It Ic modtime Ar file-name
+Show the last modification time of the file on the remote machine.
+.It Ic mput Ar local-files
+Expand wild cards in the list of local files given as arguments
+and do a
+.Ic put
+for each file in the resulting list.
+See
+.Ic glob
+for details of filename expansion.
+Resulting file names will then be processed according to
+.Ic ntrans
+and
+.Ic nmap
+settings.
+.It Ic newer Ar file-name
+Get the file only if the modification time of the remote file is more
+recent that the file on the current system.
+If the file does not
+exist on the current system, the remote file is considered
+.Ic newer  .
+Otherwise, this command is identical to
+.Ar get  .
+.It Xo
+.Ic nlist
+.Op Ar remote-directory
+.Op Ar local-file
+.Xc
+Print a  list of the files in a
+directory on the remote machine.
+If
+.Ar remote-directory
+is left unspecified, the current working directory is used.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic nlist
+output.
+If no local file is specified, or if
+.Ar local-file
+is
+.Fl  ,
+the output is sent to the terminal.
+.It Ic nmap Op Ar inpattern outpattern
+Set or unset the filename mapping mechanism.
+If no arguments are specified, the filename mapping mechanism is unset.
+If arguments are specified, remote filenames are mapped during
+.Ic mput
+commands and
+.Ic put
+commands issued without a specified remote target filename.
+If arguments are specified, local filenames are mapped during
+.Ic mget
+commands and
+.Ic get
+commands issued without a specified local target filename.
+This command is useful when connecting to a
+.No non\- Ns Ux
+remote computer
+with different file naming conventions or practices.
+The mapping follows the pattern set by
+.Ar inpattern
+and
+.Ar outpattern  .
+.Op Ar Inpattern
+is a template for incoming filenames (which may have already been
+processed according to the
+.Ic ntrans
+and
+.Ic case
+settings).
+Variable templating is accomplished by including the
+sequences `$1', `$2', ..., `$9' in
+.Ar inpattern  .
+Use `\\' to prevent this special treatment of the `$' character.
+All other characters are treated literally, and are used to determine the
+.Ic nmap
+.Op Ar inpattern
+variable values.
+For example, given
+.Ar inpattern
+$1.$2 and the remote file name "mydata.data", $1 would have the value
+"mydata", and $2 would have the value "data".
+The
+.Ar outpattern
+determines the resulting mapped filename.
+The sequences `$1', `$2', ...., `$9' are replaced by any value resulting
+from the
+.Ar inpattern
+template.
+The sequence `$0' is replace by the original filename.
+Additionally, the sequence
+.Ql Op Ar seq1 , Ar seq2
+is replaced by
+.Op Ar seq1
+if
+.Ar seq1
+is not a null string; otherwise it is replaced by
+.Ar seq2 .
+For example, the command
+.Pp
+.Bd -literal -offset indent -compact
+nmap $1.$2.$3 [$1,$2].[$2,file]
+.Ed
+.Pp
+would yield
+the output filename "myfile.data" for input filenames "myfile.data" and
+"myfile.data.old", "myfile.file" for the input filename "myfile", and
+"myfile.myfile" for the input filename ".myfile".
+Spaces may be included in
+.Ar outpattern  ,
+as in the example: `nmap $1 sed "s/  *$//" > $1' .
+Use the `\e' character to prevent special treatment
+of the `$','[','[', and `,' characters.
+.It Ic ntrans Op Ar inchars Op Ar outchars
+Set or unset the filename character translation mechanism.
+If no arguments are specified, the filename character
+translation mechanism is unset.
+If arguments are specified, characters in
+remote filenames are translated during
+.Ic mput
+commands and
+.Ic put
+commands issued without a specified remote target filename.
+If arguments are specified, characters in
+local filenames are translated during
+.Ic mget
+commands and
+.Ic get
+commands issued without a specified local target filename.
+This command is useful when connecting to a
+.No non\- Ns Ux
+remote computer
+with different file naming conventions or practices.
+Characters in a filename matching a character in
+.Ar inchars
+are replaced with the corresponding character in
+.Ar outchars  .
+If the character's position in
+.Ar inchars
+is longer than the length of
+.Ar outchars  ,
+the character is deleted from the file name.
+.It Ic open Ar host Op Ar port
+Establish a connection to the specified
+.Ar host
+.Tn FTP
+server.
+An optional port number may be supplied,
+in which case,
+.Nm ftp
+will attempt to contact an
+.Tn FTP
+server at that port.
+If the
+.Ic auto-login
+option is on (default),
+.Nm ftp
+will also attempt to automatically log the user in to
+the
+.Tn FTP
+server (see below).
+.It Ic passive
+Toggle passive mode.  If passive mode is turned on
+(default is off), the ftp client will
+send a
+.Dv PASV
+command for all data connections instead of the usual
+.Dv PORT
+command.  The
+.Dv PASV
+command requests that the remote server open a port for the data connection
+and return the address of that port.  The remote server listens on that
+port and the client connects to it.  When using the more traditional
+.Dv PORT
+command, the client listens on a port and sends that address to the remote
+server, who connects back to it.  Passive mode is useful when using
+.Nm ftp
+through a gateway router or host that controls the directionality of
+traffic.
+(Note that though ftp servers are required to support the
+.Dv PASV
+command by RFC 1123, some do not.)
+.It Ic prompt
+Toggle interactive prompting.
+Interactive prompting
+occurs during multiple file transfers to allow the
+user to selectively retrieve or store files.
+If prompting is turned off (default is on), any
+.Ic mget
+or
+.Ic mput
+will transfer all files, and any
+.Ic mdelete
+will delete all files.
+.It Ic proxy Ar ftp-command
+Execute an ftp command on a secondary control connection.
+This command allows simultaneous connection to two remote ftp
+servers for transferring files between the two servers.
+The first
+.Ic proxy
+command should be an
+.Ic open  ,
+to establish the secondary control connection.
+Enter the command "proxy ?" to see other ftp commands executable on the
+secondary connection.
+The following commands behave differently when prefaced by
+.Ic proxy  :
+.Ic open
+will not define new macros during the auto-login process,
+.Ic close
+will not erase existing macro definitions,
+.Ic get
+and
+.Ic mget
+transfer files from the host on the primary control connection
+to the host on the secondary control connection, and
+.Ic put  ,
+.Ic mput ,
+and
+.Ic append
+transfer files from the host on the secondary control connection
+to the host on the primary control connection.
+Third party file transfers depend upon support of the ftp protocol
+.Dv PASV
+command by the server on the secondary control connection.
+.It Ic put Ar local-file Op Ar remote-file
+Store a local file on the remote machine.
+If
+.Ar remote-file
+is left unspecified, the local file name is used
+after processing according to any
+.Ic ntrans
+or
+.Ic nmap
+settings
+in naming the remote file.
+File transfer uses the
+current settings for
+.Ic type  ,
+.Ic format ,
+.Ic mode  ,
+and
+.Ic structure  .
+.It Ic pwd
+Print the name of the current working directory on the remote
+machine.
+.It Ic quit
+A synonym for
+.Ic bye  .
+.It Ic quote Ar arg1 arg2 ...
+The arguments specified are sent, verbatim, to the remote
+.Tn FTP
+server.
+.It Ic recv Ar remote-file Op Ar local-file
+A synonym for get.
+.It Ic reget Ar remote-file Op Ar local-file
+Reget acts like get, except that if
+.Ar local-file
+exists and is
+smaller than
+.Ar remote-file  ,
+.Ar local-file
+is presumed to be
+a partially transferred copy of
+.Ar remote-file
+and the transfer
+is continued from the apparent point of failure.
+This command
+is useful when transferring very large files over networks that
+are prone to dropping connections.
+.It Ic remotehelp Op Ar command-name
+Request help from the remote
+.Tn FTP
+server.
+If a
+.Ar command-name
+is specified it is supplied to the server as well.
+.It Ic remotestatus Op Ar file-name
+With no arguments, show status of remote machine.
+If
+.Ar file-name
+is specified, show status of
+.Ar file-name
+on remote machine.
+.It Xo
+.Ic rename
+.Op Ar from
+.Op Ar to
+.Xc
+Rename the file
+.Ar from
+on the remote machine, to the file
+.Ar to  .
+.It Ic reset
+Clear reply queue.
+This command re-synchronizes command/reply sequencing with the remote
+ftp server.
+Resynchronization may be necessary following a violation of the ftp protocol
+by the remote server.
+.It Ic restart Ar marker
+Restart the immediately following
+.Ic get
+or
+.Ic put
+at the
+indicated
+.Ar marker  .
+On
+.Ux
+systems, marker is usually a byte
+offset into the file.
+.It Ic rmdir Ar directory-name
+Delete a directory on the remote machine.
+.It Ic runique
+Toggle storing of files on the local system with unique filenames.
+If a file already exists with a name equal to the target
+local filename for a
+.Ic get
+or
+.Ic mget
+command, a ".1" is appended to the name.
+If the resulting name matches another existing file,
+a ".2" is appended to the original name.
+If this process continues up to ".99", an error
+message is printed, and the transfer does not take place.
+The generated unique filename will be reported.
+Note that
+.Ic runique
+will not affect local files generated from a shell command
+(see below).
+The default value is off.
+.It Ic send Ar local-file Op Ar remote-file
+A synonym for put.
+.It Ic sendport
+Toggle the use of
+.Dv PORT
+commands.
+By default,
+.Nm ftp
+will attempt to use a
+.Dv PORT
+command when establishing
+a connection for each data transfer.
+The use of
+.Dv PORT
+commands can prevent delays
+when performing multiple file transfers.
+If the
+.Dv PORT
+command fails,
+.Nm ftp
+will use the default data port.
+When the use of
+.Dv PORT
+commands is disabled, no attempt will be made to use
+.Dv PORT
+commands for each data transfer.
+This is useful
+for certain
+.Tn FTP
+implementations which do ignore
+.Dv PORT
+commands but, incorrectly, indicate they've been accepted.
+.It Ic site Ar arg1 arg2 ...
+The arguments specified are sent, verbatim, to the remote
+.Tn FTP
+server as a
+.Dv SITE
+command.
+.It Ic size Ar file-name
+Return size of
+.Ar file-name
+on remote machine.
+.It Ic status
+Show the current status of
+.Nm ftp  .
+.It Ic struct Op Ar struct-name
+Set the file transfer
+.Ar structure
+to
+.Ar struct-name .
+By default \*(Lqstream\*(Rq structure is used.
+.It Ic sunique
+Toggle storing of files on remote machine under unique file names.
+Remote ftp server must support ftp protocol
+.Dv STOU
+command for
+successful completion.
+The remote server will report unique name.
+Default value is off.
+.It Ic system
+Show the type of operating system running on the remote machine.
+.It Ic tenex
+Set the file transfer type to that needed to
+talk to
+.Tn TENEX
+machines.
+.It Ic trace
+Toggle packet tracing.
+.It Ic type Op Ar type-name
+Set the file transfer
+.Ic type
+to
+.Ar type-name  .
+If no type is specified, the current type
+is printed.
+The default type is network
+.Tn ASCII .
+.It Ic umask Op Ar newmask
+Set the default umask on the remote server to
+.Ar newmask  .
+If
+.Ar newmask
+is omitted, the current umask is printed.
+.It Xo
+.Ic user Ar user-name
+.Op Ar password
+.Op Ar account
+.Xc
+Identify yourself to the remote
+.Tn FTP
+server.
+If the
+.Ar password
+is not specified and the server requires it,
+.Nm ftp
+will prompt the user for it (after disabling local echo).
+If an
+.Ar account
+field is not specified, and the
+.Tn FTP
+server
+requires it, the user will be prompted for it.
+If an
+.Ar account
+field is specified, an account command will
+be relayed to the remote server after the login sequence
+is completed if the remote server did not require it
+for logging in.
+Unless
+.Nm ftp
+is invoked with \*(Lqauto-login\*(Rq disabled, this
+process is done automatically on initial connection to
+the
+.Tn FTP
+server.
+.It Ic verbose
+Toggle verbose mode.
+In verbose mode, all responses from
+the
+.Tn FTP
+server are displayed to the user.
+In addition,
+if verbose is on, when a file transfer completes, statistics
+regarding the efficiency of the transfer are reported.
+By default,
+verbose is on.
+.It Ic \&? Op Ar command
+A synonym for help.
+.El
+.Pp
+The following command can be used with ftpsec-aware servers.
+.Bl -tag -width Fl
+.It Xo
+.Ic prot 
+.Ar clear | 
+.Ar safe | 
+.Ar confidential | 
+.Ar private
+.Xc
+Set the data protection level to the requested level.
+.El
+.Pp
+The following command can be used with ftp servers that has
+implemented the KAUTH site command.
+.Bl -tag -width Fl
+.It Ic kauth Op Ar principal
+Obtain remote tickets.
+.El
+.Pp
+Command arguments which have embedded spaces may be quoted with
+quote `"' marks.
+.Sh ABORTING A FILE TRANSFER
+To abort a file transfer, use the terminal interrupt key
+(usually Ctrl-C).
+Sending transfers will be immediately halted.
+Receiving transfers will be halted by sending a ftp protocol
+.Dv ABOR
+command to the remote server, and discarding any further data received.
+The speed at which this is accomplished depends upon the remote
+server's support for
+.Dv ABOR
+processing.
+If the remote server does not support the
+.Dv ABOR
+command, an
+.Ql ftp>
+prompt will not appear until the remote server has completed
+sending the requested file.
+.Pp
+The terminal interrupt key sequence will be ignored when
+.Nm ftp
+has completed any local processing and is awaiting a reply
+from the remote server.
+A long delay in this mode may result from the ABOR processing described
+above, or from unexpected behavior by the remote server, including
+violations of the ftp protocol.
+If the delay results from unexpected remote server behavior, the local
+.Nm ftp
+program must be killed by hand.
+.Sh FILE NAMING CONVENTIONS
+Files specified as arguments to
+.Nm ftp
+commands are processed according to the following rules.
+.Bl -enum
+.It
+If the file name
+.Sq Fl
+is specified, the
+.Ar stdin
+(for reading) or
+.Ar stdout
+(for writing) is used.
+.It
+If the first character of the file name is
+.Sq \&| ,
+the
+remainder of the argument is interpreted as a shell command.
+.Nm Ftp
+then forks a shell, using
+.Xr popen 3
+with the argument supplied, and reads (writes) from the stdout
+(stdin).
+If the shell command includes spaces, the argument
+must be quoted; e.g.
+\*(Lq" ls -lt"\*(Rq.
+A particularly
+useful example of this mechanism is: \*(Lqdir more\*(Rq.
+.It
+Failing the above checks, if ``globbing'' is enabled,
+local file names are expanded
+according to the rules used in the
+.Xr csh  1  ;
+c.f. the
+.Ic glob
+command.
+If the
+.Nm ftp
+command expects a single local file (.e.g.
+.Ic put  ) ,
+only the first filename generated by the "globbing" operation is used.
+.It
+For
+.Ic mget
+commands and
+.Ic get
+commands with unspecified local file names, the local filename is
+the remote filename, which may be altered by a
+.Ic case  ,
+.Ic ntrans ,
+or
+.Ic nmap
+setting.
+The resulting filename may then be altered if
+.Ic runique
+is on.
+.It
+For
+.Ic mput
+commands and
+.Ic put
+commands with unspecified remote file names, the remote filename is
+the local filename, which may be altered by a
+.Ic ntrans
+or
+.Ic nmap
+setting.
+The resulting filename may then be altered by the remote server if
+.Ic sunique
+is on.
+.El
+.Sh FILE TRANSFER PARAMETERS
+The FTP specification specifies many parameters which may
+affect a file transfer.
+The
+.Ic type
+may be one of \*(Lqascii\*(Rq, \*(Lqimage\*(Rq (binary),
+\*(Lqebcdic\*(Rq, and \*(Lqlocal byte size\*(Rq (for
+.Tn PDP Ns -10's
+and
+.Tn PDP Ns -20's
+mostly).
+.Nm Ftp
+supports the ascii and image types of file transfer,
+plus local byte size 8 for
+.Ic tenex
+mode transfers.
+.Pp
+.Nm Ftp
+supports only the default values for the remaining
+file transfer parameters:
+.Ic mode  ,
+.Ic form ,
+and
+.Ic struct  .
+.Sh THE .netrc FILE
+The
+.Pa .netrc
+file contains login and initialization information
+used by the auto-login process.
+It resides in the user's home directory.
+The following tokens are recognized; they may be separated by spaces,
+tabs, or new-lines:
+.Bl -tag -width password
+.It Ic machine Ar name
+Identify a remote machine
+.Ar name .
+The auto-login process searches the
+.Pa .netrc
+file for a
+.Ic machine
+token that matches the remote machine specified on the
+.Nm ftp
+command line or as an
+.Ic open
+command argument.
+Once a match is made, the subsequent
+.Pa .netrc
+tokens are processed,
+stopping when the end of file is reached or another
+.Ic machine
+or a
+.Ic default
+token is encountered.
+.It Ic default
+This is the same as
+.Ic machine
+.Ar name
+except that
+.Ic default
+matches any name.
+There can be only one
+.Ic default
+token, and it must be after all
+.Ic machine
+tokens.
+This is normally used as:
+.Pp
+.Dl default login anonymous password user@site
+.Pp
+thereby giving the user
+.Ar automatic
+anonymous ftp login to
+machines not specified in
+.Pa .netrc .
+This can be overridden
+by using the
+.Fl n
+flag to disable auto-login.
+.It Ic login Ar name
+Identify a user on the remote machine.
+If this token is present, the auto-login process will initiate
+a login using the specified
+.Ar name .
+.It Ic password Ar string
+Supply a password.
+If this token is present, the auto-login process will supply the
+specified string if the remote server requires a password as part
+of the login process.
+Note that if this token is present in the
+.Pa .netrc
+file for any user other
+than
+.Ar anonymous  ,
+.Nm ftp
+will abort the auto-login process if the
+.Pa .netrc
+is readable by
+anyone besides the user.
+.It Ic account Ar string
+Supply an additional account password.
+If this token is present, the auto-login process will supply the
+specified string if the remote server requires an additional
+account password, or the auto-login process will initiate an
+.Dv ACCT
+command if it does not.
+.It Ic macdef Ar name
+Define a macro.
+This token functions like the
+.Nm ftp
+.Ic macdef
+command functions.
+A macro is defined with the specified name; its contents begin with the
+next
+.Pa .netrc
+line and continue until a null line (consecutive new-line
+characters) is encountered.
+If a macro named
+.Ic init
+is defined, it is automatically executed as the last step in the
+auto-login process.
+.El
+.Sh ENVIRONMENT
+.Nm Ftp
+utilizes the following environment variables.
+.Bl -tag -width Fl
+.It Ev HOME
+For default location of a
+.Pa .netrc
+file, if one exists.
+.It Ev SHELL
+For default shell.
+.El
+.Sh SEE ALSO
+.Xr ftpd 8 ,
+.%T RFC2228
+.Sh HISTORY
+The
+.Nm ftp
+command appeared in
+.Bx 4.2 .
+.Sh BUGS
+Correct execution of many commands depends upon proper behavior
+by the remote server.
+.Pp
+An error in the treatment of carriage returns
+in the
+.Bx 4.2
+ascii-mode transfer code
+has been corrected.
+This correction may result in incorrect transfers of binary files
+to and from
+.Bx 4.2
+servers using the ascii type.
+Avoid this problem by using the binary image type.
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.c b/crypto/heimdal/appl/ftp/ftp/ftp.c
new file mode 100644
index 0000000..2f630f3
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ftp.c
@@ -0,0 +1,1760 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+RCSID ("$Id: ftp.c,v 1.69 2000/10/08 13:15:33 assar Exp $");
+
+struct sockaddr_storage hisctladdr_ss;
+struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss;
+struct sockaddr_storage data_addr_ss;
+struct sockaddr *data_addr  = (struct sockaddr *)&data_addr_ss;
+struct sockaddr_storage myctladdr_ss;
+struct sockaddr *myctladdr = (struct sockaddr *)&myctladdr_ss;
+int data = -1;
+int abrtflag = 0;
+jmp_buf ptabort;
+int ptabflg;
+int ptflag = 0;
+off_t restart_point = 0;
+
+
+FILE *cin, *cout;
+
+typedef void (*sighand) (int);
+
+char *
+hookup (const char *host, int port)
+{
+    static char hostnamebuf[MaxHostNameLen];
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+    socklen_t len;
+    int s;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+    hints.ai_flags    = AI_CANONNAME;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (host, portstr, &hints, &ai);
+    if (error) {
+	warnx ("%s: %s", host, gai_strerror(error));
+	code = -1;
+	return NULL;
+    }
+    strlcpy (hostnamebuf, host, sizeof(hostnamebuf));
+    hostname = hostnamebuf;
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+
+	if (a->ai_canonname != NULL)
+	    strlcpy (hostnamebuf, a->ai_canonname, sizeof(hostnamebuf));
+
+	memcpy (hisctladdr, a->ai_addr, a->ai_addrlen);
+	
+	error = connect (s, a->ai_addr, a->ai_addrlen);
+	if (error < 0) {
+	    char addrstr[256];
+
+	    if (getnameinfo (a->ai_addr, a->ai_addrlen,
+			     addrstr, sizeof(addrstr),
+			     NULL, 0, NI_NUMERICHOST) != 0)
+		strlcpy (addrstr, "unknown address", sizeof(addrstr));
+			     
+	    warn ("connect %s", addrstr);
+	    close (s);
+	    continue;
+	}
+	break;
+    }
+    freeaddrinfo (ai);
+    if (error < 0) {
+	warnx ("failed to contact %s", host);
+	code = -1;
+	return NULL;
+    }
+
+    len = sizeof(myctladdr_ss);
+    if (getsockname (s, myctladdr, &len) < 0) {
+	warn ("getsockname");
+	code = -1;
+	close (s);
+	return NULL;
+    }
+#ifdef IPTOS_LOWDELAY
+    socket_set_tos (s, IPTOS_LOWDELAY);
+#endif
+    cin = fdopen (s, "r");
+    cout = fdopen (s, "w");
+    if (cin == NULL || cout == NULL) {
+	warnx ("fdopen failed.");
+	if (cin)
+	    fclose (cin);
+	if (cout)
+	    fclose (cout);
+	code = -1;
+	goto bad;
+    }
+    if (verbose)
+	printf ("Connected to %s.\n", hostname);
+    if (getreply (0) > 2) {	/* read startup message from server */
+	if (cin)
+	    fclose (cin);
+	if (cout)
+	    fclose (cout);
+	code = -1;
+	goto bad;
+    }
+#if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT)
+    {
+	int on = 1;
+
+	if (setsockopt (s, SOL_SOCKET, SO_OOBINLINE, (char *) &on, sizeof (on))
+	    < 0 && debug) {
+	    warn ("setsockopt");
+	}
+    }
+#endif				/* SO_OOBINLINE */
+
+    return (hostname);
+bad:
+    close (s);
+    return NULL;
+}
+
+int
+login (char *host)
+{
+    char tmp[80];
+    char defaultpass[128];
+    char *user, *pass, *acct;
+    int n, aflag = 0;
+
+    char *myname = NULL;
+    struct passwd *pw = k_getpwuid(getuid());
+
+    if (pw != NULL)
+	myname = pw->pw_name;
+
+    user = pass = acct = 0;
+
+    if(sec_login(host))
+	printf("\n*** Using plaintext user and password ***\n\n");
+    else{
+	printf("Authentication successful.\n\n");
+    }
+
+    if (ruserpass (host, &user, &pass, &acct) < 0) {
+	code = -1;
+	return (0);
+    }
+    while (user == NULL) {
+	if (myname)
+	    printf ("Name (%s:%s): ", host, myname);
+	else
+	    printf ("Name (%s): ", host);
+	*tmp = '\0';
+	if (fgets (tmp, sizeof (tmp) - 1, stdin) != NULL)
+	    tmp[strlen (tmp) - 1] = '\0';
+	if (*tmp == '\0')
+	    user = myname;
+	else
+	    user = tmp;
+    }
+    strlcpy(username, user, sizeof(username));
+    n = command("USER %s", user);
+    if (n == COMPLETE) 
+       n = command("PASS dummy"); /* DK: Compatibility with gssftp daemon */
+    else if(n == CONTINUE) {
+	if (pass == NULL) {
+	    char prompt[128];
+	    if(myname && 
+	       (!strcmp(user, "ftp") || !strcmp(user, "anonymous"))) {
+		snprintf(defaultpass, sizeof(defaultpass), 
+			 "%s@%s", myname, mydomain);
+		snprintf(prompt, sizeof(prompt), 
+			 "Password (%s): ", defaultpass);
+	    } else if (sec_complete) {
+		pass = myname;
+	    } else {
+		*defaultpass = '\0';
+		snprintf(prompt, sizeof(prompt), "Password: ");
+	    }
+	    if (pass == NULL) {
+		pass = defaultpass;
+		des_read_pw_string (tmp, sizeof (tmp), prompt, 0);
+		if (tmp[0])
+		    pass = tmp;
+	    }
+	}
+	n = command ("PASS %s", pass);
+    }
+    if (n == CONTINUE) {
+	aflag++;
+	acct = tmp;
+	des_read_pw_string (acct, 128, "Account:", 0);
+	n = command ("ACCT %s", acct);
+    }
+    if (n != COMPLETE) {
+	warnx ("Login failed.");
+	return (0);
+    }
+    if (!aflag && acct != NULL)
+	command ("ACCT %s", acct);
+    if (proxy)
+	return (1);
+    for (n = 0; n < macnum; ++n) {
+	if (!strcmp("init", macros[n].mac_name)) {
+	    strlcpy (line, "$init", sizeof (line));
+	    makeargv();
+	    domacro(margc, margv);
+	    break;
+	}
+    }
+    sec_set_protection_level ();
+    return (1);
+}
+
+void
+cmdabort (int sig)
+{
+
+    printf ("\n");
+    fflush (stdout);
+    abrtflag++;
+    if (ptflag)
+	longjmp (ptabort, 1);
+}
+
+int
+command (char *fmt,...)
+{
+    va_list ap;
+    int r;
+    sighand oldintr;
+
+    abrtflag = 0;
+    if (cout == NULL) {
+	warn ("No control connection for command");
+	code = -1;
+	return (0);
+    }
+    oldintr = signal(SIGINT, cmdabort);
+    va_start(ap, fmt);
+    if(debug){
+	printf("---> ");
+	if (strncmp("PASS ", fmt, 5) == 0)
+	    printf("PASS XXXX");
+	else 
+	    vfprintf(stdout, fmt, ap);
+	va_start(ap, fmt);
+    }
+    sec_vfprintf(cout, fmt, ap);
+    va_end(ap);
+    if(debug){
+	printf("\n");
+	fflush(stdout);
+    }
+    fprintf (cout, "\r\n");
+    fflush (cout);
+    cpend = 1;
+    r = getreply (!strcmp (fmt, "QUIT"));
+    if (abrtflag && oldintr != SIG_IGN)
+	(*oldintr) (SIGINT);
+    signal (SIGINT, oldintr);
+    return (r);
+}
+
+char reply_string[BUFSIZ];	/* last line of previous reply */
+
+int
+getreply (int expecteof)
+{
+    char *p;
+    char *lead_string;
+    int c;
+    struct sigaction sa, osa;
+    char buf[1024];
+
+    sigemptyset (&sa.sa_mask);
+    sa.sa_flags = 0;
+    sa.sa_handler = cmdabort;
+    sigaction (SIGINT, &sa, &osa);
+
+    p = buf;
+
+    while (1) {
+	c = getc (cin);
+	switch (c) {
+	case EOF:
+	    if (expecteof) {
+		sigaction (SIGINT, &osa, NULL);
+		code = 221;
+		return 0;
+	    }
+	    lostpeer (0);
+	    if (verbose) {
+		printf ("421 Service not available, "
+			"remote server has closed connection\n");
+		fflush (stdout);
+	    }
+	    code = 421;
+	    return (4);
+	case IAC:
+	    c = getc (cin);
+	    if (c == WILL || c == WONT)
+		fprintf (cout, "%c%c%c", IAC, DONT, getc (cin));
+	    if (c == DO || c == DONT)
+		fprintf (cout, "%c%c%c", IAC, WONT, getc (cin));
+	    continue;
+	case '\n':
+	    *p++ = '\0';
+	    if(isdigit(buf[0])){
+		sscanf(buf, "%d", &code);
+		if(code == 631){
+		    sec_read_msg(buf, prot_safe);
+		    sscanf(buf, "%d", &code);
+		    lead_string = "S:";
+		} else if(code == 632){
+		    sec_read_msg(buf, prot_private);
+		    sscanf(buf, "%d", &code);
+		    lead_string = "P:";
+		}else if(code == 633){
+		    sec_read_msg(buf, prot_confidential);
+		    sscanf(buf, "%d", &code);
+		    lead_string = "C:";
+		}else if(sec_complete)
+		    lead_string = "!!";
+		else
+		    lead_string = "";
+		if (verbose > 0 || (verbose > -1 && code > 499))
+		    fprintf (stdout, "%s%s\n", lead_string, buf);
+		if (buf[3] == ' ') {
+		    strcpy (reply_string, buf);
+		    if (code >= 200)
+			cpend = 0;
+		    sigaction (SIGINT, &osa, NULL);
+		    if (code == 421)
+			lostpeer (0);
+#if 1
+		    if (abrtflag &&
+			osa.sa_handler != cmdabort &&
+			osa.sa_handler != SIG_IGN)
+			osa.sa_handler (SIGINT);
+#endif
+		    if (code == 227 || code == 229) {
+			char *p, *q;
+
+			pasv[0] = 0;
+			p = strchr (reply_string, '(');
+			if (p) {
+			    p++;
+			    q = strchr(p, ')');
+			    if(q){
+				memcpy (pasv, p, q - p);
+				pasv[q - p] = 0;
+			    }
+			}
+		    }
+		    return code / 100;
+		}
+	    }else{
+		if(verbose > 0 || (verbose > -1 && code > 499)){
+		    if(sec_complete)
+			fprintf(stdout, "!!");
+		    fprintf(stdout, "%s\n", buf);
+		}
+	    }
+	    p = buf;
+	    continue;
+	default:
+	    *p++ = c;
+	}
+    }
+
+}
+
+
+#if 0
+int
+getreply (int expecteof)
+{
+    int c, n;
+    int dig;
+    int originalcode = 0, continuation = 0;
+    sighand oldintr;
+    int pflag = 0;
+    char *cp, *pt = pasv;
+
+    oldintr = signal (SIGINT, cmdabort);
+    for (;;) {
+	dig = n = code = 0;
+	cp = reply_string;
+	while ((c = getc (cin)) != '\n') {
+	    if (c == IAC) {	/* handle telnet commands */
+		switch (c = getc (cin)) {
+		case WILL:
+		case WONT:
+		    c = getc (cin);
+		    fprintf (cout, "%c%c%c", IAC, DONT, c);
+		    fflush (cout);
+		    break;
+		case DO:
+		case DONT:
+		    c = getc (cin);
+		    fprintf (cout, "%c%c%c", IAC, WONT, c);
+		    fflush (cout);
+		    break;
+		default:
+		    break;
+		}
+		continue;
+	    }
+	    dig++;
+	    if (c == EOF) {
+		if (expecteof) {
+		    signal (SIGINT, oldintr);
+		    code = 221;
+		    return (0);
+		}
+		lostpeer (0);
+		if (verbose) {
+		    printf ("421 Service not available, remote server has closed connection\n");
+		    fflush (stdout);
+		}
+		code = 421;
+		return (4);
+	    }
+	    if (c != '\r' && (verbose > 0 ||
+			      (verbose > -1 && n == '5' && dig > 4))) {
+		if (proxflag &&
+		    (dig == 1 || dig == 5 && verbose == 0))
+		    printf ("%s:", hostname);
+		putchar (c);
+	    }
+	    if (dig < 4 && isdigit (c))
+		code = code * 10 + (c - '0');
+	    if (!pflag && code == 227)
+		pflag = 1;
+	    if (dig > 4 && pflag == 1 && isdigit (c))
+		pflag = 2;
+	    if (pflag == 2) {
+		if (c != '\r' && c != ')')
+		    *pt++ = c;
+		else {
+		    *pt = '\0';
+		    pflag = 3;
+		}
+	    }
+	    if (dig == 4 && c == '-') {
+		if (continuation)
+		    code = 0;
+		continuation++;
+	    }
+	    if (n == 0)
+		n = c;
+	    if (cp < &reply_string[sizeof (reply_string) - 1])
+		*cp++ = c;
+	}
+	if (verbose > 0 || verbose > -1 && n == '5') {
+	    putchar (c);
+	    fflush (stdout);
+	}
+	if (continuation && code != originalcode) {
+	    if (originalcode == 0)
+		originalcode = code;
+	    continue;
+	}
+	*cp = '\0';
+	if(sec_complete){
+	    if(code == 631)
+		sec_read_msg(reply_string, prot_safe);
+	    else if(code == 632)
+		sec_read_msg(reply_string, prot_private);
+	    else if(code == 633)
+		sec_read_msg(reply_string, prot_confidential);
+	    n = code / 100 + '0';
+	}
+	if (n != '1')
+	    cpend = 0;
+	signal (SIGINT, oldintr);
+	if (code == 421 || originalcode == 421)
+	    lostpeer (0);
+	if (abrtflag && oldintr != cmdabort && oldintr != SIG_IGN)
+	    (*oldintr) (SIGINT);
+	return (n - '0');
+    }
+}
+
+#endif
+
+int
+empty (fd_set * mask, int sec)
+{
+    struct timeval t;
+
+    t.tv_sec = sec;
+    t.tv_usec = 0;
+    return (select (FD_SETSIZE, mask, NULL, NULL, &t));
+}
+
+jmp_buf sendabort;
+
+static RETSIGTYPE
+abortsend (int sig)
+{
+
+    mflag = 0;
+    abrtflag = 0;
+    printf ("\nsend aborted\nwaiting for remote to finish abort\n");
+    fflush (stdout);
+    longjmp (sendabort, 1);
+}
+
+#define HASHBYTES 1024
+
+static int
+copy_stream (FILE * from, FILE * to)
+{
+    static size_t bufsize;
+    static char *buf;
+    int n;
+    int bytes = 0;
+    int werr = 0;
+    int hashbytes = HASHBYTES;
+    struct stat st;
+
+#if defined(HAVE_MMAP) && !defined(NO_MMAP)
+    void *chunk;
+
+#ifndef MAP_FAILED
+#define MAP_FAILED (-1)
+#endif
+
+    if (fstat (fileno (from), &st) == 0 && S_ISREG (st.st_mode)) {
+	/*
+	 * mmap zero bytes has potential of loosing, don't do it.
+	 */
+	if (st.st_size == 0)
+	    return 0;
+	chunk = mmap (0, st.st_size, PROT_READ, MAP_SHARED, fileno (from), 0);
+	if (chunk != (void *) MAP_FAILED) {
+	    int res;
+
+	    res = sec_write (fileno (to), chunk, st.st_size);
+	    if (munmap (chunk, st.st_size) < 0)
+		warn ("munmap");
+	    sec_fflush (to);
+	    return res;
+	}
+    }
+#endif
+
+    buf = alloc_buffer (buf, &bufsize,
+			fstat (fileno (from), &st) >= 0 ? &st : NULL);
+    if (buf == NULL)
+	return -1;
+
+    while ((n = read (fileno (from), buf, bufsize)) > 0) {
+	werr = sec_write (fileno (to), buf, n);
+	if (werr < 0)
+	    break;
+	bytes += werr;
+	while (hash && bytes > hashbytes) {
+	    putchar ('#');
+	    hashbytes += HASHBYTES;
+	}
+    }
+    sec_fflush (to);
+    if (n < 0)
+	warn ("local");
+
+    if (werr < 0) {
+	if (errno != EPIPE)
+	    warn ("netout");
+	bytes = -1;
+    }
+    return bytes;
+}
+
+void
+sendrequest (char *cmd, char *local, char *remote, char *lmode, int printnames)
+{
+    struct stat st;
+    struct timeval start, stop;
+    int c, d;
+    FILE *fin, *dout = 0;
+    int (*closefunc) (FILE *);
+    RETSIGTYPE (*oldintr)(int), (*oldintp)(int);
+    long bytes = 0, hashbytes = HASHBYTES;
+    char *rmode = "w";
+
+    if (verbose && printnames) {
+	if (local && strcmp (local, "-") != 0)
+	    printf ("local: %s ", local);
+	if (remote)
+	    printf ("remote: %s\n", remote);
+    }
+    if (proxy) {
+	proxtrans (cmd, local, remote);
+	return;
+    }
+    if (curtype != type)
+	changetype (type, 0);
+    closefunc = NULL;
+    oldintr = NULL;
+    oldintp = NULL;
+
+    if (setjmp (sendabort)) {
+	while (cpend) {
+	    getreply (0);
+	}
+	if (data >= 0) {
+	    close (data);
+	    data = -1;
+	}
+	if (oldintr)
+	    signal (SIGINT, oldintr);
+	if (oldintp)
+	    signal (SIGPIPE, oldintp);
+	code = -1;
+	return;
+    }
+    oldintr = signal (SIGINT, abortsend);
+    if (strcmp (local, "-") == 0)
+	fin = stdin;
+    else if (*local == '|') {
+	oldintp = signal (SIGPIPE, SIG_IGN);
+	fin = popen (local + 1, lmode);
+	if (fin == NULL) {
+	    warn ("%s", local + 1);
+	    signal (SIGINT, oldintr);
+	    signal (SIGPIPE, oldintp);
+	    code = -1;
+	    return;
+	}
+	closefunc = pclose;
+    } else {
+	fin = fopen (local, lmode);
+	if (fin == NULL) {
+	    warn ("local: %s", local);
+	    signal (SIGINT, oldintr);
+	    code = -1;
+	    return;
+	}
+	closefunc = fclose;
+	if (fstat (fileno (fin), &st) < 0 ||
+	    (st.st_mode & S_IFMT) != S_IFREG) {
+	    fprintf (stdout, "%s: not a plain file.\n", local);
+	    signal (SIGINT, oldintr);
+	    fclose (fin);
+	    code = -1;
+	    return;
+	}
+    }
+    if (initconn ()) {
+	signal (SIGINT, oldintr);
+	if (oldintp)
+	    signal (SIGPIPE, oldintp);
+	code = -1;
+	if (closefunc != NULL)
+	    (*closefunc) (fin);
+	return;
+    }
+    if (setjmp (sendabort))
+	goto abort;
+
+    if (restart_point &&
+	(strcmp (cmd, "STOR") == 0 || strcmp (cmd, "APPE") == 0)) {
+	int rc;
+
+	switch (curtype) {
+	case TYPE_A:
+	    rc = fseek (fin, (long) restart_point, SEEK_SET);
+	    break;
+	case TYPE_I:
+	case TYPE_L:
+	    rc = lseek (fileno (fin), restart_point, SEEK_SET);
+	    break;
+	}
+	if (rc < 0) {
+	    warn ("local: %s", local);
+	    restart_point = 0;
+	    if (closefunc != NULL)
+		(*closefunc) (fin);
+	    return;
+	}
+	if (command ("REST %ld", (long) restart_point)
+	    != CONTINUE) {
+	    restart_point = 0;
+	    if (closefunc != NULL)
+		(*closefunc) (fin);
+	    return;
+	}
+	restart_point = 0;
+	rmode = "r+w";
+    }
+    if (remote) {
+	if (command ("%s %s", cmd, remote) != PRELIM) {
+	    signal (SIGINT, oldintr);
+	    if (oldintp)
+		signal (SIGPIPE, oldintp);
+	    if (closefunc != NULL)
+		(*closefunc) (fin);
+	    return;
+	}
+    } else if (command ("%s", cmd) != PRELIM) {
+	    signal(SIGINT, oldintr);
+	    if (oldintp)
+		signal(SIGPIPE, oldintp);
+	    if (closefunc != NULL)
+		(*closefunc)(fin);
+	    return;
+	}
+    dout = dataconn(rmode);
+    if (dout == NULL)
+	goto abort;
+    set_buffer_size (fileno (dout), 0);
+    gettimeofday (&start, (struct timezone *) 0);
+    oldintp = signal (SIGPIPE, SIG_IGN);
+    switch (curtype) {
+
+    case TYPE_I:
+    case TYPE_L:
+	errno = d = c = 0;
+	bytes = copy_stream (fin, dout);
+	break;
+
+    case TYPE_A:
+	while ((c = getc (fin)) != EOF) {
+	    if (c == '\n') {
+		while (hash && (bytes >= hashbytes)) {
+		    putchar ('#');
+		    fflush (stdout);
+		    hashbytes += HASHBYTES;
+		}
+		if (ferror (dout))
+		    break;
+		sec_putc ('\r', dout);
+		bytes++;
+	    }
+	    sec_putc (c, dout);
+	    bytes++;
+	}
+	sec_fflush (dout);
+	if (hash) {
+	    if (bytes < hashbytes)
+		putchar ('#');
+	    putchar ('\n');
+	    fflush (stdout);
+	}
+	if (ferror (fin))
+	    warn ("local: %s", local);
+	if (ferror (dout)) {
+	    if (errno != EPIPE)
+		warn ("netout");
+	    bytes = -1;
+	}
+	break;
+    }
+    if (closefunc != NULL)
+	(*closefunc) (fin);
+    fclose (dout);
+    gettimeofday (&stop, (struct timezone *) 0);
+    getreply (0);
+    signal (SIGINT, oldintr);
+    if (oldintp)
+	signal (SIGPIPE, oldintp);
+    if (bytes > 0)
+	ptransfer ("sent", bytes, &start, &stop);
+    return;
+abort:
+    signal (SIGINT, oldintr);
+    if (oldintp)
+	signal (SIGPIPE, oldintp);
+    if (!cpend) {
+	code = -1;
+	return;
+    }
+    if (data >= 0) {
+	close (data);
+	data = -1;
+    }
+    if (dout)
+	fclose (dout);
+    getreply (0);
+    code = -1;
+    if (closefunc != NULL && fin != NULL)
+	(*closefunc) (fin);
+    gettimeofday (&stop, (struct timezone *) 0);
+    if (bytes > 0)
+	ptransfer ("sent", bytes, &start, &stop);
+}
+
+jmp_buf recvabort;
+
+void
+abortrecv (int sig)
+{
+
+    mflag = 0;
+    abrtflag = 0;
+    printf ("\nreceive aborted\nwaiting for remote to finish abort\n");
+    fflush (stdout);
+    longjmp (recvabort, 1);
+}
+
+void
+recvrequest (char *cmd, char *local, char *remote,
+	     char *lmode, int printnames, int local_given)
+{
+    FILE *fout, *din = 0;
+    int (*closefunc) (FILE *);
+    sighand oldintr, oldintp;
+    int c, d, is_retr, tcrflag, bare_lfs = 0;
+    static size_t bufsize;
+    static char *buf;
+    long bytes = 0, hashbytes = HASHBYTES;
+    struct timeval start, stop;
+    struct stat st;
+
+    is_retr = strcmp (cmd, "RETR") == 0;
+    if (is_retr && verbose && printnames) {
+	if (local && strcmp (local, "-") != 0)
+	    printf ("local: %s ", local);
+	if (remote)
+	    printf ("remote: %s\n", remote);
+    }
+    if (proxy && is_retr) {
+	proxtrans (cmd, local, remote);
+	return;
+    }
+    closefunc = NULL;
+    oldintr = NULL;
+    oldintp = NULL;
+    tcrflag = !crflag && is_retr;
+    if (setjmp (recvabort)) {
+	while (cpend) {
+	    getreply (0);
+	}
+	if (data >= 0) {
+	    close (data);
+	    data = -1;
+	}
+	if (oldintr)
+	    signal (SIGINT, oldintr);
+	code = -1;
+	return;
+    }
+    oldintr = signal (SIGINT, abortrecv);
+    if (!local_given || (strcmp (local, "-") && *local != '|')) {
+	if (access (local, 2) < 0) {
+	    char *dir = strrchr (local, '/');
+
+	    if (errno != ENOENT && errno != EACCES) {
+		warn ("local: %s", local);
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	    if (dir != NULL)
+		*dir = 0;
+	    d = access (dir ? local : ".", 2);
+	    if (dir != NULL)
+		*dir = '/';
+	    if (d < 0) {
+		warn ("local: %s", local);
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	    if (!runique && errno == EACCES &&
+		chmod (local, 0600) < 0) {
+		warn ("local: %s", local);
+		signal (SIGINT, oldintr);
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	    if (runique && errno == EACCES &&
+		(local = gunique (local)) == NULL) {
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	} else if (runique && (local = gunique (local)) == NULL) {
+	    signal(SIGINT, oldintr);
+	    code = -1;
+	    return;
+	}
+    }
+    if (!is_retr) {
+	if (curtype != TYPE_A)
+	    changetype (TYPE_A, 0);
+    } else if (curtype != type)
+	changetype (type, 0);
+    if (initconn ()) {
+	signal (SIGINT, oldintr);
+	code = -1;
+	return;
+    }
+    if (setjmp (recvabort))
+	goto abort;
+    if (is_retr && restart_point &&
+	command ("REST %ld", (long) restart_point) != CONTINUE)
+	return;
+    if (remote) {
+	if (command ("%s %s", cmd, remote) != PRELIM) {
+	    signal (SIGINT, oldintr);
+	    return;
+	}
+    } else {
+	if (command ("%s", cmd) != PRELIM) {
+	    signal (SIGINT, oldintr);
+	    return;
+	}
+    }
+    din = dataconn ("r");
+    if (din == NULL)
+	goto abort;
+    set_buffer_size (fileno (din), 1);
+    if (local_given && strcmp (local, "-") == 0)
+	fout = stdout;
+    else if (local_given && *local == '|') {
+	oldintp = signal (SIGPIPE, SIG_IGN);
+	fout = popen (local + 1, "w");
+	if (fout == NULL) {
+	    warn ("%s", local + 1);
+	    goto abort;
+	}
+	closefunc = pclose;
+    } else {
+	fout = fopen (local, lmode);
+	if (fout == NULL) {
+	    warn ("local: %s", local);
+	    goto abort;
+	}
+	closefunc = fclose;
+    }
+    buf = alloc_buffer (buf, &bufsize,
+			fstat (fileno (fout), &st) >= 0 ? &st : NULL);
+    if (buf == NULL)
+	goto abort;
+
+    gettimeofday (&start, (struct timezone *) 0);
+    switch (curtype) {
+
+    case TYPE_I:
+    case TYPE_L:
+	if (restart_point &&
+	    lseek (fileno (fout), restart_point, SEEK_SET) < 0) {
+	    warn ("local: %s", local);
+	    if (closefunc != NULL)
+		(*closefunc) (fout);
+	    return;
+	}
+	errno = d = 0;
+	while ((c = sec_read (fileno (din), buf, bufsize)) > 0) {
+	    if ((d = write (fileno (fout), buf, c)) != c)
+		break;
+	    bytes += c;
+	    if (hash) {
+		while (bytes >= hashbytes) {
+		    putchar ('#');
+		    hashbytes += HASHBYTES;
+		}
+		fflush (stdout);
+	    }
+	}
+	if (hash && bytes > 0) {
+	    if (bytes < HASHBYTES)
+		putchar ('#');
+	    putchar ('\n');
+	    fflush (stdout);
+	}
+	if (c < 0) {
+	    if (errno != EPIPE)
+		warn ("netin");
+	    bytes = -1;
+	}
+	if (d < c) {
+	    if (d < 0)
+		warn ("local: %s", local);
+	    else
+		warnx ("%s: short write", local);
+	}
+	break;
+
+    case TYPE_A:
+	if (restart_point) {
+	    int i, n, ch;
+
+	    if (fseek (fout, 0L, SEEK_SET) < 0)
+		goto done;
+	    n = restart_point;
+	    for (i = 0; i++ < n;) {
+		if ((ch = sec_getc (fout)) == EOF)
+		    goto done;
+		if (ch == '\n')
+		    i++;
+	    }
+	    if (fseek (fout, 0L, SEEK_CUR) < 0) {
+	done:
+		warn ("local: %s", local);
+		if (closefunc != NULL)
+		    (*closefunc) (fout);
+		return;
+	    }
+	}
+	while ((c = sec_getc(din)) != EOF) {
+	    if (c == '\n')
+		bare_lfs++;
+	    while (c == '\r') {
+		while (hash && (bytes >= hashbytes)) {
+		    putchar ('#');
+		    fflush (stdout);
+		    hashbytes += HASHBYTES;
+		}
+		bytes++;
+		if ((c = sec_getc (din)) != '\n' || tcrflag) {
+		    if (ferror (fout))
+			goto break2;
+		    putc ('\r', fout);
+		    if (c == '\0') {
+			bytes++;
+			goto contin2;
+		    }
+		    if (c == EOF)
+			goto contin2;
+		}
+	    }
+	    putc (c, fout);
+	    bytes++;
+    contin2:;
+	}
+break2:
+	if (bare_lfs) {
+	    printf ("WARNING! %d bare linefeeds received in ASCII mode\n",
+		    bare_lfs);
+	    printf ("File may not have transferred correctly.\n");
+	}
+	if (hash) {
+	    if (bytes < hashbytes)
+		putchar ('#');
+	    putchar ('\n');
+	    fflush (stdout);
+	}
+	if (ferror (din)) {
+	    if (errno != EPIPE)
+		warn ("netin");
+	    bytes = -1;
+	}
+	if (ferror (fout))
+	    warn ("local: %s", local);
+	break;
+    }
+    if (closefunc != NULL)
+	(*closefunc) (fout);
+    signal (SIGINT, oldintr);
+    if (oldintp)
+	signal (SIGPIPE, oldintp);
+    fclose (din);
+    gettimeofday (&stop, (struct timezone *) 0);
+    getreply (0);
+    if (bytes > 0 && is_retr)
+	ptransfer ("received", bytes, &start, &stop);
+    return;
+abort:
+
+    /* abort using RFC959 recommended IP,SYNC sequence  */
+
+    if (oldintp)
+	signal (SIGPIPE, oldintr);
+    signal (SIGINT, SIG_IGN);
+    if (!cpend) {
+	code = -1;
+	signal (SIGINT, oldintr);
+	return;
+    }
+    abort_remote(din);
+    code = -1;
+    if (data >= 0) {
+	close (data);
+	data = -1;
+    }
+    if (closefunc != NULL && fout != NULL)
+	(*closefunc) (fout);
+    if (din)
+	fclose (din);
+    gettimeofday (&stop, (struct timezone *) 0);
+    if (bytes > 0)
+	ptransfer ("received", bytes, &start, &stop);
+    signal (SIGINT, oldintr);
+}
+
+static int
+parse_epsv (const char *str)
+{
+    char sep;
+    char *end;
+    int port;
+
+    if (*str == '\0')
+	return -1;
+    sep = *str++;
+    if (sep != *str++)
+	return -1;
+    if (sep != *str++)
+	return -1;
+    port = strtol (str, &end, 0);
+    if (str == end)
+	return -1;
+    if (end[0] != sep || end[1] != '\0')
+	return -1;
+    return htons(port);
+}
+
+static int
+parse_pasv (struct sockaddr_in *sin, const char *str)
+{
+    int a0, a1, a2, a3, p0, p1;
+
+    /*
+     * What we've got at this point is a string of comma separated
+     * one-byte unsigned integer values. The first four are the an IP
+     * address. The fifth is the MSB of the port number, the sixth is the
+     * LSB. From that we'll prepare a sockaddr_in.
+     */
+
+    if (sscanf (str, "%d,%d,%d,%d,%d,%d",
+		&a0, &a1, &a2, &a3, &p0, &p1) != 6) {
+	printf ("Passive mode address scan failure. "
+		"Shouldn't happen!\n");
+	return -1;
+    }
+    if (a0 < 0 || a0 > 255 ||
+	a1 < 0 || a1 > 255 ||
+	a2 < 0 || a2 > 255 ||
+	a3 < 0 || a3 > 255 ||
+	p0 < 0 || p0 > 255 ||
+	p1 < 0 || p1 > 255) {
+	printf ("Can't parse passive mode string.\n");
+	return -1;
+    }
+    memset (sin, 0, sizeof(*sin));
+    sin->sin_family      = AF_INET;
+    sin->sin_addr.s_addr = htonl ((a0 << 24) | (a1 << 16) |
+				  (a2 << 8) | a3);
+    sin->sin_port = htons ((p0 << 8) | p1);
+    return 0;
+}
+
+static int
+passive_mode (void)
+{
+    int port;
+
+    data = socket (myctladdr->sa_family, SOCK_STREAM, 0);
+    if (data < 0) {
+	warn ("socket");
+	return (1);
+    }
+    if (options & SO_DEBUG)
+	socket_set_debug (data);
+    if (command ("EPSV") != COMPLETE) {
+	if (command ("PASV") != COMPLETE) {
+	    printf ("Passive mode refused.\n");
+	    goto bad;
+	}
+    }
+
+    /*
+     * Parse the reply to EPSV or PASV
+     */
+
+    port = parse_epsv (pasv);
+    if (port > 0) {
+	data_addr->sa_family = myctladdr->sa_family;
+	socket_set_address_and_port (data_addr,
+				     socket_get_address (hisctladdr),
+				     port);
+    } else {
+	if (parse_pasv ((struct sockaddr_in *)data_addr, pasv) < 0)
+	    goto bad;
+    }
+
+    if (connect (data, data_addr, socket_sockaddr_size (data_addr)) < 0) {
+	warn ("connect");
+	goto bad;
+    }
+#ifdef IPTOS_THROUGHPUT
+    socket_set_tos (data, IPTOS_THROUGHPUT);
+#endif
+    return (0);
+bad:
+    close (data);
+    data = -1;
+    sendport = 1;
+    return (1);
+}
+
+
+static int
+active_mode (void)
+{
+    int tmpno = 0;
+    socklen_t len;
+    int result;
+
+noport:
+    data_addr->sa_family = myctladdr->sa_family;
+    socket_set_address_and_port (data_addr, socket_get_address (myctladdr),
+				 sendport ? 0 : socket_get_port (myctladdr));
+
+    if (data != -1)
+	close (data);
+    data = socket (data_addr->sa_family, SOCK_STREAM, 0);
+    if (data < 0) {
+	warn ("socket");
+	if (tmpno)
+	    sendport = 1;
+	return (1);
+    }
+    if (!sendport)
+	socket_set_reuseaddr (data, 1);
+    if (bind (data, data_addr, socket_sockaddr_size (data_addr)) < 0) {
+	warn ("bind");
+	goto bad;
+    }
+    if (options & SO_DEBUG)
+	socket_set_debug (data);
+    len = sizeof (data_addr_ss);
+    if (getsockname (data, data_addr, &len) < 0) {
+	warn ("getsockname");
+	goto bad;
+    }
+    if (listen (data, 1) < 0)
+	warn ("listen");
+    if (sendport) {
+	char *cmd;
+	char addr_str[256];
+	int inet_af;
+	int overbose;
+
+	if (inet_ntop (data_addr->sa_family, socket_get_address (data_addr),
+		       addr_str, sizeof(addr_str)) == NULL)
+	    errx (1, "inet_ntop failed");
+	switch (data_addr->sa_family) {
+	case AF_INET :
+	    inet_af = 1;
+	    break;
+#ifdef HAVE_IPV6
+	case AF_INET6 :
+	    inet_af = 2;
+	    break;
+#endif
+	default :
+	    errx (1, "bad address family %d", data_addr->sa_family);
+	}
+
+	asprintf (&cmd, "EPRT |%d|%s|%d|",
+		  inet_af, addr_str, ntohs(socket_get_port (data_addr)));
+
+	overbose = verbose;
+	if (debug == 0)
+	    verbose  = -1;
+
+	result = command (cmd);
+
+	verbose = overbose;
+
+	if (result == ERROR) {
+	    struct sockaddr_in *sin = (struct sockaddr_in *)data_addr;
+
+	    unsigned int a = ntohl(sin->sin_addr.s_addr);
+	    unsigned int p = ntohs(sin->sin_port);
+
+	    if (data_addr->sa_family != AF_INET) {
+		warnx ("remote server doesn't support EPRT");
+		goto bad;
+	    }
+
+	    result = command("PORT %d,%d,%d,%d,%d,%d", 
+			     (a >> 24) & 0xff,
+			     (a >> 16) & 0xff,
+			     (a >> 8) & 0xff,
+			     a & 0xff,
+			     (p >> 8) & 0xff,
+			     p & 0xff);
+	    if (result == ERROR && sendport == -1) {
+		sendport = 0;
+		tmpno = 1;
+		goto noport;
+	    }
+	    return (result != COMPLETE);
+	}
+	return result != COMPLETE;
+    }
+    if (tmpno)
+	sendport = 1;
+
+
+#ifdef IPTOS_THROUGHPUT
+    socket_set_tos (data, IPTOS_THROUGHPUT);
+#endif
+    return (0);
+bad:
+    close (data);
+    data = -1;
+    if (tmpno)
+	sendport = 1;
+    return (1);
+}
+
+/*
+ * Need to start a listen on the data channel before we send the command,
+ * otherwise the server's connect may fail.
+ */
+int
+initconn (void)
+{
+    if (passivemode) 
+	return passive_mode ();
+    else
+	return active_mode ();
+}
+
+FILE *
+dataconn (const char *lmode)
+{
+    struct sockaddr_storage from_ss;
+    struct sockaddr *from = (struct sockaddr *)&from_ss;
+    socklen_t fromlen = sizeof(from_ss);
+    int s;
+
+    if (passivemode)
+	return (fdopen (data, lmode));
+
+    s = accept (data, from, &fromlen);
+    if (s < 0) {
+	warn ("accept");
+	close (data), data = -1;
+	return (NULL);
+    }
+    close (data);
+    data = s;
+#ifdef IPTOS_THROUGHPUT
+    socket_set_tos (s, IPTOS_THROUGHPUT);
+#endif
+    return (fdopen (data, lmode));
+}
+
+void
+ptransfer (char *direction, long int bytes,
+	   struct timeval * t0, struct timeval * t1)
+{
+    struct timeval td;
+    float s;
+    float bs;
+    int prec;
+    char *unit;
+
+    if (verbose) {
+	td.tv_sec = t1->tv_sec - t0->tv_sec;
+	td.tv_usec = t1->tv_usec - t0->tv_usec;
+	if (td.tv_usec < 0) {
+	    td.tv_sec--;
+	    td.tv_usec += 1000000;
+	}
+	s = td.tv_sec + (td.tv_usec / 1000000.);
+	bs = bytes / (s ? s : 1);
+	if (bs >= 1048576) {
+	    bs /= 1048576;
+	    unit = "M";
+	    prec = 2;
+	} else if (bs >= 1024) {
+	    bs /= 1024;
+	    unit = "k";
+	    prec = 1;
+	} else {
+	    unit = "";
+	    prec = 0;
+	}
+
+	printf ("%ld bytes %s in %.3g seconds (%.*f %sbyte/s)\n",
+		bytes, direction, s, prec, bs, unit);
+    }
+}
+
+void
+psabort (int sig)
+{
+
+    abrtflag++;
+}
+
+void
+pswitch (int flag)
+{
+    sighand oldintr;
+    static struct comvars {
+	int connect;
+	char name[MaxHostNameLen];
+	struct sockaddr_storage mctl;
+	struct sockaddr_storage hctl;
+	FILE *in;
+	FILE *out;
+	int tpe;
+	int curtpe;
+	int cpnd;
+	int sunqe;
+	int runqe;
+	int mcse;
+	int ntflg;
+	char nti[17];
+	char nto[17];
+	int mapflg;
+	char mi[MaxPathLen];
+	char mo[MaxPathLen];
+    } proxstruct, tmpstruct;
+    struct comvars *ip, *op;
+
+    abrtflag = 0;
+    oldintr = signal (SIGINT, psabort);
+    if (flag) {
+	if (proxy)
+	    return;
+	ip = &tmpstruct;
+	op = &proxstruct;
+	proxy++;
+    } else {
+	if (!proxy)
+	    return;
+	ip = &proxstruct;
+	op = &tmpstruct;
+	proxy = 0;
+    }
+    ip->connect = connected;
+    connected = op->connect;
+    if (hostname) {
+	strlcpy (ip->name, hostname, sizeof (ip->name));
+    } else
+	ip->name[0] = 0;
+    hostname = op->name;
+    ip->hctl = hisctladdr_ss;
+    hisctladdr_ss = op->hctl;
+    ip->mctl = myctladdr_ss;
+    myctladdr_ss = op->mctl;
+    ip->in = cin;
+    cin = op->in;
+    ip->out = cout;
+    cout = op->out;
+    ip->tpe = type;
+    type = op->tpe;
+    ip->curtpe = curtype;
+    curtype = op->curtpe;
+    ip->cpnd = cpend;
+    cpend = op->cpnd;
+    ip->sunqe = sunique;
+    sunique = op->sunqe;
+    ip->runqe = runique;
+    runique = op->runqe;
+    ip->mcse = mcase;
+    mcase = op->mcse;
+    ip->ntflg = ntflag;
+    ntflag = op->ntflg;
+    strlcpy (ip->nti, ntin, sizeof (ip->nti));
+    strlcpy (ntin, op->nti, 17);
+    strlcpy (ip->nto, ntout, sizeof (ip->nto));
+    strlcpy (ntout, op->nto, 17);
+    ip->mapflg = mapflag;
+    mapflag = op->mapflg;
+    strlcpy (ip->mi, mapin, MaxPathLen);
+    strlcpy (mapin, op->mi, MaxPathLen);
+    strlcpy (ip->mo, mapout, MaxPathLen);
+    strlcpy (mapout, op->mo, MaxPathLen);
+    signal(SIGINT, oldintr);
+    if (abrtflag) {
+	abrtflag = 0;
+	(*oldintr) (SIGINT);
+    }
+}
+
+void
+abortpt (int sig)
+{
+
+    printf ("\n");
+    fflush (stdout);
+    ptabflg++;
+    mflag = 0;
+    abrtflag = 0;
+    longjmp (ptabort, 1);
+}
+
+void
+proxtrans (char *cmd, char *local, char *remote)
+{
+    sighand oldintr;
+    int secndflag = 0, prox_type, nfnd;
+    char *cmd2;
+    fd_set mask;
+
+    if (strcmp (cmd, "RETR"))
+	cmd2 = "RETR";
+    else
+	cmd2 = runique ? "STOU" : "STOR";
+    if ((prox_type = type) == 0) {
+	if (unix_server && unix_proxy)
+	    prox_type = TYPE_I;
+	else
+	    prox_type = TYPE_A;
+    }
+    if (curtype != prox_type)
+	changetype (prox_type, 1);
+    if (command ("PASV") != COMPLETE) {
+	printf ("proxy server does not support third party transfers.\n");
+	return;
+    }
+    pswitch (0);
+    if (!connected) {
+	printf ("No primary connection\n");
+	pswitch (1);
+	code = -1;
+	return;
+    }
+    if (curtype != prox_type)
+	changetype (prox_type, 1);
+    if (command ("PORT %s", pasv) != COMPLETE) {
+	pswitch (1);
+	return;
+    }
+    if (setjmp (ptabort))
+	goto abort;
+    oldintr = signal (SIGINT, abortpt);
+    if (command ("%s %s", cmd, remote) != PRELIM) {
+	signal (SIGINT, oldintr);
+	pswitch (1);
+	return;
+    }
+    sleep (2);
+    pswitch (1);
+    secndflag++;
+    if (command ("%s %s", cmd2, local) != PRELIM)
+	goto abort;
+    ptflag++;
+    getreply (0);
+    pswitch (0);
+    getreply (0);
+    signal (SIGINT, oldintr);
+    pswitch (1);
+    ptflag = 0;
+    printf ("local: %s remote: %s\n", local, remote);
+    return;
+abort:
+    signal (SIGINT, SIG_IGN);
+    ptflag = 0;
+    if (strcmp (cmd, "RETR") && !proxy)
+	pswitch (1);
+    else if (!strcmp (cmd, "RETR") && proxy)
+	pswitch (0);
+    if (!cpend && !secndflag) {	/* only here if cmd = "STOR" (proxy=1) */
+	if (command ("%s %s", cmd2, local) != PRELIM) {
+	    pswitch (0);
+	    if (cpend)
+		abort_remote ((FILE *) NULL);
+	}
+	pswitch (1);
+	if (ptabflg)
+	    code = -1;
+	signal (SIGINT, oldintr);
+	return;
+    }
+    if (cpend)
+	abort_remote ((FILE *) NULL);
+    pswitch (!proxy);
+    if (!cpend && !secndflag) {	/* only if cmd = "RETR" (proxy=1) */
+	if (command ("%s %s", cmd2, local) != PRELIM) {
+	    pswitch (0);
+	    if (cpend)
+		abort_remote ((FILE *) NULL);
+	    pswitch (1);
+	    if (ptabflg)
+		code = -1;
+	    signal (SIGINT, oldintr);
+	    return;
+	}
+    }
+    if (cpend)
+	abort_remote ((FILE *) NULL);
+    pswitch (!proxy);
+    if (cpend) {
+	FD_ZERO (&mask);
+	if (fileno(cin) >= FD_SETSIZE)
+	    errx (1, "fd too large");
+	FD_SET (fileno (cin), &mask);
+	if ((nfnd = empty (&mask, 10)) <= 0) {
+	    if (nfnd < 0) {
+		warn ("abort");
+	    }
+	    if (ptabflg)
+		code = -1;
+	    lostpeer (0);
+	}
+	getreply (0);
+	getreply (0);
+    }
+    if (proxy)
+	pswitch (0);
+    pswitch (1);
+    if (ptabflg)
+	code = -1;
+    signal (SIGINT, oldintr);
+}
+
+void
+reset (int argc, char **argv)
+{
+    fd_set mask;
+    int nfnd = 1;
+
+    FD_ZERO (&mask);
+    while (nfnd > 0) {
+	if (fileno (cin) >= FD_SETSIZE)
+	    errx (1, "fd too large");
+	FD_SET (fileno (cin), &mask);
+	if ((nfnd = empty (&mask, 0)) < 0) {
+	    warn ("reset");
+	    code = -1;
+	    lostpeer(0);
+	} else if (nfnd) {
+	    getreply(0);
+	}
+    }
+}
+
+char *
+gunique (char *local)
+{
+    static char new[MaxPathLen];
+    char *cp = strrchr (local, '/');
+    int d, count = 0;
+    char ext = '1';
+
+    if (cp)
+	*cp = '\0';
+    d = access (cp ? local : ".", 2);
+    if (cp)
+	*cp = '/';
+    if (d < 0) {
+	warn ("local: %s", local);
+	return NULL;
+    }
+    strlcpy (new, local, sizeof(new));
+    cp = new + strlen(new);
+    *cp++ = '.';
+    while (!d) {
+	if (++count == 100) {
+	    printf ("runique: can't find unique file name.\n");
+	    return NULL;
+	}
+	*cp++ = ext;
+	*cp = '\0';
+	if (ext == '9')
+	    ext = '0';
+	else
+	    ext++;
+	if ((d = access (new, 0)) < 0)
+	    break;
+	if (ext != '0')
+	    cp--;
+	else if (*(cp - 2) == '.')
+	    *(cp - 1) = '1';
+	else {
+	    *(cp - 2) = *(cp - 2) + 1;
+	    cp--;
+	}
+    }
+    return (new);
+}
+
+void
+abort_remote (FILE * din)
+{
+    char buf[BUFSIZ];
+    int nfnd;
+    fd_set mask;
+
+    /*
+     * send IAC in urgent mode instead of DM because 4.3BSD places oob mark
+     * after urgent byte rather than before as is protocol now
+     */
+    snprintf (buf, sizeof (buf), "%c%c%c", IAC, IP, IAC);
+    if (send (fileno (cout), buf, 3, MSG_OOB) != 3)
+	warn ("abort");
+    fprintf (cout, "%cABOR\r\n", DM);
+    fflush (cout);
+    FD_ZERO (&mask);
+    if (fileno (cin) >= FD_SETSIZE)
+	errx (1, "fd too large");
+    FD_SET (fileno (cin), &mask);
+    if (din) {
+    if (fileno (din) >= FD_SETSIZE)
+	errx (1, "fd too large");
+	FD_SET (fileno (din), &mask);
+    }
+    if ((nfnd = empty (&mask, 10)) <= 0) {
+	if (nfnd < 0) {
+	    warn ("abort");
+	}
+	if (ptabflg)
+	    code = -1;
+	lostpeer (0);
+    }
+    if (din && FD_ISSET (fileno (din), &mask)) {
+	while (read (fileno (din), buf, BUFSIZ) > 0)
+	     /* LOOP */ ;
+    }
+    if (getreply (0) == ERROR && code == 552) {
+	/* 552 needed for nic style abort */
+	getreply (0);
+    }
+    getreply (0);
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.cat1 b/crypto/heimdal/appl/ftp/ftp/ftp.cat1
new file mode 100644
index 0000000..66262de
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ftp.cat1
@@ -0,0 +1,650 @@
+
+FTP(1)                       UNIX Reference Manual                      FTP(1)
+
+NNAAMMEE
+     ffttpp - ARPANET file transfer program
+
+SSYYNNOOPPSSIISS
+     ffttpp [--tt] [--vv] [--dd] [--ii] [--nn] [--gg] [--pp] [--ll] [_h_o_s_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     FFttpp is the user interface to the ARPANET standard File Transfer Protocol.
+     The program allows a user to transfer files to and from a remote network
+     site.
+
+     Modifications has been made so that it almost follows the ftpsec Internet
+     draft.
+
+     Options may be specified at the command line, or to the command inter-
+     preter.
+
+     --tt    Enables packet tracing.
+
+     --vv    Verbose option forces ffttpp to show all responses from the remote
+           server, as well as report on data transfer statistics.
+
+     --nn    Restrains ffttpp from attempting ``auto-login'' upon initial connec-
+           tion.  If auto-login is enabled, ffttpp will check the _._n_e_t_r_c (see be-
+           low) file in the user's home directory for an entry describing an
+           account on the remote machine.  If no entry exists, ffttpp will prompt
+           for the remote machine login name (default is the user identity on
+           the local machine), and, if necessary, prompt for a password and an
+           account with which to login.
+
+     --ii    Turns off interactive prompting during multiple file transfers.
+
+     --pp    Turn on passive mode.
+
+     --dd    Enables debugging.
+
+     --gg    Disables file name globbing.
+
+     --ll    Disables command line editing.
+
+     The client host with which ffttpp is to communicate may be specified on the
+     command line.  If this is done, ffttpp will immediately attempt to establish
+     a connection to an FTP server on that host; otherwise, ffttpp will enter its
+     command interpreter and await instructions from the user.  When ffttpp is
+     awaiting commands from the user the prompt `ftp>' is provided to the us-
+     er.  The following commands are recognized by ffttpp:
+
+     !! [_c_o_m_m_a_n_d [_a_r_g_s]]
+                 Invoke an interactive shell on the local machine.  If there
+                 are arguments, the first is taken to be a command to execute
+                 directly, with the rest of the arguments as its arguments.
+
+     $$ _m_a_c_r_o_-_n_a_m_e [_a_r_g_s]
+                 Execute the macro _m_a_c_r_o_-_n_a_m_e that was defined with the mmaaccddeeff
+                 command.  Arguments are passed to the macro unglobbed.
+
+     aaccccoouunntt [_p_a_s_s_w_d]
+                 Supply a supplemental password required by a remote system
+                 for access to resources once a login has been successfully
+                 completed.  If no argument is included, the user will be
+
+
+                 prompted for an account password in a non-echoing input mode.
+
+     aappppeenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
+                 Append a local file to a file on the remote machine.  If
+                 _r_e_m_o_t_e_-_f_i_l_e is left unspecified, the local file name is used
+                 in naming the remote file after being altered by any nnttrraannss
+                 or nnmmaapp setting.  File transfer uses the current settings for
+                 ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree.
+
+     aasscciiii       Set the file transfer ttyyppee to network ASCII. This is the de-
+                 fault type.
+
+     bbeellll        Arrange that a bell be sounded after each file transfer com-
+                 mand is completed.
+
+     bbiinnaarryy      Set the file transfer ttyyppee to support binary image transfer.
+
+     bbyyee         Terminate the FTP session with the remote server and exit
+                 ffttpp. An end of file will also terminate the session and exit.
+
+     ccaassee        Toggle remote computer file name case mapping during mmggeett
+                 commands.  When ccaassee is on (default is off), remote computer
+                 file names with all letters in upper case are written in the
+                 local directory with the letters mapped to lower case.
+
+     ccdd _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y
+                 Change the working directory on the remote machine to _r_e_m_o_t_e_-
+                 _d_i_r_e_c_t_o_r_y.
+
+     ccdduupp        Change the remote machine working directory to the parent of
+                 the current remote machine working directory.
+
+     cchhmmoodd _m_o_d_e _f_i_l_e_-_n_a_m_e
+                 Change the permission modes of the file _f_i_l_e_-_n_a_m_e on the re-
+                 mote sytem to _m_o_d_e.
+
+     cclloossee       Terminate the FTP session with the remote server, and return
+                 to the command interpreter.  Any defined macros are erased.
+
+     ccrr          Toggle carriage return stripping during ascii type file re-
+                 trieval.  Records are denoted by a carriage return/linefeed
+                 sequence during ascii type file transfer.  When ccrr is on (the
+                 default), carriage returns are stripped from this sequence to
+                 conform with the UNIX single linefeed record delimiter.
+                 Records on non-UNIX remote systems may contain single line-
+                 feeds; when an ascii type transfer is made, these linefeeds
+                 may be distinguished from a record delimiter only when ccrr is
+                 off.
+
+     ddeelleettee _r_e_m_o_t_e_-_f_i_l_e
+                 Delete the file _r_e_m_o_t_e_-_f_i_l_e on the remote machine.
+
+     ddeebbuugg [_d_e_b_u_g_-_v_a_l_u_e]
+                 Toggle debugging mode.  If an optional _d_e_b_u_g_-_v_a_l_u_e is speci-
+                 fied it is used to set the debugging level.  When debugging
+                 is on, ffttpp prints each command sent to the remote machine,
+                 preceded by the string `-->'
+
+     ddiirr [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
+                 Print a listing of the directory contents in the directory,
+                 _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y, and, optionally, placing the output in
+                 _l_o_c_a_l_-_f_i_l_e. If interactive prompting is on, ffttpp will prompt
+                 the user to verify that the last argument is indeed the tar-
+                 get local file for receiving ddiirr output.  If no directory is
+                 specified, the current working directory on the remote ma-
+                 chine is used.  If no local file is specified, or _l_o_c_a_l_-_f_i_l_e
+
+                 is --, output comes to the terminal.
+
+     ddiissccoonnnneecctt  A synonym for _c_l_o_s_e.
+
+     ffoorrmm _f_o_r_m_a_t
+                 Set the file transfer ffoorrmm to _f_o_r_m_a_t. The default format is
+                 ``file''.
+
+     ggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
+                 Retrieve the _r_e_m_o_t_e_-_f_i_l_e and store it on the local machine.
+                 If the local file name is not specified, it is given the same
+                 name it has on the remote machine, subject to alteration by
+                 the current ccaassee, nnttrraannss, and nnmmaapp settings.  The current
+                 settings for ttyyppee, ffoorrmm, mmooddee, and ssttrruuccttuurree are used while
+                 transferring the file.
+
+     gglloobb        Toggle filename expansion for mmddeelleettee, mmggeett and mmppuutt. If
+                 globbing is turned off with gglloobb, the file name arguments are
+                 taken literally and not expanded.  Globbing for mmppuutt is done
+                 as in csh(1).  For mmddeelleettee and mmggeett, each remote file name is
+                 expanded separately on the remote machine and the lists are
+                 not merged.  Expansion of a directory name is likely to be
+                 different from expansion of the name of an ordinary file: the
+                 exact result depends on the foreign operating system and ftp
+                 server, and can be previewed by doing `mls remote-files -'.
+                 As a security measure, remotely globbed files that starts
+                 with `/' or contains `../', will not be automatically re-
+                 ceived. If you have interactive prompting turned off, these
+                 filenames will be ignored.  Note: mmggeett and mmppuutt are not meant
+                 to transfer entire directory subtrees of files.  That can be
+                 done by transferring a tar(1) archive of the subtree (in bi-
+                 nary mode).
+
+     hhaasshh        Toggle hash-sign (``#'') printing for each data block trans-
+                 ferred.  The size of a data block is 1024 bytes.
+
+     hheellpp [_c_o_m_m_a_n_d]
+                 Print an informative message about the meaning of _c_o_m_m_a_n_d. If
+                 no argument is given, ffttpp prints a list of the known com-
+                 mands.
+
+     iiddllee [_s_e_c_o_n_d_s]
+                 Set the inactivity timer on the remote server to _s_e_c_o_n_d_s sec-
+                 onds.  If _s_e_c_o_n_d_s is omitted, the current inactivity timer is
+                 printed.
+
+     llccdd [_d_i_r_e_c_t_o_r_y]
+                 Change the working directory on the local machine.  If no
+                 _d_i_r_e_c_t_o_r_y is specified, the user's home directory is used.
+
+     llss [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
+                 Print a listing of the contents of a directory on the remote
+                 machine.  The listing includes any system-dependent informa-
+                 tion that the server chooses to include; for example, most
+                 UNIX systems will produce output from the command `ls -l'.
+                 (See also nnlliisstt.) If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified,
+                 the current working directory is used.  If interactive
+                 prompting is on, ffttpp will prompt the user to verify that the
+                 last argument is indeed the target local file for receiving
+                 llss output.  If no local file is specified, or if _l_o_c_a_l_-_f_i_l_e
+                 is `--', the output is sent to the terminal.
+
+     mmaaccddeeff _m_a_c_r_o_-_n_a_m_e
+                 Define a macro.  Subsequent lines are stored as the macro
+                 _m_a_c_r_o_-_n_a_m_e; a null line (consecutive newline characters in a
+                 file or carriage returns from the terminal) terminates macro
+                 input mode.  There is a limit of 16 macros and 4096 total
+                 characters in all defined macros.  Macros remain defined un-
+                 til a cclloossee command is executed.  The macro processor inter-
+                 prets `$' and `\' as special characters.  A `$' followed by a
+                 number (or numbers) is replaced by the corresponding argument
+                 on the macro invocation command line.  A `$' followed by an
+                 `i' signals that macro processor that the executing macro is
+                 to be looped.  On the first pass `$i' is replaced by the
+                 first argument on the macro invocation command line, on the
+                 second pass it is replaced by the second argument, and so on.
+                 A `\' followed by any character is replaced by that charac-
+                 ter.  Use the `\' to prevent special treatment of the `$'.
+
+     mmddeelleettee [_r_e_m_o_t_e_-_f_i_l_e_s]
+                 Delete the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine.
+
+     mmddiirr _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e
+                 Like ddiirr, except multiple remote files may be specified.  If
+                 interactive prompting is on, ffttpp will prompt the user to ver-
+                 ify that the last argument is indeed the target local file
+                 for receiving mmddiirr output.
+
+     mmggeett _r_e_m_o_t_e_-_f_i_l_e_s
+                 Expand the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine and do a ggeett
+                 for each file name thus produced.  See gglloobb for details on
+                 the filename expansion.  Resulting file names will then be
+                 processed according to ccaassee, nnttrraannss, and nnmmaapp settings.
+                 Files are transferred into the local working directory, which
+                 can be changed with `lcd directory'; new local directories
+                 can be created with `! mkdir directory'.
+
+     mmkkddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e
+                 Make a directory on the remote machine.
+
+     mmllss _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e
+                 Like nnlliisstt, except multiple remote files may be specified,
+                 and the _l_o_c_a_l_-_f_i_l_e must be specified.  If interactive prompt-
+                 ing is on, ffttpp will prompt the user to verify that the last
+                 argument is indeed the target local file for receiving mmllss
+                 output.
+
+     mmooddee [_m_o_d_e_-_n_a_m_e]
+                 Set the file transfer mmooddee to _m_o_d_e_-_n_a_m_e. The default mode is
+                 ``stream'' mode.
+
+     mmooddttiimmee _f_i_l_e_-_n_a_m_e
+                 Show the last modification time of the file on the remote ma-
+                 chine.
+
+     mmppuutt _l_o_c_a_l_-_f_i_l_e_s
+                 Expand wild cards in the list of local files given as argu-
+                 ments and do a ppuutt for each file in the resulting list.  See
+                 gglloobb for details of filename expansion.  Resulting file names
+                 will then be processed according to nnttrraannss and nnmmaapp settings.
+
+     nneewweerr _f_i_l_e_-_n_a_m_e
+                 Get the file only if the modification time of the remote file
+                 is more recent that the file on the current system.  If the
+                 file does not exist on the current system, the remote file is
+                 considered nneewweerr. Otherwise, this command is identical to
+                 _g_e_t.
+
+     nnlliisstt [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
+                 Print a  list of the files in a directory on the remote ma-
+                 chine.  If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified, the current
+                 working directory is used.  If interactive prompting is on,
+                 ffttpp will prompt the user to verify that the last argument is
+                 indeed the target local file for receiving nnlliisstt output.  If
+                 no local file is specified, or if _l_o_c_a_l_-_f_i_l_e is --, the output
+                 is sent to the terminal.
+
+     nnmmaapp [_i_n_p_a_t_t_e_r_n _o_u_t_p_a_t_t_e_r_n]
+                 Set or unset the filename mapping mechanism.  If no arguments
+                 are specified, the filename mapping mechanism is unset.  If
+                 arguments are specified, remote filenames are mapped during
+                 mmppuutt commands and ppuutt commands issued without a specified re-
+                 mote target filename.  If arguments are specified, local
+                 filenames are mapped during mmggeett commands and ggeett commands
+                 issued without a specified local target filename.  This com-
+                 mand is useful when connecting to a non-UNIX remote computer
+                 with different file naming conventions or practices.  The
+                 mapping follows the pattern set by _i_n_p_a_t_t_e_r_n and _o_u_t_p_a_t_t_e_r_n.
+                 [_I_n_p_a_t_t_e_r_n] is a template for incoming filenames (which may
+                 have already been processed according to the nnttrraannss and ccaassee
+                 settings).  Variable templating is accomplished by including
+                 the sequences `$1', `$2', ..., `$9' in _i_n_p_a_t_t_e_r_n. Use `\' to
+                 prevent this special treatment of the `$' character.  All
+                 other characters are treated literally, and are used to de-
+                 termine the nnmmaapp [_i_n_p_a_t_t_e_r_n] variable values.  For example,
+                 given _i_n_p_a_t_t_e_r_n $1.$2 and the remote file name "mydata.data",
+                 $1 would have the value "mydata", and $2 would have the value
+                 "data".  The _o_u_t_p_a_t_t_e_r_n determines the resulting mapped file-
+                 name.  The sequences `$1', `$2', ...., `$9' are replaced by
+                 any value resulting from the _i_n_p_a_t_t_e_r_n template.  The se-
+                 quence `$0' is replace by the original filename.  Additional-
+                 ly, the sequence `[_s_e_q_1, _s_e_q_2]' is replaced by [_s_e_q_1] if _s_e_q_1
+                 is not a null string; otherwise it is replaced by _s_e_q_2. For
+                 example, the command
+
+                       nmap $1.$2.$3 [$1,$2].[$2,file]
+
+                 would yield the output filename "myfile.data" for input file-
+                 names "myfile.data" and "myfile.data.old", "myfile.file" for
+                 the input filename "myfile", and "myfile.myfile" for the in-
+                 put filename ".myfile".  Spaces may be included in
+                 _o_u_t_p_a_t_t_e_r_n, as in the example: `nmap $1 sed "s/  *$//" > $1'
+                 .  Use the `\' character to prevent special treatment of the
+                 `$','[','[', and `,' characters.
+
+     nnttrraannss [_i_n_c_h_a_r_s [_o_u_t_c_h_a_r_s]]
+                 Set or unset the filename character translation mechanism.
+                 If no arguments are specified, the filename character trans-
+                 lation mechanism is unset.  If arguments are specified, char-
+                 acters in remote filenames are translated during mmppuutt com-
+                 mands and ppuutt commands issued without a specified remote tar-
+                 get filename.  If arguments are specified, characters in lo-
+                 cal filenames are translated during mmggeett commands and ggeett
+                 commands issued without a specified local target filename.
+                 This command is useful when connecting to a non-UNIX remote
+                 computer with different file naming conventions or practices.
+                 Characters in a filename matching a character in _i_n_c_h_a_r_s are
+                 replaced with the corresponding character in _o_u_t_c_h_a_r_s. If the
+                 character's position in _i_n_c_h_a_r_s is longer than the length of
+                 _o_u_t_c_h_a_r_s, the character is deleted from the file name.
+
+     ooppeenn _h_o_s_t [_p_o_r_t]
+                 Establish a connection to the specified _h_o_s_t FTP server.  An
+                 optional port number may be supplied, in which case, ffttpp will
+                 attempt to contact an FTP server at that port.  If the aauuttoo--
+                 llooggiinn option is on (default), ffttpp will also attempt to auto-
+
+                 matically log the user in to the FTP server (see below).
+
+     ppaassssiivvee     Toggle passive mode.  If passive mode is turned on (default
+                 is off), the ftp client will send a PASV command for all data
+                 connections instead of the usual PORT command.  The PASV com-
+                 mand requests that the remote server open a port for the data
+                 connection and return the address of that port.  The remote
+                 server listens on that port and the client connects to it.
+                 When using the more traditional PORT command, the client lis-
+                 tens on a port and sends that address to the remote server,
+                 who connects back to it.  Passive mode is useful when using
+                 ffttpp through a gateway router or host that controls the direc-
+                 tionality of traffic.  (Note that though ftp servers are re-
+                 quired to support the PASV command by RFC 1123, some do not.)
+
+     pprroommpptt      Toggle interactive prompting.  Interactive prompting occurs
+                 during multiple file transfers to allow the user to selec-
+                 tively retrieve or store files.  If prompting is turned off
+                 (default is on), any mmggeett or mmppuutt will transfer all files,
+                 and any mmddeelleettee will delete all files.
+
+     pprrooxxyy _f_t_p_-_c_o_m_m_a_n_d
+                 Execute an ftp command on a secondary control connection.
+                 This command allows simultaneous connection to two remote ftp
+                 servers for transferring files between the two servers.  The
+                 first pprrooxxyy command should be an ooppeenn, to establish the sec-
+                 ondary control connection.  Enter the command "proxy ?" to
+                 see other ftp commands executable on the secondary connec-
+                 tion.  The following commands behave differently when pref-
+                 aced by pprrooxxyy: ooppeenn will not define new macros during the au-
+                 to-login process, cclloossee will not erase existing macro defini-
+                 tions, ggeett and mmggeett transfer files from the host on the pri-
+                 mary control connection to the host on the secondary control
+                 connection, and ppuutt, mmppuutt, and aappppeenndd transfer files from the
+                 host on the secondary control connection to the host on the
+                 primary control connection.  Third party file transfers de-
+                 pend upon support of the ftp protocol PASV command by the
+                 server on the secondary control connection.
+
+     ppuutt _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
+                 Store a local file on the remote machine.  If _r_e_m_o_t_e_-_f_i_l_e is
+                 left unspecified, the local file name is used after process-
+                 ing according to any nnttrraannss or nnmmaapp settings in naming the
+                 remote file.  File transfer uses the current settings for
+                 ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree.
+
+     ppwwdd         Print the name of the current working directory on the remote
+                 machine.
+
+     qquuiitt        A synonym for bbyyee.
+
+     qquuoottee _a_r_g_1 _a_r_g_2 _._._.
+                 The arguments specified are sent, verbatim, to the remote FTP
+                 server.
+
+     rreeccvv _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
+                 A synonym for get.
+
+     rreeggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
+                 Reget acts like get, except that if _l_o_c_a_l_-_f_i_l_e exists and is
+                 smaller than _r_e_m_o_t_e_-_f_i_l_e, _l_o_c_a_l_-_f_i_l_e is presumed to be a par-
+                 tially transferred copy of _r_e_m_o_t_e_-_f_i_l_e and the transfer is
+                 continued from the apparent point of failure.  This command
+                 is useful when transferring very large files over networks
+
+
+                 that are prone to dropping connections.
+
+     rreemmootteehheellpp [_c_o_m_m_a_n_d_-_n_a_m_e]
+                 Request help from the remote FTP server.  If a _c_o_m_m_a_n_d_-_n_a_m_e
+                 is specified it is supplied to the server as well.
+
+     rreemmootteessttaattuuss [_f_i_l_e_-_n_a_m_e]
+                 With no arguments, show status of remote machine.  If _f_i_l_e_-
+                 _n_a_m_e is specified, show status of _f_i_l_e_-_n_a_m_e on remote ma-
+                 chine.
+
+     rreennaammee [_f_r_o_m] [_t_o]
+                 Rename the file _f_r_o_m on the remote machine, to the file _t_o.
+
+     rreesseett       Clear reply queue.  This command re-synchronizes command/re-
+                 ply sequencing with the remote ftp server.  Resynchronization
+                 may be necessary following a violation of the ftp protocol by
+                 the remote server.
+
+     rreessttaarrtt _m_a_r_k_e_r
+                 Restart the immediately following ggeett or ppuutt at the indicated
+                 _m_a_r_k_e_r. On UNIX systems, marker is usually a byte offset into
+                 the file.
+
+     rrmmddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e
+                 Delete a directory on the remote machine.
+
+     rruunniiqquuee     Toggle storing of files on the local system with unique file-
+                 names.  If a file already exists with a name equal to the
+                 target local filename for a ggeett or mmggeett command, a ".1" is
+                 appended to the name.  If the resulting name matches another
+                 existing file, a ".2" is appended to the original name.  If
+                 this process continues up to ".99", an error message is
+                 printed, and the transfer does not take place.  The generated
+                 unique filename will be reported.  Note that rruunniiqquuee will not
+                 affect local files generated from a shell command (see be-
+                 low).  The default value is off.
+
+     sseenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
+                 A synonym for put.
+
+     sseennddppoorrtt    Toggle the use of PORT commands.  By default, ffttpp will at-
+                 tempt to use a PORT command when establishing a connection
+                 for each data transfer.  The use of PORT commands can prevent
+                 delays when performing multiple file transfers.  If the PORT
+                 command fails, ffttpp will use the default data port.  When the
+                 use of PORT commands is disabled, no attempt will be made to
+                 use PORT commands for each data transfer.  This is useful for
+                 certain FTP implementations which do ignore PORT commands
+                 but, incorrectly, indicate they've been accepted.
+
+     ssiittee _a_r_g_1 _a_r_g_2 _._._.
+                 The arguments specified are sent, verbatim, to the remote FTP
+                 server as a SITE command.
+
+     ssiizzee _f_i_l_e_-_n_a_m_e
+                 Return size of _f_i_l_e_-_n_a_m_e on remote machine.
+
+     ssttaattuuss      Show the current status of ffttpp.
+
+     ssttrruucctt [_s_t_r_u_c_t_-_n_a_m_e]
+                 Set the file transfer _s_t_r_u_c_t_u_r_e to _s_t_r_u_c_t_-_n_a_m_e. By default
+                 ``stream'' structure is used.
+
+     ssuunniiqquuee     Toggle storing of files on remote machine under unique file
+                 names.  Remote ftp server must support ftp protocol STOU com-
+                 mand for successful completion.  The remote server will re-
+                 port unique name.  Default value is off.
+
+     ssyysstteemm      Show the type of operating system running on the remote ma-
+                 chine.
+
+     tteenneexx       Set the file transfer type to that needed to talk to TENEX
+                 machines.
+
+     ttrraaccee       Toggle packet tracing.
+
+     ttyyppee [_t_y_p_e_-_n_a_m_e]
+                 Set the file transfer ttyyppee to _t_y_p_e_-_n_a_m_e. If no type is speci-
+                 fied, the current type is printed.  The default type is net-
+                 work ASCII.
+
+     uummaasskk [_n_e_w_m_a_s_k]
+                 Set the default umask on the remote server to _n_e_w_m_a_s_k. If
+                 _n_e_w_m_a_s_k is omitted, the current umask is printed.
+
+     uusseerr _u_s_e_r_-_n_a_m_e [_p_a_s_s_w_o_r_d] [_a_c_c_o_u_n_t]
+                 Identify yourself to the remote FTP server.  If the _p_a_s_s_w_o_r_d
+                 is not specified and the server requires it, ffttpp will prompt
+                 the user for it (after disabling local echo).  If an _a_c_c_o_u_n_t
+                 field is not specified, and the FTP server requires it, the
+                 user will be prompted for it.  If an _a_c_c_o_u_n_t field is speci-
+                 fied, an account command will be relayed to the remote server
+                 after the login sequence is completed if the remote server
+                 did not require it for logging in.  Unless ffttpp is invoked
+                 with ``auto-login'' disabled, this process is done automati-
+                 cally on initial connection to the FTP server.
+
+     vveerrbboossee     Toggle verbose mode.  In verbose mode, all responses from the
+                 FTP server are displayed to the user.  In addition, if ver-
+                 bose is on, when a file transfer completes, statistics re-
+                 garding the efficiency of the transfer are reported.  By de-
+                 fault, verbose is on.
+
+     ?? [_c_o_m_m_a_n_d]
+                 A synonym for help.
+
+     The following command can be used with ftpsec-aware servers.
+
+     pprroott _c_l_e_a_r | _s_a_f_e | _c_o_n_f_i_d_e_n_t_i_a_l | _p_r_i_v_a_t_e
+                 Set the data protection level to the requested level.
+
+     The following command can be used with ftp servers that has implemented
+     the KAUTH site command.
+
+     kkaauutthh [_p_r_i_n_c_i_p_a_l]
+                 Obtain remote tickets.
+
+     Command arguments which have embedded spaces may be quoted with quote `"'
+     marks.
+
+AABBOORRTTIINNGG AA FFIILLEE TTRRAANNSSFFEERR
+     To abort a file transfer, use the terminal interrupt key (usually Ctrl-
+     C).  Sending transfers will be immediately halted.  Receiving transfers
+     will be halted by sending a ftp protocol ABOR command to the remote serv-
+     er, and discarding any further data received.  The speed at which this is
+     accomplished depends upon the remote server's support for ABOR process-
+     ing.  If the remote server does not support the ABOR command, an `ftp>'
+     prompt will not appear until the remote server has completed sending the
+     requested file.
+
+
+     The terminal interrupt key sequence will be ignored when ffttpp has complet-
+     ed any local processing and is awaiting a reply from the remote server.
+     A long delay in this mode may result from the ABOR processing described
+     above, or from unexpected behavior by the remote server, including viola-
+     tions of the ftp protocol.  If the delay results from unexpected remote
+     server behavior, the local ffttpp program must be killed by hand.
+
+FFIILLEE NNAAMMIINNGG CCOONNVVEENNTTIIOONNSS
+     Files specified as arguments to ffttpp commands are processed according to
+     the following rules.
+
+     1.   If the file name `--' is specified, the _s_t_d_i_n (for reading) or _s_t_d_o_u_t
+          (for writing) is used.
+
+     2.   If the first character of the file name is `|', the remainder of the
+          argument is interpreted as a shell command.  FFttpp then forks a shell,
+          using popen(3) with the argument supplied, and reads (writes) from
+          the stdout (stdin).  If the shell command includes spaces, the argu-
+          ment must be quoted; e.g.  ``" ls -lt"''.  A particularly useful ex-
+          ample of this mechanism is: ``dir more''.
+
+     3.   Failing the above checks, if ``globbing'' is enabled, local file
+          names are expanded according to the rules used in the csh(1);  c.f.
+          the gglloobb command.  If the ffttpp command expects a single local file
+          (.e.g.  ppuutt), only the first filename generated by the "globbing"
+          operation is used.
+
+     4.   For mmggeett commands and ggeett commands with unspecified local file
+          names, the local filename is the remote filename, which may be al-
+          tered by a ccaassee, nnttrraannss, or nnmmaapp setting.  The resulting filename
+          may then be altered if rruunniiqquuee is on.
+
+     5.   For mmppuutt commands and ppuutt commands with unspecified remote file
+          names, the remote filename is the local filename, which may be al-
+          tered by a nnttrraannss or nnmmaapp setting.  The resulting filename may then
+          be altered by the remote server if ssuunniiqquuee is on.
+
+FFIILLEE TTRRAANNSSFFEERR PPAARRAAMMEETTEERRSS
+     The FTP specification specifies many parameters which may affect a file
+     transfer.  The ttyyppee may be one of ``ascii'', ``image'' (binary),
+     ``ebcdic'', and ``local byte size'' (for PDP-10's and PDP-20's mostly).
+     FFttpp supports the ascii and image types of file transfer, plus local byte
+     size 8 for tteenneexx mode transfers.
+
+     FFttpp supports only the default values for the remaining file transfer pa-
+     rameters: mmooddee, ffoorrmm, and ssttrruucctt.
+
+TTHHEE ..nneettrrcc FFIILLEE
+     The _._n_e_t_r_c file contains login and initialization information used by the
+     auto-login process.  It resides in the user's home directory.  The fol-
+     lowing tokens are recognized; they may be separated by spaces, tabs, or
+     new-lines:
+
+     mmaacchhiinnee _n_a_m_e
+               Identify a remote machine _n_a_m_e. The auto-login process searches
+               the _._n_e_t_r_c file for a mmaacchhiinnee token that matches the remote ma-
+               chine specified on the ffttpp command line or as an ooppeenn command
+               argument.  Once a match is made, the subsequent _._n_e_t_r_c tokens
+               are processed, stopping when the end of file is reached or an-
+               other mmaacchhiinnee or a ddeeffaauulltt token is encountered.
+
+     ddeeffaauulltt   This is the same as mmaacchhiinnee _n_a_m_e except that ddeeffaauulltt matches
+               any name.  There can be only one ddeeffaauulltt token, and it must be
+               after all mmaacchhiinnee tokens.  This is normally used as:
+
+
+                     default login anonymous password user@site
+
+               thereby giving the user _a_u_t_o_m_a_t_i_c anonymous ftp login to ma-
+               chines not specified in _._n_e_t_r_c. This can be overridden by using
+               the --nn flag to disable auto-login.
+
+     llooggiinn _n_a_m_e
+               Identify a user on the remote machine.  If this token is pre-
+               sent, the auto-login process will initiate a login using the
+               specified _n_a_m_e.
+
+     ppaasssswwoorrdd _s_t_r_i_n_g
+               Supply a password.  If this token is present, the auto-login
+               process will supply the specified string if the remote server
+               requires a password as part of the login process.  Note that if
+               this token is present in the _._n_e_t_r_c file for any user other
+               than _a_n_o_n_y_m_o_u_s, ffttpp will abort the auto-login process if the
+               _._n_e_t_r_c is readable by anyone besides the user.
+
+     aaccccoouunntt _s_t_r_i_n_g
+               Supply an additional account password.  If this token is pre-
+               sent, the auto-login process will supply the specified string
+               if the remote server requires an additional account password,
+               or the auto-login process will initiate an ACCT command if it
+               does not.
+
+     mmaaccddeeff _n_a_m_e
+               Define a macro.  This token functions like the ffttpp mmaaccddeeff com-
+               mand functions.  A macro is defined with the specified name;
+               its contents begin with the next _._n_e_t_r_c line and continue until
+               a null line (consecutive new-line characters) is encountered.
+               If a macro named iinniitt is defined, it is automatically executed
+               as the last step in the auto-login process.
+
+EENNVVIIRROONNMMEENNTT
+     FFttpp utilizes the following environment variables.
+
+     HOME        For default location of a _._n_e_t_r_c file, if one exists.
+
+     SHELL       For default shell.
+
+SSEEEE AALLSSOO
+     ftpd(8),  _R_F_C_2_2_2_8
+
+HHIISSTTOORRYY
+     The ffttpp command appeared in 4.2BSD.
+
+BBUUGGSS
+     Correct execution of many commands depends upon proper behavior by the
+     remote server.
+
+     An error in the treatment of carriage returns in the 4.2BSD ascii-mode
+     transfer code has been corrected.  This correction may result in incor-
+     rect transfers of binary files to and from 4.2BSD servers using the ascii
+     type.  Avoid this problem by using the binary image type.
+
+4.2 Berkeley Distribution       April 27, 1996                              10
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp_locl.h b/crypto/heimdal/appl/ftp/ftp/ftp_locl.h
new file mode 100644
index 0000000..63dc1dd
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ftp_locl.h
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: ftp_locl.h,v 1.35 2001/02/15 04:20:51 assar Exp $ */
+/* $FreeBSD$ */
+
+#ifndef __FTP_LOCL_H__
+#define __FTP_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+
+#ifdef HAVE_ARPA_FTP_H
+#include <arpa/ftp.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#include <errno.h>
+#include <ctype.h>
+#include <glob.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+#include <err.h>
+
+#ifdef SOCKS
+#include <socks.h>
+extern int LIBPREFIX(fclose)      (FILE *);
+
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+
+#endif
+
+#include "ftp_var.h"
+#include "extern.h"
+#include "common.h"
+#include "pathnames.h"
+
+#include "roken.h"
+#include "security.h"
+
+/* des_read_pw_string */
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+
+#if defined(__sun__) && !defined(__svr4)
+int fclose(FILE*);
+int pclose(FILE*);
+#endif
+
+#endif /* __FTP_LOCL_H__ */
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp_var.h b/crypto/heimdal/appl/ftp/ftp/ftp_var.h
new file mode 100644
index 0000000..3dbe6b4
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ftp_var.h
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ftp_var.h	8.4 (Berkeley) 10/9/94
+ */
+
+/*
+ * FTP global variables.
+ */
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include <setjmp.h>
+
+/*
+ * Options and other state info.
+ */
+extern int	trace;			/* trace packets exchanged */
+extern int	hash;			/* print # for each buffer transferred */
+extern int	sendport;		/* use PORT cmd for each data connection */
+extern int	verbose;		/* print messages coming back from server */
+extern int	connected;		/* connected to server */
+extern int	fromatty;		/* input is from a terminal */
+extern int	interactive;		/* interactively prompt on m* cmds */
+extern int	lineedit;		/* use line-editing */
+extern int	debug;			/* debugging level */
+extern int	bell;			/* ring bell on cmd completion */
+extern int	doglob;			/* glob local file names */
+extern int	autologin;		/* establish user account on connection */
+extern int	proxy;			/* proxy server connection active */
+extern int	proxflag;		/* proxy connection exists */
+extern int	sunique;		/* store files on server with unique name */
+extern int	runique;		/* store local files with unique name */
+extern int	mcase;			/* map upper to lower case for mget names */
+extern int	ntflag;			/* use ntin ntout tables for name translation */
+extern int	mapflag;		/* use mapin mapout templates on file names */
+extern int	code;			/* return/reply code for ftp command */
+extern int	crflag;			/* if 1, strip car. rets. on ascii gets */
+extern char	pasv[64];		/* passive port for proxy data connection */
+extern int	passivemode;		/* passive mode enabled */
+extern char	*altarg;		/* argv[1] with no shell-like preprocessing  */
+extern char	ntin[17];		/* input translation table */
+extern char	ntout[17];		/* output translation table */
+extern char	mapin[MaxPathLen];	/* input map template */
+extern char	mapout[MaxPathLen];	/* output map template */
+extern char	typename[32];		/* name of file transfer type */
+extern int	type;			/* requested file transfer type */
+extern int	curtype;		/* current file transfer type */
+extern char	structname[32];		/* name of file transfer structure */
+extern int	stru;			/* file transfer structure */
+extern char	formname[32];		/* name of file transfer format */
+extern int	form;			/* file transfer format */
+extern char	modename[32];		/* name of file transfer mode */
+extern int	mode;			/* file transfer mode */
+extern char	bytename[32];		/* local byte size in ascii */
+extern int	bytesize;		/* local byte size in binary */
+
+extern char	*hostname;		/* name of host connected to */
+extern int	unix_server;		/* server is unix, can use binary for ascii */
+extern int	unix_proxy;		/* proxy is unix, can use binary for ascii */
+
+extern jmp_buf	toplevel;		/* non-local goto stuff for cmd scanner */
+
+extern char	line[200];		/* input line buffer */
+extern char	*stringbase;		/* current scan point in line buffer */
+extern char	argbuf[200];		/* argument storage buffer */
+extern char	*argbase;		/* current storage point in arg buffer */
+extern int	margc;			/* count of arguments on input line */
+extern char	**margv;		/* args parsed from input line */
+extern int	margvlen;		/* how large margv is currently */
+extern int     cpend;                  /* flag: if != 0, then pending server reply */
+extern int	mflag;			/* flag: if != 0, then active multi command */
+
+extern int	options;		/* used during socket creation */
+extern int      use_kerberos;           /* use Kerberos authentication */
+
+/*
+ * Format of command table.
+ */
+struct cmd {
+	char	*c_name;	/* name of command */
+	char	*c_help;	/* help string */
+	char	c_bell;		/* give bell when command completes */
+	char	c_conn;		/* must be connected to use command */
+	char	c_proxy;	/* proxy server may execute */
+	void	(*c_handler) (int, char **); /* function to call */
+};
+
+struct macel {
+	char mac_name[9];	/* macro name */
+	char *mac_start;	/* start of macro in macbuf */
+	char *mac_end;		/* end of macro in macbuf */
+};
+
+extern int macnum;			/* number of defined macros */
+extern struct macel macros[16];
+extern char macbuf[4096];
+
+
diff --git a/crypto/heimdal/appl/ftp/ftp/globals.c b/crypto/heimdal/appl/ftp/ftp/globals.c
new file mode 100644
index 0000000..8a0e1c9
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/globals.c
@@ -0,0 +1,78 @@
+#include "ftp_locl.h"
+RCSID("$Id: globals.c,v 1.8 2000/11/15 22:56:08 assar Exp $");
+
+/*
+ * Options and other state info.
+ */
+int	trace;			/* trace packets exchanged */
+int	hash;			/* print # for each buffer transferred */
+int	sendport;		/* use PORT cmd for each data connection */
+int	verbose;		/* print messages coming back from server */
+int	connected;		/* connected to server */
+int	fromatty;		/* input is from a terminal */
+int	interactive;		/* interactively prompt on m* cmds */
+int	lineedit;		/* use line-editing */
+int	debug;			/* debugging level */
+int	bell;			/* ring bell on cmd completion */
+int	doglob;			/* glob local file names */
+int	autologin;		/* establish user account on connection */
+int	proxy;			/* proxy server connection active */
+int	proxflag;		/* proxy connection exists */
+int	sunique;		/* store files on server with unique name */
+int	runique;		/* store local files with unique name */
+int	mcase;			/* map upper to lower case for mget names */
+int	ntflag;			/* use ntin ntout tables for name translation */
+int	mapflag;		/* use mapin mapout templates on file names */
+int	code;			/* return/reply code for ftp command */
+int	crflag;			/* if 1, strip car. rets. on ascii gets */
+char	pasv[64];		/* passive port for proxy data connection */
+int	passivemode;		/* passive mode enabled */
+char	*altarg;		/* argv[1] with no shell-like preprocessing  */
+char	ntin[17];		/* input translation table */
+char	ntout[17];		/* output translation table */
+char	mapin[MaxPathLen];	/* input map template */
+char	mapout[MaxPathLen];	/* output map template */
+char	typename[32];		/* name of file transfer type */
+int	type;			/* requested file transfer type */
+int	curtype;		/* current file transfer type */
+char	structname[32];		/* name of file transfer structure */
+int	stru;			/* file transfer structure */
+char	formname[32];		/* name of file transfer format */
+int	form;			/* file transfer format */
+char	modename[32];		/* name of file transfer mode */
+int	mode;			/* file transfer mode */
+char	bytename[32];		/* local byte size in ascii */
+int	bytesize;		/* local byte size in binary */
+
+char	*hostname;		/* name of host connected to */
+int	unix_server;		/* server is unix, can use binary for ascii */
+int	unix_proxy;		/* proxy is unix, can use binary for ascii */
+
+jmp_buf	toplevel;		/* non-local goto stuff for cmd scanner */
+
+char	line[200];		/* input line buffer */
+char	*stringbase;		/* current scan point in line buffer */
+char	argbuf[200];		/* argument storage buffer */
+char	*argbase;		/* current storage point in arg buffer */
+int	margc;			/* count of arguments on input line */
+char	**margv;		/* args parsed from input line */
+int	margvlen;		/* how large margv is currently */
+int     cpend;                  /* flag: if != 0, then pending server reply */
+int	mflag;			/* flag: if != 0, then active multi command */
+
+int	options;		/* used during socket creation */
+int     use_kerberos;           /* use Kerberos authentication */
+
+/*
+ * Format of command table.
+ */
+
+int macnum;			/* number of defined macros */
+struct macel macros[16];
+char macbuf[4096];
+
+char username[32];
+
+/* these are set in ruserpass */
+char myhostname[MaxHostNameLen];
+char *mydomain;
diff --git a/crypto/heimdal/appl/ftp/ftp/gssapi.c b/crypto/heimdal/appl/ftp/ftp/gssapi.c
new file mode 100644
index 0000000..f875c4a
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/gssapi.c
@@ -0,0 +1,401 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+#include <gssapi.h>
+
+RCSID("$Id: gssapi.c,v 1.15 2000/12/08 05:07:49 assar Exp $");
+
+struct gss_data {
+    gss_ctx_id_t context_hdl;
+    char *client_name;
+    gss_cred_id_t delegated_cred_handle;
+};
+
+static int
+gss_init(void *app_data)
+{
+    struct gss_data *d = app_data;
+    d->context_hdl = GSS_C_NO_CONTEXT;
+    d->delegated_cred_handle = NULL;
+#if defined(FTP_SERVER)
+    return 0;
+#else
+    /* XXX Check the gss mechanism; with  gss_indicate_mechs() ? */
+#ifdef KRB5
+    return !use_kerberos;
+#else
+    return 0
+#endif /* KRB5 */
+#endif /* FTP_SERVER */
+}
+
+static int
+gss_check_prot(void *app_data, int level)
+{
+    if(level == prot_confidential)
+	return -1;
+    return 0;
+}
+
+static int
+gss_decode(void *app_data, void *buf, int len, int level)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc input, output;
+    gss_qop_t qop_state;
+    int conf_state;
+    struct gss_data *d = app_data;
+
+    input.length = len;
+    input.value = buf;
+    maj_stat = gss_unwrap (&min_stat,
+			   d->context_hdl,
+			   &input,
+			   &output,
+			   &conf_state,
+			   &qop_state);
+    if(GSS_ERROR(maj_stat))
+	return -1;
+    memmove(buf, output.value, output.length);
+    return output.length;
+}
+
+static int
+gss_overhead(void *app_data, int level, int len)
+{
+    return 100; /* dunno? */
+}
+
+
+static int
+gss_encode(void *app_data, void *from, int length, int level, void **to)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc input, output;
+    int conf_state;
+    struct gss_data *d = app_data;
+
+    input.length = length;
+    input.value = from;
+    maj_stat = gss_wrap (&min_stat,
+			 d->context_hdl,
+			 level == prot_private,
+			 GSS_C_QOP_DEFAULT,
+			 &input,
+			 &conf_state,
+			 &output);
+    *to = output.value;
+    return output.length;
+}
+
+static void
+sockaddr_to_gss_address (const struct sockaddr *sa,
+			 OM_uint32 *addr_type,
+			 gss_buffer_desc *gss_addr)
+{
+    switch (sa->sa_family) {
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+	gss_addr->length = 16;
+	gss_addr->value  = &sin6->sin6_addr;
+	*addr_type       = GSS_C_AF_INET6;
+	break;
+    }
+#endif
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+	gss_addr->length = 4;
+	gss_addr->value  = &sin->sin_addr;
+	*addr_type       = GSS_C_AF_INET;
+	break;
+    }
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	
+    }
+}
+
+/* end common stuff */
+
+#ifdef FTP_SERVER
+
+static int
+gss_adat(void *app_data, void *buf, size_t len)
+{
+    char *p = NULL;
+    gss_buffer_desc input_token, output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t client_name;
+    struct gss_data *d = app_data;
+
+    gss_channel_bindings_t bindings = malloc(sizeof(*bindings));
+    sockaddr_to_gss_address (his_addr,
+			     &bindings->initiator_addrtype,
+			     &bindings->initiator_address);
+    sockaddr_to_gss_address (ctrl_addr,
+			     &bindings->acceptor_addrtype,
+			     &bindings->acceptor_address);
+
+    bindings->application_data.length = 0;
+    bindings->application_data.value = NULL;
+
+    input_token.value = buf;
+    input_token.length = len;
+
+    d->delegated_cred_handle = malloc(sizeof(*d->delegated_cred_handle));
+    if (d->delegated_cred_handle == NULL) {
+       reply(500, "Out of memory");
+       goto out;
+    }
+
+    memset ((char*)d->delegated_cred_handle, 0,
+            sizeof(*d->delegated_cred_handle));
+    
+    maj_stat = gss_accept_sec_context (&min_stat,
+				       &d->context_hdl,
+				       GSS_C_NO_CREDENTIAL,
+				       &input_token,
+				       bindings,
+				       &client_name,
+				       NULL,
+				       &output_token,
+				       NULL,
+				       NULL,
+                                       &d->delegated_cred_handle);
+
+    if(output_token.length) {
+	if(base64_encode(output_token.value, output_token.length, &p) < 0) {
+	    reply(535, "Out of memory base64-encoding.");
+	    return -1;
+	}
+    }
+    if(maj_stat == GSS_S_COMPLETE){
+	char *name;
+	gss_buffer_desc export_name;
+	maj_stat = gss_export_name(&min_stat, client_name, &export_name);
+	if(maj_stat != 0) {
+	    reply(500, "Error exporting name");
+	    goto out;
+	}
+	name = realloc(export_name.value, export_name.length + 1);
+	if(name == NULL) {
+	    reply(500, "Out of memory");
+	    free(export_name.value);
+	    goto out;
+	}
+	name[export_name.length] = '\0';
+	d->client_name = name;
+	if(p)
+	    reply(235, "ADAT=%s", p);
+	else
+	    reply(235, "ADAT Complete");
+	sec_complete = 1;
+
+    } else if(maj_stat == GSS_S_CONTINUE_NEEDED) {
+	if(p)
+	    reply(335, "ADAT=%s", p);
+	else
+	    reply(335, "OK, need more data");
+    } else
+	reply(535, "foo?");
+out:
+    free(p);
+    return 0;
+}
+
+int gss_userok(void*, char*);
+
+struct sec_server_mech gss_server_mech = {
+    "GSSAPI",
+    sizeof(struct gss_data),
+    gss_init, /* init */
+    NULL, /* end */
+    gss_check_prot,
+    gss_overhead,
+    gss_encode,
+    gss_decode,
+    /* */
+    NULL,
+    gss_adat,
+    NULL, /* pbsz */
+    NULL, /* ccc */
+    gss_userok
+};
+
+#else /* FTP_SERVER */
+
+extern struct sockaddr *hisctladdr, *myctladdr;
+
+static int
+gss_auth(void *app_data, char *host)
+{
+    
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc name;
+    gss_name_t target_name;
+    gss_buffer_desc input, output_token;
+    int context_established = 0;
+    char *p;
+    int n;
+    gss_channel_bindings_t bindings;
+    struct gss_data *d = app_data;
+	    
+    name.length = asprintf((char**)&name.value, "ftp@%s", host);
+    maj_stat = gss_import_name(&min_stat,
+			       &name,
+			       GSS_C_NT_HOSTBASED_SERVICE,
+			       &target_name);
+    if (GSS_ERROR(maj_stat)) {
+	OM_uint32 new_stat;
+	OM_uint32 msg_ctx = 0;
+	gss_buffer_desc status_string;
+	    
+	gss_display_status(&new_stat,
+			   min_stat,
+			   GSS_C_MECH_CODE,
+			   GSS_C_NO_OID,
+			   &msg_ctx,
+			   &status_string);
+	printf("Error importing name %s: %s\n", 
+	       (char *)name.value,
+	       (char *)status_string.value);
+	gss_release_buffer(&new_stat, &status_string);
+	return AUTH_ERROR;
+    }
+    free(name.value);
+    
+
+    input.length = 0;
+    input.value = NULL;
+
+    bindings = malloc(sizeof(*bindings));
+
+    sockaddr_to_gss_address (myctladdr,
+			     &bindings->initiator_addrtype,
+			     &bindings->initiator_address);
+    sockaddr_to_gss_address (hisctladdr,
+			     &bindings->acceptor_addrtype,
+			     &bindings->acceptor_address);
+
+    bindings->application_data.length = 0;
+    bindings->application_data.value = NULL;
+
+    while(!context_established) {
+	maj_stat = gss_init_sec_context(&min_stat,
+					GSS_C_NO_CREDENTIAL,
+					&d->context_hdl,
+					target_name,
+					GSS_C_NO_OID,
+                                        GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG
+                                          | GSS_C_DELEG_FLAG,
+					0,
+					bindings,
+					&input,
+					NULL,
+					&output_token,
+					NULL,
+					NULL);
+	if (GSS_ERROR(maj_stat)) {
+	    OM_uint32 new_stat;
+	    OM_uint32 msg_ctx = 0;
+	    gss_buffer_desc status_string;
+	    
+	    gss_display_status(&new_stat,
+			       min_stat,
+			       GSS_C_MECH_CODE,
+			       GSS_C_NO_OID,
+			       &msg_ctx,
+			       &status_string);
+	    printf("Error initializing security context: %s\n", 
+		   (char*)status_string.value);
+	    gss_release_buffer(&new_stat, &status_string);
+	    return AUTH_CONTINUE;
+	}
+
+	gss_release_buffer(&min_stat, &input);
+	if (output_token.length != 0) {
+	    base64_encode(output_token.value, output_token.length, &p);
+	    gss_release_buffer(&min_stat, &output_token);
+	    n = command("ADAT %s", p);
+	    free(p);
+	}
+	if (GSS_ERROR(maj_stat)) {
+	    if (d->context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&d->context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+	    p = strstr(reply_string, "ADAT=");
+	    if(p == NULL){
+		printf("Error: expected ADAT in reply. got: %s\n",
+		       reply_string);
+		return AUTH_ERROR;
+	    } else {
+		p+=5;
+		input.value = malloc(strlen(p));
+		input.length = base64_decode(p, input.value);
+	    }
+	} else {
+	    if(code != 235) {
+		printf("Unrecognized response code: %d\n", code);
+		return AUTH_ERROR;
+	    }
+	    context_established = 1;
+	}
+    }
+    return AUTH_OK;
+}
+
+struct sec_client_mech gss_client_mech = {
+    "GSSAPI",
+    sizeof(struct gss_data),
+    gss_init,
+    gss_auth,
+    NULL, /* end */
+    gss_check_prot,
+    gss_overhead,
+    gss_encode,
+    gss_decode,
+};
+
+#endif /* FTP_SERVER */
diff --git a/crypto/heimdal/appl/ftp/ftp/kauth.c b/crypto/heimdal/appl/ftp/ftp/kauth.c
new file mode 100644
index 0000000..613593a
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/kauth.c
@@ -0,0 +1,198 @@
+/*
+ * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+#include <krb.h>
+RCSID("$Id: kauth.c,v 1.20 1999/12/02 16:58:29 joda Exp $");
+
+void
+kauth(int argc, char **argv)
+{
+    int ret;
+    char buf[1024];
+    des_cblock key;
+    des_key_schedule schedule;
+    KTEXT_ST tkt, tktcopy;
+    char *name;
+    char *p;
+    int overbose;
+    char passwd[100];
+    int tmp;
+	
+    int save;
+
+    if(argc > 2){
+	printf("usage: %s [principal]\n", argv[0]);
+	code = -1;
+	return;
+    }
+    if(argc == 2)
+	name = argv[1];
+    else
+	name = username;
+
+    overbose = verbose;
+    verbose = 0;
+
+    save = set_command_prot(prot_private);
+    ret = command("SITE KAUTH %s", name);
+    if(ret != CONTINUE){
+	verbose = overbose;
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    verbose = overbose;
+    p = strstr(reply_string, "T=");
+    if(!p){
+	printf("Bad reply from server.\n");
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    p += 2;
+    tmp = base64_decode(p, &tkt.dat);
+    if(tmp < 0){
+	printf("Failed to decode base64 in reply.\n");
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    tkt.length = tmp;
+    tktcopy.length = tkt.length;
+    
+    p = strstr(reply_string, "P=");
+    if(!p){
+	printf("Bad reply from server.\n");
+	verbose = overbose;
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    name = p + 2;
+    for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
+    *p = 0;
+    
+    snprintf(buf, sizeof(buf), "Password for %s:", name);
+    if (des_read_pw_string (passwd, sizeof(passwd)-1, buf, 0))
+        *passwd = '\0';
+    des_string_to_key (passwd, &key);
+
+    des_key_sched(&key, schedule);
+    
+    des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
+		     tkt.length,
+		     schedule, &key, DES_DECRYPT);
+    if (strcmp ((char*)tktcopy.dat + 8,
+		KRB_TICKET_GRANTING_TICKET) != 0) {
+        afs_string_to_key (passwd, krb_realmofhost(hostname), &key);
+	des_key_sched (&key, schedule);
+	des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
+			 tkt.length,
+			 schedule, &key, DES_DECRYPT);
+    }
+    memset(key, 0, sizeof(key));
+    memset(schedule, 0, sizeof(schedule));
+    memset(passwd, 0, sizeof(passwd));
+    if(base64_encode(tktcopy.dat, tktcopy.length, &p) < 0) {
+	printf("Out of memory base64-encoding.\n");
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    memset (tktcopy.dat, 0, tktcopy.length);
+    ret = command("SITE KAUTH %s %s", name, p);
+    free(p);
+    set_command_prot(save);
+    if(ret != COMPLETE){
+	code = -1;
+	return;
+    }
+    code = 0;
+}
+
+void
+klist(int argc, char **argv)
+{
+    int ret;
+    if(argc != 1){
+	printf("usage: %s\n", argv[0]);
+	code = -1;
+	return;
+    }
+    
+    ret = command("SITE KLIST");
+    code = (ret == COMPLETE);
+}
+
+void
+kdestroy(int argc, char **argv)
+{
+    int ret;
+    if (argc != 1) {
+	printf("usage: %s\n", argv[0]);
+	code = -1;
+	return;
+    }
+    ret = command("SITE KDESTROY");
+    code = (ret == COMPLETE);
+}
+
+void
+krbtkfile(int argc, char **argv)
+{
+    int ret;
+    if(argc != 2) {
+	printf("usage: %s tktfile\n", argv[0]);
+	code = -1;
+	return;
+    }
+    ret = command("SITE KRBTKFILE %s", argv[1]);
+    code = (ret == COMPLETE);
+}
+
+void
+afslog(int argc, char **argv)
+{
+    int ret;
+    if(argc > 2) {
+	printf("usage: %s [cell]\n", argv[0]);
+	code = -1;
+	return;
+    }
+    if(argc == 2)
+	ret = command("SITE AFSLOG %s", argv[1]);
+    else
+	ret = command("SITE AFSLOG");
+    code = (ret == COMPLETE);
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/krb4.c b/crypto/heimdal/appl/ftp/ftp/krb4.c
new file mode 100644
index 0000000..d057ed7
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/krb4.c
@@ -0,0 +1,340 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+#include <krb.h>
+
+RCSID("$Id: krb4.c,v 1.38 2000/06/21 02:46:09 assar Exp $");
+
+#ifdef FTP_SERVER
+#define LOCAL_ADDR ctrl_addr
+#define REMOTE_ADDR his_addr
+#else
+#define LOCAL_ADDR myctladdr
+#define REMOTE_ADDR hisctladdr
+#endif
+
+extern struct sockaddr *LOCAL_ADDR, *REMOTE_ADDR;
+
+struct krb4_data {
+    des_cblock key;
+    des_key_schedule schedule;
+    char name[ANAME_SZ];
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+};
+
+static int
+krb4_check_prot(void *app_data, int level)
+{
+    if(level == prot_confidential)
+	return -1;
+    return 0;
+}
+
+static int
+krb4_decode(void *app_data, void *buf, int len, int level)
+{
+    MSG_DAT m;
+    int e;
+    struct krb4_data *d = app_data;
+    
+    if(level == prot_safe)
+	e = krb_rd_safe(buf, len, &d->key,
+			(struct sockaddr_in *)REMOTE_ADDR,
+			(struct sockaddr_in *)LOCAL_ADDR, &m);
+    else
+	e = krb_rd_priv(buf, len, d->schedule, &d->key, 
+			(struct sockaddr_in *)REMOTE_ADDR,
+			(struct sockaddr_in *)LOCAL_ADDR, &m);
+    if(e){
+	syslog(LOG_ERR, "krb4_decode: %s", krb_get_err_text(e));
+	return -1;
+    }
+    memmove(buf, m.app_data, m.app_length);
+    return m.app_length;
+}
+
+static int
+krb4_overhead(void *app_data, int level, int len)
+{
+    return 31;
+}
+
+static int
+krb4_encode(void *app_data, void *from, int length, int level, void **to)
+{
+    struct krb4_data *d = app_data;
+    *to = malloc(length + 31);
+    if(level == prot_safe)
+	return krb_mk_safe(from, *to, length, &d->key, 
+			   (struct sockaddr_in *)LOCAL_ADDR,
+			   (struct sockaddr_in *)REMOTE_ADDR);
+    else if(level == prot_private)
+	return krb_mk_priv(from, *to, length, d->schedule, &d->key, 
+			   (struct sockaddr_in *)LOCAL_ADDR,
+			   (struct sockaddr_in *)REMOTE_ADDR);
+    else
+	return -1;
+}
+
+#ifdef FTP_SERVER
+
+static int
+krb4_adat(void *app_data, void *buf, size_t len)
+{
+    KTEXT_ST tkt;
+    AUTH_DAT auth_dat;
+    char *p;
+    int kerror;
+    u_int32_t cs;
+    char msg[35]; /* size of encrypted block */
+    int tmp_len;
+    struct krb4_data *d = app_data;
+    char inst[INST_SZ];
+    struct sockaddr_in *his_addr_sin = (struct sockaddr_in *)his_addr;
+
+    memcpy(tkt.dat, buf, len);
+    tkt.length = len;
+
+    k_getsockinst(0, inst, sizeof(inst));
+    kerror = krb_rd_req(&tkt, "ftp", inst, 
+			his_addr_sin->sin_addr.s_addr, &auth_dat, "");
+    if(kerror == RD_AP_UNDEC){
+	k_getsockinst(0, inst, sizeof(inst));
+	kerror = krb_rd_req(&tkt, "rcmd", inst, 
+			    his_addr_sin->sin_addr.s_addr, &auth_dat, "");
+    }
+
+    if(kerror){
+	reply(535, "Error reading request: %s.", krb_get_err_text(kerror));
+	return -1;
+    }
+    
+    memcpy(d->key, auth_dat.session, sizeof(d->key));
+    des_set_key(&d->key, d->schedule);
+
+    strlcpy(d->name, auth_dat.pname, sizeof(d->name));
+    strlcpy(d->instance, auth_dat.pinst, sizeof(d->instance));
+    strlcpy(d->realm, auth_dat.prealm, sizeof(d->instance));
+
+    cs = auth_dat.checksum + 1;
+    {
+	unsigned char tmp[4];
+	KRB_PUT_INT(cs, tmp, 4, sizeof(tmp));
+	tmp_len = krb_mk_safe(tmp, msg, 4, &d->key,
+			      (struct sockaddr_in *)LOCAL_ADDR,
+			      (struct sockaddr_in *)REMOTE_ADDR);
+    }
+    if(tmp_len < 0){
+	reply(535, "Error creating reply: %s.", strerror(errno));
+	return -1;
+    }
+    len = tmp_len;
+    if(base64_encode(msg, len, &p) < 0) {
+	reply(535, "Out of memory base64-encoding.");
+	return -1;
+    }
+    reply(235, "ADAT=%s", p);
+    sec_complete = 1;
+    free(p);
+    return 0;
+}
+
+static int
+krb4_userok(void *app_data, char *user)
+{
+    struct krb4_data *d = app_data;
+    return krb_kuserok(d->name, d->instance, d->realm, user);
+}
+
+struct sec_server_mech krb4_server_mech = {
+    "KERBEROS_V4",
+    sizeof(struct krb4_data),
+    NULL, /* init */
+    NULL, /* end */
+    krb4_check_prot,
+    krb4_overhead,
+    krb4_encode,
+    krb4_decode,
+    /* */
+    NULL,
+    krb4_adat,
+    NULL, /* pbsz */
+    NULL, /* ccc */
+    krb4_userok
+};
+
+#else /* FTP_SERVER */
+
+static int
+krb4_init(void *app_data)
+{
+   return !use_kerberos;
+}
+
+static int
+mk_auth(struct krb4_data *d, KTEXT adat, 
+	char *service, char *host, int checksum)
+{
+    int ret;
+    CREDENTIALS cred;
+    char sname[SNAME_SZ], inst[INST_SZ], realm[REALM_SZ];
+
+    strlcpy(sname, service, sizeof(sname));
+    strlcpy(inst, krb_get_phost(host), sizeof(inst));
+    strlcpy(realm, krb_realmofhost(host), sizeof(realm));
+    ret = krb_mk_req(adat, sname, inst, realm, checksum);
+    if(ret)
+	return ret;
+    strlcpy(sname, service, sizeof(sname));
+    strlcpy(inst, krb_get_phost(host), sizeof(inst));
+    strlcpy(realm, krb_realmofhost(host), sizeof(realm));
+    ret = krb_get_cred(sname, inst, realm, &cred);
+    memmove(&d->key, &cred.session, sizeof(des_cblock));
+    des_key_sched(&d->key, d->schedule);
+    memset(&cred, 0, sizeof(cred));
+    return ret;
+}
+
+static int
+krb4_auth(void *app_data, char *host)
+{
+    int ret;
+    char *p;
+    int len;
+    KTEXT_ST adat;
+    MSG_DAT msg_data;
+    int checksum;
+    u_int32_t cs;
+    struct krb4_data *d = app_data;
+    struct sockaddr_in *localaddr  = (struct sockaddr_in *)LOCAL_ADDR;
+    struct sockaddr_in *remoteaddr = (struct sockaddr_in *)REMOTE_ADDR;
+
+    checksum = getpid();
+    ret = mk_auth(d, &adat, "ftp", host, checksum);
+    if(ret == KDC_PR_UNKNOWN)
+	ret = mk_auth(d, &adat, "rcmd", host, checksum);
+    if(ret){
+	printf("%s\n", krb_get_err_text(ret));
+	return AUTH_CONTINUE;
+    }
+
+#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
+    if (krb_get_config_bool("nat_in_use")) {
+      struct in_addr natAddr;
+
+      if (krb_get_our_ip_for_realm(krb_realmofhost(host),
+				   &natAddr) != KSUCCESS
+	  && krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
+	printf("Can't get address for realm %s\n",
+	       krb_realmofhost(host));
+      else {
+	if (natAddr.s_addr != localaddr->sin_addr.s_addr) {
+	  printf("Using NAT IP address (%s) for kerberos 4\n",
+		 inet_ntoa(natAddr));
+	  localaddr->sin_addr = natAddr;
+	  
+	  /*
+	   * This not the best place to do this, but it
+	   * is here we know that (probably) NAT is in
+	   * use!
+	   */
+
+	  passivemode = 1;
+	  printf("Setting: Passive mode on.\n");
+	}
+      }
+    }
+#endif
+
+    printf("Local address is %s\n", inet_ntoa(localaddr->sin_addr));
+    printf("Remote address is %s\n", inet_ntoa(remoteaddr->sin_addr));
+
+   if(base64_encode(adat.dat, adat.length, &p) < 0) {
+	printf("Out of memory base64-encoding.\n");
+	return AUTH_CONTINUE;
+    }
+    ret = command("ADAT %s", p);
+    free(p);
+
+    if(ret != COMPLETE){
+	printf("Server didn't accept auth data.\n");
+	return AUTH_ERROR;
+    }
+
+    p = strstr(reply_string, "ADAT=");
+    if(!p){
+	printf("Remote host didn't send adat reply.\n");
+	return AUTH_ERROR;
+    }
+    p += 5;
+    len = base64_decode(p, adat.dat);
+    if(len < 0){
+	printf("Failed to decode base64 from server.\n");
+	return AUTH_ERROR;
+    }
+    adat.length = len;
+    ret = krb_rd_safe(adat.dat, adat.length, &d->key, 
+		      (struct sockaddr_in *)hisctladdr, 
+		      (struct sockaddr_in *)myctladdr, &msg_data);
+    if(ret){
+	printf("Error reading reply from server: %s.\n", 
+	       krb_get_err_text(ret));
+	return AUTH_ERROR;
+    }
+    krb_get_int(msg_data.app_data, &cs, 4, 0);
+    if(cs - checksum != 1){
+	printf("Bad checksum returned from server.\n");
+	return AUTH_ERROR;
+    }
+    return AUTH_OK;
+}
+
+struct sec_client_mech krb4_client_mech = {
+    "KERBEROS_V4",
+    sizeof(struct krb4_data),
+    krb4_init, /* init */
+    krb4_auth,
+    NULL, /* end */
+    krb4_check_prot,
+    krb4_overhead,
+    krb4_encode,
+    krb4_decode
+};
+
+#endif /* FTP_SERVER */
diff --git a/crypto/heimdal/appl/ftp/ftp/main.c b/crypto/heimdal/appl/ftp/ftp/main.c
new file mode 100644
index 0000000..3531579
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/main.c
@@ -0,0 +1,571 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * FTP User Program -- Command Interface.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: main.c,v 1.31 2001/02/20 01:44:43 assar Exp $");
+
+int
+main(int argc, char **argv)
+{
+	int ch, top;
+	struct passwd *pw = NULL;
+	char homedir[MaxPathLen];
+	struct servent *sp;
+
+	setprogname(argv[0]);
+
+	sp = getservbyname("ftp", "tcp");
+	if (sp == 0)
+		errx(1, "ftp/tcp: unknown service");
+	doglob = 1;
+	interactive = 1;
+	autologin = 1;
+	lineedit = 1;
+	passivemode = 0; /* passive mode not active */
+        use_kerberos = 1;
+
+	while ((ch = getopt(argc, argv, "dgilnptvK")) != -1) {
+		switch (ch) {
+		case 'd':
+			options |= SO_DEBUG;
+			debug++;
+			break;
+			
+		case 'g':
+			doglob = 0;
+			break;
+
+		case 'i':
+			interactive = 0;
+			break;
+
+		case 'l':
+			lineedit = 0;
+			break;
+		case 'n':
+			autologin = 0;
+			break;
+
+		case 'p':
+		        passivemode = 1;
+			break;
+		case 't':
+			trace++;
+			break;
+
+		case 'v':
+			verbose++;
+			break;
+
+                case 'K':
+                        /* Disable Kerberos authentication */
+                        use_kerberos = 0;
+                        break;
+
+		default:
+		    fprintf(stderr,
+                            "usage: ftp [-dgilnptvK] [host [port]]\n");
+		    exit(1);
+		}
+	}
+	argc -= optind;
+	argv += optind;
+
+	fromatty = isatty(fileno(stdin));
+	if (fromatty)
+		verbose++;
+	cpend = 0;	/* no pending replies */
+	proxy = 0;	/* proxy not active */
+	crflag = 1;	/* strip c.r. on ascii gets */
+	sendport = -1;	/* not using ports */
+	/*
+	 * Set up the home directory in case we're globbing.
+	 */
+	pw = k_getpwuid(getuid());
+	if (pw != NULL) {
+		strlcpy(homedir, pw->pw_dir, sizeof(homedir));
+		home = homedir;
+	}
+	if (argc > 0) {
+	    char *xargv[5];
+	    
+	    if (setjmp(toplevel))
+		exit(0);
+	    signal(SIGINT, intr);
+	    signal(SIGPIPE, lostpeer);
+	    xargv[0] = (char*)getprogname();
+	    xargv[1] = argv[0];
+	    xargv[2] = argv[1];
+	    xargv[3] = argv[2];
+	    xargv[4] = NULL;
+	    setpeer(argc+1, xargv);
+	}
+	if(setjmp(toplevel) == 0)
+	    top = 1;
+	else
+	    top = 0;
+	if (top) {
+	    signal(SIGINT, intr);
+	    signal(SIGPIPE, lostpeer);
+	}
+	for (;;) {
+	    cmdscanner(top);
+	    top = 1;
+	}
+}
+
+void
+intr(int sig)
+{
+
+	longjmp(toplevel, 1);
+}
+
+#ifndef SHUT_RDWR
+#define SHUT_RDWR 2
+#endif
+
+RETSIGTYPE
+lostpeer(int sig)
+{
+
+    if (connected) {
+	if (cout != NULL) {
+	    shutdown(fileno(cout), SHUT_RDWR);
+	    fclose(cout);
+	    cout = NULL;
+	}
+	if (data >= 0) {
+	    shutdown(data, SHUT_RDWR);
+	    close(data);
+	    data = -1;
+	}
+	connected = 0;
+    }
+    pswitch(1);
+    if (connected) {
+	if (cout != NULL) {
+	    shutdown(fileno(cout), SHUT_RDWR);
+	    fclose(cout);
+	    cout = NULL;
+	}
+	connected = 0;
+    }
+    proxflag = 0;
+    pswitch(0);
+    sec_end();
+    SIGRETURN(0);
+}
+
+/*
+char *
+tail(filename)
+	char *filename;
+{
+	char *s;
+	
+	while (*filename) {
+		s = strrchr(filename, '/');
+		if (s == NULL)
+			break;
+		if (s[1])
+			return (s + 1);
+		*s = '\0';
+	}
+	return (filename);
+}
+*/
+
+static char *
+simple_readline(char *prompt)
+{
+    char buf[BUFSIZ];
+    printf ("%s", prompt);
+    fflush (stdout);
+    if(fgets(buf, sizeof(buf), stdin) == NULL)
+	return NULL;
+    if (buf[strlen(buf) - 1] == '\n')
+	buf[strlen(buf) - 1] = '\0';
+    return strdup(buf);
+}
+
+#ifndef HAVE_READLINE
+
+static char *
+readline(char *prompt)
+{
+    return simple_readline (prompt);
+}
+
+static void
+add_history(char *p)
+{
+}
+
+#else
+
+/* These should not really be here */
+
+char *readline(char *);
+void add_history(char *);
+
+#endif
+
+/*
+ * Command parser.
+ */
+void
+cmdscanner(int top)
+{
+    struct cmd *c;
+    int l;
+
+    if (!top)
+	putchar('\n');
+    for (;;) {
+	if (fromatty) {
+	    char *p;
+	    if (lineedit)
+		p = readline("ftp> ");
+	    else
+		p = simple_readline("ftp> ");
+	    if(p == NULL) {
+		printf("\n");
+		quit(0, 0);
+	    }
+	    strlcpy(line, p, sizeof(line));
+	    if (lineedit)
+		add_history(p);
+	    free(p);
+	} else{
+	    if (fgets(line, sizeof line, stdin) == NULL)
+		quit(0, 0);
+	}
+	/* XXX will break on long lines */
+	l = strlen(line);
+	if (l == 0)
+	    break;
+	if (line[--l] == '\n') {
+	    if (l == 0)
+		break;
+	    line[l] = '\0';
+	} else if (l == sizeof(line) - 2) {
+	    printf("sorry, input line too long\n");
+	    while ((l = getchar()) != '\n' && l != EOF)
+		/* void */;
+	    break;
+	} /* else it was a line without a newline */
+	makeargv();
+	if (margc == 0) {
+	    continue;
+	}
+	c = getcmd(margv[0]);
+	if (c == (struct cmd *)-1) {
+	    printf("?Ambiguous command\n");
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command\n");
+	    continue;
+	}
+	if (c->c_conn && !connected) {
+	    printf("Not connected.\n");
+	    continue;
+	}
+	(*c->c_handler)(margc, margv);
+	if (bell && c->c_bell)
+	    putchar('\007');
+	if (c->c_handler != help)
+	    break;
+    }
+    signal(SIGINT, intr);
+    signal(SIGPIPE, lostpeer);
+}
+
+struct cmd *
+getcmd(char *name)
+{
+	char *p, *q;
+	struct cmd *c, *found;
+	int nmatches, longest;
+
+	longest = 0;
+	nmatches = 0;
+	found = 0;
+	for (c = cmdtab; (p = c->c_name); c++) {
+		for (q = name; *q == *p++; q++)
+			if (*q == 0)		/* exact match? */
+				return (c);
+		if (!*q) {			/* the name was a prefix */
+			if (q - name > longest) {
+				longest = q - name;
+				nmatches = 1;
+				found = c;
+			} else if (q - name == longest)
+				nmatches++;
+		}
+	}
+	if (nmatches > 1)
+		return ((struct cmd *)-1);
+	return (found);
+}
+
+/*
+ * Slice a string up into argc/argv.
+ */
+
+int slrflag;
+
+void
+makeargv(void)
+{
+	char **argp;
+
+	argp = margv;
+	stringbase = line;		/* scan from first of buffer */
+	argbase = argbuf;		/* store from first of buffer */
+	slrflag = 0;
+	for (margc = 0; ; margc++) {
+		/* Expand array if necessary */
+		if (margc == margvlen) {
+			int i;
+
+			margv = (margvlen == 0)
+				? (char **)malloc(20 * sizeof(char *))
+				: (char **)realloc(margv,
+					(margvlen + 20)*sizeof(char *));
+			if (margv == NULL)
+				errx(1, "cannot realloc argv array");
+			for(i = margvlen; i < margvlen + 20; ++i)
+				margv[i] = NULL;
+			margvlen += 20;
+			argp = margv + margc;
+		}
+
+		if ((*argp++ = slurpstring()) == NULL)
+			break;
+	}
+
+}
+
+/*
+ * Parse string into argbuf;
+ * implemented with FSM to
+ * handle quoting and strings
+ */
+char *
+slurpstring(void)
+{
+	int got_one = 0;
+	char *sb = stringbase;
+	char *ap = argbase;
+	char *tmp = argbase;		/* will return this if token found */
+
+	if (*sb == '!' || *sb == '$') {	/* recognize ! as a token for shell */
+		switch (slrflag) {	/* and $ as token for macro invoke */
+			case 0:
+				slrflag++;
+				stringbase++;
+				return ((*sb == '!') ? "!" : "$");
+				/* NOTREACHED */
+			case 1:
+				slrflag++;
+				altarg = stringbase;
+				break;
+			default:
+				break;
+		}
+	}
+
+S0:
+	switch (*sb) {
+
+	case '\0':
+		goto OUT;
+
+	case ' ':
+	case '\t':
+		sb++; goto S0;
+
+	default:
+		switch (slrflag) {
+			case 0:
+				slrflag++;
+				break;
+			case 1:
+				slrflag++;
+				altarg = sb;
+				break;
+			default:
+				break;
+		}
+		goto S1;
+	}
+
+S1:
+	switch (*sb) {
+
+	case ' ':
+	case '\t':
+	case '\0':
+		goto OUT;	/* end of token */
+
+	case '\\':
+		sb++; goto S2;	/* slurp next character */
+
+	case '"':
+		sb++; goto S3;	/* slurp quoted string */
+
+	default:
+		*ap++ = *sb++;	/* add character to token */
+		got_one = 1;
+		goto S1;
+	}
+
+S2:
+	switch (*sb) {
+
+	case '\0':
+		goto OUT;
+
+	default:
+		*ap++ = *sb++;
+		got_one = 1;
+		goto S1;
+	}
+
+S3:
+	switch (*sb) {
+
+	case '\0':
+		goto OUT;
+
+	case '"':
+		sb++; goto S1;
+
+	default:
+		*ap++ = *sb++;
+		got_one = 1;
+		goto S3;
+	}
+
+OUT:
+	if (got_one)
+		*ap++ = '\0';
+	argbase = ap;			/* update storage pointer */
+	stringbase = sb;		/* update scan pointer */
+	if (got_one) {
+		return (tmp);
+	}
+	switch (slrflag) {
+		case 0:
+			slrflag++;
+			break;
+		case 1:
+			slrflag++;
+			altarg = (char *) 0;
+			break;
+		default:
+			break;
+	}
+	return NULL;
+}
+
+#define HELPINDENT ((int) sizeof ("directory"))
+
+/*
+ * Help command.
+ * Call each command handler with argc == 0 and argv[0] == name.
+ */
+void
+help(int argc, char **argv)
+{
+	struct cmd *c;
+
+	if (argc == 1) {
+		int i, j, w, k;
+		int columns, width = 0, lines;
+
+		printf("Commands may be abbreviated.  Commands are:\n\n");
+		for (c = cmdtab; c < &cmdtab[NCMDS]; c++) {
+			int len = strlen(c->c_name);
+
+			if (len > width)
+				width = len;
+		}
+		width = (width + 8) &~ 7;
+		columns = 80 / width;
+		if (columns == 0)
+			columns = 1;
+		lines = (NCMDS + columns - 1) / columns;
+		for (i = 0; i < lines; i++) {
+			for (j = 0; j < columns; j++) {
+				c = cmdtab + j * lines + i;
+				if (c->c_name && (!proxy || c->c_proxy)) {
+					printf("%s", c->c_name);
+				}
+				else if (c->c_name) {
+					for (k=0; k < strlen(c->c_name); k++) {
+						putchar(' ');
+					}
+				}
+				if (c + lines >= &cmdtab[NCMDS]) {
+					printf("\n");
+					break;
+				}
+				w = strlen(c->c_name);
+				while (w < width) {
+					w = (w + 8) &~ 7;
+					putchar('\t');
+				}
+			}
+		}
+		return;
+	}
+	while (--argc > 0) {
+		char *arg;
+		arg = *++argv;
+		c = getcmd(arg);
+		if (c == (struct cmd *)-1)
+			printf("?Ambiguous help command %s\n", arg);
+		else if (c == (struct cmd *)0)
+			printf("?Invalid help command %s\n", arg);
+		else
+			printf("%-*s\t%s\n", HELPINDENT,
+				c->c_name, c->c_help);
+	}
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/pathnames.h b/crypto/heimdal/appl/ftp/ftp/pathnames.h
new file mode 100644
index 0000000..f7c1fb3
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/pathnames.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)pathnames.h	8.1 (Berkeley) 6/6/93
+ */
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#define	_PATH_TMP_XXX	"/tmp/ftpXXXXXX"
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL	"/bin/sh"
+#endif
diff --git a/crypto/heimdal/appl/ftp/ftp/ruserpass.c b/crypto/heimdal/appl/ftp/ftp/ruserpass.c
new file mode 100644
index 0000000..b22f699
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ruserpass.c
@@ -0,0 +1,313 @@
+/*
+ * Copyright (c) 1985, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: ruserpass.c,v 1.19 2000/01/08 07:45:11 assar Exp $");
+
+static	int token (void);
+static	FILE *cfile;
+
+#define	DEFAULT	1
+#define	LOGIN	2
+#define	PASSWD	3
+#define	ACCOUNT 4
+#define MACDEF  5
+#define PROT	6
+#define	ID	10
+#define	MACH	11
+
+static char tokval[100];
+
+static struct toktab {
+	char *tokstr;
+	int tval;
+} toktab[]= {
+	{ "default",	DEFAULT },
+	{ "login",	LOGIN },
+	{ "password",	PASSWD },
+	{ "passwd",	PASSWD },
+	{ "account",	ACCOUNT },
+	{ "machine",	MACH },
+	{ "macdef",	MACDEF },
+	{ "prot", 	PROT }, 
+	{ NULL,		0 }
+};
+
+/*
+ * Write a copy of the hostname into `hostname, sz' and return a guess
+ * as to the `domain' of that hostname.
+ */
+
+static char *
+guess_domain (char *hostname, size_t sz)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char *dot;
+
+    if (gethostname (hostname, sz) < 0) {
+	strlcpy (hostname, "", sz);
+	return "";
+    }
+    dot = strchr (hostname, '.');
+    if (dot != NULL)
+	return dot + 1;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags = AI_CANONNAME;
+
+    error = getaddrinfo (hostname, NULL, &hints, &ai);
+    if (error)
+	return hostname;
+
+    for (a = ai; a != NULL; a = a->ai_next)
+	if (a->ai_canonname != NULL) {
+	    strlcpy (hostname, ai->ai_canonname, sz);
+	    break;
+	}
+    freeaddrinfo (ai);
+    dot = strchr (hostname, '.');
+    if (dot != NULL)
+	return dot + 1;
+    else
+	return hostname;
+}
+
+int
+ruserpass(char *host, char **aname, char **apass, char **aacct)
+{
+    char *hdir, buf[BUFSIZ], *tmp;
+    int t, i, c, usedefault = 0;
+    struct stat stb;
+
+    mydomain = guess_domain (myhostname, MaxHostNameLen);
+
+    hdir = getenv("HOME");
+    if (hdir == NULL)
+	hdir = ".";
+    snprintf(buf, sizeof(buf), "%s/.netrc", hdir);
+    cfile = fopen(buf, "r");
+    if (cfile == NULL) {
+	if (errno != ENOENT)
+	    warn("%s", buf);
+	return (0);
+    }
+
+next:
+    while ((t = token())) switch(t) {
+
+    case DEFAULT:
+	usedefault = 1;
+	/* FALL THROUGH */
+
+    case MACH:
+	if (!usedefault) {
+	    if (token() != ID)
+		continue;
+	    /*
+	     * Allow match either for user's input host name
+	     * or official hostname.  Also allow match of 
+	     * incompletely-specified host in local domain.
+	     */
+	    if (strcasecmp(host, tokval) == 0)
+		goto match;
+	    if (strcasecmp(hostname, tokval) == 0)
+		goto match;
+	    if ((tmp = strchr(hostname, '.')) != NULL &&
+		tmp++ &&
+		strcasecmp(tmp, mydomain) == 0 &&
+		strncasecmp(hostname, tokval, tmp-hostname) == 0 &&
+		tokval[tmp - hostname] == '\0')
+		goto match;
+	    if ((tmp = strchr(host, '.')) != NULL &&
+		tmp++ &&
+		strcasecmp(tmp, mydomain) == 0 &&
+		strncasecmp(host, tokval, tmp - host) == 0 &&
+		tokval[tmp - host] == '\0')
+		goto match;
+	    continue;
+	}
+    match:
+	while ((t = token()) && t != MACH && t != DEFAULT) switch(t) {
+
+	case LOGIN:
+	    if (token()) {
+		if (*aname == 0) { 
+		    *aname = strdup(tokval);
+		} else {
+		    if (strcmp(*aname, tokval))
+			goto next;
+		}
+	    }
+	    break;
+	case PASSWD:
+	    if ((*aname == NULL || strcmp(*aname, "anonymous")) &&
+		fstat(fileno(cfile), &stb) >= 0 &&
+		(stb.st_mode & 077) != 0) {
+		warnx("Error: .netrc file is readable by others.");
+		warnx("Remove password or make file unreadable by others.");
+		goto bad;
+	    }
+	    if (token() && *apass == 0) {
+		*apass = strdup(tokval);
+	    }
+	    break;
+	case ACCOUNT:
+	    if (fstat(fileno(cfile), &stb) >= 0
+		&& (stb.st_mode & 077) != 0) {
+		warnx("Error: .netrc file is readable by others.");
+		warnx("Remove account or make file unreadable by others.");
+		goto bad;
+	    }
+	    if (token() && *aacct == 0) {
+		*aacct = strdup(tokval);
+	    }
+	    break;
+	case MACDEF:
+	    if (proxy) {
+		fclose(cfile);
+		return (0);
+	    }
+	    while ((c=getc(cfile)) != EOF && 
+		   (c == ' ' || c == '\t'));
+	    if (c == EOF || c == '\n') {
+		printf("Missing macdef name argument.\n");
+		goto bad;
+	    }
+	    if (macnum == 16) {
+		printf("Limit of 16 macros have already been defined\n");
+		goto bad;
+	    }
+	    tmp = macros[macnum].mac_name;
+	    *tmp++ = c;
+	    for (i=0; i < 8 && (c=getc(cfile)) != EOF &&
+		     !isspace(c); ++i) {
+		*tmp++ = c;
+	    }
+	    if (c == EOF) {
+		printf("Macro definition missing null line terminator.\n");
+		goto bad;
+	    }
+	    *tmp = '\0';
+	    if (c != '\n') {
+		while ((c=getc(cfile)) != EOF && c != '\n');
+	    }
+	    if (c == EOF) {
+		printf("Macro definition missing null line terminator.\n");
+		goto bad;
+	    }
+	    if (macnum == 0) {
+		macros[macnum].mac_start = macbuf;
+	    }
+	    else {
+		macros[macnum].mac_start = macros[macnum-1].mac_end + 1;
+	    }
+	    tmp = macros[macnum].mac_start;
+	    while (tmp != macbuf + 4096) {
+		if ((c=getc(cfile)) == EOF) {
+		    printf("Macro definition missing null line terminator.\n");
+		    goto bad;
+		}
+		*tmp = c;
+		if (*tmp == '\n') {
+		    if (*(tmp-1) == '\0') {
+			macros[macnum++].mac_end = tmp - 1;
+			break;
+		    }
+		    *tmp = '\0';
+		}
+		tmp++;
+	    }
+	    if (tmp == macbuf + 4096) {
+		printf("4K macro buffer exceeded\n");
+		goto bad;
+	    }
+	    break;
+	case PROT:
+	    token();
+	    if(sec_request_prot(tokval) < 0)
+		warnx("Unknown protection level \"%s\"", tokval);
+	    break;
+	default:
+	    warnx("Unknown .netrc keyword %s", tokval);
+	    break;
+	}
+	goto done;
+    }
+done:
+    fclose(cfile);
+    return (0);
+bad:
+    fclose(cfile);
+    return (-1);
+}
+
+static int
+token(void)
+{
+	char *cp;
+	int c;
+	struct toktab *t;
+
+	if (feof(cfile) || ferror(cfile))
+		return (0);
+	while ((c = getc(cfile)) != EOF &&
+	    (c == '\n' || c == '\t' || c == ' ' || c == ','))
+		continue;
+	if (c == EOF)
+		return (0);
+	cp = tokval;
+	if (c == '"') {
+		while ((c = getc(cfile)) != EOF && c != '"') {
+			if (c == '\\')
+				c = getc(cfile);
+			*cp++ = c;
+		}
+	} else {
+		*cp++ = c;
+		while ((c = getc(cfile)) != EOF
+		    && c != '\n' && c != '\t' && c != ' ' && c != ',') {
+			if (c == '\\')
+				c = getc(cfile);
+			*cp++ = c;
+		}
+	}
+	*cp = 0;
+	if (tokval[0] == 0)
+		return (0);
+	for (t = toktab; t->tokstr; t++)
+		if (!strcmp(t->tokstr, tokval))
+			return (t->tval);
+	return (ID);
+}
diff --git a/crypto/heimdal/appl/ftp/ftp/security.c b/crypto/heimdal/appl/ftp/ftp/security.c
new file mode 100644
index 0000000..a8fff1d
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/security.c
@@ -0,0 +1,803 @@
+/*
+ * Copyright (c) 1998-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+
+RCSID("$Id: security.c,v 1.18 2001/02/07 10:49:43 assar Exp $");
+
+static enum protection_level command_prot;
+static enum protection_level data_prot;
+static size_t buffer_size;
+
+struct buffer {
+    void *data;
+    size_t size;
+    size_t index;
+    int eof_flag;
+};
+
+static struct buffer in_buffer, out_buffer;
+int sec_complete;
+
+static struct {
+    enum protection_level level;
+    const char *name;
+} level_names[] = {
+    { prot_clear, "clear" },
+    { prot_safe, "safe" },
+    { prot_confidential, "confidential" },
+    { prot_private, "private" }
+};
+
+static const char *
+level_to_name(enum protection_level level)
+{
+    int i;
+    for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
+	if(level_names[i].level == level)
+	    return level_names[i].name;
+    return "unknown";
+}
+
+#ifndef FTP_SERVER /* not used in server */
+static enum protection_level 
+name_to_level(const char *name)
+{
+    int i;
+    for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
+	if(!strncasecmp(level_names[i].name, name, strlen(name)))
+	    return level_names[i].level;
+    return (enum protection_level)-1;
+}
+#endif
+
+#ifdef FTP_SERVER
+
+static struct sec_server_mech *mechs[] = {
+#ifdef KRB5
+    &gss_server_mech,
+#endif
+#ifdef KRB4
+    &krb4_server_mech,
+#endif
+    NULL
+};
+
+static struct sec_server_mech *mech;
+
+#else
+
+static struct sec_client_mech *mechs[] = {
+#ifdef KRB5
+    &gss_client_mech,
+#endif
+#ifdef KRB4
+    &krb4_client_mech,
+#endif
+    NULL
+};
+
+static struct sec_client_mech *mech;
+
+#endif
+
+static void *app_data;
+
+int
+sec_getc(FILE *F)
+{
+    if(sec_complete && data_prot) {
+	char c;
+	if(sec_read(fileno(F), &c, 1) <= 0)
+	    return EOF;
+	return c;
+    } else
+	return getc(F);
+}
+
+static int
+block_read(int fd, void *buf, size_t len)
+{
+    unsigned char *p = buf;
+    int b;
+    while(len) {
+	b = read(fd, p, len);
+	if (b == 0)
+	    return 0;
+	else if (b < 0)
+	    return -1;
+	len -= b;
+	p += b;
+    }
+    return p - (unsigned char*)buf;
+}
+
+static int
+block_write(int fd, void *buf, size_t len)
+{
+    unsigned char *p = buf;
+    int b;
+    while(len) {
+	b = write(fd, p, len);
+	if(b < 0)
+	    return -1;
+	len -= b;
+	p += b;
+    }
+    return p - (unsigned char*)buf;
+}
+
+static int
+sec_get_data(int fd, struct buffer *buf, int level)
+{
+    int len;
+    int b;
+    void *tmp;
+
+    b = block_read(fd, &len, sizeof(len));
+    if (b == 0)
+	return 0;
+    else if (b < 0)
+	return -1;
+    len = ntohl(len);
+    tmp = realloc(buf->data, len);
+    if (tmp == NULL)
+	return -1;
+    buf->data = tmp;
+    b = block_read(fd, buf->data, len);
+    if (b == 0)
+	return 0;
+    else if (b < 0)
+	return -1;
+    buf->size = (*mech->decode)(app_data, buf->data, len, data_prot);
+    buf->index = 0;
+    return 0;
+}
+
+static size_t
+buffer_read(struct buffer *buf, void *data, size_t len)
+{
+    len = min(len, buf->size - buf->index);
+    memcpy(data, (char*)buf->data + buf->index, len);
+    buf->index += len;
+    return len;
+}
+
+static size_t
+buffer_write(struct buffer *buf, void *data, size_t len)
+{
+    if(buf->index + len > buf->size) {
+	void *tmp;
+	if(buf->data == NULL)
+	    tmp = malloc(1024);
+	else
+	    tmp = realloc(buf->data, buf->index + len);
+	if(tmp == NULL)
+	    return -1;
+	buf->data = tmp;
+	buf->size = buf->index + len;
+    }
+    memcpy((char*)buf->data + buf->index, data, len);
+    buf->index += len;
+    return len;
+}
+
+int
+sec_read(int fd, void *data, int length)
+{
+    size_t len;
+    int rx = 0;
+
+    if(sec_complete == 0 || data_prot == 0)
+	return read(fd, data, length);
+
+    if(in_buffer.eof_flag){
+	in_buffer.eof_flag = 0;
+	return 0;
+    }
+    
+    len = buffer_read(&in_buffer, data, length);
+    length -= len;
+    rx += len;
+    data = (char*)data + len;
+    
+    while(length){
+	int ret;
+
+	ret = sec_get_data(fd, &in_buffer, data_prot);
+	if (ret < 0)
+	    return -1;
+	if(ret == 0 && in_buffer.size == 0) {
+	    if(rx)
+		in_buffer.eof_flag = 1;
+	    return rx;
+	}
+	len = buffer_read(&in_buffer, data, length);
+	length -= len;
+	rx += len;
+	data = (char*)data + len;
+    }
+    return rx;
+}
+
+static int
+sec_send(int fd, char *from, int length)
+{
+    int bytes;
+    void *buf;
+    bytes = (*mech->encode)(app_data, from, length, data_prot, &buf);
+    bytes = htonl(bytes);
+    block_write(fd, &bytes, sizeof(bytes));
+    block_write(fd, buf, ntohl(bytes));
+    free(buf);
+    return length;
+}
+
+int
+sec_fflush(FILE *F)
+{
+    if(data_prot != prot_clear) {
+	if(out_buffer.index > 0){
+	    sec_write(fileno(F), out_buffer.data, out_buffer.index);
+	    out_buffer.index = 0;
+	}
+	sec_send(fileno(F), NULL, 0);
+    }
+    fflush(F);
+    return 0;
+}
+
+int
+sec_write(int fd, char *data, int length)
+{
+    int len = buffer_size;
+    int tx = 0;
+      
+    if(data_prot == prot_clear)
+	return write(fd, data, length);
+
+    len -= (*mech->overhead)(app_data, data_prot, len);
+    while(length){
+	if(length < len)
+	    len = length;
+	sec_send(fd, data, len);
+	length -= len;
+	data += len;
+	tx += len;
+    }
+    return tx;
+}
+
+int
+sec_vfprintf2(FILE *f, const char *fmt, va_list ap)
+{
+    char *buf;
+    int ret;
+    if(data_prot == prot_clear)
+	return vfprintf(f, fmt, ap);
+    else {
+	vasprintf(&buf, fmt, ap);
+	ret = buffer_write(&out_buffer, buf, strlen(buf));
+	free(buf);
+	return ret;
+    }
+}
+
+int
+sec_fprintf2(FILE *f, const char *fmt, ...)
+{
+    int ret;
+    va_list ap;
+    va_start(ap, fmt);
+    ret = sec_vfprintf2(f, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+int
+sec_putc(int c, FILE *F)
+{
+    char ch = c;
+    if(data_prot == prot_clear)
+	return putc(c, F);
+    
+    buffer_write(&out_buffer, &ch, 1);
+    if(c == '\n' || out_buffer.index >= 1024 /* XXX */) {
+	sec_write(fileno(F), out_buffer.data, out_buffer.index);
+	out_buffer.index = 0;
+    }
+    return c;
+}
+
+int
+sec_read_msg(char *s, int level)
+{
+    int len;
+    char *buf;
+    int code;
+    
+    buf = malloc(strlen(s));
+    len = base64_decode(s + 4, buf); /* XXX */
+    
+    len = (*mech->decode)(app_data, buf, len, level);
+    if(len < 0)
+	return -1;
+    
+    buf[len] = '\0';
+
+    if(buf[3] == '-')
+	code = 0;
+    else
+	sscanf(buf, "%d", &code);
+    if(buf[len-1] == '\n')
+	buf[len-1] = '\0';
+    strcpy(s, buf);
+    free(buf);
+    return code;
+}
+
+int
+sec_vfprintf(FILE *f, const char *fmt, va_list ap)
+{
+    char *buf;
+    void *enc;
+    int len;
+    if(!sec_complete)
+	return vfprintf(f, fmt, ap);
+    
+    vasprintf(&buf, fmt, ap);
+    len = (*mech->encode)(app_data, buf, strlen(buf), command_prot, &enc);
+    free(buf);
+    if(len < 0) {
+	printf("Failed to encode command.\n");
+	return -1;
+    }
+    if(base64_encode(enc, len, &buf) < 0){
+	printf("Out of memory base64-encoding.\n");
+	return -1;
+    }
+#ifdef FTP_SERVER
+    if(command_prot == prot_safe)
+	fprintf(f, "631 %s\r\n", buf);
+    else if(command_prot == prot_private)
+	fprintf(f, "632 %s\r\n", buf);
+    else if(command_prot == prot_confidential)
+	fprintf(f, "633 %s\r\n", buf);
+#else
+    if(command_prot == prot_safe)
+	fprintf(f, "MIC %s", buf);
+    else if(command_prot == prot_private)
+	fprintf(f, "ENC %s", buf);
+    else if(command_prot == prot_confidential)
+	fprintf(f, "CONF %s", buf);
+#endif
+    free(buf);
+    return 0;
+}
+
+int
+sec_fprintf(FILE *f, const char *fmt, ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, fmt);
+    ret = sec_vfprintf(f, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+/* end common stuff */
+
+#ifdef FTP_SERVER
+
+void
+auth(char *auth_name)
+{
+    int i;
+    void *tmp;
+
+    for(i = 0; (mech = mechs[i]) != NULL; i++){
+	if(!strcasecmp(auth_name, mech->name)){
+	    tmp = realloc(app_data, mech->size);
+	    if (tmp == NULL) {
+		reply(431, "Unable to accept %s at this time", mech->name);
+		return;
+	    }
+	    app_data = tmp;
+
+	    if(mech->init && (*mech->init)(app_data) != 0) {
+		reply(431, "Unable to accept %s at this time", mech->name);
+		return;
+	    }
+	    if(mech->auth) {
+		(*mech->auth)(app_data);
+		return;
+	    }
+	    if(mech->adat)
+		reply(334, "Send authorization data.");
+	    else
+		reply(234, "Authorization complete.");
+	    return;
+	}
+    }
+    free (app_data);
+    app_data = NULL;
+    reply(504, "%s is unknown to me", auth_name);
+}
+
+void
+adat(char *auth_data)
+{
+    if(mech && !sec_complete) {
+	void *buf = malloc(strlen(auth_data));
+	size_t len;
+	len = base64_decode(auth_data, buf);
+	(*mech->adat)(app_data, buf, len);
+	free(buf);
+    } else
+	reply(503, "You must %sissue an AUTH first.", mech ? "re-" : "");
+}
+
+void pbsz(int size)
+{
+    size_t new = size;
+    if(!sec_complete)
+	reply(503, "Incomplete security data exchange.");
+    if(mech->pbsz)
+	new = (*mech->pbsz)(app_data, size);
+    if(buffer_size != new){
+	buffer_size = size;
+    }
+    if(new != size)
+	reply(200, "PBSZ=%lu", (unsigned long)new);
+    else
+	reply(200, "OK");
+}
+
+void
+prot(char *pl)
+{
+    int p = -1;
+
+    if(buffer_size == 0){
+	reply(503, "No protection buffer size negotiated.");
+	return;
+    }
+
+    if(!strcasecmp(pl, "C"))
+	p = prot_clear;
+    else if(!strcasecmp(pl, "S"))
+	p = prot_safe;
+    else if(!strcasecmp(pl, "E"))
+	p = prot_confidential;
+    else if(!strcasecmp(pl, "P"))
+	p = prot_private;
+    else {
+	reply(504, "Unrecognized protection level.");
+	return;
+    }
+    
+    if(sec_complete){
+	if((*mech->check_prot)(app_data, p)){
+	    reply(536, "%s does not support %s protection.", 
+		  mech->name, level_to_name(p));
+	}else{
+	    data_prot = (enum protection_level)p;
+	    reply(200, "Data protection is %s.", level_to_name(p));
+	}
+    }else{
+	reply(503, "Incomplete security data exchange.");
+    }
+}
+
+void ccc(void)
+{
+    if(sec_complete){
+	if(mech->ccc && (*mech->ccc)(app_data) == 0)
+	    command_prot = data_prot = prot_clear;
+	else
+	    reply(534, "You must be joking.");
+    }else
+	reply(503, "Incomplete security data exchange.");
+}
+
+void mec(char *msg, enum protection_level level)
+{
+    void *buf;
+    size_t len;
+    if(!sec_complete) {
+	reply(503, "Incomplete security data exchange.");
+	return;
+    }
+    buf = malloc(strlen(msg) + 2); /* XXX go figure out where that 2
+				      comes from :-) */
+    len = base64_decode(msg, buf);
+    command_prot = level;
+    if(len == (size_t)-1) {
+	reply(501, "Failed to base64-decode command");
+	return;
+    }
+    len = (*mech->decode)(app_data, buf, len, level);
+    if(len == (size_t)-1) {
+	reply(535, "Failed to decode command");
+	return;
+    }
+    ((char*)buf)[len] = '\0';
+    if(strstr((char*)buf, "\r\n") == NULL)
+	strcat((char*)buf, "\r\n");
+    new_ftp_command(buf);
+}
+
+/* ------------------------------------------------------------ */
+
+int
+sec_userok(char *user)
+{
+    if(sec_complete)
+	return (*mech->userok)(app_data, user);
+    return 0;
+}
+
+char *ftp_command;
+
+void
+new_ftp_command(char *command)
+{
+    ftp_command = command;
+}
+
+void
+delete_ftp_command(void)
+{
+    free(ftp_command);
+    ftp_command = NULL;
+}
+
+int
+secure_command(void)
+{
+    return ftp_command != NULL;
+}
+
+enum protection_level
+get_command_prot(void)
+{
+    return command_prot;
+}
+
+#else /* FTP_SERVER */
+
+void
+sec_status(void)
+{
+    if(sec_complete){
+	printf("Using %s for authentication.\n", mech->name);
+	printf("Using %s command channel.\n", level_to_name(command_prot));
+	printf("Using %s data channel.\n", level_to_name(data_prot));
+	if(buffer_size > 0)
+	    printf("Protection buffer size: %lu.\n", 
+		   (unsigned long)buffer_size);
+    }else{
+	printf("Not using any security mechanism.\n");
+    }
+}
+
+static int
+sec_prot_internal(int level)
+{
+    int ret;
+    char *p;
+    unsigned int s = 1048576;
+
+    int old_verbose = verbose;
+    verbose = 0;
+
+    if(!sec_complete){
+	printf("No security data exchange has taken place.\n");
+	return -1;
+    }
+
+    if(level){
+	ret = command("PBSZ %u", s);
+	if(ret != COMPLETE){
+	    printf("Failed to set protection buffer size.\n");
+	    return -1;
+	}
+	buffer_size = s;
+	p = strstr(reply_string, "PBSZ=");
+	if(p)
+	    sscanf(p, "PBSZ=%u", &s);
+	if(s < buffer_size)
+	    buffer_size = s;
+    }
+    verbose = old_verbose;
+    ret = command("PROT %c", level["CSEP"]); /* XXX :-) */
+    if(ret != COMPLETE){
+	printf("Failed to set protection level.\n");
+	return -1;
+    }
+    
+    data_prot = (enum protection_level)level;
+    return 0;
+}
+
+enum protection_level
+set_command_prot(enum protection_level level)
+{
+    enum protection_level old = command_prot;
+    command_prot = level;
+    return old;
+}
+
+void
+sec_prot(int argc, char **argv)
+{
+    int level = -1;
+
+    if(argc < 2 || argc > 3)
+	goto usage;
+    if(!sec_complete) {
+	printf("No security data exchange has taken place.\n");
+	code = -1;
+	return;
+    }
+    level = name_to_level(argv[argc - 1]);
+    
+    if(level == -1)
+	goto usage;
+    
+    if((*mech->check_prot)(app_data, level)) {
+	printf("%s does not implement %s protection.\n", 
+	       mech->name, level_to_name(level));
+	code = -1;
+	return;
+    }
+    
+    if(argc == 2 || strncasecmp(argv[1], "data", strlen(argv[1])) == 0) {
+	if(sec_prot_internal(level) < 0){
+	    code = -1;
+	    return;
+	}
+    } else if(strncasecmp(argv[1], "command", strlen(argv[1])) == 0)
+	set_command_prot(level);
+    else
+	goto usage;
+    code = 0;
+    return;
+ usage:
+    printf("usage: %s [command|data] [clear|safe|confidential|private]\n",
+	   argv[0]);
+    code = -1;
+}
+
+static enum protection_level request_data_prot;
+
+void
+sec_set_protection_level(void)
+{
+    if(sec_complete && data_prot != request_data_prot)
+	sec_prot_internal(request_data_prot);
+}
+
+
+int
+sec_request_prot(char *level)
+{
+    int l = name_to_level(level);
+    if(l == -1)
+	return -1;
+    request_data_prot = (enum protection_level)l;
+    return 0;
+}
+
+int
+sec_login(char *host)
+{
+    int ret;
+    struct sec_client_mech **m;
+    int old_verbose = verbose;
+
+    verbose = -1; /* shut up all messages this will produce (they
+		     are usually not very user friendly) */
+    
+    for(m = mechs; *m && (*m)->name; m++) {
+	void *tmp;
+
+	tmp = realloc(app_data, (*m)->size);
+	if (tmp == NULL) {
+	    warnx ("realloc %u failed", (*m)->size);
+	    return -1;
+	}
+	app_data = tmp;
+	    
+	if((*m)->init && (*(*m)->init)(app_data) != 0) {
+	    printf("Skipping %s...\n", (*m)->name);
+	    continue;
+	}
+	printf("Trying %s...\n", (*m)->name);
+	ret = command("AUTH %s", (*m)->name);
+	if(ret != CONTINUE){
+	    if(code == 504){
+		printf("%s is not supported by the server.\n", (*m)->name);
+	    }else if(code == 534){
+		printf("%s rejected as security mechanism.\n", (*m)->name);
+	    }else if(ret == ERROR) {
+		printf("The server doesn't support the FTP "
+		       "security extensions.\n");
+		verbose = old_verbose;
+		return -1;
+	    }
+	    continue;
+	}
+
+	ret = (*(*m)->auth)(app_data, host);
+	
+	if(ret == AUTH_CONTINUE)
+	    continue;
+	else if(ret != AUTH_OK){
+	    /* mechanism is supposed to output error string */
+	    verbose = old_verbose;
+	    return -1;
+	}
+	mech = *m;
+	sec_complete = 1;
+	command_prot = prot_safe;
+	break;
+    }
+    
+    verbose = old_verbose;
+    return *m == NULL;
+}
+
+void
+sec_end(void)
+{
+    if (mech != NULL) {
+	if(mech->end)
+	    (*mech->end)(app_data);
+	if (app_data != NULL) {
+	    memset(app_data, 0, mech->size);
+	    free(app_data);
+	    app_data = NULL;
+	}
+    }
+    sec_complete = 0;
+    data_prot = (enum protection_level)0;
+}
+
+#endif /* FTP_SERVER */
+
diff --git a/crypto/heimdal/appl/ftp/ftp/security.h b/crypto/heimdal/appl/ftp/ftp/security.h
new file mode 100644
index 0000000..47e7084
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/security.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: security.h,v 1.9 2000/10/04 06:07:52 assar Exp $ */
+
+#ifndef __security_h__
+#define __security_h__
+
+enum protection_level { 
+    prot_clear, 
+    prot_safe, 
+    prot_confidential, 
+    prot_private 
+};
+
+struct sec_client_mech {
+    char *name;
+    size_t size;
+    int (*init)(void *);
+    int (*auth)(void *, char*);
+    void (*end)(void *);
+    int (*check_prot)(void *, int);
+    int (*overhead)(void *, int, int);
+    int (*encode)(void *, void*, int, int, void**);
+    int (*decode)(void *, void*, int, int);
+};
+
+struct sec_server_mech {
+    char *name;
+    size_t size;
+    int (*init)(void *);
+    void (*end)(void *);
+    int (*check_prot)(void *, int);
+    int (*overhead)(void *, int, int);
+    int (*encode)(void *, void*, int, int, void**);
+    int (*decode)(void *, void*, int, int);
+
+    int (*auth)(void *);
+    int (*adat)(void *, void*, size_t);
+    size_t (*pbsz)(void *, size_t);
+    int (*ccc)(void*);
+    int (*userok)(void*, char*);
+};
+
+#define AUTH_OK		0
+#define AUTH_CONTINUE	1
+#define AUTH_ERROR	2
+
+#ifdef FTP_SERVER
+extern struct sec_server_mech krb4_server_mech, gss_server_mech;
+#else
+extern struct sec_client_mech krb4_client_mech, gss_client_mech;
+#endif
+
+extern int sec_complete;
+
+#ifdef FTP_SERVER
+extern char *ftp_command;
+void new_ftp_command(char*);
+void delete_ftp_command(void);
+#endif
+
+/* ---- */
+
+
+int sec_fflush (FILE *);
+int sec_fprintf (FILE *, const char *, ...)
+    __attribute__ ((format (printf, 2,3)));
+int sec_getc (FILE *);
+int sec_putc (int, FILE *);
+int sec_read (int, void *, int);
+int sec_read_msg (char *, int);
+int sec_vfprintf (FILE *, const char *, va_list)
+    __attribute__ ((format (printf, 2,0)));
+int sec_fprintf2(FILE *f, const char *fmt, ...)
+    __attribute__ ((format (printf, 2,3)));
+int sec_vfprintf2(FILE *, const char *, va_list)
+    __attribute__ ((format (printf, 2,0)));
+int sec_write (int, char *, int);
+
+#ifdef FTP_SERVER
+void adat (char *);
+void auth (char *);
+void ccc (void);
+void mec (char *, enum protection_level);
+void pbsz (int);
+void prot (char *);
+void delete_ftp_command (void);
+void new_ftp_command (char *);
+int sec_userok (char *);
+int secure_command (void);
+enum protection_level get_command_prot(void);
+#else
+void sec_end (void);
+int sec_login (char *);
+void sec_prot (int, char **);
+int sec_request_prot (char *);
+void sec_set_protection_level (void);
+void sec_status (void);
+
+enum protection_level set_command_prot(enum protection_level);
+
+#endif
+
+#endif /* __security_h__ */  
diff --git a/crypto/heimdal/appl/ftp/ftpd/Makefile.am b/crypto/heimdal/appl/ftp/ftpd/Makefile.am
new file mode 100644
index 0000000..8753739
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/Makefile.am
@@ -0,0 +1,56 @@
+# $Id: Makefile.am,v 1.23 2001/01/28 23:17:36 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
+
+libexec_PROGRAMS = ftpd
+
+CHECK_LOCAL = 
+
+if KRB4
+krb4_sources = krb4.c kauth.c
+endif
+if KRB5
+krb5_sources = gssapi.c gss_userok.c
+endif
+
+ftpd_SOURCES =		\
+	extern.h	\
+	ftpcmd.y	\
+	ftpd.c		\
+	ftpd_locl.h	\
+	logwtmp.c	\
+	ls.c		\
+	pathnames.h	\
+	popen.c		\
+	security.c	\
+	$(krb4_sources) \
+	$(krb5_sources)
+
+EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c
+
+$(ftpd_OBJECTS): security.h
+
+security.c:
+	@test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c .
+security.h:
+	@test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h .
+krb4.c:
+	@test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c .
+gssapi.c:
+	@test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c .
+
+CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c
+
+man_MANS = ftpd.8 ftpusers.5
+
+LDADD = ../common/libcommon.a \
+	$(LIB_kafs) \
+	$(LIB_gssapi) \
+	$(LIB_otp) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
diff --git a/crypto/heimdal/appl/ftp/ftpd/Makefile.in b/crypto/heimdal/appl/ftp/ftpd/Makefile.in
new file mode 100644
index 0000000..cd67376
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/Makefile.in
@@ -0,0 +1,724 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.23 2001/01/28 23:17:36 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = 
+
+libexec_PROGRAMS = ftpd
+
+@KRB4_TRUE@krb4_sources = @KRB4_TRUE@krb4.c kauth.c
+@KRB5_TRUE@krb5_sources = @KRB5_TRUE@gssapi.c gss_userok.c
+
+ftpd_SOURCES = \
+	extern.h	\
+	ftpcmd.y	\
+	ftpd.c		\
+	ftpd_locl.h	\
+	logwtmp.c	\
+	ls.c		\
+	pathnames.h	\
+	popen.c		\
+	security.c	\
+	$(krb4_sources) \
+	$(krb5_sources)
+
+
+EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c
+
+CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c
+
+man_MANS = ftpd.8 ftpusers.5
+
+LDADD = ../common/libcommon.a \
+	$(LIB_kafs) \
+	$(LIB_gssapi) \
+	$(LIB_otp) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
+
+subdir = appl/ftp/ftpd
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+libexec_PROGRAMS =  ftpd$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+@KRB4_FALSE@@KRB5_FALSE@am_ftpd_OBJECTS =  ftpcmd.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@ftpd.$(OBJEXT) logwtmp.$(OBJEXT) ls.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_FALSE@popen.$(OBJEXT) security.$(OBJEXT)
+@KRB4_FALSE@@KRB5_TRUE@am_ftpd_OBJECTS =  ftpcmd.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@ftpd.$(OBJEXT) logwtmp.$(OBJEXT) ls.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@popen.$(OBJEXT) security.$(OBJEXT) \
+@KRB4_FALSE@@KRB5_TRUE@gssapi.$(OBJEXT) gss_userok.$(OBJEXT)
+@KRB4_TRUE@@KRB5_FALSE@am_ftpd_OBJECTS =  ftpcmd.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@ftpd.$(OBJEXT) logwtmp.$(OBJEXT) ls.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@popen.$(OBJEXT) security.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_FALSE@krb4.$(OBJEXT) kauth.$(OBJEXT)
+@KRB4_TRUE@@KRB5_TRUE@am_ftpd_OBJECTS =  ftpcmd.$(OBJEXT) ftpd.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@logwtmp.$(OBJEXT) ls.$(OBJEXT) popen.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@security.$(OBJEXT) krb4.$(OBJEXT) kauth.$(OBJEXT) \
+@KRB4_TRUE@@KRB5_TRUE@gssapi.$(OBJEXT) gss_userok.$(OBJEXT)
+ftpd_OBJECTS =  $(am_ftpd_OBJECTS)
+ftpd_LDADD = $(LDADD)
+@KRB4_FALSE@@KRB5_FALSE@ftpd_DEPENDENCIES =  ../common/libcommon.a
+@KRB4_FALSE@@KRB5_TRUE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@@KRB5_FALSE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@KRB4_TRUE@@KRB5_TRUE@ftpd_DEPENDENCIES =  ../common/libcommon.a \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+ftpd_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES)
+man5dir = $(mandir)/man5
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in ftpcmd.c
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(ftpd_SOURCES) $(EXTRA_ftpd_SOURCES)
+OBJECTS = $(am_ftpd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj .y
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/ftpd/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+ftpd$(EXEEXT): $(ftpd_OBJECTS) $(ftpd_DEPENDENCIES)
+	@rm -f ftpd$(EXEEXT)
+	$(LINK) $(ftpd_LDFLAGS) $(ftpd_OBJECTS) $(ftpd_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+.y.c:
+	$(YACC) $(AM_YFLAGS) $(YFLAGS) $< && mv y.tab.c $*.c
+	if test -f y.tab.h; then \
+	if cmp -s y.tab.h $*.h; then rm -f y.tab.h; else mv y.tab.h $*.h; fi; \
+	else :; fi
+
+
+install-man5:
+	$(mkinstalldirs) $(DESTDIR)$(man5dir)
+	@list='$(man5_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst; \
+	done
+
+uninstall-man5:
+	@list='$(man5_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man5dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man5dir)/$$inst; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man5 install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man5 uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(mandir)/man5 \
+		$(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+	-test -z "ftpcmd.c" || rm -f ftpcmd.c
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool install-man5 uninstall-man5 install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(ftpd_OBJECTS): security.h
+
+security.c:
+	@test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c .
+security.h:
+	@test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h .
+krb4.c:
+	@test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c .
+gssapi.c:
+	@test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c .
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/ftp/ftpd/extern.h b/crypto/heimdal/appl/ftp/ftpd/extern.h
new file mode 100644
index 0000000..e976b55
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/extern.h
@@ -0,0 +1,148 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)extern.h	8.2 (Berkeley) 4/4/94
+ */
+
+#ifndef _EXTERN_H_
+#define _EXTERN_H_
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+
+#ifndef NBBY
+#define NBBY CHAR_BIT
+#endif
+
+void	abor(void);
+void	blkfree(char **);
+char  **copyblk(char **);
+void	cwd(char *);
+void	do_delete(char *);
+void	dologout(int);
+void	eprt(char *);
+void	epsv(char *);
+void	fatal(char *);
+int	filename_check(char *);
+int	ftpd_pclose(FILE *);
+FILE   *ftpd_popen(char *, char *, int, int);
+char   *ftpd_getline(char *, int);
+void	ftpd_logwtmp(char *, char *, char *);
+void	lreply(int, const char *, ...)
+    __attribute__ ((format (printf, 2, 3)));
+void	makedir(char *);
+void	nack(char *);
+void	nreply(const char *, ...)
+    __attribute__ ((format (printf, 1, 2)));
+void	pass(char *);
+void	pasv(void);
+void	perror_reply(int, const char *);
+void	pwd(void);
+void	removedir(char *);
+void	renamecmd(char *, char *);
+char   *renamefrom(char *);
+void	reply(int, const char *, ...)
+    __attribute__ ((format (printf, 2, 3)));
+void	retrieve(const char *, char *);
+void	send_file_list(char *);
+void	setproctitle(const char *, ...)
+    __attribute__ ((format (printf, 1, 2)));
+void	statcmd(void);
+void	statfilecmd(char *);
+void	do_store(char *, char *, int);
+void	upper(char *);
+void	user(char *);
+void	yyerror(char *);
+
+void	list_file(char*);
+
+void	kauth(char *, char*);
+void	klist(void);
+void	cond_kdestroy(void);
+void	kdestroy(void);
+void	krbtkfile(const char *tkfile);
+void	afslog(const char *cell);
+void	afsunlog(void);
+
+int	find(char *);
+
+void	builtin_ls(FILE*, const char*);
+
+int	do_login(int code, char *passwd);
+int	klogin(char *name, char *password);
+
+const char *ftp_rooted(const char *path);
+
+extern struct sockaddr *ctrl_addr, *his_addr;
+extern char hostname[];
+
+extern	struct sockaddr *data_dest;
+extern	int logged_in;
+extern	struct passwd *pw;
+extern	int guest;
+extern	int logging;
+extern	int type;
+extern	int oobflag;
+extern off_t file_size;
+extern off_t byte_count;
+extern jmp_buf urgcatch;
+
+extern	int form;
+extern	int debug;
+extern	int ftpd_timeout;
+extern	int maxtimeout;
+extern  int pdata;
+extern	char hostname[], remotehost[];
+extern	char proctitle[];
+extern	int usedefault;
+extern  int transflag;
+extern  char tmpline[];
+
+#endif /* _EXTERN_H_ */
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y b/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y
new file mode 100644
index 0000000..8a67a61
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpcmd.y
@@ -0,0 +1,1460 @@
+/*	$NetBSD: ftpcmd.y,v 1.6 1995/06/03 22:46:45 mycroft Exp $	*/
+
+/*
+ * Copyright (c) 1985, 1988, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ftpcmd.y	8.3 (Berkeley) 4/6/94
+ */
+
+/*
+ * Grammar for FTP commands.
+ * See RFC 959.
+ */
+
+%{
+
+#include "ftpd_locl.h"
+RCSID("$Id: ftpcmd.y,v 1.60 2000/11/05 16:53:20 joda Exp $");
+
+off_t	restart_point;
+
+static	int cmd_type;
+static	int cmd_form;
+static	int cmd_bytesz;
+char	cbuf[2048];
+char	*fromname;
+
+struct tab {
+	char	*name;
+	short	token;
+	short	state;
+	short	implemented;	/* 1 if command is implemented */
+	char	*help;
+};
+
+extern struct tab cmdtab[];
+extern struct tab sitetab[];
+
+static char		*copy (char *);
+static void		 help (struct tab *, char *);
+static struct tab *
+			 lookup (struct tab *, char *);
+static void		 sizecmd (char *);
+static RETSIGTYPE	 toolong (int);
+static int		 yylex (void);
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+%}
+
+%union {
+	int	i;
+	char   *s;
+}
+
+%token
+	A	B	C	E	F	I
+	L	N	P	R	S	T
+
+	SP	CRLF	COMMA
+
+	USER	PASS	ACCT	REIN	QUIT	PORT
+	PASV	TYPE	STRU	MODE	RETR	STOR
+	APPE	MLFL	MAIL	MSND	MSOM	MSAM
+	MRSQ	MRCP	ALLO	REST	RNFR	RNTO
+	ABOR	DELE	CWD	LIST	NLST	SITE
+	sTAT	HELP	NOOP	MKD	RMD	PWD
+	CDUP	STOU	SMNT	SYST	SIZE	MDTM
+	EPRT	EPSV
+
+	UMASK	IDLE	CHMOD
+
+	AUTH	ADAT	PROT	PBSZ	CCC	MIC
+	CONF	ENC
+
+	KAUTH	KLIST	KDESTROY KRBTKFILE AFSLOG
+	LOCATE	URL
+
+	FEAT	OPTS
+
+	LEXERR
+
+%token	<s> STRING
+%token	<i> NUMBER
+
+%type	<i> check_login check_login_no_guest check_secure octal_number byte_size
+%type	<i> struct_code mode_code type_code form_code
+%type	<s> pathstring pathname password username
+
+%start	cmd_list
+
+%%
+
+cmd_list
+	: /* empty */
+	| cmd_list cmd
+		{
+			fromname = (char *) 0;
+			restart_point = (off_t) 0;
+		}
+	| cmd_list rcmd
+	;
+
+cmd
+	: USER SP username CRLF
+		{
+			user($3);
+			free($3);
+		}
+	| PASS SP password CRLF
+		{
+			pass($3);
+			memset ($3, 0, strlen($3));
+			free($3);
+		}
+	| PORT SP host_port CRLF
+		{
+			usedefault = 0;
+			if (pdata >= 0) {
+				close(pdata);
+				pdata = -1;
+			}
+			reply(200, "PORT command successful.");
+		}
+	| EPRT SP STRING CRLF
+		{
+			eprt ($3);
+			free ($3);
+		}
+	| PASV CRLF check_login
+		{
+		    if($3)
+			pasv ();
+		}
+	| EPSV CRLF check_login
+		{
+		    if($3)
+			epsv (NULL);
+		}
+	| EPSV SP STRING CRLF check_login
+		{
+		    if($5)
+			epsv ($3);
+		    free ($3);
+		}
+	| TYPE SP type_code CRLF
+		{
+			switch (cmd_type) {
+
+			case TYPE_A:
+				if (cmd_form == FORM_N) {
+					reply(200, "Type set to A.");
+					type = cmd_type;
+					form = cmd_form;
+				} else
+					reply(504, "Form must be N.");
+				break;
+
+			case TYPE_E:
+				reply(504, "Type E not implemented.");
+				break;
+
+			case TYPE_I:
+				reply(200, "Type set to I.");
+				type = cmd_type;
+				break;
+
+			case TYPE_L:
+#if NBBY == 8
+				if (cmd_bytesz == 8) {
+					reply(200,
+					    "Type set to L (byte size 8).");
+					type = cmd_type;
+				} else
+					reply(504, "Byte size must be 8.");
+#else /* NBBY == 8 */
+				UNIMPLEMENTED for NBBY != 8
+#endif /* NBBY == 8 */
+			}
+		}
+	| STRU SP struct_code CRLF
+		{
+			switch ($3) {
+
+			case STRU_F:
+				reply(200, "STRU F ok.");
+				break;
+
+			default:
+				reply(504, "Unimplemented STRU type.");
+			}
+		}
+	| MODE SP mode_code CRLF
+		{
+			switch ($3) {
+
+			case MODE_S:
+				reply(200, "MODE S ok.");
+				break;
+
+			default:
+				reply(502, "Unimplemented MODE type.");
+			}
+		}
+	| ALLO SP NUMBER CRLF
+		{
+			reply(202, "ALLO command ignored.");
+		}
+	| ALLO SP NUMBER SP R SP NUMBER CRLF
+		{
+			reply(202, "ALLO command ignored.");
+		}
+	| RETR SP pathname CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				retrieve(0, name);
+			if (name != NULL)
+				free(name);
+		}
+	| STOR SP pathname CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				do_store(name, "w", 0);
+			if (name != NULL)
+				free(name);
+		}
+	| APPE SP pathname CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				do_store(name, "a", 0);
+			if (name != NULL)
+				free(name);
+		}
+	| NLST CRLF check_login
+		{
+			if ($3)
+				send_file_list(".");
+		}
+	| NLST SP STRING CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				send_file_list(name);
+			if (name != NULL)
+				free(name);
+		}
+	| LIST CRLF check_login
+		{
+		    if($3)
+			list_file(".");
+		}
+	| LIST SP pathname CRLF check_login
+		{
+		    if($5)
+			list_file($3);
+		    free($3);
+		}
+	| sTAT SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				statfilecmd($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| sTAT CRLF
+		{
+		    if(oobflag){
+			if (file_size != (off_t) -1)
+			    reply(213, "Status: %lu of %lu bytes transferred",
+				  (unsigned long)byte_count, 
+				  (unsigned long)file_size);
+			else
+			    reply(213, "Status: %lu bytes transferred", 
+				  (unsigned long)byte_count);
+		    }else
+			statcmd();
+	}
+	| DELE SP pathname CRLF check_login_no_guest
+		{
+			if ($5 && $3 != NULL)
+				do_delete($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| RNTO SP pathname CRLF check_login_no_guest
+		{
+			if($5){
+				if (fromname) {
+					renamecmd(fromname, $3);
+					free(fromname);
+					fromname = (char *) 0;
+				} else {
+					reply(503, "Bad sequence of commands.");
+				}
+			}
+			if ($3 != NULL)
+				free($3);
+		}
+	| ABOR CRLF
+		{
+			if(oobflag){
+				reply(426, "Transfer aborted. Data connection closed.");
+				reply(226, "Abort successful");
+				oobflag = 0;
+				longjmp(urgcatch, 1);
+			}else
+				reply(225, "ABOR command successful.");
+		}
+	| CWD CRLF check_login
+		{
+			if ($3)
+				cwd(pw->pw_dir);
+		}
+	| CWD SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				cwd($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| HELP CRLF
+		{
+			help(cmdtab, (char *) 0);
+		}
+	| HELP SP STRING CRLF
+		{
+			char *cp = $3;
+
+			if (strncasecmp(cp, "SITE", 4) == 0) {
+				cp = $3 + 4;
+				if (*cp == ' ')
+					cp++;
+				if (*cp)
+					help(sitetab, cp);
+				else
+					help(sitetab, (char *) 0);
+			} else
+				help(cmdtab, $3);
+		}
+	| NOOP CRLF
+		{
+			reply(200, "NOOP command successful.");
+		}
+	| MKD SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				makedir($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| RMD SP pathname CRLF check_login_no_guest
+		{
+			if ($5 && $3 != NULL)
+				removedir($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| PWD CRLF check_login
+		{
+			if ($3)
+				pwd();
+		}
+	| CDUP CRLF check_login
+		{
+			if ($3)
+				cwd("..");
+		}
+	| FEAT CRLF
+		{
+			lreply(211, "Supported features:");
+			lreply(0, " MDTM");
+			lreply(0, " REST STREAM");
+			lreply(0, " SIZE");
+			reply(211, "End");
+		}
+	| OPTS SP STRING CRLF
+		{
+			free ($3);
+			reply(501, "Bad options");
+		}
+
+	| SITE SP HELP CRLF
+		{
+			help(sitetab, (char *) 0);
+		}
+	| SITE SP HELP SP STRING CRLF
+		{
+			help(sitetab, $5);
+		}
+	| SITE SP UMASK CRLF check_login
+		{
+			if ($5) {
+				int oldmask = umask(0);
+				umask(oldmask);
+				reply(200, "Current UMASK is %03o", oldmask);
+			}
+		}
+	| SITE SP UMASK SP octal_number CRLF check_login_no_guest
+		{
+			if ($7) {
+				if (($5 == -1) || ($5 > 0777)) {
+					reply(501, "Bad UMASK value");
+				} else {
+					int oldmask = umask($5);
+					reply(200,
+					      "UMASK set to %03o (was %03o)",
+					      $5, oldmask);
+				}
+			}
+		}
+	| SITE SP CHMOD SP octal_number SP pathname CRLF check_login_no_guest
+		{
+			if ($9 && $7 != NULL) {
+				if ($5 > 0777)
+					reply(501,
+				"CHMOD: Mode value must be between 0 and 0777");
+				else if (chmod($7, $5) < 0)
+					perror_reply(550, $7);
+				else
+					reply(200, "CHMOD command successful.");
+			}
+			if ($7 != NULL)
+				free($7);
+		}
+	| SITE SP IDLE CRLF
+		{
+			reply(200,
+			    "Current IDLE time limit is %d seconds; max %d",
+				ftpd_timeout, maxtimeout);
+		}
+	| SITE SP IDLE SP NUMBER CRLF
+		{
+			if ($5 < 30 || $5 > maxtimeout) {
+				reply(501,
+			"Maximum IDLE time must be between 30 and %d seconds",
+				    maxtimeout);
+			} else {
+				ftpd_timeout = $5;
+				alarm((unsigned) ftpd_timeout);
+				reply(200,
+				    "Maximum IDLE time set to %d seconds",
+				    ftpd_timeout);
+			}
+		}
+
+	| SITE SP KAUTH SP STRING CRLF check_login
+		{
+#ifdef KRB4
+			char *p;
+			
+			if(guest)
+				reply(500, "Can't be done as guest.");
+			else{
+				if($7 && $5 != NULL){
+				    p = strpbrk($5, " \t");
+				    if(p){
+					*p++ = 0;
+					kauth($5, p + strspn(p, " \t"));
+				    }else
+					kauth($5, NULL);
+				}
+			}
+			if($5 != NULL)
+			    free($5);
+#else
+			reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP KLIST CRLF check_login
+		{
+#ifdef KRB4
+		    if($5)
+			klist();
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP KDESTROY CRLF check_login
+		{
+#ifdef KRB4
+		    if($5)
+			kdestroy();
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP KRBTKFILE SP STRING CRLF check_login
+		{
+#ifdef KRB4
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if($7 && $5)
+			krbtkfile($5);
+		    if($5)
+			free($5);
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP AFSLOG CRLF check_login
+		{
+#ifdef KRB4
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if($5)
+			afslog(NULL);
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP AFSLOG SP STRING CRLF check_login
+		{
+#ifdef KRB4
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if($7)
+			afslog($5);
+		    if($5)
+			free($5);
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP LOCATE SP STRING CRLF check_login
+		{
+		    if($7 && $5 != NULL)
+			find($5);
+		    if($5 != NULL)
+			free($5);
+		}
+	| SITE SP URL CRLF
+		{
+			reply(200, "http://www.pdc.kth.se/kth-krb/");
+		}
+	| STOU SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				do_store($3, "w", 1);
+			if ($3 != NULL)
+				free($3);
+		}
+	| SYST CRLF
+		{
+#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
+		    reply(215, "UNIX Type: L%d", NBBY);
+#else
+		    reply(215, "UNKNOWN Type: L%d", NBBY);
+#endif
+		}
+
+		/*
+		 * SIZE is not in RFC959, but Postel has blessed it and
+		 * it will be in the updated RFC.
+		 *
+		 * Return size of file in a format suitable for
+		 * using with RESTART (we just count bytes).
+		 */
+	| SIZE SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				sizecmd($3);
+			if ($3 != NULL)
+				free($3);
+		}
+
+		/*
+		 * MDTM is not in RFC959, but Postel has blessed it and
+		 * it will be in the updated RFC.
+		 *
+		 * Return modification time of file as an ISO 3307
+		 * style time. E.g. YYYYMMDDHHMMSS or YYYYMMDDHHMMSS.xxx
+		 * where xxx is the fractional second (of any precision,
+		 * not necessarily 3 digits)
+		 */
+	| MDTM SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL) {
+				struct stat stbuf;
+				if (stat($3, &stbuf) < 0)
+					reply(550, "%s: %s",
+					    $3, strerror(errno));
+				else if (!S_ISREG(stbuf.st_mode)) {
+					reply(550,
+					      "%s: not a plain file.", $3);
+				} else {
+					struct tm *t;
+					time_t mtime = stbuf.st_mtime;
+
+					t = gmtime(&mtime);
+					reply(213,
+					      "%04d%02d%02d%02d%02d%02d",
+					      t->tm_year + 1900,
+					      t->tm_mon + 1,
+					      t->tm_mday,
+					      t->tm_hour,
+					      t->tm_min,
+					      t->tm_sec);
+				}
+			}
+			if ($3 != NULL)
+				free($3);
+		}
+	| QUIT CRLF
+		{
+			reply(221, "Goodbye.");
+			dologout(0);
+		}
+	| error CRLF
+		{
+			yyerrok;
+		}
+	;
+rcmd
+	: RNFR SP pathname CRLF check_login_no_guest
+		{
+			restart_point = (off_t) 0;
+			if ($5 && $3) {
+				fromname = renamefrom($3);
+				if (fromname == (char *) 0 && $3) {
+					free($3);
+				}
+			}
+		}
+	| REST SP byte_size CRLF
+		{
+			fromname = (char *) 0;
+			restart_point = $3;	/* XXX $3 is only "int" */
+			reply(350, "Restarting at %ld. %s",
+			      (long)restart_point,
+			      "Send STORE or RETRIEVE to initiate transfer.");
+		}
+	| AUTH SP STRING CRLF
+		{
+			auth($3);
+			free($3);
+		}
+	| ADAT SP STRING CRLF
+		{
+			adat($3);
+			free($3);
+		}
+	| PBSZ SP NUMBER CRLF
+		{
+			pbsz($3);
+		}
+	| PROT SP STRING CRLF
+		{
+			prot($3);
+		}
+	| CCC CRLF
+		{
+			ccc();
+		}
+	| MIC SP STRING CRLF
+		{
+			mec($3, prot_safe);
+			free($3);
+		}
+	| CONF SP STRING CRLF
+		{
+			mec($3, prot_confidential);
+			free($3);
+		}
+	| ENC SP STRING CRLF
+		{
+			mec($3, prot_private);
+			free($3);
+		}
+	;
+
+username
+	: STRING
+	;
+
+password
+	: /* empty */
+		{
+			$$ = (char *)calloc(1, sizeof(char));
+		}
+	| STRING
+	;
+
+byte_size
+	: NUMBER
+	;
+
+host_port
+	: NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER COMMA
+		NUMBER COMMA NUMBER
+		{
+			struct sockaddr_in *sin = (struct sockaddr_in *)data_dest;
+
+			sin->sin_family = AF_INET;
+			sin->sin_port = htons($9 * 256 + $11);
+			sin->sin_addr.s_addr = 
+			    htonl(($1 << 24) | ($3 << 16) | ($5 << 8) | $7);
+		}
+	;
+
+form_code
+	: N
+		{
+			$$ = FORM_N;
+		}
+	| T
+		{
+			$$ = FORM_T;
+		}
+	| C
+		{
+			$$ = FORM_C;
+		}
+	;
+
+type_code
+	: A
+		{
+			cmd_type = TYPE_A;
+			cmd_form = FORM_N;
+		}
+	| A SP form_code
+		{
+			cmd_type = TYPE_A;
+			cmd_form = $3;
+		}
+	| E
+		{
+			cmd_type = TYPE_E;
+			cmd_form = FORM_N;
+		}
+	| E SP form_code
+		{
+			cmd_type = TYPE_E;
+			cmd_form = $3;
+		}
+	| I
+		{
+			cmd_type = TYPE_I;
+		}
+	| L
+		{
+			cmd_type = TYPE_L;
+			cmd_bytesz = NBBY;
+		}
+	| L SP byte_size
+		{
+			cmd_type = TYPE_L;
+			cmd_bytesz = $3;
+		}
+		/* this is for a bug in the BBN ftp */
+	| L byte_size
+		{
+			cmd_type = TYPE_L;
+			cmd_bytesz = $2;
+		}
+	;
+
+struct_code
+	: F
+		{
+			$$ = STRU_F;
+		}
+	| R
+		{
+			$$ = STRU_R;
+		}
+	| P
+		{
+			$$ = STRU_P;
+		}
+	;
+
+mode_code
+	: S
+		{
+			$$ = MODE_S;
+		}
+	| B
+		{
+			$$ = MODE_B;
+		}
+	| C
+		{
+			$$ = MODE_C;
+		}
+	;
+
+pathname
+	: pathstring
+		{
+			/*
+			 * Problem: this production is used for all pathname
+			 * processing, but only gives a 550 error reply.
+			 * This is a valid reply in some cases but not in others.
+			 */
+			if (logged_in && $1 && *$1 == '~') {
+				glob_t gl;
+				int flags =
+				 GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+
+				memset(&gl, 0, sizeof(gl));
+				if (glob($1, flags, NULL, &gl) ||
+				    gl.gl_pathc == 0) {
+					reply(550, "not found");
+					$$ = NULL;
+				} else {
+					$$ = strdup(gl.gl_pathv[0]);
+				}
+				globfree(&gl);
+				free($1);
+			} else
+				$$ = $1;
+		}
+	;
+
+pathstring
+	: STRING
+	;
+
+octal_number
+	: NUMBER
+		{
+			int ret, dec, multby, digit;
+
+			/*
+			 * Convert a number that was read as decimal number
+			 * to what it would be if it had been read as octal.
+			 */
+			dec = $1;
+			multby = 1;
+			ret = 0;
+			while (dec) {
+				digit = dec%10;
+				if (digit > 7) {
+					ret = -1;
+					break;
+				}
+				ret += digit * multby;
+				multby *= 8;
+				dec /= 10;
+			}
+			$$ = ret;
+		}
+	;
+
+
+check_login_no_guest : check_login
+		{
+			$$ = $1 && !guest;
+			if($1 && !$$)
+				reply(550, "Permission denied");
+		}
+	;
+
+check_login : check_secure
+		{
+		    if($1) {
+			if(($$ = logged_in) == 0)
+			    reply(530, "Please login with USER and PASS.");
+		    } else
+			$$ = 0;
+		}
+	;
+
+check_secure : /* empty */
+		{
+		    $$ = 1;
+		    if(sec_complete && !secure_command()) {
+			$$ = 0;
+			reply(533, "Command protection level denied "
+			      "for paranoid reasons.");
+		    }
+		}
+	;
+
+%%
+
+extern jmp_buf errcatch;
+
+#define	CMD	0	/* beginning of command */
+#define	ARGS	1	/* expect miscellaneous arguments */
+#define	STR1	2	/* expect SP followed by STRING */
+#define	STR2	3	/* expect STRING */
+#define	OSTR	4	/* optional SP then STRING */
+#define	ZSTR1	5	/* SP then optional STRING */
+#define	ZSTR2	6	/* optional STRING after SP */
+#define	SITECMD	7	/* SITE command */
+#define	NSTR	8	/* Number followed by a string */
+
+struct tab cmdtab[] = {		/* In order defined in RFC 765 */
+	{ "USER", USER, STR1, 1,	"<sp> username" },
+	{ "PASS", PASS, ZSTR1, 1,	"<sp> password" },
+	{ "ACCT", ACCT, STR1, 0,	"(specify account)" },
+	{ "SMNT", SMNT, ARGS, 0,	"(structure mount)" },
+	{ "REIN", REIN, ARGS, 0,	"(reinitialize server state)" },
+	{ "QUIT", QUIT, ARGS, 1,	"(terminate service)", },
+	{ "PORT", PORT, ARGS, 1,	"<sp> b0, b1, b2, b3, b4" },
+	{ "EPRT", EPRT, STR1, 1,	"<sp> string" },
+	{ "PASV", PASV, ARGS, 1,	"(set server in passive mode)" },
+	{ "EPSV", EPSV, OSTR, 1,	"[<sp> foo]" },
+	{ "TYPE", TYPE, ARGS, 1,	"<sp> [ A | E | I | L ]" },
+	{ "STRU", STRU, ARGS, 1,	"(specify file structure)" },
+	{ "MODE", MODE, ARGS, 1,	"(specify transfer mode)" },
+	{ "RETR", RETR, STR1, 1,	"<sp> file-name" },
+	{ "STOR", STOR, STR1, 1,	"<sp> file-name" },
+	{ "APPE", APPE, STR1, 1,	"<sp> file-name" },
+	{ "MLFL", MLFL, OSTR, 0,	"(mail file)" },
+	{ "MAIL", MAIL, OSTR, 0,	"(mail to user)" },
+	{ "MSND", MSND, OSTR, 0,	"(mail send to terminal)" },
+	{ "MSOM", MSOM, OSTR, 0,	"(mail send to terminal or mailbox)" },
+	{ "MSAM", MSAM, OSTR, 0,	"(mail send to terminal and mailbox)" },
+	{ "MRSQ", MRSQ, OSTR, 0,	"(mail recipient scheme question)" },
+	{ "MRCP", MRCP, STR1, 0,	"(mail recipient)" },
+	{ "ALLO", ALLO, ARGS, 1,	"allocate storage (vacuously)" },
+	{ "REST", REST, ARGS, 1,	"<sp> offset (restart command)" },
+	{ "RNFR", RNFR, STR1, 1,	"<sp> file-name" },
+	{ "RNTO", RNTO, STR1, 1,	"<sp> file-name" },
+	{ "ABOR", ABOR, ARGS, 1,	"(abort operation)" },
+	{ "DELE", DELE, STR1, 1,	"<sp> file-name" },
+	{ "CWD",  CWD,  OSTR, 1,	"[ <sp> directory-name ]" },
+	{ "XCWD", CWD,	OSTR, 1,	"[ <sp> directory-name ]" },
+	{ "LIST", LIST, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "NLST", NLST, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "SITE", SITE, SITECMD, 1,	"site-cmd [ <sp> arguments ]" },
+	{ "SYST", SYST, ARGS, 1,	"(get type of operating system)" },
+	{ "STAT", sTAT, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "HELP", HELP, OSTR, 1,	"[ <sp> <string> ]" },
+	{ "NOOP", NOOP, ARGS, 1,	"" },
+	{ "MKD",  MKD,  STR1, 1,	"<sp> path-name" },
+	{ "XMKD", MKD,  STR1, 1,	"<sp> path-name" },
+	{ "RMD",  RMD,  STR1, 1,	"<sp> path-name" },
+	{ "XRMD", RMD,  STR1, 1,	"<sp> path-name" },
+	{ "PWD",  PWD,  ARGS, 1,	"(return current directory)" },
+	{ "XPWD", PWD,  ARGS, 1,	"(return current directory)" },
+	{ "CDUP", CDUP, ARGS, 1,	"(change to parent directory)" },
+	{ "XCUP", CDUP, ARGS, 1,	"(change to parent directory)" },
+	{ "STOU", STOU, STR1, 1,	"<sp> file-name" },
+	{ "SIZE", SIZE, OSTR, 1,	"<sp> path-name" },
+	{ "MDTM", MDTM, OSTR, 1,	"<sp> path-name" },
+
+	/* extensions from RFC2228 */
+	{ "AUTH", AUTH,	STR1, 1,	"<sp> auth-type" },
+	{ "ADAT", ADAT,	STR1, 1,	"<sp> auth-data" },
+	{ "PBSZ", PBSZ,	ARGS, 1,	"<sp> buffer-size" },
+	{ "PROT", PROT,	STR1, 1,	"<sp> prot-level" },
+	{ "CCC",  CCC,	ARGS, 1,	"" },
+	{ "MIC",  MIC,	STR1, 1,	"<sp> integrity command" },
+	{ "CONF", CONF,	STR1, 1,	"<sp> confidentiality command" },
+	{ "ENC",  ENC,	STR1, 1,	"<sp> privacy command" },
+
+	/* RFC2389 */
+	{ "FEAT", FEAT, ARGS, 1,	"" },
+	{ "OPTS", OPTS, ARGS, 1,	"<sp> command [<sp> options]" },
+
+	{ NULL,   0,    0,    0,	0 }
+};
+
+struct tab sitetab[] = {
+	{ "UMASK", UMASK, ARGS, 1,	"[ <sp> umask ]" },
+	{ "IDLE", IDLE, ARGS, 1,	"[ <sp> maximum-idle-time ]" },
+	{ "CHMOD", CHMOD, NSTR, 1,	"<sp> mode <sp> file-name" },
+	{ "HELP", HELP, OSTR, 1,	"[ <sp> <string> ]" },
+
+	{ "KAUTH", KAUTH, STR1, 1,	"<sp> principal [ <sp> ticket ]" },
+	{ "KLIST", KLIST, ARGS, 1,	"(show ticket file)" },
+	{ "KDESTROY", KDESTROY, ARGS, 1, "(destroy tickets)" },
+	{ "KRBTKFILE", KRBTKFILE, STR1, 1, "<sp> ticket-file" },
+	{ "AFSLOG", AFSLOG, OSTR, 1,	"[<sp> cell]" },
+
+	{ "LOCATE", LOCATE, STR1, 1,	"<sp> globexpr" },
+	{ "FIND", LOCATE, STR1, 1,	"<sp> globexpr" },
+
+	{ "URL",  URL,  ARGS, 1,	"?" },
+	
+	{ NULL,   0,    0,    0,	0 }
+};
+
+static struct tab *
+lookup(struct tab *p, char *cmd)
+{
+
+	for (; p->name != NULL; p++)
+		if (strcmp(cmd, p->name) == 0)
+			return (p);
+	return (0);
+}
+
+/*
+ * ftpd_getline - a hacked up version of fgets to ignore TELNET escape codes.
+ */
+char *
+ftpd_getline(char *s, int n)
+{
+	int c;
+	char *cs;
+
+	cs = s;
+/* tmpline may contain saved command from urgent mode interruption */
+	if(ftp_command){
+	  strlcpy(s, ftp_command, n);
+	  if (debug)
+	    syslog(LOG_DEBUG, "command: %s", s);
+#ifdef XXX
+	  fprintf(stderr, "%s\n", s);
+#endif
+	  return s;
+	}
+	while ((c = getc(stdin)) != EOF) {
+		c &= 0377;
+		if (c == IAC) {
+		    if ((c = getc(stdin)) != EOF) {
+			c &= 0377;
+			switch (c) {
+			case WILL:
+			case WONT:
+				c = getc(stdin);
+				printf("%c%c%c", IAC, DONT, 0377&c);
+				fflush(stdout);
+				continue;
+			case DO:
+			case DONT:
+				c = getc(stdin);
+				printf("%c%c%c", IAC, WONT, 0377&c);
+				fflush(stdout);
+				continue;
+			case IAC:
+				break;
+			default:
+				continue;	/* ignore command */
+			}
+		    }
+		}
+		*cs++ = c;
+		if (--n <= 0 || c == '\n')
+			break;
+	}
+	if (c == EOF && cs == s)
+		return (NULL);
+	*cs++ = '\0';
+	if (debug) {
+		if (!guest && strncasecmp("pass ", s, 5) == 0) {
+			/* Don't syslog passwords */
+			syslog(LOG_DEBUG, "command: %.5s ???", s);
+		} else {
+			char *cp;
+			int len;
+
+			/* Don't syslog trailing CR-LF */
+			len = strlen(s);
+			cp = s + len - 1;
+			while (cp >= s && (*cp == '\n' || *cp == '\r')) {
+				--cp;
+				--len;
+			}
+			syslog(LOG_DEBUG, "command: %.*s", len, s);
+		}
+	}
+#ifdef XXX
+	fprintf(stderr, "%s\n", s);
+#endif
+	return (s);
+}
+
+static RETSIGTYPE
+toolong(int signo)
+{
+
+	reply(421,
+	    "Timeout (%d seconds): closing control connection.",
+	      ftpd_timeout);
+	if (logging)
+		syslog(LOG_INFO, "User %s timed out after %d seconds",
+		    (pw ? pw -> pw_name : "unknown"), ftpd_timeout);
+	dologout(1);
+	SIGRETURN(0);
+}
+
+static int
+yylex(void)
+{
+	static int cpos, state;
+	char *cp, *cp2;
+	struct tab *p;
+	int n;
+	char c;
+
+	for (;;) {
+		switch (state) {
+
+		case CMD:
+			signal(SIGALRM, toolong);
+			alarm((unsigned) ftpd_timeout);
+			if (ftpd_getline(cbuf, sizeof(cbuf)-1) == NULL) {
+				reply(221, "You could at least say goodbye.");
+				dologout(0);
+			}
+			alarm(0);
+#ifdef HAVE_SETPROCTITLE
+			if (strncasecmp(cbuf, "PASS", 4) != NULL)
+				setproctitle("%s: %s", proctitle, cbuf);
+#endif /* HAVE_SETPROCTITLE */
+			if ((cp = strchr(cbuf, '\r'))) {
+				*cp++ = '\n';
+				*cp = '\0';
+			}
+			if ((cp = strpbrk(cbuf, " \n")))
+				cpos = cp - cbuf;
+			if (cpos == 0)
+				cpos = 4;
+			c = cbuf[cpos];
+			cbuf[cpos] = '\0';
+			strupr(cbuf);
+			p = lookup(cmdtab, cbuf);
+			cbuf[cpos] = c;
+			if (p != 0) {
+				if (p->implemented == 0) {
+					nack(p->name);
+					longjmp(errcatch,0);
+					/* NOTREACHED */
+				}
+				state = p->state;
+				yylval.s = p->name;
+				return (p->token);
+			}
+			break;
+
+		case SITECMD:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				return (SP);
+			}
+			cp = &cbuf[cpos];
+			if ((cp2 = strpbrk(cp, " \n")))
+				cpos = cp2 - cbuf;
+			c = cbuf[cpos];
+			cbuf[cpos] = '\0';
+			strupr(cp);
+			p = lookup(sitetab, cp);
+			cbuf[cpos] = c;
+			if (p != 0) {
+				if (p->implemented == 0) {
+					state = CMD;
+					nack(p->name);
+					longjmp(errcatch,0);
+					/* NOTREACHED */
+				}
+				state = p->state;
+				yylval.s = p->name;
+				return (p->token);
+			}
+			state = CMD;
+			break;
+
+		case OSTR:
+			if (cbuf[cpos] == '\n') {
+				state = CMD;
+				return (CRLF);
+			}
+			/* FALLTHROUGH */
+
+		case STR1:
+		case ZSTR1:
+		dostr1:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				if(state == OSTR)
+				    state = STR2;
+				else
+				    state++;
+				return (SP);
+			}
+			break;
+
+		case ZSTR2:
+			if (cbuf[cpos] == '\n') {
+				state = CMD;
+				return (CRLF);
+			}
+			/* FALLTHROUGH */
+
+		case STR2:
+			cp = &cbuf[cpos];
+			n = strlen(cp);
+			cpos += n - 1;
+			/*
+			 * Make sure the string is nonempty and \n terminated.
+			 */
+			if (n > 1 && cbuf[cpos] == '\n') {
+				cbuf[cpos] = '\0';
+				yylval.s = copy(cp);
+				cbuf[cpos] = '\n';
+				state = ARGS;
+				return (STRING);
+			}
+			break;
+
+		case NSTR:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				return (SP);
+			}
+			if (isdigit(cbuf[cpos])) {
+				cp = &cbuf[cpos];
+				while (isdigit(cbuf[++cpos]))
+					;
+				c = cbuf[cpos];
+				cbuf[cpos] = '\0';
+				yylval.i = atoi(cp);
+				cbuf[cpos] = c;
+				state = STR1;
+				return (NUMBER);
+			}
+			state = STR1;
+			goto dostr1;
+
+		case ARGS:
+			if (isdigit(cbuf[cpos])) {
+				cp = &cbuf[cpos];
+				while (isdigit(cbuf[++cpos]))
+					;
+				c = cbuf[cpos];
+				cbuf[cpos] = '\0';
+				yylval.i = atoi(cp);
+				cbuf[cpos] = c;
+				return (NUMBER);
+			}
+			switch (cbuf[cpos++]) {
+
+			case '\n':
+				state = CMD;
+				return (CRLF);
+
+			case ' ':
+				return (SP);
+
+			case ',':
+				return (COMMA);
+
+			case 'A':
+			case 'a':
+				return (A);
+
+			case 'B':
+			case 'b':
+				return (B);
+
+			case 'C':
+			case 'c':
+				return (C);
+
+			case 'E':
+			case 'e':
+				return (E);
+
+			case 'F':
+			case 'f':
+				return (F);
+
+			case 'I':
+			case 'i':
+				return (I);
+
+			case 'L':
+			case 'l':
+				return (L);
+
+			case 'N':
+			case 'n':
+				return (N);
+
+			case 'P':
+			case 'p':
+				return (P);
+
+			case 'R':
+			case 'r':
+				return (R);
+
+			case 'S':
+			case 's':
+				return (S);
+
+			case 'T':
+			case 't':
+				return (T);
+
+			}
+			break;
+
+		default:
+			fatal("Unknown state in scanner.");
+		}
+		yyerror((char *) 0);
+		state = CMD;
+		longjmp(errcatch,0);
+	}
+}
+
+static char *
+copy(char *s)
+{
+	char *p;
+
+	p = strdup(s);
+	if (p == NULL)
+		fatal("Ran out of memory.");
+	return p;
+}
+
+static void
+help(struct tab *ctab, char *s)
+{
+	struct tab *c;
+	int width, NCMDS;
+	char *type;
+	char buf[1024];
+
+	if (ctab == sitetab)
+		type = "SITE ";
+	else
+		type = "";
+	width = 0, NCMDS = 0;
+	for (c = ctab; c->name != NULL; c++) {
+		int len = strlen(c->name);
+
+		if (len > width)
+			width = len;
+		NCMDS++;
+	}
+	width = (width + 8) &~ 7;
+	if (s == 0) {
+		int i, j, w;
+		int columns, lines;
+
+		lreply(214, "The following %scommands are recognized %s.",
+		    type, "(* =>'s unimplemented)");
+		columns = 76 / width;
+		if (columns == 0)
+			columns = 1;
+		lines = (NCMDS + columns - 1) / columns;
+		for (i = 0; i < lines; i++) {
+		    strlcpy (buf, "   ", sizeof(buf));
+		    for (j = 0; j < columns; j++) {
+			c = ctab + j * lines + i;
+			snprintf (buf + strlen(buf),
+				  sizeof(buf) - strlen(buf),
+				  "%s%c",
+				  c->name,
+				  c->implemented ? ' ' : '*');
+			if (c + lines >= &ctab[NCMDS])
+			    break;
+			w = strlen(c->name) + 1;
+			while (w < width) {
+			    strlcat (buf,
+					     " ",
+					     sizeof(buf));
+			    w++;
+			}
+		    }
+		    lreply(214, "%s", buf);
+		}
+		reply(214, "Direct comments to kth-krb-bugs@pdc.kth.se");
+		return;
+	}
+	strupr(s);
+	c = lookup(ctab, s);
+	if (c == (struct tab *)0) {
+		reply(502, "Unknown command %s.", s);
+		return;
+	}
+	if (c->implemented)
+		reply(214, "Syntax: %s%s %s", type, c->name, c->help);
+	else
+		reply(214, "%s%-*s\t%s; unimplemented.", type, width,
+		    c->name, c->help);
+}
+
+static void
+sizecmd(char *filename)
+{
+	switch (type) {
+	case TYPE_L:
+	case TYPE_I: {
+		struct stat stbuf;
+		if (stat(filename, &stbuf) < 0 || !S_ISREG(stbuf.st_mode))
+			reply(550, "%s: not a plain file.", filename);
+		else
+			reply(213, "%lu", (unsigned long)stbuf.st_size);
+		break;
+	}
+	case TYPE_A: {
+		FILE *fin;
+		int c;
+		size_t count;
+		struct stat stbuf;
+		fin = fopen(filename, "r");
+		if (fin == NULL) {
+			perror_reply(550, filename);
+			return;
+		}
+		if (fstat(fileno(fin), &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
+			reply(550, "%s: not a plain file.", filename);
+			fclose(fin);
+			return;
+		}
+
+		count = 0;
+		while((c=getc(fin)) != EOF) {
+			if (c == '\n')	/* will get expanded to \r\n */
+				count++;
+			count++;
+		}
+		fclose(fin);
+
+		reply(213, "%lu", (unsigned long)count);
+		break;
+	}
+	default:
+		reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]);
+	}
+}
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.8 b/crypto/heimdal/appl/ftp/ftpd/ftpd.8
new file mode 100644
index 0000000..32d5002
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.8
@@ -0,0 +1,484 @@
+.\"	$NetBSD: ftpd.8,v 1.7 1995/04/11 02:44:53 cgd Exp $
+.\"
+.\" Copyright (c) 1985, 1988, 1991, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     @(#)ftpd.8	8.2 (Berkeley) 4/19/94
+.\"
+.Dd April 19, 1997
+.Dt FTPD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm ftpd
+.Nd Internet File Transfer Protocol server
+.Sh SYNOPSIS
+.Nm
+.Op Fl a Ar authmode
+.Op Fl dilv
+.Op Fl g Ar umask
+.Op Fl p Ar port 
+.Op Fl T Ar maxtimeout
+.Op Fl t Ar timeout
+.Op Fl u Ar default umask
+.Op Fl B | Fl -builtin-ls
+.Op Fl -good-chars= Ns Ar string
+.Sh DESCRIPTION
+.Nm Ftpd
+is the
+Internet File Transfer Protocol
+server process.  The server uses the
+.Tn TCP
+protocol
+and listens at the port specified in the
+.Dq ftp
+service specification; see
+.Xr services 5 .
+.Pp
+Available options:
+.Bl -tag -width Ds
+.It Fl a
+Select the level of authentication required.  Kerberised login can not
+be turned off. The default is to only allow kerberised login.  Other
+possibilities can be turned on by giving a string of comma separated
+flags as argument to
+.Fl a .
+Recognised flags are:
+.Bl -tag -width plain
+.It Ar plain
+Allow logging in with plaintext password. The password can be a(n) OTP
+or an ordinary password.
+.It Ar otp
+Same as
+.Ar plain ,
+but only OTP is allowed.
+.It Ar ftp
+Allow anonymous login.
+.El
+.Pp
+The following combination modes exists for backwards compatibility:
+.Bl -tag -width plain
+.It Ar none
+Same as
+.Ar plain,ftp .
+.It Ar safe
+Same as 
+.Ar ftp .
+.It Ar user
+Ignored.
+.El
+.It Fl d
+Debugging information is written to the syslog using LOG_FTP.
+.It Fl g
+Anonymous users will get a umask of
+.Ar umask .
+.It Fl i
+Open a socket and wait for a connection. This is mainly used for
+debugging when ftpd isn't started by inetd.
+.It Fl l
+Each successful and failed 
+.Xr ftp 1
+session is logged using syslog with a facility of LOG_FTP.
+If this option is specified twice, the retrieve (get), store (put), append,
+delete, make directory, remove directory and rename operations and
+their filename arguments are also logged.
+.It Fl p
+Use
+.Ar port
+(a service name or number) instead of the default 
+.Ar ftp/tcp .
+.It Fl T
+A client may also request a different timeout period;
+the maximum period allowed may be set to
+.Ar timeout
+seconds with the
+.Fl T
+option.
+The default limit is 2 hours.
+.It Fl t
+The inactivity timeout period is set to
+.Ar timeout
+seconds (the default is 15 minutes).
+.It Fl u
+Set the initial umask to something else than the default 027.
+.It Fl v
+Verbose mode.
+.It Xo
+.Fl B Ns ,
+.Fl -builtin-ls
+.Xc
+use built-in ls to list files
+.It Xo
+.Fl -good-chars= Ns Ar string
+.Xc
+allowed anonymous upload filename chars
+.El
+.Pp
+The file
+.Pa /etc/nologin
+can be used to disable ftp access.
+If the file exists,
+.Nm
+displays it and exits.
+If the file
+.Pa /etc/ftpwelcome
+exists,
+.Nm
+prints it before issuing the 
+.Dq ready
+message.
+If the file
+.Pa /etc/motd
+exists,
+.Nm
+prints it after a successful login.
+.Pp
+The ftp server currently supports the following ftp requests.
+The case of the requests is ignored.
+.Bl -column "Request" -offset indent
+.It Request Ta "Description"
+.It ABOR Ta "abort previous command"
+.It ACCT Ta "specify account (ignored)"
+.It ALLO Ta "allocate storage (vacuously)"
+.It APPE Ta "append to a file"
+.It CDUP Ta "change to parent of current working directory"
+.It CWD Ta "change working directory"
+.It DELE Ta "delete a file"
+.It HELP Ta "give help information"
+.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA"
+.It MKD Ta "make a directory"
+.It MDTM Ta "show last modification time of file"
+.It MODE Ta "specify data transfer" Em mode
+.It NLST Ta "give name list of files in directory"
+.It NOOP Ta "do nothing"
+.It PASS Ta "specify password"
+.It PASV Ta "prepare for server-to-server transfer"
+.It PORT Ta "specify data connection port"
+.It PWD Ta "print the current working directory"
+.It QUIT Ta "terminate session"
+.It REST Ta "restart incomplete transfer"
+.It RETR Ta "retrieve a file"
+.It RMD Ta "remove a directory"
+.It RNFR Ta "specify rename-from file name"
+.It RNTO Ta "specify rename-to file name"
+.It SITE Ta "non-standard commands (see next section)"
+.It SIZE Ta "return size of file"
+.It STAT Ta "return status of server"
+.It STOR Ta "store a file"
+.It STOU Ta "store a file with a unique name"
+.It STRU Ta "specify data transfer" Em structure
+.It SYST Ta "show operating system type of server system"
+.It TYPE Ta "specify data transfer" Em type
+.It USER Ta "specify user name"
+.It XCUP Ta "change to parent of current working directory (deprecated)"
+.It XCWD Ta "change working directory (deprecated)"
+.It XMKD Ta "make a directory (deprecated)"
+.It XPWD Ta "print the current working directory (deprecated)"
+.It XRMD Ta "remove a directory (deprecated)"
+.El
+.Pp
+The following commands are specified by RFC2228.
+.Bl -column Request -offset indent
+.It AUTH Ta "authentication/security mechanism"
+.It ADAT Ta "authentication/security data"
+.It PROT Ta "data channel protection level"
+.It PBSZ Ta "protection buffer size"
+.It MIC Ta "integrity protected command"
+.It CONF Ta "confidentiality protected command"
+.It ENC Ta "privacy protected command"
+.It CCC Ta "clear command channel"
+.El
+.Pp
+The following non-standard or
+.Tn UNIX
+specific commands are supported
+by the
+SITE request.
+.Pp
+.Bl -column Request -offset indent
+.It UMASK Ta change umask, (e.g. 
+.Ic "SITE UMASK 002" )
+.It IDLE Ta set idle-timer, (e.g. 
+.Ic "SITE IDLE 60" )
+.It CHMOD Ta change mode of a file (e.g. 
+.Ic "SITE CHMOD 755 filename" )
+.It FIND Ta quickly find a specific file with GNU 
+.Xr locate 1 .
+.It HELP Ta give help information.
+.El
+.Pp
+The following Kerberos related site commands are understood.
+.Bl -column Request -offset indent
+.It KAUTH Ta obtain remote tickets.
+.It KLIST Ta show remote tickets
+.El
+.Pp
+The remaining ftp requests specified in Internet RFC 959
+are
+recognized, but not implemented.
+MDTM and SIZE are not specified in RFC 959, but will appear in the
+next updated FTP RFC.
+.Pp
+The ftp server will abort an active file transfer only when the
+ABOR
+command is preceded by a Telnet "Interrupt Process" (IP)
+signal and a Telnet "Synch" signal in the command Telnet stream,
+as described in Internet RFC 959.
+If a
+STAT
+command is received during a data transfer, preceded by a Telnet IP
+and Synch, transfer status will be returned.
+.Pp
+.Nm Ftpd
+interprets file names according to the
+.Dq globbing
+conventions used by
+.Xr csh 1 .
+This allows users to utilize the metacharacters
+.Dq Li \&*?[]{}~ .
+.Pp
+.Nm Ftpd
+authenticates users according to these rules. 
+.Pp
+.Bl -enum -offset indent
+.It
+If Kerberos authentication is used, the user must pass valid tickets
+and the principal must be allowed to login as the remote user.
+.It
+The login name must be in the password data base, and not have a null
+password (if kerberos is used the password field is not checked).  In
+this case a password must be provided by the client before any file
+operations may be performed.  If the user has an OTP key, the response
+from a successful USER command will include an OTP challenge. The
+client may choose to respond with a PASS command giving either a
+standard password or an OTP one-time password. The server will
+automatically determine which type of password it has been given and
+attempt to authenticate accordingly. See
+.Xr otp 1
+for more information on OTP authentication.
+.It
+The login name must not appear in the file
+.Pa /etc/ftpusers .
+.It
+The user must have a standard shell returned by 
+.Xr getusershell 3 .
+.It
+If the user name appears in the file
+.Pa /etc/ftpchroot
+the session's root will be changed to the user's login directory by
+.Xr chroot 2
+as for an
+.Dq anonymous
+or
+.Dq ftp
+account (see next item).  However, the user must still supply a password.
+This feature is intended as a compromise between a fully anonymous account 
+and a fully privileged account.  The account should also be set up as for an
+anonymous account.
+.It
+If the user name is
+.Dq anonymous
+or
+.Dq ftp ,
+an
+anonymous ftp account must be present in the password
+file (user
+.Dq ftp ) .
+In this case the user is allowed
+to log in by specifying any password (by convention an email address for
+the user should be used as the password).
+.El
+.Pp
+In the last case, 
+.Nm ftpd
+takes special measures to restrict the client's access privileges.
+The server performs a 
+.Xr chroot 2
+to the home directory of the
+.Dq ftp
+user.
+In order that system security is not breached, it is recommended
+that the
+.Dq ftp
+subtree be constructed with care, consider following these guidelines
+for anonymous ftp.
+.Pp
+In general all files should be owned by
+.Dq root ,
+and have non-write permissions (644 or 755 depending on the kind of
+file). No files should be owned or writable by
+.Dq ftp
+(possibly with exception for the
+.Pa ~ftp/incoming ,
+as specified below).
+.Bl -tag -width "~ftp/pub" -offset indent
+.It Pa ~ftp
+The 
+.Dq ftp
+homedirectory should be owned by root.
+.It Pa ~ftp/bin
+The directory for external programs (such as 
+.Xr ls 1 ) .
+These programs must either be statically linked, or you must setup an
+environment for dynamic linking when running chrooted.  
+These programs will be used if present:
+.Bl -tag -width "locate" -offset indent
+.It ls
+Used when listing files.
+.It compress
+When retrieving a filename that ends in
+.Pa .Z ,
+and that file isn't present,
+.Nm
+will try to find the filename without
+.Pa .Z
+and compress it on the fly.
+.It gzip
+Same as compress, just with files ending in
+.Pa .gz .
+.It gtar
+Enables retrieval of whole directories as files ending in
+.Pa .tar .
+Can also be combined with compression. You must use GNU Tar (or some
+other that supports the
+.Fl z 
+and
+.Fl Z
+flags).
+.It locate
+Will enable ``fast find'' with the 
+.Ic SITE FIND
+command. You must also create a 
+.Pa locatedb
+file in 
+.Pa ~ftp/etc .
+.El
+.It Pa ~ftp/etc
+If you put copies of the
+.Xr passwd 5
+and 
+.Xr group 5
+files here, ls will be able to produce owner names rather than
+numbers. Remember to remove any passwords from these files.  
+.Pp
+The file
+.Pa motd ,
+if present, will be printed after a successful login.
+.It Pa ~ftp/dev 
+Put a copy of
+.Xr /dev/null 7
+here.
+.It Pa ~ftp/pub
+Traditional place to put whatever you want to make public.
+.El
+.Pp
+If you want guests to be able to upload files, create a
+.Pa ~ftp/incoming
+directory owned by 
+.Dq root ,
+and group
+.Dq ftp
+with mode 730 (make sure 
+.Dq ftp 
+is member of group
+.Dq ftp ) .
+The following restrictions apply to anonymous users:
+.Bl -bullet
+.It
+Directories created will have mode 700.
+.It
+Uploaded files will be created with an umask of 777, if not changed
+with the
+.Fl g
+option.
+.It
+These command are not accessible: 
+.Ic DELE , RMD , RNTO , RNFR , 
+.Ic SITE UMASK ,
+and
+.Ic SITE CHMOD .
+.It
+Filenames must start with an alpha-numeric character, and consist of
+alpha-numeric characters or any of the following: 
+.Li \&+  
+(plus),
+.Li \&-  
+(minus),
+.Li \&=  
+(equal),
+.Li \&_  
+(underscore),
+.Li \&.  
+(period), and
+.Li \&,  
+(comma).
+.El
+.Sh FILES
+.Bl -tag -width /etc/ftpwelcome -compact
+.It Pa /etc/ftpusers
+Access list for users.
+.It Pa /etc/ftpchroot
+List of normal users who should be chroot'd.
+.It Pa /etc/ftpwelcome
+Welcome notice.
+.It Pa /etc/motd
+Welcome notice after login.
+.It Pa /etc/nologin
+Displayed and access refused.
+.It Pa ~/.klogin
+Login access for Kerberos.
+.El
+.Sh SEE ALSO
+.Xr ftp 1 ,
+.Xr otp 1 ,
+.Xr getusershell 3 ,
+.Xr ftpusers 5 ,
+.Xr syslogd 8 ,
+.Sh STANDARDS
+.Bl -tag -compact -width "RFC 1938"
+.It Cm RFC 959
+FTP PROTOCOL SPECIFICATION
+.It Cm RFC 1938
+OTP Specification
+.It Cm RFC 2228
+FTP Security Extensions.
+.El
+.Sh BUGS
+The server must run as the super-user
+to create sockets with privileged port numbers.  It maintains
+an effective user id of the logged in user, reverting to
+the super-user only when binding addresses to sockets.  The
+possible security holes have been extensively
+scrutinized, but are possibly incomplete.
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.2 .
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.c b/crypto/heimdal/appl/ftp/ftpd/ftpd.c
new file mode 100644
index 0000000..faf07ff
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.c
@@ -0,0 +1,2312 @@
+/*
+ * Copyright (c) 1985, 1988, 1990, 1992, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define	FTP_NAMES
+#include "ftpd_locl.h"
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#include "getarg.h"
+
+RCSID("$Id: ftpd.c,v 1.157 2001/04/19 14:41:29 joda Exp $");
+
+static char version[] = "Version 6.00";
+
+extern	off_t restart_point;
+extern	char cbuf[];
+
+struct  sockaddr_storage ctrl_addr_ss;
+struct  sockaddr *ctrl_addr = (struct sockaddr *)&ctrl_addr_ss;
+
+struct  sockaddr_storage data_source_ss;
+struct  sockaddr *data_source = (struct sockaddr *)&data_source_ss;
+
+struct  sockaddr_storage data_dest_ss;
+struct  sockaddr *data_dest = (struct sockaddr *)&data_dest_ss;
+
+struct  sockaddr_storage his_addr_ss;
+struct  sockaddr *his_addr = (struct sockaddr *)&his_addr_ss;
+
+struct  sockaddr_storage pasv_addr_ss;
+struct  sockaddr *pasv_addr = (struct sockaddr *)&pasv_addr_ss;
+
+int	data;
+jmp_buf	errcatch, urgcatch;
+int	oobflag;
+int	logged_in;
+struct	passwd *pw;
+int	debug = 0;
+int	ftpd_timeout = 900;    /* timeout after 15 minutes of inactivity */
+int	maxtimeout = 7200;/* don't allow idle time to be set beyond 2 hours */
+int	logging;
+int	guest;
+int	dochroot;
+int	type;
+int	form;
+int	stru;			/* avoid C keyword */
+int	mode;
+int	usedefault = 1;		/* for data transfers */
+int	pdata = -1;		/* for passive mode */
+int	transflag;
+off_t	file_size;
+off_t	byte_count;
+#if !defined(CMASK) || CMASK == 0
+#undef CMASK
+#define CMASK 027
+#endif
+int	defumask = CMASK;		/* default umask value */
+int	guest_umask = 0777;	/* Paranoia for anonymous users */
+char	tmpline[10240];
+char	hostname[MaxHostNameLen];
+char	remotehost[MaxHostNameLen];
+static char ttyline[20];
+
+#define AUTH_PLAIN	(1 << 0) /* allow sending passwords */
+#define AUTH_OTP	(1 << 1) /* passwords are one-time */
+#define AUTH_FTP	(1 << 2) /* allow anonymous login */
+
+static int auth_level = 0; /* Only allow kerberos login by default */
+
+/*
+ * Timeout intervals for retrying connections
+ * to hosts that don't accept PORT cmds.  This
+ * is a kludge, but given the problems with TCP...
+ */
+#define	SWAITMAX	90	/* wait at most 90 seconds */
+#define	SWAITINT	5	/* interval between retries */
+
+int	swaitmax = SWAITMAX;
+int	swaitint = SWAITINT;
+
+#ifdef HAVE_SETPROCTITLE
+char	proctitle[BUFSIZ];	/* initial part of title */
+#endif /* HAVE_SETPROCTITLE */
+
+#define LOGCMD(cmd, file) \
+	if (logging > 1) \
+	    syslog(LOG_INFO,"%s %s%s", cmd, \
+		*(file) == '/' ? "" : curdir(), file);
+#define LOGCMD2(cmd, file1, file2) \
+	 if (logging > 1) \
+	    syslog(LOG_INFO,"%s %s%s %s%s", cmd, \
+		*(file1) == '/' ? "" : curdir(), file1, \
+		*(file2) == '/' ? "" : curdir(), file2);
+#define LOGBYTES(cmd, file, cnt) \
+	if (logging > 1) { \
+		if (cnt == (off_t)-1) \
+		    syslog(LOG_INFO,"%s %s%s", cmd, \
+			*(file) == '/' ? "" : curdir(), file); \
+		else \
+		    syslog(LOG_INFO, "%s %s%s = %ld bytes", \
+			cmd, (*(file) == '/') ? "" : curdir(), file, (long)cnt); \
+	}
+
+static void	 ack (char *);
+static void	 myoob (int);
+static int	 checkuser (char *, char *);
+static int	 checkaccess (char *);
+static FILE	*dataconn (const char *, off_t, const char *);
+static void	 dolog (struct sockaddr *sa, int len);
+static void	 end_login (void);
+static FILE	*getdatasock (const char *);
+static char	*gunique (char *);
+static RETSIGTYPE	 lostconn (int);
+static int	 receive_data (FILE *, FILE *);
+static void	 send_data (FILE *, FILE *);
+static struct passwd * sgetpwnam (char *);
+
+static char *
+curdir(void)
+{
+	static char path[MaxPathLen+1];	/* path + '/' + '\0' */
+
+	if (getcwd(path, sizeof(path)-1) == NULL)
+		return ("");
+	if (path[1] != '\0')		/* special case for root dir. */
+		strlcat(path, "/", sizeof(path));
+	/* For guest account, skip / since it's chrooted */
+	return (guest ? path+1 : path);
+}
+
+#ifndef LINE_MAX
+#define LINE_MAX 1024
+#endif
+
+static int
+parse_auth_level(char *str)
+{
+    char *p;
+    int ret = 0;
+    char *foo = NULL;
+
+    for(p = strtok_r(str, ",", &foo);
+	p;
+	p = strtok_r(NULL, ",", &foo)) {
+	if(strcmp(p, "user") == 0)
+	    ;
+#ifdef OTP
+	else if(strcmp(p, "otp") == 0)
+	    ret |= AUTH_PLAIN|AUTH_OTP;
+#endif
+	else if(strcmp(p, "ftp") == 0 ||
+		strcmp(p, "safe") == 0)
+	    ret |= AUTH_FTP;
+	else if(strcmp(p, "plain") == 0)
+	    ret |= AUTH_PLAIN;
+	else if(strcmp(p, "none") == 0)
+	    ret |= AUTH_PLAIN|AUTH_FTP;
+	else
+	    warnx("bad value for -a: `%s'", p);
+    }
+    return ret;	    
+}
+
+/*
+ * Print usage and die.
+ */
+
+static int interactive_flag;
+static char *guest_umask_string;
+static char *port_string;
+static char *umask_string;
+static char *auth_string;
+
+int use_builtin_ls = -1;
+
+static int help_flag;
+static int version_flag;
+
+static const char *good_chars = "+-=_,.";
+
+struct getargs args[] = {
+    { NULL, 'a', arg_string, &auth_string, "required authentication" },
+    { NULL, 'i', arg_flag, &interactive_flag, "don't assume stdin is a socket" },
+    { NULL, 'p', arg_string, &port_string, "what port to listen to" },
+    { NULL, 'g', arg_string, &guest_umask_string, "umask for guest logins" },
+    { NULL, 'l', arg_counter, &logging, "log more stuff", "" },
+    { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout" },
+    { NULL, 'T', arg_integer, &maxtimeout, "max timeout" },
+    { NULL, 'u', arg_string, &umask_string, "umask for user logins" },
+    { NULL, 'd', arg_flag, &debug, "enable debugging" },
+    { NULL, 'v', arg_flag, &debug, "enable debugging" },
+    { "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files" },
+    { "good-chars", 0, arg_string, &good_chars, "allowed anonymous upload filename chars" },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 'h', arg_flag, &help_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage (int code)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit (code);
+}
+
+/* output contents of a file */
+static int
+show_file(const char *file, int code)
+{
+    FILE *f;
+    char buf[128];
+
+    f = fopen(file, "r");
+    if(f == NULL)
+	return -1;
+    while(fgets(buf, sizeof(buf), f)){
+	buf[strcspn(buf, "\r\n")] = '\0';
+	lreply(code, "%s", buf);
+    }
+    fclose(f);
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    socklen_t his_addr_len, ctrl_addr_len;
+    int on = 1;
+    int port;
+    struct servent *sp;
+
+    int optind = 0;
+
+    setprogname (argv[0]);
+
+    /* detach from any tickets and tokens */
+    {
+#ifdef KRB4
+	char tkfile[1024];
+	snprintf(tkfile, sizeof(tkfile),
+		 "/tmp/ftp_%u", (unsigned)getpid());
+	krb_set_tkt_string(tkfile);
+#endif
+#if defined(KRB4) && defined(KRB5)
+	if(k_hasafs())
+	    k_setpag();
+#endif
+    }
+
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+
+    if(help_flag)
+	usage(0);
+	
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(auth_string)
+	auth_level = parse_auth_level(auth_string);
+    {
+	char *p;
+	long val = 0;
+	    
+	if(guest_umask_string) {
+	    val = strtol(guest_umask_string, &p, 8);
+	    if (*p != '\0' || val < 0)
+		warnx("bad value for -g");
+	    else
+		guest_umask = val;
+	}
+	if(umask_string) {
+	    val = strtol(umask_string, &p, 8);
+	    if (*p != '\0' || val < 0)
+		warnx("bad value for -u");
+	    else
+		defumask = val;
+	}
+    }
+    if(port_string) {
+	sp = getservbyname(port_string, "tcp");
+	if(sp)
+	    port = sp->s_port;
+	else
+	    if(isdigit(port_string[0]))
+		port = htons(atoi(port_string));
+	    else
+		warnx("bad value for -p");
+    } else {
+	sp = getservbyname("ftp", "tcp");
+	if(sp)
+	    port = sp->s_port;
+	else
+	    port = htons(21);
+    }
+		    
+    if (maxtimeout < ftpd_timeout)
+	maxtimeout = ftpd_timeout;
+
+#if 0
+    if (ftpd_timeout > maxtimeout)
+	ftpd_timeout = maxtimeout;
+#endif
+
+    if(interactive_flag)
+	mini_inetd (port);
+
+    /*
+     * LOG_NDELAY sets up the logging connection immediately,
+     * necessary for anonymous ftp's that chroot and can't do it later.
+     */
+    openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
+    his_addr_len = sizeof(his_addr_ss);
+    if (getpeername(STDIN_FILENO, his_addr, &his_addr_len) < 0) {
+	syslog(LOG_ERR, "getpeername (%s): %m",argv[0]);
+	exit(1);
+    }
+    ctrl_addr_len = sizeof(ctrl_addr_ss);
+    if (getsockname(STDIN_FILENO, ctrl_addr, &ctrl_addr_len) < 0) {
+	syslog(LOG_ERR, "getsockname (%s): %m",argv[0]);
+	exit(1);
+    }
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+    {
+	int tos = IPTOS_LOWDELAY;
+
+	if (setsockopt(STDIN_FILENO, IPPROTO_IP, IP_TOS,
+		       (void *)&tos, sizeof(int)) < 0)
+	    syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+    }
+#endif
+    data_source->sa_family = ctrl_addr->sa_family;
+    socket_set_port (data_source,
+		     htons(ntohs(socket_get_port(ctrl_addr)) - 1));
+
+    /* set this here so it can be put in wtmp */
+    snprintf(ttyline, sizeof(ttyline), "ftp%u", (unsigned)getpid());
+
+
+    /*	freopen(_PATH_DEVNULL, "w", stderr); */
+    signal(SIGPIPE, lostconn);
+    signal(SIGCHLD, SIG_IGN);
+#ifdef SIGURG
+    if (signal(SIGURG, myoob) == SIG_ERR)
+	syslog(LOG_ERR, "signal: %m");
+#endif
+
+    /* Try to handle urgent data inline */
+#if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT)
+    if (setsockopt(0, SOL_SOCKET, SO_OOBINLINE, (void *)&on,
+		   sizeof(on)) < 0)
+	syslog(LOG_ERR, "setsockopt: %m");
+#endif
+
+#ifdef	F_SETOWN
+    if (fcntl(fileno(stdin), F_SETOWN, getpid()) == -1)
+	syslog(LOG_ERR, "fcntl F_SETOWN: %m");
+#endif
+    dolog(his_addr, his_addr_len);
+    /*
+     * Set up default state
+     */
+    data = -1;
+    type = TYPE_A;
+    form = FORM_N;
+    stru = STRU_F;
+    mode = MODE_S;
+    tmpline[0] = '\0';
+
+    /* If logins are disabled, print out the message. */
+    if(show_file(_PATH_NOLOGIN, 530) == 0) {
+	reply(530, "System not available.");
+	exit(0);
+    }
+    show_file(_PATH_FTPWELCOME, 220);
+    /* reply(220,) must follow */
+    gethostname(hostname, sizeof(hostname));
+	
+    reply(220, "%s FTP server (%s"
+#ifdef KRB5
+	  "+%s"
+#endif
+#ifdef KRB4
+	  "+%s"
+#endif
+	  ") ready.", hostname, version
+#ifdef KRB5
+	  ,heimdal_version
+#endif
+#ifdef KRB4
+	  ,krb4_version
+#endif
+	  );
+
+    setjmp(errcatch);
+    for (;;)
+	yyparse();
+    /* NOTREACHED */
+}
+
+static RETSIGTYPE
+lostconn(int signo)
+{
+
+	if (debug)
+		syslog(LOG_DEBUG, "lost connection");
+	dologout(-1);
+}
+
+/*
+ * Helper function for sgetpwnam().
+ */
+static char *
+sgetsave(char *s)
+{
+	char *new = strdup(s);
+
+	if (new == NULL) {
+		perror_reply(421, "Local resource failure: malloc");
+		dologout(1);
+		/* NOTREACHED */
+	}
+	return new;
+}
+
+/*
+ * Save the result of a getpwnam.  Used for USER command, since
+ * the data returned must not be clobbered by any other command
+ * (e.g., globbing).
+ */
+static struct passwd *
+sgetpwnam(char *name)
+{
+	static struct passwd save;
+	struct passwd *p;
+
+	if ((p = k_getpwnam(name)) == NULL)
+		return (p);
+	if (save.pw_name) {
+		free(save.pw_name);
+		free(save.pw_passwd);
+		free(save.pw_gecos);
+		free(save.pw_dir);
+		free(save.pw_shell);
+	}
+	save = *p;
+	save.pw_name = sgetsave(p->pw_name);
+	save.pw_passwd = sgetsave(p->pw_passwd);
+	save.pw_gecos = sgetsave(p->pw_gecos);
+	save.pw_dir = sgetsave(p->pw_dir);
+	save.pw_shell = sgetsave(p->pw_shell);
+	return (&save);
+}
+
+static int login_attempts;	/* number of failed login attempts */
+static int askpasswd;		/* had user command, ask for passwd */
+static char curname[10];	/* current USER name */
+#ifdef OTP
+OtpContext otp_ctx;
+#endif
+
+/*
+ * USER command.
+ * Sets global passwd pointer pw if named account exists and is acceptable;
+ * sets askpasswd if a PASS command is expected.  If logged in previously,
+ * need to reset state.  If name is "ftp" or "anonymous", the name is not in
+ * _PATH_FTPUSERS, and ftp account exists, set guest and pw, then just return.
+ * If account doesn't exist, ask for passwd anyway.  Otherwise, check user
+ * requesting login privileges.  Disallow anyone who does not have a standard
+ * shell as returned by getusershell().  Disallow anyone mentioned in the file
+ * _PATH_FTPUSERS to allow people such as root and uucp to be avoided.
+ */
+void
+user(char *name)
+{
+	char *cp, *shell;
+
+	if(auth_level == 0 && !sec_complete){
+	    reply(530, "No login allowed without authorization.");
+	    return;
+	}
+
+	if (logged_in) {
+		if (guest) {
+			reply(530, "Can't change user from guest login.");
+			return;
+		} else if (dochroot) {
+			reply(530, "Can't change user from chroot user.");
+			return;
+		}
+		end_login();
+	}
+
+	guest = 0;
+	if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) {
+	    if ((auth_level & AUTH_FTP) == 0 ||
+		checkaccess("ftp") || 
+		checkaccess("anonymous"))
+		reply(530, "User %s access denied.", name);
+	    else if ((pw = sgetpwnam("ftp")) != NULL) {
+		guest = 1;
+		defumask = guest_umask;	/* paranoia for incoming */
+		askpasswd = 1;
+		reply(331, "Guest login ok, type your name as password.");
+	    } else
+		reply(530, "User %s unknown.", name);
+	    if (!askpasswd && logging) {
+		char data_addr[256];
+
+		if (inet_ntop (his_addr->sa_family,
+			       socket_get_address(his_addr),
+			       data_addr, sizeof(data_addr)) == NULL)
+			strlcpy (data_addr, "unknown address",
+					 sizeof(data_addr));
+
+		syslog(LOG_NOTICE,
+		       "ANONYMOUS FTP LOGIN REFUSED FROM %s(%s)",
+		       remotehost, data_addr);
+	    }
+	    return;
+	}
+	if((auth_level & AUTH_PLAIN) == 0 && !sec_complete){
+	    reply(530, "Only authorized and anonymous login allowed.");
+	    return;
+	}
+	if ((pw = sgetpwnam(name))) {
+		if ((shell = pw->pw_shell) == NULL || *shell == 0)
+			shell = _PATH_BSHELL;
+		while ((cp = getusershell()) != NULL)
+			if (strcmp(cp, shell) == 0)
+				break;
+		endusershell();
+
+		if (cp == NULL || checkaccess(name)) {
+			reply(530, "User %s access denied.", name);
+			if (logging) {
+				char data_addr[256];
+
+				if (inet_ntop (his_addr->sa_family,
+					       socket_get_address(his_addr),
+					       data_addr,
+					       sizeof(data_addr)) == NULL)
+					strlcpy (data_addr,
+							 "unknown address",
+							 sizeof(data_addr));
+
+				syslog(LOG_NOTICE,
+				       "FTP LOGIN REFUSED FROM %s(%s), %s",
+				       remotehost,
+				       data_addr,
+				       name);
+			}
+			pw = (struct passwd *) NULL;
+			return;
+		}
+	}
+	if (logging)
+	    strlcpy(curname, name, sizeof(curname));
+	if(sec_complete) {
+	    if(sec_userok(name) == 0)
+		do_login(232, name);
+	    else
+		reply(530, "User %s access denied.", name);
+	} else {
+		char ss[256];
+
+#ifdef OTP
+		if (otp_challenge(&otp_ctx, name, ss, sizeof(ss)) == 0) {
+			reply(331, "Password %s for %s required.",
+			      ss, name);
+			askpasswd = 1;
+		} else
+#endif
+		if ((auth_level & AUTH_OTP) == 0) {
+		    reply(331, "Password required for %s.", name);
+		    askpasswd = 1;
+		} else {
+		    char *s;
+		    
+#ifdef OTP
+		    if ((s = otp_error (&otp_ctx)) != NULL)
+			lreply(530, "OTP: %s", s);
+#endif
+		    reply(530,
+			  "Only authorized, anonymous"
+#ifdef OTP
+			  " and OTP "
+#endif
+			  "login allowed.");
+		}
+
+	}
+	/*
+	 * Delay before reading passwd after first failed
+	 * attempt to slow down passwd-guessing programs.
+	 */
+	if (login_attempts)
+		sleep(login_attempts);
+}
+
+/*
+ * Check if a user is in the file "fname"
+ */
+static int
+checkuser(char *fname, char *name)
+{
+	FILE *fd;
+	int found = 0;
+	char *p, line[BUFSIZ];
+
+	if ((fd = fopen(fname, "r")) != NULL) {
+		while (fgets(line, sizeof(line), fd) != NULL)
+			if ((p = strchr(line, '\n')) != NULL) {
+				*p = '\0';
+				if (line[0] == '#')
+					continue;
+				if (strcmp(line, name) == 0) {
+					found = 1;
+					break;
+				}
+			}
+		fclose(fd);
+	}
+	return (found);
+}
+
+
+/*
+ * Determine whether a user has access, based on information in 
+ * _PATH_FTPUSERS. The users are listed one per line, with `allow'
+ * or `deny' after the username. If anything other than `allow', or
+ * just nothing, is given after the username, `deny' is assumed.
+ *
+ * If the user is not found in the file, but the pseudo-user `*' is,
+ * the permission is taken from that line.
+ *
+ * This preserves the old semantics where if a user was listed in the
+ * file he was denied, otherwise he was allowed.
+ *
+ * Return 1 if the user is denied, or 0 if he is allowed.  */
+
+static int
+match(const char *pattern, const char *string)
+{
+    return fnmatch(pattern, string, FNM_NOESCAPE);
+}
+
+static int
+checkaccess(char *name)
+{
+#define ALLOWED		0
+#define	NOT_ALLOWED	1
+    FILE *fd;
+    int allowed = ALLOWED;
+    char *user, *perm, line[BUFSIZ];
+    char *foo;
+    
+    fd = fopen(_PATH_FTPUSERS, "r");
+    
+    if(fd == NULL)
+	return allowed;
+
+    while (fgets(line, sizeof(line), fd) != NULL)  {
+	foo = NULL;
+	user = strtok_r(line, " \t\n", &foo);
+	if (user == NULL || user[0] == '#')
+	    continue;
+	perm = strtok_r(NULL, " \t\n", &foo);
+	if (match(user, name) == 0){
+	    if(perm && strcmp(perm, "allow") == 0)
+		allowed = ALLOWED;
+	    else
+		allowed = NOT_ALLOWED;
+	    break;
+	}
+    }
+    fclose(fd);
+    return allowed;
+}
+#undef	ALLOWED
+#undef	NOT_ALLOWED
+
+
+int do_login(int code, char *passwd)
+{
+    login_attempts = 0;		/* this time successful */
+    if (setegid((gid_t)pw->pw_gid) < 0) {
+	reply(550, "Can't set gid.");
+	return -1;
+    }
+    initgroups(pw->pw_name, pw->pw_gid);
+
+    /* open wtmp before chroot */
+    ftpd_logwtmp(ttyline, pw->pw_name, remotehost);
+    logged_in = 1;
+
+    dochroot = checkuser(_PATH_FTPCHROOT, pw->pw_name);
+    if (guest) {
+	/*
+	 * We MUST do a chdir() after the chroot. Otherwise
+	 * the old current directory will be accessible as "."
+	 * outside the new root!
+	 */
+	if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) {
+	    reply(550, "Can't set guest privileges.");
+	    return -1;
+	}
+    } else if (dochroot) {
+	if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) {
+	    reply(550, "Can't change root.");
+	    return -1;
+	}
+    } else if (chdir(pw->pw_dir) < 0) {
+	if (chdir("/") < 0) {
+	    reply(530, "User %s: can't change directory to %s.",
+		  pw->pw_name, pw->pw_dir);
+	    return -1;
+	} else
+	    lreply(code, "No directory! Logging in with home=/");
+    }
+    if (seteuid((uid_t)pw->pw_uid) < 0) {
+	reply(550, "Can't set uid.");
+	return -1;
+    }
+
+    if(use_builtin_ls == -1) {
+	struct stat st;
+	/* if /bin/ls exist and is a regular file, use it, otherwise
+           use built-in ls */
+	if(stat("/bin/ls", &st) == 0 &&
+	   S_ISREG(st.st_mode))
+	    use_builtin_ls = 0;
+	else
+	    use_builtin_ls = 1;
+    }
+
+    /*
+     * Display a login message, if it exists.
+     * N.B. reply(code,) must follow the message.
+     */
+    show_file(_PATH_FTPLOGINMESG, code);
+    if(show_file(_PATH_ISSUE_NET, code) != 0)
+	show_file(_PATH_ISSUE, code);
+    if (guest) {
+	reply(code, "Guest login ok, access restrictions apply.");
+#ifdef HAVE_SETPROCTITLE
+	snprintf (proctitle, sizeof(proctitle),
+		  "%s: anonymous/%s",
+		  remotehost,
+		  passwd);
+	setproctitle("%s", proctitle);
+#endif /* HAVE_SETPROCTITLE */
+	if (logging) {
+	    char data_addr[256];
+
+	    if (inet_ntop (his_addr->sa_family,
+			   socket_get_address(his_addr),
+			   data_addr, sizeof(data_addr)) == NULL)
+		strlcpy (data_addr, "unknown address",
+				 sizeof(data_addr));
+
+	    syslog(LOG_INFO, "ANONYMOUS FTP LOGIN FROM %s(%s), %s",
+		   remotehost, 
+		   data_addr,
+		   passwd);
+	}
+    } else {
+	reply(code, "User %s logged in.", pw->pw_name);
+#ifdef HAVE_SETPROCTITLE
+	snprintf(proctitle, sizeof(proctitle), "%s: %s", remotehost, pw->pw_name);
+	setproctitle("%s", proctitle);
+#endif /* HAVE_SETPROCTITLE */
+	if (logging) {
+	    char data_addr[256];
+
+	    if (inet_ntop (his_addr->sa_family,
+			   socket_get_address(his_addr),
+			   data_addr, sizeof(data_addr)) == NULL)
+		strlcpy (data_addr, "unknown address",
+				 sizeof(data_addr));
+
+	    syslog(LOG_INFO, "FTP LOGIN FROM %s(%s) as %s",
+		   remotehost,
+		   data_addr,
+		   pw->pw_name);
+	}
+    }
+    umask(defumask);
+    return 0;
+}
+
+/*
+ * Terminate login as previous user, if any, resetting state;
+ * used when USER command is given or login fails.
+ */
+static void
+end_login(void)
+{
+
+	seteuid((uid_t)0);
+	if (logged_in)
+		ftpd_logwtmp(ttyline, "", "");
+	pw = NULL;
+	logged_in = 0;
+	guest = 0;
+	dochroot = 0;
+}
+
+#ifdef KRB5
+static int
+krb5_verify(struct passwd *pwd, char *passwd)
+{
+   krb5_context context;  
+   krb5_ccache  id;
+   krb5_principal princ;
+   krb5_error_code ret;
+  
+   ret = krb5_init_context(&context);
+   if(ret)
+        return ret;
+
+  ret = krb5_parse_name(context, pwd->pw_name, &princ);
+  if(ret){
+        krb5_free_context(context);
+        return ret;
+  }
+  ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+  if(ret){
+        krb5_free_principal(context, princ);
+        krb5_free_context(context);
+        return ret;
+  }
+  ret = krb5_verify_user(context,
+                         princ,
+                         id,
+                         passwd,
+                         1,
+                         NULL);
+  krb5_free_principal(context, princ);
+#ifdef KRB4
+  if (k_hasafs()) {
+      k_setpag();
+      krb5_afslog_uid_home(context, id,NULL, NULL,pwd->pw_uid, pwd->pw_dir);
+  }
+#endif /* KRB4 */
+  krb5_cc_destroy(context, id);
+  krb5_free_context (context);
+  if(ret) 
+      return ret;
+  return 0;
+}
+#endif /* KRB5 */
+
+void
+pass(char *passwd)
+{
+	int rval;
+
+	/* some clients insists on sending a password */
+	if (logged_in && askpasswd == 0){
+	    reply(230, "Password not necessary");
+	    return;
+	}
+
+	if (logged_in || askpasswd == 0) {
+		reply(503, "Login with USER first.");
+		return;
+	}
+	askpasswd = 0;
+	rval = 1;
+	if (!guest) {		/* "ftp" is only account allowed no password */
+		if (pw == NULL)
+			rval = 1;	/* failure below */
+#ifdef OTP
+		else if (otp_verify_user (&otp_ctx, passwd) == 0) {
+		    rval = 0;
+		}
+#endif
+		else if((auth_level & AUTH_OTP) == 0) {
+#ifdef KRB5
+		    rval = krb5_verify(pw, passwd);
+#endif
+#ifdef KRB4
+		    if (rval) {
+			char realm[REALM_SZ];
+			if((rval = krb_get_lrealm(realm, 1)) == KSUCCESS)
+			    rval = krb_verify_user(pw->pw_name,
+						   "", realm, 
+						   passwd, 
+						   KRB_VERIFY_SECURE, NULL);
+			if (rval == KSUCCESS ) {
+			    chown (tkt_string(), pw->pw_uid, pw->pw_gid);
+			    if(k_hasafs())
+				krb_afslog(0, 0);
+			}
+		    }
+#endif
+		    if (rval)
+			rval = unix_verify_user(pw->pw_name, passwd);
+		} else {
+		    char *s;
+		    
+#ifdef OTP
+		    if ((s = otp_error(&otp_ctx)) != NULL)
+			lreply(530, "OTP: %s", s);
+#endif
+		}
+		memset (passwd, 0, strlen(passwd));
+
+		/*
+		 * If rval == 1, the user failed the authentication
+		 * check above.  If rval == 0, either Kerberos or
+		 * local authentication succeeded.
+		 */
+		if (rval) {
+			char data_addr[256];
+
+			if (inet_ntop (his_addr->sa_family,
+				       socket_get_address(his_addr),
+				       data_addr, sizeof(data_addr)) == NULL)
+				strlcpy (data_addr, "unknown address",
+						 sizeof(data_addr));
+
+			reply(530, "Login incorrect.");
+			if (logging)
+				syslog(LOG_NOTICE,
+				    "FTP LOGIN FAILED FROM %s(%s), %s",
+				       remotehost,
+				       data_addr,
+				       curname);
+			pw = NULL;
+			if (login_attempts++ >= 5) {
+				syslog(LOG_NOTICE,
+				       "repeated login failures from %s(%s)",
+				       remotehost,
+				       data_addr);
+				exit(0);
+			}
+			return;
+		}
+	}
+	if(!do_login(230, passwd))
+	  return;
+	
+	/* Forget all about it... */
+	end_login();
+}
+
+void
+retrieve(const char *cmd, char *name)
+{
+	FILE *fin = NULL, *dout;
+	struct stat st;
+	int (*closefunc) (FILE *);
+	char line[BUFSIZ];
+
+
+	if (cmd == 0) {
+		fin = fopen(name, "r");
+		closefunc = fclose;
+		st.st_size = 0;
+		if(fin == NULL){
+		    int save_errno = errno;
+		    struct cmds {
+			const char *ext;
+			const char *cmd;
+		        const char *rev_cmd;
+		    } cmds[] = {
+			{".tar", "/bin/gtar cPf - %s", NULL},
+			{".tar.gz", "/bin/gtar zcPf - %s", NULL},
+			{".tar.Z", "/bin/gtar ZcPf - %s", NULL},
+			{".gz", "/bin/gzip -c -- %s", "/bin/gzip -c -d -- %s"},
+			{".Z", "/bin/compress -c -- %s", "/bin/uncompress -c -- %s"},
+			{NULL, NULL}
+		    };
+		    struct cmds *p;
+		    for(p = cmds; p->ext; p++){
+			char *tail = name + strlen(name) - strlen(p->ext);
+			char c = *tail;
+			
+			if(strcmp(tail, p->ext) == 0 &&
+			   (*tail  = 0) == 0 &&
+			   access(name, R_OK) == 0){
+			    snprintf (line, sizeof(line), p->cmd, name);
+			    *tail  = c;
+			    break;
+			}
+			*tail = c;
+			if (p->rev_cmd != NULL) {
+			    char *ext;
+
+			    asprintf(&ext, "%s%s", name, p->ext);
+			    if (ext != NULL) { 
+  			        if (access(ext, R_OK) == 0) {
+				    snprintf (line, sizeof(line),
+					      p->rev_cmd, ext);
+				    free(ext);
+				    break;
+				}
+			        free(ext);
+			    }
+			}
+			
+		    }
+		    if(p->ext){
+			fin = ftpd_popen(line, "r", 0, 0);
+			closefunc = ftpd_pclose;
+			st.st_size = -1;
+			cmd = line;
+		    } else
+			errno = save_errno;
+		}
+	} else {
+		snprintf(line, sizeof(line), cmd, name);
+		name = line;
+		fin = ftpd_popen(line, "r", 1, 0);
+		closefunc = ftpd_pclose;
+		st.st_size = -1;
+	}
+	if (fin == NULL) {
+		if (errno != 0) {
+			perror_reply(550, name);
+			if (cmd == 0) {
+				LOGCMD("get", name);
+			}
+		}
+		return;
+	}
+	byte_count = -1;
+	if (cmd == 0){
+	    if(fstat(fileno(fin), &st) < 0 || !S_ISREG(st.st_mode)) {
+		reply(550, "%s: not a plain file.", name);
+		goto done;
+	    }
+	}
+	if (restart_point) {
+		if (type == TYPE_A) {
+			off_t i, n;
+			int c;
+
+			n = restart_point;
+			i = 0;
+			while (i++ < n) {
+				if ((c=getc(fin)) == EOF) {
+					perror_reply(550, name);
+					goto done;
+				}
+				if (c == '\n')
+					i++;
+			}
+		} else if (lseek(fileno(fin), restart_point, SEEK_SET) < 0) {
+			perror_reply(550, name);
+			goto done;
+		}
+	}
+	dout = dataconn(name, st.st_size, "w");
+	if (dout == NULL)
+		goto done;
+	set_buffer_size(fileno(dout), 0);
+	send_data(fin, dout);
+	fclose(dout);
+	data = -1;
+	pdata = -1;
+done:
+	if (cmd == 0)
+		LOGBYTES("get", name, byte_count);
+	(*closefunc)(fin);
+}
+
+/* filename sanity check */
+
+int 
+filename_check(char *filename)
+{
+    char *p;
+
+    p = strrchr(filename, '/');
+    if(p)
+	filename = p + 1;
+
+    p = filename;
+
+    if(isalnum(*p)){
+	p++;
+	while(*p && (isalnum(*p) || strchr(good_chars, *p)))
+	    p++;
+	if(*p == '\0')
+	    return 0;
+    }
+    lreply(553, "\"%s\" is not an acceptable filename.", filename);
+    lreply(553, "The filename must start with an alphanumeric "
+	   "character and must only");
+    reply(553, "consist of alphanumeric characters or any of the following: %s", 
+	  good_chars);
+    return 1;
+}
+
+void
+do_store(char *name, char *mode, int unique)
+{
+	FILE *fout, *din;
+	struct stat st;
+	int (*closefunc) (FILE *);
+
+	if(guest && filename_check(name))
+	    return;
+	if (unique && stat(name, &st) == 0 &&
+	    (name = gunique(name)) == NULL) {
+		LOGCMD(*mode == 'w' ? "put" : "append", name);
+		return;
+	}
+
+	if (restart_point)
+		mode = "r+";
+	fout = fopen(name, mode);
+	closefunc = fclose;
+	if (fout == NULL) {
+		perror_reply(553, name);
+		LOGCMD(*mode == 'w' ? "put" : "append", name);
+		return;
+	}
+	byte_count = -1;
+	if (restart_point) {
+		if (type == TYPE_A) {
+			off_t i, n;
+			int c;
+
+			n = restart_point;
+			i = 0;
+			while (i++ < n) {
+				if ((c=getc(fout)) == EOF) {
+					perror_reply(550, name);
+					goto done;
+				}
+				if (c == '\n')
+					i++;
+			}
+			/*
+			 * We must do this seek to "current" position
+			 * because we are changing from reading to
+			 * writing.
+			 */
+			if (fseek(fout, 0L, SEEK_CUR) < 0) {
+				perror_reply(550, name);
+				goto done;
+			}
+		} else if (lseek(fileno(fout), restart_point, SEEK_SET) < 0) {
+			perror_reply(550, name);
+			goto done;
+		}
+	}
+	din = dataconn(name, (off_t)-1, "r");
+	if (din == NULL)
+		goto done;
+	set_buffer_size(fileno(din), 1);
+	if (receive_data(din, fout) == 0) {
+	    if((*closefunc)(fout) < 0)
+		perror_reply(552, name);
+	    else {
+		if (unique)
+			reply(226, "Transfer complete (unique file name:%s).",
+			    name);
+		else
+			reply(226, "Transfer complete.");
+	    }
+	} else
+	    (*closefunc)(fout);
+	fclose(din);
+	data = -1;
+	pdata = -1;
+done:
+	LOGBYTES(*mode == 'w' ? "put" : "append", name, byte_count);
+}
+
+static FILE *
+getdatasock(const char *mode)
+{
+	int s, t, tries;
+
+	if (data >= 0)
+		return (fdopen(data, mode));
+	seteuid(0);
+	s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+	if (s < 0)
+		goto bad;
+	socket_set_reuseaddr (s, 1);
+	/* anchor socket to avoid multi-homing problems */
+	socket_set_address_and_port (data_source,
+				     socket_get_address (ctrl_addr),
+				     socket_get_port (data_source));
+
+	for (tries = 1; ; tries++) {
+		if (bind(s, data_source,
+			 socket_sockaddr_size (data_source)) >= 0)
+			break;
+		if (errno != EADDRINUSE || tries > 10)
+			goto bad;
+		sleep(tries);
+	}
+	seteuid(pw->pw_uid);
+#ifdef IPTOS_THROUGHPUT
+	socket_set_tos (s, IPTOS_THROUGHPUT);
+#endif
+	return (fdopen(s, mode));
+bad:
+	/* Return the real value of errno (close may change it) */
+	t = errno;
+	seteuid((uid_t)pw->pw_uid);
+	close(s);
+	errno = t;
+	return (NULL);
+}
+
+static FILE *
+dataconn(const char *name, off_t size, const char *mode)
+{
+	char sizebuf[32];
+	FILE *file;
+	int retry = 0;
+
+	file_size = size;
+	byte_count = 0;
+	if (size >= 0)
+	    snprintf(sizebuf, sizeof(sizebuf), " (%ld bytes)", (long)size);
+	else
+	    *sizebuf = '\0';
+	if (pdata >= 0) {
+		struct sockaddr_storage from_ss;
+		struct sockaddr *from = (struct sockaddr *)&from_ss;
+		int s;
+		socklen_t fromlen = sizeof(from_ss);
+
+		s = accept(pdata, from, &fromlen);
+		if (s < 0) {
+			reply(425, "Can't open data connection.");
+			close(pdata);
+			pdata = -1;
+			return (NULL);
+		}
+		close(pdata);
+		pdata = s;
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+		{
+		    int tos = IPTOS_THROUGHPUT;
+		    
+		    setsockopt(s, IPPROTO_IP, IP_TOS, (void *)&tos,
+			       sizeof(tos));
+		}
+#endif
+		reply(150, "Opening %s mode data connection for '%s'%s.",
+		     type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);
+		return (fdopen(pdata, mode));
+	}
+	if (data >= 0) {
+		reply(125, "Using existing data connection for '%s'%s.",
+		    name, sizebuf);
+		usedefault = 1;
+		return (fdopen(data, mode));
+	}
+	if (usedefault)
+		data_dest = his_addr;
+	usedefault = 1;
+	file = getdatasock(mode);
+	if (file == NULL) {
+		char data_addr[256];
+
+		if (inet_ntop (data_source->sa_family,
+			       socket_get_address(data_source),
+			       data_addr, sizeof(data_addr)) == NULL)
+			strlcpy (data_addr, "unknown address",
+					 sizeof(data_addr));
+
+		reply(425, "Can't create data socket (%s,%d): %s.",
+		      data_addr,
+		      socket_get_port (data_source),
+		      strerror(errno));
+		return (NULL);
+	}
+	data = fileno(file);
+	while (connect(data, data_dest,
+		       socket_sockaddr_size(data_dest)) < 0) {
+		if (errno == EADDRINUSE && retry < swaitmax) {
+			sleep(swaitint);
+			retry += swaitint;
+			continue;
+		}
+		perror_reply(425, "Can't build data connection");
+		fclose(file);
+		data = -1;
+		return (NULL);
+	}
+	reply(150, "Opening %s mode data connection for '%s'%s.",
+	     type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);
+	return (file);
+}
+
+/*
+ * Tranfer the contents of "instr" to "outstr" peer using the appropriate
+ * encapsulation of the data subject * to Mode, Structure, and Type.
+ *
+ * NB: Form isn't handled.
+ */
+static void
+send_data(FILE *instr, FILE *outstr)
+{
+	int c, cnt, filefd, netfd;
+	static char *buf;
+	static size_t bufsize;
+
+	transflag++;
+	if (setjmp(urgcatch)) {
+		transflag = 0;
+		return;
+	}
+	switch (type) {
+
+	case TYPE_A:
+	    while ((c = getc(instr)) != EOF) {
+		byte_count++;
+		if(c == '\n')
+		    sec_putc('\r', outstr);
+		sec_putc(c, outstr);
+	    }
+	    sec_fflush(outstr);
+	    transflag = 0;
+	    if (ferror(instr))
+		goto file_err;
+	    if (ferror(outstr))
+		goto data_err;
+	    reply(226, "Transfer complete.");
+	    return;
+		
+	case TYPE_I:
+	case TYPE_L:
+#if defined(HAVE_MMAP) && !defined(NO_MMAP)
+#ifndef MAP_FAILED
+#define MAP_FAILED (-1)
+#endif
+	    {
+		struct stat st;
+		char *chunk;
+		int in = fileno(instr);
+		if(fstat(in, &st) == 0 && S_ISREG(st.st_mode) 
+		   && st.st_size > 0) {
+		    /*
+		     * mmap zero bytes has potential of loosing, don't do it.
+		     */
+		    chunk = mmap(0, st.st_size, PROT_READ,
+				 MAP_SHARED, in, 0);
+		    if((void *)chunk != (void *)MAP_FAILED) {
+			cnt = st.st_size - restart_point;
+			sec_write(fileno(outstr), chunk + restart_point, cnt);
+			if (munmap(chunk, st.st_size) < 0)
+			    warn ("munmap");
+			sec_fflush(outstr);
+			byte_count = cnt;
+			transflag = 0;
+		    }
+		}
+	    }
+#endif
+	if(transflag) {
+	    struct stat st;
+
+	    netfd = fileno(outstr);
+	    filefd = fileno(instr);
+	    buf = alloc_buffer (buf, &bufsize,
+				fstat(filefd, &st) >= 0 ? &st : NULL);
+	    if (buf == NULL) {
+		transflag = 0;
+		perror_reply(451, "Local resource failure: malloc");
+		return;
+	    }
+	    while ((cnt = read(filefd, buf, bufsize)) > 0 &&
+		   sec_write(netfd, buf, cnt) == cnt)
+		byte_count += cnt;
+	    sec_fflush(outstr); /* to end an encrypted stream */
+	    transflag = 0;
+	    if (cnt != 0) {
+		if (cnt < 0)
+		    goto file_err;
+		goto data_err;
+	    }
+	}
+	reply(226, "Transfer complete.");
+	return;
+	default:
+	    transflag = 0;
+	    reply(550, "Unimplemented TYPE %d in send_data", type);
+	    return;
+	}
+
+data_err:
+	transflag = 0;
+	perror_reply(426, "Data connection");
+	return;
+
+file_err:
+	transflag = 0;
+	perror_reply(551, "Error on input file");
+}
+
+/*
+ * Transfer data from peer to "outstr" using the appropriate encapulation of
+ * the data subject to Mode, Structure, and Type.
+ *
+ * N.B.: Form isn't handled.
+ */
+static int
+receive_data(FILE *instr, FILE *outstr)
+{
+    int cnt, bare_lfs = 0;
+    static char *buf;
+    static size_t bufsize;
+    struct stat st;
+
+    transflag++;
+    if (setjmp(urgcatch)) {
+	transflag = 0;
+	return (-1);
+    }
+
+    buf = alloc_buffer (buf, &bufsize,
+			fstat(fileno(outstr), &st) >= 0 ? &st : NULL);
+    if (buf == NULL) {
+	transflag = 0;
+	perror_reply(451, "Local resource failure: malloc");
+	return -1;
+    }
+    
+    switch (type) {
+
+    case TYPE_I:
+    case TYPE_L:
+	while ((cnt = sec_read(fileno(instr), buf, bufsize)) > 0) {
+	    if (write(fileno(outstr), buf, cnt) != cnt)
+		goto file_err;
+	    byte_count += cnt;
+	}
+	if (cnt < 0)
+	    goto data_err;
+	transflag = 0;
+	return (0);
+
+    case TYPE_E:
+	reply(553, "TYPE E not implemented.");
+	transflag = 0;
+	return (-1);
+
+    case TYPE_A:
+    {
+	char *p, *q;
+	int cr_flag = 0;
+	while ((cnt = sec_read(fileno(instr),
+				buf + cr_flag, 
+				bufsize - cr_flag)) > 0){
+	    byte_count += cnt;
+	    cnt += cr_flag;
+	    cr_flag = 0;
+	    for(p = buf, q = buf; p < buf + cnt;) {
+		if(*p == '\n')
+		    bare_lfs++;
+		if(*p == '\r') {
+		    if(p == buf + cnt - 1){
+			cr_flag = 1;
+			p++;
+			continue;
+		    }else if(p[1] == '\n'){
+			*q++ = '\n';
+			p += 2;
+			continue;
+		    }
+		}
+		*q++ = *p++;
+	    }
+	    fwrite(buf, q - buf, 1, outstr);
+	    if(cr_flag)
+		buf[0] = '\r';
+	}
+	if(cr_flag)
+	    putc('\r', outstr);
+	fflush(outstr);
+	if (ferror(instr))
+	    goto data_err;
+	if (ferror(outstr))
+	    goto file_err;
+	transflag = 0;
+	if (bare_lfs) {
+	    lreply(226, "WARNING! %d bare linefeeds received in ASCII mode\r\n"
+		   "    File may not have transferred correctly.\r\n",
+		   bare_lfs);
+	}
+	return (0);
+    }
+    default:
+	reply(550, "Unimplemented TYPE %d in receive_data", type);
+	transflag = 0;
+	return (-1);
+    }
+	
+data_err:
+    transflag = 0;
+    perror_reply(426, "Data Connection");
+    return (-1);
+	
+file_err:
+    transflag = 0;
+    perror_reply(452, "Error writing file");
+    return (-1);
+}
+
+void
+statfilecmd(char *filename)
+{
+	FILE *fin;
+	int c;
+	char line[LINE_MAX];
+
+	snprintf(line, sizeof(line), "/bin/ls -la -- %s", filename);
+	fin = ftpd_popen(line, "r", 1, 0);
+	lreply(211, "status of %s:", filename);
+	while ((c = getc(fin)) != EOF) {
+		if (c == '\n') {
+			if (ferror(stdout)){
+				perror_reply(421, "control connection");
+				ftpd_pclose(fin);
+				dologout(1);
+				/* NOTREACHED */
+			}
+			if (ferror(fin)) {
+				perror_reply(551, filename);
+				ftpd_pclose(fin);
+				return;
+			}
+			putc('\r', stdout);
+		}
+		putc(c, stdout);
+	}
+	ftpd_pclose(fin);
+	reply(211, "End of Status");
+}
+
+void
+statcmd(void)
+{
+#if 0
+	struct sockaddr_in *sin;
+	u_char *a, *p;
+
+	lreply(211, "%s FTP server (%s) status:", hostname, version);
+	printf("     %s\r\n", version);
+	printf("     Connected to %s", remotehost);
+	if (!isdigit(remotehost[0]))
+		printf(" (%s)", inet_ntoa(his_addr.sin_addr));
+	printf("\r\n");
+	if (logged_in) {
+		if (guest)
+			printf("     Logged in anonymously\r\n");
+		else
+			printf("     Logged in as %s\r\n", pw->pw_name);
+	} else if (askpasswd)
+		printf("     Waiting for password\r\n");
+	else
+		printf("     Waiting for user name\r\n");
+	printf("     TYPE: %s", typenames[type]);
+	if (type == TYPE_A || type == TYPE_E)
+		printf(", FORM: %s", formnames[form]);
+	if (type == TYPE_L)
+#if NBBY == 8
+		printf(" %d", NBBY);
+#else
+		printf(" %d", bytesize);	/* need definition! */
+#endif
+	printf("; STRUcture: %s; transfer MODE: %s\r\n",
+	    strunames[stru], modenames[mode]);
+	if (data != -1)
+		printf("     Data connection open\r\n");
+	else if (pdata != -1) {
+		printf("     in Passive mode");
+		sin = &pasv_addr;
+		goto printaddr;
+	} else if (usedefault == 0) {
+		printf("     PORT");
+		sin = &data_dest;
+printaddr:
+		a = (u_char *) &sin->sin_addr;
+		p = (u_char *) &sin->sin_port;
+#define UC(b) (((int) b) & 0xff)
+		printf(" (%d,%d,%d,%d,%d,%d)\r\n", UC(a[0]),
+			UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1]));
+#undef UC
+	} else
+		printf("     No data connection\r\n");
+#endif
+	reply(211, "End of status");
+}
+
+void
+fatal(char *s)
+{
+
+	reply(451, "Error in server: %s\n", s);
+	reply(221, "Closing connection due to server error.");
+	dologout(0);
+	/* NOTREACHED */
+}
+
+static void
+int_reply(int, char *, const char *, va_list)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 3, 0)))
+#endif
+;
+
+static void
+int_reply(int n, char *c, const char *fmt, va_list ap)
+{
+    char buf[10240];
+    char *p;
+    p=buf;
+    if(n){
+	snprintf(p, sizeof(buf), "%d%s", n, c);
+	p+=strlen(p);
+    }
+    vsnprintf(p, sizeof(buf) - strlen(p), fmt, ap);
+    p+=strlen(p);
+    snprintf(p, sizeof(buf) - strlen(p), "\r\n");
+    p+=strlen(p);
+    sec_fprintf(stdout, "%s", buf);
+    fflush(stdout);
+    if (debug)
+	syslog(LOG_DEBUG, "<--- %s- ", buf);
+}
+
+void
+reply(int n, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  int_reply(n, " ", fmt, ap);
+  delete_ftp_command();
+  va_end(ap);
+}
+
+void
+lreply(int n, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  int_reply(n, "-", fmt, ap);
+  va_end(ap);
+}
+
+void
+nreply(const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  int_reply(0, NULL, fmt, ap);
+  va_end(ap);
+}
+
+static void
+ack(char *s)
+{
+
+	reply(250, "%s command successful.", s);
+}
+
+void
+nack(char *s)
+{
+
+	reply(502, "%s command not implemented.", s);
+}
+
+/* ARGSUSED */
+void
+yyerror(char *s)
+{
+	char *cp;
+
+	if ((cp = strchr(cbuf,'\n')))
+		*cp = '\0';
+	reply(500, "'%s': command not understood.", cbuf);
+}
+
+void
+do_delete(char *name)
+{
+	struct stat st;
+
+	LOGCMD("delete", name);
+	if (stat(name, &st) < 0) {
+		perror_reply(550, name);
+		return;
+	}
+	if ((st.st_mode&S_IFMT) == S_IFDIR) {
+		if (rmdir(name) < 0) {
+			perror_reply(550, name);
+			return;
+		}
+		goto done;
+	}
+	if (unlink(name) < 0) {
+		perror_reply(550, name);
+		return;
+	}
+done:
+	ack("DELE");
+}
+
+void
+cwd(char *path)
+{
+
+	if (chdir(path) < 0)
+		perror_reply(550, path);
+	else
+		ack("CWD");
+}
+
+void
+makedir(char *name)
+{
+
+	LOGCMD("mkdir", name);
+	if(guest && filename_check(name))
+	    return;
+	if (mkdir(name, 0777) < 0)
+		perror_reply(550, name);
+	else{
+	    if(guest)
+		chmod(name, 0700); /* guest has umask 777 */
+	    reply(257, "MKD command successful.");
+	}
+}
+
+void
+removedir(char *name)
+{
+
+	LOGCMD("rmdir", name);
+	if (rmdir(name) < 0)
+		perror_reply(550, name);
+	else
+		ack("RMD");
+}
+
+void
+pwd(void)
+{
+    char path[MaxPathLen];
+    char *ret;
+
+    /* SunOS has a broken getcwd that does popen(pwd) (!!!), this
+     * failes miserably when running chroot 
+     */
+    ret = getcwd(path, sizeof(path));
+    if (ret == NULL)
+	reply(550, "%s.", strerror(errno));
+    else
+	reply(257, "\"%s\" is current directory.", path);
+}
+
+char *
+renamefrom(char *name)
+{
+	struct stat st;
+
+	if (stat(name, &st) < 0) {
+		perror_reply(550, name);
+		return NULL;
+	}
+	reply(350, "File exists, ready for destination name");
+	return (name);
+}
+
+void
+renamecmd(char *from, char *to)
+{
+
+	LOGCMD2("rename", from, to);
+	if(guest && filename_check(to))
+	    return;
+	if (rename(from, to) < 0)
+		perror_reply(550, "rename");
+	else
+		ack("RNTO");
+}
+
+static void
+dolog(struct sockaddr *sa, int len)
+{
+	getnameinfo_verified (sa, len, remotehost, sizeof(remotehost),
+			      NULL, 0, 0);
+#ifdef HAVE_SETPROCTITLE
+	snprintf(proctitle, sizeof(proctitle), "%s: connected", remotehost);
+	setproctitle("%s", proctitle);
+#endif /* HAVE_SETPROCTITLE */
+
+	if (logging) {
+		char data_addr[256];
+
+		if (inet_ntop (his_addr->sa_family,
+			       socket_get_address(his_addr),
+			       data_addr, sizeof(data_addr)) == NULL)
+			strlcpy (data_addr, "unknown address",
+					 sizeof(data_addr));
+
+
+		syslog(LOG_INFO, "connection from %s(%s)",
+		       remotehost,
+		       data_addr);
+	}
+}
+
+/*
+ * Record logout in wtmp file
+ * and exit with supplied status.
+ */
+void
+dologout(int status)
+{
+    transflag = 0;
+    if (logged_in) {
+	seteuid((uid_t)0);
+	ftpd_logwtmp(ttyline, "", "");
+#ifdef KRB4
+	cond_kdestroy();
+#endif
+    }
+    /* beware of flushing buffers after a SIGPIPE */
+#ifdef XXX
+    exit(status);
+#else
+    _exit(status);
+#endif	
+}
+
+void abor(void)
+{
+}
+
+static void
+myoob(int signo)
+{
+#if 0
+	char *cp;
+#endif
+
+	/* only process if transfer occurring */
+	if (!transflag)
+		return;
+
+	/* This is all XXX */
+	oobflag = 1;
+	/* if the command resulted in a new command, 
+	   parse that as well */
+	do{
+	    yyparse();
+	} while(ftp_command);
+	oobflag = 0;
+
+#if 0 
+	cp = tmpline;
+	if (ftpd_getline(cp, 7) == NULL) {
+		reply(221, "You could at least say goodbye.");
+		dologout(0);
+	}
+	upper(cp);
+	if (strcmp(cp, "ABOR\r\n") == 0) {
+		tmpline[0] = '\0';
+		reply(426, "Transfer aborted. Data connection closed.");
+		reply(226, "Abort successful");
+		longjmp(urgcatch, 1);
+	}
+	if (strcmp(cp, "STAT\r\n") == 0) {
+		if (file_size != (off_t) -1)
+			reply(213, "Status: %ld of %ld bytes transferred",
+			      (long)byte_count,
+			      (long)file_size);
+		else
+			reply(213, "Status: %ld bytes transferred"
+			      (long)byte_count);
+	}
+#endif
+}
+
+/*
+ * Note: a response of 425 is not mentioned as a possible response to
+ *	the PASV command in RFC959. However, it has been blessed as
+ *	a legitimate response by Jon Postel in a telephone conversation
+ *	with Rick Adams on 25 Jan 89.
+ */
+void
+pasv(void)
+{
+	socklen_t len;
+	char *p, *a;
+	struct sockaddr_in *sin;
+
+	if (ctrl_addr->sa_family != AF_INET) {
+		reply(425,
+		      "You cannot do PASV with something that's not IPv4");
+		return;
+	}
+
+	if(pdata != -1)
+	    close(pdata);
+
+	pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+	if (pdata < 0) {
+		perror_reply(425, "Can't open passive connection");
+		return;
+	}
+	pasv_addr->sa_family = ctrl_addr->sa_family;
+	socket_set_address_and_port (pasv_addr,
+				     socket_get_address (ctrl_addr),
+				     0);
+	seteuid(0);
+	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+		seteuid(pw->pw_uid);
+		goto pasv_error;
+	}
+	seteuid(pw->pw_uid);
+	len = sizeof(pasv_addr_ss);
+	if (getsockname(pdata, pasv_addr, &len) < 0)
+		goto pasv_error;
+	if (listen(pdata, 1) < 0)
+		goto pasv_error;
+	sin = (struct sockaddr_in *)pasv_addr;
+	a = (char *) &sin->sin_addr;
+	p = (char *) &sin->sin_port;
+
+#define UC(b) (((int) b) & 0xff)
+
+	reply(227, "Entering Passive Mode (%d,%d,%d,%d,%d,%d)", UC(a[0]),
+		UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1]));
+	return;
+
+pasv_error:
+	close(pdata);
+	pdata = -1;
+	perror_reply(425, "Can't open passive connection");
+	return;
+}
+
+void
+epsv(char *proto)
+{
+	socklen_t len;
+
+	pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+	if (pdata < 0) {
+		perror_reply(425, "Can't open passive connection");
+		return;
+	}
+	pasv_addr->sa_family = ctrl_addr->sa_family;
+	socket_set_address_and_port (pasv_addr,
+				     socket_get_address (ctrl_addr),
+				     0);
+	seteuid(0);
+	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+		seteuid(pw->pw_uid);
+		goto pasv_error;
+	}
+	seteuid(pw->pw_uid);
+	len = sizeof(pasv_addr_ss);
+	if (getsockname(pdata, pasv_addr, &len) < 0)
+		goto pasv_error;
+	if (listen(pdata, 1) < 0)
+		goto pasv_error;
+
+	reply(229, "Entering Extended Passive Mode (|||%d|)",
+	      ntohs(socket_get_port (pasv_addr)));
+	return;
+
+pasv_error:
+	close(pdata);
+	pdata = -1;
+	perror_reply(425, "Can't open passive connection");
+	return;
+}
+
+void
+eprt(char *str)
+{
+	char *end;
+	char sep;
+	int af;
+	int ret;
+	int port;
+
+	usedefault = 0;
+	if (pdata >= 0) {
+	    close(pdata);
+	    pdata = -1;
+	}
+
+	sep = *str++;
+	if (sep == '\0') {
+		reply(500, "Bad syntax in EPRT");
+		return;
+	}
+	af = strtol (str, &end, 0);
+	if (af == 0 || *end != sep) {
+		reply(500, "Bad syntax in EPRT");
+		return;
+	}
+	str = end + 1;
+	switch (af) {
+#ifdef HAVE_IPV6
+	case 2 :
+	    data_dest->sa_family = AF_INET6;
+	    break;
+#endif		
+	case 1 :
+	    data_dest->sa_family = AF_INET;
+		break;
+	default :
+		reply(522, "Network protocol %d not supported, use (1"
+#ifdef HAVE_IPV6
+		      ",2"
+#endif
+		      ")", af);
+		return;
+	}
+	end = strchr (str, sep);
+	if (end == NULL) {
+		reply(500, "Bad syntax in EPRT");
+		return;
+	}
+	*end = '\0';
+	ret = inet_pton (data_dest->sa_family, str,
+			 socket_get_address (data_dest));
+
+	if (ret != 1) {
+		reply(500, "Bad address syntax in EPRT");
+		return;
+	}
+	str = end + 1;
+	port = strtol (str, &end, 0);
+	if (port == 0 || *end != sep) {
+		reply(500, "Bad port syntax in EPRT");
+		return;
+	}
+	socket_set_port (data_dest, htons(port));
+	reply(200, "EPRT command successful.");
+}
+
+/*
+ * Generate unique name for file with basename "local".
+ * The file named "local" is already known to exist.
+ * Generates failure reply on error.
+ */
+static char *
+gunique(char *local)
+{
+	static char new[MaxPathLen];
+	struct stat st;
+	int count;
+	char *cp;
+
+	cp = strrchr(local, '/');
+	if (cp)
+		*cp = '\0';
+	if (stat(cp ? local : ".", &st) < 0) {
+		perror_reply(553, cp ? local : ".");
+		return NULL;
+	}
+	if (cp)
+		*cp = '/';
+	for (count = 1; count < 100; count++) {
+		snprintf (new, sizeof(new), "%s.%d", local, count);
+		if (stat(new, &st) < 0)
+			return (new);
+	}
+	reply(452, "Unique file name cannot be created.");
+	return (NULL);
+}
+
+/*
+ * Format and send reply containing system error number.
+ */
+void
+perror_reply(int code, const char *string)
+{
+	reply(code, "%s: %s.", string, strerror(errno));
+}
+
+static char *onefile[] = {
+	"",
+	0
+};
+
+void
+list_file(char *file)
+{
+    if(use_builtin_ls) {
+	FILE *dout;
+	dout = dataconn(file, -1, "w");
+	if (dout == NULL)
+	    return;
+	set_buffer_size(fileno(dout), 0);
+	builtin_ls(dout, file);
+	reply(226, "Transfer complete.");
+	fclose(dout);
+	data = -1;
+	pdata = -1;
+    } else {
+#ifdef HAVE_LS_A
+	const char *cmd = "/bin/ls -lA %s";
+#else
+	const char *cmd = "/bin/ls -la %s";
+#endif
+	retrieve(cmd, file);
+    }
+}
+
+void
+send_file_list(char *whichf)
+{
+  struct stat st;
+  DIR *dirp = NULL;
+  struct dirent *dir;
+  FILE *dout = NULL;
+  char **dirlist, *dirname;
+  int simple = 0;
+  int freeglob = 0;
+  glob_t gl;
+  char buf[MaxPathLen];
+
+  if (strpbrk(whichf, "~{[*?") != NULL) {
+    int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|GLOB_LIMIT;
+
+    memset(&gl, 0, sizeof(gl));
+    freeglob = 1;
+    if (glob(whichf, flags, 0, &gl)) {
+      reply(550, "not found");
+      goto out;
+    } else if (gl.gl_pathc == 0) {
+      errno = ENOENT;
+      perror_reply(550, whichf);
+      goto out;
+    }
+    dirlist = gl.gl_pathv;
+  } else {
+    onefile[0] = whichf;
+    dirlist = onefile;
+    simple = 1;
+  }
+
+  if (setjmp(urgcatch)) {
+    transflag = 0;
+    goto out;
+  }
+  while ((dirname = *dirlist++)) {
+    if (stat(dirname, &st) < 0) {
+      /*
+       * If user typed "ls -l", etc, and the client
+       * used NLST, do what the user meant.
+       */
+      if (dirname[0] == '-' && *dirlist == NULL &&
+	  transflag == 0) {
+	  list_file(dirname);
+	  goto out;
+      }
+      perror_reply(550, whichf);
+      if (dout != NULL) {
+	fclose(dout);
+	transflag = 0;
+	data = -1;
+	pdata = -1;
+      }
+      goto out;
+    }
+
+    if (S_ISREG(st.st_mode)) {
+      if (dout == NULL) {
+	dout = dataconn("file list", (off_t)-1, "w");
+	if (dout == NULL)
+	  goto out;
+	transflag++;
+      }
+      snprintf(buf, sizeof(buf), "%s%s\n", dirname,
+	      type == TYPE_A ? "\r" : "");
+      sec_write(fileno(dout), buf, strlen(buf));
+      byte_count += strlen(dirname) + 1;
+      continue;
+    } else if (!S_ISDIR(st.st_mode))
+      continue;
+
+    if ((dirp = opendir(dirname)) == NULL)
+      continue;
+
+    while ((dir = readdir(dirp)) != NULL) {
+      char nbuf[MaxPathLen];
+
+      if (!strcmp(dir->d_name, "."))
+	continue;
+      if (!strcmp(dir->d_name, ".."))
+	continue;
+
+      snprintf(nbuf, sizeof(nbuf), "%s/%s", dirname, dir->d_name);
+
+      /*
+       * We have to do a stat to insure it's
+       * not a directory or special file.
+       */
+      if (simple || (stat(nbuf, &st) == 0 &&
+		     S_ISREG(st.st_mode))) {
+	if (dout == NULL) {
+	  dout = dataconn("file list", (off_t)-1, "w");
+	  if (dout == NULL)
+	    goto out;
+	  transflag++;
+	}
+	if(strncmp(nbuf, "./", 2) == 0)
+	  snprintf(buf, sizeof(buf), "%s%s\n", nbuf +2,
+		   type == TYPE_A ? "\r" : "");
+	else
+	  snprintf(buf, sizeof(buf), "%s%s\n", nbuf,
+		   type == TYPE_A ? "\r" : "");
+	sec_write(fileno(dout), buf, strlen(buf));
+	byte_count += strlen(nbuf) + 1;
+      }
+    }
+    closedir(dirp);
+  }
+  if (dout == NULL)
+    reply(550, "No files found.");
+  else if (ferror(dout) != 0)
+    perror_reply(550, "Data connection");
+  else
+    reply(226, "Transfer complete.");
+
+  transflag = 0;
+  if (dout != NULL){
+    sec_write(fileno(dout), buf, 0); /* XXX flush */
+	    
+    fclose(dout);
+  }
+  data = -1;
+  pdata = -1;
+out:
+  if (freeglob) {
+    freeglob = 0;
+    globfree(&gl);
+  }
+}
+
+
+int
+find(char *pattern)
+{
+    char line[1024];
+    FILE *f;
+
+    snprintf(line, sizeof(line),
+	     "/bin/locate -d %s -- %s",
+	     ftp_rooted("/etc/locatedb"),
+	     pattern);
+    f = ftpd_popen(line, "r", 1, 1);
+    if(f == NULL){
+	perror_reply(550, "/bin/locate");
+	return 1;
+    }
+    lreply(200, "Output from find.");
+    while(fgets(line, sizeof(line), f)){
+	if(line[strlen(line)-1] == '\n')
+	    line[strlen(line)-1] = 0;
+	nreply("%s", line);
+    }
+    reply(200, "Done");
+    ftpd_pclose(f);
+    return 0;
+}
+
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.cat8 b/crypto/heimdal/appl/ftp/ftpd/ftpd.cat8
new file mode 100644
index 0000000..d4af02e
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.cat8
@@ -0,0 +1,296 @@
+
+FTPD(8)                  UNIX System Manager's Manual                  FTPD(8)
+
+NNAAMMEE
+     ffttppdd - Internet File Transfer Protocol server
+
+SSYYNNOOPPSSIISS
+     ffttppdd [--aa _a_u_t_h_m_o_d_e] [--ddiillvv] [--gg _u_m_a_s_k] [--pp _p_o_r_t] [--TT _m_a_x_t_i_m_e_o_u_t] [--tt
+     _t_i_m_e_o_u_t] [--uu _d_e_f_a_u_l_t _u_m_a_s_k] [--BB | ----bbuuiillttiinn--llss] [----ggoooodd--cchhaarrss==_s_t_r_i_n_g]
+
+DDEESSCCRRIIPPTTIIOONN
+     FFttppdd is the Internet File Transfer Protocol server process.  The server
+     uses the TCP protocol and listens at the port specified in the ``ftp''
+     service specification; see services(5).
+
+     Available options:
+
+     --aa      Select the level of authentication required.  Kerberised login
+             can not be turned off. The default is to only allow kerberised
+             login.  Other possibilities can be turned on by giving a string
+             of comma separated flags as argument to --aa. Recognised flags are:
+
+             _p_l_a_i_n  Allow logging in with plaintext password. The password can
+                    be a(n) OTP or an ordinary password.
+
+             _o_t_p    Same as _p_l_a_i_n, but only OTP is allowed.
+
+             _f_t_p    Allow anonymous login.
+
+             The following combination modes exists for backwards compatibili-
+             ty:
+
+             _n_o_n_e   Same as _p_l_a_i_n_,_f_t_p.
+
+             _s_a_f_e   Same as _f_t_p.
+
+             _u_s_e_r   Ignored.
+
+     --dd      Debugging information is written to the syslog using LOG_FTP.
+
+     --gg      Anonymous users will get a umask of _u_m_a_s_k.
+
+     --ii      Open a socket and wait for a connection. This is mainly used for
+             debugging when ftpd isn't started by inetd.
+
+     --ll      Each successful and failed ftp(1) session is logged using syslog
+             with a facility of LOG_FTP.  If this option is specified twice,
+             the retrieve (get), store (put), append, delete, make directory,
+             remove directory and rename operations and their filename argu-
+             ments are also logged.
+
+     --pp      Use _p_o_r_t (a service name or number) instead of the default
+             _f_t_p_/_t_c_p.
+
+     --TT      A client may also request a different timeout period; the maximum
+             period allowed may be set to _t_i_m_e_o_u_t seconds with the --TT option.
+             The default limit is 2 hours.
+
+     --tt      The inactivity timeout period is set to _t_i_m_e_o_u_t seconds (the de-
+             fault is 15 minutes).
+
+     --uu      Set the initial umask to something else than the default 027.
+
+
+
+     --vv      Verbose mode.
+
+     --BB, ----bbuuiillttiinn--llss
+             use built-in ls to list files
+
+     ----ggoooodd--cchhaarrss==_s_t_r_i_n_g
+             allowed anonymous upload filename chars
+
+     The file _/_e_t_c_/_n_o_l_o_g_i_n can be used to disable ftp access.  If the file ex-
+     ists, ffttppdd displays it and exits.  If the file _/_e_t_c_/_f_t_p_w_e_l_c_o_m_e exists,
+     ffttppdd prints it before issuing the ``ready'' message.  If the file
+     _/_e_t_c_/_m_o_t_d exists, ffttppdd prints it after a successful login.
+
+     The ftp server currently supports the following ftp requests.  The case
+     of the requests is ignored.
+
+           Request    Description
+           ABOR       abort previous command
+           ACCT       specify account (ignored)
+           ALLO       allocate storage (vacuously)
+           APPE       append to a file
+           CDUP       change to parent of current working directory
+           CWD        change working directory
+           DELE       delete a file
+           HELP       give help information
+           LIST       give list files in a directory (``ls -lgA'')
+           MKD        make a directory
+           MDTM       show last modification time of file
+           MODE       specify data transfer _m_o_d_e
+           NLST       give name list of files in directory
+           NOOP       do nothing
+           PASS       specify password
+           PASV       prepare for server-to-server transfer
+           PORT       specify data connection port
+           PWD        print the current working directory
+           QUIT       terminate session
+           REST       restart incomplete transfer
+           RETR       retrieve a file
+           RMD        remove a directory
+           RNFR       specify rename-from file name
+           RNTO       specify rename-to file name
+           SITE       non-standard commands (see next section)
+           SIZE       return size of file
+           STAT       return status of server
+           STOR       store a file
+           STOU       store a file with a unique name
+           STRU       specify data transfer _s_t_r_u_c_t_u_r_e
+           SYST       show operating system type of server system
+           TYPE       specify data transfer _t_y_p_e
+           USER       specify user name
+           XCUP       change to parent of current working directory
+                      (deprecated)
+           XCWD       change working directory (deprecated)
+           XMKD       make a directory (deprecated)
+           XPWD       print the current working directory (deprecated)
+           XRMD       remove a directory (deprecated)
+
+     The following commands are specified by RFC2228.
+
+           AUTH       authentication/security mechanism
+           ADAT       authentication/security data
+           PROT       data channel protection level
+           PBSZ       protection buffer size
+           MIC        integrity protected command
+
+
+           CONF       confidentiality protected command
+           ENC        privacy protected command
+           CCC        clear command channel
+
+     The following non-standard or UNIX specific commands are supported by the
+     SITE request.
+
+           UMASK      change umask, (e.g. SSIITTEE UUMMAASSKK 000022)
+           IDLE       set idle-timer, (e.g. SSIITTEE IIDDLLEE 6600)
+           CHMOD      change mode of a file (e.g. SSIITTEE CCHHMMOODD 775555 ffiilleennaammee)
+           FIND       quickly find a specific file with GNU locate(1).
+           HELP       give help information.
+
+     The following Kerberos related site commands are understood.
+
+           KAUTH      obtain remote tickets.
+           KLIST      show remote tickets
+
+     The remaining ftp requests specified in Internet RFC 959 are recognized,
+     but not implemented.  MDTM and SIZE are not specified in RFC 959, but
+     will appear in the next updated FTP RFC.
+
+     The ftp server will abort an active file transfer only when the ABOR com-
+     mand is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet
+     "Synch" signal in the command Telnet stream, as described in Internet RFC
+     959.  If a STAT command is received during a data transfer, preceded by a
+     Telnet IP and Synch, transfer status will be returned.
+
+     FFttppdd interprets file names according to the ``globbing'' conventions used
+     by csh(1).  This allows users to utilize the metacharacters ``*?[]{}~''.
+
+     FFttppdd authenticates users according to these rules.
+
+           1.   If Kerberos authentication is used, the user must pass valid
+                tickets and the principal must be allowed to login as the re-
+                mote user.
+
+           2.   The login name must be in the password data base, and not have
+                a null password (if kerberos is used the password field is not
+                checked).  In this case a password must be provided by the
+                client before any file operations may be performed.  If the
+                user has an OTP key, the response from a successful USER com-
+                mand will include an OTP challenge. The client may choose to
+                respond with a PASS command giving either a standard password
+                or an OTP one-time password. The server will automatically de-
+                termine which type of password it has been given and attempt
+                to authenticate accordingly. See otp(1) for more information
+                on OTP authentication.
+
+           3.   The login name must not appear in the file _/_e_t_c_/_f_t_p_u_s_e_r_s.
+
+           4.   The user must have a standard shell returned by
+                getusershell(3).
+
+           5.   If the user name appears in the file _/_e_t_c_/_f_t_p_c_h_r_o_o_t the ses-
+                sion's root will be changed to the user's login directory by
+                chroot(2) as for an ``anonymous'' or ``ftp'' account (see next
+                item).  However, the user must still supply a password.  This
+                feature is intended as a compromise between a fully anonymous
+                account and a fully privileged account.  The account should
+                also be set up as for an anonymous account.
+
+           6.   If the user name is ``anonymous'' or ``ftp'', an anonymous ftp
+                account must be present in the password file (user ``ftp'').
+                In this case the user is allowed to log in by specifying any
+                password (by convention an email address for the user should
+                be used as the password).
+
+     In the last case, ffttppdd takes special measures to restrict the client's
+     access privileges.  The server performs a chroot(2) to the home directory
+     of the ``ftp'' user.  In order that system security is not breached, it
+     is recommended that the ``ftp'' subtree be constructed with care, consid-
+     er following these guidelines for anonymous ftp.
+
+     In general all files should be owned by ``root'', and have non-write per-
+     missions (644 or 755 depending on the kind of file). No files should be
+     owned or writable by ``ftp'' (possibly with exception for the
+     _~_f_t_p_/_i_n_c_o_m_i_n_g, as specified below).
+
+           _~_f_t_p      The ``ftp'' homedirectory should be owned by root.
+
+           _~_f_t_p_/_b_i_n  The directory for external programs (such as ls(1)).
+                     These programs must either be statically linked, or you
+                     must setup an environment for dynamic linking when run-
+                     ning chrooted.  These programs will be used if present:
+
+                           ls      Used when listing files.
+
+                           compress
+                                   When retrieving a filename that ends in _._Z,
+                                   and that file isn't present, ffttppdd will try
+                                   to find the filename without _._Z and com-
+                                   press it on the fly.
+
+                           gzip    Same as compress, just with files ending in
+                                   _._g_z.
+
+                           gtar    Enables retrieval of whole directories as
+                                   files ending in _._t_a_r. Can also be combined
+                                   with compression. You must use GNU Tar (or
+                                   some other that supports the --zz and --ZZ
+                                   flags).
+
+                           locate  Will enable ``fast find'' with the SSIITTEE
+                                   FFIINNDD command. You must also create a
+                                   _l_o_c_a_t_e_d_b file in _~_f_t_p_/_e_t_c.
+
+           _~_f_t_p_/_e_t_c  If you put copies of the passwd(5) and group(5) files
+                     here, ls will be able to produce owner names rather than
+                     numbers. Remember to remove any passwords from these
+                     files.
+
+                     The file _m_o_t_d, if present, will be printed after a suc-
+                     cessful login.
+
+           _~_f_t_p_/_d_e_v  Put a copy of /dev/null(7) here.
+
+           _~_f_t_p_/_p_u_b  Traditional place to put whatever you want to make pub-
+                     lic.
+
+     If you want guests to be able to upload files, create a _~_f_t_p_/_i_n_c_o_m_i_n_g di-
+     rectory owned by ``root'', and group ``ftp'' with mode 730 (make sure
+     ``ftp'' is member of group ``ftp''). The following restrictions apply to
+     anonymous users:
+
+     ++oo   Directories created will have mode 700.
+
+     ++oo   Uploaded files will be created with an umask of 777, if not changed
+         with the --gg option.
+
+     ++oo   These command are not accessible: DDEELLEE, RRMMDD, RRNNTTOO, RRNNFFRR, SSIITTEE UUMMAASSKK,
+
+         and SSIITTEE CCHHMMOODD.
+
+     ++oo   Filenames must start with an alpha-numeric character, and consist of
+         alpha-numeric characters or any of the following: + (plus), - (mi-
+         nus), = (equal), _ (underscore), . (period), and , (comma).
+
+FFIILLEESS
+     /etc/ftpusers    Access list for users.
+     /etc/ftpchroot   List of normal users who should be chroot'd.
+     /etc/ftpwelcome  Welcome notice.
+     /etc/motd        Welcome notice after login.
+     /etc/nologin     Displayed and access refused.
+     ~/.klogin        Login access for Kerberos.
+
+SSEEEE AALLSSOO
+     ftp(1),  otp(1),  getusershell(3),  ftpusers(5),  syslogd(8),
+
+SSTTAANNDDAARRDDSS
+     RRFFCC 995599   FTP PROTOCOL SPECIFICATION
+     RRFFCC 11993388  OTP Specification
+     RRFFCC 22222288  FTP Security Extensions.
+
+BBUUGGSS
+     The server must run as the super-user to create sockets with privileged
+     port numbers.  It maintains an effective user id of the logged in user,
+     reverting to the super-user only when binding addresses to sockets.  The
+     possible security holes have been extensively scrutinized, but are possi-
+     bly incomplete.
+
+HHIISSTTOORRYY
+     The ffttppdd command appeared in 4.2BSD.
+
+4.2 Berkeley Distribution       April 19, 1997                               5
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h b/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h
new file mode 100644
index 0000000..1497b43
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd_locl.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: ftpd_locl.h,v 1.12 2000/09/19 13:16:44 assar Exp $ */
+
+#ifndef __ftpd_locl_h__
+#define __ftpd_locl_h__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+/*
+ * FTP server.
+ */
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_IOCCOM_H
+#include <sys/ioccom.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+#include <arpa/ftp.h>
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#include <ctype.h>
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+#include <errno.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <glob.h>
+#include <limits.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <setjmp.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#include <time.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#include <fnmatch.h>
+
+#ifdef HAVE_BSD_BSD_H
+#include <bsd/bsd.h>
+#endif
+
+#include <err.h>
+#include "roken.h"
+
+#include "pathnames.h"
+#include "extern.h"
+#include "common.h"
+
+#include "security.h"
+
+#ifdef KRB5
+#include <krb5.h>
+#endif /* KRB5 */
+
+#ifdef KRB4
+#include <krb.h>
+#include <kafs.h>
+#endif
+ 
+#ifdef OTP
+#include <otp.h>
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+extern int LIBPREFIX(fclose)      (FILE *);
+#endif
+
+/* SunOS doesn't have any declaration of fclose */
+
+int fclose(FILE *stream);
+
+int yyparse();
+
+#ifndef LOG_FTP
+#define LOG_FTP LOG_DAEMON
+#endif
+
+#endif /* __ftpd_locl_h__ */
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpusers.5 b/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
new file mode 100644
index 0000000..631f11b
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
@@ -0,0 +1,37 @@
+.\"	$Id: ftpusers.5,v 1.4 2001/05/02 08:59:20 assar Exp $
+.\"
+.Dd May 7, 1997
+.Dt FTPUSERS 5
+.Os KTH-KRB
+.Sh NAME
+.Pa /etc/ftpusers
+.Nd FTP access list file
+.Sh DESCRIPTION
+.Pa /etc/ftpusers
+contains a list of users that should be allowed or denied FTP
+access. Each line contains a user, optionally followed by
+.Dq allow 
+(anything but
+.Dq allow
+is ignored).  The semi-user
+.Dq *
+matches any user.  Users that has an explicit
+.Dq allow ,
+or that does not match any line, are allowed access. Anyone else is
+denied access.
+.Pp
+Note that this is compatible with the old format, where this file
+contained a list of users that should be denied access.
+.Sh EXAMPLES
+This will deny anyone but
+.Dq foo
+and
+.Dq bar
+to use FTP:
+.Bd -literal
+foo allow
+bar allow
+*
+.Ed
+.Sh SEE ALSO
+.Xr ftpd 8
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpusers.cat5 b/crypto/heimdal/appl/ftp/ftpd/ftpusers.cat5
new file mode 100644
index 0000000..d2ee3d3
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpusers.cat5
@@ -0,0 +1,27 @@
+
+FTPUSERS(5)                UNIX Programmer's Manual                FTPUSERS(5)
+
+NNAAMMEE
+     _/_e_t_c_/_f_t_p_u_s_e_r_s - FTP access list file
+
+DDEESSCCRRIIPPTTIIOONN
+     _/_e_t_c_/_f_t_p_u_s_e_r_s contains a list of users that should be allowed or denied
+     FTP access. Each line contains a user, optionally followed by ``allow''
+     (anything but ``allow'' is ignored).  The semi-user ``*'' matches any us-
+     er.  Users that has an explicit ``allow'', or that does not match any
+     line, are allowed access. Anyone else is denied access.
+
+     Note that this is compatible with the old format, where this file con-
+     tained a list of users that should be denied access.
+
+EEXXAAMMPPLLEESS
+     This will deny anyone but ``foo'' and ``bar'' to use FTP:
+
+     foo allow
+     bar allow
+     *
+
+SSEEEE AALLSSOO
+     ftpd(8)
+
+ KTH-KRB                          May 7, 1997                                1
diff --git a/crypto/heimdal/appl/ftp/ftpd/gss_userok.c b/crypto/heimdal/appl/ftp/ftpd/gss_userok.c
new file mode 100644
index 0000000..7b3caf2
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/gss_userok.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ftpd_locl.h"
+#include <gssapi.h>
+#include <krb5.h>
+
+RCSID("$Id: gss_userok.c,v 1.7 2001/01/30 00:36:58 assar Exp $");
+
+/* XXX a bit too much of krb5 dependency here... 
+   What is the correct way to do this? 
+   */
+
+extern krb5_context gssapi_krb5_context;
+
+/* XXX sync with gssapi.c */
+struct gss_data {
+    gss_ctx_id_t context_hdl;
+    char *client_name;
+    gss_cred_id_t delegated_cred_handle;
+};
+
+int gss_userok(void*, char*); /* to keep gcc happy */
+
+int
+gss_userok(void *app_data, char *username)
+{
+    struct gss_data *data = app_data;
+    if(gssapi_krb5_context) {
+	krb5_principal client;
+	krb5_error_code ret;
+        
+	ret = krb5_parse_name(gssapi_krb5_context, data->client_name, &client);
+	if(ret)
+	    return 1;
+	ret = krb5_kuserok(gssapi_krb5_context, client, username);
+        if (!ret) {
+           krb5_free_principal(gssapi_krb5_context, client);
+           return 1;
+        }
+        
+        ret = 0;
+        
+        /* more of krb-depend stuff :-( */
+	/* gss_add_cred() ? */
+        if (data->delegated_cred_handle && 
+            data->delegated_cred_handle->ccache ) {
+            
+           krb5_ccache ccache = NULL; 
+           char* ticketfile;
+           struct passwd *pw;
+	   OM_uint32 minor_status;
+           
+           pw = getpwnam(username);
+           
+	   if (pw == NULL) {
+	       ret = 1;
+	       goto fail;
+	   }
+
+           asprintf (&ticketfile, "%s%u", KRB5_DEFAULT_CCROOT, pw->pw_uid);
+        
+           ret = krb5_cc_resolve(gssapi_krb5_context, ticketfile, &ccache);
+           if (ret)
+              goto fail;
+           
+           ret = gss_krb5_copy_ccache(&minor_status,
+				      data->delegated_cred_handle,
+				      ccache);
+           if (ret)
+              goto fail;
+           
+           chown (ticketfile+5, pw->pw_uid, pw->pw_gid);
+           
+#ifdef KRB4
+           if (k_hasafs()) {
+              krb5_afslog(gssapi_krb5_context, ccache, 0, 0);
+           }
+#endif
+           esetenv ("KRB5CCNAME", ticketfile, 1);
+           
+fail:
+           if (ccache)
+              krb5_cc_close(gssapi_krb5_context, ccache); 
+           krb5_cc_destroy(gssapi_krb5_context, 
+                           data->delegated_cred_handle->ccache);
+           data->delegated_cred_handle->ccache = NULL;
+           free(ticketfile);
+        }
+           
+	krb5_free_principal(gssapi_krb5_context, client);
+        return ret;
+    }
+    return 1;
+}
diff --git a/crypto/heimdal/appl/ftp/ftpd/kauth.c b/crypto/heimdal/appl/ftp/ftpd/kauth.c
new file mode 100644
index 0000000..dad4de5
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/kauth.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftpd_locl.h"
+
+RCSID("$Id: kauth.c,v 1.25 1999/12/02 16:58:31 joda Exp $");
+
+static KTEXT_ST cip;
+static unsigned int lifetime;
+static time_t local_time;
+
+static krb_principal pr;
+
+static int do_destroy_tickets = 1;
+
+static int
+save_tkt(const char *user,
+	 const char *instance,
+	 const char *realm,
+	 const void *arg, 
+	 key_proc_t key_proc,
+	 KTEXT *cipp)
+{
+    local_time = time(0);
+    memmove(&cip, *cipp, sizeof(cip));
+    return -1;
+}
+
+static int
+store_ticket(KTEXT cip)
+{
+    char *ptr;
+    des_cblock session;
+    krb_principal sp;
+    unsigned char kvno;
+    KTEXT_ST tkt;
+    int left = cip->length;
+    int len;
+    int kerror;
+    
+    ptr = (char *) cip->dat;
+
+    /* extract session key */
+    memmove(session, ptr, 8);
+    ptr += 8;
+    left -= 8;
+
+    len = strnlen(ptr, left);
+    if (len == left)
+	return(INTK_BADPW);
+    
+    /* extract server's name */
+    strlcpy(sp.name, ptr, sizeof(sp.name));
+    ptr += len + 1;
+    left -= len + 1;
+
+    len = strnlen(ptr, left);
+    if (len == left)
+	return(INTK_BADPW);
+    
+    /* extract server's instance */
+    strlcpy(sp.instance, ptr, sizeof(sp.instance));
+    ptr += len + 1;
+    left -= len + 1;
+
+    len = strnlen(ptr, left);
+    if (len == left)
+	return(INTK_BADPW);
+    
+    /* extract server's realm */
+    strlcpy(sp.realm, ptr, sizeof(sp.realm));
+    ptr += len + 1;
+    left -= len + 1;
+
+    if(left < 3)
+	return INTK_BADPW;
+    /* extract ticket lifetime, server key version, ticket length */
+    /* be sure to avoid sign extension on lifetime! */
+    lifetime = (unsigned char) ptr[0];
+    kvno = (unsigned char) ptr[1];
+    tkt.length = (unsigned char) ptr[2];
+    ptr += 3;
+    left -= 3;
+    
+    if (tkt.length > left)
+	return(INTK_BADPW);
+
+    /* extract ticket itself */
+    memmove(tkt.dat, ptr, tkt.length);
+    ptr += tkt.length;
+    left -= tkt.length;
+
+    /* Here is where the time should be verified against the KDC.
+     * Unfortunately everything is sent in host byte order (receiver
+     * makes wrong) , and at this stage there is no way for us to know
+     * which byteorder the KDC has. So we simply ignore the time,
+     * there are no security risks with this, the only thing that can
+     * happen is that we might receive a replayed ticket, which could
+     * at most be useless.
+     */
+    
+#if 0
+    /* check KDC time stamp */
+    {
+	time_t kdc_time;
+
+	memmove(&kdc_time, ptr, sizeof(kdc_time));
+	if (swap_bytes) swap_u_long(kdc_time);
+
+	ptr += 4;
+    
+	if (abs((int)(local_time - kdc_time)) > CLOCK_SKEW) {
+	    return(RD_AP_TIME);		/* XXX should probably be better
+					   code */
+	}
+    }
+#endif
+
+    /* initialize ticket cache */
+
+    if (tf_create(TKT_FILE) != KSUCCESS)
+	return(INTK_ERR);
+
+    if (tf_put_pname(pr.name) != KSUCCESS ||
+	tf_put_pinst(pr.instance) != KSUCCESS) {
+	tf_close();
+	return(INTK_ERR);
+    }
+
+    
+    kerror = tf_save_cred(sp.name, sp.instance, sp.realm, session, 
+			  lifetime, kvno, &tkt, local_time);
+    tf_close();
+
+    return(kerror);
+}
+
+void
+kauth(char *principal, char *ticket)
+{
+    char *p;
+    int ret;
+  
+    if(get_command_prot() != prot_private) {
+	reply(500, "Request denied (bad protection level)");
+	return;
+    }
+    ret = krb_parse_name(principal, &pr);
+    if(ret){
+	reply(500, "Bad principal: %s.", krb_get_err_text(ret));
+	return;
+    }
+    if(pr.realm[0] == 0)
+	krb_get_lrealm(pr.realm, 1);
+
+    if(ticket){
+	cip.length = base64_decode(ticket, &cip.dat);
+	if(cip.length == -1){
+	    reply(500, "Failed to decode data.");
+	    return;
+	}
+	ret = store_ticket(&cip);
+	if(ret){
+	    reply(500, "Kerberos error: %s.", krb_get_err_text(ret));
+	    memset(&cip, 0, sizeof(cip));
+	    return;
+	}
+	do_destroy_tickets = 1;
+
+	if(k_hasafs())
+	    krb_afslog(0, 0);
+	reply(200, "Tickets will be destroyed on exit.");
+	return;
+    }
+    
+    ret = krb_get_in_tkt (pr.name,
+			  pr.instance,
+			  pr.realm,
+			  KRB_TICKET_GRANTING_TICKET,
+			  pr.realm,
+			  DEFAULT_TKT_LIFE,
+			  NULL, save_tkt, NULL);
+    if(ret != INTK_BADPW){
+	reply(500, "Kerberos error: %s.", krb_get_err_text(ret));
+	return;
+    }
+    if(base64_encode(cip.dat, cip.length, &p) < 0) {
+	reply(500, "Out of memory while base64-encoding.");
+	return;
+    }
+    reply(300, "P=%s T=%s", krb_unparse_name(&pr), p);
+    free(p);
+    memset(&cip, 0, sizeof(cip));
+}
+
+
+static char *
+short_date(int32_t dp)
+{
+    char *cp;
+    time_t t = (time_t)dp;
+
+    if (t == (time_t)(-1L)) return "***  Never  *** ";
+    cp = ctime(&t) + 4;
+    cp[15] = '\0';
+    return (cp);
+}
+
+void
+klist(void)
+{
+    int err;
+
+    char *file = tkt_string();
+
+    krb_principal pr;
+    
+    char buf1[128], buf2[128];
+    int header = 1;
+    CREDENTIALS c;
+
+    
+
+    err = tf_init(file, R_TKT_FIL);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+    tf_close();
+
+    /* 
+     * We must find the realm of the ticket file here before calling
+     * tf_init because since the realm of the ticket file is not
+     * really stored in the principal section of the file, the
+     * routine we use must itself call tf_init and tf_close.
+     */
+    err = krb_get_tf_realm(file, pr.realm);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+
+    err = tf_init(file, R_TKT_FIL);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+
+    err = tf_get_pname(pr.name);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+    err = tf_get_pinst(pr.instance);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+
+    /* 
+     * You may think that this is the obvious place to get the
+     * realm of the ticket file, but it can't be done here as the
+     * routine to do this must open the ticket file.  This is why 
+     * it was done before tf_init.
+     */
+       
+    lreply(200, "Ticket file: %s", tkt_string());
+
+    lreply(200, "Principal: %s", krb_unparse_name(&pr));
+    while ((err = tf_get_cred(&c)) == KSUCCESS) {
+	if (header) {
+	    lreply(200, "%-15s  %-15s  %s",
+		   "  Issued", "  Expires", "  Principal (kvno)");
+	    header = 0;
+	}
+	strlcpy(buf1, short_date(c.issue_date), sizeof(buf1));
+	c.issue_date = krb_life_to_time(c.issue_date, c.lifetime);
+	if (time(0) < (unsigned long) c.issue_date)
+	    strlcpy(buf2, short_date(c.issue_date), sizeof(buf2));
+	else
+	    strlcpy(buf2, ">>> Expired <<< ", sizeof(buf2));
+	lreply(200, "%s  %s  %s (%d)", buf1, buf2,
+	       krb_unparse_name_long(c.service, c.instance, c.realm), c.kvno); 
+    }
+    if (header && err == EOF) {
+	lreply(200, "No tickets in file.");
+    }
+    reply(200, " ");
+}
+
+/*
+ * Only destroy if we created the tickets
+ */
+
+void
+cond_kdestroy(void)
+{
+    if (do_destroy_tickets)
+	dest_tkt();
+    afsunlog();
+}
+
+void
+kdestroy(void)
+{
+    dest_tkt();
+    afsunlog();
+    reply(200, "Tickets destroyed");
+}
+
+void
+krbtkfile(const char *tkfile)
+{
+    do_destroy_tickets = 0;
+    krb_set_tkt_string(tkfile);
+    reply(200, "Using ticket file %s", tkfile);
+}
+
+void
+afslog(const char *cell)
+{
+    if(k_hasafs()) {
+	krb_afslog(cell, 0);
+	reply(200, "afslog done");
+    } else {
+	reply(200, "no AFS present");
+    }
+}
+
+void
+afsunlog(void)
+{
+    if(k_hasafs())
+	k_unlog();
+}
diff --git a/crypto/heimdal/appl/ftp/ftpd/logwtmp.c b/crypto/heimdal/appl/ftp/ftpd/logwtmp.c
new file mode 100644
index 0000000..51139a8
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/logwtmp.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: logwtmp.c,v 1.15 2000/09/19 13:17:05 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#endif
+#ifdef HAVE_UTMPX_H
+#include <utmpx.h>
+#endif
+#include <roken.h>
+#include "extern.h"
+
+#ifndef WTMP_FILE
+#ifdef _PATH_WTMP
+#define WTMP_FILE _PATH_WTMP
+#else
+#define WTMP_FILE "/var/adm/wtmp"
+#endif
+#endif
+
+void
+ftpd_logwtmp(char *line, char *name, char *host)
+{
+    static int init = 0;
+    static int fd;
+#ifdef WTMPX_FILE
+    static int fdx;
+#endif
+    struct utmp ut;
+#ifdef WTMPX_FILE
+    struct utmpx utx;
+#endif
+
+    memset(&ut, 0, sizeof(struct utmp));
+#ifdef HAVE_STRUCT_UTMP_UT_TYPE
+    if(name[0])
+	ut.ut_type = USER_PROCESS;
+    else
+	ut.ut_type = DEAD_PROCESS;
+#endif
+    strncpy(ut.ut_line, line, sizeof(ut.ut_line));
+    strncpy(ut.ut_name, name, sizeof(ut.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_PID
+    ut.ut_pid = getpid();
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+    strncpy(ut.ut_host, host, sizeof(ut.ut_host));
+#endif
+    ut.ut_time = time(NULL);
+
+#ifdef WTMPX_FILE
+    strncpy(utx.ut_line, line, sizeof(utx.ut_line));
+    strncpy(utx.ut_user, name, sizeof(utx.ut_user));
+    strncpy(utx.ut_host, host, sizeof(utx.ut_host));
+#ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN
+    utx.ut_syslen = strlen(host) + 1;
+    if (utx.ut_syslen > sizeof(utx.ut_host))
+        utx.ut_syslen = sizeof(utx.ut_host);
+#endif
+    {
+	struct timeval tv;
+
+	gettimeofday (&tv, 0);
+	utx.ut_tv.tv_sec = tv.tv_sec;
+	utx.ut_tv.tv_usec = tv.tv_usec;
+    }
+
+    if(name[0])
+	utx.ut_type = USER_PROCESS;
+    else
+	utx.ut_type = DEAD_PROCESS;
+#endif
+
+    if(!init){
+	fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0);
+#ifdef WTMPX_FILE
+	fdx = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0);
+#endif
+	init = 1;
+    }
+    if(fd >= 0) {
+	write(fd, &ut, sizeof(struct utmp)); /* XXX */
+#ifdef WTMPX_FILE
+	write(fdx, &utx, sizeof(struct utmpx));
+#endif	
+    }
+}
diff --git a/crypto/heimdal/appl/ftp/ftpd/ls.c b/crypto/heimdal/appl/ftp/ftpd/ls.c
new file mode 100644
index 0000000..9311119
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ls.c
@@ -0,0 +1,716 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifndef TEST
+#include "ftpd_locl.h"
+
+RCSID("$Id: ls.c,v 1.20 2001/01/25 01:33:15 joda Exp $");
+
+#else
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+#include <errno.h>
+
+#define sec_fprintf2 fprintf
+#define sec_fflush fflush
+void
+builtin_ls(FILE *out, const char *file);
+int
+main(int argc, char **argv)
+{
+    int i;
+    for(i = 1; i < argc; i++)
+	builtin_ls(stdout, argv[i]);
+    return 0;
+}
+#endif
+
+struct fileinfo {
+    struct stat st;
+    int inode;
+    int bsize;
+    char mode[11];
+    int n_link;
+    char *user;
+    char *group;
+    char *size;
+    char *major;
+    char *minor;
+    char *date;
+    char *filename;
+    char *link;
+};
+
+static void
+free_fileinfo(struct fileinfo *f)
+{
+    free(f->user);
+    free(f->group);
+    free(f->size);
+    free(f->major);
+    free(f->minor);
+    free(f->date);
+    free(f->filename);
+    free(f->link);
+}
+
+#define LS_DIRS		(1 << 0)
+#define LS_IGNORE_DOT	(1 << 1)
+#define LS_SORT_MODE	(3 << 2)
+#define SORT_MODE(f) ((f) & LS_SORT_MODE)
+#define LS_SORT_NAME	(1 << 2)
+#define LS_SORT_MTIME	(2 << 2)
+#define LS_SORT_SIZE	(3 << 2)
+#define LS_SORT_REVERSE	(1 << 4)
+
+#define LS_SIZE		(1 << 5)
+#define LS_INODE	(1 << 6)
+#define LS_TYPE		(1 << 7)
+#define LS_DISP_MODE	(3 << 8)
+#define DISP_MODE(f) ((f) & LS_DISP_MODE)
+#define LS_DISP_LONG	(1 << 8)
+#define LS_DISP_COLUMN	(2 << 8)
+#define LS_DISP_CROSS	(3 << 8)
+
+#ifndef S_ISTXT
+#define S_ISTXT S_ISVTX
+#endif
+
+#ifndef S_ISSOCK
+#define S_ISSOCK(mode)  (((mode) & _S_IFMT) == S_IFSOCK)
+#endif
+
+#ifndef S_ISLNK
+#define S_ISLNK(mode)   (((mode) & _S_IFMT) == S_IFLNK)
+#endif
+
+static void
+make_fileinfo(const char *filename, struct fileinfo *file, int flags)
+{
+    char buf[128];
+    int file_type = 0;
+    struct stat *st = &file->st;
+
+    file->inode = st->st_ino;
+#ifdef S_BLKSIZE
+    file->bsize = st->st_blocks * S_BLKSIZE / 1024;
+#else
+    file->bsize = st->st_blocks * 512 / 1024;
+#endif
+
+    if(S_ISDIR(st->st_mode)) {
+	file->mode[0] = 'd';
+	file_type = '/';
+    }
+    else if(S_ISCHR(st->st_mode))
+	file->mode[0] = 'c';
+    else if(S_ISBLK(st->st_mode))
+	file->mode[0] = 'b';
+    else if(S_ISREG(st->st_mode)) {
+	file->mode[0] = '-';
+	if(st->st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))
+	    file_type = '*';
+    }
+    else if(S_ISFIFO(st->st_mode)) {
+	file->mode[0] = 'p';
+	file_type = '|';
+    }
+    else if(S_ISLNK(st->st_mode)) {
+	file->mode[0] = 'l';
+	file_type = '@';
+    }
+    else if(S_ISSOCK(st->st_mode)) {
+	file->mode[0] = 's';
+	file_type = '=';
+    }
+#ifdef S_ISWHT
+    else if(S_ISWHT(st->st_mode)) {
+	file->mode[0] = 'w';
+	file_type = '%';
+    }
+#endif
+    else 
+	file->mode[0] = '?';
+    {
+	char *x[] = { "---", "--x", "-w-", "-wx", 
+		      "r--", "r-x", "rw-", "rwx" };
+	strcpy(file->mode + 1, x[(st->st_mode & S_IRWXU) >> 6]);
+	strcpy(file->mode + 4, x[(st->st_mode & S_IRWXG) >> 3]);
+	strcpy(file->mode + 7, x[(st->st_mode & S_IRWXO) >> 0]);
+	if((st->st_mode & S_ISUID)) {
+	    if((st->st_mode & S_IXUSR))
+		file->mode[3] = 's';
+	    else
+		file->mode[3] = 'S';
+	}
+	if((st->st_mode & S_ISGID)) {
+	    if((st->st_mode & S_IXGRP))
+		file->mode[6] = 's';
+	    else
+		file->mode[6] = 'S';
+	}
+	if((st->st_mode & S_ISTXT)) {
+	    if((st->st_mode & S_IXOTH))
+		file->mode[9] = 't';
+	    else
+		file->mode[9] = 'T';
+	}
+    }
+    file->n_link = st->st_nlink;
+    {
+	struct passwd *pwd;
+	pwd = getpwuid(st->st_uid);
+	if(pwd == NULL)
+	    asprintf(&file->user, "%u", (unsigned)st->st_uid);
+	else
+	    file->user = strdup(pwd->pw_name);
+    }
+    {
+	struct group *grp;
+	grp = getgrgid(st->st_gid);
+	if(grp == NULL)
+	    asprintf(&file->group, "%u", (unsigned)st->st_gid);
+	else
+	    file->group = strdup(grp->gr_name);
+    }
+    
+    if(S_ISCHR(st->st_mode) || S_ISBLK(st->st_mode)) {
+#if defined(major) && defined(minor)
+	asprintf(&file->major, "%u", (unsigned)major(st->st_rdev));
+	asprintf(&file->minor, "%u", (unsigned)minor(st->st_rdev));
+#else
+	/* Don't want to use the DDI/DKI crap. */
+	asprintf(&file->major, "%u", (unsigned)st->st_rdev);
+	asprintf(&file->minor, "%u", 0);
+#endif
+    } else
+	asprintf(&file->size, "%lu", (unsigned long)st->st_size);
+
+    {
+	time_t t = time(NULL);
+	time_t mtime = st->st_mtime;
+	struct tm *tm = localtime(&mtime);
+	if((t - mtime > 6*30*24*60*60) ||
+	   (mtime - t > 6*30*24*60*60))
+	    strftime(buf, sizeof(buf), "%b %e  %Y", tm);
+	else
+	    strftime(buf, sizeof(buf), "%b %e %H:%M", tm);
+	file->date = strdup(buf);
+    }
+    {
+	const char *p = strrchr(filename, '/');
+	if(p)
+	    p++;
+	else
+	    p = filename;
+	if((flags & LS_TYPE) && file_type != 0)
+	    asprintf(&file->filename, "%s%c", p, file_type);
+	else
+	    file->filename = strdup(p);
+    }
+    if(S_ISLNK(st->st_mode)) {
+	int n;
+	n = readlink((char *)filename, buf, sizeof(buf));
+	if(n >= 0) {
+	    buf[n] = '\0';
+	    file->link = strdup(buf);
+	} else
+	    warn("%s: readlink", filename);
+    }
+}
+
+static void
+print_file(FILE *out,
+	   int flags,
+	   struct fileinfo *f,
+	   int max_inode,
+	   int max_bsize,
+	   int max_n_link,
+	   int max_user,
+	   int max_group,
+	   int max_size,
+	   int max_major,
+	   int max_minor,
+	   int max_date)
+{
+    if(f->filename == NULL)
+	return;
+
+    if(flags & LS_INODE) {
+	sec_fprintf2(out, "%*d", max_inode, f->inode);
+	sec_fprintf2(out, "  ");
+    }
+    if(flags & LS_SIZE) {
+	sec_fprintf2(out, "%*d", max_bsize, f->bsize);
+	sec_fprintf2(out, "  ");
+    }
+    sec_fprintf2(out, "%s", f->mode);
+    sec_fprintf2(out, "  ");
+    sec_fprintf2(out, "%*d", max_n_link, f->n_link);
+    sec_fprintf2(out, " ");
+    sec_fprintf2(out, "%-*s", max_user, f->user);
+    sec_fprintf2(out, "  ");
+    sec_fprintf2(out, "%-*s", max_group, f->group);
+    sec_fprintf2(out, "  ");
+    if(f->major != NULL && f->minor != NULL)
+	sec_fprintf2(out, "%*s, %*s", max_major, f->major, max_minor, f->minor);
+    else
+	sec_fprintf2(out, "%*s", max_size, f->size);
+    sec_fprintf2(out, " ");
+    sec_fprintf2(out, "%*s", max_date, f->date);
+    sec_fprintf2(out, " ");
+    sec_fprintf2(out, "%s", f->filename);
+    if(f->link)
+	sec_fprintf2(out, " -> %s", f->link);
+    sec_fprintf2(out, "\r\n");
+}
+
+static int
+compare_filename(struct fileinfo *a, struct fileinfo *b)
+{
+    if(a->filename == NULL)
+	return 1;
+    if(b->filename == NULL)
+	return -1;
+    return strcmp(a->filename, b->filename);
+}
+
+static int
+compare_mtime(struct fileinfo *a, struct fileinfo *b)
+{
+    if(a->filename == NULL)
+	return 1;
+    if(b->filename == NULL)
+	return -1;
+    return b->st.st_mtime - a->st.st_mtime;
+}
+
+static int
+compare_size(struct fileinfo *a, struct fileinfo *b)
+{
+    if(a->filename == NULL)
+	return 1;
+    if(b->filename == NULL)
+	return -1;
+    return b->st.st_size - a->st.st_size;
+}
+
+static void
+list_dir(FILE *out, const char *directory, int flags);
+
+static int
+log10(int num)
+{
+    int i = 1;
+    while(num > 10) {
+	i++;
+	num /= 10;
+    }
+    return i;
+}
+
+/*
+ * Operate as lstat but fake up entries for AFS mount points so we don't
+ * have to fetch them.
+ */
+
+#ifdef KRB4
+static int do_the_afs_dance = 1;
+#endif
+
+static int
+lstat_file (const char *file, struct stat *sb)
+{
+#ifdef KRB4
+    if (do_the_afs_dance &&
+	k_hasafs() 
+	&& strcmp(file, ".")
+	&& strcmp(file, "..")
+	&& strcmp(file, "/"))
+    {
+	struct ViceIoctl    a_params;
+	char               *dir, *last;
+	char               *path_bkp;
+	static ino_t	   ino_counter = 0, ino_last = 0;
+	int		   ret;
+	const int	   maxsize = 2048;
+	
+	path_bkp = strdup (file);
+	if (path_bkp == NULL)
+	    return -1;
+	
+	a_params.out = malloc (maxsize);
+	if (a_params.out == NULL) { 
+	    free (path_bkp);
+	    return -1;
+	}
+	
+	/* If path contains more than the filename alone - split it */
+	
+	last = strrchr (path_bkp, '/');
+	if (last != NULL) {
+	    if(last[1] == '\0')
+		/* if path ended in /, replace with `.' */
+		a_params.in = ".";
+	    else
+		a_params.in = last + 1;
+	    while(last > path_bkp && *--last == '/');
+	    if(*last != '/' || last != path_bkp) {
+		*++last = '\0';
+		dir = path_bkp;
+	    } else
+		/* we got to the start, so this must be the root dir */
+		dir = "/";
+	} else {
+	    /* file is relative to cdir */
+	    dir = ".";
+	    a_params.in = path_bkp;
+	}
+	
+	a_params.in_size  = strlen (a_params.in) + 1;
+	a_params.out_size = maxsize;
+	
+	ret = k_pioctl (dir, VIOC_AFS_STAT_MT_PT, &a_params, 0);
+	free (a_params.out);
+	if (ret < 0) {
+	    free (path_bkp);
+
+	    if (errno != EINVAL)
+		return ret;
+	    else
+		/* if we get EINVAL this is probably not a mountpoint */
+		return lstat (file, sb);
+	}
+
+	/* 
+	 * wow this was a mountpoint, lets cook the struct stat
+	 * use . as a prototype
+	 */
+
+	ret = lstat (dir, sb);
+	free (path_bkp);
+	if (ret < 0)
+	    return ret;
+
+	if (ino_last == sb->st_ino)
+	    ino_counter++;
+	else {
+	    ino_last    = sb->st_ino;
+	    ino_counter = 0;
+	}
+	sb->st_ino += ino_counter;
+	sb->st_nlink = 3;
+
+	return 0;
+    }
+#endif /* KRB4 */
+    return lstat (file, sb);
+}
+
+static void
+list_files(FILE *out, const char **files, int n_files, int flags)
+{
+    struct fileinfo *fi;
+    int i;
+
+    fi = calloc(n_files, sizeof(*fi));
+    if (fi == NULL) {
+	sec_fprintf2(out, "ouf of memory\r\n");
+	return;
+    }
+    for(i = 0; i < n_files; i++) {
+	if(lstat_file(files[i], &fi[i].st) < 0) {
+	    sec_fprintf2(out, "%s: %s\r\n", files[i], strerror(errno));
+	    fi[i].filename = NULL;
+	} else {
+	    if((flags & LS_DIRS) == 0 && S_ISDIR(fi[i].st.st_mode)) {
+		if(n_files > 1)
+		    sec_fprintf2(out, "%s:\r\n", files[i]);
+		list_dir(out, files[i], flags);
+	    } else {
+		make_fileinfo(files[i], &fi[i], flags);
+	    }
+	}
+    }
+    switch(SORT_MODE(flags)) {
+    case LS_SORT_NAME:
+	qsort(fi, n_files, sizeof(*fi), 
+	      (int (*)(const void*, const void*))compare_filename);
+	break;
+    case LS_SORT_MTIME:
+	qsort(fi, n_files, sizeof(*fi), 
+	      (int (*)(const void*, const void*))compare_mtime);
+	break;
+    case LS_SORT_SIZE:
+	qsort(fi, n_files, sizeof(*fi), 
+	      (int (*)(const void*, const void*))compare_size);
+	break;
+    }
+    if(DISP_MODE(flags) == LS_DISP_LONG) {
+	int max_inode = 0;
+	int max_bsize = 0;
+	int max_n_link = 0;
+	int max_user = 0;
+	int max_group = 0;
+	int max_size = 0;
+	int max_major = 0;
+	int max_minor = 0;
+	int max_date = 0;
+	for(i = 0; i < n_files; i++) {
+	    if(fi[i].filename == NULL)
+		continue;
+	    if(fi[i].inode > max_inode)
+		max_inode = fi[i].inode;
+	    if(fi[i].bsize > max_bsize)
+		max_bsize = fi[i].bsize;
+	    if(fi[i].n_link > max_n_link)
+		max_n_link = fi[i].n_link;
+	    if(strlen(fi[i].user) > max_user)
+		max_user = strlen(fi[i].user);
+	    if(strlen(fi[i].group) > max_group)
+		max_group = strlen(fi[i].group);
+	    if(fi[i].major != NULL && strlen(fi[i].major) > max_major)
+		max_major = strlen(fi[i].major);
+	    if(fi[i].minor != NULL && strlen(fi[i].minor) > max_minor)
+		max_minor = strlen(fi[i].minor);
+	    if(fi[i].size != NULL && strlen(fi[i].size) > max_size)
+		max_size = strlen(fi[i].size);
+	    if(strlen(fi[i].date) > max_date)
+		max_date = strlen(fi[i].date);
+	}
+	if(max_size < max_major + max_minor + 2)
+	    max_size = max_major + max_minor + 2;
+	else if(max_size - max_minor - 2 > max_major)
+	    max_major = max_size - max_minor - 2;
+	max_inode = log10(max_inode);
+	max_bsize = log10(max_bsize);
+	max_n_link = log10(max_n_link);
+
+	if(flags & LS_SORT_REVERSE)
+	    for(i = n_files - 1; i >= 0; i--)
+		print_file(out,
+			   flags,
+			   &fi[i],
+			   max_inode,
+			   max_bsize,
+			   max_n_link,
+			   max_user,
+			   max_group,
+			   max_size,
+			   max_major,
+			   max_minor,
+			   max_date);
+	else
+	    for(i = 0; i < n_files; i++)
+		print_file(out,
+			   flags,
+			   &fi[i],
+			   max_inode,
+			   max_bsize,
+			   max_n_link,
+			   max_user,
+			   max_group,
+			   max_size,
+			   max_major,
+			   max_minor,
+			   max_date);
+    } else if(DISP_MODE(flags) == LS_DISP_COLUMN || 
+	      DISP_MODE(flags) == LS_DISP_CROSS) {
+	int max_len = 0;
+	int num_files = n_files;
+	int columns;
+	int j;
+	for(i = 0; i < n_files; i++) {
+	    if(fi[i].filename == NULL) {
+		num_files--;
+		continue;
+	    }
+	    if(strlen(fi[i].filename) > max_len)
+		max_len = strlen(fi[i].filename);
+	}
+	columns = 80 / (max_len + 1); /* get space between columns */
+	max_len = 80 / columns;
+	if(DISP_MODE(flags) == LS_DISP_CROSS) {
+	    for(i = 0, j = 0; i < n_files; i++) {
+		if(fi[i].filename == NULL)
+		    continue;
+		sec_fprintf2(out, "%-*s", max_len, fi[i].filename);
+		j++;
+		if(j == columns) {
+		    sec_fprintf2(out, "\r\n");
+		    j = 0;
+		}
+	    }
+	    if(j > 0)
+		    sec_fprintf2(out, "\r\n");
+	} else {
+	    int skip = (num_files + columns - 1) / columns;
+	    j = 0;
+	    for(i = 0; i < skip; i++) {
+		for(j = i; j < n_files;) {
+		    while(j < n_files && fi[j].filename == NULL)
+			j++;
+		    sec_fprintf2(out, "%-*s", max_len, fi[j].filename);
+		    j += skip;
+		}
+		sec_fprintf2(out, "\r\n");
+	    }
+	}
+    } else {
+	for(i = 0; i < n_files; i++) {
+	    if(fi[i].filename == NULL)
+		continue;
+	    sec_fprintf2(out, "%s\r\n", fi[i].filename);
+	}
+    }
+    for(i = 0; i < n_files; i++)
+	free_fileinfo(&fi[i]);
+    free(fi);
+}
+
+static void
+free_files (char **files, int n)
+{
+    int i;
+
+    for (i = 0; i < n; ++i)
+	free (files[i]);
+    free (files);
+}
+
+static void
+list_dir(FILE *out, const char *directory, int flags)
+{
+    DIR *d = opendir(directory);
+    struct dirent *ent;
+    char **files = NULL;
+    int n_files = 0;
+
+    if(d == NULL) {
+	sec_fprintf2(out, "%s: %s\r\n", directory, strerror(errno));
+	return;
+    }
+    while((ent = readdir(d)) != NULL) {
+	void *tmp;
+
+	if(ent->d_name[0] == '.') {
+	    if (flags & LS_IGNORE_DOT)
+	        continue;
+	    if (ent->d_name[1] == 0) /* Ignore . */
+	        continue;
+	    if (ent->d_name[1] == '.' && ent->d_name[2] == 0) /* Ignore .. */
+	        continue;
+	}
+	tmp = realloc(files, (n_files + 1) * sizeof(*files));
+	if (tmp == NULL) {
+	    sec_fprintf2(out, "%s: out of memory\r\n", directory);
+	    free_files (files, n_files);
+	    closedir (d);
+	    return;
+	}
+	files = tmp;
+	asprintf(&files[n_files], "%s/%s", directory, ent->d_name);
+	if (files[n_files] == NULL) {
+	    sec_fprintf2(out, "%s: out of memory\r\n", directory);
+	    free_files (files, n_files);
+	    closedir (d);
+	    return;
+	}
+	++n_files;
+    }
+    closedir(d);
+    list_files(out, (const char**)files, n_files, flags | LS_DIRS);
+}
+
+void
+builtin_ls(FILE *out, const char *file)
+{
+    int flags = LS_SORT_NAME | LS_IGNORE_DOT | LS_DISP_LONG;
+
+    if(*file == '-') {
+	const char *p;
+	for(p = file + 1; *p; p++) {
+	    switch(*p) {
+	    case '1':
+		flags = (flags & ~LS_DISP_MODE);
+		break;
+	    case 'a':
+	    case 'A':
+		flags &= ~LS_IGNORE_DOT;
+		break;
+	    case 'C':
+		flags = (flags & ~LS_DISP_MODE) | LS_DISP_COLUMN;
+		break;
+	    case 'd':
+		flags |= LS_DIRS;
+		break;
+	    case 'f':
+		flags = (flags & ~LS_SORT_MODE);
+		break;
+	    case 'F':
+		flags |= LS_TYPE;
+		break;
+	    case 'i':
+		flags |= LS_INODE;
+		break;
+	    case 'l':
+		flags = (flags & ~LS_DISP_MODE) | LS_DISP_LONG;
+		break;
+	    case 't':
+		flags = (flags & ~LS_SORT_MODE) | LS_SORT_MTIME;
+		break;
+	    case 's':
+		flags |= LS_SIZE;
+		break;
+	    case 'S':
+		flags = (flags & ~LS_SORT_MODE) | LS_SORT_SIZE;
+		break;
+	    case 'r':
+		flags |= LS_SORT_REVERSE;
+		break;
+	    case 'x':
+		flags = (flags & ~LS_DISP_MODE) | LS_DISP_CROSS;
+		break;
+	    }
+	}
+	file = ".";
+    }
+    list_files(out, &file, 1, flags);
+    sec_fflush(out);
+}
diff --git a/crypto/heimdal/appl/ftp/ftpd/pathnames.h b/crypto/heimdal/appl/ftp/ftpd/pathnames.h
new file mode 100644
index 0000000..ff2041b
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/pathnames.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)pathnames.h	8.1 (Berkeley) 6/4/93
+ */
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifndef _PATH_DEVNULL
+#define _PATH_DEVNULL "/dev/null"
+#endif
+
+#ifndef _PATH_NOLOGIN
+#define _PATH_NOLOGIN "/etc/nologin"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
+#define	_PATH_FTPUSERS		"/etc/ftpusers"
+#define	_PATH_FTPCHROOT		"/etc/ftpchroot"
+#define	_PATH_FTPWELCOME	"/etc/ftpwelcome"
+#define	_PATH_FTPLOGINMESG	"/etc/motd"
+
+#define _PATH_ISSUE		"/etc/issue"
+#define _PATH_ISSUE_NET		"/etc/issue.net"
diff --git a/crypto/heimdal/appl/ftp/ftpd/popen.c b/crypto/heimdal/appl/ftp/ftpd/popen.c
new file mode 100644
index 0000000..52c8824
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/popen.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 1988, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software written by Ken Arnold and
+ * published in UNIX Review, Vol. 6, No. 8.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: popen.c,v 1.24 2001/03/26 11:41:02 assar Exp $");
+#endif
+
+#include <sys/types.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#include <sys/wait.h>
+
+#include <errno.h>
+#include <glob.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <roken.h>
+#include "extern.h"
+
+
+/* 
+ * Special version of popen which avoids call to shell.  This ensures
+ * no one may create a pipe to a hidden program as a side effect of a
+ * list or dir command.
+ */
+static int *pids;
+static int fds;
+
+extern int dochroot;
+
+/* return path prepended with ~ftp if that file exists, otherwise
+ * return path unchanged
+ */
+
+const char *
+ftp_rooted(const char *path)
+{
+    static char home[MaxPathLen] = "";
+    static char newpath[MaxPathLen];
+    struct passwd *pwd;
+
+    if(!home[0])
+	if((pwd = k_getpwnam("ftp")))
+	    strlcpy(home, pwd->pw_dir, sizeof(home));
+    snprintf(newpath, sizeof(newpath), "%s/%s", home, path);
+    if(access(newpath, X_OK))
+	strlcpy(newpath, path, sizeof(newpath));
+    return newpath;
+}
+
+
+#define MAXARGS	100
+#define MAXGLOBS 1000
+
+FILE *
+ftpd_popen(char *program, char *type, int do_stderr, int no_glob)
+{
+	char *cp;
+	FILE *iop;
+	int argc, gargc, pdes[2], pid;
+	char **pop, *argv[MAXARGS], *gargv[MAXGLOBS];
+	char *foo;
+
+	if (strcmp(type, "r") && strcmp(type, "w"))
+		return (NULL);
+
+	if (!pids) {
+
+	    /* This function is ugly and should be rewritten, in
+	     * modern unices there is no such thing as a maximum
+	     * filedescriptor.
+	     */
+
+	    fds = getdtablesize();
+	    pids = (int*)calloc(fds, sizeof(int));
+	    if(!pids)
+		return NULL;
+	}
+	if (pipe(pdes) < 0)
+		return (NULL);
+
+	/* break up string into pieces */
+	foo = NULL;
+	for (argc = 0, cp = program; argc < MAXARGS - 1; cp = NULL) {
+		if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
+			break;
+	}
+	argv[MAXARGS - 1] = NULL;
+
+	gargv[0] = (char*)ftp_rooted(argv[0]);
+	/* glob each piece */
+	for (gargc = argc = 1; argv[argc] && gargc < MAXGLOBS - 1; argc++) {
+		glob_t gl;
+		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE
+		    | GLOB_LIMIT;
+
+		memset(&gl, 0, sizeof(gl));
+		if (no_glob || glob(argv[argc], flags, NULL, &gl))
+			gargv[gargc++] = strdup(argv[argc]);
+		else
+			for (pop = gl.gl_pathv;
+			     *pop && gargc < MAXGLOBS - 1;
+			     pop++)
+				gargv[gargc++] = strdup(*pop);
+		globfree(&gl);
+	}
+	gargv[gargc] = NULL;
+
+	iop = NULL;
+	switch(pid = fork()) {
+	case -1:			/* error */
+		close(pdes[0]);
+		close(pdes[1]);
+		goto pfree;
+		/* NOTREACHED */
+	case 0:				/* child */
+		if (*type == 'r') {
+			if (pdes[1] != STDOUT_FILENO) {
+				dup2(pdes[1], STDOUT_FILENO);
+				close(pdes[1]);
+			}
+			if(do_stderr)
+			    dup2(STDOUT_FILENO, STDERR_FILENO);
+			close(pdes[0]);
+		} else {
+			if (pdes[0] != STDIN_FILENO) {
+				dup2(pdes[0], STDIN_FILENO);
+				close(pdes[0]);
+			}
+			close(pdes[1]);
+		}
+		execv(gargv[0], gargv);
+		gargv[0] = argv[0];
+		execv(gargv[0], gargv);
+		_exit(1);
+	}
+	/* parent; assume fdopen can't fail...  */
+	if (*type == 'r') {
+		iop = fdopen(pdes[0], type);
+		close(pdes[1]);
+	} else {
+		iop = fdopen(pdes[1], type);
+		close(pdes[0]);
+	}
+	pids[fileno(iop)] = pid;
+	
+pfree:	
+	for (argc = 1; gargv[argc] != NULL; argc++)
+	    free(gargv[argc]);
+
+
+	return (iop);
+}
+
+int
+ftpd_pclose(FILE *iop)
+{
+	int fdes, status;
+	pid_t pid;
+	sigset_t sigset, osigset;
+
+	/*
+	 * pclose returns -1 if stream is not associated with a
+	 * `popened' command, or, if already `pclosed'.
+	 */
+	if (pids == 0 || pids[fdes = fileno(iop)] == 0)
+		return (-1);
+	fclose(iop);
+	sigemptyset(&sigset);
+	sigaddset(&sigset, SIGINT);
+	sigaddset(&sigset, SIGQUIT);
+	sigaddset(&sigset, SIGHUP);
+	sigprocmask(SIG_BLOCK, &sigset, &osigset);
+	while ((pid = waitpid(pids[fdes], &status, 0)) < 0 && errno == EINTR)
+		continue;
+	sigprocmask(SIG_SETMASK, &osigset, NULL);
+	pids[fdes] = 0;
+	if (pid < 0)
+		return (pid);
+	if (WIFEXITED(status))
+		return (WEXITSTATUS(status));
+	return (1);
+}
diff --git a/crypto/heimdal/appl/kauth/ChangeLog b/crypto/heimdal/appl/kauth/ChangeLog
new file mode 100644
index 0000000..ac0491f
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/ChangeLog
@@ -0,0 +1,39 @@
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* rkinit.c (doit_host): NAT work-around
+	* kauthd.c (doit): type correctness
+
+1999-12-05  Assar Westerlund  <assar@sics.se>
+
+	* kauthd.c: use getnameinfo instead of inaddr2str and inet_ntoa
+
+1999-08-31  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kauth.c: cleanup usage string; handle `kauth -h' gracefully
+	(print usage); add `-a' flag to get the ticket address (useful for
+	firewall configurations)
+
+Thu Apr 15 15:05:33 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kauth.c: add `-v'
+
+Thu Mar 18 11:17:14 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Sun Nov 22 10:30:47 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Tue May 26 17:41:47 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kauth.c: use krb_enable_debug
+
+Fri May  1 07:15:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* rkinit.c: unifdef -DHAVE_H_ERRNO
+
+Thu Mar 19 16:07:18 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kauth.c: Check for negative return value from krb_afslog().
+
diff --git a/crypto/heimdal/appl/kauth/Makefile.am b/crypto/heimdal/appl/kauth/Makefile.am
new file mode 100644
index 0000000..a5bf0fdaca
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/Makefile.am
@@ -0,0 +1,42 @@
+# $Id: Makefile.am,v 1.7 1999/04/09 18:22:45 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = kauth
+bin_SCRIPTS = ksrvtgt
+libexec_PROGRAMS = kauthd
+
+EXTRA_DIST = zrefresh ksrvtgt.in
+
+kauth_SOURCES = \
+	kauth.c \
+	kauth.h \
+	rkinit.c \
+	marshall.c \
+	encdata.c
+
+kauthd_SOURCES = \
+	kauthd.c \
+	kauth.h \
+	marshall.c \
+	encdata.c
+
+ksrvtgt: ksrvtgt.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/ksrvtgt.in > $@
+	chmod +x $@
+
+install-exec-local:
+	if test -f $(bindir)/zrefresh -o -r  $(bindir)/zrefresh; then \
+	  true; \
+	else \
+	  $(INSTALL_PROGRAM) $(srcdir)/zrefresh $(bindir)/`echo zrefresh | sed '$(transform)'`; \
+	fi
+
+LDADD = \
+	$(LIB_kafs)				\
+	$(LIB_krb5)				\
+	$(LIB_krb4)				\
+	$(top_builddir)/lib/des/libdes.la	\
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/kauth/Makefile.in b/crypto/heimdal/appl/kauth/Makefile.in
new file mode 100644
index 0000000..f9c005f
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/Makefile.in
@@ -0,0 +1,739 @@
+# Makefile.in generated automatically by automake 1.4 from Makefile.am
+
+# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# $Id: Makefile.am,v 1.7 1999/04/09 18:22:45 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+DESTDIR =
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS)
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+host_alias = @host_alias@
+host_triplet = @host@
+AFS_EXTRA_LD = @AFS_EXTRA_LD@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+DBLIB = @DBLIB@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDE_ = @INCLUDE_@
+LD = @LD@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@
+MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@
+MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NM = @NM@
+NROFF = @NROFF@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la 	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = kauth
+bin_SCRIPTS = ksrvtgt
+libexec_PROGRAMS = kauthd
+
+EXTRA_DIST = zrefresh ksrvtgt.in
+
+kauth_SOURCES =  	kauth.c 	kauth.h 	rkinit.c 	marshall.c 	encdata.c
+
+
+kauthd_SOURCES =  	kauthd.c 	kauth.h 	marshall.c 	encdata.c
+
+
+LDADD =  	$(LIB_kafs)					$(LIB_krb5)					$(LIB_krb4)					$(top_builddir)/lib/des/libdes.la		$(LIB_roken)
+
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  kauth$(EXEEXT)
+libexec_PROGRAMS =  kauthd$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+kauth_OBJECTS =  kauth.$(OBJEXT) rkinit.$(OBJEXT) marshall.$(OBJEXT) \
+encdata.$(OBJEXT)
+kauth_LDADD = $(LDADD)
+@KRB4_TRUE@@KRB5_FALSE@kauth_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_TRUE@kauth_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_FALSE@kauth_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@@KRB5_TRUE@kauth_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+kauth_LDFLAGS = 
+kauthd_OBJECTS =  kauthd.$(OBJEXT) marshall.$(OBJEXT) encdata.$(OBJEXT)
+kauthd_LDADD = $(LDADD)
+@KRB4_TRUE@@KRB5_FALSE@kauthd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_TRUE@kauthd_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+@KRB4_FALSE@@KRB5_FALSE@kauthd_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/des/libdes.la
+@KRB4_TRUE@@KRB5_TRUE@kauthd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/des/libdes.la
+kauthd_LDFLAGS = 
+SCRIPTS =  $(bin_SCRIPTS)
+
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST)
+
+TAR = tar
+GZIP_ENV = --best
+SOURCES = $(kauth_SOURCES) $(kauthd_SOURCES)
+OBJECTS = $(kauth_OBJECTS) $(kauthd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .1 .3 .5 .8 .S .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .s .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/kauth/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$p|sed 's/$(EXEEXT)$$//'|sed '$(transform)'|sed 's/$$/$(EXEEXT)/'`; \
+	done
+
+.c.o:
+	$(COMPILE) -c $<
+
+# FIXME: We should only use cygpath when building on Windows,
+# and only if it is available.
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+	$(COMPILE) -c $<
+
+.S.o:
+	$(COMPILE) -c $<
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.s.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+.S.lo:
+	$(LIBTOOL) --mode=compile $(COMPILE) -c $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+kauth$(EXEEXT): $(kauth_OBJECTS) $(kauth_DEPENDENCIES)
+	@rm -f kauth$(EXEEXT)
+	$(LINK) $(kauth_LDFLAGS) $(kauth_OBJECTS) $(kauth_LDADD) $(LIBS)
+
+kauthd$(EXEEXT): $(kauthd_OBJECTS) $(kauthd_DEPENDENCIES)
+	@rm -f kauthd$(EXEEXT)
+	$(LINK) $(kauthd_LDFLAGS) $(kauthd_OBJECTS) $(kauthd_LDADD) $(LIBS)
+
+install-binSCRIPTS: $(bin_SCRIPTS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`"; \
+	    $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
+	  else if test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`"; \
+	    $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
+	  else :; fi; fi; \
+	done
+
+uninstall-binSCRIPTS:
+	@$(NORMAL_UNINSTALL)
+	list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$p|sed '$(transform)'`; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP)
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	here=`pwd` && cd $(srcdir) \
+	  && mkid -f$$here/ID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)'; \
+	unique=`for i in $$list; do echo $$i; done | \
+	  awk '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || (cd $(srcdir) && etags $(ETAGS_ARGS) $$tags  $$unique $(LISP) -o $$here/TAGS)
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+subdir = appl/kauth
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pr $$/$$file $(distdir)/$$file; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || ln $$d/$$file $(distdir)/$$file 2> /dev/null \
+	    || cp -p $$d/$$file $(distdir)/$$file || :; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \
+		install-binSCRIPTS install-exec-local
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+		uninstall-binSCRIPTS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(SCRIPTS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(bindir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool uninstall-binSCRIPTS install-binSCRIPTS tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-local install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+ksrvtgt: ksrvtgt.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/ksrvtgt.in > $@
+	chmod +x $@
+
+install-exec-local:
+	if test -f $(bindir)/zrefresh -o -r  $(bindir)/zrefresh; then \
+	  true; \
+	else \
+	  $(INSTALL_PROGRAM) $(srcdir)/zrefresh $(bindir)/`echo zrefresh | sed '$(transform)'`; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/kauth/encdata.c b/crypto/heimdal/appl/kauth/encdata.c
new file mode 100644
index 0000000..886f549
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/encdata.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: encdata.c,v 1.10 1999/12/02 16:58:31 joda Exp $");
+
+int
+write_encrypted (int fd, void *buf, size_t len, des_key_schedule schedule,
+		 des_cblock *session, struct sockaddr_in *me,
+		 struct sockaddr_in *him)
+{
+     void *outbuf;
+     int32_t outlen, l;
+     int i;
+     unsigned char tmp[4];
+
+     outbuf = malloc(len + 30);
+     if (outbuf == NULL)
+	  return -1;
+     outlen = krb_mk_priv (buf, outbuf, len, schedule, session, me, him);
+     if (outlen < 0) {
+	  free(outbuf);
+	  return -1;
+     }
+     l = outlen;
+     for(i = 3; i >= 0; i--, l = l >> 8)
+	 tmp[i] = l & 0xff;
+     if (krb_net_write (fd, tmp, 4) != 4 ||
+	 krb_net_write (fd, outbuf, outlen) != outlen) {
+	  free(outbuf);
+	  return -1;
+     }
+     
+     free(outbuf);
+     return 0;
+}
+
+
+int
+read_encrypted (int fd, void *buf, size_t len, void **ret,
+		des_key_schedule schedule, des_cblock *session,
+		struct sockaddr_in *him, struct sockaddr_in *me)
+{
+     int status;
+     int32_t l;
+     MSG_DAT msg;
+     unsigned char tmp[4];
+
+     l = krb_net_read (fd, tmp, 4);
+     if (l != 4)
+	 return l;
+     l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
+     if (l > len)
+	  return -1;
+     if (krb_net_read (fd, buf, l) != l)
+	  return -1;
+     status = krb_rd_priv (buf, l, schedule, session, him, me, &msg);
+     if (status != RD_AP_OK) {
+	  fprintf (stderr, "read_encrypted: %s\n",
+		   krb_get_err_text(status));
+	  return -1;
+     }
+     *ret  = msg.app_data;
+     return  msg.app_length;
+}
diff --git a/crypto/heimdal/appl/kauth/kauth.c b/crypto/heimdal/appl/kauth/kauth.c
new file mode 100644
index 0000000..13448a0
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/kauth.c
@@ -0,0 +1,385 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Little program that reads an srvtab or password and
+ * creates a suitable ticketfile and associated AFS tokens.
+ *
+ * If an optional command is given the command is executed in a
+ * new PAG and when the command exits the tickets are destroyed.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: kauth.c,v 1.97 1999/12/02 16:58:31 joda Exp $");
+
+krb_principal princ;
+static char srvtab[MaxPathLen];
+static int lifetime = DEFAULT_TKT_LIFE;
+static char remote_tktfile[MaxPathLen];
+static char remoteuser[100];
+static char *cell = 0;
+
+static void
+usage(void)
+{
+    fprintf(stderr,
+	    "Usage:\n"
+	    "  %s [name]\n"
+	    "or\n"
+	    "  %s [-ad] [-n name] [-r remoteuser] [-t remote ticketfile]\n"
+	    "        [-l lifetime (in minutes) ] [-f srvtab ] [-c AFS cell name ]\n"
+	    "        [-h hosts... [--]] [command ... ]\n\n",
+	    __progname, __progname);
+    fprintf(stderr, 
+	    "A fully qualified name can be given: user[.instance][@realm]\n"
+	    "Realm is converted to uppercase!\n");
+    exit(1);
+}
+
+#define EX_NOEXEC	126
+#define EX_NOTFOUND	127
+
+static int
+doexec(int argc, char **argv)
+{
+    int ret = simple_execvp(argv[0], argv);
+    if(ret == -2)
+	warn ("fork");
+    if(ret == -3)
+	warn("waitpid");
+    if(ret < 0)
+	return EX_NOEXEC;
+    if(ret == EX_NOEXEC || ret == EX_NOTFOUND)
+	warnx("Can't exec program ``%s''", argv[0]);
+	
+    return ret;
+}
+
+static RETSIGTYPE
+renew(int sig)
+{
+    int code;
+
+    signal(SIGALRM, renew);
+
+    code = krb_get_svc_in_tkt(princ.name, princ.instance, princ.realm,
+			      KRB_TICKET_GRANTING_TICKET,
+			      princ.realm, lifetime, srvtab);
+    if (code)
+	warnx ("%s", krb_get_err_text(code));
+    else if (k_hasafs())
+	{
+	    if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) {
+		warnx ("%s", krb_get_err_text(code));
+	    }
+	}
+
+    alarm(krb_life_to_time(0, lifetime)/2 - 60);
+    SIGRETURN(0);
+}
+
+static int
+zrefresh(void)
+{
+    switch (fork()) {
+    case -1:
+	err (1, "Warning: Failed to fork zrefresh");
+	return -1;
+    case 0:
+	/* Child */
+	execlp("zrefresh", "zrefresh", 0);
+	execl(BINDIR "/zrefresh", "zrefresh", 0);
+	exit(1);
+    default:
+	/* Parent */
+	break;
+    }
+    return 0;
+}
+
+static int
+key_to_key(const char *user,
+	   char *instance,
+	   const char *realm,
+	   const void *arg,
+	   des_cblock *key)
+{
+    memcpy(key, arg, sizeof(des_cblock));
+    return 0;
+}
+
+static int
+get_ticket_address(krb_principal *princ, des_cblock *key)
+{
+    int code;
+    unsigned char flags;
+    krb_principal service;
+    u_int32_t addr;
+    struct in_addr addr2;
+    des_cblock session;
+    int life;
+    u_int32_t time_sec;
+    des_key_schedule schedule;
+    CREDENTIALS c;
+	
+    code = get_ad_tkt(princ->name, princ->instance, princ->realm, 0);
+    if(code) {
+	warnx("get_ad_tkt: %s\n", krb_get_err_text(code));
+	return code;
+    }
+    code = krb_get_cred(princ->name, princ->instance, princ->realm, &c);
+    if(code) {
+	warnx("krb_get_cred: %s\n", krb_get_err_text(code));
+	return code;
+    }
+
+    des_set_key(key, schedule);
+    code = decomp_ticket(&c.ticket_st, 
+			 &flags,
+			 princ->name,
+			 princ->instance,
+			 princ->realm,
+			 &addr,
+			 session,
+			 &life,
+			 &time_sec,
+			 service.name,
+			 service.instance,
+			 key,
+			 schedule);
+    if(code) {
+	warnx("decomp_ticket: %s\n", krb_get_err_text(code));
+	return code;
+    }
+    memset(&session, 0, sizeof(session));
+    memset(schedule, 0, sizeof(schedule));
+    addr2.s_addr = addr;
+    fprintf(stdout, "ticket address = %s\n", inet_ntoa(addr2));
+} 
+
+
+int
+main(int argc, char **argv)
+{
+    int code, more_args;
+    int ret;
+    int c;
+    char *file;
+    int pflag = 0;
+    int aflag = 0;
+    int version_flag = 0;
+    char passwd[100];
+    des_cblock key;
+    char **host;
+    int nhost;
+    char tf[MaxPathLen];
+
+    set_progname (argv[0]);
+
+    if ((file =  getenv("KRBTKFILE")) == 0)
+	file = TKT_FILE;  
+
+    memset(&princ, 0, sizeof(princ));
+    memset(srvtab, 0, sizeof(srvtab));
+    *remoteuser = '\0';
+    nhost = 0;
+    host = NULL;
+  
+    /* Look for kerberos name */
+    if (argc > 1 &&
+	argv[1][0] != '-' &&
+	krb_parse_name(argv[1], &princ) == 0)
+      {
+	argc--; argv++;
+	strupr(princ.realm);
+      }
+
+    while ((c = getopt(argc, argv, "ar:t:f:hdl:n:c:v")) != -1)
+	switch (c) {
+	case 'a':
+	    aflag++;
+	    break;
+	case 'd':
+	    krb_enable_debug();
+	    _kafs_debug = 1;
+	    aflag++;
+	    break;
+	case 'f':
+	    strlcpy(srvtab, optarg, sizeof(srvtab));
+	    break;
+	case 't':
+	    strlcpy(remote_tktfile, optarg, sizeof(remote_tktfile));
+	    break;
+	case 'r':
+	    strlcpy(remoteuser, optarg, sizeof(remoteuser));
+	    break;
+	case 'l':
+	    lifetime = atoi(optarg);
+	    if (lifetime == -1)
+		lifetime = 255;
+	    else if (lifetime < 5)
+		lifetime = 1;
+	    else
+		lifetime = krb_time_to_life(0, lifetime*60);
+	    if (lifetime > 255)
+		lifetime = 255;
+	    break;
+	case 'n':
+	    if ((code = krb_parse_name(optarg, &princ)) != 0) {
+		warnx ("%s", krb_get_err_text(code));
+		usage();
+	    }
+	    strupr(princ.realm);
+	    pflag = 1;
+	    break;
+	case 'c':
+	    cell = optarg;
+	    break;
+	case 'h':
+	    host = argv + optind;
+	    for(nhost = 0; optind < argc && *argv[optind] != '-'; ++optind)
+		++nhost;
+	    if(nhost == 0)
+		usage();
+	    break;
+	case 'v':
+	    version_flag++;
+	    print_version(NULL);
+	    break;
+	case '?':
+	default:
+	    usage();
+	    break;
+	}
+  
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    if (princ.name[0] == '\0' && krb_get_default_principal (princ.name, 
+							    princ.instance, 
+							    princ.realm) < 0)
+	errx (1, "Could not get default principal");
+  
+    /* With root tickets assume remote user is root */
+    if (*remoteuser == '\0') {
+      if (strcmp(princ.instance, "root") == 0)
+	strlcpy(remoteuser, princ.instance, sizeof(remoteuser));
+      else
+	strlcpy(remoteuser, princ.name, sizeof(remoteuser));
+    }
+
+    more_args = argc - optind;
+  
+    if (princ.realm[0] == '\0')
+	if (krb_get_lrealm(princ.realm, 1) != KSUCCESS)
+	    strlcpy(princ.realm, KRB_REALM, REALM_SZ);
+  
+    if (more_args) {
+	int f;
+      
+	do{
+	    snprintf(tf, sizeof(tf), "%s%u_%u", TKT_ROOT, (unsigned)getuid(),
+		     (unsigned)(getpid()*time(0)));
+	    f = open(tf, O_CREAT|O_EXCL|O_RDWR);
+	}while(f < 0);
+	close(f);
+	unlink(tf);
+	setenv("KRBTKFILE", tf, 1);
+	krb_set_tkt_string (tf);
+    }
+    
+    if (srvtab[0])
+	{
+	    signal(SIGALRM, renew);
+
+	    code = read_service_key (princ.name, princ.instance, princ.realm, 0, 
+				     srvtab, (char *)&key);
+	    if (code == KSUCCESS)
+		code = krb_get_in_tkt(princ.name, princ.instance, princ.realm,
+				      KRB_TICKET_GRANTING_TICKET,
+				      princ.realm, lifetime,
+				      key_to_key, NULL, key);
+	    alarm(krb_life_to_time(0, lifetime)/2 - 60);
+	}
+    else {
+	char prompt[128];
+	  
+	snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&princ));
+	if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
+	    memset(passwd, 0, sizeof(passwd));
+	    exit(1);
+	}
+	code = krb_get_pw_in_tkt2(princ.name, princ.instance, princ.realm, 
+				  KRB_TICKET_GRANTING_TICKET, princ.realm, 
+				  lifetime, passwd, &key);
+	
+	memset(passwd, 0, sizeof(passwd));
+    }
+    if (code) {
+	memset (key, 0, sizeof(key));
+	errx (1, "%s", krb_get_err_text(code));
+    }
+
+    if(aflag)
+	get_ticket_address(&princ, &key);
+
+    if (k_hasafs()) {
+	if (more_args)
+	    k_setpag();
+	if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) {
+	    if(code > 0)
+		warnx ("%s", krb_get_err_text(code));
+	    else
+		warnx ("failed to store AFS token");
+	}
+    }
+
+    for(ret = 0; nhost-- > 0; host++)
+	ret += rkinit(&princ, lifetime, remoteuser, remote_tktfile, &key, *host);
+  
+    if (ret)
+	return ret;
+
+    if (more_args) {
+	ret = doexec(more_args, &argv[optind]);
+	dest_tkt();
+	if (k_hasafs())
+	    k_unlog();	 
+    }
+    else
+	zrefresh();
+  
+    return ret;
+}
diff --git a/crypto/heimdal/appl/kauth/kauth.h b/crypto/heimdal/appl/kauth/kauth.h
new file mode 100644
index 0000000..32243c7
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/kauth.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kauth.h,v 1.21 1999/12/02 16:58:31 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif /* HAVE_CONFIG_H */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <signal.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <errno.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#include <err.h>
+
+#include <krb.h>
+#include <kafs.h>
+
+#include <roken.h>
+
+#define KAUTH_PORT 2120
+
+#define KAUTH_VERSION "RKINIT.0"
+
+int rkinit (krb_principal*, int, char*, char*, des_cblock*, char*);
+
+int write_encrypted (int, void*, size_t, des_key_schedule,
+		     des_cblock*, struct sockaddr_in*, struct sockaddr_in*);
+
+int read_encrypted (int, void*, size_t, void **, des_key_schedule,
+		    des_cblock*, struct sockaddr_in*, struct sockaddr_in*);
+
+int pack_args (char *, size_t, krb_principal*, int, const char*, const char*);
+
+int unpack_args (const char*, krb_principal*, int*, char*, char*);
diff --git a/crypto/heimdal/appl/kauth/kauthd.c b/crypto/heimdal/appl/kauth/kauthd.c
new file mode 100644
index 0000000..fe0ceb2
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/kauthd.c
@@ -0,0 +1,207 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: kauthd.c,v 1.27 1999/12/06 16:46:05 assar Exp $");
+
+krb_principal princ;
+static char locuser[SNAME_SZ];
+static int  lifetime;
+static char tktfile[MaxPathLen];
+
+struct remote_args {
+     int sock;
+     des_key_schedule *schedule;
+     des_cblock *session;
+     struct sockaddr_in *me, *her;
+};
+
+static int
+decrypt_remote_tkt (const char *user,
+		    const char *inst,
+		    const char *realm,
+		    const void *varg,
+		    key_proc_t key_proc,
+		    KTEXT *cipp)
+{
+     char buf[BUFSIZ];
+     void *ptr;
+     int len;
+     KTEXT cip  = *cipp;
+     struct remote_args *args = (struct remote_args *)varg;
+
+     write_encrypted (args->sock, cip->dat, cip->length,
+		      *args->schedule, args->session, args->me,
+		      args->her);
+     len = read_encrypted (args->sock, buf, sizeof(buf), &ptr, *args->schedule,
+			   args->session, args->her, args->me);
+     memcpy(cip->dat, ptr, cip->length);
+	  
+     return 0;
+}
+
+static int
+doit(int sock)
+{
+     int status;
+     KTEXT_ST ticket;
+     AUTH_DAT auth;
+     char instance[INST_SZ];
+     des_key_schedule schedule;
+     struct sockaddr_in thisaddr, thataddr;
+     int addrlen;
+     int len;
+     char buf[BUFSIZ];
+     void *data;
+     struct passwd *passwd;
+     char version[KRB_SENDAUTH_VLEN + 1];
+     char remotehost[MaxHostNameLen];
+
+     addrlen = sizeof(thisaddr);
+     if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thisaddr)) {
+	  return 1;
+     }
+     addrlen = sizeof(thataddr);
+     if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thataddr)) {
+	  return 1;
+     }
+
+     getnameinfo_verified ((struct sockaddr *)&thataddr, sizeof(thataddr),
+			   remotehost, sizeof(remotehost),
+			   NULL, 0, 0);
+
+     k_getsockinst (sock, instance, sizeof(instance));
+     status = krb_recvauth (KOPT_DO_MUTUAL, sock, &ticket, "rcmd", instance,
+			    &thataddr, &thisaddr, &auth, "", schedule,
+			    version);
+     if (status != KSUCCESS ||
+	 strncmp(version, KAUTH_VERSION, KRB_SENDAUTH_VLEN) != 0) {
+	  return 1;
+     }
+     len = read_encrypted (sock, buf, sizeof(buf), &data, schedule,
+			   &auth.session, &thataddr, &thisaddr);
+     if (len < 0) {
+	  write_encrypted (sock, "read_enc failed",
+			   sizeof("read_enc failed") - 1, schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+     if (unpack_args(data, &princ, &lifetime, locuser,
+		     tktfile)) {
+	  write_encrypted (sock, "unpack_args failed",
+			   sizeof("unpack_args failed") - 1, schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+
+     if( kuserok(&auth, locuser) != 0) {
+	 snprintf(buf, sizeof(buf), "%s cannot get tickets for %s",
+		  locuser, krb_unparse_name(&princ));
+	 syslog (LOG_ERR, "%s", buf);
+	 write_encrypted (sock, buf, strlen(buf), schedule,
+			  &auth.session, &thisaddr, &thataddr);
+	 return 1;
+     }
+     passwd = k_getpwnam (locuser);
+     if (passwd == NULL) {
+	  snprintf (buf, sizeof(buf), "No user '%s'", locuser);
+	  syslog (LOG_ERR, "%s", buf);
+	  write_encrypted (sock, buf, strlen(buf), schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+     if (setgid (passwd->pw_gid) ||
+	 initgroups(passwd->pw_name, passwd->pw_gid) ||
+	 setuid(passwd->pw_uid)) {
+	  snprintf (buf, sizeof(buf), "Could not change user");
+	  syslog (LOG_ERR, "%s", buf);
+	  write_encrypted (sock, buf, strlen(buf), schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+     write_encrypted (sock, "ok", sizeof("ok") - 1, schedule,
+		      &auth.session, &thisaddr, &thataddr);
+
+     if (*tktfile == 0)
+	 snprintf(tktfile, sizeof(tktfile), "%s%u", TKT_ROOT, (unsigned)getuid());
+     krb_set_tkt_string (tktfile);
+
+     {
+	  struct remote_args arg;
+
+	  arg.sock     = sock;
+	  arg.schedule = &schedule;
+	  arg.session  = &auth.session;
+	  arg.me       = &thisaddr;
+	  arg.her      = &thataddr;
+
+	  status = krb_get_in_tkt (princ.name, princ.instance, princ.realm,
+				   KRB_TICKET_GRANTING_TICKET,
+				   princ.realm,
+				   lifetime, NULL, decrypt_remote_tkt, &arg);
+     }
+     if (status == KSUCCESS) {
+	 char remoteaddr[INET6_ADDRSTRLEN];
+
+	 getnameinfo ((struct sockaddr *)&thataddr, sizeof(thataddr),
+		      remoteaddr, sizeof(remoteaddr),
+		      NULL, 0, NI_NUMERICHOST);
+
+	 syslog (LOG_INFO, "from %s(%s): %s -> %s",
+		 remotehost, remoteaddr,
+		 locuser,
+		 krb_unparse_name (&princ));
+	  write_encrypted (sock, "ok", sizeof("ok") - 1, schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 0;
+     } else {
+	  snprintf (buf, sizeof(buf), "TGT failed: %s", krb_get_err_text(status));
+	  syslog (LOG_NOTICE, "%s", buf);
+	  write_encrypted (sock, buf, strlen(buf), schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+}
+
+int
+main (int argc, char **argv)
+{
+    openlog ("kauthd", LOG_ODELAY, LOG_AUTH);
+
+    if(argc > 1 && strcmp(argv[1], "-i") == 0)
+	mini_inetd (k_getportbyname("kauth", "tcp", htons(KAUTH_PORT)));
+    return doit(STDIN_FILENO);
+}
diff --git a/crypto/heimdal/appl/kauth/ksrvtgt.in b/crypto/heimdal/appl/kauth/ksrvtgt.in
new file mode 100755
index 0000000..c2f33bb
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/ksrvtgt.in
@@ -0,0 +1,14 @@
+#! /bin/sh
+# $Id: ksrvtgt.in,v 1.3 1997/09/13 03:39:03 joda Exp $
+
+usage="Usage: `basename $0` name instance [[realm] srvtab]"
+
+if [ $# -lt 2 -o $# -gt 4 ]; then
+	echo "$usage"
+	exit 1
+fi
+
+srvtab="${4-${3-/etc/srvtab}}"
+realm="${4+@$3}"
+
+%bindir%/kauth -n "$1.$2$realm" -l 5 -f "$srvtab"
diff --git a/crypto/heimdal/appl/kauth/marshall.c b/crypto/heimdal/appl/kauth/marshall.c
new file mode 100644
index 0000000..e37b8c9
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/marshall.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: marshall.c,v 1.10 1999/12/02 16:58:31 joda Exp $");
+
+int
+pack_args (char *buf,
+	   size_t sz,
+	   krb_principal *pr,
+	   int lifetime,
+	   const char *locuser,
+	   const char *tktfile)
+{
+    char *p = buf;
+    int len;
+
+    p = buf;
+
+    len = strlen(pr->name);
+    if (len >= sz)
+	return -1;
+    memcpy (p, pr->name, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    len = strlen(pr->instance);
+    if (len >= sz)
+	return -1;
+    memcpy (p, pr->instance, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    len = strlen(pr->realm);
+    if (len >= sz)
+	return -1;
+    memcpy(p, pr->realm, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    if (sz < 1)
+	return -1;
+    *p++ = (unsigned char)lifetime;
+
+    len = strlen(locuser);
+    if (len >= sz)
+	return -1;
+    memcpy (p, locuser, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    len = strlen(tktfile);
+    if (len >= sz)
+	return -1;
+    memcpy (p, tktfile, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    return p - buf;
+}
+
+int
+unpack_args (const char *buf, krb_principal *pr, int *lifetime,
+	     char *locuser, char *tktfile)
+{
+    int len;
+
+    len = strlen(buf);
+    if (len >= SNAME_SZ)
+	return -1;
+    strlcpy (pr->name, buf, ANAME_SZ);
+    buf += len + 1;
+    len = strlen (buf);
+    if (len >= INST_SZ)
+	return -1;
+    strlcpy (pr->instance, buf, INST_SZ);
+    buf += len + 1;
+    len = strlen (buf);
+    if (len >= REALM_SZ)
+	return -1;
+    strlcpy (pr->realm, buf, REALM_SZ);
+    buf += len + 1;
+    *lifetime = (unsigned char)*buf++;
+    len = strlen(buf);
+    if (len >= SNAME_SZ)
+	return -1;
+    strlcpy (locuser, buf, SNAME_SZ);
+    buf += len + 1;
+    len = strlen(buf);
+    if (len >= MaxPathLen)
+	return -1;
+    strlcpy (tktfile, buf, MaxPathLen);
+    buf += len + 1;
+    return 0;
+}
diff --git a/crypto/heimdal/appl/kauth/rkinit.c b/crypto/heimdal/appl/kauth/rkinit.c
new file mode 100644
index 0000000..d4b07c6
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/rkinit.c
@@ -0,0 +1,226 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: rkinit.c,v 1.23 1999/12/06 17:07:20 assar Exp $");
+
+static struct in_addr *
+getalladdrs (char *hostname, unsigned *count)
+{
+    struct hostent *hostent;
+    struct in_addr **h;
+    struct in_addr *addr;
+    unsigned naddr;
+    unsigned maxaddr;
+
+    hostent = gethostbyname (hostname);
+    if (hostent == NULL) {
+	warnx ("gethostbyname '%s' failed: %s\n",
+	       hostname,
+	       hstrerror(h_errno));
+	return NULL;
+    }
+    maxaddr = 1;
+    naddr = 0;
+    addr = malloc(sizeof(*addr) * maxaddr);
+    if (addr == NULL) {
+	warnx ("out of memory");
+	return NULL;
+    }
+    for (h = (struct in_addr **)(hostent->h_addr_list);
+	 *h != NULL;
+	 h++) {
+	if (naddr >= maxaddr) {
+	    maxaddr *= 2;
+	    addr = realloc (addr, sizeof(*addr) * maxaddr);
+	    if (addr == NULL) {
+		warnx ("out of memory");
+		return NULL;
+	    }
+	}
+	addr[naddr++] = **h;
+    }
+    addr = realloc (addr, sizeof(*addr) * naddr);
+    if (addr == NULL) {
+	warnx ("out of memory");
+	return NULL;
+    }
+    *count = naddr;
+    return addr;
+}
+
+static int
+doit_host (krb_principal *princ, int lifetime, char *locuser, 
+	   char *tktfile, des_cblock *key, int s, char *hostname)
+{
+    char buf[BUFSIZ];
+    int inlen;
+    KTEXT_ST text;
+    CREDENTIALS cred;
+    MSG_DAT msg;
+    int status;
+    des_key_schedule schedule;
+    struct sockaddr_in thisaddr, thataddr;
+    int addrlen;
+    void *ret;
+
+    addrlen = sizeof(thisaddr);
+    if (getsockname (s, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+	addrlen != sizeof(thisaddr)) {
+	warn ("getsockname(%s)", hostname);
+	return 1;
+    }
+    addrlen = sizeof(thataddr);
+    if (getpeername (s, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
+	addrlen != sizeof(thataddr)) {
+	warn ("getpeername(%s)", hostname);
+	return 1;
+    }
+
+    if (krb_get_config_bool("nat_in_use")) {
+	struct in_addr natAddr;
+
+	if (krb_get_our_ip_for_realm(krb_realmofhost(hostname),
+				     &natAddr) == KSUCCESS
+	    || krb_get_our_ip_for_realm (NULL, &natAddr) == KSUCCESS)
+	    thisaddr.sin_addr = natAddr;
+    }
+
+    status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd",
+			   hostname, krb_realmofhost (hostname),
+			   getpid(), &msg, &cred, schedule,
+			   &thisaddr, &thataddr, KAUTH_VERSION);
+    if (status != KSUCCESS) {
+	warnx ("%s: %s\n", hostname, krb_get_err_text(status));
+	return 1;
+    }
+    inlen = pack_args (buf, sizeof(buf),
+		       princ, lifetime, locuser, tktfile);
+    if (inlen < 0) {
+	warn ("cannot marshall arguments to %s", hostname);
+	return 1;
+    }
+
+    if (write_encrypted(s, buf, inlen, schedule, &cred.session,
+			&thisaddr, &thataddr) < 0) {
+	warn ("write to %s", hostname);
+	return 1;
+    }
+
+    inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
+			    &cred.session, &thataddr, &thisaddr);
+    if (inlen < 0) {
+	warn ("read from %s failed", hostname);
+	return 1;
+    }
+
+    if (strncmp(ret, "ok", inlen) != 0) {
+	warnx ("error from %s: %.*s\n",
+	       hostname, inlen, (char *)ret);
+	return 1;
+    }
+
+    inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
+			    &cred.session, &thataddr, &thisaddr);
+    if (inlen < 0) {
+	warn ("read from %s", hostname);
+	return 1;
+    }
+     
+    {
+	des_key_schedule key_s;
+
+	des_key_sched(key, key_s);
+	des_pcbc_encrypt(ret, ret, inlen, key_s, key, DES_DECRYPT);
+	memset(key_s, 0, sizeof(key_s));
+    }
+    write_encrypted (s, ret, inlen, schedule, &cred.session,
+		     &thisaddr, &thataddr);
+
+    inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
+			    &cred.session, &thataddr, &thisaddr);
+    if (inlen < 0) {
+	warn ("read from %s", hostname);
+	return 1;
+    }
+
+    if (strncmp(ret, "ok", inlen) != 0) {
+	warnx ("error from %s: %.*s\n",
+	       hostname, inlen, (char *)ret);
+	return 1;
+    }
+    return 0;
+}
+
+int
+rkinit (krb_principal *princ, int lifetime, char *locuser, 
+	char *tktfile, des_cblock *key, char *hostname)
+{
+    struct in_addr *addr;
+    unsigned naddr;
+    unsigned i;
+    int port;
+    int success;
+
+    addr = getalladdrs (hostname, &naddr);
+    if (addr == NULL)
+	return 1;
+    port = k_getportbyname ("kauth", "tcp", htons(KAUTH_PORT));
+    success = 0;
+    for (i = 0; !success && i < naddr; ++i) {
+	struct sockaddr_in a;
+	int s;
+
+	memset(&a, 0, sizeof(a));
+	a.sin_family = AF_INET;
+	a.sin_port   = port;
+	a.sin_addr   = addr[i];
+
+	s = socket (AF_INET, SOCK_STREAM, 0);
+	if (s < 0) {
+	    warn("socket");
+	    return 1;
+	}
+	if (connect(s, (struct sockaddr *)&a, sizeof(a)) < 0) {
+	    warn("connect(%s)", hostname);
+	    continue;
+	}
+
+	success = success || !doit_host (princ, lifetime,
+					 locuser, tktfile, key,
+					 s, hostname);
+	close (s);
+    }
+    return !success;
+}
diff --git a/crypto/heimdal/appl/kauth/zrefresh b/crypto/heimdal/appl/kauth/zrefresh
new file mode 100755
index 0000000..8347a1b
--- /dev/null
+++ b/crypto/heimdal/appl/kauth/zrefresh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# 
+# @(#) $Id: zrefresh,v 1.3 1996/06/09 19:21:59 joda Exp $
+#
+# Substitute this script with a real zrefresh if running Zephyr. For
+# instance:
+#
+# if [ -f "$WGFILE" ] ; then
+#     zctl load
+# fi
+
+exit 0
diff --git a/crypto/heimdal/appl/kf/Makefile.am b/crypto/heimdal/appl/kf/Makefile.am
new file mode 100644
index 0000000..c145e07
--- /dev/null
+++ b/crypto/heimdal/appl/kf/Makefile.am
@@ -0,0 +1,18 @@
+# $Id: Makefile.am,v 1.5 2000/11/15 22:51:08 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = kf
+
+libexec_PROGRAMS = kfd
+
+man_MANS = kf.1 kfd.8
+
+kf_SOURCES = kf.c kf_locl.h
+
+kfd_SOURCES = kfd.c kf_locl.h
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/kf/Makefile.in b/crypto/heimdal/appl/kf/Makefile.in
new file mode 100644
index 0000000..16a599c
--- /dev/null
+++ b/crypto/heimdal/appl/kf/Makefile.in
@@ -0,0 +1,704 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.5 2000/11/15 22:51:08 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = kf
+
+libexec_PROGRAMS = kfd
+
+man_MANS = kf.1 kfd.8
+
+kf_SOURCES = kf.c kf_locl.h
+
+kfd_SOURCES = kfd.c kf_locl.h
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+subdir = appl/kf
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  kf$(EXEEXT)
+libexec_PROGRAMS =  kfd$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_kf_OBJECTS =  kf.$(OBJEXT)
+kf_OBJECTS =  $(am_kf_OBJECTS)
+kf_LDADD = $(LDADD)
+kf_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kf_LDFLAGS = 
+am_kfd_OBJECTS =  kfd.$(OBJEXT)
+kfd_OBJECTS =  $(am_kfd_OBJECTS)
+kfd_LDADD = $(LDADD)
+kfd_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kfd_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(kf_SOURCES) $(kfd_SOURCES)
+man1dir = $(mandir)/man1
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(kf_SOURCES) $(kfd_SOURCES)
+OBJECTS = $(am_kf_OBJECTS) $(am_kfd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/kf/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+kf$(EXEEXT): $(kf_OBJECTS) $(kf_DEPENDENCIES)
+	@rm -f kf$(EXEEXT)
+	$(LINK) $(kf_LDFLAGS) $(kf_OBJECTS) $(kf_LDADD) $(LIBS)
+
+kfd$(EXEEXT): $(kfd_OBJECTS) $(kfd_DEPENDENCIES)
+	@rm -f kfd$(EXEEXT)
+	$(LINK) $(kfd_LDFLAGS) $(kfd_OBJECTS) $(kfd_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1 install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1 uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+		uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool install-man1 uninstall-man1 install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/kf/kf.1 b/crypto/heimdal/appl/kf/kf.1
new file mode 100644
index 0000000..3836a07
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kf.1
@@ -0,0 +1,84 @@
+.\" Things to fix:
+.\"   * correct section, and operating system
+.\"   * remove Op from mandatory flags
+.\"   * use better macros for arguments (like .Pa for files)
+.\"
+.Dd July  2, 2000
+.Dt KF 1
+.Os Heimdal
+.Sh NAME
+.Nm kf
+.Nd securly forward tickets
+.Sh SYNOPSIS
+.Nm
+.Oo
+.Fl p Ar port |
+.Fl -port Ns = Ns Ar port
+.Oc
+.Oo
+.Fl l Ar login |
+.Fl -login Ns = Ns Ar login
+.Oc
+.Oo
+.Fl c Ar ccache |
+.Fl -ccache Ns = Ns Ar ccache
+.Oc
+.Op Fl F | -forwardable
+.Op Fl G | -no-forwardable
+.Op Fl h | -help
+.Op Fl -version
+.Ar host ...
+.Sh DESCRIPTION
+The
+.Nm
+program forwards tickets to a remove host through an authenticated
+and encrypted stream.
+Options supported are:
+.Bl -tag -width indent
+.It Xo
+.Fl p Ar port ,
+.Fl -port Ns = Ns Ar port
+.Xc
+port to connect to
+.It Xo
+.Fl l Ar login ,
+.Fl -login Ns = Ns Ar login
+.Xc
+remote login name
+.It Xo
+.Fl c Ar ccache ,
+.Fl -ccache Ns = Ns Ar ccache
+.Xc
+remote cred cache
+.It Fl F , -forwardable
+forward forwardable credentials
+.It Fl G , -no-forwardable
+do not forward forwardable credentials
+.It Fl h , -help
+.It Fl -version
+.El
+.Pp
+.Nm
+is useful when you do not want to enter your password on a remote host
+but want to have your tickets one for example afs.
+.Pp
+In order for
+.Nm
+to work you will need to acquire your initial ticket with forwardable
+flag, ie
+.Nm kinit Fl -forwardable .
+.Pp
+.Nm telnet
+is able to forward ticket by itself.
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kinit 1 ,
+.Xr telnet 1 ,
+.Xr kfd 8
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/appl/kf/kf.c b/crypto/heimdal/appl/kf/kf.c
new file mode 100644
index 0000000..3288dae
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kf.c
@@ -0,0 +1,361 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kf_locl.h"
+RCSID("$Id: kf.c,v 1.15 2001/02/20 01:44:44 assar Exp $");
+
+krb5_context context;
+static int help_flag;
+static int version_flag;
+static char *port_str;
+const char *service     = SERVICE;
+const char *remote_name = NULL;
+int forwardable   = 0;
+const char *ccache_name = NULL;
+
+static struct getargs args[] = {
+    { "port", 'p', arg_string, &port_str, "port to connect to", "port" },
+    { "login", 'l',arg_string, &remote_name,"remote login name","login"},
+    { "ccache", 'c',arg_string, &ccache_name, "remote cred cache","ccache"},
+    { "forwardable",'F',arg_flag,&forwardable,
+       "Forward forwardable credentials", NULL },
+    { "forwardable",'G',arg_negative_flag,&forwardable,
+       "Don't forward forwardable credentials", NULL },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "hosts");
+    exit(code);
+}
+
+static int
+client_setup(krb5_context *context, int *argc, char **argv)
+{
+    int optind = 0;
+    int port = 0;
+    int status;
+
+    setprogname (argv[0]);
+ 
+    status = krb5_init_context (context);
+    if (status)
+	errx(1, "krb5_init_context failed: %d", status);
+ 
+    forwardable = krb5_config_get_bool (*context, NULL,
+					"libdefaults",
+					"forwardable",
+					NULL); 
+ 
+    if (getarg (args, num_args, *argc, argv, &optind))
+	usage(1, args, num_args);
+
+    if(help_flag)
+	usage (0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(port_str) {
+	struct servent *s = roken_getservbyname(port_str, "tcp");
+	if(s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (port == 0)
+	port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM);
+   
+    if(*argc - optind < 1)
+        usage(1, args, num_args);
+    *argc = optind;
+
+    return port;
+}
+
+/*
+ * forward creds to `hostname'/`service' over `sock'
+ * return 0 iff OK
+ */
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal server;
+    krb5_data data;
+    krb5_data packet;
+    krb5_data data_send;
+    u_int32_t len, net_len;
+
+    krb5_ccache     ccache;
+    krb5_creds      creds;
+    krb5_kdc_flags  flags;
+    krb5_principal  principal;
+    char	    ret_string[10];
+    ssize_t	    n;
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status) {
+	krb5_warn (context, status, "krb5_auth_con_init");
+	return 1;
+    }
+
+    status = krb5_auth_con_setaddrs_from_fd (context,
+					     auth_context,
+					     &sock);
+    if (status) {
+	krb5_warn (context, status, "krb5_auth_con_setaddr");
+	return 1;
+    }
+
+    status = krb5_sname_to_principal (context,
+				      hostname,
+				      service,
+				      KRB5_NT_SRV_HST,
+				      &server);
+    if (status) {
+	krb5_warn (context, status, "krb5_sname_to_principal");
+	return 1;
+    }
+
+    status = krb5_sendauth (context,
+			    &auth_context,
+			    &sock,
+			    VERSION,
+			    NULL,
+			    server,
+			    AP_OPTS_MUTUAL_REQUIRED,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL);
+    if (status) {
+	krb5_warn(context, status, "krb5_sendauth");
+	return 1;
+    }
+
+    if (remote_name == NULL) {
+	remote_name = get_default_username ();
+	if (remote_name == NULL)
+	    errx (1, "who are you?");
+    }
+
+    krb5_data_zero(&data_send);
+    data_send.data   = (void *)remote_name;
+    data_send.length = strlen(remote_name) + 1;
+    status = krb5_write_message(context, &sock, &data_send);
+    if (status) {
+	krb5_warn (context, status, "krb5_write_message");
+	return 1;
+    }
+  
+    if (ccache_name == NULL)
+	ccache_name = "";
+
+    data_send.data   = (void *)ccache_name;
+    data_send.length = strlen(ccache_name)+1;
+    status = krb5_write_message(context, &sock, &data_send);
+    if (status) {
+	krb5_warn (context, status, "krb5_write_message");
+	return 1;
+    }
+
+    memset (&creds, 0, sizeof(creds));
+
+    status = krb5_cc_default (context, &ccache);
+    if (status) {
+	krb5_warn (context, status, "krb5_cc_default");
+	return 1;
+    }
+
+    status = krb5_cc_get_principal (context, ccache, &principal);
+    if (status) {
+	krb5_warn (context, status, "krb5_cc_get_principal");
+	return 1;
+    }
+
+    creds.client = principal;
+    
+    status = krb5_build_principal (context,
+				   &creds.server,
+				   strlen(principal->realm),
+				   principal->realm,
+				   KRB5_TGS_NAME,
+				   principal->realm,
+				   NULL);
+
+    if (status) {
+	krb5_warn (context, status, "krb5_build_principal");
+	return 1;
+    }
+
+    creds.times.endtime = 0;
+
+    flags.i = 0;
+    flags.b.forwarded   = 1;
+    flags.b.forwardable = forwardable;
+
+    status = krb5_get_forwarded_creds (context,
+				       auth_context,
+				       ccache,
+				       flags.i,
+				       hostname,
+				       &creds,
+				       &data);
+    if (status) {
+	krb5_warn (context, status, "krb5_get_forwarded_creds");
+	return 1;
+    }
+
+    status = krb5_mk_priv (context,
+                           auth_context,
+                           &data,
+                           &packet,
+                           NULL);
+    if (status) {
+	krb5_warn (context, status, "krb5_mk_priv");
+	return 1;
+    }
+    
+    len = packet.length;
+    net_len = htonl(len);
+
+    if (krb5_net_write (context, &sock, &net_len, 4) != 4) {
+	krb5_warn (context, errno, "krb5_net_write");
+	return 1;
+    }
+    if (krb5_net_write (context, &sock, packet.data, len) != len) {
+	krb5_warn (context, errno, "krb5_net_write");
+	return 1;
+    }
+
+    krb5_data_free (&data);
+
+    n = krb5_net_read (context, &sock, &net_len, 4);
+    if (n == 0) {
+	krb5_warnx (context, "EOF in krb5_net_read");
+	return 1;
+    }
+    if (n < 0) {
+	krb5_warn (context, errno, "krb5_net_read");
+	return 1;
+    }
+    len = ntohl(net_len);
+    if (len >= sizeof(ret_string)) {
+	krb5_warnx (context, "too long string back from %s", hostname);
+	return 1;
+    }
+    n = krb5_net_read (context, &sock, ret_string, len);
+    if (n == 0) {
+	krb5_warnx (context, "EOF in krb5_net_read");
+	return 1;
+    }
+    if (n < 0) {
+	krb5_warn (context, errno, "krb5_net_read");
+	return 1;
+    }
+    ret_string[sizeof(ret_string) - 1] = '\0';
+
+    return(strcmp(ret_string,"ok"));
+}
+
+static int
+doit (const char *hostname, int port, const char *service)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error) {
+	errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error));
+    }
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	int s;
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+	    close (s);
+	    continue;
+	}
+	freeaddrinfo (ai);
+	return proto (s, hostname, service);
+    }
+    warnx ("failed to contact %s", hostname);
+    freeaddrinfo (ai);
+    return 1;
+}
+
+int
+main(int argc, char **argv)
+{
+    int argcc,port,i;
+    int ret=0;
+ 
+    argcc = argc;
+    port = client_setup(&context, &argcc, argv);
+
+    for (i = argcc;i < argc; i++) {
+	ret = doit (argv[i], port, service);
+	warnx ("%s %s", argv[i], ret ? "failed" : "ok");
+    }
+    return(ret);
+}
diff --git a/crypto/heimdal/appl/kf/kf.cat1 b/crypto/heimdal/appl/kf/kf.cat1
new file mode 100644
index 0000000..b87ed85
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kf.cat1
@@ -0,0 +1,46 @@
+
+KF(1)                        UNIX Reference Manual                       KF(1)
+
+NNAAMMEE
+     kkff - securly forward tickets
+
+SSYYNNOOPPSSIISS
+     kkff [--pp _p_o_r_t | ----ppoorrtt=_p_o_r_t] [--ll _l_o_g_i_n | ----llooggiinn=_l_o_g_i_n] [--cc _c_c_a_c_h_e |
+     ----ccccaacchhee=_c_c_a_c_h_e] [--FF | ----ffoorrwwaarrddaabbllee] [--GG | ----nnoo--ffoorrwwaarrddaabbllee] [--hh |
+     ----hheellpp] [----vveerrssiioonn] _h_o_s_t _._._.
+
+DDEESSCCRRIIPPTTIIOONN
+     The kkff program forwards tickets to a remove host through an authenticated
+     and encrypted stream.  Options supported are:
+
+     --pp _p_o_r_t, ----ppoorrtt=_p_o_r_t
+             port to connect to
+
+     --ll _l_o_g_i_n, ----llooggiinn=_l_o_g_i_n
+             remote login name
+
+     --cc _c_c_a_c_h_e, ----ccccaacchhee=_c_c_a_c_h_e
+             remote cred cache
+
+     --FF, ----ffoorrwwaarrddaabbllee
+             forward forwardable credentials
+
+     --GG, ----nnoo--ffoorrwwaarrddaabbllee
+             do not forward forwardable credentials
+
+     --hh, ----hheellpp
+
+     ----vveerrssiioonn
+
+     kkff is useful when you do not want to enter your password on a remote host
+     but want to have your tickets one for example afs.
+
+     In order for kkff to work you will need to acquire your initial ticket with
+     forwardable flag, ie kkiinniitt ----ffoorrwwaarrddaabbllee.
+
+     tteellnneett is able to forward ticket by itself.
+
+SSEEEE AALLSSOO
+     kinit(1),  telnet(1),  kfd(8)
+
+ Heimdal                         July 2, 2000                                1
diff --git a/crypto/heimdal/appl/kf/kf_locl.h b/crypto/heimdal/appl/kf/kf_locl.h
new file mode 100644
index 0000000..29f5941
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kf_locl.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kf_locl.h,v 1.2 1999/12/02 17:04:55 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include <errno.h>
+#include <roken.h>
+#include <getarg.h>
+#include <err.h>
+#include <krb5.h>
+
+#define SERVICE "host"
+
+#define PORT "kf"
+#define PORT_NUM 2110
diff --git a/crypto/heimdal/appl/kf/kfd.8 b/crypto/heimdal/appl/kf/kfd.8
new file mode 100644
index 0000000..c678c8d
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kfd.8
@@ -0,0 +1,57 @@
+.\" Things to fix:
+.\"   * correct section, and operating system
+.\"   * remove Op from mandatory flags
+.\"   * use better macros for arguments (like .Pa for files)
+.\"
+.Dd July  2, 2000
+.Dt KFD 8
+.Os Heimdal
+.Sh NAME
+.Nm kfd
+.Nd receive forwarded tickets
+.Sh SYNOPSIS
+.Nm
+.Oo
+.Fl p Ar port |
+.Fl -port Ns = Ns Ar port
+.Oc
+.Op Fl i | -inetd
+.Oo
+.Fl R Ar regpag |
+.Fl -regpag Ns = Ns Ar regpag
+.Oc
+.Op Fl h | -help
+.Op Fl -version
+.Sh DESCRIPTION
+This is the daemon for
+.Xr kf 1 .
+Supported options:
+.Bl -tag -width indent
+.It Xo
+.Fl p Ar port ,
+.Fl -port Ns = Ns Ar port
+.Xc
+port to listen to
+.It Fl i , -inetd
+not started from inetd
+.It Xo
+.Fl R Ar regpag Ns ,
+.Fl -regpag= Ns Ar regpag
+.Xc
+path to regpag binary
+.El
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.Sh EXAMPLES
+Put the following in
+.Pa /etc/inetd.conf :
+.Bd -literal
+kf	stream	tcp	nowait	root	/usr/heimdal/libexec/kfd	kfd
+.Ed
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kf 1
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/appl/kf/kfd.c b/crypto/heimdal/appl/kf/kfd.c
new file mode 100644
index 0000000..6dc2666
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kfd.c
@@ -0,0 +1,326 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kf_locl.h"
+RCSID("$Id: kfd.c,v 1.9 2001/02/20 01:44:44 assar Exp $");
+
+krb5_context context;
+char krb5_tkfile[MAXPATHLEN];
+
+static int help_flag;
+static int version_flag;
+static char *port_str;
+char *service = SERVICE;
+int do_inetd = 0;
+static char *regpag_str=NULL;
+
+static struct getargs args[] = {
+    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
+    { "inetd",'i',arg_flag, &do_inetd,
+       "Not started from inetd", NULL },
+    { "regpag",'R',arg_string,&regpag_str,"path to regpag binary","regpag"},
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit(code);
+}
+
+static int
+server_setup(krb5_context *context, int argc, char **argv)
+{
+    int port = 0;
+    int local_argc;
+
+    local_argc = krb5_program_setup(context, argc, argv, args, num_args, usage);
+
+    if(help_flag)
+	(*usage)(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(port_str){
+	struct servent *s = roken_getservbyname(port_str, "tcp");
+	if(s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (port == 0)
+	port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM);
+
+    if(argv[local_argc] != NULL)
+        usage(1, args, num_args);
+    
+    return port;
+}
+
+static void
+syslog_and_die (const char *m, ...)
+{
+    va_list args;
+
+    va_start(args, m);
+    vsyslog (LOG_ERR, m, args);
+    va_end(args);
+    exit (1);
+}
+
+static void
+syslog_and_cont (const char *m, ...)
+{
+    va_list args;
+
+    va_start(args, m);
+    vsyslog (LOG_ERR, m, args);
+    va_end(args);
+    return; 
+}
+
+static int
+proto (int sock, const char *service)
+{
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal server;
+    krb5_ticket *ticket;
+    char *name;
+    char ret_string[10];
+    char hostname[MAXHOSTNAMELEN];
+    krb5_data packet;
+    krb5_data data;
+    krb5_data remotename;
+    krb5_data tk_file;
+
+    u_int32_t len, net_len;
+    krb5_ccache ccache;
+    char ccname[MAXPATHLEN];
+    struct passwd *pwd;
+    ssize_t n;
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	syslog_and_die("krb5_auth_con_init: %s",
+	      krb5_get_err_text(context, status));
+
+    status = krb5_auth_con_setaddrs_from_fd (context,
+					     auth_context,
+					     &sock);
+    if (status)
+	syslog_and_die("krb5_auth_con_setaddr: %s",
+	      krb5_get_err_text(context, status));
+
+    if(gethostname (hostname, sizeof(hostname)) < 0)
+	syslog_and_die("gethostname: %s",strerror(errno));
+
+    status = krb5_sname_to_principal (context,
+				      hostname,
+				      service,
+				      KRB5_NT_SRV_HST,
+				      &server);
+    if (status)
+	syslog_and_die("krb5_sname_to_principal: %s",
+	      krb5_get_err_text(context, status));
+
+    status = krb5_recvauth (context,
+			    &auth_context,
+			    &sock,
+			    VERSION,
+			    server,
+			    0,
+			    NULL,
+			    &ticket);
+    if (status)
+	syslog_and_die("krb5_recvauth: %s",
+	      krb5_get_err_text(context, status));
+
+    status = krb5_unparse_name (context,
+				ticket->client,
+				&name);
+    if (status)
+	syslog_and_die("krb5_unparse_name: %s",
+	      krb5_get_err_text(context, status));
+
+    status=krb5_read_message (context, &sock, &remotename);
+    if (status) {
+	syslog_and_die("krb5_read_message: %s",
+		       krb5_get_err_text(context, status));
+    }
+    status=krb5_read_message (context, &sock, &tk_file);
+    if (status) {
+	syslog_and_die("krb5_read_message: %s",
+		       krb5_get_err_text(context, status));
+    }
+
+    krb5_data_zero (&data);
+    krb5_data_zero (&packet);
+
+    n = krb5_net_read (context, &sock, &net_len, 4);
+    if (n < 0)
+        syslog_and_die("krb5_net_read: %s", strerror(errno));
+    if (n == 0)
+        syslog_and_die("EOF in krb5_net_read");
+
+    len = ntohl(net_len);
+    krb5_data_alloc (&packet, len);
+    n = krb5_net_read (context, &sock, packet.data, len);
+    if (n < 0)
+        syslog_and_die("krb5_net_read: %s", strerror(errno));
+    if (n == 0)
+        syslog_and_die("EOF in krb5_net_read");
+
+    status = krb5_rd_priv (context,
+                           auth_context,
+                           &packet,
+                           &data,
+                           NULL);
+    if (status) {
+	syslog_and_cont("krb5_rd_priv: %s",
+			krb5_get_err_text(context, status));
+	goto out;
+    }
+
+    pwd = getpwnam ((char *)(remotename.data));
+    if (pwd == NULL) {
+	status=1;
+	syslog_and_cont("getpwnam: %s failed",(char *)(remotename.data));
+	goto out;
+    }
+
+    if(!krb5_kuserok (context,
+                     ticket->client,
+                     (char *)(remotename.data))) {
+	status=1;
+	syslog_and_cont("krb5_kuserok: permission denied");
+	goto out;
+    }
+
+    if (setgid(pwd->pw_gid) < 0) {
+	syslog_and_cont ("setgid: %s", strerror(errno));
+	goto out;
+    }
+    if (setuid(pwd->pw_uid) < 0) {
+	syslog_and_cont ("setuid: %s", strerror(errno));
+	goto out;
+    }
+
+    if (tk_file.length != 1)
+	snprintf (ccname, sizeof(ccname), "%s", (char *)(tk_file.data));
+    else
+	snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%u",pwd->pw_uid);
+
+    status = krb5_cc_resolve (context, ccname, &ccache);
+    if (status) {
+	syslog_and_cont("krb5_cc_resolve: %s",
+			krb5_get_err_text(context, status));
+        goto out;
+    }
+    status = krb5_cc_initialize (context, ccache, ticket->client);
+    if (status) {
+	syslog_and_cont("krb5_cc_initialize: %s",
+			krb5_get_err_text(context, status));
+        goto out;
+    }
+    status = krb5_rd_cred2 (context, auth_context, ccache, &data);
+    krb5_cc_close (context, ccache);
+    if (status) {
+	syslog_and_cont("krb5_rd_cred: %s",
+			krb5_get_err_text(context, status));
+        goto out;
+
+    }
+    strlcpy(krb5_tkfile,ccname,sizeof(krb5_tkfile));
+    syslog_and_cont("%s forwarded ticket to %s,%s",
+		    name,
+		    (char *)(remotename.data),ccname);
+out:
+    if (status) {
+	strcpy(ret_string, "no");
+	syslog_and_cont("failed");
+    } else  {
+	strcpy(ret_string, "ok");
+    }
+
+    krb5_data_free (&tk_file);
+    krb5_data_free (&remotename);
+    krb5_data_free (&packet);
+    krb5_data_free (&data);
+    free(name);
+
+    len = strlen(ret_string) + 1;
+    net_len = htonl(len);
+    if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+         return 1;
+    if (krb5_net_write (context, &sock, ret_string, len) != len)
+         return 1;
+    return status;
+}
+
+static int
+doit (int port, const char *service)
+{
+    if (do_inetd)
+	mini_inetd(port);
+    return proto (STDIN_FILENO, service);
+}
+
+int
+main(int argc, char **argv)
+{
+    int port;
+    int ret;
+
+    setprogname (argv[0]);
+    roken_openlog (argv[0], LOG_ODELAY | LOG_PID,LOG_AUTH);
+    port = server_setup(&context, argc, argv);
+    ret = doit (port, service);
+    closelog();
+    if (ret == 0 && regpag_str != NULL)
+        ret = execl(regpag_str, "regpag", "-t", krb5_tkfile, "-r", NULL);
+    return ret;
+}
diff --git a/crypto/heimdal/appl/kf/kfd.cat8 b/crypto/heimdal/appl/kf/kfd.cat8
new file mode 100644
index 0000000..396ffdc
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kfd.cat8
@@ -0,0 +1,31 @@
+
+KFD(8)                   UNIX System Manager's Manual                   KFD(8)
+
+NNAAMMEE
+     kkffdd - receive forwarded tickets
+
+SSYYNNOOPPSSIISS
+     kkffdd [--pp _p_o_r_t | ----ppoorrtt=_p_o_r_t] [--ii | ----iinneettdd] [--RR _r_e_g_p_a_g | ----rreeggppaagg=_r_e_g_p_a_g]
+     [--hh | ----hheellpp] [----vveerrssiioonn]
+
+DDEESSCCRRIIPPTTIIOONN
+     This is the daemon for kf(1).  Supported options:
+
+     --pp _p_o_r_t, ----ppoorrtt=_p_o_r_t
+             port to listen to
+
+     --ii, ----iinneettdd
+             not started from inetd
+
+     --RR _r_e_g_p_a_g, ----rreeggppaagg==_r_e_g_p_a_g
+             path to regpag binary
+
+EEXXAAMMPPLLEESS
+     Put the following in _/_e_t_c_/_i_n_e_t_d_._c_o_n_f:
+
+     kf      stream  tcp     nowait  root    /usr/heimdal/libexec/kfd        kfd
+
+SSEEEE AALLSSOO
+     kf(1)
+
+ Heimdal                         July 2, 2000                                1
diff --git a/crypto/heimdal/appl/kx/ChangeLog b/crypto/heimdal/appl/kx/ChangeLog
new file mode 100644
index 0000000..3050e2e
--- /dev/null
+++ b/crypto/heimdal/appl/kx/ChangeLog
@@ -0,0 +1,317 @@
+2001-01-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* common.c: don't write to string constants
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* krb5.c (krb5_make_context): handle krb5_init_context failure
+	consistently
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (doit_passive): check that fds are not too large to select
+	on
+	* kx.c (doit_active): check that fds are not too large to select
+	on
+	* krb5.c (krb5_copy_encrypted): check that fds are not too large
+	to select on
+	* krb4.c (krb4_copy_encrypted): check that fds are not too large
+	to select on
+
+2000-06-10  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: use INSTALL_SCRIPT for installing rxterm, rxtelnet,
+	tenletxr
+
+2000-04-19  Assar Westerlund  <assar@sics.se>
+
+	* common.c: try hostname uncanonified if getaddrinfo() fails
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* kx.h: remove old prorotypes
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* common.c (match_local_auth): handle ai_canonname being set in
+	any of the addresses returnedby getaddrinfo.  glibc apparently
+	returns the reverse lookup of every address in ai_canonname.
+
+1999-12-28  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (main): call krb5_getportbyname with the default in
+ 	host-byte-order
+
+1999-12-17  Assar Westerlund  <assar@sics.se>
+
+	* common.c (match_local_auth): remove extra brace.  spotted by
+ 	Jakob Schlyter <jakob@cdg.chalmers.se>
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* common.c (match_local_auth): handle ai_canonname not being set
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* krb4.c (krb4_authenticate): the NAT address might not be the one
+	for the relevant realm, try anyway.
+	* kxd.c (recv_conn): type correctness
+	* kx.c (connect_host): typo
+
+1999-12-05  Assar Westerlund  <assar@sics.se>
+
+	* common.c (INADDR_LOOPBACK): remove.  now in roken.
+
+	* kxd.c (recv_conn): use getnameinfo_verified
+	* kxd.c (recv_conn): replace inaddr2str with getnameinfo
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* kx.c (connect_host): use getaddrinfo
+	* common.c (find_auth_cookie, match_local_auth): re-write to use
+	getaddrinfo
+
+1999-11-27  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (recv_conn): better errors when getting unrecognized data
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* krb4.c (krb4_authenticate): obtain the `local' address when
+	doing NAT.  also turn on passive mode.  From <thn@stacken.kth.se>
+	
+1999-11-18  Assar Westerlund  <assar@sics.se>
+
+	* krb5.c (krb5_destroy): free the correct part of the context
+	
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* kx.c (main): redo the v4/v5 selection for consistency.  -4 ->
+ 	try only v4 -5 -> try only v5 none, -45 -> try v5, v4
+
+1999-10-10  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (CLEANFILES): add generated files so that they get
+ 	cleaned away
+
+1999-09-29  Assar Westerlund  <assar@sics.se>
+
+	* common.c (match_local_auth): only look for FamilyLocal (and
+ 	FamilyWild) cookies.  This will not work when we start talking tcp
+ 	to the local X-server but `connect_local_xsocket' and the rest of
+ 	the code doesn't handle it anyway and the old code could (and did)
+ 	pick up the wrong cookie sometimes.  If we have to match
+ 	FamilyInternet cookies, the search order has to be changed anyway
+
+1999-09-02  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (childhandler): watch for child `wait_on_pid' to die.
+	(recv_conn): set `wait_on_pid' instead of looping on waitpid here
+	also.  This should solve the problem of kxd looping which was
+ 	caused by the signal handler getting invoked before this waitpid
+ 	and reaping the child leaving this poor loop without any child
+
+1999-08-19  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (recv_conn): give better error message
+	(doit_active): don't die if fork gives EAGAIN
+
+1999-08-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kxd.c (recv_conn): call setjob on crays;
+	(doit_passive): if fork fails with EAGAIN, don't shutdown, just close
+	the connection re-implement `-t' flag
+
+1999-07-12  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: handle not building X programs
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* kx.c: conditionalize krb_enable_debug
+
+1999-06-20  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (main): hopefully do inetd confusion right
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* krb4.c (krb4_authenticate): get rid of a warning
+
+	* kx.h: const-pollution
+
+	* kx.c: use get_default_username and resulting const pollution
+
+	* context.c (context_set): const pollution
+
+1999-05-22  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (recv_conn): fix syslog messages
+	(main): fix inetd_flag thinko
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* kx.c (main): don't byte-swap the argument to krb5_getportbyname
+
+	* kx.c (main): try to use $USERNAME
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES*): update sources list
+	
+	* kx.c (main): forgot to conditionalize some KRB5 code
+	
+	* kxd.c (main): use getarg
+	(*): handle v4 and/or v5
+
+	* kx.h: update
+	
+	* kx.c (main): use getarg.
+	(*): handle v4 and/or v5
+
+	* common.c (do_enccopy, copy_encrypted): remove use
+	net_{read,write} instead of krb_net_{read,write}
+	(krb_get_int, krb_put_int): include fallback of these for when we
+	compile without krb4
+	
+	* Makefile.am (*_SOURCES): remove encdata, add krb[45].c,
+	context.c
+	(LDADD): add krb5
+
+	* krb4.c, krb5.c, context.c: new files
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (doit_passive): handle error code from
+ 	create_and_write_cookie
+
+	* kx.c (doit_active): handle error code from
+ 	create_and_write_cookie
+
+	* common.c (create_and_write_cookie): try to return better (and
+ 	correct) errors.  Based on a patch from Love <lha@e.kth.se>
+
+	* common.c (try_pie): more braces
+	(match_local_auth): new function
+	(find_auth_cookie): new function
+	(replace_cookie): don't just take the first auth cookie.  based on
+	patch from Ake Sandgren <ake@@cs.umu.se>
+
+Wed Apr  7 23:39:23 1999  Assar Westerlund  <assar@sics.se>
+	
+	* common.c (get_xsockets): init local variable to get rid of a gcc
+ 	warning
+
+Thu Apr  1 21:11:36 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.in: fix for writeauth.o
+
+Fri Mar 19 15:12:31 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kx.c: add gcc-braces
+
+Thu Mar 18 11:18:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Thu Mar 11 14:58:32 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* writeauth.c: protoize
+
+	* common.c: fix some warnings
+
+Wed Mar 10 19:33:39 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kxd.c: openlog -> roken_openlog
+
+Wed Feb  3 22:01:55 1999  Assar Westerlund  <assar@sics.se>
+
+	* rxtelnet.in: print out what telnet program we are running.  From
+ 	<nissej@pdc.kth.se>
+
+	* tenletxr.in: add --version, [-h | --help], -v
+
+	* rxterm.in: add --version, [-h | --help], -v
+
+	* rxtelnet.in: add --version, [-h | --help], -v
+
+	* Makefile.in (rxterm, rxtelnet, telnetxr): substitute VERSION and
+ 	PACKAGE
+
+	* rxtelnet.in: update usage string
+
+Fri Jan 22 23:51:05 1999  Assar Westerlund  <assar@sics.se>
+
+	* common.c (verify_and_remove_cookies): give back a meaningful
+ 	error message if we're using the wrong cookie
+
+Fri Dec 18 17:42:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* common.c (replace_cookie): try to handle the case of not finding
+ 	any cookies
+
+Sun Nov 22 10:31:53 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Wed Nov 18 20:25:37 1998  Assar Westerlund  <assar@sics.se>
+
+	* rxtelnet.in: new argument -n for not starting any terminal
+ 	emulator
+
+	* kx.c (doit_passive): parse $DISPLAY correctly
+
+Fri Oct  2 06:34:51 1998  Assar Westerlund  <assar@sics.se>
+
+	* kx.c (doit_active): check DISPLAY to figure out what local
+ 	socket to connect to.  From Åke Sandgren <ake@cs.umu.se>
+
+Thu Oct  1 23:02:29 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kx.h: case MAY_HAVE_X11_PIPES with Solaris
+
+Tue Sep 29 02:22:44 1998  Assar Westerlund  <assar@sics.se>
+
+	* kx.c: fix from Ake Sandgren <ake@cs.umu.se>
+
+Mon Sep 28 18:04:03 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* common.c (try_pipe): return -1 if I_PUSH fails with ENOSYS
+
+Sat Sep 26 17:34:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c: create sockets before setuid to handle Solaris' strange
+ 	permissions on /tmp/.X11-{unix,pipe}
+
+	* common.c (chown_xsockets): new function
+
+	* kx.h (chown_xsockets): new prototype
+
+Sun Aug 16 18:34:30 1998  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (doit_passive): conditionalize stream pipe code
+
+	* implement support for Solaris's named-pipe X transport
+
+Thu May 28 17:20:39 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* common.c: fix for (compiler?) bug in solaris 2.4 bind
+
+	* kx.c: get_xsockets returns int, not unsigned
+
+Wed May 27 04:20:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (doit): better error reporting
+
+Tue May 26 17:41:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kx.c: use krb_enable_debug
+
+Mon May 25 05:22:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): remove encdata.c
+
+Fri May  1 07:16:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* kx.c: unifdef -DHAVE_H_ERRNO
+
diff --git a/crypto/heimdal/appl/kx/Makefile.am b/crypto/heimdal/appl/kx/Makefile.am
new file mode 100644
index 0000000..ec3f249
--- /dev/null
+++ b/crypto/heimdal/appl/kx/Makefile.am
@@ -0,0 +1,73 @@
+# $Id: Makefile.am,v 1.12 2000/11/15 22:51:08 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) $(X_CFLAGS)
+
+WFLAGS += $(WFLAGS_NOIMPLICITINT)
+
+if HAVE_X
+
+bin_PROGRAMS = kx
+bin_SCRIPTS = rxterm rxtelnet tenletxr
+libexec_PROGRAMS = kxd
+
+else
+
+bin_PROGRAMS = 
+bin_SCRIPTS = 
+libexec_PROGRAMS = 
+
+endif
+
+CLEANFILES = rxterm rxtelnet tenletxr
+
+if NEED_WRITEAUTH
+XauWriteAuth_c = writeauth.c
+endif
+
+kx_SOURCES = \
+	kx.c \
+	kx.h \
+	common.c \
+	context.c \
+	krb4.c \
+	krb5.c \
+	$(XauWriteAuth_c)
+
+EXTRA_kx_SOURCES = writeauth.c
+
+kxd_SOURCES = \
+	kxd.c \
+	kx.h \
+	common.c \
+	context.c \
+	krb4.c \
+	krb5.c \
+	$(XauWriteAuth_c)
+
+EXTRA_kxd_SOURCES = writeauth.c
+
+EXTRA_DIST = rxterm.in rxtelnet.in tenletxr.in
+
+man_MANS = kx.1 rxtelnet.1 rxterm.1 tenletxr.1 kxd.8
+
+rxterm: rxterm.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxterm.in > $@
+	chmod +x $@
+
+rxtelnet: rxtelnet.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxtelnet.in > $@
+	chmod +x $@
+
+tenletxr: tenletxr.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/tenletxr.in > $@
+	chmod +x $@
+
+LDADD = \
+	$(LIB_kafs)				\
+	$(LIB_krb5) \
+	$(LIB_krb4)				\
+	$(LIB_des)	\
+	$(LIB_roken)				\
+	$(X_LIBS) $(LIB_XauReadAuth) $(X_PRE_LIBS) $(X_EXTRA_LIBS)
diff --git a/crypto/heimdal/appl/kx/Makefile.in b/crypto/heimdal/appl/kx/Makefile.in
new file mode 100644
index 0000000..9d327ec
--- /dev/null
+++ b/crypto/heimdal/appl/kx/Makefile.in
@@ -0,0 +1,801 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.12 2000/11/15 22:51:08 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(X_CFLAGS)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT)
+
+@HAVE_X_TRUE@bin_PROGRAMS = @HAVE_X_TRUE@kx
+@HAVE_X_FALSE@bin_PROGRAMS = 
+@HAVE_X_TRUE@bin_SCRIPTS = @HAVE_X_TRUE@rxterm rxtelnet tenletxr
+@HAVE_X_FALSE@bin_SCRIPTS = 
+@HAVE_X_TRUE@libexec_PROGRAMS = @HAVE_X_TRUE@kxd
+@HAVE_X_FALSE@libexec_PROGRAMS = 
+
+CLEANFILES = rxterm rxtelnet tenletxr
+
+@NEED_WRITEAUTH_TRUE@XauWriteAuth_c = @NEED_WRITEAUTH_TRUE@writeauth.c
+
+kx_SOURCES = \
+	kx.c \
+	kx.h \
+	common.c \
+	context.c \
+	krb4.c \
+	krb5.c \
+	$(XauWriteAuth_c)
+
+
+EXTRA_kx_SOURCES = writeauth.c
+
+kxd_SOURCES = \
+	kxd.c \
+	kx.h \
+	common.c \
+	context.c \
+	krb4.c \
+	krb5.c \
+	$(XauWriteAuth_c)
+
+
+EXTRA_kxd_SOURCES = writeauth.c
+
+EXTRA_DIST = rxterm.in rxtelnet.in tenletxr.in
+
+man_MANS = kx.1 rxtelnet.1 rxterm.1 tenletxr.1 kxd.8
+
+LDADD = \
+	$(LIB_kafs)				\
+	$(LIB_krb5) \
+	$(LIB_krb4)				\
+	$(LIB_des)	\
+	$(LIB_roken)				\
+	$(X_LIBS) $(LIB_XauReadAuth) $(X_PRE_LIBS) $(X_EXTRA_LIBS)
+
+subdir = appl/kx
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+@HAVE_X_FALSE@bin_PROGRAMS = 
+@HAVE_X_FALSE@libexec_PROGRAMS = 
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+@NEED_WRITEAUTH_FALSE@am_kx_OBJECTS =  kx.$(OBJEXT) common.$(OBJEXT) \
+@NEED_WRITEAUTH_FALSE@context.$(OBJEXT) krb4.$(OBJEXT) krb5.$(OBJEXT)
+@NEED_WRITEAUTH_TRUE@am_kx_OBJECTS =  kx.$(OBJEXT) common.$(OBJEXT) \
+@NEED_WRITEAUTH_TRUE@context.$(OBJEXT) krb4.$(OBJEXT) krb5.$(OBJEXT) \
+@NEED_WRITEAUTH_TRUE@writeauth.$(OBJEXT)
+kx_OBJECTS =  $(am_kx_OBJECTS)
+kx_LDADD = $(LDADD)
+@KRB4_FALSE@@KRB5_FALSE@kx_DEPENDENCIES = 
+@KRB4_FALSE@@KRB5_TRUE@kx_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@@KRB5_FALSE@kx_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@KRB4_TRUE@@KRB5_TRUE@kx_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+kx_LDFLAGS = 
+@NEED_WRITEAUTH_FALSE@am_kxd_OBJECTS =  kxd.$(OBJEXT) common.$(OBJEXT) \
+@NEED_WRITEAUTH_FALSE@context.$(OBJEXT) krb4.$(OBJEXT) krb5.$(OBJEXT)
+@NEED_WRITEAUTH_TRUE@am_kxd_OBJECTS =  kxd.$(OBJEXT) common.$(OBJEXT) \
+@NEED_WRITEAUTH_TRUE@context.$(OBJEXT) krb4.$(OBJEXT) krb5.$(OBJEXT) \
+@NEED_WRITEAUTH_TRUE@writeauth.$(OBJEXT)
+kxd_OBJECTS =  $(am_kxd_OBJECTS)
+kxd_LDADD = $(LDADD)
+@KRB4_FALSE@@KRB5_FALSE@kxd_DEPENDENCIES = 
+@KRB4_FALSE@@KRB5_TRUE@kxd_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@@KRB5_FALSE@kxd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@KRB4_TRUE@@KRB5_TRUE@kxd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+kxd_LDFLAGS = 
+SCRIPTS =  $(bin_SCRIPTS)
+
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(kx_SOURCES) $(EXTRA_kx_SOURCES) $(kxd_SOURCES) \
+$(EXTRA_kxd_SOURCES)
+man1dir = $(mandir)/man1
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(kx_SOURCES) $(EXTRA_kx_SOURCES) $(kxd_SOURCES) $(EXTRA_kxd_SOURCES)
+OBJECTS = $(am_kx_OBJECTS) $(am_kxd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/kx/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+kx$(EXEEXT): $(kx_OBJECTS) $(kx_DEPENDENCIES)
+	@rm -f kx$(EXEEXT)
+	$(LINK) $(kx_LDFLAGS) $(kx_OBJECTS) $(kx_LDADD) $(LIBS)
+
+kxd$(EXEEXT): $(kxd_OBJECTS) $(kxd_DEPENDENCIES)
+	@rm -f kxd$(EXEEXT)
+	$(LINK) $(kxd_LDFLAGS) $(kxd_OBJECTS) $(kxd_LDADD) $(LIBS)
+
+install-binSCRIPTS: $(bin_SCRIPTS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  if test -f $$p; then \
+	    echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f; \
+	  elif test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binSCRIPTS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1 install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1 uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \
+		install-binSCRIPTS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+		uninstall-binSCRIPTS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 \
+		$(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool uninstall-binSCRIPTS install-binSCRIPTS \
+install-man1 uninstall-man1 install-man8 uninstall-man8 install-man \
+uninstall-man tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+rxterm: rxterm.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxterm.in > $@
+	chmod +x $@
+
+rxtelnet: rxtelnet.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxtelnet.in > $@
+	chmod +x $@
+
+tenletxr: tenletxr.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/tenletxr.in > $@
+	chmod +x $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/kx/common.c b/crypto/heimdal/appl/kx/common.c
new file mode 100644
index 0000000..0d23169
--- /dev/null
+++ b/crypto/heimdal/appl/kx/common.c
@@ -0,0 +1,794 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: common.c,v 1.62 2001/02/15 04:20:51 assar Exp $");
+
+char x_socket[MaxPathLen];
+
+u_int32_t display_num;
+char display[MaxPathLen];
+int display_size = sizeof(display);
+char xauthfile[MaxPathLen];
+int xauthfile_size = sizeof(xauthfile);
+u_char cookie[16];
+size_t cookie_len = sizeof(cookie);
+
+#ifndef X_UNIX_PATH
+#define X_UNIX_PATH "/tmp/.X11-unix/X"
+#endif
+
+#ifndef X_PIPE_PATH
+#define X_PIPE_PATH "/tmp/.X11-pipe/X"
+#endif
+
+/*
+ * Allocate a unix domain socket in `s' for display `dpy' and with
+ * filename `pattern'
+ *
+ * 0 if all is OK
+ * -1 if bind failed badly
+ * 1 if dpy is already used */
+
+static int
+try_socket (struct x_socket *s, int dpy, const char *pattern)
+{
+    struct sockaddr_un addr;
+    int fd;
+
+    fd = socket (AF_UNIX, SOCK_STREAM, 0);
+    if (fd < 0)
+	err (1, "socket AF_UNIX");
+    memset (&addr, 0, sizeof(addr));
+    addr.sun_family = AF_UNIX;
+    snprintf (addr.sun_path, sizeof(addr.sun_path), pattern, dpy);
+    if(bind(fd,
+	    (struct sockaddr *)&addr,
+	    sizeof(addr)) < 0) {
+	close (fd);
+	if (errno == EADDRINUSE ||
+	    errno == EACCES  /* Cray return EACCESS */
+#ifdef ENOTUNIQ
+	    || errno == ENOTUNIQ /* bug in Solaris 2.4 */
+#endif
+	    )
+	    return 1;
+	else
+	    return -1;
+    }
+    s->fd = fd;
+    s->pathname = strdup (addr.sun_path);
+    if (s->pathname == NULL)
+	errx (1, "strdup: out of memory");
+    s->flags = UNIX_SOCKET;
+    return 0;
+}
+
+#ifdef MAY_HAVE_X11_PIPES
+/*
+ * Allocate a stream (masqueraded as a named pipe)
+ *
+ * 0 if all is OK
+ * -1 if bind failed badly
+ * 1 if dpy is already used
+ */
+
+static int
+try_pipe (struct x_socket *s, int dpy, const char *pattern)
+{
+    char path[MAXPATHLEN];
+    int ret;
+    int fd;
+    int pipefd[2];
+    
+    snprintf (path, sizeof(path), pattern, dpy);
+    fd = open (path, O_WRONLY | O_CREAT | O_EXCL, 0600);
+    if (fd < 0) {
+	if (errno == EEXIST)
+	    return 1;
+	else
+	    return -1;
+    }
+
+    close (fd);
+
+    ret = pipe (pipefd);
+    if (ret < 0)
+	err (1, "pipe");
+
+    ret = ioctl (pipefd[1], I_PUSH, "connld");
+    if (ret < 0) {
+	if(errno == ENOSYS)
+	    return -1;
+	err (1, "ioctl I_PUSH");
+    }
+
+    ret = fattach (pipefd[1], path);
+    if (ret < 0)
+	err (1, "fattach %s", path);
+
+    s->fd  = pipefd[0];
+    close (pipefd[1]);
+    s->pathname = strdup (path);
+    if (s->pathname == NULL)
+	errx (1, "strdup: out of memory");
+    s->flags = STREAM_PIPE;
+    return 0;
+}
+#endif /* MAY_HAVE_X11_PIPES */
+
+/*
+ * Try to create a TCP socket in `s' corresponding to display `dpy'.
+ *
+ * 0 if all is OK
+ * -1 if bind failed badly
+ * 1 if dpy is already used
+ */
+
+static int
+try_tcp (struct x_socket *s, int dpy)
+{
+    struct sockaddr_in tcpaddr;
+    struct in_addr local;
+    int one = 1;
+    int fd;
+
+    memset(&local, 0, sizeof(local));
+    local.s_addr = htonl(INADDR_LOOPBACK);
+
+    fd = socket (AF_INET, SOCK_STREAM, 0);
+    if (fd < 0)
+	err (1, "socket AF_INET");
+#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
+    setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&one,
+		sizeof(one));
+#endif
+    memset (&tcpaddr, 0, sizeof(tcpaddr));
+    tcpaddr.sin_family = AF_INET;
+    tcpaddr.sin_addr = local;
+    tcpaddr.sin_port = htons(6000 + dpy);
+    if (bind (fd, (struct sockaddr *)&tcpaddr,
+	      sizeof(tcpaddr)) < 0) {
+	close (fd);
+	if (errno == EADDRINUSE)
+	    return 1;
+	else
+	    return -1;
+    }
+    s->fd = fd;
+    s->pathname = NULL;
+    s->flags = TCP;
+    return 0;
+}
+
+/*
+ * The potential places to create unix sockets.
+ */
+
+static char *x_sockets[] = {
+X_UNIX_PATH "%u",
+"/var/X/.X11-unix/X" "%u",
+"/usr/spool/sockets/X11/" "%u",
+NULL
+};
+
+/*
+ * Dito for stream pipes.
+ */
+
+#ifdef MAY_HAVE_X11_PIPES
+static char *x_pipes[] = {
+X_PIPE_PATH "%u",
+"/var/X/.X11-pipe/X" "%u",
+NULL
+};
+#endif
+
+/*
+ * Create the directory corresponding to dirname of `path' or fail.
+ */
+
+static void
+try_mkdir (const char *path)
+{
+    char *dir;
+    char *p;
+    int oldmask;
+
+    if((dir = strdup (path)) == NULL)
+	errx (1, "strdup: out of memory");
+    p = strrchr (dir, '/');
+    if (p)
+	*p = '\0';
+
+    oldmask = umask(0);
+    mkdir (dir, 01777);
+    umask (oldmask);
+    free (dir);
+}
+
+/*
+ * Allocate a display, returning the number of sockets in `number' and
+ * all the corresponding sockets in `sockets'.  If `tcp_socket' is
+ * true, also allcoaet a TCP socket.
+ *
+ * The return value is the display allocated or -1 if an error occurred.
+ */
+
+int
+get_xsockets (int *number, struct x_socket **sockets, int tcp_socket)
+{
+     int dpy;
+     struct x_socket *s;
+     int n;
+     int i;
+
+     s = malloc (sizeof(*s) * 5);
+     if (s == NULL)
+	 errx (1, "malloc: out of memory");
+
+     try_mkdir (X_UNIX_PATH);
+     try_mkdir (X_PIPE_PATH);
+
+     for(dpy = 4; dpy < 256; ++dpy) {
+	 char **path;
+	 int tmp = 0;
+
+	 n = 0;
+	 for (path = x_sockets; *path; ++path) {
+	     tmp = try_socket (&s[n], dpy, *path);
+	     if (tmp == -1) {
+		 if (errno != ENOTDIR && errno != ENOENT)
+		     return -1;
+	     } else if (tmp == 1) {
+		 while(--n >= 0) {
+		     close (s[n].fd);
+		     free (s[n].pathname);
+		 }
+		 break;
+	     } else if (tmp == 0)
+		 ++n;
+	 }
+	 if (tmp == 1)
+	     continue;
+
+#ifdef MAY_HAVE_X11_PIPES
+	 for (path = x_pipes; *path; ++path) {
+	     tmp = try_pipe (&s[n], dpy, *path);
+	     if (tmp == -1) {
+		 if (errno != ENOTDIR && errno != ENOENT && errno != ENOSYS)
+		     return -1;
+	     } else if (tmp == 1) {
+		 while (--n >= 0) {
+		     close (s[n].fd);
+		     free (s[n].pathname);
+		 }
+		 break;
+	     } else if (tmp == 0)
+		 ++n;
+	 }
+
+	 if (tmp == 1)
+	     continue;
+#endif
+
+	 if (tcp_socket) {
+	     tmp = try_tcp (&s[n], dpy);
+	     if (tmp == -1)
+		 return -1;
+	     else if (tmp == 1) {
+		 while (--n >= 0) {
+		     close (s[n].fd);
+		     free (s[n].pathname);
+		 }
+		 break;
+	     } else if (tmp == 0)
+		 ++n;
+	 }
+	 break;
+     }
+     if (dpy == 256)
+	 errx (1, "no free x-servers");
+     for (i = 0; i < n; ++i)
+	 if (s[i].flags & LISTENP
+	     && listen (s[i].fd, SOMAXCONN) < 0)
+	     err (1, "listen %s", s[i].pathname ? s[i].pathname : "tcp");
+     *number = n;
+     *sockets = s;
+     return dpy;
+}
+
+/*
+ * Change owner on the `n' sockets in `sockets' to `uid', `gid'.
+ * Return 0 is succesful or -1 if an error occurred.
+ */
+
+int
+chown_xsockets (int n, struct x_socket *sockets, uid_t uid, gid_t gid)
+{
+    int i;
+
+    for (i = 0; i < n; ++i)
+	if (sockets[i].pathname != NULL)
+	    if (chown (sockets[i].pathname, uid, gid) < 0)
+		return -1;
+    return 0;
+}
+
+/*
+ * Connect to local display `dnr' with local transport.
+ * Return a file descriptor.
+ */
+
+int
+connect_local_xsocket (unsigned dnr)
+{
+     int fd;
+     struct sockaddr_un addr;
+     char **path;
+
+     for (path = x_sockets; *path; ++path) {
+	 fd = socket (AF_UNIX, SOCK_STREAM, 0);
+	 if (fd < 0)
+	     err (1, "socket AF_UNIX");
+	 memset (&addr, 0, sizeof(addr));
+	 addr.sun_family = AF_UNIX;
+	 snprintf (addr.sun_path, sizeof(addr.sun_path), *path, dnr);
+	 if (connect (fd, (struct sockaddr *)&addr, sizeof(addr)) == 0)
+	     return fd;
+     }
+     err (1, "connecting to local display %u", dnr);
+}
+
+/*
+ * Create a cookie file with a random cookie for the localhost.  The
+ * file name will be stored in `xauthfile' (but not larger than
+ * `xauthfile_size'), and the cookie returned in `cookie', `cookie_sz'.
+ * Return 0 if succesful, or errno.
+ */
+
+int
+create_and_write_cookie (char *xauthfile,
+			 size_t xauthfile_size,
+			 u_char *cookie,
+			 size_t cookie_sz)
+{
+     Xauth auth;
+     char tmp[64];
+     int fd;
+     FILE *f;
+     char hostname[MaxHostNameLen];
+     struct in_addr loopback;
+     int saved_errno;
+
+     gethostname (hostname, sizeof(hostname));
+     loopback.s_addr = htonl(INADDR_LOOPBACK);
+     
+     auth.family = FamilyLocal;
+     auth.address = hostname;
+     auth.address_length = strlen(auth.address);
+     snprintf (tmp, sizeof(tmp), "%d", display_num);
+     auth.number_length = strlen(tmp);
+     auth.number = tmp;
+     auth.name = COOKIE_TYPE;
+     auth.name_length = strlen(auth.name);
+     auth.data_length = cookie_sz;
+     auth.data = (char*)cookie;
+#ifdef HAVE_OPENSSL_DES_H
+     krb5_generate_random_block (cookie, cookie_sz);
+#else
+     des_rand_data (cookie, cookie_sz);
+#endif
+
+     strlcpy(xauthfile, "/tmp/AXXXXXX", xauthfile_size);
+     fd = mkstemp(xauthfile);
+     if(fd < 0) {
+	 saved_errno = errno;
+	 syslog(LOG_ERR, "create_and_write_cookie: mkstemp: %m");
+         return saved_errno;
+     }
+     f = fdopen(fd, "r+");
+     if(f == NULL){
+	 saved_errno = errno;
+	 close(fd);
+	 return errno;
+     }
+     if(XauWriteAuth(f, &auth) == 0) {
+	 saved_errno = errno;
+	 fclose(f);
+	 return saved_errno;
+     }
+
+     /*
+      * I would like to write a cookie for localhost:n here, but some
+      * stupid code in libX11 will not look for cookies of that type,
+      * so we are forced to use FamilyWild instead.
+      */
+
+     auth.family  = FamilyWild;
+     auth.address_length = 0;
+
+#if 0 /* XXX */
+     auth.address = (char *)&loopback;
+     auth.address_length = sizeof(loopback);
+#endif
+
+     if (XauWriteAuth(f, &auth) == 0) {
+	 saved_errno = errno;
+	 fclose (f);
+	 return saved_errno;
+     }
+
+     if(fclose(f))
+	 return errno;
+     return 0;
+}
+
+/*
+ * Verify and remove cookies.  Read and parse a X-connection from
+ * `fd'. Check the cookie used is the same as in `cookie'.  Remove the
+ * cookie and copy the rest of it to `sock'.
+ * Expect cookies iff cookiesp.
+ * Return 0 iff ok.
+ *
+ * The protocol is as follows:
+ *
+ * C->S:	[Bl]				1
+ *		unused				1
+ *		protocol major version		2
+ *		protocol minor version		2
+ *		length of auth protocol name(n)	2
+ *		length of auth protocol data	2
+ *		unused				2
+ *		authorization protocol name	n
+ *		pad				pad(n)
+ *		authorization protocol data	d
+ *		pad				pad(d)
+ *
+ * S->C:	Failed
+ *		0				1
+ *		length of reason		1
+ *		protocol major version		2
+ *		protocol minor version		2
+ *		length in 4 bytes unit of
+ *		additional data (n+p)/4		2
+ *		reason				n
+ *		unused				p = pad(n)
+ */
+
+int
+verify_and_remove_cookies (int fd, int sock, int cookiesp)
+{
+     u_char beg[12];
+     int bigendianp;
+     unsigned n, d, npad, dpad;
+     char *protocol_name, *protocol_data;
+     u_char zeros[6] = {0, 0, 0, 0, 0, 0};
+     u_char refused[20] = {0, 10, 
+			   0, 0, /* protocol major version  */
+			   0, 0, /* protocol minor version */
+			   0, 0, /* length of additional data / 4 */
+			   'b', 'a', 'd', ' ', 'c', 'o', 'o', 'k', 'i', 'e',
+			   0, 0};
+
+     if (net_read (fd, beg, sizeof(beg)) != sizeof(beg))
+	  return 1;
+     if (net_write (sock, beg, 6) != 6)
+	  return 1;
+     bigendianp = beg[0] == 'B';
+     if (bigendianp) {
+	  n = (beg[6] << 8) | beg[7];
+	  d = (beg[8] << 8) | beg[9];
+     } else {
+	  n = (beg[7] << 8) | beg[6];
+	  d = (beg[9] << 8) | beg[8];
+     }
+     npad = (4 - (n % 4)) % 4;
+     dpad = (4 - (d % 4)) % 4;
+     protocol_name = malloc(n + npad);
+     if (n + npad != 0 && protocol_name == NULL)
+	 return 1;
+     protocol_data = malloc(d + dpad);
+     if (d + dpad != 0 && protocol_data == NULL) {
+	 free (protocol_name);
+	 return 1;
+     }
+     if (net_read (fd, protocol_name, n + npad) != n + npad)
+	 goto fail;
+     if (net_read (fd, protocol_data, d + dpad) != d + dpad)
+	 goto fail;
+     if (cookiesp) {
+	 if (strncmp (protocol_name, COOKIE_TYPE, strlen(COOKIE_TYPE)) != 0)
+	     goto refused;
+	 if (d != cookie_len ||
+	     memcmp (protocol_data, cookie, cookie_len) != 0)
+	     goto refused;
+     }
+     free (protocol_name);
+     free (protocol_data);
+     if (net_write (sock, zeros, 6) != 6)
+	  return 1;
+     return 0;
+refused:
+     refused[2] = beg[2];
+     refused[3] = beg[3];
+     refused[4] = beg[4];
+     refused[5] = beg[5];
+     if (bigendianp)
+	 refused[7] = 3;
+     else
+	 refused[6] = 3;
+
+     net_write (fd, refused, sizeof(refused));
+fail:
+     free (protocol_name);
+     free (protocol_data);
+     return 1;
+}
+
+/* 
+ * Return 0 iff `cookie' is compatible with the cookie for the
+ * localhost with name given in `ai' (or `hostname') and display
+ * number in `disp_nr'.
+ */
+
+static int
+match_local_auth (Xauth* auth,
+		  struct addrinfo *ai, const char *hostname, int disp_nr)
+{
+    int auth_disp;
+    char *tmp_disp;
+    struct addrinfo *a;
+    
+    tmp_disp = strndup (auth->number, auth->number_length);
+    if (tmp_disp == NULL)
+	return -1;
+    auth_disp = atoi(tmp_disp);
+    free (tmp_disp);
+    if (auth_disp != disp_nr)
+	return 1;
+    for (a = ai; a != NULL; a = a->ai_next) {
+	if ((auth->family == FamilyLocal
+	     || auth->family == FamilyWild)
+	    && a->ai_canonname != NULL
+	    && strncmp (auth->address,
+			a->ai_canonname,
+			auth->address_length) == 0)
+	    return 0;
+    }
+    if (hostname != NULL
+	&& (auth->family    == FamilyLocal
+	    || auth->family == FamilyWild)
+	&& strncmp (auth->address, hostname, auth->address_length) == 0)
+	return 0;
+    return 1;
+}
+
+/*
+ * Find `our' cookie from the cookie file `f' and return it or NULL.
+ */
+
+static Xauth*
+find_auth_cookie (FILE *f)
+{
+    Xauth *ret = NULL;
+    char local_hostname[MaxHostNameLen];
+    char *display = getenv("DISPLAY");
+    char d[MaxHostNameLen + 4];
+    char *colon;
+    struct addrinfo *ai;
+    struct addrinfo hints;
+    int disp;
+    int error;
+
+    if(display == NULL)
+	display = ":0";
+    strlcpy(d, display, sizeof(d));
+    display = d;
+    colon = strchr (display, ':');
+    if (colon == NULL)
+	disp = 0;
+    else {
+	*colon = '\0';
+	disp = atoi (colon + 1);
+    }
+    if (strcmp (display, "") == 0
+	|| strncmp (display, "unix", 4) == 0
+	|| strncmp (display, "localhost", 9) == 0) {
+	gethostname (local_hostname, sizeof(local_hostname));
+	display = local_hostname;
+    }
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags    = AI_CANONNAME;
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    error = getaddrinfo (display, NULL, &hints, &ai);
+    if (error)
+	ai = NULL;
+
+    for (; (ret = XauReadAuth (f)) != NULL; XauDisposeAuth(ret)) {
+	if (match_local_auth (ret, ai, display, disp) == 0) {
+	    if (ai != NULL)
+		freeaddrinfo (ai);
+	    return ret;
+	}
+    }
+    if (ai != NULL)
+	freeaddrinfo (ai);
+    return NULL;
+}
+
+/*
+ * Get rid of the cookie that we were sent and get the correct one
+ * from our own cookie file instead.
+ */
+
+int
+replace_cookie(int xserver, int fd, char *filename, int cookiesp) /* XXX */
+{
+     u_char beg[12];
+     int bigendianp;
+     unsigned n, d, npad, dpad;
+     FILE *f;
+     u_char zeros[6] = {0, 0, 0, 0, 0, 0};
+
+     if (net_read (fd, beg, sizeof(beg)) != sizeof(beg))
+	  return 1;
+     if (net_write (xserver, beg, 6) != 6)
+	  return 1;
+     bigendianp = beg[0] == 'B';
+     if (bigendianp) {
+	  n = (beg[6] << 8) | beg[7];
+	  d = (beg[8] << 8) | beg[9];
+     } else {
+	  n = (beg[7] << 8) | beg[6];
+	  d = (beg[9] << 8) | beg[8];
+     }
+     if (n != 0 || d != 0)
+	  return 1;
+     f = fopen(filename, "r");
+     if (f != NULL) {
+	 Xauth *auth = find_auth_cookie (f);
+	 u_char len[6] = {0, 0, 0, 0, 0, 0};
+	 
+	 fclose (f);
+
+	 if (auth != NULL) {
+	     n = auth->name_length;
+	     d = auth->data_length;
+	 } else {
+	     n = 0;
+	     d = 0;
+	 }
+	 if (bigendianp) {
+	     len[0] = n >> 8;
+	     len[1] = n & 0xFF;
+	     len[2] = d >> 8;
+	     len[3] = d & 0xFF;
+	 } else {
+	     len[0] = n & 0xFF;
+	     len[1] = n >> 8;
+	     len[2] = d & 0xFF;
+	     len[3] = d >> 8;
+	 }
+	 if (net_write (xserver, len, 6) != 6) {
+	     XauDisposeAuth(auth);
+	     return 1;
+	 }
+	 if(n != 0 && net_write (xserver, auth->name, n) != n) {
+	     XauDisposeAuth(auth);
+	     return 1;
+	 }
+	 npad = (4 - (n % 4)) % 4;
+	 if (npad && net_write (xserver, zeros, npad) != npad) {
+	     XauDisposeAuth(auth);
+	     return 1;
+	 }
+	 if (d != 0 && net_write (xserver, auth->data, d) != d) {
+	     XauDisposeAuth(auth);
+	     return 1;
+	 }
+	 XauDisposeAuth(auth);
+	 dpad = (4 - (d % 4)) % 4;
+	 if (dpad && net_write (xserver, zeros, dpad) != dpad)
+	     return 1;
+     } else {
+	 if(net_write(xserver, zeros, 6) != 6)
+	     return 1;
+     }
+     return 0;
+}
+
+/*
+ * Some simple controls on the address and corresponding socket
+ */
+
+int
+suspicious_address (int sock, struct sockaddr_in addr)
+{
+    char data[40];
+    socklen_t len = sizeof(data);
+
+    return addr.sin_addr.s_addr != htonl(INADDR_LOOPBACK)
+#if defined(IP_OPTIONS) && defined(HAVE_GETSOCKOPT)
+	|| getsockopt (sock, IPPROTO_IP, IP_OPTIONS, data, &len) < 0
+	|| len != 0
+#endif
+    ;
+}
+
+/*
+ * This really sucks, but these functions are used and if we're not
+ * linking against libkrb they don't exist.  Using the heimdal storage
+ * functions will not work either cause we do not always link with
+ * libkrb5 either.
+ */
+
+#ifndef KRB4
+
+int
+krb_get_int(void *f, u_int32_t *to, int size, int lsb)
+{
+    int i;
+    unsigned char *from = (unsigned char *)f;
+
+    *to = 0;
+    if(lsb){
+	for(i = size-1; i >= 0; i--)
+	    *to = (*to << 8) | from[i];
+    }else{
+	for(i = 0; i < size; i++)
+	    *to = (*to << 8) | from[i];
+    }
+    return size;
+}
+
+int
+krb_put_int(u_int32_t from, void *to, size_t rem, int size)
+{
+    int i;
+    unsigned char *p = (unsigned char *)to;
+
+    if (rem < size)
+	return -1;
+
+    for(i = size - 1; i >= 0; i--){
+	p[i] = from & 0xff;
+	from >>= 8;
+    }
+    return size;
+}
+
+#endif /* !KRB4 */
diff --git a/crypto/heimdal/appl/kx/context.c b/crypto/heimdal/appl/kx/context.c
new file mode 100644
index 0000000..bbc8da9
--- /dev/null
+++ b/crypto/heimdal/appl/kx/context.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: context.c,v 1.4 1999/12/02 16:58:32 joda Exp $");
+
+/*
+ * Set the common part of the context `kc'
+ */
+
+void
+context_set (kx_context *kc, const char *host, const char *user, int port,
+	     int debug_flag, int keepalive_flag, int tcp_flag)
+{
+    kc->host		= host;
+    kc->user		= user;
+    kc->port		= port;
+    kc->debug_flag	= debug_flag;
+    kc->keepalive_flag	= keepalive_flag;
+    kc->tcp_flag	= tcp_flag;
+}
+
+/*
+ * dispatch functions
+ */
+
+void
+context_destroy (kx_context *kc)
+{
+    (*kc->destroy)(kc);
+}
+
+int
+context_authenticate (kx_context *kc, int s)
+{
+    return (*kc->authenticate)(kc, s);
+}
+
+int
+context_userok (kx_context *kc, char *user)
+{
+    return (*kc->userok)(kc, user);
+}
+
+ssize_t
+kx_read (kx_context *kc, int fd, void *buf, size_t len)
+{
+    return (*kc->read)(kc, fd, buf, len);
+}
+
+ssize_t
+kx_write (kx_context *kc, int fd, const void *buf, size_t len)
+{
+    return (*kc->write)(kc, fd, buf, len);
+}
+
+int
+copy_encrypted (kx_context *kc, int fd1, int fd2)
+{
+    return (*kc->copy_encrypted)(kc, fd1, fd2);
+}
diff --git a/crypto/heimdal/appl/kx/krb4.c b/crypto/heimdal/appl/kx/krb4.c
new file mode 100644
index 0000000..07852c9
--- /dev/null
+++ b/crypto/heimdal/appl/kx/krb4.c
@@ -0,0 +1,361 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: krb4.c,v 1.8 2000/10/08 13:19:22 assar Exp $");
+
+#ifdef KRB4
+
+struct krb4_kx_context {
+    des_cblock key;
+    des_key_schedule schedule;
+    AUTH_DAT auth;
+};
+
+typedef struct krb4_kx_context krb4_kx_context;
+
+/*
+ * Destroy the krb4 context in `c'.
+ */
+
+static void
+krb4_destroy (kx_context *c)
+{
+    memset (c->data, 0, sizeof(krb4_kx_context));
+    free (c->data);
+}
+
+/*
+ * Read the authentication information from `s' and return 0 if
+ * succesful, else -1.
+ */
+
+static int
+krb4_authenticate (kx_context *kc, int s)
+{
+    CREDENTIALS cred;
+    KTEXT_ST text;
+    MSG_DAT msg;
+    int status;
+    krb4_kx_context *c = (krb4_kx_context *)kc->data;
+    const char *host = kc->host;
+
+#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
+    if (krb_get_config_bool("nat_in_use")) {
+	struct in_addr natAddr;
+
+	if (krb_get_our_ip_for_realm(krb_realmofhost(kc->host),
+				     &natAddr) == KSUCCESS
+	    || krb_get_our_ip_for_realm (NULL, &natAddr) == KSUCCESS)
+	    kc->thisaddr.sin_addr = natAddr;
+    }
+#endif
+
+    status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd",
+			   (char *)host, krb_realmofhost (host),
+			   getpid(), &msg, &cred, c->schedule,
+			   &kc->thisaddr, &kc->thataddr, KX_VERSION);
+    if (status != KSUCCESS) {
+	warnx ("%s: %s\n", host, krb_get_err_text(status));
+	return -1;
+    }
+    memcpy (c->key, cred.session, sizeof(des_cblock));
+    return 0;
+}
+
+/*
+ * Read a krb4 priv packet from `fd' into `buf' (of size `len').
+ * Return the number of bytes read or 0 on EOF or -1 on error.
+ */
+
+static ssize_t
+krb4_read (kx_context *kc,
+	   int fd, void *buf, size_t len)
+{
+    unsigned char tmp[4];
+    ssize_t ret;
+    size_t l;
+    int status;
+    krb4_kx_context *c = (krb4_kx_context *)kc->data;
+    MSG_DAT msg;
+
+    ret = krb_net_read (fd, tmp, 4);
+    if (ret == 0)
+	return ret;
+    if (ret != 4)
+	return -1;
+    l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
+    if (l > len)
+	return -1;
+    if (krb_net_read (fd, buf, l) != l)
+	return -1;
+    status = krb_rd_priv (buf, l, c->schedule, &c->key,
+			  &kc->thataddr, &kc->thisaddr, &msg);
+    if (status != RD_AP_OK) {
+	warnx ("krb4_read: %s", krb_get_err_text(status));
+	return -1;
+    }
+    memmove (buf, msg.app_data, msg.app_length);
+    return msg.app_length;
+}
+
+/*
+ * Write a krb4 priv packet on `fd' with the data in `buf, len'.
+ * Return len or -1 on error
+ */
+
+static ssize_t
+krb4_write(kx_context *kc,
+	   int fd, const void *buf, size_t len)
+{
+    void *outbuf;
+    krb4_kx_context *c = (krb4_kx_context *)kc->data;
+    int outlen;
+    unsigned char tmp[4];
+
+    outbuf = malloc (len + 30);
+    if (outbuf == NULL)
+	return -1;
+    outlen = krb_mk_priv ((void *)buf, outbuf, len, c->schedule, &c->key,
+			  &kc->thisaddr, &kc->thataddr);
+    if (outlen < 0) {
+	free (outbuf);
+	return -1;
+    }
+    tmp[0] = (outlen >> 24) & 0xFF;
+    tmp[1] = (outlen >> 16) & 0xFF;
+    tmp[2] = (outlen >>  8) & 0xFF;
+    tmp[3] = (outlen >>  0) & 0xFF;
+
+    if (krb_net_write (fd, tmp, 4) != 4 ||
+	krb_net_write (fd, outbuf, outlen) != outlen) {
+	free (outbuf);
+	return -1;
+    }
+    free (outbuf);
+    return len;
+}
+
+/*
+ * Copy data from `fd1' to `fd2', {en,de}crypting with cfb64
+ * with `mode' and state stored in `iv', `schedule', and `num'.
+ * Return -1 if error, 0 if eof, else 1
+ */
+
+static int
+do_enccopy (int fd1, int fd2, int mode, des_cblock *iv,
+	    des_key_schedule schedule, int *num)
+{
+     int ret;
+     u_char buf[BUFSIZ];
+
+     ret = read (fd1, buf, sizeof(buf));
+     if (ret == 0)
+	  return 0;
+     if (ret < 0) {
+	 warn ("read");
+	 return ret;
+     }
+#ifndef NOENCRYPTION
+     des_cfb64_encrypt (buf, buf, ret, schedule, iv,
+			num, mode);
+#endif
+     ret = krb_net_write (fd2, buf, ret);
+     if (ret < 0) {
+	 warn ("write");
+	 return ret;
+     }
+     return 1;
+}
+
+/*
+ * Copy data between fd1 and fd2, encrypting one way and decrypting
+ * the other.
+ */
+
+static int
+krb4_copy_encrypted (kx_context *kc,
+		     int fd1, int fd2)
+{
+    krb4_kx_context *c = (krb4_kx_context *)kc->data;
+    des_cblock iv1, iv2;
+    int num1 = 0, num2 = 0;
+
+    memcpy (iv1, c->key, sizeof(iv1));
+    memcpy (iv2, c->key, sizeof(iv2));
+    for (;;) {
+	fd_set fdset;
+	int ret;
+
+	if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) {
+	    warnx ("fd too large");
+	    return 1;
+	}
+
+	FD_ZERO(&fdset);
+	FD_SET(fd1, &fdset);
+	FD_SET(fd2, &fdset);
+
+	ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL);
+	if (ret < 0 && errno != EINTR) {
+	    warn ("select");
+	    return 1;
+	}
+	if (FD_ISSET(fd1, &fdset)) {
+	    ret = do_enccopy (fd1, fd2, DES_ENCRYPT, &iv1, c->schedule, &num1);
+	    if (ret <= 0)
+		return ret;
+	}
+	if (FD_ISSET(fd2, &fdset)) {
+	    ret = do_enccopy (fd2, fd1, DES_DECRYPT, &iv2, c->schedule, &num2);
+	    if (ret <= 0)
+		return ret;
+	}
+    }
+}
+
+/*
+ * Return 0 if the user authenticated on `kc' is allowed to login as
+ * `user'.
+ */
+
+static int
+krb4_userok (kx_context *kc, char *user)
+{
+    krb4_kx_context *c = (krb4_kx_context *)kc->data;
+    char *tmp;
+
+    tmp = krb_unparse_name_long (c->auth.pname,
+				 c->auth.pinst,
+				 c->auth.prealm);
+    kc->user = strdup (tmp);
+    if (kc->user == NULL)
+	err (1, "malloc");
+
+
+    return kuserok (&c->auth, user);
+}
+
+/*
+ * Create an instance of an krb4 context.
+ */
+
+void
+krb4_make_context (kx_context *kc)
+{
+    kc->authenticate	= krb4_authenticate;
+    kc->userok		= krb4_userok;
+    kc->read		= krb4_read;
+    kc->write		= krb4_write;
+    kc->copy_encrypted	= krb4_copy_encrypted;
+    kc->destroy		= krb4_destroy;
+    kc->user		= NULL;
+    kc->data		= malloc(sizeof(krb4_kx_context));
+
+    if (kc->data == NULL)
+	err (1, "malloc");
+}
+
+/*
+ * Receive authentication information on `sock' (first four bytes
+ * in `buf').
+ */
+
+int
+recv_v4_auth (kx_context *kc, int sock, u_char *buf)
+{
+    int status;
+    KTEXT_ST ticket;
+    char instance[INST_SZ + 1];
+    char version[KRB_SENDAUTH_VLEN + 1];
+    krb4_kx_context *c;
+    AUTH_DAT auth;
+    des_key_schedule schedule;
+
+    if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
+	return -1;
+    if (net_read (sock, buf + 4, KRB_SENDAUTH_VLEN - 4) !=
+	KRB_SENDAUTH_VLEN - 4) {
+	syslog (LOG_ERR, "read: %m");
+	exit (1);
+    }
+    if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0) {
+	syslog (LOG_ERR, "unrecognized auth protocol: %.8s", buf);
+	exit (1);
+    }
+
+    k_getsockinst (sock, instance, sizeof(instance));
+    status = krb_recvauth (KOPT_IGNORE_PROTOCOL | KOPT_DO_MUTUAL,
+			   sock,
+			   &ticket,
+			   "rcmd",
+			   instance,
+			   &kc->thataddr,
+			   &kc->thisaddr,
+			   &auth,
+			   "",
+			   schedule,
+			   version);
+    if (status != KSUCCESS) {
+	syslog (LOG_ERR, "krb_recvauth: %s", krb_get_err_text(status));
+	exit (1);
+    }
+    if (strncmp (version, KX_VERSION, KRB_SENDAUTH_VLEN) != 0) {
+	 /* Try to be nice to old kx's */
+	 if (strncmp (version, KX_OLD_VERSION, KRB_SENDAUTH_VLEN) == 0) {
+	     char *old_errmsg = "\001Old version of kx. Please upgrade.";
+	     char user[64];
+
+	     syslog (LOG_ERR, "Old version client (%s)", version);
+
+	     krb_net_read (sock, user, sizeof(user));
+	     krb_net_write (sock, old_errmsg, strlen(old_errmsg) + 1);
+	     exit (1);
+	 } else {
+	     syslog (LOG_ERR, "bad version: %s", version);
+	     exit (1);
+	 }
+    }
+
+    krb4_make_context (kc);
+    c = (krb4_kx_context *)kc->data;
+
+    c->auth     = auth;
+    memcpy (c->key, &auth.session, sizeof(des_cblock));
+    memcpy (c->schedule, schedule, sizeof(schedule));
+
+    return 0;
+}
+
+#endif /* KRB4 */
diff --git a/crypto/heimdal/appl/kx/krb5.c b/crypto/heimdal/appl/kx/krb5.c
new file mode 100644
index 0000000..0b4a083
--- /dev/null
+++ b/crypto/heimdal/appl/kx/krb5.c
@@ -0,0 +1,421 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: krb5.c,v 1.7 2000/12/31 07:32:03 assar Exp $");
+
+#ifdef KRB5
+
+struct krb5_kx_context {
+    krb5_context context;
+    krb5_keyblock *keyblock;
+    krb5_crypto crypto;
+    krb5_principal client;
+};
+
+typedef struct krb5_kx_context krb5_kx_context;
+
+/*
+ * Destroy the krb5 context in `c'.
+ */
+
+static void
+krb5_destroy (kx_context *c)
+{
+    krb5_kx_context *kc = (krb5_kx_context *)c->data;
+
+    if (kc->keyblock)
+	krb5_free_keyblock (kc->context, kc->keyblock);
+    if (kc->crypto)
+	krb5_crypto_destroy (kc->context, kc->crypto);
+    if (kc->client)
+	krb5_free_principal (kc->context, kc->client);
+    if (kc->context)
+	krb5_free_context (kc->context);
+    free (kc);
+}
+
+/*
+ * Read the authentication information from `s' and return 0 if
+ * succesful, else -1.
+ */
+
+static int
+krb5_authenticate (kx_context *kc, int s)
+{
+    krb5_kx_context *c = (krb5_kx_context *)kc->data;
+    krb5_context context = c->context;
+    krb5_auth_context auth_context = NULL;
+    krb5_error_code ret;
+    krb5_principal server;
+    const char *host = kc->host;
+
+    ret = krb5_sname_to_principal (context,
+				   host, "host", KRB5_NT_SRV_HST, &server);
+    if (ret) {
+	warnx ("krb5_sname_to_principal: %s: %s", host,
+	       krb5_get_err_text(context, ret));
+	return 1;
+    }
+
+    ret = krb5_sendauth (context,
+			 &auth_context,
+			 &s,
+			 KX_VERSION,
+			 NULL,
+			 server,
+			 AP_OPTS_MUTUAL_REQUIRED,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL);
+    if (ret) {
+	warnx ("krb5_sendauth: %s: %s", host,
+	       krb5_get_err_text(context, ret));
+	return 1;
+    }
+
+    ret = krb5_auth_con_getkey (context, auth_context, &c->keyblock);
+    if (ret) {
+	warnx ("krb5_auth_con_getkey: %s: %s", host,
+	       krb5_get_err_text(context, ret));
+	krb5_auth_con_free (context, auth_context);
+	return 1;
+    }
+    
+    ret = krb5_crypto_init (context, c->keyblock, 0, &c->crypto);
+    if (ret) {
+	warnx ("krb5_crypto_init: %s", krb5_get_err_text (context, ret));
+	krb5_auth_con_free (context, auth_context);
+	return 1;
+    }
+    return 0;
+}
+
+/*
+ * Read an encapsulated krb5 packet from `fd' into `buf' (of size
+ * `len').  Return the number of bytes read or 0 on EOF or -1 on
+ * error.
+ */
+
+static ssize_t
+krb5_read (kx_context *kc,
+	   int fd, void *buf, size_t len)
+{
+    krb5_kx_context *c = (krb5_kx_context *)kc->data;
+    krb5_context context = c->context;
+    size_t data_len, outer_len;
+    krb5_error_code ret;
+    unsigned char tmp[4];
+    krb5_data data;
+    int l;
+
+    l = krb5_net_read (context, &fd, tmp, 4);
+    if (l == 0)
+	return l;
+    if (l != 4)
+	return -1;
+    data_len  = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
+    outer_len = krb5_get_wrapped_length (context, c->crypto, data_len);
+    if (outer_len > len)
+	return -1;
+    if (krb5_net_read (context, &fd, buf, outer_len) != outer_len)
+	return -1;
+
+    ret = krb5_decrypt (context, c->crypto, KRB5_KU_OTHER_ENCRYPTED,
+			buf, outer_len, &data);
+    if (ret) {
+	warnx ("krb5_decrypt: %s", krb5_get_err_text(context, ret));
+	return -1;
+    }
+    if (data_len > data.length) {
+	krb5_data_free (&data);
+	return -1;
+    }
+    memmove (buf, data.data, data_len);
+    krb5_data_free (&data);
+    return data_len;
+}
+
+/*
+ * Write an encapsulated krb5 packet on `fd' with the data in `buf,
+ * len'.  Return len or -1 on error.
+ */
+
+static ssize_t
+krb5_write(kx_context *kc,
+	   int fd, const void *buf, size_t len)
+{
+    krb5_kx_context *c = (krb5_kx_context *)kc->data;
+    krb5_context context = c->context;
+    krb5_data data;
+    krb5_error_code ret;
+    unsigned char tmp[4];
+    size_t outlen;
+
+    ret = krb5_encrypt (context, c->crypto, KRB5_KU_OTHER_ENCRYPTED,
+			(void *)buf, len, &data);
+    if (ret){
+	warnx ("krb5_write: %s", krb5_get_err_text (context, ret));
+	return -1;
+    }
+
+    outlen = data.length;
+    tmp[0] = (len >> 24) & 0xFF;
+    tmp[1] = (len >> 16) & 0xFF;
+    tmp[2] = (len >>  8) & 0xFF;
+    tmp[3] = (len >>  0) & 0xFF;
+
+    if (krb5_net_write (context, &fd, tmp, 4) != 4 ||
+	krb5_net_write (context, &fd, data.data, outlen) != outlen) {
+	krb5_data_free (&data);
+	return -1;
+    }
+    krb5_data_free (&data);
+    return len;
+}
+
+/*
+ * Copy from the unix socket `from_fd' encrypting to `to_fd'.
+ * Return 0, -1 or len.
+ */
+
+static int
+copy_out (kx_context *kc, int from_fd, int to_fd)
+{
+    char buf[32768];
+    ssize_t len;
+
+    len = read (from_fd, buf, sizeof(buf));
+    if (len == 0)
+	return 0;
+    if (len < 0) {
+	warn ("read");
+	return len;
+    }
+    return krb5_write (kc, to_fd, buf, len);
+}
+	
+/*
+ * Copy from the socket `from_fd' decrypting to `to_fd'.
+ * Return 0, -1 or len.
+ */
+
+static int
+copy_in (kx_context *kc, int from_fd, int to_fd)
+{
+    krb5_kx_context *c = (krb5_kx_context *)kc->data;
+    char buf[33000];		/* XXX */
+
+    ssize_t len;
+
+    len = krb5_read (kc, from_fd, buf, sizeof(buf));
+    if (len == 0)
+	return 0;
+    if (len < 0) {
+	warn ("krb5_read");
+	return len;
+    }
+
+    return krb5_net_write (c->context, &to_fd, buf, len);
+}
+
+/*
+ * Copy data between `fd1' and `fd2', encrypting in one direction and
+ * decrypting in the other.
+ */
+
+static int
+krb5_copy_encrypted (kx_context *kc, int fd1, int fd2)
+{
+    for (;;) {
+	fd_set fdset;
+	int ret;
+
+	if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) {
+	    warnx ("fd too large");
+	    return 1;
+	}
+
+	FD_ZERO(&fdset);
+	FD_SET(fd1, &fdset);
+	FD_SET(fd2, &fdset);
+
+	ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL);
+	if (ret < 0 && errno != EINTR) {
+	    warn ("select");
+	    return 1;
+	}
+	if (FD_ISSET(fd1, &fdset)) {
+	    ret = copy_out (kc, fd1, fd2);
+	    if (ret <= 0)
+		return ret;
+	}
+	if (FD_ISSET(fd2, &fdset)) {
+	    ret = copy_in (kc, fd2, fd1);
+	    if (ret <= 0)
+		return ret;
+	}
+    }
+}
+
+/*
+ * Return 0 if the user authenticated on `kc' is allowed to login as
+ * `user'.
+ */
+
+static int
+krb5_userok (kx_context *kc, char *user)
+{
+    krb5_kx_context *c = (krb5_kx_context *)kc->data;
+    krb5_context context = c->context;
+    krb5_error_code ret;
+    char *tmp;
+
+    ret = krb5_unparse_name (context, c->client, &tmp);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_unparse_name");
+    kc->user = tmp;
+
+    return !krb5_kuserok (context, c->client, user);
+}
+
+/*
+ * Create an instance of an krb5 context.
+ */
+
+void
+krb5_make_context (kx_context *kc)
+{
+    krb5_kx_context *c;
+    krb5_error_code ret;
+
+    kc->authenticate	= krb5_authenticate;
+    kc->userok		= krb5_userok;
+    kc->read		= krb5_read;
+    kc->write		= krb5_write;
+    kc->copy_encrypted	= krb5_copy_encrypted;
+    kc->destroy		= krb5_destroy;
+    kc->user		= NULL;
+    kc->data		= malloc(sizeof(krb5_kx_context));
+
+    if (kc->data == NULL)
+	err (1, "malloc");
+    memset (kc->data, 0, sizeof(krb5_kx_context));
+    c = (krb5_kx_context *)kc->data;
+    ret = krb5_init_context (&c->context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+}
+
+/*
+ * Receive authentication information on `sock' (first four bytes
+ * in `buf').
+ */
+
+int
+recv_v5_auth (kx_context *kc, int sock, u_char *buf)
+{
+    u_int32_t len;
+    krb5_error_code ret;
+    krb5_kx_context *c;
+    krb5_context context;
+    krb5_principal server;
+    krb5_auth_context auth_context = NULL;
+    krb5_ticket *ticket;
+
+    if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
+	return 1;
+    len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
+    if (net_read(sock, buf, len) != len) {
+	syslog (LOG_ERR, "read: %m");
+	exit (1);
+    }
+    if (len != sizeof(KRB5_SENDAUTH_VERSION)
+	|| memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0) {
+	syslog (LOG_ERR, "bad sendauth version: %.8s", buf);
+	exit (1);
+    }
+
+    krb5_make_context (kc);
+    c = (krb5_kx_context *)kc->data;
+    context = c->context;
+
+    ret = krb5_sock_to_principal (context, sock, "host",
+				  KRB5_NT_SRV_HST, &server);
+    if (ret) {
+	syslog (LOG_ERR, "krb5_sock_to_principal: %s",
+		krb5_get_err_text (context, ret));
+	exit (1);
+    }
+
+    ret = krb5_recvauth (context,
+			 &auth_context,
+			 &sock,
+			 KX_VERSION,
+			 server,
+			 KRB5_RECVAUTH_IGNORE_VERSION,
+			 NULL,
+			 &ticket);
+    krb5_free_principal (context, server);
+    if (ret) {
+	syslog (LOG_ERR, "krb5_sock_to_principal: %s",
+		krb5_get_err_text (context, ret));
+	exit (1);
+    }
+
+    ret = krb5_auth_con_getkey (context, auth_context, &c->keyblock);
+    if (ret) {
+	syslog (LOG_ERR, "krb5_auth_con_getkey: %s",
+		krb5_get_err_text (context, ret));
+	exit (1);
+    }
+
+    ret = krb5_crypto_init (context, c->keyblock, 0, &c->crypto);
+    if (ret) {
+	syslog (LOG_ERR, "krb5_crypto_init: %s",
+		krb5_get_err_text (context, ret));
+	exit (1);
+    }
+
+    c->client = ticket->client;
+    ticket->client = NULL;
+    krb5_free_ticket (context, ticket);
+
+    return 0;
+}
+
+#endif /* KRB5 */
diff --git a/crypto/heimdal/appl/kx/kx.1 b/crypto/heimdal/appl/kx/kx.1
new file mode 100644
index 0000000..fe621d8
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kx.1
@@ -0,0 +1,62 @@
+.\" $Id: kx.1,v 1.7 1997/09/01 15:59:07 assar Exp $
+.\"
+.Dd September 27, 1996
+.Dt KX 1
+.Os KTH-KRB
+.Sh NAME
+.Nm kx
+.Nd
+securely forward X conections
+.Sh SYNOPSIS
+.Ar kx
+.Op Fl l Ar username
+.Op Fl k
+.Op Fl d
+.Op Fl t
+.Op Fl p Ar port
+.Op Fl P
+.Ar host
+.Sh DESCRIPTION
+The
+.Nm
+program forwards a X connection from a remote client to a local screen
+through an authenticated and encrypted stream.  Options supported by
+.Nm kx :
+.Bl -tag -width Ds
+.It Fl l
+Log in on remote the host as user
+.Ar username .
+.It Fl k
+Do not enable keep-alives on the TCP connections.
+.It Fl d
+Do not fork. This is mainly useful for debugging.
+.It Fl t
+Listen not only on a UNIX-domain socket but on a TCP socket as well.
+.It Fl p
+Use the port
+.Ar port .
+.It Fl P
+Force passive mode.
+.El
+.Pp
+This program is used by
+.Nm rxtelnet
+and
+.Nm rxterm
+and you should not need to run it directly.
+.Pp
+It connects to a
+.Nm kxd
+on the host
+.Ar host
+and then will relay the traffic from the remote X clients to the local
+server.  When started, it prints the display and Xauthority-file to be
+used on host
+.Ar host
+and then goes to the background, waiting for connections from the
+remote
+.Nm kxd.
+.Sh SEE ALSO
+.Xr rxtelnet 1 ,
+.Xr rxterm 1 ,
+.Xr kxd 8
diff --git a/crypto/heimdal/appl/kx/kx.c b/crypto/heimdal/appl/kx/kx.c
new file mode 100644
index 0000000..63e1595
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kx.c
@@ -0,0 +1,765 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: kx.c,v 1.68 2001/02/20 01:44:45 assar Exp $");
+
+static int nchild;
+static int donep;
+
+/*
+ * Signal handler that justs waits for the children when they die.
+ */
+
+static RETSIGTYPE
+childhandler (int sig)
+{
+     pid_t pid;
+     int status;
+
+     do { 
+	 pid = waitpid (-1, &status, WNOHANG|WUNTRACED);
+	 if (pid > 0 && (WIFEXITED(status) || WIFSIGNALED(status)))
+	     if (--nchild == 0 && donep)
+		 exit (0);
+     } while(pid > 0);
+     signal (SIGCHLD, childhandler);
+     SIGRETURN(0);
+}
+
+/*
+ * Handler for SIGUSR1.
+ * This signal means that we should wait until there are no children
+ * left and then exit.
+ */
+
+static RETSIGTYPE
+usr1handler (int sig)
+{
+    donep = 1;
+
+    SIGRETURN(0);
+}
+
+/*
+ * Almost the same as for SIGUSR1, except we should exit immediately
+ * if there are no active children.
+ */
+
+static RETSIGTYPE
+usr2handler (int sig)
+{
+    donep = 1;
+    if (nchild == 0)
+	exit (0);
+
+    SIGRETURN(0);
+}
+
+/*
+ * Establish authenticated connection.  Return socket or -1.
+ */
+
+static int
+connect_host (kx_context *kc)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+    socklen_t addrlen;
+    int s;
+    struct sockaddr_storage thisaddr_ss;
+    struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(kc->port));
+
+    error = getaddrinfo (kc->host, portstr, &hints, &ai);
+    if (error) {
+	warnx ("%s: %s", kc->host, gai_strerror(error));
+	return -1;
+    }
+    
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", kc->host);
+	    close (s);
+	    continue;
+	}
+	break;
+    }
+
+    if (a == NULL) {
+	freeaddrinfo (ai);
+	return -1;
+    }
+
+    addrlen = a->ai_addrlen;
+    if (getsockname (s, thisaddr, &addrlen) < 0 ||
+	addrlen != a->ai_addrlen)
+	err(1, "getsockname(%s)", kc->host);
+    memcpy (&kc->thisaddr, thisaddr, sizeof(kc->thisaddr));
+    memcpy (&kc->thataddr, a->ai_addr, sizeof(kc->thataddr));
+    freeaddrinfo (ai);
+    if ((*kc->authenticate)(kc, s))
+	return -1;
+    return s;
+}
+
+/*
+ * Get rid of the cookie that we were sent and get the correct one
+ * from our own cookie file instead and then just copy data in both
+ * directions.
+ */
+
+static int
+passive_session (int xserver, int fd, kx_context *kc)
+{
+    if (replace_cookie (xserver, fd, XauFileName(), 1))
+	return 1;
+    else
+	return copy_encrypted (kc, xserver, fd);
+}
+
+static int
+active_session (int xserver, int fd, kx_context *kc)
+{
+    if (verify_and_remove_cookies (xserver, fd, 1))
+	return 1;
+    else
+	return copy_encrypted (kc, xserver, fd);
+}
+
+/*
+ * fork (unless debugp) and print the output that will be used by the
+ * script to capture the display, xauth cookie and pid.
+ */
+
+static void
+status_output (int debugp)
+{
+    if(debugp)
+	printf ("%u\t%s\t%s\n", (unsigned)getpid(), display, xauthfile);
+    else {
+	pid_t pid;
+	
+	pid = fork();
+	if (pid < 0) {
+	    err(1, "fork");
+	} else if (pid > 0) {
+	    printf ("%u\t%s\t%s\n", (unsigned)pid, display, xauthfile);
+	    exit (0);
+	} else {
+	    fclose(stdout);
+	}
+    }
+}
+
+/*
+ * Obtain an authenticated connection on `kc'.  Send a kx message
+ * saying we are `kc->user' and want to use passive mode.  Wait for
+ * answer on that connection and fork of a child for every new
+ * connection we have to make.
+ */
+
+static int
+doit_passive (kx_context *kc)
+{
+     int otherside;
+     u_char msg[1024], *p;
+     int len;
+     u_int32_t tmp;
+     const char *host = kc->host;
+
+     otherside = connect_host (kc);
+
+     if (otherside < 0)
+	 return 1;
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+     if (kc->keepalive_flag) {
+	 int one = 1;
+
+	 setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+		     sizeof(one));
+     }
+#endif
+
+     p = msg;
+     *p++ = INIT;
+     len = strlen(kc->user);
+     p += KRB_PUT_INT (len, p, sizeof(msg) - 1, 4);
+     memcpy(p, kc->user, len);
+     p += len;
+     *p++ = PASSIVE | (kc->keepalive_flag ? KEEP_ALIVE : 0);
+     if (kx_write (kc, otherside, msg, p - msg) != p - msg)
+	 err (1, "write to %s", host);
+     len = kx_read (kc, otherside, msg, sizeof(msg));
+     if (len <= 0)
+	 errx (1,
+	       "error reading initial message from %s: "
+	       "this probably means it's using an old version.",
+	       host);
+     p = (u_char *)msg;
+     if (*p == ERROR) {
+	 p++;
+	 p += krb_get_int (p, &tmp, 4, 0);
+	 errx (1, "%s: %.*s", host, (int)tmp, p);
+     } else if (*p != ACK) {
+	 errx (1, "%s: strange msg %d", host, *p);
+     } else
+	 p++;
+     p += krb_get_int (p, &tmp, 4, 0);
+     memcpy(display, p, tmp);
+     display[tmp] = '\0';
+     p += tmp;
+
+     p += krb_get_int (p, &tmp, 4, 0);
+     memcpy(xauthfile, p, tmp);
+     xauthfile[tmp] = '\0';
+     p += tmp;
+
+     status_output (kc->debug_flag);
+     for (;;) {
+	 pid_t child;
+
+	 len = kx_read (kc, otherside, msg, sizeof(msg));
+	 if (len < 0)
+	     err (1, "read from %s", host);
+	 else if (len == 0)
+	     return 0;
+
+	 p = (u_char *)msg;
+	 if (*p == ERROR) {
+	     p++;
+	     p += krb_get_int (p, &tmp, 4, 0);
+	     errx (1, "%s: %.*s", host, (int)tmp, p);
+	 } else if(*p != NEW_CONN) {
+	     errx (1, "%s: strange msg %d", host, *p);
+	 } else {
+	     p++;
+	     p += krb_get_int (p, &tmp, 4, 0);
+	 }
+	 
+	 ++nchild;
+	 child = fork ();
+	 if (child < 0) {
+	     warn("fork");
+	     continue;
+	 } else if (child == 0) {
+	     struct sockaddr_in addr;
+	     int fd;
+	     int xserver;
+
+	     addr = kc->thataddr;
+	     close (otherside);
+
+	     addr.sin_port = htons(tmp);
+	     fd = socket (AF_INET, SOCK_STREAM, 0);
+	     if (fd < 0)
+		 err(1, "socket");
+#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
+	     {
+		 int one = 1;
+
+		 setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&one,
+			     sizeof(one));
+	     }
+#endif
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+	     if (kc->keepalive_flag) {
+		 int one = 1;
+
+		 setsockopt (fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+			     sizeof(one));
+	     }
+#endif
+
+	     if (connect (fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+		 err(1, "connect(%s)", host);
+	     {
+		 int d = 0;
+		 char *s;
+
+		 s = getenv ("DISPLAY");
+		 if (s != NULL) {
+		     s = strchr (s, ':');
+		     if (s != NULL)
+			 d = atoi (s + 1);
+		 }
+
+		 xserver = connect_local_xsocket (d);
+		 if (xserver < 0)
+		     return 1;
+	     }
+	     return passive_session (xserver, fd, kc);
+	 } else {
+	 }
+     }
+}
+
+/*
+ * Allocate a local pseudo-xserver and wait for connections 
+ */
+
+static int
+doit_active (kx_context *kc)
+{
+    int otherside;
+    int nsockets;
+    struct x_socket *sockets;
+    u_char msg[1024], *p;
+    int len = strlen(kc->user);
+    int tmp, tmp2;
+    char *s;
+    int i;
+    size_t rem;
+    u_int32_t other_port;
+    int error;
+    const char *host = kc->host;
+
+    otherside = connect_host (kc);
+    if (otherside < 0)
+	return 1;
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+    if (kc->keepalive_flag) {
+	int one = 1;
+
+	setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+		    sizeof(one));
+    }
+#endif
+    p = msg;
+    rem = sizeof(msg);
+    *p++ = INIT;
+    --rem;
+    len = strlen(kc->user);
+    tmp = KRB_PUT_INT (len, p, rem, 4);
+    if (tmp < 0)
+	return 1;
+    p += tmp;
+    rem -= tmp;
+    memcpy(p, kc->user, len);
+    p += len;
+    rem -= len;
+    *p++ = (kc->keepalive_flag ? KEEP_ALIVE : 0);
+    --rem;
+
+    s = getenv("DISPLAY");
+    if (s == NULL || (s = strchr(s, ':')) == NULL) 
+	s = ":0";
+    len = strlen (s);
+    tmp = KRB_PUT_INT (len, p, rem, 4);
+    if (tmp < 0)
+	return 1;
+    rem -= tmp;
+    p += tmp;
+    memcpy (p, s, len);
+    p += len;
+    rem -= len;
+
+    s = getenv("XAUTHORITY");
+    if (s == NULL)
+	s = "";
+    len = strlen (s);
+    tmp = KRB_PUT_INT (len, p, rem, 4);
+    if (tmp < 0)
+	return 1;
+    p += len;
+    rem -= len;
+    memcpy (p, s, len);
+    p += len;
+    rem -= len;
+
+    if (kx_write (kc, otherside, msg, p - msg) != p - msg)
+	err (1, "write to %s", host);
+
+    len = kx_read (kc, otherside, msg, sizeof(msg));
+    if (len < 0)
+	err (1, "read from %s", host);
+    p = (u_char *)msg;
+    if (*p == ERROR) {
+	u_int32_t u32;
+
+	p++;
+	p += krb_get_int (p, &u32, 4, 0);
+	errx (1, "%s: %.*s", host, (int)u32, p);
+    } else if (*p != ACK) {
+	errx (1, "%s: strange msg %d", host, *p);
+    } else
+	p++;
+
+    tmp2 = get_xsockets (&nsockets, &sockets, kc->tcp_flag);
+    if (tmp2 < 0)
+	return 1;
+    display_num = tmp2;
+    if (kc->tcp_flag)
+	snprintf (display, display_size, "localhost:%u", display_num);
+    else
+	snprintf (display, display_size, ":%u", display_num);
+    error = create_and_write_cookie (xauthfile, xauthfile_size,
+				     cookie, cookie_len);
+    if (error) {
+	warnx ("failed creating cookie file: %s", strerror(error));
+	return 1;
+    }
+    status_output (kc->debug_flag);
+    for (;;) {
+	fd_set fdset;
+	pid_t child;
+	int fd, thisfd = -1;
+	socklen_t zero = 0;
+
+	FD_ZERO(&fdset);
+	for (i = 0; i < nsockets; ++i) {
+	    if (sockets[i].fd >= FD_SETSIZE) 
+		errx (1, "fd too large");
+	    FD_SET(sockets[i].fd, &fdset);
+	}
+	if (select(FD_SETSIZE, &fdset, NULL, NULL, NULL) <= 0)
+	    continue;
+	for (i = 0; i < nsockets; ++i)
+	    if (FD_ISSET(sockets[i].fd, &fdset)) {
+		thisfd = sockets[i].fd;
+		break;
+	    }
+	fd = accept (thisfd, NULL, &zero);
+	if (fd < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		err(1, "accept");
+	}
+
+	p = msg;
+	*p++ = NEW_CONN;
+	if (kx_write (kc, otherside, msg, p - msg) != p - msg)
+	    err (1, "write to %s", host);
+	len = kx_read (kc, otherside, msg, sizeof(msg));
+	if (len < 0)
+	    err (1, "read from %s", host);
+	p = (u_char *)msg;
+	if (*p == ERROR) {
+	    u_int32_t val;
+
+	    p++;
+	    p += krb_get_int (p, &val, 4, 0);
+	    errx (1, "%s: %.*s", host, (int)val, p);
+	} else if (*p != NEW_CONN) {
+	    errx (1, "%s: strange msg %d", host, *p);
+	} else {
+	    p++;
+	    p += krb_get_int (p, &other_port, 4, 0);
+	}
+
+	++nchild;
+	child = fork ();
+	if (child < 0) {
+	    warn("fork");
+	    continue;
+	} else if (child == 0) {
+	    int s;
+	    struct sockaddr_in addr;
+
+	    for (i = 0; i < nsockets; ++i)
+		close (sockets[i].fd);
+
+	    addr = kc->thataddr;
+	    close (otherside);
+
+	    addr.sin_port = htons(other_port);
+	    s = socket (AF_INET, SOCK_STREAM, 0);
+	    if (s < 0)
+		err(1, "socket");
+#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
+	    {
+		int one = 1;
+
+		setsockopt (s, IPPROTO_TCP, TCP_NODELAY, (void *)&one,
+			    sizeof(one));
+	    }
+#endif
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+	    if (kc->keepalive_flag) {
+		int one = 1;
+
+		setsockopt (s, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+			    sizeof(one));
+	    }
+#endif
+
+	    if (connect (s, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+		err(1, "connect");
+
+	    return active_session (fd, s, kc);
+	} else {
+	    close (fd);
+	}
+    }
+}
+
+/*
+ * Should we interpret `disp' as this being a passive call?
+ */
+
+static int
+check_for_passive (const char *disp)
+{
+    char local_hostname[MaxHostNameLen];
+
+    gethostname (local_hostname, sizeof(local_hostname));
+
+    return disp != NULL &&
+	(*disp == ':'
+	 || strncmp(disp, "unix", 4) == 0
+	 || strncmp(disp, "localhost", 9) == 0
+	 || strncmp(disp, local_hostname, strlen(local_hostname)) == 0);
+}
+
+/*
+ * Set up signal handlers and then call the functions.
+ */
+
+static int
+doit (kx_context *kc, int passive_flag)
+{
+    signal (SIGCHLD, childhandler);
+    signal (SIGUSR1, usr1handler);
+    signal (SIGUSR2, usr2handler);
+    if (passive_flag)
+	return doit_passive (kc);
+    else
+	return doit_active  (kc);
+}
+
+#ifdef KRB4
+
+/*
+ * Start a v4-authenticatated kx connection.
+ */
+
+static int
+doit_v4 (const char *host, int port, const char *user, 
+	 int passive_flag, int debug_flag, int keepalive_flag, int tcp_flag)
+{
+    int ret;
+    kx_context context;
+
+    krb4_make_context (&context);
+    context_set (&context,
+		 host, user, port, debug_flag, keepalive_flag, tcp_flag);
+
+    ret = doit (&context, passive_flag);
+    context_destroy (&context);
+    return ret;
+}
+#endif /* KRB4 */
+
+#ifdef KRB5
+
+/*
+ * Start a v5-authenticatated kx connection.
+ */
+
+static int
+doit_v5 (const char *host, int port, const char *user,
+	 int passive_flag, int debug_flag, int keepalive_flag, int tcp_flag)
+{
+    int ret;
+    kx_context context;
+
+    krb5_make_context (&context);
+    context_set (&context,
+		 host, user, port, debug_flag, keepalive_flag, tcp_flag);
+
+    ret = doit (&context, passive_flag);
+    context_destroy (&context);
+    return ret;
+}
+#endif /* KRB5 */
+
+/*
+ * Variables set from the arguments
+ */
+
+#ifdef KRB4
+static int use_v4		= -1;
+#ifdef HAVE_KRB_ENABLE_DEBUG
+static int krb_debug_flag	= 0;
+#endif /* HAVE_KRB_ENABLE_DEBUG */
+#endif /* KRB4 */
+#ifdef KRB5
+static int use_v5		= -1;
+#endif
+static char *port_str		= NULL;
+static const char *user		= NULL;
+static int tcp_flag		= 0;
+static int passive_flag		= 0;
+static int keepalive_flag	= 1;
+static int debug_flag		= 0;
+static int version_flag		= 0;
+static int help_flag		= 0;
+
+struct getargs args[] = {
+#ifdef KRB4
+    { "krb4",	'4', arg_flag,		&use_v4,	"Use Kerberos V4",
+      NULL },
+#ifdef HAVE_KRB_ENABLE_DEBUG
+    { "krb4-debug", 'D', arg_flag,	&krb_debug_flag,
+      "enable krb4 debugging" },
+#endif /* HAVE_KRB_ENABLE_DEBUG */
+#endif /* KRB4 */
+#ifdef KRB5
+    { "krb5",	'5', arg_flag,		&use_v5,	"Use Kerberos V5",
+      NULL },
+#endif
+    { "port",	'p', arg_string,	&port_str,	"Use this port",
+      "number-of-service" },
+    { "user",	'l', arg_string,	&user,		"Run as this user",
+      NULL },
+    { "tcp",	't', arg_flag,		&tcp_flag,
+      "Use a TCP connection for X11" },
+    { "passive", 'P', arg_flag,		&passive_flag,
+      "Force a passive connection" },
+    { "keepalive", 'k', arg_negative_flag, &keepalive_flag,
+      "disable keep-alives" },
+    { "debug",	'd',	arg_flag,	&debug_flag,
+      "Enable debug information" },
+    { "version", 0,  arg_flag,		&version_flag,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&help_flag,	NULL,
+      NULL }
+};
+
+static void
+usage(int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "host");
+    exit (ret);
+}
+
+/*
+ * kx - forward an x-connection over a kerberos-encrypted channel.
+ */
+
+int
+main(int argc, char **argv)
+{
+    int port	= 0;
+    int optind	= 0;
+    int ret	= 1;
+    char *host	= NULL;
+
+    setprogname (argv[0]);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+
+    if (optind != argc - 1)
+	usage (1);
+
+    host = argv[optind];
+
+    if (port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (user == NULL) {
+	user = get_default_username ();
+	if (user == NULL)
+	    errx (1, "who are you?");
+    }
+
+    if (!passive_flag)
+	passive_flag = check_for_passive (getenv("DISPLAY"));
+
+#if defined(HAVE_KERNEL_ENABLE_DEBUG)
+    if (krb_debug_flag)
+	krb_enable_debug ();
+#endif
+
+#if defined(KRB4) && defined(KRB5)
+    if(use_v4 == -1 && use_v5 == 1)
+	use_v4 = 0;
+    if(use_v5 == -1 && use_v4 == 1)
+	use_v5 = 0;
+#endif    
+
+#ifdef KRB5
+    if (ret && use_v5) {
+	if (port == 0)
+	    port = krb5_getportbyname(NULL, "kx", "tcp", KX_PORT);
+	ret = doit_v5 (host, port, user,
+		       passive_flag, debug_flag, keepalive_flag, tcp_flag);
+    }
+#endif
+#ifdef KRB4
+    if (ret && use_v4) {
+	if (port == 0)
+	    port = k_getportbyname("kx", "tcp", htons(KX_PORT));
+	ret = doit_v4 (host, port, user, 
+		       passive_flag, debug_flag, keepalive_flag, tcp_flag);
+    }
+#endif
+    return ret;
+}
diff --git a/crypto/heimdal/appl/kx/kx.cat1 b/crypto/heimdal/appl/kx/kx.cat1
new file mode 100644
index 0000000..ce22926
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kx.cat1
@@ -0,0 +1,39 @@
+
+KX(1)                        UNIX Reference Manual                       KX(1)
+
+NNAAMMEE
+     kkxx - securely forward X conections
+
+SSYYNNOOPPSSIISS
+     _k_x [--ll _u_s_e_r_n_a_m_e] [--kk] [--dd] [--tt] [--pp _p_o_r_t] [--PP] _h_o_s_t
+
+DDEESSCCRRIIPPTTIIOONN
+     The kkxx program forwards a X connection from a remote client to a local
+     screen through an authenticated and encrypted stream.  Options supported
+     by kkxx:
+
+     --ll      Log in on remote the host as user _u_s_e_r_n_a_m_e.
+
+     --kk      Do not enable keep-alives on the TCP connections.
+
+     --dd      Do not fork. This is mainly useful for debugging.
+
+     --tt      Listen not only on a UNIX-domain socket but on a TCP socket as
+             well.
+
+     --pp      Use the port _p_o_r_t.
+
+     --PP      Force passive mode.
+
+     This program is used by rrxxtteellnneett and rrxxtteerrmm and you should not need to
+     run it directly.
+
+     It connects to a kkxxdd on the host _h_o_s_t and then will relay the traffic
+     from the remote X clients to the local server.  When started, it prints
+     the display and Xauthority-file to be used on host _h_o_s_t and then goes to
+     the background, waiting for connections from the remote kkxxdd..
+
+SSEEEE AALLSSOO
+     rxtelnet(1),  rxterm(1),  kxd(8)
+
+ KTH-KRB                      September 27, 1996                             1
diff --git a/crypto/heimdal/appl/kx/kx.h b/crypto/heimdal/appl/kx/kx.h
new file mode 100644
index 0000000..fdda414
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kx.h
@@ -0,0 +1,259 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kx.h,v 1.38 2000/02/06 05:52:03 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif /* HAVE_CONFIG_H */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <errno.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+#include <X11/X.h>
+#include <X11/Xlib.h>
+#include <X11/Xauth.h>
+
+#ifdef HAVE_SYS_STREAM_H
+#include <sys/stream.h>
+#endif
+#ifdef HAVE_SYS_STROPTS_H
+#include <sys/stropts.h>
+#endif
+
+/* as far as we know, this is only used with later versions of Slowlaris */
+#if SunOS >= 50 && defined(HAVE_SYS_STROPTS_H) && defined(HAVE_FATTACH) && defined(I_PUSH)
+#define MAY_HAVE_X11_PIPES
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#ifdef KRB4
+#include <krb.h>
+#include <prot.h>
+#endif
+#ifdef KRB5
+#include <krb5.h>
+#endif
+
+#include <err.h>
+#include <getarg.h>
+#include <roken.h>
+
+struct x_socket {
+    char *pathname;
+    int fd;
+    enum {
+	LISTENP     = 0x80,
+	TCP         = LISTENP | 1,
+	UNIX_SOCKET = LISTENP | 2,
+	STREAM_PIPE = 3
+    } flags;
+};
+
+extern char x_socket[];
+extern u_int32_t display_num;
+extern char display[];
+extern int display_size;
+extern char xauthfile[];
+extern int xauthfile_size;
+extern u_char cookie[];
+extern size_t cookie_len;
+
+int get_xsockets (int *number, struct x_socket **sockets, int tcpp);
+int chown_xsockets (int n, struct x_socket *sockets, uid_t uid, gid_t gid);
+
+int connect_local_xsocket (unsigned dnr);
+int create_and_write_cookie (char *xauthfile,
+			     size_t size,
+			     u_char *cookie,
+			     size_t sz);
+int verify_and_remove_cookies (int fd, int sock, int cookiesp);
+int replace_cookie(int xserver, int fd, char *filename, int cookiesp);
+
+int suspicious_address (int sock, struct sockaddr_in addr);
+
+#define KX_PORT 2111
+
+#define KX_OLD_VERSION "KXSERV.1"
+#define KX_VERSION "KXSERV.2"
+
+#define COOKIE_TYPE "MIT-MAGIC-COOKIE-1"
+
+enum { INIT = 0, ACK = 1, NEW_CONN = 2, ERROR = 3 };
+
+enum kx_flags { PASSIVE = 1, KEEP_ALIVE = 2 };
+
+typedef enum kx_flags kx_flags;
+
+struct kx_context {
+    int (*authenticate)(struct kx_context *kc, int s);
+    int (*userok)(struct kx_context *kc, char *user);
+    ssize_t (*read)(struct kx_context *kc,
+		    int fd, void *buf, size_t len);
+    ssize_t (*write)(struct kx_context *kc,
+		     int fd, const void *buf, size_t len);
+    int (*copy_encrypted)(struct kx_context *kc,
+			  int fd1, int fd2);
+    void (*destroy)(struct kx_context *kc);
+    const char *host;
+    const char *user;
+    int port;
+    int debug_flag;
+    int keepalive_flag;
+    int tcp_flag;
+    struct sockaddr_in thisaddr, thataddr;
+    void *data;
+};
+
+typedef struct kx_context kx_context;
+
+void
+context_set (kx_context *kc, const char *host, const char *user, int port,
+	     int debug_flag, int keepalive_flag, int tcp_flag);
+
+void
+context_destroy (kx_context *kc);
+
+int
+context_authenticate (kx_context *kc, int s);
+
+int
+context_userok (kx_context *kc, char *user);
+
+ssize_t
+kx_read (kx_context *kc, int fd, void *buf, size_t len);
+
+ssize_t
+kx_write (kx_context *kc, int fd, const void *buf, size_t len);
+
+int
+copy_encrypted (kx_context *kc, int fd1, int fd2);
+
+#ifdef KRB4
+
+void
+krb4_make_context (kx_context *c);
+
+int
+recv_v4_auth (kx_context *kc, int sock, u_char *buf);
+
+#endif
+
+#ifdef KRB5
+
+void
+krb5_make_context (kx_context *c);
+
+int
+recv_v5_auth (kx_context *kc, int sock, u_char *buf);
+
+#endif
+
+void
+fatal (kx_context *kc, int fd, char *format, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 3, 4)))
+#endif
+;
+
+#ifndef KRB4
+
+int
+krb_get_int(void *f, u_int32_t *to, int size, int lsb);
+
+int
+krb_put_int(u_int32_t from, void *to, size_t rem, int size);
+
+#endif
diff --git a/crypto/heimdal/appl/kx/kxd.8 b/crypto/heimdal/appl/kx/kxd.8
new file mode 100644
index 0000000..04b7db5
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kxd.8
@@ -0,0 +1,53 @@
+.\" $Id: kxd.8,v 1.5 2001/01/11 16:16:26 assar Exp $
+.\"
+.Dd September 27, 1996
+.Dt KXD 8
+.Os KTH-KRB
+.Sh NAME
+.Nm kxd
+.Nd
+securely forward X conections
+.Sh SYNOPSIS
+.Ar kxd
+.Op Fl t
+.Op Fl i
+.Op Fl p Ar port
+.Sh DESCRIPTION
+This is the daemon for
+.Nm kx .
+.Pp
+Options supported by
+.Nm kxd :
+.Bl -tag -width Ds
+.It Fl t
+TCP.  Normally
+.Nm kxd
+will only listen for X connections on a UNIX socket, but some machines
+(for example, Cray) have X libraries that are not able to use UNIX
+sockets and thus you need to use TCP to talk to the pseudo-xserver
+created by
+.Nm kxd.
+This option decreases the security significantly and should only be
+used when it is necessary and you have considered the consequences of
+doing so.
+.It Fl i
+Interactive.  Do not expect to be started by
+.Nm inetd,
+but allocate and listen to the socket yourself.  Handy for testing
+and debugging.
+.It Fl p
+Port.  Listen on the port
+.Ar port .
+Only usable with
+.Fl i .
+.El
+.Sh EXAMPLES
+Put the following in
+.Pa /etc/inetd.conf :
+.Bd -literal
+kx	stream	tcp	nowait	root	/usr/athena/libexec/kxd	kxd
+.Ed
+.Sh SEE ALSO
+.Xr kx 1 ,
+.Xr rxtelnet 1 ,
+.Xr rxterm 1
diff --git a/crypto/heimdal/appl/kx/kxd.c b/crypto/heimdal/appl/kx/kxd.c
new file mode 100644
index 0000000..65f6165
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kxd.c
@@ -0,0 +1,754 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: kxd.c,v 1.69 2001/02/20 01:44:45 assar Exp $");
+
+static pid_t wait_on_pid = -1;
+static int   done        = 0;
+
+/*
+ * Signal handler that justs waits for the children when they die.
+ */
+
+static RETSIGTYPE
+childhandler (int sig)
+{
+     pid_t pid;
+     int status;
+
+     do { 
+       pid = waitpid (-1, &status, WNOHANG|WUNTRACED);
+       if (pid > 0 && pid == wait_on_pid)
+	   done = 1;
+     } while(pid > 0);
+     signal (SIGCHLD, childhandler);
+     SIGRETURN(0);
+}
+
+/*
+ * Print the error message `format' and `...' on fd and die.
+ */
+
+void
+fatal (kx_context *kc, int fd, char *format, ...)
+{
+    u_char msg[1024];
+    u_char *p;
+    va_list args;
+    int len;
+
+    va_start(args, format);
+    p = msg;
+    *p++ = ERROR;
+    vsnprintf ((char *)p + 4, sizeof(msg) - 5, format, args);
+    syslog (LOG_ERR, "%s", (char *)p + 4);
+    len = strlen ((char *)p + 4);
+    p += KRB_PUT_INT (len, p, 4, 4);
+    p += len;
+    kx_write (kc, fd, msg, p - msg);
+    va_end(args);
+    exit (1);
+}
+
+/*
+ * Remove all sockets and cookie files.
+ */
+
+static void
+cleanup(int nsockets, struct x_socket *sockets)
+{
+    int i;
+
+    if(xauthfile[0])
+	unlink(xauthfile);
+    for (i = 0; i < nsockets; ++i) {
+	if (sockets[i].pathname != NULL) {
+	    unlink (sockets[i].pathname);
+	    free (sockets[i].pathname);
+	}
+    }
+}
+
+/*
+ * Prepare to receive a connection on `sock'.
+ */
+
+static int
+recv_conn (int sock, kx_context *kc,
+	   int *dispnr, int *nsockets, struct x_socket **sockets,
+	   int tcp_flag)
+{
+     u_char msg[1024], *p;
+     char user[256];
+     socklen_t addrlen;
+     struct passwd *passwd;
+     struct sockaddr_in thisaddr, thataddr;
+     char remotehost[MaxHostNameLen];
+     char remoteaddr[INET6_ADDRSTRLEN];
+     int ret = 1;
+     int flags;
+     int len;
+     u_int32_t tmp32;
+
+     addrlen = sizeof(thisaddr);
+     if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thisaddr)) {
+	 syslog (LOG_ERR, "getsockname: %m");
+	 exit (1);
+     }
+     addrlen = sizeof(thataddr);
+     if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thataddr)) {
+	 syslog (LOG_ERR, "getpeername: %m");
+	 exit (1);
+     }
+
+     kc->thisaddr = thisaddr;
+     kc->thataddr = thataddr;
+
+     getnameinfo_verified ((struct sockaddr *)&thataddr, addrlen,
+			   remotehost, sizeof(remotehost),
+			   NULL, 0, 0);
+
+     if (net_read (sock, msg, 4) != 4) {
+	 syslog (LOG_ERR, "read: %m");
+	 exit (1);
+     }
+
+#ifdef KRB5
+     if (ret && recv_v5_auth (kc, sock, msg) == 0)
+	 ret = 0;
+#endif
+#ifdef KRB4
+     if (ret && recv_v4_auth (kc, sock, msg) == 0)
+	 ret = 0;
+#endif
+     if (ret) {
+	 syslog (LOG_ERR, "unrecognized auth protocol: %x %x %x %x",
+		 msg[0], msg[1], msg[2], msg[3]);
+	 exit (1);
+     }
+
+     len = kx_read (kc, sock, msg, sizeof(msg));
+     if (len < 0) {
+	 syslog (LOG_ERR, "kx_read failed");
+	 exit (1);
+     }
+     p = (u_char *)msg;
+     if (*p != INIT)
+	 fatal(kc, sock, "Bad message");
+     p++;
+     p += krb_get_int (p, &tmp32, 4, 0);
+     len = min(sizeof(user), tmp32);
+     memcpy (user, p, len);
+     p += tmp32;
+     user[len] = '\0';
+
+     passwd = k_getpwnam (user);
+     if (passwd == NULL)
+	 fatal (kc, sock, "cannot find uid for %s", user);
+
+     if (context_userok (kc, user) != 0)
+	 fatal (kc, sock, "%s not allowed to login as %s",
+		kc->user, user);
+
+     flags = *p++;
+
+     if (flags & PASSIVE) {
+	 pid_t pid;
+	 int tmp;
+
+	 tmp = get_xsockets (nsockets, sockets, tcp_flag);
+	 if (tmp < 0) {
+	     fatal (kc, sock, "Cannot create X socket(s): %s",
+		    strerror(errno));
+	 }
+	 *dispnr = tmp;
+
+	 if (chown_xsockets (*nsockets, *sockets,
+			    passwd->pw_uid, passwd->pw_gid)) {
+	     cleanup (*nsockets, *sockets);
+	     fatal (kc, sock, "Cannot chown sockets: %s",
+		    strerror(errno));
+	 }
+
+	 pid = fork();
+	 if (pid == -1) {
+	     cleanup (*nsockets, *sockets);
+	     fatal (kc, sock, "fork: %s", strerror(errno));
+	 } else if (pid != 0) {
+	     wait_on_pid = pid;
+	     while (!done)
+		 pause ();
+	     cleanup (*nsockets, *sockets);
+	     exit (0);
+	 }
+     }
+
+     if (setgid (passwd->pw_gid) ||
+	 initgroups(passwd->pw_name, passwd->pw_gid) ||
+#ifdef HAVE_GETUDBNAM /* XXX this happens on crays */
+	 setjob(passwd->pw_uid, 0) == -1 ||
+#endif
+	 setuid(passwd->pw_uid)) {
+	 syslog(LOG_ERR, "setting uid/groups: %m");
+	 fatal (kc, sock, "cannot set uid");
+     }
+     inet_ntop (thataddr.sin_family,
+		&thataddr.sin_addr, remoteaddr, sizeof(remoteaddr));
+
+     syslog (LOG_INFO, "from %s(%s): %s -> %s",
+	     remotehost, remoteaddr,
+	     kc->user, user);
+     umask(077);
+     if (!(flags & PASSIVE)) {
+	 p += krb_get_int (p, &tmp32, 4, 0);
+	 len = min(tmp32, display_size);
+	 memcpy (display, p, len);
+	 display[len] = '\0';
+	 p += tmp32;
+	 p += krb_get_int (p, &tmp32, 4, 0);
+	 len = min(tmp32, xauthfile_size);
+	 memcpy (xauthfile, p, len);
+	 xauthfile[len] = '\0';
+	 p += tmp32;
+     }
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+     if (flags & KEEP_ALIVE) {
+	 int one = 1;
+
+	 setsockopt (sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+		     sizeof(one));
+     }
+#endif
+     return flags;
+}
+
+/*
+ *
+ */
+
+static int
+passive_session (kx_context *kc, int fd, int sock, int cookiesp)
+{
+    if (verify_and_remove_cookies (fd, sock, cookiesp))
+	return 1;
+    else
+	return copy_encrypted (kc, fd, sock);
+}
+
+/*
+ *
+ */
+
+static int
+active_session (kx_context *kc, int fd, int sock, int cookiesp)
+{
+    fd = connect_local_xsocket(0);
+
+    if (replace_cookie (fd, sock, xauthfile, cookiesp))
+	return 1;
+    else
+	return copy_encrypted (kc, fd, sock);
+}
+
+/*
+ * Handle a new connection.
+ */
+
+static int
+doit_conn (kx_context *kc,
+	   int fd, int meta_sock, int flags, int cookiesp)
+{
+    int sock, sock2;
+    struct sockaddr_in addr;
+    struct sockaddr_in thisaddr;
+    socklen_t addrlen;
+    u_char msg[1024], *p;
+
+    sock = socket (AF_INET, SOCK_STREAM, 0);
+    if (sock < 0) {
+	syslog (LOG_ERR, "socket: %m");
+	return 1;
+    }
+#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
+    {
+	int one = 1;
+	setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, (void *)&one, sizeof(one));
+    }
+#endif
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+     if (flags & KEEP_ALIVE) {
+	 int one = 1;
+
+	 setsockopt (sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+		     sizeof(one));
+     }
+#endif
+    memset (&addr, 0, sizeof(addr));
+    addr.sin_family = AF_INET;
+    if (bind (sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
+	syslog (LOG_ERR, "bind: %m");
+	return 1;
+    }
+    addrlen = sizeof(addr);
+    if (getsockname (sock, (struct sockaddr *)&addr, &addrlen) < 0) {
+	syslog (LOG_ERR, "getsockname: %m");
+	return 1;
+    }
+    if (listen (sock, SOMAXCONN) < 0) {
+	syslog (LOG_ERR, "listen: %m");
+	return 1;
+    }
+    p = msg;
+    *p++ = NEW_CONN;
+    p += KRB_PUT_INT (ntohs(addr.sin_port), p, 4, 4);
+
+    if (kx_write (kc, meta_sock, msg, p - msg) < 0) {
+	syslog (LOG_ERR, "write: %m");
+	return 1;
+    }
+
+    addrlen = sizeof(thisaddr);
+    sock2 = accept (sock, (struct sockaddr *)&thisaddr, &addrlen);
+    if (sock2 < 0) {
+	syslog (LOG_ERR, "accept: %m");
+	return 1;
+    }
+    close (sock);
+    close (meta_sock);
+
+    if (flags & PASSIVE)
+	return passive_session (kc, fd, sock2, cookiesp);
+    else
+	return active_session (kc, fd, sock2, cookiesp);
+}
+
+/*
+ *  Is the current user the owner of the console?
+ */
+
+static void
+check_user_console (kx_context *kc, int fd)
+{
+     struct stat sb;
+
+     if (stat ("/dev/console", &sb) < 0)
+	 fatal (kc, fd, "Cannot stat /dev/console: %s", strerror(errno));
+     if (getuid() != sb.st_uid)
+	 fatal (kc, fd, "Permission denied");
+}
+
+/* close down the new connection with a reasonable error message */
+static void
+close_connection(int fd, const char *message)
+{
+    char buf[264]; /* max message */
+    char *p;
+    int lsb = 0;
+    size_t mlen;
+
+    mlen = strlen(message);
+    if(mlen > 255)
+	mlen = 255;
+    
+    /* read first part of connection packet, to get byte order */
+    if(read(fd, buf, 6) != 6) {
+	close(fd);
+	return;
+    }
+    if(buf[0] == 0x6c)
+	lsb++;
+    p = buf;
+    *p++ = 0;				/* failed */
+    *p++ = mlen;			/* length of message */
+    p += 4;				/* skip protocol version */
+    p += 2;				/* skip additional length */
+    memcpy(p, message, mlen);		/* copy message */
+    p += mlen;
+    while((p - buf) % 4)		/* pad to multiple of 4 bytes */
+	*p++ = 0;
+	
+    /* now fill in length of additional data */
+    if(lsb) { 
+	buf[6] = (p - buf - 8) / 4;
+	buf[7] = 0;
+    }else{
+	buf[6] = 0;
+	buf[7] = (p - buf - 8) / 4;
+    }
+    write(fd, buf, p - buf);
+    close(fd);
+}
+
+
+/*
+ * Handle a passive session on `sock'
+ */
+
+static int
+doit_passive (kx_context *kc,
+	      int sock,
+	      int flags,
+	      int dispnr,
+	      int nsockets,
+	      struct x_socket *sockets,
+	      int tcp_flag)
+{
+    int tmp;
+    int len;
+    size_t rem;
+    u_char msg[1024], *p;
+    int error;
+
+    display_num = dispnr;
+    if (tcp_flag)
+	snprintf (display, display_size, "localhost:%u", display_num);
+    else
+	snprintf (display, display_size, ":%u", display_num);
+    error = create_and_write_cookie (xauthfile, xauthfile_size, 
+				     cookie, cookie_len);
+    if (error) {
+	cleanup(nsockets, sockets);
+	fatal (kc, sock, "Cookie-creation failed: %s", strerror(error));
+	return 1;
+    }
+
+    p = msg;
+    rem = sizeof(msg);
+    *p++ = ACK;
+    --rem;
+
+    len = strlen (display);
+    tmp = KRB_PUT_INT (len, p, rem, 4);
+    if (tmp < 0 || rem < len + 4) {
+	syslog (LOG_ERR, "doit: buffer too small");
+	cleanup(nsockets, sockets);
+	return 1;
+    }
+    p += tmp;
+    rem -= tmp;
+
+    memcpy (p, display, len);
+    p += len;
+    rem -= len;
+
+    len = strlen (xauthfile);
+    tmp = KRB_PUT_INT (len, p, rem, 4);
+    if (tmp < 0 || rem < len + 4) {
+	syslog (LOG_ERR, "doit: buffer too small");
+	cleanup(nsockets, sockets);
+	return 1;
+    }
+    p += tmp;
+    rem -= tmp;
+
+    memcpy (p, xauthfile, len);
+    p += len;
+    rem -= len;
+	  
+    if(kx_write (kc, sock, msg, p - msg) < 0) {
+	syslog (LOG_ERR, "write: %m");
+	cleanup(nsockets, sockets);
+	return 1;
+    }
+    for (;;) {
+	pid_t child;
+	int fd = -1;
+	fd_set fds;
+	int i;
+	int ret;
+	int cookiesp = TRUE;
+	       
+	FD_ZERO(&fds);
+	if (sock >= FD_SETSIZE) {
+	    syslog (LOG_ERR, "fd too large");
+	    cleanup(nsockets, sockets);
+	    return 1;
+	}
+
+	FD_SET(sock, &fds);
+	for (i = 0; i < nsockets; ++i) {
+	    if (sockets[i].fd >= FD_SETSIZE) {
+		syslog (LOG_ERR, "fd too large");
+		cleanup(nsockets, sockets);
+		return 1;
+	    }
+	    FD_SET(sockets[i].fd, &fds);
+	}
+	ret = select(FD_SETSIZE, &fds, NULL, NULL, NULL);
+	if(ret <= 0)
+	    continue;
+	if(FD_ISSET(sock, &fds)){
+	    /* there are no processes left on the remote side
+	     */
+	    cleanup(nsockets, sockets);
+	    exit(0);
+	} else if(ret) {
+	    for (i = 0; i < nsockets; ++i) {
+		if (FD_ISSET(sockets[i].fd, &fds)) {
+		    if (sockets[i].flags == TCP) {
+			struct sockaddr_in peer;
+			socklen_t len = sizeof(peer);
+
+			fd = accept (sockets[i].fd,
+				     (struct sockaddr *)&peer,
+				     &len);
+			if (fd < 0 && errno != EINTR)
+			    syslog (LOG_ERR, "accept: %m");
+
+			/* XXX */
+			if (fd >= 0 && suspicious_address (fd, peer)) {
+			    close (fd);
+			    fd = -1;
+			    errno = EINTR;
+			}
+		    } else if(sockets[i].flags == UNIX_SOCKET) {
+			socklen_t zero = 0;
+
+			fd = accept (sockets[i].fd, NULL, &zero);
+
+			if (fd < 0 && errno != EINTR)
+			    syslog (LOG_ERR, "accept: %m");
+#ifdef MAY_HAVE_X11_PIPES
+		    } else if(sockets[i].flags == STREAM_PIPE) {
+			/*
+			 * this code tries to handle the
+			 * send fd-over-pipe stuff for
+			 * solaris
+			 */
+
+			struct strrecvfd strrecvfd;
+
+			ret = ioctl (sockets[i].fd,
+				     I_RECVFD, &strrecvfd);
+			if (ret < 0 && errno != EINTR) {
+			    syslog (LOG_ERR, "ioctl I_RECVFD: %m");
+			}
+
+			/* XXX */
+			if (ret == 0) {
+			    if (strrecvfd.uid != getuid()) {
+				close (strrecvfd.fd);
+				fd = -1;
+				errno = EINTR;
+			    } else {
+				fd = strrecvfd.fd;
+				cookiesp = FALSE;
+			    }
+			}
+#endif /* MAY_HAVE_X11_PIPES */
+		    } else
+			abort ();
+		    break;
+		}
+	    }
+	}
+	if (fd < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		return 1;
+	}
+
+	child = fork ();
+	if (child < 0) {
+	    syslog (LOG_ERR, "fork: %m");
+	    if(errno != EAGAIN)
+		return 1;
+	    close_connection(fd, strerror(errno));
+	} else if (child == 0) {
+	    for (i = 0; i < nsockets; ++i)
+		close (sockets[i].fd);
+	    return doit_conn (kc, fd, sock, flags, cookiesp);
+	} else {
+	    close (fd);
+	}
+    }
+}
+
+/*
+ * Handle an active session on `sock'
+ */
+
+static int
+doit_active (kx_context *kc,
+	     int sock,
+	     int flags,
+	     int tcp_flag)
+{
+    u_char msg[1024], *p;
+
+    check_user_console (kc, sock);
+
+    p = msg;
+    *p++ = ACK;
+	  
+    if(kx_write (kc, sock, msg, p - msg) < 0) {
+	syslog (LOG_ERR, "write: %m");
+	return 1;
+    }
+    for (;;) {
+	pid_t child;
+	int len;
+	      
+	len = kx_read (kc, sock, msg, sizeof(msg));
+	if (len < 0) {
+	    syslog (LOG_ERR, "read: %m");
+	    return 1;
+	}
+	p = (u_char *)msg;
+	if (*p != NEW_CONN) {
+	    syslog (LOG_ERR, "bad_message: %d", *p);
+	    return 1;
+	}
+
+	child = fork ();
+	if (child < 0) {
+	    syslog (LOG_ERR, "fork: %m");
+	    if (errno != EAGAIN)
+		return 1;
+	} else if (child == 0) {
+	    return doit_conn (kc, sock, sock, flags, 1);
+	} else {
+	}
+    }
+}
+
+/*
+ * Receive a connection on `sock' and process it.
+ */
+
+static int
+doit(int sock, int tcp_flag)
+{
+    int ret;
+    kx_context context;
+    int dispnr;
+    int nsockets;
+    struct x_socket *sockets;
+    int flags;
+
+    flags = recv_conn (sock, &context, &dispnr, &nsockets, &sockets, tcp_flag);
+
+    if (flags & PASSIVE)
+	ret = doit_passive (&context, sock, flags, dispnr,
+			    nsockets, sockets, tcp_flag);
+    else
+	ret = doit_active (&context, sock, flags, tcp_flag);
+    context_destroy (&context);
+    return ret;
+}
+
+static char *port_str		= NULL;
+static int inetd_flag		= 1;
+static int tcp_flag		= 0;
+static int version_flag		= 0;
+static int help_flag		= 0;
+
+struct getargs args[] = {
+    { "inetd",		'i',	arg_negative_flag,	&inetd_flag,
+      "Not started from inetd" },
+    { "tcp",		't',	arg_flag,	&tcp_flag,	"Use TCP" },
+    { "port",		'p',	arg_string,	&port_str,	"Use this port",
+      "port" },
+    { "version",	0, 	arg_flag,		&version_flag },
+    { "help",		0, 	arg_flag,		&help_flag }
+};
+
+static void
+usage(int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "host");
+    exit (ret);
+}
+
+/*
+ * kxd - receive a forwarded X conncection
+ */
+
+int
+main (int argc, char **argv)
+{
+    int port;
+    int optind = 0;
+
+    setprogname (argv[0]);
+    roken_openlog ("kxd", LOG_ODELAY | LOG_PID, LOG_DAEMON);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+
+    if(port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    } else {
+#if defined(KRB5)
+	port = krb5_getportbyname(NULL, "kx", "tcp", KX_PORT);
+#elif defined(KRB4)
+	port = k_getportbyname ("kx", "tcp", htons(KX_PORT));
+#else
+#error define KRB4 or KRB5
+#endif
+    }
+
+    if (!inetd_flag)
+	mini_inetd (port);
+
+     signal (SIGCHLD, childhandler);
+     return doit(STDIN_FILENO, tcp_flag);
+}
diff --git a/crypto/heimdal/appl/kx/kxd.cat8 b/crypto/heimdal/appl/kx/kxd.cat8
new file mode 100644
index 0000000..e033cee
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kxd.cat8
@@ -0,0 +1,37 @@
+
+KXD(8)                   UNIX System Manager's Manual                   KXD(8)
+
+NNAAMMEE
+     kkxxdd - securely forward X conections
+
+SSYYNNOOPPSSIISS
+     _k_x_d [--tt] [--ii] [--pp _p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     This is the daemon for kkxx.
+
+     Options supported by kkxxdd:
+
+     --tt      TCP.  Normally kkxxdd will only listen for X connections on a UNIX
+             socket, but some machines (for example, Cray) have X libraries
+             that are not able to use UNIX sockets and thus you need to use
+             TCP to talk to the pseudo-xserver created by kkxxdd.. This option de-
+             creases the security significantly and should only be used when
+             it is necessary and you have considered the consequences of doing
+             so.
+
+     --ii      Interactive.  Do not expect to be started by iinneettdd,, but allocate
+             and listen to the socket yourself.  Handy for testing and debug-
+             ging.
+
+     --pp      Port.  Listen on the port _p_o_r_t. Only usable with --ii.
+
+EEXXAAMMPPLLEESS
+     Put the following in _/_e_t_c_/_i_n_e_t_d_._c_o_n_f:
+
+     kx      stream  tcp     nowait  root    /usr/athena/libexec/kxd kxd
+
+SSEEEE AALLSSOO
+     kx(1),  rxtelnet(1),  rxterm(1)
+
+ KTH-KRB                      September 27, 1996                             1
diff --git a/crypto/heimdal/appl/kx/rxtelnet.1 b/crypto/heimdal/appl/kx/rxtelnet.1
new file mode 100644
index 0000000..7c37a7a
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxtelnet.1
@@ -0,0 +1,80 @@
+.\" $Id: rxtelnet.1,v 1.6 2001/01/11 16:16:26 assar Exp $
+.\"
+.Dd September 27, 1996
+.Dt RXTELNET 1
+.Os KTH_KRB
+.Sh NAME
+.Nm rxtelnet
+.Nd
+start a telnet and forward X-connections.
+.Sh SYNOPSIS
+.Nm rxtelnet
+.Op Fl l Ar username
+.Op Fl k
+.Op Fl t Ar telnet_args
+.Op Fl x Ar xterm_args
+.Op Fl w Ar term_emulator
+.Op Fl n
+.Ar host
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm
+program starts a
+.Nm xterm
+window with a telnet to host
+.Ar host .
+From this window you will also be able to run X clients that will be
+able to connect securily to your X server. If
+.Ar port
+is given, that port will be used instead of the default.
+.Pp
+The supported options are:
+.Bl -tag -width Ds
+.It Fl l
+Log in on the remote host as user
+.Ar username
+.It Fl k
+Disables keep-alives
+.It Fl t
+Send
+.Ar telnet_args
+as arguments to
+.Nm telnet
+.It Fl x
+Send
+.Ar xterm_args
+as arguments to
+.Nm xterm
+.It Fl w
+Use
+.Ar term_emulator
+instead of xterm.
+.It Fl n
+Do not start any terminal emulator.
+.El
+.Sh EXAMPLE
+To login from host
+.Va foo
+(where your display is)
+to host
+.Va bar ,
+you might do the following.
+.Bl -enum
+.It
+On foo: 
+.Nm
+.Va bar
+.It
+You will get a new window with a
+.Nm telnet
+to
+.Va bar .
+In this window you will be able to start X clients.
+.El
+.Sh SEE ALSO
+.Xr rxterm 1 ,
+.Xr tenletxr 1 ,
+.Xr kx 1 ,
+.Xr kxd 8 ,
+.Xr telnet 1
diff --git a/crypto/heimdal/appl/kx/rxtelnet.cat1 b/crypto/heimdal/appl/kx/rxtelnet.cat1
new file mode 100644
index 0000000..ad3f420
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxtelnet.cat1
@@ -0,0 +1,43 @@
+
+RXTELNET(1)                  UNIX Reference Manual                 RXTELNET(1)
+
+NNAAMMEE
+     rrxxtteellnneett - start a telnet and forward X-connections.
+
+SSYYNNOOPPSSIISS
+     rrxxtteellnneett [--ll _u_s_e_r_n_a_m_e] [--kk] [--tt _t_e_l_n_e_t___a_r_g_s] [--xx _x_t_e_r_m___a_r_g_s] [--ww
+              _t_e_r_m___e_m_u_l_a_t_o_r] [--nn] _h_o_s_t [_p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     The rrxxtteellnneett program starts a xxtteerrmm window with a telnet to host _h_o_s_t.
+     From this window you will also be able to run X clients that will be able
+     to connect securily to your X server. If _p_o_r_t is given, that port will be
+     used instead of the default.
+
+     The supported options are:
+
+     --ll      Log in on the remote host as user _u_s_e_r_n_a_m_e
+
+     --kk      Disables keep-alives
+
+     --tt      Send _t_e_l_n_e_t___a_r_g_s as arguments to tteellnneett
+
+     --xx      Send _x_t_e_r_m___a_r_g_s as arguments to xxtteerrmm
+
+     --ww      Use _t_e_r_m___e_m_u_l_a_t_o_r instead of xterm.
+
+     --nn      Do not start any terminal emulator.
+
+EEXXAAMMPPLLEE
+     To login from host _f_o_o (where your display is) to host _b_a_r, you might do
+     the following.
+
+     1.   On foo: rrxxtteellnneett _b_a_r
+
+     2.   You will get a new window with a tteellnneett to _b_a_r. In this window you
+          will be able to start X clients.
+
+SSEEEE AALLSSOO
+     rxterm(1),  tenletxr(1),  kx(1),  kxd(8),  telnet(1)
+
+ KTH_KRB                      September 27, 1996                             1
diff --git a/crypto/heimdal/appl/kx/rxtelnet.in b/crypto/heimdal/appl/kx/rxtelnet.in
new file mode 100644
index 0000000..233f10b
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxtelnet.in
@@ -0,0 +1,63 @@
+#!/bin/sh
+# $Id: rxtelnet.in,v 1.26 1999/02/04 21:19:50 assar Exp $
+#
+usage="Usage: $0 [-l username] [-k] [-t args_to_telnet] [-x args_to_xterm] [-w term_emulator] [-n] [-v] [-h | --help] [--version] host [port]"
+term=
+kx_args=-P
+while true
+do
+  case $1 in
+  -l) telnet_args="${telnet_args} -l $2 "; kx_args="${kx_args} -l $2"; title="${2}@"; shift 2;;
+  -t) telnet_args="${telnet_args} $2 "; shift 2;;
+  -x) xterm_args="${xterm_args} $2 "; shift 2;;
+  -k) kx_args="${kx_args} -k"; shift;;
+  -n) term=none; shift;;
+  -w) term=$2; shift 2;;
+  --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;;
+  -h) echo $usage; exit 0;;
+  --help) echo $usage; exit 0;;
+  -v) set -x; verb=1; shift;;
+  -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
+  *) break;;
+  esac
+done
+if test $# -lt 1; then
+  echo $usage
+  exit 1
+fi
+host=$1
+port=$2
+title="${title}${host}"
+bindir=%bindir%
+pdc_trams=`dirname $0`
+PATH=$pdc_trams:$bindir:$PATH
+export PATH
+set -- `kx $kx_args $host`
+if test $# -ne 3; then
+  exit 1
+fi
+screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'`
+pid=$1
+disp=${2}${screen}
+auth=$3
+oldifs=$IFS
+IFS=:
+set -- $PATH
+IFS=$oldifs
+if test -z "$term"; then
+  for j in xterm dtterm aixterm dxterm hpterm; do
+    for i in $*; do
+      test -n "$i" || i="."
+      if test -x $i/$j; then
+	term=$j; break 2
+      fi
+    done
+  done
+fi
+test "$verb" && echo "Telnet command used is `type telnet`."
+if test -n "$term" -a "$term" != "none"; then
+  ($term -title $title -n $title $xterm_args -e env DISPLAY=$disp XAUTHORITY=$auth telnet -D $telnet_args $host $port; kill -USR2 $pid) &
+else
+  env DISPLAY=$disp XAUTHORITY=$auth telnet -D $telnet_args $host $port
+  kill -USR2 $pid
+fi
diff --git a/crypto/heimdal/appl/kx/rxterm.1 b/crypto/heimdal/appl/kx/rxterm.1
new file mode 100644
index 0000000..e8dd0c8
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxterm.1
@@ -0,0 +1,77 @@
+.\" $Id: rxterm.1,v 1.4 1997/06/03 00:58:23 assar Exp $
+.\"
+.Dd September 27, 1996
+.Dt RXTERM 1
+.Os KTH_KRB
+.Sh NAME
+.Nm rxterm
+.Nd
+start a secure remote xterm
+.Sh SYNOPSIS
+.Nm rxterm
+.Op Fl l Ar username
+.Op Fl k
+.Op Fl r Ar rsh_args
+.Op Fl x Ar xterm_args
+.Op Fl w Ar term_emulator
+.Ar host
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm
+program starts a
+.Nm xterm
+window on host
+.Ar host .
+From this window you will also be able to run X clients that will be
+able to connect securily to your X server. If
+.Ar port
+is given, that port will be used instead of the default.
+.Pp
+The supported options are:
+.Bl -tag -width Ds
+.It Fl l
+Log in on the remote host as user
+.Ar username
+.It Fl k
+Disable keep-alives
+.It Fl r
+Send
+.Ar rsh_args
+as arguments to
+.Nm rsh
+.It Fl x
+Send
+.Ar xterm_args
+as arguments to
+.Nm xterm
+.It Fl w
+Use
+.Ar term_emulator
+instead of xterm.
+.El
+.Sh EXAMPLE
+To login from host
+.Va foo
+(where your display is)
+to host
+.Va bar ,
+you might do the following.
+.Bl -enum
+.It
+On foo: 
+.Nm
+.Va bar
+.It
+You will get a new window running an
+.Nm xterm
+on host
+.Va bar .
+In this window you will be able to start X clients.
+.El
+.Sh SEE ALSO
+.Xr rxtelnet 1 ,
+.Xr tenletxr 1 ,
+.Xr kx 1 ,
+.Xr kxd 8 ,
+.Xr rsh 1
diff --git a/crypto/heimdal/appl/kx/rxterm.cat1 b/crypto/heimdal/appl/kx/rxterm.cat1
new file mode 100644
index 0000000..56eec66
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxterm.cat1
@@ -0,0 +1,41 @@
+
+RXTERM(1)                    UNIX Reference Manual                   RXTERM(1)
+
+NNAAMMEE
+     rrxxtteerrmm - start a secure remote xterm
+
+SSYYNNOOPPSSIISS
+     rrxxtteerrmm [--ll _u_s_e_r_n_a_m_e] [--kk] [--rr _r_s_h___a_r_g_s] [--xx _x_t_e_r_m___a_r_g_s] [--ww
+            _t_e_r_m___e_m_u_l_a_t_o_r] _h_o_s_t [_p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     The rrxxtteerrmm program starts a xxtteerrmm window on host _h_o_s_t. From this window
+     you will also be able to run X clients that will be able to connect se-
+     curily to your X server. If _p_o_r_t is given, that port will be used instead
+     of the default.
+
+     The supported options are:
+
+     --ll      Log in on the remote host as user _u_s_e_r_n_a_m_e
+
+     --kk      Disable keep-alives
+
+     --rr      Send _r_s_h___a_r_g_s as arguments to rrsshh
+
+     --xx      Send _x_t_e_r_m___a_r_g_s as arguments to xxtteerrmm
+
+     --ww      Use _t_e_r_m___e_m_u_l_a_t_o_r instead of xterm.
+
+EEXXAAMMPPLLEE
+     To login from host _f_o_o (where your display is) to host _b_a_r, you might do
+     the following.
+
+     1.   On foo: rrxxtteerrmm _b_a_r
+
+     2.   You will get a new window running an xxtteerrmm on host _b_a_r. In this win-
+          dow you will be able to start X clients.
+
+SSEEEE AALLSSOO
+     rxtelnet(1),  tenletxr(1),  kx(1),  kxd(8),  rsh(1)
+
+ KTH_KRB                      September 27, 1996                             1
diff --git a/crypto/heimdal/appl/kx/rxterm.in b/crypto/heimdal/appl/kx/rxterm.in
new file mode 100644
index 0000000..dab3645
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxterm.in
@@ -0,0 +1,41 @@
+#!/bin/sh
+# $Id: rxterm.in,v 1.20 1999/02/04 09:29:49 assar Exp $
+#
+usage="Usage: $0 [-l username] [-k] [-r rsh_args] [-x xterm_args] [-w term_emulator] [-v] [-h | --help] [--version] host"
+term=xterm
+while true
+do
+  case $1 in
+  -l) rsh_args="${rsh_args} -l $2 "; kx_args="${kx_args} -l $2"; title="${2}@"; shift 2;;
+  -r) rsh_args="${rsh_args} $2 "; shift 2;;
+  -x) xterm_args="${xterm_args} $2 "; shift 2;;
+  -k) kx_args="${kx_args} -k"; shift;;
+  -w) term=$2; shift 2;;
+  --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;;
+  -h) echo $usage; exit 0;;
+  --help) echo $usage; exit 0;;
+  -v) set -x; shift;;
+  -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
+  *) break;;
+  esac
+done
+if test $# -lt 1; then
+  echo "Usage: $0 host [arguments to $term]"
+  exit 1
+fi
+host=$1
+title="${title}${host}"
+bindir=%bindir%
+pdc_trams=`dirname $0`
+PATH=$pdc_trams:$bindir:$PATH
+export PATH
+set -- `kx $kx_args $host`
+if test $# -ne 3; then
+  exit 1
+fi
+screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'`
+pid=$1
+disp=${2}${screen}
+auth=$3
+kill -USR1 $pid
+rsh -n $rsh_args $host "/bin/sh -c 'DISPLAY=$disp XAUTHORITY=$auth $term -T $title -n $title $xterm_args </dev/null >/dev/null 2>/dev/null &'"
diff --git a/crypto/heimdal/appl/kx/tenletxr.1 b/crypto/heimdal/appl/kx/tenletxr.1
new file mode 100644
index 0000000..ae7c858
--- /dev/null
+++ b/crypto/heimdal/appl/kx/tenletxr.1
@@ -0,0 +1,61 @@
+.\" $Id: tenletxr.1,v 1.2 1997/03/31 03:43:33 assar Exp $
+.\"
+.Dd March 31, 1997
+.Dt TENLETXR 1
+.Os KTH_KRB
+.Sh NAME
+.Nm tenletxr
+.Nd
+forward X-connections backwards.
+.Sh SYNOPSIS
+.Nm tenletxr
+.Op Fl l Ar username
+.Op Fl k
+.Ar host
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm
+program
+enables forwarding of X-connections from this machine to host
+.Ar host .
+If
+.Ar port
+is given, that port will be used instead of the default.
+.Pp
+The supported options are:
+.Bl -tag -width Ds
+.It Fl l
+Log in on the remote host as user
+.Ar username
+.It Fl k
+Disables keep-alives.
+.El
+.Sh EXAMPLE
+To login from host
+.Va foo
+to host
+.Va bar
+(where your display is),
+you might do the following.
+.Bl -enum
+.It
+On foo: 
+.Nm
+.Va bar
+.It
+You will get a new shell where you will be able to start X clients
+that will show their windows on
+.Va bar .
+.El
+.Sh BUGS
+It currently checks if you have permission to run it by checking if
+you own
+.Pa /dev/console
+on the remote host.
+.Sh SEE ALSO
+.Xr rxtelnet 1 ,
+.Xr rxterm 1 ,
+.Xr kx 1 ,
+.Xr kxd 8 ,
+.Xr telnet 1
diff --git a/crypto/heimdal/appl/kx/tenletxr.cat1 b/crypto/heimdal/appl/kx/tenletxr.cat1
new file mode 100644
index 0000000..c1714e7
--- /dev/null
+++ b/crypto/heimdal/appl/kx/tenletxr.cat1
@@ -0,0 +1,37 @@
+
+TENLETXR(1)                  UNIX Reference Manual                 TENLETXR(1)
+
+NNAAMMEE
+     tteennlleettxxrr - forward X-connections backwards.
+
+SSYYNNOOPPSSIISS
+     tteennlleettxxrr [--ll _u_s_e_r_n_a_m_e] [--kk] _h_o_s_t [_p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     The tteennlleettxxrr program enables forwarding of X-connections from this ma-
+     chine to host _h_o_s_t. If _p_o_r_t is given, that port will be used instead of
+     the default.
+
+     The supported options are:
+
+     --ll      Log in on the remote host as user _u_s_e_r_n_a_m_e
+
+     --kk      Disables keep-alives.
+
+EEXXAAMMPPLLEE
+     To login from host _f_o_o to host _b_a_r (where your display is), you might do
+     the following.
+
+     1.   On foo: tteennlleettxxrr _b_a_r
+
+     2.   You will get a new shell where you will be able to start X clients
+          that will show their windows on _b_a_r.
+
+BBUUGGSS
+     It currently checks if you have permission to run it by checking if you
+     own _/_d_e_v_/_c_o_n_s_o_l_e on the remote host.
+
+SSEEEE AALLSSOO
+     rxtelnet(1),  rxterm(1),  kx(1),  kxd(8),  telnet(1)
+
+ KTH_KRB                        March 31, 1997                               1
diff --git a/crypto/heimdal/appl/kx/tenletxr.in b/crypto/heimdal/appl/kx/tenletxr.in
new file mode 100644
index 0000000..5c05dc9
--- /dev/null
+++ b/crypto/heimdal/appl/kx/tenletxr.in
@@ -0,0 +1,37 @@
+#!/bin/sh
+# $Id: tenletxr.in,v 1.3 1999/02/04 09:29:59 assar Exp $
+#
+usage="Usage: $0 [-l username] [-k] [-v] [-h | --help] [--version] host [port]"
+while true
+do
+  case $1 in
+  -l) kx_args="${kx_args} -l $2"; shift 2;;
+  -k) kx_args="${kx_args} -k"; shift;;
+  --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;;
+  -h) echo $usage; exit 0;;
+  --help) echo $usage; exit 0;;
+  -v) set -x; shift;;
+  -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
+  *) break;;
+  esac
+done
+if test $# -lt 1; then
+  echo $usage
+  exit 1
+fi
+host=$1
+port=$2
+bindir=%bindir%
+pdc_trams=`dirname $0`
+PATH=$pdc_trams:$bindir:$PATH
+export PATH
+set -- `kx $kx_args $host`
+if test $# -ne 3; then
+  exit 1
+fi
+screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'`
+pid=$1
+disp=${2}${screen}
+auth=$3
+env DISPLAY=$disp XAUTHORITY=$auth $SHELL
+kill -USR2 $pid
diff --git a/crypto/heimdal/appl/kx/writeauth.c b/crypto/heimdal/appl/kx/writeauth.c
new file mode 100644
index 0000000..11dc72d
--- /dev/null
+++ b/crypto/heimdal/appl/kx/writeauth.c
@@ -0,0 +1,73 @@
+/* $XConsortium: AuWrite.c,v 1.6 94/04/17 20:15:45 gildea Exp $ */
+
+/*
+
+Copyright (c) 1988  X Consortium
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of the X Consortium shall not be
+used in advertising or otherwise to promote the sale, use or other dealings
+in this Software without prior written authorization from the X Consortium.
+
+*/
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: writeauth.c,v 1.4 1999/05/12 17:59:44 assar Exp $");
+#endif
+
+#include <X11/Xauth.h>
+
+static int
+write_short (unsigned short s, FILE *file)
+{
+    unsigned char   file_short[2];
+
+    file_short[0] = (s & (unsigned)0xff00) >> 8;
+    file_short[1] = s & 0xff;
+    if (fwrite (file_short, sizeof (file_short), 1, file) != 1)
+	return 0;
+    return 1;
+}
+
+static int
+write_counted_string (unsigned short count, char *string, FILE *file)
+{
+    if (write_short (count, file) == 0)
+	return 0;
+    if (fwrite (string, (int) sizeof (char), (int) count, file) != count)
+	return 0;
+    return 1;
+}
+
+int
+XauWriteAuth (FILE *auth_file, Xauth *auth)
+{
+    if (write_short (auth->family, auth_file) == 0)
+	return 0;
+    if (write_counted_string (auth->address_length, auth->address, auth_file) == 0)
+	return 0;
+    if (write_counted_string (auth->number_length, auth->number, auth_file) == 0)
+	return 0;
+    if (write_counted_string (auth->name_length, auth->name, auth_file) == 0)
+	return 0;
+    if (write_counted_string (auth->data_length, auth->data, auth_file) == 0)
+	return 0;
+    return 1;
+}
diff --git a/crypto/heimdal/appl/login/ChangeLog b/crypto/heimdal/appl/login/ChangeLog
new file mode 100644
index 0000000..15d01be
--- /dev/null
+++ b/crypto/heimdal/appl/login/ChangeLog
@@ -0,0 +1,221 @@
+2001-02-08  Assar Westerlund  <assar@sics.se>
+
+	* utmp_login.c, utmpx_login.c: try to write a useful string as
+	host in utmp, using the same algoritm as telnetd
+
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* login.c: remove some krb5_free_context that might happen at
+	unappropriate times
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* login.c (main): handle krb5_init_context failure consistently
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* login.c (do_login): set the group on the tty.
+	(r_flag): comment out
+	* login.c (krb5_to4): always return a value
+
+2000-10-15  Assar Westerlund  <assar@sics.se>
+
+	* login.c (krb5_to4): check another return code
+
+2000-08-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* login.c (do_login): set PATH to something sane;
+	(start_logout_process): avoid getting signals sent to the parent
+
+	* login_locl.h: _PATH_DEFPATH
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	* login.c (login_timeout): add back
+
+2000-06-28  Johan Danielsson  <joda@pdc.kth.se>
+
+	* env.c: new file for environment related functions
+
+	* login.c: move environment stuff to separate file, allow
+	specifying list of environment files via login.conf
+
+2000-06-21  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (LDADD): add otp
+	* login.c: add reading of /etc/environment.  From Ake Sandgren
+	<ake@cs.umu.se>
+	add otp support. From Daniel Kouril <kouril@ics.muni.cz>
+
+2000-06-09  Assar Westerlund  <assar@sics.se>
+
+	* login.c (do_login): work-around for setuid and capabilities bug
+	fixed in Linux 2.2.16
+
+2000-04-09  Assar Westerlund  <assar@sics.se>
+
+	* login.c: allow conversion of v5 -> v4 tickets when logging in
+	with forwarded tickets
+
+1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* conf.c: remove case for not having cgetent, since it's in roken
+
+1999-11-05  Assar Westerlund  <assar@sics.se>
+
+	* login.c (do_login): conditionalize shadow stuff on getspnam
+
+1999-10-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (login_DEPENDENCIES): remove, it's not entirely
+ 	correct and was causing problems with non-GNU make
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* login.c (start_logout_proceess): don't examine `prog' before
+ 	setting it.
+
+1999-10-27  Assar Westerlund  <assar@sics.se>
+
+	* login.c (do_login): chown and chmod the tty.  some clean-up.
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* login.c (krb5_start_session): correct the ccache to
+ 	krb524_convert_creds_kdc
+
+1999-09-28  Assar Westerlund  <assar@sics.se>
+
+	* login.c (krb5_verify): use krb5_verify_user_lrealm
+
+1999-09-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* login.c: SGI capability mumbo-jumbo
+
+1999-08-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* login.c (start_logout_process): call setproctitle
+
+	* login_locl.h: declare struct spwd
+
+	* login.c: add support for starting extra processes at login and
+	logout; always preserve TERM and TZ
+
+	* conf.c: add configuration file support
+
+1999-08-07  Assar Westerlund  <assar@sics.se>
+
+	* shadow.c (check_shadow): check for a NULL sp
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* login.c (main): move down login incorrect to disallow account
+ 	guessing
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* utmpx_login.c (utmpx_login): fix for Solaris.  From Miroslav
+ 	Ruda <ruda@ics.muni.cz>
+
+	* login_locl.h: add <shadow.h> and some prototypes
+
+	* login.c: fixes with v4 and shadow support.  From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+	* shadow.c: new file with functions for handling shadow passwords
+
+	* Makefile.am: add shadow
+
+1999-07-22  Assar Westerlund  <assar@sics.se>
+
+	* login.c (main): generate a better tty name
+
+1999-05-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* login.c (do_login): set $SHELL
+
+1999-05-18  Assar Westerlund  <assar@sics.se>
+
+	* add login-access
+
+1999-05-11  Assar Westerlund  <assar@sics.se>
+
+	* login.c: copy the v5 ccache to a file after having done setuid
+
+1999-05-09  Assar Westerlund  <assar@sics.se>
+
+	* login.c (krb5_verify): check seteuid for errors
+	
+Mon Apr 19 22:30:55 1999  Assar Westerlund  <assar@sics.se>
+
+	* login.c: conditionalize the kafs calls on KRB4
+
+	* Makefile.am (LDADD): add kafs
+
+	* login.c: add support for getting afs tokens with v4 and v5
+
+Sun Apr 18 14:12:28 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* login.c: check _PATH_NOLOGIN
+
+	* login_locl.h: _PATH_NOLOGIN
+
+1999-04-11  Assar Westerlund  <assar@sics.se>
+
+	* login.c (main): use print_version
+
+Thu Apr  8 15:03:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* login.c: remove definition of KRB_VERIFY_USER et.al. (moved to
+ 	config.h)
+
+	* login_locl.h: include udb.h, sys/resource.h, and sys/category.h
+
+Sat Mar 27 17:58:37 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: osfc2.c
+
+	* login.c: magic for OSF C2, and Crays
+
+	* login_locl.h: do_osfc2_magic proto
+
+	* osfc2.c: bsd_locl -> login_locl
+
+	* osfc2.c: OSF C2 magic
+
+Tue Mar 23 14:17:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* login_locl.h: _PATH_UTMP
+
+Sun Mar 21 15:02:31 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* login.c: `-h' is host, not help
+
+Sat Mar 20 00:11:13 1999  Assar Westerlund  <assar@sics.se>
+
+	* login_locl.h: krb.h: add
+
+	* login.c: static-size
+	(krb4_verify): add
+
+Thu Mar 18 11:36:10 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Thu Mar 11 17:53:36 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* utmpx_login.c: add some consts
+
+	* utmp_login.c: add some consts
+
+	* login.c: staticize
+
+	* login_locl.h: add prototypes, and defaults for
+ 	_PATH_*
+
+Mon Mar  1 10:49:14 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* utmpx_login.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+	* utmp_login.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
diff --git a/crypto/heimdal/appl/login/Makefile.am b/crypto/heimdal/appl/login/Makefile.am
new file mode 100644
index 0000000..1f458e9
--- /dev/null
+++ b/crypto/heimdal/appl/login/Makefile.am
@@ -0,0 +1,37 @@
+# $Id: Makefile.am,v 1.19 2000/11/15 22:51:08 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = login
+
+login_SOURCES =					\
+		conf.c				\
+		env.c				\
+		login.c				\
+		login_access.c			\
+		login_locl.h			\
+		login_protos.h			\
+		osfc2.c				\
+		read_string.c			\
+		shadow.c			\
+		stty_default.c			\
+		tty.c				\
+		utmp_login.c			\
+		utmpx_login.c
+
+LDADD = $(LIB_otp) \
+	$(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(LIB_security) \
+	$(DBLIB)
+
+$(srcdir)/login_protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o login_protos.h $(login_SOURCES) || rm -f login_protos.h
+
+$(login_OBJECTS): $(srcdir)/login_protos.h
diff --git a/crypto/heimdal/appl/login/Makefile.in b/crypto/heimdal/appl/login/Makefile.in
new file mode 100644
index 0000000..64f94b3
--- /dev/null
+++ b/crypto/heimdal/appl/login/Makefile.in
@@ -0,0 +1,602 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.19 2000/11/15 22:51:08 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = login
+
+login_SOURCES = \
+		conf.c				\
+		env.c				\
+		login.c				\
+		login_access.c			\
+		login_locl.h			\
+		login_protos.h			\
+		osfc2.c				\
+		read_string.c			\
+		shadow.c			\
+		stty_default.c			\
+		tty.c				\
+		utmp_login.c			\
+		utmpx_login.c
+
+
+LDADD = $(LIB_otp) \
+	$(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(LIB_security) \
+	$(DBLIB)
+
+subdir = appl/login
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  login$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_login_OBJECTS =  conf.$(OBJEXT) env.$(OBJEXT) login.$(OBJEXT) \
+login_access.$(OBJEXT) osfc2.$(OBJEXT) read_string.$(OBJEXT) \
+shadow.$(OBJEXT) stty_default.$(OBJEXT) tty.$(OBJEXT) \
+utmp_login.$(OBJEXT) utmpx_login.$(OBJEXT)
+login_OBJECTS =  $(am_login_OBJECTS)
+login_LDADD = $(LDADD)
+@KRB4_FALSE@login_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@login_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+login_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(login_SOURCES)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(login_SOURCES)
+OBJECTS = $(am_login_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/login/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+login$(EXEEXT): $(login_OBJECTS) $(login_DEPENDENCIES)
+	@rm -f login$(EXEEXT)
+	$(LINK) $(login_LDFLAGS) $(login_OBJECTS) $(login_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(srcdir)/login_protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o login_protos.h $(login_SOURCES) || rm -f login_protos.h
+
+$(login_OBJECTS): $(srcdir)/login_protos.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/login/conf.c b/crypto/heimdal/appl/login/conf.c
new file mode 100644
index 0000000..85cfc00
--- /dev/null
+++ b/crypto/heimdal/appl/login/conf.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "login_locl.h"
+
+RCSID("$Id: conf.c,v 1.3 2000/05/29 16:52:24 assar Exp $");
+
+static char *confbuf;
+
+static int
+login_conf_init(void)
+{
+    char *files[] = { _PATH_LOGIN_CONF, NULL };
+    return cgetent(&confbuf, files, "default");
+}
+
+char *
+login_conf_get_string(const char *str)
+{
+    char *value;
+    if(login_conf_init() != 0)
+	return NULL;
+    if(cgetstr(confbuf, (char *)str, &value) < 0)
+	return NULL;
+    return value;
+}
diff --git a/crypto/heimdal/appl/login/env.c b/crypto/heimdal/appl/login/env.c
new file mode 100644
index 0000000..57f68b1
--- /dev/null
+++ b/crypto/heimdal/appl/login/env.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+RCSID("$Id: env.c,v 1.1 2000/06/28 12:27:38 joda Exp $");
+
+/*
+ * the environment we will send to execle and the shell.
+ */
+
+char **env;
+int num_env;
+
+void
+extend_env(char *str)
+{
+    env = realloc(env, (num_env + 1) * sizeof(*env));
+    if(env == NULL)
+	errx(1, "Out of memory!");
+    env[num_env++] = str;
+}
+
+void
+add_env(const char *var, const char *value)
+{
+    int i;
+    char *str;
+    asprintf(&str, "%s=%s", var, value);
+    if(str == NULL)
+	errx(1, "Out of memory!");
+    for(i = 0; i < num_env; i++)
+	if(strncmp(env[i], var, strlen(var)) == 0 && 
+	   env[i][strlen(var)] == '='){
+	    free(env[i]);
+	    env[i] = str;
+	    return;
+	}
+    
+    extend_env(str);
+}
+
+void
+copy_env(void)
+{
+    char **p;
+    for(p = environ; *p; p++)
+	extend_env(*p);
+}
+
+int
+login_read_env(const char *file)
+{
+    char **newenv;
+    char *p;
+    int i, j;
+    
+    newenv = NULL;
+    i = read_environment(file, &newenv);
+    for (j = 0; j < i; j++) {
+	p = strchr(newenv[j], '=');
+	*p++ = 0;
+	add_env(newenv[j], p);
+	*--p = '=';
+	free(newenv[j]);
+    }
+    free(newenv);
+    return 0;
+}
diff --git a/crypto/heimdal/appl/login/login.c b/crypto/heimdal/appl/login/login.c
new file mode 100644
index 0000000..7cd405b
--- /dev/null
+++ b/crypto/heimdal/appl/login/login.c
@@ -0,0 +1,803 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+#ifdef HAVE_CAPABILITY_H
+#include <capability.h>
+#endif
+#ifdef HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+#endif
+
+RCSID("$Id: login.c,v 1.47 2001/02/20 01:44:45 assar Exp $");
+
+static int login_timeout = 60;
+
+static int
+start_login_process(void)
+{
+    char *prog, *argv0;
+    prog = login_conf_get_string("login_program");
+    if(prog == NULL)
+	return 0;
+    argv0 = strrchr(prog, '/');
+
+    if(argv0)
+	argv0++;
+    else
+	argv0 = prog;
+
+    return simple_execle(prog, argv0, NULL, env);
+}
+
+static int
+start_logout_process(void)
+{
+    char *prog, *argv0;
+    pid_t pid;
+
+    prog = login_conf_get_string("logout_program");
+    if(prog == NULL)
+	return 0;
+    argv0 = strrchr(prog, '/');
+
+    if(argv0)
+	argv0++;
+    else
+	argv0 = prog;
+
+    pid = fork();
+    if(pid == 0) {
+	/* avoid getting signals sent to the shell */
+	setpgid(0, getpid());
+	return 0;
+    }
+    if(pid == -1)
+	err(1, "fork");
+    /* wait for the real login process to exit */
+#ifdef HAVE_SETPROCTITLE
+    setproctitle("waitpid %d", pid);
+#endif
+    while(1) {
+	int status;
+	int ret;
+	ret = waitpid(pid, &status, 0);
+	if(ret > 0) {
+	    if(WIFEXITED(status) || WIFSIGNALED(status)) {
+		execle(prog, argv0, NULL, env);
+		err(1, "exec %s", prog);
+	    }
+	} else if(ret < 0) 
+	    err(1, "waitpid");
+    }
+}
+
+static void
+exec_shell(const char *shell, int fallback)
+{
+    char *sh;
+    const char *p;
+    
+    extend_env(NULL);
+    if(start_login_process() < 0)
+	warn("login process");
+    start_logout_process();
+
+    p = strrchr(shell, '/');
+    if(p)
+	p++;
+    else
+	p = shell;
+    asprintf(&sh, "-%s", p);
+    execle(shell, sh, NULL, env);
+    if(fallback){
+	warnx("Can't exec %s, trying %s", 
+	      shell, _PATH_BSHELL);
+	execle(_PATH_BSHELL, "-sh", NULL, env);
+	err(1, "%s", _PATH_BSHELL);
+    }
+    err(1, "%s", shell);
+}
+
+static enum { NONE = 0, AUTH_KRB4 = 1, AUTH_KRB5 = 2, AUTH_OTP = 3 } auth;
+
+#ifdef OTP
+static OtpContext otp_ctx;
+
+static int
+otp_verify(struct passwd *pwd, const char *password)
+{
+   return (otp_verify_user (&otp_ctx, password));
+}
+#endif /* OTP */
+
+
+#ifdef KRB5
+static krb5_context context;
+static krb5_ccache  id, id2;
+
+static int
+krb5_verify(struct passwd *pwd, const char *password)
+{
+    krb5_error_code ret;
+    krb5_principal princ;
+
+    ret = krb5_parse_name(context, pwd->pw_name, &princ);
+    if(ret)
+	return 1;
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+    if(ret) {
+	krb5_free_principal(context, princ);
+	return 1;
+    }
+    ret = krb5_verify_user_lrealm(context,
+				  princ, 
+				  id,
+				  password, 
+				  1,
+				  NULL);
+    krb5_free_principal(context, princ);
+    return ret;
+}
+
+#ifdef KRB4
+static krb5_error_code
+krb5_to4 (krb5_ccache id)
+{
+    if (krb5_config_get_bool(context, NULL,
+			     "libdefaults",
+			     "krb4_get_tickets",
+			     NULL)) {
+        CREDENTIALS c;
+        krb5_creds mcred, cred;
+        char krb4tkfile[MAXPATHLEN];
+	krb5_error_code ret;
+	krb5_principal princ;
+
+	ret = krb5_cc_get_principal (context, id, &princ);
+	if (ret)
+	    return ret;
+
+	ret = krb5_make_principal(context, &mcred.server,
+				  princ->realm,
+				  "krbtgt",
+				  princ->realm,
+				  NULL);
+	krb5_free_principal (context, princ);
+	if (ret)
+	    return ret;
+
+	ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
+	if(ret == 0) {
+	    ret = krb524_convert_creds_kdc(context, id, &cred, &c);
+	    if(ret == 0) {
+		snprintf(krb4tkfile,sizeof(krb4tkfile),"%s%d",TKT_ROOT,
+			 getuid());
+		krb_set_tkt_string(krb4tkfile);
+		tf_setup(&c, c.pname, c.pinst);
+	    }
+	    memset(&c, 0, sizeof(c));
+	    krb5_free_creds_contents(context, &cred);
+	}
+	krb5_free_principal(context, mcred.server);
+    }
+    return 0;
+}
+#endif /* KRB4 */
+
+static int
+krb5_start_session (const struct passwd *pwd)
+{
+    krb5_error_code ret;
+    char residual[64];
+
+    /* copy credentials to file cache */
+    snprintf(residual, sizeof(residual), "FILE:/tmp/krb5cc_%u", 
+	     (unsigned)pwd->pw_uid);
+    krb5_cc_resolve(context, residual, &id2);
+    ret = krb5_cc_copy_cache(context, id, id2);
+    if (ret == 0)
+	add_env("KRB5CCNAME", residual);
+    else {
+	krb5_cc_destroy (context, id2);
+	return ret;
+    }
+#ifdef KRB4
+    krb5_to4 (id2);
+#endif
+    krb5_cc_close(context, id2);
+    krb5_cc_destroy(context, id);
+    return 0;
+}
+
+static void
+krb5_finish (void)
+{
+    krb5_free_context(context);
+}
+
+#ifdef KRB4
+
+static int pag_set = 0;
+
+static void
+krb5_get_afs_tokens (const struct passwd *pwd)
+{
+    char cell[64];
+    char *pw_dir;
+    krb5_error_code ret;
+
+    if (!k_hasafs ())
+	return;
+
+    ret = krb5_cc_default(context, &id2);
+ 
+    if (ret == 0) {
+	pw_dir = pwd->pw_dir;
+
+	if (!pag_set) {
+	    k_setpag();
+	    pag_set = 1;
+	}
+
+	if(k_afs_cell_of_file(pw_dir, cell, sizeof(cell)) == 0)
+	    krb5_afslog_uid_home (context, id2,
+				  cell, NULL, pwd->pw_uid, pwd->pw_dir);
+	krb5_afslog_uid_home (context, id2, NULL, NULL,
+			      pwd->pw_uid, pwd->pw_dir);
+	krb5_cc_close (context, id2);
+    }
+}
+
+#endif /* KRB4 */
+
+#endif /* KRB5 */
+
+#ifdef KRB4
+
+static int
+krb4_verify(struct passwd *pwd, const char *password)
+{
+    char lrealm[REALM_SZ];
+    int ret;
+    char ticket_file[MaxPathLen];
+
+    ret = krb_get_lrealm (lrealm, 1);
+    if (ret)
+	return 1;
+
+    snprintf (ticket_file, sizeof(ticket_file),
+	      "%s%u_%u",
+	      TKT_ROOT, (unsigned)pwd->pw_uid, (unsigned)getpid());
+
+    krb_set_tkt_string (ticket_file);
+
+    ret = krb_verify_user (pwd->pw_name, "", lrealm, (char *)password,
+			   KRB_VERIFY_SECURE_FAIL, NULL);
+    if (ret)
+	return 1;
+
+    if (chown (ticket_file, pwd->pw_uid, pwd->pw_gid) < 0) {
+	dest_tkt();
+	return 1;
+    }
+	
+    add_env ("KRBTKFILE", ticket_file);
+    return 0;
+}
+
+static void
+krb4_get_afs_tokens (const struct passwd *pwd)
+{
+    char cell[64];
+    char *pw_dir;
+
+    if (!k_hasafs ())
+	return;
+
+    pw_dir = pwd->pw_dir;
+
+    if (!pag_set) {
+	k_setpag();
+	pag_set = 1;
+    }
+
+    if(k_afs_cell_of_file(pw_dir, cell, sizeof(cell)) == 0)
+	krb_afslog_uid_home (cell, NULL, pwd->pw_uid, pwd->pw_dir);
+
+    krb_afslog_uid_home (NULL, NULL, pwd->pw_uid, pwd->pw_dir);
+}
+
+#endif /* KRB4 */
+
+static int f_flag;
+static int p_flag;
+#if 0
+static int r_flag;
+#endif
+static int version_flag;
+static int help_flag;
+static char *remote_host;
+static char *auth_level = NULL;
+
+struct getargs args[] = {
+    { NULL, 'a', arg_string,    &auth_level,    "authentication mode" },
+#if 0
+    { NULL, 'd' },
+#endif
+    { NULL, 'f', arg_flag,	&f_flag,	"pre-authenticated" },
+    { NULL, 'h', arg_string,	&remote_host,	"remote host", "hostname" },
+    { NULL, 'p', arg_flag,	&p_flag,	"don't purge environment" },
+#if 0
+    { NULL, 'r', arg_flag,	&r_flag,	"rlogin protocol" },
+#endif
+    { "version", 0,  arg_flag,	&version_flag },
+    { "help",	 0,  arg_flag,&help_flag, }
+};
+
+int nargs = sizeof(args) / sizeof(args[0]);
+
+static void
+update_utmp(const char *username, const char *hostname,
+	    char *tty, char *ttyn)
+{
+    /*
+     * Update the utmp files, both BSD and SYSV style.
+     */
+    if (utmpx_login(tty, username, hostname) != 0 && !f_flag) {
+	printf("No utmpx entry.  You must exec \"login\" from the "
+	       "lowest level shell.\n");
+	exit(1);
+    }
+    utmp_login(ttyn, username, hostname);
+}
+
+static void
+checknologin(void)
+{
+    FILE *f;
+    char buf[1024];
+
+    f = fopen(_PATH_NOLOGIN, "r");
+    if(f == NULL)
+	return;
+    while(fgets(buf, sizeof(buf), f))
+	fputs(buf, stdout);
+    fclose(f);
+    exit(0);
+}
+
+/* 
+ * Actually log in the user.  `pwd' contains all the relevant
+ * information about the user.  `ttyn' is the complete name of the tty
+ * and `tty' the short name.
+ */
+
+static void
+do_login(const struct passwd *pwd, char *tty, char *ttyn)
+{
+#ifdef HAVE_GETSPNAM
+    struct spwd *sp;
+#endif
+    int rootlogin = (pwd->pw_uid == 0);
+    gid_t tty_gid;
+    struct group *gr;
+    const char *home_dir;
+
+    if(!rootlogin)
+	checknologin();
+    
+#ifdef HAVE_GETSPNAM
+    sp = getspnam(pwd->pw_name);
+#endif
+
+    update_utmp(pwd->pw_name, remote_host ? remote_host : "",
+		tty, ttyn);
+
+    gr = getgrnam ("tty");
+    if (gr != NULL)
+	tty_gid = gr->gr_gid;
+    else
+	tty_gid = pwd->pw_gid;
+
+    if (chown (ttyn, pwd->pw_uid, tty_gid) < 0) {
+	warn("chown %s", ttyn);
+	if (rootlogin == 0)
+	    exit (1);
+    }
+
+    if (chmod (ttyn, S_IRUSR | S_IWUSR | S_IWGRP) < 0) {
+	warn("chmod %s", ttyn);
+	if (rootlogin == 0)
+	    exit (1);
+    }
+
+#ifdef HAVE_SETLOGIN
+    if(setlogin(pwd->pw_name)){
+	warn("setlogin(%s)", pwd->pw_name);
+	if(rootlogin == 0)
+	    exit(1);
+    }
+#endif
+#ifdef HAVE_INITGROUPS
+    if(initgroups(pwd->pw_name, pwd->pw_gid)){
+	warn("initgroups(%s, %u)", pwd->pw_name, (unsigned)pwd->pw_gid);
+	if(rootlogin == 0)
+	    exit(1);
+    }
+#endif
+    if(setgid(pwd->pw_gid)){
+	warn("setgid(%u)", (unsigned)pwd->pw_gid);
+	if(rootlogin == 0)
+	    exit(1);
+    }
+    if(setuid(pwd->pw_uid) || (pwd->pw_uid != 0 && setuid(0) == 0)) {
+	warn("setuid(%u)", (unsigned)pwd->pw_uid);
+	if(rootlogin == 0)
+	    exit(1);
+    }
+    /* all kinds of different magic */
+
+#ifdef HAVE_GETSPNAM
+    check_shadow(pwd, sp);
+#endif
+
+    if(do_osfc2_magic(pwd->pw_uid))
+	exit(1);
+#if defined(HAVE_GETUDBNAM) && defined(HAVE_SETLIM)
+    {
+	struct udb *udb;
+	long t;
+	const long maxcpu = 46116860184; /* some random constant */
+	udb = getudbnam(pwd->pw_name);
+	if(udb == UDB_NULL)
+	    errx(1, "Failed to get UDB entry.");
+	t = udb->ue_pcpulim[UDBRC_INTER];
+	if(t == 0 || t > maxcpu)
+	    t = CPUUNLIM;
+	else
+	    t *= 100 * CLOCKS_PER_SEC;
+
+	if(limit(C_PROC, 0, L_CPU, t) < 0)
+	    warn("limit C_PROC");
+
+	t = udb->ue_jcpulim[UDBRC_INTER];
+	if(t == 0 || t > maxcpu)
+	    t = CPUUNLIM;
+	else
+	    t *= 100 * CLOCKS_PER_SEC;
+
+	if(limit(C_JOBPROCS, 0, L_CPU, t) < 0)
+	    warn("limit C_JOBPROCS");
+
+	nice(udb->ue_nice[UDBRC_INTER]);
+    }
+#endif
+#if defined(HAVE_SGI_GETCAPABILITYBYNAME) && defined(HAVE_CAP_SET_PROC)
+	/* XXX SGI capability hack IRIX 6.x (x >= 0?) has something
+	   called capabilities, that allow you to give away
+	   permissions (such as chown) to specific processes. From 6.5
+	   this is default on, and the default capability set seems to
+	   not always be the empty set. The problem is that the
+	   runtime linker refuses to do just about anything if the
+	   process has *any* capabilities set, so we have to remove
+	   them here (unless otherwise instructed by /etc/capability).
+	   In IRIX < 6.5, these functions was called sgi_cap_setproc,
+	   etc, but we ignore this fact (it works anyway). */
+	{
+	    struct user_cap *ucap = sgi_getcapabilitybyname(pwd->pw_name);
+	    cap_t cap;
+	    if(ucap == NULL)
+		cap = cap_from_text("all=");
+	    else
+		cap = cap_from_text(ucap->ca_default);
+	    if(cap == NULL)
+		err(1, "cap_from_text");
+	    if(cap_set_proc(cap) < 0)
+		err(1, "cap_set_proc");
+	    cap_free(cap);
+	    free(ucap);
+	}
+#endif
+    home_dir = pwd->pw_dir;
+    if (chdir(home_dir) < 0) {
+	fprintf(stderr, "No home directory \"%s\"!\n", pwd->pw_dir);
+	if (chdir("/"))
+	    exit(0);
+	home_dir = "/";
+	fprintf(stderr, "Logging in with home = \"/\".\n");
+    }
+#ifdef KRB5
+    if (auth == AUTH_KRB5) {
+	krb5_start_session (pwd);
+    }
+#ifdef KRB4
+    else if (auth == 0) {
+	krb5_error_code ret;
+	krb5_ccache id;
+
+	ret = krb5_cc_default (context, &id);
+	if (ret == 0) {
+	    krb5_to4 (id);
+	    krb5_cc_close (context, id);
+	}
+    }
+
+    krb5_get_afs_tokens (pwd);
+#endif /* KRB4 */
+    krb5_finish ();
+#endif /* KRB5 */
+
+#ifdef KRB4
+    krb4_get_afs_tokens (pwd);
+#endif /* KRB4 */
+
+    add_env("PATH", _PATH_DEFPATH);
+
+    {
+	const char *str = login_conf_get_string("environment");
+	char buf[MAXPATHLEN];
+
+	if(str == NULL) {
+	    login_read_env(_PATH_ETC_ENVIRONMENT);
+	} else {
+	    while(strsep_copy(&str, ",", buf, sizeof(buf)) != -1) {
+		if(buf[0] == '\0')
+		    continue;
+		login_read_env(buf);
+	    }
+	}
+    }
+    add_env("HOME", home_dir);
+    add_env("USER", pwd->pw_name);
+    add_env("LOGNAME", pwd->pw_name);
+    add_env("SHELL", pwd->pw_shell);
+    exec_shell(pwd->pw_shell, rootlogin);
+}
+
+static int
+check_password(struct passwd *pwd, const char *password)
+{
+    if(pwd->pw_passwd == NULL)
+	return 1;
+    if(pwd->pw_passwd[0] == '\0'){
+#ifdef ALLOW_NULL_PASSWORD
+	return password[0] != '\0';
+#else
+	return 1;
+#endif
+    }
+    if(strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) == 0)
+	return 0;
+#ifdef KRB5
+    if(krb5_verify(pwd, password) == 0) {
+	auth = AUTH_KRB5;
+	return 0;
+    }
+#endif
+#ifdef KRB4
+    if (krb4_verify (pwd, password) == 0) {
+	auth = AUTH_KRB4;
+	return 0;
+    }
+#endif
+#ifdef OTP
+    if (otp_verify (pwd, password) == 0) {
+       auth = AUTH_OTP;
+       return 0;
+    }
+#endif
+    return 1;
+}
+
+static void
+usage(int status)
+{
+    arg_printusage(args, nargs, NULL, "[username]");
+    exit(status);
+}
+
+static RETSIGTYPE
+sig_handler(int sig)
+{
+    if (sig == SIGALRM)
+         fprintf(stderr, "Login timed out after %d seconds\n",
+                login_timeout);
+      else
+         fprintf(stderr, "Login received signal, exiting\n");
+    exit(0);
+}
+
+int
+main(int argc, char **argv)
+{
+    int max_tries = 5;
+    int try;
+
+    char username[32];
+    int optind = 0;
+
+    int ask = 1;
+    struct sigaction sa;
+    
+    setprogname(argv[0]);
+
+#ifdef KRB5
+    {
+	krb5_error_code ret;
+
+	ret = krb5_init_context(&context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+    }
+#endif
+
+    openlog("login", LOG_ODELAY, LOG_AUTH);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+    argc -= optind;
+    argv += optind;
+
+    if(help_flag)
+	usage(0);
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+	
+    if (geteuid() != 0)
+	errx(1, "only root may use login, use su");
+
+    /* Default tty settings. */
+    stty_default();
+
+    if(p_flag)
+	copy_env();
+    else {
+	/* this set of variables is always preserved by BSD login */
+	if(getenv("TERM"))
+	    add_env("TERM", getenv("TERM"));
+	if(getenv("TZ"))
+	    add_env("TZ", getenv("TZ"));
+    }
+
+    if(*argv){
+	if(strchr(*argv, '=') == NULL && strcmp(*argv, "-") != 0){
+	    strlcpy (username, *argv, sizeof(username));
+	    ask = 0;
+	}
+    }
+
+#if defined(DCE) && defined(AIX)
+    esetenv("AUTHSTATE", "DCE", 1);
+#endif
+
+    /* XXX should we care about environment on the command line? */
+
+    memset(&sa, 0, sizeof(sa));
+    sa.sa_handler = sig_handler;
+    sigemptyset(&sa.sa_mask);
+    sa.sa_flags = 0;
+    sigaction(SIGALRM, &sa, NULL);
+    alarm(login_timeout);
+
+    for(try = 0; try < max_tries; try++){
+	struct passwd *pwd;
+	char password[128];
+	int ret;
+	char ttname[32];
+	char *tty, *ttyn;
+        char prompt[128];
+#ifdef OTP
+        char otp_str[256];
+#endif
+
+	if(ask){
+	    f_flag = 0;
+#if 0
+	    r_flag = 0;
+#endif
+	    ret = read_string("login: ", username, sizeof(username), 1);
+	    if(ret == -3)
+		exit(0);
+	    if(ret == -2)
+		sig_handler(0); /* exit */
+	}
+        pwd = k_getpwnam(username);
+#ifdef ALLOW_NULL_PASSWORD
+        if (pwd != NULL && (pwd->pw_passwd[0] == '\0')) {
+            strcpy(password,"");
+        }
+        else
+#endif
+
+        {
+#ifdef OTP
+           if(auth_level && strcmp(auth_level, "otp") == 0 &&
+                 otp_challenge(&otp_ctx, username,
+                            otp_str, sizeof(otp_str)) == 0)
+                 snprintf (prompt, sizeof(prompt), "%s's %s Password: ",
+                            username, otp_str);
+            else
+#endif
+                 strncpy(prompt, "Password: ", sizeof(prompt));
+
+	    if (f_flag == 0) {
+	       ret = read_string(prompt, password, sizeof(password), 0);
+               if (ret == -3) {
+                  ask = 1;
+                  continue;
+               }
+               if (ret == -2)
+                  sig_handler(0);
+            }
+         }
+	
+	if(pwd == NULL){
+	    fprintf(stderr, "Login incorrect.\n");
+	    ask = 1;
+	    continue;
+	}
+
+	if(f_flag == 0 && check_password(pwd, password)){
+	    fprintf(stderr, "Login incorrect.\n");
+            ask = 1;
+	    continue;
+	}
+	ttyn = ttyname(STDIN_FILENO);
+	if(ttyn == NULL){
+	    snprintf(ttname, sizeof(ttname), "%s??", _PATH_TTY);
+	    ttyn = ttname;
+	}
+	if (strncmp (ttyn, _PATH_DEV, strlen(_PATH_DEV)) == 0)
+	    tty = ttyn + strlen(_PATH_DEV);
+	else
+	    tty = ttyn;
+    
+	if (login_access (pwd, remote_host ? remote_host : tty) == 0) {
+	    fprintf(stderr, "Permission denied\n");
+	    if (remote_host)
+		syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s",
+		       pwd->pw_name, remote_host);
+	    else
+		syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s",
+		       pwd->pw_name, tty);
+	    exit (1);
+	}
+        alarm(0);
+	do_login(pwd, tty, ttyn);
+    }
+    exit(1);
+}
diff --git a/crypto/heimdal/appl/login/login_access.c b/crypto/heimdal/appl/login/login_access.c
new file mode 100644
index 0000000..86d691e
--- /dev/null
+++ b/crypto/heimdal/appl/login/login_access.c
@@ -0,0 +1,261 @@
+ /*
+  * This module implements a simple but effective form of login access
+  * control based on login names and on host (or domain) names, internet
+  * addresses (or network numbers), or on terminal line names in case of
+  * non-networked logins. Diagnostics are reported through syslog(3).
+  *
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#include "login_locl.h"
+
+RCSID("$Id: login_access.c,v 1.1 1999/05/17 22:40:05 assar Exp $");
+
+ /* Delimiters for fields and for lists of users, ttys or hosts. */
+
+static char fs[] = ":";			/* field separator */
+static char sep[] = ", \t";		/* list-element separator */
+
+ /* Constants to be used in assignments only, not in comparisons... */
+
+#define YES             1
+#define NO              0
+
+ /*
+  * A structure to bundle up all login-related information to keep the
+  * functional interfaces as generic as possible.
+  */
+struct login_info {
+    struct passwd *user;
+    char   *from;
+};
+
+static int list_match(char *list, struct login_info *item,
+		      int (*match_fn)(char *, struct login_info *));
+static int user_match(char *tok, struct login_info *item);
+static int from_match(char *tok, struct login_info *item);
+static int string_match(char *tok, char *string);
+
+/* login_access - match username/group and host/tty with access control file */
+
+int login_access(struct passwd *user, char *from)
+{
+    struct login_info item;
+    FILE   *fp;
+    char    line[BUFSIZ];
+    char   *perm;			/* becomes permission field */
+    char   *users;			/* becomes list of login names */
+    char   *froms;			/* becomes list of terminals or hosts */
+    int     match = NO;
+    int     end;
+    int     lineno = 0;			/* for diagnostics */
+    char   *foo;
+
+    /*
+     * Bundle up the arguments to avoid unnecessary clumsiness lateron.
+     */
+    item.user = user;
+    item.from = from;
+
+    /*
+     * Process the table one line at a time and stop at the first match.
+     * Blank lines and lines that begin with a '#' character are ignored.
+     * Non-comment lines are broken at the ':' character. All fields are
+     * mandatory. The first field should be a "+" or "-" character. A
+     * non-existing table means no access control.
+     */
+
+    if ((fp = fopen(_PATH_LOGACCESS, "r")) != 0) {
+	while (!match && fgets(line, sizeof(line), fp)) {
+	    lineno++;
+	    if (line[end = strlen(line) - 1] != '\n') {
+		syslog(LOG_ERR, "%s: line %d: missing newline or line too long",
+		       _PATH_LOGACCESS, lineno);
+		continue;
+	    }
+	    if (line[0] == '#')
+		continue;			/* comment line */
+	    while (end > 0 && isspace((unsigned char)line[end - 1]))
+		end--;
+	    line[end] = 0;			/* strip trailing whitespace */
+	    if (line[0] == 0)			/* skip blank lines */
+		continue;
+	    foo = NULL;
+	    if (!(perm = strtok_r(line, fs, &foo))
+		|| !(users = strtok_r(NULL, fs, &foo))
+		|| !(froms = strtok_r(NULL, fs, &foo))
+		|| strtok_r(NULL, fs, &foo)) {
+		syslog(LOG_ERR, "%s: line %d: bad field count", 
+		       _PATH_LOGACCESS,
+		       lineno);
+		continue;
+	    }
+	    if (perm[0] != '+' && perm[0] != '-') {
+		syslog(LOG_ERR, "%s: line %d: bad first field", 
+		       _PATH_LOGACCESS,
+		       lineno);
+		continue;
+	    }
+	    match = (list_match(froms, &item, from_match)
+		     && list_match(users, &item, user_match));
+	}
+	fclose(fp);
+    } else if (errno != ENOENT) {
+	syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS);
+    }
+    return (match == 0 || (line[0] == '+'));
+}
+
+/* list_match - match an item against a list of tokens with exceptions */
+
+static int
+list_match(char *list,
+	   struct login_info *item,
+	   int (*match_fn)(char *, struct login_info *))
+{
+    char   *tok;
+    int     match = NO;
+    char   *foo = NULL;
+
+    /*
+     * Process tokens one at a time. We have exhausted all possible matches
+     * when we reach an "EXCEPT" token or the end of the list. If we do find
+     * a match, look for an "EXCEPT" list and recurse to determine whether
+     * the match is affected by any exceptions.
+     */
+
+    for (tok = strtok_r(list, sep, &foo);
+	 tok != NULL;
+	 tok = strtok_r(NULL, sep, &foo)) {
+	if (strcasecmp(tok, "EXCEPT") == 0)	/* EXCEPT: give up */
+	    break;
+	if ((match = (*match_fn) (tok, item)) != 0)	/* YES */
+	    break;
+    }
+    /* Process exceptions to matches. */
+
+    if (match != NO) {
+	while ((tok = strtok_r(NULL, sep, &foo)) && strcasecmp(tok, "EXCEPT"))
+	     /* VOID */ ;
+	if (tok == 0 || list_match(NULL, item, match_fn) == NO)
+	    return (match);
+    }
+    return (NO);
+}
+
+/* myhostname - figure out local machine name */
+
+static char *myhostname(void)
+{
+    static char name[MAXHOSTNAMELEN + 1] = "";
+
+    if (name[0] == 0) {
+	gethostname(name, sizeof(name));
+	name[MAXHOSTNAMELEN] = 0;
+    }
+    return (name);
+}
+
+/* netgroup_match - match group against machine or user */
+
+static int netgroup_match(char *group, char *machine, char *user)
+{
+#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
+    static char *mydomain = 0;
+
+    if (mydomain == 0)
+	yp_get_default_domain(&mydomain);
+    return (innetgr(group, machine, user, mydomain));
+#else
+    syslog(LOG_ERR, "NIS netgroup support not configured");
+    return 0;
+#endif
+}
+
+/* user_match - match a username against one token */
+
+static int user_match(char *tok, struct login_info *item)
+{
+    char   *string = item->user->pw_name;
+    struct login_info fake_item;
+    struct group *group;
+    int     i;
+    char   *at;
+
+    /*
+     * If a token has the magic value "ALL" the match always succeeds.
+     * Otherwise, return YES if the token fully matches the username, if the
+     * token is a group that contains the username, or if the token is the
+     * name of the user's primary group.
+     */
+
+    if ((at = strchr(tok + 1, '@')) != 0) {	/* split user@host pattern */
+	*at = 0;
+	fake_item.from = myhostname();
+	return (user_match(tok, item) && from_match(at + 1, &fake_item));
+    } else if (tok[0] == '@') {			/* netgroup */
+	return (netgroup_match(tok + 1, (char *) 0, string));
+    } else if (string_match(tok, string)) {	/* ALL or exact match */
+	return (YES);
+    } else if ((group = getgrnam(tok)) != 0) { /* try group membership */
+	if (item->user->pw_gid == group->gr_gid)
+	    return (YES);
+	for (i = 0; group->gr_mem[i]; i++)
+	    if (strcasecmp(string, group->gr_mem[i]) == 0)
+		return (YES);
+    }
+    return (NO);
+}
+
+/* from_match - match a host or tty against a list of tokens */
+
+static int from_match(char *tok, struct login_info *item)
+{
+    char   *string = item->from;
+    int     tok_len;
+    int     str_len;
+
+    /*
+     * If a token has the magic value "ALL" the match always succeeds. Return
+     * YES if the token fully matches the string. If the token is a domain
+     * name, return YES if it matches the last fields of the string. If the
+     * token has the magic value "LOCAL", return YES if the string does not
+     * contain a "." character. If the token is a network number, return YES
+     * if it matches the head of the string.
+     */
+
+    if (tok[0] == '@') {			/* netgroup */
+	return (netgroup_match(tok + 1, string, (char *) 0));
+    } else if (string_match(tok, string)) {	/* ALL or exact match */
+	return (YES);
+    } else if (tok[0] == '.') {			/* domain: match last fields */
+	if ((str_len = strlen(string)) > (tok_len = strlen(tok))
+	    && strcasecmp(tok, string + str_len - tok_len) == 0)
+	    return (YES);
+    } else if (strcasecmp(tok, "LOCAL") == 0) {	/* local: no dots */
+	if (strchr(string, '.') == 0)
+	    return (YES);
+    } else if (tok[(tok_len = strlen(tok)) - 1] == '.'	/* network */
+	       && strncmp(tok, string, tok_len) == 0) {
+	return (YES);
+    }
+    return (NO);
+}
+
+/* string_match - match a string against one token */
+
+static int string_match(char *tok, char *string)
+{
+
+    /*
+     * If the token has the magic value "ALL" the match always succeeds.
+     * Otherwise, return YES if the token fully matches the string.
+     */
+
+    if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
+	return (YES);
+    } else if (strcasecmp(tok, string) == 0) {	/* try exact match */
+	return (YES);
+    }
+    return (NO);
+}
diff --git a/crypto/heimdal/appl/login/login_locl.h b/crypto/heimdal/appl/login/login_locl.h
new file mode 100644
index 0000000..6c5857b
--- /dev/null
+++ b/crypto/heimdal/appl/login/login_locl.h
@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: login_locl.h,v 1.20 2000/08/22 14:05:35 joda Exp $ */
+
+#ifndef __LOGIN_LOCL_H__
+#define __LOGIN_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <signal.h>
+#include <termios.h>
+#include <err.h>
+#include <pwd.h>
+#include <roken.h>
+#include <getarg.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#endif
+#ifdef HAVE_UTMPX_H
+#include <utmpx.h>
+#endif
+#ifdef HAVE_UDB_H
+#include <udb.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_CATEGORY_H
+#include <sys/category.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#endif
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#include <kafs.h>
+
+#ifdef OTP
+#include <otp.h>
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+#ifndef _PATH_TTY
+#define _PATH_TTY "/dev/tty"
+#endif
+#ifndef _PATH_DEV
+#define _PATH_DEV "/dev/"
+#endif
+#ifndef _PATH_NOLOGIN
+#define _PATH_NOLOGIN "/etc/nologin"
+#endif
+#ifndef _PATH_WTMP
+#ifdef WTMP_FILE
+#define _PATH_WTMP WTMP_FILE
+#else
+#define _PATH_WTMP "/var/adm/wtmp"
+#endif
+#endif
+#ifndef _PATH_UTMP
+#ifdef UTMP_FILE
+#define _PATH_UTMP UTMP_FILE
+#else
+#define _PATH_UTMP "/var/adm/utmp"
+#endif
+#endif
+
+#ifndef _PATH_LOGACCESS
+#define _PATH_LOGACCESS "/etc/login.access"
+#endif /* _PATH_LOGACCESS */
+
+#ifndef _PATH_LOGIN_CONF
+#define _PATH_LOGIN_CONF "/etc/login.conf"
+#endif /* _PATH_LOGIN_CONF */
+
+#ifndef _PATH_ETC_ENVIRONMENT
+#define _PATH_ETC_ENVIRONMENT "/etc/environment"
+#endif
+
+#ifndef _PATH_DEFPATH
+#define _PATH_DEFPATH "/usr/bin:/bin"
+#endif
+
+struct spwd;
+
+extern char **env;
+extern int num_env;
+
+#include "login_protos.h"
+
+#endif /* __LOGIN_LOCL_H__ */
diff --git a/crypto/heimdal/appl/login/login_protos.h b/crypto/heimdal/appl/login/login_protos.h
new file mode 100644
index 0000000..4bb8207
--- /dev/null
+++ b/crypto/heimdal/appl/login/login_protos.h
@@ -0,0 +1,87 @@
+/* This is a generated file */
+#ifndef __login_protos_h__
+#define __login_protos_h__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+void
+add_env __P((
+	const char *var,
+	const char *value));
+
+void
+check_shadow __P((
+	const struct passwd *pw,
+	const struct spwd *sp));
+
+char *
+clean_ttyname __P((char *tty));
+
+void
+copy_env __P((void));
+
+int
+do_osfc2_magic __P((uid_t uid));
+
+void
+extend_env __P((char *str));
+
+int
+login_access __P((
+	struct passwd *user,
+	char *from));
+
+char *
+login_conf_get_string __P((const char *str));
+
+int
+login_read_env __P((const char *file));
+
+char *
+make_id __P((char *tty));
+
+void
+prepare_utmp __P((
+	struct utmp *utmp,
+	char *tty,
+	const char *username,
+	const char *hostname));
+
+int
+read_string __P((
+	const char *prompt,
+	char *buf,
+	size_t len,
+	int echo));
+
+void
+shrink_hostname __P((
+	const char *hostname,
+	char *dst,
+	size_t dst_sz));
+
+void
+stty_default __P((void));
+
+void
+utmp_login __P((
+	char *tty,
+	const char *username,
+	const char *hostname));
+
+int
+utmpx_login __P((
+	char *line,
+	const char *user,
+	const char *host));
+
+#endif /* __login_protos_h__ */
diff --git a/crypto/heimdal/appl/login/osfc2.c b/crypto/heimdal/appl/login/osfc2.c
new file mode 100644
index 0000000..056484c
--- /dev/null
+++ b/crypto/heimdal/appl/login/osfc2.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+RCSID("$Id: osfc2.c,v 1.4 2001/02/20 01:44:46 assar Exp $");
+
+int
+do_osfc2_magic(uid_t uid)
+{
+#ifdef HAVE_OSFC2
+    struct es_passwd *epw;
+    char *argv[2];
+    
+    /* fake */
+    argv[0] = (char*)getprogname();
+    argv[1] = NULL;
+    set_auth_parameters(1, argv);
+    
+    epw = getespwuid(uid);
+    if(epw == NULL) {
+	syslog(LOG_AUTHPRIV|LOG_NOTICE, 
+	       "getespwuid failed for %d", uid);
+	printf("Sorry.\n");
+	return 1;
+    }
+    /* We don't check for auto-retired, foo-retired,
+       bar-retired, or any other kind of retired accounts
+       here; neither do we check for time-locked accounts, or
+       any other kind of serious C2 mumbo-jumbo. We do,
+       however, call setluid, since failing to do so is not
+       very good (take my word for it). */
+    
+    if(!epw->uflg->fg_uid) {
+	syslog(LOG_AUTHPRIV|LOG_NOTICE, 
+	       "attempted login by %s (has no uid)", epw->ufld->fd_name);
+	printf("Sorry.\n");
+	return 1;
+    }
+    setluid(epw->ufld->fd_uid);
+    if(getluid() != epw->ufld->fd_uid) {
+	syslog(LOG_AUTHPRIV|LOG_NOTICE, 
+	       "failed to set LUID for %s (%d)", 
+	       epw->ufld->fd_name, epw->ufld->fd_uid);
+	printf("Sorry.\n");
+	return 1;
+    }
+#endif /* HAVE_OSFC2 */
+    return 0;
+}
diff --git a/crypto/heimdal/appl/login/read_string.c b/crypto/heimdal/appl/login/read_string.c
new file mode 100644
index 0000000..f3cee14
--- /dev/null
+++ b/crypto/heimdal/appl/login/read_string.c
@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: read_string.c,v 1.4 2000/06/21 02:09:36 assar Exp $");
+
+static sig_atomic_t intr_flag;
+
+static void
+intr(int sig)
+{
+    intr_flag++;
+}
+
+int
+read_string(const char *prompt, char *buf, size_t len, int echo)
+{
+    struct sigaction sigs[47];
+    struct sigaction sa;
+    FILE *tty;
+    int ret = 0;
+    int of = 0;
+    int i;
+    int c;
+    char *p;
+
+    struct termios t_new, t_old;
+
+    memset(&sa, 0, sizeof(sa));
+    sa.sa_handler = intr;
+    sigemptyset(&sa.sa_mask);
+    sa.sa_flags = 0;
+    for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
+	if (i != SIGALRM) sigaction(i, &sa, &sigs[i]);
+
+    if((tty = fopen("/dev/tty", "r")) == NULL)
+	tty = stdin;
+       
+    fprintf(stderr, "%s", prompt);
+    fflush(stderr);
+
+    if(echo == 0){
+	tcgetattr(fileno(tty), &t_old);
+	memcpy(&t_new, &t_old, sizeof(t_new));
+	t_new.c_lflag &= ~ECHO;
+	tcsetattr(fileno(tty), TCSANOW, &t_new);
+    }
+    intr_flag = 0;
+    p = buf;
+    while(intr_flag == 0){
+	c = getc(tty);
+	if(c == EOF){
+	    if(!ferror(tty))
+		ret = 1;
+	    break;
+	}
+	if(c == '\n')
+	    break;
+	if(of == 0)
+	    *p++ = c;
+	of = (p == buf + len);
+    }
+    if(of)
+	p--;
+    *p = 0;
+    
+    if(echo == 0){
+	printf("\n");
+	tcsetattr(fileno(tty), TCSANOW, &t_old);
+    }
+    
+    if(tty != stdin)
+	fclose(tty);
+
+    for(i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
+	if (i != SIGALRM) sigaction(i, &sigs[i], NULL);
+    
+    if(ret)
+	return -3;
+    if(intr_flag)
+	return -2;
+    if(of)
+	return -1;
+    return 0;
+}
+
+
+#if 0
+int main()
+{
+    char s[128];
+    int ret;
+    ret = read_string("foo: ", s, sizeof(s), 0);
+    printf("%d ->%s<-\n", ret, s);
+}
+#endif
diff --git a/crypto/heimdal/appl/login/shadow.c b/crypto/heimdal/appl/login/shadow.c
new file mode 100644
index 0000000..0923831
--- /dev/null
+++ b/crypto/heimdal/appl/login/shadow.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: shadow.c,v 1.5 1999/12/02 17:04:56 joda Exp $");
+
+#ifdef HAVE_SHADOW_H
+
+#ifndef _PATH_CHPASS
+#define _PATH_CHPASS "/usr/bin/passwd"
+#endif
+
+static int
+change_passwd(const struct passwd *who)
+{
+    int status;
+    pid_t pid;
+
+    switch (pid = fork()) {
+    case -1:
+        printf("fork /bin/passwd");
+        exit(1);
+    case 0:
+        execlp(_PATH_CHPASS, "passwd", who->pw_name, (char *) 0);
+        exit(1);
+    default:
+        waitpid(pid, &status, 0);
+        return (status);
+    }
+}
+
+void 
+check_shadow(const struct passwd *pw, const struct spwd *sp)
+{
+  long today;
+
+  today = time(0)/(24L * 60 * 60);
+  
+  if (sp == NULL)
+      return;
+
+  if (sp->sp_expire > 0) {
+        if (today >= sp->sp_expire) {
+            printf("Your account has expired.\n");
+            sleep(1);
+            exit(0);
+        } else if (sp->sp_expire - today < 14) {
+            printf("Your account will expire in %d days.\n",
+                   (int)(sp->sp_expire - today));
+        }
+  }
+
+  if (sp->sp_max > 0) {
+        if (today >= (sp->sp_lstchg + sp->sp_max)) {
+            printf("Your password has expired. Choose a new one.\n");
+            change_passwd(pw);
+        } else if (sp->sp_warn > 0
+            && (today > (sp->sp_lstchg + sp->sp_max - sp->sp_warn))) {
+            printf("Your password will expire in %d days.\n",
+                   (int)(sp->sp_lstchg + sp->sp_max - today));
+        }
+  }
+}
+#endif /* HAVE_SHADOW_H */
diff --git a/crypto/heimdal/appl/login/stty_default.c b/crypto/heimdal/appl/login/stty_default.c
new file mode 100644
index 0000000..5e38566
--- /dev/null
+++ b/crypto/heimdal/appl/login/stty_default.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: stty_default.c,v 1.8 1999/12/02 17:04:56 joda Exp $");
+
+#include <termios.h>
+
+/* HP-UX 9.0 termios doesn't define these */
+#ifndef FLUSHO
+#define	FLUSHO	0
+#endif
+
+#ifndef XTABS
+#define	XTABS	0
+#endif
+
+#ifndef OXTABS
+#define OXTABS	XTABS
+#endif
+
+/* Ultrix... */
+#ifndef ECHOPRT
+#define ECHOPRT	0
+#endif
+
+#ifndef ECHOCTL
+#define ECHOCTL	0
+#endif
+
+#ifndef ECHOKE
+#define ECHOKE	0
+#endif
+
+#ifndef IMAXBEL
+#define IMAXBEL	0
+#endif
+
+#define Ctl(x) ((x) ^ 0100)
+
+void
+stty_default(void)
+{
+    struct	termios termios;
+
+    /*
+     * Finalize the terminal settings. Some systems default to 8 bits,
+     * others to 7, so we should leave that alone.
+     */
+    tcgetattr(0, &termios);
+
+    termios.c_iflag |= (BRKINT|IGNPAR|ICRNL|IXON|IMAXBEL);
+    termios.c_iflag &= ~IXANY;
+
+    termios.c_lflag |= (ISIG|IEXTEN|ICANON|ECHO|ECHOE|ECHOK|ECHOCTL|ECHOKE);
+    termios.c_lflag &= ~(ECHOPRT|TOSTOP|FLUSHO);
+
+    termios.c_oflag |= (OPOST|ONLCR);
+    termios.c_oflag &= ~OXTABS;
+
+    termios.c_cc[VINTR] = Ctl('C');
+    termios.c_cc[VERASE] = Ctl('H');
+    termios.c_cc[VKILL] = Ctl('U');
+    termios.c_cc[VEOF] = Ctl('D');
+
+    termios.c_cc[VSUSP] = Ctl('Z');
+    
+    tcsetattr(0, TCSANOW, &termios);
+}
diff --git a/crypto/heimdal/appl/login/tty.c b/crypto/heimdal/appl/login/tty.c
new file mode 100644
index 0000000..0ffea72
--- /dev/null
+++ b/crypto/heimdal/appl/login/tty.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: tty.c,v 1.4 1999/12/02 17:04:56 joda Exp $");
+
+/*
+ * Clean the tty name.  Return a pointer to the cleaned version.
+ */
+
+char *
+clean_ttyname (char *tty)
+{
+  char *res = tty;
+
+  if (strncmp (res, _PATH_DEV, strlen(_PATH_DEV)) == 0)
+    res += strlen(_PATH_DEV);
+  if (strncmp (res, "pty/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "ptym/", 5) == 0)
+    res += 5;
+  return res;
+}
+
+/*
+ * Generate a name usable as an `ut_id', typically without `tty'.
+ */
+
+char *
+make_id (char *tty)
+{
+  char *res = tty;
+  
+  if (strncmp (res, "pts/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "tty", 3) == 0)
+    res += 3;
+  return res;
+}
diff --git a/crypto/heimdal/appl/login/utmp_login.c b/crypto/heimdal/appl/login/utmp_login.c
new file mode 100644
index 0000000..0be6cdb
--- /dev/null
+++ b/crypto/heimdal/appl/login/utmp_login.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "login_locl.h"
+
+RCSID("$Id: utmp_login.c,v 1.18 2001/02/08 16:08:26 assar Exp $");
+
+/* try to put something useful from hostname into dst, dst_sz:
+ * full name, first component or address */
+
+void
+shrink_hostname (const char *hostname,
+		 char *dst, size_t dst_sz)
+{
+    char local_hostname[MaxHostNameLen];
+    char *ld, *hd;
+    int ret;
+    struct addrinfo *ai;
+
+    if (strlen(hostname) < dst_sz) {
+	strlcpy (dst, hostname, dst_sz);
+	return;
+    }
+    gethostname (local_hostname, sizeof(local_hostname));
+    hd = strchr (hostname, '.');
+    ld = strchr (local_hostname, '.');
+    if (hd != NULL && ld != NULL && strcmp(hd, ld) == 0
+	&& hd - hostname < dst_sz) {
+	strlcpy (dst, hostname, dst_sz);
+	dst[hd - hostname] = '\0';
+	return;
+    }
+
+    ret = getaddrinfo (hostname, NULL, NULL, &ai);
+    if (ret) {
+	strncpy (dst, hostname, dst_sz);
+	return;
+    }
+    ret = getnameinfo (ai->ai_addr, ai->ai_addrlen,
+		       dst, dst_sz,
+		       NULL, 0,
+		       NI_NUMERICHOST);
+    freeaddrinfo (ai);
+    if (ret) {
+	strncpy (dst, hostname, dst_sz);
+	return;
+    }
+}
+
+void
+prepare_utmp (struct utmp *utmp, char *tty, 
+	      const char *username, const char *hostname)
+{
+    char *ttyx = clean_ttyname (tty);
+
+    memset(utmp, 0, sizeof(*utmp));
+    utmp->ut_time = time(NULL);
+    strncpy(utmp->ut_line, ttyx, sizeof(utmp->ut_line));
+    strncpy(utmp->ut_name, username, sizeof(utmp->ut_name));
+
+# ifdef HAVE_STRUCT_UTMP_UT_USER
+    strncpy(utmp->ut_user, username, sizeof(utmp->ut_user));
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_ADDR
+    if (hostname[0]) {
+        struct hostent *he;
+	if ((he = gethostbyname(hostname)))
+	    memcpy(&utmp->ut_addr, he->h_addr_list[0],
+		   sizeof(utmp->ut_addr));
+    }
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_HOST
+    shrink_hostname (hostname, utmp->ut_host, sizeof(utmp->ut_host));
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_TYPE
+    utmp->ut_type = USER_PROCESS;
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_PID
+    utmp->ut_pid = getpid();
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_ID
+    strncpy(utmp->ut_id, make_id(ttyx), sizeof(utmp->ut_id));
+# endif
+}
+
+#ifdef HAVE_UTMPX_H
+void utmp_login(char *tty, const char *username, const char *hostname)
+{ 
+    return;
+}
+#else
+
+/* update utmp and wtmp - the BSD way */
+
+void utmp_login(char *tty, const char *username, const char *hostname)
+{
+    struct utmp utmp;
+    int fd;
+
+    prepare_utmp (&utmp, tty, username, hostname);
+
+#ifdef HAVE_SETUTENT
+    utmpname(_PATH_UTMP);
+    setutent();
+    pututline(&utmp);
+    endutent();
+#else
+
+#ifdef HAVE_TTYSLOT
+    {
+      int ttyno;
+      ttyno = ttyslot();
+      if (ttyno > 0 && (fd = open(_PATH_UTMP, O_WRONLY, 0)) >= 0) {
+	lseek(fd, (long)(ttyno * sizeof(struct utmp)), SEEK_SET);
+	write(fd, &utmp, sizeof(struct utmp));
+	close(fd);
+      }
+    }
+#endif /* HAVE_TTYSLOT */
+#endif /* HAVE_SETUTENT */
+
+    if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
+	write(fd, &utmp, sizeof(struct utmp));
+	close(fd);
+    }
+}
+#endif /* !HAVE_UTMPX_H */
diff --git a/crypto/heimdal/appl/login/utmpx_login.c b/crypto/heimdal/appl/login/utmpx_login.c
new file mode 100644
index 0000000..46d7f15
--- /dev/null
+++ b/crypto/heimdal/appl/login/utmpx_login.c
@@ -0,0 +1,89 @@
+/* Author: Wietse Venema <wietse@wzv.win.tue.nl> */
+
+#include "login_locl.h"
+
+RCSID("$Id: utmpx_login.c,v 1.25 2001/02/08 16:08:47 assar Exp $");
+
+/* utmpx_login - update utmp and wtmp after login */
+
+#ifndef HAVE_UTMPX_H
+int utmpx_login(char *line, const char *user, const char *host) { return 0; }
+#else
+
+static void
+utmpx_update(struct utmpx *ut, char *line, const char *user, const char *host)
+{
+    struct timeval tmp;
+    char *clean_tty = clean_ttyname(line);
+
+    strncpy(ut->ut_line, clean_tty, sizeof(ut->ut_line));
+#ifdef HAVE_STRUCT_UTMPX_UT_ID
+    strncpy(ut->ut_id, make_id(clean_tty), sizeof(ut->ut_id));
+#endif
+    strncpy(ut->ut_user, user, sizeof(ut->ut_user));
+    shrink_hostname (host, ut->ut_host, sizeof(ut->ut_host));
+#ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN
+    ut->ut_syslen = strlen(host) + 1;
+    if (ut->ut_syslen > sizeof(ut->ut_host))
+        ut->ut_syslen = sizeof(ut->ut_host);
+#endif
+    ut->ut_type = USER_PROCESS;
+    gettimeofday (&tmp, 0);
+    ut->ut_tv.tv_sec = tmp.tv_sec;
+    ut->ut_tv.tv_usec = tmp.tv_usec;
+    pututxline(ut);
+#ifdef WTMPX_FILE
+    updwtmpx(WTMPX_FILE, ut);
+#elif defined(WTMP_FILE)
+    {
+	struct utmp utmp;
+	int fd;
+
+	prepare_utmp (&utmp, line, user, host);
+	if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
+	    write(fd, &utmp, sizeof(struct utmp));
+	    close(fd);
+	}
+    }
+#endif
+}
+
+int
+utmpx_login(char *line, const char *user, const char *host)
+{
+    struct utmpx *ut, save_ut;
+    pid_t   mypid = getpid();
+    int     ret = (-1);
+
+    /*
+     * SYSV4 ttymon and login use tty port names with the "/dev/" prefix
+     * stripped off. Rlogind and telnetd, on the other hand, make utmpx
+     * entries with device names like /dev/pts/nnn. We therefore cannot use
+     * getutxline(). Return nonzero if no utmp entry was found with our own
+     * process ID for a login or user process.
+     */
+
+    while ((ut = getutxent())) {
+        /* Try to find a reusable entry */
+	if (ut->ut_pid == mypid
+	    && (   ut->ut_type == INIT_PROCESS
+		|| ut->ut_type == LOGIN_PROCESS
+		|| ut->ut_type == USER_PROCESS)) {
+	    save_ut = *ut;
+	    utmpx_update(&save_ut, line, user, host);
+	    ret = 0;
+	    break;
+	}
+    }
+    if (ret == -1) {
+        /* Grow utmpx file by one record. */
+        struct utmpx newut;
+	memset(&newut, 0, sizeof(newut));
+	newut.ut_pid = mypid;
+        utmpx_update(&newut, line, user, host);
+	ret = 0;
+    }
+    endutxent();
+    return (ret);
+}
+#endif /* HAVE_UTMPX_H */
diff --git a/crypto/heimdal/appl/otp/ChangeLog b/crypto/heimdal/appl/otp/ChangeLog
new file mode 100644
index 0000000..cffff9e
--- /dev/null
+++ b/crypto/heimdal/appl/otp/ChangeLog
@@ -0,0 +1,40 @@
+2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* otpprint.1: sort parameters and close a list
+
+	* otp.1: sort parameters and close a list
+
+1999-09-14  Assar Westerlund  <assar@sics.se>
+
+	* otp.c (verify_user_otp): check return value from
+ 	des_read_pw_string
+
+Thu Apr  1 16:51:07 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* otpprint.c: use getarg
+
+	* otp.c: use getarg
+
+Thu Mar 18 12:08:58 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Thu Mar  4 19:45:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: DESTDIR
+
+Sat Feb 27 19:44:25 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add
+
+Sun Nov 22 10:32:50 1998  Assar Westerlund  <assar@sics.se>
+
+	* otpprint.c: more braces
+
+	* Makefile.in (WFLAGS): set
+
+Sun Dec 21 09:31:30 1997  Assar Westerlund  <assar@sics.se>
+
+	* otp.c (renew): don't set the OTP if the reading of the string
+ 	fails.
+
diff --git a/crypto/heimdal/appl/otp/Makefile.am b/crypto/heimdal/appl/otp/Makefile.am
new file mode 100644
index 0000000..0597a73
--- /dev/null
+++ b/crypto/heimdal/appl/otp/Makefile.am
@@ -0,0 +1,16 @@
+# $Id: Makefile.am,v 1.9 2000/11/15 22:51:09 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = otp otpprint
+bin_SUIDS = otp
+otp_SOURCES = otp.c otp_locl.h
+otpprint_SOURCES = otpprint.c otp_locl.h
+
+man_MANS = otp.1  otpprint.1
+
+LDADD = \
+	$(top_builddir)/lib/otp/libotp.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
diff --git a/crypto/heimdal/appl/otp/Makefile.in b/crypto/heimdal/appl/otp/Makefile.in
new file mode 100644
index 0000000..7c576b8
--- /dev/null
+++ b/crypto/heimdal/appl/otp/Makefile.in
@@ -0,0 +1,628 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.9 2000/11/15 22:51:09 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = otp otpprint
+bin_SUIDS = otp
+otp_SOURCES = otp.c otp_locl.h
+otpprint_SOURCES = otpprint.c otp_locl.h
+
+man_MANS = otp.1  otpprint.1
+
+LDADD = \
+	$(top_builddir)/lib/otp/libotp.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
+
+subdir = appl/otp
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  otp$(EXEEXT) otpprint$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_otp_OBJECTS =  otp.$(OBJEXT)
+otp_OBJECTS =  $(am_otp_OBJECTS)
+otp_LDADD = $(LDADD)
+otp_DEPENDENCIES =  $(top_builddir)/lib/otp/libotp.la
+otp_LDFLAGS = 
+am_otpprint_OBJECTS =  otpprint.$(OBJEXT)
+otpprint_OBJECTS =  $(am_otpprint_OBJECTS)
+otpprint_LDADD = $(LDADD)
+otpprint_DEPENDENCIES =  $(top_builddir)/lib/otp/libotp.la
+otpprint_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(otp_SOURCES) $(otpprint_SOURCES)
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(otp_SOURCES) $(otpprint_SOURCES)
+OBJECTS = $(am_otp_OBJECTS) $(am_otpprint_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/otp/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+otp$(EXEEXT): $(otp_OBJECTS) $(otp_DEPENDENCIES)
+	@rm -f otp$(EXEEXT)
+	$(LINK) $(otp_LDFLAGS) $(otp_OBJECTS) $(otp_LDADD) $(LIBS)
+
+otpprint$(EXEEXT): $(otpprint_OBJECTS) $(otpprint_DEPENDENCIES)
+	@rm -f otpprint$(EXEEXT)
+	$(LINK) $(otpprint_LDFLAGS) $(otpprint_OBJECTS) $(otpprint_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man uninstall-man tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/otp/otp.1 b/crypto/heimdal/appl/otp/otp.1
new file mode 100644
index 0000000..473a4b0
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otp.1
@@ -0,0 +1,60 @@
+.\" $Id: otp.1,v 1.2 2000/11/29 18:18:22 joda Exp $
+.\"
+.Dd November 17, 1996
+.Dt OTP 1
+.Os KTH-KRB
+.Sh NAME
+.Nm otp
+.Nd
+manages one-time passwords
+.Sh SYNOPSIS
+.Nm otp
+.Op Fl dhlor
+.Op Fl f Ar algorithm
+.Op Fl u Ar user
+.Ar sequence-number
+.Ar seed
+.Sh DESCRIPTION
+The
+.Nm
+program initializes and updates your current series of one-time
+passwords (OTPs).
+.Pp
+Use this to set a new series of one-time passwords.  Only perform this
+on the console or over an encrypted link as you will have to supply
+your pass-phrase.  The other two parameters are
+.Ar sequence-number
+and
+.Ar seed .
+.Pp
+Options are:
+.Bl -tag -width Ds
+.It Fl d
+To delete a one-time password.
+.It Fl f
+Choose a different
+.Ar algorithm
+from the default md5.  Pick any of: md4, md5, and sha.
+.It Fl h
+For getting a help message.
+.It Fl l
+List the current table of one-time passwords.
+.It Fl o
+To open (unlock) the otp-entry for a user.
+.It Fl r
+To renew a one-time password series.  This operation can be performed
+over an potentially eavesdropped link because you do not supply the
+pass-phrase.  First you need to supply the current one-time password
+and then the new one corresponding to the supplied
+.Ar sequence-number
+and
+.Ar seed .
+.It Fl u
+To choose a different
+.Ar user
+to set one-time passwords for.  This only works when running
+.Nm
+as root.
+.El
+.Sh SEE ALSO
+.Xr otpprint 1
diff --git a/crypto/heimdal/appl/otp/otp.c b/crypto/heimdal/appl/otp/otp.c
new file mode 100644
index 0000000..66de4e0
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otp.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (c) 1995-1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "otp_locl.h"
+#include <getarg.h>
+
+RCSID("$Id: otp.c,v 1.33 2001/02/20 01:44:46 assar Exp $");
+
+static int listp;
+static int deletep;
+static int openp;
+static int renewp;
+static char* alg_string;
+static char *user;
+static int version_flag;
+static int help_flag;
+
+struct getargs args[] = {
+    { "list", 'l', arg_flag, &listp, "list OTP status" },
+    { "delete", 'd', arg_flag, &deletep, "delete OTP" },
+    { "open", 'o', arg_flag, &openp, "open a locked OTP" },
+    { "renew", 'r', arg_flag, &renewp, "securely renew OTP" },
+    { "hash", 'f', arg_string, &alg_string, 
+      "hash algorithm (md4, md5, or sha)", "algorithm"},
+    { "user", 'u', arg_string, &user, 
+      "user other than current user (root only)", "user" },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 'h', arg_flag, &help_flag }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "[num seed]");
+    exit(code);
+}
+
+/* 
+ * Renew the OTP for a user. 
+ * The pass-phrase is not required (RFC 1938/8.0)
+ */
+
+static int
+renew (int argc, char **argv, OtpAlgorithm *alg, char *user)
+{
+    OtpContext newctx, *ctx;
+    char prompt[128];
+    char pw[64];
+    void *dbm;
+    int ret;
+
+    newctx.alg = alg;
+    newctx.user = user;
+    newctx.n = atoi (argv[0]);
+    strlcpy (newctx.seed, argv[1], sizeof(newctx.seed));
+    strlwr(newctx.seed);
+    snprintf (prompt, sizeof(prompt),
+	      "[ otp-%s %u %s ]",
+	      newctx.alg->name,
+	      newctx.n, 
+	      newctx.seed);
+    if (des_read_pw_string (pw, sizeof(pw), prompt, 0) == 0 &&
+	otp_parse (newctx.key, pw, alg) == 0) {
+	ctx = &newctx;
+	ret = 0;
+    } else
+	return 1;
+
+    dbm = otp_db_open ();
+    if (dbm == NULL) {
+	warnx ("otp_db_open failed");
+	return 1;
+    }
+    otp_put (dbm, ctx);
+    otp_db_close (dbm);
+    return ret;
+}
+
+/*
+ * Return 0 if the user could enter the next OTP.
+ * I would rather have returned !=0 but it's shell-like here around.
+ */
+
+static int 
+verify_user_otp(char *username)
+{
+    OtpContext ctx;
+    char passwd[OTP_MAX_PASSPHRASE + 1];
+    char prompt[128], ss[256];
+
+    if (otp_challenge (&ctx, username, ss, sizeof(ss)) != 0) {
+	warnx("no otp challenge found for %s", username);
+	return 1; 
+    }
+
+    snprintf (prompt, sizeof(prompt), "%s's %s Password: ", username, ss);
+    if(des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0))
+	return 1;
+    return otp_verify_user (&ctx, passwd);
+}
+
+/* 
+ * Set the OTP for a user
+ */
+
+static int
+set (int argc, char **argv, OtpAlgorithm *alg, char *user)
+{
+    void *db;
+    OtpContext ctx;
+    char pw[OTP_MAX_PASSPHRASE + 1];
+    int ret;
+    int i;
+
+    ctx.alg = alg;
+    ctx.user = strdup (user);
+    if (ctx.user == NULL)
+	err (1, "out of memory");
+
+    ctx.n = atoi (argv[0]);
+    strlcpy (ctx.seed, argv[1], sizeof(ctx.seed));
+    strlwr(ctx.seed);
+    do {
+	if (des_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 1))
+	    return 1;
+	if (strlen (pw) < OTP_MIN_PASSPHRASE)
+	    printf ("Too short pass-phrase.  Use at least %d characters\n",
+		    OTP_MIN_PASSPHRASE);
+    } while(strlen(pw) < OTP_MIN_PASSPHRASE);
+    ctx.alg->init (ctx.key, pw, ctx.seed);
+    for (i = 0; i < ctx.n; ++i)
+	ctx.alg->next (ctx.key);
+    db = otp_db_open ();
+    if(db == NULL) {
+	free (ctx.user);
+	err (1, "otp_db_open failed");
+    }
+    ret = otp_put (db, &ctx);
+    otp_db_close (db);
+    free (ctx.user);
+    return ret;
+}
+
+/*
+ * Delete otp of user from the database
+ */
+
+static int
+delete_otp (int argc, char **argv, char *user)
+{
+    void *db;
+    OtpContext ctx;
+    int ret;
+
+    db = otp_db_open ();
+    if(db == NULL)
+	errx (1, "otp_db_open failed");
+
+    ctx.user = user;
+    ret = otp_delete(db, &ctx);
+    otp_db_close (db);
+    return ret;
+}
+
+/* 
+ * Tell whether the user has an otp
+ */
+
+static int
+has_an_otp(char *user)
+{
+    void *db;
+    OtpContext ctx;
+    int ret;
+
+    db = otp_db_open ();
+    if(db == NULL) {
+	warnx ("otp_db_open failed");
+	return 0; /* if no db no otp! */
+    }
+  
+    ctx.user = user;
+    ret = otp_simple_get(db, &ctx); 
+
+    otp_db_close (db);
+    return !ret;
+}
+
+/*
+ * Get and print out the otp entry for some user
+ */
+
+static void
+print_otp_entry_for_name (void *db, char *user)
+{
+    OtpContext ctx;
+
+    ctx.user = user;
+    if (!otp_simple_get(db, &ctx)) {
+	fprintf(stdout,
+		"%s\totp-%s %d %s",
+		ctx.user, ctx.alg->name, ctx.n, ctx.seed);
+	if (ctx.lock_time)
+	    fprintf(stdout,
+		    "\tlocked since %s",
+		    ctime(&ctx.lock_time));
+	else
+	    fprintf(stdout, "\n");
+    }
+}
+
+static int
+open_otp (int argc, char **argv, char *user)
+{
+    void *db;
+    OtpContext ctx;
+    int ret;
+
+    db = otp_db_open ();
+    if (db == NULL)
+	errx (1, "otp_db_open failed");
+  
+    ctx.user = user;
+    ret = otp_simple_get (db, &ctx);
+    if (ret == 0)
+	ret = otp_put (db, &ctx);
+    otp_db_close (db);
+    return ret;
+}
+
+/*
+ * Print otp entries for one or all users
+ */
+
+static int
+list_otps (int argc, char **argv, char *user)
+{
+    void *db;
+    struct passwd *pw;
+
+    db = otp_db_open ();
+    if(db == NULL)
+	errx (1, "otp_db_open failed");
+
+    if (user)
+	print_otp_entry_for_name(db, user);
+    else
+	/* scans all users... so as to get a deterministic order */
+	while ((pw = getpwent()))
+	    print_otp_entry_for_name(db, pw->pw_name);
+
+    otp_db_close (db);
+    return 0;
+}
+
+int
+main (int argc, char **argv)
+{
+    int defaultp = 0;
+    int uid = getuid();
+    OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
+    int optind = 0;
+  
+    setprogname (argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(deletep && uid != 0)
+	errx (1, "Only root can delete OTPs");
+    if(alg_string) {
+	alg = otp_find_alg (alg_string);
+	if (alg == NULL)
+	    errx (1, "Unknown algorithm: %s", alg_string);
+    }
+    if (user && uid != 0)
+	errx (1, "Only root can use `-u'");
+    argc -= optind;
+    argv += optind;
+
+    if (!(listp || deletep || renewp || openp))
+	defaultp = 1;
+
+    if ( listp + deletep + renewp + defaultp + openp != 1) 
+	usage(1); /* one of -d or -l or -r or none */
+
+    if(deletep || openp || listp) {
+	if(argc != 0)
+	    errx(1, "delete, open, and list requires no arguments\n");
+    } else {
+	if(argc != 2)
+	    errx(1, "setup, and renew requires `num', and `seed'");
+    }
+    if (listp)
+	return list_otps (argc, argv, user);
+
+    if (user == NULL) {
+	struct passwd *pwd;
+
+	pwd = k_getpwuid(uid);
+	if (pwd == NULL)
+	    err (1, "You don't exist");
+	user = pwd->pw_name;
+    }
+  
+    /*
+     * users other that root must provide the next OTP to update the sequence.
+     * it avoids someone to use a pending session to change an OTP sequence.
+     * see RFC 1938/8.0.
+     */
+    if (uid != 0 && (defaultp || renewp)) {
+	if (!has_an_otp(user)) {
+	    errx (1, "Only root can set an initial OTP");
+	} else { /* Check the next OTP (RFC 1938/8.0: SHOULD) */
+	    if (verify_user_otp(user) != 0) {
+		errx (1, "User authentification failed");
+	    }
+	}
+    }
+
+    if (deletep)
+	return delete_otp (argc, argv, user);
+    else if (renewp)
+	return renew (argc, argv, alg, user);
+    else if (openp)
+	return open_otp (argc, argv, user);
+    else
+	return set (argc, argv, alg, user);
+}
diff --git a/crypto/heimdal/appl/otp/otp.cat1 b/crypto/heimdal/appl/otp/otp.cat1
new file mode 100644
index 0000000..588bcc2
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otp.cat1
@@ -0,0 +1,43 @@
+
+OTP(1)                       UNIX Reference Manual                      OTP(1)
+
+NNAAMMEE
+     oottpp - manages one-time passwords
+
+SSYYNNOOPPSSIISS
+     oottpp [--ddhhlloorr] [--ff _a_l_g_o_r_i_t_h_m] [--uu _u_s_e_r] _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r _s_e_e_d
+
+DDEESSCCRRIIPPTTIIOONN
+     The oottpp program initializes and updates your current series of one-time
+     passwords (OTPs).
+
+     Use this to set a new series of one-time passwords.  Only perform this on
+     the console or over an encrypted link as you will have to supply your
+     pass-phrase.  The other two parameters are _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and _s_e_e_d.
+
+     Options are:
+
+     --dd      To delete a one-time password.
+
+     --ff      Choose a different _a_l_g_o_r_i_t_h_m from the default md5.  Pick any of:
+             md4, md5, and sha.
+
+     --hh      For getting a help message.
+
+     --ll      List the current table of one-time passwords.
+
+     --oo      To open (unlock) the otp-entry for a user.
+
+     --rr      To renew a one-time password series.  This operation can be per-
+             formed over an potentially eavesdropped link because you do not
+             supply the pass-phrase.  First you need to supply the current
+             one-time password and then the new one corresponding to the sup-
+             plied _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and _s_e_e_d.
+
+     --uu      To choose a different _u_s_e_r to set one-time passwords for.  This
+             only works when running oottpp as root.
+
+SSEEEE AALLSSOO
+     otpprint(1)
+
+ KTH-KRB                       November 17, 1996                             1
diff --git a/crypto/heimdal/appl/otp/otp_locl.h b/crypto/heimdal/appl/otp/otp_locl.h
new file mode 100644
index 0000000..971ec68
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otp_locl.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: otp_locl.h,v 1.8 2001/02/15 04:20:51 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <roken.h>
+#include <err.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+#include <otp.h>
diff --git a/crypto/heimdal/appl/otp/otpprint.1 b/crypto/heimdal/appl/otp/otpprint.1
new file mode 100644
index 0000000..7f7d5be
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otpprint.1
@@ -0,0 +1,52 @@
+.\" $Id: otpprint.1,v 1.4 2001/06/08 20:44:46 assar Exp $
+.\"
+.Dd November 17, 1996
+.Dt OTP 1
+.Os KTH-KRB
+.Sh NAME
+.Nm otpprint
+.Nd
+print lists of one-time passwords
+.Sh SYNOPSIS
+.Nm otp
+.Op Fl n Ar count
+.Op Fl e
+.Op Fl h
+.Op Fl f Ar algorithm
+.Ar sequence-number
+.Ar seed
+.Sh DESCRIPTION
+The
+.Nm
+program prints lists of OTPs.
+.Pp
+Use this to print out a series of one-time passwords.  You will have
+to supply the
+.Ar sequence number
+and the
+.Ar seed
+as arguments and then the program will prompt you for your pass-phrase.
+.Pp
+There are several different print formats.  The default is to print
+each password with six short english words.
+.Pp
+Options are:
+.Bl -tag -width Ds
+.It Fl e
+Print the passwords in ``extended'' format.  In this format a prefix
+that says ``hex:'' or ``word:'' is included.
+.It Fl f
+To choose a different
+.Ar algorithm
+from the default md5.  Pick any of: md4, md5, and sha.
+.It Fl h
+Print the passwords in hex.
+.It Fl n
+Print
+.Ar count
+one-time passwords, starting at
+.Ar sequence-number
+and going backwards. The default is 10.
+.El
+.Sh SEE ALSO
+.Xr otp 1
diff --git a/crypto/heimdal/appl/otp/otpprint.c b/crypto/heimdal/appl/otp/otpprint.c
new file mode 100644
index 0000000..b1d0a84
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otpprint.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "otp_locl.h"
+#include <getarg.h>
+
+RCSID("$Id: otpprint.c,v 1.14 2001/02/20 01:44:46 assar Exp $");
+
+static int extendedp;
+static int count = 10;
+static int hexp;
+static char* alg_string;
+static int version_flag;
+static int help_flag;
+
+struct getargs args[] = {
+    { "extended", 'e', arg_flag, &extendedp, "print keys in extended format" },
+    { "count", 'n', arg_integer, &count, "number of keys to print" },
+    { "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal" },
+    { "hash", 'f', arg_string, &alg_string, 
+      "hash algorithm (md4, md5, or sha)", "algorithm"},
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "num seed");
+    exit(code);
+}
+
+static int
+print (int argc,
+       char **argv,
+       int count,
+       OtpAlgorithm *alg,
+       void (*print_fn)(OtpKey, char *, size_t))
+{
+  char pw[64];
+  OtpKey key;
+  int n;
+  int i;
+  char *seed;
+
+  if (argc != 2)
+      usage (1);
+  n = atoi(argv[0]);
+  seed = argv[1];
+  if (des_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 0))
+    return 1;
+  alg->init (key, pw, seed);
+  for (i = 0; i < n; ++i) {
+    char s[64];
+
+    alg->next (key);
+    if (i >= n - count) {
+      (*print_fn)(key, s, sizeof(s));
+      printf ("%d: %s\n", i + 1, s);
+    }
+  }
+  return 0;
+}
+
+int
+main (int argc, char **argv)
+{
+    int optind = 0;
+    void (*fn)(OtpKey, char *, size_t);
+    OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
+
+    setprogname (argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(alg_string) {
+	alg = otp_find_alg (alg_string);
+	if (alg == NULL)
+	    errx(1, "Unknown algorithm: %s", alg_string);
+    }
+    argc -= optind;
+    argv += optind;
+
+    if (hexp) {
+	if (extendedp)
+	    fn = otp_print_hex_extended;
+	else
+	    fn = otp_print_hex;
+    } else {
+	if (extendedp)
+	    fn = otp_print_stddict_extended;
+	else
+	    fn = otp_print_stddict;
+    }
+
+    return print (argc, argv, count, alg, fn);
+}
diff --git a/crypto/heimdal/appl/otp/otpprint.cat1 b/crypto/heimdal/appl/otp/otpprint.cat1
new file mode 100644
index 0000000..1c4d244
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otpprint.cat1
@@ -0,0 +1,36 @@
+
+OTP(1)                       UNIX Reference Manual                      OTP(1)
+
+NNAAMMEE
+     oottpppprriinntt - print lists of one-time passwords
+
+SSYYNNOOPPSSIISS
+     oottpp [--nn _c_o_u_n_t] [--ee] [--hh] [--ff _a_l_g_o_r_i_t_h_m] _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r _s_e_e_d
+
+DDEESSCCRRIIPPTTIIOONN
+     The oottpppprriinntt program prints lists of OTPs.
+
+     Use this to print out a series of one-time passwords.  You will have to
+     supply the _s_e_q_u_e_n_c_e _n_u_m_b_e_r and the _s_e_e_d as arguments and then the program
+     will prompt you for your pass-phrase.
+
+     There are several different print formats.  The default is to print each
+     password with six short english words.
+
+     Options are:
+
+     --ee      Print the passwords in ``extended'' format.  In this format a
+             prefix that says ``hex:'' or ``word:'' is included.
+
+     --ff      To choose a different _a_l_g_o_r_i_t_h_m from the default md5.  Pick any
+             of: md4, md5, and sha.
+
+     --hh      Print the passwords in hex.
+
+     --nn      Print _c_o_u_n_t one-time passwords, starting at _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and
+             going backwards. The default is 10.
+
+SSEEEE AALLSSOO
+     otp(1)
+
+ KTH-KRB                       November 17, 1996                             1
diff --git a/crypto/heimdal/appl/popper/ChangeLog b/crypto/heimdal/appl/popper/ChangeLog
new file mode 100644
index 0000000..8c85793
--- /dev/null
+++ b/crypto/heimdal/appl/popper/ChangeLog
@@ -0,0 +1,169 @@
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* pop_init.c (pop_init): handle krb5_init_context failure
+	consistently
+	* pop_debug.c (doit_v5): handle krb5_init_context failure
+	consistently
+
+2000-06-10  Assar Westerlund  <assar@sics.se>
+
+	* pop_init.c (krb4_authenticate): do not exit on failure, just
+	return
+	(krb5_authenticate): log errors from krb5_recvauth
+
+2000-04-12  Assar Westerlund  <assar@sics.se>
+
+	* *.c: replace all erroneous calls to pop_log with POP_FAILURE
+	with POP_PRIORITY.  reported by Janne Johansson <jj@it.kth.se>'
+
+2000-01-27  Assar Westerlund  <assar@sics.se>
+
+	* pop_debug.c (main): figure out port number
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* pop_init.c (pop_init): use getnameinfo_verified
+
+	* pop_debug.c (get_socket): use getaddrinfo
+
+1999-12-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pop_init.c: optionally trace connected addresses to a file
+
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* pop_debug.c (main): redo the v4/v5 selection for consistency.
+  	-4 -> try only v4 -5 -> try only v5 none, -45 -> try v5, v4
+
+1999-10-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pop_init.c (krb5_authenticate): don't use the principal
+	associated with the socket for authentication, instead let
+	krb5_rd_req pick the correct one from the ticket; just check that
+	it actually was a pop-ticket
+
+1999-08-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pop_init.c (pop_init): don't freehostent if ch == NULL
+
+	* pop_dele.c: implement XDELE to delete a range of messages
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* pop_init.c: v6-ify
+
+	* pop_debug.c: v6-ify
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* pop_debug.c (doit_v5): call krb5_sendauth with ccache == NULL
+	
+1999-04-11  Assar Westerlund  <assar@sics.se>
+
+	* pop_debug.c (main): use print_version
+
+Thu Apr  8 15:07:11 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* pop_pass.c: remove definition of KRB_VERIFY_USER (moved to
+ 	config.h)
+
+Thu Mar 18 12:55:42 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* pop_pass.c: define KRB_VERIFY_SECURE if not defined
+
+	* Makefile.am: include Makefile.am.common
+
+Wed Mar 17 23:36:21 1999  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c (krb4_verify_password): use KRB_VERIFY_SECURE instead
+ 	of 1
+
+Tue Mar 16 22:28:52 1999  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c: krb_verify_user_multiple -> krb_verify_user
+
+Sat Mar 13 22:17:29 1999  Assar Westerlund  <assar@sics.se>
+
+	* pop_parse.c (pop_parse): cast when calling is* to get rid of a
+ 	warning
+
+Mon Mar  8 11:50:06 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* pop_init.c: use print_version
+
+Fri Mar  5 15:14:29 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* pop_send.c: fix handling of messages w/o body
+
+Sun Nov 22 10:33:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c (pop_pass): try to always log
+
+	* Makefile.in (WFLAGS): set
+
+Fri Jul 10 01:14:25 1998  Assar Westerlund  <assar@sics.se>
+
+	* pop_init.c: s/net_read/pop_net_read/
+
+Tue Jun  2 17:33:54 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* pop_send.c: add missing newlines
+
+Sun May 24 20:59:45 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* maildir.c (make_path): fix reversed args
+
+Sat May 16 00:02:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: link with DBLIB
+
+Sun Apr 26 11:47:58 1998  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c (pop_pass): check return value from changeuser
+
+	* pop_dropcopy.c (changeuser): check that `setuid' and `setgid'
+ 	succeeded.
+
+	* popper.h: changeuser now returns int
+
+Thu Apr 23 00:54:38 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Add support for maildir spoolfiles.
+
+	* popper.h (MsgInfoList): replace `del_flag' and `retr_flag' with
+	single `flags'
+
+	* pop_dropcopy.c: Fix mismatched parenthesis.
+
+Sat Apr  4 15:13:56 1998  Assar Westerlund  <assar@sics.se>
+
+	* pop_dropcopy.c (pop_dropcopy): first do mkstemp and then fdopen.
+  	Originally from <map@stacken.kth.se>
+
+	* popper.h: include <io.h>
+
+Sat Feb  7 10:07:39 1998  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c(krb4_verify_password: Don't use REALM_SZ + 1, just
+ 	REALM_SZ
+
+Mon Dec 29 16:37:26 1997  Assar Westerlund  <assar@sics.se>
+
+	* pop_updt.c (pop_updt): lseek before ftruncating the file.  From
+ 	<map@stacken.kth.se>
+
+Sat Nov 22 13:46:39 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* pop_pass.c: Destroy tickets after verification.
+
+Sun Nov  9 09:11:14 1997  Assar Westerlund  <assar@sics.se>
+
+	* pop_dropinfo.c: be careful with mails without msg-id, subject,
+ 	or from
+
+Wed Oct 29 02:09:24 1997  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c: conditionalize OTP-support
+
+	* pop_init.c: conditionalize OTP-support
+
diff --git a/crypto/heimdal/appl/popper/Makefile.am b/crypto/heimdal/appl/popper/Makefile.am
new file mode 100644
index 0000000..d52d0cf
--- /dev/null
+++ b/crypto/heimdal/appl/popper/Makefile.am
@@ -0,0 +1,29 @@
+# $Id: Makefile.am,v 1.13 2000/11/15 22:51:09 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+noinst_PROGRAMS = pop_debug
+
+libexec_PROGRAMS = popper
+
+popper_SOURCES = \
+	pop_dele.c pop_dropcopy.c pop_dropinfo.c \
+	pop_get_command.c pop_init.c \
+	pop_last.c pop_list.c pop_log.c \
+	pop_msg.c pop_parse.c pop_pass.c pop_quit.c \
+	pop_rset.c pop_send.c pop_stat.c pop_updt.c \
+	pop_user.c pop_uidl.c pop_xover.c popper.c \
+	maildir.c popper.h version.h
+
+EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \
+	popper.README.release README-FIRST README-KRB4
+
+LDADD = \
+	$(LIB_otp) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
diff --git a/crypto/heimdal/appl/popper/Makefile.in b/crypto/heimdal/appl/popper/Makefile.in
new file mode 100644
index 0000000..0185f12
--- /dev/null
+++ b/crypto/heimdal/appl/popper/Makefile.in
@@ -0,0 +1,623 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.13 2000/11/15 22:51:09 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_PROGRAMS = pop_debug
+
+libexec_PROGRAMS = popper
+
+popper_SOURCES = \
+	pop_dele.c pop_dropcopy.c pop_dropinfo.c \
+	pop_get_command.c pop_init.c \
+	pop_last.c pop_list.c pop_log.c \
+	pop_msg.c pop_parse.c pop_pass.c pop_quit.c \
+	pop_rset.c pop_send.c pop_stat.c pop_updt.c \
+	pop_user.c pop_uidl.c pop_xover.c popper.c \
+	maildir.c popper.h version.h
+
+
+EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \
+	popper.README.release README-FIRST README-KRB4
+
+
+LDADD = \
+	$(LIB_otp) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
+
+subdir = appl/popper
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+libexec_PROGRAMS =  popper$(EXEEXT)
+noinst_PROGRAMS =  pop_debug$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS) $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+pop_debug_SOURCES = pop_debug.c
+pop_debug_OBJECTS =  pop_debug.$(OBJEXT)
+pop_debug_LDADD = $(LDADD)
+@KRB5_FALSE@pop_debug_DEPENDENCIES = 
+@KRB5_TRUE@pop_debug_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+pop_debug_LDFLAGS = 
+am_popper_OBJECTS =  pop_dele.$(OBJEXT) pop_dropcopy.$(OBJEXT) \
+pop_dropinfo.$(OBJEXT) pop_get_command.$(OBJEXT) pop_init.$(OBJEXT) \
+pop_last.$(OBJEXT) pop_list.$(OBJEXT) pop_log.$(OBJEXT) \
+pop_msg.$(OBJEXT) pop_parse.$(OBJEXT) pop_pass.$(OBJEXT) \
+pop_quit.$(OBJEXT) pop_rset.$(OBJEXT) pop_send.$(OBJEXT) \
+pop_stat.$(OBJEXT) pop_updt.$(OBJEXT) pop_user.$(OBJEXT) \
+pop_uidl.$(OBJEXT) pop_xover.$(OBJEXT) popper.$(OBJEXT) \
+maildir.$(OBJEXT)
+popper_OBJECTS =  $(am_popper_OBJECTS)
+popper_LDADD = $(LDADD)
+@KRB5_FALSE@popper_DEPENDENCIES = 
+@KRB5_TRUE@popper_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+popper_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  pop_debug.c $(popper_SOURCES)
+depcomp = 
+DIST_COMMON =  README ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = pop_debug.c $(popper_SOURCES)
+OBJECTS = pop_debug.$(OBJEXT) $(am_popper_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/popper/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+pop_debug$(EXEEXT): $(pop_debug_OBJECTS) $(pop_debug_DEPENDENCIES)
+	@rm -f pop_debug$(EXEEXT)
+	$(LINK) $(pop_debug_LDFLAGS) $(pop_debug_OBJECTS) $(pop_debug_LDADD) $(LIBS)
+
+popper$(EXEEXT): $(popper_OBJECTS) $(popper_DEPENDENCIES)
+	@rm -f popper$(EXEEXT)
+	$(LINK) $(popper_LDFLAGS) $(popper_OBJECTS) $(popper_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-noinstPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-noinstPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-noinstPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/popper/README b/crypto/heimdal/appl/popper/README
new file mode 100644
index 0000000..0735fdd
--- /dev/null
+++ b/crypto/heimdal/appl/popper/README
@@ -0,0 +1,381 @@
+@(#)@(#)README	2.6   2.6 4/2/91
+
+
+The Post Office Protocol Server:  Installation Guide
+
+
+
+Introduction
+
+The Post Office Protocol server runs on a variety of Unix[1] computers
+to manage electronic mail for Macintosh and MS-DOS computers.  The
+server was developed at the University of California at Berkeley and
+conforms fully to the specifications in RFC 1081[2] and RFC 1082[3].
+The Berkeley server also has extensions to send electronic mail on
+behalf of a client.
+
+This guide explains how to install the POP server on your Unix
+computer.  It assumes that you are not only familiar with Unix but also
+capable of performing Unix system administration.
+
+
+How to Obtain the Server
+
+The POP server is available via anonymous ftp from ftp.CC.Berkeley.EDU
+(128.32.136.9, 128.32.206.12).  It is in two files in the pub directory:
+a compressed tar file popper-version.tar.Z and a Macintosh StuffIt archive
+in BinHex format called MacPOP.sit.hqx.
+
+
+Contents of the Distribution
+
+The distribution contains the following:
+
++   All of the C source necessary to create the server program.
+
++   A visual representation of how the POP system works.
+
++   Reprints of RFC 1081 and RFC 1082.
+
++   A HyperCard stack POP client implementation using MacTCP.
+
++   A man page for the popper daemon.
+
++   This guide.
+
+
+Compatibility
+
+The Berkeley POP server has been successfully tested on the following
+Unix operating systems:
+
++   Berkeley Systems Distribution 4.3
+
++   Sun Microsystems Operating System versions 3.5 and 4.0
+
++   Ultrix version 2.3
+
+The following POP clients operate correctly with the Berkeley POP server:
+
++   The Berkeley HyperMail HyperCard stack for the Apple Macintosh 
+    (distributed with the server).
+
++   The Stanford University Macintosh Internet Protocol MacMH program.
+
++   The Stanford University Personal Computer Internet Protocol MH 
+    program.
+
++   The mh version 6.0 programs for Unix.
+
+
+Support
+
+The Berkeley POP server is not officially supported and is without any
+warranty, explicit or implied.  However, we are interested in your
+experiences using the server.  Bugs, comments and suggestions should be
+sent electronically to netinfo@garnet.Berkeley.EDU.
+
+
+Operational Characteristics
+
+The POP Transaction Cycle
+
+The Berkeley POP server is a single program (called popper) that is
+launched by inetd when it gets a service request on the POP TCP port.
+(The official port number specified in RFC 1081 for POP version 3 is
+port 110.  However, some POP3 clients attempt to contact the server at
+port 109, the POP version 2 port.  Unless you are running both POP2 and
+POP3 servers, you can simply define both ports for use by the POP3
+server.  This is explained in the installation instructions later on.)
+The popper program initializes and verifies that the peer IP address is
+registered in the local domain, logging a warning message when a
+connection is made to a client whose IP address does not have a
+canonical name.  For systems using BSD 4.3 bind, it also checks to see
+if a cannonical name lookup for the client returns the same peer IP
+address, logging a warning message if it does not.  The the server
+enters the authorization state, during which the client must correctly
+identify itself by providing a valid Unix userid and password on the
+server's host machine.  No other exchanges are allowed during this
+state (other than a request to quit.)  If authentication fails, a
+warning message is logged and the session ends.  Once the user is
+identified, popper changes its user and group ids to match that of the
+user and enters the transaction state.  The server makes a temporary
+copy of the user's maildrop (ordinarily in /usr/spool/mail) which is
+used for all subsequent transactions.  These include the bulk of POP
+commands to retrieve mail, delete mail, undelete mail, and so forth.  A
+Berkeley extension also allows the user to submit a mail parcel to the
+server who mails it using the sendmail program (this extension is
+supported in the HyperMail client distributed with the server).  When
+the client quits, the server enters the final update state during which
+the network connection is terminated and the user's maildrop is updated
+with the (possibly) modified temporary maildrop.
+
+
+Logging
+
+The POP server uses syslog to keep a record of its activities.  On
+systems with BSD 4.3 syslogging, the server logs (by default) to the
+"local0" facility at priority "notice" for all messages except
+debugging which is logged at priority "debug".  The default log file is
+/usr/spool/mqueue/POPlog.  These can be changed, if desired.  On
+systems with 4.2 syslogging all messages are logged to the local log
+file, usually /usr/spool/mqueue/syslog.
+
+Problems
+
+If the filesystem which holds the /usr/spool/mail fills up users will 
+experience difficulties.  The filesystem must have enough space to hold
+(approximately) two copies of the largest mail box.  Popper (v1.81 and
+above) is designed to be robust in the face of this problem, but you may
+end up with a situation where some of the user's mail is in
+
+	/usr/spool/mail/.userid.pop
+
+and some of the mail is in
+
+	/usr/spool/mail/userid
+
+If this happens the System Administrator should clear enough disk space
+so that the filesystem has at least as much free disk as both mailboxes
+hold and probably a little more.  Then the user should initiate a POP
+session, and do nothing but quit.  If the POP session ends without an
+error the user can then use POP or another mail program to clean up his/her
+mailbox.
+
+Alternatively, the System Administrator can combine the two files (but
+popper will do this for you if there is enough disk space).
+
+
+Debugging
+
+The popper program will log debugging information when the -d parameter
+is specified after its invocation in the inetd.conf file.  Care should
+be exercised in using this option since it generates considerable
+output in the syslog file.  Alternatively, the "-t <file-name>" option
+will place debugging information into file "<file-name>" using fprintf
+instead of syslog.  (To enable debugging, you must edit the Makefile
+to add -DDEBUG to the compiler options.)
+
+For SunOS version 3.5, the popper program is launched by inetd from
+/etc/servers.  This file does not allow you to specify command line
+arguments.  Therefore, if you want to enable debugging, you can specify
+a shell script in /etc/servers to be launched instead of popper and in
+this script call popper with the desired arguments.
+
+
+Installation
+
+1.  Examine this file for the latest information, warnings, etc.
+
+2.  Check the Makefile for conformity with your system.
+
+3.  Issue the make command in the directory containing the popper 
+    source.
+
+4.  Issue the make install command in the directory containing the 
+    popper source to copy the program to /usr/etc.
+
+5.  Enable syslogging:
+
+    +   For systems with 4.3 syslogging:
+
+        Add the following line to the /etc/syslog.conf file:
+
+            local0.notice;local0.debug  /usr/spool/mqueue/POPlog
+
+        Create the empty file /usr/spool/mqueue/POPlog.
+
+        Kill and restart the syslogd daemon.
+
+    +   For systems with 4.2 syslogging:
+
+        Be sure that you are logging messages of priority 7 and higher.  
+        For example:
+
+            7/usr/spool/mqueue/syslog
+            9/dev/null
+
+6.  Update /etc/services:
+
+    Add the following line to the /etc/services file:
+
+        pop 110/tcp
+
+    Note:  This is the official port number for version 3 of the
+    Post Office Protocol as defined in RFC 1081.  However, some
+    POP3 clients use port 109, the port number for the previous
+    version (2) of POP.  Therefore you may also want to add the
+    following line to the /etc/services file:
+
+    pop2    109/tcp
+
+    For Sun systems running yp, also do the following:
+
+    +   Change to the /var/yp directory.
+
+    +   Issue the make services command.
+
+7.  Update the inetd daemon configuration.  Include the second line ONLY if you
+    are running the server at both ports.
+
+    +   On BSD 4.3 and SunOS 4.0 systems, add the following line to the 
+        /etc/inetd.conf file:
+
+        pop stream tcp nowait root /usr/etc/popper popper
+        pop2 stream tcp nowait root /usr/etc/popper popper
+
+    +   On Ultrix systems, add the following line to the 
+        /etc/inetd.conf file:
+
+        pop stream tcp nowait /usr/etc/popper popper
+        pop2 stream tcp nowait /usr/etc/popper popper
+
+    +   On SunOS 3.5 systems, add the following line to the 
+        /etc/servers file:
+
+        pop tcp /usr/etc/popper
+        pop2 tcp /usr/etc/popper
+
+        Kill and restart the inetd daemon.
+
+You can confirm that the POP server is running on Unix by telneting to
+port 110 (or 109 if you set it up that way).  For example:
+
+%telnet myhost 110
+Trying...
+Connected to myhost.berkeley.edu.
+Escape character is '^]'.
++OK UCB Pop server (version 1.6) at myhost starting.
+quit
+Connection closed by foreign host.
+
+
+Release Notes
+
+1.83    Make sure that everything we do as root is non-destructive.
+
+1.82	Make the /usr/spool/mail/.userid.pop file owned by the user rather
+	than owned by root.
+
+1.81	There were two versions of 1.7 floating around, 1.7b4 and 1.7b5.
+	The difference is that 1.7b5 attempted to save disk space on 
+	/usr/spool/mail by deleting the users permanent maildrop after
+	making the temporary copy.  Unfortunately, if compiled with 
+	-DDEBUG, this version could easily wipe out a users' mail file.
+	This is now fixed.
+
+	This version also fixes a security hole for systems that have
+	/usr/spool/mail writeable by all users.
+
+	With this version we go to all new SCCS IDs for all files.  This
+	is unfortunate, and we hope it is not too much of a problem.
+
+	Thanks to Steve Dorner of UIUC for pointing out the major problem.
+
+1.7     Extensive re-write of the maildrop processing code contributed by 
+        Viktor Dukhovni <viktor@math.princeton.edu> that greatly reduces the
+        possibility that the maildrop can be corrupted as the result of
+        simultaneous access by two or more processes.
+
+        Added "pop_dropcopy" module to create a temporary maildrop from
+        the existing, standard maildrop as root before the setuid and 
+        setgid for the user is done.  This allows the temporary maildrop
+        to be created in a mail spool area that is not world read-writable.
+
+        This version does *not* send the sendmail "From " delimiter line
+        in response to a TOP or RETR command.
+
+        Encased all debugging code in #ifdef DEBUG constructs.  This code can
+        be included by specifying the DEGUG compiler flag.  Note:  You still
+        need to use the -d or -t option to obtain debugging output.
+
+1.6     Corrects a bug that causes the server to crash on SunOS
+        4.0 systems.
+
+        Uses varargs and vsprintf (if available) in pop_log and
+        pop_msg.  This is enabled by the "HAVE_VSPRINTF"
+        compiler flag.
+
+        For systems with BSD 4.3 bind, performs a cannonical
+        name lookup and searches the returned address(es) for
+        the client's address, logging a warning message if it
+        is not located.  This is enabled by the "BIND43"
+        comiler flag.
+
+        Removed all the includes from popper.h and distributed
+        them throughout the porgrams files, as needed.
+
+        Reformatted the source to convert tabs to spaces and
+        shorten lines for display on 80-column terminals.
+
+1.5     Creates the temporary maildrop with mode "600" and
+        immediately unlinks it.
+
+        Uses client's IP address in lieu of a canonical name if
+        the latter cannot be obtained.
+
+        Added "-t <file-name>" option.  The presence of this
+        option causes debugging output to be placed in the file
+        "file-name" using fprintf instead of the system log
+        file using syslog.
+
+        Corrected maildrop parsing problem.
+
+1.4     Copies user's mail into a temporary maildrop on which
+        all subsequent activity is performed.
+
+        Added "pop_log" function and replaced "syslog" calls
+        throughout the code with it.
+
+1.3     Corrected updating of Status: header line.
+
+        Added strncasecmp for systems that do not have one.
+        Used strncasecmp in all appropriate places.  This is
+        enabled by the STRNCASECMP compiler flag.
+
+1.2     Support for version 4.2 syslogging added.  This is
+        enabled by the SYSLOG42 compiler flag.
+
+1.1     Several bugs fixed.
+
+1.0     Original version.
+
+
+Limitations
+
++   The POP server copies the user's entire maildrop to /tmp and
+    then operates on that copy.  If the maildrop is particularly
+    large, or inadequate space is available in /tmp, then the
+    server will refuse to continue and terminate the connection.
+
++   Simultaneous modification of a single maildrop can result in 
+    confusing results.  For example, manipulating messages in a
+    maildrop using the Unix /usr/ucb/mail command while a copy of
+    it is being processed by the POP server can cause the changes
+    made by one program to be lost when the other terminates.  This
+    problem is being worked on and will be fixed in a later
+    release.
+
+
+Credits
+
+The POP server was written by Edward Moy and Austin Shelton with
+contributions from Robert Campbell (U.C. Berkeley) and Viktor Dukhovni
+(Princeton University).  Edward Moy wrote the HyperMail stack and drew
+the POP operation diagram.  This installation guide was written by
+Austin Shelton.
+
+
+Footnotes
+
+[1] Copyright (c) 1990 Regents of the University of California.
+    All rights reserved.  The Berkeley software License Agreement
+    specifies the terms and conditions for redistribution.  Unix is
+    a registered trademark of AT&T corporation.  HyperCard and
+    Macintosh are registered trademarks of Apple Corporation.
+
+[2] M. Rose, Post Office Protocol - Version 3.  RFC  1081, NIC, 
+    November 1988.
+
+[3] M. Rose, Post Office Protocol - Version 3 Extended Service 
+    Offerings.  RFC 1082, NIC, November 1988.
diff --git a/crypto/heimdal/appl/popper/README-FIRST b/crypto/heimdal/appl/popper/README-FIRST
new file mode 100644
index 0000000..3d78fb6
--- /dev/null
+++ b/crypto/heimdal/appl/popper/README-FIRST
@@ -0,0 +1,11 @@
+This kerberized popper was based on popper-1.831beta
+which was later announced as "offical" and not beta.
+
+This program is able to talk both the pop3 and the kpop3 protocol.
+
+Please note that the server principal is pop.hostname and not
+rcmd.hostname. I.e an additional entry is needed in your mailhub's
+/etc/srvtab. Use ksrvutil to add the extra prinicpal.
+
+The server is usually started from inetd and there is already an entry
+for that in inetd.conf.changes.
diff --git a/crypto/heimdal/appl/popper/README-KRB4 b/crypto/heimdal/appl/popper/README-KRB4
new file mode 100644
index 0000000..f029cf9
--- /dev/null
+++ b/crypto/heimdal/appl/popper/README-KRB4
@@ -0,0 +1,3 @@
+Define KERBEROS if you want support for Kerberos V4 style
+authentification, then you will be able to start a kerberise pop with
+the `-k' flag.
diff --git a/crypto/heimdal/appl/popper/maildir.c b/crypto/heimdal/appl/popper/maildir.c
new file mode 100644
index 0000000..4c9a441
--- /dev/null
+++ b/crypto/heimdal/appl/popper/maildir.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <popper.h>
+#include <dirent.h>
+RCSID("$Id: maildir.c,v 1.5 1999/12/02 16:58:33 joda Exp $");
+
+static void
+make_path(POP *p, MsgInfoList *mp, int new, char *buf, size_t len)
+{
+    snprintf(buf, len, "%s/%s%s%s", p->drop_name, 
+	     new ? "new" : "cur", mp ? "/" : "", mp ? mp->name : "");
+}
+
+static int
+scan_file(POP *p, MsgInfoList *mp)
+{
+    char path[MAXDROPLEN];
+    FILE *f;
+    char buf[1024];
+    int eoh = 0;
+
+    make_path(p, mp, mp->flags & NEW_FLAG, path, sizeof(path));
+    f = fopen(path, "r");
+
+    if(f == NULL) {
+#ifdef DEBUG
+	if(p->debug)
+	    pop_log(p, POP_DEBUG, 
+		    "Failed to open message file `%s': %s", 
+		    path, strerror(errno));
+#endif
+	return pop_msg (p, POP_FAILURE,
+			"Failed to open message file `%s'", path);
+    }
+    while(fgets(buf, sizeof(buf), f)) {
+	if(buf[strlen(buf) - 1] == '\n')
+	    mp->lines++;
+	mp->length += strlen(buf);
+	if(eoh)
+	    continue;
+	if(strcmp(buf, "\n") == 0)
+	    eoh = 1;
+	parse_header(mp, buf);
+    }
+    fclose(f);
+    return add_missing_headers(p, mp);
+}
+
+static int
+scan_dir(POP *p, int new)
+{
+    char tmp[MAXDROPLEN];
+    DIR *dir;
+    struct dirent *dent;
+    MsgInfoList *mp = p->mlp;
+    int n_mp = p->msg_count;
+    int e;
+
+    make_path(p, NULL, new, tmp, sizeof(tmp));
+    mkdir(tmp, 0700);
+    dir = opendir(tmp);
+    while((dent = readdir(dir)) != NULL) {
+	if(strcmp(dent->d_name, ".") == 0 || strcmp(dent->d_name, "..") == 0)
+	    continue;
+	mp = realloc(mp, (n_mp + 1) * sizeof(*mp));
+	if(mp == NULL) {
+	    p->msg_count = 0;
+	    return pop_msg (p, POP_FAILURE,
+			    "Can't build message list for '%s': Out of memory",
+                            p->user);
+	}
+	memset(mp + n_mp, 0, sizeof(*mp));
+	mp[n_mp].name = strdup(dent->d_name);
+	if(mp[n_mp].name == NULL) {
+	    p->msg_count = 0;
+	    return pop_msg (p, POP_FAILURE,
+			    "Can't build message list for '%s': Out of memory",
+                            p->user);
+	}
+	mp[n_mp].number = n_mp + 1;
+	mp[n_mp].flags = 0;
+	if(new)
+	    mp[n_mp].flags |= NEW_FLAG;
+	e = scan_file(p, &mp[n_mp]);
+	if(e != POP_SUCCESS)
+	    return e;
+        p->drop_size += mp[n_mp].length;
+	n_mp++;
+    }
+    closedir(dir);
+    p->mlp = mp;
+    p->msg_count = n_mp;
+    return POP_SUCCESS;
+}
+
+int
+pop_maildir_info(POP *p)
+{
+    int e;
+    
+    p->temp_drop[0] = '\0';
+    p->mlp = NULL;
+    p->msg_count = 0;
+
+    e = scan_dir(p, 0);
+    if(e != POP_SUCCESS) return e;
+
+    e = scan_dir(p, 1);
+    if(e != POP_SUCCESS) return e;
+    return POP_SUCCESS;
+}
+
+int
+pop_maildir_update(POP *p)
+{
+    int i;
+    char tmp1[MAXDROPLEN], tmp2[MAXDROPLEN];
+    for(i = 0; i < p->msg_count; i++) {
+	make_path(p, &p->mlp[i], p->mlp[i].flags & NEW_FLAG, 
+		  tmp1, sizeof(tmp1));
+	if(p->mlp[i].flags & DEL_FLAG) {
+#ifdef DEBUG
+	    if(p->debug)
+		pop_log(p, POP_DEBUG, "Removing `%s'", tmp1);
+#endif
+	    if(unlink(tmp1) < 0) {
+#ifdef DEBUG
+		if(p->debug)
+		    pop_log(p, POP_DEBUG, "Failed to remove `%s': %s", 
+			    tmp1, strerror(errno));
+#endif
+		/* return failure? */
+	    }
+	} else if((p->mlp[i].flags & NEW_FLAG) && 
+		  (p->mlp[i].flags & RETR_FLAG)) {
+	    make_path(p, &p->mlp[i], 0, tmp2, sizeof(tmp2));
+#ifdef DEBUG
+	    if(p->debug)
+		pop_log(p, POP_DEBUG, "Linking `%s' to `%s'", tmp1, tmp2);
+#endif
+	    if(link(tmp1, tmp2) == 0) {
+#ifdef DEBUG
+		if(p->debug)
+		    pop_log(p, POP_DEBUG, "Removing `%s'", tmp1);
+#endif
+		if(unlink(tmp1) < 0) {
+#ifdef DEBUG
+		    if(p->debug)
+			pop_log(p, POP_DEBUG, "Failed to remove `%s'", tmp1);
+#endif
+		    /* return failure? */
+		}
+	    } else {
+		if(errno == EXDEV) {
+#ifdef DEBUG
+		    if(p->debug)
+			pop_log(p, POP_DEBUG, "Trying to rename `%s' to `%s'", 
+				tmp1, tmp2);
+#endif
+		    if(rename(tmp1, tmp2) < 0) {
+#ifdef DEBUG
+		    if(p->debug)
+			pop_log(p, POP_DEBUG, "Failed to rename `%s' to `%s'", 
+				tmp1, tmp2);
+#endif
+		    }
+		}
+	    }
+	}
+    }
+    return(pop_quit(p));
+}
+
+int
+pop_maildir_open(POP *p, MsgInfoList *mp)
+{
+    char tmp[MAXDROPLEN];
+    make_path(p, mp, mp->flags & NEW_FLAG, tmp, sizeof(tmp));
+    if(p->drop)
+	fclose(p->drop);
+    p->drop = fopen(tmp, "r");
+    if(p->drop == NULL)
+	return pop_msg(p, POP_FAILURE, "Failed to open message file");
+    return POP_SUCCESS;
+}
diff --git a/crypto/heimdal/appl/popper/pop3.rfc1081 b/crypto/heimdal/appl/popper/pop3.rfc1081
new file mode 100644
index 0000000..08ea6dd
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop3.rfc1081
@@ -0,0 +1,898 @@
+
+
+
+
+
+
+Network Working Group                                            M. Rose
+Request for Comments: 1081                                           TWG
+                                                           November 1988
+
+                    Post Office Protocol - Version 3
+
+
+Status of this Memo
+
+   This memo suggests a simple method for workstations to dynamically
+   access mail from a mailbox server.  This RFC specifies a proposed
+   protocol for the Internet community, and requests discussion and
+   suggestions for improvements.  Distribution of this memo is
+   unlimited.
+
+   This memo is based on RFC 918 (since revised as RFC 937).  Although
+   similar in form to the original Post Office Protocol (POP) proposed
+   for the Internet community, the protocol discussed in this memo is
+   similar in spirit to the ideas investigated by the MZnet project at
+   the University of California, Irvine.
+
+   Further, substantial work was done on examining POP in a PC-based
+   environment.  This work, which resulted in additional functionality
+   in this protocol, was performed by the ACIS Networking Systems Group
+   at Stanford University.  The author gratefully acknowledges their
+   interest.
+
+Introduction
+
+   On certain types of smaller nodes in the Internet it is often
+   impractical to maintain a message transport system (MTS).  For
+   example, a workstation may not have sufficient resources (cycles,
+   disk space) in order to permit a SMTP server and associated local
+   mail delivery system to be kept resident and continuously running.
+   Similarly, it may be expensive (or impossible) to keep a personal
+   computer interconnected to an IP-style network for long amounts of
+   time (the node is lacking the resource known as "connectivity").
+
+   Despite this, it is often very useful to be able to manage mail on
+   these smaller nodes, and they often support a user agent (UA) to aid
+   the tasks of mail handling.  To solve this problem, a node which can
+   support an MTS entity offers a maildrop service to these less endowed
+   nodes.  The Post Office Protocol - Version 3 (POP3) is intended to
+   permit a workstation to dynamically access a maildrop on a server
+   host in a useful fashion.  Usually, this means that the POP3 is used
+   to allow a workstation to retrieve mail that the server is holding
+   for it.
+
+
+
+
+Rose                                                            [Page 1]
+
+RFC 1081                          POP3                     November 1988
+
+
+   For the remainder of this memo, the term "client host" refers to a
+   host making use of the POP3 service, while the term "server host"
+   refers to a host which offers the POP3 service.
+
+A Short Digression
+
+   This memo does not specify how a client host enters mail into the
+   transport system, although a method consistent with the philosophy of
+   this memo is presented here:
+
+      When the user agent on a client host wishes to enter a message
+      into the transport system, it establishes an SMTP connection to
+      its relay host (this relay host could be, but need not be, the
+      POP3 server host for the client host).
+
+   If this method is followed, then the client host appears to the MTS
+   as a user agent, and should NOT be regarded as a "trusted" MTS entity
+   in any sense whatsoever.  This concept, along with the role of the
+   POP3 as a part of a split-UA model is discussed later in this memo.
+
+   Initially, the server host starts the POP3 service by listening on
+   TCP port 110.  When a client host wishes to make use of the service,
+   it establishes a TCP connection with the server host.  When the
+   connection is established, the POP3 server sends a greeting.  The
+   client and POP3 server then exchange commands and responses
+   (respectively) until the connection is closed or aborted.
+
+   Commands in the POP3 consist of a keyword possibly followed by an
+   argument.  All commands are terminated by a CRLF pair.
+
+   Responses in the POP3 consist of a success indicator and a keyword
+   possibly followed by additional information.  All responses are
+   terminated by a CRLF pair.  There are currently two success
+   indicators: positive ("+OK") and negative ("-ERR").
+
+   Responses to certain commands are multi-line.  In these cases, which
+   are clearly indicated below, after sending the first line of the
+   response and a CRLF, any additional lines are sent, each terminated
+   by a CRLF pair.  When all lines of the response have been sent, a
+   final line is sent, consisting of a termination octet (decimal code
+   046, ".") and a CRLF pair.  If any line of the multi-line response
+   begins with the termination octet, the line is "byte-stuffed" by
+   pre-pending the termination octet to that line of the response.
+   Hence a multi-line response is terminated with the five octets
+   "CRLF.CRLF".  When examining a multi-line response, the client checks
+   to see if the line begins with the termination octet.  If so and if
+   octets other than CRLF follow, the the first octet of the line (the
+   termination octet) is stripped away.  If so and if CRLF immediately
+
+
+
+Rose                                                            [Page 2]
+
+RFC 1081                          POP3                     November 1988
+
+
+   follows the termination character, then the response from the POP
+   server is ended and the line containing ".CRLF" is not considered
+   part of the multi-line response.
+
+   A POP3 session progresses through a number of states during its
+   lifetime.  Once the TCP connection has been opened and the POP3
+   server has sent the greeting, the session enters the AUTHORIZATION
+   state.  In this state, the client must identify itself to the POP3
+   server.  Once the client has successfully done this, the server
+   acquires resources associated with the client's maildrop, and the
+   session enters the TRANSACTION state.  In this state, the client
+   requests actions on the part of the POP3 server.  When the client has
+   finished its transactions, the session enters the UPDATE state.  In
+   this state, the POP3 server releases any resources acquired during
+   the TRANSACTION state and says goodbye.  The TCP connection is then
+   closed.
+
+The AUTHORIZATION State
+
+   Once the TCP connection has been opened by a POP3 client, the POP3
+   server issues a one line greeting.  This can be any string terminated
+   by CRLF.  An example might be:
+
+      S.  +OK dewey POP3 server ready (Comments to: PostMaster@UDEL.EDU)
+
+   Note that this greeting is a POP3 reply.  The POP3 server should
+   always give a positive response as the greeting.
+
+   The POP3 session is now in the AUTHORIZATION state.  The client must
+   now issue the USER command.  If the POP3 server responds with a
+   positive success indicator ("+OK"), then the client may issue either
+   the PASS command to complete the authorization, or the QUIT command
+   to terminate the POP3 session.  If the POP3 server responds with a
+   negative success indicator ("-ERR") to the USER command, then the
+   client may either issue a new USER command or may issue the QUIT
+   command.
+
+   When the client issues the PASS command, the POP3 server uses the
+   argument pair from the USER and PASS commands to determine if the
+   client should be given access to the appropriate maildrop.  If so,
+   the POP3 server then acquires an exclusive-access lock on the
+   maildrop.  If the lock is successfully acquired, the POP3 server
+   parses the maildrop into individual messages (read note below),
+   determines the last message (if any) present in the maildrop that was
+   referenced by the RETR command, and responds with a positive success
+   indicator.  The POP3 session now enters the TRANSACTION state.  If
+   the lock can not be acquired or the client should is denied access to
+   the appropriate maildrop or the maildrop can't be parsed for some
+
+
+
+Rose                                                            [Page 3]
+
+RFC 1081                          POP3                     November 1988
+
+
+   reason, the POP3 server responds with a negative success indicator.
+   (If a lock was acquired but the POP3 server intends to respond with a
+   negative success indicator, the POP3 server must release the lock
+   prior to rejecting the command.)  At this point, the client may
+   either issue a new USER command and start again, or the client may
+   issue the QUIT command.
+
+                 NOTE: Minimal implementations of the POP3 need only be
+                 able to break a maildrop into its component messages;
+                 they need NOT be able to parse individual messages.
+                 More advanced implementations may wish to have this
+                 capability, for reasons discussed later.
+
+   After the POP3 server has parsed the maildrop into individual
+   messages, it assigns a message-id to each message, and notes the size
+   of the message in octets.  The first message in the maildrop is
+   assigned a message-id of "1", the second is assigned "2", and so on,
+   so that the n'th message in a maildrop is assigned a message-id of
+   "n".  In POP3 commands and responses, all message-id's and message
+   sizes are expressed in base-10 (i.e., decimal).
+
+   It sets the "highest number accessed" to be that of the last message
+   referenced by the RETR command.
+
+   Here are summaries for the three POP3 commands discussed thus far:
+
+           USER name
+               Arguments: a server specific user-id (required)
+               Restrictions: may only be given in the AUTHORIZATION
+                   state after the POP3 greeting or after an
+                   unsuccessful USER or PASS command
+               Possible Responses:
+                   +OK name is welcome here
+                   -ERR never heard of name
+               Examples:
+                   C:    USER mrose
+                   S:    +OK mrose is a real hoopy frood
+                     ...
+                   C:    USER frated
+                   S:    -ERR sorry, frated doesn't get his mail here
+
+           PASS string
+               Arguments: a server/user-id specific password (required)
+               Restrictions: may only be given in the AUTHORIZATION
+                   state after a successful USER command
+               Possible Responses:
+                   +OK maildrop locked and ready
+                   -ERR invalid password
+
+
+
+Rose                                                            [Page 4]
+
+RFC 1081                          POP3                     November 1988
+
+
+                   -ERR unable to lock maildrop
+               Examples:
+                   C:    USER mrose
+                   S:    +OK mrose is a real hoopy frood
+                   C:    PASS secret
+                   S:    +OK mrose's maildrop has 2 messages
+                         (320 octets)
+                     ...
+                   C:    USER mrose
+                   S:    +OK mrose is a real hoopy frood
+                   C:    PASS secret
+                   S:    -ERR unable to lock mrose's maildrop, file
+                         already locked
+
+           QUIT
+               Arguments: none
+               Restrictions: none
+               Possible Responses:
+                   +OK
+               Examples:
+                   C:    QUIT
+                   S:    +OK dewey POP3 server signing off
+
+
+The TRANSACTION State
+
+   Once the client has successfully identified itself to the POP3 server
+   and the POP3 server has locked and burst the appropriate maildrop,
+   the POP3 session is now in the TRANSACTION state.  The client may now
+   issue any of the following POP3 commands repeatedly.  After each
+   command, the POP3 server issues a response.  Eventually, the client
+   issues the QUIT command and the POP3 session enters the UPDATE state.
+
+   Here are the POP3 commands valid in the TRANSACTION state:
+
+           STAT
+               Arguments: none
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 The POP3 server issues a positive response with a line
+                 containing information for the maildrop.  This line is
+                 called a "drop listing" for that maildrop.
+
+                 In order to simplify parsing, all POP3 servers are
+                 required to use a certain format for drop listings.
+                 The first octets present must indicate the number of
+                 messages in the maildrop.  Following this is the size
+
+
+
+Rose                                                            [Page 5]
+
+RFC 1081                          POP3                     November 1988
+
+
+                 of the maildrop in octets.  This memo makes no
+                 requirement on what follows the maildrop size.
+                 Minimal implementations should just end that line of
+                 the response with a CRLF pair.  More advanced
+                 implementations may include other information.
+
+                      NOTE: This memo STRONGLY discourages
+                      implementations from supplying additional
+                      information in the drop listing.  Other,
+                      optional, facilities are discussed later on
+                      which permit the client to parse the messages
+                      in the maildrop.
+
+                 Note that messages marked as deleted are not counted in
+                 either total.
+
+               Possible Responses:
+                   +OK nn mm
+               Examples:
+                   C:    STAT
+                   S:    +OK 2 320
+
+           LIST [msg]
+               Arguments: a message-id (optionally)  If a message-id is
+                   given, it may NOT refer to a message marked as
+                   deleted.
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 If an argument was given and the POP3 server issues a
+                 positive response with a line containing information
+                 for that message.  This line is called a "scan listing"
+                 for that message.
+
+                 If no argument was given and the POP3 server issues a
+                 positive response, then the response given is
+                 multi-line.  After the initial +OK, for each message
+                 in the maildrop, the POP3 server responds with a line
+                 containing information for that message.  This line
+                 is called a "scan listing" for that message.
+
+                 In order to simplify parsing, all POP3 servers are
+                 required to use a certain format for scan listings.
+                 The first octets present must be the message-id of
+                 the message.  Following the message-id is the size of
+                 the message in octets.  This memo makes no requirement
+                 on what follows the message size in the scan listing.
+                 Minimal implementations should just end that line of
+
+
+
+Rose                                                            [Page 6]
+
+RFC 1081                          POP3                     November 1988
+
+
+                 the response with a CRLF pair.  More advanced
+                 implementations may include other information, as
+                 parsed from the message.
+
+                      NOTE: This memo STRONGLY discourages
+                      implementations from supplying additional
+                      information in the scan listing.  Other, optional,
+                      facilities are discussed later on which permit
+                      the client to parse the messages in the maildrop.
+
+                 Note that messages marked as deleted are not listed.
+
+               Possible Responses:
+                   +OK scan listing follows
+                   -ERR no such message
+               Examples:
+                   C:    LIST
+                   S:    +OK 2 messages (320 octets)
+                   S:    1 120
+                   S:    2 200
+                   S:    .
+                     ...
+                   C:    LIST 2
+                   S:    +OK 2 200
+                     ...
+                   C:    LIST 3
+                   S:    -ERR no such message, only 2 messages in
+                         maildrop
+
+           RETR msg
+               Arguments: a message-id (required)  This message-id may
+                   NOT refer to a message marked as deleted.
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 If the POP3 server issues a positive response, then the
+                 response given is multi-line.  After the initial +OK,
+                 the POP3 server sends the message corresponding to the
+                 given message-id, being careful to byte-stuff the
+                 termination character (as with all multi-line
+                 responses).
+
+                 If the number associated with this message is higher
+                 than the "highest number accessed" in the maildrop, the
+                 POP3 server updates the "highest number accessed" to
+                 the number associated with this message.
+
+
+
+
+
+Rose                                                            [Page 7]
+
+RFC 1081                          POP3                     November 1988
+
+
+               Possible Responses:
+                   +OK message follows
+                   -ERR no such message
+               Examples:
+                   C:    RETR 1
+                   S:    +OK 120 octets
+                   S:    <the POP3 server sends the entire message here>
+                   S:    .
+
+           DELE msg
+               Arguments: a message-id (required)  This message-id
+                   may NOT refer to a message marked as deleted.
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 The POP3 server marks the message as deleted.  Any
+                 future reference to the message-id associated with the
+                 message in a POP3 command generates an error.  The POP3
+                 server does not actually delete the message until the
+                 POP3 session enters the UPDATE state.
+
+                 If the number associated with this message is higher
+                 than the "highest number accessed" in the maildrop,
+                 the POP3 server updates the "highest number accessed"
+                 to the number associated with this message.
+
+               Possible Responses:
+                   +OK message deleted
+                   -ERR no such message
+               Examples:
+                   C:    DELE 1
+                   S:    +OK message 1 deleted
+                     ...
+                   C:    DELE 2
+                   S:    -ERR message 2 already deleted
+
+           NOOP
+               Arguments: none
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 The POP3 server does nothing, it merely replies with a
+                 positive response.
+
+               Possible Responses:
+                   +OK
+
+
+
+
+
+Rose                                                            [Page 8]
+
+RFC 1081                          POP3                     November 1988
+
+
+               Examples:
+                   C:    NOOP
+                   S:    +OK
+
+           LAST
+               Arguments: none
+               Restrictions: may only be issued in the TRANSACTION state.
+               Discussion:
+
+                 The POP3 server issues a positive response with a line
+                 containing the highest message number which accessed.
+                 Zero is returned in case no message in the maildrop has
+                 been accessed during previous transactions.  A client
+                 may thereafter infer that messages, if any, numbered
+                 greater than the response to the LAST command are
+                 messages not yet accessed by the client.
+
+             Possible Response:
+                   +OK nn
+
+             Examples:
+                   C:      STAT
+                   S:      +OK 4 320
+                   C:      LAST
+                   S:      +OK 1
+                   C:      RETR 3
+                   S:      +OK 120 octets
+                   S:      <the POP3 server sends the entire message
+                           here>
+                   S:      .
+                   C:      LAST
+                   S:      +OK 3
+                   C:      DELE 2
+                   S:      +OK message 2 deleted
+                   C:      LAST
+                   S:      +OK 3
+                   C:      RSET
+                   S:      +OK
+                   C:      LAST
+                   S:      +OK 1
+
+           RSET
+               Arguments: none
+               Restrictions: may only be given in the TRANSACTION
+                   state.
+               Discussion:
+
+                 If any messages have been marked as deleted by the POP3
+
+
+
+Rose                                                            [Page 9]
+
+RFC 1081                          POP3                     November 1988
+
+
+                 server, they are unmarked.  The POP3 server then
+                 replies with a positive response.  In addition, the
+                 "highest number accessed" is also reset to the value
+                 determined at the beginning of the POP3 session.
+
+               Possible Responses:
+                   +OK
+               Examples:
+                   C:    RSET
+                   S:    +OK maildrop has 2 messages (320 octets)
+
+
+
+The UPDATE State
+
+   When the client issues the QUIT command from the TRANSACTION state,
+   the POP3 session enters the UPDATE state.  (Note that if the client
+   issues the QUIT command from the AUTHORIZATION state, the POP3
+   session terminates but does NOT enter the UPDATE state.)
+
+           QUIT
+               Arguments: none
+               Restrictions: none
+               Discussion:
+
+                 The POP3 server removes all messages marked as deleted
+                 from the maildrop.  It then releases the
+                 exclusive-access lock on the maildrop and replies as
+                 to the success of
+                 these operations.  The TCP connection is then closed.
+
+               Possible Responses:
+                   +OK
+               Examples:
+                   C:    QUIT
+                   S:    +OK dewey POP3 server signing off (maildrop
+                         empty)
+                     ...
+                   C:    QUIT
+                   S:    +OK dewey POP3 server signing off (2 messages
+                         left)
+                     ...
+
+
+Optional POP3 Commands
+
+   The POP3 commands discussed above must be supported by all minimal
+   implementations of POP3 servers.
+
+
+
+Rose                                                           [Page 10]
+
+RFC 1081                          POP3                     November 1988
+
+
+   The optional POP3 commands described below permit a POP3 client
+   greater freedom in message handling, while preserving a simple POP3
+   server implementation.
+
+                 NOTE: This memo STRONGLY encourages implementations to
+                 support these commands in lieu of developing augmented
+                 drop and scan listings.  In short, the philosophy of
+                 this memo is to put intelligence in the part of the
+                 POP3 client and not the POP3 server.
+
+           TOP msg n
+               Arguments: a message-id (required) and a number.  This
+                   message-id may NOT refer to a message marked as
+                   deleted.
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 If the POP3 server issues a positive response, then
+                 the response given is multi-line.  After the initial
+                 +OK, the POP3 server sends the headers of the message,
+                 the blank line separating the headers from the body,
+                 and then the number of lines indicated message's body,
+                 being careful to byte-stuff the termination character
+                 (as with all multi-line responses).
+
+                 Note that if the number of lines requested by the POP3
+                 client is greater than than the number of lines in the
+                 body, then the POP3 server sends the entire message.
+
+               Possible Responses:
+                   +OK top of message follows
+                   -ERR no such message
+               Examples:
+                   C:    TOP 10
+                   S:    +OK
+                   S:    <the POP3 server sends the headers of the
+                          message, a blank line, and the first 10 lines
+                          of the body of the message>
+                   S:    .
+                     ...
+                   C:    TOP 100
+                   S:    -ERR no such message
+
+           RPOP user
+               Arguments: a client specific user-id (required)
+               Restrictions: may only be given in the AUTHORIZATION
+                   state after a successful USER command; in addition,
+                   may only be given if the client used a reserved
+
+
+
+Rose                                                           [Page 11]
+
+RFC 1081                          POP3                     November 1988
+
+
+                   (privileged) TCP port to connect to the server.
+               Discussion:
+
+                 The RPOP command may be used instead of the PASS
+                 command to authenticate access to the maildrop.  In
+                 order for this command to be successful, the POP3
+                 client must use a reserved TCP port (port < 1024) to
+                 connect tothe server.  The POP3 server uses the
+                 argument pair from the USER and RPOP commands to
+                 determine if the client should be given access to
+                 the appropriate maildrop.  Unlike the PASS command
+                 however, the POP3 server considers if the remote user
+                 specified by the RPOP command who resides on the POP3
+                 client host is allowed to access the maildrop for the
+                 user specified by the USER command (e.g., on Berkeley
+                 UNIX, the .rhosts mechanism is used).  With the
+                 exception of this differing in authentication, this
+                 command is identical to the PASS command.
+
+                 Note that the use of this feature has allowed much wider
+                 penetration into numerous hosts on local networks (and
+                 sometimes remote networks) by those who gain illegal
+                 access to computers by guessing passwords or otherwise
+                 breaking into the system.
+
+               Possible Responses:
+                   +OK maildrop locked and ready
+                   -ERR permission denied
+               Examples:
+                   C:    USER mrose
+                   S:    +OK mrose is a real hoopy frood
+                   C:    RPOP mrose
+                   S:    +OK mrose's maildrop has 2 messages (320
+                         octets)
+
+       Minimal POP3 Commands:
+           USER name               valid in the AUTHORIZATION state
+           PASS string
+           QUIT
+
+           STAT                    valid in the TRANSACTION state
+           LIST [msg]
+           RETR msg
+           DELE msg
+           NOOP
+           LAST
+           RSET
+
+
+
+
+Rose                                                           [Page 12]
+
+RFC 1081                          POP3                     November 1988
+
+
+           QUIT                    valid in the UPDATE state
+
+       Optional POP3 Commands:
+           RPOP user               valid in the AUTHORIZATION state
+
+           TOP msg n               valid in the TRANSACTION state
+
+       POP3 Replies:
+           +OK
+           -ERR
+
+       Note that with the exception of the STAT command, the reply given
+       by the POP3 server to any command is significant only to "+OK"
+       and "-ERR".  Any text occurring after this reply may be ignored
+       by the client.
+
+Example POP3 Session
+
+    S: <wait for connection on TCP port 110>
+        ...
+    C: <open connection>
+    S:    +OK dewey POP3 server ready (Comments to: PostMaster@UDEL.EDU)
+    C:    USER mrose
+    S:    +OK mrose is a real hoopy frood
+    C:    PASS secret
+    S:    +OK mrose's maildrop has 2 messages (320 octets)
+    C:    STAT
+    S:    +OK 2 320
+    C:    LIST
+    S:    +OK 2 messages (320 octets)
+    S:    1 120
+    S:    2 200
+    S:    .
+    C:    RETR 1
+    S:    +OK 120 octets
+    S:    <the POP3 server sends message 1>
+    S:    .
+    C:    DELE 1
+    S:    +OK message 1 deleted
+    C:    RETR 2
+    S:    +OK 200 octets
+    S:    <the POP3 server sends message 2>
+    S:    .
+    C:    DELE 2
+    S:    +OK message 2 deleted
+    C:    QUIT
+
+
+
+
+
+Rose                                                           [Page 13]
+
+RFC 1081                          POP3                     November 1988
+
+
+    S:    +OK dewey POP3 server signing off (maildrop empty)
+    C:  <close connection>
+    S:  <wait for next connection>
+
+Message Format
+
+   All messages transmitted during a POP3 session are assumed to conform
+   to the standard for the format of Internet text messages [RFC822].
+
+   It is important to note that the byte count for a message on the
+   server host may differ from the octet count assigned to that message
+   due to local conventions for designating end-of-line.  Usually,
+   during the AUTHORIZATION state of the POP3 session, the POP3 client
+   can calculate the size of each message in octets when it parses the
+   maildrop into messages.  For example, if the POP3 server host
+   internally represents end-of-line as a single character, then the
+   POP3 server simply counts each occurrence of this character in a
+   message as two octets.  Note that lines in the message which start
+   with the termination octet need not be counted twice, since the POP3
+   client will remove all byte-stuffed termination characters when it
+   receives a multi-line response.
+
+The POP and the Split-UA model
+
+   The underlying paradigm in which the POP3 functions is that of a
+   split-UA model.  The POP3 client host, being a remote PC based
+   workstation, acts solely as a client to the message transport system.
+   It does not provide delivery/authentication services to others.
+   Hence, it is acting as a UA, on behalf of the person using the
+   workstation.  Furthermore, the workstation uses SMTP to enter mail
+   into the MTS.
+
+   In this sense, we have two UA functions which interface to the
+   message transport system: Posting (SMTP) and Retrieval (POP3).  The
+   entity which supports this type of environment is called a split-UA
+   (since the user agent is split between two hosts which must
+   interoperate to provide these functions).
+
+                 ASIDE:  Others might term this a remote-UA instead.
+                 There are arguments supporting the use of both terms.
+
+   This memo has explicitly referenced TCP as the underlying transport
+   agent for the POP3.  This need not be the case.  In the MZnet split-
+   UA, for example, personal micro-computer systems are used which do
+   not have IP-style networking capability.  To connect to the POP3
+   server host, a PC establishes a terminal connection using some simple
+   protocol (PhoneNet).  A program on the PC drives the connection,
+   first establishing a login session as a normal user.  The login shell
+
+
+
+Rose                                                           [Page 14]
+
+RFC 1081                          POP3                     November 1988
+
+
+   for this pseudo-user is a program which drives the other half of the
+   terminal protocol and communicates with one of two servers.  Although
+   MZnet can support several PCs, a single pseudo-user login is present
+   on the server host.  The user-id and password for this pseudo-user
+   login is known to all members of MZnet.  Hence, the first action of
+   the login shell, after starting the terminal protocol, is to demand a
+   USER/PASS authorization pair from the PC.  This second level of
+   authorization is used to ascertain who is interacting with the MTS.
+   Although the server host is deemed to support a "trusted" MTS entity,
+   PCs in MZnet are not.  Naturally, the USER/PASS authorization pair
+   for a PC is known only to the owner of the PC (in theory, at least).
+
+   After successfully verifying the identity of the client, a modified
+   SMTP server is started, and the PC posts mail with the server host.
+   After the QUIT command is given to the SMTP server and it terminates,
+   a modified POP3 server is started, and the PC retrieves mail from the
+   server host.  After the QUIT command is given to the POP3 server and
+   it terminates, the login shell for the pseudo-user terminates the
+   terminal protocol and logs the job out.  The PC then closes the
+   terminal connection to the server host.
+
+   The SMTP server used by MZnet is modified in the sense that it knows
+   that it's talking to a user agent and not a "trusted" entity in the
+   message transport system.  Hence, it does performs the validation
+   activities normally performed by an entity in the MTS when it accepts
+   a message from a UA.
+
+   The POP3 server used by MZnet is modified in the sense that it does
+   not require a USER/PASS combination before entering the TRANSACTION
+   state.  The reason for this (of course) is that the PC has already
+   identified itself during the second-level authorization step
+   described above.
+
+                 NOTE: Truth in advertising laws require that the author
+                 of this memo state that MZnet has not actually been
+                 fully implemented.  The concepts presented and proven
+                 by the project led to the notion of the MZnet
+                 split-slot model.  This notion has inspired the
+                 split-UA concept described in this memo, led to the
+                 author's interest in the POP, and heavily influenced
+                 the the description of the POP3 herein.
+
+   In fact, some UAs present in the Internet already support the notion
+   of posting directly to an SMTP server and retrieving mail directly
+   from a POP server, even if the POP server and client resided on the
+   same host!
+
+                 ASIDE: this discussion raises an issue which this memo
+
+
+
+Rose                                                           [Page 15]
+
+RFC 1081                          POP3                     November 1988
+
+
+                 purposedly avoids: how does SMTP know that it's talking
+                 to a "trusted" MTS entity?
+
+References
+
+     [MZnet]   Stefferud, E., J. Sweet, and T. Domae, "MZnet: Mail
+               Service for Personal Micro-Computer Systems",
+               Proceedings, IFIP 6.5 International Conference on
+               Computer Message Systems, Nottingham, U.K., May 1984.
+
+     [RFC821]  Postel, J., "Simple Mail Transfer Protocol",
+               USC/Information Sciences Institute, August 1982.
+
+     [RFC822]  Crocker, D., "Standard for the Format of ARPA-Internet
+               Text Messages", University of Delaware, August 1982.
+
+     [RFC937]  Butler, M., J. Postel, D. Chase, J. Goldberger, and J.
+               Reynolds, "Post Office Protocol - Version 2", RFC 937,
+               USC/Information Sciences Institute, February 1985.
+
+     [RFC1010] Reynolds, J., and J. Postel, "Assigned Numbers", RFC
+               1010, USC/Information Sciences Institute, May 1987.
+
+Author's Address:
+
+
+   Marshall Rose
+   The Wollongong Group
+   1129 San Antonio Rd.
+   Palo Alto, California 94303
+
+   Phone: (415) 962-7100
+
+   Email: MRose@TWG.COM
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rose                                                           [Page 16]
diff --git a/crypto/heimdal/appl/popper/pop3e.rfc1082 b/crypto/heimdal/appl/popper/pop3e.rfc1082
new file mode 100644
index 0000000..ac49448
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop3e.rfc1082
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group                                            M. Rose
+Request for Comments: 1082                                           TWG
+                                                           November 1988
+
+
+
+                    Post Office Protocol - Version 3
+                       Extended Service Offerings
+
+Status of This Memo
+
+   This memo suggests a simple method for workstations to dynamically
+   access mail from a discussion group server, as an extension to an
+   earlier memo which dealt with dynamically accessing mail from a
+   mailbox server using the Post Office Protocol -  Version 3 (POP3).
+   This RFC specifies a proposed protocol for the Internet community,
+   and requests discussion and suggestions for improvements.  All of the
+   extensions described in this memo to the POP3 are OPTIONAL.
+   Distribution of this memo is unlimited.
+
+Introduction and Motivation
+
+   It is assumed that the reader is familiar with RFC 1081 that
+   discusses the Post Office Protocol - Version 3 (POP3) [RFC1081].
+   This memo describes extensions to the POP3 which enhance the service
+   it offers to clients.  This additional service permits a client host
+   to access discussion group mail, which is often kept in a separate
+   spool area, using the general POP3 facilities.
+
+   The next section describes the evolution of discussion groups and the
+   technologies currently used to implement them.  To summarize:
+
+       o An exploder is used to map from a single address to
+       a list of addresses which subscribe to the list, and redirects
+       any subsequent error reports associated with the delivery of
+       each message.  This has two primary advantages:
+             - Subscribers need know only a single address
+             - Responsible parties get the error reports and not
+               the subscribers
+
+
+
+
+
+
+
+
+
+
+
+
+Rose                                                            [Page 1]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+       o Typically, each subscription address is not a person's private
+       maildrop, but a system-wide maildrop, which can be accessed
+       by more than one user.  This has several advantages:
+             - Only a single copy of each message need traverse the
+               net for a given site (which may contain several local
+               hosts).  This conserves bandwidth and cycles.
+             - Only a single copy of each message need reside on each
+               subscribing host.  This conserves disk space.
+             - The private maildrop for each user is not cluttered
+               with discussion group mail.
+
+   Despite this optimization of resources, further economy can be
+   achieved at sites with more than one host.  Typically, sites with
+   more than one host either:
+
+        1.  Replicate discussion group mail on each host.  This
+        results in literally gigabytes of disk space committed to
+        unnecessarily store redundant information.
+
+        2.  Keep discussion group mail on one host and give all users a
+        login on that host (in addition to any other logins they may
+        have).  This is usually a gross inconvenience for users who
+        work on other hosts, or a burden to users who are forced to
+        work on that host.
+
+   As discussed in [RFC1081], the problem of giving workstations dynamic
+   access to mail from a mailbox server has been explored in great
+   detail (originally there was [RFC918], this prompted the author to
+   write [RFC1081], independently of this [RFC918] was upgraded to
+   [RFC937]).  A natural solution to the problem outlined above is to
+   keep discussion group mail on a mailbox server at each site and
+   permit different hosts at that site to employ the POP3 to access
+   discussion group mail.  If implemented properly, this avoids the
+   problems of both strategies outlined above.
+
+        ASIDE:     It might be noted that a good distributed filesystem
+                   could also solve this problem.  Sadly, "good"
+                   distributed filesystems, which do not suffer
+                   unacceptable response time for interactive use, are
+                   few and far between these days!
+
+   Given this motivation, now let's consider discussion groups, both in
+   general and from the point of view of a user agent.  Following this,
+   extensions to the POP3 defined in [RFC1081] are presented.  Finally,
+   some additional policy details are discussed along with some initial
+   experiences.
+
+
+
+
+
+Rose                                                            [Page 2]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+What's in a Discussion Group
+
+   Since mailers and user agents first crawled out of the primordial
+   ARPAnet, the value of discussion groups have been appreciated,
+   (though their implementation has not always been well-understood).
+
+   Described simply, a discussion group is composed of a number of
+   subscribers with a common interest.  These subscribers post mail to a
+   single address, known as a distribution address.  From this
+   distribution address, a copy of the message is sent to each
+   subscriber.  Each group has a moderator, which is the person that
+   administrates the group.  The moderator can usually be reached at a
+   special address, known as a request address.  Usually, the
+   responsibilities of the moderator are quite simple, since the mail
+   system handles the distribution to subscribers automatically.  In
+   some cases, the interest group, instead of being distributed directly
+   to its subscribers, is put into a digest format by the moderator and
+   then sent to the subscribers.  Although this requires more work on
+   the part of the moderator, such groups tend to be better organized.
+
+   Unfortunately, there are a few problems with the scheme outlined
+   above.  First, if two users on the same host subscribe to the same
+   interest group, two copies of the message get delivered.  This is
+   wasteful of both processor and disk resources.
+
+   Second, some of these groups carry a lot of traffic.  Although
+   subscription to an group does indicate interest on the part of a
+   subscriber, it is usually not interesting to get 50 messages or so
+   delivered to the user's private maildrop each day, interspersed with
+   personal mail, that is likely to be of a much more important and
+   timely nature.
+
+   Third, if a subscriber on the distribution list for a group becomes
+   "bad" somehow, the originator of the message and not the moderator of
+   the group is notified.  It is not uncommon for a large list to have
+   10 or so bogus addresses present.  This results in the originator
+   being flooded with "error messages" from mailers across the Internet
+   stating that a given address on the list was bad.  Needless to say,
+   the originator usually could not care less if the bogus addresses got
+   a copy of the message or not.  The originator is merely interested in
+   posting a message to the group at large.  Furthermore, the moderator
+   of the group does care if there are bogus addresses on the list, but
+   ironically does not receive notification.
+
+   There are various approaches which can be used to solve some or all
+   of these problems.  Usually these involve placing an exploder agent
+   at the distribution source of the discussion group, which expands the
+   name of the group into the list of subscription addresses for the
+
+
+
+Rose                                                            [Page 3]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   group.  In the process, the exploder will also change the address
+   that receives error notifications to be the request address or other
+   responsible party.
+
+   A complementary approach, used in order to cut down on resource
+   utilization of all kinds, replaces all the subscribers at a single
+   host (or group of hosts under a single administration) with a single
+   address at that host.  This address maps to a file on the host,
+   usually in a spool area, which all users can access.  (Advanced
+   implementations can also implement private discussion groups this
+   way, in which a single copy of each message is kept, but is
+   accessible to only a select number of users on the host.)
+
+   The two approaches can be combined to avoid all of the problems
+   described above.
+
+   Finally, a third approach can be taken, which can be used to aid user
+   agents processing mail for the discussion group:  In order to speed
+   querying of the maildrop which contains the local host's copy of the
+   discussion group, two other items are usually associated with the
+   discussion group, on a local basis.  These are the maxima and the
+   last-date.  Each time a message is received for the group on the
+   local host, the maxima is increased by at least one.  Furthermore,
+   when a new maxima is generated, the current date is determined.  This
+   is called the last date.  As the message is entered into the local
+   maildrop, it is given the current maxima and last-date.  This permits
+   the user agent to quickly determine if new messages are present in
+   the maildrop.
+
+       NOTE:      The maxima may be characterized as a monotonically
+                  increasing quanity.  Although sucessive values of the
+                  maxima need not be consecutive, any maxima assigned
+                  is always greater than any previously assigned value.
+
+Definition of Terms
+
+   To formalize these notions somewhat, consider the following 7
+   parameters which describe a given discussion group from the
+   perspective of the user agent (the syntax given is from [RFC822]):
+
+
+
+
+
+
+
+
+
+
+
+
+Rose                                                            [Page 4]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+         NAME            Meaning: the name of the discussion group
+                         Syntax:  TOKEN (ALPHA *[ ALPHA / DIGIT / "-" ])
+                                  (case-insensitive recognition)
+                         Example: unix-wizards
+
+         ALIASES         Meaning: alternates names for the group, which
+                                  are locally meaningful; these are
+                                  typically used to shorten user typein
+                         Syntax:  TOKEN (case-insensitive recognition)
+                         Example: uwiz
+
+         ADDRESS         Meaning: the primary source of the group
+                         Syntax:  822 address
+                         Example: Unix-Wizards@BRL.MIL
+
+         REQUEST         Meaning: the primary moderator of the group
+                         Syntax:  822 address
+                         Example: Unix-Wizards-Request@BRL.MIL
+
+         FLAGS           Meaning: locally meaningful flags associated
+                                  with the discussion group; this memo
+                                  leaves interpretation of this
+                                  parameter to each POP3 implementation
+                         Syntax:  octal number
+                         Example: 01
+
+         MAXIMA          Meaning: the magic cookie associated with the
+                                  last message locally received for the
+                                  group; it is the property of the magic
+                                  cookie that it's value NEVER
+                                  decreases, and increases by at least
+                                  one each time a message is locally
+                                  received
+                         Syntax:  decimal number
+                         Example: 1004
+
+         LASTDATE        Meaning: the date that the last message was
+                                  locally received
+                         Syntax:  822 date
+                         Example: Thu, 19 Dec 85 10:26:48 -0800
+
+   Note that the last two values are locally determined for the maildrop
+   associated with the discussion group and with each message in that
+   maildrop.  Note however that the last message in the maildrop have a
+   different MAXIMA and LASTDATE than the discussion group.  This often
+   occurs when the maildrop has been archived.
+
+
+
+
+
+Rose                                                            [Page 5]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   Finally, some local systems provide mechanisms for automatically
+   archiving discussion group mail.  In some cases, a two-level archive
+   scheme is used:  current mail is kept in the standard maildrop,
+   recent mail is kept in an archive maildrop, and older mail is kept
+   off-line.  With this scheme, in addition to having a "standard"
+   maildrop for each discussion group, an "archive" maildrop may also be
+   available.  This permits a user agent to examine the most recent
+   archive using the same mechanisms as those used on the current mail.
+
+The XTND Command
+
+   The following commands are valid only in the TRANSACTION state of the
+   POP3.  This implies that the POP3 server has already opened the
+   user's maildrop (which may be empty).  This maildrop is called the
+   "default maildrop".  The phrase "closes the current maildrop" has two
+   meanings, depending on whether the current maildrop is the default
+   maildrop or is a maildrop associated with a discussion group.
+
+   In the former context, when the current maildrop is closed any
+   messages marked as deleted are removed from the maildrop currently in
+   use.  The exclusive-access lock on the maildrop is then released
+   along with any implementation-specific resources (e.g., file-
+   descriptors).
+
+   In the latter context, a maildrop associated with a discussion group
+   is considered to be read-only to the POP3 client.  In this case, the
+   phrase "closes the current maildrop" merely means that any
+   implementation-specific resources are released.  (Hence, the POP3
+   command DELE is a no-op.)
+
+   All the new facilities are introduced via a single POP3 command,
+   XTND.  All positive reponses to the XTND command are multi-line.
+
+   The most common multi-line response to the commands contains a
+   "discussion group listing" which presents the name of the discussion
+   group along with it's maxima.  In order to simplify parsing all POP3
+   servers are required to use a certain format for discussion group
+   listings:
+
+                              NAME SP MAXIMA
+
+   This memo makes no requirement on what follows the maxima in the
+   listing.  Minimal implementations should just end that line of the
+   response with a CRLF pair.  More advanced implementations may include
+   other information, as parsed from the message.
+
+       NOTE:      This memo STRONGLY discourages implementations from
+                  supplying additional information in the listing.
+
+
+
+Rose                                                            [Page 6]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   XTND BBOARDS [name]
+   Arguments: the name of a discussion group (optionally)
+   Restrictions: may only be given in the TRANSACTION state.
+   Discussion:
+
+   If an argument was given, the POP3 server closes the current
+   maildrop.  The POP3 server then validates the argument as the name of
+   a discussion group.  If this is successful, it opens the maildrop
+   associated with the group, and returns a multi-line response
+   containing the discussion group listing.  If the discussion group
+   named is not valid, or the associated archive maildrop is not
+   readable by the user, then an error response is returned.
+
+   If no argument was given, the POP3 server issues a multi-line
+   response.  After the initial +OK, for each discussion group known,
+   the POP3 server responds with a line containing the listing for that
+   discussion group.  Note that only world-readable discussion groups
+   are included in the multi-line response.
+
+   In order to aid user agents, this memo requires an extension to the
+   scan listing when an "XTND BBOARDS" command has been given.
+   Normally, a scan listing, as generated by the LIST, takes the form:
+
+          MSGNO SIZE
+
+   where MSGNO is the number of the message being listed and SIZE is the
+   size of the message in octets.  When reading a maildrop accessed via
+   "XTND BBOARDS", the scan listing takes the form
+
+          MSGNO SIZE MAXIMA
+
+   where MAXIMA is the maxima that was assigned to the message when it
+   was placed in the BBoard.
+
+   Possible Responses:
+       +OK XTND
+       -ERR no such bboard
+   Examples:
+       C:    XTND BBOARDS
+       S:    +OK XTND
+       S:    system 10
+       S:    mh-users 100
+       S:    .
+       C:    XTND BBOARDS system
+       S:    + OK XTND
+       S:    system 10
+       S:    .
+
+
+
+
+Rose                                                            [Page 7]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   XTND ARCHIVE name
+   Arguments: the name of a discussion group (required)
+   Restrictions: may only be given in the TRANSACTION state.
+   Discussion:
+
+   The POP3 server closes the current maildrop.  The POP3 server then
+   validates the argument as the name of a discussion group.  If this is
+   successful, it opens the archive maildrop associated with the group,
+   and returns a multi-line response containing the discussion group
+   listing.  If the discussion group named is not valid, or the
+   associated archive maildrop is not readable by the user, then an
+   error response is returned.
+
+   In addition, the scan listing generated by the LIST command is
+   augmented (as described above).
+
+   Possible Responses:
+       +OK XTND
+       -ERR no such bboard Examples:
+       C:    XTND ARCHIVE system
+       S:    + OK XTND
+       S:    system 3
+       S:    .
+
+   XTND X-BBOARDS name
+   Arguments: the name of a discussion group (required)
+   Restrictions: may only be given in the TRANSACTION state.
+   Discussion:
+
+   The POP3 server validates the argument as the name of a
+   discussion group.  If this is unsuccessful, then an error
+   response is returned.  Otherwise a multi-line response is
+   returned.  The first 14 lines of this response (after the
+   initial +OK) are defined in this memo.  Minimal implementations
+   need not include other information (and may omit certain
+   information, outputing a bare CRLF pair).  More advanced
+   implementations may include other information.
+
+           Line    Information (refer to "Definition of Terms")
+           ----    -----------
+             1     NAME
+             2     ALIASES, separated by SP
+             3     system-specific: maildrop
+             4     system-specific: archive maildrop
+             5     system-specific: information
+             6     system-specific: maildrop map
+             7     system-specific: encrypted password
+             8     system-specific: local leaders, separated by SP
+
+
+
+Rose                                                            [Page 8]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+             9     ADDRESS
+            10     REQUEST
+            11     system-specific: incoming feed
+            12     system-specific: outgoing feeds
+            13     FLAGS SP MAXIMA
+            14     LASTDATE
+
+   Most of this information is entirely too specific to the UCI Version
+   of the Rand MH Message Handling System [MRose85].  Nevertheless,
+   lines 1, 2, 9, 10, 13, and 14 are of general interest, regardless of
+   the implementation.
+
+           Possible Responses:
+               +OK XTND
+               -ERR no such bboard
+           Examples:
+               C:    XTND X-BBOARDS system
+               S:    + OK XTND
+               S:    system
+               S:    local general
+               S:    /usr/bboards/system.mbox
+               S:    /usr/bboards/archive/system.mbox
+               S:    /usr/bboards/.system.cnt
+               S:    /usr/bboards/.system.map
+               S:    *
+               S:    mother
+               S:    system@nrtc.northrop.com
+               S:    system-request@nrtc.northrop.com
+               S:
+               S:    dist-system@nrtc-gremlin.northrop.com
+               S:    01 10
+               S:    Thu, 19 Dec 85 00:08:49 -0800
+               S:    .
+
+Policy Notes
+
+   Depending on the particular entity administrating the POP3 service
+   host, two additional policies might be implemented:
+
+   1.  Private Discussion Groups
+
+   In the general case, discussion groups are world-readable, any user,
+   once logged in (via a terminal, terminal server, or POP3, etc.), is
+   able to read the maildrop for each discussion group known to the POP3
+   service host.  Nevertheless, it is desirable, usually for privacy
+   reasons, to implement private discussion groups as well.
+
+   Support of this is consistent with the extensions outlined in this
+
+
+
+Rose                                                            [Page 9]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   memo.  Once the AUTHORIZATION state has successfully concluded, the
+   POP3 server grants the user access to exactly those discussion groups
+   the POP3 service host permits the authenticated user to access.  As a
+   "security" feature, discussion groups associated with unreadable
+   maildrops should not be listed in a positive response to the XTND
+   BBOARDS command.
+
+   2.  Anonymous POP3 Users
+
+   In order to minimize the authentication problem, a policy permitting
+   "anonymous" access to the world-readable maildrops for discussion
+   groups on the POP3 server may be implemented.
+
+   Support of this is consistent with the extensions outlined in this
+   memo.  The POP3 server can be modified to accept a USER command for a
+   well-known pseudonym (i.e., "anonymous") which is valid with any PASS
+   command.  As a "security" feature, it is advisable to limit this kind
+   of access to only hosts at the local site, or to hosts named in an
+   access list.
+
+Experiences and Conclusions
+
+   All of the facilities described in this memo and in [RFC1081] have
+   been implemented in MH #6.1.  Initial experiences have been, on the
+   whole, very positive.
+
+   After the first implementation, some performance tuning was required.
+   This consisted primarily of caching the datastructures which describe
+   discussion groups in the POP3 server.  A second optimization
+   pertained to the client:  the program most commonly used to read
+   BBoards in MH was modified to retrieve messages only when needed.
+   Two schemes are used:
+
+         o If only the headers (and the first few lines of the body) of
+           the message are required (e.g., for a scan listing), then only
+           these are retrieved.  The resulting output is then cached, on
+           a per-message basis.
+
+         o If the entire message is required, then it is retrieved intact,
+            and cached locally.
+
+   With these optimizations, response time is quite adequate when the
+   POP3 server and client are connected via a high-speed local area
+   network.  In fact, the author uses this mechanism to access certain
+   private discussion groups over the Internet.  In this case, response
+   is still good.  When a 9.6Kbps modem is inserted in the path,
+   response went from good to almost tolerable (fortunately the author
+   only reads a few discussion groups in this fashion).
+
+
+
+Rose                                                           [Page 10]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   To conclude: the POP3 is a good thing, not only for personal mail but
+   for discussion group mail as well.
+
+
+References
+
+     [RFC1081] Rose, M., "Post Office Protocol - Verison 3 (POP3)", RFC
+               1081, TWG, November 1988.
+
+     [MRose85] Rose, M., and J. Romine, "The Rand MH Message Handling
+               System: User's Manual", University of California, Irvine,
+               November 1985.
+
+     [RFC822]  Crocker, D., "Standard for the Format of ARPA-Internet
+               Text Messages", RFC 822, University of Delaware, August
+               1982.
+
+     [RFC918]  Reynolds, J., "Post Office Protocol", RFC 918,
+               USC/Information Sciences Institute, October 1984.
+
+     [RFC937]  Butler, M., J. Postel, D. Chase, J. Goldberger, and J.
+               Reynolds, "Post Office Protocol - Version 2", RFC 937,
+               USC/Information Sciences Institute, February 1985.
+
+Author's Address:
+
+
+   Marshall Rose
+   The Wollongong Group
+   1129 San Antonio Rd.
+   Palo Alto, California 94303
+
+   Phone: (415) 962-7100
+
+   Email: MRose@TWG.COM
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rose                                                           [Page 11]
+
diff --git a/crypto/heimdal/appl/popper/pop_auth.c b/crypto/heimdal/appl/popper/pop_auth.c
new file mode 100644
index 0000000..525beaa
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_auth.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <popper.h>
+#include <base64.h>
+RCSID("$Id: pop_auth.c,v 1.2 2000/04/12 15:37:45 assar Exp $");
+
+#ifdef KRB4
+
+enum {
+    NO_PROT   = 1,
+    INT_PROT  = 2,
+    PRIV_PROT = 4
+};
+
+static int
+auth_krb4(POP *p)
+{
+    int ret;
+    des_cblock key;
+    u_int32_t nonce, nonce_reply;
+    u_int32_t max_client_packet;
+    int protocols = NO_PROT | INT_PROT | PRIV_PROT;
+    char data[8];
+    int len;
+    char *s;
+    char instance[INST_SZ];  
+    KTEXT_ST authent;
+    des_key_schedule schedule;
+    struct passwd *pw;
+
+    /* S -> C: 32 bit nonce in MSB base64 */
+
+    des_new_random_key(&key);
+    nonce = (key[0] | (key[1] << 8) | (key[2] << 16) | (key[3] << 24)
+	     | key[4] | (key[5] << 8) | (key[6] << 16) | (key[7] << 24));
+    krb_put_int(nonce, data, 4, 8);
+    len = base64_encode(data, 4, &s);
+
+    pop_msg(p, POP_CONTINUE, "%s", s);
+    free(s);
+
+    /* C -> S: ticket and authenticator */
+
+    ret = sch_readline(p->input, &s);
+    if (ret <= 0 || strcmp (s, "*") == 0)
+	return pop_msg(p, POP_FAILURE,
+		       "authentication aborted by client");
+    len = strlen(s);
+    if (len > sizeof(authent.dat)) {
+	return pop_msg(p, POP_FAILURE, "data packet too long");
+    }
+
+    authent.length = base64_decode(s, authent.dat);
+
+    k_getsockinst (0, instance, sizeof(instance));
+    ret = krb_rd_req(&authent, "pop", instance,
+		     p->in_addr.sin_addr.s_addr,
+		     &p->kdata, NULL);
+    if (ret != 0) {
+	return pop_msg(p, POP_FAILURE, "rd_req: %s",
+		       krb_get_err_text(ret));
+    }
+    if (p->kdata.checksum != nonce) {
+	return pop_msg(p, POP_FAILURE, "data stream modified");
+    }
+
+    /* S -> C: nonce + 1 | bit | max segment */
+
+    krb_put_int(nonce + 1, data, 4, 7);
+    data[4] = protocols;
+    krb_put_int(1024, data + 5, 3, 3); /* XXX */
+    des_key_sched(&p->kdata.session, schedule);
+    des_pcbc_encrypt((des_cblock*)data,
+		     (des_cblock*)data, 8,
+		     schedule,
+		     &p->kdata.session,
+		     DES_ENCRYPT);
+    len = base64_encode(data, 8, &s);
+    pop_msg(p, POP_CONTINUE, "%s", s);
+
+    free(s);
+
+    /* C -> S: nonce | bit | max segment | username */
+
+    ret = sch_readline(p->input, &s);
+    if (ret <= 0 || strcmp (s, "*") == 0)
+	return pop_msg(p, POP_FAILURE,
+		       "authentication aborted");
+    len = strlen(s);
+    if (len > sizeof(authent.dat)) {
+	return pop_msg(p, POP_FAILURE, "data packet too long");
+    }
+
+    authent.length = base64_decode(s, authent.dat);
+    
+    if (authent.length % 8 != 0) {
+	return pop_msg(p, POP_FAILURE, "reply is not a multiple of 8 bytes");
+    }
+
+    des_key_sched(&p->kdata.session, schedule);
+    des_pcbc_encrypt((des_cblock*)authent.dat,
+		     (des_cblock*)authent.dat,
+		     authent.length,
+		     schedule,
+		     &p->kdata.session,
+		     DES_DECRYPT);
+
+    krb_get_int(authent.dat, &nonce_reply, 4, 0);
+    if (nonce_reply != nonce) {
+	return pop_msg(p, POP_FAILURE, "data stream modified");
+    }
+    protocols &= authent.dat[4];
+    krb_get_int(authent.dat + 5, &max_client_packet, 3, 0);
+    if(authent.dat[authent.length - 1] != '\0') {
+	return pop_msg(p, POP_FAILURE, "bad format of username");
+    }
+    strncpy (p->user, authent.dat + 8, sizeof(p->user));
+    pw = k_getpwnam(p->user);
+    if (pw == NULL) {
+	return (pop_msg(p,POP_FAILURE,
+			"Password supplied for \"%s\" is incorrect.",
+			p->user));
+    }
+
+    if (kuserok(&p->kdata, p->user)) {
+	pop_log(p, POP_PRIORITY,
+		"%s: (%s.%s@%s) tried to retrieve mail for %s.",
+		p->client, p->kdata.pname, p->kdata.pinst,
+		p->kdata.prealm, p->user);
+	return(pop_msg(p,POP_FAILURE,
+		       "Popping not authorized"));
+    }
+    pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s",
+	    p->ipaddr,
+	    p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
+	    p->user);
+    ret = pop_login(p, pw);
+    if (protocols & PRIV_PROT)
+	;
+    else if (protocols & INT_PROT)
+	;
+    else
+	;
+    
+    return ret;
+}
+#endif /* KRB4 */
+
+#ifdef KRB5
+static int
+auth_gssapi(POP *p)
+{
+    
+}
+#endif /* KRB5 */
+
+/* 
+ *  auth: RFC1734
+ */
+
+static struct {
+    const char *name;
+    int (*func)(POP *);
+} methods[] = {
+#ifdef KRB4
+    {"KERBEROS_V4",	auth_krb4},
+#endif
+#ifdef KRB5
+    {"GSSAPI",		auth_gssapi},
+#endif
+    {NULL,		NULL}
+};
+
+int
+pop_auth (POP *p)
+{
+    int i;
+
+    for (i = 0; methods[i].name != NULL; ++i)
+	if (strcasecmp(p->pop_parm[1], methods[i].name) == 0)
+	    return (*methods[i].func)(p);
+    return pop_msg(p, POP_FAILURE,
+		   "Authentication method %s unknown", p->pop_parm[1]);
+}
diff --git a/crypto/heimdal/appl/popper/pop_debug.c b/crypto/heimdal/appl/popper/pop_debug.c
new file mode 100644
index 0000000..e400278
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_debug.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* Tiny program to help debug popper */
+
+#include "popper.h"
+RCSID("$Id: pop_debug.c,v 1.21 2001/02/20 01:44:47 assar Exp $");
+
+static void
+loop(int s)
+{
+    char cmd[1024];
+    char buf[1024];
+    fd_set fds;
+    while(1){
+	FD_ZERO(&fds);
+	FD_SET(0, &fds);
+	FD_SET(s, &fds);
+	if(select(s+1, &fds, 0, 0, 0) < 0)
+	    err(1, "select");
+	if(FD_ISSET(0, &fds)){
+	    fgets(cmd, sizeof(cmd), stdin);
+	    cmd[strlen(cmd) - 1] = '\0';
+	    strlcat (cmd, "\r\n", sizeof(cmd));
+	    write(s, cmd, strlen(cmd));
+	}
+	if(FD_ISSET(s, &fds)){
+	    int n = read(s, buf, sizeof(buf));
+	    if(n == 0)
+		exit(0);
+	    fwrite(buf, n, 1, stdout);
+	}
+    }
+}
+
+static int
+get_socket (const char *hostname, int port)
+{
+    int ret;
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    char portstr[NI_MAXSERV];
+    
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    snprintf (portstr, sizeof(portstr), "%d", ntohs(port));
+    ret = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (ret)
+	errx (1, "getaddrinfo %s: %s", hostname, gai_strerror (ret));
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	int s;
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    close (s);
+	    continue;
+	}
+	freeaddrinfo (ai);
+	return s;
+    }
+    err (1, "failed to connect to %s", hostname);
+}
+
+#ifdef KRB4
+static int
+doit_v4 (char *host, int port)
+{
+    KTEXT_ST ticket;
+    MSG_DAT msg_data;
+    CREDENTIALS cred;
+    des_key_schedule sched;
+    int ret;
+    int s = get_socket (host, port);
+
+    ret = krb_sendauth(0,
+		       s,
+		       &ticket, 
+		       "pop",
+		       host,
+		       krb_realmofhost(host),
+		       getpid(),
+		       &msg_data,
+		       &cred,
+		       sched,
+		       NULL,
+		       NULL,
+		       "KPOPV0.1");
+    if(ret) {
+	warnx("krb_sendauth: %s", krb_get_err_text(ret));
+	return 1;
+    }
+    loop(s);
+    return 0;
+}
+#endif
+
+#ifdef KRB5
+static int
+doit_v5 (char *host, int port)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_auth_context auth_context = NULL;
+    krb5_principal server;
+    int s = get_socket (host, port);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+    
+    ret = krb5_sname_to_principal (context,
+				   host,
+				   "pop",
+				   KRB5_NT_SRV_HST,
+				   &server);
+    if (ret) {
+	warnx ("krb5_sname_to_principal: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+    ret = krb5_sendauth (context,
+			 &auth_context,
+			 &s,
+			 "KPOPV1.0",
+			 NULL,
+			 server,
+			 0,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL);
+     if (ret) {
+	 warnx ("krb5_sendauth: %s",
+		krb5_get_err_text (context, ret));
+	 return 1;
+     }
+     loop (s);
+     return 0;
+}
+#endif
+
+
+#ifdef KRB4
+static int use_v4 = -1;
+#endif
+static int use_v5 = -1;
+static char *port_str;
+static int do_version;
+static int do_help;
+
+struct getargs args[] = {
+#ifdef KRB4
+    { "krb4",	'4', arg_flag,		&use_v4,	"Use Kerberos V4",
+      NULL },
+#endif
+    { "krb5",	'5', arg_flag,		&use_v5,	"Use Kerberos V5",
+      NULL },
+    { "port",	'p', arg_string,	&port_str,	"Use this port",
+      "number-or-service" },
+    { "version", 0,  arg_flag,		&do_version,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&do_help,	NULL,
+      NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "hostname");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = 0;
+    int ret = 1;
+    int optind = 0;
+
+    setprogname(argv[0]);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    argc -= optind;
+    argv += optind;
+
+    if (do_help)
+	usage (0);
+
+    if (do_version) {
+	print_version (NULL);
+	return 0;
+    }
+	
+    if (argc < 1)
+	usage (1);
+
+    if (port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+    if (port == 0) {
+#ifdef KRB5
+	port = krb5_getportbyname (NULL, "kpop", "tcp", 1109);
+#elif defined(KRB4)
+	port = k_getportbyname ("kpop", "tcp", 1109);
+#else
+#error must define KRB4 or KRB5
+#endif
+    }
+
+#if defined(KRB4) && defined(KRB5)
+    if(use_v4 == -1 && use_v5 == 1)
+	use_v4 = 0;
+    if(use_v5 == -1 && use_v4 == 1)
+	use_v5 = 0;
+#endif    
+
+#ifdef KRB5
+    if (ret && use_v5) {
+	ret = doit_v5 (argv[0], port);
+    }
+#endif
+#ifdef KRB4
+    if (ret && use_v4) {
+	ret = doit_v4 (argv[0], port);
+    }
+#endif
+    return ret;
+}
diff --git a/crypto/heimdal/appl/popper/pop_dele.c b/crypto/heimdal/appl/popper/pop_dele.c
new file mode 100644
index 0000000..f1c2952
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_dele.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_dele.c,v 1.10 1999/08/12 11:35:26 joda Exp $");
+
+/* 
+ *  dele:   Delete a message from the POP maildrop
+ */
+int
+pop_dele (POP *p)
+{
+    MsgInfoList     *   mp;         /*  Pointer to message info list */
+    int                 msg_num;
+
+    /*  Convert the message number parameter to an integer */
+    msg_num = atoi(p->pop_parm[1]);
+
+    /*  Is requested message out of range? */
+    if ((msg_num < 1) || (msg_num > p->msg_count))
+        return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_num));
+
+    /*  Get a pointer to the message in the message list */
+    mp = &(p->mlp[msg_num-1]);
+
+    /*  Is the message already flagged for deletion? */
+    if (mp->flags & DEL_FLAG)
+        return (pop_msg (p,POP_FAILURE,"Message %d has already been deleted.",
+            msg_num));
+
+    /*  Flag the message for deletion */
+    mp->flags |= DEL_FLAG;
+
+#ifdef DEBUG
+    if(p->debug)
+        pop_log(p, POP_DEBUG,
+		"Deleting message %u at offset %ld of length %ld\n",
+		mp->number, mp->offset, mp->length);
+#endif /* DEBUG */
+
+    /*  Update the messages_deleted and bytes_deleted counters */
+    p->msgs_deleted++;
+    p->bytes_deleted += mp->length;
+
+    /*  Update the last-message-accessed number if it is lower than 
+        the deleted message */
+    if (p->last_msg < msg_num) p->last_msg = msg_num;
+
+    return (pop_msg (p,POP_SUCCESS,"Message %d has been deleted.",msg_num));
+}
+
+#ifdef XDELE
+/* delete a range of messages */
+int
+pop_xdele(POP *p)
+{
+    MsgInfoList     *   mp;         /*  Pointer to message info list */
+
+    int msg_min, msg_max;
+    int i;
+
+
+    msg_min = atoi(p->pop_parm[1]);
+    if(p->parm_count == 1)
+	msg_max = msg_min;
+    else
+	msg_max = atoi(p->pop_parm[2]);
+
+    if (msg_min < 1)
+        return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_min));
+    if(msg_max > p->msg_count)
+        return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_max));
+    for(i = msg_min; i <= msg_max; i++) {
+
+	/*  Get a pointer to the message in the message list */
+	mp = &(p->mlp[i - 1]);
+
+	/*  Is the message already flagged for deletion? */
+	if (mp->flags & DEL_FLAG)
+	    continue; /* no point in returning error */
+	/*  Flag the message for deletion */
+	mp->flags |= DEL_FLAG;
+	
+#ifdef DEBUG
+	if(p->debug)
+	    pop_log(p, POP_DEBUG,
+		    "Deleting message %u at offset %ld of length %ld\n",
+		    mp->number, mp->offset, mp->length);
+#endif /* DEBUG */
+	
+	/*  Update the messages_deleted and bytes_deleted counters */
+	p->msgs_deleted++;
+	p->bytes_deleted += mp->length;
+    }
+
+    /*  Update the last-message-accessed number if it is lower than 
+	the deleted message */
+    if (p->last_msg < msg_max) p->last_msg = msg_max;
+    
+    return (pop_msg (p,POP_SUCCESS,"Messages %d-%d has been deleted.",
+		     msg_min, msg_max));
+    
+}
+#endif /* XDELE */
diff --git a/crypto/heimdal/appl/popper/pop_dropcopy.c b/crypto/heimdal/appl/popper/pop_dropcopy.c
new file mode 100644
index 0000000..f33cfb0
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_dropcopy.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_dropcopy.c,v 1.25 1999/09/16 20:38:49 assar Exp $");
+
+/*
+ * Run as the user in `pwd'
+ */
+
+int
+changeuser(POP *p, struct passwd *pwd)
+{
+    if(setgid(pwd->pw_gid) < 0) {
+	pop_log (p, POP_PRIORITY,
+		 "Unable to change to gid %u: %s",
+		 (unsigned)pwd->pw_gid,
+		 strerror(errno));
+	return pop_msg (p, POP_FAILURE,
+			"Unable to change gid");
+    }
+    if(setuid(pwd->pw_uid) < 0) {
+	pop_log (p, POP_PRIORITY,
+		 "Unable to change to uid %u: %s",
+		 (unsigned)pwd->pw_uid,
+		 strerror(errno));
+	return pop_msg (p, POP_FAILURE,
+			"Unable to change uid");
+    }
+#ifdef DEBUG
+    if(p->debug)
+	pop_log(p, POP_DEBUG,"uid = %u, gid = %u",
+	       (unsigned)getuid(),
+	       (unsigned)getgid());
+#endif /* DEBUG */
+    return POP_SUCCESS;
+}
+
+/* 
+ *  dropcopy:   Make a temporary copy of the user's mail drop and 
+ *  save a stream pointer for it.
+ */
+
+int
+pop_dropcopy(POP *p, struct passwd *pwp)
+{
+    int                     mfd;                    /*  File descriptor for 
+                                                        the user's maildrop */
+    int                     dfd;                    /*  File descriptor for 
+                                                        the SERVER maildrop */
+    FILE		    *tf;		    /*  The temp file */
+    char		    template[POP_TMPSIZE];  /*  Temp name holder */
+    char                    buffer[BUFSIZ];         /*  Read buffer */
+    long                    offset;                 /*  Old/New boundary */
+    int                     nchar;                  /*  Bytes written/read */
+    int                     tf_fd;                  /*  fd for temp file */
+    int			    ret;
+
+    /*  Create a temporary maildrop into which to copy the updated maildrop */
+    snprintf(p->temp_drop, sizeof(p->temp_drop), POP_DROP,p->user);
+
+#ifdef DEBUG
+    if(p->debug)
+        pop_log(p,POP_DEBUG,"Creating temporary maildrop '%s'",
+            p->temp_drop);
+#endif /* DEBUG */
+
+    /* Here we work to make sure the user doesn't cause us to remove or
+     * write over existing files by limiting how much work we do while
+     * running as root.
+     */
+
+    strlcpy(template, POP_TMPDROP, sizeof(template));
+    if ((tf_fd = mkstemp(template)) < 0 ||
+	(tf = fdopen(tf_fd, "w+")) == NULL) {
+        pop_log(p,POP_PRIORITY,
+            "Unable to create temporary temporary maildrop '%s': %s",template,
+		strerror(errno));
+        return pop_msg(p,POP_FAILURE,
+		"System error, can't create temporary file.");
+    }
+
+    /* Now give this file to the user	*/
+    chown(template, pwp->pw_uid, pwp->pw_gid);
+    chmod(template, 0600);
+
+    /* Now link this file to the temporary maildrop.  If this fails it
+     * is probably because the temporary maildrop already exists.  If so,
+     * this is ok.  We can just go on our way, because by the time we try
+     * to write into the file we will be running as the user.
+     */
+    link(template,p->temp_drop);
+    fclose(tf);
+    unlink(template);
+
+    ret = changeuser(p, pwp);
+    if (ret != POP_SUCCESS)
+	return ret;
+
+    /* Open for append,  this solves the crash recovery problem */
+    if ((dfd = open(p->temp_drop,O_RDWR|O_APPEND|O_CREAT,0600)) == -1){
+        pop_log(p,POP_PRIORITY,
+            "Unable to open temporary maildrop '%s': %s",p->temp_drop,
+		strerror(errno));
+        return pop_msg(p,POP_FAILURE,
+		"System error, can't open temporary file, do you own it?");
+    }
+
+    /*  Lock the temporary maildrop */
+    if ( flock (dfd, (LOCK_EX | LOCK_NB)) == -1 ) 
+    switch(errno) {
+        case EWOULDBLOCK:
+            return pop_msg(p,POP_FAILURE,
+                 "Maildrop lock busy!  Is another session active?");
+            /* NOTREACHED */
+        default:
+            return pop_msg(p,POP_FAILURE,"flock: '%s': %s", p->temp_drop,
+		strerror(errno));
+            /* NOTREACHED */
+        }
+    
+    /* May have grown or shrunk between open and lock! */
+    offset = lseek(dfd,0, SEEK_END);
+
+    /*  Open the user's maildrop, If this fails,  no harm in assuming empty */
+    if ((mfd = open(p->drop_name,O_RDWR)) > 0) {
+
+        /*  Lock the maildrop */
+        if (flock (mfd, LOCK_EX) == -1) {
+            close(mfd) ;
+            return pop_msg(p,POP_FAILURE, "flock: '%s': %s", p->temp_drop,
+		strerror(errno));
+        }
+
+        /*  Copy the actual mail drop into the temporary mail drop */
+        while ( (nchar=read(mfd,buffer,BUFSIZ)) > 0 )
+            if ( nchar != write(dfd,buffer,nchar) ) {
+                nchar = -1 ;
+                break ;
+            }
+
+        if ( nchar != 0 ) {
+            /* Error adding new mail.  Truncate to original size,
+               and leave the maildrop as is.  The user will not 
+               see the new mail until the error goes away.
+               Should let them process the current backlog,  in case
+               the error is a quota problem requiring deletions! */
+            ftruncate(dfd,(int)offset) ;
+        } else {
+            /* Mail transferred!  Zero the mail drop NOW,  that we
+               do not have to do gymnastics to figure out what's new
+               and what is old later */
+            ftruncate(mfd,0) ;
+        }
+
+        /*  Close the actual mail drop */
+        close (mfd);
+    }
+
+    /*  Acquire a stream pointer for the temporary maildrop */
+    if ( (p->drop = fdopen(dfd,"a+")) == NULL ) {
+        close(dfd) ;
+        return pop_msg(p,POP_FAILURE,"Cannot assign stream for %s",
+            p->temp_drop);
+    }
+
+    rewind (p->drop);
+
+    return(POP_SUCCESS);
+}
diff --git a/crypto/heimdal/appl/popper/pop_dropinfo.c b/crypto/heimdal/appl/popper/pop_dropinfo.c
new file mode 100644
index 0000000..71922d2
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_dropinfo.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_dropinfo.c,v 1.24 1999/09/16 20:38:49 assar Exp $");
+
+#if defined(UIDL) || defined(XOVER)
+
+/*
+ * Copy the string found after after : into a malloced buffer. Stop
+ * copying at end of string or end of line. End of line delimiter is
+ * not part of the resulting copy.
+ */
+static
+char *
+find_value_after_colon(char *p)
+{
+  char *t, *tmp;
+
+  for (; *p != 0 && *p != ':'; p++) /* Find : */
+    ;
+
+  if (*p == 0)
+    goto error;
+
+  p++;				/* Skip over : */
+
+  for(; *p == ' ' || *p == '\t'; p++) /* Remove white space */
+    ;
+
+  for (t = p; *t != 0 && *t != '\n' && *t != '\r'; t++)	/* Find end of str */
+    ;
+
+  tmp = t = malloc(t - p + 1);
+  if (tmp == 0)
+    goto error;
+
+  for (; *p != 0 && *p != '\n' && *p != '\r'; p++, t++)	/* Copy characters */
+    *t = *p;
+  *t = 0;			/* Terminate string */
+  return tmp;
+
+error:
+  return "ErrorUIDL";
+}
+#endif
+
+void
+parse_header(MsgInfoList *mp, char *buffer)
+{
+#if defined(UIDL) || defined(XOVER)
+    if (strncasecmp("Message-Id:",buffer, 11) == 0) {
+	if (mp->msg_id == NULL)
+	    mp->msg_id = find_value_after_colon(buffer);
+    } 
+#ifdef UIDL
+    else if (strncasecmp(buffer, "X-UIDL:", 7) == 0) {
+	/* Courtesy to Qualcomm, there really is no such 
+	   thing as X-UIDL */
+	mp->msg_id = find_value_after_colon(buffer);
+    }
+#endif
+#endif
+#ifdef XOVER
+    else if (strncasecmp("Subject:", buffer, 8) == 0) {
+	if(mp->subject == NULL){
+	    char *p;
+	    mp->subject = find_value_after_colon(buffer);
+	    for(p = mp->subject; *p; p++)
+		if(*p == '\t') *p = ' ';
+	}
+    }
+    else if (strncasecmp("From:", buffer, 5) == 0) {
+	if(mp->from == NULL){
+	    char *p;
+	    mp->from = find_value_after_colon(buffer);
+	    for(p = mp->from; *p; p++)
+		if(*p == '\t') *p = ' ';
+	}
+    }
+    else if (strncasecmp("Date:", buffer, 5) == 0) {
+	if(mp->date == NULL){
+	    char *p;
+	    mp->date = find_value_after_colon(buffer);
+	    for(p = mp->date; *p; p++)
+		if(*p == '\t') *p = ' ';
+	}
+    }
+#endif
+}
+
+int
+add_missing_headers(POP *p, MsgInfoList *mp)
+{
+#if defined(UIDL) || defined(XOVER)
+    if (mp->msg_id == NULL) {
+	asprintf(&mp->msg_id, "no-message-id-%d", mp->number);
+	if(mp->msg_id == NULL) {
+	    fclose (p->drop);
+	    p->msg_count = 0;
+	    return pop_msg (p,POP_FAILURE,
+			    "Can't build message list for '%s': Out of memory",
+                            p->user);
+	}
+    }
+#endif	    
+#ifdef XOVER
+    if (mp->subject == NULL)
+	mp->subject = "<none>";
+    if (mp->from == NULL)
+	mp->from = "<unknown>";
+    if (mp->date == NULL)
+	mp->date = "<unknown>";
+#endif
+    return POP_SUCCESS;
+}
+
+/* 
+ *  dropinfo:   Extract information about the POP maildrop and store 
+ *  it for use by the other POP routines.
+ */
+
+int
+pop_dropinfo(POP *p)
+{
+    char                    buffer[BUFSIZ];         /*  Read buffer */
+    MsgInfoList         *   mp;                     /*  Pointer to message 
+                                                        info list */
+    int			    msg_num;                /*  Current message 
+                                                        counter */
+    int                     nchar;                  /*  Bytes written/read */
+    int blank_line = 1; /* previous line was blank */
+    int in_header = 0; /* if we are in a header block */
+    
+    /*  Initialize maildrop status variables in the POP parameter block */
+    p->msg_count = 0;
+    p->msgs_deleted = 0;
+    p->last_msg = 0;
+    p->bytes_deleted = 0;
+    p->drop_size = 0;
+
+    /*  Allocate memory for message information structures */
+    p->msg_count = ALLOC_MSGS;
+    p->mlp = (MsgInfoList *)calloc((unsigned)p->msg_count,sizeof(MsgInfoList));
+    if (p->mlp == NULL){
+        fclose (p->drop);
+        p->msg_count = 0;
+        return pop_msg (p,POP_FAILURE,
+            "Can't build message list for '%s': Out of memory", p->user);
+    }
+
+    rewind (p->drop);
+
+    /*  Scan the file, loading the message information list with 
+        information about each message */
+
+    for (msg_num = p->drop_size = 0, mp = p->mlp - 1;
+             fgets(buffer,MAXMSGLINELEN,p->drop);) {
+
+        nchar  = strlen(buffer);
+
+        if (blank_line && strncmp(buffer,"From ",5) == 0) {
+	    in_header = 1;
+            if (++msg_num > p->msg_count) {
+                p->mlp=(MsgInfoList *) realloc(p->mlp,
+                    (p->msg_count+=ALLOC_MSGS)*sizeof(MsgInfoList));
+                if (p->mlp == NULL){
+                    fclose (p->drop);
+                    p->msg_count = 0;
+                    return pop_msg (p,POP_FAILURE,
+                        "Can't build message list for '%s': Out of memory",
+                            p->user);
+                }
+                mp = p->mlp + msg_num - 2;
+            }
+            ++mp;
+            mp->number = msg_num;
+            mp->length = 0;
+            mp->lines = 0;
+            mp->offset = ftell(p->drop) - nchar;
+            mp->flags = 0;
+#if defined(UIDL) || defined(XOVER)
+	    mp->msg_id = 0;
+#endif
+#ifdef XOVER
+	    mp->subject = 0;
+	    mp->from = 0;
+	    mp->date = 0;
+#endif
+#ifdef DEBUG
+            if(p->debug)
+                pop_log(p, POP_DEBUG,
+			"Msg %d at offset %ld being added to list",
+			mp->number, mp->offset);
+#endif /* DEBUG */
+        } else if(in_header)
+	    parse_header(mp, buffer);
+	blank_line = (strncmp(buffer, "\n", nchar) == 0);
+	if(blank_line) {
+	    int e;
+	    in_header = 0;
+	    e = add_missing_headers(p, mp);
+	    if(e != POP_SUCCESS)
+		return e;
+	}
+        mp->length += nchar;
+        p->drop_size += nchar;
+        mp->lines++;
+    }
+    p->msg_count = msg_num;
+
+#ifdef DEBUG
+    if(p->debug && msg_num > 0) {
+        int i;
+        for (i = 0, mp = p->mlp; i < p->msg_count; i++, mp++)
+#ifdef UIDL
+	    pop_log(p,POP_DEBUG,
+		    "Msg %d at offset %ld is %ld octets long and has %u lines and id %s.",
+                    mp->number,mp->offset,mp->length,mp->lines, mp->msg_id);
+#else	
+            pop_log(p,POP_DEBUG,
+                "Msg %d at offset %d is %d octets long and has %u lines.",
+                    mp->number,mp->offset,mp->length,mp->lines);
+#endif
+    }
+#endif /* DEBUG */
+
+    return(POP_SUCCESS);
+}
diff --git a/crypto/heimdal/appl/popper/pop_get_command.c b/crypto/heimdal/appl/popper/pop_get_command.c
new file mode 100644
index 0000000..e43c1d9
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_get_command.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_get_command.c,v 1.15 1999/09/16 20:38:49 assar Exp $");
+
+/* 
+ *  get_command:    Extract the command from an input line form a POP client
+ */
+
+static state_table states[] = {
+        {auth1,  "user", 1,  1,  pop_user,   {auth1, auth2}},
+        {auth2,  "pass", 1,  99, pop_pass,   {auth1, trans}},
+#ifdef RPOP
+        {auth2,  "rpop", 1,  1,  pop_rpop,   {auth1, trans}},
+#endif /* RPOP */
+        {auth1,  "quit", 0,  0,  pop_quit,   {halt,  halt}},
+        {auth2,  "quit", 0,  0,  pop_quit,   {halt,  halt}},
+        {trans,  "stat", 0,  0,  pop_stat,   {trans, trans}},
+        {trans,  "list", 0,  1,  pop_list,   {trans, trans}},
+        {trans,  "retr", 1,  1,  pop_send,   {trans, trans}},
+        {trans,  "dele", 1,  1,  pop_dele,   {trans, trans}},
+        {trans,  "noop", 0,  0,  NULL,       {trans, trans}},
+        {trans,  "rset", 0,  0,  pop_rset,   {trans, trans}},
+        {trans,  "top",  2,  2,  pop_send,   {trans, trans}},
+        {trans,  "last", 0,  0,  pop_last,   {trans, trans}},
+        {trans,  "quit", 0,  0,  pop_updt,   {halt,  halt}},
+	{trans,  "help", 0,  0,  pop_help,   {trans, trans}},
+#ifdef UIDL
+        {trans,  "uidl", 0,  1,  pop_uidl,   {trans, trans}},
+#endif
+#ifdef XOVER
+	{trans,	"xover", 0,  0,	 pop_xover,  {trans, trans}},
+#endif
+#ifdef XDELE
+        {trans,  "xdele", 1,  2,  pop_xdele,   {trans, trans}},
+#endif
+        {(state) 0,  NULL,   0,  0,  NULL,       {halt,  halt}},
+};
+
+state_table *
+pop_get_command(POP *p, char *mp)
+{
+    state_table     *   s;
+    char                buf[MAXMSGLINELEN];
+
+    /*  Save a copy of the original client line */
+#ifdef DEBUG
+    if(p->debug) strlcpy (buf, mp, sizeof(buf));
+#endif /* DEBUG */
+
+    /*  Parse the message into the parameter array */
+    if ((p->parm_count = pop_parse(p,mp)) < 0) return(NULL);
+
+    /*  Do not log cleartext passwords */
+#ifdef DEBUG
+    if(p->debug){
+        if(strcmp(p->pop_command,"pass") == 0)
+            pop_log(p,POP_DEBUG,"Received: \"%s xxxxxxxxx\"",p->pop_command);
+        else {
+            /*  Remove trailing <LF> */
+            buf[strlen(buf)-2] = '\0';
+            pop_log(p,POP_DEBUG,"Received: \"%s\"",buf);
+        }
+    }
+#endif /* DEBUG */
+
+    /*  Search for the POP command in the command/state table */
+    for (s = states; s->command; s++) {
+
+        /*  Is this a valid command for the current operating state? */
+        if (strcmp(s->command,p->pop_command) == 0
+             && s->ValidCurrentState == p->CurrentState) {
+
+            /*  Were too few parameters passed to the command? */
+            if (p->parm_count < s->min_parms) {
+                pop_msg(p,POP_FAILURE,
+			"Too few arguments for the %s command.",
+			p->pop_command);
+		return NULL;
+	    }
+
+            /*  Were too many parameters passed to the command? */
+            if (p->parm_count > s->max_parms) {
+                pop_msg(p,POP_FAILURE,
+			"Too many arguments for the %s command.",
+			p->pop_command);
+		return NULL;
+	   }
+
+            /*  Return a pointer to the entry for this command in 
+                the command/state table */
+            return (s);
+        }
+    }
+    /*  The client command was not located in the command/state table */
+    pop_msg(p,POP_FAILURE,
+	    "Unknown command: \"%s\".",p->pop_command);
+    return NULL;
+}
+
+int
+pop_help (POP *p)
+{
+    state_table		*s;
+
+    pop_msg(p, POP_SUCCESS, "help");
+
+    for (s = states; s->command; s++) {
+	fprintf (p->output, "%s\r\n", s->command);
+    }
+    fprintf (p->output, ".\r\n");
+    fflush (p->output);
+    return POP_SUCCESS;
+}
diff --git a/crypto/heimdal/appl/popper/pop_init.c b/crypto/heimdal/appl/popper/pop_init.c
new file mode 100644
index 0000000..7487ce6
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_init.c
@@ -0,0 +1,398 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_init.c,v 1.58 2001/02/20 01:44:47 assar Exp $");
+
+
+#if defined(KRB4) || defined(KRB5)
+
+static int
+pop_net_read(POP *p, int fd, void *buf, size_t len)
+{
+#ifdef KRB5
+    return krb5_net_read(p->context, &fd, buf, len);
+#elif defined(KRB4)
+    return krb_net_read(fd, buf, len);
+#endif
+}
+#endif
+
+static char *addr_log;
+
+static void
+pop_write_addr(POP *p, struct sockaddr *addr)
+{
+    char ts[32];
+    char as[128];
+    time_t t;
+    FILE *f;
+    if(addr_log == NULL)
+	return;
+    t = time(NULL);
+    strftime(ts, sizeof(ts), "%Y%m%d%H%M%S", localtime(&t));
+    if(inet_ntop (addr->sa_family, socket_get_address(addr), 
+		  as, sizeof(as)) == NULL) {
+        pop_log(p, POP_PRIORITY, "failed to print address");
+	return;
+    }
+    
+    f = fopen(addr_log, "a");
+    if(f == NULL) {
+        pop_log(p, POP_PRIORITY, "failed to open address log (%s)", addr_log);
+	return;
+    }
+    fprintf(f, "%s %s\n", as, ts);
+    fclose(f);
+}
+
+#ifdef KRB4
+static int
+krb4_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr)
+{
+    Key_schedule schedule;
+    KTEXT_ST ticket;
+    char instance[INST_SZ];  
+    char version[9];
+    int auth;
+  
+    if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
+	return -1;
+    if (pop_net_read (p, s, buf + 4,
+		      KRB_SENDAUTH_VLEN - 4) != KRB_SENDAUTH_VLEN - 4)
+	return -1;
+    if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0)
+	return -1;
+
+    k_getsockinst (0, instance, sizeof(instance));
+    auth = krb_recvauth(KOPT_IGNORE_PROTOCOL,
+			s,
+			&ticket,
+			"pop",
+			instance,
+                        (struct sockaddr_in *)addr,
+			(struct sockaddr_in *) NULL,
+                        &p->kdata,
+			"",
+			schedule,
+			version);
+    
+    if (auth != KSUCCESS) {
+        pop_msg(p, POP_FAILURE, "Kerberos authentication failure: %s", 
+                krb_get_err_text(auth));
+        pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client, 
+                p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
+		krb_get_err_text(auth));
+	return -1;
+    }
+
+#ifdef DEBUG
+    pop_log(p, POP_DEBUG, "%s.%s@%s (%s): ok", p->kdata.pname, 
+            p->kdata.pinst, p->kdata.prealm, p->ipaddr);
+#endif /* DEBUG */
+    return 0;
+}
+#endif /* KRB4 */
+
+#ifdef KRB5
+static int
+krb5_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr)
+{
+    krb5_error_code ret;
+    krb5_auth_context auth_context = NULL;
+    u_int32_t len;
+    krb5_ticket *ticket;
+    char *server;
+
+    if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
+	return -1;
+    len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
+	
+    if (krb5_net_read(p->context, &s, buf, len) != len)
+	return -1;
+    if (len != sizeof(KRB5_SENDAUTH_VERSION)
+	|| memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0)
+	return -1;
+
+    ret = krb5_recvauth (p->context,
+			 &auth_context,
+			 &s,
+			 "KPOPV1.0",
+			 NULL, /* let rd_req figure out what server to use */
+			 KRB5_RECVAUTH_IGNORE_VERSION,
+			 NULL,
+			 &ticket);
+    if (ret) {
+	pop_log(p, POP_PRIORITY, "krb5_recvauth: %s",
+		krb5_get_err_text(p->context, ret));
+	return -1;
+    }
+
+
+    ret = krb5_unparse_name(p->context, ticket->server, &server);
+    if(ret) {
+	pop_log(p, POP_PRIORITY, "krb5_unparse_name: %s", 
+		krb5_get_err_text(p->context, ret));
+	ret = -1;
+	goto out;
+    }
+    /* does this make sense? */
+    if(strncmp(server, "pop/", 4) != 0) {
+	pop_log(p, POP_PRIORITY,
+		"Got ticket for service `%s'", server);
+	ret = -1;
+	goto out;
+    } else if(p->debug)
+	pop_log(p, POP_DEBUG, 
+		"Accepted ticket for service `%s'", server);
+    free(server);
+ out:
+    krb5_auth_con_free (p->context, auth_context);
+    krb5_copy_principal (p->context, ticket->client, &p->principal);
+    krb5_free_ticket (p->context, ticket);
+
+    return ret;
+}
+#endif
+
+static int
+krb_authenticate(POP *p, struct sockaddr *addr)
+{
+#if defined(KRB4) || defined(KRB5)
+    u_char buf[BUFSIZ];
+
+    if (pop_net_read (p, 0, buf, 4) != 4) {
+	pop_msg(p, POP_FAILURE, "Reading four bytes: %s",
+		strerror(errno));
+	exit (1);
+    }
+#ifdef KRB4
+    if (krb4_authenticate (p, 0, buf, addr) == 0){
+	pop_write_addr(p, addr);
+	p->version = 4;
+	return POP_SUCCESS;
+    }
+#endif
+#ifdef KRB5
+    if (krb5_authenticate (p, 0, buf, addr) == 0){
+	pop_write_addr(p, addr);
+	p->version = 5;
+	return POP_SUCCESS;
+    }
+#endif
+    exit (1);
+	
+#endif /* defined(KRB4) || defined(KRB5) */
+
+    return(POP_SUCCESS);
+}
+
+static int
+plain_authenticate (POP *p, struct sockaddr *addr)
+{
+    return(POP_SUCCESS);
+}
+
+static int kerberos_flag;
+static char *auth_str;
+static int debug_flag;
+static int interactive_flag;
+static char *port_str;
+static char *trace_file;
+static int timeout;
+static int help_flag;
+static int version_flag;
+
+static struct getargs args[] = {
+#if defined(KRB4) || defined(KRB5)
+    { "kerberos", 'k', arg_flag, &kerberos_flag, "use kerberos" },
+#endif
+    { "auth-mode", 'a', arg_string, &auth_str, "required authentication" },
+    { "debug", 'd', arg_flag, &debug_flag },
+    { "interactive", 'i', arg_flag, &interactive_flag, "create new socket" },
+    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
+    { "trace-file", 't', arg_string, &trace_file, "trace all command to file", "file" },
+    { "timeout", 'T', arg_integer, &timeout, "timeout", "seconds" },
+    { "address-log", 0, arg_string, &addr_log, "enable address log", "file" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 'v', arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+/* 
+ *  init:   Start a Post Office Protocol session
+ */
+
+static int
+pop_getportbyname(POP *p, const char *service, 
+		  const char *proto, short def)
+{
+#ifdef KRB5
+    return krb5_getportbyname(p->context, service, proto, def);
+#elif defined(KRB4)
+    return k_getportbyname(service, proto, htons(def));
+#else
+    return htons(default);
+#endif
+}
+
+int
+pop_init(POP *p,int argcount,char **argmessage)
+{
+    struct sockaddr_storage cs_ss;
+    struct sockaddr *cs = (struct sockaddr *)&cs_ss;
+    socklen_t		    len;
+    char                *   trace_file_name = "/tmp/popper-trace";
+    int			    portnum = 0;
+    int 		    optind = 0;
+    int			    error;
+
+    /*  Initialize the POP parameter block */
+    memset (p, 0, sizeof(POP));
+
+    setprogname(argmessage[0]);
+
+    /*  Save my name in a global variable */
+    p->myname = (char*)getprogname();
+
+    /*  Get the name of our host */
+    gethostname(p->myhost,MaxHostNameLen);
+
+#ifdef KRB5
+    {
+	krb5_error_code ret;
+
+	ret = krb5_init_context (&p->context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+
+	krb5_openlog(p->context, p->myname, &p->logf);
+	krb5_set_warn_dest(p->context, p->logf);
+    }
+#else
+    /*  Open the log file */
+    roken_openlog(p->myname,POP_LOGOPTS,POP_FACILITY);
+#endif
+
+    p->auth_level = AUTH_NONE;
+
+    if(getarg(args, num_args, argcount, argmessage, &optind)){
+	arg_printusage(args, num_args, NULL, "");
+	exit(1);
+    }
+    if(help_flag){
+	arg_printusage(args, num_args, NULL, "");
+	exit(0);
+    }
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argcount -= optind;
+    argmessage += optind;
+
+    if (argcount != 0) {
+	arg_printusage(args, num_args, NULL, "");
+	exit(1);
+    }
+
+    if(auth_str){
+	if (strcmp (auth_str, "none") == 0)
+	    p->auth_level = AUTH_NONE;
+	else if(strcmp(auth_str, "otp") == 0)
+	    p->auth_level = AUTH_OTP;
+	else
+	    warnx ("bad value for -a: %s", optarg);
+    }
+    /*  Debugging requested */
+    p->debug = debug_flag;
+
+    if(port_str)
+	portnum = htons(atoi(port_str));
+    if(trace_file){
+	p->debug++;
+	if ((p->trace = fopen(trace_file, "a+")) == NULL) {
+	    pop_log(p, POP_PRIORITY,
+		    "Unable to open trace file \"%s\", err = %d",
+		    optarg,errno);
+	    exit (1);
+	}
+	trace_file_name = trace_file;
+    }
+
+#if defined(KRB4) || defined(KRB5)
+    p->kerberosp = kerberos_flag;
+#endif
+
+    if(timeout)
+	pop_timeout = timeout;
+    
+    /* Fake inetd */
+    if (interactive_flag) {
+	if (portnum == 0)
+	    portnum = p->kerberosp ?
+		pop_getportbyname(p, "kpop", "tcp", 1109) :
+	    pop_getportbyname(p, "pop", "tcp", 110);
+	mini_inetd (portnum);
+    }
+
+    /*  Get the address and socket of the client to whom I am speaking */
+    len = sizeof(cs_ss);
+    if (getpeername(STDIN_FILENO, cs, &len) < 0) {
+        pop_log(p,POP_PRIORITY,
+            "Unable to obtain socket and address of client, err = %d",errno);
+        exit (1);
+    }
+
+    /*  Save the dotted decimal form of the client's IP address 
+        in the POP parameter block */
+    inet_ntop (cs->sa_family, socket_get_address (cs),
+	       p->ipaddr, sizeof(p->ipaddr));
+
+    /*  Save the client's port */
+    p->ipport = ntohs(socket_get_port (cs));
+
+    /*  Get the canonical name of the host to whom I am speaking */
+    error = getnameinfo_verified (cs, len, p->client, sizeof(p->client),
+				  NULL, 0, 0);
+    if (error) {
+	pop_log (p, POP_PRIORITY,
+		 "getnameinfo: %s", gai_strerror (error));
+	strlcpy (p->client, p->ipaddr, sizeof(p->client));
+    }
+
+    /*  Create input file stream for TCP/IP communication */
+    if ((p->input = fdopen(STDIN_FILENO,"r")) == NULL){
+        pop_log(p,POP_PRIORITY,
+            "Unable to open communication stream for input, err = %d",errno);
+        exit (1);
+    }
+
+    /*  Create output file stream for TCP/IP communication */
+    if ((p->output = fdopen(STDOUT_FILENO,"w")) == NULL){
+        pop_log(p,POP_PRIORITY,
+            "Unable to open communication stream for output, err = %d",errno);
+        exit (1);
+    }
+
+    pop_log(p,POP_PRIORITY,
+        "(v%s) Servicing request from \"%s\" at %s\n",
+            VERSION,p->client,p->ipaddr);
+
+#ifdef DEBUG
+    if (p->trace)
+        pop_log(p,POP_PRIORITY,
+            "Tracing session and debugging information in file \"%s\"",
+                trace_file_name);
+    else if (p->debug)
+        pop_log(p,POP_PRIORITY,"Debugging turned on");
+#endif /* DEBUG */
+
+
+    return((p->kerberosp ? krb_authenticate : plain_authenticate)(p, cs));
+}
diff --git a/crypto/heimdal/appl/popper/pop_last.c b/crypto/heimdal/appl/popper/pop_last.c
new file mode 100644
index 0000000..36fdd0d
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_last.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_last.c,v 1.6 1996/10/28 16:25:28 assar Exp $");
+
+/* 
+ *  last:   Display the last message touched in a POP session
+ */
+
+int
+pop_last (POP *p)
+{
+    return (pop_msg(p,POP_SUCCESS,"%u is the last message seen.",p->last_msg));
+}
diff --git a/crypto/heimdal/appl/popper/pop_list.c b/crypto/heimdal/appl/popper/pop_list.c
new file mode 100644
index 0000000..aa7666a
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_list.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_list.c,v 1.10 1998/04/23 17:37:47 joda Exp $");
+
+/* 
+ *  list:   List the contents of a POP maildrop
+ */
+
+int
+pop_list (POP *p)
+{
+    MsgInfoList         *   mp;         /*  Pointer to message info list */
+    int		            i;
+    int			    msg_num;
+
+    /*  Was a message number provided? */
+    if (p->parm_count > 0) {
+        msg_num = atoi(p->pop_parm[1]);
+
+        /*  Is requested message out of range? */
+        if ((msg_num < 1) || (msg_num > p->msg_count))
+            return (pop_msg (p,POP_FAILURE,
+                "Message %d does not exist.",msg_num));
+
+        /*  Get a pointer to the message in the message list */
+        mp = &p->mlp[msg_num-1];
+
+        /*  Is the message already flagged for deletion? */
+        if (mp->flags & DEL_FLAG)
+            return (pop_msg (p,POP_FAILURE,
+                "Message %d has been deleted.",msg_num));
+
+        /*  Display message information */
+        return (pop_msg(p,POP_SUCCESS,"%d %ld",msg_num,mp->length));
+    }
+    
+    /*  Display the entire list of messages */
+    pop_msg(p,POP_SUCCESS,
+	    "%d messages (%ld octets)",
+            p->msg_count-p->msgs_deleted,
+	    p->drop_size-p->bytes_deleted);
+
+    /*  Loop through the message information list.  Skip deleted messages */
+    for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) {
+        if (!(mp->flags & DEL_FLAG)) 
+            fprintf(p->output,"%u %lu\r\n",mp->number,mp->length);
+    }
+
+    /*  "." signals the end of a multi-line transmission */
+    fprintf(p->output,".\r\n");
+    fflush(p->output);
+
+    return(POP_SUCCESS);
+}
diff --git a/crypto/heimdal/appl/popper/pop_log.c b/crypto/heimdal/appl/popper/pop_log.c
new file mode 100644
index 0000000..deb9841
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_log.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_log.c,v 1.13 1997/10/14 21:59:07 joda Exp $");
+
+/* 
+ *  log:    Make a log entry
+ */
+
+int
+pop_log(POP *p, int stat, char *format, ...)
+{
+    char msgbuf[MAXLINELEN];
+    va_list     ap;
+
+    va_start(ap, format);
+    vsnprintf(msgbuf, sizeof(msgbuf), format, ap);
+
+    if (p->debug && p->trace) {
+        fprintf(p->trace,"%s\n",msgbuf);
+        fflush(p->trace);
+    } else {
+#ifdef KRB5
+	krb5_log(p->context, p->logf, stat, "%s", msgbuf);
+#else
+        syslog (stat,"%s",msgbuf);
+#endif
+    }
+    va_end(ap);
+
+    return(stat);
+}
diff --git a/crypto/heimdal/appl/popper/pop_msg.c b/crypto/heimdal/appl/popper/pop_msg.c
new file mode 100644
index 0000000..12887a4
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_msg.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_msg.c,v 1.16 1999/09/16 20:38:50 assar Exp $");
+
+/* 
+ *  msg:    Send a formatted line to the POP client
+ */
+
+int
+pop_msg(POP *p, int stat, char *format, ...)
+{
+    char	       *mp;
+    char                message[MAXLINELEN];
+    va_list             ap;
+
+    va_start(ap, format);
+    
+    /*  Point to the message buffer */
+    mp = message;
+
+    /*  Format the POP status code at the beginning of the message */
+    snprintf (mp, sizeof(message), "%s ",
+	      (stat == POP_SUCCESS) ? POP_OK : POP_ERR);
+
+    /*  Point past the POP status indicator in the message message */
+    mp += strlen(mp);
+
+    /*  Append the message (formatted, if necessary) */
+    if (format) 
+	vsnprintf (mp, sizeof(message) - strlen(message),
+		   format, ap);
+    
+    /*  Log the message if debugging is turned on */
+#ifdef DEBUG
+    if (p->debug && stat == POP_SUCCESS)
+        pop_log(p,POP_DEBUG,"%s",message);
+#endif /* DEBUG */
+
+    /*  Log the message if a failure occurred */
+    if (stat != POP_SUCCESS) 
+        pop_log(p,POP_PRIORITY,"%s",message);
+
+    /*  Append the <CR><LF> */
+    strlcat(message, "\r\n", sizeof(message));
+        
+    /*  Send the message to the client */
+    fputs(message, p->output);
+    fflush(p->output);
+
+    va_end(ap);
+    return(stat);
+}
diff --git a/crypto/heimdal/appl/popper/pop_parse.c b/crypto/heimdal/appl/popper/pop_parse.c
new file mode 100644
index 0000000..37aef36
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_parse.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_parse.c,v 1.9 1999/03/13 21:17:27 assar Exp $");
+
+/* 
+ *  parse:  Parse a raw input line from a POP client 
+ *  into null-delimited tokens
+ */
+
+int
+pop_parse(POP *p, char *buf)
+{
+    char            *   mp;
+    int        i;
+    
+    /*  Loop through the POP command array */
+    for (mp = buf, i = 0; ; i++) {
+    
+        /*  Skip leading spaces and tabs in the message */
+        while (isspace((unsigned char)*mp))mp++;
+
+        /*  Are we at the end of the message? */
+        if (*mp == 0) break;
+
+        /*  Have we already obtained the maximum allowable parameters? */
+        if (i >= MAXPARMCOUNT) {
+            pop_msg(p,POP_FAILURE,"Too many arguments supplied.");
+            return(-1);
+        }
+
+        /*  Point to the start of the token */
+        p->pop_parm[i] = mp;
+
+        /*  Search for the first space character (end of the token) */
+        while (!isspace((unsigned char)*mp) && *mp) mp++;
+
+        /*  Delimit the token with a null */
+        if (*mp) *mp++ = 0;
+    }
+
+    /*  Were any parameters passed at all? */
+    if (i == 0) return (-1);
+
+    /*  Convert the first token (POP command) to lower case */
+    strlwr(p->pop_command);
+
+    /*  Return the number of tokens extracted minus the command itself */
+    return (i-1);
+    
+}
diff --git a/crypto/heimdal/appl/popper/pop_pass.c b/crypto/heimdal/appl/popper/pop_pass.c
new file mode 100644
index 0000000..cebd780
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_pass.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_pass.c,v 1.41 2000/04/12 15:37:46 assar Exp $");
+
+#ifdef KRB4
+static int
+krb4_verify_password (POP *p)
+{
+    int status;
+    char lrealm[REALM_SZ];
+    char tkt[MaxPathLen];
+
+    status = krb_get_lrealm(lrealm,1);
+    if (status == KFAILURE) {
+        pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client,
+		p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
+		krb_get_err_text(status));
+	return 1;
+    }
+    snprintf(tkt, sizeof(tkt), "%s_popper.%u", TKT_ROOT, (unsigned)getpid());
+    krb_set_tkt_string (tkt);
+
+    status = krb_verify_user(p->user, "", lrealm,
+			     p->pop_parm[1], KRB_VERIFY_SECURE, "pop");
+    dest_tkt(); /* no point in keeping the tickets */
+    return status;
+}
+#endif /* KRB4 */
+
+#ifdef KRB5
+static int
+krb5_verify_password (POP *p)
+{
+    krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP};
+    krb5_get_init_creds_opt get_options;
+    krb5_verify_init_creds_opt verify_options;
+    krb5_error_code ret;
+    krb5_principal client, server;
+    krb5_creds creds;
+
+    krb5_get_init_creds_opt_init (&get_options);
+
+    krb5_get_init_creds_opt_set_preauth_list (&get_options,
+					      pre_auth_types,
+					      1);
+
+    krb5_verify_init_creds_opt_init (&verify_options);
+    
+    ret = krb5_parse_name (p->context, p->user, &client);
+    if (ret) {
+	pop_log(p, POP_PRIORITY, "krb5_parse_name: %s",
+		krb5_get_err_text (p->context, ret));
+	return 1;
+    }
+
+    ret = krb5_get_init_creds_password (p->context,
+					&creds,
+					client,
+					p->pop_parm[1],
+					NULL,
+					NULL,
+					0,
+					NULL,
+					&get_options);
+    if (ret) {
+	pop_log(p, POP_PRIORITY,
+		"krb5_get_init_creds_password: %s",
+		krb5_get_err_text (p->context, ret));
+	return 1;
+    }
+
+    ret = krb5_sname_to_principal (p->context,
+				   p->myhost,
+				   "pop",
+				   KRB5_NT_SRV_HST,
+				   &server);
+    if (ret) {
+	pop_log(p, POP_PRIORITY,
+		"krb5_get_init_creds_password: %s",
+		krb5_get_err_text (p->context, ret));
+	return 1;
+    }
+
+    ret = krb5_verify_init_creds (p->context,
+				  &creds,
+				  server,
+				  NULL,
+				  NULL,
+				  &verify_options);
+    krb5_free_principal (p->context, client);
+    krb5_free_principal (p->context, server);
+    krb5_free_creds_contents (p->context, &creds);
+    return ret;
+}
+#endif
+/* 
+ *  pass:   Obtain the user password from a POP client
+ */
+
+int
+pop_pass (POP *p)
+{
+    struct passwd  *pw;
+    int i;
+    struct stat st;
+
+    /* Make one string of all these parameters */
+    
+    for (i = 1; i < p->parm_count; ++i)
+	p->pop_parm[i][strlen(p->pop_parm[i])] = ' ';
+
+    /*  Look for the user in the password file */
+    if ((pw = k_getpwnam(p->user)) == NULL)
+	return (pop_msg(p,POP_FAILURE,
+			"Password supplied for \"%s\" is incorrect.",
+			p->user));
+
+    if (p->kerberosp) {
+#ifdef KRB4
+	if (p->version == 4) {
+	    if(kuserok (&p->kdata, p->user)) {
+		pop_log(p, POP_PRIORITY,
+			"%s: (%s.%s@%s) tried to retrieve mail for %s.",
+			p->client, p->kdata.pname, p->kdata.pinst,
+			p->kdata.prealm, p->user);
+		return(pop_msg(p,POP_FAILURE,
+			       "Popping not authorized"));
+	    }
+	    pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s",
+		    p->ipaddr,
+		    p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
+		    p->user);
+	} else
+#endif /* KRB4 */
+#ifdef KRB5
+	if (p->version == 5) {
+	    char *name;
+	    
+	    if (!krb5_kuserok (p->context, p->principal, p->user)) {
+		pop_log (p, POP_PRIORITY,
+			 "krb5 permission denied");
+		return pop_msg(p, POP_FAILURE,
+			       "Popping not authorized");
+	    }
+	    if(krb5_unparse_name (p->context, p->principal, &name) == 0) {
+		pop_log(p, POP_INFO, "%s: %s -> %s",
+			p->ipaddr, name, p->user);
+		free (name);
+	    }
+	} else {
+	    pop_log (p, POP_PRIORITY, "kerberos authentication failed");
+	    return pop_msg (p, POP_FAILURE,
+			    "kerberos authentication failed");
+	}
+#endif
+	{ }
+    } else {
+	 /*  We don't accept connections from users with null passwords */
+	 if (pw->pw_passwd == NULL)
+	      return (pop_msg(p,
+			      POP_FAILURE,
+			      "Password supplied for \"%s\" is incorrect.",
+			      p->user));
+
+#ifdef OTP
+	 if (otp_verify_user (&p->otp_ctx, p->pop_parm[1]) == 0)
+	     /* pass OK */;
+	 else
+#endif
+	 /*  Compare the supplied password with the password file entry */
+	 if (p->auth_level != AUTH_NONE)
+	     return pop_msg(p, POP_FAILURE,
+			    "Password supplied for \"%s\" is incorrect.",
+			    p->user);
+	 else if (!strcmp(crypt(p->pop_parm[1], pw->pw_passwd), pw->pw_passwd))
+	     /* pass OK */;
+	 else {
+	     int ret = -1;
+#ifdef KRB4
+	     ret = krb4_verify_password (p);
+#endif
+#ifdef KRB5
+	     if(ret)
+		 ret = krb5_verify_password (p);
+#endif
+	     if(ret)
+		 return pop_msg(p, POP_FAILURE,
+				"Password incorrect");
+	 }
+    }
+    pop_log(p, POP_INFO, "login from %s as %s",
+	    p->ipaddr, p->user);
+
+    /*  Build the name of the user's maildrop */
+    snprintf(p->drop_name, sizeof(p->drop_name), "%s/%s", POP_MAILDIR, p->user);
+
+    if(stat(p->drop_name, &st) < 0 || !S_ISDIR(st.st_mode)){
+	/*  Make a temporary copy of the user's maildrop */
+	/*    and set the group and user id */
+	if (pop_dropcopy(p, pw) != POP_SUCCESS) return (POP_FAILURE);
+	
+	/*  Get information about the maildrop */
+	if (pop_dropinfo(p) != POP_SUCCESS) return(POP_FAILURE);
+    } else {
+	if(changeuser(p, pw) != POP_SUCCESS) return POP_FAILURE;
+	if(pop_maildir_info(p) != POP_SUCCESS) return POP_FAILURE;
+    }
+    /*  Initialize the last-message-accessed number */
+    p->last_msg = 0;
+
+    /*  Authorization completed successfully */
+    return (pop_msg (p, POP_SUCCESS,
+		     "%s has %d message(s) (%ld octets).",
+		     p->user, p->msg_count, p->drop_size));
+}
diff --git a/crypto/heimdal/appl/popper/pop_quit.c b/crypto/heimdal/appl/popper/pop_quit.c
new file mode 100644
index 0000000..429b181
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_quit.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_quit.c,v 1.7 1996/11/19 22:48:30 assar Exp $");
+
+/* 
+ *  quit:   Terminate a POP session
+ */
+
+int
+pop_quit (POP *p)
+{
+    /*  Release the message information list */
+    if (p->mlp) free (p->mlp);
+
+    return(POP_SUCCESS);
+}
diff --git a/crypto/heimdal/appl/popper/pop_rset.c b/crypto/heimdal/appl/popper/pop_rset.c
new file mode 100644
index 0000000..6888ebf
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_rset.c
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_rset.c,v 1.9 1998/04/23 17:38:08 joda Exp $");
+
+/* 
+ *  rset:   Unflag all messages flagged for deletion in a POP maildrop
+ */
+
+int
+pop_rset (POP *p)
+{
+    MsgInfoList     *   mp;         /*  Pointer to the message info list */
+    int		        i;
+
+    /*  Unmark all the messages */
+    for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++)
+        mp->flags &= ~DEL_FLAG;
+    
+    /*  Reset the messages-deleted and bytes-deleted counters */
+    p->msgs_deleted = 0;
+    p->bytes_deleted = 0;
+    
+    /*  Reset the last-message-access flag */
+    p->last_msg = 0;
+
+    return (pop_msg(p,POP_SUCCESS,"Maildrop has %u messages (%ld octets)",
+		    p->msg_count, p->drop_size));
+}
diff --git a/crypto/heimdal/appl/popper/pop_send.c b/crypto/heimdal/appl/popper/pop_send.c
new file mode 100644
index 0000000..166b990
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_send.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_send.c,v 1.25 1999/03/05 14:14:28 joda Exp $");
+
+/*
+ *  sendline:   Send a line of a multi-line response to a client.
+ */
+static int
+pop_sendline(POP *p, char *buffer)
+{
+    char        *   bp;
+
+    /*  Byte stuff lines that begin with the termination octet */
+    if (*buffer == POP_TERMINATE) 
+      fputc(POP_TERMINATE,p->output);
+
+    /*  Look for a <NL> in the buffer */
+    if ((bp = strchr(buffer, '\n')))
+      *bp = 0;
+
+    /*  Send the line to the client */
+    fputs(buffer,p->output);
+
+#ifdef DEBUG
+    if(p->debug)
+      pop_log(p,POP_DEBUG,"Sending line \"%s\"",buffer);
+#endif /* DEBUG */
+
+    /*  Put a <CR><NL> if a newline was removed from the buffer */
+    if (bp)
+      fputs ("\r\n",p->output);
+    return bp != NULL;
+}
+
+/* 
+ *  send:   Send the header and a specified number of lines 
+ *          from a mail message to a POP client.
+ */
+
+int
+pop_send(POP *p)
+{
+    MsgInfoList         *   mp;         /*  Pointer to message info list */
+    int		            msg_num;
+    int			    msg_lines;
+    char                    buffer[MAXMSGLINELEN];
+#ifdef RETURN_PATH_HANDLING
+    char		*   return_path_adr;
+    char		*   return_path_end;
+    int			    return_path_sent;
+    int			    return_path_linlen;
+#endif
+    int			sent_nl = 0;
+
+    /*  Convert the first parameter into an integer */
+    msg_num = atoi(p->pop_parm[1]);
+
+    /*  Is requested message out of range? */
+    if ((msg_num < 1) || (msg_num > p->msg_count))
+        return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_num));
+
+    /*  Get a pointer to the message in the message list */
+    mp = &p->mlp[msg_num-1];
+
+    /*  Is the message flagged for deletion? */
+    if (mp->flags & DEL_FLAG)
+        return (pop_msg (p,POP_FAILURE,
+			 "Message %d has been deleted.",msg_num));
+
+    /*  If this is a TOP command, get the number of lines to send */
+    if (strcmp(p->pop_command, "top") == 0) {
+        /*  Convert the second parameter into an integer */
+        msg_lines = atoi(p->pop_parm[2]);
+    }
+    else {
+        /*  Assume that a RETR (retrieve) command was issued */
+        msg_lines = -1;
+        /*  Flag the message as retreived */
+        mp->flags |= RETR_FLAG;
+    }
+    
+    /*  Display the number of bytes in the message */
+    pop_msg(p, POP_SUCCESS, "%ld octets", mp->length);
+
+    if(IS_MAILDIR(p)) {
+	int e = pop_maildir_open(p, mp);
+	if(e != POP_SUCCESS)
+	    return e;
+    }
+
+    /*  Position to the start of the message */
+    fseek(p->drop, mp->offset, 0);
+
+    return_path_sent = 0;
+
+    if(!IS_MAILDIR(p)) {
+	/*  Skip the first line (the sendmail "From" line) */
+	fgets (buffer,MAXMSGLINELEN,p->drop);
+
+#ifdef RETURN_PATH_HANDLING
+	if (strncmp(buffer,"From ",5) == 0) {
+	    return_path_linlen = strlen(buffer);
+	    for (return_path_adr = buffer+5;
+		 (*return_path_adr == ' ' || *return_path_adr == '\t') &&
+		     return_path_adr < buffer + return_path_linlen;
+		 return_path_adr++)
+		;
+	    if (return_path_adr < buffer + return_path_linlen) {
+		if ((return_path_end = strchr(return_path_adr, ' ')) != NULL)
+		    *return_path_end = '\0';
+		if (strlen(return_path_adr) != 0 && *return_path_adr != '\n') {
+		    static char tmpbuf[MAXMSGLINELEN + 20];
+		    if (snprintf (tmpbuf,
+				  sizeof(tmpbuf),
+				  "Return-Path: %s\n",
+				  return_path_adr) < MAXMSGLINELEN) {
+			pop_sendline (p,tmpbuf);
+			if (hangup)
+			    return pop_msg (p, POP_FAILURE,
+					    "SIGHUP or SIGPIPE flagged");
+			return_path_sent++;
+		    }
+		}
+	    }
+	}
+#endif
+    }
+
+    /*  Send the header of the message followed by a blank line */
+    while (fgets(buffer,MAXMSGLINELEN,p->drop)) {
+#ifdef RETURN_PATH_HANDLING
+	/* Don't send existing Return-Path-header if already sent own */
+	if (!return_path_sent || strncasecmp(buffer, "Return-Path:", 12) != 0)
+#endif
+	    sent_nl = pop_sendline (p,buffer);
+        /*  A single newline (blank line) signals the 
+            end of the header.  sendline() converts this to a NULL, 
+            so that's what we look for. */
+        if (*buffer == 0) break;
+        if (hangup)
+	    return (pop_msg (p,POP_FAILURE,"SIGHUP or SIGPIPE flagged"));
+    }
+    /*  Send the message body */
+    {
+	int blank_line = 1;
+	while (fgets(buffer, MAXMSGLINELEN-1, p->drop)) {
+	    /*  Look for the start of the next message */
+	    if (!IS_MAILDIR(p) && blank_line && strncmp(buffer,"From ",5) == 0)
+		break;
+	    blank_line = (strncmp(buffer, "\n", 1) == 0);
+	    /*  Decrement the lines sent (for a TOP command) */
+	    if (msg_lines >= 0 && msg_lines-- == 0) break;
+	    sent_nl = pop_sendline(p,buffer);
+	    if (hangup)
+		return (pop_msg (p,POP_FAILURE,"SIGHUP or SIGPIPE flagged"));
+	}
+	/* add missing newline at end */
+	if(!sent_nl)
+	    fputs("\r\n", p->output);
+	/* some pop-clients want a blank line at the end of the
+           message, we always add one here, but what the heck -- in
+           outer (white) space, no one can hear you scream */
+	if(IS_MAILDIR(p))
+	    fputs("\r\n", p->output);
+    }
+    /*  "." signals the end of a multi-line transmission */
+    fputs(".\r\n",p->output);
+    fflush(p->output);
+
+    return(POP_SUCCESS);
+}
diff --git a/crypto/heimdal/appl/popper/pop_stat.c b/crypto/heimdal/appl/popper/pop_stat.c
new file mode 100644
index 0000000..9ab2800
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_stat.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_stat.c,v 1.7 1997/05/11 11:04:35 assar Exp $");
+
+/* 
+ *  stat:   Display the status of a POP maildrop to its client
+ */
+
+int
+pop_stat (POP *p)
+{
+#ifdef DEBUG
+    if (p->debug) pop_log(p,POP_DEBUG,"%d message(s) (%ld octets).",
+			  p->msg_count-p->msgs_deleted,
+			  p->drop_size-p->bytes_deleted);
+#endif /* DEBUG */
+    return (pop_msg (p,POP_SUCCESS,
+		     "%d %ld",
+		     p->msg_count-p->msgs_deleted,
+		     p->drop_size-p->bytes_deleted));
+}
diff --git a/crypto/heimdal/appl/popper/pop_uidl.c b/crypto/heimdal/appl/popper/pop_uidl.c
new file mode 100644
index 0000000..42dc12d
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_uidl.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_uidl.c,v 1.9 1999/12/02 16:58:33 joda Exp $");
+
+#ifdef UIDL
+/* 
+ *  uidl:   Uidl the contents of a POP maildrop
+ */
+
+int
+pop_uidl (POP *p)
+{
+    MsgInfoList         *   mp;         /*  Pointer to message info list */
+    int		            i;
+    int			    msg_num;
+
+    /*  Was a message number provided? */
+    if (p->parm_count > 0) {
+        msg_num = atoi(p->pop_parm[1]);
+
+        /*  Is requested message out of range? */
+        if ((msg_num < 1) || (msg_num > p->msg_count))
+            return (pop_msg (p,POP_FAILURE,
+                "Message %d does not exist.",msg_num));
+
+        /*  Get a pointer to the message in the message list */
+        mp = &p->mlp[msg_num-1];
+
+        /*  Is the message already flagged for deletion? */
+        if (mp->flags & DEL_FLAG)
+            return (pop_msg (p,POP_FAILURE,
+                "Message %d has been deleted.",msg_num));
+
+        /*  Display message information */
+        return (pop_msg(p,POP_SUCCESS,"%u %s",msg_num,mp->msg_id));
+    }
+    
+    /*  Display the entire list of messages */
+    pop_msg(p,POP_SUCCESS,
+	    "%d messages (%ld octets)",
+            p->msg_count-p->msgs_deleted,
+	    p->drop_size-p->bytes_deleted);
+
+    /*  Loop through the message information list.  Skip deleted messages */
+    for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) {
+        if (!(mp->flags & DEL_FLAG)) 
+            fprintf(p->output,"%u %s\r\n",mp->number,mp->msg_id);
+    }
+
+    /*  "." signals the end of a multi-line transmission */
+    fprintf(p->output,".\r\n");
+    fflush(p->output);
+
+    return(POP_SUCCESS);
+}
+#endif /* UIDL */
diff --git a/crypto/heimdal/appl/popper/pop_updt.c b/crypto/heimdal/appl/popper/pop_updt.c
new file mode 100644
index 0000000..0130132
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_updt.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_updt.c,v 1.19 1998/04/23 18:36:51 joda Exp $");
+
+static char standard_error[] =
+    "Error error updating primary drop. Mailbox unchanged";
+
+/* 
+ *  updt:   Apply changes to a user's POP maildrop
+ */
+
+int
+pop_updt (POP *p)
+{
+    FILE                *   md;                     /*  Stream pointer for 
+                                                        the user's maildrop */
+    int                     mfd;                    /*  File descriptor for
+                                                        above */
+    char                    buffer[BUFSIZ];         /*  Read buffer */
+
+    MsgInfoList         *   mp;                     /*  Pointer to message 
+                                                        info list */
+    int		            msg_num;                /*  Current message 
+                                                        counter */
+    int			    status_written;         /*  Status header field 
+                                                        written */
+    int                     nchar;                  /* Bytes read/written */
+
+    long                    offset;                 /* New mail offset */
+
+    int			    blank_line;
+
+#ifdef DEBUG
+    if (p->debug) {
+        pop_log(p,POP_DEBUG,"Performing maildrop update...");
+        pop_log(p,POP_DEBUG,"Checking to see if all messages were deleted");
+    }
+#endif /* DEBUG */
+
+    if(IS_MAILDIR(p))
+	return pop_maildir_update(p);
+
+    if (p->msgs_deleted == p->msg_count) {
+        /* Truncate before close, to avoid race condition,  DO NOT UNLINK!
+           Another process may have opened,  and not yet tried to lock */
+        ftruncate ((int)fileno(p->drop),0);
+        fclose(p->drop) ;
+        return (POP_SUCCESS);
+    }
+
+#ifdef DEBUG
+    if (p->debug) 
+        pop_log(p,POP_DEBUG,"Opening mail drop \"%s\"",p->drop_name);
+#endif /* DEBUG */
+
+    /*  Open the user's real maildrop */
+    if ((mfd = open(p->drop_name,O_RDWR|O_CREAT,0600)) == -1 ||
+        (md = fdopen(mfd,"r+")) == NULL) {
+        return pop_msg(p,POP_FAILURE,standard_error);
+    }
+
+    /*  Lock the user's real mail drop */
+    if ( flock(mfd, LOCK_EX) == -1 ) {
+        fclose(md) ;
+        return pop_msg(p,POP_FAILURE, "flock: '%s': %s", p->temp_drop,
+		       strerror(errno));
+    }
+
+    /* Go to the right places */
+    offset = lseek((int)fileno(p->drop),0,SEEK_END) ; 
+
+    /*  Append any messages that may have arrived during the session 
+        to the temporary maildrop */
+    while ((nchar=read(mfd,buffer,BUFSIZ)) > 0)
+        if ( nchar != write((int)fileno(p->drop),buffer,nchar) ) {
+            nchar = -1;
+            break ;
+        }
+    if ( nchar != 0 ) {
+        fclose(md) ;
+        ftruncate((int)fileno(p->drop),(int)offset) ;
+        fclose(p->drop) ;
+        return pop_msg(p,POP_FAILURE,standard_error);
+    }
+
+    rewind(md);
+    lseek(mfd,0,SEEK_SET);
+    ftruncate(mfd,0) ;
+
+    /* Synch stdio and the kernel for the POP drop */
+    rewind(p->drop);
+    lseek((int)fileno(p->drop),0,SEEK_SET);
+
+    /*  Transfer messages not flagged for deletion from the temporary 
+        maildrop to the new maildrop */
+#ifdef DEBUG
+    if (p->debug) 
+        pop_log(p,POP_DEBUG,"Creating new maildrop \"%s\" from \"%s\"",
+                p->drop_name,p->temp_drop);
+#endif /* DEBUG */
+
+    for (msg_num = 0; msg_num < p->msg_count; ++msg_num) {
+
+        int doing_body;
+
+        /*  Get a pointer to the message information list */
+        mp = &p->mlp[msg_num];
+
+        if (mp->flags & DEL_FLAG) {
+#ifdef DEBUG
+            if(p->debug)
+                pop_log(p,POP_DEBUG,
+                    "Message %d flagged for deletion.",mp->number);
+#endif /* DEBUG */
+            continue;
+        }
+
+        fseek(p->drop,mp->offset,0);
+
+#ifdef DEBUG
+        if(p->debug)
+            pop_log(p,POP_DEBUG,"Copying message %d.",mp->number);
+#endif /* DEBUG */
+	blank_line = 1;
+        for(status_written = doing_body = 0 ;
+            fgets(buffer,MAXMSGLINELEN,p->drop);) {
+
+            if (doing_body == 0) { /* Header */
+
+                /*  Update the message status */
+                if (strncasecmp(buffer,"Status:",7) == 0) {
+                    if (mp->flags & RETR_FLAG)
+                        fputs("Status: RO\n",md);
+                    else
+                        fputs(buffer, md);
+                    status_written++;
+                    continue;
+                }
+                /*  A blank line signals the end of the header. */
+                if (*buffer == '\n') {
+                    doing_body = 1;
+                    if (status_written == 0) {
+                        if (mp->flags & RETR_FLAG)
+                            fputs("Status: RO\n\n",md);
+                        else
+                            fputs("Status: U\n\n",md);
+                    }
+                    else fputs ("\n", md);
+                    continue;
+                }
+                /*  Save another header line */
+                fputs (buffer, md);
+            } 
+            else { /* Body */ 
+                if (blank_line && strncmp(buffer,"From ",5) == 0) break;
+                fputs (buffer, md);
+		blank_line = (*buffer == '\n');
+            }
+        }
+    }
+
+    /* flush and check for errors now!  The new mail will writen
+       without stdio,  since we need not separate messages */
+
+    fflush(md) ;
+    if (ferror(md)) {
+        ftruncate(mfd,0) ;
+        fclose(md) ;
+        fclose(p->drop) ;
+        return pop_msg(p,POP_FAILURE,standard_error);
+    }
+
+    /* Go to start of new mail if any */
+    lseek((int)fileno(p->drop),offset,SEEK_SET);
+
+    while((nchar=read((int)fileno(p->drop),buffer,BUFSIZ)) > 0)
+        if ( nchar != write(mfd,buffer,nchar) ) {
+            nchar = -1;
+            break ;
+        }
+    if ( nchar != 0 ) {
+        ftruncate(mfd,0) ;
+        fclose(md) ;
+        fclose(p->drop) ;
+        return pop_msg(p,POP_FAILURE,standard_error);
+    }
+
+    /*  Close the maildrop and empty temporary maildrop */
+    fclose(md);
+    ftruncate((int)fileno(p->drop),0);
+    fclose(p->drop);
+
+    return(pop_quit(p));
+}
diff --git a/crypto/heimdal/appl/popper/pop_user.c b/crypto/heimdal/appl/popper/pop_user.c
new file mode 100644
index 0000000..be771e6
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_user.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_user.c,v 1.15 1999/09/16 20:38:50 assar Exp $");
+
+/* 
+ *  user:   Prompt for the user name at the start of a POP session
+ */
+
+int
+pop_user (POP *p)
+{
+    char ss[256];
+
+    strlcpy(p->user, p->pop_parm[1], sizeof(p->user));
+
+#ifdef OTP
+    if (otp_challenge (&p->otp_ctx, p->user, ss, sizeof(ss)) == 0) {
+	return pop_msg(p, POP_SUCCESS, "Password %s required for %s.",
+		       ss, p->user);
+    } else
+#endif
+    if (p->auth_level != AUTH_NONE) {
+	char *s = NULL;
+#ifdef OTP
+	s = otp_error(&p->otp_ctx);
+#endif
+	return pop_msg(p, POP_FAILURE, "Permission denied%s%s",
+		       s ? ":" : "", s ? s : "");
+    } else
+	return pop_msg(p, POP_SUCCESS, "Password required for %s.", p->user);
+}
diff --git a/crypto/heimdal/appl/popper/pop_xover.c b/crypto/heimdal/appl/popper/pop_xover.c
new file mode 100644
index 0000000..94936f9
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_xover.c
@@ -0,0 +1,37 @@
+#include <popper.h>
+RCSID("$Id: pop_xover.c,v 1.4 1998/04/23 17:39:31 joda Exp $");
+
+int
+pop_xover (POP *p)
+{
+#ifdef XOVER
+    MsgInfoList         *   mp;         /*  Pointer to message info list */
+    int		            i;
+
+    pop_msg(p,POP_SUCCESS,
+	    "%d messages (%ld octets)",
+            p->msg_count-p->msgs_deleted,
+	    p->drop_size-p->bytes_deleted);
+    
+    /*  Loop through the message information list.  Skip deleted messages */
+    for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) {
+        if (!(mp->flags & DEL_FLAG)) 
+            fprintf(p->output,"%u\t%s\t%s\t%s\t%s\t%lu\t%u\r\n",
+		    mp->number,
+		    mp->subject,
+		    mp->from,
+		    mp->date, 
+		    mp->msg_id,
+		    mp->length,
+		    mp->lines);
+    }
+
+    /*  "." signals the end of a multi-line transmission */
+    fprintf(p->output,".\r\n");
+    fflush(p->output);
+
+    return(POP_SUCCESS);
+#else
+    return pop_msg(p, POP_FAILURE, "Command not implemented.");
+#endif
+}
diff --git a/crypto/heimdal/appl/popper/popper.8 b/crypto/heimdal/appl/popper/popper.8
new file mode 100644
index 0000000..30dc5b9
--- /dev/null
+++ b/crypto/heimdal/appl/popper/popper.8
@@ -0,0 +1,179 @@
+.\" Copyright (c) 1980 Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms are permitted
+.\" provided that this notice is preserved and that due credit is given
+.\" to the University of California at Berkeley. The name of the University
+.\" may not be used to endorse or promote products derived from this
+.\" software without specific prior written permission. This software
+.\" is provided ``as is'' without express or implied warranty.
+.\"
+.\" @(#)@(#)popper.8	2.3    2.3    (CCS)   4/2/91     Copyright (c) 1990 Regents of the University of California.\nAll rights reserved.\n
+.\"
+.TH popper 8 "August 1990"
+.UC 6
+.ad
+.SH NAME
+popper \- pop 3 server
+.SH SYNOPSIS
+.B /usr/etc/popper
+[ -d ]
+[ -a ]
+[ -k ]
+[ -t trace-file]
+[ -i ]
+[ -p portnum]
+.SH DESCRIPTION
+.I Popper
+is an implementation of the Post Office Protocol server that runs on a
+variety of Unix computers to manage electronic mail for Macintosh
+and MS-DOS computers.  The server was developed at the University of
+California at Berkeley and conforms fully to the specifications in RFC
+1081 and RFC 1082.  The Berkeley server also has extensions to
+send electronic mail on behalf of a client.
+.PP
+The 
+.B \-d
+flag sets the socket to debugging and turns on debugging.  All debugging
+information is saved using syslog(8).  
+.PP
+The 
+.B \-t trace\-file
+flag turns on debugging and saves the trace information in
+.I trace\-file
+using fprintf(s).
+.PP
+The
+.B \-k
+flag tells popper to talk the kerberised POP protocol (KPOP).
+.PP
+The
+.B \-a
+flag tells popper not to accept any cleartext passwords, but only OTPs.
+.PP
+The
+.B \-i
+flag tells popper it has not been started by inetd and should create
+its own socket and listen on it.  This is useful for debugging.
+.PP
+The
+.B \-p portnum
+flag tells popper on which port it should listen for connections when
+creating a socket.
+.SH HOW TO OBTAIN THE SERVER
+.PP
+The POP server is available via anonymous ftp from ftp.CC.Berkeley.EDU
+(128.32.136.9, 128.32.206.12).  It is in two files in the pub directory:
+a compressed
+tar file popper.tar.Z and a Macintosh StuffIt archive in BinHex format
+called MacPOP.sit.hqx.
+.SH THE POP TRANSACTION CYCLE
+.PP
+The Berkeley POP server is a single program (called popper) that is
+launched by inetd when it gets a service request on the POP TCP port.
+(The official port number specified in RFC 1081 for POP version 3 is
+port 110.  However, some POP3 clients attempt to contact the server at
+port 109, the POP version 2 port.  Unless you are running both POP2 and
+POP3 servers, you can simply define both ports for use by the POP3
+server.  This is explained in the installation instructions later on.)
+The popper program initializes and verifies that the peer IP address is
+registered in the local domain, logging a warning message when a
+connection is made to a client whose IP address does not have a
+canonical name.  For systems using BSD 4.3 bind, it also checks to see
+if a cannonical name lookup for the client returns the same peer IP
+address, logging a warning message if it does not.  The the server
+enters the authorization state, during which the client must correctly
+identify itself by providing a valid Unix userid and password on the
+server's host machine.  No other exchanges are allowed during this
+state (other than a request to quit.)  If authentication fails, a
+warning message is logged and the session ends.  Once the user is
+identified, popper changes its user and group ids to match that of the
+user and enters the transaction state.  The server makes a temporary
+copy of the user's maildrop (ordinarily in /usr/spool/mail) which is
+used for all subsequent transactions.  These include the bulk of POP
+commands to retrieve mail, delete mail, undelete mail, and so forth.  A
+Berkeley extension also allows the user to submit a mail parcel to the
+server who mails it using the sendmail program (this extension is
+supported in the HyperMail client distributed with the server).  When
+the client quits, the server enters the final update state during which
+the network connection is terminated and the user's maildrop is updated
+with the (possibly) modified temporary maildrop.
+.SH LOGGING
+.PP
+The POP server uses syslog to keep a record of its activities.  On
+systems with BSD 4.3 syslogging, the server logs (by default) to the
+"local0" facility at priority "notice" for all messages except
+debugging which is logged at priority "debug".  The default log file is
+/usr/spool/mqueue/POPlog.  These can be changed, if desired.  On
+systems with 4.2 syslogging all messages are logged to the local log
+file, usually /usr/spool/mqueue/syslog.
+.SH DEBUGGING
+.PP
+The popper program will log debugging information when the -d parameter
+is specified after its invocation in the inetd.conf file.  Care should
+be exercised in using this option since it generates considerable
+output in the syslog file.  Alternatively, the "-t <file-name>" option
+will place debugging information into file "<file-name>" using fprintf
+instead of syslog.
+.PP
+For SunOS version 3.5, the popper program is launched by inetd from
+/etc/servers.  This file does not allow you to specify command line
+arguments.  Therefore, if you want to enable debugging, you can specify
+a shell script in /etc/servers to be launched instead of popper and in
+this script call popper with the desired arguments.
+.PP
+You can confirm that the POP server is running on Unix by telneting to
+port 110 (or 109 if you set it up that way).  For example:
+.PP
+.nf
+%telnet myhost 110
+Trying...
+Connected to myhost.berkeley.edu.
+Escape character is '^]'.
++OK UCB Pop server (version 1.6) at myhost starting.
+quit
+Connection closed by foreign host.
+.fi
+.SH VERSION 1.7 RELEASE NOTES
+Extensive re-write of the maildrop processing code contributed by 
+Viktor Dukhovni <viktor@math.princeton.edu> that greatly reduces the
+possibility that the maildrop can be corrupted as the result of
+simultaneous access by two or more processes.
+.PP
+Added "pop_dropcopy" module to create a temporary maildrop from
+the existing, standard maildrop as root before the setuid and 
+setgid for the user is done.  This allows the temporary maildrop
+to be created in a mail spool area that is not world read-writable.
+.PP
+This version does *not* send the sendmail "From " delimiter line
+in response to a TOP or RETR command.
+.PP
+Encased all debugging code in #ifdef DEBUG constructs.  This code can
+be included by specifying the DEGUG compiler flag.  Note:  You still
+need to use the -d or -t option to obtain debugging output.
+.SH LIMITATIONS
+The POP server copies the user's entire maildrop to /tmp and
+then operates on that copy.  If the maildrop is particularly
+large, or inadequate space is available in /tmp, then the
+server will refuse to continue and terminate the connection.
+.PP
+Simultaneous modification of a single maildrop can result in 
+confusing results.  For example, manipulating messages in a
+maildrop using the Unix /usr/ucb/mail command while a copy of
+it is being processed by the POP server can cause the changes
+made by one program to be lost when the other terminates.  This
+problem is being worked on and will be fixed in a later
+release.
+.SH FILES
+.nf
+/usr/spool/mail         mail files
+/etc/inetd.conf         pop program invocation
+/etc/syslog.conf        logging specifications
+.fi
+.SH "SEE ALSO"
+inetd(8), 
+RFC1081, 
+RFC1082
+.SH AUTHORS
+Bob Campbell, Edward Moy, Austin Shelton, Marshall T Rose, and cast of
+thousands at Rand, UDel, UCI, and elsewhere
diff --git a/crypto/heimdal/appl/popper/popper.README.release b/crypto/heimdal/appl/popper/popper.README.release
new file mode 100644
index 0000000..c0b313e
--- /dev/null
+++ b/crypto/heimdal/appl/popper/popper.README.release
@@ -0,0 +1,45 @@
+Release Notes:
+
+popper-1.831beta is no longer beta	30 July 91
+	Removed popper-1.7.tar.Z
+
+popper-1.831beta.tar.Z	03 April 91
+	Changed mkstemp to mktemp for Ultrix.  Sigh.
+
+popper-1.83beta.tar.Z	02 April 91
+
+	This version makes certain that while running as root we do nothing
+	at all destructive.
+
+popper-1.82beta.tar.Z	27 March 91
+
+	This version fixes problems on Encore MultiMax and some Sun releases
+	which wouldn't allow a user to ftruncate() a file from an open
+	file descripter unless the user owns the file.  Now the user
+	owns the /usr/spool/mail/.userid.pop file.  Thanks to Ben Levy
+	of FTP Software and Henry Holtzman of Apple.
+
+popper-1.81beta.tar.Z	20 March 91
+
+	This version of popper is supposed to fix three problems reported
+	with various versions of popper (all called 1.7 or 1.7something).
+
+	1)  Dropped network connections meant lost mail files.  Some 1.7
+	    versions also risked corrupting mail files.
+
+	2)  Some versions of 1.7 created temporary drop files with world
+	    read and write permissions.
+
+	3)  Some versions of 1.7 were not careful about opening the temporary
+	    drop file.
+
+popper-1.7.tar.Z       09 September 90	(updated 20 March 91)
+
+	This version will exhibit the first problem listed above if it is
+	compiled with -DDEBUG and run without the "-d" (debug) flag.
+
+	If it is compiled without -DDEBUG it will exhibit only the second
+	and third bug listed above.
+
+Cliff Frost	poptest@nettlesome.berkeley.edu
+UC Berkeley
diff --git a/crypto/heimdal/appl/popper/popper.c b/crypto/heimdal/appl/popper/popper.c
new file mode 100644
index 0000000..28d6ab9
--- /dev/null
+++ b/crypto/heimdal/appl/popper/popper.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: popper.c,v 1.15 1997/05/11 11:04:37 assar Exp $");
+
+int hangup = FALSE ;
+
+static RETSIGTYPE
+catchSIGHUP(int sig)
+{
+    hangup = TRUE ;
+
+    /* This should not be a problem on BSD systems */
+    signal(SIGHUP,  catchSIGHUP);
+    signal(SIGPIPE, catchSIGHUP);
+    SIGRETURN(0);
+}
+
+int     pop_timeout = POP_TIMEOUT;
+
+jmp_buf env;
+
+static RETSIGTYPE
+ring(int sig)
+{
+  longjmp(env,1);
+}
+  
+/*
+ * fgets, but with a timeout
+ */
+static char *
+tgets(char *str, int size, FILE *fp, int timeout)
+{
+  signal(SIGALRM, ring);
+  alarm(timeout);
+  if (setjmp(env))
+    str = NULL;
+  else
+    str = fgets(str,size,fp);
+  alarm(0);
+  signal(SIGALRM,SIG_DFL);
+  return(str);
+}
+
+/* 
+ *  popper: Handle a Post Office Protocol version 3 session
+ */
+int
+main (int argc, char **argv)
+{
+    POP                 p;
+    state_table     *   s;
+    char                message[MAXLINELEN];
+
+    signal(SIGHUP,  catchSIGHUP);
+    signal(SIGPIPE, catchSIGHUP);
+
+    /*  Start things rolling */
+    pop_init(&p,argc,argv);
+
+    /*  Tell the user that we are listenting */
+    pop_msg(&p,POP_SUCCESS,
+        "UCB based pop server (version %s at %s) starting.",VERSION,p.myhost);
+
+    /*  State loop.  The POP server is always in a particular state in 
+        which a specific suite of commands can be executed.  The following 
+        loop reads a line from the client, gets the command, and processes 
+        it in the current context (if allowed) or rejects it.  This continues 
+        until the client quits or an error occurs. */
+
+    for (p.CurrentState=auth1;p.CurrentState!=halt&&p.CurrentState!=error;) {
+        if (hangup) {
+            pop_msg(&p, POP_FAILURE, "POP hangup: %s", p.myhost);
+            if (p.CurrentState > auth2 && !pop_updt(&p))
+                pop_msg(&p, POP_FAILURE,
+			"POP mailbox update failed: %s", p.myhost);
+            p.CurrentState = error;
+        } else if (tgets(message, MAXLINELEN, p.input, pop_timeout) == NULL) {
+	    pop_msg(&p, POP_FAILURE, "POP timeout: %s", p.myhost);
+	    if (p.CurrentState > auth2 && !pop_updt(&p))
+                pop_msg(&p,POP_FAILURE,
+			"POP mailbox update failed: %s", p.myhost);
+            p.CurrentState = error;
+        }
+        else {
+            /*  Search for the command in the command/state table */
+            if ((s = pop_get_command(&p,message)) == NULL) continue;
+
+            /*  Call the function associated with this command in 
+                the current state */
+            if (s->function) p.CurrentState = s->result[(*s->function)(&p)];
+
+            /*  Otherwise assume NOOP and send an OK message to the client */
+            else {
+                p.CurrentState = s->success_state;
+                pop_msg(&p,POP_SUCCESS,NULL);
+            }
+        }       
+    }
+
+    /*  Say goodbye to the client */
+    pop_msg(&p,POP_SUCCESS,"Pop server at %s signing off.",p.myhost);
+
+    /*  Log the end of activity */
+    pop_log(&p,POP_PRIORITY,
+        "(v%s) Ending request from \"%s\" at %s\n",VERSION,p.client,p.ipaddr);
+
+    /*  Stop logging */
+    closelog();
+
+    return(0);
+}
diff --git a/crypto/heimdal/appl/popper/popper.h b/crypto/heimdal/appl/popper/popper.h
new file mode 100644
index 0000000..22707da
--- /dev/null
+++ b/crypto/heimdal/appl/popper/popper.h
@@ -0,0 +1,347 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ *
+ * static char copyright[] = "Copyright (c) 1990 Regents of the University of California.\nAll rights reserved.\n";
+ * static char SccsId[] = "@(#)@(#)popper.h	2.2  2.2 4/2/91";
+ *
+ */
+
+/* $Id: popper.h,v 1.49 1999/08/12 11:37:55 joda Exp $ */
+
+/* 
+ *  Header file for the POP programs
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#define UIDL
+#define XOVER
+#define XDELE
+#define DEBUG
+#define RETURN_PATH_HANDLING
+#endif
+
+/* Common include files */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <ctype.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_IO_H
+#include <io.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include "version.h"
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+
+#ifdef KRB4
+#include <krb.h>
+#include <prot.h>
+#endif
+#ifdef KRB5
+#include <krb5.h>
+#endif
+
+#define MAXUSERNAMELEN  65
+#define MAXDROPLEN      64
+#define MAXLINELEN      1024
+#define MAXMSGLINELEN   1024
+#define MAXCMDLEN       4
+#define MAXPARMCOUNT    10
+#define MAXPARMLEN      10
+#define ALLOC_MSGS  20
+#define MAIL_COMMAND    "/usr/lib/sendmail"
+
+#define POP_FACILITY    LOG_LOCAL0
+#define POP_PRIORITY    LOG_NOTICE
+#define POP_DEBUG       LOG_DEBUG
+#define POP_INFO	LOG_INFO
+#define POP_LOGOPTS     0
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_MAILLOCK_H
+#include <maillock.h>
+#endif
+
+#ifdef OTP
+#include <otp.h>
+#endif
+
+#if defined(KRB4_MAILDIR)
+#define POP_MAILDIR	KRB4_MAILDIR
+#elif defined(_PATH_MAILDIR)
+#define POP_MAILDIR     _PATH_MAILDIR
+#elif defined(MAILDIR)
+#define POP_MAILDIR	MAILDIR
+#else
+#define POP_MAILDIR	"/usr/spool/mail"
+#endif
+
+#define POP_DROP        POP_MAILDIR "/.%s.pop"
+	/* POP_TMPSIZE needs to be big enough to hold the string
+	 * defined by POP_TMPDROP.  POP_DROP and POP_TMPDROP
+	 * must be in the same filesystem.
+	 */
+#define POP_TMPDROP     POP_MAILDIR "/tmpXXXXXX"
+#define POP_TMPSIZE	256
+#define POP_TMPXMIT     "/tmp/xmitXXXXXX"
+#define POP_OK          "+OK"
+#define POP_ERR         "-ERR"
+#define POP_SUCCESS     1
+#define POP_FAILURE     0
+#define POP_TERMINATE   '.'
+#define POP_TIMEOUT     120     /* timeout connection after this many secs */
+
+extern int              pop_timeout;
+
+extern int              hangup;
+
+#define AUTH_NONE 0
+#define AUTH_OTP  1
+
+#define pop_command         pop_parm[0]     /*  POP command is first token */
+#define pop_subcommand      pop_parm[1]     /*  POP XTND subcommand is the 
+                                                second token */
+
+typedef enum {                              /*  POP processing states */
+    auth1,                                  /*  Authorization: waiting for 
+                                                USER command */
+    auth2,                                  /*  Authorization: waiting for 
+                                                PASS command */
+    trans,                                  /*  Transaction */
+    update,                                 /*  Update:  session ended, 
+                                                process maildrop changes */
+    halt,                                   /*  (Halt):  stop processing 
+                                                and exit */
+    error                                   /*  (Error): something really 
+                                                bad happened */
+} state;
+
+
+#define DEL_FLAG	1
+#define RETR_FLAG	2
+#define NEW_FLAG	4
+
+typedef struct {                                /*  Message information */
+    int         number;                         /*  Message number relative to 
+                                                    the beginning of list */
+    long        length;                         /*  Length of message in 
+                                                    bytes */
+    int         lines;                          /*  Number of (null-terminated)                                                     lines in the message */
+    long        offset;                         /*  Offset from beginning of 
+                                                    file */
+    unsigned	flags;
+
+#if defined(UIDL) || defined(XOVER)
+    char        *msg_id;	                /*  The POP UIDL uniqueifier */
+#endif
+#ifdef XOVER
+    char	*subject;
+    char	*from;
+    char	*date;
+#endif
+    char	*name;
+} MsgInfoList;
+
+#define IS_MAILDIR(P) ((P)->temp_drop[0] == '\0')
+
+typedef struct  {                               /*  POP parameter block */
+    int                 debug;                  /*  Debugging requested */
+    char            *   myname;                 /*  The name of this POP 
+                                                    daemon program */
+    char                myhost[MaxHostNameLen]; /*  The name of our host 
+                                                    computer */
+    char		client[MaxHostNameLen];	/*  Canonical name of client 
+                                                    computer */
+    char                ipaddr[MaxHostNameLen];	/*  Dotted-notation format of 
+                                                    client IP address */
+    unsigned short      ipport;                 /*  Client port for privileged 
+                                                    operations */
+    char                user[MAXUSERNAMELEN];   /*  Name of the POP user */
+    state               CurrentState;           /*  The current POP operational                                                     state */
+    MsgInfoList     *   mlp;                    /*  Message information list */
+    int                 msg_count;              /*  Number of messages in 
+                                                    the maildrop */
+    int                 msgs_deleted;           /*  Number of messages flagged 
+                                                    for deletion */
+    int                 last_msg;               /*  Last message touched by 
+                                                    the user */
+    long                bytes_deleted;          /*  Number of maildrop bytes 
+                                                    flagged for deletion */
+    char                drop_name[MAXDROPLEN];  /*  The name of the user's 
+                                                    maildrop */
+    char                temp_drop[MAXDROPLEN];  /*  The name of the user's 
+                                                    temporary maildrop */
+    long                drop_size;              /*  Size of the maildrop in
+                                                    bytes */
+    FILE            *   drop;                   /*  (Temporary) mail drop */
+    FILE            *   input;                  /*  Input TCP/IP communication 
+                                                    stream */
+    FILE            *   output;                 /*  Output TCP/IP communication                                                     stream */
+    FILE            *   trace;                  /*  Debugging trace file */
+    char            *   pop_parm[MAXPARMCOUNT]; /*  Parse POP parameter list */
+    int                 parm_count;             /*  Number of parameters in 
+                                                    parsed list */
+    int			kerberosp;		/*  Using KPOP? */
+#ifdef KRB4
+    AUTH_DAT		kdata;
+#endif
+#ifdef KRB5
+    krb5_context	context;
+    krb5_principal	principal;              /*  principal auth as */
+    krb5_log_facility*  logf;
+#endif
+    int			version;                /*  4 or 5? */
+    int			auth_level;		/*  Dont allow cleartext */
+#ifdef OTP
+    OtpContext		otp_ctx;		/*  OTP context */
+#endif
+} POP;
+
+typedef struct {                                /*  State information for 
+                                                    each POP command */
+    state       ValidCurrentState;              /*  The operating state of 
+                                                    the command */
+    char   *    command;                        /*  The POP command */
+    int         min_parms;                      /*  Minimum number of parms 
+                                                    for the command */
+    int         max_parms;                      /*  Maximum number of parms 
+                                                    for the command */
+    int         (*function) ();                 /*  The function that process 
+                                                    the command */
+    state       result[2];                      /*  The resulting state after 
+                                                    command processing */
+#define success_state   result[0]               /*  State when a command 
+                                                    succeeds */
+} state_table;
+
+typedef struct {                                /*  Table of extensions */
+    char   *    subcommand;                     /*  The POP XTND subcommand */
+    int         min_parms;                      /*  Minimum number of parms for
+                                                    the subcommand */
+    int         max_parms;                      /*  Maximum number of parms for
+                                                    the subcommand */
+    int         (*function) ();                 /*  The function that processes 
+                                                    the subcommand */
+} xtnd_table;
+
+int pop_dele(POP *p);
+int pop_dropcopy(POP *p, struct passwd *pwp);
+int pop_dropinfo(POP *p);
+int pop_init(POP *p,int argcount,char **argmessage);
+int pop_last(POP *p);
+int pop_list(POP *p);
+int pop_parse(POP *p, char *buf);
+int pop_pass(POP *p);
+int pop_quit(POP *p);
+int pop_rset(POP *p);
+int pop_send(POP *p);
+int pop_stat(POP *p);
+int pop_updt(POP *p);
+int pop_user(POP *p);
+#ifdef UIDL
+int pop_uidl(POP *p);
+#endif
+#ifdef XOVER
+int pop_xover(POP *p);
+#endif
+#ifdef XDELE
+int pop_xdele(POP *p);
+#endif
+int pop_help(POP *p);
+state_table *pop_get_command(POP *p, char *mp);
+void pop_lower(char *buf);
+
+int pop_log(POP *p, int stat, char *format, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 3, 4)))
+#endif
+;
+
+int pop_msg(POP *p, int stat, char *format, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 3, 4)))
+#endif
+;
+
+int pop_maildir_info (POP*);
+int pop_maildir_open (POP*, MsgInfoList*);
+int pop_maildir_update (POP*);
+
+int changeuser(POP*, struct passwd*);
+void parse_header(MsgInfoList*, char*);
+int add_missing_headers(POP*, MsgInfoList*);
diff --git a/crypto/heimdal/appl/popper/version.h b/crypto/heimdal/appl/popper/version.h
new file mode 100644
index 0000000..1b5d135
--- /dev/null
+++ b/crypto/heimdal/appl/popper/version.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ *
+ * static char copyright[] = "Copyright (c) 1990 Regents of the University of California.\nAll rights reserved.\n";
+ * static char SccsId[] = "@(#)@(#)version.h	2.6  2.6 4/3/91";
+ *
+ */
+
+/* $Id: version.h,v 1.5 1997/08/08 22:50:13 assar Exp $ */
+
+/*
+ *  Current version of this POP implementation
+ */
+
+#if 0
+#define VERSION         krb4_version
+#endif
diff --git a/crypto/heimdal/appl/push/ChangeLog b/crypto/heimdal/appl/push/ChangeLog
new file mode 100644
index 0000000..96a4a70
--- /dev/null
+++ b/crypto/heimdal/appl/push/ChangeLog
@@ -0,0 +1,179 @@
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* push.c (main): handle krb5_init_context failure consistently
+
+2000-12-26  Assar Westerlund  <assar@sics.se>
+
+	* push.c: support several headers, from <mattiasa@e.kth.se> use
+	estrdup, emalloc, erealloc
+
+2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pfrom.1: work around bug in grog that makes it think it needs
+	mdoc.old
+
+	* push.8: work around bug in grog that makes it think it needs
+	mdoc.old
+
+2000-11-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* push.c: add space to usage
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* push.c (doit): check that fds are not too large to select on
+
+2000-03-04  Assar Westerlund  <assar@sics.se>
+
+	* add man-page for pfrom
+
+1999-12-28  Assar Westerlund  <assar@sics.se>
+
+	* push.c (main): call k_getportbyname with port number in
+ 	network-byte-order
+
+1999-12-14  Assar Westerlund  <assar@sics.se>
+
+	* push.c (do_connect): remove bogus local block variable
+
+1999-12-05  Assar Westerlund  <assar@sics.se>
+
+	* push.c (do_connect): use `getaddrinfo'
+	* push.c: add --count (print number of messages and bytes at
+	beginning)
+
+1999-11-13  Assar Westerlund  <assar@sics.se>
+
+	* push.c: make `-v' a arg_counter
+	
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* push.c (main): redo the v4/v5 selection for consistency.  -4 ->
+ 	try only v4 -5 -> try only v5 none, -45 -> try v5, v4
+
+1999-08-19  Assar Westerlund  <assar@sics.se>
+
+	* push.c (doit): remember to step over the error message when we
+ 	discover that XDELE is not supported
+
+1999-08-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* push.c: use XDELE
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* push.c (do_connect): v6-ify
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* push.c: get_default_username and the resulting const propagation
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* push.c (parse_pobox): try $USERNAME
+
+1999-05-11  Assar Westerlund  <assar@sics.se>
+
+	* push.c (do_v5): remove unused and non-working code
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* push.c (do_v5): call krb5_sendauth with ccache == NULL
+	
+Wed Apr  7 23:40:00 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: fix names of hesiod variables
+
+Wed Mar 24 04:37:04 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (pfrom): fix typo
+
+	* push.c (get_pobox): try to handle old and new hesiod APIs
+
+Mon Mar 22 22:19:40 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: hesoid -> hesiod
+
+Sun Mar 21 18:02:10 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: bindir -> libexecdir
+
+Sat Mar 20 00:12:26 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: LDADD: add missing backslash
+
+Thu Mar 18 15:28:35 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: clean pfrom
+
+	* Makefile.am: include Makefile.am.common
+
+Mon Mar 15 18:26:16 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* push.c: strncasecmp headers
+
+Mon Feb 15 22:22:09 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (pfrom): use libexecdir
+
+	* Makefile.am: build and install pfrom
+
+	* push.c (do_connect): init `s'
+	(pop_state): spell-check enums
+
+Tue Nov 24 23:20:54 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: build and install pfrom
+
+	* pfrom.in: bindir -> libexecdir
+
+Sun Nov 22 15:33:52 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* push.c: eliminate some warnings
+
+Sun Nov 22 10:34:54 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Thu Nov 19 01:17:33 1998  Assar Westerlund  <assar@sics.se>
+
+	* push_locl.h: add <hesiod.h>
+
+	* Makefile.am, Makefile.in: link and include hesiod
+
+	* push.c (get_pobox): new function. add hesiod support.
+
+1998-11-07  Assar Westerlund  <assar@sics.se>
+
+	* push.8: updated
+
+	* push.c: --from implementation from <lha@stacken.kth.se>
+
+Fri Jul 10 01:14:45 1998  Assar Westerlund  <assar@sics.se>
+
+	* push.c (net_{read,write}): remove
+
+Wed Jun 24 14:41:41 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* push.c: allow `po:user@host' mailbox syntax
+
+Tue Jun  2 17:35:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* push.c: quote '^From ' properly
+
+Mon May 25 05:22:47 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): PROGS -> PROGRAMS
+
+Sun Apr 26 11:42:13 1998  Assar Westerlund  <assar@sics.se>
+
+	* push.c (main): better default for v4 and v5
+
+	* push.c (main): init context correctly
+
+	* push.c: should work with krb4
+
+	* push_locl.h: krb4 compat
+
+	* Makefile.in: new file
+
diff --git a/crypto/heimdal/appl/push/Makefile.am b/crypto/heimdal/appl/push/Makefile.am
new file mode 100644
index 0000000..5999ec1
--- /dev/null
+++ b/crypto/heimdal/appl/push/Makefile.am
@@ -0,0 +1,27 @@
+# $Id: Makefile.am,v 1.17 2000/11/15 22:51:09 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) $(INCLUDE_hesiod)
+
+bin_SCRIPTS		= pfrom
+
+libexec_PROGRAMS	= push
+
+push_SOURCES = push.c push_locl.h
+
+pfrom: pfrom.in
+	sed -e "s!%libexecdir%!$(libexecdir)!" $(srcdir)/pfrom.in > $@
+	chmod +x $@
+
+man_MANS = push.8 pfrom.1
+
+CLEANFILES = pfrom
+
+EXTRA_DIST = pfrom.in $(man_MANS)
+
+LDADD = $(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(LIB_hesiod)
diff --git a/crypto/heimdal/appl/push/Makefile.in b/crypto/heimdal/appl/push/Makefile.in
new file mode 100644
index 0000000..5dd6d72
--- /dev/null
+++ b/crypto/heimdal/appl/push/Makefile.in
@@ -0,0 +1,695 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.17 2000/11/15 22:51:09 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_hesiod)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_SCRIPTS = pfrom
+
+libexec_PROGRAMS = push
+
+push_SOURCES = push.c push_locl.h
+
+man_MANS = push.8 pfrom.1
+
+CLEANFILES = pfrom
+
+EXTRA_DIST = pfrom.in $(man_MANS)
+
+LDADD = $(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(LIB_hesiod)
+
+subdir = appl/push
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+libexec_PROGRAMS =  push$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_push_OBJECTS =  push.$(OBJEXT)
+push_OBJECTS =  $(am_push_OBJECTS)
+push_LDADD = $(LDADD)
+@KRB5_FALSE@push_DEPENDENCIES = 
+@KRB5_TRUE@push_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+push_LDFLAGS = 
+SCRIPTS =  $(bin_SCRIPTS)
+
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(push_SOURCES)
+man1dir = $(mandir)/man1
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(push_SOURCES)
+OBJECTS = $(am_push_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/push/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+push$(EXEEXT): $(push_OBJECTS) $(push_DEPENDENCIES)
+	@rm -f push$(EXEEXT)
+	$(LINK) $(push_LDFLAGS) $(push_OBJECTS) $(push_LDADD) $(LIBS)
+
+install-binSCRIPTS: $(bin_SCRIPTS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  if test -f $$p; then \
+	    echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f; \
+	  elif test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binSCRIPTS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1 install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1 uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS install-binSCRIPTS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS uninstall-binSCRIPTS \
+		uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(bindir) \
+		$(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool uninstall-binSCRIPTS install-binSCRIPTS \
+install-man1 uninstall-man1 install-man8 uninstall-man8 install-man \
+uninstall-man tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+pfrom: pfrom.in
+	sed -e "s!%libexecdir%!$(libexecdir)!" $(srcdir)/pfrom.in > $@
+	chmod +x $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/push/pfrom.1 b/crypto/heimdal/appl/push/pfrom.1
new file mode 100644
index 0000000..89af229
--- /dev/null
+++ b/crypto/heimdal/appl/push/pfrom.1
@@ -0,0 +1,24 @@
+.\" $Id: pfrom.1,v 1.3 2001/05/02 08:59:21 assar Exp $
+.\"
+.Dd Mars 4, 2000
+.Dt PFROM 1
+.Os HEIMDAL
+.Sh NAME
+.Nm pfrom
+.Nd "fetch a list of the current mail via POP"
+.Sh SYNOPSIS
+.Nm
+.Op Fl 4 | Fl -krb4
+.Op Fl 5 | Fl -krb5
+.Op Fl v | Fl -verbose
+.Op Fl c | -count
+.Op Fl -header
+.Oo Fl p Ar port-spec  \*(Ba Xo
+.Fl -port= Ns Ar port-spec
+.Xc
+.Oc
+.Sh DESCRIPTION
+.Nm
+is a script that does push --from.
+.Sh SEE ALSO
+.Xr push 8
diff --git a/crypto/heimdal/appl/push/pfrom.cat1 b/crypto/heimdal/appl/push/pfrom.cat1
new file mode 100644
index 0000000..8abf68a
--- /dev/null
+++ b/crypto/heimdal/appl/push/pfrom.cat1
@@ -0,0 +1,17 @@
+
+PFROM(1)                     UNIX Reference Manual                    PFROM(1)
+
+NNAAMMEE
+     ppffrroomm - fetch a list of the current mail via POP
+
+SSYYNNOOPPSSIISS
+     ppffrroomm [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--cc | ----ccoouunntt]
+     [----hheeaaddeerr] [--pp _p_o_r_t_-_s_p_e_c | ----ppoorrtt==_p_o_r_t_-_s_p_e_c]
+
+DDEESSCCRRIIPPTTIIOONN
+     ppffrroomm is a script that does push --from.
+
+SSEEEE AALLSSOO
+     push(8)
+
+ HEIMDAL                         Mars 4, 2000                                1
diff --git a/crypto/heimdal/appl/push/pfrom.in b/crypto/heimdal/appl/push/pfrom.in
new file mode 100644
index 0000000..6adf4f0
--- /dev/null
+++ b/crypto/heimdal/appl/push/pfrom.in
@@ -0,0 +1,6 @@
+#!/bin/sh
+# $Id: pfrom.in,v 1.2 1998/11/24 13:25:47 assar Exp $
+libexecdir=%libexecdir%
+PATH=$libexecdir:$PATH
+export PATH
+push --from $*
diff --git a/crypto/heimdal/appl/push/push.8 b/crypto/heimdal/appl/push/push.8
new file mode 100644
index 0000000..3915fe5
--- /dev/null
+++ b/crypto/heimdal/appl/push/push.8
@@ -0,0 +1,138 @@
+.\" $Id: push.8,v 1.10 2001/05/15 12:14:24 assar Exp $
+.\"
+.Dd May 31, 1998
+.Dt PUSH 8
+.Os HEIMDAL
+.Sh NAME
+.Nm push
+.Nd fetch mail via POP
+.Sh SYNOPSIS
+.Nm
+.Op Fl 4 | Fl -krb4
+.Op Fl 5 | Fl -krb5
+.Op Fl v | Fl -verbose
+.Op Fl f | Fl -fork
+.Op Fl l | -leave
+.Op Fl -from
+.Op Fl c | -count
+.Op Fl -headers Ns = Ns Ar headers
+.Oo Fl p Ar port-spec  \*(Ba Xo
+.Fl -port Ns = Ns Ar port-spec
+.Xc
+.Oc
+.Ar po-box
+.Pa filename
+.Sh DESCRIPTION
+.Nm
+retrieves mail from the post office box
+.Ar po-box ,
+and stores the mail in mbox format in
+.Pa filename .
+The
+.Ar po-box
+can have any of the following formats:
+.Bl -hang -compact -offset indent
+.It Ql hostname:username
+.It Ql po:hostname:username
+.It Ql username@hostname
+.It Ql po:username@hostname
+.It Ql hostname
+.It Ql po:username
+.El
+.Pp
+If no username is specified,
+.Nm
+assumes that it's the same as on the local machine; 
+.Ar hostname
+defaults to the value of the
+.Ev MAILHOST
+environment variable.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl 4 Ns ,
+.Fl -krb4
+.Xc
+use Kerberos 4 (if compiled with support for Kerberos 4)
+.It Xo
+.Fl 5 Ns ,
+.Fl -krb5
+.Xc
+use Kerberos 5 (if compiled with support for Kerberos 5)
+.It Xo
+.Fl f Ns ,
+.Fl -fork
+.Xc
+fork before starting to delete messages
+.It Xo
+.Fl l Ns ,
+.Fl -leave
+.Xc
+don't delete fetched mail
+.It Xo
+.Fl -from
+.Xc
+behave like from.
+.It Xo
+.Fl c Ns ,
+.Fl -count
+.Xc
+first print how many messages and bytes there are.
+.It Xo
+.Fl -headers Ns = Ns Ar headers
+.Xc
+a list of comma-separated headers that should get printed.
+.It Xo
+.Fl p Ar port-spec Ns ,
+.Fl -port Ns = Ns Ar port-spec
+.Xc
+use this port instead of the default
+.Ql kpop 
+or
+.Ql 1109 .
+.El
+.Pp
+The default is to first try Kerberos 5 authentication and then, if
+that fails, Kerberos 4.
+.Sh ENVIRONMENT
+.Bl -tag -width Ds
+.It Ev MAILHOST
+points to the post office, if no other hostname is specified.
+.El
+.\".Sh FILES
+.Sh EXAMPLES
+.Bd -literal -offset indent
+$ push cornfield:roosta ~/.emacs-mail-crash-box
+.Ed
+.Pp
+tries to fetch mail for the user
+.Ar roosta
+from the post office at
+.Dq cornfield ,
+and stores the mail in
+.Pa ~/.emacs-mail-crash-box
+(you are using Gnus, aren't you?)
+.Bd -literal -offset indent
+$ push --from -5 havregryn
+.Ed
+.Pp
+tries to fetch 
+.Sy From: 
+lines for current user at post office
+.Dq havregryn
+using Kerberos 5.
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr movemail 8 ,
+.Xr popper 8 ,
+.Xr from 1 ,
+.Xr pfrom 1
+.\".Sh STANDARDS
+.Sh HISTORY
+.Nm
+was written while waiting for
+.Nm movemail
+to finish getting the mail.
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/appl/push/push.c b/crypto/heimdal/appl/push/push.c
new file mode 100644
index 0000000..eb4b814
--- /dev/null
+++ b/crypto/heimdal/appl/push/push.c
@@ -0,0 +1,814 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "push_locl.h"
+RCSID("$Id: push.c,v 1.44 2001/02/20 01:44:47 assar Exp $");
+
+#ifdef KRB4
+static int use_v4 = -1;
+#endif
+
+#ifdef KRB5
+static int use_v5 = -1;
+static krb5_context context;
+#endif
+
+static char *port_str;
+static int verbose_level;
+static int do_fork;
+static int do_leave;
+static int do_version;
+static int do_help;
+static int do_from;
+static int do_count;
+static char *header_str;
+
+struct getargs args[] = {
+#ifdef KRB4
+    { "krb4",	'4', arg_flag,		&use_v4,	"Use Kerberos V4",
+      NULL },
+#endif    
+#ifdef KRB5
+    { "krb5",	'5', arg_flag,		&use_v5,	"Use Kerberos V5",
+      NULL },
+#endif
+    { "verbose",'v', arg_counter,	&verbose_level,	"Verbose",
+      NULL },
+    { "fork",	'f', arg_flag,		&do_fork,	"Fork deleting proc",
+      NULL },
+    { "leave",	'l', arg_flag,		&do_leave,	"Leave mail on server",
+      NULL },
+    { "port",	'p', arg_string,	&port_str,	"Use this port",
+      "number-or-service" },
+    { "from",	 0,  arg_flag,		&do_from,	"Behave like from",
+      NULL },
+    { "headers", 0,  arg_string,	&header_str,	"Headers to print", NULL },
+    { "count", 'c',  arg_flag,		&do_count,	"Print number of messages", NULL},
+    { "version", 0,  arg_flag,		&do_version,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&do_help,	NULL,
+      NULL }
+
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "[[{po:username[@hostname] | hostname[:username]}] ...] "
+		    "filename");
+    exit (ret);
+}
+
+static int
+do_connect (const char *hostname, int port, int nodelay)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    int s = -1;
+    char portstr[NI_MAXSERV];
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error)
+	errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error));
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+ 	    close (s);
+ 	    continue;
+	}
+	break;
+    }
+    freeaddrinfo (ai);
+    if (a == NULL) {
+	warnx ("failed to contact %s", hostname);
+	return -1;
+    }
+
+    if(setsockopt(s, IPPROTO_TCP, TCP_NODELAY,
+		  (void *)&nodelay, sizeof(nodelay)) < 0)
+	err (1, "setsockopt TCP_NODELAY");
+    return s;
+}
+
+typedef enum { INIT = 0, GREET, USER, PASS, STAT, RETR, TOP, 
+	       DELE, XDELE, QUIT} pop_state;
+
+#define PUSH_BUFSIZ 65536
+
+#define STEP 16
+
+struct write_state {
+    struct iovec *iovecs;
+    size_t niovecs, maxiovecs, allociovecs;
+    int fd;
+};
+
+static void
+write_state_init (struct write_state *w, int fd)
+{
+#ifdef UIO_MAXIOV
+    w->maxiovecs = UIO_MAXIOV;
+#else
+    w->maxiovecs = 16;
+#endif
+    w->allociovecs = min(STEP, w->maxiovecs);
+    w->niovecs = 0;
+    w->iovecs = emalloc(w->allociovecs * sizeof(*w->iovecs));
+    w->fd = fd;
+}
+
+static void
+write_state_add (struct write_state *w, void *v, size_t len)
+{
+    if(w->niovecs == w->allociovecs) {				
+	if(w->niovecs == w->maxiovecs) {				
+	    if(writev (w->fd, w->iovecs, w->niovecs) < 0)		
+		err(1, "writev");				
+	    w->niovecs = 0;					
+	} else {						
+	    w->allociovecs = min(w->allociovecs + STEP, w->maxiovecs);	
+	    w->iovecs = erealloc (w->iovecs,				
+				  w->allociovecs * sizeof(*w->iovecs));	
+	}							
+    }								
+    w->iovecs[w->niovecs].iov_base = v;				
+    w->iovecs[w->niovecs].iov_len  = len;				
+    ++w->niovecs;							
+}
+
+static void
+write_state_flush (struct write_state *w)
+{
+    if (w->niovecs) {
+	if (writev (w->fd, w->iovecs, w->niovecs) < 0)
+	    err (1, "writev");
+	w->niovecs = 0;
+    }
+}
+
+static void
+write_state_destroy (struct write_state *w)
+{
+    free (w->iovecs);
+}
+
+static int
+doit(int s,
+     const char *host,
+     const char *user,
+     const char *outfilename,
+     const char *header_str,
+     int leavep,
+     int verbose,
+     int forkp)
+{
+    int ret;
+    char out_buf[PUSH_BUFSIZ];
+    size_t out_len = 0;
+    char in_buf[PUSH_BUFSIZ + 1];	/* sentinel */
+    size_t in_len = 0;
+    char *in_ptr = in_buf;
+    pop_state state = INIT;
+    unsigned count, bytes;
+    unsigned asked_for = 0, retrieved = 0, asked_deleted = 0, deleted = 0;
+    unsigned sent_xdele = 0;
+    int out_fd;
+    char from_line[128];
+    size_t from_line_length;
+    time_t now;
+    struct write_state write_state;
+    int numheaders = 1;
+    char **headers = NULL;
+    int i;
+    char *tmp = NULL;
+
+    if (do_from) {
+	char *tmp2;
+
+	tmp2 = tmp = estrdup(header_str);
+
+	out_fd = -1;
+	if (verbose)
+	    fprintf (stderr, "%s@%s\n", user, host);
+	while (*tmp != '\0') {
+	    tmp = strchr(tmp, ',');
+	    if (tmp == NULL)
+		break;
+	    tmp++;
+	    numheaders++;
+	}
+
+	headers = emalloc(sizeof(char *) * (numheaders + 1));
+	for (i = 0; i < numheaders; i++) {
+	    headers[i] = strtok_r(tmp2, ",", &tmp2);
+	}
+	headers[numheaders] = NULL;
+    } else {
+	out_fd = open(outfilename, O_WRONLY | O_APPEND | O_CREAT, 0666);
+	if (out_fd < 0)
+	    err (1, "open %s", outfilename);
+	if (verbose)
+	    fprintf (stderr, "%s@%s -> %s\n", user, host, outfilename);
+    }
+
+    now = time(NULL);
+    from_line_length = snprintf (from_line, sizeof(from_line),
+				 "From %s %s", "push", ctime(&now));
+
+    out_len = snprintf (out_buf, sizeof(out_buf),
+			"USER %s\r\nPASS hej\r\nSTAT\r\n",
+			user);
+    if (net_write (s, out_buf, out_len) != out_len)
+	err (1, "write");
+    if (verbose > 1)
+	write (STDERR_FILENO, out_buf, out_len);
+
+    if (!do_from)
+	write_state_init (&write_state, out_fd);
+
+    while(state != QUIT) {
+	fd_set readset, writeset;
+
+	FD_ZERO(&readset);
+	FD_ZERO(&writeset);
+	if (s >= FD_SETSIZE)
+	    errx (1, "fd too large");
+	FD_SET(s,&readset);
+	if (((state == STAT || state == RETR || state == TOP)
+	     && asked_for < count)
+	    || (state == XDELE && !sent_xdele)
+	    || (state == DELE && asked_deleted < count))
+	    FD_SET(s,&writeset);
+	ret = select (s + 1, &readset, &writeset, NULL, NULL);
+	if (ret < 0) {
+	    if (errno == EAGAIN)
+		continue;
+	    else
+		err (1, "select");
+	}
+	
+	if (FD_ISSET(s, &readset)) {
+	    char *beg, *p;
+	    size_t rem;
+	    int blank_line = 0;
+	    
+	    ret = read (s, in_ptr, sizeof(in_buf) - in_len - 1);
+	    if (ret < 0)
+		err (1, "read");
+	    else if (ret == 0)
+		errx (1, "EOF during read");
+	    
+	    in_len += ret;
+	    in_ptr += ret;
+	    *in_ptr = '\0';
+	    
+	    beg = in_buf;
+	    rem = in_len;
+	    while(rem > 1
+		  && (p = strstr(beg, "\r\n")) != NULL) {
+		if (state == TOP) {
+		    char *copy = beg;
+
+		    for (i = 0; i < numheaders; i++) {
+			size_t len;
+
+			len = min(p - copy + 1, strlen(headers[i]));
+			if (strncasecmp(copy, headers[i], len) == 0) {
+			    fprintf (stdout, "%.*s\n", (int)(p - copy), copy);
+			}
+		    }
+		    if (beg[0] == '.' && beg[1] == '\r' && beg[2] == '\n') {
+			if (numheaders > 1)
+			    fprintf (stdout, "\n");
+			state = STAT;
+			if (++retrieved == count) {
+			    state = QUIT;
+			    net_write (s, "QUIT\r\n", 6);
+			    if (verbose > 1)
+				net_write (STDERR_FILENO, "QUIT\r\n", 6);
+			}
+		    }
+		    rem -= p - beg + 2;
+		    beg = p + 2;
+		} else if (state == RETR) {
+		    char *copy = beg;
+		    if (beg[0] == '.') {
+			if (beg[1] == '\r' && beg[2] == '\n') {
+			    if(!blank_line)
+				write_state_add(&write_state, "\n", 1);
+			    state = STAT;
+			    rem -= p - beg + 2;
+			    beg = p + 2;
+			    if (++retrieved == count) {
+				write_state_flush (&write_state);
+				if (fsync (out_fd) < 0)
+				    err (1, "fsync");
+				close(out_fd);
+				if (leavep) {
+				    state = QUIT;
+				    net_write (s, "QUIT\r\n", 6);
+				    if (verbose > 1)
+					net_write (STDERR_FILENO, "QUIT\r\n", 6);
+				} else {
+				    if (forkp) {
+					pid_t pid;
+
+					pid = fork();
+					if (pid < 0)
+					    warn ("fork");
+					else if(pid != 0) {
+					    if(verbose)
+						fprintf (stderr,
+							 "(exiting)");
+					    return 0;
+					}
+				    }
+
+				    state = XDELE;
+				    if (verbose)
+					fprintf (stderr, "deleting... ");
+				}
+			    }
+			    continue;
+			} else
+			    ++copy;
+		    }
+		    *p = '\n';
+		    if(blank_line && 
+		       strncmp(copy, "From ", min(p - copy + 1, 5)) == 0)
+			write_state_add(&write_state, ">", 1);
+		    write_state_add(&write_state, copy, p - copy + 1);
+		    blank_line = (*copy == '\n');
+		    rem -= p - beg + 2;
+		    beg = p + 2;
+		} else if (rem >= 3 && strncmp (beg, "+OK", 3) == 0) {
+		    if (state == STAT) {
+			if (!do_from)
+			    write_state_add(&write_state,
+					    from_line, from_line_length);
+			blank_line = 0;
+			if (do_from) 
+			    state = TOP;
+			else
+			    state = RETR;
+		    } else if (state == XDELE) {
+			state = QUIT;
+			net_write (s, "QUIT\r\n", 6);
+			if (verbose > 1)
+			    net_write (STDERR_FILENO, "QUIT\r\n", 6);
+			break;
+		    } else if (state == DELE) {
+			if (++deleted == count) {
+			    state = QUIT;
+			    net_write (s, "QUIT\r\n", 6);
+			    if (verbose > 1)
+				net_write (STDERR_FILENO, "QUIT\r\n", 6);
+			    break;
+			}
+		    } else if (++state == STAT) {
+			if(sscanf (beg + 4, "%u %u", &count, &bytes) != 2)
+			    errx(1, "Bad STAT-line: %.*s", (int)(p - beg), beg);
+			if (verbose) {
+			    fprintf (stderr, "%u message(s) (%u bytes). "
+				     "fetching... ",
+				     count, bytes);
+			    if (do_from)
+				fprintf (stderr, "\n");
+			} else if (do_count) {
+			    fprintf (stderr, "%u message(s) (%u bytes).\n",
+				     count, bytes);
+			}
+			if (count == 0) {
+			    state = QUIT;
+			    net_write (s, "QUIT\r\n", 6);
+			    if (verbose > 1)
+				net_write (STDERR_FILENO, "QUIT\r\n", 6);
+			    break;
+			}
+		    }
+
+		    rem -= p - beg + 2;
+		    beg = p + 2;
+		} else {
+		    if(state == XDELE) {
+			state = DELE;
+			rem -= p - beg + 2;
+			beg = p + 2;
+		    } else
+			errx (1, "Bad response: %.*s", (int)(p - beg), beg);
+		}
+	    }
+	    if (!do_from)
+		write_state_flush (&write_state);
+
+	    memmove (in_buf, beg, rem);
+	    in_len = rem;
+	    in_ptr = in_buf + rem;
+	}
+	if (FD_ISSET(s, &writeset)) {
+	    if ((state == STAT && !do_from) || state == RETR)
+		out_len = snprintf (out_buf, sizeof(out_buf),
+				    "RETR %u\r\n", ++asked_for);
+	    else if ((state == STAT && do_from) || state == TOP)
+		out_len = snprintf (out_buf, sizeof(out_buf),
+				    "TOP %u 0\r\n", ++asked_for);
+	    else if(state == XDELE) {
+		out_len = snprintf(out_buf, sizeof(out_buf),
+				   "XDELE %u %u\r\n", 1, count);
+		sent_xdele++;
+	    }
+	    else if(state == DELE)
+		out_len = snprintf (out_buf, sizeof(out_buf),
+				    "DELE %u\r\n", ++asked_deleted);
+	    if (net_write (s, out_buf, out_len) != out_len)
+		err (1, "write");
+	    if (verbose > 1)
+		write (STDERR_FILENO, out_buf, out_len);
+	}
+    }
+    if (verbose)
+	fprintf (stderr, "Done\n");
+    if (do_from) {
+	free (tmp);
+	free (headers);
+    } else {
+	write_state_destroy (&write_state);
+    }
+    return 0;
+}
+
+#ifdef KRB5
+static int
+do_v5 (const char *host,
+       int port,
+       const char *user,
+       const char *filename,
+       const char *header_str,
+       int leavep,
+       int verbose,
+       int forkp)
+{
+    krb5_error_code ret;
+    krb5_auth_context auth_context = NULL;
+    krb5_principal server;
+    int s;
+
+    s = do_connect (host, port, 1);
+    if (s < 0)
+	return 1;
+
+    ret = krb5_sname_to_principal (context,
+				   host,
+				   "pop",
+				   KRB5_NT_SRV_HST,
+				   &server);
+    if (ret) {
+	warnx ("krb5_sname_to_principal: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+
+    ret = krb5_sendauth (context,
+			 &auth_context,
+			 &s,
+			 "KPOPV1.0",
+			 NULL,
+			 server,
+			 0,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL);
+    krb5_free_principal (context, server);
+    if (ret) {
+	warnx ("krb5_sendauth: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+    return doit (s, host, user, filename, header_str, leavep, verbose, forkp);
+}
+#endif
+
+#ifdef KRB4
+static int
+do_v4 (const char *host,
+       int port,
+       const char *user,
+       const char *filename,
+       const char *header_str,
+       int leavep,
+       int verbose,
+       int forkp)
+{
+    KTEXT_ST ticket;
+    MSG_DAT msg_data;
+    CREDENTIALS cred;
+    des_key_schedule sched;
+    int s;
+    int ret;
+
+    s = do_connect (host, port, 1);
+    if (s < 0)
+	return 1;
+    ret = krb_sendauth(0,
+		       s,
+		       &ticket, 
+		       "pop",
+		       (char *)host,
+		       krb_realmofhost(host),
+		       getpid(),
+		       &msg_data,
+		       &cred,
+		       sched,
+		       NULL,
+		       NULL,
+		       "KPOPV0.1");
+    if(ret) {
+	warnx("krb_sendauth: %s", krb_get_err_text(ret));
+	return 1;
+    }
+    return doit (s, host, user, filename, header_str, leavep, verbose, forkp);
+}
+#endif /* KRB4 */
+
+#ifdef HESIOD
+
+#ifdef HESIOD_INTERFACES
+
+static char *
+hesiod_get_pobox (const char **user)
+{
+    void *context;
+    struct hesiod_postoffice *hpo;
+    char *ret = NULL;
+
+    if(hesiod_init (&context) != 0)
+	err (1, "hesiod_init");
+
+    hpo = hesiod_getmailhost (context, *user);
+    if (hpo == NULL) {
+	warn ("hesiod_getmailhost %s", *user);
+    } else {
+	if (strcasecmp(hpo->hesiod_po_type, "pop") != 0)
+	    errx (1, "Unsupported po type %s", hpo->hesiod_po_type);
+
+	ret = estrdup(hpo->hesiod_po_host);
+	*user = estrdup(hpo->hesiod_po_name);
+	hesiod_free_postoffice (context, hpo);
+    }
+    hesiod_end (context);
+    return ret;
+}
+
+#else /* !HESIOD_INTERFACES */
+
+static char *
+hesiod_get_pobox (const char **user)
+{
+    char *ret = NULL;
+    struct hes_postoffice *hpo;
+
+    hpo = hes_getmailhost (*user);
+    if (hpo == NULL) {
+	warn ("hes_getmailhost %s", *user);
+    } else {
+	if (strcasecmp(hpo->po_type, "pop") != 0)
+	    errx (1, "Unsupported po type %s", hpo->po_type);
+
+	ret = estrdup(hpo->po_host);
+	*user = estrdup(hpo->po_name);
+    }
+    return ret;
+}
+
+#endif /* HESIOD_INTERFACES */
+
+#endif /* HESIOD */
+
+static char *
+get_pobox (const char **user)
+{
+    char *ret = NULL;
+
+#ifdef HESIOD
+    ret = hesiod_get_pobox (user);
+#endif
+
+    if (ret == NULL)
+	ret = getenv("MAILHOST");
+    if (ret == NULL)
+	errx (1, "MAILHOST not set");
+    return ret;
+}
+
+static void
+parse_pobox (char *a0, const char **host, const char **user)
+{
+    const char *h, *u;
+    char *p;
+    int po = 0;
+
+    if (a0 == NULL) {
+
+	*user = getenv ("USERNAME");
+	if (*user == NULL) {
+	    struct passwd *pwd = getpwuid (getuid ());
+
+	    if (pwd == NULL)
+		errx (1, "Who are you?");
+	    *user = estrdup (pwd->pw_name);
+	}
+	*host = get_pobox (user);
+	return;
+    }
+
+    /* if the specification starts with po:, remember this information */
+    if(strncmp(a0, "po:", 3) == 0) {
+	a0 += 3;
+	po++;
+    }
+    /* if there is an `@', the hostname is after it, otherwise at the
+       beginning of the string */
+    p = strchr(a0, '@');
+    if(p != NULL) {
+	*p++ = '\0';
+	h = p;
+    } else {
+	h = a0;
+    }
+    /* if there is a `:', the username comes before it, otherwise at
+       the beginning of the string */
+    p = strchr(a0, ':');
+    if(p != NULL) {
+	*p++ = '\0';
+	u = p;
+    } else {
+	u = a0;
+    }
+    if(h == u) {
+	/* some inconsistent compatibility with various mailers */
+	if(po) {
+	    h = get_pobox (&u);
+	} else {
+	    u = get_default_username ();
+	    if (u == NULL)
+		errx (1, "Who are you?");
+	}
+    }
+    *host = h;
+    *user = u;
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = 0;
+    int optind = 0;
+    int ret = 1;
+    const char *host, *user, *filename = NULL;
+    char *pobox = NULL;
+
+    setprogname (argv[0]);
+
+#ifdef KRB5
+    {
+	krb5_error_code ret;
+
+	ret = krb5_init_context (&context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+    }
+#endif
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    argc -= optind;
+    argv += optind;
+
+#if defined(KRB4) && defined(KRB5)
+    if(use_v4 == -1 && use_v5 == 1)
+	use_v4 = 0;
+    if(use_v5 == -1 && use_v4 == 1)
+	use_v5 = 0;
+#endif    
+
+    if (do_help)
+	usage (0);
+
+    if (do_version) {
+	print_version(NULL);
+	return 0;
+    }
+	
+    if (do_from && header_str == NULL)
+	header_str = "From:";
+    else if (header_str != NULL)
+	do_from = 1;
+
+    if (do_from) {
+	if (argc == 0)
+	    pobox = NULL;
+	else if (argc == 1)
+	    pobox = argv[0];
+	else
+	    usage (1);
+    } else {
+	if (argc == 1) {
+	    filename = argv[0];
+	    pobox    = NULL;
+	} else if (argc == 2) {
+	    filename = argv[1];
+	    pobox    = argv[0];
+	} else
+	    usage (1);
+    }
+
+    if (port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+    if (port == 0) {
+#ifdef KRB5
+	port = krb5_getportbyname (context, "kpop", "tcp", 1109);
+#elif defined(KRB4)
+	port = k_getportbyname ("kpop", "tcp", htons(1109));
+#else
+#error must define KRB4 or KRB5
+#endif
+    }
+
+    parse_pobox (pobox, &host, &user);
+
+#ifdef KRB5
+    if (ret && use_v5) {
+	ret = do_v5 (host, port, user, filename, header_str,
+		     do_leave, verbose_level, do_fork);
+    }
+#endif
+
+#ifdef KRB4
+    if (ret && use_v4) {
+	ret = do_v4 (host, port, user, filename, header_str,
+		     do_leave, verbose_level, do_fork);
+    }
+#endif /* KRB4 */
+    return ret;
+}
diff --git a/crypto/heimdal/appl/push/push.cat8 b/crypto/heimdal/appl/push/push.cat8
new file mode 100644
index 0000000..dff390e
--- /dev/null
+++ b/crypto/heimdal/appl/push/push.cat8
@@ -0,0 +1,77 @@
+
+PUSH(8)                  UNIX System Manager's Manual                  PUSH(8)
+
+NNAAMMEE
+     ppuusshh - fetch mail via POP
+
+SSYYNNOOPPSSIISS
+     ppuusshh [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--ff | ----ffoorrkk] [--ll |
+     ----lleeaavvee] [----ffrroomm] [--cc | ----ccoouunntt] [----hheeaaddeerrss=_h_e_a_d_e_r_s] [--pp _p_o_r_t_-_s_p_e_c |
+     ----ppoorrtt=_p_o_r_t_-_s_p_e_c] _p_o_-_b_o_x _f_i_l_e_n_a_m_e
+
+DDEESSCCRRIIPPTTIIOONN
+     ppuusshh retrieves mail from the post office box _p_o_-_b_o_x, and stores the mail
+     in mbox format in _f_i_l_e_n_a_m_e. The _p_o_-_b_o_x can have any of the following for-
+     mats:
+           `hostname:username'
+           `po:hostname:username'
+           `username@hostname'
+           `po:username@hostname'
+           `hostname'
+           `po:username'
+
+     If no username is specified, ppuusshh assumes that it's the same as on the
+     local machine; _h_o_s_t_n_a_m_e defaults to the value of the MAILHOST environment
+     variable.
+
+     Supported options:
+
+     --44, ----kkrrbb44
+             use Kerberos 4 (if compiled with support for Kerberos 4)
+
+     --55, ----kkrrbb55
+             use Kerberos 5 (if compiled with support for Kerberos 5)
+
+     --ff, ----ffoorrkk
+             fork before starting to delete messages
+
+     --ll, ----lleeaavvee
+             don't delete fetched mail
+
+     ----ffrroomm  behave like from.
+
+     --cc, ----ccoouunntt
+             first print how many messages and bytes there are.
+
+     ----hheeaaddeerrss=_h_e_a_d_e_r_s
+             a list of comma-separated headers that should get printed.
+
+     --pp _p_o_r_t_-_s_p_e_c, ----ppoorrtt=_p_o_r_t_-_s_p_e_c
+             use this port instead of the default `kpop' or `1109'.
+
+     The default is to first try Kerberos 5 authentication and then, if that
+     fails, Kerberos 4.
+
+EENNVVIIRROONNMMEENNTT
+     MAILHOST
+             points to the post office, if no other hostname is specified.
+
+EEXXAAMMPPLLEESS
+           $ push cornfield:roosta ~/.emacs-mail-crash-box
+
+     tries to fetch mail for the user _r_o_o_s_t_a from the post office at
+     ``cornfield'', and stores the mail in _~_/_._e_m_a_c_s_-_m_a_i_l_-_c_r_a_s_h_-_b_o_x (you are
+     using Gnus, aren't you?)
+
+           $ push --from -5 havregryn
+
+     tries to fetch FFrroomm:: lines for current user at post office ``havregryn''
+     using Kerberos 5.
+
+SSEEEE AALLSSOO
+     movemail(8),  popper(8),  from(1),  pfrom(1)
+
+HHIISSTTOORRYY
+     ppuusshh was written while waiting for mmoovveemmaaiill to finish getting the mail.
+
+ HEIMDAL                         May 31, 1998                                2
diff --git a/crypto/heimdal/appl/push/push_locl.h b/crypto/heimdal/appl/push/push_locl.h
new file mode 100644
index 0000000..1e5ca78
--- /dev/null
+++ b/crypto/heimdal/appl/push/push_locl.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: push_locl.h,v 1.6 1999/12/02 16:58:33 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
+#include <ctype.h>
+#include <limits.h>
+#include <time.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HESIOD
+#include <hesiod.h>
+#endif
+
+#include <roken.h>
+#include <err.h>
+#include <getarg.h>
+#ifdef KRB5
+#include <krb5.h>
+#endif
+
+#ifdef KRB4
+#include <krb.h>
+#endif
diff --git a/crypto/heimdal/appl/rcp/ChangeLog b/crypto/heimdal/appl/rcp/ChangeLog
new file mode 100644
index 0000000..e8a4f05
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/ChangeLog
@@ -0,0 +1,40 @@
+2001-04-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rcp.c: convert to use getarg
+
+	* rcp.c: do a better job of supporting files larger than 2GB
+
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* rcp.c: add -F for forwarding ticket, from Ake Sandgren
+	<ake@cs.umu.se>
+
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* util.c (roundup): add fallback definition
+
+	* rcp.c: remove non-STDC code
+	* rcp_locl.h: add sys/types.h and sys/wait.h
+
+	* rcp.c: no calls to err with NULL
+
+2001-01-28  Assar Westerlund  <assar@sics.se>
+
+	* rcp_locl.h: add
+
+	* Makefile.am (LDADD): remove unused libraries
+
+2001-01-27  Assar Westerlund  <assar@sics.se>
+
+	* util.c: replace vfork by fork
+
+	* rcp.c: add RCSID S_ISTXT -> S_ISVTX printf sizes of files with
+ 	%lu instead of %q (which is not portable)
+
+	* util.c: add RCSID do not use sig_t
+	* rcp.c: remove __P, use st_mtime et al from struct stat
+	* extern.h: remove __P
+
+	* initial import of port of bsd rcp changed to use existing rsh,
+	contributed by Richard Nyberg <rnyberg@it.su.se>
+
diff --git a/crypto/heimdal/appl/rcp/Makefile.am b/crypto/heimdal/appl/rcp/Makefile.am
new file mode 100644
index 0000000..4ecf7a6
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/Makefile.am
@@ -0,0 +1,11 @@
+# $Id: Makefile.am,v 1.2 2001/01/28 22:50:35 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = rcp
+
+rcp_SOURCES  = rcp.c util.c
+
+LDADD = $(LIB_roken)
diff --git a/crypto/heimdal/appl/rcp/Makefile.in b/crypto/heimdal/appl/rcp/Makefile.in
new file mode 100644
index 0000000..0f76540
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/Makefile.in
@@ -0,0 +1,567 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.2 2001/01/28 22:50:35 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = rcp
+
+rcp_SOURCES = rcp.c util.c
+
+LDADD = $(LIB_roken)
+subdir = appl/rcp
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  rcp$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_rcp_OBJECTS =  rcp.$(OBJEXT) util.$(OBJEXT)
+rcp_OBJECTS =  $(am_rcp_OBJECTS)
+rcp_LDADD = $(LDADD)
+rcp_DEPENDENCIES = 
+rcp_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(rcp_SOURCES)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(rcp_SOURCES)
+OBJECTS = $(am_rcp_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/rcp/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+rcp$(EXEEXT): $(rcp_OBJECTS) $(rcp_DEPENDENCIES)
+	@rm -f rcp$(EXEEXT)
+	$(LINK) $(rcp_LDFLAGS) $(rcp_OBJECTS) $(rcp_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/rcp/extern.h b/crypto/heimdal/appl/rcp/extern.h
new file mode 100644
index 0000000..a98456d
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/extern.h
@@ -0,0 +1,51 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)extern.h	8.1 (Berkeley) 5/31/93
+ * $FreeBSD$
+ */
+
+typedef struct {
+	int cnt;
+	char *buf;
+} BUF;
+
+extern int iamremote;
+
+BUF	*allocbuf (BUF *, int, int);
+char	*colon (char *);
+void	 lostconn (int);
+void	 nospace (void);
+int	 okname (char *);
+void	 run_err (const char *, ...);
+int	 susystem (char *, int);
+void	 verifydir (char *);
diff --git a/crypto/heimdal/appl/rcp/rcp.c b/crypto/heimdal/appl/rcp/rcp.c
new file mode 100644
index 0000000..d4a062d
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/rcp.c
@@ -0,0 +1,802 @@
+/*
+ * Copyright (c) 1983, 1990, 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "rcp_locl.h"
+#include <getarg.h>
+
+#define RSH_PROGRAM "rsh"
+
+struct  passwd *pwd;
+uid_t	userid;
+int     errs, remin, remout;
+int     pflag, iamremote, iamrecursive, targetshouldbedirectory;
+int     doencrypt, noencrypt;
+int     usebroken, usekrb5, forwardtkt;
+char    *port;
+
+#define	CMDNEEDS	64
+char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
+
+int	 response (void);
+void	 rsource (char *, struct stat *);
+void	 sink (int, char *[]);
+void	 source (int, char *[]);
+void	 tolocal (int, char *[]);
+void	 toremote (char *, int, char *[]);
+
+int      do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout);
+
+static int fflag, tflag;
+
+static int version_flag, help_flag;
+
+struct getargs args[] = {
+    { NULL,	'5', arg_flag,		&usekrb5,	"use Kerberos 5 authentication" },
+    { NULL,	'F', arg_flag,		&forwardtkt,	"forward credentials" },
+    { NULL,	'K', arg_flag,		&usebroken,	"use BSD authentication" },
+    { NULL,	'P', arg_string,	&port,		"non-default port", "port" },
+    { NULL,	'p', arg_flag,		&pflag,	"preserve file permissions" },
+    { NULL,	'r', arg_flag,		&iamrecursive,	"recursive mode" },
+    { NULL,	'x', arg_flag,		&doencrypt,	"use encryption" },
+    { NULL,	'z', arg_flag,		&noencrypt,	"don't encrypt" },
+    { NULL,	'd', arg_flag,		&targetshouldbedirectory },
+    { NULL,	'f', arg_flag,		&fflag },
+    { NULL,	't', arg_flag,		&tflag },
+    { "version", 0,  arg_flag,		&version_flag },
+    { "help",	 0,  arg_flag,		&help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "file1 file2|file... directory");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+	char *targ;
+	int optind = 0;
+
+	if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		    &optind))
+	    usage (1);
+	if(help_flag)
+	    usage(0);
+	if (version_flag) {
+	    print_version (NULL);
+	    return 0;
+	}
+	    
+	iamremote = (fflag || tflag);
+
+	argc -= optind;
+	argv += optind;
+
+	if ((pwd = getpwuid(userid = getuid())) == NULL)
+		errx(1, "unknown user %d", (int)userid);
+
+	remin = STDIN_FILENO;		/* XXX */
+	remout = STDOUT_FILENO;
+
+	if (fflag) {			/* Follow "protocol", send data. */
+		response();
+		setuid(userid);
+		source(argc, argv);
+		exit(errs);
+	}
+
+	if (tflag) {			/* Receive data. */
+		setuid(userid);
+		sink(argc, argv);
+		exit(errs);
+	}
+
+	if (argc < 2)
+	    usage(1);
+	if (argc > 2)
+		targetshouldbedirectory = 1;
+
+	remin = remout = -1;
+	/* Command to be executed on remote system using "rsh". */
+	 sprintf(cmd, "rcp%s%s%s", iamrecursive ? " -r" : "", 
+		       pflag ? " -p" : "", targetshouldbedirectory ? " -d" : "");
+
+	signal(SIGPIPE, lostconn);
+
+	if ((targ = colon(argv[argc - 1])))	/* Dest is remote host. */
+		toremote(targ, argc, argv);
+	else {
+		tolocal(argc, argv);		/* Dest is local host. */
+		if (targetshouldbedirectory)
+			verifydir(argv[argc - 1]);
+	}
+	exit(errs);
+}
+
+void
+toremote(char *targ, int argc, char **argv)
+{
+	int i, len;
+	char *bp, *host, *src, *suser, *thost, *tuser;
+
+	*targ++ = 0;
+	if (*targ == 0)
+		targ = ".";
+
+	if ((thost = strchr(argv[argc - 1], '@'))) {
+		/* user@host */
+		*thost++ = 0;
+		tuser = argv[argc - 1];
+		if (*tuser == '\0')
+			tuser = NULL;
+		else if (!okname(tuser))
+			exit(1);
+	} else {
+		thost = argv[argc - 1];
+		tuser = NULL;
+	}
+
+	for (i = 0; i < argc - 1; i++) {
+		src = colon(argv[i]);
+		if (src) {			/* remote to remote */
+			*src++ = 0;
+			if (*src == 0)
+				src = ".";
+			host = strchr(argv[i], '@');
+			len = strlen(_PATH_RSH) + strlen(argv[i]) +
+			    strlen(src) + (tuser ? strlen(tuser) : 0) +
+			    strlen(thost) + strlen(targ) + CMDNEEDS + 20;
+			if (!(bp = malloc(len)))
+				err(1, "malloc");
+			if (host) {
+				*host++ = 0;
+				suser = argv[i];
+				if (*suser == '\0')
+					suser = pwd->pw_name;
+				else if (!okname(suser))
+					continue;
+				snprintf(bp, len,
+				    "%s %s -l %s -n %s %s '%s%s%s:%s'",
+				    _PATH_RSH, host, suser, cmd, src,
+				    tuser ? tuser : "", tuser ? "@" : "",
+				    thost, targ);
+			} else
+				snprintf(bp, len,
+				    "exec %s %s -n %s %s '%s%s%s:%s'",
+				    _PATH_RSH, argv[i], cmd, src,
+				    tuser ? tuser : "", tuser ? "@" : "",
+				    thost, targ);
+			susystem(bp, userid);
+			free(bp);
+		} else {			/* local to remote */
+			if (remin == -1) {
+				len = strlen(targ) + CMDNEEDS + 20;
+				if (!(bp = malloc(len)))
+					err(1, "malloc");
+				snprintf(bp, len, "%s -t %s", cmd, targ);
+				host = thost;
+
+				if (do_cmd(host, tuser, bp, &remin, &remout) < 0)
+					exit(1);
+
+				if (response() < 0)
+					exit(1);
+				free(bp);
+				setuid(userid);
+			}
+			source(1, argv+i);
+		}
+	}
+}
+
+void
+tolocal(int argc, char **argv)
+{
+	int i, len;
+	char *bp, *host, *src, *suser;
+
+	for (i = 0; i < argc - 1; i++) {
+		if (!(src = colon(argv[i]))) {		/* Local to local. */
+			len = strlen(_PATH_CP) + strlen(argv[i]) +
+			    strlen(argv[argc - 1]) + 20;
+			if (!(bp = malloc(len)))
+				err(1, "malloc");
+			snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP,
+			    iamrecursive ? " -PR" : "", pflag ? " -p" : "",
+			    argv[i], argv[argc - 1]);
+			if (susystem(bp, userid))
+				++errs;
+			free(bp);
+			continue;
+		}
+		*src++ = 0;
+		if (*src == 0)
+			src = ".";
+		if ((host = strchr(argv[i], '@')) == NULL) {
+			host = argv[i];
+			suser = pwd->pw_name;
+		} else {
+			*host++ = 0;
+			suser = argv[i];
+			if (*suser == '\0')
+				suser = pwd->pw_name;
+			else if (!okname(suser))
+				continue;
+		}
+		len = strlen(src) + CMDNEEDS + 20;
+		if ((bp = malloc(len)) == NULL)
+			err(1, "malloc");
+		snprintf(bp, len, "%s -f %s", cmd, src);
+		if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
+			free(bp);
+			++errs;
+			continue;
+		}
+		free(bp);
+		sink(1, argv + argc - 1);
+		seteuid(0);
+		close(remin);
+		remin = remout = -1;
+	}
+}
+
+static char *
+sizestr(off_t size)
+{
+    static char ss[32];
+    char *p;
+    ss[sizeof(ss) - 1] = '\0';
+    for(p = ss + sizeof(ss) - 2; p >= ss; p--) {
+	*p = '0' + size % 10;
+	size /= 10;
+	if(size == 0)
+	    break;
+    }
+    return ss;
+}
+		    
+
+void
+source(int argc, char **argv)
+{
+	struct stat stb;
+	static BUF buffer;
+	BUF *bp;
+	off_t i;
+	int amt, fd, haderr, indx, result;
+	char *last, *name, buf[BUFSIZ];
+
+	for (indx = 0; indx < argc; ++indx) {
+                name = argv[indx];
+		if ((fd = open(name, O_RDONLY, 0)) < 0)
+			goto syserr;
+		if (fstat(fd, &stb)) {
+syserr:			run_err("%s: %s", name, strerror(errno));
+			goto next;
+		}
+		switch (stb.st_mode & S_IFMT) {
+		case S_IFREG:
+			break;
+		case S_IFDIR:
+			if (iamrecursive) {
+				rsource(name, &stb);
+				goto next;
+			}
+			/* FALLTHROUGH */
+		default:
+			run_err("%s: not a regular file", name);
+			goto next;
+		}
+		if ((last = strrchr(name, '/')) == NULL)
+			last = name;
+		else
+			++last;
+		if (pflag) {
+			/*
+			 * Make it compatible with possible future
+			 * versions expecting microseconds.
+			 */
+			snprintf(buf, sizeof(buf), "T%ld 0 %ld 0\n",
+			    (long)stb.st_mtime,
+			    (long)stb.st_atime);
+			write(remout, buf, strlen(buf));
+			if (response() < 0)
+				goto next;
+		}
+#define	MODEMASK	(S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)
+		snprintf(buf, sizeof(buf), "C%04o %s %s\n",
+			 stb.st_mode & MODEMASK, sizestr(stb.st_size), last);
+		write(remout, buf, strlen(buf));
+		if (response() < 0)
+			goto next;
+		if ((bp = allocbuf(&buffer, fd, BUFSIZ)) == NULL) {
+next:			close(fd);
+			continue;
+		}
+
+		/* Keep writing after an error so that we stay sync'd up. */
+		for (haderr = i = 0; i < stb.st_size; i += bp->cnt) {
+			amt = bp->cnt;
+			if (i + amt > stb.st_size)
+				amt = stb.st_size - i;
+			if (!haderr) {
+				result = read(fd, bp->buf, amt);
+				if (result != amt)
+					haderr = result >= 0 ? EIO : errno;
+			}
+			if (haderr)
+				write(remout, bp->buf, amt);
+			else {
+				result = write(remout, bp->buf, amt);
+				if (result != amt)
+					haderr = result >= 0 ? EIO : errno;
+			}
+		}
+		if (close(fd) && !haderr)
+			haderr = errno;
+		if (!haderr)
+			write(remout, "", 1);
+		else
+			run_err("%s: %s", name, strerror(haderr));
+		response();
+	}
+}
+
+void
+rsource(char *name, struct stat *statp)
+{
+	DIR *dirp;
+	struct dirent *dp;
+	char *last, *vect[1], path[MAXPATHLEN];
+
+	if (!(dirp = opendir(name))) {
+		run_err("%s: %s", name, strerror(errno));
+		return;
+	}
+	last = strrchr(name, '/');
+	if (last == 0)
+		last = name;
+	else
+		last++;
+	if (pflag) {
+		snprintf(path, sizeof(path), "T%ld 0 %ld 0\n",
+		    (long)statp->st_mtime,
+		    (long)statp->st_atime);
+		write(remout, path, strlen(path));
+		if (response() < 0) {
+			closedir(dirp);
+			return;
+		}
+	}
+	snprintf(path, sizeof(path),
+	    "D%04o %d %s\n", statp->st_mode & MODEMASK, 0, last);
+	write(remout, path, strlen(path));
+	if (response() < 0) {
+		closedir(dirp);
+		return;
+	}
+	while ((dp = readdir(dirp))) {
+		if (dp->d_ino == 0)
+			continue;
+		if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+			continue;
+		if (strlen(name) + 1 + strlen(dp->d_name) >= MAXPATHLEN - 1) {
+			run_err("%s/%s: name too long", name, dp->d_name);
+			continue;
+		}
+		snprintf(path, sizeof(path), "%s/%s", name, dp->d_name);
+		vect[0] = path;
+		source(1, vect);
+	}
+	closedir(dirp);
+	write(remout, "E\n", 2);
+	response();
+}
+
+void
+sink(int argc, char **argv)
+{
+	static BUF buffer;
+	struct stat stb;
+	struct timeval tv[2];
+	enum { YES, NO, DISPLAYED } wrerr;
+	BUF *bp;
+	off_t i, j, size;
+	int amt, count, exists, first, mask, mode, ofd, omode;
+	int setimes, targisdir, wrerrno = 0;
+	char ch, *cp, *np, *targ, *why, *vect[1], buf[BUFSIZ];
+
+#define	atime	tv[0]
+#define	mtime	tv[1]
+#define	SCREWUP(str)	{ why = str; goto screwup; }
+
+	setimes = targisdir = 0;
+	mask = umask(0);
+	if (!pflag)
+		umask(mask);
+	if (argc != 1) {
+		run_err("ambiguous target");
+		exit(1);
+	}
+	targ = *argv;
+	if (targetshouldbedirectory)
+		verifydir(targ);
+	write(remout, "", 1);
+	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+		targisdir = 1;
+	for (first = 1;; first = 0) {
+		cp = buf;
+		if (read(remin, cp, 1) <= 0)
+			return;
+		if (*cp++ == '\n')
+			SCREWUP("unexpected <newline>");
+		do {
+			if (read(remin, &ch, sizeof(ch)) != sizeof(ch))
+				SCREWUP("lost connection");
+			*cp++ = ch;
+		} while (cp < &buf[BUFSIZ - 1] && ch != '\n');
+		*cp = 0;
+
+		if (buf[0] == '\01' || buf[0] == '\02') {
+			if (iamremote == 0)
+				write(STDERR_FILENO,
+				    buf + 1, strlen(buf + 1));
+			if (buf[0] == '\02')
+				exit(1);
+			++errs;
+			continue;
+		}
+		if (buf[0] == 'E') {
+			write(remout, "", 1);
+			return;
+		}
+
+		if (ch == '\n')
+			*--cp = 0;
+
+		cp = buf;
+		if (*cp == 'T') {
+			setimes++;
+			cp++;
+			mtime.tv_sec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != ' ')
+				SCREWUP("mtime.sec not delimited");
+			mtime.tv_usec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != ' ')
+				SCREWUP("mtime.usec not delimited");
+			atime.tv_sec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != ' ')
+				SCREWUP("atime.sec not delimited");
+			atime.tv_usec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != '\0')
+				SCREWUP("atime.usec not delimited");
+			write(remout, "", 1);
+			continue;
+		}
+		if (*cp != 'C' && *cp != 'D') {
+			/*
+			 * Check for the case "rcp remote:foo\* local:bar".
+			 * In this case, the line "No match." can be returned
+			 * by the shell before the rcp command on the remote is
+			 * executed so the ^Aerror_message convention isn't
+			 * followed.
+			 */
+			if (first) {
+				run_err("%s", cp);
+				exit(1);
+			}
+			SCREWUP("expected control record");
+		}
+		mode = 0;
+		for (++cp; cp < buf + 5; cp++) {
+			if (*cp < '0' || *cp > '7')
+				SCREWUP("bad mode");
+			mode = (mode << 3) | (*cp - '0');
+		}
+		if (*cp++ != ' ')
+			SCREWUP("mode not delimited");
+
+		for (size = 0; isdigit(*cp);)
+			size = size * 10 + (*cp++ - '0');
+		if (*cp++ != ' ')
+			SCREWUP("size not delimited");
+		if (targisdir) {
+			static char *namebuf;
+			static int cursize;
+			size_t need;
+
+			need = strlen(targ) + strlen(cp) + 250;
+			if (need > cursize) {
+				if (!(namebuf = malloc(need)))
+					run_err("%s", strerror(errno));
+			}
+			snprintf(namebuf, need, "%s%s%s", targ,
+			    *targ ? "/" : "", cp);
+			np = namebuf;
+		} else
+			np = targ;
+		exists = stat(np, &stb) == 0;
+		if (buf[0] == 'D') {
+			int mod_flag = pflag;
+			if (exists) {
+				if (!S_ISDIR(stb.st_mode)) {
+					errno = ENOTDIR;
+					goto bad;
+				}
+				if (pflag)
+					chmod(np, mode);
+			} else {
+				/* Handle copying from a read-only directory */
+				mod_flag = 1;
+				if (mkdir(np, mode | S_IRWXU) < 0)
+					goto bad;
+			}
+			vect[0] = np;
+			sink(1, vect);
+			if (setimes) {
+				setimes = 0;
+				if (utimes(np, tv) < 0)
+				    run_err("%s: set times: %s",
+					np, strerror(errno));
+			}
+			if (mod_flag)
+				chmod(np, mode);
+			continue;
+		}
+		omode = mode;
+		mode |= S_IWRITE;
+		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
+bad:			run_err("%s: %s", np, strerror(errno));
+			continue;
+		}
+		write(remout, "", 1);
+		if ((bp = allocbuf(&buffer, ofd, BUFSIZ)) == NULL) {
+			close(ofd);
+			continue;
+		}
+		cp = bp->buf;
+		wrerr = NO;
+		for (count = i = 0; i < size; i += BUFSIZ) {
+			amt = BUFSIZ;
+			if (i + amt > size)
+				amt = size - i;
+			count += amt;
+			if((j = net_read(remin, cp, amt)) != amt) {
+			    run_err("%s", j ? strerror(errno) :
+				    "dropped connection");
+			    exit(1);
+			}
+			amt -= j;
+			cp += j;
+			if (count == bp->cnt) {
+				/* Keep reading so we stay sync'd up. */
+				if (wrerr == NO) {
+					j = write(ofd, bp->buf, count);
+					if (j != count) {
+						wrerr = YES;
+						wrerrno = j >= 0 ? EIO : errno;
+					}
+				}
+				count = 0;
+				cp = bp->buf;
+			}
+		}
+		if (count != 0 && wrerr == NO &&
+		    (j = write(ofd, bp->buf, count)) != count) {
+			wrerr = YES;
+			wrerrno = j >= 0 ? EIO : errno;
+		}
+		if (ftruncate(ofd, size)) {
+			run_err("%s: truncate: %s", np, strerror(errno));
+			wrerr = DISPLAYED;
+		}
+		if (pflag) {
+			if (exists || omode != mode)
+				if (fchmod(ofd, omode))
+					run_err("%s: set mode: %s",
+					    np, strerror(errno));
+		} else {
+			if (!exists && omode != mode)
+				if (fchmod(ofd, omode & ~mask))
+					run_err("%s: set mode: %s",
+					    np, strerror(errno));
+		}
+		close(ofd);
+		response();
+		if (setimes && wrerr == NO) {
+			setimes = 0;
+			if (utimes(np, tv) < 0) {
+				run_err("%s: set times: %s",
+				    np, strerror(errno));
+				wrerr = DISPLAYED;
+			}
+		}
+		switch(wrerr) {
+		case YES:
+			run_err("%s: %s", np, strerror(wrerrno));
+			break;
+		case NO:
+			write(remout, "", 1);
+			break;
+		case DISPLAYED:
+			break;
+		}
+	}
+screwup:
+	run_err("protocol error: %s", why);
+	exit(1);
+}
+
+int
+response(void)
+{
+	char ch, *cp, resp, rbuf[BUFSIZ];
+
+	if (read(remin, &resp, sizeof(resp)) != sizeof(resp))
+		lostconn(0);
+
+	cp = rbuf;
+	switch(resp) {
+	case 0:				/* ok */
+		return (0);
+	default:
+		*cp++ = resp;
+		/* FALLTHROUGH */
+	case 1:				/* error, followed by error msg */
+	case 2:				/* fatal error, "" */
+		do {
+			if (read(remin, &ch, sizeof(ch)) != sizeof(ch))
+				lostconn(0);
+			*cp++ = ch;
+		} while (cp < &rbuf[BUFSIZ] && ch != '\n');
+
+		if (!iamremote)
+			write(STDERR_FILENO, rbuf, cp - rbuf);
+		++errs;
+		if (resp == 1)
+			return (-1);
+		exit(1);
+	}
+	/* NOTREACHED */
+}
+
+#include <stdarg.h>
+
+void
+run_err(const char *fmt, ...)
+{
+	static FILE *fp;
+	va_list ap;
+	va_start(ap, fmt);
+
+	++errs;
+	if (fp == NULL && !(fp = fdopen(remout, "w")))
+		return;
+	fprintf(fp, "%c", 0x01);
+	fprintf(fp, "rcp: ");
+	vfprintf(fp, fmt, ap);
+	fprintf(fp, "\n");
+	fflush(fp);
+
+	if (!iamremote)
+		vwarnx(fmt, ap);
+
+	va_end(ap);
+}
+
+/*
+ * This function executes the given command as the specified user on the
+ * given host.  This returns < 0 if execution fails, and >= 0 otherwise. This
+ * assigns the input and output file descriptors on success.
+ *
+ * If it cannot create necessary pipes it exits with error message.
+ */
+
+int 
+do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout)
+{
+	int pin[2], pout[2], reserved[2];
+
+	/*
+	 * Reserve two descriptors so that the real pipes won't get
+	 * descriptors 0 and 1 because that will screw up dup2 below.
+	 */
+	pipe(reserved);
+
+	/* Create a socket pair for communicating with rsh. */
+	if (pipe(pin) < 0) {
+		perror("pipe");
+		exit(255);
+	}
+	if (pipe(pout) < 0) {
+		perror("pipe");
+		exit(255);
+	}
+
+	/* Free the reserved descriptors. */
+	close(reserved[0]);
+	close(reserved[1]);
+
+	/* For a child to execute the command on the remote host using rsh. */
+	if (fork() == 0) {
+		char *args[100];
+		unsigned int i;
+
+		/* Child. */
+		close(pin[1]);
+		close(pout[0]);
+		dup2(pin[0], 0);
+		dup2(pout[1], 1);
+		close(pin[0]);
+		close(pout[1]);
+
+		i = 0;
+		args[i++] = RSH_PROGRAM;
+		if (usekrb5)
+			args[i++] = "-5";
+		if (usebroken)
+			args[i++] = "-K";
+		if (doencrypt)
+			args[i++] = "-x";
+		if (forwardtkt)
+			args[i++] = "-F";
+		if (noencrypt)
+			args[i++] = "-z";
+		if (port != NULL) {
+			args[i++] = "-p";
+			args[i++] = port;
+		}
+		if (remuser != NULL) {
+			args[i++] = "-l";
+			args[i++] = remuser;
+		}
+		args[i++] = host;
+		args[i++] = cmd;
+		args[i++] = NULL;
+
+		execvp(RSH_PROGRAM, args);
+		perror(RSH_PROGRAM);
+		exit(1);
+	}
+	/* Parent.  Close the other side, and return the local side. */
+	close(pin[0]);
+	*fdout = pin[1];
+	close(pout[1]);
+	*fdin = pout[0];
+	return 0;
+}
diff --git a/crypto/heimdal/appl/rcp/rcp_locl.h b/crypto/heimdal/appl/rcp/rcp_locl.h
new file mode 100644
index 0000000..4397c9f
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/rcp_locl.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: rcp_locl.h,v 1.3 2001/01/29 05:59:24 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+
+#include <ctype.h>
+#include <dirent.h>
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <roken.h>
+
+#include "extern.h"
+
+#define	_PATH_CP	"/bin/cp"
+#define	_PATH_RSH	"/usr/bin/rsh"
diff --git a/crypto/heimdal/appl/rcp/util.c b/crypto/heimdal/appl/rcp/util.c
new file mode 100644
index 0000000..9d0f6d5
--- /dev/null
+++ b/crypto/heimdal/appl/rcp/util.c
@@ -0,0 +1,165 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if 0
+#ifndef lint
+#if 0
+static char sccsid[] = "@(#)util.c	8.2 (Berkeley) 4/2/94";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+#endif
+
+#include "rcp_locl.h"
+
+RCSID("$Id: util.c,v 1.5 2001/01/29 23:36:37 assar Exp $");
+
+char *
+colon(cp)
+	char *cp;
+{
+	if (*cp == ':')		/* Leading colon is part of file name. */
+		return (0);
+
+	for (; *cp; ++cp) {
+		if (*cp == ':')
+			return (cp);
+		if (*cp == '/')
+			return (0);
+	}
+	return (0);
+}
+
+void
+verifydir(cp)
+	char *cp;
+{
+	struct stat stb;
+
+	if (!stat(cp, &stb)) {
+		if (S_ISDIR(stb.st_mode))
+			return;
+		errno = ENOTDIR;
+	}
+	run_err("%s: %s", cp, strerror(errno));
+	exit(1);
+}
+
+int
+okname(cp0)
+	char *cp0;
+{
+	int c;
+	char *cp;
+
+	cp = cp0;
+	do {
+		c = *cp;
+		if (c & 0200)
+			goto bad;
+		if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-')
+			goto bad;
+	} while (*++cp);
+	return (1);
+
+bad:	warnx("%s: invalid user name", cp0);
+	return (0);
+}
+
+int
+susystem(s, userid)
+	int userid;
+	char *s;
+{
+	void (*istat)(int), (*qstat)(int);
+	int status;
+	pid_t pid;
+
+	pid = fork();
+	switch (pid) {
+	case -1:
+		return (127);
+
+	case 0:
+		(void)setuid(userid);
+		execl(_PATH_BSHELL, "sh", "-c", s, NULL);
+		_exit(127);
+	}
+	istat = signal(SIGINT, SIG_IGN);
+	qstat = signal(SIGQUIT, SIG_IGN);
+	if (waitpid(pid, &status, 0) < 0)
+		status = -1;
+	(void)signal(SIGINT, istat);
+	(void)signal(SIGQUIT, qstat);
+	return (status);
+}
+
+#ifndef roundup
+#define	roundup(x, y)	((((x)+((y)-1))/(y))*(y))
+#endif
+
+BUF *
+allocbuf(bp, fd, blksize)
+	BUF *bp;
+	int fd, blksize;
+{
+	struct stat stb;
+	size_t size;
+
+	if (fstat(fd, &stb) < 0) {
+		run_err("fstat: %s", strerror(errno));
+		return (0);
+	}
+	size = roundup(stb.st_blksize, blksize);
+	if (size == 0)
+		size = blksize;
+	if (bp->cnt >= size)
+		return (bp);
+	if ((bp->buf = realloc(bp->buf, size)) == NULL) {
+		bp->cnt = 0;
+		run_err("%s", strerror(errno));
+		return (0);
+	}
+	bp->cnt = size;
+	return (bp);
+}
+
+void
+lostconn(signo)
+	int signo;
+{
+	if (!iamremote)
+		warnx("lost connection");
+	exit(1);
+}
diff --git a/crypto/heimdal/appl/rsh/ChangeLog b/crypto/heimdal/appl/rsh/ChangeLog
new file mode 100644
index 0000000..a66ce22
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/ChangeLog
@@ -0,0 +1,323 @@
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add login_access
+	* rshd.c (login_access): add prototype
+	(syslog_and_die, fatal): add printf attributes
+	(*): AIX -> _AIX
+	(doit): use login_access
+	based on patches from Ake Sandgren <ake@cs.umu.se>
+
+2001-01-09  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (save_krb5_creds): use krb5_rd_cred2 instead of
+	krb5_rd_cred
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (main): handle krb5_init_context failure consistently
+	* rsh.c (main): handle krb5_init_context failure consistently
+
+2000-12-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rshd.c: require encryption if passed -x
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (loop): check that the fd's aren't too large to select on
+	* rsh.c (loop, proto): check that the fd's aren't too large to
+	select on
+
+2000-08-10  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: move code to do config/command parsing correctly.
+
+2000-08-09  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): only fetch stuff from krb5.conf when no option has
+	been given
+
+2000-08-01  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (doit): loop until we create an error socket of an
+	supported socket family
+
+2000-07-02  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c: DCE stuff from Ake Sandgren <ake@cs.umu.se>
+	do not call syslog with a variable as format string
+
+	* rsh_locl.h (_PATH_ETC_ENVIRONMENT): add
+
+2000-06-09  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): work-around for setuid and capabilities bug fixed
+	in Linux 2.2.16
+
+2000-06-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rsh.c: nuke long option from -z
+	
+	* rsh.c: don't try to encrypt if auth is broken (Daniel Kouril)
+	
+2000-06-03  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (doit): check return value of getspnam.  From
+	<haba@pdc.kth.se>
+
+2000-05-23  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (proto): select on the normal socket when waiting for the
+	daemon to connect back to the stderr port, so that we discover
+	when data arrives there before.  when that happens, we assume that
+	the daemon did not manage to connect (because of NAT/whatever) and
+	continue as if `-e' was given
+	* rshd.c (doit): if we fail to connect back to the stderr port,
+	act as if `-e' was given on the client side, i.e. without the
+	special TCP-connection.  This tries to make things better when
+	running the head against a NAT wall, for example.
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (LDADD): make sure we use the heimdal libdes
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* *: conditionalize des stuff on KRB4
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (doit): addrinfo returned from getaddrinfo() is not usable
+	directly as hints.  copy it and set AI_PASSIVE.
+
+1999-11-20  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): remember to close the priviledged sockets before
+ 	calling rlogin
+
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): redo the v4/v5 selection for consistency.  -4 ->
+ 	try only v4 -5 -> try only v5 none, -45 -> try v5, v4
+
+1999-10-26  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (main): ignore SIGPIPE
+
+	* common.c (do_read): the encoded length can be longer than the
+ 	buffer being used, allocate memory for it dynamically.  From Brian
+ 	A May <bmay@dgs.monash.edu.au>
+
+1999-10-14  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (proto): be more careful and don't print errno when read()
+ 	returns 0
+
+1999-09-20  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (recv_krb4_auth): set `iv'
+
+1999-08-16  Assar Westerlund  <assar@sics.se>
+
+	* common.c (do_read): be careful with the return value from
+ 	krb5_net_read
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: call freehostent
+
+	* rsh.c: remove some dead code
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c: re-write the handling of forwarded credentials and
+ 	stuff.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* rsh_locl.h: always include kafs.h
+
+	* rsh.c: add `-z' and `-G' options
+
+	* rsh.c (loop): shutdown one side of the TCP connection on EOF.
+  	From Brian A May <bmay@dgs.monash.edu.au>
+
+	* common.c (do_read): handle EOF.  From Brian A May
+ 	<bmay@dgs.monash.edu.au>
+
+1999-08-01  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: const fixes
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c: v6-ify
+
+	* rsh.c: v6-ify
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* rsh_locl.h: move around kafs.h
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* rsh_locl.h: <shadow.h>
+
+	* rsh.c, rshd.c: improve forwarding and implement unique ccache on
+ 	server.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (construct_command): handle argc == 0 for generality
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: new option `-e' for not trying to open an stderr socket
+
+1999-06-17  Assar Westerlund  <assar@sics.se>
+
+	* rsh_locl.h (RSH_BUFSIZ): bump to 16 * 1024 to be sure that we
+ 	don't leave any data inside des_enc_read.  (that constant should
+ 	really be exported in some way...)
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: use get_default_username and resulting const pollution
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): try $USERNAME
+
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (doit): afslog correctly
+
+1999-05-11  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (main): add fallback to rlogin
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (send_krb5_auth): call krb5_sendauth with ccache == NULL.
+	check return value from krb5_crypto_init
+	
+	* common.c (do_write, do_read): always return -1 for failure
+	(net_write, net_read): remove.  they already exist in libroken
+
+1999-05-09  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: make sure it tries with all other authentication methods
+	after one has failed
+	* rsh.c (main): detect the case of no command given.
+	
+1999-04-11  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c: new option --forwardable. use print_version
+	
+Sat Apr 10 17:10:55 1999  Assar Westerlund  <assar@sics.se>
+
+	* rshd.c (setup_copier): use `socketpair' instead of `pipe'.  Some
+ 	shells don't think it's a rsh session if they find a pipe at the
+ 	other end.
+	(setup_environment): add SSH_CLIENT just to make bash happy
+
+	* common.c (do_read): use krb5_get_wrapped_length
+
+Wed Mar 24 03:59:42 1999  Assar Westerlund  <assar@sics.se>
+
+	* rsh.c (loop): more braces to make gcc happy
+
+Tue Mar 23 17:08:32 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* rsh_locl.h: kafs.h
+
+	* rshd.c: add `-P', `-v', and `-L' flags
+
+Thu Mar 18 11:37:24 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Tue Dec  1 14:44:44 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* appl/rsh/rshd.c: update to new crypto framework
+
+	* appl/rsh/rsh_locl.h: update to new crypto framework
+
+	* appl/rsh/rsh.c: update to new crypto framework
+
+	* appl/rsh/common.c: update to new crypto framework
+
+Mon Nov  2 01:15:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rsh.c (main): initialize host
+
+	* appl/rsh/rshd.c (recv_krb5_auth): disable `do_encrypt' if not
+ 	encrypting.
+
+Thu Jul 30 23:12:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rsh.c: kludges for parsing `rsh hostname -l user'
+
+Thu Jul 23 19:49:03 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* appl/rsh/rshd.c: use krb5_verify_authenticator_checksum
+
+Sat Apr 18 21:13:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* appl/rsh/rsh.c: Don't try v5 if (only) `-4' is specified.
+
+Sun Dec 21 09:44:05 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rshd.c (recv_krb5_auth): swap the order of the
+ 	`local_user' and the `remote_user'
+
+	* appl/rsh/rsh.c (send_krb5_auth): swap the order of the
+ 	`local_user' and the `remote_user'
+
+Sat Nov 29 07:10:11 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rshd.c: updated to use getarg.
+	changed `struct fd_set' to `fd_set'.
+	implemented broken/BSD authentication (requires iruserok)
+
+Wed Nov 12 02:35:57 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rsh_locl.h: add AUTH_BROKEN and PATH_RSH
+
+	* appl/rsh/Makefile.am: set BINDIR
+
+	* appl/rsh/rsh.c: implemented BSD-style reserved port
+ 	`authentication'
+
+Sun Aug 24 08:06:54 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rshd.c: syslog remote shells
+
+Tue Aug 12 01:29:46 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rshd/rshd.c: Use `krb5_sock_to_principal'.  Send server
+ 	parameter to krb5_rd_req/krb5_recvauth.  Set addresses in
+ 	auth_context.
+
+Fri Jul 25 17:32:12 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rshd.c: implement forwarding
+
+	* appl/rsh/rsh.c: Use getarg.  Implement forwarding.
+
+Sun Jul 13 00:32:16 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh: Conditionalize the krb4-support.
+
+Wed Jul  9 06:58:00 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rsh.c: use the correct user for the checksum
+
+Mon Jul  7 11:15:51 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh/rshd.c: Now works.  Also implementd encryption and
+ 	`-p'.
+	
+	* appl/rsh/common.c: new file
+
+Mon Jun 30 06:08:14 1997  Assar Westerlund  <assar@sics.se>
+
+	* appl/rsh: New program.
+
diff --git a/crypto/heimdal/appl/rsh/Makefile.am b/crypto/heimdal/appl/rsh/Makefile.am
new file mode 100644
index 0000000..8b5065b
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/Makefile.am
@@ -0,0 +1,23 @@
+# $Id: Makefile.am,v 1.16 2001/02/07 05:09:06 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) -I$(srcdir)/../login
+
+bin_PROGRAMS = rsh
+
+libexec_PROGRAMS = rshd
+
+rsh_SOURCES  = rsh.c common.c rsh_locl.h
+
+rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h
+
+login_access.c:
+	$(LN_S) $(srcdir)/../login/login_access.c .
+
+LDADD = $(LIB_kafs) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(LIB_kdfs)
diff --git a/crypto/heimdal/appl/rsh/Makefile.in b/crypto/heimdal/appl/rsh/Makefile.in
new file mode 100644
index 0000000..08950b58
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/Makefile.in
@@ -0,0 +1,670 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.16 2001/02/07 05:09:06 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -I$(srcdir)/../login
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = rsh
+
+libexec_PROGRAMS = rshd
+
+rsh_SOURCES = rsh.c common.c rsh_locl.h
+
+rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h
+
+LDADD = $(LIB_kafs) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(LIB_kdfs)
+
+subdir = appl/rsh
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  rsh$(EXEEXT)
+libexec_PROGRAMS =  rshd$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_rsh_OBJECTS =  rsh.$(OBJEXT) common.$(OBJEXT)
+rsh_OBJECTS =  $(am_rsh_OBJECTS)
+rsh_LDADD = $(LDADD)
+@DCE_FALSE@@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES = 
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+rsh_LDFLAGS = 
+am_rshd_OBJECTS =  rshd.$(OBJEXT) common.$(OBJEXT) \
+login_access.$(OBJEXT)
+rshd_OBJECTS =  $(am_rshd_OBJECTS)
+rshd_LDADD = $(LDADD)
+@DCE_FALSE@@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES = 
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+rshd_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(rsh_SOURCES) $(rshd_SOURCES)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(rsh_SOURCES) $(rshd_SOURCES)
+OBJECTS = $(am_rsh_OBJECTS) $(am_rshd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/rsh/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+rsh$(EXEEXT): $(rsh_OBJECTS) $(rsh_DEPENDENCIES)
+	@rm -f rsh$(EXEEXT)
+	$(LINK) $(rsh_LDFLAGS) $(rsh_OBJECTS) $(rsh_LDADD) $(LIBS)
+
+rshd$(EXEEXT): $(rshd_OBJECTS) $(rshd_DEPENDENCIES)
+	@rm -f rshd$(EXEEXT)
+	$(LINK) $(rshd_LDFLAGS) $(rshd_OBJECTS) $(rshd_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+login_access.c:
+	$(LN_S) $(srcdir)/../login/login_access.c .
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/rsh/common.c b/crypto/heimdal/appl/rsh/common.c
new file mode 100644
index 0000000..6614137
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/common.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "rsh_locl.h"
+RCSID("$Id: common.c,v 1.12 1999/12/02 17:04:56 joda Exp $");
+
+ssize_t
+do_read (int fd,
+	 void *buf,
+	 size_t sz)
+{
+    int ret;
+
+    if (do_encrypt) {
+#ifdef KRB4
+	if (auth_method == AUTH_KRB4) {
+	    return des_enc_read (fd, buf, sz, schedule, &iv);
+	} else
+#endif /* KRB4 */
+        if(auth_method == AUTH_KRB5) {
+	    u_int32_t len, outer_len;
+	    int status;
+	    krb5_data data;
+	    void *edata;
+
+	    ret = krb5_net_read (context, &fd, &len, 4);
+	    if (ret <= 0)
+		return ret;
+	    len = ntohl(len);
+	    if (len > sz)
+		abort ();
+	    outer_len = krb5_get_wrapped_length (context, crypto, len);
+	    edata = malloc (outer_len);
+	    if (edata == NULL)
+		errx (1, "malloc: cannot allocate %u bytes", outer_len);
+	    ret = krb5_net_read (context, &fd, edata, outer_len);
+	    if (ret <= 0)
+		return ret;
+
+	    status = krb5_decrypt(context, crypto, KRB5_KU_OTHER_ENCRYPTED, 
+				  edata, outer_len, &data);
+	    free (edata);
+	    
+	    if (status)
+		errx (1, "%s", krb5_get_err_text (context, status));
+	    memcpy (buf, data.data, len);
+	    krb5_data_free (&data);
+	    return len;
+	} else {
+	    abort ();
+	}
+    } else
+	return read (fd, buf, sz);
+}
+
+ssize_t
+do_write (int fd, void *buf, size_t sz)
+{
+    if (do_encrypt) {
+#ifdef KRB4
+	if(auth_method == AUTH_KRB4) {
+	    return des_enc_write (fd, buf, sz, schedule, &iv);
+	} else
+#endif /* KRB4 */
+	if(auth_method == AUTH_KRB5) {
+	    krb5_error_code status;
+	    krb5_data data;
+	    u_int32_t len;
+	    int ret;
+
+	    status = krb5_encrypt(context, crypto, KRB5_KU_OTHER_ENCRYPTED,
+				  buf, sz, &data);
+	    
+	    if (status)
+		errx (1, "%s", krb5_get_err_text(context, status));
+
+	    assert (krb5_get_wrapped_length (context, crypto,
+					     sz) == data.length);
+
+	    len = htonl(sz);
+	    ret = krb5_net_write (context, &fd, &len, 4);
+	    if (ret != 4)
+		return ret;
+	    ret = krb5_net_write (context, &fd, data.data, data.length);
+	    if (ret != data.length)
+		return ret;
+	    free (data.data);
+	    return sz;
+	} else {
+	    abort();
+	}
+    } else
+	return write (fd, buf, sz);
+}
diff --git a/crypto/heimdal/appl/rsh/rsh.c b/crypto/heimdal/appl/rsh/rsh.c
new file mode 100644
index 0000000..5898099
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/rsh.c
@@ -0,0 +1,1004 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "rsh_locl.h"
+RCSID("$Id: rsh.c,v 1.58 2001/02/20 01:44:47 assar Exp $");
+
+enum auth_method auth_method;
+int do_encrypt       = -1;
+int do_forward       = -1;
+int do_forwardable   = -1;
+int do_unique_tkfile = 0;
+char *unique_tkfile  = NULL;
+char tkfile[MAXPATHLEN];
+krb5_context context;
+krb5_keyblock *keyblock;
+krb5_crypto crypto;
+#ifdef KRB4
+des_key_schedule schedule;
+des_cblock iv;
+#endif
+
+
+/*
+ *
+ */
+
+static int input = 1;		/* Read from stdin */
+
+static int
+loop (int s, int errsock)
+{
+    fd_set real_readset;
+    int count = 1;
+
+    if (s >= FD_SETSIZE || errsock >= FD_SETSIZE)
+	errx (1, "fd too large");
+    
+    FD_ZERO(&real_readset);
+    FD_SET(s, &real_readset);
+    if (errsock != -1) {
+	FD_SET(errsock, &real_readset);
+	++count;
+    }
+    if(input)
+	FD_SET(STDIN_FILENO, &real_readset);
+
+    for (;;) {
+	int ret;
+	fd_set readset;
+	char buf[RSH_BUFSIZ];
+
+	readset = real_readset;
+	ret = select (max(s, errsock) + 1, &readset, NULL, NULL, NULL);
+	if (ret < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		err (1, "select");
+	}
+	if (FD_ISSET(s, &readset)) {
+	    ret = do_read (s, buf, sizeof(buf));
+	    if (ret < 0)
+		err (1, "read");
+	    else if (ret == 0) {
+		close (s);
+		FD_CLR(s, &real_readset);
+		if (--count == 0)
+		    return 0;
+	    } else
+		net_write (STDOUT_FILENO, buf, ret);
+	}
+	if (errsock != -1 && FD_ISSET(errsock, &readset)) {
+	    ret = do_read (errsock, buf, sizeof(buf));
+	    if (ret < 0)
+		err (1, "read");
+	    else if (ret == 0) {
+		close (errsock);
+		FD_CLR(errsock, &real_readset);
+		if (--count == 0)
+		    return 0;
+	    } else
+		net_write (STDERR_FILENO, buf, ret);
+	}
+	if (FD_ISSET(STDIN_FILENO, &readset)) {
+	    ret = read (STDIN_FILENO, buf, sizeof(buf));
+	    if (ret < 0)
+		err (1, "read");
+	    else if (ret == 0) {
+		close (STDIN_FILENO);
+		FD_CLR(STDIN_FILENO, &real_readset);
+		shutdown (s, SHUT_WR);
+	    } else
+		do_write (s, buf, ret);
+	}
+    }
+}
+
+#ifdef KRB4
+static int
+send_krb4_auth(int s,
+	       struct sockaddr *thisaddr,
+	       struct sockaddr *thataddr,
+	       const char *hostname,
+	       const char *remote_user,
+	       const char *local_user,
+	       size_t cmd_len,
+	       const char *cmd)
+{
+    KTEXT_ST text;
+    CREDENTIALS cred;
+    MSG_DAT msg;
+    int status;
+    size_t len;
+
+    status = krb_sendauth (do_encrypt ? KOPT_DO_MUTUAL : 0,
+			   s, &text, "rcmd",
+			   (char *)hostname, krb_realmofhost (hostname),
+			   getpid(), &msg, &cred, schedule,
+			   (struct sockaddr_in *)thisaddr,
+			   (struct sockaddr_in *)thataddr,
+			   KCMD_VERSION);
+    if (status != KSUCCESS) {
+	warnx ("%s: %s", hostname, krb_get_err_text(status));
+	return 1;
+    }
+    memcpy (iv, cred.session, sizeof(iv));
+
+    len = strlen(remote_user) + 1;
+    if (net_write (s, remote_user, len) != len) {
+	warn("write");
+	return 1;
+    }
+    if (net_write (s, cmd, cmd_len) != cmd_len) {
+	warn("write");
+	return 1;
+    }
+    return 0;
+}
+#endif /* KRB4 */
+
+/*
+ * Send forward information on `s' for host `hostname', them being
+ * forwardable themselves if `forwardable'
+ */
+
+static int
+krb5_forward_cred (krb5_auth_context auth_context,
+		   int s,
+		   const char *hostname,
+		   int forwardable)
+{
+    krb5_error_code ret;
+    krb5_ccache     ccache;
+    krb5_creds      creds;
+    krb5_kdc_flags  flags;
+    krb5_data       out_data;
+    krb5_principal  principal;
+
+    memset (&creds, 0, sizeof(creds));
+
+    ret = krb5_cc_default (context, &ccache);
+    if (ret) {
+	warnx ("could not forward creds: krb5_cc_default: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+
+    ret = krb5_cc_get_principal (context, ccache, &principal);
+    if (ret) {
+	warnx ("could not forward creds: krb5_cc_get_principal: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+
+    creds.client = principal;
+    
+    ret = krb5_build_principal (context,
+				&creds.server,
+				strlen(principal->realm),
+				principal->realm,
+				"krbtgt",
+				principal->realm,
+				NULL);
+
+    if (ret) {
+	warnx ("could not forward creds: krb5_build_principal: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+
+    creds.times.endtime = 0;
+
+    flags.i = 0;
+    flags.b.forwarded   = 1;
+    flags.b.forwardable = forwardable;
+
+    ret = krb5_get_forwarded_creds (context,
+				    auth_context,
+				    ccache,
+				    flags.i,
+				    hostname,
+				    &creds,
+				    &out_data);
+    if (ret) {
+	warnx ("could not forward creds: krb5_get_forwarded_creds: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+
+    ret = krb5_write_message (context,
+			      (void *)&s,
+			      &out_data);
+    krb5_data_free (&out_data);
+
+    if (ret)
+	warnx ("could not forward creds: krb5_write_message: %s",
+	       krb5_get_err_text (context, ret));
+    return 0;
+}
+
+static int
+send_krb5_auth(int s,
+	       struct sockaddr *thisaddr,
+	       struct sockaddr *thataddr,
+	       const char *hostname,
+	       const char *remote_user,
+	       const char *local_user,
+	       size_t cmd_len,
+	       const char *cmd)
+{
+    krb5_principal server;
+    krb5_data cksum_data;
+    int status;
+    size_t len;
+    krb5_auth_context auth_context = NULL;
+
+    status = krb5_sname_to_principal(context,
+				     hostname,
+				     "host",
+				     KRB5_NT_SRV_HST,
+				     &server);
+    if (status) {
+	warnx ("%s: %s", hostname, krb5_get_err_text(context, status));
+	return 1;
+    }
+
+    cksum_data.length = asprintf ((char **)&cksum_data.data,
+				  "%u:%s%s%s",
+				  ntohs(socket_get_port(thataddr)),
+				  do_encrypt ? "-x " : "",
+				  cmd,
+				  remote_user);
+
+    status = krb5_sendauth (context,
+			    &auth_context,
+			    &s,
+			    KCMD_VERSION,
+			    NULL,
+			    server,
+			    do_encrypt ? AP_OPTS_MUTUAL_REQUIRED : 0,
+			    &cksum_data,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL);
+    if (status) {
+	warnx ("%s: %s", hostname, krb5_get_err_text(context, status));
+	return 1;
+    }
+
+    status = krb5_auth_con_getkey (context, auth_context, &keyblock);
+    if (status) {
+	warnx ("krb5_auth_con_getkey: %s", krb5_get_err_text(context, status));
+	return 1;
+    }
+
+    status = krb5_auth_con_setaddrs_from_fd (context,
+					     auth_context,
+					     &s);
+    if (status) {
+        warnx("krb5_auth_con_setaddrs_from_fd: %s",
+	      krb5_get_err_text(context, status));
+        return(1);
+    }
+
+    status = krb5_crypto_init(context, keyblock, 0, &crypto);
+    if(status) {
+	warnx ("krb5_crypto_init: %s", krb5_get_err_text(context, status));
+	return 1;
+    }
+
+    len = strlen(remote_user) + 1;
+    if (net_write (s, remote_user, len) != len) {
+	warn ("write");
+	return 1;
+    }
+    if (do_encrypt && net_write (s, "-x ", 3) != 3) {
+	warn ("write");
+	return 1;
+    }
+    if (net_write (s, cmd, cmd_len) != cmd_len) {
+	warn ("write");
+	return 1;
+    }
+
+    if (do_unique_tkfile) {
+	if (net_write (s, tkfile, strlen(tkfile)) != strlen(tkfile)) {
+	    warn ("write");
+	    return 1;
+	}
+    }
+    len = strlen(local_user) + 1;
+    if (net_write (s, local_user, len) != len) {
+	warn ("write");
+	return 1;
+    }
+
+    if (!do_forward
+	|| krb5_forward_cred (auth_context, s, hostname, do_forwardable)) {
+	/* Empty forwarding info */
+
+	u_char zero[4] = {0, 0, 0, 0};
+	write (s, &zero, 4);
+    }
+    krb5_auth_con_free (context, auth_context);
+    return 0;
+}
+
+static int
+send_broken_auth(int s,
+		 struct sockaddr *thisaddr,
+		 struct sockaddr *thataddr,
+		 const char *hostname,
+		 const char *remote_user,
+		 const char *local_user,
+		 size_t cmd_len,
+		 const char *cmd)
+{
+    size_t len;
+
+    len = strlen(local_user) + 1;
+    if (net_write (s, local_user, len) != len) {
+	warn ("write");
+	return 1;
+    }
+    len = strlen(remote_user) + 1;
+    if (net_write (s, remote_user, len) != len) {
+	warn ("write");
+	return 1;
+    }
+    if (net_write (s, cmd, cmd_len) != cmd_len) {
+	warn ("write");
+	return 1;
+    }
+    return 0;
+}
+
+static int
+proto (int s, int errsock,
+       const char *hostname, const char *local_user, const char *remote_user,
+       const char *cmd, size_t cmd_len,
+       int (*auth_func)(int s,
+			struct sockaddr *this, struct sockaddr *that,
+			const char *hostname, const char *remote_user,
+			const char *local_user, size_t cmd_len,
+			const char *cmd))
+{
+    int errsock2;
+    char buf[BUFSIZ];
+    char *p;
+    size_t len;
+    char reply;
+    struct sockaddr_storage thisaddr_ss;
+    struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
+    struct sockaddr_storage thataddr_ss;
+    struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
+    struct sockaddr_storage erraddr_ss;
+    struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
+    socklen_t addrlen;
+    int ret;
+
+    addrlen = sizeof(thisaddr_ss);
+    if (getsockname (s, thisaddr, &addrlen) < 0) {
+	warn ("getsockname(%s)", hostname);
+	return 1;
+    }
+    addrlen = sizeof(thataddr_ss);
+    if (getpeername (s, thataddr, &addrlen) < 0) {
+	warn ("getpeername(%s)", hostname);
+	return 1;
+    }
+
+    if (errsock != -1) {
+
+	addrlen = sizeof(erraddr_ss);
+	if (getsockname (errsock, erraddr, &addrlen) < 0) {
+	    warn ("getsockname");
+	    return 1;
+	}
+
+	if (listen (errsock, 1) < 0) {
+	    warn ("listen");
+	    return 1;
+	}
+
+	p = buf;
+	snprintf (p, sizeof(buf), "%u",
+		  ntohs(socket_get_port(erraddr)));
+	len = strlen(buf) + 1;
+	if(net_write (s, buf, len) != len) {
+	    warn ("write");
+	    close (errsock);
+	    return 1;
+	}
+
+
+	for (;;) {
+	    fd_set fdset;
+
+	    if (errsock >= FD_SETSIZE || s >= FD_SETSIZE)
+		errx (1, "fd too large");
+
+	    FD_ZERO(&fdset);
+	    FD_SET(errsock, &fdset);
+	    FD_SET(s, &fdset);
+
+	    ret = select (max(errsock, s) + 1, &fdset, NULL, NULL, NULL);
+	    if (ret < 0) {
+		if (errno == EINTR)
+		    continue;
+		warn ("select");
+		close (errsock);
+		return 1;
+	    }
+	    if (FD_ISSET(errsock, &fdset)) {
+		errsock2 = accept (errsock, NULL, NULL);
+		close (errsock);
+		if (errsock2 < 0) {
+		    warn ("accept");
+		    return 1;
+		}
+		break;
+	    }
+
+	    /*
+	     * there should not arrive any data on this fd so if it's
+	     * readable it probably indicates that the other side when
+	     * away.
+	     */
+
+	    if (FD_ISSET(s, &fdset)) {
+		warnx ("socket closed");
+		close (errsock);
+		errsock2 = -1;
+		break;
+	    }
+	}
+    } else {
+	if (net_write (s, "0", 2) != 2) {
+	    warn ("write");
+	    return 1;
+	}
+	errsock2 = -1;
+    }
+
+    if ((*auth_func)(s, thisaddr, thataddr, hostname,
+		     remote_user, local_user,
+		     cmd_len, cmd)) {
+	close (errsock2);
+	return 1;
+    } 
+
+    ret = net_read (s, &reply, 1);
+    if (ret < 0) {
+	warn ("read");
+	close (errsock2);
+	return 1;
+    } else if (ret == 0) {
+	warnx ("unexpected EOF from %s", hostname);
+	close (errsock2);
+	return 1;
+    }
+    if (reply != 0) {
+
+	warnx ("Error from rshd at %s:", hostname);
+
+	while ((ret = read (s, buf, sizeof(buf))) > 0)
+	    write (STDOUT_FILENO, buf, ret);
+        write (STDOUT_FILENO,"\n",1);
+	close (errsock2);
+	return 1;
+    }
+
+    return loop (s, errsock2);
+}
+
+/*
+ * Return in `res' a copy of the concatenation of `argc, argv' into
+ * malloced space.  */
+
+static size_t
+construct_command (char **res, int argc, char **argv)
+{
+    int i;
+    size_t len = 0;
+    char *tmp;
+
+    for (i = 0; i < argc; ++i)
+	len += strlen(argv[i]) + 1;
+    len = max (1, len);
+    tmp = malloc (len);
+    if (tmp == NULL)
+	errx (1, "malloc %u failed", len);
+
+    *tmp = '\0';
+    for (i = 0; i < argc - 1; ++i) {
+	strcat (tmp, argv[i]);
+	strcat (tmp, " ");
+    }
+    if (argc > 0)
+	strcat (tmp, argv[argc-1]);
+    *res = tmp;
+    return len;
+}
+
+static char *
+print_addr (const struct sockaddr_in *sin)
+{
+    char addr_str[256];
+    char *res;
+
+    inet_ntop (AF_INET, &sin->sin_addr, addr_str, sizeof(addr_str));
+    res = strdup(addr_str);
+    if (res == NULL)
+	errx (1, "malloc: out of memory");
+    return res;
+}
+
+static int
+doit_broken (int argc,
+	     char **argv,
+	     int optind,
+	     const char *host,
+	     const char *remote_user,
+	     const char *local_user,
+	     int port,
+	     int priv_socket1,
+	     int priv_socket2,
+	     const char *cmd,
+	     size_t cmd_len)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+
+    if (priv_socket1 < 0) {
+	warnx ("unable to bind reserved port: is rsh setuid root?");
+	return 1;
+    }
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+    hints.ai_family   = AF_INET;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (host, portstr, &hints, &ai);
+    if (error) {
+	warnx ("%s: %s", host, gai_strerror(error));
+	return 1;
+    }
+    
+    if (connect (priv_socket1, ai->ai_addr, ai->ai_addrlen) < 0) {
+	if (ai->ai_next == NULL) {
+	    freeaddrinfo (ai);
+	    return 1;
+	}
+
+	close(priv_socket1);
+	close(priv_socket2);
+
+	for (a = ai->ai_next; a != NULL; a = a->ai_next) {
+	    pid_t pid;
+
+	    pid = fork();
+	    if (pid < 0)
+		err (1, "fork");
+	    else if(pid == 0) {
+		char **new_argv;
+		int i = 0;
+		struct sockaddr_in *sin = (struct sockaddr_in *)a->ai_addr;
+
+		new_argv = malloc((argc + 2) * sizeof(*new_argv));
+		if (new_argv == NULL)
+		    errx (1, "malloc: out of memory");
+		new_argv[i] = argv[i];
+		++i;
+		if (optind == i)
+		    new_argv[i++] = print_addr (sin);
+		new_argv[i++] = "-K";
+		for(; i <= argc; ++i)
+		    new_argv[i] = argv[i - 1];
+		if (optind > 1)
+		    new_argv[optind + 1] = print_addr(sin);
+		new_argv[argc + 1] = NULL;
+		execv(PATH_RSH, new_argv);
+		err(1, "execv(%s)", PATH_RSH);
+	    } else {
+		int status;
+
+		freeaddrinfo (ai);
+
+		while(waitpid(pid, &status, 0) < 0)
+		    ;
+		if(WIFEXITED(status) && WEXITSTATUS(status) == 0)
+		    return 0;
+	    }
+	}
+	return 1;
+    } else {
+	int ret;
+
+	freeaddrinfo (ai);
+
+	ret = proto (priv_socket1, priv_socket2,
+		     argv[optind],
+		     local_user, remote_user,
+		     cmd, cmd_len,
+		     send_broken_auth);
+	return ret;
+    }
+}
+
+static int
+doit (const char *hostname,
+      const char *remote_user,
+      const char *local_user,
+      int port,
+      const char *cmd,
+      size_t cmd_len,
+      int do_errsock,
+      int (*auth_func)(int s,
+		       struct sockaddr *this, struct sockaddr *that,
+		       const char *hostname, const char *remote_user,
+		       const char *local_user, size_t cmd_len,
+		       const char *cmd))
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+    int ret;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error) {
+	errx (1, "%s: %s", hostname, gai_strerror(error));
+	return -1;
+    }
+    
+    for (a = ai; a != NULL; a = a->ai_next) {
+	int s;
+	int errsock;
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+	    close (s);
+	    continue;
+	}
+	if (do_errsock) {
+	    struct addrinfo *ea, *eai;
+	    struct addrinfo hints;
+
+	    memset (&hints, 0, sizeof(hints));
+	    hints.ai_socktype = a->ai_socktype;
+	    hints.ai_protocol = a->ai_protocol;
+	    hints.ai_family   = a->ai_family;
+	    hints.ai_flags    = AI_PASSIVE;
+
+	    errsock = -1;
+
+	    error = getaddrinfo (NULL, "0", &hints, &eai);
+	    if (error)
+		errx (1, "getaddrinfo: %s", gai_strerror(error));
+	    for (ea = eai; ea != NULL; ea = ea->ai_next) {
+		errsock = socket (ea->ai_family, ea->ai_socktype,
+				  ea->ai_protocol);
+		if (errsock < 0)
+		    continue;
+		if (bind (errsock, ea->ai_addr, ea->ai_addrlen) < 0)
+		    err (1, "bind");
+		break;
+	    }
+	    if (errsock < 0)
+		err (1, "socket");
+	    freeaddrinfo (eai);
+	} else
+	    errsock = -1;
+    
+	freeaddrinfo (ai);
+	ret = proto (s, errsock,
+		     hostname,
+		     local_user, remote_user,
+		     cmd, cmd_len, auth_func);
+	close (s);
+	return ret;
+    }
+    warnx ("failed to contact %s", hostname);
+    freeaddrinfo (ai);
+    return -1;
+}
+
+#ifdef KRB4
+static int use_v4 = -1;
+#endif
+static int use_v5 = -1;
+static int use_only_broken = 0;
+static int use_broken = 1;
+static char *port_str;
+static const char *user;
+static int do_version;
+static int do_help;
+static int do_errsock = 1;
+
+struct getargs args[] = {
+#ifdef KRB4
+    { "krb4",	'4', arg_flag,		&use_v4,	"Use Kerberos V4",
+      NULL },
+#endif
+    { "krb5",	'5', arg_flag,		&use_v5,	"Use Kerberos V5",
+      NULL },
+    { "broken", 'K', arg_flag,		&use_only_broken, "Use priv port",
+      NULL },
+    { "input",	'n', arg_negative_flag,	&input,		"Close stdin",
+      NULL },
+    { "encrypt", 'x', arg_flag,		&do_encrypt,	"Encrypt connection",
+      NULL },
+    { NULL, 	'z', arg_negative_flag,      &do_encrypt,
+      "Don't encrypt connection", NULL },
+    { "forward", 'f', arg_flag,		&do_forward,	"Forward credentials",
+      NULL },
+    { "forward", 'G', arg_negative_flag,&do_forward,	"Forward credentials",
+      NULL },
+    { "forwardable", 'F', arg_flag,	&do_forwardable,
+      "Forward forwardable credentials", NULL },
+    { "unique", 'u', arg_flag,	&do_unique_tkfile,
+      "Use unique remote tkfile", NULL },
+    { "tkfile", 'U', arg_string,  &unique_tkfile,
+      "Use that remote tkfile", NULL },
+    { "port",	'p', arg_string,	&port_str,	"Use this port",
+      "number-or-service" },
+    { "user",	'l', arg_string,	&user,		"Run as this user",
+      NULL },
+    { "stderr", 'e', arg_negative_flag, &do_errsock,	"don't open stderr"},
+    { "version", 0,  arg_flag,		&do_version,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&do_help,	NULL,
+      NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "host [command]");
+    exit (ret);
+}
+
+/*
+ *
+ */
+
+int
+main(int argc, char **argv)
+{
+    int priv_port1, priv_port2;
+    int priv_socket1, priv_socket2;
+    int port = 0;
+    int optind = 0;
+    int ret = 1;
+    char *cmd;
+    size_t cmd_len;
+    const char *local_user;
+    char *host = NULL;
+    int host_index = -1;
+    int status;
+    uid_t uid;
+
+    priv_port1 = priv_port2 = IPPORT_RESERVED-1;
+    priv_socket1 = rresvport(&priv_port1);
+    priv_socket2 = rresvport(&priv_port2);
+    uid = getuid ();
+    if (setuid (uid) || (uid != 0 && setuid(0) == 0))
+	err (1, "setuid");
+    
+    setprogname (argv[0]);
+
+    if (argc >= 2 && argv[1][0] != '-') {
+	host = argv[host_index = 1];
+	optind = 1;
+    }
+    
+    status = krb5_init_context (&context);
+    if (status)
+        errx(1, "krb5_init_context failed: %d", status);
+      
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (do_forwardable == -1)
+	do_forwardable = krb5_config_get_bool (context, NULL,
+					       "libdefaults",
+					       "forwardable",
+					       NULL);
+	
+    if (do_forward == -1)
+	do_forward = krb5_config_get_bool (context, NULL,
+					   "libdefaults",
+					   "forward",
+					   NULL);
+    else if (do_forward == 0)
+	do_forwardable = 0;
+
+    if (do_encrypt == -1)
+	do_encrypt = krb5_config_get_bool (context, NULL,
+					   "libdefaults",
+					   "encrypt",
+					   NULL);
+
+    if (do_forwardable)
+	do_forward = 1;
+
+#if defined(KRB4) && defined(KRB5)
+    if(use_v4 == -1 && use_v5 == 1)
+	use_v4 = 0;
+    if(use_v5 == -1 && use_v4 == 1)
+	use_v5 = 0;
+#endif    
+
+    if (use_only_broken) {
+#ifdef KRB4
+	use_v4 = 0;
+#endif
+	use_v5 = 0;
+    }
+
+    if (do_help)
+	usage (0);
+
+    if (do_version) {
+	print_version (NULL);
+	return 0;
+    }
+	
+    if (do_unique_tkfile && unique_tkfile != NULL)
+	errx (1, "Only one of -u and -U allowed.");
+
+    if (do_unique_tkfile)
+	strcpy(tkfile,"-u ");
+    else if (unique_tkfile != NULL) {
+	if (strchr(unique_tkfile,' ') != NULL) {
+	    warnx("Space is not allowed in tkfilename");
+	    usage(1);
+	}
+	do_unique_tkfile = 1;
+	snprintf (tkfile, sizeof(tkfile), "-U %s ", unique_tkfile);
+    }
+
+    if (host == NULL) {
+	if (argc - optind < 1)
+	    usage (1);
+	else
+	    host = argv[host_index = optind++];
+    }
+
+    if (optind == argc) {
+	close (priv_socket1);
+	close (priv_socket2);
+	argv[0] = "rlogin";
+	execvp ("rlogin", argv);
+	err (1, "execvp rlogin");
+    }
+
+    if (port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    local_user = get_default_username ();
+    if (local_user == NULL)
+	errx (1, "who are you?");
+
+    if (user == NULL)
+	user = local_user;
+
+    cmd_len = construct_command(&cmd, argc - optind, argv + optind);
+
+    /*
+     * Try all different authentication methods
+     */
+
+    if (ret && use_v5) {
+	int tmp_port;
+
+	if (port)
+	    tmp_port = port;
+	else
+	    tmp_port = krb5_getportbyname (context, "kshell", "tcp", 544);
+
+	auth_method = AUTH_KRB5;
+	ret = doit (host, user, local_user, tmp_port, cmd, cmd_len,
+		    do_errsock,
+		    send_krb5_auth);
+    }
+#ifdef KRB4
+    if (ret && use_v4) {
+	int tmp_port;
+
+	if (port)
+	    tmp_port = port;
+	else if (do_encrypt)
+	    tmp_port = krb5_getportbyname (context, "ekshell", "tcp", 545);
+	else
+	    tmp_port = krb5_getportbyname (context, "kshell", "tcp", 544);
+
+	auth_method = AUTH_KRB4;
+	ret = doit (host, user, local_user, tmp_port, cmd, cmd_len,
+		    do_errsock,
+		    send_krb4_auth);
+    }
+#endif
+    if (ret && use_broken) {
+	int tmp_port;
+
+	if(port)
+	    tmp_port = port;
+	else
+	    tmp_port = krb5_getportbyname(context, "shell", "tcp", 514);
+	auth_method = AUTH_BROKEN;
+	if (do_encrypt)
+	    errx (1, "encryption not supported with priv port authentication");
+	ret = doit_broken (argc, argv, host_index, host,
+			   user, local_user,
+			   tmp_port,
+			   priv_socket1,
+			   do_errsock ? priv_socket2 : -1,
+			   cmd, cmd_len);
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/appl/rsh/rsh_locl.h b/crypto/heimdal/appl/rsh/rsh_locl.h
new file mode 100644
index 0000000..3418abc
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/rsh_locl.h
@@ -0,0 +1,145 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: rsh_locl.h,v 1.24 2000/07/02 15:48:46 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <assert.h>
+#include <stdarg.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#include <errno.h>
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#ifdef KRB4
+#include <krb.h>
+#include <prot.h>
+#endif
+#include <krb5.h>
+#include <kafs.h>
+
+#ifndef _PATH_NOLOGIN
+#define _PATH_NOLOGIN   "/etc/nologin"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL	"/bin/sh"
+#endif
+
+#ifndef _PATH_DEFPATH
+#define _PATH_DEFPATH	"/usr/bin:/bin"
+#endif
+
+#ifndef _PATH_ETC_ENVIRONMENT
+#define _PATH_ETC_ENVIRONMENT "/etc/environment"
+#endif
+
+/*
+ *
+ */
+
+enum auth_method { AUTH_KRB4, AUTH_KRB5, AUTH_BROKEN };
+
+extern enum auth_method auth_method;
+extern int do_encrypt;
+extern krb5_context context;
+extern krb5_keyblock *keyblock;
+extern krb5_crypto crypto;
+#ifdef KRB4
+extern des_key_schedule schedule;
+extern des_cblock iv;
+#endif
+
+#define KCMD_VERSION "KCMDV0.1"
+
+#define USERNAME_SZ 16
+#define COMMAND_SZ 1024
+
+#define RSH_BUFSIZ (16 * 1024)
+
+#define PATH_RSH BINDIR "/rsh"
+
+ssize_t do_read (int fd, void *buf, size_t sz);
+ssize_t do_write (int fd, void *buf, size_t sz);
diff --git a/crypto/heimdal/appl/rsh/rshd.c b/crypto/heimdal/appl/rsh/rshd.c
new file mode 100644
index 0000000..d22f3cf
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/rshd.c
@@ -0,0 +1,945 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "rsh_locl.h"
+RCSID("$Id: rshd.c,v 1.41 2001/02/20 01:44:48 assar Exp $");
+
+int
+login_access( struct passwd *user, char *from);
+
+enum auth_method auth_method;
+
+krb5_context context;
+krb5_keyblock *keyblock;
+krb5_crypto crypto;
+
+#ifdef KRB4
+des_key_schedule schedule;
+des_cblock iv;
+#endif
+
+krb5_ccache ccache, ccache2;
+int kerberos_status = 0;
+
+int do_encrypt = 0;
+
+static int do_unique_tkfile           = 0;
+static char tkfile[MAXPATHLEN] = "";
+
+static int do_inetd = 1;
+static char *port_str;
+static int do_rhosts;
+static int do_kerberos = 0;
+static int do_vacuous = 0;
+static int do_log = 1;
+static int do_newpag = 1;
+static int do_version;
+static int do_help = 0;
+
+#if defined(DCE)
+int dfsk5ok = 0;
+int dfspag = 0;
+int dfsfwd = 0;
+krb5_ticket *user_ticket;
+#endif
+
+static void
+syslog_and_die (const char *m, ...)
+    __attribute__ ((format (printf, 1, 2)));
+
+static void
+syslog_and_die (const char *m, ...)
+{
+    va_list args;
+
+    va_start(args, m);
+    vsyslog (LOG_ERR, m, args);
+    va_end(args);
+    exit (1);
+}
+
+static void
+fatal (int sock, const char *m, ...)
+    __attribute__ ((format (printf, 2, 3)));
+
+static void
+fatal (int sock, const char *m, ...)
+{
+    va_list args;
+    char buf[BUFSIZ];
+    size_t len;
+
+    *buf = 1;
+    va_start(args, m);
+    len = vsnprintf (buf + 1, sizeof(buf) - 1, m, args);
+    va_end(args);
+    syslog (LOG_ERR, "%s", buf + 1);
+    net_write (sock, buf, len + 1);
+    exit (1);
+}
+
+static void
+read_str (int s, char *str, size_t sz, char *expl)
+{
+    while (sz > 0) {
+	if (net_read (s, str, 1) != 1)
+	    syslog_and_die ("read: %m");
+	if (*str == '\0')
+	    return;
+	--sz;
+	++str;
+    }
+    fatal (s, "%s too long", expl);
+}
+
+static int
+recv_bsd_auth (int s, u_char *buf,
+	       struct sockaddr_in *thisaddr,
+	       struct sockaddr_in *thataddr,
+	       char *client_username,
+	       char *server_username,
+	       char *cmd)
+{
+    struct passwd *pwd;
+
+    read_str (s, client_username, USERNAME_SZ, "local username");
+    read_str (s, server_username, USERNAME_SZ, "remote username");
+    read_str (s, cmd, COMMAND_SZ, "command");
+    pwd = getpwnam(server_username);
+    if (pwd == NULL)
+	fatal(s, "Login incorrect.");
+    if (iruserok(thataddr->sin_addr.s_addr, pwd->pw_uid == 0,
+		 client_username, server_username))
+	fatal(s, "Login incorrect.");
+    return 0;
+}
+
+#ifdef KRB4
+static int
+recv_krb4_auth (int s, u_char *buf,
+		struct sockaddr *thisaddr,
+		struct sockaddr *thataddr,
+		char *client_username,
+		char *server_username,
+		char *cmd)
+{
+    int status;
+    int32_t options;
+    KTEXT_ST ticket;
+    AUTH_DAT auth;
+    char instance[INST_SZ + 1];
+    char version[KRB_SENDAUTH_VLEN + 1];
+
+    if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
+	return -1;
+    if (net_read (s, buf + 4, KRB_SENDAUTH_VLEN - 4) !=
+	KRB_SENDAUTH_VLEN - 4)
+	syslog_and_die ("reading auth info: %m");
+    if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0)
+	syslog_and_die("unrecognized auth protocol: %.8s", buf);
+
+    options = KOPT_IGNORE_PROTOCOL;
+    if (do_encrypt)
+	options |= KOPT_DO_MUTUAL;
+    k_getsockinst (s, instance, sizeof(instance));
+    status = krb_recvauth (options,
+			   s,
+			   &ticket,
+			   "rcmd",
+			   instance,
+			   (struct sockaddr_in *)thataddr,
+			   (struct sockaddr_in *)thisaddr,
+			   &auth,
+			   "",
+			   schedule,
+			   version);
+    if (status != KSUCCESS)
+	syslog_and_die ("recvauth: %s", krb_get_err_text(status));
+    if (strncmp (version, KCMD_VERSION, KRB_SENDAUTH_VLEN) != 0)
+	syslog_and_die ("bad version: %s", version);
+
+    read_str (s, server_username, USERNAME_SZ, "remote username");
+    if (kuserok (&auth, server_username) != 0)
+	fatal (s, "Permission denied");
+    read_str (s, cmd, COMMAND_SZ, "command");
+
+    syslog(LOG_INFO|LOG_AUTH,
+	   "kerberos v4 shell from %s on %s as %s, cmd '%.80s'",
+	   krb_unparse_name_long(auth.pname, auth.pinst, auth.prealm),
+
+	   inet_ntoa(((struct sockaddr_in *)thataddr)->sin_addr),
+	   server_username,
+	   cmd);
+
+    memcpy (iv, auth.session, sizeof(iv));
+
+    return 0;
+}
+
+#endif /* KRB4 */
+
+static int 
+save_krb5_creds (int s,
+                 krb5_auth_context auth_context,
+                 krb5_principal client)
+
+{
+    int ret;
+    krb5_data remote_cred;
+ 
+    krb5_data_zero (&remote_cred);
+    ret= krb5_read_message (context, (void *)&s, &remote_cred);
+    if (ret) {
+	krb5_data_free(&remote_cred);
+	return 0;
+    }
+    if (remote_cred.length == 0)
+	return 0;
+ 
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
+    if (ret) {
+	krb5_data_free(&remote_cred);
+	return 0;
+    }
+  
+    krb5_cc_initialize(context,ccache,client);
+    ret = krb5_rd_cred2(context, auth_context, ccache, &remote_cred);
+    krb5_data_free (&remote_cred);
+    if (ret)
+	return 0;
+    return 1;
+}
+
+static void
+krb5_start_session (void)
+{
+    krb5_error_code ret;
+
+    ret = krb5_cc_resolve (context, tkfile, &ccache2);
+    if (ret) {
+	krb5_cc_destroy(context, ccache);
+	return;
+    }
+
+    ret = krb5_cc_copy_cache (context, ccache, ccache2);
+    if (ret) {
+	krb5_cc_destroy(context, ccache);
+	return ;
+    }
+
+    krb5_cc_close(context, ccache2);
+    krb5_cc_destroy(context, ccache);
+    return;
+}
+
+static int
+recv_krb5_auth (int s, u_char *buf,
+		struct sockaddr *thisaddr,
+		struct sockaddr *thataddr,
+		char *client_username,
+		char *server_username,
+		char *cmd)
+{
+    u_int32_t len;
+    krb5_auth_context auth_context = NULL;
+    krb5_ticket *ticket;
+    krb5_error_code status;
+    krb5_data cksum_data;
+    krb5_principal server;
+
+    if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
+	return -1;
+    len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
+	
+    if (net_read(s, buf, len) != len)
+	syslog_and_die ("reading auth info: %m");
+    if (len != sizeof(KRB5_SENDAUTH_VERSION)
+	|| memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0)
+	syslog_and_die ("bad sendauth version: %.8s", buf);
+    
+    status = krb5_sock_to_principal (context,
+				     s,
+				     "host",
+				     KRB5_NT_SRV_HST,
+				     &server);
+    if (status)
+	syslog_and_die ("krb5_sock_to_principal: %s",
+			krb5_get_err_text(context, status));
+
+    status = krb5_recvauth(context,
+			   &auth_context,
+			   &s,
+			   KCMD_VERSION,
+			   server,
+			   KRB5_RECVAUTH_IGNORE_VERSION,
+			   NULL,
+			   &ticket);
+    krb5_free_principal (context, server);
+    if (status)
+	syslog_and_die ("krb5_recvauth: %s",
+			krb5_get_err_text(context, status));
+
+    read_str (s, server_username, USERNAME_SZ, "remote username");
+    read_str (s, cmd, COMMAND_SZ, "command");
+    read_str (s, client_username, COMMAND_SZ, "local username");
+
+    status = krb5_auth_con_getkey (context, auth_context, &keyblock);
+    if (status)
+       syslog_and_die ("krb5_auth_con_getkey: %s",
+                       krb5_get_err_text(context, status));
+
+    status = krb5_crypto_init(context, keyblock, 0, &crypto);
+    if(status)
+	syslog_and_die("krb5_crypto_init: %s", 
+		       krb5_get_err_text(context, status));
+
+    
+    cksum_data.length = asprintf ((char **)&cksum_data.data,
+				  "%u:%s%s",
+				  ntohs(socket_get_port (thisaddr)),
+				  cmd,
+				  server_username);
+
+    status = krb5_verify_authenticator_checksum(context, 
+						auth_context,
+						cksum_data.data, 
+						cksum_data.length);
+
+    if (status)
+	syslog_and_die ("krb5_verify_authenticator_checksum: %s",
+			krb5_get_err_text(context, status));
+
+    free (cksum_data.data);
+
+    if (strncmp (client_username, "-u ", 3) == 0) {
+	do_unique_tkfile = 1;
+	memmove (client_username, client_username + 3,
+		 strlen(client_username) - 2);
+    }
+
+    if (strncmp (client_username, "-U ", 3) == 0) {
+	char *end, *temp_tkfile;
+
+	do_unique_tkfile = 1;
+	if (strncmp (server_username + 3, "FILE:", 5) == 0) {
+	    temp_tkfile = tkfile;
+	} else {
+	    strcpy (tkfile, "FILE:");
+	    temp_tkfile = tkfile + 5;
+	}
+	end = strchr(client_username + 3,' ');
+	strncpy(temp_tkfile, client_username + 3, end - client_username - 3);
+	temp_tkfile[end - client_username - 3] = '\0';
+	memmove (client_username, end +1, strlen(end+1)+1);
+    }
+
+    kerberos_status = save_krb5_creds (s, auth_context, ticket->client);
+
+    if(!krb5_kuserok (context,
+		     ticket->client,
+		     server_username))
+	fatal (s, "Permission denied");
+
+    if (strncmp (cmd, "-x ", 3) == 0) {
+	do_encrypt = 1;
+	memmove (cmd, cmd + 3, strlen(cmd) - 2);
+    } else {
+	if(do_encrypt)
+	    fatal (s, "Encryption required");
+	do_encrypt = 0;
+    }
+
+    {
+	char *name;
+
+	if (krb5_unparse_name (context, ticket->client, &name) == 0) {
+	    char addr_str[256];
+
+	    if (inet_ntop (thataddr->sa_family,
+			   socket_get_address (thataddr),
+			   addr_str, sizeof(addr_str)) == NULL)
+		strlcpy (addr_str, "unknown address",
+				 sizeof(addr_str));
+
+	    syslog(LOG_INFO|LOG_AUTH,
+		   "kerberos v5 shell from %s on %s as %s, cmd '%.80s'",
+		   name,
+		   addr_str,
+		   server_username,
+		   cmd);
+	    free (name);
+	}
+    }	   
+
+#if defined(DCE)
+    user_ticket = ticket;
+#endif
+
+    return 0;
+}
+
+static void
+loop (int from0, int to0,
+      int to1,   int from1,
+      int to2,   int from2)
+{
+    fd_set real_readset;
+    int max_fd;
+    int count = 2;
+
+    if(from0 >= FD_SETSIZE || from1 >= FD_SETSIZE || from2 >= FD_SETSIZE)
+	errx (1, "fd too large");
+
+    FD_ZERO(&real_readset);
+    FD_SET(from0, &real_readset);
+    FD_SET(from1, &real_readset);
+    FD_SET(from2, &real_readset);
+    max_fd = max(from0, max(from1, from2)) + 1;
+    for (;;) {
+	int ret;
+	fd_set readset = real_readset;
+	char buf[RSH_BUFSIZ];
+
+	ret = select (max_fd, &readset, NULL, NULL, NULL);
+	if (ret < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		syslog_and_die ("select: %m");
+	}
+	if (FD_ISSET(from0, &readset)) {
+	    ret = do_read (from0, buf, sizeof(buf));
+	    if (ret < 0)
+		syslog_and_die ("read: %m");
+	    else if (ret == 0) {
+		close (from0);
+		close (to0);
+		FD_CLR(from0, &real_readset);
+	    } else
+		net_write (to0, buf, ret);
+	}
+	if (FD_ISSET(from1, &readset)) {
+	    ret = read (from1, buf, sizeof(buf));
+	    if (ret < 0)
+		syslog_and_die ("read: %m");
+	    else if (ret == 0) {
+		close (from1);
+		close (to1);
+		FD_CLR(from1, &real_readset);
+		if (--count == 0)
+		    exit (0);
+	    } else
+		do_write (to1, buf, ret);
+	}
+	if (FD_ISSET(from2, &readset)) {
+	    ret = read (from2, buf, sizeof(buf));
+	    if (ret < 0)
+		syslog_and_die ("read: %m");
+	    else if (ret == 0) {
+		close (from2);
+		close (to2);
+		FD_CLR(from2, &real_readset);
+		if (--count == 0)
+		    exit (0);
+	    } else
+		do_write (to2, buf, ret);
+	}
+   }
+}
+
+/*
+ * Used by `setup_copier' to create some pipe-like means of
+ * communcation.  Real pipes would probably be the best thing, but
+ * then the shell doesn't understand it's talking to rshd.  If
+ * socketpair doesn't work everywhere, some autoconf magic would have
+ * to be added here.
+ *
+ * If it fails creating the `pipe', it aborts by calling fatal.
+ */
+
+static void
+pipe_a_like (int fd[2])
+{
+    if (socketpair (AF_UNIX, SOCK_STREAM, 0, fd) < 0)
+	fatal (STDOUT_FILENO, "socketpair: %m");
+}
+
+/*
+ * Start a child process and leave the parent copying data to and from it.  */
+
+static void
+setup_copier (void)
+{
+    int p0[2], p1[2], p2[2];
+    pid_t pid;
+
+    pipe_a_like(p0);
+    pipe_a_like(p1);
+    pipe_a_like(p2);
+    pid = fork ();
+    if (pid < 0)
+	fatal (STDOUT_FILENO, "fork: %m");
+    if (pid == 0) { /* child */
+	close (p0[1]);
+	close (p1[0]);
+	close (p2[0]);
+	dup2 (p0[0], STDIN_FILENO);
+	dup2 (p1[1], STDOUT_FILENO);
+	dup2 (p2[1], STDERR_FILENO);
+	close (p0[0]);
+	close (p1[1]);
+	close (p2[1]);
+    } else { /* parent */
+	close (p0[0]);
+	close (p1[1]);
+	close (p2[1]);
+
+	if (net_write (STDOUT_FILENO, "", 1) != 1)
+	    fatal (STDOUT_FILENO, "write failed");
+
+	loop (STDIN_FILENO, p0[1],
+	      STDOUT_FILENO, p1[0],
+	      STDERR_FILENO, p2[0]);
+    }
+}
+
+/*
+ * Is `port' a ``reserverd'' port?
+ */
+
+static int
+is_reserved(u_short port)
+{
+    return ntohs(port) < IPPORT_RESERVED;
+}
+
+/*
+ * Set the necessary part of the environment in `env'.
+ */
+
+static void
+setup_environment (char ***env, const struct passwd *pwd)
+{
+    int i, j, path;
+    char **e;
+
+    i = 0;
+    path = 0;
+    *env = NULL;
+
+    i = read_environment(_PATH_ETC_ENVIRONMENT, env);
+    e = *env;
+    for (j = 0; j < i; j++) {
+	if (!strncmp(e[j], "PATH=", 5)) {
+	    path = 1;
+	}
+    }
+
+    e = *env;
+    e = realloc(e, (i + 7) * sizeof(char *));
+
+    asprintf (&e[i++], "USER=%s",  pwd->pw_name);
+    asprintf (&e[i++], "HOME=%s",  pwd->pw_dir);
+    asprintf (&e[i++], "SHELL=%s", pwd->pw_shell);
+    if (! path) {
+	asprintf (&e[i++], "PATH=%s",  _PATH_DEFPATH);
+    }
+    asprintf (&e[i++], "SSH_CLIENT=only_to_make_bash_happy");
+#if defined(DCE)
+    if (getenv("KRB5CCNAME"))
+	asprintf (&e[i++], "KRB5CCNAME=%s",  getenv("KRB5CCNAME"));
+#else
+    if (do_unique_tkfile)
+	asprintf (&e[i++], "KRB5CCNAME=%s", tkfile);
+#endif
+    e[i++] = NULL;
+    *env = e;
+}
+
+static void
+doit (int do_kerberos, int check_rhosts)
+{
+    u_char buf[BUFSIZ];
+    u_char *p;
+    struct sockaddr_storage thisaddr_ss;
+    struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
+    struct sockaddr_storage thataddr_ss;
+    struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
+    struct sockaddr_storage erraddr_ss;
+    struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
+    socklen_t thisaddr_len, thataddr_len;
+    int port;
+    int errsock = -1;
+    char client_user[COMMAND_SZ], server_user[USERNAME_SZ];
+    char cmd[COMMAND_SZ];
+    struct passwd *pwd;
+    int s = STDIN_FILENO;
+    char **env;
+    int ret;
+    char that_host[NI_MAXHOST];
+
+    thisaddr_len = sizeof(thisaddr_ss);
+    if (getsockname (s, thisaddr, &thisaddr_len) < 0)
+	syslog_and_die("getsockname: %m");
+    thataddr_len = sizeof(thataddr_ss);
+    if (getpeername (s, thataddr, &thataddr_len) < 0)
+	syslog_and_die ("getpeername: %m");
+
+    if (!do_kerberos && !is_reserved(socket_get_port(thataddr)))
+	fatal(s, "Permission denied");
+
+    p = buf;
+    port = 0;
+    for(;;) {
+	if (net_read (s, p, 1) != 1)
+	    syslog_and_die ("reading port number: %m");
+	if (*p == '\0')
+	    break;
+	else if (isdigit(*p))
+	    port = port * 10 + *p - '0';
+	else
+	    syslog_and_die ("non-digit in port number: %c", *p);
+    }
+
+    if (!do_kerberos && !is_reserved(htons(port)))
+	fatal(s, "Permission denied");
+
+    if (port) {
+	int priv_port = IPPORT_RESERVED - 1;
+
+	/* 
+	 * There's no reason to require a ``privileged'' port number
+	 * here, but for some reason the brain dead rsh clients
+	 * do... :-(
+	 */
+
+	erraddr->sa_family = thataddr->sa_family;
+	socket_set_address_and_port (erraddr,
+				     socket_get_address (thataddr),
+				     htons(port));
+
+	/*
+	 * we only do reserved port for IPv4
+	 */
+
+	if (erraddr->sa_family == AF_INET)
+	    errsock = rresvport (&priv_port);
+	else
+	    errsock = socket (erraddr->sa_family, SOCK_STREAM, 0);
+	if (errsock < 0)
+	    syslog_and_die ("socket: %m");
+	if (connect (errsock,
+		     erraddr,
+		     socket_sockaddr_size (erraddr)) < 0) {
+	    syslog (LOG_WARNING, "connect: %m");
+	    close (errsock);
+	}
+    }
+    
+    if(do_kerberos) {
+	if (net_read (s, buf, 4) != 4)
+	    syslog_and_die ("reading auth info: %m");
+    
+#ifdef KRB4
+	if (recv_krb4_auth (s, buf, thisaddr, thataddr,
+			    client_user,
+			    server_user,
+			    cmd) == 0)
+	    auth_method = AUTH_KRB4;
+	else
+#endif /* KRB4 */
+	    if(recv_krb5_auth (s, buf, thisaddr, thataddr,
+			       client_user,
+			       server_user,
+			       cmd) == 0)
+		auth_method = AUTH_KRB5;
+	    else
+		syslog_and_die ("unrecognized auth protocol: %x %x %x %x",
+				buf[0], buf[1], buf[2], buf[3]);
+    } else {
+	if(recv_bsd_auth (s, buf,
+			  (struct sockaddr_in *)thisaddr,
+			  (struct sockaddr_in *)thataddr,
+			  client_user,
+			  server_user,
+			  cmd) == 0) {
+	    auth_method = AUTH_BROKEN;
+	    if(do_vacuous) {
+		printf("Remote host requires Kerberos authentication\n");
+		exit(0);
+	    }
+	} else
+	    syslog_and_die("recv_bsd_auth failed");
+    }
+
+#if defined(DCE) && defined(_AIX)
+    esetenv("AUTHSTATE", "DCE", 1);
+#endif
+
+    pwd = getpwnam (server_user);
+    if (pwd == NULL)
+	fatal (s, "Login incorrect.");
+
+    if (*pwd->pw_shell == '\0')
+	pwd->pw_shell = _PATH_BSHELL;
+
+    if (pwd->pw_uid != 0 && access (_PATH_NOLOGIN, F_OK) == 0)
+	fatal (s, "Login disabled.");
+
+
+    ret = getnameinfo_verified (thataddr, thataddr_len,
+				that_host, sizeof(that_host),
+				NULL, 0, 0);
+    if (ret)
+	fatal (s, "getnameinfo: %s", gai_strerror(ret));
+
+    if (login_access(pwd, that_host) == 0) {
+	syslog(LOG_NOTICE, "Kerberos rsh denied to %s from %s",
+	       server_user, that_host);
+	fatal(s, "Permission denied");
+    }
+
+#ifdef HAVE_GETSPNAM
+    {
+	struct spwd *sp;
+	long    today;
+    
+	sp = getspnam(server_user);
+	if (sp != NULL) {
+	    today = time(0)/(24L * 60 * 60);
+	    if (sp->sp_expire > 0) 
+		if (today > sp->sp_expire) 
+		    fatal(s, "Account has expired.");
+	}
+    }
+#endif
+    
+
+#ifdef KRB5
+    {
+	int fd;
+ 
+	if (!do_unique_tkfile)
+	    snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_%u",pwd->pw_uid);
+	else if (*tkfile=='\0') {
+	    snprintf(tkfile,sizeof(tkfile),"FILE:/tmp/krb5cc_XXXXXX");
+	    fd = mkstemp(tkfile+5);
+	    close(fd);
+	    unlink(tkfile+5);
+	}
+ 
+	if (kerberos_status)
+	    krb5_start_session();
+    }
+    chown(tkfile + 5, pwd->pw_uid, -1);
+
+#if defined(DCE)
+    if (kerberos_status) {
+	esetenv("KRB5CCNAME", tkfile, 1);
+	dfspag = krb5_dfs_pag(context, kerberos_status, user_ticket->client, server_user);
+    }
+#endif
+
+#endif
+
+#ifdef HAVE_SETLOGIN
+    if (setlogin(pwd->pw_name) < 0)
+	syslog(LOG_ERR, "setlogin() failed: %m");
+#endif
+
+#ifdef HAVE_SETPCRED
+    if (setpcred (pwd->pw_name, NULL) == -1)
+	syslog(LOG_ERR, "setpcred() failure: %m");
+#endif /* HAVE_SETPCRED */
+
+    if (initgroups (pwd->pw_name, pwd->pw_gid) < 0)
+	fatal (s, "Login incorrect.");
+
+    if (setgid(pwd->pw_gid) < 0)
+	fatal (s, "Login incorrect.");
+
+    if (setuid (pwd->pw_uid) < 0)
+	fatal (s, "Login incorrect.");
+
+    if (chdir (pwd->pw_dir) < 0)
+	fatal (s, "Remote directory.");
+
+    if (errsock >= 0) {
+	if (dup2 (errsock, STDERR_FILENO) < 0)
+	    fatal (s, "Dup2 failed.");
+	close (errsock);
+    }
+
+    setup_environment (&env, pwd);
+
+    if (do_encrypt) {
+	setup_copier ();
+    } else {
+	if (net_write (s, "", 1) != 1)
+	    fatal (s, "write failed");
+    }
+
+#ifdef KRB4
+    if(k_hasafs()) {
+	char cell[64];
+
+	if(do_newpag)
+	    k_setpag();
+	if (k_afs_cell_of_file (pwd->pw_dir, cell, sizeof(cell)) == 0)
+	    krb_afslog_uid_home (cell, NULL, pwd->pw_uid, pwd->pw_dir);
+
+	krb_afslog_uid_home(NULL, NULL, pwd->pw_uid, pwd->pw_dir);
+
+#ifdef KRB5
+	/* XXX */
+       if (kerberos_status) {
+	   krb5_ccache ccache;
+	   krb5_error_code status;
+
+	   status = krb5_cc_resolve (context, tkfile, &ccache);
+	   if (!status) {
+	       krb5_afslog_uid_home(context,ccache,NULL,NULL,
+				    pwd->pw_uid, pwd->pw_dir);
+	       krb5_cc_close (context, ccache);
+	   }
+       }
+#endif /* KRB5 */
+    }
+#endif /* KRB4 */
+    execle (pwd->pw_shell, pwd->pw_shell, "-c", cmd, NULL, env);
+    err(1, "exec %s", pwd->pw_shell);
+}
+
+struct getargs args[] = {
+    { "inetd",		'i',	arg_negative_flag,	&do_inetd,
+      "Not started from inetd" },
+    { "kerberos",	'k',	arg_flag,	&do_kerberos,
+      "Implement kerberised services" },
+    { "encrypt",	'x',	arg_flag,		&do_encrypt,
+      "Implement encrypted service" },
+    { "rhosts",		'l',	arg_flag, &do_rhosts,
+      "Check users .rhosts" },
+    { "port",		'p',	arg_string,	&port_str,	"Use this port",
+      "port" },
+    { "vacuous",	'v',	arg_flag, &do_vacuous,
+      "Don't accept non-kerberised connections" },
+    { NULL,		'P',	arg_negative_flag, &do_newpag,
+      "Don't put process in new PAG" },
+    /* compatibility flag: */
+    { NULL,		'L',	arg_flag, &do_log },
+    { "version",	0, 	arg_flag,		&do_version },
+    { "help",		0, 	arg_flag,		&do_help }
+};
+
+static void
+usage (int ret)
+{
+    if(isatty(STDIN_FILENO))
+	arg_printusage (args,
+			sizeof(args) / sizeof(args[0]),
+			NULL,
+			"");
+    else
+	syslog (LOG_ERR, "Usage: %s [-ikxlvPL] [-p port]", getprogname());
+    exit (ret);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    int port = 0;
+
+    setprogname (argv[0]);
+    roken_openlog ("rshd", LOG_ODELAY | LOG_PID, LOG_AUTH);
+
+    if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv,
+	       &optind))
+	usage(1);
+
+    if(do_help)
+	usage (0);
+
+    if (do_version) {
+	print_version(NULL);
+	exit(0);
+    }
+
+#ifdef KRB5
+    {
+	krb5_error_code ret;
+
+	ret = krb5_init_context (&context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+    }	
+#endif
+
+    if(port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		syslog_and_die("Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (do_encrypt)
+	do_kerberos = 1;
+
+    if (!do_inetd) {
+	if (port == 0) {
+	    if (do_kerberos) {
+		if (do_encrypt)
+		    port = krb5_getportbyname (context, "ekshell", "tcp", 545);
+		else
+		    port = krb5_getportbyname (context, "kshell",  "tcp", 544);
+	    } else {
+		port = krb5_getportbyname(context, "shell", "tcp", 514);
+	    }
+	}
+	mini_inetd (port);
+    }
+
+    signal (SIGPIPE, SIG_IGN);
+
+    doit (do_kerberos, do_rhosts);
+    return 0;
+}
diff --git a/crypto/heimdal/appl/su/ChangeLog b/crypto/heimdal/appl/su/ChangeLog
new file mode 100644
index 0000000..3eadf65
--- /dev/null
+++ b/crypto/heimdal/appl/su/ChangeLog
@@ -0,0 +1,64 @@
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* su.c (krb5_verify): handle krb5_init_context failure
+	consistently
+
+2000-08-28  Johan Danielsson  <joda@pdc.kth.se>
+
+	* su.c: set KRBTKFILE
+
+2000-07-10  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: actually install su
+	* su.c (krb5_verify): try harder freeing.  do not get upset on
+	interrupted password read
+
+2000-06-09  Assar Westerlund  <assar@sics.se>
+
+	* su.c (main): work-around for setuid and capabilities bug fixed
+	in Linux 2.2.16
+
+2000-06-03  Assar Westerlund  <assar@sics.se>
+
+	* su.c (main): just ignore shadow information if getspnam returns
+	NULL
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: use LIB_roken
+
+1999-09-28  Assar Westerlund  <assar@sics.se>
+
+	* su.c (krb5_verify): use krb5_verify_user_lrealm
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* su.c: add support for shadow passwords and rewrite some logic.
+  	From Miroslav Ruda <ruda@ics.muni.cz>
+
+	* Makefile.am: add libkafs
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* su.c (main): conditionalize `getlogin'
+
+1999-05-11  Assar Westerlund  <assar@sics.se>
+
+	* su.c (verfiy_krb5): get the name out of the ccache before
+ 	closing it
+
+1999-05-05  Assar Westerlund  <assar@sics.se>
+
+	* su.c: some more error checking
+
+Wed Apr 21 21:04:36 1999  Assar Westerlund  <assar@sics.se>
+
+	* su.c (-f): implement
+
+	* su.c: implement -i
+	(verify_krb5): correct the ownership on the credential cache
+
+Tue Apr 20 13:26:13 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* su.c: don't depend on paths.h
+
diff --git a/crypto/heimdal/appl/su/Makefile.am b/crypto/heimdal/appl/su/Makefile.am
new file mode 100644
index 0000000..aeb684f
--- /dev/null
+++ b/crypto/heimdal/appl/su/Makefile.am
@@ -0,0 +1,16 @@
+# $Id: Makefile.am,v 1.6 2000/11/15 22:51:10 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = su
+bin_SUIDS = su
+su_SOURCES = su.c
+
+LDADD = $(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/su/Makefile.in b/crypto/heimdal/appl/su/Makefile.in
new file mode 100644
index 0000000..33f934b
--- /dev/null
+++ b/crypto/heimdal/appl/su/Makefile.in
@@ -0,0 +1,577 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.6 2000/11/15 22:51:10 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = su
+bin_SUIDS = su
+su_SOURCES = su.c
+
+LDADD = $(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+subdir = appl/su
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  su$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_su_OBJECTS =  su.$(OBJEXT)
+su_OBJECTS =  $(am_su_OBJECTS)
+su_LDADD = $(LDADD)
+@KRB4_FALSE@su_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@su_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+su_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(su_SOURCES)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(su_SOURCES)
+OBJECTS = $(am_su_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/su/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+su$(EXEEXT): $(su_OBJECTS) $(su_DEPENDENCIES)
+	@rm -f su$(EXEEXT)
+	$(LINK) $(su_LDFLAGS) $(su_OBJECTS) $(su_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/su/su.c b/crypto/heimdal/appl/su/su.c
new file mode 100644
index 0000000..b43894b
--- /dev/null
+++ b/crypto/heimdal/appl/su/su.c
@@ -0,0 +1,445 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include <config.h>
+
+RCSID("$Id: su.c,v 1.20 2001/02/20 01:44:48 assar Exp $");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <syslog.h>
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+
+#include <pwd.h>
+
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+#include <krb5.h>
+#include <kafs.h>
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#include <kafs.h>
+
+#ifndef _PATH_DEFPATH
+#define _PATH_DEFPATH "/usr/bin:/bin"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
+int kerberos_flag = 1;
+int csh_f_flag;
+int full_login;
+int env_flag;
+char *kerberos_instance = "root";
+int help_flag;
+int version_flag;
+char *cmd;
+
+struct getargs args[] = {
+    { "kerberos", 'K', arg_negative_flag, &kerberos_flag,
+      "don't use kerberos" },
+    { NULL,	  'f', arg_flag,	  &csh_f_flag,
+      "don't read .cshrc" },
+    { "full",	  'l', arg_flag,          &full_login,
+      "simulate full login" },
+    { NULL,	  'm', arg_flag,          &env_flag,
+      "leave environment unmodified" },
+    { "instance", 'i', arg_string,        &kerberos_instance,
+      "root instance to use" },
+    { "command",  'c', arg_string,        &cmd,
+      "command to execute" },
+    { "help", 	  'h', arg_flag,          &help_flag },
+    { "version",  0,   arg_flag,          &version_flag },
+};
+
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "[login [shell arguments]]");
+    exit (ret);
+}
+
+static struct passwd*
+make_info(struct passwd *pwd)
+{
+    struct passwd *info;
+    info = malloc(sizeof(*info));
+    if(info == NULL)
+	return NULL;
+    info->pw_name = strdup(pwd->pw_name);
+    info->pw_passwd = strdup(pwd->pw_passwd);
+    info->pw_uid = pwd->pw_uid;
+    info->pw_gid = pwd->pw_gid;
+    info->pw_dir = strdup(pwd->pw_dir);
+    info->pw_shell = strdup(pwd->pw_shell);
+    if(info->pw_name == NULL || info->pw_passwd == NULL ||
+       info->pw_dir == NULL || info->pw_shell == NULL)
+	return NULL;
+    return info;
+}
+
+#ifdef KRB5
+static krb5_context context;
+static krb5_ccache ccache;
+#endif
+
+static int
+krb5_verify(struct passwd *login_info, struct passwd *su_info,
+	    const char *kerberos_instance)
+{
+#ifdef KRB5
+    krb5_error_code ret;
+    krb5_principal p;
+	
+    ret = krb5_init_context (&context);
+    if (ret) {
+#if 0
+	warnx("krb5_init_context failed: %d", ret);
+#endif
+	return 1;
+    }
+	
+    if (strcmp (su_info->pw_name, "root") == 0)
+	ret = krb5_make_principal(context, &p, NULL, 
+				  login_info->pw_name,
+				  kerberos_instance,
+				  NULL);
+    else
+	ret = krb5_make_principal(context, &p, NULL, 
+				  su_info->pw_name,
+				  NULL);
+    if(ret)
+	return 1;
+	
+    if(su_info->pw_uid != 0 || krb5_kuserok(context, p, su_info->pw_name)) {
+	ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
+	if(ret) {
+#if 1
+	    krb5_warn(context, ret, "krb5_cc_gen_new");
+#endif
+	    krb5_free_principal (context, p);
+	    return 1;
+	}
+	ret = krb5_verify_user_lrealm(context, p, ccache, NULL, TRUE, NULL);
+	krb5_free_principal (context, p);
+	if(ret) {
+	    krb5_cc_destroy(context, ccache);
+	    switch (ret) {
+	    case KRB5_LIBOS_PWDINTR :
+		break;
+	    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+	    case KRB5KRB_AP_ERR_MODIFIED:
+		krb5_warnx(context, "Password incorrect");
+		break;
+	    default :
+		krb5_warn(context, ret, "krb5_verify_user");
+		break;
+	    }
+	    return 1;
+	}
+	return 0;
+    }
+    krb5_free_principal (context, p);
+#endif
+    return 1;
+}
+
+#ifdef KRB5
+static int
+krb5_start_session(void)
+{
+    krb5_ccache ccache2;
+    char *cc_name;
+    int ret;
+
+    ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache2);
+    if (ret) {
+	krb5_cc_destroy(context, ccache);
+	return 1;
+    }
+
+    ret = krb5_cc_copy_cache(context, ccache, ccache2);
+
+    asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2),
+	     krb5_cc_get_name(context, ccache2));
+    esetenv("KRB5CCNAME", cc_name, 1);
+
+    /* we want to export this even if we don't directly support KRB4 */
+    {
+#ifndef TKT_ROOT
+#define TKT_ROOT "/tmp/tkt"
+#endif
+	int fd;
+	char tkfile[256];
+	strlcpy(tkfile, TKT_ROOT, sizeof(tkfile));
+	strlcat(tkfile, "_XXXXXX", sizeof(tkfile));
+	fd = mkstemp(tkfile);
+	if(fd >= 0) {
+	    close(fd);
+	    esetenv("KRBTKFILE", tkfile, 1);
+	}
+    }
+            
+#ifdef KRB4
+    /* convert creds? */
+    if(k_hasafs()) {
+	if (k_setpag() == 0)
+	    krb5_afslog(context, ccache2, NULL, NULL);
+    }
+#endif
+            
+    krb5_cc_close(context, ccache2);
+    krb5_cc_destroy(context, ccache);
+    return 0;
+}
+#endif
+
+static int
+verify_unix(struct passwd *su)
+{
+    char prompt[128];
+    char pw_buf[1024];
+    char *pw;
+    int r;
+    if(su->pw_passwd != NULL && *su->pw_passwd != '\0') {
+	snprintf(prompt, sizeof(prompt), "%s's password: ", su->pw_name);
+	r = des_read_pw_string(pw_buf, sizeof(pw_buf), prompt, 0);
+	if(r != 0)
+	    exit(0);
+	pw = crypt(pw_buf, su->pw_passwd);
+	memset(pw_buf, 0, sizeof(pw_buf));
+	if(strcmp(pw, su->pw_passwd) != 0)
+	    return 1;
+    }
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int i, optind = 0;
+    char *su_user;
+    struct passwd *su_info;
+    char *login_user = NULL;
+    struct passwd *login_info;
+
+    struct passwd *pwd;
+
+    char *shell;
+
+    int ok = 0;
+    int kerberos_error=1;
+
+    setprogname (argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+
+    for (i=0; i < optind; i++)
+      if (strcmp(argv[i], "-") == 0) {
+	 full_login = 1;
+	 break;
+      }
+	
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    if(optind >= argc)
+	su_user = "root";
+    else
+	su_user = argv[optind++];
+
+    pwd = k_getpwnam(su_user);
+    if(pwd == NULL)
+	errx (1, "unknown login %s", su_user);
+    if (pwd->pw_uid == 0 && strcmp ("root", su_user) != 0) {
+	syslog (LOG_ALERT, "NIS attack, user %s has uid 0", su_user);
+	errx (1, "unknown login %s", su_user);
+    }
+    su_info = make_info(pwd);
+    
+#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
+    login_user = getlogin();
+#endif
+    if(login_user == NULL || (pwd = getpwnam(login_user)) == NULL)
+	pwd = getpwuid(getuid());
+    if(pwd == NULL)
+	errx(1, "who are you?");
+    login_info = make_info(pwd);
+    if(env_flag)
+	shell = login_info->pw_shell;
+    else
+	shell = su_info->pw_shell;
+    if(shell == NULL || *shell == '\0')
+	shell = _PATH_BSHELL;
+    
+    if(kerberos_flag && ok == 0 &&
+      (kerberos_error=krb5_verify(login_info, su_info, kerberos_instance)) == 0)
+	ok++;
+
+    if(ok == 0 && login_info->pw_uid && verify_unix(su_info) != 0) {
+	printf("Sorry!\n");
+	exit(1);
+    }
+
+#ifdef HAVE_GETSPNAM
+   {  struct spwd *sp;
+      long    today;
+    
+    sp = getspnam(su_info->pw_name);
+    if (sp != NULL) {
+	today = time(0)/(24L * 60 * 60);
+	if (sp->sp_expire > 0) {
+	    if (today >= sp->sp_expire) {
+		if (login_info->pw_uid) 
+		    errx(1,"Your account has expired.");
+		else
+		    printf("Your account has expired.");
+            }
+            else if (sp->sp_expire - today < 14) 
+                printf("Your account will expire in %d days.\n",
+		       (int)(sp->sp_expire - today));
+	} 
+	if (sp->sp_max > 0) {
+	    if (today >= sp->sp_lstchg + sp->sp_max) {
+		if (login_info->pw_uid)    
+		    errx(1,"Your password has expired. Choose a new one.");
+		else
+		    printf("Your password has expired. Choose a new one.");
+	    }
+	    else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn)
+		printf("Your account will expire in %d days.\n",
+		       (int)(sp->sp_lstchg + sp->sp_max -today));
+	}
+    }
+    }
+#endif
+    {
+	char *tty = ttyname (STDERR_FILENO);
+	syslog (LOG_NOTICE | LOG_AUTH, tty ? "%s to %s" : "%s to %s on %s",
+		login_info->pw_name, su_info->pw_name, tty);
+    }
+
+
+    if(!env_flag) {
+	if(full_login) {
+	    char *t = getenv ("TERM");
+	    
+	    environ = malloc (10 * sizeof (char *));
+	    if (environ == NULL)
+		err (1, "malloc");
+	    environ[0] = NULL;
+	    esetenv ("PATH", _PATH_DEFPATH, 1);
+	    if (t)
+		esetenv ("TERM", t, 1);
+	    if (chdir (su_info->pw_dir) < 0)
+		errx (1, "no directory");
+	}
+	if (full_login || su_info->pw_uid)
+	    esetenv ("USER", su_info->pw_name, 1);
+	esetenv("HOME", su_info->pw_dir, 1);
+	esetenv("SHELL", shell, 1);
+    }
+
+    {
+	int i;
+	char **args;
+	char *p;
+
+	p = strrchr(shell, '/');
+	if(p)
+	    p++;
+	else
+	    p = shell;
+
+	if (strcmp(p, "csh") != 0)
+	    csh_f_flag = 0;
+
+        args = malloc(((cmd ? 2 : 0) + 1 + argc - optind + 1 + csh_f_flag) * sizeof(*args));
+	if (args == NULL)
+	    err (1, "malloc");
+	i = 0;
+	if(full_login)
+	    asprintf(&args[i++], "-%s", p);
+	else
+	    args[i++] = p;
+	if (cmd) {
+	   args[i++] = "-c";
+	   args[i++] = cmd;
+	}  
+	   
+	if (csh_f_flag)
+	    args[i++] = "-f";
+
+	for (argv += optind; *argv; ++argv)
+	   args[i++] = *argv;
+	args[i] = NULL;
+	
+	if(setgid(su_info->pw_gid) < 0)
+	    err(1, "setgid");
+	if (initgroups (su_info->pw_name, su_info->pw_gid) < 0)
+	    err (1, "initgroups");
+	if(setuid(su_info->pw_uid) < 0
+	   || (su_info->pw_uid != 0 && setuid(0) == 0))
+	    err(1, "setuid");
+
+#ifdef KRB5
+        if (!kerberos_error)
+           krb5_start_session();
+#endif
+	execv(shell, args);
+    }
+    
+    exit(1);
+}
diff --git a/crypto/heimdal/appl/telnet/ChangeLog b/crypto/heimdal/appl/telnet/ChangeLog
new file mode 100644
index 0000000..147066a
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/ChangeLog
@@ -0,0 +1,464 @@
+2001-04-25  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (start_login): give the correct error if exec
+	fails
+	* telnetd/utility.c (fatalperror_errno): add a new function with
+	explicit errno parameter
+
+2001-03-07  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c: some minimal more amount of
+ 	const-correctness
+
+2001-02-24  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/enc_des.c: learn to live with libcrypto (from openssl)
+
+2001-02-20  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): copy the hostname so it doesn't get
+	overwritten while reading ~/.telnetrc
+	(*): removed some unneeded externs
+
+2001-02-08  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (startslave, start_login): re-write code to
+	keep track both of remote hostname and utmp string to be used
+	* telnetd/telnetd.c (doit, my_telnet): re-write code to keep track
+	both of remote hostname and utmp string to be used
+
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* telnet/Makefile.am, telnetd/Makefile.am: add LIB_kdfs
+
+2001-01-09  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_is): use krb5_rd_cred2 instead
+	of krb5_rd_cred
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* telnet/main.c (krb5_init): check krb5_init_context for success
+	* libtelnet/kerberos5.c (kerberos5_init): check krb5_init_context
+	for success
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (sourceroute): make it not break if the
+	rfc2292 api does not exist
+
+2000-12-09  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (scrub_env): add supporting non-file TERMCAP
+	variables
+
+2000-12-07  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.h: move include files around to avoid getting SE
+	from sys/*.h on HP to override SE from telnet.h
+
+	* telnetd/sys_term.c (scrub_env): remove some const-ness
+	* telnetd/sys_term.c (scrub_env): add LOGNAME and POSIXLY_CORRECT
+	to the list of authorized environment variables to be compatible
+	with linux-telnetd
+
+	* telnetd/sys_term.c (scrub_env): change filtering algoritm from
+	allowing everything except a few bad cases to not allowing
+	anything except a few non-dangerous cases
+
+2000-12-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* libtelnet/kerberos5.c: de-pointerise auth_context parameter to
+	krb5_mk_rep
+
+2000-11-23  Johan Danielsson  <joda@pdc.kth.se>
+
+	* libtelnet/kerberos5.c: print the principal we're trying to use
+
+	* libtelnet/kerberos.c: print the principal we're trying to use
+
+2000-11-16  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/misc-proto.h (telnet_getenv): const-ize some
+
+2000-11-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* telnet/telnet.c: fake entry if no tgetent
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/utility.c (stilloob): check that fds are not too large
+	to select on
+	(ttloop): remove confusing output of errno
+	* telnetd/telnetd.c (my_telnet): check that fds are not too large
+	to select on
+	* telnet/utilities.c (EmptyTerminal): check that fds are not too
+	large to select on
+	* telnet/sys_bsd.c (process_rings): check that fds are not too
+	large to select on
+	* telnet/network.c (stilloob): check that fds are not too large to
+	select on
+
+2000-06-09  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c: remove all setuid(getuid()).  we do not
+	support telnet being setuid root
+
+2000-05-05  Assar Westerlund  <assar@sics.se>
+
+	* telnet/externs.h (sourceroute): update prototype
+	* telnet/commands.c (tn): re-enable source routing
+	(sourceroute): make it work again based on the code from
+	itojun@kame.net
+
+2000-03-28  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): clean-up a tiny little bit.  give-up if
+	we do not manage to connect to any address
+
+2000-03-26  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (*): make sure to always call time, ctime,
+	and gmtime with `time_t's.  there were some types (like in
+	lastlog) that we believed to always be time_t.  this has proven
+	wrong on Solaris 8 in 64-bit mode, where they are stored as 32-bit
+	quantities but time_t has gone up to 64 bits
+
+2000-03-03  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_init): check that we do have a
+	keytab before saying that we will support KERBEROS5
+
+2000-02-12  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): only set tos for AF_INET.  From
+	itojun@iijlab.net
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos.c (kerberos4_is): send a reject back to the
+	client when we're not authorized
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* telnet/ring.h (ring_encrypt): better proto
+	* telnet/ring.c (ring_encrypt): better proto
+
+2000-02-04  Assar Westerlund  <assar@sics.se>
+
+	* telnet/telnet_locl.h: klduge-around KLUDGELINEMODE
+
+2000-01-18  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/misc.c (auth_encrypt_user): const-ify
+	* libtelnet/misc.h (RemoteHostName, LocalHostName): const-ify
+	* libtelnet/misc.c (auth_encrypt_init, RemoteHostName,
+	LocalHostName): const-ify
+	* libtelnet/misc-proto.h (auth_encrypt_init, auth_encrypt_user):
+	const-ify
+	* libtelnet/encrypt.c (encrypt_init, Name): const-ify
+	* libtelnet/enc-proto.h (encrypt_init): const-ify
+	* libtelnet/auth.c (auth_init, Name): const-ify
+	* libtelnet/auth-proto.h (auth_init): const-ify
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): handle ai_canonname being set in any of
+	the addresses returnedby getaddrinfo.  glibc apparently returns
+	the reverse lookup of every address in ai_canonname.  remove some
+	unused variables.
+
+2000-01-01  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (addarg): make void (return value isn't check
+	anyway).  fatal error when malloc fails
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (*): handle ai_canonname not being set
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (doit): use getnameinfo_verified
+	* telnetd/telnetd.c: use getnameinfo
+	* telnet/commands.c: re-write to using getaddrinfo.  disable
+	source-routing for the moment, it doesn't seem to be used anyways.
+	
+1999-09-16  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c: revert 1.54, get_default_username should DTRT
+ 	now
+
+1999-09-05  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/utility.c (ttloop): make it return 1 if interrupted by a
+ 	signal, which must have been what was meant from the beginning
+
+	* telnetd/ext.h (ttloop): update prototype
+
+	* telnetd/authenc.c (telnet_spin): actually return the value from
+ 	ttloop (otherwise it's kind of bogus)
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (rmut): free utxp
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* telnet/main.c: add -G and config file support.  From Miroslav
+ 	Ruda <ruda@ics.muni.cz>
+
+	* telnetd/sys_term.c (rmut): work around utmpx strangness.  From
+ 	Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-08-02  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (doit): only free hp if != NULL.  From: Jonas
+ 	Oberg <jonas@coyote.org>
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (doit): remove unused variable mapped_sin
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/ext.h: update prototypes
+	
+	* telnetd/telnetd.c: make it handle v4 and v6 sockets.  (it
+	doesn't handle being given a v6 socket that's really talking to an
+	v4 adress (mapped) because the rest of the code in telnetd is not
+	able to handle it anyway).  please run two telnetd from your
+	inetd, one for v4 and one for v6.
+
+1999-07-07  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): extra bogus const-cast
+
+1999-07-06  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (start_login): print a different warning with
+ 	`-a otp'
+
+1999-06-24  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_send): set the addresses in the
+ 	auth_context
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* telnet/Makefile.am (INCLUDES): add $(INCLUDE_krb4)
+
+	* telnet/commands.c (togkrbdebug): conditionalize on
+ 	krb_disable_debug
+
+1999-06-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* telnet/commands.c: add kerberos debugging option
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): use get_default_username
+
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/state.c (telrcv): magic patch to make it work against
+ 	DOS Clarkson Telnet.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-04-25  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_send): use
+	`krb5_auth_setkeytype' instead of `krb5_auth_setenctype' to make
+	sure we get a DES session key.
+
+Thu Apr  1 16:59:27 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/Makefile.am: don't run check-local
+
+	* telnet/Makefile.am: don't run check-local
+
+Mon Mar 29 16:11:33 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/sys_term.c: _CRAY -> HAVE_STRUCT_UTMP_UT_ID
+
+Sat Mar 20 00:12:54 1999  Assar Westerlund  <assar@sics.se>
+
+	* telnet/authenc.c (telnet_gets): remove old extern declarations
+
+Thu Mar 18 11:20:16 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/Makefile.am: include Makefile.am.common
+
+	* telnet/Makefile.am: include Makefile.am.common
+
+	* libtelnet/Makefile.am: include Makefile.am.common
+
+	* Makefile.am: include Makefile.am.common
+
+Mon Mar 15 17:40:53 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/telnetd.c: replace perror/exit with fatalperror
+
+Sat Mar 13 22:18:57 1999  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (main): 0 -> STDIN_FILENO.  remove abs
+
+	* libtelnet/kerberos.c (kerberos4_is): syslog root logins
+
+Thu Mar 11 14:48:54 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/Makefile.in: add WFLAGS
+
+	* telnet/Makefile.in: add WFLAGS
+
+	* libtelnet/Makefile.in: add WFLAGS
+
+	* telnetd/sys_term.c: remove unused variables
+
+	* telnet/telnet.c: fix some warnings
+
+	* telnet/main.c: fix some warnings
+
+	* telnet/commands.c: fix types in format string
+
+	* libtelnet/auth.c: fix types in format string
+
+Mon Mar  1 10:50:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/sys_term.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+Mon Feb  1 04:08:36 1999  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): only call gethostbyname2 with AF_INET6
+ 	if we actually have IPv6.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+Sat Nov 21 16:51:00 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/sys_term.c (cleanup): don't call vhangup() on sgi:s
+
+Fri Aug 14 16:29:18 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* libtelnet/kerberos.c: krb_put_int -> KRB_PUT_INT
+
+Thu Jul 23 20:29:05 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* libtelnet/kerberos5.c: use krb5_verify_authenticator_checksum
+
+Mon Jul 13 22:00:09 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): don't advance hostent->h_addr_list, use
+ 	a copy instead
+
+Wed May 27 04:19:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/sys_bsd.c (process_rings): correct call to `stilloob'
+
+Fri May 15 19:38:19 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* libtelnet/kerberos5.c: Always print errors from mk_req.
+
+Fri May  1 07:16:59 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c: unifdef -DHAVE_H_ERRNO
+
+Sat Apr  4 15:00:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): moved the printing of `trying...' to the
+ 	loop
+
+Thu Mar 12 02:33:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/telnet_locl.h: include <term.h>. From Gregory S. Stark
+ 	<gsstark@mit.edu>
+
+Sat Feb 21 15:12:38 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/ext.h: add prototype for login_tty
+
+	* telnet/utilities.c (printsub): `direction' is now an int.
+
+	* libtelnet/misc-proto.h: add prototype for `printsub'
+
+Tue Feb 17 02:45:01 1998  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos.c (kerberos4_is): cred.pname should be
+ 	cred.pinst.  From <art@stacken.kth.se>
+
+Sun Feb 15 02:46:39 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/*/*.c: renamed `telnet' to `my_telnet' to avoid
+ 	conflicts with system header files on mklinux.
+
+Tue Feb 10 02:09:03 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c: new signature for `getterminaltype' and
+ 	`auth_wait'
+
+	* libtelnet: changed the signature of the authentication method
+ 	`status'
+
+Sat Feb  7 07:21:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* */*.c: replace HAS_GETTOS by HAVE_PARSETOS and HAVE_GETTOSBYNAME
+
+Fri Dec 26 16:17:10 1997  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): repair support for numeric addresses
+
+Sun Dec 21 09:40:31 1997  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos.c: fix up lots of stuff related to the
+ 	forwarding of v4 tickets.
+
+	* libtelnet/kerberos5.c (kerberos5_forward): zero out `creds'.
+
+Mon Dec 15 20:53:13 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* telnet/sys_bsd.c: Don't turn off OPOST in 8bit-mode.
+
+Tue Dec  9 19:26:50 1997  Assar Westerlund  <assar@sics.se>
+
+	* telnet/main.c (main): add 'b' to getopt
+
+Sat Nov 29 03:28:54 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* telnet/telnet.c: Change binary mode to do just that, and add a
+ 	eight-bit mode for just passing all characters.
+
+Sun Nov 16 04:37:02 1997  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_send): always ask for a session
+ 	key of type DES
+
+	* libtelnet/kerberos5.c: remove old garbage and fix call to
+ 	krb5_auth_con_setaddrs_from_fd
+
+Fri Nov 14 20:35:18 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* telnetd/telnetd.c: Output contents of /etc/issue.
+
+Mon Nov  3 07:09:16 1997  Assar Westerlund  <assar@sics.se>
+
+	* telnet/telnet_locl.h: only include <sys/termio.h> iff
+ 	!defined(HAVE_TERMIOS_H)
+
+	* libtelnet/kerberos.c (kerberos4_is): send the peer address to
+ 	krb_rd_req
+
+	* telnetd/telnetd.c (terminaltypeok): always return OK.  It used
+ 	to call `tgetent' to figure if it was a defined terminal type.
+  	It's possible to overflow tgetent so that's a bad idea.  The worst
+ 	that could happen by saying yes to all terminals is that the user
+ 	ends up with a terminal that has no definition on the local
+ 	system.  And besides, most telnet client has no support for
+ 	falling back to a different terminal type.
+
+Mon Oct 20 05:47:19 1997  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c: remove lots of old junk.  clean-up.
+  	better error checking and reporting.  tell the user permission
+ 	denied much earlier.
+
+	* libtelnet/kerberos.c (kerberos4_is): only print
+ 	UserNameRequested if != NULL
+
diff --git a/crypto/heimdal/appl/telnet/Makefile.am b/crypto/heimdal/appl/telnet/Makefile.am
new file mode 100644
index 0000000..eec013b
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/Makefile.am
@@ -0,0 +1,11 @@
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = libtelnet telnet telnetd
+
+dist-hook:
+	$(mkinstalldirs) $(distdir)/arpa
+	$(INSTALL_DATA) $(srcdir)/arpa/telnet.h $(distdir)/arpa
+
+EXTRA_DIST = README.ORIG telnet.state
diff --git a/crypto/heimdal/appl/telnet/Makefile.in b/crypto/heimdal/appl/telnet/Makefile.in
new file mode 100644
index 0000000..8a24b8b
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/Makefile.in
@@ -0,0 +1,559 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+SUBDIRS = libtelnet telnet telnetd
+
+EXTRA_DIST = README.ORIG telnet.state
+subdir = appl/telnet
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+DIST_SUBDIRS =  $(SUBDIRS)
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	for subdir in $(SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+dist-hook:
+	$(mkinstalldirs) $(distdir)/arpa
+	$(INSTALL_DATA) $(srcdir)/arpa/telnet.h $(distdir)/arpa
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/README.ORIG b/crypto/heimdal/appl/telnet/README.ORIG
new file mode 100644
index 0000000..37b588f
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/README.ORIG
@@ -0,0 +1,743 @@
+
+This is a distribution of both client and server telnet.  These programs
+have been compiled on:
+			telnet	telnetd
+	4.4 BSD-Lite	  x	  x
+	4.3 BSD Reno	  X	  X
+	UNICOS 9.1	  X	  X
+	UNICOS 9.0	  X	  X
+	UNICOS 8.0	  X	  X
+	BSDI 2.0	  X	  X
+	Solaris 2.4       x       x (no linemode in server)
+	SunOs 4.1.4	  X	  X (no linemode in server)
+	Ultrix 4.3	  X	  X (no linemode in server)
+	Ultrix 4.1	  X	  X (no linemode in server)
+
+In addition, previous versions have been compiled on the following
+machines, but were not available for testing this version.
+			telnet	telnetd
+	Next1.0		  X	  X
+	UNICOS 8.3	  X	  X
+	UNICOS 7.C	  X	  X
+	UNICOS 7.0	  X	  X
+	SunOs 4.0.3c	  X	  X (no linemode in server)
+	4.3 BSD		  X  	  X (no linemode in server)
+	DYNIX V3.0.12	  X	  X (no linemode in server)
+	Ultrix 3.1	  X	  X (no linemode in server)
+	Ultrix 4.0	  X	  X (no linemode in server)
+	SunOs 3.5	  X	  X (no linemode in server)
+	SunOs 4.1.3	  X	  X (no linemode in server)
+	Solaris 2.2       x       x (no linemode in server)
+	Solaris 2.3       x       x (no linemode in server)
+	BSDI 1.0	  X	  X
+	BSDI 1.1	  X	  X
+	DYNIX V3.0.17.9	  X	  X (no linemode in server)
+	HP-UX 8.0	  x       x (no linemode in server)
+
+This code should work, but there are no guarantees.
+
+May 30, 1995
+
+This release represents what is on the 4.4BSD-Lite2 release, which
+should be the final BSD release.  I will continue to support of
+telnet, The code (without encryption) is available via anonymous ftp
+from ftp.cray.com, in src/telnet/telnet.YY.MM.DD.NE.tar.Z, where
+YY.MM.DD is replaced with the year, month and day of the release.
+If you can't find it at one of these places, at some point in the
+near future information about the latest releases should be available
+from ftp.borman.com.
+
+In addition, the version with the encryption code is available via
+ftp from net-dist.mit.edu, in the directory /pub/telnet.  There
+is a README file there that gives further information on how
+to get the distribution.
+
+Questions, comments, bug reports and bug fixes can be sent to
+one of these addresses:
+		dab@borman.com
+		dab@cray.com
+		dab@bsdi.com
+
+This release is mainly bug fixes and code cleanup.
+
+	Replace all calls to bcopy()/bzero() with calls to
+	memmove()/memset() and all calls to index()/rindex()
+	with calls to strchr()/strrchr().
+
+	Add some missing diagnostics for option tracing
+	to telnetd.
+
+	Add support for BSDI 2.0 and Solaris 2.4.
+
+	Add support for UNICOS 8.0
+
+	Get rid of expanded tabs and trailing white spaces.
+
+	From Paul Vixie:
+		Fix for telnet going into an endless spin
+		when the session dies abnormally.
+
+	From Jef Poskanzer:
+		Changes to allow telnet to compile
+		under SunOS 3.5.
+
+	From Philip Guenther:
+		makeutx() doesn't expand utmpx,
+		use pututxline() instead.
+
+	From Chris Torek:
+		Add a sleep(1) before execing login
+		to avoid race condition that can eat
+		up the login prompt.
+		Use terminal speed directly if it is
+		not an encoded value.
+
+	From Steve Parker:
+		Fix to realloc() call.  Fix for execing
+		login on solaris with no user name.
+
+January 19, 1994
+
+This is a list of some of the changes since the last tar release
+of telnet/telnetd.  There are probably other changes that aren't
+listed here, but this should hit a lot of the main ones.
+
+   General:
+	Changed #define for AUTHENTICATE to AUTHENTICATION
+	Changed #define for ENCRYPT to ENCRYPTION
+	Changed #define for DES_ENCRYPT to DES_ENCRYPTION
+
+	Added support for SPX authentication: -DSPX
+
+	Added support for Kerberos Version 5 authentication: -DKRB5
+
+	Added support for ANSI C function prototypes
+
+	Added support for the NEW-ENVIRON option (RFC-1572)
+	including support for USERVAR.
+
+	Made support for the old Environment Option (RFC-1408)
+	conditional on -DOLD_ENVIRON
+
+	Added #define ENV_HACK - support for RFC 1571
+
+	The encryption code is removed from the public distributions.
+	Domestic 4.4 BSD distributions contain the encryption code.
+
+	ENV_HACK: Code to deal with systems that only implement
+		the old ENVIRON option, and have reversed definitions
+		of ENV_VAR and ENV_VAL.  Also fixes ENV processing in
+		client to handle things besides just the default set...
+
+	NO_BSD_SETJMP: UNICOS configuration for
+		UNICOS 6.1/6.0/5.1/5.0 systems.
+
+	STREAMSPTY: Use /dev/ptmx to get a clean pty.  This
+		is for SVr4 derivatives (Like Solaris)
+
+	UTMPX: For systems that have /etc/utmpx. This is for
+		SVr4 derivatives (Like Solaris)
+
+	Definitions for BSDI 1.0
+
+	Definitions for 4.3 Reno and 4.4 BSD.
+
+	Definitions for UNICOS 8.0 and UNICOS 7.C
+
+	Definitions for Solaris 2.0
+
+	Definitions for HP-UX 8.0
+
+	Latest Copyright notices from Berkeley.
+
+	FLOW-CONTROL: support for RFC-XXXx
+
+
+   Client Specific:
+
+	Fix the "send" command to not send garbage...
+
+	Fix status message for "skiprc"
+
+	Make sure to send NAWS after telnet has been suspended
+	or an external command has been run, if the window size
+	has changed.
+
+	sysV88 support.
+
+   Server Specific:
+
+	Support flowcontrol option in non-linemode servers.
+
+	-k Server supports Kludge Linemode, but will default to
+	   either single character mode or real Linemode support.
+	   The user will have to explicitly ask to switch into
+	   kludge linemode. ("stty extproc", or escape back to
+	   to telnet and say "mode line".)
+
+	-u Specify the length of the hostname field in the utmp
+	   file.  Hostname longer than this length will be put
+	   into the utmp file in dotted decimal notation, rather
+	   than putting in a truncated hostname.
+	
+	-U Registered hosts only.  If a reverse hostname lookup
+	   fails, the connection will be refused.
+
+	-f/-F
+	   Allows forwarding of credentials for KRB5.
+
+Februrary 22, 1991:
+
+    Features:
+
+	This version of telnet/telnetd has support for both
+	the AUTHENTICATION and ENCRYPTION options.  The
+	AUTHENTICATION option is fairly well defined, and
+	an option number has been assigned to it.  The
+	ENCRYPTION option is still in a state of flux; an
+	option number has been assigned to, but it is still
+	subject to change.  The code is provided in this release
+	for experimental and testing purposes.
+
+	The telnet "send" command can now be used to send
+	do/dont/will/wont commands, with any telnet option
+	name.  The rules for when do/dont/will/wont are sent
+	are still followed, so just because the user requests
+	that one of these be sent doesn't mean that it will
+	be sent...
+
+	The telnet "getstatus" command no longer requires
+	that option printing be enabled to see the response
+	to the "DO STATUS" command.
+
+	A -n flag has been added to telnetd to disable
+	keepalives.
+
+	A new telnet command, "auth" has been added (if
+	AUTHENTICATE is defined).  It has four sub-commands,
+	"status", "disable", "enable" and "help".
+
+	A new telnet command, "encrypt" has been added (if
+	ENCRYPT is defined).  It has many sub-commands:
+	"enable", "type", "start", "stop", "input",
+	"-input", "output", "-output", "status", and "help".
+
+	The LOGOUT option is now supported by both telnet
+	and telnetd, a new command, "logout", was added
+	to support this.
+
+	Several new toggle options were added:
+	    "autoencrypt", "autodecrypt", "autologin", "authdebug",
+	    "encdebug", "skiprc", "verbose_encrypt"
+
+	An "rlogin" interface has been added.  If the program
+	is named "rlogin", or the "-r" flag is given, then
+	an rlogin type of interface will be used.
+		~.	Terminates the session
+		~<susp> Suspend the session
+		~^]	Escape to telnet command mode
+		~~	Pass through the ~.
+	    BUG: If you type the rlogin escape character
+		 in the middle of a line while in rlogin
+		 mode, you cannot erase it or any characters
+		 before it.  Hopefully this can be fixed
+		 in a future release...
+
+    General changes:
+
+	A "libtelnet.a" has now been created.  This libraray
+	contains code that is common to both telnet and
+	telnetd.  This is also where library routines that
+	are needed, but are not in the standard C library,
+	are placed.
+
+	The makefiles have been re-done.  All of the site
+	specific configuration information has now been put
+	into a single "Config.generic" file, in the top level
+	directory.  Changing this one file will take care of
+	all three subdirectories.  Also, to add a new/local
+	definition, a "Config.local" file may be created
+	at the top level; if that file exists, the subdirectories
+	will use that file instead of "Config.generic".
+
+	Many 1-2 line functions in commands.c have been
+	removed, and just inserted in-line, or replaced
+	with a macro.
+
+    Bug Fixes:
+
+	The non-termio code in both telnet and telnetd was
+	setting/clearing CTLECH in the sg_flags word.  This
+	was incorrect, and has been changed to set/clear the
+	LCTLECH bit in the local mode word.
+
+	The SRCRT #define has been removed.  If IP_OPTIONS
+	and IPPROTO_IP are defined on the system, then the
+	source route code is automatically enabled.
+
+	The NO_GETTYTAB #define has been removed; there
+	is a compatability routine that can be built into
+	libtelnet to achive the same results.
+
+	The server, telnetd, has been switched to use getopt()
+	for parsing the argument list.
+
+	The code for getting the input/output speeds via
+	cfgetispeed()/cfgetospeed() was still not quite
+	right in telnet.  Posix says if the ispeed is 0,
+	then it is really equal to the ospeed.
+
+	The suboption processing code in telnet now has
+	explicit checks to make sure that we received
+	the entire suboption (telnetd was already doing this).
+
+	The telnet code for processing the terminal type
+	could cause a core dump if an existing connection
+	was closed, and a new connection opened without
+	exiting telnet.
+
+	Telnetd was doing a TCSADRAIN when setting the new
+	terminal settings;  This is not good, because it means
+	that the tcsetattr() will hang waiting for output to
+	drain, and telnetd is the only one that will drain
+	the output...  The fix is to use TCSANOW which does
+	not wait.
+
+	Telnetd was improperly setting/clearing the ISTRIP
+	flag in the c_lflag field, it should be using the
+	c_iflag field. 
+
+	When the child process of telnetd was opening the
+	slave side of the pty, it was re-setting the EXTPROC
+	bit too early, and some of the other initialization
+	code was wiping it out.  This would cause telnetd
+	to go out of linemode and into single character mode.
+
+	One instance of leaving linemode in telnetd forgot
+	to send a WILL ECHO to the client, the net result
+	would be that the user would see double character
+	echo.
+
+	If the MODE was being changed several times very
+	quickly, telnetd could get out of sync with the
+	state changes and the returning acks; and wind up
+	being left in the wrong state.
+
+September 14, 1990:
+
+	Switch the client to use getopt() for parsing the
+	argument list.  The 4.3Reno getopt.c is included for
+	systems that don't have getopt().
+
+	Use the posix _POSIX_VDISABLE value for what value
+	to use when disabling special characters.  If this
+	is undefined, it defaults to 0x3ff.
+
+	For non-termio systems, TIOCSETP was being used to
+	change the state of the terminal.  This causes the
+	input queue to be flushed, which we don't want.  This
+	is now changed to TIOCSETN.
+
+	Take out the "#ifdef notdef" around the code in the
+	server that generates a "sync" when the pty oputput
+	is flushed.  The potential problem is that some older
+	telnet clients may go into an infinate loop when they
+	receive a "sync", if so, the server can be compiled
+	with "NO_URGENT" defined.
+
+	Fix the client where it was setting/clearing the OPOST
+	bit in the c_lflag field, not the c_oflag field.
+
+	Fix the client where it was setting/clearing the ISTRIP
+	bit in the c_lflag field, not the c_iflag field.  (On
+	4.3Reno, this is the ECHOPRT bit in the c_lflag field.)
+	The client also had its interpretation of WILL BINARY
+	and DO BINARY reversed.
+
+	Fix a bug in client that would cause a core dump when
+	attempting to remove the last environment variable.
+
+	In the client, there were a few places were switch()
+	was being passed a character, and if it was a negative
+	value, it could get sign extended, and not match
+	the 8 bit case statements.  The fix is to and the
+	switch value with 0xff.
+
+	Add a couple more printoption() calls in the client, I
+	don't think there are any more places were a telnet
+	command can be received and not printed out when
+	"options" is on.
+
+	A new flag has been added to the client, "-a".  Currently,
+	this just causes the USER name to be sent across, in
+	the future this may be used to signify that automatic
+	authentication is requested.
+
+	The USER variable is now only sent by the client if
+	the "-a" or "-l user" options are explicity used, or
+	if the user explicitly asks for the "USER" environment
+	variable to be exported.  In the server, if it receives
+	the "USER" environment variable, it won't print out the
+	banner message, so that only "Password:" will be printed.
+	This makes the symantics more like rlogin, and should be
+	more familiar to the user.  (People are not used to
+	getting a banner message, and then getting just a
+	"Password:" prompt.)
+
+	Re-vamp the code for starting up the child login
+	process.  The code was getting ugly, and it was
+	hard to tell what was really going on.  What we
+	do now is after the fork(), in the child:
+		1) make sure we have no controlling tty
+		2) open and initialize the tty
+		3) do a setsid()/setpgrp()
+		4) makes the tty our controlling tty.
+	On some systems, #2 makes the tty our controlling
+	tty, and #4 is a no-op.  The parent process does
+	a gets rid of any controlling tty after the child
+	is fork()ed.
+
+	Use the strdup() library routine in telnet, instead
+	of the local savestr() routine.  If you don't have
+	strdup(), you need to define NO_STRDUP.
+
+	Add support for ^T (SIGINFO/VSTATUS), found in the
+	4.3Reno distribution.  This maps to the AYT character.
+	You need a 4-line bugfix in the kernel to get this
+	to work properly:
+
+	> *** tty_pty.c.ORG	Tue Sep 11 09:41:53 1990
+	> --- tty_pty.c	Tue Sep 11 17:48:03 1990
+	> ***************
+	> *** 609,613 ****
+	> 			if ((tp->t_lflag&NOFLSH) == 0)
+	> 				ttyflush(tp, FREAD|FWRITE);
+	> ! 			pgsignal(tp->t_pgrp, *(unsigned int *)data);
+	> 			return(0);
+	> 		}
+	> --- 609,616 ----
+	> 			if ((tp->t_lflag&NOFLSH) == 0)
+	> 				ttyflush(tp, FREAD|FWRITE);
+	> ! 			pgsignal(tp->t_pgrp, *(unsigned int *)data, 1);
+	> ! 			if ((*(unsigned int *)data == SIGINFO) &&
+	> ! 			    ((tp->t_lflag&NOKERNINFO) == 0))
+	> ! 				ttyinfo(tp);
+	> 			return(0);
+	> 		}
+
+	The client is now smarter when setting the telnet escape
+	character; it only sets it to one of VEOL and VEOL2 if
+	one of them is undefined, and the other one is not already
+	defined to the telnet escape character.
+
+	Handle TERMIOS systems that have seperate input and output
+	line speed settings imbedded in the flags.
+
+	Many other minor bug fixes.
+
+June 20, 1990:
+	Re-organize makefiles and source tree.  The telnet/Source
+	directory is now gone, and all the source that was in
+	telnet/Source is now just in the telnet directory.
+
+	Seperate makefile for each system are now gone.  There
+	are two makefiles, Makefile and Makefile.generic.
+	The "Makefile" has the definitions for the various
+	system, and "Makefile.generic" does all the work.
+	There is a variable called "WHAT" that is used to
+	specify what to make.  For example, in the telnet
+	directory, you might say:
+		make 4.4bsd WHAT=clean
+	to clean out the directory.
+
+	Add support for the ENVIRON and XDISPLOC options.
+	In order for the server to work, login has to have
+	the "-p" option to preserve environment variables.
+
+	Add the SOFT_TAB and LIT_ECHO modes in the LINEMODE support.
+
+	Add the "-l user" option to command line and open command
+	(This is passed through the ENVIRON option).
+
+	Add the "-e" command line option, for setting the escape
+	character.
+
+	Add the "-D", diagnostic, option to the server.  This allows
+	the server to print out debug information, which is very
+	useful when trying to debug a telnet that doesn't have any
+	debugging ability.
+
+	Turn off the literal next character when not in LINEMODE.
+
+	Don't recognize ^Y locally, just pass it through.
+
+	Make minor modifications for Sun4.0 and Sun4.1
+
+	Add support for both FORW1 and FORW2 characters.  The
+	telnet escpape character is set to whichever of the
+	two is not being used.  If both are in use, the escape
+	character is not set, so when in linemode the user will
+	have to follow the escape character with a <CR> or <EOF)
+	to get it passed through.
+
+	Commands can now be put in single and double quotes, and
+	a backslash is now an escape character.  This is needed
+	for allowing arbitrary strings to be assigned to environment
+	variables.
+
+	Switch telnetd to use macros like telnet for keeping
+	track of the state of all the options.
+
+	Fix telnetd's processing of options so that we always do
+	the right processing of the LINEMODE option, regardless
+	of who initiates the request to turn it on.  Also, make
+	sure that if the other side went "WILL ECHO" in response
+	to our "DO ECHO", that we send a "DONT ECHO" to get the
+	option turned back off!
+
+	Fix the TERMIOS setting of the terminal speed to handle both
+	BSD's seperate fields, and the SYSV method of CBAUD bits.
+
+	Change how we deal with the other side refusing to enable
+	an option.  The sequence used to be: send DO option; receive
+	WONT option; send DONT option.  Now, the sequence is: send
+	DO option; receive WONT option.  Both should be valid
+	according to the spec, but there has been at least one
+	client implementation of telnet identified that can get
+	really confused by this.  (The exact sequence, from a trace
+	on the server side, is (numbers are number of responses that
+	we expect to get after that line...):
+
+		send WILL ECHO	1 (initial request)
+		send WONT ECHO	2 (server is changing state)
+		recv DO ECHO	1 (first reply, ok.  expect DONT ECHO next)
+		send WILL ECHO	2 (server changes state again)
+		recv DONT ECHO	1 (second reply, ok.  expect DO ECHO next)
+		recv DONT ECHO	0 (third reply, wrong answer. got DONT!!!)
+	***	send WONT ECHO	  (send WONT to acknowledge the DONT)
+		send WILL ECHO	1 (ask again to enable option)
+		recv DO ECHO	0
+
+		recv DONT ECHO	0
+		send WONT ECHO	1
+		recv DONT ECHO	0
+		recv DO ECHO	1
+		send WILL ECHO	0
+		(and the last 5 lines loop forever)
+
+	The line with the "***" is last of the WILL/DONT/WONT sequence.
+	The change to the server to not generate that makes this same
+	example become:
+
+		send will ECHO	1
+		send wont ECHO	2
+		recv do ECHO	1
+		send will ECHO	2
+		recv dont ECHO	1
+		recv dont ECHO	0
+		recv do ECHO	1
+		send will ECHO	0
+
+	There is other option negotiation going on, and not sending
+	the third part changes some of the timings, but this specific
+	example no longer gets stuck in a loop.  The "telnet.state"
+	file has been modified to reflect this change to the algorithm.
+
+	A bunch of miscellaneous bug fixes and changes to make
+	lint happier.
+
+	This version of telnet also has some KERBEROS stuff in
+	it. This has not been tested, it uses an un-authorized
+	telnet option number, and uses an out-of-date version
+	of the (still being defined) AUTHENTICATION option.
+	There is no support for this code, do not enable it.
+
+
+March 1, 1990:
+CHANGES/BUGFIXES SINCE LAST RELEASE:
+	Some support for IP TOS has been added.  Requires that the
+	kernel support the IP_TOS socket option (currently this
+	is only in UNICOS 6.0).
+
+	Both telnet and telnetd now use the cc_t typedef.  typedefs are
+	included for systems that don't have it (in termios.h).
+
+	SLC_SUSP was not supported properly before.  It is now.
+
+	IAC EOF was not translated  properly in telnetd for SYSV_TERMIO
+	when not in linemode.  It now saves a copy of the VEOF character,
+	so that when ICANON is turned off and we can't trust it anymore
+	(because it is now the VMIN character) we use the saved value.
+
+	There were two missing "break" commands in the linemode
+	processing code in telnetd.
+
+	Telnetd wasn't setting the kernel window size information
+	properly.  It was using the rows for both rows and columns...
+
+Questions/comments go to
+		David Borman
+		Cray Research, Inc.
+		655F Lone Oak Drive
+		Eagan, MN 55123
+		dab@cray.com.
+
+README:	You are reading it.
+
+Config.generic:
+	This file contains all the OS specific definitions.  It
+	has pre-definitions for many common system types, and is
+	in standard makefile fromat.  See the comments at the top
+	of the file for more information.
+
+Config.local:
+	This is not part of the distribution, but if this file exists,
+	it is used instead of "Config.generic".  This allows site
+	specific configuration without having to modify the distributed
+	"Config.generic" file.
+
+kern.diff:
+	This file contains the diffs for the changes needed for the
+	kernel to support LINEMODE is the server.  These changes are
+	for a 4.3BSD system.  You may need to make some changes for
+	your particular system.
+
+	There is a new bit in the terminal state word, TS_EXTPROC.
+	When this bit is set, several aspects of the terminal driver
+	are disabled.  Input line editing, character echo, and
+	mapping of signals are all disabled.  This allows the telnetd
+	to turn of these functions when in linemode, but still keep
+	track of what state the user wants the terminal to be in.
+
+	New ioctl()s:
+
+		TIOCEXT		Turn on/off the TS_EXTPROC bit
+		TIOCGSTATE	Get t_state of tty to look at TS_EXTPROC bit
+		TIOCSIG		Generate a signal to processes in the
+				current process group of the pty.
+
+	There is a new mode for packet driver, the TIOCPKT_IOCTL bit.
+	When packet mode is turned on in the pty, and the TS_EXTPROC
+	bit is set, then whenever the state of the pty is changed, the
+	next read on the master side of the pty will have the TIOCPKT_IOCTL
+	bit set, and the data will contain the following:
+		struct xx {
+			struct sgttyb a;
+			struct tchars b;
+			struct ltchars c;
+			int t_state;
+			int t_flags;
+		}
+	This allows the process on the server side of the pty to know
+	when the state of the terminal has changed, and what the new
+	state is.
+
+	However, if you define USE_TERMIO or SYSV_TERMIO, the code will
+	expect that the structure returned in the TIOCPKT_IOCTL is
+	the termio/termios structure.
+
+stty.diff:
+	This file contains the changes needed for the stty(1) program
+	to report on the current status of the TS_EXTPROC bit.  It also
+	allows the user to turn on/off the TS_EXTPROC bit.  This is useful
+	because it allows the user to say "stty -extproc", and the
+	LINEMODE option will be automatically disabled, and saying "stty
+	extproc" will re-enable the LINEMODE option.
+
+telnet.state:
+	Both the client and server have code in them to deal
+	with option negotiation loops.  The algorithm that is
+	used is described in this file.
+
+telnet:
+	This directory contains the client code.  No kernel changes are
+	needed to use this code.
+
+telnetd:
+	This directory contains the server code.  If LINEMODE or KLUDGELINEMODE
+	are defined, then the kernel modifications listed above are needed.
+
+libtelnet:
+	This directory contains code that is common to both the client
+	and the server.
+
+arpa:
+	This directory has a new <arpa/telnet.h>
+
+libtelnet/Makefile.4.4:
+telnet/Makefile.4.4:
+telnetd/Makefile.4.4:
+	These are the makefiles that can be used on a 4.3Reno
+	system when this software is installed in /usr/src/lib/libtelnet,
+	/usr/src/libexec/telnetd, and /usr/src/usr.bin/telnet.
+
+
+The following TELNET options are supported:
+	
+	LINEMODE:
+		The LINEMODE option is supported as per RFC1116.  The
+		FORWARDMASK option is not currently supported.
+
+	BINARY: The client has the ability to turn on/off the BINARY
+		option in each direction.  Turning on BINARY from
+		server to client causes the LITOUT bit to get set in
+		the terminal driver on both ends,  turning on BINARY
+		from the client to the server causes the PASS8 bit
+		to get set in the terminal driver on both ends.
+
+	TERMINAL-TYPE:
+		This is supported as per RFC1091.  On the server side,
+		when a terminal type is received, termcap/terminfo
+		is consulted to determine if it is a known terminal
+		type.  It keeps requesting terminal types until it
+		gets one that it recongnizes, or hits the end of the
+		list.  The server side looks up the entry in the
+		termcap/terminfo data base, and generates a list of
+		names which it then passes one at a time to each
+		request for a terminal type, duplicating the last
+		entry in the list before cycling back to the beginning.
+
+	NAWS:	The Negotiate about Window Size, as per RFC 1073.
+
+	TERMINAL-SPEED:
+		Implemented as per RFC 1079
+
+	TOGGLE-FLOW-CONTROL:
+		Implemented as per RFC 1080
+
+	TIMING-MARK:
+		As per RFC 860
+
+	SGA:	As per RFC 858
+
+	ECHO:	As per RFC 857
+
+	LOGOUT: As per RFC 727
+
+	STATUS:
+		The server will send its current status upon
+		request.  It does not ask for the clients status.
+		The client will request the servers current status
+		from the "send getstatus" command.
+
+	ENVIRON:
+		This option is currently being defined by the IETF
+		Telnet Working Group, and an RFC has not yet been
+		issued, but should be in the near future...
+
+	X-DISPLAY-LOCATION:
+		This functionality can be done through the ENVIRON
+		option, it is added here for completeness.
+
+	AUTHENTICATION:
+		This option is currently being defined by the IETF
+		Telnet Working Group, and an RFC has not yet been
+		issued.  The basic framework is pretty much decided,
+		but the definitions for the specific authentication
+		schemes is still in a state of flux.
+
+	ENCRYPTION:
+		This option is currently being defined by the IETF
+		Telnet Working Group, and an RFC has not yet been
+		issued.  The draft RFC is still in a state of flux,
+		so this code may change in the future.
diff --git a/crypto/heimdal/appl/telnet/arpa/telnet.h b/crypto/heimdal/appl/telnet/arpa/telnet.h
new file mode 100644
index 0000000..5d9ef60
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/arpa/telnet.h
@@ -0,0 +1,323 @@
+/*
+ * Copyright (c) 1983, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)telnet.h	8.2 (Berkeley) 12/15/93
+ */
+
+#ifndef _TELNET_H_
+#define	_TELNET_H_
+
+/*
+ * Definitions for the TELNET protocol.
+ */
+#define	IAC	255		/* interpret as command: */
+#define	DONT	254		/* you are not to use option */
+#define	DO	253		/* please, you use option */
+#define	WONT	252		/* I won't use option */
+#define	WILL	251		/* I will use option */
+#define	SB	250		/* interpret as subnegotiation */
+#define	GA	249		/* you may reverse the line */
+#define	EL	248		/* erase the current line */
+#define	EC	247		/* erase the current character */
+#define	AYT	246		/* are you there */
+#define	AO	245		/* abort output--but let prog finish */
+#define	IP	244		/* interrupt process--permanently */
+#define	BREAK	243		/* break */
+#define	DM	242		/* data mark--for connect. cleaning */
+#define	NOP	241		/* nop */
+#define	SE	240		/* end sub negotiation */
+#define EOR     239             /* end of record (transparent mode) */
+#define	ABORT	238		/* Abort process */
+#define	SUSP	237		/* Suspend process */
+#define	xEOF	236		/* End of file: EOF is already used... */
+
+#define SYNCH	242		/* for telfunc calls */
+
+#ifdef TELCMDS
+char *telcmds[] = {
+	"EOF", "SUSP", "ABORT", "EOR",
+	"SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC",
+	"EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC", 0,
+};
+#else
+extern char *telcmds[];
+#endif
+
+#define	TELCMD_FIRST	xEOF
+#define	TELCMD_LAST	IAC
+#define	TELCMD_OK(x)	((unsigned int)(x) <= TELCMD_LAST && \
+			 (unsigned int)(x) >= TELCMD_FIRST)
+#define	TELCMD(x)	telcmds[(x)-TELCMD_FIRST]
+
+/* telnet options */
+#define TELOPT_BINARY	0	/* 8-bit data path */
+#define TELOPT_ECHO	1	/* echo */
+#define	TELOPT_RCP	2	/* prepare to reconnect */
+#define	TELOPT_SGA	3	/* suppress go ahead */
+#define	TELOPT_NAMS	4	/* approximate message size */
+#define	TELOPT_STATUS	5	/* give status */
+#define	TELOPT_TM	6	/* timing mark */
+#define	TELOPT_RCTE	7	/* remote controlled transmission and echo */
+#define TELOPT_NAOL 	8	/* negotiate about output line width */
+#define TELOPT_NAOP 	9	/* negotiate about output page size */
+#define TELOPT_NAOCRD	10	/* negotiate about CR disposition */
+#define TELOPT_NAOHTS	11	/* negotiate about horizontal tabstops */
+#define TELOPT_NAOHTD	12	/* negotiate about horizontal tab disposition */
+#define TELOPT_NAOFFD	13	/* negotiate about formfeed disposition */
+#define TELOPT_NAOVTS	14	/* negotiate about vertical tab stops */
+#define TELOPT_NAOVTD	15	/* negotiate about vertical tab disposition */
+#define TELOPT_NAOLFD	16	/* negotiate about output LF disposition */
+#define TELOPT_XASCII	17	/* extended ascic character set */
+#define	TELOPT_LOGOUT	18	/* force logout */
+#define	TELOPT_BM	19	/* byte macro */
+#define	TELOPT_DET	20	/* data entry terminal */
+#define	TELOPT_SUPDUP	21	/* supdup protocol */
+#define	TELOPT_SUPDUPOUTPUT 22	/* supdup output */
+#define	TELOPT_SNDLOC	23	/* send location */
+#define	TELOPT_TTYPE	24	/* terminal type */
+#define	TELOPT_EOR	25	/* end or record */
+#define	TELOPT_TUID	26	/* TACACS user identification */
+#define	TELOPT_OUTMRK	27	/* output marking */
+#define	TELOPT_TTYLOC	28	/* terminal location number */
+#define	TELOPT_3270REGIME 29	/* 3270 regime */
+#define	TELOPT_X3PAD	30	/* X.3 PAD */
+#define	TELOPT_NAWS	31	/* window size */
+#define	TELOPT_TSPEED	32	/* terminal speed */
+#define	TELOPT_LFLOW	33	/* remote flow control */
+#define TELOPT_LINEMODE	34	/* Linemode option */
+#define TELOPT_XDISPLOC	35	/* X Display Location */
+#define TELOPT_OLD_ENVIRON 36	/* Old - Environment variables */
+#define	TELOPT_AUTHENTICATION 37/* Authenticate */
+#define	TELOPT_ENCRYPT	38	/* Encryption option */
+#define TELOPT_NEW_ENVIRON 39	/* New - Environment variables */
+#define	TELOPT_EXOPL	255	/* extended-options-list */
+
+
+#define	NTELOPTS	(1+TELOPT_NEW_ENVIRON)
+#ifdef TELOPTS
+char *telopts[NTELOPTS+1] = {
+	"BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME",
+	"STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP",
+	"NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS",
+	"NAOVTD", "NAOLFD", "EXTEND ASCII", "LOGOUT", "BYTE MACRO",
+	"DATA ENTRY TERMINAL", "SUPDUP", "SUPDUP OUTPUT",
+	"SEND LOCATION", "TERMINAL TYPE", "END OF RECORD",
+	"TACACS UID", "OUTPUT MARKING", "TTYLOC",
+	"3270 REGIME", "X.3 PAD", "NAWS", "TSPEED", "LFLOW",
+	"LINEMODE", "XDISPLOC", "OLD-ENVIRON", "AUTHENTICATION",
+	"ENCRYPT", "NEW-ENVIRON",
+	0,
+};
+#define	TELOPT_FIRST	TELOPT_BINARY
+#define	TELOPT_LAST	TELOPT_NEW_ENVIRON
+#define	TELOPT_OK(x)	((unsigned int)(x) <= TELOPT_LAST)
+#define	TELOPT(x)	telopts[(x)-TELOPT_FIRST]
+#endif
+
+/* sub-option qualifiers */
+#define	TELQUAL_IS	0	/* option is... */
+#define	TELQUAL_SEND	1	/* send option */
+#define	TELQUAL_INFO	2	/* ENVIRON: informational version of IS */
+#define	TELQUAL_REPLY	2	/* AUTHENTICATION: client version of IS */
+#define	TELQUAL_NAME	3	/* AUTHENTICATION: client version of IS */
+
+#define	LFLOW_OFF		0	/* Disable remote flow control */
+#define	LFLOW_ON		1	/* Enable remote flow control */
+#define	LFLOW_RESTART_ANY	2	/* Restart output on any char */
+#define	LFLOW_RESTART_XON	3	/* Restart output only on XON */
+
+/*
+ * LINEMODE suboptions
+ */
+
+#define	LM_MODE		1
+#define	LM_FORWARDMASK	2
+#define	LM_SLC		3
+
+#define	MODE_EDIT	0x01
+#define	MODE_TRAPSIG	0x02
+#define	MODE_ACK	0x04
+#define MODE_SOFT_TAB	0x08
+#define MODE_LIT_ECHO	0x10
+
+#define	MODE_MASK	0x1f
+
+/* Not part of protocol, but needed to simplify things... */
+#define MODE_FLOW		0x0100
+#define MODE_ECHO		0x0200
+#define MODE_INBIN		0x0400
+#define MODE_OUTBIN		0x0800
+#define MODE_FORCE		0x1000
+
+#define	SLC_SYNCH	1
+#define	SLC_BRK		2
+#define	SLC_IP		3
+#define	SLC_AO		4
+#define	SLC_AYT		5
+#define	SLC_EOR		6
+#define	SLC_ABORT	7
+#define	SLC_EOF		8
+#define	SLC_SUSP	9
+#define	SLC_EC		10
+#define	SLC_EL		11
+#define	SLC_EW		12
+#define	SLC_RP		13
+#define	SLC_LNEXT	14
+#define	SLC_XON		15
+#define	SLC_XOFF	16
+#define	SLC_FORW1	17
+#define	SLC_FORW2	18
+
+#define	NSLC		18
+
+/*
+ * For backwards compatability, we define SLC_NAMES to be the
+ * list of names if SLC_NAMES is not defined.
+ */
+#define	SLC_NAMELIST	"0", "SYNCH", "BRK", "IP", "AO", "AYT", "EOR", \
+			"ABORT", "EOF", "SUSP", "EC", "EL", "EW", "RP", \
+			"LNEXT", "XON", "XOFF", "FORW1", "FORW2", 0,
+#ifdef	SLC_NAMES
+char *slc_names[] = {
+	SLC_NAMELIST
+};
+#else
+extern char *slc_names[];
+#define	SLC_NAMES SLC_NAMELIST
+#endif
+
+#define	SLC_NAME_OK(x)	((unsigned int)(x) <= NSLC)
+#define SLC_NAME(x)	slc_names[x]
+
+#define	SLC_NOSUPPORT	0
+#define	SLC_CANTCHANGE	1
+#define	SLC_VARIABLE	2
+#define	SLC_DEFAULT	3
+#define	SLC_LEVELBITS	0x03
+
+#define	SLC_FUNC	0
+#define	SLC_FLAGS	1
+#define	SLC_VALUE	2
+
+#define	SLC_ACK		0x80
+#define	SLC_FLUSHIN	0x40
+#define	SLC_FLUSHOUT	0x20
+
+#define	OLD_ENV_VAR	1
+#define	OLD_ENV_VALUE	0
+#define	NEW_ENV_VAR	0
+#define	NEW_ENV_VALUE	1
+#define	ENV_ESC		2
+#define ENV_USERVAR	3
+
+/*
+ * AUTHENTICATION suboptions
+ */
+
+/*
+ * Who is authenticating who ...
+ */
+#define	AUTH_WHO_CLIENT		0	/* Client authenticating server */
+#define	AUTH_WHO_SERVER		1	/* Server authenticating client */
+#define	AUTH_WHO_MASK		1
+
+/*
+ * amount of authentication done
+ */
+#define	AUTH_HOW_ONE_WAY	0
+#define	AUTH_HOW_MUTUAL		2
+#define	AUTH_HOW_MASK		2
+
+#define	AUTHTYPE_NULL		0
+#define	AUTHTYPE_KERBEROS_V4	1
+#define	AUTHTYPE_KERBEROS_V5	2
+#define	AUTHTYPE_SPX		3
+#define	AUTHTYPE_MINK		4
+#define	AUTHTYPE_SRA		5
+#define	AUTHTYPE_CNT		6
+/* #define	AUTHTYPE_UNSECURE 6 */
+
+#define	AUTHTYPE_TEST		99
+
+#ifdef	AUTH_NAMES
+char *authtype_names[] = {
+	"NULL", "KERBEROS_V4", "KERBEROS_V5", "SPX", "MINK",
+	"SRA", 0,
+};
+#else
+extern char *authtype_names[];
+#endif
+
+#define	AUTHTYPE_NAME_OK(x)	((unsigned int)(x) < AUTHTYPE_CNT)
+#define	AUTHTYPE_NAME(x)	authtype_names[x]
+
+/*
+ * ENCRYPTion suboptions
+ */
+#define	ENCRYPT_IS		0	/* I pick encryption type ... */
+#define	ENCRYPT_SUPPORT		1	/* I support encryption types ... */
+#define	ENCRYPT_REPLY		2	/* Initial setup response */
+#define	ENCRYPT_START		3	/* Am starting to send encrypted */
+#define	ENCRYPT_END		4	/* Am ending encrypted */
+#define	ENCRYPT_REQSTART	5	/* Request you start encrypting */
+#define	ENCRYPT_REQEND		6	/* Request you send encrypting */
+#define	ENCRYPT_ENC_KEYID	7
+#define	ENCRYPT_DEC_KEYID	8
+#define	ENCRYPT_CNT		9
+
+#define	ENCTYPE_ANY		0
+#define	ENCTYPE_DES_CFB64	1
+#define	ENCTYPE_DES_OFB64	2
+#define	ENCTYPE_CNT		3
+
+#ifdef	ENCRYPT_NAMES
+char *encrypt_names[] = {
+	"IS", "SUPPORT", "REPLY", "START", "END",
+	"REQUEST-START", "REQUEST-END", "ENC-KEYID", "DEC-KEYID",
+	0,
+};
+char *enctype_names[] = {
+	"ANY", "DES_CFB64",  "DES_OFB64",  0,
+};
+#else
+extern char *encrypt_names[];
+extern char *enctype_names[];
+#endif
+
+
+#define	ENCRYPT_NAME_OK(x)	((unsigned int)(x) < ENCRYPT_CNT)
+#define	ENCRYPT_NAME(x)		encrypt_names[x]
+
+#define	ENCTYPE_NAME_OK(x)	((unsigned int)(x) < ENCTYPE_CNT)
+#define	ENCTYPE_NAME(x)		enctype_names[x]
+
+#endif /* !_TELNET_H_ */
diff --git a/crypto/heimdal/appl/telnet/libtelnet/Makefile.am b/crypto/heimdal/appl/telnet/libtelnet/Makefile.am
new file mode 100644
index 0000000..8806f88
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/Makefile.am
@@ -0,0 +1,24 @@
+# $Id: Makefile.am,v 1.8 1999/03/20 13:58:15 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4)
+
+noinst_LIBRARIES = libtelnet.a
+
+libtelnet_a_SOURCES = \
+	auth-proto.h	\
+	auth.c		\
+	auth.h		\
+	enc-proto.h	\
+	enc_des.c	\
+	encrypt.c	\
+	encrypt.h	\
+	genget.c	\
+	kerberos.c	\
+	kerberos5.c	\
+	misc-proto.h	\
+	misc.c		\
+	misc.h
+
+EXTRA_DIST = krb4encpwd.c rsaencpwd.c spx.c
diff --git a/crypto/heimdal/appl/telnet/libtelnet/Makefile.in b/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
new file mode 100644
index 0000000..efa9ad1
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
@@ -0,0 +1,564 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.8 1999/03/20 13:58:15 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_LIBRARIES = libtelnet.a
+
+libtelnet_a_SOURCES = \
+	auth-proto.h	\
+	auth.c		\
+	auth.h		\
+	enc-proto.h	\
+	enc_des.c	\
+	encrypt.c	\
+	encrypt.h	\
+	genget.c	\
+	kerberos.c	\
+	kerberos5.c	\
+	misc-proto.h	\
+	misc.c		\
+	misc.h
+
+
+EXTRA_DIST = krb4encpwd.c rsaencpwd.c spx.c
+subdir = appl/telnet/libtelnet
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+LIBRARIES =  $(noinst_LIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libtelnet_a_AR = $(AR) cru
+libtelnet_a_LIBADD = 
+am_libtelnet_a_OBJECTS =  auth.$(OBJEXT) enc_des.$(OBJEXT) \
+encrypt.$(OBJEXT) genget.$(OBJEXT) kerberos.$(OBJEXT) \
+kerberos5.$(OBJEXT) misc.$(OBJEXT)
+libtelnet_a_OBJECTS =  $(am_libtelnet_a_OBJECTS)
+AR = ar
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libtelnet_a_SOURCES)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libtelnet_a_SOURCES)
+OBJECTS = $(am_libtelnet_a_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/libtelnet/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-noinstLIBRARIES:
+
+clean-noinstLIBRARIES:
+	-test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES)
+
+distclean-noinstLIBRARIES:
+
+maintainer-clean-noinstLIBRARIES:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libtelnet.a: $(libtelnet_a_OBJECTS) $(libtelnet_a_DEPENDENCIES)
+	-rm -f libtelnet.a
+	$(libtelnet_a_AR) libtelnet.a $(libtelnet_a_OBJECTS) $(libtelnet_a_LIBADD)
+	$(RANLIB) libtelnet.a
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile $(LIBRARIES) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-noinstLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-noinstLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-noinstLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-noinstLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-noinstLIBRARIES distclean-noinstLIBRARIES \
+clean-noinstLIBRARIES maintainer-clean-noinstLIBRARIES \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/libtelnet/auth-proto.h b/crypto/heimdal/appl/telnet/libtelnet/auth-proto.h
new file mode 100644
index 0000000..51fdf6a
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/auth-proto.h
@@ -0,0 +1,122 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)auth-proto.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: auth-proto.h,v 1.10 2000/01/18 03:08:55 assar Exp $ */
+
+#ifdef AUTHENTICATION
+Authenticator *findauthenticator (int, int);
+
+int auth_wait (char *, size_t);
+void auth_disable_name (char *);
+void auth_finished (Authenticator *, int);
+void auth_gen_printsub (unsigned char *, int, unsigned char *, int);
+void auth_init (const char *, int);
+void auth_is (unsigned char *, int);
+void auth_name(unsigned char*, int);
+void auth_reply (unsigned char *, int);
+void auth_request (void);
+void auth_send (unsigned char *, int);
+void auth_send_retry (void);
+void auth_printsub(unsigned char*, int, unsigned char*, int);
+int getauthmask(char *type, int *maskp);
+int auth_enable(char *type);
+int auth_disable(char *type);
+int auth_onoff(char *type, int on);
+int auth_togdebug(int on);
+int auth_status(void);
+int auth_sendname(unsigned char *cp, int len);
+void auth_debug(int mode);
+void auth_gen_printsub(unsigned char *data, int cnt,
+		       unsigned char *buf, int buflen);
+
+#ifdef UNSAFE
+int unsafe_init (Authenticator *, int);
+int unsafe_send (Authenticator *);
+void unsafe_is (Authenticator *, unsigned char *, int);
+void unsafe_reply (Authenticator *, unsigned char *, int);
+int unsafe_status (Authenticator *, char *, int);
+void unsafe_printsub (unsigned char *, int, unsigned char *, int);
+#endif
+
+#ifdef SRA
+int sra_init (Authenticator *, int);
+int sra_send (Authenticator *);
+void sra_is (Authenticator *, unsigned char *, int);
+void sra_reply (Authenticator *, unsigned char *, int);
+int sra_status (Authenticator *, char *, int);
+void sra_printsub (unsigned char *, int, unsigned char *, int);
+#endif
+
+#ifdef	KRB4
+int kerberos4_init (Authenticator *, int);
+int kerberos4_send_mutual (Authenticator *);
+int kerberos4_send_oneway (Authenticator *);
+void kerberos4_is (Authenticator *, unsigned char *, int);
+void kerberos4_reply (Authenticator *, unsigned char *, int);
+int kerberos4_status (Authenticator *, char *, size_t, int);
+void kerberos4_printsub (unsigned char *, int, unsigned char *, int);
+int kerberos4_forward(Authenticator *ap, void *);
+#endif
+
+#ifdef	KRB5
+int kerberos5_init (Authenticator *, int);
+int kerberos5_send_mutual (Authenticator *);
+int kerberos5_send_oneway (Authenticator *);
+void kerberos5_is (Authenticator *, unsigned char *, int);
+void kerberos5_reply (Authenticator *, unsigned char *, int);
+int kerberos5_status (Authenticator *, char *, size_t, int);
+void kerberos5_printsub (unsigned char *, int, unsigned char *, int);
+#endif
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/auth.c b/crypto/heimdal/appl/telnet/libtelnet/auth.c
new file mode 100644
index 0000000..d791128
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/auth.c
@@ -0,0 +1,657 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include <config.h>
+
+RCSID("$Id: auth.c,v 1.23 2000/01/18 03:09:34 assar Exp $");
+
+#if	defined(AUTHENTICATION)
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <signal.h>
+#define	AUTH_NAMES
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include <roken.h>
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc-proto.h"
+#include "auth-proto.h"
+
+#define	typemask(x)		(1<<((x)-1))
+
+#ifdef	KRB4_ENCPWD
+extern krb4encpwd_init();
+extern krb4encpwd_send();
+extern krb4encpwd_is();
+extern krb4encpwd_reply();
+extern krb4encpwd_status();
+extern krb4encpwd_printsub();
+#endif
+
+#ifdef	RSA_ENCPWD
+extern rsaencpwd_init();
+extern rsaencpwd_send();
+extern rsaencpwd_is();
+extern rsaencpwd_reply();
+extern rsaencpwd_status();
+extern rsaencpwd_printsub();
+#endif
+
+int auth_debug_mode = 0;
+static 	const	char	*Name = "Noname";
+static	int	Server = 0;
+static	Authenticator	*authenticated = 0;
+static	int	authenticating = 0;
+static	int	validuser = 0;
+static	unsigned char	_auth_send_data[256];
+static	unsigned char	*auth_send_data;
+static	int	auth_send_cnt = 0;
+
+/*
+ * Authentication types supported.  Plese note that these are stored
+ * in priority order, i.e. try the first one first.
+ */
+Authenticator authenticators[] = {
+#ifdef UNSAFE
+    { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      unsafe_init,
+      unsafe_send,
+      unsafe_is,
+      unsafe_reply,
+      unsafe_status,
+      unsafe_printsub },
+#endif
+#ifdef SRA
+    { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      sra_init,
+      sra_send,
+      sra_is,
+      sra_reply,
+      sra_status,
+      sra_printsub },
+#endif
+#ifdef	SPX
+    { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      spx_init,
+      spx_send,
+      spx_is,
+      spx_reply,
+      spx_status,
+      spx_printsub },
+    { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      spx_init,
+      spx_send,
+      spx_is,
+      spx_reply,
+      spx_status,
+      spx_printsub },
+#endif
+#ifdef	KRB5
+    { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      kerberos5_init,
+      kerberos5_send_mutual,
+      kerberos5_is,
+      kerberos5_reply,
+      kerberos5_status,
+      kerberos5_printsub },
+    { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      kerberos5_init,
+      kerberos5_send_oneway,
+      kerberos5_is,
+      kerberos5_reply,
+      kerberos5_status,
+      kerberos5_printsub },
+#endif
+#ifdef	KRB4
+    { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      kerberos4_init,
+      kerberos4_send_mutual,
+      kerberos4_is,
+      kerberos4_reply,
+      kerberos4_status,
+      kerberos4_printsub },
+    { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      kerberos4_init,
+      kerberos4_send_oneway,
+      kerberos4_is,
+      kerberos4_reply,
+      kerberos4_status,
+      kerberos4_printsub },
+#endif
+#ifdef	KRB4_ENCPWD
+    { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      krb4encpwd_init,
+      krb4encpwd_send,
+      krb4encpwd_is,
+      krb4encpwd_reply,
+      krb4encpwd_status,
+      krb4encpwd_printsub },
+#endif
+#ifdef	RSA_ENCPWD
+    { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      rsaencpwd_init,
+      rsaencpwd_send,
+      rsaencpwd_is,
+      rsaencpwd_reply,
+      rsaencpwd_status,
+      rsaencpwd_printsub },
+#endif
+    { 0, },
+};
+
+static Authenticator NoAuth = { 0 };
+
+static int	i_support = 0;
+static int	i_wont_support = 0;
+
+Authenticator *
+findauthenticator(int type, int way)
+{
+    Authenticator *ap = authenticators;
+
+    while (ap->type && (ap->type != type || ap->way != way))
+	++ap;
+    return(ap->type ? ap : 0);
+}
+
+void
+auth_init(const char *name, int server)
+{
+    Authenticator *ap = authenticators;
+
+    Server = server;
+    Name = name;
+
+    i_support = 0;
+    authenticated = 0;
+    authenticating = 0;
+    while (ap->type) {
+	if (!ap->init || (*ap->init)(ap, server)) {
+	    i_support |= typemask(ap->type);
+	    if (auth_debug_mode)
+		printf(">>>%s: I support auth type %d %d\r\n",
+		       Name,
+		       ap->type, ap->way);
+	}
+	else if (auth_debug_mode)
+	    printf(">>>%s: Init failed: auth type %d %d\r\n",
+		   Name, ap->type, ap->way);
+	++ap;
+    }
+}
+
+void
+auth_disable_name(char *name)
+{
+    int x;
+    for (x = 0; x < AUTHTYPE_CNT; ++x) {
+	if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
+	    i_wont_support |= typemask(x);
+	    break;
+	}
+    }
+}
+
+int
+getauthmask(char *type, int *maskp)
+{
+    int x;
+
+    if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
+	*maskp = -1;
+	return(1);
+    }
+
+    for (x = 1; x < AUTHTYPE_CNT; ++x) {
+	if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
+	    *maskp = typemask(x);
+	    return(1);
+	}
+    }
+    return(0);
+}
+
+int
+auth_enable(char *type)
+{
+    return(auth_onoff(type, 1));
+}
+
+int
+auth_disable(char *type)
+{
+    return(auth_onoff(type, 0));
+}
+
+int
+auth_onoff(char *type, int on)
+{
+    int i, mask = -1;
+    Authenticator *ap;
+
+    if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
+	printf("auth %s 'type'\n", on ? "enable" : "disable");
+	printf("Where 'type' is one of:\n");
+	printf("\t%s\n", AUTHTYPE_NAME(0));
+	mask = 0;
+	for (ap = authenticators; ap->type; ap++) {
+	    if ((mask & (i = typemask(ap->type))) != 0)
+		continue;
+	    mask |= i;
+	    printf("\t%s\n", AUTHTYPE_NAME(ap->type));
+	}
+	return(0);
+    }
+
+    if (!getauthmask(type, &mask)) {
+	printf("%s: invalid authentication type\n", type);
+	return(0);
+    }
+    if (on)
+	i_wont_support &= ~mask;
+    else
+	i_wont_support |= mask;
+    return(1);
+}
+
+int
+auth_togdebug(int on)
+{
+    if (on < 0)
+	auth_debug_mode ^= 1;
+    else
+	auth_debug_mode = on;
+    printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
+    return(1);
+}
+
+int
+auth_status(void)
+{
+    Authenticator *ap;
+    int i, mask;
+
+    if (i_wont_support == -1)
+	printf("Authentication disabled\n");
+    else
+	printf("Authentication enabled\n");
+
+    mask = 0;
+    for (ap = authenticators; ap->type; ap++) {
+	if ((mask & (i = typemask(ap->type))) != 0)
+	    continue;
+	mask |= i;
+	printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
+	       (i_wont_support & typemask(ap->type)) ?
+	       "disabled" : "enabled");
+    }
+    return(1);
+}
+
+/*
+ * This routine is called by the server to start authentication
+ * negotiation.
+ */
+void
+auth_request(void)
+{
+    static unsigned char str_request[64] = { IAC, SB,
+					     TELOPT_AUTHENTICATION,
+					     TELQUAL_SEND, };
+    Authenticator *ap = authenticators;
+    unsigned char *e = str_request + 4;
+
+    if (!authenticating) {
+	authenticating = 1;
+	while (ap->type) {
+	    if (i_support & ~i_wont_support & typemask(ap->type)) {
+		if (auth_debug_mode) {
+		    printf(">>>%s: Sending type %d %d\r\n",
+			   Name, ap->type, ap->way);
+		}
+		*e++ = ap->type;
+		*e++ = ap->way;
+	    }
+	    ++ap;
+	}
+	*e++ = IAC;
+	*e++ = SE;
+	telnet_net_write(str_request, e - str_request);
+	printsub('>', &str_request[2], e - str_request - 2);
+    }
+}
+
+/*
+ * This is called when an AUTH SEND is received.
+ * It should never arrive on the server side (as only the server can
+ * send an AUTH SEND).
+ * You should probably respond to it if you can...
+ *
+ * If you want to respond to the types out of order (i.e. even
+ * if he sends  LOGIN KERBEROS and you support both, you respond
+ * with KERBEROS instead of LOGIN (which is against what the
+ * protocol says)) you will have to hack this code...
+ */
+void
+auth_send(unsigned char *data, int cnt)
+{
+    Authenticator *ap;
+    static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_IS, AUTHTYPE_NULL, 0,
+					IAC, SE };
+    if (Server) {
+	if (auth_debug_mode) {
+	    printf(">>>%s: auth_send called!\r\n", Name);
+	}
+	return;
+    }
+
+    if (auth_debug_mode) {
+	printf(">>>%s: auth_send got:", Name);
+	printd(data, cnt); printf("\r\n");
+    }
+
+    /*
+     * Save the data, if it is new, so that we can continue looking
+     * at it if the authorization we try doesn't work
+     */
+    if (data < _auth_send_data ||
+	data > _auth_send_data + sizeof(_auth_send_data)) {
+	auth_send_cnt = cnt > sizeof(_auth_send_data)
+	    ? sizeof(_auth_send_data)
+	    : cnt;
+	memmove(_auth_send_data, data, auth_send_cnt);
+	auth_send_data = _auth_send_data;
+    } else {
+	/*
+	 * This is probably a no-op, but we just make sure
+	 */
+	auth_send_data = data;
+	auth_send_cnt = cnt;
+    }
+    while ((auth_send_cnt -= 2) >= 0) {
+	if (auth_debug_mode)
+	    printf(">>>%s: He supports %d\r\n",
+		   Name, *auth_send_data);
+	if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
+	    ap = findauthenticator(auth_send_data[0],
+				   auth_send_data[1]);
+	    if (ap && ap->send) {
+		if (auth_debug_mode)
+		    printf(">>>%s: Trying %d %d\r\n",
+			   Name, auth_send_data[0],
+			   auth_send_data[1]);
+		if ((*ap->send)(ap)) {
+		    /*
+		     * Okay, we found one we like
+		     * and did it.
+		     * we can go home now.
+		     */
+		    if (auth_debug_mode)
+			printf(">>>%s: Using type %d\r\n",
+			       Name, *auth_send_data);
+		    auth_send_data += 2;
+		    return;
+		}
+	    }
+	    /* else
+	     *	just continue on and look for the
+	     *	next one if we didn't do anything.
+	     */
+	}
+	auth_send_data += 2;
+    }
+    telnet_net_write(str_none, sizeof(str_none));
+    printsub('>', &str_none[2], sizeof(str_none) - 2);
+    if (auth_debug_mode)
+	printf(">>>%s: Sent failure message\r\n", Name);
+    auth_finished(0, AUTH_REJECT);
+#ifdef KANNAN
+    /*
+     *  We requested strong authentication, however no mechanisms worked.
+     *  Therefore, exit on client end.
+     */
+    printf("Unable to securely authenticate user ... exit\n");
+    exit(0);
+#endif /* KANNAN */
+}
+
+void
+auth_send_retry(void)
+{
+    /*
+     * if auth_send_cnt <= 0 then auth_send will end up rejecting
+     * the authentication and informing the other side of this.
+	 */
+    auth_send(auth_send_data, auth_send_cnt);
+}
+
+void
+auth_is(unsigned char *data, int cnt)
+{
+    Authenticator *ap;
+
+    if (cnt < 2)
+	return;
+
+    if (data[0] == AUTHTYPE_NULL) {
+	auth_finished(0, AUTH_REJECT);
+	return;
+    }
+
+    if ((ap = findauthenticator(data[0], data[1]))) {
+	if (ap->is)
+	    (*ap->is)(ap, data+2, cnt-2);
+    } else if (auth_debug_mode)
+	printf(">>>%s: Invalid authentication in IS: %d\r\n",
+	       Name, *data);
+}
+
+void
+auth_reply(unsigned char *data, int cnt)
+{
+    Authenticator *ap;
+
+    if (cnt < 2)
+	return;
+
+    if ((ap = findauthenticator(data[0], data[1]))) {
+	if (ap->reply)
+	    (*ap->reply)(ap, data+2, cnt-2);
+    } else if (auth_debug_mode)
+	printf(">>>%s: Invalid authentication in SEND: %d\r\n",
+	       Name, *data);
+}
+
+void
+auth_name(unsigned char *data, int cnt)
+{
+    char savename[256];
+
+    if (cnt < 1) {
+	if (auth_debug_mode)
+	    printf(">>>%s: Empty name in NAME\r\n", Name);
+	return;
+    }
+    if (cnt > sizeof(savename) - 1) {
+	if (auth_debug_mode)
+	    printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n",
+		   Name, cnt, (unsigned long)(sizeof(savename)-1));
+	return;
+    }
+    memmove(savename, data, cnt);
+    savename[cnt] = '\0';	/* Null terminate */
+    if (auth_debug_mode)
+	printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
+    auth_encrypt_user(savename);
+}
+
+int
+auth_sendname(unsigned char *cp, int len)
+{
+    static unsigned char str_request[256+6]
+	= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
+    unsigned char *e = str_request + 4;
+    unsigned char *ee = &str_request[sizeof(str_request)-2];
+
+    while (--len >= 0) {
+	if ((*e++ = *cp++) == IAC)
+	    *e++ = IAC;
+	if (e >= ee)
+	    return(0);
+    }
+    *e++ = IAC;
+    *e++ = SE;
+    telnet_net_write(str_request, e - str_request);
+    printsub('>', &str_request[2], e - &str_request[2]);
+    return(1);
+}
+
+void
+auth_finished(Authenticator *ap, int result)
+{
+    if (!(authenticated = ap))
+	authenticated = &NoAuth;
+    validuser = result;
+}
+
+/* ARGSUSED */
+static void
+auth_intr(int sig)
+{
+    auth_finished(0, AUTH_REJECT);
+}
+
+int
+auth_wait(char *name, size_t name_sz)
+{
+    if (auth_debug_mode)
+	printf(">>>%s: in auth_wait.\r\n", Name);
+
+    if (Server && !authenticating)
+	return(0);
+
+    signal(SIGALRM, auth_intr);
+    alarm(30);
+    while (!authenticated)
+	if (telnet_spin())
+	    break;
+    alarm(0);
+    signal(SIGALRM, SIG_DFL);
+
+    /*
+     * Now check to see if the user is valid or not
+     */
+    if (!authenticated || authenticated == &NoAuth)
+	return(AUTH_REJECT);
+
+    if (validuser == AUTH_VALID)
+	validuser = AUTH_USER;
+
+    if (authenticated->status)
+	validuser = (*authenticated->status)(authenticated,
+					     name, name_sz,
+					     validuser);
+    return(validuser);
+}
+
+void
+auth_debug(int mode)
+{
+    auth_debug_mode = mode;
+}
+
+void
+auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    Authenticator *ap;
+
+    if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
+	(*ap->printsub)(data, cnt, buf, buflen);
+    else
+	auth_gen_printsub(data, cnt, buf, buflen);
+}
+
+void
+auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    unsigned char *cp;
+    unsigned char tbuf[16];
+
+    cnt -= 3;
+    data += 3;
+    buf[buflen-1] = '\0';
+    buf[buflen-2] = '*';
+    buflen -= 2;
+    for (; cnt > 0; cnt--, data++) {
+	snprintf(tbuf, sizeof(tbuf), " %d", *data);
+	for (cp = tbuf; *cp && buflen > 0; --buflen)
+	    *buf++ = *cp++;
+	if (buflen <= 0)
+	    return;
+    }
+    *buf = '\0';
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/auth.h b/crypto/heimdal/appl/telnet/libtelnet/auth.h
new file mode 100644
index 0000000..83dd701
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/auth.h
@@ -0,0 +1,81 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)auth.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: auth.h,v 1.4 1998/06/09 19:24:41 joda Exp $ */
+
+#ifndef	__AUTH__
+#define	__AUTH__
+
+#define	AUTH_REJECT	0	/* Rejected */
+#define	AUTH_UNKNOWN	1	/* We don't know who he is, but he's okay */
+#define	AUTH_OTHER	2	/* We know him, but not his name */
+#define	AUTH_USER	3	/* We know he name */
+#define	AUTH_VALID	4	/* We know him, and he needs no password */
+
+typedef struct XauthP {
+	int	type;
+	int	way;
+	int	(*init) (struct XauthP *, int);
+	int	(*send) (struct XauthP *);
+	void	(*is) (struct XauthP *, unsigned char *, int);
+	void	(*reply) (struct XauthP *, unsigned char *, int);
+	int	(*status) (struct XauthP *, char *, size_t, int);
+	void	(*printsub) (unsigned char *, int, unsigned char *, int);
+} Authenticator;
+
+#include "auth-proto.h"
+
+extern int auth_debug_mode;
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/enc-proto.h b/crypto/heimdal/appl/telnet/libtelnet/enc-proto.h
new file mode 100644
index 0000000..d32b096
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/enc-proto.h
@@ -0,0 +1,132 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)enc-proto.h	8.1 (Berkeley) 6/4/93
+ *
+ *	@(#)enc-proto.h	5.2 (Berkeley) 3/22/91
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: enc-proto.h,v 1.10 2000/01/18 03:09:56 assar Exp $ */
+
+#if	defined(ENCRYPTION)
+Encryptions *findencryption (int);
+Encryptions *finddecryption(int);
+int EncryptAutoDec(int);
+int EncryptAutoEnc(int);
+int EncryptDebug(int);
+int EncryptDisable(char*, char*);
+int EncryptEnable(char*, char*);
+int EncryptStart(char*);
+int EncryptStartInput(void);
+int EncryptStartOutput(void);
+int EncryptStatus(void);
+int EncryptStop(char*);
+int EncryptStopInput(void);
+int EncryptStopOutput(void);
+int EncryptType(char*, char*);
+int EncryptVerbose(int);
+void decrypt_auto(int);
+void encrypt_auto(int);
+void encrypt_debug(int);
+void encrypt_dec_keyid(unsigned char*, int);
+void encrypt_display(void);
+void encrypt_enc_keyid(unsigned char*, int);
+void encrypt_end(void);
+void encrypt_gen_printsub(unsigned char*, int, unsigned char*, int);
+void encrypt_init(const char*, int);
+void encrypt_is(unsigned char*, int);
+void encrypt_list_types(void);
+void encrypt_not(void);
+void encrypt_printsub(unsigned char*, int, unsigned char*, int);
+void encrypt_reply(unsigned char*, int);
+void encrypt_request_end(void);
+void encrypt_request_start(unsigned char*, int);
+void encrypt_send_end(void);
+void encrypt_send_keyid(int, unsigned char*, int, int);
+void encrypt_send_request_end(void);
+void encrypt_send_request_start(void);
+void encrypt_send_support(void);
+void encrypt_session_key(Session_Key*, int);
+void encrypt_start(unsigned char*, int);
+void encrypt_start_output(int);
+void encrypt_support(unsigned char*, int);
+void encrypt_verbose_quiet(int);
+void encrypt_wait(void);
+int encrypt_delay(void);
+
+#ifdef	TELENTD
+void encrypt_wait (void);
+#else
+void encrypt_display (void);
+#endif
+
+void cfb64_encrypt (unsigned char *, int);
+int cfb64_decrypt (int);
+void cfb64_init (int);
+int cfb64_start (int, int);
+int cfb64_is (unsigned char *, int);
+int cfb64_reply (unsigned char *, int);
+void cfb64_session (Session_Key *, int);
+int cfb64_keyid (int, unsigned char *, int *);
+void cfb64_printsub (unsigned char *, int, unsigned char *, int);
+
+void ofb64_encrypt (unsigned char *, int);
+int ofb64_decrypt (int);
+void ofb64_init (int);
+int ofb64_start (int, int);
+int ofb64_is (unsigned char *, int);
+int ofb64_reply (unsigned char *, int);
+void ofb64_session (Session_Key *, int);
+int ofb64_keyid (int, unsigned char *, int *);
+void ofb64_printsub (unsigned char *, int, unsigned char *, int);
+
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/enc_des.c b/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
new file mode 100644
index 0000000..a847138
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
@@ -0,0 +1,675 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: enc_des.c,v 1.18 2001/02/24 05:47:39 assar Exp $");
+
+#if	defined(AUTHENTICATION) && defined(ENCRYPTION) && defined(DES_ENCRYPTION)
+#include <arpa/telnet.h>
+#include <stdio.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#include <string.h>
+#endif
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "misc-proto.h"
+
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+
+extern int encrypt_debug_mode;
+
+#define	CFB	0
+#define	OFB	1
+
+#define	NO_SEND_IV	1
+#define	NO_RECV_IV	2
+#define	NO_KEYID	4
+#define	IN_PROGRESS	(NO_SEND_IV|NO_RECV_IV|NO_KEYID)
+#define	SUCCESS		0
+#define	FAILED		-1
+
+
+struct stinfo {
+  des_cblock	str_output;
+  des_cblock	str_feed;
+  des_cblock	str_iv;
+  des_cblock	str_ikey;
+  des_key_schedule str_sched;
+  int		str_index;
+  int		str_flagshift;
+};
+
+struct fb {
+	des_cblock krbdes_key;
+	des_key_schedule krbdes_sched;
+	des_cblock temp_feed;
+	unsigned char fb_feed[64];
+	int need_start;
+	int state[2];
+	int keyid[2];
+	int once;
+	struct stinfo streams[2];
+};
+
+static struct fb fb[2];
+
+struct keyidlist {
+	char	*keyid;
+	int	keyidlen;
+	char	*key;
+	int	keylen;
+	int	flags;
+} keyidlist [] = {
+	{ "\0", 1, 0, 0, 0 },		/* default key of zero */
+	{ 0, 0, 0, 0, 0 }
+};
+
+#define	KEYFLAG_MASK	03
+
+#define	KEYFLAG_NOINIT	00
+#define	KEYFLAG_INIT	01
+#define	KEYFLAG_OK	02
+#define	KEYFLAG_BAD	03
+
+#define	KEYFLAG_SHIFT	2
+
+#define	SHIFT_VAL(a,b)	(KEYFLAG_SHIFT*((a)+((b)*2)))
+
+#define	FB64_IV		1
+#define	FB64_IV_OK	2
+#define	FB64_IV_BAD	3
+
+
+void fb64_stream_iv (des_cblock, struct stinfo *);
+void fb64_init (struct fb *);
+static int fb64_start (struct fb *, int, int);
+int fb64_is (unsigned char *, int, struct fb *);
+int fb64_reply (unsigned char *, int, struct fb *);
+static void fb64_session (Session_Key *, int, struct fb *);
+void fb64_stream_key (des_cblock, struct stinfo *);
+int fb64_keyid (int, unsigned char *, int *, struct fb *);
+
+void cfb64_init(int server)
+{
+	fb64_init(&fb[CFB]);
+	fb[CFB].fb_feed[4] = ENCTYPE_DES_CFB64;
+	fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, CFB);
+	fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, CFB);
+}
+
+
+void ofb64_init(int server)
+{
+	fb64_init(&fb[OFB]);
+	fb[OFB].fb_feed[4] = ENCTYPE_DES_OFB64;
+	fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, OFB);
+	fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, OFB);
+}
+
+void fb64_init(struct fb *fbp)
+{
+	memset(fbp,0, sizeof(*fbp));
+	fbp->state[0] = fbp->state[1] = FAILED;
+	fbp->fb_feed[0] = IAC;
+	fbp->fb_feed[1] = SB;
+	fbp->fb_feed[2] = TELOPT_ENCRYPT;
+	fbp->fb_feed[3] = ENCRYPT_IS;
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ *	 2: Not yet.  Other things (like getting the key from
+ *	    Kerberos) have to happen before we can continue.
+ */
+int cfb64_start(int dir, int server)
+{
+	return(fb64_start(&fb[CFB], dir, server));
+}
+
+int ofb64_start(int dir, int server)
+{
+	return(fb64_start(&fb[OFB], dir, server));
+}
+
+static int fb64_start(struct fb *fbp, int dir, int server)
+{
+	int x;
+	unsigned char *p;
+	int state;
+
+	switch (dir) {
+	case DIR_DECRYPT:
+		/*
+		 * This is simply a request to have the other side
+		 * start output (our input).  He will negotiate an
+		 * IV so we need not look for it.
+		 */
+		state = fbp->state[dir-1];
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		break;
+
+	case DIR_ENCRYPT:
+		state = fbp->state[dir-1];
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		else if ((state & NO_SEND_IV) == 0) {
+			break;
+		}
+
+		if (!VALIDKEY(fbp->krbdes_key)) {
+		        fbp->need_start = 1;
+			break;
+		}
+
+		state &= ~NO_SEND_IV;
+		state |= NO_RECV_IV;
+		if (encrypt_debug_mode)
+			printf("Creating new feed\r\n");
+		/*
+		 * Create a random feed and send it over.
+		 */
+#ifndef OLD_DES_RANDOM_KEY
+		des_new_random_key(&fbp->temp_feed);
+#else
+		/*
+		 * From des_cryp.man "If the des_check_key flag is non-zero,
+		 *  des_set_key will check that the key passed is
+		 *  of odd parity and is not a week or semi-weak key."
+		 */
+		do {
+			des_random_key(fbp->temp_feed);
+			des_set_odd_parity(fbp->temp_feed);
+		} while (des_is_weak_key(fbp->temp_feed));
+#endif
+		des_ecb_encrypt(&fbp->temp_feed,
+				&fbp->temp_feed,
+				fbp->krbdes_sched, 1);
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_IS;
+		p++;
+		*p++ = FB64_IV;
+		for (x = 0; x < sizeof(des_cblock); ++x) {
+			if ((*p++ = fbp->temp_feed[x]) == IAC)
+				*p++ = IAC;
+		}
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
+		break;
+	default:
+		return(FAILED);
+	}
+	return(fbp->state[dir-1] = state);
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ */
+
+int cfb64_is(unsigned char *data, int cnt)
+{
+	return(fb64_is(data, cnt, &fb[CFB]));
+}
+
+int ofb64_is(unsigned char *data, int cnt)
+{
+	return(fb64_is(data, cnt, &fb[OFB]));
+}
+
+
+int fb64_is(unsigned char *data, int cnt, struct fb *fbp)
+{
+	unsigned char *p;
+	int state = fbp->state[DIR_DECRYPT-1];
+
+	if (cnt-- < 1)
+		goto failure;
+
+	switch (*data++) {
+	case FB64_IV:
+		if (cnt != sizeof(des_cblock)) {
+			if (encrypt_debug_mode)
+				printf("CFB64: initial vector failed on size\r\n");
+			state = FAILED;
+			goto failure;
+		}
+
+		if (encrypt_debug_mode)
+			printf("CFB64: initial vector received\r\n");
+
+		if (encrypt_debug_mode)
+			printf("Initializing Decrypt stream\r\n");
+
+		fb64_stream_iv(data, &fbp->streams[DIR_DECRYPT-1]);
+
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_REPLY;
+		p++;
+		*p++ = FB64_IV_OK;
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+		state = fbp->state[DIR_DECRYPT-1] = IN_PROGRESS;
+		break;
+
+	default:
+		if (encrypt_debug_mode) {
+			printf("Unknown option type: %d\r\n", *(data-1));
+			printd(data, cnt);
+			printf("\r\n");
+		}
+		/* FALL THROUGH */
+	failure:
+		/*
+		 * We failed.  Send an FB64_IV_BAD option
+		 * to the other side so it will know that
+		 * things failed.
+		 */
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_REPLY;
+		p++;
+		*p++ = FB64_IV_BAD;
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+		break;
+	}
+	return(fbp->state[DIR_DECRYPT-1] = state);
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ */
+
+int cfb64_reply(unsigned char *data, int cnt)
+{
+	return(fb64_reply(data, cnt, &fb[CFB]));
+}
+
+int ofb64_reply(unsigned char *data, int cnt)
+{
+	return(fb64_reply(data, cnt, &fb[OFB]));
+}
+
+
+int fb64_reply(unsigned char *data, int cnt, struct fb *fbp)
+{
+	int state = fbp->state[DIR_ENCRYPT-1];
+
+	if (cnt-- < 1)
+		goto failure;
+
+	switch (*data++) {
+	case FB64_IV_OK:
+		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		state &= ~NO_RECV_IV;
+		encrypt_send_keyid(DIR_ENCRYPT, (unsigned char *)"\0", 1, 1);
+		break;
+
+	case FB64_IV_BAD:
+		memset(fbp->temp_feed, 0, sizeof(des_cblock));
+		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+		state = FAILED;
+		break;
+
+	default:
+		if (encrypt_debug_mode) {
+			printf("Unknown option type: %d\r\n", data[-1]);
+			printd(data, cnt);
+			printf("\r\n");
+		}
+		/* FALL THROUGH */
+	failure:
+		state = FAILED;
+		break;
+	}
+	return(fbp->state[DIR_ENCRYPT-1] = state);
+}
+
+void cfb64_session(Session_Key *key, int server)
+{
+	fb64_session(key, server, &fb[CFB]);
+}
+
+void ofb64_session(Session_Key *key, int server)
+{
+	fb64_session(key, server, &fb[OFB]);
+}
+
+static void fb64_session(Session_Key *key, int server, struct fb *fbp)
+{
+
+	if (!key || key->type != SK_DES) {
+		if (encrypt_debug_mode)
+			printf("Can't set krbdes's session key (%d != %d)\r\n",
+				key ? key->type : -1, SK_DES);
+		return;
+	}
+	memcpy(fbp->krbdes_key, key->data, sizeof(des_cblock));
+
+	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_ENCRYPT-1]);
+	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
+
+	if (fbp->once == 0) {
+#if !defined(OLD_DES_RANDOM_KEY) && !defined(HAVE_OPENSSL_DES_H)
+		des_init_random_number_generator(&fbp->krbdes_key);
+#endif
+		fbp->once = 1;
+	}
+	des_key_sched(&fbp->krbdes_key, fbp->krbdes_sched);
+	/*
+	 * Now look to see if krbdes_start() was was waiting for
+	 * the key to show up.  If so, go ahead an call it now
+	 * that we have the key.
+	 */
+	if (fbp->need_start) {
+		fbp->need_start = 0;
+		fb64_start(fbp, DIR_ENCRYPT, server);
+	}
+}
+
+/*
+ * We only accept a keyid of 0.  If we get a keyid of
+ * 0, then mark the state as SUCCESS.
+ */
+
+int cfb64_keyid(int dir, unsigned char *kp, int *lenp)
+{
+	return(fb64_keyid(dir, kp, lenp, &fb[CFB]));
+}
+
+int ofb64_keyid(int dir, unsigned char *kp, int *lenp)
+{
+	return(fb64_keyid(dir, kp, lenp, &fb[OFB]));
+}
+
+int fb64_keyid(int dir, unsigned char *kp, int *lenp, struct fb *fbp)
+{
+	int state = fbp->state[dir-1];
+
+	if (*lenp != 1 || (*kp != '\0')) {
+		*lenp = 0;
+		return(state);
+	}
+
+	if (state == FAILED)
+		state = IN_PROGRESS;
+
+	state &= ~NO_KEYID;
+
+	return(fbp->state[dir-1] = state);
+}
+
+void fb64_printsub(unsigned char *data, int cnt, 
+		   unsigned char *buf, int buflen, char *type)
+{
+	char lbuf[32];
+	int i;
+	char *cp;
+
+	buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
+	buflen -= 1;
+
+	switch(data[2]) {
+	case FB64_IV:
+		snprintf(lbuf, sizeof(lbuf), "%s_IV", type);
+		cp = lbuf;
+		goto common;
+
+	case FB64_IV_OK:
+		snprintf(lbuf, sizeof(lbuf), "%s_IV_OK", type);
+		cp = lbuf;
+		goto common;
+
+	case FB64_IV_BAD:
+		snprintf(lbuf, sizeof(lbuf), "%s_IV_BAD", type);
+		cp = lbuf;
+		goto common;
+
+	default:
+		snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[2]);
+		cp = lbuf;
+	common:
+		for (; (buflen > 0) && (*buf = *cp++); buf++)
+			buflen--;
+		for (i = 3; i < cnt; i++) {
+			snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
+			for (cp = lbuf; (buflen > 0) && (*buf = *cp++); buf++)
+				buflen--;
+		}
+		break;
+	}
+}
+
+void cfb64_printsub(unsigned char *data, int cnt, 
+		    unsigned char *buf, int buflen)
+{
+	fb64_printsub(data, cnt, buf, buflen, "CFB64");
+}
+
+void ofb64_printsub(unsigned char *data, int cnt,
+		    unsigned char *buf, int buflen)
+{
+	fb64_printsub(data, cnt, buf, buflen, "OFB64");
+}
+
+void fb64_stream_iv(des_cblock seed, struct stinfo *stp)
+{
+
+	memcpy(stp->str_iv, seed,sizeof(des_cblock));
+	memcpy(stp->str_output, seed, sizeof(des_cblock));
+
+	des_key_sched(&stp->str_ikey, stp->str_sched);
+
+	stp->str_index = sizeof(des_cblock);
+}
+
+void fb64_stream_key(des_cblock key, struct stinfo *stp)
+{
+	memcpy(stp->str_ikey, key, sizeof(des_cblock));
+	des_key_sched((des_cblock*)key, stp->str_sched);
+
+	memcpy(stp->str_output, stp->str_iv, sizeof(des_cblock));
+
+	stp->str_index = sizeof(des_cblock);
+}
+
+/*
+ * DES 64 bit Cipher Feedback
+ *
+ *     key --->+-----+
+ *          +->| DES |--+
+ *          |  +-----+  |
+ *	    |           v
+ *  INPUT --(--------->(+)+---> DATA
+ *          |             |
+ *	    +-------------+
+ *         
+ *
+ * Given:
+ *	iV: Initial vector, 64 bits (8 bytes) long.
+ *	Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ *	On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ *	V0 = DES(iV, key)
+ *	On = Dn ^ Vn
+ *	V(n+1) = DES(On, key)
+ */
+
+void cfb64_encrypt(unsigned char *s, int c)
+{
+	struct stinfo *stp = &fb[CFB].streams[DIR_ENCRYPT-1];
+	int index;
+
+	index = stp->str_index;
+	while (c-- > 0) {
+		if (index == sizeof(des_cblock)) {
+			des_cblock b;
+			des_ecb_encrypt(&stp->str_output, &b,stp->str_sched, 1);
+			memcpy(stp->str_feed, b, sizeof(des_cblock));
+			index = 0;
+		}
+
+		/* On encryption, we store (feed ^ data) which is cypher */
+		*s = stp->str_output[index] = (stp->str_feed[index] ^ *s);
+		s++;
+		index++;
+	}
+	stp->str_index = index;
+}
+
+int cfb64_decrypt(int data)
+{
+	struct stinfo *stp = &fb[CFB].streams[DIR_DECRYPT-1];
+	int index;
+
+	if (data == -1) {
+		/*
+		 * Back up one byte.  It is assumed that we will
+		 * never back up more than one byte.  If we do, this
+		 * may or may not work.
+		 */
+		if (stp->str_index)
+			--stp->str_index;
+		return(0);
+	}
+
+	index = stp->str_index++;
+	if (index == sizeof(des_cblock)) {
+		des_cblock b;
+		des_ecb_encrypt(&stp->str_output,&b, stp->str_sched, 1);
+		memcpy(stp->str_feed, b, sizeof(des_cblock));
+		stp->str_index = 1;	/* Next time will be 1 */
+		index = 0;		/* But now use 0 */ 
+	}
+
+	/* On decryption we store (data) which is cypher. */
+	stp->str_output[index] = data;
+	return(data ^ stp->str_feed[index]);
+}
+
+/*
+ * DES 64 bit Output Feedback
+ *
+ * key --->+-----+
+ *	+->| DES |--+
+ *	|  +-----+  |
+ *	+-----------+
+ *	            v
+ *  INPUT -------->(+) ----> DATA
+ *
+ * Given:
+ *	iV: Initial vector, 64 bits (8 bytes) long.
+ *	Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ *	On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ *	V0 = DES(iV, key)
+ *	V(n+1) = DES(Vn, key)
+ *	On = Dn ^ Vn
+ */
+
+void ofb64_encrypt(unsigned char *s, int c)
+{
+	struct stinfo *stp = &fb[OFB].streams[DIR_ENCRYPT-1];
+	int index;
+
+	index = stp->str_index;
+	while (c-- > 0) {
+		if (index == sizeof(des_cblock)) {
+			des_cblock b;
+			des_ecb_encrypt(&stp->str_feed,&b, stp->str_sched, 1);
+			memcpy(stp->str_feed, b, sizeof(des_cblock));
+			index = 0;
+		}
+		*s++ ^= stp->str_feed[index];
+		index++;
+	}
+	stp->str_index = index;
+}
+
+int ofb64_decrypt(int data)
+{
+	struct stinfo *stp = &fb[OFB].streams[DIR_DECRYPT-1];
+	int index;
+
+	if (data == -1) {
+		/*
+		 * Back up one byte.  It is assumed that we will
+		 * never back up more than one byte.  If we do, this
+		 * may or may not work.
+		 */
+		if (stp->str_index)
+			--stp->str_index;
+		return(0);
+	}
+
+	index = stp->str_index++;
+	if (index == sizeof(des_cblock)) {
+		des_cblock b;
+		des_ecb_encrypt(&stp->str_feed,&b,stp->str_sched, 1);
+		memcpy(stp->str_feed, b, sizeof(des_cblock));
+		stp->str_index = 1;	/* Next time will be 1 */
+		index = 0;		/* But now use 0 */ 
+	}
+
+	return(data ^ stp->str_feed[index]);
+}
+#endif
+
diff --git a/crypto/heimdal/appl/telnet/libtelnet/encrypt.c b/crypto/heimdal/appl/telnet/libtelnet/encrypt.c
new file mode 100644
index 0000000..b6d26ab
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/encrypt.c
@@ -0,0 +1,995 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#include <config.h>
+
+RCSID("$Id: encrypt.c,v 1.22 2000/01/18 03:10:35 assar Exp $");
+
+#if	defined(ENCRYPTION)
+
+#define	ENCRYPT_NAMES
+#include <arpa/telnet.h>
+
+#include "encrypt.h"
+#include "misc.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+
+/*
+ * These functions pointers point to the current routines
+ * for encrypting and decrypting data.
+ */
+void	(*encrypt_output) (unsigned char *, int);
+int	(*decrypt_input) (int);
+char	*nclearto;
+
+int encrypt_debug_mode = 0;
+static int decrypt_mode = 0;
+static int encrypt_mode = 0;
+static int encrypt_verbose = 0;
+static int autoencrypt = 0;
+static int autodecrypt = 0;
+static int havesessionkey = 0;
+static int Server = 0;
+static const char *Name = "Noname";
+
+#define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
+
+static long i_support_encrypt = typemask(ENCTYPE_DES_CFB64)
+     | typemask(ENCTYPE_DES_OFB64);
+     static long i_support_decrypt = typemask(ENCTYPE_DES_CFB64)
+     | typemask(ENCTYPE_DES_OFB64);
+     static long i_wont_support_encrypt = 0;
+     static long i_wont_support_decrypt = 0;
+#define	I_SUPPORT_ENCRYPT	(i_support_encrypt & ~i_wont_support_encrypt)
+#define	I_SUPPORT_DECRYPT	(i_support_decrypt & ~i_wont_support_decrypt)
+
+     static long remote_supports_encrypt = 0;
+     static long remote_supports_decrypt = 0;
+
+     static Encryptions encryptions[] = {
+#if	defined(DES_ENCRYPTION)
+	 { "DES_CFB64",	ENCTYPE_DES_CFB64,
+	   cfb64_encrypt,	
+	   cfb64_decrypt,
+	   cfb64_init,
+	   cfb64_start,
+	   cfb64_is,
+	   cfb64_reply,
+	   cfb64_session,
+	   cfb64_keyid,
+	   cfb64_printsub },
+	 { "DES_OFB64",	ENCTYPE_DES_OFB64,
+	   ofb64_encrypt,	
+	   ofb64_decrypt,
+	   ofb64_init,
+	   ofb64_start,
+	   ofb64_is,
+	   ofb64_reply,
+	   ofb64_session,
+	   ofb64_keyid,
+	   ofb64_printsub },
+#endif
+	 { 0, },
+     };
+
+static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
+				      ENCRYPT_SUPPORT };
+static unsigned char str_suplen = 0;
+static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
+static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
+
+Encryptions *
+findencryption(int type)
+{
+    Encryptions *ep = encryptions;
+
+    if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type)))
+	return(0);
+    while (ep->type && ep->type != type)
+	++ep;
+    return(ep->type ? ep : 0);
+}
+
+Encryptions *
+finddecryption(int type)
+{
+    Encryptions *ep = encryptions;
+
+    if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type)))
+	return(0);
+    while (ep->type && ep->type != type)
+	++ep;
+    return(ep->type ? ep : 0);
+}
+
+#define	MAXKEYLEN 64
+
+static struct key_info {
+    unsigned char keyid[MAXKEYLEN];
+    int keylen;
+    int dir;
+    int *modep;
+    Encryptions *(*getcrypt)();
+} ki[2] = {
+    { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
+    { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
+};
+
+void
+encrypt_init(const char *name, int server)
+{
+    Encryptions *ep = encryptions;
+
+    Name = name;
+    Server = server;
+    i_support_encrypt = i_support_decrypt = 0;
+    remote_supports_encrypt = remote_supports_decrypt = 0;
+    encrypt_mode = 0;
+    decrypt_mode = 0;
+    encrypt_output = 0;
+    decrypt_input = 0;
+#ifdef notdef
+    encrypt_verbose = !server;
+#endif
+
+    str_suplen = 4;
+
+    while (ep->type) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: I will support %s\r\n",
+		   Name, ENCTYPE_NAME(ep->type));
+	i_support_encrypt |= typemask(ep->type);
+	i_support_decrypt |= typemask(ep->type);
+	if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
+	    if ((str_send[str_suplen++] = ep->type) == IAC)
+		str_send[str_suplen++] = IAC;
+	if (ep->init)
+	    (*ep->init)(Server);
+	++ep;
+    }
+    str_send[str_suplen++] = IAC;
+    str_send[str_suplen++] = SE;
+}
+
+void
+encrypt_list_types(void)
+{
+    Encryptions *ep = encryptions;
+
+    printf("Valid encryption types:\n");
+    while (ep->type) {
+	printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
+	++ep;
+    }
+}
+
+int
+EncryptEnable(char *type, char *mode)
+{
+    if (isprefix(type, "help") || isprefix(type, "?")) {
+	printf("Usage: encrypt enable <type> [input|output]\n");
+	encrypt_list_types();
+	return(0);
+    }
+    if (EncryptType(type, mode))
+	return(EncryptStart(mode));
+    return(0);
+}
+
+int
+EncryptDisable(char *type, char *mode)
+{
+    Encryptions *ep;
+    int ret = 0;
+
+    if (isprefix(type, "help") || isprefix(type, "?")) {
+	printf("Usage: encrypt disable <type> [input|output]\n");
+	encrypt_list_types();
+    } else if ((ep = (Encryptions *)genget(type, (char**)encryptions,
+					   sizeof(Encryptions))) == 0) {
+	printf("%s: invalid encryption type\n", type);
+    } else if (Ambiguous(ep)) {
+	printf("Ambiguous type '%s'\n", type);
+    } else {
+	if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
+	    if (decrypt_mode == ep->type)
+		EncryptStopInput();
+	    i_wont_support_decrypt |= typemask(ep->type);
+	    ret = 1;
+	}
+	if ((mode == 0) || (isprefix(mode, "output"))) {
+	    if (encrypt_mode == ep->type)
+		EncryptStopOutput();
+	    i_wont_support_encrypt |= typemask(ep->type);
+	    ret = 1;
+	}
+	if (ret == 0)
+	    printf("%s: invalid encryption mode\n", mode);
+    }
+    return(ret);
+}
+
+int
+EncryptType(char *type, char *mode)
+{
+    Encryptions *ep;
+    int ret = 0;
+
+    if (isprefix(type, "help") || isprefix(type, "?")) {
+	printf("Usage: encrypt type <type> [input|output]\n");
+	encrypt_list_types();
+    } else if ((ep = (Encryptions *)genget(type, (char**)encryptions,
+					   sizeof(Encryptions))) == 0) {
+	printf("%s: invalid encryption type\n", type);
+    } else if (Ambiguous(ep)) {
+	printf("Ambiguous type '%s'\n", type);
+    } else {
+	if ((mode == 0) || isprefix(mode, "input")) {
+	    decrypt_mode = ep->type;
+	    i_wont_support_decrypt &= ~typemask(ep->type);
+	    ret = 1;
+	}
+	if ((mode == 0) || isprefix(mode, "output")) {
+	    encrypt_mode = ep->type;
+	    i_wont_support_encrypt &= ~typemask(ep->type);
+	    ret = 1;
+	}
+	if (ret == 0)
+	    printf("%s: invalid encryption mode\n", mode);
+    }
+    return(ret);
+}
+
+int
+EncryptStart(char *mode)
+{
+    int ret = 0;
+    if (mode) {
+	if (isprefix(mode, "input"))
+	    return(EncryptStartInput());
+	if (isprefix(mode, "output"))
+	    return(EncryptStartOutput());
+	if (isprefix(mode, "help") || isprefix(mode, "?")) {
+	    printf("Usage: encrypt start [input|output]\n");
+	    return(0);
+	}
+	printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
+	return(0);
+    }
+    ret += EncryptStartInput();
+    ret += EncryptStartOutput();
+    return(ret);
+}
+
+int
+EncryptStartInput(void)
+{
+    if (decrypt_mode) {
+	encrypt_send_request_start();
+	return(1);
+    }
+    printf("No previous decryption mode, decryption not enabled\r\n");
+    return(0);
+}
+
+int
+EncryptStartOutput(void)
+{
+    if (encrypt_mode) {
+	encrypt_start_output(encrypt_mode);
+	return(1);
+    }
+    printf("No previous encryption mode, encryption not enabled\r\n");
+    return(0);
+}
+
+int
+EncryptStop(char *mode)
+{
+    int ret = 0;
+    if (mode) {
+	if (isprefix(mode, "input"))
+	    return(EncryptStopInput());
+	if (isprefix(mode, "output"))
+	    return(EncryptStopOutput());
+	if (isprefix(mode, "help") || isprefix(mode, "?")) {
+	    printf("Usage: encrypt stop [input|output]\n");
+	    return(0);
+	}
+	printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
+	return(0);
+    }
+    ret += EncryptStopInput();
+    ret += EncryptStopOutput();
+    return(ret);
+}
+
+int
+EncryptStopInput(void)
+{
+    encrypt_send_request_end();
+    return(1);
+}
+
+int
+EncryptStopOutput(void)
+{
+    encrypt_send_end();
+    return(1);
+}
+
+void
+encrypt_display(void)
+{
+    printf("Autoencrypt for output is %s. Autodecrypt for input is %s.\r\n",
+	   autoencrypt?"on":"off", autodecrypt?"on":"off");
+
+    if (encrypt_output)
+	printf("Currently encrypting output with %s\r\n",
+	       ENCTYPE_NAME(encrypt_mode));
+    else
+	printf("Currently not encrypting output\r\n");
+	
+    if (decrypt_input)
+	printf("Currently decrypting input with %s\r\n",
+	       ENCTYPE_NAME(decrypt_mode));
+    else
+	printf("Currently not decrypting input\r\n");
+}
+
+int
+EncryptStatus(void)
+{
+    printf("Autoencrypt for output is %s. Autodecrypt for input is %s.\r\n",
+	   autoencrypt?"on":"off", autodecrypt?"on":"off");
+
+    if (encrypt_output)
+	printf("Currently encrypting output with %s\r\n",
+	       ENCTYPE_NAME(encrypt_mode));
+    else if (encrypt_mode) {
+	printf("Currently output is clear text.\r\n");
+	printf("Last encryption mode was %s\r\n",
+	       ENCTYPE_NAME(encrypt_mode));
+    } else
+	printf("Currently not encrypting output\r\n");
+	
+    if (decrypt_input) {
+	printf("Currently decrypting input with %s\r\n",
+	       ENCTYPE_NAME(decrypt_mode));
+    } else if (decrypt_mode) {
+	printf("Currently input is clear text.\r\n");
+	printf("Last decryption mode was %s\r\n",
+	       ENCTYPE_NAME(decrypt_mode));
+    } else
+	printf("Currently not decrypting input\r\n");
+
+    return 1;
+}
+
+void
+encrypt_send_support(void)
+{
+    if (str_suplen) {
+	/*
+	 * If the user has requested that decryption start
+	 * immediatly, then send a "REQUEST START" before
+	 * we negotiate the type.
+	 */
+	if (!Server && autodecrypt)
+	    encrypt_send_request_start();
+	telnet_net_write(str_send, str_suplen);
+	printsub('>', &str_send[2], str_suplen - 2);
+	str_suplen = 0;
+    }
+}
+
+int
+EncryptDebug(int on)
+{
+    if (on < 0)
+	encrypt_debug_mode ^= 1;
+    else
+	encrypt_debug_mode = on;
+    printf("Encryption debugging %s\r\n",
+	   encrypt_debug_mode ? "enabled" : "disabled");
+    return(1);
+}
+
+/* turn on verbose encryption, but dont keep telling the whole world
+ */
+void encrypt_verbose_quiet(int on)
+{
+    if(on < 0)
+	encrypt_verbose ^= 1;
+    else
+	encrypt_verbose = on ? 1 : 0;
+}
+
+int
+EncryptVerbose(int on)
+{
+    encrypt_verbose_quiet(on);
+    printf("Encryption %s verbose\r\n",
+	   encrypt_verbose ? "is" : "is not");
+    return(1);
+}
+
+int
+EncryptAutoEnc(int on)
+{
+    encrypt_auto(on);
+    printf("Automatic encryption of output is %s\r\n",
+	   autoencrypt ? "enabled" : "disabled");
+    return(1);
+}
+
+int
+EncryptAutoDec(int on)
+{
+    decrypt_auto(on);
+    printf("Automatic decryption of input is %s\r\n",
+	   autodecrypt ? "enabled" : "disabled");
+    return(1);
+}
+
+/* Called when we receive a WONT or a DONT ENCRYPT after we sent a DO
+   encrypt */
+void
+encrypt_not(void)
+{
+    if (encrypt_verbose)
+  	printf("[ Connection is NOT encrypted ]\r\n");
+    else
+  	printf("\r\n*** Connection not encrypted! "
+	       "Communication may be eavesdropped. ***\r\n");
+}
+
+/*
+ * Called when ENCRYPT SUPPORT is received.
+ */
+void
+encrypt_support(unsigned char *typelist, int cnt)
+{
+    int type, use_type = 0;
+    Encryptions *ep;
+
+    /*
+     * Forget anything the other side has previously told us.
+     */
+    remote_supports_decrypt = 0;
+
+    while (cnt-- > 0) {
+	type = *typelist++;
+	if (encrypt_debug_mode)
+	    printf(">>>%s: He is supporting %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME(type), type);
+	if ((type < ENCTYPE_CNT) &&
+	    (I_SUPPORT_ENCRYPT & typemask(type))) {
+	    remote_supports_decrypt |= typemask(type);
+	    if (use_type == 0)
+		use_type = type;
+	}
+    }
+    if (use_type) {
+	ep = findencryption(use_type);
+	if (!ep)
+	    return;
+	type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
+	if (encrypt_debug_mode)
+	    printf(">>>%s: (*ep->start)() returned %d\r\n",
+		   Name, type);
+	if (type < 0)
+	    return;
+	encrypt_mode = use_type;
+	if (type == 0)
+	    encrypt_start_output(use_type);
+    }
+}
+
+void
+encrypt_is(unsigned char *data, int cnt)
+{
+    Encryptions *ep;
+    int type, ret;
+
+    if (--cnt < 0)
+	return;
+    type = *data++;
+    if (type < ENCTYPE_CNT)
+	remote_supports_encrypt |= typemask(type);
+    if (!(ep = finddecryption(type))) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	return;
+    }
+    if (!ep->is) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	ret = 0;
+    } else {
+	ret = (*ep->is)(data, cnt);
+	if (encrypt_debug_mode)
+	    printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
+		   (ret < 0) ? "FAIL " :
+		   (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+    }
+    if (ret < 0) {
+	autodecrypt = 0;
+    } else {
+	decrypt_mode = type;
+	if (ret == 0 && autodecrypt)
+	    encrypt_send_request_start();
+    }
+}
+
+void
+encrypt_reply(unsigned char *data, int cnt)
+{
+    Encryptions *ep;
+    int ret, type;
+
+    if (--cnt < 0)
+	return;
+    type = *data++;
+    if (!(ep = findencryption(type))) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	return;
+    }
+    if (!ep->reply) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	ret = 0;
+    } else {
+	ret = (*ep->reply)(data, cnt);
+	if (encrypt_debug_mode)
+	    printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
+		   data, cnt,
+		   (ret < 0) ? "FAIL " :
+		   (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+    }
+    if (encrypt_debug_mode)
+	printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
+    if (ret < 0) {
+	autoencrypt = 0;
+    } else {
+	encrypt_mode = type;
+	if (ret == 0 && autoencrypt)
+	    encrypt_start_output(type);
+    }
+}
+
+/*
+ * Called when a ENCRYPT START command is received.
+ */
+void
+encrypt_start(unsigned char *data, int cnt)
+{
+    Encryptions *ep;
+
+    if (!decrypt_mode) {
+	/*
+	 * Something is wrong.  We should not get a START
+	 * command without having already picked our
+	 * decryption scheme.  Send a REQUEST-END to
+	 * attempt to clear the channel...
+	 */
+	printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
+	encrypt_send_request_end();
+	return;
+    }
+
+    if ((ep = finddecryption(decrypt_mode))) {
+	decrypt_input = ep->input;
+	if (encrypt_verbose)
+	    printf("[ Input is now decrypted with type %s ]\r\n",
+		   ENCTYPE_NAME(decrypt_mode));
+	if (encrypt_debug_mode)
+	    printf(">>>%s: Start to decrypt input with type %s\r\n",
+		   Name, ENCTYPE_NAME(decrypt_mode));
+    } else {
+	printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
+	       Name,
+	       ENCTYPE_NAME_OK(decrypt_mode)
+	       ? ENCTYPE_NAME(decrypt_mode)
+	       : "(unknown)",
+	       decrypt_mode);
+	encrypt_send_request_end();
+    }
+}
+
+void
+encrypt_session_key(Session_Key *key, int server)
+{
+    Encryptions *ep = encryptions;
+
+    havesessionkey = 1;
+
+    while (ep->type) {
+	if (ep->session)
+	    (*ep->session)(key, server);
+	++ep;
+    }
+}
+
+/*
+ * Called when ENCRYPT END is received.
+ */
+void
+encrypt_end(void)
+{
+    decrypt_input = 0;
+    if (encrypt_debug_mode)
+	printf(">>>%s: Input is back to clear text\r\n", Name);
+    if (encrypt_verbose)
+	printf("[ Input is now clear text ]\r\n");
+}
+
+/*
+ * Called when ENCRYPT REQUEST-END is received.
+ */
+void
+encrypt_request_end(void)
+{
+    encrypt_send_end();
+}
+
+/*
+ * Called when ENCRYPT REQUEST-START is received.  If we receive
+ * this before a type is picked, then that indicates that the
+ * other side wants us to start encrypting data as soon as we
+ * can. 
+ */
+void
+encrypt_request_start(unsigned char *data, int cnt)
+{
+    if (encrypt_mode == 0)  {
+	if (Server)
+	    autoencrypt = 1;
+	return;
+    }
+    encrypt_start_output(encrypt_mode);
+}
+
+static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
+
+static void
+encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
+{
+    Encryptions *ep;
+    int dir = kp->dir;
+    int ret = 0;
+
+    if (!(ep = (*kp->getcrypt)(*kp->modep))) {
+	if (len == 0)
+	    return;
+	kp->keylen = 0;
+    } else if (len == 0) {
+	/*
+	 * Empty option, indicates a failure.
+	 */
+	if (kp->keylen == 0)
+	    return;
+	kp->keylen = 0;
+	if (ep->keyid)
+	    (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+
+    } else if ((len != kp->keylen) || (memcmp(keyid,kp->keyid,len) != 0)) {
+	/*
+	 * Length or contents are different
+	 */
+	kp->keylen = len;
+	memcpy(kp->keyid,keyid, len);
+	if (ep->keyid)
+	    (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+    } else {
+	if (ep->keyid)
+	    ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
+	if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
+	    encrypt_start_output(*kp->modep);
+	return;
+    }
+
+    encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
+}
+
+void encrypt_enc_keyid(unsigned char *keyid, int len)
+{
+    encrypt_keyid(&ki[1], keyid, len);
+}
+
+void encrypt_dec_keyid(unsigned char *keyid, int len)
+{
+    encrypt_keyid(&ki[0], keyid, len);
+}
+
+
+void encrypt_send_keyid(int dir, unsigned char *keyid, int keylen, int saveit)
+{
+    unsigned char *strp;
+
+    str_keyid[3] = (dir == DIR_ENCRYPT)
+	? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
+    if (saveit) {
+	struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
+	memcpy(kp->keyid,keyid, keylen);
+	kp->keylen = keylen;
+    }
+
+    for (strp = &str_keyid[4]; keylen > 0; --keylen) {
+	if ((*strp++ = *keyid++) == IAC)
+	    *strp++ = IAC;
+    }
+    *strp++ = IAC;
+    *strp++ = SE;
+    telnet_net_write(str_keyid, strp - str_keyid);
+    printsub('>', &str_keyid[2], strp - str_keyid - 2);
+}
+
+void
+encrypt_auto(int on)
+{
+    if (on < 0)
+	autoencrypt ^= 1;
+    else
+	autoencrypt = on ? 1 : 0;
+}
+
+void
+decrypt_auto(int on)
+{
+    if (on < 0)
+	autodecrypt ^= 1;
+    else
+	autodecrypt = on ? 1 : 0;
+}
+
+void
+encrypt_start_output(int type)
+{
+    Encryptions *ep;
+    unsigned char *p;
+    int i;
+
+    if (!(ep = findencryption(type))) {
+	if (encrypt_debug_mode) {
+	    printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	}
+	return;
+    }
+    if (ep->start) {
+	i = (*ep->start)(DIR_ENCRYPT, Server);
+	if (encrypt_debug_mode) {
+	    printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
+		   Name, 
+		   (i < 0) ? "failed" :
+		   "initial negotiation in progress",
+		   i, ENCTYPE_NAME(type));
+	}
+	if (i)
+	    return;
+    }
+    p = str_start + 3;
+    *p++ = ENCRYPT_START;
+    for (i = 0; i < ki[0].keylen; ++i) {
+	if ((*p++ = ki[0].keyid[i]) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    telnet_net_write(str_start, p - str_start);
+    net_encrypt();
+    printsub('>', &str_start[2], p - &str_start[2]);
+    /*
+     * If we are already encrypting in some mode, then
+     * encrypt the ring (which includes our request) in
+     * the old mode, mark it all as "clear text" and then
+     * switch to the new mode.
+     */
+    encrypt_output = ep->output;
+    encrypt_mode = type;
+    if (encrypt_debug_mode)
+	printf(">>>%s: Started to encrypt output with type %s\r\n",
+	       Name, ENCTYPE_NAME(type));
+    if (encrypt_verbose)
+	printf("[ Output is now encrypted with type %s ]\r\n",
+	       ENCTYPE_NAME(type));
+}
+
+void
+encrypt_send_end(void)
+{
+    if (!encrypt_output)
+	return;
+
+    str_end[3] = ENCRYPT_END;
+    telnet_net_write(str_end, sizeof(str_end));
+    net_encrypt();
+    printsub('>', &str_end[2], sizeof(str_end) - 2);
+    /*
+     * Encrypt the output buffer now because it will not be done by
+     * netflush...
+     */
+    encrypt_output = 0;
+    if (encrypt_debug_mode)
+	printf(">>>%s: Output is back to clear text\r\n", Name);
+    if (encrypt_verbose)
+	printf("[ Output is now clear text ]\r\n");
+}
+
+void
+encrypt_send_request_start(void)
+{
+    unsigned char *p;
+    int i;
+
+    p = &str_start[3];
+    *p++ = ENCRYPT_REQSTART;
+    for (i = 0; i < ki[1].keylen; ++i) {
+	if ((*p++ = ki[1].keyid[i]) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    telnet_net_write(str_start, p - str_start);
+    printsub('>', &str_start[2], p - &str_start[2]);
+    if (encrypt_debug_mode)
+	printf(">>>%s: Request input to be encrypted\r\n", Name);
+}
+
+void
+encrypt_send_request_end(void)
+{
+    str_end[3] = ENCRYPT_REQEND;
+    telnet_net_write(str_end, sizeof(str_end));
+    printsub('>', &str_end[2], sizeof(str_end) - 2);
+
+    if (encrypt_debug_mode)
+	printf(">>>%s: Request input to be clear text\r\n", Name);
+}
+
+
+void encrypt_wait(void)
+{
+    if (encrypt_debug_mode)
+	printf(">>>%s: in encrypt_wait\r\n", Name);
+    if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
+	return;
+    while (autoencrypt && !encrypt_output)
+	if (telnet_spin())
+	    return;
+}
+
+int
+encrypt_delay(void)
+{
+    if(!havesessionkey ||
+       (I_SUPPORT_ENCRYPT & remote_supports_decrypt) == 0 ||
+       (I_SUPPORT_DECRYPT & remote_supports_encrypt) == 0)
+	return 0;
+    if(!(encrypt_output && decrypt_input))
+	return 1;
+    return 0;
+}
+
+void
+encrypt_debug(int mode)
+{
+    encrypt_debug_mode = mode;
+}
+
+void encrypt_gen_printsub(unsigned char *data, int cnt, 
+			  unsigned char *buf, int buflen)
+{
+    char tbuf[16], *cp;
+
+    cnt -= 2;
+    data += 2;
+    buf[buflen-1] = '\0';
+    buf[buflen-2] = '*';
+    buflen -= 2;;
+    for (; cnt > 0; cnt--, data++) {
+	snprintf(tbuf, sizeof(tbuf), " %d", *data);
+	for (cp = tbuf; *cp && buflen > 0; --buflen)
+	    *buf++ = *cp++;
+	if (buflen <= 0)
+	    return;
+    }
+    *buf = '\0';
+}
+
+void
+encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    Encryptions *ep;
+    int type = data[1];
+
+    for (ep = encryptions; ep->type && ep->type != type; ep++)
+	;
+
+    if (ep->printsub)
+	(*ep->printsub)(data, cnt, buf, buflen);
+    else
+	encrypt_gen_printsub(data, cnt, buf, buflen);
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/encrypt.h b/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
new file mode 100644
index 0000000..7bc69db
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
@@ -0,0 +1,105 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)encrypt.h	8.1 (Berkeley) 6/4/93
+ *
+ *	@(#)encrypt.h	5.2 (Berkeley) 3/22/91
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: encrypt.h,v 1.6 2001/02/15 06:46:28 assar Exp $ */
+
+#ifndef	__ENCRYPT__
+#define	__ENCRYPT__
+
+#define	DIR_DECRYPT		1
+#define	DIR_ENCRYPT		2
+
+#define	VALIDKEY(key)	( key[0] | key[1] | key[2] | key[3] | \
+			  key[4] | key[5] | key[6] | key[7])
+
+#define	SAMEKEY(k1, k2)	(!memcmp(k1, k2, sizeof(des_cblock)))
+
+typedef	struct {
+	short		type;
+	int		length;
+	unsigned char	*data;
+} Session_Key;
+
+typedef struct {
+	char	*name;
+	int	type;
+	void	(*output) (unsigned char *, int);
+	int	(*input) (int);
+	void	(*init) (int);
+	int	(*start) (int, int);
+	int	(*is) (unsigned char *, int);
+	int	(*reply) (unsigned char *, int);
+	void	(*session) (Session_Key *, int);
+	int	(*keyid) (int, unsigned char *, int *);
+	void	(*printsub) (unsigned char *, int, unsigned char *, int);
+} Encryptions;
+
+#define	SK_DES		1	/* Matched Kerberos v5 KEYTYPE_DES */
+
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#define des_new_random_key des_random_key
+#else
+#include <des.h>
+#endif
+
+#include "enc-proto.h"
+
+extern int encrypt_debug_mode;
+extern int (*decrypt_input) (int);
+extern void (*encrypt_output) (unsigned char *, int);
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/genget.c b/crypto/heimdal/appl/telnet/libtelnet/genget.c
new file mode 100644
index 0000000..c17a7bd
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/genget.c
@@ -0,0 +1,103 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+#include "misc-proto.h"
+
+RCSID("$Id: genget.c,v 1.6 1997/05/04 09:01:34 assar Exp $");
+
+#include <ctype.h>
+
+#define	LOWER(x) (isupper(x) ? tolower(x) : (x))
+/*
+ * The prefix function returns 0 if *s1 is not a prefix
+ * of *s2.  If *s1 exactly matches *s2, the negative of
+ * the length is returned.  If *s1 is a prefix of *s2,
+ * the length of *s1 is returned.
+ */
+
+int
+isprefix(char *s1, char *s2)
+{
+    char *os1;
+    char c1, c2;
+
+    if (*s1 == '\0')
+	return(-1);
+    os1 = s1;
+    c1 = *s1;
+    c2 = *s2;
+    while (LOWER(c1) == LOWER(c2)) {
+	if (c1 == '\0')
+	    break;
+	c1 = *++s1;
+	c2 = *++s2;
+    }
+    return(*s1 ? 0 : (*s2 ? (s1 - os1) : (os1 - s1)));
+}
+
+static char *ambiguous;		/* special return value for command routines */
+
+char **
+genget(char *name, char **table, int stlen)
+     /* name to match */
+     /* name entry in table */
+	   	      
+{
+    char **c, **found;
+    int n;
+
+    if (name == 0)
+	return 0;
+
+    found = 0;
+    for (c = table; *c != 0; c = (char **)((char *)c + stlen)) {
+	if ((n = isprefix(name, *c)) == 0)
+	    continue;
+	if (n < 0)		/* exact match */
+	    return(c);
+	if (found)
+	    return(&ambiguous);
+	found = c;
+    }
+    return(found);
+}
+
+/*
+ * Function call version of Ambiguous()
+ */
+int
+Ambiguous(void *s)
+{
+    return((char **)s == &ambiguous);
+}
diff --git a/crypto/heimdal/appl/telnet/libtelnet/kerberos.c b/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
new file mode 100644
index 0000000..ea5a51e
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
@@ -0,0 +1,719 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: kerberos.c,v 1.51 2001/02/15 04:20:52 assar Exp $");
+
+#ifdef	KRB4
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <stdio.h>
+#include <krb.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int kerberos4_cksum (unsigned char *, int);
+extern int auth_debug_mode;
+
+static unsigned char str_data[2048] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KERBEROS_V4, };
+
+#define	KRB_AUTH	0		/* Authentication data follows */
+#define	KRB_REJECT	1		/* Rejected (reason might follow) */
+#define	KRB_ACCEPT	2		/* Accepted */
+#define	KRB_CHALLENGE	3		/* Challenge for mutual auth. */
+#define	KRB_RESPONSE	4		/* Response for mutual auth. */
+
+#define KRB_FORWARD		5	/* */
+#define KRB_FORWARD_ACCEPT	6	/* */
+#define KRB_FORWARD_REJECT	7	/* */
+
+#define KRB_SERVICE_NAME   "rcmd"
+
+static	KTEXT_ST auth;
+static	char name[ANAME_SZ];
+static	AUTH_DAT adat;
+static des_cblock session_key;
+static des_cblock cred_session;
+static des_key_schedule sched;
+static des_cblock challenge;
+static int auth_done; /* XXX */
+
+static int pack_cred(CREDENTIALS *cred, unsigned char *buf);
+static int unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred);
+
+
+static int
+Data(Authenticator *ap, int type, const void *d, int c)
+{
+    unsigned char *p = str_data + 4;
+    const unsigned char *cd = (const unsigned char *)d;
+
+    if (c == -1)
+	c = strlen((const char *)cd);
+
+    if (auth_debug_mode) {
+	printf("%s:%d: [%d] (%d)",
+	       str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+	       str_data[3],
+	       type, c);
+	printd(d, c);
+	printf("\r\n");
+    }
+    *p++ = ap->type;
+    *p++ = ap->way;
+    *p++ = type;
+    while (c-- > 0) {
+	if ((*p++ = *cd++) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    if (str_data[3] == TELQUAL_IS)
+	printsub('>', &str_data[2], p - (&str_data[2]));
+    return(telnet_net_write(str_data, p - str_data));
+}
+
+int
+kerberos4_init(Authenticator *ap, int server)
+{
+    FILE *fp;
+
+    if (server) {
+	str_data[3] = TELQUAL_REPLY;
+	if ((fp = fopen(KEYFILE, "r")) == NULL)
+	    return(0);
+	fclose(fp);
+    } else {
+	str_data[3] = TELQUAL_IS;
+    }
+    return(1);
+}
+
+char dst_realm_buf[REALM_SZ], *dest_realm = NULL;
+int dst_realm_sz = REALM_SZ;
+
+static int
+kerberos4_send(char *name, Authenticator *ap)
+{
+    KTEXT_ST auth;
+    char instance[INST_SZ];
+    char *realm;
+    CREDENTIALS cred;
+    int r;
+
+    if (!UserNameRequested) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V4: no user name supplied\r\n");
+	}
+	return(0);
+    }
+
+    memset(instance, 0, sizeof(instance));
+
+    strlcpy (instance,
+		     krb_get_phost(RemoteHostName),
+		     INST_SZ);
+
+    realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
+
+    if (!realm) {
+	printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
+	return(0);
+    }
+    printf("[ Trying %s (%s.%s@%s) ... ]\r\n", name, 
+	   KRB_SERVICE_NAME, instance, realm);
+    r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L);
+    if (r) {
+	printf("mk_req failed: %s\r\n", krb_get_err_text(r));
+	return(0);
+    }
+    r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred);
+    if (r) {
+	printf("get_cred failed: %s\r\n", krb_get_err_text(r));
+	return(0);
+    }
+    if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+	if (auth_debug_mode)
+	    printf("Not enough room for user name\r\n");
+	return(0);
+    }
+    if (auth_debug_mode)
+	printf("Sent %d bytes of authentication data\r\n", auth.length);
+    if (!Data(ap, KRB_AUTH, (void *)auth.dat, auth.length)) {
+	if (auth_debug_mode)
+	    printf("Not enough room for authentication data\r\n");
+	return(0);
+    }
+#ifdef ENCRYPTION
+    /* create challenge */
+    if ((ap->way & AUTH_HOW_MASK)==AUTH_HOW_MUTUAL) {
+	int i;
+
+	des_key_sched(&cred.session, sched);
+	memcpy (&cred_session, &cred.session, sizeof(cred_session));
+	des_init_random_number_generator(&cred.session);
+	des_new_random_key(&session_key);
+	des_ecb_encrypt(&session_key, &session_key, sched, 0);
+	des_ecb_encrypt(&session_key, &challenge, sched, 0);
+
+	/*
+	  old code
+	  Some CERT Advisory thinks this is a bad thing...
+	    
+	  des_init_random_number_generator(&cred.session);
+	  des_new_random_key(&challenge);
+	  des_ecb_encrypt(&challenge, &session_key, sched, 1);
+	  */
+	  
+	/*
+	 * Increment the challenge by 1, and encrypt it for
+	 * later comparison.
+	 */
+	for (i = 7; i >= 0; --i) 
+	    if(++challenge[i] != 0) /* No carry! */
+		break;
+	des_ecb_encrypt(&challenge, &challenge, sched, 1);
+    }
+
+#endif
+
+    if (auth_debug_mode) {
+	printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+	printd(auth.dat, auth.length);
+	printf("\r\n");
+	printf("Sent Kerberos V4 credentials to server\r\n");
+    }
+    return(1);
+}
+int
+kerberos4_send_mutual(Authenticator *ap)
+{
+    return kerberos4_send("mutual KERBEROS4", ap);
+}
+
+int
+kerberos4_send_oneway(Authenticator *ap)
+{
+    return kerberos4_send("KERBEROS4", ap);
+}
+
+void
+kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
+{
+    struct sockaddr_in addr;
+    char realm[REALM_SZ];
+    char instance[INST_SZ];
+    int r;
+    socklen_t addr_len;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_AUTH:
+	if (krb_get_lrealm(realm, 1) != KSUCCESS) {
+	    Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("No local realm\r\n");
+	    return;
+	}
+	memmove(auth.dat, data, auth.length = cnt);
+	if (auth_debug_mode) {
+	    printf("Got %d bytes of authentication data\r\n", cnt);
+	    printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+	    printd(auth.dat, auth.length);
+	    printf("\r\n");
+	}
+	k_getsockinst(0, instance, sizeof(instance));
+	addr_len = sizeof(addr);
+	if(getpeername(0, (struct sockaddr *)&addr, &addr_len) < 0) {
+	    if(auth_debug_mode)
+		printf("getpeername failed\r\n");
+	    Data(ap, KRB_REJECT, "getpeername failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    return;
+	}
+	if (addr.sin_family != AF_INET) {
+	    if (auth_debug_mode)
+		printf("unknown address family: %d\r\n", addr.sin_family);
+	    Data(ap, KRB_REJECT, "bad address family", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    return;
+	}
+
+	r = krb_rd_req(&auth, KRB_SERVICE_NAME,
+		       instance, addr.sin_addr.s_addr, &adat, "");
+	if (r) {
+	    if (auth_debug_mode)
+		printf("Kerberos failed him as %s\r\n", name);
+	    Data(ap, KRB_REJECT, (void *)krb_get_err_text(r), -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    return;
+	}
+	/* save the session key */
+	memmove(session_key, adat.session, sizeof(adat.session));
+	krb_kntoln(&adat, name);
+
+	if (UserNameRequested && !kuserok(&adat, UserNameRequested)){
+	    char ts[MaxPathLen];
+	    struct passwd *pw = getpwnam(UserNameRequested);
+
+	    if(pw){
+		snprintf(ts, sizeof(ts),
+			 "%s%u",
+			 TKT_ROOT,
+			 (unsigned)pw->pw_uid);
+		esetenv("KRBTKFILE", ts, 1);
+
+		if (pw->pw_uid == 0)
+		    syslog(LOG_INFO|LOG_AUTH,
+			   "ROOT Kerberos login from %s on %s\n",
+			   krb_unparse_name_long(adat.pname,
+						 adat.pinst,
+						 adat.prealm),
+			   RemoteHostName);
+	    }
+	    Data(ap, KRB_ACCEPT, NULL, 0);
+	} else {
+	    char *msg;
+
+	    asprintf (&msg, "user `%s' is not authorized to "
+		      "login as `%s'", 
+		      krb_unparse_name_long(adat.pname, 
+					    adat.pinst, 
+					    adat.prealm), 
+		      UserNameRequested ? UserNameRequested : "<nobody>");
+	    if (msg == NULL)
+		Data(ap, KRB_REJECT, NULL, 0);
+	    else {
+		Data(ap, KRB_REJECT, (void *)msg, -1);
+		free(msg);
+	    }
+	    auth_finished(ap, AUTH_REJECT);
+	    break;
+	}
+	auth_finished(ap, AUTH_USER);
+	break;
+	
+    case KRB_CHALLENGE:
+#ifndef ENCRYPTION
+	Data(ap, KRB_RESPONSE, NULL, 0);
+#else
+	if(!VALIDKEY(session_key)){
+	    Data(ap, KRB_RESPONSE, NULL, 0);
+	    break;
+	}
+	des_key_sched(&session_key, sched);
+	{
+	    des_cblock d_block;
+	    int i;
+	    Session_Key skey;
+
+	    memmove(d_block, data, sizeof(d_block));
+
+	    /* make a session key for encryption */
+	    des_ecb_encrypt(&d_block, &session_key, sched, 1);
+	    skey.type=SK_DES;
+	    skey.length=8;
+	    skey.data=session_key;
+	    encrypt_session_key(&skey, 1);
+
+	    /* decrypt challenge, add one and encrypt it */
+	    des_ecb_encrypt(&d_block, &challenge, sched, 0);
+	    for (i = 7; i >= 0; i--)
+		if(++challenge[i] != 0)
+		    break;
+	    des_ecb_encrypt(&challenge, &challenge, sched, 1);
+	    Data(ap, KRB_RESPONSE, (void *)challenge, sizeof(challenge));
+	}
+#endif
+	break;
+
+    case KRB_FORWARD:
+	{
+	    des_key_schedule ks;
+	    unsigned char netcred[sizeof(CREDENTIALS)];
+	    CREDENTIALS cred;
+	    int ret;
+	    if(cnt > sizeof(cred))
+		abort();
+
+	    memcpy (session_key, adat.session, sizeof(session_key));
+	    des_set_key(&session_key, ks);
+	    des_pcbc_encrypt((void*)data, (void*)netcred, cnt, 
+			     ks, &session_key, DES_DECRYPT);
+	    unpack_cred(netcred, cnt, &cred);
+	    {
+		if(strcmp(cred.service, KRB_TICKET_GRANTING_TICKET) ||
+		   strncmp(cred.instance, cred.realm, sizeof(cred.instance)) ||
+		   cred.lifetime < 0 || cred.lifetime > 255 ||
+		   cred.kvno < 0 || cred.kvno > 255 ||
+		   cred.issue_date < 0 || 
+		   cred.issue_date > time(0) + CLOCK_SKEW ||
+		   strncmp(cred.pname, adat.pname, sizeof(cred.pname)) ||
+		   strncmp(cred.pinst, adat.pinst, sizeof(cred.pinst))){
+		    Data(ap, KRB_FORWARD_REJECT, "Bad credentials", -1);
+		}else{
+		    if((ret = tf_setup(&cred,
+				       cred.pname,
+				       cred.pinst)) == KSUCCESS){
+		        struct passwd *pw = getpwnam(UserNameRequested);
+
+			if (pw)
+			  chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+			Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+		    } else{
+			Data(ap, KRB_FORWARD_REJECT, 
+			     krb_get_err_text(ret), -1);
+		    }
+		}
+	    }
+	    memset(data, 0, cnt);
+	    memset(ks, 0, sizeof(ks));
+	    memset(&cred, 0, sizeof(cred));
+	}
+	
+	break;
+
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	Data(ap, KRB_REJECT, 0, 0);
+	break;
+    }
+}
+
+void
+kerberos4_reply(Authenticator *ap, unsigned char *data, int cnt)
+{
+    Session_Key skey;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_REJECT:
+	if(auth_done){ /* XXX Ick! */
+	    printf("[ Kerberos V4 received unknown opcode ]\r\n");
+	}else{
+	    printf("[ Kerberos V4 refuses authentication ");
+	    if (cnt > 0) 
+		printf("because %.*s ", cnt, data);
+	    printf("]\r\n");
+	    auth_send_retry();
+	}
+	return;
+    case KRB_ACCEPT:
+	printf("[ Kerberos V4 accepts you ]\r\n");
+	auth_done = 1;
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+	    /*
+	     * Send over the encrypted challenge.
+	     */
+	    Data(ap, KRB_CHALLENGE, session_key, 
+		 sizeof(session_key));
+	    des_ecb_encrypt(&session_key, &session_key, sched, 1);
+	    skey.type = SK_DES;
+	    skey.length = 8;
+	    skey.data = session_key;
+	    encrypt_session_key(&skey, 0);
+#if 0
+	    kerberos4_forward(ap, &cred_session);
+#endif
+	    return;
+	}
+	auth_finished(ap, AUTH_USER);
+	return;
+    case KRB_RESPONSE:
+	/* make sure the response is correct */
+	if ((cnt != sizeof(des_cblock)) ||
+	    (memcmp(data, challenge, sizeof(challenge)))){
+	    printf("[ Kerberos V4 challenge failed!!! ]\r\n");
+	    auth_send_retry();
+	    return;
+	}
+	printf("[ Kerberos V4 challenge successful ]\r\n");
+	auth_finished(ap, AUTH_USER);
+	break;
+    case KRB_FORWARD_ACCEPT:
+	printf("[ Kerberos V4 accepted forwarded credentials ]\r\n");
+	break;
+    case KRB_FORWARD_REJECT:
+	printf("[ Kerberos V4 rejected forwarded credentials: `%.*s']\r\n",
+	       cnt, data);
+	break;
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	return;
+    }
+}
+
+int
+kerberos4_status(Authenticator *ap, char *name, size_t name_sz, int level)
+{
+    if (level < AUTH_USER)
+	return(level);
+
+    if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
+	strlcpy(name, UserNameRequested, name_sz);
+	return(AUTH_VALID);
+    } else
+	return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+void
+kerberos4_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    int i;
+
+    buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+    buflen -= 1;
+
+    switch(data[3]) {
+    case KRB_REJECT:		/* Rejected (reason might follow) */
+	strlcpy((char *)buf, " REJECT ", buflen);
+	goto common;
+
+    case KRB_ACCEPT:		/* Accepted (name might follow) */
+	strlcpy((char *)buf, " ACCEPT ", buflen);
+    common:
+	BUMP(buf, buflen);
+	if (cnt <= 4)
+	    break;
+	ADDC(buf, buflen, '"');
+	for (i = 4; i < cnt; i++)
+	    ADDC(buf, buflen, data[i]);
+	ADDC(buf, buflen, '"');
+	ADDC(buf, buflen, '\0');
+	break;
+
+    case KRB_AUTH:			/* Authentication data follows */
+	strlcpy((char *)buf, " AUTH", buflen);
+	goto common2;
+
+    case KRB_CHALLENGE:
+	strlcpy((char *)buf, " CHALLENGE", buflen);
+	goto common2;
+
+    case KRB_RESPONSE:
+	strlcpy((char *)buf, " RESPONSE", buflen);
+	goto common2;
+
+    default:
+	snprintf(buf, buflen, " %d (unknown)", data[3]);
+    common2:
+	BUMP(buf, buflen);
+	for (i = 4; i < cnt; i++) {
+	    snprintf(buf, buflen, " %d", data[i]);
+	    BUMP(buf, buflen);
+	}
+	break;
+    }
+}
+
+int
+kerberos4_cksum(unsigned char *d, int n)
+{
+    int ck = 0;
+
+    /*
+     * A comment is probably needed here for those not
+     * well versed in the "C" language.  Yes, this is
+     * supposed to be a "switch" with the body of the
+     * "switch" being a "while" statement.  The whole
+     * purpose of the switch is to allow us to jump into
+     * the middle of the while() loop, and then not have
+     * to do any more switch()s.
+     *
+     * Some compilers will spit out a warning message
+     * about the loop not being entered at the top.
+     */
+    switch (n&03)
+	while (n > 0) {
+	case 0:
+	    ck ^= (int)*d++ << 24;
+	    --n;
+	case 3:
+	    ck ^= (int)*d++ << 16;
+	    --n;
+	case 2:
+	    ck ^= (int)*d++ << 8;
+	    --n;
+	case 1:
+	    ck ^= (int)*d++;
+	    --n;
+	}
+    return(ck);
+}
+
+static int
+pack_cred(CREDENTIALS *cred, unsigned char *buf)
+{
+    unsigned char *p = buf;
+    
+    memcpy (p, cred->service, ANAME_SZ);
+    p += ANAME_SZ;
+    memcpy (p, cred->instance, INST_SZ);
+    p += INST_SZ;
+    memcpy (p, cred->realm, REALM_SZ);
+    p += REALM_SZ;
+    memcpy(p, cred->session, 8);
+    p += 8;
+    p += KRB_PUT_INT(cred->lifetime, p, 4, 4);
+    p += KRB_PUT_INT(cred->kvno, p, 4, 4);
+    p += KRB_PUT_INT(cred->ticket_st.length, p, 4, 4);
+    memcpy(p, cred->ticket_st.dat, cred->ticket_st.length);
+    p += cred->ticket_st.length;
+    p += KRB_PUT_INT(0, p, 4, 4);
+    p += KRB_PUT_INT(cred->issue_date, p, 4, 4);
+    memcpy (p, cred->pname, ANAME_SZ);
+    p += ANAME_SZ;
+    memcpy (p, cred->pinst, INST_SZ);
+    p += INST_SZ;
+    return p - buf;
+}
+
+static int
+unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred)
+{
+    unsigned char *p = buf;
+    u_int32_t tmp;
+
+    strncpy (cred->service, p, ANAME_SZ);
+    cred->service[ANAME_SZ - 1] = '\0';
+    p += ANAME_SZ;
+    strncpy (cred->instance, p, INST_SZ);
+    cred->instance[INST_SZ - 1] = '\0';
+    p += INST_SZ;
+    strncpy (cred->realm, p, REALM_SZ);
+    cred->realm[REALM_SZ - 1] = '\0';
+    p += REALM_SZ;
+
+    memcpy(cred->session, p, 8);
+    p += 8;
+    p += krb_get_int(p, &tmp, 4, 0);
+    cred->lifetime = tmp;
+    p += krb_get_int(p, &tmp, 4, 0);
+    cred->kvno = tmp;
+
+    p += krb_get_int(p, &cred->ticket_st.length, 4, 0);
+    memcpy(cred->ticket_st.dat, p, cred->ticket_st.length);
+    p += cred->ticket_st.length;
+    p += krb_get_int(p, &tmp, 4, 0);
+    cred->ticket_st.mbz = 0;
+    p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, 0);
+
+    strncpy (cred->pname, p, ANAME_SZ);
+    cred->pname[ANAME_SZ - 1] = '\0';
+    p += ANAME_SZ;
+    strncpy (cred->pinst, p, INST_SZ);
+    cred->pinst[INST_SZ - 1] = '\0';
+    p += INST_SZ;
+    return 0;
+}
+
+
+int
+kerberos4_forward(Authenticator *ap, void *v)
+{
+    des_cblock *key = (des_cblock *)v;
+    CREDENTIALS cred;
+    char *realm;
+    des_key_schedule ks;
+    int len;
+    unsigned char netcred[sizeof(CREDENTIALS)];
+    int ret;
+
+    realm = krb_realmofhost(RemoteHostName);
+    if(realm == NULL)
+	return -1;
+    memset(&cred, 0, sizeof(cred));
+    ret = krb_get_cred(KRB_TICKET_GRANTING_TICKET,
+		       realm,
+		       realm, 
+		       &cred);
+    if(ret)
+	return ret;
+    des_set_key(key, ks);
+    len = pack_cred(&cred, netcred);
+    des_pcbc_encrypt((void*)netcred, (void*)netcred, len,
+		     ks, key, DES_ENCRYPT);
+    memset(ks, 0, sizeof(ks));
+    Data(ap, KRB_FORWARD, netcred, len);
+    memset(netcred, 0, sizeof(netcred));
+    return 0;
+}
+
+#endif /* KRB4 */
+
diff --git a/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c b/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
new file mode 100644
index 0000000..f819904
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
@@ -0,0 +1,814 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include <config.h>
+
+RCSID("$Id: kerberos5.c,v 1.47 2001/01/09 18:45:33 assar Exp $");
+
+#ifdef	KRB5
+
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <pwd.h>
+#define Authenticator k5_Authenticator
+#include <krb5.h>
+#undef Authenticator
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+#if defined(DCE)
+int dfsk5ok = 0;
+int dfspag = 0;
+int dfsfwd = 0;
+#endif
+
+int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */
+
+/* These values need to be the same as those defined in telnet/main.c. */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS	0x00000002
+#define OPTS_FORWARDABLE_CREDS	0x00000001
+
+void kerberos5_forward (Authenticator *);
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KERBEROS_V5, };
+
+#define	KRB_AUTH		0	/* Authentication data follows */
+#define	KRB_REJECT		1	/* Rejected (reason might follow) */
+#define	KRB_ACCEPT		2	/* Accepted */
+#define	KRB_RESPONSE		3	/* Response for mutual auth. */
+
+#define KRB_FORWARD     	4       /* Forwarded credentials follow */
+#define KRB_FORWARD_ACCEPT     	5       /* Forwarded credentials accepted */
+#define KRB_FORWARD_REJECT     	6       /* Forwarded credentials rejected */
+
+static	krb5_data auth;
+static  krb5_ticket *ticket;
+
+static krb5_context context;
+static krb5_auth_context auth_context;
+
+static int
+Data(Authenticator *ap, int type, void *d, int c)
+{
+    unsigned char *p = str_data + 4;
+    unsigned char *cd = (unsigned char *)d;
+
+    if (c == -1)
+	c = strlen(cd);
+
+    if (auth_debug_mode) {
+	printf("%s:%d: [%d] (%d)",
+	       str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+	       str_data[3],
+	       type, c);
+	printd(d, c);
+	printf("\r\n");
+    }
+    *p++ = ap->type;
+    *p++ = ap->way;
+    *p++ = type;
+    while (c-- > 0) {
+	if ((*p++ = *cd++) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    if (str_data[3] == TELQUAL_IS)
+	printsub('>', &str_data[2], p - &str_data[2]);
+    return(telnet_net_write(str_data, p - str_data));
+}
+
+int
+kerberos5_init(Authenticator *ap, int server)
+{
+    krb5_error_code ret;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	return 0;
+    if (server) {
+	krb5_keytab kt;
+	krb5_kt_cursor cursor;
+
+	ret = krb5_kt_default(context, &kt);
+	if (ret)
+	    return 0;
+
+	ret = krb5_kt_start_seq_get (context, kt, &cursor);
+	if (ret) {
+	    krb5_kt_close (context, kt);
+	    return 0;
+	}
+	krb5_kt_end_seq_get (context, kt, &cursor);
+	krb5_kt_close (context, kt);
+
+	str_data[3] = TELQUAL_REPLY;
+    } else
+	str_data[3] = TELQUAL_IS;
+    return(1);
+}
+
+extern int net;
+static int
+kerberos5_send(char *name, Authenticator *ap)
+{
+    krb5_error_code ret;
+    krb5_ccache ccache;
+    int ap_opts;
+    krb5_data cksum_data;
+    char foo[2];
+    
+    if (!UserNameRequested) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V5: no user name supplied\r\n");
+	}
+	return(0);
+    }
+    
+    ret = krb5_cc_default(context, &ccache);
+    if (ret) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V5: could not get default ccache: %s\r\n",
+		   krb5_get_err_text (context, ret));
+	}
+	return 0;
+    }
+	
+    if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
+	ap_opts = AP_OPTS_MUTUAL_REQUIRED;
+    else
+	ap_opts = 0;
+    
+    ret = krb5_auth_con_init (context, &auth_context);
+    if (ret) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
+		   krb5_get_err_text(context, ret));
+	}
+	return(0);
+    }
+
+    ret = krb5_auth_con_setaddrs_from_fd (context,
+					  auth_context,
+					  &net);
+    if (ret) {
+	if (auth_debug_mode) {
+	    printf ("Kerberos V5:"
+		    " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
+		    krb5_get_err_text(context, ret));
+	}
+	return(0);
+    }
+
+    krb5_auth_setkeytype (context, auth_context, KEYTYPE_DES);
+
+    foo[0] = ap->type;
+    foo[1] = ap->way;
+
+    cksum_data.length = sizeof(foo);
+    cksum_data.data   = foo;
+
+
+    {
+	krb5_principal service;
+	char sname[128];
+
+
+	ret = krb5_sname_to_principal (context,
+				       RemoteHostName,
+				       NULL,
+				       KRB5_NT_SRV_HST,
+				       &service);
+	if(ret) {
+	    if (auth_debug_mode) {
+		printf ("Kerberos V5:"
+			" krb5_sname_to_principal(%s) failed (%s)\r\n",
+			RemoteHostName, krb5_get_err_text(context, ret));
+	    }
+	    return 0;
+	}
+	ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
+	if(ret) {
+	    if (auth_debug_mode) {
+		printf ("Kerberos V5:"
+			" krb5_unparse_name_fixed failed (%s)\r\n",
+			krb5_get_err_text(context, ret));
+	    }
+	    return 0;
+	}
+	printf("[ Trying %s (%s)... ]\r\n", name, sname);
+	ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
+				service, 
+				&cksum_data, ccache, &auth);
+	krb5_free_principal (context, service);
+
+    }
+    if (ret) {
+	if (1 || auth_debug_mode) {
+	    printf("Kerberos V5: mk_req failed (%s)\r\n",
+		   krb5_get_err_text(context, ret));
+	}
+	return(0);
+    }
+
+    if (!auth_sendname((unsigned char *)UserNameRequested,
+		       strlen(UserNameRequested))) {
+	if (auth_debug_mode)
+	    printf("Not enough room for user name\r\n");
+	return(0);
+    }
+    if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
+	if (auth_debug_mode)
+	    printf("Not enough room for authentication data\r\n");
+	return(0);
+    }
+    if (auth_debug_mode) {
+	printf("Sent Kerberos V5 credentials to server\r\n");
+    }
+    return(1);
+}
+
+int
+kerberos5_send_mutual(Authenticator *ap)
+{
+    return kerberos5_send("mutual KERBEROS5", ap);
+}
+
+int
+kerberos5_send_oneway(Authenticator *ap)
+{
+    return kerberos5_send("KERBEROS5", ap);
+}
+
+void
+kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
+{
+    krb5_error_code ret;
+    krb5_data outbuf;
+    krb5_keyblock *key_block;
+    char *name;
+    krb5_principal server;
+    int zero = 0;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_AUTH:
+	auth.data = (char *)data;
+	auth.length = cnt;
+
+	auth_context = NULL;
+
+	ret = krb5_auth_con_init (context, &auth_context);
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	ret = krb5_auth_con_setaddrs_from_fd (context,
+					      auth_context,
+					      &zero);
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: "
+		       "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	ret = krb5_sock_to_principal (context,
+				      0,
+				      "host",
+				      KRB5_NT_SRV_HST,
+				      &server);
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: "
+		       "krb5_sock_to_principal failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	ret = krb5_rd_req(context,
+			  &auth_context,
+			  &auth, 
+			  server,
+			  NULL,
+			  NULL,
+			  &ticket);
+
+	krb5_free_principal (context, server);
+	if (ret) {
+	    char *errbuf;
+
+	    asprintf(&errbuf,
+		     "Read req failed: %s",
+		     krb5_get_err_text(context, ret));
+	    Data(ap, KRB_REJECT, errbuf, -1);
+	    if (auth_debug_mode)
+		printf("%s\r\n", errbuf);
+	    free (errbuf);
+	    return;
+	}
+	
+	{
+	    char foo[2];
+	    
+	    foo[0] = ap->type;
+	    foo[1] = ap->way;
+	    
+	    ret = krb5_verify_authenticator_checksum(context,
+						     auth_context,
+						     foo, 
+						     sizeof(foo));
+
+	    if (ret) {
+		char *errbuf;
+		asprintf(&errbuf, "Bad checksum: %s", 
+			 krb5_get_err_text(context, ret));
+		Data(ap, KRB_REJECT, errbuf, -1);
+		if (auth_debug_mode)
+		    printf ("%s\r\n", errbuf);
+		free(errbuf);
+		return;
+	    }
+	}
+	ret = krb5_auth_con_getremotesubkey (context,
+					     auth_context,
+					     &key_block);
+
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: "
+		       "krb5_auth_con_getremotesubkey failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+	    ret = krb5_mk_rep(context, auth_context, &outbuf);
+	    if (ret) {
+		Data(ap, KRB_REJECT,
+		     "krb5_mk_rep failed", -1);
+		auth_finished(ap, AUTH_REJECT);
+		if (auth_debug_mode)
+		    printf("Kerberos V5: "
+			   "krb5_mk_rep failed (%s)\r\n",
+			   krb5_get_err_text(context, ret));
+		return;
+	    }
+	    Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
+	}
+	if (krb5_unparse_name(context, ticket->client, &name))
+	    name = 0;
+
+	if(UserNameRequested && krb5_kuserok(context,
+					     ticket->client,
+					     UserNameRequested)) {
+	    Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
+	    if (auth_debug_mode) {
+		printf("Kerberos5 identifies him as ``%s''\r\n",
+		       name ? name : "");
+	    }
+
+	    if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
+	       key_block->keytype == ETYPE_DES_CBC_MD4 ||
+	       key_block->keytype == ETYPE_DES_CBC_CRC) {
+		Session_Key skey;
+
+		skey.type = SK_DES;
+		skey.length = 8;
+		skey.data = key_block->keyvalue.data;
+		encrypt_session_key(&skey, 0);
+	    }
+
+	} else {
+	    char *msg;
+
+	    asprintf (&msg, "user `%s' is not authorized to "
+		      "login as `%s'", 
+		      name ? name : "<unknown>",
+		      UserNameRequested ? UserNameRequested : "<nobody>");
+	    if (msg == NULL)
+		Data(ap, KRB_REJECT, NULL, 0);
+	    else {
+		Data(ap, KRB_REJECT, (void *)msg, -1);
+		free(msg);
+	    }
+	    auth_finished (ap, AUTH_REJECT);
+	    krb5_free_keyblock_contents(context, key_block);
+	    break;
+	}
+	auth_finished(ap, AUTH_USER);
+	krb5_free_keyblock_contents(context, key_block);
+	
+	break;
+    case KRB_FORWARD: {
+	struct passwd *pwd;
+	char ccname[1024];	/* XXX */
+	krb5_data inbuf;
+	krb5_ccache ccache;
+	inbuf.data = (char *)data;
+	inbuf.length = cnt;
+
+	pwd = getpwnam (UserNameRequested);
+	if (pwd == NULL)
+	    break;
+
+	snprintf (ccname, sizeof(ccname),
+		  "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
+
+	ret = krb5_cc_resolve (context, ccname, &ccache);
+	if (ret) {
+	    if (auth_debug_mode)
+		printf ("Kerberos V5: could not get ccache: %s\r\n",
+			krb5_get_err_text(context, ret));
+	    break;
+	}
+
+	ret = krb5_cc_initialize (context,
+				  ccache,
+				  ticket->client);
+	if (ret) {
+	    if (auth_debug_mode)
+		printf ("Kerberos V5: could not init ccache: %s\r\n",
+			krb5_get_err_text(context, ret));
+	    break;
+	}
+
+#if defined(DCE)
+	esetenv("KRB5CCNAME", ccname, 1);
+#endif
+	ret = krb5_rd_cred2 (context,
+			     auth_context,
+			     ccache,
+			     &inbuf);
+	if(ret) {
+	    char *errbuf;
+
+	    asprintf (&errbuf,
+		      "Read forwarded creds failed: %s",
+		      krb5_get_err_text (context, ret));
+	    if(errbuf == NULL)
+		Data(ap, KRB_FORWARD_REJECT, NULL, 0);
+	    else
+		Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
+	    if (auth_debug_mode)
+		printf("Could not read forwarded credentials: %s\r\n",
+		       errbuf);
+	    free (errbuf);
+	} else {
+	    Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+#if defined(DCE)
+	    dfsfwd = 1;
+#endif
+	}
+	chown (ccname + 5, pwd->pw_uid, -1);
+	if (auth_debug_mode)
+	    printf("Forwarded credentials obtained\r\n");
+	break;
+    }
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	Data(ap, KRB_REJECT, 0, 0);
+	break;
+    }
+}
+
+void
+kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
+{
+    static int mutual_complete = 0;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_REJECT:
+	if (cnt > 0) {
+	    printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
+		   cnt, data);
+	} else
+	    printf("[ Kerberos V5 refuses authentication ]\r\n");
+	auth_send_retry();
+	return;
+    case KRB_ACCEPT: {
+	krb5_error_code ret;
+	Session_Key skey;
+	krb5_keyblock *keyblock;
+	
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
+	    !mutual_complete) {
+	    printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
+	    auth_send_retry();
+	    return;
+	}
+	if (cnt)
+	    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
+	else
+	    printf("[ Kerberos V5 accepts you ]\r\n");
+	      
+	ret = krb5_auth_con_getlocalsubkey (context,
+					    auth_context,
+					    &keyblock);
+	if (ret)
+	    ret = krb5_auth_con_getkey (context,
+					auth_context,
+					&keyblock);
+	if(ret) {
+	    printf("[ krb5_auth_con_getkey: %s ]\r\n",
+		   krb5_get_err_text(context, ret));
+	    auth_send_retry();
+	    return;
+	}
+	      
+	skey.type = SK_DES;
+	skey.length = 8;
+	skey.data = keyblock->keyvalue.data;
+	encrypt_session_key(&skey, 0);
+	krb5_free_keyblock_contents (context, keyblock);
+	auth_finished(ap, AUTH_USER);
+	if (forward_flags & OPTS_FORWARD_CREDS)
+	    kerberos5_forward(ap);
+	break;
+    }
+    case KRB_RESPONSE:
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+	    /* the rest of the reply should contain a krb_ap_rep */
+	  krb5_ap_rep_enc_part *reply;
+	  krb5_data inbuf;
+	  krb5_error_code ret;
+	    
+	  inbuf.length = cnt;
+	  inbuf.data = (char *)data;
+
+	  ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
+	  if (ret) {
+	      printf("[ Mutual authentication failed: %s ]\r\n",
+		     krb5_get_err_text (context, ret));
+	      auth_send_retry();
+	      return;
+	  }
+	  krb5_free_ap_rep_enc_part(context, reply);
+	  mutual_complete = 1;
+	}
+	return;
+    case KRB_FORWARD_ACCEPT:
+	printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
+	return;
+    case KRB_FORWARD_REJECT:
+	printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
+	       cnt, data);
+	return;
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	return;
+    }
+}
+
+int
+kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
+{
+    if (level < AUTH_USER)
+	return(level);
+
+    if (UserNameRequested &&
+	krb5_kuserok(context,
+		     ticket->client,
+		     UserNameRequested))
+	{
+	    strlcpy(name, UserNameRequested, name_sz);
+#if defined(DCE)
+	    dfsk5ok = 1;
+#endif
+	    return(AUTH_VALID);
+	} else
+	    return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+void
+kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    int i;
+
+    buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+    buflen -= 1;
+
+    switch(data[3]) {
+    case KRB_REJECT:		/* Rejected (reason might follow) */
+	strlcpy((char *)buf, " REJECT ", buflen);
+	goto common;
+
+    case KRB_ACCEPT:		/* Accepted (name might follow) */
+	strlcpy((char *)buf, " ACCEPT ", buflen);
+    common:
+	BUMP(buf, buflen);
+	if (cnt <= 4)
+	    break;
+	ADDC(buf, buflen, '"');
+	for (i = 4; i < cnt; i++)
+	    ADDC(buf, buflen, data[i]);
+	ADDC(buf, buflen, '"');
+	ADDC(buf, buflen, '\0');
+	break;
+
+
+    case KRB_AUTH:			/* Authentication data follows */
+	strlcpy((char *)buf, " AUTH", buflen);
+	goto common2;
+
+    case KRB_RESPONSE:
+	strlcpy((char *)buf, " RESPONSE", buflen);
+	goto common2;
+
+    case KRB_FORWARD:		/* Forwarded credentials follow */
+	strlcpy((char *)buf, " FORWARD", buflen);
+	goto common2;
+
+    case KRB_FORWARD_ACCEPT:	/* Forwarded credentials accepted */
+	strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
+	goto common2;
+
+    case KRB_FORWARD_REJECT:	/* Forwarded credentials rejected */
+	/* (reason might follow) */
+	strlcpy((char *)buf, " FORWARD_REJECT", buflen);
+	goto common2;
+
+    default:
+	snprintf(buf, buflen, " %d (unknown)", data[3]);
+    common2:
+	BUMP(buf, buflen);
+	for (i = 4; i < cnt; i++) {
+	    snprintf(buf, buflen, " %d", data[i]);
+	    BUMP(buf, buflen);
+	}
+	break;
+    }
+}
+
+void
+kerberos5_forward(Authenticator *ap)
+{
+    krb5_error_code ret;
+    krb5_ccache     ccache;
+    krb5_creds      creds;
+    krb5_kdc_flags  flags;
+    krb5_data       out_data;
+    krb5_principal  principal;
+
+    ret = krb5_cc_default (context, &ccache);
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("KerberosV5: could not get default ccache: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    ret = krb5_cc_get_principal (context, ccache, &principal);
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("KerberosV5: could not get principal: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    memset (&creds, 0, sizeof(creds));
+
+    creds.client = principal;
+    
+    ret = krb5_build_principal (context,
+				&creds.server,
+				strlen(principal->realm),
+				principal->realm,
+				"krbtgt",
+				principal->realm,
+				NULL);
+
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("KerberosV5: could not get principal: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    creds.times.endtime = 0;
+
+    flags.i = 0;
+    flags.b.forwarded = 1;
+    if (forward_flags & OPTS_FORWARDABLE_CREDS)
+	flags.b.forwardable = 1;
+
+    ret = krb5_get_forwarded_creds (context,
+				    auth_context,
+				    ccache,
+				    flags.i,
+				    RemoteHostName,
+				    &creds,
+				    &out_data);
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
+	if (auth_debug_mode)
+	    printf("Not enough room for authentication data\r\n");
+    } else {
+	if (auth_debug_mode)
+	    printf("Forwarded local Kerberos V5 credentials to server\r\n");
+    }
+}
+
+#if defined(DCE)
+/* if this was a K5 authentication try and join a PAG for the user. */
+void
+kerberos5_dfspag(void)
+{
+    if (dfsk5ok) {
+	dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
+			      UserNameRequested);
+    }
+}
+#endif
+
+#endif /* KRB5 */
diff --git a/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c b/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c
new file mode 100644
index 0000000..0a4ff86
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c
@@ -0,0 +1,436 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: krb4encpwd.c,v 1.19 2001/02/15 04:20:52 assar Exp $");
+
+#ifdef	KRB4_ENCPWD
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <pwd.h>
+#include <stdio.h>
+
+#include <krb.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int krb_mk_encpwd_req (KTEXT, char *, char *, char *, char *, char *, char *);
+int krb_rd_encpwd_req (KTEXT, char *, char *, u_long, AUTH_DAT *, char *, char *, char *, char *);
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KRB4_ENCPWD, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	KRB4_ENCPWD_AUTH	0	/* Authentication data follows */
+#define	KRB4_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
+#define KRB4_ENCPWD_ACCEPT	2	/* Accepted */
+#define	KRB4_ENCPWD_CHALLENGE	3	/* Challenge for mutual auth. */
+#define	KRB4_ENCPWD_ACK		4	/* Acknowledge */
+
+#define KRB_SERVICE_NAME    "rcmd"
+
+static	KTEXT_ST auth;
+static	char name[ANAME_SZ];
+static	char user_passwd[ANAME_SZ];
+static	AUTH_DAT adat = { 0 };
+static des_key_schedule sched;
+static char  challenge[REALM_SZ];
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen(cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(telnet_net_write(str_data, p - str_data));
+}
+
+	int
+krb4encpwd_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	char hostname[80], *cp, *realm;
+	des_clock skey;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+	} else {
+		str_data[3] = TELQUAL_IS;
+		gethostname(hostname, sizeof(hostname));
+		realm = krb_realmofhost(hostname);
+		cp = strchr(hostname, '.');
+		if (*cp != NULL) *cp = NULL;
+		if (read_service_key(KRB_SERVICE_NAME, hostname, realm, 0,
+					KEYFILE, (char *)skey)) {
+		  return(0);
+		}
+	}
+	return(1);
+}
+
+	int
+krb4encpwd_send(ap)
+	Authenticator *ap;
+{
+
+	printf("[ Trying KRB4ENCPWD ... ]\r\n");
+	if (!UserNameRequested) {
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+
+	if (!Data(ap, KRB4_ENCPWD_ACK, NULL, 0)) {
+		return(0);
+	}
+
+	return(1);
+}
+
+	void
+krb4encpwd_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	des_cblock datablock;
+	char  r_passwd[ANAME_SZ], r_user[ANAME_SZ];
+	char  lhostname[ANAME_SZ], *cp;
+	int r;
+	time_t now;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB4_ENCPWD_AUTH:
+		memmove(auth.dat, data, auth.length = cnt);
+
+		gethostname(lhostname, sizeof(lhostname));
+		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
+
+		if (r = krb_rd_encpwd_req(&auth, KRB_SERVICE_NAME, lhostname, 0, &adat, NULL, challenge, r_user, r_passwd)) {
+			Data(ap, KRB4_ENCPWD_REJECT, "Auth failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+		auth_encrypt_userpwd(r_passwd);
+		if (passwdok(UserNameRequested, UserPassword) == 0) {
+		  /*
+		   *  illegal username and password
+		   */
+		  Data(ap, KRB4_ENCPWD_REJECT, "Illegal password", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+
+		memmove(session_key, adat.session, sizeof(des_cblock));
+		Data(ap, KRB4_ENCPWD_ACCEPT, 0, 0);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	case KRB4_ENCPWD_CHALLENGE:
+		/*
+		 *  Take the received random challenge text and save
+		 *  for future authentication.
+		 */
+		memmove(challenge, data, sizeof(des_cblock));
+		break;
+
+
+	case KRB4_ENCPWD_ACK:
+		/*
+		 *  Receive ack, if mutual then send random challenge
+		 */
+
+		/*
+		 * If we are doing mutual authentication, get set up to send
+		 * the challenge, and verify it when the response comes back.
+		 */
+
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		  int i;
+
+		  time(&now);
+		  snprintf(challenge, sizeof(challenge), "%x", now);
+		  Data(ap, KRB4_ENCPWD_CHALLENGE, challenge, strlen(challenge));
+		}
+		break;
+
+	default:
+		Data(ap, KRB4_ENCPWD_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+krb4encpwd_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	KTEXT_ST krb_token;
+	des_cblock enckey;
+	CREDENTIALS cred;
+	int r;
+	char	randchal[REALM_SZ], instance[ANAME_SZ], *cp;
+	char	hostname[80], *realm;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB4_ENCPWD_REJECT:
+		if (cnt > 0) {
+			printf("[ KRB4_ENCPWD refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ KRB4_ENCPWD refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case KRB4_ENCPWD_ACCEPT:
+		printf("[ KRB4_ENCPWD accepts you ]\r\n");
+		auth_finished(ap, AUTH_USER);
+		return;
+	case KRB4_ENCPWD_CHALLENGE:
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+
+		gethostname(hostname, sizeof(hostname));
+		realm = krb_realmofhost(hostname);
+		memmove(challenge, data, cnt);
+		memset(user_passwd, 0, sizeof(user_passwd));
+		des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
+		UserPassword = user_passwd;
+		Challenge = challenge;
+		strlcpy(instance, RemoteHostName, sizeof(instance));
+		if ((cp = strchr(instance, '.')) != 0)  *cp = '\0';
+
+		if (r = krb_mk_encpwd_req(&krb_token, KRB_SERVICE_NAME, instance, realm, Challenge, UserNameRequested, user_passwd)) {
+		  krb_token.length = 0;
+		}
+
+		if (!Data(ap, KRB4_ENCPWD_AUTH, krb_token.dat, krb_token.length)) {
+		  return;
+		}
+
+		break;
+
+	default:
+		return;
+	}
+}
+
+	int
+krb4encpwd_status(ap, name, name_sz, level)
+	Authenticator *ap;
+	char *name;
+	size_t name_sz;
+	int level;
+{
+
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && passwdok(UserNameRequested, UserPassword)) {
+		strlcpy(name, UserNameRequested, name_sz);
+		return(AUTH_VALID);
+	} else {
+		return(AUTH_USER);
+	}
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+krb4encpwd_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case KRB4_ENCPWD_REJECT:	/* Rejected (reason might follow) */
+		strlcpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case KRB4_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
+		strlcpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case KRB4_ENCPWD_AUTH:		/* Authentication data follows */
+		strlcpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case KRB4_ENCPWD_CHALLENGE:
+		strlcpy((char *)buf, " CHALLENGE", buflen);
+		goto common2;
+
+	case KRB4_ENCPWD_ACK:
+		strlcpy((char *)buf, " ACK", buflen);
+		goto common2;
+
+	default:
+		snprintf(buf, buflen, " %d (unknown)", data[3]);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			snprintf(buf, buflen, " %d", data[i]);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+int passwdok(name, passwd)
+char *name, *passwd;
+{
+  char *crypt();
+  char *salt, *p;
+  struct passwd *pwd;
+  int   passwdok_status = 0;
+
+  if (pwd = k_getpwnam(name))
+    salt = pwd->pw_passwd;
+  else salt = "xx";
+
+  p = crypt(passwd, salt);
+
+  if (pwd && !strcmp(p, pwd->pw_passwd)) {
+    passwdok_status = 1;
+  } else passwdok_status = 0;
+  return(passwdok_status);
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h b/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h
new file mode 100644
index 0000000..7bbafa5
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/misc-proto.h
@@ -0,0 +1,79 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)misc-proto.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: misc-proto.h,v 1.9 2000/11/15 23:00:21 assar Exp $ */
+
+#ifndef	__MISC_PROTO__
+#define	__MISC_PROTO__
+
+void auth_encrypt_init (const char *, const char *, const char *, int);
+void auth_encrypt_user(const char *name);
+void auth_encrypt_connect (int);
+void printd (const unsigned char *, int);
+
+char** genget (char *name, char **table, int stlen);
+int isprefix(char *s1, char *s2);
+int Ambiguous(void *s);
+
+/*
+ * These functions are imported from the application
+ */
+int telnet_net_write (unsigned char *, int);
+void net_encrypt (void);
+int telnet_spin (void);
+char *telnet_getenv (const char *);
+char *telnet_gets (char *, char *, int, int);
+void printsub(int direction, unsigned char *pointer, int length);
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/misc.c b/crypto/heimdal/appl/telnet/libtelnet/misc.c
new file mode 100644
index 0000000..b7af237
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/misc.c
@@ -0,0 +1,95 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: misc.c,v 1.15 2000/01/25 23:24:58 assar Exp $");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+#include "misc.h"
+#include "auth.h"
+#include "encrypt.h"
+
+
+const char *RemoteHostName;
+const char *LocalHostName;
+char *UserNameRequested = 0;
+int ConnectedCount = 0;
+
+void
+auth_encrypt_init(const char *local, const char *remote, const char *name,
+		  int server)
+{
+    RemoteHostName = remote;
+    LocalHostName = local;
+#ifdef AUTHENTICATION
+    auth_init(name, server);
+#endif
+#ifdef ENCRYPTION
+    encrypt_init(name, server);
+#endif
+    if (UserNameRequested) {
+	free(UserNameRequested);
+	UserNameRequested = 0;
+    }
+}
+
+void
+auth_encrypt_user(const char *name)
+{
+    if (UserNameRequested)
+	free(UserNameRequested);
+    UserNameRequested = name ? strdup(name) : 0;
+}
+
+void
+auth_encrypt_connect(int cnt)
+{
+}
+
+void
+printd(const unsigned char *data, int cnt)
+{
+    if (cnt > 16)
+	cnt = 16;
+    while (cnt-- > 0) {
+	printf(" %02x", *data);
+	++data;
+    }
+}
diff --git a/crypto/heimdal/appl/telnet/libtelnet/misc.h b/crypto/heimdal/appl/telnet/libtelnet/misc.h
new file mode 100644
index 0000000..e315565
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/misc.h
@@ -0,0 +1,42 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)misc.h	8.1 (Berkeley) 6/4/93
+ */
+
+extern char *UserNameRequested;
+extern const char *LocalHostName;
+extern const char *RemoteHostName;
+extern int ConnectedCount;
+extern int ReservedPort;
+
+#include "misc-proto.h"
diff --git a/crypto/heimdal/appl/telnet/libtelnet/rsaencpwd.c b/crypto/heimdal/appl/telnet/libtelnet/rsaencpwd.c
new file mode 100644
index 0000000..dafb448
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/rsaencpwd.c
@@ -0,0 +1,487 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: rsaencpwd.c,v 1.18 1999/09/16 20:41:34 assar Exp $");
+
+#ifdef	RSA_ENCPWD
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <pwd.h>
+#include <stdio.h>
+
+#include <stdlib.h>
+#include <string.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+#include "cdc.h"
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_RSA_ENCPWD, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	RSA_ENCPWD_AUTH	0	/* Authentication data follows */
+#define	RSA_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
+#define RSA_ENCPWD_ACCEPT	2	/* Accepted */
+#define	RSA_ENCPWD_CHALLENGEKEY	3	/* Challenge and public key */
+
+#define NAME_SZ   40
+#define CHAL_SZ   20
+#define PWD_SZ    40
+
+static	KTEXT_ST auth;
+static	char name[NAME_SZ];
+static	char user_passwd[PWD_SZ];
+static  char key_file[2*NAME_SZ];
+static  char lhostname[NAME_SZ];
+static char  challenge[CHAL_SZ];
+static int   challenge_len;
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	if (type != NULL) *p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(telnet_net_write(str_data, p - str_data));
+}
+
+	int
+rsaencpwd_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	char  *cp;
+	FILE  *fp;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		memset(key_file, 0, sizeof(key_file));
+		gethostname(lhostname, sizeof(lhostname));
+		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
+		snprintf(key_file, sizeof(key_file),
+			 "/etc/.%s_privkey", lhostname);
+		if ((fp=fopen(key_file, "r"))==NULL) return(0);
+		fclose(fp);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+	int
+rsaencpwd_send(ap)
+	Authenticator *ap;
+{
+
+	printf("[ Trying RSAENCPWD ... ]\r\n");
+	if (!UserNameRequested) {
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+	if (!Data(ap, NULL, NULL, 0)) {
+		return(0);
+	}
+
+
+	return(1);
+}
+
+	void
+rsaencpwd_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	des_cblock datablock;
+	char  r_passwd[PWD_SZ], r_user[NAME_SZ];
+	char  *cp, key[160];
+	char  chalkey[160], *ptr;
+	FILE  *fp;
+	int r, i, j, chalkey_len, len;
+	time_t now;
+
+	cnt--;
+	switch (*data++) {
+	case RSA_ENCPWD_AUTH:
+		memmove(auth.dat, data, auth.length = cnt);
+
+		if ((fp=fopen(key_file, "r"))==NULL) {
+		  Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+		/*
+		 *  get privkey
+		 */
+		fscanf(fp, "%x;", &len);
+		for (i=0;i<len;i++) {
+		  j = getc(fp);  key[i]=j;
+		}
+		fclose(fp);
+
+		r = accept_rsa_encpwd(&auth, key, challenge,
+				      challenge_len, r_passwd);
+		if (r < 0) {
+		  Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+		auth_encrypt_userpwd(r_passwd);
+		if (rsaencpwd_passwdok(UserNameRequested, UserPassword) == 0) {
+		  /*
+		   *  illegal username and password
+		   */
+		  Data(ap, RSA_ENCPWD_REJECT, "Illegal password", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+
+		Data(ap, RSA_ENCPWD_ACCEPT, 0, 0);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+
+	case IAC:
+
+		/*
+		 * If we are doing mutual authentication, get set up to send
+		 * the challenge, and verify it when the response comes back.
+		 */
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY) {
+		  int i;
+
+
+		  time(&now);
+		  if ((now % 2) == 0) {
+		    snprintf(challenge, sizeof(challenge), "%x", now);
+		    challenge_len = strlen(challenge);
+		  } else {
+		    strlcpy(challenge, "randchal", sizeof(challenge));
+		    challenge_len = 8;
+		  }
+
+		  if ((fp=fopen(key_file, "r"))==NULL) {
+		    Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1);
+		    auth_finished(ap, AUTH_REJECT);
+		    return;
+		  }
+		  /*
+		   *  skip privkey
+		   */
+		  fscanf(fp, "%x;", &len);
+		  for (i=0;i<len;i++) {
+		    j = getc(fp);
+		  }
+		  /*
+		   * get pubkey
+		   */
+		  fscanf(fp, "%x;", &len);
+		  for (i=0;i<len;i++) {
+		    j = getc(fp);  key[i]=j;
+		  }
+		  fclose(fp);
+		  chalkey[0] = 0x30;
+		  ptr = (char *) &chalkey[1];
+		  chalkey_len = 1+NumEncodeLengthOctets(i)+i+1+NumEncodeLengthOctets(challenge_len)+challenge_len;
+		  EncodeLength(ptr, chalkey_len);
+		  ptr +=NumEncodeLengthOctets(chalkey_len);
+		  *ptr++ = 0x04;  /* OCTET STRING */
+		  *ptr++ = challenge_len;
+		  memmove(ptr, challenge, challenge_len);
+		  ptr += challenge_len;
+		  *ptr++ = 0x04;  /* OCTET STRING */
+		  EncodeLength(ptr, i);
+		  ptr += NumEncodeLengthOctets(i);
+		  memmove(ptr, key, i);
+		  chalkey_len = 1+NumEncodeLengthOctets(chalkey_len)+chalkey_len;
+		  Data(ap, RSA_ENCPWD_CHALLENGEKEY, chalkey, chalkey_len);
+		}
+		break;
+
+	default:
+		Data(ap, RSA_ENCPWD_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+rsaencpwd_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	KTEXT_ST token;
+	des_cblock enckey;
+	int r, pubkey_len;
+	char	randchal[CHAL_SZ], *cp;
+	char	chalkey[160], pubkey[128], *ptr;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case RSA_ENCPWD_REJECT:
+		if (cnt > 0) {
+			printf("[ RSA_ENCPWD refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ RSA_ENCPWD refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case RSA_ENCPWD_ACCEPT:
+		printf("[ RSA_ENCPWD accepts you ]\r\n");
+		auth_finished(ap, AUTH_USER);
+		return;
+	case RSA_ENCPWD_CHALLENGEKEY:
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+
+		memmove(chalkey, data, cnt);
+		ptr = (char *) &chalkey[0];
+		ptr += DecodeHeaderLength(chalkey);
+		if (*ptr != 0x04) {
+		  return;
+		}
+		*ptr++;
+		challenge_len = DecodeValueLength(ptr);
+		ptr += NumEncodeLengthOctets(challenge_len);
+		memmove(challenge, ptr, challenge_len);
+		ptr += challenge_len;
+		if (*ptr != 0x04) {
+		  return;
+		}
+		*ptr++;
+		pubkey_len = DecodeValueLength(ptr);
+		ptr += NumEncodeLengthOctets(pubkey_len);
+		memmove(pubkey, ptr, pubkey_len);
+		memset(user_passwd, 0, sizeof(user_passwd));
+		des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
+		UserPassword = user_passwd;
+		Challenge = challenge;
+		r = init_rsa_encpwd(&token, user_passwd, challenge, challenge_len, pubkey);
+		if (r < 0) {
+		  token.length = 1;
+		}
+
+		if (!Data(ap, RSA_ENCPWD_AUTH, token.dat, token.length)) {
+		  return;
+		}
+
+		break;
+
+	default:
+		return;
+	}
+}
+
+	int
+rsaencpwd_status(ap, name, name_sz, level)
+	Authenticator *ap;
+	char *name;
+	size_t name_sz;
+	int level;
+{
+
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && rsaencpwd_passwdok(UserNameRequested, UserPassword)) {
+		strlcpy(name, UserNameRequested, name_sz);
+		return(AUTH_VALID);
+	} else {
+		return(AUTH_USER);
+	}
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+rsaencpwd_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case RSA_ENCPWD_REJECT:	/* Rejected (reason might follow) */
+		strlcpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case RSA_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
+		strlcpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case RSA_ENCPWD_AUTH:		/* Authentication data follows */
+		strlcpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case RSA_ENCPWD_CHALLENGEKEY:
+		strlcpy((char *)buf, " CHALLENGEKEY", buflen);
+		goto common2;
+
+	default:
+		snprintf(buf, buflen, " %d (unknown)", data[3]);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			snprintf(buf, buflen, " %d", data[i]);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+int rsaencpwd_passwdok(name, passwd)
+char *name, *passwd;
+{
+  char *crypt();
+  char *salt, *p;
+  struct passwd *pwd;
+  int   passwdok_status = 0;
+
+  if (pwd = k_getpwnam(name))
+    salt = pwd->pw_passwd;
+  else salt = "xx";
+
+  p = crypt(passwd, salt);
+
+  if (pwd && !strcmp(p, pwd->pw_passwd)) {
+    passwdok_status = 1;
+  } else passwdok_status = 0;
+  return(passwdok_status);
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/libtelnet/spx.c b/crypto/heimdal/appl/telnet/libtelnet/spx.c
new file mode 100644
index 0000000..9155ef2
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/libtelnet/spx.c
@@ -0,0 +1,586 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: spx.c,v 1.17 1999/09/16 20:41:34 assar Exp $");
+
+#ifdef	SPX
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <stdio.h>
+#include "gssapi_defs.h"
+#include <stdlib.h>
+#include <string.h>
+
+#include <pwd.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_SPX, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	SPX_AUTH	0		/* Authentication data follows */
+#define	SPX_REJECT	1		/* Rejected (reason might follow) */
+#define SPX_ACCEPT	2		/* Accepted */
+
+static des_key_schedule sched;
+static des_cblock	challenge	= { 0 };
+
+
+/*******************************************************************/
+
+gss_OID_set		actual_mechs;
+gss_OID			actual_mech_type, output_name_type;
+int			major_status, status, msg_ctx = 0, new_status;
+int			req_flags = 0, ret_flags, lifetime_rec;
+gss_cred_id_t		gss_cred_handle;
+gss_ctx_id_t		actual_ctxhandle, context_handle;
+gss_buffer_desc		output_token, input_token, input_name_buffer;
+gss_buffer_desc		status_string;
+gss_name_t		desired_targname, src_name;
+gss_channel_bindings	input_chan_bindings;
+char			lhostname[GSS_C_MAX_PRINTABLE_NAME];
+char			targ_printable[GSS_C_MAX_PRINTABLE_NAME];
+int			to_addr=0, from_addr=0;
+char			*address;
+gss_buffer_desc		fullname_buffer;
+gss_OID			fullname_type;
+gss_cred_id_t		gss_delegated_cred_handle;
+
+/*******************************************************************/
+
+
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(telnet_net_write(str_data, p - str_data));
+}
+
+	int
+spx_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	gss_cred_id_t	tmp_cred_handle;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		gethostname(lhostname, sizeof(lhostname));
+		snprintf (targ_printable, sizeof(targ_printable),
+			  "SERVICE:rcmd@%s", lhostname);
+		input_name_buffer.length = strlen(targ_printable);
+		input_name_buffer.value = targ_printable;
+		major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+		major_status = gss_acquire_cred(&status,
+					desired_targname,
+					0,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&tmp_cred_handle,
+					&actual_mechs,
+					&lifetime_rec);
+		if (major_status != GSS_S_COMPLETE) return(0);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+	int
+spx_send(ap)
+	Authenticator *ap;
+{
+	des_cblock enckey;
+	int r;
+
+	gss_OID	actual_mech_type, output_name_type;
+	int	msg_ctx = 0, new_status, status;
+	int	req_flags = 0, ret_flags, lifetime_rec, major_status;
+	gss_buffer_desc  output_token, input_token, input_name_buffer;
+	gss_buffer_desc  output_name_buffer, status_string;
+	gss_name_t    desired_targname;
+	gss_channel_bindings  input_chan_bindings;
+	char targ_printable[GSS_C_MAX_PRINTABLE_NAME];
+	int  from_addr=0, to_addr=0, myhostlen, j;
+	int  deleg_flag=1, mutual_flag=0, replay_flag=0, seq_flag=0;
+	char *address;
+
+	printf("[ Trying SPX ... ]\r\n");
+	snprintf (targ_printable, sizeof(targ_printable),
+		  "SERVICE:rcmd@%s", RemoteHostName);
+
+	input_name_buffer.length = strlen(targ_printable);
+	input_name_buffer.value = targ_printable;
+
+	if (!UserNameRequested) {
+		return(0);
+	}
+
+	major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+
+
+	major_status = gss_display_name(&status,
+					desired_targname,
+					&output_name_buffer,
+					&output_name_type);
+
+	printf("target is '%s'\n", output_name_buffer.value); fflush(stdout);
+
+	major_status = gss_release_buffer(&status, &output_name_buffer);
+
+	input_chan_bindings = (gss_channel_bindings)
+	  malloc(sizeof(gss_channel_bindings_desc));
+
+	input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
+	input_chan_bindings->initiator_address.length = 4;
+	address = (char *) malloc(4);
+	input_chan_bindings->initiator_address.value = (char *) address;
+	address[0] = ((from_addr & 0xff000000) >> 24);
+	address[1] = ((from_addr & 0xff0000) >> 16);
+	address[2] = ((from_addr & 0xff00) >> 8);
+	address[3] = (from_addr & 0xff);
+	input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
+	input_chan_bindings->acceptor_address.length = 4;
+	address = (char *) malloc(4);
+	input_chan_bindings->acceptor_address.value = (char *) address;
+	address[0] = ((to_addr & 0xff000000) >> 24);
+	address[1] = ((to_addr & 0xff0000) >> 16);
+	address[2] = ((to_addr & 0xff00) >> 8);
+	address[3] = (to_addr & 0xff);
+	input_chan_bindings->application_data.length = 0;
+
+	req_flags = 0;
+	if (deleg_flag)  req_flags = req_flags | 1;
+	if (mutual_flag) req_flags = req_flags | 2;
+	if (replay_flag) req_flags = req_flags | 4;
+	if (seq_flag)    req_flags = req_flags | 8;
+
+	major_status = gss_init_sec_context(&status,         /* minor status */
+					GSS_C_NO_CREDENTIAL, /* cred handle */
+					&actual_ctxhandle,   /* ctx handle */
+					desired_targname,    /* target name */
+					GSS_C_NULL_OID,      /* mech type */
+					req_flags,           /* req flags */
+					0,                   /* time req */
+					input_chan_bindings, /* chan binding */
+					GSS_C_NO_BUFFER,     /* input token */
+					&actual_mech_type,   /* actual mech */
+					&output_token,       /* output token */
+					&ret_flags,          /* ret flags */
+					&lifetime_rec);      /* time rec */
+
+	if ((major_status != GSS_S_COMPLETE) &&
+	    (major_status != GSS_S_CONTINUE_NEEDED)) {
+	  gss_display_status(&new_status,
+				status,
+				GSS_C_MECH_CODE,
+				GSS_C_NULL_OID,
+				&msg_ctx,
+				&status_string);
+	  printf("%s\n", status_string.value);
+	  return(0);
+	}
+
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+
+	if (!Data(ap, SPX_AUTH, output_token.value, output_token.length)) {
+		return(0);
+	}
+
+	return(1);
+}
+
+	void
+spx_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	des_cblock datablock;
+	int r;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case SPX_AUTH:
+		input_token.length = cnt;
+		input_token.value = (char *) data;
+
+		gethostname(lhostname, sizeof(lhostname));
+
+		snprintf(targ_printable, sizeof(targ_printable),
+			 "SERVICE:rcmd@%s", lhostname);
+
+		input_name_buffer.length = strlen(targ_printable);
+		input_name_buffer.value = targ_printable;
+
+		major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+
+		major_status = gss_acquire_cred(&status,
+					desired_targname,
+					0,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&gss_cred_handle,
+					&actual_mechs,
+					&lifetime_rec);
+
+		major_status = gss_release_name(&status, desired_targname);
+
+		input_chan_bindings = (gss_channel_bindings)
+		  malloc(sizeof(gss_channel_bindings_desc));
+
+		input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
+		input_chan_bindings->initiator_address.length = 4;
+		address = (char *) malloc(4);
+		input_chan_bindings->initiator_address.value = (char *) address;
+		address[0] = ((from_addr & 0xff000000) >> 24);
+		address[1] = ((from_addr & 0xff0000) >> 16);
+		address[2] = ((from_addr & 0xff00) >> 8);
+		address[3] = (from_addr & 0xff);
+		input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
+		input_chan_bindings->acceptor_address.length = 4;
+		address = (char *) malloc(4);
+		input_chan_bindings->acceptor_address.value = (char *) address;
+		address[0] = ((to_addr & 0xff000000) >> 24);
+		address[1] = ((to_addr & 0xff0000) >> 16);
+		address[2] = ((to_addr & 0xff00) >> 8);
+		address[3] = (to_addr & 0xff);
+		input_chan_bindings->application_data.length = 0;
+
+		major_status = gss_accept_sec_context(&status,
+						&context_handle,
+						gss_cred_handle,
+						&input_token,
+						input_chan_bindings,
+						&src_name,
+						&actual_mech_type,
+						&output_token,
+						&ret_flags,
+						&lifetime_rec,
+						&gss_delegated_cred_handle);
+
+
+		if (major_status != GSS_S_COMPLETE) {
+
+		  major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+			Data(ap, SPX_REJECT, "auth failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+
+
+		Data(ap, SPX_ACCEPT, output_token.value, output_token.length);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	default:
+		Data(ap, SPX_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+spx_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case SPX_REJECT:
+		if (cnt > 0) {
+			printf("[ SPX refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ SPX refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case SPX_ACCEPT:
+		printf("[ SPX accepts you ]\r\n");
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+			/*
+			 * Send over the encrypted challenge.
+		 	 */
+		  input_token.value = (char *) data;
+		  input_token.length = cnt;
+
+		  major_status = gss_init_sec_context(&status, /* minor stat */
+					GSS_C_NO_CREDENTIAL, /* cred handle */
+					&actual_ctxhandle,   /* ctx handle */
+					desired_targname,    /* target name */
+					GSS_C_NULL_OID,      /* mech type */
+					req_flags,           /* req flags */
+					0,                   /* time req */
+					input_chan_bindings, /* chan binding */
+					&input_token,        /* input token */
+					&actual_mech_type,   /* actual mech */
+					&output_token,       /* output token */
+					&ret_flags,          /* ret flags */
+					&lifetime_rec);      /* time rec */
+
+		  if (major_status != GSS_S_COMPLETE) {
+		    gss_display_status(&new_status,
+					status,
+					GSS_C_MECH_CODE,
+					GSS_C_NULL_OID,
+					&msg_ctx,
+					&status_string);
+		    printf("[ SPX mutual response fails ... '%s' ]\r\n",
+			 status_string.value);
+		    auth_send_retry();
+		    return;
+		  }
+		}
+		auth_finished(ap, AUTH_USER);
+		return;
+
+	default:
+		return;
+	}
+}
+
+	int
+spx_status(ap, name, name_sz, level)
+	Authenticator *ap;
+	char *name;
+	size_t name_sz;
+	int level;
+{
+
+	gss_buffer_desc  fullname_buffer, acl_file_buffer;
+	gss_OID          fullname_type;
+	char acl_file[160], fullname[160];
+	int major_status, status = 0;
+	struct passwd  *pwd;
+
+	/*
+	 * hard code fullname to
+	 *   "SPX:/C=US/O=Digital/OU=LKG/OU=Sphinx/OU=Users/CN=Kannan Alagappan"
+	 * and acl_file to "~kannan/.sphinx"
+	 */
+
+	pwd = k_getpwnam(UserNameRequested);
+	if (pwd == NULL) {
+	  return(AUTH_USER);   /*  not authenticated  */
+	}
+
+	snprintf (acl_file, sizeof(acl_file),
+		  "%s/.sphinx", pwd->pw_dir);
+
+	acl_file_buffer.value = acl_file;
+	acl_file_buffer.length = strlen(acl_file);
+
+	major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+
+	if (level < AUTH_USER)
+		return(level);
+
+	major_status = gss__check_acl(&status, &fullname_buffer,
+					&acl_file_buffer);
+
+	if (major_status == GSS_S_COMPLETE) {
+	  strlcpy(name, UserNameRequested, name_sz);
+	  return(AUTH_VALID);
+	} else {
+	   return(AUTH_USER);
+	}
+
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+spx_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case SPX_REJECT:		/* Rejected (reason might follow) */
+		strlcpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case SPX_ACCEPT:		/* Accepted (name might follow) */
+		strlcpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case SPX_AUTH:			/* Authentication data follows */
+		strlcpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	default:
+		snprintf(buf, buflen, " %d (unknown)", data[3]);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			snprintf(buf, buflen, " %d", data[i]);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnet.state b/crypto/heimdal/appl/telnet/telnet.state
new file mode 100644
index 0000000..1927a2b
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet.state
@@ -0,0 +1,80 @@
+
+   Three pieces of state need to be kept for each side of each option.
+   (You need the localside, sending WILL/WONT & receiving DO/DONT, and
+   the remoteside, sending DO/DONT and receiving WILL/WONT)
+
+	MY_STATE:	What state am I in?
+	WANT_STATE:	What state do I want?
+	WANT_RESP:	How many requests have I initiated?
+
+   Default values:
+	MY_STATE = WANT_STATE = DONT
+	WANT_RESP = 0
+
+   The local setup will change based on the state of the Telnet
+   variables.  When we are the originator, we can either make the
+   local setup changes at option request time (in which case if
+   the option is denied we need to change things back) or when
+   the option is acknowledged.
+
+   To initiate a switch to NEW_STATE:
+
+	if ((WANT_RESP == 0 && NEW_STATE == MY_STATE) ||
+			WANT_STATE == NEW_STATE) {
+	    do nothing;
+	} else {
+	    /*
+	     * This is where the logic goes to change the local setup
+	     * if we are doing so at request initiation
+	     */
+	    WANT_STATE = NEW_STATE;
+	    send NEW_STATE;
+	    WANT_RESP += 1;
+	}
+
+   When receiving NEW_STATE:
+
+	if (WANT_RESP) {
+	    --WANT_RESP;
+	    if (WANT_RESP && (NEW_STATE == MY_STATE))
+		--WANT_RESP;
+	}
+	if (WANT_RESP == 0) {
+	    if (NEW_STATE != WANT_STATE) {
+		/*
+		 * This is where the logic goes to decide if it is ok
+		 * to switch to NEW_STATE, and if so, do any necessary
+		 * local setup changes.
+		 */
+		if (ok_to_switch_to NEW_STATE)
+		    WANT_STATE = NEW_STATE;
+		else
+		    WANT_RESP++;
+*		if (MY_STATE != WANT_STATE)
+		    reply with WANT_STATE;
+	    } else {
+		/*
+		 * This is where the logic goes to change the local setup
+		 * if we are doing so at request acknowledgment
+		 */
+	    }
+	}
+	MY_STATE = NEW_STATE;
+
+* This if() line is not needed, it should be ok to always do the
+  "reply with WANT_STATE".  With the if() line, asking to turn on
+  an option that the other side doesn't understand is:
+		Send DO option
+		Recv WONT option
+  Without the if() line, it is:
+		Send DO option
+		Recv WONT option
+		Send DONT option
+  If the other side does not expect to receive the latter case,
+  but generates the latter case, then there is a potential for
+  option negotiation loops.  An implementation that does not expect
+  to get the second case should not generate it, an implementation
+  that does expect to get it may or may not generate it, and things
+  will still work.  Being conservative in what we send, we have the
+  if() statement in, but we expect the other side to generate the
+  last response.
diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile.am b/crypto/heimdal/appl/telnet/telnet/Makefile.am
new file mode 100644
index 0000000..3107850
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/Makefile.am
@@ -0,0 +1,23 @@
+# $Id: Makefile.am,v 1.15 2001/02/07 06:11:52 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4)
+
+bin_PROGRAMS = telnet
+
+CHECK_LOCAL = 
+
+telnet_SOURCES  = authenc.c commands.c main.c network.c ring.c \
+		  sys_bsd.c telnet.c terminal.c \
+		  utilities.c defines.h externs.h ring.h telnet_locl.h types.h
+
+man_MANS = telnet.1
+
+LDADD = ../libtelnet/libtelnet.a \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_tgetent) \
+	$(LIB_kdfs) \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile.in b/crypto/heimdal/appl/telnet/telnet/Makefile.in
new file mode 100644
index 0000000..02dedee
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/Makefile.in
@@ -0,0 +1,634 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.15 2001/02/07 06:11:52 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = 
+
+bin_PROGRAMS = telnet
+
+telnet_SOURCES = authenc.c commands.c main.c network.c ring.c \
+		  sys_bsd.c telnet.c terminal.c \
+		  utilities.c defines.h externs.h ring.h telnet_locl.h types.h
+
+
+man_MANS = telnet.1
+
+LDADD = ../libtelnet/libtelnet.a \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_tgetent) \
+	$(LIB_kdfs) \
+	$(LIB_roken)
+
+subdir = appl/telnet/telnet
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  telnet$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_telnet_OBJECTS =  authenc.$(OBJEXT) commands.$(OBJEXT) main.$(OBJEXT) \
+network.$(OBJEXT) ring.$(OBJEXT) sys_bsd.$(OBJEXT) telnet.$(OBJEXT) \
+terminal.$(OBJEXT) utilities.$(OBJEXT)
+telnet_OBJECTS =  $(am_telnet_OBJECTS)
+telnet_LDADD = $(LDADD)
+@DCE_FALSE@@KRB5_FALSE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a
+@DCE_FALSE@@KRB5_TRUE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_TRUE@@KRB5_FALSE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB5_TRUE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+telnet_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(telnet_SOURCES)
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(telnet_SOURCES)
+OBJECTS = $(am_telnet_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/telnet/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+telnet$(EXEEXT): $(telnet_OBJECTS) $(telnet_DEPENDENCIES)
+	@rm -f telnet$(EXEEXT)
+	$(LINK) $(telnet_LDFLAGS) $(telnet_OBJECTS) $(telnet_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man uninstall-man tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/telnet/authenc.c b/crypto/heimdal/appl/telnet/telnet/authenc.c
new file mode 100644
index 0000000..ffce23c
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/authenc.c
@@ -0,0 +1,91 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: authenc.c,v 1.11 2000/11/15 23:00:58 assar Exp $");
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+int
+telnet_net_write(unsigned char *str, int len)
+{
+	if (NETROOM() > len) {
+		ring_supply_data(&netoring, str, len);
+		if (str[0] == IAC && str[1] == SE)
+			printsub('>', &str[2], len-2);
+		return(len);
+	}
+	return(0);
+}
+
+void
+net_encrypt(void)
+{
+#if	defined(ENCRYPTION)
+	if (encrypt_output)
+		ring_encrypt(&netoring, encrypt_output);
+	else
+		ring_clearto(&netoring);
+#endif
+}
+
+int
+telnet_spin(void)
+{
+	return(-1);
+}
+
+char *
+telnet_getenv(const char *val)
+{
+	return((char *)env_getvalue((unsigned char *)val));
+}
+
+char *
+telnet_gets(char *prompt, char *result, int length, int echo)
+{
+	int om = globalmode;
+	char *res;
+
+	TerminalNewMode(-1);
+	if (echo) {
+		printf("%s", prompt);
+		res = fgets(result, length, stdin);
+	} else if ((res = getpass(prompt))) {
+		strlcpy(result, res, length);
+		res = result;
+	}
+	TerminalNewMode(om);
+	return(res);
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnet/commands.c b/crypto/heimdal/appl/telnet/telnet/commands.c
new file mode 100644
index 0000000..9ddcfd9
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/commands.c
@@ -0,0 +1,2679 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: commands.c,v 1.65 2001/02/20 03:12:09 assar Exp $");
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+int tos = -1;
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+
+char	*hostname;
+static char _hostname[MaxHostNameLen];
+
+typedef int (*intrtn_t)(int, char**);
+static int call(intrtn_t, ...);
+
+typedef struct {
+	char	*name;		/* command name */
+	char	*help;		/* help string (NULL for no help) */
+	int	(*handler)();	/* routine which executes command */
+	int	needconnect;	/* Do we need to be connected to execute? */
+} Command;
+
+static char line[256];
+static char saveline[256];
+static int margc;
+static char *margv[20];
+
+static void
+makeargv()
+{
+    char *cp, *cp2, c;
+    char **argp = margv;
+
+    margc = 0;
+    cp = line;
+    if (*cp == '!') {		/* Special case shell escape */
+	/* save for shell command */
+	strlcpy(saveline, line, sizeof(saveline));
+	*argp++ = "!";		/* No room in string to get this */
+	margc++;
+	cp++;
+    }
+    while ((c = *cp)) {
+	int inquote = 0;
+	while (isspace(c))
+	    c = *++cp;
+	if (c == '\0')
+	    break;
+	*argp++ = cp;
+	margc += 1;
+	for (cp2 = cp; c != '\0'; c = *++cp) {
+	    if (inquote) {
+		if (c == inquote) {
+		    inquote = 0;
+		    continue;
+		}
+	    } else {
+		if (c == '\\') {
+		    if ((c = *++cp) == '\0')
+			break;
+		} else if (c == '"') {
+		    inquote = '"';
+		    continue;
+		} else if (c == '\'') {
+		    inquote = '\'';
+		    continue;
+		} else if (isspace(c))
+		    break;
+	    }
+	    *cp2++ = c;
+	}
+	*cp2 = '\0';
+	if (c == '\0')
+	    break;
+	cp++;
+    }
+    *argp++ = 0;
+}
+
+/*
+ * Make a character string into a number.
+ *
+ * Todo:  1.  Could take random integers (12, 0x12, 012, 0b1).
+ */
+
+static char
+special(char *s)
+{
+	char c;
+	char b;
+
+	switch (*s) {
+	case '^':
+		b = *++s;
+		if (b == '?') {
+		    c = b | 0x40;		/* DEL */
+		} else {
+		    c = b & 0x1f;
+		}
+		break;
+	default:
+		c = *s;
+		break;
+	}
+	return c;
+}
+
+/*
+ * Construct a control character sequence
+ * for a special character.
+ */
+static char *
+control(cc_t c)
+{
+	static char buf[5];
+	/*
+	 * The only way I could get the Sun 3.5 compiler
+	 * to shut up about
+	 *	if ((unsigned int)c >= 0x80)
+	 * was to assign "c" to an unsigned int variable...
+	 * Arggg....
+	 */
+	unsigned int uic = (unsigned int)c;
+
+	if (uic == 0x7f)
+		return ("^?");
+	if (c == (cc_t)_POSIX_VDISABLE) {
+		return "off";
+	}
+	if (uic >= 0x80) {
+		buf[0] = '\\';
+		buf[1] = ((c>>6)&07) + '0';
+		buf[2] = ((c>>3)&07) + '0';
+		buf[3] = (c&07) + '0';
+		buf[4] = 0;
+	} else if (uic >= 0x20) {
+		buf[0] = c;
+		buf[1] = 0;
+	} else {
+		buf[0] = '^';
+		buf[1] = '@'+c;
+		buf[2] = 0;
+	}
+	return (buf);
+}
+
+
+
+/*
+ *	The following are data structures and routines for
+ *	the "send" command.
+ *
+ */
+
+struct sendlist {
+    char	*name;		/* How user refers to it (case independent) */
+    char	*help;		/* Help information (0 ==> no help) */
+    int		needconnect;	/* Need to be connected */
+    int		narg;		/* Number of arguments */
+    int		(*handler)();	/* Routine to perform (for special ops) */
+    int		nbyte;		/* Number of bytes to send this command */
+    int		what;		/* Character to be sent (<0 ==> special) */
+};
+
+
+static int
+	send_esc (void),
+	send_help (void),
+	send_docmd (char *),
+	send_dontcmd (char *),
+	send_willcmd (char *),
+	send_wontcmd (char *);
+
+static struct sendlist Sendlist[] = {
+    { "ao",	"Send Telnet Abort output",		1, 0, 0, 2, AO },
+    { "ayt",	"Send Telnet 'Are You There'",		1, 0, 0, 2, AYT },
+    { "brk",	"Send Telnet Break",			1, 0, 0, 2, BREAK },
+    { "break",	0,					1, 0, 0, 2, BREAK },
+    { "ec",	"Send Telnet Erase Character",		1, 0, 0, 2, EC },
+    { "el",	"Send Telnet Erase Line",		1, 0, 0, 2, EL },
+    { "escape",	"Send current escape character",	1, 0, send_esc, 1, 0 },
+    { "ga",	"Send Telnet 'Go Ahead' sequence",	1, 0, 0, 2, GA },
+    { "ip",	"Send Telnet Interrupt Process",	1, 0, 0, 2, IP },
+    { "intp",	0,					1, 0, 0, 2, IP },
+    { "interrupt", 0,					1, 0, 0, 2, IP },
+    { "intr",	0,					1, 0, 0, 2, IP },
+    { "nop",	"Send Telnet 'No operation'",		1, 0, 0, 2, NOP },
+    { "eor",	"Send Telnet 'End of Record'",		1, 0, 0, 2, EOR },
+    { "abort",	"Send Telnet 'Abort Process'",		1, 0, 0, 2, ABORT },
+    { "susp",	"Send Telnet 'Suspend Process'",	1, 0, 0, 2, SUSP },
+    { "eof",	"Send Telnet End of File Character",	1, 0, 0, 2, xEOF },
+    { "synch",	"Perform Telnet 'Synch operation'",	1, 0, dosynch, 2, 0 },
+    { "getstatus", "Send request for STATUS",		1, 0, get_status, 6, 0 },
+    { "?",	"Display send options",			0, 0, send_help, 0, 0 },
+    { "help",	0,					0, 0, send_help, 0, 0 },
+    { "do",	0,					0, 1, send_docmd, 3, 0 },
+    { "dont",	0,					0, 1, send_dontcmd, 3, 0 },
+    { "will",	0,					0, 1, send_willcmd, 3, 0 },
+    { "wont",	0,					0, 1, send_wontcmd, 3, 0 },
+    { 0 }
+};
+
+#define	GETSEND(name) ((struct sendlist *) genget(name, (char **) Sendlist, \
+				sizeof(struct sendlist)))
+
+static int
+sendcmd(int argc, char **argv)
+{
+    int count;		/* how many bytes we are going to need to send */
+    int i;
+    struct sendlist *s;	/* pointer to current command */
+    int success = 0;
+    int needconnect = 0;
+
+    if (argc < 2) {
+	printf("need at least one argument for 'send' command\r\n");
+	printf("'send ?' for help\r\n");
+	return 0;
+    }
+    /*
+     * First, validate all the send arguments.
+     * In addition, we see how much space we are going to need, and
+     * whether or not we will be doing a "SYNCH" operation (which
+     * flushes the network queue).
+     */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+	s = GETSEND(argv[i]);
+	if (s == 0) {
+	    printf("Unknown send argument '%s'\r\n'send ?' for help.\r\n",
+			argv[i]);
+	    return 0;
+	} else if (Ambiguous(s)) {
+	    printf("Ambiguous send argument '%s'\r\n'send ?' for help.\r\n",
+			argv[i]);
+	    return 0;
+	}
+	if (i + s->narg >= argc) {
+	    fprintf(stderr,
+	    "Need %d argument%s to 'send %s' command.  'send %s ?' for help.\r\n",
+		s->narg, s->narg == 1 ? "" : "s", s->name, s->name);
+	    return 0;
+	}
+	count += s->nbyte;
+	if (s->handler == send_help) {
+	    send_help();
+	    return 0;
+	}
+
+	i += s->narg;
+	needconnect += s->needconnect;
+    }
+    if (!connected && needconnect) {
+	printf("?Need to be connected first.\r\n");
+	printf("'send ?' for help\r\n");
+	return 0;
+    }
+    /* Now, do we have enough room? */
+    if (NETROOM() < count) {
+	printf("There is not enough room in the buffer TO the network\r\n");
+	printf("to process your request.  Nothing will be done.\r\n");
+	printf("('send synch' will throw away most data in the network\r\n");
+	printf("buffer, if this might help.)\r\n");
+	return 0;
+    }
+    /* OK, they are all OK, now go through again and actually send */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+	if ((s = GETSEND(argv[i])) == 0) {
+	    fprintf(stderr, "Telnet 'send' error - argument disappeared!\r\n");
+	    quit();
+	    /*NOTREACHED*/
+	}
+	if (s->handler) {
+	    count++;
+	    success += (*s->handler)((s->narg > 0) ? argv[i+1] : 0,
+				  (s->narg > 1) ? argv[i+2] : 0);
+	    i += s->narg;
+	} else {
+	    NET2ADD(IAC, s->what);
+	    printoption("SENT", IAC, s->what);
+	}
+    }
+    return (count == success);
+}
+
+static int
+send_tncmd(void (*func)(), char *cmd, char *name);
+
+static int
+send_esc()
+{
+    NETADD(escape);
+    return 1;
+}
+
+static int
+send_docmd(char *name)
+{
+    return(send_tncmd(send_do, "do", name));
+}
+
+static int
+send_dontcmd(char *name)
+{
+    return(send_tncmd(send_dont, "dont", name));
+}
+
+static int
+send_willcmd(char *name)
+{
+    return(send_tncmd(send_will, "will", name));
+}
+
+static int
+send_wontcmd(char *name)
+{
+    return(send_tncmd(send_wont, "wont", name));
+}
+
+static int
+send_tncmd(void (*func)(), char *cmd, char *name)
+{
+    char **cpp;
+    extern char *telopts[];
+    int val = 0;
+
+    if (isprefix(name, "help") || isprefix(name, "?")) {
+	int col, len;
+
+	printf("Usage: send %s <value|option>\r\n", cmd);
+	printf("\"value\" must be from 0 to 255\r\n");
+	printf("Valid options are:\r\n\t");
+
+	col = 8;
+	for (cpp = telopts; *cpp; cpp++) {
+	    len = strlen(*cpp) + 3;
+	    if (col + len > 65) {
+		printf("\r\n\t");
+		col = 8;
+	    }
+	    printf(" \"%s\"", *cpp);
+	    col += len;
+	}
+	printf("\r\n");
+	return 0;
+    }
+    cpp = genget(name, telopts, sizeof(char *));
+    if (Ambiguous(cpp)) {
+	fprintf(stderr,"'%s': ambiguous argument ('send %s ?' for help).\r\n",
+					name, cmd);
+	return 0;
+    }
+    if (cpp) {
+	val = cpp - telopts;
+    } else {
+	char *cp = name;
+
+	while (*cp >= '0' && *cp <= '9') {
+	    val *= 10;
+	    val += *cp - '0';
+	    cp++;
+	}
+	if (*cp != 0) {
+	    fprintf(stderr, "'%s': unknown argument ('send %s ?' for help).\r\n",
+					name, cmd);
+	    return 0;
+	} else if (val < 0 || val > 255) {
+	    fprintf(stderr, "'%s': bad value ('send %s ?' for help).\r\n",
+					name, cmd);
+	    return 0;
+	}
+    }
+    if (!connected) {
+	printf("?Need to be connected first.\r\n");
+	return 0;
+    }
+    (*func)(val, 1);
+    return 1;
+}
+
+static int
+send_help()
+{
+    struct sendlist *s;	/* pointer to current command */
+    for (s = Sendlist; s->name; s++) {
+	if (s->help)
+	    printf("%-15s %s\r\n", s->name, s->help);
+    }
+    return(0);
+}
+
+/*
+ * The following are the routines and data structures referred
+ * to by the arguments to the "toggle" command.
+ */
+
+static int
+lclchars()
+{
+    donelclchars = 1;
+    return 1;
+}
+
+static int
+togdebug()
+{
+#ifndef	NOT43
+    if (net > 0 &&
+	(SetSockOpt(net, SOL_SOCKET, SO_DEBUG, debug)) < 0) {
+	    perror("setsockopt (SO_DEBUG)");
+    }
+#else	/* NOT43 */
+    if (debug) {
+	if (net > 0 && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 0, 0) < 0)
+	    perror("setsockopt (SO_DEBUG)");
+    } else
+	printf("Cannot turn off socket debugging\r\n");
+#endif	/* NOT43 */
+    return 1;
+}
+
+#if defined(KRB4) && defined(HAVE_KRB_DISABLE_DEBUG)
+#include <krb.h>
+
+static int
+togkrbdebug(void)
+{
+    if(krb_debug)
+	krb_enable_debug();
+    else
+	krb_disable_debug();
+    return 1;
+}
+#endif
+
+static int
+togcrlf()
+{
+    if (crlf) {
+	printf("Will send carriage returns as telnet <CR><LF>.\r\n");
+    } else {
+	printf("Will send carriage returns as telnet <CR><NUL>.\r\n");
+    }
+    return 1;
+}
+
+int binmode;
+
+static int
+togbinary(int val)
+{
+    donebinarytoggle = 1;
+
+    if (val >= 0) {
+	binmode = val;
+    } else {
+	if (my_want_state_is_will(TELOPT_BINARY) &&
+				my_want_state_is_do(TELOPT_BINARY)) {
+	    binmode = 1;
+	} else if (my_want_state_is_wont(TELOPT_BINARY) &&
+				my_want_state_is_dont(TELOPT_BINARY)) {
+	    binmode = 0;
+	}
+	val = binmode ? 0 : 1;
+    }
+
+    if (val == 1) {
+	if (my_want_state_is_will(TELOPT_BINARY) &&
+					my_want_state_is_do(TELOPT_BINARY)) {
+	    printf("Already operating in binary mode with remote host.\r\n");
+	} else {
+	    printf("Negotiating binary mode with remote host.\r\n");
+	    tel_enter_binary(3);
+	}
+    } else {
+	if (my_want_state_is_wont(TELOPT_BINARY) &&
+					my_want_state_is_dont(TELOPT_BINARY)) {
+	    printf("Already in network ascii mode with remote host.\r\n");
+	} else {
+	    printf("Negotiating network ascii mode with remote host.\r\n");
+	    tel_leave_binary(3);
+	}
+    }
+    return 1;
+}
+
+static int
+togrbinary(int val)
+{
+    donebinarytoggle = 1;
+
+    if (val == -1)
+	val = my_want_state_is_do(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+	if (my_want_state_is_do(TELOPT_BINARY)) {
+	    printf("Already receiving in binary mode.\r\n");
+	} else {
+	    printf("Negotiating binary mode on input.\r\n");
+	    tel_enter_binary(1);
+	}
+    } else {
+	if (my_want_state_is_dont(TELOPT_BINARY)) {
+	    printf("Already receiving in network ascii mode.\r\n");
+	} else {
+	    printf("Negotiating network ascii mode on input.\r\n");
+	    tel_leave_binary(1);
+	}
+    }
+    return 1;
+}
+
+static int
+togxbinary(int val)
+{
+    donebinarytoggle = 1;
+
+    if (val == -1)
+	val = my_want_state_is_will(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+	if (my_want_state_is_will(TELOPT_BINARY)) {
+	    printf("Already transmitting in binary mode.\r\n");
+	} else {
+	    printf("Negotiating binary mode on output.\r\n");
+	    tel_enter_binary(2);
+	}
+    } else {
+	if (my_want_state_is_wont(TELOPT_BINARY)) {
+	    printf("Already transmitting in network ascii mode.\r\n");
+	} else {
+	    printf("Negotiating network ascii mode on output.\r\n");
+	    tel_leave_binary(2);
+	}
+    }
+    return 1;
+}
+
+
+static int togglehelp (void);
+#if	defined(AUTHENTICATION)
+extern int auth_togdebug (int);
+#endif
+#if	defined(ENCRYPTION)
+extern int EncryptAutoEnc (int);
+extern int EncryptAutoDec (int);
+extern int EncryptDebug (int);
+extern int EncryptVerbose (int);
+#endif
+
+struct togglelist {
+    char	*name;		/* name of toggle */
+    char	*help;		/* help message */
+    int		(*handler)();	/* routine to do actual setting */
+    int		*variable;
+    char	*actionexplanation;
+};
+
+static struct togglelist Togglelist[] = {
+    { "autoflush",
+	"flushing of output when sending interrupt characters",
+	    0,
+		&autoflush,
+		    "flush output when sending interrupt characters" },
+    { "autosynch",
+	"automatic sending of interrupt characters in urgent mode",
+	    0,
+		&autosynch,
+		    "send interrupt characters in urgent mode" },
+#if	defined(AUTHENTICATION)
+    { "autologin",
+	"automatic sending of login and/or authentication info",
+	    0,
+		&autologin,
+		    "send login name and/or authentication information" },
+    { "authdebug",
+	"Toggle authentication debugging",
+	    auth_togdebug,
+		0,
+		     "print authentication debugging information" },
+#endif
+#if	defined(ENCRYPTION)
+    { "autoencrypt",
+	"automatic encryption of data stream",
+	    EncryptAutoEnc,
+		0,
+		    "automatically encrypt output" },
+    { "autodecrypt",
+	"automatic decryption of data stream",
+	    EncryptAutoDec,
+		0,
+		    "automatically decrypt input" },
+    { "verbose_encrypt",
+	"Toggle verbose encryption output",
+	    EncryptVerbose,
+		0,
+		    "print verbose encryption output" },
+    { "encdebug",
+	"Toggle encryption debugging",
+	    EncryptDebug,
+		0,
+		    "print encryption debugging information" },
+#endif
+    { "skiprc",
+	"don't read ~/.telnetrc file",
+	    0,
+		&skiprc,
+		    "skip reading of ~/.telnetrc file" },
+    { "binary",
+	"sending and receiving of binary data",
+	    togbinary,
+		0,
+		    0 },
+    { "inbinary",
+	"receiving of binary data",
+	    togrbinary,
+		0,
+		    0 },
+    { "outbinary",
+	"sending of binary data",
+	    togxbinary,
+		0,
+		    0 },
+    { "crlf",
+	"sending carriage returns as telnet <CR><LF>",
+	    togcrlf,
+		&crlf,
+		    0 },
+    { "crmod",
+	"mapping of received carriage returns",
+	    0,
+		&crmod,
+		    "map carriage return on output" },
+    { "localchars",
+	"local recognition of certain control characters",
+	    lclchars,
+		&localchars,
+		    "recognize certain control characters" },
+    { " ", "", 0 },		/* empty line */
+    { "debug",
+	"debugging",
+	    togdebug,
+		&debug,
+		    "turn on socket level debugging" },
+#if defined(KRB4) && defined(HAVE_KRB_DISABLE_DEBUG)
+    { "krb_debug",
+      "kerberos 4 debugging",
+      togkrbdebug,
+      &krb_debug,
+      "turn on kerberos 4 debugging" },
+#endif
+    { "netdata",
+	"printing of hexadecimal network data (debugging)",
+	    0,
+		&netdata,
+		    "print hexadecimal representation of network traffic" },
+    { "prettydump",
+	"output of \"netdata\" to user readable format (debugging)",
+	    0,
+		&prettydump,
+		    "print user readable output for \"netdata\"" },
+    { "options",
+	"viewing of options processing (debugging)",
+	    0,
+		&showoptions,
+		    "show option processing" },
+    { "termdata",
+	"(debugging) toggle printing of hexadecimal terminal data",
+	    0,
+		&termdata,
+		    "print hexadecimal representation of terminal traffic" },
+    { "?",
+	0,
+	    togglehelp },
+    { "help",
+	0,
+	    togglehelp },
+    { 0 }
+};
+
+static int
+togglehelp()
+{
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s toggle %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    printf("\r\n");
+    printf("%-15s %s\r\n", "?", "display help information");
+    return 0;
+}
+
+static void
+settogglehelp(int set)
+{
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s %s\r\n", c->name, set ? "enable" : "disable",
+						c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+}
+
+#define	GETTOGGLE(name) (struct togglelist *) \
+		genget(name, (char **) Togglelist, sizeof(struct togglelist))
+
+static int
+toggle(int argc, char *argv[])
+{
+    int retval = 1;
+    char *name;
+    struct togglelist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'toggle' command.  'toggle ?' for help.\r\n");
+	return 0;
+    }
+    argc--;
+    argv++;
+    while (argc--) {
+	name = *argv++;
+	c = GETTOGGLE(name);
+	if (Ambiguous(c)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('toggle ?' for help).\r\n",
+					name);
+	    return 0;
+	} else if (c == 0) {
+	    fprintf(stderr, "'%s': unknown argument ('toggle ?' for help).\r\n",
+					name);
+	    return 0;
+	} else {
+	    if (c->variable) {
+		*c->variable = !*c->variable;		/* invert it */
+		if (c->actionexplanation) {
+		    printf("%s %s.\r\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+		}
+	    }
+	    if (c->handler) {
+		retval &= (*c->handler)(-1);
+	    }
+	}
+    }
+    return retval;
+}
+
+/*
+ * The following perform the "set" command.
+ */
+
+struct termios new_tc = { 0 };
+
+struct setlist {
+    char *name;				/* name */
+    char *help;				/* help information */
+    void (*handler)();
+    cc_t *charp;			/* where it is located at */
+};
+
+static struct setlist Setlist[] = {
+#ifdef	KLUDGELINEMODE
+    { "echo", 	"character to toggle local echoing on/off", 0, &echoc },
+#endif
+    { "escape",	"character to escape back to telnet command mode", 0, &escape },
+    { "rlogin", "rlogin escape character", 0, &rlogin },
+    { "tracefile", "file to write trace information to", SetNetTrace, (cc_t *)NetTraceFile},
+    { " ", "" },
+    { " ", "The following need 'localchars' to be toggled true", 0, 0 },
+    { "flushoutput", "character to cause an Abort Output", 0, &termFlushChar },
+    { "interrupt", "character to cause an Interrupt Process", 0, &termIntChar },
+    { "quit",	"character to cause an Abort process", 0, &termQuitChar },
+    { "eof",	"character to cause an EOF ", 0, &termEofChar },
+    { " ", "" },
+    { " ", "The following are for local editing in linemode", 0, 0 },
+    { "erase",	"character to use to erase a character", 0, &termEraseChar },
+    { "kill",	"character to use to erase a line", 0, &termKillChar },
+    { "lnext",	"character to use for literal next", 0, &termLiteralNextChar },
+    { "susp",	"character to cause a Suspend Process", 0, &termSuspChar },
+    { "reprint", "character to use for line reprint", 0, &termRprntChar },
+    { "worderase", "character to use to erase a word", 0, &termWerasChar },
+    { "start",	"character to use for XON", 0, &termStartChar },
+    { "stop",	"character to use for XOFF", 0, &termStopChar },
+    { "forw1",	"alternate end of line character", 0, &termForw1Char },
+    { "forw2",	"alternate end of line character", 0, &termForw2Char },
+    { "ayt",	"alternate AYT character", 0, &termAytChar },
+    { 0 }
+};
+
+static struct setlist *
+getset(char *name)
+{
+    return (struct setlist *)
+		genget(name, (char **) Setlist, sizeof(struct setlist));
+}
+
+void
+set_escape_char(char *s)
+{
+	if (rlogin != _POSIX_VDISABLE) {
+		rlogin = (s && *s) ? special(s) : _POSIX_VDISABLE;
+		printf("Telnet rlogin escape character is '%s'.\r\n",
+					control(rlogin));
+	} else {
+		escape = (s && *s) ? special(s) : _POSIX_VDISABLE;
+		printf("Telnet escape character is '%s'.\r\n", control(escape));
+	}
+}
+
+static int
+setcmd(int argc, char *argv[])
+{
+    int value;
+    struct setlist *ct;
+    struct togglelist *c;
+
+    if (argc < 2 || argc > 3) {
+	printf("Format is 'set Name Value'\r\n'set ?' for help.\r\n");
+	return 0;
+    }
+    if ((argc == 2) && (isprefix(argv[1], "?") || isprefix(argv[1], "help"))) {
+	for (ct = Setlist; ct->name; ct++)
+	    printf("%-15s %s\r\n", ct->name, ct->help);
+	printf("\r\n");
+	settogglehelp(1);
+	printf("%-15s %s\r\n", "?", "display help information");
+	return 0;
+    }
+
+    ct = getset(argv[1]);
+    if (ct == 0) {
+	c = GETTOGGLE(argv[1]);
+	if (c == 0) {
+	    fprintf(stderr, "'%s': unknown argument ('set ?' for help).\r\n",
+			argv[1]);
+	    return 0;
+	} else if (Ambiguous(c)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\r\n",
+			argv[1]);
+	    return 0;
+	}
+	if (c->variable) {
+	    if ((argc == 2) || (strcmp("on", argv[2]) == 0))
+		*c->variable = 1;
+	    else if (strcmp("off", argv[2]) == 0)
+		*c->variable = 0;
+	    else {
+		printf("Format is 'set togglename [on|off]'\r\n'set ?' for help.\r\n");
+		return 0;
+	    }
+	    if (c->actionexplanation) {
+		printf("%s %s.\r\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+	    }
+	}
+	if (c->handler)
+	    (*c->handler)(1);
+    } else if (argc != 3) {
+	printf("Format is 'set Name Value'\r\n'set ?' for help.\r\n");
+	return 0;
+    } else if (Ambiguous(ct)) {
+	fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\r\n",
+			argv[1]);
+	return 0;
+    } else if (ct->handler) {
+	(*ct->handler)(argv[2]);
+	printf("%s set to \"%s\".\r\n", ct->name, (char *)ct->charp);
+    } else {
+	if (strcmp("off", argv[2])) {
+	    value = special(argv[2]);
+	} else {
+	    value = _POSIX_VDISABLE;
+	}
+	*(ct->charp) = (cc_t)value;
+	printf("%s character is '%s'.\r\n", ct->name, control(*(ct->charp)));
+    }
+    slc_check();
+    return 1;
+}
+
+static int
+unsetcmd(int argc, char *argv[])
+{
+    struct setlist *ct;
+    struct togglelist *c;
+    char *name;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'unset' command.  'unset ?' for help.\r\n");
+	return 0;
+    }
+    if (isprefix(argv[1], "?") || isprefix(argv[1], "help")) {
+	for (ct = Setlist; ct->name; ct++)
+	    printf("%-15s %s\r\n", ct->name, ct->help);
+	printf("\r\n");
+	settogglehelp(0);
+	printf("%-15s %s\r\n", "?", "display help information");
+	return 0;
+    }
+
+    argc--;
+    argv++;
+    while (argc--) {
+	name = *argv++;
+	ct = getset(name);
+	if (ct == 0) {
+	    c = GETTOGGLE(name);
+	    if (c == 0) {
+		fprintf(stderr, "'%s': unknown argument ('unset ?' for help).\r\n",
+			name);
+		return 0;
+	    } else if (Ambiguous(c)) {
+		fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\r\n",
+			name);
+		return 0;
+	    }
+	    if (c->variable) {
+		*c->variable = 0;
+		if (c->actionexplanation) {
+		    printf("%s %s.\r\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+		}
+	    }
+	    if (c->handler)
+		(*c->handler)(0);
+	} else if (Ambiguous(ct)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\r\n",
+			name);
+	    return 0;
+	} else if (ct->handler) {
+	    (*ct->handler)(0);
+	    printf("%s reset to \"%s\".\r\n", ct->name, (char *)ct->charp);
+	} else {
+	    *(ct->charp) = _POSIX_VDISABLE;
+	    printf("%s character is '%s'.\r\n", ct->name, control(*(ct->charp)));
+	}
+    }
+    return 1;
+}
+
+/*
+ * The following are the data structures and routines for the
+ * 'mode' command.
+ */
+#ifdef	KLUDGELINEMODE
+
+static int
+dokludgemode(void)
+{
+    kludgelinemode = 1;
+    send_wont(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_SGA, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+#endif
+
+static int
+dolinemode()
+{
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode)
+	send_dont(TELOPT_SGA, 1);
+#endif
+    send_will(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+
+static int
+docharmode()
+{
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode)
+	send_do(TELOPT_SGA, 1);
+    else
+#endif
+    send_wont(TELOPT_LINEMODE, 1);
+    send_do(TELOPT_ECHO, 1);
+    return 1;
+}
+
+static int
+dolmmode(int bit, int on)
+{
+    unsigned char c;
+
+    if (my_want_state_is_wont(TELOPT_LINEMODE)) {
+	printf("?Need to have LINEMODE option enabled first.\r\n");
+	printf("'mode ?' for help.\r\n");
+ 	return 0;
+    }
+
+    if (on)
+	c = (linemode | bit);
+    else
+	c = (linemode & ~bit);
+    lm_mode(&c, 1, 1);
+    return 1;
+}
+
+static int
+tn_setmode(int bit)
+{
+    return dolmmode(bit, 1);
+}
+
+static int
+tn_clearmode(int bit)
+{
+    return dolmmode(bit, 0);
+}
+
+struct modelist {
+	char	*name;		/* command name */
+	char	*help;		/* help string */
+	int	(*handler)();	/* routine which executes command */
+	int	needconnect;	/* Do we need to be connected to execute? */
+	int	arg1;
+};
+
+static int modehelp(void);
+
+static struct modelist ModeList[] = {
+    { "character", "Disable LINEMODE option",	docharmode, 1 },
+#ifdef	KLUDGELINEMODE
+    { "",	"(or disable obsolete line-by-line mode)", 0 },
+#endif
+    { "line",	"Enable LINEMODE option",	dolinemode, 1 },
+#ifdef	KLUDGELINEMODE
+    { "",	"(or enable obsolete line-by-line mode)", 0 },
+#endif
+    { "", "", 0 },
+    { "",	"These require the LINEMODE option to be enabled", 0 },
+    { "isig",	"Enable signal trapping",	tn_setmode, 1, MODE_TRAPSIG },
+    { "+isig",	0,				tn_setmode, 1, MODE_TRAPSIG },
+    { "-isig",	"Disable signal trapping",	tn_clearmode, 1, MODE_TRAPSIG },
+    { "edit",	"Enable character editing",	tn_setmode, 1, MODE_EDIT },
+    { "+edit",	0,				tn_setmode, 1, MODE_EDIT },
+    { "-edit",	"Disable character editing",	tn_clearmode, 1, MODE_EDIT },
+    { "softtabs", "Enable tab expansion",	tn_setmode, 1, MODE_SOFT_TAB },
+    { "+softtabs", 0,				tn_setmode, 1, MODE_SOFT_TAB },
+    { "-softtabs", "Disable character editing",	tn_clearmode, 1, MODE_SOFT_TAB },
+    { "litecho", "Enable literal character echo", tn_setmode, 1, MODE_LIT_ECHO },
+    { "+litecho", 0,				tn_setmode, 1, MODE_LIT_ECHO },
+    { "-litecho", "Disable literal character echo", tn_clearmode, 1, MODE_LIT_ECHO },
+    { "help",	0,				modehelp, 0 },
+#ifdef	KLUDGELINEMODE
+    { "kludgeline", 0,				dokludgemode, 1 },
+#endif
+    { "", "", 0 },
+    { "?",	"Print help information",	modehelp, 0 },
+    { 0 },
+};
+
+
+static int
+modehelp(void)
+{
+    struct modelist *mt;
+
+    printf("format is:  'mode Mode', where 'Mode' is one of:\r\n\r\n");
+    for (mt = ModeList; mt->name; mt++) {
+	if (mt->help) {
+	    if (*mt->help)
+		printf("%-15s %s\r\n", mt->name, mt->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    return 0;
+}
+
+#define	GETMODECMD(name) (struct modelist *) \
+		genget(name, (char **) ModeList, sizeof(struct modelist))
+
+static int
+modecmd(int argc, char **argv)
+{
+    struct modelist *mt;
+
+    if (argc != 2) {
+	printf("'mode' command requires an argument\r\n");
+	printf("'mode ?' for help.\r\n");
+    } else if ((mt = GETMODECMD(argv[1])) == 0) {
+	fprintf(stderr, "Unknown mode '%s' ('mode ?' for help).\r\n", argv[1]);
+    } else if (Ambiguous(mt)) {
+	fprintf(stderr, "Ambiguous mode '%s' ('mode ?' for help).\r\n", argv[1]);
+    } else if (mt->needconnect && !connected) {
+	printf("?Need to be connected first.\r\n");
+	printf("'mode ?' for help.\r\n");
+    } else if (mt->handler) {
+	return (*mt->handler)(mt->arg1);
+    }
+    return 0;
+}
+
+/*
+ * The following data structures and routines implement the
+ * "display" command.
+ */
+
+static int
+display(int argc, char *argv[])
+{
+    struct togglelist *tl;
+    struct setlist *sl;
+
+#define	dotog(tl)	if (tl->variable && tl->actionexplanation) { \
+			    if (*tl->variable) { \
+				printf("will"); \
+			    } else { \
+				printf("won't"); \
+			    } \
+			    printf(" %s.\r\n", tl->actionexplanation); \
+			}
+
+#define	doset(sl)   if (sl->name && *sl->name != ' ') { \
+			if (sl->handler == 0) \
+			    printf("%-15s [%s]\r\n", sl->name, control(*sl->charp)); \
+			else \
+			    printf("%-15s \"%s\"\r\n", sl->name, (char *)sl->charp); \
+		    }
+
+    if (argc == 1) {
+	for (tl = Togglelist; tl->name; tl++) {
+	    dotog(tl);
+	}
+	printf("\r\n");
+	for (sl = Setlist; sl->name; sl++) {
+	    doset(sl);
+	}
+    } else {
+	int i;
+
+	for (i = 1; i < argc; i++) {
+	    sl = getset(argv[i]);
+	    tl = GETTOGGLE(argv[i]);
+	    if (Ambiguous(sl) || Ambiguous(tl)) {
+		printf("?Ambiguous argument '%s'.\r\n", argv[i]);
+		return 0;
+	    } else if (!sl && !tl) {
+		printf("?Unknown argument '%s'.\r\n", argv[i]);
+		return 0;
+	    } else {
+		if (tl) {
+		    dotog(tl);
+		}
+		if (sl) {
+		    doset(sl);
+		}
+	    }
+	}
+    }
+/*@*/optionstatus();
+#if	defined(ENCRYPTION)
+    EncryptStatus();
+#endif
+    return 1;
+#undef	doset
+#undef	dotog
+}
+
+/*
+ * The following are the data structures, and many of the routines,
+ * relating to command processing.
+ */
+
+/*
+ * Set the escape character.
+ */
+static int
+setescape(int argc, char *argv[])
+{
+	char *arg;
+	char buf[50];
+
+	printf(
+	    "Deprecated usage - please use 'set escape%s%s' in the future.\r\n",
+				(argc > 2)? " ":"", (argc > 2)? argv[1]: "");
+	if (argc > 2)
+		arg = argv[1];
+	else {
+		printf("new escape character: ");
+		fgets(buf, sizeof(buf), stdin);
+		arg = buf;
+	}
+	if (arg[0] != '\0')
+		escape = arg[0];
+	printf("Escape character is '%s'.\r\n", control(escape));
+
+	fflush(stdout);
+	return 1;
+}
+
+static int
+togcrmod()
+{
+    crmod = !crmod;
+    printf("Deprecated usage - please use 'toggle crmod' in the future.\r\n");
+    printf("%s map carriage return on output.\r\n", crmod ? "Will" : "Won't");
+    fflush(stdout);
+    return 1;
+}
+
+static int
+telnetsuspend()
+{
+#ifdef	SIGTSTP
+    setcommandmode();
+    {
+	long oldrows, oldcols, newrows, newcols, err;
+
+	err = (TerminalWindowSize(&oldrows, &oldcols) == 0) ? 1 : 0;
+	kill(0, SIGTSTP);
+	/*
+	 * If we didn't get the window size before the SUSPEND, but we
+	 * can get them now (?), then send the NAWS to make sure that
+	 * we are set up for the right window size.
+	 */
+	if (TerminalWindowSize(&newrows, &newcols) && connected &&
+	    (err || ((oldrows != newrows) || (oldcols != newcols)))) {
+		sendnaws();
+	}
+    }
+    /* reget parameters in case they were changed */
+    TerminalSaveState();
+    setconnmode(0);
+#else
+    printf("Suspend is not supported.  Try the '!' command instead\r\n");
+#endif
+    return 1;
+}
+
+static int
+shell(int argc, char **argv)
+{
+    long oldrows, oldcols, newrows, newcols, err;
+
+    setcommandmode();
+
+    err = (TerminalWindowSize(&oldrows, &oldcols) == 0) ? 1 : 0;
+    switch(fork()) {
+    case -1:
+	perror("Fork failed\r\n");
+	break;
+
+    case 0:
+	{
+	    /*
+	     * Fire up the shell in the child.
+	     */
+	    char *shellp, *shellname;
+
+	    shellp = getenv("SHELL");
+	    if (shellp == NULL)
+		shellp = "/bin/sh";
+	    if ((shellname = strrchr(shellp, '/')) == 0)
+		shellname = shellp;
+	    else
+		shellname++;
+	    if (argc > 1)
+		execl(shellp, shellname, "-c", &saveline[1], 0);
+	    else
+		execl(shellp, shellname, 0);
+	    perror("Execl");
+	    _exit(1);
+	}
+    default:
+	    wait((int *)0);	/* Wait for the shell to complete */
+
+	    if (TerminalWindowSize(&newrows, &newcols) && connected &&
+		(err || ((oldrows != newrows) || (oldcols != newcols)))) {
+		    sendnaws();
+	    }
+	    break;
+    }
+    return 1;
+}
+
+static int
+bye(int argc, char **argv)
+{
+    if (connected) {
+	shutdown(net, 2);
+	printf("Connection closed.\r\n");
+	NetClose(net);
+	connected = 0;
+	resettermname = 1;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	auth_encrypt_connect(connected);
+#endif
+	/* reset options */
+	tninit();
+    }
+    if ((argc != 2) || (strcmp(argv[1], "fromquit") != 0)) 
+	longjmp(toplevel, 1);
+    return 0;	/* NOTREACHED */
+}
+
+int
+quit(void)
+{
+	call(bye, "bye", "fromquit", 0);
+	Exit(0);
+	return 0; /*NOTREACHED*/
+}
+
+static int
+logout()
+{
+	send_do(TELOPT_LOGOUT, 1);
+	netflush();
+	return 1;
+}
+
+
+/*
+ * The SLC command.
+ */
+
+struct slclist {
+	char	*name;
+	char	*help;
+	void	(*handler)();
+	int	arg;
+};
+
+static void slc_help(void);
+
+struct slclist SlcList[] = {
+    { "export",	"Use local special character definitions",
+						slc_mode_export,	0 },
+    { "import",	"Use remote special character definitions",
+						slc_mode_import,	1 },
+    { "check",	"Verify remote special character definitions",
+						slc_mode_import,	0 },
+    { "help",	0,				slc_help,		0 },
+    { "?",	"Print help information",	slc_help,		0 },
+    { 0 },
+};
+
+static void
+slc_help(void)
+{
+    struct slclist *c;
+
+    for (c = SlcList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+}
+
+static struct slclist *
+getslc(char *name)
+{
+    return (struct slclist *)
+		genget(name, (char **) SlcList, sizeof(struct slclist));
+}
+
+static int
+slccmd(int argc, char **argv)
+{
+    struct slclist *c;
+
+    if (argc != 2) {
+	fprintf(stderr,
+	    "Need an argument to 'slc' command.  'slc ?' for help.\r\n");
+	return 0;
+    }
+    c = getslc(argv[1]);
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('slc ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('slc ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    (*c->handler)(c->arg);
+    slcstate();
+    return 1;
+}
+
+/*
+ * The ENVIRON command.
+ */
+
+struct envlist {
+	char	*name;
+	char	*help;
+	void	(*handler)();
+	int	narg;
+};
+
+static void env_help (void);
+
+struct envlist EnvList[] = {
+    { "define",	"Define an environment variable",
+						(void (*)())env_define,	2 },
+    { "undefine", "Undefine an environment variable",
+						env_undefine,	1 },
+    { "export",	"Mark an environment variable for automatic export",
+						env_export,	1 },
+    { "unexport", "Don't mark an environment variable for automatic export",
+						env_unexport,	1 },
+    { "send",	"Send an environment variable", env_send,	1 },
+    { "list",	"List the current environment variables",
+						env_list,	0 },
+    { "help",	0,				env_help,		0 },
+    { "?",	"Print help information",	env_help,		0 },
+    { 0 },
+};
+
+static void
+env_help()
+{
+    struct envlist *c;
+
+    for (c = EnvList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+}
+
+static struct envlist *
+getenvcmd(char *name)
+{
+    return (struct envlist *)
+		genget(name, (char **) EnvList, sizeof(struct envlist));
+}
+
+static int
+env_cmd(int argc, char **argv)
+{
+    struct envlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'environ' command.  'environ ?' for help.\r\n");
+	return 0;
+    }
+    c = getenvcmd(argv[1]);
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('environ ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('environ ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (c->narg + 2 != argc) {
+	fprintf(stderr,
+	    "Need %s%d argument%s to 'environ %s' command.  'environ ?' for help.\r\n",
+		c->narg < argc + 2 ? "only " : "",
+		c->narg, c->narg == 1 ? "" : "s", c->name);
+	return 0;
+    }
+    (*c->handler)(argv[2], argv[3]);
+    return 1;
+}
+
+struct env_lst {
+	struct env_lst *next;	/* pointer to next structure */
+	struct env_lst *prev;	/* pointer to previous structure */
+	unsigned char *var;	/* pointer to variable name */
+	unsigned char *value;	/* pointer to variable value */
+	int export;		/* 1 -> export with default list of variables */
+	int welldefined;	/* A well defined variable */
+};
+
+struct env_lst envlisthead;
+
+struct env_lst *
+env_find(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	for (ep = envlisthead.next; ep; ep = ep->next) {
+		if (strcmp((char *)ep->var, (char *)var) == 0)
+			return(ep);
+	}
+	return(NULL);
+}
+
+#if IRIX == 4
+#define environ _environ
+#endif
+
+void
+env_init(void)
+{
+	char **epp, *cp;
+	struct env_lst *ep;
+
+	for (epp = environ; *epp; epp++) {
+		if ((cp = strchr(*epp, '='))) {
+			*cp = '\0';
+			ep = env_define((unsigned char *)*epp,
+					(unsigned char *)cp+1);
+			ep->export = 0;
+			*cp = '=';
+		}
+	}
+	/*
+	 * Special case for DISPLAY variable.  If it is ":0.0" or
+	 * "unix:0.0", we have to get rid of "unix" and insert our
+	 * hostname.
+	 */
+	if ((ep = env_find("DISPLAY"))
+	    && (*ep->value == ':'
+	    || strncmp((char *)ep->value, "unix:", 5) == 0)) {
+		char hbuf[256+1];
+		char *cp2 = strchr((char *)ep->value, ':');
+
+		/* XXX - should be k_gethostname? */
+		gethostname(hbuf, 256);
+		hbuf[256] = '\0';
+
+		/* If this is not the full name, try to get it via DNS */
+		if (strchr(hbuf, '.') == 0) {
+			struct addrinfo hints, *ai, *a;
+			int error;
+
+			memset (&hints, 0, sizeof(hints));
+			hints.ai_flags = AI_CANONNAME;
+
+			error = getaddrinfo (hbuf, NULL, &hints, &ai);
+			if (error == 0) {
+				for (a = ai; a != NULL; a = a->ai_next)
+					if (a->ai_canonname != NULL) {
+						strlcpy (hbuf,
+							 ai->ai_canonname,
+							 256);
+						break;
+					}
+				freeaddrinfo (ai);
+			}
+		}
+
+		asprintf (&cp, "%s%s", hbuf, cp2);
+		free (ep->value);
+		ep->value = (unsigned char *)cp;
+	}
+	/*
+	 * If USER is not defined, but LOGNAME is, then add
+	 * USER with the value from LOGNAME.  By default, we
+	 * don't export the USER variable.
+	 */
+	if ((env_find("USER") == NULL) && (ep = env_find("LOGNAME"))) {
+		env_define((unsigned char *)"USER", ep->value);
+		env_unexport((unsigned char *)"USER");
+	}
+	env_export((unsigned char *)"DISPLAY");
+	env_export((unsigned char *)"PRINTER");
+	env_export((unsigned char *)"XAUTHORITY");
+}
+
+struct env_lst *
+env_define(unsigned char *var, unsigned char *value)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var))) {
+		if (ep->var)
+			free(ep->var);
+		if (ep->value)
+			free(ep->value);
+	} else {
+		ep = (struct env_lst *)malloc(sizeof(struct env_lst));
+		ep->next = envlisthead.next;
+		envlisthead.next = ep;
+		ep->prev = &envlisthead;
+		if (ep->next)
+			ep->next->prev = ep;
+	}
+	ep->welldefined = opt_welldefined((char *)var);
+	ep->export = 1;
+	ep->var = (unsigned char *)strdup((char *)var);
+	ep->value = (unsigned char *)strdup((char *)value);
+	return(ep);
+}
+
+void
+env_undefine(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var))) {
+		ep->prev->next = ep->next;
+		if (ep->next)
+			ep->next->prev = ep->prev;
+		if (ep->var)
+			free(ep->var);
+		if (ep->value)
+			free(ep->value);
+		free(ep);
+	}
+}
+
+void
+env_export(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		ep->export = 1;
+}
+
+void
+env_unexport(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		ep->export = 0;
+}
+
+void
+env_send(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if (my_state_is_wont(TELOPT_NEW_ENVIRON)
+#ifdef	OLD_ENVIRON
+	    && my_state_is_wont(TELOPT_OLD_ENVIRON)
+#endif
+		) {
+		fprintf(stderr,
+		    "Cannot send '%s': Telnet ENVIRON option not enabled\r\n",
+									var);
+		return;
+	}
+	ep = env_find(var);
+	if (ep == 0) {
+		fprintf(stderr, "Cannot send '%s': variable not defined\r\n",
+									var);
+		return;
+	}
+	env_opt_start_info();
+	env_opt_add(ep->var);
+	env_opt_end(0);
+}
+
+void
+env_list(void)
+{
+	struct env_lst *ep;
+
+	for (ep = envlisthead.next; ep; ep = ep->next) {
+		printf("%c %-20s %s\r\n", ep->export ? '*' : ' ',
+					ep->var, ep->value);
+	}
+}
+
+unsigned char *
+env_default(int init, int welldefined)
+{
+	static struct env_lst *nep = NULL;
+
+	if (init) {
+		nep = &envlisthead;
+		return NULL;
+	}
+	if (nep) {
+		while ((nep = nep->next)) {
+			if (nep->export && (nep->welldefined == welldefined))
+				return(nep->var);
+		}
+	}
+	return(NULL);
+}
+
+unsigned char *
+env_getvalue(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		return(ep->value);
+	return(NULL);
+}
+
+
+#if	defined(AUTHENTICATION)
+/*
+ * The AUTHENTICATE command.
+ */
+
+struct authlist {
+	char	*name;
+	char	*help;
+	int	(*handler)();
+	int	narg;
+};
+
+static int
+	auth_help (void);
+
+struct authlist AuthList[] = {
+    { "status",	"Display current status of authentication information",
+						auth_status,	0 },
+    { "disable", "Disable an authentication type ('auth disable ?' for more)",
+						auth_disable,	1 },
+    { "enable", "Enable an authentication type ('auth enable ?' for more)",
+						auth_enable,	1 },
+    { "help",	0,				auth_help,		0 },
+    { "?",	"Print help information",	auth_help,		0 },
+    { 0 },
+};
+
+static int
+auth_help()
+{
+    struct authlist *c;
+
+    for (c = AuthList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    return 0;
+}
+
+static int
+auth_cmd(int argc, char **argv)
+{
+    struct authlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'auth' command.  'auth ?' for help.\r\n");
+	return 0;
+    }
+
+    c = (struct authlist *)
+		genget(argv[1], (char **) AuthList, sizeof(struct authlist));
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('auth ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('auth ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (c->narg + 2 != argc) {
+	fprintf(stderr,
+	    "Need %s%d argument%s to 'auth %s' command.  'auth ?' for help.\r\n",
+		c->narg < argc + 2 ? "only " : "",
+		c->narg, c->narg == 1 ? "" : "s", c->name);
+	return 0;
+    }
+    return((*c->handler)(argv[2], argv[3]));
+}
+#endif
+
+
+#if	defined(ENCRYPTION)
+/*
+ * The ENCRYPT command.
+ */
+
+struct encryptlist {
+	char	*name;
+	char	*help;
+	int	(*handler)();
+	int	needconnect;
+	int	minarg;
+	int	maxarg;
+};
+
+static int
+	EncryptHelp (void);
+
+struct encryptlist EncryptList[] = {
+    { "enable", "Enable encryption. ('encrypt enable ?' for more)",
+						EncryptEnable, 1, 1, 2 },
+    { "disable", "Disable encryption. ('encrypt enable ?' for more)",
+						EncryptDisable, 0, 1, 2 },
+    { "type", "Set encryptiong type. ('encrypt type ?' for more)",
+						EncryptType, 0, 1, 1 },
+    { "start", "Start encryption. ('encrypt start ?' for more)",
+						EncryptStart, 1, 0, 1 },
+    { "stop", "Stop encryption. ('encrypt stop ?' for more)",
+						EncryptStop, 1, 0, 1 },
+    { "input", "Start encrypting the input stream",
+						EncryptStartInput, 1, 0, 0 },
+    { "-input", "Stop encrypting the input stream",
+						EncryptStopInput, 1, 0, 0 },
+    { "output", "Start encrypting the output stream",
+						EncryptStartOutput, 1, 0, 0 },
+    { "-output", "Stop encrypting the output stream",
+						EncryptStopOutput, 1, 0, 0 },
+
+    { "status",	"Display current status of authentication information",
+						EncryptStatus,	0, 0, 0 },
+    { "help",	0,				EncryptHelp,	0, 0, 0 },
+    { "?",	"Print help information",	EncryptHelp,	0, 0, 0 },
+    { 0 },
+};
+
+static int
+EncryptHelp()
+{
+    struct encryptlist *c;
+
+    for (c = EncryptList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    return 0;
+}
+
+static int
+encrypt_cmd(int argc, char **argv)
+{
+    struct encryptlist *c;
+
+    c = (struct encryptlist *)
+		genget(argv[1], (char **) EncryptList, sizeof(struct encryptlist));
+    if (c == 0) {
+        fprintf(stderr, "'%s': unknown argument ('encrypt ?' for help).\r\n",
+    				argv[1]);
+        return 0;
+    }
+    if (Ambiguous(c)) {
+        fprintf(stderr, "'%s': ambiguous argument ('encrypt ?' for help).\r\n",
+    				argv[1]);
+        return 0;
+    }
+    argc -= 2;
+    if (argc < c->minarg || argc > c->maxarg) {
+	if (c->minarg == c->maxarg) {
+	    fprintf(stderr, "Need %s%d argument%s ",
+		c->minarg < argc ? "only " : "", c->minarg,
+		c->minarg == 1 ? "" : "s");
+	} else {
+	    fprintf(stderr, "Need %s%d-%d arguments ",
+		c->maxarg < argc ? "only " : "", c->minarg, c->maxarg);
+	}
+	fprintf(stderr, "to 'encrypt %s' command.  'encrypt ?' for help.\r\n",
+		c->name);
+	return 0;
+    }
+    if (c->needconnect && !connected) {
+	if (!(argc && (isprefix(argv[2], "help") || isprefix(argv[2], "?")))) {
+	    printf("?Need to be connected first.\r\n");
+	    return 0;
+	}
+    }
+    return ((*c->handler)(argc > 0 ? argv[2] : 0,
+			argc > 1 ? argv[3] : 0,
+			argc > 2 ? argv[4] : 0));
+}
+#endif
+
+
+/*
+ * Print status about the connection.
+ */
+
+static int
+status(int argc, char **argv)
+{
+    if (connected) {
+	printf("Connected to %s.\r\n", hostname);
+	if ((argc < 2) || strcmp(argv[1], "notmuch")) {
+	    int mode = getconnmode();
+
+	    if (my_want_state_is_will(TELOPT_LINEMODE)) {
+		printf("Operating with LINEMODE option\r\n");
+		printf("%s line editing\r\n", (mode&MODE_EDIT) ? "Local" : "No");
+		printf("%s catching of signals\r\n",
+					(mode&MODE_TRAPSIG) ? "Local" : "No");
+		slcstate();
+#ifdef	KLUDGELINEMODE
+	    } else if (kludgelinemode && my_want_state_is_dont(TELOPT_SGA)) {
+		printf("Operating in obsolete linemode\r\n");
+#endif
+	    } else {
+		printf("Operating in single character mode\r\n");
+		if (localchars)
+		    printf("Catching signals locally\r\n");
+	    }
+	    printf("%s character echo\r\n", (mode&MODE_ECHO) ? "Local" : "Remote");
+	    if (my_want_state_is_will(TELOPT_LFLOW))
+		printf("%s flow control\r\n", (mode&MODE_FLOW) ? "Local" : "No");
+#if	defined(ENCRYPTION)
+	    encrypt_display();
+#endif
+	}
+    } else {
+	printf("No connection.\r\n");
+    }
+    printf("Escape character is '%s'.\r\n", control(escape));
+    fflush(stdout);
+    return 1;
+}
+
+#ifdef	SIGINFO
+/*
+ * Function that gets called when SIGINFO is received.
+ */
+RETSIGTYPE
+ayt_status(int ignore)
+{
+    call(status, "status", "notmuch", 0);
+}
+#endif
+
+static Command *getcmd(char *name);
+
+static void
+cmdrc(char *m1, char *m2)
+{
+    static char rcname[128];
+    Command *c;
+    FILE *rcfile;
+    int gotmachine = 0;
+    int l1 = strlen(m1);
+    int l2 = strlen(m2);
+    char m1save[64];
+
+    if (skiprc)
+	return;
+
+    strlcpy(m1save, m1, sizeof(m1save));
+    m1 = m1save;
+
+    if (rcname[0] == 0) {
+	char *home = getenv("HOME");
+
+	snprintf (rcname, sizeof(rcname), "%s/.telnetrc",
+		  home ? home : "");
+    }
+
+    if ((rcfile = fopen(rcname, "r")) == 0) {
+	return;
+    }
+
+    for (;;) {
+	if (fgets(line, sizeof(line), rcfile) == NULL)
+	    break;
+	if (line[0] == 0)
+	    break;
+	if (line[0] == '#')
+	    continue;
+	if (gotmachine) {
+	    if (!isspace(line[0]))
+		gotmachine = 0;
+	}
+	if (gotmachine == 0) {
+	    if (isspace(line[0]))
+		continue;
+	    if (strncasecmp(line, m1, l1) == 0)
+		strncpy(line, &line[l1], sizeof(line) - l1);
+	    else if (strncasecmp(line, m2, l2) == 0)
+		strncpy(line, &line[l2], sizeof(line) - l2);
+	    else if (strncasecmp(line, "DEFAULT", 7) == 0)
+		strncpy(line, &line[7], sizeof(line) - 7);
+	    else
+		continue;
+	    if (line[0] != ' ' && line[0] != '\t' && line[0] != '\n')
+		continue;
+	    gotmachine = 1;
+	}
+	makeargv();
+	if (margv[0] == 0)
+	    continue;
+	c = getcmd(margv[0]);
+	if (Ambiguous(c)) {
+	    printf("?Ambiguous command: %s\r\n", margv[0]);
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command: %s\r\n", margv[0]);
+	    continue;
+	}
+	/*
+	 * This should never happen...
+	 */
+	if (c->needconnect && !connected) {
+	    printf("?Need to be connected first for %s.\r\n", margv[0]);
+	    continue;
+	}
+	(*c->handler)(margc, margv);
+    }
+    fclose(rcfile);
+}
+
+int
+tn(int argc, char **argv)
+{
+    struct servent *sp = 0;
+    char *cmd, *hostp = 0, *portp = 0;
+    char *user = 0;
+    int port = 0;
+
+    /* clear the socket address prior to use */
+
+    if (connected) {
+	printf("?Already connected to %s\r\n", hostname);
+	return 0;
+    }
+    if (argc < 2) {
+	strlcpy(line, "open ", sizeof(line));
+	printf("(to) ");
+	fgets(&line[strlen(line)], sizeof(line) - strlen(line), stdin);
+	makeargv();
+	argc = margc;
+	argv = margv;
+    }
+    cmd = *argv;
+    --argc; ++argv;
+    while (argc) {
+	if (strcmp(*argv, "help") == 0 || isprefix(*argv, "?"))
+	    goto usage;
+	if (strcmp(*argv, "-l") == 0) {
+	    --argc; ++argv;
+	    if (argc == 0)
+		goto usage;
+	    user = strdup(*argv++);
+	    --argc;
+	    continue;
+	}
+	if (strcmp(*argv, "-a") == 0) {
+	    --argc; ++argv;
+	    autologin = 1;
+	    continue;
+	}
+	if (hostp == 0) {
+	    hostp = *argv++;
+	    --argc;
+	    continue;
+	}
+	if (portp == 0) {
+	    portp = *argv++;
+	    --argc;
+	    continue;
+	}
+    usage:
+	printf("usage: %s [-l user] [-a] host-name [port]\r\n", cmd);
+	return 0;
+    }
+    if (hostp == 0)
+	goto usage;
+
+    strlcpy (_hostname, hostp, sizeof(_hostname));
+    hostp = _hostname;
+    if (hostp[0] == '@' || hostp[0] == '!') {
+	char *p;
+	hostname = NULL;
+	for (p = hostp + 1; *p; p++) {
+	    if (*p == ',' || *p == '@')
+		hostname = p;
+	}
+	if (hostname == NULL) {
+	    fprintf(stderr, "%s: bad source route specification\n", hostp);
+	    return 0;
+	}
+	*hostname++ = '\0';
+    } else
+	hostname = hostp;
+
+    if (portp) {
+	if (*portp == '-') {
+	    portp++;
+	    telnetport = 1;
+	} else
+	    telnetport = 0;
+	port = atoi(portp);
+	if (port == 0) {
+	    sp = roken_getservbyname(portp, "tcp");
+	    if (sp)
+		port = sp->s_port;
+	    else {
+		printf("%s: bad port number\r\n", portp);
+		return 0;
+	    }
+	} else {
+	    port = htons(port);
+	}
+    } else {
+	if (sp == 0) {
+	    sp = roken_getservbyname("telnet", "tcp");
+	    if (sp == 0) {
+		fprintf(stderr, "telnet: tcp/telnet: unknown service\r\n");
+		return 0;
+	    }
+	    port = sp->s_port;
+	}
+	telnetport = 1;
+    }
+
+    {
+	struct addrinfo *ai, *a, hints;
+	int error;
+	char portstr[NI_MAXSERV];
+
+	memset (&hints, 0, sizeof(hints));
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_protocol = IPPROTO_TCP;
+	hints.ai_flags    = AI_CANONNAME;
+
+	snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+	error = getaddrinfo (hostname, portstr, &hints, &ai);
+	if (error) {
+	    fprintf (stderr, "%s: %s\r\n", hostname, gai_strerror (error));
+	    return 0;
+	}
+
+	for (a = ai; a != NULL && connected == 0; a = a->ai_next) {
+	    char addrstr[256];
+
+	    if (a->ai_canonname != NULL)
+		strlcpy (_hostname, a->ai_canonname, sizeof(_hostname));
+
+	    if (getnameinfo (a->ai_addr, a->ai_addrlen,
+			     addrstr, sizeof(addrstr),
+			     NULL, 0, NI_NUMERICHOST) != 0)
+		strlcpy (addrstr, "unknown address", sizeof(addrstr));
+			     
+	    printf("Trying %s...\r\n", addrstr);
+
+	    net = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	    if (net < 0) {
+		warn ("socket");
+		continue;
+	    }
+
+#if	defined(IP_OPTIONS) && defined(IPPROTO_IP) && defined(HAVE_SETSOCKOPT)
+	if (hostp[0] == '@' || hostp[0] == '!') {
+	    char *srp = 0;
+	    int srlen;
+	    int proto, opt;
+
+	    if ((srlen = sourceroute(a, hostp, &srp, &proto, &opt)) < 0) {
+		(void) NetClose(net);
+		net = -1;
+		continue;
+	    }
+	    if (srp && setsockopt(net, proto, opt, srp, srlen) < 0)
+		perror("setsockopt (source route)");
+	}
+#endif
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+	    if (a->ai_family == AF_INET) {
+# if	defined(HAVE_GETTOSBYNAME)
+		struct tosent *tp;
+		if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+		    tos = tp->t_tos;
+# endif
+		if (tos < 0)
+		    tos = 020;	/* Low Delay bit */
+		if (tos
+		    && (setsockopt(net, IPPROTO_IP, IP_TOS,
+				   (void *)&tos, sizeof(int)) < 0)
+		    && (errno != ENOPROTOOPT))
+		    perror("telnet: setsockopt (IP_TOS) (ignored)");
+	    }
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+	    if (debug && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 1) < 0) {
+		perror("setsockopt (SO_DEBUG)");
+	    }
+
+	    if (connect (net, a->ai_addr, a->ai_addrlen) < 0) {
+		fprintf (stderr, "telnet: connect to address %s: %s\n",
+			 addrstr, strerror(errno));
+		NetClose(net);
+		if (a->ai_next != NULL) {
+		    continue;
+		} else {
+		    freeaddrinfo (ai);
+		    return 0;
+		}
+	    }
+	    ++connected;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	    auth_encrypt_connect(connected);
+#endif
+	}
+	freeaddrinfo (ai);
+	if (connected == 0)
+	    return 0;
+    }
+    cmdrc(hostp, hostname);
+    if (autologin && user == NULL)
+	user = (char *)get_default_username ();
+    if (user) {
+	env_define((unsigned char *)"USER", (unsigned char *)user);
+	env_export((unsigned char *)"USER");
+    }
+    call(status, "status", "notmuch", 0);
+    if (setjmp(peerdied) == 0)
+	my_telnet((char *)user);
+    NetClose(net);
+    ExitString("Connection closed by foreign host.\r\n",1);
+    /*NOTREACHED*/
+    return 0;
+}
+
+#define HELPINDENT ((int)sizeof ("connect"))
+
+static char
+	openhelp[] =	"connect to a site",
+	closehelp[] =	"close current connection",
+	logouthelp[] =	"forcibly logout remote user and close the connection",
+	quithelp[] =	"exit telnet",
+	statushelp[] =	"print status information",
+	helphelp[] =	"print help information",
+	sendhelp[] =	"transmit special characters ('send ?' for more)",
+	sethelp[] = 	"set operating parameters ('set ?' for more)",
+	unsethelp[] = 	"unset operating parameters ('unset ?' for more)",
+	togglestring[] ="toggle operating parameters ('toggle ?' for more)",
+	slchelp[] =	"change state of special charaters ('slc ?' for more)",
+	displayhelp[] =	"display operating parameters",
+#if	defined(AUTHENTICATION)
+	authhelp[] =	"turn on (off) authentication ('auth ?' for more)",
+#endif
+#if	defined(ENCRYPTION)
+	encrypthelp[] =	"turn on (off) encryption ('encrypt ?' for more)",
+#endif
+	zhelp[] =	"suspend telnet",
+	shellhelp[] =	"invoke a subshell",
+	envhelp[] =	"change environment variables ('environ ?' for more)",
+	modestring[] = "try to enter line or character mode ('mode ?' for more)";
+
+static int help(int argc, char **argv);
+
+static Command cmdtab[] = {
+	{ "close",	closehelp,	bye,		1 },
+	{ "logout",	logouthelp,	logout,		1 },
+	{ "display",	displayhelp,	display,	0 },
+	{ "mode",	modestring,	modecmd,	0 },
+	{ "open",	openhelp,	tn,		0 },
+	{ "quit",	quithelp,	quit,		0 },
+	{ "send",	sendhelp,	sendcmd,	0 },
+	{ "set",	sethelp,	setcmd,		0 },
+	{ "unset",	unsethelp,	unsetcmd,	0 },
+	{ "status",	statushelp,	status,		0 },
+	{ "toggle",	togglestring,	toggle,		0 },
+	{ "slc",	slchelp,	slccmd,		0 },
+#if	defined(AUTHENTICATION)
+	{ "auth",	authhelp,	auth_cmd,	0 },
+#endif
+#if	defined(ENCRYPTION)
+	{ "encrypt",	encrypthelp,	encrypt_cmd,	0 },
+#endif
+	{ "z",		zhelp,		telnetsuspend,	0 },
+	{ "!",		shellhelp,	shell,		0 },
+	{ "environ",	envhelp,	env_cmd,	0 },
+	{ "?",		helphelp,	help,		0 },
+	{ 0,            0,              0,              0 }
+};
+
+static char	crmodhelp[] =	"deprecated command -- use 'toggle crmod' instead";
+static char	escapehelp[] =	"deprecated command -- use 'set escape' instead";
+
+static Command cmdtab2[] = {
+	{ "help",	0,		help,		0 },
+	{ "escape",	escapehelp,	setescape,	0 },
+	{ "crmod",	crmodhelp,	togcrmod,	0 },
+	{ 0,            0,		0, 		0 }
+};
+
+
+/*
+ * Call routine with argc, argv set from args (terminated by 0).
+ */
+
+static int
+call(intrtn_t routine, ...)
+{
+    va_list ap;
+    char *args[100];
+    int argno = 0;
+
+    va_start(ap, routine);
+    while ((args[argno++] = va_arg(ap, char *)) != 0);
+    va_end(ap);
+    return (*routine)(argno-1, args);
+}
+
+
+static Command
+*getcmd(char *name)
+{
+    Command *cm;
+
+    if ((cm = (Command *) genget(name, (char **) cmdtab, sizeof(Command))))
+	return cm;
+    return (Command *) genget(name, (char **) cmdtab2, sizeof(Command));
+}
+
+void
+command(int top, char *tbuf, int cnt)
+{
+    Command *c;
+
+    setcommandmode();
+    if (!top) {
+	putchar('\n');
+    } else {
+	signal(SIGINT, SIG_DFL);
+	signal(SIGQUIT, SIG_DFL);
+    }
+    for (;;) {
+	if (rlogin == _POSIX_VDISABLE)
+		printf("%s> ", prompt);
+	if (tbuf) {
+	    char *cp;
+	    cp = line;
+	    while (cnt > 0 && (*cp++ = *tbuf++) != '\n')
+		cnt--;
+	    tbuf = 0;
+	    if (cp == line || *--cp != '\n' || cp == line)
+		goto getline;
+	    *cp = '\0';
+	    if (rlogin == _POSIX_VDISABLE)
+		printf("%s\r\n", line);
+	} else {
+	getline:
+	    if (rlogin != _POSIX_VDISABLE)
+		printf("%s> ", prompt);
+	    if (fgets(line, sizeof(line), stdin) == NULL) {
+		if (feof(stdin) || ferror(stdin)) {
+		    quit();
+		    /*NOTREACHED*/
+		}
+		break;
+	    }
+	}
+	if (line[0] == 0)
+	    break;
+	makeargv();
+	if (margv[0] == 0) {
+	    break;
+	}
+	c = getcmd(margv[0]);
+	if (Ambiguous(c)) {
+	    printf("?Ambiguous command\r\n");
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command\r\n");
+	    continue;
+	}
+	if (c->needconnect && !connected) {
+	    printf("?Need to be connected first.\r\n");
+	    continue;
+	}
+	if ((*c->handler)(margc, margv)) {
+	    break;
+	}
+    }
+    if (!top) {
+	if (!connected) {
+	    longjmp(toplevel, 1);
+	    /*NOTREACHED*/
+	}
+	setconnmode(0);
+    }
+}
+
+/*
+ * Help command.
+ */
+static int
+help(int argc, char **argv)
+{
+	Command *c;
+
+	if (argc == 1) {
+		printf("Commands may be abbreviated.  Commands are:\r\n\r\n");
+		for (c = cmdtab; c->name; c++)
+			if (c->help) {
+				printf("%-*s\t%s\r\n", HELPINDENT, c->name,
+								    c->help);
+			}
+		return 0;
+	}
+	while (--argc > 0) {
+		char *arg;
+		arg = *++argv;
+		c = getcmd(arg);
+		if (Ambiguous(c))
+			printf("?Ambiguous help command %s\r\n", arg);
+		else if (c == (Command *)0)
+			printf("?Invalid help command %s\r\n", arg);
+		else
+			printf("%s\r\n", c->help);
+	}
+	return 0;
+}
+
+
+#if	defined(IP_OPTIONS) && defined(IPPROTO_IP)
+
+/*
+ * Source route is handed in as
+ *	[!]@hop1@hop2...@dst
+ *
+ * If the leading ! is present, it is a strict source route, otherwise it is
+ * assmed to be a loose source route.  Note that leading ! is effective
+ * only for IPv4 case.
+ *
+ * We fill in the source route option as
+ *	hop1,hop2,hop3...dest
+ * and return a pointer to hop1, which will
+ * be the address to connect() to.
+ *
+ * Arguments:
+ *	ai:	The address (by struct addrinfo) for the final destination.
+ *
+ *	arg:	Pointer to route list to decipher
+ *
+ *	cpp: 	Pointer to a pointer, so that sourceroute() can return
+ *		the address of result buffer (statically alloc'ed).
+ *
+ *	protop/optp:
+ *		Pointer to an integer.  The pointed variable
+ *	lenp:	pointer to an integer that contains the
+ *		length of *cpp if *cpp != NULL.
+ *
+ * Return values:
+ *
+ *	Returns the length of the option pointed to by *cpp.  If the
+ *	return value is -1, there was a syntax error in the
+ *	option, either arg contained unknown characters or too many hosts,
+ *	or hostname cannot be resolved.
+ *
+ *	The caller needs to pass return value (len), *cpp, *protop and *optp
+ *	to setsockopt(2).
+ *
+ *	*cpp:	Points to the result buffer.  The region is statically
+ *		allocated by the function.
+ *
+ *	*protop:
+ *		protocol # to be passed to setsockopt(2).
+ *
+ *	*optp:	option # to be passed to setsockopt(2).
+ *
+ */
+int
+sourceroute(struct addrinfo *ai,
+	    char *arg,
+	    char **cpp,
+	    int *protop,
+	    int *optp)
+{
+	char *cp, *cp2, *lsrp, *lsrep;
+	struct addrinfo hints, *res;
+	int len, error;
+	struct sockaddr_in *sin;
+	register char c;
+	static char lsr[44];
+#ifdef INET6
+	struct cmsghdr *cmsg;
+	struct sockaddr_in6 *sin6;
+	static char rhbuf[1024];
+#endif
+
+	/*
+	 * Verify the arguments.
+	 */
+	if (cpp == NULL)
+		return -1;
+
+	cp = arg;
+
+	*cpp = NULL;
+	switch (ai->ai_family) {
+	case AF_INET:
+		lsrp = lsr;
+		lsrep = lsrp + sizeof(lsr);
+
+		/*
+		 * Next, decide whether we have a loose source
+		 * route or a strict source route, and fill in
+		 * the begining of the option.
+		 */
+		if (*cp == '!') {
+			cp++;
+			*lsrp++ = IPOPT_SSRR;
+		} else
+			*lsrp++ = IPOPT_LSRR;
+		if (*cp != '@')
+			return -1;
+		lsrp++;		/* skip over length, we'll fill it in later */
+		*lsrp++ = 4;
+		cp++;
+		*protop = IPPROTO_IP;
+		*optp = IP_OPTIONS;
+		break;
+#ifdef INET6
+	case AF_INET6:
+/* this needs to be updated for rfc2292bis */
+#ifdef IPV6_PKTOPTIONS
+		cmsg = inet6_rthdr_init(rhbuf, IPV6_RTHDR_TYPE_0);
+		if (*cp != '@')
+			return -1;
+		cp++;
+		*protop = IPPROTO_IPV6;
+		*optp = IPV6_PKTOPTIONS;
+		break;
+#else
+		return -1;
+#endif
+#endif
+	default:
+		return -1;
+	}
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = ai->ai_family;
+	hints.ai_socktype = SOCK_STREAM;
+
+	for (c = 0;;) {
+		if (c == ':')
+			cp2 = 0;
+		else for (cp2 = cp; (c = *cp2) != '\0'; cp2++) {
+			if (c == ',') {
+				*cp2++ = '\0';
+				if (*cp2 == '@')
+					cp2++;
+			} else if (c == '@') {
+				*cp2++ = '\0';
+			}
+#if 0	/*colon conflicts with IPv6 address*/
+			else if (c == ':') {
+				*cp2++ = '\0';
+			}
+#endif
+			else
+				continue;
+			break;
+		}
+		if (!c)
+			cp2 = 0;
+
+		error = getaddrinfo(cp, NULL, &hints, &res);
+		if (error) {
+			fprintf(stderr, "%s: %s\n", cp, gai_strerror(error));
+			return -1;
+		}
+		if (ai->ai_family != res->ai_family) {
+			freeaddrinfo(res);
+			return -1;
+		}
+		if (ai->ai_family == AF_INET) {
+			/*
+			 * Check to make sure there is space for address
+			 */
+			if (lsrp + 4 > lsrep) {
+				freeaddrinfo(res);
+				return -1;
+			}
+			sin = (struct sockaddr_in *)res->ai_addr;
+			memcpy(lsrp, &sin->sin_addr, sizeof(struct in_addr));
+			lsrp += sizeof(struct in_addr);
+		}
+#ifdef INET6
+		else if (ai->ai_family == AF_INET6) {
+			sin6 = (struct sockaddr_in6 *)res->ai_addr;
+			inet6_rthdr_add(cmsg, &sin6->sin6_addr,
+				IPV6_RTHDR_LOOSE);
+		}
+#endif
+		else {
+			freeaddrinfo(res);
+			return -1;
+		}
+		freeaddrinfo(res);
+		if (cp2)
+			cp = cp2;
+		else
+			break;
+	}
+	if (ai->ai_family == AF_INET) {
+		/* record the last hop */
+		if (lsrp + 4 > lsrep)
+			return -1;
+		sin = (struct sockaddr_in *)ai->ai_addr;
+		memcpy(lsrp, &sin->sin_addr, sizeof(struct in_addr));
+		lsrp += sizeof(struct in_addr);
+#ifndef	sysV88
+		lsr[IPOPT_OLEN] = lsrp - lsr;
+		if (lsr[IPOPT_OLEN] <= 7 || lsr[IPOPT_OLEN] > 40)
+			return -1;
+		*lsrp++ = IPOPT_NOP;	/*32bit word align*/
+		len = lsrp - lsr;
+		*cpp = lsr;
+#else
+		ipopt.io_len = lsrp - lsr;
+		if (ipopt.io_len <= 5)	/*is 3 better?*/
+			return -1;
+		*cpp = (char 8)&ipopt;
+#endif
+	}
+#ifdef INET6
+	else if (ai->ai_family == AF_INET6) {
+		inet6_rthdr_lasthop(cmsg, IPV6_RTHDR_LOOSE);
+		len = cmsg->cmsg_len;
+		*cpp = rhbuf;
+	}
+#endif
+	else
+		return -1;
+	return len;
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnet/defines.h b/crypto/heimdal/appl/telnet/telnet/defines.h
new file mode 100644
index 0000000..5c1ac2b
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/defines.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)defines.h	8.1 (Berkeley) 6/6/93
+ */
+
+#define	settimer(x)	clocks.x = clocks.system++
+
+#define	NETADD(c)	{ *netoring.supply = c; ring_supplied(&netoring, 1); }
+#define	NET2ADD(c1,c2)	{ NETADD(c1); NETADD(c2); }
+#define	NETBYTES()	(ring_full_count(&netoring))
+#define	NETROOM()	(ring_empty_count(&netoring))
+
+#define	TTYADD(c)	if (!(SYNCHing||flushout)) { \
+				*ttyoring.supply = c; \
+				ring_supplied(&ttyoring, 1); \
+			}
+#define	TTYBYTES()	(ring_full_count(&ttyoring))
+#define	TTYROOM()	(ring_empty_count(&ttyoring))
+
+/*	Various modes */
+#define	MODE_LOCAL_CHARS(m)	((m)&(MODE_EDIT|MODE_TRAPSIG))
+#define	MODE_LOCAL_ECHO(m)	((m)&MODE_ECHO)
+#define	MODE_COMMAND_LINE(m)	((m)==-1)
+
+#define	CONTROL(x)	((x)&0x1f)		/* CTRL(x) is not portable */
+
+
+/* XXX extra mode bits, these should be synced with <arpa/telnet.h> */
+
+#define MODE_OUT8	0x8000 /* binary mode sans -opost */
diff --git a/crypto/heimdal/appl/telnet/telnet/externs.h b/crypto/heimdal/appl/telnet/telnet/externs.h
new file mode 100644
index 0000000..14337af
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/externs.h
@@ -0,0 +1,435 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)externs.h	8.3 (Berkeley) 5/30/95
+ */
+
+/* $Id: externs.h,v 1.21 2001/03/06 20:10:13 assar Exp $ */
+
+#ifndef	BSD
+# define BSD 43
+#endif
+
+#ifndef	_POSIX_VDISABLE
+# ifdef sun
+#  include <sys/param.h>	/* pick up VDISABLE definition, mayby */
+# endif
+# ifdef VDISABLE
+#  define _POSIX_VDISABLE VDISABLE
+# else
+#  define _POSIX_VDISABLE ((cc_t)'\377')
+# endif
+#endif
+
+#define	SUBBUFSIZE	256
+
+extern int
+    autologin,		/* Autologin enabled */
+    skiprc,		/* Don't process the ~/.telnetrc file */
+    eight,		/* use eight bit mode (binary in and/or out */
+    binary,
+    flushout,		/* flush output */
+    connected,		/* Are we connected to the other side? */
+    globalmode,		/* Mode tty should be in */
+    telnetport,		/* Are we connected to the telnet port? */
+    localflow,		/* Flow control handled locally */
+    restartany,		/* If flow control, restart output on any character */
+    localchars,		/* we recognize interrupt/quit */
+    donelclchars,	/* the user has set "localchars" */
+    showoptions,
+    net,		/* Network file descriptor */
+    tin,		/* Terminal input file descriptor */
+    tout,		/* Terminal output file descriptor */
+    crlf,		/* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+    autoflush,		/* flush output when interrupting? */
+    autosynch,		/* send interrupt characters with SYNCH? */
+    SYNCHing,		/* Is the stream in telnet SYNCH mode? */
+    donebinarytoggle,	/* the user has put us in binary */
+    dontlecho,		/* do we suppress local echoing right now? */
+    crmod,
+    netdata,		/* Print out network data flow */
+    prettydump,		/* Print "netdata" output in user readable format */
+    termdata,		/* Print out terminal data flow */
+    debug;		/* Debug level */
+
+extern cc_t escape;	/* Escape to command mode */
+extern cc_t rlogin;	/* Rlogin mode escape character */
+#ifdef	KLUDGELINEMODE
+extern cc_t echoc;	/* Toggle local echoing */
+#endif
+
+extern char
+    *prompt;		/* Prompt for command. */
+
+extern char
+    doopt[],
+    dont[],
+    will[],
+    wont[],
+    options[],		/* All the little options */
+    *hostname;		/* Who are we connected to? */
+#if	defined(ENCRYPTION)
+extern void (*encrypt_output) (unsigned char *, int);
+extern int (*decrypt_input) (int);
+#endif
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define	MY_STATE_WILL		0x01
+#define	MY_WANT_STATE_WILL	0x02
+#define	MY_STATE_DO		0x04
+#define	MY_WANT_STATE_DO	0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define	my_state_is_do(opt)		(options[opt]&MY_STATE_DO)
+#define	my_state_is_will(opt)		(options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)	(options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)	(options[opt]&MY_WANT_STATE_WILL)
+
+#define	my_state_is_dont(opt)		(!my_state_is_do(opt))
+#define	my_state_is_wont(opt)		(!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)	(!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)	(!my_want_state_is_will(opt))
+
+#define	set_my_state_do(opt)		{options[opt] |= MY_STATE_DO;}
+#define	set_my_state_will(opt)		{options[opt] |= MY_STATE_WILL;}
+#define	set_my_want_state_do(opt)	{options[opt] |= MY_WANT_STATE_DO;}
+#define	set_my_want_state_will(opt)	{options[opt] |= MY_WANT_STATE_WILL;}
+
+#define	set_my_state_dont(opt)		{options[opt] &= ~MY_STATE_DO;}
+#define	set_my_state_wont(opt)		{options[opt] &= ~MY_STATE_WILL;}
+#define	set_my_want_state_dont(opt)	{options[opt] &= ~MY_WANT_STATE_DO;}
+#define	set_my_want_state_wont(opt)	{options[opt] &= ~MY_WANT_STATE_WILL;}
+
+/*
+ * Make everything symetrical
+ */
+
+#define	HIS_STATE_WILL			MY_STATE_DO
+#define	HIS_WANT_STATE_WILL		MY_WANT_STATE_DO
+#define HIS_STATE_DO			MY_STATE_WILL
+#define HIS_WANT_STATE_DO		MY_WANT_STATE_WILL
+
+#define	his_state_is_do			my_state_is_will
+#define	his_state_is_will		my_state_is_do
+#define his_want_state_is_do		my_want_state_is_will
+#define his_want_state_is_will		my_want_state_is_do
+
+#define	his_state_is_dont		my_state_is_wont
+#define	his_state_is_wont		my_state_is_dont
+#define his_want_state_is_dont		my_want_state_is_wont
+#define his_want_state_is_wont		my_want_state_is_dont
+
+#define	set_his_state_do		set_my_state_will
+#define	set_his_state_will		set_my_state_do
+#define	set_his_want_state_do		set_my_want_state_will
+#define	set_his_want_state_will		set_my_want_state_do
+
+#define	set_his_state_dont		set_my_state_wont
+#define	set_his_state_wont		set_my_state_dont
+#define	set_his_want_state_dont		set_my_want_state_wont
+#define	set_his_want_state_wont		set_my_want_state_dont
+
+
+extern FILE
+    *NetTrace;		/* Where debugging output goes */
+extern char
+    NetTraceFile[];	/* Name of file where debugging output goes */
+extern void
+    SetNetTrace (char *);	/* Function to change where debugging goes */
+
+extern jmp_buf
+    peerdied,
+    toplevel;		/* For error conditions. */
+
+/* authenc.c */
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+int telnet_net_write(unsigned char *str, int len);
+void net_encrypt(void);
+int telnet_spin(void);
+char *telnet_getenv(const char *val);
+char *telnet_gets(char *prompt, char *result, int length, int echo);
+#endif
+
+/* commands.c */
+
+struct env_lst *env_define (unsigned char *, unsigned char *);
+struct env_lst *env_find(unsigned char *var);
+void env_init (void);
+void env_undefine (unsigned char *);
+void env_export (unsigned char *);
+void env_unexport (unsigned char *);
+void env_send (unsigned char *);
+void env_list (void);
+unsigned char * env_default(int init, int welldefined);
+unsigned char * env_getvalue(unsigned char *var);
+
+void set_escape_char(char *s);
+int sourceroute(struct addrinfo *ai, char *arg, char **cpp,
+		int *prototp, int *optp);
+
+#if	defined(AUTHENTICATION)
+int auth_enable (char *);
+int auth_disable (char *);
+int auth_status (void);
+#endif
+
+#if defined(ENCRYPTION)
+int 	EncryptEnable (char *, char *);
+int 	EncryptDisable (char *, char *);
+int 	EncryptType (char *, char *);
+int 	EncryptStart (char *);
+int 	EncryptStartInput (void);
+int 	EncryptStartOutput (void);
+int 	EncryptStop (char *);
+int 	EncryptStopInput (void);
+int 	EncryptStopOutput (void);
+int 	EncryptStatus (void);
+#endif
+
+#ifdef SIGINFO
+RETSIGTYPE ayt_status(int);
+#endif
+int tn(int argc, char **argv);
+void command(int top, char *tbuf, int cnt);
+
+/* main.c */
+
+void tninit(void);
+void usage(void);
+
+/* network.c */
+
+void init_network(void);
+int stilloob(void);
+void setneturg(void);
+int netflush(void);
+
+/* sys_bsd.c */
+
+void init_sys(void);
+int TerminalWrite(char *buf, int n);
+int TerminalRead(unsigned char *buf, int n);
+int TerminalAutoFlush(void);
+int TerminalSpecialChars(int c);
+void TerminalFlushOutput(void);
+void TerminalSaveState(void);
+void TerminalDefaultChars(void);
+void TerminalNewMode(int f);
+cc_t *tcval(int func);
+void TerminalSpeeds(long *input_speed, long *output_speed);
+int TerminalWindowSize(long *rows, long *cols);
+int NetClose(int fd);
+void NetNonblockingIO(int fd, int onoff);
+int process_rings(int netin, int netout, int netex, int ttyin, int ttyout,
+		  int poll);
+
+/* telnet.c */
+
+void init_telnet(void);
+
+void tel_leave_binary(int rw);
+void tel_enter_binary(int rw);
+int opt_welldefined(char *ep);
+int telrcv(void);
+int rlogin_susp(void);
+void intp(void);
+void sendbrk(void);
+void sendabort(void);
+void sendsusp(void);
+void sendeof(void);
+void sendayt(void);
+
+void xmitAO(void);
+void xmitEL(void);
+void xmitEC(void);
+
+
+void     Dump (char, unsigned char *, int);
+void     printoption (char *, int, int);
+void     printsub (int, unsigned char *, int);
+void     sendnaws (void);
+void     setconnmode (int);
+void     setcommandmode (void);
+void     setneturg (void);
+void     sys_telnet_init (void);
+void     my_telnet (char *);
+void     tel_enter_binary (int);
+void     TerminalFlushOutput (void);
+void     TerminalNewMode (int);
+void     TerminalRestoreState (void);
+void     TerminalSaveState (void);
+void     tninit (void);
+void     willoption (int);
+void     wontoption (int);
+
+
+void     send_do (int, int);
+void     send_dont (int, int);
+void     send_will (int, int);
+void     send_wont (int, int);
+
+void     lm_will (unsigned char *, int);
+void     lm_wont (unsigned char *, int);
+void     lm_do (unsigned char *, int);
+void     lm_dont (unsigned char *, int);
+void     lm_mode (unsigned char *, int, int);
+
+void     slc_init (void);
+void     slcstate (void);
+void     slc_mode_export (void);
+void     slc_mode_import (int);
+void     slc_import (int);
+void     slc_export (void);
+void     slc (unsigned char *, int);
+void     slc_check (void);
+void     slc_start_reply (void);
+void     slc_add_reply (unsigned char, unsigned char, cc_t);
+void     slc_end_reply (void);
+int	 slc_update (void);
+
+void     env_opt (unsigned char *, int);
+void     env_opt_start (void);
+void     env_opt_start_info (void);
+void     env_opt_add (unsigned char *);
+void     env_opt_end (int);
+
+unsigned char     *env_default (int, int);
+unsigned char     *env_getvalue (unsigned char *);
+
+int get_status (void);
+int dosynch (void);
+
+cc_t *tcval (int);
+
+int quit (void);
+
+/* terminal.c */
+
+void init_terminal(void);
+int ttyflush(int drop);
+int getconnmode(void);
+
+/* utilities.c */
+
+int SetSockOpt(int fd, int level, int option, int yesno);
+void SetNetTrace(char *file);
+void Dump(char direction, unsigned char *buffer, int length);
+void printoption(char *direction, int cmd, int option);
+void optionstatus(void);
+void printsub(int direction, unsigned char *pointer, int length);
+void EmptyTerminal(void);
+void SetForExit(void);
+void Exit(int returnCode);
+void ExitString(char *string, int returnCode);
+
+extern struct	termios new_tc;
+
+# define termEofChar		new_tc.c_cc[VEOF]
+# define termEraseChar		new_tc.c_cc[VERASE]
+# define termIntChar		new_tc.c_cc[VINTR]
+# define termKillChar		new_tc.c_cc[VKILL]
+# define termQuitChar		new_tc.c_cc[VQUIT]
+
+# ifndef	VSUSP
+extern cc_t termSuspChar;
+# else
+#  define termSuspChar		new_tc.c_cc[VSUSP]
+# endif
+# if	defined(VFLUSHO) && !defined(VDISCARD)
+#  define VDISCARD VFLUSHO
+# endif
+# ifndef	VDISCARD
+extern cc_t termFlushChar;
+# else
+#  define termFlushChar		new_tc.c_cc[VDISCARD]
+# endif
+# ifndef VWERASE
+extern cc_t termWerasChar;
+# else
+#  define termWerasChar		new_tc.c_cc[VWERASE]
+# endif
+# ifndef	VREPRINT
+extern cc_t termRprntChar;
+# else
+#  define termRprntChar		new_tc.c_cc[VREPRINT]
+# endif
+# ifndef	VLNEXT
+extern cc_t termLiteralNextChar;
+# else
+#  define termLiteralNextChar	new_tc.c_cc[VLNEXT]
+# endif
+# ifndef	VSTART
+extern cc_t termStartChar;
+# else
+#  define termStartChar		new_tc.c_cc[VSTART]
+# endif
+# ifndef	VSTOP
+extern cc_t termStopChar;
+# else
+#  define termStopChar		new_tc.c_cc[VSTOP]
+# endif
+# ifndef	VEOL
+extern cc_t termForw1Char;
+# else
+#  define termForw1Char		new_tc.c_cc[VEOL]
+# endif
+# ifndef	VEOL2
+extern cc_t termForw2Char;
+# else
+#  define termForw2Char		new_tc.c_cc[VEOL]
+# endif
+# ifndef	VSTATUS
+extern cc_t termAytChar;
+#else
+#  define termAytChar		new_tc.c_cc[VSTATUS]
+#endif
+
+/* Ring buffer structures which are shared */
+
+extern Ring
+    netoring,
+    netiring,
+    ttyoring,
+    ttyiring;
+
+extern int resettermname;
+extern int linemode;
+#ifdef KLUDGELINEMODE
+extern int kludgelinemode;
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnet/main.c b/crypto/heimdal/appl/telnet/telnet/main.c
new file mode 100644
index 0000000..533c561
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/main.c
@@ -0,0 +1,362 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+static char *copyright[] = {
+    "@(#) Copyright (c) 1988, 1990, 1993\n"
+    "\tThe Regents of the University of California.  All rights reserved.\n",
+    (char*)copyright
+};
+
+#include "telnet_locl.h"
+RCSID("$Id: main.c,v 1.31 2000/12/31 07:40:17 assar Exp $");
+
+/* These values need to be the same as defined in libtelnet/kerberos5.c */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS	0x00000002
+#define OPTS_FORWARDABLE_CREDS	0x00000001
+
+#if KRB5
+#define FORWARD
+#endif
+
+/*
+ * Initialize variables.
+ */
+void
+tninit(void)
+{
+    init_terminal();
+
+    init_network();
+
+    init_telnet();
+
+    init_sys();
+}
+
+void
+usage(void)
+{
+  fprintf(stderr, "Usage: %s %s%s%s%s\n", prompt,
+#ifdef	AUTHENTICATION
+	  "[-8] [-E] [-K] [-L] [-G] [-S tos] [-X atype] [-a] [-c] [-d] [-e char]",
+	  "\n\t[-k realm] [-l user] [-f/-F] [-n tracefile] ",
+#else
+	  "[-8] [-E] [-L] [-S tos] [-a] [-c] [-d] [-e char] [-l user]",
+	  "\n\t[-n tracefile]",
+#endif
+	  "[-r] ",
+#ifdef	ENCRYPTION
+	  "[-x] [host-name [port]]"
+#else
+	  "[host-name [port]]"
+#endif
+    );
+  exit(1);
+}
+
+/*
+ * main.  Parse arguments, invoke the protocol or command parser.
+ */
+
+
+#ifdef	FORWARD
+extern int forward_flags;
+static int default_forward=0;
+#endif	/* FORWARD */
+
+#ifdef KRB5
+/* XXX ugly hack to setup dns-proxy stuff */
+#define Authenticator asn1_Authenticator
+#include <krb5.h>
+static void
+krb5_init(void)
+{
+    krb5_context context;
+    krb5_error_code ret;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	return;
+
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+    if (krb5_config_get_bool (context, NULL,
+         "libdefaults", "forward", NULL)) {
+           forward_flags |= OPTS_FORWARD_CREDS;
+           default_forward=1;
+    }
+    if (krb5_config_get_bool (context, NULL,
+         "libdefaults", "forwardable", NULL)) {
+           forward_flags |= OPTS_FORWARDABLE_CREDS;
+           default_forward=1;
+    }
+#endif
+#ifdef  ENCRYPTION
+    if (krb5_config_get_bool (context, NULL,
+        "libdefaults", "encrypt", NULL)) {
+          encrypt_auto(1);
+          decrypt_auto(1); 
+          EncryptVerbose(1);
+        }
+#endif
+
+    krb5_free_context(context);
+}
+#endif
+
+int
+main(int argc, char **argv)
+{
+	int ch;
+	char *user;
+
+#ifdef KRB5
+	krb5_init();
+#endif
+	
+	tninit();		/* Clear out things */
+
+	TerminalSaveState();
+
+	if ((prompt = strrchr(argv[0], '/')))
+		++prompt;
+	else
+		prompt = argv[0];
+
+	user = NULL;
+
+	rlogin = (strncmp(prompt, "rlog", 4) == 0) ? '~' : _POSIX_VDISABLE;
+
+	/* 
+	 * if AUTHENTICATION and ENCRYPTION is set autologin will be
+	 * se to true after the getopt switch; unless the -K option is
+	 * passed 
+	 */
+	autologin = -1;
+
+	while((ch = getopt(argc, argv,
+			   "78DEKLS:X:abcde:fFk:l:n:rxG")) != -1) {
+		switch(ch) {
+		case '8':
+			eight = 3;	/* binary output and input */
+			break;
+		case '7':
+			eight = 0;
+			break;
+		case 'b':
+		    binary = 3;
+		    break;
+		case 'D': {
+		    /* sometimes we don't want a mangled display */
+		    char *p;
+		    if((p = getenv("DISPLAY")))
+			env_define("DISPLAY", (unsigned char*)p);
+		    break;
+		}
+		case 'E':
+			rlogin = escape = _POSIX_VDISABLE;
+			break;
+		case 'K':
+#ifdef	AUTHENTICATION
+			autologin = 0;
+#endif
+			break;
+		case 'L':
+			eight |= 2;	/* binary output only */
+			break;
+		case 'S':
+		    {
+#ifdef	HAVE_PARSETOS
+			extern int tos;
+
+			if ((tos = parsetos(optarg, "tcp")) < 0)
+				fprintf(stderr, "%s%s%s%s\n",
+					prompt, ": Bad TOS argument '",
+					optarg,
+					"; will try to use default TOS");
+#else
+			fprintf(stderr,
+			   "%s: Warning: -S ignored, no parsetos() support.\n",
+								prompt);
+#endif
+		    }
+			break;
+		case 'X':
+#ifdef	AUTHENTICATION
+			auth_disable_name(optarg);
+#endif
+			break;
+		case 'a':
+			autologin = 1;
+			break;
+		case 'c':
+			skiprc = 1;
+			break;
+		case 'd':
+			debug = 1;
+			break;
+		case 'e':
+			set_escape_char(optarg);
+			break;
+		case 'f':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+			if ((forward_flags & OPTS_FORWARD_CREDS) &&
+			    !default_forward) {
+			    fprintf(stderr,
+				    "%s: Only one of -f and -F allowed.\n",
+				    prompt);
+			    usage();
+			}
+			forward_flags |= OPTS_FORWARD_CREDS;
+#else
+			fprintf(stderr,
+			 "%s: Warning: -f ignored, no Kerberos V5 support.\n",
+				prompt);
+#endif
+			break;
+		case 'F':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+			if ((forward_flags & OPTS_FORWARD_CREDS) &&
+			    !default_forward) {
+			    fprintf(stderr,
+				    "%s: Only one of -f and -F allowed.\n",
+				    prompt);
+			    usage();
+			}
+			forward_flags |= OPTS_FORWARD_CREDS;
+			forward_flags |= OPTS_FORWARDABLE_CREDS;
+#else
+			fprintf(stderr,
+			 "%s: Warning: -F ignored, no Kerberos V5 support.\n",
+				prompt);
+#endif
+			break;
+		case 'k':
+#if defined(AUTHENTICATION) && defined(KRB4)
+		    {
+			extern char *dest_realm, dst_realm_buf[];
+			extern int dst_realm_sz;
+			dest_realm = dst_realm_buf;
+			strlcpy(dest_realm, optarg, dst_realm_sz);
+		    }
+#else
+			fprintf(stderr,
+			   "%s: Warning: -k ignored, no Kerberos V4 support.\n",
+								prompt);
+#endif
+			break;
+		case 'l':
+		  if(autologin == 0){
+		    fprintf(stderr, "%s: Warning: -K ignored\n", prompt);
+		    autologin = -1;
+		  }
+			user = optarg;
+			break;
+		case 'n':
+				SetNetTrace(optarg);
+			break;
+		case 'r':
+			rlogin = '~';
+			break;
+		case 'x':
+#ifdef	ENCRYPTION
+			encrypt_auto(1);
+			decrypt_auto(1);
+			EncryptVerbose(1);
+#else
+			fprintf(stderr,
+			    "%s: Warning: -x ignored, no ENCRYPT support.\n",
+								prompt);
+#endif
+			break;
+		case 'G':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+                        forward_flags ^= OPTS_FORWARD_CREDS;
+                        forward_flags ^= OPTS_FORWARDABLE_CREDS;
+#else
+                        fprintf(stderr,
+                         "%s: Warning: -G ignored, no Kerberos V5 support.\n",
+                                prompt);
+#endif
+                        break;
+
+		case '?':
+		default:
+			usage();
+			/* NOTREACHED */
+		}
+	}
+
+	if (autologin == -1) {		/* esc@magic.fi; force  */
+#if defined(AUTHENTICATION)
+		autologin = 1;
+#endif
+#if defined(ENCRYPTION)
+		encrypt_auto(1);
+		decrypt_auto(1);
+#endif
+	}
+
+	if (autologin == -1)
+		autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1;
+
+	argc -= optind;
+	argv += optind;
+
+	if (argc) {
+		char *args[7], **argp = args;
+
+		if (argc > 2)
+			usage();
+		*argp++ = prompt;
+		if (user) {
+			*argp++ = "-l";
+			*argp++ = user;
+		}
+		*argp++ = argv[0];		/* host */
+		if (argc > 1)
+			*argp++ = argv[1];	/* port */
+		*argp = 0;
+
+		if (setjmp(toplevel) != 0)
+			Exit(0);
+		if (tn(argp - args, args) == 1)
+			return (0);
+		else
+			return (1);
+	}
+	setjmp(toplevel);
+	for (;;) {
+			command(1, 0, 0);
+	}
+}
diff --git a/crypto/heimdal/appl/telnet/telnet/network.c b/crypto/heimdal/appl/telnet/telnet/network.c
new file mode 100644
index 0000000..53818f0
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/network.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: network.c,v 1.11 2000/10/08 13:28:21 assar Exp $");
+
+Ring		netoring, netiring;
+unsigned char	netobuf[2*BUFSIZ], netibuf[BUFSIZ];
+
+/*
+ * Initialize internal network data structures.
+ */
+
+void
+init_network(void)
+{
+    if (ring_init(&netoring, netobuf, sizeof netobuf) != 1) {
+	exit(1);
+    }
+    if (ring_init(&netiring, netibuf, sizeof netibuf) != 1) {
+	exit(1);
+    }
+    NetTrace = stdout;
+}
+
+
+/*
+ * Check to see if any out-of-band data exists on a socket (for
+ * Telnet "synch" processing).
+ */
+
+int
+stilloob(void)
+{
+    static struct timeval timeout = { 0 };
+    fd_set	excepts;
+    int value;
+
+    do {
+	FD_ZERO(&excepts);
+	if (net >= FD_SETSIZE)
+	    errx (1, "fd too large");
+	FD_SET(net, &excepts);
+	value = select(net+1, 0, 0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+	perror("select");
+	quit();
+	/* NOTREACHED */
+    }
+    if (FD_ISSET(net, &excepts)) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+
+/*
+ *  setneturg()
+ *
+ *	Sets "neturg" to the current location.
+ */
+
+void
+setneturg(void)
+{
+    ring_mark(&netoring);
+}
+
+
+/*
+ *  netflush
+ *		Send as much data as possible to the network,
+ *	handling requests for urgent data.
+ *
+ *		The return value indicates whether we did any
+ *	useful work.
+ */
+
+
+int
+netflush(void)
+{
+    int n, n1;
+
+#if	defined(ENCRYPTION)
+    if (encrypt_output)
+	ring_encrypt(&netoring, encrypt_output);
+#endif
+    if ((n1 = n = ring_full_consecutive(&netoring)) > 0) {
+	if (!ring_at_mark(&netoring)) {
+	    n = send(net, (char *)netoring.consume, n, 0); /* normal write */
+	} else {
+	    /*
+	     * In 4.2 (and 4.3) systems, there is some question about
+	     * what byte in a sendOOB operation is the "OOB" data.
+	     * To make ourselves compatible, we only send ONE byte
+	     * out of band, the one WE THINK should be OOB (though
+	     * we really have more the TCP philosophy of urgent data
+	     * rather than the Unix philosophy of OOB data).
+	     */
+	    n = send(net, (char *)netoring.consume, 1, MSG_OOB);/* URGENT data */
+	}
+    }
+    if (n < 0) {
+	if (errno != ENOBUFS && errno != EWOULDBLOCK) {
+	    setcommandmode();
+	    perror(hostname);
+	    NetClose(net);
+	    ring_clear_mark(&netoring);
+	    longjmp(peerdied, -1);
+	    /*NOTREACHED*/
+	}
+	n = 0;
+    }
+    if (netdata && n) {
+	Dump('>', netoring.consume, n);
+    }
+    if (n) {
+	ring_consumed(&netoring, n);
+	/*
+	 * If we sent all, and more to send, then recurse to pick
+	 * up the other half.
+	 */
+	if ((n1 == n) && ring_full_consecutive(&netoring)) {
+	    netflush();
+	}
+	return 1;
+    } else {
+	return 0;
+    }
+}
diff --git a/crypto/heimdal/appl/telnet/telnet/ring.c b/crypto/heimdal/appl/telnet/telnet/ring.c
new file mode 100644
index 0000000..597c79a
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/ring.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: ring.c,v 1.11 2000/02/06 05:15:21 assar Exp $");
+
+/*
+ * This defines a structure for a ring buffer.
+ *
+ * The circular buffer has two parts:
+ *(((
+ *	full:	[consume, supply)
+ *	empty:	[supply, consume)
+ *]]]
+ *
+ */
+
+/* Internal macros */
+
+#define	ring_subtract(d,a,b)	(((a)-(b) >= 0)? \
+					(a)-(b): (((a)-(b))+(d)->size))
+
+#define	ring_increment(d,a,c)	(((a)+(c) < (d)->top)? \
+					(a)+(c) : (((a)+(c))-(d)->size))
+
+#define	ring_decrement(d,a,c)	(((a)-(c) >= (d)->bottom)? \
+					(a)-(c) : (((a)-(c))-(d)->size))
+
+
+/*
+ * The following is a clock, used to determine full, empty, etc.
+ *
+ * There is some trickiness here.  Since the ring buffers are initialized
+ * to ZERO on allocation, we need to make sure, when interpreting the
+ * clock, that when the times are EQUAL, then the buffer is FULL.
+ */
+static u_long ring_clock = 0;
+
+
+#define	ring_empty(d) (((d)->consume == (d)->supply) && \
+				((d)->consumetime >= (d)->supplytime))
+#define	ring_full(d) (((d)->supply == (d)->consume) && \
+				((d)->supplytime > (d)->consumetime))
+
+
+
+
+
+/* Buffer state transition routines */
+
+int
+ring_init(Ring *ring, unsigned char *buffer, int count)
+{
+    memset(ring, 0, sizeof *ring);
+
+    ring->size = count;
+
+    ring->supply = ring->consume = ring->bottom = buffer;
+
+    ring->top = ring->bottom+ring->size;
+
+#if	defined(ENCRYPTION)
+    ring->clearto = 0;
+#endif
+
+    return 1;
+}
+
+/* Mark routines */
+
+/*
+ * Mark the most recently supplied byte.
+ */
+
+void
+ring_mark(Ring *ring)
+{
+    ring->mark = ring_decrement(ring, ring->supply, 1);
+}
+
+/*
+ * Is the ring pointing to the mark?
+ */
+
+int
+ring_at_mark(Ring *ring)
+{
+    if (ring->mark == ring->consume) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+/*
+ * Clear any mark set on the ring.
+ */
+
+void
+ring_clear_mark(Ring *ring)
+{
+    ring->mark = 0;
+}
+
+/*
+ * Add characters from current segment to ring buffer.
+ */
+void
+ring_supplied(Ring *ring, int count)
+{
+    ring->supply = ring_increment(ring, ring->supply, count);
+    ring->supplytime = ++ring_clock;
+}
+
+/*
+ * We have just consumed "c" bytes.
+ */
+void
+ring_consumed(Ring *ring, int count)
+{
+    if (count == 0)	/* don't update anything */
+	return;
+
+    if (ring->mark &&
+		(ring_subtract(ring, ring->mark, ring->consume) < count)) {
+	ring->mark = 0;
+    }
+#if	defined(ENCRYPTION)
+    if (ring->consume < ring->clearto &&
+		ring->clearto <= ring->consume + count)
+	ring->clearto = 0;
+    else if (ring->consume + count > ring->top &&
+		ring->bottom <= ring->clearto &&
+		ring->bottom + ((ring->consume + count) - ring->top))
+	ring->clearto = 0;
+#endif
+    ring->consume = ring_increment(ring, ring->consume, count);
+    ring->consumetime = ++ring_clock;
+    /*
+     * Try to encourage "ring_empty_consecutive()" to be large.
+     */
+    if (ring_empty(ring)) {
+	ring->consume = ring->supply = ring->bottom;
+    }
+}
+
+
+
+/* Buffer state query routines */
+
+
+/* Number of bytes that may be supplied */
+int
+ring_empty_count(Ring *ring)
+{
+    if (ring_empty(ring)) {	/* if empty */
+	    return ring->size;
+    } else {
+	return ring_subtract(ring, ring->consume, ring->supply);
+    }
+}
+
+/* number of CONSECUTIVE bytes that may be supplied */
+int
+ring_empty_consecutive(Ring *ring)
+{
+    if ((ring->consume < ring->supply) || ring_empty(ring)) {
+			    /*
+			     * if consume is "below" supply, or empty, then
+			     * return distance to the top
+			     */
+	return ring_subtract(ring, ring->top, ring->supply);
+    } else {
+				    /*
+				     * else, return what we may.
+				     */
+	return ring_subtract(ring, ring->consume, ring->supply);
+    }
+}
+
+/* Return the number of bytes that are available for consuming
+ * (but don't give more than enough to get to cross over set mark)
+ */
+
+int
+ring_full_count(Ring *ring)
+{
+    if ((ring->mark == 0) || (ring->mark == ring->consume)) {
+	if (ring_full(ring)) {
+	    return ring->size;	/* nothing consumed, but full */
+	} else {
+	    return ring_subtract(ring, ring->supply, ring->consume);
+	}
+    } else {
+	return ring_subtract(ring, ring->mark, ring->consume);
+    }
+}
+
+/*
+ * Return the number of CONSECUTIVE bytes available for consuming.
+ * However, don't return more than enough to cross over set mark.
+ */
+int
+ring_full_consecutive(Ring *ring)
+{
+    if ((ring->mark == 0) || (ring->mark == ring->consume)) {
+	if ((ring->supply < ring->consume) || ring_full(ring)) {
+	    return ring_subtract(ring, ring->top, ring->consume);
+	} else {
+	    return ring_subtract(ring, ring->supply, ring->consume);
+	}
+    } else {
+	if (ring->mark < ring->consume) {
+	    return ring_subtract(ring, ring->top, ring->consume);
+	} else {	/* Else, distance to mark */
+	    return ring_subtract(ring, ring->mark, ring->consume);
+	}
+    }
+}
+
+/*
+ * Move data into the "supply" portion of of the ring buffer.
+ */
+void
+ring_supply_data(Ring *ring, unsigned char *buffer, int count)
+{
+    int i;
+
+    while (count) {
+	i = min(count, ring_empty_consecutive(ring));
+	memmove(ring->supply, buffer, i);
+	ring_supplied(ring, i);
+	count -= i;
+	buffer += i;
+    }
+}
+
+#ifdef notdef
+
+/*
+ * Move data from the "consume" portion of the ring buffer
+ */
+void
+ring_consume_data(Ring *ring, unsigned char *buffer, int count)
+{
+    int i;
+
+    while (count) {
+	i = min(count, ring_full_consecutive(ring));
+	memmove(buffer, ring->consume, i);
+	ring_consumed(ring, i);
+	count -= i;
+	buffer += i;
+    }
+}
+#endif
+
+#if	defined(ENCRYPTION)
+void
+ring_encrypt(Ring *ring, void (*encryptor)(unsigned char *, int))
+{
+    unsigned char *s, *c;
+
+    if (ring_empty(ring) || ring->clearto == ring->supply)
+	return;
+
+    if (!(c = ring->clearto))
+	c = ring->consume;
+
+    s = ring->supply;
+
+    if (s <= c) {
+	(*encryptor)(c, ring->top - c);
+	(*encryptor)(ring->bottom, s - ring->bottom);
+    } else
+	(*encryptor)(c, s - c);
+
+    ring->clearto = ring->supply;
+}
+
+void
+ring_clearto(Ring *ring)
+{
+    if (!ring_empty(ring))
+	ring->clearto = ring->supply;
+    else
+	ring->clearto = 0;
+}
+#endif
+
diff --git a/crypto/heimdal/appl/telnet/telnet/ring.h b/crypto/heimdal/appl/telnet/telnet/ring.h
new file mode 100644
index 0000000..1644a96
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/ring.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ring.h	8.1 (Berkeley) 6/6/93
+ */
+
+/* $Id: ring.h,v 1.4 2000/02/06 05:15:47 assar Exp $ */
+
+/*
+ * This defines a structure for a ring buffer.
+ *
+ * The circular buffer has two parts:
+ *(((
+ *	full:	[consume, supply)
+ *	empty:	[supply, consume)
+ *]]]
+ *
+ */
+typedef struct {
+    unsigned char	*consume,	/* where data comes out of */
+			*supply,	/* where data comes in to */
+			*bottom,	/* lowest address in buffer */
+			*top,		/* highest address+1 in buffer */
+			*mark;		/* marker (user defined) */
+#if	defined(ENCRYPTION)
+    unsigned char	*clearto;	/* Data to this point is clear text */
+    unsigned char	*encryyptedto;	/* Data is encrypted to here */
+#endif
+    int		size;		/* size in bytes of buffer */
+    u_long	consumetime,	/* help us keep straight full, empty, etc. */
+		supplytime;
+} Ring;
+
+/* Here are some functions and macros to deal with the ring buffer */
+
+/* Initialization routine */
+extern int
+	ring_init (Ring *ring, unsigned char *buffer, int count);
+
+/* Data movement routines */
+extern void
+	ring_supply_data (Ring *ring, unsigned char *buffer, int count);
+#ifdef notdef
+extern void
+	ring_consume_data (Ring *ring, unsigned char *buffer, int count);
+#endif
+
+/* Buffer state transition routines */
+extern void
+	ring_supplied (Ring *ring, int count),
+	ring_consumed (Ring *ring, int count);
+
+/* Buffer state query routines */
+extern int
+	ring_empty_count (Ring *ring),
+	ring_empty_consecutive (Ring *ring),
+	ring_full_count (Ring *ring),
+	ring_full_consecutive (Ring *ring);
+
+#if	defined(ENCRYPTION)
+extern void
+	ring_encrypt (Ring *ring, void (*func)(unsigned char *, int)),
+	ring_clearto (Ring *ring);
+#endif
+
+extern int ring_at_mark(Ring *ring);
+
+extern void
+    ring_clear_mark(Ring *ring),
+    ring_mark(Ring *ring);
diff --git a/crypto/heimdal/appl/telnet/telnet/sys_bsd.c b/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
new file mode 100644
index 0000000..9b3f9da
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
@@ -0,0 +1,974 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: sys_bsd.c,v 1.27 2001/03/06 20:10:14 assar Exp $");
+
+/*
+ * The following routines try to encapsulate what is system dependent
+ * (at least between 4.x and dos) which is used in telnet.c.
+ */
+
+int
+	tout,			/* Output file descriptor */
+	tin,			/* Input file descriptor */
+	net;
+
+struct	termios old_tc = { 0 };
+extern struct termios new_tc;
+
+# ifndef	TCSANOW
+#  ifdef TCSETS
+#   define	TCSANOW		TCSETS
+#   define	TCSADRAIN	TCSETSW
+#   define	tcgetattr(f, t) ioctl(f, TCGETS, (char *)t)
+#  else
+#   ifdef TCSETA
+#    define	TCSANOW		TCSETA
+#    define	TCSADRAIN	TCSETAW
+#    define	tcgetattr(f, t) ioctl(f, TCGETA, (char *)t)
+#   else
+#    define	TCSANOW		TIOCSETA
+#    define	TCSADRAIN	TIOCSETAW
+#    define	tcgetattr(f, t) ioctl(f, TIOCGETA, (char *)t)
+#   endif
+#  endif
+#  define	tcsetattr(f, a, t) ioctl(f, a, (char *)t)
+#  define	cfgetospeed(ptr)	((ptr)->c_cflag&CBAUD)
+#  ifdef CIBAUD
+#   define	cfgetispeed(ptr)	(((ptr)->c_cflag&CIBAUD) >> IBSHIFT)
+#  else
+#   define	cfgetispeed(ptr)	cfgetospeed(ptr)
+#  endif
+# endif /* TCSANOW */
+
+static fd_set ibits, obits, xbits;
+
+
+void
+init_sys(void)
+{
+    tout = fileno(stdout);
+    tin = fileno(stdin);
+    FD_ZERO(&ibits);
+    FD_ZERO(&obits);
+    FD_ZERO(&xbits);
+
+    errno = 0;
+}
+
+
+int
+TerminalWrite(char *buf, int n)
+{
+    return write(tout, buf, n);
+}
+
+int
+TerminalRead(unsigned char *buf, int n)
+{
+    return read(tin, buf, n);
+}
+
+/*
+ *
+ */
+
+int
+TerminalAutoFlush(void)
+{
+#if	defined(LNOFLSH)
+    int flush;
+
+    ioctl(0, TIOCLGET, (char *)&flush);
+    return !(flush&LNOFLSH);	/* if LNOFLSH, no autoflush */
+#else	/* LNOFLSH */
+    return 1;
+#endif	/* LNOFLSH */
+}
+
+/*
+ * TerminalSpecialChars()
+ *
+ * Look at an input character to see if it is a special character
+ * and decide what to do.
+ *
+ * Output:
+ *
+ *	0	Don't add this character.
+ *	1	Do add this character
+ */
+
+int
+TerminalSpecialChars(int c)
+{
+    if (c == termIntChar) {
+	intp();
+	return 0;
+    } else if (c == termQuitChar) {
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode)
+	    sendbrk();
+	else
+#endif
+	    sendabort();
+	return 0;
+    } else if (c == termEofChar) {
+	if (my_want_state_is_will(TELOPT_LINEMODE)) {
+	    sendeof();
+	    return 0;
+	}
+	return 1;
+    } else if (c == termSuspChar) {
+	sendsusp();
+	return(0);
+    } else if (c == termFlushChar) {
+	xmitAO();		/* Transmit Abort Output */
+	return 0;
+    } else if (!MODE_LOCAL_CHARS(globalmode)) {
+	if (c == termKillChar) {
+	    xmitEL();
+	    return 0;
+	} else if (c == termEraseChar) {
+	    xmitEC();		/* Transmit Erase Character */
+	    return 0;
+	}
+    }
+    return 1;
+}
+
+
+/*
+ * Flush output to the terminal
+ */
+
+void
+TerminalFlushOutput(void)
+{
+#ifdef	TIOCFLUSH
+    ioctl(fileno(stdout), TIOCFLUSH, (char *) 0);
+#else
+    ioctl(fileno(stdout), TCFLSH, (char *) 0);
+#endif
+}
+
+void
+TerminalSaveState(void)
+{
+    tcgetattr(0, &old_tc);
+
+    new_tc = old_tc;
+
+#ifndef	VDISCARD
+    termFlushChar = CONTROL('O');
+#endif
+#ifndef	VWERASE
+    termWerasChar = CONTROL('W');
+#endif
+#ifndef	VREPRINT
+    termRprntChar = CONTROL('R');
+#endif
+#ifndef	VLNEXT
+    termLiteralNextChar = CONTROL('V');
+#endif
+#ifndef	VSTART
+    termStartChar = CONTROL('Q');
+#endif
+#ifndef	VSTOP
+    termStopChar = CONTROL('S');
+#endif
+#ifndef	VSTATUS
+    termAytChar = CONTROL('T');
+#endif
+}
+
+cc_t*
+tcval(int func)
+{
+    switch(func) {
+    case SLC_IP:	return(&termIntChar);
+    case SLC_ABORT:	return(&termQuitChar);
+    case SLC_EOF:	return(&termEofChar);
+    case SLC_EC:	return(&termEraseChar);
+    case SLC_EL:	return(&termKillChar);
+    case SLC_XON:	return(&termStartChar);
+    case SLC_XOFF:	return(&termStopChar);
+    case SLC_FORW1:	return(&termForw1Char);
+    case SLC_FORW2:	return(&termForw2Char);
+# ifdef	VDISCARD
+    case SLC_AO:	return(&termFlushChar);
+# endif
+# ifdef	VSUSP
+    case SLC_SUSP:	return(&termSuspChar);
+# endif
+# ifdef	VWERASE
+    case SLC_EW:	return(&termWerasChar);
+# endif
+# ifdef	VREPRINT
+    case SLC_RP:	return(&termRprntChar);
+# endif
+# ifdef	VLNEXT
+    case SLC_LNEXT:	return(&termLiteralNextChar);
+# endif
+# ifdef	VSTATUS
+    case SLC_AYT:	return(&termAytChar);
+# endif
+
+    case SLC_SYNCH:
+    case SLC_BRK:
+    case SLC_EOR:
+    default:
+	return((cc_t *)0);
+    }
+}
+
+void
+TerminalDefaultChars(void)
+{
+    memmove(new_tc.c_cc, old_tc.c_cc, sizeof(old_tc.c_cc));
+# ifndef	VDISCARD
+    termFlushChar = CONTROL('O');
+# endif
+# ifndef	VWERASE
+    termWerasChar = CONTROL('W');
+# endif
+# ifndef	VREPRINT
+    termRprntChar = CONTROL('R');
+# endif
+# ifndef	VLNEXT
+    termLiteralNextChar = CONTROL('V');
+# endif
+# ifndef	VSTART
+    termStartChar = CONTROL('Q');
+# endif
+# ifndef	VSTOP
+    termStopChar = CONTROL('S');
+# endif
+# ifndef	VSTATUS
+    termAytChar = CONTROL('T');
+# endif
+}
+
+#ifdef notdef
+void
+TerminalRestoreState()
+{
+}
+#endif
+
+/*
+ * TerminalNewMode - set up terminal to a specific mode.
+ *	MODE_ECHO: do local terminal echo
+ *	MODE_FLOW: do local flow control
+ *	MODE_TRAPSIG: do local mapping to TELNET IAC sequences
+ *	MODE_EDIT: do local line editing
+ *
+ *	Command mode:
+ *		MODE_ECHO|MODE_EDIT|MODE_FLOW|MODE_TRAPSIG
+ *		local echo
+ *		local editing
+ *		local xon/xoff
+ *		local signal mapping
+ *
+ *	Linemode:
+ *		local/no editing
+ *	Both Linemode and Single Character mode:
+ *		local/remote echo
+ *		local/no xon/xoff
+ *		local/no signal mapping
+ */
+
+
+#ifdef	SIGTSTP
+static RETSIGTYPE susp(int);
+#endif	/* SIGTSTP */
+#ifdef	SIGINFO
+static RETSIGTYPE ayt(int);
+#endif
+
+void
+TerminalNewMode(int f)
+{
+    static int prevmode = 0;
+    struct termios tmp_tc;
+    int onoff;
+    int old;
+    cc_t esc;
+
+    globalmode = f&~MODE_FORCE;
+    if (prevmode == f)
+	return;
+
+    /*
+     * Write any outstanding data before switching modes
+     * ttyflush() returns 0 only when there is no more data
+     * left to write out, it returns -1 if it couldn't do
+     * anything at all, otherwise it returns 1 + the number
+     * of characters left to write.
+     */
+    old = ttyflush(SYNCHing|flushout);
+    if (old < 0 || old > 1) {
+	tcgetattr(tin, &tmp_tc);
+	do {
+	    /*
+	     * Wait for data to drain, then flush again.
+	     */
+	    tcsetattr(tin, TCSADRAIN, &tmp_tc);
+	    old = ttyflush(SYNCHing|flushout);
+	} while (old < 0 || old > 1);
+    }
+
+    old = prevmode;
+    prevmode = f&~MODE_FORCE;
+    tmp_tc = new_tc;
+
+    if (f&MODE_ECHO) {
+	tmp_tc.c_lflag |= ECHO;
+	tmp_tc.c_oflag |= ONLCR;
+	if (crlf)
+		tmp_tc.c_iflag |= ICRNL;
+    } else {
+	tmp_tc.c_lflag &= ~ECHO;
+	tmp_tc.c_oflag &= ~ONLCR;
+# ifdef notdef
+	if (crlf)
+		tmp_tc.c_iflag &= ~ICRNL;
+# endif
+    }
+
+    if ((f&MODE_FLOW) == 0) {
+	tmp_tc.c_iflag &= ~(IXOFF|IXON);	/* Leave the IXANY bit alone */
+    } else {
+	if (restartany < 0) {
+		tmp_tc.c_iflag |= IXOFF|IXON;	/* Leave the IXANY bit alone */
+	} else if (restartany > 0) {
+		tmp_tc.c_iflag |= IXOFF|IXON|IXANY;
+	} else {
+		tmp_tc.c_iflag |= IXOFF|IXON;
+		tmp_tc.c_iflag &= ~IXANY;
+	}
+    }
+
+    if ((f&MODE_TRAPSIG) == 0) {
+	tmp_tc.c_lflag &= ~ISIG;
+	localchars = 0;
+    } else {
+	tmp_tc.c_lflag |= ISIG;
+	localchars = 1;
+    }
+
+    if (f&MODE_EDIT) {
+	tmp_tc.c_lflag |= ICANON;
+    } else {
+	tmp_tc.c_lflag &= ~ICANON;
+	tmp_tc.c_iflag &= ~ICRNL;
+	tmp_tc.c_cc[VMIN] = 1;
+	tmp_tc.c_cc[VTIME] = 0;
+    }
+
+    if ((f&(MODE_EDIT|MODE_TRAPSIG)) == 0) {
+# ifdef VLNEXT
+	tmp_tc.c_cc[VLNEXT] = (cc_t)(_POSIX_VDISABLE);
+# endif
+    }
+
+    if (f&MODE_SOFT_TAB) {
+# ifdef	OXTABS
+	tmp_tc.c_oflag |= OXTABS;
+# endif
+# ifdef	TABDLY
+	tmp_tc.c_oflag &= ~TABDLY;
+	tmp_tc.c_oflag |= TAB3;
+# endif
+    } else {
+# ifdef	OXTABS
+	tmp_tc.c_oflag &= ~OXTABS;
+# endif
+# ifdef	TABDLY
+	tmp_tc.c_oflag &= ~TABDLY;
+# endif
+    }
+
+    if (f&MODE_LIT_ECHO) {
+# ifdef	ECHOCTL
+	tmp_tc.c_lflag &= ~ECHOCTL;
+# endif
+    } else {
+# ifdef	ECHOCTL
+	tmp_tc.c_lflag |= ECHOCTL;
+# endif
+    }
+
+    if (f == -1) {
+	onoff = 0;
+    } else {
+	if (f & MODE_INBIN)
+		tmp_tc.c_iflag &= ~ISTRIP;
+	else
+		tmp_tc.c_iflag |= ISTRIP;
+	if ((f & MODE_OUTBIN) || (f & MODE_OUT8)) {
+		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+		tmp_tc.c_cflag |= CS8;
+		if(f & MODE_OUTBIN)
+		    tmp_tc.c_oflag &= ~OPOST;
+		else
+		    tmp_tc.c_oflag |= OPOST;
+	} else {
+		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+		tmp_tc.c_cflag |= old_tc.c_cflag & (CSIZE|PARENB);
+		tmp_tc.c_oflag |= OPOST;
+	}
+	onoff = 1;
+    }
+
+    if (f != -1) {
+
+#ifdef	SIGTSTP
+	signal(SIGTSTP, susp);
+#endif	/* SIGTSTP */
+#ifdef	SIGINFO
+	signal(SIGINFO, ayt);
+#endif
+#ifdef NOKERNINFO
+	tmp_tc.c_lflag |= NOKERNINFO;
+#endif
+	/*
+	 * We don't want to process ^Y here.  It's just another
+	 * character that we'll pass on to the back end.  It has
+	 * to process it because it will be processed when the
+	 * user attempts to read it, not when we send it.
+	 */
+# ifdef	VDSUSP
+	tmp_tc.c_cc[VDSUSP] = (cc_t)(_POSIX_VDISABLE);
+# endif
+	/*
+	 * If the VEOL character is already set, then use VEOL2,
+	 * otherwise use VEOL.
+	 */
+	esc = (rlogin != _POSIX_VDISABLE) ? rlogin : escape;
+	if ((tmp_tc.c_cc[VEOL] != esc)
+# ifdef	VEOL2
+	    && (tmp_tc.c_cc[VEOL2] != esc)
+# endif
+	    ) {
+		if (tmp_tc.c_cc[VEOL] == (cc_t)(_POSIX_VDISABLE))
+		    tmp_tc.c_cc[VEOL] = esc;
+# ifdef	VEOL2
+		else if (tmp_tc.c_cc[VEOL2] == (cc_t)(_POSIX_VDISABLE))
+		    tmp_tc.c_cc[VEOL2] = esc;
+# endif
+	}
+    } else {
+        sigset_t sm;
+#ifdef	SIGINFO
+	RETSIGTYPE ayt_status(int);
+
+	signal(SIGINFO, ayt_status);
+#endif
+#ifdef	SIGTSTP
+	signal(SIGTSTP, SIG_DFL);
+	sigemptyset(&sm);
+	sigaddset(&sm, SIGTSTP);
+	sigprocmask(SIG_UNBLOCK, &sm, NULL);
+#endif	/* SIGTSTP */
+	tmp_tc = old_tc;
+    }
+    if (tcsetattr(tin, TCSADRAIN, &tmp_tc) < 0)
+	tcsetattr(tin, TCSANOW, &tmp_tc);
+
+    ioctl(tin, FIONBIO, (char *)&onoff);
+    ioctl(tout, FIONBIO, (char *)&onoff);
+
+}
+
+/*
+ * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD).
+ */
+#if B4800 != 4800
+#define	DECODE_BAUD
+#endif
+
+#ifdef	DECODE_BAUD
+#ifndef	B7200
+#define B7200   B4800
+#endif
+
+#ifndef	B14400
+#define B14400  B9600
+#endif
+
+#ifndef	B19200
+# define B19200 B14400
+#endif
+
+#ifndef	B28800
+#define B28800  B19200
+#endif
+
+#ifndef	B38400
+# define B38400 B28800
+#endif
+
+#ifndef B57600
+#define B57600  B38400
+#endif
+
+#ifndef B76800
+#define B76800  B57600
+#endif
+
+#ifndef B115200
+#define B115200 B76800
+#endif
+
+#ifndef B230400
+#define B230400 B115200
+#endif
+
+
+/*
+ * This code assumes that the values B0, B50, B75...
+ * are in ascending order.  They do not have to be
+ * contiguous.
+ */
+struct termspeeds {
+	long speed;
+	long value;
+} termspeeds[] = {
+	{ 0,      B0 },      { 50,    B50 },    { 75,     B75 },
+	{ 110,    B110 },    { 134,   B134 },   { 150,    B150 },
+	{ 200,    B200 },    { 300,   B300 },   { 600,    B600 },
+	{ 1200,   B1200 },   { 1800,  B1800 },  { 2400,   B2400 },
+	{ 4800,   B4800 },   { 7200,  B7200 },  { 9600,   B9600 },
+	{ 14400,  B14400 },  { 19200, B19200 }, { 28800,  B28800 },
+	{ 38400,  B38400 },  { 57600, B57600 }, { 115200, B115200 },
+	{ 230400, B230400 }, { -1,    B230400 }
+};
+#endif	/* DECODE_BAUD */
+
+void
+TerminalSpeeds(long *input_speed, long *output_speed)
+{
+#ifdef	DECODE_BAUD
+    struct termspeeds *tp;
+#endif	/* DECODE_BAUD */
+    long in, out;
+
+    out = cfgetospeed(&old_tc);
+    in = cfgetispeed(&old_tc);
+    if (in == 0)
+	in = out;
+
+#ifdef	DECODE_BAUD
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < in))
+	tp++;
+    *input_speed = tp->speed;
+
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < out))
+	tp++;
+    *output_speed = tp->speed;
+#else	/* DECODE_BAUD */
+	*input_speed = in;
+	*output_speed = out;
+#endif	/* DECODE_BAUD */
+}
+
+int
+TerminalWindowSize(long *rows, long *cols)
+{
+    struct winsize ws;
+
+    if (get_window_size (STDIN_FILENO, &ws) == 0) {
+	*rows = ws.ws_row;
+	*cols = ws.ws_col;
+	return 1;
+    } else
+	return 0;
+}
+
+int
+NetClose(int fd)
+{
+    return close(fd);
+}
+
+
+void
+NetNonblockingIO(int fd, int onoff)
+{
+    ioctl(fd, FIONBIO, (char *)&onoff);
+}
+
+
+/*
+ * Various signal handling routines.
+ */
+
+static RETSIGTYPE deadpeer(int),
+  intr(int), intr2(int), susp(int), sendwin(int);
+#ifdef SIGINFO
+static RETSIGTYPE ayt(int);
+#endif
+  
+
+    /* ARGSUSED */
+static RETSIGTYPE
+deadpeer(int sig)
+{
+	setcommandmode();
+	longjmp(peerdied, -1);
+}
+
+    /* ARGSUSED */
+static RETSIGTYPE
+intr(int sig)
+{
+    if (localchars) {
+	intp();
+	return;
+    }
+    setcommandmode();
+    longjmp(toplevel, -1);
+}
+
+    /* ARGSUSED */
+static RETSIGTYPE
+intr2(int sig)
+{
+    if (localchars) {
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode)
+	    sendbrk();
+	else
+#endif
+	    sendabort();
+	return;
+    }
+}
+
+#ifdef	SIGTSTP
+    /* ARGSUSED */
+static RETSIGTYPE
+susp(int sig)
+{
+    if ((rlogin != _POSIX_VDISABLE) && rlogin_susp())
+	return;
+    if (localchars)
+	sendsusp();
+}
+#endif
+
+#ifdef	SIGWINCH
+    /* ARGSUSED */
+static RETSIGTYPE
+sendwin(int sig)
+{
+    if (connected) {
+	sendnaws();
+    }
+}
+#endif
+
+#ifdef	SIGINFO
+    /* ARGSUSED */
+static RETSIGTYPE
+ayt(int sig)
+{
+    if (connected)
+	sendayt();
+    else
+	ayt_status(sig);
+}
+#endif
+
+
+void
+sys_telnet_init(void)
+{
+    signal(SIGINT, intr);
+    signal(SIGQUIT, intr2);
+    signal(SIGPIPE, deadpeer);
+#ifdef	SIGWINCH
+    signal(SIGWINCH, sendwin);
+#endif
+#ifdef	SIGTSTP
+    signal(SIGTSTP, susp);
+#endif
+#ifdef	SIGINFO
+    signal(SIGINFO, ayt);
+#endif
+
+    setconnmode(0);
+
+    NetNonblockingIO(net, 1);
+
+
+#if	defined(SO_OOBINLINE)
+    if (SetSockOpt(net, SOL_SOCKET, SO_OOBINLINE, 1) == -1) {
+	perror("SetSockOpt");
+    }
+#endif	/* defined(SO_OOBINLINE) */
+}
+
+/*
+ * Process rings -
+ *
+ *	This routine tries to fill up/empty our various rings.
+ *
+ *	The parameter specifies whether this is a poll operation,
+ *	or a block-until-something-happens operation.
+ *
+ *	The return value is 1 if something happened, 0 if not.
+ */
+
+int
+process_rings(int netin,
+	      int netout,
+	      int netex,
+	      int ttyin,
+	      int ttyout,
+	      int poll) /* If 0, then block until something to do */
+{
+    int c;
+		/* One wants to be a bit careful about setting returnValue
+		 * to one, since a one implies we did some useful work,
+		 * and therefore probably won't be called to block next
+		 * time (TN3270 mode only).
+		 */
+    int returnValue = 0;
+    static struct timeval TimeValue = { 0 };
+
+    if (net >= FD_SETSIZE
+	|| tout >= FD_SETSIZE
+	|| tin >= FD_SETSIZE)
+	errx (1, "fd too large");
+
+    if (netout) {
+	FD_SET(net, &obits);
+    }
+    if (ttyout) {
+	FD_SET(tout, &obits);
+    }
+    if (ttyin) {
+	FD_SET(tin, &ibits);
+    }
+    if (netin) {
+	FD_SET(net, &ibits);
+    }
+#if !defined(SO_OOBINLINE)
+    if (netex) {
+	FD_SET(net, &xbits);
+    }
+#endif
+    if ((c = select(FD_SETSIZE, &ibits, &obits, &xbits,
+			(poll == 0)? (struct timeval *)0 : &TimeValue)) < 0) {
+	if (c == -1) {
+		    /*
+		     * we can get EINTR if we are in line mode,
+		     * and the user does an escape (TSTP), or
+		     * some other signal generator.
+		     */
+	    if (errno == EINTR) {
+		return 0;
+	    }
+		    /* I don't like this, does it ever happen? */
+	    printf("sleep(5) from telnet, after select\r\n");
+	    sleep(5);
+	}
+	return 0;
+    }
+
+    /*
+     * Any urgent data?
+     */
+    if (FD_ISSET(net, &xbits)) {
+	FD_CLR(net, &xbits);
+	SYNCHing = 1;
+	ttyflush(1);	/* flush already enqueued data */
+    }
+
+    /*
+     * Something to read from the network...
+     */
+    if (FD_ISSET(net, &ibits)) {
+	int canread;
+
+	FD_CLR(net, &ibits);
+	canread = ring_empty_consecutive(&netiring);
+#if	!defined(SO_OOBINLINE)
+	    /*
+	     * In 4.2 (and some early 4.3) systems, the
+	     * OOB indication and data handling in the kernel
+	     * is such that if two separate TCP Urgent requests
+	     * come in, one byte of TCP data will be overlaid.
+	     * This is fatal for Telnet, but we try to live
+	     * with it.
+	     *
+	     * In addition, in 4.2 (and...), a special protocol
+	     * is needed to pick up the TCP Urgent data in
+	     * the correct sequence.
+	     *
+	     * What we do is:  if we think we are in urgent
+	     * mode, we look to see if we are "at the mark".
+	     * If we are, we do an OOB receive.  If we run
+	     * this twice, we will do the OOB receive twice,
+	     * but the second will fail, since the second
+	     * time we were "at the mark", but there wasn't
+	     * any data there (the kernel doesn't reset
+	     * "at the mark" until we do a normal read).
+	     * Once we've read the OOB data, we go ahead
+	     * and do normal reads.
+	     *
+	     * There is also another problem, which is that
+	     * since the OOB byte we read doesn't put us
+	     * out of OOB state, and since that byte is most
+	     * likely the TELNET DM (data mark), we would
+	     * stay in the TELNET SYNCH (SYNCHing) state.
+	     * So, clocks to the rescue.  If we've "just"
+	     * received a DM, then we test for the
+	     * presence of OOB data when the receive OOB
+	     * fails (and AFTER we did the normal mode read
+	     * to clear "at the mark").
+	     */
+	if (SYNCHing) {
+	    int atmark;
+	    static int bogus_oob = 0, first = 1;
+
+	    ioctl(net, SIOCATMARK, (char *)&atmark);
+	    if (atmark) {
+		c = recv(net, netiring.supply, canread, MSG_OOB);
+		if ((c == -1) && (errno == EINVAL)) {
+		    c = recv(net, netiring.supply, canread, 0);
+		    if (clocks.didnetreceive < clocks.gotDM) {
+			SYNCHing = stilloob();
+		    }
+		} else if (first && c > 0) {
+		    /*
+		     * Bogosity check.  Systems based on 4.2BSD
+		     * do not return an error if you do a second
+		     * recv(MSG_OOB).  So, we do one.  If it
+		     * succeeds and returns exactly the same
+		     * data, then assume that we are running
+		     * on a broken system and set the bogus_oob
+		     * flag.  (If the data was different, then
+		     * we probably got some valid new data, so
+		     * increment the count...)
+		     */
+		    int i;
+		    i = recv(net, netiring.supply + c, canread - c, MSG_OOB);
+		    if (i == c &&
+			 memcmp(netiring.supply, netiring.supply + c, i) == 0) {
+			bogus_oob = 1;
+			first = 0;
+		    } else if (i < 0) {
+			bogus_oob = 0;
+			first = 0;
+		    } else
+			c += i;
+		}
+		if (bogus_oob && c > 0) {
+		    int i;
+		    /*
+		     * Bogosity.  We have to do the read
+		     * to clear the atmark to get out of
+		     * an infinate loop.
+		     */
+		    i = read(net, netiring.supply + c, canread - c);
+		    if (i > 0)
+			c += i;
+		}
+	    } else {
+		c = recv(net, netiring.supply, canread, 0);
+	    }
+	} else {
+	    c = recv(net, netiring.supply, canread, 0);
+	}
+	settimer(didnetreceive);
+#else	/* !defined(SO_OOBINLINE) */
+	c = recv(net, (char *)netiring.supply, canread, 0);
+#endif	/* !defined(SO_OOBINLINE) */
+	if (c < 0 && errno == EWOULDBLOCK) {
+	    c = 0;
+	} else if (c <= 0) {
+	    return -1;
+	}
+	if (netdata) {
+	    Dump('<', netiring.supply, c);
+	}
+	if (c)
+	    ring_supplied(&netiring, c);
+	returnValue = 1;
+    }
+
+    /*
+     * Something to read from the tty...
+     */
+    if (FD_ISSET(tin, &ibits)) {
+	FD_CLR(tin, &ibits);
+	c = TerminalRead(ttyiring.supply, ring_empty_consecutive(&ttyiring));
+	if (c < 0 && errno == EIO)
+	    c = 0;
+	if (c < 0 && errno == EWOULDBLOCK) {
+	    c = 0;
+	} else {
+	    /* EOF detection for line mode!!!! */
+	    if ((c == 0) && MODE_LOCAL_CHARS(globalmode) && isatty(tin)) {
+			/* must be an EOF... */
+		*ttyiring.supply = termEofChar;
+		c = 1;
+	    }
+	    if (c <= 0) {
+		return -1;
+	    }
+	    if (termdata) {
+		Dump('<', ttyiring.supply, c);
+	    }
+	    ring_supplied(&ttyiring, c);
+	}
+	returnValue = 1;		/* did something useful */
+    }
+
+    if (FD_ISSET(net, &obits)) {
+	FD_CLR(net, &obits);
+	returnValue |= netflush();
+    }
+    if (FD_ISSET(tout, &obits)) {
+	FD_CLR(tout, &obits);
+	returnValue |= (ttyflush(SYNCHing|flushout) > 0);
+    }
+
+    return returnValue;
+}
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.1 b/crypto/heimdal/appl/telnet/telnet/telnet.1
new file mode 100644
index 0000000..a89d725
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.1
@@ -0,0 +1,1367 @@
+.\" Copyright (c) 1983, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)telnet.1	8.6 (Berkeley) 6/1/94
+.\"
+.Dd June 1, 1994
+.Dt TELNET 1
+.Os BSD 4.2
+.Sh NAME
+.Nm telnet
+.Nd user interface to the 
+.Tn TELNET
+protocol
+.Sh SYNOPSIS
+.Nm telnet
+.Op Fl 78EFKLacdfrx
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl e Ar escapechar
+.Op Fl k Ar realm
+.Op Fl l Ar user
+.Op Fl n Ar tracefile
+.Oo
+.Ar host
+.Op port
+.Oc
+.Sh DESCRIPTION
+The
+.Nm telnet
+command
+is used to communicate with another host using the 
+.Tn TELNET
+protocol.
+If
+.Nm telnet
+is invoked without the
+.Ar host
+argument, it enters command mode,
+indicated by its prompt
+.Pq Nm telnet\&> .
+In this mode, it accepts and executes the commands listed below.
+If it is invoked with arguments, it performs an
+.Ic open
+command with those arguments.
+.Pp
+Options:
+.Bl -tag -width indent
+.It Fl 8
+Specifies an 8-bit data path.  This causes an attempt to
+negotiate the
+.Dv TELNET BINARY
+option on both input and output.
+.It Fl 7
+Do not try to negotiate
+.Dv TELNET BINARY
+option.
+.It Fl E
+Stops any character from being recognized as an escape character.
+.It Fl F
+If Kerberos V5 authentication is being used, the
+.Fl F
+option allows the local credentials to be forwarded
+to the remote system, including any credentials that
+have already been forwarded into the local environment.
+.It Fl K
+Specifies no automatic login to the remote system.
+.It Fl L
+Specifies an 8-bit data path on output.  This causes the
+BINARY option to be negotiated on output.
+.It Fl S Ar tos
+Sets the IP type-of-service (TOS) option for the telnet
+connection to the value
+.Ar tos ,
+which can be a numeric TOS value
+or, on systems that support it, a symbolic
+TOS name found in the /etc/iptos file.
+.It Fl X Ar atype 
+Disables the
+.Ar atype
+type of authentication.
+.It Fl a
+Attempt automatic login.
+Currently, this sends the user name via the
+.Ev USER
+variable
+of the
+.Ev ENVIRON
+option if supported by the remote system.
+The name used is that of the current user as returned by
+.Xr getlogin 2
+if it agrees with the current user ID,
+otherwise it is the name associated with the user ID.
+.It Fl c
+Disables the reading of the user's
+.Pa \&.telnetrc
+file.  (See the
+.Ic toggle skiprc
+command on this man page.)
+.It Fl d
+Sets the initial value of the
+.Ic debug
+toggle to
+.Dv TRUE
+.It Fl e Ar escape char 
+Sets the initial
+.Nm
+.Nm telnet
+escape character to
+.Ar escape char .
+If
+.Ar escape char
+is omitted, then
+there will be no escape character.
+.It Fl f
+If Kerberos V5 authentication is being used, the
+.Fl f
+option allows the local credentials to be forwarded to the remote system.
+.It Fl k Ar realm
+If Kerberos authentication is being used, the
+.Fl k
+option requests that telnet obtain tickets for the remote host in
+realm realm instead of the remote host's realm, as determined
+by
+.Xr krb_realmofhost 3 .
+.It Fl l Ar user 
+When connecting to the remote system, if the remote system
+understands the
+.Ev ENVIRON
+option, then
+.Ar user
+will be sent to the remote system as the value for the variable USER.
+This option implies the
+.Fl a
+option.
+This option may also be used with the
+.Ic open
+command.
+.It Fl n Ar tracefile 
+Opens
+.Ar tracefile
+for recording trace information.
+See the
+.Ic set tracefile
+command below.
+.It Fl r
+Specifies a user interface similar to
+.Xr rlogin 1 .
+In this
+mode, the escape character is set to the tilde (~) character,
+unless modified by the -e option.
+.It Fl x
+Turns on encryption of the data stream if possible. This is 
+currently the default and when it fails a warning is issued.
+.It Ar host
+Indicates the official name, an alias, or the Internet address
+of a remote host.
+.It Ar port
+Indicates a port number (address of an application).  If a number is
+not specified, the default
+.Nm telnet
+port is used.
+.El
+.Pp
+When in rlogin mode, a line of the form ~.  disconnects from the
+remote host; ~ is the telnet escape character.
+Similarly, the line ~^Z suspends the telnet session.
+The line ~^] escapes to the normal telnet escape prompt.
+.Pp
+Once a connection has been opened,
+.Nm telnet
+will attempt to enable the
+.Dv TELNET LINEMODE
+option.
+If this fails, then
+.Nm telnet
+will revert to one of two input modes:
+either \*(Lqcharacter at a time\*(Rq
+or \*(Lqold line by line\*(Rq
+depending on what the remote system supports.
+.Pp
+When 
+.Dv LINEMODE
+is enabled, character processing is done on the
+local system, under the control of the remote system.  When input
+editing or character echoing is to be disabled, the remote system
+will relay that information.  The remote system will also relay
+changes to any special characters that happen on the remote
+system, so that they can take effect on the local system.
+.Pp
+In \*(Lqcharacter at a time\*(Rq mode, most
+text typed is immediately sent to the remote host for processing.
+.Pp
+In \*(Lqold line by line\*(Rq mode, all text is echoed locally,
+and (normally) only completed lines are sent to the remote host.
+The \*(Lqlocal echo character\*(Rq (initially \*(Lq^E\*(Rq) may be used
+to turn off and on the local echo
+(this would mostly be used to enter passwords
+without the password being echoed).
+.Pp
+If the 
+.Dv LINEMODE
+option is enabled, or if the
+.Ic localchars
+toggle is
+.Dv TRUE
+(the default for \*(Lqold line by line\*(Lq; see below),
+the user's
+.Ic quit  ,
+.Ic intr ,
+and
+.Ic flush
+characters are trapped locally, and sent as
+.Tn TELNET
+protocol sequences to the remote side.
+If 
+.Dv LINEMODE
+has ever been enabled, then the user's
+.Ic susp
+and
+.Ic eof
+are also sent as
+.Tn TELNET
+protocol sequences,
+and
+.Ic quit
+is sent as a 
+.Dv TELNET ABORT
+instead of 
+.Dv BREAK
+There are options (see
+.Ic toggle
+.Ic autoflush
+and
+.Ic toggle
+.Ic autosynch
+below)
+which cause this action to flush subsequent output to the terminal
+(until the remote host acknowledges the
+.Tn TELNET
+sequence) and flush previous terminal input
+(in the case of
+.Ic quit
+and
+.Ic intr  ) .
+.Pp
+While connected to a remote host,
+.Nm telnet
+command mode may be entered by typing the
+.Nm telnet
+\*(Lqescape character\*(Rq (initially \*(Lq^]\*(Rq).
+When in command mode, the normal terminal editing conventions are available.
+.Pp
+The following
+.Nm telnet
+commands are available.
+Only enough of each command to uniquely identify it need be typed
+(this is also true for arguments to the
+.Ic mode  ,
+.Ic set ,
+.Ic toggle  ,
+.Ic unset ,
+.Ic slc  ,
+.Ic environ ,
+and
+.Ic display
+commands).
+.Pp
+.Bl -tag -width "mode type"
+.It Ic auth Ar argument ... 
+The auth command manipulates the information sent through the
+.Dv TELNET AUTHENTICATE
+option.  Valid arguments for the
+auth command are as follows:
+.Bl -tag -width "disable type"
+.It Ic disable Ar type
+Disables the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth disable ?\&
+command.
+.It Ic enable Ar type
+Enables the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth enable ?\&
+command.
+.It Ic status
+Lists the current status of the various types of
+authentication.
+.El
+.It Ic close
+Close a
+.Tn TELNET
+session and return to command mode.
+.It Ic display Ar argument ... 
+Displays all, or some, of the
+.Ic set
+and
+.Ic toggle
+values (see below).
+.It Ic encrypt Ar argument ...
+The encrypt command manipulates the information sent through the
+.Dv TELNET ENCRYPT
+option.
+.Pp
+Note:  Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside of the United States and Canada.
+.Pp
+Valid arguments for the encrypt command are as follows:
+.Bl -tag -width Ar
+.It Ic disable Ar type Xo
+.Op Cm input | output
+.Xc
+Disables the specified type of encryption.  If you
+omit the input and output, both input and output
+are disabled.  To obtain a list of available
+types, use the
+.Ic encrypt disable ?\&
+command.
+.It Ic enable Ar type Xo
+.Op Cm input | output
+.Xc
+Enables the specified type of encryption.  If you
+omit input and output, both input and output are
+enabled.  To obtain a list of available types, use the
+.Ic encrypt enable ?\&
+command.
+.It Ic input
+This is the same as the
+.Ic encrypt start input
+command.
+.It Ic -input
+This is the same as the
+.Ic encrypt stop input
+command.
+.It Ic output
+This is the same as the
+.Ic encrypt start output
+command.
+.It Ic -output
+This is the same as the
+.Ic encrypt stop output
+command.
+.It Ic start Op Cm input | output
+Attempts to start encryption.  If you omit
+.Ic input
+and
+.Ic output ,
+both input and output are enabled.  To
+obtain a list of available types, use the
+.Ic encrypt enable ?\&
+command.
+.It Ic status
+Lists the current status of encryption.
+.It Ic stop Op Cm input | output
+Stops encryption.  If you omit input and output,
+encryption is on both input and output.
+.It Ic type Ar type
+Sets the default type of encryption to be used
+with later
+.Ic encrypt start
+or
+.Ic encrypt stop
+commands.
+.El
+.It Ic environ Ar arguments ...
+The
+.Ic environ
+command is used to manipulate the
+the variables that my be sent through the
+.Dv TELNET ENVIRON
+option.
+The initial set of variables is taken from the users
+environment, with only the
+.Ev DISPLAY
+and
+.Ev PRINTER
+variables being exported by default.
+The
+.Ev USER
+variable is also exported if the
+.Fl a
+or
+.Fl l
+options are used.
+.Pp
+Valid arguments for the
+.Ic environ
+command are:
+.Bl -tag -width Fl
+.It Ic define Ar variable value 
+Define the variable
+.Ar variable
+to have a value of
+.Ar value .
+Any variables defined by this command are automatically exported.
+The
+.Ar value
+may be enclosed in single or double quotes so
+that tabs and spaces may be included.
+.It Ic undefine Ar variable 
+Remove
+.Ar variable
+from the list of environment variables.
+.It Ic export Ar variable 
+Mark the variable
+.Ar variable
+to be exported to the remote side.
+.It Ic unexport Ar variable 
+Mark the variable
+.Ar variable
+to not be exported unless
+explicitly asked for by the remote side.
+.It Ic list
+List the current set of environment variables.
+Those marked with a
+.Cm *
+will be sent automatically,
+other variables will only be sent if explicitly requested.
+.It Ic ?\&
+Prints out help information for the
+.Ic environ
+command.
+.El
+.It Ic logout
+Sends the
+.Dv TELNET LOGOUT
+option to the remote side.
+This command is similar to a
+.Ic close
+command; however, if the remote side does not support the
+.Dv LOGOUT
+option, nothing happens.
+If, however, the remote side does support the
+.Dv LOGOUT
+option, this command should cause the remote side to close the
+.Tn TELNET
+connection.
+If the remote side also supports the concept of
+suspending a user's session for later reattachment,
+the logout argument indicates that you
+should terminate the session immediately.
+.It Ic mode Ar type 
+.Ar Type
+is one of several options, depending on the state of the
+.Tn TELNET
+session.
+The remote host is asked for permission to go into the requested mode.
+If the remote host is capable of entering that mode, the requested
+mode will be entered.
+.Bl -tag -width Ar
+.It Ic character
+Disable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then enter \*(Lqcharacter at a time\*(Lq mode.
+.It Ic line
+Enable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then attempt to enter \*(Lqold-line-by-line\*(Lq mode.
+.It Ic isig Pq Ic \-isig 
+Attempt to enable (disable) the 
+.Dv TRAPSIG
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic edit Pq Ic \-edit 
+Attempt to enable (disable) the 
+.Dv EDIT
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic softtabs Pq Ic \-softtabs 
+Attempt to enable (disable) the 
+.Dv SOFT_TAB
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic litecho Pq Ic \-litecho 
+Attempt to enable (disable) the 
+.Dv LIT_ECHO
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic ?\&
+Prints out help information for the
+.Ic mode
+command.
+.El
+.It Xo
+.Ic open Ar host
+.Op Fl l Ar user
+.Op Oo Fl Oc Ns Ar port
+.Xc
+Open a connection to the named host.
+If no port number
+is specified,
+.Nm telnet
+will attempt to contact a
+.Tn TELNET
+server at the default port.
+The host specification may be either a host name (see
+.Xr hosts  5  )
+or an Internet address specified in the \*(Lqdot notation\*(Rq (see
+.Xr inet 3 ) .
+The
+.Op Fl l
+option may be used to specify the user name
+to be passed to the remote system via the
+.Ev ENVIRON
+option.
+When connecting to a non-standard port,
+.Nm telnet
+omits any automatic initiation of
+.Tn TELNET
+options.  When the port number is preceded by a minus sign,
+the initial option negotiation is done.
+After establishing a connection, the file
+.Pa \&.telnetrc
+in the
+users home directory is opened.  Lines beginning with a # are
+comment lines.  Blank lines are ignored.  Lines that begin
+without white space are the start of a machine entry.  The
+first thing on the line is the name of the machine that is
+being connected to.  The rest of the line, and successive
+lines that begin with white space are assumed to be
+.Nm telnet
+commands and are processed as if they had been typed
+in manually to the
+.Nm telnet
+command prompt.
+.It Ic quit
+Close any open
+.Tn TELNET
+session and exit
+.Nm telnet  .
+An end of file (in command mode) will also close a session and exit.
+.It Ic send Ar arguments 
+Sends one or more special character sequences to the remote host.
+The following are the arguments which may be specified
+(more than one argument may be specified at a time):
+.Pp
+.Bl -tag -width escape
+.It Ic abort
+Sends the
+.Dv TELNET ABORT
+(Abort
+processes)
+sequence.
+.It Ic ao
+Sends the
+.Dv TELNET AO
+(Abort Output) sequence, which should cause the remote system to flush
+all output
+.Em from
+the remote system
+.Em to
+the user's terminal.
+.It Ic ayt
+Sends the
+.Dv TELNET AYT
+(Are You There)
+sequence, to which the remote system may or may not choose to respond.
+.It Ic brk
+Sends the
+.Dv TELNET BRK
+(Break) sequence, which may have significance to the remote
+system.
+.It Ic ec
+Sends the
+.Dv TELNET EC
+(Erase Character)
+sequence, which should cause the remote system to erase the last character
+entered.
+.It Ic el
+Sends the
+.Dv TELNET EL
+(Erase Line)
+sequence, which should cause the remote system to erase the line currently
+being entered.
+.It Ic eof
+Sends the
+.Dv TELNET EOF
+(End Of File)
+sequence.
+.It Ic eor
+Sends the
+.Dv TELNET EOR
+(End of Record)
+sequence.
+.It Ic escape
+Sends the current
+.Nm telnet
+escape character (initially \*(Lq^\*(Rq).
+.It Ic ga
+Sends the
+.Dv TELNET GA
+(Go Ahead)
+sequence, which likely has no significance to the remote system.
+.It Ic getstatus
+If the remote side supports the
+.Dv TELNET STATUS
+command,
+.Ic getstatus
+will send the subnegotiation to request that the server send
+its current option status.
+.It Ic ip
+Sends the
+.Dv TELNET IP
+(Interrupt Process) sequence, which should cause the remote
+system to abort the currently running process.
+.It Ic nop
+Sends the
+.Dv TELNET NOP
+(No OPeration)
+sequence.
+.It Ic susp
+Sends the
+.Dv TELNET SUSP
+(SUSPend process)
+sequence.
+.It Ic synch
+Sends the
+.Dv TELNET SYNCH
+sequence.
+This sequence causes the remote system to discard all previously typed
+(but not yet read) input.
+This sequence is sent as
+.Tn TCP
+urgent
+data (and may not work if the remote system is a
+.Bx 4.2
+system -- if
+it doesn't work, a lower case \*(Lqr\*(Rq may be echoed on the terminal).
+.It Ic do Ar cmd
+.It Ic dont Ar cmd
+.It Ic will Ar cmd
+.It Ic wont Ar cmd
+Sends the
+.Dv TELNET DO
+.Ar cmd
+sequence.
+.Ar Cmd
+can be either a decimal number between 0 and 255,
+or a symbolic name for a specific
+.Dv TELNET
+command.
+.Ar Cmd
+can also be either
+.Ic help
+or
+.Ic ?\&
+to print out help information, including
+a list of known symbolic names.
+.It Ic ?\&
+Prints out help information for the
+.Ic send
+command.
+.El
+.It Ic set Ar argument value 
+.It Ic unset Ar argument value 
+The
+.Ic set
+command will set any one of a number of
+.Nm telnet
+variables to a specific value or to
+.Dv TRUE .
+The special value
+.Ic off
+turns off the function associated with
+the variable, this is equivalent to using the
+.Ic unset
+command.
+The
+.Ic unset
+command will disable or set to
+.Dv FALSE
+any of the specified functions.
+The values of variables may be interrogated with the
+.Ic display
+command.
+The variables which may be set or unset, but not toggled, are
+listed here.  In addition, any of the variables for the
+.Ic toggle
+command may be explicitly set or unset using
+the
+.Ic set
+and
+.Ic unset
+commands.
+.Bl -tag -width escape
+.It Ic ayt
+If
+.Tn TELNET
+is in localchars mode, or
+.Dv LINEMODE
+is enabled, and the status character is typed, a
+.Dv TELNET AYT
+sequence (see
+.Ic send ayt
+preceding) is sent to the
+remote host.  The initial value for the "Are You There"
+character is the terminal's status character.
+.It Ic echo
+This is the value (initially \*(Lq^E\*(Rq) which, when in
+\*(Lqline by line\*(Rq mode, toggles between doing local echoing
+of entered characters (for normal processing), and suppressing
+echoing of entered characters (for entering, say, a password).
+.It Ic eof
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, entering this character
+as the first character on a line will cause this character to be
+sent to the remote system.
+The initial value of the eof character is taken to be the terminal's
+.Ic eof
+character.
+.It Ic erase
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Sy and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EC
+sequence (see
+.Ic send
+.Ic ec
+above)
+is sent to the remote system.
+The initial value for the erase character is taken to be
+the terminal's
+.Ic erase
+character.
+.It Ic escape
+This is the
+.Nm telnet
+escape character (initially \*(Lq^[\*(Rq) which causes entry
+into
+.Nm telnet
+command mode (when connected to a remote system).
+.It Ic flushoutput
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic flushoutput
+character is typed, a
+.Dv TELNET AO
+sequence (see
+.Ic send
+.Ic ao
+above)
+is sent to the remote host.
+The initial value for the flush character is taken to be
+the terminal's
+.Ic flush
+character.
+.It Ic forw1
+.It Ic forw2
+If
+.Tn TELNET
+is operating in
+.Dv LINEMODE ,
+these are the
+characters that, when typed, cause partial lines to be
+forwarded to the remote system.  The initial value for
+the forwarding characters are taken from the terminal's
+eol and eol2 characters.
+.It Ic interrupt
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic interrupt
+character is typed, a
+.Dv TELNET IP
+sequence (see
+.Ic send
+.Ic ip
+above)
+is sent to the remote host.
+The initial value for the interrupt character is taken to be
+the terminal's
+.Ic intr
+character.
+.It Ic kill
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Ic and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EL
+sequence (see
+.Ic send
+.Ic el
+above)
+is sent to the remote system.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic kill
+character.
+.It Ic lnext
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic lnext
+character.
+The initial value for the lnext character is taken to be
+the terminal's
+.Ic lnext
+character.
+.It Ic quit
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic quit
+character is typed, a
+.Dv TELNET BRK
+sequence (see
+.Ic send
+.Ic brk
+above)
+is sent to the remote host.
+The initial value for the quit character is taken to be
+the terminal's
+.Ic quit
+character.
+.It Ic reprint
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic reprint
+character.
+The initial value for the reprint character is taken to be
+the terminal's
+.Ic reprint
+character.
+.It Ic rlogin
+This is the rlogin escape character.
+If set, the normal
+.Tn TELNET
+escape character is ignored unless it is
+preceded by this character at the beginning of a line.
+This character, at the beginning of a line followed by
+a "."  closes the connection; when followed by a ^Z it
+suspends the telnet command.  The initial state is to
+disable the rlogin escape character.
+.It Ic start
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic start
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic start
+character.
+.It Ic stop
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic stop
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic stop
+character.
+.It Ic susp
+If
+.Nm telnet
+is in
+.Ic localchars
+mode, or
+.Dv LINEMODE
+is enabled, and the
+.Ic suspend
+character is typed, a
+.Dv TELNET SUSP
+sequence (see
+.Ic send
+.Ic susp
+above)
+is sent to the remote host.
+The initial value for the suspend character is taken to be
+the terminal's
+.Ic suspend
+character.
+.It Ic tracefile
+This is the file to which the output, caused by
+.Ic netdata
+or
+.Ic option
+tracing being
+.Dv TRUE ,
+will be written.  If it is set to
+.Dq Fl ,
+then tracing information will be written to standard output (the default).
+.It Ic worderase
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic worderase
+character.
+The initial value for the worderase character is taken to be
+the terminal's
+.Ic worderase
+character.
+.It Ic ?\&
+Displays the legal
+.Ic set
+.Pq Ic unset
+commands.
+.El
+.It Ic slc Ar state 
+The
+.Ic slc
+command (Set Local Characters) is used to set
+or change the state of the the special
+characters when the 
+.Dv TELNET LINEMODE
+option has
+been enabled.  Special characters are characters that get
+mapped to 
+.Tn TELNET
+commands sequences (like
+.Ic ip
+or
+.Ic quit  )
+or line editing characters (like
+.Ic erase
+and
+.Ic kill  ) .
+By default, the local special characters are exported.
+.Bl -tag -width Fl
+.It Ic check
+Verify the current settings for the current special characters.
+The remote side is requested to send all the current special
+character settings, and if there are any discrepancies with
+the local side, the local side will switch to the remote value.
+.It Ic export
+Switch to the local defaults for the special characters.  The
+local default characters are those of the local terminal at
+the time when
+.Nm telnet
+was started.
+.It Ic import
+Switch to the remote defaults for the special characters.
+The remote default characters are those of the remote system
+at the time when the 
+.Tn TELNET
+connection was established.
+.It Ic ?\&
+Prints out help information for the
+.Ic slc
+command.
+.El
+.It Ic status
+Show the current status of
+.Nm telnet  .
+This includes the peer one is connected to, as well
+as the current mode.
+.It Ic toggle Ar arguments ... 
+Toggle (between
+.Dv TRUE
+and
+.Dv FALSE )
+various flags that control how
+.Nm telnet
+responds to events.
+These flags may be set explicitly to
+.Dv TRUE
+or
+.Dv FALSE
+using the
+.Ic set
+and
+.Ic unset
+commands listed above.
+More than one argument may be specified.
+The state of these flags may be interrogated with the
+.Ic display
+command.
+Valid arguments are:
+.Bl -tag -width Ar
+.It Ic authdebug
+Turns on debugging information for the authentication code.
+.It Ic autoflush
+If
+.Ic autoflush
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when the
+.Ic ao  ,
+or
+.Ic quit
+characters are recognized (and transformed into
+.Tn TELNET
+sequences; see
+.Ic set
+above for details),
+.Nm telnet
+refuses to display any data on the user's terminal
+until the remote system acknowledges (via a
+.Dv TELNET TIMING MARK
+option)
+that it has processed those
+.Tn TELNET
+sequences.
+The initial value for this toggle is
+.Dv TRUE
+if the terminal user had not
+done an "stty noflsh", otherwise
+.Dv FALSE
+(see
+.Xr stty  1  ) .
+.It Ic autodecrypt
+When the
+.Dv TELNET ENCRYPT
+option is negotiated, by
+default the actual encryption (decryption) of the data
+stream does not start automatically.  The autoencrypt
+(autodecrypt) command states that encryption of the
+output (input) stream should be enabled as soon as
+possible.
+.Pp
+Note:  Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside the United States and Canada.
+.It Ic autologin
+If the remote side supports the
+.Dv TELNET AUTHENTICATION
+option
+.Tn TELNET
+attempts to use it to perform automatic authentication.  If the
+.Dv AUTHENTICATION
+option is not supported, the user's login
+name are propagated through the
+.Dv TELNET ENVIRON
+option.
+This command is the same as specifying
+.Ar a
+option on the
+.Ic open
+command.
+.It Ic autosynch
+If
+.Ic autosynch
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when either the
+.Ic intr
+or
+.Ic quit
+characters is typed (see
+.Ic set
+above for descriptions of the
+.Ic intr
+and
+.Ic quit
+characters), the resulting
+.Tn TELNET
+sequence sent is followed by the
+.Dv TELNET SYNCH
+sequence.
+This procedure
+.Ic should
+cause the remote system to begin throwing away all previously
+typed input until both of the
+.Tn TELNET
+sequences have been read and acted upon.
+The initial value of this toggle is
+.Dv FALSE .
+.It Ic binary
+Enable or disable the
+.Dv TELNET BINARY
+option on both input and output.
+.It Ic inbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on input.
+.It Ic outbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on output.
+.It Ic crlf
+If this is
+.Dv TRUE ,
+then carriage returns will be sent as
+.Li <CR><LF> .
+If this is
+.Dv FALSE ,
+then carriage returns will be send as
+.Li <CR><NUL> .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic crmod
+Toggle carriage return mode.
+When this mode is enabled, most carriage return characters received from
+the remote host will be mapped into a carriage return followed by
+a line feed.
+This mode does not affect those characters typed by the user, only
+those received from the remote host.
+This mode is not very useful unless the remote host
+only sends carriage return, but never line feed.
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic debug
+Toggles socket level debugging (useful only to the
+.Ic super user  ) .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic encdebug
+Turns on debugging information for the encryption code.
+.It Ic localchars
+If this is
+.Dv TRUE ,
+then the
+.Ic flush  ,
+.Ic interrupt ,
+.Ic quit  ,
+.Ic erase ,
+and
+.Ic kill
+characters (see
+.Ic set
+above) are recognized locally, and transformed into (hopefully) appropriate
+.Tn TELNET
+control sequences
+(respectively
+.Ic ao  ,
+.Ic ip ,
+.Ic brk  ,
+.Ic ec ,
+and
+.Ic el  ;
+see
+.Ic send
+above).
+The initial value for this toggle is
+.Dv TRUE
+in \*(Lqold line by line\*(Rq mode,
+and
+.Dv FALSE
+in \*(Lqcharacter at a time\*(Rq mode.
+When the
+.Dv LINEMODE
+option is enabled, the value of
+.Ic localchars
+is ignored, and assumed to always be
+.Dv TRUE .
+If
+.Dv LINEMODE
+has ever been enabled, then
+.Ic quit
+is sent as
+.Ic abort  ,
+and
+.Ic eof
+and
+.Ic suspend
+are sent as
+.Ic eof
+and
+.Ic susp ,
+see
+.Ic send
+above).
+.It Ic netdata
+Toggles the display of all network data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic options
+Toggles the display of some internal
+.Nm telnet
+protocol processing (having to do with
+.Tn TELNET
+options).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic prettydump
+When the
+.Ic netdata
+toggle is enabled, if
+.Ic prettydump
+is enabled the output from the
+.Ic netdata
+command will be formatted in a more user readable format.
+Spaces are put between each character in the output, and the
+beginning of any
+.Tn TELNET
+escape sequence is preceded by a '*' to aid in locating them.
+.It Ic skiprc
+When the skiprc toggle is
+.Dv TRUE ,
+.Tn TELNET
+skips the reading of the
+.Pa \&.telnetrc
+file in the users home
+directory when connections are opened.  The initial
+value for this toggle is
+.Dv FALSE .
+.It Ic termdata
+Toggles the display of all terminal data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic verbose_encrypt
+When the
+.Ic verbose_encrypt
+toggle is
+.Dv TRUE ,
+.Tn TELNET
+prints out a message each time encryption is enabled or
+disabled.  The initial value for this toggle is
+.Dv FALSE .
+Note:  Because of export controls, data encryption
+is not supported outside of the United States and Canada.
+.It Ic \&?
+Displays the legal
+.Ic toggle
+commands.
+.El
+.It Ic z
+Suspend
+.Nm telnet  .
+This command only works when the user is using the
+.Xr csh  1  .
+.It Ic \&! Op Ar command 
+Execute a single command in a subshell on the local
+system.  If
+.Ic command
+is omitted, then an interactive
+subshell is invoked.
+.It Ic ?\& Op Ar command 
+Get help.  With no arguments,
+.Nm telnet
+prints a help summary.
+If a command is specified,
+.Nm telnet
+will print the help information for just that command.
+.El
+.Sh ENVIRONMENT
+.Nm Telnet
+uses at least the
+.Ev HOME ,
+.Ev SHELL ,
+.Ev DISPLAY ,
+and
+.Ev TERM
+environment variables.
+Other environment variables may be propagated
+to the other side via the
+.Dv TELNET ENVIRON
+option.
+.Sh FILES
+.Bl -tag -width ~/.telnetrc -compact
+.It Pa ~/.telnetrc
+user customized telnet startup values
+.El
+.Sh HISTORY
+The
+.Nm Telnet
+command appeared in
+.Bx 4.2 .
+.Sh NOTES
+.Pp
+On some remote systems, echo has to be turned off manually when in
+\*(Lqold line by line\*(Rq mode.
+.Pp
+In \*(Lqold line by line\*(Rq mode or 
+.Dv LINEMODE
+the terminal's
+.Ic eof
+character is only recognized (and sent to the remote system)
+when it is the first character on a line.
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.c b/crypto/heimdal/appl/telnet/telnet/telnet.c
new file mode 100644
index 0000000..e705a7b
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.c
@@ -0,0 +1,2327 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+#ifdef HAVE_TERMCAP_H
+#include <termcap.h>
+#endif
+
+RCSID("$Id: telnet.c,v 1.28 2000/11/08 17:32:43 joda Exp $");
+
+#define	strip(x) (eight ? (x) : ((x) & 0x7f))
+
+static unsigned char	subbuffer[SUBBUFSIZE],
+			*subpointer, *subend;	 /* buffer for sub-options */
+#define	SB_CLEAR()	subpointer = subbuffer;
+#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
+#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof subbuffer)) { \
+				*subpointer++ = (c); \
+			}
+
+#define	SB_GET()	((*subpointer++)&0xff)
+#define	SB_PEEK()	((*subpointer)&0xff)
+#define	SB_EOF()	(subpointer >= subend)
+#define	SB_LEN()	(subend - subpointer)
+
+char	options[256];		/* The combined options */
+char	do_dont_resp[256];
+char	will_wont_resp[256];
+
+int
+	eight = 3,
+	binary = 0,
+	autologin = 0,	/* Autologin anyone? */
+	skiprc = 0,
+	connected,
+	showoptions,
+	ISend,		/* trying to send network data in */
+	debug = 0,
+	crmod,
+	netdata,	/* Print out network data flow */
+	crlf,		/* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+	telnetport,
+	SYNCHing,	/* we are in TELNET SYNCH mode */
+	flushout,	/* flush output */
+	autoflush = 0,	/* flush output when interrupting? */
+	autosynch,	/* send interrupt characters with SYNCH? */
+	localflow,	/* we handle flow control locally */
+	restartany,	/* if flow control enabled, restart on any character */
+	localchars,	/* we recognize interrupt/quit */
+	donelclchars,	/* the user has set "localchars" */
+	donebinarytoggle,	/* the user has put us in binary */
+	dontlecho,	/* do we suppress local echoing right now? */
+	globalmode;
+
+char *prompt = 0;
+
+cc_t escape;
+cc_t rlogin;
+#ifdef	KLUDGELINEMODE
+cc_t echoc;
+#endif
+
+/*
+ * Telnet receiver states for fsm
+ */
+#define	TS_DATA		0
+#define	TS_IAC		1
+#define	TS_WILL		2
+#define	TS_WONT		3
+#define	TS_DO		4
+#define	TS_DONT		5
+#define	TS_CR		6
+#define	TS_SB		7		/* sub-option collection */
+#define	TS_SE		8		/* looking for sub-option end */
+
+static int	telrcv_state;
+#ifdef	OLD_ENVIRON
+unsigned char telopt_environ = TELOPT_NEW_ENVIRON;
+#else
+# define telopt_environ TELOPT_NEW_ENVIRON
+#endif
+
+jmp_buf	toplevel;
+jmp_buf	peerdied;
+
+int	flushline;
+int	linemode;
+
+#ifdef	KLUDGELINEMODE
+int	kludgelinemode = 1;
+#endif
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+Clocks clocks;
+
+static int is_unique(char *name, char **as, char **ae);
+
+
+/*
+ * Initialize telnet environment.
+ */
+
+void
+init_telnet(void)
+{
+    env_init();
+
+    SB_CLEAR();
+    memset(options, 0, sizeof options);
+
+    connected = ISend = localflow = donebinarytoggle = 0;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+    auth_encrypt_connect(connected);
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION)  */
+    restartany = -1;
+
+    SYNCHing = 0;
+
+    /* Don't change NetTrace */
+
+    escape = CONTROL(']');
+    rlogin = _POSIX_VDISABLE;
+#ifdef	KLUDGELINEMODE
+    echoc = CONTROL('E');
+#endif
+
+    flushline = 1;
+    telrcv_state = TS_DATA;
+}
+
+
+/*
+ * These routines are in charge of sending option negotiations
+ * to the other side.
+ *
+ * The basic idea is that we send the negotiation if either side
+ * is in disagreement as to what the current state should be.
+ */
+
+void
+send_do(int c, int init)
+{
+    if (init) {
+	if (((do_dont_resp[c] == 0) && my_state_is_do(c)) ||
+				my_want_state_is_do(c))
+	    return;
+	set_my_want_state_do(c);
+	do_dont_resp[c]++;
+    }
+    NET2ADD(IAC, DO);
+    NETADD(c);
+    printoption("SENT", DO, c);
+}
+
+void
+send_dont(int c, int init)
+{
+    if (init) {
+	if (((do_dont_resp[c] == 0) && my_state_is_dont(c)) ||
+				my_want_state_is_dont(c))
+	    return;
+	set_my_want_state_dont(c);
+	do_dont_resp[c]++;
+    }
+    NET2ADD(IAC, DONT);
+    NETADD(c);
+    printoption("SENT", DONT, c);
+}
+
+void
+send_will(int c, int init)
+{
+    if (init) {
+	if (((will_wont_resp[c] == 0) && my_state_is_will(c)) ||
+				my_want_state_is_will(c))
+	    return;
+	set_my_want_state_will(c);
+	will_wont_resp[c]++;
+    }
+    NET2ADD(IAC, WILL);
+    NETADD(c);
+    printoption("SENT", WILL, c);
+}
+
+void
+send_wont(int c, int init)
+{
+    if (init) {
+	if (((will_wont_resp[c] == 0) && my_state_is_wont(c)) ||
+				my_want_state_is_wont(c))
+	    return;
+	set_my_want_state_wont(c);
+	will_wont_resp[c]++;
+    }
+    NET2ADD(IAC, WONT);
+    NETADD(c);
+    printoption("SENT", WONT, c);
+}
+
+
+void
+willoption(int option)
+{
+	int new_state_ok = 0;
+
+	if (do_dont_resp[option]) {
+	    --do_dont_resp[option];
+	    if (do_dont_resp[option] && my_state_is_do(option))
+		--do_dont_resp[option];
+	}
+
+	if ((do_dont_resp[option] == 0) && my_want_state_is_dont(option)) {
+
+	    switch (option) {
+
+	    case TELOPT_ECHO:
+	    case TELOPT_BINARY:
+	    case TELOPT_SGA:
+		settimer(modenegotiated);
+		/* FALL THROUGH */
+	    case TELOPT_STATUS:
+#if	defined(AUTHENTICATION)
+	    case TELOPT_AUTHENTICATION:
+#endif
+#if	defined(ENCRYPTION)
+	    case TELOPT_ENCRYPT:
+#endif
+		new_state_ok = 1;
+		break;
+
+	    case TELOPT_TM:
+		if (flushout)
+		    flushout = 0;
+		/*
+		 * Special case for TM.  If we get back a WILL,
+		 * pretend we got back a WONT.
+		 */
+		set_my_want_state_dont(option);
+		set_my_state_dont(option);
+		return;			/* Never reply to TM will's/wont's */
+
+	    case TELOPT_LINEMODE:
+	    default:
+		break;
+	    }
+
+	    if (new_state_ok) {
+		set_my_want_state_do(option);
+		send_do(option, 0);
+		setconnmode(0);		/* possibly set new tty mode */
+	    } else {
+		do_dont_resp[option]++;
+		send_dont(option, 0);
+	    }
+	}
+	set_my_state_do(option);
+#if	defined(ENCRYPTION)
+	if (option == TELOPT_ENCRYPT)
+		encrypt_send_support();
+#endif
+}
+
+void
+wontoption(int option)
+{
+	if (do_dont_resp[option]) {
+	    --do_dont_resp[option];
+	    if (do_dont_resp[option] && my_state_is_dont(option))
+		--do_dont_resp[option];
+	}
+
+	if ((do_dont_resp[option] == 0) && my_want_state_is_do(option)) {
+
+	    switch (option) {
+
+#ifdef	KLUDGELINEMODE
+	    case TELOPT_SGA:
+		if (!kludgelinemode)
+		    break;
+		/* FALL THROUGH */
+#endif
+	    case TELOPT_ECHO:
+		settimer(modenegotiated);
+		break;
+
+	    case TELOPT_TM:
+		if (flushout)
+		    flushout = 0;
+		set_my_want_state_dont(option);
+		set_my_state_dont(option);
+		return;		/* Never reply to TM will's/wont's */
+
+#ifdef ENCRYPTION
+  	    case TELOPT_ENCRYPT:
+	      encrypt_not();
+	      break;
+#endif
+	    default:
+		break;
+	    }
+	    set_my_want_state_dont(option);
+	    if (my_state_is_do(option))
+		send_dont(option, 0);
+	    setconnmode(0);			/* Set new tty mode */
+	} else if (option == TELOPT_TM) {
+	    /*
+	     * Special case for TM.
+	     */
+	    if (flushout)
+		flushout = 0;
+	    set_my_want_state_dont(option);
+	}
+	set_my_state_dont(option);
+}
+
+static void
+dooption(int option)
+{
+	int new_state_ok = 0;
+
+	if (will_wont_resp[option]) {
+	    --will_wont_resp[option];
+	    if (will_wont_resp[option] && my_state_is_will(option))
+		--will_wont_resp[option];
+	}
+
+	if (will_wont_resp[option] == 0) {
+	  if (my_want_state_is_wont(option)) {
+
+	    switch (option) {
+
+	    case TELOPT_TM:
+		/*
+		 * Special case for TM.  We send a WILL, but pretend
+		 * we sent WONT.
+		 */
+		send_will(option, 0);
+		set_my_want_state_wont(TELOPT_TM);
+		set_my_state_wont(TELOPT_TM);
+		return;
+
+	    case TELOPT_BINARY:		/* binary mode */
+	    case TELOPT_NAWS:		/* window size */
+	    case TELOPT_TSPEED:		/* terminal speed */
+	    case TELOPT_LFLOW:		/* local flow control */
+	    case TELOPT_TTYPE:		/* terminal type option */
+	    case TELOPT_SGA:		/* no big deal */
+#if	defined(ENCRYPTION)
+	    case TELOPT_ENCRYPT:	/* encryption variable option */
+#endif
+		new_state_ok = 1;
+		break;
+
+	    case TELOPT_NEW_ENVIRON:	/* New environment variable option */
+#ifdef	OLD_ENVIRON
+		if (my_state_is_will(TELOPT_OLD_ENVIRON))
+			send_wont(TELOPT_OLD_ENVIRON, 1); /* turn off the old */
+		goto env_common;
+	    case TELOPT_OLD_ENVIRON:	/* Old environment variable option */
+		if (my_state_is_will(TELOPT_NEW_ENVIRON))
+			break;		/* Don't enable if new one is in use! */
+	    env_common:
+		telopt_environ = option;
+#endif
+		new_state_ok = 1;
+		break;
+
+#if	defined(AUTHENTICATION)
+	    case TELOPT_AUTHENTICATION:
+		if (autologin)
+			new_state_ok = 1;
+		break;
+#endif
+
+	    case TELOPT_XDISPLOC:	/* X Display location */
+		if (env_getvalue((unsigned char *)"DISPLAY"))
+		    new_state_ok = 1;
+		break;
+
+	    case TELOPT_LINEMODE:
+#ifdef	KLUDGELINEMODE
+		kludgelinemode = 0;
+		send_do(TELOPT_SGA, 1);
+#endif
+		set_my_want_state_will(TELOPT_LINEMODE);
+		send_will(option, 0);
+		set_my_state_will(TELOPT_LINEMODE);
+		slc_init();
+		return;
+
+	    case TELOPT_ECHO:		/* We're never going to echo... */
+	    default:
+		break;
+	    }
+
+	    if (new_state_ok) {
+		set_my_want_state_will(option);
+		send_will(option, 0);
+		setconnmode(0);			/* Set new tty mode */
+	    } else {
+		will_wont_resp[option]++;
+		send_wont(option, 0);
+	    }
+	  } else {
+	    /*
+	     * Handle options that need more things done after the
+	     * other side has acknowledged the option.
+	     */
+	    switch (option) {
+	    case TELOPT_LINEMODE:
+#ifdef	KLUDGELINEMODE
+		kludgelinemode = 0;
+		send_do(TELOPT_SGA, 1);
+#endif
+		set_my_state_will(option);
+		slc_init();
+		send_do(TELOPT_SGA, 0);
+		return;
+	    }
+	  }
+	}
+	set_my_state_will(option);
+}
+
+static void
+dontoption(int option)
+{
+
+	if (will_wont_resp[option]) {
+	    --will_wont_resp[option];
+	    if (will_wont_resp[option] && my_state_is_wont(option))
+		--will_wont_resp[option];
+	}
+
+	if ((will_wont_resp[option] == 0) && my_want_state_is_will(option)) {
+	    switch (option) {
+	    case TELOPT_LINEMODE:
+		linemode = 0;	/* put us back to the default state */
+		break;
+#ifdef	OLD_ENVIRON
+	    case TELOPT_NEW_ENVIRON:
+		/*
+		 * The new environ option wasn't recognized, try
+		 * the old one.
+		 */
+		send_will(TELOPT_OLD_ENVIRON, 1);
+		telopt_environ = TELOPT_OLD_ENVIRON;
+		break;
+#endif
+#if 0
+#ifdef ENCRYPTION
+	    case TELOPT_ENCRYPT:
+	      encrypt_not();
+	      break;
+#endif
+#endif
+	    }
+	    /* we always accept a DONT */
+	    set_my_want_state_wont(option);
+	    if (my_state_is_will(option))
+		send_wont(option, 0);
+	    setconnmode(0);			/* Set new tty mode */
+	}
+	set_my_state_wont(option);
+}
+
+/*
+ * Given a buffer returned by tgetent(), this routine will turn
+ * the pipe seperated list of names in the buffer into an array
+ * of pointers to null terminated names.  We toss out any bad,
+ * duplicate, or verbose names (names with spaces).
+ */
+
+static char *name_unknown = "UNKNOWN";
+static char *unknown[] = { 0, 0 };
+
+static char **
+mklist(char *buf, char *name)
+{
+	int n;
+	char c, *cp, **argvp, *cp2, **argv, **avt;
+
+	if (name) {
+		if ((int)strlen(name) > 40) {
+			name = 0;
+			unknown[0] = name_unknown;
+		} else {
+			unknown[0] = name;
+			strupr(name);
+		}
+	} else
+		unknown[0] = name_unknown;
+	/*
+	 * Count up the number of names.
+	 */
+	for (n = 1, cp = buf; *cp && *cp != ':'; cp++) {
+		if (*cp == '|')
+			n++;
+	}
+	/*
+	 * Allocate an array to put the name pointers into
+	 */
+	argv = (char **)malloc((n+3)*sizeof(char *));
+	if (argv == 0)
+		return(unknown);
+
+	/*
+	 * Fill up the array of pointers to names.
+	 */
+	*argv = 0;
+	argvp = argv+1;
+	n = 0;
+	for (cp = cp2 = buf; (c = *cp);  cp++) {
+		if (c == '|' || c == ':') {
+			*cp++ = '\0';
+			/*
+			 * Skip entries that have spaces or are over 40
+			 * characters long.  If this is our environment
+			 * name, then put it up front.  Otherwise, as
+			 * long as this is not a duplicate name (case
+			 * insensitive) add it to the list.
+			 */
+			if (n || (cp - cp2 > 41))
+				;
+			else if (name && (strncasecmp(name, cp2, cp-cp2) == 0))
+				*argv = cp2;
+			else if (is_unique(cp2, argv+1, argvp))
+				*argvp++ = cp2;
+			if (c == ':')
+				break;
+			/*
+			 * Skip multiple delimiters. Reset cp2 to
+			 * the beginning of the next name. Reset n,
+			 * the flag for names with spaces.
+			 */
+			while ((c = *cp) == '|')
+				cp++;
+			cp2 = cp;
+			n = 0;
+		}
+		/*
+		 * Skip entries with spaces or non-ascii values.
+		 * Convert lower case letters to upper case.
+		 */
+#define ISASCII(c) (!((c)&0x80))
+		if ((c == ' ') || !ISASCII(c))
+			n = 1;
+		else if (islower(c))
+			*cp = toupper(c);
+	}
+
+	/*
+	 * Check for an old V6 2 character name.  If the second
+	 * name points to the beginning of the buffer, and is
+	 * only 2 characters long, move it to the end of the array.
+	 */
+	if ((argv[1] == buf) && (strlen(argv[1]) == 2)) {
+		--argvp;
+		for (avt = &argv[1]; avt < argvp; avt++)
+			*avt = *(avt+1);
+		*argvp++ = buf;
+	}
+
+	/*
+	 * Duplicate last name, for TTYPE option, and null
+	 * terminate the array.  If we didn't find a match on
+	 * our terminal name, put that name at the beginning.
+	 */
+	cp = *(argvp-1);
+	*argvp++ = cp;
+	*argvp = 0;
+
+	if (*argv == 0) {
+		if (name)
+			*argv = name;
+		else {
+			--argvp;
+			for (avt = argv; avt < argvp; avt++)
+				*avt = *(avt+1);
+		}
+	}
+	if (*argv)
+		return(argv);
+	else
+		return(unknown);
+}
+
+static int
+is_unique(char *name, char **as, char **ae)
+{
+	char **ap;
+	int n;
+
+	n = strlen(name) + 1;
+	for (ap = as; ap < ae; ap++)
+		if (strncasecmp(*ap, name, n) == 0)
+			return(0);
+	return (1);
+}
+
+static char termbuf[1024];
+
+static int
+telnet_setupterm(const char *tname, int fd, int *errp)
+{
+#ifdef HAVE_TGETENT
+    if (tgetent(termbuf, tname) == 1) {
+	termbuf[1023] = '\0';
+	if (errp)
+	    *errp = 1;
+	return(0);
+    }
+    if (errp)
+	*errp = 0;
+    return(-1);
+#else
+    strlcpy(termbuf, tname, sizeof(termbuf));
+    if(errp) *errp = 1;
+    return 0;
+#endif
+}
+
+int resettermname = 1;
+
+static char *
+gettermname()
+{
+	char *tname;
+	static char **tnamep = 0;
+	static char **next;
+	int err;
+
+	if (resettermname) {
+		resettermname = 0;
+		if (tnamep && tnamep != unknown)
+			free(tnamep);
+		if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) &&
+				telnet_setupterm(tname, 1, &err) == 0) {
+			tnamep = mklist(termbuf, tname);
+		} else {
+			if (tname && ((int)strlen(tname) <= 40)) {
+				unknown[0] = tname;
+				strupr(tname);
+			} else
+				unknown[0] = name_unknown;
+			tnamep = unknown;
+		}
+		next = tnamep;
+	}
+	if (*next == 0)
+		next = tnamep;
+	return(*next++);
+}
+/*
+ * suboption()
+ *
+ *	Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *	Currently we recognize:
+ *
+ *		Terminal type, send request.
+ *		Terminal speed (send request).
+ *		Local flow control (is request).
+ *		Linemode
+ */
+
+static void
+suboption()
+{
+    unsigned char subchar;
+
+    printsub('<', subbuffer, SB_LEN()+2);
+    switch (subchar = SB_GET()) {
+    case TELOPT_TTYPE:
+	if (my_want_state_is_wont(TELOPT_TTYPE))
+	    return;
+	if (SB_EOF() || SB_GET() != TELQUAL_SEND) {
+	    return;
+	} else {
+	    char *name;
+	    unsigned char temp[50];
+	    int len;
+
+	    name = gettermname();
+	    len = strlen(name) + 4 + 2;
+	    if (len < NETROOM()) {
+		snprintf((char *)temp, sizeof(temp),
+			 "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+			 TELQUAL_IS, name, IAC, SE);
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', &temp[2], len-2);
+	    } else {
+		ExitString("No room in buffer for terminal type.\n", 1);
+		/*NOTREACHED*/
+	    }
+	}
+	break;
+    case TELOPT_TSPEED:
+	if (my_want_state_is_wont(TELOPT_TSPEED))
+	    return;
+	if (SB_EOF())
+	    return;
+	if (SB_GET() == TELQUAL_SEND) {
+	    long output_speed, input_speed;
+	    unsigned char temp[50];
+	    int len;
+
+	    TerminalSpeeds(&input_speed, &output_speed);
+
+	    snprintf((char *)temp, sizeof(temp),
+		     "%c%c%c%c%u,%u%c%c", IAC, SB, TELOPT_TSPEED,
+		     TELQUAL_IS,
+		     (unsigned)output_speed,
+		     (unsigned)input_speed, IAC, SE);
+	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
+
+	    if (len < NETROOM()) {
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', temp+2, len - 2);
+	    }
+/*@*/	    else printf("lm_will: not enough room in buffer\n");
+	}
+	break;
+    case TELOPT_LFLOW:
+	if (my_want_state_is_wont(TELOPT_LFLOW))
+	    return;
+	if (SB_EOF())
+	    return;
+	switch(SB_GET()) {
+	case LFLOW_RESTART_ANY:
+	    restartany = 1;
+	    break;
+	case LFLOW_RESTART_XON:
+	    restartany = 0;
+	    break;
+	case LFLOW_ON:
+	    localflow = 1;
+	    break;
+	case LFLOW_OFF:
+	    localflow = 0;
+	    break;
+	default:
+	    return;
+	}
+	setcommandmode();
+	setconnmode(0);
+	break;
+
+    case TELOPT_LINEMODE:
+	if (my_want_state_is_wont(TELOPT_LINEMODE))
+	    return;
+	if (SB_EOF())
+	    return;
+	switch (SB_GET()) {
+	case WILL:
+	    lm_will(subpointer, SB_LEN());
+	    break;
+	case WONT:
+	    lm_wont(subpointer, SB_LEN());
+	    break;
+	case DO:
+	    lm_do(subpointer, SB_LEN());
+	    break;
+	case DONT:
+	    lm_dont(subpointer, SB_LEN());
+	    break;
+	case LM_SLC:
+	    slc(subpointer, SB_LEN());
+	    break;
+	case LM_MODE:
+	    lm_mode(subpointer, SB_LEN(), 0);
+	    break;
+	default:
+	    break;
+	}
+	break;
+
+#ifdef	OLD_ENVIRON
+    case TELOPT_OLD_ENVIRON:
+#endif
+    case TELOPT_NEW_ENVIRON:
+	if (SB_EOF())
+	    return;
+	switch(SB_PEEK()) {
+	case TELQUAL_IS:
+	case TELQUAL_INFO:
+	    if (my_want_state_is_dont(subchar))
+		return;
+	    break;
+	case TELQUAL_SEND:
+	    if (my_want_state_is_wont(subchar)) {
+		return;
+	    }
+	    break;
+	default:
+	    return;
+	}
+	env_opt(subpointer, SB_LEN());
+	break;
+
+    case TELOPT_XDISPLOC:
+	if (my_want_state_is_wont(TELOPT_XDISPLOC))
+	    return;
+	if (SB_EOF())
+	    return;
+	if (SB_GET() == TELQUAL_SEND) {
+	    unsigned char temp[50], *dp;
+	    int len;
+
+	    if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) {
+		/*
+		 * Something happened, we no longer have a DISPLAY
+		 * variable.  So, turn off the option.
+		 */
+		send_wont(TELOPT_XDISPLOC, 1);
+		break;
+	    }
+	    snprintf((char *)temp, sizeof(temp),
+		     "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
+		     TELQUAL_IS, dp, IAC, SE);
+	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
+
+	    if (len < NETROOM()) {
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', temp+2, len - 2);
+	    }
+/*@*/	    else printf("lm_will: not enough room in buffer\n");
+	}
+	break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION: {
+		if (!autologin)
+			break;
+		if (SB_EOF())
+			return;
+		switch(SB_GET()) {
+		case TELQUAL_IS:
+			if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+				return;
+			auth_is(subpointer, SB_LEN());
+			break;
+		case TELQUAL_SEND:
+			if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+				return;
+			auth_send(subpointer, SB_LEN());
+			break;
+		case TELQUAL_REPLY:
+			if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+				return;
+			auth_reply(subpointer, SB_LEN());
+			break;
+		case TELQUAL_NAME:
+			if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+				return;
+			auth_name(subpointer, SB_LEN());
+			break;
+		}
+	}
+	break;
+#endif
+#if	defined(ENCRYPTION)
+	case TELOPT_ENCRYPT:
+		if (SB_EOF())
+			return;
+		switch(SB_GET()) {
+		case ENCRYPT_START:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_start(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_END:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_end();
+			break;
+		case ENCRYPT_SUPPORT:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_support(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REQSTART:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_request_start(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REQEND:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			/*
+			 * We can always send an REQEND so that we cannot
+			 * get stuck encrypting.  We should only get this
+			 * if we have been able to get in the correct mode
+			 * anyhow.
+			 */
+			encrypt_request_end();
+			break;
+		case ENCRYPT_IS:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_is(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REPLY:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_reply(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_ENC_KEYID:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_enc_keyid(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_DEC_KEYID:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_dec_keyid(subpointer, SB_LEN());
+			break;
+		default:
+			break;
+		}
+		break;
+#endif
+    default:
+	break;
+    }
+}
+
+static unsigned char str_lm[] = { IAC, SB, TELOPT_LINEMODE, 0, 0, IAC, SE };
+
+void
+lm_will(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_will: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:	/* We shouldn't ever get this... */
+    default:
+	str_lm[3] = DONT;
+	str_lm[4] = cmd[0];
+	if (NETROOM() > sizeof(str_lm)) {
+	    ring_supply_data(&netoring, str_lm, sizeof(str_lm));
+	    printsub('>', &str_lm[2], sizeof(str_lm)-2);
+	}
+/*@*/	else printf("lm_will: not enough room in buffer\n");
+	break;
+    }
+}
+
+void
+lm_wont(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_wont: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:	/* We shouldn't ever get this... */
+    default:
+	/* We are always DONT, so don't respond */
+	return;
+    }
+}
+
+void
+lm_do(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_do: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:
+    default:
+	str_lm[3] = WONT;
+	str_lm[4] = cmd[0];
+	if (NETROOM() > sizeof(str_lm)) {
+	    ring_supply_data(&netoring, str_lm, sizeof(str_lm));
+	    printsub('>', &str_lm[2], sizeof(str_lm)-2);
+	}
+/*@*/	else printf("lm_do: not enough room in buffer\n");
+	break;
+    }
+}
+
+void
+lm_dont(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_dont: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:
+    default:
+	/* we are always WONT, so don't respond */
+	break;
+    }
+}
+
+static unsigned char str_lm_mode[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_MODE, 0, IAC, SE
+};
+
+void
+lm_mode(unsigned char *cmd, int len, int init)
+{
+	if (len != 1)
+		return;
+	if ((linemode&MODE_MASK&~MODE_ACK) == *cmd)
+		return;
+	if (*cmd&MODE_ACK)
+		return;
+	linemode = *cmd&(MODE_MASK&~MODE_ACK);
+	str_lm_mode[4] = linemode;
+	if (!init)
+	    str_lm_mode[4] |= MODE_ACK;
+	if (NETROOM() > sizeof(str_lm_mode)) {
+	    ring_supply_data(&netoring, str_lm_mode, sizeof(str_lm_mode));
+	    printsub('>', &str_lm_mode[2], sizeof(str_lm_mode)-2);
+	}
+/*@*/	else printf("lm_mode: not enough room in buffer\n");
+	setconnmode(0);	/* set changed mode */
+}
+
+
+
+/*
+ * slc()
+ * Handle special character suboption of LINEMODE.
+ */
+
+struct spc {
+	cc_t val;
+	cc_t *valp;
+	char flags;	/* Current flags & level */
+	char mylevel;	/* Maximum level & flags */
+} spc_data[NSLC+1];
+
+#define SLC_IMPORT	0
+#define	SLC_EXPORT	1
+#define SLC_RVALUE	2
+static int slc_mode = SLC_EXPORT;
+
+void
+slc_init()
+{
+	struct spc *spcp;
+
+	localchars = 1;
+	for (spcp = spc_data; spcp < &spc_data[NSLC+1]; spcp++) {
+		spcp->val = 0;
+		spcp->valp = 0;
+		spcp->flags = spcp->mylevel = SLC_NOSUPPORT;
+	}
+
+#define	initfunc(func, flags) { \
+					spcp = &spc_data[func]; \
+					if ((spcp->valp = tcval(func))) { \
+					    spcp->val = *spcp->valp; \
+					    spcp->mylevel = SLC_VARIABLE|flags; \
+					} else { \
+					    spcp->val = 0; \
+					    spcp->mylevel = SLC_DEFAULT; \
+					} \
+				    }
+
+	initfunc(SLC_SYNCH, 0);
+	/* No BRK */
+	initfunc(SLC_AO, 0);
+	initfunc(SLC_AYT, 0);
+	/* No EOR */
+	initfunc(SLC_ABORT, SLC_FLUSHIN|SLC_FLUSHOUT);
+	initfunc(SLC_EOF, 0);
+	initfunc(SLC_SUSP, SLC_FLUSHIN);
+	initfunc(SLC_EC, 0);
+	initfunc(SLC_EL, 0);
+	initfunc(SLC_EW, 0);
+	initfunc(SLC_RP, 0);
+	initfunc(SLC_LNEXT, 0);
+	initfunc(SLC_XON, 0);
+	initfunc(SLC_XOFF, 0);
+	initfunc(SLC_FORW1, 0);
+	initfunc(SLC_FORW2, 0);
+	/* No FORW2 */
+
+	initfunc(SLC_IP, SLC_FLUSHIN|SLC_FLUSHOUT);
+#undef	initfunc
+
+	if (slc_mode == SLC_EXPORT)
+		slc_export();
+	else
+		slc_import(1);
+
+}
+
+void
+slcstate()
+{
+    printf("Special characters are %s values\n",
+		slc_mode == SLC_IMPORT ? "remote default" :
+		slc_mode == SLC_EXPORT ? "local" :
+					 "remote");
+}
+
+void
+slc_mode_export()
+{
+    slc_mode = SLC_EXPORT;
+    if (my_state_is_will(TELOPT_LINEMODE))
+	slc_export();
+}
+
+void
+slc_mode_import(int def)
+{
+    slc_mode = def ? SLC_IMPORT : SLC_RVALUE;
+    if (my_state_is_will(TELOPT_LINEMODE))
+	slc_import(def);
+}
+
+unsigned char slc_import_val[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_SLC, 0, SLC_VARIABLE, 0, IAC, SE
+};
+unsigned char slc_import_def[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_SLC, 0, SLC_DEFAULT, 0, IAC, SE
+};
+
+void
+slc_import(int def)
+{
+    if (NETROOM() > sizeof(slc_import_val)) {
+	if (def) {
+	    ring_supply_data(&netoring, slc_import_def, sizeof(slc_import_def));
+	    printsub('>', &slc_import_def[2], sizeof(slc_import_def)-2);
+	} else {
+	    ring_supply_data(&netoring, slc_import_val, sizeof(slc_import_val));
+	    printsub('>', &slc_import_val[2], sizeof(slc_import_val)-2);
+	}
+    }
+/*@*/ else printf("slc_import: not enough room\n");
+}
+
+void
+slc_export()
+{
+    struct spc *spcp;
+
+    TerminalDefaultChars();
+
+    slc_start_reply();
+    for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+	if (spcp->mylevel != SLC_NOSUPPORT) {
+	    if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+		spcp->flags = SLC_NOSUPPORT;
+	    else
+		spcp->flags = spcp->mylevel;
+	    if (spcp->valp)
+		spcp->val = *spcp->valp;
+	    slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+	}
+    }
+    slc_end_reply();
+    slc_update();
+    setconnmode(1);	/* Make sure the character values are set */
+}
+
+void
+slc(unsigned char *cp, int len)
+{
+	struct spc *spcp;
+	int func,level;
+
+	slc_start_reply();
+
+	for (; len >= 3; len -=3, cp +=3) {
+
+		func = cp[SLC_FUNC];
+
+		if (func == 0) {
+			/*
+			 * Client side: always ignore 0 function.
+			 */
+			continue;
+		}
+		if (func > NSLC) {
+			if ((cp[SLC_FLAGS] & SLC_LEVELBITS) != SLC_NOSUPPORT)
+				slc_add_reply(func, SLC_NOSUPPORT, 0);
+			continue;
+		}
+
+		spcp = &spc_data[func];
+
+		level = cp[SLC_FLAGS]&(SLC_LEVELBITS|SLC_ACK);
+
+		if ((cp[SLC_VALUE] == (unsigned char)spcp->val) &&
+		    ((level&SLC_LEVELBITS) == (spcp->flags&SLC_LEVELBITS))) {
+			continue;
+		}
+
+		if (level == (SLC_DEFAULT|SLC_ACK)) {
+			/*
+			 * This is an error condition, the SLC_ACK
+			 * bit should never be set for the SLC_DEFAULT
+			 * level.  Our best guess to recover is to
+			 * ignore the SLC_ACK bit.
+			 */
+			cp[SLC_FLAGS] &= ~SLC_ACK;
+		}
+
+		if (level == ((spcp->flags&SLC_LEVELBITS)|SLC_ACK)) {
+			spcp->val = (cc_t)cp[SLC_VALUE];
+			spcp->flags = cp[SLC_FLAGS];	/* include SLC_ACK */
+			continue;
+		}
+
+		level &= ~SLC_ACK;
+
+		if (level <= (spcp->mylevel&SLC_LEVELBITS)) {
+			spcp->flags = cp[SLC_FLAGS]|SLC_ACK;
+			spcp->val = (cc_t)cp[SLC_VALUE];
+		}
+		if (level == SLC_DEFAULT) {
+			if ((spcp->mylevel&SLC_LEVELBITS) != SLC_DEFAULT)
+				spcp->flags = spcp->mylevel;
+			else
+				spcp->flags = SLC_NOSUPPORT;
+		}
+		slc_add_reply(func, spcp->flags, spcp->val);
+	}
+	slc_end_reply();
+	if (slc_update())
+		setconnmode(1);	/* set the  new character values */
+}
+
+void
+slc_check()
+{
+    struct spc *spcp;
+
+    slc_start_reply();
+    for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+	if (spcp->valp && spcp->val != *spcp->valp) {
+	    spcp->val = *spcp->valp;
+	    if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+		spcp->flags = SLC_NOSUPPORT;
+	    else
+		spcp->flags = spcp->mylevel;
+	    slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+	}
+    }
+    slc_end_reply();
+    setconnmode(1);
+}
+
+
+unsigned char slc_reply[128];
+unsigned char *slc_replyp;
+
+void
+slc_start_reply()
+{
+	slc_replyp = slc_reply;
+	*slc_replyp++ = IAC;
+	*slc_replyp++ = SB;
+	*slc_replyp++ = TELOPT_LINEMODE;
+	*slc_replyp++ = LM_SLC;
+}
+
+void
+slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
+{
+	if ((*slc_replyp++ = func) == IAC)
+		*slc_replyp++ = IAC;
+	if ((*slc_replyp++ = flags) == IAC)
+		*slc_replyp++ = IAC;
+	if ((*slc_replyp++ = (unsigned char)value) == IAC)
+		*slc_replyp++ = IAC;
+}
+
+void
+slc_end_reply()
+{
+    int len;
+
+    *slc_replyp++ = IAC;
+    *slc_replyp++ = SE;
+    len = slc_replyp - slc_reply;
+    if (len <= 6)
+	return;
+    if (NETROOM() > len) {
+	ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+	printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+    }
+/*@*/else printf("slc_end_reply: not enough room\n");
+}
+
+int
+slc_update()
+{
+	struct spc *spcp;
+	int need_update = 0;
+
+	for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+		if (!(spcp->flags&SLC_ACK))
+			continue;
+		spcp->flags &= ~SLC_ACK;
+		if (spcp->valp && (*spcp->valp != spcp->val)) {
+			*spcp->valp = spcp->val;
+			need_update = 1;
+		}
+	}
+	return(need_update);
+}
+
+#ifdef	OLD_ENVIRON
+#  define old_env_var OLD_ENV_VAR
+#  define old_env_value OLD_ENV_VALUE
+#endif
+
+void
+env_opt(unsigned char *buf, int len)
+{
+	unsigned char *ep = 0, *epc = 0;
+	int i;
+
+	switch(buf[0]&0xff) {
+	case TELQUAL_SEND:
+		env_opt_start();
+		if (len == 1) {
+			env_opt_add(NULL);
+		} else for (i = 1; i < len; i++) {
+			switch (buf[i]&0xff) {
+#ifdef	OLD_ENVIRON
+			case OLD_ENV_VAR:
+			case OLD_ENV_VALUE:
+				/*
+				 * Although OLD_ENV_VALUE is not legal, we will
+				 * still recognize it, just in case it is an
+				 * old server that has VAR & VALUE mixed up...
+				 */
+				/* FALL THROUGH */
+#else
+			case NEW_ENV_VAR:
+#endif
+			case ENV_USERVAR:
+				if (ep) {
+					*epc = 0;
+					env_opt_add(ep);
+				}
+				ep = epc = &buf[i+1];
+				break;
+			case ENV_ESC:
+				i++;
+				/*FALL THROUGH*/
+			default:
+				if (epc)
+					*epc++ = buf[i];
+				break;
+			}
+		}
+		if (ep) {
+			*epc = 0;
+			env_opt_add(ep);
+		}
+		env_opt_end(1);
+		break;
+
+	case TELQUAL_IS:
+	case TELQUAL_INFO:
+		/* Ignore for now.  We shouldn't get it anyway. */
+		break;
+
+	default:
+		break;
+	}
+}
+
+#define	OPT_REPLY_SIZE	256
+unsigned char *opt_reply;
+unsigned char *opt_replyp;
+unsigned char *opt_replyend;
+
+void
+env_opt_start()
+{
+	if (opt_reply) {
+		void *tmp = realloc (opt_reply, OPT_REPLY_SIZE);
+		if (tmp != NULL) {
+			opt_reply = tmp;
+		} else {
+			free (opt_reply);
+			opt_reply = NULL;
+		}
+	} else
+		opt_reply = (unsigned char *)malloc(OPT_REPLY_SIZE);
+	if (opt_reply == NULL) {
+/*@*/		printf("env_opt_start: malloc()/realloc() failed!!!\n");
+		opt_reply = opt_replyp = opt_replyend = NULL;
+		return;
+	}
+	opt_replyp = opt_reply;
+	opt_replyend = opt_reply + OPT_REPLY_SIZE;
+	*opt_replyp++ = IAC;
+	*opt_replyp++ = SB;
+	*opt_replyp++ = telopt_environ;
+	*opt_replyp++ = TELQUAL_IS;
+}
+
+void
+env_opt_start_info()
+{
+	env_opt_start();
+	if (opt_replyp)
+	    opt_replyp[-1] = TELQUAL_INFO;
+}
+
+void
+env_opt_add(unsigned char *ep)
+{
+	unsigned char *vp, c;
+
+	if (opt_reply == NULL)		/*XXX*/
+		return;			/*XXX*/
+
+	if (ep == NULL || *ep == '\0') {
+		/* Send user defined variables first. */
+		env_default(1, 0);
+		while ((ep = env_default(0, 0)))
+			env_opt_add(ep);
+
+		/* Now add the list of well know variables.  */
+		env_default(1, 1);
+		while ((ep = env_default(0, 1)))
+			env_opt_add(ep);
+		return;
+	}
+	vp = env_getvalue(ep);
+	if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+				strlen((char *)ep) + 6 > opt_replyend)
+	{
+		int len;
+		void *tmp;
+		opt_replyend += OPT_REPLY_SIZE;
+		len = opt_replyend - opt_reply;
+		tmp = realloc(opt_reply, len);
+		if (tmp == NULL) {
+/*@*/			printf("env_opt_add: realloc() failed!!!\n");
+			opt_reply = opt_replyp = opt_replyend = NULL;
+			return;
+		}
+		opt_reply = tmp;
+		opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+		opt_replyend = opt_reply + len;
+	}
+	if (opt_welldefined((char *)ep)) {
+#ifdef	OLD_ENVIRON
+		if (telopt_environ == TELOPT_OLD_ENVIRON)
+			*opt_replyp++ = old_env_var;
+		else
+#endif
+			*opt_replyp++ = NEW_ENV_VAR;
+	} else
+		*opt_replyp++ = ENV_USERVAR;
+	for (;;) {
+		while ((c = *ep++)) {
+			switch(c&0xff) {
+			case IAC:
+				*opt_replyp++ = IAC;
+				break;
+			case NEW_ENV_VAR:
+			case NEW_ENV_VALUE:
+			case ENV_ESC:
+			case ENV_USERVAR:
+				*opt_replyp++ = ENV_ESC;
+				break;
+			}
+			*opt_replyp++ = c;
+		}
+		if ((ep = vp)) {
+#ifdef	OLD_ENVIRON
+			if (telopt_environ == TELOPT_OLD_ENVIRON)
+				*opt_replyp++ = old_env_value;
+			else
+#endif
+				*opt_replyp++ = NEW_ENV_VALUE;
+			vp = NULL;
+		} else
+			break;
+	}
+}
+
+int
+opt_welldefined(char *ep)
+{
+	if ((strcmp(ep, "USER") == 0) ||
+	    (strcmp(ep, "DISPLAY") == 0) ||
+	    (strcmp(ep, "PRINTER") == 0) ||
+	    (strcmp(ep, "SYSTEMTYPE") == 0) ||
+	    (strcmp(ep, "JOB") == 0) ||
+	    (strcmp(ep, "ACCT") == 0))
+		return(1);
+	return(0);
+}
+
+void
+env_opt_end(int emptyok)
+{
+	int len;
+
+	len = opt_replyp - opt_reply + 2;
+	if (emptyok || len > 6) {
+		*opt_replyp++ = IAC;
+		*opt_replyp++ = SE;
+		if (NETROOM() > len) {
+			ring_supply_data(&netoring, opt_reply, len);
+			printsub('>', &opt_reply[2], len - 2);
+		}
+/*@*/		else printf("slc_end_reply: not enough room\n");
+	}
+	if (opt_reply) {
+		free(opt_reply);
+		opt_reply = opt_replyp = opt_replyend = NULL;
+	}
+}
+
+
+
+int
+telrcv(void)
+{
+    int c;
+    int scc;
+    unsigned char *sbp = NULL;
+    int count;
+    int returnValue = 0;
+
+    scc = 0;
+    count = 0;
+    while (TTYROOM() > 2) {
+	if (scc == 0) {
+	    if (count) {
+		ring_consumed(&netiring, count);
+		returnValue = 1;
+		count = 0;
+	    }
+	    sbp = netiring.consume;
+	    scc = ring_full_consecutive(&netiring);
+	    if (scc == 0) {
+		/* No more data coming in */
+		break;
+	    }
+	}
+
+	c = *sbp++ & 0xff, scc--; count++;
+#if	defined(ENCRYPTION)
+	if (decrypt_input)
+		c = (*decrypt_input)(c);
+#endif
+
+	switch (telrcv_state) {
+
+	case TS_CR:
+	    telrcv_state = TS_DATA;
+	    if (c == '\0') {
+		break;	/* Ignore \0 after CR */
+	    }
+	    else if ((c == '\n') && my_want_state_is_dont(TELOPT_ECHO) && !crmod) {
+		TTYADD(c);
+		break;
+	    }
+	    /* Else, fall through */
+
+	case TS_DATA:
+	    if (c == IAC) {
+		telrcv_state = TS_IAC;
+		break;
+	    }
+		    /* 
+		     * The 'crmod' hack (see following) is needed
+		     * since we can't set CRMOD on output only.
+		     * Machines like MULTICS like to send \r without
+		     * \n; since we must turn off CRMOD to get proper
+		     * input, the mapping is done here (sigh).
+		     */
+	    if ((c == '\r') && my_want_state_is_dont(TELOPT_BINARY)) {
+		if (scc > 0) {
+		    c = *sbp&0xff;
+#if	defined(ENCRYPTION)
+		    if (decrypt_input)
+			c = (*decrypt_input)(c);
+#endif
+		    if (c == 0) {
+			sbp++, scc--; count++;
+			/* a "true" CR */
+			TTYADD('\r');
+		    } else if (my_want_state_is_dont(TELOPT_ECHO) &&
+					(c == '\n')) {
+			sbp++, scc--; count++;
+			TTYADD('\n');
+		    } else {
+#if	defined(ENCRYPTION)
+		        if (decrypt_input)
+			    (*decrypt_input)(-1);
+#endif
+
+			TTYADD('\r');
+			if (crmod) {
+				TTYADD('\n');
+			}
+		    }
+		} else {
+		    telrcv_state = TS_CR;
+		    TTYADD('\r');
+		    if (crmod) {
+			    TTYADD('\n');
+		    }
+		}
+	    } else {
+		TTYADD(c);
+	    }
+	    continue;
+
+	case TS_IAC:
+process_iac:
+	    switch (c) {
+
+	    case WILL:
+		telrcv_state = TS_WILL;
+		continue;
+
+	    case WONT:
+		telrcv_state = TS_WONT;
+		continue;
+
+	    case DO:
+		telrcv_state = TS_DO;
+		continue;
+
+	    case DONT:
+		telrcv_state = TS_DONT;
+		continue;
+
+	    case DM:
+		    /*
+		     * We may have missed an urgent notification,
+		     * so make sure we flush whatever is in the
+		     * buffer currently.
+		     */
+		printoption("RCVD", IAC, DM);
+		SYNCHing = 1;
+		ttyflush(1);
+		SYNCHing = stilloob();
+		settimer(gotDM);
+		break;
+
+	    case SB:
+		SB_CLEAR();
+		telrcv_state = TS_SB;
+		continue;
+
+
+	    case IAC:
+		TTYADD(IAC);
+		break;
+
+	    case NOP:
+	    case GA:
+	    default:
+		printoption("RCVD", IAC, c);
+		break;
+	    }
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_WILL:
+	    printoption("RCVD", WILL, c);
+	    willoption(c);
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_WONT:
+	    printoption("RCVD", WONT, c);
+	    wontoption(c);
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_DO:
+	    printoption("RCVD", DO, c);
+	    dooption(c);
+	    if (c == TELOPT_NAWS) {
+		sendnaws();
+	    } else if (c == TELOPT_LFLOW) {
+		localflow = 1;
+		setcommandmode();
+		setconnmode(0);
+	    }
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_DONT:
+	    printoption("RCVD", DONT, c);
+	    dontoption(c);
+	    flushline = 1;
+	    setconnmode(0);	/* set new tty mode (maybe) */
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_SB:
+	    if (c == IAC) {
+		telrcv_state = TS_SE;
+	    } else {
+		SB_ACCUM(c);
+	    }
+	    continue;
+
+	case TS_SE:
+	    if (c != SE) {
+		if (c != IAC) {
+		    /*
+		     * This is an error.  We only expect to get
+		     * "IAC IAC" or "IAC SE".  Several things may
+		     * have happend.  An IAC was not doubled, the
+		     * IAC SE was left off, or another option got
+		     * inserted into the suboption are all possibilities.
+		     * If we assume that the IAC was not doubled,
+		     * and really the IAC SE was left off, we could
+		     * get into an infinate loop here.  So, instead,
+		     * we terminate the suboption, and process the
+		     * partial suboption if we can.
+		     */
+		    SB_ACCUM(IAC);
+		    SB_ACCUM(c);
+		    subpointer -= 2;
+		    SB_TERM();
+
+		    printoption("In SUBOPTION processing, RCVD", IAC, c);
+		    suboption();	/* handle sub-option */
+		    telrcv_state = TS_IAC;
+		    goto process_iac;
+		}
+		SB_ACCUM(c);
+		telrcv_state = TS_SB;
+	    } else {
+		SB_ACCUM(IAC);
+		SB_ACCUM(SE);
+		subpointer -= 2;
+		SB_TERM();
+		suboption();	/* handle sub-option */
+		telrcv_state = TS_DATA;
+	    }
+	}
+    }
+    if (count)
+	ring_consumed(&netiring, count);
+    return returnValue||count;
+}
+
+static int bol = 1, local = 0;
+
+int
+rlogin_susp(void)
+{
+    if (local) {
+	local = 0;
+	bol = 1;
+	command(0, "z\n", 2);
+	return(1);
+    }
+    return(0);
+}
+
+static int
+telsnd()
+{
+    int tcc;
+    int count;
+    int returnValue = 0;
+    unsigned char *tbp = NULL;
+
+    tcc = 0;
+    count = 0;
+    while (NETROOM() > 2) {
+	int sc;
+	int c;
+
+	if (tcc == 0) {
+	    if (count) {
+		ring_consumed(&ttyiring, count);
+		returnValue = 1;
+		count = 0;
+	    }
+	    tbp = ttyiring.consume;
+	    tcc = ring_full_consecutive(&ttyiring);
+	    if (tcc == 0) {
+		break;
+	    }
+	}
+	c = *tbp++ & 0xff, sc = strip(c), tcc--; count++;
+	if (rlogin != _POSIX_VDISABLE) {
+		if (bol) {
+			bol = 0;
+			if (sc == rlogin) {
+				local = 1;
+				continue;
+			}
+		} else if (local) {
+			local = 0;
+			if (sc == '.' || c == termEofChar) {
+				bol = 1;
+				command(0, "close\n", 6);
+				continue;
+			}
+			if (sc == termSuspChar) {
+				bol = 1;
+				command(0, "z\n", 2);
+				continue;
+			}
+			if (sc == escape) {
+				command(0, (char *)tbp, tcc);
+				bol = 1;
+				count += tcc;
+				tcc = 0;
+				flushline = 1;
+				break;
+			}
+			if (sc != rlogin) {
+				++tcc;
+				--tbp;
+				--count;
+				c = sc = rlogin;
+			}
+		}
+		if ((sc == '\n') || (sc == '\r'))
+			bol = 1;
+	} else if (sc == escape) {
+	    /*
+	     * Double escape is a pass through of a single escape character.
+	     */
+	    if (tcc && strip(*tbp) == escape) {
+		tbp++;
+		tcc--;
+		count++;
+		bol = 0;
+	    } else {
+		command(0, (char *)tbp, tcc);
+		bol = 1;
+		count += tcc;
+		tcc = 0;
+		flushline = 1;
+		break;
+	    }
+	} else
+	    bol = 0;
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode && (globalmode&MODE_EDIT) && (sc == echoc)) {
+	    if (tcc > 0 && strip(*tbp) == echoc) {
+		tcc--; tbp++; count++;
+	    } else {
+		dontlecho = !dontlecho;
+		settimer(echotoggle);
+		setconnmode(0);
+		flushline = 1;
+		break;
+	    }
+	}
+#endif
+	if (MODE_LOCAL_CHARS(globalmode)) {
+	    if (TerminalSpecialChars(sc) == 0) {
+		bol = 1;
+		break;
+	    }
+	}
+	if (my_want_state_is_wont(TELOPT_BINARY)) {
+	    switch (c) {
+	    case '\n':
+		    /*
+		     * If we are in CRMOD mode (\r ==> \n)
+		     * on our local machine, then probably
+		     * a newline (unix) is CRLF (TELNET).
+		     */
+		if (MODE_LOCAL_CHARS(globalmode)) {
+		    NETADD('\r');
+		}
+		NETADD('\n');
+		bol = flushline = 1;
+		break;
+	    case '\r':
+		if (!crlf) {
+		    NET2ADD('\r', '\0');
+		} else {
+		    NET2ADD('\r', '\n');
+		}
+		bol = flushline = 1;
+		break;
+	    case IAC:
+		NET2ADD(IAC, IAC);
+		break;
+	    default:
+		NETADD(c);
+		break;
+	    }
+	} else if (c == IAC) {
+	    NET2ADD(IAC, IAC);
+	} else {
+	    NETADD(c);
+	}
+    }
+    if (count)
+	ring_consumed(&ttyiring, count);
+    return returnValue||count;		/* Non-zero if we did anything */
+}
+
+/*
+ * Scheduler()
+ *
+ * Try to do something.
+ *
+ * If we do something useful, return 1; else return 0.
+ *
+ */
+
+
+static int
+Scheduler(int block) /* should we block in the select ? */
+{
+		/* One wants to be a bit careful about setting returnValue
+		 * to one, since a one implies we did some useful work,
+		 * and therefore probably won't be called to block next
+		 * time (TN3270 mode only).
+		 */
+    int returnValue;
+    int netin, netout, netex, ttyin, ttyout;
+
+    /* Decide which rings should be processed */
+
+    netout = ring_full_count(&netoring) &&
+	    (flushline ||
+		(my_want_state_is_wont(TELOPT_LINEMODE)
+#ifdef	KLUDGELINEMODE
+			&& (!kludgelinemode || my_want_state_is_do(TELOPT_SGA))
+#endif
+		) ||
+			my_want_state_is_will(TELOPT_BINARY));
+    ttyout = ring_full_count(&ttyoring);
+
+    ttyin = ring_empty_count(&ttyiring);
+
+    netin = !ISend && ring_empty_count(&netiring);
+
+    netex = !SYNCHing;
+
+    /* If we have seen a signal recently, reset things */
+
+    /* Call to system code to process rings */
+
+    returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block);
+
+    /* Now, look at the input rings, looking for work to do. */
+
+    if (ring_full_count(&ttyiring)) {
+	    returnValue |= telsnd();
+    }
+
+    if (ring_full_count(&netiring)) {
+	returnValue |= telrcv();
+    }
+    return returnValue;
+}
+
+/*
+ * Select from tty and network...
+ */
+void
+my_telnet(char *user)
+{
+    sys_telnet_init();
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+    {
+	static char local_host[256] = { 0 };
+
+	if (!local_host[0]) {
+		/* XXX - should be k_gethostname? */
+		gethostname(local_host, sizeof(local_host));
+		local_host[sizeof(local_host)-1] = 0;
+	}
+	auth_encrypt_init(local_host, hostname, "TELNET", 0);
+	auth_encrypt_user(user);
+    }
+#endif
+    if (telnetport) {
+#if	defined(AUTHENTICATION)
+	if (autologin)
+		send_will(TELOPT_AUTHENTICATION, 1);
+#endif
+#if	defined(ENCRYPTION)
+	send_do(TELOPT_ENCRYPT, 1);
+	send_will(TELOPT_ENCRYPT, 1);
+#endif
+	send_do(TELOPT_SGA, 1);
+	send_will(TELOPT_TTYPE, 1);
+	send_will(TELOPT_NAWS, 1);
+	send_will(TELOPT_TSPEED, 1);
+	send_will(TELOPT_LFLOW, 1);
+	send_will(TELOPT_LINEMODE, 1);
+	send_will(TELOPT_NEW_ENVIRON, 1);
+	send_do(TELOPT_STATUS, 1);
+	if (env_getvalue((unsigned char *)"DISPLAY"))
+	    send_will(TELOPT_XDISPLOC, 1);
+	if (binary)
+	    tel_enter_binary(binary);
+    }
+
+    for (;;) {
+	int schedValue;
+
+	while ((schedValue = Scheduler(0)) != 0) {
+	    if (schedValue == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+
+	if (Scheduler(1) == -1) {
+	    setcommandmode();
+	    return;
+	}
+    }
+}
+
+/*
+ * netclear()
+ *
+ *	We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *	Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *	A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+
+static void
+netclear()
+{
+#if	0	/* XXX */
+    char *thisitem, *next;
+    char *good;
+#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+    thisitem = netobuf;
+
+    while ((next = nextitem(thisitem)) <= netobuf.send) {
+	thisitem = next;
+    }
+
+    /* Now, thisitem is first before/at boundary. */
+
+    good = netobuf;	/* where the good bytes go */
+
+    while (netoring.add > thisitem) {
+	if (wewant(thisitem)) {
+	    int length;
+
+	    next = thisitem;
+	    do {
+		next = nextitem(next);
+	    } while (wewant(next) && (nfrontp > next));
+	    length = next-thisitem;
+	    memmove(good, thisitem, length);
+	    good += length;
+	    thisitem = next;
+	} else {
+	    thisitem = nextitem(thisitem);
+	}
+    }
+
+#endif	/* 0 */
+}
+
+/*
+ * These routines add various telnet commands to the data stream.
+ */
+
+static void
+doflush()
+{
+    NET2ADD(IAC, DO);
+    NETADD(TELOPT_TM);
+    flushline = 1;
+    flushout = 1;
+    ttyflush(1);			/* Flush/drop output */
+    /* do printoption AFTER flush, otherwise the output gets tossed... */
+    printoption("SENT", DO, TELOPT_TM);
+}
+
+void
+xmitAO(void)
+{
+    NET2ADD(IAC, AO);
+    printoption("SENT", IAC, AO);
+    if (autoflush) {
+	doflush();
+    }
+}
+
+
+void
+xmitEL(void)
+{
+    NET2ADD(IAC, EL);
+    printoption("SENT", IAC, EL);
+}
+
+void
+xmitEC(void)
+{
+    NET2ADD(IAC, EC);
+    printoption("SENT", IAC, EC);
+}
+
+
+int
+dosynch()
+{
+    netclear();			/* clear the path to the network */
+    NETADD(IAC);
+    setneturg();
+    NETADD(DM);
+    printoption("SENT", IAC, DM);
+    return 1;
+}
+
+int want_status_response = 0;
+
+int
+get_status()
+{
+    unsigned char tmp[16];
+    unsigned char *cp;
+
+    if (my_want_state_is_dont(TELOPT_STATUS)) {
+	printf("Remote side does not support STATUS option\n");
+	return 0;
+    }
+    cp = tmp;
+
+    *cp++ = IAC;
+    *cp++ = SB;
+    *cp++ = TELOPT_STATUS;
+    *cp++ = TELQUAL_SEND;
+    *cp++ = IAC;
+    *cp++ = SE;
+    if (NETROOM() >= cp - tmp) {
+	ring_supply_data(&netoring, tmp, cp-tmp);
+	printsub('>', tmp+2, cp - tmp - 2);
+    }
+    ++want_status_response;
+    return 1;
+}
+
+void
+intp(void)
+{
+    NET2ADD(IAC, IP);
+    printoption("SENT", IAC, IP);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendbrk(void)
+{
+    NET2ADD(IAC, BREAK);
+    printoption("SENT", IAC, BREAK);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendabort(void)
+{
+    NET2ADD(IAC, ABORT);
+    printoption("SENT", IAC, ABORT);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendsusp(void)
+{
+    NET2ADD(IAC, SUSP);
+    printoption("SENT", IAC, SUSP);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendeof(void)
+{
+    NET2ADD(IAC, xEOF);
+    printoption("SENT", IAC, xEOF);
+}
+
+void
+sendayt(void)
+{
+    NET2ADD(IAC, AYT);
+    printoption("SENT", IAC, AYT);
+}
+
+/*
+ * Send a window size update to the remote system.
+ */
+
+void
+sendnaws()
+{
+    long rows, cols;
+    unsigned char tmp[16];
+    unsigned char *cp;
+
+    if (my_state_is_wont(TELOPT_NAWS))
+	return;
+
+#define	PUTSHORT(cp, x) { if ((*cp++ = ((x)>>8)&0xff) == IAC) *cp++ = IAC; \
+			    if ((*cp++ = ((x))&0xff) == IAC) *cp++ = IAC; }
+
+    if (TerminalWindowSize(&rows, &cols) == 0) {	/* Failed */
+	return;
+    }
+
+    cp = tmp;
+
+    *cp++ = IAC;
+    *cp++ = SB;
+    *cp++ = TELOPT_NAWS;
+    PUTSHORT(cp, cols);
+    PUTSHORT(cp, rows);
+    *cp++ = IAC;
+    *cp++ = SE;
+    if (NETROOM() >= cp - tmp) {
+	ring_supply_data(&netoring, tmp, cp-tmp);
+	printsub('>', tmp+2, cp - tmp - 2);
+    }
+}
+
+void
+tel_enter_binary(int rw)
+{
+    if (rw&1)
+	send_do(TELOPT_BINARY, 1);
+    if (rw&2)
+	send_will(TELOPT_BINARY, 1);
+}
+
+void
+tel_leave_binary(int rw)
+{
+    if (rw&1)
+	send_dont(TELOPT_BINARY, 1);
+    if (rw&2)
+	send_wont(TELOPT_BINARY, 1);
+}
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.cat1 b/crypto/heimdal/appl/telnet/telnet/telnet.cat1
new file mode 100644
index 0000000..708994e
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.cat1
@@ -0,0 +1,718 @@
+
+TELNET(1)                    UNIX Reference Manual                   TELNET(1)
+
+NNAAMMEE
+     tteellnneett - user interface to the TELNET protocol
+
+SSYYNNOOPPSSIISS
+     tteellnneett [--7788EEFFKKLLaaccddffrrxx] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--ee _e_s_c_a_p_e_c_h_a_r] [--kk _r_e_a_l_m]
+            [--ll _u_s_e_r] [--nn _t_r_a_c_e_f_i_l_e] [_h_o_s_t [port]]
+
+DDEESSCCRRIIPPTTIIOONN
+     The tteellnneett command is used to communicate with another host using the
+     TELNET protocol.  If tteellnneett is invoked without the _h_o_s_t argument, it en-
+     ters command mode, indicated by its prompt (tteellnneett>>). In this mode, it
+     accepts and executes the commands listed below.  If it is invoked with
+     arguments, it performs an ooppeenn command with those arguments.
+
+     Options:
+
+     --88      Specifies an 8-bit data path.  This causes an attempt to negoti-
+             ate the TELNET BINARY option on both input and output.
+
+     --77      Do not try to negotiate TELNET BINARY option.
+
+     --EE      Stops any character from being recognized as an escape character.
+
+     --FF      If Kerberos V5 authentication is being used, the --FF option allows
+             the local credentials to be forwarded to the remote system, in-
+             cluding any credentials that have already been forwarded into the
+             local environment.
+
+     --KK      Specifies no automatic login to the remote system.
+
+     --LL      Specifies an 8-bit data path on output.  This causes the BINARY
+             option to be negotiated on output.
+
+     --SS _t_o_s  Sets the IP type-of-service (TOS) option for the telnet connec-
+             tion to the value _t_o_s, which can be a numeric TOS value or, on
+             systems that support it, a symbolic TOS name found in the
+             /etc/iptos file.
+
+     --XX _a_t_y_p_e
+             Disables the _a_t_y_p_e type of authentication.
+
+     --aa      Attempt automatic login.  Currently, this sends the user name via
+             the USER variable of the ENVIRON option if supported by the re-
+             mote system.  The name used is that of the current user as re-
+             turned by getlogin(2) if it agrees with the current user ID, oth-
+             erwise it is the name associated with the user ID.
+
+     --cc      Disables the reading of the user's _._t_e_l_n_e_t_r_c file.  (See the
+             ttooggggllee sskkiipprrcc command on this man page.)
+
+     --dd      Sets the initial value of the ddeebbuugg toggle to TRUE
+
+     --ee _e_s_c_a_p_e _c_h_a_r
+             Sets the initial tteellnneett tteellnneett escape character to _e_s_c_a_p_e _c_h_a_r.
+             If _e_s_c_a_p_e _c_h_a_r is omitted, then there will be no escape charac-
+             ter.
+
+     --ff      If Kerberos V5 authentication is being used, the --ff option allows
+             the local credentials to be forwarded to the remote system.
+
+     --kk _r_e_a_l_m
+             If Kerberos authentication is being used, the --kk option requests
+             that telnet obtain tickets for the remote host in realm realm in-
+             stead of the remote host's realm, as determined by
+             krb_realmofhost(3).
+
+     --ll _u_s_e_r
+             When connecting to the remote system, if the remote system under-
+             stands the ENVIRON option, then _u_s_e_r will be sent to the remote
+             system as the value for the variable USER.  This option implies
+             the --aa option.  This option may also be used with the ooppeenn com-
+             mand.
+
+     --nn _t_r_a_c_e_f_i_l_e
+             Opens _t_r_a_c_e_f_i_l_e for recording trace information.  See the sseett
+             ttrraacceeffiillee command below.
+
+     --rr      Specifies a user interface similar to rlogin(1).  In this mode,
+             the escape character is set to the tilde (~) character, unless
+             modified by the -e option.
+
+     --xx      Turns on encryption of the data stream if possible. This is cur-
+             rently the default and when it fails a warning is issued.
+
+     _h_o_s_t    Indicates the official name, an alias, or the Internet address of
+             a remote host.
+
+     _p_o_r_t    Indicates a port number (address of an application).  If a number
+             is not specified, the default tteellnneett port is used.
+
+     When in rlogin mode, a line of the form ~.  disconnects from the remote
+     host; ~ is the telnet escape character.  Similarly, the line ~^Z suspends
+     the telnet session.  The line ~^] escapes to the normal telnet escape
+     prompt.
+
+     Once a connection has been opened, tteellnneett will attempt to enable the
+     TELNET LINEMODE option.  If this fails, then tteellnneett will revert to one of
+     two input modes: either ``character at a time'' or ``old line by line''
+     depending on what the remote system supports.
+
+     When LINEMODE is enabled, character processing is done on the local sys-
+     tem, under the control of the remote system.  When input editing or char-
+     acter echoing is to be disabled, the remote system will relay that infor-
+     mation.  The remote system will also relay changes to any special charac-
+     ters that happen on the remote system, so that they can take effect on
+     the local system.
+
+     In ``character at a time'' mode, most text typed is immediately sent to
+     the remote host for processing.
+
+     In ``old line by line'' mode, all text is echoed locally, and (normally)
+     only completed lines are sent to the remote host.  The ``local echo char-
+     acter'' (initially ``^E'') may be used to turn off and on the local echo
+     (this would mostly be used to enter passwords without the password being
+     echoed).
+
+     If the LINEMODE option is enabled, or if the llooccaallcchhaarrss toggle is TRUE
+     (the default for ``old line by line``; see below), the user's qquuiitt, iinnttrr,
+     and fflluusshh characters are trapped locally, and sent as TELNET protocol se-
+     quences to the remote side.  If LINEMODE has ever been enabled, then the
+     user's ssuusspp and eeooff are also sent as TELNET protocol sequences, and qquuiitt
+     is sent as a TELNET ABORT instead of BREAK There are options (see ttooggggllee
+     aauuttoofflluusshh and ttooggggllee aauuttoossyynncchh below) which cause this action to flush
+     subsequent output to the terminal (until the remote host acknowledges the
+     TELNET sequence) and flush previous terminal input (in the case of qquuiitt
+     and iinnttrr).
+
+
+     While connected to a remote host, tteellnneett command mode may be entered by
+     typing the tteellnneett ``escape character'' (initially ``^]'').  When in com-
+     mand mode, the normal terminal editing conventions are available.
+
+     The following tteellnneett commands are available.  Only enough of each command
+     to uniquely identify it need be typed (this is also true for arguments to
+     the mmooddee, sseett, ttooggggllee, uunnsseett, ssllcc, eennvviirroonn, and ddiissppllaayy commands).
+
+     aauutthh _a_r_g_u_m_e_n_t _._._.
+                The auth command manipulates the information sent through the
+                TELNET AUTHENTICATE option.  Valid arguments for the auth com-
+                mand are as follows:
+
+                ddiissaabbllee _t_y_p_e  Disables the specified type of authentication.
+                              To obtain a list of available types, use the
+                              aauutthh ddiissaabbllee ?? command.
+
+                eennaabbllee _t_y_p_e   Enables the specified type of authentication.
+                              To obtain a list of available types, use the
+                              aauutthh eennaabbllee ?? command.
+
+                ssttaattuuss        Lists the current status of the various types of
+                              authentication.
+
+     cclloossee      Close a TELNET session and return to command mode.
+
+     ddiissppllaayy _a_r_g_u_m_e_n_t _._._.
+                Displays all, or some, of the sseett and ttooggggllee values (see be-
+                low).
+
+     eennccrryypptt _a_r_g_u_m_e_n_t _._._.
+                The encrypt command manipulates the information sent through
+                the TELNET ENCRYPT option.
+
+                Note:  Because of export controls, the TELNET ENCRYPT option
+                is not supported outside of the United States and Canada.
+
+                Valid arguments for the encrypt command are as follows:
+
+                ddiissaabbllee _t_y_p_e [iinnppuutt | oouuttppuutt]
+                              Disables the specified type of encryption.  If
+                              you omit the input and output, both input and
+                              output are disabled.  To obtain a list of avail-
+                              able types, use the eennccrryypptt ddiissaabbllee ?? command.
+
+                eennaabbllee _t_y_p_e [iinnppuutt | oouuttppuutt]
+                              Enables the specified type of encryption.  If
+                              you omit input and output, both input and output
+                              are enabled.  To obtain a list of available
+                              types, use the eennccrryypptt eennaabbllee ?? command.
+
+                iinnppuutt         This is the same as the eennccrryypptt ssttaarrtt iinnppuutt com-
+                              mand.
+
+                --iinnppuutt        This is the same as the eennccrryypptt ssttoopp iinnppuutt com-
+                              mand.
+
+                oouuttppuutt        This is the same as the eennccrryypptt ssttaarrtt oouuttppuutt
+                              command.
+
+                --oouuttppuutt       This is the same as the eennccrryypptt ssttoopp oouuttppuutt com-
+                              mand.
+
+                ssttaarrtt [iinnppuutt | oouuttppuutt]
+                              Attempts to start encryption.  If you omit iinnppuutt
+                              and oouuttppuutt, both input and output are enabled.
+                              To obtain a list of available types, use the
+                              eennccrryypptt eennaabbllee ?? command.
+
+                ssttaattuuss        Lists the current status of encryption.
+
+                ssttoopp [iinnppuutt | oouuttppuutt]
+                              Stops encryption.  If you omit input and output,
+                              encryption is on both input and output.
+
+                ttyyppee _t_y_p_e     Sets the default type of encryption to be used
+                              with later eennccrryypptt ssttaarrtt or eennccrryypptt ssttoopp com-
+                              mands.
+
+     eennvviirroonn _a_r_g_u_m_e_n_t_s _._._.
+                The eennvviirroonn command is used to manipulate the the variables
+                that my be sent through the TELNET ENVIRON option.  The ini-
+                tial set of variables is taken from the users environment,
+                with only the DISPLAY and PRINTER variables being exported by
+                default.  The USER variable is also exported if the --aa or --ll
+                options are used.
+
+                Valid arguments for the eennvviirroonn command are:
+
+                ddeeffiinnee _v_a_r_i_a_b_l_e _v_a_l_u_e
+                            Define the variable _v_a_r_i_a_b_l_e to have a value of
+                            _v_a_l_u_e. Any variables defined by this command are
+                            automatically exported.  The _v_a_l_u_e may be enclosed
+                            in single or double quotes so that tabs and spaces
+                            may be included.
+
+                uunnddeeffiinnee _v_a_r_i_a_b_l_e
+                            Remove _v_a_r_i_a_b_l_e from the list of environment vari-
+                            ables.
+
+                eexxppoorrtt _v_a_r_i_a_b_l_e
+                            Mark the variable _v_a_r_i_a_b_l_e to be exported to the
+                            remote side.
+
+                uunneexxppoorrtt _v_a_r_i_a_b_l_e
+                            Mark the variable _v_a_r_i_a_b_l_e to not be exported un-
+                            less explicitly asked for by the remote side.
+
+                lliisstt        List the current set of environment variables.
+                            Those marked with a ** will be sent automatically,
+                            other variables will only be sent if explicitly
+                            requested.
+
+                ??           Prints out help information for the eennvviirroonn com-
+                            mand.
+
+     llooggoouutt     Sends the TELNET LOGOUT option to the remote side.  This com-
+                mand is similar to a cclloossee command; however, if the remote
+                side does not support the LOGOUT option, nothing happens.  If,
+                however, the remote side does support the LOGOUT option, this
+                command should cause the remote side to close the TELNET con-
+                nection.  If the remote side also supports the concept of sus-
+                pending a user's session for later reattachment, the logout
+                argument indicates that you should terminate the session imme-
+                diately.
+
+     mmooddee _t_y_p_e  _T_y_p_e is one of several options, depending on the state of the
+                TELNET session.  The remote host is asked for permission to go
+                into the requested mode.  If the remote host is capable of en-
+                tering that mode, the requested mode will be entered.
+
+                cchhaarraacctteerr     Disable the TELNET LINEMODE option, or, if the
+                              remote side does not understand the LINEMODE op-
+                              tion, then enter ``character at a time`` mode.
+
+                lliinnee          Enable the TELNET LINEMODE option, or, if the
+                              remote side does not understand the LINEMODE op-
+                              tion, then attempt to enter ``old-line-by-line``
+                              mode.
+
+                iissiigg (--iissiigg)  Attempt to enable (disable) the TRAPSIG mode of
+                              the LINEMODE option.  This requires that the
+                              LINEMODE option be enabled.
+
+                eeddiitt (--eeddiitt)  Attempt to enable (disable) the EDIT mode of the
+                              LINEMODE option.  This requires that the
+                              LINEMODE option be enabled.
+
+                ssooffttttaabbss (--ssooffttttaabbss)
+                              Attempt to enable (disable) the SOFT_TAB mode of
+                              the LINEMODE option.  This requires that the
+                              LINEMODE option be enabled.
+
+                lliitteecchhoo (--lliitteecchhoo)
+                              Attempt to enable (disable) the LIT_ECHO mode of
+                              the LINEMODE option.  This requires that the
+                              LINEMODE option be enabled.
+
+                ??             Prints out help information for the mmooddee com-
+                              mand.
+
+     ooppeenn _h_o_s_t [--ll _u_s_e_r] [[--]_p_o_r_t]
+                Open a connection to the named host.  If no port number is
+                specified, tteellnneett will attempt to contact a TELNET server at
+                the default port.  The host specification may be either a host
+                name (see hosts(5))  or an Internet address specified in the
+                ``dot notation'' (see inet(3)).  The [--ll] option may be used
+                to specify the user name to be passed to the remote system via
+                the ENVIRON option.  When connecting to a non-standard port,
+                tteellnneett omits any automatic initiation of TELNET options.  When
+                the port number is preceded by a minus sign, the initial op-
+                tion negotiation is done.  After establishing a connection,
+                the file _._t_e_l_n_e_t_r_c in the users home directory is opened.
+                Lines beginning with a # are comment lines.  Blank lines are
+                ignored.  Lines that begin without white space are the start
+                of a machine entry.  The first thing on the line is the name
+                of the machine that is being connected to.  The rest of the
+                line, and successive lines that begin with white space are as-
+                sumed to be tteellnneett commands and are processed as if they had
+                been typed in manually to the tteellnneett command prompt.
+
+     qquuiitt       Close any open TELNET session and exit tteellnneett. An end of file
+                (in command mode) will also close a session and exit.
+
+     sseenndd _a_r_g_u_m_e_n_t_s
+                Sends one or more special character sequences to the remote
+                host.  The following are the arguments which may be specified
+                (more than one argument may be specified at a time):
+
+                aabboorrtt   Sends the TELNET ABORT (Abort processes) sequence.
+
+                aaoo      Sends the TELNET AO (Abort Output) sequence, which
+                        should cause the remote system to flush all output
+                        _f_r_o_m the remote system _t_o the user's terminal.
+
+                aayytt     Sends the TELNET AYT (Are You There) sequence, to
+                        which the remote system may or may not choose to re-
+
+                        spond.
+
+                bbrrkk     Sends the TELNET BRK (Break) sequence, which may have
+                        significance to the remote system.
+
+                eecc      Sends the TELNET EC (Erase Character) sequence, which
+                        should cause the remote system to erase the last char-
+                        acter entered.
+
+                eell      Sends the TELNET EL (Erase Line) sequence, which
+                        should cause the remote system to erase the line cur-
+                        rently being entered.
+
+                eeooff     Sends the TELNET EOF (End Of File) sequence.
+
+                eeoorr     Sends the TELNET EOR (End of Record) sequence.
+
+                eessccaappee  Sends the current tteellnneett escape character (initially
+                        ``^'').
+
+                ggaa      Sends the TELNET GA (Go Ahead) sequence, which likely
+                        has no significance to the remote system.
+
+                ggeettssttaattuuss
+                        If the remote side supports the TELNET STATUS command,
+                        ggeettssttaattuuss will send the subnegotiation to request that
+                        the server send its current option status.
+
+                iipp      Sends the TELNET IP (Interrupt Process) sequence,
+                        which should cause the remote system to abort the cur-
+                        rently running process.
+
+                nnoopp     Sends the TELNET NOP (No OPeration) sequence.
+
+                ssuusspp    Sends the TELNET SUSP (SUSPend process) sequence.
+
+                ssyynncchh   Sends the TELNET SYNCH sequence.  This sequence causes
+                        the remote system to discard all previously typed (but
+                        not yet read) input.  This sequence is sent as TCP ur-
+                        gent data (and may not work if the remote system is a
+                        4.2BSD system -- if it doesn't work, a lower case
+                        ``r'' may be echoed on the terminal).
+
+                ddoo _c_m_d
+
+                ddoonntt _c_m_d
+
+                wwiillll _c_m_d
+
+                wwoonntt _c_m_d
+                        Sends the TELNET DO _c_m_d sequence.  _C_m_d can be either a
+                        decimal number between 0 and 255, or a symbolic name
+                        for a specific TELNET command.  _C_m_d can also be either
+                        hheellpp or ?? to print out help information, including a
+                        list of known symbolic names.
+
+                ??       Prints out help information for the sseenndd command.
+
+     sseett _a_r_g_u_m_e_n_t _v_a_l_u_e
+
+     uunnsseett _a_r_g_u_m_e_n_t _v_a_l_u_e
+                The sseett command will set any one of a number of tteellnneett vari-
+                ables to a specific value or to TRUE. The special value ooffff
+                turns off the function associated with the variable, this is
+                equivalent to using the uunnsseett command.  The uunnsseett command will
+                disable or set to FALSE any of the specified functions.  The
+                values of variables may be interrogated with the ddiissppllaayy com-
+                mand.  The variables which may be set or unset, but not tog-
+                gled, are listed here.  In addition, any of the variables for
+                the ttooggggllee command may be explicitly set or unset using the
+                sseett and uunnsseett commands.
+
+                aayytt     If TELNET is in localchars mode, or LINEMODE is en-
+                        abled, and the status character is typed, a TELNET AYT
+                        sequence (see sseenndd aayytt preceding) is sent to the re-
+                        mote host.  The initial value for the "Are You There"
+                        character is the terminal's status character.
+
+                eecchhoo    This is the value (initially ``^E'') which, when in
+                        ``line by line'' mode, toggles between doing local
+                        echoing of entered characters (for normal processing),
+                        and suppressing echoing of entered characters (for en-
+                        tering, say, a password).
+
+                eeooff     If tteellnneett is operating in LINEMODE or ``old line by
+                        line'' mode, entering this character as the first
+                        character on a line will cause this character to be
+                        sent to the remote system.  The initial value of the
+                        eof character is taken to be the terminal's eeooff char-
+                        acter.
+
+                eerraassee   If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
+                        below), aanndd if tteellnneett is operating in ``character at a
+                        time'' mode, then when this character is typed, a
+                        TELNET EC sequence (see sseenndd eecc above) is sent to the
+                        remote system.  The initial value for the erase char-
+                        acter is taken to be the terminal's eerraassee character.
+
+                eessccaappee  This is the tteellnneett escape character (initially ``^['')
+                        which causes entry into tteellnneett command mode (when con-
+                        nected to a remote system).
+
+                fflluusshhoouuttppuutt
+                        If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
+                        below) and the fflluusshhoouuttppuutt character is typed, a
+                        TELNET AO sequence (see sseenndd aaoo above) is sent to the
+                        remote host.  The initial value for the flush charac-
+                        ter is taken to be the terminal's fflluusshh character.
+
+                ffoorrww11
+
+                ffoorrww22   If TELNET is operating in LINEMODE, these are the
+                        characters that, when typed, cause partial lines to be
+                        forwarded to the remote system.  The initial value for
+                        the forwarding characters are taken from the termi-
+                        nal's eol and eol2 characters.
+
+                iinntteerrrruupptt
+                        If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
+                        below) and the iinntteerrrruupptt character is typed, a TELNET
+                        IP sequence (see sseenndd iipp above) is sent to the remote
+                        host.  The initial value for the interrupt character
+                        is taken to be the terminal's iinnttrr character.
+
+                kkiillll    If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
+                        below), aanndd if tteellnneett is operating in ``character at a
+                        time'' mode, then when this character is typed, a
+                        TELNET EL sequence (see sseenndd eell above) is sent to the
+                        remote system.  The initial value for the kill charac-
+                        ter is taken to be the terminal's kkiillll character.
+
+                llnneexxtt   If tteellnneett is operating in LINEMODE or ``old line by
+                        line`` mode, then this character is taken to be the
+                        terminal's llnneexxtt character.  The initial value for the
+                        lnext character is taken to be the terminal's llnneexxtt
+                        character.
+
+                qquuiitt    If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
+                        below) and the qquuiitt character is typed, a TELNET BRK
+                        sequence (see sseenndd bbrrkk above) is sent to the remote
+                        host.  The initial value for the quit character is
+                        taken to be the terminal's qquuiitt character.
+
+                rreepprriinntt
+                        If tteellnneett is operating in LINEMODE or ``old line by
+                        line`` mode, then this character is taken to be the
+                        terminal's rreepprriinntt character.  The initial value for
+                        the reprint character is taken to be the terminal's
+                        rreepprriinntt character.
+
+                rrllooggiinn  This is the rlogin escape character.  If set, the nor-
+                        mal TELNET escape character is ignored unless it is
+                        preceded by this character at the beginning of a line.
+                        This character, at the beginning of a line followed by
+                        a "."  closes the connection; when followed by a ^Z it
+                        suspends the telnet command.  The initial state is to
+                        disable the rlogin escape character.
+
+                ssttaarrtt   If the TELNET TOGGLE-FLOW-CONTROL option has been en-
+                        abled, then this character is taken to be the termi-
+                        nal's ssttaarrtt character.  The initial value for the kill
+                        character is taken to be the terminal's ssttaarrtt charac-
+                        ter.
+
+                ssttoopp    If the TELNET TOGGLE-FLOW-CONTROL option has been en-
+                        abled, then this character is taken to be the termi-
+                        nal's ssttoopp character.  The initial value for the kill
+                        character is taken to be the terminal's ssttoopp charac-
+                        ter.
+
+                ssuusspp    If tteellnneett is in llooccaallcchhaarrss mode, or LINEMODE is en-
+                        abled, and the ssuussppeenndd character is typed, a TELNET
+                        SUSP sequence (see sseenndd ssuusspp above) is sent to the re-
+                        mote host.  The initial value for the suspend charac-
+                        ter is taken to be the terminal's ssuussppeenndd character.
+
+                ttrraacceeffiillee
+                        This is the file to which the output, caused by
+                        nneettddaattaa or ooppttiioonn tracing being TRUE, will be written.
+                        If it is set to ``--'', then tracing information will
+                        be written to standard output (the default).
+
+                wwoorrddeerraassee
+                        If tteellnneett is operating in LINEMODE or ``old line by
+                        line`` mode, then this character is taken to be the
+                        terminal's wwoorrddeerraassee character.  The initial value for
+                        the worderase character is taken to be the terminal's
+                        wwoorrddeerraassee character.
+
+                ??       Displays the legal sseett (uunnsseett) commands.
+
+     ssllcc _s_t_a_t_e  The ssllcc command (Set Local Characters) is used to set or
+                change the state of the the special characters when the TELNET
+                LINEMODE option has been enabled.  Special characters are
+                characters that get mapped to TELNET commands sequences (like
+                iipp or qquuiitt) or line editing characters (like eerraassee and kkiillll).
+
+
+                By default, the local special characters are exported.
+
+                cchheecckk       Verify the current settings for the current spe-
+                            cial characters.  The remote side is requested to
+                            send all the current special character settings,
+                            and if there are any discrepancies with the local
+                            side, the local side will switch to the remote
+                            value.
+
+                eexxppoorrtt      Switch to the local defaults for the special char-
+                            acters.  The local default characters are those of
+                            the local terminal at the time when tteellnneett was
+                            started.
+
+                iimmppoorrtt      Switch to the remote defaults for the special
+                            characters.  The remote default characters are
+                            those of the remote system at the time when the
+                            TELNET connection was established.
+
+                ??           Prints out help information for the ssllcc command.
+
+     ssttaattuuss     Show the current status of tteellnneett. This includes the peer one
+                is connected to, as well as the current mode.
+
+     ttooggggllee _a_r_g_u_m_e_n_t_s _._._.
+                Toggle (between TRUE and FALSE) various flags that control how
+                tteellnneett responds to events.  These flags may be set explicitly
+                to TRUE or FALSE using the sseett and uunnsseett commands listed
+                above.  More than one argument may be specified.  The state of
+                these flags may be interrogated with the ddiissppllaayy command.
+                Valid arguments are:
+
+                aauutthhddeebbuugg     Turns on debugging information for the authenti-
+                              cation code.
+
+                aauuttoofflluusshh     If aauuttoofflluusshh and llooccaallcchhaarrss are both TRUE, then
+                              when the aaoo, or qquuiitt characters are recognized
+                              (and transformed into TELNET sequences; see sseett
+                              above for details), tteellnneett refuses to display
+                              any data on the user's terminal until the remote
+                              system acknowledges (via a TELNET TIMING MARK
+                              option) that it has processed those TELNET se-
+                              quences.  The initial value for this toggle is
+                              TRUE if the terminal user had not done an "stty
+                              noflsh", otherwise FALSE (see stty(1)).
+
+                aauuttooddeeccrryypptt   When the TELNET ENCRYPT option is negotiated, by
+                              default the actual encryption (decryption) of
+                              the data stream does not start automatically.
+                              The autoencrypt (autodecrypt) command states
+                              that encryption of the output (input) stream
+                              should be enabled as soon as possible.
+
+                              Note:  Because of export controls, the TELNET
+                              ENCRYPT option is not supported outside the
+                              United States and Canada.
+
+                aauuttoollooggiinn     If the remote side supports the TELNET
+                              AUTHENTICATION option TELNET attempts to use it
+                              to perform automatic authentication.  If the
+                              AUTHENTICATION option is not supported, the us-
+                              er's login name are propagated through the
+                              TELNET ENVIRON option.  This command is the same
+                              as specifying _a option on the ooppeenn command.
+
+                aauuttoossyynncchh     If aauuttoossyynncchh and llooccaallcchhaarrss are both TRUE, then
+                              when either the iinnttrr or qquuiitt characters is typed
+                              (see sseett above for descriptions of the iinnttrr and
+                              qquuiitt characters), the resulting TELNET sequence
+                              sent is followed by the TELNET SYNCH sequence.
+                              This procedure sshhoouulldd cause the remote system to
+                              begin throwing away all previously typed input
+                              until both of the TELNET sequences have been
+                              read and acted upon.  The initial value of this
+                              toggle is FALSE.
+
+                bbiinnaarryy        Enable or disable the TELNET BINARY option on
+                              both input and output.
+
+                iinnbbiinnaarryy      Enable or disable the TELNET BINARY option on
+                              input.
+
+                oouuttbbiinnaarryy     Enable or disable the TELNET BINARY option on
+                              output.
+
+                ccrrllff          If this is TRUE, then carriage returns will be
+                              sent as <CR><LF>. If this is FALSE, then car-
+                              riage returns will be send as <CR><NUL>. The
+                              initial value for this toggle is FALSE.
+
+                ccrrmmoodd         Toggle carriage return mode.  When this mode is
+                              enabled, most carriage return characters re-
+                              ceived from the remote host will be mapped into
+                              a carriage return followed by a line feed.  This
+                              mode does not affect those characters typed by
+                              the user, only those received from the remote
+                              host.  This mode is not very useful unless the
+                              remote host only sends carriage return, but nev-
+                              er line feed.  The initial value for this toggle
+                              is FALSE.
+
+                ddeebbuugg         Toggles socket level debugging (useful only to
+                              the ssuuppeerr uusseerr). The initial value for this tog-
+                              gle is FALSE.
+
+                eennccddeebbuugg      Turns on debugging information for the encryp-
+                              tion code.
+
+                llooccaallcchhaarrss    If this is TRUE, then the fflluusshh, iinntteerrrruupptt,
+                              qquuiitt, eerraassee, and kkiillll characters (see sseett above)
+                              are recognized locally, and transformed into
+                              (hopefully) appropriate TELNET control sequences
+                              (respectively aaoo, iipp, bbrrkk, eecc, and eell; see sseenndd
+                              above).  The initial value for this toggle is
+                              TRUE in ``old line by line'' mode, and FALSE in
+                              ``character at a time'' mode.  When the LINEMODE
+                              option is enabled, the value of llooccaallcchhaarrss is
+                              ignored, and assumed to always be TRUE. If
+                              LINEMODE has ever been enabled, then qquuiitt is
+                              sent as aabboorrtt, and eeooff and ssuussppeenndd are sent as
+                              eeooff and ssuusspp, see sseenndd above).
+
+                nneettddaattaa       Toggles the display of all network data (in hex-
+                              adecimal format).  The initial value for this
+                              toggle is FALSE.
+
+                ooppttiioonnss       Toggles the display of some internal tteellnneett pro-
+                              tocol processing (having to do with TELNET op-
+                              tions).  The initial value for this toggle is
+                              FALSE.
+
+                pprreettttyydduummpp    When the nneettddaattaa toggle is enabled, if
+                              pprreettttyydduummpp is enabled the output from the
+                              nneettddaattaa command will be formatted in a more user
+                              readable format.  Spaces are put between each
+                              character in the output, and the beginning of
+                              any TELNET escape sequence is preceded by a '*'
+                              to aid in locating them.
+
+                sskkiipprrcc        When the skiprc toggle is TRUE, TELNET skips the
+                              reading of the _._t_e_l_n_e_t_r_c file in the users home
+                              directory when connections are opened.  The ini-
+                              tial value for this toggle is FALSE.
+
+                tteerrmmddaattaa      Toggles the display of all terminal data (in
+                              hexadecimal format).  The initial value for this
+                              toggle is FALSE.
+
+                vveerrbboossee__eennccrryypptt
+                              When the vveerrbboossee__eennccrryypptt toggle is TRUE, TELNET
+                              prints out a message each time encryption is en-
+                              abled or disabled.  The initial value for this
+                              toggle is FALSE. Note:  Because of export con-
+                              trols, data encryption is not supported outside
+                              of the United States and Canada.
+
+                ??             Displays the legal ttooggggllee commands.
+
+     zz          Suspend tteellnneett. This command only works when the user is using
+                the csh(1).
+
+     !! [_c_o_m_m_a_n_d]
+                Execute a single command in a subshell on the local system.
+                If ccoommmmaanndd is omitted, then an interactive subshell is in-
+                voked.
+
+     ?? [_c_o_m_m_a_n_d]
+                Get help.  With no arguments, tteellnneett prints a help summary.
+                If a command is specified, tteellnneett will print the help informa-
+                tion for just that command.
+
+EENNVVIIRROONNMMEENNTT
+     TTeellnneett uses at least the HOME, SHELL, DISPLAY, and TERM environment vari-
+     ables.  Other environment variables may be propagated to the other side
+     via the TELNET ENVIRON option.
+
+FFIILLEESS
+     ~/.telnetrc  user customized telnet startup values
+
+HHIISSTTOORRYY
+     The TTeellnneett command appeared in 4.2BSD.
+
+NNOOTTEESS
+     On some remote systems, echo has to be turned off manually when in ``old
+     line by line'' mode.
+
+     In ``old line by line'' mode or LINEMODE the terminal's eeooff character is
+     only recognized (and sent to the remote system) when it is the first
+     character on a line.
+
+4.2 Berkeley Distribution        June 1, 1994                               11
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet_locl.h b/crypto/heimdal/appl/telnet/telnet/telnet_locl.h
new file mode 100644
index 0000000..4f9f86d
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/telnet_locl.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: telnet_locl.h,v 1.19 2000/02/04 09:49:28 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <ctype.h>
+#ifdef HAVE_SIGNAL_H
+#include <signal.h>
+#endif
+#include <errno.h>
+#include <setjmp.h>
+#ifdef HAVE_BSDSETJMP_H
+#include <bsdsetjmp.h>
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+/* termios.h *must* be included before curses.h */
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+
+#if defined(SOCKS) && defined(HAVE_CURSES_H)
+#include <curses.h>
+#endif
+
+#if defined(HAVE_SYS_TERMIO_H) && !defined(HAVE_TERMIOS_H)
+#include <sys/termio.h>
+#endif
+
+#if defined(HAVE_TERMCAP_H)
+#include <termcap.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+/* not with SunOS 4 */
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include <roken.h>
+/* krb.h? */
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+#include <libtelnet/auth.h>
+#include <libtelnet/encrypt.h>
+#endif
+#include <libtelnet/misc.h>
+#include <libtelnet/misc-proto.h>
+
+#define LINEMODE
+#ifndef KLUDGELINEMODE
+#define KLUDGELINEMODE
+#endif
+
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+
+/* prototypes */
+
diff --git a/crypto/heimdal/appl/telnet/telnet/terminal.c b/crypto/heimdal/appl/telnet/telnet/terminal.c
new file mode 100644
index 0000000..44e1611
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/terminal.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: terminal.c,v 1.11 2001/03/06 20:10:14 assar Exp $");
+
+Ring		ttyoring, ttyiring;
+unsigned char	ttyobuf[2*BUFSIZ], ttyibuf[BUFSIZ];
+
+int termdata;			/* Debugging flag */
+
+# ifndef VDISCARD
+cc_t termFlushChar;
+# endif
+# ifndef VLNEXT
+cc_t termLiteralNextChar;
+# endif
+# ifndef VSUSP
+cc_t termSuspChar;
+# endif
+# ifndef VWERASE
+cc_t termWerasChar;
+# endif
+# ifndef VREPRINT
+cc_t termRprntChar;
+# endif
+# ifndef VSTART
+cc_t termStartChar;
+# endif
+# ifndef VSTOP
+cc_t termStopChar;
+# endif
+# ifndef VEOL
+cc_t termForw1Char;
+# endif
+# ifndef VEOL2
+cc_t termForw2Char;
+# endif
+# ifndef VSTATUS
+cc_t termAytChar;
+# endif
+
+/*
+ * initialize the terminal data structures.
+ */
+
+void
+init_terminal(void)
+{
+    if (ring_init(&ttyoring, ttyobuf, sizeof ttyobuf) != 1) {
+	exit(1);
+    }
+    if (ring_init(&ttyiring, ttyibuf, sizeof ttyibuf) != 1) {
+	exit(1);
+    }
+    autoflush = TerminalAutoFlush();
+}
+
+
+/*
+ *		Send as much data as possible to the terminal.
+ *
+ *		Return value:
+ *			-1: No useful work done, data waiting to go out.
+ *			 0: No data was waiting, so nothing was done.
+ *			 1: All waiting data was written out.
+ *			 n: All data - n was written out.
+ */
+
+
+int
+ttyflush(int drop)
+{
+    int n, n0, n1;
+
+    n0 = ring_full_count(&ttyoring);
+    if ((n1 = n = ring_full_consecutive(&ttyoring)) > 0) {
+	if (drop) {
+	    TerminalFlushOutput();
+	    /* we leave 'n' alone! */
+	} else {
+	    n = TerminalWrite((char *)ttyoring.consume, n);
+	}
+    }
+    if (n > 0) {
+	if (termdata && n) {
+	    Dump('>', ttyoring.consume, n);
+	}
+	/*
+	 * If we wrote everything, and the full count is
+	 * larger than what we wrote, then write the
+	 * rest of the buffer.
+	 */
+	if (n1 == n && n0 > n) {
+		n1 = n0 - n;
+		if (!drop)
+			n1 = TerminalWrite((char *)ttyoring.bottom, n1);
+		if (n1 > 0)
+			n += n1;
+	}
+	ring_consumed(&ttyoring, n);
+    }
+    if (n < 0)
+	return -1;
+    if (n == n0) {
+	if (n0)
+	    return -1;
+	return 0;
+    }
+    return n0 - n + 1;
+}
+
+
+/*
+ * These routines decides on what the mode should be (based on the values
+ * of various global variables).
+ */
+
+
+int
+getconnmode(void)
+{
+    int mode = 0;
+
+    if (my_want_state_is_dont(TELOPT_ECHO))
+	mode |= MODE_ECHO;
+
+    if (localflow)
+	mode |= MODE_FLOW;
+
+    if ((eight & 1) || my_want_state_is_will(TELOPT_BINARY))
+	mode |= MODE_INBIN;
+
+    if (eight & 2)
+	mode |= MODE_OUT8;
+    if (his_want_state_is_will(TELOPT_BINARY))
+	mode |= MODE_OUTBIN;
+
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode) {
+	if (my_want_state_is_dont(TELOPT_SGA)) {
+	    mode |= (MODE_TRAPSIG|MODE_EDIT);
+	    if (dontlecho && (clocks.echotoggle > clocks.modenegotiated)) {
+		mode &= ~MODE_ECHO;
+	    }
+	}
+	return(mode);
+    }
+#endif
+    if (my_want_state_is_will(TELOPT_LINEMODE))
+	mode |= linemode;
+    return(mode);
+}
+
+    void
+setconnmode(force)
+    int force;
+{
+#ifdef	ENCRYPTION
+    static int enc_passwd = 0;
+#endif
+    int newmode;
+
+    newmode = getconnmode()|(force?MODE_FORCE:0);
+
+    TerminalNewMode(newmode);
+    
+#ifdef  ENCRYPTION
+    if ((newmode & (MODE_ECHO|MODE_EDIT)) == MODE_EDIT) {
+	if (my_want_state_is_will(TELOPT_ENCRYPT)
+				&& (enc_passwd == 0) && !encrypt_output) {
+	    encrypt_request_start(0, 0);
+	    enc_passwd = 1;
+	}
+    } else {
+	if (enc_passwd) {
+	    encrypt_request_end();
+	    enc_passwd = 0;
+	}
+    }
+#endif
+
+}
+
+
+    void
+setcommandmode()
+{
+    TerminalNewMode(-1);
+}
diff --git a/crypto/heimdal/appl/telnet/telnet/types.h b/crypto/heimdal/appl/telnet/telnet/types.h
new file mode 100644
index 0000000..191d311
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/types.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)types.h	8.1 (Berkeley) 6/6/93
+ */
+
+typedef struct {
+    char *modedescriptions;
+    char modetype;
+} Modelist;
+
+extern Modelist modelist[];
+
+typedef struct {
+    int
+	system,			/* what the current time is */
+	echotoggle,		/* last time user entered echo character */
+	modenegotiated,		/* last time operating mode negotiated */
+	didnetreceive,		/* last time we read data from network */
+	gotDM;			/* when did we last see a data mark */
+} Clocks;
+
+extern Clocks clocks;
diff --git a/crypto/heimdal/appl/telnet/telnet/utilities.c b/crypto/heimdal/appl/telnet/telnet/utilities.c
new file mode 100644
index 0000000..a933261
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/utilities.c
@@ -0,0 +1,866 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define TELOPTS
+#define TELCMDS
+#define SLC_NAMES
+
+#include "telnet_locl.h"
+
+RCSID("$Id: utilities.c,v 1.24 2000/10/08 22:30:15 assar Exp $");
+
+FILE	*NetTrace = 0;		/* Not in bss, since needs to stay */
+int	prettydump;
+
+/*
+ * SetSockOpt()
+ *
+ * Compensate for differences in 4.2 and 4.3 systems.
+ */
+
+int
+SetSockOpt(int fd, int level, int option, int yesno)
+{
+#ifdef HAVE_SETSOCKOPT
+#ifndef	NOT43
+    return setsockopt(fd, level, option,
+				(void *)&yesno, sizeof yesno);
+#else	/* NOT43 */
+    if (yesno == 0) {		/* Can't do that in 4.2! */
+	fprintf(stderr, "Error: attempt to turn off an option 0x%x.\n",
+				option);
+	return -1;
+    }
+    return setsockopt(fd, level, option, 0, 0);
+#endif	/* NOT43 */
+#else
+    return -1;
+#endif
+}
+
+/*
+ * The following are routines used to print out debugging information.
+ */
+
+char NetTraceFile[256] = "(standard output)";
+
+void
+SetNetTrace(char *file)
+{
+    if (NetTrace && NetTrace != stdout)
+	fclose(NetTrace);
+    if (file  && (strcmp(file, "-") != 0)) {
+	NetTrace = fopen(file, "w");
+	if (NetTrace) {
+	    strlcpy(NetTraceFile, file, sizeof(NetTraceFile));
+	    return;
+	}
+	fprintf(stderr, "Cannot open %s.\n", file);
+    }
+    NetTrace = stdout;
+    strlcpy(NetTraceFile, "(standard output)", sizeof(NetTraceFile));
+}
+
+void
+Dump(char direction, unsigned char *buffer, int length)
+{
+#   define BYTES_PER_LINE	32
+    unsigned char *pThis;
+    int offset;
+
+    offset = 0;
+
+    while (length) {
+	/* print one line */
+	fprintf(NetTrace, "%c 0x%x\t", direction, offset);
+	pThis = buffer;
+	if (prettydump) {
+	    buffer = buffer + min(length, BYTES_PER_LINE/2);
+	    while (pThis < buffer) {
+		fprintf(NetTrace, "%c%.2x",
+		    (((*pThis)&0xff) == 0xff) ? '*' : ' ',
+		    (*pThis)&0xff);
+		pThis++;
+	    }
+	    length -= BYTES_PER_LINE/2;
+	    offset += BYTES_PER_LINE/2;
+	} else {
+	    buffer = buffer + min(length, BYTES_PER_LINE);
+	    while (pThis < buffer) {
+		fprintf(NetTrace, "%.2x", (*pThis)&0xff);
+		pThis++;
+	    }
+	    length -= BYTES_PER_LINE;
+	    offset += BYTES_PER_LINE;
+	}
+	if (NetTrace == stdout) {
+	    fprintf(NetTrace, "\r\n");
+	} else {
+	    fprintf(NetTrace, "\n");
+	}
+	if (length < 0) {
+	    fflush(NetTrace);
+	    return;
+	}
+	/* find next unique line */
+    }
+    fflush(NetTrace);
+}
+
+
+void
+printoption(char *direction, int cmd, int option)
+{
+	if (!showoptions)
+		return;
+	if (cmd == IAC) {
+		if (TELCMD_OK(option))
+		    fprintf(NetTrace, "%s IAC %s", direction, TELCMD(option));
+		else
+		    fprintf(NetTrace, "%s IAC %d", direction, option);
+	} else {
+		char *fmt;
+		fmt = (cmd == WILL) ? "WILL" : (cmd == WONT) ? "WONT" :
+			(cmd == DO) ? "DO" : (cmd == DONT) ? "DONT" : 0;
+		if (fmt) {
+		    fprintf(NetTrace, "%s %s ", direction, fmt);
+		    if (TELOPT_OK(option))
+			fprintf(NetTrace, "%s", TELOPT(option));
+		    else if (option == TELOPT_EXOPL)
+			fprintf(NetTrace, "EXOPL");
+		    else
+			fprintf(NetTrace, "%d", option);
+		} else
+		    fprintf(NetTrace, "%s %d %d", direction, cmd, option);
+	}
+	if (NetTrace == stdout) {
+	    fprintf(NetTrace, "\r\n");
+	    fflush(NetTrace);
+	} else {
+	    fprintf(NetTrace, "\n");
+	}
+	return;
+}
+
+void
+optionstatus(void)
+{
+    int i;
+    extern char will_wont_resp[], do_dont_resp[];
+
+    for (i = 0; i < 256; i++) {
+	if (do_dont_resp[i]) {
+	    if (TELOPT_OK(i))
+		printf("resp DO_DONT %s: %d\n", TELOPT(i), do_dont_resp[i]);
+	    else if (TELCMD_OK(i))
+		printf("resp DO_DONT %s: %d\n", TELCMD(i), do_dont_resp[i]);
+	    else
+		printf("resp DO_DONT %d: %d\n", i,
+				do_dont_resp[i]);
+	    if (my_want_state_is_do(i)) {
+		if (TELOPT_OK(i))
+		    printf("want DO   %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want DO   %s\n", TELCMD(i));
+		else
+		    printf("want DO   %d\n", i);
+	    } else {
+		if (TELOPT_OK(i))
+		    printf("want DONT %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want DONT %s\n", TELCMD(i));
+		else
+		    printf("want DONT %d\n", i);
+	    }
+	} else {
+	    if (my_state_is_do(i)) {
+		if (TELOPT_OK(i))
+		    printf("     DO   %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("     DO   %s\n", TELCMD(i));
+		else
+		    printf("     DO   %d\n", i);
+	    }
+	}
+	if (will_wont_resp[i]) {
+	    if (TELOPT_OK(i))
+		printf("resp WILL_WONT %s: %d\n", TELOPT(i), will_wont_resp[i]);
+	    else if (TELCMD_OK(i))
+		printf("resp WILL_WONT %s: %d\n", TELCMD(i), will_wont_resp[i]);
+	    else
+		printf("resp WILL_WONT %d: %d\n",
+				i, will_wont_resp[i]);
+	    if (my_want_state_is_will(i)) {
+		if (TELOPT_OK(i))
+		    printf("want WILL %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want WILL %s\n", TELCMD(i));
+		else
+		    printf("want WILL %d\n", i);
+	    } else {
+		if (TELOPT_OK(i))
+		    printf("want WONT %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want WONT %s\n", TELCMD(i));
+		else
+		    printf("want WONT %d\n", i);
+	    }
+	} else {
+	    if (my_state_is_will(i)) {
+		if (TELOPT_OK(i))
+		    printf("     WILL %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("     WILL %s\n", TELCMD(i));
+		else
+		    printf("     WILL %d\n", i);
+	    }
+	}
+    }
+
+}
+
+void
+printsub(int direction, unsigned char *pointer, int length)
+{
+    int i;
+    unsigned char buf[512];
+    extern int want_status_response;
+
+    if (showoptions || direction == 0 ||
+	(want_status_response && (pointer[0] == TELOPT_STATUS))) {
+	if (direction) {
+	    fprintf(NetTrace, "%s IAC SB ",
+				(direction == '<')? "RCVD":"SENT");
+	    if (length >= 3) {
+		int j;
+
+		i = pointer[length-2];
+		j = pointer[length-1];
+
+		if (i != IAC || j != SE) {
+		    fprintf(NetTrace, "(terminated by ");
+		    if (TELOPT_OK(i))
+			fprintf(NetTrace, "%s ", TELOPT(i));
+		    else if (TELCMD_OK(i))
+			fprintf(NetTrace, "%s ", TELCMD(i));
+		    else
+			fprintf(NetTrace, "%d ", i);
+		    if (TELOPT_OK(j))
+			fprintf(NetTrace, "%s", TELOPT(j));
+		    else if (TELCMD_OK(j))
+			fprintf(NetTrace, "%s", TELCMD(j));
+		    else
+			fprintf(NetTrace, "%d", j);
+		    fprintf(NetTrace, ", not IAC SE!) ");
+		}
+	    }
+	    length -= 2;
+	}
+	if (length < 1) {
+	    fprintf(NetTrace, "(Empty suboption??\?)");
+	    if (NetTrace == stdout)
+		fflush(NetTrace);
+	    return;
+	}
+	switch (pointer[0]) {
+	case TELOPT_TTYPE:
+	    fprintf(NetTrace, "TERMINAL-TYPE ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND");
+		break;
+	    default:
+		fprintf(NetTrace,
+				"- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+	case TELOPT_TSPEED:
+	    fprintf(NetTrace, "TERMINAL-SPEED");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, " IS ");
+		fprintf(NetTrace, "%.*s", length-2, (char *)pointer+2);
+		break;
+	    default:
+		if (pointer[1] == 1)
+		    fprintf(NetTrace, " SEND");
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+	    }
+	    break;
+
+	case TELOPT_LFLOW:
+	    fprintf(NetTrace, "TOGGLE-FLOW-CONTROL");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case LFLOW_OFF:
+		fprintf(NetTrace, " OFF"); break;
+	    case LFLOW_ON:
+		fprintf(NetTrace, " ON"); break;
+	    case LFLOW_RESTART_ANY:
+		fprintf(NetTrace, " RESTART-ANY"); break;
+	    case LFLOW_RESTART_XON:
+		fprintf(NetTrace, " RESTART-XON"); break;
+	    default:
+		fprintf(NetTrace, " %d (unknown)", pointer[1]);
+	    }
+	    for (i = 2; i < length; i++)
+		fprintf(NetTrace, " ?%d?", pointer[i]);
+	    break;
+
+	case TELOPT_NAWS:
+	    fprintf(NetTrace, "NAWS");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    if (length == 2) {
+		fprintf(NetTrace, " ?%d?", pointer[1]);
+		break;
+	    }
+	    fprintf(NetTrace, " %d %d (%d)",
+		pointer[1], pointer[2],
+		(int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+	    if (length == 4) {
+		fprintf(NetTrace, " ?%d?", pointer[3]);
+		break;
+	    }
+	    fprintf(NetTrace, " %d %d (%d)",
+		pointer[3], pointer[4],
+		(int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+	    for (i = 5; i < length; i++)
+		fprintf(NetTrace, " ?%d?", pointer[i]);
+	    break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION:
+	    fprintf(NetTrace, "AUTHENTICATION");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_REPLY:
+	    case TELQUAL_IS:
+		fprintf(NetTrace, " %s ", (pointer[1] == TELQUAL_IS) ?
+							"IS" : "REPLY");
+		if (AUTHTYPE_NAME_OK(pointer[2]))
+		    fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[2]));
+		else
+		    fprintf(NetTrace, "%d ", pointer[2]);
+		if (length < 3) {
+		    fprintf(NetTrace, "(partial suboption??\?)");
+		    break;
+		}
+		fprintf(NetTrace, "%s|%s",
+			((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			"CLIENT" : "SERVER",
+			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			"MUTUAL" : "ONE-WAY");
+
+		auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		fprintf(NetTrace, "%s", buf);
+		break;
+
+	    case TELQUAL_SEND:
+		i = 2;
+		fprintf(NetTrace, " SEND ");
+		while (i < length) {
+		    if (AUTHTYPE_NAME_OK(pointer[i]))
+			fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[i]));
+		    else
+			fprintf(NetTrace, "%d ", pointer[i]);
+		    if (++i >= length) {
+			fprintf(NetTrace, "(partial suboption??\?)");
+			break;
+		    }
+		    fprintf(NetTrace, "%s|%s ",
+			((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+							"CLIENT" : "SERVER",
+			((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+							"MUTUAL" : "ONE-WAY");
+		    ++i;
+		}
+		break;
+
+	    case TELQUAL_NAME:
+		i = 2;
+		fprintf(NetTrace, " NAME \"");
+		while (i < length)
+		    putc(pointer[i++], NetTrace);
+		putc('"', NetTrace);
+		break;
+
+	    default:
+		    for (i = 2; i < length; i++)
+			fprintf(NetTrace, " ?%d?", pointer[i]);
+		    break;
+	    }
+	    break;
+#endif
+
+#if	defined(ENCRYPTION)
+	case TELOPT_ENCRYPT:
+	    fprintf(NetTrace, "ENCRYPT");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case ENCRYPT_START:
+		fprintf(NetTrace, " START");
+		break;
+
+	    case ENCRYPT_END:
+		fprintf(NetTrace, " END");
+		break;
+
+	    case ENCRYPT_REQSTART:
+		fprintf(NetTrace, " REQUEST-START");
+		break;
+
+	    case ENCRYPT_REQEND:
+		fprintf(NetTrace, " REQUEST-END");
+		break;
+
+	    case ENCRYPT_IS:
+	    case ENCRYPT_REPLY:
+		fprintf(NetTrace, " %s ", (pointer[1] == ENCRYPT_IS) ?
+							"IS" : "REPLY");
+		if (length < 3) {
+		    fprintf(NetTrace, " (partial suboption?)");
+		    break;
+		}
+		if (ENCTYPE_NAME_OK(pointer[2]))
+		    fprintf(NetTrace, "%s ", ENCTYPE_NAME(pointer[2]));
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[2]);
+
+		encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		fprintf(NetTrace, "%s", buf);
+		break;
+
+	    case ENCRYPT_SUPPORT:
+		i = 2;
+		fprintf(NetTrace, " SUPPORT ");
+		while (i < length) {
+		    if (ENCTYPE_NAME_OK(pointer[i]))
+			fprintf(NetTrace, "%s ", ENCTYPE_NAME(pointer[i]));
+		    else
+			fprintf(NetTrace, "%d ", pointer[i]);
+		    i++;
+		}
+		break;
+
+	    case ENCRYPT_ENC_KEYID:
+		fprintf(NetTrace, " ENC_KEYID ");
+		goto encommon;
+
+	    case ENCRYPT_DEC_KEYID:
+		fprintf(NetTrace, " DEC_KEYID ");
+		goto encommon;
+
+	    default:
+		fprintf(NetTrace, " %d (unknown)", pointer[1]);
+	    encommon:
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " %d", pointer[i]);
+		break;
+	    }
+	    break;
+#endif
+
+	case TELOPT_LINEMODE:
+	    fprintf(NetTrace, "LINEMODE ");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case WILL:
+		fprintf(NetTrace, "WILL ");
+		goto common;
+	    case WONT:
+		fprintf(NetTrace, "WONT ");
+		goto common;
+	    case DO:
+		fprintf(NetTrace, "DO ");
+		goto common;
+	    case DONT:
+		fprintf(NetTrace, "DONT ");
+	    common:
+		if (length < 3) {
+		    fprintf(NetTrace, "(no option??\?)");
+		    break;
+		}
+		switch (pointer[2]) {
+		case LM_FORWARDMASK:
+		    fprintf(NetTrace, "Forward Mask");
+		    for (i = 3; i < length; i++)
+			fprintf(NetTrace, " %x", pointer[i]);
+		    break;
+		default:
+		    fprintf(NetTrace, "%d (unknown)", pointer[2]);
+		    for (i = 3; i < length; i++)
+			fprintf(NetTrace, " %d", pointer[i]);
+		    break;
+		}
+		break;
+
+	    case LM_SLC:
+		fprintf(NetTrace, "SLC");
+		for (i = 2; i < length - 2; i += 3) {
+		    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+			fprintf(NetTrace, " %s", SLC_NAME(pointer[i+SLC_FUNC]));
+		    else
+			fprintf(NetTrace, " %d", pointer[i+SLC_FUNC]);
+		    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+		    case SLC_NOSUPPORT:
+			fprintf(NetTrace, " NOSUPPORT"); break;
+		    case SLC_CANTCHANGE:
+			fprintf(NetTrace, " CANTCHANGE"); break;
+		    case SLC_VARIABLE:
+			fprintf(NetTrace, " VARIABLE"); break;
+		    case SLC_DEFAULT:
+			fprintf(NetTrace, " DEFAULT"); break;
+		    }
+		    fprintf(NetTrace, "%s%s%s",
+			pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+		    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+						SLC_FLUSHOUT| SLC_LEVELBITS))
+			fprintf(NetTrace, "(0x%x)", pointer[i+SLC_FLAGS]);
+		    fprintf(NetTrace, " %d;", pointer[i+SLC_VALUE]);
+		    if ((pointer[i+SLC_VALUE] == IAC) &&
+			(pointer[i+SLC_VALUE+1] == IAC))
+				i++;
+		}
+		for (; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+
+	    case LM_MODE:
+		fprintf(NetTrace, "MODE ");
+		if (length < 3) {
+		    fprintf(NetTrace, "(no mode??\?)");
+		    break;
+		}
+		{
+		    char tbuf[64];
+		    snprintf(tbuf, sizeof(tbuf),
+			     "%s%s%s%s%s",
+			     pointer[2]&MODE_EDIT ? "|EDIT" : "",
+			     pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+			     pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+			     pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+			     pointer[2]&MODE_ACK ? "|ACK" : "");
+		    fprintf(NetTrace, "%s", tbuf[1] ? &tbuf[1] : "0");
+		}
+		if (pointer[2]&~(MODE_MASK))
+		    fprintf(NetTrace, " (0x%x)", pointer[2]);
+		for (i = 3; i < length; i++)
+		    fprintf(NetTrace, " ?0x%x?", pointer[i]);
+		break;
+	    default:
+		fprintf(NetTrace, "%d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " %d", pointer[i]);
+	    }
+	    break;
+
+	case TELOPT_STATUS: {
+	    char *cp;
+	    int j, k;
+
+	    fprintf(NetTrace, "STATUS");
+
+	    switch (pointer[1]) {
+	    default:
+		if (pointer[1] == TELQUAL_SEND)
+		    fprintf(NetTrace, " SEND");
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+	    case TELQUAL_IS:
+		if (--want_status_response < 0)
+		    want_status_response = 0;
+		if (NetTrace == stdout)
+		    fprintf(NetTrace, " IS\r\n");
+		else
+		    fprintf(NetTrace, " IS\n");
+
+		for (i = 2; i < length; i++) {
+		    switch(pointer[i]) {
+		    case DO:	cp = "DO"; goto common2;
+		    case DONT:	cp = "DONT"; goto common2;
+		    case WILL:	cp = "WILL"; goto common2;
+		    case WONT:	cp = "WONT"; goto common2;
+		    common2:
+			i++;
+			if (TELOPT_OK((int)pointer[i]))
+			    fprintf(NetTrace, " %s %s", cp, TELOPT(pointer[i]));
+			else
+			    fprintf(NetTrace, " %s %d", cp, pointer[i]);
+
+			if (NetTrace == stdout)
+			    fprintf(NetTrace, "\r\n");
+			else
+			    fprintf(NetTrace, "\n");
+			break;
+
+		    case SB:
+			fprintf(NetTrace, " SB ");
+			i++;
+			j = k = i;
+			while (j < length) {
+			    if (pointer[j] == SE) {
+				if (j+1 == length)
+				    break;
+				if (pointer[j+1] == SE)
+				    j++;
+				else
+				    break;
+			    }
+			    pointer[k++] = pointer[j++];
+			}
+			printsub(0, &pointer[i], k - i);
+			if (i < length) {
+			    fprintf(NetTrace, " SE");
+			    i = j;
+			} else
+			    i = j - 1;
+
+			if (NetTrace == stdout)
+			    fprintf(NetTrace, "\r\n");
+			else
+			    fprintf(NetTrace, "\n");
+
+			break;
+
+		    default:
+			fprintf(NetTrace, " %d", pointer[i]);
+			break;
+		    }
+		}
+		break;
+	    }
+	    break;
+	  }
+
+	case TELOPT_XDISPLOC:
+	    fprintf(NetTrace, "X-DISPLAY-LOCATION ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND");
+		break;
+	    default:
+		fprintf(NetTrace, "- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+
+	case TELOPT_NEW_ENVIRON:
+	    fprintf(NetTrace, "NEW-ENVIRON ");
+#ifdef	OLD_ENVIRON
+	    goto env_common1;
+	case TELOPT_OLD_ENVIRON:
+	    fprintf(NetTrace, "OLD-ENVIRON");
+	env_common1:
+#endif
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS ");
+		goto env_common;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND ");
+		goto env_common;
+	    case TELQUAL_INFO:
+		fprintf(NetTrace, "INFO ");
+	    env_common:
+		{
+		    int noquote = 2;
+		    for (i = 2; i < length; i++ ) {
+			switch (pointer[i]) {
+			case NEW_ENV_VALUE:
+#ifdef OLD_ENVIRON
+		     /*	case NEW_ENV_OVAR: */
+			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
+				    fprintf(NetTrace, "\" VAR " + noquote);
+			    } else
+#endif /* OLD_ENVIRON */
+				fprintf(NetTrace, "\" VALUE " + noquote);
+			    noquote = 2;
+			    break;
+
+			case NEW_ENV_VAR:
+#ifdef OLD_ENVIRON
+		     /* case OLD_ENV_VALUE: */
+			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
+				    fprintf(NetTrace, "\" VALUE " + noquote);
+			    } else
+#endif /* OLD_ENVIRON */
+				fprintf(NetTrace, "\" VAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_ESC:
+			    fprintf(NetTrace, "\" ESC " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_USERVAR:
+			    fprintf(NetTrace, "\" USERVAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			default:
+			    if (isprint(pointer[i]) && pointer[i] != '"') {
+				if (noquote) {
+				    putc('"', NetTrace);
+				    noquote = 0;
+				}
+				putc(pointer[i], NetTrace);
+			    } else {
+				fprintf(NetTrace, "\" %03o " + noquote,
+							pointer[i]);
+				noquote = 2;
+			    }
+			    break;
+			}
+		    }
+		    if (!noquote)
+			putc('"', NetTrace);
+		    break;
+		}
+	    }
+	    break;
+
+	default:
+	    if (TELOPT_OK(pointer[0]))
+		fprintf(NetTrace, "%s (unknown)", TELOPT(pointer[0]));
+	    else
+		fprintf(NetTrace, "%d (unknown)", pointer[0]);
+	    for (i = 1; i < length; i++)
+		fprintf(NetTrace, " %d", pointer[i]);
+	    break;
+	}
+	if (direction) {
+	    if (NetTrace == stdout)
+		fprintf(NetTrace, "\r\n");
+	    else
+		fprintf(NetTrace, "\n");
+	}
+	if (NetTrace == stdout)
+	    fflush(NetTrace);
+    }
+}
+
+/* EmptyTerminal - called to make sure that the terminal buffer is empty.
+ *			Note that we consider the buffer to run all the
+ *			way to the kernel (thus the select).
+ */
+
+void
+EmptyTerminal(void)
+{
+    fd_set	outs;
+
+    FD_ZERO(&outs);
+
+    if (tout >= FD_SETSIZE)
+	ExitString("fd too large", 1);
+
+    if (TTYBYTES() == 0) {
+	FD_SET(tout, &outs);
+	select(tout+1, 0, &outs, 0,
+		      (struct timeval *) 0); /* wait for TTLOWAT */
+    } else {
+	while (TTYBYTES()) {
+	    ttyflush(0);
+	    FD_SET(tout, &outs);
+	    select(tout+1, 0, &outs, 0,
+			  (struct timeval *) 0); /* wait for TTLOWAT */
+	}
+    }
+}
+
+void
+SetForExit(void)
+{
+    setconnmode(0);
+    do {
+	telrcv();			/* Process any incoming data */
+	EmptyTerminal();
+    } while (ring_full_count(&netiring));	/* While there is any */
+    setcommandmode();
+    fflush(stdout);
+    fflush(stderr);
+    setconnmode(0);
+    EmptyTerminal();			/* Flush the path to the tty */
+    setcommandmode();
+}
+
+void
+Exit(int returnCode)
+{
+    SetForExit();
+    exit(returnCode);
+}
+
+void
+ExitString(char *string, int returnCode)
+{
+    SetForExit();
+    fwrite(string, 1, strlen(string), stderr);
+    exit(returnCode);
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile.am b/crypto/heimdal/appl/telnet/telnetd/Makefile.am
new file mode 100644
index 0000000..c375a05
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/Makefile.am
@@ -0,0 +1,24 @@
+# $Id: Makefile.am,v 1.15 2001/02/07 06:12:02 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4)
+
+libexec_PROGRAMS = telnetd
+
+CHECK_LOCAL = 
+
+telnetd_SOURCES  = telnetd.c state.c termstat.c slc.c sys_term.c \
+		   utility.c global.c authenc.c defs.h ext.h telnetd.h
+
+man_MANS = telnetd.8
+
+LDADD = \
+	../libtelnet/libtelnet.a \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_tgetent) \
+	$(LIB_logwtmp) \
+	$(LIB_kdfs) \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile.in b/crypto/heimdal/appl/telnet/telnetd/Makefile.in
new file mode 100644
index 0000000..c62a8ba
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/Makefile.in
@@ -0,0 +1,636 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.15 2001/02/07 06:12:02 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/.. $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = 
+
+libexec_PROGRAMS = telnetd
+
+telnetd_SOURCES = telnetd.c state.c termstat.c slc.c sys_term.c \
+		   utility.c global.c authenc.c defs.h ext.h telnetd.h
+
+
+man_MANS = telnetd.8
+
+LDADD = \
+	../libtelnet/libtelnet.a \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_tgetent) \
+	$(LIB_logwtmp) \
+	$(LIB_kdfs) \
+	$(LIB_roken)
+
+subdir = appl/telnet/telnetd
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+libexec_PROGRAMS =  telnetd$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_telnetd_OBJECTS =  telnetd.$(OBJEXT) state.$(OBJEXT) \
+termstat.$(OBJEXT) slc.$(OBJEXT) sys_term.$(OBJEXT) utility.$(OBJEXT) \
+global.$(OBJEXT) authenc.$(OBJEXT)
+telnetd_OBJECTS =  $(am_telnetd_OBJECTS)
+telnetd_LDADD = $(LDADD)
+@DCE_FALSE@@KRB5_FALSE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a
+@DCE_FALSE@@KRB5_TRUE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_TRUE@@KRB5_FALSE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB5_TRUE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+telnetd_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(telnetd_SOURCES)
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(telnetd_SOURCES)
+OBJECTS = $(am_telnetd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/telnetd/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+telnetd$(EXEEXT): $(telnetd_OBJECTS) $(telnetd_DEPENDENCIES)
+	@rm -f telnetd$(EXEEXT)
+	$(LINK) $(telnetd_LDFLAGS) $(telnetd_OBJECTS) $(telnetd_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool install-man8 uninstall-man8 install-man \
+uninstall-man tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/telnet/telnetd/authenc.c b/crypto/heimdal/appl/telnet/telnetd/authenc.c
new file mode 100644
index 0000000..14594ea2
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/authenc.c
@@ -0,0 +1,80 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: authenc.c,v 1.10 2000/11/15 23:20:43 assar Exp $");
+
+#ifdef AUTHENTICATION
+
+int
+telnet_net_write(unsigned char *str, int len)
+{
+    if (nfrontp + len < netobuf + BUFSIZ) {
+	memmove(nfrontp, str, len);
+	nfrontp += len;
+	return(len);
+    }
+    return(0);
+}
+
+void
+net_encrypt(void)
+{
+#ifdef ENCRYPTION
+    char *s = (nclearto > nbackp) ? nclearto : nbackp;
+    if (s < nfrontp && encrypt_output) {
+	(*encrypt_output)((unsigned char *)s, nfrontp - s);
+    }
+    nclearto = nfrontp;
+#endif
+}
+
+int
+telnet_spin(void)
+{
+    return ttloop();
+}
+
+char *
+telnet_getenv(const char *val)
+{
+    return(getenv(val));
+}
+
+char *
+telnet_gets(char *prompt, char *result, int length, int echo)
+{
+    return NULL;
+}
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnetd/defs.h b/crypto/heimdal/appl/telnet/telnetd/defs.h
new file mode 100644
index 0000000..dc3f842
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/defs.h
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)defs.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Telnet server defines
+ */
+
+#ifndef __DEFS_H__
+#define __DEFS_H__
+
+#ifndef	BSD
+# define	BSD 43
+#endif
+
+#if defined(PRINTOPTIONS) && defined(DIAGNOSTICS)
+#define TELOPTS
+#define TELCMDS
+#define	SLC_NAMES
+#endif
+
+#if	!defined(TIOCSCTTY) && defined(TCSETCTTY)
+# define	TIOCSCTTY TCSETCTTY
+#endif
+
+#ifndef TIOCPKT_FLUSHWRITE
+#define TIOCPKT_FLUSHWRITE      0x02
+#endif
+ 
+#ifndef TIOCPKT_NOSTOP
+#define TIOCPKT_NOSTOP  0x10
+#endif
+ 
+#ifndef TIOCPKT_DOSTOP
+#define TIOCPKT_DOSTOP  0x20
+#endif
+
+/*
+ * I/O data buffers defines
+ */
+#define	NETSLOP	64
+#ifdef _CRAY
+#undef BUFSIZ
+#define BUFSIZ  2048
+#endif
+
+#define	NIACCUM(c)	{   *netip++ = c; \
+			    ncc++; \
+			}
+
+/* clock manipulations */
+#define	settimer(x)	(clocks.x = ++clocks.system)
+#define	sequenceIs(x,y)	(clocks.x < clocks.y)
+
+/*
+ * Structures of information for each special character function.
+ */
+typedef struct {
+	unsigned char	flag;		/* the flags for this function */
+	cc_t		val;		/* the value of the special character */
+} slcent, *Slcent;
+
+typedef struct {
+	slcent		defset;		/* the default settings */
+	slcent		current;	/* the current settings */
+	cc_t		*sptr;		/* a pointer to the char in */
+					/* system data structures */
+} slcfun, *Slcfun;
+
+#ifdef DIAGNOSTICS
+/*
+ * Diagnostics capabilities
+ */
+#define	TD_REPORT	0x01	/* Report operations to client */
+#define TD_EXERCISE	0x02	/* Exercise client's implementation */
+#define TD_NETDATA	0x04	/* Display received data stream */
+#define TD_PTYDATA	0x08	/* Display data passed to pty */
+#define	TD_OPTIONS	0x10	/* Report just telnet options */
+#endif /* DIAGNOSTICS */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define	MY_STATE_WILL		0x01
+#define	MY_WANT_STATE_WILL	0x02
+#define	MY_STATE_DO		0x04
+#define	MY_WANT_STATE_DO	0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define	my_state_is_do(opt)		(options[opt]&MY_STATE_DO)
+#define	my_state_is_will(opt)		(options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)	(options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)	(options[opt]&MY_WANT_STATE_WILL)
+
+#define	my_state_is_dont(opt)		(!my_state_is_do(opt))
+#define	my_state_is_wont(opt)		(!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)	(!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)	(!my_want_state_is_will(opt))
+
+#define	set_my_state_do(opt)		(options[opt] |= MY_STATE_DO)
+#define	set_my_state_will(opt)		(options[opt] |= MY_STATE_WILL)
+#define	set_my_want_state_do(opt)	(options[opt] |= MY_WANT_STATE_DO)
+#define	set_my_want_state_will(opt)	(options[opt] |= MY_WANT_STATE_WILL)
+
+#define	set_my_state_dont(opt)		(options[opt] &= ~MY_STATE_DO)
+#define	set_my_state_wont(opt)		(options[opt] &= ~MY_STATE_WILL)
+#define	set_my_want_state_dont(opt)	(options[opt] &= ~MY_WANT_STATE_DO)
+#define	set_my_want_state_wont(opt)	(options[opt] &= ~MY_WANT_STATE_WILL)
+
+/*
+ * Tricky code here.  What we want to know is if the MY_STATE_WILL
+ * and MY_WANT_STATE_WILL bits have the same value.  Since the two
+ * bits are adjacent, a little arithmatic will show that by adding
+ * in the lower bit, the upper bit will be set if the two bits were
+ * different, and clear if they were the same.
+ */
+#define my_will_wont_is_changing(opt) \
+			((options[opt]+MY_STATE_WILL) & MY_WANT_STATE_WILL)
+
+#define my_do_dont_is_changing(opt) \
+			((options[opt]+MY_STATE_DO) & MY_WANT_STATE_DO)
+
+/*
+ * Make everything symetrical
+ */
+
+#define	HIS_STATE_WILL			MY_STATE_DO
+#define	HIS_WANT_STATE_WILL		MY_WANT_STATE_DO
+#define HIS_STATE_DO			MY_STATE_WILL
+#define HIS_WANT_STATE_DO		MY_WANT_STATE_WILL
+
+#define	his_state_is_do			my_state_is_will
+#define	his_state_is_will		my_state_is_do
+#define his_want_state_is_do		my_want_state_is_will
+#define his_want_state_is_will		my_want_state_is_do
+
+#define	his_state_is_dont		my_state_is_wont
+#define	his_state_is_wont		my_state_is_dont
+#define his_want_state_is_dont		my_want_state_is_wont
+#define his_want_state_is_wont		my_want_state_is_dont
+
+#define	set_his_state_do		set_my_state_will
+#define	set_his_state_will		set_my_state_do
+#define	set_his_want_state_do		set_my_want_state_will
+#define	set_his_want_state_will		set_my_want_state_do
+
+#define	set_his_state_dont		set_my_state_wont
+#define	set_his_state_wont		set_my_state_dont
+#define	set_his_want_state_dont		set_my_want_state_wont
+#define	set_his_want_state_wont		set_my_want_state_dont
+
+#define his_will_wont_is_changing	my_do_dont_is_changing
+#define his_do_dont_is_changing		my_will_wont_is_changing
+
+#endif /* __DEFS_H__ */
diff --git a/crypto/heimdal/appl/telnet/telnetd/ext.h b/crypto/heimdal/appl/telnet/telnetd/ext.h
new file mode 100644
index 0000000..1cba5b6
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/ext.h
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ext.h	8.2 (Berkeley) 12/15/93
+ */
+
+/* $Id: ext.h,v 1.22 2001/04/24 23:12:11 assar Exp $ */
+
+#ifndef __EXT_H__
+#define __EXT_H__
+
+/*
+ * Telnet server variable declarations
+ */
+extern char	options[256];
+extern char	do_dont_resp[256];
+extern char	will_wont_resp[256];
+extern int	flowmode;	/* current flow control state */
+extern int	restartany;	/* restart output on any character state */
+#ifdef DIAGNOSTICS
+extern int	diagnostic;	/* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+extern int	require_otp;
+#ifdef AUTHENTICATION
+extern int	auth_level;
+#endif
+extern const char *new_login;
+
+extern slcfun	slctab[NSLC + 1];	/* slc mapping table */
+
+extern char	*terminaltype;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+extern char	ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+
+extern char	netibuf[BUFSIZ], *netip;
+
+extern char	netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+extern char	*neturg;		/* one past last bye of urgent data */
+
+extern int	pcc, ncc;
+
+extern int	ourpty, net;
+extern char	*line;
+extern int	SYNCHing;		/* we are in TELNET SYNCH mode */
+
+int telnet_net_write (unsigned char *str, int len);
+void net_encrypt (void);
+int telnet_spin (void);
+char *telnet_getenv (const char *val);
+char *telnet_gets (char *prompt, char *result, int length, int echo);
+void get_slc_defaults (void);
+void telrcv (void);
+void send_do (int option, int init);
+void willoption (int option);
+void send_dont (int option, int init);
+void wontoption (int option);
+void send_will (int option, int init);
+void dooption (int option);
+void send_wont (int option, int init);
+void dontoption (int option);
+void suboption (void);
+void doclientstat (void);
+void send_status (void);
+void init_termbuf (void);
+void set_termbuf (void);
+int spcset (int func, cc_t *valp, cc_t **valpp);
+void set_utid (void);
+int getpty (int *ptynum);
+int tty_isecho (void);
+int tty_flowmode (void);
+int tty_restartany (void);
+void tty_setecho (int on);
+int tty_israw (void);
+void tty_binaryin (int on);
+void tty_binaryout (int on);
+int tty_isbinaryin (void);
+int tty_isbinaryout (void);
+int tty_issofttab (void);
+void tty_setsofttab (int on);
+int tty_islitecho (void);
+void tty_setlitecho (int on);
+int tty_iscrnl (void);
+void tty_tspeed (int val);
+void tty_rspeed (int val);
+void getptyslave (void);
+int cleanopen (char *line);
+void startslave (const char *host, const char *, int autologin, char *autoname);
+void init_env (void);
+void start_login (const char *host, int autologin, char *name);
+void cleanup (int sig);
+int main (int argc, char **argv);
+int getterminaltype (char *name, size_t);
+void _gettermname (void);
+int terminaltypeok (char *s);
+void my_telnet (int f, int p, const char*, const char *, int, char*);
+void interrupt (void);
+void sendbrk (void);
+void sendsusp (void);
+void recv_ayt (void);
+void doeof (void);
+void flowstat (void);
+void clientstat (int code, int parm1, int parm2);
+int ttloop (void);
+int stilloob (int s);
+void ptyflush (void);
+char *nextitem (char *current);
+void netclear (void);
+void netflush (void);
+void writenet (unsigned char *ptr, int len);
+void fatal (int f, char *msg);
+void fatalperror (int f, const char *msg);
+void fatalperror_errno (int f, const char *msg, int error);
+void edithost (char *pat, char *host);
+void putstr (char *s);
+void putchr (int cc);
+void putf (char *cp, char *where);
+void printoption (char *fmt, int option);
+void printsub (int direction, unsigned char *pointer, int length);
+void printdata (char *tag, char *ptr, int cnt);
+int login_tty(int t);
+
+#ifdef ENCRYPTION
+extern void	(*encrypt_output) (unsigned char *, int);
+extern int	(*decrypt_input) (int);
+extern char	*nclearto;
+#endif
+
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+struct clocks_t{
+    int
+	system,			/* what the current time is */
+	echotoggle,		/* last time user entered echo character */
+	modenegotiated,		/* last time operating mode negotiated */
+	didnetreceive,		/* last time we read data from network */
+	ttypesubopt,		/* ttype subopt is received */
+	tspeedsubopt,		/* tspeed subopt is received */
+	environsubopt,		/* environ subopt is received */
+	oenvironsubopt,		/* old environ subopt is received */
+	xdisplocsubopt,		/* xdisploc subopt is received */
+	baseline,		/* time started to do timed action */
+	gotDM;			/* when did we last see a data mark */
+};
+extern struct clocks_t clocks;
+
+extern int log_unauth;
+extern int no_warn;
+
+#ifdef STREAMSPTY
+extern int really_stream;
+#endif
+
+#ifndef USE_IM
+# ifdef CRAY
+#  define USE_IM "Cray UNICOS (%h) (%t)"
+# endif
+# ifdef _AIX
+#  define USE_IM "%s %v.%r (%h) (%t)"
+# endif
+# ifndef USE_IM
+#  define USE_IM "%s %r (%h) (%t)"
+# endif
+#endif
+
+#define DEFAULT_IM "\r\n\r\n" USE_IM "\r\n\r\n\r\n"
+
+#endif /* __EXT_H__ */
diff --git a/crypto/heimdal/appl/telnet/telnetd/global.c b/crypto/heimdal/appl/telnet/telnetd/global.c
new file mode 100644
index 0000000..275cb45
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/global.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* a *lot* of ugly global definitions that really should be removed...
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: global.c,v 1.12 1997/05/11 06:29:59 assar Exp $");
+
+/*
+ * Telnet server variable declarations
+ */
+char	options[256];
+char	do_dont_resp[256];
+char	will_wont_resp[256];
+int	linemode;	/* linemode on/off */
+int	flowmode;	/* current flow control state */
+int	restartany;	/* restart output on any character state */
+#ifdef DIAGNOSTICS
+int	diagnostic;	/* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+int	require_otp;
+
+slcfun	slctab[NSLC + 1];	/* slc mapping table */
+
+char	*terminaltype;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+char	ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+
+char	netibuf[BUFSIZ], *netip;
+
+char	netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+char	*neturg;		/* one past last bye of urgent data */
+
+int	pcc, ncc;
+
+int	ourpty, net;
+int	SYNCHing;		/* we are in TELNET SYNCH mode */
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+struct clocks_t clocks;
+
+
+/* whether to log unauthenticated login attempts */
+int log_unauth;
+
+/* do not print warning if connection is not encrypted */
+int no_warn;
+
+/*
+ * This function appends data to nfrontp and advances nfrontp.
+ */
+
+int
+output_data (const char *format, ...)
+{
+  va_list args;
+  size_t remaining, ret;
+
+  va_start(args, format);
+  remaining = BUFSIZ - (nfrontp - netobuf);
+  ret = vsnprintf (nfrontp,
+		   remaining,
+		   format,
+		   args);
+  nfrontp += ret;
+  va_end(args);
+  return ret;
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/slc.c b/crypto/heimdal/appl/telnet/telnetd/slc.c
new file mode 100644
index 0000000..799d2d8
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/slc.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: slc.c,v 1.10 1997/05/11 06:30:00 assar Exp $");
+
+/*
+ * get_slc_defaults
+ *
+ * Initialize the slc mapping table.
+ */
+void
+get_slc_defaults(void)
+{
+    int i;
+    
+    init_termbuf();
+    
+    for (i = 1; i <= NSLC; i++) {
+	slctab[i].defset.flag =
+	    spcset(i, &slctab[i].defset.val, &slctab[i].sptr);
+	slctab[i].current.flag = SLC_NOSUPPORT;
+	slctab[i].current.val = 0;
+    }
+    
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/state.c b/crypto/heimdal/appl/telnet/telnetd/state.c
new file mode 100644
index 0000000..987d99b
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/state.c
@@ -0,0 +1,1356 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: state.c,v 1.14 2000/10/02 05:06:02 assar Exp $");
+
+unsigned char	doopt[] = { IAC, DO, '%', 'c', 0 };
+unsigned char	dont[] = { IAC, DONT, '%', 'c', 0 };
+unsigned char	will[] = { IAC, WILL, '%', 'c', 0 };
+unsigned char	wont[] = { IAC, WONT, '%', 'c', 0 };
+int	not42 = 1;
+
+/*
+ * Buffer for sub-options, and macros
+ * for suboptions buffer manipulations
+ */
+unsigned char subbuffer[2048], *subpointer= subbuffer, *subend= subbuffer;
+
+#define	SB_CLEAR()	subpointer = subbuffer
+#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
+#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof subbuffer)) { \
+    *subpointer++ = (c); \
+			     }
+#define	SB_GET()	((*subpointer++)&0xff)
+#define	SB_EOF()	(subpointer >= subend)
+#define	SB_LEN()	(subend - subpointer)
+
+#ifdef	ENV_HACK
+unsigned char *subsave;
+#define SB_SAVE()	subsave = subpointer;
+#define	SB_RESTORE()	subpointer = subsave;
+#endif
+
+
+/*
+ * State for recv fsm
+ */
+#define	TS_DATA		0	/* base state */
+#define	TS_IAC		1	/* look for double IAC's */
+#define	TS_CR		2	/* CR-LF ->'s CR */
+#define	TS_SB		3	/* throw away begin's... */
+#define	TS_SE		4	/* ...end's (suboption negotiation) */
+#define	TS_WILL		5	/* will option negotiation */
+#define	TS_WONT		6	/* wont -''- */
+#define	TS_DO		7	/* do -''- */
+#define	TS_DONT		8	/* dont -''- */
+
+void
+telrcv(void)
+{
+    int c;
+    static int state = TS_DATA;
+
+    while (ncc > 0) {
+	if ((&ptyobuf[BUFSIZ] - pfrontp) < 2)
+	    break;
+	c = *netip++ & 0377, ncc--;
+#ifdef ENCRYPTION
+	if (decrypt_input)
+	    c = (*decrypt_input)(c);
+#endif
+	switch (state) {
+
+	case TS_CR:
+	    state = TS_DATA;
+	    /* Strip off \n or \0 after a \r */
+	    if ((c == 0) || (c == '\n')) {
+		break;
+	    }
+	    /* FALL THROUGH */
+
+	case TS_DATA:
+	    if (c == IAC) {
+		state = TS_IAC;
+		break;
+	    }
+	    /*
+	     * We now map \r\n ==> \r for pragmatic reasons.
+	     * Many client implementations send \r\n when
+	     * the user hits the CarriageReturn key.
+	     *
+	     * We USED to map \r\n ==> \n, since \r\n says
+	     * that we want to be in column 1 of the next
+	     * printable line, and \n is the standard
+	     * unix way of saying that (\r is only good
+	     * if CRMOD is set, which it normally is).
+	     */
+	    if ((c == '\r') && his_state_is_wont(TELOPT_BINARY)) {
+		int nc = *netip;
+#ifdef ENCRYPTION
+		if (decrypt_input)
+		    nc = (*decrypt_input)(nc & 0xff);
+#endif
+		{
+#ifdef ENCRYPTION
+		    if (decrypt_input)
+			(void)(*decrypt_input)(-1);
+#endif
+		    state = TS_CR;
+		}
+	    }
+	    *pfrontp++ = c;
+	    break;
+
+	case TS_IAC:
+	gotiac:			switch (c) {
+
+	    /*
+	     * Send the process on the pty side an
+	     * interrupt.  Do this with a NULL or
+	     * interrupt char; depending on the tty mode.
+	     */
+	case IP:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    interrupt();
+	    break;
+
+	case BREAK:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    sendbrk();
+	    break;
+
+	    /*
+	     * Are You There?
+	     */
+	case AYT:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    recv_ayt();
+	    break;
+
+	    /*
+	     * Abort Output
+	     */
+	case AO:
+	    {
+		DIAG(TD_OPTIONS,
+		     printoption("td: recv IAC", c));
+		ptyflush();	/* half-hearted */
+		init_termbuf();
+
+		if (slctab[SLC_AO].sptr &&
+		    *slctab[SLC_AO].sptr != (cc_t)(_POSIX_VDISABLE)) {
+		    *pfrontp++ =
+			(unsigned char)*slctab[SLC_AO].sptr;
+		}
+
+		netclear();	/* clear buffer back */
+		output_data ("%c%c", IAC, DM);
+		neturg = nfrontp-1; /* off by one XXX */
+		DIAG(TD_OPTIONS,
+		     printoption("td: send IAC", DM));
+		break;
+	    }
+
+	/*
+	 * Erase Character and
+	 * Erase Line
+	 */
+	case EC:
+	case EL:
+	    {
+		cc_t ch;
+
+		DIAG(TD_OPTIONS,
+		     printoption("td: recv IAC", c));
+		ptyflush();	/* half-hearted */
+		init_termbuf();
+		if (c == EC)
+		    ch = *slctab[SLC_EC].sptr;
+		else
+		    ch = *slctab[SLC_EL].sptr;
+		if (ch != (cc_t)(_POSIX_VDISABLE))
+		    *pfrontp++ = (unsigned char)ch;
+		break;
+	    }
+
+	/*
+	 * Check for urgent data...
+	 */
+	case DM:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    SYNCHing = stilloob(net);
+	    settimer(gotDM);
+	    break;
+
+
+	    /*
+	     * Begin option subnegotiation...
+	     */
+	case SB:
+	    state = TS_SB;
+	    SB_CLEAR();
+	    continue;
+
+	case WILL:
+	    state = TS_WILL;
+	    continue;
+
+	case WONT:
+	    state = TS_WONT;
+	    continue;
+
+	case DO:
+	    state = TS_DO;
+	    continue;
+
+	case DONT:
+	    state = TS_DONT;
+	    continue;
+	case EOR:
+	    if (his_state_is_will(TELOPT_EOR))
+		doeof();
+	    break;
+
+	    /*
+	     * Handle RFC 10xx Telnet linemode option additions
+	     * to command stream (EOF, SUSP, ABORT).
+	     */
+	case xEOF:
+	    doeof();
+	    break;
+
+	case SUSP:
+	    sendsusp();
+	    break;
+
+	case ABORT:
+	    sendbrk();
+	    break;
+
+	case IAC:
+	    *pfrontp++ = c;
+	    break;
+	}
+	state = TS_DATA;
+	break;
+
+	case TS_SB:
+	    if (c == IAC) {
+		state = TS_SE;
+	    } else {
+		SB_ACCUM(c);
+	    }
+	    break;
+
+	case TS_SE:
+	    if (c != SE) {
+		if (c != IAC) {
+		    /*
+		     * bad form of suboption negotiation.
+		     * handle it in such a way as to avoid
+		     * damage to local state.  Parse
+		     * suboption buffer found so far,
+		     * then treat remaining stream as
+		     * another command sequence.
+		     */
+
+		    /* for DIAGNOSTICS */
+		    SB_ACCUM(IAC);
+		    SB_ACCUM(c);
+		    subpointer -= 2;
+
+		    SB_TERM();
+		    suboption();
+		    state = TS_IAC;
+		    goto gotiac;
+		}
+		SB_ACCUM(c);
+		state = TS_SB;
+	    } else {
+		/* for DIAGNOSTICS */
+		SB_ACCUM(IAC);
+		SB_ACCUM(SE);
+		subpointer -= 2;
+
+		SB_TERM();
+		suboption();	/* handle sub-option */
+		state = TS_DATA;
+	    }
+	    break;
+
+	case TS_WILL:
+	    willoption(c);
+	    state = TS_DATA;
+	    continue;
+
+	case TS_WONT:
+	    wontoption(c);
+	    if (c==TELOPT_ENCRYPT && his_do_dont_is_changing(TELOPT_ENCRYPT) )
+                dontoption(c);
+	    state = TS_DATA;
+	    continue;
+
+	case TS_DO:
+	    dooption(c);
+	    state = TS_DATA;
+	    continue;
+
+	case TS_DONT:
+	    dontoption(c);
+	    state = TS_DATA;
+	    continue;
+
+	default:
+	    syslog(LOG_ERR, "telnetd: panic state=%d\n", state);
+	    printf("telnetd: panic state=%d\n", state);
+	    exit(1);
+	}
+    }
+}  /* end of telrcv */
+
+/*
+ * The will/wont/do/dont state machines are based on Dave Borman's
+ * Telnet option processing state machine.
+ *
+ * These correspond to the following states:
+ *	my_state = the last negotiated state
+ *	want_state = what I want the state to go to
+ *	want_resp = how many requests I have sent
+ * All state defaults are negative, and resp defaults to 0.
+ *
+ * When initiating a request to change state to new_state:
+ *
+ * if ((want_resp == 0 && new_state == my_state) || want_state == new_state) {
+ *	do nothing;
+ * } else {
+ *	want_state = new_state;
+ *	send new_state;
+ *	want_resp++;
+ * }
+ *
+ * When receiving new_state:
+ *
+ * if (want_resp) {
+ *	want_resp--;
+ *	if (want_resp && (new_state == my_state))
+ *		want_resp--;
+ * }
+ * if ((want_resp == 0) && (new_state != want_state)) {
+ *	if (ok_to_switch_to new_state)
+ *		want_state = new_state;
+ *	else
+ *		want_resp++;
+ *	send want_state;
+ * }
+ * my_state = new_state;
+ *
+ * Note that new_state is implied in these functions by the function itself.
+ * will and do imply positive new_state, wont and dont imply negative.
+ *
+ * Finally, there is one catch.  If we send a negative response to a
+ * positive request, my_state will be the positive while want_state will
+ * remain negative.  my_state will revert to negative when the negative
+ * acknowlegment arrives from the peer.  Thus, my_state generally tells
+ * us not only the last negotiated state, but also tells us what the peer
+ * wants to be doing as well.  It is important to understand this difference
+ * as we may wish to be processing data streams based on our desired state
+ * (want_state) or based on what the peer thinks the state is (my_state).
+ *
+ * This all works fine because if the peer sends a positive request, the data
+ * that we receive prior to negative acknowlegment will probably be affected
+ * by the positive state, and we can process it as such (if we can; if we
+ * can't then it really doesn't matter).  If it is that important, then the
+ * peer probably should be buffering until this option state negotiation
+ * is complete.
+ *
+ */
+void
+send_do(int option, int init)
+{
+    if (init) {
+	if ((do_dont_resp[option] == 0 && his_state_is_will(option)) ||
+	    his_want_state_is_will(option))
+	    return;
+	/*
+	 * Special case for TELOPT_TM:  We send a DO, but pretend
+	 * that we sent a DONT, so that we can send more DOs if
+	 * we want to.
+	 */
+	if (option == TELOPT_TM)
+	    set_his_want_state_wont(option);
+	else
+	    set_his_want_state_will(option);
+	do_dont_resp[option]++;
+    }
+    output_data((const char *)doopt, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send do", option));
+}
+
+#ifdef	AUTHENTICATION
+extern void auth_request(void);
+#endif
+#ifdef	ENCRYPTION
+extern void encrypt_send_support();
+#endif
+
+void
+willoption(int option)
+{
+    int changeok = 0;
+    void (*func)() = 0;
+
+    /*
+     * process input from peer.
+     */
+
+    DIAG(TD_OPTIONS, printoption("td: recv will", option));
+
+    if (do_dont_resp[option]) {
+	do_dont_resp[option]--;
+	if (do_dont_resp[option] && his_state_is_will(option))
+	    do_dont_resp[option]--;
+    }
+    if (do_dont_resp[option] == 0) {
+	if (his_want_state_is_wont(option)) {
+	    switch (option) {
+
+	    case TELOPT_BINARY:
+		init_termbuf();
+		tty_binaryin(1);
+		set_termbuf();
+		changeok++;
+		break;
+
+	    case TELOPT_ECHO:
+		/*
+		 * See comments below for more info.
+		 */
+		not42 = 0;	/* looks like a 4.2 system */
+		break;
+
+	    case TELOPT_TM:
+		/*
+		 * We never respond to a WILL TM, and
+		 * we leave the state WONT.
+		 */
+		return;
+
+	    case TELOPT_LFLOW:
+		/*
+		 * If we are going to support flow control
+		 * option, then don't worry peer that we can't
+		 * change the flow control characters.
+		 */
+		slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XON].defset.flag |= SLC_DEFAULT;
+		slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XOFF].defset.flag |= SLC_DEFAULT;
+	    case TELOPT_TTYPE:
+	    case TELOPT_SGA:
+	    case TELOPT_NAWS:
+	    case TELOPT_TSPEED:
+	    case TELOPT_XDISPLOC:
+	    case TELOPT_NEW_ENVIRON:
+	    case TELOPT_OLD_ENVIRON:
+		changeok++;
+		break;
+
+
+#ifdef	AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		func = auth_request;
+		changeok++;
+		break;
+#endif
+
+#ifdef	ENCRYPTION
+	    case TELOPT_ENCRYPT:
+		func = encrypt_send_support;
+		changeok++;
+		break;
+#endif
+			
+	    default:
+		break;
+	    }
+	    if (changeok) {
+		set_his_want_state_will(option);
+		send_do(option, 0);
+	    } else {
+		do_dont_resp[option]++;
+		send_dont(option, 0);
+	    }
+	} else {
+	    /*
+	     * Option processing that should happen when
+	     * we receive conformation of a change in
+	     * state that we had requested.
+	     */
+	    switch (option) {
+	    case TELOPT_ECHO:
+		not42 = 0;	/* looks like a 4.2 system */
+		/*
+		 * Egads, he responded "WILL ECHO".  Turn
+		 * it off right now!
+		 */
+		send_dont(option, 1);
+		/*
+		 * "WILL ECHO".  Kludge upon kludge!
+		 * A 4.2 client is now echoing user input at
+		 * the tty.  This is probably undesireable and
+		 * it should be stopped.  The client will
+		 * respond WONT TM to the DO TM that we send to
+		 * check for kludge linemode.  When the WONT TM
+		 * arrives, linemode will be turned off and a
+		 * change propogated to the pty.  This change
+		 * will cause us to process the new pty state
+		 * in localstat(), which will notice that
+		 * linemode is off and send a WILL ECHO
+		 * so that we are properly in character mode and
+		 * all is well.
+		 */
+		break;
+
+#ifdef	AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		func = auth_request;
+		break;
+#endif
+
+#ifdef	ENCRYPTION
+	    case TELOPT_ENCRYPT:
+		func = encrypt_send_support;
+		break;
+#endif
+
+	    case TELOPT_LFLOW:
+		func = flowstat;
+		break;
+	    }
+	}
+    }
+    set_his_state_will(option);
+    if (func)
+	(*func)();
+}  /* end of willoption */
+
+void
+send_dont(int option, int init)
+{
+    if (init) {
+	if ((do_dont_resp[option] == 0 && his_state_is_wont(option)) ||
+	    his_want_state_is_wont(option))
+	    return;
+	set_his_want_state_wont(option);
+	do_dont_resp[option]++;
+    }
+    output_data((const char *)dont, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send dont", option));
+}
+
+void
+wontoption(int option)
+{
+    /*
+     * Process client input.
+	 */
+
+    DIAG(TD_OPTIONS, printoption("td: recv wont", option));
+
+    if (do_dont_resp[option]) {
+	do_dont_resp[option]--;
+	if (do_dont_resp[option] && his_state_is_wont(option))
+	    do_dont_resp[option]--;
+    }
+    if (do_dont_resp[option] == 0) {
+	if (his_want_state_is_will(option)) {
+	    /* it is always ok to change to negative state */
+	    switch (option) {
+	    case TELOPT_ECHO:
+		not42 = 1; /* doesn't seem to be a 4.2 system */
+		break;
+
+	    case TELOPT_BINARY:
+		init_termbuf();
+		tty_binaryin(0);
+		set_termbuf();
+		break;
+
+	    case TELOPT_TM:
+		/*
+		 * If we get a WONT TM, and had sent a DO TM,
+		 * don't respond with a DONT TM, just leave it
+		 * as is.  Short circut the state machine to
+		 * achive this.
+		 */
+		set_his_want_state_wont(TELOPT_TM);
+		return;
+
+	    case TELOPT_LFLOW:
+		/*
+		 * If we are not going to support flow control
+		 * option, then let peer know that we can't
+		 * change the flow control characters.
+		 */
+		slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XON].defset.flag |= SLC_CANTCHANGE;
+		slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XOFF].defset.flag |= SLC_CANTCHANGE;
+		break;
+
+#ifdef AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		auth_finished(0, AUTH_REJECT);
+		break;
+#endif
+
+		/*
+		 * For options that we might spin waiting for
+		 * sub-negotiation, if the client turns off the
+		 * option rather than responding to the request,
+		 * we have to treat it here as if we got a response
+		 * to the sub-negotiation, (by updating the timers)
+		 * so that we'll break out of the loop.
+		 */
+	    case TELOPT_TTYPE:
+		settimer(ttypesubopt);
+		break;
+
+	    case TELOPT_TSPEED:
+		settimer(tspeedsubopt);
+		break;
+
+	    case TELOPT_XDISPLOC:
+		settimer(xdisplocsubopt);
+		break;
+
+	    case TELOPT_OLD_ENVIRON:
+		settimer(oenvironsubopt);
+		break;
+
+	    case TELOPT_NEW_ENVIRON:
+		settimer(environsubopt);
+		break;
+
+	    default:
+		break;
+	    }
+	    set_his_want_state_wont(option);
+	    if (his_state_is_will(option))
+		send_dont(option, 0);
+	} else {
+	    switch (option) {
+	    case TELOPT_TM:
+		break;
+
+#ifdef AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		auth_finished(0, AUTH_REJECT);
+		break;
+#endif
+	    default:
+		break;
+	    }
+	}
+    }
+    set_his_state_wont(option);
+
+}  /* end of wontoption */
+
+void
+send_will(int option, int init)
+{
+    if (init) {
+	if ((will_wont_resp[option] == 0 && my_state_is_will(option))||
+	    my_want_state_is_will(option))
+	    return;
+	set_my_want_state_will(option);
+	will_wont_resp[option]++;
+    }
+    output_data ((const char *)will, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send will", option));
+}
+
+/*
+ * When we get a DONT SGA, we will try once to turn it
+ * back on.  If the other side responds DONT SGA, we
+ * leave it at that.  This is so that when we talk to
+ * clients that understand KLUDGELINEMODE but not LINEMODE,
+ * we'll keep them in char-at-a-time mode.
+ */
+int turn_on_sga = 0;
+
+void
+dooption(int option)
+{
+    int changeok = 0;
+
+    /*
+     * Process client input.
+     */
+
+    DIAG(TD_OPTIONS, printoption("td: recv do", option));
+
+    if (will_wont_resp[option]) {
+	will_wont_resp[option]--;
+	if (will_wont_resp[option] && my_state_is_will(option))
+	    will_wont_resp[option]--;
+    }
+    if ((will_wont_resp[option] == 0) && (my_want_state_is_wont(option))) {
+	switch (option) {
+	case TELOPT_ECHO:
+	    {
+		init_termbuf();
+		tty_setecho(1);
+		set_termbuf();
+	    }
+	changeok++;
+	break;
+
+	case TELOPT_BINARY:
+	    init_termbuf();
+	    tty_binaryout(1);
+	    set_termbuf();
+	    changeok++;
+	    break;
+
+	case TELOPT_SGA:
+	    turn_on_sga = 0;
+	    changeok++;
+	    break;
+
+	case TELOPT_STATUS:
+	    changeok++;
+	    break;
+
+	case TELOPT_TM:
+	    /*
+	     * Special case for TM.  We send a WILL, but
+	     * pretend we sent a WONT.
+	     */
+	    send_will(option, 0);
+	    set_my_want_state_wont(option);
+	    set_my_state_wont(option);
+	    return;
+
+	case TELOPT_LOGOUT:
+	    /*
+	     * When we get a LOGOUT option, respond
+	     * with a WILL LOGOUT, make sure that
+	     * it gets written out to the network,
+	     * and then just go away...
+	     */
+	    set_my_want_state_will(TELOPT_LOGOUT);
+	    send_will(TELOPT_LOGOUT, 0);
+	    set_my_state_will(TELOPT_LOGOUT);
+	    netflush();
+	    cleanup(0);
+	    /* NOT REACHED */
+	    break;
+
+#ifdef ENCRYPTION
+	case TELOPT_ENCRYPT:
+	    changeok++;
+	    break;
+#endif
+	case TELOPT_LINEMODE:
+	case TELOPT_TTYPE:
+	case TELOPT_NAWS:
+	case TELOPT_TSPEED:
+	case TELOPT_LFLOW:
+	case TELOPT_XDISPLOC:
+#ifdef	TELOPT_ENVIRON
+	case TELOPT_NEW_ENVIRON:
+#endif
+	case TELOPT_OLD_ENVIRON:
+	default:
+	    break;
+	}
+	if (changeok) {
+	    set_my_want_state_will(option);
+	    send_will(option, 0);
+	} else {
+	    will_wont_resp[option]++;
+	    send_wont(option, 0);
+	}
+    }
+    set_my_state_will(option);
+
+}  /* end of dooption */
+
+void
+send_wont(int option, int init)
+{
+    if (init) {
+	if ((will_wont_resp[option] == 0 && my_state_is_wont(option)) ||
+	    my_want_state_is_wont(option))
+	    return;
+	set_my_want_state_wont(option);
+	will_wont_resp[option]++;
+    }
+    output_data ((const char *)wont, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send wont", option));
+}
+
+void
+dontoption(int option)
+{
+    /*
+     * Process client input.
+	 */
+
+
+    DIAG(TD_OPTIONS, printoption("td: recv dont", option));
+
+    if (will_wont_resp[option]) {
+	will_wont_resp[option]--;
+	if (will_wont_resp[option] && my_state_is_wont(option))
+	    will_wont_resp[option]--;
+    }
+    if ((will_wont_resp[option] == 0) && (my_want_state_is_will(option))) {
+	switch (option) {
+	case TELOPT_BINARY:
+	    init_termbuf();
+	    tty_binaryout(0);
+	    set_termbuf();
+	    break;
+
+	case TELOPT_ECHO:	/* we should stop echoing */
+	    {
+		init_termbuf();
+		tty_setecho(0);
+		set_termbuf();
+	    }
+	break;
+
+	case TELOPT_SGA:
+	    set_my_want_state_wont(option);
+	    if (my_state_is_will(option))
+		send_wont(option, 0);
+	    set_my_state_wont(option);
+	    if (turn_on_sga ^= 1)
+		send_will(option, 1);
+	    return;
+
+	default:
+	    break;
+	}
+
+	set_my_want_state_wont(option);
+	if (my_state_is_will(option))
+	    send_wont(option, 0);
+    }
+    set_my_state_wont(option);
+
+}  /* end of dontoption */
+
+#ifdef	ENV_HACK
+int env_ovar = -1;
+int env_ovalue = -1;
+#else	/* ENV_HACK */
+# define env_ovar OLD_ENV_VAR
+# define env_ovalue OLD_ENV_VALUE
+#endif	/* ENV_HACK */
+
+/*
+ * suboption()
+ *
+ *	Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *	Currently we recognize:
+ *
+ *	Terminal type is
+ *	Linemode
+ *	Window size
+ *	Terminal speed
+ */
+void
+suboption(void)
+{
+    int subchar;
+
+    DIAG(TD_OPTIONS, {netflush(); printsub('<', subpointer, SB_LEN()+2);});
+
+    subchar = SB_GET();
+    switch (subchar) {
+    case TELOPT_TSPEED: {
+	int xspeed, rspeed;
+
+	if (his_state_is_wont(TELOPT_TSPEED))	/* Ignore if option disabled */
+	    break;
+
+	settimer(tspeedsubopt);
+
+	if (SB_EOF() || SB_GET() != TELQUAL_IS)
+	    return;
+
+	xspeed = atoi((char *)subpointer);
+
+	while (SB_GET() != ',' && !SB_EOF());
+	if (SB_EOF())
+	    return;
+
+	rspeed = atoi((char *)subpointer);
+	clientstat(TELOPT_TSPEED, xspeed, rspeed);
+
+	break;
+
+    }  /* end of case TELOPT_TSPEED */
+
+    case TELOPT_TTYPE: {		/* Yaaaay! */
+	static char terminalname[41];
+
+	if (his_state_is_wont(TELOPT_TTYPE))	/* Ignore if option disabled */
+	    break;
+	settimer(ttypesubopt);
+
+	if (SB_EOF() || SB_GET() != TELQUAL_IS) {
+	    return;		/* ??? XXX but, this is the most robust */
+	}
+
+	terminaltype = terminalname;
+
+	while ((terminaltype < (terminalname + sizeof terminalname-1)) &&
+	       !SB_EOF()) {
+	    int c;
+
+	    c = SB_GET();
+	    if (isupper(c)) {
+		c = tolower(c);
+	    }
+	    *terminaltype++ = c;    /* accumulate name */
+	}
+	*terminaltype = 0;
+	terminaltype = terminalname;
+	break;
+    }  /* end of case TELOPT_TTYPE */
+
+    case TELOPT_NAWS: {
+	int xwinsize, ywinsize;
+
+	if (his_state_is_wont(TELOPT_NAWS))	/* Ignore if option disabled */
+	    break;
+
+	if (SB_EOF())
+	    return;
+	xwinsize = SB_GET() << 8;
+	if (SB_EOF())
+	    return;
+	xwinsize |= SB_GET();
+	if (SB_EOF())
+	    return;
+	ywinsize = SB_GET() << 8;
+	if (SB_EOF())
+	    return;
+	ywinsize |= SB_GET();
+	clientstat(TELOPT_NAWS, xwinsize, ywinsize);
+
+	break;
+
+    }  /* end of case TELOPT_NAWS */
+
+    case TELOPT_STATUS: {
+	int mode;
+
+	if (SB_EOF())
+	    break;
+	mode = SB_GET();
+	switch (mode) {
+	case TELQUAL_SEND:
+	    if (my_state_is_will(TELOPT_STATUS))
+		send_status();
+	    break;
+
+	case TELQUAL_IS:
+	    break;
+
+	default:
+	    break;
+	}
+	break;
+    }  /* end of case TELOPT_STATUS */
+
+    case TELOPT_XDISPLOC: {
+	if (SB_EOF() || SB_GET() != TELQUAL_IS)
+	    return;
+	settimer(xdisplocsubopt);
+	subpointer[SB_LEN()] = '\0';
+	esetenv("DISPLAY", (char *)subpointer, 1);
+	break;
+    }  /* end of case TELOPT_XDISPLOC */
+
+#ifdef	TELOPT_NEW_ENVIRON
+    case TELOPT_NEW_ENVIRON:
+#endif
+    case TELOPT_OLD_ENVIRON: {
+	int c;
+	char *cp, *varp, *valp;
+
+	if (SB_EOF())
+	    return;
+	c = SB_GET();
+	if (c == TELQUAL_IS) {
+	    if (subchar == TELOPT_OLD_ENVIRON)
+		settimer(oenvironsubopt);
+	    else
+		settimer(environsubopt);
+	} else if (c != TELQUAL_INFO) {
+	    return;
+	}
+
+#ifdef	TELOPT_NEW_ENVIRON
+	if (subchar == TELOPT_NEW_ENVIRON) {
+	    while (!SB_EOF()) {
+		c = SB_GET();
+		if ((c == NEW_ENV_VAR) || (c == ENV_USERVAR))
+		    break;
+	    }
+	} else
+#endif
+	    {
+#ifdef	ENV_HACK
+		/*
+		 * We only want to do this if we haven't already decided
+		 * whether or not the other side has its VALUE and VAR
+		 * reversed.
+		 */
+		if (env_ovar < 0) {
+		    int last = -1;		/* invalid value */
+		    int empty = 0;
+		    int got_var = 0, got_value = 0, got_uservar = 0;
+
+		    /*
+		     * The other side might have its VALUE and VAR values
+		     * reversed.  To be interoperable, we need to determine
+		     * which way it is.  If the first recognized character
+		     * is a VAR or VALUE, then that will tell us what
+		     * type of client it is.  If the fist recognized
+		     * character is a USERVAR, then we continue scanning
+		     * the suboption looking for two consecutive
+		     * VAR or VALUE fields.  We should not get two
+		     * consecutive VALUE fields, so finding two
+		     * consecutive VALUE or VAR fields will tell us
+		     * what the client is.
+		     */
+		    SB_SAVE();
+		    while (!SB_EOF()) {
+			c = SB_GET();
+			switch(c) {
+			case OLD_ENV_VAR:
+			    if (last < 0 || last == OLD_ENV_VAR
+				|| (empty && (last == OLD_ENV_VALUE)))
+				goto env_ovar_ok;
+			    got_var++;
+			    last = OLD_ENV_VAR;
+			    break;
+			case OLD_ENV_VALUE:
+			    if (last < 0 || last == OLD_ENV_VALUE
+				|| (empty && (last == OLD_ENV_VAR)))
+				goto env_ovar_wrong;
+			    got_value++;
+			    last = OLD_ENV_VALUE;
+			    break;
+			case ENV_USERVAR:
+			    /* count strings of USERVAR as one */
+			    if (last != ENV_USERVAR)
+				got_uservar++;
+			    if (empty) {
+				if (last == OLD_ENV_VALUE)
+				    goto env_ovar_ok;
+				if (last == OLD_ENV_VAR)
+				    goto env_ovar_wrong;
+			    }
+			    last = ENV_USERVAR;
+			    break;
+			case ENV_ESC:
+			    if (!SB_EOF())
+				c = SB_GET();
+			    /* FALL THROUGH */
+			default:
+			    empty = 0;
+			    continue;
+			}
+			empty = 1;
+		    }
+		    if (empty) {
+			if (last == OLD_ENV_VALUE)
+			    goto env_ovar_ok;
+			if (last == OLD_ENV_VAR)
+			    goto env_ovar_wrong;
+		    }
+		    /*
+		     * Ok, the first thing was a USERVAR, and there
+		     * are not two consecutive VAR or VALUE commands,
+		     * and none of the VAR or VALUE commands are empty.
+		     * If the client has sent us a well-formed option,
+		     * then the number of VALUEs received should always
+		     * be less than or equal to the number of VARs and
+		     * USERVARs received.
+		     *
+		     * If we got exactly as many VALUEs as VARs and
+		     * USERVARs, the client has the same definitions.
+		     *
+		     * If we got exactly as many VARs as VALUEs and
+		     * USERVARS, the client has reversed definitions.
+		     */
+		    if (got_uservar + got_var == got_value) {
+		    env_ovar_ok:
+			env_ovar = OLD_ENV_VAR;
+			env_ovalue = OLD_ENV_VALUE;
+		    } else if (got_uservar + got_value == got_var) {
+		    env_ovar_wrong:
+			env_ovar = OLD_ENV_VALUE;
+			env_ovalue = OLD_ENV_VAR;
+			DIAG(TD_OPTIONS, {
+			    output_data("ENVIRON VALUE and VAR are reversed!\r\n");
+			});
+
+		    }
+		}
+		SB_RESTORE();
+#endif
+
+		while (!SB_EOF()) {
+		    c = SB_GET();
+		    if ((c == env_ovar) || (c == ENV_USERVAR))
+			break;
+		}
+	    }
+
+	if (SB_EOF())
+	    return;
+
+	cp = varp = (char *)subpointer;
+	valp = 0;
+
+	while (!SB_EOF()) {
+	    c = SB_GET();
+	    if (subchar == TELOPT_OLD_ENVIRON) {
+		if (c == env_ovar)
+		    c = NEW_ENV_VAR;
+		else if (c == env_ovalue)
+		    c = NEW_ENV_VALUE;
+	    }
+	    switch (c) {
+
+	    case NEW_ENV_VALUE:
+		*cp = '\0';
+		cp = valp = (char *)subpointer;
+		break;
+
+	    case NEW_ENV_VAR:
+	    case ENV_USERVAR:
+		*cp = '\0';
+		if (valp)
+		    esetenv(varp, valp, 1);
+		else
+		    unsetenv(varp);
+		cp = varp = (char *)subpointer;
+		valp = 0;
+		break;
+
+	    case ENV_ESC:
+		if (SB_EOF())
+		    break;
+		c = SB_GET();
+		/* FALL THROUGH */
+	    default:
+		*cp++ = c;
+		break;
+	    }
+	}
+	*cp = '\0';
+	if (valp)
+	    esetenv(varp, valp, 1);
+	else
+	    unsetenv(varp);
+	break;
+    }  /* end of case TELOPT_NEW_ENVIRON */
+#ifdef AUTHENTICATION
+    case TELOPT_AUTHENTICATION:
+	if (SB_EOF())
+	    break;
+	switch(SB_GET()) {
+	case TELQUAL_SEND:
+	case TELQUAL_REPLY:
+	    /*
+	     * These are sent by us and cannot be sent by
+	     * the client.
+	     */
+	    break;
+	case TELQUAL_IS:
+	    auth_is(subpointer, SB_LEN());
+	    break;
+	case TELQUAL_NAME:
+	    auth_name(subpointer, SB_LEN());
+	    break;
+	}
+	break;
+#endif
+#ifdef ENCRYPTION
+    case TELOPT_ENCRYPT:
+	if (SB_EOF())
+	    break;
+	switch(SB_GET()) {
+	case ENCRYPT_SUPPORT:
+	    encrypt_support(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_IS:
+	    encrypt_is(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_REPLY:
+	    encrypt_reply(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_START:
+	    encrypt_start(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_END:
+	    encrypt_end();
+	    break;
+	case ENCRYPT_REQSTART:
+	    encrypt_request_start(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_REQEND:
+	    /*
+	     * We can always send an REQEND so that we cannot
+	     * get stuck encrypting.  We should only get this
+	     * if we have been able to get in the correct mode
+	     * anyhow.
+	     */
+	    encrypt_request_end();
+	    break;
+	case ENCRYPT_ENC_KEYID:
+	    encrypt_enc_keyid(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_DEC_KEYID:
+	    encrypt_dec_keyid(subpointer, SB_LEN());
+	    break;
+	default:
+	    break;
+	}
+	break;
+#endif
+
+    default:
+	break;
+    }  /* end of switch */
+
+}  /* end of suboption */
+
+void
+doclientstat(void)
+{
+    clientstat(TELOPT_LINEMODE, WILL, 0);
+}
+
+#define	ADD(c)	 *ncp++ = c
+#define	ADD_DATA(c) { *ncp++ = c; if (c == SE || c == IAC) *ncp++ = c; }
+
+void
+send_status(void)
+{
+    unsigned char statusbuf[256];
+    unsigned char *ncp;
+    unsigned char i;
+
+    ncp = statusbuf;
+
+    netflush();	/* get rid of anything waiting to go out */
+
+    ADD(IAC);
+    ADD(SB);
+    ADD(TELOPT_STATUS);
+    ADD(TELQUAL_IS);
+
+    /*
+     * We check the want_state rather than the current state,
+     * because if we received a DO/WILL for an option that we
+     * don't support, and the other side didn't send a DONT/WONT
+     * in response to our WONT/DONT, then the "state" will be
+     * WILL/DO, and the "want_state" will be WONT/DONT.  We
+     * need to go by the latter.
+     */
+    for (i = 0; i < (unsigned char)NTELOPTS; i++) {
+	if (my_want_state_is_will(i)) {
+	    ADD(WILL);
+	    ADD_DATA(i);
+	}
+	if (his_want_state_is_will(i)) {
+	    ADD(DO);
+	    ADD_DATA(i);
+	}
+    }
+
+    if (his_want_state_is_will(TELOPT_LFLOW)) {
+	ADD(SB);
+	ADD(TELOPT_LFLOW);
+	if (flowmode) {
+	    ADD(LFLOW_ON);
+	} else {
+	    ADD(LFLOW_OFF);
+	}
+	ADD(SE);
+
+	if (restartany >= 0) {
+	    ADD(SB);
+	    ADD(TELOPT_LFLOW);
+	    if (restartany) {
+		ADD(LFLOW_RESTART_ANY);
+	    } else {
+		ADD(LFLOW_RESTART_XON);
+	    }
+	    ADD(SE);
+	}
+    }
+
+
+    ADD(IAC);
+    ADD(SE);
+
+    writenet(statusbuf, ncp - statusbuf);
+    netflush();	/* Send it on its way */
+
+    DIAG(TD_OPTIONS,
+	 {printsub('>', statusbuf, ncp - statusbuf); netflush();});
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/sys_term.c b/crypto/heimdal/appl/telnet/telnetd/sys_term.c
new file mode 100644
index 0000000..067f8da
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/sys_term.c
@@ -0,0 +1,1896 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: sys_term.c,v 1.100 2001/04/24 23:11:43 assar Exp $");
+
+#if defined(_CRAY) || (defined(__hpux) && !defined(HAVE_UTMPX_H))
+# define PARENT_DOES_UTMP
+#endif
+
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#endif
+
+#ifdef HAVE_UTMPX_H
+#include <utmpx.h>
+#endif
+
+#ifdef HAVE_UTMPX_H
+struct	utmpx wtmp;
+#elif defined(HAVE_UTMP_H)
+struct	utmp wtmp;
+#endif /* HAVE_UTMPX_H */
+
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+int	utmp_len = sizeof(wtmp.ut_host);
+#else
+int	utmp_len = MaxHostNameLen;
+#endif
+
+#ifndef UTMP_FILE
+#ifdef _PATH_UTMP
+#define UTMP_FILE _PATH_UTMP
+#else
+#define UTMP_FILE "/etc/utmp"
+#endif
+#endif
+
+#if !defined(WTMP_FILE) && defined(_PATH_WTMP)
+#define WTMP_FILE _PATH_WTMP
+#endif
+
+#ifndef PARENT_DOES_UTMP
+#ifdef WTMP_FILE
+char	wtmpf[] = WTMP_FILE;
+#else
+char	wtmpf[]	= "/usr/adm/wtmp";
+#endif
+char	utmpf[] = UTMP_FILE;
+#else /* PARENT_DOES_UTMP */
+#ifdef WTMP_FILE
+char	wtmpf[] = WTMP_FILE;
+#else
+char	wtmpf[]	= "/etc/wtmp";
+#endif
+#endif /* PARENT_DOES_UTMP */
+
+#ifdef HAVE_TMPDIR_H
+#include <tmpdir.h>
+#endif	/* CRAY */
+
+#ifdef	STREAMSPTY
+
+#ifdef HAVE_SAC_H
+#include <sac.h>
+#endif
+
+#ifdef HAVE_SYS_STROPTS_H
+#include <sys/stropts.h>
+#endif
+
+#endif /* STREAMSPTY */
+
+#ifdef	HAVE_SYS_STREAM_H
+#ifdef  HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef __hpux
+#undef SE
+#endif
+#include <sys/stream.h>
+#endif
+#if !(defined(__sgi) || defined(__linux) || defined(_AIX)) && defined(HAVE_SYS_TTY)
+#include <sys/tty.h>
+#endif
+#ifdef	t_erase
+#undef	t_erase
+#undef	t_kill
+#undef	t_intrc
+#undef	t_quitc
+#undef	t_startc
+#undef	t_stopc
+#undef	t_eofc
+#undef	t_brkc
+#undef	t_suspc
+#undef	t_dsuspc
+#undef	t_rprntc
+#undef	t_flushc
+#undef	t_werasc
+#undef	t_lnextc
+#endif
+
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#else
+#ifdef HAVE_TERMIO_H
+#include <termio.h>
+#endif
+#endif
+
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+
+# ifndef	TCSANOW
+#  ifdef TCSETS
+#   define	TCSANOW		TCSETS
+#   define	TCSADRAIN	TCSETSW
+#   define	tcgetattr(f, t)	ioctl(f, TCGETS, (char *)t)
+#  else
+#   ifdef TCSETA
+#    define	TCSANOW		TCSETA
+#    define	TCSADRAIN	TCSETAW
+#    define	tcgetattr(f, t)	ioctl(f, TCGETA, (char *)t)
+#   else
+#    define	TCSANOW		TIOCSETA
+#    define	TCSADRAIN	TIOCSETAW
+#    define	tcgetattr(f, t)	ioctl(f, TIOCGETA, (char *)t)
+#   endif
+#  endif
+#  define	tcsetattr(f, a, t)	ioctl(f, a, t)
+#  define	cfsetospeed(tp, val)	(tp)->c_cflag &= ~CBAUD; \
+(tp)->c_cflag |= (val)
+#  define	cfgetospeed(tp)		((tp)->c_cflag & CBAUD)
+#  ifdef CIBAUD
+#   define	cfsetispeed(tp, val)	(tp)->c_cflag &= ~CIBAUD; \
+     (tp)->c_cflag |= ((val)<<IBSHIFT)
+#   define	cfgetispeed(tp)		(((tp)->c_cflag & CIBAUD)>>IBSHIFT)
+#  else
+#   define	cfsetispeed(tp, val)	(tp)->c_cflag &= ~CBAUD; \
+     (tp)->c_cflag |= (val)
+#   define	cfgetispeed(tp)		((tp)->c_cflag & CBAUD)
+#  endif
+# endif /* TCSANOW */
+     struct termios termbuf, termbuf2;	/* pty control structure */
+# ifdef  STREAMSPTY
+     static int ttyfd = -1;
+     int really_stream = 0;
+# endif
+
+     const char *new_login = _PATH_LOGIN;
+
+/*
+ * init_termbuf()
+ * copy_termbuf(cp)
+ * set_termbuf()
+ *
+ * These three routines are used to get and set the "termbuf" structure
+ * to and from the kernel.  init_termbuf() gets the current settings.
+ * copy_termbuf() hands in a new "termbuf" to write to the kernel, and
+ * set_termbuf() writes the structure into the kernel.
+ */
+
+     void
+     init_termbuf(void)
+{
+# ifdef  STREAMSPTY
+    if (really_stream)
+	tcgetattr(ttyfd, &termbuf);
+    else
+# endif
+	tcgetattr(ourpty, &termbuf);
+    termbuf2 = termbuf;
+}
+
+void
+set_termbuf(void)
+{
+    /*
+     * Only make the necessary changes.
+	 */
+    if (memcmp(&termbuf, &termbuf2, sizeof(termbuf)))
+# ifdef  STREAMSPTY
+	if (really_stream)
+	    tcsetattr(ttyfd, TCSANOW, &termbuf);
+	else
+# endif
+	    tcsetattr(ourpty, TCSANOW, &termbuf);
+}
+
+
+/*
+ * spcset(func, valp, valpp)
+ *
+ * This function takes various special characters (func), and
+ * sets *valp to the current value of that character, and
+ * *valpp to point to where in the "termbuf" structure that
+ * value is kept.
+ *
+ * It returns the SLC_ level of support for this function.
+ */
+
+
+int
+spcset(int func, cc_t *valp, cc_t **valpp)
+{
+
+#define	setval(a, b)	*valp = termbuf.c_cc[a]; \
+    *valpp = &termbuf.c_cc[a]; \
+				   return(b);
+#define	defval(a) *valp = ((cc_t)a); *valpp = (cc_t *)0; return(SLC_DEFAULT);
+
+    switch(func) {
+    case SLC_EOF:
+	setval(VEOF, SLC_VARIABLE);
+    case SLC_EC:
+	setval(VERASE, SLC_VARIABLE);
+    case SLC_EL:
+	setval(VKILL, SLC_VARIABLE);
+    case SLC_IP:
+	setval(VINTR, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+    case SLC_ABORT:
+	setval(VQUIT, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+    case SLC_XON:
+#ifdef	VSTART
+	setval(VSTART, SLC_VARIABLE);
+#else
+	defval(0x13);
+#endif
+    case SLC_XOFF:
+#ifdef	VSTOP
+	setval(VSTOP, SLC_VARIABLE);
+#else
+	defval(0x11);
+#endif
+    case SLC_EW:
+#ifdef	VWERASE
+	setval(VWERASE, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+    case SLC_RP:
+#ifdef	VREPRINT
+	setval(VREPRINT, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+    case SLC_LNEXT:
+#ifdef	VLNEXT
+	setval(VLNEXT, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+    case SLC_AO:
+#if	!defined(VDISCARD) && defined(VFLUSHO)
+# define VDISCARD VFLUSHO
+#endif
+#ifdef	VDISCARD
+	setval(VDISCARD, SLC_VARIABLE|SLC_FLUSHOUT);
+#else
+	defval(0);
+#endif
+    case SLC_SUSP:
+#ifdef	VSUSP
+	setval(VSUSP, SLC_VARIABLE|SLC_FLUSHIN);
+#else
+	defval(0);
+#endif
+#ifdef	VEOL
+    case SLC_FORW1:
+	setval(VEOL, SLC_VARIABLE);
+#endif
+#ifdef	VEOL2
+    case SLC_FORW2:
+	setval(VEOL2, SLC_VARIABLE);
+#endif
+    case SLC_AYT:
+#ifdef	VSTATUS
+	setval(VSTATUS, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+
+    case SLC_BRK:
+    case SLC_SYNCH:
+    case SLC_EOR:
+	defval(0);
+
+    default:
+	*valp = 0;
+	*valpp = 0;
+	return(SLC_NOSUPPORT);
+    }
+}
+
+#ifdef _CRAY
+/*
+ * getnpty()
+ *
+ * Return the number of pty's configured into the system.
+ */
+int
+getnpty()
+{
+#ifdef _SC_CRAY_NPTY
+    int numptys;
+
+    if ((numptys = sysconf(_SC_CRAY_NPTY)) != -1)
+	return numptys;
+    else
+#endif /* _SC_CRAY_NPTY */
+	return 128;
+}
+#endif /* CRAY */
+
+/*
+ * getpty()
+ *
+ * Allocate a pty.  As a side effect, the external character
+ * array "line" contains the name of the slave side.
+ *
+ * Returns the file descriptor of the opened pty.
+ */
+
+static char Xline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+char *line = Xline;
+
+#ifdef	_CRAY
+char myline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+#endif	/* CRAY */
+
+#if !defined(HAVE_PTSNAME) && defined(STREAMSPTY)
+static char *ptsname(int fd)
+{
+#ifdef HAVE_TTYNAME
+    return ttyname(fd);
+#else
+    return NULL;
+#endif
+}
+#endif
+
+int getpty(int *ptynum)
+{
+#ifdef __osf__ /* XXX */
+    int master;
+    int slave;
+    if(openpty(&master, &slave, line, 0, 0) == 0){
+	close(slave);
+	return master;
+    }
+    return -1;
+#else
+#ifdef HAVE__GETPTY
+    int master, slave;
+    char *p;
+    p = _getpty(&master, O_RDWR, 0600, 1);
+    if(p == NULL)
+	return -1;
+    strlcpy(line, p, sizeof(Xline));
+    return master;
+#else
+
+    int p;
+    char *cp, *p1, *p2;
+    int i;
+#if SunOS == 40
+    int dummy;
+#endif
+#if 0 /* && defined(HAVE_OPENPTY) */
+    int master;
+    int slave;
+    if(openpty(&master, &slave, line, 0, 0) == 0){
+	close(slave);
+	return master;
+    }
+#else
+#ifdef	STREAMSPTY
+    char *clone[] = { "/dev/ptc", "/dev/ptmx", "/dev/ptm", 
+		      "/dev/ptym/clone", 0 };
+
+    char **q;
+    for(q=clone; *q; q++){
+	p=open(*q, O_RDWR);
+	if(p >= 0){
+#ifdef HAVE_GRANTPT
+	    grantpt(p);
+#endif
+#ifdef HAVE_UNLOCKPT
+	    unlockpt(p);
+#endif
+	    strlcpy(line, ptsname(p), sizeof(Xline));
+	    really_stream = 1;
+	    return p;
+	}
+    }
+#endif /* STREAMSPTY */
+#ifndef _CRAY
+
+#ifndef	__hpux
+    snprintf(line, sizeof(Xline), "/dev/ptyXX");
+    p1 = &line[8];
+    p2 = &line[9];
+#else
+    snprintf(line, sizeof(Xline), "/dev/ptym/ptyXX");
+    p1 = &line[13];
+    p2 = &line[14];
+#endif
+
+	
+    for (cp = "pqrstuvwxyzPQRST"; *cp; cp++) {
+	struct stat stb;
+
+	*p1 = *cp;
+	*p2 = '0';
+	/*
+	 * This stat() check is just to keep us from
+	 * looping through all 256 combinations if there
+	 * aren't that many ptys available.
+	 */
+	if (stat(line, &stb) < 0)
+	    break;
+	for (i = 0; i < 16; i++) {
+	    *p2 = "0123456789abcdef"[i];
+	    p = open(line, O_RDWR);
+	    if (p > 0) {
+#ifndef	__hpux
+		line[5] = 't';
+#else
+		for (p1 = &line[8]; *p1; p1++)
+		    *p1 = *(p1+1);
+		line[9] = 't';
+#endif
+		chown(line, 0, 0);
+		chmod(line, 0600);
+#if SunOS == 40
+		if (ioctl(p, TIOCGPGRP, &dummy) == 0
+		    || errno != EIO) {
+		    chmod(line, 0666);
+		    close(p);
+		    line[5] = 'p';
+		} else
+#endif /* SunOS == 40 */
+		    return(p);
+	    }
+	}
+    }
+#else	/* CRAY */
+    extern lowpty, highpty;
+    struct stat sb;
+
+    for (*ptynum = lowpty; *ptynum <= highpty; (*ptynum)++) {
+	snprintf(myline, sizeof(myline), "/dev/pty/%03d", *ptynum);
+	p = open(myline, 2);
+	if (p < 0)
+	    continue;
+	snprintf(line, sizeof(Xline), "/dev/ttyp%03d", *ptynum);
+	/*
+	 * Here are some shenanigans to make sure that there
+	 * are no listeners lurking on the line.
+	 */
+	if(stat(line, &sb) < 0) {
+	    close(p);
+	    continue;
+	}
+	if(sb.st_uid || sb.st_gid || sb.st_mode != 0600) {
+	    chown(line, 0, 0);
+	    chmod(line, 0600);
+	    close(p);
+	    p = open(myline, 2);
+	    if (p < 0)
+		continue;
+	}
+	/*
+	 * Now it should be safe...check for accessability.
+	 */
+	if (access(line, 6) == 0)
+	    return(p);
+	else {
+	    /* no tty side to pty so skip it */
+	    close(p);
+	}
+    }
+#endif	/* CRAY */
+#endif	/* STREAMSPTY */
+#endif /* OPENPTY */
+    return(-1);
+#endif
+}
+
+
+int
+tty_isecho(void)
+{
+    return (termbuf.c_lflag & ECHO);
+}
+
+int
+tty_flowmode(void)
+{
+    return((termbuf.c_iflag & IXON) ? 1 : 0);
+}
+
+int
+tty_restartany(void)
+{
+    return((termbuf.c_iflag & IXANY) ? 1 : 0);
+}
+
+void
+tty_setecho(int on)
+{
+    if (on)
+	termbuf.c_lflag |= ECHO;
+    else
+	termbuf.c_lflag &= ~ECHO;
+}
+
+int
+tty_israw(void)
+{
+    return(!(termbuf.c_lflag & ICANON));
+}
+
+void
+tty_binaryin(int on)
+{
+    if (on) {
+	termbuf.c_iflag &= ~ISTRIP;
+    } else {
+	termbuf.c_iflag |= ISTRIP;
+    }
+}
+
+void
+tty_binaryout(int on)
+{
+    if (on) {
+	termbuf.c_cflag &= ~(CSIZE|PARENB);
+	termbuf.c_cflag |= CS8;
+	termbuf.c_oflag &= ~OPOST;
+    } else {
+	termbuf.c_cflag &= ~CSIZE;
+	termbuf.c_cflag |= CS7|PARENB;
+	termbuf.c_oflag |= OPOST;
+    }
+}
+
+int
+tty_isbinaryin(void)
+{
+    return(!(termbuf.c_iflag & ISTRIP));
+}
+
+int
+tty_isbinaryout(void)
+{
+    return(!(termbuf.c_oflag&OPOST));
+}
+
+
+int
+tty_issofttab(void)
+{
+# ifdef	OXTABS
+    return (termbuf.c_oflag & OXTABS);
+# endif
+# ifdef	TABDLY
+    return ((termbuf.c_oflag & TABDLY) == TAB3);
+# endif
+}
+
+void
+tty_setsofttab(int on)
+{
+    if (on) {
+# ifdef	OXTABS
+	termbuf.c_oflag |= OXTABS;
+# endif
+# ifdef	TABDLY
+	termbuf.c_oflag &= ~TABDLY;
+	termbuf.c_oflag |= TAB3;
+# endif
+    } else {
+# ifdef	OXTABS
+	termbuf.c_oflag &= ~OXTABS;
+# endif
+# ifdef	TABDLY
+	termbuf.c_oflag &= ~TABDLY;
+	termbuf.c_oflag |= TAB0;
+# endif
+    }
+}
+
+int
+tty_islitecho(void)
+{
+# ifdef	ECHOCTL
+    return (!(termbuf.c_lflag & ECHOCTL));
+# endif
+# ifdef	TCTLECH
+    return (!(termbuf.c_lflag & TCTLECH));
+# endif
+# if	!defined(ECHOCTL) && !defined(TCTLECH)
+    return (0);	/* assumes ctl chars are echoed '^x' */
+# endif
+}
+
+void
+tty_setlitecho(int on)
+{
+# ifdef	ECHOCTL
+    if (on)
+	termbuf.c_lflag &= ~ECHOCTL;
+    else
+	termbuf.c_lflag |= ECHOCTL;
+# endif
+# ifdef	TCTLECH
+    if (on)
+	termbuf.c_lflag &= ~TCTLECH;
+    else
+	termbuf.c_lflag |= TCTLECH;
+# endif
+}
+
+int
+tty_iscrnl(void)
+{
+    return (termbuf.c_iflag & ICRNL);
+}
+
+/*
+ * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD).
+ */
+#if B4800 != 4800
+#define	DECODE_BAUD
+#endif
+
+#ifdef	DECODE_BAUD
+
+/*
+ * A table of available terminal speeds
+ */
+struct termspeeds {
+    int	speed;
+    int	value;
+} termspeeds[] = {
+    { 0,      B0 },      { 50,    B50 },    { 75,     B75 },
+    { 110,    B110 },    { 134,   B134 },   { 150,    B150 },
+    { 200,    B200 },    { 300,   B300 },   { 600,    B600 },
+    { 1200,   B1200 },   { 1800,  B1800 },  { 2400,   B2400 },
+    { 4800,   B4800 },
+#ifdef	B7200
+    { 7200,  B7200 },
+#endif
+    { 9600,   B9600 },
+#ifdef	B14400
+    { 14400,  B14400 },
+#endif
+#ifdef	B19200
+    { 19200,  B19200 },
+#endif
+#ifdef	B28800
+    { 28800,  B28800 },
+#endif
+#ifdef	B38400
+    { 38400,  B38400 },
+#endif
+#ifdef	B57600
+    { 57600,  B57600 },
+#endif
+#ifdef	B115200
+    { 115200, B115200 },
+#endif
+#ifdef	B230400
+    { 230400, B230400 },
+#endif
+    { -1,     0 }
+};
+#endif	/* DECODE_BUAD */
+
+void
+tty_tspeed(int val)
+{
+#ifdef	DECODE_BAUD
+    struct termspeeds *tp;
+
+    for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++)
+	;
+    if (tp->speed == -1)	/* back up to last valid value */
+	--tp;
+    cfsetospeed(&termbuf, tp->value);
+#else	/* DECODE_BUAD */
+    cfsetospeed(&termbuf, val);
+#endif	/* DECODE_BUAD */
+}
+
+void
+tty_rspeed(int val)
+{
+#ifdef	DECODE_BAUD
+    struct termspeeds *tp;
+
+    for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++)
+	;
+    if (tp->speed == -1)	/* back up to last valid value */
+	--tp;
+    cfsetispeed(&termbuf, tp->value);
+#else	/* DECODE_BAUD */
+    cfsetispeed(&termbuf, val);
+#endif	/* DECODE_BAUD */
+}
+
+#ifdef PARENT_DOES_UTMP
+extern	struct utmp wtmp;
+extern char wtmpf[];
+
+extern void utmp_sig_init (void);
+extern void utmp_sig_reset (void);
+extern void utmp_sig_wait (void);
+extern void utmp_sig_notify (int);
+# endif /* PARENT_DOES_UTMP */
+
+#ifdef STREAMSPTY
+
+/* I_FIND seems to live a life of its own */
+static int my_find(int fd, char *module)
+{
+#if defined(I_FIND) && defined(I_LIST)
+    static int flag;
+    static struct str_list sl;
+    int n;
+    int i;
+  
+    if(!flag){
+	n = ioctl(fd, I_LIST, 0);
+	if(n < 0){
+	    perror("ioctl(fd, I_LIST, 0)");
+	    return -1;
+	}
+	sl.sl_modlist=(struct str_mlist*)malloc(n * sizeof(struct str_mlist));
+	sl.sl_nmods = n;
+	n = ioctl(fd, I_LIST, &sl);
+	if(n < 0){
+	    perror("ioctl(fd, I_LIST, n)");
+	    return -1;
+	}
+	flag = 1;
+    }
+  
+    for(i=0; i<sl.sl_nmods; i++)
+	if(!strcmp(sl.sl_modlist[i].l_name, module))
+	    return 1;
+#endif
+    return 0;
+}
+
+static void maybe_push_modules(int fd, char **modules)
+{
+    char **p;
+    int err;
+
+    for(p=modules; *p; p++){
+	err = my_find(fd, *p);
+	if(err == 1)
+	    break;
+	if(err < 0 && errno != EINVAL)
+	    fatalperror(net, "my_find()");
+	/* module not pushed or does not exist */
+    }
+    /* p points to null or to an already pushed module, now push all
+       modules before this one */
+  
+    for(p--; p >= modules; p--){
+	err = ioctl(fd, I_PUSH, *p);
+	if(err < 0 && errno != EINVAL)
+	    fatalperror(net, "I_PUSH");
+    }
+}
+#endif
+
+/*
+ * getptyslave()
+ *
+ * Open the slave side of the pty, and do any initialization
+ * that is necessary.  The return value is a file descriptor
+ * for the slave side.
+ */
+void getptyslave(void)
+{
+    int t = -1;
+
+    struct winsize ws;
+    extern int def_row, def_col;
+    extern int def_tspeed, def_rspeed;
+    /*
+     * Opening the slave side may cause initilization of the
+     * kernel tty structure.  We need remember the state of
+     * 	if linemode was turned on
+     *	terminal window size
+     *	terminal speed
+     * so that we can re-set them if we need to.
+     */
+
+
+    /*
+     * Make sure that we don't have a controlling tty, and
+     * that we are the session (process group) leader.
+     */
+
+#ifdef HAVE_SETSID
+    if(setsid()<0)
+	fatalperror(net, "setsid()");
+#else
+# ifdef	TIOCNOTTY
+    t = open(_PATH_TTY, O_RDWR);
+    if (t >= 0) {
+	ioctl(t, TIOCNOTTY, (char *)0);
+	close(t);
+    }
+# endif
+#endif
+
+# ifdef PARENT_DOES_UTMP
+    /*
+     * Wait for our parent to get the utmp stuff to get done.
+     */
+    utmp_sig_wait();
+# endif
+
+    t = cleanopen(line);
+    if (t < 0)
+	fatalperror(net, line);
+
+#ifdef  STREAMSPTY
+    ttyfd = t;
+	  
+
+    /*
+     * Not all systems have (or need) modules ttcompat and pckt so
+     * don't flag it as a fatal error if they don't exist.
+     */
+
+    if (really_stream)
+	{
+	    /* these are the streams modules that we want pushed. note
+	       that they are in reverse order, ptem will be pushed
+	       first. maybe_push_modules() will try to push all modules
+	       before the first one that isn't already pushed. i.e if
+	       ldterm is pushed, only ttcompat will be attempted.
+
+	       all this is because we don't know which modules are
+	       available, and we don't know which modules are already
+	       pushed (via autopush, for instance).
+
+	       */
+	     
+	    char *ttymodules[] = { "ttcompat", "ldterm", "ptem", NULL };
+	    char *ptymodules[] = { "pckt", NULL };
+
+	    maybe_push_modules(t, ttymodules);
+	    maybe_push_modules(ourpty, ptymodules);
+	}
+#endif
+    /*
+     * set up the tty modes as we like them to be.
+     */
+    init_termbuf();
+# ifdef	TIOCSWINSZ
+    if (def_row || def_col) {
+	memset(&ws, 0, sizeof(ws));
+	ws.ws_col = def_col;
+	ws.ws_row = def_row;
+	ioctl(t, TIOCSWINSZ, (char *)&ws);
+    }
+# endif
+
+    /*
+     * Settings for sgtty based systems
+     */
+
+    /*
+     * Settings for UNICOS (and HPUX)
+     */
+# if defined(_CRAY) || defined(__hpux)
+    termbuf.c_oflag = OPOST|ONLCR|TAB3;
+    termbuf.c_iflag = IGNPAR|ISTRIP|ICRNL|IXON;
+    termbuf.c_lflag = ISIG|ICANON|ECHO|ECHOE|ECHOK;
+    termbuf.c_cflag = EXTB|HUPCL|CS8;
+# endif
+
+    /*
+     * Settings for all other termios/termio based
+     * systems, other than 4.4BSD.  In 4.4BSD the
+     * kernel does the initial terminal setup.
+     */
+# if !(defined(_CRAY) || defined(__hpux)) && (BSD <= 43)
+#  ifndef	OXTABS
+#   define OXTABS	0
+#  endif
+    termbuf.c_lflag |= ECHO;
+    termbuf.c_oflag |= ONLCR|OXTABS;
+    termbuf.c_iflag |= ICRNL;
+    termbuf.c_iflag &= ~IXOFF;
+# endif
+    tty_rspeed((def_rspeed > 0) ? def_rspeed : 9600);
+    tty_tspeed((def_tspeed > 0) ? def_tspeed : 9600);
+
+    /*
+     * Set the tty modes, and make this our controlling tty.
+     */
+    set_termbuf();
+    if (login_tty(t) == -1)
+	fatalperror(net, "login_tty");
+    if (net > 2)
+	close(net);
+    if (ourpty > 2) {
+	close(ourpty);
+	ourpty = -1;
+    }
+}
+
+#ifndef	O_NOCTTY
+#define	O_NOCTTY	0
+#endif
+/*
+ * Open the specified slave side of the pty,
+ * making sure that we have a clean tty.
+ */
+
+int cleanopen(char *line)
+{
+    int t;
+
+#ifdef STREAMSPTY
+    if (!really_stream)
+#endif
+	{
+	    /*
+	     * Make sure that other people can't open the
+	     * slave side of the connection.
+	     */
+	    chown(line, 0, 0);
+	    chmod(line, 0600);
+	}
+
+#ifdef HAVE_REVOKE
+    revoke(line);
+#endif
+
+    t = open(line, O_RDWR|O_NOCTTY);
+
+    if (t < 0)
+	return(-1);
+
+    /*
+     * Hangup anybody else using this ttyp, then reopen it for
+     * ourselves.
+     */
+# if !(defined(_CRAY) || defined(__hpux)) && (BSD <= 43) && !defined(STREAMSPTY)
+    signal(SIGHUP, SIG_IGN);
+#ifdef HAVE_VHANGUP
+    vhangup();
+#else
+#endif
+    signal(SIGHUP, SIG_DFL);
+    t = open(line, O_RDWR|O_NOCTTY);
+    if (t < 0)
+	return(-1);
+# endif
+# if	defined(_CRAY) && defined(TCVHUP)
+    {
+	int i;
+	signal(SIGHUP, SIG_IGN);
+	ioctl(t, TCVHUP, (char *)0);
+	signal(SIGHUP, SIG_DFL);
+
+	i = open(line, O_RDWR);
+
+	if (i < 0)
+	    return(-1);
+	close(t);
+	t = i;
+    }
+# endif	/* defined(CRAY) && defined(TCVHUP) */
+    return(t);
+}
+
+#if !defined(BSD4_4)
+
+int login_tty(int t)
+{
+# if defined(TIOCSCTTY) && !defined(__hpux)
+    if (ioctl(t, TIOCSCTTY, (char *)0) < 0)
+	fatalperror(net, "ioctl(sctty)");
+#  ifdef _CRAY
+    /*
+     * Close the hard fd to /dev/ttypXXX, and re-open through
+     * the indirect /dev/tty interface.
+     */
+    close(t);
+    if ((t = open("/dev/tty", O_RDWR)) < 0)
+	fatalperror(net, "open(/dev/tty)");
+#  endif
+# else
+    /*
+     * We get our controlling tty assigned as a side-effect
+     * of opening up a tty device.  But on BSD based systems,
+     * this only happens if our process group is zero.  The
+     * setsid() call above may have set our pgrp, so clear
+     * it out before opening the tty...
+     */
+#ifdef HAVE_SETPGID
+    setpgid(0, 0);
+#else
+    setpgrp(0, 0); /* if setpgid isn't available, setpgrp
+		      probably takes arguments */
+#endif
+    close(open(line, O_RDWR));
+# endif
+    if (t != 0)
+	dup2(t, 0);
+    if (t != 1)
+	dup2(t, 1);
+    if (t != 2)
+	dup2(t, 2);
+    if (t > 2)
+	close(t);
+    return(0);
+}
+#endif	/* BSD <= 43 */
+
+/*
+ * This comes from ../../bsd/tty.c and should not really be here.
+ */
+
+/*
+ * Clean the tty name.  Return a pointer to the cleaned version.
+ */
+
+static char *
+clean_ttyname (char *tty)
+{
+  char *res = tty;
+
+  if (strncmp (res, _PATH_DEV, strlen(_PATH_DEV)) == 0)
+    res += strlen(_PATH_DEV);
+  if (strncmp (res, "pty/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "ptym/", 5) == 0)
+    res += 5;
+  return res;
+}
+
+/*
+ * Generate a name usable as an `ut_id', typically without `tty'.
+ */
+
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+static char *
+make_id (char *tty)
+{
+  char *res = tty;
+  
+  if (strncmp (res, "pts/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "tty", 3) == 0)
+    res += 3;
+  return res;
+}
+#endif
+
+/*
+ * startslave(host)
+ *
+ * Given a hostname, do whatever
+ * is necessary to startup the login process on the slave side of the pty.
+ */
+
+/* ARGSUSED */
+void
+startslave(const char *host, const char *utmp_host,
+	   int autologin, char *autoname)
+{
+    int i;
+
+#ifdef AUTHENTICATION
+    if (!autoname || !autoname[0])
+	autologin = 0;
+
+    if (autologin < auth_level) {
+	fatal(net, "Authorization failed");
+	exit(1);
+    }
+#endif
+
+    {
+	char *tbuf =
+	    "\r\n*** Connection not encrypted! "
+	    "Communication may be eavesdropped. ***\r\n";
+#ifdef ENCRYPTION
+	if (!no_warn && (encrypt_output == 0 || decrypt_input == 0))
+#endif
+	    writenet((unsigned char*)tbuf, strlen(tbuf));
+    }
+# ifdef	PARENT_DOES_UTMP
+    utmp_sig_init();
+# endif	/* PARENT_DOES_UTMP */
+
+    if ((i = fork()) < 0)
+	fatalperror(net, "fork");
+    if (i) {
+# ifdef PARENT_DOES_UTMP
+	/*
+	 * Cray parent will create utmp entry for child and send
+	 * signal to child to tell when done.  Child waits for signal
+	 * before doing anything important.
+	 */
+	int pid = i;
+	void sigjob (int);
+
+	setpgrp();
+	utmp_sig_reset();		/* reset handler to default */
+	/*
+	 * Create utmp entry for child
+	 */
+	wtmp.ut_time = time(NULL);
+	wtmp.ut_type = LOGIN_PROCESS;
+	wtmp.ut_pid = pid;
+	strncpy(wtmp.ut_user,  "LOGIN", sizeof(wtmp.ut_user));
+	strncpy(wtmp.ut_host,  utmp_host, sizeof(wtmp.ut_host));
+	strncpy(wtmp.ut_line,  clean_ttyname(line), sizeof(wtmp.ut_line));
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+	strncpy(wtmp.ut_id, wtmp.ut_line + 3, sizeof(wtmp.ut_id));
+#endif
+
+	pututline(&wtmp);
+	endutent();
+	if ((i = open(wtmpf, O_WRONLY|O_APPEND)) >= 0) {
+	    write(i, &wtmp, sizeof(struct utmp));
+	    close(i);
+	}
+#ifdef	_CRAY
+	signal(WJSIGNAL, sigjob);
+#endif
+	utmp_sig_notify(pid);
+# endif	/* PARENT_DOES_UTMP */
+    } else {
+	getptyslave();
+#if defined(DCE)
+	/* if we authenticated via K5, try and join the PAG */
+	kerberos5_dfspag();
+#endif
+	start_login(host, autologin, autoname);
+	/*NOTREACHED*/
+    }
+}
+
+char	*envinit[3];
+extern char **environ;
+
+void
+init_env(void)
+{
+    char **envp;
+
+    envp = envinit;
+    if ((*envp = getenv("TZ")))
+	*envp++ -= 3;
+#if defined(_CRAY) || defined(__hpux)
+    else
+	*envp++ = "TZ=GMT0";
+#endif
+    *envp = 0;
+    environ = envinit;
+}
+
+/*
+ * scrub_env()
+ *
+ * We only accept the environment variables listed below.
+ */
+
+static void
+scrub_env(void)
+{
+    static const char *reject[] = {
+	"TERMCAP=/",
+	NULL
+    };
+
+    static const char *accept[] = {
+	"XAUTH=", "XAUTHORITY=", "DISPLAY=",
+	"TERM=",
+	"EDITOR=",
+	"PAGER=",
+	"PRINTER=",
+	"LOGNAME=",
+	"POSIXLY_CORRECT=",
+	"TERMCAP=",
+	NULL
+    };
+
+    char **cpp, **cpp2;
+    const char **p;
+  
+    for (cpp2 = cpp = environ; *cpp; cpp++) {
+	int reject_it = 0;
+
+	for(p = reject; *p; p++)
+	    if(strncmp(*cpp, *p, strlen(*p)) == 0) {
+		reject_it = 1;
+		break;
+	    }
+	if (reject_it)
+	    continue;
+
+	for(p = accept; *p; p++)
+	    if(strncmp(*cpp, *p, strlen(*p)) == 0)
+		break;
+	if(*p != NULL)
+	    *cpp2++ = *cpp;
+    }
+    *cpp2 = NULL;
+}
+
+
+struct arg_val {
+    int size;
+    int argc;
+    const char **argv;
+};
+
+static void addarg(struct arg_val*, const char*);
+
+/*
+ * start_login(host)
+ *
+ * Assuming that we are now running as a child processes, this
+ * function will turn us into the login process.
+ */
+
+void
+start_login(const char *host, int autologin, char *name)
+{
+    struct arg_val argv;
+    char *user;
+    int save_errno;
+
+#ifdef HAVE_UTMPX_H
+    int pid = getpid();
+    struct utmpx utmpx;
+    char *clean_tty;
+
+    /*
+     * Create utmp entry for child
+     */
+
+    clean_tty = clean_ttyname(line);
+    memset(&utmpx, 0, sizeof(utmpx));
+    strncpy(utmpx.ut_user,  ".telnet", sizeof(utmpx.ut_user));
+    strncpy(utmpx.ut_line,  clean_tty, sizeof(utmpx.ut_line));
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+    strncpy(utmpx.ut_id, make_id(clean_tty), sizeof(utmpx.ut_id));
+#endif
+    utmpx.ut_pid = pid;
+	
+    utmpx.ut_type = LOGIN_PROCESS;
+
+    gettimeofday (&utmpx.ut_tv, NULL);
+    if (pututxline(&utmpx) == NULL)
+	fatal(net, "pututxline failed");
+#endif
+
+    scrub_env();
+	
+    /*
+     * -h : pass on name of host.
+     *		WARNING:  -h is accepted by login if and only if
+     *			getuid() == 0.
+     * -p : don't clobber the environment (so terminal type stays set).
+     *
+     * -f : force this login, he has already been authenticated
+     */
+
+    /* init argv structure */ 
+    argv.size=0;
+    argv.argc=0;
+    argv.argv=malloc(0); /*so we can call realloc later */
+    addarg(&argv, "login");
+    addarg(&argv, "-h");
+    addarg(&argv, host);
+    addarg(&argv, "-p");
+    if(name[0])
+	user = name;
+    else
+	user = getenv("USER");
+#ifdef AUTHENTICATION
+    if (auth_level < 0 || autologin != AUTH_VALID) {
+	if(!no_warn) {
+	    printf("User not authenticated. ");
+	    if (require_otp)
+		printf("Using one-time password\r\n");
+	    else
+		printf("Using plaintext username and password\r\n");
+	}
+	if (require_otp) {
+	    addarg(&argv, "-a");
+	    addarg(&argv, "otp");
+	}
+	if(log_unauth) 
+	    syslog(LOG_INFO, "unauthenticated access from %s (%s)", 
+		   host, user ? user : "unknown user");
+    }
+    if (auth_level >= 0 && autologin == AUTH_VALID)
+	addarg(&argv, "-f");
+#endif
+    if(user){
+	addarg(&argv, "--");
+	addarg(&argv, strdup(user));
+    }
+    if (getenv("USER")) {
+	/*
+	 * Assume that login will set the USER variable
+	 * correctly.  For SysV systems, this means that
+	 * USER will no longer be set, just LOGNAME by
+	 * login.  (The problem is that if the auto-login
+	 * fails, and the user then specifies a different
+	 * account name, he can get logged in with both
+	 * LOGNAME and USER in his environment, but the
+	 * USER value will be wrong.
+	 */
+	unsetenv("USER");
+    }
+    closelog();
+    /*
+     * This sleep(1) is in here so that telnetd can
+     * finish up with the tty.  There's a race condition
+     * the login banner message gets lost...
+     */
+    sleep(1);
+
+    execv(new_login, argv.argv);
+    save_errno = errno;
+    syslog(LOG_ERR, "%s: %m\n", new_login);
+    fatalperror_errno(net, new_login, save_errno);
+    /*NOTREACHED*/
+}
+
+static void
+addarg(struct arg_val *argv, const char *val)
+{
+    if(argv->size <= argv->argc+1) {
+	argv->argv = realloc(argv->argv, sizeof(char*) * (argv->size + 10));
+	if (argv->argv == NULL)
+	    fatal (net, "realloc: out of memory");
+	argv->size+=10;
+    }
+    argv->argv[argv->argc++] = val;
+    argv->argv[argv->argc]   = NULL;
+}
+
+
+/*
+ * rmut()
+ *
+ * This is the function called by cleanup() to
+ * remove the utmp entry for this person.
+ */
+
+#ifdef HAVE_UTMPX_H
+static void
+rmut(void)
+{
+    struct utmpx utmpx, *non_save_utxp;
+    char *clean_tty = clean_ttyname(line);
+
+    /*
+     * This updates the utmpx and utmp entries and make a wtmp/x entry
+     */
+
+    setutxent();
+    memset(&utmpx, 0, sizeof(utmpx));
+    strncpy(utmpx.ut_line, clean_tty, sizeof(utmpx.ut_line));
+    utmpx.ut_type = LOGIN_PROCESS;
+    non_save_utxp = getutxline(&utmpx);
+    if (non_save_utxp) {
+	struct utmpx *utxp;
+	char user0;
+
+	utxp = malloc(sizeof(struct utmpx));
+	*utxp = *non_save_utxp;
+	user0 = utxp->ut_user[0];
+	utxp->ut_user[0] = '\0';
+	utxp->ut_type = DEAD_PROCESS;
+#ifdef HAVE_STRUCT_UTMPX_UT_EXIT
+#ifdef _STRUCT___EXIT_STATUS
+	utxp->ut_exit.__e_termination = 0;
+	utxp->ut_exit.__e_exit = 0;
+#elif defined(__osf__) /* XXX */
+	utxp->ut_exit.ut_termination = 0;
+	utxp->ut_exit.ut_exit = 0;
+#else	
+	utxp->ut_exit.e_termination = 0;
+	utxp->ut_exit.e_exit = 0;
+#endif
+#endif
+	gettimeofday(&utxp->ut_tv, NULL);
+	pututxline(utxp);
+#ifdef WTMPX_FILE
+	utxp->ut_user[0] = user0;
+	updwtmpx(WTMPX_FILE, utxp);
+#elif defined(WTMP_FILE)
+	/* This is a strange system with a utmpx and a wtmp! */
+	{
+	  int f = open(wtmpf, O_WRONLY|O_APPEND);
+	  struct utmp wtmp;
+	  if (f >= 0) {
+	    strncpy(wtmp.ut_line,  clean_tty, sizeof(wtmp.ut_line));
+	    strncpy(wtmp.ut_name,  "", sizeof(wtmp.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+	    strncpy(wtmp.ut_host,  "", sizeof(wtmp.ut_host));
+#endif
+	    wtmp.ut_time = time(NULL);
+	    write(f, &wtmp, sizeof(wtmp));
+	    close(f);
+	  }
+	}
+#endif
+	free (utxp);
+    }
+    endutxent();
+}  /* end of rmut */
+#endif
+
+#if !defined(HAVE_UTMPX_H) && !(defined(_CRAY) || defined(__hpux)) && BSD <= 43
+static void
+rmut(void)
+{
+    int f;
+    int found = 0;
+    struct utmp *u, *utmp;
+    int nutmp;
+    struct stat statbf;
+    char *clean_tty = clean_ttyname(line);
+
+    f = open(utmpf, O_RDWR);
+    if (f >= 0) {
+	fstat(f, &statbf);
+	utmp = (struct utmp *)malloc((unsigned)statbf.st_size);
+	if (!utmp)
+	    syslog(LOG_ERR, "utmp malloc failed");
+	if (statbf.st_size && utmp) {
+	    nutmp = read(f, utmp, (int)statbf.st_size);
+	    nutmp /= sizeof(struct utmp);
+
+	    for (u = utmp ; u < &utmp[nutmp] ; u++) {
+		if (strncmp(u->ut_line,
+			    clean_tty,
+			    sizeof(u->ut_line)) ||
+		    u->ut_name[0]==0)
+		    continue;
+		lseek(f, ((long)u)-((long)utmp), L_SET);
+		strncpy(u->ut_name,  "", sizeof(u->ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+		strncpy(u->ut_host,  "", sizeof(u->ut_host));
+#endif
+		u->ut_time = time(NULL);
+		write(f, u, sizeof(wtmp));
+		found++;
+	    }
+	}
+	close(f);
+    }
+    if (found) {
+	f = open(wtmpf, O_WRONLY|O_APPEND);
+	if (f >= 0) {
+	    strncpy(wtmp.ut_line,  clean_tty, sizeof(wtmp.ut_line));
+	    strncpy(wtmp.ut_name,  "", sizeof(wtmp.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+	    strncpy(wtmp.ut_host,  "", sizeof(wtmp.ut_host));
+#endif
+	    wtmp.ut_time = time(NULL);
+	    write(f, &wtmp, sizeof(wtmp));
+	    close(f);
+	}
+    }
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    line[strlen("/dev/")] = 'p';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+}  /* end of rmut */
+#endif	/* CRAY */
+
+#if defined(__hpux) && !defined(HAVE_UTMPX_H)
+static void
+rmut (char *line)
+{
+    struct utmp utmp;
+    struct utmp *utptr;
+    int fd;			/* for /etc/wtmp */
+
+    utmp.ut_type = USER_PROCESS;
+    strncpy(utmp.ut_line, clean_ttyname(line), sizeof(utmp.ut_line));
+    setutent();
+    utptr = getutline(&utmp);
+    /* write it out only if it exists */
+    if (utptr) {
+	utptr->ut_type = DEAD_PROCESS;
+	utptr->ut_time = time(NULL);
+	pututline(utptr);
+	/* set wtmp entry if wtmp file exists */
+	if ((fd = open(wtmpf, O_WRONLY | O_APPEND)) >= 0) {
+	    write(fd, utptr, sizeof(utmp));
+	    close(fd);
+	}
+    }
+    endutent();
+
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    line[14] = line[13];
+    line[13] = line[12];
+    line[8] = 'm';
+    line[9] = '/';
+    line[10] = 'p';
+    line[11] = 't';
+    line[12] = 'y';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+}
+#endif
+
+/*
+ * cleanup()
+ *
+ * This is the routine to call when we are all through, to
+ * clean up anything that needs to be cleaned up.
+ */
+
+#ifdef PARENT_DOES_UTMP
+
+void
+cleanup(int sig)
+{
+#ifdef _CRAY
+    static int incleanup = 0;
+    int t;
+    int child_status; /* status of child process as returned by waitpid */
+    int flags = WNOHANG|WUNTRACED;
+    
+    /*
+     * 1: Pick up the zombie, if we are being called
+     *    as the signal handler.
+     * 2: If we are a nested cleanup(), return.
+     * 3: Try to clean up TMPDIR.
+     * 4: Fill in utmp with shutdown of process.
+     * 5: Close down the network and pty connections.
+     * 6: Finish up the TMPDIR cleanup, if needed.
+     */
+    if (sig == SIGCHLD) {
+	while (waitpid(-1, &child_status, flags) > 0)
+	    ;	/* VOID */
+	/* Check if the child process was stopped
+	 * rather than exited.  We want cleanup only if
+	 * the child has died.
+	 */
+	if (WIFSTOPPED(child_status)) {
+	    return;
+	}
+    }
+    t = sigblock(sigmask(SIGCHLD));
+    if (incleanup) {
+	sigsetmask(t);
+	return;
+    }
+    incleanup = 1;
+    sigsetmask(t);
+    
+    t = cleantmp(&wtmp);
+    setutent();	/* just to make sure */
+#endif /* CRAY */
+    rmut(line);
+    close(ourpty);
+    shutdown(net, 2);
+#ifdef _CRAY
+    if (t == 0)
+	cleantmp(&wtmp);
+#endif /* CRAY */
+    exit(1);
+}
+
+#else /* PARENT_DOES_UTMP */
+
+void
+cleanup(int sig)
+{
+#if defined(HAVE_UTMPX_H) || !defined(HAVE_LOGWTMP)
+    rmut();
+#ifdef HAVE_VHANGUP
+#ifndef __sgi
+    vhangup(); /* XXX */
+#endif
+#endif
+#else
+    char *p;
+    
+    p = line + sizeof("/dev/") - 1;
+    if (logout(p))
+	logwtmp(p, "", "");
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    *p = 'p';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+#endif
+    shutdown(net, 2);
+    exit(1);
+}
+
+#endif /* PARENT_DOES_UTMP */
+
+#ifdef PARENT_DOES_UTMP
+/*
+ * _utmp_sig_rcv
+ * utmp_sig_init
+ * utmp_sig_wait
+ *	These three functions are used to coordinate the handling of
+ *	the utmp file between the server and the soon-to-be-login shell.
+ *	The server actually creates the utmp structure, the child calls
+ *	utmp_sig_wait(), until the server calls utmp_sig_notify() and
+ *	signals the future-login shell to proceed.
+ */
+static int caught=0;		/* NZ when signal intercepted */
+static void (*func)();		/* address of previous handler */
+
+void
+_utmp_sig_rcv(sig)
+     int sig;
+{
+    caught = 1;
+    signal(SIGUSR1, func);
+}
+
+void
+utmp_sig_init()
+{
+    /*
+     * register signal handler for UTMP creation
+     */
+    if ((int)(func = signal(SIGUSR1, _utmp_sig_rcv)) == -1)
+	fatalperror(net, "telnetd/signal");
+}
+
+void
+utmp_sig_reset()
+{
+    signal(SIGUSR1, func);	/* reset handler to default */
+}
+
+# ifdef __hpux
+# define sigoff() /* do nothing */
+# define sigon() /* do nothing */
+# endif
+
+void
+utmp_sig_wait()
+{
+    /*
+     * Wait for parent to write our utmp entry.
+	 */
+    sigoff();
+    while (caught == 0) {
+	pause();	/* wait until we get a signal (sigon) */
+	sigoff();	/* turn off signals while we check caught */
+    }
+    sigon();		/* turn on signals again */
+}
+
+void
+utmp_sig_notify(pid)
+{
+    kill(pid, SIGUSR1);
+}
+
+#ifdef _CRAY
+static int gotsigjob = 0;
+
+	/*ARGSUSED*/
+void
+sigjob(sig)
+     int sig;
+{
+    int jid;
+    struct jobtemp *jp;
+
+    while ((jid = waitjob(NULL)) != -1) {
+	if (jid == 0) {
+	    return;
+	}
+	gotsigjob++;
+	jobend(jid, NULL, NULL);
+    }
+}
+
+/*
+ *	jid_getutid:
+ *		called by jobend() before calling cleantmp()
+ *		to find the correct $TMPDIR to cleanup.
+ */
+
+struct utmp *
+jid_getutid(jid)
+     int jid;
+{
+    struct utmp *cur = NULL;
+
+    setutent();	/* just to make sure */
+    while (cur = getutent()) {
+	if ( (cur->ut_type != NULL) && (jid == cur->ut_jid) ) {
+	    return(cur);
+	}
+    }
+
+    return(0);
+}
+
+/*
+ * Clean up the TMPDIR that login created.
+ * The first time this is called we pick up the info
+ * from the utmp.  If the job has already gone away,
+ * then we'll clean up and be done.  If not, then
+ * when this is called the second time it will wait
+ * for the signal that the job is done.
+ */
+int
+cleantmp(wtp)
+     struct utmp *wtp;
+{
+    struct utmp *utp;
+    static int first = 1;
+    int mask, omask, ret;
+    extern struct utmp *getutid (const struct utmp *_Id);
+
+
+    mask = sigmask(WJSIGNAL);
+
+    if (first == 0) {
+	omask = sigblock(mask);
+	while (gotsigjob == 0)
+	    sigpause(omask);
+	return(1);
+    }
+    first = 0;
+    setutent();	/* just to make sure */
+
+    utp = getutid(wtp);
+    if (utp == 0) {
+	syslog(LOG_ERR, "Can't get /etc/utmp entry to clean TMPDIR");
+	return(-1);
+    }
+    /*
+     * Nothing to clean up if the user shell was never started.
+     */
+    if (utp->ut_type != USER_PROCESS || utp->ut_jid == 0)
+	return(1);
+
+    /*
+     * Block the WJSIGNAL while we are in jobend().
+     */
+    omask = sigblock(mask);
+    ret = jobend(utp->ut_jid, utp->ut_tpath, utp->ut_user);
+    sigsetmask(omask);
+    return(ret);
+}
+
+int
+jobend(jid, path, user)
+     int jid;
+     char *path;
+     char *user;
+{
+    static int saved_jid = 0;
+    static int pty_saved_jid = 0;
+    static char saved_path[sizeof(wtmp.ut_tpath)+1];
+    static char saved_user[sizeof(wtmp.ut_user)+1];
+
+    /*
+     * this little piece of code comes into play
+     * only when ptyreconnect is used to reconnect
+     * to an previous session.
+     *
+     * this is the only time when the
+     * "saved_jid != jid" code is executed.
+     */
+
+    if ( saved_jid && saved_jid != jid ) {
+	if (!path) {	/* called from signal handler */
+	    pty_saved_jid = jid;
+	} else {
+	    pty_saved_jid = saved_jid;
+	}
+    }
+
+    if (path) {
+	strncpy(saved_path, path, sizeof(wtmp.ut_tpath));
+	strncpy(saved_user, user, sizeof(wtmp.ut_user));
+	saved_path[sizeof(saved_path)] = '\0';
+	saved_user[sizeof(saved_user)] = '\0';
+    }
+    if (saved_jid == 0) {
+	saved_jid = jid;
+	return(0);
+    }
+
+    /* if the jid has changed, get the correct entry from the utmp file */
+
+    if ( saved_jid != jid ) {
+	struct utmp *utp = NULL;
+	struct utmp *jid_getutid();
+
+	utp = jid_getutid(pty_saved_jid);
+
+	if (utp == 0) {
+	    syslog(LOG_ERR, "Can't get /etc/utmp entry to clean TMPDIR");
+	    return(-1);
+	}
+
+	cleantmpdir(jid, utp->ut_tpath, utp->ut_user);
+	return(1);
+    }
+
+    cleantmpdir(jid, saved_path, saved_user);
+    return(1);
+}
+
+/*
+ * Fork a child process to clean up the TMPDIR
+ */
+cleantmpdir(jid, tpath, user)
+     int jid;
+     char *tpath;
+     char *user;
+{
+    switch(fork()) {
+    case -1:
+	syslog(LOG_ERR, "TMPDIR cleanup(%s): fork() failed: %m\n",
+	       tpath);
+	break;
+    case 0:
+	execl(CLEANTMPCMD, CLEANTMPCMD, user, tpath, 0);
+	syslog(LOG_ERR, "TMPDIR cleanup(%s): execl(%s) failed: %m\n",
+	       tpath, CLEANTMPCMD);
+	exit(1);
+    default:
+	/*
+	 * Forget about child.  We will exit, and
+	 * /etc/init will pick it up.
+	 */
+	break;
+    }
+}
+#endif /* CRAY */
+#endif	/* defined(PARENT_DOES_UTMP) */
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.8 b/crypto/heimdal/appl/telnet/telnetd/telnetd.8
new file mode 100644
index 0000000..1e14425
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.8
@@ -0,0 +1,528 @@
+.\" Copyright (c) 1983, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)telnetd.8	8.4 (Berkeley) 6/1/94
+.\"
+.Dd June 1, 1994
+.Dt TELNETD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm telnetd
+.Nd DARPA
+.Tn TELNET
+protocol server
+.Sh SYNOPSIS
+.Nm telnetd
+.Op Fl BUhkln
+.Op Fl D Ar debugmode
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl a Ar authmode
+.Op Fl r Ns Ar lowpty-highpty
+.Op Fl u Ar len
+.Op Fl debug
+.Op Fl L Ar /bin/login
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm telnetd
+command is a server which supports the
+.Tn DARPA
+standard
+.Tn TELNET
+virtual terminal protocol.
+.Nm Telnetd
+is normally invoked by the internet server (see
+.Xr inetd 8 )
+for requests to connect to the
+.Tn TELNET
+port as indicated by the
+.Pa /etc/services
+file (see
+.Xr services 5 ) .
+The
+.Fl debug
+option may be used to start up
+.Nm telnetd
+manually, instead of through
+.Xr inetd 8 .
+If started up this way, 
+.Ar port
+may be specified to run
+.Nm telnetd
+on an alternate
+.Tn TCP
+port number.
+.Pp
+The
+.Nm telnetd
+command accepts the following options:
+.Bl -tag -width "-a authmode"
+.It Fl a Ar authmode
+This option may be used for specifying what mode should
+be used for authentication.
+Note that this option is only useful if
+.Nm telnetd
+has been compiled with support for the
+.Dv AUTHENTICATION
+option.
+There are several valid values for
+.Ar authmode :
+.Bl -tag -width debug
+.It debug
+Turns on authentication debugging code.
+.It user
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user,
+and is allowed access to the specified account
+without providing a password.
+.It valid
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user.
+The
+.Xr login 1
+command will provide any additional user verification
+needed if the remote user is not allowed automatic
+access to the specified account.
+.It other
+Only allow connections that supply some authentication information.
+This option is currently not supported
+by any of the existing authentication mechanisms,
+and is thus the same as specifying
+.Fl a
+.Cm valid .
+.It otp
+Only allow authenticated connections (as with
+.Fl a
+.Cm user )
+and also logins with one-time passwords (OTPs).  This option will call
+login with an option so that only OTPs are accepted.  The user can of
+course still type secret information at the prompt.
+.It none
+This is the default state.
+Authentication information is not required.
+If no or insufficient authentication information
+is provided, then the
+.Xr login 1
+program will provide the necessary user
+verification.
+.It off
+This disables the authentication code.
+All user verification will happen through the
+.Xr login 1
+program.
+.El
+.It Fl B
+Ignored.
+.It Fl D Ar debugmode
+This option may be used for debugging purposes.
+This allows
+.Nm telnetd
+to print out debugging information
+to the connection, allowing the user to see what
+.Nm telnetd
+is doing.
+There are several possible values for 
+.Ar debugmode :
+.Bl -tag -width exercise
+.It Cm options
+Prints information about the negotiation of
+.Tn TELNET
+options.
+.It Cm report
+Prints the 
+.Cm options
+information, plus some additional information
+about what processing is going on.
+.It Cm netdata
+Displays the data stream received by
+.Nm telnetd .
+.It Cm ptydata
+Displays data written to the pty.
+.It Cm exercise
+Has not been implemented yet.
+.El
+.It Fl h
+Disables the printing of host-specific information before
+login has been completed.
+.It Fl k
+.It Fl l
+Ignored.
+.It Fl n
+Disable
+.Dv TCP
+keep-alives.  Normally
+.Nm telnetd
+enables the
+.Tn TCP
+keep-alive mechanism to probe connections that
+have been idle for some period of time to determine
+if the client is still there, so that idle connections
+from machines that have crashed or can no longer
+be reached may be cleaned up.
+.It Fl r Ar lowpty-highpty
+This option is only enabled when
+.Nm telnetd
+is compiled for
+.Dv UNICOS .
+It specifies an inclusive range of pseudo-terminal devices to
+use.  If the system has sysconf variable
+.Dv _SC_CRAY_NPTY
+configured, the default pty search range is 0 to
+.Dv _SC_CRAY_NPTY ;
+otherwise, the default range is 0 to 128.  Either
+.Ar lowpty
+or
+.Ar highpty
+may be omitted to allow changing
+either end of the search range.  If
+.Ar lowpty
+is omitted, the - character is still required so that
+.Nm telnetd
+can differentiate
+.Ar highpty
+from
+.Ar lowpty .
+.It Fl S Ar tos
+.It Fl u Ar len
+This option is used to specify the size of the field
+in the
+.Dv utmp
+structure that holds the remote host name.
+If the resolved host name is longer than
+.Ar len ,
+the dotted decimal value will be used instead.
+This allows hosts with very long host names that
+overflow this field to still be uniquely identified.
+Specifying
+.Fl u0
+indicates that only dotted decimal addresses
+should be put into the
+.Pa utmp
+file.
+.It Fl U
+This option causes
+.Nm telnetd
+to refuse connections from addresses that
+cannot be mapped back into a symbolic name
+via the
+.Xr gethostbyaddr 3
+routine.
+.It Fl X Ar authtype
+This option is only valid if
+.Nm telnetd
+has been built with support for the authentication option.
+It disables the use of
+.Ar authtype
+authentication, and
+can be used to temporarily disable
+a specific authentication type without having to recompile
+.Nm telnetd .
+.It Fl L pathname
+Specify pathname to an alternative login program.
+.El
+.Pp
+.Nm Telnetd
+operates by allocating a pseudo-terminal device (see
+.Xr pty 4 )
+for a client, then creating a login process which has
+the slave side of the pseudo-terminal as 
+.Dv stdin ,
+.Dv stdout
+and
+.Dv stderr .
+.Nm Telnetd
+manipulates the master side of the pseudo-terminal,
+implementing the
+.Tn TELNET
+protocol and passing characters
+between the remote client and the login process.
+.Pp
+When a
+.Tn TELNET
+session is started up, 
+.Nm telnetd
+sends
+.Tn TELNET
+options to the client side indicating
+a willingness to do the
+following
+.Tn TELNET
+options, which are described in more detail below:
+.Bd -literal -offset indent
+DO AUTHENTICATION
+WILL ENCRYPT
+DO TERMINAL TYPE
+DO TSPEED
+DO XDISPLOC
+DO NEW-ENVIRON
+DO ENVIRON
+WILL SUPPRESS GO AHEAD
+DO ECHO
+DO LINEMODE
+DO NAWS
+WILL STATUS
+DO LFLOW
+DO TIMING-MARK
+.Ed
+.Pp
+The pseudo-terminal allocated to the client is configured
+to operate in
+.Dq cooked
+mode, and with
+.Dv XTABS and
+.Dv CRMOD
+enabled (see
+.Xr tty 4 ) .
+.Pp
+.Nm Telnetd
+has support for enabling locally the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "WILL ECHO"
+When the
+.Dv LINEMODE
+option is enabled, a
+.Dv WILL ECHO
+or
+.Dv WONT ECHO
+will be sent to the client to indicate the
+current state of terminal echoing.
+When terminal echo is not desired, a
+.Dv WILL ECHO
+is sent to indicate that
+.Tn telnetd
+will take care of echoing any data that needs to be
+echoed to the terminal, and then nothing is echoed.
+When terminal echo is desired, a
+.Dv WONT ECHO
+is sent to indicate that
+.Tn telnetd
+will not be doing any terminal echoing, so the
+client should do any terminal echoing that is needed.
+.It "WILL BINARY"
+Indicates that the client is willing to send a
+8 bits of data, rather than the normal 7 bits
+of the Network Virtual Terminal.
+.It "WILL SGA"
+Indicates that it will not be sending
+.Dv IAC GA ,
+go ahead, commands.
+.It "WILL STATUS"
+Indicates a willingness to send the client, upon
+request, of the current status of all
+.Tn TELNET
+options.
+.It "WILL TIMING-MARK"
+Whenever a
+.Dv DO TIMING-MARK
+command is received, it is always responded
+to with a
+.Dv WILL TIMING-MARK
+.It "WILL LOGOUT"
+When a
+.Dv DO LOGOUT
+is received, a
+.Dv WILL LOGOUT
+is sent in response, and the
+.Tn TELNET
+session is shut down.
+.It "WILL ENCRYPT"
+Only sent if
+.Nm telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Pp
+.Nm Telnetd
+has support for enabling remotely the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "DO BINARY"
+Sent to indicate that
+.Tn telnetd
+is willing to receive an 8 bit data stream.
+.It "DO LFLOW"
+Requests that the client handle flow control
+characters remotely.
+.It "DO ECHO"
+This is not really supported, but is sent to identify a 4.2BSD
+.Xr telnet 1
+client, which will improperly respond with
+.Dv WILL ECHO .
+If a
+.Dv WILL ECHO
+is received, a
+.Dv DONT ECHO
+will be sent in response.
+.It "DO TERMINAL-TYPE"
+Indicates a desire to be able to request the
+name of the type of terminal that is attached
+to the client side of the connection.
+.It "DO SGA"
+Indicates that it does not need to receive
+.Dv IAC GA ,
+the go ahead command.
+.It "DO NAWS"
+Requests that the client inform the server when
+the window (display) size changes.
+.It "DO TERMINAL-SPEED"
+Indicates a desire to be able to request information
+about the speed of the serial line to which
+the client is attached.
+.It "DO XDISPLOC"
+Indicates a desire to be able to request the name
+of the X windows display that is associated with
+the telnet client.
+.It "DO NEW-ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1572.
+.It "DO ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1408.
+.It "DO LINEMODE"
+Only sent if
+.Nm telnetd
+is compiled with support for linemode, and
+requests that the client do line by line processing.
+.It "DO TIMING-MARK"
+Only sent if
+.Nm telnetd
+is compiled with support for both linemode and
+kludge linemode, and the client responded with
+.Dv WONT LINEMODE .
+If the client responds with
+.Dv WILL TM ,
+the it is assumed that the client supports
+kludge linemode.
+Note that the
+.Op Fl k
+option can be used to disable this.
+.It "DO AUTHENTICATION"
+Only sent if
+.Nm telnetd
+is compiled with support for authentication, and
+indicates a willingness to receive authentication
+information for automatic login.
+.It "DO ENCRYPT"
+Only sent if
+.Nm telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Sh ENVIRONMENT
+.Sh FILES
+.Bl -tag -width /etc/services -compact
+.It Pa /etc/services
+.It Pa /etc/inittab
+(UNICOS systems only)
+.It Pa /etc/iptos
+(if supported)
+.El
+.Sh "SEE ALSO"
+.Xr telnet 1 ,
+.Xr login 1
+.Sh STANDARDS
+.Bl -tag -compact -width RFC-1572
+.It Cm RFC-854
+.Tn TELNET
+PROTOCOL SPECIFICATION
+.It Cm RFC-855
+TELNET OPTION SPECIFICATIONS
+.It Cm RFC-856
+TELNET BINARY TRANSMISSION
+.It Cm RFC-857
+TELNET ECHO OPTION
+.It Cm RFC-858
+TELNET SUPPRESS GO AHEAD OPTION
+.It Cm RFC-859
+TELNET STATUS OPTION
+.It Cm RFC-860
+TELNET TIMING MARK OPTION
+.It Cm RFC-861
+TELNET EXTENDED OPTIONS - LIST OPTION
+.It Cm RFC-885
+TELNET END OF RECORD OPTION
+.It Cm RFC-1073
+Telnet Window Size Option
+.It Cm RFC-1079
+Telnet Terminal Speed Option
+.It Cm RFC-1091
+Telnet Terminal-Type Option
+.It Cm RFC-1096
+Telnet X Display Location Option
+.It Cm RFC-1123
+Requirements for Internet Hosts -- Application and Support
+.It Cm RFC-1184
+Telnet Linemode Option
+.It Cm RFC-1372
+Telnet Remote Flow Control Option
+.It Cm RFC-1416
+Telnet Authentication Option
+.It Cm RFC-1411
+Telnet Authentication: Kerberos Version 4
+.It Cm RFC-1412
+Telnet Authentication: SPX
+.It Cm RFC-1571
+Telnet Environment Option Interoperability Issues
+.It Cm RFC-1572
+Telnet Environment Option
+.El
+.Sh BUGS
+Some
+.Tn TELNET
+commands are only partially implemented.
+.Pp
+Because of bugs in the original 4.2 BSD
+.Xr telnet 1 ,
+.Nm telnetd
+performs some dubious protocol exchanges to try to discover if the remote
+client is, in fact, a 4.2 BSD
+.Xr telnet 1 .
+.Pp
+Binary mode
+has no common interpretation except between similar operating systems
+(Unix in this case).
+.Pp
+The terminal type name received from the remote client is converted to
+lower case.
+.Pp
+.Nm Telnetd
+never sends
+.Tn TELNET
+.Dv IAC GA
+(go ahead) commands.
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.c b/crypto/heimdal/appl/telnet/telnetd/telnetd.c
new file mode 100644
index 0000000..af63ce1
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.c
@@ -0,0 +1,1364 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: telnetd.c,v 1.64 2001/02/08 16:06:27 assar Exp $");
+
+#ifdef _SC_CRAY_SECURE_SYS
+#include <sys/sysv.h>
+#include <sys/secdev.h>
+#include <sys/secparm.h>
+#include <sys/usrv.h>
+int	secflag;
+char	tty_dev[16];
+struct	secdev dv;
+struct	sysv sysv;
+struct	socksec ss;
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+#ifdef AUTHENTICATION
+int	auth_level = 0;
+#endif
+
+extern	int utmp_len;
+int	registerd_host_only = 0;
+
+#ifdef	STREAMSPTY
+# include <stropts.h>
+# include <termios.h>
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif /* HAVE_SYS_UIO_H */
+#ifdef HAVE_SYS_STREAM_H
+#include <sys/stream.h>
+#endif
+#ifdef _AIX
+#include <sys/termio.h>
+#endif
+# ifdef HAVE_SYS_STRTTY_H
+# include <sys/strtty.h>
+# endif
+# ifdef HAVE_SYS_STR_TTY_H
+# include <sys/str_tty.h>
+# endif
+/* make sure we don't get the bsd version */
+/* what is this here for? solaris? /joda */
+# ifdef HAVE_SYS_TTY_H
+# include "/usr/include/sys/tty.h"
+# endif
+# ifdef HAVE_SYS_PTYVAR_H
+# include <sys/ptyvar.h>
+# endif
+
+/*
+ * Because of the way ptyibuf is used with streams messages, we need
+ * ptyibuf+1 to be on a full-word boundary.  The following wierdness
+ * is simply to make that happen.
+ */
+long	ptyibufbuf[BUFSIZ/sizeof(long)+1];
+char	*ptyibuf = ((char *)&ptyibufbuf[1])-1;
+char	*ptyip = ((char *)&ptyibufbuf[1])-1;
+char	ptyibuf2[BUFSIZ];
+unsigned char ctlbuf[BUFSIZ];
+struct	strbuf strbufc, strbufd;
+
+int readstream(int, char*, int);
+
+#else	/* ! STREAMPTY */
+
+/*
+ * I/O data buffers,
+ * pointers, and counters.
+ */
+char	ptyibuf[BUFSIZ], *ptyip = ptyibuf;
+char	ptyibuf2[BUFSIZ];
+
+#endif /* ! STREAMPTY */
+
+int	hostinfo = 1;			/* do we print login banner? */
+
+#ifdef	_CRAY
+extern int      newmap; /* nonzero if \n maps to ^M^J */
+int	lowpty = 0, highpty;	/* low, high pty numbers */
+#endif /* CRAY */
+
+int debug = 0;
+int keepalive = 1;
+char *progname;
+
+static void usage (void);
+
+/*
+ * The string to pass to getopt().  We do it this way so
+ * that only the actual options that we support will be
+ * passed off to getopt().
+ */
+char valid_opts[] = "Bd:hklnS:u:UL:y"
+#ifdef AUTHENTICATION
+		    "a:X:z"
+#endif
+#ifdef DIAGNOSTICS
+		    "D:"
+#endif
+#ifdef _CRAY
+		    "r:"
+#endif
+		    ;
+
+static void doit(struct sockaddr*, int);
+
+int
+main(int argc, char **argv)
+{
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+    int on = 1;
+    socklen_t sa_size;
+    int ch;
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+    int tos = -1;
+#endif
+#ifdef ENCRYPTION
+    extern int des_check_key;
+    des_check_key = 1;	/* Kludge for Mac NCSA telnet 2.6 /bg */
+#endif
+    pfrontp = pbackp = ptyobuf;
+    netip = netibuf;
+    nfrontp = nbackp = netobuf;
+
+    progname = *argv;
+#ifdef ENCRYPTION
+    nclearto = 0;
+#endif
+
+#ifdef _CRAY
+    /*
+     * Get number of pty's before trying to process options,
+     * which may include changing pty range.
+     */
+    highpty = getnpty();
+#endif /* CRAY */
+
+    while ((ch = getopt(argc, argv, valid_opts)) != -1) {
+	switch(ch) {
+
+#ifdef	AUTHENTICATION
+	case 'a':
+	    /*
+	     * Check for required authentication level
+	     */
+	    if (strcmp(optarg, "debug") == 0) {
+		auth_debug_mode = 1;
+	    } else if (strcasecmp(optarg, "none") == 0) {
+		auth_level = 0;
+	    } else if (strcasecmp(optarg, "otp") == 0) {
+		auth_level = 0;
+		require_otp = 1;
+	    } else if (strcasecmp(optarg, "other") == 0) {
+		auth_level = AUTH_OTHER;
+	    } else if (strcasecmp(optarg, "user") == 0) {
+		auth_level = AUTH_USER;
+	    } else if (strcasecmp(optarg, "valid") == 0) {
+		auth_level = AUTH_VALID;
+	    } else if (strcasecmp(optarg, "off") == 0) {
+		/*
+		 * This hack turns off authentication
+		 */
+		auth_level = -1;
+	    } else {
+		fprintf(stderr,
+			"telnetd: unknown authorization level for -a\n");
+	    }
+	    break;
+#endif	/* AUTHENTICATION */
+
+	case 'B': /* BFTP mode is not supported any more */
+	    break;
+	case 'd':
+	    if (strcmp(optarg, "ebug") == 0) {
+		debug++;
+		break;
+	    }
+	    usage();
+	    /* NOTREACHED */
+	    break;
+
+#ifdef DIAGNOSTICS
+	case 'D':
+	    /*
+	     * Check for desired diagnostics capabilities.
+	     */
+	    if (!strcmp(optarg, "report")) {
+		diagnostic |= TD_REPORT|TD_OPTIONS;
+	    } else if (!strcmp(optarg, "exercise")) {
+		diagnostic |= TD_EXERCISE;
+	    } else if (!strcmp(optarg, "netdata")) {
+		diagnostic |= TD_NETDATA;
+	    } else if (!strcmp(optarg, "ptydata")) {
+		diagnostic |= TD_PTYDATA;
+	    } else if (!strcmp(optarg, "options")) {
+		diagnostic |= TD_OPTIONS;
+	    } else {
+		usage();
+		/* NOT REACHED */
+	    }
+	    break;
+#endif /* DIAGNOSTICS */
+
+
+	case 'h':
+	    hostinfo = 0;
+	    break;
+
+	case 'k': /* Linemode is not supported any more */
+	case 'l':
+	    break;
+
+	case 'n':
+	    keepalive = 0;
+	    break;
+
+#ifdef _CRAY
+	case 'r':
+	    {
+		char *strchr();
+		char *c;
+
+		/*
+		 * Allow the specification of alterations
+		 * to the pty search range.  It is legal to
+		 * specify only one, and not change the
+		 * other from its default.
+		 */
+		c = strchr(optarg, '-');
+		if (c) {
+		    *c++ = '\0';
+		    highpty = atoi(c);
+		}
+		if (*optarg != '\0')
+		    lowpty = atoi(optarg);
+		if ((lowpty > highpty) || (lowpty < 0) ||
+		    (highpty > 32767)) {
+		    usage();
+		    /* NOT REACHED */
+		}
+		break;
+	    }
+#endif	/* CRAY */
+
+	case 'S':
+#ifdef	HAVE_PARSETOS
+	    if ((tos = parsetos(optarg, "tcp")) < 0)
+		fprintf(stderr, "%s%s%s\n",
+			"telnetd: Bad TOS argument '", optarg,
+			"'; will try to use default TOS");
+#else
+	    fprintf(stderr, "%s%s\n", "TOS option unavailable; ",
+		    "-S flag not supported\n");
+#endif
+	    break;
+
+	case 'u': {
+	    char *eptr;
+
+	    utmp_len = strtol(optarg, &eptr, 0);
+	    if (optarg == eptr)
+		fprintf(stderr, "telnetd: unknown utmp len (%s)\n", optarg);
+	    break;
+	}
+
+	case 'U':
+	    registerd_host_only = 1;
+	    break;
+
+#ifdef	AUTHENTICATION
+	case 'X':
+	    /*
+	     * Check for invalid authentication types
+	     */
+	    auth_disable_name(optarg);
+	    break;
+#endif
+	case 'y':
+	    no_warn = 1;
+	    break;
+#ifdef AUTHENTICATION
+	case 'z':
+	    log_unauth = 1;
+	    break;
+
+#endif	/* AUTHENTICATION */
+
+	case 'L':
+	    new_login = optarg;
+	    break;
+			
+	default:
+	    fprintf(stderr, "telnetd: %c: unknown option\n", ch);
+	    /* FALLTHROUGH */
+	case '?':
+	    usage();
+	    /* NOTREACHED */
+	}
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (debug) {
+	int port = 0;
+	struct servent *sp;
+
+	if (argc > 1) {
+	    usage ();
+	} else if (argc == 1) {
+	    sp = roken_getservbyname (*argv, "tcp");
+	    if (sp)
+		port = sp->s_port;
+	    else
+		port = htons(atoi(*argv));
+	} else {
+#ifdef KRB5
+	    port = krb5_getportbyname (NULL, "telnet", "tcp", 23);
+#else
+	    port = k_getportbyname("telnet", "tcp", htons(23));
+#endif
+	}
+	mini_inetd (port);
+    } else if (argc > 0) {
+	usage();
+	/* NOT REACHED */
+    }
+
+#ifdef _SC_CRAY_SECURE_SYS
+    secflag = sysconf(_SC_CRAY_SECURE_SYS);
+
+    /*
+     *	Get socket's security label
+     */
+    if (secflag)  {
+	socklen_t szss = sizeof(ss);
+	int sock_multi;
+	socklen_t szi = sizeof(int);
+
+	memset(&dv, 0, sizeof(dv));
+
+	if (getsysv(&sysv, sizeof(struct sysv)) != 0) 
+	    fatalperror(net, "getsysv");
+
+	/*
+	 *	Get socket security label and set device values
+	 *	   {security label to be set on ttyp device}
+	 */
+#ifdef SO_SEC_MULTI			/* 8.0 code */
+	if ((getsockopt(0, SOL_SOCKET, SO_SECURITY,
+			(void *)&ss, &szss) < 0) ||
+	    (getsockopt(0, SOL_SOCKET, SO_SEC_MULTI,
+			(void *)&sock_multi, &szi) < 0)) 
+	    fatalperror(net, "getsockopt");
+	else {
+	    dv.dv_actlvl = ss.ss_actlabel.lt_level;
+	    dv.dv_actcmp = ss.ss_actlabel.lt_compart;
+	    if (!sock_multi) {
+		dv.dv_minlvl = dv.dv_maxlvl = dv.dv_actlvl;
+		dv.dv_valcmp = dv.dv_actcmp;
+	    } else {
+		dv.dv_minlvl = ss.ss_minlabel.lt_level;
+		dv.dv_maxlvl = ss.ss_maxlabel.lt_level;
+		dv.dv_valcmp = ss.ss_maxlabel.lt_compart;
+	    }
+	    dv.dv_devflg = 0;
+	}
+#else /* SO_SEC_MULTI */		/* 7.0 code */
+	if (getsockopt(0, SOL_SOCKET, SO_SECURITY,
+		       (void *)&ss, &szss) >= 0) {
+	    dv.dv_actlvl = ss.ss_slevel;
+	    dv.dv_actcmp = ss.ss_compart;
+	    dv.dv_minlvl = ss.ss_minlvl;
+	    dv.dv_maxlvl = ss.ss_maxlvl;
+	    dv.dv_valcmp = ss.ss_maxcmp;
+	}
+#endif /* SO_SEC_MULTI */
+    }
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+    roken_openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON);
+    sa_size = sizeof (__ss);
+    if (getpeername(STDIN_FILENO, sa, &sa_size) < 0) {
+	fprintf(stderr, "%s: ", progname);
+	perror("getpeername");
+	_exit(1);
+    }
+    if (keepalive &&
+	setsockopt(STDIN_FILENO, SOL_SOCKET, SO_KEEPALIVE,
+		   (void *)&on, sizeof (on)) < 0) {
+	syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
+    }
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+    {
+# ifdef HAVE_GETTOSBYNAME
+	struct tosent *tp;
+	if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+	    tos = tp->t_tos;
+# endif
+	if (tos < 0)
+	    tos = 020;	/* Low Delay bit */
+	if (tos
+	    && sa->sa_family == AF_INET
+	    && (setsockopt(STDIN_FILENO, IPPROTO_IP, IP_TOS,
+			   (void *)&tos, sizeof(tos)) < 0)
+	    && (errno != ENOPROTOOPT) )
+	    syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+    }
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+    net = STDIN_FILENO;
+    doit(sa, sa_size);
+    /* NOTREACHED */
+    return 0;
+}  /* end of main */
+
+static void
+usage(void)
+{
+    fprintf(stderr, "Usage: telnetd");
+#ifdef	AUTHENTICATION
+    fprintf(stderr, " [-a (debug|other|otp|user|valid|off|none)]\n\t");
+#endif
+    fprintf(stderr, " [-debug]");
+#ifdef DIAGNOSTICS
+    fprintf(stderr, " [-D (options|report|exercise|netdata|ptydata)]\n\t");
+#endif
+#ifdef	AUTHENTICATION
+    fprintf(stderr, " [-edebug]");
+#endif
+    fprintf(stderr, " [-h]");
+    fprintf(stderr, " [-L login]");
+    fprintf(stderr, " [-n]");
+#ifdef	_CRAY
+    fprintf(stderr, " [-r[lowpty]-[highpty]]");
+#endif
+    fprintf(stderr, "\n\t");
+#ifdef	HAVE_GETTOSBYNAME
+    fprintf(stderr, " [-S tos]");
+#endif
+#ifdef	AUTHENTICATION
+    fprintf(stderr, " [-X auth-type] [-y] [-z]");
+#endif
+    fprintf(stderr, " [-u utmp_hostname_length] [-U]");
+    fprintf(stderr, " [port]\n");
+    exit(1);
+}
+
+/*
+ * getterminaltype
+ *
+ *	Ask the other end to send along its terminal type and speed.
+ * Output is the variable terminaltype filled in.
+ */
+static unsigned char ttytype_sbbuf[] = {
+    IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE
+};
+
+int
+getterminaltype(char *name, size_t name_sz)
+{
+    int retval = -1;
+
+    settimer(baseline);
+#ifdef AUTHENTICATION
+    /*
+     * Handle the Authentication option before we do anything else.
+     */
+    send_do(TELOPT_AUTHENTICATION, 1);
+    while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+	ttloop();
+    if (his_state_is_will(TELOPT_AUTHENTICATION)) {
+	retval = auth_wait(name, name_sz);
+    }
+#endif
+
+#ifdef ENCRYPTION
+    send_will(TELOPT_ENCRYPT, 1);
+    send_do(TELOPT_ENCRYPT, 1);	/* esc@magic.fi */
+#endif
+    send_do(TELOPT_TTYPE, 1);
+    send_do(TELOPT_TSPEED, 1);
+    send_do(TELOPT_XDISPLOC, 1);
+    send_do(TELOPT_NEW_ENVIRON, 1);
+    send_do(TELOPT_OLD_ENVIRON, 1);
+    while (
+#ifdef ENCRYPTION
+	   his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+#endif
+	   his_will_wont_is_changing(TELOPT_TTYPE) ||
+	   his_will_wont_is_changing(TELOPT_TSPEED) ||
+	   his_will_wont_is_changing(TELOPT_XDISPLOC) ||
+	   his_will_wont_is_changing(TELOPT_NEW_ENVIRON) ||
+	   his_will_wont_is_changing(TELOPT_OLD_ENVIRON)) {
+	ttloop();
+    }
+#ifdef ENCRYPTION
+    /*
+     * Wait for the negotiation of what type of encryption we can
+     * send with.  If autoencrypt is not set, this will just return.
+     */
+    if (his_state_is_will(TELOPT_ENCRYPT)) {
+	encrypt_wait();
+    }
+#endif
+    if (his_state_is_will(TELOPT_TSPEED)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_XDISPLOC, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_NEW_ENVIRON, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    else if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_OLD_ENVIRON, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+
+	telnet_net_write (ttytype_sbbuf, sizeof ttytype_sbbuf);
+	DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2,
+				  sizeof ttytype_sbbuf - 2););
+    }
+    if (his_state_is_will(TELOPT_TSPEED)) {
+	while (sequenceIs(tspeedsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+	while (sequenceIs(xdisplocsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
+	while (sequenceIs(environsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
+	while (sequenceIs(oenvironsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+	char first[256], last[256];
+
+	while (sequenceIs(ttypesubopt, baseline))
+	    ttloop();
+
+	/*
+	 * If the other side has already disabled the option, then
+	 * we have to just go with what we (might) have already gotten.
+	 */
+	if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) {
+	    strlcpy(first, terminaltype, sizeof(first));
+	    for(;;) {
+		/*
+		 * Save the unknown name, and request the next name.
+		 */
+		strlcpy(last, terminaltype, sizeof(last));
+		_gettermname();
+		if (terminaltypeok(terminaltype))
+		    break;
+		if ((strncmp(last, terminaltype, sizeof(last)) == 0) ||
+		    his_state_is_wont(TELOPT_TTYPE)) {
+		    /*
+		     * We've hit the end.  If this is the same as
+		     * the first name, just go with it.
+		     */
+		    if (strncmp(first, terminaltype, sizeof(first)) == 0)
+			break;
+		    /*
+		     * Get the terminal name one more time, so that
+		     * RFC1091 compliant telnets will cycle back to
+		     * the start of the list.
+		     */
+		    _gettermname();
+		    if (strncmp(first, terminaltype, sizeof(first)) != 0)
+			strcpy(terminaltype, first);
+		    break;
+		}
+	    }
+	}
+    }
+    return(retval);
+}  /* end of getterminaltype */
+
+void
+_gettermname(void)
+{
+    /*
+     * If the client turned off the option,
+     * we can't send another request, so we
+     * just return.
+     */
+    if (his_state_is_wont(TELOPT_TTYPE))
+	return;
+    settimer(baseline);
+    telnet_net_write (ttytype_sbbuf, sizeof ttytype_sbbuf);
+    DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2,
+			      sizeof ttytype_sbbuf - 2););
+    while (sequenceIs(ttypesubopt, baseline))
+	ttloop();
+}
+
+int
+terminaltypeok(char *s)
+{
+    return 1;
+}
+
+
+char host_name[MaxHostNameLen];
+char remote_host_name[MaxHostNameLen];
+char remote_utmp_name[MaxHostNameLen];
+
+/*
+ * Get a pty, scan input lines.
+ */
+static void
+doit(struct sockaddr *who, int who_len)
+{
+    int level;
+    int ptynum;
+    char user_name[256];
+    int error;
+
+    /*
+     * Find an available pty to use.
+     */
+    ourpty = getpty(&ptynum);
+    if (ourpty < 0)
+	fatal(net, "All network ports in use");
+
+#ifdef _SC_CRAY_SECURE_SYS
+    /*
+     *	set ttyp line security label
+     */
+    if (secflag) {
+	char slave_dev[16];
+
+	snprintf(tty_dev, sizeof(tty_dev), "/dev/pty/%03d", ptynum);
+	if (setdevs(tty_dev, &dv) < 0)
+	    fatal(net, "cannot set pty security");
+	snprintf(slave_dev, sizeof(slave_dev), "/dev/ttyp%03d", ptynum);
+	if (setdevs(slave_dev, &dv) < 0)
+	    fatal(net, "cannot set tty security");
+    }
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+    error = getnameinfo_verified (who, who_len,
+				  remote_host_name,
+				  sizeof(remote_host_name),
+				  NULL, 0, 
+				  registerd_host_only ? NI_NAMEREQD : 0);
+    if (error)
+	fatal(net, "Couldn't resolve your address into a host name.\r\n\
+Please contact your net administrator");
+
+    gethostname(host_name, sizeof (host_name));
+
+    strlcpy (remote_utmp_name, remote_host_name, sizeof(remote_utmp_name));
+
+    /* Only trim if too long (and possible) */
+    if (strlen(remote_utmp_name) > utmp_len) {
+	char *domain = strchr(host_name, '.');
+	char *p = strchr(remote_utmp_name, '.');
+	if (domain != NULL && p != NULL && (strcmp(p, domain) == 0))
+	    *p = '\0'; /* remove domain part */
+    }
+
+    /*
+     * If hostname still doesn't fit utmp, use ipaddr.
+     */
+    if (strlen(remote_utmp_name) > utmp_len) {
+	error = getnameinfo (who, who_len,
+			     remote_utmp_name,
+			     sizeof(remote_utmp_name),
+			     NULL, 0,
+			     NI_NUMERICHOST);
+	if (error)
+	    fatal(net, "Couldn't get numeric address\r\n");
+    }
+
+#ifdef AUTHENTICATION
+    auth_encrypt_init(host_name, remote_host_name, "TELNETD", 1);
+#endif
+
+    init_env();
+    /*
+     * get terminal type.
+     */
+    *user_name = 0;
+    level = getterminaltype(user_name, sizeof(user_name));
+    esetenv("TERM", terminaltype ? terminaltype : "network", 1);
+
+#ifdef _SC_CRAY_SECURE_SYS
+    if (secflag) {
+	if (setulvl(dv.dv_actlvl) < 0)
+	    fatal(net,"cannot setulvl()");
+	if (setucmp(dv.dv_actcmp) < 0)
+	    fatal(net, "cannot setucmp()");
+    }
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+    /* begin server processing */
+    my_telnet(net, ourpty, remote_host_name, remote_utmp_name,
+	      level, user_name);
+    /*NOTREACHED*/
+}  /* end of doit */
+
+/* output contents of /etc/issue.net, or /etc/issue */
+static void
+show_issue(void)
+{
+    FILE *f;
+    char buf[128];
+    f = fopen("/etc/issue.net", "r");
+    if(f == NULL)
+	f = fopen("/etc/issue", "r");
+    if(f){
+	while(fgets(buf, sizeof(buf)-2, f)){
+	    strcpy(buf + strcspn(buf, "\r\n"), "\r\n");
+	    writenet((unsigned char*)buf, strlen(buf));
+	}
+	fclose(f);
+    }
+}
+
+/*
+ * Main loop.  Select from pty and network, and
+ * hand data to telnet receiver finite state machine.
+ */
+void
+my_telnet(int f, int p, const char *host, const char *utmp_host,
+	  int level, char *autoname)
+{
+    int on = 1;
+    char *he;
+    char *IM;
+    int nfd;
+    int startslave_called = 0;
+    time_t timeout;
+
+    /*
+     * Initialize the slc mapping table.
+     */
+    get_slc_defaults();
+
+    /*
+     * Do some tests where it is desireable to wait for a response.
+     * Rather than doing them slowly, one at a time, do them all
+     * at once.
+     */
+    if (my_state_is_wont(TELOPT_SGA))
+	send_will(TELOPT_SGA, 1);
+    /*
+     * Is the client side a 4.2 (NOT 4.3) system?  We need to know this
+     * because 4.2 clients are unable to deal with TCP urgent data.
+     *
+     * To find out, we send out a "DO ECHO".  If the remote system
+     * answers "WILL ECHO" it is probably a 4.2 client, and we note
+     * that fact ("WILL ECHO" ==> that the client will echo what
+     * WE, the server, sends it; it does NOT mean that the client will
+     * echo the terminal input).
+     */
+    send_do(TELOPT_ECHO, 1);
+
+    /*
+     * Send along a couple of other options that we wish to negotiate.
+     */
+    send_do(TELOPT_NAWS, 1);
+    send_will(TELOPT_STATUS, 1);
+    flowmode = 1;		/* default flow control state */
+    restartany = -1;	/* uninitialized... */
+    send_do(TELOPT_LFLOW, 1);
+
+    /*
+     * Spin, waiting for a response from the DO ECHO.  However,
+     * some REALLY DUMB telnets out there might not respond
+     * to the DO ECHO.  So, we spin looking for NAWS, (most dumb
+     * telnets so far seem to respond with WONT for a DO that
+     * they don't understand...) because by the time we get the
+     * response, it will already have processed the DO ECHO.
+     * Kludge upon kludge.
+     */
+    while (his_will_wont_is_changing(TELOPT_NAWS))
+	ttloop();
+
+    /*
+     * But...
+     * The client might have sent a WILL NAWS as part of its
+     * startup code; if so, we'll be here before we get the
+     * response to the DO ECHO.  We'll make the assumption
+     * that any implementation that understands about NAWS
+     * is a modern enough implementation that it will respond
+     * to our DO ECHO request; hence we'll do another spin
+     * waiting for the ECHO option to settle down, which is
+     * what we wanted to do in the first place...
+     */
+    if (his_want_state_is_will(TELOPT_ECHO) &&
+	his_state_is_will(TELOPT_NAWS)) {
+	while (his_will_wont_is_changing(TELOPT_ECHO))
+	    ttloop();
+    }
+    /*
+     * On the off chance that the telnet client is broken and does not
+     * respond to the DO ECHO we sent, (after all, we did send the
+     * DO NAWS negotiation after the DO ECHO, and we won't get here
+     * until a response to the DO NAWS comes back) simulate the
+     * receipt of a will echo.  This will also send a WONT ECHO
+     * to the client, since we assume that the client failed to
+     * respond because it believes that it is already in DO ECHO
+     * mode, which we do not want.
+     */
+    if (his_want_state_is_will(TELOPT_ECHO)) {
+	DIAG(TD_OPTIONS,
+	     {output_data("td: simulating recv\r\n");
+	     });
+	willoption(TELOPT_ECHO);
+    }
+
+    /*
+     * Finally, to clean things up, we turn on our echo.  This
+     * will break stupid 4.2 telnets out of local terminal echo.
+     */
+
+    if (my_state_is_wont(TELOPT_ECHO))
+	send_will(TELOPT_ECHO, 1);
+
+#ifdef TIOCPKT
+#ifdef	STREAMSPTY
+    if (!really_stream)
+#endif
+	/*
+	 * Turn on packet mode
+	 */
+	ioctl(p, TIOCPKT, (char *)&on);
+#endif
+
+
+    /*
+     * Call telrcv() once to pick up anything received during
+     * terminal type negotiation, 4.2/4.3 determination, and
+     * linemode negotiation.
+     */
+    telrcv();
+
+    ioctl(f, FIONBIO, (char *)&on);
+    ioctl(p, FIONBIO, (char *)&on);
+
+#if	defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT)
+    setsockopt(net, SOL_SOCKET, SO_OOBINLINE,
+	       (void *)&on, sizeof on);
+#endif	/* defined(SO_OOBINLINE) */
+
+#ifdef	SIGTSTP
+    signal(SIGTSTP, SIG_IGN);
+#endif
+#ifdef	SIGTTOU
+    /*
+     * Ignoring SIGTTOU keeps the kernel from blocking us
+     * in ttioct() in /sys/tty.c.
+     */
+    signal(SIGTTOU, SIG_IGN);
+#endif
+
+    signal(SIGCHLD, cleanup);
+
+#ifdef  TIOCNOTTY
+    {
+	int t;
+	t = open(_PATH_TTY, O_RDWR);
+	if (t >= 0) {
+	    ioctl(t, TIOCNOTTY, (char *)0);
+	    close(t);
+	}
+    }
+#endif
+
+    show_issue();
+    /*
+     * Show banner that getty never gave.
+     *
+     * We put the banner in the pty input buffer.  This way, it
+     * gets carriage return null processing, etc., just like all
+     * other pty --> client data.
+     */
+
+    if (getenv("USER"))
+	hostinfo = 0;
+
+    IM = DEFAULT_IM;
+    he = 0;
+    edithost(he, host_name);
+    if (hostinfo && *IM)
+	putf(IM, ptyibuf2);
+
+    if (pcc)
+	strncat(ptyibuf2, ptyip, pcc+1);
+    ptyip = ptyibuf2;
+    pcc = strlen(ptyip);
+
+    DIAG(TD_REPORT, {
+	output_data("td: Entering processing loop\r\n");
+    });
+
+
+    nfd = ((f > p) ? f : p) + 1;
+    timeout = time(NULL) + 5;
+    for (;;) {
+	fd_set ibits, obits, xbits;
+	int c;
+
+	/* wait for encryption to be turned on, but don't wait
+           indefinitely */
+	if(!startslave_called && (!encrypt_delay() || timeout > time(NULL))){
+	    startslave_called = 1;
+	    startslave(host, utmp_host, level, autoname);
+	}
+
+	if (ncc < 0 && pcc < 0)
+	    break;
+
+	FD_ZERO(&ibits);
+	FD_ZERO(&obits);
+	FD_ZERO(&xbits);
+
+	if (f >= FD_SETSIZE
+	    || p >= FD_SETSIZE)
+	    fatal(net, "fd too large");
+
+	/*
+	 * Never look for input if there's still
+	 * stuff in the corresponding output buffer
+	 */
+	if (nfrontp - nbackp || pcc > 0) {
+	    FD_SET(f, &obits);
+	} else {
+	    FD_SET(p, &ibits);
+	}
+	if (pfrontp - pbackp || ncc > 0) {
+	    FD_SET(p, &obits);
+	} else {
+	    FD_SET(f, &ibits);
+	}
+	if (!SYNCHing) {
+	    FD_SET(f, &xbits);
+	}
+	if ((c = select(nfd, &ibits, &obits, &xbits,
+			(struct timeval *)0)) < 1) {
+	    if (c == -1) {
+		if (errno == EINTR) {
+		    continue;
+		}
+	    }
+	    sleep(5);
+	    continue;
+	}
+
+	/*
+	 * Any urgent data?
+	 */
+	if (FD_ISSET(net, &xbits)) {
+	    SYNCHing = 1;
+	}
+
+	/*
+	 * Something to read from the network...
+	 */
+	if (FD_ISSET(net, &ibits)) {
+#ifndef SO_OOBINLINE
+	    /*
+	     * In 4.2 (and 4.3 beta) systems, the
+	     * OOB indication and data handling in the kernel
+	     * is such that if two separate TCP Urgent requests
+	     * come in, one byte of TCP data will be overlaid.
+	     * This is fatal for Telnet, but we try to live
+	     * with it.
+	     *
+	     * In addition, in 4.2 (and...), a special protocol
+	     * is needed to pick up the TCP Urgent data in
+	     * the correct sequence.
+	     *
+	     * What we do is:  if we think we are in urgent
+	     * mode, we look to see if we are "at the mark".
+	     * If we are, we do an OOB receive.  If we run
+	     * this twice, we will do the OOB receive twice,
+	     * but the second will fail, since the second
+	     * time we were "at the mark", but there wasn't
+	     * any data there (the kernel doesn't reset
+	     * "at the mark" until we do a normal read).
+	     * Once we've read the OOB data, we go ahead
+	     * and do normal reads.
+	     *
+	     * There is also another problem, which is that
+	     * since the OOB byte we read doesn't put us
+	     * out of OOB state, and since that byte is most
+	     * likely the TELNET DM (data mark), we would
+	     * stay in the TELNET SYNCH (SYNCHing) state.
+	     * So, clocks to the rescue.  If we've "just"
+	     * received a DM, then we test for the
+	     * presence of OOB data when the receive OOB
+	     * fails (and AFTER we did the normal mode read
+	     * to clear "at the mark").
+	     */
+	    if (SYNCHing) {
+		int atmark;
+
+		ioctl(net, SIOCATMARK, (char *)&atmark);
+		if (atmark) {
+		    ncc = recv(net, netibuf, sizeof (netibuf), MSG_OOB);
+		    if ((ncc == -1) && (errno == EINVAL)) {
+			ncc = read(net, netibuf, sizeof (netibuf));
+			if (sequenceIs(didnetreceive, gotDM)) {
+			    SYNCHing = stilloob(net);
+			}
+		    }
+		} else {
+		    ncc = read(net, netibuf, sizeof (netibuf));
+		}
+	    } else {
+		ncc = read(net, netibuf, sizeof (netibuf));
+	    }
+	    settimer(didnetreceive);
+#else	/* !defined(SO_OOBINLINE)) */
+	    ncc = read(net, netibuf, sizeof (netibuf));
+#endif	/* !defined(SO_OOBINLINE)) */
+	    if (ncc < 0 && errno == EWOULDBLOCK)
+		ncc = 0;
+	    else {
+		if (ncc <= 0) {
+		    break;
+		}
+		netip = netibuf;
+	    }
+	    DIAG((TD_REPORT | TD_NETDATA), {
+		output_data("td: netread %d chars\r\n", ncc);
+		});
+	    DIAG(TD_NETDATA, printdata("nd", netip, ncc));
+	}
+
+	/*
+	 * Something to read from the pty...
+	 */
+	if (FD_ISSET(p, &ibits)) {
+#ifdef STREAMSPTY
+	    if (really_stream)
+		pcc = readstream(p, ptyibuf, BUFSIZ);
+	    else
+#endif
+		pcc = read(p, ptyibuf, BUFSIZ);
+
+	    /*
+	     * On some systems, if we try to read something
+	     * off the master side before the slave side is
+	     * opened, we get EIO.
+	     */
+	    if (pcc < 0 && (errno == EWOULDBLOCK ||
+#ifdef	EAGAIN
+			    errno == EAGAIN ||
+#endif
+			    errno == EIO)) {
+		pcc = 0;
+	    } else {
+		if (pcc <= 0)
+		    break;
+		if (ptyibuf[0] & TIOCPKT_FLUSHWRITE) {
+		    netclear();	/* clear buffer back */
+#ifndef	NO_URGENT
+		    /*
+		     * There are client telnets on some
+		     * operating systems get screwed up
+		     * royally if we send them urgent
+		     * mode data.
+		     */
+		    output_data ("%c%c", IAC, DM);
+
+		    neturg = nfrontp-1; /* off by one XXX */
+		    DIAG(TD_OPTIONS,
+			 printoption("td: send IAC", DM));
+
+#endif
+		}
+		if (his_state_is_will(TELOPT_LFLOW) &&
+		    (ptyibuf[0] &
+		     (TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))) {
+		    int newflow =
+			ptyibuf[0] & TIOCPKT_DOSTOP ? 1 : 0;
+		    if (newflow != flowmode) {
+			flowmode = newflow;
+			output_data("%c%c%c%c%c%c",
+				    IAC, SB, TELOPT_LFLOW,
+				    flowmode ? LFLOW_ON
+				    : LFLOW_OFF,
+				    IAC, SE);
+			DIAG(TD_OPTIONS, printsub('>',
+						  (unsigned char *)nfrontp-4,
+						  4););
+		    }
+		}
+		pcc--;
+		ptyip = ptyibuf+1;
+	    }
+	}
+
+	while (pcc > 0) {
+	    if ((&netobuf[BUFSIZ] - nfrontp) < 3)
+		break;
+	    c = *ptyip++ & 0377, pcc--;
+	    if (c == IAC)
+		*nfrontp++ = c;
+	    *nfrontp++ = c;
+	    if ((c == '\r') && (my_state_is_wont(TELOPT_BINARY))) {
+		if (pcc > 0 && ((*ptyip & 0377) == '\n')) {
+		    *nfrontp++ = *ptyip++ & 0377;
+		    pcc--;
+		} else
+		    *nfrontp++ = '\0';
+	    }
+	}
+
+	if (FD_ISSET(f, &obits) && (nfrontp - nbackp) > 0)
+	    netflush();
+	if (ncc > 0)
+	    telrcv();
+	if (FD_ISSET(p, &obits) && (pfrontp - pbackp) > 0)
+	    ptyflush();
+    }
+    cleanup(0);
+}
+
+#ifndef	TCSIG
+# ifdef	TIOCSIG
+#  define TCSIG TIOCSIG
+# endif
+#endif
+
+#ifdef	STREAMSPTY
+
+    int flowison = -1;  /* current state of flow: -1 is unknown */
+
+int
+readstream(int p, char *ibuf, int bufsize)
+{
+    int flags = 0;
+    int ret = 0;
+    struct termios *tsp;
+#if 0
+    struct termio *tp;
+#endif
+    struct iocblk *ip;
+    char vstop, vstart;
+    int ixon;
+    int newflow;
+
+    strbufc.maxlen = BUFSIZ;
+    strbufc.buf = (char *)ctlbuf;
+    strbufd.maxlen = bufsize-1;
+    strbufd.len = 0;
+    strbufd.buf = ibuf+1;
+    ibuf[0] = 0;
+
+    ret = getmsg(p, &strbufc, &strbufd, &flags);
+    if (ret < 0)  /* error of some sort -- probably EAGAIN */
+	return(-1);
+
+    if (strbufc.len <= 0 || ctlbuf[0] == M_DATA) {
+	/* data message */
+	if (strbufd.len > 0) {			/* real data */
+	    return(strbufd.len + 1);	/* count header char */
+	} else {
+	    /* nothing there */
+	    errno = EAGAIN;
+	    return(-1);
+	}
+    }
+
+    /*
+     * It's a control message.  Return 1, to look at the flag we set
+     */
+
+    switch (ctlbuf[0]) {
+    case M_FLUSH:
+	if (ibuf[1] & FLUSHW)
+	    ibuf[0] = TIOCPKT_FLUSHWRITE;
+	return(1);
+
+    case M_IOCTL:
+	ip = (struct iocblk *) (ibuf+1);
+
+	switch (ip->ioc_cmd) {
+#ifdef TCSETS
+	case TCSETS:
+	case TCSETSW:
+	case TCSETSF:
+	    tsp = (struct termios *)
+		(ibuf+1 + sizeof(struct iocblk));
+	    vstop = tsp->c_cc[VSTOP];
+	    vstart = tsp->c_cc[VSTART];
+	    ixon = tsp->c_iflag & IXON;
+	    break;
+#endif
+#if 0
+	case TCSETA:
+	case TCSETAW:
+	case TCSETAF:
+	    tp = (struct termio *) (ibuf+1 + sizeof(struct iocblk));
+	    vstop = tp->c_cc[VSTOP];
+	    vstart = tp->c_cc[VSTART];
+	    ixon = tp->c_iflag & IXON;
+	    break;
+#endif
+	default:
+	    errno = EAGAIN;
+	    return(-1);
+	}
+
+	newflow =  (ixon && (vstart == 021) && (vstop == 023)) ? 1 : 0;
+	if (newflow != flowison) {  /* it's a change */
+	    flowison = newflow;
+	    ibuf[0] = newflow ? TIOCPKT_DOSTOP : TIOCPKT_NOSTOP;
+	    return(1);
+	}
+    }
+
+    /* nothing worth doing anything about */
+    errno = EAGAIN;
+    return(-1);
+}
+#endif /* STREAMSPTY */
+
+/*
+ * Send interrupt to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write intr char.
+ */
+void
+interrupt()
+{
+    ptyflush();	/* half-hearted */
+
+#if defined(STREAMSPTY) && defined(TIOCSIGNAL)
+    /* Streams PTY style ioctl to post a signal */
+    if (really_stream)
+	{
+	    int sig = SIGINT;
+	    ioctl(ourpty, TIOCSIGNAL, &sig);
+	    ioctl(ourpty, I_FLUSH, FLUSHR);
+	}
+#else
+#ifdef	TCSIG
+    ioctl(ourpty, TCSIG, (char *)SIGINT);
+#else	/* TCSIG */
+    init_termbuf();
+    *pfrontp++ = slctab[SLC_IP].sptr ?
+	(unsigned char)*slctab[SLC_IP].sptr : '\177';
+#endif	/* TCSIG */
+#endif
+}
+
+/*
+ * Send quit to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write quit char.
+ */
+void
+sendbrk()
+{
+    ptyflush();	/* half-hearted */
+#ifdef	TCSIG
+    ioctl(ourpty, TCSIG, (char *)SIGQUIT);
+#else	/* TCSIG */
+    init_termbuf();
+    *pfrontp++ = slctab[SLC_ABORT].sptr ?
+	(unsigned char)*slctab[SLC_ABORT].sptr : '\034';
+#endif	/* TCSIG */
+}
+
+void
+sendsusp()
+{
+#ifdef	SIGTSTP
+    ptyflush();	/* half-hearted */
+# ifdef	TCSIG
+    ioctl(ourpty, TCSIG, (char *)SIGTSTP);
+# else	/* TCSIG */
+    *pfrontp++ = slctab[SLC_SUSP].sptr ?
+	(unsigned char)*slctab[SLC_SUSP].sptr : '\032';
+# endif	/* TCSIG */
+#endif	/* SIGTSTP */
+}
+
+/*
+ * When we get an AYT, if ^T is enabled, use that.  Otherwise,
+ * just send back "[Yes]".
+ */
+void
+recv_ayt()
+{
+#if	defined(SIGINFO) && defined(TCSIG)
+    if (slctab[SLC_AYT].sptr && *slctab[SLC_AYT].sptr != _POSIX_VDISABLE) {
+	ioctl(ourpty, TCSIG, (char *)SIGINFO);
+	return;
+    }
+#endif
+    output_data("\r\n[Yes]\r\n");
+}
+
+void
+doeof()
+{
+    init_termbuf();
+
+    *pfrontp++ = slctab[SLC_EOF].sptr ?
+	(unsigned char)*slctab[SLC_EOF].sptr : '\004';
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.cat8 b/crypto/heimdal/appl/telnet/telnetd/telnetd.cat8
new file mode 100644
index 0000000..988bf31
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.cat8
@@ -0,0 +1,297 @@
+
+TELNETD(8)               UNIX System Manager's Manual               TELNETD(8)
+
+NNAAMMEE
+     tteellnneettdd - DARPA TELNET protocol server
+
+SSYYNNOOPPSSIISS
+     tteellnneettdd [--BBUUhhkkllnn] [--DD _d_e_b_u_g_m_o_d_e] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--aa _a_u_t_h_m_o_d_e]
+             [--rr_l_o_w_p_t_y_-_h_i_g_h_p_t_y] [--uu _l_e_n] [--ddeebbuugg] [--LL _/_b_i_n_/_l_o_g_i_n] [_p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     The tteellnneettdd command is a server which supports the DARPA standard TELNET
+     virtual terminal protocol.  TTeellnneettdd is normally invoked by the internet
+     server (see inetd(8))  for requests to connect to the TELNET port as in-
+     dicated by the _/_e_t_c_/_s_e_r_v_i_c_e_s file (see services(5)).  The --ddeebbuugg option
+     may be used to start up tteellnneettdd manually, instead of through inetd(8).
+     If started up this way, _p_o_r_t may be specified to run tteellnneettdd on an alter-
+     nate TCP port number.
+
+     The tteellnneettdd command accepts the following options:
+
+     --aa _a_u_t_h_m_o_d_e  This option may be used for specifying what mode should be
+                  used for authentication.  Note that this option is only use-
+                  ful if tteellnneettdd has been compiled with support for the
+                  AUTHENTICATION option.  There are several valid values for
+                  _a_u_t_h_m_o_d_e:
+
+                  debug  Turns on authentication debugging code.
+
+                  user   Only allow connections when the remote user can pro-
+                         vide valid authentication information to identify the
+                         remote user, and is allowed access to the specified
+                         account without providing a password.
+
+                  valid  Only allow connections when the remote user can pro-
+                         vide valid authentication information to identify the
+                         remote user.  The login(1) command will provide any
+                         additional user verification needed if the remote us-
+                         er is not allowed automatic access to the specified
+                         account.
+
+                  other  Only allow connections that supply some authentica-
+                         tion information.  This option is currently not sup-
+                         ported by any of the existing authentication mecha-
+                         nisms, and is thus the same as specifying --aa vvaalliidd.
+
+                  otp    Only allow authenticated connections (as with --aa
+                         uusseerr) and also logins with one-time passwords (OTPs).
+                         This option will call login with an option so that
+                         only OTPs are accepted.  The user can of course still
+                         type secret information at the prompt.
+
+                  none   This is the default state.  Authentication informa-
+                         tion is not required.  If no or insufficient authen-
+                         tication information is provided, then the login(1)
+                         program will provide the necessary user verification.
+
+                  off    This disables the authentication code.  All user ver-
+                         ification will happen through the login(1) program.
+
+     --BB           Ignored.
+
+     --DD _d_e_b_u_g_m_o_d_e
+                  This option may be used for debugging purposes.  This allows
+                  tteellnneettdd to print out debugging information to the connec-
+                  tion, allowing the user to see what tteellnneettdd is doing.  There
+                  are several possible values for _d_e_b_u_g_m_o_d_e:
+
+                  ooppttiioonnss   Prints information about the negotiation of TELNET
+                            options.
+
+                  rreeppoorrtt    Prints the ooppttiioonnss information, plus some addi-
+                            tional information about what processing is going
+                            on.
+
+                  nneettddaattaa   Displays the data stream received by tteellnneettdd.
+
+                  ppttyyddaattaa   Displays data written to the pty.
+
+                  eexxeerrcciissee  Has not been implemented yet.
+
+     --hh           Disables the printing of host-specific information before
+                  login has been completed.
+
+     --kk
+
+     --ll           Ignored.
+
+     --nn           Disable TCP keep-alives.  Normally tteellnneettdd enables the TCP
+                  keep-alive mechanism to probe connections that have been
+                  idle for some period of time to determine if the client is
+                  still there, so that idle connections from machines that
+                  have crashed or can no longer be reached may be cleaned up.
+
+     --rr _l_o_w_p_t_y_-_h_i_g_h_p_t_y
+                  This option is only enabled when tteellnneettdd is compiled for
+                  UNICOS. It specifies an inclusive range of pseudo-terminal
+                  devices to use.  If the system has sysconf variable
+                  _SC_CRAY_NPTY configured, the default pty search range is 0
+                  to _SC_CRAY_NPTY; otherwise, the default range is 0 to 128.
+                  Either _l_o_w_p_t_y or _h_i_g_h_p_t_y may be omitted to allow changing
+                  either end of the search range.  If _l_o_w_p_t_y is omitted, the -
+                  character is still required so that tteellnneettdd can differenti-
+                  ate _h_i_g_h_p_t_y from _l_o_w_p_t_y.
+
+     --SS _t_o_s
+
+     --uu _l_e_n       This option is used to specify the size of the field in the
+                  utmp structure that holds the remote host name.  If the re-
+                  solved host name is longer than _l_e_n, the dotted decimal val-
+                  ue will be used instead.  This allows hosts with very long
+                  host names that overflow this field to still be uniquely
+                  identified.  Specifying --uu00 indicates that only dotted deci-
+                  mal addresses should be put into the _u_t_m_p file.
+
+     --UU           This option causes tteellnneettdd to refuse connections from ad-
+                  dresses that cannot be mapped back into a symbolic name via
+                  the gethostbyaddr(3) routine.
+
+     --XX _a_u_t_h_t_y_p_e  This option is only valid if tteellnneettdd has been built with
+                  support for the authentication option.  It disables the use
+                  of _a_u_t_h_t_y_p_e authentication, and can be used to temporarily
+                  disable a specific authentication type without having to re-
+                  compile tteellnneettdd.
+
+     --LL --ppaatthhnnaammee
+                  Specify pathname to an alternative login program.
+
+     TTeellnneettdd operates by allocating a pseudo-terminal device (see pty(4))  for
+     a client, then creating a login process which has the slave side of the
+     pseudo-terminal as stdin, stdout and stderr. TTeellnneettdd manipulates the mas-
+     ter side of the pseudo-terminal, implementing the TELNET protocol and
+     passing characters between the remote client and the login process.
+
+     When a TELNET session is started up, tteellnneettdd sends TELNET options to the
+     client side indicating a willingness to do the following TELNET options,
+     which are described in more detail below:
+
+           DO AUTHENTICATION
+           WILL ENCRYPT
+           DO TERMINAL TYPE
+           DO TSPEED
+           DO XDISPLOC
+           DO NEW-ENVIRON
+           DO ENVIRON
+           WILL SUPPRESS GO AHEAD
+           DO ECHO
+           DO LINEMODE
+           DO NAWS
+           WILL STATUS
+           DO LFLOW
+           DO TIMING-MARK
+
+     The pseudo-terminal allocated to the client is configured to operate in
+     ``cooked'' mode, and with XTABS and CRMOD enabled (see tty(4)).
+
+     TTeellnneettdd has support for enabling locally the following TELNET options:
+
+     WILL ECHO          When the LINEMODE option is enabled, a WILL ECHO or
+                        WONT ECHO will be sent to the client to indicate the
+                        current state of terminal echoing.  When terminal echo
+                        is not desired, a WILL ECHO is sent to indicate that
+                        telnetd will take care of echoing any data that needs
+                        to be echoed to the terminal, and then nothing is
+                        echoed.  When terminal echo is desired, a WONT ECHO is
+                        sent to indicate that telnetd will not be doing any
+                        terminal echoing, so the client should do any terminal
+                        echoing that is needed.
+
+     WILL BINARY        Indicates that the client is willing to send a 8 bits
+                        of data, rather than the normal 7 bits of the Network
+                        Virtual Terminal.
+
+     WILL SGA           Indicates that it will not be sending IAC GA, go
+                        ahead, commands.
+
+     WILL STATUS        Indicates a willingness to send the client, upon re-
+                        quest, of the current status of all TELNET options.
+
+     WILL TIMING-MARK   Whenever a DO TIMING-MARK command is received, it is
+                        always responded to with a WILL TIMING-MARK
+
+     WILL LOGOUT        When a DO LOGOUT is received, a WILL LOGOUT is sent in
+                        response, and the TELNET session is shut down.
+
+     WILL ENCRYPT       Only sent if tteellnneettdd is compiled with support for data
+                        encryption, and indicates a willingness to decrypt the
+                        data stream.
+
+     TTeellnneettdd has support for enabling remotely the following TELNET options:
+
+     DO BINARY          Sent to indicate that telnetd is willing to receive an
+                        8 bit data stream.
+
+     DO LFLOW           Requests that the client handle flow control charac-
+
+
+                        ters remotely.
+
+     DO ECHO            This is not really supported, but is sent to identify
+                        a 4.2BSD telnet(1) client, which will improperly re-
+                        spond with WILL ECHO. If a WILL ECHO is received, a
+                        DONT ECHO will be sent in response.
+
+     DO TERMINAL-TYPE   Indicates a desire to be able to request the name of
+                        the type of terminal that is attached to the client
+                        side of the connection.
+
+     DO SGA             Indicates that it does not need to receive IAC GA, the
+                        go ahead command.
+
+     DO NAWS            Requests that the client inform the server when the
+                        window (display) size changes.
+
+     DO TERMINAL-SPEED  Indicates a desire to be able to request information
+                        about the speed of the serial line to which the client
+                        is attached.
+
+     DO XDISPLOC        Indicates a desire to be able to request the name of
+                        the X windows display that is associated with the tel-
+                        net client.
+
+     DO NEW-ENVIRON     Indicates a desire to be able to request environment
+                        variable information, as described in RFC 1572.
+
+     DO ENVIRON         Indicates a desire to be able to request environment
+                        variable information, as described in RFC 1408.
+
+     DO LINEMODE        Only sent if tteellnneettdd is compiled with support for
+                        linemode, and requests that the client do line by line
+                        processing.
+
+     DO TIMING-MARK     Only sent if tteellnneettdd is compiled with support for both
+                        linemode and kludge linemode, and the client responded
+                        with WONT LINEMODE. If the client responds with WILL
+                        TM, the it is assumed that the client supports kludge
+                        linemode.  Note that the [--kk] option can be used to
+                        disable this.
+
+     DO AUTHENTICATION  Only sent if tteellnneettdd is compiled with support for au-
+                        thentication, and indicates a willingness to receive
+                        authentication information for automatic login.
+
+     DO ENCRYPT         Only sent if tteellnneettdd is compiled with support for data
+                        encryption, and indicates a willingness to decrypt the
+                        data stream.
+
+EENNVVIIRROONNMMEENNTT
+FFIILLEESS
+     /etc/services
+     /etc/inittab   (UNICOS systems only)
+     /etc/iptos     (if supported)
+
+SSEEEE AALLSSOO
+     telnet(1),  login(1)
+
+SSTTAANNDDAARRDDSS
+     RRFFCC--885544   TELNET PROTOCOL SPECIFICATION
+     RRFFCC--885555   TELNET OPTION SPECIFICATIONS
+     RRFFCC--885566   TELNET BINARY TRANSMISSION
+     RRFFCC--885577   TELNET ECHO OPTION
+
+
+     RRFFCC--885588   TELNET SUPPRESS GO AHEAD OPTION
+     RRFFCC--885599   TELNET STATUS OPTION
+     RRFFCC--886600   TELNET TIMING MARK OPTION
+     RRFFCC--886611   TELNET EXTENDED OPTIONS - LIST OPTION
+     RRFFCC--888855   TELNET END OF RECORD OPTION
+     RRFFCC--11007733  Telnet Window Size Option
+     RRFFCC--11007799  Telnet Terminal Speed Option
+     RRFFCC--11009911  Telnet Terminal-Type Option
+     RRFFCC--11009966  Telnet X Display Location Option
+     RRFFCC--11112233  Requirements for Internet Hosts -- Application and Support
+     RRFFCC--11118844  Telnet Linemode Option
+     RRFFCC--11337722  Telnet Remote Flow Control Option
+     RRFFCC--11441166  Telnet Authentication Option
+     RRFFCC--11441111  Telnet Authentication: Kerberos Version 4
+     RRFFCC--11441122  Telnet Authentication: SPX
+     RRFFCC--11557711  Telnet Environment Option Interoperability Issues
+     RRFFCC--11557722  Telnet Environment Option
+
+BBUUGGSS
+     Some TELNET commands are only partially implemented.
+
+     Because of bugs in the original 4.2 BSD telnet(1),  tteellnneettdd performs some
+     dubious protocol exchanges to try to discover if the remote client is, in
+     fact, a 4.2 BSD telnet(1).
+
+     Binary mode has no common interpretation except between similar operating
+     systems (Unix in this case).
+
+     The terminal type name received from the remote client is converted to
+     lower case.
+
+     TTeellnneettdd never sends TELNET IAC GA (go ahead) commands.
+
+4.2 Berkeley Distribution        June 1, 1994                                5
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.h b/crypto/heimdal/appl/telnet/telnetd/telnetd.h
new file mode 100644
index 0000000..6504607
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.h
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)telnetd.h	8.1 (Berkeley) 6/4/93
+ */
+
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+/* including both <sys/ioctl.h> and <termios.h> in SunOS 4 generates a
+   lot of warnings */
+
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#include <signal.h>
+#include <errno.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#include <ctype.h>
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include <termios.h>
+
+#ifdef HAVE_PTY_H
+#include <pty.h>
+#endif
+
+#include "defs.h"
+
+#ifndef _POSIX_VDISABLE
+# ifdef VDISABLE
+#  define _POSIX_VDISABLE VDISABLE
+# else
+#  define _POSIX_VDISABLE ((unsigned char)'\377')
+# endif
+#endif
+
+
+#ifdef HAVE_SYS_PTY_H
+#include <sys/pty.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+#ifdef HAVE_SYS_PTYIO_H
+#include <sys/ptyio.h>
+#endif
+
+#ifdef HAVE_SYS_UTSNAME_H
+#include <sys/utsname.h>
+#endif
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#include "ext.h"
+
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#ifdef KRB4
+#include <krb.h>
+#endif
+
+#ifdef AUTHENTICATION
+#include <libtelnet/auth.h>
+#include <libtelnet/misc.h>
+#ifdef ENCRYPTION
+#include <libtelnet/encrypt.h>
+#endif
+#endif
+
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
+
+#include <roken.h>
+
+/* Don't use the system login, use our version instead */
+
+/* BINDIR should be defined somewhere else... */
+
+#ifndef BINDIR
+#define BINDIR "/usr/athena/bin"
+#endif
+
+#undef _PATH_LOGIN
+#define _PATH_LOGIN	BINDIR "/login"
+
+/* fallbacks */
+
+#ifndef _PATH_DEV
+#define _PATH_DEV "/dev/"
+#endif
+
+#ifndef _PATH_TTY
+#define _PATH_TTY "/dev/tty"
+#endif /* _PATH_TTY */
+
+#ifdef	DIAGNOSTICS
+#define	DIAG(a,b)	if (diagnostic & (a)) b
+#else
+#define	DIAG(a,b)
+#endif
+
+/* other external variables */
+extern	char **environ;
+
+/* prototypes */
+
+/* appends data to nfrontp and advances */
+int output_data (const char *format, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
diff --git a/crypto/heimdal/appl/telnet/telnetd/termstat.c b/crypto/heimdal/appl/telnet/telnetd/termstat.c
new file mode 100644
index 0000000..80ee145
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/termstat.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: termstat.c,v 1.11 1997/05/11 06:30:04 assar Exp $");
+
+/*
+ * local variables
+ */
+int def_tspeed = -1, def_rspeed = -1;
+#ifdef	TIOCSWINSZ
+int def_row = 0, def_col = 0;
+#endif
+
+/*
+ * flowstat
+ *
+ * Check for changes to flow control
+ */
+void
+flowstat()
+{
+    if (his_state_is_will(TELOPT_LFLOW)) {
+	if (tty_flowmode() != flowmode) {
+	    flowmode = tty_flowmode();
+	    output_data("%c%c%c%c%c%c",
+			IAC, SB, TELOPT_LFLOW,
+			flowmode ? LFLOW_ON : LFLOW_OFF,
+			IAC, SE);
+	}
+	if (tty_restartany() != restartany) {
+	    restartany = tty_restartany();
+	    output_data("%c%c%c%c%c%c",
+			IAC, SB, TELOPT_LFLOW,
+			restartany ? LFLOW_RESTART_ANY
+			: LFLOW_RESTART_XON,
+			IAC, SE);
+	}
+    }
+}
+
+/*
+ * clientstat
+ *
+ * Process linemode related requests from the client.
+ * Client can request a change to only one of linemode, editmode or slc's
+ * at a time, and if using kludge linemode, then only linemode may be
+ * affected.
+ */
+void
+clientstat(int code, int parm1, int parm2)
+{
+    void netflush();
+
+    /*
+     * Get a copy of terminal characteristics.
+     */
+    init_termbuf();
+
+    /*
+     * Process request from client. code tells what it is.
+     */
+    switch (code) {
+    case TELOPT_NAWS:
+#ifdef	TIOCSWINSZ
+	{
+	    struct winsize ws;
+
+	    def_col = parm1;
+	    def_row = parm2;
+
+	    /*
+	     * Change window size as requested by client.
+	     */
+
+	    ws.ws_col = parm1;
+	    ws.ws_row = parm2;
+	    ioctl(ourpty, TIOCSWINSZ, (char *)&ws);
+	}
+#endif	/* TIOCSWINSZ */
+
+    break;
+
+    case TELOPT_TSPEED:
+	{
+	    def_tspeed = parm1;
+	    def_rspeed = parm2;
+	    /*
+	     * Change terminal speed as requested by client.
+	     * We set the receive speed first, so that if we can't
+	     * store seperate receive and transmit speeds, the transmit
+	     * speed will take precedence.
+	     */
+	    tty_rspeed(parm2);
+	    tty_tspeed(parm1);
+	    set_termbuf();
+
+	    break;
+
+	}  /* end of case TELOPT_TSPEED */
+
+    default:
+	/* What? */
+	break;
+    }  /* end of switch */
+
+    netflush();
+
+}
diff --git a/crypto/heimdal/appl/telnet/telnetd/utility.c b/crypto/heimdal/appl/telnet/telnetd/utility.c
new file mode 100644
index 0000000..496152c
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/utility.c
@@ -0,0 +1,1171 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define PRINTOPTIONS
+#include "telnetd.h"
+
+RCSID("$Id: utility.c,v 1.25 2001/05/17 00:34:42 assar Exp $");
+
+/*
+ * utility functions performing io related tasks
+ */
+
+/*
+ * ttloop
+ *
+ * A small subroutine to flush the network output buffer, get some
+ * data from the network, and pass it through the telnet state
+ * machine.  We also flush the pty input buffer (by dropping its data)
+ * if it becomes too full.
+ *
+ * return 0 if OK or 1 if interrupted by a signal.
+ */
+
+int
+ttloop(void)
+{
+    void netflush(void);
+    
+    DIAG(TD_REPORT, {
+	output_data("td: ttloop\r\n");
+    });
+    if (nfrontp-nbackp)
+	netflush();
+    ncc = read(net, netibuf, sizeof netibuf);
+    if (ncc < 0) {
+	if (errno == EINTR)
+	    return 1;
+	syslog(LOG_INFO, "ttloop:  read: %m\n");
+	exit(1);
+    } else if (ncc == 0) {
+	syslog(LOG_INFO, "ttloop:  peer died\n");
+	exit(1);
+    }
+    DIAG(TD_REPORT, {
+	output_data("td: ttloop read %d chars\r\n", ncc);
+    });
+    netip = netibuf;
+    telrcv();			/* state machine */
+    if (ncc > 0) {
+	pfrontp = pbackp = ptyobuf;
+	telrcv();
+    }
+    return 0;
+}  /* end of ttloop */
+
+/*
+ * Check a descriptor to see if out of band data exists on it.
+ */
+int
+stilloob(int s)
+{
+    static struct timeval timeout = { 0 };
+    fd_set	excepts;
+    int value;
+
+    if (s >= FD_SETSIZE)
+	fatal(ourpty, "fd too large");
+
+    do {
+	FD_ZERO(&excepts);
+	FD_SET(s, &excepts);
+	value = select(s+1, 0, 0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+	fatalperror(ourpty, "select");
+    }
+    if (FD_ISSET(s, &excepts)) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+void
+ptyflush(void)
+{
+    int n;
+
+    if ((n = pfrontp - pbackp) > 0) {
+	DIAG((TD_REPORT | TD_PTYDATA), { 
+	    output_data("td: ptyflush %d chars\r\n", n);
+	});
+	DIAG(TD_PTYDATA, printdata("pd", pbackp, n));
+	n = write(ourpty, pbackp, n);
+    }
+    if (n < 0) {
+	if (errno == EWOULDBLOCK || errno == EINTR)
+	    return;
+	cleanup(0);
+    }
+    pbackp += n;
+    if (pbackp == pfrontp)
+	pbackp = pfrontp = ptyobuf;
+}
+
+/*
+ * nextitem()
+ *
+ *	Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+char *
+nextitem(char *current)
+{
+    if ((*current&0xff) != IAC) {
+	return current+1;
+    }
+    switch (*(current+1)&0xff) {
+    case DO:
+    case DONT:
+    case WILL:
+    case WONT:
+	return current+3;
+    case SB:{
+	/* loop forever looking for the SE */
+	char *look = current+2;
+
+	for (;;) {
+	    if ((*look++&0xff) == IAC) {
+		if ((*look++&0xff) == SE) {
+		    return look;
+		}
+	    }
+	}
+    }
+    default:
+	return current+2;
+    }
+}
+
+
+/*
+ * netclear()
+ *
+ *	We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *	Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *	A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+void
+netclear(void)
+{
+    char *thisitem, *next;
+    char *good;
+#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+			 ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+#ifdef ENCRYPTION
+	thisitem = nclearto > netobuf ? nclearto : netobuf;
+#else
+	thisitem = netobuf;
+#endif
+
+	while ((next = nextitem(thisitem)) <= nbackp) {
+	    thisitem = next;
+	}
+
+	/* Now, thisitem is first before/at boundary. */
+
+#ifdef ENCRYPTION
+	good = nclearto > netobuf ? nclearto : netobuf;
+#else
+	good = netobuf;	/* where the good bytes go */
+#endif
+
+	while (nfrontp > thisitem) {
+	    if (wewant(thisitem)) {
+		int length;
+
+		next = thisitem;
+		do {
+		    next = nextitem(next);
+		} while (wewant(next) && (nfrontp > next));
+		length = next-thisitem;
+		memmove(good, thisitem, length);
+		good += length;
+		thisitem = next;
+	    } else {
+		thisitem = nextitem(thisitem);
+	    }
+	}
+
+	nbackp = netobuf;
+	nfrontp = good;		/* next byte to be sent */
+	neturg = 0;
+}  /* end of netclear */
+
+/*
+ *  netflush
+ *		Send as much data as possible to the network,
+ *	handling requests for urgent data.
+ */
+void
+netflush(void)
+{
+    int n;
+    extern int not42;
+
+    if ((n = nfrontp - nbackp) > 0) {
+	DIAG(TD_REPORT,
+	     { n += output_data("td: netflush %d chars\r\n", n);
+	     });
+#ifdef ENCRYPTION
+	if (encrypt_output) {
+	    char *s = nclearto ? nclearto : nbackp;
+	    if (nfrontp - s > 0) {
+		(*encrypt_output)((unsigned char *)s, nfrontp-s);
+		nclearto = nfrontp;
+	    }
+	}
+#endif
+	/*
+	 * if no urgent data, or if the other side appears to be an
+	 * old 4.2 client (and thus unable to survive TCP urgent data),
+	 * write the entire buffer in non-OOB mode.
+	 */
+#if 1 /* remove this to make it work between solaris 2.6 and linux */
+	if ((neturg == 0) || (not42 == 0)) {
+#endif
+	    n = write(net, nbackp, n);	/* normal write */
+#if 1 /* remove this to make it work between solaris 2.6 and linux */
+	} else {
+	    n = neturg - nbackp;
+	    /*
+	     * In 4.2 (and 4.3) systems, there is some question about
+	     * what byte in a sendOOB operation is the "OOB" data.
+	     * To make ourselves compatible, we only send ONE byte
+	     * out of band, the one WE THINK should be OOB (though
+	     * we really have more the TCP philosophy of urgent data
+	     * rather than the Unix philosophy of OOB data).
+	     */
+	    if (n > 1) {
+		n = send(net, nbackp, n-1, 0);	/* send URGENT all by itself */
+	    } else {
+		n = send(net, nbackp, n, MSG_OOB);	/* URGENT data */
+	    }
+	}
+#endif
+    }
+    if (n < 0) {
+	if (errno == EWOULDBLOCK || errno == EINTR)
+	    return;
+	cleanup(0);
+    }
+    nbackp += n;
+#ifdef ENCRYPTION
+    if (nbackp > nclearto)
+	nclearto = 0;
+#endif
+    if (nbackp >= neturg) {
+	neturg = 0;
+    }
+    if (nbackp == nfrontp) {
+	nbackp = nfrontp = netobuf;
+#ifdef ENCRYPTION
+	nclearto = 0;
+#endif
+    }
+    return;
+}
+
+
+/*
+ * writenet
+ *
+ * Just a handy little function to write a bit of raw data to the net.
+ * It will force a transmit of the buffer if necessary
+ *
+ * arguments
+ *    ptr - A pointer to a character string to write
+ *    len - How many bytes to write
+ */
+void
+writenet(unsigned char *ptr, int len)
+{
+    /* flush buffer if no room for new data) */
+    while ((&netobuf[BUFSIZ] - nfrontp) < len) {
+	/* if this fails, don't worry, buffer is a little big */
+	netflush();
+    }
+
+    memmove(nfrontp, ptr, len);
+    nfrontp += len;
+}
+
+
+/*
+ * miscellaneous functions doing a variety of little jobs follow ...
+ */
+
+
+void fatal(int f, char *msg)
+{
+    char buf[BUFSIZ];
+
+    snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);
+#ifdef ENCRYPTION
+    if (encrypt_output) {
+	/*
+	 * Better turn off encryption first....
+	 * Hope it flushes...
+	 */
+	encrypt_send_end();
+	netflush();
+    }
+#endif
+    write(f, buf, (int)strlen(buf));
+    sleep(1);	/*XXX*/
+    exit(1);
+}
+
+void
+fatalperror_errno(int f, const char *msg, int error)
+{
+    char buf[BUFSIZ];
+    
+    snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(error));
+    fatal(f, buf);
+}
+
+void
+fatalperror(int f, const char *msg)
+{
+    fatalperror_errno(f, msg, errno);
+}
+
+char editedhost[32];
+
+void edithost(char *pat, char *host)
+{
+    char *res = editedhost;
+
+    if (!pat)
+	pat = "";
+    while (*pat) {
+	switch (*pat) {
+
+	case '#':
+	    if (*host)
+		host++;
+	    break;
+
+	case '@':
+	    if (*host)
+		*res++ = *host++;
+	    break;
+
+	default:
+	    *res++ = *pat;
+	    break;
+	}
+	if (res == &editedhost[sizeof editedhost - 1]) {
+	    *res = '\0';
+	    return;
+	}
+	pat++;
+    }
+    if (*host)
+	strlcpy (res, host,
+			 sizeof editedhost - (res - editedhost));
+    else
+	*res = '\0';
+    editedhost[sizeof editedhost - 1] = '\0';
+}
+
+static char *putlocation;
+
+void
+putstr(char *s)
+{
+
+    while (*s)
+	putchr(*s++);
+}
+
+void
+putchr(int cc)
+{
+    *putlocation++ = cc;
+}
+
+/*
+ * This is split on two lines so that SCCS will not see the M
+ * between two % signs and expand it...
+ */
+static char fmtstr[] = { "%l:%M" "%P on %A, %d %B %Y" };
+
+void putf(char *cp, char *where)
+{
+#ifdef HAVE_UNAME
+    struct utsname name;
+#endif
+    char *slash;
+    time_t t;
+    char db[100];
+
+    /* if we don't have uname, set these to sensible values */
+    char *sysname = "Unix", 
+	*machine = "", 
+	*release = "",
+	*version = ""; 
+
+#ifdef HAVE_UNAME
+    uname(&name);
+    sysname=name.sysname;
+    machine=name.machine;
+    release=name.release;
+    version=name.version;
+#endif
+
+    putlocation = where;
+
+    while (*cp) {
+	if (*cp != '%') {
+	    putchr(*cp++);
+	    continue;
+	}
+	switch (*++cp) {
+
+	case 't':
+#ifdef	STREAMSPTY
+	    /* names are like /dev/pts/2 -- we want pts/2 */
+	    slash = strchr(line+1, '/');
+#else
+	    slash = strrchr(line, '/');
+#endif
+	    if (slash == (char *) 0)
+		putstr(line);
+	    else
+		putstr(&slash[1]);
+	    break;
+
+	case 'h':
+	    putstr(editedhost);
+	    break;
+
+	case 's':
+	    putstr(sysname);
+	    break;
+
+	case 'm':
+	    putstr(machine);
+	    break;
+
+	case 'r':
+	    putstr(release);
+	    break;
+
+	case 'v':
+	    putstr(version);
+	    break;
+
+	case 'd':
+	    time(&t);
+	    strftime(db, sizeof(db), fmtstr, localtime(&t));
+	    putstr(db);
+	    break;
+
+	case '%':
+	    putchr('%');
+	    break;
+	}
+	cp++;
+    }
+}
+
+#ifdef DIAGNOSTICS
+/*
+ * Print telnet options and commands in plain text, if possible.
+ */
+void
+printoption(char *fmt, int option)
+{
+    if (TELOPT_OK(option))
+	output_data("%s %s\r\n",
+		    fmt,
+		    TELOPT(option));
+    else if (TELCMD_OK(option))
+	output_data("%s %s\r\n",
+		    fmt,
+		    TELCMD(option));
+    else
+	output_data("%s %d\r\n",
+		    fmt,
+		    option);
+    return;
+}
+
+void
+printsub(int direction, unsigned char *pointer, int length)
+        		          	/* '<' or '>' */
+                 	         	/* where suboption data sits */
+       			       		/* length of suboption data */
+{
+    int i = 0;
+    unsigned char buf[512];
+
+    if (!(diagnostic & TD_OPTIONS))
+	return;
+
+    if (direction) {
+	output_data("td: %s suboption ",
+		    direction == '<' ? "recv" : "send");
+	if (length >= 3) {
+	    int j;
+
+	    i = pointer[length-2];
+	    j = pointer[length-1];
+
+	    if (i != IAC || j != SE) {
+		output_data("(terminated by ");
+		if (TELOPT_OK(i))
+		    output_data("%s ",
+				TELOPT(i));
+		else if (TELCMD_OK(i))
+		    output_data("%s ",
+				TELCMD(i));
+		else
+		    output_data("%d ",
+				i);
+		if (TELOPT_OK(j))
+		    output_data("%s",
+				TELOPT(j));
+		else if (TELCMD_OK(j))
+		    output_data("%s",
+				TELCMD(j));
+		else
+		    output_data("%d",
+				j);
+		output_data(", not IAC SE!) ");
+	    }
+	}
+	length -= 2;
+    }
+    if (length < 1) {
+	output_data("(Empty suboption??\?)");
+	return;
+    }
+    switch (pointer[0]) {
+    case TELOPT_TTYPE:
+	output_data("TERMINAL-TYPE ");
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data("IS \"%.*s\"",
+			length-2,
+			(char *)pointer+2);
+	    break;
+	case TELQUAL_SEND:
+	    output_data("SEND");
+	    break;
+	default:
+	    output_data("- unknown qualifier %d (0x%x).",
+			pointer[1], pointer[1]);
+	}
+	break;
+    case TELOPT_TSPEED:
+	output_data("TERMINAL-SPEED");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data(" IS %.*s", length-2, (char *)pointer+2);
+	    break;
+	default:
+	    if (pointer[1] == 1)
+		output_data(" SEND");
+	    else
+		output_data(" %d (unknown)", pointer[1]);
+	    for (i = 2; i < length; i++) {
+		output_data(" ?%d?", pointer[i]);
+	    }
+	    break;
+	}
+	break;
+
+    case TELOPT_LFLOW:
+	output_data("TOGGLE-FLOW-CONTROL");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case LFLOW_OFF:
+	    output_data(" OFF");
+	    break;
+	case LFLOW_ON:
+	    output_data(" ON");
+	    break;
+	case LFLOW_RESTART_ANY:
+	    output_data(" RESTART-ANY");
+	    break;
+	case LFLOW_RESTART_XON:
+	    output_data(" RESTART-XON");
+	    break;
+	default:
+	    output_data(" %d (unknown)",
+			pointer[1]);
+	}
+	for (i = 2; i < length; i++) {
+	    output_data(" ?%d?",
+			pointer[i]);
+	}
+	break;
+
+    case TELOPT_NAWS:
+	output_data("NAWS");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	if (length == 2) {
+	    output_data(" ?%d?",
+			pointer[1]);
+	    break;
+	}
+	output_data(" %u %u(%u)",
+		    pointer[1],
+		    pointer[2],
+		    (((unsigned int)pointer[1])<<8) + pointer[2]);
+	if (length == 4) {
+	    output_data(" ?%d?",
+			pointer[3]);
+	    break;
+	}
+	output_data(" %u %u(%u)",
+		    pointer[3],
+		    pointer[4],
+		    (((unsigned int)pointer[3])<<8) + pointer[4]);
+	for (i = 5; i < length; i++) {
+	    output_data(" ?%d?",
+			pointer[i]);
+	}
+	break;
+
+    case TELOPT_LINEMODE:
+	output_data("LINEMODE ");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case WILL:
+	    output_data("WILL ");
+	    goto common;
+	case WONT:
+	    output_data("WONT ");
+	    goto common;
+	case DO:
+	    output_data("DO ");
+	    goto common;
+	case DONT:
+	    output_data("DONT ");
+	common:
+	    if (length < 3) {
+		output_data("(no option??\?)");
+		break;
+	    }
+	    switch (pointer[2]) {
+	    case LM_FORWARDMASK:
+		output_data("Forward Mask");
+		for (i = 3; i < length; i++) {
+		    output_data(" %x", pointer[i]);
+		}
+		break;
+	    default:
+		output_data("%d (unknown)",
+			    pointer[2]);
+		for (i = 3; i < length; i++) {
+		    output_data(" %d",
+				pointer[i]);
+		}
+		break;
+	    }
+	    break;
+
+	case LM_SLC:
+	    output_data("SLC");
+	    for (i = 2; i < length - 2; i += 3) {
+		if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+		    output_data(" %s",
+				SLC_NAME(pointer[i+SLC_FUNC]));
+		else
+		    output_data(" %d",
+				pointer[i+SLC_FUNC]);
+		switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+		case SLC_NOSUPPORT:
+		    output_data(" NOSUPPORT");
+		    break;
+		case SLC_CANTCHANGE:
+		    output_data(" CANTCHANGE");
+		    break;
+		case SLC_VARIABLE:
+		    output_data(" VARIABLE");
+		    break;
+		case SLC_DEFAULT:
+		    output_data(" DEFAULT");
+		    break;
+		}
+		output_data("%s%s%s",
+			    pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+			    pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+			    pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+		if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+					    SLC_FLUSHOUT| SLC_LEVELBITS)) {
+		    output_data("(0x%x)",
+				pointer[i+SLC_FLAGS]);
+		}
+		output_data(" %d;",
+			    pointer[i+SLC_VALUE]);
+		if ((pointer[i+SLC_VALUE] == IAC) &&
+		    (pointer[i+SLC_VALUE+1] == IAC))
+		    i++;
+	    }
+	    for (; i < length; i++) {
+		output_data(" ?%d?",
+			    pointer[i]);
+	    }
+	    break;
+
+	case LM_MODE:
+	    output_data("MODE ");
+	    if (length < 3) {
+		output_data("(no mode??\?)");
+		break;
+	    }
+	    {
+		char tbuf[32];
+		snprintf(tbuf,
+			 sizeof(tbuf),
+			 "%s%s%s%s%s",
+			 pointer[2]&MODE_EDIT ? "|EDIT" : "",
+			 pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+			 pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+			 pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+			 pointer[2]&MODE_ACK ? "|ACK" : "");
+		output_data("%s",
+			    tbuf[1] ? &tbuf[1] : "0");
+	    }
+	    if (pointer[2]&~(MODE_EDIT|MODE_TRAPSIG|MODE_ACK)) {
+		output_data(" (0x%x)",
+			    pointer[2]);
+	    }
+	    for (i = 3; i < length; i++) {
+		output_data(" ?0x%x?",
+			 pointer[i]);
+	    }
+	    break;
+	default:
+	    output_data("%d (unknown)",
+			pointer[1]);
+	    for (i = 2; i < length; i++) {
+		output_data(" %d", pointer[i]);
+	    }
+	}
+	break;
+
+    case TELOPT_STATUS: {
+	char *cp;
+	int j, k;
+
+	output_data("STATUS");
+
+	switch (pointer[1]) {
+	default:
+	    if (pointer[1] == TELQUAL_SEND)
+		output_data(" SEND");
+	    else
+		output_data(" %d (unknown)",
+			    pointer[1]);
+	    for (i = 2; i < length; i++) {
+		output_data(" ?%d?",
+			    pointer[i]);
+	    }
+	    break;
+	case TELQUAL_IS:
+	    output_data(" IS\r\n");
+
+	    for (i = 2; i < length; i++) {
+		switch(pointer[i]) {
+		case DO:	cp = "DO"; goto common2;
+		case DONT:	cp = "DONT"; goto common2;
+		case WILL:	cp = "WILL"; goto common2;
+		case WONT:	cp = "WONT"; goto common2;
+		common2:
+		i++;
+		if (TELOPT_OK(pointer[i]))
+		    output_data(" %s %s",
+				cp,
+				TELOPT(pointer[i]));
+		else
+		    output_data(" %s %d",
+				cp,
+				pointer[i]);
+
+		output_data("\r\n");
+		break;
+
+		case SB:
+		    output_data(" SB ");
+		    i++;
+		    j = k = i;
+		    while (j < length) {
+			if (pointer[j] == SE) {
+			    if (j+1 == length)
+				break;
+			    if (pointer[j+1] == SE)
+				j++;
+			    else
+				break;
+			}
+			pointer[k++] = pointer[j++];
+		    }
+		    printsub(0, &pointer[i], k - i);
+		    if (i < length) {
+			output_data(" SE");
+			i = j;
+		    } else
+			i = j - 1;
+
+		    output_data("\r\n");
+
+		    break;
+
+		default:
+		    output_data(" %d",
+				pointer[i]);
+		    break;
+		}
+	    }
+	    break;
+	}
+	break;
+    }
+
+    case TELOPT_XDISPLOC:
+	output_data("X-DISPLAY-LOCATION ");
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data("IS \"%.*s\"",
+			length-2,
+			(char *)pointer+2);
+	    break;
+	case TELQUAL_SEND:
+	    output_data("SEND");
+	    break;
+	default:
+	    output_data("- unknown qualifier %d (0x%x).",
+			pointer[1], pointer[1]);
+	}
+	break;
+
+    case TELOPT_NEW_ENVIRON:
+	output_data("NEW-ENVIRON ");
+	goto env_common1;
+    case TELOPT_OLD_ENVIRON:
+	output_data("OLD-ENVIRON");
+    env_common1:
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data("IS ");
+	    goto env_common;
+	case TELQUAL_SEND:
+	    output_data("SEND ");
+	    goto env_common;
+	case TELQUAL_INFO:
+	    output_data("INFO ");
+	env_common:
+	    {
+		int noquote = 2;
+		for (i = 2; i < length; i++ ) {
+		    switch (pointer[i]) {
+		    case NEW_ENV_VAR:
+			output_data("\" VAR " + noquote);
+			noquote = 2;
+			break;
+
+		    case NEW_ENV_VALUE:
+			output_data("\" VALUE " + noquote);
+			noquote = 2;
+			break;
+
+		    case ENV_ESC:
+			output_data("\" ESC " + noquote);
+			noquote = 2;
+			break;
+
+		    case ENV_USERVAR:
+			output_data("\" USERVAR " + noquote);
+			noquote = 2;
+			break;
+
+		    default:
+			if (isprint(pointer[i]) && pointer[i] != '"') {
+			    if (noquote) {
+				output_data ("\"");
+				noquote = 0;
+			    }
+			    output_data ("%c", pointer[i]);
+			} else {
+			    output_data("\" %03o " + noquote,
+					pointer[i]);
+			    noquote = 2;
+			}
+			break;
+		    }
+		}
+		if (!noquote)
+		    output_data ("\"");
+		break;
+	    }
+	}
+	break;
+
+#ifdef AUTHENTICATION
+    case TELOPT_AUTHENTICATION:
+	output_data("AUTHENTICATION");
+
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case TELQUAL_REPLY:
+	case TELQUAL_IS:
+	    output_data(" %s ",
+			(pointer[1] == TELQUAL_IS) ?
+			"IS" : "REPLY");
+	    if (AUTHTYPE_NAME_OK(pointer[2]))
+		output_data("%s ",
+			    AUTHTYPE_NAME(pointer[2]));
+	    else
+		output_data("%d ",
+			    pointer[2]);
+	    if (length < 3) {
+		output_data("(partial suboption??\?)");
+		break;
+	    }
+	    output_data("%s|%s",
+			((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			"CLIENT" : "SERVER",
+			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			"MUTUAL" : "ONE-WAY");
+
+	    auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+	    output_data("%s",
+			buf);
+	    break;
+
+	case TELQUAL_SEND:
+	    i = 2;
+	    output_data(" SEND ");
+	    while (i < length) {
+		if (AUTHTYPE_NAME_OK(pointer[i]))
+		    output_data("%s ",
+				AUTHTYPE_NAME(pointer[i]));
+		else
+		    output_data("%d ",
+				pointer[i]);
+		if (++i >= length) {
+		    output_data("(partial suboption??\?)");
+		    break;
+		}
+		output_data("%s|%s ",
+			    ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			    "CLIENT" : "SERVER",
+			    ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			    "MUTUAL" : "ONE-WAY");
+		++i;
+	    }
+	    break;
+
+	case TELQUAL_NAME:
+	    i = 2;
+	    output_data(" NAME \"%.*s\"",
+			length - 2,
+			pointer);
+	    break;
+
+	default:
+	    for (i = 2; i < length; i++) {
+		output_data(" ?%d?",
+			    pointer[i]);
+	    }
+	    break;
+	}
+	break;
+#endif
+
+#ifdef ENCRYPTION
+    case TELOPT_ENCRYPT:
+	output_data("ENCRYPT");
+	if (length < 2) {
+	    output_data(" (empty suboption?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case ENCRYPT_START:
+	    output_data(" START");
+	    break;
+
+	case ENCRYPT_END:
+	    output_data(" END");
+	    break;
+
+	case ENCRYPT_REQSTART:
+	    output_data(" REQUEST-START");
+	    break;
+
+	case ENCRYPT_REQEND:
+	    output_data(" REQUEST-END");
+	    break;
+
+	case ENCRYPT_IS:
+	case ENCRYPT_REPLY:
+	    output_data(" %s ",
+			(pointer[1] == ENCRYPT_IS) ?
+			"IS" : "REPLY");
+	    if (length < 3) {
+		output_data(" (partial suboption?)");
+		break;
+	    }
+	    if (ENCTYPE_NAME_OK(pointer[2]))
+		output_data("%s ",
+			    ENCTYPE_NAME(pointer[2]));
+	    else
+		output_data(" %d (unknown)",
+			    pointer[2]);
+
+	    encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+	    output_data("%s",
+			buf);
+	    break;
+
+	case ENCRYPT_SUPPORT:
+	    i = 2;
+	    output_data(" SUPPORT ");
+	    while (i < length) {
+		if (ENCTYPE_NAME_OK(pointer[i]))
+		    output_data("%s ",
+				ENCTYPE_NAME(pointer[i]));
+		else
+		    output_data("%d ",
+				pointer[i]);
+		i++;
+	    }
+	    break;
+
+	case ENCRYPT_ENC_KEYID:
+	    output_data(" ENC_KEYID %d", pointer[1]);
+	    goto encommon;
+
+	case ENCRYPT_DEC_KEYID:
+	    output_data(" DEC_KEYID %d", pointer[1]);
+	    goto encommon;
+
+	default:
+	    output_data(" %d (unknown)", pointer[1]);
+	encommon:
+	    for (i = 2; i < length; i++) {
+		output_data(" %d", pointer[i]);
+	    }
+	    break;
+	}
+	break;
+#endif
+
+    default:
+	if (TELOPT_OK(pointer[0]))
+	    output_data("%s (unknown)",
+			TELOPT(pointer[0]));
+	else
+	    output_data("%d (unknown)",
+			pointer[i]);
+	for (i = 1; i < length; i++) {
+	    output_data(" %d", pointer[i]);
+	}
+	break;
+    }
+    output_data("\r\n");
+}
+
+/*
+ * Dump a data buffer in hex and ascii to the output data stream.
+ */
+void
+printdata(char *tag, char *ptr, int cnt)
+{
+    int i;
+    char xbuf[30];
+
+    while (cnt) {
+	/* flush net output buffer if no room for new data) */
+	if ((&netobuf[BUFSIZ] - nfrontp) < 80) {
+	    netflush();
+	}
+
+	/* add a line of output */
+	output_data("%s: ", tag);
+	for (i = 0; i < 20 && cnt; i++) {
+	    output_data("%02x", *ptr);
+	    if (isprint(*ptr)) {
+		xbuf[i] = *ptr;
+	    } else {
+		xbuf[i] = '.';
+	    }
+	    if (i % 2) {
+		output_data(" ");
+	    }
+	    cnt--;
+	    ptr++;
+	}
+	xbuf[i] = '\0';
+	output_data(" %s\r\n", xbuf);
+    }
+}
+#endif /* DIAGNOSTICS */
diff --git a/crypto/heimdal/appl/test/Makefile.am b/crypto/heimdal/appl/test/Makefile.am
new file mode 100644
index 0000000..154b407
--- /dev/null
+++ b/crypto/heimdal/appl/test/Makefile.am
@@ -0,0 +1,37 @@
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
+	uu_server uu_client nt_gss_server nt_gss_client
+
+tcp_client_SOURCES = tcp_client.c common.c test_locl.h
+
+tcp_server_SOURCES = tcp_server.c common.c test_locl.h
+
+gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \
+	gss_common.h test_locl.h
+
+gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \
+	gss_common.h test_locl.h
+
+uu_server_SOURCES = uu_server.c common.c test_locl.h
+
+uu_client_SOURCES = uu_client.c common.c test_locl.h
+
+gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD)
+
+gssapi_client_LDADD = $(gssapi_server_LDADD)
+
+nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c common.c
+
+nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c
+
+nt_gss_client_LDADD = $(gssapi_server_LDADD)
+
+nt_gss_server_LDADD = $(nt_gss_client_LDADD)
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/appl/test/Makefile.in b/crypto/heimdal/appl/test/Makefile.in
new file mode 100644
index 0000000..ff1332d
--- /dev/null
+++ b/crypto/heimdal/appl/test/Makefile.in
@@ -0,0 +1,655 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
+	uu_server uu_client nt_gss_server nt_gss_client
+
+
+tcp_client_SOURCES = tcp_client.c common.c test_locl.h
+
+tcp_server_SOURCES = tcp_server.c common.c test_locl.h
+
+gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \
+	gss_common.h test_locl.h
+
+
+gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \
+	gss_common.h test_locl.h
+
+
+uu_server_SOURCES = uu_server.c common.c test_locl.h
+
+uu_client_SOURCES = uu_client.c common.c test_locl.h
+
+gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD)
+
+gssapi_client_LDADD = $(gssapi_server_LDADD)
+
+nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c common.c
+
+nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c
+
+nt_gss_client_LDADD = $(gssapi_server_LDADD)
+
+nt_gss_server_LDADD = $(nt_gss_client_LDADD)
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+subdir = appl/test
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+noinst_PROGRAMS =  tcp_client$(EXEEXT) tcp_server$(EXEEXT) \
+gssapi_server$(EXEEXT) gssapi_client$(EXEEXT) uu_server$(EXEEXT) \
+uu_client$(EXEEXT) nt_gss_server$(EXEEXT) nt_gss_client$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_gssapi_client_OBJECTS =  gssapi_client.$(OBJEXT) gss_common.$(OBJEXT) \
+common.$(OBJEXT)
+gssapi_client_OBJECTS =  $(am_gssapi_client_OBJECTS)
+gssapi_client_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+gssapi_client_LDFLAGS = 
+am_gssapi_server_OBJECTS =  gssapi_server.$(OBJEXT) gss_common.$(OBJEXT) \
+common.$(OBJEXT)
+gssapi_server_OBJECTS =  $(am_gssapi_server_OBJECTS)
+gssapi_server_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+gssapi_server_LDFLAGS = 
+am_nt_gss_client_OBJECTS =  nt_gss_client.$(OBJEXT) \
+nt_gss_common.$(OBJEXT) common.$(OBJEXT)
+nt_gss_client_OBJECTS =  $(am_nt_gss_client_OBJECTS)
+nt_gss_client_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+nt_gss_client_LDFLAGS = 
+am_nt_gss_server_OBJECTS =  nt_gss_server.$(OBJEXT) \
+nt_gss_common.$(OBJEXT)
+nt_gss_server_OBJECTS =  $(am_nt_gss_server_OBJECTS)
+nt_gss_server_DEPENDENCIES =  $(top_builddir)/lib/gssapi/libgssapi.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+nt_gss_server_LDFLAGS = 
+am_tcp_client_OBJECTS =  tcp_client.$(OBJEXT) common.$(OBJEXT)
+tcp_client_OBJECTS =  $(am_tcp_client_OBJECTS)
+tcp_client_LDADD = $(LDADD)
+tcp_client_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+tcp_client_LDFLAGS = 
+am_tcp_server_OBJECTS =  tcp_server.$(OBJEXT) common.$(OBJEXT)
+tcp_server_OBJECTS =  $(am_tcp_server_OBJECTS)
+tcp_server_LDADD = $(LDADD)
+tcp_server_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+tcp_server_LDFLAGS = 
+am_uu_client_OBJECTS =  uu_client.$(OBJEXT) common.$(OBJEXT)
+uu_client_OBJECTS =  $(am_uu_client_OBJECTS)
+uu_client_LDADD = $(LDADD)
+uu_client_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+uu_client_LDFLAGS = 
+am_uu_server_OBJECTS =  uu_server.$(OBJEXT) common.$(OBJEXT)
+uu_server_OBJECTS =  $(am_uu_server_OBJECTS)
+uu_server_LDADD = $(LDADD)
+uu_server_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+uu_server_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) \
+$(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) $(tcp_client_SOURCES) \
+$(tcp_server_SOURCES) $(uu_client_SOURCES) $(uu_server_SOURCES)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(gssapi_client_SOURCES) $(gssapi_server_SOURCES) $(nt_gss_client_SOURCES) $(nt_gss_server_SOURCES) $(tcp_client_SOURCES) $(tcp_server_SOURCES) $(uu_client_SOURCES) $(uu_server_SOURCES)
+OBJECTS = $(am_gssapi_client_OBJECTS) $(am_gssapi_server_OBJECTS) $(am_nt_gss_client_OBJECTS) $(am_nt_gss_server_OBJECTS) $(am_tcp_client_OBJECTS) $(am_tcp_server_OBJECTS) $(am_uu_client_OBJECTS) $(am_uu_server_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/test/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+gssapi_client$(EXEEXT): $(gssapi_client_OBJECTS) $(gssapi_client_DEPENDENCIES)
+	@rm -f gssapi_client$(EXEEXT)
+	$(LINK) $(gssapi_client_LDFLAGS) $(gssapi_client_OBJECTS) $(gssapi_client_LDADD) $(LIBS)
+
+gssapi_server$(EXEEXT): $(gssapi_server_OBJECTS) $(gssapi_server_DEPENDENCIES)
+	@rm -f gssapi_server$(EXEEXT)
+	$(LINK) $(gssapi_server_LDFLAGS) $(gssapi_server_OBJECTS) $(gssapi_server_LDADD) $(LIBS)
+
+nt_gss_client$(EXEEXT): $(nt_gss_client_OBJECTS) $(nt_gss_client_DEPENDENCIES)
+	@rm -f nt_gss_client$(EXEEXT)
+	$(LINK) $(nt_gss_client_LDFLAGS) $(nt_gss_client_OBJECTS) $(nt_gss_client_LDADD) $(LIBS)
+
+nt_gss_server$(EXEEXT): $(nt_gss_server_OBJECTS) $(nt_gss_server_DEPENDENCIES)
+	@rm -f nt_gss_server$(EXEEXT)
+	$(LINK) $(nt_gss_server_LDFLAGS) $(nt_gss_server_OBJECTS) $(nt_gss_server_LDADD) $(LIBS)
+
+tcp_client$(EXEEXT): $(tcp_client_OBJECTS) $(tcp_client_DEPENDENCIES)
+	@rm -f tcp_client$(EXEEXT)
+	$(LINK) $(tcp_client_LDFLAGS) $(tcp_client_OBJECTS) $(tcp_client_LDADD) $(LIBS)
+
+tcp_server$(EXEEXT): $(tcp_server_OBJECTS) $(tcp_server_DEPENDENCIES)
+	@rm -f tcp_server$(EXEEXT)
+	$(LINK) $(tcp_server_LDFLAGS) $(tcp_server_OBJECTS) $(tcp_server_LDADD) $(LIBS)
+
+uu_client$(EXEEXT): $(uu_client_OBJECTS) $(uu_client_DEPENDENCIES)
+	@rm -f uu_client$(EXEEXT)
+	$(LINK) $(uu_client_LDFLAGS) $(uu_client_OBJECTS) $(uu_client_LDADD) $(LIBS)
+
+uu_server$(EXEEXT): $(uu_server_OBJECTS) $(uu_server_DEPENDENCIES)
+	@rm -f uu_server$(EXEEXT)
+	$(LINK) $(uu_server_LDFLAGS) $(uu_server_OBJECTS) $(uu_server_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-noinstPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-noinstPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-noinstPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/test/common.c b/crypto/heimdal/appl/test/common.c
new file mode 100644
index 0000000..58b9fdf
--- /dev/null
+++ b/crypto/heimdal/appl/test/common.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+
+RCSID("$Id: common.c,v 1.11 2000/08/27 04:29:34 assar Exp $");
+
+static int help_flag;
+static int version_flag;
+static char *port_str;
+static char *keytab_str;
+krb5_keytab keytab;
+char *service = SERVICE;
+int fork_flag;
+
+static struct getargs args[] = {
+    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
+    { "service", 's', arg_string, &service, "service to use", "service" },
+    { "keytab", 'k', arg_string, &keytab_str, "keytab to use", "keytab" },
+    { "fork", 'f', arg_flag, &fork_flag, "do fork" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+server_usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit(code);
+}
+
+static void
+client_usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "host");
+    exit(code);
+}
+
+
+static int
+common_setup(krb5_context *context, int *argc, char **argv, 
+	     void (*usage)(int, struct getargs*, int))
+{
+    int port = 0;
+    *argc = krb5_program_setup(context, *argc, argv, args, num_args, usage);
+
+    if(help_flag)
+	(*usage)(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(port_str){
+	struct servent *s = roken_getservbyname(port_str, "tcp");
+	if(s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (port == 0)
+	port = krb5_getportbyname (*context, PORT, "tcp", 4711);
+    
+    return port;
+}
+
+int
+server_setup(krb5_context *context, int argc, char **argv)
+{
+    int port = common_setup(context, &argc, argv, server_usage);
+    krb5_error_code ret;
+
+    if(argv[argc] != NULL)
+	server_usage(1, args, num_args);
+    if (keytab_str != NULL)
+	ret = krb5_kt_resolve (*context, keytab_str, &keytab);
+    else
+	ret = krb5_kt_default (*context, &keytab);
+    if (ret)
+	krb5_err (*context, 1, ret, "krb5_kt_resolve/default");
+    return port;
+}
+
+int
+client_setup(krb5_context *context, int *argc, char **argv)
+{
+    int optind = *argc;
+    int port = common_setup(context, &optind, argv, client_usage);
+    if(*argc - optind != 1)
+	client_usage(1, args, num_args);
+    *argc = optind;
+    return port;
+}
+
+int
+client_doit (const char *hostname, int port, const char *service,
+	     int (*func)(int, const char *hostname, const char *service))
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(port));
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error) {
+	errx (1, "%s: %s", hostname, gai_strerror(error));
+	return -1;
+    }
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	int s;
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+	    close (s);
+	    continue;
+	}
+	freeaddrinfo (ai);
+	return (*func) (s, hostname, service);
+    }
+    warnx ("failed to contact %s", hostname);
+    freeaddrinfo (ai);
+    return 1;
+}
diff --git a/crypto/heimdal/appl/test/gss_common.c b/crypto/heimdal/appl/test/gss_common.c
new file mode 100644
index 0000000..4b5319a
--- /dev/null
+++ b/crypto/heimdal/appl/test/gss_common.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "gss_common.h"
+RCSID("$Id: gss_common.c,v 1.9 2000/11/15 23:05:27 assar Exp $");
+
+void
+write_token (int sock, gss_buffer_t buf)
+{
+    u_int32_t len, net_len;
+    OM_uint32 min_stat;
+
+    len = buf->length;
+
+    net_len = htonl(len);
+
+    if (net_write (sock, &net_len, 4) != 4)
+	err (1, "write");
+    if (net_write (sock, buf->value, len) != len)
+	err (1, "write");
+
+    gss_release_buffer (&min_stat, buf);
+}
+
+static void
+enet_read(int fd, void *buf, size_t len)
+{
+    ssize_t ret;
+
+    ret = net_read (fd, buf, len);
+    if (ret == 0)
+	errx (1, "EOF in read");
+    else if (ret < 0)
+	errx (1, "read");
+}
+
+void
+read_token (int sock, gss_buffer_t buf)
+{
+    u_int32_t len, net_len;
+
+    enet_read (sock, &net_len, 4);
+    len = ntohl(net_len);
+    buf->length = len;
+    buf->value  = emalloc(len);
+    enet_read (sock, buf->value, len);
+}
+
+void
+gss_print_errors (int min_stat)
+{
+    OM_uint32 new_stat;
+    OM_uint32 msg_ctx = 0;
+    gss_buffer_desc status_string;
+    OM_uint32 ret;
+
+    do {
+	ret = gss_display_status (&new_stat,
+				  min_stat,
+				  GSS_C_MECH_CODE,
+				  GSS_C_NO_OID,
+				  &msg_ctx,
+				  &status_string);
+	fprintf (stderr, "%s\n", (char *)status_string.value);
+	gss_release_buffer (&new_stat, &status_string);
+    } while (!GSS_ERROR(ret) && msg_ctx != 0);
+}
+
+void
+gss_verr(int exitval, int status, const char *fmt, va_list ap)
+{
+    vwarnx (fmt, ap);
+    gss_print_errors (status);
+    exit (exitval);
+}
+
+void
+gss_err(int exitval, int status, const char *fmt, ...)
+{
+    va_list args;
+
+    va_start(args, fmt);
+    gss_verr (exitval, status, fmt, args);
+    va_end(args);
+}
+
diff --git a/crypto/heimdal/appl/test/gss_common.h b/crypto/heimdal/appl/test/gss_common.h
new file mode 100644
index 0000000..775126b
--- /dev/null
+++ b/crypto/heimdal/appl/test/gss_common.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gss_common.h,v 1.5 1999/12/02 17:04:56 joda Exp $ */
+
+void write_token (int sock, gss_buffer_t buf);
+void read_token (int sock, gss_buffer_t buf);
+
+void gss_print_errors (int min_stat);
+
+void gss_verr(int exitval, int status, const char *fmt, va_list ap)
+    __attribute__ ((format (printf, 3, 0)));
+
+void gss_err(int exitval, int status, const char *fmt, ...)
+    __attribute__ ((format (printf, 3, 4)));
diff --git a/crypto/heimdal/appl/test/gssapi_client.c b/crypto/heimdal/appl/test/gssapi_client.c
new file mode 100644
index 0000000..126ce91
--- /dev/null
+++ b/crypto/heimdal/appl/test/gssapi_client.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "gss_common.h"
+RCSID("$Id: gssapi_client.c,v 1.16 2000/08/09 20:53:06 assar Exp $");
+
+static int
+do_trans (int sock, gss_ctx_id_t context_hdl)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc real_input_token, real_output_token;
+    gss_buffer_t input_token = &real_input_token,
+	output_token = &real_output_token;
+
+    /* get_mic */
+
+    input_token->length = 3;
+    input_token->value  = strdup("hej");
+
+    maj_stat = gss_get_mic(&min_stat,
+			   context_hdl,
+			   GSS_C_QOP_DEFAULT,
+			   input_token,
+			   output_token);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_get_mic");
+
+    write_token (sock, input_token);
+    write_token (sock, output_token);
+
+    /* wrap */
+
+    input_token->length = 7;
+    input_token->value  = "hemligt";
+
+
+    maj_stat = gss_wrap (&min_stat,
+			 context_hdl,
+			 1,
+			 GSS_C_QOP_DEFAULT,
+			 input_token,
+			 NULL,
+			 output_token);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_wrap");
+
+    write_token (sock, output_token);
+
+    return 0;
+}
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+    struct sockaddr_in remote, local;
+    socklen_t addrlen;
+
+    int context_established = 0;
+    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+    gss_buffer_desc real_input_token, real_output_token;
+    gss_buffer_t input_token = &real_input_token,
+	output_token = &real_output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t server;
+    gss_buffer_desc name_token;
+    struct gss_channel_bindings_struct input_chan_bindings;
+    u_char init_buf[4];
+    u_char acct_buf[4];
+
+    name_token.length = asprintf ((char **)&name_token.value,
+				  "%s@%s", service, hostname);
+
+    maj_stat = gss_import_name (&min_stat,
+				&name_token,
+				GSS_C_NT_HOSTBASED_SERVICE,
+				&server);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat,
+		 "Error importing name `%s@%s':\n", service, hostname);
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname(%s)", hostname);
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername(%s)", hostname);
+
+    input_token->length = 0;
+    output_token->length = 0;
+
+    input_chan_bindings.initiator_addrtype = GSS_C_AF_INET;
+    input_chan_bindings.initiator_address.length = 4;
+    init_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF;
+    init_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF;
+    init_buf[2] = (local.sin_addr.s_addr >>  8) & 0xFF;
+    init_buf[3] = (local.sin_addr.s_addr >>  0) & 0xFF;
+    input_chan_bindings.initiator_address.value = init_buf;
+
+    input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET;
+    input_chan_bindings.acceptor_address.length = 4;
+    acct_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF;
+    acct_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF;
+    acct_buf[2] = (remote.sin_addr.s_addr >>  8) & 0xFF;
+    acct_buf[3] = (remote.sin_addr.s_addr >>  0) & 0xFF;
+    input_chan_bindings.acceptor_address.value = acct_buf;
+    
+#if 0
+    input_chan_bindings.application_data.value = emalloc(4);
+    * (unsigned short*)input_chan_bindings.application_data.value = local.sin_port;
+    * ((unsigned short *)input_chan_bindings.application_data.value + 1) = remote.sin_port;
+    input_chan_bindings.application_data.length = 4;
+#else
+    input_chan_bindings.application_data.length = 0;
+    input_chan_bindings.application_data.value = NULL;
+#endif
+
+    while(!context_established) {
+	maj_stat =
+	    gss_init_sec_context(&min_stat,
+				 GSS_C_NO_CREDENTIAL,
+				 &context_hdl,
+				 server,
+				 GSS_C_NO_OID,
+				 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG
+				 | GSS_C_DELEG_FLAG,
+				 0,
+				 &input_chan_bindings,
+				 input_token,
+				 NULL,
+				 output_token,
+				 NULL,
+				 NULL);
+	if (GSS_ERROR(maj_stat))
+	    gss_err (1, min_stat, "gss_init_sec_context");
+	if (output_token->length != 0)
+	    write_token (sock, output_token);
+	if (GSS_ERROR(maj_stat)) {
+	    if (context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+	    read_token (sock, input_token);
+	} else {
+	    context_established = 1;
+	}
+
+    }
+    if (fork_flag) {
+	pid_t pid;
+	int pipefd[2];
+
+	if (pipe (pipefd) < 0)
+	    err (1, "pipe");
+
+	pid = fork ();
+	if (pid < 0)
+	    err (1, "fork");
+	if (pid != 0) {
+	    gss_buffer_desc buf;
+
+	    maj_stat = gss_export_sec_context (&min_stat,
+					       &context_hdl,
+					       &buf);
+	    if (GSS_ERROR(maj_stat))
+		gss_err (1, min_stat, "gss_export_sec_context");
+	    write_token (pipefd[1], &buf);
+	    exit (0);
+	} else {
+	    gss_ctx_id_t context_hdl;
+	    gss_buffer_desc buf;
+
+	    close (pipefd[1]);
+	    read_token (pipefd[0], &buf);
+	    close (pipefd[0]);
+	    maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl);
+	    if (GSS_ERROR(maj_stat))
+		gss_err (1, min_stat, "gss_import_sec_context");
+	    gss_release_buffer (&min_stat, &buf);
+	    return do_trans (sock, context_hdl);
+	}
+    } else {
+	return do_trans (sock, context_hdl);
+    }
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context; /* XXX */
+    int port = client_setup(&context, &argc, argv);
+    return client_doit (argv[argc], port, service, proto);
+}
diff --git a/crypto/heimdal/appl/test/gssapi_server.c b/crypto/heimdal/appl/test/gssapi_server.c
new file mode 100644
index 0000000..3d4affd
--- /dev/null
+++ b/crypto/heimdal/appl/test/gssapi_server.c
@@ -0,0 +1,277 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "gss_common.h"
+RCSID("$Id: gssapi_server.c,v 1.15 2000/08/09 20:53:07 assar Exp $");
+
+static int
+process_it(int sock,
+	   gss_ctx_id_t context_hdl,
+	   gss_name_t client_name
+	   )
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc name_token;
+    gss_buffer_desc real_input_token, real_output_token;
+    gss_buffer_t input_token = &real_input_token,
+	output_token = &real_output_token;
+
+    maj_stat = gss_display_name (&min_stat,
+				 client_name,
+				 &name_token,
+				 NULL);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_display_name");
+
+    fprintf (stderr, "User is `%.*s'\n", (int)name_token.length,
+	    (char *)name_token.value);
+
+    gss_release_buffer (&min_stat, &name_token);
+
+    /* gss_verify_mic */
+
+    read_token (sock, input_token);
+    read_token (sock, output_token);
+
+    maj_stat = gss_verify_mic (&min_stat,
+			       context_hdl,
+			       input_token,
+			       output_token,
+			       NULL);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_verify_mic");
+
+    fprintf (stderr, "gss_verify_mic: %.*s\n", (int)input_token->length,
+	    (char *)input_token->value);
+
+    gss_release_buffer (&min_stat, input_token);
+    gss_release_buffer (&min_stat, output_token);
+
+    /* gss_unwrap */
+
+    read_token (sock, input_token);
+
+    maj_stat = gss_unwrap (&min_stat,
+			   context_hdl,
+			   input_token,
+			   output_token,
+			   NULL,
+			   NULL);
+    if(GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_unwrap");
+
+    fprintf (stderr, "gss_unwrap: %.*s\n", (int)output_token->length,
+	    (char *)output_token->value);
+
+    gss_release_buffer (&min_stat, input_token);
+    gss_release_buffer (&min_stat, output_token);
+
+    return 0;
+}
+
+static int
+proto (int sock, const char *service)
+{
+    struct sockaddr_in remote, local;
+    socklen_t addrlen;
+    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+    gss_buffer_desc real_input_token, real_output_token;
+    gss_buffer_t input_token = &real_input_token,
+	output_token = &real_output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t client_name;
+    struct gss_channel_bindings_struct input_chan_bindings;
+    gss_cred_id_t delegated_cred_handle = NULL;
+    krb5_ccache ccache;
+    u_char init_buf[4];
+    u_char acct_buf[4];
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname)");
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername");
+
+    input_chan_bindings.initiator_addrtype = GSS_C_AF_INET;
+    input_chan_bindings.initiator_address.length = 4;
+    init_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF;
+    init_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF;
+    init_buf[2] = (remote.sin_addr.s_addr >>  8) & 0xFF;
+    init_buf[3] = (remote.sin_addr.s_addr >>  0) & 0xFF;
+
+    input_chan_bindings.initiator_address.value = init_buf;
+    input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET;
+
+    input_chan_bindings.acceptor_address.length = 4;
+    acct_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF;
+    acct_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF;
+    acct_buf[2] = (local.sin_addr.s_addr >>  8) & 0xFF;
+    acct_buf[3] = (local.sin_addr.s_addr >>  0) & 0xFF;
+    input_chan_bindings.acceptor_address.value = acct_buf;
+    input_chan_bindings.application_data.value = emalloc(4);
+#if 0
+    * (unsigned short *)input_chan_bindings.application_data.value =
+                          remote.sin_port;
+    * ((unsigned short *)input_chan_bindings.application_data.value + 1) =
+                          local.sin_port;
+    input_chan_bindings.application_data.length = 4;
+#else
+    input_chan_bindings.application_data.length = 0;
+    input_chan_bindings.application_data.value = NULL;
+#endif
+    
+    delegated_cred_handle = emalloc(sizeof(*delegated_cred_handle));
+    memset((char*)delegated_cred_handle, 0, sizeof(*delegated_cred_handle));
+    
+    do {
+	read_token (sock, input_token);
+	maj_stat =
+	    gss_accept_sec_context (&min_stat,
+				    &context_hdl,
+				    GSS_C_NO_CREDENTIAL,
+				    input_token,
+				    &input_chan_bindings,
+				    &client_name,
+				    NULL,
+				    output_token,
+				    NULL,
+				    NULL,
+				    /*&delegated_cred_handle*/ NULL);
+	if(GSS_ERROR(maj_stat))
+	    gss_err (1, min_stat, "gss_accept_sec_context");
+	if (output_token->length != 0)
+	    write_token (sock, output_token);
+	if (GSS_ERROR(maj_stat)) {
+	    if (context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+    } while(maj_stat & GSS_S_CONTINUE_NEEDED);
+    
+    if (delegated_cred_handle->ccache) {
+       krb5_context context;
+
+       maj_stat = krb5_init_context(&context);
+       maj_stat = krb5_cc_resolve(context, "FILE:/tmp/krb5cc_test", &ccache);
+       maj_stat = krb5_cc_copy_cache(context,
+                                      delegated_cred_handle->ccache, ccache);
+       krb5_cc_close(context, ccache);
+       krb5_cc_destroy(context, delegated_cred_handle->ccache);
+    }
+
+    if (fork_flag) {
+	pid_t pid;
+	int pipefd[2];
+
+	if (pipe (pipefd) < 0)
+	    err (1, "pipe");
+
+	pid = fork ();
+	if (pid < 0)
+	    err (1, "fork");
+	if (pid != 0) {
+	    gss_buffer_desc buf;
+
+	    maj_stat = gss_export_sec_context (&min_stat,
+					       &context_hdl,
+					       &buf);
+	    if (GSS_ERROR(maj_stat))
+		gss_err (1, min_stat, "gss_export_sec_context");
+	    write_token (pipefd[1], &buf);
+	    exit (0);
+	} else {
+	    gss_ctx_id_t context_hdl;
+	    gss_buffer_desc buf;
+
+	    close (pipefd[1]);
+	    read_token (pipefd[0], &buf);
+	    close (pipefd[0]);
+	    maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl);
+	    if (GSS_ERROR(maj_stat))
+		gss_err (1, min_stat, "gss_import_sec_context");
+	    gss_release_buffer (&min_stat, &buf);
+	    return process_it (sock, context_hdl, client_name);
+	}
+    } else {
+	return process_it (sock, context_hdl, client_name);
+    }
+}
+
+static int
+doit (int port, const char *service)
+{
+    int sock, sock2;
+    struct sockaddr_in my_addr;
+    int one = 1;
+
+    sock = socket (AF_INET, SOCK_STREAM, 0);
+    if (sock < 0)
+	err (1, "socket");
+
+    memset (&my_addr, 0, sizeof(my_addr));
+    my_addr.sin_family      = AF_INET;
+    my_addr.sin_port        = port;
+    my_addr.sin_addr.s_addr = INADDR_ANY;
+
+    if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
+		    (void *)&one, sizeof(one)) < 0)
+	warn ("setsockopt SO_REUSEADDR");
+
+    if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
+	err (1, "bind");
+
+    if (listen (sock, 1) < 0)
+	err (1, "listen");
+
+    sock2 = accept (sock, NULL, NULL);
+    if (sock2 < 0)
+	err (1, "accept");
+
+    return proto (sock2, service);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context = NULL; /* XXX */
+    int port = server_setup(&context, argc, argv);
+    return doit (port, service);
+}
diff --git a/crypto/heimdal/appl/test/nt_gss_client.c b/crypto/heimdal/appl/test/nt_gss_client.c
new file mode 100644
index 0000000..4fabd66
--- /dev/null
+++ b/crypto/heimdal/appl/test/nt_gss_client.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "nt_gss_common.h"
+
+RCSID("$Id: nt_gss_client.c,v 1.4 2000/08/09 20:53:07 assar Exp $");
+
+/*
+ * This program tries to act as a client for the sample in `Sample
+ * SSPI Code' in Windows 2000 RC1 SDK.
+ */
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+    struct sockaddr_in remote, local;
+    socklen_t addrlen;
+
+    int context_established = 0;
+    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+    gss_buffer_t input_token, output_token;
+    gss_buffer_desc real_input_token, real_output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t server;
+    gss_buffer_desc name_token;
+
+    name_token.length = asprintf ((char **)&name_token.value,
+				  "%s@%s", service, hostname);
+
+    maj_stat = gss_import_name (&min_stat,
+				&name_token,
+				GSS_C_NT_HOSTBASED_SERVICE,
+				&server);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat,
+		 "Error importing name `%s@%s':\n", service, hostname);
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname(%s)", hostname);
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername(%s)", hostname);
+
+    input_token = &real_input_token;
+    output_token = &real_output_token;
+
+    input_token->length = 0;
+    output_token->length = 0;
+
+    while(!context_established) {
+	maj_stat =
+	    gss_init_sec_context(&min_stat,
+				 GSS_C_NO_CREDENTIAL,
+				 &context_hdl,
+				 server,
+				 GSS_C_NO_OID,
+				 GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
+				 0,
+				 GSS_C_NO_CHANNEL_BINDINGS,
+				 input_token,
+				 NULL,
+				 output_token,
+				 NULL,
+				 NULL);
+	if (GSS_ERROR(maj_stat))
+	    gss_err (1, min_stat, "gss_init_sec_context");
+	if (output_token->length != 0)
+	    nt_write_token (sock, output_token);
+	if (GSS_ERROR(maj_stat)) {
+	    if (context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+	    nt_read_token (sock, input_token);
+	} else {
+	    context_established = 1;
+	}
+
+    }
+
+    /* get_mic */
+
+    input_token->length = 3;
+    input_token->value  = strdup("hej");
+
+    maj_stat = gss_get_mic(&min_stat,
+			   context_hdl,
+			   GSS_C_QOP_DEFAULT,
+			   input_token,
+			   output_token);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_get_mic");
+
+    nt_write_token (sock, input_token);
+    nt_write_token (sock, output_token);
+
+    /* wrap */
+
+    input_token->length = 7;
+    input_token->value  = "hemligt";
+
+
+    maj_stat = gss_wrap (&min_stat,
+			 context_hdl,
+			 1,
+			 GSS_C_QOP_DEFAULT,
+			 input_token,
+			 NULL,
+			 output_token);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_wrap");
+
+    nt_write_token (sock, output_token);
+
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context; /* XXX */
+    int port = client_setup(&context, &argc, argv);
+    return client_doit (argv[argc], port, service, proto);
+}
diff --git a/crypto/heimdal/appl/test/nt_gss_common.c b/crypto/heimdal/appl/test/nt_gss_common.c
new file mode 100644
index 0000000..ab10355
--- /dev/null
+++ b/crypto/heimdal/appl/test/nt_gss_common.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include "nt_gss_common.h"
+
+RCSID("$Id: nt_gss_common.c,v 1.3 1999/12/02 17:04:57 joda Exp $");
+
+/*
+ * These are functions that are needed to interoperate with the
+ * `Sample SSPI Code' in Windows 2000 RC1 SDK.
+ */
+
+/*
+ * Write the `gss_buffer_t' in `buf' onto the fd `sock', but remember that 
+ * the length is written in little-endian-order.
+ */
+
+void
+nt_write_token (int sock, gss_buffer_t buf)
+{
+    unsigned char net_len[4];
+    u_int32_t len;
+    OM_uint32 min_stat;
+
+    len = buf->length;
+
+    net_len[0] = (len >>  0) & 0xFF;
+    net_len[1] = (len >>  8) & 0xFF;
+    net_len[2] = (len >> 16) & 0xFF;
+    net_len[3] = (len >> 24) & 0xFF;
+
+    if (write (sock, net_len, 4) != 4)
+	err (1, "write");
+    if (write (sock, buf->value, len) != len)
+	err (1, "write");
+
+    gss_release_buffer (&min_stat, buf);
+}
+
+/*
+ *
+ */
+
+void
+nt_read_token (int sock, gss_buffer_t buf)
+{
+    unsigned char net_len[4];
+    u_int32_t len;
+
+    if (read(sock, net_len, 4) != 4)
+	err (1, "read");
+    len = (net_len[0] <<  0)
+	| (net_len[1] <<  8)
+	| (net_len[2] << 16)
+	| (net_len[3] << 24);
+
+    buf->length = len;
+    buf->value  = malloc(len);
+    if (read (sock, buf->value, len) != len)
+	err (1, "read");
+}
+
+void
+gss_print_errors (int min_stat)
+{
+    OM_uint32 new_stat;
+    OM_uint32 msg_ctx = 0;
+    gss_buffer_desc status_string;
+    OM_uint32 ret;
+
+    do {
+	ret = gss_display_status (&new_stat,
+				  min_stat,
+				  GSS_C_MECH_CODE,
+				  GSS_C_NO_OID,
+				  &msg_ctx,
+				  &status_string);
+	fprintf (stderr, "%s\n", (char *)status_string.value);
+	gss_release_buffer (&new_stat, &status_string);
+    } while (!GSS_ERROR(ret) && msg_ctx != 0);
+}
+
+void
+gss_verr(int exitval, int status, const char *fmt, va_list ap)
+{
+    vwarnx (fmt, ap);
+    gss_print_errors (status);
+    exit (exitval);
+}
+
+void
+gss_err(int exitval, int status, const char *fmt, ...)
+{
+    va_list args;
+
+    va_start(args, fmt);
+    gss_verr (exitval, status, fmt, args);
+    va_end(args);
+}
diff --git a/crypto/heimdal/appl/test/nt_gss_common.h b/crypto/heimdal/appl/test/nt_gss_common.h
new file mode 100644
index 0000000..07428dd
--- /dev/null
+++ b/crypto/heimdal/appl/test/nt_gss_common.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: nt_gss_common.h,v 1.2 1999/12/02 17:04:57 joda Exp $ */
+
+void nt_write_token (int sock, gss_buffer_t buf);
+void nt_read_token (int sock, gss_buffer_t buf);
+
+void gss_print_errors (int min_stat);
+
+void gss_verr(int exitval, int status, const char *fmt, va_list ap)
+    __attribute__ ((format (printf, 3, 0)));
+
+void gss_err(int exitval, int status, const char *fmt, ...)
+    __attribute__ ((format (printf, 3, 4)));
diff --git a/crypto/heimdal/appl/test/nt_gss_server.c b/crypto/heimdal/appl/test/nt_gss_server.c
new file mode 100644
index 0000000..05b6bcb
--- /dev/null
+++ b/crypto/heimdal/appl/test/nt_gss_server.c
@@ -0,0 +1,242 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+#include <gssapi.h>
+#include <krb5.h>
+#include "nt_gss_common.h"
+
+RCSID("$Id: nt_gss_server.c,v 1.5 2000/08/09 20:53:07 assar Exp $");
+
+/*
+ * This program tries to act as a server for the sample in `Sample
+ * SSPI Code' in Windows 2000 RC1 SDK.
+ *
+ * use --dump-auth to get a binary dump of the authorization data in the ticket
+ */
+
+static int help_flag;
+static int version_flag;
+static char *port_str;
+char *service = SERVICE;
+static char *auth_file;
+
+static struct getargs args[] = {
+    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
+    { "service", 's', arg_string, &service, "service to use", "service" },
+    { "dump-auth", 0, arg_string, &auth_file, "dump authorization data",
+      "file" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static int
+proto (int sock, const char *service)
+{
+    struct sockaddr_in remote, local;
+    socklen_t addrlen;
+    gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+    gss_buffer_t input_token, output_token;
+    gss_buffer_desc real_input_token, real_output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t client_name;
+    gss_buffer_desc name_token;
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname)");
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername");
+
+    input_token = &real_input_token;
+    output_token = &real_output_token;
+
+    do {
+	nt_read_token (sock, input_token);
+	maj_stat =
+	    gss_accept_sec_context (&min_stat,
+				    &context_hdl,
+				    GSS_C_NO_CREDENTIAL,
+				    input_token,
+				    GSS_C_NO_CHANNEL_BINDINGS,
+				    &client_name,
+				    NULL,
+				    output_token,
+				    NULL,
+				    NULL,
+				    NULL);
+	if(GSS_ERROR(maj_stat))
+	    gss_err (1, min_stat, "gss_accept_sec_context");
+	if (output_token->length != 0)
+	    nt_write_token (sock, output_token);
+	if (GSS_ERROR(maj_stat)) {
+	    if (context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+    } while(maj_stat & GSS_S_CONTINUE_NEEDED);
+
+    if (auth_file != NULL) {
+	int fd = open (auth_file, O_WRONLY | O_CREAT, 0666);
+	krb5_ticket *ticket = context_hdl->ticket;
+	krb5_data *data = &ticket->ticket.authorization_data->val[0].ad_data;
+
+	if(fd < 0)
+	    err (1, "open %s", auth_file);
+	if (write (fd, data->data, data->length) != data->length)
+	    errx (1, "write to %s failed", auth_file);
+	if (close (fd))
+	    err (1, "close %s", auth_file);
+    }
+
+    maj_stat = gss_display_name (&min_stat,
+				 client_name,
+				 &name_token,
+				 NULL);
+    if (GSS_ERROR(maj_stat))
+	gss_err (1, min_stat, "gss_display_name");
+
+    fprintf (stderr, "User is `%.*s'\n", (int)name_token.length,
+	    (char *)name_token.value);
+
+    /* write something back */
+
+    output_token->value  = strdup ("hejsan");
+    output_token->length = strlen (output_token->value) + 1;
+    nt_write_token (sock, output_token);
+
+    output_token->value  = strdup ("hoppsan");
+    output_token->length = strlen (output_token->value) + 1;
+    nt_write_token (sock, output_token);
+
+    return 0;
+}
+
+static int
+doit (int port, const char *service)
+{
+    int sock, sock2;
+    struct sockaddr_in my_addr;
+    int one = 1;
+
+    sock = socket (AF_INET, SOCK_STREAM, 0);
+    if (sock < 0)
+	err (1, "socket");
+
+    memset (&my_addr, 0, sizeof(my_addr));
+    my_addr.sin_family      = AF_INET;
+    my_addr.sin_port        = port;
+    my_addr.sin_addr.s_addr = INADDR_ANY;
+
+    if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
+		    (void *)&one, sizeof(one)) < 0)
+	warn ("setsockopt SO_REUSEADDR");
+
+    if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
+	err (1, "bind");
+
+    if (listen (sock, 1) < 0)
+	err (1, "listen");
+
+    sock2 = accept (sock, NULL, NULL);
+    if (sock2 < 0)
+	err (1, "accept");
+
+    return proto (sock2, service);
+}
+
+static void
+usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit(code);
+}
+
+static int
+common_setup(krb5_context *context, int *argc, char **argv, 
+	     void (*usage)(int, struct getargs*, int))
+{
+    int port = 0;
+    *argc = krb5_program_setup(context, *argc, argv, args, num_args, usage);
+
+    if(help_flag)
+	(*usage)(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(port_str){
+	struct servent *s = roken_getservbyname(port_str, "tcp");
+	if(s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (port == 0)
+	port = krb5_getportbyname (*context, PORT, "tcp", 4711);
+    
+    return port;
+}
+
+static int
+setup(krb5_context *context, int argc, char **argv)
+{
+    int port = common_setup(context, &argc, argv, usage);
+    if(argv[argc] != NULL)
+	usage(1, args, num_args);
+    return port;
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context = NULL; /* XXX */
+    int port = setup(&context, argc, argv);
+    return doit (port, service);
+}
diff --git a/crypto/heimdal/appl/test/tcp_client.c b/crypto/heimdal/appl/test/tcp_client.c
new file mode 100644
index 0000000..7affc43
--- /dev/null
+++ b/crypto/heimdal/appl/test/tcp_client.c
@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+RCSID("$Id: tcp_client.c,v 1.15 1999/12/16 10:30:17 assar Exp $");
+
+krb5_context context;
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal server;
+    krb5_data data;
+    krb5_data packet;
+    u_int32_t len, net_len;
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	krb5_err (context, 1, status, "krb5_auth_con_init");
+
+    status = krb5_auth_con_setaddrs_from_fd (context,
+					     auth_context,
+					     &sock);
+    if (status)
+	krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");
+
+    status = krb5_sname_to_principal (context,
+				      hostname,
+				      service,
+				      KRB5_NT_SRV_HST,
+				      &server);
+    if (status)
+	krb5_err (context, 1, status, "krb5_sname_to_principal");
+
+    status = krb5_sendauth (context,
+			    &auth_context,
+			    &sock,
+			    VERSION,
+			    NULL,
+			    server,
+			    AP_OPTS_MUTUAL_REQUIRED,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL,
+			    NULL);
+    if (status)
+	krb5_err (context, 1, status, "krb5_sendauth");
+
+    data.data   = "hej";
+    data.length = 3;
+
+    krb5_data_zero (&packet);
+
+    status = krb5_mk_safe (context,
+			   auth_context,
+			   &data,
+			   &packet,
+			   NULL);
+    if (status)
+	krb5_err (context, 1, status, "krb5_mk_safe");
+
+    len = packet.length;
+    net_len = htonl(len);
+
+    if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+	err (1, "krb5_net_write");
+    if (krb5_net_write (context, &sock, packet.data, len) != len)
+	err (1, "krb5_net_write");
+
+    data.data   = "hemligt";
+    data.length = 7;
+
+    krb5_data_free (&packet);
+
+    status = krb5_mk_priv (context,
+			   auth_context,
+			   &data,
+			   &packet,
+			   NULL);
+    if (status)
+	krb5_err (context, 1, status, "krb5_mk_priv");
+
+    len = packet.length;
+    net_len = htonl(len);
+
+    if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+	err (1, "krb5_net_write");
+    if (krb5_net_write (context, &sock, packet.data, len) != len)
+	err (1, "krb5_net_write");
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = client_setup(&context, &argc, argv);
+    return client_doit (argv[argc], port, service, proto);
+}
diff --git a/crypto/heimdal/appl/test/tcp_server.c b/crypto/heimdal/appl/test/tcp_server.c
new file mode 100644
index 0000000..4469c58
--- /dev/null
+++ b/crypto/heimdal/appl/test/tcp_server.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+RCSID("$Id: tcp_server.c,v 1.16 1999/12/16 10:31:08 assar Exp $");
+
+krb5_context context;
+
+static int
+proto (int sock, const char *service)
+{
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal server;
+    krb5_ticket *ticket;
+    char *name;
+    char hostname[MAXHOSTNAMELEN];
+    krb5_data packet;
+    krb5_data data;
+    u_int32_t len, net_len;
+    ssize_t n;
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	krb5_err (context, 1, status, "krb5_auth_con_init");
+
+    status = krb5_auth_con_setaddrs_from_fd (context,
+					     auth_context,
+					     &sock);
+
+    if (status)
+	krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");
+
+    if(gethostname (hostname, sizeof(hostname)) < 0)
+	krb5_err (context, 1, errno, "gethostname");
+
+    status = krb5_sname_to_principal (context,
+				      hostname,
+				      service,
+				      KRB5_NT_SRV_HST,
+				      &server);
+    if (status)
+	krb5_err (context, 1, status, "krb5_sname_to_principal");
+
+    status = krb5_recvauth (context,
+			    &auth_context,
+			    &sock,
+			    VERSION,
+			    server,
+			    0,
+			    NULL,
+			    &ticket);
+    if (status)
+	krb5_err (context, 1, status, "krb5_recvauth");
+
+    status = krb5_unparse_name (context,
+				ticket->client,
+				&name);
+    if (status)
+	krb5_err (context, 1, status, "krb5_unparse_name");
+
+    fprintf (stderr, "User is `%s'\n", name);
+    free (name);
+
+    krb5_data_zero (&data);
+    krb5_data_zero (&packet);
+
+    n = krb5_net_read (context, &sock, &net_len, 4);
+    if (n == 0)
+	krb5_errx (context, 1, "EOF in krb5_net_read");
+    if (n < 0)
+	krb5_err (context, 1, errno, "krb5_net_read");
+
+    len = ntohl(net_len);
+
+    krb5_data_alloc (&packet, len);
+
+    n = krb5_net_read (context, &sock, packet.data, len);
+    if (n == 0)
+	krb5_errx (context, 1, "EOF in krb5_net_read");
+    if (n < 0)
+	krb5_err (context, 1, errno, "krb5_net_read");
+    
+    status = krb5_rd_safe (context,
+			   auth_context,
+			   &packet,
+			   &data,
+			   NULL);
+    if (status)
+	krb5_err (context, 1, status, "krb5_rd_safe");
+
+    fprintf (stderr, "safe packet: %.*s\n", (int)data.length,
+	    (char *)data.data);
+
+    n = krb5_net_read (context, &sock, &net_len, 4);
+    if (n == 0)
+	krb5_errx (context, 1, "EOF in krb5_net_read");
+    if (n < 0)
+	krb5_err (context, 1, errno, "krb5_net_read");
+
+    len = ntohl(net_len);
+
+    krb5_data_alloc (&packet, len);
+
+    n = krb5_net_read (context, &sock, packet.data, len);
+    if (n == 0)
+	krb5_errx (context, 1, "EOF in krb5_net_read");
+    if (n < 0)
+	krb5_err (context, 1, errno, "krb5_net_read");
+    
+    status = krb5_rd_priv (context,
+			   auth_context,
+			   &packet,
+			   &data,
+			   NULL);
+    if (status)
+	krb5_err (context, 1, status, "krb5_rd_priv");
+
+    fprintf (stderr, "priv packet: %.*s\n", (int)data.length,
+	    (char *)data.data);
+
+    return 0;
+}
+
+static int
+doit (int port, const char *service)
+{
+    mini_inetd (port);
+
+    return proto (STDIN_FILENO, service);
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = server_setup(&context, argc, argv);
+    return doit (port, service);
+}
diff --git a/crypto/heimdal/appl/test/test_locl.h b/crypto/heimdal/appl/test/test_locl.h
new file mode 100644
index 0000000..56f8745
--- /dev/null
+++ b/crypto/heimdal/appl/test/test_locl.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: test_locl.h,v 1.9 2000/08/27 04:29:54 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include <errno.h>
+#include <roken.h>
+#include <getarg.h>
+#include <err.h>
+#include <krb5.h>
+
+#define SERVICE "test"
+
+#define PORT "test"
+
+extern char *service;
+extern krb5_keytab keytab;
+extern int fork_flag;
+int server_setup(krb5_context*, int, char**);
+int client_setup(krb5_context*, int*, char**);
+int client_doit (const char *hostname, int port, const char *service,
+		 int (*func)(int, const char *hostname, const char *service));
diff --git a/crypto/heimdal/appl/test/uu_client.c b/crypto/heimdal/appl/test/uu_client.c
new file mode 100644
index 0000000..fae5bcb
--- /dev/null
+++ b/crypto/heimdal/appl/test/uu_client.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+RCSID("$Id: uu_client.c,v 1.7 2000/12/31 07:41:39 assar Exp $");
+
+krb5_context context;
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+    struct sockaddr_in remote, local;
+    socklen_t addrlen;
+    krb5_address remote_addr, local_addr;
+    krb5_context context;
+    krb5_ccache ccache;
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_principal client;
+    krb5_data data;
+    krb5_data packet;
+    krb5_creds mcred, cred;
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname(%s)", hostname);
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername(%s)", hostname);
+
+    status = krb5_init_context(&context);
+    if (status)
+	errx(1, "krb5_init_context failed: %d", status);
+
+    status = krb5_cc_default (context, &ccache);
+    if (status)
+	krb5_err(context, 1, status, "krb5_cc_default");
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	krb5_err(context, 1, status, "krb5_auth_con_init");
+
+    local_addr.addr_type = AF_INET;
+    local_addr.address.length = sizeof(local.sin_addr);
+    local_addr.address.data   = &local.sin_addr;
+
+    remote_addr.addr_type = AF_INET;
+    remote_addr.address.length = sizeof(remote.sin_addr);
+    remote_addr.address.data   = &remote.sin_addr;
+
+    status = krb5_auth_con_setaddrs (context,
+				     auth_context,
+				     &local_addr,
+				     &remote_addr);
+    if (status)
+	krb5_err(context, 1, status, "krb5_auth_con_setaddr");
+
+    status = krb5_cc_get_principal(context, ccache, &client);
+    if(status)
+	krb5_err(context, 1, status, "krb5_cc_get_principal");
+    status = krb5_make_principal(context, &mcred.server,
+				 *krb5_princ_realm(context, client), 
+				 "krbtgt", 
+				 *krb5_princ_realm(context, client),
+				 NULL);
+    if(status)
+	krb5_err(context, 1, status, "krb5_make_principal");
+    
+    status = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
+    if(status)
+	krb5_err(context, 1, status, "krb5_cc_retrieve_cred");
+
+    {
+	char *client_name;
+	krb5_data data;
+	status = krb5_unparse_name(context, cred.client, &client_name);
+	if(status)
+	    krb5_err(context, 1, status, "krb5_unparse_name");
+	data.data = client_name;
+	data.length = strlen(client_name) + 1;
+	status = krb5_write_message(context, &sock, &data);
+	if(status)
+	    krb5_err(context, 1, status, "krb5_write_message");
+	free(client_name);
+    }
+
+    status = krb5_write_message(context, &sock, &cred.ticket);
+    if(status)
+	krb5_err(context, 1, status, "krb5_write_message");
+
+    status = krb5_auth_con_setuserkey(context, auth_context, &cred.session);
+    if(status)
+	krb5_err(context, 1, status, "krb5_auth_con_setuserkey");
+    
+    status = krb5_recvauth(context, &auth_context, &sock, 
+			   VERSION, client, 0, NULL, NULL);
+
+    if (status)
+	krb5_err(context, 1, status, "krb5_recvauth");
+    
+    data.data   = "hej";
+    data.length = 3;
+
+    krb5_data_zero (&packet);
+
+    status = krb5_mk_safe (context,
+			   auth_context,
+			   &data,
+			   &packet,
+			   NULL);
+    if (status)
+	krb5_err(context, 1, status, "krb5_mk_safe");
+
+    status = krb5_write_message(context, &sock, &packet);
+    if(status)
+	krb5_err(context, 1, status, "krb5_write_message");
+
+    data.data   = "hemligt";
+    data.length = 7;
+
+    krb5_data_free (&packet);
+
+    status = krb5_mk_priv (context,
+			   auth_context,
+			   &data,
+			   &packet,
+			   NULL);
+    if (status)
+	krb5_err(context, 1, status, "krb5_mk_priv");
+
+    status = krb5_write_message(context, &sock, &packet);
+    if(status)
+	krb5_err(context, 1, status, "krb5_write_message");
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = client_setup(&context, &argc, argv);
+    return client_doit (argv[argc], port, service, proto);
+}
diff --git a/crypto/heimdal/appl/test/uu_server.c b/crypto/heimdal/appl/test/uu_server.c
new file mode 100644
index 0000000..34a0927
--- /dev/null
+++ b/crypto/heimdal/appl/test/uu_server.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "test_locl.h"
+RCSID("$Id: uu_server.c,v 1.7 2000/08/09 20:53:08 assar Exp $");
+
+krb5_context context;
+
+static int
+proto (int sock, const char *service)
+{
+    struct sockaddr_in remote, local;
+    socklen_t addrlen;
+    krb5_address remote_addr, local_addr;
+    krb5_ccache ccache;
+    krb5_auth_context auth_context;
+    krb5_error_code status;
+    krb5_data packet;
+    krb5_data data;
+    krb5_data client_name;
+    krb5_creds in_creds, *out_creds;
+
+    addrlen = sizeof(local);
+    if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+	|| addrlen != sizeof(local))
+	err (1, "getsockname)");
+
+    addrlen = sizeof(remote);
+    if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+	|| addrlen != sizeof(remote))
+	err (1, "getpeername");
+
+    status = krb5_auth_con_init (context, &auth_context);
+    if (status)
+	errx (1, "krb5_auth_con_init: %s",
+	      krb5_get_err_text(context, status));
+
+    local_addr.addr_type = AF_INET;
+    local_addr.address.length = sizeof(local.sin_addr);
+    local_addr.address.data   = &local.sin_addr;
+
+    remote_addr.addr_type = AF_INET;
+    remote_addr.address.length = sizeof(remote.sin_addr);
+    remote_addr.address.data   = &remote.sin_addr;
+
+    status = krb5_auth_con_setaddrs (context,
+				     auth_context,
+				     &local_addr,
+				     &remote_addr);
+    if (status)
+	errx (1, "krb5_auth_con_setaddr: %s",
+	      krb5_get_err_text(context, status));
+
+    status = krb5_read_message(context, &sock, &client_name);
+    if(status)
+	krb5_err(context, 1, status, "krb5_read_message");
+    
+    memset(&in_creds, 0, sizeof(in_creds));
+    status = krb5_cc_default(context, &ccache);
+    status = krb5_cc_get_principal(context, ccache, &in_creds.client);
+
+    status = krb5_read_message(context, &sock, &in_creds.second_ticket);
+    if(status)
+	krb5_err(context, 1, status, "krb5_read_message");
+
+    status = krb5_parse_name(context, client_name.data, &in_creds.server);
+    if(status)
+	krb5_err(context, 1, status, "krb5_parse_name");
+    
+    status = krb5_get_credentials(context, KRB5_GC_USER_USER, ccache, 
+				  &in_creds, &out_creds);
+    if(status)
+	krb5_err(context, 1, status, "krb5_get_credentials");
+
+    status = krb5_cc_default(context, &ccache);
+
+    status = krb5_sendauth(context, 
+			   &auth_context,
+			   &sock, 
+			   VERSION, 
+			   in_creds.client,
+			   in_creds.server,
+			   AP_OPTS_USE_SESSION_KEY,
+			   NULL,
+			   out_creds,
+			   ccache,
+			   NULL,
+			   NULL,
+			   NULL);
+			   
+    if (status)
+	krb5_err(context, 1, status, "krb5_sendauth");
+    
+    fprintf (stderr, "User is `%.*s'\n", (int)client_name.length,
+	    (char *)client_name.data);
+
+    krb5_data_zero (&data);
+    krb5_data_zero (&packet);
+
+    status = krb5_read_message(context, &sock, &packet);
+    if(status)
+	krb5_err(context, 1, status, "krb5_read_message");
+    
+    status = krb5_rd_safe (context,
+			   auth_context,
+			   &packet,
+			   &data,
+			   NULL);
+    if (status)
+	errx (1, "krb5_rd_safe: %s",
+	      krb5_get_err_text(context, status));
+
+    fprintf (stderr, "safe packet: %.*s\n", (int)data.length,
+	    (char *)data.data);
+
+    status = krb5_read_message(context, &sock, &packet);
+    if(status)
+	krb5_err(context, 1, status, "krb5_read_message");
+    
+    status = krb5_rd_priv (context,
+			   auth_context,
+			   &packet,
+			   &data,
+			   NULL);
+    if (status)
+	errx (1, "krb5_rd_priv: %s",
+	      krb5_get_err_text(context, status));
+
+    fprintf (stderr, "priv packet: %.*s\n", (int)data.length,
+	    (char *)data.data);
+
+    return 0;
+}
+
+static int
+doit (int port, const char *service)
+{
+    int sock, sock2;
+    struct sockaddr_in my_addr;
+    int one = 1;
+
+    sock = socket (AF_INET, SOCK_STREAM, 0);
+    if (sock < 0)
+	err (1, "socket");
+
+    memset (&my_addr, 0, sizeof(my_addr));
+    my_addr.sin_family      = AF_INET;
+    my_addr.sin_port        = port;
+    my_addr.sin_addr.s_addr = INADDR_ANY;
+
+    if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, 
+		    (void *)&one, sizeof(one)) < 0)
+	warn ("setsockopt SO_REUSEADDR");
+
+    if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
+	err (1, "bind");
+
+    if (listen (sock, 1) < 0)
+	err (1, "listen");
+
+    sock2 = accept (sock, NULL, NULL);
+    if (sock2 < 0)
+	err (1, "accept");
+
+    return proto (sock2, service);
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = server_setup(&context, argc, argv);
+    return doit (port, service);
+}
diff --git a/crypto/heimdal/appl/xnlock/ChangeLog b/crypto/heimdal/appl/xnlock/ChangeLog
new file mode 100644
index 0000000..822b4f7
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/ChangeLog
@@ -0,0 +1,64 @@
+2001-03-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* xnlock.c: don't explicitly set the krb4 ticket file
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c (main): handle krb5_init_context failure consistently
+
+2000-04-09  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c (verfiy_krb5): get the v4-realm from the v5-ticket and
+	not from the default one.
+	* xnlock.c (verify_krb5): add obtainting of v4 tickets.
+
+1999-11-17  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: only build when we have X11.  From: Simon Josefsson
+ 	<jas@pdc.kth.se>
+
+Thu Mar 18 11:21:44 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Wed Mar 17 23:35:51 1999  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c (verify): use KRB_VERIFY_SECURE instead of 1
+
+Tue Mar 16 22:29:14 1999  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c: krb_verify_user_multiple -> krb_verify_user
+
+Thu Mar 11 14:59:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* xnlock.c: add some if-braces to keep gcc happy
+
+Sun Nov 22 10:36:45 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Wed Jul  8 01:37:37 1998  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c (main): create place-holder ticket file with
+ 	open(O_EXCL | O_CREAT) instead of creat
+
+Sat Mar 28 12:53:46 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (install, uninstall): transform the man page
+
+Tue Mar 24 05:20:34 1998  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c: remove redundant preprocessor stuff
+
+Sat Mar 21 14:36:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c (init_words): recognize both `-p' and `-prog'
+
+Sat Feb  7 10:08:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c: Don't use REALM_SZ + 1, just REALM_SZ
+
+Sat Nov 29 04:58:19 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* xnlock.c: Make it build w/o krb4.
+
diff --git a/crypto/heimdal/appl/xnlock/Makefile.am b/crypto/heimdal/appl/xnlock/Makefile.am
new file mode 100644
index 0000000..a8e6440
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/Makefile.am
@@ -0,0 +1,30 @@
+# $Id: Makefile.am,v 1.15 2000/11/15 22:51:12 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) $(X_CFLAGS)
+
+WFLAGS += $(WFLAGS_NOIMPLICITINT)
+
+if HAVE_X
+
+bin_PROGRAMS = xnlock
+
+else
+
+bin_PROGRAMS =
+
+endif
+
+man_MANS = xnlock.1
+
+EXTRA_DIST = $(man_MANS) nose.0.left nose.0.right nose.1.left nose.1.right \
+	nose.down nose.front nose.left.front nose.right.front
+
+LDADD = \
+	$(LIB_kafs) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(X_LIBS) -lXt $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS)
diff --git a/crypto/heimdal/appl/xnlock/Makefile.in b/crypto/heimdal/appl/xnlock/Makefile.in
new file mode 100644
index 0000000..a023f23
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/Makefile.in
@@ -0,0 +1,633 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.15 2000/11/15 22:51:12 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(X_CFLAGS)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT)
+
+@HAVE_X_TRUE@bin_PROGRAMS = @HAVE_X_TRUE@xnlock
+@HAVE_X_FALSE@bin_PROGRAMS = 
+
+man_MANS = xnlock.1
+
+EXTRA_DIST = $(man_MANS) nose.0.left nose.0.right nose.1.left nose.1.right \
+	nose.down nose.front nose.left.front nose.right.front
+
+
+LDADD = \
+	$(LIB_kafs) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(X_LIBS) -lXt $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS)
+
+subdir = appl/xnlock
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+@HAVE_X_FALSE@bin_PROGRAMS = 
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+xnlock_SOURCES = xnlock.c
+xnlock_OBJECTS =  xnlock.$(OBJEXT)
+xnlock_LDADD = $(LDADD)
+@KRB4_FALSE@@KRB5_FALSE@xnlock_DEPENDENCIES = 
+@KRB4_FALSE@@KRB5_TRUE@xnlock_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@@KRB5_FALSE@xnlock_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@KRB4_TRUE@@KRB5_TRUE@xnlock_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+xnlock_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  xnlock.c
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  README ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = xnlock.c
+OBJECTS = xnlock.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/xnlock/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+xnlock$(EXEEXT): $(xnlock_OBJECTS) $(xnlock_DEPENDENCIES)
+	@rm -f xnlock$(EXEEXT)
+	$(LINK) $(xnlock_LDFLAGS) $(xnlock_OBJECTS) $(xnlock_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man uninstall-man tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/xnlock/README b/crypto/heimdal/appl/xnlock/README
new file mode 100644
index 0000000..5b16c52
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/README
@@ -0,0 +1,21 @@
+xnlock -- Dan Heller, 1990
+"nlock" is a "new lockscreen" type program... something that prevents
+screen burnout by making most of it "black" while providing something
+of interest to be displayed in case anyone is watching.  The program
+also provides added security.
+
+"xnlock" is the X11 version of the program.
+
+Original sunview version written by Dan Heller 1985 (not included).
+
+For a real description of how this program works, read the
+man page or just try running it.
+
+The one major outstanding bug with this program is that every
+once in a while, two horizontal lines appear below the little
+figure that runs around the screen.  If someone can find and
+fix this bug, *please* let me know -- I don't have time to
+look and if I waited till I had time, you'd never see this
+program...  It has something to do with the "looking down"
+position and then directly moving up and right or left...
+
diff --git a/crypto/heimdal/appl/xnlock/nose.0.left b/crypto/heimdal/appl/xnlock/nose.0.left
new file mode 100644
index 0000000..cb3d152
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.0.left
@@ -0,0 +1,38 @@
+#define nose_0_left_width 64
+#define nose_0_left_height 64
+static unsigned char nose_0_left_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,
+ 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
+ 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,0xf0,0x03,0x00,0x00,0x80,0x00,
+ 0x00,0x00,0x0e,0x0c,0x00,0x00,0x80,0x01,0x00,0x00,0x03,0x30,0x00,0x00,0x00,
+ 0x01,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x40,0x00,0xc0,0x00,0x00,
+ 0x00,0x02,0x00,0x20,0x00,0x80,0x00,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,
+ 0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x08,0x00,0x00,
+ 0x00,0x00,0x00,0x08,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x08,0x00,
+ 0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,
+ 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,
+ 0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x01,0x00,0x00,
+ 0x18,0x00,0x20,0x00,0x00,0x01,0x00,0x00,0x08,0x00,0x40,0x00,0x80,0x00,0x00,
+ 0x00,0x08,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x0c,0x00,0x00,0x01,0x20,0x00,
+ 0x00,0x00,0x04,0x00,0x00,0x06,0x18,0x00,0x00,0x00,0x06,0x00,0x00,0xf8,0x07,
+ 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0x01,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf8,0x0f,0x00,0x00,0x00,
+ 0x00,0xff,0x00,0x04,0x10,0x00,0x00,0x00,0xc0,0x00,0x03,0x03,0x10,0x00,0x00,
+ 0x00,0x30,0x00,0x0c,0x01,0x20,0x00,0x00,0x00,0x08,0x00,0x98,0x00,0x20,0x00,
+ 0x00,0x00,0x0c,0x03,0x60,0x00,0x20,0x00,0x00,0x00,0xc2,0x00,0xc0,0x00,0x20,
+ 0x00,0x00,0x00,0x42,0x00,0x80,0x00,0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x01,
+ 0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x01,0x20,0x00,0x00,0x00,0x21,0x00,0x00,
+ 0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x01,0x00,
+ 0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x02,
+ 0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,0x00,
+ 0x18,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x70,0x00,0x00,0x00,0x10,0x00,0x00,
+ 0x00,0xc0,0xff,0xff,0xff,0x0f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.0.right b/crypto/heimdal/appl/xnlock/nose.0.right
new file mode 100644
index 0000000..f387baa
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.0.right
@@ -0,0 +1,38 @@
+#define nose_0_right_width 64
+#define nose_0_right_height 64
+static unsigned char nose_0_right_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,
+ 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,
+ 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,
+ 0x04,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x01,0x00,0x00,0xc0,0x0f,
+ 0x00,0x00,0x80,0x01,0x00,0x00,0x30,0x70,0x00,0x00,0x80,0x00,0x00,0x00,0x0c,
+ 0xc0,0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x40,0x00,0x00,0x00,
+ 0x03,0x00,0x02,0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x20,0x00,0x00,
+ 0x00,0x00,0x00,0x08,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x10,0x00,
+ 0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,
+ 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,
+ 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,
+ 0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x18,0x00,0x00,0x80,0x00,
+ 0x00,0x08,0x00,0x10,0x00,0x00,0x80,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,
+ 0x01,0x00,0x02,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x20,0x00,0x00,
+ 0x00,0x04,0x80,0x00,0x00,0x60,0x00,0x00,0x00,0x18,0x60,0x00,0x00,0x40,0x00,
+ 0x00,0x00,0xe0,0x1f,0x00,0x00,0x80,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0,0x1f,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x08,0x20,0x00,0xff,0x00,0x00,0x00,0x00,0x08,0xc0,0xc0,0x00,0x03,0x00,
+ 0x00,0x00,0x04,0x80,0x30,0x00,0x0c,0x00,0x00,0x00,0x04,0x00,0x19,0x00,0x10,
+ 0x00,0x00,0x00,0x04,0x00,0x06,0xc0,0x30,0x00,0x00,0x00,0x04,0x00,0x03,0x00,
+ 0x43,0x00,0x00,0x00,0x04,0x00,0x01,0x00,0x42,0x00,0x00,0x00,0x04,0x80,0x00,
+ 0x00,0x84,0x00,0x00,0x00,0x04,0x80,0x00,0x00,0x84,0x00,0x00,0x00,0x04,0x00,
+ 0x00,0x00,0x84,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02,
+ 0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,
+ 0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0e,0x00,
+ 0x00,0x00,0xf0,0xff,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.1.left b/crypto/heimdal/appl/xnlock/nose.1.left
new file mode 100644
index 0000000..8a6b829
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.1.left
@@ -0,0 +1,38 @@
+#define nose_1_left_width 64
+#define nose_1_left_height 64
+static unsigned char nose_1_left_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,
+ 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
+ 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,0xf0,0x03,0x00,0x00,0x80,0x00,
+ 0x00,0x00,0x0e,0x0c,0x00,0x00,0x80,0x01,0x00,0x00,0x03,0x30,0x00,0x00,0x00,
+ 0x01,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x40,0x00,0xc0,0x00,0x00,
+ 0x00,0x02,0x00,0x20,0x00,0x80,0x00,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,
+ 0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x08,0x00,0x00,
+ 0x00,0x00,0x00,0x08,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x08,0x00,
+ 0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,
+ 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,
+ 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x01,0x00,0x00,
+ 0x18,0x00,0x10,0x00,0x00,0x01,0x00,0x00,0x08,0x00,0x20,0x00,0x80,0x00,0x00,
+ 0x00,0x08,0x00,0x40,0x00,0x40,0x00,0x00,0x00,0x0c,0x00,0x80,0x00,0x20,0x00,
+ 0x00,0x00,0xe4,0x00,0x00,0x03,0x18,0x00,0x00,0x00,0x26,0x03,0x00,0xfc,0x07,
+ 0x00,0x00,0x00,0x12,0x0c,0x00,0x00,0xf8,0xff,0xff,0xff,0x11,0x10,0x80,0x1f,
+ 0x00,0x00,0x00,0x00,0x08,0x20,0x60,0x60,0xc0,0x07,0x00,0x00,0x04,0x40,0x10,
+ 0xc0,0x20,0x08,0x00,0x1f,0x02,0x40,0x08,0x00,0x21,0x10,0xc0,0x60,0x02,0x40,
+ 0x04,0x00,0x12,0x20,0x20,0x80,0x02,0x20,0xc2,0x00,0x14,0x40,0x18,0x00,0x03,
+ 0x20,0x22,0x00,0x0c,0x80,0x04,0x03,0x02,0x10,0x12,0x00,0x08,0x80,0x86,0x00,
+ 0x04,0x10,0x12,0x00,0x10,0x80,0x42,0x00,0x18,0x08,0x12,0x00,0x10,0x40,0x42,
+ 0x00,0x00,0x04,0x02,0x00,0x20,0x40,0x42,0x00,0x00,0x04,0x02,0x00,0x00,0x20,
+ 0x42,0x00,0x00,0x02,0x04,0x00,0x00,0x20,0x02,0x00,0x00,0x01,0x04,0x00,0x00,
+ 0x20,0x02,0x00,0x00,0x01,0x08,0x00,0x00,0x20,0x04,0x00,0x80,0x00,0x10,0x00,
+ 0x00,0x20,0x0c,0x00,0x80,0x00,0x60,0x00,0x00,0x10,0x08,0x00,0x40,0x00,0x80,
+ 0xff,0xff,0x0f,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0x0f,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.1.right b/crypto/heimdal/appl/xnlock/nose.1.right
new file mode 100644
index 0000000..f7c8962
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.1.right
@@ -0,0 +1,38 @@
+#define nose_1_right_width 64
+#define nose_1_right_height 64
+static unsigned char nose_1_right_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,
+ 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,
+ 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,
+ 0x04,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x01,0x00,0x00,0xc0,0x0f,
+ 0x00,0x00,0x80,0x01,0x00,0x00,0x30,0x70,0x00,0x00,0x80,0x00,0x00,0x00,0x0c,
+ 0xc0,0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x40,0x00,0x00,0x00,
+ 0x03,0x00,0x02,0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x20,0x00,0x00,
+ 0x00,0x00,0x00,0x08,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x10,0x00,
+ 0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,
+ 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,
+ 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,
+ 0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x18,0x00,0x00,0x80,0x00,
+ 0x00,0x08,0x00,0x10,0x00,0x00,0x80,0x00,0x00,0x08,0x00,0x10,0x00,0x00,0x00,
+ 0x01,0x00,0x04,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x02,0x00,0x27,0x00,0x00,
+ 0x00,0x04,0x00,0x01,0xc0,0x64,0x00,0x00,0x00,0x18,0xc0,0x00,0x30,0x48,0x00,
+ 0x00,0x00,0xe0,0x3f,0x00,0x08,0x88,0xff,0xff,0xff,0x1f,0x00,0x00,0x04,0x10,
+ 0x00,0x00,0x00,0x00,0xf8,0x01,0x02,0x20,0x00,0x00,0xe0,0x03,0x06,0x06,0x02,
+ 0x40,0xf8,0x00,0x10,0x04,0x03,0x08,0x02,0x40,0x06,0x03,0x08,0x84,0x00,0x10,
+ 0x04,0x40,0x01,0x04,0x04,0x48,0x00,0x20,0x04,0xc0,0x00,0x18,0x02,0x28,0x00,
+ 0x43,0x08,0x40,0xc0,0x20,0x01,0x30,0x00,0x44,0x08,0x20,0x00,0x61,0x01,0x10,
+ 0x00,0x48,0x10,0x18,0x00,0x42,0x01,0x08,0x00,0x48,0x20,0x00,0x00,0x42,0x02,
+ 0x08,0x00,0x48,0x20,0x00,0x00,0x42,0x02,0x04,0x00,0x40,0x40,0x00,0x00,0x42,
+ 0x04,0x00,0x00,0x40,0x80,0x00,0x00,0x40,0x04,0x00,0x00,0x20,0x80,0x00,0x00,
+ 0x40,0x04,0x00,0x00,0x20,0x00,0x01,0x00,0x20,0x04,0x00,0x00,0x10,0x00,0x01,
+ 0x00,0x30,0x04,0x00,0x00,0x08,0x00,0x02,0x00,0x10,0x08,0x00,0x00,0x06,0x00,
+ 0x0c,0x00,0x0c,0xf0,0xff,0xff,0x01,0x00,0xf0,0xff,0x03,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.down b/crypto/heimdal/appl/xnlock/nose.down
new file mode 100644
index 0000000..e8bdba4
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.down
@@ -0,0 +1,38 @@
+#define nose_down_width 64
+#define nose_down_height 64
+static unsigned char nose_down_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0xfc,0xff,0x01,0x00,0x00,0x00,0x00,0xc0,0x03,0x00,0x1e,0x00,
+ 0x00,0x00,0x00,0x38,0x00,0x00,0xe0,0x00,0x00,0x00,0x00,0x06,0x00,0x00,0x00,
+ 0x03,0x00,0x00,0x80,0x01,0x00,0x00,0x00,0x04,0x00,0x00,0x40,0x00,0x00,0x00,
+ 0x00,0x08,0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x10,0x00,0x80,
+ 0x1f,0x00,0x40,0x00,0x00,0x08,0x00,0x60,0x60,0x00,0x80,0x00,0x00,0x08,0x00,
+ 0x10,0x80,0x00,0x80,0x00,0x00,0x04,0x00,0x08,0x00,0x01,0x00,0x01,0x00,0x04,
+ 0x00,0x08,0x00,0x01,0x00,0x01,0x00,0x02,0x00,0x18,0x80,0x01,0x00,0x02,0x00,
+ 0x02,0x00,0x68,0x60,0x01,0x00,0x02,0x00,0x02,0x00,0x88,0x1f,0x01,0x00,0x02,
+ 0x00,0x02,0x00,0x08,0x00,0x01,0x00,0x02,0x00,0x02,0x00,0x10,0x80,0x00,0x00,
+ 0x03,0x00,0x06,0x00,0x60,0x60,0x00,0x80,0x02,0x00,0x0c,0x00,0x80,0x1f,0x00,
+ 0x40,0x01,0x00,0x14,0x00,0x00,0x00,0x00,0x20,0x01,0x00,0x28,0x00,0x00,0x00,
+ 0x00,0x90,0x00,0x00,0x50,0x00,0x00,0x00,0x00,0x48,0x00,0x00,0xa0,0x01,0x00,
+ 0x00,0x00,0x26,0x00,0x00,0x40,0x1e,0x00,0x00,0xc0,0x11,0x00,0x00,0x80,0xe1,
+ 0x03,0x00,0x3c,0x0c,0x00,0x00,0x00,0x0e,0xfc,0xff,0x83,0x03,0x00,0x00,0x00,
+ 0xf0,0x01,0x00,0x78,0x00,0x00,0x00,0x00,0x00,0xfe,0xff,0x0f,0x00,0x00,0x00,
+ 0x00,0x80,0x03,0x00,0x0c,0x00,0x00,0x00,0x00,0x80,0x02,0x00,0x14,0x00,0x00,
+ 0x00,0x00,0x60,0x04,0x00,0x12,0x00,0x00,0xc0,0x7f,0x10,0x04,0x00,0x22,0xe0,
+ 0x01,0x70,0xc0,0x18,0x08,0x00,0x61,0x1c,0x06,0x10,0x00,0x0f,0x30,0xc0,0x80,
+ 0x07,0x08,0x08,0x00,0x06,0xc0,0x3f,0x80,0x01,0x08,0x08,0x00,0x18,0x00,0x02,
+ 0xc0,0x00,0x10,0x04,0x00,0x30,0x00,0x05,0x30,0x00,0x10,0x04,0x00,0x00,0x80,
+ 0x08,0x18,0x00,0x20,0x04,0x00,0x00,0x80,0x08,0x00,0x00,0x20,0x04,0x00,0x00,
+ 0x40,0x10,0x00,0x00,0x20,0x24,0x00,0x00,0x40,0x10,0x00,0x00,0x22,0x24,0x00,
+ 0x00,0x40,0x10,0x00,0x00,0x22,0x44,0x00,0x00,0x40,0x10,0x00,0x00,0x11,0x84,
+ 0x01,0x00,0xc0,0x18,0x00,0xc0,0x10,0x08,0x00,0x00,0x80,0x08,0x00,0x00,0x08,
+ 0x30,0x00,0x00,0x80,0x08,0x00,0x00,0x04,0xe0,0xff,0xff,0xff,0xf8,0xff,0xff,
+ 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.front b/crypto/heimdal/appl/xnlock/nose.front
new file mode 100644
index 0000000..64b8201
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.front
@@ -0,0 +1,38 @@
+#define nose_front_width 64
+#define nose_front_height 64
+static unsigned char nose_front_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,
+ 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
+ 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,
+ 0x08,0x00,0xc0,0x1f,0x00,0x20,0x00,0x00,0x08,0x00,0x30,0x60,0x00,0x20,0x00,
+ 0x00,0xf8,0xff,0x0f,0x80,0xff,0x3f,0x00,0x00,0x00,0x02,0x02,0x00,0x82,0x00,
+ 0x00,0x00,0x00,0x03,0x01,0x00,0x84,0x01,0x00,0x00,0x00,0x81,0x00,0x00,0x08,
+ 0x01,0x00,0x00,0x80,0x80,0x00,0x00,0x08,0x02,0x00,0x00,0x80,0x40,0x00,0x00,
+ 0x10,0x02,0x00,0x00,0x40,0x40,0x00,0x00,0x10,0x04,0x00,0x00,0x40,0x20,0x00,
+ 0x00,0x20,0x04,0x00,0x00,0x60,0x20,0x00,0x00,0x20,0x0c,0x00,0x00,0x20,0x20,
+ 0x00,0x00,0x20,0x08,0x00,0x00,0x20,0x20,0x00,0x00,0x20,0x08,0x00,0x00,0x10,
+ 0x20,0x00,0x00,0x20,0x10,0x00,0x00,0x10,0x20,0x00,0x00,0x20,0x10,0x00,0x00,
+ 0x10,0x20,0x00,0x00,0x20,0x10,0x00,0x00,0x10,0x40,0x00,0x00,0x10,0x10,0x00,
+ 0x00,0x10,0x40,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x80,0x00,0x00,0x08,0x10,
+ 0x00,0x00,0x10,0x80,0x00,0x00,0x08,0x10,0x00,0x00,0x30,0x00,0x01,0x00,0x04,
+ 0x18,0x00,0x00,0x20,0x00,0x02,0x00,0x02,0x08,0x00,0x00,0x20,0x00,0x0c,0x80,
+ 0x01,0x08,0x00,0x00,0x60,0x00,0x30,0x60,0x00,0x0c,0x00,0x00,0x40,0x00,0xc0,
+ 0x1f,0x00,0x04,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x01,
+ 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xfe,0xff,0xff,0xff,0x01,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x0f,0xc0,0x0f,0x00,0x00,0x00,
+ 0x00,0x40,0x10,0x20,0x10,0x00,0x00,0x00,0x00,0x20,0x60,0x30,0x20,0x00,0x00,
+ 0x00,0x00,0x20,0xc0,0x18,0x20,0x00,0x00,0xc0,0x7f,0x10,0x80,0x0d,0x40,0xe0,
+ 0x01,0x70,0xc0,0x18,0x00,0x05,0x40,0x1c,0x06,0x10,0x00,0x0f,0x00,0x05,0x80,
+ 0x07,0x08,0x08,0x00,0x06,0x00,0x05,0x80,0x01,0x08,0x08,0x00,0x18,0x00,0x05,
+ 0xc0,0x00,0x10,0x04,0x00,0x30,0x00,0x05,0x30,0x00,0x10,0x04,0x00,0x00,0x80,
+ 0x08,0x18,0x00,0x20,0x04,0x00,0x00,0x80,0x08,0x00,0x00,0x20,0x04,0x00,0x00,
+ 0x40,0x10,0x00,0x00,0x20,0x24,0x00,0x00,0x40,0x10,0x00,0x00,0x22,0x24,0x00,
+ 0x00,0x40,0x10,0x00,0x00,0x22,0x44,0x00,0x00,0x40,0x10,0x00,0x00,0x11,0x84,
+ 0x01,0x00,0xc0,0x18,0x00,0xc0,0x10,0x08,0x00,0x00,0x80,0x08,0x00,0x00,0x08,
+ 0x30,0x00,0x00,0x80,0x08,0x00,0x00,0x04,0xe0,0xff,0xff,0xff,0xf8,0xff,0xff,
+ 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.left.front b/crypto/heimdal/appl/xnlock/nose.left.front
new file mode 100644
index 0000000..3a871ea
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.left.front
@@ -0,0 +1,38 @@
+#define nose_left_front_width 64
+#define nose_left_front_height 64
+static unsigned char nose_left_front_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,
+ 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
+ 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,
+ 0x08,0x00,0xe0,0x0f,0x00,0x20,0x00,0x00,0x08,0x00,0x18,0x30,0x00,0x20,0x00,
+ 0x00,0xf8,0xff,0x07,0xc0,0xff,0x3f,0x00,0x00,0x00,0x02,0x01,0x00,0x81,0x00,
+ 0x00,0x00,0x00,0x83,0x00,0x00,0x82,0x01,0x00,0x00,0x00,0x41,0x00,0x00,0x04,
+ 0x01,0x00,0x00,0x80,0x40,0x00,0x00,0x04,0x02,0x00,0x00,0x80,0x20,0x00,0x00,
+ 0x08,0x02,0x00,0x00,0x40,0x20,0x00,0x00,0x08,0x04,0x00,0x00,0x40,0x10,0x00,
+ 0x00,0x10,0x04,0x00,0x00,0x60,0x10,0x00,0x00,0x10,0x0c,0x00,0x00,0x20,0x10,
+ 0x00,0x00,0x10,0x08,0x00,0x00,0x30,0x10,0x00,0x00,0x10,0x08,0x00,0x00,0x10,
+ 0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00,
+ 0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x20,0x00,0x00,0x08,0x10,0x00,
+ 0x00,0x10,0x20,0x00,0x00,0x08,0x10,0x00,0x00,0x10,0x40,0x00,0x00,0x04,0x10,
+ 0x00,0x00,0x30,0x40,0x00,0x00,0x04,0x10,0x00,0x00,0x20,0x80,0x00,0x00,0x02,
+ 0x18,0x00,0x00,0x20,0x00,0x01,0x00,0x01,0x08,0x00,0x00,0x60,0x00,0x06,0xc0,
+ 0x00,0x08,0x00,0x00,0x80,0x00,0x18,0x30,0x00,0x0c,0x00,0x00,0x80,0x00,0xe0,
+ 0x0f,0x00,0x04,0x00,0x00,0x80,0x01,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x01,
+ 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xfe,0xff,0xff,0xff,0x01,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf8,0x0f,0x00,0x00,0x00,
+ 0x00,0xff,0x00,0x04,0x10,0x00,0x00,0x00,0xe0,0x00,0x07,0x02,0x10,0x00,0x00,
+ 0x00,0x30,0x00,0x8c,0x01,0x20,0x00,0x00,0x00,0x0c,0x00,0x90,0x00,0x20,0x00,
+ 0x00,0x00,0x04,0x03,0x60,0x00,0x20,0x00,0x00,0x00,0xc2,0x00,0xc0,0x00,0x20,
+ 0x00,0x00,0x00,0x42,0x00,0x00,0x01,0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x02,
+ 0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x06,0x20,0x00,0x00,0x00,0x21,0x00,0x00,
+ 0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x03,0x00,
+ 0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x02,
+ 0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,0x00,
+ 0x18,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x70,0x00,0x00,0x00,0x10,0x00,0x00,
+ 0x00,0xc0,0xff,0xff,0xff,0x0f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.right.front b/crypto/heimdal/appl/xnlock/nose.right.front
new file mode 100644
index 0000000..f821417
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.right.front
@@ -0,0 +1,38 @@
+#define nose_right_front_width 64
+#define nose_right_front_height 64
+static unsigned char nose_right_front_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,
+ 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,
+ 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,
+ 0x04,0x00,0xf0,0x07,0x00,0x10,0x00,0x00,0x04,0x00,0x0c,0x18,0x00,0x10,0x00,
+ 0x00,0xfc,0xff,0x03,0xe0,0xff,0x1f,0x00,0x00,0x00,0x81,0x00,0x80,0x40,0x00,
+ 0x00,0x00,0x80,0x41,0x00,0x00,0xc1,0x00,0x00,0x00,0x80,0x20,0x00,0x00,0x82,
+ 0x00,0x00,0x00,0x40,0x20,0x00,0x00,0x02,0x01,0x00,0x00,0x40,0x10,0x00,0x00,
+ 0x04,0x01,0x00,0x00,0x20,0x10,0x00,0x00,0x04,0x02,0x00,0x00,0x20,0x08,0x00,
+ 0x00,0x08,0x02,0x00,0x00,0x30,0x08,0x00,0x00,0x08,0x06,0x00,0x00,0x10,0x08,
+ 0x00,0x00,0x08,0x04,0x00,0x00,0x10,0x08,0x00,0x00,0x08,0x0c,0x00,0x00,0x08,
+ 0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00,
+ 0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x10,0x00,0x00,0x04,0x08,0x00,
+ 0x00,0x08,0x10,0x00,0x00,0x04,0x08,0x00,0x00,0x08,0x20,0x00,0x00,0x02,0x08,
+ 0x00,0x00,0x08,0x20,0x00,0x00,0x02,0x0c,0x00,0x00,0x18,0x40,0x00,0x00,0x01,
+ 0x04,0x00,0x00,0x10,0x80,0x00,0x80,0x00,0x04,0x00,0x00,0x10,0x00,0x03,0x60,
+ 0x00,0x06,0x00,0x00,0x30,0x00,0x0c,0x18,0x00,0x01,0x00,0x00,0x20,0x00,0xf0,
+ 0x07,0x00,0x01,0x00,0x00,0x60,0x00,0x00,0x00,0x80,0x01,0x00,0x00,0x40,0x00,
+ 0x00,0x00,0x80,0x00,0x00,0x00,0x80,0xff,0xff,0xff,0x7f,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0,0x1f,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x08,0x20,0x00,0xff,0x00,0x00,0x00,0x00,0x08,0x40,0xe0,0x00,0x07,0x00,
+ 0x00,0x00,0x04,0x80,0x31,0x00,0x0c,0x00,0x00,0x00,0x04,0x00,0x09,0x00,0x30,
+ 0x00,0x00,0x00,0x04,0x00,0x06,0xc0,0x20,0x00,0x00,0x00,0x04,0x00,0x03,0x00,
+ 0x43,0x00,0x00,0x00,0x04,0x80,0x00,0x00,0x42,0x00,0x00,0x00,0x04,0x40,0x00,
+ 0x00,0x84,0x00,0x00,0x00,0x04,0x60,0x00,0x00,0x84,0x00,0x00,0x00,0x04,0x00,
+ 0x00,0x00,0x84,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02,
+ 0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,
+ 0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0e,0x00,
+ 0x00,0x00,0xf0,0xff,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/xnlock.1 b/crypto/heimdal/appl/xnlock/xnlock.1
new file mode 100644
index 0000000..c62417d
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/xnlock.1
@@ -0,0 +1,123 @@
+.\" xnlock -- Dan Heller 1985 <argv@sun.com>
+.TH XNLOCK 1L "19 April 1990"
+.SH NAME
+xnlock \- amusing lock screen program with message for passers-by
+.SH SYNOPSIS
+.B xnlock
+[
+\fIoptions\fP
+]
+[
+\fImessage\fP
+]
+.SH DESCRIPTION
+.I xnlock
+is a program that acts as a screen saver for workstations running X11.
+It also "locks" the screen such that the workstation can be left
+unattended without worry that someone else will walk up to it and
+mess everything up.  When \fIxnlock\fP is running, a little man with
+a big nose and a hat runs around spewing out messages to the screen.
+By default, the messages are "humorous", but that depends on your
+sense of humor.
+.LP
+If a key or mouse button is pressed, a prompt is printed requesting the
+user's password.  If a RETURN is not typed within 30 seconds,
+the little man resumes running around.
+.LP
+Text on the command line is used as the message.  For example:
+.br
+	% xnlock I\'m out to lunch for a couple of hours.
+.br
+Note the need to quote shell metacharacters.
+.LP
+In the absence of flags or text, \fIxnlock\fP displays random fortunes.
+.SH OPTIONS
+Command line options override all resource specifications.
+All arguments that are not associated with a command line option
+is taken to be message text that the little man will "say" every
+once in a while.  The resource \fBxnlock.text\fP may be set to
+a string.
+.TP
+.BI \-fn " fontname"
+The default font is the first 18 point font in the \fInew century schoolbook\fP
+family.  While larger fonts are recokmmended over smaller ones, any font
+in the server's font list will work.  The resource to use for this option
+is \fBxnlock.font\fP.
+.TP
+.BI \-filename "  filename"
+Take the message to be displayed from the file \fIfilename\fP.
+If \fIfilename\fP is not specified, \fI$HOME/.msgfile\fP is used.
+If the contents of the file are changed during runtime, the most recent text
+of the file is used (allowing the displayed message to be altered remotely).
+Carriage returns within the text are allowed, but tabs or other control
+characters are not translated and should not be used.
+The resource available for this option is \fBxnlock.file\fP.
+.TP
+.BI \-ar
+Accept root's password to unlock screen.  This option is true by
+default.  The reason for this is so that someone's screen may be
+unlocked by autorized users in case of emergency and the person
+running the program is still out to lunch.  The resource available
+for specifying this option is \fBxnlock.acceptRootPasswd\fP.
+.TP
+.BI \-noar
+Don't accept root's password.  This option is for paranoids who
+fear their peers might breakin using root's password and remove
+their files anyway.  Specifying this option on the command line
+overrides the \fBxnlock.acceptRootPasswd\fP if set to True.
+.TP
+.BI \-ip
+Ignore password prompt.
+The resource available for this option is \fBxnlock.ignorePasswd\fP.
+.TP
+.BI \-noip
+Don't ignore password prompt.  This is available in order to
+override the resource \fBignorePasswd\fP if set to True.
+.TP
+.BI -fg " color"
+Specifies the foreground color.  The resource available for this
+is \fBxnlock.foreground\fP.
+.TP
+.BI -bg " color"
+Specifies the background color.  The resource available for this
+is \fBxnlock.background\fP.
+.TP
+.BI \-rv
+Reverse the foreground and background colors.
+The resource for this is \fBxvnlock.reverseVideo\fP.
+.TP
+.BI \-norv
+Don't use reverse video.  This is available to override the reverseVideo
+resource if set to True.
+.TP
+.BI \-prog " program"
+Receive message text from the running program \fIprogram\fP. If there
+are arguments to \fIprogram\fP, encase them with the name of the program in
+quotes (e.g. xnlock -t "fortune -o").
+The resource for this is \fBxnlock.program\fP.
+.SH RESOURCES
+.br
+xnlock.font:               fontname
+.br
+xnlock.foreground:         color
+.br
+xnlock.background:         color
+.br
+xnlock.reverseVideo:       True/False
+.br
+xnlock.text:               Some random text string
+.br
+xnlock.program:            program [args]
+.br
+xnlock.ignorePasswd:       True/False
+.br
+xnlock.acceptRootPasswd:   True/False
+.SH FILES
+\fIxnlock\fP               executable file
+.br
+~/.msgfile                 default message file
+.SH AUTHOR
+Dan Heller <argv@sun.com>  Copyright (c) 1985, 1990.
+.br
+The original version of this program was written using pixrects on
+a Sun 2 running SunOS 1.1.
diff --git a/crypto/heimdal/appl/xnlock/xnlock.c b/crypto/heimdal/appl/xnlock/xnlock.c
new file mode 100644
index 0000000..da61baf
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/xnlock.c
@@ -0,0 +1,1117 @@
+/*
+ * xnlock -- Dan Heller, 1990
+ * "nlock" is a "new lockscreen" type program... something that prevents
+ * screen burnout by making most of it "black" while providing something
+ * of interest to be displayed in case anyone is watching.
+ * "xnlock" is the X11 version of the program.
+ * Original sunview version written by Dan Heller 1985 (not included here).
+ */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: xnlock.c,v 1.85 2001/03/15 17:13:13 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <X11/StringDefs.h>
+#include <X11/Intrinsic.h>
+#include <X11/keysym.h>
+#include <X11/Shell.h>
+#include <X11/Xos.h>
+#ifdef strerror
+#undef strerror
+#endif
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#include <kafs.h>
+#endif
+
+#include <roken.h>
+#include <err.h>
+
+static char login[16];
+static char userprompt[128];
+#ifdef KRB4
+static char name[ANAME_SZ];
+static char inst[INST_SZ];
+static char realm[REALM_SZ];
+#endif
+#ifdef KRB5
+static krb5_context context;
+static krb5_principal client;
+#endif
+
+#define font_height(font)	  	(font->ascent + font->descent)
+
+static char *SPACE_STRING = "                                                      ";
+static char STRING[] = "****************";
+
+#define STRING_LENGTH (sizeof(STRING))
+#define MAX_PASSWD_LENGTH 256
+/* (sizeof(STRING)) */
+
+#define PROMPT	    "Password: "
+#define FAIL_MSG    "Sorry, try again"
+#define LEFT 	001
+#define RIGHT 	002
+#define DOWN 	004
+#define UP 	010
+#define FRONT	020
+#define X_INCR 3
+#define Y_INCR 2
+#define XNLOCK_CTRL 1
+#define XNLOCK_NOCTRL 0
+
+static XtAppContext	app;
+static Display        *dpy;
+static unsigned short	Width, Height;
+static Widget		widget;
+static GC		gc;
+static XtIntervalId	timeout_id;
+static char	       *words;
+static int		x, y;
+static Pixel		Black, White;
+static XFontStruct    *font;
+static char		root_cpass[128];
+static char		user_cpass[128];
+static int		time_left, prompt_x, prompt_y, time_x, time_y;
+static unsigned long	interval;
+static Pixmap		left0, left1, right0, right1, left_front,
+			right_front, front, down;
+
+#define MAXLINES 40
+
+#define IS_MOVING  1
+#define GET_PASSWD 2
+static int state; /* indicates states: walking or getting passwd */
+
+static int ALLOW_LOGOUT = (60*10);	/* Allow logout after nn seconds */
+#define LOGOUT_PASSWD "enuHDmTo5Lq4g" /* when given password "LOGOUT" */
+static time_t locked_at;
+
+struct appres_t {
+    Pixel bg;
+    Pixel fg;
+    XFontStruct *font;
+    Boolean ignore_passwd;
+    Boolean do_reverse;
+    Boolean accept_root;
+    char *text, *text_prog, *file, *logoutPasswd;
+    Boolean no_screensaver;
+    Boolean destroytickets;
+} appres;
+
+static XtResource resources[] = {
+    { XtNbackground, XtCBackground, XtRPixel, sizeof(Pixel), 
+      XtOffsetOf(struct appres_t, bg), XtRString, "black" },
+
+    { XtNforeground, XtCForeground, XtRPixel, sizeof(Pixel), 
+      XtOffsetOf(struct appres_t, fg), XtRString, "white" },
+
+    { XtNfont, XtCFont, XtRFontStruct, sizeof (XFontStruct *),
+      XtOffsetOf(struct appres_t, font), 
+      XtRString, "-*-new century schoolbook-*-*-*-18-*" },
+
+    { "ignorePasswd", "IgnorePasswd", XtRBoolean, sizeof(Boolean),
+      XtOffsetOf(struct appres_t,ignore_passwd),XtRImmediate,(XtPointer)False },
+
+    { "acceptRootPasswd", "AcceptRootPasswd", XtRBoolean, sizeof(Boolean),
+      XtOffsetOf(struct appres_t, accept_root), XtRImmediate, (XtPointer)True },
+
+    { "text", "Text", XtRString, sizeof(String),
+      XtOffsetOf(struct appres_t, text), XtRString, "I'm out running around." },
+    
+    { "program", "Program", XtRString, sizeof(String),
+      XtOffsetOf(struct appres_t, text_prog), XtRImmediate, NULL },
+
+    { "file", "File", XtRString, sizeof(String),
+      XtOffsetOf(struct appres_t,file), XtRImmediate, NULL },
+
+    { "logoutPasswd", "logoutPasswd", XtRString, sizeof(String),
+      XtOffsetOf(struct appres_t, logoutPasswd), XtRString, LOGOUT_PASSWD },
+    
+    { "noScreenSaver", "NoScreenSaver", XtRBoolean, sizeof(Boolean),
+      XtOffsetOf(struct appres_t,no_screensaver), XtRImmediate, (XtPointer)True },
+
+    { "destroyTickets", "DestroyTickets", XtRBoolean, sizeof(Boolean),
+      XtOffsetOf(struct appres_t,destroytickets), XtRImmediate, (XtPointer)True },
+};
+
+static XrmOptionDescRec options[] = {
+    { "-fg", ".foreground", XrmoptionSepArg, NULL }, 
+    { "-foreground", ".foreground", XrmoptionSepArg, NULL }, 
+    { "-fn", ".font", XrmoptionSepArg, NULL }, 
+    { "-font", ".font", XrmoptionSepArg, NULL }, 
+    { "-ip", ".ignorePasswd", XrmoptionNoArg, "True" },
+    { "-noip", ".ignorePasswd", XrmoptionNoArg, "False" },
+    { "-ar",  ".acceptRootPasswd", XrmoptionNoArg, "True" },
+    { "-noar", ".acceptRootPasswd", XrmoptionNoArg, "False" },
+    { "-nonoscreensaver", ".noScreenSaver", XrmoptionNoArg, "False" },
+    { "-nodestroytickets", ".destroyTickets", XrmoptionNoArg, "False" },
+};
+
+static char*
+get_words(void)
+{
+    FILE *pp = NULL;
+    static char buf[512];
+    long n;
+
+    if (appres.text_prog) {
+	pp = popen(appres.text_prog, "r");
+	if (!pp) {
+	    warn("popen %s", appres.text_prog);
+	    return appres.text;
+	}
+	n = fread(buf, 1, sizeof(buf) - 1, pp);
+	buf[n] = 0;
+	pclose(pp);
+	return buf;
+    }
+    if (appres.file) {
+	pp = fopen(appres.file, "r");
+	if (!pp) {
+	    warn("fopen %s", appres.file);
+	    return appres.text;
+	}
+	n = fread(buf, 1, sizeof(buf) - 1, pp);
+	buf[n] = 0;
+	fclose(pp);
+	return buf;
+    }
+
+    return appres.text;
+}
+
+static void
+usage(void)
+{
+    fprintf(stderr, "usage: %s [options] [message]\n", getprogname());
+    fprintf(stderr, "-fg color     foreground color\n");
+    fprintf(stderr, "-bg color     background color\n");
+    fprintf(stderr, "-rv           reverse foreground/background colors\n");
+    fprintf(stderr, "-nrv          no reverse video\n");
+    fprintf(stderr, "-ip           ignore passwd\n");
+    fprintf(stderr, "-nip          don't ignore passwd\n");
+    fprintf(stderr, "-ar           accept root's passwd to unlock\n");
+    fprintf(stderr, "-nar          don't accept root's passwd\n");
+    fprintf(stderr, "-f [file]     message is read from file or ~/.msgfile\n");
+    fprintf(stderr, "-prog program  text is gotten from executing `program'\n");
+    fprintf(stderr, "-nodestroytickets keep kerberos tickets\n");
+    exit(1);
+}
+
+static void
+init_words (int argc, char **argv)
+{
+    int i = 0;
+
+    while(argv[i]) {
+	if(strcmp(argv[i], "-p") == 0
+	   || strcmp(argv[i], "-prog") == 0) {
+	    i++;
+	    if(argv[i]) {
+		appres.text_prog = argv[i];
+		i++;
+	    } else {
+		warnx ("-p requires an argument");
+		usage();
+	    }
+	} else if(strcmp(argv[i], "-f") == 0) {
+	    i++;
+	    if(argv[i]) {
+		appres.file = argv[i];
+		i++;
+	    } else {
+		asprintf (&appres.file,
+			  "%s/.msgfile", getenv("HOME"));
+		if (appres.file == NULL)
+		    errx (1, "cannot allocate memory for message");
+	    }
+	} else {
+	    int j;
+	    int len = 1;
+	    for(j = i; argv[j]; j++)
+		len += strlen(argv[j]) + 1;
+	    appres.text = malloc(len);
+	    if (appres.text == NULL)
+		errx (1, "cannot allocate memory for message");
+	    appres.text[0] = 0;
+	    for(; i < j; i++){
+		strlcat(appres.text, argv[i], len);
+		strlcat(appres.text, " ", len);
+	    }
+	}
+    }
+}
+
+static void
+ScreenSaver(int save)
+{
+    static int timeout, interval, prefer_blank, allow_exp;
+    if(!appres.no_screensaver){
+	if (save) {
+	    XGetScreenSaver(dpy, &timeout, &interval, 
+			    &prefer_blank, &allow_exp);
+	    XSetScreenSaver(dpy, 0, interval, prefer_blank, allow_exp);
+	} else
+	    /* restore state */
+	    XSetScreenSaver(dpy, timeout, interval, prefer_blank, allow_exp);
+    }
+}
+
+/* Forward decls necessary */
+static void talk(int force_erase);
+static unsigned long look(void);
+
+static int
+zrefresh(void)
+{
+  switch (fork()) {
+  case -1:
+      warn ("zrefresh: fork");
+      return -1;
+  case 0:
+      /* Child */
+      execlp("zrefresh", "zrefresh", 0);
+      execl(BINDIR "/zrefresh", "zrefresh", 0);
+      return -1;
+  default:
+      /* Parent */
+      break;
+  }
+  return 0;
+}
+
+static void
+leave(void)
+{
+    XUngrabPointer(dpy, CurrentTime);
+    XUngrabKeyboard(dpy, CurrentTime);
+    ScreenSaver(0);
+    XCloseDisplay(dpy);
+    zrefresh();
+    exit(0);
+}
+
+static void
+walk(int dir)
+{
+    int incr = 0;
+    static int lastdir;
+    static int up = 1;
+    static Pixmap frame;
+
+    XSetForeground(dpy, gc, White);
+    XSetBackground(dpy, gc, Black);
+    if (dir & (LEFT|RIGHT)) { /* left/right movement (mabye up/down too) */
+	up = -up; /* bouncing effect (even if hit a wall) */
+	if (dir & LEFT) {
+	    incr = X_INCR;
+	    frame = (up < 0) ? left0 : left1;
+	} else {
+	    incr = -X_INCR;
+	    frame = (up < 0) ? right0 : right1;
+	}
+	if ((lastdir == FRONT || lastdir == DOWN) && dir & UP) {
+	    /* workaround silly bug that leaves screen dust when
+	     * guy is facing forward or down and moves up-left/right.
+	     */
+	    XCopyPlane(dpy, frame, XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L);
+	    XFlush(dpy);
+	}
+	/* note that maybe neither UP nor DOWN is set! */
+	if (dir & UP && y > Y_INCR)
+	    y -= Y_INCR;
+	else if (dir & DOWN && y < (int)Height - 64)
+	    y += Y_INCR;
+    }
+    /* Explicit up/down movement only (no left/right) */
+    else if (dir == UP)
+	XCopyPlane(dpy, front, XtWindow(widget), gc,
+	    0,0, 64,64, x, y -= Y_INCR, 1L);
+    else if (dir == DOWN)
+	XCopyPlane(dpy, down, XtWindow(widget), gc,
+	    0,0, 64,64, x, y += Y_INCR, 1L);
+    else if (dir == FRONT && frame != front) {
+	if (up > 0)
+	    up = -up;
+	if (lastdir & LEFT)
+	    frame = left_front;
+	else if (lastdir & RIGHT)
+	    frame = right_front;
+	else
+	    frame = front;
+	XCopyPlane(dpy, frame, XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L);
+    }
+    if (dir & LEFT)
+	while(--incr >= 0) {
+	    XCopyPlane(dpy, frame, XtWindow(widget), gc,
+		0,0, 64,64, --x, y+up, 1L);
+	    XFlush(dpy);
+	}
+    else if (dir & RIGHT)
+	while(++incr <= 0) {
+	    XCopyPlane(dpy, frame, XtWindow(widget), gc,
+		0,0, 64,64, ++x, y+up, 1L);
+	    XFlush(dpy);
+	}
+    lastdir = dir;
+}
+
+static int
+think(void)
+{
+    if (rand() & 1)
+	walk(FRONT);
+    if (rand() & 1) {
+	words = get_words();
+	return 1;
+    }
+    return 0;
+}
+
+static void
+move(XtPointer _p, XtIntervalId *_id)
+{
+    static int length, dir;
+
+    if (!length) {
+	int tries = 0;
+	dir = 0;
+	if ((rand() & 1) && think()) {
+	    talk(0); /* sets timeout to itself */
+	    return;
+	}
+	if (!(rand() % 3) && (interval = look())) {
+	    timeout_id = XtAppAddTimeOut(app, interval, move, NULL);
+	    return;
+	}
+	interval = 20 + rand() % 100;
+	do  {
+	    if (!tries)
+		length = Width/100 + rand() % 90, tries = 8;
+	    else
+		tries--;
+	    switch (rand() % 8) {
+		case 0:
+		    if (x - X_INCR*length >= 5)
+			dir = LEFT;
+		case 1:
+		    if (x + X_INCR*length <= (int)Width - 70)
+			dir = RIGHT;
+		case 2:
+		    if (y - (Y_INCR*length) >= 5)
+			dir = UP, interval = 40;
+		case 3:
+		    if (y + Y_INCR*length <= (int)Height - 70)
+			dir = DOWN, interval = 20;
+		case 4:
+		    if (x - X_INCR*length >= 5 && y - (Y_INCR*length) >= 5)
+			dir = (LEFT|UP);
+		case 5:
+		    if (x + X_INCR * length <= (int)Width - 70 &&
+			y-Y_INCR * length >= 5)
+			dir = (RIGHT|UP);
+		case 6:
+		    if (x - X_INCR * length >= 5 &&
+			y + Y_INCR * length <= (int)Height - 70)
+			dir = (LEFT|DOWN);
+		case 7:
+		    if (x + X_INCR*length <= (int)Width - 70 &&
+			y + Y_INCR*length <= (int)Height - 70)
+			dir = (RIGHT|DOWN);
+	    }
+	} while (!dir);
+    }
+    walk(dir);
+    --length;
+    timeout_id = XtAppAddTimeOut(app, interval, move, NULL);
+}
+
+static void
+post_prompt_box(Window window)
+{
+    int width = (Width / 3);
+    int height = font_height(font) * 6;
+    int box_x, box_y;
+
+    /* make sure the entire nose icon fits in the box */
+    if (height < 100)
+	height = 100;
+
+    if(width < 105 + font->max_bounds.width*STRING_LENGTH)
+	width = 105 + font->max_bounds.width*STRING_LENGTH;
+    box_x = (Width - width) / 2;
+    time_x = prompt_x = box_x + 105;
+
+    time_y = prompt_y = Height / 2;
+    box_y = prompt_y - 3 * font_height(font);
+
+    /* erase current guy -- text message may still exist */
+    XSetForeground(dpy, gc, Black);
+    XFillRectangle(dpy, window, gc, x, y, 64, 64);
+    talk(1); /* forcefully erase message if one is being displayed */
+    /* Clear area in middle of screen for prompt box */
+    XSetForeground(dpy, gc, White);
+    XFillRectangle(dpy, window, gc, box_x, box_y, width, height);
+
+    /* make a box that's 5 pixels thick. Then add a thin box inside it */
+    XSetForeground(dpy, gc, Black);
+    XSetLineAttributes(dpy, gc, 5, 0, 0, 0);
+    XDrawRectangle(dpy, window, gc, box_x+5, box_y+5, width-10, height-10);
+    XSetLineAttributes(dpy, gc, 0, 0, 0, 0);
+    XDrawRectangle(dpy, window, gc, box_x+12, box_y+12, width-23, height-23);
+
+    XDrawString(dpy, window, gc,
+		prompt_x, prompt_y-font_height(font), 
+		userprompt, strlen(userprompt));
+    XDrawString(dpy, window, gc, prompt_x, prompt_y, PROMPT, strlen(PROMPT));
+    /* set background for copyplane and DrawImageString; need reverse video */
+    XSetBackground(dpy, gc, White);
+    XCopyPlane(dpy, right0, window, gc, 0,0, 64,64,
+	       box_x + 20, box_y + (height - 64)/2, 1L);
+    prompt_x += XTextWidth(font, PROMPT, strlen(PROMPT));
+    time_y += 2*font_height(font);
+}
+
+static void
+RaiseWindow(Widget w, XEvent *ev, String *s, Cardinal *n)
+{
+  Widget x;
+  if(!XtIsRealized(w))
+    return;
+  x = XtParent(w);
+  XRaiseWindow(dpy, XtWindow(x));
+}
+
+
+static void
+ClearWindow(Widget w, XEvent *_event, String *_s, Cardinal *_n)
+{
+    XExposeEvent *event = (XExposeEvent *)_event;
+    if (!XtIsRealized(w))
+	return;
+    XClearArea(dpy, XtWindow(w), event->x, event->y, 
+	       event->width, event->height, False);
+    if (state == GET_PASSWD)
+	post_prompt_box(XtWindow(w));
+    if (timeout_id == 0 && event->count == 0) {
+	timeout_id = XtAppAddTimeOut(app, 1000L, move, NULL);
+	/* first grab the input focus */
+	XSetInputFocus(dpy, XtWindow(w), RevertToPointerRoot, CurrentTime);
+	/* now grab the pointer and keyboard and contrain to this window */
+	XGrabPointer(dpy, XtWindow(w), TRUE, 0, GrabModeAsync,
+	     GrabModeAsync, XtWindow(w), None, CurrentTime);
+    }
+}
+
+static void
+countdown(XtPointer _t, XtIntervalId *_d)
+{
+    int *timeout = (int *)_t;
+    char buf[128];
+    time_t seconds;
+
+    if (--(*timeout) < 0) {
+	XExposeEvent event;
+	XtRemoveTimeOut(timeout_id);
+	state = IS_MOVING;
+	event.x = event.y = 0;
+	event.width = Width, event.height = Height;
+	ClearWindow(widget, (XEvent *)&event, 0, 0);
+	timeout_id = XtAppAddTimeOut(app, 200L, move, NULL);
+	return;
+    }
+    seconds = time(0) - locked_at;
+    if (seconds >= 3600)
+      snprintf(buf, sizeof(buf),
+	       "Locked for %d:%02d:%02d    ",
+	       (int)seconds/3600, (int)seconds/60%60, (int)seconds%60);
+    else
+      snprintf(buf, sizeof(buf),
+	       "Locked for %2d:%02d    ",
+	       (int)seconds/60, (int)seconds%60);
+      
+    XDrawImageString(dpy, XtWindow(widget), gc,
+	time_x, time_y, buf, strlen(buf));
+    XtAppAddTimeOut(app, 1000L, countdown, timeout);
+    return;
+}
+
+#ifdef KRB5
+static int
+verify_krb5(const char *password)
+{
+    krb5_error_code ret;
+    krb5_ccache id;
+    
+    krb5_cc_default(context, &id);
+    ret = krb5_verify_user(context,
+			   client, 
+			   id,
+			   password, 
+			   0,
+			   NULL);
+    if (ret == 0){
+#ifdef KRB4
+	if (krb5_config_get_bool(context, NULL,
+				 "libdefaults",
+				 "krb4_get_tickets",
+				 NULL)) {
+	    CREDENTIALS c;
+	    krb5_creds mcred, cred;
+	    char krb4tkfile[MAXPATHLEN];
+
+	    krb5_make_principal(context, &mcred.server,
+				client->realm,
+				"krbtgt",
+				client->realm,
+				NULL);
+	    ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
+	    if(ret == 0) {
+		ret = krb524_convert_creds_kdc(context, id, &cred, &c);
+		if(ret == 0) 
+		    tf_setup(&c, c.pname, c.pinst);
+		memset(&c, 0, sizeof(c));
+		krb5_free_creds_contents(context, &cred);
+	    }
+	    krb5_free_principal(context, mcred.server);
+	}
+	if (k_hasafs())
+	    krb5_afslog(context, id, NULL, NULL);
+#endif
+	return 0;
+    }
+    if (ret != KRB5KRB_AP_ERR_MODIFIED)
+	krb5_warn(context, ret, "verify_krb5");
+    
+    return -1;
+}
+#endif
+
+static int
+verify(char *password)
+{
+    int ret;
+
+    /*
+     * First try with root password, if allowed.
+     */
+    if (   appres.accept_root
+	&& strcmp(crypt(password, root_cpass), root_cpass) == 0)
+      return 0;
+
+    /*
+     * Password that log out user
+     */
+    if (getuid() != 0 &&
+	geteuid() != 0 &&
+	(time(0) - locked_at) > ALLOW_LOGOUT &&
+	strcmp(crypt(password, appres.logoutPasswd), appres.logoutPasswd) == 0)
+	    {
+		signal(SIGHUP, SIG_IGN);
+		kill(-1, SIGHUP);
+		sleep(5);
+		/* If the X-server shut down then so will we, else
+		 * continue */
+		signal(SIGHUP, SIG_DFL);
+	    }
+
+    /*
+     * Try copy of users password.
+     */
+    if (strcmp(crypt(password, user_cpass), user_cpass) == 0)
+      return 0;
+
+    /*
+     * Try to verify as user in case password change.
+     */
+    if (unix_verify_user(login, password) == 0)
+	return 0;
+
+#ifdef KRB5
+    /*
+     * Try to verify as user with kerberos 5.
+     */
+    if(verify_krb5(password) == 0)
+	return 0;
+#endif
+
+#ifdef KRB4
+    /*
+     * Try to verify as user with kerberos 4.
+     */
+    ret = krb_verify_user(name, inst, realm, password,
+			  KRB_VERIFY_NOT_SECURE, NULL);
+    if (ret == KSUCCESS){
+	if (k_hasafs())
+	    krb_afslog(NULL, NULL);
+	return 0;
+    }
+    if (ret != INTK_BADPW)
+	warnx ("warning: %s",
+	       (ret < 0) ? strerror(ret) : krb_get_err_text(ret));
+#endif
+    
+    return -1;
+}
+
+
+static void
+GetPasswd(Widget w, XEvent *_event, String *_s, Cardinal *_n)
+{
+    XKeyEvent *event = (XKeyEvent *)_event;
+    static char passwd[MAX_PASSWD_LENGTH];
+    static int cnt;
+    static int is_ctrl = XNLOCK_NOCTRL;
+    char c;
+    KeySym keysym;
+    int echolen;
+    int old_state = state;
+
+    if (event->type == ButtonPress) {
+	x = event->x, y = event->y;
+	return;
+    }
+    if (state == IS_MOVING) {
+	/* guy is running around--change to post prompt box. */
+	XtRemoveTimeOut(timeout_id);
+	state = GET_PASSWD;
+	if (appres.ignore_passwd || !strlen(user_cpass))
+	    leave();
+	post_prompt_box(XtWindow(w));
+	cnt = 0;
+	time_left = 30;
+	countdown((XtPointer)&time_left, 0);
+    }
+    if (event->type == KeyRelease) {
+      keysym = XLookupKeysym(event, 0);
+      if (keysym == XK_Control_L || keysym == XK_Control_R) {
+	is_ctrl = XNLOCK_NOCTRL;
+      }
+    }
+    if (event->type != KeyPress)
+	return;
+
+    time_left = 30;
+    
+    keysym = XLookupKeysym(event, 0);
+    if (keysym == XK_Control_L || keysym == XK_Control_R) {
+      is_ctrl = XNLOCK_CTRL;
+      return;
+    }
+    if (!XLookupString(event, &c, 1, &keysym, 0))
+	return;
+    if (keysym == XK_Return || keysym == XK_Linefeed) {
+	passwd[cnt] = 0;
+	if(old_state == IS_MOVING)
+	    return;
+	XtRemoveTimeOut(timeout_id);
+
+	if(verify(passwd) == 0)
+	    leave();
+
+	cnt = 0;
+
+	XDrawImageString(dpy, XtWindow(widget), gc,
+	    time_x, time_y, FAIL_MSG, strlen(FAIL_MSG));
+	time_left = 0;
+	timeout_id = XtAppAddTimeOut(app, 2000L, countdown, &time_left);
+	return;
+    }
+    if (keysym == XK_BackSpace || keysym == XK_Delete || keysym == XK_Left) {
+	if (cnt)
+	    passwd[cnt--] = ' ';
+    } else if (keysym == XK_u && is_ctrl == XNLOCK_CTRL) {
+      while (cnt) {
+	passwd[cnt--] = ' ';
+	echolen = min(cnt, STRING_LENGTH);
+	XDrawImageString(dpy, XtWindow(w), gc,
+		    prompt_x, prompt_y, STRING, echolen);
+	XDrawImageString(dpy, XtWindow(w), gc,
+			 prompt_x + XTextWidth(font, STRING, echolen),
+			 prompt_y, SPACE_STRING, STRING_LENGTH - echolen + 1);
+      }
+    } else if (isprint(c)) {
+	if ((cnt + 1) >= MAX_PASSWD_LENGTH)
+	    XBell(dpy, 50);
+	else
+	    passwd[cnt++] = c;
+    } else
+	return;
+    echolen = min(cnt, STRING_LENGTH);
+    XDrawImageString(dpy, XtWindow(w), gc,
+	prompt_x, prompt_y, STRING, echolen);
+    XDrawImageString(dpy, XtWindow(w), gc,
+	prompt_x + XTextWidth(font, STRING, echolen),
+	prompt_y, SPACE_STRING, STRING_LENGTH - echolen +1);
+}
+
+#include "nose.0.left"
+#include "nose.1.left"
+#include "nose.0.right"
+#include "nose.1.right"
+#include "nose.left.front"
+#include "nose.right.front"
+#include "nose.front"
+#include "nose.down"
+
+static void
+init_images(void)
+{
+    static Pixmap *images[] = {
+	&left0, &left1, &right0, &right1,
+	&left_front, &right_front, &front, &down 
+    };
+    static unsigned char *bits[] = {
+	nose_0_left_bits, nose_1_left_bits, nose_0_right_bits,
+	nose_1_right_bits, nose_left_front_bits, nose_right_front_bits,
+	nose_front_bits, nose_down_bits
+    };
+    int i;
+
+    for (i = 0; i < XtNumber(images); i++)
+	if (!(*images[i] =
+		XCreatePixmapFromBitmapData(dpy, DefaultRootWindow(dpy),
+		    (char*)(bits[i]), 64, 64, 1, 0, 1)))
+	    XtError("Can't load nose images");
+}
+
+static void
+talk(int force_erase)
+{
+    int width = 0, height, Z, total = 0;
+    static int X, Y, talking;
+    static struct { int x, y, width, height; } s_rect;
+    char *p, *p2;
+    char buf[BUFSIZ], args[MAXLINES][256];
+
+    /* clear what we've written */
+    if (talking || force_erase) {
+	if (!talking)
+	    return;
+	if (talking == 2) {
+	    XSetForeground(dpy, gc, Black);
+	    XDrawString(dpy, XtWindow(widget), gc, X, Y, words, strlen(words));
+	} else if (talking == 1) {
+	    XSetForeground(dpy, gc, Black);
+	    XFillRectangle(dpy, XtWindow(widget), gc, s_rect.x-5, s_rect.y-5,
+			   s_rect.width+10, s_rect.height+10);
+	}
+	talking = 0;
+	if (!force_erase)
+	    timeout_id = XtAppAddTimeOut(app, 40L,
+					 (XtTimerCallbackProc)move,
+					 NULL);
+	return;
+    }
+    XSetForeground(dpy, gc, White);
+    talking = 1;
+    walk(FRONT);
+    strlcpy (buf, words, sizeof(buf));
+    p = buf;
+
+    /* possibly avoid a lot of work here
+     * if no CR or only one, then just print the line
+     */
+    if (!(p2 = strchr(p, '\n')) || !p2[1]) {
+	int w;
+
+	if (p2)
+	    *p2 = 0;
+	w = XTextWidth(font, words, strlen(words));
+	X = x + 32 - w/2;
+	Y = y - 5 - font_height(font);
+	/* give us a nice 5 pixel margin */
+	if (X < 5)
+	    X = 5;
+	else if (X + w + 15 > (int)Width + 5)
+	    X = Width - w - 5;
+	if (Y < 5)
+	    Y = y + 64 + 5 + font_height(font);
+	XDrawString(dpy, XtWindow(widget), gc, X, Y, words, strlen(words));
+	timeout_id = XtAppAddTimeOut(app, 5000L, (XtTimerCallbackProc)talk, 
+				     NULL);
+	talking++;
+	return;
+    }
+
+    /* p2 now points to the first '\n' */
+    for (height = 0; p; height++) {
+	int w;
+	*p2 = 0;
+	if ((w = XTextWidth(font, p, p2 - p)) > width)
+	    width = w;
+	total += p2 - p; /* total chars; count to determine reading time */
+	strlcpy(args[height], p, sizeof(args[height]));
+	if (height == MAXLINES - 1) {
+	    puts("Message too long!");
+	    break;
+	}
+	p = p2+1;
+	if (!(p2 = strchr(p, '\n')))
+	    break;
+    }
+    height++;
+
+    /* Figure out the height and width in pixels (height, width) extend
+     * the new box by 15 pixels on the sides (30 total) top and bottom.
+     */
+    s_rect.width = width + 30;
+    s_rect.height = height * font_height(font) + 30;
+    if (x - s_rect.width - 10 < 5)
+	s_rect.x = 5;
+    else
+	if ((s_rect.x = x+32-(s_rect.width+15)/2)
+					 + s_rect.width+15 > (int)Width-5)
+	    s_rect.x = Width - 15 - s_rect.width;
+    if (y - s_rect.height - 10 < 5)
+	s_rect.y = y + 64 + 5;
+    else
+	s_rect.y = y - 5 - s_rect.height;
+
+    XSetForeground(dpy, gc, White);
+    XFillRectangle(dpy, XtWindow(widget), gc,
+       s_rect.x-5, s_rect.y-5, s_rect.width+10, s_rect.height+10);
+
+    /* make a box that's 5 pixels thick. Then add a thin box inside it */
+    XSetForeground(dpy, gc, Black);
+    XSetLineAttributes(dpy, gc, 5, 0, 0, 0);
+    XDrawRectangle(dpy, XtWindow(widget), gc,
+		   s_rect.x, s_rect.y, s_rect.width-1, s_rect.height-1);
+    XSetLineAttributes(dpy, gc, 0, 0, 0, 0);
+    XDrawRectangle(dpy, XtWindow(widget), gc,
+		   s_rect.x + 7, s_rect.y + 7, s_rect.width - 15, 
+		   s_rect.height - 15);
+
+    X = 15;
+    Y = 15 + font_height(font);
+
+    /* now print each string in reverse order (start at bottom of box) */
+    for (Z = 0; Z < height; Z++) {
+	XDrawString(dpy, XtWindow(widget), gc, s_rect.x+X, s_rect.y+Y,
+	    args[Z], strlen(args[Z]));
+	Y += font_height(font);
+    }
+    timeout_id = XtAppAddTimeOut(app, (total/15) * 1000, 
+				 (XtTimerCallbackProc)talk, NULL);
+}
+
+static unsigned long
+look(void)
+{
+    XSetForeground(dpy, gc, White);
+    XSetBackground(dpy, gc, Black);
+    if (rand() % 3) {
+	XCopyPlane(dpy, (rand() & 1)? down : front, XtWindow(widget), gc,
+	    0, 0, 64,64, x, y, 1L);
+	return 1000L;
+    }
+    if (!(rand() % 5))
+	return 0;
+    if (rand() % 3) {
+	XCopyPlane(dpy, (rand() & 1)? left_front : right_front,
+	    XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L);
+	return 1000L;
+    }
+    if (!(rand() % 5))
+	return 0;
+    XCopyPlane(dpy, (rand() & 1)? left0 : right0, XtWindow(widget), gc,
+	0, 0, 64,64, x, y, 1L);
+    return 1000L;
+}
+
+int
+main (int argc, char **argv)
+{
+    int i;
+    Widget override;
+    XGCValues gcvalues;
+
+    setprogname (argv[0]);
+
+    /*
+     * Must be setuid root to read /etc/shadow, copy encrypted
+     * passwords here and then switch to sane uid.
+     */
+    {
+      struct passwd *pw;
+      uid_t uid = getuid();
+      if (!(pw = k_getpwuid(0)))
+	errx (1, "can't get root's passwd!");
+      strlcpy(root_cpass, pw->pw_passwd, sizeof(root_cpass));
+
+      if (!(pw = k_getpwuid(uid)))
+	errx (1, "Can't get your password entry!");
+      strlcpy(user_cpass, pw->pw_passwd, sizeof(user_cpass));
+      setuid(uid);
+      if (uid != 0 && setuid(0) != -1) {
+	fprintf(stderr, "Failed to drop privileges!\n");
+	exit(1);
+      }
+      /* Now we're no longer running setuid root. */
+      strlcpy(login, pw->pw_name, sizeof(login));
+    }
+
+    srand(getpid());
+    for (i = 0; i < STRING_LENGTH; i++)
+	STRING[i] = ((unsigned long)rand() % ('~' - ' ')) + ' ';
+
+    locked_at = time(0);
+
+    snprintf(userprompt, sizeof(userprompt), "User: %s", login);
+#ifdef KRB4
+    krb_get_default_principal(name, inst, realm);
+    snprintf(userprompt, sizeof(userprompt), "User: %s", 
+	     krb_unparse_name_long(name, inst, realm));
+#endif
+#ifdef KRB5
+    {
+	krb5_error_code ret;
+	char *str;
+
+	ret = krb5_init_context(&context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+	krb5_get_default_principal(context, &client);
+	krb5_unparse_name(context, client, &str);
+	snprintf(userprompt, sizeof(userprompt), "User: %s", str);
+	free(str);
+    }
+#endif
+
+    override = XtVaAppInitialize(&app, "XNlock", options, XtNumber(options),
+				 (Cardinal*)&argc, argv, NULL, 
+				 XtNoverrideRedirect, True, 
+				 NULL);
+    
+    XtVaGetApplicationResources(override,(XtPointer)&appres,
+				resources,XtNumber(resources),
+				NULL);
+    /* the background is black and the little guy is white */
+    Black = appres.bg;
+    White = appres.fg;
+
+    if (appres.destroytickets) {
+#ifdef KRB4
+	int fd;
+
+        dest_tkt();		/* Nuke old ticket file */
+				/* but keep a place holder */
+	fd = open (TKT_FILE, O_WRONLY | O_CREAT | O_EXCL, 0600);
+	if (fd >= 0)
+	    close (fd);
+#endif
+    }
+
+    dpy = XtDisplay(override);
+    
+    if (dpy == 0)
+      errx (1, "Error: Can't open display");
+
+    Width = DisplayWidth(dpy, DefaultScreen(dpy)) + 2;
+    Height = DisplayHeight(dpy, DefaultScreen(dpy)) + 2;
+    
+    for(i = 0; i < ScreenCount(dpy); i++){
+	Widget shell, core;
+
+	struct xxx{
+	    Pixel bg;
+	}res;
+	
+	XtResource Res[] = {
+	    { XtNbackground, XtCBackground, XtRPixel, sizeof(Pixel),
+	      XtOffsetOf(struct xxx, bg), XtRString, "black" }
+	};
+
+	if(i == DefaultScreen(dpy))
+	    continue;
+      
+	shell = XtVaAppCreateShell(NULL,NULL, applicationShellWidgetClass, dpy, 
+				   XtNscreen, ScreenOfDisplay(dpy, i), 
+				   XtNoverrideRedirect, True, 
+				   XtNx, -1, 
+				   XtNy, -1,
+				   NULL);
+      
+	XtVaGetApplicationResources(shell, (XtPointer)&res, 
+				    Res, XtNumber(Res),
+				    NULL);
+
+	core = XtVaCreateManagedWidget("_foo", widgetClass, shell,
+				       XtNwidth, DisplayWidth(dpy, i),
+				       XtNheight, DisplayHeight(dpy, i),
+				       XtNbackground, res.bg, 
+				       NULL);
+	XtRealizeWidget(shell);
+    }
+
+    widget = XtVaCreateManagedWidget("_foo", widgetClass, override,
+				     XtNwidth,	Width,
+				     XtNheight,	Height,
+				     XtNbackground, Black, 
+				     NULL);
+
+    init_words(--argc, ++argv);
+    init_images();
+
+    gcvalues.foreground = Black;
+    gcvalues.background = White;
+
+
+    font = appres.font;
+    gcvalues.font = font->fid;
+    gcvalues.graphics_exposures = False;
+    gc = XCreateGC(dpy, DefaultRootWindow(dpy),
+	GCForeground | GCBackground | GCGraphicsExposures | GCFont,
+	&gcvalues);
+
+    x = Width / 2;
+    y = Height / 2;
+    srand (time(0));
+    state = IS_MOVING;
+
+    {
+	static XtActionsRec actions[] = {
+	    { "ClearWindow",	ClearWindow  },
+	    { "GetPasswd",	GetPasswd    },
+	    { "RaiseWindow", 	RaiseWindow  },
+	};
+	XtAppAddActions(app, actions, XtNumber(actions));
+	XtOverrideTranslations(widget,
+	       XtParseTranslationTable(
+				       "<Expose>:	ClearWindow()	\n"
+				       "<BtnDown>:	GetPasswd()	\n"
+				       "<Visible>: RaiseWindow() \n"
+				       "<KeyRelease>:  GetPasswd()     \n"
+				       "<KeyPress>:	GetPasswd()"));
+    }
+
+    XtRealizeWidget(override);
+    if((i = XGrabPointer(dpy, XtWindow(widget), True, 0, GrabModeAsync,
+			 GrabModeAsync, XtWindow(widget), 
+			 None, CurrentTime)) != 0) 
+	errx(1, "Failed to grab pointer (%d)", i);
+	
+    if((i = XGrabKeyboard(dpy, XtWindow(widget), True, GrabModeAsync,
+			  GrabModeAsync, CurrentTime)) != 0)
+	errx(1, "Failed to grab keyboard (%d)", i);
+    ScreenSaver(1);
+    XtAppMainLoop(app);
+    exit(0);
+}
+
diff --git a/crypto/heimdal/appl/xnlock/xnlock.cat1 b/crypto/heimdal/appl/xnlock/xnlock.cat1
new file mode 100644
index 0000000..dde8eef
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/xnlock.cat1
@@ -0,0 +1,132 @@
+
+
+
+XNLOCK(1L)                                                         XNLOCK(1L)
+
+
+
+NAME
+  xnlock - amusing lock screen program with message for passers-by
+
+SYNOPSIS
+  xxnnlloocckk [ _o_p_t_i_o_n_s ] [ _m_e_s_s_a_g_e ]
+
+DESCRIPTION
+  _x_n_l_o_c_k is a program that acts as a screen saver for workstations running
+  X11.  It also "locks" the screen such that the workstation can be left
+  unattended without worry that someone else will walk up to it and mess
+  everything up.  When _x_n_l_o_c_k is running, a little man with a big nose and a
+  hat runs around spewing out messages to the screen.  By default, the mes-
+  sages are "humorous", but that depends on your sense of humor.
+
+  If a key or mouse button is pressed, a prompt is printed requesting the
+  user's password.  If a RETURN is not typed within 30 seconds, the little
+  man resumes running around.
+
+  Text on the command line is used as the message.  For example:
+          % xnlock I'm out to lunch for a couple of hours.
+  Note the need to quote shell metacharacters.
+
+  In the absence of flags or text, _x_n_l_o_c_k displays random fortunes.
+
+OPTIONS
+  Command line options override all resource specifications.  All arguments
+  that are not associated with a command line option is taken to be message
+  text that the little man will "say" every once in a while.  The resource
+  xxnnlloocckk..tteexxtt may be set to a string.
+
+  --ffnn _f_o_n_t_n_a_m_e
+       The default font is the first 18 point font in the _n_e_w _c_e_n_t_u_r_y _s_c_h_o_o_l_-
+       _b_o_o_k family.  While larger fonts are recokmmended over smaller ones,
+       any font in the server's font list will work.  The resource to use for
+       this option is xxnnlloocckk..ffoonntt.
+
+  --ffiilleennaammee  _f_i_l_e_n_a_m_e
+       Take the message to be displayed from the file _f_i_l_e_n_a_m_e.  If _f_i_l_e_n_a_m_e
+       is not specified, _$_H_O_M_E_/_._m_s_g_f_i_l_e is used.  If the contents of the file
+       are changed during runtime, the most recent text of the file is used
+       (allowing the displayed message to be altered remotely).  Carriage
+       returns within the text are allowed, but tabs or other control charac-
+       ters are not translated and should not be used.  The resource avail-
+       able for this option is xxnnlloocckk..ffiillee.
+
+  --aarr  Accept root's password to unlock screen.  This option is true by
+       default.  The reason for this is so that someone's screen may be
+       unlocked by autorized users in case of emergency and the person run-
+       ning the program is still out to lunch.  The resource available for
+       specifying this option is xxnnlloocckk..aacccceeppttRRoooottPPaasssswwdd.
+
+  --nnooaarr
+       Don't accept root's password.  This option is for paranoids who fear
+       their peers might breakin using root's password and remove their files
+       anyway.  Specifying this option on the command line overrides the
+       xxnnlloocckk..aacccceeppttRRoooottPPaasssswwdd if set to True.
+
+  --iipp  Ignore password prompt.  The resource available for this option is
+       xxnnlloocckk..iiggnnoorreePPaasssswwdd.
+
+  --nnooiipp
+       Don't ignore password prompt.  This is available in order to override
+       the resource iiggnnoorreePPaasssswwdd if set to True.
+
+  --ffgg _c_o_l_o_r
+       Specifies the foreground color.  The resource available for this is
+       xxnnlloocckk..ffoorreeggrroouunndd.
+
+  --bbgg _c_o_l_o_r
+       Specifies the background color.  The resource available for this is
+       xxnnlloocckk..bbaacckkggrroouunndd.
+
+  --rrvv  Reverse the foreground and background colors.  The resource for this
+       is xxvvnnlloocckk..rreevveerrsseeVViiddeeoo.
+
+  --nnoorrvv
+       Don't use reverse video.  This is available to override the reverseV-
+       ideo resource if set to True.
+
+  --pprroogg _p_r_o_g_r_a_m
+       Receive message text from the running program _p_r_o_g_r_a_m. If there are
+       arguments to _p_r_o_g_r_a_m, encase them with the name of the program in
+       quotes (e.g. xnlock -t "fortune -o").  The resource for this is
+       xxnnlloocckk..pprrooggrraamm.
+
+RESOURCES
+  xnlock.font:               fontname
+  xnlock.foreground:         color
+  xnlock.background:         color
+  xnlock.reverseVideo:       True/False
+  xnlock.text:               Some random text string
+  xnlock.program:            program [args]
+  xnlock.ignorePasswd:       True/False
+  xnlock.acceptRootPasswd:   True/False
+
+FILES
+  _x_n_l_o_c_k               executable file
+  ~/.msgfile                 default message file
+
+AUTHOR
+  Dan Heller <argv@sun.com>  Copyright (c) 1985, 1990.
+  The original version of this program was written using pixrects on a Sun 2
+  running SunOS 1.1.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/crypto/heimdal/cf/ChangeLog b/crypto/heimdal/cf/ChangeLog
new file mode 100644
index 0000000..e56198a
--- /dev/null
+++ b/crypto/heimdal/cf/ChangeLog
@@ -0,0 +1,409 @@
+2001-03-26  Assar Westerlund  <assar@sics.se>
+
+	* broken-glob.m4: also test for GLOB_LIMIT
+	* krb-ipv6.m4: restore CFLAGS if v6 is not detected
+
+2001-02-20  Assar Westerlund  <assar@sics.se>
+
+	* roken-frag.m4: check for getprogname, setprogname
+
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (LIB_kdfs): set.  use it.  from Ake Sandgren
+ 	<ake@cs.umu.se>
+
+2000-12-26  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: remove some dnl that weren't the correct with
+	modern autoconf
+
+2000-12-15  Assar Westerlund  <assar@sics.se>
+
+	* roken-frag.m4 (inet_ntoa, inet_ntop, inet_pton): add necessary
+	includes when testing
+	* broken2.m4: new variant of broken, with includes and arguments
+
+	* test-package.m4: s/ifval/m4_ifval/ to keep in sync with
+ 	autoconf.  from Ake Sandgren <ake@cs.umu.se>
+	* check-var.m4: s/ifval/m4_ifval/ to keep in sync with autoconf.
+  	from Ake Sandgren <ake@cs.umu.se>
+
+2000-12-13  Assar Westerlund  <assar@sics.se>
+
+	* krb-irix.m4: need to set irix to no first.  From Ake Sandgren
+	<ake@cs.umu.se>
+
+2000-12-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: move sa_len test to before test for broken
+	getnameinfo
+
+2000-12-12  Assar Westerlund  <assar@sics.se>
+
+	* roken-frag.m4: only test for broken getnameinfo if it exists
+
+2000-12-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: ifaddrs.h
+
+2000-12-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: test for unvis, and vis.h
+
+	* roken-frag.m4: test for strvis*
+
+2000-12-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am.common: just warn if we fail to setuid a program
+
+	* broken-getnameinfo.m4: add more quotes
+
+	* roken-frag.m4: test for getifaddrs
+
+	* roken-frag.m4: test for broken AIX getnameinfo
+
+	* broken-getnameinfo.m4: test for broken getnameinfo
+
+2000-12-01  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common: add kludge for LIBS
+
+2000-11-30  Johan Danielsson  <joda@pdc.kth.se>
+
+	* check-man.m4: update this after recent changes
+
+	* Makefile.am.common: use install-catman.sh
+
+	* install-catman.sh: script to install preformatted manual pages
+
+	* Makefile.am.common: change cat handling
+
+2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: don't use AC_CONFIG_FILES here, since it doesn't
+	work with automake
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* krb-readline.m4: link against the libtool-versions of
+	libeditline and libel_compat
+
+	* Makefile.am.common (INCLUDES): add $(INCLUDES_roken)
+	* roken-frag.m4 (CPPFLAGS_roken): rename to INCLUDES_roken
+
+2000-11-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* aix.m4: set aix
+
+2000-08-19  Assar Westerlund  <assar@sics.se>
+
+	* krb-bigendian.m4: merge from arla: make it work better
+
+2000-08-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-frag.m4: check getsockname for proto compat
+
+2000-08-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am.common: add library for pidfile
+
+	* roken-frag.m4: tests for util.h and pidfile
+
+2000-07-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* check-var.m4: rename to rk_CHECK_VAR, transposing the arguments,
+	and making the second optional, AU_DEFINE AC_CHECK_VAR to
+	rk_CHECK_VAR
+
+	* roken-frag.m4: other roken tests
+
+	* db.m4: db tests
+
+2000-07-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* mips-abi.m4: AC_ERROR -> AC_MSG_ERROR
+
+	* check-netinet-ip-and-tcp.m4: use cache_check, and make this work
+	with new autoconf
+
+	* aix.m4: don't subst AFS_EXTRA_LD
+
+2000-07-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* check-var.m4: workaround feature of newer autoconf
+
+	* find-func-no-libs2.m4: use cleaner autoheader trick
+
+	* have-type.m4: use cleaner autoheader trick
+
+	* have-types.m4: use cleaner autoheader trick
+
+	* test-package.m4: add 6th parameter for now
+
+	* broken.m4: use cleaner autoheader trick
+
+	* retsigtype.m4: test for signal handler return type
+
+	* broken-realloc.m4: test for broken realloc
+
+2000-07-08  Assar Westerlund  <assar@sics.se>
+
+	* roken.m4: set CPPFLAGS_roken and call AC_CONFIG_SUBDIRS
+
+2000-07-02  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (CP): set and use
+
+2000-04-05  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (INCLUDE_openldap, LIB_openldap): add
+
+2000-03-28  Assar Westerlund  <assar@sics.se>
+
+	* krb-prog-yacc.m4: AC_MSG_WARNING should be AC_MSG_WARN
+
+	* shared-libs.m4: try to update to freebsd5 (and elf)
+
+2000-03-16  Assar Westerlund  <assar@sics.se>
+
+	* krb-prog-yacc.m4: warn we do not find any yacc
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* krb-bigendian.m4: new file, replacement for ac_c_bigendian
+
+2000-01-01  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: re-organize: test for type of stack first so that
+	we can find the libraries that we might have to link the test
+	program against.  not linking the test program means we don't know
+	if the right stuff is in the libraries.  also cosmetic changes to
+	make sure we print the checking for... nicely
+
+1999-12-21  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: try linking, not only compiling
+	* krb-ipv6.m4: add --without-ipv6 make sure we have `in6addr_any'
+ 	which we use in the code.  This test avoids false positives on
+ 	OpenBSD
+
+1999-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* grok-type.m4: inttypes.h
+
+1999-11-05  Assar Westerlund  <assar@sics.se>
+
+	* check-x.m4: include X_PRE_LIBS and X_EXTRA_LIBS when testing
+
+1999-11-01  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install-build-headers): use `cp' instead of
+ 	INSTALL_DATA for copying header files inside the build tree.  The
+ 	user might have redefined INSTALL_DATA to specify owners and other
+ 	information.
+
+1999-10-30  Assar Westerlund  <assar@sics.se>
+
+	* find-func-no-libs2.m4: add yet another argument to allow specify
+ 	linker flags that will be added _before_ the library when trying
+ 	to link
+
+	* find-func-no-libs.m4: add yet another argument to allow specify
+ 	linker flags that will be added _before_ the library when trying
+ 	to link
+
+1999-10-12  Assar Westerlund  <assar@sics.se>
+
+	* find-func-no-libs2.m4 (AC_FIND_FUNC_NO_LIBS2): new argument
+ 	`extra libs'
+
+	* find-func-no-libs.m4 (AC_FIND_FUNC_NO_LIBS): new argument `extra
+ 	libs'
+
+1999-09-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* capabilities.m4: sgi capabilities
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* have-struct-field.m4: quote macros when undefining
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install-build-headers): add dependencies
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+	
+	* have-type.m4: try to get autoheader to co-operate
+
+	* have-type.m4: stolen from Arla
+
+	* krb-struct-sockaddr-sa-len.m4: not used any longer.  removed.
+
+1999-06-13  Assar Westerlund  <assar@sics.se>
+
+	* krb-struct-spwd.m4: consequent name of cache variables
+
+	* krb-func-getlogin.m4: new file for testing for posix (broken)
+ 	getlogin
+
+	* shared-libs.m4 (freebsd[34]): don't use ld -Bshareable
+
+1999-06-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* check-x.m4: extended test for X
+	
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* check-netinet-ip-and-tcp.m4: proper autoheader tricks
+
+	* check-netinet-ip-and-tcp.m4: new file for checking for
+ 	netinet/{ip,tcp}.h.  These are special as they on Irix 6.5.3
+	require <standards.h> to be included in advance.
+ 
+	* check-xau.m4: we also need to check for XauFilename since it's
+ 	used by appl/kx.  And on Irix 6.5 that function requires linking
+ 	with -lX11.
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* krb-find-db.m4: try with more header files than ndbm.h
+
+1999-04-19  Assar Westerlund  <assar@sics.se>
+
+	* test-package.m4: try to handle the case of --without-package
+ 	correctly
+
+1999-04-17  Assar Westerlund  <assar@sics.se>
+
+	* make-aclocal: removed.  Not used anymore, being replaced by
+	aclocal from automake.
+
+Thu Apr 15 14:17:26 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* make-proto.pl: handle __attribute__
+
+Fri Apr  9 20:37:18 1999  Assar Westerlund  <assar@sics.se>
+
+	* shared-libs.m4: quote $@
+	(freebsd3): add install_symlink_command2
+
+Wed Apr  7 20:40:22 1999  Assar Westerlund  <assar@sics.se>
+
+	* shared-libs.m4 (hpux): no library dependencies
+
+Mon Apr  5 16:13:08 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* test-package.m4: compile and link, rather than looking for
+ 	files; also export more information, so it's possible to add rpath
+ 	information
+
+Tue Mar 30 13:49:54 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am.common: CFLAGS -> AM_CFLAGS
+
+Mon Mar 29 16:51:12 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* check-xau.m4: check for XauWriteAuth before checking for
+ 	XauReadAuth to catch -lX11:s not containing XauWriteAuth, and IRIX
+ 	6.5 that doesn't work with -lXau
+
+Sat Mar 27 18:03:58 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* osfc2.m4: --enable-osfc2
+
+Fri Mar 19 15:34:52 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* shared-libs.m4: move shared lib stuff here
+
+Wed Mar 24 23:24:51 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install-build-headers): simplify loop
+
+Tue Mar 23 17:31:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* check-getpwnam_r-posix.m4: check for getpwnam_r, and if it's
+ 	posix or not
+
+Tue Mar 23 00:00:13 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install_build_headers): try to make it work
+ 	better when list of headers is empty.  handle make rewriting the
+ 	filenames.
+
+	* Makefile.am.common: hesoid -> hesiod
+
+Sun Mar 21 14:48:03 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* grok-type.m4: <bind/bitypes.h>
+
+	* Makefile.am.common: fix for automake bug/feature; add more LIB_*
+
+	* test-package.m4: fix typo
+
+	* check-man.m4: fix some typos
+
+	* auth-modules.m4: tests for authentication modules
+
+Thu Mar 18 11:02:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am.common: make install-build-headers a multi
+ 	dependency target
+
+	* Makefile.am.common: remove include_dir hack
+
+	* Makefile.am.common: define LIB_kafs and LIB_gssapi
+
+	* krb-find-db.m4: subst DBLIB also
+
+	* check-xau.m4: test for Xau{Read,Write}Auth
+
+Wed Mar 10 19:29:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* wflags.m4: AC_WFLAGS
+
+Mon Mar  1 11:23:41 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* have-struct-field.m4: remove extra AC_MSG_RESULT
+
+	* proto-compat.m4: typo
+
+	* krb-func-getcwd-broken.m4: update to autoconf 2.13
+
+	* krb-find-db.m4: update to autoconf 2.13
+
+	* check-declaration.m4: typo
+
+	* have-pragma-weak.m4: update to autoconf 2.13
+
+	* have-struct-field.m4: better handling of types with spaces
+
+Mon Feb 22 20:05:06 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* broken-glob.m4: check for broken glob
+
+Sun Jan 31 06:50:33 1999  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: more magic for different v6 implementations.  From
+ 	Jun-ichiro itojun Hagino <itojun@kame.net>
+
+Sun Nov 22 12:16:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* krb-struct-spwd.m4: new file
+
+Thu Jun  4 04:07:41 1998  Assar Westerlund  <assar@sics.se>
+
+	* find-func-no-libs2.m4: new file
+
+Fri May  1 23:31:28 1998  Assar Westerlund  <assar@sics.se>
+
+	* c-attribute.m4, c-function.m4: new files (from arla)
+
+Wed Mar 18 23:11:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6
+
+Thu Feb 26 02:37:49 1998  Assar Westerlund  <assar@sics.se>
+
+	* make-proto.pl: should work with perl4
+
diff --git a/crypto/heimdal/cf/Makefile.am.common b/crypto/heimdal/cf/Makefile.am.common
new file mode 100644
index 0000000..963460c
--- /dev/null
+++ b/crypto/heimdal/cf/Makefile.am.common
@@ -0,0 +1,181 @@
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS += $(WFLAGS)
+
+CP	= cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+## set build_HEADERZ to headers that should just be installed in build tree
+
+buildinclude = $(top_builddir)/include
+
+## these aren't detected by automake
+LIB_XauReadAuth		= @LIB_XauReadAuth@
+LIB_crypt		= @LIB_crypt@
+LIB_dbm_firstkey	= @LIB_dbm_firstkey@
+LIB_dbopen		= @LIB_dbopen@
+LIB_dlopen		= @LIB_dlopen@
+LIB_dn_expand		= @LIB_dn_expand@
+LIB_el_init		= @LIB_el_init@
+LIB_getattr		= @LIB_getattr@
+LIB_gethostbyname	= @LIB_gethostbyname@
+LIB_getpwent_r		= @LIB_getpwent_r@
+LIB_getpwnam_r		= @LIB_getpwnam_r@
+LIB_getsockopt		= @LIB_getsockopt@
+LIB_logout		= @LIB_logout@
+LIB_logwtmp		= @LIB_logwtmp@
+LIB_odm_initialize	= @LIB_odm_initialize@
+LIB_pidfile		= @LIB_pidfile@
+LIB_readline		= @LIB_readline@
+LIB_res_search		= @LIB_res_search@
+LIB_setpcred		= @LIB_setpcred@
+LIB_setsockopt		= @LIB_setsockopt@
+LIB_socket		= @LIB_socket@
+LIB_syslog		= @LIB_syslog@
+LIB_tgetent		= @LIB_tgetent@
+
+LIBS			= @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+LIB_readline = @LIB_readline@
+
+LEXLIB = @LEXLIB@
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+SUFFIXES += .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+
+NROFF_MAN = groff -mandoc -Tascii
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+## MAINTAINERCLEANFILES += 
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+if KRB4
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+endif
+
+if KRB5
+LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la
+LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+endif
+
+if DCE
+LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+endif
diff --git a/crypto/heimdal/cf/aix.m4 b/crypto/heimdal/cf/aix.m4
new file mode 100644
index 0000000..25aaa2a
--- /dev/null
+++ b/crypto/heimdal/cf/aix.m4
@@ -0,0 +1,39 @@
+dnl
+dnl $Id: aix.m4,v 1.5 2000/11/05 17:15:46 joda Exp $
+dnl
+
+AC_DEFUN(KRB_AIX,[
+aix=no
+case "$host" in 
+*-*-aix3*)
+	aix=3
+	;;
+*-*-aix4*)
+	aix=4
+	;;
+esac
+AM_CONDITIONAL(AIX, test "$aix" != no)dnl
+AM_CONDITIONAL(AIX4, test "$aix" = 4)
+aix_dynamic_afs=yes
+AM_CONDITIONAL(AIX_DYNAMIC_AFS, test "$aix_dynamic_afs" = yes)dnl
+
+AC_FIND_FUNC_NO_LIBS(dlopen, dl)
+
+if test "$aix" != no; then
+	if test "$aix_dynamic_afs" = yes; then
+		if test "$ac_cv_funclib_dlopen" = yes; then
+			AIX_EXTRA_KAFS=
+		elif test "$ac_cv_funclib_dlopen" != no; then
+			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
+		else
+			AIX_EXTRA_KAFS=-lld
+		fi
+	else
+		AIX_EXTRA_KAFS=
+	fi
+fi
+
+AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no)dnl
+AC_SUBST(AIX_EXTRA_KAFS)dnl
+
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/auth-modules.m4 b/crypto/heimdal/cf/auth-modules.m4
new file mode 100644
index 0000000..2f11c73
--- /dev/null
+++ b/crypto/heimdal/cf/auth-modules.m4
@@ -0,0 +1,27 @@
+dnl $Id: auth-modules.m4,v 1.1 1999/03/21 13:48:00 joda Exp $
+dnl
+dnl Figure what authentication modules should be built
+
+AC_DEFUN(AC_AUTH_MODULES,[
+AC_MSG_CHECKING(which authentication modules should be built)
+
+LIB_AUTH_SUBDIRS=
+
+if test "$ac_cv_header_siad_h" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia"
+fi
+
+if test "$ac_cv_header_security_pam_modules_h" = yes -a "$enable_shared" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam"
+fi
+
+case "${host}" in
+changequote(,)dnl
+*-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
+changequote([,])dnl
+esac
+
+AC_MSG_RESULT($LIB_AUTH_SUBDIRS)
+
+AC_SUBST(LIB_AUTH_SUBDIRS)dnl
+])
diff --git a/crypto/heimdal/cf/broken-getnameinfo.m4 b/crypto/heimdal/cf/broken-getnameinfo.m4
new file mode 100644
index 0000000..da206c0
--- /dev/null
+++ b/crypto/heimdal/cf/broken-getnameinfo.m4
@@ -0,0 +1,28 @@
+dnl $Id: broken-getnameinfo.m4,v 1.2 2000/12/05 09:09:00 joda Exp $
+dnl
+dnl test for broken AIX getnameinfo
+
+AC_DEFUN(rk_BROKEN_GETNAMEINFO,[
+AC_CACHE_CHECK([if getnameinfo is broken], ac_cv_func_getnameinfo_broken,
+AC_TRY_RUN([[#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+int
+main(int argc, char **argv)
+{
+  struct sockaddr_in sin;
+  char host[256];
+  memset(&sin, 0, sizeof(sin));
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+  sin.sin_len = sizeof(sin);
+#endif
+  sin.sin_family = AF_INET;
+  sin.sin_addr.s_addr = 0xffffffff;
+  sin.sin_port = 0;
+  return getnameinfo((struct sockaddr*)&sin, sizeof(sin), host, sizeof(host),
+	      NULL, 0, 0);
+}
+]], ac_cv_func_getnameinfo_broken=no, ac_cv_func_getnameinfo_broken=yes))])
diff --git a/crypto/heimdal/cf/broken-glob.m4 b/crypto/heimdal/cf/broken-glob.m4
new file mode 100644
index 0000000..149c957
--- /dev/null
+++ b/crypto/heimdal/cf/broken-glob.m4
@@ -0,0 +1,23 @@
+dnl $Id: broken-glob.m4,v 1.3 2001/03/26 11:40:24 assar Exp $
+dnl
+dnl check for glob(3)
+dnl
+AC_DEFUN(AC_BROKEN_GLOB,[
+AC_CACHE_CHECK(for working glob, ac_cv_func_glob_working,
+ac_cv_func_glob_working=yes
+AC_TRY_LINK([
+#include <stdio.h>
+#include <glob.h>],[
+glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|GLOB_LIMIT,
+NULL, NULL);
+],:,ac_cv_func_glob_working=no,:))
+
+if test "$ac_cv_func_glob_working" = yes; then
+	AC_DEFINE(HAVE_GLOB, 1, [define if you have a glob() that groks 
+	GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, GLOB_TILDE, and GLOB_LIMIT])
+fi
+if test "$ac_cv_func_glob_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>
+#include <glob.h>],glob)
+fi
+])
diff --git a/crypto/heimdal/cf/broken-realloc.m4 b/crypto/heimdal/cf/broken-realloc.m4
new file mode 100644
index 0000000..1569255
--- /dev/null
+++ b/crypto/heimdal/cf/broken-realloc.m4
@@ -0,0 +1,26 @@
+dnl
+dnl $Id: broken-realloc.m4,v 1.1 2000/07/15 18:05:36 joda Exp $
+dnl
+dnl Test for realloc that doesn't handle NULL as first parameter
+dnl
+AC_DEFUN(rk_BROKEN_REALLOC, [
+AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [
+ac_cv_func_realloc_broken=no
+AC_TRY_RUN([
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+],:, ac_cv_func_realloc_broken=yes, :)
+])
+if test "$ac_cv_func_realloc_broken" = yes ; then
+	AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL) doesn't work.])
+fi
+AH_BOTTOM([#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif])
+])
diff --git a/crypto/heimdal/cf/broken-snprintf.m4 b/crypto/heimdal/cf/broken-snprintf.m4
new file mode 100644
index 0000000..efd69f0
--- /dev/null
+++ b/crypto/heimdal/cf/broken-snprintf.m4
@@ -0,0 +1,58 @@
+dnl $Id: broken-snprintf.m4,v 1.3 1999/03/01 09:52:22 joda Exp $
+dnl
+AC_DEFUN(AC_BROKEN_SNPRINTF, [
+AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working,
+ac_cv_func_snprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+changequote(`,')dnl
+	char foo[3];
+changequote([,])dnl
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}],:,ac_cv_func_snprintf_working=no,:))
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_SNPRINTF, 1, [define if you have a working snprintf])
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],snprintf)
+fi
+])
+
+AC_DEFUN(AC_BROKEN_VSNPRINTF,[
+AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working,
+ac_cv_func_vsnprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+int foo(int num, ...)
+{
+changequote(`,')dnl
+	char bar[3];
+changequote([,])dnl
+	va_list arg;
+	va_start(arg, num);
+	vsnprintf(bar, 2, "%s", arg);
+	va_end(arg);
+	return strcmp(bar, "1");
+}
+
+
+int main()
+{
+	return foo(0, "12");
+}],:,ac_cv_func_vsnprintf_working=no,:))
+
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_VSNPRINTF, 1, [define if you have a working vsnprintf])
+fi
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],vsnprintf)
+fi
+])
diff --git a/crypto/heimdal/cf/broken.m4 b/crypto/heimdal/cf/broken.m4
new file mode 100644
index 0000000..911ed27
--- /dev/null
+++ b/crypto/heimdal/cf/broken.m4
@@ -0,0 +1,18 @@
+dnl $Id: broken.m4,v 1.4 2000/07/15 18:06:36 joda Exp $
+dnl
+dnl
+dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal
+dnl libraries 
+
+AC_DEFUN(AC_BROKEN,
+[for ac_func in $1
+do
+AC_CHECK_FUNC($ac_func, [
+ac_tr_func=HAVE_[]upcase($ac_func)
+AC_DEFINE_UNQUOTED($ac_tr_func)],[LIBOBJS[]="$LIBOBJS ${ac_func}.o"])
+if false; then
+	AC_CHECK_FUNCS($1)
+fi
+done
+AC_SUBST(LIBOBJS)dnl
+])
diff --git a/crypto/heimdal/cf/broken2.m4 b/crypto/heimdal/cf/broken2.m4
new file mode 100644
index 0000000..78a3dcb
--- /dev/null
+++ b/crypto/heimdal/cf/broken2.m4
@@ -0,0 +1,35 @@
+dnl $Id: broken2.m4,v 1.1 2000/12/15 14:27:33 assar Exp $
+dnl
+dnl AC_BROKEN but with more arguments
+
+dnl AC_BROKEN2(func, includes, arguments)
+AC_DEFUN(AC_BROKEN2,
+[for ac_func in $1
+do
+AC_MSG_CHECKING([for $ac_func])
+AC_CACHE_VAL(ac_cv_func_$ac_func,
+[AC_TRY_LINK([$2],
+[
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$1) || defined (__stub___$1)
+choke me
+#else
+$ac_func($3)
+#endif
+], [eval "ac_cv_func_$ac_func=yes"], [eval "ac_cv_func_$ac_func=no"])])
+if eval "test \"\${ac_cv_func_$ac_func}\" = yes"; then
+  ac_tr_func=HAVE_[]upcase($ac_func)
+  AC_DEFINE_UNQUOTED($ac_tr_func)
+  AC_MSG_RESULT(yes)
+else
+  AC_MSG_RESULT(no)
+  LIBOBJS[]="$LIBOBJS ${ac_func}.o"
+fi
+done
+if false; then
+	AC_CHECK_FUNCS($1)
+fi
+AC_SUBST(LIBOBJS)dnl
+])
diff --git a/crypto/heimdal/cf/c-attribute.m4 b/crypto/heimdal/cf/c-attribute.m4
new file mode 100644
index 0000000..87cea03
--- /dev/null
+++ b/crypto/heimdal/cf/c-attribute.m4
@@ -0,0 +1,31 @@
+dnl
+dnl $Id: c-attribute.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+
+dnl
+dnl Test for __attribute__
+dnl
+
+AC_DEFUN(AC_C___ATTRIBUTE__, [
+AC_MSG_CHECKING(for __attribute__)
+AC_CACHE_VAL(ac_cv___attribute__, [
+AC_TRY_COMPILE([
+#include <stdlib.h>
+],
+[
+static void foo(void) __attribute__ ((noreturn));
+
+static void
+foo(void)
+{
+  exit(1);
+}
+],
+ac_cv___attribute__=yes,
+ac_cv___attribute__=no)])
+if test "$ac_cv___attribute__" = "yes"; then
+  AC_DEFINE(HAVE___ATTRIBUTE__, 1, [define if your compiler has __attribute__])
+fi
+AC_MSG_RESULT($ac_cv___attribute__)
+])
+
diff --git a/crypto/heimdal/cf/c-function.m4 b/crypto/heimdal/cf/c-function.m4
new file mode 100644
index 0000000..b16d556
--- /dev/null
+++ b/crypto/heimdal/cf/c-function.m4
@@ -0,0 +1,33 @@
+dnl
+dnl $Id: c-function.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+
+dnl
+dnl Test for __FUNCTION__
+dnl
+
+AC_DEFUN(AC_C___FUNCTION__, [
+AC_MSG_CHECKING(for __FUNCTION__)
+AC_CACHE_VAL(ac_cv___function__, [
+AC_TRY_RUN([
+#include <string.h>
+
+static char *foo()
+{
+  return __FUNCTION__;
+}
+
+int main()
+{
+  return strcmp(foo(), "foo") != 0;
+}
+],
+ac_cv___function__=yes,
+ac_cv___function__=no,
+ac_cv___function__=no)])
+if test "$ac_cv___function__" = "yes"; then
+  AC_DEFINE(HAVE___FUNCTION__, 1, [define if your compiler has __FUNCTION__])
+fi
+AC_MSG_RESULT($ac_cv___function__)
+])
+
diff --git a/crypto/heimdal/cf/capabilities.m4 b/crypto/heimdal/cf/capabilities.m4
new file mode 100644
index 0000000..6d2669b
--- /dev/null
+++ b/crypto/heimdal/cf/capabilities.m4
@@ -0,0 +1,14 @@
+dnl
+dnl $Id: capabilities.m4,v 1.2 1999/09/01 11:02:26 joda Exp $
+dnl
+
+dnl
+dnl Test SGI capabilities
+dnl
+
+AC_DEFUN(KRB_CAPABILITIES,[
+
+AC_CHECK_HEADERS(capability.h sys/capability.h)
+
+AC_CHECK_FUNCS(sgi_getcapabilitybyname cap_set_proc)
+])
diff --git a/crypto/heimdal/cf/check-declaration.m4 b/crypto/heimdal/cf/check-declaration.m4
new file mode 100644
index 0000000..5f584e5
--- /dev/null
+++ b/crypto/heimdal/cf/check-declaration.m4
@@ -0,0 +1,25 @@
+dnl $Id: check-declaration.m4,v 1.3 1999/03/01 13:03:08 joda Exp $
+dnl
+dnl
+dnl Check if we need the declaration of a variable
+dnl
+
+dnl AC_HAVE_DECLARATION(includes, variable)
+AC_DEFUN(AC_CHECK_DECLARATION, [
+AC_MSG_CHECKING([if $2 is properly declared])
+AC_CACHE_VAL(ac_cv_var_$2_declaration, [
+AC_TRY_COMPILE([$1
+extern struct { int foo; } $2;],
+[$2.foo = 1;],
+eval "ac_cv_var_$2_declaration=no",
+eval "ac_cv_var_$2_declaration=yes")
+])
+
+define(foo, [HAVE_]translit($2, [a-z], [A-Z])[_DECLARATION])
+
+AC_MSG_RESULT($ac_cv_var_$2_declaration)
+if eval "test \"\$ac_cv_var_$2_declaration\" = yes"; then
+	AC_DEFINE(foo, 1, [define if your system declares $2])
+fi
+undefine([foo])
+])
diff --git a/crypto/heimdal/cf/check-getpwnam_r-posix.m4 b/crypto/heimdal/cf/check-getpwnam_r-posix.m4
new file mode 100644
index 0000000..cc75666
--- /dev/null
+++ b/crypto/heimdal/cf/check-getpwnam_r-posix.m4
@@ -0,0 +1,24 @@
+dnl $Id: check-getpwnam_r-posix.m4,v 1.2 1999/03/23 16:47:31 joda Exp $
+dnl
+dnl check for getpwnam_r, and if it's posix or not
+
+AC_DEFUN(AC_CHECK_GETPWNAM_R_POSIX,[
+AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r)
+if test "$ac_cv_func_getpwnam_r" = yes; then
+	AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix,
+	ac_libs="$LIBS"
+	LIBS="$LIBS $LIB_getpwnam_r"
+	AC_TRY_RUN([
+#include <pwd.h>
+int main()
+{
+	struct passwd pw, *pwd;
+	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
+}
+],ac_cv_func_getpwnam_r_posix=yes,ac_cv_func_getpwnam_r_posix=no,:)
+LIBS="$ac_libs")
+if test "$ac_cv_func_getpwnam_r_posix" = yes; then
+	AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.])
+fi
+fi
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/check-man.m4 b/crypto/heimdal/cf/check-man.m4
new file mode 100644
index 0000000..adf5477
--- /dev/null
+++ b/crypto/heimdal/cf/check-man.m4
@@ -0,0 +1,58 @@
+dnl $Id: check-man.m4,v 1.3 2000/11/30 01:47:17 joda Exp $
+dnl check how to format manual pages
+dnl
+
+AC_DEFUN(rk_CHECK_MAN,
+[AC_PATH_PROG(NROFF, nroff)
+AC_PATH_PROG(GROFF, groff)
+AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format,
+[cat > conftest.1 << END
+.Dd January 1, 1970
+.Dt CONFTEST 1
+.Sh NAME
+.Nm conftest
+.Nd
+foobar
+END
+
+if test "$NROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$NROFF" $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$NROFF $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$GROFF -Tascii $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format"; then
+	ac_cv_sys_man_format="$ac_cv_sys_man_format \[$]< > \[$]@"
+fi
+])
+if test "$ac_cv_sys_man_format"; then
+	CATMAN="$ac_cv_sys_man_format"
+	AC_SUBST(CATMAN)
+fi
+AM_CONDITIONAL(CATMAN, test "$CATMAN")
+AC_CACHE_CHECK(extension of pre-formatted manual pages,ac_cv_sys_catman_ext,
+[if grep _suffix /etc/man.conf > /dev/null 2>&1; then
+	ac_cv_sys_catman_ext=0
+else
+	ac_cv_sys_catman_ext=number
+fi
+])
+if test "$ac_cv_sys_catman_ext" = number; then
+	CATMANEXT='$$section'
+else
+	CATMANEXT=0
+fi
+AC_SUBST(CATMANEXT)
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4 b/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4
new file mode 100644
index 0000000..70b58f5
--- /dev/null
+++ b/crypto/heimdal/cf/check-netinet-ip-and-tcp.m4
@@ -0,0 +1,33 @@
+dnl
+dnl $Id: check-netinet-ip-and-tcp.m4,v 1.3 2000/07/18 10:33:02 joda Exp $
+dnl
+
+dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3
+dnl you have to include standards.h before including these files
+
+AC_DEFUN(CHECK_NETINET_IP_AND_TCP,
+[
+AC_CHECK_HEADERS(standards.h)
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+AC_CACHE_CHECK([for $i],ac_cv_header_$cv,
+[AC_TRY_CPP([\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+],
+eval "ac_cv_header_$cv=yes",
+eval "ac_cv_header_$cv=no")])
+ac_res=`eval echo \\$ac_cv_header_$cv`
+if test "$ac_res" = yes; then
+	ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+	AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+fi
+done
+if false;then
+	AC_CHECK_HEADERS(netinet/ip.h netinet/tcp.h)
+fi
+])
diff --git a/crypto/heimdal/cf/check-type-extra.m4 b/crypto/heimdal/cf/check-type-extra.m4
new file mode 100644
index 0000000..e6af4bd
--- /dev/null
+++ b/crypto/heimdal/cf/check-type-extra.m4
@@ -0,0 +1,23 @@
+dnl $Id: check-type-extra.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl ac_check_type + extra headers
+
+dnl AC_CHECK_TYPE_EXTRA(TYPE, DEFAULT, HEADERS)
+AC_DEFUN(AC_CHECK_TYPE_EXTRA,
+[AC_REQUIRE([AC_HEADER_STDC])dnl
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_type_$1,
+[AC_EGREP_CPP(dnl
+changequote(<<,>>)dnl
+<<$1[^a-zA-Z_0-9]>>dnl
+changequote([,]), [#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$3], ac_cv_type_$1=yes, ac_cv_type_$1=no)])dnl
+AC_MSG_RESULT($ac_cv_type_$1)
+if test $ac_cv_type_$1 = no; then
+  AC_DEFINE($1, $2, [Define this to what the type $1 should be.])
+fi
+])
diff --git a/crypto/heimdal/cf/check-var.m4 b/crypto/heimdal/cf/check-var.m4
new file mode 100644
index 0000000..8041c32
--- /dev/null
+++ b/crypto/heimdal/cf/check-var.m4
@@ -0,0 +1,22 @@
+dnl $Id: check-var.m4,v 1.5 2000/12/15 04:54:06 assar Exp $
+dnl
+dnl rk_CHECK_VAR(variable, includes)
+AC_DEFUN([rk_CHECK_VAR], [
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_var_$1, [
+AC_TRY_LINK([extern int $1;
+int foo() { return $1; }],
+	    [foo()],
+	    ac_cv_var_$1=yes, ac_cv_var_$1=no)
+])
+ac_foo=`eval echo \\$ac_cv_var_$1`
+AC_MSG_RESULT($ac_foo)
+if test "$ac_foo" = yes; then
+	AC_DEFINE_UNQUOTED(AC_TR_CPP(HAVE_[]$1), 1, 
+		[Define if you have the `]$1[' variable.])
+	m4_ifval([$2], AC_CHECK_DECLARATION([$2],[$1]))
+fi
+])
+
+AC_WARNING_ENABLE([obsolete])
+AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/check-x.m4 b/crypto/heimdal/cf/check-x.m4
new file mode 100644
index 0000000..1791e5a
--- /dev/null
+++ b/crypto/heimdal/cf/check-x.m4
@@ -0,0 +1,52 @@
+dnl 
+dnl See if there is any X11 present
+dnl
+dnl $Id: check-x.m4,v 1.2 1999/11/05 04:25:23 assar Exp $
+
+AC_DEFUN(KRB_CHECK_X,[
+AC_PATH_XTRA
+
+# try to figure out if we need any additional ld flags, like -R
+# and yes, the autoconf X test is utterly broken
+if test "$no_x" != yes; then
+	AC_CACHE_CHECK(for special X linker flags,krb_cv_sys_x_libs_rpath,[
+	ac_save_libs="$LIBS"
+	ac_save_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS $X_CFLAGS"
+	krb_cv_sys_x_libs_rpath=""
+	krb_cv_sys_x_libs=""
+	for rflag in "" "-R" "-R " "-rpath "; do
+		if test "$rflag" = ""; then
+			foo="$X_LIBS"
+		else
+			foo=""
+			for flag in $X_LIBS; do
+			case $flag in
+			-L*)
+				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
+				;;
+			*)
+				foo="$foo $flag"
+				;;
+			esac
+			done
+		fi
+		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
+		AC_TRY_RUN([
+		#include <X11/Xlib.h>
+		foo()
+		{
+		XOpenDisplay(NULL);
+		}
+		main()
+		{
+		return 0;
+		}
+		], krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:)
+	done
+	LIBS="$ac_save_libs"
+	CFLAGS="$ac_save_cflags"
+	])
+	X_LIBS="$krb_cv_sys_x_libs"
+fi
+])
diff --git a/crypto/heimdal/cf/check-xau.m4 b/crypto/heimdal/cf/check-xau.m4
new file mode 100644
index 0000000..bad2a60
--- /dev/null
+++ b/crypto/heimdal/cf/check-xau.m4
@@ -0,0 +1,64 @@
+dnl $Id: check-xau.m4,v 1.3 1999/05/14 01:17:06 assar Exp $
+dnl
+dnl check for Xau{Read,Write}Auth and XauFileName
+dnl
+AC_DEFUN(AC_CHECK_XAU,[
+save_CFLAGS="$CFLAGS"
+CFLAGS="$X_CFLAGS $CFLAGS"
+save_LIBS="$LIBS"
+dnl LIBS="$X_LIBS $X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $X_LIBS"
+
+## check for XauWriteAuth first, so we detect the case where
+## XauReadAuth is in -lX11, but XauWriteAuth is only in -lXau this
+## could be done by checking for XauReadAuth in -lXau first, but this
+## breaks in IRIX 6.5
+
+AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau)
+ac_xxx="$LIBS"
+LIBS="$LIB_XauWriteAuth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau)
+LIBS="$LIB_XauReadAauth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau)
+LIBS="$ac_xxx"
+
+## set LIB_XauReadAuth to union of these tests, since this is what the
+## Makefiles are using
+case "$ac_cv_funclib_XauWriteAuth" in
+yes)	;;
+no)	;;
+*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	else
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	fi
+	;;
+esac
+
+if test "$AUTOMAKE" != ""; then
+	AM_CONDITIONAL(NEED_WRITEAUTH, test "$ac_cv_func_XauWriteAuth" != "yes")
+else
+	AC_SUBST(NEED_WRITEAUTH_TRUE)
+	AC_SUBST(NEED_WRITEAUTH_FALSE)
+	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+		NEED_WRITEAUTH_TRUE=
+		NEED_WRITEAUTH_FALSE='#'
+	else
+		NEED_WRITEAUTH_TRUE='#'
+		NEED_WRITEAUTH_FALSE=
+	fi
+fi
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+LDFLAGS=$save_LDFLAGS
+])
diff --git a/crypto/heimdal/cf/db.m4 b/crypto/heimdal/cf/db.m4
new file mode 100644
index 0000000..c147569
--- /dev/null
+++ b/crypto/heimdal/cf/db.m4
@@ -0,0 +1,40 @@
+dnl $Id: db.m4,v 1.1 2000/07/19 11:21:07 joda Exp $
+dnl
+dnl tests for various db libraries
+dnl
+AC_DEFUN([rk_DB],[berkeley_db=db
+AC_ARG_WITH(berkeley-db,
+[  --without-berkeley-db   if you don't want berkeley db],[
+if test "$withval" = no; then
+	berkeley_db=""
+fi
+])
+if test "$berkeley_db"; then
+  AC_CHECK_HEADERS([				\
+	db.h					\
+	db_185.h				\
+  ])
+fi
+
+AC_FIND_FUNC_NO_LIBS2(dbopen, $berkeley_db, [
+#include <stdio.h>
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+],[NULL, 0, 0, 0, NULL])
+
+AC_FIND_FUNC_NO_LIBS(dbm_firstkey, $berkeley_db gdbm ndbm)
+AC_FIND_FUNC_NO_LIBS(db_create, $berkeley_db)
+
+DBLIB="$LIB_dbopen"
+if test "$LIB_dbopen" != "$LIB_db_create"; then
+        DBLIB="$DBLIB $LIB_db_create"
+fi
+if test "$LIB_dbopen" != "$LIB_dbm_firstkey"; then
+	DBLIB="$DBLIB $LIB_dbm_firstkey"
+fi
+AC_SUBST(DBLIB)dnl
+
+])
diff --git a/crypto/heimdal/cf/find-func-no-libs.m4 b/crypto/heimdal/cf/find-func-no-libs.m4
new file mode 100644
index 0000000..3deab02
--- /dev/null
+++ b/crypto/heimdal/cf/find-func-no-libs.m4
@@ -0,0 +1,9 @@
+dnl $Id: find-func-no-libs.m4,v 1.5 1999/10/30 21:08:18 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS, [
+AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])])
diff --git a/crypto/heimdal/cf/find-func-no-libs2.m4 b/crypto/heimdal/cf/find-func-no-libs2.m4
new file mode 100644
index 0000000..87e8984
--- /dev/null
+++ b/crypto/heimdal/cf/find-func-no-libs2.m4
@@ -0,0 +1,61 @@
+dnl $Id: find-func-no-libs2.m4,v 1.4 2000/07/15 18:10:19 joda Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS2(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS2, [
+
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(ac_cv_funclib_$1,
+[
+if eval "test \"\$ac_cv_func_$1\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in $2; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$6 $ac_lib $5 $ac_save_LIBS"
+		AC_TRY_LINK([$3],[$1($4)],eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break)
+	done
+	eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}"
+	LIBS="$ac_save_LIBS"
+fi
+])
+
+eval "ac_res=\$ac_cv_funclib_$1"
+
+if false; then
+	AC_CHECK_FUNCS($1)
+dnl	AC_CHECK_LIBS($2, foo)
+fi
+# $1
+eval "ac_tr_func=HAVE_[]upcase($1)"
+eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')"
+eval "LIB_$1=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_$1=yes"
+	eval "LIB_$1="
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_MSG_RESULT([yes])
+	;;
+	no)
+	eval "ac_cv_func_$1=no"
+	eval "LIB_$1="
+	AC_MSG_RESULT([no])
+	;;
+	*)
+	eval "ac_cv_func_$1=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_DEFINE_UNQUOTED($ac_tr_lib)
+	AC_MSG_RESULT([yes, in $ac_res])
+	;;
+esac
+AC_SUBST(LIB_$1)
+])
diff --git a/crypto/heimdal/cf/find-func.m4 b/crypto/heimdal/cf/find-func.m4
new file mode 100644
index 0000000..bb2b3ac
--- /dev/null
+++ b/crypto/heimdal/cf/find-func.m4
@@ -0,0 +1,9 @@
+dnl $Id: find-func.m4,v 1.1 1997/12/14 15:58:58 joda Exp $
+dnl
+dnl AC_FIND_FUNC(func, libraries, includes, arguments)
+AC_DEFUN(AC_FIND_FUNC, [
+AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4])
+if test -n "$LIB_$1"; then
+	LIBS="$LIB_$1 $LIBS"
+fi
+])
diff --git a/crypto/heimdal/cf/find-if-not-broken.m4 b/crypto/heimdal/cf/find-if-not-broken.m4
new file mode 100644
index 0000000..e855ec7
--- /dev/null
+++ b/crypto/heimdal/cf/find-if-not-broken.m4
@@ -0,0 +1,13 @@
+dnl $Id: find-if-not-broken.m4,v 1.2 1998/03/16 22:16:27 joda Exp $
+dnl
+dnl
+dnl Mix between AC_FIND_FUNC and AC_BROKEN
+dnl
+
+AC_DEFUN(AC_FIND_IF_NOT_BROKEN,
+[AC_FIND_FUNC([$1], [$2], [$3], [$4])
+if eval "test \"$ac_cv_func_$1\" != yes"; then
+LIBOBJS[]="$LIBOBJS $1.o"
+fi
+AC_SUBST(LIBOBJS)dnl
+])
diff --git a/crypto/heimdal/cf/grok-type.m4 b/crypto/heimdal/cf/grok-type.m4
new file mode 100644
index 0000000..5bc6a66
--- /dev/null
+++ b/crypto/heimdal/cf/grok-type.m4
@@ -0,0 +1,38 @@
+dnl $Id: grok-type.m4,v 1.4 1999/11/29 11:16:48 joda Exp $
+dnl
+AC_DEFUN(AC_GROK_TYPE, [
+AC_CACHE_VAL(ac_cv_type_$1, 
+AC_TRY_COMPILE([
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+],
+$i x;
+,
+eval ac_cv_type_$1=yes,
+eval ac_cv_type_$1=no))])
+
+AC_DEFUN(AC_GROK_TYPES, [
+for i in $1; do
+	AC_MSG_CHECKING(for $i)
+	AC_GROK_TYPE($i)
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_[]upcase($i)
+		AC_DEFINE_UNQUOTED($type)
+	fi
+	AC_MSG_RESULT($ac_res)
+done
+])
diff --git a/crypto/heimdal/cf/have-pragma-weak.m4 b/crypto/heimdal/cf/have-pragma-weak.m4
new file mode 100644
index 0000000..330e601
--- /dev/null
+++ b/crypto/heimdal/cf/have-pragma-weak.m4
@@ -0,0 +1,37 @@
+dnl $Id: have-pragma-weak.m4,v 1.3 1999/03/01 11:55:25 joda Exp $
+dnl
+AC_DEFUN(AC_HAVE_PRAGMA_WEAK, [
+if test "${enable_shared}" = "yes"; then
+AC_MSG_CHECKING(for pragma weak)
+AC_CACHE_VAL(ac_have_pragma_weak, [
+ac_have_pragma_weak=no
+cat > conftest_foo.$ac_ext <<'EOF'
+[#]line __oline__ "configure"
+#include "confdefs.h"
+#pragma weak foo = _foo
+int _foo = 17;
+EOF
+cat > conftest_bar.$ac_ext <<'EOF'
+[#]line __oline__ "configure"
+#include "confdefs.h"
+extern int foo;
+
+int t() {
+  return foo;
+}
+
+int main() {
+  return t();
+}
+EOF
+if AC_TRY_EVAL('CC -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest_foo.$ac_ext conftest_bar.$ac_ext 1>&AC_FD_CC'); then
+ac_have_pragma_weak=yes
+fi
+rm -rf conftest*
+])
+if test "$ac_have_pragma_weak" = "yes"; then
+	AC_DEFINE(HAVE_PRAGMA_WEAK, 1, [Define this if your compiler supports \`#pragma weak.'])dnl
+fi
+AC_MSG_RESULT($ac_have_pragma_weak)
+fi
+])
diff --git a/crypto/heimdal/cf/have-struct-field.m4 b/crypto/heimdal/cf/have-struct-field.m4
new file mode 100644
index 0000000..88ad5c3
--- /dev/null
+++ b/crypto/heimdal/cf/have-struct-field.m4
@@ -0,0 +1,19 @@
+dnl $Id: have-struct-field.m4,v 1.6 1999/07/29 01:44:32 assar Exp $
+dnl
+dnl check for fields in a structure
+dnl
+dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
+
+AC_DEFUN(AC_HAVE_STRUCT_FIELD, [
+define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
+AC_CACHE_CHECK([for $2 in $1], cache_val,[
+AC_TRY_COMPILE([$3],[$1 x; x.$2;],
+cache_val=yes,
+cache_val=no)])
+if test "$cache_val" = yes; then
+	define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_]))
+	AC_DEFINE(foo, 1, [Define if $1 has field $2.])
+	undefine([foo])
+fi
+undefine([cache_val])
+])
diff --git a/crypto/heimdal/cf/have-type.m4 b/crypto/heimdal/cf/have-type.m4
new file mode 100644
index 0000000..4b79e1e
--- /dev/null
+++ b/crypto/heimdal/cf/have-type.m4
@@ -0,0 +1,30 @@
+dnl $Id: have-type.m4,v 1.6 2000/07/15 18:10:00 joda Exp $
+dnl
+dnl check for existance of a type
+
+dnl AC_HAVE_TYPE(TYPE,INCLUDES)
+AC_DEFUN(AC_HAVE_TYPE, [
+AC_REQUIRE([AC_HEADER_STDC])
+cv=`echo "$1" | sed 'y%./+- %__p__%'`
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL([ac_cv_type_$cv],
+AC_TRY_COMPILE(
+[#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$2],
+[$1 foo;],
+eval "ac_cv_type_$cv=yes",
+eval "ac_cv_type_$cv=no"))dnl
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+AC_MSG_RESULT($ac_foo)
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	AC_CHECK_TYPES($1)
+fi
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1, [Define if you have type `$1'])
+fi
+])
diff --git a/crypto/heimdal/cf/have-types.m4 b/crypto/heimdal/cf/have-types.m4
new file mode 100644
index 0000000..b968d4b
--- /dev/null
+++ b/crypto/heimdal/cf/have-types.m4
@@ -0,0 +1,12 @@
+dnl
+dnl $Id: have-types.m4,v 1.2 2000/07/15 18:09:16 joda Exp $
+dnl
+
+AC_DEFUN(AC_HAVE_TYPES, [
+for i in $1; do
+        AC_HAVE_TYPE($i)
+done
+if false;then
+	AC_CHECK_FUNCS($1)
+fi
+])
diff --git a/crypto/heimdal/cf/install-catman.sh b/crypto/heimdal/cf/install-catman.sh
new file mode 100755
index 0000000..c48cc20
--- /dev/null
+++ b/crypto/heimdal/cf/install-catman.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# $Id: install-catman.sh,v 1.1 2000/11/30 01:38:17 joda Exp $
+#
+# install preformatted manual pages
+
+INSTALL_DATA="$1"; shift
+mkinstalldirs="$1"; shift
+srcdir="$1"; shift
+mandir="$1"; shift
+suffix="$1"; shift
+
+for f in "$@"; do
+	base=`echo "$f" | sed 's/\(.*\)\.\([^.]*\)$/\1/'`
+	section=`echo "$f" | sed 's/\(.*\)\.\([^.]*\)$/\2/'`
+	catdir="$mandir/cat$section"
+	c="$base.cat$section"
+	if test -f "$srcdir/$c"; then
+		if test \! -d "$catdir"; then
+			eval "$mkinstalldirs $catdir"
+		fi
+		eval "echo $INSTALL_DATA $srcdir/$c $catdir/$base.$suffix"
+		eval "$INSTALL_DATA $srcdir/$c $catdir/$base.$suffix"
+	fi
+done
diff --git a/crypto/heimdal/cf/krb-bigendian.m4 b/crypto/heimdal/cf/krb-bigendian.m4
new file mode 100644
index 0000000..ab16931
--- /dev/null
+++ b/crypto/heimdal/cf/krb-bigendian.m4
@@ -0,0 +1,53 @@
+dnl
+dnl $Id: krb-bigendian.m4,v 1.6 2000/08/19 15:37:00 assar Exp $
+dnl
+
+dnl check if this computer is little or big-endian
+dnl if we can figure it out at compile-time then don't define the cpp symbol
+dnl otherwise test for it and define it.  also allow options for overriding
+dnl it when cross-compiling
+
+AC_DEFUN(KRB_C_BIGENDIAN, [
+AC_ARG_ENABLE(bigendian,
+[  --enable-bigendian	the target is big endian],
+krb_cv_c_bigendian=yes)
+AC_ARG_ENABLE(littleendian,
+[  --enable-littleendian	the target is little endian],
+krb_cv_c_bigendian=no)
+AC_CACHE_CHECK(whether byte order is known at compile time,
+krb_cv_c_bigendian_compile,
+[AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/param.h>],[
+#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
+ bogus endian macros
+#endif], krb_cv_c_bigendian_compile=yes, krb_cv_c_bigendian_compile=no)])
+AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[
+  if test "$krb_cv_c_bigendian_compile" = "yes"; then
+    AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/param.h>],[
+#if BYTE_ORDER != BIG_ENDIAN
+  not big endian
+#endif], krb_cv_c_bigendian=yes, krb_cv_c_bigendian=no)
+  else
+    AC_TRY_RUN([main () {
+      /* Are we little or big endian?  From Harbison&Steele.  */
+      union
+      {
+	long l;
+	char c[sizeof (long)];
+    } u;
+    u.l = 1;
+    exit (u.c[sizeof (long) - 1] == 1);
+  }], krb_cv_c_bigendian=no, krb_cv_c_bigendian=yes,
+  AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian]))
+  fi
+])
+if test "$krb_cv_c_bigendian" = "yes"; then
+  AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl
+fi
+if test "$krb_cv_c_bigendian_compile" = "yes"; then
+  AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl
+fi
+])
diff --git a/crypto/heimdal/cf/krb-find-db.m4 b/crypto/heimdal/cf/krb-find-db.m4
new file mode 100644
index 0000000..5d38f2e
--- /dev/null
+++ b/crypto/heimdal/cf/krb-find-db.m4
@@ -0,0 +1,100 @@
+dnl $Id: krb-find-db.m4,v 1.6 2000/08/16 03:58:51 assar Exp $
+dnl
+dnl find a suitable database library
+dnl
+dnl AC_FIND_DB(libraries)
+AC_DEFUN(KRB_FIND_DB, [
+
+lib_dbm=no
+lib_db=no
+
+for i in $1; do
+
+	if test "$i"; then
+		m="lib$i"
+		l="-l$i"
+	else
+		m="libc"
+		l=""
+	fi	
+
+	AC_MSG_CHECKING(for dbm_open in $m)
+	AC_CACHE_VAL(ac_cv_krb_dbm_open_$m, [
+
+	save_LIBS="$LIBS"
+	LIBS="$l $LIBS"
+	AC_TRY_RUN([
+#include <unistd.h>
+#include <fcntl.h>
+#if defined(HAVE_NDBM_H)
+#include <ndbm.h>
+#elif defined(HAVE_GDBM_NDBM_H)
+#include <gdbm/ndbm.h>
+#elif defined(HAVE_DBM_H)
+#include <dbm.h>
+#elif defined(HAVE_RPCSVC_DBM_H)
+#include <rpcsvc/dbm.h>
+#elif defined(HAVE_DB_H)
+#define DB_DBM_HSEARCH 1
+#include <db.h>
+#endif
+int main()
+{
+  DBM *d;
+
+  d = dbm_open("conftest", O_RDWR | O_CREAT, 0666);
+  if(d == NULL)
+    return 1;
+  dbm_close(d);
+  return 0;
+}], [
+	if test -f conftest.db; then
+		ac_res=db
+	else
+		ac_res=dbm
+	fi], ac_res=no, ac_res=no)
+
+	LIBS="$save_LIBS"
+
+	eval ac_cv_krb_dbm_open_$m=$ac_res])
+	eval ac_res=\$ac_cv_krb_dbm_open_$m
+	AC_MSG_RESULT($ac_res)
+
+	if test "$lib_dbm" = no -a $ac_res = dbm; then
+		lib_dbm="$l"
+	elif test "$lib_db" = no -a $ac_res = db; then
+		lib_db="$l"
+		break
+	fi
+done
+
+AC_MSG_CHECKING(for NDBM library)
+ac_ndbm=no
+if test "$lib_db" != no; then
+	LIB_DBM="$lib_db"
+	ac_ndbm=yes
+	AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files ending in .db).])
+	if test "$LIB_DBM"; then
+		ac_res="yes, $LIB_DBM"
+	else
+		ac_res=yes
+	fi
+elif test "$lib_dbm" != no; then
+	LIB_DBM="$lib_dbm"
+	ac_ndbm=yes
+	if test "$LIB_DBM"; then
+		ac_res="yes, $LIB_DBM"
+	else
+		ac_res=yes
+	fi
+else
+	LIB_DBM=""
+	ac_res=no
+fi
+test "$ac_ndbm" = yes && AC_DEFINE(NDBM, 1, [Define if you have NDBM (and not DBM)])dnl
+AC_SUBST(LIB_DBM)
+DBLIB="$LIB_DBM"
+AC_SUBST(DBLIB)
+AC_MSG_RESULT($ac_res)
+
+])
diff --git a/crypto/heimdal/cf/krb-func-getcwd-broken.m4 b/crypto/heimdal/cf/krb-func-getcwd-broken.m4
new file mode 100644
index 0000000..d248922
--- /dev/null
+++ b/crypto/heimdal/cf/krb-func-getcwd-broken.m4
@@ -0,0 +1,42 @@
+dnl $Id: krb-func-getcwd-broken.m4,v 1.2 1999/03/01 13:03:32 joda Exp $
+dnl
+dnl
+dnl test for broken getcwd in (SunOS braindamage)
+dnl
+
+AC_DEFUN(AC_KRB_FUNC_GETCWD_BROKEN, [
+if test "$ac_cv_func_getcwd" = yes; then
+AC_MSG_CHECKING(if getcwd is broken)
+AC_CACHE_VAL(ac_cv_func_getcwd_broken, [
+ac_cv_func_getcwd_broken=no
+
+AC_TRY_RUN([
+#include <errno.h>
+char *getcwd(char*, int);
+
+void *popen(char *cmd, char *mode)
+{
+	errno = ENOTTY;
+	return 0;
+}
+
+int main()
+{
+	char *ret;
+	ret = getcwd(0, 1024);
+	if(ret == 0 && errno == ENOTTY)
+		return 0;
+	return 1;
+}
+], ac_cv_func_getcwd_broken=yes,:,:)
+])
+if test "$ac_cv_func_getcwd_broken" = yes; then
+	AC_DEFINE(BROKEN_GETCWD, 1, [Define if getcwd is broken (like in SunOS 4).])dnl
+	LIBOBJS="$LIBOBJS getcwd.o"
+	AC_SUBST(LIBOBJS)dnl
+	AC_MSG_RESULT($ac_cv_func_getcwd_broken)
+else
+	AC_MSG_RESULT([seems ok])
+fi
+fi
+])
diff --git a/crypto/heimdal/cf/krb-func-getlogin.m4 b/crypto/heimdal/cf/krb-func-getlogin.m4
new file mode 100644
index 0000000..921c5ab
--- /dev/null
+++ b/crypto/heimdal/cf/krb-func-getlogin.m4
@@ -0,0 +1,22 @@
+dnl
+dnl $Id: krb-func-getlogin.m4,v 1.1 1999/07/13 17:45:30 assar Exp $
+dnl
+dnl test for POSIX (broken) getlogin
+dnl
+
+
+AC_DEFUN(AC_FUNC_GETLOGIN, [
+AC_CHECK_FUNCS(getlogin setlogin)
+if test "$ac_cv_func_getlogin" = yes; then
+AC_CACHE_CHECK(if getlogin is posix, ac_cv_func_getlogin_posix, [
+if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
+	ac_cv_func_getlogin_posix=no
+else
+	ac_cv_func_getlogin_posix=yes
+fi
+])
+if test "$ac_cv_func_getlogin_posix" = yes; then
+	AC_DEFINE(POSIX_GETLOGIN, 1, [Define if getlogin has POSIX flavour (and not BSD).])
+fi
+fi
+])
diff --git a/crypto/heimdal/cf/krb-ipv6.m4 b/crypto/heimdal/cf/krb-ipv6.m4
new file mode 100644
index 0000000..bb494c1
--- /dev/null
+++ b/crypto/heimdal/cf/krb-ipv6.m4
@@ -0,0 +1,125 @@
+dnl $Id: krb-ipv6.m4,v 1.10 2001/03/26 03:28:03 assar Exp $
+dnl
+dnl test for IPv6
+dnl
+AC_DEFUN(AC_KRB_IPV6, [
+AC_ARG_WITH(ipv6,
+[  --without-ipv6	do not enable IPv6 support],[
+if test "$withval" = "no"; then
+	ac_cv_lib_ipv6=no
+fi])
+save_CFLAGS="${CFLAGS}"
+AC_CACHE_VAL(ac_cv_lib_ipv6,
+[dnl check for different v6 implementations (by itojun)
+v6type=unknown
+v6lib=none
+
+AC_MSG_CHECKING([ipv6 stack type])
+for i in v6d toshiba kame inria zeta linux; do
+	case $i in
+	v6d)
+		AC_EGREP_CPP(yes, [
+#include </usr/local/v6/include/sys/types.h>
+#ifdef __V6D__
+yes
+#endif],
+			[v6type=$i; v6lib=v6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-I/usr/local/v6/include $CFLAGS"])
+		;;
+	toshiba)
+		AC_EGREP_CPP(yes, [
+#include <sys/param.h>
+#ifdef _TOSHIBA_INET6
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	kame)
+		AC_EGREP_CPP(yes, [
+#include <netinet/in.h>
+#ifdef __KAME__
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	inria)
+		AC_EGREP_CPP(yes, [
+#include <netinet/in.h>
+#ifdef IPV6_INRIA_VERSION
+yes
+#endif],
+			[v6type=$i; CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	zeta)
+		AC_EGREP_CPP(yes, [
+#include <sys/param.h>
+#ifdef _ZETA_MINAMI_INET6
+yes
+#endif],
+			[v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"])
+		;;
+	linux)
+		if test -d /usr/inet6; then
+			v6type=$i
+			v6lib=inet6
+			v6libdir=/usr/inet6
+			CFLAGS="-DINET6 $CFLAGS"
+		fi
+		;;
+	esac
+	if test "$v6type" != "unknown"; then
+		break
+	fi
+done
+AC_MSG_RESULT($v6type)
+
+if test "$v6lib" != "none"; then
+	for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do
+		if test -d $dir -a -f $dir/lib$v6lib.a; then
+			LIBS="-L$dir -l$v6lib $LIBS"
+			break
+		fi
+	done
+fi
+AC_TRY_LINK([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+],
+[
+ struct sockaddr_in6 sin6;
+ int s;
+
+ s = socket(AF_INET6, SOCK_DGRAM, 0);
+
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_port = htons(17);
+ sin6.sin6_addr = in6addr_any;
+ bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
+],
+ac_cv_lib_ipv6=yes,
+ac_cv_lib_ipv6=no)])
+AC_MSG_CHECKING(for IPv6)
+AC_MSG_RESULT($ac_cv_lib_ipv6)
+if test "$ac_cv_lib_ipv6" = yes; then
+  AC_DEFINE(HAVE_IPV6, 1, [Define if you have IPv6.])
+else
+  CFLAGS="${save_CFLAGS}"
+fi
+])
diff --git a/crypto/heimdal/cf/krb-irix.m4 b/crypto/heimdal/cf/krb-irix.m4
new file mode 100644
index 0000000..cdde69c
--- /dev/null
+++ b/crypto/heimdal/cf/krb-irix.m4
@@ -0,0 +1,12 @@
+dnl
+dnl $Id: krb-irix.m4,v 1.2 2000/12/13 12:48:45 assar Exp $
+dnl
+
+dnl requires AC_CANONICAL_HOST
+AC_DEFUN(KRB_IRIX,[
+irix=no
+case "$host_os" in
+irix*) irix=yes ;;
+esac
+AM_CONDITIONAL(IRIX, test "$irix" != no)dnl
+])
diff --git a/crypto/heimdal/cf/krb-prog-ln-s.m4 b/crypto/heimdal/cf/krb-prog-ln-s.m4
new file mode 100644
index 0000000..efb706e
--- /dev/null
+++ b/crypto/heimdal/cf/krb-prog-ln-s.m4
@@ -0,0 +1,28 @@
+dnl $Id: krb-prog-ln-s.m4,v 1.1 1997/12/14 15:59:01 joda Exp $
+dnl
+dnl
+dnl Better test for ln -s, ln or cp
+dnl
+
+AC_DEFUN(AC_KRB_PROG_LN_S,
+[AC_MSG_CHECKING(for ln -s or something else)
+AC_CACHE_VAL(ac_cv_prog_LN_S,
+[rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  touch conftestdata1
+  if ln conftestdata1 conftestdata2; then
+    rm -f conftestdata*
+    ac_cv_prog_LN_S=ln
+  else
+    ac_cv_prog_LN_S=cp
+  fi
+fi])dnl
+LN_S="$ac_cv_prog_LN_S"
+AC_MSG_RESULT($ac_cv_prog_LN_S)
+AC_SUBST(LN_S)dnl
+])
+
diff --git a/crypto/heimdal/cf/krb-prog-ranlib.m4 b/crypto/heimdal/cf/krb-prog-ranlib.m4
new file mode 100644
index 0000000..fd1d3db
--- /dev/null
+++ b/crypto/heimdal/cf/krb-prog-ranlib.m4
@@ -0,0 +1,8 @@
+dnl $Id: krb-prog-ranlib.m4,v 1.1 1997/12/14 15:59:01 joda Exp $
+dnl
+dnl
+dnl Also look for EMXOMF for OS/2
+dnl
+
+AC_DEFUN(AC_KRB_PROG_RANLIB,
+[AC_CHECK_PROGS(RANLIB, ranlib EMXOMF, :)])
diff --git a/crypto/heimdal/cf/krb-prog-yacc.m4 b/crypto/heimdal/cf/krb-prog-yacc.m4
new file mode 100644
index 0000000..f0b6e44
--- /dev/null
+++ b/crypto/heimdal/cf/krb-prog-yacc.m4
@@ -0,0 +1,12 @@
+dnl $Id: krb-prog-yacc.m4,v 1.3 2000/03/28 12:12:23 assar Exp $
+dnl
+dnl
+dnl We prefer byacc or yacc because they do not use `alloca'
+dnl
+
+AC_DEFUN(AC_KRB_PROG_YACC,
+[AC_CHECK_PROGS(YACC, byacc yacc 'bison -y')
+if test "$YACC" = ""; then
+  AC_MSG_WARN([yacc not found - some stuff will not build])
+fi
+])
diff --git a/crypto/heimdal/cf/krb-readline.m4 b/crypto/heimdal/cf/krb-readline.m4
new file mode 100644
index 0000000..6d0f0b2
--- /dev/null
+++ b/crypto/heimdal/cf/krb-readline.m4
@@ -0,0 +1,43 @@
+dnl $Id: krb-readline.m4,v 1.2 2000/11/15 00:47:08 assar Exp $
+dnl
+dnl Tests for readline functions
+dnl
+
+dnl el_init
+
+AC_DEFUN(KRB_READLINE,[
+AC_FIND_FUNC_NO_LIBS(el_init, edit, [], [], [$LIB_tgetent])
+if test "$ac_cv_func_el_init" = yes ; then
+	AC_CACHE_CHECK(for four argument el_init, ac_cv_func_el_init_four,[
+		AC_TRY_COMPILE([#include <stdio.h>
+			#include <histedit.h>],
+			[el_init("", NULL, NULL, NULL);],
+			ac_cv_func_el_init_four=yes,
+			ac_cv_func_el_init_four=no)])
+	if test "$ac_cv_func_el_init_four" = yes; then
+		AC_DEFINE(HAVE_FOUR_VALUED_EL_INIT, 1, [Define if el_init takes four arguments.])
+	fi
+fi
+
+dnl readline
+
+ac_foo=no
+if test "$with_readline" = yes; then
+	:
+elif test "$ac_cv_func_readline" = yes; then
+	:
+elif test "$ac_cv_func_el_init" = yes; then
+	ac_foo=yes
+	LIB_readline="\$(top_builddir)/lib/editline/libel_compat.la $LIB_el_init"
+else
+	LIB_readline='$(top_builddir)/lib/editline/libeditline.la'
+fi
+AM_CONDITIONAL(el_compat, test "$ac_foo" = yes)
+if test "$readline_libdir"; then
+	LIB_readline="-rpath $readline_libdir $LIB_readline"
+fi
+LIB_readline="$LIB_readline \$(LIB_tgetent)"
+AC_DEFINE(HAVE_READLINE, 1, 
+	[Define if you have a readline compatible library.])dnl
+
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/krb-struct-spwd.m4 b/crypto/heimdal/cf/krb-struct-spwd.m4
new file mode 100644
index 0000000..4ab81fd
--- /dev/null
+++ b/crypto/heimdal/cf/krb-struct-spwd.m4
@@ -0,0 +1,22 @@
+dnl $Id: krb-struct-spwd.m4,v 1.3 1999/07/13 21:04:11 assar Exp $
+dnl
+dnl Test for `struct spwd'
+
+AC_DEFUN(AC_KRB_STRUCT_SPWD, [
+AC_MSG_CHECKING(for struct spwd)
+AC_CACHE_VAL(ac_cv_struct_spwd, [
+AC_TRY_COMPILE(
+[#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif],
+[struct spwd foo;],
+ac_cv_struct_spwd=yes,
+ac_cv_struct_spwd=no)
+])
+AC_MSG_RESULT($ac_cv_struct_spwd)
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_SPWD, 1, [define if you have struct spwd])
+fi
+])
diff --git a/crypto/heimdal/cf/krb-struct-winsize.m4 b/crypto/heimdal/cf/krb-struct-winsize.m4
new file mode 100644
index 0000000..f89f683
--- /dev/null
+++ b/crypto/heimdal/cf/krb-struct-winsize.m4
@@ -0,0 +1,27 @@
+dnl $Id: krb-struct-winsize.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl
+dnl Search for struct winsize
+dnl
+
+AC_DEFUN(AC_KRB_STRUCT_WINSIZE, [
+AC_MSG_CHECKING(for struct winsize)
+AC_CACHE_VAL(ac_cv_struct_winsize, [
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+AC_EGREP_HEADER(
+changequote(, )dnl
+struct[ 	]*winsize,dnl
+changequote([,])dnl
+$i, ac_cv_struct_winsize=yes; break)dnl
+done
+])
+if test "$ac_cv_struct_winsize" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_WINSIZE, 1, [define if struct winsize is declared in sys/termios.h])
+fi
+AC_MSG_RESULT($ac_cv_struct_winsize)
+AC_EGREP_HEADER(ws_xpixel, termios.h, 
+	AC_DEFINE(HAVE_WS_XPIXEL, 1, [define if struct winsize has ws_xpixel]))
+AC_EGREP_HEADER(ws_ypixel, termios.h, 
+	AC_DEFINE(HAVE_WS_YPIXEL, 1, [define if struct winsize has ws_ypixel]))
+])
diff --git a/crypto/heimdal/cf/krb-sys-aix.m4 b/crypto/heimdal/cf/krb-sys-aix.m4
new file mode 100644
index 0000000..a538005
--- /dev/null
+++ b/crypto/heimdal/cf/krb-sys-aix.m4
@@ -0,0 +1,15 @@
+dnl $Id: krb-sys-aix.m4,v 1.1 1997/12/14 15:59:02 joda Exp $
+dnl
+dnl
+dnl AIX have a very different syscall convention
+dnl
+AC_DEFUN(AC_KRB_SYS_AIX, [
+AC_MSG_CHECKING(for AIX)
+AC_CACHE_VAL(krb_cv_sys_aix,
+AC_EGREP_CPP(yes, 
+[#ifdef _AIX
+	yes
+#endif 
+], krb_cv_sys_aix=yes, krb_cv_sys_aix=no) )
+AC_MSG_RESULT($krb_cv_sys_aix)
+])
diff --git a/crypto/heimdal/cf/krb-sys-nextstep.m4 b/crypto/heimdal/cf/krb-sys-nextstep.m4
new file mode 100644
index 0000000..5dec8b1
--- /dev/null
+++ b/crypto/heimdal/cf/krb-sys-nextstep.m4
@@ -0,0 +1,21 @@
+dnl $Id: krb-sys-nextstep.m4,v 1.3 2000/07/15 17:56:45 joda Exp $
+dnl
+dnl NEXTSTEP is not posix compliant by default,
+dnl you need a switch -posix to the compiler
+dnl
+
+AC_DEFUN(rk_SYS_NEXTSTEP, [
+AC_CACHE_CHECK(for NeXTSTEP, rk_cv_sys_nextstep, [
+AC_EGREP_CPP(yes, 
+[#if defined(NeXT) && !defined(__APPLE__)
+	yes
+#endif 
+], rk_cv_sys_nextstep=yes, rk_cv_sys_nextstep=no)])
+if test "$rk_cv_sys_nextstep" = "yes"; then
+  CFLAGS="$CFLAGS -posix"
+  LIBS="$LIBS -posix"
+fi
+AH_BOTTOM([#if defined(HAVE_SGTTY_H) && defined(__NeXT__)
+#define SGTTY
+#endif])
+])
diff --git a/crypto/heimdal/cf/krb-version.m4 b/crypto/heimdal/cf/krb-version.m4
new file mode 100644
index 0000000..9907ed1
--- /dev/null
+++ b/crypto/heimdal/cf/krb-version.m4
@@ -0,0 +1,25 @@
+dnl $Id: krb-version.m4,v 1.2 2000/08/27 05:42:19 assar Exp $
+dnl
+dnl
+dnl output a C header-file with some version strings
+dnl
+AC_DEFUN(AC_KRB_VERSION,[
+dnl AC_OUTPUT_COMMANDS([
+cat > include/newversion.h.in <<FOOBAR
+const char *${PACKAGE}_long_version = "@(#)\$Version: $PACKAGE-$VERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+const char *${PACKAGE}_version = "$PACKAGE-$VERSION";
+FOOBAR
+
+if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+	echo "include/version.h is unchanged"
+	rm -f include/newversion.h.in
+else
+ 	echo "creating include/version.h"
+ 	User=${USER-${LOGNAME}}
+ 	Host=`(hostname || uname -n) 2>/dev/null | sed 1q`
+ 	Date=`date`
+	mv -f include/newversion.h.in include/version.h.in
+	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+fi
+dnl ],host=$host PACKAGE=$PACKAGE VERSION=$VERSION)
+])
diff --git a/crypto/heimdal/cf/make-proto.pl b/crypto/heimdal/cf/make-proto.pl
new file mode 100644
index 0000000..9a47aed
--- /dev/null
+++ b/crypto/heimdal/cf/make-proto.pl
@@ -0,0 +1,199 @@
+# Make prototypes from .c files
+# $Id: make-proto.pl,v 1.11 1999/04/15 12:37:54 joda Exp $
+
+##use Getopt::Std;
+require 'getopts.pl';
+
+$brace = 0;
+$line = "";
+$debug = 0;
+
+do Getopts('o:p:d') || die "foo";
+
+if($opt_d) {
+    $debug = 1;
+}
+
+while(<>) {
+    print $brace, " ", $_ if($debug);
+    if(/^\#if 0/) {
+	$if_0 = 1;
+    }
+    if($if_0 && /^\#endif/) {
+	$if_0 = 0;
+    }
+    if($if_0) { next }
+    if(/^\s*\#/) {
+	next;
+    }
+    if(/^\s*$/) {
+	$line = "";
+	next;
+    }
+    if(/\{/){
+	$_ = $line;
+	while(s/\*\//\ca/){
+	    s/\/\*(.|\n)*\ca//;
+	}
+	s/^\s*//;
+	s/\s$//;
+	s/\s+/ /g;
+	if($line =~ /\)\s$/){
+	    if(!/^static/ && !/^PRIVATE/){
+		if(/(.*)(__attribute__\s?\(.*\))/) {
+		    $attr = $2;
+		    $_ = $1;
+		} else {
+		    $attr = "";
+		}
+		# remove outer ()
+		s/\s*\(/@/;
+		s/\)\s?$/@/;
+		# remove , within ()
+		while(s/\(([^()]*),(.*)\)/($1\$$2)/g){}
+		s/,\s*/,\n\t/g;
+		# fix removed ,
+		s/\$/,/g;
+		# match function name
+		/([a-zA-Z0-9_]+)\s*@/;
+		$f = $1;
+		# only add newline if more than one parameter
+		$LP = "((";  # XXX workaround for indentation bug in emacs
+		$RP = "))";
+		$P = "__P((";
+                if(/,/){ 
+		    s/@/ __P$LP\n\t/;
+		}else{
+		    s/@/ __P$LP/;
+		}
+		s/@/$RP/;
+		# insert newline before function name
+		s/(.*)\s([a-zA-Z0-9_]+ __P)/$1\n$2/;
+		if($attr ne "") {
+		    $_ .= "\n    $attr";
+		}
+		$_ = $_ . ";";
+		$funcs{$f} = $_;
+	    }
+	}
+	$line = "";
+	$brace++;
+    }
+    if(/\}/){
+	$brace--;
+    }
+    if(/^\}/){
+	$brace = 0;
+    }
+    if($brace == 0) {
+	$line = $line . " " . $_;
+    }
+}
+
+sub foo {
+    local ($arg) = @_;
+    $_ = $arg;
+    s/.*\/([^\/]*)/$1/;
+    s/[^a-zA-Z0-9]/_/g;
+    "__" . $_ . "__";
+}
+
+if($opt_o) {
+    open(OUT, ">$opt_o");
+    $block = &foo($opt_o);
+} else {
+    $block = "__public_h__";
+}
+
+if($opt_p) {
+    open(PRIV, ">$opt_p");
+    $private = &foo($opt_p);
+} else {
+    $private = "__private_h__";
+}
+
+$public_h = "";
+$private_h = "";
+
+$public_h_header = "/* This is a generated file */
+#ifndef $block
+#define $block
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+";
+
+$private_h_header = "/* This is a generated file */
+#ifndef $private
+#define $private
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+";
+
+foreach(sort keys %funcs){
+    if(/^(main)$/) { next }
+    if(/^_/) {
+	$private_h .= $funcs{$_} . "\n\n";
+	if($funcs{$_} =~ /__attribute__/) {
+	    $private_attribute_seen = 1;
+	}
+    } else {
+	$public_h .= $funcs{$_} . "\n\n";
+	if($funcs{$_} =~ /__attribute__/) {
+	    $public_attribute_seen = 1;
+	}
+    }
+}
+
+if ($public_attribute_seen) {
+    $public_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+";
+}
+
+if ($private_attribute_seen) {
+    $private_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+";
+}
+
+
+if ($public_h ne "") {
+    $public_h = $public_h_header . $public_h . "#endif /* $block */\n";
+}
+if ($private_h ne "") {
+    $private_h = $private_h_header . $private_h . "#endif /* $private */\n";
+}
+
+if($opt_o) {
+    print OUT $public_h;
+} 
+if($opt_p) {
+    print PRIV $private_h;
+} 
+
+close OUT;
+close PRIV;
diff --git a/crypto/heimdal/cf/mips-abi.m4 b/crypto/heimdal/cf/mips-abi.m4
new file mode 100644
index 0000000..afd3fc0
--- /dev/null
+++ b/crypto/heimdal/cf/mips-abi.m4
@@ -0,0 +1,87 @@
+dnl $Id: mips-abi.m4,v 1.5 2000/07/18 15:01:42 joda Exp $
+dnl
+dnl
+dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some
+dnl value.
+
+AC_DEFUN(AC_MIPS_ABI, [
+AC_ARG_WITH(mips_abi,
+[  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)])
+
+case "$host_os" in
+irix*)
+with_mips_abi="${with_mips_abi:-yes}"
+if test -n "$GCC"; then
+
+# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select
+# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs.
+#
+# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old
+# GCC and revert back to O32. The same goes if O32 is asked for - old
+# GCCs doesn't like the -mabi option, and new GCCs can't output O32.
+#
+# Don't you just love *all* the different SGI ABIs?
+
+case "${with_mips_abi}" in 
+        32|o32) abi='-mabi=32';  abilibdirext=''     ;;
+       n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
+        64) abi='-mabi=64';  abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_MSG_ERROR("Invalid ABI specified") ;;
+esac
+if test -n "$abi" ; then
+ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
+dnl
+dnl can't use AC_CACHE_CHECK here, since it doesn't quote CACHE-ID to
+dnl AC_MSG_RESULT
+dnl
+AC_MSG_CHECKING([if $CC supports the $abi option])
+AC_CACHE_VAL($ac_foo, [
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $abi"
+AC_TRY_COMPILE(,int x;, eval $ac_foo=yes, eval $ac_foo=no)
+CFLAGS="$save_CFLAGS"
+])
+ac_res=`eval echo \\\$$ac_foo`
+AC_MSG_RESULT($ac_res)
+if test $ac_res = no; then
+# Try to figure out why that failed...
+case $abi in
+	-mabi=32) 
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS -mabi=n32"
+	AC_TRY_COMPILE(,int x;, ac_res=yes, ac_res=no)
+	CLAGS="$save_CFLAGS"
+	if test $ac_res = yes; then
+		# New GCC
+		AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI])
+	fi
+	# Old GCC
+	abi=''
+	abilibdirext=''
+	;;
+	-mabi=n32|-mabi=64)
+		if test $with_mips_abi = yes; then
+			# Old GCC, default to O32
+			abi=''
+			abilibdirext=''
+		else
+			# Some broken GCC
+			AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI])
+		fi
+	;;
+esac
+fi #if test $ac_res = no; then
+fi #if test -n "$abi" ; then
+else
+case "${with_mips_abi}" in
+        32|o32) abi='-32'; abilibdirext=''     ;;
+       n32|yes) abi='-n32'; abilibdirext='32'  ;;
+        64) abi='-64'; abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_MSG_ERROR("Invalid ABI specified") ;;
+esac
+fi #if test -n "$GCC"; then
+;;
+esac
+])
diff --git a/crypto/heimdal/cf/misc.m4 b/crypto/heimdal/cf/misc.m4
new file mode 100644
index 0000000..c8c3804
--- /dev/null
+++ b/crypto/heimdal/cf/misc.m4
@@ -0,0 +1,27 @@
+dnl $Id: misc.m4,v 1.2 2000/07/19 15:04:00 joda Exp $
+dnl
+AC_DEFUN([upcase],[`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`])dnl
+AC_DEFUN([rk_CONFIG_HEADER],[AH_TOP([#ifndef RCSID
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+#endif
+
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+])])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/need-proto.m4 b/crypto/heimdal/cf/need-proto.m4
new file mode 100644
index 0000000..8c8d1d3
--- /dev/null
+++ b/crypto/heimdal/cf/need-proto.m4
@@ -0,0 +1,25 @@
+dnl $Id: need-proto.m4,v 1.2 1999/03/01 09:52:24 joda Exp $
+dnl
+dnl
+dnl Check if we need the prototype for a function
+dnl
+
+dnl AC_NEED_PROTO(includes, function)
+
+AC_DEFUN(AC_NEED_PROTO, [
+if test "$ac_cv_func_$2+set" != set -o "$ac_cv_func_$2" = yes; then
+AC_CACHE_CHECK([if $2 needs a prototype], ac_cv_func_$2_noproto,
+AC_TRY_COMPILE([$1],
+[struct foo { int foo; } xx;
+extern int $2 (struct foo*);
+$2(&xx);
+],
+eval "ac_cv_func_$2_noproto=yes",
+eval "ac_cv_func_$2_noproto=no"))
+define([foo], [NEED_]translit($2, [a-z], [A-Z])[_PROTO])
+if test "$ac_cv_func_$2_noproto" = yes; then
+	AC_DEFINE(foo, 1, [define if the system is missing a prototype for $2()])
+fi
+undefine([foo])
+fi
+])
diff --git a/crypto/heimdal/cf/osfc2.m4 b/crypto/heimdal/cf/osfc2.m4
new file mode 100644
index 0000000..d8cb2e1
--- /dev/null
+++ b/crypto/heimdal/cf/osfc2.m4
@@ -0,0 +1,14 @@
+dnl $Id: osfc2.m4,v 1.2 1999/03/27 17:28:16 joda Exp $
+dnl
+dnl enable OSF C2 stuff
+
+AC_DEFUN(AC_CHECK_OSFC2,[
+AC_ARG_ENABLE(osfc2,
+[  --enable-osfc2          enable some OSF C2 support])
+LIB_security=
+if test "$enable_osfc2" = yes; then
+	AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.])
+	LIB_security=-lsecurity
+fi
+AC_SUBST(LIB_security)
+])
diff --git a/crypto/heimdal/cf/proto-compat.m4 b/crypto/heimdal/cf/proto-compat.m4
new file mode 100644
index 0000000..942f658
--- /dev/null
+++ b/crypto/heimdal/cf/proto-compat.m4
@@ -0,0 +1,22 @@
+dnl $Id: proto-compat.m4,v 1.3 1999/03/01 13:03:48 joda Exp $
+dnl
+dnl
+dnl Check if the prototype of a function is compatible with another one
+dnl
+
+dnl AC_PROTO_COMPAT(includes, function, prototype)
+
+AC_DEFUN(AC_PROTO_COMPAT, [
+AC_CACHE_CHECK([if $2 is compatible with system prototype],
+ac_cv_func_$2_proto_compat,
+AC_TRY_COMPILE([$1],
+[$3;],
+eval "ac_cv_func_$2_proto_compat=yes",
+eval "ac_cv_func_$2_proto_compat=no"))
+define([foo], translit($2, [a-z], [A-Z])[_PROTO_COMPATIBLE])
+if test "$ac_cv_func_$2_proto_compat" = yes; then
+	AC_DEFINE(foo, 1, [define if prototype of $2 is compatible with
+	$3])
+fi
+undefine([foo])
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/retsigtype.m4 b/crypto/heimdal/cf/retsigtype.m4
new file mode 100644
index 0000000..4c3ecbd
--- /dev/null
+++ b/crypto/heimdal/cf/retsigtype.m4
@@ -0,0 +1,18 @@
+dnl
+dnl $Id: retsigtype.m4,v 1.1 2000/07/15 18:05:56 joda Exp $
+dnl
+dnl Figure out return type of signal handlers, and define SIGRETURN macro
+dnl that can be used to return from one
+dnl
+AC_DEFUN(rk_RETSIGTYPE,[
+AC_TYPE_SIGNAL
+if test "$ac_cv_type_signal" = "void" ; then
+	AC_DEFINE(VOID_RETSIGTYPE, 1, [Define if signal handlers return void.])
+fi
+AC_SUBST(VOID_RETSIGTYPE)
+AH_BOTTOM([#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif])
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/roken-frag.m4 b/crypto/heimdal/cf/roken-frag.m4
new file mode 100644
index 0000000..fb0c14be
--- /dev/null
+++ b/crypto/heimdal/cf/roken-frag.m4
@@ -0,0 +1,599 @@
+dnl $Id: roken-frag.m4,v 1.21 2001/05/11 13:58:21 joda Exp $
+dnl
+dnl some code to get roken working
+dnl
+dnl rk_ROKEN(subdir)
+dnl
+AC_DEFUN(rk_ROKEN, [
+
+AC_REQUIRE([rk_CONFIG_HEADER])
+
+DIR_roken=roken
+LIB_roken='$(top_builddir)/$1/libroken.la'
+INCLUDES_roken='-I$(top_builddir)/$1 -I$(top_srcdir)/$1'
+
+dnl Checks for programs
+AC_REQUIRE([AC_PROG_CC])
+AC_REQUIRE([AC_PROG_AWK])
+AC_REQUIRE([AC_OBJEXT])
+AC_REQUIRE([AC_EXEEXT])
+AC_REQUIRE([AC_PROG_LIBTOOL])
+
+AC_REQUIRE([AC_MIPS_ABI])
+
+dnl C characteristics
+
+AC_REQUIRE([AC_C___ATTRIBUTE__])
+AC_REQUIRE([AC_C_INLINE])
+AC_REQUIRE([AC_C_CONST])
+AC_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
+
+AC_REQUIRE([rk_DB])
+
+dnl C types
+
+AC_REQUIRE([AC_TYPE_SIZE_T])
+AC_CHECK_TYPE_EXTRA(ssize_t, int, [#include <unistd.h>])
+AC_REQUIRE([AC_TYPE_PID_T])
+AC_REQUIRE([AC_TYPE_UID_T])
+AC_HAVE_TYPE([long long])
+
+AC_REQUIRE([rk_RETSIGTYPE])
+
+dnl Checks for header files.
+AC_REQUIRE([AC_HEADER_STDC])
+AC_REQUIRE([AC_HEADER_TIME])
+
+AC_CHECK_HEADERS([\
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	config.h				\
+	crypt.h					\
+	dbm.h					\
+	db.h					\
+	dirent.h				\
+	errno.h					\
+	err.h					\
+	fcntl.h					\
+	gdbm/ndbm.h				\
+	grp.h					\
+	ifaddrs.h				\
+	ndbm.h					\
+	net/if.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6.h				\
+	netinet/in_systm.h			\
+	netinet6/in6.h				\
+	netinet6/in6_var.h			\
+	paths.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	rpcsvc/ypclnt.h				\
+	shadow.h				\
+	sys/bswap.h				\
+	sys/ioctl.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/resource.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/sysctl.h				\
+	sys/time.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	termios.h				\
+	unistd.h				\
+	userconf.h				\
+	usersec.h				\
+	util.h					\
+	vis.h					\
+	winsock.h				\
+])
+	
+AC_REQUIRE([CHECK_NETINET_IP_AND_TCP])
+
+AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes)
+AM_CONDITIONAL(have_fnmatch_h, test "$ac_cv_header_fnmatch_h" = yes)
+AM_CONDITIONAL(have_ifaddrs_h, test "$ac_cv_header_ifaddrs_h" = yes)
+AM_CONDITIONAL(have_vis_h, test "$ac_cv_header_vis_h" = yes)
+
+dnl Check for functions and libraries
+
+AC_KRB_IPV6
+
+AC_FIND_FUNC(socket, socket)
+AC_FIND_FUNC(gethostbyname, nsl)
+AC_FIND_FUNC(syslog, syslog)
+AC_FIND_FUNC(gethostbyname2, inet6 ip6)
+
+AC_FIND_FUNC(res_search, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_FIND_FUNC(dn_expand, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_BROKEN_SNPRINTF
+AC_BROKEN_VSNPRINTF
+
+AC_BROKEN_GLOB
+if test "$ac_cv_func_glob_working" != yes; then
+	LIBOBJS="$LIBOBJS glob.o"
+fi
+AM_CONDITIONAL(have_glob_h, test "$ac_cv_func_glob_working" = yes)
+
+
+AC_CHECK_FUNCS([				\
+	asnprintf				\
+	asprintf				\
+	cgetent					\
+	getconfattr				\
+	getprogname				\
+	getrlimit				\
+	getspnam				\
+	setprogname				\
+	strsvis					\
+	strunvis				\
+	strvis					\
+	strvisx					\
+	svis					\
+	sysconf					\
+	sysctl					\
+	uname					\
+	unvis					\
+	vasnprintf				\
+	vasprintf				\
+	vis					\
+])
+
+if test "$ac_cv_func_cgetent" = no; then
+	LIBOBJS="$LIBOBJS getcap.o"
+fi
+
+AC_REQUIRE([AC_FUNC_GETLOGIN])
+
+AC_FIND_FUNC_NO_LIBS(getsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+AC_FIND_FUNC_NO_LIBS(setsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+
+AC_FIND_IF_NOT_BROKEN(hstrerror, resolv,
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+17)
+if test "$ac_cv_func_hstrerror" = yes; then
+AC_NEED_PROTO([
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+hstrerror)
+fi
+
+dnl sigh, wish this could be done in a loop
+if test "$ac_cv_func_asprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+asprintf)dnl
+fi
+if test "$ac_cv_func_vasprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+vasprintf)dnl
+fi
+if test "$ac_cv_func_asnprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+asnprintf)dnl
+fi
+if test "$ac_cv_func_vasnprintf" = yes; then
+AC_NEED_PROTO([
+#include <stdio.h>
+#include <string.h>],
+vasnprintf)dnl
+fi
+
+AC_FIND_FUNC_NO_LIBS(bswap16,,
+[#ifdef HAVE_SYS_BSWAP_H
+#include <sys/bswap.h>
+#endif],0)
+
+AC_FIND_FUNC_NO_LIBS(bswap32,,
+[#ifdef HAVE_SYS_BSWAP_H
+#include <sys/bswap.h>
+#endif],0)
+
+AC_FIND_FUNC_NO_LIBS(pidfile,util,
+[#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif],0)
+
+AC_BROKEN([					\
+	chown					\
+	copyhostent				\
+	daemon					\
+	err					\
+	errx					\
+	fchown					\
+	flock					\
+	fnmatch					\
+	freeaddrinfo				\
+	freehostent				\
+	gai_strerror				\
+	getaddrinfo				\
+	getcwd					\
+	getdtablesize				\
+	getegid					\
+	geteuid					\
+	getgid					\
+	gethostname				\
+	getifaddrs				\
+	getipnodebyaddr				\
+	getipnodebyname				\
+	getnameinfo				\
+	getopt					\
+	gettimeofday				\
+	getuid					\
+	getusershell				\
+	initgroups				\
+	innetgr					\
+	iruserok				\
+	lstat					\
+	memmove					\
+	mkstemp					\
+	putenv					\
+	rcmd					\
+	readv					\
+	recvmsg					\
+	sendmsg					\
+	setegid					\
+	setenv					\
+	seteuid					\
+	strcasecmp				\
+	strdup					\
+	strerror				\
+	strftime				\
+	strlcat					\
+	strlcpy					\
+	strlwr					\
+	strncasecmp				\
+	strndup					\
+	strnlen					\
+	strptime				\
+	strsep					\
+	strsep_copy				\
+	strtok_r				\
+	strupr					\
+	swab					\
+	unsetenv				\
+	verr					\
+	verrx					\
+	vsyslog					\
+	vwarn					\
+	vwarnx					\
+	warn					\
+	warnx					\
+	writev					\
+])
+
+AC_BROKEN2(inet_aton,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0,0])
+
+AC_BROKEN2(inet_ntop,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0, 0, 0, 0])
+
+AC_BROKEN2(inet_pton,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+[0,0,0])
+
+dnl
+dnl Check for sa_len in struct sockaddr, 
+dnl needs to come before the getnameinfo test
+dnl
+AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include <sys/types.h>
+#include <sys/socket.h>])
+
+if test "$ac_cv_func_getnameinfo" = "yes"; then
+  rk_BROKEN_GETNAMEINFO
+  if test "$ac_cv_func_getnameinfo_broken" = yes; then
+    LIBOBJS="$LIBOBJS getnameinfo.o"
+  fi
+fi
+
+AC_NEED_PROTO([#include <stdlib.h>], setenv)
+AC_NEED_PROTO([#include <stdlib.h>], unsetenv)
+AC_NEED_PROTO([#include <unistd.h>], gethostname)
+AC_NEED_PROTO([#include <unistd.h>], mkstemp)
+AC_NEED_PROTO([#include <unistd.h>], getusershell)
+
+AC_NEED_PROTO([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+inet_aton)
+
+AC_FIND_FUNC_NO_LIBS(crypt, crypt)dnl
+
+AC_REQUIRE([rk_BROKEN_REALLOC])dnl
+
+dnl AC_KRB_FUNC_GETCWD_BROKEN
+
+dnl
+dnl Checks for prototypes and declarations
+dnl
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyname, struct hostent *gethostbyname(const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyaddr, struct hostent *gethostbyaddr(const void *, size_t, int))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+getservbyname, struct servent *getservbyname(const char *, const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+],
+getsockname, int getsockname(int, struct sockaddr*, socklen_t*))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+],
+openlog, void openlog(const char *, int, int))
+
+AC_NEED_PROTO([
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+],
+crypt)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strtok_r)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strsep)
+
+dnl variables
+
+rk_CHECK_VAR(h_errno, 
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR(h_errlist, 
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR(h_nerr, 
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif])
+
+rk_CHECK_VAR([__progname], 
+[#ifdef HAVE_ERR_H
+#include <err.h>
+#endif])
+
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optarg)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optind)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], opterr)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optopt)
+
+AC_CHECK_DECLARATION([#include <stdlib.h>], environ)
+
+dnl
+dnl Check for fields in struct tm
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct tm, tm_gmtoff, [#include <time.h>])
+AC_HAVE_STRUCT_FIELD(struct tm, tm_zone, [#include <time.h>])
+
+dnl
+dnl or do we have a variable `timezone' ?
+dnl
+
+rk_CHECK_VAR(timezone,[#include <time.h>])
+
+AC_HAVE_TYPE([sa_family_t],[#include <sys/socket.h>])
+AC_HAVE_TYPE([socklen_t],[#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr], [#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr_storage], [#include <sys/socket.h>])
+AC_HAVE_TYPE([struct addrinfo], [#include <netdb.h>])
+AC_HAVE_TYPE([struct ifaddrs], [#include <ifaddrs.h>])
+
+dnl
+dnl Check for struct winsize
+dnl
+
+AC_KRB_STRUCT_WINSIZE
+
+dnl
+dnl Check for struct spwd
+dnl
+
+AC_KRB_STRUCT_SPWD
+
+dnl won't work with automake
+dnl moved to AC_OUTPUT in configure.in
+dnl AC_CONFIG_FILES($1/Makefile)
+
+LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
+
+AC_SUBST(DIR_roken)dnl
+AC_SUBST(LIB_roken)dnl
+AC_SUBST(INCLUDES_roken)dnl
+])
\ No newline at end of file
diff --git a/crypto/heimdal/cf/roken.m4 b/crypto/heimdal/cf/roken.m4
new file mode 100644
index 0000000..f5a8678
--- /dev/null
+++ b/crypto/heimdal/cf/roken.m4
@@ -0,0 +1,64 @@
+dnl $Id: roken.m4,v 1.2 2000/07/08 15:50:34 assar Exp $
+dnl
+dnl try to look for an installed roken library with sufficient stuff
+dnl
+dnl set LIB_roken to the what we should link with
+dnl set DIR_roken to if the directory should be built
+dnl set CPPFLAGS_roken to stuff to add to CPPFLAGS
+
+dnl AC_ROKEN(version,directory-to-try,roken-dir,fallback-library,fallback-cppflags)
+AC_DEFUN(AC_ROKEN, [
+
+AC_ARG_WITH(roken,
+[  --with-roken=dir	use the roken library in dir],
+[if test "$withval" = "no"; then
+  AC_MSG_ERROR(roken is required)
+fi])
+
+save_CPPFLAGS="${CPPFLAGS}"
+
+case $with_roken in
+yes|"")
+  dirs="$2" ;;
+*)
+  dirs="$with_roken" ;;
+esac
+
+roken_installed=no
+
+for i in $dirs; do
+
+AC_MSG_CHECKING(for roken in $i)
+
+CPPFLAGS="-I$i/include ${CPPFLAGS}"
+
+AC_TRY_CPP(
+[#include <roken.h>
+#if ROKEN_VERSION < $1
+#error old roken version, should be $1
+fail
+#endif
+],[roken_installed=yes; break])
+
+AC_MSG_RESULT($roken_installed)
+
+done
+
+CPPFLAGS="$save_CPPFLAGS"
+
+if test "$roken_installed" != "yes"; then
+  DIR_roken="roken"
+  LIB_roken='$4'
+  CPPFLAGS_roken='$5'
+  AC_CONFIG_SUBDIRS(lib/roken)
+else
+  LIB_roken="$i/lib/libroken.la"
+  CPPFLAGS_roken="-I$i/include"
+fi
+
+LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
+
+AC_SUBST(LIB_roken)dnl
+AC_SUBST(DIR_roken)dnl
+AC_SUBST(CPPFLAGS_roken)dnl
+])
diff --git a/crypto/heimdal/cf/shared-libs.m4 b/crypto/heimdal/cf/shared-libs.m4
new file mode 100644
index 0000000..bddc121
--- /dev/null
+++ b/crypto/heimdal/cf/shared-libs.m4
@@ -0,0 +1,192 @@
+dnl
+dnl $Id: shared-libs.m4,v 1.6 2000/11/17 02:59:27 assar Exp $
+dnl
+dnl Shared library stuff has to be different everywhere
+dnl
+
+AC_DEFUN(AC_SHARED_LIBS, [
+
+dnl Check if we want to use shared libraries
+AC_ARG_ENABLE(shared,
+[  --enable-shared         create shared libraries for Kerberos])
+
+AC_SUBST(CFLAGS)dnl
+AC_SUBST(LDFLAGS)dnl
+
+case ${enable_shared} in
+  yes ) enable_shared=yes;;
+  no  ) enable_shared=no;;
+  *   ) enable_shared=no;;
+esac
+
+# NOTE: Building shared libraries may not work if you do not use gcc!
+#
+# OS		$SHLIBEXT
+# HP-UX		sl
+# Linux		so
+# NetBSD	so
+# FreeBSD	so
+# OSF		so
+# SunOS5	so
+# SunOS4	so.0.5
+# Irix		so
+#
+# LIBEXT is the extension we should build (.a or $SHLIBEXT)
+LINK='$(CC)'
+AC_SUBST(LINK)
+lib_deps=yes
+REAL_PICFLAGS="-fpic"
+LDSHARED='$(CC) $(PICFLAGS) -shared'
+LIBPREFIX=lib
+build_symlink_command=@true
+install_symlink_command=@true
+install_symlink_command2=@true
+REAL_SHLIBEXT=so
+changequote({,})dnl
+SHLIB_VERSION=`echo $VERSION | sed 's/\([0-9.]*\).*/\1/'`
+SHLIB_SONAME=`echo $VERSION | sed 's/\([0-9]*\).*/\1/'`
+changequote([,])dnl
+case "${host}" in
+*-*-hpux*)
+	REAL_SHLIBEXT=sl
+	REAL_LD_FLAGS='-Wl,+b$(libdir)'
+	if test -z "$GCC"; then
+		LDSHARED="ld -b"
+		REAL_PICFLAGS="+z"
+	fi
+	lib_deps=no
+	;;
+*-*-linux*)
+	LDSHARED='$(CC) -shared -Wl,-soname,$(LIBNAME).so.'"${SHLIB_SONAME}"
+	REAL_LD_FLAGS='-Wl,-rpath,$(libdir)'
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	build_symlink_command='$(LN_S) -f [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	;;
+changequote(,)dnl
+*-*-freebsd[345]* | *-*-freebsdelf[345]*)
+changequote([,])dnl
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	build_symlink_command='$(LN_S) -f [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	;;
+*-*-*bsd*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	LDSHARED='ld -Bshareable'
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	;;
+*-*-osf*)
+	REAL_LD_FLAGS='-Wl,-rpath,$(libdir)'
+	REAL_PICFLAGS=
+	LDSHARED='ld -shared -expect_unresolved \*'
+	;;
+*-*-solaris2*)
+	LDSHARED='$(CC) -shared -Wl,-soname,$(LIBNAME).so.'"${SHLIB_SONAME}"
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	build_symlink_command='$(LN_S) [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	if test -z "$GCC"; then
+		LDSHARED='$(CC) -G -h$(LIBNAME).so.'"${SHLIB_SONAME}"
+		REAL_PICFLAGS="-Kpic"
+	fi
+	;;
+*-fujitsu-uxpv*)
+	REAL_LD_FLAGS='' # really: LD_RUN_PATH=$(libdir) cc -o ...
+	REAL_LINK='LD_RUN_PATH=$(libdir) $(CC)'
+	LDSHARED='$(CC) -G'
+	REAL_PICFLAGS="-Kpic"
+	lib_deps=no # fails in mysterious ways
+	;;
+*-*-sunos*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	REAL_LD_FLAGS='-Wl,-L$(libdir)'
+	lib_deps=no
+	;;
+*-*-irix*)
+        libdir="${libdir}${abilibdirext}"
+        REAL_LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)"
+        LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)"
+	LDSHARED="\$(CC) -shared ${abi}"
+        REAL_PICFLAGS=
+        CFLAGS="${abi} ${CFLAGS}"
+	;;
+*-*-os2*)
+	LIBPREFIX=
+	EXECSUFFIX='.exe'
+	RANLIB=EMXOMF
+	LD_FLAGS=-Zcrtdll
+	REAL_SHLIBEXT=nobuild
+	;;
+*-*-cygwin32*)
+	EXECSUFFIX='.exe'
+	REAL_SHLIBEXT=nobuild
+	;;
+*)	REAL_SHLIBEXT=nobuild
+	REAL_PICFLAGS= 
+	;;
+esac
+
+if test "${enable_shared}" != "yes" ; then 
+ PICFLAGS=""
+ SHLIBEXT="nobuild"
+ LIBEXT="a"
+ build_symlink_command=@true
+ install_symlink_command=@true
+ install_symlink_command2=@true
+else
+ PICFLAGS="$REAL_PICFLAGS"
+ SHLIBEXT="$REAL_SHLIBEXT"
+ LIBEXT="$SHLIBEXT"
+ AC_MSG_CHECKING(whether to use -rpath)
+ case "$libdir" in
+   /lib | /usr/lib | /usr/local/lib)
+     AC_MSG_RESULT(no)
+     REAL_LD_FLAGS=
+     LD_FLAGS=
+     ;;
+   *)
+     LD_FLAGS="$REAL_LD_FLAGS"
+     test "$REAL_LINK" && LINK="$REAL_LINK"
+     AC_MSG_RESULT($LD_FLAGS)
+     ;;
+   esac
+fi
+
+if test "$lib_deps" = yes; then
+	lib_deps_yes=""
+	lib_deps_no="# "
+else
+	lib_deps_yes="# "
+	lib_deps_no=""
+fi
+AC_SUBST(lib_deps_yes)
+AC_SUBST(lib_deps_no)
+
+# use supplied ld-flags, or none if `no'
+if test "$with_ld_flags" = no; then
+	LD_FLAGS=
+elif test -n "$with_ld_flags"; then
+	LD_FLAGS="$with_ld_flags"
+fi
+
+AC_SUBST(REAL_PICFLAGS) dnl
+AC_SUBST(REAL_SHLIBEXT) dnl
+AC_SUBST(REAL_LD_FLAGS) dnl
+
+AC_SUBST(PICFLAGS) dnl
+AC_SUBST(SHLIBEXT) dnl
+AC_SUBST(LDSHARED) dnl
+AC_SUBST(LD_FLAGS) dnl
+AC_SUBST(LIBEXT) dnl
+AC_SUBST(LIBPREFIX) dnl
+AC_SUBST(EXECSUFFIX) dnl
+
+AC_SUBST(build_symlink_command)dnl
+AC_SUBST(install_symlink_command)dnl
+AC_SUBST(install_symlink_command2)dnl
+])
diff --git a/crypto/heimdal/cf/test-package.m4 b/crypto/heimdal/cf/test-package.m4
new file mode 100644
index 0000000..6aac770
--- /dev/null
+++ b/crypto/heimdal/cf/test-package.m4
@@ -0,0 +1,93 @@
+dnl $Id: test-package.m4,v 1.9 2000/12/15 04:54:24 assar Exp $
+dnl
+dnl AC_TEST_PACKAGE_NEW(package,headers,libraries,extra libs,default locations, conditional)
+
+AC_DEFUN(AC_TEST_PACKAGE,[AC_TEST_PACKAGE_NEW($1,[#include <$2>],$4,,$5)])
+
+AC_DEFUN(AC_TEST_PACKAGE_NEW,[
+AC_ARG_WITH($1,
+[  --with-$1=dir                use $1 in dir])
+AC_ARG_WITH($1-lib,
+[  --with-$1-lib=dir            use $1 libraries in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-lib])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+AC_ARG_WITH($1-include,
+[  --with-$1-include=dir        use $1 headers in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-include])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+
+AC_MSG_CHECKING(for $1)
+
+case "$with_$1" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_$1_include" = ""; then
+		with_$1_include="$with_$1/include"
+	fi
+	if test "$with_$1_lib" = ""; then
+		with_$1_lib="$with_$1/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d='$5'
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_$1_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_$1_include $header_dirs";;
+esac
+case "$with_$1_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_$1_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	AC_TRY_COMPILE([$2],,ires=$i;break)
+done
+for i in $lib_dirs; do
+	LIBS="-L$i $3 $4 $save_LIBS"
+	AC_TRY_LINK([$2],,lres=$i;break)
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
+	$1_includedir="$ires"
+	$1_libdir="$lres"
+	INCLUDE_$1="-I$$1_includedir"
+	LIB_$1="-L$$1_libdir $3"
+	m4_ifval([$6],
+		AC_DEFINE_UNQUOTED($6,1,[Define if you have the $1 package.]),
+		AC_DEFINE_UNQUOTED(upcase($1),1,[Define if you have the $1 package.]))
+	with_$1=yes
+	AC_MSG_RESULT([headers $ires, libraries $lres])
+else
+	INCLUDE_$1=
+	LIB_$1=
+	with_$1=no
+	AC_MSG_RESULT($with_$1)
+fi
+dnl m4_ifval([$6],
+dnl 	AM_CONDITIONAL($6, test "$with_$1" = yes)
+dnl 	AM_CONDITIONAL(upcase($1), test "$with_$1" = yes))
+AC_SUBST(INCLUDE_$1)
+AC_SUBST(LIB_$1)
+])
diff --git a/crypto/heimdal/cf/wflags.m4 b/crypto/heimdal/cf/wflags.m4
new file mode 100644
index 0000000..6d9e073
--- /dev/null
+++ b/crypto/heimdal/cf/wflags.m4
@@ -0,0 +1,21 @@
+dnl $Id: wflags.m4,v 1.3 1999/03/11 12:11:41 joda Exp $
+dnl
+dnl set WFLAGS
+
+AC_DEFUN(AC_WFLAGS,[
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+if test -z "$WFLAGS" -a "$GCC" = "yes"; then
+  # -Wno-implicit-int for broken X11 headers
+  # leave these out for now:
+  #   -Wcast-align doesn't work well on alpha osf/1
+  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
+  #   -Wmissing-declarations -Wnested-externs
+  WFLAGS="ifelse($#, 0,-Wall, $1)"
+  WFLAGS_NOUNUSED="-Wno-unused"
+  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+fi
+AC_SUBST(WFLAGS)dnl
+AC_SUBST(WFLAGS_NOUNUSED)dnl
+AC_SUBST(WFLAGS_NOIMPLICITINT)dnl
+])
diff --git a/crypto/heimdal/config.guess b/crypto/heimdal/config.guess
new file mode 100755
index 0000000..265ea69
--- /dev/null
+++ b/crypto/heimdal/config.guess
@@ -0,0 +1,1291 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000
+#   Free Software Foundation, Inc.
+
+version='2000-09-05'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Written by Per Bothner <bothner@cygnus.com>.
+# Please send patches to <config-patches@gnu.org>.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub.  If it succeeds, it prints the system name on stdout, and
+# exits with 0.  Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit system type (host/target name).
+#
+# Only a few systems have been added to this list; please add others
+# (but try to keep the structure clean).
+#
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of this system.
+
+Operation modes:
+  -h, --help               print this help, then exit
+  -V, --version            print version number, then exit"
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case "$1" in
+    --version | --vers* | -V )
+       echo "$version" ; exit 0 ;;
+    --help | --h* | -h )
+       echo "$usage"; exit 0 ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       exec >&2
+       echo "$me: invalid option $1"
+       echo "$help"
+       exit 1 ;;
+    * )
+       break ;;
+  esac
+done
+
+if test $# != 0; then
+  echo "$me: too many arguments$help" >&2
+  exit 1
+fi
+
+# Use $HOST_CC if defined. $CC may point to a cross-compiler
+if test x"$CC_FOR_BUILD" = x; then
+  if test x"$HOST_CC" != x; then
+    CC_FOR_BUILD="$HOST_CC"
+  else
+    if test x"$CC" != x; then
+      CC_FOR_BUILD="$CC"
+    else
+      CC_FOR_BUILD=cc
+    fi
+  fi
+fi
+
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 8/24/94.)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+	PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+dummy=dummy-$$
+trap 'rm -f $dummy.c $dummy.o $dummy; exit 1' 1 2 15
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    *:NetBSD:*:*)
+	# Netbsd (nbsd) targets should (where applicable) match one or
+	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
+	# switched to ELF, *-*-netbsd* would select the old
+	# object file format.  This provides both forward
+	# compatibility and a consistent mechanism for selecting the
+	# object file format.
+	# Determine the machine/vendor (is the vendor relevant).
+	case "${UNAME_MACHINE}" in
+	    amiga) machine=m68k-unknown ;;
+	    arm32) machine=arm-unknown ;;
+	    atari*) machine=m68k-atari ;;
+	    sun3*) machine=m68k-sun ;;
+	    mac68k) machine=m68k-apple ;;
+	    macppc) machine=powerpc-apple ;;
+	    hp3[0-9][05]) machine=m68k-hp ;;
+	    ibmrt|romp-ibm) machine=romp-ibm ;;
+	    *) machine=${UNAME_MACHINE}-unknown ;;
+	esac
+	# The Operating System including object format.
+	if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+		| grep __ELF__ >/dev/null
+	then
+	    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+	    # Return netbsd for either.  FIX?
+	    os=netbsd
+	else
+	    os=netbsdelf
+	fi
+	# The OS release
+	release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+	# contains redundant information, the shorter form:
+	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+	echo "${machine}-${os}${release}"
+	exit 0 ;;
+    alpha:OSF1:*:*)
+	if test $UNAME_RELEASE = "V4.0"; then
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+	fi
+	# A Vn.n version is a released version.
+	# A Tn.n version is a released field test version.
+	# A Xn.n version is an unreleased experimental baselevel.
+	# 1.2 uses "1.2" for uname -r.
+	cat <<EOF >$dummy.s
+	.data
+\$Lformat:
+	.byte 37,100,45,37,120,10,0	# "%d-%x\n"
+
+	.text
+	.globl main
+	.align 4
+	.ent main
+main:
+	.frame \$30,16,\$26,0
+	ldgp \$29,0(\$27)
+	.prologue 1
+	.long 0x47e03d80 # implver \$0
+	lda \$2,-1
+	.long 0x47e20c21 # amask \$2,\$1
+	lda \$16,\$Lformat
+	mov \$0,\$17
+	not \$1,\$18
+	jsr \$26,printf
+	ldgp \$29,0(\$26)
+	mov 0,\$16
+	jsr \$26,exit
+	.end main
+EOF
+	$CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null
+	if test "$?" = 0 ; then
+		case `./$dummy` in
+			0-0)
+				UNAME_MACHINE="alpha"
+				;;
+			1-0)
+				UNAME_MACHINE="alphaev5"
+				;;
+			1-1)
+				UNAME_MACHINE="alphaev56"
+				;;
+			1-101)
+				UNAME_MACHINE="alphapca56"
+				;;
+			2-303)
+				UNAME_MACHINE="alphaev6"
+				;;
+			2-307)
+				UNAME_MACHINE="alphaev67"
+				;;
+		esac
+	fi
+	rm -f $dummy.s $dummy
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	exit 0 ;;
+    Alpha\ *:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# Should we change UNAME_MACHINE based on the output of uname instead
+	# of the specific Alpha model?
+	echo alpha-pc-interix
+	exit 0 ;;
+    21064:Windows_NT:50:3)
+	echo alpha-dec-winnt3.5
+	exit 0 ;;
+    Amiga*:UNIX_System_V:4.0:*)
+	echo m68k-unknown-sysv4
+	exit 0;;
+    amiga:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    *:[Aa]miga[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-amigaos
+	exit 0 ;;
+    arc64:OpenBSD:*:*)
+	echo mips64el-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    arc:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    hkmips:OpenBSD:*:*)
+	echo mips-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    pmax:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    sgi:OpenBSD:*:*)
+	echo mips-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    wgrisc:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    *:OS/390:*:*)
+	echo i370-ibm-openedition
+	exit 0 ;;
+    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+	echo arm-acorn-riscix${UNAME_RELEASE}
+	exit 0;;
+    SR2?01:HI-UX/MPP:*:*)
+	echo hppa1.1-hitachi-hiuxmpp
+	exit 0;;
+    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+	if test "`(/bin/universe) 2>/dev/null`" = att ; then
+		echo pyramid-pyramid-sysv3
+	else
+		echo pyramid-pyramid-bsd
+	fi
+	exit 0 ;;
+    NILE*:*:*:dcosx)
+	echo pyramid-pyramid-svr4
+	exit 0 ;;
+    sun4H:SunOS:5.*:*)
+	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    i86pc:SunOS:5.*:*)
+	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:6*:*)
+	# According to config.sub, this is the proper way to canonicalize
+	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
+	# it's likely to be more like Solaris than SunOS4.
+	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:*:*)
+	case "`/usr/bin/arch -k`" in
+	    Series*|S4*)
+		UNAME_RELEASE=`uname -v`
+		;;
+	esac
+	# Japanese Language versions have a version number like `4.1.3-JL'.
+	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	exit 0 ;;
+    sun3*:SunOS:*:*)
+	echo m68k-sun-sunos${UNAME_RELEASE}
+	exit 0 ;;
+    sun*:*:4.2BSD:*)
+	UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	case "`/bin/arch`" in
+	    sun3)
+		echo m68k-sun-sunos${UNAME_RELEASE}
+		;;
+	    sun4)
+		echo sparc-sun-sunos${UNAME_RELEASE}
+		;;
+	esac
+	exit 0 ;;
+    aushp:SunOS:*:*)
+	echo sparc-auspex-sunos${UNAME_RELEASE}
+	exit 0 ;;
+    atari*:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    # The situation for MiNT is a little confusing.  The machine name
+    # can be virtually everything (everything which is not
+    # "atarist" or "atariste" at least should have a processor 
+    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
+    # to the lowercase version "mint" (or "freemint").  Finally
+    # the system name "TOS" denotes a system which is actually not
+    # MiNT.  But MiNT is downward compatible to TOS, so this should
+    # be no problem.
+    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit 0 ;;
+    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+        exit 0 ;;
+    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit 0 ;;
+    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+        echo m68k-milan-mint${UNAME_RELEASE}
+        exit 0 ;;
+    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+        echo m68k-hades-mint${UNAME_RELEASE}
+        exit 0 ;;
+    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+        echo m68k-unknown-mint${UNAME_RELEASE}
+        exit 0 ;;
+    sun3*:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mac68k:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mvme68k:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mvme88k:OpenBSD:*:*)
+	echo m88k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    powerpc:machten:*:*)
+	echo powerpc-apple-machten${UNAME_RELEASE}
+	exit 0 ;;
+    RISC*:Mach:*:*)
+	echo mips-dec-mach_bsd4.3
+	exit 0 ;;
+    RISC*:ULTRIX:*:*)
+	echo mips-dec-ultrix${UNAME_RELEASE}
+	exit 0 ;;
+    VAX*:ULTRIX*:*:*)
+	echo vax-dec-ultrix${UNAME_RELEASE}
+	exit 0 ;;
+    2020:CLIX:*:* | 2430:CLIX:*:*)
+	echo clipper-intergraph-clix${UNAME_RELEASE}
+	exit 0 ;;
+    mips:*:*:UMIPS | mips:*:*:RISCos)
+	sed 's/^	//' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+	#if defined (host_mips) && defined (MIPSEB)
+	#if defined (SYSTYPE_SYSV)
+	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_SVR4)
+	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	#endif
+	#endif
+	  exit (-1);
+	}
+EOF
+	$CC_FOR_BUILD $dummy.c -o $dummy \
+	  && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
+	  && rm $dummy.c $dummy && exit 0
+	rm -f $dummy.c $dummy
+	echo mips-mips-riscos${UNAME_RELEASE}
+	exit 0 ;;
+    Night_Hawk:Power_UNIX:*:*)
+	echo powerpc-harris-powerunix
+	exit 0 ;;
+    m88k:CX/UX:7*:*)
+	echo m88k-harris-cxux7
+	exit 0 ;;
+    m88k:*:4*:R4*)
+	echo m88k-motorola-sysv4
+	exit 0 ;;
+    m88k:*:3*:R3*)
+	echo m88k-motorola-sysv3
+	exit 0 ;;
+    AViiON:dgux:*:*)
+        # DG/UX returns AViiON for all architectures
+        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110]
+	then
+	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    then
+		echo m88k-dg-dgux${UNAME_RELEASE}
+	    else
+		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	    fi
+	else
+	    echo i586-dg-dgux${UNAME_RELEASE}
+	fi
+ 	exit 0 ;;
+    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
+	echo m88k-dolphin-sysv3
+	exit 0 ;;
+    M88*:*:R3*:*)
+	# Delta 88k system running SVR3
+	echo m88k-motorola-sysv3
+	exit 0 ;;
+    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+	echo m88k-tektronix-sysv3
+	exit 0 ;;
+    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+	echo m68k-tektronix-bsd
+	exit 0 ;;
+    *:IRIX*:*:*)
+	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	exit 0 ;;
+    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+	echo romp-ibm-aix      # uname -m gives an 8 hex-code CPU id
+	exit 0 ;;              # Note that: echo "'`uname -s`'" gives 'AIX '
+    i?86:AIX:*:*)
+	echo i386-ibm-aix
+	exit 0 ;;
+    *:AIX:2:3)
+	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+		sed 's/^		//' << EOF >$dummy.c
+		#include <sys/systemcfg.h>
+
+		main()
+			{
+			if (!__power_pc())
+				exit(1);
+			puts("powerpc-ibm-aix3.2.5");
+			exit(0);
+			}
+EOF
+		$CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
+		rm -f $dummy.c $dummy
+		echo rs6000-ibm-aix3.2.5
+	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+		echo rs6000-ibm-aix3.2.4
+	else
+		echo rs6000-ibm-aix3.2
+	fi
+	exit 0 ;;
+    *:AIX:*:4)
+	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'`
+	if /usr/sbin/lsattr -EHl ${IBM_CPU_ID} | grep POWER >/dev/null 2>&1; then
+		IBM_ARCH=rs6000
+	else
+		IBM_ARCH=powerpc
+	fi
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=4.${UNAME_RELEASE}
+	fi
+	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	exit 0 ;;
+    *:AIX:*:*)
+	echo rs6000-ibm-aix
+	exit 0 ;;
+    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+	echo romp-ibm-bsd4.4
+	exit 0 ;;
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
+	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	exit 0 ;;                           # report: romp-ibm BSD 4.3
+    *:BOSX:*:*)
+	echo rs6000-bull-bosx
+	exit 0 ;;
+    DPX/2?00:B.O.S.:*:*)
+	echo m68k-bull-sysv3
+	exit 0 ;;
+    9000/[34]??:4.3bsd:1.*:*)
+	echo m68k-hp-bsd
+	exit 0 ;;
+    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+	echo m68k-hp-bsd4.4
+	exit 0 ;;
+    9000/[34678]??:HP-UX:*:*)
+	case "${UNAME_MACHINE}" in
+	    9000/31? )            HP_ARCH=m68000 ;;
+	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/[678][0-9][0-9])
+              sed 's/^              //' << EOF >$dummy.c
+
+              #define _HPUX_SOURCE
+              #include <stdlib.h>
+              #include <unistd.h>
+
+              int main ()
+              {
+              #if defined(_SC_KERNEL_BITS)
+                  long bits = sysconf(_SC_KERNEL_BITS);
+              #endif
+                  long cpu  = sysconf (_SC_CPU_VERSION);
+
+                  switch (cpu)
+              	{
+              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+              	case CPU_PA_RISC2_0:
+              #if defined(_SC_KERNEL_BITS)
+              	    switch (bits)
+              		{
+              		case 64: puts ("hppa2.0w"); break;
+              		case 32: puts ("hppa2.0n"); break;
+              		default: puts ("hppa2.0"); break;
+              		} break;
+              #else  /* !defined(_SC_KERNEL_BITS) */
+              	    puts ("hppa2.0"); break;
+              #endif
+              	default: puts ("hppa1.0"); break;
+              	}
+                  exit (0);
+              }
+EOF
+	(CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy`
+	rm -f $dummy.c $dummy
+	esac
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	exit 0 ;;
+    3050*:HI-UX:*:*)
+	sed 's/^	//' << EOF >$dummy.c
+	#include <unistd.h>
+	int
+	main ()
+	{
+	  long cpu = sysconf (_SC_CPU_VERSION);
+	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
+	     results, however.  */
+	  if (CPU_IS_PA_RISC (cpu))
+	    {
+	      switch (cpu)
+		{
+		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+		  default: puts ("hppa-hitachi-hiuxwe2"); break;
+		}
+	    }
+	  else if (CPU_IS_HP_MC68K (cpu))
+	    puts ("m68k-hitachi-hiuxwe2");
+	  else puts ("unknown-hitachi-hiuxwe2");
+	  exit (0);
+	}
+EOF
+	$CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
+	rm -f $dummy.c $dummy
+	echo unknown-hitachi-hiuxwe2
+	exit 0 ;;
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+	echo hppa1.1-hp-bsd
+	exit 0 ;;
+    9000/8??:4.3bsd:*:*)
+	echo hppa1.0-hp-bsd
+	exit 0 ;;
+    *9??*:MPE/iX:*:*)
+	echo hppa1.0-hp-mpeix
+	exit 0 ;;
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+	echo hppa1.1-hp-osf
+	exit 0 ;;
+    hp8??:OSF1:*:*)
+	echo hppa1.0-hp-osf
+	exit 0 ;;
+    i?86:OSF1:*:*)
+	if [ -x /usr/sbin/sysversion ] ; then
+	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	else
+	    echo ${UNAME_MACHINE}-unknown-osf1
+	fi
+	exit 0 ;;
+    parisc*:Lites*:*:*)
+	echo hppa1.1-hp-lites
+	exit 0 ;;
+    hppa*:OpenBSD:*:*)
+	echo hppa-unknown-openbsd
+	exit 0 ;;
+    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+	echo c1-convex-bsd
+        exit 0 ;;
+    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+        exit 0 ;;
+    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+	echo c34-convex-bsd
+        exit 0 ;;
+    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+	echo c38-convex-bsd
+        exit 0 ;;
+    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+	echo c4-convex-bsd
+        exit 0 ;;
+    CRAY*X-MP:*:*:*)
+	echo xmp-cray-unicos
+        exit 0 ;;
+    CRAY*Y-MP:*:*:*)
+	echo ymp-cray-unicos${UNAME_RELEASE}
+	exit 0 ;;
+    CRAY*[A-Z]90:*:*:*)
+	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/
+	exit 0 ;;
+    CRAY*TS:*:*:*)
+	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit 0 ;;
+    CRAY*T3E:*:*:*)
+	echo alpha-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit 0 ;;
+    CRAY*SV1:*:*:*)
+	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'    
+	exit 0 ;;
+    CRAY-2:*:*:*)
+	echo cray2-cray-unicos
+        exit 0 ;;
+    F300:UNIX_System_V:*:*)
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+        echo "f300-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+        exit 0 ;;
+    F301:UNIX_System_V:*:*)
+       echo f301-fujitsu-uxpv`echo $UNAME_RELEASE | sed 's/ .*//'`
+       exit 0 ;;
+    hp300:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    i?86:BSD/386:*:* | i?86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    sparc*:BSD/OS:*:*)
+	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    *:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    *:FreeBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit 0 ;;
+    *:OpenBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+	exit 0 ;;
+    i*:CYGWIN*:*)
+	echo ${UNAME_MACHINE}-pc-cygwin
+	exit 0 ;;
+    i*:MINGW*:*)
+	echo ${UNAME_MACHINE}-pc-mingw32
+	exit 0 ;;
+    i*:PW*:*)
+	echo ${UNAME_MACHINE}-pc-pw32
+	exit 0 ;;
+    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+	# UNAME_MACHINE based on the output of uname instead of i386?
+	echo i386-pc-interix
+	exit 0 ;;
+    i*:UWIN*:*)
+	echo ${UNAME_MACHINE}-pc-uwin
+	exit 0 ;;
+    p*:CYGWIN*:*)
+	echo powerpcle-unknown-cygwin
+	exit 0 ;;
+    prep*:SunOS:5.*:*)
+	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    *:GNU:*:*)
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	exit 0 ;;
+    i*86:Minix:*:*)
+	echo ${UNAME_MACHINE}-pc-minix
+	exit 0 ;;
+    *:Linux:*:*)
+
+	# The BFD linker knows what the default object file format is, so
+	# first see if it will tell us. cd to the root directory to prevent
+	# problems with other programs or directories called `ld' in the path.
+	ld_help_string=`cd /; ld --help 2>&1`
+	ld_supported_emulations=`echo $ld_help_string \
+			 | sed -ne '/supported emulations:/!d
+				    s/[ 	][ 	]*/ /g
+				    s/.*supported emulations: *//
+				    s/ .*//
+				    p'`
+        case "$ld_supported_emulations" in
+	  *ia64)
+		echo "${UNAME_MACHINE}-unknown-linux"
+		exit 0
+		;;
+	  i?86linux)
+		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+		exit 0
+		;;
+	  elf_i?86)
+		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+		;;
+	  i?86coff)
+		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+		exit 0
+		;;
+	  sparclinux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+		exit 0
+		;;
+	  armlinux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+		exit 0
+		;;
+	  elf32arm*)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuoldld"
+		exit 0
+		;;
+	  armelf_linux*)
+		echo "${UNAME_MACHINE}-unknown-linux-gnu"
+		exit 0
+		;;
+	  m68klinux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+		exit 0
+		;;
+	  elf32ppc | elf32ppclinux)
+		# Determine Lib Version
+		cat >$dummy.c <<EOF
+#include <features.h>
+#if defined(__GLIBC__)
+extern char __libc_version[];
+extern char __libc_release[];
+#endif
+main(argc, argv)
+     int argc;
+     char *argv[];
+{
+#if defined(__GLIBC__)
+  printf("%s %s\n", __libc_version, __libc_release);
+#else
+  printf("unkown\n");
+#endif
+  return 0;
+}
+EOF
+		LIBC=""
+		$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null
+		if test "$?" = 0 ; then
+			./$dummy | grep 1\.99 > /dev/null
+			if test "$?" = 0 ; then
+				LIBC="libc1"
+			fi
+		fi	
+		rm -f $dummy.c $dummy
+		echo powerpc-unknown-linux-gnu${LIBC}
+		exit 0
+		;;
+	  shelf_linux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnu"
+		exit 0
+		;;
+	esac
+
+	if test "${UNAME_MACHINE}" = "alpha" ; then
+		cat <<EOF >$dummy.s
+			.data
+		\$Lformat:
+			.byte 37,100,45,37,120,10,0	# "%d-%x\n"
+
+			.text
+			.globl main
+			.align 4
+			.ent main
+		main:
+			.frame \$30,16,\$26,0
+			ldgp \$29,0(\$27)
+			.prologue 1
+			.long 0x47e03d80 # implver \$0
+			lda \$2,-1
+			.long 0x47e20c21 # amask \$2,\$1
+			lda \$16,\$Lformat
+			mov \$0,\$17
+			not \$1,\$18
+			jsr \$26,printf
+			ldgp \$29,0(\$26)
+			mov 0,\$16
+			jsr \$26,exit
+			.end main
+EOF
+		LIBC=""
+		$CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null
+		if test "$?" = 0 ; then
+			case `./$dummy` in
+			0-0)
+				UNAME_MACHINE="alpha"
+				;;
+			1-0)
+				UNAME_MACHINE="alphaev5"
+				;;
+			1-1)
+				UNAME_MACHINE="alphaev56"
+				;;
+			1-101)
+				UNAME_MACHINE="alphapca56"
+				;;
+			2-303)
+				UNAME_MACHINE="alphaev6"
+				;;
+			2-307)
+				UNAME_MACHINE="alphaev67"
+				;;
+			esac
+
+			objdump --private-headers $dummy | \
+			  grep ld.so.1 > /dev/null
+			if test "$?" = 0 ; then
+				LIBC="libc1"
+			fi
+		fi
+		rm -f $dummy.s $dummy
+		echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} ; exit 0
+	elif test "${UNAME_MACHINE}" = "mips" ; then
+	  cat >$dummy.c <<EOF
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+#ifdef __MIPSEB__
+  printf ("%s-unknown-linux-gnu\n", argv[1]);
+#endif
+#ifdef __MIPSEL__
+  printf ("%sel-unknown-linux-gnu\n", argv[1]);
+#endif
+  return 0;
+}
+EOF
+	  $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
+	  rm -f $dummy.c $dummy
+	elif test "${UNAME_MACHINE}" = "s390"; then
+	  echo s390-ibm-linux && exit 0
+	elif test "${UNAME_MACHINE}" = "x86_64"; then
+	  echo x86_64-unknown-linux-gnu && exit 0
+	else
+	  # Either a pre-BFD a.out linker (linux-gnuoldld)
+	  # or one that does not give us useful --help.
+	  # GCC wants to distinguish between linux-gnuoldld and linux-gnuaout.
+	  # If ld does not provide *any* "supported emulations:"
+	  # that means it is gnuoldld.
+	  echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations:"
+	  test $? != 0 && echo "${UNAME_MACHINE}-pc-linux-gnuoldld" && exit 0
+
+	  case "${UNAME_MACHINE}" in
+	  i?86)
+	    VENDOR=pc;
+	    ;;
+	  *)
+	    VENDOR=unknown;
+	    ;;
+	  esac
+	  # Determine whether the default compiler is a.out or elf
+	  cat >$dummy.c <<EOF
+#include <features.h>
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+#ifdef __ELF__
+# ifdef __GLIBC__
+#  if __GLIBC__ >= 2
+    printf ("%s-${VENDOR}-linux-gnu\n", argv[1]);
+#  else
+    printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]);
+#  endif
+# else
+   printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]);
+# endif
+#else
+  printf ("%s-${VENDOR}-linux-gnuaout\n", argv[1]);
+#endif
+  return 0;
+}
+EOF
+	  $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
+	  rm -f $dummy.c $dummy
+	  test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
+	fi ;;
+# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.  earlier versions
+# are messed up and put the nodename in both sysname and nodename.
+    i?86:DYNIX/ptx:4*:*)
+	echo i386-sequent-sysv4
+	exit 0 ;;
+    i?86:UNIX_SV:4.2MP:2.*)
+        # Unixware is an offshoot of SVR4, but it has its own version
+        # number series starting with 2...
+        # I am not positive that other SVR4 systems won't match this,
+	# I just have to hope.  -- rms.
+        # Use sysv4.2uw... so that sysv4* matches it.
+	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	exit 0 ;;
+    i?86:*:4.*:* | i?86:SYSTEM_V:4.*:*)
+	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+	fi
+	exit 0 ;;
+    i?86:*:5:7*)
+        # Fixed at (any) Pentium or better
+        UNAME_MACHINE=i586
+        if [ ${UNAME_SYSTEM} = "UnixWare" ] ; then
+	    echo ${UNAME_MACHINE}-sco-sysv${UNAME_RELEASE}uw${UNAME_VERSION}
+	else
+	    echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE}
+	fi
+	exit 0 ;;
+    i?86:*:3.2:*)
+	if test -f /usr/options/cb.name; then
+		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+	elif /bin/uname -X 2>/dev/null >/dev/null ; then
+		UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')`
+		(/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486
+		(/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \
+			&& UNAME_MACHINE=i586
+		(/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		(/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+	else
+		echo ${UNAME_MACHINE}-pc-sysv32
+	fi
+	exit 0 ;;
+    i?86:*DOS:*:*)
+	echo ${UNAME_MACHINE}-pc-msdosdjgpp
+	exit 0 ;;
+    pc:*:*:*)
+	# Left here for compatibility:
+        # uname -m prints for DJGPP always 'pc', but it prints nothing about
+        # the processor, so we play safe by assuming i386.
+	echo i386-pc-msdosdjgpp
+        exit 0 ;;
+    Intel:Mach:3*:*)
+	echo i386-pc-mach3
+	exit 0 ;;
+    paragon:*:*:*)
+	echo i860-intel-osf1
+	exit 0 ;;
+    i860:*:4.*:*) # i860-SVR4
+	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	else # Add other i860-SVR4 vendors below as they are discovered.
+	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	fi
+	exit 0 ;;
+    mini*:CTIX:SYS*5:*)
+	# "miniframe"
+	echo m68010-convergent-sysv
+	exit 0 ;;
+    M68*:*:R3V[567]*:*)
+	test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
+    3[34]??:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 4850:*:4.0:3.0)
+	OS_REL=''
+	test -r /etc/.relid \
+	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && echo i486-ncr-sysv4.3${OS_REL} && exit 0
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	  && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
+    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+          && echo i486-ncr-sysv4 && exit 0 ;;
+    m68*:LynxOS:2.*:*)
+	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    mc68030:UNIX_System_V:4.*:*)
+	echo m68k-atari-sysv4
+	exit 0 ;;
+    i?86:LynxOS:2.*:* | i?86:LynxOS:3.[01]*:*)
+	echo i386-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    TSUNAMI:LynxOS:2.*:*)
+	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    rs6000:LynxOS:2.*:* | PowerPC:LynxOS:2.*:*)
+	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    SM[BE]S:UNIX_SV:*:*)
+	echo mips-dde-sysv${UNAME_RELEASE}
+	exit 0 ;;
+    RM*:ReliantUNIX-*:*:*)
+	echo mips-sni-sysv4
+	exit 0 ;;
+    RM*:SINIX-*:*:*)
+	echo mips-sni-sysv4
+	exit 0 ;;
+    *:SINIX-*:*:*)
+	if uname -p 2>/dev/null >/dev/null ; then
+		UNAME_MACHINE=`(uname -p) 2>/dev/null`
+		echo ${UNAME_MACHINE}-sni-sysv4
+	else
+		echo ns32k-sni-sysv
+	fi
+	exit 0 ;;
+    PENTIUM:CPunix:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+                           # says <Richard.M.Bartel@ccMail.Census.GOV>
+        echo i586-unisys-sysv4
+        exit 0 ;;
+    *:UNIX_System_V:4*:FTX*)
+	# From Gerald Hewes <hewes@openmarket.com>.
+	# How about differentiating between stratus architectures? -djm
+	echo hppa1.1-stratus-sysv4
+	exit 0 ;;
+    *:*:*:FTX*)
+	# From seanf@swdc.stratus.com.
+	echo i860-stratus-sysv4
+	exit 0 ;;
+    mc68*:A/UX:*:*)
+	echo m68k-apple-aux${UNAME_RELEASE}
+	exit 0 ;;
+    news*:NEWS-OS:6*:*)
+	echo mips-sony-newsos6
+	exit 0 ;;
+    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+	if [ -d /usr/nec ]; then
+	        echo mips-nec-sysv${UNAME_RELEASE}
+	else
+	        echo mips-unknown-sysv${UNAME_RELEASE}
+	fi
+        exit 0 ;;
+    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
+	echo powerpc-be-beos
+	exit 0 ;;
+    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
+	echo powerpc-apple-beos
+	exit 0 ;;
+    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
+	echo i586-pc-beos
+	exit 0 ;;
+    SX-4:SUPER-UX:*:*)
+	echo sx4-nec-superux${UNAME_RELEASE}
+	exit 0 ;;
+    SX-5:SUPER-UX:*:*)
+	echo sx5-nec-superux${UNAME_RELEASE}
+	exit 0 ;;
+    Power*:Rhapsody:*:*)
+	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	exit 0 ;;
+    *:Rhapsody:*:*)
+	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	exit 0 ;;
+    *:Darwin:*:*)
+	echo `uname -p`-apple-darwin${UNAME_RELEASE}
+	exit 0 ;;
+    *:procnto*:*:* | *:QNX:[0123456789]*:*)
+	if test "${UNAME_MACHINE}" = "x86pc"; then
+		UNAME_MACHINE=pc
+	fi
+	echo `uname -p`-${UNAME_MACHINE}-nto-qnx
+	exit 0 ;;
+    *:QNX:*:4*)
+	echo i386-pc-qnx
+	exit 0 ;;
+    NSR-[KW]:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk${UNAME_RELEASE}
+	exit 0 ;;
+    BS2000:POSIX*:*:*)
+	echo bs2000-siemens-sysv
+	exit 0 ;;
+    DS/*:UNIX_System_V:*:*)
+	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	exit 0 ;;
+    *:Plan9:*:*)
+	# "uname -m" is not consistent, so use $cputype instead. 386
+	# is converted to i386 for consistency with other x86
+	# operating systems.
+	if test "$cputype" = "386"; then
+	    UNAME_MACHINE=i386
+	else
+	    UNAME_MACHINE="$cputype"
+	fi
+	echo ${UNAME_MACHINE}-unknown-plan9
+	exit 0 ;;
+    *:OS/2:*:*)
+	echo ${UNAME_MACHINE}-pc-os2_emx
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
+     I don't know....  */
+  printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+  printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+          "4"
+#else
+	  ""
+#endif
+         ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+  printf ("arm-acorn-riscix"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+  printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+  int version;
+  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+  if (version < 4)
+    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+  else
+    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+  exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+  printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+  printf ("ns32k-encore-mach\n"); exit (0);
+#else
+  printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+  printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+  printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+  printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+    struct utsname un;
+
+    uname(&un);
+
+    if (strncmp(un.version, "V2", 2) == 0) {
+	printf ("i386-sequent-ptx2\n"); exit (0);
+    }
+    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+	printf ("i386-sequent-ptx1\n"); exit (0);
+    }
+    printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+#if !defined (ultrix)
+  printf ("vax-dec-bsd\n"); exit (0);
+#else
+  printf ("vax-dec-ultrix\n"); exit (0);
+#endif
+#endif
+
+#if defined (alliant) && defined (i860)
+  printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+  exit (1);
+}
+EOF
+
+$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm $dummy.c $dummy && exit 0
+rm -f $dummy.c $dummy
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+    case `getsysinfo -f cpu_type` in
+    c1*)
+	echo c1-convex-bsd
+	exit 0 ;;
+    c2*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+	exit 0 ;;
+    c34*)
+	echo c34-convex-bsd
+	exit 0 ;;
+    c38*)
+	echo c38-convex-bsd
+	exit 0 ;;
+    c4*)
+	echo c4-convex-bsd
+	exit 0 ;;
+    esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+The $version version of this script cannot recognize your system type.
+Please download the most up to date version of the config scripts:
+
+    ftp://ftp.gnu.org/pub/gnu/config/
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess version = $version
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM  = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "version='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/crypto/heimdal/config.sub b/crypto/heimdal/config.sub
new file mode 100755
index 0000000..42fc991
--- /dev/null
+++ b/crypto/heimdal/config.sub
@@ -0,0 +1,1328 @@
+#! /bin/sh
+# Configuration validation subroutine script, version 1.1.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000
+#   Free Software Foundation, Inc.
+
+version='2000-09-11'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine.  It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Please send patches to <config-patches@gnu.org>.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support.  The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+       $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+  -h, --help               print this help, then exit
+  -V, --version            print version number, then exit"
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case "$1" in
+    --version | --vers* | -V )
+       echo "$version" ; exit 0 ;;
+    --help | --h* | -h )
+       echo "$usage"; exit 0 ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       exec >&2
+       echo "$me: invalid option $1"
+       echo "$help"
+       exit 1 ;;
+
+    *local*)
+       # First pass through any local machine types.
+       echo $1
+       exit 0;;
+
+    * )
+       break ;;
+  esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+    exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+    exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+  nto-qnx* | linux-gnu*)
+    os=-$maybe_os
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    ;;
+  *)
+    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+    if [ $basic_machine != $1 ]
+    then os=`echo $1 | sed 's/.*-/-/'`
+    else os=; fi
+    ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work.  We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+	-sun*os*)
+		# Prevent following clause from handling this invalid input.
+		;;
+	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+	-apple | -axis)
+		os=
+		basic_machine=$1
+		;;
+	-sim | -cisco | -oki | -wec | -winbond)
+		os=
+		basic_machine=$1
+		;;
+	-scout)
+		;;
+	-wrs)
+		os=-vxworks
+		basic_machine=$1
+		;;
+	-hiux*)
+		os=-hiuxwe2
+		;;
+	-sco5)
+		os=-sco3.2v5
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco4)
+		os=-sco3.2v4
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2.[4-9]*)
+		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2v[4-9]*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco*)
+		os=-sco3.2v2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-udk*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-isc)
+		os=-isc2.2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-clix*)
+		basic_machine=clipper-intergraph
+		;;
+	-isc*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-lynx*)
+		os=-lynxos
+		;;
+	-ptx*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+		;;
+	-windowsnt*)
+		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		;;
+	-psos*)
+		os=-psos
+		;;
+	-mint | -mint[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+	# Recognize the basic CPU types without company name.
+	# Some are omitted here because they have special meanings below.
+	tahoe | i860 | ia64 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \
+		| arme[lb] | armv[2345] | armv[345][lb] | pyramid | mn10200 | mn10300 | tron | a29k \
+		| 580 | i960 | h8300 \
+		| x86 | ppcbe | mipsbe | mipsle | shbe | shle | armbe | armle \
+		| hppa | hppa1.0 | hppa1.1 | hppa2.0 | hppa2.0w | hppa2.0n \
+		| hppa64 \
+		| alpha | alphaev[4-8] | alphaev56 | alphapca5[67] \
+		| alphaev6[78] \
+		| we32k | ns16k | clipper | i370 | sh | sh[34] \
+		| powerpc | powerpcle \
+		| 1750a | dsp16xx | pdp11 | mips16 | mips64 | mipsel | mips64el \
+		| mips64orion | mips64orionel | mipstx39 | mipstx39el \
+		| mips64vr4300 | mips64vr4300el | mips64vr4100 | mips64vr4100el \
+		| mips64vr5000 | miprs64vr5000el | mcore \
+		| sparc | sparclet | sparclite | sparc64 | sparcv9 | v850 | c4x \
+		| thumb | d10v | d30v | fr30 | avr)
+		basic_machine=$basic_machine-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12)
+		# Motorola 68HC11/12.
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | z8k | v70 | h8500 | w65 | pj | pjl)
+		;;
+
+	# We use `pc' rather than `unknown'
+	# because (1) that's what they normally are, and
+	# (2) the word "unknown" tends to confuse beginning users.
+	i[234567]86 | x86_64)
+	  basic_machine=$basic_machine-pc
+	  ;;
+	# Object if more than one company name word.
+	*-*-*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+	# Recognize the basic CPU types with company name.
+	# FIXME: clean up the formatting here.
+	vax-* | tahoe-* | i[234567]86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
+	      | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \
+	      | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
+	      | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
+	      | xmp-* | ymp-* \
+	      | x86-* | ppcbe-* | mipsbe-* | mipsle-* | shbe-* | shle-* | armbe-* | armle-* \
+	      | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* | hppa2.0w-* \
+	      | hppa2.0n-* | hppa64-* \
+	      | alpha-* | alphaev[4-8]-* | alphaev56-* | alphapca5[67]-* \
+	      | alphaev6[78]-* \
+	      | we32k-* | cydra-* | ns16k-* | pn-* | np1-* | xps100-* \
+	      | clipper-* | orion-* \
+	      | sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \
+	      | sparc64-* | sparcv9-* | sparc86x-* | mips16-* | mips64-* | mipsel-* \
+	      | mips64el-* | mips64orion-* | mips64orionel-* \
+	      | mips64vr4100-* | mips64vr4100el-* | mips64vr4300-* | mips64vr4300el-* \
+	      | mipstx39-* | mipstx39el-* | mcore-* \
+	      | f301-* | armv*-* | s390-* | sv1-* | t3e-* \
+	      | m88110-* | m680[01234]0-* | m683?2-* | m68360-* | z8k-* | d10v-* \
+	      | thumb-* | v850-* | d30v-* | tic30-* | c30-* | fr30-* \
+	      | bs2000-* | tic54x-* | c54x-* | x86_64-*)
+		;;
+	# Recognize the various machine names and aliases which stand
+	# for a CPU type and a company and sometimes even an OS.
+	386bsd)
+		basic_machine=i386-unknown
+		os=-bsd
+		;;
+	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+		basic_machine=m68000-att
+		;;
+	3b*)
+		basic_machine=we32k-att
+		;;
+	a29khif)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	adobe68k)
+		basic_machine=m68010-adobe
+		os=-scout
+		;;
+	alliant | fx80)
+		basic_machine=fx80-alliant
+		;;
+	altos | altos3068)
+		basic_machine=m68k-altos
+		;;
+	am29k)
+		basic_machine=a29k-none
+		os=-bsd
+		;;
+	amdahl)
+		basic_machine=580-amdahl
+		os=-sysv
+		;;
+	amiga | amiga-*)
+		basic_machine=m68k-unknown
+		;;
+	amigaos | amigados)
+		basic_machine=m68k-unknown
+		os=-amigaos
+		;;
+	amigaunix | amix)
+		basic_machine=m68k-unknown
+		os=-sysv4
+		;;
+	apollo68)
+		basic_machine=m68k-apollo
+		os=-sysv
+		;;
+	apollo68bsd)
+		basic_machine=m68k-apollo
+		os=-bsd
+		;;
+	aux)
+		basic_machine=m68k-apple
+		os=-aux
+		;;
+	balance)
+		basic_machine=ns32k-sequent
+		os=-dynix
+		;;
+	convex-c1)
+		basic_machine=c1-convex
+		os=-bsd
+		;;
+	convex-c2)
+		basic_machine=c2-convex
+		os=-bsd
+		;;
+	convex-c32)
+		basic_machine=c32-convex
+		os=-bsd
+		;;
+	convex-c34)
+		basic_machine=c34-convex
+		os=-bsd
+		;;
+	convex-c38)
+		basic_machine=c38-convex
+		os=-bsd
+		;;
+	cray | ymp)
+		basic_machine=ymp-cray
+		os=-unicos
+		;;
+	cray2)
+		basic_machine=cray2-cray
+		os=-unicos
+		;;
+	[ctj]90-cray)
+		basic_machine=c90-cray
+		os=-unicos
+		;;
+	crds | unos)
+		basic_machine=m68k-crds
+		;;
+	cris | cris-* | etrax*)
+		basic_machine=cris-axis
+		;;
+	da30 | da30-*)
+		basic_machine=m68k-da30
+		;;
+	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+		basic_machine=mips-dec
+		;;
+	delta | 3300 | motorola-3300 | motorola-delta \
+	      | 3300-motorola | delta-motorola)
+		basic_machine=m68k-motorola
+		;;
+	delta88)
+		basic_machine=m88k-motorola
+		os=-sysv3
+		;;
+	dpx20 | dpx20-*)
+		basic_machine=rs6000-bull
+		os=-bosx
+		;;
+	dpx2* | dpx2*-bull)
+		basic_machine=m68k-bull
+		os=-sysv3
+		;;
+	ebmon29k)
+		basic_machine=a29k-amd
+		os=-ebmon
+		;;
+	elxsi)
+		basic_machine=elxsi-elxsi
+		os=-bsd
+		;;
+	encore | umax | mmax)
+		basic_machine=ns32k-encore
+		;;
+	es1800 | OSE68k | ose68k | ose | OSE)
+		basic_machine=m68k-ericsson
+		os=-ose
+		;;
+	fx2800)
+		basic_machine=i860-alliant
+		;;
+	genix)
+		basic_machine=ns32k-ns
+		;;
+	gmicro)
+		basic_machine=tron-gmicro
+		os=-sysv
+		;;
+	h3050r* | hiux*)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	h8300hms)
+		basic_machine=h8300-hitachi
+		os=-hms
+		;;
+	h8300xray)
+		basic_machine=h8300-hitachi
+		os=-xray
+		;;
+	h8500hms)
+		basic_machine=h8500-hitachi
+		os=-hms
+		;;
+	harris)
+		basic_machine=m88k-harris
+		os=-sysv3
+		;;
+	hp300-*)
+		basic_machine=m68k-hp
+		;;
+	hp300bsd)
+		basic_machine=m68k-hp
+		os=-bsd
+		;;
+	hp300hpux)
+		basic_machine=m68k-hp
+		os=-hpux
+		;;
+	hp3k9[0-9][0-9] | hp9[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k2[0-9][0-9] | hp9k31[0-9])
+		basic_machine=m68000-hp
+		;;
+	hp9k3[2-9][0-9])
+		basic_machine=m68k-hp
+		;;
+	hp9k6[0-9][0-9] | hp6[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k7[0-79][0-9] | hp7[0-79][0-9])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k78[0-9] | hp78[0-9])
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][13679] | hp8[0-9][13679])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][0-9] | hp8[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hppa-next)
+		os=-nextstep3
+		;;
+	hppaosf)
+		basic_machine=hppa1.1-hp
+		os=-osf
+		;;
+	hppro)
+		basic_machine=hppa1.1-hp
+		os=-proelf
+		;;
+	i370-ibm* | ibm*)
+		basic_machine=i370-ibm
+		;;
+# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
+	i[34567]86v32)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv32
+		;;
+	i[34567]86v4*)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv4
+		;;
+	i[34567]86v)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv
+		;;
+	i[34567]86sol2)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-solaris2
+		;;
+	i386mach)
+		basic_machine=i386-mach
+		os=-mach
+		;;
+	i386-vsta | vsta)
+		basic_machine=i386-unknown
+		os=-vsta
+		;;
+	i386-go32 | go32)
+		basic_machine=i386-unknown
+		os=-go32
+		;;
+	i386-mingw32 | mingw32)
+		basic_machine=i386-unknown
+		os=-mingw32
+		;;
+	i[34567]86-pw32 | pw32)
+		basic_machine=i586-unknown
+		os=-pw32
+		;;
+	iris | iris4d)
+		basic_machine=mips-sgi
+		case $os in
+		    -irix*)
+			;;
+		    *)
+			os=-irix4
+			;;
+		esac
+		;;
+	isi68 | isi)
+		basic_machine=m68k-isi
+		os=-sysv
+		;;
+	m88k-omron*)
+		basic_machine=m88k-omron
+		;;
+	magnum | m3230)
+		basic_machine=mips-mips
+		os=-sysv
+		;;
+	merlin)
+		basic_machine=ns32k-utek
+		os=-sysv
+		;;
+	miniframe)
+		basic_machine=m68000-convergent
+		;;
+	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+	mipsel*-linux*)
+		basic_machine=mipsel-unknown
+		os=-linux-gnu
+		;;
+	mips*-linux*)
+		basic_machine=mips-unknown
+		os=-linux-gnu
+		;;
+	mips3*-*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		;;
+	mips3*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		;;
+	mmix*)
+		basic_machine=mmix-knuth
+		os=-mmixware
+		;;
+	monitor)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	msdos)
+		basic_machine=i386-unknown
+		os=-msdos
+		;;
+	mvs)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
+	ncr3000)
+		basic_machine=i486-ncr
+		os=-sysv4
+		;;
+	netbsd386)
+		basic_machine=i386-unknown
+		os=-netbsd
+		;;
+	netwinder)
+		basic_machine=armv4l-rebel
+		os=-linux
+		;;
+	news | news700 | news800 | news900)
+		basic_machine=m68k-sony
+		os=-newsos
+		;;
+	news1000)
+		basic_machine=m68030-sony
+		os=-newsos
+		;;
+	news-3600 | risc-news)
+		basic_machine=mips-sony
+		os=-newsos
+		;;
+	necv70)
+		basic_machine=v70-nec
+		os=-sysv
+		;;
+	next | m*-next )
+		basic_machine=m68k-next
+		case $os in
+		    -nextstep* )
+			;;
+		    -ns2*)
+		      os=-nextstep2
+			;;
+		    *)
+		      os=-nextstep3
+			;;
+		esac
+		;;
+	nh3000)
+		basic_machine=m68k-harris
+		os=-cxux
+		;;
+	nh[45]000)
+		basic_machine=m88k-harris
+		os=-cxux
+		;;
+	nindy960)
+		basic_machine=i960-intel
+		os=-nindy
+		;;
+	mon960)
+		basic_machine=i960-intel
+		os=-mon960
+		;;
+	np1)
+		basic_machine=np1-gould
+		;;
+	nsr-tandem)
+		basic_machine=nsr-tandem
+		;;
+	op50n-* | op60c-*)
+		basic_machine=hppa1.1-oki
+		os=-proelf
+		;;
+	OSE68000 | ose68000)
+		basic_machine=m68000-ericsson
+		os=-ose
+		;;
+	os68k)
+		basic_machine=m68k-none
+		os=-os68k
+		;;
+	pa-hitachi)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	paragon)
+		basic_machine=i860-intel
+		os=-osf
+		;;
+	pbd)
+		basic_machine=sparc-tti
+		;;
+	pbb)
+		basic_machine=m68k-tti
+		;;
+        pc532 | pc532-*)
+		basic_machine=ns32k-pc532
+		;;
+	pentium | p5 | k5 | k6 | nexen)
+		basic_machine=i586-pc
+		;;
+	pentiumpro | p6 | 6x86 | athlon)
+		basic_machine=i686-pc
+		;;
+	pentiumii | pentium2)
+		basic_machine=i786-pc
+		;;
+	pentium-* | p5-* | k5-* | k6-* | nexen-*)
+		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumpro-* | p6-* | 6x86-* | athlon-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumii-* | pentium2-*)
+		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pn)
+		basic_machine=pn-gould
+		;;
+	power)	basic_machine=rs6000-ibm
+		;;
+	ppc)	basic_machine=powerpc-unknown
+	        ;;
+	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppcle | powerpclittle | ppc-le | powerpc-little)
+		basic_machine=powerpcle-unknown
+	        ;;
+	ppcle-* | powerpclittle-*)
+		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ps2)
+		basic_machine=i386-ibm
+		;;
+	rom68k)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	rm[46]00)
+		basic_machine=mips-siemens
+		;;
+	rtpc | rtpc-*)
+		basic_machine=romp-ibm
+		;;
+	sa29200)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	sequent)
+		basic_machine=i386-sequent
+		;;
+	sh)
+		basic_machine=sh-hitachi
+		os=-hms
+		;;
+	sparclite-wrs)
+		basic_machine=sparclite-wrs
+		os=-vxworks
+		;;
+	sps7)
+		basic_machine=m68k-bull
+		os=-sysv2
+		;;
+	spur)
+		basic_machine=spur-unknown
+		;;
+	st2000)
+		basic_machine=m68k-tandem
+		;;
+	stratus)
+		basic_machine=i860-stratus
+		os=-sysv4
+		;;
+	sun2)
+		basic_machine=m68000-sun
+		;;
+	sun2os3)
+		basic_machine=m68000-sun
+		os=-sunos3
+		;;
+	sun2os4)
+		basic_machine=m68000-sun
+		os=-sunos4
+		;;
+	sun3os3)
+		basic_machine=m68k-sun
+		os=-sunos3
+		;;
+	sun3os4)
+		basic_machine=m68k-sun
+		os=-sunos4
+		;;
+	sun4os3)
+		basic_machine=sparc-sun
+		os=-sunos3
+		;;
+	sun4os4)
+		basic_machine=sparc-sun
+		os=-sunos4
+		;;
+	sun4sol2)
+		basic_machine=sparc-sun
+		os=-solaris2
+		;;
+	sun3 | sun3-*)
+		basic_machine=m68k-sun
+		;;
+	sun4)
+		basic_machine=sparc-sun
+		;;
+	sun386 | sun386i | roadrunner)
+		basic_machine=i386-sun
+		;;
+	sv1)
+		basic_machine=sv1-cray
+		os=-unicos
+		;;
+	symmetry)
+		basic_machine=i386-sequent
+		os=-dynix
+		;;
+	t3e)
+		basic_machine=t3e-cray
+		os=-unicos
+		;;
+	tic54x | c54x*)
+		basic_machine=tic54x-unknown
+		os=-coff
+		;;
+	tx39)
+		basic_machine=mipstx39-unknown
+		;;
+	tx39el)
+		basic_machine=mipstx39el-unknown
+		;;
+	tower | tower-32)
+		basic_machine=m68k-ncr
+		;;
+	udi29k)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	ultra3)
+		basic_machine=a29k-nyu
+		os=-sym1
+		;;
+	v810 | necv810)
+		basic_machine=v810-nec
+		os=-none
+		;;
+	vaxv)
+		basic_machine=vax-dec
+		os=-sysv
+		;;
+	vms)
+		basic_machine=vax-dec
+		os=-vms
+		;;
+	vpp*|vx|vx-*)
+               basic_machine=f301-fujitsu
+               ;;
+	vxworks960)
+		basic_machine=i960-wrs
+		os=-vxworks
+		;;
+	vxworks68)
+		basic_machine=m68k-wrs
+		os=-vxworks
+		;;
+	vxworks29k)
+		basic_machine=a29k-wrs
+		os=-vxworks
+		;;
+	w65*)
+		basic_machine=w65-wdc
+		os=-none
+		;;
+	w89k-*)
+		basic_machine=hppa1.1-winbond
+		os=-proelf
+		;;
+	xmp)
+		basic_machine=xmp-cray
+		os=-unicos
+		;;
+        xps | xps100)
+		basic_machine=xps100-honeywell
+		;;
+	z8k-*-coff)
+		basic_machine=z8k-unknown
+		os=-sim
+		;;
+	none)
+		basic_machine=none-none
+		os=-none
+		;;
+
+# Here we handle the default manufacturer of certain CPU types.  It is in
+# some cases the only manufacturer, in others, it is the most popular.
+	w89k)
+		basic_machine=hppa1.1-winbond
+		;;
+	op50n)
+		basic_machine=hppa1.1-oki
+		;;
+	op60c)
+		basic_machine=hppa1.1-oki
+		;;
+	mips)
+		if [ x$os = x-linux-gnu ]; then
+			basic_machine=mips-unknown
+		else
+			basic_machine=mips-mips
+		fi
+		;;
+	romp)
+		basic_machine=romp-ibm
+		;;
+	rs6000)
+		basic_machine=rs6000-ibm
+		;;
+	vax)
+		basic_machine=vax-dec
+		;;
+	pdp11)
+		basic_machine=pdp11-dec
+		;;
+	we32k)
+		basic_machine=we32k-att
+		;;
+	sh3 | sh4)
+		base_machine=sh-unknown
+		;;
+	sparc | sparcv9)
+		basic_machine=sparc-sun
+		;;
+        cydra)
+		basic_machine=cydra-cydrome
+		;;
+	orion)
+		basic_machine=orion-highlevel
+		;;
+	orion105)
+		basic_machine=clipper-highlevel
+		;;
+	mac | mpw | mac-mpw)
+		basic_machine=m68k-apple
+		;;
+	pmac | pmac-mpw)
+		basic_machine=powerpc-apple
+		;;
+	c4x*)
+		basic_machine=c4x-none
+		os=-coff
+		;;
+	*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+	*-digital*)
+		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		;;
+	*-commodore*)
+		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		;;
+	*)
+		;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+        # First match some system type aliases
+        # that might get confused with valid system types.
+	# -solaris* is a basic system type, with this one exception.
+	-solaris1 | -solaris1.*)
+		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		;;
+	-solaris)
+		os=-solaris2
+		;;
+	-svr4*)
+		os=-sysv4
+		;;
+	-unixware*)
+		os=-sysv4.2uw
+		;;
+	-gnu/linux*)
+		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+		;;
+	# First accept the basic system types.
+	# The portable systems comes first.
+	# Each alternative MUST END IN A *, to match a version number.
+	# -sysv* is not here because it comes later, after sysvr4.
+	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+	      | -aos* \
+	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+	      | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \
+	      | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \
+	      | -openstep* | -oskit* | -conix* | -pw32*)
+	# Remember, each alternative MUST END IN *, to match a version number.
+		;;
+	-qnx*)
+		case $basic_machine in
+		    x86-* | i[34567]86-*)
+			;;
+		    *)
+			os=-nto$os
+			;;
+		esac
+		;;
+	-nto*)
+		os=-nto-qnx
+		;;
+	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
+	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+		;;
+	-mac*)
+		os=`echo $os | sed -e 's|mac|macos|'`
+		;;
+	-linux*)
+		os=`echo $os | sed -e 's|linux|linux-gnu|'`
+		;;
+	-sunos5*)
+		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		;;
+	-sunos6*)
+		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		;;
+	-opened*)
+		os=-openedition
+		;;
+	-wince*)
+		os=-wince
+		;;
+	-osfrose*)
+		os=-osfrose
+		;;
+	-osf*)
+		os=-osf
+		;;
+	-utek*)
+		os=-bsd
+		;;
+	-dynix*)
+		os=-bsd
+		;;
+	-acis*)
+		os=-aos
+		;;
+	-386bsd)
+		os=-bsd
+		;;
+	-ctix* | -uts*)
+		os=-sysv
+		;;
+	-ns2 )
+	        os=-nextstep2
+		;;
+	-nsk*)
+		os=-nsk
+		;;
+	# Preserve the version number of sinix5.
+	-sinix5.*)
+		os=`echo $os | sed -e 's|sinix|sysv|'`
+		;;
+	-sinix*)
+		os=-sysv4
+		;;
+	-triton*)
+		os=-sysv3
+		;;
+	-oss*)
+		os=-sysv3
+		;;
+	-svr4)
+		os=-sysv4
+		;;
+	-svr3)
+		os=-sysv3
+		;;
+	-sysvr4)
+		os=-sysv4
+		;;
+	# This must come after -sysvr4.
+	-sysv*)
+		;;
+	-ose*)
+		os=-ose
+		;;
+	-es1800*)
+		os=-ose
+		;;
+	-xenix)
+		os=-xenix
+		;;
+        -*mint | -*MiNT)
+	        os=-mint
+		;;
+	-none)
+		;;
+	*)
+		# Get rid of the `-' at the beginning of $os.
+		os=`echo $os | sed 's/[^-]*-//'`
+		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		exit 1
+		;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system.  Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+	*-acorn)
+		os=-riscix1.2
+		;;
+	arm*-rebel)
+		os=-linux
+		;;
+	arm*-semi)
+		os=-aout
+		;;
+        pdp11-*)
+		os=-none
+		;;
+	*-dec | vax-*)
+		os=-ultrix4.2
+		;;
+	m68*-apollo)
+		os=-domain
+		;;
+	i386-sun)
+		os=-sunos4.0.2
+		;;
+	m68000-sun)
+		os=-sunos3
+		# This also exists in the configure program, but was not the
+		# default.
+		# os=-sunos4
+		;;
+	m68*-cisco)
+		os=-aout
+		;;
+	mips*-cisco)
+		os=-elf
+		;;
+	mips*-*)
+		os=-elf
+		;;
+	*-tti)	# must be before sparc entry or we get the wrong os.
+		os=-sysv3
+		;;
+	sparc-* | *-sun)
+		os=-sunos4.1.1
+		;;
+	*-be)
+		os=-beos
+		;;
+	*-ibm)
+		os=-aix
+		;;
+	*-wec)
+		os=-proelf
+		;;
+	*-winbond)
+		os=-proelf
+		;;
+	*-oki)
+		os=-proelf
+		;;
+	*-hp)
+		os=-hpux
+		;;
+	*-hitachi)
+		os=-hiux
+		;;
+	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+		os=-sysv
+		;;
+	*-cbm)
+		os=-amigaos
+		;;
+	*-dg)
+		os=-dgux
+		;;
+	*-dolphin)
+		os=-sysv3
+		;;
+	m68k-ccur)
+		os=-rtu
+		;;
+	m88k-omron*)
+		os=-luna
+		;;
+	*-next )
+		os=-nextstep
+		;;
+	*-sequent)
+		os=-ptx
+		;;
+	*-crds)
+		os=-unos
+		;;
+	*-ns)
+		os=-genix
+		;;
+	i370-*)
+		os=-mvs
+		;;
+	*-next)
+		os=-nextstep3
+		;;
+        *-gould)
+		os=-sysv
+		;;
+        *-highlevel)
+		os=-bsd
+		;;
+	*-encore)
+		os=-bsd
+		;;
+        *-sgi)
+		os=-irix
+		;;
+        *-siemens)
+		os=-sysv4
+		;;
+	*-masscomp)
+		os=-rtu
+		;;
+	f301-fujitsu)
+		os=-uxpv
+		;;
+	*-rom68k)
+		os=-coff
+		;;
+	*-*bug)
+		os=-coff
+		;;
+	*-apple)
+		os=-macos
+		;;
+	*-atari*)
+		os=-mint
+		;;
+	*)
+		os=-none
+		;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer.  We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+	*-unknown)
+		case $os in
+			-riscix*)
+				vendor=acorn
+				;;
+			-sunos*)
+				vendor=sun
+				;;
+			-aix*)
+				vendor=ibm
+				;;
+			-beos*)
+				vendor=be
+				;;
+			-hpux*)
+				vendor=hp
+				;;
+			-mpeix*)
+				vendor=hp
+				;;
+			-hiux*)
+				vendor=hitachi
+				;;
+			-unos*)
+				vendor=crds
+				;;
+			-dgux*)
+				vendor=dg
+				;;
+			-luna*)
+				vendor=omron
+				;;
+			-genix*)
+				vendor=ns
+				;;
+			-mvs* | -opened*)
+				vendor=ibm
+				;;
+			-ptx*)
+				vendor=sequent
+				;;
+			-vxsim* | -vxworks*)
+				vendor=wrs
+				;;
+			-aux*)
+				vendor=apple
+				;;
+			-hms*)
+				vendor=hitachi
+				;;
+			-mpw* | -macos*)
+				vendor=apple
+				;;
+			-*mint | -*MiNT)
+				vendor=atari
+				;;
+		esac
+		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		;;
+esac
+
+echo $basic_machine$os
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "version='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/crypto/heimdal/configure b/crypto/heimdal/configure
new file mode 100755
index 0000000..65cc39b
--- /dev/null
+++ b/crypto/heimdal/configure
@@ -0,0 +1,20704 @@
+#! /bin/sh
+# From configure.in Revision: 1.278 .
+# Guess values for system-dependent variables and create Makefiles.
+# Generated by Autoconf 2.49b for heimdal 0.3f.
+#
+# Report bugs to <heimdal-bugs@pdc.kth.se>.
+#
+# Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+
+# Be Bourne compatible
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
+  set -o posix
+fi
+
+if expr a : '\(a\)' >/dev/null 2>&1; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+# Support unset when possible.
+if (FOO=FOO; unset FOO) >/dev/null 2>&1; then
+  as_unset=unset
+else
+  as_unset=false
+fi
+
+# NLS nuisances.
+$as_unset LANG || test "${LANG+set}" != set || { LANG=C; export LANG; }
+$as_unset LC_ALL || test "${LC_ALL+set}" != set || { LC_ALL=C; export LC_ALL; }
+$as_unset LC_TIME || test "${LC_TIME+set}" != set || { LC_TIME=C; export LC_TIME; }
+$as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set || { LC_CTYPE=C; export LC_CTYPE; }
+$as_unset LANGUAGE || test "${LANGUAGE+set}" != set || { LANGUAGE=C; export LANGUAGE; }
+$as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set || { LC_COLLATE=C; export LC_COLLATE; }
+$as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set || { LC_NUMERIC=C; export LC_NUMERIC; }
+$as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set || { LC_MESSAGES=C; export LC_MESSAGES; }
+
+# IFS
+# We need space, tab and new line, in precisely that order.
+ac_nl='
+'
+IFS=" 	$ac_nl"
+
+# CDPATH.
+$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=:; export CDPATH; }
+
+cat >config.log << EOF
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+
+It was created by $as_me (heimdal 0.3f) 2.49b, executed with
+ > $0 $@
+
+on `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/machine           = `(/bin/machine) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+
+PATH = $PATH
+EOF
+
+# File descriptor usage:
+# 0 standard input
+# 1 file creation
+# 2 errors and warnings
+# 3 some systems may open it to /dev/tty
+# 4 used on the Kubota Titan
+# 6 checking for... messages and results
+# 5 compiler messages saved in config.log
+if test "$silent" = yes; then
+  exec 6>/dev/null
+else
+  exec 6>&1
+fi
+exec 5>>config.log
+
+#
+# Initializations.
+#
+ac_default_prefix=/usr/local
+cross_compiling=no
+subdirs=
+MFLAGS= MAKEFLAGS=
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+# Maximum number of lines to put in a shell here document.
+# This variable seems obsolete.  It should probably be removed, and
+# only ac_max_sed_lines should be used.
+: ${ac_max_here_lines=38}
+
+# Name of the host.
+# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
+# so uname gets run too.
+ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+
+# Name of the executable.
+as_me=`echo "$0" | sed 's,.*/,,'`
+
+# Avoid depending upon Character Ranges.
+ac_cr_az='abcdefghijklmnopqrstuvwxyz'
+ac_cr_AZ='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+ac_cr_09='0123456789'
+ac_cr_alnum=$ac_cr_az$ac_cr_AZ$ac_cr_09
+
+# Sed expression to map a string onto a valid sh and CPP variable names.
+ac_tr_sh="sed y%*+%pp%;s%[^_$ac_cr_alnum]%_%g"
+ac_tr_cpp="sed y%*$ac_cr_az%P$ac_cr_AZ%;s%[^_$ac_cr_alnum]%_%g"
+
+# By default always use an empty string as the executable extension.
+# Only change it if the script calls AC_EXEEXT.
+ac_exeext=
+# By default assume that objects files use an extension of .o.  Only
+# change it if the script calls AC_OBJEXT.
+ac_objext=o
+# Factoring default headers for most tests.
+ac_includes_default="\
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#if STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# if HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif
+#if HAVE_STRING_H
+# if !STDC_HEADERS && HAVE_MEMORY_H
+#  include <memory.h>
+# endif
+# include <string.h>
+#else
+# if HAVE_STRINGS_H
+#  include <strings.h>
+# endif
+#endif
+#if HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#if HAVE_UNISTD_H
+# include <unistd.h>
+#endif"
+ac_default_prefix=/usr/heimdal
+
+# Initialize some variables set by options.
+ac_init_help=
+ac_init_version=false
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+cache_file=/dev/null
+exec_prefix=NONE
+no_create=
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+verbose=
+x_includes=NONE
+x_libraries=NONE
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datadir='${prefix}/share'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+libdir='${exec_prefix}/lib'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+infodir='${prefix}/info'
+mandir='${prefix}/man'
+
+ac_prev=
+for ac_option
+do
+  # If the previous option needs an argument, assign it.
+  if test -n "$ac_prev"; then
+    eval "$ac_prev=\$ac_option"
+    ac_prev=
+    continue
+  fi
+
+  ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'`
+
+  # Accept the important Cygnus configure options, so we can diagnose typos.
+
+  case $ac_option in
+
+  -bindir | --bindir | --bindi | --bind | --bin | --bi)
+    ac_prev=bindir ;;
+  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+    bindir=$ac_optarg ;;
+
+  -build | --build | --buil | --bui | --bu)
+    ac_prev=build_alias ;;
+  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+    build_alias=$ac_optarg ;;
+
+  -cache-file | --cache-file | --cache-fil | --cache-fi \
+  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+    ac_prev=cache_file ;;
+  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+    cache_file=$ac_optarg ;;
+
+  --config-cache | -C)
+    cache_file=config.cache ;;
+
+  -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
+    ac_prev=datadir ;;
+  -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
+  | --da=*)
+    datadir=$ac_optarg ;;
+
+  -disable-* | --disable-*)
+    ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_feature" : ".*[^-_$ac_cr_alnum]" >/dev/null &&
+      {  echo "$as_me: error: invalid feature name: $ac_feature" >&2
+  { (exit 1); exit; }; }
+    ac_feature=`echo $ac_feature | sed 's/-/_/g'`
+    eval "enable_$ac_feature=no" ;;
+
+  -enable-* | --enable-*)
+    ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_feature" : ".*[^-_$ac_cr_alnum]" >/dev/null &&
+      {  echo "$as_me: error: invalid feature name: $ac_feature" >&2
+  { (exit 1); exit; }; }
+    ac_feature=`echo $ac_feature | sed 's/-/_/g'`
+    case $ac_option in
+      *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
+      *) ac_optarg=yes ;;
+    esac
+    eval "enable_$ac_feature='$ac_optarg'" ;;
+
+  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+  | --exec | --exe | --ex)
+    ac_prev=exec_prefix ;;
+  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+  | --exec=* | --exe=* | --ex=*)
+    exec_prefix=$ac_optarg ;;
+
+  -gas | --gas | --ga | --g)
+    # Obsolete; use --with-gas.
+    with_gas=yes ;;
+
+  -help | --help | --hel | --he | -h)
+    ac_init_help=long ;;
+  -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
+    ac_init_help=recursive ;;
+  -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
+    ac_init_help=short ;;
+
+  -host | --host | --hos | --ho)
+    ac_prev=host_alias ;;
+  -host=* | --host=* | --hos=* | --ho=*)
+    host_alias=$ac_optarg ;;
+
+  -includedir | --includedir | --includedi | --included | --include \
+  | --includ | --inclu | --incl | --inc)
+    ac_prev=includedir ;;
+  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+  | --includ=* | --inclu=* | --incl=* | --inc=*)
+    includedir=$ac_optarg ;;
+
+  -infodir | --infodir | --infodi | --infod | --info | --inf)
+    ac_prev=infodir ;;
+  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+    infodir=$ac_optarg ;;
+
+  -libdir | --libdir | --libdi | --libd)
+    ac_prev=libdir ;;
+  -libdir=* | --libdir=* | --libdi=* | --libd=*)
+    libdir=$ac_optarg ;;
+
+  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+  | --libexe | --libex | --libe)
+    ac_prev=libexecdir ;;
+  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+  | --libexe=* | --libex=* | --libe=*)
+    libexecdir=$ac_optarg ;;
+
+  -localstatedir | --localstatedir | --localstatedi | --localstated \
+  | --localstate | --localstat | --localsta | --localst \
+  | --locals | --local | --loca | --loc | --lo)
+    ac_prev=localstatedir ;;
+  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+  | --localstate=* | --localstat=* | --localsta=* | --localst=* \
+  | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
+    localstatedir=$ac_optarg ;;
+
+  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+    ac_prev=mandir ;;
+  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+    mandir=$ac_optarg ;;
+
+  -nfp | --nfp | --nf)
+    # Obsolete; use --without-fp.
+    with_fp=no ;;
+
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c)
+    no_create=yes ;;
+
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+    no_recursion=yes ;;
+
+  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+  | --oldin | --oldi | --old | --ol | --o)
+    ac_prev=oldincludedir ;;
+  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+    oldincludedir=$ac_optarg ;;
+
+  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+    ac_prev=prefix ;;
+  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+    prefix=$ac_optarg ;;
+
+  -program-prefix | --program-prefix | --program-prefi | --program-pref \
+  | --program-pre | --program-pr | --program-p)
+    ac_prev=program_prefix ;;
+  -program-prefix=* | --program-prefix=* | --program-prefi=* \
+  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+    program_prefix=$ac_optarg ;;
+
+  -program-suffix | --program-suffix | --program-suffi | --program-suff \
+  | --program-suf | --program-su | --program-s)
+    ac_prev=program_suffix ;;
+  -program-suffix=* | --program-suffix=* | --program-suffi=* \
+  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+    program_suffix=$ac_optarg ;;
+
+  -program-transform-name | --program-transform-name \
+  | --program-transform-nam | --program-transform-na \
+  | --program-transform-n | --program-transform- \
+  | --program-transform | --program-transfor \
+  | --program-transfo | --program-transf \
+  | --program-trans | --program-tran \
+  | --progr-tra | --program-tr | --program-t)
+    ac_prev=program_transform_name ;;
+  -program-transform-name=* | --program-transform-name=* \
+  | --program-transform-nam=* | --program-transform-na=* \
+  | --program-transform-n=* | --program-transform-=* \
+  | --program-transform=* | --program-transfor=* \
+  | --program-transfo=* | --program-transf=* \
+  | --program-trans=* | --program-tran=* \
+  | --progr-tra=* | --program-tr=* | --program-t=*)
+    program_transform_name=$ac_optarg ;;
+
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil)
+    silent=yes ;;
+
+  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+    ac_prev=sbindir ;;
+  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+  | --sbi=* | --sb=*)
+    sbindir=$ac_optarg ;;
+
+  -sharedstatedir | --sharedstatedir | --sharedstatedi \
+  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+  | --sharedst | --shareds | --shared | --share | --shar \
+  | --sha | --sh)
+    ac_prev=sharedstatedir ;;
+  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+  | --sha=* | --sh=*)
+    sharedstatedir=$ac_optarg ;;
+
+  -site | --site | --sit)
+    ac_prev=site ;;
+  -site=* | --site=* | --sit=*)
+    site=$ac_optarg ;;
+
+  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+    ac_prev=srcdir ;;
+  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+    srcdir=$ac_optarg ;;
+
+  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+  | --syscon | --sysco | --sysc | --sys | --sy)
+    ac_prev=sysconfdir ;;
+  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+    sysconfdir=$ac_optarg ;;
+
+  -target | --target | --targe | --targ | --tar | --ta | --t)
+    ac_prev=target_alias ;;
+  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+    target_alias=$ac_optarg ;;
+
+  -v | -verbose | --verbose | --verbos | --verbo | --verb)
+    verbose=yes ;;
+
+  -version | --version | --versio | --versi | --vers | -V)
+    ac_init_version=: ;;
+
+  -with-* | --with-*)
+    ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_package" : ".*[^-_$ac_cr_alnum]" >/dev/null &&
+      {  echo "$as_me: error: invalid package name: $ac_package" >&2
+  { (exit 1); exit; }; }
+    ac_package=`echo $ac_package| sed 's/-/_/g'`
+    case $ac_option in
+      *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
+      *) ac_optarg=yes ;;
+    esac
+    eval "with_$ac_package='$ac_optarg'" ;;
+
+  -without-* | --without-*)
+    ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_package" : ".*[^-_$ac_cr_alnum]" >/dev/null &&
+      {  echo "$as_me: error: invalid package name: $ac_package" >&2
+  { (exit 1); exit; }; }
+    ac_package=`echo $ac_package | sed 's/-/_/g'`
+    eval "with_$ac_package=no" ;;
+
+  --x)
+    # Obsolete; use --with-x.
+    with_x=yes ;;
+
+  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+  | --x-incl | --x-inc | --x-in | --x-i)
+    ac_prev=x_includes ;;
+  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+    x_includes=$ac_optarg ;;
+
+  -x-libraries | --x-libraries | --x-librarie | --x-librari \
+  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+    ac_prev=x_libraries ;;
+  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+    x_libraries=$ac_optarg ;;
+
+  -*) {  echo "$as_me: error: unrecognized option: $ac_option
+Try \`$0 --help' for more information." >&2
+  { (exit 1); exit; }; }
+    ;;
+
+  *=*)
+    ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+    # Reject names that are not valid shell variable names.
+    expr "x$ac_envvar" : ".*[^_$ac_cr_alnum]" >/dev/null &&
+      {  echo "$as_me: error: invalid variable name: $ac_envvar" >&2
+  { (exit 1); exit; }; }
+    ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`
+    eval "$ac_envvar='$ac_optarg'"
+    export $ac_envvar ;;
+
+  *)
+    # FIXME: should be removed in autoconf 3.0.
+    { echo "$as_me:486: WARNING: you should use --build, --host, --target" >&5
+echo "$as_me: warning: you should use --build, --host, --target" >&2; }
+    expr "x$ac_option" : ".*[^-._$ac_cr_alnum]" >/dev/null &&
+      { echo "$as_me:489: WARNING: invalid host type: $ac_option" >&5
+echo "$as_me: warning: invalid host type: $ac_option" >&2; }
+    : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+    ;;
+
+  esac
+done
+
+if test -n "$ac_prev"; then
+  ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+  {  echo "$as_me: error: missing argument to $ac_option" >&2
+  { (exit 1); exit; }; }
+fi
+
+# Be sure to have absolute paths.
+for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \
+              localstatedir libdir includedir oldincludedir infodir mandir \
+              exec_prefix prefix
+do
+  eval ac_val=$`echo $ac_var`
+  case $ac_val in
+    [\\/$]* | ?:[\\/]* ) ;;
+    NONE ) ;;
+    *)  {  echo "$as_me: error: expected an absolute path for --$ac_var: $ac_val" >&2
+  { (exit 1); exit; }; };;
+  esac
+done
+
+# There might be people who depend on the old broken behavior: `$host'
+# used to hold the argument of --host etc.
+build=$build_alias
+host=$host_alias
+target=$target_alias
+
+# FIXME: should be removed in autoconf 3.0.
+if test "x$host_alias" != x; then
+  if test "x$build_alias" = x; then
+    cross_compiling=maybe
+    { echo "$as_me:527: WARNING: If you wanted to set the --build type, don't use --host.
+    If a cross compiler is detected then cross compile mode will be used." >&5
+echo "$as_me: warning: If you wanted to set the --build type, don't use --host.
+    If a cross compiler is detected then cross compile mode will be used." >&2; }
+  elif test "x$build_alias" != "x$host_alias"; then
+    cross_compiling=yes
+  fi
+fi
+
+ac_tool_prefix=
+test -n "$host_alias" && ac_tool_prefix=$host_alias-
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+  ac_srcdir_defaulted=yes
+  # Try the directory containing this script, then its parent.
+  ac_prog=$0
+  ac_confdir=`echo "$ac_prog" | sed 's%/[^/][^/]*$%%'`
+  test "x$ac_confdir" = "x$ac_prog" && ac_confdir=.
+  srcdir=$ac_confdir
+  if test ! -r $srcdir/$ac_unique_file; then
+    srcdir=..
+  fi
+else
+  ac_srcdir_defaulted=no
+fi
+if test ! -r $srcdir/$ac_unique_file; then
+  if test "$ac_srcdir_defaulted" = yes; then
+    {  echo "$as_me: error: cannot find sources in $ac_confdir or .." >&2
+  { (exit 1); exit; }; }
+  else
+    {  echo "$as_me: error: cannot find sources in $srcdir" >&2
+  { (exit 1); exit; }; }
+  fi
+fi
+srcdir=`echo "$srcdir" | sed 's%\([^/]\)/*$%\1%'`
+ac_env_build_alias_set=${build_alias+set}
+ac_env_build_alias_value=$build_alias
+ac_cv_env_build_alias_set=${build_alias+set}
+ac_cv_env_build_alias_value=$build_alias
+ac_env_host_alias_set=${host_alias+set}
+ac_env_host_alias_value=$host_alias
+ac_cv_env_host_alias_set=${host_alias+set}
+ac_cv_env_host_alias_value=$host_alias
+ac_env_target_alias_set=${target_alias+set}
+ac_env_target_alias_value=$target_alias
+ac_cv_env_target_alias_set=${target_alias+set}
+ac_cv_env_target_alias_value=$target_alias
+ac_env_CC_set=${CC+set}
+ac_env_CC_value=$CC
+ac_cv_env_CC_set=${CC+set}
+ac_cv_env_CC_value=$CC
+ac_env_CFLAGS_set=${CFLAGS+set}
+ac_env_CFLAGS_value=$CFLAGS
+ac_cv_env_CFLAGS_set=${CFLAGS+set}
+ac_cv_env_CFLAGS_value=$CFLAGS
+ac_env_LDFLAGS_set=${LDFLAGS+set}
+ac_env_LDFLAGS_value=$LDFLAGS
+ac_cv_env_LDFLAGS_set=${LDFLAGS+set}
+ac_cv_env_LDFLAGS_value=$LDFLAGS
+ac_env_CPPFLAGS_set=${CPPFLAGS+set}
+ac_env_CPPFLAGS_value=$CPPFLAGS
+ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set}
+ac_cv_env_CPPFLAGS_value=$CPPFLAGS
+
+#
+# Report the --help message.
+#
+if test "$ac_init_help" = "long"; then
+  # Omit some internal or obsolete options to make the list less imposing.
+  # This message is too long to be a string in the A/UX 3.1 sh.
+  cat <<EOF
+\`configure' configures heimdal 0.3f to adapt to many kinds of systems.
+
+Usage: $0 [OPTION]... [VAR=VALUE]...
+
+To assign environment variables (e.g., CC, CFLAGS...), specify them as
+VAR=VALUE.  See below for descriptions of some of the useful variables.
+
+Defaults for the options are specified in brackets.
+
+Configuration:
+  -h, --help              display this help and exit
+      --help=short        display options specific to this package
+      --help=recursive    display the short help of all the included packages
+  -V, --version           display version information and exit
+  -q, --quiet, --silent   do not print \`checking...' messages
+      --cache-file=FILE   cache test results in FILE [disabled]
+  -C, --config-cache      alias for \`--cache-file=config.cache'
+  -n, --no-create         do not create output files
+      --srcdir=DIR        find the sources in DIR [configure dir or \`..']
+
+EOF
+
+  cat <<EOF
+Installation directories:
+  --prefix=PREFIX         install architecture-independent files in PREFIX
+                          [$ac_default_prefix]
+  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
+                          [PREFIX]
+
+By default, \`make install' will install all the files in
+\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
+an installation prefix other than \`$ac_default_prefix' using \`--prefix',
+for instance \`--prefix=\$HOME'.
+
+For better control, use the options below.
+
+Fine tuning of the installation directories:
+  --bindir=DIR           user executables [EPREFIX/bin]
+  --sbindir=DIR          system admin executables [EPREFIX/sbin]
+  --libexecdir=DIR       program executables [EPREFIX/libexec]
+  --datadir=DIR          read-only architecture-independent data [PREFIX/share]
+  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
+  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
+  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
+  --libdir=DIR           object code libraries [EPREFIX/lib]
+  --includedir=DIR       C header files [PREFIX/include]
+  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
+  --infodir=DIR          info documentation [PREFIX/info]
+  --mandir=DIR           man documentation [PREFIX/man]
+EOF
+
+  cat <<\EOF
+
+Program names:
+  --program-prefix=PREFIX            prepend PREFIX to installed program names
+  --program-suffix=SUFFIX            append SUFFIX to installed program names
+  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names
+
+X features:
+  --x-includes=DIR    X include files are in DIR
+  --x-libraries=DIR   X library files are in DIR
+
+System types:
+  --build=BUILD     configure for building on BUILD [guessed]
+  --host=HOST       build programs to run on HOST [BUILD]
+EOF
+fi
+
+if test -n "$ac_init_help"; then
+  case $ac_init_help in
+     short | recursive ) echo "Configuration of heimdal 0.3f:";;
+   esac
+  cat <<\EOF
+
+Optional Features:
+  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
+  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --disable-dependency-tracking Speeds up one-time builds
+  --enable-dependency-tracking  Do not reject slow dependency extractors
+  --enable-shared=PKGS  build shared libraries default=no
+  --enable-static=PKGS  build static libraries default=yes
+  --enable-fast-install=PKGS  optimize for fast installation default=yes
+  --disable-libtool-lock  avoid locking (might break parallel builds)
+  --enable-dce	if you want support for DCE/DFS PAG's.
+  --enable-kaserver	  if you want the KDC to try to emulate a kaserver
+  --enable-kaserver-db	  if you want support for reading kaserver databases in hprop
+  --disable-otp          if you don't want OTP support
+  --enable-osfc2          enable some OSF C2 support
+  --enable-bigendian	the target is big endian
+  --enable-littleendian	the target is little endian
+  --enable-netinfo      enable netinfo for configuration lookup
+
+Optional Packages:
+  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
+  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)
+  --with-gnu-ld           assume the C compiler uses GNU ld default=no
+  --with-pic              try to use only PIC/non-PIC objects default=use both
+  --without-berkeley-db   if you don't want berkeley db
+  --without-ipv6	do not enable IPv6 support
+  --with-openldap=dir                use openldap in dir
+  --with-openldap-lib=dir            use openldap libraries in dir
+  --with-openldap-include=dir        use openldap headers in dir
+  --with-krb4=dir                use krb4 in dir
+  --with-krb4-lib=dir            use krb4 libraries in dir
+  --with-krb4-include=dir        use krb4 headers in dir
+  --with-readline=dir                use readline in dir
+  --with-readline-lib=dir            use readline libraries in dir
+  --with-readline-include=dir        use readline headers in dir
+  --with-hesiod=dir                use hesiod in dir
+  --with-hesiod-lib=dir            use hesiod libraries in dir
+  --with-hesiod-include=dir        use hesiod headers in dir
+  --with-x                use the X Window System
+
+Some influential environment variables:
+  CC          C compiler command
+  CFLAGS      C compiler flags
+  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
+              nonstandard directory <lib dir>
+  CPPFLAGS    C/C++ preprocessor flags, e.g. -I<include dir> if you have
+              headers in a nonstandard directory <include dir>
+
+Use these variables to override the choices made by `configure' or to help
+it to find libraries and programs with nonstandard names/locations.
+
+Report bugs to <heimdal-bugs@pdc.kth.se>.
+EOF
+fi
+
+if test "$ac_init_help" = "recursive"; then
+  # If there are subdirs, report their specific --help.
+  ac_popdir=`pwd`
+  for ac_subdir in : $ac_subdirs_all; do test "x$ac_subdir" = x: && continue
+    cd $ac_subdir
+    # A "../" for each directory in /$ac_subdir.
+    ac_dots=`echo $ac_subdir |
+             sed 's,^\./,,;s,[^/]$,&/,;s,[^/]*/,../,g'`
+
+    case $srcdir in
+    .) # No --srcdir option.  We are building in place.
+      ac_sub_srcdir=$srcdir ;;
+    [\\/]* | ?:[\\/]* ) # Absolute path.
+      ac_sub_srcdir=$srcdir/$ac_subdir ;;
+    *) # Relative path.
+      ac_sub_srcdir=$ac_dots$srcdir/$ac_subdir ;;
+    esac
+
+    # Check for guested configure; otherwise get Cygnus style configure.
+    if test -f $ac_sub_srcdir/configure.gnu; then
+      echo
+      $SHELL $ac_sub_srcdir/configure.gnu  --help=recursive
+    elif test -f $ac_sub_srcdir/configure; then
+      echo
+      $SHELL $ac_sub_srcdir/configure  --help=recursive
+    elif test -f $ac_sub_srcdir/configure.in; then
+      echo
+      $ac_configure --help
+    else
+      { echo "$as_me:757: WARNING: no configuration information is in $ac_subdir" >&5
+echo "$as_me: warning: no configuration information is in $ac_subdir" >&2; }
+    fi
+    cd $ac_popdir
+  done
+fi
+
+test -n "$ac_init_help" && exit 0
+if $ac_init_version; then
+  cat <<\EOF
+configure (heimdal 0.3f) 2.49b
+
+Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000
+Free Software Foundation, Inc.
+This configure script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it.
+EOF
+  exit 0
+fi
+
+# Keep a trace of the command line.
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Also quote any args containing shell meta-characters.
+ac_configure_args=
+ac_sep=
+for ac_arg
+do
+  case $ac_arg in
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c) ;;
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;;
+  *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
+    ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"`
+    ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'"
+    ac_sep=" " ;;
+  *) ac_configure_args="$ac_configure_args$ac_sep$ac_arg"
+     ac_sep=" " ;;
+  esac
+  # Get rid of the leading space.
+done
+
+# When interrupted or exit'd, cleanup temporary files, and complete
+# config.log.
+trap 'exit_status=$?
+  test "$ac_signal" != 0 &&
+    echo "$as_me: caught signal $ac_signal" >&5
+  echo "$as_me: exit $exit_status" >&5
+  rm -rf conftest* confdefs* core core.* *.core $ac_clean_files &&
+    exit $exit_status
+     ' 0
+for ac_signal in 1 2 13 15; do
+  trap 'ac_status=$?; ac_signal='$ac_signal'; exit $ac_status' $ac_signal
+done
+ac_signal=0
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -rf conftest* confdefs.h
+# AIX cpp loses on an empty file, so make sure it contains at least a newline.
+echo >confdefs.h
+
+# Let the site file select an alternate cache file if it wants to.
+# Prefer explicitly selected file to automatically selected ones.
+if test -z "$CONFIG_SITE"; then
+  if test "x$prefix" != xNONE; then
+    CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
+  else
+    CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
+  fi
+fi
+for ac_site_file in $CONFIG_SITE; do
+  if test -r "$ac_site_file"; then
+    echo "loading site script $ac_site_file"
+    . "$ac_site_file"
+  fi
+done
+
+if test -r "$cache_file"; then
+  # Some versions of bash will fail to source /dev/null (special
+  # files actually), so we avoid doing that.
+  if test -f "$cache_file"; then
+    { echo "$as_me:838: loading cache $cache_file" >&5
+echo "loading cache $cache_file" >&6;}
+    case $cache_file in
+      [\\/]* | ?:[\\/]* ) . $cache_file;;
+      *)                      . ./$cache_file;;
+    esac
+  fi
+else
+  { echo "$as_me:846: creating cache $cache_file" >&5
+echo "creating cache $cache_file" >&6;}
+  >$cache_file
+fi
+
+# Check that the precious variables saved in the cache have kept the same
+# value.
+ac_suggest_removing_cache=false
+for ac_var in `(set) 2>&1 |
+               sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do
+  eval ac_old_set=\$ac_cv_env_${ac_var}_set
+  eval ac_new_set=\$ac_env_${ac_var}_set
+  eval ac_old_val="\$ac_cv_env_${ac_var}_value"
+  eval ac_new_val="\$ac_env_${ac_var}_value"
+  case $ac_old_set,$ac_new_set in
+    set,)
+      { echo "$as_me:862: WARNING: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+echo "$as_me: warning: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2; }
+      ac_suggest_removing_cache=: ;;
+    ,set)
+      { echo "$as_me:866: WARNING: \`$ac_var' was not set in the previous run" >&5
+echo "$as_me: warning: \`$ac_var' was not set in the previous run" >&2; }
+      ac_suggest_removing_cache=: ;;
+    ,);;
+    *)
+      if test "x$ac_old_val" != "x$ac_new_val"; then
+        { echo "$as_me:872: WARNING: \`$ac_var' has changed since the previous run:" >&5
+echo "$as_me: warning: \`$ac_var' has changed since the previous run:" >&2; }
+        { echo "$as_me:874: WARNING:   former value:  $ac_old_val" >&5
+echo "$as_me: warning:   former value:  $ac_old_val" >&2; }
+        { echo "$as_me:876: WARNING:   current value: $ac_new_val" >&5
+echo "$as_me: warning:   current value: $ac_new_val" >&2; }
+        ac_suggest_removing_cache=:
+      fi;;
+  esac
+done
+if $ac_suggest_removing_cache; then
+  { echo "$as_me:883: WARNING: changes in the environment can compromise the build" >&5
+echo "$as_me: warning: changes in the environment can compromise the build" >&2; }
+  { echo "$as_me:885: WARNING: consider removing $cache_file and starting over" >&5
+echo "$as_me: warning: consider removing $cache_file and starting over" >&2; }
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='${CC-cc} -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
+  *c*,-n*) ECHO_N= ECHO_C='
+' ECHO_T='	' ;;
+  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
+  *)      ECHO_N= ECHO_C='\c' ECHO_T= ;;
+esac
+
+ac_config_headers="$ac_config_headers include/config.h"
+
+  ac_config_commands="$ac_config_commands default-1"
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='${CC-cc} -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+echo "$as_me:915: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_CC="${ac_tool_prefix}gcc"
+break
+done
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  echo "$as_me:937: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+  echo "$as_me:940: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+  ac_ct_CC=$CC
+  # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+echo "$as_me:949: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_CC="gcc"
+break
+done
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  echo "$as_me:971: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6
+else
+  echo "$as_me:974: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  CC=$ac_ct_CC
+else
+  CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+  if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+echo "$as_me:987: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_CC="${ac_tool_prefix}cc"
+break
+done
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  echo "$as_me:1009: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+  echo "$as_me:1012: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+  ac_ct_CC=$CC
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo "$as_me:1021: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_CC="cc"
+break
+done
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  echo "$as_me:1043: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6
+else
+  echo "$as_me:1046: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  CC=$ac_ct_CC
+else
+  CC="$ac_cv_prog_CC"
+fi
+
+fi
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo "$as_me:1059: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_prog_rejected=no
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then
+  ac_prog_rejected=yes
+  continue
+fi
+ac_cv_prog_CC="cc"
+break
+done
+
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# != 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    set dummy "$ac_dir/$ac_word" ${1+"$@"}
+    shift
+    ac_cv_prog_CC="$@"
+  fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  echo "$as_me:1100: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+  echo "$as_me:1103: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$CC"; then
+  if test -n "$ac_tool_prefix"; then
+  for ac_prog in cl
+  do
+    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+echo "$as_me:1114: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+break
+done
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+  echo "$as_me:1136: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+  echo "$as_me:1139: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+    test -n "$CC" && break
+  done
+fi
+if test -z "$CC"; then
+  ac_ct_CC=$CC
+  for ac_prog in cl
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:1152: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_CC"; then
+  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_CC="$ac_prog"
+break
+done
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+  echo "$as_me:1174: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6
+else
+  echo "$as_me:1177: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  test -n "$ac_ct_CC" && break
+done
+
+  CC=$ac_ct_CC
+fi
+
+fi
+
+test -z "$CC" && {  echo "$as_me: error: no acceptable cc found in \$PATH" >&2
+  { (exit 1); exit; }; }
+
+echo "$as_me:1192: checking whether the C compiler works" >&5
+echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+#line 1195 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:1207: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  # FIXME: these cross compiler hacks should be removed for autoconf 3.0
+# If not cross compiling, check that we can run a simple program.
+if test "$cross_compiling" != yes; then
+  if { ac_try='./conftest$ac_exeext'; { (eval echo $as_me:1211: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; }; then
+    cross_compiling=no
+  else
+    if test "$cross_compiling" = maybe; then
+      cross_compiling=yes
+    else
+      {  echo "$as_me: error: cannot run C compiled programs.
+To enable cross compilation, use \`--host'." >&2
+  { (exit 1); exit; }; }
+    fi
+  fi
+fi
+echo "$as_me:1223: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  echo "$as_me:1228: result: no" >&5
+echo "${ECHO_T}no" >&6
+{  echo "$as_me: error: C compiler cannot create executables" >&2
+  { (exit 77); exit; }; }
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+echo "$as_me:1234: checking whether we are cross compiling" >&5
+echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6
+echo "$as_me:1236: result: $cross_compiling" >&5
+echo "${ECHO_T}$cross_compiling" >&6
+
+echo "$as_me:1239: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6
+if test "${ac_cv_c_compiler_gnu+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1245 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+#ifndef __GNUC__
+  choke me
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:1260: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_compiler_gnu=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_compiler_gnu=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+echo "$as_me:1271: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6
+GCC=`test $ac_compiler_gnu = yes && echo yes`
+echo "$as_me:1274: checking for object suffix" >&5
+echo $ECHO_N "checking for object suffix... $ECHO_C" >&6
+if test "${ac_cv_objext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1280 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if { (eval echo $as_me:1291: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; }; then
+  for ac_file in `ls conftest.o conftest.obj conftest.* 2>/dev/null`; do
+    case $ac_file in
+      *.$ac_ext | *.tds | *.d ) ;;
+      *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+         break;;
+    esac
+  done
+  rm -f conftest.$ac_objext conftest.$ac_ext
+else
+  {  echo "$as_me: error: cannot compile" >&2
+  { (exit 1); exit; }; }
+fi
+fi
+echo "$as_me:1305: result: $ac_cv_objext" >&5
+echo "${ECHO_T}$ac_cv_objext" >&6
+OBJEXT=$ac_cv_objext
+ac_objext=$ac_cv_objext
+
+echo "$as_me:1310: checking for executable suffix" >&5
+echo $ECHO_N "checking for executable suffix... $ECHO_C" >&6
+if test "${ac_cv_exeext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case "$CYGWIN $MINGW32 $EMXOS2" in
+  *yes*) ac_cv_exeext=.exe ;;
+  *)
+    cat >conftest.$ac_ext <<_ACEOF
+#line 1319 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+    if { (eval echo $as_me:1330: \"$ac_link\") >&5; (eval $ac_link) 2>&5; }; then
+      # If both `conftest.exe' and `conftest' are `present' (well, observable)
+      # catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
+      # work properly (i.e., refer to `conftest.exe'), while it won't with
+      # `rm'.
+      for ac_file in `ls conftest.exe conftest conftest.* 2>/dev/null`; do
+    	case $ac_file in
+    	  *.$ac_ext | *.o | *.obj | *.xcoff | *.tds | *.d) ;;
+    	  *) ac_cv_exeext=`expr "$ac_file" : 'conftest\(.*\)'`
+    	     break;;
+    	esac
+      done
+      rm -f conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+    else
+      {  echo "$as_me: error: cannot compile and link" >&2
+  { (exit 1); exit; }; }
+    fi
+    ;;
+esac
+fi
+echo "$as_me:1350: result: $ac_cv_exeext" >&5
+echo "${ECHO_T}$ac_cv_exeext" >&6
+EXEEXT=$ac_cv_exeext
+ac_exeext=$EXEEXT
+
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+CFLAGS="-g"
+echo "$as_me:1358: checking whether ${CC-cc} accepts -g" >&5
+echo $ECHO_N "checking whether ${CC-cc} accepts -g... $ECHO_C" >&6
+if test "${ac_cv_prog_cc_g+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1364 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:1376: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_prog_cc_g=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:1385: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
+  else
+    CFLAGS="-g"
+  fi
+else
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
+fi
+
+echo "$as_me:1403: checking how to run the C preprocessor" >&5
+echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
+fi
+if test -z "$CPP"; then
+  if test "${ac_cv_prog_CPP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+      # Double quotes because CPP needs to be expanded
+    for CPP in "${CC-cc} -E" "${CC-cc} -E -traditional-cpp" "/lib/cpp"
+    do
+      # Use a header file that comes with gcc, so configuring glibc
+# with a fresh cross-compiler works.
+# On the NeXT, cc -E runs the code through the compiler's parser,
+# not just through cpp. "Syntax error" is here to catch this case.
+cat >conftest.$ac_ext <<_ACEOF
+#line 1421 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax error
+_ACEOF
+ac_c_preproc_warn_flag=maybe
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:1428: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+# Now check whether non-existent headers can be detected and how
+# Skip if ac_cpp_err is not empty - ac_cpp is broken
+if test -z "$ac_cpp_err"; then
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1442 "configure"
+#include "confdefs.h"
+#include <ac_nonexistent.h>
+_ACEOF
+  ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:1447: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+  if test -z "$ac_cpp_err"; then
+    # cannot detect missing includes at all
+    ac_cpp_err=yes
+  else
+    if test "x$ac_cpp_err" = xmaybe; then
+      ac_c_preproc_warn_flag=yes
+    else
+      ac_c_preproc_warn_flag=
+    fi
+    ac_cpp_err=
+  fi
+fi
+rm -f conftest*
+
+      if test -z "$ac_cpp_err"; then
+        break
+      fi
+    done
+    ac_cv_prog_CPP=$CPP
+
+fi
+  CPP=$ac_cv_prog_CPP
+else
+  # Use a header file that comes with gcc, so configuring glibc
+# with a fresh cross-compiler works.
+# On the NeXT, cc -E runs the code through the compiler's parser,
+# not just through cpp. "Syntax error" is here to catch this case.
+cat >conftest.$ac_ext <<_ACEOF
+#line 1485 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax error
+_ACEOF
+ac_c_preproc_warn_flag=maybe
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:1492: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+# Now check whether non-existent headers can be detected and how
+# Skip if ac_cpp_err is not empty - ac_cpp is broken
+if test -z "$ac_cpp_err"; then
+  cat >conftest.$ac_ext <<_ACEOF
+#line 1506 "configure"
+#include "confdefs.h"
+#include <ac_nonexistent.h>
+_ACEOF
+  ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:1511: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+  if test -z "$ac_cpp_err"; then
+    # cannot detect missing includes at all
+    ac_cpp_err=yes
+  else
+    if test "x$ac_cpp_err" = xmaybe; then
+      ac_c_preproc_warn_flag=yes
+    else
+      ac_c_preproc_warn_flag=
+    fi
+    ac_cpp_err=
+  fi
+fi
+rm -f conftest*
+
+  ac_cv_prog_CPP=$CPP
+fi
+echo "$as_me:1537: result: $CPP" >&5
+echo "${ECHO_T}$CPP" >&6
+if test -n "$ac_cpp_err"; then
+  {  echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check" >&2
+  { (exit 1); exit; }; }
+fi
+
+echo "$as_me:1544: checking for ${CC-cc} option to accept ANSI C" >&5
+echo $ECHO_N "checking for ${CC-cc} option to accept ANSI C... $ECHO_C" >&6
+if test "${ac_cv_prog_cc_stdc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_prog_cc_stdc=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+#line 1552 "configure"
+#include "confdefs.h"
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+     char **p;
+     int i;
+{
+  return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+  char *s;
+  va_list v;
+  va_start (v,p);
+  s = g (p, va_arg (v,int));
+  va_end (v);
+  return s;
+}
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
+  ;
+  return 0;
+}
+_ACEOF
+# Don't try gcc -ansi; that turns off useful extensions and
+# breaks some systems' header files.
+# AIX			-qlanglvl=ansi
+# Ultrix and OSF/1	-std1
+# HP-UX 10.20 and later	-Ae
+# HP-UX older versions	-Aa -D_HPUX_SOURCE
+# SVR4			-Xc -D__EXTENSIONS__
+for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+  CC="$ac_save_CC $ac_arg"
+  rm -f conftest.$ac_objext
+if { (eval echo $as_me:1601: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_stdc=$ac_arg
+rm -f conftest.$ac_ext conftest.$ac_objext
+break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext
+done
+CC=$ac_save_CC
+
+fi
+
+case "x$ac_cv_prog_cc_stdc" in
+  x|xno)
+    echo "$as_me:1617: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6 ;;
+  *)
+    echo "$as_me:1620: result: $ac_cv_prog_cc_stdc" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6
+    CC="$CC $ac_cv_prog_cc_stdc" ;;
+esac
+
+ac_aux_dir=
+for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
+  if test -f $ac_dir/install-sh; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install-sh -c"
+    break
+  elif test -f $ac_dir/install.sh; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install.sh -c"
+    break
+  elif test -f $ac_dir/shtool; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/shtool install -c"
+    break
+  fi
+done
+if test -z "$ac_aux_dir"; then
+  {  echo "$as_me: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&2
+  { (exit 1); exit; }; }
+fi
+ac_config_guess="$SHELL $ac_aux_dir/config.guess"
+ac_config_sub="$SHELL $ac_aux_dir/config.sub"
+ac_configure="$SHELL $ac_aux_dir/configure" # This should be Cygnus configure.
+
+# Find a good install program.  We prefer a C program (faster),
+# so one script is as good as another.  But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AmigaOS /C/install, which installs bootblocks on floppy discs
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# ./install, which can be erroneously created by make from ./install.sh.
+echo "$as_me:1661: checking for a BSD compatible install" >&5
+echo $ECHO_N "checking for a BSD compatible install... $ECHO_C" >&6
+if test -z "$INSTALL"; then
+if test "${ac_cv_path_install+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+    ac_save_IFS=$IFS; IFS=':'
+  for ac_dir in $PATH; do
+    # Account for people who put trailing slashes in PATH elements.
+    case $ac_dir/ in
+    / | ./ | .// | /cC/* \
+    | /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* \
+    | /usr/ucb/* ) ;;
+    *)
+      # OSF1 and SCO ODT 3.0 have their own names for install.
+      # Don't use installbsd from OSF since it installs stuff as root
+      # by default.
+      for ac_prog in ginstall scoinst install; do
+        if test -f "$ac_dir/$ac_prog"; then
+	  if test $ac_prog = install &&
+            grep dspmsg "$ac_dir/$ac_prog" >/dev/null 2>&1; then
+	    # AIX install.  It has an incompatible calling convention.
+	    :
+	  elif test $ac_prog = install &&
+	    grep pwplus "$ac_dir/$ac_prog" >/dev/null 2>&1; then
+	    # program-specific install script used by HP pwplus--don't use.
+	    :
+	  else
+	    ac_cv_path_install="$ac_dir/$ac_prog -c"
+	    break 2
+	  fi
+	fi
+      done
+      ;;
+    esac
+  done
+  IFS=$ac_save_IFS
+
+fi
+  if test "${ac_cv_path_install+set}" = set; then
+    INSTALL=$ac_cv_path_install
+  else
+    # As a last resort, use the slow shell script.  We don't cache a
+    # path for INSTALL within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the path is relative.
+    INSTALL=$ac_install_sh
+  fi
+fi
+echo "$as_me:1710: result: $INSTALL" >&5
+echo "${ECHO_T}$INSTALL" >&6
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+echo "$as_me:1721: checking whether build environment is sane" >&5
+echo $ECHO_N "checking whether build environment is sane... $ECHO_C" >&6
+# Just in case
+sleep 1
+echo timestamp > conftestfile
+# Do `set' in a subshell so we don't clobber the current shell's
+# arguments.  Must try -L first in case configure is actually a
+# symlink; some systems play weird games with the mod time of symlinks
+# (eg FreeBSD returns the mod time of the symlink's containing
+# directory).
+if (
+   set X `ls -Lt $srcdir/configure conftestfile 2> /dev/null`
+   if test "$*" = "X"; then
+      # -L didn't work.
+      set X `ls -t $srcdir/configure conftestfile`
+   fi
+   if test "$*" != "X $srcdir/configure conftestfile" \
+      && test "$*" != "X conftestfile $srcdir/configure"; then
+
+      # If neither matched, then we have a broken ls.  This can happen
+      # if, for instance, CONFIG_SHELL is bash and it inherits a
+      # broken ls alias from the environment.  This has actually
+      # happened.  Such a system could not be considered "sane".
+      {  echo "$as_me: error: ls -t appears to fail.  Make sure there is not a broken
+alias in your environment" >&2
+  { (exit 1); exit; }; }
+   fi
+
+   test "$2" = conftestfile
+   )
+then
+   # Ok.
+   :
+else
+   {  echo "$as_me: error: newly created file is older than distributed files!
+Check your system clock" >&2
+  { (exit 1); exit; }; }
+fi
+rm -f conftest*
+echo "$as_me:1760: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+if test "$program_transform_name" = s,x,x,; then
+  program_transform_name=
+else
+  # Double any \ or $.  echo might interpret backslashes.
+  cat <<\EOF >conftestsed
+s,\\,\\\\,g; s,\$,$$,g
+EOF
+  program_transform_name=`echo $program_transform_name | sed -f conftestsed`
+  rm -f conftestsed
+fi
+test "$program_prefix" != NONE &&
+  program_transform_name="s,^,${program_prefix},;$program_transform_name"
+# Use a double $ so make ignores it.
+test "$program_suffix" != NONE &&
+  program_transform_name="s,\$\$,${program_suffix},;$program_transform_name"
+
+# sed with no file args requires a program.
+test -z "$program_transform_name" && program_transform_name="s,x,x,"
+
+test x"${MISSING+set}" = xset || \
+  MISSING="\${SHELL} `CDPATH=:; cd $ac_aux_dir && pwd`/missing"
+# Use eval to expand $SHELL
+if eval "$MISSING --run :"; then
+  am_missing_run="$MISSING --run "
+else
+  am_missing_run=
+  am_backtick='`'
+  { echo "$as_me:1789: WARNING: ${am_backtick}missing' script is too old or missing" >&5
+echo "$as_me: warning: ${am_backtick}missing' script is too old or missing" >&2; }
+fi
+
+for ac_prog in mawk gawk nawk awk
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:1797: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_AWK+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$AWK"; then
+  ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_AWK="$ac_prog"
+break
+done
+
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+  echo "$as_me:1819: result: $AWK" >&5
+echo "${ECHO_T}$AWK" >&6
+else
+  echo "$as_me:1822: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  test -n "$AWK" && break
+done
+
+echo "$as_me:1829: checking whether ${MAKE-make} sets \${MAKE}" >&5
+echo $ECHO_N "checking whether ${MAKE-make} sets \${MAKE}... $ECHO_C" >&6
+set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y,./+-,__p_,'`
+if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftestmake <<\EOF
+all:
+	@echo 'ac_maketemp="${MAKE}"'
+EOF
+# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+eval `${MAKE-make} -f conftestmake 2>/dev/null | grep temp=`
+if test -n "$ac_maketemp"; then
+  eval ac_cv_prog_make_${ac_make}_set=yes
+else
+  eval ac_cv_prog_make_${ac_make}_set=no
+fi
+rm -f conftestmake
+fi
+if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then
+  echo "$as_me:1849: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+  SET_MAKE=
+else
+  echo "$as_me:1853: result: no" >&5
+echo "${ECHO_T}no" >&6
+  SET_MAKE="MAKE=${MAKE-make}"
+fi
+
+# Check whether --enable-dependency-tracking or --disable-dependency-tracking was given.
+if test "${enable_dependency_tracking+set}" = set; then
+  enableval="$enable_dependency_tracking"
+
+fi;
+if test "x$enable_dependency_tracking" = xno; then
+  AMDEP="#"
+else
+  am_depcomp="$ac_aux_dir/depcomp"
+  if test ! -f "$am_depcomp"; then
+    AMDEP="#"
+  else
+    AMDEP=
+  fi
+fi
+
+if test -z "$AMDEP"; then
+  AMDEPBACKSLASH='\'
+else
+  AMDEPBACKSLASH=
+fi
+
+if test -d .deps || mkdir .deps 2> /dev/null || test -d .deps; then
+  DEPDIR=.deps
+  # We redirect because .deps might already exist and be populated.
+  # In this situation we don't want to see an error.
+  rmdir .deps > /dev/null 2>&1
+else
+  DEPDIR=_deps
+fi
+
+ac_config_commands="$ac_config_commands default-2"
+
+# test to see if srcdir already configured
+if test "`CDPATH=:; cd $srcdir && pwd`" != "`pwd`" &&
+   test -f $srcdir/config.status; then
+  {  echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2
+  { (exit 1); exit; }; }
+fi
+
+# Define the identity of the package.
+PACKAGE=heimdal
+VERSION=0.3f
+
+cat >>confdefs.h <<EOF
+#define PACKAGE "$PACKAGE"
+EOF
+
+cat >>confdefs.h <<EOF
+#define VERSION "$VERSION"
+EOF
+
+# Some tools Automake needs.
+
+ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal"}
+
+AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"}
+
+AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake"}
+
+AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"}
+
+MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
+
+AMTAR=${AMTAR-"${am_missing_run}tar"}
+
+if test -z "$install_sh"; then
+   install_sh="$ac_aux_dir/install-sh"
+   test -f "$install_sh" || install_sh="$ac_aux_dir/install.sh"
+   test -f "$install_sh" || install_sh="${am_missing_run}${ac_auxdir}/install-sh"
+         install_sh="`echo $install_sh | sed -e 's/\${SHELL}//'`"
+fi
+
+# We need awk for the "check" target.  The system "awk" is bad on
+# some platforms.
+
+depcc="$CC"
+depcpp="$CPP"
+echo "$as_me:1936: checking dependency style of $depcc" >&5
+echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6
+if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if test -z "$AMDEP"; then
+  echo '#include "conftest.h"' > conftest.c
+  echo 'int i;' > conftest.h
+
+  am_cv_CC_dependencies_compiler_type=none
+  for depmode in `sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < "$am_depcomp"`; do
+    case "$depmode" in
+    nosideeffect)
+      # after this tag, mechanisms are not by side-effect, so they'll
+      # only be used when explicitly requested
+      if test "x$enable_dependency_tracking" = xyes; then
+	continue
+      else
+	break
+      fi
+      ;;
+    none) break ;;
+    esac
+    # We check with `-c' and `-o' for the sake of the "dashmstdout"
+    # mode.  It turns out that the SunPro C++ compiler does not properly
+    # handle `-M -o', and we need to detect this.
+    if depmode="$depmode" \
+       source=conftest.c object=conftest.o \
+       depfile=conftest.Po tmpdepfile=conftest.TPo \
+       $SHELL $am_depcomp $depcc -c conftest.c -o conftest.o >/dev/null 2>&1 &&
+       grep conftest.h conftest.Po > /dev/null 2>&1; then
+      am_cv_CC_dependencies_compiler_type="$depmode"
+      break
+    fi
+  done
+
+  rm -f conftest.*
+else
+  am_cv_CC_dependencies_compiler_type=none
+fi
+
+fi
+
+echo "$as_me:1980: result: $am_cv_CC_dependencies_compiler_type" >&5
+echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6
+CCDEPMODE="depmode=$am_cv_CC_dependencies_compiler_type"
+
+# Make sure we can run config.sub.
+$ac_config_sub sun4 >/dev/null 2>&1 ||
+  {  echo "$as_me: error: cannot run $ac_config_sub" >&2
+  { (exit 1); exit; }; }
+
+echo "$as_me:1989: checking build system type" >&5
+echo $ECHO_N "checking build system type... $ECHO_C" >&6
+if test "${ac_cv_build+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_build_alias=$build_alias
+test -z "$ac_cv_build_alias" &&
+  ac_cv_build_alias=`$ac_config_guess`
+test -z "$ac_cv_build_alias" &&
+  {  echo "$as_me: error: cannot guess build type; you must specify one" >&2
+  { (exit 1); exit; }; }
+ac_cv_build=`$ac_config_sub $ac_cv_build_alias` ||
+  {  echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed." >&2
+  { (exit 1); exit; }; }
+
+fi
+echo "$as_me:2005: result: $ac_cv_build" >&5
+echo "${ECHO_T}$ac_cv_build" >&6
+build=$ac_cv_build
+build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+
+echo "$as_me:2012: checking host system type" >&5
+echo $ECHO_N "checking host system type... $ECHO_C" >&6
+if test "${ac_cv_host+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_host_alias=$host_alias
+test -z "$ac_cv_host_alias" &&
+  ac_cv_host_alias=$ac_cv_build_alias
+ac_cv_host=`$ac_config_sub $ac_cv_host_alias` ||
+  {  echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2
+  { (exit 1); exit; }; }
+
+fi
+echo "$as_me:2025: result: $ac_cv_host" >&5
+echo "${ECHO_T}$ac_cv_host" >&6
+host=$ac_cv_host
+host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+
+CANONICAL_HOST=$host
+
+sunos=no
+case "$host" in
+*-*-sunos4*)
+	sunos=40
+	;;
+*-*-solaris2.7)
+	sunos=57
+	;;
+*-*-solaris2.8)
+	sunos=58
+	;;
+*-*-solaris2*)
+	sunos=50
+	;;
+esac
+if test "$sunos" != no; then
+
+cat >>confdefs.h <<EOF
+#define SunOS $sunos
+EOF
+
+fi
+
+aix=no
+case "$host" in
+*-*-aix3*)
+	aix=3
+	;;
+*-*-aix4*)
+	aix=4
+	;;
+esac
+
+#test -z "$CFLAGS" && CFLAGS="-g"
+
+for ac_prog in 'bison -y' byacc
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:2073: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_YACC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$YACC"; then
+  ac_cv_prog_YACC="$YACC" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_YACC="$ac_prog"
+break
+done
+
+fi
+fi
+YACC=$ac_cv_prog_YACC
+if test -n "$YACC"; then
+  echo "$as_me:2095: result: $YACC" >&5
+echo "${ECHO_T}$YACC" >&6
+else
+  echo "$as_me:2098: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  test -n "$YACC" && break
+done
+test -n "$YACC" || YACC="yacc"
+
+for ac_prog in flex lex
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:2110: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_LEX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$LEX"; then
+  ac_cv_prog_LEX="$LEX" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_LEX="$ac_prog"
+break
+done
+
+fi
+fi
+LEX=$ac_cv_prog_LEX
+if test -n "$LEX"; then
+  echo "$as_me:2132: result: $LEX" >&5
+echo "${ECHO_T}$LEX" >&6
+else
+  echo "$as_me:2135: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  test -n "$LEX" && break
+done
+test -n "$LEX" || LEX="${am_missing_run}flex"
+
+for ac_prog in flex lex
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:2147: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_LEX+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$LEX"; then
+  ac_cv_prog_LEX="$LEX" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_LEX="$ac_prog"
+break
+done
+
+fi
+fi
+LEX=$ac_cv_prog_LEX
+if test -n "$LEX"; then
+  echo "$as_me:2169: result: $LEX" >&5
+echo "${ECHO_T}$LEX" >&6
+else
+  echo "$as_me:2172: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  test -n "$LEX" && break
+done
+test -n "$LEX" || LEX=":"
+
+if test -z "$LEXLIB"
+then
+
+echo "$as_me:2183: checking for yywrap in -lfl" >&5
+echo $ECHO_N "checking for yywrap in -lfl... $ECHO_C" >&6
+if test "${ac_cv_lib_fl_yywrap+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lfl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 2191 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char yywrap ();
+int
+main ()
+{
+yywrap ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:2210: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_fl_yywrap=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_fl_yywrap=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:2220: result: $ac_cv_lib_fl_yywrap" >&5
+echo "${ECHO_T}$ac_cv_lib_fl_yywrap" >&6
+if test $ac_cv_lib_fl_yywrap = yes; then
+  LEXLIB="-lfl"
+else
+
+echo "$as_me:2226: checking for yywrap in -ll" >&5
+echo $ECHO_N "checking for yywrap in -ll... $ECHO_C" >&6
+if test "${ac_cv_lib_l_yywrap+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ll  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 2234 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char yywrap ();
+int
+main ()
+{
+yywrap ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:2253: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_l_yywrap=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_l_yywrap=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:2263: result: $ac_cv_lib_l_yywrap" >&5
+echo "${ECHO_T}$ac_cv_lib_l_yywrap" >&6
+if test $ac_cv_lib_l_yywrap = yes; then
+  LEXLIB="-ll"
+fi
+
+fi
+
+fi
+
+if test "x$LEX" != "x:"; then
+  echo "$as_me:2274: checking lex output file root" >&5
+echo $ECHO_N "checking lex output file root... $ECHO_C" >&6
+if test "${ac_cv_prog_lex_root+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # The minimal lex program is just a single line: %%.  But some broken lexes
+# (Solaris, I think it was) want two %% lines, so accommodate them.
+echo '%%
+%%' | $LEX
+if test -f lex.yy.c; then
+  ac_cv_prog_lex_root=lex.yy
+elif test -f lexyy.c; then
+  ac_cv_prog_lex_root=lexyy
+else
+  {  echo "$as_me: error: cannot find output from $LEX; giving up" >&2
+  { (exit 1); exit; }; }
+fi
+fi
+echo "$as_me:2292: result: $ac_cv_prog_lex_root" >&5
+echo "${ECHO_T}$ac_cv_prog_lex_root" >&6
+LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
+
+echo "$as_me:2296: checking whether yytext is a pointer" >&5
+echo $ECHO_N "checking whether yytext is a pointer... $ECHO_C" >&6
+if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # POSIX says lex can declare yytext either as a pointer or an array; the
+# default is implementation-dependent. Figure out which it is, since
+# not all implementations provide the %pointer and %array declarations.
+ac_cv_prog_lex_yytext_pointer=no
+echo 'extern char *yytext;' >>$LEX_OUTPUT_ROOT.c
+ac_save_LIBS=$LIBS
+LIBS="$LIBS $LEXLIB"
+cat >conftest.$ac_ext <<_ACEOF
+`cat $LEX_OUTPUT_ROOT.c`
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:2312: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_prog_lex_yytext_pointer=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_save_LIBS
+rm -f "${LEX_OUTPUT_ROOT}.c"
+
+fi
+echo "$as_me:2323: result: $ac_cv_prog_lex_yytext_pointer" >&5
+echo "${ECHO_T}$ac_cv_prog_lex_yytext_pointer" >&6
+if test $ac_cv_prog_lex_yytext_pointer = yes; then
+
+cat >>confdefs.h <<\EOF
+#define YYTEXT_POINTER 1
+EOF
+
+fi
+
+fi
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+echo "$as_me:2338: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_RANLIB+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$RANLIB"; then
+  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+break
+done
+
+fi
+fi
+RANLIB=$ac_cv_prog_RANLIB
+if test -n "$RANLIB"; then
+  echo "$as_me:2360: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6
+else
+  echo "$as_me:2363: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_RANLIB"; then
+  ac_ct_RANLIB=$RANLIB
+  # Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+echo "$as_me:2372: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_RANLIB"; then
+  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_RANLIB="ranlib"
+break
+done
+
+  test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":"
+fi
+fi
+ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
+if test -n "$ac_ct_RANLIB"; then
+  echo "$as_me:2395: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6
+else
+  echo "$as_me:2398: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  RANLIB=$ac_ct_RANLIB
+else
+  RANLIB="$ac_cv_prog_RANLIB"
+fi
+
+for ac_prog in mawk gawk nawk awk
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:2411: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_AWK+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$AWK"; then
+  ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_AWK="$ac_prog"
+break
+done
+
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+  echo "$as_me:2433: result: $AWK" >&5
+echo "${ECHO_T}$AWK" >&6
+else
+  echo "$as_me:2436: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  test -n "$AWK" && break
+done
+
+echo "$as_me:2443: checking for ln -s or something else" >&5
+echo $ECHO_N "checking for ln -s or something else... $ECHO_C" >&6
+if test "${ac_cv_prog_LN_S+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  touch conftestdata1
+  if ln conftestdata1 conftestdata2; then
+    rm -f conftestdata*
+    ac_cv_prog_LN_S=ln
+  else
+    ac_cv_prog_LN_S=cp
+  fi
+fi
+fi
+LN_S="$ac_cv_prog_LN_S"
+echo "$as_me:2464: result: $ac_cv_prog_LN_S" >&5
+echo "${ECHO_T}$ac_cv_prog_LN_S" >&6
+
+# Check whether --with-mips_abi or --without-mips_abi was given.
+if test "${with_mips_abi+set}" = set; then
+  withval="$with_mips_abi"
+
+fi;
+
+case "$host_os" in
+irix*)
+with_mips_abi="${with_mips_abi:-yes}"
+if test -n "$GCC"; then
+
+# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select
+# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs.
+#
+# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old
+# GCC and revert back to O32. The same goes if O32 is asked for - old
+# GCCs doesn't like the -mabi option, and new GCCs can't output O32.
+#
+# Don't you just love *all* the different SGI ABIs?
+
+case "${with_mips_abi}" in
+        32|o32) abi='-mabi=32';  abilibdirext=''     ;;
+       n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
+        64) abi='-mabi=64';  abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) {  echo "$as_me: error: \"Invalid ABI specified\"" >&2
+  { (exit 1); exit; }; } ;;
+esac
+if test -n "$abi" ; then
+ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
+echo "$as_me:2497: checking if $CC supports the $abi option" >&5
+echo $ECHO_N "checking if $CC supports the $abi option... $ECHO_C" >&6
+if eval "test \"\${$ac_foo+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $abi"
+cat >conftest.$ac_ext <<_ACEOF
+#line 2506 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+int x;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:2518: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval $ac_foo=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval $ac_foo=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+CFLAGS="$save_CFLAGS"
+
+fi
+
+ac_res=`eval echo \\\$$ac_foo`
+echo "$as_me:2531: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6
+if test $ac_res = no; then
+# Try to figure out why that failed...
+case $abi in
+	-mabi=32)
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS -mabi=n32"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 2540 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+int x;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:2552: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_res=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_res=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+	CLAGS="$save_CFLAGS"
+	if test $ac_res = yes; then
+		# New GCC
+		{  echo "$as_me: error: $CC does not support the $with_mips_abi ABI" >&2
+  { (exit 1); exit; }; }
+	fi
+	# Old GCC
+	abi=''
+	abilibdirext=''
+	;;
+	-mabi=n32|-mabi=64)
+		if test $with_mips_abi = yes; then
+			# Old GCC, default to O32
+			abi=''
+			abilibdirext=''
+		else
+			# Some broken GCC
+			{  echo "$as_me: error: $CC does not support the $with_mips_abi ABI" >&2
+  { (exit 1); exit; }; }
+		fi
+	;;
+esac
+fi #if test $ac_res = no; then
+fi #if test -n "$abi" ; then
+else
+case "${with_mips_abi}" in
+        32|o32) abi='-32'; abilibdirext=''     ;;
+       n32|yes) abi='-n32'; abilibdirext='32'  ;;
+        64) abi='-64'; abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) {  echo "$as_me: error: \"Invalid ABI specified\"" >&2
+  { (exit 1); exit; }; } ;;
+esac
+fi #if test -n "$GCC"; then
+;;
+esac
+
+CC="$CC $abi"
+libdir="$libdir$abilibdirext"
+
+echo "$as_me:2600: checking for __attribute__" >&5
+echo $ECHO_N "checking for __attribute__... $ECHO_C" >&6
+if test "${ac_cv___attribute__+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 2607 "configure"
+#include "confdefs.h"
+
+#include <stdlib.h>
+
+int
+main ()
+{
+
+static void foo(void) __attribute__ ((noreturn));
+
+static void
+foo(void)
+{
+  exit(1);
+}
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:2629: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv___attribute__=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv___attribute__=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+
+if test "$ac_cv___attribute__" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE___ATTRIBUTE__ 1
+EOF
+
+fi
+echo "$as_me:2646: result: $ac_cv___attribute__" >&5
+echo "${ECHO_T}$ac_cv___attribute__" >&6
+
+# Check whether --enable-shared or --disable-shared was given.
+if test "${enable_shared+set}" = set; then
+  enableval="$enable_shared"
+  p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_shared=yes ;;
+no) enable_shared=no ;;
+*)
+  enable_shared=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_shared=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac
+else
+  enable_shared=no
+fi;
+# Check whether --enable-static or --disable-static was given.
+if test "${enable_static+set}" = set; then
+  enableval="$enable_static"
+  p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_static=yes ;;
+no) enable_static=no ;;
+*)
+  enable_static=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_static=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac
+else
+  enable_static=yes
+fi;
+# Check whether --enable-fast-install or --disable-fast-install was given.
+if test "${enable_fast_install+set}" = set; then
+  enableval="$enable_fast_install"
+  p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_fast_install=yes ;;
+no) enable_fast_install=no ;;
+*)
+  enable_fast_install=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_fast_install=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac
+else
+  enable_fast_install=yes
+fi;
+
+# Check whether --with-gnu-ld or --without-gnu-ld was given.
+if test "${with_gnu_ld+set}" = set; then
+  withval="$with_gnu_ld"
+  test "$withval" = no || with_gnu_ld=yes
+else
+  with_gnu_ld=no
+fi;
+ac_prog=ld
+if test "$ac_cv_c_compiler_gnu" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  echo "$as_me:2726: checking for ld used by GCC" >&5
+echo $ECHO_N "checking for ld used by GCC... $ECHO_C" >&6
+  case $host in
+  *-*-mingw*)
+    # gcc leaves a trailing carriage return which upsets mingw
+    ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+  *)
+    ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+  esac
+  case "$ac_prog" in
+    # Accept absolute paths.
+    [\\/]* | [A-Za-z]:[\\/]*)
+      re_direlt='/[^/][^/]*/\.\./'
+      # Canonicalize the path of ld
+      ac_prog=`echo $ac_prog| sed 's%\\\\%/%g'`
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  echo "$as_me:2756: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6
+else
+  echo "$as_me:2759: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6
+fi
+if test "${ac_cv_path_LD+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -z "$LD"; then
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
+  for ac_dir in $PATH; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      ac_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some GNU ld's only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      if "$ac_cv_path_LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then
+	test "$with_gnu_ld" != no && break
+      else
+	test "$with_gnu_ld" != yes && break
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+else
+  ac_cv_path_LD="$LD" # Let the user override the test with a path.
+fi
+fi
+
+LD="$ac_cv_path_LD"
+if test -n "$LD"; then
+  echo "$as_me:2789: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6
+else
+  echo "$as_me:2792: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+test -z "$LD" && {  echo "$as_me: error: no acceptable ld found in \$PATH" >&2
+  { (exit 1); exit; }; }
+echo "$as_me:2797: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6
+if test "${ac_cv_prog_gnu_ld+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # I'd rather use --version here, but apparently some GNU ld's only accept -v.
+if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
+  ac_cv_prog_gnu_ld=yes
+else
+  ac_cv_prog_gnu_ld=no
+fi
+fi
+echo "$as_me:2809: result: $ac_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$ac_cv_prog_gnu_ld" >&6
+with_gnu_ld=$ac_cv_prog_gnu_ld
+
+echo "$as_me:2813: checking for $LD option to reload object files" >&5
+echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6
+if test "${lt_cv_ld_reload_flag+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_ld_reload_flag='-r'
+fi
+echo "$as_me:2820: result: $lt_cv_ld_reload_flag" >&5
+echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6
+reload_flag=$lt_cv_ld_reload_flag
+test -n "$reload_flag" && reload_flag=" $reload_flag"
+
+echo "$as_me:2825: checking for BSD-compatible nm" >&5
+echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6
+if test "${ac_cv_path_NM+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$NM"; then
+  # Let the user override the test.
+  ac_cv_path_NM="$NM"
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
+  for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
+    test -z "$ac_dir" && ac_dir=.
+    tmp_nm=$ac_dir/${ac_tool_prefix}nm
+    if test -f $tmp_nm || test -f $tmp_nm$ac_exeext ; then
+      # Check to see if the nm accepts a BSD-compat flag.
+      # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+      #   nm: unknown option "B" ignored
+      if ($tmp_nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+	ac_cv_path_NM="$tmp_nm -B"
+	break
+      elif ($tmp_nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+	ac_cv_path_NM="$tmp_nm -p"
+	break
+      else
+	ac_cv_path_NM=${ac_cv_path_NM="$tmp_nm"} # keep the first match, but
+	continue # so that we can try to find one that supports BSD flags
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_path_NM" && ac_cv_path_NM=nm
+fi
+fi
+
+NM="$ac_cv_path_NM"
+echo "$as_me:2860: result: $NM" >&5
+echo "${ECHO_T}$NM" >&6
+
+echo "$as_me:2863: checking whether ln -s works" >&5
+echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6
+if test "${ac_cv_prog_LN_S+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  rm -f conftest.sym conftest.file
+echo >conftest.file
+if ln -s conftest.file conftest.sym 2>/dev/null; then
+  ac_cv_prog_LN_S="ln -s"
+elif ln conftest.file conftest.sym 2>/dev/null; then
+  ac_cv_prog_LN_S=ln
+else
+  ac_cv_prog_LN_S=cp
+fi
+rm -f conftest.sym conftest.file
+fi
+LN_S=$ac_cv_prog_LN_S
+
+if test "$ac_cv_prog_LN_S" = "ln -s"; then
+  echo "$as_me:2882: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me:2885: result: no, using $LN_S" >&5
+echo "${ECHO_T}no, using $LN_S" >&6
+fi
+
+echo "$as_me:2889: checking how to recognise dependant libraries" >&5
+echo $ECHO_N "checking how to recognise dependant libraries... $ECHO_C" >&6
+if test "${lt_cv_deplibs_check_method+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  lt_cv_file_magic_cmd='${MAGIC}'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [regex]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given egrep regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case "$host_os" in
+aix4*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+beos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+bsdi4*)
+    lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
+    lt_cv_file_magic_cmd='/usr/bin/file -L'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  ;;
+
+cygwin* | mingw*)
+  lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+  lt_cv_file_magic_cmd='${OBJDUMP} -f'
+  ;;
+
+freebsd*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+    case "$host_cpu" in
+    i*86 )
+            lt_cv_deplibs_check_method=='file_magic OpenBSD/i[3-9]86 demand paged shared library'
+            lt_cv_file_magic_cmd=/usr/bin/file
+      lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+      ;;
+    esac
+  else
+    lt_cv_deplibs_check_method=pass_all
+  fi
+  ;;
+
+gnu*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+hpux10.20*)
+  # TODO:  Does this work for hpux-11 too?
+  lt_cv_deplibs_check_method='file_magic (s0-90-90-9|PA-RISC0-9.0-9) shared library'
+  lt_cv_file_magic_cmd=/usr/bin/file
+  lt_cv_file_magic_test_file=/usr/lib/libc.sl
+  ;;
+
+irix5* | irix6*)
+  case "$host_os" in
+  irix5*)
+    # this will be overridden with pass_all, but let us keep it just in case
+    lt_cv_deplibs_check_method="file_magic ELF 32-bit MSB dynamic lib MIPS - version 1"
+    ;;
+  *)
+    case "$LD" in
+    *-32|*"-32 ") libmagic=32-bit;;
+    *-n32|*"-n32 ") libmagic=N32;;
+    *-64|*"-64 ") libmagic=64-bit;;
+    *) libmagic=never-match;;
+    esac
+    # this will be overridden with pass_all, but let us keep it just in case
+        lt_cv_deplibs_check_method="file_magic ELF ${libmagic} MSB mips-[1234] dynamic lib MIPS - version 1"
+        ;;
+  esac
+  lt_cv_file_magic_test_file=`echo /lib${libsuff}/libc.so*`
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+# This must be Linux ELF.
+linux-gnu*)
+  case "$host_cpu" in
+  alpha* | i*86 | powerpc* | sparc* | ia64* )
+    lt_cv_deplibs_check_method=pass_all ;;
+  *)
+    # glibc up to 2.1.1 does not perform some relocations on ARM
+        lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' ;;
+      esac
+  lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
+  ;;
+
+netbsd*)
+  if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then :
+  else
+        lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB shared object'
+        lt_cv_file_magic_cmd='/usr/bin/file -L'
+    lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+  fi
+  ;;
+
+osf3* | osf4* | osf5*)
+  # this will be overridden with pass_all, but let us keep it just in case
+  lt_cv_deplibs_check_method='file_magic COFF format alpha shared library'
+  lt_cv_file_magic_test_file=/shlib/libc.so
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+sco3.2v5*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
+solaris*)
+  lt_cv_deplibs_check_method=pass_all
+  lt_cv_file_magic_test_file=/lib/libc.so
+  ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+  case "$host_vendor" in
+  ncr)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
+  motorola)
+        lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
+        lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+    ;;
+  esac
+  ;;
+esac
+
+fi
+echo "$as_me:3025: result: $lt_cv_deplibs_check_method" >&5
+echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+
+# Only perform the check for file, if the check method requires it
+case "$deplibs_check_method" in
+file_magic*)
+  if test "$file_magic_cmd" = '${MAGIC}'; then
+    echo "$as_me:3034: checking for ${ac_tool_prefix}file" >&5
+echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6
+if test "${lt_cv_path_MAGIC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case "$MAGIC" in
+  /*)
+  lt_cv_path_MAGIC="$MAGIC" # Let the user override the test with a path.
+  ;;
+  ?:/*)
+  ac_cv_path_MAGIC="$MAGIC" # Let the user override the test with a dos path.
+  ;;
+  *)
+  ac_save_MAGIC="$MAGIC"
+  IFS="${IFS=   }"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="/usr/bin:$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/${ac_tool_prefix}file; then
+      lt_cv_path_MAGIC="$ac_dir/${ac_tool_prefix}file"
+      if test -n "$file_magic_test_file"; then
+	case "$deplibs_check_method" in
+	"file_magic "*)
+	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  MAGIC="$lt_cv_path_MAGIC"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    egrep "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  MAGIC="$ac_save_MAGIC"
+  ;;
+esac
+fi
+
+MAGIC="$lt_cv_path_MAGIC"
+if test -n "$MAGIC"; then
+  echo "$as_me:3089: result: $MAGIC" >&5
+echo "${ECHO_T}$MAGIC" >&6
+else
+  echo "$as_me:3092: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+if test -z "$lt_cv_path_MAGIC"; then
+  if test -n "$ac_tool_prefix"; then
+    echo "$as_me:3098: checking for file" >&5
+echo $ECHO_N "checking for file... $ECHO_C" >&6
+if test "${lt_cv_path_MAGIC+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case "$MAGIC" in
+  /*)
+  lt_cv_path_MAGIC="$MAGIC" # Let the user override the test with a path.
+  ;;
+  ?:/*)
+  ac_cv_path_MAGIC="$MAGIC" # Let the user override the test with a dos path.
+  ;;
+  *)
+  ac_save_MAGIC="$MAGIC"
+  IFS="${IFS=   }"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="/usr/bin:$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/file; then
+      lt_cv_path_MAGIC="$ac_dir/file"
+      if test -n "$file_magic_test_file"; then
+	case "$deplibs_check_method" in
+	"file_magic "*)
+	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  MAGIC="$lt_cv_path_MAGIC"
+	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+	    egrep "$file_magic_regex" > /dev/null; then
+	    :
+	  else
+	    cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such.  This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem.  Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+	  fi ;;
+	esac
+      fi
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  MAGIC="$ac_save_MAGIC"
+  ;;
+esac
+fi
+
+MAGIC="$lt_cv_path_MAGIC"
+if test -n "$MAGIC"; then
+  echo "$as_me:3153: result: $MAGIC" >&5
+echo "${ECHO_T}$MAGIC" >&6
+else
+  echo "$as_me:3156: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  else
+    MAGIC=:
+  fi
+fi
+
+  fi
+  ;;
+esac
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+echo "$as_me:3172: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_RANLIB+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$RANLIB"; then
+  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+break
+done
+
+fi
+fi
+RANLIB=$ac_cv_prog_RANLIB
+if test -n "$RANLIB"; then
+  echo "$as_me:3194: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6
+else
+  echo "$as_me:3197: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_RANLIB"; then
+  ac_ct_RANLIB=$RANLIB
+  # Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+echo "$as_me:3206: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_RANLIB"; then
+  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_RANLIB="ranlib"
+break
+done
+
+  test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":"
+fi
+fi
+ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
+if test -n "$ac_ct_RANLIB"; then
+  echo "$as_me:3229: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6
+else
+  echo "$as_me:3232: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  RANLIB=$ac_ct_RANLIB
+else
+  RANLIB="$ac_cv_prog_RANLIB"
+fi
+
+if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+echo "$as_me:3244: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_STRIP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$STRIP"; then
+  ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+break
+done
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+  echo "$as_me:3266: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6
+else
+  echo "$as_me:3269: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_STRIP"; then
+  ac_ct_STRIP=$STRIP
+  # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+echo "$as_me:3278: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$ac_ct_STRIP"; then
+  ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  test -f "$ac_dir/$ac_word" || continue
+ac_cv_prog_ac_ct_STRIP="strip"
+break
+done
+
+  test -z "$ac_cv_prog_ac_ct_STRIP" && ac_cv_prog_ac_ct_STRIP=":"
+fi
+fi
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+  echo "$as_me:3301: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6
+else
+  echo "$as_me:3304: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  STRIP=$ac_ct_STRIP
+else
+  STRIP="$ac_cv_prog_STRIP"
+fi
+
+# Check for any special flags to pass to ltconfig.
+libtool_flags="--cache-file=$cache_file"
+test "$enable_shared" = no && libtool_flags="$libtool_flags --disable-shared"
+test "$enable_static" = no && libtool_flags="$libtool_flags --disable-static"
+test "$enable_fast_install" = no && libtool_flags="$libtool_flags --disable-fast-install"
+test "$ac_cv_c_compiler_gnu" = yes && libtool_flags="$libtool_flags --with-gcc"
+test "$ac_cv_prog_gnu_ld" = yes && libtool_flags="$libtool_flags --with-gnu-ld"
+
+# Check whether --enable-libtool-lock or --disable-libtool-lock was given.
+if test "${enable_libtool_lock+set}" = set; then
+  enableval="$enable_libtool_lock"
+
+fi;
+test "x$enable_libtool_lock" = xno && libtool_flags="$libtool_flags --disable-lock"
+test x"$silent" = xyes && libtool_flags="$libtool_flags --silent"
+
+# Check whether --with-pic or --without-pic was given.
+if test "${with_pic+set}" = set; then
+  withval="$with_pic"
+  pic_mode="$withval"
+else
+  pic_mode=default
+fi;
+test x"$pic_mode" = xyes && libtool_flags="$libtool_flags --prefer-pic"
+test x"$pic_mode" = xno && libtool_flags="$libtool_flags --prefer-non-pic"
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case "$host" in
+*-*-irix6*)
+  # Find out which ABI we are using.
+  echo '#line 3344 "configure"' > conftest.$ac_ext
+  if { (eval echo $as_me:3345: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; }; then
+    case "`/usr/bin/file conftest.o`" in
+    *32-bit*)
+      LD="${LD-ld} -32"
+      ;;
+    *N32*)
+      LD="${LD-ld} -n32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -64"
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -belf"
+  echo "$as_me:3365: checking whether the C compiler needs -belf" >&5
+echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6
+if test "${lt_cv_cc_needs_belf+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+     cat >conftest.$ac_ext <<_ACEOF
+#line 3372 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:3384: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  lt_cv_cc_needs_belf=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  lt_cv_cc_needs_belf=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+echo "$as_me:3394: result: $lt_cv_cc_needs_belf" >&5
+echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6
+  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS="$SAVE_CFLAGS"
+  fi
+  ;;
+
+esac
+
+# Save cache, so that ltconfig can load it
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems.  If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overriden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+{
+  (set) 2>&1 |
+    case `(ac_space=' '; set | grep ac_space) 2>&1` in
+    *ac_space=\ *)
+      # `set' does not quote correctly, so add quotes (double-quote
+      # substitution turns \\\\ into \\, and sed turns \\ into \).
+      sed -n \
+        "s/'/'\\\\''/g;
+    	  s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+      ;;
+    *)
+      # `set' quotes correctly as required by POSIX, so do not add quotes.
+      sed -n \
+        "s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      ;;
+    esac;
+} |
+  sed '
+     t clear
+     : clear
+     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+     t end
+     /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+     : end' >>confcache
+if cmp -s $cache_file confcache; then :; else
+  if test -w $cache_file; then
+    test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
+    cat confcache >$cache_file
+  else
+    echo "not updating unwritable cache $cache_file"
+  fi
+fi
+rm -f confcache
+
+# Actually configure libtool.  ac_aux_dir is where install-sh is found.
+AR="$AR" CC="$CC" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" \
+MAGIC="$MAGIC" LD="$LD" LDFLAGS="$LDFLAGS" LIBS="$LIBS" \
+LN_S="$LN_S" NM="$NM" RANLIB="$RANLIB" STRIP="$STRIP" \
+AS="$AS" DLLTOOL="$DLLTOOL" OBJDUMP="$OBJDUMP" \
+objext="$OBJEXT" exeext="$EXEEXT" reload_flag="$reload_flag" \
+deplibs_check_method="$deplibs_check_method" file_magic_cmd="$file_magic_cmd" \
+${CONFIG_SHELL-/bin/sh} $ac_aux_dir/ltconfig --no-reexec \
+$libtool_flags --no-verify --build="$build" $ac_aux_dir/ltmain.sh $host \
+|| {  echo "$as_me: error: libtool configure failed" >&2
+  { (exit 1); exit; }; }
+
+# Reload cache, that may have been modified by ltconfig
+if test -r "$cache_file"; then
+  # Some versions of bash will fail to source /dev/null (special
+  # files actually), so we avoid doing that.
+  if test -f "$cache_file"; then
+    { echo "$as_me:3477: loading cache $cache_file" >&5
+echo "loading cache $cache_file" >&6;}
+    case $cache_file in
+      [\\/]* | ?:[\\/]* ) . $cache_file;;
+      *)                      . ./$cache_file;;
+    esac
+  fi
+else
+  { echo "$as_me:3485: creating cache $cache_file" >&5
+echo "creating cache $cache_file" >&6;}
+  >$cache_file
+fi
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltconfig $ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+
+# Redirect the config.log output again, so that the ltconfig log is not
+# clobbered by the next message.
+exec 5>>./config.log
+
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+if test -z "$WFLAGS" -a "$GCC" = "yes"; then
+  # -Wno-implicit-int for broken X11 headers
+  # leave these out for now:
+  #   -Wcast-align doesn't work well on alpha osf/1
+  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
+  #   -Wmissing-declarations -Wnested-externs
+  WFLAGS="-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs"
+  WFLAGS_NOUNUSED="-Wno-unused"
+  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+fi
+
+berkeley_db=db
+
+# Check whether --with-berkeley-db or --without-berkeley-db was given.
+if test "${with_berkeley_db+set}" = set; then
+  withval="$with_berkeley_db"
+
+if test "$withval" = no; then
+	berkeley_db=""
+fi
+
+fi;
+if test "$berkeley_db"; then
+
+for ac_header in 				\
+	db.h					\
+	db_185.h				\
+
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+
+echo "$as_me:3533: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 3539 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:3545: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:3566: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+
+echo "$as_me:3578: checking for dbopen" >&5
+echo $ECHO_N "checking for dbopen... $ECHO_C" >&6
+if test "${ac_cv_funclib_dbopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_dbopen\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in $berkeley_db; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 3594 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+
+int
+main ()
+{
+dbopen(NULL, 0, 0, 0, NULL)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:3613: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbopen=$ac_lib; else ac_cv_funclib_dbopen=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_dbopen=\${ac_cv_funclib_dbopen-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_dbopen"
+
+if false; then
+
+for ac_func in dbopen
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:3634: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 3640 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:3671: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:3680: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# dbopen
+eval "ac_tr_func=HAVE_`echo dbopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dbopen=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dbopen=yes"
+	eval "LIB_dbopen="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:3704: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_dbopen=no"
+	eval "LIB_dbopen="
+	echo "$as_me:3710: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_dbopen=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:3724: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:3729: checking for dbm_firstkey" >&5
+echo $ECHO_N "checking for dbm_firstkey... $ECHO_C" >&6
+if test "${ac_cv_funclib_dbm_firstkey+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_dbm_firstkey\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" $berkeley_db gdbm ndbm; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 3745 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+dbm_firstkey()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:3757: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dbm_firstkey=$ac_lib; else ac_cv_funclib_dbm_firstkey=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_dbm_firstkey=\${ac_cv_funclib_dbm_firstkey-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_dbm_firstkey"
+
+if false; then
+
+for ac_func in dbm_firstkey
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:3778: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 3784 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:3815: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:3824: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# dbm_firstkey
+eval "ac_tr_func=HAVE_`echo dbm_firstkey | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dbm_firstkey=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dbm_firstkey=yes"
+	eval "LIB_dbm_firstkey="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:3848: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_dbm_firstkey=no"
+	eval "LIB_dbm_firstkey="
+	echo "$as_me:3854: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_dbm_firstkey=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:3868: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:3873: checking for db_create" >&5
+echo $ECHO_N "checking for db_create... $ECHO_C" >&6
+if test "${ac_cv_funclib_db_create+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_db_create\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" $berkeley_db; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 3889 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+db_create()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:3901: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_db_create=$ac_lib; else ac_cv_funclib_db_create=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_db_create=\${ac_cv_funclib_db_create-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_db_create"
+
+if false; then
+
+for ac_func in db_create
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:3922: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 3928 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:3959: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:3968: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# db_create
+eval "ac_tr_func=HAVE_`echo db_create | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_db_create=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_db_create=yes"
+	eval "LIB_db_create="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:3992: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_db_create=no"
+	eval "LIB_db_create="
+	echo "$as_me:3998: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_db_create=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:4012: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+DBLIB="$LIB_dbopen"
+if test "$LIB_dbopen" != "$LIB_db_create"; then
+        DBLIB="$DBLIB $LIB_db_create"
+fi
+if test "$LIB_dbopen" != "$LIB_dbm_firstkey"; then
+	DBLIB="$DBLIB $LIB_dbm_firstkey"
+fi
+
+echo "$as_me:4025: checking for inline" >&5
+echo $ECHO_N "checking for inline... $ECHO_C" >&6
+if test "${ac_cv_c_inline+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_c_inline=no
+for ac_kw in inline __inline__ __inline; do
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4033 "configure"
+#include "confdefs.h"
+#ifndef __cplusplus
+$ac_kw int foo () {return 0; }
+#endif
+
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:4041: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_c_inline=$ac_kw; break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+done
+
+fi
+echo "$as_me:4051: result: $ac_cv_c_inline" >&5
+echo "${ECHO_T}$ac_cv_c_inline" >&6
+case $ac_cv_c_inline in
+  inline | yes) ;;
+  no)
+cat >>confdefs.h <<\EOF
+#define inline
+EOF
+ ;;
+  *)  cat >>confdefs.h <<EOF
+#define inline $ac_cv_c_inline
+EOF
+ ;;
+esac
+
+echo "$as_me:4066: checking for an ANSI C-conforming const" >&5
+echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
+if test "${ac_cv_c_const+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4072 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+/* FIXME: Include the comments suggested by Paul. */
+#ifndef __cplusplus
+  /* Ultrix mips cc rejects this.  */
+  typedef int charset[2];
+  const charset x;
+  /* SunOS 4.1.1 cc rejects this.  */
+  char const *const *ccp;
+  char **p;
+  /* NEC SVR4.0.2 mips cc rejects this.  */
+  struct point {int x, y;};
+  static struct point const zero = {0,0};
+  /* AIX XL C 1.02.0.0 rejects this.
+     It does not let you subtract one const X* pointer from another in
+     an arm of an if-expression whose if-part is not a constant
+     expression */
+  const char *g = "string";
+  ccp = &g + (g ? g-g : 0);
+  /* HPUX 7.0 cc rejects these. */
+  ++ccp;
+  p = (char**) ccp;
+  ccp = (char const *const *) p;
+  { /* SCO 3.2v4 cc rejects this.  */
+    char *t;
+    char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+    *t++ = 0;
+  }
+  { /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
+    int x[] = {25, 17};
+    const int *foo = &x[0];
+    ++foo;
+  }
+  { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
+    typedef const int *iptr;
+    iptr p = 0;
+    ++p;
+  }
+  { /* AIX XL C 1.02.0.0 rejects this saying
+       "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+    struct s { int j; const int *ap[3]; };
+    struct s *b; b->j = 5;
+  }
+  { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+    const int foo = 10;
+  }
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:4130: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_c_const=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_c_const=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:4139: result: $ac_cv_c_const" >&5
+echo "${ECHO_T}$ac_cv_c_const" >&6
+if test $ac_cv_c_const = no; then
+
+cat >>confdefs.h <<\EOF
+#define const
+EOF
+
+fi
+
+echo "$as_me:4149: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+if test "${ac_cv_header_stdc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4155 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:4164: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  ac_cv_header_stdc=yes
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4187 "configure"
+#include "confdefs.h"
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "memchr" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4205 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "free" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+  if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4226 "configure"
+#include "confdefs.h"
+#include <ctype.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) (('a' <= (c) && (c) <= 'i') \
+                     || ('j' <= (c) && (c) <= 'r') \
+                     || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
+
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+  int i;
+  for (i = 0; i < 256; i++)
+    if (XOR (islower (i), ISLOWER (i))
+        || toupper (i) != TOUPPER (i))
+      exit(2);
+  exit (0);
+}
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:4252: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_header_stdc=no
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+fi
+echo "$as_me:4269: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6
+if test $ac_cv_header_stdc = yes; then
+
+cat >>confdefs.h <<\EOF
+#define STDC_HEADERS 1
+EOF
+
+fi
+
+echo "$as_me:4279: checking for size_t" >&5
+echo $ECHO_N "checking for size_t... $ECHO_C" >&6
+if test "${ac_cv_type_size_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4285 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((size_t *) 0)
+  return 0;
+if (sizeof (size_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:4300: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_size_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_size_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:4309: result: $ac_cv_type_size_t" >&5
+echo "${ECHO_T}$ac_cv_type_size_t" >&6
+if test $ac_cv_type_size_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<EOF
+#define size_t unsigned
+EOF
+
+fi
+
+echo "$as_me:4321: checking for pid_t" >&5
+echo $ECHO_N "checking for pid_t... $ECHO_C" >&6
+if test "${ac_cv_type_pid_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4327 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((pid_t *) 0)
+  return 0;
+if (sizeof (pid_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:4342: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_pid_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_pid_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:4351: result: $ac_cv_type_pid_t" >&5
+echo "${ECHO_T}$ac_cv_type_pid_t" >&6
+if test $ac_cv_type_pid_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<EOF
+#define pid_t int
+EOF
+
+fi
+
+echo "$as_me:4363: checking for uid_t in sys/types.h" >&5
+echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6
+if test "${ac_cv_type_uid_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4369 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "uid_t" >/dev/null 2>&1; then
+  ac_cv_type_uid_t=yes
+else
+  ac_cv_type_uid_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:4383: result: $ac_cv_type_uid_t" >&5
+echo "${ECHO_T}$ac_cv_type_uid_t" >&6
+if test $ac_cv_type_uid_t = no; then
+
+cat >>confdefs.h <<\EOF
+#define uid_t int
+EOF
+
+cat >>confdefs.h <<\EOF
+#define gid_t int
+EOF
+
+fi
+
+echo "$as_me:4397: checking return type of signal handlers" >&5
+echo $ECHO_N "checking return type of signal handlers... $ECHO_C" >&6
+if test "${ac_cv_type_signal+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4403 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <signal.h>
+#ifdef signal
+# undef signal
+#endif
+#ifdef __cplusplus
+extern "C" void (*signal (int, void (*)(int)))(int);
+#else
+void (*signal ()) ();
+#endif
+
+int
+main ()
+{
+int i;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:4425: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_signal=void
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_signal=int
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:4434: result: $ac_cv_type_signal" >&5
+echo "${ECHO_T}$ac_cv_type_signal" >&6
+
+cat >>confdefs.h <<EOF
+#define RETSIGTYPE $ac_cv_type_signal
+EOF
+
+if test "$ac_cv_type_signal" = "void" ; then
+
+cat >>confdefs.h <<\EOF
+#define VOID_RETSIGTYPE 1
+EOF
+
+fi
+
+echo "$as_me:4449: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
+if test "${ac_cv_header_time+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4455 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+
+int
+main ()
+{
+struct tm *tp;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:4470: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_header_time=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_header_time=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:4479: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6
+if test $ac_cv_header_time = yes; then
+
+cat >>confdefs.h <<\EOF
+#define TIME_WITH_SYS_TIME 1
+EOF
+
+fi
+
+for ac_header in standards.h
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+
+echo "$as_me:4493: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4499 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:4505: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:4526: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+echo "$as_me:4540: checking for $i" >&5
+echo $ECHO_N "checking for $i... $ECHO_C" >&6
+if eval "test \"\${ac_cv_header_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4546 "configure"
+#include "confdefs.h"
+\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:4556: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "ac_cv_header_$cv=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_header_$cv=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:4577: result: `eval echo '${'ac_cv_header_$cv'}'`" >&5
+echo "${ECHO_T}`eval echo '${'ac_cv_header_$cv'}'`" >&6
+ac_res=`eval echo \\$ac_cv_header_$cv`
+if test "$ac_res" = yes; then
+	ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+	cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+done
+if false;then
+
+for ac_header in netinet/ip.h netinet/tcp.h
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+
+echo "$as_me:4594: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4600 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:4606: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:4627: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+
+for ac_func in getlogin setlogin
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:4642: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4648 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:4679: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:4688: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+if test "$ac_cv_func_getlogin" = yes; then
+echo "$as_me:4699: checking if getlogin is posix" >&5
+echo $ECHO_N "checking if getlogin is posix... $ECHO_C" >&6
+if test "${ac_cv_func_getlogin_posix+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
+	ac_cv_func_getlogin_posix=no
+else
+	ac_cv_func_getlogin_posix=yes
+fi
+
+fi
+echo "$as_me:4712: result: $ac_cv_func_getlogin_posix" >&5
+echo "${ECHO_T}$ac_cv_func_getlogin_posix" >&6
+if test "$ac_cv_func_getlogin_posix" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define POSIX_GETLOGIN 1
+EOF
+
+fi
+fi
+
+echo "$as_me:4723: checking if realloc if broken" >&5
+echo $ECHO_N "checking if realloc if broken... $ECHO_C" >&6
+if test "${ac_cv_func_realloc_broken+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+ac_cv_func_realloc_broken=no
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4734 "configure"
+#include "confdefs.h"
+
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:4747: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_realloc_broken=yes
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+echo "$as_me:4763: result: $ac_cv_func_realloc_broken" >&5
+echo "${ECHO_T}$ac_cv_func_realloc_broken" >&6
+if test "$ac_cv_func_realloc_broken" = yes ; then
+
+cat >>confdefs.h <<\EOF
+#define BROKEN_REALLOC 1
+EOF
+
+fi
+
+DIR_roken=roken
+LIB_roken='$(top_builddir)/lib/roken/libroken.la'
+INCLUDES_roken='-I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken'
+
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+if test -z "$WFLAGS" -a "$GCC" = "yes"; then
+  # -Wno-implicit-int for broken X11 headers
+  # leave these out for now:
+  #   -Wcast-align doesn't work well on alpha osf/1
+  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
+  #   -Wmissing-declarations -Wnested-externs
+  WFLAGS="-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs"
+  WFLAGS_NOUNUSED="-Wno-unused"
+  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+fi
+
+echo "$as_me:4790: checking for ssize_t" >&5
+echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6
+if test "${ac_cv_type_ssize_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4796 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <unistd.h>
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ssize_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  ac_cv_type_ssize_t=yes
+else
+  ac_cv_type_ssize_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:4814: result: $ac_cv_type_ssize_t" >&5
+echo "${ECHO_T}$ac_cv_type_ssize_t" >&6
+if test $ac_cv_type_ssize_t = no; then
+
+cat >>confdefs.h <<\EOF
+#define ssize_t int
+EOF
+
+fi
+
+cv=`echo "long long" | sed 'y%./+- %__p__%'`
+echo "$as_me:4825: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4831 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+
+int
+main ()
+{
+long long foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:4848: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:4858: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo long long | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:4863: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6
+if test "${ac_cv_type_long_long+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4869 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((long long *) 0)
+  return 0;
+if (sizeof (long long))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:4884: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_long_long=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_long_long=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:4893: result: $ac_cv_type_long_long" >&5
+echo "${ECHO_T}$ac_cv_type_long_long" >&6
+if test $ac_cv_type_long_long = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_LONG_LONG 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+for ac_header in \
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	config.h				\
+	crypt.h					\
+	dbm.h					\
+	db.h					\
+	dirent.h				\
+	errno.h					\
+	err.h					\
+	fcntl.h					\
+	gdbm/ndbm.h				\
+	grp.h					\
+	ifaddrs.h				\
+	ndbm.h					\
+	net/if.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6.h				\
+	netinet/in_systm.h			\
+	netinet6/in6.h				\
+	netinet6/in6_var.h			\
+	paths.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	rpcsvc/ypclnt.h				\
+	shadow.h				\
+	sys/bswap.h				\
+	sys/ioctl.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/resource.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/sysctl.h				\
+	sys/time.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	termios.h				\
+	unistd.h				\
+	userconf.h				\
+	usersec.h				\
+	util.h					\
+	vis.h					\
+	winsock.h				\
+
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+
+echo "$as_me:4966: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 4972 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:4978: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:4999: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+if test "$ac_cv_header_err_h" = yes; then
+  have_err_h_TRUE=
+  have_err_h_FALSE='#'
+else
+  have_err_h_TRUE='#'
+  have_err_h_FALSE=
+fi
+
+if test "$ac_cv_header_fnmatch_h" = yes; then
+  have_fnmatch_h_TRUE=
+  have_fnmatch_h_FALSE='#'
+else
+  have_fnmatch_h_TRUE='#'
+  have_fnmatch_h_FALSE=
+fi
+
+if test "$ac_cv_header_ifaddrs_h" = yes; then
+  have_ifaddrs_h_TRUE=
+  have_ifaddrs_h_FALSE='#'
+else
+  have_ifaddrs_h_TRUE='#'
+  have_ifaddrs_h_FALSE=
+fi
+
+if test "$ac_cv_header_vis_h" = yes; then
+  have_vis_h_TRUE=
+  have_vis_h_FALSE='#'
+else
+  have_vis_h_TRUE='#'
+  have_vis_h_FALSE=
+fi
+
+# Check whether --with-ipv6 or --without-ipv6 was given.
+if test "${with_ipv6+set}" = set; then
+  withval="$with_ipv6"
+
+if test "$withval" = "no"; then
+	ac_cv_lib_ipv6=no
+fi
+fi;
+save_CFLAGS="${CFLAGS}"
+if test "${ac_cv_lib_ipv6+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  v6type=unknown
+v6lib=none
+
+echo "$as_me:5056: checking ipv6 stack type" >&5
+echo $ECHO_N "checking ipv6 stack type... $ECHO_C" >&6
+for i in v6d toshiba kame inria zeta linux; do
+	case $i in
+	v6d)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5062 "configure"
+#include "confdefs.h"
+
+#include </usr/local/v6/include/sys/types.h>
+#ifdef __V6D__
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=v6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-I/usr/local/v6/include $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	toshiba)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5081 "configure"
+#include "confdefs.h"
+
+#include <sys/param.h>
+#ifdef _TOSHIBA_INET6
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	kame)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5100 "configure"
+#include "confdefs.h"
+
+#include <netinet/in.h>
+#ifdef __KAME__
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	inria)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5119 "configure"
+#include "confdefs.h"
+
+#include <netinet/in.h>
+#ifdef IPV6_INRIA_VERSION
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	zeta)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5136 "configure"
+#include "confdefs.h"
+
+#include <sys/param.h>
+#ifdef _ZETA_MINAMI_INET6
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	linux)
+		if test -d /usr/inet6; then
+			v6type=$i
+			v6lib=inet6
+			v6libdir=/usr/inet6
+			CFLAGS="-DINET6 $CFLAGS"
+		fi
+		;;
+	esac
+	if test "$v6type" != "unknown"; then
+		break
+	fi
+done
+echo "$as_me:5166: result: $v6type" >&5
+echo "${ECHO_T}$v6type" >&6
+
+if test "$v6lib" != "none"; then
+	for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do
+		if test -d $dir -a -f $dir/lib$v6lib.a; then
+			LIBS="-L$dir -l$v6lib $LIBS"
+			break
+		fi
+	done
+fi
+cat >conftest.$ac_ext <<_ACEOF
+#line 5178 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+
+int
+main ()
+{
+
+ struct sockaddr_in6 sin6;
+ int s;
+
+ s = socket(AF_INET6, SOCK_DGRAM, 0);
+
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_port = htons(17);
+ sin6.sin6_addr = in6addr_any;
+ bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5213: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_ipv6=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_ipv6=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+echo "$as_me:5223: checking for IPv6" >&5
+echo $ECHO_N "checking for IPv6... $ECHO_C" >&6
+echo "$as_me:5225: result: $ac_cv_lib_ipv6" >&5
+echo "${ECHO_T}$ac_cv_lib_ipv6" >&6
+if test "$ac_cv_lib_ipv6" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_IPV6 1
+EOF
+
+else
+  CFLAGS="${save_CFLAGS}"
+fi
+
+echo "$as_me:5237: checking for socket" >&5
+echo $ECHO_N "checking for socket... $ECHO_C" >&6
+if test "${ac_cv_funclib_socket+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_socket\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" socket; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5253 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+socket()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5265: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_socket=$ac_lib; else ac_cv_funclib_socket=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_socket=\${ac_cv_funclib_socket-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_socket"
+
+if false; then
+
+for ac_func in socket
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:5286: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5292 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5323: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:5332: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# socket
+eval "ac_tr_func=HAVE_`echo socket | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_socket=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_socket=yes"
+	eval "LIB_socket="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:5356: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_socket=no"
+	eval "LIB_socket="
+	echo "$as_me:5362: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_socket=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:5376: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_socket"; then
+	LIBS="$LIB_socket $LIBS"
+fi
+
+echo "$as_me:5385: checking for gethostbyname" >&5
+echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6
+if test "${ac_cv_funclib_gethostbyname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_gethostbyname\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" nsl; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5401 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+gethostbyname()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5413: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname=$ac_lib; else ac_cv_funclib_gethostbyname=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_gethostbyname=\${ac_cv_funclib_gethostbyname-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_gethostbyname"
+
+if false; then
+
+for ac_func in gethostbyname
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:5434: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5440 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5471: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:5480: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# gethostbyname
+eval "ac_tr_func=HAVE_`echo gethostbyname | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_gethostbyname=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_gethostbyname=yes"
+	eval "LIB_gethostbyname="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:5504: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_gethostbyname=no"
+	eval "LIB_gethostbyname="
+	echo "$as_me:5510: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_gethostbyname=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:5524: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_gethostbyname"; then
+	LIBS="$LIB_gethostbyname $LIBS"
+fi
+
+echo "$as_me:5533: checking for syslog" >&5
+echo $ECHO_N "checking for syslog... $ECHO_C" >&6
+if test "${ac_cv_funclib_syslog+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_syslog\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" syslog; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5549 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+syslog()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5561: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_syslog=$ac_lib; else ac_cv_funclib_syslog=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_syslog=\${ac_cv_funclib_syslog-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_syslog"
+
+if false; then
+
+for ac_func in syslog
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:5582: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5588 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5619: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:5628: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# syslog
+eval "ac_tr_func=HAVE_`echo syslog | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_syslog=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_syslog=yes"
+	eval "LIB_syslog="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:5652: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_syslog=no"
+	eval "LIB_syslog="
+	echo "$as_me:5658: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_syslog=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:5672: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_syslog"; then
+	LIBS="$LIB_syslog $LIBS"
+fi
+
+echo "$as_me:5681: checking for gethostbyname2" >&5
+echo $ECHO_N "checking for gethostbyname2... $ECHO_C" >&6
+if test "${ac_cv_funclib_gethostbyname2+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_gethostbyname2\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" inet6 ip6; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5697 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+gethostbyname2()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5709: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname2=$ac_lib; else ac_cv_funclib_gethostbyname2=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_gethostbyname2=\${ac_cv_funclib_gethostbyname2-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_gethostbyname2"
+
+if false; then
+
+for ac_func in gethostbyname2
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:5730: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5736 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5767: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:5776: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# gethostbyname2
+eval "ac_tr_func=HAVE_`echo gethostbyname2 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_gethostbyname2=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_gethostbyname2=yes"
+	eval "LIB_gethostbyname2="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:5800: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_gethostbyname2=no"
+	eval "LIB_gethostbyname2="
+	echo "$as_me:5806: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_gethostbyname2=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:5820: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_gethostbyname2"; then
+	LIBS="$LIB_gethostbyname2 $LIBS"
+fi
+
+echo "$as_me:5829: checking for res_search" >&5
+echo $ECHO_N "checking for res_search... $ECHO_C" >&6
+if test "${ac_cv_funclib_res_search+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_res_search\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 5845 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int
+main ()
+{
+res_search(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5871: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_res_search=$ac_lib; else ac_cv_funclib_res_search=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_res_search=\${ac_cv_funclib_res_search-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_res_search"
+
+if false; then
+
+for ac_func in res_search
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:5892: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5898 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:5929: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:5938: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# res_search
+eval "ac_tr_func=HAVE_`echo res_search | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_res_search=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_res_search=yes"
+	eval "LIB_res_search="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:5962: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_res_search=no"
+	eval "LIB_res_search="
+	echo "$as_me:5968: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_res_search=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:5982: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_res_search"; then
+	LIBS="$LIB_res_search $LIBS"
+fi
+
+echo "$as_me:5991: checking for dn_expand" >&5
+echo $ECHO_N "checking for dn_expand... $ECHO_C" >&6
+if test "${ac_cv_funclib_dn_expand+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_dn_expand\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 6007 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int
+main ()
+{
+dn_expand(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:6033: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dn_expand=$ac_lib; else ac_cv_funclib_dn_expand=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_dn_expand=\${ac_cv_funclib_dn_expand-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_dn_expand"
+
+if false; then
+
+for ac_func in dn_expand
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:6054: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6060 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:6091: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6100: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# dn_expand
+eval "ac_tr_func=HAVE_`echo dn_expand | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dn_expand=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dn_expand=yes"
+	eval "LIB_dn_expand="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:6124: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_dn_expand=no"
+	eval "LIB_dn_expand="
+	echo "$as_me:6130: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_dn_expand=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:6144: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_dn_expand"; then
+	LIBS="$LIB_dn_expand $LIBS"
+fi
+
+echo "$as_me:6153: checking for working snprintf" >&5
+echo $ECHO_N "checking for working snprintf... $ECHO_C" >&6
+if test "${ac_cv_func_snprintf_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_func_snprintf_working=yes
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6163 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+	char foo[3];
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:6176: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_snprintf_working=no
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+echo "$as_me:6192: result: $ac_cv_func_snprintf_working" >&5
+echo "${ECHO_T}$ac_cv_func_snprintf_working" >&6
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_SNPRINTF 1
+EOF
+
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+
+if test "$ac_cv_func_snprintf+set" != set -o "$ac_cv_func_snprintf" = yes; then
+echo "$as_me:6205: checking if snprintf needs a prototype" >&5
+echo $ECHO_N "checking if snprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_snprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6211 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int snprintf (struct foo*);
+snprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:6226: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_snprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_snprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:6235: result: $ac_cv_func_snprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_snprintf_noproto" >&6
+
+if test "$ac_cv_func_snprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_SNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+echo "$as_me:6250: checking for working vsnprintf" >&5
+echo $ECHO_N "checking for working vsnprintf... $ECHO_C" >&6
+if test "${ac_cv_func_vsnprintf_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_func_vsnprintf_working=yes
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6260 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+int foo(int num, ...)
+{
+	char bar[3];
+	va_list arg;
+	va_start(arg, num);
+	vsnprintf(bar, 2, "%s", arg);
+	va_end(arg);
+	return strcmp(bar, "1");
+}
+
+int main()
+{
+	return foo(0, "12");
+}
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:6283: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_vsnprintf_working=no
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+echo "$as_me:6299: result: $ac_cv_func_vsnprintf_working" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf_working" >&6
+
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_VSNPRINTF 1
+EOF
+
+fi
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+
+if test "$ac_cv_func_vsnprintf+set" != set -o "$ac_cv_func_vsnprintf" = yes; then
+echo "$as_me:6312: checking if vsnprintf needs a prototype" >&5
+echo $ECHO_N "checking if vsnprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_vsnprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6318 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int vsnprintf (struct foo*);
+vsnprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:6333: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_vsnprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_vsnprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:6342: result: $ac_cv_func_vsnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf_noproto" >&6
+
+if test "$ac_cv_func_vsnprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_VSNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+echo "$as_me:6357: checking for working glob" >&5
+echo $ECHO_N "checking for working glob... $ECHO_C" >&6
+if test "${ac_cv_func_glob_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_func_glob_working=yes
+cat >conftest.$ac_ext <<_ACEOF
+#line 6364 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <glob.h>
+int
+main ()
+{
+
+glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|GLOB_LIMIT,
+NULL, NULL);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:6381: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_glob_working=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6390: result: $ac_cv_func_glob_working" >&5
+echo "${ECHO_T}$ac_cv_func_glob_working" >&6
+
+if test "$ac_cv_func_glob_working" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_GLOB 1
+EOF
+
+fi
+if test "$ac_cv_func_glob_working" = yes; then
+
+if test "$ac_cv_func_glob+set" != set -o "$ac_cv_func_glob" = yes; then
+echo "$as_me:6403: checking if glob needs a prototype" >&5
+echo $ECHO_N "checking if glob needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_glob_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6409 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <glob.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int glob (struct foo*);
+glob(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:6425: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_glob_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_glob_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:6434: result: $ac_cv_func_glob_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_glob_noproto" >&6
+
+if test "$ac_cv_func_glob_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_GLOB_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+if test "$ac_cv_func_glob_working" != yes; then
+	LIBOBJS="$LIBOBJS glob.o"
+fi
+
+if test "$ac_cv_func_glob_working" = yes; then
+  have_glob_h_TRUE=
+  have_glob_h_FALSE='#'
+else
+  have_glob_h_TRUE='#'
+  have_glob_h_FALSE=
+fi
+
+for ac_func in 				\
+	asnprintf				\
+	asprintf				\
+	cgetent					\
+	getconfattr				\
+	getprogname				\
+	getrlimit				\
+	getspnam				\
+	setprogname				\
+	strsvis					\
+	strunvis				\
+	strvis					\
+	strvisx					\
+	svis					\
+	sysconf					\
+	sysctl					\
+	uname					\
+	unvis					\
+	vasnprintf				\
+	vasprintf				\
+	vis					\
+
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:6485: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6491 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:6522: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6531: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+if test "$ac_cv_func_cgetent" = no; then
+	LIBOBJS="$LIBOBJS getcap.o"
+fi
+
+echo "$as_me:6545: checking for getsockopt" >&5
+echo $ECHO_N "checking for getsockopt... $ECHO_C" >&6
+if test "${ac_cv_funclib_getsockopt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_getsockopt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 6561 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int
+main ()
+{
+getsockopt(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:6578: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getsockopt=$ac_lib; else ac_cv_funclib_getsockopt=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_getsockopt=\${ac_cv_funclib_getsockopt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_getsockopt"
+
+if false; then
+
+for ac_func in getsockopt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:6599: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6605 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:6636: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6645: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# getsockopt
+eval "ac_tr_func=HAVE_`echo getsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_getsockopt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_getsockopt=yes"
+	eval "LIB_getsockopt="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:6669: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_getsockopt=no"
+	eval "LIB_getsockopt="
+	echo "$as_me:6675: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_getsockopt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:6689: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:6694: checking for setsockopt" >&5
+echo $ECHO_N "checking for setsockopt... $ECHO_C" >&6
+if test "${ac_cv_funclib_setsockopt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_setsockopt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 6710 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int
+main ()
+{
+setsockopt(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:6727: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_setsockopt=$ac_lib; else ac_cv_funclib_setsockopt=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_setsockopt=\${ac_cv_funclib_setsockopt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_setsockopt"
+
+if false; then
+
+for ac_func in setsockopt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:6748: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6754 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:6785: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6794: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# setsockopt
+eval "ac_tr_func=HAVE_`echo setsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_setsockopt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_setsockopt=yes"
+	eval "LIB_setsockopt="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:6818: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_setsockopt=no"
+	eval "LIB_setsockopt="
+	echo "$as_me:6824: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_setsockopt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:6838: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:6843: checking for hstrerror" >&5
+echo $ECHO_N "checking for hstrerror... $ECHO_C" >&6
+if test "${ac_cv_funclib_hstrerror+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_hstrerror\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 6859 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+int
+main ()
+{
+hstrerror(17)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:6873: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_hstrerror=$ac_lib; else ac_cv_funclib_hstrerror=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_hstrerror=\${ac_cv_funclib_hstrerror-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_hstrerror"
+
+if false; then
+
+for ac_func in hstrerror
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:6894: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6900 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:6931: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:6940: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# hstrerror
+eval "ac_tr_func=HAVE_`echo hstrerror | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_hstrerror=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_hstrerror=yes"
+	eval "LIB_hstrerror="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:6964: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_hstrerror=no"
+	eval "LIB_hstrerror="
+	echo "$as_me:6970: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_hstrerror=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:6984: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_hstrerror"; then
+	LIBS="$LIB_hstrerror $LIBS"
+fi
+
+if eval "test \"$ac_cv_func_hstrerror\" != yes"; then
+LIBOBJS="$LIBOBJS hstrerror.o"
+fi
+
+if test "$ac_cv_func_hstrerror" = yes; then
+
+if test "$ac_cv_func_hstrerror+set" != set -o "$ac_cv_func_hstrerror" = yes; then
+echo "$as_me:7000: checking if hstrerror needs a prototype" >&5
+echo $ECHO_N "checking if hstrerror needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_hstrerror_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7006 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int hstrerror (struct foo*);
+hstrerror(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:7024: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_hstrerror_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_hstrerror_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:7033: result: $ac_cv_func_hstrerror_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_hstrerror_noproto" >&6
+
+if test "$ac_cv_func_hstrerror_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_HSTRERROR_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+if test "$ac_cv_func_asprintf" = yes; then
+
+if test "$ac_cv_func_asprintf+set" != set -o "$ac_cv_func_asprintf" = yes; then
+echo "$as_me:7051: checking if asprintf needs a prototype" >&5
+echo $ECHO_N "checking if asprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_asprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7057 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int asprintf (struct foo*);
+asprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:7074: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_asprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_asprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:7083: result: $ac_cv_func_asprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_asprintf_noproto" >&6
+
+if test "$ac_cv_func_asprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_ASPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+if test "$ac_cv_func_vasprintf" = yes; then
+
+if test "$ac_cv_func_vasprintf+set" != set -o "$ac_cv_func_vasprintf" = yes; then
+echo "$as_me:7099: checking if vasprintf needs a prototype" >&5
+echo $ECHO_N "checking if vasprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_vasprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7105 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int vasprintf (struct foo*);
+vasprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:7122: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_vasprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_vasprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:7131: result: $ac_cv_func_vasprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vasprintf_noproto" >&6
+
+if test "$ac_cv_func_vasprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_VASPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+if test "$ac_cv_func_asnprintf" = yes; then
+
+if test "$ac_cv_func_asnprintf+set" != set -o "$ac_cv_func_asnprintf" = yes; then
+echo "$as_me:7147: checking if asnprintf needs a prototype" >&5
+echo $ECHO_N "checking if asnprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_asnprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7153 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int asnprintf (struct foo*);
+asnprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:7170: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_asnprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_asnprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:7179: result: $ac_cv_func_asnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_asnprintf_noproto" >&6
+
+if test "$ac_cv_func_asnprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_ASNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+if test "$ac_cv_func_vasnprintf" = yes; then
+
+if test "$ac_cv_func_vasnprintf+set" != set -o "$ac_cv_func_vasnprintf" = yes; then
+echo "$as_me:7195: checking if vasnprintf needs a prototype" >&5
+echo $ECHO_N "checking if vasnprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_vasnprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7201 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int vasnprintf (struct foo*);
+vasnprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:7218: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_vasnprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_vasnprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:7227: result: $ac_cv_func_vasnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vasnprintf_noproto" >&6
+
+if test "$ac_cv_func_vasnprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_VASNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+fi
+
+echo "$as_me:7241: checking for bswap16" >&5
+echo $ECHO_N "checking for bswap16... $ECHO_C" >&6
+if test "${ac_cv_funclib_bswap16+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_bswap16\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 7257 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_BSWAP_H
+#include <sys/bswap.h>
+#endif
+int
+main ()
+{
+bswap16(0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:7271: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_bswap16=$ac_lib; else ac_cv_funclib_bswap16=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_bswap16=\${ac_cv_funclib_bswap16-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_bswap16"
+
+if false; then
+
+for ac_func in bswap16
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:7292: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7298 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:7329: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:7338: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# bswap16
+eval "ac_tr_func=HAVE_`echo bswap16 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_bswap16=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_bswap16=yes"
+	eval "LIB_bswap16="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:7362: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_bswap16=no"
+	eval "LIB_bswap16="
+	echo "$as_me:7368: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_bswap16=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:7382: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:7387: checking for bswap32" >&5
+echo $ECHO_N "checking for bswap32... $ECHO_C" >&6
+if test "${ac_cv_funclib_bswap32+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_bswap32\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 7403 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_BSWAP_H
+#include <sys/bswap.h>
+#endif
+int
+main ()
+{
+bswap32(0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:7417: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_bswap32=$ac_lib; else ac_cv_funclib_bswap32=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_bswap32=\${ac_cv_funclib_bswap32-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_bswap32"
+
+if false; then
+
+for ac_func in bswap32
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:7438: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7444 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:7475: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:7484: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# bswap32
+eval "ac_tr_func=HAVE_`echo bswap32 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_bswap32=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_bswap32=yes"
+	eval "LIB_bswap32="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:7508: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_bswap32=no"
+	eval "LIB_bswap32="
+	echo "$as_me:7514: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_bswap32=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:7528: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:7533: checking for pidfile" >&5
+echo $ECHO_N "checking for pidfile... $ECHO_C" >&6
+if test "${ac_cv_funclib_pidfile+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_pidfile\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" util; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 7549 "configure"
+#include "confdefs.h"
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+int
+main ()
+{
+pidfile(0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:7563: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_pidfile=$ac_lib; else ac_cv_funclib_pidfile=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_pidfile=\${ac_cv_funclib_pidfile-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_pidfile"
+
+if false; then
+
+for ac_func in pidfile
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:7584: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7590 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:7621: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:7630: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# pidfile
+eval "ac_tr_func=HAVE_`echo pidfile | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_pidfile=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_pidfile=yes"
+	eval "LIB_pidfile="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:7654: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_pidfile=no"
+	eval "LIB_pidfile="
+	echo "$as_me:7660: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_pidfile=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:7674: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+for ac_func in 					\
+	chown					\
+	copyhostent				\
+	daemon					\
+	err					\
+	errx					\
+	fchown					\
+	flock					\
+	fnmatch					\
+	freeaddrinfo				\
+	freehostent				\
+	gai_strerror				\
+	getaddrinfo				\
+	getcwd					\
+	getdtablesize				\
+	getegid					\
+	geteuid					\
+	getgid					\
+	gethostname				\
+	getifaddrs				\
+	getipnodebyaddr				\
+	getipnodebyname				\
+	getnameinfo				\
+	getopt					\
+	gettimeofday				\
+	getuid					\
+	getusershell				\
+	initgroups				\
+	innetgr					\
+	iruserok				\
+	lstat					\
+	memmove					\
+	mkstemp					\
+	putenv					\
+	rcmd					\
+	readv					\
+	recvmsg					\
+	sendmsg					\
+	setegid					\
+	setenv					\
+	seteuid					\
+	strcasecmp				\
+	strdup					\
+	strerror				\
+	strftime				\
+	strlcat					\
+	strlcpy					\
+	strlwr					\
+	strncasecmp				\
+	strndup					\
+	strnlen					\
+	strptime				\
+	strsep					\
+	strsep_copy				\
+	strtok_r				\
+	strupr					\
+	swab					\
+	unsetenv				\
+	verr					\
+	verrx					\
+	vsyslog					\
+	vwarn					\
+	vwarnx					\
+	warn					\
+	warnx					\
+	writev					\
+
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:7748: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7754 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:7785: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:7794: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+if false; then
+
+for ac_func in \
+	chown					\
+	copyhostent				\
+	daemon					\
+	err					\
+	errx					\
+	fchown					\
+	flock					\
+	fnmatch					\
+	freeaddrinfo				\
+	freehostent				\
+	gai_strerror				\
+	getaddrinfo				\
+	getcwd					\
+	getdtablesize				\
+	getegid					\
+	geteuid					\
+	getgid					\
+	gethostname				\
+	getifaddrs				\
+	getipnodebyaddr				\
+	getipnodebyname				\
+	getnameinfo				\
+	getopt					\
+	gettimeofday				\
+	getuid					\
+	getusershell				\
+	initgroups				\
+	innetgr					\
+	iruserok				\
+	lstat					\
+	memmove					\
+	mkstemp					\
+	putenv					\
+	rcmd					\
+	readv					\
+	recvmsg					\
+	sendmsg					\
+	setegid					\
+	setenv					\
+	seteuid					\
+	strcasecmp				\
+	strdup					\
+	strerror				\
+	strftime				\
+	strlcat					\
+	strlcpy					\
+	strlwr					\
+	strncasecmp				\
+	strndup					\
+	strnlen					\
+	strptime				\
+	strsep					\
+	strsep_copy				\
+	strtok_r				\
+	strupr					\
+	swab					\
+	unsetenv				\
+	verr					\
+	verrx					\
+	vsyslog					\
+	vwarn					\
+	vwarnx					\
+	warn					\
+	warnx					\
+	writev					\
+
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:7878: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7884 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:7915: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:7924: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+done
+
+for ac_func in inet_aton
+do
+echo "$as_me:7939: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7945 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int
+main ()
+{
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_inet_aton) || defined (__stub___inet_aton)
+choke me
+#else
+$ac_func(0,0)
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:7977: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+if eval "test \"\${ac_cv_func_$ac_func}\" = yes"; then
+  ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+  cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+  echo "$as_me:7993: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me:7996: result: no" >&5
+echo "${ECHO_T}no" >&6
+  LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+done
+if false; then
+
+for ac_func in inet_aton
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:8006: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8012 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:8043: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8052: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+
+for ac_func in inet_ntop
+do
+echo "$as_me:8066: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8072 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int
+main ()
+{
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_inet_ntop) || defined (__stub___inet_ntop)
+choke me
+#else
+$ac_func(0, 0, 0, 0)
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:8104: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+if eval "test \"\${ac_cv_func_$ac_func}\" = yes"; then
+  ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+  cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+  echo "$as_me:8120: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me:8123: result: no" >&5
+echo "${ECHO_T}no" >&6
+  LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+done
+if false; then
+
+for ac_func in inet_ntop
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:8133: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8139 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:8170: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8179: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+
+for ac_func in inet_pton
+do
+echo "$as_me:8193: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${ac_cv_func_$ac_func+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8199 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int
+main ()
+{
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_inet_pton) || defined (__stub___inet_pton)
+choke me
+#else
+$ac_func(0,0,0)
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:8231: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+if eval "test \"\${ac_cv_func_$ac_func}\" = yes"; then
+  ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+  cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+  echo "$as_me:8247: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me:8250: result: no" >&5
+echo "${ECHO_T}no" >&6
+  LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+done
+if false; then
+
+for ac_func in inet_pton
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:8260: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8266 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:8297: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8306: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+
+echo "$as_me:8318: checking for sa_len in struct sockaddr" >&5
+echo $ECHO_N "checking for sa_len in struct sockaddr... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr_sa_len+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 8325 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+int
+main ()
+{
+struct sockaddr x; x.sa_len;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:8338: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_sockaddr_sa_len=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_sockaddr_sa_len=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8347: result: $ac_cv_type_struct_sockaddr_sa_len" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr_sa_len" >&6
+if test "$ac_cv_type_struct_sockaddr_sa_len" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_SOCKADDR_SA_LEN 1
+EOF
+
+fi
+
+if test "$ac_cv_func_getnameinfo" = "yes"; then
+
+echo "$as_me:8359: checking if getnameinfo is broken" >&5
+echo $ECHO_N "checking if getnameinfo is broken... $ECHO_C" >&6
+if test "${ac_cv_func_getnameinfo_broken+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test "$cross_compiling" = yes; then
+  {  echo "$as_me: error: cannot run test program while cross compiling" >&2
+  { (exit 1); exit; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8369 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+int
+main(int argc, char **argv)
+{
+  struct sockaddr_in sin;
+  char host[256];
+  memset(&sin, 0, sizeof(sin));
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+  sin.sin_len = sizeof(sin);
+#endif
+  sin.sin_family = AF_INET;
+  sin.sin_addr.s_addr = 0xffffffff;
+  sin.sin_port = 0;
+  return getnameinfo((struct sockaddr*)&sin, sizeof(sin), host, sizeof(host),
+	      NULL, 0, 0);
+}
+
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:8395: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  ac_cv_func_getnameinfo_broken=no
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_getnameinfo_broken=yes
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+echo "$as_me:8411: result: $ac_cv_func_getnameinfo_broken" >&5
+echo "${ECHO_T}$ac_cv_func_getnameinfo_broken" >&6
+  if test "$ac_cv_func_getnameinfo_broken" = yes; then
+    LIBOBJS="$LIBOBJS getnameinfo.o"
+  fi
+fi
+
+if test "$ac_cv_func_setenv+set" != set -o "$ac_cv_func_setenv" = yes; then
+echo "$as_me:8419: checking if setenv needs a prototype" >&5
+echo $ECHO_N "checking if setenv needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_setenv_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8425 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int setenv (struct foo*);
+setenv(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:8440: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_setenv_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_setenv_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8449: result: $ac_cv_func_setenv_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_setenv_noproto" >&6
+
+if test "$ac_cv_func_setenv_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_SETENV_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_unsetenv+set" != set -o "$ac_cv_func_unsetenv" = yes; then
+echo "$as_me:8463: checking if unsetenv needs a prototype" >&5
+echo $ECHO_N "checking if unsetenv needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_unsetenv_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8469 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int unsetenv (struct foo*);
+unsetenv(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:8484: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_unsetenv_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_unsetenv_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8493: result: $ac_cv_func_unsetenv_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_unsetenv_noproto" >&6
+
+if test "$ac_cv_func_unsetenv_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_UNSETENV_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_gethostname+set" != set -o "$ac_cv_func_gethostname" = yes; then
+echo "$as_me:8507: checking if gethostname needs a prototype" >&5
+echo $ECHO_N "checking if gethostname needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_gethostname_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8513 "configure"
+#include "confdefs.h"
+#include <unistd.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int gethostname (struct foo*);
+gethostname(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:8528: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_gethostname_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_gethostname_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8537: result: $ac_cv_func_gethostname_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_gethostname_noproto" >&6
+
+if test "$ac_cv_func_gethostname_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_GETHOSTNAME_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_mkstemp+set" != set -o "$ac_cv_func_mkstemp" = yes; then
+echo "$as_me:8551: checking if mkstemp needs a prototype" >&5
+echo $ECHO_N "checking if mkstemp needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_mkstemp_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8557 "configure"
+#include "confdefs.h"
+#include <unistd.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int mkstemp (struct foo*);
+mkstemp(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:8572: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_mkstemp_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_mkstemp_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8581: result: $ac_cv_func_mkstemp_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_mkstemp_noproto" >&6
+
+if test "$ac_cv_func_mkstemp_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_MKSTEMP_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_getusershell+set" != set -o "$ac_cv_func_getusershell" = yes; then
+echo "$as_me:8595: checking if getusershell needs a prototype" >&5
+echo $ECHO_N "checking if getusershell needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_getusershell_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8601 "configure"
+#include "confdefs.h"
+#include <unistd.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int getusershell (struct foo*);
+getusershell(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:8616: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_getusershell_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_getusershell_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8625: result: $ac_cv_func_getusershell_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_getusershell_noproto" >&6
+
+if test "$ac_cv_func_getusershell_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_GETUSERSHELL_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_inet_aton+set" != set -o "$ac_cv_func_inet_aton" = yes; then
+echo "$as_me:8639: checking if inet_aton needs a prototype" >&5
+echo $ECHO_N "checking if inet_aton needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_inet_aton_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8645 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int inet_aton (struct foo*);
+inet_aton(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:8672: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_inet_aton_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_inet_aton_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8681: result: $ac_cv_func_inet_aton_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_inet_aton_noproto" >&6
+
+if test "$ac_cv_func_inet_aton_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_INET_ATON_PROTO 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:8694: checking for crypt" >&5
+echo $ECHO_N "checking for crypt... $ECHO_C" >&6
+if test "${ac_cv_funclib_crypt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_crypt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypt; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 8710 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+crypt()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:8722: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_crypt=$ac_lib; else ac_cv_funclib_crypt=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_crypt=\${ac_cv_funclib_crypt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_crypt"
+
+if false; then
+
+for ac_func in crypt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:8743: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8749 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:8780: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8789: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# crypt
+eval "ac_tr_func=HAVE_`echo crypt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_crypt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_crypt=yes"
+	eval "LIB_crypt="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:8813: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_crypt=no"
+	eval "LIB_crypt="
+	echo "$as_me:8819: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_crypt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:8833: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:8838: checking if gethostbyname is compatible with system prototype" >&5
+echo $ECHO_N "checking if gethostbyname is compatible with system prototype... $ECHO_C" >&6
+if test "${ac_cv_func_gethostbyname_proto_compat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8844 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int
+main ()
+{
+struct hostent *gethostbyname(const char *);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:8872: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_gethostbyname_proto_compat=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_gethostbyname_proto_compat=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8881: result: $ac_cv_func_gethostbyname_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_gethostbyname_proto_compat" >&6
+
+if test "$ac_cv_func_gethostbyname_proto_compat" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define GETHOSTBYNAME_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+echo "$as_me:8892: checking if gethostbyaddr is compatible with system prototype" >&5
+echo $ECHO_N "checking if gethostbyaddr is compatible with system prototype... $ECHO_C" >&6
+if test "${ac_cv_func_gethostbyaddr_proto_compat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8898 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int
+main ()
+{
+struct hostent *gethostbyaddr(const void *, size_t, int);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:8926: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_gethostbyaddr_proto_compat=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_gethostbyaddr_proto_compat=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8935: result: $ac_cv_func_gethostbyaddr_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_gethostbyaddr_proto_compat" >&6
+
+if test "$ac_cv_func_gethostbyaddr_proto_compat" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define GETHOSTBYADDR_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+echo "$as_me:8946: checking if getservbyname is compatible with system prototype" >&5
+echo $ECHO_N "checking if getservbyname is compatible with system prototype... $ECHO_C" >&6
+if test "${ac_cv_func_getservbyname_proto_compat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8952 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int
+main ()
+{
+struct servent *getservbyname(const char *, const char *);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:8980: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_getservbyname_proto_compat=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_getservbyname_proto_compat=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:8989: result: $ac_cv_func_getservbyname_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_getservbyname_proto_compat" >&6
+
+if test "$ac_cv_func_getservbyname_proto_compat" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define GETSERVBYNAME_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+echo "$as_me:9000: checking if getsockname is compatible with system prototype" >&5
+echo $ECHO_N "checking if getsockname is compatible with system prototype... $ECHO_C" >&6
+if test "${ac_cv_func_getsockname_proto_compat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9006 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+int
+main ()
+{
+int getsockname(int, struct sockaddr*, socklen_t*);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9025: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_getsockname_proto_compat=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_getsockname_proto_compat=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9034: result: $ac_cv_func_getsockname_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_getsockname_proto_compat" >&6
+
+if test "$ac_cv_func_getsockname_proto_compat" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define GETSOCKNAME_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+echo "$as_me:9045: checking if openlog is compatible with system prototype" >&5
+echo $ECHO_N "checking if openlog is compatible with system prototype... $ECHO_C" >&6
+if test "${ac_cv_func_openlog_proto_compat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9051 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+
+int
+main ()
+{
+void openlog(const char *, int, int);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9067: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_openlog_proto_compat=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_openlog_proto_compat=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9076: result: $ac_cv_func_openlog_proto_compat" >&5
+echo "${ECHO_T}$ac_cv_func_openlog_proto_compat" >&6
+
+if test "$ac_cv_func_openlog_proto_compat" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define OPENLOG_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+if test "$ac_cv_func_crypt+set" != set -o "$ac_cv_func_crypt" = yes; then
+echo "$as_me:9088: checking if crypt needs a prototype" >&5
+echo $ECHO_N "checking if crypt needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_crypt_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9094 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int crypt (struct foo*);
+crypt(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9116: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_crypt_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_crypt_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9125: result: $ac_cv_func_crypt_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_crypt_noproto" >&6
+
+if test "$ac_cv_func_crypt_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_CRYPT_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_strtok_r+set" != set -o "$ac_cv_func_strtok_r" = yes; then
+echo "$as_me:9139: checking if strtok_r needs a prototype" >&5
+echo $ECHO_N "checking if strtok_r needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_strtok_r_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9145 "configure"
+#include "confdefs.h"
+
+#include <string.h>
+
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int strtok_r (struct foo*);
+strtok_r(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9162: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_strtok_r_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_strtok_r_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9171: result: $ac_cv_func_strtok_r_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strtok_r_noproto" >&6
+
+if test "$ac_cv_func_strtok_r_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_STRTOK_R_PROTO 1
+EOF
+
+fi
+
+fi
+
+if test "$ac_cv_func_strsep+set" != set -o "$ac_cv_func_strsep" = yes; then
+echo "$as_me:9185: checking if strsep needs a prototype" >&5
+echo $ECHO_N "checking if strsep needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_strsep_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9191 "configure"
+#include "confdefs.h"
+
+#include <string.h>
+
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int strsep (struct foo*);
+strsep(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9208: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_strsep_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_strsep_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9217: result: $ac_cv_func_strsep_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_strsep_noproto" >&6
+
+if test "$ac_cv_func_strsep_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_STRSEP_PROTO 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:9230: checking for h_errno" >&5
+echo $ECHO_N "checking for h_errno... $ECHO_C" >&6
+if test "${ac_cv_var_h_errno+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9237 "configure"
+#include "confdefs.h"
+extern int h_errno;
+int foo() { return h_errno; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:9250: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_var_h_errno=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_var_h_errno=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var_h_errno`
+echo "$as_me:9262: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_H_ERRNO 1
+EOF
+
+echo "$as_me:9270: checking if h_errno is properly declared" >&5
+echo $ECHO_N "checking if h_errno is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_h_errno_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9277 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_errno;
+int
+main ()
+{
+h_errno.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9295: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var_h_errno_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var_h_errno_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:9306: result: $ac_cv_var_h_errno_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_h_errno_declaration" >&6
+if eval "test \"\$ac_cv_var_h_errno_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_H_ERRNO_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:9318: checking for h_errlist" >&5
+echo $ECHO_N "checking for h_errlist... $ECHO_C" >&6
+if test "${ac_cv_var_h_errlist+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9325 "configure"
+#include "confdefs.h"
+extern int h_errlist;
+int foo() { return h_errlist; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:9338: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_var_h_errlist=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_var_h_errlist=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var_h_errlist`
+echo "$as_me:9350: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_H_ERRLIST 1
+EOF
+
+echo "$as_me:9358: checking if h_errlist is properly declared" >&5
+echo $ECHO_N "checking if h_errlist is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_h_errlist_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9365 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_errlist;
+int
+main ()
+{
+h_errlist.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9380: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var_h_errlist_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var_h_errlist_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:9391: result: $ac_cv_var_h_errlist_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_h_errlist_declaration" >&6
+if eval "test \"\$ac_cv_var_h_errlist_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_H_ERRLIST_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:9403: checking for h_nerr" >&5
+echo $ECHO_N "checking for h_nerr... $ECHO_C" >&6
+if test "${ac_cv_var_h_nerr+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9410 "configure"
+#include "confdefs.h"
+extern int h_nerr;
+int foo() { return h_nerr; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:9423: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_var_h_nerr=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_var_h_nerr=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var_h_nerr`
+echo "$as_me:9435: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_H_NERR 1
+EOF
+
+echo "$as_me:9443: checking if h_nerr is properly declared" >&5
+echo $ECHO_N "checking if h_nerr is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_h_nerr_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9450 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_nerr;
+int
+main ()
+{
+h_nerr.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9465: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var_h_nerr_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var_h_nerr_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:9476: result: $ac_cv_var_h_nerr_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_h_nerr_declaration" >&6
+if eval "test \"\$ac_cv_var_h_nerr_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_H_NERR_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:9488: checking for __progname" >&5
+echo $ECHO_N "checking for __progname... $ECHO_C" >&6
+if test "${ac_cv_var___progname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9495 "configure"
+#include "confdefs.h"
+extern int __progname;
+int foo() { return __progname; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:9508: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_var___progname=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_var___progname=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var___progname`
+echo "$as_me:9520: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE___PROGNAME 1
+EOF
+
+echo "$as_me:9528: checking if __progname is properly declared" >&5
+echo $ECHO_N "checking if __progname is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var___progname_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9535 "configure"
+#include "confdefs.h"
+#ifdef HAVE_ERR_H
+#include <err.h>
+#endif
+extern struct { int foo; } __progname;
+int
+main ()
+{
+__progname.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9550: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var___progname_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var___progname_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:9561: result: $ac_cv_var___progname_declaration" >&5
+echo "${ECHO_T}$ac_cv_var___progname_declaration" >&6
+if eval "test \"\$ac_cv_var___progname_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE___PROGNAME_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+echo "$as_me:9573: checking if optarg is properly declared" >&5
+echo $ECHO_N "checking if optarg is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_optarg_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9580 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optarg;
+int
+main ()
+{
+optarg.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9596: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var_optarg_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var_optarg_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:9607: result: $ac_cv_var_optarg_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_optarg_declaration" >&6
+if eval "test \"\$ac_cv_var_optarg_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_OPTARG_DECLARATION 1
+EOF
+
+fi
+
+echo "$as_me:9617: checking if optind is properly declared" >&5
+echo $ECHO_N "checking if optind is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_optind_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9624 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optind;
+int
+main ()
+{
+optind.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9640: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var_optind_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var_optind_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:9651: result: $ac_cv_var_optind_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_optind_declaration" >&6
+if eval "test \"\$ac_cv_var_optind_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_OPTIND_DECLARATION 1
+EOF
+
+fi
+
+echo "$as_me:9661: checking if opterr is properly declared" >&5
+echo $ECHO_N "checking if opterr is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_opterr_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9668 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } opterr;
+int
+main ()
+{
+opterr.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9684: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var_opterr_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var_opterr_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:9695: result: $ac_cv_var_opterr_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_opterr_declaration" >&6
+if eval "test \"\$ac_cv_var_opterr_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_OPTERR_DECLARATION 1
+EOF
+
+fi
+
+echo "$as_me:9705: checking if optopt is properly declared" >&5
+echo $ECHO_N "checking if optopt is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_optopt_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9712 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optopt;
+int
+main ()
+{
+optopt.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9728: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var_optopt_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var_optopt_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:9739: result: $ac_cv_var_optopt_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_optopt_declaration" >&6
+if eval "test \"\$ac_cv_var_optopt_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_OPTOPT_DECLARATION 1
+EOF
+
+fi
+
+echo "$as_me:9749: checking if environ is properly declared" >&5
+echo $ECHO_N "checking if environ is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_environ_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9756 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+extern struct { int foo; } environ;
+int
+main ()
+{
+environ.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9769: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var_environ_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var_environ_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:9780: result: $ac_cv_var_environ_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_environ_declaration" >&6
+if eval "test \"\$ac_cv_var_environ_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_ENVIRON_DECLARATION 1
+EOF
+
+fi
+
+echo "$as_me:9790: checking for tm_gmtoff in struct tm" >&5
+echo $ECHO_N "checking for tm_gmtoff in struct tm... $ECHO_C" >&6
+if test "${ac_cv_type_struct_tm_tm_gmtoff+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9797 "configure"
+#include "confdefs.h"
+#include <time.h>
+int
+main ()
+{
+struct tm x; x.tm_gmtoff;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9809: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_tm_tm_gmtoff=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_tm_tm_gmtoff=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9818: result: $ac_cv_type_struct_tm_tm_gmtoff" >&5
+echo "${ECHO_T}$ac_cv_type_struct_tm_tm_gmtoff" >&6
+if test "$ac_cv_type_struct_tm_tm_gmtoff" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_TM_TM_GMTOFF 1
+EOF
+
+fi
+
+echo "$as_me:9828: checking for tm_zone in struct tm" >&5
+echo $ECHO_N "checking for tm_zone in struct tm... $ECHO_C" >&6
+if test "${ac_cv_type_struct_tm_tm_zone+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9835 "configure"
+#include "confdefs.h"
+#include <time.h>
+int
+main ()
+{
+struct tm x; x.tm_zone;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9847: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_tm_tm_zone=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_tm_tm_zone=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:9856: result: $ac_cv_type_struct_tm_tm_zone" >&5
+echo "${ECHO_T}$ac_cv_type_struct_tm_tm_zone" >&6
+if test "$ac_cv_type_struct_tm_tm_zone" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_TM_TM_ZONE 1
+EOF
+
+fi
+
+echo "$as_me:9866: checking for timezone" >&5
+echo $ECHO_N "checking for timezone... $ECHO_C" >&6
+if test "${ac_cv_var_timezone+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9873 "configure"
+#include "confdefs.h"
+extern int timezone;
+int foo() { return timezone; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:9886: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_var_timezone=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_var_timezone=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var_timezone`
+echo "$as_me:9898: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_TIMEZONE 1
+EOF
+
+echo "$as_me:9906: checking if timezone is properly declared" >&5
+echo $ECHO_N "checking if timezone is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_timezone_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 9913 "configure"
+#include "confdefs.h"
+#include <time.h>
+extern struct { int foo; } timezone;
+int
+main ()
+{
+timezone.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9926: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var_timezone_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var_timezone_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:9937: result: $ac_cv_var_timezone_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_timezone_declaration" >&6
+if eval "test \"\$ac_cv_var_timezone_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_TIMEZONE_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+cv=`echo "sa_family_t" | sed 'y%./+- %__p__%'`
+echo "$as_me:9950: checking for sa_family_t" >&5
+echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9956 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+sa_family_t foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:9973: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:9983: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo sa_family_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:9988: checking for sa_family_t" >&5
+echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
+if test "${ac_cv_type_sa_family_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 9994 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((sa_family_t *) 0)
+  return 0;
+if (sizeof (sa_family_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10009: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_sa_family_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_sa_family_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:10018: result: $ac_cv_type_sa_family_t" >&5
+echo "${ECHO_T}$ac_cv_type_sa_family_t" >&6
+if test $ac_cv_type_sa_family_t = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_SA_FAMILY_T 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "socklen_t" | sed 'y%./+- %__p__%'`
+echo "$as_me:10037: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10043 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+socklen_t foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10060: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:10070: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo socklen_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:10075: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
+if test "${ac_cv_type_socklen_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10081 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((socklen_t *) 0)
+  return 0;
+if (sizeof (socklen_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10096: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_socklen_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_socklen_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:10105: result: $ac_cv_type_socklen_t" >&5
+echo "${ECHO_T}$ac_cv_type_socklen_t" >&6
+if test $ac_cv_type_socklen_t = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_SOCKLEN_T 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct sockaddr" | sed 'y%./+- %__p__%'`
+echo "$as_me:10124: checking for struct sockaddr" >&5
+echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10130 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+struct sockaddr foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10147: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:10157: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct sockaddr | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:10162: checking for struct sockaddr" >&5
+echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10168 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct sockaddr *) 0)
+  return 0;
+if (sizeof (struct sockaddr))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10183: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_sockaddr=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_sockaddr=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:10192: result: $ac_cv_type_struct_sockaddr" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr" >&6
+if test $ac_cv_type_struct_sockaddr = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_SOCKADDR 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct sockaddr_storage" | sed 'y%./+- %__p__%'`
+echo "$as_me:10211: checking for struct sockaddr_storage" >&5
+echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10217 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+struct sockaddr_storage foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10234: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:10244: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct sockaddr_storage | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:10249: checking for struct sockaddr_storage" >&5
+echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr_storage+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10255 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct sockaddr_storage *) 0)
+  return 0;
+if (sizeof (struct sockaddr_storage))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10270: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_sockaddr_storage=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_sockaddr_storage=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:10279: result: $ac_cv_type_struct_sockaddr_storage" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr_storage" >&6
+if test $ac_cv_type_struct_sockaddr_storage = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_SOCKADDR_STORAGE 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct addrinfo" | sed 'y%./+- %__p__%'`
+echo "$as_me:10298: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10304 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <netdb.h>
+int
+main ()
+{
+struct addrinfo foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10321: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:10331: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct addrinfo | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:10336: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
+if test "${ac_cv_type_struct_addrinfo+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10342 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct addrinfo *) 0)
+  return 0;
+if (sizeof (struct addrinfo))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10357: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_addrinfo=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_addrinfo=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:10366: result: $ac_cv_type_struct_addrinfo" >&5
+echo "${ECHO_T}$ac_cv_type_struct_addrinfo" >&6
+if test $ac_cv_type_struct_addrinfo = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_ADDRINFO 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct ifaddrs" | sed 'y%./+- %__p__%'`
+echo "$as_me:10385: checking for struct ifaddrs" >&5
+echo $ECHO_N "checking for struct ifaddrs... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10391 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <ifaddrs.h>
+int
+main ()
+{
+struct ifaddrs foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10408: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:10418: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct ifaddrs | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:10423: checking for struct ifaddrs" >&5
+echo $ECHO_N "checking for struct ifaddrs... $ECHO_C" >&6
+if test "${ac_cv_type_struct_ifaddrs+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10429 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct ifaddrs *) 0)
+  return 0;
+if (sizeof (struct ifaddrs))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10444: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_ifaddrs=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_ifaddrs=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:10453: result: $ac_cv_type_struct_ifaddrs" >&5
+echo "${ECHO_T}$ac_cv_type_struct_ifaddrs" >&6
+if test $ac_cv_type_struct_ifaddrs = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_IFADDRS 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+echo "$as_me:10471: checking for struct winsize" >&5
+echo $ECHO_N "checking for struct winsize... $ECHO_C" >&6
+if test "${ac_cv_struct_winsize+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+cat >conftest.$ac_ext <<_ACEOF
+#line 10480 "configure"
+#include "confdefs.h"
+#include <$i>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "struct[ 	]*winsize" >/dev/null 2>&1; then
+  ac_cv_struct_winsize=yes; break
+fi
+rm -f conftest*
+done
+
+fi
+
+if test "$ac_cv_struct_winsize" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_WINSIZE 1
+EOF
+
+fi
+echo "$as_me:10501: result: $ac_cv_struct_winsize" >&5
+echo "${ECHO_T}$ac_cv_struct_winsize" >&6
+cat >conftest.$ac_ext <<_ACEOF
+#line 10504 "configure"
+#include "confdefs.h"
+#include <termios.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ws_xpixel" >/dev/null 2>&1; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_WS_XPIXEL 1
+EOF
+
+fi
+rm -f conftest*
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10520 "configure"
+#include "confdefs.h"
+#include <termios.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ws_ypixel" >/dev/null 2>&1; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_WS_YPIXEL 1
+EOF
+
+fi
+rm -f conftest*
+
+echo "$as_me:10535: checking for struct spwd" >&5
+echo $ECHO_N "checking for struct spwd... $ECHO_C" >&6
+if test "${ac_cv_struct_spwd+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 10542 "configure"
+#include "confdefs.h"
+#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+int
+main ()
+{
+struct spwd foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10557: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_struct_spwd=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_struct_spwd=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:10568: result: $ac_cv_struct_spwd" >&5
+echo "${ECHO_T}$ac_cv_struct_spwd" >&6
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_SPWD 1
+EOF
+
+fi
+
+LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)"
+
+LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken"
+
+# Check whether --with-openldap or --without-openldap was given.
+if test "${with_openldap+set}" = set; then
+  withval="$with_openldap"
+
+fi;
+
+# Check whether --with-openldap-lib or --without-openldap-lib was given.
+if test "${with_openldap_lib+set}" = set; then
+  withval="$with_openldap_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  {  echo "$as_me: error: No argument for --with-openldap-lib" >&2
+  { (exit 1); exit; }; }
+elif test "X$with_openldap" = "X"; then
+  with_openldap=yes
+fi
+fi;
+
+# Check whether --with-openldap-include or --without-openldap-include was given.
+if test "${with_openldap_include+set}" = set; then
+  withval="$with_openldap_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  {  echo "$as_me: error: No argument for --with-openldap-include" >&2
+  { (exit 1); exit; }; }
+elif test "X$with_openldap" = "X"; then
+  with_openldap=yes
+fi
+fi;
+
+echo "$as_me:10611: checking for openldap" >&5
+echo $ECHO_N "checking for openldap... $ECHO_C" >&6
+
+case "$with_openldap" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_openldap_include" = ""; then
+		with_openldap_include="$with_openldap/include"
+	fi
+	if test "$with_openldap_lib" = ""; then
+		with_openldap_lib="$with_openldap/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d=''
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_openldap_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_openldap_include $header_dirs";;
+esac
+case "$with_openldap_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_openldap_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 10651 "configure"
+#include "confdefs.h"
+#include <lber.h>
+#include <ldap.h>
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10664: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ires=$i;break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lldap -llber  $save_LIBS"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 10675 "configure"
+#include "confdefs.h"
+#include <lber.h>
+#include <ldap.h>
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:10688: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  lres=$i;break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_openldap" != "no"; then
+	openldap_includedir="$ires"
+	openldap_libdir="$lres"
+	INCLUDE_openldap="-I$openldap_includedir"
+	LIB_openldap="-L$openldap_libdir -lldap -llber"
+
+cat >>confdefs.h <<EOF
+#define OPENLDAP 1
+EOF
+
+	with_openldap=yes
+	echo "$as_me:10710: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6
+else
+	INCLUDE_openldap=
+	LIB_openldap=
+	with_openldap=no
+	echo "$as_me:10716: result: $with_openldap" >&5
+echo "${ECHO_T}$with_openldap" >&6
+fi
+
+if test "$openldap_libdir"; then
+	LIB_openldap="-R $openldap_libdir $LIB_openldap"
+fi
+
+# Check whether --with-krb4 or --without-krb4 was given.
+if test "${with_krb4+set}" = set; then
+  withval="$with_krb4"
+
+fi;
+
+# Check whether --with-krb4-lib or --without-krb4-lib was given.
+if test "${with_krb4_lib+set}" = set; then
+  withval="$with_krb4_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  {  echo "$as_me: error: No argument for --with-krb4-lib" >&2
+  { (exit 1); exit; }; }
+elif test "X$with_krb4" = "X"; then
+  with_krb4=yes
+fi
+fi;
+
+# Check whether --with-krb4-include or --without-krb4-include was given.
+if test "${with_krb4_include+set}" = set; then
+  withval="$with_krb4_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  {  echo "$as_me: error: No argument for --with-krb4-include" >&2
+  { (exit 1); exit; }; }
+elif test "X$with_krb4" = "X"; then
+  with_krb4=yes
+fi
+fi;
+
+echo "$as_me:10752: checking for krb4" >&5
+echo $ECHO_N "checking for krb4... $ECHO_C" >&6
+
+case "$with_krb4" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_krb4_include" = ""; then
+		with_krb4_include="$with_krb4/include"
+	fi
+	if test "$with_krb4_lib" = ""; then
+		with_krb4_lib="$with_krb4/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d='/usr/athena'
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_krb4_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_krb4_include $header_dirs";;
+esac
+case "$with_krb4_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_krb4_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 10792 "configure"
+#include "confdefs.h"
+#include <krb.h>
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10804: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ires=$i;break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lkrb -ldes $save_LIBS"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 10815 "configure"
+#include "confdefs.h"
+#include <krb.h>
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:10827: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  lres=$i;break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_krb4" != "no"; then
+	krb4_includedir="$ires"
+	krb4_libdir="$lres"
+	INCLUDE_krb4="-I$krb4_includedir"
+	LIB_krb4="-L$krb4_libdir -lkrb"
+
+cat >>confdefs.h <<EOF
+#define KRB4 1
+EOF
+
+	with_krb4=yes
+	echo "$as_me:10849: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6
+else
+	INCLUDE_krb4=
+	LIB_krb4=
+	with_krb4=no
+	echo "$as_me:10855: result: $with_krb4" >&5
+echo "${ECHO_T}$with_krb4" >&6
+fi
+
+LIB_kdb=
+if test "$with_krb4" != "no"; then
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS $INCLUDE_krb4"
+	save_LIBS="$LIBS"
+	LIBS="$LIB_krb4 -ldes $LIBS"
+	EXTRA_LIB45=lib45.a
+
+	echo "$as_me:10867: checking for four valued krb_put_int" >&5
+echo $ECHO_N "checking for four valued krb_put_int... $ECHO_C" >&6
+if test "${ac_cv_func_krb_put_int_four+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10873 "configure"
+#include "confdefs.h"
+#include <krb.h>
+int
+main ()
+{
+
+		char tmp[4];
+		krb_put_int(17, tmp, 4, sizeof(tmp));
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10887: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_func_krb_put_int_four=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_krb_put_int_four=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+echo "$as_me:10897: result: $ac_cv_func_krb_put_int_four" >&5
+echo "${ECHO_T}$ac_cv_func_krb_put_int_four" >&6
+	if test "$ac_cv_func_krb_put_int_four" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_FOUR_VALUED_KRB_PUT_INT 1
+EOF
+
+	fi
+
+	echo "$as_me:10907: checking for KRB_VERIFY_SECURE" >&5
+echo $ECHO_N "checking for KRB_VERIFY_SECURE... $ECHO_C" >&6
+if test "${ac_cv_func_krb_verify_secure+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10913 "configure"
+#include "confdefs.h"
+#include <krb.h>
+int
+main ()
+{
+
+		int x = KRB_VERIFY_SECURE
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10926: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_func_krb_verify_secure=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_krb_verify_secure=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+echo "$as_me:10936: result: $ac_cv_func_krb_verify_secure" >&5
+echo "${ECHO_T}$ac_cv_func_krb_verify_secure" >&6
+	if test "$ac_cv_func_krb_verify_secure" != yes; then
+
+cat >>confdefs.h <<\EOF
+#define KRB_VERIFY_SECURE 1
+EOF
+
+cat >>confdefs.h <<\EOF
+#define KRB_VERIFY_SECURE_FAIL 2
+EOF
+
+	fi
+	echo "$as_me:10949: checking for KRB_VERIFY_NOT_SECURE" >&5
+echo $ECHO_N "checking for KRB_VERIFY_NOT_SECURE... $ECHO_C" >&6
+if test "${ac_cv_func_krb_verify_not_secure+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 10955 "configure"
+#include "confdefs.h"
+#include <krb.h>
+int
+main ()
+{
+
+		int x = KRB_VERIFY_NOT_SECURE
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:10968: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_func_krb_verify_not_secure=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_krb_verify_not_secure=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+echo "$as_me:10978: result: $ac_cv_func_krb_verify_not_secure" >&5
+echo "${ECHO_T}$ac_cv_func_krb_verify_not_secure" >&6
+	if test "$ac_cv_func_krb_verify_not_secure" != yes; then
+
+cat >>confdefs.h <<\EOF
+#define KRB_VERIFY_NOT_SECURE 0
+EOF
+
+	fi
+
+echo "$as_me:10988: checking for krb_enable_debug" >&5
+echo $ECHO_N "checking for krb_enable_debug... $ECHO_C" >&6
+if test "${ac_cv_funclib_krb_enable_debug+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_krb_enable_debug\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 11004 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+krb_enable_debug()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:11016: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_enable_debug=$ac_lib; else ac_cv_funclib_krb_enable_debug=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_krb_enable_debug=\${ac_cv_funclib_krb_enable_debug-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_krb_enable_debug"
+
+if false; then
+
+for ac_func in krb_enable_debug
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:11037: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11043 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:11074: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:11083: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# krb_enable_debug
+eval "ac_tr_func=HAVE_`echo krb_enable_debug | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_krb_enable_debug=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_krb_enable_debug=yes"
+	eval "LIB_krb_enable_debug="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:11107: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_krb_enable_debug=no"
+	eval "LIB_krb_enable_debug="
+	echo "$as_me:11113: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_krb_enable_debug=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:11127: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_krb_enable_debug"; then
+	LIBS="$LIB_krb_enable_debug $LIBS"
+fi
+
+echo "$as_me:11136: checking for krb_disable_debug" >&5
+echo $ECHO_N "checking for krb_disable_debug... $ECHO_C" >&6
+if test "${ac_cv_funclib_krb_disable_debug+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_krb_disable_debug\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 11152 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+krb_disable_debug()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:11164: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_disable_debug=$ac_lib; else ac_cv_funclib_krb_disable_debug=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_krb_disable_debug=\${ac_cv_funclib_krb_disable_debug-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_krb_disable_debug"
+
+if false; then
+
+for ac_func in krb_disable_debug
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:11185: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11191 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:11222: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:11231: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# krb_disable_debug
+eval "ac_tr_func=HAVE_`echo krb_disable_debug | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_krb_disable_debug=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_krb_disable_debug=yes"
+	eval "LIB_krb_disable_debug="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:11255: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_krb_disable_debug=no"
+	eval "LIB_krb_disable_debug="
+	echo "$as_me:11261: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_krb_disable_debug=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:11275: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_krb_disable_debug"; then
+	LIBS="$LIB_krb_disable_debug $LIBS"
+fi
+
+echo "$as_me:11284: checking for krb_get_our_ip_for_realm" >&5
+echo $ECHO_N "checking for krb_get_our_ip_for_realm... $ECHO_C" >&6
+if test "${ac_cv_funclib_krb_get_our_ip_for_realm+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_krb_get_our_ip_for_realm\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 11300 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+krb_get_our_ip_for_realm()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:11312: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_krb_get_our_ip_for_realm=$ac_lib; else ac_cv_funclib_krb_get_our_ip_for_realm=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_krb_get_our_ip_for_realm=\${ac_cv_funclib_krb_get_our_ip_for_realm-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_krb_get_our_ip_for_realm"
+
+if false; then
+
+for ac_func in krb_get_our_ip_for_realm
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:11333: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11339 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:11370: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:11379: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# krb_get_our_ip_for_realm
+eval "ac_tr_func=HAVE_`echo krb_get_our_ip_for_realm | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_krb_get_our_ip_for_realm=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_krb_get_our_ip_for_realm=yes"
+	eval "LIB_krb_get_our_ip_for_realm="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:11403: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_krb_get_our_ip_for_realm=no"
+	eval "LIB_krb_get_our_ip_for_realm="
+	echo "$as_me:11409: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_krb_get_our_ip_for_realm=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:11423: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_krb_get_our_ip_for_realm"; then
+	LIBS="$LIB_krb_get_our_ip_for_realm $LIBS"
+fi
+
+	echo "$as_me:11432: checking for krb_mk_req with const arguments" >&5
+echo $ECHO_N "checking for krb_mk_req with const arguments... $ECHO_C" >&6
+if test "${ac_cv_func_krb_mk_req_const+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 11438 "configure"
+#include "confdefs.h"
+#include <krb.h>
+		int krb_mk_req(KTEXT a, const char *s, const char *i,
+			       const char *r, int32_t checksum)
+		{ return 17; }
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:11453: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_func_krb_mk_req_const=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_krb_mk_req_const=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+echo "$as_me:11463: result: $ac_cv_func_krb_mk_req_const" >&5
+echo "${ECHO_T}$ac_cv_func_krb_mk_req_const" >&6
+	if test "$ac_cv_func_krb_mk_req_const" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define KRB_MK_REQ_CONST 1
+EOF
+
+	fi
+
+	LIBS="$save_LIBS"
+	CFLAGS="$save_CFLAGS"
+	LIB_kdb="-lkdb -lkrb"
+	test_LIB_krb4="$LIB_krb4"
+	if test "$krb4_libdir"; then
+		LIB_krb4="-R $krb4_libdir $LIB_krb4"
+		LIB_kdb="-R $krb4_libdir -L$krb4_libdir $LIB_kdb"
+	fi
+fi
+
+if test "$with_krb4" != "no"; then
+  KRB4_TRUE=
+  KRB4_FALSE='#'
+else
+  KRB4_TRUE='#'
+  KRB4_FALSE=
+fi
+
+if true; then
+  KRB5_TRUE=
+  KRB5_FALSE='#'
+else
+  KRB5_TRUE='#'
+  KRB5_FALSE=
+fi
+
+if true; then
+  do_roken_rename_TRUE=
+  do_roken_rename_FALSE='#'
+else
+  do_roken_rename_TRUE='#'
+  do_roken_rename_FALSE=
+fi
+
+cat >>confdefs.h <<\EOF
+#define KRB5 1
+EOF
+
+# Check whether --enable-dce or --disable-dce was given.
+if test "${enable_dce+set}" = set; then
+  enableval="$enable_dce"
+
+fi;
+if test "$enable_dce" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define DCE 1
+EOF
+
+fi
+
+if test "$enable_dce" = yes; then
+  DCE_TRUE=
+  DCE_FALSE='#'
+else
+  DCE_TRUE='#'
+  DCE_FALSE=
+fi
+
+## XXX quite horrible:
+if test -f /etc/ibmcxx.cfg; then
+	dpagaix_LDADD=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/libraries/{;s/^[^=]*=\(.*\)/\1/;s/,/ /gp;}'`
+	dpagaix_CFLAGS=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/options/{;s/^[^=]*=\(.*\)/\1/;s/-q^,*//;s/,/ /gp;}'`
+else
+	dpagaix_CFLAGS="-D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce"
+	dpagaix_LDADD="-L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r"
+	dpagaix_LDFLAGS="-Wl,-bI:dfspag.exp"
+fi
+
+# Check whether --enable-kaserver or --disable-kaserver was given.
+if test "${enable_kaserver+set}" = set; then
+  enableval="$enable_kaserver"
+
+fi;
+if test "$enable_kaserver" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define KASERVER 1
+EOF
+
+	if test "$with_krb4" = "no"; then
+		{  echo "$as_me: error: kaserver requires krb4" >&2
+  { (exit 1); exit; }; }
+		exit 1
+	fi
+fi
+
+# Check whether --enable-kaserver-db or --disable-kaserver-db was given.
+if test "${enable_kaserver_db+set}" = set; then
+  enableval="$enable_kaserver_db"
+
+fi;
+if test "$enable_kaserver_db" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define KASERVER_DB 1
+EOF
+
+	if test "$with_krb4" = "no"; then
+		{  echo "$as_me: error: kaserver-db requires krb4" >&2
+  { (exit 1); exit; }; }
+		exit 1
+	fi
+fi
+
+otp=yes
+# Check whether --enable-otp or --disable-otp was given.
+if test "${enable_otp+set}" = set; then
+  enableval="$enable_otp"
+
+if test "$enableval" = "no"; then
+	otp=no
+fi
+
+fi;
+if test "$otp" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define OTP 1
+EOF
+
+	LIB_otp='$(top_builddir)/lib/otp/libotp.la'
+fi
+
+if test "$otp" = yes; then
+  OTP_TRUE=
+  OTP_FALSE='#'
+else
+  OTP_TRUE='#'
+  OTP_FALSE=
+fi
+
+# Check whether --enable-osfc2 or --disable-osfc2 was given.
+if test "${enable_osfc2+set}" = set; then
+  enableval="$enable_osfc2"
+
+fi;
+LIB_security=
+if test "$enable_osfc2" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_OSFC2 1
+EOF
+
+	LIB_security=-lsecurity
+fi
+
+# Extract the first word of "nroff", so it can be a program name with args.
+set dummy nroff; ac_word=$2
+echo "$as_me:11622: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_path_NROFF+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $NROFF in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_NROFF="$NROFF" # Let the user override the test with a path.
+  ;;
+  *)
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  if test -f "$ac_dir/$ac_word"; then
+   ac_cv_path_NROFF="$ac_dir/$ac_word"
+   break
+fi
+done
+
+  ;;
+esac
+fi
+NROFF=$ac_cv_path_NROFF
+
+if test -n "$NROFF"; then
+  echo "$as_me:11649: result: $NROFF" >&5
+echo "${ECHO_T}$NROFF" >&6
+else
+  echo "$as_me:11652: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+# Extract the first word of "groff", so it can be a program name with args.
+set dummy groff; ac_word=$2
+echo "$as_me:11658: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_path_GROFF+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $GROFF in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_GROFF="$GROFF" # Let the user override the test with a path.
+  ;;
+  *)
+  ac_save_IFS=$IFS; IFS=':'
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  if test -f "$ac_dir/$ac_word"; then
+   ac_cv_path_GROFF="$ac_dir/$ac_word"
+   break
+fi
+done
+
+  ;;
+esac
+fi
+GROFF=$ac_cv_path_GROFF
+
+if test -n "$GROFF"; then
+  echo "$as_me:11685: result: $GROFF" >&5
+echo "${ECHO_T}$GROFF" >&6
+else
+  echo "$as_me:11688: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+echo "$as_me:11692: checking how to format man pages" >&5
+echo $ECHO_N "checking how to format man pages... $ECHO_C" >&6
+if test "${ac_cv_sys_man_format+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat > conftest.1 << END
+.Dd January 1, 1970
+.Dt CONFTEST 1
+.Sh NAME
+.Nm conftest
+.Nd
+foobar
+END
+
+if test "$NROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$NROFF" $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$NROFF $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$GROFF -Tascii $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format"; then
+	ac_cv_sys_man_format="$ac_cv_sys_man_format \$< > \$@"
+fi
+
+fi
+echo "$as_me:11729: result: $ac_cv_sys_man_format" >&5
+echo "${ECHO_T}$ac_cv_sys_man_format" >&6
+if test "$ac_cv_sys_man_format"; then
+	CATMAN="$ac_cv_sys_man_format"
+
+fi
+
+if test "$CATMAN"; then
+  CATMAN_TRUE=
+  CATMAN_FALSE='#'
+else
+  CATMAN_TRUE='#'
+  CATMAN_FALSE=
+fi
+echo "$as_me:11743: checking extension of pre-formatted manual pages" >&5
+echo $ECHO_N "checking extension of pre-formatted manual pages... $ECHO_C" >&6
+if test "${ac_cv_sys_catman_ext+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if grep _suffix /etc/man.conf > /dev/null 2>&1; then
+	ac_cv_sys_catman_ext=0
+else
+	ac_cv_sys_catman_ext=number
+fi
+
+fi
+echo "$as_me:11755: result: $ac_cv_sys_catman_ext" >&5
+echo "${ECHO_T}$ac_cv_sys_catman_ext" >&6
+if test "$ac_cv_sys_catman_ext" = number; then
+	CATMANEXT='$$section'
+else
+	CATMANEXT=0
+fi
+
+# Check whether --with-readline or --without-readline was given.
+if test "${with_readline+set}" = set; then
+  withval="$with_readline"
+
+fi;
+
+# Check whether --with-readline-lib or --without-readline-lib was given.
+if test "${with_readline_lib+set}" = set; then
+  withval="$with_readline_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  {  echo "$as_me: error: No argument for --with-readline-lib" >&2
+  { (exit 1); exit; }; }
+elif test "X$with_readline" = "X"; then
+  with_readline=yes
+fi
+fi;
+
+# Check whether --with-readline-include or --without-readline-include was given.
+if test "${with_readline_include+set}" = set; then
+  withval="$with_readline_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  {  echo "$as_me: error: No argument for --with-readline-include" >&2
+  { (exit 1); exit; }; }
+elif test "X$with_readline" = "X"; then
+  with_readline=yes
+fi
+fi;
+
+echo "$as_me:11791: checking for readline" >&5
+echo $ECHO_N "checking for readline... $ECHO_C" >&6
+
+case "$with_readline" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_readline_include" = ""; then
+		with_readline_include="$with_readline/include"
+	fi
+	if test "$with_readline_lib" = ""; then
+		with_readline_lib="$with_readline/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d=''
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_readline_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_readline_include $header_dirs";;
+esac
+case "$with_readline_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_readline_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 11831 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+ #include <readline.h>
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:11844: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ires=$i;break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lreadline  $save_LIBS"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 11855 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+ #include <readline.h>
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:11868: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  lres=$i;break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_readline" != "no"; then
+	readline_includedir="$ires"
+	readline_libdir="$lres"
+	INCLUDE_readline="-I$readline_includedir"
+	LIB_readline="-L$readline_libdir -lreadline"
+
+cat >>confdefs.h <<EOF
+#define READLINE 1
+EOF
+
+	with_readline=yes
+	echo "$as_me:11890: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6
+else
+	INCLUDE_readline=
+	LIB_readline=
+	with_readline=no
+	echo "$as_me:11896: result: $with_readline" >&5
+echo "${ECHO_T}$with_readline" >&6
+fi
+
+# Check whether --with-hesiod or --without-hesiod was given.
+if test "${with_hesiod+set}" = set; then
+  withval="$with_hesiod"
+
+fi;
+
+# Check whether --with-hesiod-lib or --without-hesiod-lib was given.
+if test "${with_hesiod_lib+set}" = set; then
+  withval="$with_hesiod_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  {  echo "$as_me: error: No argument for --with-hesiod-lib" >&2
+  { (exit 1); exit; }; }
+elif test "X$with_hesiod" = "X"; then
+  with_hesiod=yes
+fi
+fi;
+
+# Check whether --with-hesiod-include or --without-hesiod-include was given.
+if test "${with_hesiod_include+set}" = set; then
+  withval="$with_hesiod_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  {  echo "$as_me: error: No argument for --with-hesiod-include" >&2
+  { (exit 1); exit; }; }
+elif test "X$with_hesiod" = "X"; then
+  with_hesiod=yes
+fi
+fi;
+
+echo "$as_me:11928: checking for hesiod" >&5
+echo $ECHO_N "checking for hesiod... $ECHO_C" >&6
+
+case "$with_hesiod" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_hesiod_include" = ""; then
+		with_hesiod_include="$with_hesiod/include"
+	fi
+	if test "$with_hesiod_lib" = ""; then
+		with_hesiod_lib="$with_hesiod/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d=''
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_hesiod_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_hesiod_include $header_dirs";;
+esac
+case "$with_hesiod_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_hesiod_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 11968 "configure"
+#include "confdefs.h"
+#include <hesiod.h>
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:11980: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ires=$i;break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lhesiod  $save_LIBS"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 11991 "configure"
+#include "confdefs.h"
+#include <hesiod.h>
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12003: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  lres=$i;break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_hesiod" != "no"; then
+	hesiod_includedir="$ires"
+	hesiod_libdir="$lres"
+	INCLUDE_hesiod="-I$hesiod_includedir"
+	LIB_hesiod="-L$hesiod_libdir -lhesiod"
+
+cat >>confdefs.h <<EOF
+#define HESIOD 1
+EOF
+
+	with_hesiod=yes
+	echo "$as_me:12025: result: headers $ires, libraries $lres" >&5
+echo "${ECHO_T}headers $ires, libraries $lres" >&6
+else
+	INCLUDE_hesiod=
+	LIB_hesiod=
+	with_hesiod=no
+	echo "$as_me:12031: result: $with_hesiod" >&5
+echo "${ECHO_T}$with_hesiod" >&6
+fi
+
+# Check whether --enable-bigendian or --disable-bigendian was given.
+if test "${enable_bigendian+set}" = set; then
+  enableval="$enable_bigendian"
+  krb_cv_c_bigendian=yes
+fi;
+# Check whether --enable-littleendian or --disable-littleendian was given.
+if test "${enable_littleendian+set}" = set; then
+  enableval="$enable_littleendian"
+  krb_cv_c_bigendian=no
+fi;
+echo "$as_me:12045: checking whether byte order is known at compile time" >&5
+echo $ECHO_N "checking whether byte order is known at compile time... $ECHO_C" >&6
+if test "${krb_cv_c_bigendian_compile+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12051 "configure"
+#include "confdefs.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+int
+main ()
+{
+
+#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
+ bogus endian macros
+#endif
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:12068: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  krb_cv_c_bigendian_compile=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  krb_cv_c_bigendian_compile=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:12077: result: $krb_cv_c_bigendian_compile" >&5
+echo "${ECHO_T}$krb_cv_c_bigendian_compile" >&6
+echo "$as_me:12079: checking whether byte ordering is bigendian" >&5
+echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6
+if test "${krb_cv_c_bigendian+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+  if test "$krb_cv_c_bigendian_compile" = "yes"; then
+    cat >conftest.$ac_ext <<_ACEOF
+#line 12087 "configure"
+#include "confdefs.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+int
+main ()
+{
+
+#if BYTE_ORDER != BIG_ENDIAN
+  not big endian
+#endif
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:12104: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  krb_cv_c_bigendian=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  krb_cv_c_bigendian=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+  else
+    if test "$cross_compiling" = yes; then
+  {  echo "$as_me: error: specify either --enable-bigendian or --enable-littleendian" >&2
+  { (exit 1); exit; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12118 "configure"
+#include "confdefs.h"
+main () {
+      /* Are we little or big endian?  From Harbison&Steele.  */
+      union
+      {
+	long l;
+	char c[sizeof (long)];
+    } u;
+    u.l = 1;
+    exit (u.c[sizeof (long) - 1] == 1);
+  }
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:12132: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  krb_cv_c_bigendian=no
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+krb_cv_c_bigendian=yes
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+  fi
+
+fi
+echo "$as_me:12150: result: $krb_cv_c_bigendian" >&5
+echo "${ECHO_T}$krb_cv_c_bigendian" >&6
+if test "$krb_cv_c_bigendian" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define WORDS_BIGENDIAN 1
+EOF
+fi
+if test "$krb_cv_c_bigendian_compile" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define ENDIANESS_IN_SYS_PARAM_H 1
+EOF
+fi
+
+echo "$as_me:12165: checking for inline" >&5
+echo $ECHO_N "checking for inline... $ECHO_C" >&6
+if test "${ac_cv_c_inline+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_c_inline=no
+for ac_kw in inline __inline__ __inline; do
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12173 "configure"
+#include "confdefs.h"
+#ifndef __cplusplus
+$ac_kw int foo () {return 0; }
+#endif
+
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:12181: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_c_inline=$ac_kw; break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+done
+
+fi
+echo "$as_me:12191: result: $ac_cv_c_inline" >&5
+echo "${ECHO_T}$ac_cv_c_inline" >&6
+case $ac_cv_c_inline in
+  inline | yes) ;;
+  no)
+cat >>confdefs.h <<\EOF
+#define inline
+EOF
+ ;;
+  *)  cat >>confdefs.h <<EOF
+#define inline $ac_cv_c_inline
+EOF
+ ;;
+esac
+
+aix=no
+case "$host" in
+*-*-aix3*)
+	aix=3
+	;;
+*-*-aix4*)
+	aix=4
+	;;
+esac
+
+if test "$aix" != no; then
+  AIX_TRUE=
+  AIX_FALSE='#'
+else
+  AIX_TRUE='#'
+  AIX_FALSE=
+fi
+
+if test "$aix" = 4; then
+  AIX4_TRUE=
+  AIX4_FALSE='#'
+else
+  AIX4_TRUE='#'
+  AIX4_FALSE=
+fi
+aix_dynamic_afs=yes
+
+if test "$aix_dynamic_afs" = yes; then
+  AIX_DYNAMIC_AFS_TRUE=
+  AIX_DYNAMIC_AFS_FALSE='#'
+else
+  AIX_DYNAMIC_AFS_TRUE='#'
+  AIX_DYNAMIC_AFS_FALSE=
+fi
+
+echo "$as_me:12241: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
+if test "${ac_cv_funclib_dlopen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_dlopen\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" dl; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 12257 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+dlopen()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12269: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dlopen=$ac_lib; else ac_cv_funclib_dlopen=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_dlopen=\${ac_cv_funclib_dlopen-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_dlopen"
+
+if false; then
+
+for ac_func in dlopen
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:12290: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12296 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12327: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:12336: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# dlopen
+eval "ac_tr_func=HAVE_`echo dlopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dlopen=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dlopen=yes"
+	eval "LIB_dlopen="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:12360: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_dlopen=no"
+	eval "LIB_dlopen="
+	echo "$as_me:12366: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_dlopen=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:12380: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test "$aix" != no; then
+	if test "$aix_dynamic_afs" = yes; then
+		if test "$ac_cv_funclib_dlopen" = yes; then
+			AIX_EXTRA_KAFS=
+		elif test "$ac_cv_funclib_dlopen" != no; then
+			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
+		else
+			AIX_EXTRA_KAFS=-lld
+		fi
+	else
+		AIX_EXTRA_KAFS=
+	fi
+fi
+
+if test "$ac_cv_funclib_dlopen" != no; then
+  HAVE_DLOPEN_TRUE=
+  HAVE_DLOPEN_FALSE='#'
+else
+  HAVE_DLOPEN_TRUE='#'
+  HAVE_DLOPEN_FALSE=
+fi
+
+irix=no
+case "$host_os" in
+irix*) irix=yes ;;
+esac
+
+if test "$irix" != no; then
+  IRIX_TRUE=
+  IRIX_FALSE='#'
+else
+  IRIX_TRUE='#'
+  IRIX_FALSE=
+fi
+
+echo "$as_me:12420: checking for X" >&5
+echo $ECHO_N "checking for X... $ECHO_C" >&6
+
+# Check whether --with-x or --without-x was given.
+if test "${with_x+set}" = set; then
+  withval="$with_x"
+
+fi;
+# $have_x is `yes', `no', `disabled', or empty when we do not yet know.
+if test "x$with_x" = xno; then
+  # The user explicitly disabled X.
+  have_x=disabled
+else
+  if test "x$x_includes" != xNONE && test "x$x_libraries" != xNONE; then
+    # Both variables are already set.
+    have_x=yes
+  else
+if test "${ac_cv_have_x+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # One or both of the vars are not set, and there is no cached value.
+ac_x_includes=no ac_x_libraries=no
+rm -fr conftestdir
+if mkdir conftestdir; then
+  cd conftestdir
+  # Make sure to not put "make" in the Imakefile rules, since we grep it out.
+  cat >Imakefile <<'EOF'
+acfindx:
+	@echo 'ac_im_incroot="${INCROOT}"; ac_im_usrlibdir="${USRLIBDIR}"; ac_im_libdir="${LIBDIR}"'
+EOF
+  if (xmkmf) >/dev/null 2>/dev/null && test -f Makefile; then
+    # GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+    eval `${MAKE-make} acfindx 2>/dev/null | grep -v make`
+    # Open Windows xmkmf reportedly sets LIBDIR instead of USRLIBDIR.
+    for ac_extension in a so sl; do
+      if test ! -f $ac_im_usrlibdir/libX11.$ac_extension &&
+         test -f $ac_im_libdir/libX11.$ac_extension; then
+        ac_im_usrlibdir=$ac_im_libdir; break
+      fi
+    done
+    # Screen out bogus values from the imake configuration.  They are
+    # bogus both because they are the default anyway, and because
+    # using them would break gcc on systems where it needs fixed includes.
+    case $ac_im_incroot in
+	/usr/include) ;;
+	*) test -f "$ac_im_incroot/X11/Xos.h" && ac_x_includes=$ac_im_incroot;;
+    esac
+    case $ac_im_usrlibdir in
+	/usr/lib | /lib) ;;
+	*) test -d "$ac_im_usrlibdir" && ac_x_libraries=$ac_im_usrlibdir ;;
+    esac
+  fi
+  cd ..
+  rm -fr conftestdir
+fi
+
+# Standard set of common directories for X headers.
+# Check X11 before X11Rn because it is often a symlink to the current release.
+ac_x_header_dirs='
+/usr/X11/include
+/usr/X11R6/include
+/usr/X11R5/include
+/usr/X11R4/include
+
+/usr/include/X11
+/usr/include/X11R6
+/usr/include/X11R5
+/usr/include/X11R4
+
+/usr/local/X11/include
+/usr/local/X11R6/include
+/usr/local/X11R5/include
+/usr/local/X11R4/include
+
+/usr/local/include/X11
+/usr/local/include/X11R6
+/usr/local/include/X11R5
+/usr/local/include/X11R4
+
+/usr/X386/include
+/usr/x386/include
+/usr/XFree86/include/X11
+
+/usr/include
+/usr/local/include
+/usr/unsupported/include
+/usr/athena/include
+/usr/local/x11r5/include
+/usr/lpp/Xamples/include
+
+/usr/openwin/include
+/usr/openwin/share/include'
+
+if test "$ac_x_includes" = no; then
+  # Guess where to find include files, by looking for Intrinsic.h.
+  # First, try using that file with no special directory specified.
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12517 "configure"
+#include "confdefs.h"
+#include <X11/Intrinsic.h>
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:12522: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  # We can compile using X headers with no special include directory.
+ac_x_includes=
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  for ac_dir in $ac_x_header_dirs; do
+  if test -r "$ac_dir/X11/Intrinsic.h"; then
+    ac_x_includes=$ac_dir
+    break
+  fi
+done
+fi
+rm -f conftest*
+
+fi # $ac_x_includes = no
+
+if test "$ac_x_libraries" = no; then
+  # Check for the libraries.
+  # See if we find them without any special options.
+  # Don't add to $LIBS permanently.
+  ac_save_LIBS=$LIBS
+  LIBS="-lXt $LIBS"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12557 "configure"
+#include "confdefs.h"
+#include <X11/Intrinsic.h>
+int
+main ()
+{
+XtMalloc (0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12569: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  LIBS=$ac_save_LIBS
+# We can link X programs with no special library path.
+ac_x_libraries=
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  LIBS=$ac_save_LIBS
+for ac_dir in `echo "$ac_x_includes $ac_x_header_dirs" | sed s/include/lib/g`
+do
+  # Don't even attempt the hair of trying to link an X program!
+  for ac_extension in a so sl; do
+    if test -r $ac_dir/libXt.$ac_extension; then
+      ac_x_libraries=$ac_dir
+      break 2
+    fi
+  done
+done
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi # $ac_x_libraries = no
+
+if test "$ac_x_includes" = no || test "$ac_x_libraries" = no; then
+  # Didn't find X anywhere.  Cache the known absence of X.
+  ac_cv_have_x="have_x=no"
+else
+  # Record where we found X for the cache.
+  ac_cv_have_x="have_x=yes \
+	        ac_x_includes=$ac_x_includes ac_x_libraries=$ac_x_libraries"
+fi
+fi
+  fi
+  eval "$ac_cv_have_x"
+fi # $with_x != no
+
+if test "$have_x" != yes; then
+  echo "$as_me:12605: result: $have_x" >&5
+echo "${ECHO_T}$have_x" >&6
+  no_x=yes
+else
+  # If each of the values was on the command line, it overrides each guess.
+  test "x$x_includes" = xNONE && x_includes=$ac_x_includes
+  test "x$x_libraries" = xNONE && x_libraries=$ac_x_libraries
+  # Update the cache value to reflect the command line values.
+  ac_cv_have_x="have_x=yes \
+		ac_x_includes=$x_includes ac_x_libraries=$x_libraries"
+  echo "$as_me:12615: result: libraries $x_libraries, headers $x_includes" >&5
+echo "${ECHO_T}libraries $x_libraries, headers $x_includes" >&6
+fi
+
+if test "$no_x" = yes; then
+  # Not all programs may use this symbol, but it does not hurt to define it.
+
+cat >>confdefs.h <<\EOF
+#define X_DISPLAY_MISSING 1
+EOF
+
+  X_CFLAGS= X_PRE_LIBS= X_LIBS= X_EXTRA_LIBS=
+else
+  if test -n "$x_includes"; then
+    X_CFLAGS="$X_CFLAGS -I$x_includes"
+  fi
+
+  # It would also be nice to do this for all -L options, not just this one.
+  if test -n "$x_libraries"; then
+    X_LIBS="$X_LIBS -L$x_libraries"
+    # For Solaris; some versions of Sun CC require a space after -R and
+    # others require no space.  Words are not sufficient . . . .
+    case `(uname -sr) 2>/dev/null` in
+    "SunOS 5"*)
+      echo "$as_me:12639: checking whether -R must be followed by a space" >&5
+echo $ECHO_N "checking whether -R must be followed by a space... $ECHO_C" >&6
+      ac_xsave_LIBS=$LIBS; LIBS="$LIBS -R$x_libraries"
+      cat >conftest.$ac_ext <<_ACEOF
+#line 12643 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12655: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_R_nospace=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_R_nospace=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+      if test $ac_R_nospace = yes; then
+	echo "$as_me:12664: result: no" >&5
+echo "${ECHO_T}no" >&6
+	X_LIBS="$X_LIBS -R$x_libraries"
+      else
+	LIBS="$ac_xsave_LIBS -R $x_libraries"
+	cat >conftest.$ac_ext <<_ACEOF
+#line 12670 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12682: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_R_space=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_R_space=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	if test $ac_R_space = yes; then
+	  echo "$as_me:12691: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	  X_LIBS="$X_LIBS -R $x_libraries"
+	else
+	  echo "$as_me:12695: result: neither works" >&5
+echo "${ECHO_T}neither works" >&6
+	fi
+      fi
+      LIBS=$ac_xsave_LIBS
+    esac
+  fi
+
+  # Check for system-dependent libraries X programs must link with.
+  # Do this before checking for the system-independent R6 libraries
+  # (-lICE), since we may need -lsocket or whatever for X linking.
+
+  if test "$ISC" = yes; then
+    X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl_s -linet"
+  else
+    # Martyn Johnson says this is needed for Ultrix, if the X
+    # libraries were built with DECnet support.  And Karl Berry says
+    # the Alpha needs dnet_stub (dnet does not exist).
+
+echo "$as_me:12714: checking for dnet_ntoa in -ldnet" >&5
+echo $ECHO_N "checking for dnet_ntoa in -ldnet... $ECHO_C" >&6
+if test "${ac_cv_lib_dnet_dnet_ntoa+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldnet  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 12722 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char dnet_ntoa ();
+int
+main ()
+{
+dnet_ntoa ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12741: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_dnet_dnet_ntoa=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_dnet_dnet_ntoa=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:12751: result: $ac_cv_lib_dnet_dnet_ntoa" >&5
+echo "${ECHO_T}$ac_cv_lib_dnet_dnet_ntoa" >&6
+if test $ac_cv_lib_dnet_dnet_ntoa = yes; then
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet"
+fi
+
+    if test $ac_cv_lib_dnet_dnet_ntoa = no; then
+
+echo "$as_me:12759: checking for dnet_ntoa in -ldnet_stub" >&5
+echo $ECHO_N "checking for dnet_ntoa in -ldnet_stub... $ECHO_C" >&6
+if test "${ac_cv_lib_dnet_stub_dnet_ntoa+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldnet_stub  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 12767 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char dnet_ntoa ();
+int
+main ()
+{
+dnet_ntoa ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12786: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_dnet_stub_dnet_ntoa=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_dnet_stub_dnet_ntoa=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:12796: result: $ac_cv_lib_dnet_stub_dnet_ntoa" >&5
+echo "${ECHO_T}$ac_cv_lib_dnet_stub_dnet_ntoa" >&6
+if test $ac_cv_lib_dnet_stub_dnet_ntoa = yes; then
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet_stub"
+fi
+
+    fi
+
+    # msh@cis.ufl.edu says -lnsl (and -lsocket) are needed for his 386/AT,
+    # to get the SysV transport functions.
+    # Chad R. Larson says the Pyramis MIS-ES running DC/OSx (SVR4)
+    # needs -lnsl.
+    # The nsl library prevents programs from opening the X display
+    # on Irix 5.2, according to T.E. Dickey.
+    # The functions gethostbyname, getservbyname, and inet_addr are
+    # in -lbsd on LynxOS 3.0.1/i386, according to Lars Hecking.
+    echo "$as_me:12812: checking for gethostbyname" >&5
+echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6
+if test "${ac_cv_func_gethostbyname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12818 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char gethostbyname (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char gethostbyname ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_gethostbyname) || defined (__stub___gethostbyname)
+choke me
+#else
+f = gethostbyname;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12849: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_func_gethostbyname=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_gethostbyname=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:12858: result: $ac_cv_func_gethostbyname" >&5
+echo "${ECHO_T}$ac_cv_func_gethostbyname" >&6
+
+    if test $ac_cv_func_gethostbyname = no; then
+
+echo "$as_me:12863: checking for gethostbyname in -lnsl" >&5
+echo $ECHO_N "checking for gethostbyname in -lnsl... $ECHO_C" >&6
+if test "${ac_cv_lib_nsl_gethostbyname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lnsl  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 12871 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char gethostbyname ();
+int
+main ()
+{
+gethostbyname ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12890: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_nsl_gethostbyname=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_nsl_gethostbyname=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:12900: result: $ac_cv_lib_nsl_gethostbyname" >&5
+echo "${ECHO_T}$ac_cv_lib_nsl_gethostbyname" >&6
+if test $ac_cv_lib_nsl_gethostbyname = yes; then
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl"
+fi
+
+      if test $ac_cv_lib_nsl_gethostbyname = no; then
+
+echo "$as_me:12908: checking for gethostbyname in -lbsd" >&5
+echo $ECHO_N "checking for gethostbyname in -lbsd... $ECHO_C" >&6
+if test "${ac_cv_lib_bsd_gethostbyname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lbsd  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 12916 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char gethostbyname ();
+int
+main ()
+{
+gethostbyname ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12935: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_bsd_gethostbyname=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_bsd_gethostbyname=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:12945: result: $ac_cv_lib_bsd_gethostbyname" >&5
+echo "${ECHO_T}$ac_cv_lib_bsd_gethostbyname" >&6
+if test $ac_cv_lib_bsd_gethostbyname = yes; then
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lbsd"
+fi
+
+      fi
+    fi
+
+    # lieder@skyler.mavd.honeywell.com says without -lsocket,
+    # socket/setsockopt and other routines are undefined under SCO ODT
+    # 2.0.  But -lsocket is broken on IRIX 5.2 (and is not necessary
+    # on later versions), says Simon Leinen: it contains gethostby*
+    # variants that don't use the nameserver (or something).  -lsocket
+    # must be given before -lnsl if both are needed.  We assume that
+    # if connect needs -lnsl, so does gethostbyname.
+    echo "$as_me:12961: checking for connect" >&5
+echo $ECHO_N "checking for connect... $ECHO_C" >&6
+if test "${ac_cv_func_connect+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 12967 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char connect (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char connect ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_connect) || defined (__stub___connect)
+choke me
+#else
+f = connect;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:12998: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_func_connect=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_connect=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:13007: result: $ac_cv_func_connect" >&5
+echo "${ECHO_T}$ac_cv_func_connect" >&6
+
+    if test $ac_cv_func_connect = no; then
+
+echo "$as_me:13012: checking for connect in -lsocket" >&5
+echo $ECHO_N "checking for connect in -lsocket... $ECHO_C" >&6
+if test "${ac_cv_lib_socket_connect+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsocket $X_EXTRA_LIBS $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 13020 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char connect ();
+int
+main ()
+{
+connect ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13039: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_socket_connect=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_socket_connect=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:13049: result: $ac_cv_lib_socket_connect" >&5
+echo "${ECHO_T}$ac_cv_lib_socket_connect" >&6
+if test $ac_cv_lib_socket_connect = yes; then
+  X_EXTRA_LIBS="-lsocket $X_EXTRA_LIBS"
+fi
+
+    fi
+
+    # Guillermo Gomez says -lposix is necessary on A/UX.
+    echo "$as_me:13058: checking for remove" >&5
+echo $ECHO_N "checking for remove... $ECHO_C" >&6
+if test "${ac_cv_func_remove+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13064 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char remove (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char remove ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_remove) || defined (__stub___remove)
+choke me
+#else
+f = remove;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13095: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_func_remove=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_remove=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:13104: result: $ac_cv_func_remove" >&5
+echo "${ECHO_T}$ac_cv_func_remove" >&6
+
+    if test $ac_cv_func_remove = no; then
+
+echo "$as_me:13109: checking for remove in -lposix" >&5
+echo $ECHO_N "checking for remove in -lposix... $ECHO_C" >&6
+if test "${ac_cv_lib_posix_remove+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lposix  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 13117 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char remove ();
+int
+main ()
+{
+remove ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13136: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_posix_remove=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_posix_remove=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:13146: result: $ac_cv_lib_posix_remove" >&5
+echo "${ECHO_T}$ac_cv_lib_posix_remove" >&6
+if test $ac_cv_lib_posix_remove = yes; then
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lposix"
+fi
+
+    fi
+
+    # BSDI BSD/OS 2.1 needs -lipc for XOpenDisplay.
+    echo "$as_me:13155: checking for shmat" >&5
+echo $ECHO_N "checking for shmat... $ECHO_C" >&6
+if test "${ac_cv_func_shmat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13161 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char shmat (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char shmat ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_shmat) || defined (__stub___shmat)
+choke me
+#else
+f = shmat;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13192: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_func_shmat=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_shmat=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:13201: result: $ac_cv_func_shmat" >&5
+echo "${ECHO_T}$ac_cv_func_shmat" >&6
+
+    if test $ac_cv_func_shmat = no; then
+
+echo "$as_me:13206: checking for shmat in -lipc" >&5
+echo $ECHO_N "checking for shmat in -lipc... $ECHO_C" >&6
+if test "${ac_cv_lib_ipc_shmat+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lipc  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 13214 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char shmat ();
+int
+main ()
+{
+shmat ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13233: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_ipc_shmat=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_ipc_shmat=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:13243: result: $ac_cv_lib_ipc_shmat" >&5
+echo "${ECHO_T}$ac_cv_lib_ipc_shmat" >&6
+if test $ac_cv_lib_ipc_shmat = yes; then
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lipc"
+fi
+
+    fi
+  fi
+
+  # Check for libraries that X11R6 Xt/Xaw programs need.
+  ac_save_LDFLAGS=$LDFLAGS
+  test -n "$x_libraries" && LDFLAGS="$LDFLAGS -L$x_libraries"
+  # SM needs ICE to (dynamically) link under SunOS 4.x (so we have to
+  # check for ICE first), but we must link in the order -lSM -lICE or
+  # we get undefined symbols.  So assume we have SM if we have ICE.
+  # These have to be linked with before -lX11, unlike the other
+  # libraries we check for below, so use a different variable.
+  # John Interrante, Karl Berry
+
+echo "$as_me:13262: checking for IceConnectionNumber in -lICE" >&5
+echo $ECHO_N "checking for IceConnectionNumber in -lICE... $ECHO_C" >&6
+if test "${ac_cv_lib_ICE_IceConnectionNumber+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lICE $X_EXTRA_LIBS $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 13270 "configure"
+#include "confdefs.h"
+
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char IceConnectionNumber ();
+int
+main ()
+{
+IceConnectionNumber ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13289: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_ICE_IceConnectionNumber=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_ICE_IceConnectionNumber=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:13299: result: $ac_cv_lib_ICE_IceConnectionNumber" >&5
+echo "${ECHO_T}$ac_cv_lib_ICE_IceConnectionNumber" >&6
+if test $ac_cv_lib_ICE_IceConnectionNumber = yes; then
+  X_PRE_LIBS="$X_PRE_LIBS -lSM -lICE"
+fi
+
+  LDFLAGS=$ac_save_LDFLAGS
+
+fi
+
+# try to figure out if we need any additional ld flags, like -R
+# and yes, the autoconf X test is utterly broken
+if test "$no_x" != yes; then
+	echo "$as_me:13312: checking for special X linker flags" >&5
+echo $ECHO_N "checking for special X linker flags... $ECHO_C" >&6
+if test "${krb_cv_sys_x_libs_rpath+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+	ac_save_libs="$LIBS"
+	ac_save_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS $X_CFLAGS"
+	krb_cv_sys_x_libs_rpath=""
+	krb_cv_sys_x_libs=""
+	for rflag in "" "-R" "-R " "-rpath "; do
+		if test "$rflag" = ""; then
+			foo="$X_LIBS"
+		else
+			foo=""
+			for flag in $X_LIBS; do
+			case $flag in
+			-L*)
+				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
+				;;
+			*)
+				foo="$foo $flag"
+				;;
+			esac
+			done
+		fi
+		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
+		if test "$cross_compiling" = yes; then
+  {  echo "$as_me: error: cannot run test program while cross compiling" >&2
+  { (exit 1); exit; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13345 "configure"
+#include "confdefs.h"
+
+		#include <X11/Xlib.h>
+		foo()
+		{
+		XOpenDisplay(NULL);
+		}
+		main()
+		{
+		return 0;
+		}
+
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:13360: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+:
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+	done
+	LIBS="$ac_save_libs"
+	CFLAGS="$ac_save_cflags"
+
+fi
+echo "$as_me:13380: result: $krb_cv_sys_x_libs_rpath" >&5
+echo "${ECHO_T}$krb_cv_sys_x_libs_rpath" >&6
+	X_LIBS="$krb_cv_sys_x_libs"
+fi
+
+if test "$no_x" != yes; then
+  HAVE_X_TRUE=
+  HAVE_X_FALSE='#'
+else
+  HAVE_X_TRUE='#'
+  HAVE_X_FALSE=
+fi
+
+save_CFLAGS="$CFLAGS"
+CFLAGS="$X_CFLAGS $CFLAGS"
+save_LIBS="$LIBS"
+LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $X_LIBS"
+
+echo "$as_me:13400: checking for XauWriteAuth" >&5
+echo $ECHO_N "checking for XauWriteAuth... $ECHO_C" >&6
+if test "${ac_cv_funclib_XauWriteAuth+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_XauWriteAuth\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" X11 Xau; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 13416 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+XauWriteAuth()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13428: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauWriteAuth=$ac_lib; else ac_cv_funclib_XauWriteAuth=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_XauWriteAuth=\${ac_cv_funclib_XauWriteAuth-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_XauWriteAuth"
+
+if false; then
+
+for ac_func in XauWriteAuth
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:13449: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13455 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13486: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:13495: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# XauWriteAuth
+eval "ac_tr_func=HAVE_`echo XauWriteAuth | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_XauWriteAuth=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_XauWriteAuth=yes"
+	eval "LIB_XauWriteAuth="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:13519: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_XauWriteAuth=no"
+	eval "LIB_XauWriteAuth="
+	echo "$as_me:13525: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_XauWriteAuth=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:13539: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+ac_xxx="$LIBS"
+LIBS="$LIB_XauWriteAuth $LIBS"
+
+echo "$as_me:13547: checking for XauReadAuth" >&5
+echo $ECHO_N "checking for XauReadAuth... $ECHO_C" >&6
+if test "${ac_cv_funclib_XauReadAuth+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_XauReadAuth\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" X11 Xau; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 13563 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+XauReadAuth()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13575: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauReadAuth=$ac_lib; else ac_cv_funclib_XauReadAuth=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_XauReadAuth=\${ac_cv_funclib_XauReadAuth-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_XauReadAuth"
+
+if false; then
+
+for ac_func in XauReadAuth
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:13596: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13602 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13633: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:13642: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# XauReadAuth
+eval "ac_tr_func=HAVE_`echo XauReadAuth | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_XauReadAuth=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_XauReadAuth=yes"
+	eval "LIB_XauReadAuth="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:13666: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_XauReadAuth=no"
+	eval "LIB_XauReadAuth="
+	echo "$as_me:13672: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_XauReadAuth=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:13686: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+LIBS="$LIB_XauReadAauth $LIBS"
+
+echo "$as_me:13693: checking for XauFileName" >&5
+echo $ECHO_N "checking for XauFileName... $ECHO_C" >&6
+if test "${ac_cv_funclib_XauFileName+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_XauFileName\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" X11 Xau; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 13709 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+XauFileName()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13721: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauFileName=$ac_lib; else ac_cv_funclib_XauFileName=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_XauFileName=\${ac_cv_funclib_XauFileName-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_XauFileName"
+
+if false; then
+
+for ac_func in XauFileName
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:13742: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13748 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:13779: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:13788: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# XauFileName
+eval "ac_tr_func=HAVE_`echo XauFileName | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_XauFileName=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_XauFileName=yes"
+	eval "LIB_XauFileName="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:13812: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_XauFileName=no"
+	eval "LIB_XauFileName="
+	echo "$as_me:13818: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_XauFileName=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:13832: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+LIBS="$ac_xxx"
+
+case "$ac_cv_funclib_XauWriteAuth" in
+yes)	;;
+no)	;;
+*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	else
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	fi
+	;;
+esac
+
+if test "$AUTOMAKE" != ""; then
+
+if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+  NEED_WRITEAUTH_TRUE=
+  NEED_WRITEAUTH_FALSE='#'
+else
+  NEED_WRITEAUTH_TRUE='#'
+  NEED_WRITEAUTH_FALSE=
+fi
+else
+
+	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+		NEED_WRITEAUTH_TRUE=
+		NEED_WRITEAUTH_FALSE='#'
+	else
+		NEED_WRITEAUTH_TRUE='#'
+		NEED_WRITEAUTH_FALSE=
+	fi
+fi
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+LDFLAGS=$save_LDFLAGS
+
+echo "$as_me:13881: checking for an ANSI C-conforming const" >&5
+echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
+if test "${ac_cv_c_const+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13887 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+/* FIXME: Include the comments suggested by Paul. */
+#ifndef __cplusplus
+  /* Ultrix mips cc rejects this.  */
+  typedef int charset[2];
+  const charset x;
+  /* SunOS 4.1.1 cc rejects this.  */
+  char const *const *ccp;
+  char **p;
+  /* NEC SVR4.0.2 mips cc rejects this.  */
+  struct point {int x, y;};
+  static struct point const zero = {0,0};
+  /* AIX XL C 1.02.0.0 rejects this.
+     It does not let you subtract one const X* pointer from another in
+     an arm of an if-expression whose if-part is not a constant
+     expression */
+  const char *g = "string";
+  ccp = &g + (g ? g-g : 0);
+  /* HPUX 7.0 cc rejects these. */
+  ++ccp;
+  p = (char**) ccp;
+  ccp = (char const *const *) p;
+  { /* SCO 3.2v4 cc rejects this.  */
+    char *t;
+    char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+    *t++ = 0;
+  }
+  { /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
+    int x[] = {25, 17};
+    const int *foo = &x[0];
+    ++foo;
+  }
+  { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
+    typedef const int *iptr;
+    iptr p = 0;
+    ++p;
+  }
+  { /* AIX XL C 1.02.0.0 rejects this saying
+       "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+    struct s { int j; const int *ap[3]; };
+    struct s *b; b->j = 5;
+  }
+  { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+    const int foo = 10;
+  }
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:13945: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_c_const=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_c_const=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:13954: result: $ac_cv_c_const" >&5
+echo "${ECHO_T}$ac_cv_c_const" >&6
+if test $ac_cv_c_const = no; then
+
+cat >>confdefs.h <<\EOF
+#define const
+EOF
+
+fi
+
+echo "$as_me:13964: checking for off_t" >&5
+echo $ECHO_N "checking for off_t... $ECHO_C" >&6
+if test "${ac_cv_type_off_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 13970 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((off_t *) 0)
+  return 0;
+if (sizeof (off_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:13985: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_off_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_off_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:13994: result: $ac_cv_type_off_t" >&5
+echo "${ECHO_T}$ac_cv_type_off_t" >&6
+if test $ac_cv_type_off_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<EOF
+#define off_t long
+EOF
+
+fi
+
+echo "$as_me:14006: checking for size_t" >&5
+echo $ECHO_N "checking for size_t... $ECHO_C" >&6
+if test "${ac_cv_type_size_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14012 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((size_t *) 0)
+  return 0;
+if (sizeof (size_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:14027: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_size_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_size_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:14036: result: $ac_cv_type_size_t" >&5
+echo "${ECHO_T}$ac_cv_type_size_t" >&6
+if test $ac_cv_type_size_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<EOF
+#define size_t unsigned
+EOF
+
+fi
+
+echo "$as_me:14048: checking for ssize_t" >&5
+echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6
+if test "${ac_cv_type_ssize_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14054 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <unistd.h>
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ssize_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  ac_cv_type_ssize_t=yes
+else
+  ac_cv_type_ssize_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:14072: result: $ac_cv_type_ssize_t" >&5
+echo "${ECHO_T}$ac_cv_type_ssize_t" >&6
+if test $ac_cv_type_ssize_t = no; then
+
+cat >>confdefs.h <<\EOF
+#define ssize_t int
+EOF
+
+fi
+
+echo "$as_me:14082: checking for pid_t" >&5
+echo $ECHO_N "checking for pid_t... $ECHO_C" >&6
+if test "${ac_cv_type_pid_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14088 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((pid_t *) 0)
+  return 0;
+if (sizeof (pid_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:14103: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_pid_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_pid_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:14112: result: $ac_cv_type_pid_t" >&5
+echo "${ECHO_T}$ac_cv_type_pid_t" >&6
+if test $ac_cv_type_pid_t = yes; then
+  :
+else
+
+cat >>confdefs.h <<EOF
+#define pid_t int
+EOF
+
+fi
+
+echo "$as_me:14124: checking for uid_t in sys/types.h" >&5
+echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6
+if test "${ac_cv_type_uid_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14130 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "uid_t" >/dev/null 2>&1; then
+  ac_cv_type_uid_t=yes
+else
+  ac_cv_type_uid_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:14144: result: $ac_cv_type_uid_t" >&5
+echo "${ECHO_T}$ac_cv_type_uid_t" >&6
+if test $ac_cv_type_uid_t = no; then
+
+cat >>confdefs.h <<\EOF
+#define uid_t int
+EOF
+
+cat >>confdefs.h <<\EOF
+#define gid_t int
+EOF
+
+fi
+
+echo "$as_me:14158: checking for mode_t" >&5
+echo $ECHO_N "checking for mode_t... $ECHO_C" >&6
+if test "${ac_cv_type_mode_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14164 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "mode_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  ac_cv_type_mode_t=yes
+else
+  ac_cv_type_mode_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:14182: result: $ac_cv_type_mode_t" >&5
+echo "${ECHO_T}$ac_cv_type_mode_t" >&6
+if test $ac_cv_type_mode_t = no; then
+
+cat >>confdefs.h <<\EOF
+#define mode_t unsigned short
+EOF
+
+fi
+
+echo "$as_me:14192: checking for sig_atomic_t" >&5
+echo $ECHO_N "checking for sig_atomic_t... $ECHO_C" >&6
+if test "${ac_cv_type_sig_atomic_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14198 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <signal.h>
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "sig_atomic_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  ac_cv_type_sig_atomic_t=yes
+else
+  ac_cv_type_sig_atomic_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:14216: result: $ac_cv_type_sig_atomic_t" >&5
+echo "${ECHO_T}$ac_cv_type_sig_atomic_t" >&6
+if test $ac_cv_type_sig_atomic_t = no; then
+
+cat >>confdefs.h <<\EOF
+#define sig_atomic_t int
+EOF
+
+fi
+
+cv=`echo "long long" | sed 'y%./+- %__p__%'`
+echo "$as_me:14227: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14233 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+
+int
+main ()
+{
+long long foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:14250: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:14260: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo long long | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:14265: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6
+if test "${ac_cv_type_long_long+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14271 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((long long *) 0)
+  return 0;
+if (sizeof (long long))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:14286: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_long_long=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_long_long=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:14295: result: $ac_cv_type_long_long" >&5
+echo "${ECHO_T}$ac_cv_type_long_long" >&6
+if test $ac_cv_type_long_long = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_LONG_LONG 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+echo "$as_me:14313: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
+if test "${ac_cv_header_time+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14319 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+
+int
+main ()
+{
+struct tm *tp;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:14334: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_header_time=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_header_time=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:14343: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6
+if test $ac_cv_header_time = yes; then
+
+cat >>confdefs.h <<\EOF
+#define TIME_WITH_SYS_TIME 1
+EOF
+
+fi
+
+echo "$as_me:14353: checking whether struct tm is in sys/time.h or time.h" >&5
+echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6
+if test "${ac_cv_struct_tm+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14359 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <time.h>
+
+int
+main ()
+{
+struct tm *tp; tp->tm_sec;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:14373: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_struct_tm=time.h
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_struct_tm=sys/time.h
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:14382: result: $ac_cv_struct_tm" >&5
+echo "${ECHO_T}$ac_cv_struct_tm" >&6
+if test $ac_cv_struct_tm = sys/time.h; then
+
+cat >>confdefs.h <<\EOF
+#define TM_IN_SYS_TIME 1
+EOF
+
+fi
+
+echo "$as_me:14392: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+if test "${ac_cv_header_stdc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14398 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:14407: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  ac_cv_header_stdc=yes
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14430 "configure"
+#include "confdefs.h"
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "memchr" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14448 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "free" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+  if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14469 "configure"
+#include "confdefs.h"
+#include <ctype.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) (('a' <= (c) && (c) <= 'i') \
+                     || ('j' <= (c) && (c) <= 'r') \
+                     || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
+
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+  int i;
+  for (i = 0; i < 256; i++)
+    if (XOR (islower (i), ISLOWER (i))
+        || toupper (i) != TOUPPER (i))
+      exit(2);
+  exit (0);
+}
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:14495: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_header_stdc=no
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+fi
+echo "$as_me:14512: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6
+if test $ac_cv_header_stdc = yes; then
+
+cat >>confdefs.h <<\EOF
+#define STDC_HEADERS 1
+EOF
+
+fi
+
+for ac_header in \
+	arpa/ftp.h				\
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	arpa/telnet.h				\
+	bind/bitypes.h				\
+	bsdsetjmp.h				\
+	crypt.h					\
+	curses.h				\
+	dbm.h					\
+	dirent.h				\
+	dlfcn.h					\
+	err.h					\
+	errno.h					\
+	fcntl.h					\
+	fnmatch.h				\
+	gdbm/ndbm.h				\
+	grp.h					\
+	inttypes.h				\
+	io.h					\
+	limits.h				\
+	maillock.h				\
+	ndbm.h					\
+	net/if.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6.h				\
+	netinet/in6_machtypes.h			\
+	netinet/in6_var.h			\
+	netinet/in_systm.h			\
+	netinet6/in6.h				\
+	netinfo/ni.h				\
+	paths.h					\
+	pthread.h				\
+	pty.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	sac.h					\
+	security/pam_modules.h			\
+	sgtty.h					\
+	shadow.h				\
+	siad.h					\
+	signal.h				\
+	stropts.h				\
+	sys/bitypes.h				\
+	sys/category.h				\
+	sys/file.h				\
+	sys/filio.h				\
+	sys/ioccom.h				\
+	sys/ioctl.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/pty.h				\
+	sys/ptyio.h				\
+	sys/ptyvar.h				\
+	sys/resource.h				\
+	sys/select.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/str_tty.h				\
+	sys/stream.h				\
+	sys/stropts.h				\
+	sys/strtty.h				\
+	sys/syscall.h				\
+	sys/sysctl.h				\
+	sys/termio.h				\
+	sys/time.h				\
+	sys/timeb.h				\
+	sys/times.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/un.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	term.h					\
+	termio.h				\
+	termios.h				\
+	time.h					\
+	tmpdir.h				\
+	udb.h					\
+	unistd.h				\
+	userconf.h				\
+	usersec.h				\
+	util.h					\
+	utmp.h					\
+	utmpx.h					\
+
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+
+echo "$as_me:14616: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14622 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:14628: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:14649: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+for ac_header in standards.h
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+
+echo "$as_me:14663: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14669 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:14675: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:14696: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+echo "$as_me:14710: checking for $i" >&5
+echo $ECHO_N "checking for $i... $ECHO_C" >&6
+if eval "test \"\${ac_cv_header_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14716 "configure"
+#include "confdefs.h"
+\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:14726: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "ac_cv_header_$cv=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_header_$cv=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:14747: result: `eval echo '${'ac_cv_header_$cv'}'`" >&5
+echo "${ECHO_T}`eval echo '${'ac_cv_header_$cv'}'`" >&6
+ac_res=`eval echo \\$ac_cv_header_$cv`
+if test "$ac_res" = yes; then
+	ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+	cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+done
+if false;then
+
+for ac_header in netinet/ip.h netinet/tcp.h
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+
+echo "$as_me:14764: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14770 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:14776: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:14797: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+
+# Check whether --enable-netinfo or --disable-netinfo was given.
+if test "${enable_netinfo+set}" = set; then
+  enableval="$enable_netinfo"
+
+fi;
+
+if test "$ac_cv_header_netinfo_ni_h" = yes -a "$enable_netinfo" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_NETINFO 1
+EOF
+
+fi
+
+if test "$ac_cv_header_err_h" = yes; then
+  have_err_h_TRUE=
+  have_err_h_FALSE='#'
+else
+  have_err_h_TRUE='#'
+  have_err_h_FALSE=
+fi
+
+if test "$ac_cv_header_fnmatch_h" = yes; then
+  have_fnmatch_h_TRUE=
+  have_fnmatch_h_FALSE='#'
+else
+  have_fnmatch_h_TRUE='#'
+  have_fnmatch_h_FALSE=
+fi
+
+# Check whether --with-ipv6 or --without-ipv6 was given.
+if test "${with_ipv6+set}" = set; then
+  withval="$with_ipv6"
+
+if test "$withval" = "no"; then
+	ac_cv_lib_ipv6=no
+fi
+fi;
+save_CFLAGS="${CFLAGS}"
+if test "${ac_cv_lib_ipv6+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  v6type=unknown
+v6lib=none
+
+echo "$as_me:14854: checking ipv6 stack type" >&5
+echo $ECHO_N "checking ipv6 stack type... $ECHO_C" >&6
+for i in v6d toshiba kame inria zeta linux; do
+	case $i in
+	v6d)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 14860 "configure"
+#include "confdefs.h"
+
+#include </usr/local/v6/include/sys/types.h>
+#ifdef __V6D__
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=v6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-I/usr/local/v6/include $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	toshiba)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 14879 "configure"
+#include "confdefs.h"
+
+#include <sys/param.h>
+#ifdef _TOSHIBA_INET6
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	kame)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 14898 "configure"
+#include "confdefs.h"
+
+#include <netinet/in.h>
+#ifdef __KAME__
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	inria)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 14917 "configure"
+#include "confdefs.h"
+
+#include <netinet/in.h>
+#ifdef IPV6_INRIA_VERSION
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	zeta)
+		cat >conftest.$ac_ext <<_ACEOF
+#line 14934 "configure"
+#include "confdefs.h"
+
+#include <sys/param.h>
+#ifdef _ZETA_MINAMI_INET6
+yes
+#endif
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  v6type=$i; v6lib=inet6;
+			v6libdir=/usr/local/v6/lib;
+			CFLAGS="-DINET6 $CFLAGS"
+fi
+rm -f conftest*
+
+		;;
+	linux)
+		if test -d /usr/inet6; then
+			v6type=$i
+			v6lib=inet6
+			v6libdir=/usr/inet6
+			CFLAGS="-DINET6 $CFLAGS"
+		fi
+		;;
+	esac
+	if test "$v6type" != "unknown"; then
+		break
+	fi
+done
+echo "$as_me:14964: result: $v6type" >&5
+echo "${ECHO_T}$v6type" >&6
+
+if test "$v6lib" != "none"; then
+	for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do
+		if test -d $dir -a -f $dir/lib$v6lib.a; then
+			LIBS="-L$dir -l$v6lib $LIBS"
+			break
+		fi
+	done
+fi
+cat >conftest.$ac_ext <<_ACEOF
+#line 14976 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+
+int
+main ()
+{
+
+ struct sockaddr_in6 sin6;
+ int s;
+
+ s = socket(AF_INET6, SOCK_DGRAM, 0);
+
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_port = htons(17);
+ sin6.sin6_addr = in6addr_any;
+ bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15011: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_lib_ipv6=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_lib_ipv6=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+echo "$as_me:15021: checking for IPv6" >&5
+echo $ECHO_N "checking for IPv6... $ECHO_C" >&6
+echo "$as_me:15023: result: $ac_cv_lib_ipv6" >&5
+echo "${ECHO_T}$ac_cv_lib_ipv6" >&6
+if test "$ac_cv_lib_ipv6" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_IPV6 1
+EOF
+
+else
+  CFLAGS="${save_CFLAGS}"
+fi
+
+echo "$as_me:15035: checking for socket" >&5
+echo $ECHO_N "checking for socket... $ECHO_C" >&6
+if test "${ac_cv_funclib_socket+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_socket\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" socket; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 15051 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+socket()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15063: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_socket=$ac_lib; else ac_cv_funclib_socket=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_socket=\${ac_cv_funclib_socket-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_socket"
+
+if false; then
+
+for ac_func in socket
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:15084: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15090 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15121: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:15130: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# socket
+eval "ac_tr_func=HAVE_`echo socket | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_socket=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_socket=yes"
+	eval "LIB_socket="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:15154: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_socket=no"
+	eval "LIB_socket="
+	echo "$as_me:15160: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_socket=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:15174: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_socket"; then
+	LIBS="$LIB_socket $LIBS"
+fi
+
+echo "$as_me:15183: checking for gethostbyname" >&5
+echo $ECHO_N "checking for gethostbyname... $ECHO_C" >&6
+if test "${ac_cv_funclib_gethostbyname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_gethostbyname\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" nsl; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 15199 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+gethostbyname()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15211: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname=$ac_lib; else ac_cv_funclib_gethostbyname=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_gethostbyname=\${ac_cv_funclib_gethostbyname-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_gethostbyname"
+
+if false; then
+
+for ac_func in gethostbyname
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:15232: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15238 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15269: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:15278: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# gethostbyname
+eval "ac_tr_func=HAVE_`echo gethostbyname | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_gethostbyname=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_gethostbyname=yes"
+	eval "LIB_gethostbyname="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:15302: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_gethostbyname=no"
+	eval "LIB_gethostbyname="
+	echo "$as_me:15308: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_gethostbyname=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:15322: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_gethostbyname"; then
+	LIBS="$LIB_gethostbyname $LIBS"
+fi
+
+echo "$as_me:15331: checking for syslog" >&5
+echo $ECHO_N "checking for syslog... $ECHO_C" >&6
+if test "${ac_cv_funclib_syslog+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_syslog\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" syslog; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 15347 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+syslog()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15359: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_syslog=$ac_lib; else ac_cv_funclib_syslog=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_syslog=\${ac_cv_funclib_syslog-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_syslog"
+
+if false; then
+
+for ac_func in syslog
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:15380: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15386 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15417: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:15426: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# syslog
+eval "ac_tr_func=HAVE_`echo syslog | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_syslog=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_syslog=yes"
+	eval "LIB_syslog="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:15450: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_syslog=no"
+	eval "LIB_syslog="
+	echo "$as_me:15456: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_syslog=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:15470: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_syslog"; then
+	LIBS="$LIB_syslog $LIBS"
+fi
+
+echo "$as_me:15479: checking for logwtmp" >&5
+echo $ECHO_N "checking for logwtmp... $ECHO_C" >&6
+if test "${ac_cv_funclib_logwtmp+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_logwtmp\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" util; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 15495 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+logwtmp()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15507: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_logwtmp=$ac_lib; else ac_cv_funclib_logwtmp=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_logwtmp=\${ac_cv_funclib_logwtmp-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_logwtmp"
+
+if false; then
+
+for ac_func in logwtmp
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:15528: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15534 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15565: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:15574: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# logwtmp
+eval "ac_tr_func=HAVE_`echo logwtmp | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_logwtmp=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_logwtmp=yes"
+	eval "LIB_logwtmp="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:15598: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_logwtmp=no"
+	eval "LIB_logwtmp="
+	echo "$as_me:15604: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_logwtmp=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:15618: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:15623: checking for tgetent" >&5
+echo $ECHO_N "checking for tgetent... $ECHO_C" >&6
+if test "${ac_cv_funclib_tgetent+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_tgetent\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" termcap ncurses curses; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 15639 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+tgetent()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15651: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_tgetent=$ac_lib; else ac_cv_funclib_tgetent=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_tgetent=\${ac_cv_funclib_tgetent-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_tgetent"
+
+if false; then
+
+for ac_func in tgetent
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:15672: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15678 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15709: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:15718: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# tgetent
+eval "ac_tr_func=HAVE_`echo tgetent | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_tgetent=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_tgetent=yes"
+	eval "LIB_tgetent="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:15742: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_tgetent=no"
+	eval "LIB_tgetent="
+	echo "$as_me:15748: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_tgetent=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:15762: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:15767: checking for gethostbyname2" >&5
+echo $ECHO_N "checking for gethostbyname2... $ECHO_C" >&6
+if test "${ac_cv_funclib_gethostbyname2+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_gethostbyname2\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" inet6 ip6; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 15783 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+gethostbyname2()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15795: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname2=$ac_lib; else ac_cv_funclib_gethostbyname2=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_gethostbyname2=\${ac_cv_funclib_gethostbyname2-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_gethostbyname2"
+
+if false; then
+
+for ac_func in gethostbyname2
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:15816: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15822 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15853: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:15862: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# gethostbyname2
+eval "ac_tr_func=HAVE_`echo gethostbyname2 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_gethostbyname2=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_gethostbyname2=yes"
+	eval "LIB_gethostbyname2="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:15886: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_gethostbyname2=no"
+	eval "LIB_gethostbyname2="
+	echo "$as_me:15892: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_gethostbyname2=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:15906: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_gethostbyname2"; then
+	LIBS="$LIB_gethostbyname2 $LIBS"
+fi
+
+echo "$as_me:15915: checking for res_search" >&5
+echo $ECHO_N "checking for res_search... $ECHO_C" >&6
+if test "${ac_cv_funclib_res_search+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_res_search\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 15931 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int
+main ()
+{
+res_search(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:15957: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_res_search=$ac_lib; else ac_cv_funclib_res_search=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_res_search=\${ac_cv_funclib_res_search-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_res_search"
+
+if false; then
+
+for ac_func in res_search
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:15978: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 15984 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:16015: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:16024: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# res_search
+eval "ac_tr_func=HAVE_`echo res_search | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_res_search=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_res_search=yes"
+	eval "LIB_res_search="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:16048: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_res_search=no"
+	eval "LIB_res_search="
+	echo "$as_me:16054: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_res_search=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:16068: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_res_search"; then
+	LIBS="$LIB_res_search $LIBS"
+fi
+
+echo "$as_me:16077: checking for dn_expand" >&5
+echo $ECHO_N "checking for dn_expand... $ECHO_C" >&6
+if test "${ac_cv_funclib_dn_expand+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_dn_expand\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16093 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int
+main ()
+{
+dn_expand(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:16119: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dn_expand=$ac_lib; else ac_cv_funclib_dn_expand=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_dn_expand=\${ac_cv_funclib_dn_expand-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_dn_expand"
+
+if false; then
+
+for ac_func in dn_expand
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:16140: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16146 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:16177: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:16186: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# dn_expand
+eval "ac_tr_func=HAVE_`echo dn_expand | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dn_expand=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dn_expand=yes"
+	eval "LIB_dn_expand="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:16210: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_dn_expand=no"
+	eval "LIB_dn_expand="
+	echo "$as_me:16216: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_dn_expand=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:16230: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test -n "$LIB_dn_expand"; then
+	LIBS="$LIB_dn_expand $LIBS"
+fi
+
+echo "$as_me:16239: checking for working snprintf" >&5
+echo $ECHO_N "checking for working snprintf... $ECHO_C" >&6
+if test "${ac_cv_func_snprintf_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_func_snprintf_working=yes
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16249 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+	char foo[3];
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:16262: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_snprintf_working=no
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+echo "$as_me:16278: result: $ac_cv_func_snprintf_working" >&5
+echo "${ECHO_T}$ac_cv_func_snprintf_working" >&6
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_SNPRINTF 1
+EOF
+
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+
+if test "$ac_cv_func_snprintf+set" != set -o "$ac_cv_func_snprintf" = yes; then
+echo "$as_me:16291: checking if snprintf needs a prototype" >&5
+echo $ECHO_N "checking if snprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_snprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16297 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int snprintf (struct foo*);
+snprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:16312: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_snprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_snprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:16321: result: $ac_cv_func_snprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_snprintf_noproto" >&6
+
+if test "$ac_cv_func_snprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_SNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+echo "$as_me:16336: checking for working vsnprintf" >&5
+echo $ECHO_N "checking for working vsnprintf... $ECHO_C" >&6
+if test "${ac_cv_func_vsnprintf_working+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_func_vsnprintf_working=yes
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16346 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+int foo(int num, ...)
+{
+	char bar[3];
+	va_list arg;
+	va_start(arg, num);
+	vsnprintf(bar, 2, "%s", arg);
+	va_end(arg);
+	return strcmp(bar, "1");
+}
+
+int main()
+{
+	return foo(0, "12");
+}
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:16369: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_vsnprintf_working=no
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+echo "$as_me:16385: result: $ac_cv_func_vsnprintf_working" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf_working" >&6
+
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_VSNPRINTF 1
+EOF
+
+fi
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+
+if test "$ac_cv_func_vsnprintf+set" != set -o "$ac_cv_func_vsnprintf" = yes; then
+echo "$as_me:16398: checking if vsnprintf needs a prototype" >&5
+echo $ECHO_N "checking if vsnprintf needs a prototype... $ECHO_C" >&6
+if test "${ac_cv_func_vsnprintf_noproto+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16404 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+int
+main ()
+{
+struct foo { int foo; } xx;
+extern int vsnprintf (struct foo*);
+vsnprintf(&xx);
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:16419: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_func_vsnprintf_noproto=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_func_vsnprintf_noproto=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:16428: result: $ac_cv_func_vsnprintf_noproto" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf_noproto" >&6
+
+if test "$ac_cv_func_vsnprintf_noproto" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define NEED_VSNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+for ac_func in 				\
+	_getpty					\
+	_scrsize				\
+	fcntl					\
+	gettimeofday				\
+	getuid					\
+	grantpt					\
+	mktime					\
+	ptsname					\
+	rand					\
+	random					\
+	revoke					\
+	select					\
+	setitimer				\
+	setpcred				\
+	setpgid					\
+	setproctitle				\
+	setregid				\
+	setresgid				\
+	setresuid				\
+	setreuid				\
+	setsid					\
+	setutent				\
+	sigaction				\
+	strstr					\
+	timegm					\
+	ttyname					\
+	ttyslot					\
+	umask					\
+	unlockpt				\
+	vhangup					\
+	yp_get_default_domain			\
+
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:16478: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16484 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:16515: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:16524: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+for ac_header in capability.h sys/capability.h
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+
+echo "$as_me:16538: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16544 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:16550: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:16571: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+for ac_func in sgi_getcapabilitybyname cap_set_proc
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:16584: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16590 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:16621: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:16630: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+echo "$as_me:16640: checking for getpwnam_r" >&5
+echo $ECHO_N "checking for getpwnam_r... $ECHO_C" >&6
+if test "${ac_cv_funclib_getpwnam_r+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_getpwnam_r\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" c_r; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16656 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+getpwnam_r()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:16668: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getpwnam_r=$ac_lib; else ac_cv_funclib_getpwnam_r=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_getpwnam_r=\${ac_cv_funclib_getpwnam_r-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_getpwnam_r"
+
+if false; then
+
+for ac_func in getpwnam_r
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:16689: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16695 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:16726: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:16735: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# getpwnam_r
+eval "ac_tr_func=HAVE_`echo getpwnam_r | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_getpwnam_r=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_getpwnam_r=yes"
+	eval "LIB_getpwnam_r="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:16759: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_getpwnam_r=no"
+	eval "LIB_getpwnam_r="
+	echo "$as_me:16765: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_getpwnam_r=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:16779: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test "$ac_cv_func_getpwnam_r" = yes; then
+	echo "$as_me:16785: checking if getpwnam_r is posix" >&5
+echo $ECHO_N "checking if getpwnam_r is posix... $ECHO_C" >&6
+if test "${ac_cv_func_getpwnam_r_posix+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_libs="$LIBS"
+	LIBS="$LIBS $LIB_getpwnam_r"
+	if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16796 "configure"
+#include "confdefs.h"
+
+#include <pwd.h>
+int main()
+{
+	struct passwd pw, *pwd;
+	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
+}
+
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:16808: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  ac_cv_func_getpwnam_r_posix=yes
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_getpwnam_r_posix=no
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+LIBS="$ac_libs"
+fi
+echo "$as_me:16825: result: $ac_cv_func_getpwnam_r_posix" >&5
+echo "${ECHO_T}$ac_cv_func_getpwnam_r_posix" >&6
+if test "$ac_cv_func_getpwnam_r_posix" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define POSIX_GETPWNAM_R 1
+EOF
+
+fi
+fi
+
+echo "$as_me:16836: checking for getsockopt" >&5
+echo $ECHO_N "checking for getsockopt... $ECHO_C" >&6
+if test "${ac_cv_funclib_getsockopt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_getsockopt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 16852 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int
+main ()
+{
+getsockopt(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:16869: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getsockopt=$ac_lib; else ac_cv_funclib_getsockopt=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_getsockopt=\${ac_cv_funclib_getsockopt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_getsockopt"
+
+if false; then
+
+for ac_func in getsockopt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:16890: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 16896 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:16927: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:16936: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# getsockopt
+eval "ac_tr_func=HAVE_`echo getsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_getsockopt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_getsockopt=yes"
+	eval "LIB_getsockopt="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:16960: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_getsockopt=no"
+	eval "LIB_getsockopt="
+	echo "$as_me:16966: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_getsockopt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:16980: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:16985: checking for setsockopt" >&5
+echo $ECHO_N "checking for setsockopt... $ECHO_C" >&6
+if test "${ac_cv_funclib_setsockopt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_setsockopt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 17001 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int
+main ()
+{
+setsockopt(0,0,0,0,0)
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:17018: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_setsockopt=$ac_lib; else ac_cv_funclib_setsockopt=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_setsockopt=\${ac_cv_funclib_setsockopt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_setsockopt"
+
+if false; then
+
+for ac_func in setsockopt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:17039: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17045 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:17076: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:17085: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# setsockopt
+eval "ac_tr_func=HAVE_`echo setsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_setsockopt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_setsockopt=yes"
+	eval "LIB_setsockopt="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:17109: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_setsockopt=no"
+	eval "LIB_setsockopt="
+	echo "$as_me:17115: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_setsockopt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:17129: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+for ac_func in getudbnam setlim
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:17137: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17143 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:17174: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:17183: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+echo "$as_me:17193: checking return type of signal handlers" >&5
+echo $ECHO_N "checking return type of signal handlers... $ECHO_C" >&6
+if test "${ac_cv_type_signal+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17199 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <signal.h>
+#ifdef signal
+# undef signal
+#endif
+#ifdef __cplusplus
+extern "C" void (*signal (int, void (*)(int)))(int);
+#else
+void (*signal ()) ();
+#endif
+
+int
+main ()
+{
+int i;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17221: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_signal=void
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_signal=int
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17230: result: $ac_cv_type_signal" >&5
+echo "${ECHO_T}$ac_cv_type_signal" >&6
+
+cat >>confdefs.h <<EOF
+#define RETSIGTYPE $ac_cv_type_signal
+EOF
+
+if test "$ac_cv_type_signal" = "void" ; then
+
+cat >>confdefs.h <<\EOF
+#define VOID_RETSIGTYPE 1
+EOF
+
+fi
+
+echo "$as_me:17245: checking if realloc if broken" >&5
+echo $ECHO_N "checking if realloc if broken... $ECHO_C" >&6
+if test "${ac_cv_func_realloc_broken+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+ac_cv_func_realloc_broken=no
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17256 "configure"
+#include "confdefs.h"
+
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:17269: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  :
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_realloc_broken=yes
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+echo "$as_me:17285: result: $ac_cv_func_realloc_broken" >&5
+echo "${ECHO_T}$ac_cv_func_realloc_broken" >&6
+if test "$ac_cv_func_realloc_broken" = yes ; then
+
+cat >>confdefs.h <<\EOF
+#define BROKEN_REALLOC 1
+EOF
+
+fi
+
+echo "$as_me:17295: checking for ut_addr in struct utmp" >&5
+echo $ECHO_N "checking for ut_addr in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_addr+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17302 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int
+main ()
+{
+struct utmp x; x.ut_addr;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17314: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_utmp_ut_addr=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_utmp_ut_addr=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17323: result: $ac_cv_type_struct_utmp_ut_addr" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_addr" >&6
+if test "$ac_cv_type_struct_utmp_ut_addr" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_ADDR 1
+EOF
+
+fi
+
+echo "$as_me:17333: checking for ut_host in struct utmp" >&5
+echo $ECHO_N "checking for ut_host in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_host+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17340 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int
+main ()
+{
+struct utmp x; x.ut_host;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17352: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_utmp_ut_host=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_utmp_ut_host=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17361: result: $ac_cv_type_struct_utmp_ut_host" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_host" >&6
+if test "$ac_cv_type_struct_utmp_ut_host" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_HOST 1
+EOF
+
+fi
+
+echo "$as_me:17371: checking for ut_id in struct utmp" >&5
+echo $ECHO_N "checking for ut_id in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_id+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17378 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int
+main ()
+{
+struct utmp x; x.ut_id;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17390: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_utmp_ut_id=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_utmp_ut_id=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17399: result: $ac_cv_type_struct_utmp_ut_id" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_id" >&6
+if test "$ac_cv_type_struct_utmp_ut_id" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_ID 1
+EOF
+
+fi
+
+echo "$as_me:17409: checking for ut_pid in struct utmp" >&5
+echo $ECHO_N "checking for ut_pid in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_pid+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17416 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int
+main ()
+{
+struct utmp x; x.ut_pid;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17428: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_utmp_ut_pid=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_utmp_ut_pid=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17437: result: $ac_cv_type_struct_utmp_ut_pid" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_pid" >&6
+if test "$ac_cv_type_struct_utmp_ut_pid" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_PID 1
+EOF
+
+fi
+
+echo "$as_me:17447: checking for ut_type in struct utmp" >&5
+echo $ECHO_N "checking for ut_type in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_type+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17454 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int
+main ()
+{
+struct utmp x; x.ut_type;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17466: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_utmp_ut_type=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_utmp_ut_type=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17475: result: $ac_cv_type_struct_utmp_ut_type" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_type" >&6
+if test "$ac_cv_type_struct_utmp_ut_type" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_TYPE 1
+EOF
+
+fi
+
+echo "$as_me:17485: checking for ut_user in struct utmp" >&5
+echo $ECHO_N "checking for ut_user in struct utmp... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmp_ut_user+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17492 "configure"
+#include "confdefs.h"
+#include <utmp.h>
+int
+main ()
+{
+struct utmp x; x.ut_user;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17504: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_utmp_ut_user=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_utmp_ut_user=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17513: result: $ac_cv_type_struct_utmp_ut_user" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmp_ut_user" >&6
+if test "$ac_cv_type_struct_utmp_ut_user" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_USER 1
+EOF
+
+fi
+
+echo "$as_me:17523: checking for ut_exit in struct utmpx" >&5
+echo $ECHO_N "checking for ut_exit in struct utmpx... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmpx_ut_exit+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17530 "configure"
+#include "confdefs.h"
+#include <utmpx.h>
+int
+main ()
+{
+struct utmpx x; x.ut_exit;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17542: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_utmpx_ut_exit=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_utmpx_ut_exit=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17551: result: $ac_cv_type_struct_utmpx_ut_exit" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmpx_ut_exit" >&6
+if test "$ac_cv_type_struct_utmpx_ut_exit" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMPX_UT_EXIT 1
+EOF
+
+fi
+
+echo "$as_me:17561: checking for ut_syslen in struct utmpx" >&5
+echo $ECHO_N "checking for ut_syslen in struct utmpx... $ECHO_C" >&6
+if test "${ac_cv_type_struct_utmpx_ut_syslen+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17568 "configure"
+#include "confdefs.h"
+#include <utmpx.h>
+int
+main ()
+{
+struct utmpx x; x.ut_syslen;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17580: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_utmpx_ut_syslen=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_utmpx_ut_syslen=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17589: result: $ac_cv_type_struct_utmpx_ut_syslen" >&5
+echo "${ECHO_T}$ac_cv_type_struct_utmpx_ut_syslen" >&6
+if test "$ac_cv_type_struct_utmpx_ut_syslen" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMPX_UT_SYSLEN 1
+EOF
+
+fi
+
+echo "$as_me:17599: checking for tm_gmtoff in struct tm" >&5
+echo $ECHO_N "checking for tm_gmtoff in struct tm... $ECHO_C" >&6
+if test "${ac_cv_type_struct_tm_tm_gmtoff+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17606 "configure"
+#include "confdefs.h"
+#include <time.h>
+int
+main ()
+{
+struct tm x; x.tm_gmtoff;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17618: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_tm_tm_gmtoff=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_tm_tm_gmtoff=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17627: result: $ac_cv_type_struct_tm_tm_gmtoff" >&5
+echo "${ECHO_T}$ac_cv_type_struct_tm_tm_gmtoff" >&6
+if test "$ac_cv_type_struct_tm_tm_gmtoff" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_TM_TM_GMTOFF 1
+EOF
+
+fi
+
+echo "$as_me:17637: checking for tm_zone in struct tm" >&5
+echo $ECHO_N "checking for tm_zone in struct tm... $ECHO_C" >&6
+if test "${ac_cv_type_struct_tm_tm_zone+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17644 "configure"
+#include "confdefs.h"
+#include <time.h>
+int
+main ()
+{
+struct tm x; x.tm_zone;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17656: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_tm_tm_zone=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_tm_tm_zone=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17665: result: $ac_cv_type_struct_tm_tm_zone" >&5
+echo "${ECHO_T}$ac_cv_type_struct_tm_tm_zone" >&6
+if test "$ac_cv_type_struct_tm_tm_zone" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_TM_TM_ZONE 1
+EOF
+
+fi
+
+echo "$as_me:17675: checking for timezone" >&5
+echo $ECHO_N "checking for timezone... $ECHO_C" >&6
+if test "${ac_cv_var_timezone+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17682 "configure"
+#include "confdefs.h"
+extern int timezone;
+int foo() { return timezone; }
+int
+main ()
+{
+foo()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:17695: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_var_timezone=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_var_timezone=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+ac_foo=`eval echo \\$ac_cv_var_timezone`
+echo "$as_me:17707: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_TIMEZONE 1
+EOF
+
+echo "$as_me:17715: checking if timezone is properly declared" >&5
+echo $ECHO_N "checking if timezone is properly declared... $ECHO_C" >&6
+if test "${ac_cv_var_timezone_declaration+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 17722 "configure"
+#include "confdefs.h"
+#include <time.h>
+extern struct { int foo; } timezone;
+int
+main ()
+{
+timezone.foo = 1;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17735: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_var_timezone_declaration=no"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_var_timezone_declaration=yes"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:17746: result: $ac_cv_var_timezone_declaration" >&5
+echo "${ECHO_T}$ac_cv_var_timezone_declaration" >&6
+if eval "test \"\$ac_cv_var_timezone_declaration\" = yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_TIMEZONE_DECLARATION 1
+EOF
+
+fi
+
+fi
+
+cv=`echo "sa_family_t" | sed 'y%./+- %__p__%'`
+echo "$as_me:17759: checking for sa_family_t" >&5
+echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17765 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+sa_family_t foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17782: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:17792: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo sa_family_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:17797: checking for sa_family_t" >&5
+echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
+if test "${ac_cv_type_sa_family_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17803 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((sa_family_t *) 0)
+  return 0;
+if (sizeof (sa_family_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17818: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_sa_family_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_sa_family_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17827: result: $ac_cv_type_sa_family_t" >&5
+echo "${ECHO_T}$ac_cv_type_sa_family_t" >&6
+if test $ac_cv_type_sa_family_t = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_SA_FAMILY_T 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "socklen_t" | sed 'y%./+- %__p__%'`
+echo "$as_me:17846: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17852 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+socklen_t foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17869: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:17879: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo socklen_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:17884: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
+if test "${ac_cv_type_socklen_t+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17890 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((socklen_t *) 0)
+  return 0;
+if (sizeof (socklen_t))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17905: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_socklen_t=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_socklen_t=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:17914: result: $ac_cv_type_socklen_t" >&5
+echo "${ECHO_T}$ac_cv_type_socklen_t" >&6
+if test $ac_cv_type_socklen_t = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_SOCKLEN_T 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct sockaddr" | sed 'y%./+- %__p__%'`
+echo "$as_me:17933: checking for struct sockaddr" >&5
+echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17939 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+struct sockaddr foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17956: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:17966: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct sockaddr | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:17971: checking for struct sockaddr" >&5
+echo $ECHO_N "checking for struct sockaddr... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 17977 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct sockaddr *) 0)
+  return 0;
+if (sizeof (struct sockaddr))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:17992: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_sockaddr=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_sockaddr=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:18001: result: $ac_cv_type_struct_sockaddr" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr" >&6
+if test $ac_cv_type_struct_sockaddr = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_SOCKADDR 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct sockaddr_storage" | sed 'y%./+- %__p__%'`
+echo "$as_me:18020: checking for struct sockaddr_storage" >&5
+echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18026 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int
+main ()
+{
+struct sockaddr_storage foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:18043: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:18053: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct sockaddr_storage | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:18058: checking for struct sockaddr_storage" >&5
+echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr_storage+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18064 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct sockaddr_storage *) 0)
+  return 0;
+if (sizeof (struct sockaddr_storage))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:18079: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_sockaddr_storage=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_sockaddr_storage=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:18088: result: $ac_cv_type_struct_sockaddr_storage" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr_storage" >&6
+if test $ac_cv_type_struct_sockaddr_storage = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_SOCKADDR_STORAGE 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+cv=`echo "struct addrinfo" | sed 'y%./+- %__p__%'`
+echo "$as_me:18107: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
+if eval "test \"\${ac_cv_type_$cv+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18113 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <netdb.h>
+int
+main ()
+{
+struct addrinfo foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:18130: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+echo "$as_me:18140: result: $ac_foo" >&5
+echo "${ECHO_T}$ac_foo" >&6
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo struct addrinfo | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	echo "$as_me:18145: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
+if test "${ac_cv_type_struct_addrinfo+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18151 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+if ((struct addrinfo *) 0)
+  return 0;
+if (sizeof (struct addrinfo))
+  return 0;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:18166: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_addrinfo=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_addrinfo=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:18175: result: $ac_cv_type_struct_addrinfo" >&5
+echo "${ECHO_T}$ac_cv_type_struct_addrinfo" >&6
+if test $ac_cv_type_struct_addrinfo = yes; then
+
+cat >>confdefs.h <<EOF
+#define HAVE_STRUCT_ADDRINFO 1
+EOF
+
+fi
+
+fi
+
+cat >>confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+echo "$as_me:18193: checking for struct winsize" >&5
+echo $ECHO_N "checking for struct winsize... $ECHO_C" >&6
+if test "${ac_cv_struct_winsize+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+cat >conftest.$ac_ext <<_ACEOF
+#line 18202 "configure"
+#include "confdefs.h"
+#include <$i>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "struct[ 	]*winsize" >/dev/null 2>&1; then
+  ac_cv_struct_winsize=yes; break
+fi
+rm -f conftest*
+done
+
+fi
+
+if test "$ac_cv_struct_winsize" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_WINSIZE 1
+EOF
+
+fi
+echo "$as_me:18223: result: $ac_cv_struct_winsize" >&5
+echo "${ECHO_T}$ac_cv_struct_winsize" >&6
+cat >conftest.$ac_ext <<_ACEOF
+#line 18226 "configure"
+#include "confdefs.h"
+#include <termios.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ws_xpixel" >/dev/null 2>&1; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_WS_XPIXEL 1
+EOF
+
+fi
+rm -f conftest*
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 18242 "configure"
+#include "confdefs.h"
+#include <termios.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ws_ypixel" >/dev/null 2>&1; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_WS_YPIXEL 1
+EOF
+
+fi
+rm -f conftest*
+
+echo "$as_me:18257: checking for struct spwd" >&5
+echo $ECHO_N "checking for struct spwd... $ECHO_C" >&6
+if test "${ac_cv_struct_spwd+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 18264 "configure"
+#include "confdefs.h"
+#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+int
+main ()
+{
+struct spwd foo;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:18279: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_struct_spwd=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_struct_spwd=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+echo "$as_me:18290: result: $ac_cv_struct_spwd" >&5
+echo "${ECHO_T}$ac_cv_struct_spwd" >&6
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_SPWD 1
+EOF
+
+fi
+
+echo "$as_me:18301: checking for sa_len in struct sockaddr" >&5
+echo $ECHO_N "checking for sa_len in struct sockaddr... $ECHO_C" >&6
+if test "${ac_cv_type_struct_sockaddr_sa_len+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+cat >conftest.$ac_ext <<_ACEOF
+#line 18308 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+int
+main ()
+{
+struct sockaddr x; x.sa_len;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:18321: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_type_struct_sockaddr_sa_len=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_type_struct_sockaddr_sa_len=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:18330: result: $ac_cv_type_struct_sockaddr_sa_len" >&5
+echo "${ECHO_T}$ac_cv_type_struct_sockaddr_sa_len" >&6
+if test "$ac_cv_type_struct_sockaddr_sa_len" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_STRUCT_SOCKADDR_SA_LEN 1
+EOF
+
+fi
+
+for i in int8_t int16_t int32_t int64_t \
+	u_int8_t u_int16_t u_int32_t u_int64_t \
+	uint8_t uint16_t uint32_t uint64_t; do
+	echo "$as_me:18343: checking for $i" >&5
+echo $ECHO_N "checking for $i... $ECHO_C" >&6
+
+if eval "test \"\${ac_cv_type_$i+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18350 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+
+int
+main ()
+{
+$i x;
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:18379: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  eval ac_cv_type_$i=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval ac_cv_type_$i=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_`echo $i | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+		cat >>confdefs.h <<EOF
+#define $type 1
+EOF
+
+	fi
+	echo "$as_me:18397: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6
+done
+
+for ac_header in 				\
+	openssl/md4.h				\
+	openssl/md5.h				\
+	openssl/sha.h				\
+	openssl/des.h				\
+	openssl/rc4.h				\
+
+do
+ac_ac_Header=`echo "ac_cv_header_$ac_header" | $ac_tr_sh`
+
+echo "$as_me:18411: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18417 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+
+_ACEOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.err"
+if { (eval echo $as_me:18423: \"$ac_try\") >&5; (eval $ac_try) 2>&5; }; then
+  if egrep -v '^ *\+' conftest.err | grep . >/dev/null; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+
+if test -z "$ac_cpp_err"; then
+  eval "$ac_ac_Header=yes"
+else
+  cat conftest.err >&5
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_Header=no"
+fi
+rm -f conftest*
+
+fi
+echo "$as_me:18444: result: `eval echo '${'$ac_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_Header'}'`" >&6
+if test `eval echo '${'$ac_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+echo "$as_me:18454: checking for MD4_Init" >&5
+echo $ECHO_N "checking for MD4_Init... $ECHO_C" >&6
+if test "${ac_cv_funclib_MD4_Init+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_MD4_Init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in crypto des; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$test_LIB_krb4 $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 18470 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+MD4_Init()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:18482: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD4_Init=$ac_lib; else ac_cv_funclib_MD4_Init=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_MD4_Init=\${ac_cv_funclib_MD4_Init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_MD4_Init"
+
+if false; then
+
+for ac_func in MD4_Init
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:18503: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18509 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:18540: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:18549: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# MD4_Init
+eval "ac_tr_func=HAVE_`echo MD4_Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_MD4_Init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_MD4_Init=yes"
+	eval "LIB_MD4_Init="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:18573: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_MD4_Init=no"
+	eval "LIB_MD4_Init="
+	echo "$as_me:18579: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_MD4_Init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:18593: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:18598: checking for MD5_Init" >&5
+echo $ECHO_N "checking for MD5_Init... $ECHO_C" >&6
+if test "${ac_cv_funclib_MD5_Init+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_MD5_Init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in crypto des; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$test_LIB_krb4 $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 18614 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+MD5_Init()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:18626: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_MD5_Init=$ac_lib; else ac_cv_funclib_MD5_Init=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_MD5_Init=\${ac_cv_funclib_MD5_Init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_MD5_Init"
+
+if false; then
+
+for ac_func in MD5_Init
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:18647: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18653 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:18684: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:18693: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# MD5_Init
+eval "ac_tr_func=HAVE_`echo MD5_Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_MD5_Init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_MD5_Init=yes"
+	eval "LIB_MD5_Init="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:18717: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_MD5_Init=no"
+	eval "LIB_MD5_Init="
+	echo "$as_me:18723: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_MD5_Init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:18737: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:18742: checking for SHA1_Init" >&5
+echo $ECHO_N "checking for SHA1_Init... $ECHO_C" >&6
+if test "${ac_cv_funclib_SHA1_Init+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_SHA1_Init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in crypto des; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$test_LIB_krb4 $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 18758 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+SHA1_Init()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:18770: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_SHA1_Init=$ac_lib; else ac_cv_funclib_SHA1_Init=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_SHA1_Init=\${ac_cv_funclib_SHA1_Init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_SHA1_Init"
+
+if false; then
+
+for ac_func in SHA1_Init
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:18791: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18797 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:18828: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:18837: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# SHA1_Init
+eval "ac_tr_func=HAVE_`echo SHA1_Init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_SHA1_Init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_SHA1_Init=yes"
+	eval "LIB_SHA1_Init="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:18861: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_SHA1_Init=no"
+	eval "LIB_SHA1_Init="
+	echo "$as_me:18867: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_SHA1_Init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:18881: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:18886: checking for des_cbc_encrypt" >&5
+echo $ECHO_N "checking for des_cbc_encrypt... $ECHO_C" >&6
+if test "${ac_cv_funclib_des_cbc_encrypt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_des_cbc_encrypt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in crypto des; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$test_LIB_krb4 $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 18902 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+des_cbc_encrypt()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:18914: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_des_cbc_encrypt=$ac_lib; else ac_cv_funclib_des_cbc_encrypt=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_des_cbc_encrypt=\${ac_cv_funclib_des_cbc_encrypt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_des_cbc_encrypt"
+
+if false; then
+
+for ac_func in des_cbc_encrypt
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:18935: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 18941 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:18972: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:18981: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# des_cbc_encrypt
+eval "ac_tr_func=HAVE_`echo des_cbc_encrypt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_des_cbc_encrypt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_des_cbc_encrypt=yes"
+	eval "LIB_des_cbc_encrypt="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:19005: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_des_cbc_encrypt=no"
+	eval "LIB_des_cbc_encrypt="
+	echo "$as_me:19011: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_des_cbc_encrypt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:19025: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+echo "$as_me:19030: checking for RC4" >&5
+echo $ECHO_N "checking for RC4... $ECHO_C" >&6
+if test "${ac_cv_funclib_RC4+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_RC4\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in crypto des; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$test_LIB_krb4 $ac_lib  $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 19046 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+RC4()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:19058: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_RC4=$ac_lib; else ac_cv_funclib_RC4=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_RC4=\${ac_cv_funclib_RC4-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_RC4"
+
+if false; then
+
+for ac_func in RC4
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:19079: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19085 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:19116: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:19125: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# RC4
+eval "ac_tr_func=HAVE_`echo RC4 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_RC4=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_RC4=yes"
+	eval "LIB_RC4="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:19149: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_RC4=no"
+	eval "LIB_RC4="
+	echo "$as_me:19155: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_RC4=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:19169: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test "$ac_cv_func_des_cbc_encrypt" = "yes" -a \
+"$ac_cv_func_MD4_Init"  = "yes" -a \
+"$ac_cv_func_MD5_Init"  = "yes" -a \
+"$ac_cv_func_SHA1_Init" = "yes" -a \
+"$ac_cv_func_RC4" = "yes"; then
+  DIR_des=''
+  LIB_des=''
+  if test "$krb4_libdir" != ""; then
+    LIB_des="-R $krb4_libdir -L$krb4_libdir"
+  fi
+  LIB_des="$LIB_des $ac_cv_funclib_MD4_Init"
+  LIB_des_appl="$LIB_des"
+else
+  DIR_des='des'
+  LIB_des='$(top_builddir)/lib/des/libdes.la'
+  LIB_des_appl="-ldes"
+fi
+
+echo "$as_me:19192: checking for el_init" >&5
+echo $ECHO_N "checking for el_init... $ECHO_C" >&6
+if test "${ac_cv_funclib_el_init+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if eval "test \"\$ac_cv_func_el_init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" edit; do
+		if test -n "$ac_lib"; then
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib $LIB_tgetent $ac_save_LIBS"
+		cat >conftest.$ac_ext <<_ACEOF
+#line 19208 "configure"
+#include "confdefs.h"
+
+int
+main ()
+{
+el_init()
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:19220: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_el_init=$ac_lib; else ac_cv_funclib_el_init=yes; fi";break
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+	done
+	eval "ac_cv_funclib_el_init=\${ac_cv_funclib_el_init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+eval "ac_res=\$ac_cv_funclib_el_init"
+
+if false; then
+
+for ac_func in el_init
+do
+ac_ac_var=`echo "ac_cv_func_$ac_func" | $ac_tr_sh`
+echo "$as_me:19241: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$ac_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19247 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:19278: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  eval "$ac_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$ac_ac_var=no"
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:19287: result: `eval echo '${'$ac_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$ac_ac_var'}'`" >&6
+if test `eval echo '${'$ac_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $ac_tr_cpp` 1
+EOF
+
+fi
+done
+
+fi
+# el_init
+eval "ac_tr_func=HAVE_`echo el_init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_el_init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_el_init=yes"
+	eval "LIB_el_init="
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$as_me:19311: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+	;;
+	no)
+	eval "ac_cv_func_el_init=no"
+	eval "LIB_el_init="
+	echo "$as_me:19317: result: no" >&5
+echo "${ECHO_T}no" >&6
+	;;
+	*)
+	eval "ac_cv_func_el_init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >>confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >>confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$as_me:19331: result: yes, in $ac_res" >&5
+echo "${ECHO_T}yes, in $ac_res" >&6
+	;;
+esac
+
+if test "$ac_cv_func_el_init" = yes ; then
+	echo "$as_me:19337: checking for four argument el_init" >&5
+echo $ECHO_N "checking for four argument el_init... $ECHO_C" >&6
+if test "${ac_cv_func_el_init_four+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+		cat >conftest.$ac_ext <<_ACEOF
+#line 19344 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+			#include <histedit.h>
+int
+main ()
+{
+el_init("", NULL, NULL, NULL);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo $as_me:19357: \"$ac_compile\") >&5; (eval $ac_compile) 2>&5; } && test -s conftest.$ac_objext; then
+  ac_cv_func_el_init_four=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_el_init_four=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:19366: result: $ac_cv_func_el_init_four" >&5
+echo "${ECHO_T}$ac_cv_func_el_init_four" >&6
+	if test "$ac_cv_func_el_init_four" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define HAVE_FOUR_VALUED_EL_INIT 1
+EOF
+
+	fi
+fi
+
+ac_foo=no
+if test "$with_readline" = yes; then
+	:
+elif test "$ac_cv_func_readline" = yes; then
+	:
+elif test "$ac_cv_func_el_init" = yes; then
+	ac_foo=yes
+	LIB_readline="\$(top_builddir)/lib/editline/libel_compat.la $LIB_el_init"
+else
+	LIB_readline='$(top_builddir)/lib/editline/libeditline.la'
+fi
+
+if test "$ac_foo" = yes; then
+  el_compat_TRUE=
+  el_compat_FALSE='#'
+else
+  el_compat_TRUE='#'
+  el_compat_FALSE=
+fi
+if test "$readline_libdir"; then
+	LIB_readline="-rpath $readline_libdir $LIB_readline"
+fi
+LIB_readline="$LIB_readline \$(LIB_tgetent)"
+
+cat >>confdefs.h <<\EOF
+#define HAVE_READLINE 1
+EOF
+
+cat >>confdefs.h <<\EOF
+#define AUTHENTICATION 1
+EOF
+
+cat >>confdefs.h <<\EOF
+#define ENCRYPTION 1
+EOF
+
+cat >>confdefs.h <<\EOF
+#define DES_ENCRYPTION 1
+EOF
+
+cat >>confdefs.h <<\EOF
+#define DIAGNOSTICS 1
+EOF
+
+cat >>confdefs.h <<\EOF
+#define OLD_ENVIRON 1
+EOF
+if false; then
+
+cat >>confdefs.h <<\EOF
+#define ENV_HACK 1
+EOF
+
+fi
+
+# Simple test for streamspty, based on the existance of getmsg(), alas
+# this breaks on SunOS4 which have streams but BSD-like ptys
+#
+# And also something wierd has happend with dec-osf1, fallback to bsd-ptys
+
+echo "$as_me:19437: checking for getmsg" >&5
+echo $ECHO_N "checking for getmsg... $ECHO_C" >&6
+if test "${ac_cv_func_getmsg+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19443 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char getmsg (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char getmsg ();
+char (*f) ();
+
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_getmsg) || defined (__stub___getmsg)
+choke me
+#else
+f = getmsg;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo $as_me:19474: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } && test -s conftest$ac_exeext; then
+  ac_cv_func_getmsg=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_func_getmsg=no
+fi
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:19483: result: $ac_cv_func_getmsg" >&5
+echo "${ECHO_T}$ac_cv_func_getmsg" >&6
+
+if test "$ac_cv_func_getmsg" = "yes"; then
+
+echo "$as_me:19488: checking for working getmsg" >&5
+echo $ECHO_N "checking for working getmsg... $ECHO_C" >&6
+if test "${ac_cv_func_getmsg_work+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test "$cross_compiling" = yes; then
+  ac_cv_func_getmsg_work=no
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 19497 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <errno.h>
+
+int main()
+{
+  int ret;
+  ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL);
+  if(ret < 0 && errno == ENOSYS)
+    return 1;
+  return 0;
+}
+
+_ACEOF
+rm -f conftest$ac_exeext
+{ (eval echo $as_me:19514: \"$ac_link\") >&5; (eval $ac_link) 2>&5; } &&
+  (./conftest$ac_exeext) >&5 2>&1;
+ac_status=$?
+if test $ac_status = 0; then
+  ac_cv_func_getmsg_work=yes
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_getmsg_work=no
+fi
+
+rm -f conftest$ac_exeext conftest.$ac_ext
+fi
+
+fi
+echo "$as_me:19530: result: $ac_cv_func_getmsg_work" >&5
+echo "${ECHO_T}$ac_cv_func_getmsg_work" >&6
+test "$ac_cv_func_getmsg_work" = "yes" &&
+
+cat >>confdefs.h <<\EOF
+#define HAVE_GETMSG 1
+EOF
+
+fi
+
+if test "$ac_cv_func_getmsg_work" = yes; then
+echo "$as_me:19541: checking for streamspty" >&5
+echo $ECHO_N "checking for streamspty... $ECHO_C" >&6
+case "$host" in
+*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux1[01]*)
+	krb_cv_sys_streamspty=no
+	;;
+*)
+	krb_cv_sys_streamspty=yes
+	;;
+esac
+echo "$as_me:19551: result: $krb_cv_sys_streamspty" >&5
+echo "${ECHO_T}$krb_cv_sys_streamspty" >&6
+fi
+if test "$krb_cv_sys_streamspty" = yes; then
+
+cat >>confdefs.h <<\EOF
+#define STREAMSPTY 1
+EOF
+
+fi
+
+echo "$as_me:19562: checking which authentication modules should be built" >&5
+echo $ECHO_N "checking which authentication modules should be built... $ECHO_C" >&6
+
+LIB_AUTH_SUBDIRS=
+
+if test "$ac_cv_header_siad_h" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia"
+fi
+
+if test "$ac_cv_header_security_pam_modules_h" = yes -a "$enable_shared" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam"
+fi
+
+case "${host}" in
+*-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
+esac
+
+echo "$as_me:19579: result: $LIB_AUTH_SUBDIRS" >&5
+echo "${ECHO_T}$LIB_AUTH_SUBDIRS" >&6
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+for i in bin lib libexec sbin; do
+	i=${i}dir
+	foo=`echo $i | tr 'xindiscernible' 'XINDISCERNIBLE'`
+	x="\$${i}"
+	eval y="$x"
+	while test "x$y" != "x$x"; do
+		x="$y"
+		eval y="$x"
+	done
+	cat >>confdefs.h <<EOF
+#define $foo "$x"
+EOF
+
+done
+
+if false; then
+	# hack to shut up automake
+	LIBOBJS="$LIBOBJS make-print-version.o"
+fi
+LTLIBOBJS=`echo "$LIBOBJS" | sed 's/\.o/\.lo/g'`
+
+ac_config_files="$ac_config_files Makefile 		\
+	include/Makefile		\
+	include/kadm5/Makefile		\
+	lib/Makefile			\
+	lib/45/Makefile			\
+	lib/auth/Makefile		\
+	lib/auth/afskauthlib/Makefile	\
+	lib/auth/pam/Makefile		\
+	lib/auth/sia/Makefile		\
+	lib/asn1/Makefile		\
+	lib/com_err/Makefile		\
+	lib/des/Makefile		\
+	lib/editline/Makefile		\
+	lib/gssapi/Makefile		\
+	lib/hdb/Makefile		\
+	lib/kadm5/Makefile		\
+	lib/kafs/Makefile		\
+	lib/kdfs/Makefile		\
+	lib/krb5/Makefile		\
+	lib/otp/Makefile		\
+	lib/roken/Makefile		\
+	lib/sl/Makefile			\
+	lib/vers/Makefile		\
+	kuser/Makefile			\
+	kpasswd/Makefile		\
+	kadmin/Makefile			\
+	admin/Makefile			\
+	kdc/Makefile			\
+	appl/Makefile			\
+	appl/afsutil/Makefile		\
+	appl/ftp/Makefile		\
+	appl/ftp/common/Makefile	\
+	appl/ftp/ftp/Makefile		\
+	appl/ftp/ftpd/Makefile		\
+	appl/kx/Makefile		\
+	appl/login/Makefile		\
+	appl/otp/Makefile		\
+	appl/popper/Makefile		\
+	appl/push/Makefile		\
+	appl/rsh/Makefile		\
+	appl/rcp/Makefile		\
+	appl/su/Makefile		\
+	appl/xnlock/Makefile		\
+	appl/telnet/Makefile		\
+	appl/telnet/libtelnet/Makefile	\
+	appl/telnet/telnet/Makefile	\
+	appl/telnet/telnetd/Makefile	\
+	appl/test/Makefile		\
+	appl/kf/Makefile		\
+	appl/dceutils/Makefile		\
+	doc/Makefile			\
+	tools/Makefile			\
+"
+
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems.  If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overriden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+{
+  (set) 2>&1 |
+    case `(ac_space=' '; set | grep ac_space) 2>&1` in
+    *ac_space=\ *)
+      # `set' does not quote correctly, so add quotes (double-quote
+      # substitution turns \\\\ into \\, and sed turns \\ into \).
+      sed -n \
+        "s/'/'\\\\''/g;
+    	  s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+      ;;
+    *)
+      # `set' quotes correctly as required by POSIX, so do not add quotes.
+      sed -n \
+        "s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      ;;
+    esac;
+} |
+  sed '
+     t clear
+     : clear
+     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+     t end
+     /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+     : end' >>confcache
+if cmp -s $cache_file confcache; then :; else
+  if test -w $cache_file; then
+    test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
+    cat confcache >$cache_file
+  else
+    echo "not updating unwritable cache $cache_file"
+  fi
+fi
+rm -f confcache
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+# Any assignment to VPATH causes Sun make to only execute
+# the first set of double-colon rules, so remove it if not needed.
+# If there is a colon in the path, we need to keep it.
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[ 	]*VPATH[ 	]*=[^:]*$/d'
+fi
+
+DEFS=-DHAVE_CONFIG_H
+
+# Save into config.log some information that might help in debugging.
+echo >&5
+echo "Cache variables:" >&5
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+{
+  (set) 2>&1 |
+    case `(ac_space=' '; set | grep ac_space) 2>&1` in
+    *ac_space=\ *)
+      # `set' does not quote correctly, so add quotes (double-quote
+      # substitution turns \\\\ into \\, and sed turns \\ into \).
+      sed -n \
+        "s/'/'\\\\''/g;
+    	  s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+      ;;
+    *)
+      # `set' quotes correctly as required by POSIX, so do not add quotes.
+      sed -n \
+        "s/^\\([_$ac_cr_alnum]*_cv_[_$ac_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      ;;
+    esac;
+} | sed 's/^/| /' >&5
+echo >&5
+echo "confdefs.h:" >&5
+sed '/^$/d;s/^/| /' confdefs.h >&5
+
+: ${CONFIG_STATUS=./config.status}
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+{ echo "$as_me:19760: creating $CONFIG_STATUS" >&5
+echo "creating $CONFIG_STATUS" >&6;}
+cat >$CONFIG_STATUS <<\_ACEOF
+#! /bin/sh
+# Generated automatically by configure.
+# Run this file to recreate the current configuration.
+# Compiler output produced by configure, useful for debugging
+# configure, is in config.log if it exists.
+
+debug=false
+as_me=`echo "$0" | sed 's,.*/,,'`
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+# Be Bourne compatible
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
+  set -o posix
+fi
+
+if expr a : '\(a\)' >/dev/null 2>&1; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+# Support unset when possible.
+if (FOO=FOO; unset FOO) >/dev/null 2>&1; then
+  as_unset=unset
+else
+  as_unset=false
+fi
+
+# NLS nuisances.
+$as_unset LANG || test "${LANG+set}" != set || { LANG=C; export LANG; }
+$as_unset LC_ALL || test "${LC_ALL+set}" != set || { LC_ALL=C; export LC_ALL; }
+$as_unset LC_TIME || test "${LC_TIME+set}" != set || { LC_TIME=C; export LC_TIME; }
+$as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set || { LC_CTYPE=C; export LC_CTYPE; }
+$as_unset LANGUAGE || test "${LANGUAGE+set}" != set || { LANGUAGE=C; export LANGUAGE; }
+$as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set || { LC_COLLATE=C; export LC_COLLATE; }
+$as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set || { LC_NUMERIC=C; export LC_NUMERIC; }
+$as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set || { LC_MESSAGES=C; export LC_MESSAGES; }
+
+# IFS
+# We need space, tab and new line, in precisely that order.
+ac_nl='
+'
+IFS=" 	$ac_nl"
+
+# CDPATH.
+$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=:; export CDPATH; }
+
+# File descriptor usage:
+# 0 standard input
+# 1 file creation
+# 2 errors and warnings
+# 3 some systems may open it to /dev/tty
+# 4 used on the Kubota Titan
+# 6 checking for... messages and results
+# 5 compiler messages saved in config.log
+if test "$silent" = yes; then
+  exec 6>/dev/null
+else
+  exec 6>&1
+fi
+exec 5>>config.log
+
+cat >&5 << EOF
+
+----------------------------------------------------------------------
+
+This file was extended by $as_me (heimdal 0.3f) 2.49b, executed with
+ > $0 $@
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+
+EOF
+
+_ACEOF
+
+# Files that config.status was made for.
+if test -n "$ac_config_files"; then
+  echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_headers"; then
+  echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_links"; then
+  echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_commands"; then
+  echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS
+fi
+
+cat >>$CONFIG_STATUS <<\EOF
+
+ac_cs_usage="\
+\`$as_me' instantiates files from templates according to the
+current configuration.
+
+Usage: $0 [OPTIONS] [FILE]...
+
+  -h, --help       print this help, then exit
+  -V, --version    print version number, then exit
+  -d, --debug      don't remove temporary files
+      --recheck    update $as_me by reconfiguring in the same conditions
+  --file=FILE[:TEMPLATE]
+                   instantiate the configuration file FILE
+  --header=FILE[:TEMPLATE]
+                   instantiate the configuration header FILE
+
+Configuration files:
+$config_files
+
+Configuration headers:
+$config_headers
+
+Configuration commands:
+$config_commands
+
+Report bugs to <bug-autoconf@gnu.org>."
+EOF
+
+cat >>$CONFIG_STATUS <<EOF
+ac_cs_version="\\
+$CONFIG_STATUS generated by $as_me (Autoconf 2.49b).
+Configured on host $ac_hostname by
+  `echo "$0 $ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`"
+
+ac_given_srcdir=$srcdir
+ac_given_INSTALL="$INSTALL"
+EOF
+
+cat >>$CONFIG_STATUS <<\EOF
+# If no file are specified by the user, then we need to provide default
+# value.  By we need to know if files were specified by the user.
+ac_need_defaults=:
+while test $# != 0
+do
+  case $1 in
+  --*=*)
+    ac_option=`expr "x$1" : 'x\([^=]*\)='`
+    ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'`
+    shift
+    set dummy "$ac_option" "$ac_optarg" ${1+"$@"}
+    shift
+    ;;
+  -*);;
+  *) # This is not an option, so the user has probably given explicit
+     # arguments.
+     ac_need_defaults=false;;
+  esac
+
+  case $1 in
+  # Handling of the options.
+EOF
+cat >>$CONFIG_STATUS <<EOF
+  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+    echo "running $SHELL $0 " $ac_configure_args " --no-create --no-recursion"
+    exec $SHELL $0 $ac_configure_args --no-create --no-recursion ;;
+EOF
+cat >>$CONFIG_STATUS <<\EOF
+  --version | --vers* | -V )
+    echo "$ac_cs_version"; exit 0 ;;
+  --he | --h)
+    # Conflict between --help and --header
+    {  echo "$as_me: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&2
+  { (exit 1); exit; }; };;
+  --help | --hel | -h )
+    echo "$ac_cs_usage"; exit 0 ;;
+  --debug | --d* | -d )
+    debug=: ;;
+  --file | --fil | --fi | --f )
+    shift
+    CONFIG_FILES="$CONFIG_FILES $1"
+    ac_need_defaults=false;;
+  --header | --heade | --head | --hea )
+    shift
+    CONFIG_HEADERS="$CONFIG_HEADERS $1"
+    ac_need_defaults=false;;
+
+  # Handling of arguments.
+  'Makefile' ) CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+  'include/Makefile' ) CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
+  'include/kadm5/Makefile' ) CONFIG_FILES="$CONFIG_FILES include/kadm5/Makefile" ;;
+  'lib/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/Makefile" ;;
+  'lib/45/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/45/Makefile" ;;
+  'lib/auth/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/auth/Makefile" ;;
+  'lib/auth/afskauthlib/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/auth/afskauthlib/Makefile" ;;
+  'lib/auth/pam/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/auth/pam/Makefile" ;;
+  'lib/auth/sia/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/auth/sia/Makefile" ;;
+  'lib/asn1/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/asn1/Makefile" ;;
+  'lib/com_err/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/com_err/Makefile" ;;
+  'lib/des/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/des/Makefile" ;;
+  'lib/editline/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/editline/Makefile" ;;
+  'lib/gssapi/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/gssapi/Makefile" ;;
+  'lib/hdb/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/hdb/Makefile" ;;
+  'lib/kadm5/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/kadm5/Makefile" ;;
+  'lib/kafs/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/kafs/Makefile" ;;
+  'lib/kdfs/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/kdfs/Makefile" ;;
+  'lib/krb5/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/krb5/Makefile" ;;
+  'lib/otp/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/otp/Makefile" ;;
+  'lib/roken/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/roken/Makefile" ;;
+  'lib/sl/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/sl/Makefile" ;;
+  'lib/vers/Makefile' ) CONFIG_FILES="$CONFIG_FILES lib/vers/Makefile" ;;
+  'kuser/Makefile' ) CONFIG_FILES="$CONFIG_FILES kuser/Makefile" ;;
+  'kpasswd/Makefile' ) CONFIG_FILES="$CONFIG_FILES kpasswd/Makefile" ;;
+  'kadmin/Makefile' ) CONFIG_FILES="$CONFIG_FILES kadmin/Makefile" ;;
+  'admin/Makefile' ) CONFIG_FILES="$CONFIG_FILES admin/Makefile" ;;
+  'kdc/Makefile' ) CONFIG_FILES="$CONFIG_FILES kdc/Makefile" ;;
+  'appl/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/Makefile" ;;
+  'appl/afsutil/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/afsutil/Makefile" ;;
+  'appl/ftp/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/ftp/Makefile" ;;
+  'appl/ftp/common/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/ftp/common/Makefile" ;;
+  'appl/ftp/ftp/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/ftp/ftp/Makefile" ;;
+  'appl/ftp/ftpd/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/ftp/ftpd/Makefile" ;;
+  'appl/kx/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/kx/Makefile" ;;
+  'appl/login/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/login/Makefile" ;;
+  'appl/otp/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/otp/Makefile" ;;
+  'appl/popper/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/popper/Makefile" ;;
+  'appl/push/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/push/Makefile" ;;
+  'appl/rsh/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/rsh/Makefile" ;;
+  'appl/rcp/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/rcp/Makefile" ;;
+  'appl/su/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/su/Makefile" ;;
+  'appl/xnlock/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/xnlock/Makefile" ;;
+  'appl/telnet/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/telnet/Makefile" ;;
+  'appl/telnet/libtelnet/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/telnet/libtelnet/Makefile" ;;
+  'appl/telnet/telnet/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/telnet/telnet/Makefile" ;;
+  'appl/telnet/telnetd/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/telnet/telnetd/Makefile" ;;
+  'appl/test/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/test/Makefile" ;;
+  'appl/kf/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/kf/Makefile" ;;
+  'appl/dceutils/Makefile' ) CONFIG_FILES="$CONFIG_FILES appl/dceutils/Makefile" ;;
+  'doc/Makefile' ) CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
+  'tools/Makefile' ) CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;;
+  'default-1' ) CONFIG_COMMANDS="$CONFIG_COMMANDS default-1" ;;
+  'default-2' ) CONFIG_COMMANDS="$CONFIG_COMMANDS default-2" ;;
+  'include/config.h' ) CONFIG_HEADERS="$CONFIG_HEADERS include/config.h" ;;
+
+  # This is an error.
+  -*) {  echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2
+  { (exit 1); exit; }; } ;;
+  *) {  echo "$as_me: error: invalid argument: $1" >&2
+  { (exit 1); exit; }; };;
+  esac
+  shift
+done
+
+EOF
+
+cat >>$CONFIG_STATUS <<\EOF
+# If the user did not use the arguments to specify the items to instantiate,
+# then the envvar interface is used.  Set only those that are not.
+if $ac_need_defaults; then
+  CONFIG_FILES=${CONFIG_FILES="$config_files"}
+  CONFIG_HEADERS=${CONFIG_HEADERS="$config_headers"}
+  CONFIG_COMMANDS=${CONFIG_COMMANDS="$config_commands"}
+fi
+
+# Create a temporary directory, and hook for its removal unless debugging.
+$debug ||
+{
+  trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
+  trap '{ (exit $?); exit; }' 1 2 13 15
+}
+
+# Create a (secure) tmp directory for tmp files.
+: ${TMPDIR=/tmp}
+{
+  tmp=`(umask 077 && mktemp -d -q "$TMPDIR/csXXXXXX") 2>/dev/null` &&
+  test -n "$tmp" && test -d "$tmp"
+}  ||
+{
+  tmp=$TMPDIR/cs$$-$RANDOM
+  (umask 077 && mkdir $tmp)
+} ||
+{
+   echo "$me: cannot create a temporary directory in $TMPDIR" >&2
+   { (exit 1); exit; }
+}
+
+EOF
+
+cat >>$CONFIG_STATUS <<EOF
+#
+# INIT-COMMANDS section.
+#
+
+am_indx=1
+  for am_file in include/config.h; do
+    case " $CONFIG_HEADERS " in
+    *" $am_file "*)
+      echo timestamp > `echo $am_file | sed 's%:.*%%;s%[^/]*$%%'`stamp-h$am_indx
+      ;;
+    esac
+    am_indx=\`expr \$am_indx + 1\`
+  done
+AMDEP="$AMDEP"
+ac_aux_dir="$ac_aux_dir"
+
+EOF
+
+cat >>$CONFIG_STATUS <<EOF
+
+#
+# CONFIG_FILES section.
+#
+
+# No need to generate the scripts if there are no CONFIG_FILES.
+# This happens for instance when ./config.status config.h
+if test -n "\$CONFIG_FILES"; then
+  # Protect against being on the right side of a sed subst in config.status.
+  sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g;
+   s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF
+s,@SHELL@,$SHELL,;t t
+s,@exec_prefix@,$exec_prefix,;t t
+s,@prefix@,$prefix,;t t
+s,@program_transform_name@,$program_transform_name,;t t
+s,@bindir@,$bindir,;t t
+s,@sbindir@,$sbindir,;t t
+s,@libexecdir@,$libexecdir,;t t
+s,@datadir@,$datadir,;t t
+s,@sysconfdir@,$sysconfdir,;t t
+s,@sharedstatedir@,$sharedstatedir,;t t
+s,@localstatedir@,$localstatedir,;t t
+s,@libdir@,$libdir,;t t
+s,@includedir@,$includedir,;t t
+s,@oldincludedir@,$oldincludedir,;t t
+s,@infodir@,$infodir,;t t
+s,@mandir@,$mandir,;t t
+s,@ECHO_C@,$ECHO_C,;t t
+s,@ECHO_N@,$ECHO_N,;t t
+s,@ECHO_T@,$ECHO_T,;t t
+s,@CFLAGS@,$CFLAGS,;t t
+s,@CPPFLAGS@,$CPPFLAGS,;t t
+s,@CXXFLAGS@,$CXXFLAGS,;t t
+s,@FFLAGS@,$FFLAGS,;t t
+s,@DEFS@,$DEFS,;t t
+s,@LDFLAGS@,$LDFLAGS,;t t
+s,@LIBS@,$LIBS,;t t
+s,@CC@,$CC,;t t
+s,@ac_ct_CC@,$ac_ct_CC,;t t
+s,@OBJEXT@,$OBJEXT,;t t
+s,@EXEEXT@,$EXEEXT,;t t
+s,@CPP@,$CPP,;t t
+s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t
+s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t
+s,@INSTALL_DATA@,$INSTALL_DATA,;t t
+s,@PACKAGE@,$PACKAGE,;t t
+s,@VERSION@,$VERSION,;t t
+s,@ACLOCAL@,$ACLOCAL,;t t
+s,@AUTOCONF@,$AUTOCONF,;t t
+s,@AUTOMAKE@,$AUTOMAKE,;t t
+s,@AUTOHEADER@,$AUTOHEADER,;t t
+s,@MAKEINFO@,$MAKEINFO,;t t
+s,@AMTAR@,$AMTAR,;t t
+s,@install_sh@,$install_sh,;t t
+s,@AWK@,$AWK,;t t
+s,@SET_MAKE@,$SET_MAKE,;t t
+s,@AMDEP@,$AMDEP,;t t
+s,@AMDEPBACKSLASH@,$AMDEPBACKSLASH,;t t
+s,@DEPDIR@,$DEPDIR,;t t
+s,@CCDEPMODE@,$CCDEPMODE,;t t
+s,@build@,$build,;t t
+s,@build_cpu@,$build_cpu,;t t
+s,@build_vendor@,$build_vendor,;t t
+s,@build_os@,$build_os,;t t
+s,@host@,$host,;t t
+s,@host_cpu@,$host_cpu,;t t
+s,@host_vendor@,$host_vendor,;t t
+s,@host_os@,$host_os,;t t
+s,@CANONICAL_HOST@,$CANONICAL_HOST,;t t
+s,@YACC@,$YACC,;t t
+s,@LEX@,$LEX,;t t
+s,@LEXLIB@,$LEXLIB,;t t
+s,@LEX_OUTPUT_ROOT@,$LEX_OUTPUT_ROOT,;t t
+s,@RANLIB@,$RANLIB,;t t
+s,@ac_ct_RANLIB@,$ac_ct_RANLIB,;t t
+s,@LN_S@,$LN_S,;t t
+s,@STRIP@,$STRIP,;t t
+s,@ac_ct_STRIP@,$ac_ct_STRIP,;t t
+s,@LIBTOOL@,$LIBTOOL,;t t
+s,@WFLAGS@,$WFLAGS,;t t
+s,@WFLAGS_NOUNUSED@,$WFLAGS_NOUNUSED,;t t
+s,@WFLAGS_NOIMPLICITINT@,$WFLAGS_NOIMPLICITINT,;t t
+s,@LIB_dbopen@,$LIB_dbopen,;t t
+s,@LIB_dbm_firstkey@,$LIB_dbm_firstkey,;t t
+s,@LIB_db_create@,$LIB_db_create,;t t
+s,@DBLIB@,$DBLIB,;t t
+s,@VOID_RETSIGTYPE@,$VOID_RETSIGTYPE,;t t
+s,@have_err_h_TRUE@,$have_err_h_TRUE,;t t
+s,@have_err_h_FALSE@,$have_err_h_FALSE,;t t
+s,@have_fnmatch_h_TRUE@,$have_fnmatch_h_TRUE,;t t
+s,@have_fnmatch_h_FALSE@,$have_fnmatch_h_FALSE,;t t
+s,@have_ifaddrs_h_TRUE@,$have_ifaddrs_h_TRUE,;t t
+s,@have_ifaddrs_h_FALSE@,$have_ifaddrs_h_FALSE,;t t
+s,@have_vis_h_TRUE@,$have_vis_h_TRUE,;t t
+s,@have_vis_h_FALSE@,$have_vis_h_FALSE,;t t
+s,@LIB_socket@,$LIB_socket,;t t
+s,@LIB_gethostbyname@,$LIB_gethostbyname,;t t
+s,@LIB_syslog@,$LIB_syslog,;t t
+s,@LIB_gethostbyname2@,$LIB_gethostbyname2,;t t
+s,@LIB_res_search@,$LIB_res_search,;t t
+s,@LIB_dn_expand@,$LIB_dn_expand,;t t
+s,@have_glob_h_TRUE@,$have_glob_h_TRUE,;t t
+s,@have_glob_h_FALSE@,$have_glob_h_FALSE,;t t
+s,@LIB_getsockopt@,$LIB_getsockopt,;t t
+s,@LIB_setsockopt@,$LIB_setsockopt,;t t
+s,@LIB_hstrerror@,$LIB_hstrerror,;t t
+s,@LIBOBJS@,$LIBOBJS,;t t
+s,@LIB_bswap16@,$LIB_bswap16,;t t
+s,@LIB_bswap32@,$LIB_bswap32,;t t
+s,@LIB_pidfile@,$LIB_pidfile,;t t
+s,@LIB_crypt@,$LIB_crypt,;t t
+s,@DIR_roken@,$DIR_roken,;t t
+s,@LIB_roken@,$LIB_roken,;t t
+s,@INCLUDES_roken@,$INCLUDES_roken,;t t
+s,@INCLUDE_openldap@,$INCLUDE_openldap,;t t
+s,@LIB_openldap@,$LIB_openldap,;t t
+s,@INCLUDE_krb4@,$INCLUDE_krb4,;t t
+s,@LIB_krb4@,$LIB_krb4,;t t
+s,@EXTRA_LIB45@,$EXTRA_LIB45,;t t
+s,@LIB_krb_enable_debug@,$LIB_krb_enable_debug,;t t
+s,@LIB_krb_disable_debug@,$LIB_krb_disable_debug,;t t
+s,@LIB_krb_get_our_ip_for_realm@,$LIB_krb_get_our_ip_for_realm,;t t
+s,@KRB4_TRUE@,$KRB4_TRUE,;t t
+s,@KRB4_FALSE@,$KRB4_FALSE,;t t
+s,@KRB5_TRUE@,$KRB5_TRUE,;t t
+s,@KRB5_FALSE@,$KRB5_FALSE,;t t
+s,@do_roken_rename_TRUE@,$do_roken_rename_TRUE,;t t
+s,@do_roken_rename_FALSE@,$do_roken_rename_FALSE,;t t
+s,@LIB_kdb@,$LIB_kdb,;t t
+s,@DCE_TRUE@,$DCE_TRUE,;t t
+s,@DCE_FALSE@,$DCE_FALSE,;t t
+s,@dpagaix_CFLAGS@,$dpagaix_CFLAGS,;t t
+s,@dpagaix_LDADD@,$dpagaix_LDADD,;t t
+s,@LIB_otp@,$LIB_otp,;t t
+s,@OTP_TRUE@,$OTP_TRUE,;t t
+s,@OTP_FALSE@,$OTP_FALSE,;t t
+s,@LIB_security@,$LIB_security,;t t
+s,@NROFF@,$NROFF,;t t
+s,@GROFF@,$GROFF,;t t
+s,@CATMAN@,$CATMAN,;t t
+s,@CATMAN_TRUE@,$CATMAN_TRUE,;t t
+s,@CATMAN_FALSE@,$CATMAN_FALSE,;t t
+s,@CATMANEXT@,$CATMANEXT,;t t
+s,@INCLUDE_readline@,$INCLUDE_readline,;t t
+s,@LIB_readline@,$LIB_readline,;t t
+s,@INCLUDE_hesiod@,$INCLUDE_hesiod,;t t
+s,@LIB_hesiod@,$LIB_hesiod,;t t
+s,@AIX_TRUE@,$AIX_TRUE,;t t
+s,@AIX_FALSE@,$AIX_FALSE,;t t
+s,@AIX4_TRUE@,$AIX4_TRUE,;t t
+s,@AIX4_FALSE@,$AIX4_FALSE,;t t
+s,@AIX_DYNAMIC_AFS_TRUE@,$AIX_DYNAMIC_AFS_TRUE,;t t
+s,@AIX_DYNAMIC_AFS_FALSE@,$AIX_DYNAMIC_AFS_FALSE,;t t
+s,@LIB_dlopen@,$LIB_dlopen,;t t
+s,@HAVE_DLOPEN_TRUE@,$HAVE_DLOPEN_TRUE,;t t
+s,@HAVE_DLOPEN_FALSE@,$HAVE_DLOPEN_FALSE,;t t
+s,@AIX_EXTRA_KAFS@,$AIX_EXTRA_KAFS,;t t
+s,@IRIX_TRUE@,$IRIX_TRUE,;t t
+s,@IRIX_FALSE@,$IRIX_FALSE,;t t
+s,@X_CFLAGS@,$X_CFLAGS,;t t
+s,@X_PRE_LIBS@,$X_PRE_LIBS,;t t
+s,@X_LIBS@,$X_LIBS,;t t
+s,@X_EXTRA_LIBS@,$X_EXTRA_LIBS,;t t
+s,@HAVE_X_TRUE@,$HAVE_X_TRUE,;t t
+s,@HAVE_X_FALSE@,$HAVE_X_FALSE,;t t
+s,@LIB_XauWriteAuth@,$LIB_XauWriteAuth,;t t
+s,@LIB_XauReadAuth@,$LIB_XauReadAuth,;t t
+s,@LIB_XauFileName@,$LIB_XauFileName,;t t
+s,@NEED_WRITEAUTH_TRUE@,$NEED_WRITEAUTH_TRUE,;t t
+s,@NEED_WRITEAUTH_FALSE@,$NEED_WRITEAUTH_FALSE,;t t
+s,@LIB_logwtmp@,$LIB_logwtmp,;t t
+s,@LIB_tgetent@,$LIB_tgetent,;t t
+s,@LIB_getpwnam_r@,$LIB_getpwnam_r,;t t
+s,@LIB_MD4_Init@,$LIB_MD4_Init,;t t
+s,@LIB_MD5_Init@,$LIB_MD5_Init,;t t
+s,@LIB_SHA1_Init@,$LIB_SHA1_Init,;t t
+s,@LIB_des_cbc_encrypt@,$LIB_des_cbc_encrypt,;t t
+s,@LIB_RC4@,$LIB_RC4,;t t
+s,@DIR_des@,$DIR_des,;t t
+s,@LIB_des@,$LIB_des,;t t
+s,@LIB_des_appl@,$LIB_des_appl,;t t
+s,@LIB_el_init@,$LIB_el_init,;t t
+s,@el_compat_TRUE@,$el_compat_TRUE,;t t
+s,@el_compat_FALSE@,$el_compat_FALSE,;t t
+s,@LIB_AUTH_SUBDIRS@,$LIB_AUTH_SUBDIRS,;t t
+s,@LTLIBOBJS@,$LTLIBOBJS,;t t
+CEOF
+
+EOF
+
+  cat >>$CONFIG_STATUS <<\EOF
+  # Split the substitutions into bite-sized pieces for seds with
+  # small command number limits, like on Digital OSF/1 and HP-UX.
+  ac_max_sed_lines=48
+  ac_sed_frag=1 # Number of current file.
+  ac_beg=1 # First line for current file.
+  ac_end=$ac_max_sed_lines # Line after last line for current file.
+  ac_more_lines=:
+  ac_sed_cmds=
+  while $ac_more_lines; do
+    if test $ac_beg -gt 1; then
+      sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
+    else
+      sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
+    fi
+    if test ! -s $tmp/subs.frag; then
+      ac_more_lines=false
+    else
+      # The purpose of the label and of the branching condition is to
+      # speed up the sed processing (if there are no `@' at all, there
+      # is no need to browse any of the substitutions).
+      # These are the two extra sed commands mentioned above.
+      (echo ':t
+  /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed
+      if test -z "$ac_sed_cmds"; then
+  	ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed"
+      else
+  	ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed"
+      fi
+      ac_sed_frag=`expr $ac_sed_frag + 1`
+      ac_beg=$ac_end
+      ac_end=`expr $ac_end + $ac_max_sed_lines`
+    fi
+  done
+  if test -z "$ac_sed_cmds"; then
+    ac_sed_cmds=cat
+  fi
+fi # test -n "$CONFIG_FILES"
+
+EOF
+cat >>$CONFIG_STATUS <<\EOF
+for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case $ac_file in
+  - | *:- | *:-:* ) # input from stdin
+        cat >$tmp/stdin
+        ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+        ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+        ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  * )   ac_file_in=$ac_file.in ;;
+  esac
+
+  # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories.
+  ac_dir=`$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+         X"$ac_file" : 'X\(//\)[^/]' \| \
+         X"$ac_file" : 'X\(//\)$' \| \
+         X"$ac_file" : 'X\(/\)' \| \
+         .     : '\(.\)' 2>/dev/null ||
+echo X"$ac_file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+  	  /^X\(\/\/\)$/{ s//\1/; q; }
+  	  /^X\(\/\).*/{ s//\1/; q; }
+  	  s/.*/./; q'`
+  if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
+    { case "$ac_dir" in
+  [\\/]* | ?:[\\/]* ) ac_incr_dir=;;
+  *)                      ac_incr_dir=.;;
+esac
+ac_dummy="$ac_dir"
+for ac_mkdir_dir in `IFS=/; set X $ac_dummy; shift; echo "$@"`; do
+  ac_incr_dir=$ac_incr_dir/$ac_mkdir_dir
+  test -d $ac_incr_dir || mkdir $ac_incr_dir
+done; }
+
+    ac_dir_suffix="/`echo $ac_dir|sed 's,^\./,,'`"
+    # A "../" for each directory in $ac_dir_suffix.
+    ac_dots=`echo "$ac_dir_suffix" | sed 's,/[^/]*,../,g'`
+  else
+    ac_dir_suffix= ac_dots=
+  fi
+
+  case $ac_given_srcdir in
+  .)  srcdir=.
+      if test -z "$ac_dots"; then top_srcdir=.
+      else top_srcdir=`echo $ac_dots | sed 's,/$,,'`; fi ;;
+  [\\/]* | ?:[\\/]* )
+      srcdir=$ac_given_srcdir$ac_dir_suffix;
+      top_srcdir=$ac_given_srcdir ;;
+  *) # Relative path.
+    srcdir=$ac_dots$ac_given_srcdir$ac_dir_suffix
+    top_srcdir=$ac_dots$ac_given_srcdir ;;
+  esac
+
+  case $ac_given_INSTALL in
+  [\\/$]* | ?:[\\/]* ) INSTALL=$ac_given_INSTALL ;;
+  *) INSTALL=$ac_dots$ac_given_INSTALL ;;
+  esac
+
+  if test x"$ac_file" != x-; then
+    { echo "$as_me:20357: creating $ac_file" >&5
+echo "creating $ac_file" >&6;}
+    rm -f "$ac_file"
+  fi
+  # Let's still pretend it is `configure' which instantiates (i.e., don't
+  # use $as_me), people would be surprised to read:
+  #    /* config.h.  Generated automatically by config.status.  */
+  configure_input="Generated automatically from `echo $ac_file_in |
+                                                 sed 's,.*/,,'` by configure."
+
+  # Don't redirect the output to AC_FILE directly: use `mv' so that
+  # updating is atomic, and doesn't need trapping.
+
+  # First look for the input files in the build tree, otherwise in the
+  # src tree.
+  ac_file_inputs=`IFS=:
+    for f in $ac_file_in; do
+      case $f in
+      -) echo $tmp/stdin ;;
+      [\\/$]* | ?:[\\/]*)
+         # Absolute
+         test -f "$f" || {  echo "$as_me: error: cannot find input file: $f" >&2
+  { (exit 1); exit; }; }
+         echo $f;;
+      *) # Relative
+         if test -f "$f"; then
+           # Build tree
+           echo $f
+         elif test -f "$ac_given_srcdir/$f"; then
+           # Source tree
+           echo $ac_given_srcdir/$f
+         else
+           # /dev/null tree
+           {  echo "$as_me: error: cannot find input file: $f" >&2
+  { (exit 1); exit; }; }
+         fi;;
+      esac
+    done` || { (exit 1); exit; }
+EOF
+cat >>$CONFIG_STATUS <<EOF
+  sed "$ac_vpsub
+$extrasub
+EOF
+cat >>$CONFIG_STATUS <<\EOF
+:t
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+s,@configure_input@,$configure_input,;t t
+s,@srcdir@,$srcdir,;t t
+s,@top_srcdir@,$top_srcdir,;t t
+s,@INSTALL@,$INSTALL,;t t
+" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
+  rm -f $tmp/stdin
+  if test x"$ac_file" != x-; then
+    mv $tmp/out $ac_file
+  else
+    cat $tmp/out
+    rm -f $tmp/out
+  fi
+
+done
+EOF
+cat >>$CONFIG_STATUS <<\EOF
+
+#
+# CONFIG_HEADER section.
+#
+
+# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
+# NAME is the cpp macro being defined and VALUE is the value it is being given.
+#
+# ac_d sets the value in "#define NAME VALUE" lines.
+ac_dA='s,^\([ 	]*\)#\([ 	]*define[ 	][ 	]*\)'
+ac_dB='[ 	].*$,\1#\2'
+ac_dC=' '
+ac_dD=',;t'
+# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
+ac_uA='s,^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
+ac_uB='$,\1#\2define\3'
+ac_uC=' '
+ac_uD=',;t'
+
+for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case $ac_file in
+  - | *:- | *:-:* ) # input from stdin
+        cat >$tmp/stdin
+        ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+        ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+        ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  * )   ac_file_in=$ac_file.in ;;
+  esac
+
+  test x"$ac_file" != x- && { echo "$as_me:20450: creating $ac_file" >&5
+echo "creating $ac_file" >&6;}
+
+  # First look for the input files in the build tree, otherwise in the
+  # src tree.
+  ac_file_inputs=`IFS=:
+    for f in $ac_file_in; do
+      case $f in
+      -) echo $tmp/stdin ;;
+      [\\/$]* | ?:[\\/]*)
+         # Absolute
+         test -f "$f" || {  echo "$as_me: error: cannot find input file: $f" >&2
+  { (exit 1); exit; }; }
+         echo $f;;
+      *) # Relative
+         if test -f "$f"; then
+           # Build tree
+           echo $f
+         elif test -f "$ac_given_srcdir/$f"; then
+           # Source tree
+           echo $ac_given_srcdir/$f
+         else
+           # /dev/null tree
+           {  echo "$as_me: error: cannot find input file: $f" >&2
+  { (exit 1); exit; }; }
+         fi;;
+      esac
+    done` || { (exit 1); exit; }
+  # Remove the trailing spaces.
+  sed 's/[ 	]*$//' $ac_file_inputs >$tmp/in
+
+EOF
+
+# Transform confdefs.h into two sed scripts, `conftest.defines' and
+# `conftest.undefs', that substitutes the proper values into
+# config.h.in to produce config.h.  The first handles `#define'
+# templates, and the second `#undef' templates.
+# And first: Protect against being on the right side of a sed subst in
+# config.status.  Protect against being in an unquoted here document
+# in config.status.
+rm -f conftest.defines conftest.undefs
+# Using a here document instead of a string reduces the quoting nightmare.
+# Putting comments in sed scripts is not portable.
+#
+# `end' is used to avoid that the second main sed command (meant for
+# 0-ary CPP macros) applies to n-ary macro definitions.
+# See the Autoconf documentation for `clear'.
+cat >confdef2sed.sed <<\EOF
+s/[\\&,]/\\&/g
+s,[\\$`],\\&,g
+t clear
+: clear
+s,^[ 	]*#[ 	]*define[ 	][ 	]*\(\([^ 	(][^ 	(]*\)([^)]*)\)[ 	]*\(.*\)$,${ac_dA}\2${ac_dB}\1${ac_dC}\3${ac_dD},gp
+t end
+s,^[ 	]*#[ 	]*define[ 	][ 	]*\([^ 	][^ 	]*\)[ 	]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp
+: end
+EOF
+# If some macros were called several times there might be several times
+# the same #defines, which is useless.  Nevertheless, we may not want to
+# sort them, since we want the *last* AC_DEFINE to be honored.
+uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines
+sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs
+rm -f confdef2sed.sed
+
+# This sed command replaces #undef with comments.  This is necessary, for
+# example, in the case of _POSIX_SOURCE, which is predefined and required
+# on some systems where configure will not decide to define it.
+cat >>conftest.undefs <<\EOF
+s,^[ 	]*#[ 	]*undef[ 	][ 	]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */,
+EOF
+
+# Break up conftest.defines because some shells have a limit on the size
+# of here documents, and old seds have small limits too (100 cmds).
+echo '  # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS
+echo '  if egrep "^[ 	]*#[ 	]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
+echo '  # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS
+echo '  :' >>$CONFIG_STATUS
+rm -f conftest.tail
+while grep . conftest.defines >/dev/null
+do
+  # Write a limited-size here document to $tmp/defines.sed.
+  echo '  cat >$tmp/defines.sed <<CEOF' >>$CONFIG_STATUS
+  # Speed up: don't consider the non `#define' lines.
+  echo '/^[ 	]*#[ 	]*define/!b' >>$CONFIG_STATUS
+  # Work around the forget-to-reset-the-flag bug.
+  echo 't clr' >>$CONFIG_STATUS
+  echo ': clr' >>$CONFIG_STATUS
+  sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS
+  echo 'CEOF
+  sed -f $tmp/defines.sed $tmp/in >$tmp/out
+  rm -f $tmp/in
+  mv $tmp/out $tmp/in
+' >>$CONFIG_STATUS
+  sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail
+  rm -f conftest.defines
+  mv conftest.tail conftest.defines
+done
+rm -f conftest.defines
+echo '  fi # egrep' >>$CONFIG_STATUS
+echo >>$CONFIG_STATUS
+
+# Break up conftest.undefs because some shells have a limit on the size
+# of here documents, and old seds have small limits too (100 cmds).
+echo '  # Handle all the #undef templates' >>$CONFIG_STATUS
+rm -f conftest.tail
+while grep . conftest.undefs >/dev/null
+do
+  # Write a limited-size here document to $tmp/undefs.sed.
+  echo '  cat >$tmp/undefs.sed <<CEOF' >>$CONFIG_STATUS
+  # Speed up: don't consider the non `#undef'
+  echo '/^[ 	]*#[ 	]*undef/!b' >>$CONFIG_STATUS
+  # Work around the forget-to-reset-the-flag bug.
+  echo 't clr' >>$CONFIG_STATUS
+  echo ': clr' >>$CONFIG_STATUS
+  sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS
+  echo 'CEOF
+  sed -f $tmp/undefs.sed $tmp/in >$tmp/out
+  rm -f $tmp/in
+  mv $tmp/out $tmp/in
+' >>$CONFIG_STATUS
+  sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail
+  rm -f conftest.undefs
+  mv conftest.tail conftest.undefs
+done
+rm -f conftest.undefs
+
+cat >>$CONFIG_STATUS <<\EOF
+  # Let's still pretend it is `configure' which instantiates (i.e., don't
+  # use $as_me), people would be surprised to read:
+  #    /* config.h.  Generated automatically by config.status.  */
+  if test x"$ac_file" = x-; then
+    echo "/* Generated automatically by configure.  */" >$tmp/config.h
+  else
+    echo "/* $ac_file.  Generated automatically by configure.  */" >$tmp/config.h
+  fi
+  cat $tmp/in >>$tmp/config.h
+  rm -f $tmp/in
+  if test x"$ac_file" != x-; then
+    if cmp -s $ac_file $tmp/config.h 2>/dev/null; then
+      { echo "$as_me:20589: $ac_file is unchanged" >&5
+echo "$ac_file is unchanged" >&6;}
+    else
+      ac_dir=`$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+         X"$ac_file" : 'X\(//\)[^/]' \| \
+         X"$ac_file" : 'X\(//\)$' \| \
+         X"$ac_file" : 'X\(/\)' \| \
+         .     : '\(.\)' 2>/dev/null ||
+echo X"$ac_file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+  	  /^X\(\/\/\)$/{ s//\1/; q; }
+  	  /^X\(\/\).*/{ s//\1/; q; }
+  	  s/.*/./; q'`
+      if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
+        { case "$ac_dir" in
+  [\\/]* | ?:[\\/]* ) ac_incr_dir=;;
+  *)                      ac_incr_dir=.;;
+esac
+ac_dummy="$ac_dir"
+for ac_mkdir_dir in `IFS=/; set X $ac_dummy; shift; echo "$@"`; do
+  ac_incr_dir=$ac_incr_dir/$ac_mkdir_dir
+  test -d $ac_incr_dir || mkdir $ac_incr_dir
+done; }
+
+      fi
+      rm -f $ac_file
+      mv $tmp/config.h $ac_file
+    fi
+  else
+    cat $tmp/config.h
+    rm -f $tmp/config.h
+  fi
+done
+EOF
+cat >>$CONFIG_STATUS <<\EOF
+
+#
+# CONFIG_COMMANDS section.
+#
+for ac_file in : $CONFIG_COMMANDS; do test "x$ac_file" = x: && continue
+  ac_dest=`echo "$ac_file" | sed 's,:.*,,'`
+  ac_source=`echo "$ac_file" | sed 's,[^:]*:,,'`
+
+  case $ac_dest in
+    default-1 ) test -z "$CONFIG_HEADERS" || echo timestamp >	   include/stamp-h ;;
+    default-2 )
+test x"$AMDEP" != x"" ||
+for mf in $CONFIG_FILES; do
+  case "$mf" in
+  Makefile) dirpart=.;;
+  */Makefile) dirpart=`echo "$mf" | sed -e 's|/[^/]*$||'`;;
+  *) continue;;
+  esac
+  grep '^DEP_FILES *= *[^ #]' < "$mf" > /dev/null || continue
+  # Extract the definition of DEP_FILES from the Makefile without
+  # running `make'.
+  DEPDIR=`sed -n -e '/^DEPDIR = / s///p' < "$mf"`
+  test -z "$DEPDIR" && continue
+  # When using ansi2knr, U may be empty or an underscore; expand it
+  U=`sed -n -e '/^U = / s///p' < "$mf"`
+  test -d "$dirpart/$DEPDIR" || mkdir "$dirpart/$DEPDIR"
+  # We invoke sed twice because it is the simplest approach to
+  # changing $(DEPDIR) to its actual value in the expansion.
+  for file in `sed -n -e '
+    /^DEP_FILES = .*\\\\$/ {
+      s/^DEP_FILES = //
+      :loop
+	s/\\\\$//
+	p
+	n
+	/\\\\$/ b loop
+      p
+    }
+    /^DEP_FILES = / s/^DEP_FILES = //p' < "$mf" | \
+       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+    # Make sure the directory exists.
+    test -f "$dirpart/$file" && continue
+    fdir=`echo "$file" | sed -e 's|/[^/]*$||'`
+    $ac_aux_dir/mkinstalldirs "$dirpart/$fdir" > /dev/null 2>&1
+    # echo "creating $dirpart/$file"
+    echo '# dummy' > "$dirpart/$file"
+  done
+done
+ ;;
+  esac
+done
+EOF
+
+cat >>$CONFIG_STATUS <<\EOF
+
+exit 0
+EOF
+chmod +x $CONFIG_STATUS
+ac_clean_files=$ac_clean_files_save
+
+test "$no_create" = yes || $SHELL $CONFIG_STATUS || { (exit 1); exit; }
+
+HEIMDALVERSION="$PACKAGE-$VERSION"
+
+cat > include/newversion.h.in <<EOF
+const char *heimdal_long_version = "@(#)\$Version: $HEIMDALVERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+const char *heimdal_version = "$HEIMDALVERSION";
+EOF
+
+if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+	echo "include/version.h is unchanged"
+	rm -f include/newversion.h.in
+else
+ 	echo "creating include/version.h"
+ 	User=${USER-${LOGNAME}}
+ 	Host=`(hostname || uname -n || echo unknown) 2>/dev/null | sed 1q`
+ 	Date=`date`
+	mv -f include/newversion.h.in include/version.h.in
+	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+fi
diff --git a/crypto/heimdal/configure.in b/crypto/heimdal/configure.in
new file mode 100644
index 0000000..5072966
--- /dev/null
+++ b/crypto/heimdal/configure.in
@@ -0,0 +1,759 @@
+dnl Process this file with autoconf to produce a configure script.
+AC_REVISION($Revision: 1.278 $)
+AC_PREREQ(2.14.-1.1)dnl 2.14a
+AC_INIT(heimdal, 0.3f, heimdal-bugs@pdc.kth.se)
+AM_CONFIG_HEADER(include/config.h)
+
+dnl Checks for programs.
+AC_PROG_CC
+AC_PROG_CPP
+AC_PROG_CC_STDC
+
+AM_INIT_AUTOMAKE(heimdal,0.3f)
+
+AC_PREFIX_DEFAULT(/usr/heimdal)
+
+AC_CANONICAL_HOST
+CANONICAL_HOST=$host
+AC_SUBST(CANONICAL_HOST)
+
+sunos=no
+case "$host" in 
+*-*-sunos4*)
+	sunos=40
+	;;
+*-*-solaris2.7)
+	sunos=57
+	;;
+*-*-solaris2.8)
+	sunos=58
+	;;
+*-*-solaris2*)
+	sunos=50
+	;;
+esac
+if test "$sunos" != no; then
+	AC_DEFINE_UNQUOTED(SunOS, $sunos, 
+		[Define to what version of SunOS you are running.])
+fi
+
+aix=no
+case "$host" in 
+*-*-aix3*)
+	aix=3
+	;;
+*-*-aix4*)
+	aix=4
+	;;
+esac
+
+#test -z "$CFLAGS" && CFLAGS="-g"
+
+AC_OBJEXT
+AC_EXEEXT
+
+dnl AC_KRB_PROG_YACC
+AC_PROG_YACC
+AM_PROG_LEX
+AC_PROG_RANLIB
+AC_PROG_AWK
+AC_KRB_PROG_LN_S
+
+AC_MIPS_ABI
+CC="$CC $abi"
+libdir="$libdir$abilibdirext"
+
+AC_C___ATTRIBUTE__
+
+AC_ENABLE_SHARED(no)
+AC_PROG_LIBTOOL
+
+AC_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
+
+rk_DB
+
+dnl AC_ROKEN(10,[/usr/heimdal /usr/athena],[lib/roken],[$(top_builddir)/lib/roken/libroken.la],[-I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken])
+
+rk_ROKEN(lib/roken)
+LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken"
+
+AC_TEST_PACKAGE_NEW(openldap,
+[#include <lber.h>
+#include <ldap.h>],
+[-lldap -llber],,,OPENLDAP)
+
+if test "$openldap_libdir"; then
+	LIB_openldap="-R $openldap_libdir $LIB_openldap"
+fi
+
+AC_TEST_PACKAGE_NEW(krb4,[#include <krb.h>],-lkrb,-ldes,/usr/athena, KRB4)
+
+LIB_kdb=
+if test "$with_krb4" != "no"; then
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS $INCLUDE_krb4"
+	save_LIBS="$LIBS"
+	LIBS="$LIB_krb4 -ldes $LIBS"
+	EXTRA_LIB45=lib45.a
+	AC_SUBST(EXTRA_LIB45)
+	AC_CACHE_CHECK(for four valued krb_put_int, ac_cv_func_krb_put_int_four,
+		[AC_TRY_COMPILE([#include <krb.h>],[
+		char tmp[4];
+		krb_put_int(17, tmp, 4, sizeof(tmp));],
+		ac_cv_func_krb_put_int_four=yes,
+		ac_cv_func_krb_put_int_four=no)
+	])
+	if test "$ac_cv_func_krb_put_int_four" = yes; then
+		AC_DEFINE(HAVE_FOUR_VALUED_KRB_PUT_INT, 1,
+			[define if krb_put_int takes four arguments.])
+	fi
+	AH_BOTTOM([#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
+#else
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
+#endif
+])
+	AC_CACHE_CHECK(for KRB_VERIFY_SECURE, ac_cv_func_krb_verify_secure,
+		[AC_TRY_COMPILE([#include <krb.h>],[
+		int x = KRB_VERIFY_SECURE],
+		ac_cv_func_krb_verify_secure=yes,
+		ac_cv_func_krb_verify_secure=no)
+	])
+	if test "$ac_cv_func_krb_verify_secure" != yes; then
+		AC_DEFINE(KRB_VERIFY_SECURE, 1,
+			[Define to one if your krb.h doesn't])
+		AC_DEFINE(KRB_VERIFY_SECURE_FAIL, 2,
+			[Define to two if your krb.h doesn't])
+	fi
+	AC_CACHE_CHECK(for KRB_VERIFY_NOT_SECURE,
+		ac_cv_func_krb_verify_not_secure,
+		[AC_TRY_COMPILE([#include <krb.h>],[
+		int x = KRB_VERIFY_NOT_SECURE],
+		ac_cv_func_krb_verify_not_secure=yes,
+		ac_cv_func_krb_verify_not_secure=no)
+	])
+	if test "$ac_cv_func_krb_verify_not_secure" != yes; then
+		AC_DEFINE(KRB_VERIFY_NOT_SECURE, 0,
+			[Define to zero if your krb.h doesn't])
+	fi
+	AC_FIND_FUNC(krb_enable_debug)
+	AC_FIND_FUNC(krb_disable_debug)
+	AC_FIND_FUNC(krb_get_our_ip_for_realm)
+	AC_CACHE_CHECK(for krb_mk_req with const arguments,
+		ac_cv_func_krb_mk_req_const,
+		[AC_TRY_COMPILE([#include <krb.h>
+		int krb_mk_req(KTEXT a, const char *s, const char *i,
+			       const char *r, int32_t checksum)
+		{ return 17; }], [],
+		ac_cv_func_krb_mk_req_const=yes,
+		ac_cv_func_krb_mk_req_const=no)
+	])
+	if test "$ac_cv_func_krb_mk_req_const" = "yes"; then
+		AC_DEFINE(KRB_MK_REQ_CONST, 1,
+			[Define if krb_mk_req takes cons char *])
+	fi
+
+	LIBS="$save_LIBS"
+	CFLAGS="$save_CFLAGS"
+	LIB_kdb="-lkdb -lkrb"
+	test_LIB_krb4="$LIB_krb4"
+	if test "$krb4_libdir"; then
+		LIB_krb4="-R $krb4_libdir $LIB_krb4"
+		LIB_kdb="-R $krb4_libdir -L$krb4_libdir $LIB_kdb"
+	fi
+fi
+AM_CONDITIONAL(KRB4, test "$with_krb4" != "no")
+AM_CONDITIONAL(KRB5, true)
+AM_CONDITIONAL(do_roken_rename, true)
+
+AC_DEFINE(KRB5, 1, [Enable Kerberos 5 support in applications.])dnl
+AC_SUBST(LIB_kdb)dnl
+
+AC_ARG_ENABLE(dce, [  --enable-dce	if you want support for DCE/DFS PAG's.])
+if test "$enable_dce" = yes; then
+    AC_DEFINE(DCE, 1, [Define if you want support for DCE/DFS PAG's.])
+fi
+AM_CONDITIONAL(DCE, test "$enable_dce" = yes)
+
+## XXX quite horrible:
+if test -f /etc/ibmcxx.cfg; then
+	dpagaix_LDADD=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/libraries/{;s/^[[^=]]*=\(.*\)/\1/;s/,/ /gp;}'`
+	dpagaix_CFLAGS=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/options/{;s/^[[^=]]*=\(.*\)/\1/;s/-q[^,]*//;s/,/ /gp;}'`
+else
+	dpagaix_CFLAGS="-D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce"
+	dpagaix_LDADD="-L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r"
+	dpagaix_LDFLAGS="-Wl,-bI:dfspag.exp"
+fi
+AC_SUBST(dpagaix_CFLAGS)
+AC_SUBST(dpagaix_LDADD)
+
+
+AC_ARG_ENABLE(kaserver,
+[  --enable-kaserver	  if you want the KDC to try to emulate a kaserver])
+if test "$enable_kaserver" = yes; then
+	AC_DEFINE(KASERVER, 1,
+		[Define if you want to use the KDC as a kaserver.])
+	if test "$with_krb4" = "no"; then
+		AC_MSG_ERROR(kaserver requires krb4)
+		exit 1
+	fi
+fi
+
+AC_ARG_ENABLE(kaserver-db,
+[  --enable-kaserver-db	  if you want support for reading kaserver databases in hprop])
+if test "$enable_kaserver_db" = yes; then
+	AC_DEFINE(KASERVER_DB, 1,
+		[Define if you want support in hprop for reading kaserver databases])
+	if test "$with_krb4" = "no"; then
+		AC_MSG_ERROR(kaserver-db requires krb4)
+		exit 1
+	fi
+fi
+
+otp=yes
+AC_ARG_ENABLE(otp,
+[  --disable-otp          if you don't want OTP support],
+[
+if test "$enableval" = "no"; then
+	otp=no
+fi
+])
+if test "$otp" = "yes"; then
+	AC_DEFINE(OTP, 1, [Define if you want OTP support in applications.])
+	LIB_otp='$(top_builddir)/lib/otp/libotp.la'
+fi
+AC_SUBST(LIB_otp)
+AM_CONDITIONAL(OTP, test "$otp" = yes)dnl
+
+AC_CHECK_OSFC2
+
+rk_CHECK_MAN
+
+AC_TEST_PACKAGE_NEW(readline,
+[#include <stdio.h>
+ #include <readline.h>],-lreadline,,, READLINE)
+
+AC_TEST_PACKAGE_NEW(hesiod,[#include <hesiod.h>],-lhesiod,,, HESIOD)
+
+KRB_C_BIGENDIAN
+AC_C_INLINE
+
+KRB_AIX
+KRB_IRIX
+
+KRB_CHECK_X
+
+AM_CONDITIONAL(HAVE_X, test "$no_x" != yes)
+
+AC_CHECK_XAU
+
+dnl AM_C_PROTOTYPES
+
+dnl Checks for typedefs, structures, and compiler characteristics.
+AC_C_CONST
+AC_TYPE_OFF_T
+AC_TYPE_SIZE_T
+AC_CHECK_TYPE_EXTRA(ssize_t, int, [#include <unistd.h>])
+AC_TYPE_PID_T
+AC_TYPE_UID_T
+AC_CHECK_TYPE_EXTRA(mode_t, unsigned short, [])
+AC_CHECK_TYPE_EXTRA(sig_atomic_t, int, [#include <signal.h>])
+AC_HAVE_TYPE([long long])
+AC_HEADER_TIME
+AC_STRUCT_TM
+
+dnl Checks for header files.
+AC_HEADER_STDC
+
+AC_CHECK_HEADERS([\
+	arpa/ftp.h				\
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	arpa/telnet.h				\
+	bind/bitypes.h				\
+	bsdsetjmp.h				\
+	crypt.h					\
+	curses.h				\
+	dbm.h					\
+	dirent.h				\
+	dlfcn.h					\
+	err.h					\
+	errno.h					\
+	fcntl.h					\
+	fnmatch.h				\
+	gdbm/ndbm.h				\
+	grp.h					\
+	inttypes.h				\
+	io.h					\
+	limits.h				\
+	maillock.h				\
+	ndbm.h					\
+	net/if.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6.h				\
+	netinet/in6_machtypes.h			\
+	netinet/in6_var.h			\
+	netinet/in_systm.h			\
+	netinet6/in6.h				\
+	netinfo/ni.h				\
+	paths.h					\
+	pthread.h				\
+	pty.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	sac.h					\
+	security/pam_modules.h			\
+	sgtty.h					\
+	shadow.h				\
+	siad.h					\
+	signal.h				\
+	stropts.h				\
+	sys/bitypes.h				\
+	sys/category.h				\
+	sys/file.h				\
+	sys/filio.h				\
+	sys/ioccom.h				\
+	sys/ioctl.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/pty.h				\
+	sys/ptyio.h				\
+	sys/ptyvar.h				\
+	sys/resource.h				\
+	sys/select.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/str_tty.h				\
+	sys/stream.h				\
+	sys/stropts.h				\
+	sys/strtty.h				\
+	sys/syscall.h				\
+	sys/sysctl.h				\
+	sys/termio.h				\
+	sys/time.h				\
+	sys/timeb.h				\
+	sys/times.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/un.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	term.h					\
+	termio.h				\
+	termios.h				\
+	time.h					\
+	tmpdir.h				\
+	udb.h					\
+	unistd.h				\
+	userconf.h				\
+	usersec.h				\
+	util.h					\
+	utmp.h					\
+	utmpx.h					\
+])
+
+CHECK_NETINET_IP_AND_TCP
+
+
+AC_ARG_ENABLE(netinfo,
+[  --enable-netinfo      enable netinfo for configuration lookup])
+
+if test "$ac_cv_header_netinfo_ni_h" = yes -a "$enable_netinfo" = yes; then
+       AC_DEFINE(HAVE_NETINFO, 1,
+               [Define if you want to use Netinfo instead of krb5.conf.])
+fi
+
+AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes)
+AM_CONDITIONAL(have_fnmatch_h, test "$ac_cv_header_fnmatch_h" = yes)
+
+AC_KRB_IPV6
+
+dnl Checks for libraries.
+
+AC_FIND_FUNC(socket, socket)
+AC_FIND_FUNC(gethostbyname, nsl)
+AC_FIND_FUNC(syslog, syslog)
+
+AC_FIND_FUNC_NO_LIBS(logwtmp, util)
+AC_FIND_FUNC_NO_LIBS(tgetent, termcap ncurses curses)
+AC_FIND_FUNC(gethostbyname2, inet6 ip6)
+
+AC_FIND_FUNC(res_search, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_FIND_FUNC(dn_expand, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+dnl Checks for library functions.
+
+AC_BROKEN_SNPRINTF
+AC_BROKEN_VSNPRINTF
+
+AC_CHECK_FUNCS([				\
+	_getpty					\
+	_scrsize				\
+	fcntl					\
+	gettimeofday				\
+	getuid					\
+	grantpt					\
+	mktime					\
+	ptsname					\
+	rand					\
+	random					\
+	revoke					\
+	select					\
+	setitimer				\
+	setpcred				\
+	setpgid					\
+	setproctitle				\
+	setregid				\
+	setresgid				\
+	setresuid				\
+	setreuid				\
+	setsid					\
+	setutent				\
+	sigaction				\
+	strstr					\
+	timegm					\
+	ttyname					\
+	ttyslot					\
+	umask					\
+	unlockpt				\
+	vhangup					\
+	yp_get_default_domain			\
+])
+
+KRB_CAPABILITIES
+
+AC_CHECK_GETPWNAM_R_POSIX
+
+AC_FIND_FUNC_NO_LIBS(getsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+AC_FIND_FUNC_NO_LIBS(setsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+
+dnl Cray stuff
+AC_CHECK_FUNCS(getudbnam setlim)
+
+rk_RETSIGTYPE
+
+rk_BROKEN_REALLOC
+
+dnl AC_KRB_FUNC_GETCWD_BROKEN
+
+dnl
+dnl Check for fields in struct utmp
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_addr, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_host, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_id, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_pid, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_type, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_user, [#include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmpx, ut_exit, [#include <utmpx.h>])
+AC_HAVE_STRUCT_FIELD(struct utmpx, ut_syslen, [#include <utmpx.h>])
+
+dnl
+dnl Check for fields in struct tm
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct tm, tm_gmtoff, [#include <time.h>])
+AC_HAVE_STRUCT_FIELD(struct tm, tm_zone, [#include <time.h>])
+
+dnl
+dnl or do we have a variable `timezone' ?
+dnl
+
+rk_CHECK_VAR(timezone, [#include <time.h>])
+
+AC_HAVE_TYPE([sa_family_t],[#include <sys/socket.h>])
+
+AC_HAVE_TYPE([socklen_t],[#include <sys/socket.h>])
+
+AC_HAVE_TYPE([struct sockaddr], [#include <sys/socket.h>])
+
+AC_HAVE_TYPE([struct sockaddr_storage], [#include <sys/socket.h>])
+
+AC_HAVE_TYPE([struct addrinfo], [#include <netdb.h>])
+
+dnl
+dnl Check for struct winsize
+dnl
+
+AC_KRB_STRUCT_WINSIZE
+
+dnl
+dnl Check for struct spwd
+dnl
+
+AC_KRB_STRUCT_SPWD
+
+dnl
+dnl Check for sa_len in struct sockaddr
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include <sys/types.h>
+#include <sys/socket.h>])
+
+
+AC_GROK_TYPES([int8_t int16_t int32_t int64_t \
+	u_int8_t u_int16_t u_int32_t u_int64_t \
+	uint8_t uint16_t uint32_t uint64_t])
+
+dnl
+dnl crypto functions tests
+dnl
+
+AC_CHECK_HEADERS([				\
+	openssl/md4.h				\
+	openssl/md5.h				\
+	openssl/sha.h				\
+	openssl/des.h				\
+	openssl/rc4.h				\
+])
+
+AC_FIND_FUNC_NO_LIBS2(MD4_Init, crypto des, [], [], [], [$test_LIB_krb4])
+AC_FIND_FUNC_NO_LIBS2(MD5_Init, crypto des, [], [], [], [$test_LIB_krb4])
+AC_FIND_FUNC_NO_LIBS2(SHA1_Init, crypto des, [], [], [], [$test_LIB_krb4])
+AC_FIND_FUNC_NO_LIBS2(des_cbc_encrypt, crypto des, [], [], [], [$test_LIB_krb4])
+AC_FIND_FUNC_NO_LIBS2(RC4, crypto des, [], [], [], [$test_LIB_krb4])
+if test "$ac_cv_func_des_cbc_encrypt" = "yes" -a \
+"$ac_cv_func_MD4_Init"  = "yes" -a \
+"$ac_cv_func_MD5_Init"  = "yes" -a \
+"$ac_cv_func_SHA1_Init" = "yes" -a \
+"$ac_cv_func_RC4" = "yes"; then
+  DIR_des=''
+  LIB_des=''
+  if test "$krb4_libdir" != ""; then
+    LIB_des="-R $krb4_libdir -L$krb4_libdir"
+  fi
+  LIB_des="$LIB_des $ac_cv_funclib_MD4_Init"
+  LIB_des_appl="$LIB_des"
+else
+  DIR_des='des'
+  LIB_des='$(top_builddir)/lib/des/libdes.la'
+  LIB_des_appl="-ldes"
+fi
+AC_SUBST(DIR_des)
+AC_SUBST(LIB_des)
+AC_SUBST(LIB_des_appl)
+
+KRB_READLINE
+
+dnl telnet muck --------------------------------------------------
+
+AC_DEFINE(AUTHENTICATION, 1, 
+	[Define if you want authentication support in telnet.])dnl
+AC_DEFINE(ENCRYPTION, 1,
+	[Define if you want encryption support in telnet.])dnl
+AC_DEFINE(DES_ENCRYPTION, 1,
+	[Define if you want to use DES encryption in telnet.])dnl
+AC_DEFINE(DIAGNOSTICS, 1,
+	[Define this to enable diagnostics in telnet.])dnl
+AC_DEFINE(OLD_ENVIRON, 1,
+	[Define this to enable old environment option in telnet.])dnl
+if false; then
+AC_DEFINE(ENV_HACK, 1,
+	[Define this if you want support for broken ENV_{VAR,VAL} telnets.])
+fi
+
+# Simple test for streamspty, based on the existance of getmsg(), alas
+# this breaks on SunOS4 which have streams but BSD-like ptys
+#
+# And also something wierd has happend with dec-osf1, fallback to bsd-ptys
+
+AC_CHECK_FUNC(getmsg)
+
+if test "$ac_cv_func_getmsg" = "yes"; then
+
+AC_CACHE_CHECK(for working getmsg, ac_cv_func_getmsg_work,
+AC_TRY_RUN(
+[
+#include <stdio.h>
+#include <errno.h>
+
+int main()
+{
+  int ret;
+  ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL);
+  if(ret < 0 && errno == ENOSYS)
+    return 1;
+  return 0;
+}
+], ac_cv_func_getmsg_work=yes, ac_cv_func_getmsg_work=no,
+ac_cv_func_getmsg_work=no))
+test "$ac_cv_func_getmsg_work" = "yes" &&
+AC_DEFINE(HAVE_GETMSG, 1, [Define if you have a working getmsg.])
+
+fi
+
+if test "$ac_cv_func_getmsg_work" = yes; then
+AC_MSG_CHECKING(for streamspty)
+case "$host" in
+*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux1[[01]]*)
+	krb_cv_sys_streamspty=no
+	;;
+*)
+	krb_cv_sys_streamspty=yes
+	;;
+esac
+AC_MSG_RESULT($krb_cv_sys_streamspty)
+fi
+if test "$krb_cv_sys_streamspty" = yes; then
+	AC_DEFINE(STREAMSPTY, 1, [Define if you have streams ptys.])
+fi
+
+AC_AUTH_MODULES
+
+dnl This is done by AC_OUTPUT but we need the result here.
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+for i in bin lib libexec sbin; do
+	i=${i}dir
+	foo=`echo $i | tr 'xindiscernible' 'XINDISCERNIBLE'`
+	x="\$${i}"
+	eval y="$x"
+	while test "x$y" != "x$x"; do
+		x="$y"
+		eval y="$x"
+	done
+	AC_DEFINE_UNQUOTED($foo,"$x")
+done
+AH_BOTTOM([#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR])
+
+if false; then
+	# hack to shut up automake
+	LIBOBJS="$LIBOBJS make-print-version.o"
+fi
+LTLIBOBJS=`echo "$LIBOBJS" | sed 's/\.o/\.lo/g'`
+AC_SUBST(LTLIBOBJS)
+AC_CONFIG_FILES(Makefile 		\
+	include/Makefile		\
+	include/kadm5/Makefile		\
+	lib/Makefile			\
+	lib/45/Makefile			\
+	lib/auth/Makefile		\
+	lib/auth/afskauthlib/Makefile	\
+	lib/auth/pam/Makefile		\
+	lib/auth/sia/Makefile		\
+	lib/asn1/Makefile		\
+	lib/com_err/Makefile		\
+	lib/des/Makefile		\
+	lib/editline/Makefile		\
+	lib/gssapi/Makefile		\
+	lib/hdb/Makefile		\
+	lib/kadm5/Makefile		\
+	lib/kafs/Makefile		\
+	lib/kdfs/Makefile		\
+	lib/krb5/Makefile		\
+	lib/otp/Makefile		\
+	lib/roken/Makefile		\
+	lib/sl/Makefile			\
+	lib/vers/Makefile		\
+	kuser/Makefile			\
+	kpasswd/Makefile		\
+	kadmin/Makefile			\
+	admin/Makefile			\
+	kdc/Makefile			\
+	appl/Makefile			\
+	appl/afsutil/Makefile		\
+	appl/ftp/Makefile		\
+	appl/ftp/common/Makefile	\
+	appl/ftp/ftp/Makefile		\
+	appl/ftp/ftpd/Makefile		\
+	appl/kx/Makefile		\
+	appl/login/Makefile		\
+	appl/otp/Makefile		\
+	appl/popper/Makefile		\
+	appl/push/Makefile		\
+	appl/rsh/Makefile		\
+	appl/rcp/Makefile		\
+	appl/su/Makefile		\
+	appl/xnlock/Makefile		\
+	appl/telnet/Makefile		\
+	appl/telnet/libtelnet/Makefile	\
+	appl/telnet/telnet/Makefile	\
+	appl/telnet/telnetd/Makefile	\
+	appl/test/Makefile		\
+	appl/kf/Makefile		\
+	appl/dceutils/Makefile		\
+	doc/Makefile			\
+	tools/Makefile			\
+)
+
+AC_OUTPUT
+
+dnl
+dnl This is the release version name-number[beta]
+dnl
+HEIMDALVERSION="$PACKAGE-$VERSION"
+
+cat > include/newversion.h.in <<EOF
+const char *heimdal_long_version = "@(#)\$Version: $HEIMDALVERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+const char *heimdal_version = "$HEIMDALVERSION";
+EOF
+
+if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+	echo "include/version.h is unchanged"
+	rm -f include/newversion.h.in
+else
+ 	echo "creating include/version.h"
+ 	User=${USER-${LOGNAME}}
+ 	Host=`(hostname || uname -n || echo unknown) 2>/dev/null | sed 1q`
+ 	Date=`date`
+	mv -f include/newversion.h.in include/version.h.in
+	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+fi
diff --git a/crypto/heimdal/doc/Makefile.am b/crypto/heimdal/doc/Makefile.am
new file mode 100644
index 0000000..734bf62
--- /dev/null
+++ b/crypto/heimdal/doc/Makefile.am
@@ -0,0 +1,8 @@
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:16 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+AUTOMAKE_OPTIONS += no-texinfo.tex
+
+info_TEXINFOS = heimdal.texi
+heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi
diff --git a/crypto/heimdal/doc/Makefile.in b/crypto/heimdal/doc/Makefile.in
new file mode 100644
index 0000000..ffc5d89
--- /dev/null
+++ b/crypto/heimdal/doc/Makefile.in
@@ -0,0 +1,565 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:16 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies no-texinfo.tex
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+info_TEXINFOS = heimdal.texi
+heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi
+subdir = doc
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+TEXI2DVI = texi2dvi
+INFO_DEPS = heimdal.info
+DVIS = heimdal.dvi
+TEXINFOS = heimdal.texi
+depcomp = 
+DIST_COMMON =  $(heimdal_TEXINFOS) Makefile.am Makefile.in mdate-sh
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .dvi .info .ps .texi .texinfo .txi
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+heimdal.info: heimdal.texi $(heimdal_TEXINFOS)
+heimdal.dvi: heimdal.texi $(heimdal_TEXINFOS)
+
+
+DVIPS = dvips
+
+.texi.info:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+
+.texi.dvi:
+	TEXINPUTS=$(srcdir):$$TEXINPUTS \
+	  MAKEINFO='$(MAKEINFO) -I $(srcdir)' $(TEXI2DVI) $<
+
+.texi:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+
+.texinfo.info:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+
+.texinfo:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+
+.texinfo.dvi:
+	TEXINPUTS=$(srcdir):$$TEXINPUTS \
+	  MAKEINFO='$(MAKEINFO) -I $(srcdir)' $(TEXI2DVI) $<
+
+.txi.info:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+
+.txi.dvi:
+	TEXINPUTS=$(srcdir):$$TEXINPUTS \
+	  MAKEINFO='$(MAKEINFO) -I $(srcdir)' $(TEXI2DVI) $<
+
+.txi:
+	@cd $(srcdir) && rm -f $@ $@-[0-9] $@-[0-9][0-9]
+	cd $(srcdir) \
+	  && $(MAKEINFO) `echo $< | sed 's,.*/,,'`
+.dvi.ps:
+	$(DVIPS) $< -o $@
+
+install-info-am: $(INFO_DEPS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(infodir)
+	@list='$(INFO_DEPS)'; \
+	for file in $$list; do \
+	  d=$(srcdir); \
+	  for ifile in `CDPATH=: && cd $$d && echo $$file $$file-[0-9] $$file-[0-9][0-9]`; do \
+	    if test -f $$d/$$ifile; then \
+	      echo " $(INSTALL_DATA) $$d/$$ifile $(DESTDIR)$(infodir)/$$ifile"; \
+	      $(INSTALL_DATA) $$d/$$ifile $(DESTDIR)$(infodir)/$$ifile; \
+	    else : ; fi; \
+	  done; \
+	done
+	@$(POST_INSTALL)
+	@if $(SHELL) -c 'install-info --version | sed 1q | fgrep -s -v -i debian' >/dev/null 2>&1; then \
+	  list='$(INFO_DEPS)'; \
+	  for file in $$list; do \
+	    echo " install-info --info-dir=$(DESTDIR)$(infodir) $(DESTDIR)$(infodir)/$$file";\
+	    install-info --info-dir=$(DESTDIR)$(infodir) $(DESTDIR)$(infodir)/$$file || :;\
+	  done; \
+	else : ; fi
+
+uninstall-info:
+	$(PRE_UNINSTALL)
+	@if $(SHELL) -c 'install-info --version | sed 1q | fgrep -s -v -i debian' >/dev/null 2>&1; then \
+	  list='$(INFO_DEPS)'; \
+	  for file in $$list; do \
+	    echo " install-info --info-dir=$(DESTDIR)$(infodir) --remove $(DESTDIR)$(infodir)/$$file"; \
+	    install-info --info-dir=$(DESTDIR)$(infodir) --remove $(DESTDIR)$(infodir)/$$file; \
+	  done; \
+	else :; fi
+	@$(NORMAL_UNINSTALL)
+	@list='$(INFO_DEPS)'; \
+	for file in $$list; do \
+	  (if cd $(DESTDIR)$(infodir); then \
+	     echo " rm -f $$file $$file-[0-9] $$file-[0-9][0-9])"; \
+	     rm -f $$file $$file-[0-9] $$file-[0-9][0-9]; \
+	   else :; fi); \
+	done
+
+dist-info: $(INFO_DEPS)
+	list='$(INFO_DEPS)'; \
+	for base in $$list; do \
+	  d=$(srcdir); \
+	  for file in `CDPATH=: && cd $$d && eval echo $$base*`; do \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file; \
+	  done; \
+	done
+
+mostlyclean-aminfo:
+	-rm -f heimdal.aux heimdal.cp heimdal.cps heimdal.dvi heimdal.fn \
+	  heimdal.fns heimdal.pgs heimdal.ky heimdal.kys heimdal.ps \
+	  heimdal.log heimdal.pg heimdal.toc heimdal.tp heimdal.tps \
+	  heimdal.vr heimdal.vrs heimdal.op heimdal.tr heimdal.cv \
+	  heimdal.cn heimdal.cm heimdal.ov
+
+clean-aminfo:
+
+distclean-aminfo:
+
+maintainer-clean-aminfo:
+	cd $(srcdir) && for i in $(INFO_DEPS); do \
+	  rm -f $$i; \
+	  if test "`echo $$i-[0-9]*`" != "$$i-[0-9]*"; then \
+	    rm -f $$i-[0-9]*; \
+	  fi; \
+	done
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-info
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am: $(INFO_DEPS)
+info: info-am
+dvi-am: $(DVIS)
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-info-am install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-info
+uninstall: uninstall-am
+all-am: Makefile $(INFO_DEPS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(infodir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-aminfo mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-aminfo clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-aminfo distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-aminfo maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: install-info-am uninstall-info mostlyclean-aminfo \
+distclean-aminfo clean-aminfo maintainer-clean-aminfo tags distdir \
+info-am info dvi-am dvi check-local check check-am installcheck-am \
+installcheck install-exec-am install-exec install-data-local \
+install-data-am install-data install-am install uninstall-am uninstall \
+all-local all-redirect all-am all install-strip installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/doc/ack.texi b/crypto/heimdal/doc/ack.texi
new file mode 100644
index 0000000..fe0113e
--- /dev/null
+++ b/crypto/heimdal/doc/ack.texi
@@ -0,0 +1,63 @@
+@c $Id: ack.texi,v 1.14 2001/02/24 05:09:23 assar Exp $
+
+@node  Acknowledgments, , Migration, Top
+@comment  node-name,  next,  previous,  up
+@appendix Acknowledgments
+
+Eric Young wrote ``libdes''.
+
+The University of California at Berkeley initially wrote @code{telnet},
+and @code{telnetd}.  The authentication and encryption code of
+@code{telnet} and @code{telnetd} was added by David Borman (then of Cray
+Research, Inc).  The encryption code was removed when this was exported
+and then added back by Juha Eskelinen, @email{esc@@magic.fi}.
+
+The @code{popper} was also a Berkeley program initially.
+
+Some of the functions in @file{libroken} also come from Berkeley by way
+of NetBSD/FreeBSD.
+
+@code{editline} was written by Simmule Turner and Rich Salz.
+
+Bugfixes, documentation, encouragement, and code has been contributed by:
+@table @asis
+@item Derrick J Brashear
+@email{shadow@@dementia.org}
+@item Ken Hornstein
+@email{kenh@@cmf.nrl.navy.mil}
+@item Johan Ihrén
+@email{johani@@pdc.kth.se}
+@item Love Hörnquist-Åstrand
+@email{lha@@stacken.kth.se}
+@item Magnus Ahltorp
+@email{map@@stacken.kth.se}
+@item Mark Eichin
+@email{eichin@@cygnus.com}
+@item Marc Horowitz
+@email{marc@@cygnus.com}
+@item Luke Howard
+@email{lukeh@@xedoc.com.au}
+@item Brandon S. Allbery KF8NH
+@email{allbery@@kf8nh.apk.net}
+@item Jun-ichiro itojun Hagino
+@email{itojun@@kame.net}
+@item Daniel Kouril
+@email{kouril@@informatics.muni.cz}
+@item Åke Sandgren 
+@email{ake@@cs.umu.se}
+@item Michal Vocu
+@email{michal@@karlin.mff.cuni.cz}
+@item Miroslav Ruda
+@email{ruda@@ics.muni.cz}
+@item Brian A May
+@email{bmay@@snoopy.apana.org.au}
+@item Chaskiel M Grundman
+@email{cg2v@@andrew.cmu.edu}
+@item Richard Nyberg
+@email{rnyberg@@it.su.se}
+@item Frank van der Linden
+@email{fvdl@@netbsd.org}
+@item and we hope that those not mentioned here will forgive us.
+@end table
+
+All bugs were introduced by ourselves.
diff --git a/crypto/heimdal/doc/heimdal.texi b/crypto/heimdal/doc/heimdal.texi
new file mode 100644
index 0000000..6bc92a9
--- /dev/null
+++ b/crypto/heimdal/doc/heimdal.texi
@@ -0,0 +1,250 @@
+\input texinfo @c -*- texinfo -*-
+@c %**start of header
+@c $Id: heimdal.texi,v 1.17 2001/02/24 05:09:24 assar Exp $
+@setfilename heimdal.info
+@settitle HEIMDAL
+@iftex
+@afourpaper
+@end iftex
+@c some sensible characters, please?
+@tex
+\input latin1.tex
+@end tex
+@setchapternewpage on
+@syncodeindex pg cp
+@c %**end of header
+
+@c not yet @include version.texi
+@set UPDATED $Date: 2001/02/24 05:09:24 $
+@set EDITION 0.1
+@set VERSION 0.3a
+
+@ifinfo
+@dircategory Heimdal
+@direntry
+* Heimdal: (heimdal).           The Kerberos 5 distribution from KTH
+@end direntry
+@end ifinfo
+
+@c title page
+@titlepage
+@title Heimdal
+@subtitle Kerberos 5 from KTH
+@subtitle Edition @value{EDITION}, for version @value{VERSION}
+@subtitle 1999
+@author Johan Danielsson
+@author Assar Westerlund
+@author last updated @value{UPDATED}
+
+@def@copynext{@vskip 20pt plus 1fil@penalty-1000}
+@def@copyrightstart{}
+@def@copyrightend{}
+@page
+@copyrightstart
+Copyright (c) 1997-2000 Kungliga Tekniska Högskolan 
+(Royal Institute of Technology, Stockholm, Sweden).
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the Institute nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (C) 1995-1997 Eric Young (eay@@mincom.oz.au)
+All rights reserved.
+
+This package is an DES implementation written by Eric Young (eay@@mincom.oz.au).
+The implementation was written so as to conform with MIT's libdes.
+
+This library is free for commercial and non-commercial use as long as
+the following conditions are aheared to.  The following conditions
+apply to all code found in this distribution.
+
+Copyright remains Eric Young's, and as such any Copyright notices in
+the code are not to be removed.
+If this package is used in a product, Eric Young should be given attribution
+as the author of that the SSL library.  This can be in the form of a textual
+message at program startup or in documentation (online or textual) provided
+with the package.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+   This product includes software developed by Eric Young (eay@@mincom.oz.au)
+
+THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (C) 1990 by the Massachusetts Institute of Technology
+
+Export of this software from the United States of America may
+require a specific license from the United States Government.
+It is the responsibility of any person or organization contemplating
+export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+@copynext
+
+Copyright (c) 1988, 1990, 1993
+     The Regents of the University of California.  All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+     This product includes software developed by the University of
+     California, Berkeley and its contributors.
+
+4. Neither the name of the University nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright 1992 Simmule Turner and Rich Salz.  All rights reserved. 
+
+This software is not subject to any license of the American Telephone 
+and Telegraph Company or of the Regents of the University of California. 
+
+Permission is granted to anyone to use this software for any purpose on
+any computer system, and to alter it and redistribute it freely, subject
+to the following restrictions:
+
+1. The authors are not responsible for the consequences of use of this
+   software, no matter how awful, even if they arise from flaws in it.
+
+2. The origin of this software must not be misrepresented, either by
+   explicit claim or by omission.  Since few users ever read sources,
+   credits must appear in the documentation.
+
+3. Altered versions must be plainly marked as such, and must not be
+   misrepresented as being the original software.  Since few users
+   ever read sources, credits must appear in the documentation.
+
+4. This notice may not be removed or altered.
+
+@copyrightend
+@end titlepage
+
+@c Less filling! Tastes great!
+@iftex
+@parindent=0pt
+@global@parskip 6pt plus 1pt
+@global@chapheadingskip = 15pt plus 4pt minus 2pt 
+@global@secheadingskip = 12pt plus 3pt minus 2pt
+@global@subsecheadingskip = 9pt plus 2pt minus 2pt
+@end iftex
+@ifinfo
+@paragraphindent 0
+@end ifinfo
+
+@ifinfo
+@node Top, Introduction, (dir), (dir)
+@top Heimdal
+@end ifinfo
+
+@menu
+* Introduction::                
+* What is Kerberos?::           
+* Building and Installing::     
+* Setting up a realm::          
+* Things in search for a better place::  
+* Kerberos 4 issues::           
+* Windows 2000 compatability::
+* Programming with Kerberos::
+* Migration::
+* Acknowledgments::             
+
+@end menu
+
+@include intro.texi
+@include whatis.texi
+@include install.texi
+@include setup.texi
+@include misc.texi
+@include kerberos4.texi
+@include win2k.texi
+@include programming.texi
+@include migration.texi
+@include ack.texi
+
+@c @shortcontents
+@contents
+
+@bye
diff --git a/crypto/heimdal/doc/init-creds b/crypto/heimdal/doc/init-creds
new file mode 100644
index 0000000..13667e0
--- /dev/null
+++ b/crypto/heimdal/doc/init-creds
@@ -0,0 +1,374 @@
+Currently, getting an initial ticket for a user involves many function
+calls, especially when a full set of features including password
+expiration and challenge preauthentication is desired.  In order to
+solve this problem, a new api is proposed.
+
+typedef struct _krb5_prompt {
+    char *prompt;
+    int hidden;
+    krb5_data *reply;
+} krb5_prompt;
+
+typedef int (*krb5_prompter_fct)(krb5_context context,
+				 void *data,
+				 const char *banner,
+				 int num_prompts,
+				 krb5_prompt prompts[]);
+
+typedef struct _krb5_get_init_creds_opt {
+    krb5_flags flags;
+    krb5_deltat tkt_life;
+    krb5_deltat renew_life;
+    int forwardable;
+    int proxiable;
+    krb5_enctype *etype_list;
+    int etype_list_length;
+    krb5_address **address_list;
+	/* XXX the next three should not be used, as they may be
+	removed later */
+    krb5_preauthtype *preauth_list;
+    int preauth_list_length;
+    krb5_data *salt;
+} krb5_get_init_creds_opt;
+
+#define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE	0x0001
+#define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE	0x0002
+#define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE	0x0004
+#define KRB5_GET_INIT_CREDS_OPT_PROXIABLE	0x0008
+#define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST	0x0010
+#define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST	0x0020
+#define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST	0x0040
+#define KRB5_GET_INIT_CREDS_OPT_SALT		0x0080
+
+void krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt);
+
+void krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
+					  krb5_deltat tkt_life);
+void krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
+					    krb5_deltat renew_life);
+void krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
+					     int forwardable);
+void krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
+					   int proxiable);
+void krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
+					    krb5_enctype *etype_list,
+					    int etype_list_length);
+void krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
+					      krb5_address **addresses);
+void krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
+					      krb5_preauthtype *preauth_list,
+					      int preauth_list_length);
+void krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
+				      krb5_data *salt);
+
+krb5_error_code
+krb5_get_init_creds_password(krb5_context context,
+			     krb5_creds *creds,
+			     krb5_principal client,
+			     char *password,
+			     krb5_prompter_fct prompter,
+			     void *data,
+			     krb5_deltat start_time,
+			     char *in_tkt_service,
+			     krb5_get_init_creds_opt *options);
+
+This function will attempt to acquire an initial ticket.  The function
+will perform whatever tasks are necessary to do so.  This may include
+changing an expired password, preauthentication.
+
+The arguments divide into two types.  Some arguments are basically
+invariant and arbitrary across all initial tickets, and if not
+specified are determined by configuration or library defaults.  Some
+arguments are different for each execution or application, and if not
+specified can be determined correctly from system configuration or
+environment.  The former arguments are contained in a structure whose
+pointer is passed to the function.  A bitmask specifies which elements
+of the structure should be used.  In most cases, a NULL pointer can be
+used.  The latter arguments are specified as individual arguments to
+the function.
+
+If a pointer to a credential is specified, the initial credential is
+filled in.  If the caller only wishes to do a simple password check
+and will not be doing any other kerberos functions, then a NULL
+pointer may be specified, and the credential will be destroyed.
+
+If the client name is non-NULL, the initial ticket requested will be
+for that principal.  Otherwise, the principal will be the the username
+specified by the USER environment variable, or if the USER environment
+variable is not set, the username corresponding to the real user id of
+the caller.
+
+If the password is non-NULL, then this string is used as the password.
+Otherwise, the prompter function will be used to prompt the user for
+the password.
+
+If a prompter function is non-NULL, it will be used if additional user
+input is required, such as if the user's password has expired and
+needs to be changed, or if input preauthentication is necessary.  If
+no function is specified and input is required, then the login will
+fail.
+
+	The context argument is the same as that passed to krb5_login.
+	The data argument is passed unmodified to the prompter
+	function and is intended to be used to pass application data
+	(such as a display handle) to the prompter function.
+
+	The banner argument, if non-NULL, will indicate what sort of
+	input is expected from the user (for example, "Password has
+	expired and must be changed" or "Enter Activcard response for
+	challenge 012345678"), and should be displayed accordingly.
+	
+	The num_prompts argument indicates the number of values which
+	should be prompted for.  If num_prompts == 0, then the banner
+	contains an informational message which should be displayed to
+	the user.
+
+	The prompts argument contains an array describing the values
+	for which the user should be prompted.  The prompt member
+	indicates the prompt for each value ("Enter new
+	password"/"Enter it again", or "Challenge response").  The
+	hidden member is nonzero if the response should not be
+	displayed back to the user.  The reply member is a pointer to
+	krb5_data structure which has already been allocated.  The
+	prompter should fill in the structure with the NUL-terminated
+	response from the user.
+
+	If the response data does not fit, or if any other error
+	occurs, then the prompter function should return a non-zero
+	value which will be returned by the krb5_get_init_creds
+	function. Otherwise, zero should be returned.
+
+	The library function krb5_prompter_posix() implements
+	a prompter using a posix terminal for user in.  This function
+	does not use the data argument.
+
+If the start_time is zero, then the requested ticket will be valid
+beginning immediately.  Otherwise, the start_time indicates how far in
+the future the ticket should be postdated.
+
+If the in_tkt_service name is non-NULL, that principal name will be
+used as the server name for the initial ticket request.  The realm of
+the name specified will be ignored and will be set to the realm of the
+client name.  If no in_tkt_service name is specified,
+krbtgt/CLIENT-REALM@CLIENT-REALM will be used.
+
+For the rest of arguments, a configuration or library default will be
+used if no value is specified in the options structure.
+
+If a tkt_life is specified, that will be the lifetime of the ticket.
+The library default is 10 hours; there is no configuration variable
+(there should be, but it's not there now).
+
+If a renew_life is specified and non-zero, then the RENEWABLE option
+on the ticket will be set, and the value of the argument will be the
+the renewable lifetime.  The configuration variable [libdefaults]
+"renew_lifetime" is the renewable lifetime if none is passed in.  The
+library default is not to set the RENEWABLE option.
+
+If forwardable is specified, the FORWARDABLE option on the ticket will
+be set if and only if forwardable is non-zero.  The configuration
+variable [libdefaults] "forwardable" is used if no value is passed in.
+The option will be set if and only if the variable is "y", "yes",
+"true", "t", "1", or "on", case insensitive.  The library default is
+not to set the FORWARDABLE option.
+
+If proxiable is specified, the PROXIABLE option on the ticket will be
+set if and only if proxiable is non-zero.  The configuration variable
+[libdefaults] "proxiable" is used if no value is passed in.  The
+option will be set if and only if the variable is "y", "yes", "true",
+"t", "1", or "on", case insensitive.  The library default is not to
+set the PROXIABLE option.
+
+If etype_list is specified, it will be used as the list of desired
+encryption algorithms in the request.  The configuration variable
+[libdefaults] "default_tkt_enctypes" is used if no value is passed in.
+The library default is "des-cbc-md5 des-cbc-crc".
+
+If address_list is specified, it will be used as the list of addresses
+for which the ticket will be valid.  The library default is to use all
+local non-loopback addresses.  There is no configuration variable.
+
+If preauth_list is specified, it names preauth data types which will
+be included in the request.  The library default is to interact with
+the kdc to determine the required preauth types.  There is no
+configuration variable.
+
+If salt is specified, it specifies the salt which will be used when
+converting the password to a key.  The library default is to interact
+with the kdc to determine the correct salt.  There is no configuration
+variable.
+
+================================================================
+
+typedef struct _krb5_verify_init_creds_opt {
+    krb5_flags flags;
+    int ap_req_nofail;
+} krb5_verify_init_creds_opt;
+
+#define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL	0x0001
+
+void krb5_verify_init_creds_opt_init(krb5_init_creds_opt *options);
+void krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_init_creds_opt *options,
+						  int ap_req_nofail);
+
+krb5_error_code
+krb5_verify_init_creds(krb5_context context,
+		       krb5_creds *creds,
+		       krb5_principal ap_req_server,
+		       krb5_keytab ap_req_keytab,
+		       krb5_ccache *ccache,
+		       krb5_verify_init_creds_opt *options);
+
+This function will use the initial ticket in creds to make an AP_REQ
+and verify it to insure that the AS_REP has not been spoofed.
+
+If the ap_req_server name is non-NULL, then this service name will be
+used for the AP_REQ; otherwise, the default host key
+(host/hostname.domain@LOCAL-REALM) will be used.
+
+If ap_req_keytab is non-NULL, the service key for the verification
+will be read from that keytab; otherwise, the service key will be read
+from the default keytab. 
+
+If the service of the ticket in creds is the same as the service name
+for the AP_REQ, then this ticket will be used directly.  If the ticket
+is a tgt, then it will be used to obtain credentials for the service.
+Otherwise, the verification will fail, and return an error.
+
+Other failures of the AP_REQ verification may or may not be considered
+errors, as described below.
+
+If a pointer to a credential cache handle is specified, and the handle
+is NULL, a credential cache handle referring to all credentials
+obtained in the course of verifying the user will be returned.  In
+order to avoid potential setuid race conditions and other problems
+related to file system access, this handle will refer to a memory
+credential cache.  If the handle is non-NULL, then the credentials
+will be added to the existing ccache.  If the caller only wishes to
+verify the password and will not be doing any other kerberos
+functions, then a NULL pointer may be specified, and the credentials
+will be deleted before the function returns.
+
+If ap_req_nofail is specified, then failures of the AP_REQ
+verification are considered errors if and only if ap_req_nofail is
+non-zero.
+
+Whether or not AP_REQ validation is performed and what failures mean
+depends on these inputs:
+
+ A) The appropriate keytab exists and contains the named key.
+
+ B) An AP_REQ request to the kdc succeeds, and the resulting AP_REQ
+can be decrypted and verified.
+
+ C) The administrator has specified in a configuration file that
+AP_REQ validation must succeed.  This is basically a paranoid bit, and
+can be overridden by the application based on a command line flag or
+other application-specific info.  This flag is especially useful if
+the admin is concerned that DNS might be spoofed while determining the
+host/FQDN name.  The configuration variable [libdefaults]
+"verify_ap_req_nofail" is used if no value is passed in.  The library
+default is not to set this option.
+
+Initial ticket verification will succeed if and only if:
+
+ - A && B    or
+ - !A && !C
+
+================================================================
+
+For illustrative purposes, here's the invocations I expect some
+programs will use.  Of course, error checking needs to be added.
+
+kinit:
+
+    /* Fill in client from the command line || existing ccache, and,
+       start_time, and options.{tkt_life,renew_life,forwardable,proxiable}
+       from the command line.  Some or all may remain unset. */
+
+    krb5_get_init_creds(context, &creds, client,
+			krb5_initial_prompter_posix, NULL,
+			start_time, NULL, &options);
+    krb5_cc_store_cred(context, ccache, &creds);
+    krb5_free_cred_contents(context, &creds);
+
+login:
+
+    krb5_get_init_creds(context, &creds, client,
+			krb5_initial_prompter_posix, NULL,
+			0, NULL, NULL);
+    krb5_verify_init_creds(context, &creds, NULL, NULL, &vcc, NULL);
+    /* setuid */
+    krb5_cc_store_cred(context, ccache, &creds);
+    krb5_cc_copy(context, vcc, ccache);
+    krb5_free_cred_contents(context, &creds);
+    krb5_cc_destroy(context, vcc);
+
+xdm:
+
+    krb5_get_initial_creds(context, &creds, client,
+			   krb5_initial_prompter_xt, (void *) &xtstuff,
+			   0, NULL, NULL);
+    krb5_verify_init_creds(context, &creds, NULL, NULL, &vcc, NULL);
+    /* setuid */
+    krb5_cc_store_cred(context, ccache, &creds);
+    krb5_free_cred_contents(context, &creds);
+    krb5_cc_copy(context, vcc, ccache);
+    krb5_cc_destroy(context, vcc);
+
+passwd:
+
+    krb5_init_creds_opt_init(&options);
+    krb5_init_creds_opt_set_tkt_life = 300;
+    krb5_get_initial_creds(context, &creds, client,
+			   krb5_initial_prompter_posix, NULL,
+			   0, "kadmin/changepw", &options);
+    /* change password */
+    krb5_free_cred_contents(context, &creds);
+
+pop3d (simple password validator when no user interation possible):
+
+    krb5_get_initial_creds(context, &creds, client,
+			   NULL, NULL, 0, NULL, NULL);
+    krb5_verify_init_creds(context, &creds, NULL, NULL, &vcc, NULL);
+    krb5_cc_destroy(context, vcc);
+
+================================================================
+
+password expiration has a subtlety.  When a password expires and is
+changed, there is a delay between when the master gets the new key
+(immediately), and the slaves (propogation interval).  So, when
+getting an in_tkt, if the password is expired, the request should be
+reissued to the master (this kind of sucks if you have SAM, oh well).
+If this says expired, too, then the password should be changed, and
+then the initial ticket request should be issued to the master again.
+If the master times out, then a message that the password has expired
+and cannot be changed due to the master being unreachable should be
+displayed.
+
+================================================================
+
+get_init_creds reads config stuff from:
+
+[libdefaults]
+	varname1 = defvalue
+	REALM = {
+		varname1 = value
+		varname2 = value
+	}
+
+typedef struct _krb5_get_init_creds_opt {
+    krb5_flags flags;
+    krb5_deltat tkt_life;	/* varname = "ticket_lifetime" */
+    krb5_deltat renew_life;	/* varname = "renew_lifetime" */
+    int forwardable;		/* varname = "forwardable" */
+    int proxiable;		/* varname = "proxiable" */
+    krb5_enctype *etype_list;	/* varname = "default_tkt_enctypes" */
+    int etype_list_length;
+    krb5_address **address_list; /* no varname */
+    krb5_preauthtype *preauth_list; /* no varname */
+    int preauth_list_length;
+    krb5_data *salt;
+} krb5_get_init_creds_opt;
+
+
diff --git a/crypto/heimdal/doc/install.texi b/crypto/heimdal/doc/install.texi
new file mode 100644
index 0000000..aa56cea
--- /dev/null
+++ b/crypto/heimdal/doc/install.texi
@@ -0,0 +1,109 @@
+@c $Id: install.texi,v 1.16 2001/01/28 22:11:22 assar Exp $
+
+@node Building and Installing, Setting up a realm, What is Kerberos?, Top
+@comment  node-name,  next,  previous,  up
+@chapter Building and Installing
+
+Heimdal uses GNU Autoconf to configure for specific hosts, and GNU
+Automake to manage makefiles. If this is new to you, the short
+instruction is to run the @code{configure} script in the top level
+directory, and when that finishes @code{make}.
+
+If you want to build the distribution in a different directory from the
+source directory, you will need a make that implements VPATH correctly,
+such as GNU make.
+
+You will need to build the distribution:
+
+@itemize @bullet
+@item
+A compiler that supports a ``loose'' ANSI C mode, such as @code{gcc}.
+@item
+lex or flex
+@item
+awk
+@item
+yacc or bison
+@item
+a socket library
+@item
+NDBM or Berkeley DB for building the server side.
+@end itemize
+
+When everything is built, you can install by doing @kbd{make
+install}. The default location for installation is @file{/usr/heimdal},
+but this can be changed by running @code{configure} with
+@samp{--prefix=/some/other/place}.
+
+If you need to change the default behavior, configure understands the
+following options:
+
+@table @asis
+@item @kbd{--without-berkeley-db}
+DB is preferred before NDBM, but if you for some reason want to use NDBM
+instead, you can use this option.
+
+@item @kbd{--with-krb4=@file{dir}}
+Gives the location of Kerberos 4 libraries and headers. This enables
+Kerberos 4 support in the applications (telnet, rsh, popper, etc) and
+the KDC. It is automatically check for in @file{/usr/athena}. If you
+keep libraries and headers in different places, you can instead give the
+path to each with the @kbd{--with-krb4-lib=@file{dir}}, and
+@kbd{--with-krb4-include=@file{dir}} options.
+
+You will need a fairly recent version of our Kerberos 4 distribution for
+@code{rshd} and @code{popper} to support version 4 clients.
+
+@item @kbd{--enable-kaserver}
+Enables experimental kaserver support in the KDC. This is the protocol
+used by the ``KDC'' in AFS. Requires Kerberos 4 support.
+
+@item @kbd{--enable-kaserver-db}
+Enables experimental support for reading kaserver databases in hprop.
+This is useful when migrating from a kaserver to a Heimdal KDC.
+
+@item @kbd{--enable-dce}
+Enables support for getting DCE credentials and tokens.  See the README
+files in @file{appl/dceutils} for more information.
+
+@item @kbd{--disable-otp}
+By default some of the application programs will build with support for
+one-time passwords (OTP).  Use this option to disable that support.
+
+@item @kbd{--enable-osfc2}
+Enable some C2 support for OSF/Digital Unix/Tru64.  Use this option if
+you are running your OSF operating system in C2 mode.
+
+@item @kbd{--with-readline=@file{dir}}
+Gives the path for the GNU Readline library, which will be used in some
+programs. If no readline library is found, the (simpler) editline
+library will be used instead.
+
+@item @kbd{--with-hesiod=@file{dir}}
+Enables hesiod support in push.
+
+@item @kbd{--enable-netinfo}
+Add support for using netinfo to lookup configuration information.
+Probably only useful (and working) on NextStep/Mac OS X.
+
+@item @kbd{--without-ipv6}
+Disable the IPv6 support.
+
+@item @kbd{--with-openldap}
+Compile Heimdal with support for storing the database in LDAP.  Requires
+OpenLDAP @url{http://www.openldap.org}.  See
+@url{http://www.padl.com/~lukeh/heimdal/} for more information.
+
+@item @kbd{--enable-bigendian}
+@item @kbd{--enable-littleendian}
+Normally, the build process will figure out by itself if the machine is
+big or little endian.  It might fail in some cases when
+cross-compiling.  If it does fail to figure it out, use the relevant of
+these two options.
+
+@item @kbd{--with-mips-abi=@var{abi}}
+On Irix there are three different ABIs that can be used (@samp{32},
+@samp{n32}, or @samp{64}).  This option allows you to override the
+automatic selection.
+
+@end table
diff --git a/crypto/heimdal/doc/intro.texi b/crypto/heimdal/doc/intro.texi
new file mode 100644
index 0000000..6c6ff3a
--- /dev/null
+++ b/crypto/heimdal/doc/intro.texi
@@ -0,0 +1,95 @@
+@c $Id: intro.texi,v 1.12 2001/01/28 22:11:22 assar Exp $
+
+@node Introduction, What is Kerberos?, Top, Top
+@c @node Introduction, What is Kerberos?, Top, Top
+@comment  node-name,  next,  previous,  up
+@chapter Introduction
+
+@heading What is Heimdal?
+
+Heimdal is a free implementation of Kerberos 5. The goals are to:
+
+@itemize @bullet
+@item
+have an implementation that can be freely used by anyone
+@item
+be protocol compatible with existing implementations and, if not in
+conflict, with RFC 1510 (and any future updated RFC)
+@item
+be reasonably compatible with the M.I.T Kerberos V5 API
+@item
+have support for Kerberos V5 over GSS-API (RFC1964)
+@item
+include the most important and useful application programs (rsh, telnet,
+popper, etc.)
+@item
+include enough backwards compatibility with Kerberos V4
+@end itemize
+
+@heading Status
+
+Heimdal has the following features (this does not mean any of this
+works):
+
+@itemize @bullet
+@item
+a stub generator and a library to encode/decode/whatever ASN.1/DER
+stuff
+@item
+a @code{libkrb5} library that should be possible to get to work with
+simple applications
+@item
+a GSS-API library that should have all the important functions for
+building applications
+@item
+Eric Young's @file{libdes}
+@item
+@file{kinit}, @file{klist}, @file{kdestroy}
+@item
+@file{telnet}, @file{telnetd}
+@item
+@file{rsh}, @file{rshd}
+@item
+@file{popper}, @file{push} (a movemail equivalent)
+@item
+@file{ftp}, and @file{ftpd}
+@item
+a library @file{libkafs} for authenticating to AFS and a program
+@file{afslog} that uses it
+@item
+some simple test programs
+@item
+a KDC that supports most things; optionally, it may also support
+Kerberos V4 and kaserver,
+@item
+simple programs for distributing databases between a KDC master and
+slaves
+@item
+a password changing daemon @file{kpasswdd}, library functions for
+changing passwords and a simple client
+@item
+some kind of administration system
+@item
+Kerberos V4 support in many of the applications.
+@end itemize
+
+@heading Bug reports
+
+If you find bugs in this software, make sure it is a genuine bug and not
+just a part of the code that isn't implemented.
+
+Bug reports should be sent to @email{heimdal-bugs@@pdc.kth.se}. Please
+include information on what machine and operating system (including
+version) you are running, what you are trying to do, what happens, what
+you think should have happened, an example for us to repeat, the output
+you get when trying the example, and a patch for the problem if you have
+one. Please make any patches with @code{diff -u} or @code{diff -c}.
+
+Suggestions, comments and other non bug reports are also welcome.
+
+@heading Mailing list
+
+There are two mailing lists with talk about
+Heimdal. @email{heimdal-announce@@sics.se} is a low-volume announcement
+list, while @email{heimdal-discuss@@sics.se} is for general discussion.
+Send a message to @email{majordomo@@sics.se} to subscribe.
diff --git a/crypto/heimdal/doc/kerberos4.texi b/crypto/heimdal/doc/kerberos4.texi
new file mode 100644
index 0000000..613e352
--- /dev/null
+++ b/crypto/heimdal/doc/kerberos4.texi
@@ -0,0 +1,226 @@
+@c $Id: kerberos4.texi,v 1.13 2001/02/24 05:09:24 assar Exp $
+
+@node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top
+@comment  node-name,  next,  previous,  up
+@chapter Kerberos 4 issues
+
+If compiled with version 4 support, the KDC can serve requests from a
+Kerberos 4 client. There are a few things you must do for this to work.
+
+You might also want use the built in kaserver emulation in the kdc
+when you have AFS-clients that use @code{klog}.
+
+@menu
+* Principal conversion issues::  
+* Converting a version 4 database::  
+* kaserver::
+@end menu
+
+@node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues
+@section Principal conversion issues
+
+First, Kerberos 4 and Kerberos 5 principals are different. A version 4
+principal consists of a name, an instance, and a realm. A version 5
+principal has one or more components, and a realm (the terms ``name''
+and ``instance'' are still used, for the first and second component,
+respectively).    Also, in some cases the name of a version 4 principal
+differs from the first component of the corresponding version 5
+principal. One notable example is the ``host'' type principals, where
+the version 4 name is @samp{rcmd} (for ``remote command''), and the
+version 5 name is @samp{host}. For the class of principals that has a
+hostname as instance, there is an other major difference, Kerberos 4
+uses only the first component of the hostname, whereas Kerberos 5 uses
+the fully qualified hostname.
+
+Because of this it can be hard or impossible to correctly convert a
+version 4 principal to a version 5 principal @footnote{the other way is
+not always trivial either, but usually easier}. The biggest problem is
+to know if the conversion resulted in a valid principal. To give an
+example, suppose you want to convert the principal @samp{rcmd.foo}.
+
+The @samp{rcmd} name suggests that the instance is a hostname (even if
+there are exceptions to this rule). To correctly convert the instance
+@samp{foo} to a hostname, you have to know which host it is referring
+to. You can to this by either guessing (from the realm) which domain
+name to append, or you have to have a list of possible hostnames. In the
+simplest cases you can cover most principals with the first rule. If you
+have several domains sharing a single realm this will not usually
+work. If the exceptions are few you can probably come by with a lookup
+table for the exceptions.
+
+In a complex scenario you will need some kind of host lookup mechanism.
+Using DNS for this is tempting, but DNS is error prone, slow and unsafe
+@footnote{at least until secure DNS is commonly available}.
+
+Fortunately, the KDC has a trump on hand: it can easily tell if a
+principal exists in the database. The KDC will use
+@code{krb5_425_conv_principal_ext} to convert principals when handling
+to version 4 requests.
+
+@node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues
+@section Converting a version 4 database
+
+If you want to convert an existing version 4 database, the principal
+conversion issue arises too.
+
+If you decide to convert your database once and for all, you will only
+have to do this conversion once. It is also possible to run a version 5
+KDC as a slave to a version 4 KDC. In this case this conversion will
+happen every time the database is propagated.  When doing this
+conversion, there are a few things to look out for. If you have stale
+entries in the database, these entries will not be converted. This might
+be because these principals are not used anymore, or it might be just
+because the principal couldn't be converted.
+
+You might also see problems with a many-to-one mapping of
+principals. For instance, if you are using DNS lookups and you have two
+principals @samp{rcmd.foo} and @samp{rcmd.bar}, where `foo' is a CNAME
+for `bar', the resulting principals will be the same. Since the
+conversion function can't tell which is correct, these conflicts will
+have to be resolved manually.
+
+@subsection Conversion example
+
+Given the following set of hosts and services:
+
+@example
+foo.se          rcmd
+mail.foo.se     rcmd, pop
+ftp.bar.se      rcmd, ftp
+@end example
+
+you have a database that consists of the following principals:
+
+@samp{rcmd.foo}, @samp{rcmd.mail}, @samp{pop.mail}, @samp{rcmd.ftp}, and
+@samp{ftp.ftp}.
+
+lets say you also got these extra principals: @samp{rcmd.gone},
+@samp{rcmd.old-mail}, where @samp{gone.foo.se} was a machine that has
+now passed away, and @samp{old-mail.foo.se} was an old mail machine that
+is now a CNAME for @samp{mail.foo.se}.
+
+When you convert this database you want the following conversions to be
+done:
+@example
+rcmd.foo         host/foo.se
+rcmd.mail        host/mail.foo.se
+pop.mail         pop/mail.foo.se
+rcmd.ftp         host/ftp.bar.se
+ftp.ftp          ftp/ftp.bar.se
+rcmd.gone        @i{removed}
+rcmd.old-mail    @i{removed}
+@end example
+
+A @file{krb5.conf} that does this looks like:
+
+@example
+[realms]
+        FOO.SE = @{
+                v4_name_convert = @{
+                        host = @{
+                                ftp = ftp
+                                pop = pop
+                                rcmd = host
+                        @}
+                @}
+                v4_instance_convert = @{
+                        foo = foo.se
+                        ftp = ftp.bar.se
+                @}
+                default_domain = foo.se
+        @}
+@end example
+
+The @samp{v4_name_convert} section says which names should be considered
+having an instance consisting of a hostname, and it also says how the
+names should be converted (for instance @samp{rcmd} should be converted
+to @samp{host}). The @samp{v4_instance_convert} section says how a
+hostname should be qualified (this is just a hosts-file in
+disguise). Host-instances that aren't covered by
+@samp{v4_instance_convert} are qualified by appending the contents of
+the @samp{default_domain}.
+
+Actually, this example doesn't work. Or rather, it works to well. Since
+it has no way of knowing which hostnames are valid and which are not, it
+will happily convert @samp{rcmd.gone} to @samp{host/gone.foo.se}. This
+isn't a big problem, but if you have run your kerberos realm for a few
+years, chances are big that you have quite a few `junk' principals.
+
+If you don't want this you can remove the @samp{default_domain}
+statement, but then you will have to add entries for @emph{all} your hosts
+in the @samp{v4_instance_convert} section.
+
+Instead of doing this you can use DNS to convert instances. This is not
+a solution without problems, but it is probably easier than adding lots
+of static host entries. 
+
+To enable DNS lookup you should turn on @samp{v4_instance_resolve} in
+the @samp{[libdefaults]} section.
+
+@subsection Converting a database
+
+The database conversion is done with @samp{hprop}. You can run this
+command to propagate the database to the machine called
+@samp{slave-server} (which should be running a @samp{hpropd}).
+
+@example
+hprop --source=krb4-db -E slave-server
+@end example
+
+This command can also be to use for converting the v4 database on the
+server:
+
+@example
+hprop -n --source=krb4-db -d /var/kerberos/principal -E | hpropd -n
+@end example
+
+@section Version 4 Kadmin
+
+@samp{kadmind} can act as a version 4 kadmind, and you can do most
+operations, but with some restrictions (since the version 4 kadmin
+protocol is, lets say, very ad hoc.) One example is that it only passes
+des keys when creating principals and changing passwords (modern kpasswd
+clients do send the password, so it's possible to to password quality
+checks). Because of this you can only create principals with des keys,
+and you can't set any flags or do any other fancy stuff.
+
+To get this to work, you have to add another entry to inetd (since
+version 4 uses port 751, not 749).
+
+@emph{And then there are a many more things you can do; more on this in
+a later version of this manual. Until then, UTSL.}
+
+@node kaserver, , Converting a version 4 database, Kerberos 4 issues
+@section kaserver
+
+@subsection kaserver emulation
+
+The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4
+server with pre-authentication using Rx as the on-wire protocol. The kdc
+contains a minimalistic Rx implementation.
+
+There are three parts of the kaserver; KAA (Authentication), KAT (Ticket
+Granting), and KAM (Maintenance). The KAA interface and KAT interface
+both passes over DES encrypted data-blobs (just like the
+Kerberos-protocol) and thus o not need any other protection.  The KAM
+interface uses @code{rxkad} (Kerberos authentication layer for Rx) for
+security and data protection, and is used for example for changing
+passwords.  This part is not implemented in the kdc.
+
+Another difference between the ka-protocol and the Kerberos 4 protocol
+is that the pass-phrase is salted with the cellname in the @code{string to
+key} function in the ka-protocol, while in the Kerberos 4 protocol there
+is no salting of the password at all. To make sure AFS-compatible keys
+are added to each principals when they are created or their password are
+changed, @samp{afs3-salt} should be added to
+@samp{[kadmin]default_keys}.
+
+@subsection Transarc AFS Windows client
+
+The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus
+does not need a kaserver. The Windows client assumes that the Kerberos
+server is on the same machine as the AFS-database server. If you do not
+like to do that you can add a small program that runs on the database
+servers that forward all kerberos requests to the real kerberos
+server. A program that does this is @code{krb-forward}
+(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}).
diff --git a/crypto/heimdal/doc/latin1.tex b/crypto/heimdal/doc/latin1.tex
new file mode 100644
index 0000000..e683dd2
--- /dev/null
+++ b/crypto/heimdal/doc/latin1.tex
@@ -0,0 +1,95 @@
+% ISO Latin 1 (ISO 8859/1) encoding for Computer Modern fonts.
+% Jan Michael Rynning <jmr@nada.kth.se> 1990-10-12
+\def\inmathmode#1{\relax\ifmmode#1\else$#1$\fi}
+\global\catcode`\^^a0=\active \global\let^^a0=~		% no-break space
+\global\catcode`\^^a1=\active \global\def^^a1{!`}		% inverted exclamation mark
+\global\catcode`\^^a2=\active \global\def^^a2{{\rm\rlap/c}}	% cent sign
+\global\catcode`\^^a3=\active \global\def^^a3{{\it\$}}	% pound sign
+% currency sign, yen sign, broken bar
+\global\catcode`\^^a7=\active \global\let^^a7=\S		% section sign
+\global\catcode`\^^a8=\active \global\def^^a8{\"{}}		% diaeresis
+\global\catcode`\^^a9=\active \global\let^^a9=\copyright	% copyright sign
+% feminine ordinal indicator, left angle quotation mark
+\global\catcode`\^^ac=\active \global\def^^ac{\inmathmode\neg}% not sign
+\global\catcode`\^^ad=\active \global\let^^ad=\-		% soft hyphen
+% registered trade mark sign
+\global\catcode`\^^af=\active \global\def^^af{\={}}		% macron
+% ...
+\global\catcode`\^^b1=\active \global\def^^b1{\inmathmode\pm}	% plus minus
+\global\catcode`\^^b2=\active \global\def^^b2{\inmathmode{{^2}}}
+\global\catcode`\^^b3=\active \global\def^^b3{\inmathmode{{^3}}}
+\global\catcode`\^^b4=\active \global\def^^b4{\'{}}		% acute accent
+\global\catcode`\^^b5=\active \global\def^^b5{\inmathmode\mu}	% mu
+\global\catcode`\^^b6=\active \global\let^^b6=\P		% pilcroy
+\global\catcode`\^^b7=\active \global\def^^b7{\inmathmode{{\cdot}}}
+\global\catcode`\^^b8=\active \global\def^^b8{\c{}}		% cedilla
+\global\catcode`\^^b9=\active \global\def^^b9{\inmathmode{{^1}}}
+% ...
+\global\catcode`\^^bc=\active \global\def^^bc{\inmathmode{{1\over4}}}
+\global\catcode`\^^bd=\active \global\def^^bd{\inmathmode{{1\over2}}}
+\global\catcode`\^^be=\active \global\def^^be{\inmathmode{{3\over4}}}
+\global\catcode`\^^bf=\active \global\def^^bf{?`}		% inverted question mark
+\global\catcode`\^^c0=\active \global\def^^c0{\`A}
+\global\catcode`\^^c1=\active \global\def^^c1{\'A}
+\global\catcode`\^^c2=\active \global\def^^c2{\^A}
+\global\catcode`\^^c3=\active \global\def^^c3{\~A}
+\global\catcode`\^^c4=\active \global\def^^c4{\"A}		% capital a with diaeresis
+\global\catcode`\^^c5=\active \global\let^^c5=\AA		% capital a with ring above
+\global\catcode`\^^c6=\active \global\let^^c6=\AE
+\global\catcode`\^^c7=\active \global\def^^c7{\c C}
+\global\catcode`\^^c8=\active \global\def^^c8{\`E}
+\global\catcode`\^^c9=\active \global\def^^c9{\'E}
+\global\catcode`\^^ca=\active \global\def^^ca{\^E}
+\global\catcode`\^^cb=\active \global\def^^cb{\"E}
+\global\catcode`\^^cc=\active \global\def^^cc{\`I}
+\global\catcode`\^^cd=\active \global\def^^cd{\'I}
+\global\catcode`\^^ce=\active \global\def^^ce{\^I}
+\global\catcode`\^^cf=\active \global\def^^cf{\"I}
+% capital eth
+\global\catcode`\^^d1=\active \global\def^^d1{\~N}
+\global\catcode`\^^d2=\active \global\def^^d2{\`O}
+\global\catcode`\^^d3=\active \global\def^^d3{\'O}
+\global\catcode`\^^d4=\active \global\def^^d4{\^O}
+\global\catcode`\^^d5=\active \global\def^^d5{\~O}
+\global\catcode`\^^d6=\active \global\def^^d6{\"O}		% capital o with diaeresis
+\global\catcode`\^^d7=\active \global\def^^d7{\inmathmode\times}% multiplication sign
+\global\catcode`\^^d8=\active \global\let^^d8=\O
+\global\catcode`\^^d9=\active \global\def^^d9{\`U}
+\global\catcode`\^^da=\active \global\def^^da{\'U}
+\global\catcode`\^^db=\active \global\def^^db{\^U}
+\global\catcode`\^^dc=\active \global\def^^dc{\"U}
+\global\catcode`\^^dd=\active \global\def^^dd{\'Y}
+% capital thorn
+\global\catcode`\^^df=\active \global\def^^df{\ss}
+\global\catcode`\^^e0=\active \global\def^^e0{\`a}
+\global\catcode`\^^e1=\active \global\def^^e1{\'a}
+\global\catcode`\^^e2=\active \global\def^^e2{\^a}
+\global\catcode`\^^e3=\active \global\def^^e3{\~a}
+\global\catcode`\^^e4=\active \global\def^^e4{\"a}		% small a with diaeresis
+\global\catcode`\^^e5=\active \global\let^^e5=\aa		% small a with ring above
+\global\catcode`\^^e6=\active \global\let^^e6=\ae
+\global\catcode`\^^e7=\active \global\def^^e7{\c c}
+\global\catcode`\^^e8=\active \global\def^^e8{\`e}
+\global\catcode`\^^e9=\active \global\def^^e9{\'e}
+\global\catcode`\^^ea=\active \global\def^^ea{\^e}
+\global\catcode`\^^eb=\active \global\def^^eb{\"e}
+\global\catcode`\^^ec=\active \global\def^^ec{\`\i}
+\global\catcode`\^^ed=\active \global\def^^ed{\'\i}
+\global\catcode`\^^ee=\active \global\def^^ee{\^\i}
+\global\catcode`\^^ef=\active \global\def^^ef{\"\i}
+% small eth
+\global\catcode`\^^f1=\active \global\def^^f1{\~n}
+\global\catcode`\^^f2=\active \global\def^^f2{\`o}
+\global\catcode`\^^f3=\active \global\def^^f3{\'o}
+\global\catcode`\^^f4=\active \global\def^^f4{\^o}
+\global\catcode`\^^f5=\active \global\def^^f5{\~o}
+\global\catcode`\^^f6=\active \global\def^^f6{\"o}		% small o with diaeresis
+\global\catcode`\^^f7=\active \global\def^^f7{\inmathmode\div}% division sign
+\global\catcode`\^^f8=\active \global\let^^f8=\o
+\global\catcode`\^^f9=\active \global\def^^f9{\`u}
+\global\catcode`\^^fa=\active \global\def^^fa{\'u}
+\global\catcode`\^^fb=\active \global\def^^fb{\^u}
+\global\catcode`\^^fc=\active \global\def^^fc{\"u}
+\global\catcode`\^^fd=\active \global\def^^fd{\'y}
+% capital thorn
+\global\catcode`\^^ff=\active \global\def^^ff{\"y}
diff --git a/crypto/heimdal/doc/layman.asc b/crypto/heimdal/doc/layman.asc
new file mode 100644
index 0000000..d4fbe64
--- /dev/null
+++ b/crypto/heimdal/doc/layman.asc
@@ -0,0 +1,1855 @@
+A Layman's Guide to a Subset of ASN.1, BER, and DER
+
+An RSA Laboratories Technical Note
+Burton S. Kaliski Jr.
+Revised November 1, 1993
+
+
+Supersedes June 3, 1991 version, which was also published as
+NIST/OSI Implementors' Workshop document SEC-SIG-91-17.
+PKCS documents are available by electronic mail to
+<pkcs@rsa.com>.
+
+Copyright (C) 1991-1993 RSA Laboratories, a division of RSA
+Data Security, Inc. License to copy this document is granted
+provided that it is identified as "RSA Data Security, Inc.
+Public-Key Cryptography Standards (PKCS)" in all material
+mentioning or referencing this document.
+003-903015-110-000-000
+
+
+Abstract. This note gives a layman's introduction to a
+subset of OSI's Abstract Syntax Notation One (ASN.1), Basic
+Encoding Rules (BER), and Distinguished Encoding Rules
+(DER). The particular purpose of this note is to provide
+background material sufficient for understanding and
+implementing the PKCS family of standards.
+
+
+1. Introduction
+
+It is a generally accepted design principle that abstraction
+is a key to managing software development. With abstraction,
+a designer can specify a part of a system without concern
+for how the part is actually implemented or represented.
+Such a practice leaves the implementation open; it
+simplifies the specification; and it makes it possible to
+state "axioms" about the part that can be proved when the
+part is implemented, and assumed when the part is employed
+in another, higher-level part. Abstraction is the hallmark
+of most modern software specifications.
+
+One of the most complex systems today, and one that also
+involves a great deal of abstraction, is Open Systems
+Interconnection (OSI, described in X.200). OSI is an
+internationally standardized architecture that governs the
+interconnection of computers from the physical layer up to
+the user application layer. Objects at higher layers are
+defined abstractly and intended to be implemented with
+objects at lower layers. For instance, a service at one
+layer may require transfer of certain abstract objects
+between computers; a lower layer may provide transfer
+services for strings of ones and zeroes, using encoding
+rules to transform the abstract objects into such strings.
+OSI is called an open system because it supports many
+different implementations of the services at each layer.
+
+OSI's method of specifying abstract objects is called ASN.1
+(Abstract Syntax Notation One, defined in X.208), and one
+set of rules for representing such objects as strings of
+ones and zeros is called the BER (Basic Encoding Rules,
+defined in X.209). ASN.1 is a flexible notation that allows
+one to define a variety data types, from simple types such
+as integers and bit strings to structured types such as sets
+and sequences, as well as complex types defined in terms of
+others. BER describes how to represent or encode values of
+each ASN.1 type as a string of eight-bit octets. There is
+generally more than one way to BER-encode a given value.
+Another set of rules, called the Distinguished Encoding
+Rules (DER), which is a subset of BER, gives a unique
+encoding to each ASN.1 value.
+
+The purpose of this note is to describe a subset of ASN.1,
+BER and DER sufficient to understand and implement one OSI-
+based application, RSA Data Security, Inc.'s Public-Key
+Cryptography Standards. The features described include an
+overview of ASN.1, BER, and DER and an abridged list of
+ASN.1 types and their BER and DER encodings. Sections 2-4
+give an overview of ASN.1, BER, and DER, in that order.
+Section 5 lists some ASN.1 types, giving their notation,
+specific encoding rules, examples, and comments about their
+application to PKCS. Section 6 concludes with an example,
+X.500 distinguished names.
+
+Advanced features of ASN.1, such as macros, are not
+described in this note, as they are not needed to implement
+PKCS. For information on the other features, and for more
+detail generally, the reader is referred to CCITT
+Recommendations X.208 and X.209, which define ASN.1 and BER.
+
+Terminology and notation. In this note, an octet is an eight-
+bit unsigned integer. Bit 8 of the octet is the most
+significant and bit 1 is the least significant.
+
+The following meta-syntax is used for in describing ASN.1
+notation:
+
+     BIT  monospace denotes literal characters in the type
+          and value notation; in examples, it generally
+          denotes an octet value in hexadecimal
+
+     n1   bold italics denotes a variable
+
+     []   bold square brackets indicate that a term is
+          optional
+
+     {}   bold braces group related terms
+
+     |    bold vertical bar delimits alternatives with a
+          group
+
+     ...  bold ellipsis indicates repeated occurrences
+
+     =    bold equals sign expresses terms as subterms
+
+
+2. Abstract Syntax Notation One
+
+Abstract Syntax Notation One, abbreviated ASN.1, is a
+notation for describing abstract types and values.
+
+In ASN.1, a type is a set of values. For some types, there
+are a finite number of values, and for other types there are
+an infinite number. A value of a given ASN.1 type is an
+element of the type's set. ASN.1 has four kinds of type:
+simple types, which are "atomic" and have no components;
+structured types, which have components; tagged types, which
+are derived from other types; and other types, which include
+the CHOICE type and the ANY type. Types and values can be
+given names with the ASN.1 assignment operator (::=) , and
+those names can be used in defining other types and values.
+
+Every ASN.1 type other than CHOICE and ANY has a tag, which
+consists of a class and a nonnegative tag number. ASN.1
+types are abstractly the same if and only if their tag
+numbers are the same. In other words, the name of an ASN.1
+type does not affect its abstract meaning, only the tag
+does. There are four classes of tag:
+
+     Universal, for types whose meaning is the same in all
+          applications; these types are only defined in
+          X.208.
+
+     Application, for types whose meaning is specific to an
+          application, such as X.500 directory services;
+          types in two different applications may have the
+          same application-specific tag and different
+          meanings.
+
+     Private, for types whose meaning is specific to a given
+          enterprise.
+
+     Context-specific, for types whose meaning is specific
+          to a given structured type; context-specific tags
+          are used to distinguish between component types
+          with the same underlying tag within the context of
+          a given structured type, and component types in
+          two different structured types may have the same
+          tag and different meanings.
+
+The types with universal tags are defined in X.208, which
+also gives the types' universal tag numbers. Types with
+other tags are defined in many places, and are always
+obtained by implicit or explicit tagging (see Section 2.3).
+Table 1 lists some ASN.1 types and their universal-class
+tags.
+
+    Type                     Tag number     Tag number
+                             (decimal)      (hexadecimal)
+    INTEGER                  2              02
+    BIT STRING               3              03
+    OCTET STRING             4              04
+    NULL                     5              05
+    OBJECT IDENTIFIER        6              06
+    SEQUENCE and SEQUENCE OF 16             10
+    SET and SET OF           17             11
+    PrintableString          19             13
+    T61String                20             14
+    IA5String                22             16
+    UTCTime                  23             17
+
+     Table 1. Some types and their universal-class tags.
+
+ASN.1 types and values are expressed in a flexible,
+programming-language-like notation, with the following
+special rules:
+
+     o    Layout is not significant; multiple spaces and
+          line breaks can be considered as a single space.
+
+     o    Comments are delimited by pairs of hyphens (--),
+          or a pair of hyphens and a line break.
+
+     o    Identifiers (names of values and fields) and type
+          references (names of types) consist of upper- and
+          lower-case letters, digits, hyphens, and spaces;
+          identifiers begin with lower-case letters; type
+          references begin with upper-case letters.
+
+The following four subsections give an overview of simple
+types, structured types, implicitly and explicitly tagged
+types, and other types. Section 5 describes specific types
+in more detail.
+
+
+2.1 Simple types
+
+Simple types are those not consisting of components; they
+are the "atomic" types. ASN.1 defines several; the types
+that are relevant to the PKCS standards are the following:
+
+     BIT STRING, an arbitrary string of bits (ones and
+          zeroes).
+
+     IA5String, an arbitrary string of IA5 (ASCII)
+          characters.
+
+     INTEGER, an arbitrary integer.
+
+     NULL, a null value.
+
+     OBJECT IDENTIFIER, an object identifier, which is a
+          sequence of integer components that identify an
+          object such as an algorithm or attribute type.
+
+     OCTET STRING, an arbitrary string of octets (eight-bit
+          values).
+
+     PrintableString, an arbitrary string of printable
+          characters.
+
+     T61String, an arbitrary string of T.61 (eight-bit)
+          characters.
+
+     UTCTime, a "coordinated universal time" or Greenwich
+          Mean Time (GMT) value.
+
+Simple types fall into two categories: string types and non-
+string types. BIT STRING, IA5String, OCTET STRING,
+PrintableString, T61String, and UTCTime are string types.
+
+String types can be viewed, for the purposes of encoding, as
+consisting of components, where the components are
+substrings. This view allows one to encode a value whose
+length is not known in advance (e.g., an octet string value
+input from a file stream) with a constructed, indefinite-
+length encoding (see Section 3).
+
+The string types can be given size constraints limiting the
+length of values.
+
+
+2.2 Structured types
+
+Structured types are those consisting of components. ASN.1
+defines four, all of which are relevant to the PKCS
+standards:
+
+     SEQUENCE, an ordered collection of one or more types.
+
+     SEQUENCE OF, an ordered collection of zero or more
+          occurrences of a given type.
+
+     SET, an unordered collection of one or more types.
+
+     SET OF, an unordered collection of zero or more
+          occurrences of a given type.
+
+The structured types can have optional components, possibly
+with default values.
+
+
+2.3 Implicitly and explicitly tagged types
+
+Tagging is useful to distinguish types within an
+application; it is also commonly used to distinguish
+component types within a structured type. For instance,
+optional components of a SET or SEQUENCE type are typically
+given distinct context-specific tags to avoid ambiguity.
+
+There are two ways to tag a type: implicitly and explicitly.
+
+Implicitly tagged types are derived from other types by
+changing the tag of the underlying type. Implicit tagging is
+denoted by the ASN.1 keywords [class number] IMPLICIT (see
+Section 5.1).
+
+Explicitly tagged types are derived from other types by
+adding an outer tag to the underlying type. In effect,
+explicitly tagged types are structured types consisting of
+one component, the underlying type. Explicit tagging is
+denoted by the ASN.1 keywords [class number] EXPLICIT (see
+Section 5.2).
+
+The keyword [class number] alone is the same as explicit
+tagging, except when the "module" in which the ASN.1 type is
+defined has implicit tagging by default. ("Modules" are
+among the advanced features not described in this note.)
+
+For purposes of encoding, an implicitly tagged type is
+considered the same as the underlying type, except that the
+tag is different. An explicitly tagged type is considered
+like a structured type with one component, the underlying
+type. Implicit tags result in shorter encodings, but
+explicit tags may be necessary to avoid ambiguity if the tag
+of the underlying type is indeterminate (e.g., the
+underlying type is CHOICE or ANY).
+
+
+2.4 Other types
+
+Other types in ASN.1 include the CHOICE and ANY types. The
+CHOICE type denotes a union of one or more alternatives; the
+ANY type denotes an arbitrary value of an arbitrary type,
+where the arbitrary type is possibly defined in the
+registration of an object identifier or integer value.
+
+
+3. Basic Encoding Rules
+
+The Basic Encoding Rules for ASN.1, abbreviated BER, give
+one or more ways to represent any ASN.1 value as an octet
+string. (There are certainly other ways to represent ASN.1
+values, but BER is the standard for interchanging such
+values in OSI.)
+
+There are three methods to encode an ASN.1 value under BER,
+the choice of which depends on the type of value and whether
+the length of the value is known. The three methods are
+primitive, definite-length encoding; constructed, definite-
+length encoding; and constructed, indefinite-length
+encoding. Simple non-string types employ the primitive,
+definite-length method; structured types employ either of
+the constructed methods; and simple string types employ any
+of the methods, depending on whether the length of the value
+is known. Types derived by implicit tagging employ the
+method of the underlying type and types derived by explicit
+tagging employ the constructed methods.
+
+In each method, the BER encoding has three or four parts:
+
+     Identifier octets. These identify the class and tag
+          number of the ASN.1 value, and indicate whether
+          the method is primitive or constructed.
+
+     Length octets. For the definite-length methods, these
+          give the number of contents octets. For the
+          constructed, indefinite-length method, these
+          indicate that the length is indefinite.
+
+     Contents octets. For the primitive, definite-length
+          method, these give a concrete representation of
+          the  value. For the constructed methods, these
+          give the concatenation of the BER encodings of the
+          components of the value.
+
+     End-of-contents octets. For the constructed, indefinite-
+          length method, these denote the end of the
+          contents. For the other methods, these are absent.
+
+The three methods of encoding are described in the following
+sections.
+
+
+3.1 Primitive, definite-length method
+
+This method applies to simple types and types derived from
+simple types by implicit tagging. It requires that the
+length of the value be known in advance. The parts of the
+BER encoding are as follows:
+
+Identifier octets. There are two forms: low tag number (for
+tag numbers between 0 and 30) and high tag number (for tag
+numbers 31 and greater).
+
+     Low-tag-number form. One octet. Bits 8 and 7 specify
+          the class (see Table 2), bit 6 has value "0,"
+          indicating that the encoding is primitive, and
+          bits 5-1 give the tag number.
+
+                  Class            Bit  Bit
+                                   8    7
+                  universal        0    0
+                  application      0    1
+                  context-specific 1    0
+                  private          1    1
+
+        Table 2. Class encoding in identifier octets.
+
+     High-tag-number form. Two or more octets. First octet
+          is as in low-tag-number form, except that bits 5-1
+          all have value "1." Second and following octets
+          give the tag number, base 128, most significant
+          digit first, with as few digits as possible, and
+          with the bit 8 of each octet except the last set
+          to "1."
+
+Length octets. There are two forms: short (for lengths
+between 0 and 127), and long definite (for lengths between 0
+and 21008-1).
+
+     Short form. One octet. Bit 8 has value "0" and bits 7-1
+          give the length.
+
+     Long form. Two to 127 octets. Bit 8 of first octet has
+          value "1" and bits 7-1 give the number of
+          additional length octets. Second and following
+          octets give the length, base 256, most significant
+          digit first.
+
+Contents octets. These give a concrete representation of the
+value (or the value of the underlying type, if the type is
+derived by implicit tagging). Details for particular types
+are given in Section 5.
+
+
+3.2 Constructed, definite-length method
+
+This method applies to simple string types, structured
+types, types derived simple string types and structured
+types by implicit tagging, and types derived from anything
+by explicit tagging. It requires that the length of the
+value be known in advance. The parts of the BER encoding are
+as follows:
+
+Identifier octets. As described in Section 3.1, except that
+bit 6 has value "1," indicating that the encoding is
+constructed.
+
+Length octets. As described in Section 3.1.
+
+Contents octets. The concatenation of the BER encodings of
+the components of the value:
+
+     o    For simple string types and types derived from
+          them by implicit tagging, the concatenation of the
+          BER encodings of consecutive substrings of the
+          value (underlying value for implicit tagging).
+
+     o    For structured types and types derived from them
+          by implicit tagging, the concatenation of the BER
+          encodings of components of the value (underlying
+          value for implicit tagging).
+
+     o    For types derived from anything by explicit
+          tagging, the BER encoding of the underlying value.
+
+Details for particular types are given in Section 5.
+
+
+3.3 Constructed, indefinite-length method
+
+This method applies to simple string types, structured
+types, types derived simple string types and structured
+types by implicit tagging, and types derived from anything
+by explicit tagging. It does not require that the length of
+the value be known in advance. The parts of the BER encoding
+are as follows:
+
+Identifier octets. As described in Section 3.2.
+
+Length octets. One octet, 80.
+
+Contents octets. As described in Section 3.2.
+
+End-of-contents octets. Two octets, 00 00.
+
+Since the end-of-contents octets appear where an ordinary
+BER encoding might be expected (e.g., in the contents octets
+of a sequence value), the 00 and 00 appear as identifier and
+length octets, respectively. Thus the end-of-contents octets
+is really the primitive, definite-length encoding of a value
+with universal class, tag number 0, and length 0.
+
+
+4. Distinguished Encoding Rules
+
+The Distinguished Encoding Rules for ASN.1, abbreviated DER,
+are a subset of BER, and give exactly one way to represent
+any ASN.1 value as an octet string. DER is intended for
+applications in which a unique octet string encoding is
+needed, as is the case when a digital signature is computed
+on an ASN.1 value. DER is defined in Section 8.7 of X.509.
+
+DER adds the following restrictions to the rules given in
+Section 3:
+
+     1.   When the length is between 0 and 127, the short
+          form of length must be used
+
+     2.   When the length is 128 or greater, the long form
+          of length must be used, and the length must be
+          encoded in the minimum number of octets.
+
+     3.   For simple string types and implicitly tagged
+          types derived from simple string types, the
+          primitive, definite-length method must be
+          employed.
+
+     4.   For structured types, implicitly tagged types
+          derived from structured types, and explicitly
+          tagged types derived from anything, the
+          constructed, definite-length method must be
+          employed.
+
+Other restrictions are defined for particular types (such as
+BIT STRING, SEQUENCE, SET, and SET OF), and can be found in
+Section 5.
+
+
+5. Notation and encodings for some types
+
+This section gives the notation for some ASN.1 types and
+describes how to encode values of those types under both BER
+and DER.
+
+The types described are those presented in Section 2. They
+are listed alphabetically here.
+
+Each description includes ASN.1 notation, BER encoding, and
+DER encoding. The focus of the encodings is primarily on the
+contents octets; the tag and length octets follow Sections 3
+and 4. The descriptions also explain where each type is used
+in PKCS and related standards. ASN.1 notation is generally
+only for types, although for the type OBJECT IDENTIFIER,
+value notation is given as well.
+
+
+5.1 Implicitly tagged types
+
+An implicitly tagged type is a type derived from another
+type by changing the tag of the underlying type.
+
+Implicit tagging is used for optional SEQUENCE components
+with underlying type other than ANY throughout PKCS, and for
+the extendedCertificate alternative of PKCS #7's
+ExtendedCertificateOrCertificate type.
+
+ASN.1 notation:
+
+[[class] number] IMPLICIT Type
+
+class = UNIVERSAL  |  APPLICATION  |  PRIVATE
+
+where Type is a type, class is an optional class name, and
+number is the tag number within the class, a nonnegative
+integer.
+
+In ASN.1 "modules" whose default tagging method is implicit
+tagging, the notation [[class] number] Type is also
+acceptable, and the keyword IMPLICIT is implied. (See
+Section 2.3.) For definitions stated outside a module, the
+explicit inclusion of the keyword IMPLICIT is preferable to
+prevent ambiguity.
+
+If the class name is absent, then the tag is context-
+specific. Context-specific tags can only appear in a
+component of a structured or CHOICE type.
+
+Example: PKCS #8's PrivateKeyInfo type has an optional
+attributes component with an implicit, context-specific tag:
+
+PrivateKeyInfo ::= SEQUENCE {
+  version Version,
+  privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+  privateKey PrivateKey,
+  attributes [0] IMPLICIT Attributes OPTIONAL }
+
+Here the underlying type is Attributes, the class is absent
+(i.e., context-specific), and the tag number within the
+class is 0.
+
+BER encoding. Primitive or constructed, depending on the
+underlying type. Contents octets are as for the BER encoding
+of the underlying value.
+
+Example: The BER encoding of the attributes component of a
+PrivateKeyInfo value is as follows:
+
+     o    the identifier octets are 80 if the underlying
+          Attributes value has a primitive BER encoding and
+          a0 if the underlying Attributes value has a
+          constructed BER encoding
+
+     o    the length and contents octets are the same as the
+          length and contents octets of the BER encoding of
+          the underlying Attributes value
+
+DER encoding. Primitive or constructed, depending on the
+underlying type. Contents octets are as for the DER encoding
+of the underlying value.
+
+
+5.2 Explicitly tagged types
+
+Explicit tagging denotes a type derived from another type by
+adding an outer tag to the underlying type.
+
+Explicit tagging is used for optional SEQUENCE components
+with underlying type ANY throughout PKCS, and for the
+version component of X.509's Certificate type.
+
+ASN.1 notation:
+
+[[class] number] EXPLICIT Type
+
+class = UNIVERSAL  |  APPLICATION  |  PRIVATE
+
+where Type is a type, class is an optional class name, and
+number is the tag number within the class, a nonnegative
+integer.
+
+If the class name is absent, then the tag is context-
+specific. Context-specific tags can only appear in a
+component of a SEQUENCE, SET or CHOICE type.
+
+In ASN.1 "modules" whose default tagging method is explicit
+tagging, the notation [[class] number] Type is also
+acceptable, and the keyword EXPLICIT is implied. (See
+Section 2.3.) For definitions stated outside a module, the
+explicit inclusion of the keyword EXPLICIT is preferable to
+prevent ambiguity.
+
+Example 1: PKCS #7's ContentInfo type has an optional
+content component with an explicit, context-specific tag:
+
+ContentInfo ::= SEQUENCE {
+  contentType ContentType,
+  content
+    [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+
+Here the underlying type is ANY DEFINED BY contentType, the
+class is absent (i.e., context-specific), and the tag number
+within the class is 0.
+
+Example 2: X.509's Certificate type has a version component
+with an explicit, context-specific tag, where the EXPLICIT
+keyword is omitted:
+
+Certificate ::= ...
+  version [0] Version DEFAULT v1988,
+...
+
+The tag is explicit because the default tagging method for
+the ASN.1 "module" in X.509 that defines the Certificate
+type is explicit tagging.
+
+BER encoding. Constructed. Contents octets are the BER
+encoding of the underlying value.
+
+Example: the BER encoding of the content component of a
+ContentInfo value is as follows:
+
+     o    identifier octets are a0
+
+     o    length octets represent the length of the BER
+          encoding of the underlying ANY DEFINED BY
+          contentType value
+
+     o    contents octets are the BER encoding of the
+          underlying ANY DEFINED BY contentType value
+
+DER encoding. Constructed. Contents octets are the DER
+encoding of the underlying value.
+
+
+5.3 ANY
+
+The ANY type denotes an arbitrary value of an arbitrary
+type, where the arbitrary type is possibly defined in the
+registration of an object identifier or associated with an
+integer index.
+
+The ANY type is used for content of a particular content
+type in PKCS #7's ContentInfo type, for parameters of a
+particular algorithm in X.509's AlgorithmIdentifier type,
+and for attribute values in X.501's Attribute and
+AttributeValueAssertion types. The Attribute type is used by
+PKCS #6, #7, #8, #9 and #10, and the AttributeValueAssertion
+type is used in X.501 distinguished names.
+
+ASN.1 notation:
+
+ANY [DEFINED BY identifier]
+
+where identifier is an optional identifier.
+
+In the ANY form, the actual type is indeterminate.
+
+The ANY DEFINED BY identifier form can only appear in a
+component of a SEQUENCE or SET type for which identifier
+identifies some other component, and that other component
+has type INTEGER or OBJECT IDENTIFIER (or a type derived
+from either of those by tagging). In that form, the actual
+type is determined by the value of the other component,
+either in the registration of the object identifier value,
+or in a table of integer values.
+
+Example: X.509's AlgorithmIdentifier type has a component of
+type ANY:
+
+AlgorithmIdentifier ::= SEQUENCE {
+  algorithm OBJECT IDENTIFIER,
+  parameters ANY DEFINED BY algorithm OPTIONAL }
+
+Here the actual type of the parameter component depends on
+the value of the algorithm component. The actual type would
+be defined in the registration of object identifier values
+for the algorithm component.
+
+BER encoding. Same as the BER encoding of the actual value.
+
+Example: The BER encoding of the value of the parameter
+component is the BER encoding of the value of the actual
+type as defined in the registration of object identifier
+values for the algorithm component.
+
+DER encoding. Same as the DER encoding of the actual value.
+
+
+5.4 BIT STRING
+
+The BIT STRING type denotes an arbitrary string of bits
+(ones and zeroes). A BIT STRING value can have any length,
+including zero. This type is a string type.
+
+The BIT STRING type is used for digital signatures on
+extended certificates in PKCS #6's ExtendedCertificate type,
+for digital signatures on certificates in X.509's
+Certificate type, and for public keys in certificates in
+X.509's SubjectPublicKeyInfo type.
+
+ASN.1 notation:
+
+BIT STRING
+
+Example: X.509's SubjectPublicKeyInfo type has a component
+of type BIT STRING:
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+  algorithm AlgorithmIdentifier,
+  publicKey BIT STRING }
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the first contents octet gives the number of bits
+by which the length of the bit string is less than the next
+multiple of eight (this is called the "number of unused
+bits"). The second and following contents octets give the
+value of the bit string, converted to an octet string. The
+conversion process is as follows:
+
+     1.   The bit string is padded after the last bit with
+          zero to seven bits of any value to make the length
+          of the bit string a multiple of eight. If the
+          length of the bit string is a multiple of eight
+          already, no padding is done.
+
+     2.   The padded bit string is divided into octets. The
+          first eight bits of the padded bit string become
+          the first octet, bit 8 to bit 1, and so on through
+          the last eight bits of the padded bit string.
+
+In a constructed encoding, the contents octets give the
+concatenation of the BER encodings of consecutive substrings
+of the bit string, where each substring except the last has
+a length that is a multiple of eight bits.
+
+Example: The BER encoding of the BIT STRING value
+"011011100101110111" can be any of the following, among
+others, depending on the choice of padding bits, the form of
+length octets, and whether the encoding is primitive or
+constructed:
+
+03 04 06 6e 5d c0                               DER encoding
+
+03 04 06 6e 5d e0                       padded with "100000"
+
+03 81 04 06 6e 5d c0              long form of length octets
+
+23 09        constructed encoding: "0110111001011101" + "11"
+   03 03 00 6e 5d
+   03 02 06 c0
+
+DER encoding. Primitive. The contents octects are as for a
+primitive BER encoding, except that the bit string is padded
+with zero-valued bits.
+
+Example: The DER encoding of the BIT STRING value
+"011011100101110111" is
+
+03 04 06 6e 5d c0
+
+
+5.5 CHOICE
+
+The CHOICE type denotes a union of one or more alternatives.
+
+The CHOICE type is used to represent the union of an
+extended certificate and an X.509 certificate in PKCS #7's
+ExtendedCertificateOrCertificate type.
+
+ASN.1 notation:
+
+CHOICE {
+  [identifier1] Type1,
+  ...,
+  [identifiern] Typen }
+
+where identifier1 , ..., identifiern are optional, distinct
+identifiers for the alternatives, and Type1, ..., Typen are
+the types of the alternatives. The identifiers are primarily
+for documentation; they do not affect values of the type or
+their encodings in any way.
+
+The types must have distinct tags. This requirement is
+typically satisfied with explicit or implicit tagging on
+some of the alternatives.
+
+Example: PKCS #7's ExtendedCertificateOrCertificate type is
+a CHOICE type:
+
+ExtendedCertificateOrCertificate ::= CHOICE {
+  certificate Certificate, -- X.509
+  extendedCertificate [0] IMPLICIT ExtendedCertificate
+}
+
+Here the identifiers for the alternatives are certificate
+and extendedCertificate, and the types of the alternatives
+are Certificate and [0] IMPLICIT ExtendedCertificate.
+
+BER encoding. Same as the BER encoding of the chosen
+alternative. The fact that the alternatives have distinct
+tags makes it possible to distinguish between their BER
+encodings.
+
+Example: The identifier octets for the BER encoding are 30
+if the chosen alternative is certificate, and a0 if the
+chosen alternative is extendedCertificate.
+
+DER encoding. Same as the DER encoding of the chosen
+alternative.
+
+
+5.6 IA5String
+
+The IA5String type denotes an arbtrary string of IA5
+characters. IA5 stands for International Alphabet 5, which
+is the same as ASCII. The character set includes non-
+printing control characters. An IA5String value can have any
+length, including zero. This type is a string type.
+
+The IA5String type is used in PKCS #9's electronic-mail
+address, unstructured-name, and unstructured-address
+attributes.
+
+ASN.1 notation:
+
+IA5String
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the contents octets give the characters in the IA5
+string, encoded in ASCII. In a constructed encoding, the
+contents octets give the concatenation of the BER encodings
+of consecutive substrings of the IA5 string.
+
+Example: The BER encoding of the IA5String value
+"test1@rsa.com" can be any of the following, among others,
+depending on the form of length octets and whether the
+encoding is primitive or constructed:
+
+16 0d 74 65 73 74 31 40 72 73 61 2e 63 6f 6d DER encoding
+
+16 81 0d                       long form of length octets
+   74 65 73 74 31 40 72 73 61 2e 63 6f 6d
+
+36 13     constructed encoding: "test1" + "@" + "rsa.com"
+   16 05 74 65 73 74 31
+   16 01 40
+   16 07 72 73 61 2e 63 6f 6d
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+Example: The DER encoding of the IA5String value
+"test1@rsa.com" is
+
+16 0d 74 65 73 74 31 40 72 73 61 2e 63 6f 6d
+
+
+5.7 INTEGER
+
+The INTEGER type denotes an arbitrary integer. INTEGER
+values can be positive, negative, or zero, and can have any
+magnitude.
+
+The INTEGER type is used for version numbers throughout
+PKCS, cryptographic values such as modulus, exponent, and
+primes in PKCS #1's RSAPublicKey and RSAPrivateKey types and
+PKCS #3's DHParameter type, a message-digest iteration count
+in PKCS #5's PBEParameter type, and version numbers and
+serial numbers in X.509's Certificate type.
+
+ASN.1 notation:
+
+INTEGER [{ identifier1(value1) ... identifiern(valuen) }]
+
+where identifier1, ..., identifiern are optional distinct
+identifiers and value1, ..., valuen are optional integer
+values. The identifiers, when present, are associated with
+values of the type.
+
+Example: X.509's Version type is an INTEGER type with
+identified values:
+
+Version ::= INTEGER { v1988(0) }
+
+The identifier v1988 is associated with the value 0. X.509's
+Certificate type uses the identifier v1988 to give a default
+value of 0 for the version component:
+
+Certificate ::= ...
+  version Version DEFAULT v1988,
+...
+
+BER encoding. Primitive. Contents octets give the value of
+the integer, base 256, in two's complement form, most
+significant digit first, with the minimum number of octets.
+The value 0 is encoded as a single 00 octet.
+
+Some example BER encodings (which also happen to be DER
+encodings) are given in Table 3.
+
+                    Integer   BER encoding
+                    value
+                    0         02 01 00
+                    127       02 01 7F
+                    128       02 02 00 80
+                    256       02 02 01 00
+                    -128      02 01 80
+                    -129      02 02 FF 7F
+
+      Table 3. Example BER encodings of INTEGER values.
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+
+5.8 NULL
+
+The NULL type denotes a null value.
+
+The NULL type is used for algorithm parameters in several
+places in PKCS.
+
+ASN.1 notation:
+
+NULL
+
+BER encoding. Primitive. Contents octets are empty.
+
+Example: The BER encoding of a NULL value can be either of
+the following, as well as others, depending on the form of
+the length octets:
+
+05 00
+
+05 81 00
+
+DER encoding. Primitive. Contents octets are empty; the DER
+encoding of a NULL value is always 05 00.
+
+
+5.9 OBJECT IDENTIFIER
+
+The OBJECT IDENTIFIER type denotes an object identifier, a
+sequence of integer components that identifies an object
+such as an algorithm, an attribute type, or perhaps a
+registration authority that defines other object
+identifiers. An OBJECT IDENTIFIER value can have any number
+of components, and components can generally have any
+nonnegative value. This type is a non-string type.
+
+OBJECT IDENTIFIER values are given meanings by registration
+authorities. Each registration authority is responsible for
+all sequences of components beginning with a given sequence.
+A registration authority typically delegates responsibility
+for subsets of the sequences in its domain to other
+registration authorities, or for particular types of object.
+There are always at least two components.
+
+The OBJECT IDENTIFIER type is used to identify content in
+PKCS #7's ContentInfo type, to identify algorithms in
+X.509's AlgorithmIdentifier type, and to identify attributes
+in X.501's Attribute and AttributeValueAssertion types. The
+Attribute type is used by PKCS #6, #7, #8, #9, and #10, and
+the AttributeValueAssertion type is used in X.501
+distinguished names. OBJECT IDENTIFIER values are defined
+throughout PKCS.
+
+ASN.1 notation:
+
+OBJECT IDENTIFIER
+
+The ASN.1 notation for values of the OBJECT IDENTIFIER type
+is
+
+{ [identifier] component1 ... componentn }
+
+componenti = identifieri | identifieri (valuei) | valuei
+
+where identifier, identifier1, ..., identifiern are
+identifiers, and value1, ..., valuen are optional integer
+values.
+
+The form without identifier is the "complete" value with all
+its components; the form with identifier abbreviates the
+beginning components with another object identifier value.
+The identifiers identifier1, ..., identifiern are intended
+primarily for documentation, but they must correspond to the
+integer value when both are present. These identifiers can
+appear without integer values only if they are among a small
+set of identifiers defined in X.208.
+
+Example: The following values both refer to the object
+identifier assigned to RSA Data Security, Inc.:
+
+{ iso(1) member-body(2) 840 113549 }
+{ 1 2 840 113549 }
+
+(In this example, which gives ASN.1 value notation, the
+object identifier values are decimal, not hexadecimal.)
+Table 4 gives some other object identifier values and their
+meanings.
+
+ Object identifier value       Meaning
+ { 1 2 }                       ISO member bodies
+ { 1 2 840 }                   US (ANSI)
+ { 1 2 840 113549 }            RSA Data Security, Inc.
+ { 1 2 840 113549 1 }          RSA Data Security, Inc. PKCS
+ { 2 5 }                       directory services (X.500)
+ { 2 5 8 }                     directory services-algorithms
+
+ Table 4. Some object identifier values and their meanings.
+
+BER encoding. Primitive. Contents octets are as follows,
+where value1, ..., valuen denote the integer values of the
+components in the complete object identifier:
+
+     1.   The first octet has value 40 * value1 + value2.
+          (This is unambiguous, since value1 is limited to
+          values 0, 1, and 2; value2 is limited to the range
+          0 to 39 when value1 is 0 or 1; and, according to
+          X.208, n is always at least 2.)
+
+     2.   The following octets, if any, encode value3, ...,
+          valuen. Each value is encoded base 128, most
+          significant digit first, with as few digits as
+          possible, and the most significant bit of each
+          octet except the last in the value's encoding set
+          to "1."
+
+Example: The first octet of the BER encoding of RSA Data
+Security, Inc.'s object identifier is 40 * 1 + 2 = 42 =
+2a16. The encoding of 840 = 6 * 128 + 4816 is 86 48 and the
+encoding of 113549 = 6 * 1282 + 7716 * 128 + d16 is 86 f7
+0d. This leads to the following BER encoding:
+
+06 06 2a 86 48 86 f7 0d
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+
+5.10 OCTET STRING
+
+The OCTET STRING type denotes an arbitrary string of octets
+(eight-bit values). An OCTET STRING value can have any
+length, including zero. This type is a string type.
+
+The OCTET STRING type is used for salt values in PKCS #5's
+PBEParameter type, for message digests, encrypted message
+digests, and encrypted content in PKCS #7, and for private
+keys and encrypted private keys in PKCS #8.
+
+ASN.1 notation:
+
+OCTET STRING [SIZE ({size | size1..size2})]
+
+where size, size1, and size2 are optional size constraints.
+In the OCTET STRING SIZE (size) form, the octet string must
+have size octets. In the OCTET STRING SIZE (size1..size2)
+form, the octet string must have between size1 and size2
+octets. In the OCTET STRING form, the octet string can have
+any size.
+
+Example: PKCS #5's PBEParameter type has a component of type
+OCTET STRING:
+
+PBEParameter ::= SEQUENCE {
+  salt OCTET STRING SIZE(8),
+  iterationCount INTEGER }
+
+Here the size of the salt component is always eight octets.
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the contents octets give the value of the octet
+string, first octet to last octet. In a constructed
+encoding, the contents octets give the concatenation of the
+BER encodings of substrings of the OCTET STRING value.
+
+Example: The BER encoding of the OCTET STRING value 01 23 45
+67 89 ab cd ef can be any of the following, among others,
+depending on the form of length octets and whether the
+encoding is primitive or constructed:
+
+04 08 01 23 45 67 89 ab cd ef                   DER encoding
+
+04 81 08 01 23 45 67 89 ab cd ef  long form of length octets
+
+24 0c            constructed encoding: 01 ... 67 + 89 ... ef
+   04 04 01 23 45 67
+   04 04 89 ab cd ef
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+Example: The BER encoding of the OCTET STRING value 01 23 45
+67 89 ab cd ef is
+
+04 08 01 23 45 67 89 ab cd ef
+
+
+5.11 PrintableString
+
+The PrintableString type denotes an arbitrary string of
+printable characters from the following character set:
+
+                         A, B, ..., Z
+                         a, b, ..., z
+                         0, 1, ..., 9
+               (space) ' ( ) + , - . / : = ?
+
+This type is a string type.
+
+The PrintableString type is used in PKCS #9's challenge-
+password and unstructuerd-address attributes, and in several
+X.521 distinguished names attributes.
+
+ASN.1 notation:
+
+PrintableString
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the contents octets give the characters in the
+printable string, encoded in ASCII. In a constructed
+encoding, the contents octets give the concatenation of the
+BER encodings of consecutive substrings of the string.
+
+Example: The BER encoding of the PrintableString value "Test
+User 1" can be any of the following, among others, depending
+on the form of length octets and whether the encoding is
+primitive or constructed:
+
+13 0b 54 65 73 74 20 55 73 65 72 20 31          DER encoding
+
+13 81 0b                          long form of length octets
+   54 65 73 74 20 55 73 65 72 20 31
+
+33 0f               constructed encoding: "Test " + "User 1"
+   13 05 54 65 73 74 20
+   13 06 55 73 65 72 20 31
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+Example: The DER encoding of the PrintableString value "Test
+User 1" is
+
+13 0b 54 65 73 74 20 55 73 65 72 20 31
+
+
+5.12 SEQUENCE
+
+The SEQUENCE type denotes an ordered collection of one or
+more types.
+
+The SEQUENCE type is used throughout PKCS and related
+standards.
+
+ASN.1 notation:
+
+SEQUENCE {
+  [identifier1] Type1 [{OPTIONAL | DEFAULT value1}],
+  ...,
+  [identifiern] Typen [{OPTIONAL | DEFAULT valuen}]}
+
+where identifier1 , ..., identifiern are optional, distinct
+identifiers for the components, Type1, ..., Typen are the
+types of the components, and value1, ..., valuen are optional
+default values for the components. The identifiers are
+primarily for documentation; they do not affect values of
+the type or their encodings in any way.
+
+The OPTIONAL qualifier indicates that the value of a
+component is optional and need not be present in the
+sequence. The DEFAULT qualifier also indicates that the
+value of a component is optional, and assigns a default
+value to the component when the component is absent.
+
+The types of any consecutive series of components with the
+OPTIONAL or DEFAULT qualifier, as well as of any component
+immediately following that series, must have distinct tags.
+This requirement is typically satisfied with explicit or
+implicit tagging on some of the components.
+
+Example: X.509's Validity type is a SEQUENCE type with two
+components:
+
+Validity ::= SEQUENCE {
+  start UTCTime,
+  end UTCTime }
+
+Here the identifiers for the components are start and end,
+and the types of the components are both UTCTime.
+
+BER encoding. Constructed. Contents octets are the
+concatenation of the BER encodings of the values of the
+components of the sequence, in order of definition, with the
+following rules for components with the OPTIONAL and DEFAULT
+qualifiers:
+
+     o    if the value of a component with the OPTIONAL or
+          DEFAULT qualifier is absent from the sequence,
+          then the encoding of that component is not
+          included in the contents octets
+
+     o    if the value of a component with the DEFAULT
+          qualifier is the default value, then the encoding
+          of that component may or may not be included in
+          the contents octets
+
+DER encoding. Constructed. Contents octets are the same as
+the BER encoding, except that if the value of a component
+with the DEFAULT qualifier is the default value, the
+encoding of that component is not included in the contents
+octets.
+
+
+5.13 SEQUENCE OF
+
+The SEQUENCE OF type denotes an ordered collection of zero
+or more occurrences of a given type.
+
+The SEQUENCE OF type is used in X.501 distinguished names.
+
+ASN.1 notation:
+
+SEQUENCE OF Type
+
+where Type is a type.
+
+Example: X.501's RDNSequence type consists of zero or more
+occurences of the RelativeDistinguishedName type, most
+significant occurrence first:
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+BER encoding. Constructed. Contents octets are the
+concatenation of the BER encodings of the values of the
+occurrences in the collection, in order of occurence.
+
+DER encoding. Constructed. Contents octets are the
+concatenation of the DER encodings of the values of the
+occurrences in the collection, in order of occurence.
+
+
+5.14 SET
+
+The SET type denotes an unordered collection of one or more
+types.
+
+The SET type is not used in PKCS.
+
+ASN.1 notation:
+
+SET {
+  [identifier1] Type1 [{OPTIONAL | DEFAULT value1}],
+  ...,
+  [identifiern] Typen [{OPTIONAL | DEFAULT valuen}]}
+
+where identifier1, ..., identifiern are optional, distinct
+identifiers for the components, Type1, ..., Typen are the
+types of the components, and value1, ..., valuen are
+optional default values for the components. The identifiers
+are primarily for documentation; they do not affect values
+of the type or their encodings in any way.
+
+The OPTIONAL qualifier indicates that the value of a
+component is optional and need not be present in the set.
+The DEFAULT qualifier also indicates that the value of a
+component is optional, and assigns a default value to the
+component when the component is absent.
+
+The types must have distinct tags. This requirement is
+typically satisfied with explicit or implicit tagging on
+some of the components.
+
+BER encoding. Constructed. Contents octets are the
+concatenation of the BER encodings of the values of the
+components of the set, in any order, with the following
+rules for components with the OPTIONAL and DEFAULT
+qualifiers:
+
+     o    if the value of a component with the OPTIONAL or
+          DEFAULT qualifier is absent from the set, then the
+          encoding of that component is not included in the
+          contents octets
+
+     o    if the value of a component with the DEFAULT
+          qualifier is the default value, then the encoding
+          of that component may or may not be included in
+          the contents octets
+
+DER encoding. Constructed. Contents octets are the same as
+for the BER encoding, except that:
+
+     1.   If the value of a component with the DEFAULT
+          qualifier is the default value, the encoding of
+          that component is not included.
+
+     2.   There is an order to the components, namely
+          ascending order by tag.
+
+
+5.15 SET OF
+
+The SET OF type denotes an unordered collection of zero or
+more occurrences of a given type.
+
+The SET OF type is used for sets of attributes in PKCS #6,
+#7, #8, #9 and #10, for sets of message-digest algorithm
+identifiers, signer information, and recipient information
+in PKCS #7, and in X.501 distinguished names.
+
+ASN.1 notation:
+
+SET OF Type
+
+where Type is a type.
+
+Example: X.501's RelativeDistinguishedName type consists of
+zero or more occurrences of the AttributeValueAssertion
+type, where the order is unimportant:
+
+RelativeDistinguishedName ::=
+  SET OF AttributeValueAssertion
+
+BER encoding. Constructed. Contents octets are the
+concatenation of the BER encodings of the values of the
+occurrences in the collection, in any order.
+
+DER encoding. Constructed. Contents octets are the same as
+for the BER encoding, except that there is an order, namely
+ascending lexicographic order of BER encoding. Lexicographic
+comparison of two different BER encodings is done as
+follows: Logically pad the shorter BER encoding after the
+last octet with dummy octets that are smaller in value than
+any normal octet. Scan the BER encodings from left to right
+until a difference is found. The smaller-valued BER encoding
+is the one with the smaller-valued octet at the point of
+difference.
+
+
+5.16 T61String
+
+The T61String type denotes an arbtrary string of T.61
+characters. T.61 is an eight-bit extension to the ASCII
+character set. Special "escape" sequences specify the
+interpretation of subsequent character values as, for
+example, Japanese; the initial interpretation is Latin. The
+character set includes non-printing control characters. The
+T61String type allows only the Latin and Japanese character
+interepretations, and implementors' agreements for directory
+names exclude control characters [NIST92]. A T61String value
+can have any length, including zero. This type is a string
+type.
+
+The T61String type is used in PKCS #9's unstructured-address
+and challenge-password attributes, and in several X.521
+attributes.
+
+ASN.1 notation:
+
+T61String
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the contents octets give the characters in the
+T.61 string, encoded in ASCII. In a constructed encoding,
+the contents octets give the concatenation of the BER
+encodings of consecutive substrings of the T.61 string.
+
+Example: The BER encoding of the T61String value "cl'es
+publiques" (French for "public keys") can be any of the
+following, among others, depending on the form of length
+octets and whether the encoding is primitive or constructed:
+
+14 0f                                           DER encoding
+   63 6c c2 65 73 20 70 75 62 6c 69 71 75 65 73
+
+14 81 0f                          long form of length octets
+   63 6c c2 65 73 20 70 75 62 6c 69 71 75 65 73
+
+34 15      constructed encoding: "cl'es" + " " + "publiques"
+   14 05 63 6c c2 65 73
+   14 01 20
+   14 09 70 75 62 6c 69 71 75 65 73
+
+The eight-bit character c2 is a T.61 prefix that adds an
+acute accent (') to the next character.
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+Example: The DER encoding of the T61String value "cl'es
+publiques" is
+
+14 0f 63 6c c2 65 73 20 70 75 62 6c 69 71 75 65 73
+
+
+5.17 UTCTime
+
+The UTCTime type denotes a "coordinated universal time" or
+Greenwich Mean Time (GMT) value. A UTCTime value includes
+the local time precise to either minutes or seconds, and an
+offset from GMT in hours and minutes. It takes any of the
+following forms:
+
+YYMMDDhhmmZ
+YYMMDDhhmm+hh'mm'
+YYMMDDhhmm-hh'mm'
+YYMMDDhhmmssZ
+YYMMDDhhmmss+hh'mm'
+YYMMDDhhmmss-hh'mm'
+
+where:
+
+     YY is the least significant two digits of the year
+
+     MM is the month (01 to 12)
+
+     DD is the day (01 to 31)
+
+     hh is the hour (00 to 23)
+
+     mm are the minutes (00 to 59)
+
+     ss are the seconds (00 to 59)
+
+     Z indicates that local time is GMT, + indicates that
+          local time is later than GMT, and - indicates that
+          local time is earlier than GMT
+
+     hh' is the absolute value of the offset from GMT in
+          hours
+
+     mm' is the absolute value of the offset from GMT in
+          minutes
+
+This type is a string type.
+
+The UTCTime type is used for signing times in PKCS #9's
+signing-time attribute and for certificate validity periods
+in X.509's Validity type.
+
+ASN.1 notation:
+
+UTCTime
+
+BER encoding. Primitive or constructed. In a primitive
+encoding, the contents octets give the characters in the
+string, encoded in ASCII. In a constructed encoding, the
+contents octets give the concatenation of the BER encodings
+of consecutive substrings of the string. (The constructed
+encoding is not particularly interesting, since UTCTime
+values are so short, but the constructed encoding is
+permitted.)
+
+Example: The time this sentence was originally written was
+4:45:40 p.m. Pacific Daylight Time on May 6, 1991, which can
+be represented with either of the following UTCTime values,
+among others:
+
+"910506164540-0700"
+
+"910506234540Z"
+
+These values have the following BER encodings, among others:
+
+17 0d 39 31 30 35 30 36 32 33 34 35 34 30 5a
+
+17 11 39 31 30 35 30 36 31 36 34 35 34 30 2D 30 37 30
+      30
+
+DER encoding. Primitive. Contents octets are as for a
+primitive BER encoding.
+
+
+6. An example
+
+This section gives an example of ASN.1 notation and DER
+encoding: the X.501 type Name.
+
+
+6.1 Abstract notation
+
+This section gives the ASN.1 notation for the X.501 type
+Name.
+
+Name ::= CHOICE {
+  RDNSequence }
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+RelativeDistinguishedName ::=
+  SET OF AttributeValueAssertion
+
+AttributeValueAssertion ::= SEQUENCE {
+   AttributeType,
+   AttributeValue }
+
+AttributeType ::= OBJECT IDENTIFIER
+
+AttributeValue ::= ANY
+
+The Name type identifies an object in an X.500 directory.
+Name is a CHOICE type consisting of one alternative:
+RDNSequence. (Future revisions of X.500 may have other
+alternatives.)
+
+The RDNSequence type gives a path through an X.500 directory
+tree starting at the root. RDNSequence is a SEQUENCE OF type
+consisting of zero or more occurences of
+RelativeDistinguishedName.
+
+The RelativeDistinguishedName type gives a unique name to an
+object relative to the object superior to it in the
+directory tree. RelativeDistinguishedName is a SET OF type
+consisting of zero or more occurrences of
+AttributeValueAssertion.
+
+The AttributeValueAssertion type assigns a value to some
+attribute of a relative distinguished name, such as country
+name or common name. AttributeValueAssertion is a SEQUENCE
+type consisting of two components, an AttributeType type and
+an AttributeValue type.
+
+The AttributeType type identifies an attribute by object
+identifier. The AttributeValue type gives an arbitrary
+attribute value. The actual type of the attribute value is
+determined by the attribute type.
+
+
+6.2 DER encoding
+
+This section gives an example of a DER encoding of a value
+of type Name, working from the bottom up.
+
+The name is that of the Test User 1 from the PKCS examples
+[Kal93]. The name is represented by the following path:
+
+                           (root)
+                              |
+                     countryName = "US"
+                              |
+          organizationName = "Example Organization"
+                              |
+                 commonName = "Test User 1"
+
+Each level corresponds to one RelativeDistinguishedName
+value, each of which happens for this name to consist of one
+AttributeValueAssertion value. The AttributeType value is
+before the equals sign, and the AttributeValue value (a
+printable string for the given attribute types) is after the
+equals sign.
+
+The countryName, organizationName, and commonUnitName are
+attribute types defined in X.520 as:
+
+attributeType OBJECT IDENTIFIER ::=
+  { joint-iso-ccitt(2) ds(5) 4 }
+
+countryName OBJECT IDENTIFIER ::= { attributeType 6 }
+organizationName OBJECT IDENTIFIER ::=
+  { attributeType 10 }
+commonUnitName OBJECT IDENTIFIER ::=
+  { attributeType 3 }
+
+
+6.2.1 AttributeType
+
+The three AttributeType values are OCTET STRING values, so
+their DER encoding follows the primitive, definite-length
+method:
+
+06 03 55 04 06                                   countryName
+
+06 03 55 04 0a                              organizationName
+
+06 03 55 04 03                                    commonName
+
+The identifier octets follow the low-tag form, since the tag
+is 6 for OBJECT IDENTIFIER. Bits 8 and 7 have value "0,"
+indicating universal class, and bit 6 has value "0,"
+indicating that the encoding is primitive. The length octets
+follow the short form. The contents octets are the
+concatenation of three octet strings derived from
+subidentifiers (in decimal): 40 * 2 + 5 = 85 = 5516; 4; and
+6, 10, or 3.
+
+
+6.2.2 AttributeValue
+
+The three AttributeValue values are PrintableString values,
+so their encodings follow the primitive, definite-length
+method:
+
+13 02 55 53                                             "US"
+
+13 14                                 "Example Organization"
+   45 78 61 6d 70 6c 65 20 4f 72 67 61 6e 69 7a 61
+   74 69 6f 6e
+
+13 0b                                          "Test User 1"
+   54 65 73 74 20 55 73 65 72 20 31
+
+The identifier octets follow the low-tag-number form, since
+the tag for PrintableString, 19 (decimal), is between 0 and
+30. Bits 8 and 7 have value "0" since PrintableString is in
+the universal class. Bit 6 has value "0" since the encoding
+is primitive. The length octets follow the short form, and
+the contents octets are the ASCII representation of the
+attribute value.
+
+
+6.2.3 AttributeValueAssertion
+
+The three AttributeValueAssertion values are SEQUENCE
+values, so their DER encodings follow the constructed,
+definite-length method:
+
+30 09                                     countryName = "US"
+   06 03 55 04 06
+   13 02 55 53
+
+30 1b              organizationName = "Example Organizaiton"
+   06 03 55 04 0a
+   13 14 ... 6f 6e
+
+30 12                             commonName = "Test User 1"
+   06 03 55 04 0b
+   13 0b ... 20 31
+
+The identifier octets follow the low-tag-number form, since
+the tag for SEQUENCE, 16 (decimal), is between 0 and 30.
+Bits 8 and 7 have value "0" since SEQUENCE is in the
+universal class. Bit 6 has value "1" since the encoding is
+constructed. The length octets follow the short form, and
+the contents octets are the concatenation of the DER
+encodings of the attributeType and attributeValue
+components.
+
+
+6.2.4 RelativeDistinguishedName
+
+The three RelativeDistinguishedName values are SET OF
+values, so their DER encodings follow the constructed,
+definite-length method:
+
+31 0b
+   30 09 ... 55 53
+
+31 1d
+   30 1b ... 6f 6e
+
+31 14
+   30 12 ... 20 31
+
+The identifier octets follow the low-tag-number form, since
+the tag for SET OF, 17 (decimal), is between 0 and 30. Bits
+8 and 7 have value "0" since SET OF is in the universal
+class Bit 6 has value "1" since the encoding is constructed.
+The lengths octets follow the short form, and the contents
+octets are the DER encodings of the respective
+AttributeValueAssertion values, since there is only one
+value in each set.
+
+
+6.2.5 RDNSequence
+
+The RDNSequence value is a SEQUENCE OF value, so its DER
+encoding follows the constructed, definite-length method:
+
+30 42
+   31 0b ... 55 53
+   31 1d ... 6f 6e
+   31 14 ... 20 31
+
+The identifier octets follow the low-tag-number form, since
+the tag for SEQUENCE OF, 16 (decimal), is between 0 and 30.
+Bits 8 and 7 have value "0" since SEQUENCE OF is in the
+universal class. Bit 6 has value "1" since the encoding is
+constructed. The lengths octets follow the short form, and
+the contents octets are the concatenation of the DER
+encodings of the three RelativeDistinguishedName values, in
+order of occurrence.
+
+
+6.2.6 Name
+
+The Name value is a CHOICE value, so its DER encoding is the
+same as that of the RDNSequence value:
+
+30 42
+   31 0b
+      30 09
+         06 03 55 04 06          attributeType = countryName
+         13 02 55 53                   attributeValue = "US"
+   31 1d
+      30 1b
+         06 03 55 04 0a     attributeType = organizationName
+         13 14       attributeValue = "Example Organization"
+            45 78 61 6d 70 6c 65 20 4f 72 67 61 6e 69 7a 61
+            74 69 6f 6e
+
+   31 14
+      30 12
+         06 03 55 04 03           attributeType = commonName
+         13 0b                attributeValue = "Test User 1"
+            54 65 73 74 20 55 73 65 72 20 31
+
+
+References
+
+PKCS #1   RSA Laboratories. PKCS #1: RSA Encryption
+          Standard. Version 1.5, November 1993.
+
+PKCS #3   RSA Laboratories. PKCS #3: Diffie-Hellman Key-
+          Agreement Standard. Version 1.4, November 1993.
+
+PKCS #5   RSA Laboratories. PKCS #5: Password-Based
+          Encryption Standard. Version 1.5, November 1993.
+
+PKCS #6   RSA Laboratories. PKCS #6: Extended-Certificate
+          Syntax Standard. Version 1.5, November 1993.
+
+PKCS #7   RSA Laboratories. PKCS #7: Cryptographic Message
+          Syntax Standard. Version 1.5, November 1993.
+
+PKCS #8   RSA Laboratories. PKCS #8: Private-Key Information
+          Syntax Standard. Version 1.2, November 1993.
+
+PKCS #9   RSA Laboratories. PKCS #9: Selected Attribute
+          Types. Version 1.1, November 1993.
+
+PKCS #10  RSA Laboratories. PKCS #10: Certification Request
+          Syntax Standard. Version 1.0, November 1993.
+
+X.200     CCITT. Recommendation X.200: Reference Model of
+          Open Systems Interconnection for CCITT
+          Applications. 1984.
+
+X.208     CCITT. Recommendation X.208: Specification of
+          Abstract Syntax Notation One (ASN.1). 1988.
+
+X.209     CCITT. Recommendation X.209: Specification of
+          Basic Encoding Rules for Abstract Syntax Notation
+          One (ASN.1). 1988.
+
+X.500     CCITT. Recommendation X.500: The
+          Directory--Overview of Concepts, Models and
+          Services. 1988.
+
+X.501     CCITT. Recommendation X.501: The Directory--
+          Models. 1988.
+
+X.509     CCITT. Recommendation X.509: The Directory--
+          Authentication Framework. 1988.
+
+X.520     CCITT. Recommendation X.520: The Directory--
+          Selected Attribute Types. 1988.
+
+[Kal93]   Burton S. Kaliski Jr. Some Examples of the PKCS
+          Standards. RSA Laboratories, November 1993.
+
+[NIST92]  NIST. Special Publication 500-202: Stable
+          Implementation Agreements for Open Systems
+          Interconnection Protocols. Part 11 (Directory
+          Services Protocols). December 1992.
+
+
+Revision history
+
+
+June 3, 1991 version
+
+The June 3, 1991 version is part of the initial public
+release of PKCS. It was published as NIST/OSI Implementors'
+Workshop document SEC-SIG-91-17.
+
+
+November 1, 1993 version
+
+The November 1, 1993 version incorporates several editorial
+changes, including the addition of a revision history. It is
+updated to be consistent with the following versions of the
+PKCS documents:
+
+     PKCS #1: RSA Encryption Standard. Version 1.5, November
+          1993.
+
+     PKCS #3: Diffie-Hellman Key-Agreement Standard. Version
+          1.4, November 1993.
+
+     PKCS #5: Password-Based Encryption Standard. Version
+          1.5, November 1993.
+
+     PKCS #6: Extended-Certificate Syntax Standard. Version
+          1.5, November 1993.
+
+     PKCS #7: Cryptographic Message Syntax Standard. Version
+          1.5, November 1993.
+
+     PKCS #8: Private-Key Information Syntax Standard.
+          Version 1.2, November 1993.
+
+     PKCS #9: Selected Attribute Types. Version 1.1,
+          November 1993.
+
+     PKCS #10: Certification Request Syntax Standard.
+          Version 1.0, November 1993.
+
+The following substantive changes were made:
+
+     Section 5: Description of T61String type is added.
+
+     Section 6: Names are changed, consistent with other
+          PKCS examples.
+
+
+Author's address
+
+Burton S. Kaliski Jr., Ph.D.
+Chief Scientist
+RSA Laboratories              (415) 595-7703
+100 Marine Parkway            (415) 595-4126 (fax)
+Redwood City, CA  94065  USA  burt@rsa.com
diff --git a/crypto/heimdal/doc/mdate-sh b/crypto/heimdal/doc/mdate-sh
new file mode 100755
index 0000000..37171f2
--- /dev/null
+++ b/crypto/heimdal/doc/mdate-sh
@@ -0,0 +1,92 @@
+#!/bin/sh
+# Get modification time of a file or directory and pretty-print it.
+# Copyright (C) 1995, 1996, 1997 Free Software Foundation, Inc.
+# written by Ulrich Drepper <drepper@gnu.ai.mit.edu>, June 1995
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# Prevent date giving response in another language.
+LANG=C
+export LANG
+LC_ALL=C
+export LC_ALL
+LC_TIME=C
+export LC_TIME
+
+# Get the extended ls output of the file or directory.
+# On HPUX /bin/sh, "set" interprets "-rw-r--r--" as options, so the "x" below.
+if ls -L /dev/null 1>/dev/null 2>&1; then
+  set - x`ls -L -l -d $1`
+else
+  set - x`ls -l -d $1`
+fi
+# The month is at least the fourth argument
+# (3 shifts here, the next inside the loop).
+shift
+shift
+shift
+
+# Find the month.  Next argument is day, followed by the year or time.
+month=
+until test $month
+do
+  shift
+  case $1 in
+    Jan) month=January; nummonth=1;;
+    Feb) month=February; nummonth=2;;
+    Mar) month=March; nummonth=3;;
+    Apr) month=April; nummonth=4;;
+    May) month=May; nummonth=5;;
+    Jun) month=June; nummonth=6;;
+    Jul) month=July; nummonth=7;;
+    Aug) month=August; nummonth=8;;
+    Sep) month=September; nummonth=9;;
+    Oct) month=October; nummonth=10;;
+    Nov) month=November; nummonth=11;;
+    Dec) month=December; nummonth=12;;
+  esac
+done
+
+day=$2
+
+# Here we have to deal with the problem that the ls output gives either
+# the time of day or the year.
+case $3 in
+  *:*) set `date`; eval year=\$$#
+       case $2 in
+	 Jan) nummonthtod=1;;
+	 Feb) nummonthtod=2;;
+	 Mar) nummonthtod=3;;
+	 Apr) nummonthtod=4;;
+	 May) nummonthtod=5;;
+	 Jun) nummonthtod=6;;
+	 Jul) nummonthtod=7;;
+	 Aug) nummonthtod=8;;
+	 Sep) nummonthtod=9;;
+	 Oct) nummonthtod=10;;
+	 Nov) nummonthtod=11;;
+	 Dec) nummonthtod=12;;
+       esac
+       # For the first six month of the year the time notation can also
+       # be used for files modified in the last year.
+       if (expr $nummonth \> $nummonthtod) > /dev/null;
+       then
+	 year=`expr $year - 1`
+       fi;;
+  *) year=$3;;
+esac
+
+# The result.
+echo $day $month $year
diff --git a/crypto/heimdal/doc/migration.texi b/crypto/heimdal/doc/migration.texi
new file mode 100644
index 0000000..67b843a
--- /dev/null
+++ b/crypto/heimdal/doc/migration.texi
@@ -0,0 +1,43 @@
+@c $Id: migration.texi,v 1.3 2001/02/24 05:09:24 assar Exp $
+
+@node Migration, Acknowledgments, Programming with Kerberos, Top
+@chapter Migration
+
+@section General issues
+
+When migrating from a Kerberos 4 KDC.
+
+@section Order in what to do things:
+
+@itemize @bullet
+
+@item Convert the database, check all principals that hprop complains
+about.
+
+@samp{hprop -n --source=<NNN>| hpropd -n}
+
+Replace <NNN> with whatever source you have, like krb4-db or krb4-dump.
+
+@item Run a Kerberos 5 slave for a while.
+
+@c XXX Add you slave first to your kdc list in you kdc.
+
+@item Figure out if it does everything you want it to.
+
+Make sure that all things that you use works for you.
+
+@item Let a small number of controlled users use Kerberos 5 tools.
+
+Find a sample population of your users and check what programs they use,
+you can also check the kdc-log to check what ticket are checked out.
+
+@item Burn the bridge and change the master.
+@item Let all users use the Kerberos 5 tools by default.
+@item Turn off services that do not need Kerberos 4 authentication.
+
+Things that might be hard to get away is old programs with support for
+Kerberos 4. Example applications are old Eudora installations using
+KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in the Heimdal
+kdc.
+
+@end itemize
diff --git a/crypto/heimdal/doc/misc.texi b/crypto/heimdal/doc/misc.texi
new file mode 100644
index 0000000..8b3f980
--- /dev/null
+++ b/crypto/heimdal/doc/misc.texi
@@ -0,0 +1,64 @@
+@c $Id: misc.texi,v 1.6 2001/02/24 05:09:24 assar Exp $
+
+@node Things in search for a better place, Kerberos 4 issues, Setting up a realm, Top
+@chapter Things in search for a better place
+
+@section Making things work on Ciscos
+
+Modern versions of Cisco IOS has some support for authenticating via
+Kerberos 5. This can be used both by having the router get a ticket when
+you login (boring), and by using Kerberos authenticated telnet to access
+your router (less boring). The following has been tested on IOS
+11.2(12), things might be different with other versions. Old versions
+are known to have bugs.
+
+To make this work, you will first have to configure your router to use
+Kerberos (this is explained in the documentation). A sample
+configuration looks like the following:
+
+@example
+aaa new-model
+aaa authentication login default krb5-telnet krb5 enable
+aaa authorization exec krb5-instance
+kerberos local-realm FOO.SE
+kerberos srvtab entry host/router.foo.se 0 891725446 4 1 8 012345678901234567
+kerberos server FOO.SE 10.0.0.1
+kerberos instance map admin 15
+@end example
+
+This tells you (among other things) that when logging in, the router
+should try to authenticate with kerberised telnet, and if that fails try
+to verify a plain text password via a Kerberos ticket exchange (as
+opposed to a local database, RADIUS or something similar), and if that
+fails try the local enable password. If you're not careful when you
+specify the `login default' authentication mechanism, you might not be
+able to login at all. The `instance map' and `authorization exec' lines
+says that people with `admin' instances should be given `enabled' shells
+when logging in.
+
+The numbers after the principal on the `srvtab' line are principal type,
+timestamp (in seconds since 1970), key version number (4), keytype (1 ==
+des), key length (always 8 with des), and then the key.
+
+To make the Heimdal KDC produce tickets that the Cisco can decode you
+might have to turn on the @samp{encode_as_rep_as_tgs_rep} flag in the
+KDC. You will also have to specify that the router can't handle anything
+but @samp{des-cbc-crc}. This can be done with the @samp{del_enctype}
+command of @samp{kadmin}.
+
+This all fine and so, but unless you have an IOS version with encryption
+(available only in the U.S) it doesn't really solve any problems. Sure
+you don't have to send your password over the wire, but since the telnet
+connection isn't protected it's still possible for someone to steal your
+session. This won't be fixed until someone adds integrity to the telnet
+protocol.
+
+A working solution would be to hook up a machine with a real operating
+system to the console of the Cisco and then use it as a backwards
+terminal server.
+
+@section Making things work on Transarc AFS
+
+@subsection How to get a KeyFile
+
+@file{ktutil -k AFSKEYFILE:KeyFile get afs@@MY.REALM}
diff --git a/crypto/heimdal/doc/programming.texi b/crypto/heimdal/doc/programming.texi
new file mode 100644
index 0000000..ffcac21
--- /dev/null
+++ b/crypto/heimdal/doc/programming.texi
@@ -0,0 +1,287 @@
+@c $Id: programming.texi,v 1.2 2001/05/16 22:11:00 assar Exp $
+
+@node Programming with Kerberos
+@chapter Programming with Kerberos
+
+First you need to know how the Kerberos model works, go read the
+introduction text (@pxref{What is Kerberos?}).
+
+@macro manpage{man, section}
+@cite{\man\(\section\)}
+@end macro
+
+@menu
+* Kerberos 5 API Overview::     
+* Walkthru a sample Kerberos 5 client::  
+* Validating a password in a server application::  
+@end menu
+
+@node Kerberos 5 API Overview, Walkthru a sample Kerberos 5 client, Programming with Kerberos, Programming with Kerberos
+@section Kerberos 5 API Overview
+
+Most functions are documenteded in manual pages.  This overview only
+tries to point to where to look for a specific function.
+
+@subsection Kerberos context
+
+A kerberos context (@code{krb5_context}) holds all per thread state. All global variables that
+are context specific are stored in this struture, including default
+encryption types, credential-cache (ticket file), and default realms.
+
+See the manual pages for @manpage{krb5_context,3} and
+@manpage{krb5_init_context,3}.
+
+@subsection Kerberos authenication context
+
+Kerberos authentication context (@code{krb5_auth_context}) holds all
+context related to an authenticated connection, in a similar way to the
+kerberos context that holds the context for the thread or process.
+
+The @code{krb5_auth_context} is used by various functions that are
+directly related to authentication between the server/client. Example of
+data that this structure contains are various flags, addresses of client
+and server, port numbers, keyblocks (and subkeys), sequence numbers,
+replay cache, and checksum types.
+
+See the manual page for @manpage{krb5_auth_context,3}.
+
+@subsection Keytab managment
+
+A keytab is a storage for locally stored keys. Heimdal includes keytab
+support for Kerberos 5 keytabs, Kerberos 4 srvtab, AFS-KeyFile's,
+and for storing keys in memory.
+
+See also manual page for @manpage{krb5_keytab,3}
+
+@node Walkthru a sample Kerberos 5 client, Validating a password in a server application, Kerberos 5 API Overview, Programming with Kerberos
+@section Walkthru a sample Kerberos 5 client
+
+This example contains parts of a sample TCP Kerberos 5 clients, if you
+want a real working client, please look in @file{appl/test} directory in
+the Heimdal distribution.
+
+All Kerberos error-codes that are returned from kerberos functions in
+this program are passed to @code{krb5_err}, that will print a
+descriptive text of the error code and exit. Graphical programs can
+convert error-code to a humal readable error-string with the
+@manpage{krb5_get_err_text,3} function.
+
+Note that you should not use any Kerberos function before
+@code{krb5_init_context()} have completed successfully. That is the
+reson @code{err()} is used when @code{krb5_init_context()} fails.
+
+First the client needs to call @code{krb5_init_context} to initialize
+the Kerberos 5 library. This is only needed once per thread
+in the program. If the function returns a non-zero value it indicates
+that either the Kerberos implemtation is failing or its disabled on
+this host.
+
+@example
+#include <krb5.h>
+
+int
+main(int argc, char **argv)
+@{
+        krb5_context context;
+
+        if (krb5_context(&context))
+                errx (1, "krb5_context");
+@end example
+
+Now the client wants to connect to the host at the other end. The
+preferred way of doing this is using @manpage{getaddrinfo,3} (for
+operating system that have this function implemented), since getaddrinfo
+is neutral to the address type and can use any protocol that is available.
+
+@example
+        struct addrinfo *ai, *a;
+        struct addrinfo hints;
+        int error;
+
+        memset (&hints, 0, sizeof(hints));
+        hints.ai_socktype = SOCK_STREAM;
+        hints.ai_protocol = IPPROTO_TCP;
+
+        error = getaddrinfo (hostname, "pop3", &hints, &ai);
+        if (error)
+                errx (1, "%s: %s", hostname, gai_strerror(error));
+
+        for (a = ai; a != NULL; a = a->ai_next) @{
+                int s;
+
+                s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+                if (s < 0)
+                        continue;
+                if (connect (s, a->ai_addr, a->ai_addrlen) < 0) @{
+                        warn ("connect(%s)", hostname);
+                            close (s);
+                            continue;
+                @}
+                freeaddrinfo (ai);
+                ai = NULL;
+        @}
+        if (ai) @{
+                    freeaddrinfo (ai);
+                    errx ("failed to contact %s", hostname);
+        @}
+@end example
+
+Before authenticating, an authentication context needs to be
+created. This context keeps all information for one (to be) authenticated
+connection (see @manpage{krb5_auth_context,3}).
+
+@example
+        status = krb5_auth_con_init (context, &auth_context);
+        if (status)
+                krb5_err (context, 1, status, "krb5_auth_con_init");
+@end example
+
+For setting the address in the authentication there is a help function
+@code{krb5_auth_con_setaddrs_from_fd} that does everthing that is needed
+when given a connected file descriptor to the socket.
+
+@example
+        status = krb5_auth_con_setaddrs_from_fd (context,
+                                                 auth_context,
+                                                 &sock);
+        if (status)
+                krb5_err (context, 1, status, 
+                          "krb5_auth_con_setaddrs_from_fd");
+@end example
+
+The next step is to build a server principal for the service we want
+to connect to. (See also @manpage{krb5_sname_to_principal,3}.)
+
+@example
+        status = krb5_sname_to_principal (context,
+                                          hostname,
+                                          service,
+                                          KRB5_NT_SRV_HST,
+                                          &server);
+        if (status)
+                krb5_err (context, 1, status, "krb5_sname_to_principal");
+@end example
+
+The client principal is not passed to @manpage{krb5_sendauth,3}
+function, this causes the @code{krb5_sendauth} function to try to figure it
+out itself.
+
+The server program is using the function @manpage{krb5_recvauth,3} to
+receive the Kerberos 5 authenticator.
+
+In this case, mutual authenication will be tried. That means that the server
+will authenticate to the client. Using mutual authenication
+is good since it enables the user to verify that they are talking to the
+right server (a server that knows the key).
+
+If you are using a non-blocking socket you will need to do all work of
+@code{krb5_sendauth} yourself. Basically you need to send over the
+authenticator from @manpage{krb5_mk_req,3} and, in case of mutual
+authentication, verifying the result from the server with
+@manpage{krb5_rd_rep,3}.
+
+@example
+        status = krb5_sendauth (context,
+                                &auth_context,
+                                &sock,
+                                VERSION,
+                                NULL,
+                                server,
+                                AP_OPTS_MUTUAL_REQUIRED,
+                                NULL,
+                                NULL,
+                                NULL,
+                                NULL,
+                                NULL,
+                                NULL);
+        if (status)
+                krb5_err (context, 1, status, "krb5_sendauth");
+@end example
+
+Once authentication has been performed, it is time to send some
+data. First we create a krb5_data structure, then we sign it with
+@manpage{krb5_mk_safe,3} using the @code{auth_context} that contains the
+session-key that was exchanged in the
+@manpage{krb5_sendauth,3}/@manpage{krb5_recvauth,3} authentication
+sequence.
+
+@example
+        data.data   = "hej";
+        data.length = 3;
+
+        krb5_data_zero (&packet);
+
+        status = krb5_mk_safe (context,
+                               auth_context,
+                               &data,
+                               &packet,
+                               NULL);
+        if (status)
+                krb5_err (context, 1, status, "krb5_mk_safe");
+@end example
+
+And send it over the network.
+
+@example
+        len = packet.length;
+        net_len = htonl(len);
+
+        if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+                err (1, "krb5_net_write");
+        if (krb5_net_write (context, &sock, packet.data, len) != len)
+                err (1, "krb5_net_write");
+@end example
+
+To send encrypted (and signed) data @manpage{krb5_mk_priv,3} should be
+used instead. @manpage{krb5_mk_priv,3} works the same way as
+@manpage{krb5_mk_safe,3}, with the exception that it encrypts the data
+in addition to signing it.
+
+@example
+        data.data   = "hemligt";
+        data.length = 7;
+
+        krb5_data_free (&packet);
+
+        status = krb5_mk_priv (context,
+                               auth_context,
+                               &data,
+                               &packet,
+                               NULL);
+        if (status)
+                krb5_err (context, 1, status, "krb5_mk_priv");
+@end example
+
+And send it over the network.
+
+@example
+        len = packet.length;
+        net_len = htonl(len);
+
+        if (krb5_net_write (context, &sock, &net_len, 4) != 4)
+                err (1, "krb5_net_write");
+        if (krb5_net_write (context, &sock, packet.data, len) != len)
+                err (1, "krb5_net_write");
+
+@end example
+
+The server is using @manpage{krb5_rd_safe,3} and
+@manpage{krb5_rd_priv,3} to verify the signature and decrypt the packet.
+
+@node Validating a password in a server application,  , Walkthru a sample Kerberos 5 client, Programming with Kerberos
+@section Validating a password in an application
+
+See the manual page for @manpage{krb5_verify_user,3}.
+
+@c @node Why you should use GSS-API for new applications, Walkthru a sample GSS-API client, Validating a password in a server application, Programming with Kerberos
+@c @section Why you should use GSS-API for new applications
+@c 
+@c SSPI, bah, bah, microsoft, bah, bah, almost GSS-API.
+@c 
+@c It would also be possible for other mechanisms then Kerberos, but that
+@c doesn't exist any other GSS-API implementations today.
+@c 
+@c @node Walkthru a sample GSS-API client, , Why you should use GSS-API for new applications, Programming with Kerberos
+@c @section Walkthru a sample GSS-API client
+@c 
+@c Write about how gssapi_clent.c works.
diff --git a/crypto/heimdal/doc/setup.texi b/crypto/heimdal/doc/setup.texi
new file mode 100644
index 0000000..8a1a31b
--- /dev/null
+++ b/crypto/heimdal/doc/setup.texi
@@ -0,0 +1,435 @@
+@c $Id: setup.texi,v 1.22 2001/02/11 17:10:34 assar Exp $
+
+@node Setting up a realm, Things in search for a better place, Building and Installing, Top
+
+@chapter Setting up a realm
+
+@menu
+* Configuration file::          
+* Creating the database::       
+* keytabs::                     
+* Remote administration::       
+* Password changing::           
+* Testing clients and servers::  
+* Slave Servers::               
+* Incremental propagation::     
+* Salting::
+@end menu
+
+A
+@cindex realm
+realm is an administrative domain.  The name of a Kerberos realm is
+usually the Internet domain name in uppercase.  Call your realm the same
+as your Internet domain name if you do not have strong reasons for not
+doing so.  It will make life easier for you and everyone else.
+
+@node  Configuration file, Creating the database, Setting up a realm, Setting up a realm
+@section Configuration file
+
+To setup a realm you will first have to create a configuration file:
+@file{/etc/krb5.conf}. The @file{krb5.conf} file can contain many
+configuration options, some of which are described here.
+
+There is a sample @file{krb5.conf} supplied with the distribution.
+
+The configuration file is a hierarchical structure consisting of
+sections, each containing a list of bindings (either variable
+assignments or subsections). A section starts with
+@samp{[section-name]}.  A binding consists of a left hand side, an equal
+(@samp{=}) and a right hand side (the left hand side tag must be
+separated from the equal with some whitespace.) Subsections has a
+@samp{@{} as the first non-whitespace character after the equal. All
+other bindings are treated as variable assignments. The value of a
+variable extends to the end of the line.
+
+@example
+[section1]
+        a-subsection = @{
+                var = value1
+                other-var = value with @{@}
+                sub-sub-section = @{ 
+                        var = 123
+                @}
+        @}
+        var = some other value
+[section2]
+        var = yet another value
+@end example
+
+In this manual, names of sections and bindings will be given as strings
+separated by slashes (@samp{/}). The @samp{other-var} variable will thus
+be @samp{section1/a-subsection/other-var}.
+
+For in-depth information about the contents of the config file, refer to
+the @file{krb5.conf} manual page. Some of the more important sections
+are briefly described here.
+
+The @samp{libdefaults} section contains a list of library configuration
+parameters, such as the default realm and the timeout for kdc
+responses. The @samp{realms} section contains information about specific
+realms, such as where they hide their KDC. This section serves the same
+purpose as the Kerberos 4 @file{krb.conf} file, but can contain more
+information. Finally the @samp{domain_realm} section contains a list of
+mappings from domains to realms, equivalent to the Kerberos 4
+@file{krb.realms} file.
+
+To continue with the realm setup, you will have to create a config file,
+with contents similar to the following.
+
+@example
+[libdefaults]
+        default_realm = MY.REALM
+[realms]
+        MY.REALM = @{
+                kdc = my.kdc
+        @}
+[domain_realm]
+        .my.domain = MY.REALM
+
+@end example
+
+If you use a realm name equal to your domain name, you can omit the
+@samp{libdefaults}, and @samp{domain_realm}, sections. If you have a
+SRV-record for your realm, or your kerberos server has CNAME called
+@samp{kerberos.my.realm}, you can omit the @samp{realms} section too.
+
+@node Creating the database, keytabs, Configuration file, Setting up a realm
+@section Creating the database
+
+The database library will look for the database in @file{/var/heimdal},
+so you should probably create that directory.
+
+The keys of all the principals are stored in the database.  If you
+choose to, these can be encrypted with a master key.  You do not have to
+remember this key (or password), but just to enter it once and it will
+be stored in a file (@file{/var/heimdal/m-key}).  If you want to have a
+master key, run @samp{kstash} to create this master key:
+
+@example
+# kstash
+Master key: 
+Verifying password - Master key: 
+@end example
+
+To initialise the database use the @code{kadmin} program, with the
+@samp{-l} option (to enable local database mode). First issue a
+@kbd{init MY.REALM} command. This will create the database and insert
+default principals for that realm. You can have more than one realm in
+one database, so @samp{init} does not destroy any old database.
+
+Before creating the database, @samp{init} will ask you some questions
+about max ticket lifetimes.
+
+After creating the database you should probably add yourself to it. You
+do this with the @samp{add} command. It takes as argument the name of a
+principal. The principal should contain a realm, so if you haven't setup
+a default realm, you will need to explicitly include the realm.
+
+@example
+# kadmin -l
+kadmin> init MY.REALM
+Realm max ticket life [unlimited]:
+Realm max renewable ticket life [unlimited]:
+kadmin> add me  
+Max ticket life [unlimited]:
+Max renewable life [unlimited]:
+Attributes []:
+Password: 
+Verifying password - Password: 
+@end example
+
+Now start the KDC and try getting a ticket.
+
+@example
+# kdc &
+# kinit me
+me@@MY.REALMS's Password:
+# klist
+Credentials cache: /tmp/krb5cc_0
+        Principal: me@@MY.REALM
+
+  Issued           Expires          Principal
+Aug 25 07:25:55  Aug 25 17:25:55  krbtgt/MY.REALM@@MY.REALM
+@end example
+
+If you are curious you can use the @samp{dump} command to list all the
+entries in the database.  It should look something similar to the
+following example (note that the entries here are truncated for
+typographical reasons):
+
+@smallexample
+kadmin> dump
+me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
+kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
+krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
+kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
+@end smallexample
+
+@node keytabs, Remote administration, Creating the database, Setting up a realm
+@section keytabs
+
+To extract a service ticket from the database and put it in a keytab you
+need to first create the principal in the database with @samp{ank}
+(using the @kbd{--random-key} flag to get a random key) and then
+extract it with @samp{ext_keytab}.
+
+@example
+kadmin> add --random-key host/my.host.name
+Max ticket life [unlimited]:
+Max renewable life [unlimited]:
+Attributes []:
+kadmin> ext host/my.host.name
+# ktutil list
+Version  Type             Principal
+     1   des-cbc-md5      host/my.host.name@@MY.REALM
+     1   des-cbc-md4      host/my.host.name@@MY.REALM
+     1   des-cbc-crc      host/my.host.name@@MY.REALM
+     1   des3-cbc-sha1    host/my.host.name@@MY.REALM
+@end example
+
+@node Remote administration, Password changing, keytabs, Setting up a realm
+@section Remote administration
+
+The administration server, @samp{kadmind}, can be started by
+@samp{inetd} (which isn't recommended) or run as a normal daemon. If you
+want to start it from @samp{inetd} you should add a line similar to the
+one below to your @file{/etc/inetd.conf}.
+
+@example
+kerberos-adm stream     tcp     nowait  root /usr/heimdal/libexec/kadmind kadmind
+@end example
+
+You might need to add @samp{kerberos-adm} to your @file{/etc/services}
+as 749/tcp.
+
+Access to the admin server is controlled by an acl-file, (default
+@file{/var/heimdal/kadmind.acl}.) The lines in the access file, has the
+following syntax:
+@smallexample
+principal       [priv1,priv2,...]       [glob-pattern]
+@end smallexample
+
+The privileges you can assign to a principal are: @samp{add},
+@samp{change-password} (or @samp{cpw} for short), @samp{delete},
+@samp{get}, @samp{list}, and @samp{modify}, or the special privilege
+@samp{all}. All of these roughly corresponds to the different commands
+in @samp{kadmin}.
+
+If a @var{glob-pattern} is given on a line, it restricts the right for
+the principal to only apply for the subjects that match the pattern.
+The patters are of the same type as those used in shell globbing, see
+@url{none,,fnmatch(3)}.
+
+In the example below @samp{lha/admin} can change every principal in the
+database. @samp{jimmy/admin} can only modify principals that belong to
+the realm @samp{E.KTH.SE}. @samp{mille/admin} is working at the
+helpdesk, so he should only be able to change the passwords for single
+component principals (ordinary users). He will not be able to change any
+@samp{/admin} principal.
+
+@example
+lha/admin@@E.KTH.SE	all
+jimmy/admin@@E.KTH.SE	all		*@@E.KTH.SE
+jimmy/admin@@E.KTH.SE	all		*/*@@E.KTH.SE
+mille/admin@@E.KTH.SE	change-password	*@@E.KTH.SE
+@end example
+
+@node Password changing, Testing clients and servers, Remote administration, Setting up a realm
+@section Password changing
+
+To allow users to change their passwords, you should run @samp{kpasswdd}.
+It is not run from @samp{inetd}.
+
+You might need to add @samp{kpasswd} to your @file{/etc/services} as
+464/udp.
+
+@subsection Password quality assurance
+
+It is important that users have good passwords, both to make it harder
+to guess them and to avoid off-line attacks (pre-authentication provides
+some defense against off-line attacks).  To ensure that the users choose
+good passwords, you can enable password quality controls in
+@samp{kpasswdd}.  The controls themselves are done in a shared library
+that is used by @samp{kpasswdd}.  To configure in these controls, add
+lines similar to the following to your @file{/etc/krb5.conf}:
+
+@example
+[password_quality]
+        check_library = @var{library}
+        check_function = @var{function}
+@end example
+
+The function @var{function} in the shared library @var{library} will be
+called for proposed new passwords.  The function should be declared as:
+
+@example
+const char *
+function(krb5_context context, krb5_principal principal, krb5_data *pwd);
+@end example
+
+The function should verify that @var{pwd} is a good password for
+@var{principal} and if so return @code{NULL}.  If it is deemed to be of
+low quality, it should return a string explaining why that password
+should not be used.
+
+Code for a password quality checking function that uses the cracklib
+library can be found in @file{kpasswd/sample_password_check.c} in the
+source code distribution.  It requires the cracklib library built with
+the patch available at
+@url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
+
+If no password quality checking function is configured, it is only
+verified that it is at least six characters of length.
+
+@node Testing clients and servers, Slave Servers, Password changing, Setting up a realm
+@section Testing clients and servers
+
+Now you should be able to run all the clients and servers.  Refer to the
+appropriate man pages for information on how to use them.
+
+@node Slave Servers, Incremental propagation, Testing clients and servers, Setting up a realm
+@section Slave servers, Incremental propagation, Testing clients and servers, Setting up a realm
+
+It is desirable to have at least one backup (slave) server in case the
+master server fails. It is possible to have any number of such slave
+servers but more than three usually doesn't buy much more redundancy.
+
+All Kerberos servers for a realm shall have the same database so that
+they present the same service to all the users.  The
+@pindex hprop
+@code{hprop} program, running on the master, will propagate the database
+to the slaves, running
+@pindex hpropd
+@code{hpropd} processes.
+
+Every slave needs a keytab with a principal,
+@samp{hprop/@var{hostname}}.  Add that with the
+@pindex ktutil
+@code{ktutil} command and start
+@pindex hpropd
+@code{propd}, as follows:
+
+@example
+slave# ktutil get -p foo/admin host/`hostname`
+slave# hpropd
+@end example
+
+The master will use the principal @samp{kadmin/hprop} to authenticate to
+the slaves.  This principal should be added when running @kbd{kadmin -l
+init} but if you do not have it in your database for whatever reason,
+please add it with @kbd{kadmin -l add}.
+
+Then run
+@pindex hprop
+@code{hprop} on the master:
+
+@example
+master# hprop slave
+@end example
+
+This was just an on-hands example to make sure that everything was
+working properly.  Doing it manually is of course the wrong way and to
+automate this you will want to start
+@pindex hpropd
+@code{hpropd} from @code{inetd} on the slave(s) and regularly run
+@pindex hprop
+@code{hprop} on the master to regularly propagate the database.
+Starting the propagation once an hour from @code{cron} is probably a
+good idea.
+
+@node Incremental propagation, Salting , Slave Servers, Setting up a realm
+@section Incremental propagation
+
+There is also a newer and still somewhat experimental mechanism for
+doing incremental propagation in Heimdal.  Instead of sending the whole
+database regularly, it sends the changes as they happen on the master to
+the slaves.  The master keeps track of all the changes by assigned a
+version number to every change to the database.  The slaves know which
+was the latest version they saw and in this way it can be determined if
+they are in sync or not.  A log of all the changes is kept on the master
+and when a slave is at an older versioner than the oldest one in the
+log, the whole database has to be sent.
+
+Protocol-wise, all the slaves connects to the master and as a greeting
+tell it the latest version that they have (@samp{IHAVE} message).  The
+master then responds by sending all the changes between that version and
+the current version at the master (a series of @samp{FORYOU} messages)
+or the whole database in a @samp{TELLYOUEVERYTHING} message.
+
+@subsection Configuring incremental propagation
+
+The program that runs on the master is @code{ipropd-master} and all
+clients run @code{ipropd-slave}.
+
+Create the file @file{/var/heimdal/slaves} on the master containing all
+the slaves that the database should be propagated to.  Each line contains
+the full name of the principal (for example
+@samp{iprop/hemligare.foo.se@@FOO.SE}).
+
+You should already have @samp{iprop/tcp} defined as 2121, in your
+@file{/etc/services}.  Otherwise, or if you need to use a different port
+for some peculiar reason, you can use the @kbd{--port} option.  This is
+useful when you have multiple realms to distribute from one server.
+
+Then you need to create these principals that you added in the
+configuration file.  Create one @samp{iprop/hostname} for the master and
+for every slave.
+
+
+@example
+master# /usr/heimdal/sbin/ktutil get iprop/`hostname`
+@end example
+
+The next step is to start the @code{ipropd-master} process on the master
+server.  The @code{ipropd-master} listens on the UNIX-socket
+@file{/var/heimdal/signal} to know when changes have been made to the
+database so they can be propagated to the slaves.  There is also a
+safety feature of testing the version number regularly (every 30
+seconds) to see if it has been modified by some means that do not raise
+this signal.  Then, start @code{ipropd-slave} on all the slaves:
+
+@example
+master# /usr/heimdal/libexec/ipropd-master &
+slave#  /usr/heimdal/libexec/ipropd-slave master &
+@end example
+
+@node Salting, , Incremental propagation, Setting up a realm
+@section Salting
+@cindex Salting
+
+Salting is used to make it harder to precalculate all possible
+keys. Using a salt increases the search space to make it almost
+impossible to precalculate all keys. In salting you just append the salt
+to the password, or somehow merge the password with the salt.
+
+In Kerberos 5 the salting is determined by the encryption-type, except
+in case of @code{des}. In @code{des} there is the kerberos 4 salting
+(none at all) or the afs-salting (using the cell (realm in
+afs-lingo)). @code{[kadmin]default_keys} in @file{krb5.conf} controls
+what salting to use,
+
+The syntax of @code{[kadmin]default_keys} is
+@samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
+type (des, des3, arcfour), @code{salt-type} is the type of salt (pw-salt
+or afs3-salt), and the salt-string is the string that will be used as
+salt (remember that if the salt is appened/prepended, the empty salt ""
+is the same thing as no salt at all).
+
+Common types of salting includes
+
+@itemize @bullet
+@item @code{v4} (or @code{des:pw-salt:})
+
+The Kerberos 4 salting is using no salt att all. Reson there is colon
+that the end is that 
+
+@item @code{v5} (or @code{pw-salt})
+
+@code{pw-salt} means all regular encryption-types that is regular 
+
+@item @code{afs3-salt}
+
+@code{afs3-salt} is the salting that is used with Transarc kaserver. Its
+the cell appended to the password.
+
+@end itemize
diff --git a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt
new file mode 100644
index 0000000..a97ef9d
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-01.txt
@@ -0,0 +1,412 @@
+CAT working group                                              M. Swift 
+Internet Draft                                                J. Brezak 
+Document: draft-brezak-win2k-krb-rc4-hmac-01.txt              Microsoft 
+Category: Informational                                    October 1999 
+ 
+ 
+           The Windows 2000 RC4-HMAC Kerberos encryption type 
+ 
+ 
+Status of this Memo 
+ 
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are 
+   working documents of the Internet Engineering Task Force (IETF), its 
+   areas, and its working groups. Note that other groups may also 
+   distribute working documents as Internet-Drafts. Internet-Drafts are 
+   draft documents valid for a maximum of six months and may be 
+   updated, replaced, or obsoleted by other documents at any time. It 
+   is inappropriate to use Internet- Drafts as reference material or to 
+   cite them other than as "work in progress." 
+     
+   The list of current Internet-Drafts can be accessed at 
+   http://www.ietf.org/ietf/1id-abstracts.txt  
+
+   The list of Internet-Draft Shadow Directories can be accessed at 
+   http://www.ietf.org/shadow.html. 
+    
+1. Abstract 
+    
+   The Windows 2000 implementation of Kerberos introduces a new 
+   encryption type based on the RC4 encryption algorithm and using an 
+   MD5 HMAC for checksum. This is offered as an alternative to using 
+   the existing DES based encryption types. 
+    
+   The RC4-HMAC encryption types are used to ease upgrade of existing 
+   Windows NT environments, provide strong crypto (128-bit key 
+   lengths), and provide exportable (meet United States government 
+   export restriction requirements) encryption. 
+    
+   The Windows 2000 implementation of Kerberos contains new encryption 
+   and checksum types for two reasons: for export reasons early in the 
+   development process, 56 bit DES encryption could not be exported, 
+   and because upon upgrade from Windows NT 4.0 to Windows 2000, 
+   accounts will not have the appropriate DES keying material to do the 
+   standard DES encryption. Furthermore, 3DES is not available for 
+   export, and there was a desire to use a single flavor of encryption 
+   in the product for both US and international products. 
+    
+   As a result, there are two new encryption types and one new checksum 
+   type introduced in Windows 2000. 
+    
+    
+2. Conventions used in this document 
+    
+
+  
+Swift                  Category - Informational                      1 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+    
+3. Key Generation 
+    
+   On upgrade from existing Windows NT domains, the user accounts would 
+   not have a DES based key available to enable the use of DES base 
+   encryption types specified in RFC 1510. The key used for RC4-HMAC is 
+   the same as the existing Windows NT key (NT Password Hash) for 
+   compatibility reasons. Once the account password is changed, the DES 
+   based keys are created and maintained. Once the DES keys are 
+   available DES based encryption types can be used with Kerberos.  
+    
+   The RC4-HMAC String to key function is defined as follow: 
+    
+   String2Key(password) 
+    
+        K = MD4(UNICODE(password)) 
+         
+   The RC4-HMAC keys are generated by using the Windows UNICODE version 
+   of the password. Each Windows UNICODE character is encoded in 
+   little-endian format of 2 octets each. Then performing an MD4 [6] 
+   hash operation on just the UNICODE characters of the password (not 
+   including the terminating zero octets). 
+    
+4. Basic Operations 
+    
+   The MD5 HMAC function is defined in [3]. It is used in this 
+   encryption type for checksum operations. Refer to [3] for details on 
+   its operation. In this document this function is referred to as 
+   HMAC(Key, Data) returning the checksum using the specified key on 
+   the data. 
+    
+   The basic MD5 hash operation is used in this encryption type and 
+   defined in [7]. In this document this function is referred to as 
+   MD5(Data) returning the checksum of the data. 
+    
+   The basic RC4 encryption operation is used in this encryption type 
+   and defined in [8]. In this document the function is referred to as 
+   RC4(Key, Data) returning the encrypted data using the specified key 
+   on the data. 
+    
+   These encryption types use key derivation as defined in [9] (RFC-
+   1510BIS) in Section titled "Key Derivation". With each message, the 
+   message type (T) is used as a component of the keying material. 
+    
+   All strings in this document are ASCII unless otherwise specified. 
+   The lengths of ASCII encoded character strings include the trailing 
+   terminator character (0). 
+    
+   The concat(a,b,c,...) function will return the logical concatenation 
+   (left to right) of the values of the arguments. 
+  
+Swift                  Category - Informational                      2 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+    
+   The nonce(n) function returns a pseudo-random number of "n" octets. 
+    
+5. Checksum Types 
+    
+   There is one checksum type used in this encryption type. The 
+   Kerberos constant for this type is: 
+        #define KERB_CHECKSUM_HMAC_MD5 (-138) 
+    
+   The function is defined as follows: 
+    
+   K - is the Key 
+   T - the message type, encoded as a little-endian four byte integer 
+    
+   CHKSUM(K, T, data) 
+    
+        Ksign = HMAC(K, "signature key")  //includes zero octet at end 
+        tmp = MD5(concat(T, data)) 
+        CHKSUM = HMAC(Ksign, tmp) 
+    
+    
+6. Encryption Types 
+    
+   There are two encryption types used in these encryption types. The 
+   Kerberos constants for these types are: 
+        #define KERB_ETYPE_RC4_HMAC             23 
+        #define KERB_ETYPE_RC4_HMAC_EXP         24 
+    
+   The basic encryption function is defined as follow: 
+    
+   T = the message type, encoded as a little-endian four byte integer. 
+    
+   ENCRYPT(K, T, data) 
+        if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) 
+                L = concat("fortybits", T) //includes zero octet at 
+                                           //end of string constant 
+        Else 
+                L = T 
+        Ksign = HMAC(K,L) 
+        Confounder = nonce(8) // get an 8 octet nonce for a confounder 
+        Checksum = HMAC(Ksign, concat(Confounder, data)) 
+        Ke = Ksign 
+        if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) 
+                memset(&Ke[7], 0x0ab, 9) 
+        Ke2 = HMAC(Ke, Checksum) 
+        data = RC4(Ke2, data) 
+    
+   The header field on the encrypted data in KDC messages is: 
+    
+        typedef struct _RC4_MDx_HEADER { 
+            UCHAR Checksum[16]; 
+            UCHAR Confounder[8]; 
+        } RC4_MDx_HEADER, *PRC4_MDx_HEADER; 
+  
+Swift                  Category - Informational                      3 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+    
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+7. Key Strength Negotiation 
+    
+   A Kerberos client and server can negotiate over key length if they 
+   are using mutual authentication. If the client is unable to perform 
+   full strength encryption, it may propose a key in the "subkey" field 
+   of the authenticator, using a weaker encryption type. The server 
+   must then either return the same key or suggest its own key in the 
+   subkey field of the AP reply message. The key used to encrypt data 
+   is derived from the key returned by the server. If the client is 
+   able to perform strong encryption but the server is not, it may 
+   propose a subkey in the AP reply without first being sent a subkey 
+   in the authenticator. 
+ 
+8. GSSAPI Kerberos V5 Mechanism Type  
+ 
+8.1 Mechanism Specific Changes 
+    
+   The GSSAPI per-message tokens also require new checksum and 
+   encryption types. The GSS-API per-message tokens must be changed to 
+   support these new encryption types (See [5] Section 1.2.2). The 
+   sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption 
+   is: 
+        Byte 4..5 SEAL_ALG      0x10 0x00 - RC4 
+    
+   The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: 
+        Byte 2..3 SGN ALG       0x11 0x00 - HMAC 
+    
+   The only support quality of protection is: 
+        #define GSS_KRB5_INTEG_C_QOP_DEFAULT    0x0 
+    
+   In addition, when using an RC4 based encryption type, the sequence 
+   number is sent in big-endian rather than little-endian order. 
+    
+8.2 GSSAPI Checksum Type 
+    
+   The GSSAPI checksum type and algorithm is defined in Section 5. Only 
+   the first 8 octets of the checksum are used. The resulting checksum 
+   is stored in the SGN_CKSUM field (See [5] Section 1.2) for 
+   GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). 
+    
+8.3 GSSAPI Encryption Types 
+    
+   There are two encryption types for GSSAPI message tokens, one that 
+   is 128 bits in strength, and one that is 56 bits in strength as 
+   defined in Section 6. 
+    
+
+  
+Swift                  Category - Informational                      4 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+   All padding is rounded up to 1 byte. One byte is needed to say that 
+   there is 1 byte of padding. The DES based mechanism type uses 8 byte 
+   padding. See [5] Section 1.2.2.3. 
+    
+   The encryption mechanism used for GSS based messages is as follow: 
+    
+   T = the message type, encoded as a little-endian four byte integer. 
+    
+   GSS-ENCRYPT(K, T, data) 
+        IV = SND_SEQ 
+        K = XOR(K, 0xf0f0f0f0f0f0f0f0f0f0f0f0f0f0f0) 
+        if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) 
+                L = concat("fortybits", T) //includes zero octet at end 
+        else 
+                L = T 
+        Ksign = HMAC(K, L) 
+        Ke = Ksign 
+        if (K.enctype == KERB_ETYPE_RC4_HMAC_EXP) 
+                memset(&Ke[7], 0x0ab, 9) 
+        Ke2 = HMAC(Ke, IV) 
+        Data = RC4(Ke2, data) 
+        SND_SEQ = RC4(Ke, seq#) 
+         
+   The sequence number (SND_SEQ) and IV are used as defined in [5] 
+   Section 1.2.2. 
+    
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+8. Security Considerations 
+ 
+   Care must be taken in implementing this encryption type because it 
+   uses a stream cipher. If a different IV isnÆt used in each direction 
+   when using a session key, the encryption is weak. By using the 
+   sequence number as an IV, this is avoided. 
+    
+9. References 
+ 
+   1  Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+      9, RFC 2026, October 1996. 
+    
+   2  Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+      Levels", BCP 14, RFC 2119, March 1997 
+    
+   3  Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for 
+      Message Authentication", RFC 2104, February 1997 
+    
+   4  Kohl, J., Neuman, C., "The Kerberos Network Authentication 
+      Service (V5)", RFC 1510, September 1993 
+ 
+ 
+  
+Swift                  Category - Informational                      5 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+ 
+   5  Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, 
+      June 1996 
+ 
+   6  R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April 
+      1992 
+ 
+   7  R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April 
+      1992 
+ 
+   8  RC4 is a proprietary encryption algorithm available under license 
+             from RSA Data Security Inc.  For licensing information, 
+      contact: 
+             RSA Data Security, Inc. 
+             100 Marine Parkway 
+             Redwood City, CA 94065-1031 
+ 
+   9  Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network 
+      Authentication Service (V5)", draft-ietf-cat-kerberos-revisions-
+      04.txt, June 25, 1999 
+ 
+    
+10. Author's Addresses 
+    
+   Mike Swift 
+   Microsoft 
+   One Microsoft Way 
+   Redmond, Washington 
+   Email: mikesw@microsoft.com  
+    
+   John Brezak 
+   Microsoft 
+   One Microsoft Way 
+   Redmond, Washington 
+   Email: jbrezak@microsoft.com 
+    
+    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                      6 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+    
+11. Full Copyright Statement 
+ 
+   Copyright (C) The Internet Society (1999).  All Rights Reserved. 
+    
+   This document and translations of it may be copied and furnished to 
+   others, and derivative works that comment on or otherwise explain it 
+   or assist in its implementation may be prepared, copied, published 
+   and distributed, in whole or in part, without restriction of any 
+   kind, provided that the above copyright notice and this paragraph 
+   are included on all such copies and derivative works.  However, this   
+   document itself may not be modified in any way, such as by removing   
+   the copyright notice or references to the Internet Society or other   
+   Internet organizations, except as needed for the purpose of 
+   developing Internet standards in which case the procedures for 
+   copyrights defined in the Internet Standards process must be 
+   followed, or as required to translate it into languages other than 
+   English. 
+    
+   The limited permissions granted above are perpetual and will not be 
+   revoked by the Internet Society or its successors or assigns. 
+    
+   This document and the information contained herein is provided on an 
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                      7 
+
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt
new file mode 100644
index 0000000..85d7456
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-02.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on July 17, 2000.
diff --git a/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt
new file mode 100644
index 0000000..202d44e
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-brezak-win2k-krb-rc4-hmac-03.txt
@@ -0,0 +1,587 @@
+CAT working group                                              M. Swift 
+Internet Draft                                                J. Brezak 
+Document: draft-brezak-win2k-krb-rc4-hmac-03.txt              Microsoft 
+Category: Informational                                       June 2000 
+ 
+ 
+           The Windows 2000 RC4-HMAC Kerberos encryption type 
+ 
+ 
+Status of this Memo 
+ 
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are 
+   working documents of the Internet Engineering Task Force (IETF), its 
+   areas, and its working groups. Note that other groups may also 
+   distribute working documents as Internet-Drafts. Internet-Drafts are 
+   draft documents valid for a maximum of six months and may be 
+   updated, replaced, or obsoleted by other documents at any time. It 
+   is inappropriate to use Internet- Drafts as reference material or to 
+   cite them other than as "work in progress." 
+     
+   The list of current Internet-Drafts can be accessed at 
+   http://www.ietf.org/ietf/1id-abstracts.txt  
+   The list of Internet-Draft Shadow Directories can be accessed at 
+   http://www.ietf.org/shadow.html. 
+    
+1. Abstract 
+    
+   The Windows 2000 implementation of Kerberos introduces a new 
+   encryption type based on the RC4 encryption algorithm and using an 
+   MD5 HMAC for checksum. This is offered as an alternative to using 
+   the existing DES based encryption types. 
+    
+   The RC4-HMAC encryption types are used to ease upgrade of existing 
+   Windows NT environments, provide strong crypto (128-bit key 
+   lengths), and provide exportable (meet United States government 
+   export restriction requirements) encryption. 
+    
+   The Windows 2000 implementation of Kerberos contains new encryption 
+   and checksum types for two reasons: for export reasons early in the 
+   development process, 56 bit DES encryption could not be exported, 
+   and because upon upgrade from Windows NT 4.0 to Windows 2000, 
+   accounts will not have the appropriate DES keying material to do the 
+   standard DES encryption. Furthermore, 3DES is not available for 
+   export, and there was a desire to use a single flavor of encryption 
+   in the product for both US and international products. 
+    
+   As a result, there are two new encryption types and one new checksum 
+   type introduced in Windows 2000. 
+    
+    
+2. Conventions used in this document 
+    
+
+  
+Swift                  Category - Informational                      1 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+    
+3. Key Generation 
+    
+   On upgrade from existing Windows NT domains, the user accounts would 
+   not have a DES based key available to enable the use of DES base 
+   encryption types specified in RFC 1510. The key used for RC4-HMAC is 
+   the same as the existing Windows NT key (NT Password Hash) for 
+   compatibility reasons. Once the account password is changed, the DES 
+   based keys are created and maintained. Once the DES keys are 
+   available DES based encryption types can be used with Kerberos.  
+    
+   The RC4-HMAC String to key function is defined as follow: 
+    
+   String2Key(password) 
+    
+        K = MD4(UNICODE(password)) 
+         
+   The RC4-HMAC keys are generated by using the Windows UNICODE version 
+   of the password. Each Windows UNICODE character is encoded in 
+   little-endian format of 2 octets each. Then performing an MD4 [6] 
+   hash operation on just the UNICODE characters of the password (not 
+   including the terminating zero octets). 
+    
+   For an account with a password of "foo", this String2Key("foo") will 
+   return: 
+    
+        0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, 
+        0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc 
+    
+4. Basic Operations 
+    
+   The MD5 HMAC function is defined in [3]. It is used in this 
+   encryption type for checksum operations. Refer to [3] for details on 
+   its operation. In this document this function is referred to as 
+   HMAC(Key, Data) returning the checksum using the specified key on 
+   the data. 
+    
+   The basic MD5 hash operation is used in this encryption type and 
+   defined in [7]. In this document this function is referred to as 
+   MD5(Data) returning the checksum of the data. 
+    
+   RC4 is a stream cipher licensed by RSA Data Security [RSADSI]. A       
+   compatible cipher is described in [8]. In this document the function 
+   is referred to as RC4(Key, Data) returning the encrypted data using 
+   the specified key on the data. 
+    
+   These encryption types use key derivation as defined in [9] (RFC-
+   1510BIS) in Section titled "Key Derivation". With each message, the 
+   message type (T) is used as a component of the keying material. This 
+   summarizes the different key derivation values used in the various 
+  
+Swift                  Category - Informational                      2 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   operations. Note that these differ from the key derivations used in 
+   other Kerberos encryption types. 
+    
+        T = 1 for TS-ENC-TS in the AS-Request 
+        T = 8 for the AS-Reply  
+        T = 7 for the Authenticator in the TGS-Request 
+        T = 8 for the TGS-Reply  
+        T = 2 for the Server Ticket in the AP-Request 
+        T = 11 for the Authenticator in the AP-Request 
+        T = 12 for the Server returned AP-Reply 
+        T = 15 in the generation of checksum for the MIC token 
+        T = 0 in the generation of sequence number for the MIC token  
+        T = 13 in the generation of checksum for the WRAP token 
+        T = 0 in the generation of sequence number for the WRAP token  
+        T = 0 in the generation of encrypted data for the WRAPPED token 
+    
+   All strings in this document are ASCII unless otherwise specified. 
+   The lengths of ASCII encoded character strings include the trailing 
+   terminator character (0). 
+    
+   The concat(a,b,c,...) function will return the logical concatenation 
+   (left to right) of the values of the arguments. 
+    
+   The nonce(n) function returns a pseudo-random number of "n" octets. 
+    
+5. Checksum Types 
+    
+   There is one checksum type used in this encryption type. The 
+   Kerberos constant for this type is: 
+        #define KERB_CHECKSUM_HMAC_MD5 (-138) 
+    
+   The function is defined as follows: 
+    
+   K - is the Key 
+   T - the message type, encoded as a little-endian four byte integer 
+    
+   CHKSUM(K, T, data) 
+    
+        Ksign = HMAC(K, "signaturekey")  //includes zero octet at end 
+        tmp = MD5(concat(T, data)) 
+        CHKSUM = HMAC(Ksign, tmp) 
+    
+    
+6. Encryption Types 
+    
+   There are two encryption types used in these encryption types. The 
+   Kerberos constants for these types are: 
+        #define KERB_ETYPE_RC4_HMAC             23 
+        #define KERB_ETYPE_RC4_HMAC_EXP         24 
+    
+   The basic encryption function is defined as follow: 
+    
+   T = the message type, encoded as a little-endian four byte integer. 
+  
+Swift                  Category - Informational                      3 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+    
+        BYTE L40[14] = "fortybits"; 
+        BYTE SK = "signaturekey"; 
+         
+        ENCRYPT (K, fRC4_EXP, T, data, data_len, edata, edata_len) 
+        { 
+            if (fRC4_EXP){ 
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 10 + 4, K1); 
+            }else{ 
+                HMAC (K, &T, 4, K1); 
+            } 
+            memcpy (K2, K1, 16); 
+            if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
+            add_8_random_bytes(data, data_len, conf_plus_data); 
+            HMAC (K2, conf_plus_data, 8 + data_len, checksum); 
+            HMAC (K1, checksum, 16, K3); 
+            RC4(K3, conf_plus_data, 8 + data_len, edata + 16); 
+            memcpy (edata, checksum, 16); 
+            edata_len = 16 + 8 + data_len; 
+        }         
+         
+        DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) 
+        { 
+            if (fRC4_EXP){ 
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K1); 
+            }else{ 
+                HMAC (K, &T, 4, K1); 
+            } 
+            memcpy (K2, K1, 16); 
+            if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
+            HMAC (K1, edata, 16, K3); // checksum is at edata 
+            RC4(K3, edata + 16, edata_len - 16, edata + 16); 
+            data_len = edata_len - 16 - 8; 
+            memcpy (data, edata + 16 + 8, data_len); 
+             
+            // verify generated and received checksums 
+            HMAC (K2, edata + 16, edata_len - 16, checksum); 
+            if (memcmp(edata, checksum, 16) != 0)  
+                printf("CHECKSUM ERROR  !!!!!!\n"); 
+        } 
+    
+   The header field on the encrypted data in KDC messages is: 
+    
+        typedef struct _RC4_MDx_HEADER { 
+            UCHAR Checksum[16]; 
+            UCHAR Confounder[8]; 
+        } RC4_MDx_HEADER, *PRC4_MDx_HEADER; 
+         
+   The KDC message is encrypted using the ENCRYPT function not 
+   including the Checksum in the RC4_MDx_HEADER. 
+    
+  
+Swift                  Category - Informational                      4 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+7. Key Strength Negotiation 
+    
+   A Kerberos client and server can negotiate over key length if they 
+   are using mutual authentication. If the client is unable to perform 
+   full strength encryption, it may propose a key in the "subkey" field 
+   of the authenticator, using a weaker encryption type. The server 
+   must then either return the same key or suggest its own key in the 
+   subkey field of the AP reply message. The key used to encrypt data 
+   is derived from the key returned by the server. If the client is 
+   able to perform strong encryption but the server is not, it may 
+   propose a subkey in the AP reply without first being sent a subkey 
+   in the authenticator. 
+ 
+8. GSSAPI Kerberos V5 Mechanism Type  
+ 
+8.1 Mechanism Specific Changes 
+    
+   The GSSAPI per-message tokens also require new checksum and 
+   encryption types. The GSS-API per-message tokens must be changed to 
+   support these new encryption types (See [5] Section 1.2.2). The 
+   sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption 
+   is: 
+        Byte 4..5 SEAL_ALG      0x10 0x00 - RC4 
+    
+   The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: 
+        Byte 2..3 SGN ALG       0x11 0x00 - HMAC 
+    
+   The only support quality of protection is: 
+        #define GSS_KRB5_INTEG_C_QOP_DEFAULT    0x0 
+    
+   In addition, when using an RC4 based encryption type, the sequence 
+   number is sent in big-endian rather than little-endian order. 
+    
+   The Windows 2000 implementation also defines new GSSAPI flags in the 
+   initial token passed when initializing a security context. These 
+   flags are passed in the checksum field of the authenticator (See [5] 
+   Section 1.1.1). 
+    
+   GSS_C_DCE_STYLE - This flag was added for use with Microsoft’s 
+   implementation of DCE RPC, which initially expected three legs of 
+   authentication. Setting this flag causes an extra AP reply to be 
+   sent from the client back to the server after receiving the server’s 
+   AP reply. In addition, the context negotiation tokens do not have 
+   GSSAPI framing - they are raw AP message and do not include object 
+   identifiers. 
+        #define GSS_C_DCE_STYLE                 0x1000 
+    
+
+  
+Swift                  Category - Informational                      5 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the 
+   server that it should only allow the server application to identify 
+   the client by name and ID, but not to impersonate the client. 
+        #define GSS_C_IDENTIFY_FLAG             0x2000 
+         
+   GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the 
+   client wants to be informed of extended error information. In 
+   particular, Windows 2000 status codes may be returned in the data 
+   field of a Kerberos error message. This allows the client to 
+   understand a server failure more precisely. In addition, the server 
+   may return errors to the client that are normally handled at the 
+   application layer in the server, in order to let the client try to 
+   recover. After receiving an error message, the client may attempt to 
+   resubmit an AP request. 
+        #define GSS_C_EXTENDED_ERROR_FLAG       0x4000 
+    
+   These flags are only used if a client is aware of these conventions 
+   when using the SSPI on the Windows platform, they are not generally 
+   used by default. 
+    
+   When NetBIOS addresses are used in the GSSAPI, they are identified 
+   by the GSS_C_AF_NETBIOS value. This value is defined as: 
+        #define GSS_C_AF_NETBIOS                0x14 
+   NetBios addresses are 16-octet addresses typically composed of 1 to 
                                                                 th
   15 characters, trailing blank (ascii char 20) filled, with a 16  
+   octet of 0x0. 
+    
+8.2 GSSAPI Checksum Type 
+    
+   The GSSAPI checksum type and algorithm is defined in Section 5. Only 
+   the first 8 octets of the checksum are used. The resulting checksum 
+   is stored in the SGN_CKSUM field (See [5] Section 1.2) for 
+   GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). 
+    
+        MIC (K, fRC4_EXP, seq_num, MIC_hdr, msg, msg_len, 
+             MIC_seq, MIC_checksum) 
+        { 
+            HMAC (K, SK, 13, K4); 
+            T = 15; 
+            memcpy (T_plus_hdr_plus_msg + 00, &T, 4); 
+            memcpy (T_plus_hdr_plus_msg + 04, MIC_hdr, 8);  
+                                                // 0101 1100 FFFFFFFF 
+            memcpy (T_plus_hdr_plus_msg + 12, msg, msg_len); 
+            MD5 (T_hdr_msg, 4 + 8 + msg_len, MD5_of_T_hdr_msg); 
+            HMAC (K4, MD5_of_T_hdr_msg, CHKSUM); 
+            memcpy (MIC_checksum, CHKSUM, 8); // use only first 8 bytes 
+          
+            T = 0; 
+            if (fRC4_EXP){  
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K5); 
+            }else{ 
+                HMAC (K, &T, 4, K5); 
+  
+Swift                  Category - Informational                      6 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+            } 
+            if (fRC4_EXP) memset(K5+7, 0xAB, 9); 
+            HMAC(K5, MIT_checksum, 8, K6); 
+            copy_seq_num_in_big_endian(seq_num, seq_plus_direction); 
+        //0x12345678 
+            copy_direction_flag (direction_flag, seq_plus_direction + 
+        4); //0x12345678FFFFFFFF 
+            RC4(K6, seq_plus_direction, 8, MIC_seq); 
+        } 
+    
+8.3 GSSAPI Encryption Types 
+    
+   There are two encryption types for GSSAPI message tokens, one that 
+   is 128 bits in strength, and one that is 56 bits in strength as 
+   defined in Section 6. 
+    
+   All padding is rounded up to 1 byte. One byte is needed to say that 
+   there is 1 byte of padding. The DES based mechanism type uses 8 byte 
+   padding. See [5] Section 1.2.2.3. 
+    
+   The encryption mechanism used for GSS wrap based messages is as 
+   follow: 
+    
+    
+        WRAP (K, fRC4_EXP, seq_num, WRAP_hdr, msg, msg_len, 
+              WRAP_seq, WRAP_checksum, edata, edata_len) 
+        { 
+            HMAC (K, SK, 13, K7); 
+            T = 13; 
+            PAD = 1; 
+            memcpy (T_hdr_conf_msg_pad + 00, &T, 4); 
+            memcpy (T_hdr_conf_msg_pad + 04, WRAP_hdr, 8); // 0101 1100 
+        FFFFFFFF 
+            memcpy (T_hdr_conf_msg_pad + 12, msg, msg_len); 
+            memcpy (T_hdr_conf_msg_pad + 12 + msg_len, &PAD, 1); 
+            MD5 (T_hdr_conf_msg_pad, 
+                 4 + 8 + 8 + msg_len + 1, 
+                 MD5_of_T_hdr_conf_msg_pad); 
+            HMAC (K7, MD5_of_T_hdr_conf_msg_pad, CHKSUM); 
+            memcpy (WRAP_checksum, CHKSUM, 8); // use only first 8 
+        bytes 
+          
+            T = 0; 
+            if (fRC4_EXP){  
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K8); 
+            }else{ 
+                HMAC (K, &T, 4, K8); 
+            } 
+            if (fRC4_EXP) memset(K8+7, 0xAB, 9); 
+            HMAC(K8, WRAP_checksum, 8, K9); 
+            copy_seq_num_in_big_endian(seq_num, seq_plus_direction); 
+        //0x12345678 
+  
+Swift                  Category - Informational                      7 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+            copy_direction_flag (direction_flag, seq_plus_direction + 
+        4); //0x12345678FFFFFFFF 
+            RC4(K9, seq_plus_direction, 8, WRAP_seq); 
+          
+            for (i = 0; i < 16; i++) K10 [i] ^= 0xF0; // XOR each byte 
+        of key with 0xF0 
+            T = 0; 
+            if (fRC4_EXP){ 
+                *(DWORD *)(L40+10) = T; 
+                HMAC(K10, L40, 14, K11); 
+                memset(K11+7, 0xAB, 9); 
+            }else{ 
+                HMAC(K10, &T, 4, K11);  
+            } 
+            HMAC(K11, seq_num, 4, K12); 
+            RC4(K12, T_hdr_conf_msg_pad + 4 + 8, 8 + msg_len + 1, 
+        edata); /* skip T & hdr */ 
+            edata_len = 8 + msg_len + 1; // conf + msg_len + pad 
+         } 
+          
+    
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+9. Security Considerations 
+ 
+   Care must be taken in implementing this encryption type because it 
+   uses a stream cipher. If a different IV isn’t used in each direction 
+   when using a session key, the encryption is weak. By using the 
+   sequence number as an IV, this is avoided. 
+    
+10. Acknowledgements 
+    
+   We would like to thank Salil Dangi for the valuable input in 
+   refining the descriptions of the functions and review input. 
+     
+11. References 
+ 
+   1  Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+      9, RFC 2026, October 1996. 
+    
+   2  Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+      Levels", BCP 14, RFC 2119, March 1997 
+    
+   3  Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for 
+      Message Authentication", RFC 2104, February 1997 
+    
+   4  Kohl, J., Neuman, C., "The Kerberos Network Authentication 
+      Service (V5)", RFC 1510, September 1993 
+ 
+ 
+  
+Swift                  Category - Informational                      8 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+ 
+   5  Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, 
+      June 1996 
+ 
+   6  R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April 
+      1992 
+ 
+   7  R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April 
+      1992 
+ 
+   8  Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption             
+      Algorithm", Work in Progress. 
+ 
+   9  RC4 is a proprietary encryption algorithm available under license 
+      from RSA Data Security Inc.  For licensing information, contact: 
+       
+         RSA Data Security, Inc. 
+         100 Marine Parkway 
+         Redwood City, CA 94065-1031 
+ 
+   10 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network 
+      Authentication Service (V5)", draft-ietf-cat-kerberos-revisions-
+      04.txt, June 25, 1999 
+ 
+    
+12. Author's Addresses 
+    
+   Mike Swift 
+   Dept. of Computer Science 
+   Sieg Hall 
+   University of Washington 
+   Seattle, WA 98105 
+   Email: mikesw@cs.washington.edu  
+    
+   John Brezak 
+   Microsoft 
+   One Microsoft Way 
+   Redmond, Washington 
+   Email: jbrezak@microsoft.com 
+    
+    
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                      9 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+    
+13. Full Copyright Statement 
+ 
+   "Copyright (C) The Internet Society (2000). All Rights Reserved. 
+    
+   This document and translations of it may be copied and          
+   furnished to others, and derivative works that comment on or          
+   otherwise explain it or assist in its implementation may be          
+   prepared, copied, published and distributed, in whole or in          
+   part, without restriction of any kind, provided that the above          
+   copyright notice and this paragraph are included on all such          
+   copies and derivative works.  However, this document itself may          
+   not be modified in any way, such as by removing the copyright          
+   notice or references to the Internet Society or other Internet          
+   organizations, except as needed for the purpose of developing          
+   Internet standards in which case the procedures for copyrights          
+   defined in the Internet Standards process must be followed, or          
+   as required to translate it into languages other than English. 
+    
+   The limited permissions granted above are perpetual and will          
+   not be revoked by the Internet Society or its successors or          
+   assigns. 
+    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                     10 
+
diff --git a/crypto/heimdal/doc/standardisation/draft-foo b/crypto/heimdal/doc/standardisation/draft-foo
new file mode 100644
index 0000000..8174d46
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo
@@ -0,0 +1,171 @@
+
+
+
+
+
+
+Network Working Group                                   Assar Westerlund
+<draft-ietf-cat-krb5-ipv6.txt>                                      SICS
+Internet-Draft                                             October, 1997
+Expire in six months
+
+                           Kerberos over IPv6
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   To view the entire list of current Internet-Drafts, please check the
+   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
+   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
+   ftp.isi.edu (US West Coast).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+   This document specifies the address types and transport types
+   necessary for using Kerberos [RFC1510] over IPv6 [RFC1883].
+
+Specification
+
+   IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB
+   order.  The type of IPv6 addresses is twenty-four (24).
+
+   The following addresses (see [RFC1884]) MUST not appear in any
+   Kerberos packet:
+
+   the Unspecified Address
+   the Loopback Address
+   Link-Local addresses
+
+   IPv4-mapped IPv6 addresses MUST be represented as addresses of type
+   2.
+
+
+
+
+Westerlund                                                      [Page 1]
+
+Internet Draft             Kerberos over IPv6              October, 1997
+
+
+   Communication with the KDC over IPv6 MUST be done as in section 8.2.1
+   of [RFC1510].
+
+Discussion
+
+   [RFC1510] suggests using the address family constants in
+   <sys/socket.h> from BSD.  This cannot be done for IPv6 as these
+   numbers have diverged and are different on different BSD-derived
+   systems.  [RFC2133] does not either specify a value for AF_INET6.
+   Thus a value has to be decided and the implementations have to
+   convert between the value used in Kerberos HostAddress and the local
+   AF_INET6.
+
+   There are a few different address types in IPv6, see [RFC1884].  Some
+   of these are used for quite special purposes and it makes no sense to
+   include them in Kerberos packets.
+
+   It is necessary to represent IPv4-mapped addresses as Internet
+   addresses (type 2) to be compatible with Kerberos implementations
+   that only support IPv4.
+
+Security considerations
+
+   This memo does not introduce any known security considerations in
+   addition to those mentioned in [RFC1510].
+
+References
+
+   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+   Authentication Service (V5)", RFC 1510, September 1993.
+
+   [RFC1883] Deering, S., Hinden, R., "Internet Protocol, Version 6
+   (IPv6) Specification", RFC 1883, December 1995.
+
+   [RFC1884] Hinden, R., Deering, S., "IP Version 6 Addressing
+   Architecture", RFC 1884, December 1995.
+
+   [RFC2133] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic
+   Socket Interface Extensions for IPv6", RFC2133, April 1997.
+
+Author's Address
+
+   Assar Westerlund
+   Swedish Institute of Computer Science
+   Box 1263
+   S-164 29  KISTA
+   Sweden
+
+
+
+
+Westerlund                                                      [Page 2]
+
+Internet Draft             Kerberos over IPv6              October, 1997
+
+
+   Phone: +46-8-7521526
+   Fax:   +46-8-7517230
+   EMail: assar@sics.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Westerlund                                                      [Page 3]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-foo.ms b/crypto/heimdal/doc/standardisation/draft-foo.ms
new file mode 100644
index 0000000..62b109a
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo.ms
@@ -0,0 +1,136 @@
+.pl 10.0i
+.po 0
+.ll 7.2i
+.lt 7.2i
+.nr LL 7.2i
+.nr LT 7.2i
+.ds LF Westerlund
+.ds RF [Page %]
+.ds CF
+.ds LH Internet Draft
+.ds RH October, 1997
+.ds CH Kerberos over IPv6
+.hy 0
+.ad l
+.in 0
+.ta \n(.luR
+Network Working Group	Assar Westerlund
+<draft-ietf-cat-krb5-ipv6.txt>	SICS
+Internet-Draft	October, 1997
+Expire in six months
+
+.ce
+Kerberos over IPv6
+
+.ti 0
+Status of this Memo
+
+.in 3
+This document is an Internet-Draft.  Internet-Drafts are working
+documents of the Internet Engineering Task Force (IETF), its
+areas, and its working groups.  Note that other groups may also
+distribute working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six
+months and may be updated, replaced, or obsoleted by other
+documents at any time.  It is inappropriate to use Internet-
+Drafts as reference material or to cite them other than as
+"work in progress."
+
+To view the entire list of current Internet-Drafts, please check
+the "1id-abstracts.txt" listing contained in the Internet-Drafts
+Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
+(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
+Coast), or ftp.isi.edu (US West Coast).
+
+Distribution of this memo is unlimited.  Please send comments to the
+<cat-ietf@mit.edu> mailing list.
+
+.ti 0
+Abstract
+
+.in 3
+This document specifies the address types and transport types
+necessary for using Kerberos [RFC1510] over IPv6 [RFC1883].
+
+.ti 0
+Specification
+
+.in 3
+IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB
+order.  The type of IPv6 addresses is twenty-four (24).
+
+The following addresses (see [RFC1884]) MUST not appear in any
+Kerberos packet:
+
+the Unspecified Address
+.br
+the Loopback Address
+.br
+Link-Local addresses
+
+IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+Communication with the KDC over IPv6 MUST be done as in section
+8.2.1 of [RFC1510].
+
+.ti 0
+Discussion
+
+.in 3
+[RFC1510] suggests using the address family constants in
+<sys/socket.h> from BSD.  This cannot be done for IPv6 as these
+numbers have diverged and are different on different BSD-derived
+systems.  [RFC2133] does not either specify a value for AF_INET6.
+Thus a value has to be decided and the implementations have to convert
+between the value used in Kerberos HostAddress and the local AF_INET6.
+
+There are a few different address types in IPv6, see [RFC1884].  Some
+of these are used for quite special purposes and it makes no sense to
+include them in Kerberos packets.
+
+It is necessary to represent IPv4-mapped addresses as Internet
+addresses (type 2) to be compatible with Kerberos implementations that
+only support IPv4.
+
+.ti 0
+Security considerations
+
+.in 3
+This memo does not introduce any known security considerations in
+addition to those mentioned in [RFC1510].
+
+.ti 0
+References
+
+.in 3
+[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+Authentication Service (V5)", RFC 1510, September 1993.
+
+[RFC1883] Deering, S., Hinden, R., "Internet Protocol, Version 6
+(IPv6) Specification", RFC 1883, December 1995.
+
+[RFC1884] Hinden, R., Deering, S., "IP Version 6 Addressing
+Architecture", RFC 1884, December 1995.
+
+[RFC2133] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic
+Socket Interface Extensions for IPv6", RFC2133, April 1997.
+
+.ti 0
+Author's Address
+
+Assar Westerlund
+.br
+Swedish Institute of Computer Science
+.br
+Box 1263
+.br
+S-164 29  KISTA
+.br
+Sweden
+
+Phone: +46-8-7521526
+.br
+Fax:   +46-8-7517230
+.br
+EMail: assar@sics.se
diff --git a/crypto/heimdal/doc/standardisation/draft-foo2 b/crypto/heimdal/doc/standardisation/draft-foo2
new file mode 100644
index 0000000..0fa695f
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo2
@@ -0,0 +1,171 @@
+
+
+
+
+
+
+Network Working Group                                   Assar Westerlund
+<draft-ietf-cat-krb5-tcp.txt>                                       SICS
+Internet-Draft                                          Johan Danielsson
+November, 1997                                                  PDC, KTH
+Expire in six months
+
+                           Kerberos over TCP
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   To view the entire list of current Internet-Drafts, please check the
+   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
+   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
+   ftp.isi.edu (US West Coast).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+   This document specifies how the communication should be done between
+   a client and a KDC using Kerberos [RFC1510] with TCP as the transport
+   protocol.
+
+Specification
+
+   This draft specifies an extension to section 8.2.1 of RFC1510.
+
+   A Kerberos server MAY accept requests on TCP port 88 (decimal).
+
+   The data sent from the client to the KDC should consist of 4 bytes
+   containing the length, in network byte order, of the Kerberos
+   request, followed by the request (AS-REQ or TGS-REQ) itself.  The
+   reply from the KDC should consist of the length of the reply packet
+   (4 bytes, network byte order) followed by the packet itself (AS-REP,
+   TGS-REP, or KRB-ERROR).
+
+
+
+
+Westerlund, Danielsson                                          [Page 1]
+
+Internet Draft             Kerberos over TCP              November, 1997
+
+
+   C->S: Open connection to TCP port 88 at the server
+   C->S: length of request
+   C->S: AS-REQ or TGS-REQ
+   S->C: length of reply
+   S->C: AS-REP, TGS-REP, or KRB-ERROR
+
+Discussion
+
+   Even though the preferred way of sending kerberos packets is over UDP
+   there are several occasions when it's more practical to use TCP.
+
+   Mainly, it's usually much less cumbersome to get TCP through
+   firewalls than UDP.
+
+   In theory, there's no reason for having explicit length fields, that
+   information is already encoded in the ASN1 encoding of the Kerberos
+   packets.  But having explicit lengths makes it unnecessary to have to
+   decode the ASN.1 encoding just to know how much data has to be read.
+
+   Another way of signaling the end of the request of the reply would be
+   to do a half-close after the request and a full-close after the
+   reply.  This does not work well with all kinds of firewalls.
+
+Security considerations
+
+   This memo does not introduce any known security considerations in
+   addition to those mentioned in [RFC1510].
+
+References
+
+   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+   Authentication Service (V5)", RFC 1510, September 1993.
+
+Authors' Addresses
+
+   Assar Westerlund
+   Swedish Institute of Computer Science
+   Box 1263
+   S-164 29  KISTA
+   Sweden
+
+   Phone: +46-8-7521526
+   Fax:   +46-8-7517230
+   EMail: assar@sics.se
+
+   Johan Danielsson
+   PDC, KTH
+   S-100 44  STOCKHOLM
+
+
+
+Westerlund, Danielsson                                          [Page 2]
+
+Internet Draft             Kerberos over TCP              November, 1997
+
+
+   Sweden
+
+   Phone: +46-8-7907885
+   Fax:   +46-8-247784
+   EMail: joda@pdc.kth.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Westerlund, Danielsson                                          [Page 3]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-foo2.ms b/crypto/heimdal/doc/standardisation/draft-foo2.ms
new file mode 100644
index 0000000..7e0fa0a
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo2.ms
@@ -0,0 +1,145 @@
+.pl 10.0i
+.po 0
+.ll 7.2i
+.lt 7.2i
+.nr LL 7.2i
+.nr LT 7.2i
+.ds LF Westerlund, Danielsson
+.ds RF [Page %]
+.ds CF
+.ds LH Internet Draft
+.ds RH November, 1997
+.ds CH Kerberos over TCP
+.hy 0
+.ad l
+.in 0
+.ta \n(.luR
+.nf
+Network Working Group	Assar Westerlund
+<draft-ietf-cat-krb5-tcp.txt>	SICS
+Internet-Draft	Johan Danielsson
+November, 1997	PDC, KTH
+Expire in six months
+.fi
+
+.ce
+Kerberos over TCP
+
+.ti 0
+Status of this Memo
+
+.in 3
+This document is an Internet-Draft.  Internet-Drafts are working
+documents of the Internet Engineering Task Force (IETF), its
+areas, and its working groups.  Note that other groups may also
+distribute working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six
+months and may be updated, replaced, or obsoleted by other
+documents at any time.  It is inappropriate to use Internet-
+Drafts as reference material or to cite them other than as
+"work in progress."
+
+To view the entire list of current Internet-Drafts, please check
+the "1id-abstracts.txt" listing contained in the Internet-Drafts
+Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
+(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
+Coast), or ftp.isi.edu (US West Coast).
+
+Distribution of this memo is unlimited.  Please send comments to the
+<cat-ietf@mit.edu> mailing list.
+
+.ti 0
+Abstract
+
+.in 3
+This document specifies how the communication should be done between a
+client and a KDC using Kerberos [RFC1510] with TCP as the transport
+protocol.
+
+.ti 0
+Specification
+
+This draft specifies an extension to section 8.2.1 of RFC1510. 
+
+A Kerberos server MAY accept requests on TCP port 88 (decimal).
+
+The data sent from the client to the KDC should consist of 4 bytes
+containing the length, in network byte order, of the Kerberos request,
+followed by the request (AS-REQ or TGS-REQ) itself.  The reply from
+the KDC should consist of the length of the reply packet (4 bytes,
+network byte order) followed by the packet itself (AS-REP, TGS-REP, or
+KRB-ERROR).
+
+.nf
+C->S: Open connection to TCP port 88 at the server
+C->S: length of request
+C->S: AS-REQ or TGS-REQ
+S->C: length of reply
+S->C: AS-REP, TGS-REP, or KRB-ERROR
+.fi
+
+.ti 0
+Discussion
+
+Even though the preferred way of sending kerberos packets is over UDP
+there are several occasions when it's more practical to use TCP.
+
+Mainly, it's usually much less cumbersome to get TCP through firewalls
+than UDP.
+
+In theory, there's no reason for having explicit length fields, that
+information is already encoded in the ASN1 encoding of the Kerberos
+packets.  But having explicit lengths makes it unnecessary to have to
+decode the ASN.1 encoding just to know how much data has to be read.
+
+Another way of signaling the end of the request of the reply would be
+to do a half-close after the request and a full-close after the reply.
+This does not work well with all kinds of firewalls.
+
+.ti 0
+Security considerations
+
+.in 3
+This memo does not introduce any known security considerations in
+addition to those mentioned in [RFC1510].
+
+.ti 0
+References
+
+.in 3
+[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+Authentication Service (V5)", RFC 1510, September 1993.
+
+.ti 0
+Authors' Addresses
+
+Assar Westerlund
+.br
+Swedish Institute of Computer Science
+.br
+Box 1263
+.br
+S-164 29  KISTA
+.br
+Sweden
+
+Phone: +46-8-7521526
+.br
+Fax:   +46-8-7517230
+.br
+EMail: assar@sics.se
+
+Johan Danielsson
+.br
+PDC, KTH
+.br
+S-100 44  STOCKHOLM
+.br
+Sweden
+
+Phone: +46-8-7907885
+.br
+Fax:   +46-8-247784
+.br
+EMail: joda@pdc.kth.se
diff --git a/crypto/heimdal/doc/standardisation/draft-foo3 b/crypto/heimdal/doc/standardisation/draft-foo3
new file mode 100644
index 0000000..2b8b7bb
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo3
@@ -0,0 +1,227 @@
+
+
+
+
+
+
+Network Working Group                                   Assar Westerlund
+<draft-ietf-cat-krb5-firewalls.txt>                                 SICS
+Internet-Draft                                          Johan Danielsson
+November, 1997                                                  PDC, KTH
+Expire in six months
+
+                         Kerberos vs firewalls
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   To view the entire list of current Internet-Drafts, please check the
+   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
+   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
+   ftp.isi.edu (US West Coast).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+Introduction
+
+   Kerberos[RFC1510] is a protocol for authenticating parties
+   communicating over insecure networks.
+
+   Firewalling is a technique for achieving an illusion of security by
+   putting restrictions on what kinds of packets and how these are sent
+   between the internal (so called "secure") network and the global (or
+   "insecure") Internet.
+
+Definitions
+
+   client: the user, process, and host acquiring tickets from the KDC
+   and authenticating itself to the kerberised server.
+
+   KDC: the Kerberos Key Distribution Center
+
+
+
+
+Westerlund, Danielsson                                          [Page 1]
+
+Internet Draft           Kerberos vs firewalls            November, 1997
+
+
+   Kerberised server: the server using Kerberos to authenticate the
+   client, for example telnetd.
+
+Firewalls
+
+   A firewall is usually placed between the "inside" and the "outside"
+   networks, and is supposed to protect the inside from the evils on the
+   outside.  There are different kinds of firewalls.  The main
+   differences are in the way they forward packets.
+
+   o+  The most straight forward type is the one that just imposes
+      restrictions on incoming packets. Such a firewall could be
+      described as a router that filters packets that match some
+      criteria.
+
+   o+  They may also "hide" some or all addresses on the inside of the
+      firewall, replacing the addresses in the outgoing packets with the
+      address of the firewall (aka network address translation, or NAT).
+      NAT can also be used without any packet filtering, for instance
+      when you have more than one host sharing a single address (for
+      example, with a dialed-in PPP connection).
+
+   There are also firewalls that does NAT both on the inside and the
+   outside (a server on the inside will see this as a connection from
+   the firewall).
+
+   o+  A third type is the proxy type firewall, that parses the contents
+      of the packets, basically acting as a server to the client, and as
+      a client to the server (man-in-the-middle). If Kerberos is to be
+      used with this kind of firewall, a protocol module that handles
+      KDC requests has to be written.
+
+   This type of firewall might also cause extra trouble when used with
+   kerberised versions of protocols that the proxy understands, in
+   addition to the ones mentioned below. This is the case with the FTP
+   Security Extensions [RFC2228], that adds a new set of commands to the
+   FTP protocol [RFC959], for integrity, confidentiality, and privacy
+   protecting commands. When transferring data, the FTP protocol uses a
+   separate data channel, and an FTP proxy will have to look out for
+   commands that start a data transfer. If all commands are encrypted,
+   this is impossible. A protocol that doesn't suffer from this is the
+   Telnet Authentication Option [RFC1416] that does all authentication
+   and encryption in-bound.
+
+Scenarios
+
+   Here the different scenarios we have considered are described, the
+   problems they introduce and the proposed ways of solving them.
+
+
+
+Westerlund, Danielsson                                          [Page 2]
+
+Internet Draft           Kerberos vs firewalls            November, 1997
+
+
+   Combinations of these can also occur.
+
+ Client behind firewall
+
+   This is the most typical and common scenario.  First of all the
+   client needs some way of communicating with the KDC.  This can be
+   done with whatever means and is usually much simpler when the KDC is
+   able to communicate over TCP.
+
+   Apart from that, the client needs to be sure that the ticket it will
+   acquire from the KDC can be used to authenticate to a server outside
+   its firewall.  For this, it needs to add the address(es) of potential
+   firewalls between itself and the KDC/server, to the list of its own
+   addresses when requesting the ticket.  We are not aware of any
+   protocol for determining this set of addresses, thus this will have
+   to be manually configured in the client.
+
+   The client could also request a ticket with no addresses, but some
+   KDCs and servers might not accept such a ticket.
+
+   With the ticket in possession, communication with the kerberised
+   server will not need to be any different from communicating between a
+   non-kerberised client and server.
+
+ Kerberised server behind firewall
+
+   The kerberised server does not talk to the KDC at all so nothing
+   beyond normal firewall-traversal techniques for reaching the server
+   itself needs to be applied.
+
+   The kerberised server needs to be able to retrieve the original
+   address (before its firewall) that the request was sent for.  If this
+   is done via some out-of-band mechanism or it's directly able to see
+   it doesn't matter.
+
+ KDC behind firewall
+
+   The same restrictions applies for a KDC as for any other server.
+
+Specification
+
+Security considerations
+
+   This memo does not introduce any known security considerations in
+   addition to those mentioned in [RFC1510].
+
+References
+
+
+
+
+Westerlund, Danielsson                                          [Page 3]
+
+Internet Draft           Kerberos vs firewalls            November, 1997
+
+
+   [RFC959] Postel, J. and Reynolds, J., "File Transfer Protocol (FTP)",
+   RFC 969, October 1985
+
+   [RFC1416] Borman, D., "Telnet Authentication Option", RFC 1416,
+   February 1993.
+
+   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+   Authentication Service (V5)", RFC 1510, September 1993.
+
+   [RFC2228] Horowitz, M. and Lunt, S., "FTP Security Extensions",
+   RFC2228, October 1997.
+
+Authors' Addresses
+
+   Assar Westerlund
+   Swedish Institute of Computer Science
+   Box 1263
+   S-164 29  KISTA
+   Sweden
+
+   Phone: +46-8-7521526
+   Fax:   +46-8-7517230
+   EMail: assar@sics.se
+
+   Johan Danielsson
+   PDC, KTH
+   S-100 44  STOCKHOLM
+   Sweden
+
+   Phone: +46-8-7907885
+   Fax:   +46-8-247784
+   EMail: joda@pdc.kth.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Westerlund, Danielsson                                          [Page 4]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-foo3.ms b/crypto/heimdal/doc/standardisation/draft-foo3.ms
new file mode 100644
index 0000000..c024ca3
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-foo3.ms
@@ -0,0 +1,260 @@
+.\" even if this file is called .ms, it's using the me macros.
+.\" to format try something like `nroff -me'
+.\" level 2 heading
+.de HH
+.$p "\\$2" "" "\\$1"
+.$0 "\\$2"
+..
+.\" make sure footnotes produce the right thing with nroff
+.ie t \
+\{\
+.ds { \v'-0.4m'\x'\\n(0x=0*-0.2m'\s-3
+.ds } \s0\v'0.4m'
+.\}
+.el \
+\{\
+.ds { [
+.ds } ]
+.\}
+.ds * \\*{\\n($f\\*}\k*
+.\" page footer
+.fo 'Westerlund, Danielsson''[Page %]'
+.\" date
+.ds RH \*(mo, 19\n(yr
+.\" left margin
+.nr lm 6
+.\" heading indent per level
+.nr si 3n
+.\" footnote indent
+.nr fi 0
+.\" paragraph indent
+.nr po 0
+.\" don't hyphenate
+.hy 0
+.\" left adjustment
+.ad l
+.\" indent 0
+.in 0
+.\" line length 16cm and page length 25cm (~10 inches)
+.ll 16c
+.pl 25c
+.ta \n(.luR
+.nf
+Network Working Group	Assar Westerlund
+<draft-ietf-cat-krb5-firewalls.txt>	SICS
+Internet-Draft	Johan Danielsson
+\*(RH	PDC, KTH
+Expire in six months	
+.fi
+
+.\" page header, has to be set here so it won't appear on page 1
+.he 'Internet Draft'Kerberos vs firewalls'\*(RH'
+.ce
+.b "Kerberos vs firewalls"
+
+.HH 1 "Status of this Memo"
+.lp
+This document is an Internet-Draft.  Internet-Drafts are working
+documents of the Internet Engineering Task Force (IETF), its areas,
+and its working groups.  Note that other groups may also distribute
+working documents as Internet-Drafts.
+.lp
+Internet-Drafts are draft documents valid for a maximum of six months
+and may be updated, replaced, or obsoleted by other documents at any
+time.  It is inappropriate to use Internet- Drafts as reference
+material or to cite them other than as \*(lqwork in progress.\*(rq
+.lp
+To view the entire list of current Internet-Drafts, please check the
+\*(lq1id-abstracts.txt\*(rq listing contained in the Internet-Drafts
+Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
+munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
+ftp.isi.edu (US West Coast).
+.lp
+Distribution of this memo is unlimited.  Please send comments to the
+<cat-ietf@mit.edu> mailing list.
+.HH 1 "Abstract"
+.lp
+Kerberos and firewalls both deal with security, but doesn't get along
+very well. This memo discusses ways to use Kerberos in a firewalled
+environment.
+.HH 1 "Introduction"
+.lp
+Kerberos[RFC1510]
+.(d
+[RFC1510]
+Kohl, J. and Neuman, C., \*(lqThe Kerberos Network Authentication
+Service (V5)\*(rq, RFC 1510, September 1993.
+.)d
+is a protocol for authenticating parties communicating over insecure
+networks.  Firewalling is a technique for achieving an illusion of
+security by putting restrictions on what kinds of packets and how
+these are sent between the internal (so called \*(lqsecure\*(rq)
+network and the global (or \*(lqinsecure\*(rq) Internet.  The problems
+with firewalls are many, but to name a few:
+.np
+Firewalls usually doesn't allow people to use UDP. The reason for this
+is that UDP is (by firewall advocates) considered insecure. This
+belief is probably based on the fact that many \*(lqinsecure\*(rq
+protocols (like NFS) use UDP. UDP packets are also considered easy to
+fake.
+.np
+Firewalls usually doesn't allow people to connect to arbitrary ports,
+such as the ports used when talking to the KDC.
+.np
+In many non-computer organisations, the computer staff isn't what
+you'd call \*(lqwizards\*(rq; a typical case is an academic
+institution, where someone is taking care of the computers part time,
+and is doing research the rest of the time. Adding a complex device
+like a firewall to an environment like this, often leads to poorly run
+systems that is more a hindrance for the legitimate users than to
+possible crackers.
+.lp
+The easiest way to deal with firewalls is to ignore them, however in
+some cases this just isn't possible. You might have users that are
+stuck behind a firewall, but also has to access your system, or you
+might find yourself behind a firewall, for instance when out
+travelling.
+.lp
+To make it possible for people to use Kerberos from behind a firewall,
+there are several things to consider.
+.(q
+.i
+Add things to do when stuck behind a firewall, like talking about the
+problem with local staff, making them open some port in the firewall,
+using some other port, or proxy.
+.r
+.)q
+.HH 1 "Firewalls"
+.lp
+A firewall is usually placed between the \*(lqinside\*(rq and the
+\*(lqoutside\*(rq networks, and is supposed to protect the inside from the
+evils on the outside.  There are different kinds of firewalls.  The
+main differences are in the way they forward (or doesn't) packets.
+.ip \(bu
+The most straight forward type is the one that just imposes
+restrictions on incoming packets. Such a firewall could be described
+as a router that filters packets that match some criteria.
+.ip \(bu
+They may also \*(lqhide\*(rq some or all addresses on the inside of the
+firewall, replacing the addresses in the outgoing packets with the
+address of the firewall (aka network address translation, or NAT). NAT
+can also be used without any packet filtering, for instance when you
+have more than one host sharing a single address (e.g with a dialed-in
+PPP connection).
+.ip
+There are also firewalls that does NAT both on the inside and the
+outside (a server on the inside will see this as a connection from the
+firewall).
+.ip \(bu
+A third type is the proxy type firewall, that parses the contents of
+the packets, basically acting as a server to the client, and as a
+client to the server (man-in-the-middle). If Kerberos is to be used
+with this kind of firewall, a protocol module that handles KDC
+requests has to be written\**.
+.(f
+\**Instead of writing a new module for Kerberos, it can be possible to
+hitch a ride on some other protocol, that's already beeing handled by
+the proxy.
+.)f
+.lp
+The last type of firewall might also cause extra trouble when used
+with kerberised versions of protocols that the proxy understands, in
+addition to the ones mentioned below. This is the case with the FTP
+Security Extensions [RFC2228],
+.(d
+[RFC2228]
+Horowitz, M. and Lunt, S., \*(lqFTP Security Extensions\*(rq, RFC2228,
+October 1997.
+.)d
+that adds a new set of commands to the FTP protocol [RFC959],
+.(d
+[RFC959] Postel, J. and Reynolds, J., \*(lqFile Transfer Protocol
+(FTP)\*(rq, RFC 969, October 1985
+.)d
+for integrity, confidentiality, and privacy protecting commands, and
+data. When transferring data, the FTP protocol uses a separate data
+channel, and an FTP proxy will have to look out for commands that
+start a data transfer. If all commands are encrypted, this is
+impossible. A protocol that doesn't suffer from this is the Telnet
+Authentication Option [RFC1416]
+.(d
+[RFC1416]
+Borman, D., \*(lqTelnet Authentication Option\*(rq, RFC 1416, February
+1993.
+.)d
+that does all
+authentication and encryption in-bound.
+.HH 1 "Scenarios"
+.lp
+Here the different scenarios we have considered are described, the
+problems they introduce and the proposed ways of solving them.
+Combinations of these can also occur.
+.HH 2 "Client behind firewall"
+.lp
+This is the most typical and common scenario.  First of all the client
+needs some way of communicating with the KDC.  This can be done with
+whatever means and is usually much simpler when the KDC is able to
+communicate over TCP.
+.lp
+Apart from that, the client needs to be sure that the ticket it will
+acquire from the KDC can be used to authenticate to a server outside
+its firewall.  For this, it needs to add the address(es) of potential
+firewalls between itself and the KDC/server, to the list of its own
+addresses when requesting the ticket.  We are not aware of any
+protocol for determining this set of addresses, thus this will have to
+be manually configured in the client.
+.lp
+The client could also request a ticket with no addresses. This is not
+a recommended way to solve this problem. The address was put into the
+ticket to make it harder to use a stolen ticket.  A ticket without
+addresses will therefore be less \*(lqsecure.\*(rq RFC1510 also says that
+the KDC may refuse to issue, and the server may refuse to accept an
+address-less ticket.
+.lp
+With the ticket in possession, communication with the kerberised
+server will not need to be any different from communicating between a
+non-kerberised client and server.
+.HH 2 "Kerberised server behind firewall"
+.lp
+The kerberised server does not talk to the KDC at all, so nothing
+beyond normal firewall-traversal techniques for reaching the server
+itself needs to be applied.
+.lp
+If the firewall rewrites the clients address, the server will have to
+use some other (possibly firewall specific) protocol to retrieve the
+original address. If this is not possible, the address field will have
+to be ignored. This has the same effect as if there were no addresses
+in the ticket (see the discussion above).
+.HH 2 "KDC behind firewall"
+.lp
+The KDC is in this respect basically just like any other server.
+.\" .uh "Specification"
+.HH 1 "Security considerations"
+.lp
+Since the whole network behind a NAT-type firewall looks like one
+computer from the outside, any security added by the addresses in the
+ticket will be lost.
+.HH 1 "References"
+.lp
+.pd
+.HH 1 "Authors' Addresses"
+.lp
+.nf
+Assar Westerlund
+Swedish Institute of Computer Science
+Box 1263
+S-164 29 KISTA
+.sp
+Phone: +46-8-7521526
+Fax: +46-8-7517230
+EMail: assar@sics.se
+.sp 2
+Johan Danielsson
+Center for Parallel Computers
+KTH
+S-100 44 STOCKHOLM
+.sp
+Phone: +46-8-7906356
+Fax: +46-8-247784
+EMail: joda@pdc.kth.se
+.fi
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt b/crypto/heimdal/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt
new file mode 100644
index 0000000..89e6452
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-hornstein-dhc-kerbauth-02.txt
@@ -0,0 +1,1594 @@
+
+DHC Working Group                                          Ken Hornstein
+INTERNET-DRAFT                                                       NRL
+Category: Standards Track                                      Ted Lemon
+<draft-hornstein-dhc-kerbauth-02.txt>             Internet Engines, Inc.
+20 February 2000                                           Bernard Aboba
+Expires: September 1, 2000                                     Microsoft
+                                                        Jonathan Trostle
+                                                           Cisco Systems
+
+                   DHCP Authentication Via Kerberos V
+
+This document is an Internet-Draft and is in full conformance with all
+provisions of Section 10 of RFC2026.
+
+Internet-Drafts are working documents of the Internet Engineering Task
+Force (IETF), its areas, and its working groups.  Note that other groups
+may also distribute working documents as Internet- Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months
+and may be updated, replaced, or obsoleted by other documents at any
+time.  It is inappropriate to use Internet-Drafts as reference material
+or to cite them other than as "work in progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html.
+
+The distribution of this memo is unlimited.
+
+1.  Copyright Notice
+
+Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+2.  Abstract
+
+The Dynamic Host Configuration Protocol (DHCP) provides a mechanism for
+host configuration. In some circumstances, it is useful for the DHCP
+client and server to be able to mutually authenticate as well as to
+guarantee the integrity of DHCP packets in transit.  This document
+describes how Kerberos V may be used in order to allow a DHCP client and
+server to mutually authenticate as well as to protect the integrity of
+the DHCP exchange. The protocol described in this document is capable of
+handling both intra-realm and inter-realm authentication.
+
+
+
+
+
+
+Hornstein, et al.            Standards Track                    [Page 1]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+3.  Introduction
+
+The Dynamic Host Configuration Protocol (DHCP) provides a mechanism for
+host configuration. In some circumstances, it is useful for the DHCP
+client and server to be able to mutually authenticate as well as to
+guarantee the integrity of DHCP packets in transit.  This document
+describes how Kerberos V may be used in order to allow a DHCP client and
+server to mutually authenticate as well as to protect the integrity of
+the DHCP exchange.  The protocol described in this document is capable
+of handling both intra-realm and inter-realm authentication.
+
+3.1.  Terminology
+
+This document uses the following terms:
+
+DHCP client
+          A DHCP client or "client" is an Internet host using DHCP to
+          obtain configuration parameters such as a network address.
+
+DHCP server
+          A DHCP server or "server" is an Internet host that returns
+          configuration parameters to DHCP clients.
+
+Home KDC  The KDC corresponding to the DHCP client's realm.
+
+Local KDC The KDC corresponding to the DHCP server's realm.
+
+3.2.  Requirements language
+
+In this document, the key words "MAY", "MUST,  "MUST  NOT",  "optional",
+"recommended",  "SHOULD",  and  "SHOULD  NOT",  are to be interpreted as
+described in [1].
+
+4.  Protocol overview
+
+In DHCP authentication via Kerberos V, DHCP clients and servers utilize
+a Kerberos session key in order to compute a message integrity check
+value included within the DHCP authentication option. The message
+integrity check serves to authenticate as well as integrity protect the
+messages, while remaining compatible with the operation of a DHCP relay.
+Replay protection is also provided by a replay counter within the
+authentication option, as described in [3].
+
+Each server maintains a list of session keys and identifiers for
+clients, so that the server can retrieve the session key and identifier
+used by a client to which the server has provided previous configuration
+information.  Each server MUST save the replay counter from the previous
+authenticated message. To avoid replay attacks, the server MUST discard
+
+
+
+Hornstein, et al.            Standards Track                    [Page 2]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+any incoming message whose replay counter is not strictly greater than
+the replay counter from the previous message.
+
+DHCP authentication, described in [3], must work within the existing
+DHCP state machine described in [4].  For a client in INIT state, this
+means that the client must obtain a valid TGT, as well as a session key,
+within the two round-trips provided by the
+DHCPDISCOVER/OFFER/REQUEST/ACK sequence.
+
+In INIT state, the DHCP client submits an incomplete AS_REQ to the DHCP
+server within the DHCPDISCOVER message.  The DHCP server then completes
+the AS_REQ using the IP address to be assigned to the client, and
+submits this to the client's home KDC in order to obtain a TGT on the
+client's behalf. Once the home KDC responds with an AS_REP, the DHCP
+server extracts the client TGT and submits this along with its own TGT
+to the home KDC, in order to obtain a user-to-user ticket to the DHCP
+client. The AS_REP as well as the AP_REQ are included by the DHCP server
+in the DHCPOFFER. The DHCP client can then decrypt the AS_REP to obtain
+a home realm TGT and TGT session key, using the latter to decrypt the
+user-to-user ticket to obtain the user-to-user session key. It is the
+user-to-user session key that is used to authenticate and integrity
+protect the client's DHCPREQUEST, and DHCPDECLINE messages. Similarly,
+this same session key is used to compute the integrity attribute in the
+server's DHCPOFFER, DHCPACK and DHCPNAK messages, as described in [3].
+
+In the INIT-REBOOT, REBINDING, or RENEWING states, the server can submit
+the home realm TGT in the DHCPREQUEST, along with authenticating and
+integrity protecting the message using an integrity attribute within the
+authentication option. The integrity attribute is computed using the
+existing session key.  The DHCP server can then return a renewed user-
+to-user ticket within the DHCPACK message. The authenticated DHCPREQUEST
+message from a client in INIT-REBOOT state can only be validated by
+servers that used the same session key to compute the integrity
+attribute in their DHCPOFFER messages.
+
+Other servers will discard the DHCPREQUEST messages. Thus, only servers
+that used the user-to-user session key selected by the client will be
+able to determine that their offered configuration information was not
+selected, returning the offered network address to the server's pool of
+available addresses.  The servers that cannot validate the DHCPREQUEST
+message will eventually return their offered network addresses to their
+pool of available addresses as described in section 3.1 of the DHCP
+specification [4].
+
+When sending a DHCPINFORM, there are two possible procedures.  If the
+client knows the DHCP server it will be interacting with, then it can
+obtain a ticket to the DHCP server from the local realm KDC. This will
+require obtaining a TGT to its home realm, as well as possibly a cross-
+
+
+
+Hornstein, et al.            Standards Track                    [Page 3]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+realm TGT to the local realm if the local and home realms differ. Once
+the DHCP client has a local realm TGT, it can then request a DHCP server
+ticket in a TGS_REQ. The DHCP client can then include AP_REQ and
+integrity attributes within the DHCPINFORM. The integrity attribute is
+computed as described in [3], using the session key obtained from the
+TGS_REP. The DHCP server replies with a DHCPACK/DHCPNAK, authenticated
+using the same session key.
+
+If the DHCP client does not know the DHCP server it is interacting with
+then it will not be able to obtain a ticket to it and a different
+procedure is needed.  In this case, the client will include in the
+DHCPINFORM an authentication option with a ticket attribute containing
+its home realm TGT. The DHCP server will then use this TGT in order to
+request a user-to-user ticket from the home KDC in a TGS_REQ.  The DHCP
+server will return the user-to-user ticket and will authenticate and
+integrity protect the DHCPACK/DHCPNAK message. This is accomplished by
+including AP_REQ and integrity attributes within the authentication
+option included with the DHCPACK/DHCPNAK messages.
+
+In order to support the DHCP client's ability to authenticate the DHCP
+server in the case where the server name is unknown, the Kerberos
+principal name for the DHCP server must be of type KRB_NT_SRV_HST with
+the service name component equal to 'dhcp'. For example, the DHCP server
+principal name for the host srv.foo.org would be of the form
+dhcp/srv.foo.org.  The client MUST validate that the DHCP server
+principal name has the above format. This convention requires that the
+administrator ensure that non-DHCP server principals do not have names
+that match the above format.
+
+4.1.  Authentication Option Format
+
+A summary of the authentication option  format for DHCP authentication
+via Kerberos V is shown below.  The fields are transmitted from left to
+right.
+
+0                   1                   2                   3
+0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|     Code      |     Length    |   Protocol    | Algorithm     |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|                      Global Replay Counter                    |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|                      Global Replay Counter                    |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|                           Attributes...
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Code
+
+
+
+Hornstein, et al.            Standards Track                    [Page 4]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+   TBD - DHCP Authentication
+
+Length
+
+   The length field is a single octet and indicates the length of the
+   Protocol, Algorith, and Authentication Information fields.  Octets
+   outside the range of the length field should be ignored on reception.
+
+Protocol
+
+   TBD - DHCP Kerberos V authentication
+
+Algorithm
+
+   The algorithm field is a single octet and defines the specific
+   algorithm to be used for computation of the authentication option.
+   Values for the field are as follows:
+
+   0 - reserved
+   1 - HMAC-MD5
+   2 - HMAC-SHA
+   3 - 255 reserved
+
+Global Replay Counter
+
+   As described in [3], the global replay counter field is 8 octets in
+   length. It MUST be set to the value of a monotonically increasing
+   counter. Using a counter value such as the current time of day (e.g.,
+   an NTP-format timestamp [10]) can reduce the danger of replay
+   attacks.
+
+Attributes
+
+   The attributes field consists of type-length-value attributes of the
+   following format:
+
+   0                   1                   2                   3
+   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |     Type      |  Reserved     |       Payload Length          |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                           Attribute value...
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Type
+   The type field is a single octet and is defined as follows:
+
+   0  - Integrity check
+
+
+
+Hornstein, et al.            Standards Track                    [Page 5]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+   1  - TICKET
+   2  - Authenticator
+   3  - EncTicketPart
+   10 - AS_REQ
+   11 - AS_REP
+   12 - TGS_REQ
+   13 - TGS_REP
+   14 - AP_REQ
+   15 - AP_REP
+   20 - KRB_SAFE
+   21 - KRB_PRIV
+   22 - KRB_CRED
+   25 - EncASRepPart
+   26 - EncTGSRepPart
+   27 - EncAPRepPart
+   28 - EncKrbPrvPart
+   29 - EncKrbCredPart
+   30 - KRB_ERROR
+
+   Note that the values of the Type field are the same as in the
+   Kerberos MSG-TYPE field. As a result, no new number spaces are
+   created for IANA administration.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornstein, et al.            Standards Track                    [Page 6]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+   The following attribute types are allowed within the following
+   messages:
+
+   DISCOVER  OFFER  REQUEST  DECLINE   #    Attribute
+   --------------------------------------------------------
+      0        1       1        1      0    Integrity check
+      0        0      0-1       0      1    Ticket
+      1        0       0        0     10    AS_REQ
+      0        1       0        0     11    AS_REP
+      0        1       0        0     14    AP_REQ
+      0       0-1      0        0     30    KRB_ERROR
+
+   RELEASE   ACK   NAK    INFORM   INFORM      #    Attribute
+                          w/known  w/unknown
+                          server   server
+   ---------------------------------------------------------------
+      1       1     1        1        0        0    Integrity check
+      0       0     0        0        1        1    Ticket
+      0       0     0        0        0       10    AS_REQ
+      0       0     0        0        0       11    AS_REP
+      0      0-1    0        1        0       14    AP_REQ
+      0       0    0-1       0        0       30    KRB_ERROR
+
+4.2.  Client behavior
+
+The following section, which incorporates material from [3], describes
+client behavior in detail.
+
+4.2.1.  INIT state
+
+When in INIT state, the client behaves as follows:
+
+
+[1]  As described in [3], the client MUST include the authentication
+     request option in its DHCPDISCOVER message along with option 61
+     [11] to identify itself uniquely to the server. An AS_REQ attribute
+     MUST be included within the authentication request option. This
+     (incomplete) AS_REQ will set the FORWARDABLE and RENEWABLE flags
+     and MAY include pre-authentication data (PADATA) if the client
+     knows what PADATA its home KDC will require. The ADDRESSES field in
+     the AS_REQ will be ommitted since the client does not yet know its
+     IP address. The ETYPE field will be set to an encryption type that
+     the client can accept.
+
+[2]  The client MUST validate DHCPOFFER messages that include an
+     authentication option. Messages including an authentication option
+     with a KRB_ERROR attribute and no integrity attribute are treated
+     as though they are unauthenticated. More typically, authentication
+
+
+
+Hornstein, et al.            Standards Track                    [Page 7]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+     options within the DHCPOFFER message will include AS_REP, AP_REQ,
+     and integrity attributes. To validate the authentication option,
+     the client decrypts the enc-part of the AS_REP in order to obtain
+     the TGT session key. This is used to decrypt the enc-part of the
+     AP_REQ in order to obtain the user-to-user session key. The user-
+     to-user session key is then used to compute the message integrity
+     check as described in [3], and the computed value is compared to
+     the value within the integrity attribute. The client MUST discard
+     any messages which fail to pass validation and MAY log the
+     validation failure.
+
+     As described in [3], the client selects one DHCPOFFER message as
+     its selected configuration. If none of the DHCPOFFER messages
+     received by the client include an authentication option, the client
+     MAY choose an unauthenticated message as its selected
+     configuration.  DHCPOFFER messages including an authentication
+     option with a KRB_ERROR attribute and no integrity attribute are
+     treated as though they are unauthenticated.  The client SHOULD be
+     configurable to accept or reject unauthenticated DHCPOFFER
+     messages.
+
+[3]  The client replies with a DHCPREQUEST message that MUST include an
+     authentication option. The authentication option MUST include an
+     integrity attribute, computed as described in [3], using the user
+     to user session key recovered in step 2.
+
+[4]  As noted in [3], the client MUST validate a DHCPACK message from
+     the server that includes an authentication option. DHCPACK or
+     DHCPNAK messages including an authentication option with a
+     KRB_ERROR attribute and no integrity attribute are treated as
+     though they are unauthenticated. The client MUST silently discard
+     the DHCPACK if the message fails to pass validation and MAY log the
+     validation failure. If the DHCPACK fails to pass validation, the
+     client MUST revert to the INIT state and return to step 1. The
+     client MAY choose to remember which server replied with an invalid
+     DHCPACK message and discard subsequent messages from that server.
+
+4.2.2.  INIT-REBOOT state
+
+When in INIT-REBOOT state, if the user-to-user ticket is still valid,
+the client MUST re-use the session key from the DHCP server user-to-user
+ticket in its DHCPREQUEST message. This is used to generate the
+integrity attribute contained within the authentication option, as
+described in [3]. In the DHCPREQUEST, the DHCP client also includes its
+home realm TGT in a ticket attribute in the authentication option in
+order to assist the DHCP server in renewing the user-to-user ticket.  To
+ensure that the user-to-user ticket remains valid throughout the DHCP
+lease period so that the renewal process can proceed, the Kerberos
+
+
+
+Hornstein, et al.            Standards Track                    [Page 8]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+ticket lifetime SHOULD be set to exceed the DHCP lease time.  If the
+user-to-user ticket is expired, then the client MUST return to the INIT
+state.
+
+The client MAY choose to accept unauthenticated DHCPACK/DHCPNAK messages
+if no authenticated messages were received. DHCPACK/DHCPNAK messages
+with an authentication option containing a KRB_ERROR attribute and no
+integrity attribute are treated as though they are unauthenticated. The
+client MUST treat the receipt (or lack thereof) of any DHCPACK/DHCPNAK
+messages as specified in section 3.2 of the DHCP specification [4].
+
+4.2.3.  RENEWING state
+
+When in RENEWING state, the DHCP client can be assumed to have a valid
+IP address, as well as a TGT to the home realm, a user-to-user ticket
+provided by the DHCP server, and a session key with the DHCP server, all
+obtained during the original DHCP conversation.  If the user-to-user
+ticket is still valid, the client MUST re-use the session key from the
+user-to-user ticket in its DHCPREQUEST message to generate the integrity
+attribute contained within the authentication option.
+
+Since the DHCP client can renew the TGT to the home realm, it is
+possible for it to continue to hold a valid home realm TGT.  However,
+since the DHCP client did not obtain the user-to-user ticket on its own,
+it will need to rely on the DHCP server to renew this ticket. In the
+DHCPREQUEST, the DHCP client includes its home realm TGT in a ticket
+attribute in the authentication option in order to assist the DHCP
+server in renewing the user-to-user ticket.
+
+If the DHCP server user-to-user ticket is expired, then the client MUST
+return to INIT state.  To ensure that the user-to-user ticket remains
+valid throughout the DHCP lease period so that the renewal process can
+proceed, the Kerberos ticket lifetime SHOULD be set to exceed the DHCP
+lease time.  If client receives no DHCPACK messages or none of the
+DHCPACK messages pass validation, the client behaves as if it had not
+received a DHCPACK message in section 4.4.5 of the DHCP specification
+[4].
+
+4.2.4.  REBINDING state
+
+When in REBINDING state, the DHCP client can be assumed to have a valid
+IP address, as well as a TGT to the home realm, a user-to-user ticket
+and a session key with the DHCP server, all obtained during the original
+DHCP conversation.  If the user-to-user ticket is still valid, the
+client MUST re-use the session key from the user-to-user ticket in its
+DHCPREQUEST message to generate the integrity attribute contained within
+the authentication option, as described in [3].
+
+
+
+
+Hornstein, et al.            Standards Track                    [Page 9]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+Since the DHCP client can renew the TGT to the home realm, it is
+possible for it to continue to hold a valid home realm TGT.  However,
+since the DHCP client did not obtain the user-to-user ticket on its own,
+it will need to rely on the DHCP server to renew this ticket. In the
+DHCPREQUEST, the DHCP client includes its home realm TGT in a ticket
+attribute in the authentication option in order to assist the DHCP
+server in renewing the user-to-user ticket.
+
+If the user-to-user ticket is expired, then the client MUST return to
+INIT state.  To ensure that the user-to-user ticket remains valid
+throughout the DHCP lease period so that the renewal process can
+proceed, the Kerberos ticket lifetime SHOULD be set to exceed the DHCP
+lease time.  If client receives no DHCPACK messages or none of the
+DHCPACK messages pass validation, the client behaves as if it had not
+received a DHCPACK message in section 4.4.5 of the DHCP specification
+[4].
+
+4.2.5.  DHCPRELEASE message
+
+Clients sending a DHCPRELEASE MUST include an authentication option. The
+authentication option MUST include an integrity attribute, computed as
+described in [3], using the user to user session key.
+
+4.2.6.  DHCPDECLINE message
+
+Clients sending a DHCPDECLINE MUST include an authentication option. The
+authentication option MUST include an integrity attribute, computed as
+described in [3], using the user to user session key.
+
+4.2.7.  DHCPINFORM message
+
+Since the client already has some configuration information, it can be
+assumed that it has the ability to obtain a home or local realm TGT
+prior to sending the DHCPINFORM.
+
+If the DHCP client knows which DHCP server it will be interacting with,
+then it SHOULD include an authentication option containing AP_REQ and
+integrity attributes within the DHCPINFORM.  The DHCP client first
+requests a TGT to the local realm via an AS_REQ and then using the TGT
+returned in the AS_REP to request a ticket to the DHCP server from the
+local KDC in a TGS_REQ. The session key obtained from the TGS_REP will
+be used to generate the integrity attribute as described in [3].
+
+If the DHCP client does not know what DHCP server it will be talking to,
+then it cannot obtain a ticket to the DHCP server. In this case, the
+DHCP client MAY send an unauthenticated DHCPINFORM or it MAY include an
+authentication option including a ticket attribute only.  The ticket
+attribute includes a TGT for the home realm. The client MUST validate
+
+
+
+Hornstein, et al.            Standards Track                   [Page 10]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+that the DHCP server name in the received Kerberos AP_REQ message is of
+the form dhcp/.... as described in section 4.
+
+The client MAY choose to accept unauthenticated DHCPACK/DHCPNAK messages
+if no authenticated messages were received. DHCPACK/DHCPNAK messages
+with an authentication option containing a KRB_ERROR attribute and no
+integrity attribute are treated as though they are unauthenticated. The
+client MUST treat the receipt (or lack thereof) of any DHCPACK/DHCPNAK
+messages as specified in section 3.2 of the DHCP specification [4].
+
+4.3.  Server behavior
+
+This section, which relies on material from [3], describes the behavior
+of a server in response to client messages.
+
+4.3.1.  After receiving a DHCPDISCOVER message
+
+For installations where IP addresses are required within tickets, the
+DHCP server MAY complete the AS_REQ by filling in the ADDRESSES field
+based on the IP address that it will include in the DHCPOFFER.  The DHCP
+server sends the AS_REQ to the home KDC with the FORWARDABLE flag set.
+The home KDC then replies to the DHCP server with an AS_REP.  The DHCP
+server extracts the client TGT from the AS_REP and forms a TGS_REQ,
+which it sends to  the home KDC.
+
+If the DHCP server and client are in different realms, then the DHCP
+server will need to obtain a TGT to the home realm from the KDC of its
+own (local) realm prior to sending the TGS_REQ. The TGS_REQ includes the
+DHCP server's TGT within the home realm, has the ENC-TKT-IN-SKEY flag
+set and includes the client home realm TGT in the ADDITIONAL-TICKETS
+field, thus requesting a user-to ticket to the DHCP client.  The home
+KDC then returns a user-to-user ticket in a TGS_REP. The user-to-user
+ticket is encrypted in the client's home realm TGT session key.
+
+In order to recover the user-to-user session key, the DHCP server
+decrypts the enc-part of the TGS_REP. To accomplish this, the DHCP
+server uses the session key that it shares with the home realm, obtained
+in the AS_REQ/AS_REP conversation that it used to obtain its own TGT to
+the home realm.
+
+The DHCP server then sends a DHCPOFFER to the client, including AS_REP,
+AP_REQ and integrity attributes within the authentication option.  The
+AS_REP attribute encapsulates the AS_REP sent to the DHCP server by the
+home KDC. The AP_REQ attribute includes an AP_REQ constructed by the
+DHCP server based on the TGS_REP sent to it by the home KDC. The server
+also includes an integrity attribute generated as specified in [3] from
+the user-to-user session key.  The server MUST record the user-to-user
+session key selected for the client and use that session key for
+
+
+
+Hornstein, et al.            Standards Track                   [Page 11]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+validating subsequent messages with the client.
+
+4.3.2.  After receiving a DHCPREQUEST message
+
+The DHCP server uses the user-to-user session key in order to validate
+the integrity attribute contained within the authentication option,
+using the method specified in [3]. If the message fails to pass
+validation, it MUST discard the message and MAY choose to log the
+validation failure.
+
+If the message passes the validation procedure, the server responds as
+described in [4], including an integrity attribute computed as specified
+in [3] within the DHCPACK or DHCPNAK message.
+
+If the authentication option included within the DHCPREQUEST message
+contains a ticket attribute then the DHCP server will use the home realm
+TGT included in the ticket attribute in order to renew the user-to-user
+ticket, which it returns in an AP_REQ attribute within the DHCPACK.
+DHCPACK or DHCPNAK messages then include an integrity attribute
+generated as specified in [3], using the new user-to-user session key
+included within the AP_REQ.
+
+4.3.3.  After receiving a DHCPINFORM message
+
+The server MAY choose to accept unauthenticated DHCPINFORM messages, or
+only accept authenticated DHCPINFORM messages based on a site policy.
+
+When a client includes an authentication option in a DHCPINFORM message,
+the server MUST respond with an authenticated DHCPACK or DHCPNAK
+message. If the DHCPINFORM message includes an authentication option
+including AP_REQ and integrity attributes, the DHCP server decrypts the
+AP_REQ attribute and then recovers the session key. The DHCP server than
+validates the integrity attribute included in the authentication option
+using the session key. If the integrity attribute is invalid then the
+DHCP server MUST silently discard the DHCPINFORM message.
+
+If the authentication option only includes a ticket attribute and no
+integrity or AP_REQ attributes, then the DHCP server should assume that
+the client needs the server to obtain a user-to-user ticket from the
+home realm KDC.  In this case, the DHCP server includes the client home
+realm TGT and its own home realm TGT in a TGS_REQ to the home realm KDC.
+It then receives a user-to-user ticket from the home realm KDC in a
+TGS_REP. The DHCP server will then include AP_REQ and integrity
+attributes within the DHCPACK/DHCPNAK.
+
+If the client does not include an authentication option in the
+DHCPINFORM, the server can either respond with an unauthenticated
+DHCPACK message, or a DHCPNAK if the server does not accept
+
+
+
+Hornstein, et al.            Standards Track                   [Page 12]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+unauthenticated clients.
+
+4.3.4.  After receiving a DHCPRELEASE message
+
+The DHCP server uses the session key in order to validate the integrity
+attribute contained within the authentication option, using the method
+specified in [3]. If the message fails to pass validation, it MUST
+discard the message and MAY choose to log the validation failure.
+
+If the message passes the validation procedure, the server responds as
+described in [4], marking the client's network address as not allocated.
+
+4.3.5.  After receiving a DHCPDECLINE message
+
+The DHCP server uses the session key in order to validate the integrity
+attribute contained within the authentication option, using the method
+specified in [3]. If the message fails to pass validation, it MUST
+discard the message and MAY choose to log the validation failure.
+
+If the message passes the validation procedure, the server proceeds as
+described in [4].
+
+4.4.  Error handling
+
+When an error condition occurs during a Kerberos exchange, Kerberos
+error messages can be returned by either side.  These Kerberos error
+messages MAY be logged by the receiving and sending parties.
+
+In some cases, it may be possible for these error messages to be
+included within the authentication option via the KRB_ERROR attribute.
+However, in most cases, errors will result in messages being silently
+discarded and so no response will be returned.
+
+For example, if the home KDC returns a KRB_ERROR in response to the
+AS_REQ submitted by the DHCP server on the client's behalf, then the
+DHCP server will conclude that the DHCPDISCOVER was not authentic, and
+will silently discard it.
+
+However, if the AS_REQ included PADATA and the home KDC responds with an
+AS_REP, then the DHCP server can conclude that the client is authentic.
+If the subsequent TGS_REQ is unsuccessful, with a KRB_ERROR returned by
+the home KDC in the TGS_REP, then the fault may lie with the DHCP server
+rather than with the client. In this case, the DHCP server MAY choose to
+return a KRB_ERROR within the authentication option included in the
+DHCPOFFER. The client will then treat this as an unauthenticated
+DHCPOFFER.
+
+
+
+
+
+Hornstein, et al.            Standards Track                   [Page 13]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+Similarly, if the integrity attribute contained in the DHCPOFFER proves
+invalid, the client will silently discard the DHCPOFFER and instead
+accept an offer from another server if one is available. If the
+integrity attribute included in the DHCPACK/DHCPNAK proves invalid, then
+the client behaves as if it did not receive a DHCPACK/DHCPNAK.
+
+When in INIT-REBOOT, REBINDING or RENEWING state, the client will
+include a ticket attribute and integrity attribute within the
+authentication option of the DHCPREQUEST, in order to assist the DHCP
+server in renewing the user-to-user ticket.  If the integrity attribute
+is invalid, then the DHCP server MUST silently discard the DHCPREQUEST.
+
+However, if the integrity attribute is successfully validated by the
+DHCP server, but the home realm TGT included in the ticket attribute is
+invalid (e.g. expired), then the DHCP server will receive a KRB_ERROR in
+response to its TGS_REQ to the home KDC.  In this case, the DHCP server
+MAY respond with a DHCPNAK including a KRB_ERROR attribute and no
+integrity attribute within the authentication option. This will force
+the client back to the INIT state, where it can receive a valid home
+realm TGT.
+
+Where the client included PADATA in the AS_REQ attribute of the
+authentication option within the DHCPDISCOVER and the AS_REQ was
+successfully validated by the KDC, the DHCP server will conclude that
+the DHCP client is authentic. In this case if the client successfully
+validates the integrity attribute in the DHCPOFFER, but the server does
+not validate the integrity attribute in the client's DHCPREQUEST, the
+server MAY choose to respond with an authenticated DHCPNAK containing a
+KRB_ERROR attribute.
+
+4.5.  PKINIT issues
+
+When public key authentication is supported with Kerberos as described
+in [8], the client certificate and a signature accompany the initial
+request in the preauthentication fields.  As a result, it is conceivable
+that the incomplete AS_REQ included in the DHCPDISCOVER packet may
+exceed the size of a single DHCP option, or even the MTU size.  As noted
+in [4], a single option may be as large as 255 octets. If the value to
+be passed is larger than this the client concatenates together the
+values of multiple instances of the same option.
+
+4.6.  Examples
+
+4.6.1.  INIT state
+
+In the intra-realm case where the DHCP Kerberos mutual authentication is
+successful, the conversation will appear as follows:
+
+
+
+
+Hornstein, et al.            Standards Track                   [Page 14]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+                   AS_REQ ->
+                                      <- AS_REP
+                   TGS_REQ
+                    U-2-U ->
+                                      <- TGS_REP
+                <- DHCPOFFER,
+                    (AS_REP,
+                    AP_REQ,
+                    Integrity)
+DHCPREQUEST
+ (Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+
+In the case where the KDC returns a KRB_ERROR in response to the AS_REQ,
+the server will silently discard the DHCPDISCOVER and the conversation
+will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+                   AS_REQ ->
+                                     <- KRB_ERROR
+
+In the inter-realm case where the DHCP Kerberos mutual authentication is
+successful, the conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+DHCPDISCOVER
+(Incomplete
+ AS_REQ)  ->
+                   AS_REQ ->
+                                <- AS_REP
+                   TGS_REQ ->
+                   (cross realm,
+                   for home
+                   KDC)
+
+
+
+Hornstein, et al.            Standards Track                   [Page 15]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+                                           <- TGS_REP
+
+                   TGS_REQ
+                    U-2-U ->
+                                <- TGS_REP
+                <- DHCPOFFER,
+                    (AS_REP,
+                    AP_REQ,
+                    Integrity)
+DHCPREQUEST
+ (Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+
+In the case where the client includes PADATA in the AS_REQ attribute
+within the authentication option of the DHCPDISCOVER and the KDC returns
+an error-free AS_REP indicating successful validation of the PADATA, the
+DHCP server will conclude that the DHCP client is authentic.  If the KDC
+then returns a KRB_ERROR in response to the TGS_REQ, indicating a fault
+that lies with the DHCP server, the server MAY choose not to silently
+discard the DHCPDISCOVER.  Instead it MAY respond with a DHCPOFFER
+including a KRB_ERROR attribute within the authentication option. The
+client will then treat this as an unauthenticated DHCPOFFER.  The
+conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ
+ w/PADATA)  ->
+                   AS_REQ ->
+                                     <- AS_REP
+                   TGS_REQ
+                    U-2-U ->
+                                     <- KRB_ERROR
+                <- DHCPOFFER,
+                    (KRB_ERROR)
+DHCPREQUEST ->
+                <- DHCPACK
+
+In the intra-realm case where the client included PADATA in the AS_REQ
+attribute of the authentication option and the AS_REQ was successfully
+validated by the KDC, the DHCP server will conclude that the DHCP client
+is authentic. In this case if the client successfully validates the
+integrity attribute in the DHCPOFFER, but the server does not validate
+the integrity attribute in the client's DHCPREQUEST, the server MAY
+
+
+
+Hornstein, et al.            Standards Track                   [Page 16]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+choose to respond with an authenticated DHCPNAK containing a KRB_ERROR
+attribute.  The conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ
+ w/PADATA)  ->
+                   AS_REQ ->
+                                     <- AS_REP
+                   TGS_REQ
+                    U-2-U ->
+                                     <- TGS_REP
+                <- DHCPOFFER,
+                    (AS_REP,
+                    AP_REQ,
+                    Integrity)
+DHCPREQUEST
+ (Integrity) ->
+                <- DHCNAK
+                    (KRB_ERROR,
+                     Integrity)
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+
+In the intra-realm case where the DHCP client cannot validate the
+integrity attribute in the DHCPOFFER, the client silently discards the
+DHCPOFFER. The conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+                   AS_REQ ->
+                                     <- AS_REP
+                   TGS_REQ
+                    U-2-U ->
+                                     <- TGS_REP
+                <- DHCPOFFER,
+                   (AS_REP,
+                   AP_REQ,
+                   Integrity)
+DHCPREQUEST
+
+
+
+Hornstein, et al.            Standards Track                   [Page 17]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+ [To another server]
+ (Integrity) ->
+
+In the intra-realm case where the DHCP client cannot validate the
+integrity attribute in the DHCPACK, the client reverts to INIT state.
+The conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+DHCPDISCOVER
+(Incomplete
+ AS_REQ)  ->
+                   AS_REQ ->
+                                     <- AS_REP
+                   TGS_REQ
+                    U-2-U ->
+                                     <- TGS_REP
+                <- DHCPOFFER,
+                    (AS_REP,
+                    AP_REQ,
+                    Integrity)
+DHCPREQUEST
+ (Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+
+4.6.2.  INIT-REBOOT, RENEWING or REBINDING
+
+In the intra-realm or inter-realm case where the original user-to-user
+ticket is still valid, and the DHCP server still has a valid TGT to the
+home realm, the conversation will appear as follows:
+
+   DHCP               DHCP             Home
+   Client             Server            KDC
+--------------     -------------     ---------
+
+DHCPREQUEST
+ (TGT,
+ Integrity)  ->
+                   TGS_REQ
+                    U-2-U ->
+                                     <- TGS_REP
+                <- DHCPACK
+                    (AP_REQ,
+
+
+
+Hornstein, et al.            Standards Track                   [Page 18]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+                    Integrity)
+
+In the intra-realm or inter-realm case where the DHCP server validates
+the integrity attribute in the DHCPREQUEST, but receives a KRB_ERROR in
+response to the TGS_REQ to the KDC, the DHCP sever MAY choose not to
+silently discard the DHCPREQUEST and MAY return an authenticated DHCPNAK
+to the client instead, using the user-to-user session key previously
+established with the client. The conversation appears as follows:
+
+   DHCP               DHCP             Home
+   Client             Server            KDC
+--------------     -------------     ---------
+
+DHCPREQUEST
+ (TGT,
+ Integrity)  ->
+                   TGS_REQ
+                    U-2-U ->
+                                     <- KRB_ERROR
+                <- DHCPNAK
+                    (KRB_ERROR,
+                    Integrity)
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+
+In the intra-realm or inter-realm case where the DHCP server cannot
+validate the integrity attribute in the DHCPREQUEST, the DHCP server
+MUST silently discard the DHCPREQUEST and the conversation will appear
+as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+
+DHCPREQUEST
+ (TGT,
+ Integrity)  ->
+                   Silent discard
+[Sequence repeats
+ until timeout]
+
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+
+In the intra-realm or inter-realm case where the original user-to-user
+ticket is still valid, the server validates the integrity attribute in
+
+
+
+Hornstein, et al.            Standards Track                   [Page 19]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+the DHCPREQUEST, but the client fails to validate the integrity
+attribute in the DHCPACK, the client will silently discard the DHCPACK.
+The conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+
+DHCPREQUEST
+ (TGT,
+ Integrity)  ->
+
+                <- DHCPACK
+                    (AP_REQ,
+                    Integrity)
+DHCPDISCOVER
+ (Incomplete
+ AS_REQ)  ->
+
+4.6.3.  DHCPINFORM (with known DHCP server)
+
+In the case where the DHCP client knows the DHCP server it will be
+interacting with, the DHCP client will obtain a ticket to the DHCP
+server and will include AP_REQ and integrity attributes within the
+DHCPINFORM.
+
+Where the DHCP Kerberos mutual authentication is successful, the
+conversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+AS_REQ ->
+                                     <- AS_REP
+TGS_REQ ->
+                                     <- TGS_REP
+DHCPINFORM
+ (AP_REQ,
+ Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+
+In the inter-realm case where the DHCP Kerberos mutual authentication is
+successful, the conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+
+
+
+Hornstein, et al.            Standards Track                   [Page 20]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+AS_REQ ->
+                                          <- AS_REP
+TGS_REQ ->
+                                          <- TGS_REP
+TGS_REQ ->
+                               <- TGS_REP
+DHCPINFORM
+ (AP_REQ,
+ Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+
+In the inter-realm case where the DHCP server fails to validate the
+integrity attribute in the DHCPINFORM, the server MUST silently discard
+the DHCPINFORM. The conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+AS_REQ ->
+                                          <- AS_REP
+TGS_REQ ->
+                                          <- TGS_REP
+TGS_REQ ->
+                               <- TGS_REP
+DHCPINFORM
+ (AP_REQ,
+ Integrity) ->
+                <- DHCPACK
+                    (Integrity)
+DHCPINFORM
+ (AP_REQ,
+ Integrity) ->
+
+In the inter-realm case where the DHCP client fails to validate the
+integrity attribute in the DHCPACK, the client MUST silently discard the
+DHCPACK.  The conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+AS_REQ ->
+                                          <- AS_REP
+TGS_REQ ->
+                                          <- TGS_REP
+TGS_REQ ->
+                               <- TGS_REP
+DHCPINFORM
+
+
+
+Hornstein, et al.            Standards Track                   [Page 21]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+ (AP_REQ,
+ Integrity) ->
+
+4.6.4.  DHCPINFORM (with unknown DHCP server)
+
+In the case where the DHCP client does not know the DHCP server it will
+be interacting with, the DHCP client will only include a ticket
+attribute within the DHCPINFORM.  Thus the DHCP server will not be able
+to validate the authentication option.
+
+Where the DHCP client is able to validate the DHCPACK and no error
+occur, the onversation will appear as follows:
+
+   DHCP               DHCP
+   Client             Server            KDC
+--------------     -------------     ---------
+AS_REQ ->
+                                     <- AS_REP
+DHCPINFORM
+ (Ticket) ->
+                   TGS_REQ
+                    U-2-U ->
+                                     <- TGS_REP
+                <- DHCPACK
+                    (AP_REQ,
+                    Integrity)
+
+In the inter-realm case where the DHCP server needs to obtain a TGT to
+the home realm, and where the client successfully validates the DHCPACK,
+the conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+AS_REQ ->
+                                          <- AS_REP
+DHCPINFORM
+ (Ticket) ->
+                   AS_REQ ->
+                                <- AS_REP
+                   TGS_REQ ->
+                   (cross realm,
+                   for home
+                   KDC)
+                                           <- TGS_REP
+
+                   TGS_REQ
+                    U-2-U ->
+
+
+
+Hornstein, et al.            Standards Track                   [Page 22]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+                                <- TGS_REP
+                <- DHCPACK
+                    (AP_REQ,
+                    Integrity)
+
+In the inter-realm case where the local KDC returns a KRB_ERROR in
+response to the TGS_REQ from the DHCP server, the DHCP server MAY return
+a KRB_ERROR within the DHCP authentication option included in a DHCPNAK.
+The conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+AS_REQ ->
+                                          <- AS_REP
+DHCPINFORM
+ (Ticket) ->
+                   AS_REQ ->
+                                <- AS_REP
+                   TGS_REQ ->
+                   (cross realm,
+                   for home
+                   KDC)
+                                           <- KRB_ERROR
+                <- DHCPNAK
+                    (KRB_ERROR)
+
+
+In the inter-realm case where the DHCP client fails to validate the
+integrity attribute in the DHCPACK, the client MUST silently discard the
+DHCPACK.  The conversation will appear as follows:
+
+   DHCP            DHCP           Home      Local
+   Client          Server         KDC        KDC
+--------------  -------------  ---------  ---------
+AS_REQ ->
+                                          <- AS_REP
+DHCPINFORM
+ (Ticket) ->
+                   AS_REQ ->
+                                <- AS_REP
+                   TGS_REQ ->
+                   (cross realm,
+                   for home
+                   KDC)
+                                           <- TGS_REP
+
+                   TGS_REQ
+
+
+
+Hornstein, et al.            Standards Track                   [Page 23]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+                    U-2-U ->
+                                <- TGS_REP
+                <- DHCPACK
+                    (AP_REQ,
+                    Integrity)
+DHCPINFORM
+ (Ticket) ->
+
+5.  References
+
+
+[1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
+     Levels", BCP 14, RFC 2119, March 1997.
+
+[2]  Kohl, J., Neuman, C., "The Kerberos Network Authentication Service
+     (V5)", RFC 1510, September 1993.
+
+[3]  Droms, R., Arbaugh, W., "Authentication for DHCP Messages",
+     Internet draft (work in progress), draft-ietf-dhc-
+     authentication-11.txt, June 1999.
+
+[4]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March
+     1997.
+
+[5]  Alexander, S., Droms, R., "DHCP Options and BOOTP Vendor
+     Extensions", RFC 2132, March 1997.
+
+[6]  Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
+
+[7]  Jain, V., Congdon, P., Roese, J., "Network Port Authentication",
+     IEEE 802.1 PAR submission, June 1999.
+
+[8]  Tung, B., Neuman, C., Hur, M., Medvinsky, A., Medvinsky, S., Wray,
+     J., Trostle, J., "Public Key Cryptography for Initial
+     Authentication in Kerberos", Internet draft (work in progress),
+     draft-ietf-cat-kerberos-pk-init-09.txt, June 1999.
+
+[9]  Tung, B., Ryutov, T., Neuman, C., Tsudik, G., Sommerfeld, B.,
+     Medvinsky, A., Hur, M.,  "Public Key Cryptography for Cross-Realm
+     Authentication in Kerberos", Internet draft (work in progress),
+     draft-ietf-cat-kerberos-pk-cross-04.txt, June 1999.
+
+[10] Mills, D., "Network Time Protocol (Version 3)", RFC-1305, March
+     1992.
+
+[11] Henry, M., "DHCP Option 61 UUID Type Definition", Internet draft
+     (work in progress), draft-henry-DHCP-opt61-UUID-type-00.txt,
+     November 1998.
+
+
+
+Hornstein, et al.            Standards Track                   [Page 24]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+6.  Security Considerations
+
+DHCP authentication, described in [3], addresses the following threats:
+
+     Modification of messages
+     Rogue servers
+     Unauthorized clients
+
+This section describes how DHCP authentication via Kerberos V addresses
+each of these threats.
+
+6.1.  Client security
+
+As noted in [3], it may be desirable to ensure that IP addresses are
+only allocated to authorized clients. This can serve to protect against
+denial of service attacks. To address this issue it is necessary for
+DHCP client messages to be authenticated. In order to guard against
+message modification, it is also necessary for DHCP client messages to
+be integrity protected.
+
+Note that this protocol does not make use of KRB_SAFE, so as to allow
+modification of mutable fields by the DHCP relay. Replay protection is
+therefore provided within the DHCP authentication option itself.
+
+In DHCP authentication via Kerberos V the DHCP client will authenticate,
+integrity and replay-protect the DHCPREQUEST, DHCPDECLINE and
+DHCPRELEASE messages using a user-to-user session key obtained by the
+DHCP server from the home KDC. If the DHCP client knows the DHCP server
+it will be interacting with, then the DHCP client MAY also authenticate,
+integrity and replay-protect the DHCPINFORM message using a session key
+obtained from the local realm KDC for the DHCP server it expects to
+converse with.
+
+Since the client has not yet obtained a session key, DHCPDISCOVER
+packets cannot be authenticated using the session key. However, the
+client MAY include pre-authentication data in the PADATA field included
+in the DHCPDISCOVER packet. Since the PADATA will then be used by the
+DHCP server to request a ticket on the client's behalf, the DHCP server
+will learn from the AS_REP whether the PADATA was acceptable or not.
+Therefore in this case, the DHCPDISCOVER will be authenticated but not
+integrity protected.
+
+Where the DHCP client does not know the DHCP server it will be
+interacting with ahead of time, the DHCPINFORM message will not be
+authenticated, integrity or replay protected.
+
+Note that snooping of PADATA and TGTs on the wire may provide an
+attacker with a means of mounting a dictionary attack, since these items
+
+
+
+Hornstein, et al.            Standards Track                   [Page 25]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+are typically encrypted with a key derived from the user's password.
+Thus use of strong passwords and/or pre-authentication methods utilizing
+strong cryptography (see [8]) are recommended.
+
+6.2.  Network access control
+
+DHCP authentication has been proposed as a method of limiting access to
+network media that are not physically secured such as wireless LANs and
+ports in college residence halls.  However, it is not particularly well
+suited to this purpose since even if address allocation is denied an
+inauthentic client may use a statically assigned IP address instead, or
+may attempt to access the network using non-IP protocols.  As a result,
+other methods, described in [6]-[7], have been proposed for controlling
+access to wireless media and switched LANs.
+
+6.3.  Server security
+
+As noted in [3], it may be desirable to protect against rogue DHCP
+servers put on the network either intentionally or by accident.  To
+address this issue it is necessary for DHCP server messages to be
+authenticated. In order to guard against message modification, it is
+also necessary for DHCP server messages to be integrity protected.
+Replay protection is also provided within the DHCP authentication
+option.
+
+All messages sent by the DHCP server are authenticated and integrity and
+replaly protected using a session key.  This includes the DHCPOFFER,
+DHCPACK, and DHCPNAK messages.  The session key is used to compute the
+DHCP authentication option, which is verified by the client.
+
+In order to provide protection against rogue servers it is necessary to
+prevent rogue servers from obtaining the credentials necessary to act as
+a DHCP server. As noted in Section 4, the Kerberos principal name for
+the DHCP server  must be of type KRB_NT_SRV_HST with  the service name
+component equal to 'dhcp'. The client MUST validate that the DHCP server
+principal name has the above  format. This convention requires that the
+administrator ensure that non-DHCP  server principals do not have names
+that match the above format.
+
+7.  IANA Considerations
+
+This draft does not create any new number spaces for IANA
+administration.
+
+8.  Acknowledgements
+
+The authors would like to acknowledge Ralph Droms and William Arbaugh,
+authors of the DHCP authentication draft [3]. This draft incorporates
+
+
+
+Hornstein, et al.            Standards Track                   [Page 26]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+material from their work; however, any mistakes in this document are
+solely the responsibility of the authors.
+
+9.  Authors' Addresses
+
+Ken Hornstein
+US Naval Research Laboratory
+Bldg A-49, Room 2
+4555 Overlook Avenue
+Washington DC  20375 USA
+
+Phone: +1 (202) 404-4765
+EMail: kenh@cmf.nrl.navy.mil
+
+Ted Lemon
+Internet Engines, Inc.
+950 Charter Street
+Redwood City, CA 94063
+
+Phone: +1 (650) 779 6031
+Email: mellon@iengines.net
+
+Bernard Aboba
+Microsoft Corporation
+One Microsoft Way
+Redmond, WA 98052
+
+Phone: +1 (425) 936-6605
+EMail: bernarda@microsoft.com
+
+Jonathan Trostle
+170 W. Tasman Dr.
+San Jose, CA 95134, U.S.A.
+
+Email: jtrostle@cisco.com
+Phone: +1 (408) 527-6201
+
+
+10.  Intellectual Property Statement
+
+The IETF takes no position regarding the validity or scope of any
+intellectual property or other rights that might be claimed to  pertain
+to the implementation or use of the technology described in this
+document or the extent to which any license under such rights might or
+might not be available; neither does it represent that it has made any
+effort to identify any such rights.  Information on the IETF's
+procedures with respect to rights in standards-track and standards-
+related documentation can be found in BCP-11.  Copies of claims of
+
+
+
+Hornstein, et al.            Standards Track                   [Page 27]
+
+
+INTERNET-DRAFT     DHCP Authentication Via Kerberos V   20 February 2000
+
+
+rights made available for publication and any assurances of licenses to
+be made available, or the result of an attempt made to obtain a general
+license or permission for the use of such proprietary rights by
+implementors or users of this specification can be obtained from the
+IETF Secretariat.
+
+The IETF invites any interested party to bring to its attention any
+copyrights, patents or patent applications, or other proprietary rights
+which may cover technology that may be required to practice this
+standard.  Please address the information to the IETF Executive
+Director.
+
+11.  Full Copyright Statement
+
+Copyright (C) The Internet Society (2000).  All Rights Reserved.
+This document and translations of it may be copied and furnished to
+others, and derivative works that comment on or otherwise explain it or
+assist in its implmentation may be prepared, copied, published and
+distributed, in whole or in part, without restriction of any kind,
+provided that the above copyright notice and this paragraph are included
+on all such copies and derivative works.  However, this document itself
+may not be modified in any way, such as by removing the copyright notice
+or references to the Internet Society or other Internet organizations,
+except as needed for the purpose of developing Internet standards in
+which case the procedures for copyrights defined in the Internet
+Standards process must be followed, or as required to translate it into
+languages other than English.  The limited permissions granted above are
+perpetual and will not be revoked by the Internet Society or its
+successors or assigns.  This document and the information contained
+herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
+INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
+
+12.  Expiration Date
+
+This memo is filed as <draft-hornstein-dhc-kerbauth-02.txt>,  and
+expires October 1, 2000.
+
+
+
+
+
+
+
+
+
+
+
+
+Hornstein, et al.            Standards Track                   [Page 28]
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-horowitz-key-derivation-01.txt b/crypto/heimdal/doc/standardisation/draft-horowitz-key-derivation-01.txt
new file mode 100644
index 0000000..4dcff48
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-horowitz-key-derivation-01.txt
@@ -0,0 +1,244 @@
+Network Working Group                                        M. Horowitz
+<draft-horowitz-key-derivation-01.txt>                  Cygnus Solutions
+Internet-Draft                                               March, 1997
+
+
+       Key Derivation for Authentication, Integrity, and Privacy
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as ``work in progress.''
+
+   To learn the current status of any Internet-Draft, please check the
+   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
+   Directories on ds.internic.net (US East Coast), nic.nordu.net
+   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
+   Rim).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   author.
+
+Abstract
+
+   Recent advances in cryptography have made it desirable to use longer
+   cryptographic keys, and to make more careful use of these keys.  In
+   particular, it is considered unwise by some cryptographers to use the
+   same key for multiple purposes.  Since most cryptographic-based
+   systems perform a range of functions, such as authentication, key
+   exchange, integrity, and encryption, it is desirable to use different
+   cryptographic keys for these purposes.
+
+   This RFC does not define a particular protocol, but defines a set of
+   cryptographic transformations for use with arbitrary network
+   protocols and block cryptographic algorithm.
+
+
+Deriving Keys
+
+   In order to use multiple keys for different functions, there are two
+   possibilities:
+
+    - Each protocol ``key'' contains multiple cryptographic keys.  The
+      implementation would know how to break up the protocol ``key'' for
+      use by the underlying cryptographic routines.
+
+    - The protocol ``key'' is used to derive the cryptographic keys.
+      The implementation would perform this derivation before calling
+
+
+
+Horowitz                                                        [Page 1]
+
+Internet Draft               Key Derivation                  March, 1997
+
+
+      the underlying cryptographic routines.
+
+   In the first solution, the system has the opportunity to provide
+   separate keys for different functions.  This has the advantage that
+   if one of these keys is broken, the others remain secret.  However,
+   this comes at the cost of larger ``keys'' at the protocol layer.  In
+   addition, since these ``keys'' may be encrypted, compromising the
+   cryptographic key which is used to encrypt them compromises all the
+   component keys.  Also, the not all ``keys'' are used for all possible
+   functions.  Some ``keys'', especially those derived from passwords,
+   are generated from limited amounts of entropy.  Wasting some of this
+   entropy on cryptographic keys which are never used is unwise.
+
+   The second solution uses keys derived from a base key to perform
+   cryptographic operations.  By carefully specifying how this key is
+   used, all of the advantages of the first solution can be kept, while
+   eliminating some disadvantages.  In particular, the base key must be
+   used only for generating the derived keys, and this derivation must
+   be non-invertible and entropy-preserving.  Given these restrictions,
+   compromise of one derived keys does not compromise the other subkeys.
+   Attack of the base key is limited, since it is only used for
+   derivation, and is not exposed to any user data.
+
+   Since the derived key has as much entropy as the base keys (if the
+   cryptosystem is good), password-derived keys have the full benefit of
+   all the entropy in the password.
+
+   To generate a derived key from a base key:
+
+      Derived Key = DK(Base Key, Well-Known Constant)
+
+   where
+
+      DK(Key, Constant) = n-truncate(E(Key, Constant))
+
+   In this construction, E(Key, Plaintext) is a block cipher, Constant
+   is a well-known constant defined by the protocol, and n-truncate
+   truncates its argument by taking the first n bits; here, n is the key
+   size of E.
+
+   If the output of E is is shorter than n bits, then some entropy in
+   the key will be lost.  If the Constant is smaller than the block size
+   of E, then it must be padded so it may be encrypted.  If the Constant
+   is larger than the block size, then it must be folded down to the
+   block size to avoid chaining, which affects the distribution of
+   entropy.
+
+   In any of these situations, a variation of the above construction is
+   used, where the folded Constant is encrypted, and the resulting
+   output is fed back into the encryption as necessary (the | indicates
+   concatentation):
+
+      K1 = E(Key, n-fold(Constant))
+      K2 = E(Key, K1)
+
+
+
+Horowitz                                                        [Page 2]
+
+Internet Draft               Key Derivation                  March, 1997
+
+
+      K3 = E(Key, K2)
+      K4 = ...
+
+      DK(Key, Constant) = n-truncate(K1 | K2 | K3 | K4 ...)
+
+   n-fold is an algorithm which takes m input bits and ``stretches''
+   them to form n output bits with no loss of entropy, as described in
+   [Blumenthal96].  In this document, n-fold is always used to produce n
+   bits of output, where n is the key size of E.
+
+   If the size of the Constant is not equal to the block size of E, then
+   the Constant must be n-folded to the block size of E.  This number is
+   used as input to E.  If the block size of E is less than the key
+   size, then the output from E is taken as input to a second invocation
+   of E.  This process is repeated until the number of bits accumulated
+   is greater than or equal to the key size of E.  When enough bits have
+   been computed, the first n are taken as the derived key.
+
+   Since the derived key is the result of one or more encryptions in the
+   base key, deriving the base key from the derived key is equivalent to
+   determining the key from a very small number of plaintext/ciphertext
+   pairs.  Thus, this construction is as strong as the cryptosystem
+   itself.
+
+
+Deriving Keys from Passwords
+
+   When protecting information with a password or other user data, it is
+   necessary to convert an arbitrary bit string into an encryption key.
+   In addition, it is sometimes desirable that the transformation from
+   password to key be difficult to reverse.  A simple variation on the
+   construction in the prior section can be used:
+
+      Key = DK(n-fold(Password), Well-Known Constant)
+
+   The n-fold algorithm is reversible, so recovery of the n-fold output
+   is equivalent to recovery of Password.  However, recovering the n-
+   fold output is difficult for the same reason recovering the base key
+   from a derived key is difficult.
+
+
+
+   Traditionally, the transformation from plaintext to ciphertext, or
+   vice versa, is determined by the cryptographic algorithm and the key.
+   A simple way to think of derived keys is that the transformation is
+   determined by the cryptographic algorithm, the constant, and the key.
+
+   For interoperability, the constants used to derive keys for different
+   purposes must be specified in the protocol specification.  The
+   constants must not be specified on the wire, or else an attacker who
+   determined one derived key could provide the associated constant and
+   spoof data using that derived key, rather than the one the protocol
+   designer intended.
+
+
+
+
+Horowitz                                                        [Page 3]
+
+Internet Draft               Key Derivation                  March, 1997
+
+
+   Determining which parts of a protocol require their own constants is
+   an issue for the designer of protocol using derived keys.
+
+
+Security Considerations
+
+   This entire document deals with security considerations relating to
+   the use of cryptography in network protocols.
+
+
+Acknowledgements
+
+   I would like to thank Uri Blumenthal, Hugo Krawczyk, and Bill
+   Sommerfeld for their contributions to this document.
+
+
+References
+
+   [Blumenthal96] Blumenthal, U., "A Better Key Schedule for DES-Like
+      Ciphers", Proceedings of PRAGOCRYPT '96, 1996.
+
+
+Author's Address
+
+   Marc Horowitz
+   Cygnus Solutions
+   955 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone: +1 617 354 7688
+   Email: marc@cygnus.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz                                                        [Page 4]
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-08.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-08.txt
new file mode 100644
index 0000000..ccba35e
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-08.txt
@@ -0,0 +1,62 @@
+
+
+A new Request for Comments is now available in online RFC libraries.
+
+
+        RFC 2078
+
+        Title:      Generic Security Service Application Program
+                    Interface, Version 2
+        Author:     J. Linn
+        Date:       January 1997
+        Mailbox:    John.Linn@ov.com
+        Pages:      85
+        Characters: 185990
+        Obsoletes:  1508
+
+        URL:        ftp://ds.internic.net/rfc/rfc2078.txt
+
+
+This memo revises RFC-1508, making specific, incremental changes in
+response to implementation experience and liaison requests. It is
+intended, therefore, that this memo or a successor version thereto
+will become the basis for subsequent progression of the GSS-API
+specification on the standards track.  This document is a product of
+the Common Authentication Technology Working Group.
+
+This is now a Proposed Standard Protocol.
+
+This document specifies an Internet standards track protocol for the
+Internet community, and requests discussion and suggestions for
+improvements.  Please refer to the current edition of the "Internet
+Official Protocol Standards" (STD 1) for the standardization state and
+status of this protocol.  Distribution of this memo is unlimited.
+
+This announcement is sent to the IETF list and the RFC-DIST list.
+Requests to be added to or deleted from the IETF distribution list
+should be sent to IETF-REQUEST@CNRI.RESTON.VA.US.  Requests to be
+added to or deleted from the RFC-DIST distribution list should
+be sent to RFC-DIST-REQUEST@ISI.EDU.
+
+Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
+an EMAIL message to rfc-info@ISI.EDU with the message body 
+help: ways_to_get_rfcs.  For example:
+
+        To: rfc-info@ISI.EDU
+        Subject: getting rfcs
+
+        help: ways_to_get_rfcs
+
+Requests for special distribution should be addressed to either the
+author of the RFC in question, or to admin@DS.INTERNIC.NET.  Unless
+specifically noted otherwise on the RFC itself, all RFCs are for
+unlimited distribution.
+
+Submissions for Requests for Comments should be sent to
+RFC-EDITOR@ISI.EDU.  Please consult RFC 1543, Instructions to RFC
+Authors, for further information.
+
+
+Joyce K. Reynolds and Mary Kennedy
+USC/Information Sciences Institute
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-cbind-04.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-cbind-04.txt
new file mode 100644
index 0000000..518f4c6
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-gssv2-cbind-04.txt
@@ -0,0 +1,6188 @@
+
+   Internet draft                                                    J.Wray
+   IETF Common Authentication Technology WG   Digital Equipment Corporation
+   <draft-ietf-cat-gssv2-cbind-04.txt>                           March 1997
+
+
+
+             Generic Security Service API Version 2 : C-bindings
+
+
+   1. STATUS OF THIS MEMO
+
+   This document is an Internet Draft.  Internet Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its Areas, and
+   its Working Groups.  Note that other groups may also distribute working
+   documents as Internet Drafts.  Internet Drafts are draft documents valid
+   for a maximum of six months. Internet Drafts may be updated, replaced,
+   or obsoleted by other documents at any time.  It is not appropriate to
+   use Internet Drafts as reference material or to cite them other than as
+   a "working draft" or "work in progress." Please check the I-D abstract
+   listing contained in each Internet Draft directory to learn the current
+   status of this or any other Internet Draft.
+
+   Comments on this document should be sent to "cat-ietf@MIT.EDU", the IETF
+   Common Authentication Technology WG discussion list.
+
+
+   2. ABSTRACT
+
+   This draft document specifies C language bindings for Version 2 of the
+   Generic Security Service Application Program Interface (GSSAPI), which
+   is described at a language-independent conceptual level in other drafts
+   [GSSAPI]. It revises RFC-1509, making specific incremental changes in
+   response to implementation experience and liaison requests.  It is
+   intended, therefore, that this draft or a successor version thereof will
+   become the basis for subsequent progression of the GSS-API specification
+   on the standards track.
+
+   The Generic Security Service Application Programming Interface provides
+   security services to its callers, and is intended for implementation
+   atop a variety of underlying cryptographic mechanisms.  Typically,
+   GSSAPI callers will be application protocols into which security
+   enhancements are integrated through invocation of services provided by
+   the GSSAPI. The GSSAPI allows a caller application to authenticate a
+   principal identity associated with a peer application, to delegate
+   rights to a peer, and to apply security services such as confidentiality
+   and integrity on a per-message basis.
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 1]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   3. INTRODUCTION
+
+   The Generic Security Service Application Programming Interface [GSSAPI]
+   provides security services to calling applications.  It allows a
+   communicating application to authenticate the user associated with
+   another application, to delegate rights to another application, and to
+   apply security services such as confidentiality and integrity on a per-
+   message basis.
+
+   There are four stages to using the GSSAPI:
+
+     (a) The application acquires a set of credentials with which it may
+         prove its identity to other processes.  The application's
+         credentials vouch for its global identity, which may or may not be
+         related to any local username under which it may be running.
+
+     (b) A pair of communicating applications establish a joint security
+         context using their credentials.  The security context is a pair
+         of GSSAPI data structures that contain shared state information,
+         which is required in order that per-message security services may
+         be provided.  Examples of state that might be shared between
+         applications as part of a security context are cryptographic keys,
+         and message sequence numbers.  As part of the establishment of a
+         security context, the context initiator is authenticated to the
+         responder, and may require that the responder is authenticated in
+         turn.  The initiator may optionally give the responder the right
+         to initiate further security contexts, acting as an agent or
+         delegate of the initiator.  This transfer of rights is termed
+         delegation, and is achieved by creating a set of credentials,
+         similar to those used by the initiating application, but which may
+         be used by the responder.
+
+         To establish and maintain the shared information that makes up the
+         security context, certain GSSAPI calls will return a token data
+         structure, which is a cryptographically protected opaque data
+         type.  The caller of such a GSSAPI routine is responsible for
+         transferring the token to the peer application, encapsulated if
+         necessary in an application-application protocol.  On receipt of
+         such a token, the peer application should pass it to a
+         corresponding GSSAPI routine which will decode the token and
+         extract the information, updating the security context state
+         information accordingly.
+
+     (c) Per-message services are invoked to apply either:
+
+           (i) integrity and data origin authentication, or
+
+          (ii) confidentiality, integrity and data origin authentication
+
+         to application data, which are treated by GSSAPI as arbitrary
+         octet-strings.  An application transmitting a message that it
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 2]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+         wishes to protect will call the appropriate GSSAPI routine
+         (gss_get_mic or gss_wrap) to apply protection, specifying the
+         appropriate security context, and send the resulting token to the
+         receiving application.  The receiver will pass the received token
+         (and, in the case of data protected by gss_get_mic, the
+         accompanying message-data) to the corresponding decoding routine
+         (gss_verify_mic or gss_unwrap) to remove the protection and
+         validate the data.
+
+     (d) At the completion of a communications session (which may extend
+         across several transport connections), each application calls a
+         GSSAPI routine to delete the security context.  Multiple contexts
+         may also be used (either successively or simultaneously) within a
+         single communications association, at the option of the
+         applications.
+
+
+   4. GSSAPI ROUTINES
+
+   This section lists the routines that make up the GSSAPI, and offers a
+   brief description of the purpose of each routine.  Detailed descriptions
+   of each routine are listed in alphabetical order in section 7.
+
+   Table 4-1  GSSAPI Credential-management Routines
+
+         ROUTINE            SECTION        FUNCTION
+
+     gss_acquire_cred          7.2  Assume a global identity;
+                                    Obtain a GSSAPI credential
+                                    handle for pre-existing
+                                    credentials.
+
+     gss_add_cred              7.3  Construct credentials
+                                    incrementally
+
+     gss_inquire_cred          7.21 Obtain information about
+                                    a credential.
+
+     gss_inquire_cred_by_mech  7.22 Obtain per-mechanism information
+                                    about a credential.
+
+     gss_release_cred          7.27 Discard a credential handle.
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 3]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Table 4-2  GSSAPI Context-level Routines
+
+         ROUTINE            SECTION        FUNCTION
+
+     gss_init_sec_context      7.19 Initiate a security context
+                                    with a peer application
+
+
+     gss_accept_sec_context    7.1  Accept a security context
+                                    initiated by a peer
+                                    application
+
+     gss_delete_sec_context    7.9  Discard a security context
+
+     gss_process_context_token 7.25 Process a token on a security
+                                    context from a peer
+                                    application
+
+     gss_context_time          7.7  Determine for how long a
+                                    context will remain valid
+
+     gss_inquire_context       7.20 Obtain information about a
+                                    security context
+
+     gss_wrap_size_limit       7.33 Determine token-size limit for
+                                    gss_wrap on a context
+
+     gss_export_sec_context    7.14 Transfer a security context to
+                                    another process
+
+     gss_import_sec_context    7.17 Import a transferred context
+
+
+
+
+   Table 4-3  GSSAPI Per-message Routines
+
+         ROUTINE            SECTION        FUNCTION
+
+     gss_get_mic               7.15 Calculate a cryptographic
+                                    Message Integrity Code (MIC)
+                                    for a message; integrity service
+
+     gss_verify_mic            7.32 Check a MIC against a message;
+                                    verify integrity of a received
+                                    message
+
+     gss_wrap                  7.36 Attach a MIC to a message, and
+                                    optionally encrypt the message
+                                    content; confidentiality service
+
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 4]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+     gss_unwrap                7.31 Verify a message with attached
+                                    MIC, and decrypt message
+                                    content if necessary.
+
+
+
+
+   Table 4-4  GSSAPI Name manipulation Routines
+
+         ROUTINE              SECTION        FUNCTION
+
+     gss_import_name            7.16 Convert a contiguous string name
+                                     to internal-form
+
+     gss_display_name           7.10 Convert internal-form name
+                                     to text
+
+     gss_compare_name           7.6  Compare two internal-form names
+
+     gss_release_name           7.28 Discard an internal-form name
+
+     gss_inquire_names_for_mech 7.24 List the name-types supported
+                                     by a specified mechanism
+
+     gss_inquire_mechs_for_name 7.23 List mechanisms that support
+                                     a given nametype
+
+     gss_canonicalize_name      7.5  Convert an internal name to
+                                     an MN.
+
+     gss_export_name            7.13 Convert an MN to export form
+
+     gss_duplicate_name         7.12 Create a copy of an internal name
+
+
+
+
+   Table 4-5  GSSAPI Miscellaneous Routines
+
+         ROUTINE              SECTION        FUNCTION
+
+     gss_display_status         7.11 Convert a GSSAPI status code
+                                     to text
+
+     gss_indicate_mechs         7.18 Determine available underlying
+                                     authentication mechanisms
+
+     gss_release_buffer         7.26 Discard a buffer
+
+     gss_release_oid_set        7.29 Discard a set of object
+                                     identifiers
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 5]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+     gss_create_empty_oid_set   7.8  Create a set containing no
+                                     object identifiers
+
+     gss_add_oid_set_member     7.4  Add an object identifier to
+                                     a set
+
+     gss_test_oid_set_member    7.30 Determines whether an object
+                                     identifier is a member of a set
+
+
+
+
+
+   Individual GSSAPI implementations may augment these routines by
+   providing additional mechanism-specific routines if required
+   functionality is not available from the generic forms.  Applications are
+   encouraged to use the generic routines wherever possible on portability
+   grounds.
+
+
+   5. DATA TYPES AND CALLING CONVENTIONS
+
+   The following conventions are used by the GSSAPI C-language bindings:
+
+   5.1.  Integer types
+
+   GSSAPI uses the following integer data type:
+
+        OM_uint32      32-bit unsigned integer
+
+   Where guaranteed minimum bit-count is important, this portable data type
+   is used by the GSSAPI routine definitions.  Individual GSSAPI
+   implementations will include appropriate typedef definitions to map this
+   type onto a built-in data type.  If the platform supports the X/Open
+   xom.h header file, the OM_uint32 definition contained therein should be
+   used; the GSSAPI header file in Appendix A contains logic that will
+   detect the prior inclusion of xom.h, and will not attempt to re-declare
+   OM_uint32.  If the X/Open header file is not available on the platform,
+   the GSSAPI implementation should use the smallest natural unsigned
+   integer type that provides at least 32 bits of precision.
+
+   5.2.  String and similar data
+
+   Many of the GSSAPI routines take arguments and return values that
+   describe contiguous octet-strings.  All such data is passed between the
+   GSSAPI and the caller using the gss_buffer_t data type.  This data type
+   is a pointer to a buffer descriptor, which consists of a length field
+   that contains the total number of bytes in the datum, and a value field
+   which contains a pointer to the actual datum:
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 6]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+        typedef struct gss_buffer_desc_struct {
+           size_t  length;
+           void    *value;
+        } gss_buffer_desc, *gss_buffer_t;
+
+   Storage for data returned to the application by a GSSAPI routine using
+   the gss_buffer_t conventions is allocated by the GSSAPI routine.  The
+   application may free this storage by invoking the gss_release_buffer
+   routine.  Allocation of the gss_buffer_desc object is always the
+   responsibility of the application;  unused gss_buffer_desc objects may
+   be initialized to the value GSS_C_EMPTY_BUFFER.
+
+   5.2.1.  Opaque data types
+
+   Certain multiple-word data items are considered opaque data types at the
+   GSSAPI, because their internal structure has no significance either to
+   the GSSAPI or to the caller.  Examples of such opaque data types are the
+   input_token parameter to gss_init_sec_context (which is opaque to the
+   caller), and the input_message parameter to gss_wrap (which is opaque to
+   the GSSAPI).  Opaque data is passed between the GSSAPI and the
+   application using the gss_buffer_t datatype.
+
+   5.2.2.  Character strings
+
+   Certain multiple-word data items may be regarded as simple ISO Latin-1
+   character strings.  Examples are the printable strings passed to
+   gss_import_name via the input_name_buffer parameter. Some GSSAPI
+   routines also return character strings.  All such character strings are
+   passed between the application and the GSSAPI implementation using the
+   gss_buffer_t datatype, which is a pointer to a gss_buffer_desc object.
+
+   When a gss_buffer_desc object describes a printable string, the length
+   field of the gss_buffer_desc should only count printable characters
+   within the string.  In particular, a trailing NUL character should NOT
+   be included in the length count, nor should either the GSSAPI
+   implementation or the application assume the presence of an uncounted
+   trailing NUL.
+
+   5.3.  Object Identifiers
+
+   Certain GSSAPI procedures take parameters of the type gss_OID, or Object
+   identifier.  This is a type containing ISO-defined tree-structured
+   values, and is used by the GSSAPI caller to select an underlying
+   security mechanism and to specify namespaces.  A value of type gss_OID
+   has the following structure:
+
+        typedef struct gss_OID_desc_struct {
+           OM_uint32 length;
+           void      *elements;
+        } gss_OID_desc, *gss_OID;
+
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 7]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   The elements field of this structure points to the first byte of an
+   octet string containing the ASN.1 BER encoding of the value portion of
+   the normal BER TLV encoding of the gss_OID.  The length field contains
+   the number of bytes in this value.  For example, the gss_OID value
+   corresponding to {iso(1) identified-organization(3) icd-ecma(12)
+   member-company(2) dec(1011) cryptoAlgorithms(7) DASS(5)}, meaning the
+   DASS X.509 authentication mechanism, has a length field of 7 and an
+   elements field pointing to seven octets containing the following octal
+   values: 53,14,2,207,163,7,5. GSSAPI implementations should provide
+   constant gss_OID values to allow applications to request any supported
+   mechanism, although applications are encouraged on portability grounds
+   to accept the default mechanism.  gss_OID values should also be provided
+   to allow applications to specify particular name types (see section
+   5.10).  Applications should treat gss_OID_desc values returned by GSSAPI
+   routines as read-only.  In particular, the application should not
+   attempt to deallocate them with free().  The gss_OID_desc datatype is
+   equivalent to the X/Open OM_object_identifier datatype[XOM].
+
+   5.4.  Object Identifier Sets
+
+   Certain GSSAPI procedures take parameters of the type gss_OID_set.  This
+   type represents one or more object identifiers (section 5.3).  A
+   gss_OID_set object has the following structure:
+
+        typedef struct gss_OID_set_desc_struct {
+           size_t       count;
+           gss_OID   elements;
+        } gss_OID_set_desc, *gss_OID_set;
+
+   The count field contains the number of OIDs within the set.  The
+   elements field is a pointer to an array of gss_OID_desc objects, each of
+   which describes a single OID.  gss_OID_set values are used to name the
+   available mechanisms supported by the GSSAPI, to request the use of
+   specific mechanisms, and to indicate which mechanisms a given credential
+   supports.
+
+   All OID sets returned to the application by GSSAPI are dynamic objects
+   (the gss_OID_set_desc, the "elements" array of the set, and the
+   "elements" array of each member OID are all dynamically allocated), and
+   this storage must be deallocated by the application using the
+   gss_release_oid_set() routine.
+
+
+   5.5.  Credentials
+
+   A credential handle is a caller-opaque atomic datum that identifies a
+   GSSAPI credential data structure.  It is represented by the caller-
+   opaque type gss_cred_id_t, which should be implemented as a pointer or
+   arithmetic type.  If a pointer implementation is chosen, care must be
+   taken to ensure that two gss_cred_id_t values may be compared with the
+   == operator.
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 8]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSSAPI credentials can contain mechanism-specific principal
+   authentication data for multiple mechanisms.  A GSSAPI credential is
+   composed of a set of credential-elements, each of which is applicable to
+   a single mechanism.  A credential may contain at most one credential-
+   element for each supported mechanism. A credential-element identifies
+   the data needed by a single mechanism to authenticate a single
+   principal, and conceptually contains two credential-references that
+   describing the actual mechanism-specific authentication data, one to be
+   used by GSSAPI for initiating contexts,  and one to be used for
+   accepting contexts.  For mechanisms that do not distinguish between
+   acceptor and initiator credentials, both references would point to the
+   same underlying mechanism-specific authentication data.
+
+   Credentials describe a set of mechanism-specific principals, and give
+   their holder the ability to act as any of those principals.  All
+   principal identities asserted by a single GSSAPI credential should
+   belong to the same entity, although enforcement of this property is an
+   implementation-specific matter.  The GSSAPI does not make the actual
+   credentials available to applications; instead a credential handle is
+   used to identify a particular credential, held internally by GSSAPI.
+   The combination of GSSAPI credential handle and mechanism identifies the
+   principal whose identity will be asserted by the credential when used
+   with that mechanism.
+
+   The gss_init_sec_context and gss_accept_sec_context routines allow the
+   value GSS_C_NO_CREDENTIAL to be specified as their credential handle
+   parameter.  This special credential-handle indicates a desire by the
+   application to act as a default principal.  While individual GSSAPI
+   implementations are free to determine such default behavior as
+   appropriate to the mechanism, the following default behavior by these
+   routines is recommended for portability:
+
+     (a) gss_init_sec_context
+
+           (i) If there is only a single principal capable of initiating
+               security contexts for the chosen mechanism that the
+               application is authorized to act on behalf of, then that
+               principal shall be used, otherwise
+
+          (ii) If the platform maintains a concept of a default network-
+               identity for the chosen mechanism, and if the application is
+               authorized to act on behalf of that identity for the purpose
+               of initiating security contexts, then the principal
+               corresponding to that identity shall be used, otherwise
+
+         (iii) If the platform maintains a concept of a default local
+               identity, and provides a means to map local identities into
+               network-identities for the chosen mechanism, and if the
+               application is authorized to act on behalf of the network-
+               identity image of the default local identity for the purpose
+               of initiating security contexts using the chosen mechanism,
+
+
+
+   Wray             Document Expiration: 1 September 1997          [Page 9]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               then the principal corresponding to that identity shall be
+               used, otherwise
+
+          (iv) A user-configurable default identity should be used.
+
+     (b) gss_accept_sec_context
+
+           (i) If there is only a single authorized principal identity
+               capable of accepting security contexts for the chosen
+               mechanism, then that principal shall be used, otherwise
+
+          (ii) If the mechanism can determine the identity of the target
+               principal by examining the context-establishment token, and
+               if the accepting application is authorized to act as that
+               principal for the purpose of accepting security contexts
+               using the chosen mechanism, then that principal identity
+               shall be used, otherwise
+
+         (iii) If the mechanism supports context acceptance by any
+               principal, and if mutual authentication was not requested,
+               any principal that the application is authorized to accept
+               security contexts under using the chosen mechanism may be
+               used, otherwise
+
+          (iv) A user-configurable default identity shall be used.
+
+   The purpose of the above rules is to allow security contexts to be
+   established by both initiator and acceptor using the default behavior
+   wherever possible.  Applications requesting default behavior are likely
+   to be more portable across mechanisms and platforms than ones that use
+   gss_acquire_cred to request a specific identity.
+
+   5.6.  Contexts
+
+   The gss_ctx_id_t data type contains a caller-opaque atomic value that
+   identifies one end of a GSSAPI security context.  It should be
+   implemented as a pointer or arithmetic type.  If a pointer type is
+   chosen, care should be taken to ensure that two gss_ctx_id_t values may
+   be compared with the == operator.
+
+   The security context holds state information about each end of a peer
+   communication, including cryptographic state information.
+
+   5.7.  Authentication tokens
+
+   A token is a caller-opaque type that GSSAPI uses to maintain
+   synchronization between the context data structures at each end of a
+   GSSAPI security context.  The token is a cryptographically protected
+   octet-string, generated by the underlying mechanism at one end of a
+   GSSAPI security context for use by the peer mechanism at the other end.
+   Encapsulation (if required) and transfer of the token are the
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 10]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   responsibility of the peer applications.  A token is passed between the
+   GSSAPI and the application using the gss_buffer_t conventions.
+
+   5.8.  Interprocess tokens
+
+   Certain GSSAPI routines are intended to transfer data between processes
+   in multi-process programs.  These routines use a caller-opaque octet-
+   string, generated by the GSSAPI in one process for use by the GSSAPI in
+   another process.  The calling application is responsible for
+   transferring such tokens between processes in an OS-specific manner.
+   Note that, while GSSAPI implementors are encouraged to avoid placing
+   sensitive information within interprocess tokens, or to
+   cryptographically protect them, many implementations will be unable to
+   avoid placing key material or other sensitive data within them.  It is
+   the application's responsibility to ensure that interprocess tokens are
+   protected in transit, and transferred only to processes that are
+   trustworthy. An interprocess token is passed between the GSSAPI and the
+   application using the gss_buffer_t conventions.
+
+   5.9.  Status values
+
+   One or more status codes are returned by each GSSAPI routine.  Two
+   distinct sorts of status codes are returned.  These are termed GSS
+   status codes and Mechanism status codes.
+
+   5.9.1.  GSS status codes
+
+   GSSAPI routines return GSS status codes as their OM_uint32 function
+   value.  These codes indicate errors that are independent of the
+   underlying mechanism(s) used to provide the security service.  The
+   errors that can be indicated via a GSS status code are either generic
+   API routine errors (errors that are defined in the GSS-API
+   specification) or calling errors (errors that are specific to these
+   language bindings).
+
+   A GSS status code can indicate a single fatal generic API error from the
+   routine and a single calling error.  In addition, supplementary status
+   information may be indicated via the setting of bits in the
+   supplementary info field of a GSS status code.
+
+   These errors are encoded into the 32-bit GSS status code as follows:
+
+       MSB                                                        LSB
+       |------------------------------------------------------------|
+       | Calling Error | Routine Error  |    Supplementary Info     |
+       |------------------------------------------------------------|
+    Bit 31           24 23            16 15                        0
+
+
+   Hence if a GSS-API routine returns a GSS status code whose upper 16 bits
+   contain a non-zero value, the call failed.  If the calling error field
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 11]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   is non-zero, the invoking application's call of the routine was
+   erroneous.  Calling errors are defined in table 5-1.  If the routine
+   error field is non-zero, the routine failed for one of the routine-
+   specific reasons listed below in table 5-2.  Whether or not the upper 16
+   bits indicate a failure or a success, the routine may indicate
+   additional information by setting bits in the supplementary info field
+   of the status code.  The meaning of individual bits is listed below in
+   table 5-3.
+
+   Table 5-1  Calling Errors
+
+         Name                    Value in        Meaning
+                                   Field
+    GSS_S_CALL_INACCESSIBLE_READ     1           A required input
+                                                 parameter could
+                                                 not be read.
+    GSS_S_CALL_INACCESSIBLE_WRITE    2           A required output
+                                                 parameter could
+                                                 not be written.
+    GSS_S_CALL_BAD_STRUCTURE         3           A parameter was
+                                                 malformed
+
+
+
+
+   Table 5-2  Routine Errors
+
+          Name             Value in       Meaning
+                            Field
+
+    GSS_S_BAD_MECH             1      An unsupported mechanism was
+                                      requested
+    GSS_S_BAD_NAME             2      An invalid name was supplied
+    GSS_S_BAD_NAMETYPE         3      A supplied name was of an
+                                      unsupported type
+    GSS_S_BAD_BINDINGS         4      Incorrect channel bindings
+                                      were supplied
+    GSS_S_BAD_STATUS           5      An invalid status code was
+                                      supplied
+    GSS_S_BAD_SIG              6      A token had an invalid
+    GSS_S_BAD_MIC                     MIC
+    GSS_S_NO_CRED              7      No credentials were supplied,
+                                      or the credentials were
+                                      unavailable or inaccessible.
+    GSS_S_NO_CONTEXT           8      No context has been
+                                      established
+    GSS_S_DEFECTIVE_TOKEN      9      A token was invalid
+    GSS_S_DEFECTIVE_CREDENTIAL 10     A credential was invalid
+    GSS_S_CREDENTIALS_EXPIRED  11     The referenced credentials
+                                      have expired
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 12]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+    GSS_S_CONTEXT_EXPIRED      12     The context has expired
+    GSS_S_FAILURE              13     Miscellaneous failure
+                                      (see text)
+    GSS_S_BAD_QOP              14     The quality-of-protection
+                                      requested could not be
+                                      provide
+    GSS_S_UNAUTHORIZED         15     The operation is forbidden by
+                                      local security policy
+    GSS_S_UNAVAILABLE          16     The operation or option is not
+                                      available
+    GSS_S_DUPLICATE_ELEMENT    17     The requested credential element
+                                      already exists
+    GSS_S_NAME_NOT_MN          18     The provided name was not a
+                                      mechanism name.
+
+
+
+
+
+   Table 5-3  Supplementary Status Bits
+
+    Name                Bit Number         Meaning
+    GSS_S_CONTINUE_NEEDED   0 (LSB)  The routine must be called
+                                     again to complete its function.
+                                     See routine documentation for
+                                     detailed description.
+    GSS_S_DUPLICATE_TOKEN   1        The token was a duplicate of
+                                     an earlier token
+    GSS_S_OLD_TOKEN         2        The token's validity period
+                                     has expired
+    GSS_S_UNSEQ_TOKEN       3        A later token has already been
+                                     processed
+    GSS_S_GAP_TOKEN         4        An expected per-message token
+                                     was not received
+
+
+   The routine documentation also uses the name GSS_S_COMPLETE, which is a
+   zero value, to indicate an absence of any API errors or supplementary
+   information bits.
+
+   All GSS_S_xxx symbols equate to complete OM_uint32 status codes, rather
+   than to bitfield values.  For example, the actual value of the symbol
+   GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is 3 << 16.
+
+   The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and
+   GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS status
+   code and removes all but the relevant field.  For example, the value
+   obtained by applying GSS_ROUTINE_ERROR to a status code removes the
+   calling errors and supplementary info fields, leaving only the routine
+   errors field.  The values delivered by these macros may be directly
+   compared with a GSS_S_xxx symbol of the appropriate type.  The macro
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 13]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_ERROR() is also provided, which when applied to a GSS status code
+   returns a non-zero value if the status code indicated a calling or
+   routine error, and a zero value otherwise.  All macros defined by GSS-
+   API evaluate their argument(s) exactly once.
+
+   A GSS-API implementation may choose to signal calling errors in a
+   platform-specific manner instead of, or in addition to the routine
+   value;  routine errors and supplementary info should be returned via
+   routine status values only.
+
+   5.9.2.  Mechanism-specific status codes
+
+   GSS-API routines return a minor_status parameter, which is used to
+   indicate specialized errors from the underlying security mechanism.
+   This parameter may contain a single mechanism-specific error, indicated
+   by a OM_uint32 value.
+
+   The minor_status parameter will always be set by a GSS-API routine, even
+   if it returns a calling error or one of the generic API errors indicated
+   above as fatal, although most other output parameters may remain unset
+   in such cases.  However, output parameters that are expected to return
+   pointers to storage allocated by a routine must always be set by the
+   routine, even in the event of an error, although in such cases the GSS-
+   API routine may elect to set the returned parameter value to NULL to
+   indicate that no storage was actually allocated.  Any length field
+   associated with such pointers (as in a gss_buffer_desc structure) should
+   also be set to zero in such cases.
+
+   The GSS status code GSS_S_FAILURE is used to indicate that the
+   underlying mechanism detected an error for which no specific GSS status
+   code is defined.  The mechanism status code will provide more details
+   about the error.
+
+   5.10.  Names
+
+   A name is used to identify a person or entity.  GSS-API authenticates
+   the relationship between a name and the entity claiming the name.
+
+   Since different authentication mechanisms may employ different
+   namespaces for identifying their principals, GSSAPI's naming support is
+   necessarily complex in multi-mechanism environments (or even in some
+   single-mechanism environments where the underlying mechanism supports
+   multiple namespaces).
+
+   Two distinct representations are defined for names:
+
+     (a) An internal form.  This is the GSSAPI "native" format for names,
+         represented by the implementation-specific gss_name_t type.  It is
+         opaque to GSSAPI callers.  A single gss_name_t object may contain
+         multiple names from different namespaces, but all names should
+         refer to the same entity.  An example of such an internal name
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 14]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+         would be the name returned from a call to the gss_inquire_cred
+         routine, when applied to a credential containing credential
+         elements for multiple authentication mechanisms employing
+         different namespaces.  This gss_name_t object will contain a
+         distinct name for the entity for each authentication mechanism.
+
+         For GSSAPI implementations supporting multiple namespaces, objects
+         of type gss_name_t must contain sufficient information to
+         determine the namespace to which each primitive name belongs.
+
+     (b) Mechanism-specific contiguous octet-string forms.  A format
+         capable of containing a single name (from a single namespace).
+         Contiguous string names are always accompanied by an object
+         identifier specifying the namespace to which the name belongs, and
+         their format is dependent on the authentication mechanism that
+         employs the name.  Many, but not all, contiguous string names will
+         be printable, and may therefore be used by GSSAPI applications for
+         communication with their users.
+
+   Routines (gss_import_name and gss_display_name) are provided to convert
+   names between contiguous string representations and the internal
+   gss_name_t type.  gss_import_name may support multiple syntaxes for each
+   supported namespace, allowing users the freedom to choose a preferred
+   name representation.  gss_display_name should use an implementation-
+   chosen printable syntax for each supported name-type.
+
+   If an application calls gss_display_name(), passing the internal name
+   resulting from a call to gss_import_name(), there is no guarantee the
+   the resulting contiguous string name will be the same as the original
+   imported string name.  Nor do name-space identifiers necessarily survive
+   unchanged after a journey through the internal name-form.  An example of
+   this might be a mechanism that authenticates X.500 names, but provides
+   an algorithmic mapping of Internet DNS names into X.500.  That
+   mechanism's implementation of gss_import_name() might, when presented
+   with a DNS name, generate an internal name that contained both the
+   original DNS name and the equivalent X.500 name. Alternatively, it might
+   only store the X.500 name.  In the latter case, gss_display_name() would
+   most likely generate a printable X.500 name, rather than the original
+   DNS name.
+
+   The process of authentication delivers to the context acceptor an
+   internal name.  Since this name has been authenticated by a single
+   mechanism, it contains only a single name (even if the internal name
+   presented by the context initiator to gss_init_sec_context had multiple
+   components).  Such names are termed internal mechanism names, or "MN"s
+   and the names emitted by gss_accept_sec_context() are always of this
+   type.  Since some applications may require MNs without wanting to incur
+   the overhead of an authentication operation, a second function,
+   gss_canonicalize_name(), is provided to convert a general internal name
+   into an MN.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 15]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Comparison of internal-form names may be accomplished via the
+   gss_compare_name() routine, which returns true if the two names being
+   compared refer to the same entity.  This removes the need for the
+   application program to understand the syntaxes of the various printable
+   names that a given GSS-API implementation may support.  Since GSSAPI
+   assumes that all primitive names contained within a given internal name
+   refer to the same entity, gss_compare_name() can return true if the two
+   names have at least one primitive name in common.  If the implementation
+   embodies knowledge of equivalence relationships between names taken from
+   different namespaces, this knowledge may also allow successful
+   comparison of internal names containing no overlapping primitive
+   elements.
+
+   When used in large access control lists, the overhead of invoking
+   gss_import_name() and gss_compare_name() on each name from the ACL may
+   be prohibitive.  As an alternative way of supporting this case, GSSAPI
+   defines a special form of the contiguous string name which may be
+   compared directly (e.g. with memcmp()).  Contigous names suitable for
+   comparison are generated by the gss_export_name() routine, which
+   requires an MN as input.  Exported names may be re-imported by the
+   gss_import_name() routine, and the resulting internal name will also be
+   an MN.  The gss_OID constant GSS_C_NT_EXPORT_NAME indentifies the
+   "export name" type, and the value of this constant is given in Appendix
+   A.     Structurally, an exported name object consists of a header
+   containing an OID identifying the mechanism that authenticated the name,
+   and a trailer containing the name itself, where the syntax of the
+   trailer is defined by the individual mechanism specification.   The
+   precise format of an export name is defined in the language-independent
+   GSSAPI specification [GSSAPI].
+
+   Note that the results obtained by using gss_compare_name() will in
+   general be different from those obtained by invoking
+   gss_canonicalize_name() and gss_export_name(), and then comparing the
+   exported names.  The first series of operation determines whether two
+   (unauthenticated) names identify the same principal; the second whether
+   a particular mechanism would authenticate them as the same principal.
+   These two operations will in general give the same results only for MNs.
+
+   The gss_name_t datatype should be implemented as a pointer type.  To
+   allow the compiler to aid the application programmer by performing
+   type-checking, the use of (void *) is discouraged.  A pointer to an
+   implementation-defined type is the preferred choice.
+
+   Storage is allocated by routines that return gss_name_t values.  A
+   procedure, gss_release_name, is provided to free storage associated with
+   an internal-form name.
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 16]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   5.11.  Channel Bindings
+
+   GSS-API supports the use of user-specified tags to identify a given
+   context to the peer application.  These tags are intended to be used to
+   identify the particular communications channel that carries the context.
+   Channel bindings are communicated to the GSS-API using the following
+   structure:
+
+        typedef struct gss_channel_bindings_struct {
+           OM_uint32       initiator_addrtype;
+           gss_buffer_desc initiator_address;
+           OM_uint32       acceptor_addrtype;
+           gss_buffer_desc acceptor_address;
+           gss_buffer_desc application_data;
+        } *gss_channel_bindings_t;
+
+   The initiator_addrtype and acceptor_addrtype fields denote the type of
+   addresses contained in the initiator_address and acceptor_address
+   buffers.  The address type should be one of the following:
+
+        GSS_C_AF_UNSPEC      Unspecified address type
+        GSS_C_AF_LOCAL       Host-local address type
+        GSS_C_AF_INET        Internet address type (e.g. IP)
+        GSS_C_AF_IMPLINK     ARPAnet IMP address type
+        GSS_C_AF_PUP         pup protocols (eg BSP) address type
+        GSS_C_AF_CHAOS       MIT CHAOS protocol address type
+        GSS_C_AF_NS          XEROX NS address type
+        GSS_C_AF_NBS         nbs address type
+        GSS_C_AF_ECMA        ECMA address type
+        GSS_C_AF_DATAKIT     datakit protocols address type
+        GSS_C_AF_CCITT       CCITT protocols
+        GSS_C_AF_SNA         IBM SNA address type
+        GSS_C_AF_DECnet      DECnet address type
+        GSS_C_AF_DLI         Direct data link interface address type
+        GSS_C_AF_LAT         LAT address type
+        GSS_C_AF_HYLINK      NSC Hyperchannel address type
+        GSS_C_AF_APPLETALK   AppleTalk address type
+        GSS_C_AF_BSC         BISYNC 2780/3780 address type
+        GSS_C_AF_DSS         Distributed system services address type
+        GSS_C_AF_OSI         OSI TP4 address type
+        GSS_C_AF_X25         X25
+        GSS_C_AF_NULLADDR    No address specified
+
+   Note that these symbols name address families rather than specific
+   addressing formats.  For address families that contain several
+   alternative address forms, the initiator_address and acceptor_address
+   fields must contain sufficient information to determine which address
+   form is used.  When not otherwise specified, addresses should be
+   specified in network byte-order (that is, native byte-ordering for the
+   address family).
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 17]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Conceptually, the GSS-API concatenates the initiator_addrtype,
+   initiator_address, acceptor_addrtype, acceptor_address and
+   application_data to form an octet string.  The mechanism calculates a
+   MIC over this octet string, and binds the MIC to the context
+   establishment token emitted by gss_init_sec_context.  The same bindings
+   are presented by the context acceptor to gss_accept_sec_context, and a
+   MIC is calculated in the same way.  The calculated MIC is compared with
+   that found in the token, and if the MICs differ, gss_accept_sec_context
+   will return a GSS_S_BAD_BINDINGS error, and the context will not be
+   established.  Some mechanisms may include the actual channel binding
+   data in the token (rather than just a MIC); applications should
+   therefore not use confidential data as channel-binding components.
+   Individual mechanisms may impose additional constraints on addresses and
+   address types that may appear in channel bindings.  For example, a
+   mechanism may verify that the initiator_address field of the channel
+   bindings presented to gss_init_sec_context contains the correct network
+   address of the host system.  Portable applications should therefore
+   ensure that they either provide correct information for the address
+   fields, or omit addressing information, specifying GSS_C_AF_NULLADDR as
+   the address-types.
+
+   5.12.  Optional parameters
+
+   Various parameters are described as optional.  This means that they
+   follow a convention whereby a default value may be requested.  The
+   following conventions are used for omitted parameters.  These
+   conventions apply only to those parameters that are explicitly
+   documented as optional.
+
+   5.12.1.  gss_buffer_t types
+
+   Specify GSS_C_NO_BUFFER as a value.  For an input parameter this
+   signifies that default behavior is requested, while for an output
+   parameter it indicates that the information that would be returned via
+   the parameter is not required by the application.
+
+   5.12.2.  Integer types (input)
+
+   Individual parameter documentation lists values to be used to indicate
+   default actions.
+
+   5.12.3.  Integer types (output)
+
+   Specify NULL as the value for the pointer.
+
+   5.12.4.  Pointer types
+
+   Specify NULL as the value.
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 18]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   5.12.5.  Object IDs
+
+   Specify GSS_C_NO_OID as the value.
+
+   5.12.6.  Object ID Sets
+
+   Specify GSS_C_NO_OID_SET as the value.
+
+   5.12.7.  Channel Bindings
+
+   Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings are
+   not to be used.
+
+
+   6. ADDITIONAL CONTROLS
+
+   This section discusses the optional services that a context initiator
+   may request of the GSS-API at context establishment.  Each of these
+   services is requested by setting a flag in the req_flags input parameter
+   to gss_init_sec_context.
+
+   The optional services currently defined are:
+
+   Delegation - The (usually temporary) transfer of rights from initiator
+         to acceptor, enabling the acceptor to authenticate itself as an
+         agent of the initiator.
+
+   Mutual Authentication - In addition to the initiator authenticating its
+         identity to the context acceptor, the context acceptor should also
+         authenticate itself to the initiator.
+
+   Replay detection - In addition to providing message integrity services,
+         gss_get_mic and gss_wrap should include message numbering
+         information to enable gss_verify_mic and gss_unwrap to detect if a
+         message has been duplicated.
+
+   Out-of-sequence detection - In addition to providing message integrity
+         services, gss_get_mic and gss_wrap should include message
+         sequencing information to enable gss_verify_mic and gss_unwrap to
+         detect if a message has been received out of sequence.
+
+   Anonymous authentication - The establishment of the security context
+         should not reveal the initiator's identity to the context
+         acceptor.
+
+   Any currently undefined bits within such flag arguments should be
+   ignored by GSS-API implementations when presented by an application, and
+   should be set to zero when returned to the application by the GSS-API
+   implementation.
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 19]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Some mechanisms may not support all optional services, and some
+   mechanisms may only support some services in conjunction with others.
+   Both gss_init_sec_context and gss_accept_sec_context inform the
+   applications which services will be available from the context when the
+   establishment phase is complete, via the ret_flags output parameter.  In
+   general, if the security mechanism is capable of providing a requested
+   service, it should do so, even if additional services must be enabled in
+   order to provide the requested service.  If the mechanism is incapable
+   of providing a requested service, it should proceed without the service,
+   leaving the application to abort the context establishment process if it
+   considers the requested service to be mandatory.
+
+   Some mechanisms may specify that support for some services is optional,
+   and that implementors of the mechanism need not provide it.  This is
+   most commonly true of the confidentiality service, often because of
+   legal restrictions on the use of data-encryption, but may apply to any
+   of the services.  Such mechanisms are required to send at least one
+   token from acceptor to initiator during context establishment when the
+   initiator indicates a desire to use such a service, so that the
+   initiating GSSAPI can correctly indicate whether the service is
+   supported by the acceptor's GSSAPI.
+
+   6.1.  Delegation
+
+   The GSS-API allows delegation to be controlled by the initiating
+   application via a boolean parameter to gss_init_sec_context(), the
+   routine that establishes a security context.  Some mechanisms do not
+   support delegation, and for such mechanisms attempts by an application
+   to enable delegation are ignored.
+
+   The acceptor of a security context for which the initiator enabled
+   delegation will receive (via the delegated_cred_handle parameter of
+   gss_accept_sec_context) a credential handle that contains the delegated
+   identity, and this credential handle may be used to initiate subsequent
+   GSSAPI security contexts as an agent or delegate of the initiator.  If
+   the original initiator's identity is "A" and the delegate's identity is
+   "B", then, depending on the underlying mechanism, the identity embodied
+   by the delegated credential may be either "A" or "B acting for A".
+
+   For many mechanisms that support delegation, a simple boolean does not
+   provide enough control.  Examples of additional aspects of delegation
+   control that a mechanism might provide to an application are duration of
+   delegation, network addresses from which delegation is valid, and
+   constraints on the tasks that may be performed by a delegate.  Such
+   controls are presently outside the scope of the GSS-API.  GSS-API
+   implementations supporting mechanisms offering additional controls
+   should provide extension routines that allow these controls to be
+   exercised (perhaps by modifying the initiator's GSS-API credential prior
+   to its use in establishing a context).  However, the simple delegation
+   control provided by GSS-API should always be able to over-ride other
+   mechanism-specific delegation controls - If the application instructs
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 20]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   gss_init_sec_context() that delegation is not desired, then the
+   implementation must not permit delegation to occur.  This is an
+   exception to the general rule that a mechanism may enable services even
+   if they are not requested - delegation may only be provide at the
+   explicit request of the application.
+
+   6.2.  Mutual authentication
+
+   Usually, a context acceptor will require that a context initiator
+   authenticate itself so that the acceptor may make an access-control
+   decision prior to performing a service for the initiator.  In some
+   cases, the initiator may also request that the acceptor authenticate
+   itself.  GSS-API allows the initiating application to request this
+   mutual authentication service by setting a flag when calling
+   gss_init_sec_context.
+
+   The initiating application is informed as to whether or not mutual
+   authentication is being requested of the context acceptor.  Note that
+   some mechanisms may not support mutual authentication, and other
+   mechanisms may always perform mutual authentication, whether or not the
+   initiating application requests it.  In particular, mutual
+   authentication my be required by some mechanisms in order to support
+   replay or out-of-sequence message detection, and for such mechanisms a
+   request for either of these services will automatically enable mutual
+   authentication.
+
+   6.3.  Replay and out-of-sequence detection
+
+   The GSS-API may provide detection of mis-ordered message once a security
+   context has been established.  Protection may be applied to messages by
+   either application, by calling either gss_get_mic or gss_wrap, and
+   verified by the peer application by calling gss_verify_mic or
+   gss_unwrap.
+
+   gss_get_mic calculates a cryptographic checksum of an application
+   message, and returns that checksum in a token.  The application should
+   pass both the token and the message to the peer application, which
+   presents them to gss_verify_mic.
+
+   gss_wrap calculates a cryptographic checksum of an application message,
+   and places both the checksum and the message inside a single token.  The
+   application should pass the token to the peer application, which
+   presents it to gss_unwrap to extract the message and verify the
+   checksum.
+
+   Either pair of routines may be capable of detecting out-of-sequence
+   message delivery, or duplication of messages. Details of such mis-
+   ordered messages are indicated through supplementary status bits in the
+   major status code returned by gss_verify_mic or gss_unwrap.  The
+   relevant supplementary bits are:
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 21]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_DUPLICATE_TOKEN - The token is a duplicate of one that has already
+         been received and processed.  Contexts that do not claim to
+         provide replay detection may still set this bit if the duplicate
+         message is processed immediately after the original, with no
+         intervening messages.
+
+   GSS_S_OLD_TOKEN - The token is too old to determine whether or not it is
+         a duplicate.  Contexts supporting out-of-sequence detection but
+         not replay detection should always set this bit if
+         GSS_S_UNSEQ_TOKEN is set; contexts that support replay detection
+         should only set this bit if the token is so old that it cannot be
+         checked for duplication.
+
+   GSS_S_UNSEQ_TOKEN - A later token has already been processed.
+
+   GSS_S_GAP_TOKEN - An earlier token has not yet been received.
+
+   A mechanism need not maintain a list of all tokens that have been
+   processed in order to support these status codes.  A typical mechanism
+   might retain information about only the most recent "N" tokens
+   processed, allowing it to distinguish duplicates and missing tokens
+   within the most recent "N" messages; the receipt of a token older than
+   the most recent "N" would result in a GSS_S_OLD_TOKEN status.
+
+   6.4.  Anonymous Authentication
+
+   In certain situations, an application may wish to initiate the
+   authentication process to authenticate a peer, without revealing its own
+   identity.  As an example, consider an application providing access to a
+   database containing medical information, and offering unrestricted
+   access to the service.  A client of such a service might wish to
+   authenticate the service (in order to establish trust in any information
+   retrieved from it), but might not wish the service to be able to obtain
+   the client's identity (perhaps due to privacy concerns about the
+   specific inquiries, or perhaps simply to avoid being placed on mailing-
+   lists).
+
+   In normal use of the GSS-API, the initiator's identity is made available
+   to the acceptor as a result of the context establishment process.
+   However, context initiators may request that their identity not be
+   revealed to the context acceptor.  Many mechanisms do not support
+   anonymous authentication, and for such mechanisms the request will not
+   be honored.  An authentication token will be still be generated, but the
+   application is always informed if a requested service is unavailable,
+   and has the option to abort context establishment if anonymity is valued
+   above the other security services that would require a context to be
+   established.
+
+   In addition to informing the application that a context is established
+   anonymously (via the ret_flags outputs from gss_init_sec_context and
+   gss_accept_sec_context), the optional src_name output from
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 22]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   gss_accept_sec_context and gss_inquire_context will, for such contexts,
+   return a reserved internal-form name, defined by the implementation.
+   When presented to gss_display_name, this reserved internal-form name
+   will result in a printable name that is syntactically distinguishable
+   from any valid principal name supported by the implementation,
+   associated with a name-type object identifier with the value
+   GSS_C_NT_ANONYMOUS, whose value us given in Appendix A.  The printable
+   form of an anonymous name should be chosen such that it implies
+   anonymity, since this name may appear in, for example, audit logs.  For
+   example, the string "<anonymous>" might be a good choice, if no valid
+   printable names supported by the implementation can begin with "<" and
+   end with ">".
+
+   6.5.  Confidentiality
+
+   If a context supports the confidentiality service, gss_wrap may be used
+   to encrypt application messages.  Messages are selectively encrypted,
+   under the control of the conf_req_flag input parameter to gss_wrap.
+
+   6.6.  Inter-process context transfer
+
+   GSSAPI V2 provides routines (gss_export_sec_context and
+   gss_import_sec_context) which allow a security context to be transferred
+   between processes on a single machine.  The most common use for such a
+   feature is a client-server design where the server is implemented as a
+   single process that accepts incoming security contexts, which then
+   launches child processes to deal with the data on these contexts.  In
+   such a design, the child processes must have access to the security
+   context data structure created within the parent by its call to
+   gss_accept_sec_context so that they can use per-message protection
+   services and delete the security context when the communication session
+   ends.
+
+   Since the security context data structure is expected to contain
+   sequencing information, it is impractical in general to share a context
+   between processes.  Thus GSSAPI provides a call (gss_export_sec_context)
+   that the process which currently owns the context can call to declare
+   that it has no intention to use the context subsequently, and to create
+   an inter-process token containing information needed by the adopting
+   process to successfully import the context.  After successful completion
+   of this call, the original security context is made inaccessible to the
+   calling process by GSSAPI, and any context handles referring to this
+   context are no longer valid.  The originating process transfers the
+   inter-process token to the adopting process, which passes it to
+   gss_import_sec_context, and a fresh gss_ctx_id_t is created such that it
+   is functionally identical to the original context.
+
+   The inter-process token may contain sensitive data from the original
+   security context (including cryptographic keys).  Applications using
+   inter-process tokens to transfer security contexts must take appropriate
+   steps to protect these tokens in transit.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 23]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Implementations are not required to support the inter-process transfer
+   of security contexts.  The ability to transfer a security context is
+   indicated when the context is created, by gss_init_sec_context or
+   gss_accept_sec_context setting the GSS_C_TRANS_FLAG bit in their
+   ret_flags parameter.
+
+
+   6.7.  The use of incomplete contexts
+
+   Some mechanisms may allow the per-message services to be used before the
+   context establishment process is complete.  For example, a mechanism may
+   include sufficient information in its initial context-level token for
+   the context acceptor to immediately decode messages protected with
+   gss_wrap or gss_get_mic.  For such a mechanism, the initiating
+   application need not wait until subsequent context-level tokens have
+   been sent and received before invoking the per-message protection
+   services.
+
+   The ability of a context to provide per-message services in advance of
+   complete context establishment is indicated by the setting of the
+   GSS_C_PROT_READY_FLAG bit in the ret_flags parameter from
+   gss_init_sec_context and gss_accept_sec_context.  Applications wishing
+   to use per-message protection services on partially-established contexts
+   should check this flag before attempting to invoke gss_wrap or
+   gss_get_mic.
+
+
+
+   7. GSS-API routine descriptions
+
+   In addition to the explicit major status codes documented here, the code
+   GSS_S_FAILURE may be returned by any routine, indicating an
+   implementation-specific or mechanism-specific error condition, further
+   details of which are reported via the minor_status parameter.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 24]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.1.  gss_accept_sec_context
+
+   OM_uint32 gss_accept_sec_context (
+        OM_uint32 *              minor_status,
+        gss_ctx_id_t *           context_handle,
+        const gss_cred_id_t      acceptor_cred_handle,
+        const gss_buffer_t       input_token_buffer,
+        const gss_channel_bindings_t
+                                 input_chan_bindings,
+        const gss_name_t *       src_name,
+        gss_OID *                mech_type,
+        gss_buffer_t             output_token,
+        OM_uint32 *              ret_flags,
+        OM_uint32 *              time_rec,
+        gss_cred_id_t *          delegated_cred_handle)
+
+   Purpose:
+
+   Allows a remotely initiated security context between the application and
+   a remote peer to be established.  The routine may return a output_token
+   which should be transferred to the peer application, where the peer
+   application will present it to gss_init_sec_context.  If no token need
+   be sent, gss_accept_sec_context will indicate this by setting the length
+   field of the output_token argument to zero.  To complete the context
+   establishment, one or more reply tokens may be required from the peer
+   application; if so, gss_accept_sec_context  will return a status flag of
+   GSS_S_CONTINUE_NEEDED, in which case it should be called again when the
+   reply token is received from the peer application, passing the token to
+   gss_accept_sec_context via the input_token parameters.
+
+   Portable applications should be constructed to use the token length and
+   return status to determine whether a token needs to be sent or waited
+   for.  Thus a typical portable caller should always invoke
+   gss_accept_sec_context within a loop:
+
+       gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+       ...
+
+       do {
+          receive_token_from_peer(input_token);
+          maj_stat = gss_accept_sec_context(&min_stat,
+                                            &context_hdl,
+                                            cred_hdl,
+                                            input_token,
+                                            input_bindings,
+                                            &client_name,
+                                            &mech_type,
+                                            output_token,
+                                            &ret_flags,
+                                            &time_rec,
+                                            &deleg_cred);
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 25]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+          if (GSS_ERROR(maj_stat)) {
+             report_error(maj_stat, min_stat);
+          };
+          if (output_token->length != 0) {
+             send_token_to_peer(output_token);
+             gss_release_buffer(&min_stat,
+                                output_token)
+          };
+          if (GSS_ERROR(maj_stat)) {
+             if (context_hdl != GSS_C_NO_CONTEXT)
+                gss_delete_sec_context(&min_stat,
+                                       &context_hdl,
+                                       GSS_C_NO_BUFFER);
+             break;
+          };
+       } while (maj_stat & GSS_S_CONTINUE_NEEDED);
+
+
+   Whenever the routine returns a major status that includes the value
+   GSS_S_CONTINUE_NEEDED, the context is not fully established and the
+   following restrictions apply to the output parameters:
+
+     (a) The value returned via the time_rec parameter is undefined
+
+     (b) Unless the accompanying ret_flags parameter contains the bit
+         GSS_C_PROT_READY_FLAG, indicating that per-message services may be
+         applied in advance of a successful completion status, the value
+         returned via the mech_type parameter may be undefined until the
+         routine returns a major status value of GSS_S_COMPLETE.
+
+     (c) The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG,
+         GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG,
+         GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the
+         ret_flags parameter should contain the values that the
+         implementation expects would be valid if context establishment
+         were to succeed.
+
+         The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits
+         within ret_flags should indicate the actual state at the time
+         gss_accept_sec_context returns, whether or not the context is
+         fully established.
+
+         Although this requires that GSSAPI implementations set the
+         GSS_C_PROT_READY_FLAG in the final ret_flags returned to a caller
+         (i.e. when accompanied by a GSS_S_COMPLETE status code),
+         applications should not rely on this behavior as the flag was not
+         defined in Version 1 of the GSSAPI. Instead, applications should
+         be prepared to use per-message services after a successful context
+         establishment, according to the GSS_C_INTEG_FLAG and
+         GSS_C_CONF_FLAG values.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 26]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+         All other bits within the ret_flags argument should be set to
+         zero.
+
+
+   While the routine returns GSS_S_CONTINUE_NEEDED, the values returned via
+   the ret_flags argument indicate the services that the implementation
+   expects to be available from the established context.
+
+   If the initial call of gss_accept_sec_context() fails, the
+   implementation should not create a context object, and should leave the
+   value of the context_handle parameter set to GSS_C_NO_CONTEXT to
+   indicate this.  In the event of a failure on a subsequent call, the
+   implementation is permitted to delete the "half-built" security context
+   (in which case it should set the context_handle parameter to
+   GSS_C_NO_CONTEXT), but the preferred behavior is to leave the security
+   context (and the context_handle parameter) untouched for the application
+   to delete (using gss_delete_sec_context).
+
+   Parameters:
+
+   context_handle    gss_ctx_id_t, read/modify
+                     context handle for new context.  Supply
+                     GSS_C_NO_CONTEXT for first call; use value
+                     returned in subsequent calls.  Once
+                     gss_accept_sec_context() has returned a value
+                     via this parameter, resources have been assigned
+                     to the corresponding context, and must be
+                     freed by the application after use with a call
+                     to gss_delete_sec_context().
+
+
+   acceptor_cred_handle  gss_cred_id_t, read
+                     Credential handle claimed by context acceptor.
+                     Specify GSS_C_NO_CREDENTIAL to accept the
+                     context as a default principal.  If
+                     GSS_C_NO_CREDENTIAL is specified, but no
+                     default acceptor principal is defined,
+                     GSS_S_NO_CRED will be returned.
+
+   input_token_buffer  buffer, opaque, read
+                     token obtained from remote application.
+
+   input_chan_bindings  channel bindings, read, optional
+                     Application-specified bindings.  Allows
+                     application to securely bind channel
+                     identification information to the security
+                     context.  If channel bindings are not
+                     used, specify GSS_C_NO_CHANNEL_BINDINGS.
+
+   src_name          gss_name_t, modify, optional
+                     Authenticated name of context initiator.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 27]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     After use, this name should be deallocated by
+                     passing it to gss_release_name().  If not
+                     required, specify NULL.
+
+   mech_type         Object ID, modify, optional
+                     Security mechanism used.  The returned
+                     OID value will be a pointer into static
+                     storage, and should be treated as read-only
+                     by the caller (in particular, it does not
+                     need to be freed).  If not required, specify
+                     NULL.
+
+   output_token      buffer, opaque, modify
+                     Token to be passed to peer application. If the
+                     length field of the returned token buffer is 0,
+                     then no token need be passed to the peer
+                     application.  If a non-zero length field is
+                     returned, the associated storage must be freed
+                     after use by the application with a call to
+                     gss_release_buffer().
+
+   ret_flags         bit-mask, modify, optional
+                     Contains various independent flags, each of
+                     which indicates that the context supports a
+                     specific service option.  If not needed,
+                     specify NULL.  Symbolic names are
+                     provided for each flag, and the symbolic names
+                     corresponding to the required flags
+                     should be logically-ANDed with the ret_flags
+                     value to test whether a given option is
+                     supported by the context.  The flags are:
+                     GSS_C_DELEG_FLAG
+                           True - Delegated credentials are available
+                                  via the delegated_cred_handle
+                                  parameter
+                           False - No credentials were delegated
+                     GSS_C_MUTUAL_FLAG
+                           True - Remote peer asked for mutual
+                                  authentication
+                           False - Remote peer did not ask for mutual
+                                   authentication
+                     GSS_C_REPLAY_FLAG
+                           True - replay of protected messages
+                                  will be detected
+                           False - replayed messages will not be
+                                   detected
+                     GSS_C_SEQUENCE_FLAG
+                           True - out-of-sequence protected
+                                  messages will be detected
+                           False - out-of-sequence messages will not
+                                   be detected
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 28]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     GSS_C_CONF_FLAG
+                           True - Confidentiality service may be invoked
+                                  by calling the gss_wrap routine
+                           False - No confidentiality service (via
+                                   gss_wrap) available. gss_wrap will
+                                   provide message encapsulation,
+                                   data-origin authentication and
+                                   integrity services only.
+                     GSS_C_INTEG_FLAG
+                           True - Integrity service may be invoked by
+                                  calling either gss_get_mic or gss_wrap
+                                  routines.
+                           False - Per-message integrity service
+                                   unavailable.
+                     GSS_C_ANON_FLAG
+                           True - The initiator does not wish to
+                                  be authenticated; the src_name
+                                  parameter (if requested) contains
+                                  an anonymous internal name.
+                           False - The initiator has been
+                                   authenticated normally.
+                     GSS_C_PROT_READY_FLAG
+                           True - Protection services (as specified
+                                  by the states of the GSS_C_CONF_FLAG
+                                  and GSS_C_INTEG_FLAG) are available
+                                  if the accompanying major status return
+                                  value is either GSS_S_COMPLETE or
+                                  GSS_S_CONTINUE_NEEDED.
+                           False - Protection services (as specified
+                                   by the states of the GSS_C_CONF_FLAG
+                                   and GSS_C_INTEG_FLAG) are available
+                                   only if the accompanying major status
+                                   return value is GSS_S_COMPLETE.
+                     GSS_C_TRANS_FLAG
+                           True - The resultant security context may
+                                  be transferred to other processes via
+                                  a call to gss_export_sec_context().
+                           False - The security context is not
+                                   transferrable.
+                     All other bits should be set to zero.
+
+   time_rec          Integer, modify, optional
+                     number of seconds for which the context
+                     will remain valid. Specify NULL if not required.
+
+   delegated_cred_handle
+                     gss_cred_id_t, modify, optional
+                     credential handle for credentials received from
+                     context initiator.  Only valid if deleg_flag in
+                     ret_flags is true, in which case an explicit
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 29]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     credential handle (i.e. not GSS_C_NO_CREDENTIAL)
+                     will be returned; if deleg_flag is false,
+                     gss_accept_context() will set this parameter to
+                     GSS_C_NO_CREDENTIAL.  If a credential handle is
+                     returned, the associated resources must be released
+                     by the application after use with a call to
+                     gss_release_cred().  Specify NULL if not required.
+
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+
+   Function value:  GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer application
+                     is required to complete the context, and that
+                     gss_accept_sec_context must be called again with that
+                     token.
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on the
+                     input_token failed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks performed
+                     on the credential failed.
+
+   GSS_S_NO_CRED     The supplied credentials were not valid for context
+                     acceptance, or the credential handle did not reference
+                     any credentials.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
+
+   GSS_S_BAD_BINDINGS The input_token contains different channel bindings
+                     to those specified via the input_chan_bindings
+                     parameter.
+
+   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did not
+                     refer to a valid context.
+
+   GSS_S_BAD_SIG     The input_token contains an invalid MIC.
+
+   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal error
+                     during context establishment.
+
+   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of a
+                     token already processed.  This is a fatal error during
+                     context establishment.
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 30]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_BAD_MECH    The received token specified a mechanism that is not
+                     supported by the implementation or the provided
+                     credential.
+
+
+
+
+
+
+
+   7.2.  gss_acquire_cred
+
+
+   OM_uint32 gss_acquire_cred (
+        OM_uint32 *              minor_status,
+        const gss_name_t         desired_name,
+        OM_uint32                time_req,
+        const gss_OID_set        desired_mechs,
+        gss_cred_usage_t         cred_usage,
+        gss_cred_id_t *          output_cred_handle,
+        gss_OID_set *            actual_mechs,
+        OM_uint32 *              time_rec)
+
+   Purpose:
+
+   Allows an application to acquire a handle for a pre-existing credential
+   by name.  GSS-API implementations must impose a local access-control
+   policy on callers of this routine to prevent unauthorized callers from
+   acquiring credentials to which they are not entitled.  This routine is
+   not intended to provide a ``login to the network'' function, as such a
+   function would involve the creation of new credentials rather than
+   merely acquiring a handle to existing credentials.  Such functions, if
+   required, should be defined in implementation-specific extensions to the
+   API.
+
+   If desired_name is GSS_C_NO_NAME, the call is interpreted as a request
+   for a credential handle that will invoke default behavior when passed to
+   gss_init_sec_context() (if cred_usage is GSS_C_INITIATE or GSS_C_BOTH)
+   or gss_accept_sec_context() (if cred_usage is GSS_C_ACCEPT or
+   GSS_C_BOTH).
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways of
+   obtaining GSS-API initiator credentials from the system login process.
+   Some implementations may therefore not support the acquisition of
+   GSS_C_INITIATE or GSS_C_BOTH credentials via gss_acquire_cred for any
+   name other than an empty name.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may chooses to delay the actual acquisition until the
+   credential is required (e.g. by gss_init_sec_context or
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 31]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   gss_accept_sec_context).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call of
+   gss_inquire_cred immediately following the call of gss_acquire_cred must
+   return valid credential data, and may therefore incur the overhead of a
+   deferred credential acquisition.
+
+   Parameters:
+
+   desired_name      gss_name_t, read
+                     Name of principal whose credential
+                     should be acquired
+
+   time_req          Integer, read, optional
+                     number of seconds that credentials
+                     should remain valid. Specify GSS_C_INDEFINITE
+                     to request that the credentials have the maximum
+                     permitted lifetime.
+
+   desired_mechs     Set of Object IDs, read, optional
+                     set of underlying security mechanisms that
+                     may be used.  GSS_C_NO_OID_SET may be used
+                     to obtain an implementation-specific default.
+
+   cred_usage        gss_cred_usage_t, read
+                     GSS_C_BOTH - Credentials may be used
+                                  either to initiate or accept
+                                  security contexts.
+                     GSS_C_INITIATE - Credentials will only be
+                                      used to initiate security
+                                      contexts.
+                     GSS_C_ACCEPT - Credentials will only be used to
+                                    accept security contexts.
+
+   output_cred_handle  gss_cred_id_t, modify
+                     The returned credential handle.  Resources
+                     associated with this credential handle must
+                     be released by the application after use
+                     with a call to gss_release_cred().
+
+   actual_mechs      Set of Object IDs, modify, optional
+                     The set of mechanisms for which the
+                     credential is valid.  Storage associated
+                     with the returned OID-set must be released by
+                     the application after use with a call to
+                     gss_release_oid_set().  Specify NULL if not
+                     required.
+
+   time_rec          Integer, modify, optional
+                     Actual number of seconds for which the
+                     returned credentials will remain valid.  If the
+                     implementation does not support expiration of
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 32]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     credentials, the value GSS_C_INDEFINITE will
+                     be returned. Specify NULL if not required
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   Function value:  GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_MECH    Unavailable mechanism requested
+
+   GSS_S_BAD_NAMETYPE Type contained within desired_name parameter is not
+                     supported
+
+   GSS_S_BAD_NAME    Value supplied for desired_name parameter is ill-
+                     formed.
+
+   GSS_S_CREDENTIALS_EXPIRED The credentials could not be acquired because
+                     they have expired.
+
+   GSS_S_NO_CRED     No credentials were found for the specified name.
+
+
+
+
+
+
+
+   7.3.  gss_add_cred
+
+
+   OM_uint32 gss_add_cred (
+        OM_uint32 *              minor_status,
+        const gss_cred_id_t      input_cred_handle,
+        const gss_name_t         desired_name,
+        const gss_OID            desired_mech,
+        gss_cred_usage_t         cred_usage,
+        OM_uint32                initiator_time_req,
+        OM_uint32                acceptor_time_req,
+        gss_cred_id_t *          output_cred_handle,
+        gss_OID_set *            actual_mechs,
+        OM_uint32 *              initiator_time_rec,
+        OM_uint32 *              acceptor_time_rec)
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 33]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Purpose:
+
+   Adds a credential-element to a credential.  The credential-element is
+   identified by the name of the principal to which it refers.  GSSAPI
+   implementations must impose a local access-control policy on callers of
+   this routine to prevent unauthorized callers from acquiring credential-
+   elements to which they are not entitled. This routine is not intended to
+   provide a ``login to the network'' function, as such a function would
+   involve the creation of new mechanism-specific authentication data,
+   rather than merely acquiring a GSSAPI handle to existing data.  Such
+   functions, if required, should be defined in implementation-specific
+   extensions to the API.
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways of
+   obtaining GSS-API initiator credentials from the system login process.
+   Some implementations may therefore not support the acquisition of
+   GSS_C_INITIATE or GSS_C_BOTH credentials via gss_acquire_cred.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may chooses to delay the actual acquisition until the
+   credential is required (e.g. by gss_init_sec_context or
+   gss_accept_sec_context).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call of
+   gss_inquire_cred immediately following the call of gss_acquire_cred must
+   return valid credential data, and may therefore incur the overhead of a
+   deferred credential acquisition.
+
+   This routine can be used to either create a new credential containing
+   all credential-elements of the original in addition to the newly-acquire
+   credential-element, or to add the new credential-element to an existing
+   credential. If NULL is specified for the output_cred_handle parameter
+   argument, the new credential-element will be added to the credential
+   identified by input_cred_handle; if a valid pointer is specified for the
+   output_cred_handle parameter, a new credential and handle will be
+   created.
+
+   If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle, the
+   gss_add_cred will create its output_cred_handle based on default
+   behavior.  That is, the call will have the same effect as if the
+   application had first made a call to gss_acquire_cred(), specifying the
+   same usage and passing GSS_C_NO_NAME as the desired_name parameter to
+   obtain an explicit credential handle embodying default behavior, passed
+   this credential handle to gss_add_cred(), and finally called
+   gss_release_cred() on the first credential handle.
+
+   If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle parameter,
+   a non-NULL output_cred_handle must be supplied.
+
+   Parameters:
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 34]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   input_cred_handle gss_cred_id_t, read, optional
+                     The credential to which a credential-element
+                     will be added.  If GSS_C_NO_CREDENTIAL is
+                     specified, the routine will create the new
+                     credential based on default behavior (see
+                     description above).  Note that, while the
+                     credential-handle is not modified by
+                     gss_add_cred(), the underlying credential
+                     will be modified if output_credential_handle
+                     is NULL.
+
+   desired_name      gss_name_t, read.
+                     Name of principal whose credential
+                     should be acquired.
+
+   desired_mech      Object ID, read
+                     Underlying security mechanism with which the
+                     credential may be used.
+
+   cred_usage        gss_cred_usage_t, read
+                     GSS_C_BOTH - Credential may be used
+                                  either to initiate or accept
+                                  security contexts.
+                     GSS_C_INITIATE - Credential will only be
+                                      used to initiate security
+                                      contexts.
+                     GSS_C_ACCEPT - Credential will only be used to
+                                    accept security contexts.
+
+   initiator_time_req Integer, read, optional
+                     number of seconds that the credential
+                     should remain valid for initiating security
+                     contexts.  This argument is ignored if the
+                     created credentials are of type GSS_C_ACCEPT.
+                     Specify GSS_C_INDEFINITE to request that the
+                     credentials have the maximum permitted initiator
+                     lifetime.
+
+   acceptor_time_req Integer, read, optional
+                     number of seconds that the credential
+                     should remain valid for accepting security
+                     contexts.  This argument is ignored if the
+                     created credentials are of type GSS_C_INITIATE.
+                     Specify GSS_C_INDEFINITE to request that the
+                     credentials have the maximum permitted initiator
+                     lifetime.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 35]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   output_cred_handle gss_cred_id_t, modify, optional
+                     The returned credential handle, containing
+                     the new credential-element and all the
+                     credential-elements from input_cred_handle.
+                     If a valid pointer to a gss_cred_id_t is
+                     supplied for this parameter, gss_add_cred
+                     creates a new credential handle containing all
+                     credential-elements from the input_cred_handle
+                     and the newly acquired credential-element; if
+                     NULL is specified for this parameter, the newly
+                     acquired credential-element will be added
+                     to the credential identified by input_cred_handle.
+                     The resources associated with any credential
+                     handle returned via this parameter must be
+                     released by the application after use with a
+                     call to gss_release_cred().
+
+   actual_mechs      Set of Object IDs, modify, optional
+                     The complete set of mechanisms for which
+                     the new credential is valid.  Storage for
+                     the returned OID-set must be freed by the
+                     application after use with a call to
+                     gss_release_oid_set(). Specify NULL if
+                     not required.
+
+   initiator_time_rec Integer, modify, optional
+                     Actual number of seconds for which the
+                     returned credentials will remain valid for
+                     initiating contexts using the specified
+                     mechanism.  If the implementation or mechanism
+                     does not support expiration of credentials, the
+                     value GSS_C_INDEFINITE will be returned. Specify
+                     NULL if not required
+
+   acceptor_time_rec Integer, modify, optional
+                     Actual number of seconds for which the
+                     returned credentials will remain valid for
+                     accepting security contexts using the specified
+                     mechanism.  If the implementation or mechanism
+                     does not support expiration of credentials, the
+                     value GSS_C_INDEFINITE will be returned. Specify
+                     NULL if not required
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_MECH    Unavailable mechanism requested
+
+   GSS_S_BAD_NAMETYPE Type contained within desired_name parameter is not
+                     supported
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 36]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_BAD_NAME    Value supplied for desired_name parameter is ill-
+                     formed.
+
+   GSS_S_DUPLICATE_ELEMENT The credential already contains an element for
+                     the requested mechanism with overlapping usage and
+                     validity period.
+
+   GSS_S_CREDENTIALS_EXPIRED The required credentials could not be added
+                     because they have expired.
+
+   GSS_S_NO_CRED     No credentials were found for the specified name.
+
+
+
+
+
+
+
+   7.4.  gss_add_oid_set_member
+
+   OM_uint32 gss_add_oid_set_member (
+        OM_uint32  *             minor_status,
+        const gss_OID            member_oid,
+        gss_OID_set *            oid_set)
+
+   Purpose:
+
+   Add an Object Identifier to an Object Identifier set.  This routine is
+   intended for use in conjunction with gss_create_empty_oid_set when
+   constructing a set of mechanism OIDs for input to gss_acquire_cred.
+
+   The oid_set parameter must refer to an OID-set that was created by
+   GSSAPI (e.g. a set returned by gss_create_empty_oid_set()).  GSSAPI
+   creates a copy of the member_oid and inserts this copy into the set,
+   expanding the storage allocated to the OID-set's elements array if
+   necessary.  The routine may add the new member OID anywhere within the
+   elements array, and implementations should verify that the new
+   member_oid is not already contained within the elements array.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   member_oid        Object ID, read
+                     The object identifier to copied into
+                     the set.
+
+   oid_set           Set of Object ID, modify
+                     The set in which the object identifier
+                     should be inserted.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 37]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+   7.5.  gss_canonicalize_name
+
+   OM_uint32 gss_canonicalize_name (
+        OM_uint32  *             minor_status,
+        const gss_name_t         input_name,
+        const gss_OID            mech_type,
+        gss_name_t *             output_name)
+
+   Purpose:
+
+   Generate a canonical mechanism name (MN) from an arbitrary internal
+   name.  The mechanism name is the name that would be returned to a
+   context acceptor on successful authentication of a context where the
+   initiator used the input_name in a successful call to gss_acquire_cred,
+   specifying an OID set containing <mech_type> as its only member,
+   followed by a call to gss_init_sec_context, specifying <mech_type> as
+   the authentication mechanism.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name        gss_name_t, read
+                     The name for which a canonical form is
+                     desired
+
+   mech_type         Object ID, read
+                     The authentication mechanism for which the
+                     canonical form of the name is desired.  The
+                     desired mechanism must be specified explicitly;
+                     no default is provided.
+
+   output_name       gss_name_t, modify
+                     The resultant canonical name.  Storage
+                     associated with this name must be freed by
+                     the application after use with a call to
+                     gss_release_name().
+
+   Function value:   GSS status code
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 38]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_COMPLETE    Successful completion.
+
+   GSS_S_BAD_MECH    The identified mechanism is not supported.
+
+   GSS_S_BAD_NAMETYPE The provided internal name contains no elements that
+                     could be processed by the sepcified mechanism.
+
+   GSS_S_BAD_NAME    The provided internal name was ill-formed.
+
+
+
+
+
+
+
+   7.6.  gss_compare_name
+
+   OM_uint32 gss_compare_name (
+        OM_uint32 *              minor_status,
+        const gss_name_t         name1,
+        const gss_name_t         name2,
+        int *                    name_equal)
+
+   Purpose:
+
+   Allows an application to compare two internal-form names to determine
+   whether they refer to the same entity.
+
+   If either name presented to gss_compare_name denotes an anonymous
+   principal, the routines should indicate that the two names do not refer
+   to the same identity.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   name1             gss_name_t, read
+                     internal-form name
+
+   name2             gss_name_t, read
+                     internal-form name
+
+   name_equal        boolean, modify
+                     non-zero - names refer to same entity
+                     zero - names refer to different entities
+                            (strictly, the names are not known
+                            to refer to the same identity).
+
+   Function value:   GSS status code
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 39]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAMETYPE The two names were of incomparable types.
+
+   GSS_S_BAD_NAME    One or both of name1 or name2 was ill-formed
+
+
+
+
+
+
+
+   7.7.  gss_context_time
+
+   OM_uint32 gss_context_time (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        OM_uint32 *              time_rec)
+
+   Purpose:
+
+   Determines the number of seconds for which the specified context will
+   remain valid.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context to be interrogated.
+
+   time_rec          Integer, modify
+                     Number of seconds that the context will remain
+                     valid.  If the context has already expired,
+                     zero will be returned.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a valid
+                     context
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 40]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.8.  gss_create_empty_oid_set
+
+   OM_uint32 gss_create_empty_oid_set (
+        OM_uint32  *             minor_status,
+        gss_OID_set *            oid_set)
+
+   Purpose:
+
+   Create an object-identifier set containing no object identifiers, to
+   which members may be subsequently added using the
+   gss_add_oid_set_member() routine.  These routines are intended to be
+   used to construct sets of mechanism object identifiers, for input to
+   gss_acquire_cred.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   oid_set           Set of Object IDs, modify
+                     The empty object identifier set.
+                     The routine will allocate the
+                     gss_OID_set_desc object, which the
+                     application must free after use with
+                     a call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+   7.9.  gss_delete_sec_context
+
+   OM_uint32 gss_delete_sec_context (
+       OM_uint32 *               minor_status,
+       gss_ctx_id_t *            context_handle,
+       gss_buffer_t              output_token)
+
+   Purpose:
+
+   Delete a security context.  gss_delete_sec_context will delete the local
+   data structures associated with the specified security context, and may
+   generate an output_token, which when passed to the peer
+   gss_process_context_token will instruct it to do likewise.  If no token
+   is required by the mechanism, the GSS-API should set the length field of
+   the output_token (if provided) to zero.  No further security services
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 41]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   may be obtained using the context specified by context_handle.
+
+   In addition to deleting established security contexts,
+   gss_delete_sec_context must also be able to delete "half-built" security
+   contexts resulting from an incomplete sequence of
+   gss_init_sec_context()/gss_accept_sec_context() calls.
+
+   The output_token parameter is retained for compatibility with version 1
+   of the GSS-API.  It is recommended that both peer applications invoke
+   gss_delete_sec_context passing the value GSS_C_NO_BUFFER for the
+   output_token parameter, indicating that no token is required, and that
+   gss_delete_sec_context should simply delete local context data
+   structures.  If the application does pass a valid buffer to
+   gss_delete_sec_context, mechanisms are encouraged to return a zero-
+   length token, indicating that no peer action is necessary, and that no
+   token should be transferred by the application.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle identifying context to delete.
+                     After deleting the context, the GSSAPI will set
+                     this context handle to GSS_C_NO_CONTEXT.
+
+   output_token      buffer, opaque, modify, optional
+                     token to be sent to remote application to
+                     instruct it to also delete the context.  It
+                     is recommended that applications specify
+                     GSS_C_NO_BUFFER for this parameter, requesting
+                     local deletion only.  If a buffer parameter is
+                     provided by the application, the mechanism may
+                     return a token in it;  mechanisms that implement
+                     only local deletion should set the length field of
+                     this token to zero to indicate to the application
+                     that no token is to be sent to the peer.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  No valid context was supplied
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 42]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.10.  gss_display_name
+
+   OM_uint32 gss_display_name (
+        OM_uint32 *              minor_status,
+        const gss_name_t         input_name,
+        gss_buffer_t             output_name_buffer,
+        gss_OID *                output_name_type)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of an opaque
+   internal-form  name for display purposes.  The syntax of a printable
+   name is defined by the GSS-API implementation.
+
+   If input_name denotes an anonymous principal, the implementation should
+   return the gss_OID value GSS_C_NT_ANONYMOUS as the output_name_type, and
+   a textual name that is syntactically distinct from all valid supported
+   printable names in output_name_buffer.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   input_name        gss_name_t, read
+                     name to be displayed
+
+   output_name_buffer  buffer, character-string, modify
+                     buffer to receive textual name string.
+                     The application must free storage associated
+                     with this name after use with a call to
+                     gss_release_buffer().
+
+   output_name_type  Object ID, modify, optional
+                     The type of the returned name.  The returned
+                     gss_OID will be a pointer into static storage,
+                     and should be treated as read-only by the caller
+                     (in particular, it does not need to be freed).
+                     Specify NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    input_name was ill-formed
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 43]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.11.  gss_display_status
+
+   OM_uint32 gss_display_status (
+        OM_uint32 *              minor_status,
+        OM_uint32                status_value,
+        int                      status_type,
+        const gss_OID            mech_type,
+        OM_uint32 *              message_context,
+        gss_buffer_t             status_string)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of a GSS-API
+   status code, for display to the user or for logging purposes.  Since
+   some status values may indicate multiple conditions, applications may
+   need to call gss_display_status multiple times, each call generating a
+   single text string.  The message_context parameter is used by
+   gss_acquire_cred to store state information about which error messages
+   have already been extracted from a given status_value; message_context
+   must be initialized to 0 by the application prior to the first call, and
+   gss_display_status will return a non-zero value in this parameter if
+   there are further messages to extract.  The message_context parameter
+   contains all state information required by gss_display_status in order
+   to extract further messages from the status_value;  even when a non-zero
+   value is returned in this parameter, the application is not required to
+   call gss_display_status again unless subsequent messages are desired.
+   The following code extracts all messages from a given status code and
+   prints them to stderr:
+
+
+       OM_uint32 message_context;
+       OM_uint32 status_code;
+       OM_uint32 maj_status;
+       OM_uint32 min_status;
+       gss_buffer_desc status_string;
+
+       ...
+
+       message_context = 0;
+
+       do {
+
+           maj_status = gss_display_status (&min_status,
+                                            status_code,
+                                            GSS_C_GSS_CODE,
+                                            GSS_C_NO_OID,
+                                            &message_context,
+                                            &status_string)
+
+           fprintf(stderr,
+                   "%.*s\n",
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 44]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                   status_string.length,
+                   status_string.value);
+
+           gss_release_buffer(&min_status,
+                              &status_string);
+
+       } while (message_context != 0);
+
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   status_value      Integer, read
+                     Status value to be converted
+
+   status_type       Integer, read
+                     GSS_C_GSS_CODE - status_value is a GSS status
+                                      code
+                     GSS_C_MECH_CODE - status_value is a mechanism
+                                       status code
+
+   mech_type         Object ID, read, optional
+                     Underlying mechanism (used to interpret a
+                     minor status value) Supply GSS_C_NO_OID to
+                     obtain the system default.
+
+   message_context   Integer, read/modify
+                     Should be initialized to zero by the
+                     application prior to the first call.
+                     On return from gss_display_status(),
+                     a non-zero status_value parameter indicates
+                     that additional messages may be extracted
+                     from the status code via subsequent calls
+                     to gss_display_status(), passing the same
+                     status_value, status_type, mech_type, and
+                     message_context parameters.
+
+   status_string     buffer, character string, modify
+                     textual interpretation of the status_value.
+                     Storage associated with this parameter must
+                     be freed by the application after use with
+                     a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 45]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_BAD_MECH    Indicates that translation in accordance with an
+                     unsupported mechanism type was requested
+
+   GSS_S_BAD_STATUS  The status value was not recognized, or the status
+                     type was neither GSS_C_GSS_CODE nor GSS_C_MECH_CODE.
+
+
+
+
+
+
+
+   7.12.  gss_duplicate_name
+
+   OM_uint32 gss_duplicate_name (
+        OM_uint32 *              minor_status,
+        const gss_name_t         src_name,
+        gss_name_t *             dest_name)
+
+   Purpose:
+
+   Create an exact duplicate of the existing internal name src_name.  The
+   new dest_name will be independent of src_name (i.e. src_name and
+   dest_name must both be released, and the release of one shall not affect
+   the validity of the other).
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   src_name          gss_name_t, read
+                     internal name to be duplicated.
+
+   dest_name         gss_name_t, modify
+                     The resultant copy of <src_name>.
+                     Storage associated with this name must
+                     be freed by the application after use
+                     with a call to gss_release_name().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The src_name parameter was ill-formed.
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 46]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.13.  gss_export_name
+
+   OM_uint32 gss_export_name (
+        OM_uint32 *              minor_status,
+        const gss_name_t         input_name,
+        gss_buffer_t             exported_name)
+
+   Purpose:
+
+   To produce a canonical contiguous string representation of a mechanism
+   name (MN), suitable for direct comparison (e.g. with memcmp) for use in
+   authorization functions (e.g. matching entries in an access-control
+   list).
+
+   The <input_name> parameter must specify a valid MN (i.e. an internal
+   name generated by gss_accept_sec_context or by gss_canonicalize_name).
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name        gss_name_t, read
+                     The MN to be exported
+
+   exported_name     gss_buffer_t, octet-string, modify
+                     The canonical contiguous string form of
+                     <input_name>.  Storage associated with
+                     this string must freed by the application
+                     after use with gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NAME_NOT_MN The provided internal name was not a mechanism name.
+
+   GSS_S_BAD_NAME    The provide internal name was ill-formed.
+
+   GSS_S_BAD_NAMETYPE The internal name was of a type not supported by the
+                     GSSAPI implementation.
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 47]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.14.  gss_export_sec_context
+
+   OM_uint32 gss_export_sec_context (
+        OM_uint32  *             minor_status,
+        gss_ctx_id_t *           context_handle,
+        gss_buffer_t             interprocess_token)
+
+   Purpose:
+
+   Provided to support the sharing of work between multiple processes.
+   This routine will typically be used by the context-acceptor, in an
+   application where a single process receives incoming connection requests
+   and accepts security contexts over them, then passes the established
+   context to one or more other processes for message exchange.
+   gss_export_sec_context() deactivates the security context for the
+   calling process and creates an interprocess token which, when passed to
+   gss_import_sec_context in another process, will re-activate the context
+   in the second process. Only a single instantiation of a given context
+   may be active at any one time; a subsequent attempt by a context
+   exporter to access the exported security context will fail.
+
+   The implementation may constrain the set of processes by which the
+   interprocess token may be imported, either as a function of local
+   security policy, or as a result of implementation decisions.  For
+   example, some implementations may constrain contexts to be passed only
+   between processes that run under the same account, or which are part of
+   the same process group.
+
+   The interprocess token may contain security-sensitive information (for
+   example cryptographic keys).  While mechanisms are encouraged to either
+   avoid placing such sensitive information within interprocess tokens, or
+   to encrypt the token before returning it to the application, in a
+   typical object-library GSSAPI implementation this may not be possible.
+   Thus the application must take care to protect the interprocess token,
+   and ensure that any process to which the token is transferred is
+   trustworthy.
+
+   If creation of the interprocess token is succesful, the implementation
+   shall deallocate all process-wide resources associated with the security
+   context, and set the context_handle to GSS_C_NO_CONTEXT.  In the event
+   of an error that makes it impossible to complete the export of the
+   security context, the implementation must not return an interprocess
+   token, and should strive to leave the security context referenced by the
+   context_handle parameter untouched.  If this is impossible, it is
+   permissible for the implementation to delete the security context,
+   providing it also sets the context_handle parameter to GSS_C_NO_CONTEXT.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 48]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle identifying the context to transfer.
+
+   interprocess_token   buffer, opaque, modify
+                        token to be transferred to target process.
+                        Storage associated with this token must be
+                        freed by the application after use with a
+                        call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has expired
+
+   GSS_S_NO_CONTEXT  The context was invalid
+
+   GSS_S_UNAVAILABLE The operation is not supported.
+
+
+
+
+
+
+
+   7.15.  gss_get_mic
+
+   OM_uint32 gss_get_mic (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        gss_qop_t                qop_req,
+        const gss_buffer_t       message_buffer,
+        gss_buffer_t             msg_token)
+
+   Purpose:
+
+   Generates a cryptographic MIC for the supplied message, and places the
+   MIC in a token for transfer to the peer application.  The qop_req
+   parameter allows a choice between several cryptographic algorithms, if
+   supported by the chosen mechanism.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     identifies the context on which the message
+                     will be sent
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 49]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+   qop_req           gss_qop_t, read, optional
+                     Specifies requested quality of protection.
+                     Callers are encouraged, on portability grounds,
+                     to accept the default quality of protection
+                     offered by the chosen mechanism, which may be
+                     requested by specifying GSS_C_QOP_DEFAULT for
+                     this parameter.  If an unsupported protection
+                     strength is requested, gss_get_mic will return a
+                     major_status of GSS_S_BAD_QOP.
+
+   message_buffer    buffer, opaque, read
+                     message to be protected
+
+   msg_token         buffer, opaque, modify
+                     buffer to receive token.  The application must
+                     free storage associated with this buffer after
+                     use with a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a valid
+                     context
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the mechanism.
+
+
+
+
+
+
+
+   7.16.  gss_import_name
+
+   OM_uint32 gss_import_name (
+        OM_uint32 *              minor_status,
+        const gss_buffer_t       input_name_buffer,
+        const gss_OID            input_name_type,
+        gss_name_t *             output_name)
+
+   Purpose:
+
+   Convert a contiguous string name to internal form.  In general, the
+   internal name returned (via the <output_name> parameter) will not be an
+   MN; the exception to this is if the <input_name_type> indicates that the
+   contiguous string provided via the <input_name_buffer> parameter is of
+   type GSS_C_NT_EXPORT_NAME, in which case the returned internal name will
+   be an MN for the mechanism that exported the name.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 50]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name_buffer  buffer, octet-string, read
+                     buffer containing contiguous string name to convert
+
+   input_name_type   Object ID, read, optional
+                     Object ID specifying type of printable
+                     name.  Applications may specify either
+                     GSS_C_NO_OID to use a mechanism-specific
+                     default printable syntax, or an OID registered
+                     by the GSS-API implementation to name a
+                     specific namespace.
+
+   output_name       gss_name_t, modify
+                     returned name in internal form.  Storage
+                     associated with this name must be freed
+                     by the application after use with a call
+                     to gss_release_name().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAMETYPE The input_name_type was unrecognized
+
+   GSS_S_BAD_NAME    The input_name parameter could not be interpreted as a
+                     name of the specified type
+
+
+
+
+
+
+
+
+   7.17.  gss_import_sec_context
+
+   OM_uint32 gss_import_sec_context (
+        OM_uint32  *             minor_status,
+        const gss_buffer_t       interprocess_token,
+        gss_ctx_id_t *           context_handle)
+
+   Purpose:
+
+   Allows a process to import a security context established by another
+   process.  A given interprocess token may be imported only once.  See
+   gss_export_sec_context.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 51]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   interprocess_token  buffer, opaque, modify
+                     token received from exporting process
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle of newly reactivated context.
+                     Resources associated with this context handle
+                     must be released by the application after use
+                     with a call to gss_delete_sec_context().
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion.
+
+   GSS_S_NO_CONTEXT  The token did not contain a valid context reference.
+
+   GSS_S_DEFECTIVE_TOKEN The token was invalid.
+
+   GSS_S_UNAVAILABLE The operation is unavailable.
+
+   GSS_S_UNAUTHORIZED Local policy prevents the import of this context by
+                     the current process..
+
+
+
+
+
+
+
+   7.18.  gss_indicate_mechs
+
+   OM_uint32 gss_indicate_mechs (
+        OM_uint32 *              minor_status,
+        gss_OID_set *            mech_set)
+
+   Purpose:
+
+   Allows an application to determine which underlying security mechanisms
+   are available.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 52]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+   mech_set          set of Object IDs, modify
+                     set of implementation-supported mechanisms.
+                     The returned gss_OID_set value will be a
+                     dynamically-allocated OID set, that should
+                     be released by the caller after use with a
+                     call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+   7.19.  gss_init_sec_context
+
+   OM_uint32 gss_init_sec_context (
+        OM_uint32 *              minor_status,
+        const gss_cred_id_t      initiator_cred_handle,
+        gss_ctx_id_t *           context_handle,
+        const gss_name_t         target_name,
+        const gss_OID            mech_type,
+        OM_uint32                req_flags,
+        OM_uint32                time_req,
+        const gss_channel_bindings_t
+                                 input_chan_bindings,
+        const gss_buffer_t       input_token
+        gss_OID *                actual_mech_type,
+        gss_buffer_t             output_token,
+        OM_uint32 *              ret_flags,
+        OM_uint32 *              time_rec )
+
+   Purpose:
+
+   Initiates the establishment of a security context between the
+   application and a remote peer.  Initially, the input_token parameter
+   should be specified either as GSS_C_NO_BUFFER, or as a pointer to a
+   gss_buffer_desc object whose length field contains the value zero.  The
+   routine may return a output_token which should be transferred to the
+   peer application, where the peer application will present it to
+   gss_accept_sec_context.  If no token need be sent, gss_init_sec_context
+   will indicate this by setting the length field of the output_token
+   argument to zero.  To complete the context establishment, one or more
+   reply tokens may be required from the peer application; if so,
+   gss_init_sec_context will return a status containing the supplementary
+   information bit GSS_S_CONTINUE_NEEDED.  In this case,
+   gss_init_sec_context should be called again when the reply token is
+   received from the peer application, passing the reply token to
+   gss_init_sec_context via the input_token parameters.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 53]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Portable applications should be constructed to use the token length and
+   return status to determine whether a token needs to be sent or waited
+   for.  Thus a typical portable caller should always invoke
+   gss_init_sec_context within a loop:
+
+       int context_established = 0;
+       gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+       ...
+       input_token->length = 0;
+
+       while (!context_established) {
+          maj_stat = gss_init_sec_context(&min_stat,
+                                          cred_hdl,
+                                          &context_hdl,
+                                          target_name,
+                                          desired_mech,
+                                          desired_services,
+                                          desired_time,
+                                          input_bindings,
+                                          input_token,
+                                          &actual_mech,
+                                          output_token,
+                                          &actual_services,
+                                          &actual_time);
+          if (GSS_ERROR(maj_stat)) {
+             report_error(maj_stat, min_stat);
+          };
+          if (output_token->length != 0) {
+             send_token_to_peer(output_token);
+             gss_release_buffer(&min_stat,
+                                output_token)
+          };
+          if (GSS_ERROR(maj_stat)) {
+             if (context_hdl != GSS_C_NO_CONTEXT)
+                gss_delete_sec_context(&min_stat,
+                                       &context_hdl,
+                                       GSS_C_NO_BUFFER);
+             break;
+          };
+          if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+             receive_token_from_peer(input_token);
+          } else {
+             context_established = 1;
+          };
+       };
+
+   Whenever the routine returns a major status that includes the value
+   GSS_S_CONTINUE_NEEDED, the context is not fully established and the
+   following restrictions apply to the output parameters:
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 54]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+     (a) The value returned via the time_rec parameter is undefined
+
+     (b) Unless the accompanying ret_flags parameter contains the bit
+         GSS_C_PROT_READY_FLAG, indicating that per-message services may be
+         applied in advance of a successful completion status, the value
+         returned via the actual_mech_type parameter is undefined until the
+         routine returns a major status value of GSS_S_COMPLETE.
+
+     (c) The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG,
+         GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG,
+         GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the
+         ret_flags parameter should contain the values that the
+         implementation expects would be valid if context establishment
+         were to succeed.  In particular, if the application has requested
+         a service such as delegation or anonymous authentication via the
+         req_flags argument, and such a service is unavailable from the
+         underlying mechanism, gss_init_sec_context should generate a token
+         that will not provide the service, and indicate via the ret_flags
+         argument that the service will not be supported.  The application
+         may choose to abort the context establishment by calling
+         gss_delete_sec_context (if it cannot continue in the absence of
+         the service), or it may choose to transmit the token and continue
+         context establishment (if the service was merely desired but not
+         mandatory).
+
+         The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits
+         within ret_flags should indicate the actual state at the time
+         gss_init_sec_context returns, whether or not the context is fully
+         established.
+
+         Although this requires that GSSAPI implementations set the
+         GSS_C_PROT_READY_FLAG in the final ret_flags returned to a caller
+         (i.e. when accompanied by a GSS_S_COMPLETE status code),
+         applications should not rely on this behavior as the flag was not
+         defined in Version 1 of the GSSAPI. Instead, applications should
+         be prepared to use per-message services after a successful context
+         establishment, according to the GSS_C_INTEG_FLAG and
+         GSS_C_CONF_FLAG values.
+
+         All other bits within the ret_flags argument should be set to
+         zero.
+
+   If the initial call of gss_init_sec_context() fails, the implementation
+   should not create a context object, and should leave the value of the
+   context_handle parameter set to GSS_C_NO_CONTEXT to indicate this.  In
+   the event of a failure on a subsequent call, the implementation is
+   permitted to delete the "half-built" security context (in which case it
+   should set the context_handle parameter to GSS_C_NO_CONTEXT), but the
+   preferred behavior is to leave the security context untouched for the
+   application to delete (using gss_delete_sec_context).
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 55]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Parameters:
+
+   minor_status      Integer,  modify
+                     Mechanism specific status code.
+
+   initiator_cred_handle  gss_cred_id_t, read, optional
+                     handle for credentials claimed.  Supply
+                     GSS_C_NO_CREDENTIAL to act as a default
+                     initiator principal.  If no default
+                     initiator is defined, the function will
+                     return GSS_S_NO_CRED.
+
+   context_handle    gss_ctx_id_t, read/modify
+                     context handle for new context.  Supply
+                     GSS_C_NO_CONTEXT for first call; use value
+                     returned by first call in continuation calls.
+                     Resources associated with this context-handle
+                     must be released by the application after use
+                     with a call to gee_delete_sec_context().
+
+   target_name       gss_name_t, read
+                     Name of target
+
+   mech_type         OID, read, optional
+                     Object ID of desired mechanism. Supply
+                     GSS_C_NO_OID to obtain an implementation
+                     specific default
+
+   req_flags         bit-mask, read
+                     Contains various independent flags, each of
+                     which requests that the context support a
+                     specific service option.  Symbolic
+                     names are provided for each flag, and the
+                     symbolic names corresponding to the required
+                     flags should be logically-ORed
+                     together to form the bit-mask value.  The
+                     flags are:
+
+                     GSS_C_DELEG_FLAG
+                           True - Delegate credentials to remote peer
+                           False - Don't delegate
+                     GSS_C_MUTUAL_FLAG
+                           True - Request that remote peer
+                                  authenticate itself
+                           False - Authenticate self to remote peer
+                                   only
+                     GSS_C_REPLAY_FLAG
+                           True - Enable replay detection for
+                                  messages protected with gss_wrap
+                                  or gss_get_mic
+                           False - Don't attempt to detect
+                                   replayed messages
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 56]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     GSS_C_SEQUENCE_FLAG
+                           True - Enable detection of out-of-sequence
+                                  protected messages
+                           False - Don't attempt to detect
+                                   out-of-sequence messages
+                     GSS_C_ANON_FLAG
+                           True - Do not reveal the initiator's
+                                  identity to the acceptor.
+                           False - Authenticate normally.
+
+   time_req          Integer, read, optional
+                     Desired number of seconds for which context
+                     should remain valid.  Supply 0 to request a
+                     default validity period.
+
+   input_chan_bindings  channel bindings, read, optional
+                     Application-specified bindings.  Allows
+                     application to securely bind channel
+                     identification information to the security
+                     context.  Specify GSS_C_NO_CHANNEL_BINDINGS
+                     if channel bindings are not used.
+
+   input_token       buffer, opaque, read, optional (see text)
+                     Token received from peer application.
+                     Supply GSS_C_NO_BUFFER, or a pointer to
+                     a buffer containing the value GSS_C_EMPTY_BUFFER
+                     on initial call.
+
+   actual_mech_type  OID, modify, optional
+                     Actual mechanism used.  The OID returned via
+                     this parameter will be a pointer to static
+                     storage that should be treated as read-only;
+                     In particular the application should not attempt
+                     to free it.  Specify NULL if not required.
+
+   output_token      buffer, opaque, modify
+                     token to be sent to peer application.  If
+                     the length field of the returned buffer is
+                     zero, no token need be sent to the peer
+                     application.  Storage associated with this
+                     buffer must be freed by the application
+                     after use with a call to gss_release_buffer().
+
+   ret_flags         bit-mask, modify, optional
+                     Contains various independent flags, each of which
+                     indicates that the context supports a specific
+                     service option.  Specify NULL if not
+                     required.  Symbolic names are provided
+                     for each flag, and the symbolic names
+                     corresponding to the required flags should be
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 57]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     logically-ANDed with the ret_flags value to test
+                     whether a given option is supported by the
+                     context.  The flags are:
+
+                     GSS_C_DELEG_FLAG
+                           True - Credentials were delegated to
+                                  the remote peer
+                           False - No credentials were delegated
+                     GSS_C_MUTUAL_FLAG
+                           True - Remote peer has been asked to
+                                  authenticated itself
+                           False - Remote peer has not been asked to
+                                   authenticate itself
+                     GSS_C_REPLAY_FLAG
+                           True - replay of protected messages
+                                  will be detected
+                           False - replayed messages will not be
+                                   detected
+                     GSS_C_SEQUENCE_FLAG
+                           True - out-of-sequence protected
+                                  messages will be detected
+                           False - out-of-sequence messages will
+                                   not be detected
+                     GSS_C_CONF_FLAG
+                           True - Confidentiality service may be
+                                  invoked by calling gss_wrap routine
+                           False - No confidentiality service (via
+                                   gss_wrap) available. gss_wrap will
+                                   provide message encapsulation,
+                                   data-origin authentication and
+                                   integrity services only.
+                     GSS_C_INTEG_FLAG
+                           True - Integrity service may be invoked by
+                                  calling either gss_get_mic or gss_wrap
+                                  routines.
+                           False - Per-message integrity service
+                                   unavailable.
+                     GSS_C_ANON_FLAG
+                           True - The initiator's identity has not been
+                                  revealed, and will not be revealed if
+                                  any emitted token is passed to the
+                                  acceptor.
+                           False - The initiator's identity has been or
+                                   will be authenticated normally.
+                     GSS_C_PROT_READY_FLAG
+                           True - Protection services (as specified
+                                  by the states of the GSS_C_CONF_FLAG
+                                  and GSS_C_INTEG_FLAG) are available for
+                                  use if the accompanying major status
+                                  return value is either GSS_S_COMPLETE or
+                                  GSS_S_CONTINUE_NEEDED.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 58]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                           False - Protection services (as specified
+                                   by the states of the GSS_C_CONF_FLAG
+                                   and GSS_C_INTEG_FLAG) are available
+                                   only if the accompanying major status
+                                   return value is GSS_S_COMPLETE.
+                     GSS_C_TRANS_FLAG
+                           True - The resultant security context may
+                                  be transferred to other processes via
+                                  a call to gss_export_sec_context().
+                           False - The security context is not
+                                   transferrable.
+                     All other bits should be set to zero.
+
+   time_rec          Integer, modify, optional
+                     number of seconds for which the context
+                     will remain valid. If the implementation does
+                     not support context expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer application
+                     is required to complete the context, and that
+                     gss_init_sec_context must be called again with that
+                     token.
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on the
+                     input_token failed
+
+   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks performed
+                     on the credential failed.
+
+   GSS_S_NO_CRED     The supplied credentials were not valid for context
+                     initiation, or the credential handle did not reference
+                     any credentials.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired
+
+   GSS_S_BAD_BINDINGS The input_token contains different channel bindings
+                     to those specified via the input_chan_bindings
+                     parameter
+
+   GSS_S_BAD_SIG     The input_token contains an invalid MIC, or a MIC that
+                     could not be verified
+
+   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal error
+                     during context establishment
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 59]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of a
+                     token already processed.  This is a fatal error during
+                     context establishment.
+
+   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did not
+                     refer to a valid context
+
+   GSS_S_BAD_NAMETYPE The provided target_name parameter contained an
+                     invalid or unsupported type of name
+
+   GSS_S_BAD_NAME    The provided target_name parameter was ill-formed.
+
+   GSS_S_BAD_MECH    The specified mechanism is not supported by the
+                     provided credential, or is unrecognized by the
+                     implementation.
+
+
+
+
+
+
+
+   7.20.  gss_inquire_context
+
+   OM_uint32 gss_inquire_context (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        gss_name_t *             src_name,
+        gss_name_t *             targ_name,
+        OM_uint32 *              lifetime_rec,
+        gss_OID *                mech_type,
+        OM_uint32 *              ctx_flags,
+        int *                    locally_initiated,
+        int *                    open )
+
+   Purpose:
+
+   Obtains information about a security context.  The caller must already
+   have obtained a handle that refers to the context, although the context
+   need not be fully established.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   context_handle    gss_ctx_id_t, read
+                     A handle that refers to the security context.
+
+   src_name          gss_name_t, modify, optional
+                     The name of the context initiator.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 60]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     If the context was established using anonymous
+                     authentication, and if the application invoking
+                     gss_inquire_context is the context acceptor,
+                     an anonymous name will be returned.  Storage
+                     associated with this name must be freed by the
+                     application after use with a call to
+                     gss_release_name().  Specify NULL if not
+                     required.
+
+   targ_name         gss_name_t, modify, optional
+                     The name of the context acceptor.
+                     Storage associated with this name must be
+                     freed by the application after use with a call
+                     to gss_release_name().  Specify NULL if not
+                     Specify NULL if not required.
+
+   lifetime_rec      Integer, modify, optional
+                     The number of seconds for which the context
+                     will remain valid.  If the context has
+                     expired, this parameter will be set to zero.
+                     If the implementation does not support
+                     context expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   mech_type         gss_OID, modify, optional
+                     The security mechanism providing the
+                     context.  The returned OID will be a
+                     pointer to static storage that should
+                     be treated as read-only by the application;
+                     in particular the application should not
+                     attempt to free it.  Specify NULL if not
+                     required.
+
+   ctx_flags         bit-mask, modify, optional
+                     Contains various independent flags, each of
+                     which indicates that the context supports
+                     (or is expected to support, if ctx_open is
+                     false) a specific service option.  If not
+                     needed, specify NULL.  Symbolic names are
+                     provided for each flag, and the symbolic names
+                     corresponding to the required flags
+                     should be logically-ANDed with the ret_flags
+                     value to test whether a given option is
+                     supported by the context.  The flags are:
+
+                     GSS_C_DELEG_FLAG
+                           True - Credentials were delegated from
+                                  the initiator to the acceptor.
+                           False - No credentials were delegated
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 61]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+                     GSS_C_MUTUAL_FLAG
+                           True - The acceptor was authenticated
+                                  to the initiator
+                           False - The acceptor did not authenticate
+                                   itself.
+                     GSS_C_REPLAY_FLAG
+                           True - replay of protected messages
+                                  will be detected
+                           False - replayed messages will not be
+                                   detected
+                     GSS_C_SEQUENCE_FLAG
+                           True - out-of-sequence protected
+                                  messages will be detected
+                           False - out-of-sequence messages will not
+                                   be detected
+                     GSS_C_CONF_FLAG
+                           True - Confidentiality service may be invoked
+                                  by calling gss_wrap routine
+                           False - No confidentiality service (via
+                                   gss_wrap) available. gss_wrap will
+                                   provide message encapsulation,
+                                   data-origin authentication and
+                                   integrity services only.
+                     GSS_C_INTEG_FLAG
+                           True - Integrity service may be invoked by
+                                  calling either gss_get_mic or gss_wrap
+                                  routines.
+                           False - Per-message integrity service
+                                   unavailable.
+                     GSS_C_ANON_FLAG
+                           True - The initiator's identity will not
+                                  be revealed to the acceptor.
+                                  The src_name parameter (if
+                                  requested) contains an anonymous
+                                  internal name.
+                           False - The initiator has been
+                                   authenticated normally.
+                     GSS_C_PROT_READY_FLAG
+                           True - Protection services (as specified
+                                  by the states of the GSS_C_CONF_FLAG
+                                  and GSS_C_INTEG_FLAG) are available
+                                  for use.
+                           False - Protection services (as specified
+                                   by the states of the GSS_C_CONF_FLAG
+                                   and GSS_C_INTEG_FLAG) are available
+                                   only if the context is fully
+                                   established (i.e. if the open parameter
+                                   is non-zero).
+                     GSS_C_TRANS_FLAG
+                           True - The resultant security context may
+                                  be transferred to other processes via
+                                  a call to gss_export_sec_context().
+                           False - The security context is not
+                                   transferrable.
+
+   Wray             Document Expiration: 1 September 1997         [Page 62]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+
+
+   locally_initiated Boolean, modify
+                     Non-zero if the invoking application is the
+                     context initiator.
+                     Specify NULL if not required.
+
+   open              Boolean, modify
+                     Non-zero if the context is fully established;
+                     Zero if a context-establishment token
+                     is expected from the peer application.
+                     Specify NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  The referenced context could not be accessed.
+
+   GSS_S_CONTEXT_EXPIRED The context has expired.  If the lifetime_rec
+                     parameter was requested, it will be set to 0.
+
+
+
+
+
+
+
+   7.21.  gss_inquire_cred
+
+   OM_uint32 gss_inquire_cred (
+        OM_uint32  *             minor_status,
+        const gss_cred_id_t      cred_handle,
+        gss_name_t *             name,
+        OM_uint32 *              lifetime,
+        gss_cred_usage_t *       cred_usage,
+        gss_OID_set *            mechanisms )
+
+   Purpose:
+
+   Obtains information about a credential.  The caller must already have
+   obtained a handle that refers to the credential.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   cred_handle       gss_cred_id_t, read
+                     A handle that refers to the target credential.
+                     Specify GSS_C_NO_CREDENTIAL to inquire about
+                     the default initiator principal.
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 63]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+
+   name              gss_name_t, modify, optional
+                     The name whose identity the credential asserts.
+                     Storage associated with this name should be freed
+                     by the application after use with a call to
+                     gss_release_name().  Specify NULL if not required.
+
+   lifetime          Integer, modify, optional
+                     The number of seconds for which the credential
+                     will remain valid.  If the credential has
+                     expired, this parameter will be set to zero.
+                     If the implementation does not support
+                     credential expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   cred_usage        gss_cred_usage_t, modify, optional
+                     How the credential may be used.  One of the
+                     following:
+                        GSS_C_INITIATE
+                        GSS_C_ACCEPT
+                        GSS_C_BOTH
+                     Specify NULL if not required.
+
+   mechanisms        gss_OID_set, modify, optional
+                     Set of mechanisms supported by the credential.
+                     Storage associated with this OID set must be
+                     freed by the application after use with a call
+                     to gss_release_oid_set().  Specify NULL if not
+                     required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     The referenced credentials could not be accessed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.  If
+                     the lifetime parameter was not passed as NULL, it will
+                     be set to 0.
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 64]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.22.  gss_inquire_cred_by_mech
+
+   OM_uint32 gss_inquire_cred_by_mech (
+        OM_uint32 *              minor_status,
+        const gss_cred_id_t      cred_handle,
+        const gss_OID            mech_type,
+        gss_name_t *             name,
+        OM_uint32 *              initiator_lifetime,
+        OM_uint32 *              acceptor_lifetime,
+        gss_cred_usage_t *       cred_usage )
+
+   Purpose:
+
+   Obtains per-mechanism information about a credential.  The caller must
+   already have obtained a handle that refers to the credential.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   cred_handle       gss_cred_id_t, read
+                     A handle that refers to the target credential.
+                     Specify GSS_C_NO_CREDENTIAL to inquire about
+                     the default initiator principal.
+
+   mech_type         gss_OID, read
+                     The mechanism for which information should be
+                     returned.
+
+   name              gss_name_t, modify, optional
+                     The name whose identity the credential asserts.
+                     Storage associated with this name must be
+                     freed by the application after use with a call
+                     to gss_release_name().  Specify NULL if not
+                     required.
+
+   initiator_lifetime  Integer, modify, optional
+                     The number of seconds for which the credential
+                     will remain capable of initiating security contexts
+                     under the specified mechanism.  If the credential
+                     can no longer be used to initiate contexts, or if
+                     the credential usage for this mechanism is
+   GSS_C_ACCEPT,
+                     this parameter will be set to zero.  If the
+                     implementation does not support expiration of
+                     initiator credentials, the value GSS_C_INDEFINITE
+                     will be returned.  Specify NULL if not required.
+
+   acceptor_lifetime Integer, modify, optional
+                     The number of seconds for which the credential
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 65]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     will remain capable of accepting security contexts
+                     under the specified mechanism.  If the credential
+                     can no longer be used to accept contexts, or if
+                     the credential usage for this mechanism is
+                     GSS_C_INITIATE, this parameter will be set to zero.
+                     If the implementation does not support expiration
+                     of acceptor credentials, the value GSS_C_INDEFINITE
+                     will be returned.  Specify NULL if not required.
+
+   cred_usage        gss_cred_usage_t, modify, optional
+                     How the credential may be used with the specified
+                     mechanism.  One of the following:
+                        GSS_C_INITIATE
+                        GSS_C_ACCEPT
+                        GSS_C_BOTH
+                     Specify NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     The referenced credentials could not be accessed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.  If
+                     the lifetime parameter was not passed as NULL, it will
+                     be set to 0.
+
+
+
+
+
+
+
+   7.23.  gss_inquire_mechs_for_name
+
+   OM_uint32 gss_inquire_mechs_for_name (
+        OM_uint32 *              minor_status,
+        const gss_name_t         input_name,
+        gss_OID_set *            mech_types )
+
+   Purpose:
+
+   Returns the set of mechanisms supported by the GSSAPI implementation
+   that may be able to process the specified name.
+
+   Each mechanism returned will recognize at least one element within the
+   name.  It is permissible for this routine to be implemented within a
+   mechanism-independent GSSAPI layer, using the type information contained
+   within the presented name, and based on registration information
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 66]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   provided by individual mechanism implementations.  This means that the
+   returned mech_types set may indicate that a particular mechanism will
+   understand the name when in fact it would refuse to accept the name as
+   input to gss_canonicalize_name, gss_init_sec_context, gss_acquire_cred
+   or gss_add_cred (due to some property of the specific name, as opposed
+   to the name type).  Thus this routine should be used only as a pre-
+   filter for a call to a subsequent mechanism-specific routine.
+
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   input_name        gss_name_t, read
+                     The name to which the inquiry relates.
+
+   mech_types        gss_OID_set, modify
+                     Set of mechanisms that may support the
+                     specified name.  The returned OID set
+                     must be freed by the caller after use
+                     with a call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The input_name parameter was ill-formed.
+
+   GSS_S_BAD_NAMETYPE The input_name parameter contained an invalid or
+                     unsupported type of name
+
+
+
+
+
+
+   7.24.  gss_inquire_names_for_mech
+
+   OM_uint32 gss_inquire_names_for_mech (
+        OM_uint32 *              minor_status,
+        const gss_OID            mechanism,
+        gss_OID_set *            name_types)
+
+   Purpose:
+
+   Returns the set of nametypes supported by the specified mechanism.
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 67]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   mechanism         gss_OID, read
+                     The mechanism to be interrogated.
+
+   name_types        gss_OID_set, modify
+                     Set of name-types supported by the specified
+                     mechanism.  The returned OID set must be
+                     freed by the application after use with a
+                     call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+   7.25.  gss_process_context_token
+
+   OM_uint32 gss_process_context_token (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        const gss_buffer_t       token_buffer)
+
+   Purpose:
+
+   Provides a way to pass a token to the security service.  Used with
+   tokens emitted by gss_delete_sec_context.  Note that mechanisms are
+   encouraged to perform local deletion, and not emit tokens from
+   gss_delete_sec_context.  This routine, therefore, is primarily for
+   backwards compatibility with V1 applications.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     context handle of context on which token is to
+                     be processed
+
+   token_buffer      buffer, opaque, read
+                     token to process
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 68]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on the
+                     token failed
+
+   GSS_S_NO_CONTEXT  The context_handle did not refer to a valid context
+
+
+
+
+
+
+
+   7.26.  gss_release_buffer
+
+   OM_uint32 gss_release_buffer (
+        OM_uint32 *              minor_status,
+        gss_buffer_t             buffer)
+
+   Purpose:
+
+   Free storage associated with a buffer.  The storage must have been
+   allocated by a GSS-API routine.  In addition to freeing the associated
+   storage, the routine will zero the length field in the descriptor to
+   which the buffer parameter refers.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   buffer            buffer, modify
+                     The storage associated with the buffer will be
+                     deleted.  The gss_buffer_desc object will not
+                     be freed, but its length field will be zeroed.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 69]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.27.  gss_release_cred
+
+   OM_uint32 gss_release_cred (
+        OM_uint32 *              minor_status,
+        gss_cred_id_t *          cred_handle)
+
+   Purpose:
+
+   Informs GSS-API that the specified credential handle is no longer
+   required by the application, and frees associated resources.
+
+   Parameters:
+
+   cred_handle       gss_cred_id_t, modify, optional
+                     Opaque handle identifying credential
+                     to be released.  If GSS_C_NO_CREDENTIAL
+                     is supplied, the routine will complete
+                     successfully, but will do nothing.
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     Credentials could not be accessed.
+
+
+
+
+
+
+
+   7.28.  gss_release_name
+
+   OM_uint32 gss_release_name (
+        OM_uint32 *              minor_status,
+        gss_name_t *             name)
+
+   Purpose:
+
+   Free GSSAPI-allocated storage by associated with an internal-form name.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   name              gss_name_t, modify
+                     The name to be deleted
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 70]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The name parameter did not contain a valid name
+
+
+
+
+
+
+
+   7.29.  gss_release_oid_set
+
+   OM_uint32 gss_release_oid_set (
+        OM_uint32 *              minor_status,
+        gss_OID_set *            set)
+
+   Purpose:
+
+   Free storage associated with a GSSAPI-generated gss_OID_set object.  The
+   set parameter must refer to an OID-set that was returned from a GSSAPI
+   routine.  gss_release_oid_set() will free the storage associated with
+   each individual member OID, the OID set's elements array, and the
+   gss_OID_set_desc.
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   set               Set of Object IDs, modify
+                     The storage associated with the gss_OID_set
+                     will be deleted.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 71]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   7.30.  gss_test_oid_set_member
+
+   OM_uint32 gss_test_oid_set_member (
+        OM_uint32  *             minor_status,
+        const gss_OID            member,
+        const gss_OID_set        set,
+        int *                    present)
+
+   Purpose:
+
+   Interrogate an Object Identifier set to determine whether a specified
+   Object Identifier is a member.  This routine is intended to be used with
+   OID sets returned by gss_indicate_mechs(), gss_acquire_cred(), and
+   gss_inquire_cred(), but will also work with user-generated sets.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   member            Object ID, read
+                     The object identifier whose presence
+                     is to be tested.
+
+   set               Set of Object ID, read
+                     The Object Identifier set.
+
+   present           Boolean, modify
+                     non-zero if the specified OID is a member
+                     of the set, zero if not.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+   7.31.  gss_unwrap
+
+   OM_uint32 gss_unwrap (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        const gss_buffer_t       input_message_buffer,
+        gss_buffer_t             output_message_buffer,
+        int *                    conf_state,
+        gss_qop_t *              qop_state)
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 72]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Purpose:
+
+   Converts a message previously protected by gss_wrap back to a usable
+   form, verifying the embedded MIC.  The conf_state parameter indicates
+   whether the message was encrypted; the qop_state parameter indicates the
+   strength of protection that was used to provide the confidentiality and
+   integrity services.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     arrived
+
+   input_message_buffer  buffer, opaque, read
+                     protected message
+
+   output_message_buffer  buffer, opaque, modify
+                     Buffer to receive unwrapped message.
+                     Storage associated with this buffer must
+                     be freed by the application after use use
+                     with a call to gss_release_buffer().
+
+   conf_state        boolean, modify, optional
+                     Non-zero - Confidentiality and integrity protection
+                                were used
+                     Zero - Integrity service only was used
+                     Specify NULL if not required
+
+   qop_state         gss_qop_t, modify, optional
+                     Quality of protection gained from MIC.
+                     Specify NULL if not required
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+   GSS_S_BAD_SIG     The MIC was incorrect
+
+   GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct MIC
+                     for the message, but it had already been processed
+
+   GSS_S_OLD_TOKEN   The token was valid, and contained a correct MIC for
+                     the message, but it is too old to check for
+                     duplication.
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 73]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC for
+                     the message, but has been verified out of sequence; a
+                     later token has already been received.
+
+   GSS_S_GAP_TOKEN   The token was valid, and contained a correct MIC for
+                     the message, but has been verified out of sequence;
+                     an earlier expected token has not yet been received.
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a valid
+                     context
+
+
+
+
+
+
+
+   7.32.  gss_verify_mic
+
+   OM_uint32 gss_verify_mic (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        const gss_buffer_t       message_buffer,
+        const gss_buffer_t       token_buffer,
+        gss_qop_t *              qop_state)
+
+   Purpose:
+
+   Verifies that a cryptographic MIC, contained in the token parameter,
+   fits the supplied message.  The qop_state parameter allows a message
+   recipient to determine the strength of protection that was applied to
+   the message.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     arrived
+
+   message_buffer    buffer, opaque, read
+                     Message to be verified
+
+   token_buffer      buffer, opaque, read
+                     Token associated with message
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 74]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+   qop_state         gss_qop_t, modify, optional
+                     quality of protection gained from MIC
+                     Specify NULL if not required
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+   GSS_S_BAD_SIG     The MIC was incorrect
+
+   GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct MIC
+                     for the message, but it had already been processed
+
+   GSS_S_OLD_TOKEN   The token was valid, and contained a correct MIC for
+                     the message, but it is too old to check for
+                     duplication.
+
+   GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC for
+                     the message, but has been verified out of sequence; a
+                     later token has already been received.
+
+   GSS_S_GAP_TOKEN   The token was valid, and contained a correct MIC for
+                     the message, but has been verified out of sequence;
+                     an earlier expected token has not yet been received.
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a valid
+                     context
+
+
+
+
+
+
+
+   7.33.  gss_wrap
+
+   OM_uint32 gss_wrap (
+        OM_uint32 *              minor_status,
+        const gss_ctx_id_t       context_handle,
+        int                      conf_req_flag,
+        gss_qop_t                qop_req
+        const gss_buffer_t       input_message_buffer,
+        int *                    conf_state,
+        gss_buffer_t             output_message_buffer )
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 75]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   Purpose:
+
+   Attaches a cryptographic MIC and optionally encrypts the specified
+   input_message.  The output_message contains both the MIC and the
+   message.  The qop_req parameter allows a choice between several
+   cryptographic algorithms, if supported by the chosen mechanism.
+
+   Since some application-level protocols may wish to use tokens emitted by
+   gss_wrap() to provide "secure framing", implementations should support
+   the wrapping of zero-length messages.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     will be sent
+
+   conf_req_flag     boolean, read
+                     Non-zero - Both confidentiality and integrity
+                                services are requested
+                     Zero - Only integrity service is requested
+
+   qop_req           gss_qop_t, read, optional
+                     Specifies required quality of protection.  A
+                     mechanism-specific default may be requested by
+                     setting qop_req to GSS_C_QOP_DEFAULT.  If an
+                     unsupported protection strength is requested,
+                     gss_wrap will return a major_status of
+                     GSS_S_BAD_QOP.
+
+   input_message_buffer  buffer, opaque, read
+                     Message to be protected
+
+   conf_state        boolean, modify, optional
+                     Non-zero - Confidentiality, data origin
+                                authentication and integrity
+                                services have been applied
+                     Zero - Integrity and data origin services only
+                            has been applied.
+                     Specify NULL if not required
+
+   output_message_buffer  buffer, opaque, modify
+                     Buffer to receive protected message.
+                     Storage associated with this message must
+                     be freed by the application after use with
+                     a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 76]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a valid
+                     context
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the mechanism.
+
+
+
+
+
+
+
+   7.34.  gss_wrap_size_limit
+
+   OM_uint32 gss_wrap_size_limit (
+        OM_uint32  *             minor_status,
+        const gss_ctx_id_t       context_handle,
+        int                      conf_req_flag,
+        gss_qop_t                qop_req,
+        OM_uint32                req_output_size,
+        OM_uint32 *              max_input_size)
+
+   Purpose:
+
+   Allows an application to determine the maximum message size that, if
+   presented to gss_wrap with the same conf_req_flag and qop_req
+   parameters, will result in an output token containing no more than
+   req_output_size bytes.
+
+   This call is intended for use by applications that communicate over
+   protocols that impose a maximum message size.  It enables the
+   application to fragment messages prior to applying protection.
+
+   Successful completion of this call does not guarantee that gss_wrap will
+   be able to protect a message of length max_input_size bytes, since this
+   ability may depend on the availability of system resources at the time
+   that gss_wrap is called.  However, if the implementation itself imposes
+   an upper limit on the length of messages that may be processed by
+   gss_wrap, the implementation should not return a value via
+   max_input_bytes that is greater than this length.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   context_handle    gss_ctx_id_t, read
+                     A handle that refers to the security over
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 77]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+                     which the messages will be sent.
+
+   conf_req_flag     Boolean, read
+                     Indicates whether gss_wrap will be asked
+                     to apply confidentiality protection in
+                     addition to integrity protection.  See
+                     the routine description for gss_wrap
+                     for more details.
+
+   qop_req           gss_qop_t, read
+                     Indicates the level of protection that
+                     gss_wrap will be asked to provide.  See
+                     the routine description for gss_wrap for
+                     more details.
+
+   req_output_size   Integer, read
+                     The desired maximum size for tokens emitted
+                     by gss_wrap.
+
+   max_input_size    Integer, modify
+                     The maximum input message size that may
+                     be presented to gss_wrap in order to
+                     guarantee that the emitted token shall
+                     be no larger than req_output_size bytes.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  The referenced context could not be accessed.
+
+   GSS_S_CONTEXT_EXPIRED The context has expired.
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the mechanism.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 78]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   APPENDIX A. GSS-API C header file gssapi.h
+
+   C-language GSS-API implementations should include a copy of the
+   following header-file.
+
+   #ifndef GSSAPI_H_
+   #define GSSAPI_H_
+
+
+
+   /*
+    * First, include stddef.h to get size_t defined.
+    */
+   #include <stddef.h>
+
+   /*
+    * If the platform supports the xom.h header file, it should be
+    * included here.
+    */
+   #include <xom.h>
+
+
+
+   /*
+    * Now define the three implementation-dependent types.
+    */
+   typedef <platform-specific> gss_ctx_id_t;
+   typedef <platform-specific> gss_cred_id_t;
+   typedef <platform-specific> gss_name_t;
+
+   /*
+    * The following type must be defined as the smallest natural
+    * unsigned integer supported by the platform that has at least
+    * 32 bits of precision.
+    */
+   typedef <platform-specific> gss_uint32;
+
+
+   #ifdef OM_STRING
+   /*
+    * We have included the xom.h header file.  Verify that OM_uint32
+    * is defined correctly.
+    */
+
+   #if sizeof(gss_uint32) != sizeof(OM_uint32)
+   #error Incompatible definition of OM_uint32 from xom.h
+   #endif
+
+   typedef OM_object_identifier gss_OID_desc, *gss_OID;
+
+   #else
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 79]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   /*
+    * We can't use X/Open definitions, so roll our own.
+    */
+
+   typedef gss_uint32 OM_uint32;
+
+   typedef struct gss_OID_desc_struct {
+         OM_uint32 length;
+         void      *elements;
+   } gss_OID_desc, *gss_OID;
+
+   #endif
+
+   typedef struct gss_OID_set_desc_struct  {
+         size_t     count;
+         gss_OID    elements;
+   } gss_OID_set_desc, *gss_OID_set;
+
+   typedef struct gss_buffer_desc_struct {
+         size_t length;
+         void *value;
+   } gss_buffer_desc, *gss_buffer_t;
+
+   typedef struct gss_channel_bindings_struct {
+         OM_uint32 initiator_addrtype;
+         gss_buffer_desc initiator_address;
+         OM_uint32 acceptor_addrtype;
+         gss_buffer_desc acceptor_address;
+         gss_buffer_desc application_data;
+   } *gss_channel_bindings_t;
+
+
+   /*
+    * For now, define a QOP-type as an OM_uint32
+    */
+   typedef OM_uint32 gss_qop_t;
+
+   typedef int gss_cred_usage_t;
+
+   /*
+    * Flag bits for context-level services.
+    */
+   #define GSS_C_DELEG_FLAG 1
+   #define GSS_C_MUTUAL_FLAG 2
+   #define GSS_C_REPLAY_FLAG 4
+   #define GSS_C_SEQUENCE_FLAG 8
+   #define GSS_C_CONF_FLAG 16
+   #define GSS_C_INTEG_FLAG 32
+   #define GSS_C_ANON_FLAG 64
+   #define GSS_C_PROT_READY_FLAG 128
+   #define GSS_C_TRANS_FLAG 256
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 80]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   /*
+    * Credential usage options
+    */
+   #define GSS_C_BOTH 0
+   #define GSS_C_INITIATE 1
+   #define GSS_C_ACCEPT 2
+
+   /*
+    * Status code types for gss_display_status
+    */
+   #define GSS_C_GSS_CODE 1
+   #define GSS_C_MECH_CODE 2
+
+   /*
+    * The constant definitions for channel-bindings address families
+    */
+   #define GSS_C_AF_UNSPEC     0
+   #define GSS_C_AF_LOCAL      1
+   #define GSS_C_AF_INET       2
+   #define GSS_C_AF_IMPLINK    3
+   #define GSS_C_AF_PUP        4
+   #define GSS_C_AF_CHAOS      5
+   #define GSS_C_AF_NS         6
+   #define GSS_C_AF_NBS        7
+   #define GSS_C_AF_ECMA       8
+   #define GSS_C_AF_DATAKIT    9
+   #define GSS_C_AF_CCITT      10
+   #define GSS_C_AF_SNA        11
+   #define GSS_C_AF_DECnet     12
+   #define GSS_C_AF_DLI        13
+   #define GSS_C_AF_LAT        14
+   #define GSS_C_AF_HYLINK     15
+   #define GSS_C_AF_APPLETALK  16
+   #define GSS_C_AF_BSC        17
+   #define GSS_C_AF_DSS        18
+   #define GSS_C_AF_OSI        19
+   #define GSS_C_AF_X25        21
+
+   #define GSS_C_AF_NULLADDR   255
+
+   /*
+    * Various Null values
+    */
+   #define GSS_C_NO_NAME ((gss_name_t) 0)
+   #define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
+   #define GSS_C_NO_OID ((gss_OID) 0)
+   #define GSS_C_NO_OID_SET ((gss_OID_set) 0)
+   #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
+   #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
+   #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
+   #define GSS_C_EMPTY_BUFFER {0, NULL}
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 81]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   /*
+    * Some alternate names for a couple of the above
+    * values.  These are defined for V1 compatibility.
+    */
+   #define GSS_C_NULL_OID GSS_C_NO_OID
+   #define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
+
+   /*
+    * Define the default Quality of Protection for per-message
+    * services.  Note that an implementation that offers multiple
+    * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
+    * (as done here) to mean "default protection", or to a specific
+    * explicit QOP value.  However, a value of 0 should always be
+    * interpreted by a GSSAPI implementation as a request for the
+    * default protection level.
+    */
+   #define GSS_C_QOP_DEFAULT 0
+
+   /*
+    * Expiration time of 2^32-1 seconds means infinite lifetime for a
+    * credential or security context
+    */
+   #define GSS_C_INDEFINITE 0xfffffffful
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x01"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    *  infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+    * GSS_C_NT_USER_NAME should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_USER_NAME;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x02"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    *  infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+    * The constant GSS_C_NT_MACHINE_UID_NAME should be
+    * initialized to point to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+
+   /*
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 82]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x03"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    *  infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+    * The constant GSS_C_NT_STRING_UID_NAME should be
+    * initialized to point to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_STRING_UID_NAME;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+    * corresponding to an object-identifier value of
+    * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+    * 6(nametypes), 2(gss-host-based-services)}.  The constant
+    * GSS_C_NT_HOSTBASED_SERVICE should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+    * corresponding to an object identifier value of
+    * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+    * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+    * and GSS_C_NT_ANONYMOUS should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_ANONYMOUS;
+
+
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+    * corresponding to an object-identifier value of
+    * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+    * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+    * GSS_C_NT_EXPORT_NAME should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_EXPORT_NAME;
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 83]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   /* Major status codes */
+
+   #define GSS_S_COMPLETE 0
+
+   /*
+    * Some "helper" definitions to make the status code macros obvious.
+    */
+   #define GSS_C_CALLING_ERROR_OFFSET 24
+   #define GSS_C_ROUTINE_ERROR_OFFSET 16
+   #define GSS_C_SUPPLEMENTARY_OFFSET 0
+   #define GSS_C_CALLING_ERROR_MASK 0377ul
+   #define GSS_C_ROUTINE_ERROR_MASK 0377ul
+   #define GSS_C_SUPPLEMENTARY_MASK 0177777ul
+
+   /*
+    * The macros that test status codes for error conditions.
+    * Note that the GSS_ERROR() macro has changed slightly from
+    * the V1 GSSAPI so that it now evaluates its argument
+    * only once.
+    */
+   #define GSS_CALLING_ERROR(x) \
+     (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
+   #define GSS_ROUTINE_ERROR(x) \
+     (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
+   #define GSS_SUPPLEMENTARY_INFO(x) \
+     (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
+   #define GSS_ERROR(x) \
+     (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
+           (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
+
+
+   /*
+    * Now the actual status code definitions
+    */
+
+   /*
+    * Calling errors:
+    */
+   #define GSS_S_CALL_INACCESSIBLE_READ \
+                                (1ul << GSS_C_CALLING_ERROR_OFFSET)
+   #define GSS_S_CALL_INACCESSIBLE_WRITE \
+                                (2ul << GSS_C_CALLING_ERROR_OFFSET)
+   #define GSS_S_CALL_BAD_STRUCTURE \
+                                (3ul << GSS_C_CALLING_ERROR_OFFSET)
+
+   /*
+    * Routine errors:
+    */
+   #define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 84]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   #define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_MIC GSS_S_BAD_SIG
+   #define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+   /*
+    * Supplementary info bits:
+    */
+   #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+   #define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+   #define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+   #define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+   #define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
+
+
+   /*
+    * Finally, function prototypes for the GSS-API routines.
+    */
+
+   OM_uint32 gss_acquire_cred
+              (OM_uint32 *,             /*  minor_status */
+               const gss_name_t,        /* desired_name */
+               OM_uint32,               /* time_req */
+               const gss_OID_set,       /* desired_mechs */
+               gss_cred_usage_t,        /* cred_usage */
+               gss_cred_id_t *,         /* output_cred_handle */
+               gss_OID_set *,           /* actual_mechs */
+               OM_uint32 *              /* time_rec */
+              );
+
+   OM_uint32 gss_release_cred
+              (OM_uint32 *,             /* minor_status */
+               gss_cred_id_t *          /* cred_handle */
+              );
+
+   OM_uint32 gss_init_sec_context
+              (OM_uint32 *,             /* minor_status */
+               const gss_cred_id_t,     /* initiator_cred_handle */
+               gss_ctx_id_t *,          /* context_handle */
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 85]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               const gss_name_t,        /* target_name */
+               const gss_OID,           /* mech_type */
+               OM_uint32,               /* req_flags */
+               OM_uint32,               /* time_req */
+               const gss_channel_bindings_t,
+                                        /* input_chan_bindings */
+               const gss_buffer_t,      /* input_token */
+               gss_OID *,               /* actual_mech_type */
+               gss_buffer_t,            /* output_token */
+               OM_uint32 *,             /* ret_flags */
+               OM_uint32 *              /* time_rec */
+              );
+
+   OM_uint32 gss_accept_sec_context
+              (OM_uint32 *,             /* minor_status */
+               gss_ctx_id_t *,          /* context_handle */
+               const gss_cred_id_t,     /* acceptor_cred_handle */
+               const gss_buffer_t,      /* input_token_buffer */
+               const gss_channel_bindings_t,
+                                        /* input_chan_bindings */
+               gss_name_t *,            /* src_name */
+               gss_OID *,               /* mech_type */
+               gss_buffer_t,            /* output_token */
+               OM_uint32 *,             /* ret_flags */
+               OM_uint32 *,             /* time_rec */
+               gss_cred_id_t *          /* delegated_cred_handle */
+              );
+
+   OM_uint32 gss_process_context_token
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               const gss_buffer_t       /* token_buffer */
+              );
+
+   OM_uint32 gss_delete_sec_context
+              (OM_uint32 *,             /* minor_status */
+               gss_ctx_id_t *,          /* context_handle */
+               gss_buffer_t             /* output_token */
+              );
+
+   OM_uint32 gss_context_time
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               OM_uint32 *              /* time_rec */
+              );
+
+   OM_uint32 gss_get_mic
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               gss_qop_t,               /* qop_req */
+               const gss_buffer_t,      /* message_buffer */
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 86]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               gss_buffer_t             /* message_token */
+              );
+
+
+   OM_uint32 gss_verify_mic
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               const gss_buffer_t,      /* message_buffer */
+               const gss_buffer_t,      /* token_buffer */
+               gss_qop_t *              /* qop_state */
+              );
+
+   OM_uint32 gss_wrap
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               int,                     /* conf_req_flag */
+               gss_qop_t,               /* qop_req */
+               const gss_buffer_t,      /* input_message_buffer */
+               int *,                   /* conf_state */
+               gss_buffer_t             /* output_message_buffer */
+              );
+
+
+   OM_uint32 gss_unwrap
+              (OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               const gss_buffer_t,      /* input_message_buffer */
+               gss_buffer_t,            /* output_message_buffer */
+               int *,                   /* conf_state */
+               gss_qop_t *              /* qop_state */
+              );
+
+
+
+   OM_uint32 gss_display_status
+              (OM_uint32 *,             /* minor_status */
+               OM_uint32,               /* status_value */
+               int,                     /* status_type */
+               const gss_OID,           /* mech_type */
+               OM_uint32 *,             /* message_context */
+               gss_buffer_t             /* status_string */
+              );
+
+   OM_uint32 gss_indicate_mechs
+              (OM_uint32 *,             /* minor_status */
+               gss_OID_set *            /* mech_set */
+              );
+
+   OM_uint32 gss_compare_name
+              (OM_uint32 *,             /* minor_status */
+               const gss_name_t,        /* name1 */
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 87]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               const gss_name_t,        /* name2 */
+               int *                    /* name_equal */
+              );
+
+   OM_uint32 gss_display_name
+              (OM_uint32 *,             /* minor_status */
+               const gss_name_t,        /* input_name */
+               gss_buffer_t,            /* output_name_buffer */
+               gss_OID *                /* output_name_type */
+              );
+
+   OM_uint32 gss_import_name
+              (OM_uint32 *,             /* minor_status */
+               const gss_buffer_t,      /* input_name_buffer */
+               const gss_OID,           /* input_name_type */
+               gss_name_t *             /* output_name */
+              );
+
+   OM_uint32 gss_export_name
+              (OM_uint32  *,            /* minor_status */
+               const gss_name_t,        /* input_name */
+               gss_buffer_t             /* exported_name */
+              );
+
+   OM_uint32 gss_release_name
+              (OM_uint32 *,             /* minor_status */
+               gss_name_t *             /* input_name */
+              );
+
+   OM_uint32 gss_release_buffer
+              (OM_uint32 *,             /* minor_status */
+               gss_buffer_t             /* buffer */
+              );
+
+   OM_uint32 gss_release_oid_set
+              (OM_uint32 *,             /* minor_status */
+               gss_OID_set *            /* set */
+              );
+
+   OM_uint32 gss_inquire_cred
+              (OM_uint32 *,             /* minor_status */
+               const gss_cred_id_t,     /* cred_handle */
+               gss_name_t *,            /* name */
+               OM_uint32 *,             /* lifetime */
+               gss_cred_usage_t *,      /* cred_usage */
+               gss_OID_set *            /* mechanisms */
+              );
+
+   OM_uint32 gss_inquire_context (
+               OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 88]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               gss_name_t *,            /* src_name */
+               gss_name_t *,            /* targ_name */
+               OM_uint32 *,             /* lifetime_rec */
+               gss_OID *,               /* mech_type */
+               OM_uint32 *,             /* ctx_flags */
+               int *,                   /* locally_initiated */
+               int *                    /* open */
+              );
+
+   OM_uint32 gss_wrap_size_limit (
+               OM_uint32 *,             /* minor_status */
+               const gss_ctx_id_t,      /* context_handle */
+               int,                     /* conf_req_flag */
+               gss_qop_t,               /* qop_req */
+               OM_uint32,               /* req_output_size */
+               OM_uint32 *              /* max_input_size */
+              );
+
+
+   OM_uint32 gss_add_cred (
+               OM_uint32 *,             /* minor_status */
+               const gss_cred_id_t,     /* input_cred_handle */
+               const gss_name_t,        /* desired_name */
+               const gss_OID,           /* desired_mech */
+               gss_cred_usage_t,        /* cred_usage */
+               OM_uint32,               /* initiator_time_req */
+               OM_uint32,               /* acceptor_time_req */
+               gss_cred_id_t *,         /* output_cred_handle */
+               gss_OID_set *,           /* actual_mechs */
+               OM_uint32 *,             /* initiator_time_rec */
+               OM_uint32 *              /* acceptor_time_rec */
+              );
+
+
+   OM_uint32 gss_inquire_cred_by_mech (
+               OM_uint32 *,             /* minor_status */
+               const gss_cred_id_t,     /* cred_handle */
+               const gss_OID,           /* mech_type */
+               gss_name_t *,            /* name */
+               OM_uint32 *,             /* initiator_lifetime */
+               OM_uint32 *,             /* acceptor_lifetime */
+               gss_cred_usage_t *       /* cred_usage */
+              );
+
+   OM_uint32 gss_export_sec_context (
+               OM_uint32 *,             /* minor_status */
+               gss_ctx_id_t *,          /* context_handle */
+               gss_buffer_t             /* interprocess_token */
+              );
+
+   OM_uint32 gss_import_sec_context (
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 89]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+               OM_uint32 *,             /* minor_status */
+               const gss_buffer_t,      /* interprocess_token */
+               gss_ctx_id_t *           /* context_handle */
+              );
+
+   OM_uint32 gss_create_empty_oid_set (
+               OM_uint32 *,             /* minor_status */
+               gss_OID_set *            /* oid_set */
+              );
+
+   OM_uint32 gss_add_oid_set_member (
+               OM_uint32 *,             /* minor_status */
+               const gss_OID,           /* member_oid */
+               gss_OID_set *            /* oid_set */
+              );
+
+   OM_uint32 gss_test_oid_set_member (
+               OM_uint32 *,             /* minor_status */
+               const gss_OID,           /* member */
+               const gss_OID_set,       /* set */
+               int *                    /* present */
+              );
+
+   OM_uint32 gss_inquire_names_for_mech (
+               OM_uint32 *,             /* minor_status */
+               const gss_OID,           /* mechanism */
+               gss_OID_set *            /* name_types */
+              );
+
+   OM_uint32 gss_inquire_mechs_for_name (
+               OM_uint32 *,             /* minor_status */
+               const gss_name_t,        /* input_name */
+               gss_OID_set *            /* mech_types */
+              );
+
+   OM_uint32 gss_canonicalize_name (
+               OM_uint32 *,             /* minor_status */
+               const gss_name_t,        /* input_name */
+               const gss_OID,           /* mech_type */
+               gss_name_t *             /* output_name */
+              );
+
+   OM_uint32 gss_duplicate_name (
+               OM_uint32 *,             /* minor_status */
+               const gss_name_t,        /* src_name */
+               gss_name_t *             /* dest_name */
+              );
+
+   /*
+    * The following routines are obsolete variants of gss_get_mic,
+    * gss_verify_mic, gss_wrap and gss_unwrap.  They should be
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 90]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+    * provided by GSSAPI V2 implementations for backwards
+    * compatibility with V1 applications.  Distinct entrypoints
+    * (as opposed to #defines) should be provided, both to allow
+    * GSSAPI V1 applications to link against GSSAPI V2 implementations,
+    * and to retain the slight parameter type differences between the
+    * obsolete versions of these routines and their current forms.
+    */
+
+   OM_uint32 gss_sign
+              (OM_uint32 *,        /* minor_status */
+               gss_ctx_id_t,       /* context_handle */
+               int,                /* qop_req */
+               gss_buffer_t,       /* message_buffer */
+               gss_buffer_t        /* message_token */
+              );
+
+
+   OM_uint32 gss_verify
+              (OM_uint32 *,        /* minor_status */
+               gss_ctx_id_t,       /* context_handle */
+               gss_buffer_t,       /* message_buffer */
+               gss_buffer_t,       /* token_buffer */
+               int *               /* qop_state */
+              );
+
+   OM_uint32 gss_seal
+              (OM_uint32 *,        /* minor_status */
+               gss_ctx_id_t,       /* context_handle */
+               int,                /* conf_req_flag */
+               int,                /* qop_req */
+               gss_buffer_t,       /* input_message_buffer */
+               int *,              /* conf_state */
+               gss_buffer_t        /* output_message_buffer */
+              );
+
+
+   OM_uint32 gss_unseal
+              (OM_uint32 *,        /* minor_status */
+               gss_ctx_id_t,       /* context_handle */
+               gss_buffer_t,       /* input_message_buffer */
+               gss_buffer_t,       /* output_message_buffer */
+               int *,              /* conf_state */
+               int *               /* qop_state */
+              );
+
+
+
+
+   #endif /* GSSAPI_H_ */
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 91]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   APPENDIX B. Additional constraints for application binary portability
+
+   The purpose of this C-bindings document is to encourage source-level
+   portability of applications across GSS-API implementations on different
+   platforms and atop different mechanisms.  Additional goals that have not
+   been explicitly addressed by this document are link-time and run-time
+   portability.
+
+   Link-time portability provides the ability to compile an application
+   against one implementation of GSS-API, and then link it against a
+   different implementation on the same platform.  It is a stricter
+   requirement than source-level portability.
+
+   Run-time portability differs from link-time portability only on those
+   platforms that implement dynamically loadable GSS-API implementations,
+   but do not offer load-time symbol resolution.  On such platforms, run-
+   time portability is a stricter requirement than link-time portability,
+   and will typically include the precise placement of the various GSS-API
+   routines within library entrypoint vectors.
+
+   Individual platforms will impose their own rules that must be followed
+   to achieve link-time (and run-time, if different) portability.  In order
+   to ensure either form of binary portability, an ABI specification must
+   be written for GSS-API implementations on that platform.  However, it is
+   recognized that there are some issues that are likely to be common to
+   all such ABI specifications. This appendix is intended to be a
+   repository for such common issues, and contains some suggestions that
+   individual ABI specifications may choose to reference.  Since machine
+   architectures vary greatly, it may not be possible or desirable to
+   follow these suggestions on all platforms.
+
+   B.1.  Pointers
+
+   While ANSI-C provides a single pointer type for each declared type, plus
+   a single (void *) type, some platforms (notably those using segmented
+   memory architectures) augment this with various modified pointer types
+   (e.g. far pointers, near pointers).  These language bindings assume
+   ANSI-C, and thus do not address such non-standard implementations.
+   GSS-API implementations for such platforms must choose an appropriate
+   memory model, and should use it consistently throughout.  For example,
+   if a memory model is chosen that requires the use of far pointers when
+   passing routine parameters, then far pointers should also be used within
+   the structures defined by GSS-API.
+
+   B.2.  Internal structure alignment
+
+   GSS-API defines several data-structures containing differently-sized
+   fields.  An ABI specification should include a detailed description of
+   how the fields of such structures are aligned, and if there is any
+   internal padding in these data structures.  The use of compiler defaults
+   for the platform is recommended.
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 92]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   B.3.  Handle types
+
+   The C bindings specify that the gss_cred_id_t and gss_ctx_id_t types
+   should be implemented as either pointer or arithmetic types, and that if
+   pointer types are used, care should be taken to ensure that two handles
+   may be compared with the == operator.  Note that ANSI-C does not
+   guarantee that two pointer values may be compared with the == operator
+   unless either the two pointers point to members of a single array, or at
+   least one of the pointers contains a NULL value.
+
+   For binary portability, additional constraints are required.  The
+   following is an attempt at defining platform-independent constraints.
+
+     (a) The size of the handle type must be the same as sizeof(void *),
+         using the appropriate memory model.
+
+     (b) The == operator for the chosen type must be a simple bit-wise
+         comparison.  That is, for two in-memory handle objects h1 and h2,
+         the boolean value of the expression
+
+              (h1 == h2)
+
+         should always be the same as the boolean value of the expression
+
+              (memcmp(&h1, &h2, sizeof(h1)) == 0)
+
+     (c) The actual use of the type (void *) for handle types is
+         discouraged, not for binary portability reasons, but since it
+         effectively disables much of the compile-time type-checking that
+         the compiler can otherwise perform, and is therefore not
+         "programmer-friendly".  If a pointer implementation is desired,
+         and if the platform's implementation of pointers permits, the
+         handles should be implemented as pointers to distinct
+         implementation-defined types.
+
+   B.4.  The gss_name_t type
+
+   The gss_name_t type, representing the internal name object, should be
+   implemented as a pointer type.  The use of the (void *) type is
+   discouraged as it does not allow the compiler to perform strong type-
+   checking.  However, the pointer type chosen should be of the same size
+   as the (void *) type.  Provided this rule is obeyed, ABI specifications
+   need not further constrain the implementation of gss_name_t objects.
+
+   B.5.  The int and size_t types
+
+   Some platforms may support differently sized implementations of the
+   "int" and "size_t" types, perhaps chosen through compiler switches, and
+   perhaps dependent on memory model.  An ABI specification for such a
+   platform should include required implementations for these types. It is
+   recommended that the default implementation (for the chosen memory
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 93]
+
+
+
+
+
+
+
+   INTERNET-DRAFT          GSS-API V2 - C bindings               March 1997
+
+
+
+   model, if appropriate) is chosen.
+
+   B.6.  Procedure-calling conventions
+
+   Some platforms support a variety of different binary conventions for
+   calling procedures.  Such conventions cover things like the format of
+   the stack frame, the order in which the routine parameters are pushed
+   onto the stack, whether or not a parameter count is pushed onto the
+   stack, whether some argument(s) or return values are to be passed in
+   registers, and whether the called routine or the caller is responsible
+   for removing the stack frame on return.  For such platforms, an ABI
+   specification should specify which calling convention is to be used for
+   GSSAPI implementations.
+
+
+   REFERENCES
+
+   [GSSAPI]    J. Linn, "Generic Security Service Application Program
+               Interface, Version 2", Internet-Draft draft-ietf-cat-gssv2-
+               08, 26 August 1996.  (This Internet-Draft, like all other
+               Internet-Drafts, is not an archival document and is subject
+               to change or deletion.  It is available at the time of this
+               writing by anonymous ftp from ds.internic.net, directory
+               internet-drafts. Would-be readers should check for successor
+               Internet-Draft versions or Internet RFCs before relying on
+               this document.)
+
+   [XOM]       OSI Object Management API Specification, Version 2.0 t",
+               X.400 API Association & X/Open Company Limited, August 24,
+               1990.  Specification of datatypes and routines for
+               manipulating information objects.
+
+
+   AUTHOR'S ADDRESS
+
+   John Wray                       Internet email: Wray@tuxedo.enet.dec.com
+   Digital Equipment Corporation                 Telephone: +1-508-486-5210
+   550 King Street, LKG2-2/Z7
+   Littleton, MA  01460
+   USA
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+   Wray             Document Expiration: 1 September 1997         [Page 94]
+
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-iakerb-04.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-iakerb-04.txt
new file mode 100644
index 0000000..208d057
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-iakerb-04.txt
@@ -0,0 +1,301 @@
+INTERNET-DRAFT                                        Mike Swift
+draft-ietf-cat-iakerb-04.txt                          Microsoft
+Updates: RFC 1510                                     Jonathan Trostle
+July 2000					      Cisco Systems
+                                  
+
+         Initial Authentication and Pass Through Authentication 
+                Using Kerberos V5 and the GSS-API (IAKERB)
+
+
+0. Status Of This Memo
+
+   This document is an Internet-Draft and is in full conformance
+   with all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other
+   documents at any time.  It is inappropriate to use Internet-
+   Drafts as reference material or to cite them other than as
+   "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This draft expires on January 31st, 2001.
+
+
+1. Abstract
+
+   This document defines an extension to the Kerberos protocol
+   specification (RFC 1510 [1]) and GSSAPI Kerberos mechanism (RFC 
+   1964 [2]) that enables a client to obtain Kerberos tickets for 
+   services where:
+
+   (1) The client knows its principal name and password, but not
+   its realm name (applicable in the situation where a user is already 
+   on the network but needs to authenticate to an ISP, and the user  
+   does not know his ISP realm name).
+   (2) The client is able to obtain the IP address of the service in 
+   a realm which it wants to send a request to, but is otherwise unable 
+   to locate or communicate with a KDC in the service realm or one of 
+   the intermediate realms. (One example would be a dial up user who 
+   does not have direct IP connectivity).
+   (3) The client does not know the realm name of the service.
+
+
+2. Motivation
+
+   When authenticating using Kerberos V5, clients obtain tickets from
+   a KDC and present them to services. This method of operation works
+
+   well in many situations, but is not always applicable since it
+   requires the client to know its own realm, the realm of the target 
+   service, the names of the KDC's, and to be able to connect to the 
+   KDC's. 
+  
+   This document defines an extension to the Kerberos protocol
+   specification (RFC 1510) [1] that enables a client to obtain
+   Kerberos tickets for services where:
+
+   (1) The client knows its principal name and password, but not
+   its realm name (applicable in the situation where a user is already 
+   on the network but needs to authenticate to an ISP, and the user 
+   does not know his ISP realm name).
+   (2) The client is able to obtain the IP address of the service in 
+   a realm which it wants to send a request to, but is otherwise unable 
+   to locate or communicate with a KDC in the service realm or one of 
+   the intermediate realms. (One example would be a dial up user who 
+   does not have direct IP connectivity).
+   (3) The client does not know the realm name of the service.
+
+   In this proposal, the client sends KDC request messages directly 
+   to application servers if one of the above failure cases develops. 
+   The application server acts as a proxy, forwarding messages back
+   and forth between the client and various KDC's (see Figure 1).
+
+
+           Client <---------> App Server <----------> KDC
+                               proxies
+
+
+                     Figure 1: IAKERB proxying
+
+
+   In the case where the client has sent a TGS_REQ message to the 
+   application server without a realm name in the request, the 
+   application server will forward an error message to the client 
+   with its realm name in the e-data field of the error message. 
+   The client will attempt to proceed using conventional Kerberos. 
+
+3. When Clients Should Use IAKERB
+
+   We list several, but possibly not all, cases where the client
+   should use IAKERB. In general, the existing Kerberos paradigm
+   where clients contact the KDC to obtain service tickets should
+   be preserved where possible.
+
+   (a) AS_REQ cases:
+
+   (i) The client is unable to locate the user's KDC or the KDC's
+   in the user's realm are not responding, or
+   (ii) The user has not entered a name which can be converted 
+   into a realm name (and the realm name cannot be derived from
+   a certificate). 
+
+   (b) TGS_REQ cases:
+
+   (i) the client determines that the KDC(s) in either an 
+   intermediate realm or the service realm are not responding or
+
+   the client is unable to locate a KDC, 
+
+   (ii) the client is not able to generate the application server 
+   realm name. 
+
+
+4. GSSAPI Encapsulation
+
+   The mechanism ID for IAKERB GSS-API Kerberos, in accordance with the 
+   mechanism proposed by SPNEGO for negotiating protocol variations, is:
+   {iso(1) member-body(2) United States(840) mit(113554) infosys(1) 
+   gssapi(2) krb5(2) initialauth(4)}
+
+   The AS request, AS reply, TGS request, and TGS reply messages are all 
+   encapsulated using the format defined by RFC1964 [2].  This consists 
+   of the GSS-API token framing defined in appendix B of RFC1508 [3]: 
+
+   InitialContextToken ::= 
+   [APPLICATION 0] IMPLICIT SEQUENCE { 
+           thisMech        MechType 
+                   -- MechType is OBJECT IDENTIFIER 
+                   -- representing "Kerberos V5" 
+           innerContextToken ANY DEFINED BY thisMech
+                   -- contents mechanism-specific;
+                   -- ASN.1 usage within innerContextToken
+                   -- is not required
+           }
+
+   The innerContextToken consists of a 2-byte TOK_ID field (defined 
+   below), followed by the Kerberos V5 KRB-AS-REQ, KRB-AS-REP, 
+   KRB-TGS-REQ, or KRB-TGS-REP messages, as appropriate. The TOK_ID field
+   shall be one of the following values, to denote that the message is 
+   either a request to the KDC or a response from the KDC.
+
+   Message         TOK_ID
+   KRB-KDC-REQ      00 03
+   KRB-KDC-REP      01 03
+   
+
+5. The Protocol
+
+   a. The user supplies a password (AS_REQ): Here the Kerberos client
+      will send an AS_REQ message to the application server if it cannot
+      locate a KDC for the user's realm, or such KDC's do not respond,
+      or the user does not enter a name from which the client can derive
+      the user's realm name. The client sets the realm field of the 
+      request equal to its own realm if the realm name is known, 
+      otherwise the realm length is set to 0. Upon receipt of the AS_REQ 
+      message, the application server checks if the client has included 
+      a realm. 
+
+      If the realm was not included in the original request, the 
+      application server must determine the realm and add it to the 
+      AS_REQ message before forwarding it. If the application server 
+      cannot determine the client realm, it returns the 
+      KRB_AP_ERR_REALM_REQUIRED error-code in an error message to 
+      the client:
+
+            KRB_AP_ERR_REALM_REQUIRED         77  
+
+      The error message can be sent in response to either an AS_REQ
+      message, or in response to a TGS_REQ message, in which case the 
+      realm and principal name of the application server are placed
+      into the realm and sname fields respectively, of the KRB-ERROR 
+      message. In the AS_REQ case, once the realm is filled in, the 
+      application server forwards the request to a KDC in the user's 
+      realm. It will retry the request if necessary, and forward the 
+      KDC response back to the client.
+
+      At the time the user enters a username and password, the client
+      should create a new credential with an INTERNAL NAME [3] that can
+      be used as an input into the GSS_Acquire_cred function call.
+
+      This functionality is useful when there is no trust relationship
+      between the user's logon realm and the target realm (Figure 2).
+
+
+                                     User Realm KDC        
+                                      /                
+                                     /                
+                                    /                
+                                   / 2,3   
+                      1,4         /      
+           Client<-------------->App Server
+
+
+      1 Client sends AS_REQ to App Server
+      2 App server forwards AS_REQ to User Realm KDC
+      3 App server receives AS_REP from User Realm KDC
+      4 App server sends AS_REP back to Client
+
+
+                      Figure 2: IAKERB AS_REQ
+
+
+
+   b. The user does not supply a password (TGS_REQ): The user includes a 
+      TGT targetted at the user's realm, or an intermediate realm, in a 
+      TGS_REQ message. The TGS_REQ message is sent to the application 
+      server. 
+
+      If the client has included the realm name in the TGS request, then
+      the application server will forward the request to a KDC in the
+      request TGT srealm. It will forward the response back to the client.
+
+      If the client has not included the realm name in the TGS request,
+      then the application server will return its realm name and principal 
+      name to the client using the KRB_AP_ERR_REALM_REQUIRED error 
+      described above. Sending a TGS_REQ message to the application server 
+      without a realm name in the request, followed by a TGS request using 
+      the returned realm name and then sending an AP request with a mutual 
+      authentication flag should be subject to a local policy decision 
+      (see security considerations below). Using the returned server 
+      principal name in a TGS request followed by sending an AP request 
+      message using the received ticket MUST NOT set any mutual 
+      authentication flags.
+
+
+6. Addresses in Tickets
+
+   In IAKERB, the machine sending requests to the KDC is the server and 
+   not the client. As a result, the client should not include its 
+   addresses in any KDC requests for two reasons. First, the KDC may
+   reject the forwarded request as being from the wrong client. Second,
+   in the case of initial authentication for a dial-up client, the client
+   machine may not yet possess a network address. Hence, as allowed by 
+   RFC1510 [1], the addresses field of the AS and TGS requests should be
+   blank and the caddr field of the ticket should similarly be left blank. 
+
+
+7. Combining IAKERB with Other Kerberos Extensions
+   
+   This protocol is usable with other proposed Kerberos extensions such as 
+   PKINIT (Public Key Cryptography for Initial Authentication in Kerberos 
+   [4]). In such cases, the messages which would normally be sent to the 
+   KDC by the GSS runtime are instead sent by the client application to the 
+   server, which then forwards them to a KDC.
+
+
+8. Security Considerations
+
+   A principal is identified by its principal name and realm. A client
+   that sends a TGS request to an application server without the request
+   realm name will only be able to mutually authenticate the server
+   up to its principal name. Thus when requesting mutual authentication, 
+   it is preferable if clients can either determine the server realm name 
+   beforehand, or apply some policy checks to the realm name obtained from 
+   the returned error message.
+   
+
+9. Bibliography
+ 
+   [1] J. Kohl, C. Neuman. The Kerberos Network Authentication
+   Service (V5). Request for Comments 1510.
+
+   [2]  J. Linn.  The Kerberos Version 5 GSS-API Mechanism. Request 
+   for Comments 1964 
+
+   [3]  J. Linn. Generic Security Service Application Program Interface.  
+   Request for Comments 1508 
+
+   [4] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray, 
+   J. Trostle, Public Key Cryptography for Initial Authentication in 
+   Kerberos, http://www.ietf.org/internet-drafts/draft-ietf-cat-kerberos-
+   pkinit-10.txt.
+
+
+10. This draft expires on January 31st, 2001. 
+
+
+11. Authors' Addresses
+
+   Michael Swift
+   Microsoft
+   One Microsoft Way
+   Redmond, Washington, 98052, U.S.A.
+   Email: mikesw@microsoft.com
+
+   Jonathan Trostle
+   170 W. Tasman Dr. 
+   San Jose, CA 95134, U.S.A.
+   Email: jtrostle@cisco.com
+   Phone: (408) 527-6201
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt
new file mode 100644
index 0000000..e235bec
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-chg-password-02.txt
@@ -0,0 +1,311 @@
+
+
+
+
+Network Working Group                                        M. Horowitz
+<draft-ietf-cat-kerb-chg-password-02.txt>                Stonecast, Inc.
+Internet-Draft                                              August, 1998
+
+                   Kerberos Change Password Protocol
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as ``work in progress.''
+
+   To learn the current status of any Internet-Draft, please check the
+   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
+   Directories on ftp.ietf.org (US East Coast), nic.nordu.net
+   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
+   Rim).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+   The Kerberos V5 protocol [RFC1510] does not describe any mechanism
+   for users to change their own passwords.  In order to promote
+   interoperability between workstations, personal computers, terminal
+   servers, routers, and KDC's from multiple vendors, a common password
+   changing protocol is required.
+
+
+
+Overview
+
+   When a user wishes to change his own password, or is required to by
+   local policy, a simple request of a password changing service is
+   necessary.  This service must be implemented on at least one host for
+   each Kerberos realm, probably on one of the kdc's for that realm.
+   The service must accept requests on UDP port 464 (kpasswd), and may
+   accept requests on TCP port 464 as well.
+
+   The protocol itself consists of a single request message followed by
+   a single reply message.  For UDP transport, each message must be
+   fully contained in a single UDP packet.
+
+
+
+
+
+
+
+
+Horowitz                                                        [Page 1]
+
+Internet Draft      Kerberos Change Password Protocol       August, 1998
+
+
+Request Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REQ length        |         AP-REQ data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                        KRB-PRIV message                       /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   message length (16 bits)
+      Contains the length of the message, including this field, in bytes
+      (big-endian integer)
+   protocol version number (16 bits)
+      Contains the hex constant 0x0001 (big-endian integer)
+   AP-REQ length (16 bits)
+      length (big-endian integer) of AP-REQ data, in bytes.
+   AP-REQ data, as described in RFC1510 (variable length)
+      This AP-REQ must be for the service principal
+      kadmin/changepw@REALM, where REALM is the REALM of the user who
+      wishes to change his password.  The Ticket in the AP-REQ must be
+      derived from an AS request (thus having the INITIAL flag set), and
+      must include a subkey in the Authenticator.
+   KRB-PRIV message, as described in RFC1510 (variable length)
+      This KRB-PRIV message must be generated using the subkey in the
+      Authenticator in the AP-REQ data.  The user-data component of the
+      message must consist of the user's new password.
+
+   The server must verify the AP-REQ message, decrypt the new password,
+   perform any local policy checks (such as password quality, history,
+   authorization, etc.) required, then set the password to the new value
+   specified.
+
+   The principal whose password is to be changed is the principal which
+   authenticated to the password changing service.  This protocol does
+   not address administrators who want to change passwords of principal
+   besides their own.
+
+
+Reply Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REP length        |         AP-REP data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                KRB-PRIV or KRB-ERROR message                  /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   message length (16 bits)
+
+
+
+Horowitz                                                        [Page 2]
+
+Internet Draft      Kerberos Change Password Protocol       August, 1998
+
+
+      Contains the length of the message, including this field, in bytes
+      (big-endian integer),
+   protocol version number (16 bits)
+      Contains the hex constant 0x0001 (big-endian integer)
+   AP-REP length (16 bits)
+      length of AP-REP data, in bytes.  If the the length is zero, then
+      the last field will contain a KRB-ERROR message instead of a KRB-
+      PRIV message.
+   AP-REP data, as described in RFC1510 (variable length)
+      The AP-REP corresponding to the AP-REQ in the request packet.
+   KRB-PRIV or KRB-ERROR message, as described in RFC1510 (variable
+      length)
+      If the AP-REP length is zero, then this field contains a KRB-ERROR
+      message.  Otherwise, it contains a KRB-PRIV message.  This KRB-
+      PRIV message must be generated using the subkey in the
+      Authenticator in the AP-REQ data.
+
+      The user-data component of the KRB-PRIV message, or e-data
+      component of the KRB-ERROR message, must consist of the following
+      data:
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          result code          |        result string          /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+      result code (16 bits)
+         The result code must have one of the following values (big-
+         endian integer):
+         0x0000 if the request succeeds.  (This value is not permitted
+            in a KRB-ERROR message.)
+         0x0001 if the request fails due to being malformed
+         0x0002 if the request fails due to a "hard" error processing
+            the request (for example, there is a resource or other
+            problem causing the request to fail)
+         0x0003 if the request fails due to an error in authentication
+            processing
+         0x0004 if the request fails due to a "soft" error processing
+            the request (for example, some policy or other similar
+            consideration is causing the request to be rejected).
+         0xFFFF if the request fails for some other reason.
+         Although only a few non-zero result codes are specified here,
+         the client should accept any non-zero result code as indicating
+         failure.
+      result string (variable length)
+         This field should contain information which the server thinks
+         might be useful to the user, such as feedback about policy
+         failures.  The string must be encoded in UTF-8.  It may be
+         omitted if the server does not wish to include it.  If it is
+         present, the client should display the string to the user.
+         This field is analogous to the string which follows the numeric
+         code in SMTP, FTP, and similar protocols.
+
+
+
+
+Horowitz                                                        [Page 3]
+
+Internet Draft      Kerberos Change Password Protocol       August, 1998
+
+
+Dropped and Modified Messages
+
+   An attacker (or simply a lossy network) could cause either the
+   request or reply to be dropped, or modified by substituting a KRB-
+   ERROR message in the reply.
+
+   If a request is dropped, no modification of the password/key database
+   will take place.  If a reply is dropped, the server will (assuming a
+   valid request) make the password change.  However, the client cannot
+   distinguish between these two cases.
+
+   In this situation, the client should construct a new authenticator,
+   re-encrypt the request, and retransmit.  If the original request was
+   lost, the server will treat this as a valid request, and the password
+   will be changed normally.  If the reply was lost, then the server
+   should take care to notice that the request was a duplicate of the
+   prior request, because the "new" password is the current password,
+   and the password change time is within some implementation-defined
+   replay time window.  The server should then return a success reply
+   (an AP-REP message with result code == 0x0000) without actually
+   changing the password or any other information (such as modification
+   timestamps).
+
+   If a success reply was replaced with an error reply, then the
+   application performing the request would return an error to the user.
+   In this state, the user's password has been changed, but the user
+   believes that it has not.  If the user attempts to change the
+   password again, this will probably fail, because the user cannot
+   successfully provide the old password to get an INITIAL ticket to
+   make the request.  This situation requires administrative
+   intervention as if a password was lost.  This situation is,
+   unfortunately, impossible to prevent.
+
+
+Security Considerations
+
+   This document deals with changing passwords for Kerberos.  Because
+   Kerberos is used for authentication and key distribution, it is
+   important that this protocol use the highest level of security
+   services available to a particular installation.  Mutual
+   authentication is performed, so that the server knows the request is
+   valid, and the client knows that the request has been received and
+   processed by the server.
+
+   There are also security issues relating to dropped or modified
+   messages which are addressed explicitly.
+
+
+References
+
+   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+      Authentication Service (V5)", RFC 1510, September 1993.
+
+
+
+
+
+Horowitz                                                        [Page 4]
+
+Internet Draft      Kerberos Change Password Protocol       August, 1998
+
+
+Author's Address
+
+   Marc Horowitz
+   Stonecast, Inc.
+   108 Stow Road
+   Harvard, MA 01451
+
+   Phone: +1 978 456 9103
+   Email: marc@stonecast.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz                                                        [Page 5]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt
new file mode 100644
index 0000000..2583a84
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-des3-hmac-sha1-00.txt
@@ -0,0 +1,127 @@
+
+
+
+
+
+
+Network Working Group                                        M. Horowitz
+<draft-ietf-cat-kerb-des3-hmac-sha1-00.txt>             Cygnus Solutions
+Internet-Draft                                            November, 1996
+
+
+           Triple DES with HMAC-SHA1 Kerberos Encryption Type
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as ``work in progress.''
+
+   To learn the current status of any Internet-Draft, please check the
+   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
+   Directories on ds.internic.net (US East Coast), nic.nordu.net
+   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
+   Rim).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+   This document defines a new encryption type and a new checksum type
+   for use with Kerberos V5 [RFC1510].  This encryption type is based on
+   the Triple DES cryptosystem and the HMAC-SHA1 [Krawczyk96] message
+   authentication algorithm.
+
+   The des3-cbc-hmac-sha1 encryption type has been assigned the value 7.
+   The hmac-sha1-des3 checksum type has been assigned the value 12.
+
+
+Encryption Type des3-cbc-hmac-sha1
+
+   EncryptedData using this type must be generated as described in
+   [Horowitz96].  The encryption algorithm is Triple DES in Outer-CBC
+   mode.  The keyed hash algorithm is HMAC-SHA1.  Unless otherwise
+   specified, a zero IV must be used.  If the length of the input data
+   is not a multiple of the block size, zero octets must be used to pad
+   the plaintext to the next eight-octet boundary.  The counfounder must
+   be eight random octets (one block).
+
+
+Checksum Type hmac-sha1-des3
+
+   Checksums using this type must be generated as described in
+   [Horowitz96].  The keyed hash algorithm is HMAC-SHA1.
+
+
+
+Horowitz                                                        [Page 1]
+
+Internet Draft     Kerberos Triple DES with HMAC-SHA1     November, 1996
+
+
+Common Requirements
+
+   Where the Triple DES key is represented as an EncryptionKey, it shall
+   be represented as three DES keys, with parity bits, concatenated
+   together.  The key shall be represented with the most significant bit
+   first.
+
+   When keys are generated by the derivation function, a key length of
+   168 bits shall be used.  The output bit string will be converted to a
+   valid Triple DES key by inserting DES parity bits after every seventh
+   bit.
+
+   Any implementation which implements either of the encryption or
+   checksum types in this document must support both.
+
+
+Security Considerations
+
+   This entire document defines encryption and checksum types for use
+   with Kerberos V5.
+
+
+References
+
+   [Horowitz96] Horowitz, M., "Key Derivation for Kerberos V5", draft-
+      horowitz-kerb-key-derivation-00.txt, November 1996.
+   [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC:
+      Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac-
+      md5-01.txt, August, 1996.
+   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
+      Authentication Service (V5)", RFC 1510, September 1993.
+
+
+Author's Address
+
+   Marc Horowitz
+   Cygnus Solutions
+   955 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone: +1 617 354 7688
+   Email: marc@cygnus.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz                                                        [Page 2]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt
new file mode 100644
index 0000000..46a4158
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerb-key-derivation-00.txt
@@ -0,0 +1,250 @@
+
+
+
+
+
+Network Working Group                                        M. Horowitz
+<draft-ietf-cat-kerb-key-derivation-00.txt>             Cygnus Solutions
+Internet-Draft                                            November, 1996
+
+
+                     Key Derivation for Kerberos V5
+
+Status of this Memo
+
+   This document is an Internet-Draft.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as ``work in progress.''
+
+   To learn the current status of any Internet-Draft, please check the
+   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
+   Directories on ds.internic.net (US East Coast), nic.nordu.net
+   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
+   Rim).
+
+   Distribution of this memo is unlimited.  Please send comments to the
+   <cat-ietf@mit.edu> mailing list.
+
+Abstract
+
+   In the Kerberos protocol [RFC1510], cryptographic keys are used in a
+   number of places.  In order to minimize the effect of compromising a
+   key, it is desirable to use a different key for each of these places.
+   Key derivation [Horowitz96] can be used to construct different keys
+   for each operation from the keys transported on the network.  For
+   this to be possible, a small change to the specification is
+   necessary.
+
+
+Overview
+
+   Under RFC1510 as stated, key derivation could be specified as a set
+   of encryption types which share the same key type.  The constant for
+   each derivation would be a function of the encryption type.  However,
+   it is generally accepted that, for interoperability, key types and
+   encryption types must map one-to-one onto each other.  (RFC 1510 is
+   being revised to address this issue.)  Therefore, to use key
+   derivcation with Kerberos V5 requires a small change to the
+   specification.
+
+   For each place where a key is used in Kerberos, a ``key usage'' must
+   be specified for that purpose.  The key, key usage, and
+   encryption/checksum type together describe the transformation from
+   plaintext to ciphertext, or plaintext to checksum.  For backward
+
+
+
+Horowitz                                                        [Page 1]
+
+Internet Draft       Key Derivation for Kerberos V5       November, 1996
+
+
+   compatibility, old encryption types would be defined independently of
+   the key usage.
+
+
+Key Usage Values
+
+   This is a complete list of places keys are used in the kerberos
+   protocol, with key usage values and RFC 1510 section numbers:
+
+      1.  AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+          client key (section 5.4.1)
+      2.  AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+          application session key), encrypted with the service key
+          (section 5.4.2)
+      3.  AS-REP encrypted part (includes tgs session key or application
+          session key), encrypted with the client key (section 5.4.2)
+
+      4.  TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+          session key (section 5.4.1)
+      5.  TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+          authenticator subkey (section 5.4.1)
+      6.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+          with the tgs session key (sections 5.3.2, 5.4.1)
+      7.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+          authenticator subkey), encrypted with the tgs session key
+          (section 5.3.2)
+      8.  TGS-REP encrypted part (includes application session key),
+          encrypted with the tgs session key (section 5.4.2)
+      9.  TGS-REP encrypted part (includes application session key),
+          encrypted with the tgs authenticator subkey (section 5.4.2)
+
+      10. AP-REQ Authenticator cksum, keyed with the application session
+          key (section 5.3.2)
+      11. AP-REQ Authenticator (includes application authenticator
+          subkey), encrypted with the application session key (section
+          5.3.2)
+      12. AP-REP encrypted part (includes application session subkey),
+          encrypted with the application session key (section 5.5.2)
+
+      13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+          application (section 5.7.1)
+      14. KRB-CRED encrypted part, encrypted with a key chosen by the
+          application (section 5.6.1)
+      15. KRB-SAVE cksum, keyed with a key chosen by the application
+          (section 5.8.1)
+
+      16. Data which is defined in some specification outside of
+          Kerberos to be encrypted using an RFC1510 encryption type.
+      17. Data which is defined in some specification outside of
+          Kerberos to be checksummed using an RFC1510 checksum type.
+
+   A few of these key usages need a little clarification.  A service
+   which receives an AP-REQ has no way to know if the enclosed Ticket
+   was part of an AS-REP or TGS-REP.  Therefore, key usage 2 must always
+
+
+
+Horowitz                                                        [Page 2]
+
+Internet Draft       Key Derivation for Kerberos V5       November, 1996
+
+
+   be used for generating a Ticket, whether it is in response to an AS-
+   REQ or TGS-REQ.
+
+   There might exist other documents which define protocols in terms of
+   the RFC1510 encryption types or checksum types.  Such documents would
+   not know about key usages.  In order that these documents continue to
+   be meaningful until they are updated, key usages 16 and 17 must be
+   used to derive keys for encryption and checksums, respectively.  New
+   protocols defined in terms of the Kerberos encryption and checksum
+   types should use their own key usages.  Key usages may be registered
+   with IANA to avoid conflicts.  Key usages shall be unsigned 32 bit
+   integers.  Zero is not permitted.
+
+
+Defining Cryptosystems Using Key Derivation
+
+   Kerberos requires that the ciphertext component of EncryptedData be
+   tamper-resistant as well as confidential.  This implies encryption
+   and integrity functions, which must each use their own separate keys.
+   So, for each key usage, two keys must be generated, one for
+   encryption (Ke), and one for integrity (Ki):
+
+      Ke = DK(protocol key, key usage | 0xAA)
+      Ki = DK(protocol key, key usage | 0x55)
+
+   where the key usage is represented as a 32 bit integer in network
+   byte order.  The ciphertest must be generated from the plaintext as
+   follows:
+
+      ciphertext = E(Ke, confounder | length | plaintext | padding) |
+                   H(Ki, confounder | length | plaintext | padding)
+
+   The confounder and padding are specific to the encryption algorithm
+   E.
+
+   When generating a checksum only, there is no need for a confounder or
+   padding.  Again, a new key (Kc) must be used.  Checksums must be
+   generated from the plaintext as follows:
+
+      Kc = DK(protocol key, key usage | 0x99)
+
+      MAC = H(Kc, length | plaintext)
+
+   Note that each enctype is described by an encryption algorithm E and
+   a keyed hash algorithm H, and each checksum type is described by a
+   keyed hash algorithm H.  HMAC, with an appropriate hash, is
+   recommended for use as H.
+
+
+Security Considerations
+
+   This entire document addresses shortcomings in the use of
+   cryptographic keys in Kerberos V5.
+
+
+
+
+Horowitz                                                        [Page 3]
+
+Internet Draft       Key Derivation for Kerberos V5       November, 1996
+
+
+Acknowledgements
+
+   I would like to thank Uri Blumenthal, Sam Hartman, and Bill
+   Sommerfeld for their contributions to this document.
+
+
+References
+
+   [Horowitz96] Horowitz, M., "Key Derivation for Authentication,
+      Integrity, and Privacy", draft-horowitz-key-derivation-00.txt,
+      November 1996.  [RFC1510] Kohl, J. and Neuman, C., "The Kerberos
+      Network Authentication Service (V5)", RFC 1510, September 1993.
+
+
+Author's Address
+
+   Marc Horowitz
+   Cygnus Solutions
+   955 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone: +1 617 354 7688
+   Email: marc@cygnus.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz                                                        [Page 4]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt
new file mode 100644
index 0000000..c5e4d05
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-err-msg-00.txt
@@ -0,0 +1,252 @@
+
+INTERNET-DRAFT                                           Ari Medvinsky
+draft-ietf-cat-kerberos-err-msg-00.txt                        Matt Hur
+Updates: RFC 1510                                  Dominique Brezinski
+expires September 30, 1997                       CyberSafe Corporation
+                                                           Gene Tsudik
+                                                            Brian Tung
+                                                                   ISI
+
+Integrity Protection for the Kerberos Error Message
+
+0.  Status Of this Memo
+
+    This document is an Internet-Draft.  Internet-Drafts are working
+    documents of the Internet Engineering Task Force (IETF), its
+    areas, and its working groups.  Note that other groups may also
+    distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as "work in
+    progress."
+
+    To learn the current status of any Internet-Draft, please check
+    the "1id-abstracts.txt" listing contained in the Internet-Drafts
+    Shadow Directories on ds.internic.net (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-init-03.txt, and expires June xx, 1997.
+    Please send comments to the authors.
+
+1.  Abstract
+
+    The Kerberos error message, as defined in RFC 1510, is transmitted 
+    to the client without any integrity assurance.  Therefore, the 
+    client has no means to distinguish between a valid error message 
+    sent from the KDC and one sent by an attacker.  This draft describes 
+    a method for assuring the integrity of Kerberos error messages, and 
+    proposes a consistent format for the e-data field in the KRB_ERROR 
+    message.  This e-data format enables the storage of cryptographic 
+    checksums by providing an extensible mechanism for specifying e-data 
+    types.
+
+
+2.  Motivation      
+
+    In the Kerberos protocol [1], if an error occurs for AS_REQ,
+    TGS_REQ, or AP_REQ, a clear text error message is returned to the
+    client.  An attacker may exploit this vulnerability by sending a
+    false error message as a reply to any of the above requests.  For
+    example, an attacker may send the KDC_ERR_KEY_EXPIRED error message
+    in order to force a user to change their password in hope that the
+    new key will not be as strong as the current key, and thus, easier
+    to break.
+
+    Since false error messages may be utilized by an attacker, a
+    Kerberos client should have a means for determining how much trust
+    to place in a given error message.  The rest of this draft
+    describes a method for assuring the integrity of Kerberos error
+    messages.
+
+
+3.  Approach
+
+    We propose taking a cryptographic checksum over the entire KRB-ERROR
+    message.  This checksum would be returned as part of the error
+    message and would enable the client to verify the integrity of the
+    error message.  For interoperability reasons, no new fields are
+    added to the KRB-ERROR message.  Instead, the e-data field (see
+    figure 1) is utilized to carry the cryptographic checksum.
+
+
+3.1 Cryptographic checksums in error messages for AS_REQ,
+    TGS_REQ & AP_REQ
+
+    If an error occurs for the AS request, the only key that is
+    available to the KDC is the shared secret (the key derived from the
+    clients password) registered in the KDCs database.  The KDC will
+    use this key to sign the error message, if and only if, the client
+    already proved knowledge of the shared secret in the AS request
+    (e.g. via PA-ENC-TIMESTAMP in preauth data).  This policy is needed
+    to prevent an attacker from getting the KDC to send a signed error
+    message and then launching an off-line attack in order to obtain a
+    key of a given principal. 
+
+    If an error occurs for a TGS or an AP request, the server will use
+    the session key sealed in the clients ticket granting ticket to
+    compute the checksum over the error message.  If the checksum could
+    not be computed (e.g. error while decrypting the ticket) the error
+    message is returned to the client without the checksum.  The client
+    then has the option to treat unprotected error messages differently.
+
+
+    KRB-ERROR ::=  [APPLICATION 30] SEQUENCE {
+            pvno       [0]  integer,
+            msg-type   [1]  integer,
+            ctime      [2]  KerberosTime OPTIONAL,
+            cusec      [3]  INTEGER OPTIONAL,
+            stime      [4]  KerberosTime,
+            susec      [5]  INTEGER,
+            error-code [6]  INTEGER, 
+            crealm     [7]  Realm OPTIONAL,
+            cname      [8]  PrincipalName OPTIONAL,
+            realm      [9]  Realm,         --Correct realm  
+            sname      [10] PrincipalName, --Correct name  
+            e-text     [11] GeneralString OPTIONAL,
+            e-data     [12] OCTET STRING OPTIONAL
+    }
+    Figure 1
+
+
+3.2 Format of the e-data field
+
+    We propose to place the cryptographic checksum in the e-data field.
+    First, we review the format of the e-data field, as specified in
+    RFC 1510.  The format of e-data is specified only in two cases [2].
+    "If the error code is KDC_ERR_PREAUTH_REQUIRED, then the e-data
+    field will contain an encoding of a sequence of padata fields":
+
+    METHOD-DATA ::=  SEQUENCE of PA-DATA
+    PA-DATA ::= SEQUENCE {
+                padata-type    [1] INTEGER,
+                padata-value   [2] OCTET STRING
+    }
+
+    The second case deals with the KRB_AP_ERR_METHOD error code.  The
+    e-data field will contain an encoding of the following sequence:
+
+    METHOD-DATA ::=  SEQUENCE {
+                     method-type    [0] INTEGER,
+                     method-data    [1] OCTET STRING OPTIONAL
+    }
+
+    method-type indicates the required alternate authentication method.
+
+    It should be noted that, in the case of KRB_AP_ERR_METHOD, a signed
+    checksum is not returned as part of the error message, since the
+    error code indicates that the Kerberos credentials provided in the
+    AP_REQ message are unacceptable.
+
+    We propose that the e-data field have the following format for all
+    error-codes (except KRB_AP_ERR_METHOD):
+
+    E-DATA ::=  SEQUENCE {
+                data-type    [1] INTEGER,
+                data-value   [2] OCTET STRING,
+    }
+
+    The data-type field specifies the type of information that is
+    carried in the data-value field.  Thus, to send a cryptographic
+    checksum back to the client, the data-type is set to CHECKSUM, the
+    data-value is set to the ASN.1 encoding of the following sequence:
+
+    Checksum  ::=  SEQUENCE {
+                   cksumtype  [0] INTEGER,
+                   checksum   [1] OCTET STRING
+    }
+
+
+3.3 Computing the checksum 
+
+    After the error message is filled out, the error structure is
+    converted into ASN.1 representation.  A cryptographic checksum is
+    then taken over the encoded error message; the result is placed in
+    the error message structure, as the last item in the e-data field.
+    To send the error message, ASN.1 encoding is again performed over
+    the error message, which now includes the cryptographic checksum.
+
+
+3.4 Verifying the integrity of the error message
+
+    In addition to verifying the cryptographic checksum for the error
+    message, the client must verify that the error message is bound to
+    its request.  This is done by comparing the ctime field in the
+    error message to its counterpart in the request message.
+
+
+4.  E-DATA types
+
+    Since the e-data types must not conflict with preauthentication data
+    types, we propose that the preauthentication data types in the range
+    of 2048 and above be reserved for use as e-data types.
+
+    We define the following e-data type in support of integrity checking
+    for the Kerberos error message:
+
+    CHECKSUM = 2048 -- the keyed checksum described above
+
+
+5.  Discussion
+
+
+5.1 e-data types
+
+    The extension for Kerberos error messages, as outlined above, is
+    extensible to allow for definition of other error data types. 
+    We propose that the following e-data types be reserved:
+
+    KDCTIME = 2049
+    The error data would consist of the KDCs time in KerberosTime.
+    This data would be used by the client to adjust for clock skew.
+
+    REDIRECT = 2050
+    The error data would consist of a hostname.  The hostname would
+    indicate the authoritative KDC from which to obtain a TGT.
+
+
+5.2 e-data types vs. error code specific data formats
+
+    Since RFC 1510 does not define an error data type, the data format
+    must be explicitly specified for each error code.  This draft has
+    proposed an extension to RFC 1510 that would introduce the concept
+    of error data types.  This would allow for a manageable set of data
+    types to be used for any error message.  The authors assume that
+    the introduction of this e-data structure will not break any
+    existing Kerberos implementations.
+
+
+6.  Bibliography
+
+    [1] J. Kohl, C. Neuman.  The Kerberos Network Authentication
+        Service (V5).  Request for Comments: 1510
+    [2] J. Kohl, C. Neuman.  The Kerberos Network Authentication
+        Service (V5).  Request for Comments: 1510 p.67
+
+
+7.  Authors
+
+    Ari Medvinsky       <ari.medvinsky@cybersafe.com>
+    Matthew Hur         <matt.hur@cybersafe.com>
+    Dominique Brezinski <dominique.brezinski@cybersafe.com>
+
+    CyberSafe Corporation 
+    1605 NW Sammamish Road
+    Suite 310
+    Issaquah, WA 98027-5378
+    Phone: (206) 391-6000
+    Fax:   (206) 391-0508
+    http:/www.cybersafe.com
+
+
+    Brian Tung  <brian@isi.edu>
+    Gene Tsudik <gts@isi.edu>
+
+    USC Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey CA 90292-6695
+    Phone: (310) 822-1511
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt
new file mode 100644
index 0000000..b3ec336
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-02.txt
@@ -0,0 +1,174 @@
+INTERNET-DRAFT                                        Jonathan Trostle
+draft-ietf-cat-kerberos-extra-tgt-02.txt              Cisco Systems
+Updates: RFC 1510                                     Michael M. Swift
+expires January 30, 2000                              University of WA
+
+
+    Extension to Kerberos V5 For Additional Initial Encryption
+
+0. Status Of This Memo
+
+   This document is an Internet-Draft and is in full conformance
+   with all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other
+   documents at any time.  It is inappropriate to use Internet-
+   Drafts as reference material or to cite them other than as
+   "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+1. Abstract
+
+   This document defines an extension to the Kerberos protocol
+   specification (RFC 1510) [1] to enable a preauthentication field in
+   the AS_REQ message to carry a ticket granting ticket. The session
+   key from this ticket granting ticket will be used to
+   cryptographically strengthen the initial exchange in either the
+   conventional Kerberos V5 case or in the case the user stores their
+   encrypted private key on the KDC [2].
+
+
+2. Motivation
+
+   In Kerberos V5, the initial exchange with the KDC consists of the
+   AS_REQ and AS_REP messages. For users, the encrypted part of the
+   AS_REP message is encrypted in a key derived from a password.
+   Although a password policy may be in place to prevent dictionary
+   attacks, brute force attacks may still be a concern due to
+   insufficient key length.
+
+   This draft specifies an extension to the Kerberos V5 protocol to
+   allow a ticket granting ticket to be included in an AS_REQ message
+   preauthentication field. The session key from this ticket granting
+   ticket will be used to cryptographically strengthen the initial
+
+   exchange in either the conventional Kerberos V5 case or in the case
+   the user stores their encrypted private key on the KDC [2]. The
+   session key from the ticket granting ticket is combined with the
+   user password key (key K2 in the encrypted private key on KDC
+   option) using HMAC to obtain a new triple des key that is used in
+   place of the user key in the initial exchange. The ticket granting
+   ticket could be obtained by the workstation using its host key.
+
+3. The Extension
+
+   The following new preauthentication type is proposed:
+
+      PA-EXTRA-TGT                         22
+
+   The preauthentication-data field contains a ticket granting ticket
+   encoded as an ASN.1 octet string. The server realm of the ticket
+   granting ticket must be equal to the realm in the KDC-REQ-BODY of
+   the AS_REQ message. In the absence of a trust relationship, the
+   local Kerberos client should send the AS_REQ message without this
+   extension.
+
+   In the conventional (non-pkinit) case, we require the RFC 1510
+   PA-ENC-TIMESTAMP preauthentication field in the AS_REQ message.
+   If neither it or the PA-PK-KEY-REQ preauthentication field is
+   included in the AS_REQ message, the KDC will reply with a
+   KDC_ERR_PREAUTH_FAILED error message.
+
+   We propose the following new etypes:
+
+     des3-cbc-md5-xor                              16
+     des3-cbc-sha1-xor                             17
+
+   The encryption key is obtained by:
+
+   (1) Obtaining an output M from the HMAC-SHA1 function [3] using
+       the user password key (the key K2 in the encrypted private
+       key on KDC option of pkinit) as the text and the triple des
+       session key as the K input in HMAC:
+
+       M = H(K XOR opad, H(K XOR ipad, text)) where H = SHA1.
+
+       The session key from the accompanying ticket granting ticket
+       must be a triple des key when one of the triple des xor
+       encryption types is used.
+   (2) Concatenate the output M (20 bytes) with the first 8 non-parity
+       bits of the triple-des ticket granting ticket session key to
+       get 168 bits that will be used for the new triple-des encryption
+       key.
+   (3) Set the parity bits of the resulting key.
+
+   The resulting triple des key is used to encrypt the timestamp
+   for the PA-ENC-TIMESTAMP preauthentication value (or in the
+   encrypted private key on KDC option of pkinit, it is used in
+   place of the key K2 to both sign in the PA-PK-KEY-REQ and for
+   encryption in the PA-PK-KEY-REP preauthentication types).
+
+   If the KDC decrypts the encrypted timestamp and it is not within
+   the appropriate clock skew period, the KDC will reply with the
+   KDC_ERR_PREAUTH_FAILED error. The same error will also be sent if
+   the above ticket granting ticket fails to decrypt properly, or if
+   it is not a valid ticket.
+
+   The KDC will create the shared triple des key from the ticket
+   granting ticket session key and the user password key (the key K2
+   in the encrypted private key on KDC case) using HMAC as specified
+   above and use it to validate the AS_REQ message and then to
+   encrypt the encrypted part of the AS_REP message (use it in place
+   of the key K2 for encryption in the PA-PK-KEY-REP preauthentication
+   field).
+
+   Local workstation policy will determine the exact behaviour of
+   the Kerberos client with respect to the extension protocol. For
+   example, the client should consult policy to decide when to use
+   use the extension. This policy could be dependent on the user
+   identity, or whether the workstation is in the same realm as the
+   user. One possibility is for the workstation logon to fail if
+   the extension is not used. Another possibility is for the KDC
+   to set a flag in tickets issued when this extension is used.
+
+   A similar idea was proposed in OSF DCE RFC 26.0 [4]; there a
+   preauthentication field containing a ticket granting ticket,
+   a randomly generated subkey encrypted in the session key from
+   the ticket, and a timestamp structure encrypted in the user
+   password and then the randomly generated subkey was proposed.
+   Some advantages of the current proposal are that the KDC has two
+   fewer decryptions to perform per request and the client does not
+   have to generate a random key.
+
+4. Bibliography
+
+   [1] J. Kohl, C. Neuman. The Kerberos Network Authentication
+   Service (V5). Request for Comments 1510.
+
+   [2] B. Tung, C. Neuman, J. Wray, A. Medvinsky, M. Hur, J. Trostle.
+   Public Key Cryptography for Initial Authentication in Kerberos.
+   ftp://ds.internic.net/internet-drafts/
+   draft-ietf-cat-kerberos-pkinit-08.txt
+
+   [3] H. Krawczyk, M. Bellare, R. Canetti. HMAC: Keyed-Hashing for
+   Message Authentication. Request for Comments 2104.
+
+   [4] J. Pato. Using Pre-authentication to Avoid Password Guessing
+   Attacks. OSF DCE SIG Request for Comments 26.0.
+
+5. Acknowledgement: We thank Ken Hornstein for some helpful comments.
+
+6. Expires January 30, 2000.
+
+7. Authors' Addresses
+
+   Jonathan Trostle
+   170 W. Tasman Dr.
+   San Jose, CA 95134, U.S.A.
+
+   Email: jtrostle@cisco.com
+   Phone: (408) 527-6201
+
+   Michael Swift
+   Email: mikesw@cs.washington.edu
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt
new file mode 100644
index 0000000..d09a2de
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-extra-tgt-03.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on March 20, 2000.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
new file mode 100644
index 0000000..4b193c5
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
@@ -0,0 +1,282 @@
+INTERNET-DRAFT                                              Brian Tung
+draft-ietf-cat-kerberos-pk-cross-01.txt                 Tatyana Ryutov
+Updates: RFC 1510                                      Clifford Neuman
+expires September 30, 1997                                 Gene Tsudik
+                                                                   ISI
+                                                       Bill Sommerfeld
+                                                       Hewlett-Packard
+                                                         Ari Medvinsky
+                                                           Matthew Hur
+                                                 CyberSafe Corporation
+
+
+    Public Key Cryptography for Cross-Realm Authentication in Kerberos
+
+
+0.  Status Of this Memo
+
+    This document is an Internet-Draft.  Internet-Drafts are working
+    documents of the Internet Engineering Task Force (IETF), its
+    areas, and its working groups.  Note that other groups may also
+    distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as ``work in
+    progress.''
+
+    To learn the current status of any Internet-Draft, please check
+    the ``1id-abstracts.txt'' listing contained in the Internet-Drafts
+    Shadow Directories on ds.internic.net (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-cross-01.txt, and expires September 30,
+    1997.  Please send comments to the authors.
+
+
+1.  Abstract
+
+    This document defines extensions to the Kerberos protocol
+    specification (RFC 1510, "The Kerberos Network Authentication
+    Service (V5)", September 1993) to provide a method for using
+    public key cryptography during cross-realm authentication.  The
+    methods defined here specify the way in which message exchanges
+    are to be used to transport cross-realm secret keys protected by
+    encryption under public keys certified as belonging to KDCs.
+
+
+2.  Motivation
+
+    The advantages provided by public key cryptography--ease of
+    recoverability in the event of a compromise, the possibility of
+    an autonomous authentication infrastructure, to name a few--have
+    produced a demand for use by Kerberos authentication protocol.  A
+    draft describing the use of public key cryptography in the initial
+    authentication exchange in Kerberos has already been submitted.
+    This draft describes its use in cross-realm authentication.
+
+    The principal advantage provided by public key cryptography in
+    cross-realm authentication lies in the ability to leverage the
+    existing public key infrastructure.  It frees the Kerberos realm
+    administrator from having to maintain separate keys for each other
+    realm with which it wishes to exchange authentication information,
+    or to utilize a hierarchical arrangement, which may pose problems
+    of trust.
+
+    Even with the multi-hop cross-realm authentication, there must be
+    some way to locate the path by which separate realms are to be
+    transited.  The current method, which makes use of the DNS-like
+    realm names typical to Kerberos, requires trust of the intermediate
+    KDCs.
+
+    The methods described in this draft allow a realm to specify, at
+    the time of authentication, which certification paths it will
+    trust.  A shared key for cross-realm authentication can be
+    established, for a period of time.  Furthermore, these methods are
+    transparent to the client, so that only the KDC's need to be
+    modified to use them.
+
+    It is not necessary to implement the changes described in the
+    "Public Key Cryptography for Initial Authentication" draft to make
+    use of the changes in this draft.  We solicit comments about the
+    interaction between the two protocol changes, but as of this
+    writing, the authors do not perceive any obstacles to using both.
+
+
+3.  Protocol Amendments
+
+    We assume that the user has already obtained a TGT.  To perform
+    cross-realm authentication, the user sends a request to the local
+    KDC as per RFC 1510.  If the two realms share a secret key, then
+    cross-realm authentication proceeds as usual.  Otherwise, the
+    local KDC may attempt to establish a shared key with the remote
+    KDC using public key cryptography, and exchange this key through
+    the cross-realm ticket granting ticket.
+
+    We will consider the specific channel on which the message
+    exchanges take place in Section 5 below.
+
+
+3.1.  Changes to the Cross-Realm Ticket Granting Ticket
+
+    In order to avoid the need for changes to the "installed base" of
+    Kerberos application clients and servers, the only protocol change
+    is to the way in which cross-realm ticket granting tickets (TGTs)
+    are encrypted; as these tickets are opaque to clients and servers,
+    the only change visible to them will be the increased size of the
+    tickets.
+
+    Cross-realm TGTs are granted by a local KDC to authenticate a user
+    to a remote KDC's ticket granting service.  In standard Kerberos,
+    they are encrypted using a shared secret key manually configured
+    into each KDC.
+
+    In order to incorporate public key cryptography, we define a new
+    encryption type, "ENCTYPE_PK_CROSS".  Operationally, this encryption
+    type transforms an OCTET STRING of plaintext (normally an EncTktPart)
+    into the following SEQUENCE:
+
+        PKCrossOutput ::= SEQUENCE {
+            certificate [0]     OCTET STRING OPTIONAL,
+                                    -- public key certificate
+                                    -- of local KDC
+            encSharedKey [1]    EncryptedData,
+                                    -- of type EncryptionKey
+                                    -- containing random symmetric key
+                                    -- encrypted using public key
+                                    -- of remote KDC
+            sigSharedKey [2]    Signature,
+                                    -- of encSharedKey
+                                    -- using signature key
+                                    -- of local KDC
+            pkEncData [3]       EncryptedData,
+                                    -- (normally) of type EncTktPart
+                                    -- encrypted using encryption key
+                                    -- found in encSharedKey
+        }
+
+    PKCROSS operates as follows: when a client submits a request for
+    cross-realm authentication, the local KDC checks to see if it has
+    a long-term shared key established for that realm.  If so, it uses
+    this key as per RFC 1510.
+
+    If not, it sends a request for information to the remote KDC.  The
+    content of this message is immaterial, as it does not need to be
+    processed by the remote KDC; for the sake of consistency, we define
+    it as follows:
+
+        RemoteRequest ::= [APPLICATION 41] SEQUENCE {
+            nonce [0]                   INTEGER
+        }
+
+    The remote KDC replies with a list of all trusted certifiers and
+    all its (the remote KDC's) certificates.  We note that this response
+    is universal and does not depend on which KDC makes the request:
+
+        RemoteReply ::= [APPLICATION 42] SEQUENCE {
+            trustedCertifiers [0]       SEQUENCE OF PrincipalName,
+            certificates[1]             SEQUENCE OF Certificate,
+            encTypeToUse [1]            SEQUENCE OF INTEGER
+                                            -- encryption types usable
+                                            -- for encrypting pkEncData
+        }
+
+        Certificate ::= SEQUENCE {
+            CertType                [0] INTEGER,
+                                        -- type of certificate
+                                        -- 1 = X.509v3 (DER encoding)
+                                        -- 2 = PGP (per PGP draft)
+            CertData                [1] OCTET STRING
+                                        -- actual certificate
+                                        -- type determined by CertType
+        } -- from pk-init draft
+
+    Upon receiving this reply, the local KDC determines whether it has
+    a certificate the remote KDC trusts, and whether the remote KDC has
+    a certificate the local KDC trusts.  If so, it issues a ticket
+    encrypted using the ENCTYPE_PK_CROSS encryption type defined above.
+
+
+3.2.  Profile Caches
+
+    We observe that using PKCROSS as specified above requires two
+    private key operations: a signature generation by the local KDC and
+    a decryption by the remote KDC.  This cost can be reduced in the
+    long term by judicious caching of the encSharedKey and the
+    sigSharedKey.
+
+    Let us define a "profile" as the encSharedKey and sigSharedKey, in
+    conjunction with the associated remote realm name and decrypted
+    shared key (the key encrypted in the encSharedKey).
+
+    To optimize these interactions, each KDC maintains two caches, one
+    for outbound profiles and one for inbound profiles.  When generating
+    an outbound TGT for another realm, the local KDC first checks to see
+    if the corresponding entry exists in the outbound profile cache; if
+    so, it uses its contents to form the first three fields of the
+    PKCrossOutput; the shared key is used to encrypt the data for the
+    fourth field.  If not, the components are generated fresh and stored
+    in the outbound profile cache.
+
+    Upon receipt of the TGT, the remote realm checks its inbound profile
+    cache for the corresponding entry.  If it exists, then it uses the
+    contents of the entry to decrypt the data encrypted in the pkEncData.
+    If not, then it goes through the full process of verifying and
+    extracting the shared key; if this is successful, then a new entry
+    is created in the inbound profile cache.
+
+    The inbound profile cache should support multiple entries per realm,
+    in the event that the initiating realm is replicated.
+
+
+4.  Finding Realms Supporting PKCROSS
+
+    If either the local realm or the destination realm does not support
+    PKCROSS, or both do not, the mechanism specified in Section 3 can
+    still be used in obtaining the desired remote TGT.
+
+    In the reference Kerberos implementations, the default behavior is
+    to traverse a path up and down the realm name hierarchy, if the
+    two realms do not share a key.  There is, however, the possibility
+    of using cross links--i.e., keys shared between two realms that
+    are non-contiguous in the realm name hierarchy--to shorten the
+    path, both to minimize delay and the number of intermediate realms
+    that need to be trusted.
+
+    PKCROSS can be used as a way to provide cross-links even in the
+    absence of shared keys.  If the client is aware that one or two
+    intermediate realms support PKCROSS, then a combination of
+    PKCROSS and conventional cross-realm authentication can be used
+    to reach the final destination realm.
+
+    We solicit discussion on the best methods for clients and KDCs to
+    determine or advertise support for PKCROSS.
+
+
+5.  Message Ports
+
+    We have not specified the port on which KDCs supporting PKCROSS
+    should listen to receive the request for information messages noted
+    above.  We solicit discussion on which port should be used.  We
+    propose to use the standard Kerberos ports (well-known 88 or 750),
+    but another possibility is to use a completely different port.
+
+    We also solicit discussion on what other approaches can be taken to
+    obtain the information in the RemoteReply (e.g., secure DNS or some
+    other repository).
+
+
+6.  Expiration Date
+
+    This Internet-Draft will expire on September 30, 1997.
+
+
+7.  Authors' Addresses
+
+    Brian Tung
+    Tatyana Ryutov
+    Clifford Neuman
+    Gene Tsudik
+    USC/Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey, CA 90292-6695
+    Phone: +1 310 822 1511
+    E-Mail: {brian, tryutov, bcn, gts}@isi.edu
+
+    Bill Sommerfeld
+    Hewlett Packard
+    300 Apollo Drive
+    Chelmsford MA 01824
+    Phone: +1 508 436 4352
+    E-Mail: sommerfeld@apollo.hp.com
+
+    Ari Medvinsky
+    Matthew Hur
+    CyberSafe Corporation
+    1605 NW Sammamish Road Suite 310
+    Issaquah WA 98027-5378
+    Phone: +1 206 391 6000
+    E-mail: {ari.medvinsky, matt.hur}@cybersafe.com
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt
new file mode 100644
index 0000000..1ab2b03
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-06.txt
@@ -0,0 +1,523 @@
+
+INTERNET-DRAFT                                               Matthew Hur
+draft-ietf-cat-kerberos-pk-cross-06.txt            CyberSafe Corporation
+Updates: RFC 1510                                             Brian Tung
+expires October 10, 2000                                  Tatyana Ryutov
+                                                         Clifford Neuman
+                                                             Gene Tsudik
+                                                                     ISI
+                                                           Ari Medvinsky
+                                                                Keen.com
+                                                         Bill Sommerfeld
+                                                         Hewlett-Packard
+
+
+    Public Key Cryptography for Cross-Realm Authentication in Kerberos
+
+
+0.  Status Of this Memo
+
+    This document is an Internet-Draft and is in full conformance with
+    all provisions of Section 10 of RFC 2026.  Internet-Drafts are
+    working documents of the Internet Engineering Task Force (IETF),
+    its areas, and its working groups.  Note that other groups may
+    also distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as ``work in
+    progress.''
+
+     The list of current Internet-Drafts can be accessed at
+     http://www.ietf.org/ietf/1id-abstracts.txt
+
+     The list of Internet-Draft Shadow Directories can be accessed at
+     http://www.ietf.org/shadow.html.
+
+
+
+    To learn the current status of any Internet-Draft, please check
+    the ``1id-abstracts.txt'' listing contained in the Internet-Drafts
+    Shadow Directories on ftp.ietf.org (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-cross-06.txt, and expires May 15, 1999.
+    Please send comments to the authors.
+
+
+1.  Abstract
+
+    This document defines extensions to the Kerberos protocol 
+    specification [1] to provide a method for using public key 
+    cryptography to enable cross-realm authentication.  The methods 
+    defined here specify the way in which message exchanges are to be 
+    used to transport cross-realm secret keys protected by encryption 
+    under public keys certified as belonging to KDCs.
+
+
+2.  Introduction
+
+    The Kerberos authentication protocol [2]  can leverage the 
+    advantages provided by public key cryptography.  PKINIT [3] 
+    describes the use of public key cryptography in the initial 
+    authentication exchange in Kerberos.  PKTAPP [4] describes how an 
+    application service can essentially issue a kerberos ticket to 
+    itself after utilizing public key cryptography for authentication. 
+    Another informational document species the use of public key 
+    crypography for anonymous authentication in Kerberos [5].  This 
+    specification describes the use of public key crpytography in cross- 
+    realm authentication.
+
+    Without the use of public key cryptography, administrators must 
+    maintain separate keys for every realm which wishes to exchange 
+    authentication information with another realm (which implies n(n-1) 
+    keys), or they must utilize a hierachichal arrangement of realms, 
+    which may complicate the trust model by requiring evaluation of 
+    transited realms.
+
+    Even with the multi-hop cross-realm authentication, there must be 
+    some way to locate the path by which separate realms are to be 
+    transited.  The current method, which makes use of the DNS-like 
+    realm names typical to Kerberos, requires trust of the intermediate 
+    KDCs.
+
+    PKCROSS utilizes a public key infrastructure (PKI) [6] to simplify 
+    the administrative burden of maintaining cross-realm keys.  Such 
+    usage leverages a PKI for a non-centrally-administratable environment 
+    (namely, inter-realm).  Thus, a shared key for cross-realm 
+    authentication can be established for a set period of time, and a 
+    remote realm is able to issue policy information that is returned to 
+    itself when a client requests cross-realm authentication. Such policy 
+    information may be in the form of restrictions [7].  Furthermore, 
+    these methods are transparent to the client; therefore, only the KDCs 
+    need to be modified to use them.  In this way, we take advantage of 
+    the the distributed trust management capabilities of public key 
+    crypography while maintaining the advantages of localized trust 
+    management provided by Kerberos.
+
+
+    Although this specification utilizes the protocol specfied in the 
+    PKINIT specification, it is not necessary to implement client 
+    changes in order to make use of the changes in this document.
+
+
+3.  Objectives
+
+    The objectives of this specification are as follows:
+    
+      1.  Simplify the administration required to establish Kerberos
+          cross-realm keys.
+          
+      2.  Avoid modification of clients and application servers.
+
+      3.  Allow remote KDC to control its policy on cross-realm
+          keys shared between KDCs, and on cross-realm tickets
+          presented by clients.
+
+      4.  Remove any need for KDCs to maintain state about keys
+          shared with other KDCs.
+
+      5.  Leverage the work done for PKINIT to provide the public key
+          protocol for establishing symmetric cross realm keys.
+
+
+4.  Definitions
+
+    The following notation is used throughout this specification:
+    KDC_l ........... local KDC
+    KDC_r ........... remote KDC
+    XTKT_(l,r) ...... PKCROSS ticket that the remote KDC issues to the
+                      local KDC
+    TGT_(c,r) ....... cross-realm TGT that the local KDC issues to the
+                      client for presentation to the remote KDC
+
+    This specification defines the following new types to be added to the 
+    Kerberos specification:
+      PKCROSS kdc-options field in the AS_REQ is bit 9
+      TE-TYPE-PKCROSS-KDC       2
+      TE-TYPE-PKCROSS-CLIENT    3
+
+    This specification defines the following ASN.1 type for conveying
+    policy information:
+    CrossRealmTktData ::= SEQUENCE OF TypedData
+
+    This specification defines the following types for policy information 
+    conveyed in CrossRealmTktData:
+      PLC_LIFETIME              1
+      PLC_SET_TKT_FLAGS         2
+      PLC_NOSET_TKT_FLAGS       3
+
+    TicketExtensions are defined per the Kerberos specification [8]:
+    TicketExtensions ::= SEQUENCE OF TypedData
+      Where
+        TypedData ::=   SEQUENCE {
+            data-type[0]   INTEGER,
+            data-value[1]  OCTET STRING OPTIONAL
+        }
+
+
+5.  Protocol Specification
+
+    We assume that the client has already obtained a TGT.  To perform
+    cross-realm authentication, the client does exactly what it does
+    with ordinary (i.e. non-public-key-enabled) Kerberos; the only
+    changes are in the KDC; although the ticket which the client
+    forwards to the remote realm may be changed.  This is acceptable
+    since the client treats the ticket as opaque.
+
+
+5.1.  Overview of Protocol
+
+    The basic operation of the PKCROSS protocol is as follows:
+
+        1.  The client submits a request to the local KDC for
+            credentials for the remote realm.  This is just a typical
+            cross realm request that may occur with or without PKCROSS. 
+
+        2.  The local KDC submits a PKINIT request to the remote KDC to
+            obtain a "special" PKCROSS ticket.  This is a standard
+            PKINIT request, except that PKCROSS flag (bit 9) is set in
+            the kdc-options field in the AS_REQ.
+
+        3.  The remote KDC responds as per PKINIT, except that
+            the ticket contains a TicketExtension, which contains
+            policy information such as lifetime of cross realm tickets
+            issued by KDC_l to a client.  The local KDC must reflect
+            this policy information in the credentials it forwards to
+            the client.  Call this ticket XTKT_(l,r) to indicate that
+            this ticket is used to authenticate the local KDC to the
+            remote KDC.
+
+        4.  The local KDC passes a ticket, TGT_(c,r) (the cross realm
+            TGT between the client and remote KDC), to the client.
+            This ticket contains in its TicketExtension field the
+            ticket, XTKT_(l,r), which contains the cross-realm key.
+            The TGT_(c,r) ticket is encrypted using the key sealed in
+            XTKT_(l,r).  (The TicketExtension field is not encrypted.)
+            The local KDC may optionally include another TicketExtension
+            type that indicates the hostname and/or IP address for the
+            remote KDC.
+
+        5.  The client submits the request directly to the remote
+            KDC, as before.
+            
+        6.  The remote KDC extracts XTKT_(l,r) from the TicketExtension
+            in order to decrypt the encrypted part of TGT_(c,r).
+
+    --------------------------------------------------------------------
+    
+    Client                Local KDC (KDC_l)           Remote KDC (KDC_r)
+    ------                -----------------           ------------------
+    Normal Kerberos
+    request for
+    cross-realm
+    ticket for KDC_r
+    ---------------------->
+    
+                          PKINIT request for
+                          XTKT(l,r) - PKCROSS flag
+                          set in the AS-REQ
+                          * ------------------------->
+                          
+                                                      PKINIT reply with
+                                                      XTKT_(l,r) and
+                                                      policy info in
+                                                      ticket extension
+                                           <-------------------------- *
+
+                          Normal Kerberos reply
+                          with TGT_(c,r) and
+                          XTKT(l,r) in ticket
+                          extension
+         <--------------------------------- 
+
+    Normal Kerberos
+    cross-realm TGS-REQ
+    for remote
+    application
+    service with
+    TGT_(c,r) and
+    XTKT(l,r) in ticket
+    extension
+    ------------------------------------------------->
+
+                                                      Normal Kerberos
+                                                      cross-realm
+                                                      TGS-REP
+        <---------------------------------------------------------------
+
+    * Note that the KDC to KDC messages occur only periodically, since
+      the local KDC caches the XTKT_(l,r).
+    --------------------------------------------------------------------
+    
+
+    Sections 5.2 through 5.4 describe in detail steps 2 through 4
+    above.  Section 5.6 describes the conditions under which steps
+    2 and 3 may be skipped.
+
+    Note that the mechanism presented above requires infrequent KDC to 
+    KDC communication (as dictated by policy - this is discussed
+    later).  Without such an exchange, there are the following issues:
+    1) KDC_l would have to issue a ticket with the expectation that
+       KDC_r will accept it.
+    2) In the message that the client sends to KDC_r, KDC_l would have
+       to authenticate KDC_r with credentials that KDC_r trusts.
+    3) There is no way for KDC_r to convey policy information to KDC_l.
+    4) If, based on local policy, KDC_r does not accept a ticket from
+       KDC_l, then the client gets stuck in the middle.  To address such
+       an issue would require modifications to standard client
+       processing behavior.
+    Therefore, the infreqeunt use of KDC to KDC communication assures
+    that inter-realm KDC keys may be established in accordance with local
+    policies and that clients may continue to operate without
+    modification.
+
+
+5.2.  Local KDC's Request to Remote KDC
+
+    When the local KDC receives a request for cross-realm authentication, 
+    it first checks its ticket cache to see if it has a valid PKCROSS 
+    ticket, XTKT_(l,r).  If it has a valid XTKT_(l,r), then it does not 
+    need to send a request to the remote KDC (see section 5.5).
+
+    If the local KDC does not have a valid XTKT_(l,r), it sends a     
+    request to the remote KDC in order to establish a cross realm key and 
+    obtain the XTKT_(l,r).  This request is in fact a PKINIT request as 
+    described in the PKINIT specification; i.e., it consists of an AS-REQ 
+    with a PA-PK-AS-REQ included as a preauthentication field.  Note, 
+    that the AS-REQ MUST have the PKCROSS flag (bit 9) set in the 
+    kdc_options field of the AS-REQ.  Otherwise, this exchange exactly 
+    follows the description given in the PKINIT specification.  In 
+    addition, the naming
+
+
+5.3.  Remote KDC's Response to Local KDC
+
+    When the remote KDC receives the PKINIT/PKCROSS request from the
+    local KDC, it sends back a PKINIT response as described in
+    the PKINIT specification with the following exception: the encrypted
+    part of the Kerberos ticket is not encrypted with the krbtgt key;
+    instead, it is encrypted with the ticket granting server's PKCROSS
+    key.  This key, rather than the krbtgt key, is used because it
+    encrypts a ticket used for verifying a cross realm request rather
+    than for issuing an application service ticket.  Note that, as a
+    matter of policy, the session key for the XTKT_(l,r) MAY be of
+    greater strength than that of a session key for a normal PKINIT
+    reply, since the XTKT_(l,r) SHOULD be much longer lived than a
+    normal application service ticket.
+
+    In addition, the remote KDC SHOULD include policy information in the 
+    XTKT_(l,r).  This policy information would then be reflected in the 
+    cross-realm TGT, TGT_(c,r).  Otherwise, the policy for TGT_(c,r) 
+    would be dictated by KDC_l rather than by KDC_r.  The local KDC MAY 
+    enforce a more restrictive local policy when creating a cross-realm 
+    ticket, TGT_(c,r).  For example, KDC_r  may dictate a lifetime 
+    policy of eight hours, but KDC_l may create TKT_(c,r) with a 
+    lifetime of four hours, as dictated by local policy.  Also, the 
+    remote KDC MAY include other information about itself along with the 
+    PKCROSS ticket.  These items are further discussed in section 6 
+    below.
+
+
+5.4.  Local KDC's Response to Client
+
+    Upon receipt of the PKINIT/CROSS response from the remote KDC,
+    the local KDC formulates a response to the client.  This reply
+    is constructed exactly as in the Kerberos specification, except
+    for the following:
+
+    A) The local KDC places XTKT_(l,r) in the TicketExtension field of
+       the client's cross-realm, ticket, TGT_(c,r), for the remote realm.
+       Where
+          data-type   equals 3 for TE-TYPE-PKCROSS-CLIENT
+          data-value  is ASN.1 encoding of XTKT_(l,r)
+     
+    B) The local KDC adds the name of its CA to the transited field of
+       TGT_(c,r).
+
+
+5.5   Remote KDC's Processing of Client Request
+
+    When the remote KDC, KDC_r, receives a cross-realm ticket, 
+    TGT_(c,r), and it detects that the ticket contains a ticket 
+    extension of type TE-TYPE-PKCROSS-CLIENT, KDC_r must first decrypt 
+    the ticket, XTKT_(l,r), that is encoded in the ticket extension.  
+    KDC_r uses its PKCROSS key in order to decrypt XTKT_(l,r).  KDC_r 
+    then uses the key obtained from XTKT_(l,r) in order to decrypt the 
+    cross-realm ticket, TGT_(c,r).
+
+    KDC_r MUST verify that the cross-realm ticket, TGT_(c,r) is in 
+    compliance with any policy information contained in XTKT_(l,r) (see 
+    section 6).  If the TGT_(c,r) is not in compliance with policy, then 
+    the KDC_r responds to the client with a KRB-ERROR message of type 
+    KDC_ERR_POLICY.
+
+    
+5.6.  Short-Circuiting the KDC-to-KDC Exchange
+
+    As we described earlier, the KDC to KDC exchange is required only 
+    for establishing a symmetric, inter-realm key.  Once this key is 
+    established (via the PKINIT exchange), no KDC to KDC communication 
+    is required until that key needs to be renewed.  This section 
+    describes the circumstances under which the KDC to KDC exchange 
+    described in Sections 5.2 and 5.3 may be skipped.
+
+    The local KDC has a known lifetime for TGT_(c,r).  This lifetime may 
+    be determined by policy information included in XTKT_(l,r), and/or 
+    it may be determined by local KDC policy.  If the local KDC already 
+    has a ticket XTKT(l,r), and the start time plus the lifetime for 
+    TGT_(c,r) does not exceed the expiration time for XTGT_(l,r), then 
+    the local KDC may skip the exchange with the remote KDC, and issue a 
+    cross-realm ticket to the client as described in Section 5.4.
+
+    Since the remote KDC may change its PKCROSS key (referred to in 
+    Section 5.2) while there are PKCROSS tickets still active, it SHOULD 
+    cache the old PKCROSS keys until the last issued PKCROSS ticket 
+    expires.  Otherwise, the remote KDC will respond to a client with a 
+    KRB-ERROR message of type KDC_ERR_TGT_REVOKED.
+
+
+6.  Extensions for the PKCROSS Ticket
+
+    As stated in section 5.3, the remote KDC SHOULD include policy 
+    information in XTKT_(l,r).  This policy information is contained in 
+    a TicketExtension, as defined by the Kerberos specification, and the 
+    authorization data of the ticket will contain an authorization 
+    record of type AD-IN-Ticket-Extensions.  The TicketExtension defined 
+    for use by PKCROSS is TE-TYPE-PKCROSS-KDC.
+      Where
+        data-type   equals 2 for TE-TYPE-PKCROSS-KDC
+        data-value  is ASN.1 encoding of CrossRealmTktData
+
+      CrossRealmTktData ::= SEQUENCE OF TypedData
+
+
+      ------------------------------------------------------------------
+      CrossRealmTktData types and the corresponding data are interpreted 
+      as follows:
+
+                                                            ASN.1 data
+      type                value   interpretation            encoding
+      ----------------    -----   --------------            ----------
+      PLC_LIFETIME          1     lifetime (in seconds)     INTEGER
+                                  for TGT_(c,r) 
+                                  - cross-realm tickets
+                                    issued for clients by
+                                    TGT_l
+
+      PLC_SET_TKT_FLAGS     2     TicketFlags that must     BITSTRING
+                                  be set
+                                  - format defined by
+                                    Kerberos specification
+
+      PLC_NOSET_TKT_FLAGS   3     TicketFlags that must     BITSTRING
+                                  not be set
+                                  - format defined by
+                                    Kerberos specification
+
+      Further types may be added to this table.
+      ------------------------------------------------------------------
+
+
+7.  Usage of Certificates
+
+    In the cases of PKINIT and PKCROSS, the trust in a certification 
+    authority is equivalent to Kerberos cross realm trust.  For this 
+    reason, an implementation MAY choose to use the same KDC certificate 
+    when the KDC is acting in any of the following three roles:
+      1) KDC is authenticating clients via PKINIT
+      2) KDC is authenticating another KDC for PKCROSS 
+      3) KDC is the client in a PKCROSS exchange with another KDC
+
+    Note that per PKINIT, the KDC X.509 certificate (the server in a 
+    PKINIT exchange) MUST contain the principal name of the KDC in the 
+    subjectAltName field.
+
+
+8.  Transport Issues
+
+    Because the messages between the KDCs involve PKINIT exchanges, and 
+    PKINIT recommends TCP as a transport mechanism (due to the length of 
+    the messages and the likelihood that they will fragment), the same 
+    recommendation for TCP applies to PKCROSS as well.
+
+    
+9. Security Considerations
+
+   Since PKCROSS utilizes PKINIT, it is subject to the same security
+   considerations as PKINIT.  Administrators should assure adherence 
+   to security policy - for example, this affects the PKCROSS policies
+   for cross realm key lifetime and for policy propogation from the 
+   PKCROSS ticket, issued from a remote KDC to a local KDC, to
+   cross realm tickets that are issued by a local KDC to a client.
+
+
+10. Bibliography
+
+  [1] J. Kohl, C. Neuman.  The Kerberos Network Authentication Service 
+  (V5).  Request for Comments 1510.
+
+  [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service
+  for Computer Networks, IEEE Communications, 32(9):33-38.  September
+  1994.
+
+  [3] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S.Medvinsky, J. Wray
+  J. Trostle.  Public Key Cryptography for Initial Authentication
+  in Kerberos.
+  draft-ietf-cat-kerberos-pk-init-11.txt
+
+  [4] A. Medvinsky, M. Hur, S. Medvinsky, B. Clifford Neuman.  Public 
+  Key Utilizing Tickets for Application Servers (PKTAPP). draft-ietf-
+  cat-pktapp-02.txt
+
+  [5] A. Medvinsky, J. Cargille, M. Hur.  Anonymous Credentials in
+  Kerberos. draft-ietf-cat-kerberos-anoncred-01.txt
+
+  [6] ITU-T (formerly CCITT) Information technology - Open Systems
+  Interconnection - The Directory: Authentication Framework
+  Recommendation X.509 ISO/IEC 9594-8
+    
+  [7] B.C. Neuman, Proxy-Based Authorization and Accounting for 
+  Distributed Systems.  In Proceedings of the 13th International 
+  Conference on Distributed Computing Systems, May 1993.
+
+  [8] C.Neuman, J. Kohl, T. Ts'o.  The Kerberos Network Authentication 
+  Service (V5). draft-ietf-cat-kerberos-revisions-05.txt
+
+
+11. Authors' Addresses
+
+    Matthew Hur
+    CyberSafe Corporation
+    1605 NW Sammamish Road
+    Issaquah WA 98027-5378
+    Phone: +1 425 391 6000
+    E-mail: matt.hur@cybersafe.com
+
+    Brian Tung
+    Tatyana Ryutov
+    Clifford Neuman
+    Gene Tsudik
+    USC/Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey, CA 90292-6695
+    Phone: +1 310 822 1511
+    E-Mail: {brian, tryutov, bcn, gts}@isi.edu
+
+    Ari Medvinsky
+    Keen.com
+    2480 Sand Hill Road, Suite 200
+    Menlo Park, CA 94025
+    Phone +1 650 289 3134
+    E-mail: ari@keen.com
+
+    Bill Sommerfeld
+    Hewlett Packard
+    300 Apollo Drive
+    Chelmsford MA 01824
+    Phone: +1 508 436 4352
+    E-Mail: sommerfeld@apollo.hp.com
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-03.txt
new file mode 100644
index 0000000..d91c087
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-03.txt
@@ -0,0 +1,589 @@
+
+INTERNET-DRAFT                                         Clifford Neuman
+draft-ietf-cat-kerberos-pk-init-03.txt                      Brian Tung
+Updates: RFC 1510                                                  ISI
+expires September 30, 1997                                   John Wray
+                                         Digital Equipment Corporation
+                                                         Ari Medvinsky
+                                                           Matthew Hur
+                                                 CyberSafe Corporation
+                                                      Jonathan Trostle
+                                                                Novell
+
+
+    Public Key Cryptography for Initial Authentication in Kerberos
+
+
+0.  Status Of this Memo
+
+    This document is an Internet-Draft.  Internet-Drafts are working
+    documents of the Internet Engineering Task Force (IETF), its
+    areas, and its working groups.  Note that other groups may also
+    distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as "work in
+    progress."
+
+    To learn the current status of any Internet-Draft, please check
+    the "1id-abstracts.txt" listing contained in the Internet-Drafts
+    Shadow Directories on ds.internic.net (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-init-03.txt, and expires September 30,
+    1997.  Please send comments to the authors.
+
+
+1.  Abstract
+
+    This document defines extensions (PKINIT) to the Kerberos protocol
+    specification (RFC 1510 [1]) to provide a method for using public
+    key cryptography during initial authentication.  The methods
+    defined specify the ways in which preauthentication data fields and
+    error data fields in Kerberos messages are to be used to transport
+    public key data.
+
+
+2.  Introduction
+
+    The popularity of public key cryptography has produced a desire for
+    its support in Kerberos [2].  The advantages provided by public key
+    cryptography include simplified key management (from the Kerberos
+    perspective) and the ability to leverage existing and developing
+    public key certification infrastructures.
+
+    Public key cryptography can be integrated into Kerberos in a number
+    of ways.  One is to to associate a key pair with each realm, which
+    can then be used to facilitate cross-realm authentication; this is
+    the topic of another draft proposal.  Another way is to allow users
+    with public key certificates to use them in initial authentication.
+    This is the concern of the current document.
+
+    One of the guiding principles in the design of PKINIT is that
+    changes should be as minimal as possible.  As a result, the basic
+    mechanism of PKINIT is as follows:  The user sends a request to the
+    KDC as before, except that if that user is to use public key
+    cryptography in the initial authentication step, his certificate
+    accompanies the initial request, in the preauthentication fields.
+
+    Upon receipt of this request, the KDC verifies the certificate and
+    issues a ticket granting ticket (TGT) as before, except that instead
+    of being encrypted in the user's long-term key (which is derived
+    from a password), it is encrypted in a randomly-generated key.  This
+    random key is in turn encrypted using the public key certificate
+    that came with the request and signed using the KDC's signature key,
+    and accompanies the reply, in the preauthentication fields.
+
+    PKINIT also allows for users with only digital signature keys to
+    authenticate using those keys, and for users to store and retrieve
+    private keys on the KDC.
+
+    The PKINIT specification may also be used for direct peer to peer
+    authentication without contacting a central KDC. This application
+    of PKINIT is described in PKTAPP [4] and is based on concepts
+    introduced in [5, 6]. For direct client-to-server authentication,
+    the client uses PKINIT to authenticate to the end server (instead
+    of a central KDC), which then issues a ticket for itself.  This
+    approach has an advantage over SSL [7] in that the server does not
+    need to save state (cache session keys).  Furthermore, an
+    additional benefit is that Kerberos tickets can facilitate
+    delegation (see [8]).
+
+
+3.  Proposed Extensions
+
+    This section describes extensions to RFC 1510 for supporting the
+    use of public key cryptography in the initial request for a ticket
+    granting ticket (TGT).
+
+    In summary, the following changes to RFC 1510 are proposed:
+
+        --> Users may authenticate using either a public key pair or a
+            conventional (symmetric) key.  If public key cryptography is
+            used, public key data is transported in preauthentication
+            data fields to help establish identity.
+        --> Users may store private keys on the KDC for retrieval during
+            Kerberos initial authentication.
+
+    This proposal addresses two ways that users may use public key
+    cryptography for initial authentication.  Users may present public
+    key certificates, or they may generate their own session key,
+    signed by their digital signature key.  In either case, the end
+    result is that the user obtains an ordinary TGT that may be used for
+    subsequent authentication, with such authentication using only
+    conventional cryptography.
+
+    Section 3.1 provides definitions to help specify message formats.
+    Section 3.2 and 3.3 describe the extensions for the two initial
+    authentication methods.  Section 3.3 describes a way for the user to
+    store and retrieve his private key on the KDC.
+
+
+3.1.  Definitions
+
+    Hash and encryption types will be specified using ENCTYPE tags; we
+    propose the addition of the following types:
+
+        #define ENCTYPE_SIGN_DSA_GENERATE   0x0011
+        #define ENCTYPE_SIGN_DSA_VERIFY     0x0012
+        #define ENCTYPE_ENCRYPT_RSA_PRIV    0x0021
+        #define ENCTYPE_ENCRYPT_RSA_PUB     0x0022
+
+    allowing further signature types to be defined in the range 0x0011
+    through 0x001f, and further encryption types to be defined in the
+    range 0x0021 through 0x002f.
+
+    The extensions involve new preauthentication fields.  The
+    preauthentication data types are in the range 17 through 21.
+    These values are also specified along with their corresponding
+    ASN.1 definition.
+
+        #define PA-PK-AS-REQ                17
+        #define PA-PK-AS-REP                18
+        #define PA-PK-AS-SIGN               19
+        #define PA-PK-KEY-REQ               20
+        #define PA-PK-KEY-REP               21
+
+    The extensions also involve new error types.  The new error types
+    are in the range 227 through 229.  They are:
+
+        #define KDC_ERROR_CLIENT_NOT_TRUSTED    227
+        #define KDC_ERROR_KDC_NOT_TRUSTED       228
+        #define KDC_ERROR_INVALID_SIG           229
+
+    In the exposition below, we use the following terms: encryption key,
+    decryption key, signature key, verification key.  It should be
+    understood that encryption and verification keys are essentially
+    public keys, and decryption and signature keys are essentially
+    private keys.  The fact that they are logically distinct does
+    not preclude the assignment of bitwise identical keys.
+
+
+3.2.  Standard Public Key Authentication
+
+    Implementation of the changes in this section is REQUIRED for
+    compliance with pk-init.
+
+    It is assumed that all public keys are signed by some certification
+    authority (CA).  The initial authentication request is sent as per
+    RFC 1510, except that a preauthentication field containing data
+    signed by the user's signature key accompanies the request:
+
+    PA-PK-AS-REQ ::- SEQUENCE {
+                                -- PA TYPE 17
+        signedPKAuth            [0] SignedPKAuthenticator,
+        userCert                [1] SEQUENCE OF Certificate OPTIONAL,
+                                    -- the user's certificate
+                                    -- optionally followed by that
+                                    -- certificate's certifier chain
+        trustedCertifiers       [2] SEQUENCE OF PrincipalName OPTIONAL
+                                    -- CAs that the client trusts
+    }
+
+    SignedPKAuthenticator ::= SEQUENCE {
+        pkAuth                  [0] PKAuthenticator,
+        pkAuthSig               [1] Signature,
+                                    -- of pkAuth
+                                    -- using user's signature key
+    }
+
+    PKAuthenticator ::= SEQUENCE {
+        cusec                   [0] INTEGER,
+                                    -- for replay prevention
+        ctime                   [1] KerberosTime,
+                                    -- for replay prevention
+        nonce                   [2] INTEGER,
+                                    -- binds response to this request
+        kdcName                 [3] PrincipalName,
+        clientPubValue          [4] SubjectPublicKeyInfo OPTIONAL,
+                                    -- for Diffie-Hellman algorithm
+    }
+
+    Signature ::= SEQUENCE {
+        signedHash              [0] EncryptedData
+                                    -- of type Checksum
+                                    -- encrypted under signature key
+    }
+
+    Checksum ::=   SEQUENCE {
+        cksumtype               [0] INTEGER,
+        checksum                [1] OCTET STRING
+    }   -- as specified by RFC 1510
+
+    SubjectPublicKeyInfo ::= SEQUENCE {
+        algorithm               [0] algorithmIdentifier,
+        subjectPublicKey        [1] BIT STRING
+    }   -- as specified by the X.509 recommendation [9]
+
+    Certificate ::= SEQUENCE {
+        CertType                [0] INTEGER,
+                                    -- type of certificate
+                                    -- 1 = X.509v3 (DER encoding)
+                                    -- 2 = PGP (per PGP draft)
+        CertData                [1] OCTET STRING
+                                    -- actual certificate
+                                    -- type determined by CertType
+    }
+
+    Note: If the signature uses RSA keys, then it is to be performed
+    as per PKCS #1.
+
+    The PKAuthenticator carries information to foil replay attacks,
+    to bind the request and response, and to optionally pass the
+    client's Diffie-Hellman public value (i.e. for using DSA in
+    combination with Diffie-Hellman).  The PKAuthenticator is signed
+    with the private key corresponding to the public key in the
+    certificate found in userCert (or cached by the KDC).
+
+    In the PKAuthenticator, the client may specify the KDC name in one
+    of two ways: 1) a Kerberos principal name, or 2) the name in the
+    KDC's certificate (e.g., an X.500 name, or a PGP name).  Note that
+    case #1 requires that the certificate name and the Kerberos principal
+    name be bound together (e.g., via an X.509v3 extension).
+
+    The userCert field is a sequence of certificates, the first of which
+    must be the user's public key certificate. Any subsequent
+    certificates will be certificates of the certifiers of the user's
+    certificate.  These cerificates may be used by the KDC to verify the
+    user's public key.  This field is empty if the KDC already has the
+    user's certifcate.
+
+    The trustedCertifiers field contains a list of certification
+    authorities trusted by the client, in the case that the client does
+    not possess the KDC's public key certificate.
+
+    Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication
+    type, the KDC attempts to verify the user's certificate chain
+    (userCert), if one is provided in the request.  This is done by
+    verifying the certification path against the KDC's policy of
+    legitimate certifiers.  This may be based on a certification
+    hierarchy, or it may be simply a list of recognized certifiers in a
+    system like PGP.  If the certification path does not match one of
+    the KDC's trusted certifiers, the KDC sends back an error message of
+    type KDC_ERROR_CLIENT_NOT_TRUSTED, and it includes in the error data
+    field a list of its own trusted certifiers, upon which the client
+    resends the request.
+
+    If  trustedCertifiers is provided in the PA-PK-AS-REQ, the KDC
+    verifies that it has a certificate issued by one of the certifiers
+    trusted by the client.  If it does not have a suitable certificate,
+    the KDC returns an error message of type KDC_ERROR_KDC_NOT_TRUSTED
+    to the client. 
+
+    If a trust relationship exists, the KDC then verifies the client's
+    signature on PKAuthenticator.  If that fails, the KDC returns an
+    error message of type KDC_ERROR_INVALID_SIG.  Otherwise, the KDC
+    uses the timestamp in the PKAuthenticator to assure that the request
+    is not a replay.   The KDC also verifies that its name is specified
+    in PKAuthenticator.
+
+    Assuming no errors, the KDC replies as per RFC 1510, except that it
+    encrypts the reply not with the user's key, but with a random key
+    generated only for this particular response.  This random key
+    is sealed in the preauthentication field:
+
+    PA-PK-AS-REP ::= SEQUENCE {
+                               -- PA TYPE 18
+        kdcCert                 [0] SEQUENCE OF Certificate OPTIONAL,
+                                    -- the KDC's certificate
+                                    -- optionally followed by that
+                                    -- certificate's certifier chain
+        encPaReply              [1] EncryptedData,
+                                    -- of type PaReply
+                                    -- using either the client public
+                                    -- key or the Diffie-Hellman key
+                                    -- specified by SignedDHPublicValue
+        signedDHPublicValue     [2] SignedDHPublicValue OPTIONAL
+    }
+
+
+    PaReply ::= SEQUENCE {
+        replyEncKeyPack         [0] ReplyEncKeyPack,
+        replyEncKeyPackSig      [1] Signature,
+                                    -- of replyEncKeyPack
+                                    -- using KDC's signature key
+    }
+
+    ReplyEncKeyPack ::= SEQUENCE {
+        replyEncKey             [0] EncryptionKey,
+                                    -- used to encrypt main reply
+        nonce                   [1] INTEGER
+                                    -- binds response to the request
+                                    -- passed in the PKAuthenticator
+    }
+
+    SignedDHPublicValue ::= SEQUENCE {
+        dhPublicValue           [0] SubjectPublicKeyInfo,
+        dhPublicValueSig        [1] Signature
+                                    -- of dhPublicValue
+                                    -- using KDC's signature key
+    }
+
+    The kdcCert field is a sequence of certificates, the first of which
+    must have as its root certifier one of the certifiers sent to the
+    KDC in the PA-PK-AS-REQ. Any subsequent certificates will be 
+    certificates of the certifiers of the KDC's certificate.  These
+    cerificates may be used by the client to verify the KDC's public
+    key.  This field is empty if the client did not send to the KDC a
+    list of trusted certifiers (the trustedCertifiers field was empty).
+    
+    Since each certifier in the certification path of a user's
+    certificate is essentially a separate realm, the name of each
+    certifier shall be added to the transited field of the ticket.  The
+    format of these realm names shall follow the naming constraints set
+    forth in RFC 1510 (sections 7.1 and 3.3.3.1).  Note that this will
+    require new nametypes to be defined for PGP certifiers and other
+    types of realms as they arise.
+
+    The KDC's certificate must bind the public key to a name derivable
+    from the name of the realm for that KDC.  The client then extracts
+    the random key used to encrypt the main reply.  This random key (in
+    encPaReply) is encrypted with either the client's public key or
+    with a key derived from the DH values exchanged between the client
+    and the KDC.
+
+
+3.3.  Digital Signature
+
+    Implementation of the changes in this section are OPTIONAL for
+    compliance with pk-init.
+
+    We offer this option with the warning that it requires the client to
+    generate a random key; the client may not be able to guarantee the
+    same level of randomness as the KDC.
+
+    If the user registered a digital signature key with the KDC instead
+    of an encryption key, then a separate exchange must be used.  The
+    client sends a request for a TGT as usual, except that it (rather
+    than the KDC) generates the random key that will be used to encrypt
+    the KDC response.  This key is sent to the KDC along with the
+    request in a preauthentication field:
+
+    PA-PK-AS-SIGN ::= SEQUENCE {
+                                -- PA TYPE 19
+        encSignedKeyPack        [0] EncryptedData
+                                    -- of SignedKeyPack
+                                    -- using the KDC's public key
+    }
+
+    SignedKeyPack ::= SEQUENCE {
+        signedKey               [0] KeyPack,
+        signedKeyAuth           [1] PKAuthenticator,
+        signedKeySig            [2] Signature
+                                    -- of signedKey.signedKeyAuth
+                                    -- using user's signature key
+    }
+
+    KeyPack ::= SEQUENCE {
+        randomKey               [0] EncryptionKey,
+                                    -- will be used to encrypt reply
+        nonce                   [1] INTEGER
+    }
+
+    where the nonce is copied from the request.
+
+    Upon receipt of the PA-PK-AS-SIGN, the KDC decrypts then verifies
+    the randomKey.  It then replies as per RFC 1510, except that the
+    reply is encrypted not with a password-derived user key, but with
+    the randomKey sent in the request.  Since the client already knows
+    this key, there is no need to accompany the reply with an extra
+    preauthentication field.  The transited field of the ticket should
+    specify the certification path as described in Section 3.2.
+
+
+3.4.  Retrieving the Private Key From the KDC
+
+    Implementation of the changes in this section is RECOMMENDED for
+    compliance with pk-init.
+
+    When the user's private key is not stored local to the user, he may
+    choose to store the private key (normally encrypted using a
+    password-derived key) on the KDC.  We provide this option to present
+    the user with an alternative to storing the private key on local
+    disk at each machine where he expects to authenticate himself using
+    pk-init.  It should be noted that it replaces the added risk of
+    long-term storage of the private key on possibly many workstations
+    with the added risk of storing the private key on the KDC in a
+    form vulnerable to brute-force attack.
+
+    In order to obtain a private key, the client includes a
+    preauthentication field with the AS-REQ message:
+
+    PA-PK-KEY-REQ ::= SEQUENCE {
+                                -- PA TYPE 20
+        patimestamp             [0] KerberosTime OPTIONAL, 
+                                    -- used to address replay attacks.
+        pausec                  [1] INTEGER OPTIONAL,
+                                    -- used to address replay attacks.
+        nonce                   [2] INTEGER,
+                                    -- binds the reply to this request
+        privkeyID               [3] SEQUENCE OF KeyID OPTIONAL
+                                    -- constructed as a hash of
+                                    -- public key corresponding to
+                                    -- desired private key
+    }
+
+    KeyID ::= SEQUENCE {
+        KeyIdentifier           [0] OCTET STRING
+    }
+
+    The client may request a specific private key by sending the
+    corresponding ID.  If this field is left empty, then all
+    private keys are returned.
+
+    If all checks out, the KDC responds as described in the above
+    sections, except that an additional preauthentication field,
+    containing the user's private key, accompanies the reply:
+
+    PA-PK-KEY-REP ::= SEQUENCE {
+                                -- PA TYPE 21
+        nonce                   [0] INTEGER,
+                                    -- binds the reply to the request
+        KeyData                 [1] SEQUENCE OF KeyPair
+    }
+
+    KeyPair ::= SEQUENCE {
+        privKeyID               [0] OCTET STRING,
+                                    -- corresponding to encPrivKey
+        encPrivKey              [1] OCTET STRING
+    }
+
+
+3.4.1.  Additional Protection of Retrieved Private Keys
+
+    We solicit discussion on the following proposal: that the client may
+    optionally include in its request additional data to encrypt the
+    private key, which is currently only protected by the user's
+    password.  One possibility is that the client might generate a
+    random string of bits, encrypt it with the public key of the KDC (as
+    in the SignedKeyPack, but with an ordinary OCTET STRING in place of
+    an EncryptionKey), and include this with the request.  The KDC then
+    XORs each returned key with this random bit string.  (If the bit
+    string is too short, the KDC could either return an error, or XOR
+    the returned key with a repetition of the bit string.)
+
+    In order to make this work, additional means of preauthentication
+    need to be devised in order to prevent attackers from simply
+    inserting their own bit string.  One way to do this is to store
+    a hash of the password-derived key (the one used to encrypt the
+    private key).  This hash is then used in turn to derive a second
+    key (called the hash-key); the hash-key is used to encrypt an ASN.1
+    structure containing the generated bit string and a nonce value
+    that binds it to the request.
+
+    Since the KDC possesses the hash, it can generate the hash-key and
+    verify this (weaker) preauthentication, and yet cannot reproduce
+    the private key itself, since the hash is a one-way function.
+
+
+4.  Logistics and Policy Issues
+
+    We solicit discussion on how clients and KDCs should be configured
+    in order to determine which of the options described above (if any)
+    should be used.  One possibility is to set the user's database
+    record to indicate that authentication is to use public key
+    cryptography; this will not work, however, in the event that the
+    client needs to know before making the initial request.
+
+5.  Compatibility with One-Time Passcodes
+
+    We solicit discussion on how the protocol changes proposed in this
+    draft will interact with the proposed use of one-time passcodes
+    discussed in draft-ietf-cat-kerberos-passwords-00.txt.
+
+
+6.  Strength of Cryptographic Schemes
+
+    In light of recent findings on the strength of MD5 and DES,
+    we solicit discussion on which encryption types to incorporate
+    into the protocol changes.
+
+
+7.  Bibliography
+
+    [1] J. Kohl, C. Neuman.  The Kerberos Network Authentication
+    Service (V5).  Request for Comments: 1510
+
+    [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service
+    for Computer Networks, IEEE Communications, 32(9):33-38.
+    September 1994.
+
+    [3] A. Medvinsky, M. Hur.  Addition of Kerberos Cipher Suites to
+    Transport Layer Security (TLS).
+    draft-ietf-tls-kerb-cipher-suites-00.txt
+
+    [4] A. Medvinsky, M. Hur, B. Clifford Neuman.  Public Key Utilizing
+    Tickets for Application Servers (PKTAPP).
+    draft-ietf-cat-pktapp-00.txt
+
+    [5] M. Sirbu, J. Chuang.  Distributed Authentication in Kerberos Using 
+    Public Key Cryptography.  Symposium On Network and Distributed System 
+    Security, 1997.
+
+    [6] B. Cox, J.D. Tygar, M. Sirbu.  NetBill Security and Transaction 
+    Protocol.  In Proceedings of the USENIX Workshop on Electronic Commerce,
+    July 1995.
+
+    [7] Alan O. Freier, Philip Karlton and Paul C. Kocher.
+    The SSL Protocol, Version 3.0 - IETF Draft. 
+
+    [8] B.C. Neuman, Proxy-Based Authorization and Accounting for 
+    Distributed Systems.  In Proceedings of the 13th International 
+    Conference on Distributed Computing Systems, May 1993
+
+    [9] ITU-T (formerly CCITT)
+    Information technology - Open Systems Interconnection -
+    The Directory: Authentication Framework Recommendation X.509
+    ISO/IEC 9594-8
+
+
+8.  Acknowledgements
+
+    Some of the ideas on which this proposal is based arose during
+    discussions over several years between members of the SAAG, the IETF
+    CAT working group, and the PSRG, regarding integration of Kerberos
+    and SPX.  Some ideas have also been drawn from the DASS system.
+    These changes are by no means endorsed by these groups.  This is an
+    attempt to revive some of the goals of those groups, and this
+    proposal approaches those goals primarily from the Kerberos
+    perspective.  Lastly, comments from groups working on similar ideas
+    in DCE have been invaluable.
+
+
+9.  Expiration Date
+
+    This draft expires September 30, 1997.
+
+
+10.  Authors
+
+    Clifford Neuman
+    Brian Tung
+    USC Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey CA 90292-6695
+    Phone: +1 310 822 1511
+    E-mail: {bcn, brian}@isi.edu
+
+    John Wray
+    Digital Equipment Corporation
+    550 King Street, LKG2-2/Z7
+    Littleton, MA 01460
+    Phone: +1 508 486 5210
+    E-mail: wray@tuxedo.enet.dec.com
+
+    Ari Medvinsky
+    Matthew Hur
+    CyberSafe Corporation
+    1605 NW Sammamish Road Suite 310
+    Issaquah WA 98027-5378
+    Phone: +1 206 391 6000
+    E-mail: {ari.medvinsky, matt.hur}@cybersafe.com
+
+    Jonathan Trostle
+    Novell
+    E-mail: jonathan.trostle@novell.com
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt
new file mode 100644
index 0000000..9b0e76ad
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-11.txt
@@ -0,0 +1,1059 @@
+INTERNET-DRAFT                                                Brian Tung
+draft-ietf-cat-kerberos-pk-init-11.txt                   Clifford Neuman
+Updates: RFC 1510                                                USC/ISI
+expires September 15, 2000                                   Matthew Hur
+                                                   CyberSafe Corporation
+                                                           Ari Medvinsky
+                                                          Keen.com, Inc.
+                                                         Sasha Medvinsky
+                                                                Motorola
+                                                               John Wray
+                                                   Iris Associates, Inc.
+                                                        Jonathan Trostle
+                                                                   Cisco
+
+    Public Key Cryptography for Initial Authentication in Kerberos
+
+0.  Status Of This Memo
+
+    This document is an Internet-Draft and is in full conformance with
+    all provisions of Section 10 of RFC 2026.  Internet-Drafts are
+    working documents of the Internet Engineering Task Force (IETF),
+    its areas, and its working groups.  Note that other groups may also
+    distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as "work in
+    progress."
+
+    The list of current Internet-Drafts can be accessed at
+    http://www.ietf.org/ietf/1id-abstracts.txt
+
+    The list of Internet-Draft Shadow Directories can be accessed at
+    http://www.ietf.org/shadow.html.
+
+    To learn the current status of any Internet-Draft, please check
+    the "1id-abstracts.txt" listing contained in the Internet-Drafts
+    Shadow Directories on ftp.ietf.org (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-init-11.txt, and expires September 15,
+    2000.  Please send comments to the authors.
+
+1.  Abstract
+
+    This document defines extensions (PKINIT) to the Kerberos protocol
+    specification (RFC 1510 [1]) to provide a method for using public
+    key cryptography during initial authentication.  The methods
+    defined specify the ways in which preauthentication data fields and
+    error data fields in Kerberos messages are to be used to transport
+    public key data.
+
+2.  Introduction
+
+    The popularity of public key cryptography has produced a desire for
+    its support in Kerberos [2].  The advantages provided by public key
+    cryptography include simplified key management (from the Kerberos
+    perspective) and the ability to leverage existing and developing
+    public key certification infrastructures.
+
+    Public key cryptography can be integrated into Kerberos in a number
+    of ways.  One is to associate a key pair with each realm, which can
+    then be used to facilitate cross-realm authentication; this is the
+    topic of another draft proposal.  Another way is to allow users with
+    public key certificates to use them in initial authentication.  This
+    is the concern of the current document.
+
+    PKINIT utilizes ephemeral-ephemeral Diffie-Hellman keys in
+    combination with digital signature keys as the primary, required
+    mechanism.  It also allows for the use of RSA keys and/or (static)
+    Diffie-Hellman certificates.  Note in particular that PKINIT supports
+    the use of separate signature and encryption keys.
+
+    PKINIT enables access to Kerberos-secured services based on initial
+    authentication utilizing public key cryptography.  PKINIT utilizes
+    standard public key signature and encryption data formats within the
+    standard Kerberos messages.  The basic mechanism is as follows:  The
+    user sends an AS-REQ message to the KDC as before, except that if that
+    user is to use public key cryptography in the initial authentication
+    step, his certificate and a signature accompany the initial request
+    in the preauthentication fields.  Upon receipt of this request, the
+    KDC verifies the certificate and issues a ticket granting ticket
+    (TGT) as before, except that the encPart from the AS-REP message
+    carrying the TGT is now encrypted utilizing either a Diffie-Hellman
+    derived key or the user's public key.  This message is authenticated
+    utilizing the public key signature of the KDC.
+
+    Note that PKINIT does not require the use of certificates.  A KDC
+    may store the public key of a principal as part of that principal's
+    record.  In this scenario, the KDC is the trusted party that vouches
+    for the principal (as in a standard, non-cross realm, Kerberos
+    environment).  Thus, for any principal, the KDC may maintain a
+    secret key, a public key, or both.
+
+    The PKINIT specification may also be used as a building block for
+    other specifications.  PKCROSS [3] utilizes PKINIT for establishing
+    the inter-realm key and associated inter-realm policy to be applied
+    in issuing cross realm service tickets.  As specified in [4],
+    anonymous Kerberos tickets can be issued by applying a NULL
+    signature in combination with Diffie-Hellman in the PKINIT exchange.
+    Additionally, the PKINIT specification may be used for direct peer
+    to peer authentication without contacting a central KDC. This
+    application of PKINIT is described in PKTAPP [5] and is based on
+    concepts introduced in [6, 7]. For direct client-to-server
+    authentication, the client uses PKINIT to authenticate to the end
+    server (instead of a central KDC), which then issues a ticket for
+    itself.  This approach has an advantage over TLS [8] in that the
+    server does not need to save state (cache session keys).
+    Furthermore, an additional benefit is that Kerberos tickets can
+    facilitate delegation (see [9]).
+
+3.  Proposed Extensions
+
+    This section describes extensions to RFC 1510 for supporting the
+    use of public key cryptography in the initial request for a ticket
+    granting ticket (TGT).
+
+    In summary, the following change to RFC 1510 is proposed:
+
+        * Users may authenticate using either a public key pair or a
+          conventional (symmetric) key.  If public key cryptography is
+          used, public key data is transported in preauthentication
+          data fields to help establish identity.  The user presents
+          a public key certificate and obtains an ordinary TGT that may
+          be used for subsequent authentication, with such
+          authentication using only conventional cryptography.
+
+    Section 3.1 provides definitions to help specify message formats.
+    Section 3.2 describes the extensions for the initial authentication
+    method.
+
+3.1.  Definitions
+
+    The extensions involve new preauthentication fields; we introduce
+    the following preauthentication types:
+
+        PA-PK-AS-REQ                            14
+        PA-PK-AS-REP                            15
+
+    The extensions also involve new error types; we introduce the
+    following types:
+
+        KDC_ERR_CLIENT_NOT_TRUSTED              62
+        KDC_ERR_KDC_NOT_TRUSTED                 63
+        KDC_ERR_INVALID_SIG                     64
+        KDC_ERR_KEY_TOO_WEAK                    65
+        KDC_ERR_CERTIFICATE_MISMATCH            66
+        KDC_ERR_CANT_VERIFY_CERTIFICATE         70
+        KDC_ERR_INVALID_CERTIFICATE             71
+        KDC_ERR_REVOKED_CERTIFICATE             72
+        KDC_ERR_REVOCATION_STATUS_UNKNOWN       73
+        KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74
+        KDC_ERR_CLIENT_NAME_MISMATCH            75
+        KDC_ERR_KDC_NAME_MISMATCH               76
+
+    We utilize the following typed data for errors:
+
+        TD-PKINIT-CMS-CERTIFICATES             101
+        TD-KRB-PRINCIPAL                       102
+        TD-KRB-REALM                           103
+        TD-TRUSTED-CERTIFIERS                  104
+        TD-CERTIFICATE-INDEX                   105
+
+    We utilize the following encryption types (which map directly to
+    OIDs):
+
+        dsaWithSHA1-CmsOID                       9
+        md5WithRSAEncryption-CmsOID             10
+        sha1WithRSAEncryption-CmsOID            11
+        rc2CBC-EnvOID                           12
+        rsaEncryption-EnvOID (PKCS#1 v1.5)      13
+        rsaES-OAEP-ENV-OID   (PKCS#1 v2.0)      14
+        des-ede3-cbc-Env-OID                    15
+
+    These mappings are provided so that a client may send the
+    appropriate enctypes in the AS-REQ message in order to indicate
+    support for the corresponding OIDs (for performing PKINIT).
+
+    In many cases, PKINIT requires the encoding of the X.500 name of a
+    certificate authority as a Realm.  When such a name appears as
+    a realm it will be represented using the "other" form of the realm
+    name as specified in the naming constraints section of RFC1510.
+    For a realm derived from an X.500 name, NAMETYPE will have the value
+    X500-RFC2253.  The full realm name will appear as follows:
+
+        <nametype> + ":" + <string>
+
+    where nametype is "X500-RFC2253" and string is the result of doing
+    an RFC2253 encoding of the distinguished name, i.e.
+
+        "X500-RFC2253:" + RFC2253Encode(DistinguishedName)
+
+    where DistinguishedName is an X.500 name, and RFC2253Encode is a
+    function returing a readable UTF encoding of an X.500 name, as
+    defined by RFC 2253 [14] (part of LDAPv3 [18]).
+
+    To ensure that this encoding is unique, we add the following rule
+    to those specified by RFC 2253:
+
+        The order in which the attributes appear in the RFC 2253
+        encoding must be the reverse of the order in the ASN.1
+        encoding of the X.500 name that appears in the public key
+        certificate. The order of the relative distinguished names
+        (RDNs), as well as the order of the AttributeTypeAndValues
+        within each RDN, will be reversed. (This is despite the fact
+        that an RDN is defined as a SET of AttributeTypeAndValues, where
+        an order is normally not important.)
+
+    Similarly, in cases where the KDC does not provide a specific
+    policy based mapping from the X.500 name or X.509 Version 3
+    SubjectAltName extension in the user's certificate to a Kerberos
+    principal name, PKINIT requires the direct encoding of the X.500
+    name as a PrincipalName.  In this case, the name-type of the
+    principal name shall be set to KRB_NT-X500-PRINCIPAL.  This new
+    name type is defined in RFC 1510 as:
+
+        KRB_NT_X500_PRINCIPAL    6
+
+    The name-string shall be set as follows:
+
+        RFC2253Encode(DistinguishedName)
+
+    as described above.  When this name type is used, the principal's
+    realm shall be set to the certificate authority's distinguished
+    name using the X500-RFC2253 realm name format described earlier in
+    this section
+
+    RFC 1510 specifies the ASN.1 structure for PrincipalName as follows:
+
+        PrincipalName ::=   SEQUENCE {
+                        name-type[0]     INTEGER,
+                        name-string[1]   SEQUENCE OF GeneralString
+        }
+
+    For the purposes of encoding an X.500 name as a Kerberos name for
+    use in Kerberos structures, the name-string shall be encoded as a
+    single GeneralString.  The name-type should be KRB_NT_X500_PRINCIPAL,
+    as noted above.  All Kerberos names must conform to validity
+    requirements as given in RFC 1510.  Note that name mapping may be
+    required or optional, based on policy.
+
+    We also define the following similar ASN.1 structure:
+
+        CertPrincipalName ::= SEQUENCE {
+                        name-type[0]     INTEGER,
+                        name-string[1]   SEQUENCE OF UTF8String
+        }
+
+    When a Kerberos PrincipalName is to be placed within an X.509 data
+    structure, the CertPrincipalName structure is to be used, with the
+    name-string encoded as a single UTF8String.  The name-type should be
+    as identified in the original PrincipalName structure.  The mapping
+    between the GeneralString and UTF8String formats can be found in
+    [19].
+
+    The following rules relate to the the matching of PrincipalNames (or
+    corresponding CertPrincipalNames) with regard to the PKI name
+    constraints for CAs as laid out in RFC 2459 [15].  In order to be
+    regarded as a match (for permitted and excluded name trees), the
+    following must be satisfied.
+
+        1.  If the constraint is given as a user plus realm name, or
+            as a user plus instance plus realm name (as specified in
+            RFC 1510), the realm name must be valid (see 2.a-d below)
+            and the match must be exact, byte for byte.
+
+        2.  If the constraint is given only as a realm name, matching
+            depends on the type of the realm:
+
+            a.  If the realm contains a colon (':') before any equal
+                sign ('='), it is treated as a realm of type Other,
+                and must match exactly, byte for byte.
+
+            b.  Otherwise, if the realm contains an equal sign, it
+                is treated as an X.500 name.  In order to match, every
+                component in the constraint MUST be in the principal
+                name, and have the same value.  For example, 'C=US'
+                matches 'C=US/O=ISI' but not 'C=UK'.
+
+            c.  Otherwise, if the realm name conforms to rules regarding
+                the format of DNS names, it is considered a realm name of
+                type Domain.  The constraint may be given as a realm
+                name 'FOO.BAR', which matches any PrincipalName within
+                the realm 'FOO.BAR' but not those in subrealms such as
+                'CAR.FOO.BAR'.  A constraint of the form '.FOO.BAR'
+                matches PrincipalNames in subrealms of the form
+                'CAR.FOO.BAR' but not the realm 'FOO.BAR' itself.
+
+            d.  Otherwise, the realm name is invalid and does not match
+                under any conditions.
+
+3.1.1.  Encryption and Key Formats
+
+    In the exposition below, we use the terms public key and private
+    key generically.  It should be understood that the term "public
+    key" may be used to refer to either a public encryption key or a
+    signature verification key, and that the term "private key" may be
+    used to refer to either a private decryption key or a signature
+    generation key.  The fact that these are logically distinct does
+    not preclude the assignment of bitwise identical keys for RSA
+    keys.
+
+    In the case of Diffie-Hellman, the key shall be produced from the
+    agreed bit string as follows:
+
+        * Truncate the bit string to the appropriate length.
+        * Rectify parity in each byte (if necessary) to obtain the key.
+
+    For instance, in the case of a DES key, we take the first eight
+    bytes of the bit stream, and then adjust the least significant bit
+    of each byte to ensure that each byte has odd parity.
+
+3.1.2. Algorithm Identifiers
+
+    PKINIT does not define, but does permit, the algorithm identifiers
+    listed below.
+
+3.1.2.1. Signature Algorithm Identifiers
+
+    The following signature algorithm identifiers specified in [11] and
+    in [15] shall be used with PKINIT:
+
+    id-dsa-with-sha1       (DSA with SHA1)
+    md5WithRSAEncryption   (RSA with MD5)
+    sha-1WithRSAEncryption (RSA with SHA1)
+
+3.1.2.2 Diffie-Hellman Key Agreement Algorithm Identifier
+
+    The following algorithm identifier shall be used within the
+    SubjectPublicKeyInfo data structure: dhpublicnumber
+
+    This identifier and the associated algorithm parameters are
+    specified in RFC 2459 [15].
+
+3.1.2.3. Algorithm Identifiers for RSA Encryption
+
+    These algorithm identifiers are used inside the EnvelopedData data
+    structure, for encrypting the temporary key with a public key:
+
+        rsaEncryption (RSA encryption, PKCS#1 v1.5)
+        id-RSAES-OAEP (RSA encryption, PKCS#1 v2.0)
+
+    Both of the above RSA encryption schemes are specified in [16].
+    Currently, only PKCS#1 v1.5 is specified by CMS [11], although the
+    CMS specification says that it will likely include PKCS#1 v2.0 in
+    the future.  (PKCS#1 v2.0 addresses adaptive chosen ciphertext
+    vulnerability discovered in PKCS#1 v1.5.)
+
+3.1.2.4. Algorithm Identifiers for Encryption with Secret Keys
+
+    These algorithm identifiers are used inside the EnvelopedData data
+    structure in the PKINIT Reply, for encrypting the reply key with the
+    temporary key:
+        des-ede3-cbc (3-key 3-DES, CBC mode)
+        rc2-cbc      (RC2, CBC mode)
+
+    The full definition of the above algorithm identifiers and their
+    corresponding parameters (an IV for block chaining) is provided in
+    the CMS specification [11].
+
+3.2.  Public Key Authentication
+
+    Implementation of the changes in this section is REQUIRED for
+    compliance with PKINIT.
+
+3.2.1.  Client Request
+
+    Public keys may be signed by some certification authority (CA), or
+    they may be maintained by the KDC in which case the KDC is the
+    trusted authority.  Note that the latter mode does not require the
+    use of certificates.
+
+    The initial authentication request is sent as per RFC 1510, except
+    that a preauthentication field containing data signed by the user's
+    private key accompanies the request:
+
+    PA-PK-AS-REQ ::= SEQUENCE {
+                                -- PA TYPE 14
+        signedAuthPack          [0] SignedData
+                                    -- Defined in CMS [11];
+                                    -- AuthPack (below) defines the
+                                    -- data that is signed.
+        trustedCertifiers       [1] SEQUENCE OF TrustedCas OPTIONAL,
+                                    -- This is a list of CAs that the
+                                    -- client trusts and that certify
+                                    -- KDCs.
+        kdcCert                 [2] IssuerAndSerialNumber OPTIONAL
+                                    -- As defined in CMS [11];
+                                    -- specifies a particular KDC
+                                    -- certificate if the client
+                                    -- already has it.
+        encryptionCert          [3] IssuerAndSerialNumber OPTIONAL
+                                    -- For example, this may be the
+                                    -- client's Diffie-Hellman
+                                    -- certificate, or it may be the
+                                    -- client's RSA encryption
+                                    -- certificate.
+    }
+
+    TrustedCas ::= CHOICE {
+        principalName         [0] KerberosName,
+                                  -- as defined below
+        caName                [1] Name
+                                  -- fully qualified X.500 name
+                                  -- as defined by X.509
+        issuerAndSerial       [2] IssuerAndSerialNumber
+                                  -- Since a CA may have a number of
+                                  -- certificates, only one of which
+                                  -- a client trusts
+    }
+
+    Usage of SignedData:
+
+        The SignedData data type is specified in the Cryptographic
+        Message Syntax, a product of the S/MIME working group of the
+        IETF.  The following describes how to fill in the fields of
+        this data:
+
+        1.  The encapContentInfo field must contain the PKAuthenticator
+            and, optionally, the client's Diffie Hellman public value.
+
+            a.  The eContentType field shall contain the OID value for
+                pkdata: iso (1) org (3) dod (6) internet (1) security (5)
+                kerberosv5 (2) pkinit (3) pkdata (1)
+
+            b.  The eContent field is data of the type AuthPack (below).
+
+        2.  The signerInfos field contains the signature of AuthPack.
+
+        3.  The Certificates field, when non-empty, contains the client's
+            certificate chain.  If present, the KDC uses the public key
+            from the client's certificate to verify the signature in the
+            request.  Note that the client may pass different certificate
+            chains that are used for signing or for encrypting.  Thus,
+            the KDC may utilize a different client certificate for
+            signature verification than the one it uses to encrypt the
+            reply to the client.  For example, the client may place a
+            Diffie-Hellman certificate in this field in order to convey
+            its static Diffie Hellman certificate to the KDC to enable
+            static-ephemeral Diffie-Hellman mode for the reply; in this
+            case, the client does NOT place its public value in the
+            AuthPack (defined below).  As another example, the client may
+            place an RSA encryption certificate in this field.  However,
+            there must always be (at least) a signature certificate.
+
+    AuthPack ::= SEQUENCE {
+        pkAuthenticator         [0] PKAuthenticator,
+        clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
+                                    -- if client is using Diffie-Hellman
+                                    -- (ephemeral-ephemeral only)
+    }
+
+    PKAuthenticator ::= SEQUENCE {
+        kdcName                 [0] PrincipalName,
+        kdcRealm                [1] Realm,
+        cusec                   [2] INTEGER,
+                                    -- for replay prevention as in RFC1510
+        ctime                   [3] KerberosTime,
+                                    -- for replay prevention as in RFC1510
+        nonce                   [4] INTEGER
+    }
+
+    SubjectPublicKeyInfo ::= SEQUENCE {
+        algorithm                   AlgorithmIdentifier,
+                                    -- dhKeyAgreement
+        subjectPublicKey            BIT STRING
+                                    -- for DH, equals
+                                    -- public exponent (INTEGER encoded
+                                    -- as payload of BIT STRING)
+    }   -- as specified by the X.509 recommendation [10]
+
+    AlgorithmIdentifier ::= SEQUENCE {
+        algorithm                   ALGORITHM.&id,
+        parameters                  ALGORITHM.&type
+    }   -- as specified by the X.509 recommendation [10]
+
+    If the client passes an issuer and serial number in the request,
+    the KDC is requested to use the referred-to certificate.  If none
+    exists, then the KDC returns an error of type
+    KDC_ERR_CERTIFICATE_MISMATCH.  It also returns this error if, on the
+    other hand, the client does not pass any trustedCertifiers,
+    believing that it has the KDC's certificate, but the KDC has more
+    than one certificate.  The KDC should include information in the
+    KRB-ERROR message that indicates the KDC certificate(s) that a
+    client may utilize.  This data is specified in the e-data, which
+    is defined in RFC 1510 revisions as a SEQUENCE of TypedData:
+
+    TypedData ::=  SEQUENCE {
+                    data-type      [0] INTEGER,
+                    data-value     [1] OCTET STRING,
+    } -- per Kerberos RFC 1510 revisions
+
+    where:
+    data-type = TD-PKINIT-CMS-CERTIFICATES = 101
+    data-value = CertificateSet // as specified by CMS [11]
+
+    The PKAuthenticator carries information to foil replay attacks, and
+    to bind the request and response.  The PKAuthenticator is signed
+    with the client's signature key.
+
+3.2.2.  KDC Response
+
+    Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication
+    type, the KDC attempts to verify the user's certificate chain
+    (userCert), if one is provided in the request.  This is done by
+    verifying the certification path against the KDC's policy of
+    legitimate certifiers.  This may be based on a certification
+    hierarchy, or it may be simply a list of recognized certifiers in a
+    system like PGP.
+
+    If the client's certificate chain contains no certificate signed by
+    a CA trusted by the KDC, then the KDC sends back an error message
+    of type KDC_ERR_CANT_VERIFY_CERTIFICATE.  The accompanying e-data
+    is a SEQUENCE of one TypedData (with type TD-TRUSTED-CERTIFIERS=104)
+    whose data-value is an OCTET STRING which is the DER encoding of
+
+        TrustedCertifiers ::= SEQUENCE OF PrincipalName
+                              -- X.500 name encoded as a principal name
+                              -- see Section 3.1
+
+    If while verifying a certificate chain the KDC determines that the
+    signature on one of the certificates in the CertificateSet from
+    the signedAuthPack fails verification, then the KDC returns an
+    error of type KDC_ERR_INVALID_CERTIFICATE.  The accompanying
+    e-data is a SEQUENCE of one TypedData (with type
+    TD-CERTIFICATE-INDEX=105) whose data-value is an OCTET STRING
+    which is the DER encoding of the index into the CertificateSet
+    ordered as sent by the client.
+
+        CertificateIndex  ::= INTEGER
+                              -- 0 = 1st certificate,
+                              --     (in order of encoding)
+                              -- 1 = 2nd certificate, etc
+
+    The KDC may also check whether any of the certificates in the
+    client's chain has been revoked.  If one of the certificates has
+    been revoked, then the KDC returns an error of type
+    KDC_ERR_REVOKED_CERTIFICATE; if such a query reveals that
+    the certificate's revocation status is unknown or not
+    available, then if required by policy, the KDC returns the
+    appropriate error of type KDC_ERR_REVOCATION_STATUS_UNKNOWN or
+    KDC_ERR_REVOCATION_STATUS_UNAVAILABLE.  In any of these three
+    cases, the affected certificate is identified by the accompanying
+    e-data, which contains a CertificateIndex as described for
+    KDC_ERR_INVALID_CERTIFICATE.
+
+    If the certificate chain can be verified, but the name of the
+    client in the certificate does not match the client's name in the
+    request, then the KDC returns an error of type
+    KDC_ERR_CLIENT_NAME_MISMATCH.  There is no accompanying e-data
+    field in this case.
+
+    Finally, if the certificate chain is verified, but the KDC's name
+    or realm as given in the PKAuthenticator does not match the KDC's
+    actual principal name, then the KDC returns an error of type
+    KDC_ERR_KDC_NAME_MISMATCH.  The accompanying e-data field is again
+    a SEQUENCE of one TypedData (with type TD-KRB-PRINCIPAL=102 or
+    TD-KRB-REALM=103 as appropriate) whose data-value is an OCTET
+    STRING whose data-value is the DER encoding of a PrincipalName or
+    Realm as defined in RFC 1510 revisions.
+
+    Even if all succeeds, the KDC may--for policy reasons--decide not
+    to trust the client.  In this case, the KDC returns an error message
+    of type KDC_ERR_CLIENT_NOT_TRUSTED.  One specific case of this is
+    the presence or absence of an Enhanced Key Usage (EKU) OID within
+    the certificate extensions.  The rules regarding acceptability of
+    an EKU sequence (or the absence of any sequence) are a matter of
+    local policy.  For the benefit of implementers, we define a PKINIT
+    EKU OID as the following: iso (1) org (3) dod (6) internet (1)
+    security (5) kerberosv5 (2) pkinit (3) pkekuoid (2).
+
+    If a trust relationship exists, the KDC then verifies the client's
+    signature on AuthPack.  If that fails, the KDC returns an error
+    message of type KDC_ERR_INVALID_SIG.  Otherwise, the KDC uses the
+    timestamp (ctime and cusec) in the PKAuthenticator to assure that
+    the request is not a replay.  The KDC also verifies that its name
+    is specified in the PKAuthenticator.
+
+    If the clientPublicValue field is filled in, indicating that the
+    client wishes to use Diffie-Hellman key agreement, then the KDC
+    checks to see that the parameters satisfy its policy.  If they do
+    not (e.g., the prime size is insufficient for the expected
+    encryption type), then the KDC sends back an error message of type
+    KDC_ERR_KEY_TOO_WEAK.  Otherwise, it generates its own public and
+    private values for the response.
+
+    The KDC also checks that the timestamp in the PKAuthenticator is
+    within the allowable window and that the principal name and realm
+    are correct.  If the local (server) time and the client time in the
+    authenticator differ by more than the allowable clock skew, then the
+    KDC returns an error message of type KRB_AP_ERR_SKEW as defined in 1510.
+
+    Assuming no errors, the KDC replies as per RFC 1510, except as
+    follows.  The user's name in the ticket is determined by the
+    following decision algorithm:
+
+        1.  If the KDC has a mapping from the name in the certificate
+            to a Kerberos name, then use that name.
+            Else
+        2.  If the certificate contains the SubjectAltName extention
+            and the local KDC policy defines a mapping from the
+            SubjectAltName to a Kerberos name, then use that name.
+            Else
+        3.  Use the name as represented in the certificate, mapping
+            mapping as necessary (e.g., as per RFC 2253 for X.500
+            names).  In this case the realm in the ticket shall be the
+            name of the certifier that issued the user's certificate.
+
+    Note that a principal name may be carried in the subject alt name
+    field of a certificate. This name may be mapped to a principal
+    record in a security database based on local policy, for example
+    the subject alt name may be kerberos/principal@realm format.  In
+    this case the realm name is not that of the CA but that of the
+    local realm doing the mapping (or some realm name chosen by that
+    realm).
+
+    If a non-KDC X.509 certificate contains the principal name within
+    the subjectAltName version 3 extension , that name may utilize
+    KerberosName as defined below, or, in the case of an S/MIME
+    certificate [17], may utilize the email address.  If the KDC
+    is presented with an S/MIME certificate, then the email address
+    within subjectAltName will be interpreted as a principal and realm
+    separated by the "@" sign, or as a name that needs to be
+    canonicalized.  If the resulting name does not correspond to a
+    registered principal name, then the principal name is formed as
+    defined in section 3.1.
+
+    The trustedCertifiers field contains a list of certification
+    authorities trusted by the client, in the case that the client does
+    not possess the KDC's public key certificate.  If the KDC has no
+    certificate signed by any of the trustedCertifiers, then it returns
+    an error of type KDC_ERR_KDC_NOT_TRUSTED.
+
+    KDCs should try to (in order of preference):
+    1. Use the KDC certificate identified by the serialNumber included
+       in the client's request.
+    2. Use a certificate issued to the KDC by the client's CA (if in the
+       middle of a CA key roll-over, use the KDC cert issued under same
+       CA key as user cert used to verify request).
+    3. Use a certificate issued to the KDC by one of the client's
+       trustedCertifier(s);
+    If the KDC is unable to comply with any of these options, then the
+    KDC returns an error message of type KDC_ERR_KDC_NOT_TRUSTED to the
+    client.
+
+    The KDC encrypts the reply not with the user's long-term key, but
+    with the Diffie Hellman derived key or a random key generated
+    for this particular response which is carried in the padata field of
+    the TGS-REP message.
+
+    PA-PK-AS-REP ::= CHOICE {
+                            -- PA TYPE 15
+        dhSignedData       [0] SignedData,
+                            -- Defined in CMS and used only with
+                            -- Diffie-Hellman key exchange (if the
+                            -- client public value was present in the
+                            -- request).
+                            -- This choice MUST be supported
+                            -- by compliant implementations.
+        encKeyPack         [1] EnvelopedData,
+                            -- Defined in CMS
+                            -- The temporary key is encrypted
+                            -- using the client public key
+                            -- key
+                            -- SignedReplyKeyPack, encrypted
+                            -- with the temporary key, is also
+                            -- included.
+    }
+
+    Usage of SignedData:
+
+        When the Diffie-Hellman option is used, dhSignedData in
+        PA-PK-AS-REP provides authenticated Diffie-Hellman parameters
+        of the KDC.  The reply key used to encrypt part of the KDC reply
+        message is derived from the Diffie-Hellman exchange:
+
+        1.  Both the KDC and the client calculate a secret value
+            (g^ab mod p), where a is the client's private exponent and
+            b is the KDC's private exponent.
+
+        2.  Both the KDC and the client take the first N bits of this
+            secret value and convert it into a reply key.  N depends on
+            the reply key type.
+
+        3.  If the reply key is DES, N=64 bits, where some of the bits
+            are replaced with parity bits, according to FIPS PUB 74.
+
+        4.  If the reply key is (3-key) 3-DES, N=192 bits, where some
+            of the bits are replaced with parity bits, according to
+            FIPS PUB 74.
+
+        5.  The encapContentInfo field must contain the KdcDHKeyInfo as
+            defined below.
+
+            a.  The eContentType field shall contain the OID value for
+                pkdata: iso (1) org (3) dod (6) internet (1) security (5)
+                kerberosv5 (2) pkinit (3) pkdata (1)
+
+            b.  The eContent field is data of the type KdcDHKeyInfo
+                (below).
+
+        6.  The certificates field must contain the certificates
+            necessary for the client to establish trust in the KDC's
+            certificate based on the list of trusted certifiers sent by
+            the client in the PA-PK-AS-REQ.  This field may be empty if
+            the client did not send to the KDC a list of trusted
+            certifiers (the trustedCertifiers field was empty, meaning
+            that the client already possesses the KDC's certificate).
+
+        7.  The signerInfos field is a SET that must contain at least
+            one member, since it contains the actual signature.
+
+    KdcDHKeyInfo ::= SEQUENCE {
+                              -- used only when utilizing Diffie-Hellman
+      nonce                 [0] INTEGER,
+                                -- binds responce to the request
+      subjectPublicKey      [2] BIT STRING
+                                -- Equals public exponent (g^a mod p)
+                                -- INTEGER encoded as payload of
+                                -- BIT STRING
+    }
+
+    Usage of EnvelopedData:
+
+        The EnvelopedData data type is specified in the Cryptographic
+        Message Syntax, a product of the S/MIME working group of the
+        IETF.  It contains a temporary key encrypted with the PKINIT
+        client's public key.  It also contains a signed and encrypted
+        reply key.
+
+        1.  The originatorInfo field is not required, since that
+            information may be presented in the signedData structure
+            that is encrypted within the encryptedContentInfo field.
+
+        2.  The optional unprotectedAttrs field is not required for
+            PKINIT.
+
+        3.  The recipientInfos field is a SET which must contain exactly
+            one member of the KeyTransRecipientInfo type for encryption
+            with an RSA public key.
+
+            a.  The encryptedKey field (in KeyTransRecipientInfo)
+                contains the temporary key which is encrypted with the
+                PKINIT client's public key.
+
+        4.  The encryptedContentInfo field contains the signed and
+            encrypted reply key.
+
+            a.  The contentType field shall contain the OID value for
+                id-signedData: iso (1) member-body (2) us (840)
+                rsadsi (113549) pkcs (1) pkcs7 (7) signedData (2)
+
+            b.  The encryptedContent field is encrypted data of the CMS
+                type signedData as specified below.
+
+                i.  The encapContentInfo field must contains the
+                    ReplyKeyPack.
+
+                    * The eContentType field shall contain the OID value
+                      for pkdata: iso (1) org (3) dod (6) internet (1)
+                      security (5) kerberosv5 (2) pkinit (3) pkdata (1)
+
+                    * The eContent field is data of the type ReplyKeyPack
+                      (below).
+
+                ii.  The certificates field must contain the certificates
+                     necessary for the client to establish trust in the
+                     KDC's certificate based on the list of trusted
+                     certifiers sent by the client in the PA-PK-AS-REQ.
+                     This field may be empty if the client did not send
+                     to the KDC a list of trusted certifiers (the
+                     trustedCertifiers field was empty, meaning that the
+                     client already possesses the KDC's certificate).
+
+                iii.  The signerInfos field is a SET that must contain at
+                      least one member, since it contains the actual
+                      signature.
+
+    ReplyKeyPack ::= SEQUENCE {
+                              -- not used for Diffie-Hellman
+        replyKey             [0] EncryptionKey,
+                                 -- used to encrypt main reply
+                                 -- ENCTYPE is at least as strong as
+                                 -- ENCTYPE of session key
+        nonce                [1] INTEGER,
+                                 -- binds response to the request
+                                 -- must be same as the nonce
+                                 -- passed in the PKAuthenticator
+    }
+
+    Since each certifier in the certification path of a user's
+    certificate is equivalent to a separate Kerberos realm, the name
+    of each certifier in the certificate chain must be added to the
+    transited field of the ticket.  The format of these realm names is
+    defined in Section 3.1 of this document.  If applicable, the
+    transit-policy-checked flag should be set in the issued ticket.
+
+    The KDC's certificate(s) must bind the public key(s) of the KDC to
+    a name derivable from the name of the realm for that KDC.  X.509
+    certificates shall contain the principal name of the KDC
+    (defined in section 8.2 of RFC 1510) as the SubjectAltName version
+    3 extension. Below is the definition of this version 3 extension,
+    as specified by the X.509 standard:
+
+        subjectAltName EXTENSION ::= {
+            SYNTAX GeneralNames
+            IDENTIFIED BY id-ce-subjectAltName
+        }
+
+        GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName
+
+        GeneralName ::= CHOICE {
+            otherName       [0] OtherName,
+            ...
+        }
+
+        OtherName ::= SEQUENCE {
+            type-id         OBJECT IDENTIFIER,
+            value           [0] EXPLICIT ANY DEFINED BY type-id
+        }
+
+    For the purpose of specifying a Kerberos principal name, the value
+    in OtherName shall be a KerberosName as defined in RFC 1510, but with
+    the PrincipalName replaced by CertPrincipalName as mentioned in
+    Section 3.1:
+
+        KerberosName ::= SEQUENCE {
+            realm           [0] Realm,
+            principalName   [1] CertPrincipalName  -- defined above
+        }
+
+    This specific syntax is identified within subjectAltName by setting
+    the type-id in OtherName to krb5PrincipalName, where (from the
+    Kerberos specification) we have
+
+        krb5 OBJECT IDENTIFIER ::= { iso (1)
+                                     org (3)
+                                     dod (6)
+                                     internet (1)
+                                     security (5)
+                                     kerberosv5 (2) }
+
+        krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
+
+    (This specification may also be used to specify a Kerberos name
+    within the user's certificate.)  The KDC's certificate may be signed
+    directly by a CA, or there may be intermediaries if the server resides
+    within a large organization, or it may be unsigned if the client
+    indicates possession (and trust) of the KDC's certificate.
+
+    The client then extracts the random key used to encrypt the main
+    reply.  This random key (in encPaReply) is encrypted with either the
+    client's public key or with a key derived from the DH values
+    exchanged between the client and the KDC.  The client uses this
+    random key to decrypt the main reply, and subsequently proceeds as
+    described in RFC 1510.
+
+3.2.3. Required Algorithms
+
+    Not all of the algorithms in the PKINIT protocol specification have
+    to be implemented in order to comply with the proposed standard.
+    Below is a list of the required algorithms:
+
+    * Diffie-Hellman public/private key pairs
+        * utilizing Diffie-Hellman ephemeral-ephemeral mode
+    * SHA1 digest and DSA for signatures
+    * 3-key triple DES keys derived from the Diffie-Hellman Exchange
+    * 3-key triple DES Temporary and Reply keys
+
+4.  Logistics and Policy
+
+    This section describes a way to define the policy on the use of
+    PKINIT for each principal and request.
+
+    The KDC is not required to contain a database record for users
+    who use public key authentication.  However, if these users are
+    registered with the KDC, it is recommended that the database record
+    for these users be modified to an additional flag in the attributes
+    field to indicate that the user should authenticate using PKINIT.
+    If this flag is set and a request message does not contain the
+    PKINIT preauthentication field, then the KDC sends back as error of
+    type KDC_ERR_PREAUTH_REQUIRED indicating that a preauthentication
+    field of type PA-PK-AS-REQ must be included in the request.
+
+5.  Security Considerations
+
+    PKINIT raises a few security considerations, which we will address
+    in this section.
+
+    First of all, PKINIT introduces a new trust model, where KDCs do not
+    (necessarily) certify the identity of those for whom they issue
+    tickets.  PKINIT does allow KDCs to act as their own CAs, in the
+    limited capacity of self-signing their certificates, but one of the
+    additional benefits is to align Kerberos authentication with a global
+    public key infrastructure.  Anyone using PKINIT in this way must be
+    aware of how the certification infrastructure they are linking to
+    works.
+
+    Secondly, PKINIT also introduces the possibility of interactions
+    between different cryptosystems, which may be of widely varying
+    strengths.  Many systems, for instance, allow the use of 512-bit
+    public keys.  Using such keys to wrap data encrypted under strong
+    conventional cryptosystems, such as triple-DES, is inappropriate;
+    it adds a weak link to a strong one at extra cost.  Implementors
+    and administrators should take care to avoid such wasteful and
+    deceptive interactions.
+
+    Lastly, PKINIT calls for randomly generated keys for conventional
+    cryptosystems.  Many such systems contain systematically "weak"
+    keys.  PKINIT implementations MUST avoid use of these keys, either
+    by discarding those keys when they are generated, or by fixing them
+    in some way (e.g., by XORing them with a given mask).  These
+    precautions vary from system to system; it is not our intention to
+    give an explicit recipe for them here.
+
+6.  Transport Issues
+
+    Certificate chains can potentially grow quite large and span several
+    UDP packets; this in turn increases the probability that a Kerberos
+    message involving PKINIT extensions will be broken in transit.  In
+    light of the possibility that the Kerberos specification will
+    require KDCs to accept requests using TCP as a transport mechanism,
+    we make the same recommendation with respect to the PKINIT
+    extensions as well.
+
+7.  Bibliography
+
+    [1] J. Kohl, C. Neuman.  The Kerberos Network Authentication Service
+    (V5).  Request for Comments 1510.
+
+    [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service
+    for Computer Networks, IEEE Communications, 32(9):33-38.  September
+    1994.
+
+    [3] B. Tung, T. Ryutov, C. Neuman, G. Tsudik, B. Sommerfeld,
+    A. Medvinsky, M. Hur.  Public Key Cryptography for Cross-Realm
+    Authentication in Kerberos.  draft-ietf-cat-kerberos-pk-cross-04.txt
+
+    [4] A. Medvinsky, J. Cargille, M. Hur.  Anonymous Credentials in
+    Kerberos.  draft-ietf-cat-kerberos-anoncred-00.txt
+
+    [5] Ari Medvinsky, M. Hur, Alexander Medvinsky, B. Clifford Neuman.
+    Public Key Utilizing Tickets for Application Servers (PKTAPP).
+    draft-ietf-cat-pktapp-02.txt
+
+    [6] M. Sirbu, J. Chuang.  Distributed Authentication in Kerberos
+    Using Public Key Cryptography.  Symposium On Network and Distributed
+    System Security, 1997.
+
+    [7] B. Cox, J.D. Tygar, M. Sirbu.  NetBill Security and Transaction
+    Protocol.  In Proceedings of the USENIX Workshop on Electronic
+    Commerce, July 1995.
+
+    [8] T. Dierks, C. Allen.  The TLS Protocol, Version 1.0
+    Request for Comments 2246, January 1999.
+
+    [9] B.C. Neuman, Proxy-Based Authorization and Accounting for
+    Distributed Systems.  In Proceedings of the 13th International
+    Conference on Distributed Computing Systems, May 1993.
+
+    [10] ITU-T (formerly CCITT) Information technology - Open Systems
+    Interconnection - The Directory: Authentication Framework
+    Recommendation X.509 ISO/IEC 9594-8
+
+    [11] R. Housley. Cryptographic Message Syntax.
+    draft-ietf-smime-cms-13.txt, April 1999, approved for publication
+    as RFC.
+
+    [12] PKCS #7: Cryptographic Message Syntax Standard,
+    An RSA Laboratories Technical Note Version 1.5
+    Revised November 1, 1993
+
+    [13] R. Rivest, MIT Laboratory for Computer Science and RSA Data
+    Security, Inc. A Description of the RC2(r) Encryption Algorithm
+    March 1998.
+    Request for Comments 2268.
+
+    [14] M. Wahl, S. Kille, T. Howes. Lightweight Directory Access
+    Protocol (v3): UTF-8 String Representation of Distinguished Names.
+    Request for Comments 2253.
+
+    [15] R. Housley, W. Ford, W. Polk, D. Solo. Internet X.509 Public
+    Key Infrastructure, Certificate and CRL Profile, January 1999.
+    Request for Comments 2459.
+
+    [16] B. Kaliski, J. Staddon. PKCS #1: RSA Cryptography
+    Specifications, October 1998.  Request for Comments 2437.
+
+    [17] S. Dusse, P. Hoffman, B. Ramsdell, J. Weinstein.  S/MIME
+    Version 2 Certificate Handling, March 1998.  Request for
+    Comments 2312.
+
+    [18] M. Wahl, T. Howes, S. Kille.  Lightweight Directory Access
+    Protocol (v3), December 1997.  Request for Comments 2251.
+
+    [19] ITU-T (formerly CCITT) Information Processing Systems - Open
+    Systems Interconnection - Specification of Abstract Syntax Notation
+    One (ASN.1) Rec. X.680 ISO/IEC 8824-1
+
+8.  Acknowledgements
+
+    Some of the ideas on which this proposal is based arose during
+    discussions over several years between members of the SAAG, the IETF
+    CAT working group, and the PSRG, regarding integration of Kerberos
+    and SPX.  Some ideas have also been drawn from the DASS system.
+    These changes are by no means endorsed by these groups.  This is an
+    attempt to revive some of the goals of those groups, and this
+    proposal approaches those goals primarily from the Kerberos
+    perspective.  Lastly, comments from groups working on similar ideas
+    in DCE have been invaluable.
+
+9.  Expiration Date
+
+    This draft expires September 15, 2000.
+
+10. Authors
+
+    Brian Tung
+    Clifford Neuman
+    USC Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey CA 90292-6695
+    Phone: +1 310 822 1511
+    E-mail: {brian, bcn}@isi.edu
+
+    Matthew Hur
+    CyberSafe Corporation
+    1605 NW Sammamish Road
+    Issaquah WA 98027-5378
+    Phone: +1 425 391 6000
+    E-mail: matt.hur@cybersafe.com
+
+    Ari Medvinsky
+    Keen.com, Inc.
+    150 Independence Drive
+    Menlo Park CA 94025
+    Phone: +1 650 289 3134
+    E-mail: ari@keen.com
+
+    Sasha Medvinsky
+    Motorola
+    6450 Sequence Drive
+    San Diego, CA 92121
+    Phone +1 619 404 2825
+    E-mail: smedvinsky@gi.com
+
+    John Wray
+    Iris Associates, Inc.
+    5 Technology Park Dr.
+    Westford, MA 01886
+    E-mail: John_Wray@iris.com
+
+    Jonathan Trostle
+    170 W. Tasman Dr.
+    San Jose, CA 95134
+    E-mail: jtrostle@cisco.com
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt
new file mode 100644
index 0000000..b1e5968
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-12.txt
@@ -0,0 +1,1080 @@
+INTERNET-DRAFT                                                Brian Tung
+draft-ietf-cat-kerberos-pk-init-12.txt                   Clifford Neuman
+Updates: RFC 1510                                                USC/ISI
+expires January 15, 2001                                     Matthew Hur
+                                                   CyberSafe Corporation
+                                                           Ari Medvinsky
+                                                          Keen.com, Inc.
+                                                         Sasha Medvinsky
+                                                                Motorola
+                                                               John Wray
+                                                   Iris Associates, Inc.
+                                                        Jonathan Trostle
+                                                                   Cisco
+
+    Public Key Cryptography for Initial Authentication in Kerberos
+
+0.  Status Of This Memo
+
+    This document is an Internet-Draft and is in full conformance with
+    all provisions of Section 10 of RFC 2026.  Internet-Drafts are
+    working documents of the Internet Engineering Task Force (IETF),
+    its areas, and its working groups.  Note that other groups may also
+    distribute working documents as Internet-Drafts.
+
+    Internet-Drafts are draft documents valid for a maximum of six
+    months and may be updated, replaced, or obsoleted by other
+    documents at any time.  It is inappropriate to use Internet-Drafts
+    as reference material or to cite them other than as "work in
+    progress."
+
+    The list of current Internet-Drafts can be accessed at
+    http://www.ietf.org/ietf/1id-abstracts.txt
+
+    The list of Internet-Draft Shadow Directories can be accessed at
+    http://www.ietf.org/shadow.html.
+
+    To learn the current status of any Internet-Draft, please check
+    the "1id-abstracts.txt" listing contained in the Internet-Drafts
+    Shadow Directories on ftp.ietf.org (US East Coast),
+    nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+    munnari.oz.au (Pacific Rim).
+
+    The distribution of this memo is unlimited.  It is filed as
+    draft-ietf-cat-kerberos-pk-init-11.txt, and expires January 15,
+    2001.  Please send comments to the authors.
+
+1.  Abstract
+
+    This document defines extensions (PKINIT) to the Kerberos protocol
+    specification (RFC 1510 [1]) to provide a method for using public
+    key cryptography during initial authentication.  The methods
+    defined specify the ways in which preauthentication data fields and
+    error data fields in Kerberos messages are to be used to transport
+    public key data.
+
+2.  Introduction
+
+    The popularity of public key cryptography has produced a desire for
+    its support in Kerberos [2].  The advantages provided by public key
+    cryptography include simplified key management (from the Kerberos
+    perspective) and the ability to leverage existing and developing
+    public key certification infrastructures.
+
+    Public key cryptography can be integrated into Kerberos in a number
+    of ways.  One is to associate a key pair with each realm, which can
+    then be used to facilitate cross-realm authentication; this is the
+    topic of another draft proposal.  Another way is to allow users with
+    public key certificates to use them in initial authentication.  This
+    is the concern of the current document.
+
+    PKINIT utilizes ephemeral-ephemeral Diffie-Hellman keys in
+    combination with digital signature keys as the primary, required
+    mechanism.  It also allows for the use of RSA keys and/or (static)
+    Diffie-Hellman certificates.  Note in particular that PKINIT supports
+    the use of separate signature and encryption keys.
+
+    PKINIT enables access to Kerberos-secured services based on initial
+    authentication utilizing public key cryptography.  PKINIT utilizes
+    standard public key signature and encryption data formats within the
+    standard Kerberos messages.  The basic mechanism is as follows:  The
+    user sends an AS-REQ message to the KDC as before, except that if that
+    user is to use public key cryptography in the initial authentication
+    step, his certificate and a signature accompany the initial request
+    in the preauthentication fields.  Upon receipt of this request, the
+    KDC verifies the certificate and issues a ticket granting ticket
+    (TGT) as before, except that the encPart from the AS-REP message
+    carrying the TGT is now encrypted utilizing either a Diffie-Hellman
+    derived key or the user's public key.  This message is authenticated
+    utilizing the public key signature of the KDC.
+
+    Note that PKINIT does not require the use of certificates.  A KDC
+    may store the public key of a principal as part of that principal's
+    record.  In this scenario, the KDC is the trusted party that vouches
+    for the principal (as in a standard, non-cross realm, Kerberos
+    environment).  Thus, for any principal, the KDC may maintain a
+    secret key, a public key, or both.
+
+    The PKINIT specification may also be used as a building block for
+    other specifications.  PKCROSS [3] utilizes PKINIT for establishing
+    the inter-realm key and associated inter-realm policy to be applied
+    in issuing cross realm service tickets.  As specified in [4],
+    anonymous Kerberos tickets can be issued by applying a NULL
+    signature in combination with Diffie-Hellman in the PKINIT exchange.
+    Additionally, the PKINIT specification may be used for direct peer
+    to peer authentication without contacting a central KDC. This
+    application of PKINIT is described in PKTAPP [5] and is based on
+    concepts introduced in [6, 7]. For direct client-to-server
+    authentication, the client uses PKINIT to authenticate to the end
+    server (instead of a central KDC), which then issues a ticket for
+    itself.  This approach has an advantage over TLS [8] in that the
+    server does not need to save state (cache session keys).
+    Furthermore, an additional benefit is that Kerberos tickets can
+    facilitate delegation (see [9]).
+
+3.  Proposed Extensions
+
+    This section describes extensions to RFC 1510 for supporting the
+    use of public key cryptography in the initial request for a ticket
+    granting ticket (TGT).
+
+    In summary, the following change to RFC 1510 is proposed:
+
+        * Users may authenticate using either a public key pair or a
+          conventional (symmetric) key.  If public key cryptography is
+          used, public key data is transported in preauthentication
+          data fields to help establish identity.  The user presents
+          a public key certificate and obtains an ordinary TGT that may
+          be used for subsequent authentication, with such
+          authentication using only conventional cryptography.
+
+    Section 3.1 provides definitions to help specify message formats.
+    Section 3.2 describes the extensions for the initial authentication
+    method.
+
+3.1.  Definitions
+
+    The extensions involve new preauthentication fields; we introduce
+    the following preauthentication types:
+
+        PA-PK-AS-REQ                            14
+        PA-PK-AS-REP                            15
+
+    The extensions also involve new error types; we introduce the
+    following types:
+
+        KDC_ERR_CLIENT_NOT_TRUSTED              62
+        KDC_ERR_KDC_NOT_TRUSTED                 63
+        KDC_ERR_INVALID_SIG                     64
+        KDC_ERR_KEY_TOO_WEAK                    65
+        KDC_ERR_CERTIFICATE_MISMATCH            66
+        KDC_ERR_CANT_VERIFY_CERTIFICATE         70
+        KDC_ERR_INVALID_CERTIFICATE             71
+        KDC_ERR_REVOKED_CERTIFICATE             72
+        KDC_ERR_REVOCATION_STATUS_UNKNOWN       73
+        KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74
+        KDC_ERR_CLIENT_NAME_MISMATCH            75
+        KDC_ERR_KDC_NAME_MISMATCH               76
+
+    We utilize the following typed data for errors:
+
+        TD-PKINIT-CMS-CERTIFICATES             101
+        TD-KRB-PRINCIPAL                       102
+        TD-KRB-REALM                           103
+        TD-TRUSTED-CERTIFIERS                  104
+        TD-CERTIFICATE-INDEX                   105
+
+    We utilize the following encryption types (which map directly to
+    OIDs):
+
+        dsaWithSHA1-CmsOID                       9
+        md5WithRSAEncryption-CmsOID             10
+        sha1WithRSAEncryption-CmsOID            11
+        rc2CBC-EnvOID                           12
+        rsaEncryption-EnvOID (PKCS#1 v1.5)      13
+        rsaES-OAEP-ENV-OID   (PKCS#1 v2.0)      14
+        des-ede3-cbc-Env-OID                    15
+
+    These mappings are provided so that a client may send the
+    appropriate enctypes in the AS-REQ message in order to indicate
+    support for the corresponding OIDs (for performing PKINIT).
+
+    In many cases, PKINIT requires the encoding of the X.500 name of a
+    certificate authority as a Realm.  When such a name appears as
+    a realm it will be represented using the "other" form of the realm
+    name as specified in the naming constraints section of RFC1510.
+    For a realm derived from an X.500 name, NAMETYPE will have the value
+    X500-RFC2253.  The full realm name will appear as follows:
+
+        <nametype> + ":" + <string>
+
+    where nametype is "X500-RFC2253" and string is the result of doing
+    an RFC2253 encoding of the distinguished name, i.e.
+
+        "X500-RFC2253:" + RFC2253Encode(DistinguishedName)
+
+    where DistinguishedName is an X.500 name, and RFC2253Encode is a
+    function returing a readable UTF encoding of an X.500 name, as
+    defined by RFC 2253 [14] (part of LDAPv3 [18]).
+
+    To ensure that this encoding is unique, we add the following rule
+    to those specified by RFC 2253:
+
+        The order in which the attributes appear in the RFC 2253
+        encoding must be the reverse of the order in the ASN.1
+        encoding of the X.500 name that appears in the public key
+        certificate. The order of the relative distinguished names
+        (RDNs), as well as the order of the AttributeTypeAndValues
+        within each RDN, will be reversed. (This is despite the fact
+        that an RDN is defined as a SET of AttributeTypeAndValues, where
+        an order is normally not important.)
+
+    Similarly, in cases where the KDC does not provide a specific
+    policy based mapping from the X.500 name or X.509 Version 3
+    SubjectAltName extension in the user's certificate to a Kerberos
+    principal name, PKINIT requires the direct encoding of the X.500
+    name as a PrincipalName.  In this case, the name-type of the
+    principal name shall be set to KRB_NT-X500-PRINCIPAL.  This new
+    name type is defined in RFC 1510 as:
+
+        KRB_NT_X500_PRINCIPAL    6
+
+    The name-string shall be set as follows:
+
+        RFC2253Encode(DistinguishedName)
+
+    as described above.  When this name type is used, the principal's
+    realm shall be set to the certificate authority's distinguished
+    name using the X500-RFC2253 realm name format described earlier in
+    this section
+
+    RFC 1510 specifies the ASN.1 structure for PrincipalName as follows:
+
+        PrincipalName ::=   SEQUENCE {
+                        name-type[0]     INTEGER,
+                        name-string[1]   SEQUENCE OF GeneralString
+        }
+
+    For the purposes of encoding an X.500 name as a Kerberos name for
+    use in Kerberos structures, the name-string shall be encoded as a
+    single GeneralString.  The name-type should be KRB_NT_X500_PRINCIPAL,
+    as noted above.  All Kerberos names must conform to validity
+    requirements as given in RFC 1510.  Note that name mapping may be
+    required or optional, based on policy.
+
+    We also define the following similar ASN.1 structure:
+
+        CertPrincipalName ::= SEQUENCE {
+                        name-type[0]     INTEGER,
+                        name-string[1]   SEQUENCE OF UTF8String
+        }
+
+    When a Kerberos PrincipalName is to be placed within an X.509 data
+    structure, the CertPrincipalName structure is to be used, with the
+    name-string encoded as a single UTF8String.  The name-type should be
+    as identified in the original PrincipalName structure.  The mapping
+    between the GeneralString and UTF8String formats can be found in
+    [19].
+
+    The following rules relate to the the matching of PrincipalNames (or
+    corresponding CertPrincipalNames) with regard to the PKI name
+    constraints for CAs as laid out in RFC 2459 [15].  In order to be
+    regarded as a match (for permitted and excluded name trees), the
+    following must be satisfied.
+
+        1.  If the constraint is given as a user plus realm name, or
+            as a user plus instance plus realm name (as specified in
+            RFC 1510), the realm name must be valid (see 2.a-d below)
+            and the match must be exact, byte for byte.
+
+        2.  If the constraint is given only as a realm name, matching
+            depends on the type of the realm:
+
+            a.  If the realm contains a colon (':') before any equal
+                sign ('='), it is treated as a realm of type Other,
+                and must match exactly, byte for byte.
+
+            b.  Otherwise, if the realm contains an equal sign, it
+                is treated as an X.500 name.  In order to match, every
+                component in the constraint MUST be in the principal
+                name, and have the same value.  For example, 'C=US'
+                matches 'C=US/O=ISI' but not 'C=UK'.
+
+            c.  Otherwise, if the realm name conforms to rules regarding
+                the format of DNS names, it is considered a realm name of
+                type Domain.  The constraint may be given as a realm
+                name 'FOO.BAR', which matches any PrincipalName within
+                the realm 'FOO.BAR' but not those in subrealms such as
+                'CAR.FOO.BAR'.  A constraint of the form '.FOO.BAR'
+                matches PrincipalNames in subrealms of the form
+                'CAR.FOO.BAR' but not the realm 'FOO.BAR' itself.
+
+            d.  Otherwise, the realm name is invalid and does not match
+                under any conditions.
+
+3.1.1.  Encryption and Key Formats
+
+    In the exposition below, we use the terms public key and private
+    key generically.  It should be understood that the term "public
+    key" may be used to refer to either a public encryption key or a
+    signature verification key, and that the term "private key" may be
+    used to refer to either a private decryption key or a signature
+    generation key.  The fact that these are logically distinct does
+    not preclude the assignment of bitwise identical keys for RSA
+    keys.
+
+    In the case of Diffie-Hellman, the key shall be produced from the
+    agreed bit string as follows:
+
+        * Truncate the bit string to the appropriate length.
+        * Rectify parity in each byte (if necessary) to obtain the key.
+
+    For instance, in the case of a DES key, we take the first eight
+    bytes of the bit stream, and then adjust the least significant bit
+    of each byte to ensure that each byte has odd parity.
+
+3.1.2. Algorithm Identifiers
+
+    PKINIT does not define, but does permit, the algorithm identifiers
+    listed below.
+
+3.1.2.1. Signature Algorithm Identifiers
+
+    The following signature algorithm identifiers specified in [11] and
+    in [15] shall be used with PKINIT:
+
+    id-dsa-with-sha1       (DSA with SHA1)
+    md5WithRSAEncryption   (RSA with MD5)
+    sha-1WithRSAEncryption (RSA with SHA1)
+
+3.1.2.2 Diffie-Hellman Key Agreement Algorithm Identifier
+
+    The following algorithm identifier shall be used within the
+    SubjectPublicKeyInfo data structure: dhpublicnumber
+
+    This identifier and the associated algorithm parameters are
+    specified in RFC 2459 [15].
+
+3.1.2.3. Algorithm Identifiers for RSA Encryption
+
+    These algorithm identifiers are used inside the EnvelopedData data
+    structure, for encrypting the temporary key with a public key:
+
+        rsaEncryption (RSA encryption, PKCS#1 v1.5)
+        id-RSAES-OAEP (RSA encryption, PKCS#1 v2.0)
+
+    Both of the above RSA encryption schemes are specified in [16].
+    Currently, only PKCS#1 v1.5 is specified by CMS [11], although the
+    CMS specification says that it will likely include PKCS#1 v2.0 in
+    the future.  (PKCS#1 v2.0 addresses adaptive chosen ciphertext
+    vulnerability discovered in PKCS#1 v1.5.)
+
+3.1.2.4. Algorithm Identifiers for Encryption with Secret Keys
+
+    These algorithm identifiers are used inside the EnvelopedData data
+    structure in the PKINIT Reply, for encrypting the reply key with the
+    temporary key:
+        des-ede3-cbc (3-key 3-DES, CBC mode)
+        rc2-cbc      (RC2, CBC mode)
+
+    The full definition of the above algorithm identifiers and their
+    corresponding parameters (an IV for block chaining) is provided in
+    the CMS specification [11].
+
+3.2.  Public Key Authentication
+
+    Implementation of the changes in this section is REQUIRED for
+    compliance with PKINIT.
+
+3.2.1.  Client Request
+
+    Public keys may be signed by some certification authority (CA), or
+    they may be maintained by the KDC in which case the KDC is the
+    trusted authority.  Note that the latter mode does not require the
+    use of certificates.
+
+    The initial authentication request is sent as per RFC 1510, except
+    that a preauthentication field containing data signed by the user's
+    private key accompanies the request:
+
+    PA-PK-AS-REQ ::= SEQUENCE {
+                                -- PA TYPE 14
+        signedAuthPack          [0] SignedData
+                                    -- Defined in CMS [11];
+                                    -- AuthPack (below) defines the
+                                    -- data that is signed.
+        trustedCertifiers       [1] SEQUENCE OF TrustedCas OPTIONAL,
+                                    -- This is a list of CAs that the
+                                    -- client trusts and that certify
+                                    -- KDCs.
+        kdcCert                 [2] IssuerAndSerialNumber OPTIONAL
+                                    -- As defined in CMS [11];
+                                    -- specifies a particular KDC
+                                    -- certificate if the client
+                                    -- already has it.
+        encryptionCert          [3] IssuerAndSerialNumber OPTIONAL
+                                    -- For example, this may be the
+                                    -- client's Diffie-Hellman
+                                    -- certificate, or it may be the
+                                    -- client's RSA encryption
+                                    -- certificate.
+    }
+
+    TrustedCas ::= CHOICE {
+        principalName         [0] KerberosName,
+                                  -- as defined below
+        caName                [1] Name
+                                  -- fully qualified X.500 name
+                                  -- as defined by X.509
+        issuerAndSerial       [2] IssuerAndSerialNumber
+                                  -- Since a CA may have a number of
+                                  -- certificates, only one of which
+                                  -- a client trusts
+    }
+
+    Usage of SignedData:
+
+        The SignedData data type is specified in the Cryptographic
+        Message Syntax, a product of the S/MIME working group of the
+        IETF.  The following describes how to fill in the fields of
+        this data:
+
+        1.  The encapContentInfo field must contain the PKAuthenticator
+            and, optionally, the client's Diffie Hellman public value.
+
+            a.  The eContentType field shall contain the OID value for
+                pkauthdata: iso (1) org (3) dod (6) internet (1)
+                security (5) kerberosv5 (2) pkinit (3) pkauthdata (1)
+
+            b.  The eContent field is data of the type AuthPack (below).
+
+        2.  The signerInfos field contains the signature of AuthPack.
+
+        3.  The Certificates field, when non-empty, contains the client's
+            certificate chain.  If present, the KDC uses the public key
+            from the client's certificate to verify the signature in the
+            request.  Note that the client may pass different certificate
+            chains that are used for signing or for encrypting.  Thus,
+            the KDC may utilize a different client certificate for
+            signature verification than the one it uses to encrypt the
+            reply to the client.  For example, the client may place a
+            Diffie-Hellman certificate in this field in order to convey
+            its static Diffie Hellman certificate to the KDC to enable
+            static-ephemeral Diffie-Hellman mode for the reply; in this
+            case, the client does NOT place its public value in the
+            AuthPack (defined below).  As another example, the client may
+            place an RSA encryption certificate in this field.  However,
+            there must always be (at least) a signature certificate.
+
+    AuthPack ::= SEQUENCE {
+        pkAuthenticator         [0] PKAuthenticator,
+        clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL
+                                    -- if client is using Diffie-Hellman
+                                    -- (ephemeral-ephemeral only)
+    }
+
+    PKAuthenticator ::= SEQUENCE {
+        cusec                   [0] INTEGER,
+                                    -- for replay prevention as in RFC1510
+        ctime                   [1] KerberosTime,
+                                    -- for replay prevention as in RFC1510
+        nonce                   [2] INTEGER,
+        pachecksum              [3] Checksum
+                                    -- Checksum over KDC-REQ-BODY
+                                    -- Defined by Kerberos spec
+    }
+
+    SubjectPublicKeyInfo ::= SEQUENCE {
+        algorithm                   AlgorithmIdentifier,
+                                    -- dhKeyAgreement
+        subjectPublicKey            BIT STRING
+                                    -- for DH, equals
+                                    -- public exponent (INTEGER encoded
+                                    -- as payload of BIT STRING)
+    }   -- as specified by the X.509 recommendation [10]
+
+    AlgorithmIdentifier ::= SEQUENCE {
+        algorithm                   OBJECT IDENTIFIER,
+                                    -- for dhKeyAgreement, this is
+                                    -- { iso (1) member-body (2) US (840)
+                                    -- rsadsi (113459) pkcs (1) 3 1 }
+                                    -- from PKCS #3 [20]
+        parameters                  ANY DEFINED by algorithm OPTIONAL
+                                    -- for dhKeyAgreement, this is
+                                    -- DHParameter
+    }   -- as specified by the X.509 recommendation [10]
+
+    DHParameter ::= SEQUENCE {
+        prime                       INTEGER,
+                                    -- p
+        base                        INTEGER,
+                                    -- g
+        privateValueLength          INTEGER OPTIONAL
+                                    -- l
+    }   -- as defined in PKCS #3 [20]
+
+    If the client passes an issuer and serial number in the request,
+    the KDC is requested to use the referred-to certificate.  If none
+    exists, then the KDC returns an error of type
+    KDC_ERR_CERTIFICATE_MISMATCH.  It also returns this error if, on the
+    other hand, the client does not pass any trustedCertifiers,
+    believing that it has the KDC's certificate, but the KDC has more
+    than one certificate.  The KDC should include information in the
+    KRB-ERROR message that indicates the KDC certificate(s) that a
+    client may utilize.  This data is specified in the e-data, which
+    is defined in RFC 1510 revisions as a SEQUENCE of TypedData:
+
+    TypedData ::=  SEQUENCE {
+                    data-type      [0] INTEGER,
+                    data-value     [1] OCTET STRING,
+    } -- per Kerberos RFC 1510 revisions
+
+    where:
+    data-type = TD-PKINIT-CMS-CERTIFICATES = 101
+    data-value = CertificateSet // as specified by CMS [11]
+
+    The PKAuthenticator carries information to foil replay attacks, to
+    bind the pre-authentication data to the KDC-REQ-BODY, and to bind the
+    request and response.  The PKAuthenticator is signed with the client's
+    signature key.
+
+3.2.2.  KDC Response
+
+    Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication
+    type, the KDC attempts to verify the user's certificate chain
+    (userCert), if one is provided in the request.  This is done by
+    verifying the certification path against the KDC's policy of
+    legitimate certifiers.  This may be based on a certification
+    hierarchy, or it may be simply a list of recognized certifiers in a
+    system like PGP.
+
+    If the client's certificate chain contains no certificate signed by
+    a CA trusted by the KDC, then the KDC sends back an error message
+    of type KDC_ERR_CANT_VERIFY_CERTIFICATE.  The accompanying e-data
+    is a SEQUENCE of one TypedData (with type TD-TRUSTED-CERTIFIERS=104)
+    whose data-value is an OCTET STRING which is the DER encoding of
+
+        TrustedCertifiers ::= SEQUENCE OF PrincipalName
+                              -- X.500 name encoded as a principal name
+                              -- see Section 3.1
+
+    If while verifying a certificate chain the KDC determines that the
+    signature on one of the certificates in the CertificateSet from
+    the signedAuthPack fails verification, then the KDC returns an
+    error of type KDC_ERR_INVALID_CERTIFICATE.  The accompanying
+    e-data is a SEQUENCE of one TypedData (with type
+    TD-CERTIFICATE-INDEX=105) whose data-value is an OCTET STRING
+    which is the DER encoding of the index into the CertificateSet
+    ordered as sent by the client.
+
+        CertificateIndex  ::= INTEGER
+                              -- 0 = 1st certificate,
+                              --     (in order of encoding)
+                              -- 1 = 2nd certificate, etc
+
+    The KDC may also check whether any of the certificates in the
+    client's chain has been revoked.  If one of the certificates has
+    been revoked, then the KDC returns an error of type
+    KDC_ERR_REVOKED_CERTIFICATE; if such a query reveals that
+    the certificate's revocation status is unknown or not
+    available, then if required by policy, the KDC returns the
+    appropriate error of type KDC_ERR_REVOCATION_STATUS_UNKNOWN or
+    KDC_ERR_REVOCATION_STATUS_UNAVAILABLE.  In any of these three
+    cases, the affected certificate is identified by the accompanying
+    e-data, which contains a CertificateIndex as described for
+    KDC_ERR_INVALID_CERTIFICATE.
+
+    If the certificate chain can be verified, but the name of the
+    client in the certificate does not match the client's name in the
+    request, then the KDC returns an error of type
+    KDC_ERR_CLIENT_NAME_MISMATCH.  There is no accompanying e-data
+    field in this case.
+
+    Finally, if the certificate chain is verified, but the KDC's name
+    or realm as given in the PKAuthenticator does not match the KDC's
+    actual principal name, then the KDC returns an error of type
+    KDC_ERR_KDC_NAME_MISMATCH.  The accompanying e-data field is again
+    a SEQUENCE of one TypedData (with type TD-KRB-PRINCIPAL=102 or
+    TD-KRB-REALM=103 as appropriate) whose data-value is an OCTET
+    STRING whose data-value is the DER encoding of a PrincipalName or
+    Realm as defined in RFC 1510 revisions.
+
+    Even if all succeeds, the KDC may--for policy reasons--decide not
+    to trust the client.  In this case, the KDC returns an error message
+    of type KDC_ERR_CLIENT_NOT_TRUSTED.  One specific case of this is
+    the presence or absence of an Enhanced Key Usage (EKU) OID within
+    the certificate extensions.  The rules regarding acceptability of
+    an EKU sequence (or the absence of any sequence) are a matter of
+    local policy.  For the benefit of implementers, we define a PKINIT
+    EKU OID as the following: iso (1) org (3) dod (6) internet (1)
+    security (5) kerberosv5 (2) pkinit (3) pkekuoid (2).
+
+    If a trust relationship exists, the KDC then verifies the client's
+    signature on AuthPack.  If that fails, the KDC returns an error
+    message of type KDC_ERR_INVALID_SIG.  Otherwise, the KDC uses the
+    timestamp (ctime and cusec) in the PKAuthenticator to assure that
+    the request is not a replay.  The KDC also verifies that its name
+    is specified in the PKAuthenticator.
+
+    If the clientPublicValue field is filled in, indicating that the
+    client wishes to use Diffie-Hellman key agreement, then the KDC
+    checks to see that the parameters satisfy its policy.  If they do
+    not (e.g., the prime size is insufficient for the expected
+    encryption type), then the KDC sends back an error message of type
+    KDC_ERR_KEY_TOO_WEAK.  Otherwise, it generates its own public and
+    private values for the response.
+
+    The KDC also checks that the timestamp in the PKAuthenticator is
+    within the allowable window and that the principal name and realm
+    are correct.  If the local (server) time and the client time in the
+    authenticator differ by more than the allowable clock skew, then the
+    KDC returns an error message of type KRB_AP_ERR_SKEW as defined in 1510.
+
+    Assuming no errors, the KDC replies as per RFC 1510, except as
+    follows.  The user's name in the ticket is determined by the
+    following decision algorithm:
+
+        1.  If the KDC has a mapping from the name in the certificate
+            to a Kerberos name, then use that name.
+            Else
+        2.  If the certificate contains the SubjectAltName extention
+            and the local KDC policy defines a mapping from the
+            SubjectAltName to a Kerberos name, then use that name.
+            Else
+        3.  Use the name as represented in the certificate, mapping
+            mapping as necessary (e.g., as per RFC 2253 for X.500
+            names).  In this case the realm in the ticket shall be the
+            name of the certifier that issued the user's certificate.
+
+    Note that a principal name may be carried in the subject alt name
+    field of a certificate. This name may be mapped to a principal
+    record in a security database based on local policy, for example
+    the subject alt name may be kerberos/principal@realm format.  In
+    this case the realm name is not that of the CA but that of the
+    local realm doing the mapping (or some realm name chosen by that
+    realm).
+
+    If a non-KDC X.509 certificate contains the principal name within
+    the subjectAltName version 3 extension , that name may utilize
+    KerberosName as defined below, or, in the case of an S/MIME
+    certificate [17], may utilize the email address.  If the KDC
+    is presented with an S/MIME certificate, then the email address
+    within subjectAltName will be interpreted as a principal and realm
+    separated by the "@" sign, or as a name that needs to be
+    canonicalized.  If the resulting name does not correspond to a
+    registered principal name, then the principal name is formed as
+    defined in section 3.1.
+
+    The trustedCertifiers field contains a list of certification
+    authorities trusted by the client, in the case that the client does
+    not possess the KDC's public key certificate.  If the KDC has no
+    certificate signed by any of the trustedCertifiers, then it returns
+    an error of type KDC_ERR_KDC_NOT_TRUSTED.
+
+    KDCs should try to (in order of preference):
+    1. Use the KDC certificate identified by the serialNumber included
+       in the client's request.
+    2. Use a certificate issued to the KDC by the client's CA (if in the
+       middle of a CA key roll-over, use the KDC cert issued under same
+       CA key as user cert used to verify request).
+    3. Use a certificate issued to the KDC by one of the client's
+       trustedCertifier(s);
+    If the KDC is unable to comply with any of these options, then the
+    KDC returns an error message of type KDC_ERR_KDC_NOT_TRUSTED to the
+    client.
+
+    The KDC encrypts the reply not with the user's long-term key, but
+    with the Diffie Hellman derived key or a random key generated
+    for this particular response which is carried in the padata field of
+    the TGS-REP message.
+
+    PA-PK-AS-REP ::= CHOICE {
+                            -- PA TYPE 15
+        dhSignedData       [0] SignedData,
+                            -- Defined in CMS and used only with
+                            -- Diffie-Hellman key exchange (if the
+                            -- client public value was present in the
+                            -- request).
+                            -- This choice MUST be supported
+                            -- by compliant implementations.
+        encKeyPack         [1] EnvelopedData,
+                            -- Defined in CMS
+                            -- The temporary key is encrypted
+                            -- using the client public key
+                            -- key
+                            -- SignedReplyKeyPack, encrypted
+                            -- with the temporary key, is also
+                            -- included.
+    }
+
+    Usage of SignedData:
+
+        When the Diffie-Hellman option is used, dhSignedData in
+        PA-PK-AS-REP provides authenticated Diffie-Hellman parameters
+        of the KDC.  The reply key used to encrypt part of the KDC reply
+        message is derived from the Diffie-Hellman exchange:
+
+        1.  Both the KDC and the client calculate a secret value
+            (g^ab mod p), where a is the client's private exponent and
+            b is the KDC's private exponent.
+
+        2.  Both the KDC and the client take the first N bits of this
+            secret value and convert it into a reply key.  N depends on
+            the reply key type.
+
+        3.  If the reply key is DES, N=64 bits, where some of the bits
+            are replaced with parity bits, according to FIPS PUB 74.
+
+        4.  If the reply key is (3-key) 3-DES, N=192 bits, where some
+            of the bits are replaced with parity bits, according to
+            FIPS PUB 74.
+
+        5.  The encapContentInfo field must contain the KdcDHKeyInfo as
+            defined below.
+
+            a.  The eContentType field shall contain the OID value for
+                pkdhkeydata: iso (1) org (3) dod (6) internet (1)
+                security (5) kerberosv5 (2) pkinit (3) pkdhkeydata (2)
+
+            b.  The eContent field is data of the type KdcDHKeyInfo
+                (below).
+
+        6.  The certificates field must contain the certificates
+            necessary for the client to establish trust in the KDC's
+            certificate based on the list of trusted certifiers sent by
+            the client in the PA-PK-AS-REQ.  This field may be empty if
+            the client did not send to the KDC a list of trusted
+            certifiers (the trustedCertifiers field was empty, meaning
+            that the client already possesses the KDC's certificate).
+
+        7.  The signerInfos field is a SET that must contain at least
+            one member, since it contains the actual signature.
+
+    KdcDHKeyInfo ::= SEQUENCE {
+                              -- used only when utilizing Diffie-Hellman
+      nonce                 [0] INTEGER,
+                                -- binds responce to the request
+      subjectPublicKey      [2] BIT STRING
+                                -- Equals public exponent (g^a mod p)
+                                -- INTEGER encoded as payload of
+                                -- BIT STRING
+    }
+
+    Usage of EnvelopedData:
+
+        The EnvelopedData data type is specified in the Cryptographic
+        Message Syntax, a product of the S/MIME working group of the
+        IETF.  It contains a temporary key encrypted with the PKINIT
+        client's public key.  It also contains a signed and encrypted
+        reply key.
+
+        1.  The originatorInfo field is not required, since that
+            information may be presented in the signedData structure
+            that is encrypted within the encryptedContentInfo field.
+
+        2.  The optional unprotectedAttrs field is not required for
+            PKINIT.
+
+        3.  The recipientInfos field is a SET which must contain exactly
+            one member of the KeyTransRecipientInfo type for encryption
+            with an RSA public key.
+
+            a.  The encryptedKey field (in KeyTransRecipientInfo)
+                contains the temporary key which is encrypted with the
+                PKINIT client's public key.
+
+        4.  The encryptedContentInfo field contains the signed and
+            encrypted reply key.
+
+            a.  The contentType field shall contain the OID value for
+                id-signedData: iso (1) member-body (2) us (840)
+                rsadsi (113549) pkcs (1) pkcs7 (7) signedData (2)
+
+            b.  The encryptedContent field is encrypted data of the CMS
+                type signedData as specified below.
+
+                i.  The encapContentInfo field must contains the
+                    ReplyKeyPack.
+
+                    * The eContentType field shall contain the OID value
+                      for pkrkeydata: iso (1) org (3) dod (6) internet (1)
+                      security (5) kerberosv5 (2) pkinit (3) pkrkeydata (3)
+
+                    * The eContent field is data of the type ReplyKeyPack
+                      (below).
+
+                ii.  The certificates field must contain the certificates
+                     necessary for the client to establish trust in the
+                     KDC's certificate based on the list of trusted
+                     certifiers sent by the client in the PA-PK-AS-REQ.
+                     This field may be empty if the client did not send
+                     to the KDC a list of trusted certifiers (the
+                     trustedCertifiers field was empty, meaning that the
+                     client already possesses the KDC's certificate).
+
+                iii.  The signerInfos field is a SET that must contain at
+                      least one member, since it contains the actual
+                      signature.
+
+    ReplyKeyPack ::= SEQUENCE {
+                              -- not used for Diffie-Hellman
+        replyKey             [0] EncryptionKey,
+                                 -- used to encrypt main reply
+                                 -- ENCTYPE is at least as strong as
+                                 -- ENCTYPE of session key
+        nonce                [1] INTEGER,
+                                 -- binds response to the request
+                                 -- must be same as the nonce
+                                 -- passed in the PKAuthenticator
+    }
+
+    Since each certifier in the certification path of a user's
+    certificate is equivalent to a separate Kerberos realm, the name
+    of each certifier in the certificate chain must be added to the
+    transited field of the ticket.  The format of these realm names is
+    defined in Section 3.1 of this document.  If applicable, the
+    transit-policy-checked flag should be set in the issued ticket.
+
+    The KDC's certificate(s) must bind the public key(s) of the KDC to
+    a name derivable from the name of the realm for that KDC.  X.509
+    certificates shall contain the principal name of the KDC
+    (defined in section 8.2 of RFC 1510) as the SubjectAltName version
+    3 extension. Below is the definition of this version 3 extension,
+    as specified by the X.509 standard:
+
+        subjectAltName EXTENSION ::= {
+            SYNTAX GeneralNames
+            IDENTIFIED BY id-ce-subjectAltName
+        }
+
+        GeneralNames ::= SEQUENCE SIZE(1..MAX) OF GeneralName
+
+        GeneralName ::= CHOICE {
+            otherName       [0] OtherName,
+            ...
+        }
+
+        OtherName ::= SEQUENCE {
+            type-id         OBJECT IDENTIFIER,
+            value           [0] EXPLICIT ANY DEFINED BY type-id
+        }
+
+    For the purpose of specifying a Kerberos principal name, the value
+    in OtherName shall be a KerberosName as defined in RFC 1510, but with
+    the PrincipalName replaced by CertPrincipalName as mentioned in
+    Section 3.1:
+
+        KerberosName ::= SEQUENCE {
+            realm           [0] Realm,
+            principalName   [1] CertPrincipalName  -- defined above
+        }
+
+    This specific syntax is identified within subjectAltName by setting
+    the type-id in OtherName to krb5PrincipalName, where (from the
+    Kerberos specification) we have
+
+        krb5 OBJECT IDENTIFIER ::= { iso (1)
+                                     org (3)
+                                     dod (6)
+                                     internet (1)
+                                     security (5)
+                                     kerberosv5 (2) }
+
+        krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
+
+    (This specification may also be used to specify a Kerberos name
+    within the user's certificate.)  The KDC's certificate may be signed
+    directly by a CA, or there may be intermediaries if the server resides
+    within a large organization, or it may be unsigned if the client
+    indicates possession (and trust) of the KDC's certificate.
+
+    The client then extracts the random key used to encrypt the main
+    reply.  This random key (in encPaReply) is encrypted with either the
+    client's public key or with a key derived from the DH values
+    exchanged between the client and the KDC.  The client uses this
+    random key to decrypt the main reply, and subsequently proceeds as
+    described in RFC 1510.
+
+3.2.3. Required Algorithms
+
+    Not all of the algorithms in the PKINIT protocol specification have
+    to be implemented in order to comply with the proposed standard.
+    Below is a list of the required algorithms:
+
+    * Diffie-Hellman public/private key pairs
+        * utilizing Diffie-Hellman ephemeral-ephemeral mode
+    * SHA1 digest and DSA for signatures
+    * SHA1 digest also for the Checksum in the PKAuthenticator
+    * 3-key triple DES keys derived from the Diffie-Hellman Exchange
+    * 3-key triple DES Temporary and Reply keys
+
+4.  Logistics and Policy
+
+    This section describes a way to define the policy on the use of
+    PKINIT for each principal and request.
+
+    The KDC is not required to contain a database record for users
+    who use public key authentication.  However, if these users are
+    registered with the KDC, it is recommended that the database record
+    for these users be modified to an additional flag in the attributes
+    field to indicate that the user should authenticate using PKINIT.
+    If this flag is set and a request message does not contain the
+    PKINIT preauthentication field, then the KDC sends back as error of
+    type KDC_ERR_PREAUTH_REQUIRED indicating that a preauthentication
+    field of type PA-PK-AS-REQ must be included in the request.
+
+5.  Security Considerations
+
+    PKINIT raises a few security considerations, which we will address
+    in this section.
+
+    First of all, PKINIT introduces a new trust model, where KDCs do not
+    (necessarily) certify the identity of those for whom they issue
+    tickets.  PKINIT does allow KDCs to act as their own CAs, in the
+    limited capacity of self-signing their certificates, but one of the
+    additional benefits is to align Kerberos authentication with a global
+    public key infrastructure.  Anyone using PKINIT in this way must be
+    aware of how the certification infrastructure they are linking to
+    works.
+
+    Secondly, PKINIT also introduces the possibility of interactions
+    between different cryptosystems, which may be of widely varying
+    strengths.  Many systems, for instance, allow the use of 512-bit
+    public keys.  Using such keys to wrap data encrypted under strong
+    conventional cryptosystems, such as triple-DES, is inappropriate;
+    it adds a weak link to a strong one at extra cost.  Implementors
+    and administrators should take care to avoid such wasteful and
+    deceptive interactions.
+
+    Lastly, PKINIT calls for randomly generated keys for conventional
+    cryptosystems.  Many such systems contain systematically "weak"
+    keys.  PKINIT implementations MUST avoid use of these keys, either
+    by discarding those keys when they are generated, or by fixing them
+    in some way (e.g., by XORing them with a given mask).  These
+    precautions vary from system to system; it is not our intention to
+    give an explicit recipe for them here.
+
+6.  Transport Issues
+
+    Certificate chains can potentially grow quite large and span several
+    UDP packets; this in turn increases the probability that a Kerberos
+    message involving PKINIT extensions will be broken in transit.  In
+    light of the possibility that the Kerberos specification will
+    require KDCs to accept requests using TCP as a transport mechanism,
+    we make the same recommendation with respect to the PKINIT
+    extensions as well.
+
+7.  Bibliography
+
+    [1] J. Kohl, C. Neuman.  The Kerberos Network Authentication Service
+    (V5).  Request for Comments 1510.
+
+    [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service
+    for Computer Networks, IEEE Communications, 32(9):33-38.  September
+    1994.
+
+    [3] B. Tung, T. Ryutov, C. Neuman, G. Tsudik, B. Sommerfeld,
+    A. Medvinsky, M. Hur.  Public Key Cryptography for Cross-Realm
+    Authentication in Kerberos.  draft-ietf-cat-kerberos-pk-cross-04.txt
+
+    [4] A. Medvinsky, J. Cargille, M. Hur.  Anonymous Credentials in
+    Kerberos.  draft-ietf-cat-kerberos-anoncred-00.txt
+
+    [5] Ari Medvinsky, M. Hur, Alexander Medvinsky, B. Clifford Neuman.
+    Public Key Utilizing Tickets for Application Servers (PKTAPP).
+    draft-ietf-cat-pktapp-02.txt
+
+    [6] M. Sirbu, J. Chuang.  Distributed Authentication in Kerberos
+    Using Public Key Cryptography.  Symposium On Network and Distributed
+    System Security, 1997.
+
+    [7] B. Cox, J.D. Tygar, M. Sirbu.  NetBill Security and Transaction
+    Protocol.  In Proceedings of the USENIX Workshop on Electronic
+    Commerce, July 1995.
+
+    [8] T. Dierks, C. Allen.  The TLS Protocol, Version 1.0
+    Request for Comments 2246, January 1999.
+
+    [9] B.C. Neuman, Proxy-Based Authorization and Accounting for
+    Distributed Systems.  In Proceedings of the 13th International
+    Conference on Distributed Computing Systems, May 1993.
+
+    [10] ITU-T (formerly CCITT) Information technology - Open Systems
+    Interconnection - The Directory: Authentication Framework
+    Recommendation X.509 ISO/IEC 9594-8
+
+    [11] R. Housley. Cryptographic Message Syntax.
+    draft-ietf-smime-cms-13.txt, April 1999, approved for publication
+    as RFC.
+
+    [12] PKCS #7: Cryptographic Message Syntax Standard,
+    An RSA Laboratories Technical Note Version 1.5
+    Revised November 1, 1993
+
+    [13] R. Rivest, MIT Laboratory for Computer Science and RSA Data
+    Security, Inc. A Description of the RC2(r) Encryption Algorithm
+    March 1998.
+    Request for Comments 2268.
+
+    [14] M. Wahl, S. Kille, T. Howes. Lightweight Directory Access
+    Protocol (v3): UTF-8 String Representation of Distinguished Names.
+    Request for Comments 2253.
+
+    [15] R. Housley, W. Ford, W. Polk, D. Solo. Internet X.509 Public
+    Key Infrastructure, Certificate and CRL Profile, January 1999.
+    Request for Comments 2459.
+
+    [16] B. Kaliski, J. Staddon. PKCS #1: RSA Cryptography
+    Specifications, October 1998.  Request for Comments 2437.
+
+    [17] S. Dusse, P. Hoffman, B. Ramsdell, J. Weinstein.  S/MIME
+    Version 2 Certificate Handling, March 1998.  Request for
+    Comments 2312.
+
+    [18] M. Wahl, T. Howes, S. Kille.  Lightweight Directory Access
+    Protocol (v3), December 1997.  Request for Comments 2251.
+
+    [19] ITU-T (formerly CCITT) Information Processing Systems - Open
+    Systems Interconnection - Specification of Abstract Syntax Notation
+    One (ASN.1) Rec. X.680 ISO/IEC 8824-1
+
+    [20] PKCS #3: Diffie-Hellman Key-Agreement Standard, An RSA
+    Laboratories Technical Note, Version 1.4, Revised November 1, 1993.
+
+8.  Acknowledgements
+
+    Some of the ideas on which this proposal is based arose during
+    discussions over several years between members of the SAAG, the IETF
+    CAT working group, and the PSRG, regarding integration of Kerberos
+    and SPX.  Some ideas have also been drawn from the DASS system.
+    These changes are by no means endorsed by these groups.  This is an
+    attempt to revive some of the goals of those groups, and this
+    proposal approaches those goals primarily from the Kerberos
+    perspective.  Lastly, comments from groups working on similar ideas
+    in DCE have been invaluable.
+
+9.  Expiration Date
+
+    This draft expires January 15, 2001.
+
+10. Authors
+
+    Brian Tung
+    Clifford Neuman
+    USC Information Sciences Institute
+    4676 Admiralty Way Suite 1001
+    Marina del Rey CA 90292-6695
+    Phone: +1 310 822 1511
+    E-mail: {brian, bcn}@isi.edu
+
+    Matthew Hur
+    CyberSafe Corporation
+    1605 NW Sammamish Road
+    Issaquah WA 98027-5378
+    Phone: +1 425 391 6000
+    E-mail: matt.hur@cybersafe.com
+
+    Ari Medvinsky
+    Keen.com, Inc.
+    150 Independence Drive
+    Menlo Park CA 94025
+    Phone: +1 650 289 3134
+    E-mail: ari@keen.com
+
+    Sasha Medvinsky
+    Motorola
+    6450 Sequence Drive
+    San Diego, CA 92121
+    +1 858 404 2367
+    E-mail: smedvinsky@gi.com
+
+    John Wray
+    Iris Associates, Inc.
+    5 Technology Park Dr.
+    Westford, MA 01886
+    E-mail: John_Wray@iris.com
+
+    Jonathan Trostle
+    170 W. Tasman Dr.
+    San Jose, CA 95134
+    E-mail: jtrostle@cisco.com
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt
new file mode 100644
index 0000000..6581dd5
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-tapp-03.txt
@@ -0,0 +1,378 @@
+INTERNET-DRAFT                                    Ari Medvinsky
+draft-ietf-cat-kerberos-pk-tapp-03.txt            Keen.com, Inc.
+Expires January 14, 2001                          Matthew Hur
+Informational					  CyberSafe Corporation
+						  Sasha Medvinsky
+						  Motorola
+                                                  Clifford Neuman
+                                                  USC/ISI
+
+Public Key Utilizing Tickets for Application Servers (PKTAPP)
+
+
+0. Status Of this Memo
+
+This document is an Internet-Draft and is in full conformance with
+all provisions of Section 10 of RFC 2026.  Internet-Drafts are
+working documents of the Internet Engineering Task Force (IETF),
+its areas, and its working groups.  Note that other groups may also
+distribute working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six
+months and may be updated, replaced, or obsoleted by other
+documents at any time.  It is inappropriate to use Internet-Drafts
+as reference material or to cite them other than as "work in
+progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html.
+
+To learn the current status of any Internet-Draft, please check
+the "1id-abstracts.txt" listing contained in the Internet-Drafts
+Shadow Directories on ftp.ietf.org (US East Coast),
+nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+munnari.oz.au (Pacific Rim).
+
+The distribution of this memo is unlimited.  It is filed as
+draft-ietf-cat-kerberos-pk-init-10.txt, and expires April 30,
+2000.  Please send comments to the authors.
+
+1. Abstract
+
+Public key based Kerberos for Distributed Authentication[1], (PKDA) 
+proposed by Sirbu & Chuang, describes PK based authentication that 
+eliminates the use of a centralized key distribution center while 
+retaining the advantages of Kerberos tickets.  This draft describes how, 
+without any modification, the PKINIT specification[2] may be used to 
+implement the ideas introduced in PKDA.  The benefit is that only a 
+single PK Kerberos extension is needed to address the goals of PKINIT & 
+PKDA.
+
+
+
+2. Introduction
+
+With the proliferation of public key cryptography, a number of public 
+key extensions to Kerberos have been proposed to provide 
+interoperability with the PK infrastructure and to improve the Kerberos 
+authentication system [4].  Among these are PKINIT[2] (under development
+in the CAT working group) and more recently PKDA [1] proposed by Sirbu & 
+Chuang of CMU.  One of the principal goals of PKINIT is to provide for 
+interoperability between a PK infrastructure and Kerberos.  Using 
+PKINIT, a user can authenticate to the KDC via a public key certificate.  
+A ticket granting ticket (TGT), returned by the KDC, enables a PK user 
+to obtain tickets and authenticate to kerberized services.  The PKDA 
+proposal goes a step further.  It supports direct client to server 
+authentication, eliminating the need for an online key distribution 
+center.  In this draft, we describe how, without any modification, the 
+PKINIT protocol may be applied to achieve the goals of PKDA. For direct 
+client to server authentication, the client will use PKINIT to 
+authenticate to the end server (instead of a central KDC), which then, 
+will issue a ticket for itself.  The benefit of this proposal, is that a 
+single PK extension to Kerberos can addresses the goals of PKINIT and 
+PKDA.
+
+
+3. PKDA background
+
+The PKDA proposal provides direct client to server authentication, thus 
+eliminating the need for an online key distribution center.  A client 
+and server take part in an initial PK based authentication exchange, 
+with an added caveat that the server acts as a Kerberos ticket granting 
+service and issues a traditional Kerberos ticket for itself.  In 
+subsequent communication, the client makes use of the Kerberos ticket, 
+thus eliminating the need for public key operations on the server.  This 
+approach has an advantage over SSL in that the server does not need to 
+save state (cache session keys).  Furthermore, an additional benefit, is 
+that Kerberos tickets can facilitate delegation (see Neuman[3]). 
+
+Below is a brief overview of the PKDA protocol.  For a more detailed 
+description see [1]. 
+
+SCERT_REQ: Client to Server
+The client requests a certificate from the server.  If the serverÆs 
+certificate is cached locally, SCERT_REQ and SCERT_REP are omitted.
+
+SCERT_REP:  Server to Client
+The server returns its certificate to the client.
+
+PKTGS_REQ: Client to Server
+The client sends a request for a service ticket to the server.  To 
+authenticate the request, the client signs, among other fields, a time 
+stamp and a newly generated symmetric key .  The time stamp is used to 
+foil replay attacks;  the symmetric key is used by the server to secure 
+the PKTGS_REP message. 
+The client provides a certificate in the request (the certificate 
+enables the server to verify the validity of the clientÆs signature) and 
+seals it along with the signed information using the serverÆs public 
+key.  
+
+ 
+PKTGS_REP:  Server to Client
+The server returns a service ticket (which it issued for itself) along 
+with the session key for the ticket.  The session key is protected by 
+the client-generated key from the PKTGS_REQ message.  
+
+AP_REQ:  Client to Server
+After the above exchange, the client can proceed in a normal fashion, 
+using the conventional Kerberos ticket in an AP_REQ message.
+
+
+4. PKINIT background
+
+One of the principal goals of PKINIT is to provide for interoperability 
+between a public key infrastructure and Kerberos.  Using a public key 
+certificate, a client can authenticate to the KDC and receive a TGT 
+which enables the client to obtain service tickets to kerberized 
+services..  In PKINIT, the AS-REQ and AS-REP messages remain the same; 
+new preauthentication data types are used to conduct the PK exchange.  
+Client and server certificates are exchanged via the preauthentication 
+data.  Thus, the exchange of certificates , PK authentication, and 
+delivery of a TGT can occur in two messages.
+
+Below is a brief overview of the PKINIT protocol.  For a more detailed 
+description see [2]. 
+
+PreAuthentication data of AS-REQ:  Client to Server
+The client sends a list of trusted certifiers, a signed PK 
+authenticator, and its certificate.  The PK authenticator, based on the 
+Kerberos authenticator, contains the name of the KDC, a timestamp, and a 
+nonce.
+
+PreAuthentication data of AS-REP:  Server to Client
+The server responds with its certificate and the key used for decrypting 
+the encrypted part of the AS-REQ.  This key is encrypted with the 
+clientÆs public key.
+
+AP_REQ:  Client to Server
+After the above exchange, the client can proceed in a normal fashion, 
+using the conventional Kerberos ticket in an AP_REQ message.
+
+
+5. Application of PKINIT to achieve equivalence to PKDA
+
+While PKINIT is normally used to retrieve a ticket granting ticket 
+(TGT), it may also be used to request an end service ticket.  When used 
+in this fashion, PKINIT is functionally equivalent to PKDA.  We 
+introduce the concept of a local ticket granting server (LTGS) to 
+illustrate how PKINIT may be used for issuing end service tickets based 
+on public key authentication.  It is important to note that the LTGS may 
+be built into an application server, or it may be a stand-alone server 
+used for issuing tickets within a well-defined realm, such as a single 
+machine.  We will discuss both of these options.
+
+
+5.1. The LTGS
+
+The LTGS processes the Kerberos AS-REQ and AS-REP messages with PKINIT 
+preauthentication data.  When a client submits an AS-REQ to the LTGS, it
+specifies an application server, in order to receive an end service 
+ticket instead of a TGT.
+
+
+5.1.1. The LTGS as a standalone server
+
+The LTGS may run as a separate process that serves applications which 
+reside on the same machine. This serves to consolidate administrative 
+functions and provide an easier migration path for a heterogeneous 
+environment consisting of both public key and Kerberos.  The LTGS would 
+use one well-known port (port #88 - same as the KDC) for all message 
+traffic and would share a symmetric with each service.  After the client 
+receives a service ticket, it then contacts the application server 
+directly.  This approach is similar to the one suggested by Sirbu , et 
+al [1].
+
+5.1.1.1. Ticket Policy for PKTAPP Clients
+
+It is desirable for the LTGS to have access to a PKTAPP client ticket
+policy. This policy will contain information for each client, such as 
+the maximum lifetime of a ticket, whether or not a ticket can be 
+forwardable, etc. PKTAPP clients, however, use the PKINIT protocol for
+authentication and are not required to be registered as Kerberos 
+principals.
+
+As one possible solution, each public key Certification Authority could
+be registered in a secure database, along with the ticket policy 
+information for all PKTAPP clients that are certified by this
+Certification Authority.
+
+5.1.1.2. LTGS as a Kerberos Principal
+
+Since the LTGS serves only PKTAPP clients and returns only end service
+tickets for other services, it does not require a Kerberos service key 
+or a Kerberos principal identity. It is therefore not necessary for the
+LTGS to even be registered as a Kerberos principal.
+
+The LTGS still requires public key credentials for the PKINIT exchange,
+and it may be desired to have some global restrictions on the Kerberos
+tickets that it can issue. It is recommended (but not required) that
+this information be associated with a Kerberos principal entry for the
+LTGS.
+
+
+5.1.1.3. Kerberos Principal Database
+
+Since the LTGS issues tickets for Kerberos services, it will require
+access to a Kerberos principal database containing entries for at least
+the end services. Each entry must contain a service key and may also
+contain restrictions on the service tickets that are issued to clients.
+It is recommended that (for ease of administration) this principal
+database be centrally administered and distributed (replicated) to all
+hosts where an LTGS may be running.
+
+In the case that there are other clients that do not support PKINIT
+protocol, but still need access to the same Kerberos services, this
+principal database will also require entries for Kerberos clients and
+for the TGS entries.
+
+5.1.2. The LTGS as part of an application server
+
+The LTGS may be combined with an application server.  This accomplishes 
+direct client to application server authentication; however, it requires 
+that applications be modified to process AS-REQ and AS-REP messages.  
+The LTGS would communicate over the port assigned to the application 
+server or over the well known Kerberos port for that particular 
+application.
+
+5.1.2.2. Ticket Policy for PKTAPP Clients
+
+Application servers normally do not have access to a distributed 
+principal database. Therefore, they will have to find another means of
+keeping track of the ticket policy information for PKTAPP clients. It is
+recommended that this ticket policy be kept in a directory service (such
+as LDAP).  
+
+It is critical, however, that both read and write access to this ticket
+policy is restricted with strong authentication and encryption to only
+the correct application server.  An unauthorized party should not have
+the authority to modify the ticket policy. Disclosing the ticket policy
+to a 3rd party may aid an adversary in determining the best way to
+compromise the network.
+
+It is just as critical for the application server to authenticate the
+directory service. Otherwise an adversary could use a man-in-the-middle
+attack to substitute a false ticket policy with a false directory
+service.
+
+5.1.2.3. LTGS Credentials
+
+Each LTGS (combined with an application service) will require public key
+credentials in order to use the PKINIT protocol. These credentials can 
+be stored in a single file that is both encrypted with a password-
+derived symmetric key and also secured by an operating system. This
+symmetric key may be stashed somewhere on the machine for convenience,
+although such practice potentially weakens the overall system security
+and is strongly discouraged.
+
+For added security, it is recommended that the LTGS private keys are
+stored inside a temper-resistant hardware module that requires a pin
+code for access.
+
+
+5.1.2.4. Compatibility With Standard Kerberos
+
+Even though an application server is combined with the LTGS, for
+backward compatibility it should still accept service tickets that have
+been issued by the KDC. This will allow Kerberos clients that do not
+support PKTAPP to authenticate to the same application server (with the
+help of a KDC).
+
+5.1.3. Cross-Realm Authentication
+
+According to the PKINIT draft, the client's realm is the X.500 name of
+the Certification Authority that issued the client certificate. A 
+Kerberos application service will be in a standard Kerberos realm, which
+implies that the LTGS will need to issue cross-realm end service 
+tickets. This is the only case, where cross-realm end service tickets
+are issued. In a standard Kerberos model, a client first acquires a
+cross-realm TGT, and then gets an end service ticket from the KDC that
+is in the same realm as the application service.
+
+6. Protocol differences between PKINIT and PKDA
+
+Both PKINIT and PKDA will accomplish the same goal of issuing end 
+service tickets, based on initial public key authentication.  A PKINIT-
+based implementation and a PKDA implementation would be functionally 
+equivalent.  The primary differences are that 1)PKDA requires the client 
+to create the symmetric key while PKINIT requires the server to create 
+the key and 2)PKINIT accomplishes in two messages what PKDA accomplishes 
+in four messages.
+
+7. Summary
+
+The PKINIT protocol can be used, without modification to facilitate 
+client to server authentication without the use of a central KDC.  The 
+approach described in this draft  (and originally proposed in PKDA[1]) 
+is essentially a public key authentication protocol that retains the 
+advantages of Kerberos tickets.
+
+Given that PKINIT has progressed through the CAT working group of the 
+IETF, with plans for non-commercial distribution (via MITÆs v5 Kerberos)  
+as well as commercial support, it is worthwhile to provide PKDA 
+functionality, under the PKINIT umbrella.
+
+8. Security Considerations
+
+PKTAPP is based on the PKINIT protocol and all security considerations
+already listed in [2] apply here.
+
+When the LTGS is implemented as part of each application server, the
+secure storage of its public key credentials and of its ticket policy
+are both a concern.  The respective security considerations are already
+covered in sections 5.1.2.3 and 5.1.2.2 of this document.  
+
+
+9. Bibliography
+
+[1] M. Sirbu, J. Chuang.  Distributed Authentication in Kerberos Using 
+Public Key Cryptography.  Symposium On Network and Distributed System 
+Security, 1997.
+
+[2] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray,
+J. Trostle.  Public Key Cryptography for Initial Authentication in
+Kerberos.  Internet Draft, October 1999. 
+(ftp://ietf.org/internet-drafts/draft-ietf-cat-kerberos-pk-init-10.txt)
+
+[3] C. Neuman, Proxy-Based Authorization and Accounting for 
+Distributed Systems.  In Proceedings of the 13th International 
+Conference on Distributed Computing Systems, May 1993.
+
+[4] J. Kohl, C. Neuman.  The Kerberos Network Authentication Service
+(V5).  Request for Comments 1510.
+
+10.  Expiration Date
+
+This draft expires April 24, 2000.
+
+11. Authors
+
+Ari Medvinsky
+Keen.com, Inc.
+150 Independence Dr.
+Menlo Park, CA 94025
+Phone +1 650 289 3134
+E-mail: ari@keen.com
+
+Matthew Hur
+CyberSafe Corporation
+1605 NW Sammamish Road
+Issaquah, WA 98027-5378
+Phone: +1 425 391 6000
+E-mail: matt.hur@cybersafe.com
+
+Alexander Medvinsky
+Motorola
+6450 Sequence Dr.
+San Diego, CA 92121
+Phone: +1 858 404 2367
+E-mail: smedvinsky@gi.com
+
+Clifford Neuman
+USC Information Sciences Institute
+4676 Admiralty Way Suite 1001
+Marina del Rey CA 90292-6695
+Phone: +1 310 822 1511
+E-mail: bcn@isi.edu
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt
new file mode 100644
index 0000000..2284c3c
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-00.txt
@@ -0,0 +1,8277 @@
+
+INTERNET-DRAFT                               Clifford Neuman
+                                                   John Kohl
+                                               Theodore Ts'o
+                                                11 July 1997
+
+
+
+     The Kerberos  Network Authentication Service (V5)
+
+
+STATUS OF THIS MEMO
+
+     This document is  an  Internet-Draft.   Internet-Drafts
+are working documents of the Internet Engineering Task Force
+(IETF), its areas, and its working groups.  Note that  other
+groups  may  also  distribute working documents as Internet-
+Drafts.
+
+     Internet-Drafts are draft documents valid for a maximum
+of  six months and may be updated, replaced, or obsoleted by
+other documents at any time.  It  is  inappropriate  to  use
+Internet-Drafts  as reference material or to cite them other
+than as "work in progress."
+
+     To learn the  current  status  of  any  Internet-Draft,
+please  check  the  "1id-abstracts.txt" listing contained in
+the Internet-Drafts Shadow  Directories  on  ds.internic.net
+(US  East  Coast),  nic.nordu.net  (Europe), ftp.isi.edu (US
+West Coast), or munnari.oz.au (Pacific Rim).
+
+     The distribution of this  memo  is  unlimited.   It  is
+filed  as  draft-ietf-cat-kerberos-revisions-00.txt,  and expires 
+11 January 1998.  Please send comments to:
+
+   krb-protocol@MIT.EDU
+
+ABSTRACT
+
+
+     This document provides an overview and specification of
+Version  5  of the Kerberos protocol, and updates RFC1510 to
+clarify aspects of the protocol and its  intended  use  that
+require  more  detailed or clearer explanation than was pro-
+vided in RFC1510.  This document is intended  to  provide  a
+detailed description of the protocol, suitable for implemen-
+tation, together with descriptions of the appropriate use of
+protocol messages and fields within those messages.
+
+     This document is not intended to describe  Kerberos  to
+__________________________
+Project Athena, Athena, and Kerberos are trademarks  of
+the  Massachusetts  Institute  of Technology (MIT).  No
+commercial use of these trademarks may be made  without
+prior written permission of MIT.
+
+
+
+Overview                   - 1 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+the  end  user,   system   administrator,   or   application
+developer.   Higher level papers describing Version 5 of the
+Kerberos system [1] and documenting  version  4   [23],  are
+available elsewhere.
+
+OVERVIEW
+
+     This INTERNET-DRAFT describes the  concepts  and  model
+upon  which  the  Kerberos  network authentication system is
+based.  It also specifies Version 5 of the  Kerberos  proto-
+col.
+
+     The  motivations,  goals,  assumptions,  and  rationale
+behind most design decisions are treated cursorily; they are
+more fully described in a paper available in IEEE communica-
+tions  [1] and earlier in the Kerberos portion of the Athena
+Technical Plan [2].  The  protocols  have  been  a  proposed
+standard  and are being considered for advancement for draft
+standard through the IETF standard  process.   Comments  are
+encouraged  on  the presentation, but only minor refinements
+to the protocol as implemented or extensions that fit within
+current protocol framework will be considered at this time.
+
+     Requests for addition to an electronic mailing list for
+discussion  of  Kerberos, kerberos@MIT.EDU, may be addressed
+to kerberos-request@MIT.EDU.  This mailing list is gatewayed
+onto   the  Usenet  as  the  group  comp.protocols.kerberos.
+Requests for further information,  including  documents  and
+code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+     The Kerberos model is based  in  part  on  Needham  and
+Schroeder's  trusted third-party authentication protocol [4]
+and on modifications suggested by  Denning  and  Sacco  [5].
+The  original design and implementation of Kerberos Versions
+1 through 4 was the work of two former Project Athena  staff
+members,  Steve  Miller of Digital Equipment Corporation and
+Clifford Neuman (now at the Information  Sciences  Institute
+of the University of Southern California), along with Jerome
+Saltzer, Technical Director of Project Athena,  and  Jeffrey
+Schiller, MIT Campus Network Manager.  Many other members of
+Project Athena have also contributed to  the  work  on  Ker-
+beros.
+
+     Version 5 of the Kerberos protocol (described  in  this
+document)  has  evolved from Version 4 based on new require-
+ments and desires for features not available in  Version  4.
+The  design of Version 5 of the Kerberos protocol was led by
+Clifford Neuman and John Kohl with much input from the  com-
+munity.  The development of the MIT reference implementation
+was led at MIT by John Kohl and Theodore T'so, with help and
+contributed  code  from  many others.  Reference implementa-
+tions of both version 4 and version 5 of Kerberos  are  pub-
+licly  available  and  commercial  implementations have been
+
+Overview                   - 2 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+developed and are widely used.
+
+     Details on the differences between Kerberos Versions  4
+and 5 can be found in [6].
+
+1.  Introduction
+
+     Kerberos provides a means of verifying  the  identities
+of principals, (e.g. a workstation user or a network server)
+on an open  (unprotected)  network.   This  is  accomplished
+without  relying on assertions by the host operating system,
+without basing trust on host  addresses,  without  requiring
+physical security of all the hosts on the network, and under
+the assumption that packets traveling along the network  can
+be read, modified, and inserted at will[1].   Kerberos  per-
+forms  authentication  under  these  conditions as a trusted
+third-party authentication  service  by  using  conventional
+(shared secret key[2])  cryptography.   Kerberos  extensions
+have  been proposed and implemented that provide for the use
+of public key cryptography  during  certain  phases  of  the
+authentication   protocol.   These  extensions  provide  for
+authentication of users registered with public key  certifi-
+cation  authorities, and allow the system to provide certain
+benefits of public key cryptography in situations where they
+are needed.
+
+     The basic Kerberos authentication process  proceeds  as
+follows:  A  client  sends  a  request to the authentication
+server (AS) requesting "credentials"  for  a  given  server.
+The  AS  responds  with  these credentials, encrypted in the
+client's key.  The credentials consist of 1) a "ticket"  for
+the server and 2) a temporary encryption key (often called a
+"session key").  The client transmits the ticket (which con-
+tains  the  client's identity and a copy of the session key,
+all encrypted in the server's key) to the server.  The  ses-
+sion  key  (now  shared by the client and server) is used to
+authenticate the client,  and  may  optionally  be  used  to
+__________________________
+[1] Note, however, that many applications use Kerberos'
+functions  only  upon  the initiation of a stream-based
+network connection.  Unless an application subsequently
+provides  integrity protection for the data stream, the
+identity verification applies only to the initiation of
+the  connection, and does not guarantee that subsequent
+messages on the  connection  originate  from  the  same
+principal.
+[2] Secret  and  private are often used interchangeably
+in the literature.  In our  usage,  it  takes  two  (or
+more)  to  share  a  secret, thus a shared DES key is a
+secret key.  Something is only private when no one  but
+its owner knows it.  Thus, in public key cryptosystems,
+one has a public and a private key.
+
+
+
+Section 1.                 - 3 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+authenticate the server.  It may also  be  used  to  encrypt
+further communication between the two parties or to exchange
+a separate sub-session key to be  used  to  encrypt  further
+communication.
+
+     Implementation of the basic protocol consists of one or
+more  authentication  servers  running  on physically secure
+hosts.  The authentication servers maintain  a  database  of
+principals  (i.e., users and servers) and their secret keys.
+Code libraries provide encryption and implement the Kerberos
+protocol.   In  order  to add authentication to its transac-
+tions, a typical network application adds one or  two  calls
+to  the  Kerberos  library  directly  or through the Generic
+Security Services Application Programming Interface, GSSAPI,
+described  in  separate document.  These calls result in the
+transmission of the necessary messages to achieve  authenti-
+cation.
+
+     The Kerberos protocol consists of several sub-protocols
+(or  exchanges).   There  are  two  basic methods by which a
+client can ask a Kerberos server for  credentials.   In  the
+first  approach,  the client sends a cleartext request for a
+ticket for the desired server to the AS.  The reply is  sent
+encrypted  in the client's secret key.  Usually this request
+is for a ticket-granting ticket (TGT)  which  can  later  be
+used  with  the ticket-granting server (TGS).  In the second
+method, the client sends a request to the TGS.   The  client
+uses  the  TGT to authenticate itself to the TGS in the same
+manner as if it were contacting any other application server
+that   requires   Kerberos  authentication.   The  reply  is
+encrypted in the session key from the TGT.  Though the  pro-
+tocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different  pro-
+tocol entry points within a single Kerberos server.
+
+     Once obtained, credentials may be used  to  verify  the
+identity  of  the principals in a transaction, to ensure the
+integrity of messages exchanged between them, or to preserve
+privacy  of the messages.  The application is free to choose
+whatever protection may be necessary.
+
+     To verify the identities of the principals in  a  tran-
+saction,  the client transmits the ticket to the application
+server.  Since the ticket is sent "in the clear"  (parts  of
+it are encrypted, but this encryption doesn't thwart replay)
+and might be intercepted and reused by  an  attacker,  addi-
+tional  information  is  sent to prove that the message ori-
+ginated with the principal to whom the  ticket  was  issued.
+This  information (called the authenticator) is encrypted in
+the session key, and includes a  timestamp.   The  timestamp
+proves  that the message was recently generated and is not a
+replay.  Encrypting the authenticator  in  the  session  key
+proves  that it was generated by a party possessing the ses-
+sion key.  Since no one except the requesting principal  and
+
+
+Section 1.                 - 4 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+the  server  know the session key (it is never sent over the
+network in the clear) this guarantees the  identity  of  the
+client.
+
+     The integrity of the messages exchanged between princi-
+pals can also be guaranteed using the session key (passed in
+the ticket and contained in the credentials).  This approach
+provides detection of both replay attacks and message stream
+modification attacks.  It is accomplished by generating  and
+transmitting  a collision-proof checksum (elsewhere called a
+hash or digest function) of the client's message, keyed with
+the  session  key.   Privacy  and  integrity of the messages
+exchanged between principals can be  secured  by  encrypting
+the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+     The authentication exchanges  mentioned  above  require
+read-only  access to the Kerberos database.  Sometimes, how-
+ever, the entries in the database must be modified, such  as
+when  adding  new  principals or changing a principal's key.
+This is done using a protocol between a client and  a  third
+Kerberos  server, the Kerberos Administration Server (KADM).
+There is also a protocol for maintaining multiple copies  of
+the  Kerberos  database.   Neither  of  these  protocols are
+described in this document.
+
+1.1.  Cross-Realm Operation
+
+     The Kerberos protocol is  designed  to  operate  across
+organizational boundaries.  A client in one organization can
+be authenticated to a server in another.  Each  organization
+wishing  to  run  a  Kerberos  server  establishes  its  own
+"realm".  The name  of  the  realm  in  which  a  client  is
+registered  is part of the client's name, and can be used by
+the end-service to decide whether to honor a request.
+
+     By establishing "inter-realm" keys, the  administrators
+of  two realms can allow a client authenticated in the local
+realm to prove its identity to servers in  other  realms[3].
+The exchange of inter-realm keys (a separate key may be used
+for each direction) registers the ticket-granting service of
+each  realm  as a principal in the other realm.  A client is
+then able to obtain a ticket-granting ticket for the  remote
+realm's  ticket-granting service from its local realm.  When
+that ticket-granting ticket  is  used,  the  remote  ticket-
+granting  service  uses  the  inter-realm key (which usually
+__________________________
+[3] Of course, with appropriate permission  the  client
+could  arrange registration of a separately-named prin-
+cipal in a remote realm, and engage in normal exchanges
+with  that  realm's  services.  However, for even small
+numbers of clients this becomes  cumbersome,  and  more
+automatic methods as described here are necessary.
+
+
+Section 1.1.               - 5 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+differs from its own normal TGS key) to decrypt the  ticket-
+granting  ticket,  and is thus certain that it was issued by
+the client's own TGS.  Tickets issued by the remote  ticket-
+granting  service  will indicate to the end-service that the
+client was authenticated from another realm.
+
+     A realm is said to communicate with  another  realm  if
+the  two  realms  share  an inter-realm key, or if the local
+realm shares an inter-realm key with an  intermediate  realm
+that  communicates with the remote realm.  An authentication
+path is the sequence of intermediate realms that  are  tran-
+sited in communicating from one realm to another.
+
+     Realms are typically  organized  hierarchically.   Each
+realm  shares a key with its parent and a different key with
+each child.  If an inter-realm key is not directly shared by
+two  realms, the hierarchical organization allows an authen-
+tication path to be easily constructed.  If  a  hierarchical
+organization  is  not used, it may be necessary to consult a
+database  in  order  to  construct  an  authentication  path
+between realms.
+
+     Although realms are typically hierarchical,  intermedi-
+ate  realms may be bypassed to achieve cross-realm authenti-
+cation through alternate authentication paths  (these  might
+be established to make communication between two realms more
+efficient).  It is important for  the  end-service  to  know
+which  realms were transited when deciding how much faith to
+place in the authentication  process.   To  facilitate  this
+decision,  a  field in each ticket contains the names of the
+realms that were involved in authenticating the client.
+
+1.2.  Authorization
+
+As an authentication service, Kerberos provides a  means  of
+verifying  the identity of principals on a network.  Authen-
+tication is usually useful primarily as a first step in  the
+process  of  authorization, determining whether a client may
+use a service,  which  objects  the  client  is  allowed  to
+access,  and  the type of access allowed for each.  Kerberos
+does not, by itself, provide authorization.  Possession of a
+client ticket for a service provides only for authentication
+of the client to that service,  and  in  the  absence  of  a
+separate  authorization  procedure,  it  should  not be con-
+sidered by an application as authorizing  the  use  of  that
+service.
+
+     Such separate authorization methods may be  implemented
+as  application specific access control functions and may be
+based on  files  such  as  the  application  server,  or  on
+separately  issued  authorization  credentials such as those
+based on proxies [7] , or on other authorization services.
+
+     Applications should  not  be  modified  to  accept  the
+issuance of a service ticket by the Kerberos server (even by
+
+Section 1.2.               - 6 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+an modified Kerberos server) as granting  authority  to  use
+the  service,  since such applications may become vulnerable
+to the bypass of this authorization check in an  environment
+where  they  interoperate  with  other  KDCs  or where other
+options for application authentication (e.g. the PKTAPP pro-
+posal) are provided.
+
+1.3.  Environmental assumptions
+
+Kerberos imposes a few assumptions  on  the  environment  in
+which it can properly function:
+
++    "Denial of service" attacks are not  solved  with  Ker-
+     beros.   There  are  places in these protocols where an
+     intruder can prevent an application from  participating
+     in  the  proper  authentication  steps.   Detection and
+     solution of such attacks (some of which can  appear  to
+     be  not-uncommon "normal" failure modes for the system)
+     is usually best left to the  human  administrators  and
+     users.
+
++    Principals must keep their secret keys secret.   If  an
+     intruder  somehow  steals a principal's key, it will be
+     able to masquerade as that principal or impersonate any
+     server to the legitimate principal.
+
++    "Password guessing" attacks are not solved by Kerberos.
+     If  a  user chooses a poor password, it is possible for
+     an attacker to successfully mount an offline dictionary
+     attack  by  repeatedly attempting to decrypt, with suc-
+     cessive entries from a  dictionary,  messages  obtained
+     which are encrypted under a key derived from the user's
+     password.
+
++    Each host on the network must have  a  clock  which  is
+     "loosely  synchronized" to the time of the other hosts;
+     this synchronization is used to reduce the  bookkeeping
+     needs of application servers when they do replay detec-
+     tion.  The degree of "looseness" can be configured on a
+     per-server  basis,  but  is typically on the order of 5
+     minutes.  If the clocks are synchronized over the  net-
+     work, the clock synchronization protocol must itself be
+     secured from network attackers.
+
++    Principal identifiers are not recycled on a  short-term
+     basis.   A  typical  mode  of  access  control will use
+     access control lists (ACLs)  to  grant  permissions  to
+     particular  principals.   If  a stale ACL entry remains
+     for a deleted principal and the principal identifier is
+     reused, the new principal will inherit rights specified
+     in the stale ACL  entry.   By  not  re-using  principal
+     identifiers,   the  danger  of  inadvertent  access  is
+     removed.
+
+
+
+Section 1.3.               - 7 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+1.4.  Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+
+Authentication      Verifying  the  claimed  identity  of  a
+                    principal.
+
+
+Authentication headerA record containing  a  Ticket  and  an
+                    Authenticator   to  be  presented  to  a
+                    server as  part  of  the  authentication
+                    process.
+
+
+Authentication path A sequence of intermediate realms  tran-
+                    sited in the authentication process when
+                    communicating from one realm to another.
+
+
+Authenticator       A record containing information that can
+                    be shown to have been recently generated
+                    using the session key known only by  the
+                    client and server.
+
+
+Authorization       The process  of  determining  whether  a
+                    client may use a service,  which objects
+                    the client is allowed to access, and the
+                    type of access allowed for each.
+
+
+Capability          A token that grants the  bearer  permis-
+                    sion to access an object or service.  In
+                    Kerberos, this might be a  ticket  whose
+                    use is restricted by the contents of the
+                    authorization  data  field,  but   which
+                    lists  no  network  addresses,  together
+                    with the session key  necessary  to  use
+                    the ticket.
+
+
+Ciphertext          The output of  an  encryption  function.
+                    Encryption   transforms  plaintext  into
+                    ciphertext.
+
+
+Client              A process that makes use  of  a  network
+                    service  on behalf of a user.  Note that
+                    in some cases a Server may itself  be  a
+                    client  of  some  other  server  (e.g. a
+                    print server may be a client of  a  file
+                    server).
+
+
+
+Section 1.4.               - 8 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+Credentials         A ticket plus  the  secret  session  key
+                    necessary   to   successfully  use  that
+                    ticket in an authentication exchange.
+
+
+KDC                 Key Distribution Center, a network  ser-
+                    vice that supplies tickets and temporary
+                    session keys; or  an  instance  of  that
+                    service  or  the  host on which it runs.
+                    The KDC services both initial ticket and
+                    ticket-granting  ticket  requests.   The
+                    initial  ticket  portion  is   sometimes
+                    referred to as the Authentication Server
+                    (or   service).    The   ticket-granting
+                    ticket  portion is sometimes referred to
+                    as the ticket-granting server  (or  ser-
+                    vice).
+
+
+Kerberos            Aside from  the  3-headed  dog  guarding
+                    Hades,   the   name   given  to  Project
+                    Athena's  authentication  service,   the
+                    protocol  used  by  that service, or the
+                    code used to implement  the  authentica-
+                    tion service.
+
+
+Plaintext           The input to an encryption  function  or
+                    the  output  of  a  decryption function.
+                    Decryption  transforms  ciphertext  into
+                    plaintext.
+
+
+Principal           A  uniquely  named  client   or   server
+                    instance  that participates in a network
+                    communication.
+
+
+Principal identifierThe name used to uniquely identify  each
+                    different principal.
+
+
+Seal                To encipher a record containing  several
+                    fields  in  such  a  way that the fields
+                    cannot be individually replaced  without
+                    either  knowledge  of the encryption key
+                    or leaving evidence of tampering.
+
+
+Secret key          An encryption key shared by a  principal
+                    and  the  KDC,  distributed  outside the
+                    bounds of the system, with a long  life-
+                    time.   In  the  case  of a human user's
+                    principal, the  secret  key  is  derived
+
+
+Section 1.4.               - 9 -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                    from a password.
+
+
+Server              A particular Principal which provides  a
+                    resource to network clients.  The server
+                    is sometimes refered to as the  Applica-
+                    tion Server.
+
+
+Service             A resource provided to network  clients;
+                    often  provided  by more than one server
+                    (for example, remote file service).
+
+
+Session key         A temporary encryption key used  between
+                    two  principals, with a lifetime limited
+                    to the duration of a single login  "ses-
+                    sion".
+
+
+Sub-session key     A temporary encryption key used  between
+                    two  principals,  selected and exchanged
+                    by the principals using the session key,
+                    and with a lifetime limited to the dura-
+                    tion of a single association.
+
+
+Ticket              A record that helps a  client  authenti-
+                    cate itself to a server; it contains the
+                    client's  identity,  a  session  key,  a
+                    timestamp,  and  other  information, all
+                    sealed using the  server's  secret  key.
+                    It  only serves to authenticate a client
+                    when  presented  along  with   a   fresh
+                    Authenticator.
+
+2.  Ticket flag uses and requests
+
+Each Kerberos ticket contains a set of flags which are  used
+to  indicate  various attributes of that ticket.  Most flags
+may be requested by a client when the  ticket  is  obtained;
+some  are  automatically  turned  on  and  off by a Kerberos
+server as required.  The following sections explain what the
+various  flags  mean,  and  gives examples of reasons to use
+such a flag.
+
+2.1.  Initial and pre-authenticated tickets
+
+     The INITIAL flag indicates that  a  ticket  was  issued
+using  the  AS  protocol  and  not issued based on a ticket-
+granting ticket.  Application servers that want  to  require
+the  demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be  set
+in  any  tickets  they  accept, and thus be assured that the
+
+
+Section 2.1.               - 10 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+client's key  was  recently  presented  to  the  application
+client.
+
+     The PRE-AUTHENT and HW-AUTHENT flags  provide  addition
+information  about the initial authentication, regardless of
+whether the current ticket was  issued  directly  (in  which
+case  INITIAL  will also be set) or issued on the basis of a
+ticket-granting ticket (in which case the  INITIAL  flag  is
+clear,  but the PRE-AUTHENT and HW-AUTHENT flags are carried
+forward from the ticket-granting ticket).
+
+2.2.  Invalid tickets
+
+     The INVALID flag indicates that a  ticket  is  invalid.
+Application servers must reject tickets which have this flag
+set.  A postdated ticket will  usually  be  issued  in  this
+form.   Invalid  tickets must be validated by the KDC before
+use, by presenting them to the KDC in a TGS request with the
+VALIDATE option specified.  The KDC will only validate tick-
+ets after their starttime has  passed.   The  validation  is
+required  so  that  postdated tickets which have been stolen
+before their starttime can be rendered  permanently  invalid
+(through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3.  Renewable tickets
+
+     Applications may desire to hold tickets  which  can  be
+valid  for  long  periods of time.  However, this can expose
+their  credentials  to  potential  theft  for  equally  long
+periods,  and  those stolen credentials would be valid until
+the expiration time of the ticket(s).  Simply  using  short-
+lived  tickets  and  obtaining  new  ones periodically would
+require the client to have long-term access  to  its  secret
+key, an even greater risk.  Renewable tickets can be used to
+mitigate the consequences of theft.  Renewable tickets  have
+two  "expiration  times":  the  first  is  when  the current
+instance of the ticket expires, and the second is the latest
+permissible  value  for  an  individual expiration time.  An
+application  client  must  periodically  (i.e.   before   it
+expires)  present  a  renewable  ticket to the KDC, with the
+RENEW option set in the KDC request.  The KDC will  issue  a
+new  ticket  with  a  new session key and a later expiration
+time.  All other fields of the ticket are left unmodified by
+the renewal process.  When the latest permissible expiration
+time arrives,  the  ticket  expires  permanently.   At  each
+renewal,  the KDC may consult a hot-list to determine if the
+ticket had been reported stolen since its last  renewal;  it
+will  refuse  to  renew  such  stolen  tickets, and thus the
+usable lifetime of stolen tickets is reduced.
+
+     The RENEWABLE flag in a ticket is normally only  inter-
+preted  by  the  ticket-granting service (discussed below in
+section 3.3).  It can  usually  be  ignored  by  application
+servers.   However,  some  particularly  careful application
+
+
+Section 2.3.               - 11 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+servers may wish to disallow renewable tickets.
+
+     If a renewable ticket is not renewed by its  expiration
+time, the KDC will not renew the ticket.  The RENEWABLE flag
+is reset by default, but a client may request it be  set  by
+setting  the RENEWABLE option in the KRB_AS_REQ message.  If
+it is set, then the renew-till field in the ticket  contains
+the time after which the ticket may not be renewed.
+
+2.4.  Postdated tickets
+
+     Applications may occasionally need  to  obtain  tickets
+for  use  much  later,  e.g. a batch submission system would
+need tickets to be valid at the time the batch job  is  ser-
+viced.   However, it is dangerous to hold valid tickets in a
+batch queue, since they will  be  on-line  longer  and  more
+prone  to  theft.  Postdated tickets provide a way to obtain
+these tickets from the KDC at job submission  time,  but  to
+leave  them "dormant" until they are activated and validated
+by a further request of the KDC.  If  a  ticket  theft  were
+reported  in  the  interim, the KDC would refuse to validate
+the ticket, and the thief would be foiled.
+
+     The MAY-POSTDATE flag in  a  ticket  is  normally  only
+interpreted  by  the  ticket-granting  service.  It  can  be
+ignored by application servers.  This flag must be set in  a
+ticket-granting  ticket in order to issue a postdated ticket
+based on the presented ticket.  It is reset by  default;  it
+may  be  requested by a client by setting the ALLOW-POSTDATE
+option in the KRB_AS_REQ message.  This flag does not  allow
+a client to obtain a postdated ticket-granting ticket; post-
+dated  ticket-granting  tickets  can  only  by  obtained  by
+requesting  the  postdating  in the KRB_AS_REQ message.  The
+life (endtime-starttime) of a postdated ticket will  be  the
+remaining  life of the ticket-granting ticket at the time of
+the request, unless the RENEWABLE option  is  also  set,  in
+which  case  it  can be the full life (endtime-starttime) of
+the ticket-granting ticket.  The KDC may limit  how  far  in
+the future a ticket may be postdated.
+
+     The POSTDATED flag indicates that  a  ticket  has  been
+postdated.   The  application  server can check the authtime
+field in the ticket to see when the original  authentication
+occurred.   Some  services  may  choose  to reject postdated
+tickets, or they may  only  accept  them  within  a  certain
+period  after  the  original  authentication.   When the KDC
+issues a  POSTDATED  ticket,  it  will  also  be  marked  as
+INVALID,  so  that  the  application client must present the
+ticket to the KDC to be validated before use.
+
+2.5.  Proxiable and proxy tickets
+
+     At times it may be necessary for a principal to allow a
+service  to perform an operation on its behalf.  The service
+
+
+Section 2.5.               - 12 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+must be able to take on the identity of the client, but only
+for  a  particular purpose.  A principal can allow a service
+to take on the principal's identity for a particular purpose
+by granting it a proxy.
+
+     The process of granting a proxy  using  the  proxy  and
+proxiable  flags is used to provide credentials for use with
+specific services.  Though conceptually also a proxy, user's
+wishing  to delegate their identity for ANY purpose must use
+the ticket forwarding mechanism described in the  next  sec-
+tion to forward a ticket granting ticket.
+
+     The PROXIABLE flag in a ticket is normally only  inter-
+preted  by the ticket-granting service. It can be ignored by
+application servers.  When set, this flag tells the  ticket-
+granting server that it is OK to issue a new ticket (but not
+a ticket-granting ticket) with a different  network  address
+based  on this ticket.  This flag is set if requested by the
+client on initial authentication.  By  default,  the  client
+will  request that it be set when requesting a ticket grant-
+ing ticket, and reset when requesting any other ticket.
+
+     This flag allows a client to pass a proxy to  a  server
+to perform a remote request on its behalf, e.g. a print ser-
+vice client can give the print server a proxy to access  the
+client's  files  on  a  particular  file  server in order to
+satisfy a print request.
+
+     In order to complicate the use of  stolen  credentials,
+Kerberos  tickets  are usually valid from only those network
+addresses specifically  included  in  the  ticket[4].   When
+granting  a  proxy,  the client must specify the new network
+address from which the proxy is to be used, or indicate that
+the proxy is to be issued for use from any address.
+
+     The PROXY flag is set in a ticket by the  TGS  when  it
+issues  a  proxy ticket.  Application servers may check this
+flag and at their option they may require additional authen-
+tication  from  the  agent  presenting the proxy in order to
+provide an audit trail.
+
+2.6.  Forwardable tickets
+
+     Authentication forwarding is an  instance  of  a  proxy
+where  the  service  is granted complete use of the client's
+identity.  An example where it might be used is when a  user
+logs  in to a remote system and wants authentication to work
+from that system as if the login were local.
+
+     The FORWARDABLE flag  in  a  ticket  is  normally  only
+__________________________
+[4] Though it is permissible to request or issue  tick-
+ets with no network addresses specified.
+
+
+Section 2.6.               - 13 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+interpreted by  the  ticket-granting  service.   It  can  be
+ignored by application servers.  The FORWARDABLE flag has an
+interpretation similar to that of the PROXIABLE flag, except
+ticket-granting  tickets  may  also be issued with different
+network addresses.  This flag is reset by default, but users
+may request that it be set by setting the FORWARDABLE option
+in the AS request when they request  their  initial  ticket-
+granting ticket.
+
+     This flag allows for authentication forwarding  without
+requiring  the  user to enter a password again.  If the flag
+is not set, then authentication forwarding is not permitted,
+but  the  same  result  can  still  be  achieved if the user
+engages in the AS exchange specifying the requested  network
+addresses and supplies a password.
+
+     The FORWARDED flag is set by  the  TGS  when  a  client
+presents a ticket with the FORWARDABLE flag set and requests
+a forwarded ticket by specifying the  FORWARDED  KDC  option
+and  supplying a set of addresses for the new ticket.  It is
+also set in all tickets issued based  on  tickets  with  the
+FORWARDED  flag set.  Application servers may choose to pro-
+cess FORWARDED tickets differently than non-FORWARDED  tick-
+ets.
+
+2.7.  Other KDC options
+
+     There are two additional options which may be set in  a
+client's  request of the KDC.  The RENEWABLE-OK option indi-
+cates that the client will accept a renewable  ticket  if  a
+ticket with the requested life cannot otherwise be provided.
+If a ticket with the requested life cannot be provided, then
+the KDC may issue a renewable ticket with a renew-till equal
+to the the requested endtime.  The value of  the  renew-till
+field  may  still  be  adjusted by site-determined limits or
+limits imposed by the individual principal or server.
+
+     The ENC-TKT-IN-SKEY  option  is  honored  only  by  the
+ticket-granting service.  It indicates that the ticket to be
+issued for the end server is to be encrypted in the  session
+key from the a additional second ticket-granting ticket pro-
+vided with the request.   See  section  3.3.3  for  specific
+details.
+
+__________________________
+[5] The password-changing request must not  be  honored
+unless  the requester can provide the old password (the
+user's current secret key).   Otherwise,  it  would  be
+possible  for  someone to walk up to an unattended ses-
+sion and change another user's password.
+[6] To authenticate a user logging on to a  local  sys-
+tem,  the  credentials  obtained in the AS exchange may
+first be used in a TGS exchange to  obtain  credentials
+
+
+Section 3.1.               - 14 -    Expires 11 January 1998
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+
+3.  Message Exchanges
+
+The following sections  describe  the  interactions  between
+network  clients  and  servers  and the messages involved in
+those exchanges.
+
+3.1.  The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+
+     The Authentication Service (AS)  Exchange  between  the
+client  and  the Kerberos Authentication Server is initiated
+by a client when it wishes to obtain authentication  creden-
+tials for a given server but currently holds no credentials.
+In its basic form, the client's secret key is used  for  en-
+cryption and decryption.  This exchange is typically used at
+the initiation of a login session to obtain credentials  for
+a  Ticket-Granting Server which will subsequently be used to
+obtain credentials  for  other  servers  (see  section  3.3)
+without  requiring  further  use of the client's secret key.
+This exchange is also used to request credentials  for  ser-
+vices which must not be mediated through the Ticket-Granting
+Service, but rather require a principal's secret  key,  such
+as the password-changing service[5].  This exchange does not
+by  itself  provide any assurance of the the identity of the
+user[6].
+
+     The exchange consists of two messages: KRB_AS_REQ  from
+the  client  to  Kerberos,  and  KRB_AS_REP  or KRB_ERROR in
+reply.  The formats for these messages are described in sec-
+tions 5.4.1, 5.4.2, and 5.9.1.
+
+     In the request, the client sends (in cleartext) its own
+identity  and  the  identity  of  the server for which it is
+requesting credentials.  The response, KRB_AS_REP,  contains
+a ticket for the client to present to the server, and a ses-
+sion key that will be shared by the client and  the  server.
+The  session key and additional information are encrypted in
+the client's secret key.  The  KRB_AS_REP  message  contains
+information  which  can  be  used  to detect replays, and to
+associate it with the message to which it replies.   Various
+errors  can  occur; these are indicated by an error response
+(KRB_ERROR) instead of the KRB_AS_REP response.   The  error
+__________________________
+for  a  local  server.   Those credentials must then be
+verified by a local server through  successful  comple-
+tion of the Client/Server exchange.
+
+
+
+Section 3.1.               - 15 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+message is not encrypted.  The  KRB_ERROR  message  contains
+information  which can be used to associate it with the mes-
+sage to which it replies.  The lack  of  encryption  in  the
+KRB_ERROR  message  precludes the ability to detect replays,
+fabrications, or modifications of such messages.
+
+     Without  preautentication,  the  authentication  server
+does  not  know whether the client is actually the principal
+named in the request.  It simply sends a reply without know-
+ing or caring whether they are the same.  This is acceptable
+because nobody but the principal whose identity was given in
+the  request  will  be  able  to use the reply. Its critical
+information is encrypted in that principal's key.  The  ini-
+tial  request supports an optional field that can be used to
+pass additional information that might  be  needed  for  the
+initial   exchange.    This  field  may  be  used  for  pre-
+authentication as described in section <<sec preauth>>.
+
+3.1.1.  Generation of KRB_AS_REQ message
+
+     The client may specify a number of options in the  ini-
+tial   request.    Among  these  options  are  whether  pre-
+authentication is to be  performed;  whether  the  requested
+ticket  is  to  be  renewable,  proxiable,  or  forwardable;
+whether it  should  be  postdated  or  allow  postdating  of
+derivative  tickets;  and whether a renewable ticket will be
+accepted in lieu of a non-renewable ticket if the  requested
+ticket  expiration  date  cannot  be  satisfied  by  a  non-
+renewable ticket (due to configuration constraints; see sec-
+tion 4).  See section A.1 for pseudocode.
+
+     The client prepares the KRB_AS_REQ message and sends it
+to the KDC.
+
+3.1.2.  Receipt of KRB_AS_REQ message
+
+     If all goes well,  processing  the  KRB_AS_REQ  message
+will  result  in  the creation of a ticket for the client to
+present to  the  server.   The  format  for  the  ticket  is
+described  in section 5.3.1.  The contents of the ticket are
+determined as follows.
+
+3.1.3.  Generation of KRB_AS_REP message
+
+     The authentication  server  looks  up  the  client  and
+server  principals  named in the KRB_AS_REQ in its database,
+extracting their respective keys.  If required,  the  server
+pre-authenticates the request, and if the pre-authentication
+check   fails,   an   error   message    with    the    code
+KDC_ERR_PREAUTH_FAILED  is  returned.   If the server cannot
+accommodate the requested encryption type, an error  message
+with  code  KDC_ERR_ETYPE_NOSUPP  is returned.  Otherwise it
+generates a "random" session key[7].
+__________________________
+
+
+Section 3.1.3.             - 16 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     If there are multiple encryption keys registered for  a
+client  in  the  Kerberos database (or if the key registered
+supports multiple encryption  types;  e.g.  DES-CBC-CRC  and
+DES-CBC-MD5),  then  the  etype field from the AS request is
+used by the KDC to select the encryption method to  be  used
+for encrypting the response to the client.  If there is more
+than one supported, strong  encryption  type  in  the  etype
+list,  the  first valid etype for which an encryption key is
+available is used.  The encryption method used to respond to
+a  TGS  request is taken from the keytype of the session key
+found in the ticket granting ticket.
+
+     When the etype field  is  present  in  a  KDC  request,
+whether an AS or TGS request, the KDC will attempt to assign
+the type of the random session key from the list of  methods
+in  the  etype  field.   The KDC will select the appropriate
+type using the list of methods provided together with infor-
+mation  from  the  Kerberos  database  indicating acceptable
+encryption methods for the application server.  The KDC will
+not issue tickets with a weak session key encryption type.
+
+     If the requested start time is absent, indicates a time
+in  the  past,  or  is within the window of acceptable clock
+skew for the KDC and the POSTDATE option has not been speci-
+fied,  then  the  start  time  of  the  ticket is set to the
+authentication server's current time.   If  it  indicates  a
+time in the future beyond the acceptable clock skew, but the
+POSTDATED option has  not  been  specified  then  the  error
+KDC_ERR_CANNOT_POSTDATE    is   returned.    Otherwise   the
+requested start time is checked against the  policy  of  the
+local realm (the administrator might decide to prohibit cer-
+tain types or ranges of postdated tickets), and  if  accept-
+able,  the  ticket's  start time is set as requested and the
+INVALID flag is set in the new ticket. The postdated  ticket
+must  be  validated  before  use by presenting it to the KDC
+after the start time has been reached.
+
+
+
+
+
+
+
+
+
+__________________________
+[7] "Random" means that, among other things, it  should
+be  impossible  to  guess the next session key based on
+knowledge of past  session  keys.   This  can  only  be
+achieved  in  a pseudo-random number generator if it is
+based on cryptographic principles.  It is  more  desir-
+able  to  use  a truly random number generator, such as
+one based on measurements of random physical phenomena.
+
+
+
+Section 3.1.3.             - 17 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+The expiration time of the ticket will be set to the minimum
+of the following:
+
++The expiration time (endtime) requested in  the  KRB_AS_REQ
+ message.
+
++The ticket's start time plus the maximum allowable lifetime
+ associated  with  the  client principal (the authentication
+ server's database includes a maximum ticket lifetime  field
+ in each principal's record; see section 4).
+
++The ticket's start time plus the maximum allowable lifetime
+ associated with the server principal.
+
++The ticket's start time plus the maximum  lifetime  set  by
+ the policy of the local realm.
+
+     If the requested expiration time minus the  start  time
+(as determined above) is less than a site-determined minimum
+lifetime, an error message with code KDC_ERR_NEVER_VALID  is
+returned.   If  the requested expiration time for the ticket
+exceeds  what  was  determined  as   above,   and   if   the
+"RENEWABLE-OK"  option  was  requested, then the "RENEWABLE"
+flag is set in the new ticket, and the renew-till  value  is
+set  as  if the "RENEWABLE" option were requested (the field
+and option names are described fully in section 5.4.1).
+
+If the  RENEWABLE  option  has  been  requested  or  if  the
+RENEWABLE-OK  option  has been set and a renewable ticket is
+to be issued, then  the  renew-till  field  is  set  to  the
+minimum of:
+
++Its requested value.
+
++The start time of the ticket plus the minimum  of  the  two
+ maximum renewable lifetimes associated with the principals'
+ database entries.
+
++The start time of the ticket  plus  the  maximum  renewable
+ lifetime set by the policy of the local realm.
+
+     The flags field of the new ticket will have the follow-
+ing  options set if they have been requested and if the pol-
+icy of the local realm  allows:  FORWARDABLE,  MAY-POSTDATE,
+POSTDATED,  PROXIABLE, RENEWABLE. If the new ticket is post-
+dated (the start time is in the future),  its  INVALID  flag
+will also be set.
+
+     If all of the  above  succeed,  the  server  formats  a
+KRB_AS_REP   message   (see   section  5.4.2),  copying  the
+addresses in the request into the  caddr  of  the  response,
+placing any required pre-authentication data into the padata
+of the response, and encrypts the  ciphertext  part  in  the
+client's  key  using  the  requested  encryption method, and
+
+
+Section 3.1.3.             - 18 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+sends it to the client.  See section A.2 for pseudocode.
+
+3.1.4.  Generation of KRB_ERROR message
+
+     Several errors can occur, and the Authentication Server
+responds  by  returning  an error message, KRB_ERROR, to the
+client,  with  the  error-code  and  e-text  fields  set  to
+appropriate  values.  The error message contents and details
+are described in Section 5.9.1.
+
+3.1.5.  Receipt of KRB_AS_REP message
+
+     If the reply  message  type  is  KRB_AS_REP,  then  the
+client  verifies  that  the  cname  and crealm fields in the
+cleartext portion of the reply match what it requested.   If
+any  padata  fields  are present, they may be used to derive
+the proper secret key to decrypt the  message.   The  client
+decrypts the encrypted part of the response using its secret
+key, verifies that the nonce in the encrypted  part  matches
+the  nonce  it  supplied in its request (to detect replays).
+It also verifies that the sname and srealm in  the  response
+match  those  in  the  request  (or  are  otherwise expected
+values), and that the host address field  is  also  correct.
+It then stores the ticket, session key, start and expiration
+times, and  other  information  for  later  use.   The  key-
+expiration field from the encrypted part of the response may
+be checked to notify the user of  impending  key  expiration
+(the client program could then suggest remedial action, such
+as a password change).  See section A.3 for pseudocode.
+
+     Proper decryption of the KRB_AS_REP message is not suf-
+ficient  to verify the identity of the user; the user and an
+attacker could cooperate to  generate  a  KRB_AS_REP  format
+message  which  decrypts properly but is not from the proper
+KDC.  If the host wishes to verify the identity of the user,
+it  must require the user to present application credentials
+which can be verified using a securely-stored secret key for
+the  host.   If  those credentials can be verified, then the
+identity of the user can be assured.
+
+3.1.6.  Receipt of KRB_ERROR message
+
+     If the reply message type is KRB_ERROR, then the client
+interprets   it   as   an   error   and   performs  whatever
+application-specific tasks are necessary to recover.
+
+3.2.  The Client/Server Authentication Exchange
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+
+
+Section 3.2.               - 19 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     The client/server authentication (CS) exchange is  used
+by  network  applications  to authenticate the client to the
+server  and  vice  versa.   The  client  must  have  already
+acquired  credentials  for  the  server  using the AS or TGS
+exchange.
+
+3.2.1.  The KRB_AP_REQ message
+
+     The  KRB_AP_REQ  contains  authentication   information
+which  should  be  part of the first message in an authenti-
+cated transaction.  It contains a ticket, an  authenticator,
+and  some  additional  bookkeeping  information (see section
+5.5.1 for the exact format).  The ticket by itself is insuf-
+ficient  to  authenticate a client, since tickets are passed
+across the network in cleartext[8], so the authenticator  is
+used  to prevent invalid replay of tickets by proving to the
+server that the client knows the session key of  the  ticket
+and thus is entitled to use the ticket.  The KRB_AP_REQ mes-
+sage  is  referred  to  elsewhere  as  the   "authentication
+header."
+
+3.2.2.  Generation of a KRB_AP_REQ message
+
+     When a client wishes to initiate  authentication  to  a
+server,  it obtains (either through a credentials cache, the
+AS exchange, or the TGS exchange) a ticket and  session  key
+for  the desired service.  The client may re-use any tickets
+it holds until they expire.  To use a ticket the client con-
+structs  a  new  Authenticator from the the system time, its
+name, and optionally an application  specific  checksum,  an
+initial  sequence  number to be used in KRB_SAFE or KRB_PRIV
+messages, and/or a session subkey to be used in negotiations
+for  a  session  key  unique  to  this  particular  session.
+Authenticators may not be re-used and will  be  rejected  if
+replayed to a server[9].  If a  sequence  number  is  to  be
+included,  it  should  be randomly chosen so that even after
+many messages have been exchanged it is not likely  to  col-
+lide with other sequence numbers in use.
+
+     The  client  may  indicate  a  requirement  of   mutual
+__________________________
+[8] Tickets contain both an encrypted  and  unencrypted
+portion,  so  cleartext here refers to the entire unit,
+which can be copied from one message  and  replayed  in
+another without any cryptographic skill.
+[9] Note  that  this can make applications based on un-
+reliable transports difficult to code correctly. If the
+transport  might  deliver duplicated messages, either a
+new authenticator must be generated for each retry,  or
+the  application server must match requests and replies
+and replay the first reply in response  to  a  detected
+duplicate.
+
+
+
+Section 3.2.2.             - 20 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+authentication or the use of a session-key based  ticket  by
+setting  the  appropriate flag(s) in the ap-options field of
+the message.
+
+     The Authenticator is encrypted in the session  key  and
+combined  with  the  ticket  to  form the KRB_AP_REQ message
+which is then sent to the end server along  with  any  addi-
+tional  application-specific  information.   See section A.9
+for pseudocode.
+
+3.2.3.  Receipt of KRB_AP_REQ message
+
+     Authentication is based on the server's current time of
+day  (clocks  must be loosely synchronized), the authentica-
+tor, and the ticket.  Several errors are  possible.   If  an
+error  occurs, the server is expected to reply to the client
+with a KRB_ERROR message.  This message may be  encapsulated
+in the application protocol if its "raw" form is not accept-
+able to the protocol.   The  format  of  error  messages  is
+described in section 5.9.1.
+
+     The algorithm for verifying authentication  information
+is  as  follows.  If the message type is not KRB_AP_REQ, the
+server returns the KRB_AP_ERR_MSG_TYPE error.   If  the  key
+version indicated by the Ticket in the KRB_AP_REQ is not one
+the server can use (e.g., it indicates an old key,  and  the
+server  no  longer  possesses  a  copy  of the old key), the
+KRB_AP_ERR_BADKEYVER  error  is  returned.   If   the   USE-
+SESSION-KEY  flag  is  set in the ap-options field, it indi-
+cates to the server that the ticket is encrypted in the ses-
+sion  key  from  the  server's ticket-granting ticket rather
+than its secret key[10].   Since  it  is  possible  for  the
+server  to  be registered in multiple realms, with different
+keys in each, the srealm field in the unencrypted portion of
+the ticket in the KRB_AP_REQ is used to specify which secret
+key the server should  use  to  decrypt  that  ticket.   The
+KRB_AP_ERR_NOKEY  error  code  is  returned  if  the  server
+doesn't have the proper key to decipher the ticket.
+
+     The ticket  is  decrypted  using  the  version  of  the
+server's  key  specified  by  the ticket.  If the decryption
+routines detect a modification of the ticket  (each  encryp-
+tion  system  must  provide  safeguards  to  detect modified
+ciphertext; see  section  6),  the  KRB_AP_ERR_BAD_INTEGRITY
+error is returned (chances are good that different keys were
+used to encrypt and decrypt).
+
+     The authenticator is decrypted using  the  session  key
+extracted from the decrypted ticket.  If decryption shows it
+to have been modified, the KRB_AP_ERR_BAD_INTEGRITY error is
+__________________________
+[10] This is used for  user-to-user  authentication  as
+described in  [8].
+
+
+Section 3.2.3.             - 21 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+returned.  The name and realm of the client from the  ticket
+are  compared  against the same fields in the authenticator.
+If  they  don't  match,  the  KRB_AP_ERR_BADMATCH  error  is
+returned  (they  might  not match, for example, if the wrong
+session key was used to  encrypt  the  authenticator).   The
+addresses  in  the  ticket (if any) are then searched for an
+address matching the operating-system  reported  address  of
+the  client.   If no match is found or the server insists on
+ticket addresses but none are present  in  the  ticket,  the
+KRB_AP_ERR_BADADDR error is returned.
+
+     If the local (server) time and the client time  in  the
+authenticator  differ  by more than the allowable clock skew
+(e.g., 5 minutes), the KRB_AP_ERR_SKEW  error  is  returned.
+If  the  server  name,  along with the client name, time and
+microsecond  fields  from  the   Authenticator   match   any
+recently-seen  such  tuples,  the KRB_AP_ERR_REPEAT error is
+returned[11].  The server must  remember  any  authenticator
+presented  within the allowable clock skew, so that a replay
+attempt is guaranteed to fail.  If a server loses  track  of
+any authenticator presented within the allowable clock skew,
+it must reject all requests until the  clock  skew  interval
+has passed.  This assures that any lost or re-played authen-
+ticators will fall outside the allowable clock skew and  can
+no  longer be successfully replayed (If this is not done, an
+attacker could conceivably record the ticket and authentica-
+tor  sent  over  the  network  to a server, then disable the
+client's host, pose as the disabled  host,  and  replay  the
+ticket  and  authenticator  to subvert the authentication.).
+If a sequence number is provided in the  authenticator,  the
+server  saves it for later use in processing KRB_SAFE and/or
+KRB_PRIV messages.  If  a  subkey  is  present,  the  server
+either  saves  it  for later use or uses it to help generate
+its own choice for a subkey to be returned in  a  KRB_AP_REP
+message.
+
+     The server  computes  the  age  of  the  ticket:  local
+(server)  time  minus  the start time inside the Ticket.  If
+the start time is later than the current time by  more  than
+the  allowable  clock  skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned.   Oth-
+erwise,  if  the current time is later than end time by more
+than the allowable clock  skew,  the  KRB_AP_ERR_TKT_EXPIRED
+error is returned.
+
+     If all these  checks  succeed  without  an  error,  the
+__________________________
+[11] Note that the rejection here is restricted to  au-
+thenticators  from  the  same  principal  to  the  same
+server.  Other client principals communicating with the
+same  server principal should not be have their authen-
+ticators rejected if the time  and  microsecond  fields
+happen to match some other client's authenticator.
+
+
+Section 3.2.3.             - 22 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+server is assured that the client possesses the  credentials
+of  the  principal  named in the ticket and thus, the client
+has been authenticated to the server.  See section A.10  for
+pseudocode.
+
+     Passing these checks provides  only  authentication  of
+the  named principal; it does not imply authorization to use
+the  named  service.   Applications  must  make  a  separate
+authorization decisions based upon the authenticated name of
+the user,  the  requested  operation,  local  acces  control
+information such as that contained in a .k5login or .k5users
+file, and possibly a separate distributed authorization ser-
+vice.
+
+3.2.4.  Generation of a KRB_AP_REP message
+
+     Typically, a client's request  will  include  both  the
+authentication  information  and  its initial request in the
+same message, and the server need not  explicitly  reply  to
+the KRB_AP_REQ.  However, if mutual authentication (not only
+authenticating the client to the server, but also the server
+to  the  client)  is being performed, the KRB_AP_REQ message
+will have MUTUAL-REQUIRED set in its ap-options field, and a
+KRB_AP_REP  message  is  required  in response.  As with the
+error message, this  message  may  be  encapsulated  in  the
+application  protocol if its "raw" form is not acceptable to
+the application's protocol.  The timestamp  and  microsecond
+field  used  in the reply must be the client's timestamp and
+microsecond field (as provided  in  the  authenticator)[12].
+If  a  sequence  number is to be included, it should be ran-
+domly chosen as described above for  the  authenticator.   A
+subkey  may be included if the server desires to negotiate a
+different subkey.  The KRB_AP_REP message  is  encrypted  in
+the session key extracted from the ticket.  See section A.11
+for pseudocode.
+
+3.2.5.  Receipt of KRB_AP_REP message
+
+
+     If a KRB_AP_REP message is returned,  the  client  uses
+the  session  key  from  the  credentials  obtained  for the
+server[13] to decrypt the message,  and  verifies  that  the
+__________________________
+[12] In the Kerberos version 4 protocol, the  timestamp
+in the reply was the client's timestamp plus one.  This
+is not necessary in version 5 because  version  5  mes-
+sages are formatted in such a way that it is not possi-
+ble to create the reply by  judicious  message  surgery
+(even  in  encrypted form) without knowledge of the ap-
+propriate encryption keys.
+[13] Note that for encrypting the  KRB_AP_REP  message,
+the sub-session key is not used, even if present in the
+Authenticator.
+
+
+Section 3.2.5.             - 23 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+timestamp and microsecond fields match those in the  Authen-
+ticator  it  sent  to  the  server.  If they match, then the
+client is assured that the server is genuine.  The  sequence
+number  and  subkey (if present) are retained for later use.
+See section A.12 for pseudocode.
+
+
+3.2.6.  Using the encryption key
+
+     After the KRB_AP_REQ/KRB_AP_REP exchange has  occurred,
+the  client  and server share an encryption key which can be
+used by the application.  The "true session key" to be  used
+for  KRB_PRIV,  KRB_SAFE, or other application-specific uses
+may be chosen by the application based on the subkeys in the
+KRB_AP_REP  message  and  the  authenticator[14].   In  some
+cases,  the  use of this session key will be implicit in the
+protocol; in others the method of use must  be  chosen  from
+several alternatives.  We leave the protocol negotiations of
+how to use the key (e.g.  selecting an encryption or  check-
+sum type) to the application programmer; the Kerberos proto-
+col does not constrain the implementation  options,  but  an
+example of how this might be done follows.
+
+     One way that an application may choose to  negotiate  a
+key  to  be used for subequent integrity and privacy protec-
+tion is for the client to propose a key in the subkey  field
+of  the  authenticator.   The  server  can then choose a key
+using the proposed key from the client as  input,  returning
+the new subkey in the subkey field of the application reply.
+This key could then be used  for  subsequent  communication.
+To make this example more concrete, if the encryption method
+in use required a 56 bit key, and for whatever  reason,  one
+of the parties was prevented from using a key with more than
+40 unknown bits, this method would allow the the party which
+is  prevented from using more than 40 bits to either propose
+(if the client) an initial key with a known quantity for  16
+of  those  bits,  or  to mask 16 of the bits (if the server)
+with the known quantity.   The  application  implementor  is
+warned,  however,  that this is only an example, and that an
+analysis of the particular crytosystem to be used,  and  the
+reasons  for  limiting  the  key length, must be made before
+deciding whether it is acceptable to mask bits of the key.
+
+     With  both  the  one-way  and   mutual   authentication
+exchanges,  the peers should take care not to send sensitive
+information to each other  without  proper  assurances.   In
+particular,  applications  that require privacy or integrity
+should use the KRB_AP_REP response from the server to client
+__________________________
+[14] Implementations of the protocol may wish  to  pro-
+vide  routines  to choose subkeys based on session keys
+and random numbers and to generate a negotiated key  to
+be returned in the KRB_AP_REP message.
+
+
+Section 3.2.6.             - 24 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+to assure both client and server of their  peer's  identity.
+If an application protocol requires privacy of its messages,
+it can use the KRB_PRIV message (section 3.5).  The KRB_SAFE
+message (section 3.4) can be used to assure integrity.
+
+
+3.3.  The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+
+     The TGS exchange between  a  client  and  the  Kerberos
+Ticket-Granting  Server  is  initiated  by  a client when it
+wishes to obtain  authentication  credentials  for  a  given
+server  (which  might be registered in a remote realm), when
+it wishes to renew or validate an existing ticket,  or  when
+it  wishes to obtain a proxy ticket.  In the first case, the
+client must already have acquired a ticket for  the  Ticket-
+Granting  Service using the AS exchange (the ticket-granting
+ticket is usually obtained when a client initially authenti-
+cates to the system, such as when a user logs in).  The mes-
+sage format for the TGS exchange is almost identical to that
+for the AS exchange.  The primary difference is that encryp-
+tion and decryption in the TGS exchange does not take  place
+under  the  client's key.  Instead, the session key from the
+ticket-granting ticket or renewable ticket,  or  sub-session
+key  from  an Authenticator is used.  As is the case for all
+application servers, expired tickets are not accepted by the
+TGS,  so once a renewable or ticket-granting ticket expires,
+the client must use a  separate  exchange  to  obtain  valid
+tickets.
+
+     The TGS exchange consists of two  messages:  A  request
+(KRB_TGS_REQ)  from  the  client  to  the  Kerberos  Ticket-
+Granting Server, and a  reply  (KRB_TGS_REP  or  KRB_ERROR).
+The  KRB_TGS_REQ message includes information authenticating
+the client plus a request for credentials.  The  authentica-
+tion  information  consists  of  the  authentication  header
+(KRB_AP_REQ) which includes the client's previously obtained
+ticket-granting,  renewable,  or  invalid  ticket.   In  the
+ticket-granting ticket and  proxy  cases,  the  request  may
+include  one or more of: a list of network addresses, a col-
+lection of typed authorization data  to  be  sealed  in  the
+ticket  for  authorization use by the application server, or
+additional tickets (the use of which are  described  later).
+The  TGS  reply (KRB_TGS_REP) contains the requested creden-
+tials, encrypted in the session key from the ticket-granting
+ticket  or  renewable  ticket,  or  if  present, in the sub-
+session key from the Authenticator (part of the  authentica-
+tion  header).  The KRB_ERROR message contains an error code
+
+
+Section 3.3.               - 25 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+and text explaining what went wrong.  The KRB_ERROR  message
+is not encrypted.  The KRB_TGS_REP message contains informa-
+tion which can be used to detect replays, and  to  associate
+it with the message to which it replies.  The KRB_ERROR mes-
+sage also contains information which can be used to  associ-
+ate it with the message to which it replies, but the lack of
+encryption in the KRB_ERROR message precludes the ability to
+detect replays or fabrications of such messages.
+
+3.3.1.  Generation of KRB_TGS_REQ message
+
+     Before sending a request to  the  ticket-granting  ser-
+vice,  the client must determine in which realm the applica-
+tion server is  registered[15].   If  the  client  does  not
+already possess a ticket-granting ticket for the appropriate
+realm, then one must be obtained.  This is  first  attempted
+by  requesting  a ticket-granting ticket for the destination
+realm from a Kerberos  server  for  which  the  client  does
+posess  a ticket-granting ticket (using the KRB_TGS_REQ mes-
+sage recursively).  The Kerberos server may return a TGT for
+the  desired  realm in which case one can proceed.  Alterna-
+tively, the Kerberos server may return a  TGT  for  a  realm
+which  is  "closer"  to the desired realm (further along the
+standard hierarchical path), in which case this step must be
+repeated  with  a  Kerberos server in the realm specified in
+the returned TGT.  If neither are returned, then the request
+must be retried with a Kerberos server for a realm higher in
+the hierarchy.  This request will itself require  a  ticket-
+granting  ticket for the higher realm which must be obtained
+by recursively applying these directions.
+
+
+     Once the client obtains a  ticket-granting  ticket  for
+the  appropriate realm, it determines which Kerberos servers
+serve that realm, and  contacts  one.   The  list  might  be
+obtained  through a configuration file or network service or
+it may be generated from the name of the realm; as  long  as
+the  secret  keys  exchanged by realms are kept secret, only
+denial of  service  results  from  using  a  false  Kerberos
+server.
+__________________________
+[15] This can be  accomplished  in  several  ways.   It
+might  be  known beforehand (since the realm is part of
+the principal identifier), it  might  be  stored  in  a
+nameserver,  or  it might be obtained from a configura-
+tion file.  If the realm to be used is obtained from  a
+nameserver,  there  is a danger of being spoofed if the
+nameservice providing the realm name is  not  authenti-
+cated.   This  might result in the use of a realm which
+has been compromised, and would result in an attacker's
+ability  to compromise the authentication of the appli-
+cation server to the client.
+
+
+
+Section 3.3.1.             - 26 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     As in the AS exchange, the client may specify a  number
+of  options in the KRB_TGS_REQ message.  The client prepares
+the KRB_TGS_REQ message, providing an authentication  header
+as  an  element  of the padata field, and including the same
+fields as used in the KRB_AS_REQ message along with  several
+optional fields: the enc-authorization-data field for appli-
+cation server use and additional tickets  required  by  some
+options.
+
+     In preparing the authentication header, the client  can
+select  a  sub-session key under which the response from the
+Kerberos server will be encrypted[16].  If  the  sub-session
+key  is  not  specified,  the  session  key from the ticket-
+granting ticket will be used.  If the enc-authorization-data
+is  present, it must be encrypted in the sub-session key, if
+present, from the authenticator portion of  the  authentica-
+tion  header,  or if not present, using the session key from
+the ticket-granting ticket.
+
+     Once prepared, the message is sent to a Kerberos server
+for the destination realm.  See section A.5 for pseudocode.
+
+3.3.2.  Receipt of KRB_TGS_REQ message
+
+     The KRB_TGS_REQ message is processed in a manner  simi-
+lar to the KRB_AS_REQ message, but there are many additional
+checks to be performed.  First,  the  Kerberos  server  must
+determine which server the accompanying ticket is for and it
+must select the appropriate key to decrypt it.  For a normal
+KRB_TGS_REQ message, it will be for the ticket granting ser-
+vice, and the TGS's key will be used.  If the TGT was issued
+by  another realm, then the appropriate inter-realm key must
+be used.  If the accompanying ticket is not a ticket  grant-
+ing  ticket for the current realm, but is for an application
+server in the current realm, the RENEW, VALIDATE,  or  PROXY
+options  are  specified  in  the request, and the server for
+which a ticket is requested  is  the  server  named  in  the
+accompanying ticket, then the KDC will decrypt the ticket in
+the authentication header using the key of  the  server  for
+which  it  was  issued.   If  no  ticket can be found in the
+padata  field,  the  KDC_ERR_PADATA_TYPE_NOSUPP   error   is
+returned.
+
+     Once the accompanying ticket has  been  decrypted,  the
+user-supplied checksum in the Authenticator must be verified
+against  the  contents  of  the  request,  and  the  message
+rejected  if  the checksums do not match (with an error code
+__________________________
+[16] If the client selects a sub-session key, care must
+be  taken to ensure the randomness of the selected sub-
+session key.  One approach would be to generate a  ran-
+dom  number  and  XOR  it with the session key from the
+ticket-granting ticket.
+
+
+Section 3.3.2.             - 27 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+of KRB_AP_ERR_MODIFIED) or if the checksum is not  keyed  or
+not    collision-proof    (with    an    error    code    of
+KRB_AP_ERR_INAPP_CKSUM).  If the checksum type is  not  sup-
+ported,  the  KDC_ERR_SUMTYPE_NOSUPP  error is returned.  If
+the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+     If any of the  decryptions  indicate  failed  integrity
+checks, the KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+3.3.3.  Generation of KRB_TGS_REP message
+
+     The KRB_TGS_REP message  shares  its  format  with  the
+KRB_AS_REP  (KRB_KDC_REP),  but  with  its type field set to
+KRB_TGS_REP.   The  detailed  specification  is  in  section
+5.4.2.
+
+     The response will include a ticket  for  the  requested
+server.   The  Kerberos  database is queried to retrieve the
+record for the requested  server  (including  the  key  with
+which  the ticket will be encrypted).  If the request is for
+a ticket granting ticket for a remote realm, and if  no  key
+is shared with the requested realm, then the Kerberos server
+will select the realm "closest" to the requested realm  with
+which it does share a key, and use that realm instead.  This
+is the only case where the response from the KDC will be for
+a different server than that requested by the client.
+
+     By default, the address field, the  client's  name  and
+realm,  the  list  of  transited realms, the time of initial
+authentication, the expiration time, and  the  authorization
+data  of  the  newly-issued  ticket  will be copied from the
+ticket-granting ticket (TGT) or renewable  ticket.   If  the
+transited  field needs to be updated, but the transited type
+is  not  supported,  the  KDC_ERR_TRTYPE_NOSUPP   error   is
+returned.
+
+     If the request specifies an endtime, then  the  endtime
+of the new ticket is set to the minimum of (a) that request,
+(b) the endtime from the TGT, and (c) the starttime  of  the
+TGT plus the minimum of the maximum life for the application
+server and the maximum life for the local realm (the maximum
+life  for  the requesting principal was already applied when
+the TGT was issued).  If the new ticket is to be a  renewal,
+then the endtime above is replaced by the minimum of (a) the
+value of the renew_till field of  the  ticket  and  (b)  the
+starttime  for  the  new  ticket  plus  the  life  (endtime-
+starttime) of the old ticket.
+
+     If the FORWARDED option has been  requested,  then  the
+resulting ticket will contain the addresses specified by the
+client.  This option will only be honored if the FORWARDABLE
+flag  is  set in the TGT.  The PROXY option is similar;  the
+resulting ticket will contain the addresses specified by the
+
+
+Section 3.3.3.             - 28 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+client.   It  will  be honored only if the PROXIABLE flag in
+the TGT is set.  The PROXY option will  not  be  honored  on
+requests for additional ticket-granting tickets.
+
+     If the requested start time is absent, indicates a time
+in  the  past,  or  is within the window of acceptable clock
+skew for the KDC and the POSTDATE option has not been speci-
+fied,  then  the  start  time  of  the  ticket is set to the
+authentication server's current time.   If  it  indicates  a
+time in the future beyond the acceptable clock skew, but the
+POSTDATED option has not been specified or the  MAY-POSTDATE
+flag   is   not   set   in   the   TGT,   then   the   error
+KDC_ERR_CANNOT_POSTDATE  is  returned.   Otherwise,  if  the
+ticket-granting  ticket  has the MAY-POSTDATE flag set, then
+the resulting ticket will be  postdated  and  the  requested
+starttime  is checked against the policy of the local realm.
+If acceptable, the ticket's start time is set as  requested,
+and  the  INVALID flag is set.  The postdated ticket must be
+validated before use by presenting it to the KDC  after  the
+starttime  has  been  reached.   However, in no case may the
+starttime, endtime, or renew-till  time  of  a  newly-issued
+postdated  ticket  extend  beyond the renew-till time of the
+ticket-granting ticket.
+
+     If the ENC-TKT-IN-SKEY option has been specified and an
+additional  ticket has been included in the request, the KDC
+will decrypt the additional ticket using  the  key  for  the
+server  to which the additional ticket was issued and verify
+that it is a ticket-granting ticket.  If  the  name  of  the
+requested  server  is  missing from the request, the name of
+the client in the additional ticket will be used.  Otherwise
+the  name  of  the  requested server will be compared to the
+name of the client in the  additional  ticket  and  if  dif-
+ferent,  the  request  will  be  rejected.   If  the request
+succeeds, the session key from the additional ticket will be
+used  to  encrypt  the  new ticket that is issued instead of
+using the key of the server for which the new ticket will be
+used[17].
+
+     If the name  of  the  server  in  the  ticket  that  is
+presented to the KDC as part of the authentication header is
+not that of the ticket-granting server itself, the server is
+registered  in the realm of the KDC, and the RENEW option is
+requested, then the KDC will verify that the RENEWABLE  flag
+is  set  in  the ticket, that the INVALID flag is not set in
+the ticket, and that the renew_till time  is  still  in  the
+future.   If  the VALIDATE option is rqeuested, the KDC will
+__________________________
+[17] This allows easy  implementation  of  user-to-user
+authentication  [8],  which uses ticket-granting ticket
+session keys in lieu of secret server  keys  in  situa-
+tions  where  such secret keys could be easily comprom-
+ised.
+
+
+Section 3.3.3.             - 29 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+check that the starttime has passed and the INVALID flag  is
+set.   If  the  PROXY option is requested, then the KDC will
+check that the PROXIABLE flag is set in the ticket.  If  the
+tests  succeed,  and  the  ticket  passes  the hotlist check
+described in the next paragraph,  the  KDC  will  issue  the
+appropriate new ticket.
+
+
+3.3.3.1.  Checking for revoked tickets
+
+     Whenever a  request  is  made  to  the  ticket-granting
+server,  the  presented  ticket(s) is(are) checked against a
+hot-list of tickets which have been canceled.  This hot-list
+might  be implemented by storing a range of issue timestamps
+for "suspect tickets"; if a presented ticket had an authtime
+in  that range, it would be rejected.  In this way, a stolen
+ticket-granting ticket or renewable ticket cannot be used to
+gain  additional  tickets  (renewals  or otherwise) once the
+theft has been reported.  Any normal ticket obtained  before
+it  was  reported  stolen  will still be valid (because they
+require no interaction with the KDC), but only  until  their
+normal expiration time.
+
+     The ciphertext part of the response in the  KRB_TGS_REP
+message is encrypted in the sub-session key from the Authen-
+ticator, if  present,  or  the  session  key  key  from  the
+ticket-granting  ticket.   It  is  not  encrypted  using the
+client's  secret  key.   Furthermore,  the  client's   key's
+expiration  date  and the key version number fields are left
+out since these values are stored along  with  the  client's
+database  record, and that record is not needed to satisfy a
+request based on a ticket-granting ticket.  See section  A.6
+for pseudocode.
+
+3.3.3.2.  Encoding the transited field
+
+     If the identity of  the  server  in  the  TGT  that  is
+presented to the KDC as part of the authentication header is
+that of the ticket-granting service, but the TGT was  issued
+from another realm, the KDC will look up the inter-realm key
+shared with that realm and  use  that  key  to  decrypt  the
+ticket.  If the ticket is valid, then the KDC will honor the
+request, subject to the constraints outlined  above  in  the
+section  describing  the AS exchange.  The realm part of the
+client's identity will be  taken  from  the  ticket-granting
+ticket.   The  name  of  the  realm  that issued the ticket-
+granting ticket will be added to the transited field of  the
+ticket  to  be  issued.  This is accomplished by reading the
+transited field from the ticket-granting  ticket  (which  is
+treated  as an unordered set of realm names), adding the new
+realm to the set, then  constructing  and  writing  out  its
+encoded  (shorthand)  form (this may involve a rearrangement
+of the existing encoding).
+
+
+
+Section 3.3.3.2.           - 30 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     Note that the ticket-granting service does not add  the
+name  of  its  own realm.  Instead, its responsibility is to
+add the name of the previous realm.  This prevents  a  mali-
+cious Kerberos server from intentionally leaving out its own
+name (it could, however, omit other realms' names).
+
+     The  names  of  neither  the  local   realm   nor   the
+principal's realm are to be included in the transited field.
+They appear elsewhere in the ticket and both  are  known  to
+have  taken part in authenticating the principal.  Since the
+endpoints  are  not  included,  both  local  and  single-hop
+inter-realm  authentication result in a transited field that
+is empty.
+
+     Because the name of each realm transited  is  added  to
+this  field, it might potentially be very long.  To decrease
+the length of this field, its  contents  are  encoded.   The
+initially  supported  encoding  is  optimized for the normal
+case of inter-realm communication: a  hierarchical  arrange-
+ment  of  realms  using  either  domain or X.500 style realm
+names.  This encoding (called DOMAIN-X500-COMPRESS)  is  now
+described.
+
+     Realm names in the transited field are separated  by  a
+",".   The ",", "\", trailing "."s, and leading spaces (" ")
+are special characters, and if they  are  part  of  a  realm
+name,  they must be quoted in the transited field by preced-
+ing them with a "\".
+
+     A realm name ending with a "." is interpreted as  being
+prepended to the previous realm.  For example, we can encode
+traversal of EDU, MIT.EDU,  ATHENA.MIT.EDU,  WASHINGTON.EDU,
+and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were  end-
+points,  that  they would not be included in this field, and
+we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is  interpreted  as  being
+appended to the previous realm[18].  If it is  to  stand  by
+itself,  then  it  should be preceded by a space (" ").  For
+example, we can encode traversal of /COM/HP/APOLLO, /COM/HP,
+/COM, and /COM/DEC as:
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+__________________________
+[18] For the purpose of appending, the realm  preceding
+the  first  listed  realm  is considered to be the null
+realm ("").
+
+
+Section 3.3.3.2.           - 31 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+Like the example above, if /COM/HP/APOLLO and  /COM/DEC  are
+endpoints,  they  they  would not be included in this field,
+and we would have:
+
+     "/COM,/HP"
+
+
+     A null subfield preceding or following a ","  indicates
+that  all  realms  between  the  previous realm and the next
+realm have been traversed[19].  Thus,  ","  means  that  all
+realms along the path between the client and the server have
+been traversed. ",EDU, /COM," means  that  that  all  realms
+from the client's realm up to EDU (in a domain style hierar-
+chy) have been traversed, and that everything from /COM down
+to  the  server's  realm  in  an  X.500  style has also been
+traversed.  This could occur if the EDU realm in one hierar-
+chy  shares  an inter-realm key directly with the /COM realm
+in another hierarchy.
+
+3.3.4.  Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it  is  pro-
+cessed  in  the  same  manner  as  the KRB_AS_REP processing
+described above.  The primary difference is that the cipher-
+text  part  of the response must be decrypted using the ses-
+sion key from the ticket-granting  ticket  rather  than  the
+client's secret key.  See section A.7 for pseudocode.
+
+
+3.4.  The KRB_SAFE Exchange
+
+     The KRB_SAFE message may be used by  clients  requiring
+the   ability  to  detect  modifications  of  messages  they
+exchange.  It achieves this by including a keyed  collision-
+proof  checksum  of  the user data and some control informa-
+tion.  The checksum is keyed with an encryption key (usually
+the  last  key negotiated via subkeys, or the session key if
+no negotiation has occured).
+
+3.4.1.  Generation of a KRB_SAFE message
+
+When an application wishes to send a  KRB_SAFE  message,  it
+collects  its  data  and the appropriate control information
+and computes a checksum over them.  The  checksum  algorithm
+should  be  a  keyed one-way hash function (such as the RSA-
+MD5-DES checksum algorithm specified in  section  6.4.5,  or
+the  DES  MAC),  generated  using  the  sub-session  key  if
+present, or the session key.  Different  algorithms  may  be
+__________________________
+[19] For the purpose of  interpreting  null  subfields,
+the  client's  realm  is considered to precede those in
+the transited field, and the  server's  realm  is  con-
+sidered to follow them.
+
+
+Section 3.4.1.             - 32 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+selected by changing  the  checksum  type  in  the  message.
+Unkeyed  or  non-collision-proof  checksums are not suitable
+for this use.
+
+     The  control  information  for  the  KRB_SAFE   message
+includes  both  a  timestamp  and  a  sequence  number.  The
+designer of an application using the KRB_SAFE  message  must
+choose  at  least  one  of  the two mechanisms.  This choice
+should be based on the needs of the application protocol.
+
+     Sequence numbers are useful when all messages sent will
+be  received  by  one's peer.  Connection state is presently
+required to maintain the session  key,  so  maintaining  the
+next  sequence number should not present an additional prob-
+lem.
+
+     If the application protocol  is  expected  to  tolerate
+lost  messages  without  them  being  resent, the use of the
+timestamp is the  appropriate  replay  detection  mechanism.
+Using  timestamps  is  also  the  appropriate  mechanism for
+multi-cast protocols where all of one's peers share a common
+sub-session  key, but some messages will be sent to a subset
+of one's peers.
+
+     After computing the checksum, the client then transmits
+the information and checksum to the recipient in the message
+format specified in section 5.6.1.
+
+3.4.2.  Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies
+it  as  follows.   If  any  error  occurs,  an error code is
+reported for use by the application.
+
+     The message is first checked by verifying that the pro-
+tocol  version and type fields match the current version and
+KRB_SAFE,   respectively.    A    mismatch    generates    a
+KRB_AP_ERR_BADVERSION  or  KRB_AP_ERR_MSG_TYPE  error.   The
+application verifies that the checksum used is a  collision-
+proof    keyed    checksum,    and   if   it   is   not,   a
+KRB_AP_ERR_INAPP_CKSUM error is  generated.   The  recipient
+verifies  that the operating system's report of the sender's
+address matches the sender's address in the message, and (if
+a  recipient  address is specified or the recipient requires
+an address) that one of the recipient's addresses appears as
+the  recipient's address in the message.  A failed match for
+either case generates a KRB_AP_ERR_BADADDR error.  Then  the
+timestamp  and  usec  and/or  the sequence number fields are
+checked.   If  timestamp  and  usec  are  expected  and  not
+present,   or   they   are  present  but  not  current,  the
+KRB_AP_ERR_SKEW error is generated.   If  the  server  name,
+along with the client name, time and microsecond fields from
+the  Authenticator  match   any   recently-seen   (sent   or
+received[20] ) such tuples, the KRB_AP_ERR_REPEAT  error  is
+__________________________
+[20] This means that a client and server running on the
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+generated.  If an incorrect sequence number is included,  or
+a   sequence   number  is  expected  but  not  present,  the
+KRB_AP_ERR_BADORDER error is generated.  If neither a  time-
+stamp   and   usec  or  a  sequence  number  is  present,  a
+KRB_AP_ERR_MODIFIED error is generated.  Finally, the check-
+sum  is  computed over the data and control information, and
+if   it   doesn't   match   the   received    checksum,    a
+KRB_AP_ERR_MODIFIED error is generated.
+
+     If all the checks succeed, the application  is  assured
+that the message was generated by its peer and was not modi-
+fied in transit.
+
+3.5.  The KRB_PRIV Exchange
+
+     The KRB_PRIV message may be used by  clients  requiring
+confidentiality  and  the ability to detect modifications of
+exchanged messages.  It achieves this by encrypting the mes-
+sages and adding control information.
+
+3.5.1.  Generation of a KRB_PRIV message
+
+When an application wishes to send a  KRB_PRIV  message,  it
+collects  its  data  and the appropriate control information
+(specified in section 5.7.1)  and  encrypts  them  under  an
+encryption key (usually the last key negotiated via subkeys,
+or the session key if no negotiation has occured).  As  part
+of  the  control  information, the client must choose to use
+either a timestamp or a sequence number (or both);  see  the
+discussion  in section 3.4.1 for guidelines on which to use.
+After the user data and control information  are  encrypted,
+the  client  transmits  the  ciphertext  and some "envelope"
+information to the recipient.
+
+3.5.2.  Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies
+it  as  follows.   If  any  error  occurs,  an error code is
+reported for use by the application.
+
+     The message is first checked by verifying that the pro-
+tocol  version and type fields match the current version and
+KRB_PRIV,   respectively.    A    mismatch    generates    a
+KRB_AP_ERR_BADVERSION  or  KRB_AP_ERR_MSG_TYPE  error.   The
+application then decrypts the ciphertext and  processes  the
+resultant  plaintext.   If decryption shows the data to have
+been modified,  a  KRB_AP_ERR_BAD_INTEGRITY  error  is  gen-
+erated.   The recipient verifies that the operating system's
+report of the sender's address matches the sender's  address
+__________________________
+same  host and communicating with one another using the
+KRB_SAFE messages should  not  share  a  common  replay
+cache to detect KRB_SAFE replays.
+
+
+
+Section 3.5.2.             - 34 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+in the message, and (if a recipient address is specified  or
+the   recipient   requires  an  address)  that  one  of  the
+recipient's addresses appears as the recipient's address  in
+the  message.   A  failed  match for either case generates a
+KRB_AP_ERR_BADADDR  error.   Then  the  timestamp  and  usec
+and/or the sequence number fields are checked.  If timestamp
+and usec are expected and not present, or they  are  present
+but  not current, the KRB_AP_ERR_SKEW error is generated. If
+the server name,  along  with  the  client  name,  time  and
+microsecond   fields   from   the  Authenticator  match  any
+recently-seen such tuples, the  KRB_AP_ERR_REPEAT  error  is
+generated.   If an incorrect sequence number is included, or
+a  sequence  number  is  expected  but  not   present,   the
+KRB_AP_ERR_BADORDER  error is generated.  If neither a time-
+stamp  and  usec  or  a  sequence  number  is   present,   a
+KRB_AP_ERR_MODIFIED error is generated.
+
+     If all the checks succeed, the application  can  assume
+the  message  was  generated  by  its peer, and was securely
+transmitted (without intruders able to see  the  unencrypted
+contents).
+
+3.6.  The KRB_CRED Exchange
+
+     The KRB_CRED message may be used by  clients  requiring
+the  ability  to  send Kerberos credentials from one host to
+another.  It achieves this by sending the  tickets  together
+with  encrypted  data  containing the session keys and other
+information associated with the tickets.
+
+3.6.1.  Generation of a KRB_CRED message
+
+When an application wishes to send  a  KRB_CRED  message  it
+first (using the KRB_TGS exchange) obtains credentials to be
+sent to the remote host.  It then constructs a KRB_CRED mes-
+sage  using  the  ticket or tickets so obtained, placing the
+session key needed to use each ticket in the  key  field  of
+the corresponding KrbCredInfo sequence of the encrypted part
+of the the KRB_CRED message.
+
+     Other  information  associated  with  each  ticket  and
+obtained  during  the KRB_TGS exchange is also placed in the
+corresponding KrbCredInfo sequence in the encrypted part  of
+the KRB_CRED message.  The current time and, if specifically
+required by the application the  nonce,  s-address,  and  r-
+address  fields,  are  placed  in  the encrypted part of the
+KRB_CRED message which is then encrypted under an encryption
+key previosuly exchanged in the KRB_AP exchange (usually the
+last key negotiated via subkeys, or the session  key  if  no
+negotiation has occured).
+
+3.6.2.  Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies
+
+
+Section 3.6.2.             - 35 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+it.   If any error occurs, an error code is reported for use
+by the application.  The message  is  verified  by  checking
+that  the protocol version and type fields match the current
+version and KRB_CRED, respectively.  A mismatch generates  a
+KRB_AP_ERR_BADVERSION  or  KRB_AP_ERR_MSG_TYPE  error.   The
+application then decrypts the ciphertext and  processes  the
+resultant  plaintext.   If decryption shows the data to have
+been modified,  a  KRB_AP_ERR_BAD_INTEGRITY  error  is  gen-
+erated.
+
+     If present or required, the recipient verifies that the
+operating  system's  report  of the sender's address matches
+the sender's address in the message, and  that  one  of  the
+recipient's  addresses appears as the recipient's address in
+the message.  A failed match for  either  case  generates  a
+KRB_AP_ERR_BADADDR  error.   The  timestamp  and usec fields
+(and the nonce field if required) are checked next.  If  the
+timestamp  and usec are not present, or they are present but
+not current, the KRB_AP_ERR_SKEW error is generated.
+
+     If all the checks succeed, the application stores  each
+of  the  new  tickets  in its ticket cache together with the
+session key  and  other  information  in  the  corresponding
+KrbCredInfo sequence from the encrypted part of the KRB_CRED
+message.
+
+4.  The Kerberos Database
+
+The Kerberos server must have access to a database  contain-
+ing  the principal identifiers and secret keys of principals
+to be authenticated[21].
+
+4.1.  Database contents
+
+A database entry  should  contain  at  least  the  following
+fields:
+
+Field                Value
+
+name                 Principal's                    identif-
+ier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+__________________________
+[21] The implementation of the Kerberos server need not
+combine  the  database  and  the  server  on  the  same
+machine; it is feasible to store the principal database
+in, say, a network name service, as long as the entries
+stored therein are protected  from  disclosure  to  and
+modification  by  unauthorized  parties.   However,  we
+recommend against such strategies,  as  they  can  make
+system management and threat analysis quite complex.
+
+
+Section 4.1.               - 36 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier.
+The  key  field contains an encryption key.  This key is the
+principal's secret key.  (The key can  be  encrypted  before
+storage  under a Kerberos "master key" to protect it in case
+the database is compromised but the master key is  not.   In
+that case, an extra field must be added to indicate the mas-
+ter key version used, see below.) The p_kvno  field  is  the
+key  version  number  of  the  principal's  secret key.  The
+max_life field contains the maximum allowable lifetime (end-
+time  - starttime) for any Ticket issued for this principal.
+The max_renewable_life field contains the maximum  allowable
+total  lifetime  for  any  renewable  Ticket issued for this
+principal.  (See section 3.1 for a description of how  these
+lifetimes  are  used  in determining the lifetime of a given
+Ticket.)
+
+     A server may provide KDC service to several realms,  as
+long  as the database representation provides a mechanism to
+distinguish between principal records with identifiers which
+differ only in the realm name.
+
+     When an application server's key changes, if the change
+is  routine  (i.e.  not  the result of disclosure of the old
+key), the old key should be retained by the server until all
+tickets  that  had  been issued using that key have expired.
+Because of this, it is  possible  for  several  keys  to  be
+active  for  a  single principal.  Ciphertext encrypted in a
+principal's key is always tagged with the version of the key
+that was used for encryption, to help the recipient find the
+proper key for decryption.
+
+     When more than one key is active for a particular prin-
+cipal,  the  principal will have more than one record in the
+Kerberos database.  The keys and key  version  numbers  will
+differ  between  the  records (the rest of the fields may or
+may not be the same). Whenever Kerberos issues a ticket,  or
+responds  to  a request for initial authentication, the most
+recent key (known by the Kerberos server) will be  used  for
+encryption.   This  is  the key with the highest key version
+number.
+
+4.2.  Additional fields
+
+Project Athena's KDC implementation uses  additional  fields
+in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+
+
+Section 4.2.               - 37 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+mod_name     Modifying principal's identifier
+
+
+The K_kvno field indicates the key version of  the  Kerberos
+master  key  under  which  the  principal's  secret  key  is
+encrypted.
+
+     After an entry's expiration date has  passed,  the  KDC
+will  return an error to any client attempting to gain tick-
+ets as or for the principal.  (A database may want to  main-
+tain  two  expiration  dates: one for the principal, and one
+for the principal's current key.  This allows password aging
+to  work  independently  of the principal's expiration date.
+However, due to the limited space in the responses, the  KDC
+must  combine  the  key  expiration and principal expiration
+date into a single value called "key_exp", which is used  as
+a hint to the user to take administrative action.)
+
+     The attributes field is a bitfield used to  govern  the
+operations  involving  the  principal.   This field might be
+useful in conjunction with user registration procedures, for
+site-specific   policy   implementations   (Project   Athena
+currently uses it for their user registration  process  con-
+trolled  by the system-wide database service, Moira [9]), to
+identify whether a principal can play the role of  a  client
+or  server  or both, to note whether a server is appropriate
+trusted to recieve credentials delegated by a client, or  to
+identify the "string to key" conversion algorithm used for a
+principal's key[22].  Other bits are used to  indicate  that
+certain  ticket  options  should  not  be allowed in tickets
+encrypted under a principal's key (one bit each):   Disallow
+issuing  postdated  tickets,  disallow  issuing  forwardable
+tickets, disallow issuing tickets based on  TGT  authentica-
+tion,  disallow  issuing renewable tickets, disallow issuing
+proxiable tickets, and disallow issuing  tickets  for  which
+the principal is the server.
+
+     The mod_date field contains the time of last  modifica-
+tion  of the entry, and the mod_name field contains the name
+of the principal which last modified the entry.
+
+4.3.  Frequently Changing Fields
+
+     Some KDC implementations may wish to maintain the  last
+time  that  a  request  was  made by a particular principal.
+Information that might be maintained includes  the  time  of
+the  last  request,  the  time  of  the  last  request for a
+ticket-granting ticket, the  time  of  the  last  use  of  a
+ticket-granting  ticket,  or  other times.  This information
+can then be returned to the user in the last-req field  (see
+__________________________
+[22] See the discussion of the padata field in  section
+5.4.2 for details on why this can be useful.
+
+
+Section 4.3.               - 38 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+section 5.2).
+
+     Other frequently changing information that can be main-
+tained  is  the  latest expiration time for any tickets that
+have been issued using each key.  This field would  be  used
+to indicate how long old keys must remain valid to allow the
+continued use of outstanding tickets.
+
+4.4.  Site Constants
+
+     The KDC implementation should have the following confi-
+gurable  constants  or options, to allow an administrator to
+make and enforce policy decisions:
+
++  The minimum supported lifetime (used to determine whether
+   the  KDC_ERR_NEVER_VALID error should be returned).  This
+   constant  should  reflect  reasonable   expectations   of
+   round-trip  time  to the KDC, encryption/decryption time,
+   and processing time by the client and target server,  and
+   it should allow for a minimum "useful" lifetime.
+
++  The maximum allowable total  (renewable)  lifetime  of  a
+   ticket (renew_till - starttime).
+
++  The maximum allowable lifetime of  a  ticket  (endtime  -
+   starttime).
+
++  Whether to allow the issue of tickets with empty  address
+   fields  (including the ability to specify that such tick-
+   ets may only be issued  if  the  request  specifies  some
+   authorization_data).
+
++  Whether proxiable, forwardable, renewable or post-datable
+   tickets are to be issued.
+
+
+5.  Message Specifications
+
+     The following sections describe the exact contents  and
+encoding  of  protocol messages and objects.  The ASN.1 base
+definitions are presented  in  the  first  subsection.   The
+remaining  subsections specify the protocol objects (tickets
+and authenticators) and messages.  Specification of  encryp-
+tion  and  checksum  techniques,  and  the fields related to
+them, appear in section 6.
+
+5.1.  ASN.1 Distinguished Encoding Representation
+
+     All uses of  ASN.1  in  Kerberos  shall  use  the  Dis-
+tinguished  Encoding  Representation of the data elements as
+described in the X.509 specification, section 8.7  [10].
+
+
+
+
+
+Section 5.1.               - 39 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+5.2.  ASN.1 Base Definitions
+
+     The following ASN.1 base definitions are  used  in  the
+rest  of this section.  Note that since the underscore char-
+acter (_) is not permitted in ASN.1 names, the hyphen (-) is
+used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+
+Kerberos realms are encoded as GeneralStrings.  Realms shall
+not  contain  a  character  with the code 0 (the ASCII NUL).
+Most realms  will  usually  consist  of  several  components
+separated  by  periods  (.), in the style of Internet Domain
+Names, or separated by slashes (/) in  the  style  of  X.500
+names.   Acceptable  forms  for realm names are specified in
+section 7.  A PrincipalName is  a  typed  sequence  of  com-
+ponents consisting of the following sub-fields:
+
+name-type This field specifies the type of  name  that  fol-
+          lows.   Pre-defined  values  for  this  field  are
+          specified in section 7.2.  The name-type should be
+          treated as a hint.  Ignoring the name type, no two
+          names can be the same (i.e. at least  one  of  the
+          components,  or  the  realm,  must  be different).
+          This constraint may be eliminated in the future.
+
+name-stringThis field encodes a sequence of components  that
+          form  a name, each component encoded as a General-
+          String.  Taken together,  a  PrincipalName  and  a
+          Realm  form  a principal identifier.  Most Princi-
+          palNames will have only a  few  components  (typi-
+          cally one or two).
+
+
+
+        KerberosTime ::=   GeneralizedTime
+                           -- Specifying UTC time zone (Z)
+
+
+     The timestamps used in Kerberos are encoded as General-
+izedTimes.   An encoding shall specify the UTC time zone (Z)
+and  shall  not  include  any  fractional  portions  of  the
+seconds.   It  further  shall  not  include  any separators.
+Example: The only valid format for UTC time  6  minutes,  27
+seconds after 9 pm on 6 November 1985 is 19851106210627Z.
+
+ HostAddress ::=     SEQUENCE  {
+                     addr-type[0]             INTEGER,
+                     address[1]               OCTET STRING
+
+
+Section 5.2.               - 40 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+ }
+
+ HostAddresses ::=   SEQUENCE OF SEQUENCE {
+                     addr-type[0]             INTEGER,
+                     address[1]               OCTET STRING
+ }
+
+
+     The host adddress encodings consists of two fields:
+
+addr-type This field  specifies the  type  of  address  that
+          follows.   Pre-defined  values  for this field are
+          specified in section 8.1.
+
+
+address   This field encodes a single address of type  addr-
+          type.
+
+The two forms differ slightly. HostAddress contains  exactly
+one  address;  HostAddresses contains a sequence of possibly
+many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+
+ad-data   This  field  contains  authorization  data  to  be
+          interpreted   according   to   the  value  of  the
+          corresponding ad-type field.
+
+ad-type   This field specifies the format  for  the  ad-data
+          subfield.   All  negative  values are reserved for
+          local use.  Non-negative values are  reserved  for
+          registered use.
+
+                APOptions ::=   BIT STRING {
+                                reserved(0),
+                                use-session-key(1),
+                                mutual-required(2)
+                }
+
+
+          TicketFlags ::=   BIT STRING {
+                            reserved(0),
+                            forwardable(1),
+                            forwarded(2),
+                            proxiable(3),
+                            proxy(4),
+                            may-postdate(5),
+                            postdated(6),
+                            invalid(7),
+                            renewable(8),
+                            initial(9),
+
+
+Section 5.2.               - 41 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                            pre-authent(10),
+                            hw-authent(11),
+                            transited-policy-checked(12),
+                            ok-as-delegate(13)
+          }
+
+
+           KDCOptions ::=   BIT STRING {
+                            reserved(0),
+                            forwardable(1),
+                            forwarded(2),
+                            proxiable(3),
+                            proxy(4),
+                            allow-postdate(5),
+                            postdated(6),
+                            unused7(7),
+                            renewable(8),
+                            unused9(9),
+                            unused10(10),
+                            unused11(11),
+                            unused12(12),
+                            unused13(13),
+                            disable-transited-check(26),
+                            renewable-ok(27),
+                            enc-tkt-in-skey(28),
+                            renew(30),
+                            validate(31)
+           }
+
+          ASN.1 Bit strings have a length and a value.  When
+          used  in  Kerberos for the APOptions, TicketFlags,
+          and KDCOptions, the length of the  bit  string  on
+          generated  values  should be the smallest multiple
+          of 32 bits needed to include the highest order bit
+          that is set (1), but in no case less than 32 bits.
+          Implementations  should  accept  values   of   bit
+          strings of any length and treat the value of flags
+          cooresponding to bits beyond the end  of  the  bit
+          string as if the bit were reset (0).  Comparisonof
+          bit strings of different length should  treat  the
+          smaller  string  as  if  it were padded with zeros
+          beyond the high order bits to the  length  of  the
+          longer string[23].
+
+__________________________
+[23] Warning for implementations that unpack and repack
+data  structures during the generation and verification
+of embedded checksums: Because any checksums applied to
+data  structures  must  be checked against the original
+data the length of bit strings must be preserved within
+a  data  structure  between the time that a checksum is
+generated through transmission to  the  time  that  the
+checksum is verified.
+
+
+
+Section 5.2.               - 42 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+         LastReq ::=   SEQUENCE OF SEQUENCE {
+                       lr-type[0]               INTEGER,
+                       lr-value[1]              KerberosTime
+         }
+
+
+lr-type   This field indicates how  the  following  lr-value
+          field is to be interpreted.  Negative values indi-
+          cate that the information  pertains  only  to  the
+          responding server.  Non-negative values pertain to
+          all servers for the realm.
+
+          If the lr-type field is zero (0), then no informa-
+          tion is conveyed by the lr-value subfield.  If the
+          absolute value of the lr-type field  is  one  (1),
+          then  the  lr-value  subfield  is the time of last
+          initial request for a TGT.  If it is two (2), then
+          the  lr-value subfield is the time of last initial
+          request.  If it is three (3),  then  the  lr-value
+          subfield  is  the  time  of  issue  for the newest
+          ticket-granting ticket used.  If it is  four  (4),
+          then the lr-value subfield is the time of the last
+          renewal.  If it is five  (5),  then  the  lr-value
+          subfield  is  the  time  of  last  request (of any
+          type).
+
+
+lr-value  This field contains the time of the last  request.
+          The time must be interpreted according to the con-
+          tents of the accompanying lr-type subfield.
+
+     See section 6 for the definitions of  Checksum,  Check-
+sumType,  EncryptedData,  EncryptionKey, EncryptionType, and
+KeyType.
+
+
+5.3.  Tickets and Authenticators
+
+     This section describes the format and encryption param-
+eters  for  tickets  and  authenticators.   When a ticket or
+authenticator is  included  in  a  protocol  message  it  is
+treated as an opaque object.
+
+5.3.1.  Tickets
+
+     A ticket is a record that helps a  client  authenticate
+to a service.  A Ticket contains the following information:
+
+Ticket ::=                    [APPLICATION 1] SEQUENCE {
+                              tkt-vno[0]                   INTEGER,
+                              realm[1]                     Realm,
+                              sname[2]                     PrincipalName,
+                              enc-part[3]                  EncryptedData
+}
+
+
+Section 5.3.1.             - 43 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared
+by  Kerberos  and  the end server (the server's secret key).
+See section 6 for the format of the ciphertext.
+
+tkt-vno   This field specifies the version  number  for  the
+          ticket  format.   This  document describes version
+          number 5.
+
+
+realm     This field  specifies  the  realm  that  issued  a
+          ticket.  It also serves to identify the realm part
+          of the server's  principal  identifier.   Since  a
+          Kerberos server can only issue tickets for servers
+          within its realm, the two will always  be  identi-
+          cal.
+
+
+sname     This field specifies the name part of the server's
+          identity.
+
+
+enc-part  This field holds the  encrypted  encoding  of  the
+          EncTicketPart sequence.
+
+
+flags     This field indicates which of various options were
+          used  or requested when the ticket was issued.  It
+          is a bit-field, where  the  selected  options  are
+          indicated  by  the  bit  being  set  (1),  and the
+          unselected options and reserved fields being reset
+          (0).   Bit  0  is  the  most significant bit.  The
+          encoding of the bits is specified in section  5.2.
+          The  flags  are  described in more detail above in
+          section 2.  The meanings of the flags are:
+
+
+Section 5.3.1.             - 44 -    Expires 11 January 1998
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     Bit(s)      Name         Description
+
+     0           RESERVED
+                              Reserved for future  expansion  of  this
+                              field.
+
+     1           FORWARDABLE 
+                              The FORWARDABLE flag  is  normally  only
+                              interpreted  by  the  TGS,  and  can  be
+                              ignored by end servers.  When set,  this
+                              flag  tells  the  ticket-granting server
+                              that it is OK to  issue  a  new  ticket-
+                              granting ticket with a different network
+                              address based on the presented ticket.
+
+     2           FORWARDED   
+                              When set, this flag indicates  that  the
+                              ticket  has either been forwarded or was
+                              issued based on authentication involving
+                              a forwarded ticket-granting ticket.
+
+     3           PROXIABLE   
+                              The  PROXIABLE  flag  is  normally  only
+                              interpreted  by  the  TGS,  and  can  be
+                              ignored by end servers.   The  PROXIABLE
+                              flag  has an interpretation identical to
+                              that of  the  FORWARDABLE  flag,  except
+                              that   the   PROXIABLE  flag  tells  the
+                              ticket-granting server  that  only  non-
+                              ticket-granting  tickets  may  be issued
+                              with different network addresses.
+
+     4           PROXY       
+                              When set, this  flag  indicates  that  a
+                              ticket is a proxy.
+
+     5           MAY-POSTDATE 
+                              The MAY-POSTDATE flag is  normally  only
+                              interpreted  by  the  TGS,  and  can  be
+                              ignored by end servers.  This flag tells
+                              the  ticket-granting server that a post-
+                              dated ticket may be issued based on this
+                              ticket-granting ticket.
+
+     6           POSTDATED    
+                              This flag indicates that this ticket has
+                              been  postdated.   The  end-service  can
+                              check the authtime field to see when the
+                              original authentication occurred.
+
+     7           INVALID      
+                              This flag indicates  that  a  ticket  is
+                              invalid, and it must be validated by the
+                              KDC  before  use.   Application  servers
+                              must reject tickets which have this flag
+                              set.
+
+
+
+
+
+
+
+
+Section 5.3.1.             - 45 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     8           RENEWABLE                        
+                              The  RENEWABLE  flag  is  normally  only
+                              interpreted  by the TGS, and can usually
+                              be ignored by end servers (some particu-
+                              larly careful servers may wish to disal-
+                              low  renewable  tickets).   A  renewable
+                              ticket  can be used to obtain a replace-
+                              ment ticket  that  expires  at  a  later
+                              date.
+
+     9           INITIAL                    
+                              This flag indicates that this ticket was
+                              issued  using  the  AS protocol, and not
+                              issued  based   on   a   ticket-granting
+                              ticket.
+
+     10          PRE-AUTHENT              
+                              This flag indicates that during  initial
+                              authentication, the client was authenti-
+                              cated by the KDC  before  a  ticket  was
+                              issued.    The   strength  of  the  pre-
+                              authentication method is not  indicated,
+                              but is acceptable to the KDC.
+
+     11          HW-AUTHENT                    
+                              This flag indicates  that  the  protocol
+                              employed   for   initial  authentication
+                              required the use of hardware expected to
+                              be possessed solely by the named client.
+                              The hardware  authentication  method  is
+                              selected  by the KDC and the strength of
+                              the method is not indicated.
+
+
+
+
+Section 5.3.1.             - 46 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     12           TRANSITED   This flag indicates that the KDC for the
+             POLICY-CHECKED   realm has checked the transited field
+			      against a realm defined policy for
+			      trusted certifiers.  If this flag is
+			      reset (0), then the application server
+			      must check the transited field itself,
+			      and if unable to do so it must reject
+			      the authentication.  If the flag is set
+			      (1) then the application server may skip
+			      its own validation of the transited
+			      field, relying on the validation
+			      performed by the KDC.  At its option the
+			      application server may still apply its
+			      own validation based on a separate
+			      policy for acceptance.
+
+Section 5.3.1.             - 47 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     13      OK-AS-DELEGATE   This flag indicates that the server (not
+			      the client) specified in the ticket has
+			      been determined by policy of the realm
+			      to be a suitable recipient of
+			      delegation.  A client can use the
+			      presence of this flag to help it make a
+			      decision whether to delegate credentials
+			      (either grant a proxy or a forwarded
+			      ticket granting ticket) to this server.
+			      The client is free to ignore the value
+			      of this flag.  When setting this flag,
+			      an administrator should consider the
+			      security and placement of the server on
+			      which the service will run, as well as
+			      whether the service requires the use of
+			      delegated credentials.
+
+
+
+
+Section 5.3.1.             - 48 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     14          ANONYMOUS                
+                              This flag indicates that  the  principal
+                              named in the ticket is a generic princi-
+                              pal for the realm and does not  identify
+                              the  individual  using  the ticket.  The
+                              purpose  of  the  ticket  is   only   to
+                              securely  distribute  a session key, and
+                              not to identify  the  user.   Subsequent
+                              requests  using the same ticket and ses-
+                              sion may be  considered  as  originating
+                              from  the  same  user, but requests with
+                              the same username but a different ticket
+                              are  likely  to originate from different
+                              users.
+
+     15-31       RESERVED                
+                              Reserved for future use.
+
+
+
+key       This field  exists  in  the  ticket  and  the  KDC
+          response  and is used to pass the session key from
+          Kerberos to the application server and the client.
+          The field's encoding is described in section 6.2.
+
+crealm    This field contains the name of the realm in which
+          the  client  is  registered  and  in which initial
+          authentication took place.
+
+
+cname     This field contains the name part of the  client's
+          principal identifier.
+
+
+transited This field lists the names of the Kerberos  realms
+          that  took part in authenticating the user to whom
+          this ticket was issued.  It does not  specify  the
+          order  in  which  the  realms were transited.  See
+          section 3.3.3.2 for  details  on  how  this  field
+          encodes the traversed realms.
+
+
+authtime  This field indicates the time of initial authenti-
+          cation for the named principal.  It is the time of
+          issue for the original ticket on which this ticket
+          is based.  It is included in the ticket to provide
+          additional information to the end service, and  to
+          provide  the necessary information for implementa-
+          tion of a `hot list' service at the KDC.   An  end
+          service that is particularly paranoid could refuse
+          to accept tickets for which the initial  authenti-
+          cation occurred "too far" in the past.
+
+          This  field  is  also  returned  as  part  of  the
+          response  from  the KDC.  When returned as part of
+          the    response    to    initial    authentication
+
+
+Section 5.3.1.             - 49 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          (KRB_AS_REP), this is the current time on the Ker-
+          beros server[24].
+
+
+starttime This field in the ticket specifies the time  after
+          which the ticket is valid.  Together with endtime,
+          this field specifies the life of the  ticket.   If
+          it  is absent from the ticket, its value should be
+          treated as that of the authtime field.
+
+
+endtime   This field  contains  the  time  after  which  the
+          ticket  will not be honored (its expiration time).
+          Note that individual services may place their  own
+          limits  on  the  life  of  a ticket and may reject
+          tickets which have not yet expired.  As such, this
+          is  really  an  upper bound on the expiration time
+          for the ticket.
+
+
+renew-tillThis field is only present in  tickets  that  have
+          the  RENEWABLE  flag  set  in the flags field.  It
+          indicates the maximum endtime that may be included
+          in  a  renewal.  It can be thought of as the abso-
+          lute expiration time for the ticket, including all
+          renewals.
+
+
+caddr     This field in a ticket contains zero (if  omitted)
+          or  more  (if  present) host addresses.  These are
+          the addresses from which the ticket can  be  used.
+          If  there are no addresses, the ticket can be used
+          from any location.  The decision  by  the  KDC  to
+          issue  or by the end server to accept zero-address
+          tickets is a policy decision and is  left  to  the
+          Kerberos  and end-service administrators; they may
+          refuse to issue or accept such tickets.  The  sug-
+          gested  and  default policy, however, is that such
+          tickets will only be issued or accepted when addi-
+          tional  information  that  can be used to restrict
+          the  use  of  the  ticket  is  included   in   the
+          authorization_data  field.   Such  a  ticket  is a
+          capability.
+
+          Network addresses are included in  the  ticket  to
+          make  it  harder  for  an  attacker  to use stolen
+          credentials.  Because the session key is not  sent
+          over  the  network in cleartext, credentials can't
+__________________________
+[24] It is NOT recommended that this time value be used
+to adjust the workstation's clock since the workstation
+cannot reliably determine that such a KRB_AS_REP  actu-
+ally came from the proper KDC in a timely manner.
+
+
+Section 5.3.1.             - 50 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          be stolen simply by listening to the  network;  an
+          attacker  has  to  gain  access to the session key
+          (perhaps   through   operating   system   security
+          breaches  or a careless user's unattended session)
+          to make use of stolen tickets.
+
+          It is important to note that the  network  address
+          from  which  a  connection  is  received cannot be
+          reliably determined.  Even  if  it  could  be,  an
+          attacker who has compromised the client's worksta-
+          tion  could  use  the  credentials   from   there.
+          Including the network addresses only makes it more
+          difficult, not impossible, for an attacker to walk
+          off with stolen credentials and then use them from
+          a "safe" location.
+
+
+authorization-data
+          The  authorization-data  field  is  used  to  pass
+          authorization  data  from  the  principal on whose
+          behalf a ticket was issued to the application ser-
+          vice.   If no authorization data is included, this
+          field will be left out.  Experience has shown that
+          the  name  of  this field is confusing, and that a
+          better name for this field would be  restrictions.
+          Unfortunately,  it  is  not possible to change the
+          name of this field at this time.
+
+          This field contains restrictions on any  authority
+          obtained  on the bases of authentication using the
+          ticket.  It  is  possible  for  any  principal  in
+          posession  of  credentials  to  add entries to the
+          authorization  data  field  since  these   entries
+          further restrict what can be done with the ticket.
+          Such additions can be made by specifying the addi-
+          tional  entries when a new ticket is obtained dur-
+          ing the TGS exchange, or they may be added  during
+          chained  delegation  using  the authorization data
+          field of the authenticator.
+
+          Because entries may be added to this field by  the
+          holder of credentials, it is not allowable for the
+          presence of an entry  in  the  authorization  data
+          field  of  a  ticket to amplify the priveleges one
+          would obtain from using a ticket.
+
+          The data in this field may be specific to the  end
+          service;  the field will contain the names of ser-
+          vice specific objects, and  the  rights  to  those
+          objects.   The  format for this field is described
+          in section 5.2.  Although  Kerberos  is  not  con-
+          cerned with the format of the contents of the sub-
+          fields, it does carry type information (ad-type).
+
+
+
+Section 5.3.1.             - 51 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          By using the authorization_data field, a principal
+          is  able  to  issue  a  proxy  that is valid for a
+          specific purpose.  For example, a  client  wishing
+          to  print a file can obtain a file server proxy to
+          be passed to the print server.  By specifying  the
+          name  of the file in the authorization_data field,
+          the file server knows that the  print  server  can
+          only  use  the  client's rights when accessing the
+          particular file to be printed.
+
+          A separate service providing providing  authoriza-
+          tion  or  certifying group membership may be built
+          using the authorization-data field.  In this case,
+          the entity granting authorization (not the author-
+          ized entity), obtains a ticket  in  its  own  name
+          (e.g.  the  ticket  is  issued  in  the  name of a
+          privelege server), and this entity  adds  restric-
+          tions  on its own authority and delegates the res-
+          tricted authority through a proxy to  the  client.
+          The  client  would then present this authorization
+          credential to the  application  server  separately
+          from the authentication exchange.
+
+          Similarly, if one specifies the authorization-data
+          field  of  a  proxy  and leaves the host addresses
+          blank, the resulting ticket and session key can be
+          treated  as  a  capability.  See [7] for some sug-
+          gested uses of this field.
+
+          The authorization-data field is optional and  does
+          not have to be included in a ticket.
+
+
+5.3.2.  Authenticators
+
+     An authenticator is a record sent with a  ticket  to  a
+server  to  certify the client's knowledge of the encryption
+key in the ticket, to help the server detect replays, and to
+help  choose a "true session key" to use with the particular
+session.  The encoding is encrypted in the ticket's  session
+key shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+
+
+Section 5.3.2.             - 52 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+authenticator-vno
+          This field specifies the version  number  for  the
+          format of the authenticator.  This document speci-
+          fies version 5.
+
+
+crealm and cname
+          These fields are the same as those  described  for
+          the ticket in section 5.3.1.
+
+
+cksum     This field contains a checksum of the the applica-
+          tion data that accompanies the KRB_AP_REQ.
+
+
+cusec     This field contains the microsecond  part  of  the
+          client's timestamp.  Its value (before encryption)
+          ranges from 0 to 999999.  It often  appears  along
+          with  ctime.   The two fields are used together to
+          specify a reasonably accurate timestamp.
+
+
+ctime     This  field  contains  the  current  time  on  the
+          client's host.
+
+
+subkey    This field contains the  client's  choice  for  an
+          encryption key which is to be used to protect this
+          specific application session.  Unless an  applica-
+          tion  specifies  otherwise,  if this field is left
+          out the session key from the ticket will be used.
+
+seq-numberThis optional field includes the initial  sequence
+          number to be used by the KRB_PRIV or KRB_SAFE mes-
+          sages when sequence numbers  are  used  to  detect
+          replays  (It  may  also  be  used  by  application
+          specific messages).  When included in the  authen-
+          ticator  this field specifies the initial sequence
+          number for messages from the client to the server.
+          When  included  in the AP-REP message, the initial
+          sequence number is  that  for  messages  from  the
+          server  to  the  client.  When used in KRB_PRIV or
+          KRB_SAFE messages, it is incremented by one  after
+          each message is sent.
+
+          For sequence numbers  to  adequately  support  the
+          detection of replays they should be non-repeating,
+          even across connection  boundaries.   The  initial
+          sequence  number  should  be  random and uniformly
+          distributed across  the  full  space  of  possible
+          sequence  numbers, so that it cannot be guessed by
+          an attacker and so  that  it  and  the  successive
+          sequence numbers do not repeat other sequences.
+
+
+
+Section 5.3.2.             - 53 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+authorization-data
+          This field is the same as described for the ticket
+          in  section  5.3.1.   It is optional and will only
+          appear when  additional  restrictions  are  to  be
+          placed  on  the use of a ticket, beyond those car-
+          ried in the ticket itself.
+
+5.4.  Specifications for the AS and TGS exchanges
+
+     This section specifies the format of the messages  used
+in  the exchange between the client and the Kerberos server.
+The format of possible error  messages  appears  in  section
+5.9.1.
+
+5.4.1.  KRB_KDC_REQ definition
+
+     The  KRB_KDC_REQ  message  has  no  type  of  its  own.
+Instead,  its  type  is  one  of  KRB_AS_REQ  or KRB_TGS_REQ
+depending on whether the request is for an initial ticket or
+an  additional  ticket.  In either case, the message is sent
+from the client to  the  Authentication  Server  to  request
+credentials for a service.
+
+     The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER, 
+                                           -- EncryptionType,
+                                           -- in preference order
+
+
+Section 5.4.1.             - 54 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData 
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+The fields in this message are:
+
+
+pvno      This field is included in each message, and speci-
+          fies  the  protocol version number.  This document
+          specifies protocol version 5.
+
+
+msg-type  This field indicates the type of a  protocol  mes-
+          sage.   It  will  almost always be the same as the
+          application identifier associated with a  message.
+          It is included to make the identifier more readily
+          accessible to the application.   For  the  KDC-REQ
+          message,   this   type   will   be  KRB_AS_REQ  or
+          KRB_TGS_REQ.
+
+
+padata    The padata (pre-authentication  data)  field  con-
+          tains  a  sequence  of  authentication information
+          which may be  needed  before  credentials  can  be
+          issued  or decrypted.  In the case of requests for
+          additional tickets (KRB_TGS_REQ), this field  will
+          include  an element with padata-type of PA-TGS-REQ
+          and data  of  an  authentication  header  (ticket-
+          granting  ticket and authenticator).  The checksum
+          in the authenticator  (which  must  be  collision-
+          proof)  is  to  be  computed over the KDC-REQ-BODY
+          encoding.  In most requests for initial  authenti-
+          cation  (KRB_AS_REQ)  and  most replies (KDC-REP),
+          the padata field will be left out.
+
+          This field may also contain information needed  by
+          certain  extensions to the Kerberos protocol.  For
+          example, it might be used to initially verify  the
+          identity  of  a  client  before  any  response  is
+          returned.  This  is  accomplished  with  a  padata
+          field  with  padata-type equal to PA-ENC-TIMESTAMP
+          and padata-value defined as follows:
+
+padata-type     ::= PA-ENC-TIMESTAMP
+padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC   ::= SEQUENCE {
+                patimestamp[0]     KerberosTime, -- client's time
+                pausec[1]          INTEGER OPTIONAL
+}
+
+          with patimestamp containing the client's time  and
+
+
+Section 5.4.1.             - 55 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          pausec  containing  the  microseconds which may be
+          omitted if a client will not  generate  more  than
+          one  request  per second.  The ciphertext (padata-
+          value) consists  of  the  PA-ENC-TS-ENC  sequence,
+          encrypted using the client's secret key.
+
+          The padata  field  can  also  contain  information
+          needed  to  help  the KDC or the client select the
+          key  needed  for  generating  or  decrypting   the
+          response.   This  form of the padata is useful for
+          supporting the use of  certain  token  cards  with
+          Kerberos.   The  details  of  such  extensions are
+          specified in separate  documents.   See  [11]  for
+          additional uses of this field.
+
+padata-type
+          The padata-type element of the padata field  indi-
+          cates  the way that the padata-value element is to
+          be interpreted.  Negative  values  of  padata-type
+          are  reserved  for  unregistered use; non-negative
+          values are used for a registered interpretation of
+          the element type.
+
+
+req-body  This field is a placeholder delimiting the  extent
+          of  the  remaining fields.  If a checksum is to be
+          calculated over the request, it is calculated over
+          an  encoding of the KDC-REQ-BODY sequence which is
+          enclosed within the req-body field.
+
+
+kdc-options
+          This  field  appears   in   the   KRB_AS_REQ   and
+          KRB_TGS_REQ  requests to the KDC and indicates the
+          flags that the client wants set on the tickets  as
+          well  as  other  information that is to modify the
+          behavior of the KDC.  Where appropriate, the  name
+          of  an  option may be the same as the flag that is
+          set by that option.  Although in  most  case,  the
+          bit  in the options field will be the same as that
+          in the flags field, this is not guaranteed, so  it
+          is not acceptable to simply copy the options field
+          to the flags field.  There are various checks that
+          must be made before honoring an option anyway.
+
+          The kdc_options field is a  bit-field,  where  the
+          selected  options  are  indicated by the bit being
+          set (1), and the unselected options  and  reserved
+          fields  being reset (0).  The encoding of the bits
+          is specified in  section  5.2.   The  options  are
+          described  in more detail above in section 2.  The
+          meanings of the options are:
+
+
+
+
+Section 5.4.1.             - 56 -    Expires 11 January 1998
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+   Bit(s)    Name                Description
+    0        RESERVED
+                                 Reserved for future  expansion  of  this
+                                 field.
+
+    1        FORWARDABLE
+                                 The FORWARDABLE  option  indicates  that
+                                 the  ticket  to be issued is to have its
+                                 forwardable flag set.  It  may  only  be
+                                 set on the initial request, or in a sub-
+                                 sequent request if  the  ticket-granting
+                                 ticket on which it is based is also for-
+                                 wardable.
+
+    2        FORWARDED
+                                 The FORWARDED option is  only  specified
+                                 in  a  request  to  the  ticket-granting
+                                 server and will only be honored  if  the
+                                 ticket-granting  ticket  in  the request
+                                 has  its  FORWARDABLE  bit  set.    This
+                                 option  indicates that this is a request
+                                 for forwarding.  The address(es) of  the
+                                 host  from which the resulting ticket is
+                                 to  be  valid  are   included   in   the
+                                 addresses field of the request.
+
+    3        PROXIABLE
+                                 The PROXIABLE option indicates that  the
+                                 ticket to be issued is to have its prox-
+                                 iable flag set.  It may only be  set  on
+                                 the  initial request, or in a subsequent
+                                 request if the ticket-granting ticket on
+                                 which it is based is also proxiable.
+
+    4        PROXY
+                                 The PROXY option indicates that this  is
+                                 a request for a proxy.  This option will
+                                 only be honored if  the  ticket-granting
+                                 ticket  in the request has its PROXIABLE
+                                 bit set.  The address(es)  of  the  host
+                                 from which the resulting ticket is to be
+                                  valid  are  included  in  the  addresses
+                                 field of the request.
+
+    5        ALLOW-POSTDATE
+                                 The ALLOW-POSTDATE option indicates that
+                                 the  ticket  to be issued is to have its
+                                 MAY-POSTDATE flag set.  It may  only  be
+                                 set on the initial request, or in a sub-
+                                 sequent request if  the  ticket-granting
+                                 ticket on which it is based also has its
+                                 MAY-POSTDATE flag set.
+
+
+
+
+
+
+
+Section 5.4.1.             - 57 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+    6        POSTDATED
+                                 The POSTDATED option indicates that this
+                                 is  a  request  for  a postdated ticket.
+                                 This option will only be honored if  the
+                                 ticket-granting  ticket  on  which it is
+                                 based has  its  MAY-POSTDATE  flag  set.
+                                 The  resulting ticket will also have its
+                                 INVALID flag set, and that flag  may  be
+                                 reset by a subsequent request to the KDC
+                                 after the starttime in  the  ticket  has
+                                 been reached.
+
+    7        UNUSED
+                                 This option is presently unused.
+
+    8        RENEWABLE
+                                 The RENEWABLE option indicates that  the
+                                 ticket  to  be  issued  is  to  have its
+                                 RENEWABLE flag set.  It may only be  set
+                                 on  the  initial  request,  or  when the
+                                 ticket-granting  ticket  on  which   the
+                                 request  is based is also renewable.  If
+                                 this option is requested, then the rtime
+                                 field   in   the  request  contains  the
+                                 desired absolute expiration time for the
+                                 ticket.
+
+    9-13     UNUSED
+                                 These options are presently unused.
+
+    14       REQUEST-ANONYMOUS
+                                 The REQUEST-ANONYMOUS  option  indicates
+                                 that  the  ticket to be issued is not to
+                                 identify  the  user  to  which  it   was
+                                 issued.  Instead, the principal identif-
+                                 ier is to be generic,  as  specified  by
+                                 the  policy  of  the realm (e.g. usually
+                                 anonymous@realm).  The  purpose  of  the
+                                 ticket  is only to securely distribute a
+                                 session key, and  not  to  identify  the
+                                 user.   The ANONYMOUS flag on the ticket
+                                 to be returned should be  set.   If  the
+                                 local  realms  policy  does  not  permit
+                                 anonymous credentials, the request is to
+                                 be rejected.
+
+    15-25    RESERVED
+                                 Reserved for future use.
+
+    26       DISABLE-TRANSITED-CHECK
+				 By default the KDC will check the
+				 transited field of a ticket-granting-
+				 ticket against the policy of the local
+				 realm before it will issue derivative
+				 tickets based on the ticket granting
+				 ticket.  If this flag is set in the
+				 request, checking of the transited field
+				 is disabled.  Tickets issued without the
+				 performance of this check will be noted
+				 by the reset (0) value of the
+				 TRANSITED-POLICY-CHECKED flag,
+				 indicating to the application server
+				 that the tranisted field must be checked
+				 locally.  KDC's are encouraged but not
+				 required to honor the
+				 DISABLE-TRANSITED-CHECK option.
+
+
+
+Section 5.4.1.             - 58 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+    27       RENEWABLE-OK
+                                 The RENEWABLE-OK option indicates that a
+                                 renewable ticket will be acceptable if a
+                                 ticket with the  requested  life  cannot
+                                 otherwise be provided.  If a ticket with
+                                 the requested life cannot  be  provided,
+                                 then  a  renewable  ticket may be issued
+                                 with  a  renew-till  equal  to  the  the
+                                 requested  endtime.   The  value  of the
+                                 renew-till field may still be limited by
+                                 local  limits, or limits selected by the
+                                 individual principal or server.
+
+    28       ENC-TKT-IN-SKEY
+                                 This option is used only by the  ticket-
+                                 granting  service.   The ENC-TKT-IN-SKEY
+                                 option indicates that the ticket for the
+                                 end  server  is  to  be encrypted in the
+                                 session key from the additional  ticket-
+                                 granting ticket provided.
+
+    29       RESERVED
+                                 Reserved for future use.
+
+    30       RENEW
+                                 This option is used only by the  ticket-
+                                 granting   service.   The  RENEW  option
+                                 indicates that the  present  request  is
+                                 for  a  renewal.  The ticket provided is
+                                 encrypted in  the  secret  key  for  the
+                                 server  on  which  it  is  valid.   This
+                                 option  will  only  be  honored  if  the
+                                 ticket  to  be renewed has its RENEWABLE
+                                 flag set and if the time in  its  renew-
+                                 till  field  has not passed.  The ticket
+                                 to be renewed is passed  in  the  padata
+                                 field  as  part  of  the  authentication
+                                 header.
+
+    31       VALIDATE
+                                 This option is used only by the  ticket-
+                                 granting  service.   The VALIDATE option
+                                 indicates that the request is  to  vali-
+                                 date  a  postdated ticket.  It will only
+                                 be honored if the  ticket  presented  is
+                                 postdated,  presently  has  its  INVALID
+                                 flag set, and would be otherwise  usable
+                                 at  this time.  A ticket cannot be vali-
+                                 dated before its starttime.  The  ticket
+                                 presented for validation is encrypted in
+                                 the key of the server for  which  it  is
+                                 valid  and is passed in the padata field
+                                 as part of the authentication header.
+
+cname and sname
+          These fields are the same as those  described  for
+          the  ticket  in  section 5.3.1.  sname may only be
+
+
+Section 5.4.1.             - 59 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          absent when the ENC-TKT-IN-SKEY option  is  speci-
+          fied.   If absent, the name of the server is taken
+          from the name of the client in the  ticket  passed
+          as additional-tickets.
+
+
+enc-authorization-data
+          The enc-authorization-data, if present (and it can
+          only be present in the TGS_REQ form), is an encod-
+          ing of the  desired  authorization-data  encrypted
+          under  the  sub-session  key  if  present  in  the
+          Authenticator, or alternatively from  the  session
+          key  in  the ticket-granting ticket, both from the
+          padata field in the KRB_AP_REQ.
+
+
+realm     This  field  specifies  the  realm  part  of   the
+          server's   principal   identifier.    In   the  AS
+          exchange, this is  also  the  realm  part  of  the
+          client's principal identifier.
+
+
+from      This field  is  included  in  the  KRB_AS_REQ  and
+          KRB_TGS_REQ  ticket  requests  when  the requested
+          ticket  is  to  be  postdated.  It  specifies  the
+          desired start time for the requested ticket.
+
+
+
+till      This field contains the expiration date  requested
+          by  the  client in a ticket request.  It is option
+          and if omitted the requested ticket is to have the
+          maximum  endtime permitted according to KDC policy
+          for the parties to the authentication exchange  as
+          limited  by expiration date of the ticket granting
+          ticket or other preauthentication credentials.
+
+
+rtime     This field is the requested renew-till  time  sent
+          from  a client to the KDC in a ticket request.  It
+          is optional.
+
+
+nonce     This  field  is  part  of  the  KDC  request   and
+          response.   It it intended to hold a random number
+          generated by the client.  If the  same  number  is
+          included  in  the encrypted response from the KDC,
+          it provides evidence that the  response  is  fresh
+          and  has not been replayed by an attacker.  Nonces
+          must never be re-used.  Ideally, it should be gen-
+          erated randomly, but if the correct time is known,
+          it may suffice[25].
+__________________________
+[25] Note, however, that if the time  is  used  as  the
+
+Section 5.4.1.             - 60 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+etype     This field specifies the desired encryption  algo-
+          rithm to be used in the response.
+
+
+addresses This field is included in the initial request  for
+          tickets,  and  optionally included in requests for
+          additional  tickets   from   the   ticket-granting
+          server.  It specifies the addresses from which the
+          requested ticket is  to  be  valid.   Normally  it
+          includes  the addresses for the client's host.  If
+          a proxy is  requested,  this  field  will  contain
+          other  addresses.   The contents of this field are
+          usually copied by the KDC into the caddr field  of
+          the resulting ticket.
+
+
+additional-tickets
+          Additional tickets may be optionally included in a
+          request  to  the  ticket-granting  server.  If the
+          ENC-TKT-IN-SKEY option has  been  specified,  then
+          the session key from the additional ticket will be
+          used in place of the server's key to  encrypt  the
+          new   ticket.   If  more  than  one  option  which
+          requires additional tickets  has  been  specified,
+          then  the additional tickets are used in the order
+          specified by the ordering of the options bits (see
+          kdc-options, above).
+
+
+     The application code will be either ten (10) or  twelve
+(12)  depending  on  whether  the  request is for an initial
+ticket (AS-REQ) or for an additional ticket (TGS-REQ).
+
+     The optional fields (addresses, authorization-data  and
+additional-tickets)  are  only included if necessary to per-
+form the operation specified in the kdc-options field.
+
+     It should be noted that in  KRB_TGS_REQ,  the  protocol
+version number appears twice and two different message types
+appear:  the KRB_TGS_REQ message contains  these  fields  as
+does  the  authentication header (KRB_AP_REQ) that is passed
+in the padata field.
+
+5.4.2.  KRB_KDC_REP definition
+
+     The KRB_KDC_REP message format is used  for  the  reply
+from  the KDC for either an initial (AS) request or a subse-
+quent  (TGS)  request.   There  is  no  message   type   for
+__________________________
+nonce,  one must make sure that the workstation time is
+monotonically increasing.  If the time  is  ever  reset
+backwards,  there  is  a small, but finite, probability
+that a nonce will be reused.
+
+
+
+Section 5.4.2.             - 61 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+KRB_KDC_REP.  Instead, the type will be either KRB_AS_REP or
+KRB_TGS_REP.  The key used to encrypt the ciphertext part of
+the reply depends on the message type.  For KRB_AS_REP,  the
+ciphertext  is encrypted in the client's secret key, and the
+client's key version number is included in the  key  version
+number for the encrypted data.  For KRB_TGS_REP, the cipher-
+text is encrypted in the sub-session key from the  Authenti-
+cator,  or  if  absent,  the  session  key  from the ticket-
+granting ticket used in the request.  In that case, no  ver-
+sion number will be present in the EncryptedData sequence.
+
+     The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+              enc-part[6]                EncryptedData
+}
+
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is either KRB_AS_REP or KRB_TGS_REP.
+__________________________
+[27] An application code in the  encrypted  part  of  a
+message  provides  an additional check that the message
+was decrypted properly.
+
+
+Section 5.4.2.             - 62 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+padata    This field  is  described  in  detail  in  section
+          5.4.1.   One  possible  use  for  this field is to
+          encode an alternate "mix-in"  string  to  be  used
+          with   a   string-to-key  algorithm  (such  as  is
+          described in section 6.3.2).  This ability is use-
+          ful  to  ease transitions if a realm name needs to
+          change (e.g. when a company is acquired); in  such
+          a  case  all  existing password-derived entries in
+          the KDC database would be  flagged  as  needing  a
+          special  mix-in  string  until  the  next password
+          change.
+
+
+crealm, cname, srealm and sname
+          These fields are the same as those  described  for
+          the ticket in section 5.3.1.
+
+
+ticket    The newly-issued ticket, from section 5.3.1.
+
+
+enc-part  This field is a place holder  for  the  ciphertext
+          and  related  information that forms the encrypted
+          part  of  a  message.   The  description  of   the
+          encrypted part of the message follows each appear-
+          ance of this field.  The encrypted part is encoded
+          as described in section 6.1.
+
+
+key       This field is the same as described for the ticket
+          in section 5.3.1.
+
+
+last-req  This field is returned by the  KDC  and  specifies
+          the  time(s)  of  the last request by a principal.
+          Depending on what information is  available,  this
+          might  be  the  last  time  that  a  request for a
+          ticket-granting ticket was made, or the last  time
+          that  a  request based on a ticket-granting ticket
+          was successful.  It also might cover  all  servers
+          for  a realm, or just the particular server.  Some
+          implementations may display  this  information  to
+          the user to aid in discovering unauthorized use of
+          one's identity.  It is similar in  spirit  to  the
+          last   login  time  displayed  when  logging  into
+          timesharing systems.
+
+
+nonce     This field is described above in section 5.4.1.
+
+
+key-expiration
+          The key-expiration field is part of  the  response
+          from  the  KDC  and  specifies  the  time that the
+
+
+Section 5.4.2.             - 63 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          client's secret key is due to expire.  The expira-
+          tion  might  be the result of password aging or an
+          account expiration.  This field  will  usually  be
+          left  out  of  the TGS reply since the response to
+          the TGS request is encrypted in a session key  and
+          no  client  information need be retrieved from the
+          KDC database.  It is up to the application  client
+          (usually  the  login  program) to take appropriate
+          action (such as notifying the user) if the expira-
+          tion time is imminent.
+
+
+flags, authtime, starttime, endtime, renew-till and caddr
+          These fields are duplicates of those found in  the
+          encrypted portion of the attached ticket (see sec-
+          tion 5.3.1), provided so  the  client  may  verify
+          they  match  the intended request and to assist in
+          proper ticket caching.  If the message is of  type
+          KRB_TGS_REP,  the  caddr field will only be filled
+          in if the request was for  a  proxy  or  forwarded
+          ticket, or if the user is substituting a subset of
+          the addresses from the ticket granting ticket.  If
+          the  client-requested addresses are not present or
+          not used, then  the  addresses  contained  in  the
+          ticket  will  be the same as those included in the
+          ticket-granting ticket.
+
+
+5.5.  Client/Server (CS) message specifications
+
+     This section specifies the format of the messages  used
+for  the  authentication  of  the  client to the application
+server.
+
+5.5.1.  KRB_AP_REQ definition
+
+     The KRB_AP_REQ message contains the  Kerberos  protocol
+version  number,  the  message  type  KRB_AP_REQ, an options
+field to indicate any options in use,  and  the  ticket  and
+authenticator  themselves.   The KRB_AP_REQ message is often
+referred to as the "authentication header".
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+
+
+Section 5.5.1.             - 64 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+}
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_AP_REQ.
+
+
+ap-optionsThis field  appears  in  the  application  request
+          (KRB_AP_REQ)  and  affects  the way the request is
+          processed.  It is a bit-field, where the  selected
+          options  are  indicated  by the bit being set (1),
+          and the unselected  options  and  reserved  fields
+          being  reset  (0).   The  encoding  of the bits is
+          specified in section 5.2.   The  meanings  of  the
+          options are:
+
+          Bit(s)   Name              Description
+
+          0        RESERVED
+                                     Reserved for future  expansion  of  this
+                                     field.
+
+          1        USE-SESSION-KEY
+                                     The  USE-SESSION-KEY  option   indicates
+                                     that the ticket the client is presenting
+                                     to a server is encrypted in the  session
+                                     key  from  the  server's ticket-granting
+                                     ticket.  When this option is not  speci-
+                                     fied,  the  ticket  is  encrypted in the
+                                     server's secret key.
+
+          2        MUTUAL-REQUIRED
+                                     The  MUTUAL-REQUIRED  option  tells  the
+                                     server  that  the client requires mutual
+                                     authentication, and that it must respond
+                                     with a KRB_AP_REP message.
+
+          3-31     RESERVED
+                                     Reserved for future use.
+
+
+
+ticket    This field is a ticket authenticating  the  client
+          to the server.
+
+
+authenticator
+          This contains the  authenticator,  which  includes
+          the  client's choice of a subkey.  Its encoding is
+          described in section 5.3.2.
+
+5.5.2.  KRB_AP_REP definition
+
+     The KRB_AP_REP message contains the  Kerberos  protocol
+version  number,  the  message  type, and an encrypted time-
+stamp.  The message is sent in in response to an application
+request  (KRB_AP_REQ) where the mutual authentication option
+
+
+Section 5.5.2.             - 65 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+has been selected in the ap-options field.
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+The encoded EncAPRepPart is encrypted in the shared  session
+key of the ticket.  The optional subkey field can be used in
+an application-arranged negotiation to choose a per associa-
+tion session key.
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_AP_REP.
+
+
+enc-part  This field is described above in section 5.4.2.
+
+
+ctime     This  field  contains  the  current  time  on  the
+          client's host.
+
+
+cusec     This field contains the microsecond  part  of  the
+          client's timestamp.
+
+
+subkey    This field contains an encryption key which is  to
+          be  used to protect this specific application ses-
+          sion.  See section 3.2.6 for specifics on how this
+          field  is  used  to  negotiate  a  key.  Unless an
+          application specifies otherwise, if this field  is
+          left out, the sub-session key from the authentica-
+          tor, or if also left out, the session key from the
+          ticket will be used.
+
+
+
+__________________________
+[29] An application code in the  encrypted  part  of  a
+message  provides  an additional check that the message
+was decrypted properly.
+
+
+
+Section 5.5.2.             - 66 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+5.5.3.  Error message reply
+
+     If an error occurs  while  processing  the  application
+request,  the  KRB_ERROR  message  will be sent in response.
+See section 5.9.1 for the format of the error message.   The
+cname and crealm fields may be left out if the server cannot
+determine their appropriate values  from  the  corresponding
+KRB_AP_REQ  message.  If the authenticator was decipherable,
+the ctime and cusec fields will contain the values from it.
+
+5.6.  KRB_SAFE message specification
+
+     This section specifies the format of a message that can
+be  used by either side (client or server) of an application
+to send a tamper-proof message to  its  peer.   It  presumes
+that  a session key has previously been exchanged (for exam-
+ple, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1.  KRB_SAFE definition
+
+     The KRB_SAFE message contains user data  along  with  a
+collision-proof  checksum keyed with the last encryption key
+negotiated via subkeys, or the session key if no negotiation
+has occured.  The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_SAFE.
+
+
+safe-body This field is a placeholder for the  body  of  the
+          KRB-SAFE  message.  It is to be encoded separately
+          and then have the checksum computed over  it,  for
+          use in the cksum field.
+
+
+
+Section 5.6.1.             - 67 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+cksum     This field contains the checksum of  the  applica-
+          tion data.  Checksum details are described in sec-
+          tion 6.4.   The  checksum  is  computed  over  the
+          encoding of the KRB-SAFE-BODY sequence.
+
+
+user-data This field is part of the  KRB_SAFE  and  KRB_PRIV
+          messages and contain the application specific data
+          that is being passed from the sender to the  reci-
+          pient.
+
+
+timestamp This field is part of the  KRB_SAFE  and  KRB_PRIV
+          messages.   Its  contents  are the current time as
+          known by the sender of the message.   By  checking
+          the  timestamp,  the  recipient  of the message is
+          able to make sure that it was recently  generated,
+          and is not a replay.
+
+
+usec      This field is part of the  KRB_SAFE  and  KRB_PRIV
+          headers.   It contains the microsecond part of the
+          timestamp.
+
+
+seq-number
+          This field is described above in section 5.3.2.
+
+
+s-address This field specifies the address  in  use  by  the
+          sender of the message.
+
+
+r-address This field specifies the address  in  use  by  the
+          recipient  of  the message.  It may be omitted for
+          some uses (such as broadcast protocols),  but  the
+          recipient  may  arbitrarily  reject such messages.
+          This field along with s-address  can  be  used  to
+          help  detect  messages which have been incorrectly
+          or maliciously delivered to the wrong recipient.
+
+5.7.  KRB_PRIV message specification
+
+     This section specifies the format of a message that can
+be  used by either side (client or server) of an application
+to securely and privately send a message to  its  peer.   It
+presumes  that  a  session key has previously been exchanged
+(for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1.  KRB_PRIV definition
+
+     The KRB_PRIV message contains user  data  encrypted  in
+the Session Key.  The message fields are:
+
+__________________________
+[31] An application code in the  encrypted  part  of  a
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's addr
+}
+
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_PRIV.
+
+
+enc-part  This field holds an encoding of the EncKrbPrivPart
+          sequence  encrypted  under  the  session  key[32].
+          This  encrypted  encoding is used for the enc-part
+          field of the KRB-PRIV message.  See section 6  for
+          the format of the ciphertext.
+
+
+user-data, timestamp, usec, s-address and r-address
+          These fields are described above in section 5.6.1.
+
+
+seq-number
+          This field is described above in section 5.3.2.
+
+5.8.  KRB_CRED message specification
+
+     This section specifies the format of a message that can
+be  used  to send Kerberos credentials from one principal to
+__________________________
+message  provides  an additional check that the message
+was decrypted properly.
+[32] If  supported  by the encryption method in use, an
+initialization vector may be passed to  the  encryption
+procedure,  in order to achieve proper cipher chaining.
+The initialization vector  might  come  from  the  last
+block of the ciphertext from the previous KRB_PRIV mes-
+sage, but it is the application's choice whether or not
+to use such an initialization vector.  If left out, the
+default initialization vector for the encryption  algo-
+rithm will be used.
+
+
+Section 5.8.               - 69 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+another.  It is presented here to encourage a common mechan-
+ism  to  be  used by applications when forwarding tickets or
+providing proxies to subordinate servers.  It presumes  that
+a  session  key  has already been exchanged perhaps by using
+the KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1.  KRB_CRED definition
+
+     The KRB_CRED message contains a sequence of tickets  to
+be sent and information needed to use the tickets, including
+the session key from each.  The information  needed  to  use
+the  tickets is encrypted under an encryption key previously
+exchanged or transferred  alongside  the  KRB_CRED  message.
+The message fields are:
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+
+
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_CRED.
+
+
+
+
+Section 5.8.1.             - 70 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+tickets
+          These  are  the  tickets  obtained  from  the  KDC
+          specifically  for  use  by the intended recipient.
+          Successive tickets are paired with the correspond-
+          ing  KrbCredInfo sequence from the enc-part of the
+          KRB-CRED message.
+
+
+enc-part  This field holds an encoding of the EncKrbCredPart
+          sequence  encrypted  under  the session key shared
+          between the sender  and  the  intended  recipient.
+          This  encrypted  encoding is used for the enc-part
+          field of the KRB-CRED message.  See section 6  for
+          the format of the ciphertext.
+
+
+nonce     If  practical,  an  application  may  require  the
+          inclusion of a nonce generated by the recipient of
+          the message.  If the same value is included as the
+          nonce  in  the  message, it provides evidence that
+          the message is fresh and has not been replayed  by
+          an  attacker.   A  nonce must never be re-used; it
+          should be generated randomly by the  recipient  of
+          the message and provided to the sender of the mes-
+          sage in an application specific manner.
+
+
+timestamp and usec
+
+          These fields specify the time  that  the  KRB-CRED
+          message  was  generated.  The time is used to pro-
+          vide assurance that the message is fresh.
+
+
+s-address and r-address
+          These fields are described above in section 5.6.1.
+          They  are  used  optionally  to provide additional
+          assurance of the integrity of  the  KRB-CRED  mes-
+          sage.
+
+
+key       This field  exists  in  the  corresponding  ticket
+          passed by the KRB-CRED message and is used to pass
+          the session key from the sender  to  the  intended
+          recipient.   The  field's encoding is described in
+          section 6.2.
+
+     The following fields are optional.   If  present,  they
+can  be associated with the credentials in the remote ticket
+file.  If left out, then it is assumed that the recipient of
+the credentials already knows their value.
+
+
+prealm and pname
+
+
+Section 5.8.1.             - 71 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          The name and  realm  of  the  delegated  principal
+          identity.
+
+
+flags, authtime,  starttime,  endtime,  renew-till,  srealm,
+          sname, and caddr
+          These fields contain the values of the correspond-
+          ing  fields  from  the  ticket found in the ticket
+          field.  Descriptions of the fields  are  identical
+          to the descriptions in the KDC-REP message.
+
+5.9.  Error message specification
+
+     This section specifies the  format  for  the  KRB_ERROR
+message.  The fields included in the message are intended to
+return as much information as possible about an  error.   It
+is  not  expected  that  all the information required by the
+fields will be available for all types of  errors.   If  the
+appropriate information is not available when the message is
+composed, the corresponding field will be left  out  of  the
+message.
+
+     Note that since the KRB_ERROR message is not  protected
+by  any  encryption, it is quite possible for an intruder to
+synthesize or modify such a message.   In  particular,  this
+means that the client should not use any fields in this mes-
+sage for security-critical purposes, such as setting a  sys-
+tem  clock or generating a fresh authenticator.  The message
+can be useful, however, for advising a user  on  the  reason
+for some failure.
+
+5.9.1.  KRB_ERROR definition
+
+     The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL
+}
+
+
+
+
+
+Section 5.9.1.             - 72 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+pvno and msg-type
+          These fields are described above in section 5.4.1.
+          msg-type is KRB_ERROR.
+
+
+ctime     This field is described above in section 5.4.1.
+
+
+
+cusec     This field is described above in section 5.5.2.
+
+
+stime     This  field  contains  the  current  time  on  the
+          server.  It is of type KerberosTime.
+
+
+susec     This field contains the microsecond  part  of  the
+          server's  timestamp.   Its  value ranges from 0 to
+          999999.  It appears  along  with  stime.  The  two
+          fields  are  used in conjunction to specify a rea-
+          sonably accurate timestamp.
+
+
+error-codeThis field contains the  error  code  returned  by
+          Kerberos  or  the server when a request fails.  To
+          interpret the value of this field see the list  of
+          error  codes  in  section  8.  Implementations are
+          encouraged to provide for national  language  sup-
+          port in the display of error messages.
+
+
+crealm, cname, srealm and sname
+          These fields are described above in section 5.3.1.
+
+
+e-text    This  field  contains  additional  text  to   help
+          explain  the error code associated with the failed
+          request (for example, it might include a principal
+          name which was unknown).
+
+
+e-data     This field contains  additional  data  about  the
+          error  for  use  by  the  application  to  help it
+          recover from or handle the error.  If  the  error-
+          code  is KDC_ERR_PREAUTH_REQUIRED, then the e-data
+          field will contain an encoding of  a  sequence  of
+          padata fields, each corresponding to an acceptable
+          pre-authentication method and optionally  contain-
+          ing data for the method:
+
+
+e-cksum   This field contains an optional checksum  for  the
+          KRB-ERROR  message.   The  checksum  is calculated
+          over the Kerberos ASN.1 encoding of the  KRB-ERROR
+
+
+Section 5.9.1.             - 73 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          message with the checksum absent.  The checksum is
+          then added to the KRB-ERROR structure and the mes-
+          sage is re-encoded.  The Checksum should be calcu-
+          lated using the session key from the ticket grant-
+          ing ticket or service ticket, where available.  If
+          the error is in response to a TGS or  AP  request,
+          the  checksum  should  be  calculated uing the the
+          session key from  the  client's  ticket.   If  the
+          error  is  in  response to an AS request, then the
+          checksum should be calulated  using  the  client's
+          secret  key ONLY if there has been suitable preau-
+          thentication to prove knowledge of the secret  key
+          by the client[33].  If a checksum can not be  com-
+          puted because the key to be used is not available,
+          no checksum will be included.
+
+               METHOD-DATA ::=   SEQUENCE of PA-DATA
+
+
+          If the error-code is KRB_AP_ERR_METHOD,  then  the
+          e-data  field will contain an encoding of the fol-
+          lowing sequence:
+
+       METHOD-DATA ::=   SEQUENCE {
+                         method-type[0]   INTEGER,
+                         method-data[1]   OCTET STRING OPTIONAL
+       }
+
+          method-type will indicate the  required  alternate
+          method;  method-data  will  contain  any  required
+          additional information.
+
+
+
+6.  Encryption and Checksum Specifications
+
+The  Kerberos  protocols  described  in  this  document  are
+designed  to  use  stream  encryption  ciphers, which can be
+simulated using commonly available block encryption ciphers,
+such  as  the  Data Encryption Standard, [12] in conjunction
+with block chaining and checksum methods  [13].   Encryption
+is used to prove the identities of the network entities par-
+ticipating  in  message  exchanges.   The  Key  Distribution
+Center   for   each  realm  is  trusted  by  all  principals
+registered in that realm to store a  secret  key  in  confi-
+dence.   Proof  of  knowledge  of this secret key is used to
+verify the authenticity of a principal.
+
+     The KDC uses the principal's  secret  key  (in  the  AS
+__________________________
+[33] This prevents an attacker  who  generates  an  in-
+correct  AS request from obtaining verifiable plaintext
+for use in an off-line password guessing attack.
+
+
+Section 6.                 - 74 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+exchange) or a shared session key (in the TGS  exchange)  to
+encrypt  responses to ticket requests; the ability to obtain
+the secret key or session key implies the knowledge  of  the
+appropriate  keys  and the identity of the KDC.  The ability
+of a principal to decrypt the KDC  response  and  present  a
+Ticket  and  a properly formed Authenticator (generated with
+the session key from the KDC response) to a service verifies
+the  identity  of the principal; likewise the ability of the
+service to extract the session key from the Ticket and prove
+its knowledge thereof in a response verifies the identity of
+the service.
+
+     The  Kerberos  protocols  generally  assume  that   the
+encryption  used  is  secure from cryptanalysis; however, in
+some cases, the order of fields in the encrypted portions of
+messages  are  arranged  to  minimize  the effects of poorly
+chosen keys.  It is still important to choose good keys.  If
+keys  are derived from user-typed passwords, those passwords
+need to be well chosen to make brute force attacks more dif-
+ficult.   Poorly  chosen  keys  still  make easy targets for
+intruders.
+
+     The  following  sections  specify  the  encryption  and
+checksum  mechanisms  currently  defined  for Kerberos.  The
+encodings, chaining, and padding requirements for  each  are
+described.  For encryption methods, it is often desirable to
+place random information (often referred to as a confounder)
+at  the  start  of the message.  The requirements for a con-
+founder are specified with each encryption mechanism.
+
+     Some encryption systems use a block-chaining method  to
+improve  the the security characteristics of the ciphertext.
+However, these  chaining  methods  often  don't  provide  an
+integrity  check upon decryption.  Such systems (such as DES
+in CBC mode) must be augmented with a checksum of the plain-
+text  which can be verified at decryption and used to detect
+any tampering or damage.  Such checksums should be  good  at
+detecting  burst  errors  in  the  input.   If any damage is
+detected, the decryption routine is expected  to  return  an
+error  indicating  the  failure of an integrity check.  Each
+encryption  type  is  expected  to  provide  and  verify  an
+appropriate  checksum.  The specification of each encryption
+method sets out its checksum requirements.
+
+     Finally, where a key is to be  derived  from  a  user's
+password,  an algorithm for converting the password to a key
+of the appropriate type is included.  It  is  desirable  for
+the  string  to key function to be one-way, and for the map-
+ping to be different in different realms.  This is important
+because users who are registered in more than one realm will
+often use the same password in each,  and  it  is  desirable
+that  an  attacker  compromising  the Kerberos server in one
+realm not obtain or derive the user's key in another.
+
+
+
+Section 6.                 - 75 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+     For an discussion of the integrity  characteristics  of
+the candidate encryption and checksum methods considered for
+Kerberos, the the reader is referred to [14].
+
+6.1.  Encryption Specifications
+
+     The following ASN.1 definition describes all  encrypted
+messages.   The  enc-part  field  which appears in the unen-
+crypted part of messages in section 5 is a sequence consist-
+ing  of  an encryption type, an optional key version number,
+and the ciphertext.
+
+
+EncryptedData ::=   SEQUENCE {
+                    etype[0]     INTEGER, -- EncryptionType
+                    kvno[1]      INTEGER OPTIONAL,
+                    cipher[2]    OCTET STRING -- ciphertext
+}
+
+
+etype     This field identifies which  encryption  algorithm
+          was used to encipher the cipher.  Detailed specif-
+          ications  for  selected  encryption  types  appear
+          later in this section.
+
+
+kvno      This field contains the version number of the  key
+          under which data is encrypted.  It is only present
+          in messages encrypted  under  long  lasting  keys,
+          such as principals' secret keys.
+
+
+cipher    This field contains the enciphered  text,  encoded
+          as an OCTET STRING.
+
+
+     The cipher field is generated by applying the specified
+encryption  algorithm  to  data  composed of the message and
+algorithm-specific inputs.   Encryption  mechanisms  defined
+for  use  with  Kerberos  must  take  sufficient measures to
+guarantee the integrity of the plaintext, and  we  recommend
+they  also take measures to protect against precomputed dic-
+tionary attacks.  If the encryption algorithm is not  itself
+capable  of  doing so, the protections can often be enhanced
+by adding a checksum and a confounder.
+
+     The suggested format  for  the  data  to  be  encrypted
+includes  a  confounder,  a checksum, the encoded plaintext,
+and any necessary padding.  The msg-seq field  contains  the
+part of the protocol message described in section 5 which is
+to be encrypted.  The confounder, checksum, and padding  are
+all untagged and untyped, and their length is exactly suffi-
+cient to hold the appropriate item.  The type and length  is
+implicit  and  specified  by  the particular encryption type
+
+
+Section 6.1.               - 76 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+being used (etype).  The format for the data to be encrypted
+is described in the following diagram:
+
+      +-----------+----------+-------------+-----+
+      |confounder |   check  |   msg-seq   | pad |
+      +-----------+----------+-------------+-----+
+
+The format cannot be described in ASN.1, but for  those  who
+prefer an ASN.1-like notation:
+
+CipherText ::=   ENCRYPTED       SEQUENCE {
+            confounder[0]   UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
+            check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+            msg-seq[2]      MsgSequence,
+            pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+}
+
+
+     One generates a random confounder  of  the  appropriate
+length,  placing  it in confounder; zeroes out check; calcu-
+lates the appropriate checksum over confounder,  check,  and
+msg-seq,  placing  the  result  in check; adds the necessary
+padding; then encrypts using the specified  encryption  type
+and the appropriate key.
+
+     Unless otherwise specified, a definition of an  encryp-
+tion  algorithm  that specifies a checksum, a length for the
+confounder field, or an octet boundary for padding uses this
+ciphertext format[36].  Those fields which are not specified
+will be omitted.
+
+     In the interest of allowing all implementations using a
+__________________________
+[35] In  the  above   specification,   UNTAGGED   OCTET
+STRING(length) is the notation for an octet string with
+its tag and length removed.  It is not  a  valid  ASN.1
+type.  The tag bits and length must be removed from the
+confounder since the purpose of the  confounder  is  so
+that  the  message starts with random data, but the tag
+and its length are fixed.  For other fields, the length
+and  tag  would  be redundant if they were included be-
+cause they are specified by the encryption type.
+[36] The  ordering  of  the fields in the CipherText is
+important.  Additionally, messages encoded in this for-
+mat must include a length as part of the msg-seq field.
+This allows the recipient to verify  that  the  message
+has  not been truncated.  Without a length, an attacker
+could use a chosen plaintext attack to generate a  mes-
+sage which could be truncated, while leaving the check-
+sum intact.  Note that if the msg-seq is an encoding of
+an  ASN.1  SEQUENCE or OCTET STRING, then the length is
+part of that encoding.
+
+
+
+Section 6.1.               - 77 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+particular encryption type to communicate  with  all  others
+using  that  type,  the  specification of an encryption type
+defines any checksum that is needed as part of  the  encryp-
+tion  process.   If an alternative checksum is to be used, a
+new encryption type must be defined.
+
+     Some  cryptosystems  require   additional   information
+beyond  the  key and the data to be encrypted.  For example,
+DES, when used in cipher-block-chaining  mode,  requires  an
+initialization  vector.   If  required,  the description for
+each encryption type must specify the source of  such  addi-
+tional information.
+
+6.2.  Encryption Keys
+
+     The sequence below shows the encoding of an  encryption
+key:
+
+       EncryptionKey ::=   SEQUENCE {
+                           keytype[0]    INTEGER,
+                           keyvalue[1]   OCTET STRING
+       }
+
+
+keytype   This field specifies the type  of  encryption  key
+          that  follows  in  the  keyvalue  field.   It will
+          almost always correspond to the  encryption  algo-
+          rithm  used  to generate the EncryptedData, though
+          more than one algorithm may use the same  type  of
+          key (the mapping is many to one).  This might hap-
+          pen, for example, if the encryption algorithm uses
+          an  alternate  checksum algorithm for an integrity
+          check, or a different chaining mechanism.
+
+
+keyvalue  This field contains the key itself, encoded as  an
+          octet string.
+
+     All negative values for the  encryption  key  type  are
+reserved   for  local  use.   All  non-negative  values  are
+reserved for officially assigned type fields and interpreta-
+tions.
+
+6.3.  Encryption Systems
+
+6.3.1.  The NULL Encryption System (null)
+
+     If no encryption is in use, the  encryption  system  is
+said  to be the NULL encryption system.  In the NULL encryp-
+tion system there is no  checksum,  confounder  or  padding.
+The  ciphertext  is  simply  the plaintext.  The NULL Key is
+used by the null encryption system and  is  zero  octets  in
+length, with keytype zero (0).
+
+
+
+Section 6.3.1.             - 78 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+6.3.2.  DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+     The des-cbc-crc encryption  mode  encrypts  information
+under  the  Data  Encryption Standard  [12] using the cipher
+block chaining mode [13].  A CRC-32 checksum  (described  in
+ISO  3309  [15])  is  applied  to the confounder and message
+sequence (msg-seq) and  placed  in  the  cksum  field.   DES
+blocks  are  8 bytes.  As a result, the data to be encrypted
+(the concatenation of  confounder,  checksum,  and  message)
+must be padded to an 8 byte boundary before encryption.  The
+details of the encryption of  this  data  are  identical  to
+those for the des-cbc-md5 encryption mode.
+
+     Note that, since the CRC-32 checksum is not  collision-
+proof,   an  attacker  could  use  a  probabilistic  chosen-
+plaintext attack to generate a valid message even if a  con-
+founder is used  [14].  The use of collision-proof checksums
+is recommended for environments where such attacks represent
+a significant threat.  The use of the CRC-32 as the checksum
+for ticket or authenticator is  no  longer  mandated  as  an
+interoperability requirement for Kerberos Version 5 Specifi-
+cation 1 (See section 9.1 for specific details).
+
+
+6.3.3.  DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+     The des-cbc-md4 encryption  mode  encrypts  information
+under  the  Data  Encryption Standard  [12] using the cipher
+block chaining mode [13].  An  MD4  checksum  (described  in
+[16])  is  applied  to  the  confounder and message sequence
+(msg-seq) and placed in the cksum field.  DES blocks  are  8
+bytes.   As a result, the data to be encrypted (the concate-
+nation of confounder, checksum, and message) must be  padded
+to an 8 byte boundary before encryption.  The details of the
+encryption of this data are identical to those for the  des-
+cbc-md5 encryption mode.
+
+
+6.3.4.  DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+     The des-cbc-md5 encryption  mode  encrypts  information
+under  the  Data  Encryption Standard  [12] using the cipher
+block chaining mode [13].  An MD5  checksum   (described  in
+[17].)  is  applied  to  the confounder and message sequence
+(msg-seq) and placed in the cksum field.  DES blocks  are  8
+bytes.   As a result, the data to be encrypted (the concate-
+nation of confounder, checksum, and message) must be  padded
+to an 8 byte boundary before encryption.
+
+     Plaintext and DES ciphtertext are  encoded  as  8-octet
+blocks  which are concatenated to make the 64-bit inputs for
+the DES algorithms.  The first octet  supplies  the  8  most
+significant  bits  (with  the  octet's MSbit used as the DES
+input block's MSbit, etc.), the  second  octet  the  next  8
+
+
+Section 6.3.4.             - 79 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+bits,  ..., and the eighth octet supplies the 8 least signi-
+ficant bits.
+
+     Encryption  under  DES  using  cipher  block   chaining
+requires  an  additional input in the form of an initializa-
+tion vector.  Unless otherwise  specified,  zero  should  be
+used  as  the  initialization  vector.  Kerberos' use of DES
+requires an 8-octet confounder.
+
+     The DES specifications identify some "weak" and  "semi-
+weak" keys; those keys shall not be used for encrypting mes-
+sages for use in Kerberos.  Additionally, because of the way
+that  keys are derived for the encryption of checksums, keys
+shall not be used that yield "weak" or "semi-weak" keys when
+eXclusive-ORed with the constant F0F0F0F0F0F0F0F0.
+
+     A DES key is 8 octets of data, with  keytype  one  (1).
+This  consists of 56 bits of key, and 8 parity bits (one per
+octet).  The key is encoded as a series of 8 octets  written
+in  MSB-first  order.   The  bits  within  the  key are also
+encoded in MSB order.  For example, if the encryption key is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
+where B1,B2,...,B56 are the  key  bits  in  MSB  order,  and
+P1,P2,...,P8 are the parity bits, the first octet of the key
+would be B1,B2,...,B7,P1 (with B1 as the MSbit).   [See  the
+FIPS 81 introduction for reference.]
+
+     To generate a DES key from a  text  string  (password),
+the  text  string normally must have the realm and each com-
+ponent of the principal's  name  appended[37],  then  padded
+with ASCII nulls to an 8 byte boundary.  This string is then
+fan-folded and eXclusive-ORed with itself to form an 8  byte
+DES key.  The parity is corrected on the key, and it is used
+to generate a DES CBC checksum on the initial  string  (with
+the  realm and name appended).  Next, parity is corrected on
+the CBC checksum.  If the result matches a "weak" or  "semi-
+weak"  key  as  described  in  the  DES specification, it is
+eXclusive-ORed with the constant 00000000000000F0.  Finally,
+the result is returned as the key.  Pseudocode follows:
+
+     string_to_key(string,realm,name) {
+          odd = 1;
+          s = string + realm;
+          for(each component in name) {
+               s = s + component;
+          }
+          tempkey = NULL;
+          pad(s); /* with nulls to 8 byte boundary */
+          for(8byteblock in s) {
+__________________________
+[37] In some cases, it may be necessary to use  a  dif-
+ferent  "mix-in"  string for compatibility reasons; see
+the discussion of padata in section 5.4.2.
+
+
+Section 6.3.4.             - 80 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+               if(odd == 0)  {
+                   odd = 1;
+                   reverse(8byteblock)
+               }
+               else odd = 0;
+               tempkey = tempkey XOR 8byteblock;
+          }
+          fixparity(tempkey);
+          key = DES-CBC-check(s,tempkey);
+          fixparity(key);
+          if(is_weak_key_key(key))
+               key = key XOR 0xF0;
+          return(key);
+     }
+
+6.3.5.  Triple DES EDE in outer CBC mode with an SHA1 check-
+sum (des3-cbc-sha1)
+
+     The des3-cbc-sha1 encryption encodes information  using
+three  Data  Encryption  Standard transformations with three
+DES keys.  The first key  is  used  to  perform  a  DES  ECB
+encryption  on an eight-octet data block using the first DES
+key, followed by a DES ECB decryption of  the  result  using
+the  second  DES key, and a DES ECB encryption of the result
+using the third DES key.  Because DES blocks  are  8  bytes,
+the  data  to be encrypted (the concatenation of confounder,
+checksum, and message) must first be padded  to  an  8  byte
+boundary  before encryption.  To support the outer CBC mode,
+the input is padded an eight-octet boundary.   The  first  8
+octets  of  the  data  to  be  encrypted (the confounder) is
+exclusive-ored with an initialization  vector  of  zero  and
+then  ECB  encrypted  using  triple  DES as described above.
+Subsequent blocks of 8 octets are  exclusive-ored  with  the
+ciphertext  produced by the encryption on the previous block
+before ECB encryption.
+
+     An HMAC-SHA1 checksum  (described in  [18].) is applied
+to  the confounder and message sequence (msg-seq) and placed
+in the cksum field.
+
+     Plaintext  are encoded as 8-octet blocks which are con-
+catenated  to make the 64-bit inputs for the DES algorithms.
+The first octet supplies the 8 most significant  bits  (with
+the  octet's  MSbit  used  as  the  DES input block's MSbit,
+etc.), the second octet the next 8 bits, ..., and the eighth
+octet supplies the 8 least significant bits.
+
+     Encryption under Triple DES using cipher block chaining
+requires  an  additional input in the form of an initializa-
+tion vector.  Unless otherwise  specified,  zero  should  be
+used  as  the  initialization  vector.  Kerberos' use of DES
+requires an 8-octet confounder.
+
+     The DES specifications identify some "weak" and  "semi-
+
+
+Section 6.3.5.             - 81 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+weak" keys; those keys shall not be used for encrypting mes-
+sages for use in Kerberos.  Additionally, because of the way
+that  keys are derived for the encryption of checksums, keys
+shall not be used that yield "weak" or "semi-weak" keys when
+eXclusive-ORed with the constant F0F0F0F0F0F0F0F0.
+
+     A Triple DES key is 24 octets  of  data,  with  keytype
+seven  (7).  This consists of 168 bits of key, and 24 parity
+bits (one per octet).  The key is encoded as a series of  24
+octets  written  in MSB-first order, with the first 8 octets
+treated as the first DES key, the second  8  octets  as  the
+second  key,  and the third 8 octets the third DES key.  The
+bits within each key are also encoded  in  MSB  order.   For
+example,       if       the      encryption      key      is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
+where  B1,B2,...,B56  are  the  key  bits  in MSB order, and
+P1,P2,...,P8 are the parity bits, the first octet of the key
+would  be  B1,B2,...,B7,P1 (with B1 as the MSbit).  [See the
+FIPS 81 introduction for reference.]
+
+     To generate a DES key from a  text  string  (password),
+the  text  string normally must have the realm and each com-
+ponent of the principal's name appended[38],
+
+     The input string (with any salt data appended to it) is
+n-folded  into  a  24  octet  (192 bit) string.  To n-fold a
+number X, replicate the input value to a length that is  the
+least common multiple of n and the length of X.  Before each
+repetition, the input X is rotated to the right  by  13  bit
+positions.   The  successive n-bit chunks are added together
+using  1's-complement  addition  (addition  with  end-around
+carry)  to  yield  a  n-bit result. (This transformation was
+proposed by Richard Basch)
+
+     Each successive set of 8 octets is taken as a DES  key,
+and  its parity is adjusted in the same manner as previously
+described.  If any of the three sets of  8  octets  match  a
+"weak" or "semi-weak" key as described in the DES specifica-
+tion,  that  chunk  is  eXclusive-ORed  with  the   constant
+00000000000000F0.   The  resulting DES keys are then used in
+sequence to perform a Triple-DES CBC encryption  of  the  n-
+folded  input  string (appended with any salt data), using a
+zero initial vector.  Parity, weak, and semi-weak  keys  are
+once  again  corrected  and the result is returned as the 24
+octet key.
+
+     Pseudocode follows:
+
+     string_to_key(string,realm,name) {
+__________________________
+[38] In some cases, it may be necessary to use  a  dif-
+ferent  "mix-in"  string for compatibility reasons; see
+the discussion of padata in section 5.4.2.
+
+
+Section 6.3.5.             - 82 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+          s = string + realm;
+          for(each component in name) {
+               s = s + component;
+          }
+          tkey[24] = fold(s);
+          fixparity(tkey);
+          if(isweak(tkey[0-7])) tkey[0-7] = tkey[0-7] XOR 0xF0;
+          if(isweak(tkey[8-15])) tkey[8-15] = tkey[8-15] XOR 0xF0;
+          if(is_weak(tkey[16-23])) tkey[16-23] = tkey[16-23] XOR 0xF0;
+          key[24] = 3DES-CBC(data=fold(s),key=tkey,iv=0);
+          fixparity(key);
+          if(is_weak(key[0-7])) key[0-7] = key[0-7] XOR 0xF0;
+          if(is_weak(key[8-15])) key[8-15] = key[8-15] XOR 0xF0;
+          if(is_weak(key[16-23])) key[16-23] = key[16-23] XOR 0xF0;
+          return(key);
+     }
+
+6.4.  Checksums
+
+     The following is the ASN.1 definition used for a check-
+sum:
+
+         Checksum ::=   SEQUENCE {
+                        cksumtype[0]   INTEGER,
+                        checksum[1]    OCTET STRING
+         }
+
+
+cksumtype This field indicates the algorithm  used  to  gen-
+          erate the accompanying checksum.
+
+checksum  This field contains the checksum  itself,  encoded
+          as an octet string.
+
+     Detailed  specification  of  selected  checksum   types
+appear  later  in  this  section.   Negative  values for the
+checksum type are reserved for local use.  All  non-negative
+values  are reserved for officially assigned type fields and
+interpretations.
+
+     Checksums used by Kerberos can  be  classified  by  two
+properties:   whether  they are collision-proof, and whether
+they are keyed.  It is infeasible  to  find  two  plaintexts
+which generate the same checksum value for a collision-proof
+checksum.  A key is required to perturb  or  initialize  the
+algorithm  in  a  keyed checksum.  To prevent message-stream
+modification by an active attacker, unkeyed checksums should
+only  be  used  when the checksum and message will be subse-
+quently encrypted (e.g. the checksums defined as part of the
+encryption algorithms covered earlier in this section).
+
+     Collision-proof checksums can be made  tamper-proof  if
+the  checksum  value is encrypted before inclusion in a mes-
+sage.  In such cases, the composition of  the  checksum  and
+
+
+Section 6.4.               - 83 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+the  encryption  algorithm  must  be  considered  a separate
+checksum algorithm (e.g. RSA-MD5 encrypted using  DES  is  a
+new checksum algorithm of type RSA-MD5-DES).  For most keyed
+checksums, as well as for the  encrypted  forms  of  unkeyed
+collision-proof  checksums,  Kerberos  prepends a confounder
+before the checksum is calculated.
+
+6.4.1.  The CRC-32 Checksum (crc32)
+
+     The CRC-32 checksum calculates a checksum  based  on  a
+cyclic  redundancy check as described in ISO 3309 [15].  The
+resulting checksum is four (4) octets in length.  The CRC-32
+is  neither  keyed  nor  collision-proof.   The  use of this
+checksum is not recommended.  An  attacker  using  a  proba-
+bilistic  chosen-plaintext attack as described in [14] might
+be able to generate an alternative  message  that  satisfies
+the  checksum.   The  use  of  collision-proof  checksums is
+recommended for environments where such attacks represent  a
+significant threat.
+
+6.4.2.  The RSA MD4 Checksum (rsa-md4)
+
+     The RSA-MD4 checksum calculates a  checksum  using  the
+RSA  MD4  algorithm  [16].   The algorithm takes as input an
+input message of arbitrary length and produces as  output  a
+128-bit  (16  octet)  checksum.   RSA-MD4  is believed to be
+collision-proof.
+
+6.4.3.  RSA MD4 Cryptographic Checksum Using  DES  (rsa-md4-
+des)
+
+     The RSA-MD4-DES checksum calculates a keyed  collision-
+proof  checksum  by  prepending an 8 octet confounder before
+the text, applying  the  RSA  MD4  checksum  algorithm,  and
+encrypting  the  confounder  and  the  checksum using DES in
+cipher-block-chaining (CBC) mode using a variant of the key,
+where  the  variant  is  computed by eXclusive-ORing the key
+with the constant F0F0F0F0F0F0F0F0[39].  The  initialization
+vector  should be zero.  The resulting checksum is 24 octets
+long (8 octets of which are redundant).   This  checksum  is
+tamper-proof and believed to be collision-proof.
+
+     The DES specifications identify some  "weak  keys"  and
+__________________________
+[39] A variant of the key is used to limit the use of a
+key  to a particular function, separating the functions
+of generating a checksum  from  other  encryption  per-
+formed   using   the   session   key.    The   constant
+F0F0F0F0F0F0F0F0 was chosen because  it  maintains  key
+parity.  The properties of DES precluded the use of the
+complement.  The same constant is used for similar pur-
+pose  in  the  Message  Integrity  Check in the Privacy
+Enhanced Mail standard.
+
+
+Section 6.4.3.             - 84 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+"semi-weak keys"; those keys shall not be used for  generat-
+ing RSA-MD4 checksums for use in Kerberos.
+
+     The format for the checksum is described in the follow-
+ing diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for  those  who
+prefer an ASN.1-like notation:
+
+rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+
+
+6.4.4.  The RSA MD5 Checksum (rsa-md5)
+
+     The RSA-MD5 checksum calculates a  checksum  using  the
+RSA  MD5  algorithm.  [17].  The algorithm takes as input an
+input message of arbitrary length and produces as  output  a
+128-bit  (16  octet)  checksum.   RSA-MD5  is believed to be
+collision-proof.
+
+6.4.5.  RSA MD5 Cryptographic Checksum Using  DES  (rsa-md5-
+des)
+
+     The RSA-MD5-DES checksum calculates a keyed  collision-
+proof  checksum  by  prepending an 8 octet confounder before
+the text, applying  the  RSA  MD5  checksum  algorithm,  and
+encrypting  the  confounder  and  the  checksum using DES in
+cipher-block-chaining (CBC) mode using a variant of the key,
+where  the  variant  is  computed by eXclusive-ORing the key
+with the constant F0F0F0F0F0F0F0F0.  The initialization vec-
+tor  should  be  zero.   The resulting checksum is 24 octets
+long (8 octets of which are redundant).   This  checksum  is
+tamper-proof and believed to be collision-proof.
+
+     The DES specifications identify some  "weak  keys"  and
+"semi-weak  keys"; those keys shall not be used for encrypt-
+ing RSA-MD5 checksums for use in Kerberos.
+
+     The format for the checksum is described in the follow-
+ing diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for  those  who
+
+
+Section 6.4.5.             - 85 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+prefer an ASN.1-like notation:
+
+rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+
+6.4.6.  DES cipher-block chained checksum (des-mac)
+
+     The DES-MAC checksum is computed  by  prepending  an  8
+octet confounder to the plaintext, performing a DES CBC-mode
+encryption on the result using the key and an initialization
+vector  of  zero,  taking  the last block of the ciphertext,
+prepending the same confounder and encrypting the pair using
+DES in cipher-block-chaining (CBC) mode using a a variant of
+the key, where the variant is  computed  by  eXclusive-ORing
+the key with the constant F0F0F0F0F0F0F0F0.  The initializa-
+tion vector should be zero.  The resulting checksum  is  128
+bits (16 octets) long, 64 bits of which are redundant.  This
+checksum is tamper-proof and collision-proof.
+
+     The format for the checksum is described in the follow-
+ing diagram:
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+|   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+The format cannot be described in ASN.1, but for  those  who
+prefer an ASN.1-like notation:
+
+des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                       confounder[0]   UNTAGGED OCTET STRING(8),
+                       check[1]        UNTAGGED OCTET STRING(8)
+}
+
+
+     The DES specifications identify some "weak" and  "semi-
+weak"  keys;  those  keys  shall  not be used for generating
+DES-MAC checksums for use in Kerberos, nor shall  a  key  be
+used whose variant is "weak" or "semi-weak".
+
+6.4.7.  RSA MD4 Cryptographic Checksum Using DES alternative
+(rsa-md4-des-k)
+
+     The   RSA-MD4-DES-K   checksum   calculates   a   keyed
+collision-proof  checksum  by  applying the RSA MD4 checksum
+algorithm and encrypting the results using  DES  in  cipher-
+block-chaining  (CBC)  mode  using a DES key as both key and
+initialization vector.  The resulting checksum is 16  octets
+long.   This  checksum  is  tamper-proof  and believed to be
+collision-proof.  Note that this checksum type  is  the  old
+method  for  encoding  the RSA-MD4-DES checksum and it is no
+
+
+Section 6.4.7.             - 86 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+longer recommended.
+
+6.4.8.  DES cipher-block chained checksum alternative  (des-
+mac-k)
+
+     The DES-MAC-K checksum is computed by performing a  DES
+CBC-mode  encryption  of  the  plaintext, and using the last
+block of the ciphertext as the checksum value.  It is  keyed
+with  an  encryption  key  and an initialization vector; any
+uses which do not specify an additional initialization  vec-
+tor  will use the key as both key and initialization vector.
+The resulting checksum is 64 bits  (8  octets)  long.   This
+checksum  is  tamper-proof  and  collision-proof.  Note that
+this checksum type is the old method for encoding  the  DES-
+MAC checksum and it is no longer recommended.
+
+     The DES specifications identify some  "weak  keys"  and
+"semi-weak  keys"; those keys shall not be used for generat-
+ing DES-MAC checksums for use in Kerberos.
+
+7.  Naming Constraints
+
+
+7.1.  Realm Names
+
+     Although realm names are encoded as GeneralStrings  and
+although a realm can technically select any name it chooses,
+interoperability across realm boundaries requires  agreement
+on  how realm names are to be assigned, and what information
+they imply.
+
+     To enforce these conventions, each realm  must  conform
+to  the  conventions  itself,  and  it must require that any
+realms with which inter-realm keys are shared  also  conform
+to the conventions and require the same from its neighbors.
+
+     Kerberos realm names are case sensitive.   Realm  names
+that  differ  only  in  the  case  of the characters are not
+equivalent.  There are presently four styles of realm names:
+domain,  X500,  other, and reserved.  Examples of each style
+follow:
+
+     domain:   ATHENA.MIT.EDU (example)
+       X500:   C=US/O=OSF (example)
+      other:   NAMETYPE:rest/of.name=without-restrictions (example)
+   reserved:   reserved, but will not conflict with above
+
+
+Domain names must look like domain names:  they  consist  of
+components separated by periods (.) and they contain neither
+colons (:) nor slashes (/).  Domain names must be  converted
+to upper case when used as realm names.
+
+     X.500 names contain an equal (=) and cannot  contain  a
+
+
+Section 7.1.               - 87 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+colon (:) before the equal.  The realm names for X.500 names
+will be string representations of the names with  components
+separated by slashes.  Leading and trailing slashes will not
+be included.
+
+     Names that fall into the other category must begin with
+a  prefix  that  contains no equal (=) or period (.) and the
+prefix must be followed by a colon (:) and the rest  of  the
+name.   All  prefixes  must  be  assigned before they may be
+used.  Presently none are assigned.
+
+     The reserved category includes  strings  which  do  not
+fall  into  the  first  three categories.  All names in this
+category are reserved.  It is unlikely that  names  will  be
+assigned  to  this  category  unless  there is a very strong
+argument for not using the "other" category.
+
+     These rules guarantee that there will be  no  conflicts
+between  the  various name styles.  The following additional
+constraints apply to the assignment of realm  names  in  the
+domain  and  X.500  categories:  the name of a realm for the
+domain or X.500 formats must either be used by the organiza-
+tion  owning  (to  whom  it was assigned) an Internet domain
+name or X.500 name, or in the case that no  such  names  are
+registered,  authority  to  use  a realm name may be derived
+from the authority of the  parent  realm.  For  example,  if
+there  is  no domain name for E40.MIT.EDU, then the adminis-
+trator of the MIT.EDU realm can authorize the creation of  a
+realm with that name.
+
+     This is acceptable because the  organization  to  which
+the  parent  is  assigned  is  presumably  the  organization
+authorized to assign names to its children in the X.500  and
+domain  name systems as well.  If the parent assigns a realm
+name without also registering it in the domain name or X.500
+hierarchy,  it  is  the parent's responsibility to make sure
+that there will not in the future exists a name identical to
+the  realm  name  of  the child unless it is assigned to the
+same entity as the realm name.
+
+
+7.2.  Principal Names
+
+     As was the case for realm names, conventions are needed
+to ensure that all agree on what information is implied by a
+principal name.  The name-type field that  is  part  of  the
+principal  name indicates the kind of information implied by
+the name.  The  name-type  should  be  treated  as  a  hint.
+Ignoring  the  name type, no two names can be the same (i.e.
+at least one of the components, or the realm, must  be  dif-
+ferent).   This  constraint may be eliminated in the future.
+The following name types are defined:
+
+                    name-type      value   meaning
+
+
+Section 7.2.               - 88 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+   NT-UNKNOWN     0   Name type not known
+   NT-PRINCIPAL   1   General principal name (e.g. username, or DCE principal)
+   NT-SRV-INST    2   Service and other unique instance (krbtgt)
+   NT-SRV-HST     3   Service with host name as instance (telnet, rcommands)
+   NT-SRV-XHST    4   Service with slash-separated host name components
+   NT-UID         5   Unique ID
+
+
+When a name implies no information other than its uniqueness
+at a particular time the name type PRINCIPAL should be used.
+The principal name type should be used  for  users,  and  it
+might  also  be  used for a unique server.  If the name is a
+unique machine generated ID that is guaranteed never  to  be
+reassigned  then  the  name type of UID should be used (note
+that it is generally a bad idea to  reassign  names  of  any
+type  since  stale  entries  might  remain in access control
+lists).
+
+     If the first component of a name identifies  a  service
+and  the  remaining  components  identify an instance of the
+service in a server specified manner, then the name type  of
+SRV-INST  should  be  used.  An example of this name type is
+the Kerberos ticket-granting service whose name has a  first
+component  of  krbtgt and a second component identifying the
+realm for which the ticket is valid.
+
+     If instance is a single component following the service
+name  and  the  instance  identifies  the  host on which the
+server is running, then the  name  type  SRV-HST  should  be
+used.   This  type  is  typically used for Internet services
+such as telnet and the Berkeley R commands.  If the separate
+components  of the host name appear as successive components
+following the name of the service, then the name  type  SRV-
+XHST  should  be  used.  This type might be used to identify
+servers on hosts with X.500 names where the slash (/)  might
+otherwise be ambiguous.
+
+     A name type of UNKNOWN should be used when the form  of
+the name is not known.  When comparing names, a name of type
+UNKNOWN will match principals authenticated  with  names  of
+any  type.   A  principal  authenticated with a name of type
+UNKNOWN, however, will only match other names of  type  UNK-
+NOWN.
+
+     Names of any type with an initial component of "krbtgt"
+are  reserved for the Kerberos ticket granting service.  See
+section 8.2.3 for the form of such names.
+
+7.2.1.  Name of server principals
+
+     The principal identifier for a server on  a  host  will
+generally be composed of two parts: (1) the realm of the KDC
+with which the server is registered, and (2) a two-component
+
+
+Section 7.2.1.             - 89 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+name  of  type  NT-SRV-HST  if  the host name is an Internet
+domain name or a multi-component name of type NT-SRV-XHST if
+the  name of the host is of a form such as X.500 that allows
+slash (/) separators.  The first component of  the  two-  or
+multi-component  name  will  identify  the  service  and the
+latter components will identify the host.  Where the name of
+the  host  is not case sensitive (for example, with Internet
+domain names) the name of the host must be lower  case.   If
+specified  by  the application protocol for services such as
+telnet and the Berkeley R commands  which  run  with  system
+privileges,  the  first  component  may be the string "host"
+instead of a service specific identifier.  When a  host  has
+an  official name and one or more aliases, the official name
+of the host must be used when constructing the name  of  the
+server principal.
+
+8.  Constants and other defined values
+
+
+8.1.  Host address types
+
+     All negative values  for  the  host  address  type  are
+reserved   for  local  use.   All  non-negative  values  are
+reserved for officially assigned type fields and interpreta-
+tions.
+
+     The values of the types for the following addresses are
+chosen  to match the defined address family constants in the
+Berkeley Standard Distributions of Unix.  They can be  found
+in  <sys/socket.h>  with symbolic names AF_xxx (where xxx is
+an abbreviation of the address family name).
+
+
+Internet addresses
+
+     Internet addresses  are  32-bit  (4-octet)  quantities,
+encoded in MSB order.  The type of internet addresses is two
+(2).
+
+CHAOSnet addresses
+
+     CHAOSnet addresses  are  16-bit  (2-octet)  quantities,
+encoded  in  MSB  order.   The type of CHAOSnet addresses is
+five (5).
+
+ISO addresses
+
+     ISO addresses are variable-length.   The  type  of  ISO
+addresses is seven (7).
+
+Xerox Network Services (XNS) addresses
+
+     XNS addresses are 48-bit (6-octet) quantities,  encoded
+in MSB order.  The type of XNS addresses is six (6).
+
+
+Section 8.1.               - 90 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+     AppleTalk DDP addresses consist of an 8-bit node number
+and a 16-bit network number.  The first octet of the address
+is the node number; the remaining two octets encode the net-
+work  number  in  MSB  order.   The  type  of  AppleTalk DDP
+addresses is sixteen (16).
+
+DECnet Phase IV addresses
+
+     DECnet Phase IV addresses are 16-bit addresses, encoded
+in  LSB  order.   The  type  of DECnet Phase IV addresses is
+twelve (12).
+
+8.2.  KDC messages
+
+8.2.1.  IP transport
+
+     When  contacting  a  Kerberos  server   (KDC)   for   a
+KRB_KDC_REQ request using UDP IP transport, the client shall
+send a UDP datagram  containing  only  an  encoding  of  the
+request  to  port  88 (decimal) at the KDC's IP address; the
+KDC will respond with a reply datagram  containing  only  an
+encoding  of  the  reply  message  (either  a KRB_ERROR or a
+KRB_KDC_REP) to the sending port at the sender's IP address.
+
+     Kerberos servers supporting IP  transport  must  accept
+UDP  requests on port 88 (decimal).  Servers may also accept
+TCP requests on port 88  (decimal).   When  the  KRB_KDC_REQ
+message  is sent to the KDC by TCP, a new connection will be
+established  for  each  authentication  exchange   and   the
+KRB_KDC_REP  or  KRB_ERROR  message  will be returned to the
+client on the  TCP  stream  that  was  established  for  the
+request.   The connection will be broken after the reply has
+been received (or upon time-out).  Care  must  be  taken  in
+managing  TCP/IP  connections with the KDC to prevent denial
+of service attacks based on the number of TCP/IP connections
+with the KDC that remain open.
+
+8.2.2.  OSI transport
+
+     During authentication  of  an  OSI  client  to  an  OSI
+server, the mutual authentication of an OSI server to an OSI
+client, the transfer of credentials from an OSI client to an
+OSI  server,  or  during  exchange  of  private or integrity
+checked messages, Kerberos protocol messages may be  treated
+as opaque objects and the type of the authentication mechan-
+ism will be:
+
+OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5),
+                       kerberosv5(2)} 
+
+Depending on the situation, the opaque  object  will  be  an
+authentication  header (KRB_AP_REQ), an authentication reply
+(KRB_AP_REP), a safe message (KRB_SAFE), a  private  message
+
+
+Section 8.2.2.             - 91 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+(KRB_PRIV), or a credentials message (KRB_CRED).  The opaque
+data contains an application code as specified in the  ASN.1
+description  for  each message.  The application code may be
+used by Kerberos to determine the message type.
+
+8.2.3.  Name of the TGS
+
+     The principal identifier of the ticket-granting service
+shall  be  composed of three parts: (1) the realm of the KDC
+issuing the TGS ticket (2) a two-part name of  type  NT-SRV-
+INST,  with  the first part "krbtgt" and the second part the
+name of the realm  which  will  accept  the  ticket-granting
+ticket.  For example, a ticket-granting ticket issued by the
+ATHENA.MIT.EDU realm to be used  to  get  tickets  from  the
+ATHENA.MIT.EDU   KDC   has   a   principal   identifier   of
+"ATHENA.MIT.EDU"   (realm),   ("krbtgt",   "ATHENA.MIT.EDU")
+(name).     A   ticket-granting   ticket   issued   by   the
+ATHENA.MIT.EDU realm to be used  to  get  tickets  from  the
+MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU"
+(realm), ("krbtgt", "MIT.EDU") (name).
+
+
+8.3.  Protocol constants and associated values
+
+The following tables list constants used in the protocol and defines their
+meanings.
+
+Encryption type  etype value  block size    minimum pad size  confounder size
+NULL              0            1                 0                 0
+des-cbc-crc       1            8                 4                 8
+des-cbc-md4       2            8                 0                 8
+des-cbc-md5       3            8                 0                 8
+<reserved>        4
+des3-cbc-md5      5            8                 0                 8
+<reserved>        6
+des3-cbc-sha1     7            8                 0                 8
+sign-dsa-generate 8                                   (pkinit)
+encrypt-rsa-priv  9                                   (pkinit)
+encrypt-rsa-pub  10                                   (pkinit)
+ENCTYPE_PK_CROSS 48                                   (reserved for pkcross)
+<reserved>       0x8003
+
+Checksum type              sumtype value       checksum size
+CRC32                      1                   4
+rsa-md4                    2                   16
+rsa-md4-des                3                   24
+des-mac                    4                   16
+des-mac-k                  5                   8
+rsa-md4-des-k              6                   16
+rsa-md5                    7                   16
+rsa-md5-des                8                   24
+rsa-md5-des3               9                   24
+hmac-sha1-des3             10                  20  (I had this as 10, is it 12)
+
+
+Section 8.3.               - 92 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+padata type                     padata-type value
+
+PA-TGS-REQ                      1
+PA-ENC-TIMESTAMP                2
+PA-PW-SALT                      3
+<reserved>                      4
+PA-ENC-UNIX-TIME                5
+PA-SANDIA-SECUREID              6
+PA-SESAME                       7
+PA-OSF-DCE                      8
+PA-CYBERSAFE-SECUREID           9
+PA-AFS3-SALT                    10
+PA-ETYPE-INFO                   11
+SAM-CHALLENGE                   12                  (sam/otp)
+SAM-RESPONSE                    13                  (sam/otp)
+PA-PK-AS-REQ                    14                  (pkinit)
+PA-PK-AS-REP                    15                  (pkinit)
+PA-PK-AS-SIGN                   16                  (pkinit)
+PA-PK-KEY-REQ                   17                  (pkinit)
+PA-PK-KEY-REP                   18                  (pkinit)
+
+authorization data type         ad-type value
+reserved values                 0-63
+OSF-DCE                         64
+SESAME                          65
+
+alternate authentication type   method-type value
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+transited encoding type         tr-type value
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+
+
+Label               Value   Meaning or MIT code
+
+pvno                    5   current Kerberos protocol version number
+
+message types
+
+KRB_AS_REQ             10   Request for initial authentication
+KRB_AS_REP             11   Response to KRB_AS_REQ request
+KRB_TGS_REQ            12   Request for authentication based on TGT
+KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+KRB_AP_REQ             14   application request to server
+KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE               20   Safe (checksummed) application message
+KRB_PRIV               21   Private (encrypted) application message
+KRB_CRED               22   Private (encrypted) message to forward credentials
+KRB_ERROR              30   Error response
+
+
+Section 8.3.               - 93 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+name types
+
+KRB_NT_UNKNOWN       0   Name type not known
+KRB_NT_PRINCIPAL     1   Just the name of the principal as in DCE, or for users
+KRB_NT_SRV_INST      2   Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST       3   Service with host name as instance (telnet, rcommands)
+KRB_NT_SRV_XHST      4   Service with host as remaining components
+KRB_NT_UID           5   Unique ID
+
+error codes
+
+KDC_ERR_NONE                    0   No error
+KDC_ERR_NAME_EXP                1   Client's entry in database has expired
+KDC_ERR_SERVICE_EXP             2   Server's entry in database has expired
+KDC_ERR_BAD_PVNO                3   Requested protocol version number not supported
+KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in database
+KDC_ERR_NULL_KEY                9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID            11   Requested start time is later than end time
+KDC_ERR_POLICY                 12   KDC policy rejects request
+KDC_ERR_BADOPTION              13   KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption type
+KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been revoked
+KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED            23   Password has expired - change password to reset
+KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was invalid
+KDC_ERR_PREAUTH_REQUIRED       25   Additional pre-authenticationrequired-
+KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't match
+KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for user2user only
+KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field failed
+KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+KRB_AP_ERR_REPEAT              34   Request is a replay
+KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't match
+KRB_AP_ERR_SKEW                37   Clock skew too great
+KRB_AP_ERR_BADADDR             38   Incorrect net address
+KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+KRB_AP_ERR_MODIFIED            41   Message stream modified
+KRB_AP_ERR_BADORDER            42   Message out of order
+KRB_AP_ERR_BADKEYVER           44   Specified version of key is not available
+KRB_AP_ERR_NOKEY               45   Service key not available
+KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+KRB_AP_ERR_METHOD              48   Alternative authentication method required
+KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in message
+
+
+
+Section 8.3.               - 94 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in message
+KRB_ERR_GENERIC                60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG          61   Field is too long for this implementation
+KDC_ERROR_CLIENT_NOT_TRUSTED   62   (pkinit)
+KDC_ERROR_KDC_NOT_TRUSTED      63   (pkinit)
+KDC_ERROR_INVALID_SIG          64   (pkinit)
+KDC_ERR_KEY_TOO_WEAK           65   (pkinit)
+
+
+9.  Interoperability requirements
+
+     Version 5 of the Kerberos protocol supports a myriad of
+options.   Among  these are multiple encryption and checksum
+types, alternative encoding schemes for the transited field,
+optional  mechanisms for pre-authentication, the handling of
+tickets with no addresses, options  for  mutual  authentica-
+tion, user to user authentication, support for proxies, for-
+warding, postdating, and renewing  tickets,  the  format  of
+realm names, and the handling of authorization data.
+
+     In order to ensure the interoperability of  realms,  it
+is necessary to define a minimal configuration which must be
+supported by all implementations.  This  minimal  configura-
+tion  is subject to change as technology does.  For example,
+if at some later date it  is  discovered  that  one  of  the
+required encryption or checksum algorithms is not secure, it
+will be replaced.
+
+9.1.  Specification 1
+
+     This section defines the first specification  of  these
+options.   Implementations  which are configured in this way
+can be said to support Kerberos Version  5  Specification  1
+(5.1).
+
+Encryption and checksum methods
+
+The following encryption and  checksum  mechanisms  must  be
+supported.   Implementations may support other mechanisms as
+well, but the additional mechanisms may only  be  used  when
+communicating with principals known to also support them:
+This list is to be determined.
+Encryption: DES-CBC-MD5
+Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
+
+
+__________________________
+- This error carries additional information in  the  e-
+data  field.  The contents of the e-data field for this
+message is described in section 5.9.1.
+
+
+
+Section 9.1.               - 95 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+Realm Names
+
+All implementations must understand hierarchical  realms  in
+both the Internet Domain and the X.500 style.  When a ticket
+granting ticket for an unknown realm is requested,  the  KDC
+must  be  able  to  determine  the names of the intermediate
+realms between the KDCs realm and the requested realm.
+
+Transited field encoding
+
+DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must  be
+supported.  Alternative encodings may be supported, but they
+may be used only when that  encoding  is  supported  by  ALL
+intermediate realms.
+
+Pre-authentication methods
+
+The TGS-REQ method must be supported.  The TGS-REQ method is
+not  used  on  the  initial  request.   The PA-ENC-TIMESTAMP
+method must be  supported  by  clients  but  whether  it  is
+enabled  by  default  may  be determined on a realm by realm
+basis.  If not used in the initial  request  and  the  error
+KDC_ERR_PREAUTH_REQUIRED   is  returned  specifying  PA-ENC-
+TIMESTAMP as an acceptable method, the client  should  retry
+the   initial   request   using  the  PA-ENC-TIMESTAMP  pre-
+authentication method.  Servers need  not  support  the  PA-
+ENC-TIMESTAMP method, but if not supported the server should
+ignore the presence of  PA-ENC-TIMESTAMP  pre-authentication
+in a request.
+
+Mutual authentication
+
+Mutual authentication (via the KRB_AP_REP message)  must  be
+supported.
+
+
+Ticket addresses and flags
+
+All KDC's must pass on tickets that carry no addresses (i.e.
+if  a TGT contains no addresses, the KDC will return deriva-
+tive tickets), but each realm may set  its  own  policy  for
+issuing  such  tickets, and each application server will set
+its own policy with respect to accepting them.
+
+     Proxies and forwarded tickets must be supported.  Indi-
+vidual realms and application servers can set their own pol-
+icy on when such tickets will be accepted.
+
+     All implementations must recognize renewable and  post-
+dated  tickets,  but  need  not actually implement them.  If
+these options are not supported, the starttime  and  endtime
+in  the  ticket shall specify a ticket's entire useful life.
+When a postdated ticket is decoded by a server,  all  imple-
+mentations  shall  make  the  presence of the postdated flag
+
+
+Section 9.1.               - 96 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+visible to the calling server.
+
+User-to-user authentication
+
+Support for user to user authentication  (via  the  ENC-TKT-
+IN-SKEY KDC option) must be provided by implementations, but
+individual realms may decide as a matter of policy to reject
+such requests on a per-principal or realm-wide basis.
+
+Authorization data
+
+Implementations must pass all authorization  data  subfields
+from  ticket-granting  tickets  to  any  derivative  tickets
+unless directed to suppress a subfield as part of the defin-
+ition   of  that  registered  subfield  type  (it  is  never
+incorrect to pass on a subfield, and no registered  subfield
+types presently specify suppression at the KDC).
+
+     Implementations must make the contents of any  authori-
+zation  data subfields available to the server when a ticket
+is used.  Implementations are not required to allow  clients
+to specify the contents of the authorization data fields.
+
+9.2.  Recommended KDC values
+
+Following is a list of recommended values for a  KDC  imple-
+mentation, based on the list of suggested configuration con-
+stants (see section 4.4).
+
+minimum lifetime    5 minutes
+
+maximum renewable lifetime1 week
+
+maximum ticket lifetime1 day
+
+empty addresses     only when suitable  restrictions  appear
+                    in authorization data
+
+proxiable, etc.     Allowed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Section 9.2.               - 97 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+10.  REFERENCES
+
+
+
+1.   B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+     cation  Service for Computer Networks," IEEE Communica-
+     tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+2.   S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+     Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+     Authorization System, M.I.T. Project Athena, Cambridge,
+     Massachusetts (December 21, 1987).
+
+3.   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+     beros:  An Authentication Service for Open Network Sys-
+     tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+     Dallas, Texas (February, 1988).
+
+4.   Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+     Encryption for Authentication in Large Networks of Com-
+     puters,"  Communications  of  the  ACM,  Vol.   21(12),
+     pp. 993-999 (December, 1978).
+
+5.   Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+     stamps  in  Key Distribution Protocols," Communications
+     of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+6.   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+     "The Evolution of the Kerberos Authentication Service,"
+     in an IEEE Computer Society Text soon to  be  published
+     (June 1992).
+
+7.   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+     Accounting  for Distributed Systems," in Proceedings of
+     the 13th International Conference on  Distributed  Com-
+     puting Systems, Pittsburgh, PA (May, 1993).
+
+8.   Don Davis and Ralph Swick,  "Workstation  Services  and
+     Kerberos  Authentication  at Project Athena," Technical
+     Memorandum TM-424,  MIT Laboratory for Computer Science
+     (February 1990).
+
+9.   P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+     merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+     ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+     sachusetts (1987).
+
+10.  CCITT, Recommendation X.509: The Directory  Authentica-
+     tion Framework, December 1988.
+
+11.  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+     Guessing  Attacks, Open Software Foundation DCE Request
+     for Comments 26 (December 1992).
+
+
+
+Section 10.                - 98 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+12.  National Bureau of Standards, U.S. Department  of  Com-
+     merce,  "Data Encryption Standard," Federal Information
+     Processing Standards Publication  46,   Washington,  DC
+     (1977).
+
+13.  National Bureau of Standards, U.S. Department  of  Com-
+     merce,  "DES  Modes  of Operation," Federal Information
+     Processing Standards Publication 81,   Springfield,  VA
+     (December 1980).
+
+14.  Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+     Integrity  in  Cryptographic Protocols," in Proceedings
+     of the IEEE  Symposium  on  Research  in  Security  and
+     Privacy, Oakland, California (May 1992).
+
+15.  International Organization  for  Standardization,  "ISO
+     Information  Processing  Systems - Data Communication -
+     High-Level Data Link Control Procedure -  Frame  Struc-
+     ture," IS 3309 (October 1984).  3rd Edition.
+
+16.  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+     1320,   MIT  Laboratory  for  Computer  Science  (April
+     1992).
+
+17.  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+     1321,   MIT  Laboratory  for  Computer  Science  (April
+     1992).
+
+18.  H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+     Hashing  for  Message  Authentication,"  Working  Draft
+     draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Section 10.                - 99 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+A.  Pseudo-code for protocol processing
+
+     This appendix provides pseudo-code describing  how  the
+messages  are  to  be constructed and interpreted by clients
+and servers.
+
+A.1.  KRB_AS_REQ generation
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_AS_REQ */
+
+        if(pa_enc_timestamp_required) then
+                request.padata.padata-type = PA-ENC-TIMESTAMP;
+                get system_time;
+                padata-body.patimestamp,pausec = system_time;
+                encrypt padata-body into request.padata.padata-value
+                        using client.key; /* derived from password */
+        endif
+
+        body.kdc-options := users's preferences;
+        body.cname := user's name;
+        body.realm := user's realm;
+        body.sname := service's name; /* usually "krbtgt",  "localrealm" */
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+        omit body.enc-authorization-data;
+        request.req-body := body;
+
+        kerberos := lookup(name of local kerberos server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.2.  KRB_AS_REQ verification and KRB_AS_REP generation
+        decode message into req;
+
+        client := lookup(req.cname,req.realm);
+        server := lookup(req.sname,req.realm);
+
+
+Section A.2.              - 100 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+
+        get system_time;
+        kdc_time := system_time.seconds;
+
+        if (!client) then
+                /* no client in Database */
+                error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+        endif
+        if (!server) then
+                /* no server in Database */
+                error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        endif
+
+        if(client.pa_enc_timestamp_required and
+           pa_enc_timestamp not present) then
+                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+        endif
+
+        if(pa_enc_timestamp present) then
+                decrypt req.padata-value into decrypted_enc_timestamp
+                        using client.key;
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                if(decrypted_enc_timestamp is not within allowable skew) then
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                if(decrypted_enc_timestamp and usec is replay)
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                add decrypted_enc_timestamp and usec to replay cache;
+        endif
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := req.srealm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        if (req.kdc-options.FORWARDABLE is set) then
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.PROXIABLE is set) then
+                set new_tkt.flags.PROXIABLE;
+        endif
+
+
+Section A.2.              - 101 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if ((req.kdc-options.RENEW is set) or
+            (req.kdc-options.VALIDATE is set) or
+            (req.kdc-options.PROXY is set) or
+            (req.kdc-options.FORWARDED is set) or
+            (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.session := random_session_key();
+        new_tkt.cname := req.cname;
+        new_tkt.crealm := req.crealm;
+        new_tkt.transited := empty_transited_field();
+
+        new_tkt.authtime := kdc_time;
+
+        if (req.kdc-options.POSTDATED is set) then
+           if (against_postdate_policy(req.from)) then
+                error_out(KDC_ERR_POLICY);
+           endif
+           set new_tkt.flags.POSTDATED;
+           set new_tkt.flags.INVALID;
+           new_tkt.starttime := req.from;
+        else
+           omit new_tkt.starttime; /* treated as authtime when omitted */
+        endif
+        if (req.till = 0) then
+                till := infinity;
+        else
+                till := req.till;
+        endif
+
+        new_tkt.endtime := min(till,
+                              new_tkt.starttime+client.max_life,
+                              new_tkt.starttime+server.max_life,
+                              new_tkt.starttime+max_life_for_realm);
+
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (new_tkt.endtime < req.till)) then
+                /* we set the RENEWABLE option for later processing */
+                set req.kdc-options.RENEWABLE;
+                req.rtime := req.till;
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if (req.kdc-options.RENEWABLE is set) then
+                set new_tkt.flags.RENEWABLE;
+
+
+Section A.2.              - 102 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                new_tkt.renew-till := min(rtime,
+                                          new_tkt.starttime+client.max_rlife,
+                                          new_tkt.starttime+server.max_rlife,
+                                          new_tkt.starttime+max_rlife_for_realm);
+        else
+                omit new_tkt.renew-till; /* only present if RENEWABLE */
+        endif
+
+        if (req.addresses) then
+                new_tkt.caddr := req.addresses;
+        else
+                omit new_tkt.caddr;
+        endif
+
+        new_tkt.authorization_data := empty_authorization_data();
+
+        encode to-be-encrypted part of ticket into OCTET STRING;
+        new_tkt.enc-part := encrypt OCTET STRING
+                using etype_for_key(server.key), server.key, server.p_kvno;
+
+
+        /* Start processing the response */
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_AS_REP;
+        resp.cname := req.cname;
+        resp.crealm := req.realm;
+        resp.ticket := new_tkt;
+
+        resp.key := new_tkt.session;
+        resp.last-req := fetch_last_request_info(client);
+        resp.nonce := req.nonce;
+        resp.key-expiration := client.expiration;
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        resp.realm := new_tkt.realm;
+        resp.sname := new_tkt.sname;
+
+        resp.caddr := new_tkt.caddr;
+
+        encode body of reply into OCTET STRING;
+
+        resp.enc-part := encrypt OCTET STRING
+                         using use_etype, client.key, client.p_kvno;
+        send(resp);
+
+
+
+Section A.2.              - 103 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+A.3.  KRB_AS_REP verification
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
+                        set pa_enc_timestamp_required;
+                        goto KRB_AS_REQ;
+                endif
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key */
+        /* from the response immediately */
+
+        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                 resp.padata);
+        unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and key;
+        zero(key);
+
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        if near(resp.princ_exp) then
+                print(warning message);
+        endif
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.4.  KRB_AS_REP and KRB_TGS_REP common checks
+        if (decryption_error() or
+            (req.cname != resp.cname) or
+            (req.realm != resp.crealm) or
+            (req.sname != resp.sname) or
+            (req.realm != resp.realm) or
+            (req.nonce != resp.nonce) or
+            (req.addresses != resp.caddr)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        /* make sure no flags are set that shouldn't be, and that all that */
+        /* should be are set                                               */
+        if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.from = 0) and
+            (resp.starttime is not within allowable skew)) then
+                destroy resp.key;
+                return KRB_AP_ERR_SKEW;
+
+
+Section A.4.              - 104 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        endif
+        if ((req.from != 0) and (req.from != resp.starttime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.till != 0) and (resp.endtime > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (resp.flags.RENEWABLE) and
+            (req.till != 0) and
+            (resp.renew-till > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+A.5.  KRB_TGS_REQ generation
+        /* Note that make_application_request might have to recursivly     */
+        /* call this routine to get the appropriate ticket-granting ticket */
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+        body.kdc-options := users's preferences;
+        /* If the TGT is not for the realm of the end-server  */
+        /* then the sname will be for a TGT for the end-realm */
+        /* and the realm of the requested ticket (body.realm) */
+        /* will be that of the TGS to which the TGT we are    */
+        /* sending applies                                    */
+        body.sname := service's name;
+        body.realm := service's realm;
+
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+
+
+Section A.5.              - 105 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        endif
+
+        body.enc-authorization-data := user-supplied data;
+        if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                body.additional-tickets_ticket := second TGT;
+        endif
+
+        request.req-body := body;
+        check := generate_checksum (req.body,checksumtype);
+
+        request.padata[0].padata-type := PA-TGS-REQ;
+        request.padata[0].padata-value := create a KRB_AP_REQ using
+                                      the TGT and checksum
+
+        /* add in any other padata as required/supplied */
+
+        kerberos := lookup(name of local kerberose server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.6.  KRB_TGS_REQ verification and KRB_TGS_REP generation
+        /* note that reading the application request requires first
+        determining the server for which a ticket was issued, and choosing the
+        correct key for decryption.  The name of the server appears in the
+        plaintext part of the ticket. */
+
+        if (no KRB_AP_REQ in req.padata) then
+                error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+        endif
+        verify KRB_AP_REQ in req.padata;
+
+        /* Note that the realm in which the Kerberos server is operating is
+        determined by the instance from the ticket-granting ticket.  The realm
+        in the ticket-granting ticket is the realm under which the ticket
+        granting ticket was issued.  It is possible for a single Kerberos
+        server to support more than one realm. */
+
+        auth_hdr := KRB_AP_REQ;
+        tgt := auth_hdr.ticket;
+
+        if (tgt.sname is not a TGT for local realm and is not req.sname) then
+                error_out(KRB_AP_ERR_NOT_US);
+
+        realm := realm_tgt_is_for(tgt);
+
+        decode remainder of request;
+
+        if (auth_hdr.authenticator.cksum is missing) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+
+Section A.6.              - 106 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        if (auth_hdr.authenticator.cksum type is not supported) then
+                error_out(KDC_ERR_SUMTYPE_NOSUPP);
+        endif
+        if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        set computed_checksum := checksum(req);
+        if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        server := lookup(req.sname,realm);
+
+        if (!server) then
+                if (is_foreign_tgt_name(server)) then
+                        server := best_intermediate_tgs(server);
+                else
+                        /* no server in Database */
+                        error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                endif
+        endif
+
+        session := generate_random_session_key();
+
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := realm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        new_tkt.caddr := tgt.caddr;
+        resp.caddr := NULL; /* We only include this if they change */
+        if (req.kdc-options.FORWARDABLE is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.FORWARDED is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDED;
+
+
+Section A.6.              - 107 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+        if (tgt.flags.FORWARDED is set) then
+                set new_tkt.flags.FORWARDED;
+        endif
+
+        if (req.kdc-options.PROXIABLE is set) then
+                if (tgt.flags.PROXIABLE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.PROXY is set) then
+                if (tgt.flags.PROXIABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXY;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                if (tgt.flags.MAY-POSTDATE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if (req.kdc-options.POSTDATED is set) then
+                if (tgt.flags.MAY-POSTDATE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                if (against_postdate_policy(req.from)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                new_tkt.starttime := req.from;
+        endif
+
+
+        if (req.kdc-options.VALIDATE is set) then
+                if (tgt.flags.INVALID is reset) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                if (tgt.starttime > kdc_time) then
+                        error_out(KRB_AP_ERR_NYV);
+                endif
+                if (check_hot_list(tgt)) then
+                        error_out(KRB_AP_ERR_REPEAT);
+                endif
+                tkt := tgt;
+                reset new_tkt.flags.INVALID;
+        endif
+
+
+Section A.6.              - 108 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                             and those already processed) is set) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.authtime := tgt.authtime;
+
+        if (req.kdc-options.RENEW is set) then
+          /* Note that if the endtime has already passed, the ticket would  */
+          /* have been rejected in the initial authentication stage, so     */
+          /* there is no need to check again here                           */
+                if (tgt.flags.RENEWABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                if (tgt.renew-till >= kdc_time) then
+                        error_out(KRB_AP_ERR_TKT_EXPIRED);
+                endif
+                tkt := tgt;
+                new_tkt.starttime := kdc_time;
+                old_life := tgt.endttime - tgt.starttime;
+                new_tkt.endtime := min(tgt.renew-till,
+                                       new_tkt.starttime + old_life);
+        else
+                new_tkt.starttime := kdc_time;
+                if (req.till = 0) then
+                        till := infinity;
+                else
+                        till := req.till;
+                endif
+                new_tkt.endtime := min(till,
+                                       new_tkt.starttime+client.max_life,
+                                       new_tkt.starttime+server.max_life,
+                                       new_tkt.starttime+max_life_for_realm,
+                                       tgt.endtime);
+
+                if ((req.kdc-options.RENEWABLE-OK is set) and
+                    (new_tkt.endtime < req.till) and
+                    (tgt.flags.RENEWABLE is set) then
+                        /* we set the RENEWABLE option for later processing */
+                        set req.kdc-options.RENEWABLE;
+                        req.rtime := min(req.till, tgt.renew-till);
+                endif
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (tgt.flags.RENEWABLE is set)) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+
+
+Section A.6.              - 109 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                                          new_tkt.starttime+client.max_rlife,
+                                          new_tkt.starttime+server.max_rlife,
+                                          new_tkt.starttime+max_rlife_for_realm,
+                                          tgt.renew-till);
+        else
+                new_tkt.renew-till := OMIT; /* leave the renew-till field out */
+        endif
+        if (req.enc-authorization-data is present) then
+                decrypt req.enc-authorization-data into decrypted_authorization_data
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                endif
+        endif
+        new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data +
+                                 decrypted_authorization_data;
+
+        new_tkt.key := session;
+        new_tkt.crealm := tgt.crealm;
+        new_tkt.cname := req.auth_hdr.ticket.cname;
+
+        if (realm_tgt_is_for(tgt) := tgt.realm) then
+                /* tgt issued by local realm */
+                new_tkt.transited := tgt.transited;
+        else
+                /* was issued for this realm by some other realm */
+                if (tgt.transited.tr-type not supported) then
+                        error_out(KDC_ERR_TRTYPE_NOSUPP);
+                endif
+                new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
+        endif
+
+        encode encrypted part of new_tkt into OCTET STRING;
+        if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                if (server not specified) then
+                        server = req.second_ticket.client;
+                endif
+                if ((req.second_ticket is not a TGT) or
+                    (req.second_ticket.client != server)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+
+                new_tkt.enc-part := encrypt OCTET STRING using
+                        using etype_for_key(second-ticket.key), second-ticket.key;
+        else
+                new_tkt.enc-part := encrypt OCTET STRING
+                        using etype_for_key(server.key), server.key, server.p_kvno;
+        endif
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_TGS_REP;
+        resp.crealm := tgt.crealm;
+        resp.cname := tgt.cname;
+
+
+
+Section A.6.              - 110 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        resp.ticket := new_tkt;
+
+        resp.key := session;
+        resp.nonce := req.nonce;
+        resp.last-req := fetch_last_request_info(client);
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        omit resp.key-expiration;
+
+        resp.sname := new_tkt.sname;
+        resp.realm := new_tkt.realm;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+
+        encode body of reply into OCTET STRING;
+
+        if (req.padata.authenticator.subkey)
+                resp.enc-part := encrypt OCTET STRING using use_etype,
+                        req.padata.authenticator.subkey;
+        else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key;
+
+        send(resp);
+
+A.7.  KRB_TGS_REP verification
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key from
+        the response immediately */
+
+        if (req.padata.authenticator.subkey)
+                unencrypted part of resp := decode of decrypt of resp.enc-part
+                        using resp.enc-part.etype and subkey;
+        else unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and tgt's session key;
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        check authorization_data as necessary;
+        save_for_later(ticket,session,client,server,times,flags);
+
+
+
+Section A.7.              - 111 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+A.8.  Authenticator generation
+        body.authenticator-vno := authenticator vno; /* = 5 */
+        body.cname, body.crealm := client name;
+        if (supplying checksum) then
+                body.cksum := checksum;
+        endif
+        get system_time;
+        body.ctime, body.cusec := system_time;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+A.9.  KRB_AP_REQ generation
+        obtain ticket and session_key from cache;
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REQ */
+
+        if (desired(MUTUAL_AUTHENTICATION)) then
+                set packet.ap-options.MUTUAL-REQUIRED;
+        else
+                reset packet.ap-options.MUTUAL-REQUIRED;
+        endif
+        if (using session key for ticket) then
+                set packet.ap-options.USE-SESSION-KEY;
+        else
+                reset packet.ap-options.USE-SESSION-KEY;
+        endif
+        packet.ticket := ticket; /* ticket */
+        generate authenticator;
+        encode authenticator into OCTET STRING;
+        encrypt OCTET STRING into packet.authenticator using session_key;
+
+A.10.  KRB_AP_REQ verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REQ) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.ticket.tkt_vno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.ap_options.USE-SESSION-KEY is set) then
+                retrieve session key from ticket-granting ticket for
+                 packet.ticket.{sname,srealm,enc-part.etype};
+
+
+Section A.10.             - 112 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        else
+                retrieve service key for
+                 packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+        endif
+        if (no_key_available) then
+                if (cannot_find_specified_skvno) then
+                        error_out(KRB_AP_ERR_BADKEYVER);
+                else
+                        error_out(KRB_AP_ERR_NOKEY);
+                endif
+        endif
+        decrypt packet.ticket.enc-part into decr_ticket using retrieved key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        decrypt packet.authenticator into decr_authenticator
+                using decr_ticket.key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (decr_authenticator.{cname,crealm} !=
+            decr_ticket.{cname,crealm}) then
+                error_out(KRB_AP_ERR_BADMATCH);
+        endif
+        if (decr_ticket.caddr is present) then
+                if (sender_address(packet) is not in decr_ticket.caddr) then
+                        error_out(KRB_AP_ERR_BADADDR);
+                endif
+        elseif (application requires addresses) then
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(decr_authenticator.ctime,
+                              decr_authenticator.cusec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+        get system_time;
+        if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+            (decr_ticket.flags.INVALID is set)) then
+                /* it hasn't yet become valid */
+                error_out(KRB_AP_ERR_TKT_NYV);
+        endif
+        if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                error_out(KRB_AP_ERR_TKT_EXPIRED);
+        endif
+        /* caller must check decr_ticket.flags for any pertinent details */
+        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+A.11.  KRB_AP_REP generation
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REP */
+
+
+Section A.11.             - 113 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        body.ctime := packet.ctime;
+        body.cusec := packet.cusec;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part;
+
+A.12.  KRB_AP_REP verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REP) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        cleartext := decrypt(packet.enc-part) using ticket's session key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (cleartext.ctime != authenticator.ctime) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.cusec != authenticator.cusec) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.subkey is present) then
+                save cleartext.subkey for future use;
+        endif
+        if (cleartext.seq-number is present) then
+                save cleartext.seq-number for future verifications;
+        endif
+        return(AUTHENTICATION_SUCCEEDED);
+
+A.13.  KRB_SAFE generation
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_SAFE */
+
+        body.user-data := buffer; /* DATA */
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+
+
+Section A.13.             - 114 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+        checksum.cksumtype := checksum type;
+        compute checksum over body;
+        checksum.checksum := checksum value; /* checksum.checksum */
+        packet.cksum := checksum;
+        packet.safe-body := body;
+
+A.14.  KRB_SAFE verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_SAFE) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.checksum.cksumtype is not both collision-proof and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (safe_priv_common_checks_ok(packet)) then
+                set computed_checksum := checksum(packet.body);
+                if (computed_checksum != packet.checksum) then
+                        error_out(KRB_AP_ERR_MODIFIED);
+                endif
+                return (packet, PACKET_IS_GENUINE);
+        else
+                return common_checks_error;
+        endif
+
+A.15.  KRB_SAFE and KRB_PRIV common checks
+        if (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (((packet.timestamp is present) and
+             (not in_clock_skew(packet.timestamp,packet.usec))) or
+            (packet.timestamp is not present and timestamp expected)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+
+
+Section A.15.             - 115 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+        if (((packet.seq-number is present) and
+             ((not in_sequence(packet.seq-number)))) or
+            (packet.seq-number is not present and sequence expected)) then
+                error_out(KRB_AP_ERR_BADORDER);
+        endif
+        if (packet.timestamp not present and packet.seq-number not present) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        save_identifier(packet.{timestamp,usec,s-address},
+                        sender_principal(packet));
+
+        return PACKET_IS_OK;
+
+A.16.  KRB_PRIV generation
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_PRIV */
+
+        packet.enc-part.etype := encryption type;
+
+        body.user-data := buffer;
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher;
+
+
+A.17.  KRB_PRIV verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_PRIV) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+
+
+Section A.17.             - 116 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+        if (safe_priv_common_checks_ok(cleartext)) then
+                return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+        else
+                return common_checks_error;
+        endif
+
+A.18.  KRB_CRED generation
+        invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_CRED */
+
+        for (tickets[n] in tickets to be forwarded) do
+                packet.tickets[n] = tickets[n].ticket;
+        done
+
+        packet.enc-part.etype := encryption type;
+
+        for (ticket[n] in tickets to be forwarded) do
+                body.ticket-info[n].key = tickets[n].session;
+                body.ticket-info[n].prealm = tickets[n].crealm;
+                body.ticket-info[n].pname = tickets[n].cname;
+                body.ticket-info[n].flags = tickets[n].flags;
+                body.ticket-info[n].authtime = tickets[n].authtime;
+                body.ticket-info[n].starttime = tickets[n].starttime;
+                body.ticket-info[n].endtime = tickets[n].endtime;
+                body.ticket-info[n].renew-till = tickets[n].renew-till;
+                body.ticket-info[n].srealm = tickets[n].srealm;
+                body.ticket-info[n].sname = tickets[n].sname;
+                body.ticket-info[n].caddr = tickets[n].caddr;
+        done
+
+        get system_time;
+        body.timestamp, body.usec := system_time;
+
+        if (using nonce) then
+                body.nonce := nonce;
+        endif
+
+        if (using s-address) then
+                body.s-address := sender host addresses;
+        endif
+        if (limited recipients) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher
+
+
+Section A.18.             - 117 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+               using negotiated encryption key;
+
+
+A.19.  KRB_CRED verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_CRED) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if ((packet.r-address is present or required) and
+           (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (packet.nonce is required or present) and
+           (packet.nonce != expected-nonce) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        for (ticket[n] in tickets that were forwarded) do
+                save_for_later(ticket[n],key[n],principal[n],
+                               server[n],times[n],flags[n]);
+        return
+
+A.20.  KRB_ERROR generation
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_ERROR */
+
+        get system_time;
+        packet.stime, packet.susec := system_time;
+        packet.realm, packet.sname := server name;
+
+        if (client time available) then
+
+
+Section A.20.             - 118 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+                packet.ctime, packet.cusec := client_time;
+        endif
+        packet.error-code := error code;
+        if (client name available) then
+                packet.cname, packet.crealm := client name;
+        endif
+        if (error text available) then
+                packet.e-text := error text;
+        endif
+        if (error data available) then
+                packet.e-data := error data;
+        endif
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+                          - 119 -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+                          - cxx -    Expires 11 January 1998
+
+
+
+
+
+
+
+
+
+
+                     Table of Contents
+
+
+
+
+Overview ..............................................    2
+
+Background ............................................    2
+
+1. Introduction .......................................    3
+
+1.1. Cross-Realm Operation ............................    5
+
+1.2. Authorization ....................................    6
+
+1.3. Environmental assumptions ........................    7
+
+1.4. Glossary of terms ................................    8
+
+2. Ticket flag uses and requests ......................   10
+
+2.1. Initial and pre-authenticated tickets ............   10
+
+2.2. Invalid tickets ..................................   11
+
+2.3. Renewable tickets ................................   11
+
+2.4. Postdated tickets ................................   12
+
+2.5. Proxiable and proxy tickets ......................   12
+
+2.6. Forwardable tickets ..............................   13
+
+2.7. Other KDC options ................................   14
+
+3. Message Exchanges ..................................   14
+
+3.1. The Authentication Service Exchange ..............   14
+
+3.1.1. Generation of KRB_AS_REQ message ...............   16
+
+3.1.2. Receipt of KRB_AS_REQ message ..................   16
+
+3.1.3. Generation of KRB_AS_REP message ...............   16
+
+3.1.4. Generation of KRB_ERROR message ................   19
+
+3.1.5. Receipt of KRB_AS_REP message ..................   19
+
+3.1.6. Receipt of KRB_ERROR message ...................   19
+
+3.2. The Client/Server Authentication Exchange ........   19
+
+3.2.1. The KRB_AP_REQ message .........................   20
+
+
+                           - i -     Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+3.2.2. Generation of a KRB_AP_REQ message .............   20
+
+3.2.3. Receipt of KRB_AP_REQ message ..................   21
+
+3.2.4. Generation of a KRB_AP_REP message .............   23
+
+3.2.5. Receipt of KRB_AP_REP message ..................   23
+
+3.2.6. Using the encryption key .......................   24
+
+3.3. The Ticket-Granting Service (TGS) Exchange .......   25
+
+3.3.1. Generation of KRB_TGS_REQ message ..............   26
+
+3.3.2. Receipt of KRB_TGS_REQ message .................   27
+
+3.3.3. Generation of KRB_TGS_REP message ..............   28
+
+3.3.3.1. Checking for revoked tickets .................   30
+
+3.3.3.2. Encoding the transited field .................   30
+
+3.3.4. Receipt of KRB_TGS_REP message .................   32
+
+3.4. The KRB_SAFE Exchange ............................   32
+
+3.4.1. Generation of a KRB_SAFE message ...............   32
+
+3.4.2. Receipt of KRB_SAFE message ....................   33
+
+3.5. The KRB_PRIV Exchange ............................   34
+
+3.5.1. Generation of a KRB_PRIV message ...............   34
+
+3.5.2. Receipt of KRB_PRIV message ....................   34
+
+3.6. The KRB_CRED Exchange ............................   35
+
+3.6.1. Generation of a KRB_CRED message ...............   35
+
+3.6.2. Receipt of KRB_CRED message ....................   35
+
+4. The Kerberos Database ..............................   36
+
+4.1. Database contents ................................   36
+
+4.2. Additional fields ................................   37
+
+4.3. Frequently Changing Fields .......................   38
+
+4.4. Site Constants ...................................   39
+
+5. Message Specifications .............................   39
+
+
+
+                           - ii -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+5.1. ASN.1 Distinguished Encoding Representation ......   39
+
+5.2. ASN.1 Base Definitions ...........................   40
+
+5.3. Tickets and Authenticators .......................   43
+
+5.3.1. Tickets ........................................   43
+
+5.3.2. Authenticators .................................   52
+
+5.4. Specifications for the AS and TGS exchanges ......   54
+
+5.4.1. KRB_KDC_REQ definition .........................   54
+
+5.4.2. KRB_KDC_REP definition .........................   61
+
+5.5. Client/Server (CS) message specifications ........   64
+
+5.5.1. KRB_AP_REQ definition ..........................   64
+
+5.5.2. KRB_AP_REP definition ..........................   65
+
+5.5.3. Error message reply ............................   67
+
+5.6. KRB_SAFE message specification ...................   67
+
+5.6.1. KRB_SAFE definition ............................   67
+
+5.7. KRB_PRIV message specification ...................   68
+
+5.7.1. KRB_PRIV definition ............................   68
+
+5.8. KRB_CRED message specification ...................   69
+
+5.8.1. KRB_CRED definition ............................   70
+
+5.9. Error message specification ......................   72
+
+5.9.1. KRB_ERROR definition ...........................   72
+
+6. Encryption and Checksum Specifications .............   74
+
+6.1. Encryption Specifications ........................   76
+
+6.2. Encryption Keys ..................................   78
+
+6.3. Encryption Systems ...............................   78
+
+6.3.1. The NULL Encryption System (null) ..............   78
+
+6.3.2. DES in CBC mode with a CRC-32 checksum (des-
+cbc-crc) ..............................................   79
+
+6.3.3. DES in CBC mode with an MD4 checksum (des-
+
+
+                          - iii -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+cbc-md4) ..............................................   79
+
+6.3.4. DES in CBC mode with an MD5 checksum (des-
+cbc-md5) ..............................................   79
+
+6.3.5. Triple DES EDE in outer CBC mode with an SHA1
+checksum (des3-cbc-sha1) ..............................   81
+
+6.4. Checksums ........................................   83
+
+6.4.1. The CRC-32 Checksum (crc32) ....................   84
+
+6.4.2. The RSA MD4 Checksum (rsa-md4) .................   84
+
+6.4.3. RSA MD4 Cryptographic Checksum Using DES
+(rsa-md4-des) .........................................   84
+
+6.4.4. The RSA MD5 Checksum (rsa-md5) .................   85
+
+6.4.5. RSA MD5 Cryptographic Checksum Using DES
+(rsa-md5-des) .........................................   85
+
+6.4.6. DES cipher-block chained checksum (des-mac)
+
+6.4.7. RSA MD4 Cryptographic Checksum Using DES
+alternative (rsa-md4-des-k) ...........................   86
+
+6.4.8. DES cipher-block chained checksum alternative
+(des-mac-k) ...........................................   87
+
+7. Naming Constraints .................................   87
+
+7.1. Realm Names ......................................   87
+
+7.2. Principal Names ..................................   88
+
+7.2.1. Name of server principals ......................   89
+
+8. Constants and other defined values .................   90
+
+8.1. Host address types ...............................   90
+
+8.2. KDC messages .....................................   91
+
+8.2.1. IP transport ...................................   91
+
+8.2.2. OSI transport ..................................   91
+
+8.2.3. Name of the TGS ................................   92
+
+8.3. Protocol constants and associated values .........   92
+
+9. Interoperability requirements ......................   95
+
+
+
+                           - iv -    Expires 11 January 1998
+
+
+
+
+
+
+
+            Version 5 - Specification Revision 6
+
+
+9.1. Specification 1 ..................................   95
+
+9.2. Recommended KDC values ...........................   97
+
+10. REFERENCES ........................................   98
+
+A. Pseudo-code for protocol processing ................  100
+
+A.1. KRB_AS_REQ generation ............................  100
+
+A.2. KRB_AS_REQ verification and KRB_AS_REP genera-
+tion ..................................................  100
+
+A.3. KRB_AS_REP verification ..........................  104
+
+A.4. KRB_AS_REP and KRB_TGS_REP common checks .........  104
+
+A.5. KRB_TGS_REQ generation ...........................  105
+
+A.6. KRB_TGS_REQ verification and KRB_TGS_REP gen-
+eration ...............................................  106
+
+A.7. KRB_TGS_REP verification .........................  111
+
+A.8. Authenticator generation .........................  112
+
+A.9. KRB_AP_REQ generation ............................  112
+
+A.10. KRB_AP_REQ verification .........................  112
+
+A.11. KRB_AP_REP generation ...........................  113
+
+A.12. KRB_AP_REP verification .........................  114
+
+A.13. KRB_SAFE generation .............................  114
+
+A.14. KRB_SAFE verification ...........................  115
+
+A.15. KRB_SAFE and KRB_PRIV common checks .............  115
+
+A.16. KRB_PRIV generation .............................  116
+
+A.17. KRB_PRIV verification ...........................  116
+
+A.18. KRB_CRED generation .............................  117
+
+A.19. KRB_CRED verification ...........................  118
+
+A.20. KRB_ERROR generation ............................  118
+
+
+
+
+
+
+
+                           - v -     Expires 11 January 1998
+
+
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt
new file mode 100644
index 0000000..78db9d7
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-01.txt
@@ -0,0 +1,6214 @@
+
+INTERNET-DRAFT                                          Clifford Neuman
+                                                              John Kohl
+                                                          Theodore Ts'o
+                                                       21 November 1997
+
+The Kerberos Network Authentication Service (V5)
+
+STATUS OF THIS MEMO
+
+This document is an Internet-Draft. Internet-Drafts are working documents of
+the Internet Engineering Task Force (IETF), its areas, and its working
+groups. Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It is
+inappropriate to use Internet-Drafts as reference material or to cite them
+other than as 'work in progress.'
+
+To learn the current status of any Internet-Draft, please check the
+'1id-abstracts.txt' listing contained in the Internet-Drafts Shadow
+Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
+ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
+
+The distribution of this memo is unlimited. It is filed as
+draft-ietf-cat-kerberos-r-01.txt, and expires 21 May 1998. Please send
+comments to: krb-protocol@MIT.EDU
+
+ABSTRACT
+
+This document provides an overview and specification of Version 5 of the
+Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
+and its intended use that require more detailed or clearer explanation than
+was provided in RFC1510. This document is intended to provide a detailed
+description of the protocol, suitable for implementation, together with
+descriptions of the appropriate use of protocol messages and fields within
+those messages.
+
+This document is not intended to describe Kerberos to the end user, system
+administrator, or application developer. Higher level papers describing
+Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
+are available elsewhere.
+
+OVERVIEW
+
+This INTERNET-DRAFT describes the concepts and model upon which the Kerberos
+network authentication system is based. It also specifies Version 5 of the
+Kerberos protocol.
+
+The motivations, goals, assumptions, and rationale behind most design
+decisions are treated cursorily; they are more fully described in a paper
+available in IEEE communications [NT94] and earlier in the Kerberos portion
+of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+standard and are being considered for advancement for draft standard through
+the IETF standard process. Comments are encouraged on the presentation, but
+only minor refinements to the protocol as implemented or extensions that fit
+within current protocol framework will be considered at this time.
+
+Requests for addition to an electronic mailing list for discussion of
+Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
+This mailing list is gatewayed onto the Usenet as the group
+comp.protocols.kerberos. Requests for further information, including
+documents and code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+The Kerberos model is based in part on Needham and Schroeder's trusted
+third-party authentication protocol [NS78] and on modifications suggested by
+Denning and Sacco [DS81]. The original design and implementation of Kerberos
+Versions 1 through 4 was the work of two former Project Athena staff
+members, Steve Miller of Digital Equipment Corporation and Clifford Neuman
+(now at the Information Sciences Institute of the University of Southern
+California), along with Jerome Saltzer, Technical Director of Project
+Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members
+of Project Athena have also contributed to the work on Kerberos.
+
+Version 5 of the Kerberos protocol (described in this document) has evolved
+from Version 4 based on new requirements and desires for features not
+available in Version 4. The design of Version 5 of the Kerberos protocol was
+led by Clifford Neuman and John Kohl with much input from the community. The
+development of the MIT reference implementation was led at MIT by John Kohl
+and Theodore T'so, with help and contributed code from many others.
+Reference implementations of both version 4 and version 5 of Kerberos are
+publicly available and commercial implementations have been developed and
+are widely used.
+
+Details on the differences between Kerberos Versions 4 and 5 can be found in
+[KNT92].
+
+1. Introduction
+
+Kerberos provides a means of verifying the identities of principals, (e.g. a
+workstation user or a network server) on an open (unprotected) network. This
+is accomplished without relying on assertions by the host operating system,
+without basing trust on host addresses, without requiring physical security
+of all the hosts on the network, and under the assumption that packets
+traveling along the network can be read, modified, and inserted at will[1].
+Kerberos performs authentication under these conditions as a trusted
+third-party authentication service by using conventional (shared secret key
+[2] cryptography. Kerberos extensions have been proposed and implemented
+that provide for the use of public key cryptography during certain phases of
+the authentication protocol. These extensions provide for authentication of
+users registered with public key certification authorities, and allow the
+system to provide certain benefits of public key cryptography in situations
+where they are needed.
+
+The basic Kerberos authentication process proceeds as follows: A client
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+sends a request to the authentication server (AS) requesting 'credentials'
+for a given server. The AS responds with these credentials, encrypted in the
+client's key. The credentials consist of 1) a 'ticket' for the server and 2)
+a temporary encryption key (often called a "session key"). The client
+transmits the ticket (which contains the client's identity and a copy of the
+session key, all encrypted in the server's key) to the server. The session
+key (now shared by the client and server) is used to authenticate the
+client, and may optionally be used to authenticate the server. It may also
+be used to encrypt further communication between the two parties or to
+exchange a separate sub-session key to be used to encrypt further
+communication.
+
+Implementation of the basic protocol consists of one or more authentication
+servers running on physically secure hosts. The authentication servers
+maintain a database of principals (i.e., users and servers) and their secret
+keys. Code libraries provide encryption and implement the Kerberos protocol.
+In order to add authentication to its transactions, a typical network
+application adds one or two calls to the Kerberos library directly or
+through the Generic Security Services Application Programming Interface,
+GSSAPI, described in separate document. These calls result in the
+transmission of the necessary messages to achieve authentication.
+
+The Kerberos protocol consists of several sub-protocols (or exchanges).
+There are two basic methods by which a client can ask a Kerberos server for
+credentials. In the first approach, the client sends a cleartext request for
+a ticket for the desired server to the AS. The reply is sent encrypted in
+the client's secret key. Usually this request is for a ticket-granting
+ticket (TGT) which can later be used with the ticket-granting server (TGS).
+In the second method, the client sends a request to the TGS. The client uses
+the TGT to authenticate itself to the TGS in the same manner as if it were
+contacting any other application server that requires Kerberos
+authentication. The reply is encrypted in the session key from the TGT.
+Though the protocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different protocol entry points
+within a single Kerberos server.
+
+Once obtained, credentials may be used to verify the identity of the
+principals in a transaction, to ensure the integrity of messages exchanged
+between them, or to preserve privacy of the messages. The application is
+free to choose whatever protection may be necessary.
+
+To verify the identities of the principals in a transaction, the client
+transmits the ticket to the application server. Since the ticket is sent "in
+the clear" (parts of it are encrypted, but this encryption doesn't thwart
+replay) and might be intercepted and reused by an attacker, additional
+information is sent to prove that the message originated with the principal
+to whom the ticket was issued. This information (called the authenticator)
+is encrypted in the session key, and includes a timestamp. The timestamp
+proves that the message was recently generated and is not a replay.
+Encrypting the authenticator in the session key proves that it was generated
+by a party possessing the session key. Since no one except the requesting
+principal and the server know the session key (it is never sent over the
+network in the clear) this guarantees the identity of the client.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+The integrity of the messages exchanged between principals can also be
+guaranteed using the session key (passed in the ticket and contained in the
+credentials). This approach provides detection of both replay attacks and
+message stream modification attacks. It is accomplished by generating and
+transmitting a collision-proof checksum (elsewhere called a hash or digest
+function) of the client's message, keyed with the session key. Privacy and
+integrity of the messages exchanged between principals can be secured by
+encrypting the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+The authentication exchanges mentioned above require read-only access to the
+Kerberos database. Sometimes, however, the entries in the database must be
+modified, such as when adding new principals or changing a principal's key.
+This is done using a protocol between a client and a third Kerberos server,
+the Kerberos Administration Server (KADM). There is also a protocol for
+maintaining multiple copies of the Kerberos database. Neither of these
+protocols are described in this document.
+
+1.1. Cross-Realm Operation
+
+The Kerberos protocol is designed to operate across organizational
+boundaries. A client in one organization can be authenticated to a server in
+another. Each organization wishing to run a Kerberos server establishes its
+own 'realm'. The name of the realm in which a client is registered is part
+of the client's name, and can be used by the end-service to decide whether
+to honor a request.
+
+By establishing 'inter-realm' keys, the administrators of two realms can
+allow a client authenticated in the local realm to prove its identity to
+servers in other realms[3]. The exchange of inter-realm keys (a separate key
+may be used for each direction) registers the ticket-granting service of
+each realm as a principal in the other realm. A client is then able to
+obtain a ticket-granting ticket for the remote realm's ticket-granting
+service from its local realm. When that ticket-granting ticket is used, the
+remote ticket-granting service uses the inter-realm key (which usually
+differs from its own normal TGS key) to decrypt the ticket-granting ticket,
+and is thus certain that it was issued by the client's own TGS. Tickets
+issued by the remote ticket-granting service will indicate to the
+end-service that the client was authenticated from another realm.
+
+A realm is said to communicate with another realm if the two realms share an
+inter-realm key, or if the local realm shares an inter-realm key with an
+intermediate realm that communicates with the remote realm. An
+authentication path is the sequence of intermediate realms that are
+transited in communicating from one realm to another.
+
+Realms are typically organized hierarchically. Each realm shares a key with
+its parent and a different key with each child. If an inter-realm key is not
+directly shared by two realms, the hierarchical organization allows an
+authentication path to be easily constructed. If a hierarchical organization
+is not used, it may be necessary to consult a database in order to construct
+an authentication path between realms.
+
+Although realms are typically hierarchical, intermediate realms may be
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+bypassed to achieve cross-realm authentication through alternate
+authentication paths (these might be established to make communication
+between two realms more efficient). It is important for the end-service to
+know which realms were transited when deciding how much faith to place in
+the authentication process. To facilitate this decision, a field in each
+ticket contains the names of the realms that were involved in authenticating
+the client.
+
+The application server is ultimately responsible for accepting or rejecting
+authentication and should check the transited field. The application server
+may choose to rely on the KDC for the application server's realm to check
+the transited field. The application server's KDC will set the
+TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
+realms may also check the transited field as they issue
+ticket-granting-tickets for other realms, but they are encouraged not to do
+so. A client may request that the KDC's not check the transited field by
+setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
+required to honor this flag.
+
+1.2. Authorization
+
+As an authentication service, Kerberos provides a means of verifying the
+identity of principals on a network. Authentication is usually useful
+primarily as a first step in the process of authorization, determining
+whether a client may use a service, which objects the client is allowed to
+access, and the type of access allowed for each. Kerberos does not, by
+itself, provide authorization. Possession of a client ticket for a service
+provides only for authentication of the client to that service, and in the
+absence of a separate authorization procedure, it should not be considered
+by an application as authorizing the use of that service.
+
+Such separate authorization methods may be implemented as application
+specific access control functions and may be based on files such as the
+application server, or on separately issued authorization credentials such
+as those based on proxies [Neu93] , or on other authorization services.
+
+Applications should not be modified to accept the issuance of a service
+ticket by the Kerberos server (even by an modified Kerberos server) as
+granting authority to use the service, since such applications may become
+vulnerable to the bypass of this authorization check in an environment if
+they interoperate with other KDCs or where other options for application
+authentication (e.g. the PKTAPP proposal) are provided.
+
+1.3. Environmental assumptions
+
+Kerberos imposes a few assumptions on the environment in which it can
+properly function:
+
+   * 'Denial of service' attacks are not solved with Kerberos. There are
+     places in these protocols where an intruder can prevent an application
+     from participating in the proper authentication steps. Detection and
+     solution of such attacks (some of which can appear to be nnot-uncommon
+     'normal' failure modes for the system) is usually best left to the
+     human administrators and users.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+   * Principals must keep their secret keys secret. If an intruder somehow
+     steals a principal's key, it will be able to masquerade as that
+     principal or impersonate any server to the legitimate principal.
+   * 'Password guessing' attacks are not solved by Kerberos. If a user
+     chooses a poor password, it is possible for an attacker to successfully
+     mount an offline dictionary attack by repeatedly attempting to decrypt,
+     with successive entries from a dictionary, messages obtained which are
+     encrypted under a key derived from the user's password.
+   * Each host on the network must have a clock which is 'loosely
+     synchronized' to the time of the other hosts; this synchronization is
+     used to reduce the bookkeeping needs of application servers when they
+     do replay detection. The degree of "looseness" can be configured on a
+     per-server basis, but is typically on the order of 5 minutes. If the
+     clocks are synchronized over the network, the clock synchronization
+     protocol must itself be secured from network attackers.
+   * Principal identifiers are not recycled on a short-term basis. A typical
+     mode of access control will use access control lists (ACLs) to grant
+     permissions to particular principals. If a stale ACL entry remains for
+     a deleted principal and the principal identifier is reused, the new
+     principal will inherit rights specified in the stale ACL entry. By not
+     re-using principal identifiers, the danger of inadvertent access is
+     removed.
+
+1.4. Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+Authentication
+     Verifying the claimed identity of a principal.
+Authentication header
+     A record containing a Ticket and an Authenticator to be presented to a
+     server as part of the authentication process.
+Authentication path
+     A sequence of intermediate realms transited in the authentication
+     process when communicating from one realm to another.
+Authenticator
+     A record containing information that can be shown to have been recently
+     generated using the session key known only by the client and server.
+Authorization
+     The process of determining whether a client may use a service, which
+     objects the client is allowed to access, and the type of access allowed
+     for each.
+Capability
+     A token that grants the bearer permission to access an object or
+     service. In Kerberos, this might be a ticket whose use is restricted by
+     the contents of the authorization data field, but which lists no
+     network addresses, together with the session key necessary to use the
+     ticket.
+Ciphertext
+     The output of an encryption function. Encryption transforms plaintext
+     into ciphertext.
+Client
+     A process that makes use of a network service on behalf of a user. Note
+     that in some cases a Server may itself be a client of some other server
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     (e.g. a print server may be a client of a file server).
+Credentials
+     A ticket plus the secret session key necessary to successfully use that
+     ticket in an authentication exchange.
+KDC
+     Key Distribution Center, a network service that supplies tickets and
+     temporary session keys; or an instance of that service or the host on
+     which it runs. The KDC services both initial ticket and ticket-granting
+     ticket requests. The initial ticket portion is sometimes referred to as
+     the Authentication Server (or service). The ticket-granting ticket
+     portion is sometimes referred to as the ticket-granting server (or
+     service).
+Kerberos
+     Aside from the 3-headed dog guarding Hades, the name given to Project
+     Athena's authentication service, the protocol used by that service, or
+     the code used to implement the authentication service.
+Plaintext
+     The input to an encryption function or the output of a decryption
+     function. Decryption transforms ciphertext into plaintext.
+Principal
+     A uniquely named client or server instance that participates in a
+     network communication.
+Principal identifier
+     The name used to uniquely identify each different principal.
+Seal
+     To encipher a record containing several fields in such a way that the
+     fields cannot be individually replaced without either knowledge of the
+     encryption key or leaving evidence of tampering.
+Secret key
+     An encryption key shared by a principal and the KDC, distributed
+     outside the bounds of the system, with a long lifetime. In the case of
+     a human user's principal, the secret key is derived from a password.
+Server
+     A particular Principal which provides a resource to network clients.
+     The server is sometimes refered to as the Application Server.
+Service
+     A resource provided to network clients; often provided by more than one
+     server (for example, remote file service).
+Session key
+     A temporary encryption key used between two principals, with a lifetime
+     limited to the duration of a single login "session".
+Sub-session key
+     A temporary encryption key used between two principals, selected and
+     exchanged by the principals using the session key, and with a lifetime
+     limited to the duration of a single association.
+Ticket
+     A record that helps a client authenticate itself to a server; it
+     contains the client's identity, a session key, a timestamp, and other
+     information, all sealed using the server's secret key. It only serves
+     to authenticate a client when presented along with a fresh
+     Authenticator.
+
+2. Ticket flag uses and requests
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+Each Kerberos ticket contains a set of flags which are used to indicate
+various attributes of that ticket. Most flags may be requested by a client
+when the ticket is obtained; some are automatically turned on and off by a
+Kerberos server as required. The following sections explain what the various
+flags mean, and gives examples of reasons to use such a flag.
+
+2.1. Initial and pre-authenticated tickets
+
+The INITIAL flag indicates that a ticket was issued using the AS protocol
+and not issued based on a ticket-granting ticket. Application servers that
+want to require the demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be set in any tickets
+they accept, and thus be assured that the client's key was recently
+presented to the application client.
+
+The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
+initial authentication, regardless of whether the current ticket was issued
+directly (in which case INITIAL will also be set) or issued on the basis of
+a ticket-granting ticket (in which case the INITIAL flag is clear, but the
+PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ticket-granting ticket).
+
+2.2. Invalid tickets
+
+The INVALID flag indicates that a ticket is invalid. Application servers
+must reject tickets which have this flag set. A postdated ticket will
+usually be issued in this form. Invalid tickets must be validated by the KDC
+before use, by presenting them to the KDC in a TGS request with the VALIDATE
+option specified. The KDC will only validate tickets after their starttime
+has passed. The validation is required so that postdated tickets which have
+been stolen before their starttime can be rendered permanently invalid
+(through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3. Renewable tickets
+
+Applications may desire to hold tickets which can be valid for long periods
+of time. However, this can expose their credentials to potential theft for
+equally long periods, and those stolen credentials would be valid until the
+expiration time of the ticket(s). Simply using short-lived tickets and
+obtaining new ones periodically would require the client to have long-term
+access to its secret key, an even greater risk. Renewable tickets can be
+used to mitigate the consequences of theft. Renewable tickets have two
+"expiration times": the first is when the current instance of the ticket
+expires, and the second is the latest permissible value for an individual
+expiration time. An application client must periodically (i.e. before it
+expires) present a renewable ticket to the KDC, with the RENEW option set in
+the KDC request. The KDC will issue a new ticket with a new session key and
+a later expiration time. All other fields of the ticket are left unmodified
+by the renewal process. When the latest permissible expiration time arrives,
+the ticket expires permanently. At each renewal, the KDC may consult a
+hot-list to determine if the ticket had been reported stolen since its last
+renewal; it will refuse to renew such stolen tickets, and thus the usable
+lifetime of stolen tickets is reduced.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+The RENEWABLE flag in a ticket is normally only interpreted by the
+ticket-granting service (discussed below in section 3.3). It can usually be
+ignored by application servers. However, some particularly careful
+application servers may wish to disallow renewable tickets.
+
+If a renewable ticket is not renewed by its expiration time, the KDC will
+not renew the ticket. The RENEWABLE flag is reset by default, but a client
+may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
+message. If it is set, then the renew-till field in the ticket contains the
+time after which the ticket may not be renewed.
+
+2.4. Postdated tickets
+
+Applications may occasionally need to obtain tickets for use much later,
+e.g. a batch submission system would need tickets to be valid at the time
+the batch job is serviced. However, it is dangerous to hold valid tickets in
+a batch queue, since they will be on-line longer and more prone to theft.
+Postdated tickets provide a way to obtain these tickets from the KDC at job
+submission time, but to leave them "dormant" until they are activated and
+validated by a further request of the KDC. If a ticket theft were reported
+in the interim, the KDC would refuse to validate the ticket, and the thief
+would be foiled.
+
+The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. This flag
+must be set in a ticket-granting ticket in order to issue a postdated ticket
+based on the presented ticket. It is reset by default; it may be requested
+by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message.
+This flag does not allow a client to obtain a postdated ticket-granting
+ticket; postdated ticket-granting tickets can only by obtained by requesting
+the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a
+postdated ticket will be the remaining life of the ticket-granting ticket at
+the time of the request, unless the RENEWABLE option is also set, in which
+case it can be the full life (endtime-starttime) of the ticket-granting
+ticket. The KDC may limit how far in the future a ticket may be postdated.
+
+The POSTDATED flag indicates that a ticket has been postdated. The
+application server can check the authtime field in the ticket to see when
+the original authentication occurred. Some services may choose to reject
+postdated tickets, or they may only accept them within a certain period
+after the original authentication. When the KDC issues a POSTDATED ticket,
+it will also be marked as INVALID, so that the application client must
+present the ticket to the KDC to be validated before use.
+
+2.5. Proxiable and proxy tickets
+
+At times it may be necessary for a principal to allow a service to perform
+an operation on its behalf. The service must be able to take on the identity
+of the client, but only for a particular purpose. A principal can allow a
+service to take on the principal's identity for a particular purpose by
+granting it a proxy.
+
+The process of granting a proxy using the proxy and proxiable flags is used
+to provide credentials for use with specific services. Though conceptually
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+also a proxy, user's wishing to delegate their identity for ANY purpose must
+use the ticket forwarding mechanism described in the next section to forward
+a ticket granting ticket.
+
+The PROXIABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. When set,
+this flag tells the ticket-granting server that it is OK to issue a new
+ticket (but not a ticket-granting ticket) with a different network address
+based on this ticket. This flag is set if requested by the client on initial
+authentication. By default, the client will request that it be set when
+requesting a ticket granting ticket, and reset when requesting any other
+ticket.
+
+This flag allows a client to pass a proxy to a server to perform a remote
+request on its behalf, e.g. a print service client can give the print server
+a proxy to access the client's files on a particular file server in order to
+satisfy a print request.
+
+In order to complicate the use of stolen credentials, Kerberos tickets are
+usually valid from only those network addresses specifically included in the
+ticket[4]. When granting a proxy, the client must specify the new network
+address from which the proxy is to be used, or indicate that the proxy is to
+be issued for use from any address.
+
+The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
+Application servers may check this flag and at their option they may require
+additional authentication from the agent presenting the proxy in order to
+provide an audit trail.
+
+2.6. Forwardable tickets
+
+Authentication forwarding is an instance of a proxy where the service is
+granted complete use of the client's identity. An example where it might be
+used is when a user logs in to a remote system and wants authentication to
+work from that system as if the login were local.
+
+The FORWARDABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. The
+FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
+flag, except ticket-granting tickets may also be issued with different
+network addresses. This flag is reset by default, but users may request that
+it be set by setting the FORWARDABLE option in the AS request when they
+request their initial ticket- granting ticket.
+
+This flag allows for authentication forwarding without requiring the user to
+enter a password again. If the flag is not set, then authentication
+forwarding is not permitted, but the same result can still be achieved if
+the user engages in the AS exchange specifying the requested network
+addresses and supplies a password.
+
+The FORWARDED flag is set by the TGS when a client presents a ticket with
+the FORWARDABLE flag set and requests a forwarded ticket by specifying the
+FORWARDED KDC option and supplying a set of addresses for the new ticket. It
+is also set in all tickets issued based on tickets with the FORWARDED flag
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+set. Application servers may choose to process FORWARDED tickets differently
+than non-FORWARDED tickets.
+
+2.7. Other KDC options
+
+There are two additional options which may be set in a client's request of
+the KDC. The RENEWABLE-OK option indicates that the client will accept a
+renewable ticket if a ticket with the requested life cannot otherwise be
+provided. If a ticket with the requested life cannot be provided, then the
+KDC may issue a renewable ticket with a renew-till equal to the the
+requested endtime. The value of the renew-till field may still be adjusted
+by site-determined limits or limits imposed by the individual principal or
+server.
+
+The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
+It indicates that the ticket to be issued for the end server is to be
+encrypted in the session key from the a additional second ticket-granting
+ticket provided with the request. See section 3.3.3 for specific details.
+
+3. Message Exchanges
+
+The following sections describe the interactions between network clients and
+servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+The Authentication Service (AS) Exchange between the client and the Kerberos
+Authentication Server is initiated by a client when it wishes to obtain
+authentication credentials for a given server but currently holds no
+credentials. In its basic form, the client's secret key is used for
+encryption and decryption. This exchange is typically used at the initiation
+of a login session to obtain credentials for a Ticket-Granting Server which
+will subsequently be used to obtain credentials for other servers (see
+section 3.3) without requiring further use of the client's secret key. This
+exchange is also used to request credentials for services which must not be
+mediated through the Ticket-Granting Service, but rather require a
+principal's secret key, such as the password-changing service[5]. This
+exchange does not by itself provide any assurance of the the identity of the
+user[6].
+
+The exchange consists of two messages: KRB_AS_REQ from the client to
+Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+In the request, the client sends (in cleartext) its own identity and the
+identity of the server for which it is requesting credentials. The response,
+KRB_AS_REP, contains a ticket for the client to present to the server, and a
+session key that will be shared by the client and the server. The session
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+key and additional information are encrypted in the client's secret key. The
+KRB_AS_REP message contains information which can be used to detect replays,
+and to associate it with the message to which it replies. Various errors can
+occur; these are indicated by an error response (KRB_ERROR) instead of the
+KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR
+message contains information which can be used to associate it with the
+message to which it replies. The lack of encryption in the KRB_ERROR message
+precludes the ability to detect replays, fabrications, or modifications of
+such messages.
+
+Without preautentication, the authentication server does not know whether
+the client is actually the principal named in the request. It simply sends a
+reply without knowing or caring whether they are the same. This is
+acceptable because nobody but the principal whose identity was given in the
+request will be able to use the reply. Its critical information is encrypted
+in that principal's key. The initial request supports an optional field that
+can be used to pass additional information that might be needed for the
+initial exchange. This field may be used for preauthentication as described
+in section [hl<>].
+
+3.1.1. Generation of KRB_AS_REQ message
+
+The client may specify a number of options in the initial request. Among
+these options are whether pre-authentication is to be performed; whether the
+requested ticket is to be renewable, proxiable, or forwardable; whether it
+should be postdated or allow postdating of derivative tickets; and whether a
+renewable ticket will be accepted in lieu of a non-renewable ticket if the
+requested ticket expiration date cannot be satisfied by a non-renewable
+ticket (due to configuration constraints; see section 4). See section A.1
+for pseudocode.
+
+The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+If all goes well, processing the KRB_AS_REQ message will result in the
+creation of a ticket for the client to present to the server. The format for
+the ticket is described in section 5.3.1. The contents of the ticket are
+determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+The authentication server looks up the client and server principals named in
+the KRB_AS_REQ in its database, extracting their respective keys. If
+required, the server pre-authenticates the request, and if the
+pre-authentication check fails, an error message with the code
+KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
+requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
+is returned. Otherwise it generates a 'random' session key[7].
+
+If there are multiple encryption keys registered for a client in the
+Kerberos database (or if the key registered supports multiple encryption
+types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
+request is used by the KDC to select the encryption method to be used for
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+encrypting the response to the client. If there is more than one supported,
+strong encryption type in the etype list, the first valid etype for which an
+encryption key is available is used. The encryption method used to respond
+to a TGS request is taken from the keytype of the session key found in the
+ticket granting ticket.
+
+When the etype field is present in a KDC request, whether an AS or TGS
+request, the KDC will attempt to assign the type of the random session key
+from the list of methods in the etype field. The KDC will select the
+appropriate type using the list of methods provided together with
+information from the Kerberos database indicating acceptable encryption
+methods for the application server. The KDC will not issue tickets with a
+weak session key encryption type.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise
+the requested start time is checked against the policy of the local realm
+(the administrator might decide to prohibit certain types or ranges of
+postdated tickets), and if acceptable, the ticket's start time is set as
+requested and the INVALID flag is set in the new ticket. The postdated
+ticket must be validated before use by presenting it to the KDC after the
+start time has been reached.
+
+The expiration time of the ticket will be set to the minimum of the
+following:
+
+   * The expiration time (endtime) requested in the KRB_AS_REQ message.
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the client principal (the authentication server's database
+     includes a maximum ticket lifetime field in each principal's record;
+     see section 4).
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the server principal.
+   * The ticket's start time plus the maximum lifetime set by the policy of
+     the local realm.
+
+If the requested expiration time minus the start time (as determined above)
+is less than a site-determined minimum lifetime, an error message with code
+KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
+ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
+option was requested, then the 'RENEWABLE' flag is set in the new ticket,
+and the renew-till value is set as if the 'RENEWABLE' option were requested
+(the field and option names are described fully in section 5.4.1).
+
+If the RENEWABLE option has been requested or if the RENEWABLE-OK option has
+been set and a renewable ticket is to be issued, then the renew-till field
+is set to the minimum of:
+
+   * Its requested value.
+   * The start time of the ticket plus the minimum of the two maximum
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     renewable lifetimes associated with the principals' database entries.
+   * The start time of the ticket plus the maximum renewable lifetime set by
+     the policy of the local realm.
+
+The flags field of the new ticket will have the following options set if
+they have been requested and if the policy of the local realm allows:
+FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
+ticket is post-dated (the start time is in the future), its INVALID flag
+will also be set.
+
+If all of the above succeed, the server formats a KRB_AS_REP message (see
+section 5.4.2), copying the addresses in the request into the caddr of the
+response, placing any required pre-authentication data into the padata of
+the response, and encrypts the ciphertext part in the client's key using the
+requested encryption method, and sends it to the client. See section A.2 for
+pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+Several errors can occur, and the Authentication Server responds by
+returning an error message, KRB_ERROR, to the client, with the error-code
+and e-text fields set to appropriate values. The error message contents and
+details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+If the reply message type is KRB_AS_REP, then the client verifies that the
+cname and crealm fields in the cleartext portion of the reply match what it
+requested. If any padata fields are present, they may be used to derive the
+proper secret key to decrypt the message. The client decrypts the encrypted
+part of the response using its secret key, verifies that the nonce in the
+encrypted part matches the nonce it supplied in its request (to detect
+replays). It also verifies that the sname and srealm in the response match
+those in the request (or are otherwise expected values), and that the host
+address field is also correct. It then stores the ticket, session key, start
+and expiration times, and other information for later use. The
+key-expiration field from the encrypted part of the response may be checked
+to notify the user of impending key expiration (the client program could
+then suggest remedial action, such as a password change). See section A.3
+for pseudocode.
+
+Proper decryption of the KRB_AS_REP message is not sufficient to verify the
+identity of the user; the user and an attacker could cooperate to generate a
+KRB_AS_REP format message which decrypts properly but is not from the proper
+KDC. If the host wishes to verify the identity of the user, it must require
+the user to present application credentials which can be verified using a
+securely-stored secret key for the host. If those credentials can be
+verified, then the identity of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+If the reply message type is KRB_ERROR, then the client interprets it as an
+error and performs whatever application-specific tasks are necessary to
+recover.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+3.2. The Client/Server Authentication Exchange
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+The client/server authentication (CS) exchange is used by network
+applications to authenticate the client to the server and vice versa. The
+client must have already acquired credentials for the server using the AS or
+TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+The KRB_AP_REQ contains authentication information which should be part of
+the first message in an authenticated transaction. It contains a ticket, an
+authenticator, and some additional bookkeeping information (see section
+5.5.1 for the exact format). The ticket by itself is insufficient to
+authenticate a client, since tickets are passed across the network in
+cleartext[DS90], so the authenticator is used to prevent invalid replay of
+tickets by proving to the server that the client knows the session key of
+the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is
+referred to elsewhere as the 'authentication header.'
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+When a client wishes to initiate authentication to a server, it obtains
+(either through a credentials cache, the AS exchange, or the TGS exchange) a
+ticket and session key for the desired service. The client may re-use any
+tickets it holds until they expire. To use a ticket the client constructs a
+new Authenticator from the the system time, its name, and optionally an
+application specific checksum, an initial sequence number to be used in
+KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
+negotiations for a session key unique to this particular session.
+Authenticators may not be re-used and will be rejected if replayed to a
+server[LGDSR87]. If a sequence number is to be included, it should be
+randomly chosen so that even after many messages have been exchanged it is
+not likely to collide with other sequence numbers in use.
+
+The client may indicate a requirement of mutual authentication or the use of
+a session-key based ticket by setting the appropriate flag(s) in the
+ap-options field of the message.
+
+The Authenticator is encrypted in the session key and combined with the
+ticket to form the KRB_AP_REQ message which is then sent to the end server
+along with any additional application-specific information. See section A.9
+for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+Authentication is based on the server's current time of day (clocks must be
+loosely synchronized), the authenticator, and the ticket. Several errors are
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+possible. If an error occurs, the server is expected to reply to the client
+with a KRB_ERROR message. This message may be encapsulated in the
+application protocol if its 'raw' form is not acceptable to the protocol.
+The format of error messages is described in section 5.9.1.
+
+The algorithm for verifying authentication information is as follows. If the
+message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE
+error. If the key version indicated by the Ticket in the KRB_AP_REQ is not
+one the server can use (e.g., it indicates an old key, and the server no
+longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is
+returned. If the USE-SESSION-KEY flag is set in the ap-options field, it
+indicates to the server that the ticket is encrypted in the session key from
+the server's ticket-granting ticket rather than its secret key[10]. Since it
+is possible for the server to be registered in multiple realms, with
+different keys in each, the srealm field in the unencrypted portion of the
+ticket in the KRB_AP_REQ is used to specify which secret key the server
+should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is
+returned if the server doesn't have the proper key to decipher the ticket.
+
+The ticket is decrypted using the version of the server's key specified by
+the ticket. If the decryption routines detect a modification of the ticket
+(each encryption system must provide safeguards to detect modified
+ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
+(chances are good that different keys were used to encrypt and decrypt).
+
+The authenticator is decrypted using the session key extracted from the
+decrypted ticket. If decryption shows it to have been modified, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client
+from the ticket are compared against the same fields in the authenticator.
+If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might
+not match, for example, if the wrong session key was used to encrypt the
+authenticator). The addresses in the ticket (if any) are then searched for
+an address matching the operating-system reported address of the client. If
+no match is found or the server insists on ticket addresses but none are
+present in the ticket, the KRB_AP_ERR_BADADDR error is returned.
+
+If the local (server) time and the client time in the authenticator differ
+by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW
+error is returned. If the server name, along with the client name, time and
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must
+remember any authenticator presented within the allowable clock skew, so
+that a replay attempt is guaranteed to fail. If a server loses track of any
+authenticator presented within the allowable clock skew, it must reject all
+requests until the clock skew interval has passed. This assures that any
+lost or re-played authenticators will fall outside the allowable clock skew
+and can no longer be successfully replayed (If this is not done, an attacker
+could conceivably record the ticket and authenticator sent over the network
+to a server, then disable the client's host, pose as the disabled host, and
+replay the ticket and authenticator to subvert the authentication.). If a
+sequence number is provided in the authenticator, the server saves it for
+later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is
+present, the server either saves it for later use or uses it to help
+generate its own choice for a subkey to be returned in a KRB_AP_REP message.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+The server computes the age of the ticket: local (server) time minus the
+start time inside the Ticket. If the start time is later than the current
+time by more than the allowable clock skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
+current time is later than end time by more than the allowable clock skew,
+the KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+If all these checks succeed without an error, the server is assured that the
+client possesses the credentials of the principal named in the ticket and
+thus, the client has been authenticated to the server. See section A.10 for
+pseudocode.
+
+Passing these checks provides only authentication of the named principal; it
+does not imply authorization to use the named service. Applications must
+make a separate authorization decisions based upon the authenticated name of
+the user, the requested operation, local acces control information such as
+that contained in a .k5login or .k5users file, and possibly a separate
+distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+Typically, a client's request will include both the authentication
+information and its initial request in the same message, and the server need
+not explicitly reply to the KRB_AP_REQ. However, if mutual authentication
+(not only authenticating the client to the server, but also the server to
+the client) is being performed, the KRB_AP_REQ message will have
+MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is
+required in response. As with the error message, this message may be
+encapsulated in the application protocol if its "raw" form is not acceptable
+to the application's protocol. The timestamp and microsecond field used in
+the reply must be the client's timestamp and microsecond field (as provided
+in the authenticator)[12]. If a sequence number is to be included, it should
+be randomly chosen as described above for the authenticator. A subkey may be
+included if the server desires to negotiate a different subkey. The
+KRB_AP_REP message is encrypted in the session key extracted from the
+ticket. See section A.11 for pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+If a KRB_AP_REP message is returned, the client uses the session key from
+the credentials obtained for the server[13] to decrypt the message, and
+verifies that the timestamp and microsecond fields match those in the
+Authenticator it sent to the server. If they match, then the client is
+assured that the server is genuine. The sequence number and subkey (if
+present) are retained for later use. See section A.12 for pseudocode.
+
+3.2.6. Using the encryption key
+
+After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server
+share an encryption key which can be used by the application. The 'true
+session key' to be used for KRB_PRIV, KRB_SAFE, or other
+application-specific uses may be chosen by the application based on the
+subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+the use of this session key will be implicit in the protocol; in others the
+method of use must be chosen from several alternatives. We leave the
+protocol negotiations of how to use the key (e.g. selecting an encryption or
+checksum type) to the application programmer; the Kerberos protocol does not
+constrain the implementation options, but an example of how this might be
+done follows.
+
+One way that an application may choose to negotiate a key to be used for
+subequent integrity and privacy protection is for the client to propose a
+key in the subkey field of the authenticator. The server can then choose a
+key using the proposed key from the client as input, returning the new
+subkey in the subkey field of the application reply. This key could then be
+used for subsequent communication. To make this example more concrete, if
+the encryption method in use required a 56 bit key, and for whatever reason,
+one of the parties was prevented from using a key with more than 40 unknown
+bits, this method would allow the the party which is prevented from using
+more than 40 bits to either propose (if the client) an initial key with a
+known quantity for 16 of those bits, or to mask 16 of the bits (if the
+server) with the known quantity. The application implementor is warned,
+however, that this is only an example, and that an analysis of the
+particular crytosystem to be used, and the reasons for limiting the key
+length, must be made before deciding whether it is acceptable to mask bits
+of the key.
+
+With both the one-way and mutual authentication exchanges, the peers should
+take care not to send sensitive information to each other without proper
+assurances. In particular, applications that require privacy or integrity
+should use the KRB_AP_REP response from the server to client to assure both
+client and server of their peer's identity. If an application protocol
+requires privacy of its messages, it can use the KRB_PRIV message (section
+3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+The TGS exchange between a client and the Kerberos Ticket-Granting Server is
+initiated by a client when it wishes to obtain authentication credentials
+for a given server (which might be registered in a remote realm), when it
+wishes to renew or validate an existing ticket, or when it wishes to obtain
+a proxy ticket. In the first case, the client must already have acquired a
+ticket for the Ticket-Granting Service using the AS exchange (the
+ticket-granting ticket is usually obtained when a client initially
+authenticates to the system, such as when a user logs in). The message
+format for the TGS exchange is almost identical to that for the AS exchange.
+The primary difference is that encryption and decryption in the TGS exchange
+does not take place under the client's key. Instead, the session key from
+the ticket-granting ticket or renewable ticket, or sub-session key from an
+Authenticator is used. As is the case for all application servers, expired
+tickets are not accepted by the TGS, so once a renewable or ticket-granting
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+ticket expires, the client must use a separate exchange to obtain valid
+tickets.
+
+The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
+client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
+KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
+client plus a request for credentials. The authentication information
+consists of the authentication header (KRB_AP_REQ) which includes the
+client's previously obtained ticket-granting, renewable, or invalid ticket.
+In the ticket-granting ticket and proxy cases, the request may include one
+or more of: a list of network addresses, a collection of typed authorization
+data to be sealed in the ticket for authorization use by the application
+server, or additional tickets (the use of which are described later). The
+TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the
+session key from the ticket-granting ticket or renewable ticket, or if
+present, in the sub-session key from the Authenticator (part of the
+authentication header). The KRB_ERROR message contains an error code and
+text explaining what went wrong. The KRB_ERROR message is not encrypted. The
+KRB_TGS_REP message contains information which can be used to detect
+replays, and to associate it with the message to which it replies. The
+KRB_ERROR message also contains information which can be used to associate
+it with the message to which it replies, but the lack of encryption in the
+KRB_ERROR message precludes the ability to detect replays or fabrications of
+such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+Before sending a request to the ticket-granting service, the client must
+determine in which realm the application server is registered[15]. If the
+client does not already possess a ticket-granting ticket for the appropriate
+realm, then one must be obtained. This is first attempted by requesting a
+ticket-granting ticket for the destination realm from a Kerberos server for
+which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ
+message recursively). The Kerberos server may return a TGT for the desired
+realm in which case one can proceed. Alternatively, the Kerberos server may
+return a TGT for a realm which is 'closer' to the desired realm (further
+along the standard hierarchical path), in which case this step must be
+repeated with a Kerberos server in the realm specified in the returned TGT.
+If neither are returned, then the request must be retried with a Kerberos
+server for a realm higher in the hierarchy. This request will itself require
+a ticket-granting ticket for the higher realm which must be obtained by
+recursively applying these directions.
+
+Once the client obtains a ticket-granting ticket for the appropriate realm,
+it determines which Kerberos servers serve that realm, and contacts one. The
+list might be obtained through a configuration file or network service or it
+may be generated from the name of the realm; as long as the secret keys
+exchanged by realms are kept secret, only denial of service results from
+using a false Kerberos server.
+
+As in the AS exchange, the client may specify a number of options in the
+KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
+an authentication header as an element of the padata field, and including
+the same fields as used in the KRB_AS_REQ message along with several
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+optional fields: the enc-authorization-data field for application server use
+and additional tickets required by some options.
+
+In preparing the authentication header, the client can select a sub-session
+key under which the response from the Kerberos server will be encrypted[16].
+If the sub-session key is not specified, the session key from the
+ticket-granting ticket will be used. If the enc-authorization-data is
+present, it must be encrypted in the sub-session key, if present, from the
+authenticator portion of the authentication header, or if not present, using
+the session key from the ticket-granting ticket.
+
+Once prepared, the message is sent to a Kerberos server for the destination
+realm. See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
+message, but there are many additional checks to be performed. First, the
+Kerberos server must determine which server the accompanying ticket is for
+and it must select the appropriate key to decrypt it. For a normal
+KRB_TGS_REQ message, it will be for the ticket granting service, and the
+TGS's key will be used. If the TGT was issued by another realm, then the
+appropriate inter-realm key must be used. If the accompanying ticket is not
+a ticket granting ticket for the current realm, but is for an application
+server in the current realm, the RENEW, VALIDATE, or PROXY options are
+specified in the request, and the server for which a ticket is requested is
+the server named in the accompanying ticket, then the KDC will decrypt the
+ticket in the authentication header using the key of the server for which it
+was issued. If no ticket can be found in the padata field, the
+KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+Once the accompanying ticket has been decrypted, the user-supplied checksum
+in the Authenticator must be verified against the contents of the request,
+and the message rejected if the checksums do not match (with an error code
+of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
+collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
+checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
+returned. If the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+If any of the decryptions indicate failed integrity checks, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+3.3.3. Generation of KRB_TGS_REP message
+
+The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP),
+but with its type field set to KRB_TGS_REP. The detailed specification is in
+section 5.4.2.
+
+The response will include a ticket for the requested server. The Kerberos
+database is queried to retrieve the record for the requested server
+(including the key with which the ticket will be encrypted). If the request
+is for a ticket granting ticket for a remote realm, and if no key is shared
+with the requested realm, then the Kerberos server will select the realm
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+"closest" to the requested realm with which it does share a key, and use
+that realm instead. This is the only case where the response from the KDC
+will be for a different server than that requested by the client.
+
+By default, the address field, the client's name and realm, the list of
+transited realms, the time of initial authentication, the expiration time,
+and the authorization data of the newly-issued ticket will be copied from
+the ticket-granting ticket (TGT) or renewable ticket. If the transited field
+needs to be updated, but the transited type is not supported, the
+KDC_ERR_TRTYPE_NOSUPP error is returned.
+
+If the request specifies an endtime, then the endtime of the new ticket is
+set to the minimum of (a) that request, (b) the endtime from the TGT, and
+(c) the starttime of the TGT plus the minimum of the maximum life for the
+application server and the maximum life for the local realm (the maximum
+life for the requesting principal was already applied when the TGT was
+issued). If the new ticket is to be a renewal, then the endtime above is
+replaced by the minimum of (a) the value of the renew_till field of the
+ticket and (b) the starttime for the new ticket plus the life
+(endtime-starttime) of the old ticket.
+
+If the FORWARDED option has been requested, then the resulting ticket will
+contain the addresses specified by the client. This option will only be
+honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
+similar; the resulting ticket will contain the addresses specified by the
+client. It will be honored only if the PROXIABLE flag in the TGT is set. The
+PROXY option will not be honored on requests for additional ticket-granting
+tickets.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified or the MAY-POSTDATE flag is not set in the TGT, then the
+error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting
+ticket has the MAY-POSTDATE flag set, then the resulting ticket will be
+postdated and the requested starttime is checked against the policy of the
+local realm. If acceptable, the ticket's start time is set as requested, and
+the INVALID flag is set. The postdated ticket must be validated before use
+by presenting it to the KDC after the starttime has been reached. However,
+in no case may the starttime, endtime, or renew-till time of a newly-issued
+postdated ticket extend beyond the renew-till time of the ticket-granting
+ticket.
+
+If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+has been included in the request, the KDC will decrypt the additional ticket
+using the key for the server to which the additional ticket was issued and
+verify that it is a ticket-granting ticket. If the name of the requested
+server is missing from the request, the name of the client in the additional
+ticket will be used. Otherwise the name of the requested server will be
+compared to the name of the client in the additional ticket and if
+different, the request will be rejected. If the request succeeds, the
+session key from the additional ticket will be used to encrypt the new
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+ticket that is issued instead of using the key of the server for which the
+new ticket will be used[17].
+
+If the name of the server in the ticket that is presented to the KDC as part
+of the authentication header is not that of the ticket-granting server
+itself, the server is registered in the realm of the KDC, and the RENEW
+option is requested, then the KDC will verify that the RENEWABLE flag is set
+in the ticket, that the INVALID flag is not set in the ticket, and that the
+renew_till time is still in the future. If the VALIDATE option is rqeuested,
+the KDC will check that the starttime has passed and the INVALID flag is
+set. If the PROXY option is requested, then the KDC will check that the
+PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket
+passes the hotlist check described in the next paragraph, the KDC will issue
+the appropriate new ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+Whenever a request is made to the ticket-granting server, the presented
+ticket(s) is(are) checked against a hot-list of tickets which have been
+canceled. This hot-list might be implemented by storing a range of issue
+timestamps for 'suspect tickets'; if a presented ticket had an authtime in
+that range, it would be rejected. In this way, a stolen ticket-granting
+ticket or renewable ticket cannot be used to gain additional tickets
+(renewals or otherwise) once the theft has been reported. Any normal ticket
+obtained before it was reported stolen will still be valid (because they
+require no interaction with the KDC), but only until their normal expiration
+time.
+
+The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+in the sub-session key from the Authenticator, if present, or the session
+key key from the ticket-granting ticket. It is not encrypted using the
+client's secret key. Furthermore, the client's key's expiration date and the
+key version number fields are left out since these values are stored along
+with the client's database record, and that record is not needed to satisfy
+a request based on a ticket-granting ticket. See section A.6 for pseudocode.
+
+3.3.3.2. Encoding the transited field
+
+If the identity of the server in the TGT that is presented to the KDC as
+part of the authentication header is that of the ticket-granting service,
+but the TGT was issued from another realm, the KDC will look up the
+inter-realm key shared with that realm and use that key to decrypt the
+ticket. If the ticket is valid, then the KDC will honor the request, subject
+to the constraints outlined above in the section describing the AS exchange.
+The realm part of the client's identity will be taken from the
+ticket-granting ticket. The name of the realm that issued the
+ticket-granting ticket will be added to the transited field of the ticket to
+be issued. This is accomplished by reading the transited field from the
+ticket-granting ticket (which is treated as an unordered set of realm
+names), adding the new realm to the set, then constructing and writing out
+its encoded (shorthand) form (this may involve a rearrangement of the
+existing encoding).
+
+Note that the ticket-granting service does not add the name of its own
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+realm. Instead, its responsibility is to add the name of the previous realm.
+This prevents a malicious Kerberos server from intentionally leaving out its
+own name (it could, however, omit other realms' names).
+
+The names of neither the local realm nor the principal's realm are to be
+included in the transited field. They appear elsewhere in the ticket and
+both are known to have taken part in authenticating the principal. Since the
+endpoints are not included, both local and single-hop inter-realm
+authentication result in a transited field that is empty.
+
+Because the name of each realm transited is added to this field, it might
+potentially be very long. To decrease the length of this field, its contents
+are encoded. The initially supported encoding is optimized for the normal
+case of inter-realm communication: a hierarchical arrangement of realms
+using either domain or X.500 style realm names. This encoding (called
+DOMAIN-X500-COMPRESS) is now described.
+
+Realm names in the transited field are separated by a ",". The ",", "\",
+trailing "."s, and leading spaces (" ") are special characters, and if they
+are part of a realm name, they must be quoted in the transited field by
+preced- ing them with a "\".
+
+A realm name ending with a "." is interpreted as being prepended to the
+previous realm. For example, we can encode traversal of EDU, MIT.EDU,
+ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they
+would not be included in this field, and we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is interpreted as being appended to the
+previous realm[18]. If it is to stand by itself, then it should be preceded
+by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
+/COM/HP, /COM, and /COM/DEC as:
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+
+Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
+they would not be included in this field, and we would have:
+
+     "/COM,/HP"
+
+A null subfield preceding or following a "," indicates that all realms
+between the previous realm and the next realm have been traversed[19]. Thus,
+"," means that all realms along the path between the client and the server
+have been traversed. ",EDU, /COM," means that that all realms from the
+client's realm up to EDU (in a domain style hierarchy) have been traversed,
+and that everything from /COM down to the server's realm in an X.500 style
+has also been traversed. This could occur if the EDU realm in one hierarchy
+shares an inter-realm key directly with the /COM realm in another hierarchy.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it is processed in the same
+manner as the KRB_AS_REP processing described above. The primary difference
+is that the ciphertext part of the response must be decrypted using the
+session key from the ticket-granting ticket rather than the client's secret
+key. See section A.7 for pseudocode.
+
+3.4. The KRB_SAFE Exchange
+
+The KRB_SAFE message may be used by clients requiring the ability to detect
+modifications of messages they exchange. It achieves this by including a
+keyed collision-proof checksum of the user data and some control
+information. The checksum is keyed with an encryption key (usually the last
+key negotiated via subkeys, or the session key if no negotiation has
+occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+When an application wishes to send a KRB_SAFE message, it collects its data
+and the appropriate control information and computes a checksum over them.
+The checksum algorithm should be a keyed one-way hash function (such as the
+RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC),
+generated using the sub-session key if present, or the session key.
+Different algorithms may be selected by changing the checksum type in the
+message. Unkeyed or non-collision-proof checksums are not suitable for this
+use.
+
+The control information for the KRB_SAFE message includes both a timestamp
+and a sequence number. The designer of an application using the KRB_SAFE
+message must choose at least one of the two mechanisms. This choice should
+be based on the needs of the application protocol.
+
+Sequence numbers are useful when all messages sent will be received by one's
+peer. Connection state is presently required to maintain the session key, so
+maintaining the next sequence number should not present an additional
+problem.
+
+If the application protocol is expected to tolerate lost messages without
+them being resent, the use of the timestamp is the appropriate replay
+detection mechanism. Using timestamps is also the appropriate mechanism for
+multi-cast protocols where all of one's peers share a common sub-session
+key, but some messages will be sent to a subset of one's peers.
+
+After computing the checksum, the client then transmits the information and
+checksum to the recipient in the message format specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_SAFE, respectively. A mismatch
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application verifies that the checksum used is a collision-proof keyed
+checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. The
+recipient verifies that the operating system's report of the sender's
+address matches the sender's address in the message, and (if a recipient
+address is specified or the recipient requires an address) that one of the
+recipient's addresses appears as the recipient's address in the message. A
+failed match for either case generates a KRB_AP_ERR_BADADDR error. Then the
+timestamp and usec and/or the sequence number fields are checked. If
+timestamp and usec are expected and not present, or they are present but not
+current, the KRB_AP_ERR_SKEW error is generated. If the server name, along
+with the client name, time and microsecond fields from the Authenticator
+match any recently-seen (sent or received[20] ) such tuples, the
+KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number is
+included, or a sequence number is expected but not present, the
+KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
+a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
+Finally, the checksum is computed over the data and control information, and
+if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error is
+generated.
+
+If all the checks succeed, the application is assured that the message was
+generated by its peer and was not modi- fied in transit.
+
+3.5. The KRB_PRIV Exchange
+
+The KRB_PRIV message may be used by clients requiring confidentiality and
+the ability to detect modifications of exchanged messages. It achieves this
+by encrypting the messages and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+When an application wishes to send a KRB_PRIV message, it collects its data
+and the appropriate control information (specified in section 5.7.1) and
+encrypts them under an encryption key (usually the last key negotiated via
+subkeys, or the session key if no negotiation has occured). As part of the
+control information, the client must choose to use either a timestamp or a
+sequence number (or both); see the discussion in section 3.4.1 for
+guidelines on which to use. After the user data and control information are
+encrypted, the client transmits the ciphertext and some 'envelope'
+information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_PRIV, respectively. A mismatch
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application then decrypts the ciphertext and processes the resultant
+plaintext. If decryption shows the data to have been modified, a
+KRB_AP_ERR_BAD_INTEGRITY error is generated. The recipient verifies that the
+operating system's report of the sender's address matches the sender's
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+address in the message, and (if a recipient address is specified or the
+recipient requires an address) that one of the recipient's addresses appears
+as the recipient's address in the message. A failed match for either case
+generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the
+sequence number fields are checked. If timestamp and usec are expected and
+not present, or they are present but not current, the KRB_AP_ERR_SKEW error
+is generated. If the server name, along with the client name, time and
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence
+number is included, or a sequence number is expected but not present, the
+KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
+a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+If all the checks succeed, the application can assume the message was
+generated by its peer, and was securely transmitted (without intruders able
+to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+The KRB_CRED message may be used by clients requiring the ability to send
+Kerberos credentials from one host to another. It achieves this by sending
+the tickets together with encrypted data containing the session keys and
+other information associated with the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+When an application wishes to send a KRB_CRED message it first (using the
+KRB_TGS exchange) obtains credentials to be sent to the remote host. It then
+constructs a KRB_CRED message using the ticket or tickets so obtained,
+placing the session key needed to use each ticket in the key field of the
+corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED
+message.
+
+Other information associated with each ticket and obtained during the
+KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in
+the encrypted part of the KRB_CRED message. The current time and, if
+specifically required by the application the nonce, s-address, and r-address
+fields, are placed in the encrypted part of the KRB_CRED message which is
+then encrypted under an encryption key previosuly exchanged in the KRB_AP
+exchange (usually the last key negotiated via subkeys, or the session key if
+no negotiation has occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies it. If any
+error occurs, an error code is reported for use by the application. The
+message is verified by checking that the protocol version and type fields
+match the current version and KRB_CRED, respectively. A mismatch generates a
+KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
+decrypts the ciphertext and processes the resultant plaintext. If decryption
+shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
+generated.
+
+If present or required, the recipient verifies that the operating system's
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+report of the sender's address matches the sender's address in the message,
+and that one of the recipient's addresses appears as the recipient's address
+in the message. A failed match for either case generates a
+KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce field
+if required) are checked next. If the timestamp and usec are not present, or
+they are present but not current, the KRB_AP_ERR_SKEW error is generated.
+
+If all the checks succeed, the application stores each of the new tickets in
+its ticket cache together with the session key and other information in the
+corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED
+message.
+
+4. The Kerberos Database
+
+The Kerberos server must have access to a database contain- ing the
+principal identifiers and secret keys of principals to be authenticated[21].
+
+4.1. Database contents
+
+A database entry should contain at least the following fields:
+
+Field                Value
+
+name                 Principal's identifier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier. The key field
+contains an encryption key. This key is the principal's secret key. (The key
+can be encrypted before storage under a Kerberos "master key" to protect it
+in case the database is compromised but the master key is not. In that case,
+an extra field must be added to indicate the master key version used, see
+below.) The p_kvno field is the key version number of the principal's secret
+key. The max_life field contains the maximum allowable lifetime (endtime -
+starttime) for any Ticket issued for this principal. The max_renewable_life
+field contains the maximum allowable total lifetime for any renewable Ticket
+issued for this principal. (See section 3.1 for a description of how these
+lifetimes are used in determining the lifetime of a given Ticket.)
+
+A server may provide KDC service to several realms, as long as the database
+representation provides a mechanism to distinguish between principal records
+with identifiers which differ only in the realm name.
+
+When an application server's key changes, if the change is routine (i.e. not
+the result of disclosure of the old key), the old key should be retained by
+the server until all tickets that had been issued using that key have
+expired. Because of this, it is possible for several keys to be active for a
+single principal. Ciphertext encrypted in a principal's key is always tagged
+with the version of the key that was used for encryption, to help the
+recipient find the proper key for decryption.
+
+When more than one key is active for a particular principal, the principal
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+will have more than one record in the Kerberos database. The keys and key
+version numbers will differ between the records (the rest of the fields may
+or may not be the same). Whenever Kerberos issues a ticket, or responds to a
+request for initial authentication, the most recent key (known by the
+Kerberos server) will be used for encryption. This is the key with the
+highest key version number.
+
+4.2. Additional fields
+
+Project Athena's KDC implementation uses additional fields in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+mod_name     Modifying principal's identifier
+
+The K_kvno field indicates the key version of the Kerberos master key under
+which the principal's secret key is encrypted.
+
+After an entry's expiration date has passed, the KDC will return an error to
+any client attempting to gain tickets as or for the principal. (A database
+may want to maintain two expiration dates: one for the principal, and one
+for the principal's current key. This allows password aging to work
+independently of the principal's expiration date. However, due to the
+limited space in the responses, the KDC must combine the key expiration and
+principal expiration date into a single value called 'key_exp', which is
+used as a hint to the user to take administrative action.)
+
+The attributes field is a bitfield used to govern the operations involving
+the principal. This field might be useful in conjunction with user
+registration procedures, for site-specific policy implementations (Project
+Athena currently uses it for their user registration process controlled by
+the system-wide database service, Moira [LGDSR87]), to identify whether a
+principal can play the role of a client or server or both, to note whether a
+server is appropriate trusted to recieve credentials delegated by a client,
+or to identify the 'string to key' conversion algorithm used for a
+principal's key[22]. Other bits are used to indicate that certain ticket
+options should not be allowed in tickets encrypted under a principal's key
+(one bit each): Disallow issuing postdated tickets, disallow issuing
+forwardable tickets, disallow issuing tickets based on TGT authentication,
+disallow issuing renewable tickets, disallow issuing proxiable tickets, and
+disallow issuing tickets for which the principal is the server.
+
+The mod_date field contains the time of last modification of the entry, and
+the mod_name field contains the name of the principal which last modified
+the entry.
+
+4.3. Frequently Changing Fields
+
+Some KDC implementations may wish to maintain the last time that a request
+was made by a particular principal. Information that might be maintained
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+includes the time of the last request, the time of the last request for a
+ticket-granting ticket, the time of the last use of a ticket-granting
+ticket, or other times. This information can then be returned to the user in
+the last-req field (see section 5.2).
+
+Other frequently changing information that can be maintained is the latest
+expiration time for any tickets that have been issued using each key. This
+field would be used to indicate how long old keys must remain valid to allow
+the continued use of outstanding tickets.
+
+4.4. Site Constants
+
+The KDC implementation should have the following configurable constants or
+options, to allow an administrator to make and enforce policy decisions:
+
+   * The minimum supported lifetime (used to determine whether the
+     KDC_ERR_NEVER_VALID error should be returned). This constant should
+     reflect reasonable expectations of round-trip time to the KDC,
+     encryption/decryption time, and processing time by the client and
+     target server, and it should allow for a minimum 'useful' lifetime.
+   * The maximum allowable total (renewable) lifetime of a ticket
+     (renew_till - starttime).
+   * The maximum allowable lifetime of a ticket (endtime - starttime).
+   * Whether to allow the issue of tickets with empty address fields
+     (including the ability to specify that such tickets may only be issued
+     if the request specifies some authorization_data).
+   * Whether proxiable, forwardable, renewable or post-datable tickets are
+     to be issued.
+
+5. Message Specifications
+
+The following sections describe the exact contents and encoding of protocol
+messages and objects. The ASN.1 base definitions are presented in the first
+subsection. The remaining subsections specify the protocol objects (tickets
+and authenticators) and messages. Specification of encryption and checksum
+techniques, and the fields related to them, appear in section 6.
+
+5.1. ASN.1 Distinguished Encoding Representation
+
+All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+Representation of the data elements as described in the X.509 specification,
+section 8.7 [X509-88].
+
+5.2. ASN.1 Base Definitions
+
+The following ASN.1 base definitions are used in the rest of this section.
+Note that since the underscore character (_) is not permitted in ASN.1
+names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+Kerberos realms are encoded as GeneralStrings. Realms shall not contain a
+character with the code 0 (the ASCII NUL). Most realms will usually consist
+of several components separated by periods (.), in the style of Internet
+Domain Names, or separated by slashes (/) in the style of X.500 names.
+Acceptable forms for realm names are specified in section 7. A PrincipalName
+is a typed sequence of components consisting of the following sub-fields:
+
+name-type
+     This field specifies the type of name that follows. Pre-defined values
+     for this field are specified in section 7.2. The name-type should be
+     treated as a hint. Ignoring the name type, no two names can be the same
+     (i.e. at least one of the components, or the realm, must be different).
+     This constraint may be eliminated in the future.
+name-string
+     This field encodes a sequence of components that form a name, each
+     component encoded as a GeneralString. Taken together, a PrincipalName
+     and a Realm form a principal identifier. Most PrincipalNames will have
+     only a few components (typically one or two).
+
+KerberosTime ::=   GeneralizedTime
+                   -- Specifying UTC time zone (Z)
+
+The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding
+shall specify the UTC time zone (Z) and shall not include any fractional
+portions of the seconds. It further shall not include any separators.
+Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm
+on 6 November 1985 is 19851106210627Z.
+
+HostAddress ::=     SEQUENCE  {
+                    addr-type[0]             INTEGER,
+                    address[1]               OCTET STRING
+}
+
+HostAddresses ::=   SEQUENCE OF HostAddress
+
+The host adddress encodings consists of two fields:
+
+addr-type
+     This field specifies the type of address that follows. Pre-defined
+     values for this field are specified in section 8.1.
+address
+     This field encodes a single address of type addr-type.
+
+The two forms differ slightly. HostAddress contains exactly one address;
+HostAddresses contains a sequence of possibly many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+ad-data
+     This field contains authorization data to be interpreted according to
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     the value of the corresponding ad-type field.
+ad-type
+     This field specifies the format for the ad-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+Each sequence of type and data is refered to as an authorization element.
+Elements may be application specific, however, there is a common set of
+recursive elements that should be understood by all implementations. These
+elements contain other elements embedded within them, and the interpretation
+of the encapsulating element determines which of the embedded elements must
+be interpreted, and which may be ignored. Definitions for these common
+elements may be found in Appendix B.
+
+TicketExtensions ::= SEQUENCE OF SEQUENCE {
+           te-type[0]       INTEGER,
+           te-data[1]       OCTET STRING
+}
+
+
+
+te-data
+     This field contains opaque data that must be caried with the ticket to
+     support extensions to the Kerberos protocol including but not limited
+     to some forms of inter-realm key exchange and plaintext authorization
+     data. See appendix C for some common uses of this field.
+te-type
+     This field specifies the format for the te-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+APOptions ::=   BIT STRING {
+                  reserved(0),
+                  use-session-key(1),
+                  mutual-required(2)
+}
+
+TicketFlags ::= BIT STRING {
+                  reserved(0),
+                  forwardable(1),
+                  forwarded(2),
+                  proxiable(3),
+                  proxy(4),
+                  may-postdate(5),
+                  postdated(6),
+                  invalid(7),
+                  renewable(8),
+                  initial(9),
+                  pre-authent(10),
+                  hw-authent(11),
+                  transited-policy-checked(12),
+                  ok-as-delegate(13)
+}
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+KDCOptions ::=   BIT STRING {
+                  reserved(0),
+                  forwardable(1),
+                  forwarded(2),
+                  proxiable(3),
+                  proxy(4),
+                  allow-postdate(5),
+                  postdated(6),
+                  unused7(7),
+                  renewable(8),
+                  unused9(9),
+                  unused10(10),
+                  unused11(11),
+                  unused12(12),
+                  unused13(13),
+                  disable-transited-check(26),
+                  renewable-ok(27),
+                  enc-tkt-in-skey(28),
+                  renew(30),
+                  validate(31)
+}
+
+ASN.1 Bit strings have a length and a value. When used in Kerberos for the
+APOptions, TicketFlags, and KDCOptions, the length of the bit string on
+generated values should be the smallest multiple of 32 bits needed to
+include the highest order bit that is set (1), but in no case less than 32
+bits. Implementations should accept values of bit strings of any length and
+treat the value of flags cooresponding to bits beyond the end of the bit
+string as if the bit were reset (0). Comparisonof bit strings of different
+length should treat the smaller string as if it were padded with zeros
+beyond the high order bits to the length of the longer string[23].
+
+LastReq ::=   SEQUENCE OF SEQUENCE {
+               lr-type[0]               INTEGER,
+               lr-value[1]              KerberosTime
+}
+
+lr-type
+     This field indicates how the following lr-value field is to be
+     interpreted. Negative values indicate that the information pertains
+     only to the responding server. Non-negative values pertain to all
+     servers for the realm. If the lr-type field is zero (0), then no
+     information is conveyed by the lr-value subfield. If the absolute value
+     of the lr-type field is one (1), then the lr-value subfield is the time
+     of last initial request for a TGT. If it is two (2), then the lr-value
+     subfield is the time of last initial request. If it is three (3), then
+     the lr-value subfield is the time of issue for the newest
+     ticket-granting ticket used. If it is four (4), then the lr-value
+     subfield is the time of the last renewal. If it is five (5), then the
+     lr-value subfield is the time of last request (of any type).
+lr-value
+     This field contains the time of the last request. the time must be
+     interpreted according to the contents of the accompanying lr-type
+     subfield.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
+EncryptionKey, EncryptionType, and KeyType.
+
+5.3. Tickets and Authenticators
+
+This section describes the format and encryption parameters for tickets and
+authenticators. When a ticket or authenticator is included in a protocol
+message it is treated as an opaque object.
+
+5.3.1. Tickets
+
+A ticket is a record that helps a client authenticate to a service. A Ticket
+contains the following information:
+
+Ticket ::=        [APPLICATION 1] SEQUENCE {
+                  tkt-vno[0]                   INTEGER,
+                  realm[1]                     Realm,
+                  sname[2]                     PrincipalName,
+                  enc-part[3]                  EncryptedData,
+                  extensions[4]                TicketExtensions OPTIONAL
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared by Kerberos and
+the end server (the server's secret key). See section 6 for the format of
+the ciphertext.
+
+tkt-vno
+     This field specifies the version number for the ticket format. This
+     document describes version number 5.
+realm
+     This field specifies the realm that issued a ticket. It also serves to
+     identify the realm part of the server's principal identifier. Since a
+     Kerberos server can only issue tickets for servers within its realm,
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     the two will always be identical.
+sname
+     This field specifies the name part of the server's identity.
+enc-part
+     This field holds the encrypted encoding of the EncTicketPart sequence.
+extensions
+     This optional field contains a sequence of extentions that may be used
+     to carry information that must be carried with the ticket to support
+     several extensions, including but not limited to plaintext
+     authorization data, tokens for exchanging inter-realm keys, and other
+     information that must be associated with a ticket for use by the
+     application server. See Appendix C for definitions of some common
+     extensions.
+
+     Note that some older versions of Kerberos did not support this field.
+     Because this is an optional field it will not break older clients, but
+     older clients might strip this field from the ticket before sending it
+     to the application server. This limits the usefulness of this ticket
+     field to environments where the ticket will not be parsed and
+     reconstructed by these older Kerberos clients.
+
+     If it is known that the client will strip this field from the ticket,
+     as an interim measure the KDC may append this field to the end of the
+     enc-part of the ticket and append a traler indicating the lenght of the
+     appended extensions field. (this paragraph is open for discussion,
+     including the form of the traler).
+flags
+     This field indicates which of various options were used or requested
+     when the ticket was issued. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). Bit 0 is the most
+     significant bit. The encoding of the bits is specified in section 5.2.
+     The flags are described in more detail above in section 2. The meanings
+     of the flags are:
+
+          Bit(s)      Name         Description
+
+          0           RESERVED
+                                   Reserved for future  expansion  of  this
+                                   field.
+
+          1           FORWARDABLE
+                                   The FORWARDABLE flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  When set,  this
+                                   flag  tells  the  ticket-granting server
+                                   that it is OK to  issue  a  new  ticket-
+                                   granting ticket with a different network
+                                   address based on the presented ticket.
+
+          2           FORWARDED
+                                   When set, this flag indicates  that  the
+                                   ticket  has either been forwarded or was
+                                   issued based on authentication involving
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                                   a forwarded ticket-granting ticket.
+
+          3           PROXIABLE
+                                   The  PROXIABLE  flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.   The  PROXIABLE
+                                   flag  has an interpretation identical to
+                                   that of  the  FORWARDABLE  flag,  except
+                                   that   the   PROXIABLE  flag  tells  the
+                                   ticket-granting server  that  only  non-
+                                   ticket-granting  tickets  may  be issued
+                                   with different network addresses.
+
+          4           PROXY
+                                   When set, this  flag  indicates  that  a
+                                   ticket is a proxy.
+
+          5           MAY-POSTDATE
+                                   The MAY-POSTDATE flag is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  This flag tells
+                                   the  ticket-granting server that a post-
+                                   dated ticket may be issued based on this
+                                   ticket-granting ticket.
+
+          6           POSTDATED
+                                   This flag indicates that this ticket has
+                                   been  postdated.   The  end-service  can
+                                   check the authtime field to see when the
+                                   original authentication occurred.
+
+          7           INVALID
+                                   This flag indicates  that  a  ticket  is
+                                   invalid, and it must be validated by the
+                                   KDC  before  use.   Application  servers
+                                   must reject tickets which have this flag
+                                   set.
+
+          8           RENEWABLE
+                                   The  RENEWABLE  flag  is  normally  only
+                                   interpreted  by the TGS, and can usually
+                                   be ignored by end servers (some particu-
+                                   larly careful servers may wish to disal-
+                                   low  renewable  tickets).   A  renewable
+                                   ticket  can be used to obtain a replace-
+                                   ment ticket  that  expires  at  a  later
+                                   date.
+
+          9           INITIAL
+                                   This flag indicates that this ticket was
+                                   issued  using  the  AS protocol, and not
+                                   issued  based   on   a   ticket-granting
+                                   ticket.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+          10          PRE-AUTHENT
+                                   This flag indicates that during  initial
+                                   authentication, the client was authenti-
+                                   cated by the KDC  before  a  ticket  was
+                                   issued.    The   strength  of  the  pre-
+                                   authentication method is not  indicated,
+                                   but is acceptable to the KDC.
+
+          11          HW-AUTHENT
+                                   This flag indicates  that  the  protocol
+                                   employed   for   initial  authentication
+                                   required the use of hardware expected to
+                                   be possessed solely by the named client.
+                                   The hardware  authentication  method  is
+                                   selected  by the KDC and the strength of
+                                   the method is not indicated.
+
+          12           TRANSITED   This flag indicates that the KDC for the
+                  POLICY-CHECKED   realm has checked the transited field
+                                   against a realm defined policy for
+                                   trusted certifiers.  If this flag is
+                                   reset (0), then the application server
+                                   must check the transited field itself,
+                                   and if unable to do so it must reject
+                                   the authentication.  If the flag is set
+                                   (1) then the application server may skip
+                                   its own validation of the transited
+                                   field, relying on the validation
+                                   performed by the KDC.  At its option the
+                                   application server may still apply its
+                                   own validation based on a separate
+                                   policy for acceptance.
+
+          13      OK-AS-DELEGATE   This flag indicates that the server (not
+                                   the client) specified in the ticket has
+                                   been determined by policy of the realm
+                                   to be a suitable recipient of
+                                   delegation.  A client can use the
+                                   presence of this flag to help it make a
+                                   decision whether to delegate credentials
+                                   (either grant a proxy or a forwarded
+                                   ticket granting ticket) to this server.
+                                   The client is free to ignore the value
+                                   of this flag.  When setting this flag,
+                                   an administrator should consider the
+                                   Security and placement of the server on
+                                   which the service will run, as well as
+                                   whether the service requires the use of
+                                   delegated credentials.
+
+          14          ANONYMOUS
+                                   This flag indicates that  the  principal
+                                   named in the ticket is a generic princi-
+                                   pal for the realm and does not  identify
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                                   the  individual  using  the ticket.  The
+                                   purpose  of  the  ticket  is   only   to
+                                   securely  distribute  a session key, and
+                                   not to identify  the  user.   Subsequent
+                                   requests  using the same ticket and ses-
+                                   sion may be  considered  as  originating
+                                   from  the  same  user, but requests with
+                                   the same username but a different ticket
+                                   are  likely  to originate from different
+                                   users.
+
+          15-31       RESERVED
+                                   Reserved for future use.
+
+key
+     This field exists in the ticket and the KDC response and is used to
+     pass the session key from Kerberos to the application server and the
+     client. The field's encoding is described in section 6.2.
+crealm
+     This field contains the name of the realm in which the client is
+     registered and in which initial authentication took place.
+cname
+     This field contains the name part of the client's principal identifier.
+transited
+     This field lists the names of the Kerberos realms that took part in
+     authenticating the user to whom this ticket was issued. It does not
+     specify the order in which the realms were transited. See section
+     3.3.3.2 for details on how this field encodes the traversed realms.
+authtime
+     This field indicates the time of initial authentication for the named
+     principal. It is the time of issue for the original ticket on which
+     this ticket is based. It is included in the ticket to provide
+     additional information to the end service, and to provide the necessary
+     information for implementation of a `hot list' service at the KDC. An
+     end service that is particularly paranoid could refuse to accept
+     tickets for which the initial authentication occurred "too far" in the
+     past. This field is also returned as part of the response from the KDC.
+     When returned as part of the response to initial authentication
+     (KRB_AS_REP), this is the current time on the Ker- beros server[24].
+starttime
+     This field in the ticket specifies the time after which the ticket is
+     valid. Together with endtime, this field specifies the life of the
+     ticket. If it is absent from the ticket, its value should be treated as
+     that of the authtime field.
+endtime
+     This field contains the time after which the ticket will not be honored
+     (its expiration time). Note that individual services may place their
+     own limits on the life of a ticket and may reject tickets which have
+     not yet expired. As such, this is really an upper bound on the
+     expiration time for the ticket.
+renew-till
+     This field is only present in tickets that have the RENEWABLE flag set
+     in the flags field. It indicates the maximum endtime that may be
+     included in a renewal. It can be thought of as the absolute expiration
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     time for the ticket, including all renewals.
+caddr
+     This field in a ticket contains zero (if omitted) or more (if present)
+     host addresses. These are the addresses from which the ticket can be
+     used. If there are no addresses, the ticket can be used from any
+     location. The decision by the KDC to issue or by the end server to
+     accept zero-address tickets is a policy decision and is left to the
+     Kerberos and end-service administrators; they may refuse to issue or
+     accept such tickets. The suggested and default policy, however, is that
+     such tickets will only be issued or accepted when additional
+     information that can be used to restrict the use of the ticket is
+     included in the authorization_data field. Such a ticket is a
+     capability.
+
+     Network addresses are included in the ticket to make it harder for an
+     attacker to use stolen credentials. Because the session key is not sent
+     over the network in cleartext, credentials can't be stolen simply by
+     listening to the network; an attacker has to gain access to the session
+     key (perhaps through operating system security breaches or a careless
+     user's unattended session) to make use of stolen tickets.
+
+     It is important to note that the network address from which a
+     connection is received cannot be reliably determined. Even if it could
+     be, an attacker who has compromised the client's worksta- tion could
+     use the credentials from there. Including the network addresses only
+     makes it more difficult, not impossible, for an attacker to walk off
+     with stolen credentials and then use them from a "safe" location.
+authorization-data
+     The authorization-data field is used to pass authorization data from
+     the principal on whose behalf a ticket was issued to the application
+     service. If no authorization data is included, this field will be left
+     out. Experience has shown that the name of this field is confusing, and
+     that a better name for this field would be restrictions. Unfortunately,
+     it is not possible to change the name of this field at this time.
+
+     This field contains restrictions on any authority obtained on the basis
+     of authentication using the ticket. It is possible for any principal in
+     posession of credentials to add entries to the authorization data field
+     since these entries further restrict what can be done with the ticket.
+     Such additions can be made by specifying the additional entries when a
+     new ticket is obtained during the TGS exchange, or they may be added
+     during chained delegation using the authorization data field of the
+     authenticator.
+
+     Because entries may be added to this field by the holder of
+     credentials, it is not allowable for the presence of an entry in the
+     authorization data field of a ticket to amplify the priveleges one
+     would obtain from using a ticket.
+
+     The data in this field may be specific to the end service; the field
+     will contain the names of service specific objects, and the rights to
+     those objects. The format for this field is described in section 5.2.
+     Although Kerberos is not concerned with the format of the contents of
+     the sub-fields, it does carry type information (ad-type).
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+     By using the authorization_data field, a principal is able to issue a
+     proxy that is valid for a specific purpose. For example, a client
+     wishing to print a file can obtain a file server proxy to be passed to
+     the print server. By specifying the name of the file in the
+     authorization_data field, the file server knows that the print server
+     can only use the client's rights when accessing the particular file to
+     be printed.
+
+     A separate service providing authorization or certifying group
+     membership may be built using the authorization-data field. In this
+     case, the entity granting authorization (not the authorized entity),
+     obtains a ticket in its own name (e.g. the ticket is issued in the name
+     of a privelege server), and this entity adds restrictions on its own
+     authority and delegates the restricted authority through a proxy to the
+     client. The client would then present this authorization credential to
+     the application server separately from the authentication exchange.
+
+     Similarly, if one specifies the authorization-data field of a proxy and
+     leaves the host addresses blank, the resulting ticket and session key
+     can be treated as a capability. See [Neu93] for some suggested uses of
+     this field.
+
+     The authorization-data field is optional and does not have to be
+     included in a ticket.
+
+5.3.2. Authenticators
+
+An authenticator is a record sent with a ticket to a server to certify the
+client's knowledge of the encryption key in the ticket, to help the server
+detect replays, and to help choose a "true session key" to use with the
+particular session. The encoding is encrypted in the ticket's session key
+shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+
+authenticator-vno
+     This field specifies the version number for the format of the
+     authenticator. This document specifies version 5.
+crealm and cname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+cksum
+     This field contains a checksum of the the applica- tion data that
+     accompanies the KRB_AP_REQ.
+cusec
+     This field contains the microsecond part of the client's timestamp. Its
+     value (before encryption) ranges from 0 to 999999. It often appears
+     along with ctime. The two fields are used together to specify a
+     reasonably accurate timestamp.
+ctime
+     This field contains the current time on the client's host.
+subkey
+     This field contains the client's choice for an encryption key which is
+     to be used to protect this specific application session. Unless an
+     application specifies otherwise, if this field is left out the session
+     key from the ticket will be used.
+seq-number
+     This optional field includes the initial sequence number to be used by
+     the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
+     detect replays (It may also be used by application specific messages).
+     When included in the authenticator this field specifies the initial
+     sequence number for messages from the client to the server. When
+     included in the AP-REP message, the initial sequence number is that for
+     messages from the server to the client. When used in KRB_PRIV or
+     KRB_SAFE messages, it is incremented by one after each message is sent.
+
+     For sequence numbers to adequately support the detection of replays
+     they should be non-repeating, even across connection boundaries. The
+     initial sequence number should be random and uniformly distributed
+     across the full space of possible sequence numbers, so that it cannot
+     be guessed by an attacker and so that it and the successive sequence
+     numbers do not repeat other sequences.
+authorization-data
+     This field is the same as described for the ticket in section 5.3.1. It
+     is optional and will only appear when additional restrictions are to be
+     placed on the use of a ticket, beyond those carried in the ticket
+     itself.
+
+5.4. Specifications for the AS and TGS exchanges
+
+This section specifies the format of the messages used in the exchange
+between the client and the Kerberos server. The format of possible error
+messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
+KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial
+ticket or an additional ticket. In either case, the message is sent from the
+client to the Authentication Server to request credentials for a service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER,
+                                           -- EncryptionType,
+                                           -- in preference order
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+The fields in this message are:
+
+pvno
+     This field is included in each message, and specifies the protocol
+     version number. This document specifies protocol version 5.
+msg-type
+     This field indicates the type of a protocol message. It will almost
+     always be the same as the application identifier associated with a
+     message. It is included to make the identifier more readily accessible
+     to the application. For the KDC-REQ message, this type will be
+     KRB_AS_REQ or KRB_TGS_REQ.
+padata
+     The padata (pre-authentication data) field contains a sequence of
+     authentication information which may be needed before credentials can
+     be issued or decrypted. In the case of requests for additional tickets
+     (KRB_TGS_REQ), this field will include an element with padata-type of
+     PA-TGS-REQ and data of an authentication header (ticket-granting ticket
+     and authenticator). The checksum in the authenticator (which must be
+     collision-proof) is to be computed over the KDC-REQ-BODY encoding. In
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     most requests for initial authentication (KRB_AS_REQ) and most replies
+     (KDC-REP), the padata field will be left out.
+
+     This field may also contain information needed by certain extensions to
+     the Kerberos protocol. For example, it might be used to initially
+     verify the identity of a client before any response is returned. This
+     is accomplished with a padata field with padata-type equal to
+     PA-ENC-TIMESTAMP and padata-value defined as follows:
+
+     padata-type     ::= PA-ENC-TIMESTAMP
+     padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+     PA-ENC-TS-ENC   ::= SEQUENCE {
+                     patimestamp[0]     KerberosTime, -- client's time
+                     pausec[1]          INTEGER OPTIONAL
+     }
+
+     with patimestamp containing the client's time and pausec containing the
+     microseconds which may be omitted if a client will not generate more
+     than one request per second. The ciphertext (padata-value) consists of
+     the PA-ENC-TS-ENC sequence, encrypted using the client's secret key.
+
+     [use-specified-kvno item is here for discussion and may be removed] It
+     may also be used by the client to specify the version of a key that is
+     being used for accompanying preauthentication, and/or which should be
+     used to encrypt the reply from the KDC.
+
+     PA-USE-SPECIFIED-KVNO  ::=  Integer
+
+     The KDC should only accept and abide by the value of the
+     use-specified-kvno preauthentication data field when the specified key
+     is still valid and until use of a new key is confirmed. This situation
+     is likely to occur primarily during the period during which an updated
+     key is propagating to other KDC's in a realm.
+
+     The padata field can also contain information needed to help the KDC or
+     the client select the key needed for generating or decrypting the
+     response. This form of the padata is useful for supporting the use of
+     certain token cards with Kerberos. The details of such extensions are
+     specified in separate documents. See [Pat92] for additional uses of
+     this field.
+padata-type
+     The padata-type element of the padata field indicates the way that the
+     padata-value element is to be interpreted. Negative values of
+     padata-type are reserved for unregistered use; non-negative values are
+     used for a registered interpretation of the element type.
+req-body
+     This field is a placeholder delimiting the extent of the remaining
+     fields. If a checksum is to be calculated over the request, it is
+     calculated over an encoding of the KDC-REQ-BODY sequence which is
+     enclosed within the req-body field.
+kdc-options
+     This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
+     KDC and indicates the flags that the client wants set on the tickets as
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     well as other information that is to modify the behavior of the KDC.
+     Where appropriate, the name of an option may be the same as the flag
+     that is set by that option. Although in most case, the bit in the
+     options field will be the same as that in the flags field, this is not
+     guaranteed, so it is not acceptable to simply copy the options field to
+     the flags field. There are various checks that must be made before
+     honoring an option anyway.
+
+     The kdc_options field is a bit-field, where the selected options are
+     indicated by the bit being set (1), and the unselected options and
+     reserved fields being reset (0). The encoding of the bits is specified
+     in section 5.2. The options are described in more detail above in
+     section 2. The meanings of the options are:
+
+        Bit(s)    Name                Description
+         0        RESERVED
+                                      Reserved for future  expansion  of  this
+                                      field.
+
+         1        FORWARDABLE
+                                      The FORWARDABLE  option  indicates  that
+                                      the  ticket  to be issued is to have its
+                                      forwardable flag set.  It  may  only  be
+                                      set on the initial request, or in a sub-
+                                      sequent request if  the  ticket-granting
+                                      ticket on which it is based is also for-
+                                      wardable.
+
+         2        FORWARDED
+                                      The FORWARDED option is  only  specified
+                                      in  a  request  to  the  ticket-granting
+                                      server and will only be honored  if  the
+                                      ticket-granting  ticket  in  the request
+                                      has  its  FORWARDABLE  bit  set.    This
+                                      option  indicates that this is a request
+                                      for forwarding.  The address(es) of  the
+                                      host  from which the resulting ticket is
+                                      to  be  valid  are   included   in   the
+                                      addresses field of the request.
+
+         3        PROXIABLE
+                                      The PROXIABLE option indicates that  the
+                                      ticket to be issued is to have its prox-
+                                      iable flag set.  It may only be  set  on
+                                      the  initial request, or in a subsequent
+                                      request if the ticket-granting ticket on
+                                      which it is based is also proxiable.
+
+         4        PROXY
+                                      The PROXY option indicates that this  is
+                                      a request for a proxy.  This option will
+                                      only be honored if  the  ticket-granting
+                                      ticket  in the request has its PROXIABLE
+                                      bit set.  The address(es)  of  the  host
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                                      from which the resulting ticket is to be
+                                       valid  are  included  in  the  addresses
+                                      field of the request.
+
+         5        ALLOW-POSTDATE
+                                      The ALLOW-POSTDATE option indicates that
+                                      the  ticket  to be issued is to have its
+                                      MAY-POSTDATE flag set.  It may  only  be
+                                      set on the initial request, or in a sub-
+                                      sequent request if  the  ticket-granting
+                                      ticket on which it is based also has its
+                                      MAY-POSTDATE flag set.
+
+         6        POSTDATED
+                                      The POSTDATED option indicates that this
+                                      is  a  request  for  a postdated ticket.
+                                      This option will only be honored if  the
+                                      ticket-granting  ticket  on  which it is
+                                      based has  its  MAY-POSTDATE  flag  set.
+                                      The  resulting ticket will also have its
+                                      INVALID flag set, and that flag  may  be
+                                      reset by a subsequent request to the KDC
+                                      after the starttime in  the  ticket  has
+                                      been reached.
+
+         7        UNUSED
+                                      This option is presently unused.
+
+         8        RENEWABLE
+                                      The RENEWABLE option indicates that  the
+                                      ticket  to  be  issued  is  to  have its
+                                      RENEWABLE flag set.  It may only be  set
+                                      on  the  initial  request,  or  when the
+                                      ticket-granting  ticket  on  which   the
+                                      request  is based is also renewable.  If
+                                      this option is requested, then the rtime
+                                      field   in   the  request  contains  the
+                                      desired absolute expiration time for the
+                                      ticket.
+
+         9-13     UNUSED
+                                      These options are presently unused.
+
+         14       REQUEST-ANONYMOUS
+                                      The REQUEST-ANONYMOUS  option  indicates
+                                      that  the  ticket to be issued is not to
+                                      identify  the  user  to  which  it   was
+                                      issued.  Instead, the principal identif-
+                                      ier is to be generic,  as  specified  by
+                                      the  policy  of  the realm (e.g. usually
+                                      anonymous@realm).  The  purpose  of  the
+                                      ticket  is only to securely distribute a
+                                      session key, and  not  to  identify  the
+                                      user.   The ANONYMOUS flag on the ticket
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                                      to be returned should be  set.   If  the
+                                      local  realms  policy  does  not  permit
+                                      anonymous credentials, the request is to
+                                      be rejected.
+
+         15-25    RESERVED
+                                      Reserved for future use.
+
+         26       DISABLE-TRANSITED-CHECK
+                                      By default the KDC will check the
+                                      transited field of a ticket-granting-
+                                      ticket against the policy of the local
+                                      realm before it will issue derivative
+                                      tickets based on the ticket granting
+                                      ticket.  If this flag is set in the
+                                      request, checking of the transited field
+                                      is disabled.  Tickets issued without the
+                                      performance of this check will be noted
+                                      by the reset (0) value of the
+                                      TRANSITED-POLICY-CHECKED flag,
+                                      indicating to the application server
+                                      that the tranisted field must be checked
+                                      locally.  KDC's are encouraged but not
+                                      required to honor the
+                                      DISABLE-TRANSITED-CHECK option.
+
+         27       RENEWABLE-OK
+                                      The RENEWABLE-OK option indicates that a
+                                      renewable ticket will be acceptable if a
+                                      ticket with the  requested  life  cannot
+                                      otherwise be provided.  If a ticket with
+                                      the requested life cannot  be  provided,
+                                      then  a  renewable  ticket may be issued
+                                      with  a  renew-till  equal  to  the  the
+                                      requested  endtime.   The  value  of the
+                                      renew-till field may still be limited by
+                                      local  limits, or limits selected by the
+                                      individual principal or server.
+
+         28       ENC-TKT-IN-SKEY
+                                      This option is used only by the  ticket-
+                                      granting  service.   The ENC-TKT-IN-SKEY
+                                      option indicates that the ticket for the
+                                      end  server  is  to  be encrypted in the
+                                      session key from the additional  ticket-
+                                      granting ticket provided.
+
+         29       RESERVED
+                                      Reserved for future use.
+
+         30       RENEW
+                                      This option is used only by the  ticket-
+                                      granting   service.   The  RENEW  option
+                                      indicates that the  present  request  is
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                                      for  a  renewal.  The ticket provided is
+                                      encrypted in  the  secret  key  for  the
+                                      server  on  which  it  is  valid.   This
+                                      option  will  only  be  honored  if  the
+                                      ticket  to  be renewed has its RENEWABLE
+                                      flag set and if the time in  its  renew-
+                                      till  field  has not passed.  The ticket
+                                      to be renewed is passed  in  the  padata
+                                      field  as  part  of  the  authentication
+                                      header.
+
+         31       VALIDATE
+                                      This option is used only by the  ticket-
+                                      granting  service.   The VALIDATE option
+                                      indicates that the request is  to  vali-
+                                      date  a  postdated ticket.  It will only
+                                      be honored if the  ticket  presented  is
+                                      postdated,  presently  has  its  INVALID
+                                      flag set, and would be otherwise  usable
+                                      at  this time.  A ticket cannot be vali-
+                                      dated before its starttime.  The  ticket
+                                      presented for validation is encrypted in
+                                      the key of the server for  which  it  is
+                                      valid  and is passed in the padata field
+                                      as part of the authentication header.
+
+cname and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
+     specified. If absent, the name of the server is taken from the name of
+     the client in the ticket passed as additional-tickets.
+enc-authorization-data
+     The enc-authorization-data, if present (and it can only be present in
+     the TGS_REQ form), is an encoding of the desired authorization-data
+     encrypted under the sub-session key if present in the Authenticator, or
+     alternatively from the session key in the ticket-granting ticket, both
+     from the padata field in the KRB_AP_REQ.
+realm
+     This field specifies the realm part of the server's principal
+     identifier. In the AS exchange, this is also the realm part of the
+     client's principal identifier.
+from
+     This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+     requests when the requested ticket is to be postdated. It specifies the
+     desired start time for the requested ticket. If this field is omitted
+     then the KDC should use the current time instead.
+till
+     This field contains the expiration date requested by the client in a
+     ticket request. It is optional and if omitted the requested ticket is
+     to have the maximum endtime permitted according to KDC policy for the
+     parties to the authentication exchange as limited by expiration date of
+     the ticket granting ticket or other preauthentication credentials.
+rtime
+     This field is the requested renew-till time sent from a client to the
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     KDC in a ticket request. It is optional.
+nonce
+     This field is part of the KDC request and response. It it intended to
+     hold a random number generated by the client. If the same number is
+     included in the encrypted response from the KDC, it provides evidence
+     that the response is fresh and has not been replayed by an attacker.
+     Nonces must never be re-used. Ideally, it should be generated randomly,
+     but if the correct time is known, it may suffice[25].
+etype
+     This field specifies the desired encryption algorithm to be used in the
+     response.
+addresses
+     This field is included in the initial request for tickets, and
+     optionally included in requests for additional tickets from the
+     ticket-granting server. It specifies the addresses from which the
+     requested ticket is to be valid. Normally it includes the addresses for
+     the client's host. If a proxy is requested, this field will contain
+     other addresses. The contents of this field are usually copied by the
+     KDC into the caddr field of the resulting ticket.
+additional-tickets
+     Additional tickets may be optionally included in a request to the
+     ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+     specified, then the session key from the additional ticket will be used
+     in place of the server's key to encrypt the new ticket. If more than
+     one option which requires additional tickets has been specified, then
+     the additional tickets are used in the order specified by the ordering
+     of the options bits (see kdc-options, above).
+
+The application code will be either ten (10) or twelve (12) depending on
+whether the request is for an initial ticket (AS-REQ) or for an additional
+ticket (TGS-REQ).
+
+The optional fields (addresses, authorization-data and additional-tickets)
+are only included if necessary to perform the operation specified in the
+kdc-options field.
+
+It should be noted that in KRB_TGS_REQ, the protocol version number appears
+twice and two different message types appear: the KRB_TGS_REQ message
+contains these fields as does the authentication header (KRB_AP_REQ) that is
+passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+The KRB_KDC_REP message format is used for the reply from the KDC for either
+an initial (AS) request or a subsequent (TGS) request. There is no message
+type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
+KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
+depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
+the client's secret key, and the client's key version number is included in
+the key version number for the encrypted data. For KRB_TGS_REP, the
+ciphertext is encrypted in the sub-session key from the Authenticator, or if
+absent, the session key from the ticket-granting ticket used in the request.
+In that case, no version number will be present in the EncryptedData
+sequence.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+              enc-part[6]                EncryptedData
+}
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is either
+     KRB_AS_REP or KRB_TGS_REP.
+padata
+     This field is described in detail in section 5.4.1. One possible use
+     for this field is to encode an alternate "mix-in" string to be used
+     with a string-to-key algorithm (such as is described in section 6.3.2).
+     This ability is useful to ease transitions if a realm name needs to
+     change (e.g. when a company is acquired); in such a case all existing
+     password-derived entries in the KDC database would be flagged as
+     needing a special mix-in string until the next password change.
+crealm, cname, srealm and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+ticket
+     The newly-issued ticket, from section 5.3.1.
+enc-part
+     This field is a place holder for the ciphertext and related information
+     that forms the encrypted part of a message. The description of the
+     encrypted part of the message follows each appearance of this field.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     The encrypted part is encoded as described in section 6.1.
+key
+     This field is the same as described for the ticket in section 5.3.1.
+last-req
+     This field is returned by the KDC and specifies the time(s) of the last
+     request by a principal. Depending on what information is available,
+     this might be the last time that a request for a ticket-granting ticket
+     was made, or the last time that a request based on a ticket-granting
+     ticket was successful. It also might cover all servers for a realm, or
+     just the particular server. Some implementations may display this
+     information to the user to aid in discovering unauthorized use of one's
+     identity. It is similar in spirit to the last login time displayed when
+     logging into timesharing systems.
+nonce
+     This field is described above in section 5.4.1.
+key-expiration
+     The key-expiration field is part of the response from the KDC and
+     specifies the time that the client's secret key is due to expire. The
+     expiration might be the result of password aging or an account
+     expiration. This field will usually be left out of the TGS reply since
+     the response to the TGS request is encrypted in a session key and no
+     client information need be retrieved from the KDC database. It is up to
+     the application client (usually the login program) to take appropriate
+     action (such as notifying the user) if the expiration time is imminent.
+flags, authtime, starttime, endtime, renew-till and caddr
+     These fields are duplicates of those found in the encrypted portion of
+     the attached ticket (see section 5.3.1), provided so the client may
+     verify they match the intended request and to assist in proper ticket
+     caching. If the message is of type KRB_TGS_REP, the caddr field will
+     only be filled in if the request was for a proxy or forwarded ticket,
+     or if the user is substituting a subset of the addresses from the
+     ticket granting ticket. If the client-requested addresses are not
+     present or not used, then the addresses contained in the ticket will be
+     the same as those included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+This section specifies the format of the messages used for the
+authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+The KRB_AP_REQ message contains the Kerberos protocol version number, the
+message type KRB_AP_REQ, an options field to indicate any options in use,
+and the ticket and authenticator themselves. The KRB_AP_REQ message is often
+referred to as the 'authentication header'.
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REQ.
+ap-options
+     This field appears in the application request (KRB_AP_REQ) and affects
+     the way the request is processed. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). The encoding of the bits
+     is specified in section 5.2. The meanings of the options are:
+
+          Bit(s)   Name              Description
+          0        RESERVED
+                                     Reserved for future  expansion  of  this
+                                     field.
+
+          1        USE-SESSION-KEY
+                                     The  USE-SESSION-KEY  option   indicates
+                                     that the ticket the client is presenting
+                                     to a server is encrypted in the  session
+                                     key  from  the  server's ticket-granting
+                                     ticket.  When this option is not  speci-
+                                     fied,  the  ticket  is  encrypted in the
+                                     server's secret key.
+
+          2        MUTUAL-REQUIRED
+                                     The  MUTUAL-REQUIRED  option  tells  the
+                                     server  that  the client requires mutual
+                                     authentication, and that it must respond
+                                     with a KRB_AP_REP message.
+
+          3-31     RESERVED
+                                          Reserved for future use.
+ticket
+     This field is a ticket authenticating the client to the server.
+authenticator
+     This contains the authenticator, which includes the client's choice of
+     a subkey. Its encoding is described in section 5.3.2.
+
+5.5.2. KRB_AP_REP definition
+
+The KRB_AP_REP message contains the Kerberos protocol version number, the
+message type, and an encrypted time- stamp. The message is sent in in
+response to an application request (KRB_AP_REQ) where the mutual
+authentication option has been selected in the ap-options field.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+The encoded EncAPRepPart is encrypted in the shared session key of the
+ticket. The optional subkey field can be used in an application-arranged
+negotiation to choose a per association session key.
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REP.
+enc-part
+     This field is described above in section 5.4.2.
+ctime
+     This field contains the current time on the client's host.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+subkey
+     This field contains an encryption key which is to be used to protect
+     this specific application session. See section 3.2.6 for specifics on
+     how this field is used to negotiate a key. Unless an application
+     specifies otherwise, if this field is left out, the sub-session key
+     from the authenticator, or if also left out, the session key from the
+     ticket will be used.
+
+5.5.3. Error message reply
+
+If an error occurs while processing the application request, the KRB_ERROR
+message will be sent in response. See section 5.9.1 for the format of the
+error message. The cname and crealm fields may be left out if the server
+cannot determine their appropriate values from the corresponding KRB_AP_REQ
+message. If the authenticator was decipherable, the ctime and cusec fields
+will contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to send a tamper-proof message to
+its peer. It presumes that a session key has previously been exchanged (for
+example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+The KRB_SAFE message contains user data along with a collision-proof
+checksum keyed with the last encryption key negotiated via subkeys, or the
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+session key if no negotiation has occured. The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_SAFE.
+safe-body
+     This field is a placeholder for the body of the KRB-SAFE message. It is
+     to be encoded separately and then have the checksum computed over it,
+     for use in the cksum field.
+cksum
+     This field contains the checksum of the application data. Checksum
+     details are described in section 6.4. The checksum is computed over the
+     encoding of the KRB-SAFE-BODY sequence.
+user-data
+     This field is part of the KRB_SAFE and KRB_PRIV messages and contain
+     the application specific data that is being passed from the sender to
+     the recipient.
+timestamp
+     This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
+     are the current time as known by the sender of the message. By checking
+     the timestamp, the recipient of the message is able to make sure that
+     it was recently generated, and is not a replay.
+usec
+     This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
+     the microsecond part of the timestamp.
+seq-number
+     This field is described above in section 5.3.2.
+s-address
+     This field specifies the address in use by the sender of the message.
+r-address
+     This field specifies the address in use by the recipient of the
+     message. It may be omitted for some uses (such as broadcast protocols),
+     but the recipient may arbitrarily reject such messages. This field
+     along with s-address can be used to help detect messages which have
+     been incorrectly or maliciously delivered to the wrong recipient.
+
+5.7. KRB_PRIV message specification
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to securely and privately send a
+message to its peer. It presumes that a session key has previously been
+exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+The KRB_PRIV message contains user data encrypted in the Session Key. The
+message fields are:
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's addr
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_PRIV.
+enc-part
+     This field holds an encoding of the EncKrbPrivPart sequence encrypted
+     under the session key[32]. This encrypted encoding is used for the
+     enc-part field of the KRB-PRIV message. See section 6 for the format of
+     the ciphertext.
+user-data, timestamp, usec, s-address and r-address
+     These fields are described above in section 5.6.1.
+seq-number
+     This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+This section specifies the format of a message that can be used to send
+Kerberos credentials from one principal to another. It is presented here to
+encourage a common mechanism to be used by applications when forwarding
+tickets or providing proxies to subordinate servers. It presumes that a
+session key has already been exchanged perhaps by using the
+KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+The KRB_CRED message contains a sequence of tickets to be sent and
+information needed to use the tickets, including the session key from each.
+The information needed to use the tickets is encrypted under an encryption
+key previously exchanged or transferred alongside the KRB_CRED message. The
+message fields are:
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_CRED.
+tickets
+     These are the tickets obtained from the KDC specifically for use by the
+     intended recipient. Successive tickets are paired with the
+     corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
+     message.
+enc-part
+     This field holds an encoding of the EncKrbCredPart sequence encrypted
+     under the session key shared between the sender and the intended
+     recipient. This encrypted encoding is used for the enc-part field of
+     the KRB-CRED message. See section 6 for the format of the ciphertext.
+nonce
+     If practical, an application may require the inclusion of a nonce
+     generated by the recipient of the message. If the same value is
+     included as the nonce in the message, it provides evidence that the
+     message is fresh and has not been replayed by an attacker. A nonce must
+     never be re-used; it should be generated randomly by the recipient of
+     the message and provided to the sender of the message in an application
+     specific manner.
+timestamp and usec
+     These fields specify the time that the KRB-CRED message was generated.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     The time is used to provide assurance that the message is fresh.
+s-address and r-address
+     These fields are described above in section 5.6.1. They are used
+     optionally to provide additional assurance of the integrity of the
+     KRB-CRED message.
+key
+     This field exists in the corresponding ticket passed by the KRB-CRED
+     message and is used to pass the session key from the sender to the
+     intended recipient. The field's encoding is described in section 6.2.
+
+The following fields are optional. If present, they can be associated with
+the credentials in the remote ticket file. If left out, then it is assumed
+that the recipient of the credentials already knows their value.
+
+prealm and pname
+     The name and realm of the delegated principal identity.
+flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
+     These fields contain the values of the correspond- ing fields from the
+     ticket found in the ticket field. Descriptions of the fields are
+     identical to the descriptions in the KDC-REP message.
+
+5.9. Error message specification
+
+This section specifies the format for the KRB_ERROR message. The fields
+included in the message are intended to return as much information as
+possible about an error. It is not expected that all the information
+required by the fields will be available for all types of errors. If the
+appropriate information is not available when the message is composed, the
+corresponding field will be left out of the message.
+
+Note that since the KRB_ERROR message is not protected by any encryption, it
+is quite possible for an intruder to synthesize or modify such a message. In
+particular, this means that the client should not use any fields in this
+message for security-critical purposes, such as setting a system clock or
+generating a fresh authenticator. The message can be useful, however, for
+advising a user on the reason for some failure.
+
+5.9.1. KRB_ERROR definition
+
+The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL,
+                e-typed-data[14]              SEQUENCE of ETypedData OPTIONAL
+}
+
+ETypedData ::=  SEQUENCE {
+                e-data-type    [1] INTEGER,
+                e-data-value   [2] OCTET STRING,
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_ERROR.
+ctime
+     This field is described above in section 5.4.1.
+cusec
+     This field is described above in section 5.5.2.
+stime
+     This field contains the current time on the server. It is of type
+     KerberosTime.
+susec
+     This field contains the microsecond part of the server's timestamp. Its
+     value ranges from 0 to 999999. It appears along with stime. The two
+     fields are used in conjunction to specify a reasonably accurate
+     timestamp.
+error-code
+     This field contains the error code returned by Kerberos or the server
+     when a request fails. To interpret the value of this field see the list
+     of error codes in section 8. Implementations are encouraged to provide
+     for national language support in the display of error messages.
+crealm, cname, srealm and sname
+     These fields are described above in section 5.3.1.
+e-text
+     This field contains additional text to help explain the error code
+     associated with the failed request (for example, it might include a
+     principal name which was unknown).
+e-data
+     This field contains additional data about the error for use by the
+     application to help it recover from or handle the error. If the
+     errorcode is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will
+     contain an encoding of a sequence of padata fields, each corresponding
+     to an acceptable pre-authentication method and optionally containing
+     data for the method:
+
+     METHOD-DATA ::=   SEQUENCE of PA-DATA
+
+     If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
+     contain an encoding of the following sequence:
+
+     METHOD-DATA ::=   SEQUENCE {
+                         method-type[0]   INTEGER,
+                         method-data[1]   OCTET STRING OPTIONAL
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+     }
+
+     method-type will indicate the required alternate method; method-data
+     will contain any required additional information.
+e-cksum
+     This field contains an optional checksum for the KRB-ERROR message. The
+     checksum is calculated over the Kerberos ASN.1 encoding of the
+     KRB-ERROR message with the checksum absent. The checksum is then added
+     to the KRB-ERROR structure and the message is re-encoded. The Checksum
+     should be calculated using the session key from the ticket granting
+     ticket or service ticket, where available. If the error is in response
+     to a TGS or AP request, the checksum should be calculated uing the the
+     session key from the client's ticket. If the error is in response to an
+     AS request, then the checksum should be calulated using the client's
+     secret key ONLY if there has been suitable preauthentication to prove
+     knowledge of the secret key by the client[33]. If a checksum can not be
+     computed because the key to be used is not available, no checksum will
+     be included.
+e-typed-data
+     [This field for discussion, may be deleted from final spec] This field
+     contains optional data that may be used to help the client recover from
+     the indicated error. [This could contain the METHOD-DATA specified
+     since I don't think anyone actually uses it yet. It could also contain
+     the PA-DATA sequence for the preauth required error if we had a clear
+     way to transition to the use of this field from the use of the untype
+     e-data field.] For example, this field may specify the key version of
+     the key used to verify preauthentication:
+
+     e-data-type  := 20 -- Key version number
+     e-data-value := Integer -- Key version number used to verify
+                                preauthentication 
+
+6. Encryption and Checksum Specifications
+
+The Kerberos protocols described in this document are designed to use stream
+encryption ciphers, which can be simulated using commonly available block
+encryption ciphers, such as the Data Encryption Standard, [DES77] in
+conjunction with block chaining and checksum methods [DESM80]. Encryption is
+used to prove the identities of the network entities participating in
+message exchanges. The Key Distribution Center for each realm is trusted by
+all principals registered in that realm to store a secret key in confidence.
+Proof of knowledge of this secret key is used to verify the authenticity of
+a principal.
+
+The KDC uses the principal's secret key (in the AS exchange) or a shared
+session key (in the TGS exchange) to encrypt responses to ticket requests;
+the ability to obtain the secret key or session key implies the knowledge of
+the appropriate keys and the identity of the KDC. The ability of a principal
+to decrypt the KDC response and present a Ticket and a properly formed
+Authenticator (generated with the session key from the KDC response) to a
+service verifies the identity of the principal; likewise the ability of the
+service to extract the session key from the Ticket and prove its knowledge
+thereof in a response verifies the identity of the service.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+The Kerberos protocols generally assume that the encryption used is secure
+from cryptanalysis; however, in some cases, the order of fields in the
+encrypted portions of messages are arranged to minimize the effects of
+poorly chosen keys. It is still important to choose good keys. If keys are
+derived from user-typed passwords, those passwords need to be well chosen to
+make brute force attacks more difficult. Poorly chosen keys still make easy
+targets for intruders.
+
+The following sections specify the encryption and checksum mechanisms
+currently defined for Kerberos. The encodings, chaining, and padding
+requirements for each are described. For encryption methods, it is often
+desirable to place random information (often referred to as a confounder) at
+the start of the message. The requirements for a confounder are specified
+with each encryption mechanism.
+
+Some encryption systems use a block-chaining method to improve the the
+security characteristics of the ciphertext. However, these chaining methods
+often don't provide an integrity check upon decryption. Such systems (such
+as DES in CBC mode) must be augmented with a checksum of the plain-text
+which can be verified at decryption and used to detect any tampering or
+damage. Such checksums should be good at detecting burst errors in the
+input. If any damage is detected, the decryption routine is expected to
+return an error indicating the failure of an integrity check. Each
+encryption type is expected to provide and verify an appropriate checksum.
+The specification of each encryption method sets out its checksum
+requirements.
+
+Finally, where a key is to be derived from a user's password, an algorithm
+for converting the password to a key of the appropriate type is included. It
+is desirable for the string to key function to be one-way, and for the
+mapping to be different in different realms. This is important because users
+who are registered in more than one realm will often use the same password
+in each, and it is desirable that an attacker compromising the Kerberos
+server in one realm not obtain or derive the user's key in another.
+
+For an discussion of the integrity characteristics of the candidate
+encryption and checksum methods considered for Kerberos, the the reader is
+referred to [SG92].
+
+6.1. Encryption Specifications
+
+The following ASN.1 definition describes all encrypted messages. The
+enc-part field which appears in the unencrypted part of messages in section
+5 is a sequence consisting of an encryption type, an optional key version
+number, and the ciphertext.
+
+EncryptedData ::=   SEQUENCE {
+                    etype[0]     INTEGER, -- EncryptionType
+                    kvno[1]      INTEGER OPTIONAL,
+                    cipher[2]    OCTET STRING -- ciphertext
+}
+
+
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+etype
+     This field identifies which encryption algorithm was used to encipher
+     the cipher. Detailed specifications for selected encryption types
+     appear later in this section.
+kvno
+     This field contains the version number of the key under which data is
+     encrypted. It is only present in messages encrypted under long lasting
+     keys, such as principals' secret keys.
+cipher
+     This field contains the enciphered text, encoded as an OCTET STRING.
+
+The cipher field is generated by applying the specified encryption algorithm
+to data composed of the message and algorithm-specific inputs. Encryption
+mechanisms defined for use with Kerberos must take sufficient measures to
+guarantee the integrity of the plaintext, and we recommend they also take
+measures to protect against precomputed dictionary attacks. If the
+encryption algorithm is not itself capable of doing so, the protections can
+often be enhanced by adding a checksum and a confounder.
+
+The suggested format for the data to be encrypted includes a confounder, a
+checksum, the encoded plaintext, and any necessary padding. The msg-seq
+field contains the part of the protocol message described in section 5 which
+is to be encrypted. The confounder, checksum, and padding are all untagged
+and untyped, and their length is exactly sufficient to hold the appropriate
+item. The type and length is implicit and specified by the particular
+encryption type being used (etype). The format for the data to be encrypted
+is described in the following diagram:
+
+      +-----------+----------+-------------+-----+
+      |confounder |   check  |   msg-seq   | pad |
+      +-----------+----------+-------------+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+CipherText ::=   ENCRYPTED       SEQUENCE {
+            confounder[0]   UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
+            check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+            msg-seq[2]      MsgSequence,
+            pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+}
+
+One generates a random confounder of the appropriate length, placing it in
+confounder; zeroes out check; calculates the appropriate checksum over
+confounder, check, and msg-seq, placing the result in check; adds the
+necessary padding; then encrypts using the specified encryption type and the
+appropriate key.
+
+Unless otherwise specified, a definition of an encryption algorithm that
+specifies a checksum, a length for the confounder field, or an octet
+boundary for padding uses this ciphertext format[36]. Those fields which are
+not specified will be omitted.
+
+In the interest of allowing all implementations using a particular
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+encryption type to communicate with all others using that type, the
+specification of an encryption type defines any checksum that is needed as
+part of the encryption process. If an alternative checksum is to be used, a
+new encryption type must be defined.
+
+Some cryptosystems require additional information beyond the key and the
+data to be encrypted. For example, DES, when used in cipher-block-chaining
+mode, requires an initialization vector. If required, the description for
+each encryption type must specify the source of such additional information.
+6.2. Encryption Keys
+
+The sequence below shows the encoding of an encryption key:
+
+       EncryptionKey ::=   SEQUENCE {
+                           keytype[0]    INTEGER,
+                           keyvalue[1]   OCTET STRING
+       }
+
+keytype
+     This field specifies the type of encryption key that follows in the
+     keyvalue field. It will almost always correspond to the encryption
+     algorithm used to generate the EncryptedData, though more than one
+     algorithm may use the same type of key (the mapping is many to one).
+     This might happen, for example, if the encryption algorithm uses an
+     alternate checksum algorithm for an integrity check, or a different
+     chaining mechanism.
+keyvalue
+     This field contains the key itself, encoded as an octet string.
+
+All negative values for the encryption key type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpreta- tions.
+
+6.3. Encryption Systems
+
+6.3.1. The NULL Encryption System (null)
+
+If no encryption is in use, the encryption system is said to be the NULL
+encryption system. In the NULL encryption system there is no checksum,
+confounder or padding. The ciphertext is simply the plaintext. The NULL Key
+is used by the null encryption system and is zero octets in length, with
+keytype zero (0).
+
+6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+The des-cbc-crc encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80]. A
+CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the
+confounder and message sequence (msg-seq) and placed in the cksum field. DES
+blocks are 8 bytes. As a result, the data to be encrypted (the concatenation
+of confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption. The details of the encryption of this data are identical
+to those for the des-cbc-md5 encryption mode.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+Note that, since the CRC-32 checksum is not collision-proof, an attacker
+could use a probabilistic chosen-plaintext attack to generate a valid
+message even if a confounder is used [SG92]. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat. The use of the CRC-32 as the checksum for ticket or
+authenticator is no longer mandated as an interoperability requirement for
+Kerberos Version 5 Specification 1 (See section 9.1 for specific details).
+
+6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+The des-cbc-md4 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD4 checksum (described in [MD492]) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption. The details of the encryption of this data are identical
+to those for the des-cbc-md5 encryption mode.
+
+6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+The des-cbc-md5 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD5 checksum (described in [MD5-92].) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption.
+
+Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are
+concatenated to make the 64-bit inputs for the DES algorithms. The first
+octet supplies the 8 most significant bits (with the octet's MSbit used as
+the DES input block's MSbit, etc.), the second octet the next 8 bits, ...,
+and the eighth octet supplies the 8 least significant bits.
+
+Encryption under DES using cipher block chaining requires an additional
+input in the form of an initialization vector. Unless otherwise specified,
+zero should be used as the initialization vector. Kerberos' use of DES
+requires an 8 octet confounder.
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
+shall not be used for encrypting messages for use in Kerberos. Additionally,
+because of the way that keys are derived for the encryption of checksums,
+keys shall not be used that yield 'weak' or 'semi-weak' keys when
+eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
+
+A DES key is 8 octets of data, with keytype one (1). This consists of 56
+bits of key, and 8 parity bits (one per octet). The key is encoded as a
+series of 8 octets written in MSB-first order. The bits within the key are
+also encoded in MSB order. For example, if the encryption key is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity
+bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the
+MSbit). [See the FIPS 81 introduction for reference.]
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+String to key transformation
+
+To generate a DES key from a text string (password), the text string
+normally must have the realm and each component of the principal's name
+appended[37], then padded with ASCII nulls to an 8 byte boundary. This
+string is then fan-folded and eXclusive-ORed with itself to form an 8 byte
+DES key. The parity is corrected on the key, and it is used to generate a
+DES CBC checksum on the initial string (with the realm and name appended).
+Next, parity is corrected on the CBC checksum. If the result matches a
+'weak' or 'semi-weak' key as described in the DES specification, it is
+eXclusive-ORed with the constant 00000000000000F0. Finally, the result is
+returned as the key. Pseudocode follows:
+
+     string_to_key(string,realm,name) {
+          odd = 1;
+          s = string + realm;
+          for(each component in name) {
+               s = s + component;
+          }
+          tempkey = NULL;
+          pad(s); /* with nulls to 8 byte boundary */
+          for(8byteblock in s) {
+               if(odd == 0)  {
+                   odd = 1;
+                   reverse(8byteblock)
+               }
+               else odd = 0;
+               tempkey = tempkey XOR 8byteblock;
+          }
+          fixparity(tempkey);
+          key = DES-CBC-check(s,tempkey);
+          fixparity(key);
+          if(is_weak_key_key(key))
+               key = key XOR 0xF0;
+          return(key);
+     }
+
+6.3.5. Triple DES EDE in outer CBC mode with an SHA1 check-sum
+(des3-cbc-sha1)
+
+The des3-cbc-sha1 encryption encodes information using three Data Encryption
+Standard transformations with three DES keys. The first key is used to
+perform a DES ECB encryption on an eight-octet data block using the first
+DES key, followed by a DES ECB decryption of the result using the second DES
+key, and a DES ECB encryption of the result using the third DES key. Because
+DES blocks are 8 bytes, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must first be padded to an 8 byte
+boundary before encryption. To support the outer CBC mode, the input is
+padded to an eight-octet boundary. The first 8 octets of the data to be
+encrypted (the confounder) is exclusive-ored with an initialization vector
+of zero and then ECB encrypted using triple DES as described above.
+Subsequent blocks of 8 octets are exclusive-ored with the ciphertext
+produced by the encryption on the previous block before ECB encryption.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+An HMAC-SHA1 checksum (described in [KBC96].) is applied to the confounder
+and message sequence (msg-seq) and placed in the cksum field.
+
+Plaintext are encoded as blocks of 8 octets which are concatenated to make
+the 64-bit inputs for the DES algorithms. The first octet supplies the 8
+most significant bits (with the octet's MSbit used as the DES input block's
+MSbit, etc.), the second octet the next 8 bits, ..., and the eighth octet
+supplies the 8 least significant bits.
+
+Encryption under Triple DES using cipher block chaining requires an
+additional input in the form of an initialization vector. Unless otherwise
+specified, zero should be used as the initialization vector. Kerberos' use
+of DES requires an 8 octet confounder.
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
+shall not be used for encrypting messages for use in Kerberos. Additionally,
+because of the way that keys are derived for the encryption of checksums,
+keys shall not be used that yield 'weak' or 'semi-weak' keys when
+eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
+
+A Triple DES key is 24 octets of data, with keytype seven (7). This consists
+of 168 bits of key, and 24 parity bits (one per octet). The key is encoded
+as a series of 24 octets written in MSB-first order, with the first 8 octets
+treated as the first DES key, the second 8 octets as the second key, and the
+third 8 octets the third DES key. The bits within each key are also encoded
+in MSB order. For example, if the encryption key is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity
+bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the
+MSbit). [See the FIPS 81 introduction for reference.]
+
+Key derivation for specified operations (Horowitz)
+
+[Discussion is needed for this section, especially since it does not simply
+derive key generation, but also specifies encryption using triple DES in a
+manner that is different than the basic template that was specified for
+single DES and similar systems]
+
+In the Kerberos protocol cryptographic keys are used in a number of places.
+In order to minimize the effect of compromising a key, it is desirable to
+use a different key in each of these places. Key derivation [Horowitz96] can
+be used to construct different keys for each operation from the keys
+transported on the network or derived from the password specified by the
+user.
+
+For each place where a key is used in Kerberos, a ``key usage'' is specified
+for that purpose. The key, key usage, and encryption/checksum type together
+describe the transformation from plaintext to ciphertext. For backwards
+compatibility, this key derivation is only specified here for encryption
+methods based on triple DES. Encryption methods specified for use by
+Kerberos in the future should specify the key derivation function to be
+used.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+Kerberos requires that the ciphertext component of EncryptedData be
+tamper-resistant as well as confidential. This implies encryption and
+integrity functions, which must each use their own separate keys. So, for
+each key usage, two keys must be generated, one for encryption (Ke), and one
+for integrity (Ki):
+
+      Ke = DK(protocol key, key usage | 0xAA)
+      Ki = DK(protocol key, key usage | 0x55)
+
+where the key usage is represented as a 32 bit integer in network byte
+order. The ciphertest must be generated from the plaintext as follows:
+
+      ciphertext = E(Ke, confounder | length | plaintext | padding) |
+                   H(Ki, confounder | length | plaintext | padding)
+
+The confounder and padding are specific to the encryption algorithm E.
+
+When generating a checksum only, there is no need for a confounder or
+padding. Again, a new key (Kc) must be used. Checksums must be generated
+from the plaintext as follows:
+
+      Kc = DK(protocol key, key usage | 0x99)
+      MAC = H(Kc, length | plaintext)
+
+
+Note that each enctype is described by an encryption algorithm E and a keyed
+hash algorithm H, and each checksum type is described by a keyed hash
+algorithm H. HMAC, with an appropriate hash, is recommended for use as H.
+
+The key usage value will be taken from the following list of places where
+keys are used in the Kerberos protocol, with key usage values and Kerberos
+specification section numbers:
+
+      1.  AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+          client key (section 5.4.1)
+      2.  AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+          application session key), encrypted with the service key
+          (section 5.4.2)
+      3.  AS-REP encrypted part (includes tgs session key or application
+          session key), encrypted with the client key (section 5.4.2)
+
+      4.  TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+          session key (section 5.4.1)
+      5.  TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+          authenticator subkey (section 5.4.1)
+      6.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+          with the tgs session key (sections 5.3.2, 5.4.1)
+      7.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+          authenticator subkey), encrypted with the tgs session key
+          (section 5.3.2)
+      8.  TGS-REP encrypted part (includes application session key),
+          encrypted with the tgs session key (section 5.4.2)
+      9.  TGS-REP encrypted part (includes application session key),
+          encrypted with the tgs authenticator subkey (section 5.4.2)
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+      10. AP-REQ Authenticator cksum, keyed with the application session
+          key (section 5.3.2)
+      11. AP-REQ Authenticator (includes application authenticator
+          subkey), encrypted with the application session key (section
+          5.3.2)
+      12. AP-REP encrypted part (includes application session subkey),
+          encrypted with the application session key (section 5.5.2)
+
+      13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+          application (section 5.7.1)
+      14. KRB-CRED encrypted part, encrypted with a key chosen by the
+          application (section 5.6.1)
+      15. KRB-SAFE cksum, keyed with a key chosen by the application
+          (section 5.8.1)
+
+      16. Data which is defined in some specification outside of
+          Kerberos to be encrypted using Kerberos encryption type.
+      17. Data which is defined in some specification outside of
+          Kerberos to be checksummed using Kerberos checksum type.
+
+      18. KRB-ERROR checksum (e-cksum in section 5.9.1)
+      19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
+      20. Checksum for Mandatory Ticket Extensions (appendix B.6)
+      21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
+
+String to key transformation
+
+To generate a DES key from a text string (password), the text string
+normally must have the realm and each component of the principal's name
+appended[38].
+
+The input string (with any salt data appended to it) is n-folded into a 24
+octet (192 bit) string. To n-fold a number X, replicate the input value to a
+length that is the least common multiple of n and the length of X. Before
+each repetition, the input X is rotated to the right by 13 bit positions.
+The successive n-bit chunks are added together using 1's-complement addition
+(addition with end-around carry) to yield a n-bit result. (This
+transformation was proposed by Richard Basch)
+
+Each successive set of 8 octets is taken as a DES key, and its parity is
+adjusted in the same manner as previously described. If any of the three
+sets of 8 octets match a 'weak' or 'semi-weak key as described in the DES
+specification, that chunk is eXclusive-ORed with the hexadecimal constant
+00000000000000F0. The resulting DES keys are then used in sequence to
+perform a Triple-DES CBC encryption of the n-folded input string (appended
+with any salt data), using a zero initial vector. Parity, weak, and
+semi-weak keys are once again corrected and the result is returned as the 24
+octet key.
+
+Pseudocode follows:
+
+     string_to_key(string,realm,name) {
+          s = string + realm;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+          for(each component in name) {
+               s = s + component;
+          }
+          tkey[24] = fold(s);
+          fixparity(tkey);
+          if(isweak(tkey[0-7])) tkey[0-7] = tkey[0-7] XOR 0xF0;
+          if(isweak(tkey[8-15])) tkey[8-15] = tkey[8-15] XOR 0xF0;
+          if(is_weak(tkey[16-23])) tkey[16-23] = tkey[16-23] XOR 0xF0;
+          key[24] = 3DES-CBC(data=fold(s),key=tkey,iv=0);
+          fixparity(key);
+          if(is_weak(key[0-7])) key[0-7] = key[0-7] XOR 0xF0;
+          if(is_weak(key[8-15])) key[8-15] = key[8-15] XOR 0xF0;
+          if(is_weak(key[16-23])) key[16-23] = key[16-23] XOR 0xF0;
+          return(key);
+     }
+
+6.4. Checksums
+
+The following is the ASN.1 definition used for a checksum:
+
+         Checksum ::=   SEQUENCE {
+                        cksumtype[0]   INTEGER,
+                        checksum[1]    OCTET STRING
+         }
+
+cksumtype
+     This field indicates the algorithm used to generate the accompanying
+     checksum.
+checksum
+     This field contains the checksum itself, encoded as an octet string.
+
+Detailed specification of selected checksum types appear later in this
+section. Negative values for the checksum type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpretations.
+
+Checksums used by Kerberos can be classified by two properties: whether they
+are collision-proof, and whether they are keyed. It is infeasible to find
+two plaintexts which generate the same checksum value for a collision-proof
+checksum. A key is required to perturb or initialize the algorithm in a
+keyed checksum. To prevent message-stream modification by an active
+attacker, unkeyed checksums should only be used when the checksum and
+message will be subsequently encrypted (e.g. the checksums defined as part
+of the encryption algorithms covered earlier in this section).
+
+Collision-proof checksums can be made tamper-proof if the checksum value is
+encrypted before inclusion in a message. In such cases, the composition of
+the checksum and the encryption algorithm must be considered a separate
+checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum
+algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for the
+encrypted forms of unkeyed collision-proof checksums, Kerberos prepends a
+confounder before the checksum is calculated.
+
+6.4.1. The CRC-32 Checksum (crc32)
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+The CRC-32 checksum calculates a checksum based on a cyclic redundancy check
+as described in ISO 3309 [ISO3309]. The resulting checksum is four (4)
+octets in length. The CRC-32 is neither keyed nor collision-proof. The use
+of this checksum is not recommended. An attacker using a probabilistic
+chosen-plaintext attack as described in [SG92] might be able to generate an
+alternative message that satisfies the checksum. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat.
+
+6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
+[MD4-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed to
+be collision-proof.
+
+6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
+
+The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD4
+checksum algorithm, and encrypting the confounder and the checksum using DES
+in cipher-block-chaining (CBC) mode using a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the constant
+F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero. The
+resulting checksum is 24 octets long (8 octets of which are redundant). This
+checksum is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some weak keys' and 'semi-weak keys'; those
+keys shall not be used for generating RSA-MD4 checksums for use in Kerberos.
+
+The format for the checksum is described in the follow- ing diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm.
+[MD5-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed to
+be collision-proof.
+
+6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD5
+checksum algorithm, and encrypting the confounder and the checksum using DES
+in cipher-block-chaining (CBC) mode using a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the hexadecimal constant
+F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting
+checksum is 24 octets long (8 octets of which are redundant). This checksum
+is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some 'weak keys' and 'semi-weak keys'; those
+keys shall not be used for encrypting RSA-MD5 checksums for use in Kerberos.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.6. DES cipher-block chained checksum (des-mac)
+
+The DES-MAC checksum is computed by prepending an 8 octet confounder to the
+plaintext, performing a DES CBC-mode encryption on the result using the key
+and an initialization vector of zero, taking the last block of the
+ciphertext, prepending the same confounder and encrypting the pair using DES
+in cipher-block-chaining (CBC) mode using a a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the hexadecimal constant
+F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting
+checksum is 128 bits (16 octets) long, 64 bits of which are redundant. This
+checksum is tamper-proof and collision-proof.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+|   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                       confounder[0]   UNTAGGED OCTET STRING(8),
+                       check[1]        UNTAGGED OCTET STRING(8)
+}
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
+shall not be used for generating DES-MAC checksums for use in Kerberos, nor
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+shall a key be used whose variant is 'weak' or 'semi-weak'.
+
+6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k)
+
+The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by
+applying the RSA MD4 checksum algorithm and encrypting the results using DES
+in cipher-block-chaining (CBC) mode using a DES key as both key and
+initialization vector. The resulting checksum is 16 octets long. This
+checksum is tamper-proof and believed to be collision-proof. Note that this
+checksum type is the old method for encoding the RSA-MD4-DES checksum and it
+is no longer recommended.
+
+6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
+
+The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption
+of the plaintext, and using the last block of the ciphertext as the checksum
+value. It is keyed with an encryption key and an initialization vector; any
+uses which do not specify an additional initialization vector will use the
+key as both key and initialization vector. The resulting checksum is 64 bits
+(8 octets) long. This checksum is tamper-proof and collision-proof. Note
+that this checksum type is the old method for encoding the DES-MAC checksum
+and it is no longer recommended. The DES specifications identify some 'weak
+keys' and 'semi-weak keys'; those keys shall not be used for generating
+DES-MAC checksums for use in Kerberos.
+
+7. Naming Constraints
+
+7.1. Realm Names
+
+Although realm names are encoded as GeneralStrings and although a realm can
+technically select any name it chooses, interoperability across realm
+boundaries requires agreement on how realm names are to be assigned, and
+what information they imply.
+
+To enforce these conventions, each realm must conform to the conventions
+itself, and it must require that any realms with which inter-realm keys are
+shared also conform to the conventions and require the same from its
+neighbors.
+
+Kerberos realm names are case sensitive. Realm names that differ only in the
+case of the characters are not equivalent. There are presently four styles
+of realm names: domain, X500, other, and reserved. Examples of each style
+follow:
+
+     domain:   ATHENA.MIT.EDU (example)
+       X500:   C=US/O=OSF (example)
+      other:   NAMETYPE:rest/of.name=without-restrictions (example)
+   reserved:   reserved, but will not conflict with above
+
+Domain names must look like domain names: they consist of components
+separated by periods (.) and they contain neither colons (:) nor slashes
+(/). Domain names must be converted to upper case when used as realm names.
+
+X.500 names contain an equal (=) and cannot contain a colon (:) before the
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+equal. The realm names for X.500 names will be string representations of the
+names with components separated by slashes. Leading and trailing slashes
+will not be included.
+
+Names that fall into the other category must begin with a prefix that
+contains no equal (=) or period (.) and the prefix must be followed by a
+colon (:) and the rest of the name. All prefixes must be assigned before
+they may be used. Presently none are assigned.
+
+The reserved category includes strings which do not fall into the first
+three categories. All names in this category are reserved. It is unlikely
+that names will be assigned to this category unless there is a very strong
+argument for not using the 'other' category.
+
+These rules guarantee that there will be no conflicts between the various
+name styles. The following additional constraints apply to the assignment of
+realm names in the domain and X.500 categories: the name of a realm for the
+domain or X.500 formats must either be used by the organization owning (to
+whom it was assigned) an Internet domain name or X.500 name, or in the case
+that no such names are registered, authority to use a realm name may be
+derived from the authority of the parent realm. For example, if there is no
+domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can
+authorize the creation of a realm with that name.
+
+This is acceptable because the organization to which the parent is assigned
+is presumably the organization authorized to assign names to its children in
+the X.500 and domain name systems as well. If the parent assigns a realm
+name without also registering it in the domain name or X.500 hierarchy, it
+is the parent's responsibility to make sure that there will not in the
+future exists a name identical to the realm name of the child unless it is
+assigned to the same entity as the realm name.
+
+7.2. Principal Names
+
+As was the case for realm names, conventions are needed to ensure that all
+agree on what information is implied by a principal name. The name-type
+field that is part of the principal name indicates the kind of information
+implied by the name. The name-type should be treated as a hint. Ignoring the
+name type, no two names can be the same (i.e. at least one of the
+components, or the realm, must be different). The following name types are
+defined:
+
+  name-type      value   meaning
+
+   NT-UNKNOWN        0   Name type not known
+   NT-PRINCIPAL      1   General principal name (e.g. username, or DCE principal)
+   NT-SRV-INST       2   Service and other unique instance (krbtgt)
+   NT-SRV-HST        3   Service with host name as instance (telnet, rcommands)
+   NT-SRV-XHST       4   Service with slash-separated host name components
+   NT-UID            5   Unique ID
+   NT-X500-PRINCIPAL 6   Encoded X.509 Distingished name [RFC 1779]
+
+When a name implies no information other than its uniqueness at a particular
+time the name type PRINCIPAL should be used. The principal name type should
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+be used for users, and it might also be used for a unique server. If the
+name is a unique machine generated ID that is guaranteed never to be
+reassigned then the name type of UID should be used (note that it is
+generally a bad idea to reassign names of any type since stale entries might
+remain in access control lists).
+
+If the first component of a name identifies a service and the remaining
+components identify an instance of the service in a server specified manner,
+then the name type of SRV-INST should be used. An example of this name type
+is the Kerberos ticket-granting service whose name has a first component of
+krbtgt and a second component identifying the realm for which the ticket is
+valid.
+
+If instance is a single component following the service name and the
+instance identifies the host on which the server is running, then the name
+type SRV-HST should be used. This type is typically used for Internet
+services such as telnet and the Berkeley R commands. If the separate
+components of the host name appear as successive components following the
+name of the service, then the name type SRV-XHST should be used. This type
+might be used to identify servers on hosts with X.500 names where the slash
+(/) might otherwise be ambiguous.
+
+A name type of NT-X500-PRINCIPAL should be used when a name from an X.509
+certificiate is translated into a Kerberos name. The encoding of the X.509
+name as a Kerberos principal shall conform to the encoding rules specified
+in RFC 1779.
+
+A name type of UNKNOWN should be used when the form of the name is not
+known. When comparing names, a name of type UNKNOWN will match principals
+authenticated with names of any type. A principal authenticated with a name
+of type UNKNOWN, however, will only match other names of type UNKNOWN.
+
+Names of any type with an initial component of 'krbtgt' are reserved for the
+Kerberos ticket granting service. See section 8.2.3 for the form of such
+names.
+
+7.2.1. Name of server principals
+
+The principal identifier for a server on a host will generally be composed
+of two parts: (1) the realm of the KDC with which the server is registered,
+and (2) a two-component name of type NT-SRV-HST if the host name is an
+Internet domain name or a multi-component name of type NT-SRV-XHST if the
+name of the host is of a form such as X.500 that allows slash (/)
+separators. The first component of the two- or multi-component name will
+identify the service and the latter components will identify the host. Where
+the name of the host is not case sensitive (for example, with Internet
+domain names) the name of the host must be lower case. If specified by the
+application protocol for services such as telnet and the Berkeley R commands
+which run with system privileges, the first component may be the string
+'host' instead of a service specific identifier. When a host has an official
+name and one or more aliases, the official name of the host must be used
+when constructing the name of the server principal.
+
+8. Constants and other defined values
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+8.1. Host address types
+
+All negative values for the host address type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpretations.
+
+The values of the types for the following addresses are chosen to match the
+defined address family constants in the Berkeley Standard Distributions of
+Unix. They can be found in with symbolic names AF_xxx (where xxx is an
+abbreviation of the address family name).
+
+Internet (IPv4) Addresses
+
+Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB
+order. The type of IPv4 addresses is two (2).
+
+Internet (IPv6) Addresses
+
+IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The
+type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The
+following addresses (see [RFC1884]) MUST not appear in any Kerberos packet:
+
+   * the Unspecified Address
+   * the Loopback Address
+   * Link-Local addresses
+
+IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+CHAOSnet addresses
+
+CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order.
+The type of CHAOSnet addresses is five (5).
+
+ISO addresses
+
+ISO addresses are variable-length. The type of ISO addresses is seven (7).
+
+Xerox Network Services (XNS) addresses
+
+XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The
+type of XNS addresses is six (6).
+
+AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit network
+number. The first octet of the address is the node number; the remaining two
+octets encode the network number in MSB order. The type of AppleTalk DDP
+addresses is sixteen (16).
+
+DECnet Phase IV addresses
+
+DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. The
+type of DECnet Phase IV addresses is twelve (12).
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+8.2. KDC messages
+
+8.2.1. UDP/IP transport
+
+When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP
+IP transport, the client shall send a UDP datagram containing only an
+encoding of the request to port 88 (decimal) at the KDC's IP address; the
+KDC will respond with a reply datagram containing only an encoding of the
+reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at
+the sender's IP address. Kerberos servers supporting IP transport must
+accept UDP requests on port 88 (decimal). The response to a request made
+through UDP/IP transport must also use UDP/IP transport.
+
+8.2.2. TCP/IP transport
+
+Kerberos servers (KDC's) must accept TCP requests on port 88 (decimal). When
+the KRB_KDC_REQ message is sent to the KDC over a TCP stream, a new
+connection will be established for each authentication exchange (request and
+response). The KRB_KDC_REP or KRB_ERROR message will be returned to the
+client on the same TCP stream that was established for the request. The
+connection will be broken after the reply has been received (or upon
+time-out). Care must be taken in managing TCP/IP connections with the KDC to
+prevent denial of service attacks based on the number of TCP/IP connections
+with the KDC that remain open. If multiple exchanges with the KDC are needed
+for certain forms of preauthentication, multiple TCP connections will be
+required. The response to a request made through TCP/IP transport must also
+use TCP/IP transport.
+
+The first four octets of the TCP stream used to transmit the request request
+will encode in network byte order the length of the request (KRB_KDC_REQ),
+and the length will be followed by the request itself. The response will
+similarly be preceeded by a 4 octet encoding in network byte order of the
+length of the KRB_KDC_REP or the KRB_ERROR message and will be followed by
+the KRB_KDC_REP or the KRB_ERROR response.
+
+8.2.3. OSI transport
+
+During authentication of an OSI client to an OSI server, the mutual
+authentication of an OSI server to an OSI client, the transfer of
+credentials from an OSI client to an OSI server, or during exchange of
+private or integrity checked messages, Kerberos protocol messages may be
+treated as opaque objects and the type of the authentication mechanism will
+be:
+
+OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5),kerberosv5(2)}
+
+Depending on the situation, the opaque object will be an authentication
+header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message
+(KRB_SAFE), a private message (KRB_PRIV), or a credentials message
+(KRB_CRED). The opaque data contains an application code as specified in the
+ASN.1 description for each message. The application code may be used by
+Kerberos to determine the message type.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+8.2.3. Name of the TGS
+
+The principal identifier of the ticket-granting service shall be composed of
+three parts: (1) the realm of the KDC issuing the TGS ticket (2) a two-part
+name of type NT-SRV-INST, with the first part "krbtgt" and the second part
+the name of the realm which will accept the ticket-granting ticket. For
+example, a ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be
+used to get tickets from the ATHENA.MIT.EDU KDC has a principal identifier
+of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A
+ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get
+tickets from the MIT.EDU realm has a principal identifier of
+"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name).
+
+8.3. Protocol constants and associated values
+
+The following tables list constants used in the protocol and defines their
+meanings.
+
+Encryption type  etype value  block size    minimum pad size  confounder size
+NULL              0            1                 0                 0
+des-cbc-crc       1            8                 4                 8
+des-cbc-md4       2            8                 0                 8
+des-cbc-md5       3            8                 0                 8
+        4
+des3-cbc-md5      5            8                 0                 8
+        6
+des3-cbc-sha1     7            8                 0                 8
+sign-dsa-generate 8                                   (pkinit)
+encrypt-rsa-priv  9                                   (pkinit)
+encrypt-rsa-pub  10                                   (pkinit)
+rsa-pub-md5      11                                   (pkinit)
+rsa-pub-sha1     12                                   (pkinit)
+ENCTYPE_PK_CROSS 48                                   (reserved for pkcross)
+       0x8003
+
+Checksum type              sumtype value       checksum size
+CRC32                      1                   4
+rsa-md4                    2                   16
+rsa-md4-des                3                   24
+des-mac                    4                   16
+des-mac-k                  5                   8
+rsa-md4-des-k              6                   16
+rsa-md5                    7                   16
+rsa-md5-des                8                   24
+rsa-md5-des3               9                   24
+hmac-sha1-des3             10                  20  (I had this as 10, is it 12)
+
+padata type                     padata-type value
+
+PA-TGS-REQ                      1
+PA-ENC-TIMESTAMP                2
+PA-PW-SALT                      3
+                      4
+PA-ENC-UNIX-TIME                5
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+PA-SANDIA-SECUREID              6
+PA-SESAME                       7
+PA-OSF-DCE                      8
+PA-CYBERSAFE-SECUREID           9
+PA-AFS3-SALT                    10
+PA-ETYPE-INFO                   11
+SAM-CHALLENGE                   12                  (sam/otp)
+SAM-RESPONSE                    13                  (sam/otp)
+PA-PK-AS-REQ                    14                  (pkinit)
+PA-PK-AS-REP                    15                  (pkinit)
+PA-PK-AS-SIGN                   16                  (pkinit)
+PA-PK-KEY-REQ                   17                  (pkinit)
+PA-PK-KEY-REP                   18                  (pkinit)
+PA-USE-SPECIFIED-KVNO           20
+
+authorization data type         ad-type value
+AD-KDC-ISSUED                      1
+AD-INTENDED-FOR-SERVER             2
+AD-INTENDED-FOR-APPLICATION-CLASS  3
+AD-IF-RELEVANT                     4
+AD-OR                              5
+AD-MANDATORY-TICKET-EXTENSIONS     6
+AD-IN-TICKET-EXTENSIONS            7
+reserved values                    8-63
+OSF-DCE                            64
+SESAME                             65
+
+Ticket Extension Types
+
+TE-TYPE-NULL                  0      Null ticket extension
+TE-TYPE-EXTERNAL-ADATA        1      Integrity protected authorization data
+                    2      TE-TYPE-PKCROSS-KDC  (I have reservations)
+TE-TYPE-PKCROSS-CLIENT        3      PKCROSS cross realm key ticket
+TE-TYPE-CYBERSAFE-EXT         4      Assigned to CyberSafe Corp
+                    5      TE-TYPE-DEST-HOST (I have reservations)
+
+alternate authentication type   method-type value
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+transited encoding type         tr-type value
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+Label               Value   Meaning or MIT code
+
+pvno                    5   current Kerberos protocol version number
+
+message types
+
+KRB_AS_REQ             10   Request for initial authentication
+KRB_AS_REP             11   Response to KRB_AS_REQ request
+KRB_TGS_REQ            12   Request for authentication based on TGT
+KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+KRB_AP_REQ             14   application request to server
+KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE               20   Safe (checksummed) application message
+KRB_PRIV               21   Private (encrypted) application message
+KRB_CRED               22   Private (encrypted) message to forward credentials
+KRB_ERROR              30   Error response
+
+name types
+
+KRB_NT_UNKNOWN        0  Name type not known
+KRB_NT_PRINCIPAL      1  Just the name of the principal as in DCE, or for users
+KRB_NT_SRV_INST       2  Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST        3  Service with host name as instance (telnet, rcommands)
+KRB_NT_SRV_XHST       4  Service with host as remaining components
+KRB_NT_UID            5  Unique ID
+KRB_NT_X500_PRINCIPAL 6  Encoded X.509 Distingished name [RFC 1779]
+
+error codes
+
+KDC_ERR_NONE                    0   No error
+KDC_ERR_NAME_EXP                1   Client's entry in database has expired
+KDC_ERR_SERVICE_EXP             2   Server's entry in database has expired
+KDC_ERR_BAD_PVNO                3   Requested protocol version number not 
+                                    supported
+KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in database
+KDC_ERR_NULL_KEY                9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID            11   Requested start time is later than end time
+KDC_ERR_POLICY                 12   KDC policy rejects request
+KDC_ERR_BADOPTION              13   KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption type
+KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been revoked
+KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED            23   Password has expired - change password
+                                    to reset
+KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was invalid
+KDC_ERR_PREAUTH_REQUIRED       25   Additional pre-authenticationrequired [40]
+KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't match
+KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for user2user only
+KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field failed
+KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+KRB_AP_ERR_REPEAT              34   Request is a replay
+KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't match
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+KRB_AP_ERR_SKEW                37   Clock skew too great
+KRB_AP_ERR_BADADDR             38   Incorrect net address
+KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+KRB_AP_ERR_MODIFIED            41   Message stream modified
+KRB_AP_ERR_BADORDER            42   Message out of order
+KRB_AP_ERR_BADKEYVER           44   Specified version of key is not available
+KRB_AP_ERR_NOKEY               45   Service key not available
+KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+KRB_AP_ERR_METHOD              48   Alternative authentication method required
+KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in message
+KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in message
+KRB_AP_PATH_NOT_ACCEPTED       51   Policy rejects transited path
+KRB_ERR_GENERIC                60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG          61   Field is too long for this implementation
+KDC_ERROR_CLIENT_NOT_TRUSTED   62   (pkinit)
+KDC_ERROR_KDC_NOT_TRUSTED      63   (pkinit)
+KDC_ERROR_INVALID_SIG          64   (pkinit)
+KDC_ERR_KEY_TOO_WEAK           65   (pkinit)
+KDC_ERR_CERTIFICATE_MISMATCH   66   (pkinit)
+
+9. Interoperability requirements
+
+Version 5 of the Kerberos protocol supports a myriad of options. Among these
+are multiple encryption and checksum types, alternative encoding schemes for
+the transited field, optional mechanisms for pre-authentication, the
+handling of tickets with no addresses, options for mutual authentication,
+user to user authentication, support for proxies, forwarding, postdating,
+and renewing tickets, the format of realm names, and the handling of
+authorization data.
+
+In order to ensure the interoperability of realms, it is necessary to define
+a minimal configuration which must be supported by all implementations. This
+minimal configuration is subject to change as technology does. For example,
+if at some later date it is discovered that one of the required encryption
+or checksum algorithms is not secure, it will be replaced.
+
+9.1. Specification 2
+
+This section defines the second specification of these options.
+Implementations which are configured in this way can be said to support
+Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may
+be found in RFC1510.
+
+Transport
+
+TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance
+to specification 2. Kerberos clients claiming conformance to specification 2
+must support UDP/IP transport for messages with the KDC and may support
+TCP/IP transport.
+
+Encryption and checksum methods
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+The following encryption and checksum mechanisms must be supported.
+Implementations may support other mechanisms as well, but the additional
+mechanisms may only be used when communicating with principals known to also
+support them: This list is to be determined.
+
+Encryption: DES-CBC-MD5
+Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
+
+Realm Names
+
+All implementations must understand hierarchical realms in both the Internet
+Domain and the X.500 style. When a ticket granting ticket for an unknown
+realm is requested, the KDC must be able to determine the names of the
+intermediate realms between the KDCs realm and the requested realm.
+
+Transited field encoding
+
+DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
+Alternative encodings may be supported, but they may be used only when that
+encoding is supported by ALL intermediate realms.
+
+Pre-authentication methods
+
+The TGS-REQ method must be supported. The TGS-REQ method is not used on the
+initial request. The PA-ENC-TIMESTAMP method must be supported by clients
+but whether it is enabled by default may be determined on a realm by realm
+basis. If not used in the initial request and the error
+KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
+acceptable method, the client should retry the initial request using the
+PA-ENC-TIMESTAMP preauthentication method. Servers need not support the
+PA-ENC-TIMESTAMP method, but if not supported the server should ignore the
+presence of PA-ENC-TIMESTAMP pre-authentication in a request.
+
+Mutual authentication
+
+Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+Ticket addresses and flags
+
+All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
+contains no addresses, the KDC will return derivative tickets), but each
+realm may set its own policy for issuing such tickets, and each application
+server will set its own policy with respect to accepting them.
+
+Proxies and forwarded tickets must be supported. Individual realms and
+application servers can set their own policy on when such tickets will be
+accepted.
+
+All implementations must recognize renewable and postdated tickets, but need
+not actually implement them. If these options are not supported, the
+starttime and endtime in the ticket shall specify a ticket's entire useful
+life. When a postdated ticket is decoded by a server, all implementations
+shall make the presence of the postdated flag visible to the calling server.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+User-to-user authentication
+
+Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC option)
+must be provided by implementations, but individual realms may decide as a
+matter of policy to reject such requests on a per-principal or realm-wide
+basis.
+
+Authorization data
+
+Implementations must pass all authorization data subfields from
+ticket-granting tickets to any derivative tickets unless directed to
+suppress a subfield as part of the definition of that registered subfield
+type (it is never incorrect to pass on a subfield, and no registered
+subfield types presently specify suppression at the KDC).
+
+Implementations must make the contents of any authorization data subfields
+available to the server when a ticket is used. Implementations are not
+required to allow clients to specify the contents of the authorization data
+fields.
+
+9.2. Recommended KDC values
+
+Following is a list of recommended values for a KDC implementation, based on
+the list of suggested configuration constants (see section 4.4).
+
+minimum lifetime              5 minutes
+maximum renewable lifetime    1 week
+maximum ticket lifetime       1 day
+empty addresses               only when suitable  restrictions  appear
+                              in authorization data
+proxiable, etc.               Allowed.
+
+10. REFERENCES
+
+[NT94]    B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+          cation  Service for Computer Networks," IEEE Communica-
+          tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+[MNSS87]  S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+          Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+          Authorization System, M.I.T. Project Athena, Cambridge,
+          Massachusetts (December 21, 1987).
+
+[SNS88]   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+          beros:  An Authentication Service for Open Network Sys-
+          tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+          Dallas, Texas (February, 1988).
+
+[NS78]    Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+          Encryption for Authentication in Large Networks of Com-
+          puters,"  Communications  of  the  ACM,  Vol.   21(12),
+          pp. 993-999 (December, 1978).
+
+[DS81]    Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+          stamps  in  Key Distribution Protocols," Communications
+          of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+[KNT92]   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+          "The Evolution of the Kerberos Authentication Service,"
+          in an IEEE Computer Society Text soon to  be  published
+          (June 1992).
+
+[Neu93]   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+          Accounting  for Distributed Systems," in Proceedings of
+          the 13th International Conference on  Distributed  Com-
+          puting Systems, Pittsburgh, PA (May, 1993).
+
+[DS90]    Don Davis and Ralph Swick,  "Workstation  Services  and
+          Kerberos  Authentication  at Project Athena," Technical
+          Memorandum TM-424,  MIT Laboratory for Computer Science
+          (February 1990).
+
+[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+          merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+          ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+          sachusetts (1987).
+
+[X509-88] CCITT, Recommendation X.509: The Directory  Authentica-
+          tion Framework, December 1988.
+
+[Pat92].  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+          Guessing  Attacks, Open Software Foundation DCE Request
+          for Comments 26 (December 1992).
+
+[DES77]   National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "Data Encryption Standard," Federal Information
+          Processing Standards Publication  46,   Washington,  DC
+          (1977).
+
+[DESM80]  National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "DES  Modes  of Operation," Federal Information
+          Processing Standards Publication 81,   Springfield,  VA
+          (December 1980).
+
+[SG92]    Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+          Integrity  in  Cryptographic Protocols," in Proceedings
+          of the IEEE  Symposium  on  Research  in  Security  and
+          Privacy, Oakland, California (May 1992).
+
+[IS3309]  International Organization  for  Standardization,  "ISO
+          Information  Processing  Systems - Data Communication -
+          High-Level Data Link Control Procedure -  Frame  Struc-
+          ture," IS 3309 (October 1984).  3rd Edition.
+
+[MD4-92]  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+          1320,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+[MD5-92]  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+          1321,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+[KBC96]   H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+          Hashing  for  Message  Authentication,"  Working  Draft
+          draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+A. Pseudo-code for protocol processing
+
+This appendix provides pseudo-code describing how the messages are to be
+constructed and interpreted by clients and servers.
+
+A.1. KRB_AS_REQ generation
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_AS_REQ */
+
+        if(pa_enc_timestamp_required) then
+                request.padata.padata-type = PA-ENC-TIMESTAMP;
+                get system_time;
+                padata-body.patimestamp,pausec = system_time;
+                encrypt padata-body into request.padata.padata-value
+                        using client.key; /* derived from password */
+        endif
+
+        body.kdc-options := users's preferences;
+        body.cname := user's name;
+        body.realm := user's realm;
+        body.sname := service's name; /* usually "krbtgt",  "localrealm" */
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+        omit body.enc-authorization-data;
+        request.req-body := body;
+
+        kerberos := lookup(name of local kerberos server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                retry or use alternate server;
+        endif
+
+A.2. KRB_AS_REQ verification and KRB_AS_REP generation
+
+        decode message into req;
+
+        client := lookup(req.cname,req.realm);
+        server := lookup(req.sname,req.realm);
+
+        get system_time;
+        kdc_time := system_time.seconds;
+
+        if (!client) then
+                /* no client in Database */
+                error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+        endif
+        if (!server) then
+                /* no server in Database */
+                error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        endif
+
+        if(client.pa_enc_timestamp_required and
+           pa_enc_timestamp not present) then
+                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+        endif
+
+        if(pa_enc_timestamp present) then
+                decrypt req.padata-value into decrypted_enc_timestamp
+                        using client.key;
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                if(decrypted_enc_timestamp is not within allowable skew) then
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                if(decrypted_enc_timestamp and usec is replay)
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                add decrypted_enc_timestamp and usec to replay cache;
+        endif
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := req.srealm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        if (req.kdc-options.FORWARDABLE is set) then
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.PROXIABLE is set) then
+                set new_tkt.flags.PROXIABLE;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if ((req.kdc-options.RENEW is set) or
+            (req.kdc-options.VALIDATE is set) or
+            (req.kdc-options.PROXY is set) or
+            (req.kdc-options.FORWARDED is set) or
+            (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.session := random_session_key();
+        new_tkt.cname := req.cname;
+        new_tkt.crealm := req.crealm;
+        new_tkt.transited := empty_transited_field();
+
+        new_tkt.authtime := kdc_time;
+
+        if (req.kdc-options.POSTDATED is set) then
+           if (against_postdate_policy(req.from)) then
+                error_out(KDC_ERR_POLICY);
+           endif
+           set new_tkt.flags.POSTDATED;
+           set new_tkt.flags.INVALID;
+           new_tkt.starttime := req.from;
+        else
+           omit new_tkt.starttime; /* treated as authtime when omitted */
+        endif
+        if (req.till = 0) then
+                till := infinity;
+        else
+                till := req.till;
+        endif
+
+        new_tkt.endtime := min(till,
+                              new_tkt.starttime+client.max_life,
+                              new_tkt.starttime+server.max_life,
+                              new_tkt.starttime+max_life_for_realm);
+
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (new_tkt.endtime < req.till)) then
+                /* we set the RENEWABLE option for later processing */
+                set req.kdc-options.RENEWABLE;
+                req.rtime := req.till;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if (req.kdc-options.RENEWABLE is set) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+                                          new_tkt.starttime+client.max_rlife,
+                                          new_tkt.starttime+server.max_rlife,
+                                          new_tkt.starttime+max_rlife_for_realm);
+        else
+                omit new_tkt.renew-till; /* only present if RENEWABLE */
+        endif
+
+        if (req.addresses) then
+                new_tkt.caddr := req.addresses;
+        else
+                omit new_tkt.caddr;
+        endif
+
+        new_tkt.authorization_data := empty_authorization_data();
+
+        encode to-be-encrypted part of ticket into OCTET STRING;
+        new_tkt.enc-part := encrypt OCTET STRING
+                using etype_for_key(server.key), server.key, server.p_kvno;
+
+        /* Start processing the response */
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_AS_REP;
+        resp.cname := req.cname;
+        resp.crealm := req.realm;
+        resp.ticket := new_tkt;
+
+        resp.key := new_tkt.session;
+        resp.last-req := fetch_last_request_info(client);
+        resp.nonce := req.nonce;
+        resp.key-expiration := client.expiration;
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        resp.realm := new_tkt.realm;
+        resp.sname := new_tkt.sname;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+        resp.caddr := new_tkt.caddr;
+
+        encode body of reply into OCTET STRING;
+
+        resp.enc-part := encrypt OCTET STRING
+                         using use_etype, client.key, client.p_kvno;
+        send(resp);
+
+A.3. KRB_AS_REP verification
+
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
+                        set pa_enc_timestamp_required;
+                        goto KRB_AS_REQ;
+                endif
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key */
+        /* from the response immediately */
+
+        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                 resp.padata);
+        unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and key;
+        zero(key);
+
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        if near(resp.princ_exp) then
+                print(warning message);
+        endif
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.4. KRB_AS_REP and KRB_TGS_REP common checks
+
+        if (decryption_error() or
+            (req.cname != resp.cname) or
+            (req.realm != resp.crealm) or
+            (req.sname != resp.sname) or
+            (req.realm != resp.realm) or
+            (req.nonce != resp.nonce) or
+            (req.addresses != resp.caddr)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        /* make sure no flags are set that shouldn't be, and that all that */
+        /* should be are set                                               */
+        if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.from = 0) and
+            (resp.starttime is not within allowable skew)) then
+                destroy resp.key;
+                return KRB_AP_ERR_SKEW;
+        endif
+        if ((req.from != 0) and (req.from != resp.starttime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.till != 0) and (resp.endtime > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (resp.flags.RENEWABLE) and
+            (req.till != 0) and
+            (resp.renew-till > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+A.5. KRB_TGS_REQ generation
+
+        /* Note that make_application_request might have to recursivly     */
+        /* call this routine to get the appropriate ticket-granting ticket */
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+        body.kdc-options := users's preferences;
+        /* If the TGT is not for the realm of the end-server  */
+        /* then the sname will be for a TGT for the end-realm */
+        /* and the realm of the requested ticket (body.realm) */
+        /* will be that of the TGS to which the TGT we are    */
+        /* sending applies                                    */
+        body.sname := service's name;
+        body.realm := service's realm;
+
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+
+        body.enc-authorization-data := user-supplied data;
+        if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                body.additional-tickets_ticket := second TGT;
+        endif
+
+        request.req-body := body;
+        check := generate_checksum (req.body,checksumtype);
+
+        request.padata[0].padata-type := PA-TGS-REQ;
+        request.padata[0].padata-value := create a KRB_AP_REQ using
+                                      the TGT and checksum
+
+        /* add in any other padata as required/supplied */
+
+        kerberos := lookup(name of local kerberose server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
+
+        /* note that reading the application request requires first
+        determining the server for which a ticket was issued, and choosing the
+        correct key for decryption.  The name of the server appears in the
+        plaintext part of the ticket. */
+
+        if (no KRB_AP_REQ in req.padata) then
+                error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+        endif
+        verify KRB_AP_REQ in req.padata;
+
+        /* Note that the realm in which the Kerberos server is operating is
+        determined by the instance from the ticket-granting ticket.  The realm
+        in the ticket-granting ticket is the realm under which the ticket
+        granting ticket was issued.  It is possible for a single Kerberos
+        server to support more than one realm. */
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        auth_hdr := KRB_AP_REQ;
+        tgt := auth_hdr.ticket;
+
+        if (tgt.sname is not a TGT for local realm and is not req.sname) then
+                error_out(KRB_AP_ERR_NOT_US);
+
+        realm := realm_tgt_is_for(tgt);
+
+        decode remainder of request;
+
+        if (auth_hdr.authenticator.cksum is missing) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        if (auth_hdr.authenticator.cksum type is not supported) then
+                error_out(KDC_ERR_SUMTYPE_NOSUPP);
+        endif
+        if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        set computed_checksum := checksum(req);
+        if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        server := lookup(req.sname,realm);
+
+        if (!server) then
+                if (is_foreign_tgt_name(req.sname)) then
+                        server := best_intermediate_tgs(req.sname);
+                else
+                        /* no server in Database */
+                        error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                endif
+        endif
+
+        session := generate_random_session_key();
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := realm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        new_tkt.caddr := tgt.caddr;
+        resp.caddr := NULL; /* We only include this if they change */
+        if (req.kdc-options.FORWARDABLE is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.FORWARDED is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDED;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+        if (tgt.flags.FORWARDED is set) then
+                set new_tkt.flags.FORWARDED;
+        endif
+
+        if (req.kdc-options.PROXIABLE is set) then
+                if (tgt.flags.PROXIABLE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.PROXY is set) then
+                if (tgt.flags.PROXIABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXY;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                if (tgt.flags.MAY-POSTDATE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if (req.kdc-options.POSTDATED is set) then
+                if (tgt.flags.MAY-POSTDATE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                if (against_postdate_policy(req.from)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                new_tkt.starttime := req.from;
+        endif
+
+        if (req.kdc-options.VALIDATE is set) then
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                if (tgt.flags.INVALID is reset) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                if (tgt.starttime > kdc_time) then
+                        error_out(KRB_AP_ERR_NYV);
+                endif
+                if (check_hot_list(tgt)) then
+                        error_out(KRB_AP_ERR_REPEAT);
+                endif
+                tkt := tgt;
+                reset new_tkt.flags.INVALID;
+        endif
+
+        if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                             and those already processed) is set) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.authtime := tgt.authtime;
+
+        if (req.kdc-options.RENEW is set) then
+          /* Note that if the endtime has already passed, the ticket would  */
+          /* have been rejected in the initial authentication stage, so     */
+          /* there is no need to check again here                           */
+                if (tgt.flags.RENEWABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                if (tgt.renew-till < kdc_time) then
+                        error_out(KRB_AP_ERR_TKT_EXPIRED);
+                endif
+                tkt := tgt;
+                new_tkt.starttime := kdc_time;
+                old_life := tgt.endttime - tgt.starttime;
+                new_tkt.endtime := min(tgt.renew-till,
+                                       new_tkt.starttime + old_life);
+        else
+                new_tkt.starttime := kdc_time;
+                if (req.till = 0) then
+                        till := infinity;
+                else
+                        till := req.till;
+                endif
+                new_tkt.endtime := min(till,
+                                       new_tkt.starttime+client.max_life,
+                                       new_tkt.starttime+server.max_life,
+                                       new_tkt.starttime+max_life_for_realm,
+                                       tgt.endtime);
+
+                if ((req.kdc-options.RENEWABLE-OK is set) and
+                    (new_tkt.endtime < req.till) and
+                    (tgt.flags.RENEWABLE is set) then
+                        /* we set the RENEWABLE option for later processing */
+                        set req.kdc-options.RENEWABLE;
+                        req.rtime := min(req.till, tgt.renew-till);
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                endif
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (tgt.flags.RENEWABLE is set)) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+                                          new_tkt.starttime+client.max_rlife,
+                                          new_tkt.starttime+server.max_rlife,
+                                          new_tkt.starttime+max_rlife_for_realm,
+                                          tgt.renew-till);
+        else
+                new_tkt.renew-till := OMIT; /* leave the renew-till field out */
+        endif
+        if (req.enc-authorization-data is present) then
+                decrypt req.enc-authorization-data into decrypted_authorization_data
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                endif
+        endif
+        new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data +
+                                 decrypted_authorization_data;
+
+        new_tkt.key := session;
+        new_tkt.crealm := tgt.crealm;
+        new_tkt.cname := req.auth_hdr.ticket.cname;
+
+        if (realm_tgt_is_for(tgt) := tgt.realm) then
+                /* tgt issued by local realm */
+                new_tkt.transited := tgt.transited;
+        else
+                /* was issued for this realm by some other realm */
+                if (tgt.transited.tr-type not supported) then
+                        error_out(KDC_ERR_TRTYPE_NOSUPP);
+                endif
+                new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
+                /* Don't check tranited field if TGT for foreign realm,
+                 * or requested not to check */
+                if (is_not_foreign_tgt_name(new_tkt.server)
+                   && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then
+                        /* Check it, so end-server does not have to
+                         * but don't fail, end-server may still accept it */
+                        if (check_transited_field(new_tkt.transited) == OK)
+                              set new_tkt.flags.TRANSITED-POLICY-CHECKED;
+                        endif
+                endif
+        endif
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+        encode encrypted part of new_tkt into OCTET STRING;
+        if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                if (server not specified) then
+                        server = req.second_ticket.client;
+                endif
+                if ((req.second_ticket is not a TGT) or
+                    (req.second_ticket.client != server)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+
+                new_tkt.enc-part := encrypt OCTET STRING using
+                        using etype_for_key(second-ticket.key), second-ticket.key;
+        else
+                new_tkt.enc-part := encrypt OCTET STRING
+                        using etype_for_key(server.key), server.key, server.p_kvno;
+        endif
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_TGS_REP;
+        resp.crealm := tgt.crealm;
+        resp.cname := tgt.cname;
+        resp.ticket := new_tkt;
+
+        resp.key := session;
+        resp.nonce := req.nonce;
+        resp.last-req := fetch_last_request_info(client);
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        omit resp.key-expiration;
+
+        resp.sname := new_tkt.sname;
+        resp.realm := new_tkt.realm;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        encode body of reply into OCTET STRING;
+
+        if (req.padata.authenticator.subkey)
+                resp.enc-part := encrypt OCTET STRING using use_etype,
+                        req.padata.authenticator.subkey;
+        else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key;
+
+        send(resp);
+
+A.7. KRB_TGS_REP verification
+
+        decode response into resp;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+        if (resp.msg-type = KRB_ERROR) then
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key from
+        the response immediately */
+
+        if (req.padata.authenticator.subkey)
+                unencrypted part of resp := decode of decrypt of resp.enc-part
+                        using resp.enc-part.etype and subkey;
+        else unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and tgt's session key;
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        check authorization_data as necessary;
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.8. Authenticator generation
+
+        body.authenticator-vno := authenticator vno; /* = 5 */
+        body.cname, body.crealm := client name;
+        if (supplying checksum) then
+                body.cksum := checksum;
+        endif
+        get system_time;
+        body.ctime, body.cusec := system_time;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+A.9. KRB_AP_REQ generation
+
+        obtain ticket and session_key from cache;
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REQ */
+
+        if (desired(MUTUAL_AUTHENTICATION)) then
+                set packet.ap-options.MUTUAL-REQUIRED;
+        else
+                reset packet.ap-options.MUTUAL-REQUIRED;
+        endif
+        if (using session key for ticket) then
+                set packet.ap-options.USE-SESSION-KEY;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        else
+                reset packet.ap-options.USE-SESSION-KEY;
+        endif
+        packet.ticket := ticket; /* ticket */
+        generate authenticator;
+        encode authenticator into OCTET STRING;
+        encrypt OCTET STRING into packet.authenticator using session_key;
+
+A.10. KRB_AP_REQ verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REQ) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.ticket.tkt_vno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.ap_options.USE-SESSION-KEY is set) then
+                retrieve session key from ticket-granting ticket for
+                 packet.ticket.{sname,srealm,enc-part.etype};
+        else
+                retrieve service key for
+                 packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+        endif
+        if (no_key_available) then
+                if (cannot_find_specified_skvno) then
+                        error_out(KRB_AP_ERR_BADKEYVER);
+                else
+                        error_out(KRB_AP_ERR_NOKEY);
+                endif
+        endif
+        decrypt packet.ticket.enc-part into decr_ticket using retrieved key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        decrypt packet.authenticator into decr_authenticator
+                using decr_ticket.key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (decr_authenticator.{cname,crealm} !=
+            decr_ticket.{cname,crealm}) then
+                error_out(KRB_AP_ERR_BADMATCH);
+        endif
+        if (decr_ticket.caddr is present) then
+                if (sender_address(packet) is not in decr_ticket.caddr) then
+                        error_out(KRB_AP_ERR_BADADDR);
+                endif
+        elseif (application requires addresses) then
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(decr_authenticator.ctime,
+                              decr_authenticator.cusec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+        get system_time;
+        if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+            (decr_ticket.flags.INVALID is set)) then
+                /* it hasn't yet become valid */
+                error_out(KRB_AP_ERR_TKT_NYV);
+        endif
+        if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                error_out(KRB_AP_ERR_TKT_EXPIRED);
+        endif
+        if (decr_ticket.transited) then
+            /* caller may ignore the TRANSITED-POLICY-CHECKED and do
+             * check anyway */
+            if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then
+                 if (check_transited_field(decr_ticket.transited) then
+                      error_out(KDC_AP_PATH_NOT_ACCPETED);
+                 endif
+            endif
+        endif
+        /* caller must check decr_ticket.flags for any pertinent details */
+        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+A.11. KRB_AP_REP generation
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REP */
+
+        body.ctime := packet.ctime;
+        body.cusec := packet.cusec;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part;
+
+A.12. KRB_AP_REP verification
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REP) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        cleartext := decrypt(packet.enc-part) using ticket's session key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (cleartext.ctime != authenticator.ctime) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.cusec != authenticator.cusec) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.subkey is present) then
+                save cleartext.subkey for future use;
+        endif
+        if (cleartext.seq-number is present) then
+                save cleartext.seq-number for future verifications;
+        endif
+        return(AUTHENTICATION_SUCCEEDED);
+
+A.13. KRB_SAFE generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_SAFE */
+
+        body.user-data := buffer; /* DATA */
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+        checksum.cksumtype := checksum type;
+        compute checksum over body;
+        checksum.checksum := checksum value; /* checksum.checksum */
+        packet.cksum := checksum;
+        packet.safe-body := body;
+
+A.14. KRB_SAFE verification
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_SAFE) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.checksum.cksumtype is not both collision-proof and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (safe_priv_common_checks_ok(packet)) then
+                set computed_checksum := checksum(packet.body);
+                if (computed_checksum != packet.checksum) then
+                        error_out(KRB_AP_ERR_MODIFIED);
+                endif
+                return (packet, PACKET_IS_GENUINE);
+        else
+                return common_checks_error;
+        endif
+
+A.15. KRB_SAFE and KRB_PRIV common checks
+
+        if (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (((packet.timestamp is present) and
+             (not in_clock_skew(packet.timestamp,packet.usec))) or
+            (packet.timestamp is not present and timestamp expected)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+
+        if (((packet.seq-number is present) and
+             ((not in_sequence(packet.seq-number)))) or
+            (packet.seq-number is not present and sequence expected)) then
+                error_out(KRB_AP_ERR_BADORDER);
+        endif
+        if (packet.timestamp not present and packet.seq-number not present)
+        then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        save_identifier(packet.{timestamp,usec,s-address},
+                        sender_principal(packet));
+
+        return PACKET_IS_OK;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+A.16. KRB_PRIV generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_PRIV */
+
+        packet.enc-part.etype := encryption type;
+
+        body.user-data := buffer;
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher;
+
+A.17. KRB_PRIV verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_PRIV) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+        if (safe_priv_common_checks_ok(cleartext)) then
+                return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+        else
+                return common_checks_error;
+        endif
+
+A.18. KRB_CRED generation
+
+        invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_CRED */
+
+        for (tickets[n] in tickets to be forwarded) do
+                packet.tickets[n] = tickets[n].ticket;
+        done
+
+        packet.enc-part.etype := encryption type;
+
+        for (ticket[n] in tickets to be forwarded) do
+                body.ticket-info[n].key = tickets[n].session;
+                body.ticket-info[n].prealm = tickets[n].crealm;
+                body.ticket-info[n].pname = tickets[n].cname;
+                body.ticket-info[n].flags = tickets[n].flags;
+                body.ticket-info[n].authtime = tickets[n].authtime;
+                body.ticket-info[n].starttime = tickets[n].starttime;
+                body.ticket-info[n].endtime = tickets[n].endtime;
+                body.ticket-info[n].renew-till = tickets[n].renew-till;
+                body.ticket-info[n].srealm = tickets[n].srealm;
+                body.ticket-info[n].sname = tickets[n].sname;
+                body.ticket-info[n].caddr = tickets[n].caddr;
+        done
+
+        get system_time;
+        body.timestamp, body.usec := system_time;
+
+        if (using nonce) then
+                body.nonce := nonce;
+        endif
+
+        if (using s-address) then
+                body.s-address := sender host addresses;
+        endif
+        if (limited recipients) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher
+               using negotiated encryption key;
+
+A.19. KRB_CRED verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_CRED) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if ((packet.r-address is present or required) and
+           (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (packet.nonce is required or present) and
+           (packet.nonce != expected-nonce) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        for (ticket[n] in tickets that were forwarded) do
+                save_for_later(ticket[n],key[n],principal[n],
+                               server[n],times[n],flags[n]);
+        return
+
+A.20. KRB_ERROR generation
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_ERROR */
+
+        get system_time;
+        packet.stime, packet.susec := system_time;
+        packet.realm, packet.sname := server name;
+
+        if (client time available) then
+                packet.ctime, packet.cusec := client_time;
+        endif
+        packet.error-code := error code;
+        if (client name available) then
+                packet.cname, packet.crealm := client name;
+        endif
+        if (error text available) then
+                packet.e-text := error text;
+        endif
+        if (error data available) then
+                packet.e-data := error data;
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+        endif
+
+B. Definition of common authorization data elements
+
+This appendix contains the definitions of common authorization data
+elements. These common authorization data elements are recursivly defined,
+meaning the ad-data for these types will itself contain a sequence of
+authorization data whose interpretation is affected by the encapsulating
+element. Depending on the meaning of the encapsulating element, the
+encapsulated elements may be ignored, might be interpreted as issued
+directly by the KDC, or they might be stored in a separate plaintext part of
+the ticket. The types of the encapsulating elements are specified as part of
+the Kerberos specification ebcause the behavior based on these values should
+be understood across implementations whereas other elements need only be
+understood by the applications which they affect.
+
+In the definitions that follow, the value of the ad-type for the element
+will be specified in the subsection number, and the value of the ad-data
+will be as shown in the ASN.1 structure that follows the subsection heading.
+
+B.1. KDC Issued
+
+AD-KDCIssued   SEQUENCE {
+               ad-checksum[0]    Checksum,
+                i-realm[1]       Realm OPTIONAL,
+                i-sname[2]       PrincipalName OPTIONAL,
+               elements[3]       AuthorizationData.
+}
+
+ad-checksum
+     A checksum over the elements field using a cryptographic checksum
+     method that is identical to the checksum used to protect the ticket
+     itself (i.e. using the same hash function and the same encryption
+     algorithm used to encrypt the ticket) and using a key derived from the
+     same key used to protect the ticket.
+i-realm, i-sname
+     The name of the issuing principal if different from the KDC itself.
+     This field would be used when the KDC can verify the authenticity of
+     elements signed by the issuing principal and it allows this KDC to
+     notify the application server of the validity of those elements.
+elements
+     A sequence of authorization data elements issued by the KDC.
+
+The KDC-issued ad-data field is intended to provide a means for Kerberos
+principal credentials to embed within themselves privilege attributes and
+other mechanisms for positive authorization, amplifying the priveleges of
+the principal beyond what can be done using a credentials without such an
+a-data element.
+
+This can not be provided without this element because the definition of the
+authorization-data field allows elements to be added at will by the bearer
+of a TGT at the time that they request service tickets and elements may also
+be added to a delegated ticket by inclusion in the authenticator.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+For KDC-issued elements this is prevented because the elements are signed by
+the KDC by including a checksum encrypted using the server's key (the same
+key used to encrypt the ticket - or a key derived from that key). Elements
+encapsulated with in the KDC-issued element will be ignored by the
+application server if this "signature" is not present. Further, elements
+encapsulated within this element from a ticket granting ticket may be
+interpreted by the KDC, and used as a basis according to policy for
+including new signed elements within derivative tickets, but they will not
+be copied to a derivative ticket directly. If they are copied directly to a
+derivative ticket by a KDC that is not aware of this element, the signature
+will not be correct for the application ticket elements, and the field will
+be ignored by the application server.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+B.2. Intended for server
+
+AD-INTENDED-FOR-SERVER   SEQUENCE {
+         intended-server[0]     SEQUENCE OF PrincipalName
+         elements[1]            AuthorizationData
+}
+
+AD elements encapsulated within the intended-for-server element may be
+ignored if the application server is not in the list of principal names of
+intended servers. Further, a KDC issuing a ticket for an application server
+can remove this element if the application server is not in the list of
+intended servers.
+
+Application servers should check for their principal name in the
+intended-server field of this element. If their principal name is not found,
+this element should be ignored. If found, then the encapsulated elements
+should be evaluated in the same manner as if they were present in the top
+level authorization data field. Applications and application servers that do
+not implement this element should reject tickets that contain authorization
+data elements of this type.
+
+B.3. Intended for application class
+
+AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0]
+SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements
+encapsulated within the intended-for-application-class element may be
+ignored if the application server is not in one of the named classes of
+application servers. Examples of application server classes include
+"FILESYSTEM", and other kinds of servers.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+B.4. If relevant
+
+AD-IF-RELEVANT   AuthorizationData
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+AD elements encapsulated within the if-relevant element are intended for
+interpretation only by application servers that understand the particular
+ad-type of the embedded element. Application servers that do not understand
+the type of an element embedded within the if-relevant element may ignore
+the uninterpretable element. This element promotes interoperability across
+implementations which may have local extensions for authorization.
+
+B.5. And-Or
+
+AD-AND-OR           SEQUENCE {
+                        condition-count[0]    INTEGER,
+                        elements[1]           AuthorizationData
+}
+
+When restrictive AD elements encapsulated within the and-or element are
+encountered, only the number specified in condition-count of the
+encapsulated conditions must be met in order to satisfy this element. This
+element may be used to implement an "or" operation by setting the
+condition-count field to 1, and it may specify an "and" operation by setting
+the condition count to the number of embedded elements. Application servers
+that do not implement this element must reject tickets that contain
+authorization data elements of this type.
+
+B.6. Mandatory ticket extensions
+
+AD-Mandatory-Ticket-Extensions   Checksum
+
+An authorization data element of type mandatory-ticket-extensions specifies
+a collision-proof checksum using the same has angorithm used to protect the
+integrity of the ticket itself. This checksum will be calculated over the
+entire extensions field. If there are more than one extension, all will be
+covered by the checksum. This restriction indicates that the ticket should
+not be accepted if the checksum does not match that calculated over the
+ticket extensions. Application servers that do not implement this element
+must reject tickets that contain authorization data elements of this type.
+
+B.7. Authorization Data in ticket extensions
+
+AD-IN-Ticket-Extensions   Checksum
+
+An authorization data element of type in-ticket-extensions specifies a
+collision-proof checksum using the same has angorithm used to protect the
+integrity of the ticket itself. This checksum is calculated over a separate
+external AuthorizationData field carried in the ticket extensions.
+Application servers that do not implement this element must reject tickets
+that contain authorization data elements of this type. Application servers
+that do implement this element will search the ticket extensions for
+authorization data fields, calculate the specified checksum over each
+authorization data field and look for one matching the checksum in this
+in-ticket-extensions element. If not found, then the ticket must be
+rejected. If found, the corresponding authorization data elements will be
+interpreted in the same manner as if they were contained in the top level
+authorization data field.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+Note that if multiple external authorization data fields are present in a
+ticket, each will have a corresponding element of type in-ticket-extensions
+in the top level authorization data field, and the external entries will be
+linked to the corresponding element by their checksums.
+
+C. Definition of common ticket extensions
+
+This appendix contains the definitions of common ticket extensions. Support
+for these extensions is optional. However, certain extensions have
+associated authorization data elements that may require rejection of a
+ticket containing an extension by application servers that do not implement
+the particular extension. Other extensions have been defined beyond those
+described in this specification. Such extensions are described elswhere and
+for some of those extensions the reserved number may be found in the list of
+constants.
+
+It is known that older versions of Kerberos did not support this field, and
+that some clients will strip this field from a ticket when they parse and
+then reassemble a ticket as it is passed to the application servers. The
+presence of the extension will not break such clients, but any functionaly
+dependent on the extensions will not work when such tickets are handled by
+old clients. In such situations, some implementation may use alternate
+methods to transmit the information in the extensions field.
+
+C.1. Null ticket extension
+
+TE-NullExtension   OctetString -- The empty Octet String
+
+The te-data field in the null ticket extension is an octet string of lenght
+zero. This extension may be included in a ticket granting ticket so that the
+KDC can determine on presentation of the ticket granting ticket whether the
+client software will strip the extensions field.
+
+C.2. External Authorization Data
+
+TE-ExternalAuthorizationData   AuthorizationData
+
+The te-data field in the external authorization data ticket extension is
+field of type AuthorizationData containing one or more authorization data
+elements. If present, a corresponding authorization data element will be
+present in the primary authorization data for the ticket and that element
+will contain a checksum of the external authorization data ticket extension.
+----------------------------------------------------------------------------
+[TM] Project Athena, Athena, and Kerberos are trademarks of the
+Massachusetts Institute of Technology (MIT). No commercial use of these
+trademarks may be made without prior written permission of MIT.
+
+[1] Note, however, that many applications use Kerberos' functions only upon
+the initiation of a stream-based network connection. Unless an application
+subsequently provides integrity protection for the data stream, the identity
+verification applies only to the initiation of the connection, and does not
+guarantee that subsequent messages on the connection originate from the same
+principal.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+[2] Secret and private are often used interchangeably in the literature. In
+our usage, it takes two (or more) to share a secret, thus a shared DES key
+is a secret key. Something is only private when no one but its owner knows
+it. Thus, in public key cryptosystems, one has a public and a private key.
+
+[3] Of course, with appropriate permission the client could arrange
+registration of a separately-named prin- cipal in a remote realm, and engage
+in normal exchanges with that realm's services. However, for even small
+numbers of clients this becomes cumbersome, and more automatic methods as
+described here are necessary.
+
+[4] Though it is permissible to request or issue tick- ets with no network
+addresses specified.
+
+[5] The password-changing request must not be honored unless the requester
+can provide the old password (the user's current secret key). Otherwise, it
+would be possible for someone to walk up to an unattended ses- sion and
+change another user's password.
+
+[6] To authenticate a user logging on to a local system, the credentials
+obtained in the AS exchange may first be used in a TGS exchange to obtain
+credentials for a local server. Those credentials must then be verified by a
+local server through successful completion of the Client/Server exchange.
+
+[7] "Random" means that, among other things, it should be impossible to
+guess the next session key based on knowledge of past session keys. This can
+only be achieved in a pseudo-random number generator if it is based on
+cryptographic principles. It is more desirable to use a truly random number
+generator, such as one based on measurements of random physical phenomena.
+
+[8] Tickets contain both an encrypted and unencrypted portion, so cleartext
+here refers to the entire unit, which can be copied from one message and
+replayed in another without any cryptographic skill.
+
+[9] Note that this can make applications based on unreliable transports
+difficult to code correctly. If the transport might deliver duplicated
+messages, either a new authenticator must be generated for each retry, or
+the application server must match requests and replies and replay the first
+reply in response to a detected duplicate.
+
+[10] This is used for user-to-user authentication as described in [8].
+
+[11] Note that the rejection here is restricted to authenticators from the
+same principal to the same server. Other client principals communicating
+with the same server principal should not be have their authenticators
+rejected if the time and microsecond fields happen to match some other
+client's authenticator.
+
+[12] In the Kerberos version 4 protocol, the timestamp in the reply was the
+client's timestamp plus one. This is not necessary in version 5 because
+version 5 messages are formatted in such a way that it is not possible to
+create the reply by judicious message surgery (even in encrypted form)
+without knowledge of the appropriate encryption keys.
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+
+[13] Note that for encrypting the KRB_AP_REP message, the sub-session key is
+not used, even if present in the Authenticator.
+
+[14] Implementations of the protocol may wish to provide routines to choose
+subkeys based on session keys and random numbers and to generate a
+negotiated key to be returned in the KRB_AP_REP message.
+
+[15]This can be accomplished in several ways. It might be known beforehand
+(since the realm is part of the principal identifier), it might be stored in
+a nameserver, or it might be obtained from a configura- tion file. If the
+realm to be used is obtained from a nameserver, there is a danger of being
+spoofed if the nameservice providing the realm name is not authenti- cated.
+This might result in the use of a realm which has been compromised, and
+would result in an attacker's ability to compromise the authentication of
+the application server to the client.
+
+[16] If the client selects a sub-session key, care must be taken to ensure
+the randomness of the selected sub- session key. One approach would be to
+generate a random number and XOR it with the session key from the
+ticket-granting ticket.
+
+[17] This allows easy implementation of user-to-user authentication [8],
+which uses ticket-granting ticket session keys in lieu of secret server keys
+in situa- tions where such secret keys could be easily comprom- ised.
+
+[18] For the purpose of appending, the realm preceding the first listed
+realm is considered to be the null realm ("").
+
+[19] For the purpose of interpreting null subfields, the client's realm is
+considered to precede those in the transited field, and the server's realm
+is considered to follow them.
+
+[20] This means that a client and server running on the same host and
+communicating with one another using the KRB_SAFE messages should not share
+a common replay cache to detect KRB_SAFE replays.
+
+[21] The implementation of the Kerberos server need not combine the database
+and the server on the same machine; it is feasible to store the principal
+database in, say, a network name service, as long as the entries stored
+therein are protected from disclosure to and modification by unauthorized
+parties. However, we recommend against such strategies, as they can make
+system management and threat analysis quite complex.
+
+[22] See the discussion of the padata field in section 5.4.2 for details on
+why this can be useful.
+
+[23] Warning for implementations that unpack and repack data structures
+during the generation and verification of embedded checksums: Because any
+checksums applied to data structures must be checked against the original
+data the length of bit strings must be preserved within a data structure
+between the time that a checksum is generated through transmission to the
+time that the checksum is verified.
+
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+[24] It is NOT recommended that this time value be used to adjust the
+workstation's clock since the workstation cannot reliably determine that
+such a KRB_AS_REP actually came from the proper KDC in a timely manner.
+
+[25] Note, however, that if the time is used as the nonce, one must make
+sure that the workstation time is monotonically increasing. If the time is
+ever reset backwards, there is a small, but finite, probability that a nonce
+will be reused.
+
+[27] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[29] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[31] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[32] If supported by the encryption method in use, an initialization vector
+may be passed to the encryption procedure, in order to achieve proper cipher
+chaining. The initialization vector might come from the last block of the
+ciphertext from the previous KRB_PRIV message, but it is the application's
+choice whether or not to use such an initialization vector. If left out, the
+default initialization vector for the encryption algorithm will be used.
+
+[33] This prevents an attacker who generates an incorrect AS request from
+obtaining verifiable plaintext for use in an off-line password guessing
+attack.
+
+[35] In the above specification, UNTAGGED OCTET STRING(length) is the
+notation for an octet string with its tag and length removed. It is not a
+valid ASN.1 type. The tag bits and length must be removed from the
+confounder since the purpose of the confounder is so that the message starts
+with random data, but the tag and its length are fixed. For other fields,
+the length and tag would be redundant if they were included because they are
+specified by the encryption type. [36] The ordering of the fields in the
+CipherText is important. Additionally, messages encoded in this format must
+include a length as part of the msg-seq field. This allows the recipient to
+verify that the message has not been truncated. Without a length, an
+attacker could use a chosen plaintext attack to generate a message which
+could be truncated, while leaving the checksum intact. Note that if the
+msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length
+is part of that encoding.
+
+[37] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[38] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[39] A variant of the key is used to limit the use of a key to a particular
+function, separating the functions of generating a checksum from other
+encryption performed using the session key. The constant F0F0F0F0F0F0F0F0
+was chosen because it maintains key parity. The properties of DES precluded
+
+
+draft-ietf-cat-kerberos-r-01                        Expires 21 May 1998
+
+the use of the complement. The same constant is used for similar purpose in
+the Message Integrity Check in the Privacy Enhanced Mail standard.
+
+[40] This error carries additional information in the e- data field. The
+contents of the e-data field for this message is described in section 5.9.1.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt
new file mode 100644
index 0000000..06d997d
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-03.txt
@@ -0,0 +1,6766 @@
+
+
+
+INTERNET-DRAFT                                          Clifford Neuman
+                                                              John Kohl
+                                                          Theodore Ts'o
+                                                    November 18th, 1998
+
+The Kerberos Network Authentication Service (V5)
+
+STATUS OF THIS MEMO
+
+This document is an Internet-Draft. Internet-Drafts are working documents
+of the Internet Engineering Task Force (IETF), its areas, and its working
+groups. Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It
+is inappropriate to use Internet-Drafts as reference material or to cite
+them other than as 'work in progress.'
+
+To learn the current status of any Internet-Draft, please check the
+'1id-abstracts.txt' listing contained in the Internet-Drafts Shadow
+Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
+ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
+
+The distribution of this memo is unlimited. It is filed as
+draft-ietf-cat-kerberos-revisions-03.txt, and expires May 18th, 1999. 
+Please send comments to: krb-protocol@MIT.EDU
+
+ABSTRACT
+
+This document provides an overview and specification of Version 5 of the
+Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
+and its intended use that require more detailed or clearer explanation than
+was provided in RFC1510. This document is intended to provide a detailed
+description of the protocol, suitable for implementation, together with
+descriptions of the appropriate use of protocol messages and fields within
+those messages.
+
+This document is not intended to describe Kerberos to the end user, system
+administrator, or application developer. Higher level papers describing
+Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
+are available elsewhere.
+
+OVERVIEW
+
+This INTERNET-DRAFT describes the concepts and model upon which the
+Kerberos network authentication system is based. It also specifies Version
+5 of the Kerberos protocol.
+
+The motivations, goals, assumptions, and rationale behind most design
+decisions are treated cursorily; they are more fully described in a paper
+available in IEEE communications [NT94] and earlier in the Kerberos portion
+of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
+standard and are being considered for advancement for draft standard
+through the IETF standard process. Comments are encouraged on the
+presentation, but only minor refinements to the protocol as implemented or
+extensions that fit within current protocol framework will be considered at
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+this time.
+
+Requests for addition to an electronic mailing list for discussion of
+Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
+This mailing list is gatewayed onto the Usenet as the group
+comp.protocols.kerberos. Requests for further information, including
+documents and code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+The Kerberos model is based in part on Needham and Schroeder's trusted
+third-party authentication protocol [NS78] and on modifications suggested
+by Denning and Sacco [DS81]. The original design and implementation of
+Kerberos Versions 1 through 4 was the work of two former Project Athena
+staff members, Steve Miller of Digital Equipment Corporation and Clifford
+Neuman (now at the Information Sciences Institute of the University of
+Southern California), along with Jerome Saltzer, Technical Director of
+Project Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many
+other members of Project Athena have also contributed to the work on
+Kerberos.
+
+Version 5 of the Kerberos protocol (described in this document) has evolved
+from Version 4 based on new requirements and desires for features not
+available in Version 4. The design of Version 5 of the Kerberos protocol
+was led by Clifford Neuman and John Kohl with much input from the
+community. The development of the MIT reference implementation was led at
+MIT by John Kohl and Theodore T'so, with help and contributed code from
+many others. Since RFC1510 was issued, extensions and revisions to the
+protocol have been proposed by many individuals. Some of these proposals
+are reflected in this document. Where such changes involved significant
+effort, the document cites the contribution of the proposer.
+
+Reference implementations of both version 4 and version 5 of Kerberos are
+publicly available and commercial implementations have been developed and
+are widely used. Details on the differences between Kerberos Versions 4 and
+5 can be found in [KNT92].
+
+1. Introduction
+
+Kerberos provides a means of verifying the identities of principals, (e.g.
+a workstation user or a network server) on an open (unprotected) network.
+This is accomplished without relying on assertions by the host operating
+system, without basing trust on host addresses, without requiring physical
+security of all the hosts on the network, and under the assumption that
+packets traveling along the network can be read, modified, and inserted at
+will[1]. Kerberos performs authentication under these conditions as a
+trusted third-party authentication service by using conventional (shared
+secret key [2] cryptography. Kerberos extensions have been proposed and
+implemented that provide for the use of public key cryptography during
+certain phases of the authentication protocol. These extensions provide for
+authentication of users registered with public key certification
+authorities, and allow the system to provide certain benefits of public key
+cryptography in situations where they are needed.
+
+The basic Kerberos authentication process proceeds as follows: A client
+sends a request to the authentication server (AS) requesting 'credentials'
+for a given server. The AS responds with these credentials, encrypted in
+the client's key. The credentials consist of 1) a 'ticket' for the server
+and 2) a temporary encryption key (often called a "session key"). The
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+client transmits the ticket (which contains the client's identity and a
+copy of the session key, all encrypted in the server's key) to the server.
+The session key (now shared by the client and server) is used to
+authenticate the client, and may optionally be used to authenticate the
+server. It may also be used to encrypt further communication between the
+two parties or to exchange a separate sub-session key to be used to encrypt
+further communication.
+
+Implementation of the basic protocol consists of one or more authentication
+servers running on physically secure hosts. The authentication servers
+maintain a database of principals (i.e., users and servers) and their
+secret keys. Code libraries provide encryption and implement the Kerberos
+protocol. In order to add authentication to its transactions, a typical
+network application adds one or two calls to the Kerberos library directly
+or through the Generic Security Services Application Programming Interface,
+GSSAPI, described in separate document. These calls result in the
+transmission of the necessary messages to achieve authentication.
+
+The Kerberos protocol consists of several sub-protocols (or exchanges).
+There are two basic methods by which a client can ask a Kerberos server for
+credentials. In the first approach, the client sends a cleartext request
+for a ticket for the desired server to the AS. The reply is sent encrypted
+in the client's secret key. Usually this request is for a ticket-granting
+ticket (TGT) which can later be used with the ticket-granting server (TGS).
+In the second method, the client sends a request to the TGS. The client
+uses the TGT to authenticate itself to the TGS in the same manner as if it
+were contacting any other application server that requires Kerberos
+authentication. The reply is encrypted in the session key from the TGT.
+Though the protocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different protocol entry
+points within a single Kerberos server.
+
+Once obtained, credentials may be used to verify the identity of the
+principals in a transaction, to ensure the integrity of messages exchanged
+between them, or to preserve privacy of the messages. The application is
+free to choose whatever protection may be necessary.
+
+To verify the identities of the principals in a transaction, the client
+transmits the ticket to the application server. Since the ticket is sent
+"in the clear" (parts of it are encrypted, but this encryption doesn't
+thwart replay) and might be intercepted and reused by an attacker,
+additional information is sent to prove that the message originated with
+the principal to whom the ticket was issued. This information (called the
+authenticator) is encrypted in the session key, and includes a timestamp.
+The timestamp proves that the message was recently generated and is not a
+replay. Encrypting the authenticator in the session key proves that it was
+generated by a party possessing the session key. Since no one except the
+requesting principal and the server know the session key (it is never sent
+over the network in the clear) this guarantees the identity of the client.
+
+The integrity of the messages exchanged between principals can also be
+guaranteed using the session key (passed in the ticket and contained in the
+credentials). This approach provides detection of both replay attacks and
+message stream modification attacks. It is accomplished by generating and
+transmitting a collision-proof checksum (elsewhere called a hash or digest
+function) of the client's message, keyed with the session key. Privacy and
+integrity of the messages exchanged between principals can be secured by
+encrypting the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+The authentication exchanges mentioned above require read-only access to
+the Kerberos database. Sometimes, however, the entries in the database must
+be modified, such as when adding new principals or changing a principal's
+key. This is done using a protocol between a client and a third Kerberos
+server, the Kerberos Administration Server (KADM). There is also a protocol
+for maintaining multiple copies of the Kerberos database. Neither of these
+protocols are described in this document.
+
+1.1. Cross-Realm Operation
+
+The Kerberos protocol is designed to operate across organizational
+boundaries. A client in one organization can be authenticated to a server
+in another. Each organization wishing to run a Kerberos server establishes
+its own 'realm'. The name of the realm in which a client is registered is
+part of the client's name, and can be used by the end-service to decide
+whether to honor a request.
+
+By establishing 'inter-realm' keys, the administrators of two realms can
+allow a client authenticated in the local realm to prove its identity to
+servers in other realms[3]. The exchange of inter-realm keys (a separate
+key may be used for each direction) registers the ticket-granting service
+of each realm as a principal in the other realm. A client is then able to
+obtain a ticket-granting ticket for the remote realm's ticket-granting
+service from its local realm. When that ticket-granting ticket is used, the
+remote ticket-granting service uses the inter-realm key (which usually
+differs from its own normal TGS key) to decrypt the ticket-granting ticket,
+and is thus certain that it was issued by the client's own TGS. Tickets
+issued by the remote ticket-granting service will indicate to the
+end-service that the client was authenticated from another realm.
+
+A realm is said to communicate with another realm if the two realms share
+an inter-realm key, or if the local realm shares an inter-realm key with an
+intermediate realm that communicates with the remote realm. An
+authentication path is the sequence of intermediate realms that are
+transited in communicating from one realm to another.
+
+Realms are typically organized hierarchically. Each realm shares a key with
+its parent and a different key with each child. If an inter-realm key is
+not directly shared by two realms, the hierarchical organization allows an
+authentication path to be easily constructed. If a hierarchical
+organization is not used, it may be necessary to consult a database in
+order to construct an authentication path between realms.
+
+Although realms are typically hierarchical, intermediate realms may be
+bypassed to achieve cross-realm authentication through alternate
+authentication paths (these might be established to make communication
+between two realms more efficient). It is important for the end-service to
+know which realms were transited when deciding how much faith to place in
+the authentication process. To facilitate this decision, a field in each
+ticket contains the names of the realms that were involved in
+authenticating the client.
+
+The application server is ultimately responsible for accepting or rejecting
+authentication and should check the transited field. The application server
+may choose to rely on the KDC for the application server's realm to check
+the transited field. The application server's KDC will set the
+TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
+realms may also check the transited field as they issue
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+ticket-granting-tickets for other realms, but they are encouraged not to do
+so. A client may request that the KDC's not check the transited field by
+setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
+required to honor this flag.
+
+1.2. Authorization
+
+As an authentication service, Kerberos provides a means of verifying the
+identity of principals on a network. Authentication is usually useful
+primarily as a first step in the process of authorization, determining
+whether a client may use a service, which objects the client is allowed to
+access, and the type of access allowed for each. Kerberos does not, by
+itself, provide authorization. Possession of a client ticket for a service
+provides only for authentication of the client to that service, and in the
+absence of a separate authorization procedure, it should not be considered
+by an application as authorizing the use of that service.
+
+Such separate authorization methods may be implemented as application
+specific access control functions and may be based on files such as the
+application server, or on separately issued authorization credentials such
+as those based on proxies [Neu93] , or on other authorization services.
+
+Applications should not be modified to accept the issuance of a service
+ticket by the Kerberos server (even by an modified Kerberos server) as
+granting authority to use the service, since such applications may become
+vulnerable to the bypass of this authorization check in an environment if
+they interoperate with other KDCs or where other options for application
+authentication (e.g. the PKTAPP proposal) are provided.
+
+1.3. Environmental assumptions
+
+Kerberos imposes a few assumptions on the environment in which it can
+properly function:
+
+   * 'Denial of service' attacks are not solved with Kerberos. There are
+     places in these protocols where an intruder can prevent an application
+     from participating in the proper authentication steps. Detection and
+     solution of such attacks (some of which can appear to be nnot-uncommon
+     'normal' failure modes for the system) is usually best left to the
+     human administrators and users.
+   * Principals must keep their secret keys secret. If an intruder somehow
+     steals a principal's key, it will be able to masquerade as that
+     principal or impersonate any server to the legitimate principal.
+   * 'Password guessing' attacks are not solved by Kerberos. If a user
+     chooses a poor password, it is possible for an attacker to
+     successfully mount an offline dictionary attack by repeatedly
+     attempting to decrypt, with successive entries from a dictionary,
+     messages obtained which are encrypted under a key derived from the
+     user's password.
+   * Each host on the network must have a clock which is 'loosely
+     synchronized' to the time of the other hosts; this synchronization is
+     used to reduce the bookkeeping needs of application servers when they
+     do replay detection. The degree of "looseness" can be configured on a
+     per-server basis, but is typically on the order of 5 minutes. If the
+     clocks are synchronized over the network, the clock synchronization
+     protocol must itself be secured from network attackers.
+   * Principal identifiers are not recycled on a short-term basis. A
+     typical mode of access control will use access control lists (ACLs) to
+     grant permissions to particular principals. If a stale ACL entry
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     remains for a deleted principal and the principal identifier is
+     reused, the new principal will inherit rights specified in the stale
+     ACL entry. By not re-using principal identifiers, the danger of
+     inadvertent access is removed.
+
+1.4. Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+Authentication
+     Verifying the claimed identity of a principal.
+Authentication header
+     A record containing a Ticket and an Authenticator to be presented to a
+     server as part of the authentication process.
+Authentication path
+     A sequence of intermediate realms transited in the authentication
+     process when communicating from one realm to another.
+Authenticator
+     A record containing information that can be shown to have been
+     recently generated using the session key known only by the client and
+     server.
+Authorization
+     The process of determining whether a client may use a service, which
+     objects the client is allowed to access, and the type of access
+     allowed for each.
+Capability
+     A token that grants the bearer permission to access an object or
+     service. In Kerberos, this might be a ticket whose use is restricted
+     by the contents of the authorization data field, but which lists no
+     network addresses, together with the session key necessary to use the
+     ticket.
+Ciphertext
+     The output of an encryption function. Encryption transforms plaintext
+     into ciphertext.
+Client
+     A process that makes use of a network service on behalf of a user.
+     Note that in some cases a Server may itself be a client of some other
+     server (e.g. a print server may be a client of a file server).
+Credentials
+     A ticket plus the secret session key necessary to successfully use
+     that ticket in an authentication exchange.
+KDC
+     Key Distribution Center, a network service that supplies tickets and
+     temporary session keys; or an instance of that service or the host on
+     which it runs. The KDC services both initial ticket and
+     ticket-granting ticket requests. The initial ticket portion is
+     sometimes referred to as the Authentication Server (or service). The
+     ticket-granting ticket portion is sometimes referred to as the
+     ticket-granting server (or service).
+Kerberos
+     Aside from the 3-headed dog guarding Hades, the name given to Project
+     Athena's authentication service, the protocol used by that service, or
+     the code used to implement the authentication service.
+Plaintext
+     The input to an encryption function or the output of a decryption
+     function. Decryption transforms ciphertext into plaintext.
+Principal
+     A uniquely named client or server instance that participates in a
+     network communication.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+Principal identifier
+     The name used to uniquely identify each different principal.
+Seal
+     To encipher a record containing several fields in such a way that the
+     fields cannot be individually replaced without either knowledge of the
+     encryption key or leaving evidence of tampering.
+Secret key
+     An encryption key shared by a principal and the KDC, distributed
+     outside the bounds of the system, with a long lifetime. In the case of
+     a human user's principal, the secret key is derived from a password.
+Server
+     A particular Principal which provides a resource to network clients.
+     The server is sometimes refered to as the Application Server.
+Service
+     A resource provided to network clients; often provided by more than
+     one server (for example, remote file service).
+Session key
+     A temporary encryption key used between two principals, with a
+     lifetime limited to the duration of a single login "session".
+Sub-session key
+     A temporary encryption key used between two principals, selected and
+     exchanged by the principals using the session key, and with a lifetime
+     limited to the duration of a single association.
+Ticket
+     A record that helps a client authenticate itself to a server; it
+     contains the client's identity, a session key, a timestamp, and other
+     information, all sealed using the server's secret key. It only serves
+     to authenticate a client when presented along with a fresh
+     Authenticator.
+
+2. Ticket flag uses and requests
+
+Each Kerberos ticket contains a set of flags which are used to indicate
+various attributes of that ticket. Most flags may be requested by a client
+when the ticket is obtained; some are automatically turned on and off by a
+Kerberos server as required. The following sections explain what the
+various flags mean, and gives examples of reasons to use such a flag.
+
+2.1. Initial and pre-authenticated tickets
+
+The INITIAL flag indicates that a ticket was issued using the AS protocol
+and not issued based on a ticket-granting ticket. Application servers that
+want to require the demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be set in any tickets
+they accept, and thus be assured that the client's key was recently
+presented to the application client.
+
+The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
+initial authentication, regardless of whether the current ticket was issued
+directly (in which case INITIAL will also be set) or issued on the basis of
+a ticket-granting ticket (in which case the INITIAL flag is clear, but the
+PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ticket-granting ticket).
+
+2.2. Invalid tickets
+
+The INVALID flag indicates that a ticket is invalid. Application servers
+must reject tickets which have this flag set. A postdated ticket will
+usually be issued in this form. Invalid tickets must be validated by the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+KDC before use, by presenting them to the KDC in a TGS request with the
+VALIDATE option specified. The KDC will only validate tickets after their
+starttime has passed. The validation is required so that postdated tickets
+which have been stolen before their starttime can be rendered permanently
+invalid (through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3. Renewable tickets
+
+Applications may desire to hold tickets which can be valid for long periods
+of time. However, this can expose their credentials to potential theft for
+equally long periods, and those stolen credentials would be valid until the
+expiration time of the ticket(s). Simply using short-lived tickets and
+obtaining new ones periodically would require the client to have long-term
+access to its secret key, an even greater risk. Renewable tickets can be
+used to mitigate the consequences of theft. Renewable tickets have two
+"expiration times": the first is when the current instance of the ticket
+expires, and the second is the latest permissible value for an individual
+expiration time. An application client must periodically (i.e. before it
+expires) present a renewable ticket to the KDC, with the RENEW option set
+in the KDC request. The KDC will issue a new ticket with a new session key
+and a later expiration time. All other fields of the ticket are left
+unmodified by the renewal process. When the latest permissible expiration
+time arrives, the ticket expires permanently. At each renewal, the KDC may
+consult a hot-list to determine if the ticket had been reported stolen
+since its last renewal; it will refuse to renew such stolen tickets, and
+thus the usable lifetime of stolen tickets is reduced.
+
+The RENEWABLE flag in a ticket is normally only interpreted by the
+ticket-granting service (discussed below in section 3.3). It can usually be
+ignored by application servers. However, some particularly careful
+application servers may wish to disallow renewable tickets.
+
+If a renewable ticket is not renewed by its expiration time, the KDC will
+not renew the ticket. The RENEWABLE flag is reset by default, but a client
+may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
+message. If it is set, then the renew-till field in the ticket contains the
+time after which the ticket may not be renewed.
+
+2.4. Postdated tickets
+
+Applications may occasionally need to obtain tickets for use much later,
+e.g. a batch submission system would need tickets to be valid at the time
+the batch job is serviced. However, it is dangerous to hold valid tickets
+in a batch queue, since they will be on-line longer and more prone to
+theft. Postdated tickets provide a way to obtain these tickets from the KDC
+at job submission time, but to leave them "dormant" until they are
+activated and validated by a further request of the KDC. If a ticket theft
+were reported in the interim, the KDC would refuse to validate the ticket,
+and the thief would be foiled.
+
+The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. This
+flag must be set in a ticket-granting ticket in order to issue a postdated
+ticket based on the presented ticket. It is reset by default; it may be
+requested by a client by setting the ALLOW-POSTDATE option in the
+KRB_AS_REQ message. This flag does not allow a client to obtain a postdated
+ticket-granting ticket; postdated ticket-granting tickets can only by
+obtained by requesting the postdating in the KRB_AS_REQ message. The life
+(endtime-starttime) of a postdated ticket will be the remaining life of the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+ticket-granting ticket at the time of the request, unless the RENEWABLE
+option is also set, in which case it can be the full life
+(endtime-starttime) of the ticket-granting ticket. The KDC may limit how
+far in the future a ticket may be postdated.
+
+The POSTDATED flag indicates that a ticket has been postdated. The
+application server can check the authtime field in the ticket to see when
+the original authentication occurred. Some services may choose to reject
+postdated tickets, or they may only accept them within a certain period
+after the original authentication. When the KDC issues a POSTDATED ticket,
+it will also be marked as INVALID, so that the application client must
+present the ticket to the KDC to be validated before use.
+
+2.5. Proxiable and proxy tickets
+
+At times it may be necessary for a principal to allow a service to perform
+an operation on its behalf. The service must be able to take on the
+identity of the client, but only for a particular purpose. A principal can
+allow a service to take on the principal's identity for a particular
+purpose by granting it a proxy.
+
+The process of granting a proxy using the proxy and proxiable flags is used
+to provide credentials for use with specific services. Though conceptually
+also a proxy, user's wishing to delegate their identity for ANY purpose
+must use the ticket forwarding mechanism described in the next section to
+forward a ticket granting ticket.
+
+The PROXIABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. When
+set, this flag tells the ticket-granting server that it is OK to issue a
+new ticket (but not a ticket-granting ticket) with a different network
+address based on this ticket. This flag is set if requested by the client
+on initial authentication. By default, the client will request that it be
+set when requesting a ticket granting ticket, and reset when requesting any
+other ticket.
+
+This flag allows a client to pass a proxy to a server to perform a remote
+request on its behalf, e.g. a print service client can give the print
+server a proxy to access the client's files on a particular file server in
+order to satisfy a print request.
+
+In order to complicate the use of stolen credentials, Kerberos tickets are
+usually valid from only those network addresses specifically included in
+the ticket[4]. When granting a proxy, the client must specify the new
+network address from which the proxy is to be used, or indicate that the
+proxy is to be issued for use from any address.
+
+The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
+Application servers may check this flag and at their option they may
+require additional authentication from the agent presenting the proxy in
+order to provide an audit trail.
+
+2.6. Forwardable tickets
+
+Authentication forwarding is an instance of a proxy where the service is
+granted complete use of the client's identity. An example where it might be
+used is when a user logs in to a remote system and wants authentication to
+work from that system as if the login were local.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+The FORWARDABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. The
+FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
+flag, except ticket-granting tickets may also be issued with different
+network addresses. This flag is reset by default, but users may request
+that it be set by setting the FORWARDABLE option in the AS request when
+they request their initial ticket- granting ticket.
+
+This flag allows for authentication forwarding without requiring the user
+to enter a password again. If the flag is not set, then authentication
+forwarding is not permitted, but the same result can still be achieved if
+the user engages in the AS exchange specifying the requested network
+addresses and supplies a password.
+
+The FORWARDED flag is set by the TGS when a client presents a ticket with
+the FORWARDABLE flag set and requests a forwarded ticket by specifying the
+FORWARDED KDC option and supplying a set of addresses for the new ticket.
+It is also set in all tickets issued based on tickets with the FORWARDED
+flag set. Application servers may choose to process FORWARDED tickets
+differently than non-FORWARDED tickets.
+
+2.7. Other KDC options
+
+There are two additional options which may be set in a client's request of
+the KDC. The RENEWABLE-OK option indicates that the client will accept a
+renewable ticket if a ticket with the requested life cannot otherwise be
+provided. If a ticket with the requested life cannot be provided, then the
+KDC may issue a renewable ticket with a renew-till equal to the the
+requested endtime. The value of the renew-till field may still be adjusted
+by site-determined limits or limits imposed by the individual principal or
+server.
+
+The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
+It indicates that the ticket to be issued for the end server is to be
+encrypted in the session key from the a additional second ticket-granting
+ticket provided with the request. See section 3.3.3 for specific details.
+
+3. Message Exchanges
+
+The following sections describe the interactions between network clients
+and servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+The Authentication Service (AS) Exchange between the client and the
+Kerberos Authentication Server is initiated by a client when it wishes to
+obtain authentication credentials for a given server but currently holds no
+credentials. In its basic form, the client's secret key is used for
+encryption and decryption. This exchange is typically used at the
+initiation of a login session to obtain credentials for a Ticket-Granting
+Server which will subsequently be used to obtain credentials for other
+servers (see section 3.3) without requiring further use of the client's
+secret key. This exchange is also used to request credentials for services
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+which must not be mediated through the Ticket-Granting Service, but rather
+require a principal's secret key, such as the password-changing service[5].
+This exchange does not by itself provide any assurance of the the identity
+of the user[6].
+
+The exchange consists of two messages: KRB_AS_REQ from the client to
+Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+In the request, the client sends (in cleartext) its own identity and the
+identity of the server for which it is requesting credentials. The
+response, KRB_AS_REP, contains a ticket for the client to present to the
+server, and a session key that will be shared by the client and the server.
+The session key and additional information are encrypted in the client's
+secret key. The KRB_AS_REP message contains information which can be used
+to detect replays, and to associate it with the message to which it
+replies. Various errors can occur; these are indicated by an error response
+(KRB_ERROR) instead of the KRB_AS_REP response. The error message is not
+encrypted. The KRB_ERROR message contains information which can be used to
+associate it with the message to which it replies. The lack of encryption
+in the KRB_ERROR message precludes the ability to detect replays,
+fabrications, or modifications of such messages.
+
+Without preautentication, the authentication server does not know whether
+the client is actually the principal named in the request. It simply sends
+a reply without knowing or caring whether they are the same. This is
+acceptable because nobody but the principal whose identity was given in the
+request will be able to use the reply. Its critical information is
+encrypted in that principal's key. The initial request supports an optional
+field that can be used to pass additional information that might be needed
+for the initial exchange. This field may be used for preauthentication as
+described in section [hl<>].
+
+3.1.1. Generation of KRB_AS_REQ message
+
+The client may specify a number of options in the initial request. Among
+these options are whether pre-authentication is to be performed; whether
+the requested ticket is to be renewable, proxiable, or forwardable; whether
+it should be postdated or allow postdating of derivative tickets; and
+whether a renewable ticket will be accepted in lieu of a non-renewable
+ticket if the requested ticket expiration date cannot be satisfied by a
+non-renewable ticket (due to configuration constraints; see section 4). See
+section A.1 for pseudocode.
+
+The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+If all goes well, processing the KRB_AS_REQ message will result in the
+creation of a ticket for the client to present to the server. The format
+for the ticket is described in section 5.3.1. The contents of the ticket
+are determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+The authentication server looks up the client and server principals named
+in the KRB_AS_REQ in its database, extracting their respective keys. If
+required, the server pre-authenticates the request, and if the
+pre-authentication check fails, an error message with the code
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
+requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
+is returned. Otherwise it generates a 'random' session key[7].
+
+If there are multiple encryption keys registered for a client in the
+Kerberos database (or if the key registered supports multiple encryption
+types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
+request is used by the KDC to select the encryption method to be used for
+encrypting the response to the client. If there is more than one supported,
+strong encryption type in the etype list, the first valid etype for which
+an encryption key is available is used. The encryption method used to
+respond to a TGS request is taken from the keytype of the session key found
+in the ticket granting ticket.
+
+When the etype field is present in a KDC request, whether an AS or TGS
+request, the KDC will attempt to assign the type of the random session key
+from the list of methods in the etype field. The KDC will select the
+appropriate type using the list of methods provided together with
+information from the Kerberos database indicating acceptable encryption
+methods for the application server. The KDC will not issue tickets with a
+weak session key encryption type.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified then the error KDC_ERR_CANNOT_POSTDATE is returned.
+Otherwise the requested start time is checked against the policy of the
+local realm (the administrator might decide to prohibit certain types or
+ranges of postdated tickets), and if acceptable, the ticket's start time is
+set as requested and the INVALID flag is set in the new ticket. The
+postdated ticket must be validated before use by presenting it to the KDC
+after the start time has been reached.
+
+The expiration time of the ticket will be set to the minimum of the
+following:
+
+   * The expiration time (endtime) requested in the KRB_AS_REQ message.
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the client principal (the authentication server's database
+     includes a maximum ticket lifetime field in each principal's record;
+     see section 4).
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the server principal.
+   * The ticket's start time plus the maximum lifetime set by the policy of
+     the local realm.
+
+If the requested expiration time minus the start time (as determined above)
+is less than a site-determined minimum lifetime, an error message with code
+KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
+ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
+option was requested, then the 'RENEWABLE' flag is set in the new ticket,
+and the renew-till value is set as if the 'RENEWABLE' option were requested
+(the field and option names are described fully in section 5.4.1).
+
+If the RENEWABLE option has been requested or if the RENEWABLE-OK option
+has been set and a renewable ticket is to be issued, then the renew-till
+field is set to the minimum of:
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+   * Its requested value.
+   * The start time of the ticket plus the minimum of the two maximum
+     renewable lifetimes associated with the principals' database entries.
+   * The start time of the ticket plus the maximum renewable lifetime set
+     by the policy of the local realm.
+
+The flags field of the new ticket will have the following options set if
+they have been requested and if the policy of the local realm allows:
+FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
+ticket is post-dated (the start time is in the future), its INVALID flag
+will also be set.
+
+If all of the above succeed, the server formats a KRB_AS_REP message (see
+section 5.4.2), copying the addresses in the request into the caddr of the
+response, placing any required pre-authentication data into the padata of
+the response, and encrypts the ciphertext part in the client's key using
+the requested encryption method, and sends it to the client. See section
+A.2 for pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+Several errors can occur, and the Authentication Server responds by
+returning an error message, KRB_ERROR, to the client, with the error-code
+and e-text fields set to appropriate values. The error message contents and
+details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+If the reply message type is KRB_AS_REP, then the client verifies that the
+cname and crealm fields in the cleartext portion of the reply match what it
+requested. If any padata fields are present, they may be used to derive the
+proper secret key to decrypt the message. The client decrypts the encrypted
+part of the response using its secret key, verifies that the nonce in the
+encrypted part matches the nonce it supplied in its request (to detect
+replays). It also verifies that the sname and srealm in the response match
+those in the request (or are otherwise expected values), and that the host
+address field is also correct. It then stores the ticket, session key,
+start and expiration times, and other information for later use. The
+key-expiration field from the encrypted part of the response may be checked
+to notify the user of impending key expiration (the client program could
+then suggest remedial action, such as a password change). See section A.3
+for pseudocode.
+
+Proper decryption of the KRB_AS_REP message is not sufficient to verify the
+identity of the user; the user and an attacker could cooperate to generate
+a KRB_AS_REP format message which decrypts properly but is not from the
+proper KDC. If the host wishes to verify the identity of the user, it must
+require the user to present application credentials which can be verified
+using a securely-stored secret key for the host. If those credentials can
+be verified, then the identity of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+If the reply message type is KRB_ERROR, then the client interprets it as an
+error and performs whatever application-specific tasks are necessary to
+recover.
+
+3.2. The Client/Server Authentication Exchange
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+The client/server authentication (CS) exchange is used by network
+applications to authenticate the client to the server and vice versa. The
+client must have already acquired credentials for the server using the AS
+or TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+The KRB_AP_REQ contains authentication information which should be part of
+the first message in an authenticated transaction. It contains a ticket, an
+authenticator, and some additional bookkeeping information (see section
+5.5.1 for the exact format). The ticket by itself is insufficient to
+authenticate a client, since tickets are passed across the network in
+cleartext[DS90], so the authenticator is used to prevent invalid replay of
+tickets by proving to the server that the client knows the session key of
+the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message
+is referred to elsewhere as the 'authentication header.'
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+When a client wishes to initiate authentication to a server, it obtains
+(either through a credentials cache, the AS exchange, or the TGS exchange)
+a ticket and session key for the desired service. The client may re-use any
+tickets it holds until they expire. To use a ticket the client constructs a
+new Authenticator from the the system time, its name, and optionally an
+application specific checksum, an initial sequence number to be used in
+KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
+negotiations for a session key unique to this particular session.
+Authenticators may not be re-used and will be rejected if replayed to a
+server[LGDSR87]. If a sequence number is to be included, it should be
+randomly chosen so that even after many messages have been exchanged it is
+not likely to collide with other sequence numbers in use.
+
+The client may indicate a requirement of mutual authentication or the use
+of a session-key based ticket by setting the appropriate flag(s) in the
+ap-options field of the message.
+
+The Authenticator is encrypted in the session key and combined with the
+ticket to form the KRB_AP_REQ message which is then sent to the end server
+along with any additional application-specific information. See section A.9
+for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+Authentication is based on the server's current time of day (clocks must be
+loosely synchronized), the authenticator, and the ticket. Several errors
+are possible. If an error occurs, the server is expected to reply to the
+client with a KRB_ERROR message. This message may be encapsulated in the
+application protocol if its 'raw' form is not acceptable to the protocol.
+The format of error messages is described in section 5.9.1.
+
+The algorithm for verifying authentication information is as follows. If
+the message type is not KRB_AP_REQ, the server returns the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket in
+the KRB_AP_REQ is not one the server can use (e.g., it indicates an old
+key, and the server no longer possesses a copy of the old key), the
+KRB_AP_ERR_BADKEYVER error is returned. If the USE-SESSION-KEY flag is set
+in the ap-options field, it indicates to the server that the ticket is
+encrypted in the session key from the server's ticket-granting ticket
+rather than its secret key[10]. Since it is possible for the server to be
+registered in multiple realms, with different keys in each, the srealm
+field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to
+specify which secret key the server should use to decrypt that ticket. The
+KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the
+proper key to decipher the ticket.
+
+The ticket is decrypted using the version of the server's key specified by
+the ticket. If the decryption routines detect a modification of the ticket
+(each encryption system must provide safeguards to detect modified
+ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
+(chances are good that different keys were used to encrypt and decrypt).
+
+The authenticator is decrypted using the session key extracted from the
+decrypted ticket. If decryption shows it to have been modified, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the
+client from the ticket are compared against the same fields in the
+authenticator. If they don't match, the KRB_AP_ERR_BADMATCH error is
+returned (they might not match, for example, if the wrong session key was
+used to encrypt the authenticator). The addresses in the ticket (if any)
+are then searched for an address matching the operating-system reported
+address of the client. If no match is found or the server insists on ticket
+addresses but none are present in the ticket, the KRB_AP_ERR_BADADDR error
+is returned.
+
+If the local (server) time and the client time in the authenticator differ
+by more than the allowable clock skew (e.g., 5 minutes), the
+KRB_AP_ERR_SKEW error is returned. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen such tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The
+server must remember any authenticator presented within the allowable clock
+skew, so that a replay attempt is guaranteed to fail. If a server loses
+track of any authenticator presented within the allowable clock skew, it
+must reject all requests until the clock skew interval has passed. This
+assures that any lost or re-played authenticators will fall outside the
+allowable clock skew and can no longer be successfully replayed (If this is
+not done, an attacker could conceivably record the ticket and authenticator
+sent over the network to a server, then disable the client's host, pose as
+the disabled host, and replay the ticket and authenticator to subvert the
+authentication.). If a sequence number is provided in the authenticator,
+the server saves it for later use in processing KRB_SAFE and/or KRB_PRIV
+messages. If a subkey is present, the server either saves it for later use
+or uses it to help generate its own choice for a subkey to be returned in a
+KRB_AP_REP message.
+
+The server computes the age of the ticket: local (server) time minus the
+start time inside the Ticket. If the start time is later than the current
+time by more than the allowable clock skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
+current time is later than end time by more than the allowable clock skew,
+the KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+If all these checks succeed without an error, the server is assured that
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+the client possesses the credentials of the principal named in the ticket
+and thus, the client has been authenticated to the server. See section A.10
+for pseudocode.
+
+Passing these checks provides only authentication of the named principal;
+it does not imply authorization to use the named service. Applications must
+make a separate authorization decisions based upon the authenticated name
+of the user, the requested operation, local acces control information such
+as that contained in a .k5login or .k5users file, and possibly a separate
+distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+Typically, a client's request will include both the authentication
+information and its initial request in the same message, and the server
+need not explicitly reply to the KRB_AP_REQ. However, if mutual
+authentication (not only authenticating the client to the server, but also
+the server to the client) is being performed, the KRB_AP_REQ message will
+have MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message
+is required in response. As with the error message, this message may be
+encapsulated in the application protocol if its "raw" form is not
+acceptable to the application's protocol. The timestamp and microsecond
+field used in the reply must be the client's timestamp and microsecond
+field (as provided in the authenticator)[12]. If a sequence number is to be
+included, it should be randomly chosen as described above for the
+authenticator. A subkey may be included if the server desires to negotiate
+a different subkey. The KRB_AP_REP message is encrypted in the session key
+extracted from the ticket. See section A.11 for pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+If a KRB_AP_REP message is returned, the client uses the session key from
+the credentials obtained for the server[13] to decrypt the message, and
+verifies that the timestamp and microsecond fields match those in the
+Authenticator it sent to the server. If they match, then the client is
+assured that the server is genuine. The sequence number and subkey (if
+present) are retained for later use. See section A.12 for pseudocode.
+
+3.2.6. Using the encryption key
+
+After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
+server share an encryption key which can be used by the application. The
+'true session key' to be used for KRB_PRIV, KRB_SAFE, or other
+application-specific uses may be chosen by the application based on the
+subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
+the use of this session key will be implicit in the protocol; in others the
+method of use must be chosen from several alternatives. We leave the
+protocol negotiations of how to use the key (e.g. selecting an encryption
+or checksum type) to the application programmer; the Kerberos protocol does
+not constrain the implementation options, but an example of how this might
+be done follows.
+
+One way that an application may choose to negotiate a key to be used for
+subequent integrity and privacy protection is for the client to propose a
+key in the subkey field of the authenticator. The server can then choose a
+key using the proposed key from the client as input, returning the new
+subkey in the subkey field of the application reply. This key could then be
+used for subsequent communication. To make this example more concrete, if
+the encryption method in use required a 56 bit key, and for whatever
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+reason, one of the parties was prevented from using a key with more than 40
+unknown bits, this method would allow the the party which is prevented from
+using more than 40 bits to either propose (if the client) an initial key
+with a known quantity for 16 of those bits, or to mask 16 of the bits (if
+the server) with the known quantity. The application implementor is warned,
+however, that this is only an example, and that an analysis of the
+particular crytosystem to be used, and the reasons for limiting the key
+length, must be made before deciding whether it is acceptable to mask bits
+of the key.
+
+With both the one-way and mutual authentication exchanges, the peers should
+take care not to send sensitive information to each other without proper
+assurances. In particular, applications that require privacy or integrity
+should use the KRB_AP_REP response from the server to client to assure both
+client and server of their peer's identity. If an application protocol
+requires privacy of its messages, it can use the KRB_PRIV message (section
+3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+The TGS exchange between a client and the Kerberos Ticket-Granting Server
+is initiated by a client when it wishes to obtain authentication
+credentials for a given server (which might be registered in a remote
+realm), when it wishes to renew or validate an existing ticket, or when it
+wishes to obtain a proxy ticket. In the first case, the client must already
+have acquired a ticket for the Ticket-Granting Service using the AS
+exchange (the ticket-granting ticket is usually obtained when a client
+initially authenticates to the system, such as when a user logs in). The
+message format for the TGS exchange is almost identical to that for the AS
+exchange. The primary difference is that encryption and decryption in the
+TGS exchange does not take place under the client's key. Instead, the
+session key from the ticket-granting ticket or renewable ticket, or
+sub-session key from an Authenticator is used. As is the case for all
+application servers, expired tickets are not accepted by the TGS, so once a
+renewable or ticket-granting ticket expires, the client must use a separate
+exchange to obtain valid tickets.
+
+The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
+client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
+KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
+client plus a request for credentials. The authentication information
+consists of the authentication header (KRB_AP_REQ) which includes the
+client's previously obtained ticket-granting, renewable, or invalid ticket.
+In the ticket-granting ticket and proxy cases, the request may include one
+or more of: a list of network addresses, a collection of typed
+authorization data to be sealed in the ticket for authorization use by the
+application server, or additional tickets (the use of which are described
+later). The TGS reply (KRB_TGS_REP) contains the requested credentials,
+encrypted in the session key from the ticket-granting ticket or renewable
+ticket, or if present, in the sub-session key from the Authenticator (part
+of the authentication header). The KRB_ERROR message contains an error code
+and text explaining what went wrong. The KRB_ERROR message is not
+encrypted. The KRB_TGS_REP message contains information which can be used
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+to detect replays, and to associate it with the message to which it
+replies. The KRB_ERROR message also contains information which can be used
+to associate it with the message to which it replies, but the lack of
+encryption in the KRB_ERROR message precludes the ability to detect replays
+or fabrications of such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+Before sending a request to the ticket-granting service, the client must
+determine in which realm the application server is registered[15]. If the
+client does not already possess a ticket-granting ticket for the
+appropriate realm, then one must be obtained. This is first attempted by
+requesting a ticket-granting ticket for the destination realm from a
+Kerberos server for which the client does posess a ticket-granting ticket
+(using the KRB_TGS_REQ message recursively). The Kerberos server may return
+a TGT for the desired realm in which case one can proceed. Alternatively,
+the Kerberos server may return a TGT for a realm which is 'closer' to the
+desired realm (further along the standard hierarchical path), in which case
+this step must be repeated with a Kerberos server in the realm specified in
+the returned TGT. If neither are returned, then the request must be retried
+with a Kerberos server for a realm higher in the hierarchy. This request
+will itself require a ticket-granting ticket for the higher realm which
+must be obtained by recursively applying these directions.
+
+Once the client obtains a ticket-granting ticket for the appropriate realm,
+it determines which Kerberos servers serve that realm, and contacts one.
+The list might be obtained through a configuration file or network service
+or it may be generated from the name of the realm; as long as the secret
+keys exchanged by realms are kept secret, only denial of service results
+from using a false Kerberos server.
+
+As in the AS exchange, the client may specify a number of options in the
+KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
+an authentication header as an element of the padata field, and including
+the same fields as used in the KRB_AS_REQ message along with several
+optional fields: the enc-authorization-data field for application server
+use and additional tickets required by some options.
+
+In preparing the authentication header, the client can select a sub-session
+key under which the response from the Kerberos server will be
+encrypted[16]. If the sub-session key is not specified, the session key
+from the ticket-granting ticket will be used. If the enc-authorization-data
+is present, it must be encrypted in the sub-session key, if present, from
+the authenticator portion of the authentication header, or if not present,
+using the session key from the ticket-granting ticket.
+
+Once prepared, the message is sent to a Kerberos server for the destination
+realm. See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
+message, but there are many additional checks to be performed. First, the
+Kerberos server must determine which server the accompanying ticket is for
+and it must select the appropriate key to decrypt it. For a normal
+KRB_TGS_REQ message, it will be for the ticket granting service, and the
+TGS's key will be used. If the TGT was issued by another realm, then the
+appropriate inter-realm key must be used. If the accompanying ticket is not
+a ticket granting ticket for the current realm, but is for an application
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+server in the current realm, the RENEW, VALIDATE, or PROXY options are
+specified in the request, and the server for which a ticket is requested is
+the server named in the accompanying ticket, then the KDC will decrypt the
+ticket in the authentication header using the key of the server for which
+it was issued. If no ticket can be found in the padata field, the
+KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+Once the accompanying ticket has been decrypted, the user-supplied checksum
+in the Authenticator must be verified against the contents of the request,
+and the message rejected if the checksums do not match (with an error code
+of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
+collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
+checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
+returned. If the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+If any of the decryptions indicate failed integrity checks, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+3.3.3. Generation of KRB_TGS_REP message
+
+The KRB_TGS_REP message shares its format with the KRB_AS_REP
+(KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The detailed
+specification is in section 5.4.2.
+
+The response will include a ticket for the requested server. The Kerberos
+database is queried to retrieve the record for the requested server
+(including the key with which the ticket will be encrypted). If the request
+is for a ticket granting ticket for a remote realm, and if no key is shared
+with the requested realm, then the Kerberos server will select the realm
+"closest" to the requested realm with which it does share a key, and use
+that realm instead. This is the only case where the response from the KDC
+will be for a different server than that requested by the client.
+
+By default, the address field, the client's name and realm, the list of
+transited realms, the time of initial authentication, the expiration time,
+and the authorization data of the newly-issued ticket will be copied from
+the ticket-granting ticket (TGT) or renewable ticket. If the transited
+field needs to be updated, but the transited type is not supported, the
+KDC_ERR_TRTYPE_NOSUPP error is returned.
+
+If the request specifies an endtime, then the endtime of the new ticket is
+set to the minimum of (a) that request, (b) the endtime from the TGT, and
+(c) the starttime of the TGT plus the minimum of the maximum life for the
+application server and the maximum life for the local realm (the maximum
+life for the requesting principal was already applied when the TGT was
+issued). If the new ticket is to be a renewal, then the endtime above is
+replaced by the minimum of (a) the value of the renew_till field of the
+ticket and (b) the starttime for the new ticket plus the life
+(endtime-starttime) of the old ticket.
+
+If the FORWARDED option has been requested, then the resulting ticket will
+contain the addresses specified by the client. This option will only be
+honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
+similar; the resulting ticket will contain the addresses specified by the
+client. It will be honored only if the PROXIABLE flag in the TGT is set.
+The PROXY option will not be honored on requests for additional
+ticket-granting tickets.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified or the MAY-POSTDATE flag is not set in the TGT, then the
+error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the
+ticket-granting ticket has the MAY-POSTDATE flag set, then the resulting
+ticket will be postdated and the requested starttime is checked against the
+policy of the local realm. If acceptable, the ticket's start time is set as
+requested, and the INVALID flag is set. The postdated ticket must be
+validated before use by presenting it to the KDC after the starttime has
+been reached. However, in no case may the starttime, endtime, or renew-till
+time of a newly-issued postdated ticket extend beyond the renew-till time
+of the ticket-granting ticket.
+
+If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+has been included in the request, the KDC will decrypt the additional
+ticket using the key for the server to which the additional ticket was
+issued and verify that it is a ticket-granting ticket. If the name of the
+requested server is missing from the request, the name of the client in the
+additional ticket will be used. Otherwise the name of the requested server
+will be compared to the name of the client in the additional ticket and if
+different, the request will be rejected. If the request succeeds, the
+session key from the additional ticket will be used to encrypt the new
+ticket that is issued instead of using the key of the server for which the
+new ticket will be used[17].
+
+If the name of the server in the ticket that is presented to the KDC as
+part of the authentication header is not that of the ticket-granting server
+itself, the server is registered in the realm of the KDC, and the RENEW
+option is requested, then the KDC will verify that the RENEWABLE flag is
+set in the ticket, that the INVALID flag is not set in the ticket, and that
+the renew_till time is still in the future. If the VALIDATE option is
+rqeuested, the KDC will check that the starttime has passed and the INVALID
+flag is set. If the PROXY option is requested, then the KDC will check that
+the PROXIABLE flag is set in the ticket. If the tests succeed, and the
+ticket passes the hotlist check described in the next paragraph, the KDC
+will issue the appropriate new ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+Whenever a request is made to the ticket-granting server, the presented
+ticket(s) is(are) checked against a hot-list of tickets which have been
+canceled. This hot-list might be implemented by storing a range of issue
+timestamps for 'suspect tickets'; if a presented ticket had an authtime in
+that range, it would be rejected. In this way, a stolen ticket-granting
+ticket or renewable ticket cannot be used to gain additional tickets
+(renewals or otherwise) once the theft has been reported. Any normal ticket
+obtained before it was reported stolen will still be valid (because they
+require no interaction with the KDC), but only until their normal
+expiration time.
+
+The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+in the sub-session key from the Authenticator, if present, or the session
+key key from the ticket-granting ticket. It is not encrypted using the
+client's secret key. Furthermore, the client's key's expiration date and
+the key version number fields are left out since these values are stored
+along with the client's database record, and that record is not needed to
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+satisfy a request based on a ticket-granting ticket. See section A.6 for
+pseudocode.
+
+3.3.3.2. Encoding the transited field
+
+If the identity of the server in the TGT that is presented to the KDC as
+part of the authentication header is that of the ticket-granting service,
+but the TGT was issued from another realm, the KDC will look up the
+inter-realm key shared with that realm and use that key to decrypt the
+ticket. If the ticket is valid, then the KDC will honor the request,
+subject to the constraints outlined above in the section describing the AS
+exchange. The realm part of the client's identity will be taken from the
+ticket-granting ticket. The name of the realm that issued the
+ticket-granting ticket will be added to the transited field of the ticket
+to be issued. This is accomplished by reading the transited field from the
+ticket-granting ticket (which is treated as an unordered set of realm
+names), adding the new realm to the set, then constructing and writing out
+its encoded (shorthand) form (this may involve a rearrangement of the
+existing encoding).
+
+Note that the ticket-granting service does not add the name of its own
+realm. Instead, its responsibility is to add the name of the previous
+realm. This prevents a malicious Kerberos server from intentionally leaving
+out its own name (it could, however, omit other realms' names).
+
+The names of neither the local realm nor the principal's realm are to be
+included in the transited field. They appear elsewhere in the ticket and
+both are known to have taken part in authenticating the principal. Since
+the endpoints are not included, both local and single-hop inter-realm
+authentication result in a transited field that is empty.
+
+Because the name of each realm transited is added to this field, it might
+potentially be very long. To decrease the length of this field, its
+contents are encoded. The initially supported encoding is optimized for the
+normal case of inter-realm communication: a hierarchical arrangement of
+realms using either domain or X.500 style realm names. This encoding
+(called DOMAIN-X500-COMPRESS) is now described.
+
+Realm names in the transited field are separated by a ",". The ",", "\",
+trailing "."s, and leading spaces (" ") are special characters, and if they
+are part of a realm name, they must be quoted in the transited field by
+preced- ing them with a "\".
+
+A realm name ending with a "." is interpreted as being prepended to the
+previous realm. For example, we can encode traversal of EDU, MIT.EDU,
+ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that
+they would not be included in this field, and we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is interpreted as being appended to the
+previous realm[18]. If it is to stand by itself, then it should be preceded
+by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
+/COM/HP, /COM, and /COM/DEC as:
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+
+Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
+they would not be included in this field, and we would have:
+
+     "/COM,/HP"
+
+A null subfield preceding or following a "," indicates that all realms
+between the previous realm and the next realm have been traversed[19].
+Thus, "," means that all realms along the path between the client and the
+server have been traversed. ",EDU, /COM," means that that all realms from
+the client's realm up to EDU (in a domain style hierarchy) have been
+traversed, and that everything from /COM down to the server's realm in an
+X.500 style has also been traversed. This could occur if the EDU realm in
+one hierarchy shares an inter-realm key directly with the /COM realm in
+another hierarchy.
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it is processed in the same
+manner as the KRB_AS_REP processing described above. The primary difference
+is that the ciphertext part of the response must be decrypted using the
+session key from the ticket-granting ticket rather than the client's secret
+key. See section A.7 for pseudocode.
+
+3.4. The KRB_SAFE Exchange
+
+The KRB_SAFE message may be used by clients requiring the ability to detect
+modifications of messages they exchange. It achieves this by including a
+keyed collision-proof checksum of the user data and some control
+information. The checksum is keyed with an encryption key (usually the last
+key negotiated via subkeys, or the session key if no negotiation has
+occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+When an application wishes to send a KRB_SAFE message, it collects its data
+and the appropriate control information and computes a checksum over them.
+The checksum algorithm should be a keyed one-way hash function (such as the
+RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES
+MAC), generated using the sub-session key if present, or the session key.
+Different algorithms may be selected by changing the checksum type in the
+message. Unkeyed or non-collision-proof checksums are not suitable for this
+use.
+
+The control information for the KRB_SAFE message includes both a timestamp
+and a sequence number. The designer of an application using the KRB_SAFE
+message must choose at least one of the two mechanisms. This choice should
+be based on the needs of the application protocol.
+
+Sequence numbers are useful when all messages sent will be received by
+one's peer. Connection state is presently required to maintain the session
+key, so maintaining the next sequence number should not present an
+additional problem.
+
+If the application protocol is expected to tolerate lost messages without
+them being resent, the use of the timestamp is the appropriate replay
+detection mechanism. Using timestamps is also the appropriate mechanism for
+multi-cast protocols where all of one's peers share a common sub-session
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+key, but some messages will be sent to a subset of one's peers.
+
+After computing the checksum, the client then transmits the information and
+checksum to the recipient in the message format specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and
+type fields match the current version and KRB_SAFE, respectively. A
+mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
+The application verifies that the checksum used is a collision-proof keyed
+checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated.
+The recipient verifies that the operating system's report of the sender's
+address matches the sender's address in the message, and (if a recipient
+address is specified or the recipient requires an address) that one of the
+recipient's addresses appears as the recipient's address in the message. A
+failed match for either case generates a KRB_AP_ERR_BADADDR error. Then the
+timestamp and usec and/or the sequence number fields are checked. If
+timestamp and usec are expected and not present, or they are present but
+not current, the KRB_AP_ERR_SKEW error is generated. If the server name,
+along with the client name, time and microsecond fields from the
+Authenticator match any recently-seen (sent or received[20] ) such tuples,
+the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence number
+is included, or a sequence number is expected but not present, the
+KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
+a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
+Finally, the checksum is computed over the data and control information,
+and if it doesn't match the received checksum, a KRB_AP_ERR_MODIFIED error
+is generated.
+
+If all the checks succeed, the application is assured that the message was
+generated by its peer and was not modi- fied in transit.
+
+3.5. The KRB_PRIV Exchange
+
+The KRB_PRIV message may be used by clients requiring confidentiality and
+the ability to detect modifications of exchanged messages. It achieves this
+by encrypting the messages and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+When an application wishes to send a KRB_PRIV message, it collects its data
+and the appropriate control information (specified in section 5.7.1) and
+encrypts them under an encryption key (usually the last key negotiated via
+subkeys, or the session key if no negotiation has occured). As part of the
+control information, the client must choose to use either a timestamp or a
+sequence number (or both); see the discussion in section 3.4.1 for
+guidelines on which to use. After the user data and control information are
+encrypted, the client transmits the ciphertext and some 'envelope'
+information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+The message is first checked by verifying that the protocol version and
+type fields match the current version and KRB_PRIV, respectively. A
+mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
+The application then decrypts the ciphertext and processes the resultant
+plaintext. If decryption shows the data to have been modified, a
+KRB_AP_ERR_BAD_INTEGRITY error is generated. The recipient verifies that
+the operating system's report of the sender's address matches the sender's
+address in the message, and (if a recipient address is specified or the
+recipient requires an address) that one of the recipient's addresses
+appears as the recipient's address in the message. A failed match for
+either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
+usec and/or the sequence number fields are checked. If timestamp and usec
+are expected and not present, or they are present but not current, the
+KRB_AP_ERR_SKEW error is generated. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an
+incorrect sequence number is included, or a sequence number is expected but
+not present, the KRB_AP_ERR_BADORDER error is generated. If neither a
+time-stamp and usec or a sequence number is present, a KRB_AP_ERR_MODIFIED
+error is generated.
+
+If all the checks succeed, the application can assume the message was
+generated by its peer, and was securely transmitted (without intruders able
+to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+The KRB_CRED message may be used by clients requiring the ability to send
+Kerberos credentials from one host to another. It achieves this by sending
+the tickets together with encrypted data containing the session keys and
+other information associated with the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+When an application wishes to send a KRB_CRED message it first (using the
+KRB_TGS exchange) obtains credentials to be sent to the remote host. It
+then constructs a KRB_CRED message using the ticket or tickets so obtained,
+placing the session key needed to use each ticket in the key field of the
+corresponding KrbCredInfo sequence of the encrypted part of the the
+KRB_CRED message.
+
+Other information associated with each ticket and obtained during the
+KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence
+in the encrypted part of the KRB_CRED message. The current time and, if
+specifically required by the application the nonce, s-address, and
+r-address fields, are placed in the encrypted part of the KRB_CRED message
+which is then encrypted under an encryption key previosuly exchanged in the
+KRB_AP exchange (usually the last key negotiated via subkeys, or the
+session key if no negotiation has occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies it. If any
+error occurs, an error code is reported for use by the application. The
+message is verified by checking that the protocol version and type fields
+match the current version and KRB_CRED, respectively. A mismatch generates
+a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
+decrypts the ciphertext and processes the resultant plaintext. If
+decryption shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+error is generated.
+
+If present or required, the recipient verifies that the operating system's
+report of the sender's address matches the sender's address in the message,
+and that one of the recipient's addresses appears as the recipient's
+address in the message. A failed match for either case generates a
+KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce
+field if required) are checked next. If the timestamp and usec are not
+present, or they are present but not current, the KRB_AP_ERR_SKEW error is
+generated.
+
+If all the checks succeed, the application stores each of the new tickets
+in its ticket cache together with the session key and other information in
+the corresponding KrbCredInfo sequence from the encrypted part of the
+KRB_CRED message.
+
+4. The Kerberos Database
+
+The Kerberos server must have access to a database contain- ing the
+principal identifiers and secret keys of principals to be
+authenticated[21].
+
+4.1. Database contents
+
+A database entry should contain at least the following fields:
+
+Field                Value
+
+name                 Principal's identifier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier. The key field
+contains an encryption key. This key is the principal's secret key. (The
+key can be encrypted before storage under a Kerberos "master key" to
+protect it in case the database is compromised but the master key is not.
+In that case, an extra field must be added to indicate the master key
+version used, see below.) The p_kvno field is the key version number of the
+principal's secret key. The max_life field contains the maximum allowable
+lifetime (endtime - starttime) for any Ticket issued for this principal.
+The max_renewable_life field contains the maximum allowable total lifetime
+for any renewable Ticket issued for this principal. (See section 3.1 for a
+description of how these lifetimes are used in determining the lifetime of
+a given Ticket.)
+
+A server may provide KDC service to several realms, as long as the database
+representation provides a mechanism to distinguish between principal
+records with identifiers which differ only in the realm name.
+
+When an application server's key changes, if the change is routine (i.e.
+not the result of disclosure of the old key), the old key should be
+retained by the server until all tickets that had been issued using that
+key have expired. Because of this, it is possible for several keys to be
+active for a single principal. Ciphertext encrypted in a principal's key is
+always tagged with the version of the key that was used for encryption, to
+help the recipient find the proper key for decryption.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+When more than one key is active for a particular principal, the principal
+will have more than one record in the Kerberos database. The keys and key
+version numbers will differ between the records (the rest of the fields may
+or may not be the same). Whenever Kerberos issues a ticket, or responds to
+a request for initial authentication, the most recent key (known by the
+Kerberos server) will be used for encryption. This is the key with the
+highest key version number.
+
+4.2. Additional fields
+
+Project Athena's KDC implementation uses additional fields in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+mod_name     Modifying principal's identifier
+
+The K_kvno field indicates the key version of the Kerberos master key under
+which the principal's secret key is encrypted.
+
+After an entry's expiration date has passed, the KDC will return an error
+to any client attempting to gain tickets as or for the principal. (A
+database may want to maintain two expiration dates: one for the principal,
+and one for the principal's current key. This allows password aging to work
+independently of the principal's expiration date. However, due to the
+limited space in the responses, the KDC must combine the key expiration and
+principal expiration date into a single value called 'key_exp', which is
+used as a hint to the user to take administrative action.)
+
+The attributes field is a bitfield used to govern the operations involving
+the principal. This field might be useful in conjunction with user
+registration procedures, for site-specific policy implementations (Project
+Athena currently uses it for their user registration process controlled by
+the system-wide database service, Moira [LGDSR87]), to identify whether a
+principal can play the role of a client or server or both, to note whether
+a server is appropriate trusted to recieve credentials delegated by a
+client, or to identify the 'string to key' conversion algorithm used for a
+principal's key[22]. Other bits are used to indicate that certain ticket
+options should not be allowed in tickets encrypted under a principal's key
+(one bit each): Disallow issuing postdated tickets, disallow issuing
+forwardable tickets, disallow issuing tickets based on TGT authentication,
+disallow issuing renewable tickets, disallow issuing proxiable tickets, and
+disallow issuing tickets for which the principal is the server.
+
+The mod_date field contains the time of last modification of the entry, and
+the mod_name field contains the name of the principal which last modified
+the entry.
+
+4.3. Frequently Changing Fields
+
+Some KDC implementations may wish to maintain the last time that a request
+was made by a particular principal. Information that might be maintained
+includes the time of the last request, the time of the last request for a
+ticket-granting ticket, the time of the last use of a ticket-granting
+ticket, or other times. This information can then be returned to the user
+in the last-req field (see section 5.2).
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+Other frequently changing information that can be maintained is the latest
+expiration time for any tickets that have been issued using each key. This
+field would be used to indicate how long old keys must remain valid to
+allow the continued use of outstanding tickets.
+
+4.4. Site Constants
+
+The KDC implementation should have the following configurable constants or
+options, to allow an administrator to make and enforce policy decisions:
+
+   * The minimum supported lifetime (used to determine whether the
+     KDC_ERR_NEVER_VALID error should be returned). This constant should
+     reflect reasonable expectations of round-trip time to the KDC,
+     encryption/decryption time, and processing time by the client and
+     target server, and it should allow for a minimum 'useful' lifetime.
+   * The maximum allowable total (renewable) lifetime of a ticket
+     (renew_till - starttime).
+   * The maximum allowable lifetime of a ticket (endtime - starttime).
+   * Whether to allow the issue of tickets with empty address fields
+     (including the ability to specify that such tickets may only be issued
+     if the request specifies some authorization_data).
+   * Whether proxiable, forwardable, renewable or post-datable tickets are
+     to be issued.
+
+5. Message Specifications
+
+The following sections describe the exact contents and encoding of protocol
+messages and objects. The ASN.1 base definitions are presented in the first
+subsection. The remaining subsections specify the protocol objects (tickets
+and authenticators) and messages. Specification of encryption and checksum
+techniques, and the fields related to them, appear in section 6.
+
+Optional field in ASN.1 sequences
+
+For optional integer value and date fields in ASN.1 sequences where a
+default value has been specified, certain default values will not be
+allowed in the encoding because these values will always be represented
+through defaulting by the absence of the optional field. For example, one
+will not send a microsecond zero value because one must make sure that
+there is only one way to encode this value.
+
+Additional fields in ASN.1 sequences
+
+Implementations receiving Kerberos messages with additional fields present
+in ASN.1 sequences should carry the those fields through unmodified when
+the message is forwarded. Implementation should drop such fields if the
+sequence is reencoded.
+
+5.1. ASN.1 Distinguished Encoding Representation
+
+All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+Representation of the data elements as described in the X.509
+specification, section 8.7 [X509-88].
+
+5.3. ASN.1 Base Definitions
+
+The following ASN.1 base definitions are used in the rest of this section.
+Note that since the underscore character (_) is not permitted in ASN.1
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+Kerberos realms are encoded as GeneralStrings. Realms shall not contain a
+character with the code 0 (the ASCII NUL). Most realms will usually consist
+of several components separated by periods (.), in the style of Internet
+Domain Names, or separated by slashes (/) in the style of X.500 names.
+Acceptable forms for realm names are specified in section 7. A
+PrincipalName is a typed sequence of components consisting of the following
+sub-fields:
+
+name-type
+     This field specifies the type of name that follows. Pre-defined values
+     for this field are specified in section 7.2. The name-type should be
+     treated as a hint. Ignoring the name type, no two names can be the
+     same (i.e. at least one of the components, or the realm, must be
+     different). This constraint may be eliminated in the future.
+name-string
+     This field encodes a sequence of components that form a name, each
+     component encoded as a GeneralString. Taken together, a PrincipalName
+     and a Realm form a principal identifier. Most PrincipalNames will have
+     only a few components (typically one or two).
+
+KerberosTime ::=   GeneralizedTime
+                   -- Specifying UTC time zone (Z)
+
+The timestamps used in Kerberos are encoded as GeneralizedTimes. An
+encoding shall specify the UTC time zone (Z) and shall not include any
+fractional portions of the seconds. It further shall not include any
+separators. Example: The only valid format for UTC time 6 minutes, 27
+seconds after 9 pm on 6 November 1985 is 19851106210627Z.
+
+HostAddress ::=     SEQUENCE  {
+                    addr-type[0]             INTEGER,
+                    address[1]               OCTET STRING
+}
+
+HostAddresses ::=   SEQUENCE OF HostAddress
+
+The host adddress encodings consists of two fields:
+
+addr-type
+     This field specifies the type of address that follows. Pre-defined
+     values for this field are specified in section 8.1.
+address
+     This field encodes a single address of type addr-type.
+
+The two forms differ slightly. HostAddress contains exactly one address;
+HostAddresses contains a sequence of possibly many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+ad-data
+     This field contains authorization data to be interpreted according to
+     the value of the corresponding ad-type field.
+ad-type
+     This field specifies the format for the ad-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved
+     for registered use.
+
+Each sequence of type and data is refered to as an authorization element.
+Elements may be application specific, however, there is a common set of
+recursive elements that should be understood by all implementations. These
+elements contain other elements embedded within them, and the
+interpretation of the encapsulating element determines which of the
+embedded elements must be interpreted, and which may be ignored.
+Definitions for these common elements may be found in Appendix B.
+
+TicketExtensions ::= SEQUENCE OF SEQUENCE {
+           te-type[0]       INTEGER,
+           te-data[1]       OCTET STRING
+}
+
+
+
+te-data
+     This field contains opaque data that must be caried with the ticket to
+     support extensions to the Kerberos protocol including but not limited
+     to some forms of inter-realm key exchange and plaintext authorization
+     data. See appendix C for some common uses of this field.
+te-type
+     This field specifies the format for the te-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved
+     for registered use.
+
+APOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- use-session-key(1),
+                  -- mutual-required(2)
+
+TicketFlags ::= BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- may-postdate(5),
+                  -- postdated(6),
+                  -- invalid(7),
+                  -- renewable(8),
+                  -- initial(9),
+                  -- pre-authent(10),
+                  -- hw-authent(11),
+                  -- transited-policy-checked(12),
+                  -- ok-as-delegate(13)
+
+KDCOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- allow-postdate(5),
+                  -- postdated(6),
+                  -- unused7(7),
+                  -- renewable(8),
+                  -- unused9(9),
+                  -- unused10(10),
+                  -- unused11(11),
+                  -- unused12(12),
+                  -- unused13(13),
+                  -- disable-transited-check(26),
+                  -- renewable-ok(27),
+                  -- enc-tkt-in-skey(28),
+                  -- renew(30),
+                  -- validate(31)
+
+ASN.1 Bit strings have a length and a value. When used in Kerberos for the
+APOptions, TicketFlags, and KDCOptions, the length of the bit string on
+generated values should be the smallest number of bits needed to include
+the highest order bit that is set (1), but in no case less than 32 bits.
+The ASN.1 representation of the bit strings uses unnamed bits, with the
+meaning of the individual bits defined by the comments in the specification
+above. Implementations should accept values of bit strings of any length
+and treat the value of flags corresponding to bits beyond the end of the
+bit string as if the bit were reset (0). Comparison of bit strings of
+different length should treat the smaller string as if it were padded with
+zeros beyond the high order bits to the length of the longer string[23].
+
+LastReq ::=   SEQUENCE OF SEQUENCE {
+               lr-type[0]               INTEGER,
+               lr-value[1]              KerberosTime
+}
+
+lr-type
+     This field indicates how the following lr-value field is to be
+     interpreted. Negative values indicate that the information pertains
+     only to the responding server. Non-negative values pertain to all
+     servers for the realm. If the lr-type field is zero (0), then no
+     information is conveyed by the lr-value subfield. If the absolute
+     value of the lr-type field is one (1), then the lr-value subfield is
+     the time of last initial request for a TGT. If it is two (2), then the
+     lr-value subfield is the time of last initial request. If it is three
+     (3), then the lr-value subfield is the time of issue for the newest
+     ticket-granting ticket used. If it is four (4), then the lr-value
+     subfield is the time of the last renewal. If it is five (5), then the
+     lr-value subfield is the time of last request (of any type). If it is
+     (6), then the lr-value subfield is the time when the password will
+     expire.
+lr-value
+     This field contains the time of the last request. the time must be
+     interpreted according to the contents of the accompanying lr-type
+     subfield.
+
+See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
+EncryptionKey, EncryptionType, and KeyType.
+
+5.3. Tickets and Authenticators
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+This section describes the format and encryption parameters for tickets and
+authenticators. When a ticket or authenticator is included in a protocol
+message it is treated as an opaque object.
+
+5.3.1. Tickets
+
+A ticket is a record that helps a client authenticate to a service. A
+Ticket contains the following information:
+
+Ticket ::=        [APPLICATION 1] SEQUENCE {
+                  tkt-vno[0]                   INTEGER,
+                  realm[1]                     Realm,
+                  sname[2]                     PrincipalName,
+                  enc-part[3]                  EncryptedData,
+                  extensions[4]                TicketExtensions OPTIONAL
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be
+registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared by Kerberos
+and the end server (the server's secret key). See section 6 for the format
+of the ciphertext.
+
+tkt-vno
+     This field specifies the version number for the ticket format. This
+     document describes version number 5.
+realm
+     This field specifies the realm that issued a ticket. It also serves to
+     identify the realm part of the server's principal identifier. Since a
+     Kerberos server can only issue tickets for servers within its realm,
+     the two will always be identical.
+sname
+     This field specifies the name part of the server's identity.
+enc-part
+     This field holds the encrypted encoding of the EncTicketPart sequence.
+extensions
+     This optional field contains a sequence of extentions that may be used
+     to carry information that must be carried with the ticket to support
+     several extensions, including but not limited to plaintext
+     authorization data, tokens for exchanging inter-realm keys, and other
+     information that must be associated with a ticket for use by the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     application server. See Appendix C for definitions of some common
+     extensions.
+
+     Note that some older versions of Kerberos did not support this field.
+     Because this is an optional field it will not break older clients, but
+     older clients might strip this field from the ticket before sending it
+     to the application server. This limits the usefulness of this ticket
+     field to environments where the ticket will not be parsed and
+     reconstructed by these older Kerberos clients.
+
+     If it is known that the client will strip this field from the ticket,
+     as an interim measure the KDC may append this field to the end of the
+     enc-part of the ticket and append a traler indicating the lenght of
+     the appended extensions field. (this paragraph is open for discussion,
+     including the form of the traler).
+flags
+     This field indicates which of various options were used or requested
+     when the ticket was issued. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). Bit 0 is the most
+     significant bit. The encoding of the bits is specified in section 5.2.
+     The flags are described in more detail above in section 2. The
+     meanings of the flags are:
+
+          Bit(s)      Name         Description
+
+          0           RESERVED
+                                   Reserved for future  expansion  of  this
+                                   field.
+
+          1           FORWARDABLE
+                                   The FORWARDABLE flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  When set,  this
+                                   flag  tells  the  ticket-granting server
+                                   that it is OK to  issue  a  new  ticket-
+                                   granting ticket with a different network
+                                   address based on the presented ticket.
+
+          2           FORWARDED
+                                   When set, this flag indicates  that  the
+                                   ticket  has either been forwarded or was
+                                   issued based on authentication involving
+                                   a forwarded ticket-granting ticket.
+
+          3           PROXIABLE
+                                   The  PROXIABLE  flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.   The  PROXIABLE
+                                   flag  has an interpretation identical to
+                                   that of  the  FORWARDABLE  flag,  except
+                                   that   the   PROXIABLE  flag  tells  the
+                                   ticket-granting server  that  only  non-
+                                   ticket-granting  tickets  may  be issued
+                                   with different network addresses.
+
+          4           PROXY
+                                   When set, this  flag  indicates  that  a
+                                   ticket is a proxy.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+          5           MAY-POSTDATE
+                                   The MAY-POSTDATE flag is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  This flag tells
+                                   the  ticket-granting server that a post-
+                                   dated ticket may be issued based on this
+                                   ticket-granting ticket.
+
+          6           POSTDATED
+                                   This flag indicates that this ticket has
+                                   been  postdated.   The  end-service  can
+                                   check the authtime field to see when the
+                                   original authentication occurred.
+
+          7           INVALID
+                                   This flag indicates  that  a  ticket  is
+                                   invalid, and it must be validated by the
+                                   KDC  before  use.   Application  servers
+                                   must reject tickets which have this flag
+                                   set.
+
+          8           RENEWABLE
+                                   The  RENEWABLE  flag  is  normally  only
+                                   interpreted  by the TGS, and can usually
+                                   be ignored by end servers (some particu-
+                                   larly careful servers may wish to disal-
+                                   low  renewable  tickets).   A  renewable
+                                   ticket  can be used to obtain a replace-
+                                   ment ticket  that  expires  at  a  later
+                                   date.
+
+          9           INITIAL
+                                   This flag indicates that this ticket was
+                                   issued  using  the  AS protocol, and not
+                                   issued  based   on   a   ticket-granting
+                                   ticket.
+
+          10          PRE-AUTHENT
+                                   This flag indicates that during  initial
+                                   authentication, the client was authenti-
+                                   cated by the KDC  before  a  ticket  was
+                                   issued.    The   strength  of  the  pre-
+                                   authentication method is not  indicated,
+                                   but is acceptable to the KDC.
+
+          11          HW-AUTHENT
+                                   This flag indicates  that  the  protocol
+                                   employed   for   initial  authentication
+                                   required the use of hardware expected to
+                                   be possessed solely by the named client.
+                                   The hardware  authentication  method  is
+                                   selected  by the KDC and the strength of
+                                   the method is not indicated.
+
+          12           TRANSITED   This flag indicates that the KDC for the
+                  POLICY-CHECKED   realm has checked the transited field
+                                   against a realm defined policy for
+                                   trusted certifiers.  If this flag is
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                                   reset (0), then the application server
+                                   must check the transited field itself,
+                                   and if unable to do so it must reject
+                                   the authentication.  If the flag is set
+                                   (1) then the application server may skip
+                                   its own validation of the transited
+                                   field, relying on the validation
+                                   performed by the KDC.  At its option the
+                                   application server may still apply its
+                                   own validation based on a separate
+                                   policy for acceptance.
+
+          13      OK-AS-DELEGATE   This flag indicates that the server (not
+                                   the client) specified in the ticket has
+                                   been determined by policy of the realm
+                                   to be a suitable recipient of
+                                   delegation.  A client can use the
+                                   presence of this flag to help it make a
+                                   decision whether to delegate credentials
+                                   (either grant a proxy or a forwarded
+                                   ticket granting ticket) to this server.
+                                   The client is free to ignore the value
+                                   of this flag.  When setting this flag,
+                                   an administrator should consider the
+                                   Security and placement of the server on
+                                   which the service will run, as well as
+                                   whether the service requires the use of
+                                   delegated credentials.
+
+          14          ANONYMOUS
+                                   This flag indicates that  the  principal
+                                   named in the ticket is a generic princi-
+                                   pal for the realm and does not  identify
+                                   the  individual  using  the ticket.  The
+                                   purpose  of  the  ticket  is   only   to
+                                   securely  distribute  a session key, and
+                                   not to identify  the  user.   Subsequent
+                                   requests  using the same ticket and ses-
+                                   sion may be  considered  as  originating
+                                   from  the  same  user, but requests with
+                                   the same username but a different ticket
+                                   are  likely  to originate from different
+                                   users.
+
+          15-31       RESERVED
+                                   Reserved for future use.
+
+key
+     This field exists in the ticket and the KDC response and is used to
+     pass the session key from Kerberos to the application server and the
+     client. The field's encoding is described in section 6.2.
+crealm
+     This field contains the name of the realm in which the client is
+     registered and in which initial authentication took place.
+cname
+     This field contains the name part of the client's principal
+     identifier.
+transited
+     This field lists the names of the Kerberos realms that took part in
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     authenticating the user to whom this ticket was issued. It does not
+     specify the order in which the realms were transited. See section
+     3.3.3.2 for details on how this field encodes the traversed realms.
+     When the names of CA's are to be embedded inthe transited field (as
+     specified for some extentions to the protocol), the X.500 names of the
+     CA's should be mapped into items in the transited field using the
+     mapping defined by RFC2253.
+authtime
+     This field indicates the time of initial authentication for the named
+     principal. It is the time of issue for the original ticket on which
+     this ticket is based. It is included in the ticket to provide
+     additional information to the end service, and to provide the
+     necessary information for implementation of a `hot list' service at
+     the KDC. An end service that is particularly paranoid could refuse to
+     accept tickets for which the initial authentication occurred "too far"
+     in the past. This field is also returned as part of the response from
+     the KDC. When returned as part of the response to initial
+     authentication (KRB_AS_REP), this is the current time on the Ker-
+     beros server[24].
+starttime
+     This field in the ticket specifies the time after which the ticket is
+     valid. Together with endtime, this field specifies the life of the
+     ticket. If it is absent from the ticket, its value should be treated
+     as that of the authtime field.
+endtime
+     This field contains the time after which the ticket will not be
+     honored (its expiration time). Note that individual services may place
+     their own limits on the life of a ticket and may reject tickets which
+     have not yet expired. As such, this is really an upper bound on the
+     expiration time for the ticket.
+renew-till
+     This field is only present in tickets that have the RENEWABLE flag set
+     in the flags field. It indicates the maximum endtime that may be
+     included in a renewal. It can be thought of as the absolute expiration
+     time for the ticket, including all renewals.
+caddr
+     This field in a ticket contains zero (if omitted) or more (if present)
+     host addresses. These are the addresses from which the ticket can be
+     used. If there are no addresses, the ticket can be used from any
+     location. The decision by the KDC to issue or by the end server to
+     accept zero-address tickets is a policy decision and is left to the
+     Kerberos and end-service administrators; they may refuse to issue or
+     accept such tickets. The suggested and default policy, however, is
+     that such tickets will only be issued or accepted when additional
+     information that can be used to restrict the use of the ticket is
+     included in the authorization_data field. Such a ticket is a
+     capability.
+
+     Network addresses are included in the ticket to make it harder for an
+     attacker to use stolen credentials. Because the session key is not
+     sent over the network in cleartext, credentials can't be stolen simply
+     by listening to the network; an attacker has to gain access to the
+     session key (perhaps through operating system security breaches or a
+     careless user's unattended session) to make use of stolen tickets.
+
+     It is important to note that the network address from which a
+     connection is received cannot be reliably determined. Even if it could
+     be, an attacker who has compromised the client's worksta- tion could
+     use the credentials from there. Including the network addresses only
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     makes it more difficult, not impossible, for an attacker to walk off
+     with stolen credentials and then use them from a "safe" location.
+authorization-data
+     The authorization-data field is used to pass authorization data from
+     the principal on whose behalf a ticket was issued to the application
+     service. If no authorization data is included, this field will be left
+     out. Experience has shown that the name of this field is confusing,
+     and that a better name for this field would be restrictions.
+     Unfortunately, it is not possible to change the name of this field at
+     this time.
+
+     This field contains restrictions on any authority obtained on the
+     basis of authentication using the ticket. It is possible for any
+     principal in posession of credentials to add entries to the
+     authorization data field since these entries further restrict what can
+     be done with the ticket. Such additions can be made by specifying the
+     additional entries when a new ticket is obtained during the TGS
+     exchange, or they may be added during chained delegation using the
+     authorization data field of the authenticator.
+
+     Because entries may be added to this field by the holder of
+     credentials, it is not allowable for the presence of an entry in the
+     authorization data field of a ticket to amplify the priveleges one
+     would obtain from using a ticket.
+
+     The data in this field may be specific to the end service; the field
+     will contain the names of service specific objects, and the rights to
+     those objects. The format for this field is described in section 5.2.
+     Although Kerberos is not concerned with the format of the contents of
+     the sub-fields, it does carry type information (ad-type).
+
+     By using the authorization_data field, a principal is able to issue a
+     proxy that is valid for a specific purpose. For example, a client
+     wishing to print a file can obtain a file server proxy to be passed to
+     the print server. By specifying the name of the file in the
+     authorization_data field, the file server knows that the print server
+     can only use the client's rights when accessing the particular file to
+     be printed.
+
+     A separate service providing authorization or certifying group
+     membership may be built using the authorization-data field. In this
+     case, the entity granting authorization (not the authorized entity),
+     obtains a ticket in its own name (e.g. the ticket is issued in the
+     name of a privelege server), and this entity adds restrictions on its
+     own authority and delegates the restricted authority through a proxy
+     to the client. The client would then present this authorization
+     credential to the application server separately from the
+     authentication exchange.
+
+     Similarly, if one specifies the authorization-data field of a proxy
+     and leaves the host addresses blank, the resulting ticket and session
+     key can be treated as a capability. See [Neu93] for some suggested
+     uses of this field.
+
+     The authorization-data field is optional and does not have to be
+     included in a ticket.
+
+5.3.2. Authenticators
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+An authenticator is a record sent with a ticket to a server to certify the
+client's knowledge of the encryption key in the ticket, to help the server
+detect replays, and to help choose a "true session key" to use with the
+particular session. The encoding is encrypted in the ticket's session key
+shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+
+authenticator-vno
+     This field specifies the version number for the format of the
+     authenticator. This document specifies version 5.
+crealm and cname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+cksum
+     This field contains a checksum of the the applica- tion data that
+     accompanies the KRB_AP_REQ.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+     Its value (before encryption) ranges from 0 to 999999. It often
+     appears along with ctime. The two fields are used together to specify
+     a reasonably accurate timestamp.
+ctime
+     This field contains the current time on the client's host.
+subkey
+     This field contains the client's choice for an encryption key which is
+     to be used to protect this specific application session. Unless an
+     application specifies otherwise, if this field is left out the session
+     key from the ticket will be used.
+seq-number
+     This optional field includes the initial sequence number to be used by
+     the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
+     detect replays (It may also be used by application specific messages).
+     When included in the authenticator this field specifies the initial
+     sequence number for messages from the client to the server. When
+     included in the AP-REP message, the initial sequence number is that
+     for messages from the server to the client. When used in KRB_PRIV or
+     KRB_SAFE messages, it is incremented by one after each message is
+     sent. Sequence numbers fall in the range of 0 through 2^32 - 1 and
+     wrap to zero following the value 2^32 - 1.
+
+     For sequence numbers to adequately support the detection of replays
+     they should be non-repeating, even across connection boundaries. The
+     initial sequence number should be random and uniformly distributed
+     across the full space of possible sequence numbers, so that it cannot
+     be guessed by an attacker and so that it and the successive sequence
+     numbers do not repeat other sequences.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+authorization-data
+     This field is the same as described for the ticket in section 5.3.1.
+     It is optional and will only appear when additional restrictions are
+     to be placed on the use of a ticket, beyond those carried in the
+     ticket itself.
+
+5.4. Specifications for the AS and TGS exchanges
+
+This section specifies the format of the messages used in the exchange
+between the client and the Kerberos server. The format of possible error
+messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
+KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an
+initial ticket or an additional ticket. In either case, the message is sent
+from the client to the Authentication Server to request credentials for a
+service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER,
+                                           -- EncryptionType,
+                                           -- in preference order
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+The fields in this message are:
+
+pvno
+     This field is included in each message, and specifies the protocol
+     version number. This document specifies protocol version 5.
+msg-type
+     This field indicates the type of a protocol message. It will almost
+     always be the same as the application identifier associated with a
+     message. It is included to make the identifier more readily accessible
+     to the application. For the KDC-REQ message, this type will be
+     KRB_AS_REQ or KRB_TGS_REQ.
+padata
+     The padata (pre-authentication data) field contains a sequence of
+     authentication information which may be needed before credentials can
+     be issued or decrypted. In the case of requests for additional tickets
+     (KRB_TGS_REQ), this field will include an element with padata-type of
+     PA-TGS-REQ and data of an authentication header (ticket-granting
+     ticket and authenticator). The checksum in the authenticator (which
+     must be collision-proof) is to be computed over the KDC-REQ-BODY
+     encoding. In most requests for initial authentication (KRB_AS_REQ) and
+     most replies (KDC-REP), the padata field will be left out.
+
+     This field may also contain information needed by certain extensions
+     to the Kerberos protocol. For example, it might be used to initially
+     verify the identity of a client before any response is returned. This
+     is accomplished with a padata field with padata-type equal to
+     PA-ENC-TIMESTAMP and padata-value defined as follows:
+
+     padata-type     ::= PA-ENC-TIMESTAMP
+     padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+     PA-ENC-TS-ENC   ::= SEQUENCE {
+                     patimestamp[0]     KerberosTime, -- client's time
+                     pausec[1]          INTEGER OPTIONAL
+     }
+
+     with patimestamp containing the client's time and pausec containing
+     the microseconds which may be omitted if a client will not generate
+     more than one request per second. The ciphertext (padata-value)
+     consists of the PA-ENC-TS-ENC sequence, encrypted using the client's
+     secret key.
+
+     [use-specified-kvno item is here for discussion and may be removed] It
+     may also be used by the client to specify the version of a key that is
+     being used for accompanying preauthentication, and/or which should be
+     used to encrypt the reply from the KDC.
+
+     PA-USE-SPECIFIED-KVNO  ::=  Integer
+
+     The KDC should only accept and abide by the value of the
+     use-specified-kvno preauthentication data field when the specified key
+     is still valid and until use of a new key is confirmed. This situation
+     is likely to occur primarily during the period during which an updated
+     key is propagating to other KDC's in a realm.
+
+     The padata field can also contain information needed to help the KDC
+     or the client select the key needed for generating or decrypting the
+     response. This form of the padata is useful for supporting the use of
+     certain token cards with Kerberos. The details of such extensions are
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     specified in separate documents. See [Pat92] for additional uses of
+     this field.
+padata-type
+     The padata-type element of the padata field indicates the way that the
+     padata-value element is to be interpreted. Negative values of
+     padata-type are reserved for unregistered use; non-negative values are
+     used for a registered interpretation of the element type.
+req-body
+     This field is a placeholder delimiting the extent of the remaining
+     fields. If a checksum is to be calculated over the request, it is
+     calculated over an encoding of the KDC-REQ-BODY sequence which is
+     enclosed within the req-body field.
+kdc-options
+     This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
+     KDC and indicates the flags that the client wants set on the tickets
+     as well as other information that is to modify the behavior of the
+     KDC. Where appropriate, the name of an option may be the same as the
+     flag that is set by that option. Although in most case, the bit in the
+     options field will be the same as that in the flags field, this is not
+     guaranteed, so it is not acceptable to simply copy the options field
+     to the flags field. There are various checks that must be made before
+     honoring an option anyway.
+
+     The kdc_options field is a bit-field, where the selected options are
+     indicated by the bit being set (1), and the unselected options and
+     reserved fields being reset (0). The encoding of the bits is specified
+     in section 5.2. The options are described in more detail above in
+     section 2. The meanings of the options are:
+
+        Bit(s)    Name                Description
+         0        RESERVED
+                                      Reserved for future  expansion  of
+this
+                                      field.
+
+         1        FORWARDABLE
+                                      The FORWARDABLE  option  indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      forwardable flag set.  It  may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based is also
+for-
+                                      wardable.
+
+         2        FORWARDED
+                                      The FORWARDED option is  only
+specified
+                                      in  a  request  to  the
+ticket-granting
+                                      server and will only be honored  if
+the
+                                      ticket-granting  ticket  in  the
+request
+                                      has  its  FORWARDABLE  bit  set.
+This
+                                      option  indicates that this is a
+request
+                                      for forwarding.  The address(es) of
+the
+                                      host  from which the resulting ticket
+is
+                                      to  be  valid  are   included   in
+the
+                                      addresses field of the request.
+
+         3        PROXIABLE
+                                      The PROXIABLE option indicates that
+the
+                                      ticket to be issued is to have its
+prox-
+                                      iable flag set.  It may only be  set
+on
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                                      the  initial request, or in a
+subsequent
+                                      request if the ticket-granting ticket
+on
+                                      which it is based is also proxiable.
+
+         4        PROXY
+                                      The PROXY option indicates that this
+is
+                                      a request for a proxy.  This option
+will
+                                      only be honored if  the
+ticket-granting
+                                      ticket  in the request has its
+PROXIABLE
+                                      bit set.  The address(es)  of  the
+host
+                                      from which the resulting ticket is to
+be
+                                       valid  are  included  in  the
+addresses
+                                      field of the request.
+
+         5        ALLOW-POSTDATE
+                                      The ALLOW-POSTDATE option indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      MAY-POSTDATE flag set.  It may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based also has
+its
+                                      MAY-POSTDATE flag set.
+
+         6        POSTDATED
+                                      The POSTDATED option indicates that
+this
+                                      is  a  request  for  a postdated
+ticket.
+                                      This option will only be honored if
+the
+                                      ticket-granting  ticket  on  which
+                                      it is based has  its  MAY-POSTDATE
+                                      flag set.
+                                      The  resulting ticket will also have
+its
+                                      INVALID flag set, and that flag  may
+be
+                                      reset by a subsequent request to the
+KDC
+                                      after the starttime in  the  ticket
+has
+                                      been reached.
+
+         7        UNUSED
+                                      This option is presently unused.
+
+         8        RENEWABLE
+                                      The RENEWABLE option indicates that
+the
+                                      ticket  to  be  issued  is  to  have
+its
+                                      RENEWABLE flag set.  It may only be
+set
+                                      on  the  initial  request,  or  when
+the
+                                      ticket-granting  ticket  on  which
+the
+                                      request  is based is also renewable.
+If
+                                      this option is requested, then the
+rtime
+                                      field   in   the  request  contains
+the
+                                      desired absolute expiration time for
+the
+                                      ticket.
+
+         9-13     UNUSED
+                                      These options are presently unused.
+
+         14       REQUEST-ANONYMOUS
+                                      The REQUEST-ANONYMOUS  option
+indicates
+                                      that  the  ticket to be issued is not
+to
+                                      identify  the  user  to  which  it
+was
+                                      issued.  Instead, the principal
+identif-
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                                      ier is to be generic,  as  specified
+by
+                                      the  policy  of  the realm (e.g.
+usually
+                                      anonymous@realm).  The  purpose  of
+the
+                                      ticket  is only to securely distribute
+a
+                                      session key, and  not  to  identify
+the
+                                      user.   The ANONYMOUS flag on the
+ticket
+                                      to be returned should be  set.   If
+the
+                                      local  realms  policy  does  not
+permit
+                                      anonymous credentials, the request is
+to
+                                      be rejected.
+
+         15-25    RESERVED
+                                      Reserved for future use.
+
+         26       DISABLE-TRANSITED-CHECK
+                                      By default the KDC will check the
+                                      transited field of a ticket-granting-
+                                      ticket against the policy of the local
+                                      realm before it will issue derivative
+                                      tickets based on the ticket granting
+                                      ticket.  If this flag is set in the
+                                      request, checking of the transited
+field
+                                      is disabled.  Tickets issued without
+the
+                                      performance of this check will be
+noted
+                                      by the reset (0) value of the
+                                      TRANSITED-POLICY-CHECKED flag,
+                                      indicating to the application server
+                                      that the tranisted field must be
+checked
+                                      locally.  KDC's are encouraged but not
+                                      required to honor the
+                                      DISABLE-TRANSITED-CHECK option.
+
+         27       RENEWABLE-OK
+                                      The RENEWABLE-OK option indicates that
+a
+                                      renewable ticket will be acceptable if
+a
+                                      ticket with the  requested  life
+cannot
+                                      otherwise be provided.  If a ticket
+with
+                                      the requested life cannot  be
+provided,
+                                      then  a  renewable  ticket may be
+issued
+                                      with  a  renew-till  equal  to  the
+the
+                                      requested  endtime.   The  value  of
+the
+                                      renew-till field may still be limited
+by
+                                      local  limits, or limits selected by
+the
+                                      individual principal or server.
+
+         28       ENC-TKT-IN-SKEY
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The
+ENC-TKT-IN-SKEY
+                                      option indicates that the ticket for
+the
+                                      end  server  is  to  be encrypted in
+the
+                                      session key from the additional
+ticket-
+                                      granting ticket provided.
+
+         29       RESERVED
+                                      Reserved for future use.
+
+         30       RENEW
+                                      This option is used only by the
+ticket-
+                                      granting   service.   The  RENEW
+option
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                                      indicates that the  present  request
+is
+                                      for  a  renewal.  The ticket provided
+is
+                                      encrypted in  the  secret  key  for
+the
+                                      server  on  which  it  is  valid.
+This
+                                      option  will  only  be  honored  if
+the
+                                      ticket  to  be renewed has its
+RENEWABLE
+                                      flag set and if the time in  its
+renew-
+                                      till  field  has not passed.  The
+ticket
+                                      to be renewed is passed  in  the
+padata
+                                      field  as  part  of  the
+authentication
+                                      header.
+
+         31       VALIDATE
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The VALIDATE
+option
+                                      indicates that the request is  to
+vali-
+                                      date  a  postdated ticket.  It will
+only
+                                      be honored if the  ticket  presented
+is
+                                      postdated,  presently  has  its
+INVALID
+                                      flag set, and would be otherwise
+usable
+                                      at  this time.  A ticket cannot be
+vali-
+                                      dated before its starttime.  The
+ticket
+                                      presented for validation is encrypted
+in
+                                      the key of the server for  which  it
+is
+                                      valid  and is passed in the padata
+field
+                                      as part of the authentication header.
+
+cname and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
+     specified. If absent, the name of the server is taken from the name of
+     the client in the ticket passed as additional-tickets.
+enc-authorization-data
+     The enc-authorization-data, if present (and it can only be present in
+     the TGS_REQ form), is an encoding of the desired authorization-data
+     encrypted under the sub-session key if present in the Authenticator,
+     or alternatively from the session key in the ticket-granting ticket,
+     both from the padata field in the KRB_AP_REQ.
+realm
+     This field specifies the realm part of the server's principal
+     identifier. In the AS exchange, this is also the realm part of the
+     client's principal identifier.
+from
+     This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+     requests when the requested ticket is to be postdated. It specifies
+     the desired start time for the requested ticket. If this field is
+     omitted then the KDC should use the current time instead.
+till
+     This field contains the expiration date requested by the client in a
+     ticket request. It is optional and if omitted the requested ticket is
+     to have the maximum endtime permitted according to KDC policy for the
+     parties to the authentication exchange as limited by expiration date
+     of the ticket granting ticket or other preauthentication credentials.
+rtime
+     This field is the requested renew-till time sent from a client to the
+     KDC in a ticket request. It is optional.
+nonce
+     This field is part of the KDC request and response. It it intended to
+     hold a random number generated by the client. If the same number is
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     included in the encrypted response from the KDC, it provides evidence
+     that the response is fresh and has not been replayed by an attacker.
+     Nonces must never be re-used. Ideally, it should be generated
+     randomly, but if the correct time is known, it may suffice[25].
+etype
+     This field specifies the desired encryption algorithm to be used in
+     the response.
+addresses
+     This field is included in the initial request for tickets, and
+     optionally included in requests for additional tickets from the
+     ticket-granting server. It specifies the addresses from which the
+     requested ticket is to be valid. Normally it includes the addresses
+     for the client's host. If a proxy is requested, this field will
+     contain other addresses. The contents of this field are usually copied
+     by the KDC into the caddr field of the resulting ticket.
+additional-tickets
+     Additional tickets may be optionally included in a request to the
+     ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+     specified, then the session key from the additional ticket will be
+     used in place of the server's key to encrypt the new ticket. If more
+     than one option which requires additional tickets has been specified,
+     then the additional tickets are used in the order specified by the
+     ordering of the options bits (see kdc-options, above).
+
+The application code will be either ten (10) or twelve (12) depending on
+whether the request is for an initial ticket (AS-REQ) or for an additional
+ticket (TGS-REQ).
+
+The optional fields (addresses, authorization-data and additional-tickets)
+are only included if necessary to perform the operation specified in the
+kdc-options field.
+
+It should be noted that in KRB_TGS_REQ, the protocol version number appears
+twice and two different message types appear: the KRB_TGS_REQ message
+contains these fields as does the authentication header (KRB_AP_REQ) that
+is passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+The KRB_KDC_REP message format is used for the reply from the KDC for
+either an initial (AS) request or a subsequent (TGS) request. There is no
+message type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP
+or KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
+depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
+the client's secret key, and the client's key version number is included in
+the key version number for the encrypted data. For KRB_TGS_REP, the
+ciphertext is encrypted in the sub-session key from the Authenticator, or
+if absent, the session key from the ticket-granting ticket used in the
+request. In that case, no version number will be present in the
+EncryptedData sequence.
+
+The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+              enc-part[6]                EncryptedData
+}
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is either
+     KRB_AS_REP or KRB_TGS_REP.
+padata
+     This field is described in detail in section 5.4.1. One possible use
+     for this field is to encode an alternate "mix-in" string to be used
+     with a string-to-key algorithm (such as is described in section
+     6.3.2). This ability is useful to ease transitions if a realm name
+     needs to change (e.g. when a company is acquired); in such a case all
+     existing password-derived entries in the KDC database would be flagged
+     as needing a special mix-in string until the next password change.
+crealm, cname, srealm and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+ticket
+     The newly-issued ticket, from section 5.3.1.
+enc-part
+     This field is a place holder for the ciphertext and related
+     information that forms the encrypted part of a message. The
+     description of the encrypted part of the message follows each
+     appearance of this field. The encrypted part is encoded as described
+     in section 6.1.
+key
+     This field is the same as described for the ticket in section 5.3.1.
+last-req
+     This field is returned by the KDC and specifies the time(s) of the
+     last request by a principal. Depending on what information is
+     available, this might be the last time that a request for a
+     ticket-granting ticket was made, or the last time that a request based
+     on a ticket-granting ticket was successful. It also might cover all
+     servers for a realm, or just the particular server. Some
+     implementations may display this information to the user to aid in
+     discovering unauthorized use of one's identity. It is similar in
+     spirit to the last login time displayed when logging into timesharing
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     systems.
+nonce
+     This field is described above in section 5.4.1.
+key-expiration
+     The key-expiration field is part of the response from the KDC and
+     specifies the time that the client's secret key is due to expire. The
+     expiration might be the result of password aging or an account
+     expiration. This field will usually be left out of the TGS reply since
+     the response to the TGS request is encrypted in a session key and no
+     client information need be retrieved from the KDC database. It is up
+     to the application client (usually the login program) to take
+     appropriate action (such as notifying the user) if the expiration time
+     is imminent.
+flags, authtime, starttime, endtime, renew-till and caddr
+     These fields are duplicates of those found in the encrypted portion of
+     the attached ticket (see section 5.3.1), provided so the client may
+     verify they match the intended request and to assist in proper ticket
+     caching. If the message is of type KRB_TGS_REP, the caddr field will
+     only be filled in if the request was for a proxy or forwarded ticket,
+     or if the user is substituting a subset of the addresses from the
+     ticket granting ticket. If the client-requested addresses are not
+     present or not used, then the addresses contained in the ticket will
+     be the same as those included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+This section specifies the format of the messages used for the
+authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+The KRB_AP_REQ message contains the Kerberos protocol version number, the
+message type KRB_AP_REQ, an options field to indicate any options in use,
+and the ticket and authenticator themselves. The KRB_AP_REQ message is
+often referred to as the 'authentication header'.
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REQ.
+ap-options
+     This field appears in the application request (KRB_AP_REQ) and affects
+     the way the request is processed. It is a bit-field, where the
+     selected options are indicated by the bit being set (1), and the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     unselected options and reserved fields being reset (0). The encoding
+     of the bits is specified in section 5.2. The meanings of the options
+     are:
+
+          Bit(s)   Name              Description
+
+          0        RESERVED
+                                     Reserved for future  expansion  of
+this
+                                     field.
+
+          1        USE-SESSION-KEY
+                                     The  USE-SESSION-KEY  option
+indicates
+                                     that the ticket the client is
+presenting
+                                     to a server is encrypted in the
+session
+                                     key  from  the  server's
+ticket-granting
+                                     ticket.  When this option is not
+speci-
+                                     fied,  the  ticket  is  encrypted in
+the
+                                     server's secret key.
+
+          2        MUTUAL-REQUIRED
+                                     The  MUTUAL-REQUIRED  option  tells
+the
+                                     server  that  the client requires
+mutual
+                                     authentication, and that it must
+respond
+                                     with a KRB_AP_REP message.
+
+          3-31     RESERVED
+                                     Reserved for future use.
+
+ticket
+     This field is a ticket authenticating the client to the server.
+authenticator
+     This contains the authenticator, which includes the client's choice of
+     a subkey. Its encoding is described in section 5.3.2.
+
+5.5.2. KRB_AP_REP definition
+
+The KRB_AP_REP message contains the Kerberos protocol version number, the
+message type, and an encrypted time- stamp. The message is sent in in
+response to an application request (KRB_AP_REQ) where the mutual
+authentication option has been selected in the ap-options field.
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+The encoded EncAPRepPart is encrypted in the shared session key of the
+ticket. The optional subkey field can be used in an application-arranged
+negotiation to choose a per association session key.
+
+pvno and msg-type
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REP.
+enc-part
+     This field is described above in section 5.4.2.
+ctime
+     This field contains the current time on the client's host.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+subkey
+     This field contains an encryption key which is to be used to protect
+     this specific application session. See section 3.2.6 for specifics on
+     how this field is used to negotiate a key. Unless an application
+     specifies otherwise, if this field is left out, the sub-session key
+     from the authenticator, or if also left out, the session key from the
+     ticket will be used.
+
+5.5.3. Error message reply
+
+If an error occurs while processing the application request, the KRB_ERROR
+message will be sent in response. See section 5.9.1 for the format of the
+error message. The cname and crealm fields may be left out if the server
+cannot determine their appropriate values from the corresponding KRB_AP_REQ
+message. If the authenticator was decipherable, the ctime and cusec fields
+will contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to send a tamper-proof message to
+its peer. It presumes that a session key has previously been exchanged (for
+example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+The KRB_SAFE message contains user data along with a collision-proof
+checksum keyed with the last encryption key negotiated via subkeys, or the
+session key if no negotiation has occured. The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_SAFE.
+safe-body
+     This field is a placeholder for the body of the KRB-SAFE message.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+cksum
+     This field contains the checksum of the application data. Checksum
+     details are described in section 6.4. The checksum is computed over
+     the encoding of the KRB-SAFE sequence. First, the cksum is zeroed and
+     the checksum is computed over the encoding of the KRB-SAFE sequence,
+     then the checksum is set to the result of that computation, and
+     finally the KRB-SAFE sequence is encoded again.
+user-data
+     This field is part of the KRB_SAFE and KRB_PRIV messages and contain
+     the application specific data that is being passed from the sender to
+     the recipient.
+timestamp
+     This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
+     are the current time as known by the sender of the message. By
+     checking the timestamp, the recipient of the message is able to make
+     sure that it was recently generated, and is not a replay.
+usec
+     This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
+     the microsecond part of the timestamp.
+seq-number
+     This field is described above in section 5.3.2.
+s-address
+     This field specifies the address in use by the sender of the message.
+r-address
+     This field specifies the address in use by the recipient of the
+     message. It may be omitted for some uses (such as broadcast
+     protocols), but the recipient may arbitrarily reject such messages.
+     This field along with s-address can be used to help detect messages
+     which have been incorrectly or maliciously delivered to the wrong
+     recipient.
+
+5.7. KRB_PRIV message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to securely and privately send a
+message to its peer. It presumes that a session key has previously been
+exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+The KRB_PRIV message contains user data encrypted in the Session Key. The
+message fields are:
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's
+addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's
+addr
+}
+
+pvno and msg-type
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_PRIV.
+enc-part
+     This field holds an encoding of the EncKrbPrivPart sequence encrypted
+     under the session key[32]. This encrypted encoding is used for the
+     enc-part field of the KRB-PRIV message. See section 6 for the format
+     of the ciphertext.
+user-data, timestamp, usec, s-address and r-address
+     These fields are described above in section 5.6.1.
+seq-number
+     This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+This section specifies the format of a message that can be used to send
+Kerberos credentials from one principal to another. It is presented here to
+encourage a common mechanism to be used by applications when forwarding
+tickets or providing proxies to subordinate servers. It presumes that a
+session key has already been exchanged perhaps by using the
+KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+The KRB_CRED message contains a sequence of tickets to be sent and
+information needed to use the tickets, including the session key from each.
+The information needed to use the tickets is encrypted under an encryption
+key previously exchanged or transferred alongside the KRB_CRED message. The
+message fields are:
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_CRED.
+tickets
+     These are the tickets obtained from the KDC specifically for use by
+     the intended recipient. Successive tickets are paired with the
+     corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
+     message.
+enc-part
+     This field holds an encoding of the EncKrbCredPart sequence encrypted
+     under the session key shared between the sender and the intended
+     recipient. This encrypted encoding is used for the enc-part field of
+     the KRB-CRED message. See section 6 for the format of the ciphertext.
+nonce
+     If practical, an application may require the inclusion of a nonce
+     generated by the recipient of the message. If the same value is
+     included as the nonce in the message, it provides evidence that the
+     message is fresh and has not been replayed by an attacker. A nonce
+     must never be re-used; it should be generated randomly by the
+     recipient of the message and provided to the sender of the message in
+     an application specific manner.
+timestamp and usec
+     These fields specify the time that the KRB-CRED message was generated.
+     The time is used to provide assurance that the message is fresh.
+s-address and r-address
+     These fields are described above in section 5.6.1. They are used
+     optionally to provide additional assurance of the integrity of the
+     KRB-CRED message.
+key
+     This field exists in the corresponding ticket passed by the KRB-CRED
+     message and is used to pass the session key from the sender to the
+     intended recipient. The field's encoding is described in section 6.2.
+
+The following fields are optional. If present, they can be associated with
+the credentials in the remote ticket file. If left out, then it is assumed
+that the recipient of the credentials already knows their value.
+
+prealm and pname
+     The name and realm of the delegated principal identity.
+flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
+     These fields contain the values of the correspond- ing fields from the
+     ticket found in the ticket field. Descriptions of the fields are
+     identical to the descriptions in the KDC-REP message.
+
+5.9. Error message specification
+
+This section specifies the format for the KRB_ERROR message. The fields
+included in the message are intended to return as much information as
+possible about an error. It is not expected that all the information
+required by the fields will be available for all types of errors. If the
+appropriate information is not available when the message is composed, the
+corresponding field will be left out of the message.
+
+Note that since the KRB_ERROR message is not protected by any encryption,
+it is quite possible for an intruder to synthesize or modify such a
+message. In particular, this means that the client should not use any
+fields in this message for security-critical purposes, such as setting a
+system clock or generating a fresh authenticator. The message can be
+useful, however, for advising a user on the reason for some failure.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+5.9.1. KRB_ERROR definition
+
+The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL,
+                e-typed-data[14]              SEQUENCE of ETypedData
+OPTIONAL
+}
+
+ETypedData ::=  SEQUENCE {
+                e-data-type    [1] INTEGER,
+                e-data-value   [2] OCTET STRING,
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_ERROR.
+ctime
+     This field is described above in section 5.4.1.
+cusec
+     This field is described above in section 5.5.2.
+stime
+     This field contains the current time on the server. It is of type
+     KerberosTime.
+susec
+     This field contains the microsecond part of the server's timestamp.
+     Its value ranges from 0 to 999999. It appears along with stime. The
+     two fields are used in conjunction to specify a reasonably accurate
+     timestamp.
+error-code
+     This field contains the error code returned by Kerberos or the server
+     when a request fails. To interpret the value of this field see the
+     list of error codes in section 8. Implementations are encouraged to
+     provide for national language support in the display of error
+     messages.
+crealm, cname, srealm and sname
+     These fields are described above in section 5.3.1.
+e-text
+     This field contains additional text to help explain the error code
+     associated with the failed request (for example, it might include a
+     principal name which was unknown).
+e-data
+     This field contains additional data about the error for use by the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     application to help it recover from or handle the error. If the
+     errorcode is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will
+     contain an encoding of a sequence of padata fields, each corresponding
+     to an acceptable pre-authentication method and optionally containing
+     data for the method:
+
+     METHOD-DATA ::=   SEQUENCE of PA-DATA
+
+     If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
+     contain an encoding of the following sequence:
+
+     METHOD-DATA ::=   SEQUENCE {
+                         method-type[0]   INTEGER,
+                         method-data[1]   OCTET STRING OPTIONAL
+     }
+
+     method-type will indicate the required alternate method; method-data
+     will contain any required additional information.
+e-cksum
+     This field contains an optional checksum for the KRB-ERROR message.
+     The checksum is calculated over the Kerberos ASN.1 encoding of the
+     KRB-ERROR message with the checksum absent. The checksum is then added
+     to the KRB-ERROR structure and the message is re-encoded. The Checksum
+     should be calculated using the session key from the ticket granting
+     ticket or service ticket, where available. If the error is in response
+     to a TGS or AP request, the checksum should be calculated uing the the
+     session key from the client's ticket. If the error is in response to
+     an AS request, then the checksum should be calulated using the
+     client's secret key ONLY if there has been suitable preauthentication
+     to prove knowledge of the secret key by the client[33]. If a checksum
+     can not be computed because the key to be used is not available, no
+     checksum will be included.
+e-typed-data
+     [This field for discussion, may be deleted from final spec] This field
+     contains optional data that may be used to help the client recover
+     from the indicated error. [This could contain the METHOD-DATA
+     specified since I don't think anyone actually uses it yet. It could
+     also contain the PA-DATA sequence for the preauth required error if we
+     had a clear way to transition to the use of this field from the use of
+     the untype e-data field.] For example, this field may specify the key
+     version of the key used to verify preauthentication:
+
+     e-data-type  := 20 -- Key version number
+     e-data-value := Integer -- Key version number used to verify
+preauthentication
+
+6. Encryption and Checksum Specifications
+
+The Kerberos protocols described in this document are designed to use
+stream encryption ciphers, which can be simulated using commonly available
+block encryption ciphers, such as the Data Encryption Standard, [DES77] in
+conjunction with block chaining and checksum methods [DESM80]. Encryption
+is used to prove the identities of the network entities participating in
+message exchanges. The Key Distribution Center for each realm is trusted by
+all principals registered in that realm to store a secret key in
+confidence. Proof of knowledge of this secret key is used to verify the
+authenticity of a principal.
+
+The KDC uses the principal's secret key (in the AS exchange) or a shared
+session key (in the TGS exchange) to encrypt responses to ticket requests;
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+the ability to obtain the secret key or session key implies the knowledge
+of the appropriate keys and the identity of the KDC. The ability of a
+principal to decrypt the KDC response and present a Ticket and a properly
+formed Authenticator (generated with the session key from the KDC response)
+to a service verifies the identity of the principal; likewise the ability
+of the service to extract the session key from the Ticket and prove its
+knowledge thereof in a response verifies the identity of the service.
+
+The Kerberos protocols generally assume that the encryption used is secure
+from cryptanalysis; however, in some cases, the order of fields in the
+encrypted portions of messages are arranged to minimize the effects of
+poorly chosen keys. It is still important to choose good keys. If keys are
+derived from user-typed passwords, those passwords need to be well chosen
+to make brute force attacks more difficult. Poorly chosen keys still make
+easy targets for intruders.
+
+The following sections specify the encryption and checksum mechanisms
+currently defined for Kerberos. The encodings, chaining, and padding
+requirements for each are described. For encryption methods, it is often
+desirable to place random information (often referred to as a confounder)
+at the start of the message. The requirements for a confounder are
+specified with each encryption mechanism.
+
+Some encryption systems use a block-chaining method to improve the the
+security characteristics of the ciphertext. However, these chaining methods
+often don't provide an integrity check upon decryption. Such systems (such
+as DES in CBC mode) must be augmented with a checksum of the plain-text
+which can be verified at decryption and used to detect any tampering or
+damage. Such checksums should be good at detecting burst errors in the
+input. If any damage is detected, the decryption routine is expected to
+return an error indicating the failure of an integrity check. Each
+encryption type is expected to provide and verify an appropriate checksum.
+The specification of each encryption method sets out its checksum
+requirements.
+
+Finally, where a key is to be derived from a user's password, an algorithm
+for converting the password to a key of the appropriate type is included.
+It is desirable for the string to key function to be one-way, and for the
+mapping to be different in different realms. This is important because
+users who are registered in more than one realm will often use the same
+password in each, and it is desirable that an attacker compromising the
+Kerberos server in one realm not obtain or derive the user's key in
+another.
+
+For an discussion of the integrity characteristics of the candidate
+encryption and checksum methods considered for Kerberos, the the reader is
+referred to [SG92].
+
+6.1. Encryption Specifications
+
+The following ASN.1 definition describes all encrypted messages. The
+enc-part field which appears in the unencrypted part of messages in section
+5 is a sequence consisting of an encryption type, an optional key version
+number, and the ciphertext.
+
+EncryptedData ::=   SEQUENCE {
+                    etype[0]     INTEGER, -- EncryptionType
+                    kvno[1]      INTEGER OPTIONAL,
+                    cipher[2]    OCTET STRING -- ciphertext
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+}
+
+
+
+etype
+     This field identifies which encryption algorithm was used to encipher
+     the cipher. Detailed specifications for selected encryption types
+     appear later in this section.
+kvno
+     This field contains the version number of the key under which data is
+     encrypted. It is only present in messages encrypted under long lasting
+     keys, such as principals' secret keys.
+cipher
+     This field contains the enciphered text, encoded as an OCTET STRING.
+
+The cipher field is generated by applying the specified encryption
+algorithm to data composed of the message and algorithm-specific inputs.
+Encryption mechanisms defined for use with Kerberos must take sufficient
+measures to guarantee the integrity of the plaintext, and we recommend they
+also take measures to protect against precomputed dictionary attacks. If
+the encryption algorithm is not itself capable of doing so, the protections
+can often be enhanced by adding a checksum and a confounder.
+
+The suggested format for the data to be encrypted includes a confounder, a
+checksum, the encoded plaintext, and any necessary padding. The msg-seq
+field contains the part of the protocol message described in section 5
+which is to be encrypted. The confounder, checksum, and padding are all
+untagged and untyped, and their length is exactly sufficient to hold the
+appropriate item. The type and length is implicit and specified by the
+particular encryption type being used (etype). The format for the data to
+be encrypted is described in the following diagram:
+
+      +-----------+----------+-------------+-----+
+      |confounder |   check  |   msg-seq   | pad |
+      +-----------+----------+-------------+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+CipherText ::=   ENCRYPTED       SEQUENCE {
+            confounder[0]   UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
+            check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+            msg-seq[2]      MsgSequence,
+            pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+}
+
+One generates a random confounder of the appropriate length, placing it in
+confounder; zeroes out check; calculates the appropriate checksum over
+confounder, check, and msg-seq, placing the result in check; adds the
+necessary padding; then encrypts using the specified encryption type and
+the appropriate key.
+
+Unless otherwise specified, a definition of an encryption algorithm that
+specifies a checksum, a length for the confounder field, or an octet
+boundary for padding uses this ciphertext format[36]. Those fields which
+are not specified will be omitted.
+
+In the interest of allowing all implementations using a particular
+encryption type to communicate with all others using that type, the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+specification of an encryption type defines any checksum that is needed as
+part of the encryption process. If an alternative checksum is to be used, a
+new encryption type must be defined.
+
+Some cryptosystems require additional information beyond the key and the
+data to be encrypted. For example, DES, when used in cipher-block-chaining
+mode, requires an initialization vector. If required, the description for
+each encryption type must specify the source of such additional
+information. 6.2. Encryption Keys
+
+The sequence below shows the encoding of an encryption key:
+
+       EncryptionKey ::=   SEQUENCE {
+                           keytype[0]    INTEGER,
+                           keyvalue[1]   OCTET STRING
+       }
+
+keytype
+     This field specifies the type of encryption key that follows in the
+     keyvalue field. It will almost always correspond to the encryption
+     algorithm used to generate the EncryptedData, though more than one
+     algorithm may use the same type of key (the mapping is many to one).
+     This might happen, for example, if the encryption algorithm uses an
+     alternate checksum algorithm for an integrity check, or a different
+     chaining mechanism.
+keyvalue
+     This field contains the key itself, encoded as an octet string.
+
+All negative values for the encryption key type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields
+and interpreta- tions.
+
+6.3. Encryption Systems
+
+6.3.1. The NULL Encryption System (null)
+
+If no encryption is in use, the encryption system is said to be the NULL
+encryption system. In the NULL encryption system there is no checksum,
+confounder or padding. The ciphertext is simply the plaintext. The NULL Key
+is used by the null encryption system and is zero octets in length, with
+keytype zero (0).
+
+6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+The des-cbc-crc encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+A CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the
+confounder and message sequence (msg-seq) and placed in the cksum field.
+DES blocks are 8 bytes. As a result, the data to be encrypted (the
+concatenation of confounder, checksum, and message) must be padded to an 8
+byte boundary before encryption. The details of the encryption of this data
+are identical to those for the des-cbc-md5 encryption mode.
+
+Note that, since the CRC-32 checksum is not collision-proof, an attacker
+could use a probabilistic chosen-plaintext attack to generate a valid
+message even if a confounder is used [SG92]. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat. The use of the CRC-32 as the checksum for ticket or
+authenticator is no longer mandated as an interoperability requirement for
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+Kerberos Version 5 Specification 1 (See section 9.1 for specific details).
+
+6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+The des-cbc-md4 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD4 checksum (described in [MD492]) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption. The details of the encryption of this data are identical
+to those for the des-cbc-md5 encryption mode.
+
+6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+The des-cbc-md5 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD5 checksum (described in [MD5-92].) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption.
+
+Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are
+concatenated to make the 64-bit inputs for the DES algorithms. The first
+octet supplies the 8 most significant bits (with the octet's MSbit used as
+the DES input block's MSbit, etc.), the second octet the next 8 bits, ...,
+and the eighth octet supplies the 8 least significant bits.
+
+Encryption under DES using cipher block chaining requires an additional
+input in the form of an initialization vector. Unless otherwise specified,
+zero should be used as the initialization vector. Kerberos' use of DES
+requires an 8 octet confounder.
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those
+keys shall not be used for encrypting messages for use in Kerberos.
+Additionally, because of the way that keys are derived for the encryption
+of checksums, keys shall not be used that yield 'weak' or 'semi-weak' keys
+when eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
+
+A DES key is 8 octets of data, with keytype one (1). This consists of 56
+bits of key, and 8 parity bits (one per octet). The key is encoded as a
+series of 8 octets written in MSB-first order. The bits within the key are
+also encoded in MSB order. For example, if the encryption key is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the
+parity bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1
+as the MSbit). [See the FIPS 81 introduction for reference.]
+
+String to key transformation
+
+To generate a DES key from a text string (password), a "salt" is
+concatenated to the text string, and then padded with ASCII nulls to an 8
+byte boundary. This "salt" is normally the realm and each component of the
+principal's name appended. However, sometimes different salts are used ---
+for example, when a realm is renamed, or if a user changes her username, or
+for compatibility with Kerberos V4 (whose string-to-key algorithm uses a
+null string for the salt). This string is then fan-folded and
+eXclusive-ORed with itself to form an 8 byte DES key. Before
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+eXclusive-ORing a block, every byte is shifted one bit to the left to leave
+the lowest bit zero. The key is the "corrected" by correcting the parity on
+the key, and if the key matches a 'weak' or 'semi-weak' key as described in
+the DES specification, it is eXclusive-ORed with the constant
+00000000000000F0. This key is then used to generate a DES CBC checksum on
+the initial string (with the salt appended). The result of the CBC checksum
+is the "corrected" as described above to form the result which is return as
+the key. Pseudocode follows:
+
+     name_to_default_salt(realm, name) {
+          s = realm
+          for(each component in name) {
+               s = s + component;
+          }
+          return s;
+     }
+
+     key_correction(key) {
+          fixparity(key);
+          if (is_weak_key_key(key))
+               key = key XOR 0xF0;
+          return(key);
+     }
+
+     string_to_key(string,salt) {
+
+          odd = 1;
+          s = string + salt;
+          tempkey = NULL;
+          pad(s); /* with nulls to 8 byte boundary */
+          for(8byteblock in s) {
+               if(odd == 0)  {
+                   odd = 1;
+                   reverse(8byteblock)
+               }
+               else odd = 0;
+               left shift every byte in 8byteblock one bit;
+               tempkey = tempkey XOR 8byteblock;
+          }
+          tempkey = key_correction(tempkey);
+          key = key_correction(DES-CBC-check(s,tempkey));
+          return(key);
+     }
+
+6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with Key
+Derivation [Horowitz]
+
+NOTE: This description currently refers to documents, the contents of which
+might be bettered included by value in this spec. The description below was
+provided by Marc Horowitz, and the form in which it will finally appear is
+yet to be determined. This description is included in this version of the
+draft because it does describe the implemenation ready for use with the MIT
+implementation. Note also that the encryption identifier has been left
+unspecified here because the value from Marc Horowitz's spec conflicted
+with some other impmenentations implemented based on perevious versions of
+the specification.
+
+This encryption type is based on the Triple DES cryptosystem, the HMAC-SHA1
+[Krawczyk96] message authentication algorithm, and key derivation for
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+Kerberos V5 [HorowitzB96].
+
+The des3-cbc-hmac-sha1 encryption type has been assigned the value ??. The
+hmac-sha1-des3 checksum type has been assigned the value 12.
+
+Encryption Type des3-cbc-hmac-sha1
+
+EncryptedData using this type must be generated as described in
+[Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode. The
+keyed hash algorithm is HMAC-SHA1. Unless otherwise specified, a zero IV
+must be used. If the length of the input data is not a multiple of the
+block size, zero octets must be used to pad the plaintext to the next
+eight-octet boundary. The counfounder must be eight random octets (one
+block).
+
+Checksum Type hmac-sha1-des3
+
+Checksums using this type must be generated as described in [Horowitz96].
+The keyed hash algorithm is HMAC-SHA1.
+
+Common Requirements
+
+The EncryptionKey value is 24 octets long. The 7 most significant bits of
+each octet contain key bits, and the least significant bit is the inverse
+of the xor of the key bits.
+
+For the purposes of key derivation, the block size is 64 bits, and the key
+size is 168 bits. The 168 bits output by key derivation are converted to an
+EncryptionKey value as follows. First, the 168 bits are divided into three
+groups of 56 bits, which are expanded individually into 64 bits as follows:
+
+ 1  2  3  4  5  6  7  p
+ 9 10 11 12 13 14 15  p
+17 18 19 20 21 22 23  p
+25 26 27 28 29 30 31  p
+33 34 35 36 37 38 39  p
+41 42 43 44 45 46 47  p
+49 50 51 52 53 54 55  p
+56 48 40 32 24 16  8  p
+
+The "p" bits are parity bits computed over the data bits. The output of the
+three expansions are concatenated to form the EncryptionKey value.
+
+When the HMAC-SHA1 of a string is computed, the key is used in the
+EncryptedKey form.
+
+Key Derivation
+
+In the Kerberos protocol, cryptographic keys are used in a number of
+places. In order to minimize the effect of compromising a key, it is
+desirable to use a different key for each of these places. Key derivation
+[Horowitz96] can be used to construct different keys for each operation
+from the keys transported on the network. For this to be possible, a small
+change to the specification is necessary.
+
+This section specifies a profile for the use of key derivation [Horowitz96]
+with Kerberos. For each place where a key is used, a ``key usage'' must is
+specified for that purpose. The key, key usage, and encryption/checksum
+type together describe the transformation from plaintext to ciphertext, or
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+plaintext to checksum.
+
+Key Usage Values
+
+This is a complete list of places keys are used in the kerberos protocol,
+with key usage values and RFC 1510 section numbers:
+
+ 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+    client key (section 5.4.1)
+ 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+    application session key), encrypted with the service key
+    (section 5.4.2)
+ 3. AS-REP encrypted part (includes tgs session key or application
+    session key), encrypted with the client key (section 5.4.2)
+ 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+    session key (section 5.4.1)
+ 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+    authenticator subkey (section 5.4.1)
+ 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+    with the tgs session key (sections 5.3.2, 5.4.1)
+ 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+    authenticator subkey), encrypted with the tgs session key
+    (section 5.3.2)
+ 8. TGS-REP encrypted part (includes application session key),
+    encrypted with the tgs session key (section 5.4.2)
+ 9. TGS-REP encrypted part (includes application session key),
+    encrypted with the tgs authenticator subkey (section 5.4.2)
+10. AP-REQ Authenticator cksum, keyed with the application session
+    key (section 5.3.2)
+11. AP-REQ Authenticator (includes application authenticator
+    subkey), encrypted with the application session key (section
+    5.3.2)
+12. AP-REP encrypted part (includes application session subkey),
+    encrypted with the application session key (section 5.5.2)
+13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+    application (section 5.7.1)
+14. KRB-CRED encrypted part, encrypted with a key chosen by the
+    application (section 5.6.1)
+15. KRB-SAVE cksum, keyed with a key chosen by the application
+    (section 5.8.1)
+18. KRB-ERROR checksum (e-cksum in section 5.9.1)
+19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
+20. Checksum for Mandatory Ticket Extensions (appendix B.6)
+21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
+
+Key usage values between 1024 and 2047 (inclusive) are reserved for
+application use. Applications should use even values for encryption and odd
+values for checksums within this range.
+
+A few of these key usages need a little clarification. A service which
+receives an AP-REQ has no way to know if the enclosed Ticket was part of an
+AS-REP or TGS-REP. Therefore, key usage 2 must always be used for
+generating a Ticket, whether it is in response to an AS- REQ or TGS-REQ.
+
+There might exist other documents which define protocols in terms of the
+RFC1510 encryption types or checksum types. Such documents would not know
+about key usages. In order that these documents continue to be meaningful
+until they are updated, key usages 1024 and 1025 must be used to derive
+keys for encryption and checksums, respectively. New protocols defined in
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+terms of the Kerberos encryption and checksum types should use their own
+key usages. Key usages may be registered with IANA to avoid conflicts. Key
+usages must be unsigned 32 bit integers. Zero is not permitted.
+
+Defining Cryptosystems Using Key Derivation
+
+Kerberos requires that the ciphertext component of EncryptedData be
+tamper-resistant as well as confidential. This implies encryption and
+integrity functions, which must each use their own separate keys. So, for
+each key usage, two keys must be generated, one for encryption (Ke), and
+one for integrity (Ki):
+
+      Ke = DK(protocol key, key usage | 0xAA)
+      Ki = DK(protocol key, key usage | 0x55)
+
+where the protocol key is from the EncryptionKey from the wire protocol,
+and the key usage is represented as a 32 bit integer in network byte order.
+The ciphertest must be generated from the plaintext as follows:
+
+   ciphertext = E(Ke, confounder | plaintext | padding) |
+                H(Ki, confounder | plaintext | padding)
+
+The confounder and padding are specific to the encryption algorithm E.
+
+When generating a checksum only, there is no need for a confounder or
+padding. Again, a new key (Kc) must be used. Checksums must be generated
+from the plaintext as follows:
+
+      Kc = DK(protocol key, key usage | 0x99)
+
+      MAC = H(Kc, plaintext)
+
+Note that each enctype is described by an encryption algorithm E and a
+keyed hash algorithm H, and each checksum type is described by a keyed hash
+algorithm H. HMAC, with an appropriate hash, is recommended for use as H.
+
+Key Derivation from Passwords
+
+The well-known constant for password key derivation must be the byte string
+{0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values correspond to the
+ASCII encoding for the string "kerberos".
+
+6.4. Checksums
+
+The following is the ASN.1 definition used for a checksum:
+
+         Checksum ::=   SEQUENCE {
+                        cksumtype[0]   INTEGER,
+                        checksum[1]    OCTET STRING
+         }
+
+cksumtype
+     This field indicates the algorithm used to generate the accompanying
+     checksum.
+checksum
+     This field contains the checksum itself, encoded as an octet string.
+
+Detailed specification of selected checksum types appear later in this
+section. Negative values for the checksum type are reserved for local use.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+All non-negative values are reserved for officially assigned type fields
+and interpretations.
+
+Checksums used by Kerberos can be classified by two properties: whether
+they are collision-proof, and whether they are keyed. It is infeasible to
+find two plaintexts which generate the same checksum value for a
+collision-proof checksum. A key is required to perturb or initialize the
+algorithm in a keyed checksum. To prevent message-stream modification by an
+active attacker, unkeyed checksums should only be used when the checksum
+and message will be subsequently encrypted (e.g. the checksums defined as
+part of the encryption algorithms covered earlier in this section).
+
+Collision-proof checksums can be made tamper-proof if the checksum value is
+encrypted before inclusion in a message. In such cases, the composition of
+the checksum and the encryption algorithm must be considered a separate
+checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum
+algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for
+the encrypted forms of unkeyed collision-proof checksums, Kerberos prepends
+a confounder before the checksum is calculated.
+
+6.4.1. The CRC-32 Checksum (crc32)
+
+The CRC-32 checksum calculates a checksum based on a cyclic redundancy
+check as described in ISO 3309 [ISO3309]. The resulting checksum is four
+(4) octets in length. The CRC-32 is neither keyed nor collision-proof. The
+use of this checksum is not recommended. An attacker using a probabilistic
+chosen-plaintext attack as described in [SG92] might be able to generate an
+alternative message that satisfies the checksum. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat.
+
+6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
+[MD4-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed
+to be collision-proof.
+
+6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
+
+The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD4
+checksum algorithm, and encrypting the confounder and the checksum using
+DES in cipher-block-chaining (CBC) mode using a variant of the key, where
+the variant is computed by eXclusive-ORing the key with the constant
+F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero. The
+resulting checksum is 24 octets long (8 octets of which are redundant).
+This checksum is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some weak keys' and 'semi-weak keys'; those
+keys shall not be used for generating RSA-MD4 checksums for use in
+Kerberos.
+
+The format for the checksum is described in the follow- ing diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm.
+[MD5-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed
+to be collision-proof.
+
+6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
+
+The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD5
+checksum algorithm, and encrypting the confounder and the checksum using
+DES in cipher-block-chaining (CBC) mode using a variant of the key, where
+the variant is computed by eXclusive-ORing the key with the hexadecimal
+constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The
+resulting checksum is 24 octets long (8 octets of which are redundant).
+This checksum is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some 'weak keys' and 'semi-weak keys';
+those keys shall not be used for encrypting RSA-MD5 checksums for use in
+Kerberos.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.6. DES cipher-block chained checksum (des-mac)
+
+The DES-MAC checksum is computed by prepending an 8 octet confounder to the
+plaintext, performing a DES CBC-mode encryption on the result using the key
+and an initialization vector of zero, taking the last block of the
+ciphertext, prepending the same confounder and encrypting the pair using
+DES in cipher-block-chaining (CBC) mode using a a variant of the key, where
+the variant is computed by eXclusive-ORing the key with the hexadecimal
+constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The
+resulting checksum is 128 bits (16 octets) long, 64 bits of which are
+redundant. This checksum is tamper-proof and collision-proof.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+|   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                       confounder[0]   UNTAGGED OCTET STRING(8),
+                       check[1]        UNTAGGED OCTET STRING(8)
+}
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those
+keys shall not be used for generating DES-MAC checksums for use in
+Kerberos, nor shall a key be used whose variant is 'weak' or 'semi-weak'.
+
+6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k)
+
+The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by
+applying the RSA MD4 checksum algorithm and encrypting the results using
+DES in cipher-block-chaining (CBC) mode using a DES key as both key and
+initialization vector. The resulting checksum is 16 octets long. This
+checksum is tamper-proof and believed to be collision-proof. Note that this
+checksum type is the old method for encoding the RSA-MD4-DES checksum and
+it is no longer recommended.
+
+6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
+
+The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption
+of the plaintext, and using the last block of the ciphertext as the
+checksum value. It is keyed with an encryption key and an initialization
+vector; any uses which do not specify an additional initialization vector
+will use the key as both key and initialization vector. The resulting
+checksum is 64 bits (8 octets) long. This checksum is tamper-proof and
+collision-proof. Note that this checksum type is the old method for
+encoding the DES-MAC checksum and it is no longer recommended. The DES
+specifications identify some 'weak keys' and 'semi-weak keys'; those keys
+shall not be used for generating DES-MAC checksums for use in Kerberos.
+
+7. Naming Constraints
+
+7.1. Realm Names
+
+Although realm names are encoded as GeneralStrings and although a realm can
+technically select any name it chooses, interoperability across realm
+boundaries requires agreement on how realm names are to be assigned, and
+what information they imply.
+
+To enforce these conventions, each realm must conform to the conventions
+itself, and it must require that any realms with which inter-realm keys are
+shared also conform to the conventions and require the same from its
+neighbors.
+
+Kerberos realm names are case sensitive. Realm names that differ only in
+the case of the characters are not equivalent. There are presently four
+styles of realm names: domain, X500, other, and reserved. Examples of each
+style follow:
+
+     domain:   ATHENA.MIT.EDU (example)
+       X500:   C=US/O=OSF (example)
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+      other:   NAMETYPE:rest/of.name=without-restrictions (example)
+   reserved:   reserved, but will not conflict with above
+
+Domain names must look like domain names: they consist of components
+separated by periods (.) and they contain neither colons (:) nor slashes
+(/). Domain names must be converted to upper case when used as realm names.
+
+X.500 names contain an equal (=) and cannot contain a colon (:) before the
+equal. The realm names for X.500 names will be string representations of
+the names with components separated by slashes. Leading and trailing
+slashes will not be included.
+
+Names that fall into the other category must begin with a prefix that
+contains no equal (=) or period (.) and the prefix must be followed by a
+colon (:) and the rest of the name. All prefixes must be assigned before
+they may be used. Presently none are assigned.
+
+The reserved category includes strings which do not fall into the first
+three categories. All names in this category are reserved. It is unlikely
+that names will be assigned to this category unless there is a very strong
+argument for not using the 'other' category.
+
+These rules guarantee that there will be no conflicts between the various
+name styles. The following additional constraints apply to the assignment
+of realm names in the domain and X.500 categories: the name of a realm for
+the domain or X.500 formats must either be used by the organization owning
+(to whom it was assigned) an Internet domain name or X.500 name, or in the
+case that no such names are registered, authority to use a realm name may
+be derived from the authority of the parent realm. For example, if there is
+no domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm
+can authorize the creation of a realm with that name.
+
+This is acceptable because the organization to which the parent is assigned
+is presumably the organization authorized to assign names to its children
+in the X.500 and domain name systems as well. If the parent assigns a realm
+name without also registering it in the domain name or X.500 hierarchy, it
+is the parent's responsibility to make sure that there will not in the
+future exists a name identical to the realm name of the child unless it is
+assigned to the same entity as the realm name.
+
+7.2. Principal Names
+
+As was the case for realm names, conventions are needed to ensure that all
+agree on what information is implied by a principal name. The name-type
+field that is part of the principal name indicates the kind of information
+implied by the name. The name-type should be treated as a hint. Ignoring
+the name type, no two names can be the same (i.e. at least one of the
+components, or the realm, must be different). The following name types are
+defined:
+
+  name-type      value   meaning
+
+   NT-UNKNOWN        0   Name type not known
+   NT-PRINCIPAL      1   General principal name (e.g. username, or DCE
+principal)
+   NT-SRV-INST       2   Service and other unique instance (krbtgt)
+   NT-SRV-HST        3   Service with host name as instance (telnet,
+rcommands)
+   NT-SRV-XHST       4   Service with slash-separated host name components
+   NT-UID            5   Unique ID
+   NT-X500-PRINCIPAL 6   Encoded X.509 Distingished name [RFC 1779]
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+When a name implies no information other than its uniqueness at a
+particular time the name type PRINCIPAL should be used. The principal name
+type should be used for users, and it might also be used for a unique
+server. If the name is a unique machine generated ID that is guaranteed
+never to be reassigned then the name type of UID should be used (note that
+it is generally a bad idea to reassign names of any type since stale
+entries might remain in access control lists).
+
+If the first component of a name identifies a service and the remaining
+components identify an instance of the service in a server specified
+manner, then the name type of SRV-INST should be used. An example of this
+name type is the Kerberos ticket-granting service whose name has a first
+component of krbtgt and a second component identifying the realm for which
+the ticket is valid.
+
+If instance is a single component following the service name and the
+instance identifies the host on which the server is running, then the name
+type SRV-HST should be used. This type is typically used for Internet
+services such as telnet and the Berkeley R commands. If the separate
+components of the host name appear as successive components following the
+name of the service, then the name type SRV-XHST should be used. This type
+might be used to identify servers on hosts with X.500 names where the slash
+(/) might otherwise be ambiguous.
+
+A name type of NT-X500-PRINCIPAL should be used when a name from an X.509
+certificiate is translated into a Kerberos name. The encoding of the X.509
+name as a Kerberos principal shall conform to the encoding rules specified
+in RFC 2253.
+
+A name type of UNKNOWN should be used when the form of the name is not
+known. When comparing names, a name of type UNKNOWN will match principals
+authenticated with names of any type. A principal authenticated with a name
+of type UNKNOWN, however, will only match other names of type UNKNOWN.
+
+Names of any type with an initial component of 'krbtgt' are reserved for
+the Kerberos ticket granting service. See section 8.2.3 for the form of
+such names.
+
+7.2.1. Name of server principals
+
+The principal identifier for a server on a host will generally be composed
+of two parts: (1) the realm of the KDC with which the server is registered,
+and (2) a two-component name of type NT-SRV-HST if the host name is an
+Internet domain name or a multi-component name of type NT-SRV-XHST if the
+name of the host is of a form such as X.500 that allows slash (/)
+separators. The first component of the two- or multi-component name will
+identify the service and the latter components will identify the host.
+Where the name of the host is not case sensitive (for example, with
+Internet domain names) the name of the host must be lower case. If
+specified by the application protocol for services such as telnet and the
+Berkeley R commands which run with system privileges, the first component
+may be the string 'host' instead of a service specific identifier. When a
+host has an official name and one or more aliases, the official name of the
+host must be used when constructing the name of the server principal.
+
+8. Constants and other defined values
+
+8.1. Host address types
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+All negative values for the host address type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields
+and interpretations.
+
+The values of the types for the following addresses are chosen to match the
+defined address family constants in the Berkeley Standard Distributions of
+Unix. They can be found in with symbolic names AF_xxx (where xxx is an
+abbreviation of the address family name).
+
+Internet (IPv4) Addresses
+
+Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB
+order. The type of IPv4 addresses is two (2).
+
+Internet (IPv6) Addresses [Westerlund]
+
+IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The
+type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The
+following addresses (see [RFC1884]) MUST not appear in any Kerberos packet:
+
+   * the Unspecified Address
+   * the Loopback Address
+   * Link-Local addresses
+
+IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+CHAOSnet addresses
+
+CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order.
+The type of CHAOSnet addresses is five (5).
+
+ISO addresses
+
+ISO addresses are variable-length. The type of ISO addresses is seven (7).
+
+Xerox Network Services (XNS) addresses
+
+XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The
+type of XNS addresses is six (6).
+
+AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit
+network number. The first octet of the address is the node number; the
+remaining two octets encode the network number in MSB order. The type of
+AppleTalk DDP addresses is sixteen (16).
+
+DECnet Phase IV addresses
+
+DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. The
+type of DECnet Phase IV addresses is twelve (12).
+
+Netbios addresses
+
+Netbios addresses are 16-octet addresses typically composed of 1 to 15
+characters, trailing blank (ascii char 20) filled, with a 16th octet of
+0x0. The type of Netbios addresses is 20 (0x14).
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+8.2. KDC messages
+
+8.2.1. UDP/IP transport
+
+When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP
+IP transport, the client shall send a UDP datagram containing only an
+encoding of the request to port 88 (decimal) at the KDC's IP address; the
+KDC will respond with a reply datagram containing only an encoding of the
+reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at
+the sender's IP address. Kerberos servers supporting IP transport must
+accept UDP requests on port 88 (decimal). The response to a request made
+through UDP/IP transport must also use UDP/IP transport.
+
+8.2.2. TCP/IP transport [Westerlund,Danielsson]
+
+Kerberos servers (KDC's) should accept TCP requests on port 88 (decimal)
+and clients should support the sending of TCP requests on port 88
+(decimal). When the KRB_KDC_REQ message is sent to the KDC over a TCP
+stream, a new connection will be established for each authentication
+exchange (request and response). The KRB_KDC_REP or KRB_ERROR message will
+be returned to the client on the same TCP stream that was established for
+the request. The response to a request made through TCP/IP transport must
+also use TCP/IP transport. Implementors should note that some extentions to
+the Kerberos protocol will not work if any implementation not supporting
+the TCP transport is involved (client or KDC). Implementors are strongly
+urged to support the TCP transport on both the client and server and are
+advised that the current notation of "should" support will likely change in
+the future to must support. The KDC may close the TCP stream after sending
+a response, but may leave the stream open if it expects a followup - in
+which case it may close the stream at any time if resource constratints or
+other factors make it desirable to do so. Care must be taken in managing
+TCP/IP connections with the KDC to prevent denial of service attacks based
+on the number of TCP/IP connections with the KDC that remain open. If
+multiple exchanges with the KDC are needed for certain forms of
+preauthentication, multiple TCP connections may be required. A client may
+close the stream after receiving response, and should close the stream if
+it does not expect to send followup messages. The client must be prepared
+to have the stream closed by the KDC at anytime, in which case it must
+simply connect again when it is ready to send subsequent messages.
+
+The first four octets of the TCP stream used to transmit the request
+request will encode in network byte order the length of the request
+(KRB_KDC_REQ), and the length will be followed by the request itself. The
+response will similarly be preceeded by a 4 octet encoding in network byte
+order of the length of the KRB_KDC_REP or the KRB_ERROR message and will be
+followed by the KRB_KDC_REP or the KRB_ERROR response. If the sign bit is
+set on integer represented by the first 4 octets, then the next 4 octets
+will be read, extending the length of the field by another 4 octets (less 1
+bit).
+
+8.2.3. OSI transport
+
+During authentication of an OSI client to an OSI server, the mutual
+authentication of an OSI server to an OSI client, the transfer of
+credentials from an OSI client to an OSI server, or during exchange of
+private or integrity checked messages, Kerberos protocol messages may be
+treated as opaque objects and the type of the authentication mechanism will
+be:
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1),
+security(5),kerberosv5(2)}
+
+Depending on the situation, the opaque object will be an authentication
+header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message
+(KRB_SAFE), a private message (KRB_PRIV), or a credentials message
+(KRB_CRED). The opaque data contains an application code as specified in
+the ASN.1 description for each message. The application code may be used by
+Kerberos to determine the message type.
+
+8.2.3. Name of the TGS
+
+The principal identifier of the ticket-granting service shall be composed
+of three parts: (1) the realm of the KDC issuing the TGS ticket (2) a
+two-part name of type NT-SRV-INST, with the first part "krbtgt" and the
+second part the name of the realm which will accept the ticket-granting
+ticket. For example, a ticket-granting ticket issued by the ATHENA.MIT.EDU
+realm to be used to get tickets from the ATHENA.MIT.EDU KDC has a principal
+identifier of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU")
+(name). A ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be
+used to get tickets from the MIT.EDU realm has a principal identifier of
+"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name).
+
+8.3. Protocol constants and associated values
+
+The following tables list constants used in the protocol and defines their
+meanings. Ranges are specified in the "specification" section that limit
+the values of constants for which values are defined here. This allows
+implementations to make assumptions about the maximum values that will be
+received for these constants. Implementation receiving values outside the
+range specified in the "specification" section may reject the request, but
+they must recover cleanly.
+
+Encryption type  etype value  block size    minimum pad size  confounder
+size
+NULL              0            1                 0                 0
+des-cbc-crc       1            8                 4                 8
+des-cbc-md4       2            8                 0                 8
+des-cbc-md5       3            8                 0                 8
+        4
+des3-cbc-md5      5            8                 0                 8
+        6
+des3-cbc-sha1     7            8                 0                 8
+sign-dsa-generate 8                                   (pkinit)
+encrypt-rsa-priv  9                                   (pkinit)
+encrypt-rsa-pub  10                                   (pkinit)
+rsa-pub-md5      11                                   (pkinit)
+rsa-pub-sha1     12                                   (pkinit)
+des3kd-cbc-sha1  ??            8                 0                 8
+ENCTYPE_PK_CROSS 48                                   (reserved for pkcross)
+       0x8003
+
+Checksum type              sumtype value       checksum size
+CRC32                      1                   4
+rsa-md4                    2                   16
+rsa-md4-des                3                   24
+des-mac                    4                   16
+des-mac-k                  5                   8
+rsa-md4-des-k              6                   16
+rsa-md5                    7                   16
+rsa-md5-des                8                   24
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+rsa-md5-des3               9                   24
+hmac-sha1-des3             12                  20  (I had this as 10, is it
+12)
+
+padata type                     padata-type value
+
+PA-TGS-REQ                      1
+PA-ENC-TIMESTAMP                2
+PA-PW-SALT                      3
+                      4
+PA-ENC-UNIX-TIME                5
+PA-SANDIA-SECUREID              6
+PA-SESAME                       7
+PA-OSF-DCE                      8
+PA-CYBERSAFE-SECUREID           9
+PA-AFS3-SALT                    10
+PA-ETYPE-INFO                   11
+SAM-CHALLENGE                   12                  (sam/otp)
+SAM-RESPONSE                    13                  (sam/otp)
+PA-PK-AS-REQ                    14                  (pkinit)
+PA-PK-AS-REP                    15                  (pkinit)
+PA-PK-AS-SIGN                   16                  (pkinit)
+PA-PK-KEY-REQ                   17                  (pkinit)
+PA-PK-KEY-REP                   18                  (pkinit)
+PA-USE-SPECIFIED-KVNO           20
+
+authorization data type         ad-type value
+AD-KDC-ISSUED                      1
+AD-INTENDED-FOR-SERVER             2
+AD-INTENDED-FOR-APPLICATION-CLASS  3
+AD-IF-RELEVANT                     4
+AD-OR                              5
+AD-MANDATORY-TICKET-EXTENSIONS     6
+AD-IN-TICKET-EXTENSIONS            7
+reserved values                    8-63
+OSF-DCE                            64
+SESAME                             65
+
+Ticket Extension Types
+
+TE-TYPE-NULL                  0      Null ticket extension
+TE-TYPE-EXTERNAL-ADATA        1      Integrity protected authorization data
+                    2      TE-TYPE-PKCROSS-KDC  (I have reservations)
+TE-TYPE-PKCROSS-CLIENT        3      PKCROSS cross realm key ticket
+TE-TYPE-CYBERSAFE-EXT         4      Assigned to CyberSafe Corp
+                    5      TE-TYPE-DEST-HOST (I have reservations)
+
+alternate authentication type   method-type value
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+transited encoding type         tr-type value
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+Label               Value   Meaning or MIT code
+
+pvno                    5   current Kerberos protocol version number
+
+message types
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+KRB_AS_REQ             10   Request for initial authentication
+KRB_AS_REP             11   Response to KRB_AS_REQ request
+KRB_TGS_REQ            12   Request for authentication based on TGT
+KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+KRB_AP_REQ             14   application request to server
+KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE               20   Safe (checksummed) application message
+KRB_PRIV               21   Private (encrypted) application message
+KRB_CRED               22   Private (encrypted) message to forward
+credentials
+KRB_ERROR              30   Error response
+
+name types
+
+KRB_NT_UNKNOWN        0  Name type not known
+KRB_NT_PRINCIPAL      1  Just the name of the principal as in DCE, or for
+users
+KRB_NT_SRV_INST       2  Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST        3  Service with host name as instance (telnet,
+rcommands)
+KRB_NT_SRV_XHST       4  Service with host as remaining components
+KRB_NT_UID            5  Unique ID
+KRB_NT_X500_PRINCIPAL 6  Encoded X.509 Distingished name [RFC 2253]
+
+error codes
+
+KDC_ERR_NONE                    0   No error
+KDC_ERR_NAME_EXP                1   Client's entry in database has expired
+KDC_ERR_SERVICE_EXP             2   Server's entry in database has expired
+KDC_ERR_BAD_PVNO                3   Requested protocol version number not
+supported
+KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in database
+KDC_ERR_NULL_KEY                9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID            11   Requested start time is later than end
+time
+KDC_ERR_POLICY                 12   KDC policy rejects request
+KDC_ERR_BADOPTION              13   KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption type
+KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been revoked
+KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED            23   Password has expired - change password
+to reset
+KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was
+invalid
+KDC_ERR_PREAUTH_REQUIRED       25   Additional pre-authenticationrequired
+[40]
+KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't match
+KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for user2user
+only
+KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field
+failed
+KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+KRB_AP_ERR_REPEAT              34   Request is a replay
+KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't match
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+KRB_AP_ERR_SKEW                37   Clock skew too great
+KRB_AP_ERR_BADADDR             38   Incorrect net address
+KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+KRB_AP_ERR_MODIFIED            41   Message stream modified
+KRB_AP_ERR_BADORDER            42   Message out of order
+KRB_AP_ERR_BADKEYVER           44   Specified version of key is not
+available
+KRB_AP_ERR_NOKEY               45   Service key not available
+KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+KRB_AP_ERR_METHOD              48   Alternative authentication method
+required
+KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in message
+KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in
+message
+KRB_AP_PATH_NOT_ACCEPTED       51   Policy rejects transited path
+KRB_ERR_RESPONSE_TOO_BIG       52   Response too big for UDP, retry with TCP
+KRB_ERR_GENERIC                60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG          61   Field is too long for this
+implementation
+KDC_ERROR_CLIENT_NOT_TRUSTED   62   (pkinit)
+KDC_ERROR_KDC_NOT_TRUSTED      63   (pkinit)
+KDC_ERROR_INVALID_SIG          64   (pkinit)
+KDC_ERR_KEY_TOO_WEAK           65   (pkinit)
+KDC_ERR_CERTIFICATE_MISMATCH   66   (pkinit)
+
+9. Interoperability requirements
+
+Version 5 of the Kerberos protocol supports a myriad of options. Among
+these are multiple encryption and checksum types, alternative encoding
+schemes for the transited field, optional mechanisms for
+pre-authentication, the handling of tickets with no addresses, options for
+mutual authentication, user to user authentication, support for proxies,
+forwarding, postdating, and renewing tickets, the format of realm names,
+and the handling of authorization data.
+
+In order to ensure the interoperability of realms, it is necessary to
+define a minimal configuration which must be supported by all
+implementations. This minimal configuration is subject to change as
+technology does. For example, if at some later date it is discovered that
+one of the required encryption or checksum algorithms is not secure, it
+will be replaced.
+
+9.1. Specification 2
+
+This section defines the second specification of these options.
+Implementations which are configured in this way can be said to support
+Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may
+be found in RFC1510.
+
+Transport
+
+TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance
+to specification 2. Kerberos clients claiming conformance to specification
+2 must support UDP/IP transport for messages with the KDC and should
+support TCP/IP transport.
+
+Encryption and checksum methods
+
+The following encryption and checksum mechanisms must be supported.
+Implementations may support other mechanisms as well, but the additional
+mechanisms may only be used when communicating with principals known to
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+also support them: This list is to be determined.
+
+Encryption: DES-CBC-MD5
+Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
+
+Realm Names
+
+All implementations must understand hierarchical realms in both the
+Internet Domain and the X.500 style. When a ticket granting ticket for an
+unknown realm is requested, the KDC must be able to determine the names of
+the intermediate realms between the KDCs realm and the requested realm.
+
+Transited field encoding
+
+DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
+Alternative encodings may be supported, but they may be used only when that
+encoding is supported by ALL intermediate realms.
+
+Pre-authentication methods
+
+The TGS-REQ method must be supported. The TGS-REQ method is not used on the
+initial request. The PA-ENC-TIMESTAMP method must be supported by clients
+but whether it is enabled by default may be determined on a realm by realm
+basis. If not used in the initial request and the error
+KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
+acceptable method, the client should retry the initial request using the
+PA-ENC-TIMESTAMP preauthentication method. Servers need not support the
+PA-ENC-TIMESTAMP method, but if not supported the server should ignore the
+presence of PA-ENC-TIMESTAMP pre-authentication in a request.
+
+Mutual authentication
+
+Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+Ticket addresses and flags
+
+All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
+contains no addresses, the KDC will return derivative tickets), but each
+realm may set its own policy for issuing such tickets, and each application
+server will set its own policy with respect to accepting them.
+
+Proxies and forwarded tickets must be supported. Individual realms and
+application servers can set their own policy on when such tickets will be
+accepted.
+
+All implementations must recognize renewable and postdated tickets, but
+need not actually implement them. If these options are not supported, the
+starttime and endtime in the ticket shall specify a ticket's entire useful
+life. When a postdated ticket is decoded by a server, all implementations
+shall make the presence of the postdated flag visible to the calling
+server.
+
+User-to-user authentication
+
+Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC
+option) must be provided by implementations, but individual realms may
+decide as a matter of policy to reject such requests on a per-principal or
+realm-wide basis.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+Authorization data
+
+Implementations must pass all authorization data subfields from
+ticket-granting tickets to any derivative tickets unless directed to
+suppress a subfield as part of the definition of that registered subfield
+type (it is never incorrect to pass on a subfield, and no registered
+subfield types presently specify suppression at the KDC).
+
+Implementations must make the contents of any authorization data subfields
+available to the server when a ticket is used. Implementations are not
+required to allow clients to specify the contents of the authorization data
+fields.
+
+Constant ranges
+
+All protocol constants are constrained to 32 bit (signed) values unless
+further constrained by the protocol definition. This limit is provided to
+allow implementations to make assumptions about the maximum values that
+will be received for these constants. Implementation receiving values
+outside this range may reject the request, but they must recover cleanly.
+
+9.2. Recommended KDC values
+
+Following is a list of recommended values for a KDC implementation, based
+on the list of suggested configuration constants (see section 4.4).
+
+minimum lifetime              5 minutes
+maximum renewable lifetime    1 week
+maximum ticket lifetime       1 day
+empty addresses               only when suitable  restrictions  appear
+                              in authorization data
+proxiable, etc.               Allowed.
+
+10. REFERENCES
+
+[NT94]    B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+          cation  Service for Computer Networks," IEEE Communica-
+          tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+[MNSS87]  S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+          Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+          Authorization System, M.I.T. Project Athena, Cambridge,
+          Massachusetts (December 21, 1987).
+
+[SNS88]   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+          beros:  An Authentication Service for Open Network Sys-
+          tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+          Dallas, Texas (February, 1988).
+
+[NS78]    Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+          Encryption for Authentication in Large Networks of Com-
+          puters,"  Communications  of  the  ACM,  Vol.   21(12),
+          pp. 993-999 (December, 1978).
+
+[DS81]    Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+          stamps  in  Key Distribution Protocols," Communications
+          of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+[KNT92]   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+          "The Evolution of the Kerberos Authentication Service,"
+          in an IEEE Computer Society Text soon to  be  published
+          (June 1992).
+
+[Neu93]   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+          Accounting  for Distributed Systems," in Proceedings of
+          the 13th International Conference on  Distributed  Com-
+          puting Systems, Pittsburgh, PA (May, 1993).
+
+[DS90]    Don Davis and Ralph Swick,  "Workstation  Services  and
+          Kerberos  Authentication  at Project Athena," Technical
+          Memorandum TM-424,  MIT Laboratory for Computer Science
+          (February 1990).
+
+[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+          merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+          ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+          sachusetts (1987).
+
+[X509-88] CCITT, Recommendation X.509: The Directory  Authentica-
+          tion Framework, December 1988.
+
+[Pat92].  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+          Guessing  Attacks, Open Software Foundation DCE Request
+          for Comments 26 (December 1992).
+
+[DES77]   National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "Data Encryption Standard," Federal Information
+          Processing Standards Publication  46,   Washington,  DC
+          (1977).
+
+[DESM80]  National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "DES  Modes  of Operation," Federal Information
+          Processing Standards Publication 81,   Springfield,  VA
+          (December 1980).
+
+[SG92]    Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+          Integrity  in  Cryptographic Protocols," in Proceedings
+          of the IEEE  Symposium  on  Research  in  Security  and
+          Privacy, Oakland, California (May 1992).
+
+[IS3309]  International Organization  for  Standardization,  "ISO
+          Information  Processing  Systems - Data Communication -
+          High-Level Data Link Control Procedure -  Frame  Struc-
+          ture," IS 3309 (October 1984).  3rd Edition.
+
+[MD4-92]  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+          1320,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+[MD5-92]  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+          1321,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+[KBC96]   H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+          Hashing  for  Message  Authentication,"  Working  Draft
+          draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+[Horowitz96] Horowitz, M., "Key Derivation for Authentication,
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+          Integrity, and Privacy", draft-horowitz-key-derivation-02.txt,
+          August 1998.
+
+[HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft-
+          horowitz-kerb-key-derivation-01.txt, September 1998.
+
+[Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC:
+          Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac-
+          md5-01.txt, August, 1996.
+
+A. Pseudo-code for protocol processing
+
+This appendix provides pseudo-code describing how the messages are to be
+constructed and interpreted by clients and servers.
+
+A.1. KRB_AS_REQ generation
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_AS_REQ */
+
+        if(pa_enc_timestamp_required) then
+                request.padata.padata-type = PA-ENC-TIMESTAMP;
+                get system_time;
+                padata-body.patimestamp,pausec = system_time;
+                encrypt padata-body into request.padata.padata-value
+                        using client.key; /* derived from password */
+        endif
+
+        body.kdc-options := users's preferences;
+        body.cname := user's name;
+        body.realm := user's realm;
+        body.sname := service's name; /* usually "krbtgt",  "localrealm" */
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+        omit body.enc-authorization-data;
+        request.req-body := body;
+
+        kerberos := lookup(name of local kerberos server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+A.2. KRB_AS_REQ verification and KRB_AS_REP generation
+
+        decode message into req;
+
+        client := lookup(req.cname,req.realm);
+        server := lookup(req.sname,req.realm);
+
+        get system_time;
+        kdc_time := system_time.seconds;
+
+        if (!client) then
+                /* no client in Database */
+                error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+        endif
+        if (!server) then
+                /* no server in Database */
+                error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        endif
+
+        if(client.pa_enc_timestamp_required and
+           pa_enc_timestamp not present) then
+                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+        endif
+
+        if(pa_enc_timestamp present) then
+                decrypt req.padata-value into decrypted_enc_timestamp
+                        using client.key;
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                if(decrypted_enc_timestamp is not within allowable skew)
+then
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                if(decrypted_enc_timestamp and usec is replay)
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                add decrypted_enc_timestamp and usec to replay cache;
+        endif
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := req.srealm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        if (req.kdc-options.FORWARDABLE is set) then
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.PROXIABLE is set) then
+                set new_tkt.flags.PROXIABLE;
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if ((req.kdc-options.RENEW is set) or
+            (req.kdc-options.VALIDATE is set) or
+            (req.kdc-options.PROXY is set) or
+            (req.kdc-options.FORWARDED is set) or
+            (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.session := random_session_key();
+        new_tkt.cname := req.cname;
+        new_tkt.crealm := req.crealm;
+        new_tkt.transited := empty_transited_field();
+
+        new_tkt.authtime := kdc_time;
+
+        if (req.kdc-options.POSTDATED is set) then
+           if (against_postdate_policy(req.from)) then
+                error_out(KDC_ERR_POLICY);
+           endif
+           set new_tkt.flags.POSTDATED;
+           set new_tkt.flags.INVALID;
+           new_tkt.starttime := req.from;
+        else
+           omit new_tkt.starttime; /* treated as authtime when omitted */
+        endif
+        if (req.till = 0) then
+                till := infinity;
+        else
+                till := req.till;
+        endif
+
+        new_tkt.endtime := min(till,
+                              new_tkt.starttime+client.max_life,
+                              new_tkt.starttime+server.max_life,
+                              new_tkt.starttime+max_life_for_realm);
+
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (new_tkt.endtime < req.till)) then
+                /* we set the RENEWABLE option for later processing */
+                set req.kdc-options.RENEWABLE;
+                req.rtime := req.till;
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if (req.kdc-options.RENEWABLE is set) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+
+new_tkt.starttime+client.max_rlife,
+
+new_tkt.starttime+server.max_rlife,
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+new_tkt.starttime+max_rlife_for_realm);
+        else
+                omit new_tkt.renew-till; /* only present if RENEWABLE */
+        endif
+
+        if (req.addresses) then
+                new_tkt.caddr := req.addresses;
+        else
+                omit new_tkt.caddr;
+        endif
+
+        new_tkt.authorization_data := empty_authorization_data();
+
+        encode to-be-encrypted part of ticket into OCTET STRING;
+        new_tkt.enc-part := encrypt OCTET STRING
+                using etype_for_key(server.key), server.key, server.p_kvno;
+
+        /* Start processing the response */
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_AS_REP;
+        resp.cname := req.cname;
+        resp.crealm := req.realm;
+        resp.ticket := new_tkt;
+
+        resp.key := new_tkt.session;
+        resp.last-req := fetch_last_request_info(client);
+        resp.nonce := req.nonce;
+        resp.key-expiration := client.expiration;
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        resp.realm := new_tkt.realm;
+        resp.sname := new_tkt.sname;
+
+        resp.caddr := new_tkt.caddr;
+
+        encode body of reply into OCTET STRING;
+
+        resp.enc-part := encrypt OCTET STRING
+                         using use_etype, client.key, client.p_kvno;
+        send(resp);
+
+A.3. KRB_AS_REP verification
+
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
+                        set pa_enc_timestamp_required;
+                        goto KRB_AS_REQ;
+                endif
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key */
+        /* from the response immediately */
+
+        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                 resp.padata);
+        unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and key;
+        zero(key);
+
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        if near(resp.princ_exp) then
+                print(warning message);
+        endif
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.4. KRB_AS_REP and KRB_TGS_REP common checks
+
+        if (decryption_error() or
+            (req.cname != resp.cname) or
+            (req.realm != resp.crealm) or
+            (req.sname != resp.sname) or
+            (req.realm != resp.realm) or
+            (req.nonce != resp.nonce) or
+            (req.addresses != resp.caddr)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        /* make sure no flags are set that shouldn't be, and that all that
+*/
+        /* should be are set
+*/
+        if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.from = 0) and
+            (resp.starttime is not within allowable skew)) then
+                destroy resp.key;
+                return KRB_AP_ERR_SKEW;
+        endif
+        if ((req.from != 0) and (req.from != resp.starttime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.till != 0) and (resp.endtime > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (resp.flags.RENEWABLE) and
+            (req.till != 0) and
+            (resp.renew-till > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+A.5. KRB_TGS_REQ generation
+
+        /* Note that make_application_request might have to recursivly
+*/
+        /* call this routine to get the appropriate ticket-granting ticket
+*/
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+        body.kdc-options := users's preferences;
+        /* If the TGT is not for the realm of the end-server  */
+        /* then the sname will be for a TGT for the end-realm */
+        /* and the realm of the requested ticket (body.realm) */
+        /* will be that of the TGS to which the TGT we are    */
+        /* sending applies                                    */
+        body.sname := service's name;
+        body.realm := service's realm;
+
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+
+        body.enc-authorization-data := user-supplied data;
+        if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                body.additional-tickets_ticket := second TGT;
+        endif
+
+        request.req-body := body;
+        check := generate_checksum (req.body,checksumtype);
+
+        request.padata[0].padata-type := PA-TGS-REQ;
+        request.padata[0].padata-value := create a KRB_AP_REQ using
+                                      the TGT and checksum
+
+        /* add in any other padata as required/supplied */
+        kerberos := lookup(name of local kerberose server (or servers));
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
+
+        /* note that reading the application request requires first
+        determining the server for which a ticket was issued, and choosing
+the
+        correct key for decryption.  The name of the server appears in the
+        plaintext part of the ticket. */
+
+        if (no KRB_AP_REQ in req.padata) then
+                error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+        endif
+        verify KRB_AP_REQ in req.padata;
+
+        /* Note that the realm in which the Kerberos server is operating is
+        determined by the instance from the ticket-granting ticket.  The
+realm
+        in the ticket-granting ticket is the realm under which the ticket
+        granting ticket was issued.  It is possible for a single Kerberos
+        server to support more than one realm. */
+
+        auth_hdr := KRB_AP_REQ;
+        tgt := auth_hdr.ticket;
+
+        if (tgt.sname is not a TGT for local realm and is not req.sname)
+then
+                error_out(KRB_AP_ERR_NOT_US);
+
+        realm := realm_tgt_is_for(tgt);
+
+        decode remainder of request;
+
+        if (auth_hdr.authenticator.cksum is missing) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        if (auth_hdr.authenticator.cksum type is not supported) then
+                error_out(KDC_ERR_SUMTYPE_NOSUPP);
+        endif
+        if (auth_hdr.authenticator.cksum is not both collision-proof and
+keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        set computed_checksum := checksum(req);
+        if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        server := lookup(req.sname,realm);
+
+        if (!server) then
+                if (is_foreign_tgt_name(req.sname)) then
+                        server := best_intermediate_tgs(req.sname);
+                else
+                        /* no server in Database */
+                        error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                endif
+        endif
+
+        session := generate_random_session_key();
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := realm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        new_tkt.caddr := tgt.caddr;
+        resp.caddr := NULL; /* We only include this if they change */
+        if (req.kdc-options.FORWARDABLE is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.FORWARDED is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDED;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+        if (tgt.flags.FORWARDED is set) then
+                set new_tkt.flags.FORWARDED;
+        endif
+
+        if (req.kdc-options.PROXIABLE is set) then
+                if (tgt.flags.PROXIABLE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.PROXY is set) then
+                if (tgt.flags.PROXIABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXY;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                if (tgt.flags.MAY-POSTDATE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if (req.kdc-options.POSTDATED is set) then
+                if (tgt.flags.MAY-POSTDATE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                if (against_postdate_policy(req.from)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                new_tkt.starttime := req.from;
+        endif
+
+        if (req.kdc-options.VALIDATE is set) then
+                if (tgt.flags.INVALID is reset) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                if (tgt.starttime > kdc_time) then
+                        error_out(KRB_AP_ERR_NYV);
+                endif
+                if (check_hot_list(tgt)) then
+                        error_out(KRB_AP_ERR_REPEAT);
+                endif
+                tkt := tgt;
+                reset new_tkt.flags.INVALID;
+        endif
+
+        if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                             and those already processed) is set) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.authtime := tgt.authtime;
+
+        if (req.kdc-options.RENEW is set) then
+          /* Note that if the endtime has already passed, the ticket would
+*/
+          /* have been rejected in the initial authentication stage, so
+*/
+          /* there is no need to check again here
+*/
+                if (tgt.flags.RENEWABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                if (tgt.renew-till < kdc_time) then
+                        error_out(KRB_AP_ERR_TKT_EXPIRED);
+                endif
+                tkt := tgt;
+                new_tkt.starttime := kdc_time;
+                old_life := tgt.endttime - tgt.starttime;
+                new_tkt.endtime := min(tgt.renew-till,
+                                       new_tkt.starttime + old_life);
+        else
+                new_tkt.starttime := kdc_time;
+                if (req.till = 0) then
+                        till := infinity;
+                else
+                        till := req.till;
+                endif
+
+                new_tkt.endtime := min(till,
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                                       new_tkt.starttime+client.max_life,
+                                       new_tkt.starttime+server.max_life,
+                                       new_tkt.starttime+max_life_for_realm,
+                                       tgt.endtime);
+
+                if ((req.kdc-options.RENEWABLE-OK is set) and
+                    (new_tkt.endtime < req.till) and
+                    (tgt.flags.RENEWABLE is set) then
+                        /* we set the RENEWABLE option for later processing
+*/
+                        set req.kdc-options.RENEWABLE;
+                        req.rtime := min(req.till, tgt.renew-till);
+                endif
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (tgt.flags.RENEWABLE is set)) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+
+new_tkt.starttime+client.max_rlife,
+
+new_tkt.starttime+server.max_rlife,
+
+new_tkt.starttime+max_rlife_for_realm,
+                                          tgt.renew-till);
+        else
+                new_tkt.renew-till := OMIT; /* leave the renew-till field
+out */
+        endif
+        if (req.enc-authorization-data is present) then
+                decrypt req.enc-authorization-data into
+decrypted_authorization_data
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                endif
+        endif
+        new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data
++
+                                 decrypted_authorization_data;
+
+        new_tkt.key := session;
+        new_tkt.crealm := tgt.crealm;
+        new_tkt.cname := req.auth_hdr.ticket.cname;
+
+        if (realm_tgt_is_for(tgt) := tgt.realm) then
+                /* tgt issued by local realm */
+                new_tkt.transited := tgt.transited;
+        else
+                /* was issued for this realm by some other realm */
+                if (tgt.transited.tr-type not supported) then
+                        error_out(KDC_ERR_TRTYPE_NOSUPP);
+                endif
+                new_tkt.transited := compress_transited(tgt.transited +
+tgt.realm)
+                /* Don't check tranited field if TGT for foreign realm,
+                 * or requested not to check */
+                if (is_not_foreign_tgt_name(new_tkt.server)
+                   && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                        /* Check it, so end-server does not have to
+                         * but don't fail, end-server may still accept it */
+                        if (check_transited_field(new_tkt.transited) == OK)
+                              set new_tkt.flags.TRANSITED-POLICY-CHECKED;
+                        endif
+                endif
+        endif
+
+        encode encrypted part of new_tkt into OCTET STRING;
+        if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                if (server not specified) then
+                        server = req.second_ticket.client;
+                endif
+                if ((req.second_ticket is not a TGT) or
+                    (req.second_ticket.client != server)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+
+                new_tkt.enc-part := encrypt OCTET STRING using
+                        using etype_for_key(second-ticket.key),
+second-ticket.key;
+        else
+                new_tkt.enc-part := encrypt OCTET STRING
+                        using etype_for_key(server.key), server.key,
+server.p_kvno;
+        endif
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_TGS_REP;
+        resp.crealm := tgt.crealm;
+        resp.cname := tgt.cname;
+        resp.ticket := new_tkt;
+
+        resp.key := session;
+        resp.nonce := req.nonce;
+        resp.last-req := fetch_last_request_info(client);
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        omit resp.key-expiration;
+
+        resp.sname := new_tkt.sname;
+        resp.realm := new_tkt.realm;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        encode body of reply into OCTET STRING;
+
+        if (req.padata.authenticator.subkey)
+                resp.enc-part := encrypt OCTET STRING using use_etype,
+                        req.padata.authenticator.subkey;
+        else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key;
+
+        send(resp);
+
+A.7. KRB_TGS_REP verification
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key from
+        the response immediately */
+
+        if (req.padata.authenticator.subkey)
+                unencrypted part of resp := decode of decrypt of
+resp.enc-part
+                        using resp.enc-part.etype and subkey;
+        else unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and tgt's session
+key;
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        check authorization_data as necessary;
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.8. Authenticator generation
+
+        body.authenticator-vno := authenticator vno; /* = 5 */
+        body.cname, body.crealm := client name;
+        if (supplying checksum) then
+                body.cksum := checksum;
+        endif
+        get system_time;
+        body.ctime, body.cusec := system_time;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+A.9. KRB_AP_REQ generation
+
+        obtain ticket and session_key from cache;
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REQ */
+
+        if (desired(MUTUAL_AUTHENTICATION)) then
+                set packet.ap-options.MUTUAL-REQUIRED;
+        else
+                reset packet.ap-options.MUTUAL-REQUIRED;
+        endif
+        if (using session key for ticket) then
+                set packet.ap-options.USE-SESSION-KEY;
+        else
+                reset packet.ap-options.USE-SESSION-KEY;
+        endif
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+        packet.ticket := ticket; /* ticket */
+        generate authenticator;
+        encode authenticator into OCTET STRING;
+        encrypt OCTET STRING into packet.authenticator using session_key;
+
+A.10. KRB_AP_REQ verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REQ) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.ticket.tkt_vno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.ap_options.USE-SESSION-KEY is set) then
+                retrieve session key from ticket-granting ticket for
+                 packet.ticket.{sname,srealm,enc-part.etype};
+        else
+                retrieve service key for
+                 packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+        endif
+        if (no_key_available) then
+                if (cannot_find_specified_skvno) then
+                        error_out(KRB_AP_ERR_BADKEYVER);
+                else
+                        error_out(KRB_AP_ERR_NOKEY);
+                endif
+        endif
+        decrypt packet.ticket.enc-part into decr_ticket using retrieved key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        decrypt packet.authenticator into decr_authenticator
+                using decr_ticket.key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (decr_authenticator.{cname,crealm} !=
+            decr_ticket.{cname,crealm}) then
+                error_out(KRB_AP_ERR_BADMATCH);
+        endif
+        if (decr_ticket.caddr is present) then
+                if (sender_address(packet) is not in decr_ticket.caddr) then
+                        error_out(KRB_AP_ERR_BADADDR);
+                endif
+        elseif (application requires addresses) then
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(decr_authenticator.ctime,
+                              decr_authenticator.cusec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+        get system_time;
+        if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+            (decr_ticket.flags.INVALID is set)) then
+                /* it hasn't yet become valid */
+                error_out(KRB_AP_ERR_TKT_NYV);
+        endif
+        if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                error_out(KRB_AP_ERR_TKT_EXPIRED);
+        endif
+        if (decr_ticket.transited) then
+            /* caller may ignore the TRANSITED-POLICY-CHECKED and do
+             * check anyway */
+            if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then
+                 if (check_transited_field(decr_ticket.transited) then
+                      error_out(KDC_AP_PATH_NOT_ACCPETED);
+                 endif
+            endif
+        endif
+        /* caller must check decr_ticket.flags for any pertinent details */
+        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+A.11. KRB_AP_REP generation
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REP */
+
+        body.ctime := packet.ctime;
+        body.cusec := packet.cusec;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part;
+
+A.12. KRB_AP_REP verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REP) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        cleartext := decrypt(packet.enc-part) using ticket's session key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+        if (cleartext.ctime != authenticator.ctime) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.cusec != authenticator.cusec) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.subkey is present) then
+                save cleartext.subkey for future use;
+        endif
+        if (cleartext.seq-number is present) then
+                save cleartext.seq-number for future verifications;
+        endif
+        return(AUTHENTICATION_SUCCEEDED);
+
+A.13. KRB_SAFE generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_SAFE */
+
+        body.user-data := buffer; /* DATA */
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+        checksum.cksumtype := checksum type;
+        compute checksum over body;
+        checksum.checksum := checksum value; /* checksum.checksum */
+        packet.cksum := checksum;
+        packet.safe-body := body;
+
+A.14. KRB_SAFE verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_SAFE) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.checksum.cksumtype is not both collision-proof and keyed)
+then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (safe_priv_common_checks_ok(packet)) then
+                set computed_checksum := checksum(packet.body);
+                if (computed_checksum != packet.checksum) then
+                        error_out(KRB_AP_ERR_MODIFIED);
+                endif
+                return (packet, PACKET_IS_GENUINE);
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+        else
+                return common_checks_error;
+        endif
+
+A.15. KRB_SAFE and KRB_PRIV common checks
+
+        if (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (((packet.timestamp is present) and
+             (not in_clock_skew(packet.timestamp,packet.usec))) or
+            (packet.timestamp is not present and timestamp expected)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+
+        if (((packet.seq-number is present) and
+             ((not in_sequence(packet.seq-number)))) or
+            (packet.seq-number is not present and sequence expected)) then
+                error_out(KRB_AP_ERR_BADORDER);
+        endif
+        if (packet.timestamp not present and packet.seq-number not present)
+then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        save_identifier(packet.{timestamp,usec,s-address},
+                        sender_principal(packet));
+
+        return PACKET_IS_OK;
+
+A.16. KRB_PRIV generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_PRIV */
+
+        packet.enc-part.etype := encryption type;
+
+        body.user-data := buffer;
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher;
+
+A.17. KRB_PRIV verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_PRIV) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+        if (safe_priv_common_checks_ok(cleartext)) then
+                return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+        else
+                return common_checks_error;
+        endif
+
+A.18. KRB_CRED generation
+
+        invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_CRED */
+
+        for (tickets[n] in tickets to be forwarded) do
+                packet.tickets[n] = tickets[n].ticket;
+        done
+
+        packet.enc-part.etype := encryption type;
+
+        for (ticket[n] in tickets to be forwarded) do
+                body.ticket-info[n].key = tickets[n].session;
+                body.ticket-info[n].prealm = tickets[n].crealm;
+                body.ticket-info[n].pname = tickets[n].cname;
+                body.ticket-info[n].flags = tickets[n].flags;
+                body.ticket-info[n].authtime = tickets[n].authtime;
+                body.ticket-info[n].starttime = tickets[n].starttime;
+                body.ticket-info[n].endtime = tickets[n].endtime;
+                body.ticket-info[n].renew-till = tickets[n].renew-till;
+                body.ticket-info[n].srealm = tickets[n].srealm;
+                body.ticket-info[n].sname = tickets[n].sname;
+                body.ticket-info[n].caddr = tickets[n].caddr;
+        done
+
+        get system_time;
+        body.timestamp, body.usec := system_time;
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+        if (using nonce) then
+                body.nonce := nonce;
+        endif
+
+        if (using s-address) then
+                body.s-address := sender host addresses;
+        endif
+        if (limited recipients) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher
+               using negotiated encryption key;
+
+A.19. KRB_CRED verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_CRED) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if ((packet.r-address is present or required) and
+           (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (packet.nonce is required or present) and
+           (packet.nonce != expected-nonce) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        for (ticket[n] in tickets that were forwarded) do
+                save_for_later(ticket[n],key[n],principal[n],
+                               server[n],times[n],flags[n]);
+        return
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+A.20. KRB_ERROR generation
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_ERROR */
+
+        get system_time;
+        packet.stime, packet.susec := system_time;
+        packet.realm, packet.sname := server name;
+
+        if (client time available) then
+                packet.ctime, packet.cusec := client_time;
+        endif
+        packet.error-code := error code;
+        if (client name available) then
+                packet.cname, packet.crealm := client name;
+        endif
+        if (error text available) then
+                packet.e-text := error text;
+        endif
+        if (error data available) then
+                packet.e-data := error data;
+        endif
+
+B. Definition of common authorization data elements
+
+This appendix contains the definitions of common authorization data
+elements. These common authorization data elements are recursivly defined,
+meaning the ad-data for these types will itself contain a sequence of
+authorization data whose interpretation is affected by the encapsulating
+element. Depending on the meaning of the encapsulating element, the
+encapsulated elements may be ignored, might be interpreted as issued
+directly by the KDC, or they might be stored in a separate plaintext part
+of the ticket. The types of the encapsulating elements are specified as
+part of the Kerberos specification because the behavior based on these
+values should be understood across implementations whereas other elements
+need only be understood by the applications which they affect.
+
+In the definitions that follow, the value of the ad-type for the element
+will be specified in the subsection number, and the value of the ad-data
+will be as shown in the ASN.1 structure that follows the subsection
+heading.
+
+B.1. KDC Issued
+
+AD-KDCIssued   SEQUENCE {
+               ad-checksum[0]    Checksum,
+                i-realm[1]       Realm OPTIONAL,
+                i-sname[2]       PrincipalName OPTIONAL,
+               elements[3]       AuthorizationData.
+}
+
+ad-checksum
+     A checksum over the elements field using a cryptographic checksum
+     method that is identical to the checksum used to protect the ticket
+     itself (i.e. using the same hash function and the same encryption
+     algorithm used to encrypt the ticket) and using a key derived from the
+     same key used to protect the ticket.
+i-realm, i-sname
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+     The name of the issuing principal if different from the KDC itself.
+     This field would be used when the KDC can verify the authenticity of
+     elements signed by the issuing principal and it allows this KDC to
+     notify the application server of the validity of those elements.
+elements
+     A sequence of authorization data elements issued by the KDC.
+
+The KDC-issued ad-data field is intended to provide a means for Kerberos
+principal credentials to embed within themselves privilege attributes and
+other mechanisms for positive authorization, amplifying the priveleges of
+the principal beyond what can be done using a credentials without such an
+a-data element.
+
+This can not be provided without this element because the definition of the
+authorization-data field allows elements to be added at will by the bearer
+of a TGT at the time that they request service tickets and elements may
+also be added to a delegated ticket by inclusion in the authenticator.
+
+For KDC-issued elements this is prevented because the elements are signed
+by the KDC by including a checksum encrypted using the server's key (the
+same key used to encrypt the ticket - or a key derived from that key).
+Elements encapsulated with in the KDC-issued element will be ignored by the
+application server if this "signature" is not present. Further, elements
+encapsulated within this element from a ticket granting ticket may be
+interpreted by the KDC, and used as a basis according to policy for
+including new signed elements within derivative tickets, but they will not
+be copied to a derivative ticket directly. If they are copied directly to a
+derivative ticket by a KDC that is not aware of this element, the signature
+will not be correct for the application ticket elements, and the field will
+be ignored by the application server.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+B.2. Intended for server
+
+AD-INTENDED-FOR-SERVER   SEQUENCE {
+         intended-server[0]     SEQUENCE OF PrincipalName
+         elements[1]            AuthorizationData
+}
+
+AD elements encapsulated within the intended-for-server element may be
+ignored if the application server is not in the list of principal names of
+intended servers. Further, a KDC issuing a ticket for an application server
+can remove this element if the application server is not in the list of
+intended servers.
+
+Application servers should check for their principal name in the
+intended-server field of this element. If their principal name is not
+found, this element should be ignored. If found, then the encapsulated
+elements should be evaluated in the same manner as if they were present in
+the top level authorization data field. Applications and application
+servers that do not implement this element should reject tickets that
+contain authorization data elements of this type.
+
+B.3. Intended for application class
+
+AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0]
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements
+encapsulated within the intended-for-application-class element may be
+ignored if the application server is not in one of the named classes of
+application servers. Examples of application server classes include
+"FILESYSTEM", and other kinds of servers.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+B.4. If relevant
+
+AD-IF-RELEVANT   AuthorizationData
+
+AD elements encapsulated within the if-relevant element are intended for
+interpretation only by application servers that understand the particular
+ad-type of the embedded element. Application servers that do not understand
+the type of an element embedded within the if-relevant element may ignore
+the uninterpretable element. This element promotes interoperability across
+implementations which may have local extensions for authorization.
+
+B.5. And-Or
+
+AD-AND-OR           SEQUENCE {
+                        condition-count[0]    INTEGER,
+                        elements[1]           AuthorizationData
+}
+
+When restrictive AD elements encapsulated within the and-or element are
+encountered, only the number specified in condition-count of the
+encapsulated conditions must be met in order to satisfy this element. This
+element may be used to implement an "or" operation by setting the
+condition-count field to 1, and it may specify an "and" operation by
+setting the condition count to the number of embedded elements. Application
+servers that do not implement this element must reject tickets that contain
+authorization data elements of this type.
+
+B.6. Mandatory ticket extensions
+
+AD-Mandatory-Ticket-Extensions   Checksum
+
+An authorization data element of type mandatory-ticket-extensions specifies
+a collision-proof checksum using the same hash algorithm used to protect
+the integrity of the ticket itself. This checksum will be calculated over
+an individual extension field. If there are more than one extension,
+multiple Mandatory-Ticket-Extensions authorization data elements may be
+present, each with a checksum for a different extension field. This
+restriction indicates that the ticket should not be accepted if a ticket
+extension is not present in the ticket for which the checksum does not
+match that checksum specified in the authorization data element.
+Application servers that do not implement this element must reject tickets
+that contain authorization data elements of this type.
+
+B.7. Authorization Data in ticket extensions
+
+AD-IN-Ticket-Extensions   Checksum
+
+An authorization data element of type in-ticket-extensions specifies a
+collision-proof checksum using the same hash algorithm used to protect the
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+integrity of the ticket itself. This checksum is calculated over a separate
+external AuthorizationData field carried in the ticket extensions.
+Application servers that do not implement this element must reject tickets
+that contain authorization data elements of this type. Application servers
+that do implement this element will search the ticket extensions for
+authorization data fields, calculate the specified checksum over each
+authorization data field and look for one matching the checksum in this
+in-ticket-extensions element. If not found, then the ticket must be
+rejected. If found, the corresponding authorization data elements will be
+interpreted in the same manner as if they were contained in the top level
+authorization data field.
+
+Note that if multiple external authorization data fields are present in a
+ticket, each will have a corresponding element of type in-ticket-extensions
+in the top level authorization data field, and the external entries will be
+linked to the corresponding element by their checksums.
+
+C. Definition of common ticket extensions
+
+This appendix contains the definitions of common ticket extensions. Support
+for these extensions is optional. However, certain extensions have
+associated authorization data elements that may require rejection of a
+ticket containing an extension by application servers that do not implement
+the particular extension. Other extensions have been defined beyond those
+described in this specification. Such extensions are described elswhere and
+for some of those extensions the reserved number may be found in the list
+of constants.
+
+It is known that older versions of Kerberos did not support this field, and
+that some clients will strip this field from a ticket when they parse and
+then reassemble a ticket as it is passed to the application servers. The
+presence of the extension will not break such clients, but any functionaly
+dependent on the extensions will not work when such tickets are handled by
+old clients. In such situations, some implementation may use alternate
+methods to transmit the information in the extensions field.
+
+C.1. Null ticket extension
+
+TE-NullExtension   OctetString -- The empty Octet String
+
+The te-data field in the null ticket extension is an octet string of lenght
+zero. This extension may be included in a ticket granting ticket so that
+the KDC can determine on presentation of the ticket granting ticket whether
+the client software will strip the extensions field.
+
+C.2. External Authorization Data
+
+TE-ExternalAuthorizationData   AuthorizationData
+
+The te-data field in the external authorization data ticket extension is
+field of type AuthorizationData containing one or more authorization data
+elements. If present, a corresponding authorization data element will be
+present in the primary authorization data for the ticket and that element
+will contain a checksum of the external authorization data ticket
+extension.
+  ------------------------------------------------------------------------
+[TM] Project Athena, Athena, and Kerberos are trademarks of the
+Massachusetts Institute of Technology (MIT). No commercial use of these
+trademarks may be made without prior written permission of MIT.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+[1] Note, however, that many applications use Kerberos' functions only upon
+the initiation of a stream-based network connection. Unless an application
+subsequently provides integrity protection for the data stream, the
+identity verification applies only to the initiation of the connection, and
+does not guarantee that subsequent messages on the connection originate
+from the same principal.
+
+[2] Secret and private are often used interchangeably in the literature. In
+our usage, it takes two (or more) to share a secret, thus a shared DES key
+is a secret key. Something is only private when no one but its owner knows
+it. Thus, in public key cryptosystems, one has a public and a private key.
+
+[3] Of course, with appropriate permission the client could arrange
+registration of a separately-named prin- cipal in a remote realm, and
+engage in normal exchanges with that realm's services. However, for even
+small numbers of clients this becomes cumbersome, and more automatic
+methods as described here are necessary.
+
+[4] Though it is permissible to request or issue tick- ets with no network
+addresses specified.
+
+[5] The password-changing request must not be honored unless the requester
+can provide the old password (the user's current secret key). Otherwise, it
+would be possible for someone to walk up to an unattended ses- sion and
+change another user's password.
+
+[6] To authenticate a user logging on to a local system, the credentials
+obtained in the AS exchange may first be used in a TGS exchange to obtain
+credentials for a local server. Those credentials must then be verified by
+a local server through successful completion of the Client/Server exchange.
+
+[7] "Random" means that, among other things, it should be impossible to
+guess the next session key based on knowledge of past session keys. This
+can only be achieved in a pseudo-random number generator if it is based on
+cryptographic principles. It is more desirable to use a truly random number
+generator, such as one based on measurements of random physical phenomena.
+
+[8] Tickets contain both an encrypted and unencrypted portion, so cleartext
+here refers to the entire unit, which can be copied from one message and
+replayed in another without any cryptographic skill.
+
+[9] Note that this can make applications based on unreliable transports
+difficult to code correctly. If the transport might deliver duplicated
+messages, either a new authenticator must be generated for each retry, or
+the application server must match requests and replies and replay the first
+reply in response to a detected duplicate.
+
+[10] This is used for user-to-user authentication as described in [8].
+
+[11] Note that the rejection here is restricted to authenticators from the
+same principal to the same server. Other client principals communicating
+with the same server principal should not be have their authenticators
+rejected if the time and microsecond fields happen to match some other
+client's authenticator.
+
+[12] In the Kerberos version 4 protocol, the timestamp in the reply was the
+client's timestamp plus one. This is not necessary in version 5 because
+version 5 messages are formatted in such a way that it is not possible to
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+create the reply by judicious message surgery (even in encrypted form)
+without knowledge of the appropriate encryption keys.
+
+[13] Note that for encrypting the KRB_AP_REP message, the sub-session key
+is not used, even if present in the Authenticator.
+
+[14] Implementations of the protocol may wish to provide routines to choose
+subkeys based on session keys and random numbers and to generate a
+negotiated key to be returned in the KRB_AP_REP message.
+
+[15]This can be accomplished in several ways. It might be known beforehand
+(since the realm is part of the principal identifier), it might be stored
+in a nameserver, or it might be obtained from a configura- tion file. If
+the realm to be used is obtained from a nameserver, there is a danger of
+being spoofed if the nameservice providing the realm name is not authenti-
+cated. This might result in the use of a realm which has been compromised,
+and would result in an attacker's ability to compromise the authentication
+of the application server to the client.
+
+[16] If the client selects a sub-session key, care must be taken to ensure
+the randomness of the selected sub- session key. One approach would be to
+generate a random number and XOR it with the session key from the
+ticket-granting ticket.
+
+[17] This allows easy implementation of user-to-user authentication [8],
+which uses ticket-granting ticket session keys in lieu of secret server
+keys in situa- tions where such secret keys could be easily comprom- ised.
+
+[18] For the purpose of appending, the realm preceding the first listed
+realm is considered to be the null realm ("").
+
+[19] For the purpose of interpreting null subfields, the client's realm is
+considered to precede those in the transited field, and the server's realm
+is considered to follow them.
+
+[20] This means that a client and server running on the same host and
+communicating with one another using the KRB_SAFE messages should not share
+a common replay cache to detect KRB_SAFE replays.
+
+[21] The implementation of the Kerberos server need not combine the
+database and the server on the same machine; it is feasible to store the
+principal database in, say, a network name service, as long as the entries
+stored therein are protected from disclosure to and modification by
+unauthorized parties. However, we recommend against such strategies, as
+they can make system management and threat analysis quite complex.
+
+[22] See the discussion of the padata field in section 5.4.2 for details on
+why this can be useful.
+
+[23] Warning for implementations that unpack and repack data structures
+during the generation and verification of embedded checksums: Because any
+checksums applied to data structures must be checked against the original
+data the length of bit strings must be preserved within a data structure
+between the time that a checksum is generated through transmission to the
+time that the checksum is verified.
+
+[24] It is NOT recommended that this time value be used to adjust the
+workstation's clock since the workstation cannot reliably determine that
+such a KRB_AS_REP actually came from the proper KDC in a timely manner.
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-r-03        November 18 1998
+
+
+
+[25] Note, however, that if the time is used as the nonce, one must make
+sure that the workstation time is monotonically increasing. If the time is
+ever reset backwards, there is a small, but finite, probability that a
+nonce will be reused.
+
+[27] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[29] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[31] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[32] If supported by the encryption method in use, an initialization vector
+may be passed to the encryption procedure, in order to achieve proper
+cipher chaining. The initialization vector might come from the last block
+of the ciphertext from the previous KRB_PRIV message, but it is the
+application's choice whether or not to use such an initialization vector.
+If left out, the default initialization vector for the encryption algorithm
+will be used.
+
+[33] This prevents an attacker who generates an incorrect AS request from
+obtaining verifiable plaintext for use in an off-line password guessing
+attack.
+
+[35] In the above specification, UNTAGGED OCTET STRING(length) is the
+notation for an octet string with its tag and length removed. It is not a
+valid ASN.1 type. The tag bits and length must be removed from the
+confounder since the purpose of the confounder is so that the message
+starts with random data, but the tag and its length are fixed. For other
+fields, the length and tag would be redundant if they were included because
+they are specified by the encryption type. [36] The ordering of the fields
+in the CipherText is important. Additionally, messages encoded in this
+format must include a length as part of the msg-seq field. This allows the
+recipient to verify that the message has not been truncated. Without a
+length, an attacker could use a chosen plaintext attack to generate a
+message which could be truncated, while leaving the checksum intact. Note
+that if the msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING,
+then the length is part of that encoding.
+
+[37] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[38] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[39] A variant of the key is used to limit the use of a key to a particular
+function, separating the functions of generating a checksum from other
+encryption performed using the session key. The constant F0F0F0F0F0F0F0F0
+was chosen because it maintains key parity. The properties of DES precluded
+the use of the complement. The same constant is used for similar purpose in
+the Message Integrity Check in the Privacy Enhanced Mail standard.
+
+[40] This error carries additional information in the e- data field. The
+contents of the e-data field for this message is described in section
+5.9.1.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 18 May 1999
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-04.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-04.txt
new file mode 100644
index 0000000..16af15d
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-04.txt
@@ -0,0 +1,6780 @@
+INTERNET-DRAFT                                          Clifford Neuman
+                                                              John Kohl
+                                                          Theodore Ts'o
+                                                          June 25, 1999
+                                              Expires December 25, 1999
+draft-ietf-cat-kerberos-revisions-04.txt
+
+The Kerberos Network Authentication Service (V5)
+
+STATUS OF THIS MEMO
+
+This document is an Internet-Draft and is in full conformance with all
+provisions of Section 10 of RFC2026. Internet-Drafts are working documents
+of the Internet Engineering Task Force (IETF), its areas, and its working
+groups. Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It is
+inappropriate to use Internet- Drafts as reference material or to cite them
+other than as "work in progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html. To learn the current status of any
+Internet-Draft, please check the '1id-abstracts.txt' listing contained in
+the Internet-Drafts Shadow Directories.
+
+The distribution of this memo is unlimited. It is filed as
+draft-ietf-cat-kerberos-revisions-04.txt, and expires December 25th, 1999.
+Please send comments to: krb-protocol@MIT.EDU
+
+ABSTRACT
+
+This document provides an overview and specification of Version 5 of the
+Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
+and its intended use that require more detailed or clearer explanation than
+was provided in RFC1510. This document is intended to provide a detailed
+description of the protocol, suitable for implementation, together with
+descriptions of the appropriate use of protocol messages and fields within
+those messages.
+
+This document is not intended to describe Kerberos to the end user, system
+administrator, or application developer. Higher level papers describing
+Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
+are available elsewhere.
+
+OVERVIEW
+
+This INTERNET-DRAFT describes the concepts and model upon which the Kerberos
+network authentication system is based. It also specifies Version 5 of the
+Kerberos protocol.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The motivations, goals, assumptions, and rationale behind most design
+decisions are treated cursorily; they are more fully described in a paper
+available in IEEE communications [NT94] and earlier in the Kerberos portion
+of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
+standard and are being considered for advancement for draft standard through
+the IETF standard process. Comments are encouraged on the presentation, but
+only minor refinements to the protocol as implemented or extensions that fit
+within current protocol framework will be considered at this time.
+
+Requests for addition to an electronic mailing list for discussion of
+Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
+This mailing list is gatewayed onto the Usenet as the group
+comp.protocols.kerberos. Requests for further information, including
+documents and code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+The Kerberos model is based in part on Needham and Schroeder's trusted
+third-party authentication protocol [NS78] and on modifications suggested by
+Denning and Sacco [DS81]. The original design and implementation of Kerberos
+Versions 1 through 4 was the work of two former Project Athena staff
+members, Steve Miller of Digital Equipment Corporation and Clifford Neuman
+(now at the Information Sciences Institute of the University of Southern
+California), along with Jerome Saltzer, Technical Director of Project
+Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members
+of Project Athena have also contributed to the work on Kerberos.
+
+Version 5 of the Kerberos protocol (described in this document) has evolved
+from Version 4 based on new requirements and desires for features not
+available in Version 4. The design of Version 5 of the Kerberos protocol was
+led by Clifford Neuman and John Kohl with much input from the community. The
+development of the MIT reference implementation was led at MIT by John Kohl
+and Theodore T'so, with help and contributed code from many others. Since
+RFC1510 was issued, extensions and revisions to the protocol have been
+proposed by many individuals. Some of these proposals are reflected in this
+document. Where such changes involved significant effort, the document cites
+the contribution of the proposer.
+
+Reference implementations of both version 4 and version 5 of Kerberos are
+publicly available and commercial implementations have been developed and
+are widely used. Details on the differences between Kerberos Versions 4 and
+5 can be found in [KNT92].
+
+1. Introduction
+
+Kerberos provides a means of verifying the identities of principals, (e.g. a
+workstation user or a network server) on an open (unprotected) network. This
+is accomplished without relying on assertions by the host operating system,
+without basing trust on host addresses, without requiring physical security
+of all the hosts on the network, and under the assumption that packets
+traveling along the network can be read, modified, and inserted at will[1].
+Kerberos performs authentication under these conditions as a trusted
+third-party authentication service by using conventional (shared secret key
+[2] cryptography. Kerberos extensions have been proposed and implemented
+that provide for the use of public key cryptography during certain phases of
+the authentication protocol. These extensions provide for authentication of
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+users registered with public key certification authorities, and allow the
+system to provide certain benefits of public key cryptography in situations
+where they are needed.
+
+The basic Kerberos authentication process proceeds as follows: A client
+sends a request to the authentication server (AS) requesting 'credentials'
+for a given server. The AS responds with these credentials, encrypted in the
+client's key. The credentials consist of 1) a 'ticket' for the server and 2)
+a temporary encryption key (often called a "session key"). The client
+transmits the ticket (which contains the client's identity and a copy of the
+session key, all encrypted in the server's key) to the server. The session
+key (now shared by the client and server) is used to authenticate the
+client, and may optionally be used to authenticate the server. It may also
+be used to encrypt further communication between the two parties or to
+exchange a separate sub-session key to be used to encrypt further
+communication.
+
+Implementation of the basic protocol consists of one or more authentication
+servers running on physically secure hosts. The authentication servers
+maintain a database of principals (i.e., users and servers) and their secret
+keys. Code libraries provide encryption and implement the Kerberos protocol.
+In order to add authentication to its transactions, a typical network
+application adds one or two calls to the Kerberos library directly or
+through the Generic Security Services Application Programming Interface,
+GSSAPI, described in separate document. These calls result in the
+transmission of the necessary messages to achieve authentication.
+
+The Kerberos protocol consists of several sub-protocols (or exchanges).
+There are two basic methods by which a client can ask a Kerberos server for
+credentials. In the first approach, the client sends a cleartext request for
+a ticket for the desired server to the AS. The reply is sent encrypted in
+the client's secret key. Usually this request is for a ticket-granting
+ticket (TGT) which can later be used with the ticket-granting server (TGS).
+In the second method, the client sends a request to the TGS. The client uses
+the TGT to authenticate itself to the TGS in the same manner as if it were
+contacting any other application server that requires Kerberos
+authentication. The reply is encrypted in the session key from the TGT.
+Though the protocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different protocol entry points
+within a single Kerberos server.
+
+Once obtained, credentials may be used to verify the identity of the
+principals in a transaction, to ensure the integrity of messages exchanged
+between them, or to preserve privacy of the messages. The application is
+free to choose whatever protection may be necessary.
+
+To verify the identities of the principals in a transaction, the client
+transmits the ticket to the application server. Since the ticket is sent "in
+the clear" (parts of it are encrypted, but this encryption doesn't thwart
+replay) and might be intercepted and reused by an attacker, additional
+information is sent to prove that the message originated with the principal
+to whom the ticket was issued. This information (called the authenticator)
+is encrypted in the session key, and includes a timestamp. The timestamp
+proves that the message was recently generated and is not a replay.
+Encrypting the authenticator in the session key proves that it was generated
+by a party possessing the session key. Since no one except the requesting
+principal and the server know the session key (it is never sent over the
+network in the clear) this guarantees the identity of the client.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The integrity of the messages exchanged between principals can also be
+guaranteed using the session key (passed in the ticket and contained in the
+credentials). This approach provides detection of both replay attacks and
+message stream modification attacks. It is accomplished by generating and
+transmitting a collision-proof checksum (elsewhere called a hash or digest
+function) of the client's message, keyed with the session key. Privacy and
+integrity of the messages exchanged between principals can be secured by
+encrypting the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+The authentication exchanges mentioned above require read-only access to the
+Kerberos database. Sometimes, however, the entries in the database must be
+modified, such as when adding new principals or changing a principal's key.
+This is done using a protocol between a client and a third Kerberos server,
+the Kerberos Administration Server (KADM). There is also a protocol for
+maintaining multiple copies of the Kerberos database. Neither of these
+protocols are described in this document.
+
+1.1. Cross-Realm Operation
+
+The Kerberos protocol is designed to operate across organizational
+boundaries. A client in one organization can be authenticated to a server in
+another. Each organization wishing to run a Kerberos server establishes its
+own 'realm'. The name of the realm in which a client is registered is part
+of the client's name, and can be used by the end-service to decide whether
+to honor a request.
+
+By establishing 'inter-realm' keys, the administrators of two realms can
+allow a client authenticated in the local realm to prove its identity to
+servers in other realms[3]. The exchange of inter-realm keys (a separate key
+may be used for each direction) registers the ticket-granting service of
+each realm as a principal in the other realm. A client is then able to
+obtain a ticket-granting ticket for the remote realm's ticket-granting
+service from its local realm. When that ticket-granting ticket is used, the
+remote ticket-granting service uses the inter-realm key (which usually
+differs from its own normal TGS key) to decrypt the ticket-granting ticket,
+and is thus certain that it was issued by the client's own TGS. Tickets
+issued by the remote ticket-granting service will indicate to the
+end-service that the client was authenticated from another realm.
+
+A realm is said to communicate with another realm if the two realms share an
+inter-realm key, or if the local realm shares an inter-realm key with an
+intermediate realm that communicates with the remote realm. An
+authentication path is the sequence of intermediate realms that are
+transited in communicating from one realm to another.
+
+Realms are typically organized hierarchically. Each realm shares a key with
+its parent and a different key with each child. If an inter-realm key is not
+directly shared by two realms, the hierarchical organization allows an
+authentication path to be easily constructed. If a hierarchical organization
+is not used, it may be necessary to consult a database in order to construct
+an authentication path between realms.
+
+Although realms are typically hierarchical, intermediate realms may be
+bypassed to achieve cross-realm authentication through alternate
+authentication paths (these might be established to make communication
+between two realms more efficient). It is important for the end-service to
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+know which realms were transited when deciding how much faith to place in
+the authentication process. To facilitate this decision, a field in each
+ticket contains the names of the realms that were involved in authenticating
+the client.
+
+The application server is ultimately responsible for accepting or rejecting
+authentication and should check the transited field. The application server
+may choose to rely on the KDC for the application server's realm to check
+the transited field. The application server's KDC will set the
+TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
+realms may also check the transited field as they issue
+ticket-granting-tickets for other realms, but they are encouraged not to do
+so. A client may request that the KDC's not check the transited field by
+setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
+required to honor this flag.
+
+1.2. Authorization
+
+As an authentication service, Kerberos provides a means of verifying the
+identity of principals on a network. Authentication is usually useful
+primarily as a first step in the process of authorization, determining
+whether a client may use a service, which objects the client is allowed to
+access, and the type of access allowed for each. Kerberos does not, by
+itself, provide authorization. Possession of a client ticket for a service
+provides only for authentication of the client to that service, and in the
+absence of a separate authorization procedure, it should not be considered
+by an application as authorizing the use of that service.
+
+Such separate authorization methods may be implemented as application
+specific access control functions and may be based on files such as the
+application server, or on separately issued authorization credentials such
+as those based on proxies [Neu93] , or on other authorization services.
+
+Applications should not be modified to accept the issuance of a service
+ticket by the Kerberos server (even by an modified Kerberos server) as
+granting authority to use the service, since such applications may become
+vulnerable to the bypass of this authorization check in an environment if
+they interoperate with other KDCs or where other options for application
+authentication (e.g. the PKTAPP proposal) are provided.
+
+1.3. Environmental assumptions
+
+Kerberos imposes a few assumptions on the environment in which it can
+properly function:
+
+   * 'Denial of service' attacks are not solved with Kerberos. There are
+     places in these protocols where an intruder can prevent an application
+     from participating in the proper authentication steps. Detection and
+     solution of such attacks (some of which can appear to be nnot-uncommon
+     'normal' failure modes for the system) is usually best left to the
+     human administrators and users.
+   * Principals must keep their secret keys secret. If an intruder somehow
+     steals a principal's key, it will be able to masquerade as that
+     principal or impersonate any server to the legitimate principal.
+   * 'Password guessing' attacks are not solved by Kerberos. If a user
+     chooses a poor password, it is possible for an attacker to successfully
+     mount an offline dictionary attack by repeatedly attempting to decrypt,
+     with successive entries from a dictionary, messages obtained which are
+     encrypted under a key derived from the user's password.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+   * Each host on the network must have a clock which is 'loosely
+     synchronized' to the time of the other hosts; this synchronization is
+     used to reduce the bookkeeping needs of application servers when they
+     do replay detection. The degree of "looseness" can be configured on a
+     per-server basis, but is typically on the order of 5 minutes. If the
+     clocks are synchronized over the network, the clock synchronization
+     protocol must itself be secured from network attackers.
+   * Principal identifiers are not recycled on a short-term basis. A typical
+     mode of access control will use access control lists (ACLs) to grant
+     permissions to particular principals. If a stale ACL entry remains for
+     a deleted principal and the principal identifier is reused, the new
+     principal will inherit rights specified in the stale ACL entry. By not
+     re-using principal identifiers, the danger of inadvertent access is
+     removed.
+
+1.4. Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+Authentication
+     Verifying the claimed identity of a principal.
+Authentication header
+     A record containing a Ticket and an Authenticator to be presented to a
+     server as part of the authentication process.
+Authentication path
+     A sequence of intermediate realms transited in the authentication
+     process when communicating from one realm to another.
+Authenticator
+     A record containing information that can be shown to have been recently
+     generated using the session key known only by the client and server.
+Authorization
+     The process of determining whether a client may use a service, which
+     objects the client is allowed to access, and the type of access allowed
+     for each.
+Capability
+     A token that grants the bearer permission to access an object or
+     service. In Kerberos, this might be a ticket whose use is restricted by
+     the contents of the authorization data field, but which lists no
+     network addresses, together with the session key necessary to use the
+     ticket.
+Ciphertext
+     The output of an encryption function. Encryption transforms plaintext
+     into ciphertext.
+Client
+     A process that makes use of a network service on behalf of a user. Note
+     that in some cases a Server may itself be a client of some other server
+     (e.g. a print server may be a client of a file server).
+Credentials
+     A ticket plus the secret session key necessary to successfully use that
+     ticket in an authentication exchange.
+KDC
+     Key Distribution Center, a network service that supplies tickets and
+     temporary session keys; or an instance of that service or the host on
+     which it runs. The KDC services both initial ticket and ticket-granting
+     ticket requests. The initial ticket portion is sometimes referred to as
+     the Authentication Server (or service). The ticket-granting ticket
+     portion is sometimes referred to as the ticket-granting server (or
+     service).
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Kerberos
+     Aside from the 3-headed dog guarding Hades, the name given to Project
+     Athena's authentication service, the protocol used by that service, or
+     the code used to implement the authentication service.
+Plaintext
+     The input to an encryption function or the output of a decryption
+     function. Decryption transforms ciphertext into plaintext.
+Principal
+     A uniquely named client or server instance that participates in a
+     network communication.
+Principal identifier
+     The name used to uniquely identify each different principal.
+Seal
+     To encipher a record containing several fields in such a way that the
+     fields cannot be individually replaced without either knowledge of the
+     encryption key or leaving evidence of tampering.
+Secret key
+     An encryption key shared by a principal and the KDC, distributed
+     outside the bounds of the system, with a long lifetime. In the case of
+     a human user's principal, the secret key is derived from a password.
+Server
+     A particular Principal which provides a resource to network clients.
+     The server is sometimes refered to as the Application Server.
+Service
+     A resource provided to network clients; often provided by more than one
+     server (for example, remote file service).
+Session key
+     A temporary encryption key used between two principals, with a lifetime
+     limited to the duration of a single login "session".
+Sub-session key
+     A temporary encryption key used between two principals, selected and
+     exchanged by the principals using the session key, and with a lifetime
+     limited to the duration of a single association.
+Ticket
+     A record that helps a client authenticate itself to a server; it
+     contains the client's identity, a session key, a timestamp, and other
+     information, all sealed using the server's secret key. It only serves
+     to authenticate a client when presented along with a fresh
+     Authenticator.
+
+2. Ticket flag uses and requests
+
+Each Kerberos ticket contains a set of flags which are used to indicate
+various attributes of that ticket. Most flags may be requested by a client
+when the ticket is obtained; some are automatically turned on and off by a
+Kerberos server as required. The following sections explain what the various
+flags mean, and gives examples of reasons to use such a flag.
+
+2.1. Initial and pre-authenticated tickets
+
+The INITIAL flag indicates that a ticket was issued using the AS protocol
+and not issued based on a ticket-granting ticket. Application servers that
+want to require the demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be set in any tickets
+they accept, and thus be assured that the client's key was recently
+presented to the application client.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
+initial authentication, regardless of whether the current ticket was issued
+directly (in which case INITIAL will also be set) or issued on the basis of
+a ticket-granting ticket (in which case the INITIAL flag is clear, but the
+PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ticket-granting ticket).
+
+2.2. Invalid tickets
+
+The INVALID flag indicates that a ticket is invalid. Application servers
+must reject tickets which have this flag set. A postdated ticket will
+usually be issued in this form. Invalid tickets must be validated by the KDC
+before use, by presenting them to the KDC in a TGS request with the VALIDATE
+option specified. The KDC will only validate tickets after their starttime
+has passed. The validation is required so that postdated tickets which have
+been stolen before their starttime can be rendered permanently invalid
+(through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3. Renewable tickets
+
+Applications may desire to hold tickets which can be valid for long periods
+of time. However, this can expose their credentials to potential theft for
+equally long periods, and those stolen credentials would be valid until the
+expiration time of the ticket(s). Simply using short-lived tickets and
+obtaining new ones periodically would require the client to have long-term
+access to its secret key, an even greater risk. Renewable tickets can be
+used to mitigate the consequences of theft. Renewable tickets have two
+"expiration times": the first is when the current instance of the ticket
+expires, and the second is the latest permissible value for an individual
+expiration time. An application client must periodically (i.e. before it
+expires) present a renewable ticket to the KDC, with the RENEW option set in
+the KDC request. The KDC will issue a new ticket with a new session key and
+a later expiration time. All other fields of the ticket are left unmodified
+by the renewal process. When the latest permissible expiration time arrives,
+the ticket expires permanently. At each renewal, the KDC may consult a
+hot-list to determine if the ticket had been reported stolen since its last
+renewal; it will refuse to renew such stolen tickets, and thus the usable
+lifetime of stolen tickets is reduced.
+
+The RENEWABLE flag in a ticket is normally only interpreted by the
+ticket-granting service (discussed below in section 3.3). It can usually be
+ignored by application servers. However, some particularly careful
+application servers may wish to disallow renewable tickets.
+
+If a renewable ticket is not renewed by its expiration time, the KDC will
+not renew the ticket. The RENEWABLE flag is reset by default, but a client
+may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
+message. If it is set, then the renew-till field in the ticket contains the
+time after which the ticket may not be renewed.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+2.4. Postdated tickets
+
+Applications may occasionally need to obtain tickets for use much later,
+e.g. a batch submission system would need tickets to be valid at the time
+the batch job is serviced. However, it is dangerous to hold valid tickets in
+a batch queue, since they will be on-line longer and more prone to theft.
+Postdated tickets provide a way to obtain these tickets from the KDC at job
+submission time, but to leave them "dormant" until they are activated and
+validated by a further request of the KDC. If a ticket theft were reported
+in the interim, the KDC would refuse to validate the ticket, and the thief
+would be foiled.
+
+The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. This flag
+must be set in a ticket-granting ticket in order to issue a postdated ticket
+based on the presented ticket. It is reset by default; it may be requested
+by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message.
+This flag does not allow a client to obtain a postdated ticket-granting
+ticket; postdated ticket-granting tickets can only by obtained by requesting
+the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a
+postdated ticket will be the remaining life of the ticket-granting ticket at
+the time of the request, unless the RENEWABLE option is also set, in which
+case it can be the full life (endtime-starttime) of the ticket-granting
+ticket. The KDC may limit how far in the future a ticket may be postdated.
+
+The POSTDATED flag indicates that a ticket has been postdated. The
+application server can check the authtime field in the ticket to see when
+the original authentication occurred. Some services may choose to reject
+postdated tickets, or they may only accept them within a certain period
+after the original authentication. When the KDC issues a POSTDATED ticket,
+it will also be marked as INVALID, so that the application client must
+present the ticket to the KDC to be validated before use.
+
+2.5. Proxiable and proxy tickets
+
+At times it may be necessary for a principal to allow a service to perform
+an operation on its behalf. The service must be able to take on the identity
+of the client, but only for a particular purpose. A principal can allow a
+service to take on the principal's identity for a particular purpose by
+granting it a proxy.
+
+The process of granting a proxy using the proxy and proxiable flags is used
+to provide credentials for use with specific services. Though conceptually
+also a proxy, user's wishing to delegate their identity for ANY purpose must
+use the ticket forwarding mechanism described in the next section to forward
+a ticket granting ticket.
+
+The PROXIABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. When set,
+this flag tells the ticket-granting server that it is OK to issue a new
+ticket (but not a ticket-granting ticket) with a different network address
+based on this ticket. This flag is set if requested by the client on initial
+authentication. By default, the client will request that it be set when
+requesting a ticket granting ticket, and reset when requesting any other
+ticket.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+This flag allows a client to pass a proxy to a server to perform a remote
+request on its behalf, e.g. a print service client can give the print server
+a proxy to access the client's files on a particular file server in order to
+satisfy a print request.
+
+In order to complicate the use of stolen credentials, Kerberos tickets are
+usually valid from only those network addresses specifically included in the
+ticket[4]. When granting a proxy, the client must specify the new network
+address from which the proxy is to be used, or indicate that the proxy is to
+be issued for use from any address.
+
+The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
+Application servers may check this flag and at their option they may require
+additional authentication from the agent presenting the proxy in order to
+provide an audit trail.
+
+2.6. Forwardable tickets
+
+Authentication forwarding is an instance of a proxy where the service is
+granted complete use of the client's identity. An example where it might be
+used is when a user logs in to a remote system and wants authentication to
+work from that system as if the login were local.
+
+The FORWARDABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. The
+FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
+flag, except ticket-granting tickets may also be issued with different
+network addresses. This flag is reset by default, but users may request that
+it be set by setting the FORWARDABLE option in the AS request when they
+request their initial ticket- granting ticket.
+
+This flag allows for authentication forwarding without requiring the user to
+enter a password again. If the flag is not set, then authentication
+forwarding is not permitted, but the same result can still be achieved if
+the user engages in the AS exchange specifying the requested network
+addresses and supplies a password.
+
+The FORWARDED flag is set by the TGS when a client presents a ticket with
+the FORWARDABLE flag set and requests a forwarded ticket by specifying the
+FORWARDED KDC option and supplying a set of addresses for the new ticket. It
+is also set in all tickets issued based on tickets with the FORWARDED flag
+set. Application servers may choose to process FORWARDED tickets differently
+than non-FORWARDED tickets.
+
+2.7. Other KDC options
+
+There are two additional options which may be set in a client's request of
+the KDC. The RENEWABLE-OK option indicates that the client will accept a
+renewable ticket if a ticket with the requested life cannot otherwise be
+provided. If a ticket with the requested life cannot be provided, then the
+KDC may issue a renewable ticket with a renew-till equal to the the
+requested endtime. The value of the renew-till field may still be adjusted
+by site-determined limits or limits imposed by the individual principal or
+server.
+
+The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
+It indicates that the ticket to be issued for the end server is to be
+encrypted in the session key from the a additional second ticket-granting
+ticket provided with the request. See section 3.3.3 for specific details.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3. Message Exchanges
+
+The following sections describe the interactions between network clients and
+servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+The Authentication Service (AS) Exchange between the client and the Kerberos
+Authentication Server is initiated by a client when it wishes to obtain
+authentication credentials for a given server but currently holds no
+credentials. In its basic form, the client's secret key is used for
+encryption and decryption. This exchange is typically used at the initiation
+of a login session to obtain credentials for a Ticket-Granting Server which
+will subsequently be used to obtain credentials for other servers (see
+section 3.3) without requiring further use of the client's secret key. This
+exchange is also used to request credentials for services which must not be
+mediated through the Ticket-Granting Service, but rather require a
+principal's secret key, such as the password-changing service[5]. This
+exchange does not by itself provide any assurance of the the identity of the
+user[6].
+
+The exchange consists of two messages: KRB_AS_REQ from the client to
+Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+In the request, the client sends (in cleartext) its own identity and the
+identity of the server for which it is requesting credentials. The response,
+KRB_AS_REP, contains a ticket for the client to present to the server, and a
+session key that will be shared by the client and the server. The session
+key and additional information are encrypted in the client's secret key. The
+KRB_AS_REP message contains information which can be used to detect replays,
+and to associate it with the message to which it replies. Various errors can
+occur; these are indicated by an error response (KRB_ERROR) instead of the
+KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR
+message contains information which can be used to associate it with the
+message to which it replies. The lack of encryption in the KRB_ERROR message
+precludes the ability to detect replays, fabrications, or modifications of
+such messages.
+
+Without preautentication, the authentication server does not know whether
+the client is actually the principal named in the request. It simply sends a
+reply without knowing or caring whether they are the same. This is
+acceptable because nobody but the principal whose identity was given in the
+request will be able to use the reply. Its critical information is encrypted
+in that principal's key. The initial request supports an optional field that
+can be used to pass additional information that might be needed for the
+initial exchange. This field may be used for preauthentication as described
+in section [hl<>].
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.1.1. Generation of KRB_AS_REQ message
+
+The client may specify a number of options in the initial request. Among
+these options are whether pre-authentication is to be performed; whether the
+requested ticket is to be renewable, proxiable, or forwardable; whether it
+should be postdated or allow postdating of derivative tickets; and whether a
+renewable ticket will be accepted in lieu of a non-renewable ticket if the
+requested ticket expiration date cannot be satisfied by a non-renewable
+ticket (due to configuration constraints; see section 4). See section A.1
+for pseudocode.
+
+The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+If all goes well, processing the KRB_AS_REQ message will result in the
+creation of a ticket for the client to present to the server. The format for
+the ticket is described in section 5.3.1. The contents of the ticket are
+determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+The authentication server looks up the client and server principals named in
+the KRB_AS_REQ in its database, extracting their respective keys. If
+required, the server pre-authenticates the request, and if the
+pre-authentication check fails, an error message with the code
+KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
+requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
+is returned. Otherwise it generates a 'random' session key[7].
+
+If there are multiple encryption keys registered for a client in the
+Kerberos database (or if the key registered supports multiple encryption
+types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
+request is used by the KDC to select the encryption method to be used for
+encrypting the response to the client. If there is more than one supported,
+strong encryption type in the etype list, the first valid etype for which an
+encryption key is available is used. The encryption method used to respond
+to a TGS request is taken from the keytype of the session key found in the
+ticket granting ticket. [***I will change the example keytypes to be 3DES
+based examples 7/14***]
+
+When the etype field is present in a KDC request, whether an AS or TGS
+request, the KDC will attempt to assign the type of the random session key
+from the list of methods in the etype field. The KDC will select the
+appropriate type using the list of methods provided together with
+information from the Kerberos database indicating acceptable encryption
+methods for the application server. The KDC will not issue tickets with a
+weak session key encryption type.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise
+the requested start time is checked against the policy of the local realm
+(the administrator might decide to prohibit certain types or ranges of
+postdated tickets), and if acceptable, the ticket's start time is set as
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+requested and the INVALID flag is set in the new ticket. The postdated
+ticket must be validated before use by presenting it to the KDC after the
+start time has been reached.
+
+The expiration time of the ticket will be set to the minimum of the
+following:
+
+   * The expiration time (endtime) requested in the KRB_AS_REQ message.
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the client principal (the authentication server's database
+     includes a maximum ticket lifetime field in each principal's record;
+     see section 4).
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the server principal.
+   * The ticket's start time plus the maximum lifetime set by the policy of
+     the local realm.
+
+If the requested expiration time minus the start time (as determined above)
+is less than a site-determined minimum lifetime, an error message with code
+KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
+ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
+option was requested, then the 'RENEWABLE' flag is set in the new ticket,
+and the renew-till value is set as if the 'RENEWABLE' option were requested
+(the field and option names are described fully in section 5.4.1).
+
+If the RENEWABLE option has been requested or if the RENEWABLE-OK option has
+been set and a renewable ticket is to be issued, then the renew-till field
+is set to the minimum of:
+
+   * Its requested value.
+   * The start time of the ticket plus the minimum of the two maximum
+     renewable lifetimes associated with the principals' database entries.
+   * The start time of the ticket plus the maximum renewable lifetime set by
+     the policy of the local realm.
+
+The flags field of the new ticket will have the following options set if
+they have been requested and if the policy of the local realm allows:
+FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
+ticket is post-dated (the start time is in the future), its INVALID flag
+will also be set.
+
+If all of the above succeed, the server formats a KRB_AS_REP message (see
+section 5.4.2), copying the addresses in the request into the caddr of the
+response, placing any required pre-authentication data into the padata of
+the response, and encrypts the ciphertext part in the client's key using the
+requested encryption method, and sends it to the client. See section A.2 for
+pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+Several errors can occur, and the Authentication Server responds by
+returning an error message, KRB_ERROR, to the client, with the error-code
+and e-text fields set to appropriate values. The error message contents and
+details are described in Section 5.9.1.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.1.5. Receipt of KRB_AS_REP message
+
+If the reply message type is KRB_AS_REP, then the client verifies that the
+cname and crealm fields in the cleartext portion of the reply match what it
+requested. If any padata fields are present, they may be used to derive the
+proper secret key to decrypt the message. The client decrypts the encrypted
+part of the response using its secret key, verifies that the nonce in the
+encrypted part matches the nonce it supplied in its request (to detect
+replays). It also verifies that the sname and srealm in the response match
+those in the request (or are otherwise expected values), and that the host
+address field is also correct. It then stores the ticket, session key, start
+and expiration times, and other information for later use. The
+key-expiration field from the encrypted part of the response may be checked
+to notify the user of impending key expiration (the client program could
+then suggest remedial action, such as a password change). See section A.3
+for pseudocode.
+
+Proper decryption of the KRB_AS_REP message is not sufficient to verify the
+identity of the user; the user and an attacker could cooperate to generate a
+KRB_AS_REP format message which decrypts properly but is not from the proper
+KDC. If the host wishes to verify the identity of the user, it must require
+the user to present application credentials which can be verified using a
+securely-stored secret key for the host. If those credentials can be
+verified, then the identity of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+If the reply message type is KRB_ERROR, then the client interprets it as an
+error and performs whatever application-specific tasks are necessary to
+recover.
+
+3.2. The Client/Server Authentication Exchange
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+The client/server authentication (CS) exchange is used by network
+applications to authenticate the client to the server and vice versa. The
+client must have already acquired credentials for the server using the AS or
+TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+The KRB_AP_REQ contains authentication information which should be part of
+the first message in an authenticated transaction. It contains a ticket, an
+authenticator, and some additional bookkeeping information (see section
+5.5.1 for the exact format). The ticket by itself is insufficient to
+authenticate a client, since tickets are passed across the network in
+cleartext[DS90], so the authenticator is used to prevent invalid replay of
+tickets by proving to the server that the client knows the session key of
+the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is
+referred to elsewhere as the 'authentication header.'
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+When a client wishes to initiate authentication to a server, it obtains
+(either through a credentials cache, the AS exchange, or the TGS exchange) a
+ticket and session key for the desired service. The client may re-use any
+tickets it holds until they expire. To use a ticket the client constructs a
+new Authenticator from the the system time, its name, and optionally an
+application specific checksum, an initial sequence number to be used in
+KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
+negotiations for a session key unique to this particular session.
+Authenticators may not be re-used and will be rejected if replayed to a
+server[LGDSR87]. If a sequence number is to be included, it should be
+randomly chosen so that even after many messages have been exchanged it is
+not likely to collide with other sequence numbers in use.
+
+The client may indicate a requirement of mutual authentication or the use of
+a session-key based ticket by setting the appropriate flag(s) in the
+ap-options field of the message.
+
+The Authenticator is encrypted in the session key and combined with the
+ticket to form the KRB_AP_REQ message which is then sent to the end server
+along with any additional application-specific information. See section A.9
+for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+Authentication is based on the server's current time of day (clocks must be
+loosely synchronized), the authenticator, and the ticket. Several errors are
+possible. If an error occurs, the server is expected to reply to the client
+with a KRB_ERROR message. This message may be encapsulated in the
+application protocol if its 'raw' form is not acceptable to the protocol.
+The format of error messages is described in section 5.9.1.
+
+The algorithm for verifying authentication information is as follows. If the
+message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE
+error. If the key version indicated by the Ticket in the KRB_AP_REQ is not
+one the server can use (e.g., it indicates an old key, and the server no
+longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is
+returned. If the USE-SESSION-KEY flag is set in the ap-options field, it
+indicates to the server that the ticket is encrypted in the session key from
+the server's ticket-granting ticket rather than its secret key[10]. Since it
+is possible for the server to be registered in multiple realms, with
+different keys in each, the srealm field in the unencrypted portion of the
+ticket in the KRB_AP_REQ is used to specify which secret key the server
+should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is
+returned if the server doesn't have the proper key to decipher the ticket.
+
+The ticket is decrypted using the version of the server's key specified by
+the ticket. If the decryption routines detect a modification of the ticket
+(each encryption system must provide safeguards to detect modified
+ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
+(chances are good that different keys were used to encrypt and decrypt).
+
+The authenticator is decrypted using the session key extracted from the
+decrypted ticket. If decryption shows it to have been modified, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client
+from the ticket are compared against the same fields in the authenticator.
+If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+not match, for example, if the wrong session key was used to encrypt the
+authenticator). The addresses in the ticket (if any) are then searched for
+an address matching the operating-system reported address of the client. If
+no match is found or the server insists on ticket addresses but none are
+present in the ticket, the KRB_AP_ERR_BADADDR error is returned.
+
+If the local (server) time and the client time in the authenticator differ
+by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW
+error is returned. If the server name, along with the client name, time and
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must
+remember any authenticator presented within the allowable clock skew, so
+that a replay attempt is guaranteed to fail. If a server loses track of any
+authenticator presented within the allowable clock skew, it must reject all
+requests until the clock skew interval has passed. This assures that any
+lost or re-played authenticators will fall outside the allowable clock skew
+and can no longer be successfully replayed (If this is not done, an attacker
+could conceivably record the ticket and authenticator sent over the network
+to a server, then disable the client's host, pose as the disabled host, and
+replay the ticket and authenticator to subvert the authentication.). If a
+sequence number is provided in the authenticator, the server saves it for
+later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is
+present, the server either saves it for later use or uses it to help
+generate its own choice for a subkey to be returned in a KRB_AP_REP message.
+
+The server computes the age of the ticket: local (server) time minus the
+start time inside the Ticket. If the start time is later than the current
+time by more than the allowable clock skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
+current time is later than end time by more than the allowable clock skew,
+the KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+If all these checks succeed without an error, the server is assured that the
+client possesses the credentials of the principal named in the ticket and
+thus, the client has been authenticated to the server. See section A.10 for
+pseudocode.
+
+Passing these checks provides only authentication of the named principal; it
+does not imply authorization to use the named service. Applications must
+make a separate authorization decisions based upon the authenticated name of
+the user, the requested operation, local acces control information such as
+that contained in a .k5login or .k5users file, and possibly a separate
+distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+Typically, a client's request will include both the authentication
+information and its initial request in the same message, and the server need
+not explicitly reply to the KRB_AP_REQ. However, if mutual authentication
+(not only authenticating the client to the server, but also the server to
+the client) is being performed, the KRB_AP_REQ message will have
+MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is
+required in response. As with the error message, this message may be
+encapsulated in the application protocol if its "raw" form is not acceptable
+to the application's protocol. The timestamp and microsecond field used in
+the reply must be the client's timestamp and microsecond field (as provided
+in the authenticator)[12]. If a sequence number is to be included, it should
+be randomly chosen as described above for the authenticator. A subkey may be
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+included if the server desires to negotiate a different subkey. The
+KRB_AP_REP message is encrypted in the session key extracted from the
+ticket. See section A.11 for pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+If a KRB_AP_REP message is returned, the client uses the session key from
+the credentials obtained for the server[13] to decrypt the message, and
+verifies that the timestamp and microsecond fields match those in the
+Authenticator it sent to the server. If they match, then the client is
+assured that the server is genuine. The sequence number and subkey (if
+present) are retained for later use. See section A.12 for pseudocode.
+
+3.2.6. Using the encryption key
+
+After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server
+share an encryption key which can be used by the application. The 'true
+session key' to be used for KRB_PRIV, KRB_SAFE, or other
+application-specific uses may be chosen by the application based on the
+subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
+the use of this session key will be implicit in the protocol; in others the
+method of use must be chosen from several alternatives. We leave the
+protocol negotiations of how to use the key (e.g. selecting an encryption or
+checksum type) to the application programmer; the Kerberos protocol does not
+constrain the implementation options, but an example of how this might be
+done follows.
+
+One way that an application may choose to negotiate a key to be used for
+subequent integrity and privacy protection is for the client to propose a
+key in the subkey field of the authenticator. The server can then choose a
+key using the proposed key from the client as input, returning the new
+subkey in the subkey field of the application reply. This key could then be
+used for subsequent communication. To make this example more concrete, if
+the encryption method in use required a 56 bit key, and for whatever reason,
+one of the parties was prevented from using a key with more than 40 unknown
+bits, this method would allow the the party which is prevented from using
+more than 40 bits to either propose (if the client) an initial key with a
+known quantity for 16 of those bits, or to mask 16 of the bits (if the
+server) with the known quantity. The application implementor is warned,
+however, that this is only an example, and that an analysis of the
+particular crytosystem to be used, and the reasons for limiting the key
+length, must be made before deciding whether it is acceptable to mask bits
+of the key.
+
+With both the one-way and mutual authentication exchanges, the peers should
+take care not to send sensitive information to each other without proper
+assurances. In particular, applications that require privacy or integrity
+should use the KRB_AP_REP response from the server to client to assure both
+client and server of their peer's identity. If an application protocol
+requires privacy of its messages, it can use the KRB_PRIV message (section
+3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+The TGS exchange between a client and the Kerberos Ticket-Granting Server is
+initiated by a client when it wishes to obtain authentication credentials
+for a given server (which might be registered in a remote realm), when it
+wishes to renew or validate an existing ticket, or when it wishes to obtain
+a proxy ticket. In the first case, the client must already have acquired a
+ticket for the Ticket-Granting Service using the AS exchange (the
+ticket-granting ticket is usually obtained when a client initially
+authenticates to the system, such as when a user logs in). The message
+format for the TGS exchange is almost identical to that for the AS exchange.
+The primary difference is that encryption and decryption in the TGS exchange
+does not take place under the client's key. Instead, the session key from
+the ticket-granting ticket or renewable ticket, or sub-session key from an
+Authenticator is used. As is the case for all application servers, expired
+tickets are not accepted by the TGS, so once a renewable or ticket-granting
+ticket expires, the client must use a separate exchange to obtain valid
+tickets.
+
+The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
+client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
+KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
+client plus a request for credentials. The authentication information
+consists of the authentication header (KRB_AP_REQ) which includes the
+client's previously obtained ticket-granting, renewable, or invalid ticket.
+In the ticket-granting ticket and proxy cases, the request may include one
+or more of: a list of network addresses, a collection of typed authorization
+data to be sealed in the ticket for authorization use by the application
+server, or additional tickets (the use of which are described later). The
+TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the
+session key from the ticket-granting ticket or renewable ticket, or if
+present, in the sub-session key from the Authenticator (part of the
+authentication header). The KRB_ERROR message contains an error code and
+text explaining what went wrong. The KRB_ERROR message is not encrypted. The
+KRB_TGS_REP message contains information which can be used to detect
+replays, and to associate it with the message to which it replies. The
+KRB_ERROR message also contains information which can be used to associate
+it with the message to which it replies, but the lack of encryption in the
+KRB_ERROR message precludes the ability to detect replays or fabrications of
+such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+Before sending a request to the ticket-granting service, the client must
+determine in which realm the application server is registered[15]. If the
+client does not already possess a ticket-granting ticket for the appropriate
+realm, then one must be obtained. This is first attempted by requesting a
+ticket-granting ticket for the destination realm from a Kerberos server for
+which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ
+message recursively). The Kerberos server may return a TGT for the desired
+realm in which case one can proceed. Alternatively, the Kerberos server may
+return a TGT for a realm which is 'closer' to the desired realm (further
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+along the standard hierarchical path), in which case this step must be
+repeated with a Kerberos server in the realm specified in the returned TGT.
+If neither are returned, then the request must be retried with a Kerberos
+server for a realm higher in the hierarchy. This request will itself require
+a ticket-granting ticket for the higher realm which must be obtained by
+recursively applying these directions.
+
+Once the client obtains a ticket-granting ticket for the appropriate realm,
+it determines which Kerberos servers serve that realm, and contacts one. The
+list might be obtained through a configuration file or network service or it
+may be generated from the name of the realm; as long as the secret keys
+exchanged by realms are kept secret, only denial of service results from
+using a false Kerberos server.
+
+As in the AS exchange, the client may specify a number of options in the
+KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
+an authentication header as an element of the padata field, and including
+the same fields as used in the KRB_AS_REQ message along with several
+optional fields: the enc-authorization-data field for application server use
+and additional tickets required by some options.
+
+In preparing the authentication header, the client can select a sub-session
+key under which the response from the Kerberos server will be encrypted[16].
+If the sub-session key is not specified, the session key from the
+ticket-granting ticket will be used. If the enc-authorization-data is
+present, it must be encrypted in the sub-session key, if present, from the
+authenticator portion of the authentication header, or if not present, using
+the session key from the ticket-granting ticket.
+
+Once prepared, the message is sent to a Kerberos server for the destination
+realm. See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
+message, but there are many additional checks to be performed. First, the
+Kerberos server must determine which server the accompanying ticket is for
+and it must select the appropriate key to decrypt it. For a normal
+KRB_TGS_REQ message, it will be for the ticket granting service, and the
+TGS's key will be used. If the TGT was issued by another realm, then the
+appropriate inter-realm key must be used. If the accompanying ticket is not
+a ticket granting ticket for the current realm, but is for an application
+server in the current realm, the RENEW, VALIDATE, or PROXY options are
+specified in the request, and the server for which a ticket is requested is
+the server named in the accompanying ticket, then the KDC will decrypt the
+ticket in the authentication header using the key of the server for which it
+was issued. If no ticket can be found in the padata field, the
+KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+Once the accompanying ticket has been decrypted, the user-supplied checksum
+in the Authenticator must be verified against the contents of the request,
+and the message rejected if the checksums do not match (with an error code
+of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
+collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
+checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
+returned. If the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+If any of the decryptions indicate failed integrity checks, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.3.3. Generation of KRB_TGS_REP message
+
+The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP),
+but with its type field set to KRB_TGS_REP. The detailed specification is in
+section 5.4.2.
+
+The response will include a ticket for the requested server. The Kerberos
+database is queried to retrieve the record for the requested server
+(including the key with which the ticket will be encrypted). If the request
+is for a ticket granting ticket for a remote realm, and if no key is shared
+with the requested realm, then the Kerberos server will select the realm
+"closest" to the requested realm with which it does share a key, and use
+that realm instead. This is the only case where the response from the KDC
+will be for a different server than that requested by the client.
+
+By default, the address field, the client's name and realm, the list of
+transited realms, the time of initial authentication, the expiration time,
+and the authorization data of the newly-issued ticket will be copied from
+the ticket-granting ticket (TGT) or renewable ticket. If the transited field
+needs to be updated, but the transited type is not supported, the
+KDC_ERR_TRTYPE_NOSUPP error is returned.
+
+If the request specifies an endtime, then the endtime of the new ticket is
+set to the minimum of (a) that request, (b) the endtime from the TGT, and
+(c) the starttime of the TGT plus the minimum of the maximum life for the
+application server and the maximum life for the local realm (the maximum
+life for the requesting principal was already applied when the TGT was
+issued). If the new ticket is to be a renewal, then the endtime above is
+replaced by the minimum of (a) the value of the renew_till field of the
+ticket and (b) the starttime for the new ticket plus the life
+(endtime-starttime) of the old ticket.
+
+If the FORWARDED option has been requested, then the resulting ticket will
+contain the addresses specified by the client. This option will only be
+honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
+similar; the resulting ticket will contain the addresses specified by the
+client. It will be honored only if the PROXIABLE flag in the TGT is set. The
+PROXY option will not be honored on requests for additional ticket-granting
+tickets.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified or the MAY-POSTDATE flag is not set in the TGT, then the
+error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting
+ticket has the MAY-POSTDATE flag set, then the resulting ticket will be
+postdated and the requested starttime is checked against the policy of the
+local realm. If acceptable, the ticket's start time is set as requested, and
+the INVALID flag is set. The postdated ticket must be validated before use
+by presenting it to the KDC after the starttime has been reached. However,
+in no case may the starttime, endtime, or renew-till time of a newly-issued
+postdated ticket extend beyond the renew-till time of the ticket-granting
+ticket.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+has been included in the request, the KDC will decrypt the additional ticket
+using the key for the server to which the additional ticket was issued and
+verify that it is a ticket-granting ticket. If the name of the requested
+server is missing from the request, the name of the client in the additional
+ticket will be used. Otherwise the name of the requested server will be
+compared to the name of the client in the additional ticket and if
+different, the request will be rejected. If the request succeeds, the
+session key from the additional ticket will be used to encrypt the new
+ticket that is issued instead of using the key of the server for which the
+new ticket will be used[17].
+
+If the name of the server in the ticket that is presented to the KDC as part
+of the authentication header is not that of the ticket-granting server
+itself, the server is registered in the realm of the KDC, and the RENEW
+option is requested, then the KDC will verify that the RENEWABLE flag is set
+in the ticket, that the INVALID flag is not set in the ticket, and that the
+renew_till time is still in the future. If the VALIDATE option is rqeuested,
+the KDC will check that the starttime has passed and the INVALID flag is
+set. If the PROXY option is requested, then the KDC will check that the
+PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket
+passes the hotlist check described in the next paragraph, the KDC will issue
+the appropriate new ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+Whenever a request is made to the ticket-granting server, the presented
+ticket(s) is(are) checked against a hot-list of tickets which have been
+canceled. This hot-list might be implemented by storing a range of issue
+timestamps for 'suspect tickets'; if a presented ticket had an authtime in
+that range, it would be rejected. In this way, a stolen ticket-granting
+ticket or renewable ticket cannot be used to gain additional tickets
+(renewals or otherwise) once the theft has been reported. Any normal ticket
+obtained before it was reported stolen will still be valid (because they
+require no interaction with the KDC), but only until their normal expiration
+time.
+
+The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+in the sub-session key from the Authenticator, if present, or the session
+key key from the ticket-granting ticket. It is not encrypted using the
+client's secret key. Furthermore, the client's key's expiration date and the
+key version number fields are left out since these values are stored along
+with the client's database record, and that record is not needed to satisfy
+a request based on a ticket-granting ticket. See section A.6 for pseudocode.
+
+3.3.3.2. Encoding the transited field
+
+If the identity of the server in the TGT that is presented to the KDC as
+part of the authentication header is that of the ticket-granting service,
+but the TGT was issued from another realm, the KDC will look up the
+inter-realm key shared with that realm and use that key to decrypt the
+ticket. If the ticket is valid, then the KDC will honor the request, subject
+to the constraints outlined above in the section describing the AS exchange.
+The realm part of the client's identity will be taken from the
+ticket-granting ticket. The name of the realm that issued the
+ticket-granting ticket will be added to the transited field of the ticket to
+be issued. This is accomplished by reading the transited field from the
+ticket-granting ticket (which is treated as an unordered set of realm
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+names), adding the new realm to the set, then constructing and writing out
+its encoded (shorthand) form (this may involve a rearrangement of the
+existing encoding).
+
+Note that the ticket-granting service does not add the name of its own
+realm. Instead, its responsibility is to add the name of the previous realm.
+This prevents a malicious Kerberos server from intentionally leaving out its
+own name (it could, however, omit other realms' names).
+
+The names of neither the local realm nor the principal's realm are to be
+included in the transited field. They appear elsewhere in the ticket and
+both are known to have taken part in authenticating the principal. Since the
+endpoints are not included, both local and single-hop inter-realm
+authentication result in a transited field that is empty.
+
+Because the name of each realm transited is added to this field, it might
+potentially be very long. To decrease the length of this field, its contents
+are encoded. The initially supported encoding is optimized for the normal
+case of inter-realm communication: a hierarchical arrangement of realms
+using either domain or X.500 style realm names. This encoding (called
+DOMAIN-X500-COMPRESS) is now described.
+
+Realm names in the transited field are separated by a ",". The ",", "\",
+trailing "."s, and leading spaces (" ") are special characters, and if they
+are part of a realm name, they must be quoted in the transited field by
+preced- ing them with a "\".
+
+A realm name ending with a "." is interpreted as being prepended to the
+previous realm. For example, we can encode traversal of EDU, MIT.EDU,
+ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they
+would not be included in this field, and we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is interpreted as being appended to the
+previous realm[18]. If it is to stand by itself, then it should be preceded
+by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
+/COM/HP, /COM, and /COM/DEC as:
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+
+Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
+they would not be included in this field, and we would have:
+
+     "/COM,/HP"
+
+A null subfield preceding or following a "," indicates that all realms
+between the previous realm and the next realm have been traversed[19]. Thus,
+"," means that all realms along the path between the client and the server
+have been traversed. ",EDU, /COM," means that that all realms from the
+client's realm up to EDU (in a domain style hierarchy) have been traversed,
+and that everything from /COM down to the server's realm in an X.500 style
+has also been traversed. This could occur if the EDU realm in one hierarchy
+shares an inter-realm key directly with the /COM realm in another hierarchy.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it is processed in the same
+manner as the KRB_AS_REP processing described above. The primary difference
+is that the ciphertext part of the response must be decrypted using the
+session key from the ticket-granting ticket rather than the client's secret
+key. See section A.7 for pseudocode.
+
+3.4. The KRB_SAFE Exchange
+
+The KRB_SAFE message may be used by clients requiring the ability to detect
+modifications of messages they exchange. It achieves this by including a
+keyed collision-proof checksum of the user data and some control
+information. The checksum is keyed with an encryption key (usually the last
+key negotiated via subkeys, or the session key if no negotiation has
+occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+When an application wishes to send a KRB_SAFE message, it collects its data
+and the appropriate control information and computes a checksum over them.
+The checksum algorithm should be a keyed one-way hash function (such as the
+RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC),
+generated using the sub-session key if present, or the session key.
+Different algorithms may be selected by changing the checksum type in the
+message. Unkeyed or non-collision-proof checksums are not suitable for this
+use.
+
+The control information for the KRB_SAFE message includes both a timestamp
+and a sequence number. The designer of an application using the KRB_SAFE
+message must choose at least one of the two mechanisms. This choice should
+be based on the needs of the application protocol.
+
+Sequence numbers are useful when all messages sent will be received by one's
+peer. Connection state is presently required to maintain the session key, so
+maintaining the next sequence number should not present an additional
+problem.
+
+If the application protocol is expected to tolerate lost messages without
+them being resent, the use of the timestamp is the appropriate replay
+detection mechanism. Using timestamps is also the appropriate mechanism for
+multi-cast protocols where all of one's peers share a common sub-session
+key, but some messages will be sent to a subset of one's peers.
+
+After computing the checksum, the client then transmits the information and
+checksum to the recipient in the message format specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_SAFE, respectively. A mismatch
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application verifies that the checksum used is a collision-proof keyed
+checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If
+the sender's address was included in the control information, the recipient
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+verifies that the operating system's report of the sender's address matches
+the sender's address in the message, and (if a recipient address is
+specified or the recipient requires an address) that one of the recipient's
+addresses appears as the recipient's address in the message. A failed match
+for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
+usec and/or the sequence number fields are checked. If timestamp and usec
+are expected and not present, or they are present but not current, the
+KRB_AP_ERR_SKEW error is generated. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT
+error is generated. If an incorrect sequence number is included, or a
+sequence number is expected but not present, the KRB_AP_ERR_BADORDER error
+is generated. If neither a time-stamp and usec or a sequence number is
+present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is
+computed over the data and control information, and if it doesn't match the
+received checksum, a KRB_AP_ERR_MODIFIED error is generated.
+
+If all the checks succeed, the application is assured that the message was
+generated by its peer and was not modi- fied in transit.
+
+3.5. The KRB_PRIV Exchange
+
+The KRB_PRIV message may be used by clients requiring confidentiality and
+the ability to detect modifications of exchanged messages. It achieves this
+by encrypting the messages and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+When an application wishes to send a KRB_PRIV message, it collects its data
+and the appropriate control information (specified in section 5.7.1) and
+encrypts them under an encryption key (usually the last key negotiated via
+subkeys, or the session key if no negotiation has occured). As part of the
+control information, the client must choose to use either a timestamp or a
+sequence number (or both); see the discussion in section 3.4.1 for
+guidelines on which to use. After the user data and control information are
+encrypted, the client transmits the ciphertext and some 'envelope'
+information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_PRIV, respectively. A mismatch
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application then decrypts the ciphertext and processes the resultant
+plaintext. If decryption shows the data to have been modified, a
+KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was
+included in the control information, the recipient verifies that the
+operating system's report of the sender's address matches the sender's
+address in the message, and (if a recipient address is specified or the
+recipient requires an address) that one of the recipient's addresses appears
+as the recipient's address in the message. A failed match for either case
+generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the
+sequence number fields are checked. If timestamp and usec are expected and
+not present, or they are present but not current, the KRB_AP_ERR_SKEW error
+is generated. If the server name, along with the client name, time and
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence
+number is included, or a sequence number is expected but not present, the
+KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
+a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+If all the checks succeed, the application can assume the message was
+generated by its peer, and was securely transmitted (without intruders able
+to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+The KRB_CRED message may be used by clients requiring the ability to send
+Kerberos credentials from one host to another. It achieves this by sending
+the tickets together with encrypted data containing the session keys and
+other information associated with the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+When an application wishes to send a KRB_CRED message it first (using the
+KRB_TGS exchange) obtains credentials to be sent to the remote host. It then
+constructs a KRB_CRED message using the ticket or tickets so obtained,
+placing the session key needed to use each ticket in the key field of the
+corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED
+message.
+
+Other information associated with each ticket and obtained during the
+KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in
+the encrypted part of the KRB_CRED message. The current time and, if
+specifically required by the application the nonce, s-address, and r-address
+fields, are placed in the encrypted part of the KRB_CRED message which is
+then encrypted under an encryption key previosuly exchanged in the KRB_AP
+exchange (usually the last key negotiated via subkeys, or the session key if
+no negotiation has occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies it. If any
+error occurs, an error code is reported for use by the application. The
+message is verified by checking that the protocol version and type fields
+match the current version and KRB_CRED, respectively. A mismatch generates a
+KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
+decrypts the ciphertext and processes the resultant plaintext. If decryption
+shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
+generated.
+
+If present or required, the recipient verifies that the operating system's
+report of the sender's address matches the sender's address in the message,
+and that one of the recipient's addresses appears as the recipient's address
+in the message. A failed match for either case generates a
+KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce field
+if required) are checked next. If the timestamp and usec are not present, or
+they are present but not current, the KRB_AP_ERR_SKEW error is generated.
+
+If all the checks succeed, the application stores each of the new tickets in
+its ticket cache together with the session key and other information in the
+corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED
+message.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+4. The Kerberos Database
+
+The Kerberos server must have access to a database contain- ing the
+principal identifiers and secret keys of principals to be authenticated[21].
+
+4.1. Database contents
+
+A database entry should contain at least the following fields:
+
+Field                Value
+
+name                 Principal's identifier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier. The key field
+contains an encryption key. This key is the principal's secret key. (The key
+can be encrypted before storage under a Kerberos "master key" to protect it
+in case the database is compromised but the master key is not. In that case,
+an extra field must be added to indicate the master key version used, see
+below.) The p_kvno field is the key version number of the principal's secret
+key. The max_life field contains the maximum allowable lifetime (endtime -
+starttime) for any Ticket issued for this principal. The max_renewable_life
+field contains the maximum allowable total lifetime for any renewable Ticket
+issued for this principal. (See section 3.1 for a description of how these
+lifetimes are used in determining the lifetime of a given Ticket.)
+
+A server may provide KDC service to several realms, as long as the database
+representation provides a mechanism to distinguish between principal records
+with identifiers which differ only in the realm name.
+
+When an application server's key changes, if the change is routine (i.e. not
+the result of disclosure of the old key), the old key should be retained by
+the server until all tickets that had been issued using that key have
+expired. Because of this, it is possible for several keys to be active for a
+single principal. Ciphertext encrypted in a principal's key is always tagged
+with the version of the key that was used for encryption, to help the
+recipient find the proper key for decryption.
+
+When more than one key is active for a particular principal, the principal
+will have more than one record in the Kerberos database. The keys and key
+version numbers will differ between the records (the rest of the fields may
+or may not be the same). Whenever Kerberos issues a ticket, or responds to a
+request for initial authentication, the most recent key (known by the
+Kerberos server) will be used for encryption. This is the key with the
+highest key version number.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+4.2. Additional fields
+
+Project Athena's KDC implementation uses additional fields in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+mod_name     Modifying principal's identifier
+
+The K_kvno field indicates the key version of the Kerberos master key under
+which the principal's secret key is encrypted.
+
+After an entry's expiration date has passed, the KDC will return an error to
+any client attempting to gain tickets as or for the principal. (A database
+may want to maintain two expiration dates: one for the principal, and one
+for the principal's current key. This allows password aging to work
+independently of the principal's expiration date. However, due to the
+limited space in the responses, the KDC must combine the key expiration and
+principal expiration date into a single value called 'key_exp', which is
+used as a hint to the user to take administrative action.)
+
+The attributes field is a bitfield used to govern the operations involving
+the principal. This field might be useful in conjunction with user
+registration procedures, for site-specific policy implementations (Project
+Athena currently uses it for their user registration process controlled by
+the system-wide database service, Moira [LGDSR87]), to identify whether a
+principal can play the role of a client or server or both, to note whether a
+server is appropriate trusted to recieve credentials delegated by a client,
+or to identify the 'string to key' conversion algorithm used for a
+principal's key[22]. Other bits are used to indicate that certain ticket
+options should not be allowed in tickets encrypted under a principal's key
+(one bit each): Disallow issuing postdated tickets, disallow issuing
+forwardable tickets, disallow issuing tickets based on TGT authentication,
+disallow issuing renewable tickets, disallow issuing proxiable tickets, and
+disallow issuing tickets for which the principal is the server.
+
+The mod_date field contains the time of last modification of the entry, and
+the mod_name field contains the name of the principal which last modified
+the entry.
+
+4.3. Frequently Changing Fields
+
+Some KDC implementations may wish to maintain the last time that a request
+was made by a particular principal. Information that might be maintained
+includes the time of the last request, the time of the last request for a
+ticket-granting ticket, the time of the last use of a ticket-granting
+ticket, or other times. This information can then be returned to the user in
+the last-req field (see section 5.2).
+
+Other frequently changing information that can be maintained is the latest
+expiration time for any tickets that have been issued using each key. This
+field would be used to indicate how long old keys must remain valid to allow
+the continued use of outstanding tickets.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+4.4. Site Constants
+
+The KDC implementation should have the following configurable constants or
+options, to allow an administrator to make and enforce policy decisions:
+
+   * The minimum supported lifetime (used to determine whether the
+     KDC_ERR_NEVER_VALID error should be returned). This constant should
+     reflect reasonable expectations of round-trip time to the KDC,
+     encryption/decryption time, and processing time by the client and
+     target server, and it should allow for a minimum 'useful' lifetime.
+   * The maximum allowable total (renewable) lifetime of a ticket
+     (renew_till - starttime).
+   * The maximum allowable lifetime of a ticket (endtime - starttime).
+   * Whether to allow the issue of tickets with empty address fields
+     (including the ability to specify that such tickets may only be issued
+     if the request specifies some authorization_data).
+   * Whether proxiable, forwardable, renewable or post-datable tickets are
+     to be issued.
+
+5. Message Specifications
+
+The following sections describe the exact contents and encoding of protocol
+messages and objects. The ASN.1 base definitions are presented in the first
+subsection. The remaining subsections specify the protocol objects (tickets
+and authenticators) and messages. Specification of encryption and checksum
+techniques, and the fields related to them, appear in section 6.
+
+Optional field in ASN.1 sequences
+
+For optional integer value and date fields in ASN.1 sequences where a
+default value has been specified, certain default values will not be allowed
+in the encoding because these values will always be represented through
+defaulting by the absence of the optional field. For example, one will not
+send a microsecond zero value because one must make sure that there is only
+one way to encode this value.
+
+Additional fields in ASN.1 sequences
+
+Implementations receiving Kerberos messages with additional fields present
+in ASN.1 sequences should carry the those fields through, unmodified, when
+the message is forwarded. Implementations should not drop such fields if the
+sequence is reencoded.
+
+5.1. ASN.1 Distinguished Encoding Representation
+
+All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+Representation of the data elements as described in the X.509 specification,
+section 8.7 [X509-88].
+
+5.3. ASN.1 Base Definitions
+
+The following ASN.1 base definitions are used in the rest of this section.
+Note that since the underscore character (_) is not permitted in ASN.1
+names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Kerberos realms are encoded as GeneralStrings. Realms shall not contain a
+character with the code 0 (the ASCII NUL). Most realms will usually consist
+of several components separated by periods (.), in the style of Internet
+Domain Names, or separated by slashes (/) in the style of X.500 names.
+Acceptable forms for realm names are specified in section 7. A PrincipalName
+is a typed sequence of components consisting of the following sub-fields:
+
+name-type
+     This field specifies the type of name that follows. Pre-defined values
+     for this field are specified in section 7.2. The name-type should be
+     treated as a hint. Ignoring the name type, no two names can be the same
+     (i.e. at least one of the components, or the realm, must be different).
+     This constraint may be eliminated in the future.
+name-string
+     This field encodes a sequence of components that form a name, each
+     component encoded as a GeneralString. Taken together, a PrincipalName
+     and a Realm form a principal identifier. Most PrincipalNames will have
+     only a few components (typically one or two).
+
+KerberosTime ::=   GeneralizedTime
+                   -- Specifying UTC time zone (Z)
+
+The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding
+shall specify the UTC time zone (Z) and shall not include any fractional
+portions of the seconds. It further shall not include any separators.
+Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm
+on 6 November 1985 is 19851106210627Z.
+
+HostAddress ::=     SEQUENCE  {
+                    addr-type[0]             INTEGER,
+                    address[1]               OCTET STRING
+}
+
+HostAddresses ::=   SEQUENCE OF HostAddress
+
+The host adddress encodings consists of two fields:
+
+addr-type
+     This field specifies the type of address that follows. Pre-defined
+     values for this field are specified in section 8.1.
+address
+     This field encodes a single address of type addr-type.
+
+The two forms differ slightly. HostAddress contains exactly one address;
+HostAddresses contains a sequence of possibly many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+ad-data
+     This field contains authorization data to be interpreted according to
+     the value of the corresponding ad-type field.
+ad-type
+     This field specifies the format for the ad-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Each sequence of type and data is refered to as an authorization element.
+Elements may be application specific, however, there is a common set of
+recursive elements that should be understood by all implementations. These
+elements contain other elements embedded within them, and the interpretation
+of the encapsulating element determines which of the embedded elements must
+be interpreted, and which may be ignored. Definitions for these common
+elements may be found in Appendix B.
+
+TicketExtensions ::= SEQUENCE OF SEQUENCE {
+           te-type[0]       INTEGER,
+           te-data[1]       OCTET STRING
+}
+
+te-data
+     This field contains opaque data that must be caried with the ticket to
+     support extensions to the Kerberos protocol including but not limited
+     to some forms of inter-realm key exchange and plaintext authorization
+     data. See appendix C for some common uses of this field.
+te-type
+     This field specifies the format for the te-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+APOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- use-session-key(1),
+                  -- mutual-required(2)
+
+TicketFlags ::= BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- may-postdate(5),
+                  -- postdated(6),
+                  -- invalid(7),
+                  -- renewable(8),
+                  -- initial(9),
+                  -- pre-authent(10),
+                  -- hw-authent(11),
+                  -- transited-policy-checked(12),
+                  -- ok-as-delegate(13)
+
+KDCOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- allow-postdate(5),
+                  -- postdated(6),
+                  -- unused7(7),
+                  -- renewable(8),
+                  -- unused9(9),
+                  -- unused10(10),
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                  -- unused11(11),
+                  -- unused12(12),
+                  -- unused13(13),
+                  -- disable-transited-check(26),
+                  -- renewable-ok(27),
+                  -- enc-tkt-in-skey(28),
+                  -- renew(30),
+                  -- validate(31)
+
+ASN.1 Bit strings have a length and a value. When used in Kerberos for the
+APOptions, TicketFlags, and KDCOptions, the length of the bit string on
+generated values should be the smallest number of bits needed to include the
+highest order bit that is set (1), but in no case less than 32 bits. The
+ASN.1 representation of the bit strings uses unnamed bits, with the meaning
+of the individual bits defined by the comments in the specification above.
+Implementations should accept values of bit strings of any length and treat
+the value of flags corresponding to bits beyond the end of the bit string as
+if the bit were reset (0). Comparison of bit strings of different length
+should treat the smaller string as if it were padded with zeros beyond the
+high order bits to the length of the longer string[23].
+
+LastReq ::=   SEQUENCE OF SEQUENCE {
+               lr-type[0]               INTEGER,
+               lr-value[1]              KerberosTime
+}
+
+lr-type
+     This field indicates how the following lr-value field is to be
+     interpreted. Negative values indicate that the information pertains
+     only to the responding server. Non-negative values pertain to all
+     servers for the realm. If the lr-type field is zero (0), then no
+     information is conveyed by the lr-value subfield. If the absolute value
+     of the lr-type field is one (1), then the lr-value subfield is the time
+     of last initial request for a TGT. If it is two (2), then the lr-value
+     subfield is the time of last initial request. If it is three (3), then
+     the lr-value subfield is the time of issue for the newest
+     ticket-granting ticket used. If it is four (4), then the lr-value
+     subfield is the time of the last renewal. If it is five (5), then the
+     lr-value subfield is the time of last request (of any type). If it is
+     (6), then the lr-value subfield is the time when the password will
+     expire.
+lr-value
+     This field contains the time of the last request. the time must be
+     interpreted according to the contents of the accompanying lr-type
+     subfield.
+
+See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
+EncryptionKey, EncryptionType, and KeyType.
+
+5.3. Tickets and Authenticators
+
+This section describes the format and encryption parameters for tickets and
+authenticators. When a ticket or authenticator is included in a protocol
+message it is treated as an opaque object.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+5.3.1. Tickets
+
+A ticket is a record that helps a client authenticate to a service. A Ticket
+contains the following information:
+
+Ticket ::=        [APPLICATION 1] SEQUENCE {
+                  tkt-vno[0]                   INTEGER,
+                  realm[1]                     Realm,
+                  sname[2]                     PrincipalName,
+                  enc-part[3]                  EncryptedData,
+                  extensions[4]                TicketExtensions OPTIONAL
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be
+registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared by Kerberos and
+the end server (the server's secret key). See section 6 for the format of
+the ciphertext.
+
+tkt-vno
+     This field specifies the version number for the ticket format. This
+     document describes version number 5.
+realm
+     This field specifies the realm that issued a ticket. It also serves to
+     identify the realm part of the server's principal identifier. Since a
+     Kerberos server can only issue tickets for servers within its realm,
+     the two will always be identical.
+sname
+     This field specifies all components of the name part of the server's
+     identity, including those parts that identify a specific instance of a
+     service.
+enc-part
+     This field holds the encrypted encoding of the EncTicketPart sequence.
+extensions
+     [*** This change is still subject to discussion. Several alternatives
+     for this - including none at all - will be distributed to the cat and
+     krb-protocol mailing lists before the Oslo IETF, and an alternative
+     will be selected and the spec modified by 7/14/99 ***] This optional
+     field contains a sequence of extentions that may be used to carry
+     information that must be carried with the ticket to support several
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+     extensions, including but not limited to plaintext authorization data,
+     tokens for exchanging inter-realm keys, and other information that must
+     be associated with a ticket for use by the application server. See
+     Appendix C for definitions of some common extensions.
+
+     Note that some older versions of Kerberos did not support this field.
+     Because this is an optional field it will not break older clients, but
+     older clients might strip this field from the ticket before sending it
+     to the application server. This limits the usefulness of this ticket
+     field to environments where the ticket will not be parsed and
+     reconstructed by these older Kerberos clients.
+
+     If it is known that the client will strip this field from the ticket,
+     as an interim measure the KDC may append this field to the end of the
+     enc-part of the ticket and append a traler indicating the lenght of the
+     appended extensions field. (this paragraph is open for discussion,
+     including the form of the traler).
+flags
+     This field indicates which of various options were used or requested
+     when the ticket was issued. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). Bit 0 is the most
+     significant bit. The encoding of the bits is specified in section 5.2.
+     The flags are described in more detail above in section 2. The meanings
+     of the flags are:
+
+          Bit(s)      Name         Description
+
+          0           RESERVED
+                                   Reserved for future  expansion  of  this
+                                   field.
+
+          1           FORWARDABLE
+                                   The FORWARDABLE flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  When set,  this
+                                   flag  tells  the  ticket-granting server
+                                   that it is OK to  issue  a  new  ticket-
+                                   granting ticket with a different network
+                                   address based on the presented ticket.
+
+          2           FORWARDED
+                                   When set, this flag indicates  that  the
+                                   ticket  has either been forwarded or was
+                                   issued based on authentication involving
+                                   a forwarded ticket-granting ticket.
+
+          3           PROXIABLE
+                                   The  PROXIABLE  flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.   The  PROXIABLE
+                                   flag  has an interpretation identical to
+                                   that of  the  FORWARDABLE  flag,  except
+                                   that   the   PROXIABLE  flag  tells  the
+                                   ticket-granting server  that  only  non-
+                                   ticket-granting  tickets  may  be issued
+                                   with different network addresses.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+          4           PROXY
+                                   When set, this  flag  indicates  that  a
+                                   ticket is a proxy.
+
+          5           MAY-POSTDATE
+                                   The MAY-POSTDATE flag is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  This flag tells
+                                   the  ticket-granting server that a post-
+                                   dated ticket may be issued based on this
+                                   ticket-granting ticket.
+
+          6           POSTDATED
+                                   This flag indicates that this ticket has
+                                   been  postdated.   The  end-service  can
+                                   check the authtime field to see when the
+                                   original authentication occurred.
+
+          7           INVALID
+                                   This flag indicates  that  a  ticket  is
+                                   invalid, and it must be validated by the
+                                   KDC  before  use.   Application  servers
+                                   must reject tickets which have this flag
+                                   set.
+
+          8           RENEWABLE
+                                   The  RENEWABLE  flag  is  normally  only
+                                   interpreted  by the TGS, and can usually
+                                   be ignored by end servers (some particu-
+                                   larly careful servers may wish to disal-
+                                   low  renewable  tickets).   A  renewable
+                                   ticket  can be used to obtain a replace-
+                                   ment ticket  that  expires  at  a  later
+                                   date.
+
+          9           INITIAL
+                                   This flag indicates that this ticket was
+                                   issued  using  the  AS protocol, and not
+                                   issued  based   on   a   ticket-granting
+                                   ticket.
+
+          10          PRE-AUTHENT
+                                   This flag indicates that during  initial
+                                   authentication, the client was authenti-
+                                   cated by the KDC  before  a  ticket  was
+                                   issued.    The   strength  of  the  pre-
+                                   authentication method is not  indicated,
+                                   but is acceptable to the KDC.
+
+          11          HW-AUTHENT
+                                   This flag indicates  that  the  protocol
+                                   employed   for   initial  authentication
+                                   required the use of hardware expected to
+                                   be possessed solely by the named client.
+                                   The hardware  authentication  method  is
+                                   selected  by the KDC and the strength of
+                                   the method is not indicated.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+          12           TRANSITED   This flag indicates that the KDC for the
+                  POLICY-CHECKED   realm has checked the transited field
+                                   against a realm defined policy for
+                                   trusted certifiers.  If this flag is
+                                   reset (0), then the application server
+                                   must check the transited field itself,
+                                   and if unable to do so it must reject
+                                   the authentication.  If the flag is set
+                                   (1) then the application server may skip
+                                   its own validation of the transited
+                                   field, relying on the validation
+                                   performed by the KDC.  At its option the
+                                   application server may still apply its
+                                   own validation based on a separate
+                                   policy for acceptance.
+
+          13      OK-AS-DELEGATE   This flag indicates that the server (not
+                                   the client) specified in the ticket has
+                                   been determined by policy of the realm
+                                   to be a suitable recipient of
+                                   delegation.  A client can use the
+                                   presence of this flag to help it make a
+                                   decision whether to delegate credentials
+                                   (either grant a proxy or a forwarded
+                                   ticket granting ticket) to this server.
+                                   The client is free to ignore the value
+                                   of this flag.  When setting this flag,
+                                   an administrator should consider the
+                                   Security and placement of the server on
+                                   which the service will run, as well as
+                                   whether the service requires the use of
+                                   delegated credentials.
+
+          14          ANONYMOUS
+                                   This flag indicates that  the  principal
+                                   named in the ticket is a generic princi-
+                                   pal for the realm and does not  identify
+                                   the  individual  using  the ticket.  The
+                                   purpose  of  the  ticket  is   only   to
+                                   securely  distribute  a session key, and
+                                   not to identify  the  user.   Subsequent
+                                   requests  using the same ticket and ses-
+                                   sion may be  considered  as  originating
+                                   from  the  same  user, but requests with
+                                   the same username but a different ticket
+                                   are  likely  to originate from different
+                                   users.
+
+          15-31       RESERVED
+                                   Reserved for future use.
+
+key
+     This field exists in the ticket and the KDC response and is used to
+     pass the session key from Kerberos to the application server and the
+     client. The field's encoding is described in section 6.2.
+crealm
+     This field contains the name of the realm in which the client is
+     registered and in which initial authentication took place.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+cname
+     This field contains the name part of the client's principal identifier.
+transited
+     This field lists the names of the Kerberos realms that took part in
+     authenticating the user to whom this ticket was issued. It does not
+     specify the order in which the realms were transited. See section
+     3.3.3.2 for details on how this field encodes the traversed realms.
+     When the names of CA's are to be embedded inthe transited field (as
+     specified for some extentions to the protocol), the X.500 names of the
+     CA's should be mapped into items in the transited field using the
+     mapping defined by RFC2253.
+authtime
+     This field indicates the time of initial authentication for the named
+     principal. It is the time of issue for the original ticket on which
+     this ticket is based. It is included in the ticket to provide
+     additional information to the end service, and to provide the necessary
+     information for implementation of a `hot list' service at the KDC. An
+     end service that is particularly paranoid could refuse to accept
+     tickets for which the initial authentication occurred "too far" in the
+     past. This field is also returned as part of the response from the KDC.
+     When returned as part of the response to initial authentication
+     (KRB_AS_REP), this is the current time on the Ker- beros server[24].
+starttime
+     This field in the ticket specifies the time after which the ticket is
+     valid. Together with endtime, this field specifies the life of the
+     ticket. If it is absent from the ticket, its value should be treated as
+     that of the authtime field.
+endtime
+     This field contains the time after which the ticket will not be honored
+     (its expiration time). Note that individual services may place their
+     own limits on the life of a ticket and may reject tickets which have
+     not yet expired. As such, this is really an upper bound on the
+     expiration time for the ticket.
+renew-till
+     This field is only present in tickets that have the RENEWABLE flag set
+     in the flags field. It indicates the maximum endtime that may be
+     included in a renewal. It can be thought of as the absolute expiration
+     time for the ticket, including all renewals.
+caddr
+     This field in a ticket contains zero (if omitted) or more (if present)
+     host addresses. These are the addresses from which the ticket can be
+     used. If there are no addresses, the ticket can be used from any
+     location. The decision by the KDC to issue or by the end server to
+     accept zero-address tickets is a policy decision and is left to the
+     Kerberos and end-service administrators; they may refuse to issue or
+     accept such tickets. The suggested and default policy, however, is that
+     such tickets will only be issued or accepted when additional
+     information that can be used to restrict the use of the ticket is
+     included in the authorization_data field. Such a ticket is a
+     capability.
+
+     Network addresses are included in the ticket to make it harder for an
+     attacker to use stolen credentials. Because the session key is not sent
+     over the network in cleartext, credentials can't be stolen simply by
+     listening to the network; an attacker has to gain access to the session
+     key (perhaps through operating system security breaches or a careless
+     user's unattended session) to make use of stolen tickets.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+     It is important to note that the network address from which a
+     connection is received cannot be reliably determined. Even if it could
+     be, an attacker who has compromised the client's workstation could use
+     the credentials from there. Including the network addresses only makes
+     it more difficult, not impossible, for an attacker to walk off with
+     stolen credentials and then use them from a "safe" location.
+authorization-data
+     The authorization-data field is used to pass authorization data from
+     the principal on whose behalf a ticket was issued to the application
+     service. If no authorization data is included, this field will be left
+     out. Experience has shown that the name of this field is confusing, and
+     that a better name for this field would be restrictions. Unfortunately,
+     it is not possible to change the name of this field at this time.
+
+     This field contains restrictions on any authority obtained on the basis
+     of authentication using the ticket. It is possible for any principal in
+     posession of credentials to add entries to the authorization data field
+     since these entries further restrict what can be done with the ticket.
+     Such additions can be made by specifying the additional entries when a
+     new ticket is obtained during the TGS exchange, or they may be added
+     during chained delegation using the authorization data field of the
+     authenticator.
+
+     Because entries may be added to this field by the holder of
+     credentials, it is not allowable for the presence of an entry in the
+     authorization data field of a ticket to amplify the priveleges one
+     would obtain from using a ticket.
+
+     The data in this field may be specific to the end service; the field
+     will contain the names of service specific objects, and the rights to
+     those objects. The format for this field is described in section 5.2.
+     Although Kerberos is not concerned with the format of the contents of
+     the sub-fields, it does carry type information (ad-type).
+
+     By using the authorization_data field, a principal is able to issue a
+     proxy that is valid for a specific purpose. For example, a client
+     wishing to print a file can obtain a file server proxy to be passed to
+     the print server. By specifying the name of the file in the
+     authorization_data field, the file server knows that the print server
+     can only use the client's rights when accessing the particular file to
+     be printed.
+
+     A separate service providing authorization or certifying group
+     membership may be built using the authorization-data field. In this
+     case, the entity granting authorization (not the authorized entity),
+     obtains a ticket in its own name (e.g. the ticket is issued in the name
+     of a privelege server), and this entity adds restrictions on its own
+     authority and delegates the restricted authority through a proxy to the
+     client. The client would then present this authorization credential to
+     the application server separately from the authentication exchange.
+
+     Similarly, if one specifies the authorization-data field of a proxy and
+     leaves the host addresses blank, the resulting ticket and session key
+     can be treated as a capability. See [Neu93] for some suggested uses of
+     this field.
+
+     The authorization-data field is optional and does not have to be
+     included in a ticket.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+5.3.2. Authenticators
+
+An authenticator is a record sent with a ticket to a server to certify the
+client's knowledge of the encryption key in the ticket, to help the server
+detect replays, and to help choose a "true session key" to use with the
+particular session. The encoding is encrypted in the ticket's session key
+shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+authenticator-vno
+     This field specifies the version number for the format of the
+     authenticator. This document specifies version 5.
+crealm and cname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+cksum
+     This field contains a checksum of the the applica- tion data that
+     accompanies the KRB_AP_REQ.
+cusec
+     This field contains the microsecond part of the client's timestamp. Its
+     value (before encryption) ranges from 0 to 999999. It often appears
+     along with ctime. The two fields are used together to specify a
+     reasonably accurate timestamp.
+ctime
+     This field contains the current time on the client's host.
+subkey
+     This field contains the client's choice for an encryption key which is
+     to be used to protect this specific application session. Unless an
+     application specifies otherwise, if this field is left out the session
+     key from the ticket will be used.
+seq-number
+     This optional field includes the initial sequence number to be used by
+     the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
+     detect replays (It may also be used by application specific messages).
+     When included in the authenticator this field specifies the initial
+     sequence number for messages from the client to the server. When
+     included in the AP-REP message, the initial sequence number is that for
+     messages from the server to the client. When used in KRB_PRIV or
+     KRB_SAFE messages, it is incremented by one after each message is sent.
+     Sequence numbers fall in the range of 0 through 2^32 - 1 and wrap to
+     zero following the value 2^32 - 1.
+
+     For sequence numbers to adequately support the detection of replays
+     they should be non-repeating, even across connection boundaries. The
+     initial sequence number should be random and uniformly distributed
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+     across the full space of possible sequence numbers, so that it cannot
+     be guessed by an attacker and so that it and the successive sequence
+     numbers do not repeat other sequences.
+authorization-data
+     This field is the same as described for the ticket in section 5.3.1. It
+     is optional and will only appear when additional restrictions are to be
+     placed on the use of a ticket, beyond those carried in the ticket
+     itself.
+
+5.4. Specifications for the AS and TGS exchanges
+
+This section specifies the format of the messages used in the exchange
+between the client and the Kerberos server. The format of possible error
+messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
+KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial
+ticket or an additional ticket. In either case, the message is sent from the
+client to the Authentication Server to request credentials for a service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER,
+                                           -- EncryptionType,
+                                           -- in preference order
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The fields in this message are:
+
+pvno
+     This field is included in each message, and specifies the protocol
+     version number. This document specifies protocol version 5.
+msg-type
+     This field indicates the type of a protocol message. It will almost
+     always be the same as the application identifier associated with a
+     message. It is included to make the identifier more readily accessible
+     to the application. For the KDC-REQ message, this type will be
+     KRB_AS_REQ or KRB_TGS_REQ.
+padata
+     The padata (pre-authentication data) field contains a sequence of
+     authentication information which may be needed before credentials can
+     be issued or decrypted. In the case of requests for additional tickets
+     (KRB_TGS_REQ), this field will include an element with padata-type of
+     PA-TGS-REQ and data of an authentication header (ticket-granting ticket
+     and authenticator). The checksum in the authenticator (which must be
+     collision-proof) is to be computed over the KDC-REQ-BODY encoding. In
+     most requests for initial authentication (KRB_AS_REQ) and most replies
+     (KDC-REP), the padata field will be left out.
+
+     This field may also contain information needed by certain extensions to
+     the Kerberos protocol. For example, it might be used to initially
+     verify the identity of a client before any response is returned. This
+     is accomplished with a padata field with padata-type equal to
+     PA-ENC-TIMESTAMP and padata-value defined as follows:
+
+     padata-type     ::= PA-ENC-TIMESTAMP
+     padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+     PA-ENC-TS-ENC   ::= SEQUENCE {
+                     patimestamp[0]     KerberosTime, -- client's time
+                     pausec[1]          INTEGER OPTIONAL
+     }
+
+     with patimestamp containing the client's time and pausec containing the
+     microseconds which may be omitted if a client will not generate more
+     than one request per second. The ciphertext (padata-value) consists of
+     the PA-ENC-TS-ENC sequence, encrypted using the client's secret key.
+
+     [use-specified-kvno item is here for discussion and may be removed] It
+     may also be used by the client to specify the version of a key that is
+     being used for accompanying preauthentication, and/or which should be
+     used to encrypt the reply from the KDC.
+
+     PA-USE-SPECIFIED-KVNO  ::=  Integer
+
+     The KDC should only accept and abide by the value of the
+     use-specified-kvno preauthentication data field when the specified key
+     is still valid and until use of a new key is confirmed. This situation
+     is likely to occur primarily during the period during which an updated
+     key is propagating to other KDC's in a realm.
+
+     The padata field can also contain information needed to help the KDC or
+     the client select the key needed for generating or decrypting the
+     response. This form of the padata is useful for supporting the use of
+     certain token cards with Kerberos. The details of such extensions are
+     specified in separate documents. See [Pat92] for additional uses of
+     this field.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+padata-type
+     The padata-type element of the padata field indicates the way that the
+     padata-value element is to be interpreted. Negative values of
+     padata-type are reserved for unregistered use; non-negative values are
+     used for a registered interpretation of the element type.
+req-body
+     This field is a placeholder delimiting the extent of the remaining
+     fields. If a checksum is to be calculated over the request, it is
+     calculated over an encoding of the KDC-REQ-BODY sequence which is
+     enclosed within the req-body field.
+kdc-options
+     This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
+     KDC and indicates the flags that the client wants set on the tickets as
+     well as other information that is to modify the behavior of the KDC.
+     Where appropriate, the name of an option may be the same as the flag
+     that is set by that option. Although in most case, the bit in the
+     options field will be the same as that in the flags field, this is not
+     guaranteed, so it is not acceptable to simply copy the options field to
+     the flags field. There are various checks that must be made before
+     honoring an option anyway.
+
+     The kdc_options field is a bit-field, where the selected options are
+     indicated by the bit being set (1), and the unselected options and
+     reserved fields being reset (0). The encoding of the bits is specified
+     in section 5.2. The options are described in more detail above in
+     section 2. The meanings of the options are:
+
+        Bit(s)    Name                Description
+         0        RESERVED
+                                      Reserved for future  expansion  of
+this
+                                      field.
+
+         1        FORWARDABLE
+                                      The FORWARDABLE  option  indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      forwardable flag set.  It  may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based is also
+for-
+                                      wardable.
+
+         2        FORWARDED
+                                      The FORWARDED option is  only
+specified
+                                      in  a  request  to  the
+ticket-granting
+                                      server and will only be honored  if
+the
+                                      ticket-granting  ticket  in  the
+request
+                                      has  its  FORWARDABLE  bit  set.
+This
+                                      option  indicates that this is a
+request
+                                      for forwarding.  The address(es) of
+the
+                                      host  from which the resulting ticket
+is
+                                      to  be  valid  are   included   in
+the
+                                      addresses field of the request.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+         3        PROXIABLE
+                                      The PROXIABLE option indicates that
+the
+                                      ticket to be issued is to have its
+prox-
+                                      iable flag set.  It may only be  set
+on
+                                      the  initial request, or in a
+subsequent
+                                      request if the ticket-granting ticket
+on
+                                      which it is based is also proxiable.
+
+         4        PROXY
+                                      The PROXY option indicates that this
+is
+                                      a request for a proxy.  This option
+will
+                                      only be honored if  the
+ticket-granting
+                                      ticket  in the request has its
+PROXIABLE
+                                      bit set.  The address(es)  of  the
+host
+                                      from which the resulting ticket is to
+be
+                                       valid  are  included  in  the
+addresses
+                                      field of the request.
+
+         5        ALLOW-POSTDATE
+                                      The ALLOW-POSTDATE option indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      MAY-POSTDATE flag set.  It may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based also has
+its
+                                      MAY-POSTDATE flag set.
+
+         6        POSTDATED
+                                      The POSTDATED option indicates that
+this
+                                      is  a  request  for  a postdated
+ticket.
+                                      This option will only be honored if
+the
+                                      ticket-granting  ticket  on  which it
+is
+                                      based has  its  MAY-POSTDATE  flag
+set.
+                                      The  resulting ticket will also have
+its
+                                      INVALID flag set, and that flag  may
+be
+                                      reset by a subsequent request to the
+KDC
+                                      after the starttime in  the  ticket
+has
+                                      been reached.
+
+         7        UNUSED
+                                      This option is presently unused.
+
+         8        RENEWABLE
+                                      The RENEWABLE option indicates that
+the
+                                      ticket  to  be  issued  is  to  have
+its
+                                      RENEWABLE flag set.  It may only be
+set
+                                      on  the  initial  request,  or  when
+the
+                                      ticket-granting  ticket  on  which
+the
+                                      request  is based is also renewable.
+If
+                                      this option is requested, then the
+rtime
+                                      field   in   the  request  contains
+the
+                                      desired absolute expiration time for
+the
+                                      ticket.
+
+         9-13     UNUSED
+                                      These options are presently unused.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+         14       REQUEST-ANONYMOUS
+                                      The REQUEST-ANONYMOUS  option
+indicates
+                                      that  the  ticket to be issued is not
+to
+                                      identify  the  user  to  which  it
+was
+                                      issued.  Instead, the principal
+identif-
+                                      ier is to be generic,  as  specified
+by
+                                      the  policy  of  the realm (e.g.
+usually
+                                      anonymous@realm).  The  purpose  of
+the
+                                      ticket  is only to securely distribute
+a
+                                      session key, and  not  to  identify
+the
+                                      user.   The ANONYMOUS flag on the
+ticket
+                                      to be returned should be  set.   If
+the
+                                      local  realms  policy  does  not
+permit
+                                      anonymous credentials, the request is
+to
+                                      be rejected.
+
+         15-25    RESERVED
+                                      Reserved for future use.
+
+         26       DISABLE-TRANSITED-CHECK
+                                      By default the KDC will check the
+                                      transited field of a ticket-granting-
+                                      ticket against the policy of the local
+                                      realm before it will issue derivative
+                                      tickets based on the ticket granting
+                                      ticket.  If this flag is set in the
+                                      request, checking of the transited
+field
+                                      is disabled.  Tickets issued without
+the
+                                      performance of this check will be
+noted
+                                      by the reset (0) value of the
+                                      TRANSITED-POLICY-CHECKED flag,
+                                      indicating to the application server
+                                      that the tranisted field must be
+checked
+                                      locally.  KDC's are encouraged but not
+                                      required to honor the
+                                      DISABLE-TRANSITED-CHECK option.
+
+         27       RENEWABLE-OK
+                                      The RENEWABLE-OK option indicates that
+a
+                                      renewable ticket will be acceptable if
+a
+                                      ticket with the  requested  life
+cannot
+                                      otherwise be provided.  If a ticket
+with
+                                      the requested life cannot  be
+provided,
+                                      then  a  renewable  ticket may be
+issued
+                                      with  a  renew-till  equal  to  the
+the
+                                      requested  endtime.   The  value  of
+the
+                                      renew-till field may still be limited
+by
+                                      local  limits, or limits selected by
+the
+                                      individual principal or server.
+
+         28       ENC-TKT-IN-SKEY
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The
+ENC-TKT-IN-SKEY
+                                      option indicates that the ticket for
+the
+                                      end  server  is  to  be encrypted in
+the
+                                      session key from the additional
+ticket-
+                                      granting ticket provided.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+         29       RESERVED
+                                      Reserved for future use.
+
+         30       RENEW
+                                      This option is used only by the
+ticket-
+                                      granting   service.   The  RENEW
+option
+                                      indicates that the  present  request
+is
+                                      for  a  renewal.  The ticket provided
+is
+                                      encrypted in  the  secret  key  for
+the
+                                      server  on  which  it  is  valid.
+This
+                                      option  will  only  be  honored  if
+the
+                                      ticket  to  be renewed has its
+RENEWABLE
+                                      flag set and if the time in  its
+renew-
+                                      till  field  has not passed.  The
+ticket
+                                      to be renewed is passed  in  the
+padata
+                                      field  as  part  of  the
+authentication
+                                      header.
+
+         31       VALIDATE
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The VALIDATE
+option
+                                      indicates that the request is  to
+vali-
+                                      date  a  postdated ticket.  It will
+only
+                                      be honored if the  ticket  presented
+is
+                                      postdated,  presently  has  its
+INVALID
+                                      flag set, and would be otherwise
+usable
+                                      at  this time.  A ticket cannot be
+vali-
+                                      dated before its starttime.  The
+ticket
+                                      presented for validation is encrypted
+in
+                                      the key of the server for  which  it
+is
+                                      valid  and is passed in the padata
+field
+                                      as part of the authentication header.
+
+cname and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
+     specified. If absent, the name of the server is taken from the name of
+     the client in the ticket passed as additional-tickets.
+enc-authorization-data
+     The enc-authorization-data, if present (and it can only be present in
+     the TGS_REQ form), is an encoding of the desired authorization-data
+     encrypted under the sub-session key if present in the Authenticator, or
+     alternatively from the session key in the ticket-granting ticket, both
+     from the padata field in the KRB_AP_REQ.
+realm
+     This field specifies the realm part of the server's principal
+     identifier. In the AS exchange, this is also the realm part of the
+     client's principal identifier.
+from
+     This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+     requests when the requested ticket is to be postdated. It specifies the
+     desired start time for the requested ticket. If this field is omitted
+     then the KDC should use the current time instead.
+till
+     This field contains the expiration date requested by the client in a
+     ticket request. It is optional and if omitted the requested ticket is
+     to have the maximum endtime permitted according to KDC policy for the
+     parties to the authentication exchange as limited by expiration date of
+     the ticket granting ticket or other preauthentication credentials.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+rtime
+     This field is the requested renew-till time sent from a client to the
+     KDC in a ticket request. It is optional.
+nonce
+     This field is part of the KDC request and response. It it intended to
+     hold a random number generated by the client. If the same number is
+     included in the encrypted response from the KDC, it provides evidence
+     that the response is fresh and has not been replayed by an attacker.
+     Nonces must never be re-used. Ideally, it should be generated randomly,
+     but if the correct time is known, it may suffice[25].
+etype
+     This field specifies the desired encryption algorithm to be used in the
+     response.
+addresses
+     This field is included in the initial request for tickets, and
+     optionally included in requests for additional tickets from the
+     ticket-granting server. It specifies the addresses from which the
+     requested ticket is to be valid. Normally it includes the addresses for
+     the client's host. If a proxy is requested, this field will contain
+     other addresses. The contents of this field are usually copied by the
+     KDC into the caddr field of the resulting ticket.
+additional-tickets
+     Additional tickets may be optionally included in a request to the
+     ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+     specified, then the session key from the additional ticket will be used
+     in place of the server's key to encrypt the new ticket. If more than
+     one option which requires additional tickets has been specified, then
+     the additional tickets are used in the order specified by the ordering
+     of the options bits (see kdc-options, above).
+
+The application code will be either ten (10) or twelve (12) depending on
+whether the request is for an initial ticket (AS-REQ) or for an additional
+ticket (TGS-REQ).
+
+The optional fields (addresses, authorization-data and additional-tickets)
+are only included if necessary to perform the operation specified in the
+kdc-options field.
+
+It should be noted that in KRB_TGS_REQ, the protocol version number appears
+twice and two different message types appear: the KRB_TGS_REQ message
+contains these fields as does the authentication header (KRB_AP_REQ) that is
+passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+The KRB_KDC_REP message format is used for the reply from the KDC for either
+an initial (AS) request or a subsequent (TGS) request. There is no message
+type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
+KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
+depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
+the client's secret key, and the client's key version number is included in
+the key version number for the encrypted data. For KRB_TGS_REP, the
+ciphertext is encrypted in the sub-session key from the Authenticator, or if
+absent, the session key from the ticket-granting ticket used in the request.
+In that case, no version number will be present in the EncryptedData
+sequence.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+              enc-part[6]                EncryptedData
+}
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is either
+     KRB_AS_REP or KRB_TGS_REP.
+padata
+     This field is described in detail in section 5.4.1. One possible use
+     for this field is to encode an alternate "mix-in" string to be used
+     with a string-to-key algorithm (such as is described in section 6.3.2).
+     This ability is useful to ease transitions if a realm name needs to
+     change (e.g. when a company is acquired); in such a case all existing
+     password-derived entries in the KDC database would be flagged as
+     needing a special mix-in string until the next password change.
+crealm, cname, srealm and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+ticket
+     The newly-issued ticket, from section 5.3.1.
+enc-part
+     This field is a place holder for the ciphertext and related information
+     that forms the encrypted part of a message. The description of the
+     encrypted part of the message follows each appearance of this field.
+     The encrypted part is encoded as described in section 6.1.
+key
+     This field is the same as described for the ticket in section 5.3.1.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+last-req
+     This field is returned by the KDC and specifies the time(s) of the last
+     request by a principal. Depending on what information is available,
+     this might be the last time that a request for a ticket-granting ticket
+     was made, or the last time that a request based on a ticket-granting
+     ticket was successful. It also might cover all servers for a realm, or
+     just the particular server. Some implementations may display this
+     information to the user to aid in discovering unauthorized use of one's
+     identity. It is similar in spirit to the last login time displayed when
+     logging into timesharing systems.
+nonce
+     This field is described above in section 5.4.1.
+key-expiration
+     The key-expiration field is part of the response from the KDC and
+     specifies the time that the client's secret key is due to expire. The
+     expiration might be the result of password aging or an account
+     expiration. This field will usually be left out of the TGS reply since
+     the response to the TGS request is encrypted in a session key and no
+     client information need be retrieved from the KDC database. It is up to
+     the application client (usually the login program) to take appropriate
+     action (such as notifying the user) if the expiration time is imminent.
+flags, authtime, starttime, endtime, renew-till and caddr
+     These fields are duplicates of those found in the encrypted portion of
+     the attached ticket (see section 5.3.1), provided so the client may
+     verify they match the intended request and to assist in proper ticket
+     caching. If the message is of type KRB_TGS_REP, the caddr field will
+     only be filled in if the request was for a proxy or forwarded ticket,
+     or if the user is substituting a subset of the addresses from the
+     ticket granting ticket. If the client-requested addresses are not
+     present or not used, then the addresses contained in the ticket will be
+     the same as those included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+This section specifies the format of the messages used for the
+authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+The KRB_AP_REQ message contains the Kerberos protocol version number, the
+message type KRB_AP_REQ, an options field to indicate any options in use,
+and the ticket and authenticator themselves. The KRB_AP_REQ message is often
+referred to as the 'authentication header'.
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REQ.
+ap-options
+     This field appears in the application request (KRB_AP_REQ) and affects
+     the way the request is processed. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). The encoding of the bits
+     is specified in section 5.2. The meanings of the options are:
+
+         Bit(s)   Name              Description
+
+         0        RESERVED
+                                    Reserved for future  expansion  of  this
+                                    field.
+
+         1        USE-SESSION-KEY
+                                    The  USE-SESSION-KEY  option   indicates
+                                    that the ticket the client is presenting
+                                    to a server is encrypted in the  session
+                                    key  from  the  server's ticket-granting
+                                    ticket.  When this option is not  speci-
+                                    fied,  the  ticket  is  encrypted in the
+                                    server's secret key.
+
+         2        MUTUAL-REQUIRED
+                                    The  MUTUAL-REQUIRED  option  tells  the
+                                    server  that  the client requires mutual
+                                    authentication, and that it must respond
+                                    with a KRB_AP_REP message.
+
+         3-31     RESERVED
+                                    Reserved for future use.
+
+ticket
+ This field is a ticket authenticating the client to the server.
+authenticator
+ This contains the authenticator, which includes the client's choice of
+ a subkey. Its encoding is described in section 5.3.2.
+
+5.5.2. KRB_AP_REP definition
+
+The KRB_AP_REP message contains the Kerberos protocol version number, the
+message type, and an encrypted time- stamp. The message is sent in in
+response to an application request (KRB_AP_REQ) where the mutual
+authentication option has been selected in the ap-options field.
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The encoded EncAPRepPart is encrypted in the shared session key of the
+ticket. The optional subkey field can be used in an application-arranged
+negotiation to choose a per association session key.
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REP.
+enc-part
+     This field is described above in section 5.4.2.
+ctime
+     This field contains the current time on the client's host.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+subkey
+     This field contains an encryption key which is to be used to protect
+     this specific application session. See section 3.2.6 for specifics on
+     how this field is used to negotiate a key. Unless an application
+     specifies otherwise, if this field is left out, the sub-session key
+     from the authenticator, or if also left out, the session key from the
+     ticket will be used.
+
+5.5.3. Error message reply
+
+If an error occurs while processing the application request, the KRB_ERROR
+message will be sent in response. See section 5.9.1 for the format of the
+error message. The cname and crealm fields may be left out if the server
+cannot determine their appropriate values from the corresponding KRB_AP_REQ
+message. If the authenticator was decipherable, the ctime and cusec fields
+will contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to send a tamper-proof message to
+its peer. It presumes that a session key has previously been exchanged (for
+example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+The KRB_SAFE message contains user data along with a collision-proof
+checksum keyed with the last encryption key negotiated via subkeys, or the
+session key if no negotiation has occured. The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_SAFE.
+safe-body
+     This field is a placeholder for the body of the KRB-SAFE message.
+cksum
+     This field contains the checksum of the application data. Checksum
+     details are described in section 6.4. The checksum is computed over the
+     encoding of the KRB-SAFE sequence. First, the cksum is zeroed and the
+     checksum is computed over the encoding of the KRB-SAFE sequence, then
+     the checksum is set to the result of that computation, and finally the
+     KRB-SAFE sequence is encoded again.
+user-data
+     This field is part of the KRB_SAFE and KRB_PRIV messages and contain
+     the application specific data that is being passed from the sender to
+     the recipient.
+timestamp
+     This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
+     are the current time as known by the sender of the message. By checking
+     the timestamp, the recipient of the message is able to make sure that
+     it was recently generated, and is not a replay.
+usec
+     This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
+     the microsecond part of the timestamp.
+seq-number
+     This field is described above in section 5.3.2.
+s-address
+     This field specifies the address in use by the sender of the message.
+     It may be omitted if not required by the application protocol. The
+     application designer considering omission of this field is warned, that
+     the inclusion of this address prevents some kinds of replay attacks
+     (e.g., reflection attacks) and that it is only acceptable to omit this
+     address if there is sufficient information in the integrity protected
+     part of the application message for the recipient to unambiguously
+     determine if it was the intended recipient.
+r-address
+     This field specifies the address in use by the recipient of the
+     message. It may be omitted for some uses (such as broadcast protocols),
+     but the recipient may arbitrarily reject such messages. This field
+     along with s-address can be used to help detect messages which have
+     been incorrectly or maliciously delivered to the wrong recipient.
+
+5.7. KRB_PRIV message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to securely and privately send a
+message to its peer. It presumes that a session key has previously been
+exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+The KRB_PRIV message contains user data encrypted in the Session Key. The
+message fields are:
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's
+addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's
+addr
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_PRIV.
+enc-part
+     This field holds an encoding of the EncKrbPrivPart sequence encrypted
+     under the session key[32]. This encrypted encoding is used for the
+     enc-part field of the KRB-PRIV message. See section 6 for the format of
+     the ciphertext.
+user-data, timestamp, usec, s-address and r-address
+     These fields are described above in section 5.6.1.
+seq-number
+     This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+This section specifies the format of a message that can be used to send
+Kerberos credentials from one principal to another. It is presented here to
+encourage a common mechanism to be used by applications when forwarding
+tickets or providing proxies to subordinate servers. It presumes that a
+session key has already been exchanged perhaps by using the
+KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+The KRB_CRED message contains a sequence of tickets to be sent and
+information needed to use the tickets, including the session key from each.
+The information needed to use the tickets is encrypted under an encryption
+key previously exchanged or transferred alongside the KRB_CRED message. The
+message fields are:
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_CRED.
+tickets
+     These are the tickets obtained from the KDC specifically for use by the
+     intended recipient. Successive tickets are paired with the
+     corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
+     message.
+enc-part
+     This field holds an encoding of the EncKrbCredPart sequence encrypted
+     under the session key shared between the sender and the intended
+     recipient. This encrypted encoding is used for the enc-part field of
+     the KRB-CRED message. See section 6 for the format of the ciphertext.
+nonce
+     If practical, an application may require the inclusion of a nonce
+     generated by the recipient of the message. If the same value is
+     included as the nonce in the message, it provides evidence that the
+     message is fresh and has not been replayed by an attacker. A nonce must
+     never be re-used; it should be generated randomly by the recipient of
+     the message and provided to the sender of the message in an application
+     specific manner.
+timestamp and usec
+     These fields specify the time that the KRB-CRED message was generated.
+     The time is used to provide assurance that the message is fresh.
+s-address and r-address
+     These fields are described above in section 5.6.1. They are used
+     optionally to provide additional assurance of the integrity of the
+     KRB-CRED message.
+key
+     This field exists in the corresponding ticket passed by the KRB-CRED
+     message and is used to pass the session key from the sender to the
+     intended recipient. The field's encoding is described in section 6.2.
+
+The following fields are optional. If present, they can be associated with
+the credentials in the remote ticket file. If left out, then it is assumed
+that the recipient of the credentials already knows their value.
+
+prealm and pname
+     The name and realm of the delegated principal identity.
+flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
+     These fields contain the values of the correspond- ing fields from the
+     ticket found in the ticket field. Descriptions of the fields are
+     identical to the descriptions in the KDC-REP message.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+5.9. Error message specification
+
+This section specifies the format for the KRB_ERROR message. The fields
+included in the message are intended to return as much information as
+possible about an error. It is not expected that all the information
+required by the fields will be available for all types of errors. If the
+appropriate information is not available when the message is composed, the
+corresponding field will be left out of the message.
+
+Note that since the KRB_ERROR message is only optionally integrity
+protected, it is quite possible for an intruder to synthesize or modify such
+a message. In particular, this means that unless appropriate integrity
+protection mechanisms have been applied to the KRB_ERROR message, the client
+should not use any fields in this message for security-critical purposes,
+such as setting a system clock or generating a fresh authenticator. The
+message can be useful, however, for advising a user on the reason for some
+failure.
+
+5.9.1. KRB_ERROR definition
+
+The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL,
+(*REMOVE7/14*)  e-typed-data[14]              SEQUENCE of ETypedData
+OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_ERROR.
+ctime
+     This field is described above in section 5.4.1.
+cusec
+     This field is described above in section 5.5.2.
+stime
+     This field contains the current time on the server. It is of type
+     KerberosTime.
+susec
+     This field contains the microsecond part of the server's timestamp. Its
+     value ranges from 0 to 999999. It appears along with stime. The two
+     fields are used in conjunction to specify a reasonably accurate
+     timestamp.
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+error-code
+     This field contains the error code returned by Kerberos or the server
+     when a request fails. To interpret the value of this field see the list
+     of error codes in section 8. Implementations are encouraged to provide
+     for national language support in the display of error messages.
+crealm, cname, srealm and sname
+     These fields are described above in section 5.3.1.
+e-text
+     This field contains additional text to help explain the error code
+     associated with the failed request (for example, it might include a
+     principal name which was unknown).
+e-data
+     This field contains additional data about the error for use by the
+     application to help it recover from or handle the error. If present,
+     this field will contain the encoding of a sequence of TypedData
+     (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED,
+     in which case it will contain the encoding of a sequence of of padata
+     fields (METHOD-DATA below), each corresponding to an acceptable
+     pre-authentication method and optionally containing data for the
+     method:
+
+     TYPED-DATA   ::=   SEQUENCE of TypeData
+     METHOD-DATA  ::=   SEQUENCE of PA-DATA
+
+     TypedData ::=   SEQUENCE {
+                         data-type[0]   INTEGER,
+                         data-value[1]  OCTET STRING OPTIONAL
+     }
+
+     Note that e-data-types have been reserved for all PA data types defined
+     prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message, when
+     using new PA data types defined in July 1999 or later, the METHOD-DATA
+     sequence must itself be encapsulated in an TypedData element of type
+     TD-PADATA. All new implementations interpreting the METHOD-DATA field
+     for the KDC_ERR_PREAUTH_REQUIRED message must accept a type of
+     TD-PADATA, extract the typed data field and interpret the use any
+     elements encapsulated in the TD-PADATA elements as if they were present
+     in the METHOD-DATA sequence.
+e-cksum
+     This field contains an optional checksum for the KRB-ERROR message. The
+     checksum is calculated over the Kerberos ASN.1 encoding of the
+     KRB-ERROR message with the checksum absent. The checksum is then added
+     to the KRB-ERROR structure and the message is re-encoded. The Checksum
+     should be calculated using the session key from the ticket granting
+     ticket or service ticket, where available. If the error is in response
+     to a TGS or AP request, the checksum should be calculated uing the the
+     session key from the client's ticket. If the error is in response to an
+     AS request, then the checksum should be calulated using the client's
+     secret key ONLY if there has been suitable preauthentication to prove
+     knowledge of the secret key by the client[33]. If a checksum can not be
+     computed because the key to be used is not available, no checksum will
+     be included.
+e-typed-data
+     [***Will be deleted 7/14***] This field contains optional data that may
+     be used to help the client recover from the indicated error. [This
+     could contain the METHOD-DATA specified since I don't think anyone
+     actually uses it yet. It could also contain the PA-DATA sequence for
+     the preauth required error if we had a clear way to transition to the
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+     use of this field from the use of the untyped e-data field.] For
+     example, this field may specify the key version of the key used to
+     verify preauthentication:
+
+     e-data-type  := 20 -- Key version number
+     e-data-value := Integer -- Key version number used to
+                      verify preauthentication
+
+6. Encryption and Checksum Specifications
+
+The Kerberos protocols described in this document are designed to use stream
+encryption ciphers, which can be simulated using commonly available block
+encryption ciphers, such as the Data Encryption Standard, [DES77] in
+conjunction with block chaining and checksum methods [DESM80]. Encryption is
+used to prove the identities of the network entities participating in
+message exchanges. The Key Distribution Center for each realm is trusted by
+all principals registered in that realm to store a secret key in confidence.
+Proof of knowledge of this secret key is used to verify the authenticity of
+a principal. [*** Discussion above will change to use 3DES as example
+7/14/99 ***]
+
+The KDC uses the principal's secret key (in the AS exchange) or a shared
+session key (in the TGS exchange) to encrypt responses to ticket requests;
+the ability to obtain the secret key or session key implies the knowledge of
+the appropriate keys and the identity of the KDC. The ability of a principal
+to decrypt the KDC response and present a Ticket and a properly formed
+Authenticator (generated with the session key from the KDC response) to a
+service verifies the identity of the principal; likewise the ability of the
+service to extract the session key from the Ticket and prove its knowledge
+thereof in a response verifies the identity of the service.
+
+The Kerberos protocols generally assume that the encryption used is secure
+from cryptanalysis; however, in some cases, the order of fields in the
+encrypted portions of messages are arranged to minimize the effects of
+poorly chosen keys. It is still important to choose good keys. If keys are
+derived from user-typed passwords, those passwords need to be well chosen to
+make brute force attacks more difficult. Poorly chosen keys still make easy
+targets for intruders.
+
+The following sections specify the encryption and checksum mechanisms
+currently defined for Kerberos. The encodings, chaining, and padding
+requirements for each are described. For encryption methods, it is often
+desirable to place random information (often referred to as a confounder) at
+the start of the message. The requirements for a confounder are specified
+with each encryption mechanism.
+
+Some encryption systems use a block-chaining method to improve the the
+security characteristics of the ciphertext. However, these chaining methods
+often don't provide an integrity check upon decryption. Such systems (such
+as DES in CBC mode) must be augmented with a checksum of the plain-text
+which can be verified at decryption and used to detect any tampering or
+damage. Such checksums should be good at detecting burst errors in the
+input. If any damage is detected, the decryption routine is expected to
+return an error indicating the failure of an integrity check. Each
+encryption type is expected to provide and verify an appropriate checksum.
+The specification of each encryption method sets out its checksum
+requirements.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Finally, where a key is to be derived from a user's password, an algorithm
+for converting the password to a key of the appropriate type is included. It
+is desirable for the string to key function to be one-way, and for the
+mapping to be different in different realms. This is important because users
+who are registered in more than one realm will often use the same password
+in each, and it is desirable that an attacker compromising the Kerberos
+server in one realm not obtain or derive the user's key in another.
+
+For an discussion of the integrity characteristics of the candidate
+encryption and checksum methods considered for Kerberos, the reader is
+referred to [SG92].
+
+6.1. Encryption Specifications
+
+The following ASN.1 definition describes all encrypted messages. The
+enc-part field which appears in the unencrypted part of messages in section
+5 is a sequence consisting of an encryption type, an optional key version
+number, and the ciphertext.
+
+EncryptedData ::=   SEQUENCE {
+                    etype[0]     INTEGER, -- EncryptionType
+                    kvno[1]      INTEGER OPTIONAL,
+                    cipher[2]    OCTET STRING -- ciphertext
+}
+
+etype
+     This field identifies which encryption algorithm was used to encipher
+     the cipher. Detailed specifications for selected encryption types
+     appear later in this section.
+kvno
+     This field contains the version number of the key under which data is
+     encrypted. It is only present in messages encrypted under long lasting
+     keys, such as principals' secret keys.
+cipher
+     This field contains the enciphered text, encoded as an OCTET STRING.
+
+The cipher field is generated by applying the specified encryption algorithm
+to data composed of the message and algorithm-specific inputs. Encryption
+mechanisms defined for use with Kerberos must take sufficient measures to
+guarantee the integrity of the plaintext, and we recommend they also take
+measures to protect against precomputed dictionary attacks. If the
+encryption algorithm is not itself capable of doing so, the protections can
+often be enhanced by adding a checksum and a confounder.
+
+The suggested format for the data to be encrypted includes a confounder, a
+checksum, the encoded plaintext, and any necessary padding. The msg-seq
+field contains the part of the protocol message described in section 5 which
+is to be encrypted. The confounder, checksum, and padding are all untagged
+and untyped, and their length is exactly sufficient to hold the appropriate
+item. The type and length is implicit and specified by the particular
+encryption type being used (etype). The format for the data to be encrypted
+is described in the following diagram:
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+      +-----------+----------+-------------+-----+
+      |confounder |   check  |   msg-seq   | pad |
+      +-----------+----------+-------------+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+CipherText ::=   ENCRYPTED       SEQUENCE {
+            confounder[0]   UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
+            check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+            msg-seq[2]      MsgSequence,
+            pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+}
+
+One generates a random confounder of the appropriate length, placing it in
+confounder; zeroes out check; calculates the appropriate checksum over
+confounder, check, and msg-seq, placing the result in check; adds the
+necessary padding; then encrypts using the specified encryption type and the
+appropriate key.
+
+Unless otherwise specified, a definition of an encryption algorithm that
+specifies a checksum, a length for the confounder field, or an octet
+boundary for padding uses this ciphertext format[36]. Those fields which are
+not specified will be omitted.
+
+In the interest of allowing all implementations using a particular
+encryption type to communicate with all others using that type, the
+specification of an encryption type defines any checksum that is needed as
+part of the encryption process. If an alternative checksum is to be used, a
+new encryption type must be defined.
+
+Some cryptosystems require additional information beyond the key and the
+data to be encrypted. For example, DES, when used in cipher-block-chaining
+mode, requires an initialization vector. If required, the description for
+each encryption type must specify the source of such additional information.
+6.2. Encryption Keys
+
+The sequence below shows the encoding of an encryption key:
+
+       EncryptionKey ::=   SEQUENCE {
+                           keytype[0]    INTEGER,
+                           keyvalue[1]   OCTET STRING
+       }
+
+keytype
+     This field specifies the type of encryption that is to be performed
+     using the key that follows in the keyvalue field. It will always
+     correspond to the etype to be used to generate or decode the
+     EncryptedData. In cases when multiple algorithms use a common kind of
+     key (e.g., if the encryption algorithm uses an alternate checksum
+     algorithm for an integrity check, or a different chaining mechanism),
+     the keytype provides information needed to determine which algorithm is
+     to be used.
+keyvalue
+     This field contains the key itself, encoded as an octet string.
+
+All negative values for the encryption key type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpreta- tions.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+6.3. Encryption Systems
+
+6.3.1. The NULL Encryption System (null)
+
+If no encryption is in use, the encryption system is said to be the NULL
+encryption system. In the NULL encryption system there is no checksum,
+confounder or padding. The ciphertext is simply the plaintext. The NULL Key
+is used by the null encryption system and is zero octets in length, with
+keytype zero (0).
+
+6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+The des-cbc-crc encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80]. A
+CRC-32 checksum (described in ISO 3309 [ISO3309]) is applied to the
+confounder and message sequence (msg-seq) and placed in the cksum field. DES
+blocks are 8 bytes. As a result, the data to be encrypted (the concatenation
+of confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption. The details of the encryption of this data are identical
+to those for the des-cbc-md5 encryption mode.
+
+Note that, since the CRC-32 checksum is not collision-proof, an attacker
+could use a probabilistic chosen-plaintext attack to generate a valid
+message even if a confounder is used [SG92]. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat. The use of the CRC-32 as the checksum for ticket or
+authenticator is no longer mandated as an interoperability requirement for
+Kerberos Version 5 Specification 1 (See section 9.1 for specific details).
+
+6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+The des-cbc-md4 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD4 checksum (described in [MD492]) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption. The details of the encryption of this data are identical
+to those for the des-cbc-md5 encryption mode.
+
+6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+The des-cbc-md5 encryption mode encrypts information under the Data
+Encryption Standard [DES77] using the cipher block chaining mode [DESM80].
+An MD5 checksum (described in [MD5-92].) is applied to the confounder and
+message sequence (msg-seq) and placed in the cksum field. DES blocks are 8
+bytes. As a result, the data to be encrypted (the concatenation of
+confounder, checksum, and message) must be padded to an 8 byte boundary
+before encryption.
+
+Plaintext and DES ciphtertext are encoded as blocks of 8 octets which are
+concatenated to make the 64-bit inputs for the DES algorithms. The first
+octet supplies the 8 most significant bits (with the octet's MSbit used as
+the DES input block's MSbit, etc.), the second octet the next 8 bits, ...,
+and the eighth octet supplies the 8 least significant bits.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Encryption under DES using cipher block chaining requires an additional
+input in the form of an initialization vector. Unless otherwise specified,
+zero should be used as the initialization vector. Kerberos' use of DES
+requires an 8 octet confounder.
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
+shall not be used for encrypting messages for use in Kerberos. Additionally,
+because of the way that keys are derived for the encryption of checksums,
+keys shall not be used that yield 'weak' or 'semi-weak' keys when
+eXclusive-ORed with the hexadecimal constant F0F0F0F0F0F0F0F0.
+
+A DES key is 8 octets of data, with keytype one (1). This consists of 56
+bits of key, and 8 parity bits (one per octet). The key is encoded as a
+series of 8 octets written in MSB-first order. The bits within the key are
+also encoded in MSB order. For example, if the encryption key is
+(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the parity
+bits, the first octet of the key would be B1,B2,...,B7,P1 (with B1 as the
+MSbit). [See the FIPS 81 introduction for reference.]
+
+String to key transformation
+
+To generate a DES key from a text string (password), a "salt" is
+concatenated to the text string, and then padded with ASCII nulls to an 8
+byte boundary. This "salt" is normally the realm and each component of the
+principal's name appended. However, sometimes different salts are used ---
+for example, when a realm is renamed, or if a user changes her username, or
+for compatibility with Kerberos V4 (whose string-to-key algorithm uses a
+null string for the salt). This string is then fan-folded and eXclusive-ORed
+with itself to form an 8 byte DES key. Before eXclusive-ORing a block, every
+byte is shifted one bit to the left to leave the lowest bit zero. The key is
+the "corrected" by correcting the parity on the key, and if the key matches
+a 'weak' or 'semi-weak' key as described in the DES specification, it is
+eXclusive-ORed with the constant 00000000000000F0. This key is then used to
+generate a DES CBC checksum on the initial string (with the salt appended).
+The result of the CBC checksum is the "corrected" as described above to form
+the result which is return as the key. Pseudocode follows:
+
+     name_to_default_salt(realm, name) {
+          s = realm
+          for(each component in name) {
+               s = s + component;
+          }
+          return s;
+     }
+
+     key_correction(key) {
+          fixparity(key);
+          if (is_weak_key_key(key))
+               key = key XOR 0xF0;
+          return(key);
+     }
+
+     string_to_key(string,salt) {
+
+          odd = 1;
+          s = string + salt;
+          tempkey = NULL;
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+          pad(s); /* with nulls to 8 byte boundary */
+          for(8byteblock in s) {
+               if(odd == 0)  {
+                   odd = 1;
+                   reverse(8byteblock)
+               }
+               else odd = 0;
+               left shift every byte in 8byteblock one bit;
+               tempkey = tempkey XOR 8byteblock;
+          }
+          tempkey = key_correction(tempkey);
+          key = key_correction(DES-CBC-check(s,tempkey));
+          return(key);
+     }
+
+6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with Key
+Derivation [Horowitz]
+
+[*** Note that there are several 3DES varients in use in different Kerberos
+implemenations, updates to this section will be sent to the cat list and
+krb-protocol list prior to the Oslo IETF, including the key derivation and
+non-key derivation varients ***] NOTE: This description currently refers to
+documents, the contents of which might be bettered included by value in this
+spec. The description below was provided by Marc Horowitz, and the form in
+which it will finally appear is yet to be determined. This description is
+included in this version of the draft because it does describe the
+implemenation ready for use with the MIT implementation. Note also that the
+encryption identifier has been left unspecified here because the value from
+Marc Horowitz's spec conflicted with some other impmenentations implemented
+based on perevious versions of the specification.
+
+This encryption type is based on the Triple DES cryptosystem, the HMAC-SHA1
+[Krawczyk96] message authentication algorithm, and key derivation for
+Kerberos V5 [HorowitzB96].
+
+The des3-cbc-hmac-sha1 encryption type has been assigned the value ??. The
+hmac-sha1-des3 checksum type has been assigned the value 12.
+
+Encryption Type des3-cbc-hmac-sha1
+
+EncryptedData using this type must be generated as described in
+[Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode. The
+keyed hash algorithm is HMAC-SHA1. Unless otherwise specified, a zero IV
+must be used. If the length of the input data is not a multiple of the block
+size, zero octets must be used to pad the plaintext to the next eight-octet
+boundary. The counfounder must be eight random octets (one block).
+
+Checksum Type hmac-sha1-des3
+
+Checksums using this type must be generated as described in [Horowitz96].
+The keyed hash algorithm is HMAC-SHA1.
+
+Common Requirements
+
+The EncryptionKey value is 24 octets long. The 7 most significant bits of
+each octet contain key bits, and the least significant bit is the inverse of
+the xor of the key bits.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+For the purposes of key derivation, the block size is 64 bits, and the key
+size is 168 bits. The 168 bits output by key derivation are converted to an
+EncryptionKey value as follows. First, the 168 bits are divided into three
+groups of 56 bits, which are expanded individually into 64 bits as follows:
+
+ 1  2  3  4  5  6  7  p
+ 9 10 11 12 13 14 15  p
+17 18 19 20 21 22 23  p
+25 26 27 28 29 30 31  p
+33 34 35 36 37 38 39  p
+41 42 43 44 45 46 47  p
+49 50 51 52 53 54 55  p
+56 48 40 32 24 16  8  p
+
+The "p" bits are parity bits computed over the data bits. The output of the
+three expansions are concatenated to form the EncryptionKey value.
+
+When the HMAC-SHA1 of a string is computed, the key is used in the
+EncryptedKey form.
+
+Key Derivation
+
+In the Kerberos protocol, cryptographic keys are used in a number of places.
+In order to minimize the effect of compromising a key, it is desirable to
+use a different key for each of these places. Key derivation [Horowitz96]
+can be used to construct different keys for each operation from the keys
+transported on the network. For this to be possible, a small change to the
+specification is necessary.
+
+This section specifies a profile for the use of key derivation [Horowitz96]
+with Kerberos. For each place where a key is used, a ``key usage'' must is
+specified for that purpose. The key, key usage, and encryption/checksum type
+together describe the transformation from plaintext to ciphertext, or
+plaintext to checksum.
+
+Key Usage Values
+
+This is a complete list of places keys are used in the kerberos protocol,
+with key usage values and RFC 1510 section numbers:
+
+ 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+    client key (section 5.4.1)
+ 2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+    application session key), encrypted with the service key
+    (section 5.4.2)
+ 3. AS-REP encrypted part (includes tgs session key or application
+    session key), encrypted with the client key (section 5.4.2)
+ 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+    session key (section 5.4.1)
+ 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+    authenticator subkey (section 5.4.1)
+ 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+    with the tgs session key (sections 5.3.2, 5.4.1)
+ 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+    authenticator subkey), encrypted with the tgs session key
+    (section 5.3.2)
+ 8. TGS-REP encrypted part (includes application session key),
+    encrypted with the tgs session key (section 5.4.2)
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+ 9. TGS-REP encrypted part (includes application session key),
+    encrypted with the tgs authenticator subkey (section 5.4.2)
+10. AP-REQ Authenticator cksum, keyed with the application session
+    key (section 5.3.2)
+11. AP-REQ Authenticator (includes application authenticator
+    subkey), encrypted with the application session key (section
+    5.3.2)
+12. AP-REP encrypted part (includes application session subkey),
+    encrypted with the application session key (section 5.5.2)
+13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+    application (section 5.7.1)
+14. KRB-CRED encrypted part, encrypted with a key chosen by the
+    application (section 5.6.1)
+15. KRB-SAVE cksum, keyed with a key chosen by the application
+    (section 5.8.1)
+18. KRB-ERROR checksum (e-cksum in section 5.9.1)
+19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
+20. Checksum for Mandatory Ticket Extensions (appendix B.6)
+21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
+
+Key usage values between 1024 and 2047 (inclusive) are reserved for
+application use. Applications should use even values for encryption and odd
+values for checksums within this range.
+
+A few of these key usages need a little clarification. A service which
+receives an AP-REQ has no way to know if the enclosed Ticket was part of an
+AS-REP or TGS-REP. Therefore, key usage 2 must always be used for generating
+a Ticket, whether it is in response to an AS- REQ or TGS-REQ.
+
+There might exist other documents which define protocols in terms of the
+RFC1510 encryption types or checksum types. Such documents would not know
+about key usages. In order that these documents continue to be meaningful
+until they are updated, key usages 1024 and 1025 must be used to derive keys
+for encryption and checksums, respectively. New protocols defined in terms
+of the Kerberos encryption and checksum types should use their own key
+usages. Key usages may be registered with IANA to avoid conflicts. Key
+usages must be unsigned 32 bit integers. Zero is not permitted.
+
+Defining Cryptosystems Using Key Derivation
+
+Kerberos requires that the ciphertext component of EncryptedData be
+tamper-resistant as well as confidential. This implies encryption and
+integrity functions, which must each use their own separate keys. So, for
+each key usage, two keys must be generated, one for encryption (Ke), and one
+for integrity (Ki):
+
+      Ke = DK(protocol key, key usage | 0xAA)
+      Ki = DK(protocol key, key usage | 0x55)
+
+where the protocol key is from the EncryptionKey from the wire protocol, and
+the key usage is represented as a 32 bit integer in network byte order. The
+ciphertest must be generated from the plaintext as follows:
+
+   ciphertext = E(Ke, confounder | plaintext | padding) |
+                H(Ki, confounder | plaintext | padding)
+
+The confounder and padding are specific to the encryption algorithm E.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+When generating a checksum only, there is no need for a confounder or
+padding. Again, a new key (Kc) must be used. Checksums must be generated
+from the plaintext as follows:
+
+      Kc = DK(protocol key, key usage | 0x99)
+
+      MAC = H(Kc, plaintext)
+
+Note that each enctype is described by an encryption algorithm E and a keyed
+hash algorithm H, and each checksum type is described by a keyed hash
+algorithm H. HMAC, with an appropriate hash, is recommended for use as H.
+
+Key Derivation from Passwords
+
+The well-known constant for password key derivation must be the byte string
+{0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values correspond to the
+ASCII encoding for the string "kerberos".
+
+6.4. Checksums
+
+The following is the ASN.1 definition used for a checksum:
+
+         Checksum ::=   SEQUENCE {
+                        cksumtype[0]   INTEGER,
+                        checksum[1]    OCTET STRING
+         }
+
+cksumtype
+     This field indicates the algorithm used to generate the accompanying
+     checksum.
+checksum
+     This field contains the checksum itself, encoded as an octet string.
+
+Detailed specification of selected checksum types appear later in this
+section. Negative values for the checksum type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpretations.
+
+Checksums used by Kerberos can be classified by two properties: whether they
+are collision-proof, and whether they are keyed. It is infeasible to find
+two plaintexts which generate the same checksum value for a collision-proof
+checksum. A key is required to perturb or initialize the algorithm in a
+keyed checksum. To prevent message-stream modification by an active
+attacker, unkeyed checksums should only be used when the checksum and
+message will be subsequently encrypted (e.g. the checksums defined as part
+of the encryption algorithms covered earlier in this section).
+
+Collision-proof checksums can be made tamper-proof if the checksum value is
+encrypted before inclusion in a message. In such cases, the composition of
+the checksum and the encryption algorithm must be considered a separate
+checksum algorithm (e.g. RSA-MD5 encrypted using DES is a new checksum
+algorithm of type RSA-MD5-DES). For most keyed checksums, as well as for the
+encrypted forms of unkeyed collision-proof checksums, Kerberos prepends a
+confounder before the checksum is calculated.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+6.4.1. The CRC-32 Checksum (crc32)
+
+The CRC-32 checksum calculates a checksum based on a cyclic redundancy check
+as described in ISO 3309 [ISO3309]. The resulting checksum is four (4)
+octets in length. The CRC-32 is neither keyed nor collision-proof. The use
+of this checksum is not recommended. An attacker using a probabilistic
+chosen-plaintext attack as described in [SG92] might be able to generate an
+alternative message that satisfies the checksum. The use of collision-proof
+checksums is recommended for environments where such attacks represent a
+significant threat.
+
+6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
+[MD4-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is believed to
+be collision-proof.
+
+6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
+
+The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD4
+checksum algorithm, and encrypting the confounder and the checksum using DES
+in cipher-block-chaining (CBC) mode using a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the constant
+F0F0F0F0F0F0F0F0[39]. The initialization vector should be zero. The
+resulting checksum is 24 octets long (8 octets of which are redundant). This
+checksum is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some weak keys' and 'semi-weak keys'; those
+keys shall not be used for generating RSA-MD4 checksums for use in Kerberos.
+
+The format for the checksum is described in the follow- ing diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm.
+[MD5-92]. The algorithm takes as input an input message of arbitrary length
+and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is believed to
+be collision-proof.
+
+6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
+
+The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by
+prepending an 8 octet confounder before the text, applying the RSA MD5
+checksum algorithm, and encrypting the confounder and the checksum using DES
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+in cipher-block-chaining (CBC) mode using a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the hexadecimal constant
+F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting
+checksum is 24 octets long (8 octets of which are redundant). This checksum
+is tamper-proof and believed to be collision-proof.
+
+The DES specifications identify some 'weak keys' and 'semi-weak keys'; those
+keys shall not be used for encrypting RSA-MD5 checksums for use in Kerberos.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+|  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)  |
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(16)
+}
+
+6.4.6. DES cipher-block chained checksum (des-mac)
+
+The DES-MAC checksum is computed by prepending an 8 octet confounder to the
+plaintext, performing a DES CBC-mode encryption on the result using the key
+and an initialization vector of zero, taking the last block of the
+ciphertext, prepending the same confounder and encrypting the pair using DES
+in cipher-block-chaining (CBC) mode using a a variant of the key, where the
+variant is computed by eXclusive-ORing the key with the hexadecimal constant
+F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting
+checksum is 128 bits (16 octets) long, 64 bits of which are redundant. This
+checksum is tamper-proof and collision-proof.
+
+The format for the checksum is described in the following diagram:
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+|   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+The format cannot be described in ASN.1, but for those who prefer an
+ASN.1-like notation:
+
+des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                       confounder[0]   UNTAGGED OCTET STRING(8),
+                       check[1]        UNTAGGED OCTET STRING(8)
+}
+
+The DES specifications identify some 'weak' and 'semi-weak' keys; those keys
+shall not be used for generating DES-MAC checksums for use in Kerberos, nor
+shall a key be used whose variant is 'weak' or 'semi-weak'.
+
+6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative (rsa-md4-des-k)
+
+The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum by
+applying the RSA MD4 checksum algorithm and encrypting the results using DES
+in cipher-block-chaining (CBC) mode using a DES key as both key and
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+initialization vector. The resulting checksum is 16 octets long. This
+checksum is tamper-proof and believed to be collision-proof. Note that this
+checksum type is the old method for encoding the RSA-MD4-DES checksum and it
+is no longer recommended.
+
+6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
+
+The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption
+of the plaintext, and using the last block of the ciphertext as the checksum
+value. It is keyed with an encryption key and an initialization vector; any
+uses which do not specify an additional initialization vector will use the
+key as both key and initialization vector. The resulting checksum is 64 bits
+(8 octets) long. This checksum is tamper-proof and collision-proof. Note
+that this checksum type is the old method for encoding the DES-MAC checksum
+and it is no longer recommended. The DES specifications identify some 'weak
+keys' and 'semi-weak keys'; those keys shall not be used for generating
+DES-MAC checksums for use in Kerberos.
+
+7. Naming Constraints
+
+7.1. Realm Names
+
+Although realm names are encoded as GeneralStrings and although a realm can
+technically select any name it chooses, interoperability across realm
+boundaries requires agreement on how realm names are to be assigned, and
+what information they imply.
+
+To enforce these conventions, each realm must conform to the conventions
+itself, and it must require that any realms with which inter-realm keys are
+shared also conform to the conventions and require the same from its
+neighbors.
+
+Kerberos realm names are case sensitive. Realm names that differ only in the
+case of the characters are not equivalent. There are presently four styles
+of realm names: domain, X500, other, and reserved. Examples of each style
+follow:
+
+     domain:   ATHENA.MIT.EDU (example)
+       X500:   C=US/O=OSF (example)
+      other:   NAMETYPE:rest/of.name=without-restrictions (example)
+   reserved:   reserved, but will not conflict with above
+
+Domain names must look like domain names: they consist of components
+separated by periods (.) and they contain neither colons (:) nor slashes
+(/). Domain names must be converted to upper case when used as realm names.
+
+X.500 names contain an equal (=) and cannot contain a colon (:) before the
+equal. The realm names for X.500 names will be string representations of the
+names with components separated by slashes. Leading and trailing slashes
+will not be included.
+
+Names that fall into the other category must begin with a prefix that
+contains no equal (=) or period (.) and the prefix must be followed by a
+colon (:) and the rest of the name. All prefixes must be assigned before
+they may be used. Presently none are assigned.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+The reserved category includes strings which do not fall into the first
+three categories. All names in this category are reserved. It is unlikely
+that names will be assigned to this category unless there is a very strong
+argument for not using the 'other' category.
+
+These rules guarantee that there will be no conflicts between the various
+name styles. The following additional constraints apply to the assignment of
+realm names in the domain and X.500 categories: the name of a realm for the
+domain or X.500 formats must either be used by the organization owning (to
+whom it was assigned) an Internet domain name or X.500 name, or in the case
+that no such names are registered, authority to use a realm name may be
+derived from the authority of the parent realm. For example, if there is no
+domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can
+authorize the creation of a realm with that name.
+
+This is acceptable because the organization to which the parent is assigned
+is presumably the organization authorized to assign names to its children in
+the X.500 and domain name systems as well. If the parent assigns a realm
+name without also registering it in the domain name or X.500 hierarchy, it
+is the parent's responsibility to make sure that there will not in the
+future exists a name identical to the realm name of the child unless it is
+assigned to the same entity as the realm name.
+
+7.2. Principal Names
+
+As was the case for realm names, conventions are needed to ensure that all
+agree on what information is implied by a principal name. The name-type
+field that is part of the principal name indicates the kind of information
+implied by the name. The name-type should be treated as a hint. Ignoring the
+name type, no two names can be the same (i.e. at least one of the
+components, or the realm, must be different). The following name types are
+defined:
+
+  name-type      value   meaning
+
+   NT-UNKNOWN        0   Name type not known
+   NT-PRINCIPAL      1   General principal name (e.g. username, or DCE
+principal)
+   NT-SRV-INST       2   Service and other unique instance (krbtgt)
+   NT-SRV-HST        3   Service with host name as instance (telnet,
+rcommands)
+   NT-SRV-XHST       4   Service with slash-separated host name components
+   NT-UID            5   Unique ID
+   NT-X500-PRINCIPAL 6   Encoded X.509 Distingished name [RFC 1779]
+
+When a name implies no information other than its uniqueness at a particular
+time the name type PRINCIPAL should be used. The principal name type should
+be used for users, and it might also be used for a unique server. If the
+name is a unique machine generated ID that is guaranteed never to be
+reassigned then the name type of UID should be used (note that it is
+generally a bad idea to reassign names of any type since stale entries might
+remain in access control lists).
+
+If the first component of a name identifies a service and the remaining
+components identify an instance of the service in a server specified manner,
+then the name type of SRV-INST should be used. An example of this name type
+is the Kerberos ticket-granting service whose name has a first component of
+krbtgt and a second component identifying the realm for which the ticket is
+valid.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+If instance is a single component following the service name and the
+instance identifies the host on which the server is running, then the name
+type SRV-HST should be used. This type is typically used for Internet
+services such as telnet and the Berkeley R commands. If the separate
+components of the host name appear as successive components following the
+name of the service, then the name type SRV-XHST should be used. This type
+might be used to identify servers on hosts with X.500 names where the slash
+(/) might otherwise be ambiguous.
+
+A name type of NT-X500-PRINCIPAL should be used when a name from an X.509
+certificiate is translated into a Kerberos name. The encoding of the X.509
+name as a Kerberos principal shall conform to the encoding rules specified
+in RFC 2253.
+
+A name type of UNKNOWN should be used when the form of the name is not
+known. When comparing names, a name of type UNKNOWN will match principals
+authenticated with names of any type. A principal authenticated with a name
+of type UNKNOWN, however, will only match other names of type UNKNOWN.
+
+Names of any type with an initial component of 'krbtgt' are reserved for the
+Kerberos ticket granting service. See section 8.2.3 for the form of such
+names.
+
+7.2.1. Name of server principals
+
+The principal identifier for a server on a host will generally be composed
+of two parts: (1) the realm of the KDC with which the server is registered,
+and (2) a two-component name of type NT-SRV-HST if the host name is an
+Internet domain name or a multi-component name of type NT-SRV-XHST if the
+name of the host is of a form such as X.500 that allows slash (/)
+separators. The first component of the two- or multi-component name will
+identify the service and the latter components will identify the host. Where
+the name of the host is not case sensitive (for example, with Internet
+domain names) the name of the host must be lower case. If specified by the
+application protocol for services such as telnet and the Berkeley R commands
+which run with system privileges, the first component may be the string
+'host' instead of a service specific identifier. When a host has an official
+name and one or more aliases, the official name of the host must be used
+when constructing the name of the server principal.
+
+8. Constants and other defined values
+
+8.1. Host address types
+
+All negative values for the host address type are reserved for local use.
+All non-negative values are reserved for officially assigned type fields and
+interpretations.
+
+The values of the types for the following addresses are chosen to match the
+defined address family constants in the Berkeley Standard Distributions of
+Unix. They can be found in with symbolic names AF_xxx (where xxx is an
+abbreviation of the address family name).
+
+Internet (IPv4) Addresses
+
+Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in MSB
+order. The type of IPv4 addresses is two (2).
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Internet (IPv6) Addresses [Westerlund]
+
+IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order. The
+type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884]. The
+following addresses (see [RFC1884]) MUST not appear in any Kerberos packet:
+
+   * the Unspecified Address
+   * the Loopback Address
+   * Link-Local addresses
+
+IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+CHAOSnet addresses
+
+CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB order.
+The type of CHAOSnet addresses is five (5).
+
+ISO addresses
+
+ISO addresses are variable-length. The type of ISO addresses is seven (7).
+
+Xerox Network Services (XNS) addresses
+
+XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order. The
+type of XNS addresses is six (6).
+
+AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit network
+number. The first octet of the address is the node number; the remaining two
+octets encode the network number in MSB order. The type of AppleTalk DDP
+addresses is sixteen (16).
+
+DECnet Phase IV addresses
+
+DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order. The
+type of DECnet Phase IV addresses is twelve (12).
+
+Netbios addresses
+
+Netbios addresses are 16-octet addresses typically composed of 1 to 15
+characters, trailing blank (ascii char 20) filled, with a 16th octet of 0x0.
+The type of Netbios addresses is 20 (0x14).
+
+8.2. KDC messages
+
+8.2.1. UDP/IP transport
+
+When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using UDP
+IP transport, the client shall send a UDP datagram containing only an
+encoding of the request to port 88 (decimal) at the KDC's IP address; the
+KDC will respond with a reply datagram containing only an encoding of the
+reply message (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at
+the sender's IP address. Kerberos servers supporting IP transport must
+accept UDP requests on port 88 (decimal). The response to a request made
+through UDP/IP transport must also use UDP/IP transport.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+8.2.2. TCP/IP transport [Westerlund,Danielsson]
+
+Kerberos servers (KDC's) should accept TCP requests on port 88 (decimal) and
+clients should support the sending of TCP requests on port 88 (decimal).
+When the KRB_KDC_REQ message is sent to the KDC over a TCP stream, a new
+connection will be established for each authentication exchange (request and
+response). The KRB_KDC_REP or KRB_ERROR message will be returned to the
+client on the same TCP stream that was established for the request. The
+response to a request made through TCP/IP transport must also use TCP/IP
+transport. Implementors should note that some extentions to the Kerberos
+protocol will not work if any implementation not supporting the TCP
+transport is involved (client or KDC). Implementors are strongly urged to
+support the TCP transport on both the client and server and are advised that
+the current notation of "should" support will likely change in the future to
+must support. The KDC may close the TCP stream after sending a response, but
+may leave the stream open if it expects a followup - in which case it may
+close the stream at any time if resource constratints or other factors make
+it desirable to do so. Care must be taken in managing TCP/IP connections
+with the KDC to prevent denial of service attacks based on the number of
+TCP/IP connections with the KDC that remain open. If multiple exchanges with
+the KDC are needed for certain forms of preauthentication, multiple TCP
+connections may be required. A client may close the stream after receiving
+response, and should close the stream if it does not expect to send followup
+messages. The client must be prepared to have the stream closed by the KDC
+at anytime, in which case it must simply connect again when it is ready to
+send subsequent messages.
+
+The first four octets of the TCP stream used to transmit the request request
+will encode in network byte order the length of the request (KRB_KDC_REQ),
+and the length will be followed by the request itself. The response will
+similarly be preceeded by a 4 octet encoding in network byte order of the
+length of the KRB_KDC_REP or the KRB_ERROR message and will be followed by
+the KRB_KDC_REP or the KRB_ERROR response. If the sign bit is set on the
+integer represented by the first 4 octets, then the next 4 octets will be
+read, extending the length of the field by another 4 octets (less the sign
+bit which is reserved for future expansion).
+
+8.2.3. OSI transport
+
+During authentication of an OSI client to an OSI server, the mutual
+authentication of an OSI server to an OSI client, the transfer of
+credentials from an OSI client to an OSI server, or during exchange of
+private or integrity checked messages, Kerberos protocol messages may be
+treated as opaque objects and the type of the authentication mechanism will
+be:
+
+OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1),
+                      security(5),kerberosv5(2)}
+
+Depending on the situation, the opaque object will be an authentication
+header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe message
+(KRB_SAFE), a private message (KRB_PRIV), or a credentials message
+(KRB_CRED). The opaque data contains an application code as specified in the
+ASN.1 description for each message. The application code may be used by
+Kerberos to determine the message type.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+8.2.3. Name of the TGS
+
+The principal identifier of the ticket-granting service shall be composed of
+three parts: (1) the realm of the KDC issuing the TGS ticket (2) a two-part
+name of type NT-SRV-INST, with the first part "krbtgt" and the second part
+the name of the realm which will accept the ticket-granting ticket. For
+example, a ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be
+used to get tickets from the ATHENA.MIT.EDU KDC has a principal identifier
+of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A
+ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get
+tickets from the MIT.EDU realm has a principal identifier of
+"ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name).
+
+8.3. Protocol constants and associated values
+
+The following tables list constants used in the protocol and defines their
+meanings. Ranges are specified in the "specification" section that limit the
+values of constants for which values are defined here. This allows
+implementations to make assumptions about the maximum values that will be
+received for these constants. Implementation receiving values outside the
+range specified in the "specification" section may reject the request, but
+they must recover cleanly.
+
+Encryption type       etype value block size  minimum pad size  confounder
+size
+NULL                           0     1           0                 0
+des-cbc-crc                    1     8           4                 8
+des-cbc-md4                    2     8           0                 8
+des-cbc-md5                    3     8           0                 8
+                     4
+des3-cbc-md5                   5     8           0                 8
+                     6
+des3-cbc-sha1                  7     8           0                 8
+sign-dsa-generate              8
+(old-pkinit-will-remove)
+dsaWithSHA1-CmsOID             9                                 (pkinit)
+md5WithRSAEncryption-CmsOID   10                                 (pkinit)
+sha1WithRSAEncryption-CmsOID  11                                 (pkinit)
+rc2CBC-EnvOID                 12                                 (pkinit)
+rsaEncryption-EnvOID          13                      (pkinit from PKCS#1
+v1.5)
+rsaES-OAEP-ENV-OID            14                      (pkinit from PKCS#1
+v2.0)
+des-ede3-cbc-Env-OID          15                                 (pkinit)
+des3kd-cbc-sha1               ??     8                 0                 8
+ENCTYPE_PK_CROSS              48                      (reserved for pkcross)
+       0x8003
+
+Checksum type              sumtype value       checksum size
+CRC32                      1                   4
+rsa-md4                    2                   16
+rsa-md4-des                3                   24
+des-mac                    4                   16
+des-mac-k                  5                   8
+rsa-md4-des-k              6                   16
+rsa-md5                    7                   16
+rsa-md5-des                8                   24
+rsa-md5-des3               9                   24
+hmac-sha1-des3             12                  20  (I had this as 10, is it
+12)
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+padata type                     padata-type value
+
+PA-TGS-REQ                      1
+PA-ENC-TIMESTAMP                2
+PA-PW-SALT                      3
+                      4
+PA-ENC-UNIX-TIME                5
+PA-SANDIA-SECUREID              6
+PA-SESAME                       7
+PA-OSF-DCE                      8
+PA-CYBERSAFE-SECUREID           9
+PA-AFS3-SALT                    10
+PA-ETYPE-INFO                   11
+SAM-CHALLENGE                   12                  (sam/otp)
+SAM-RESPONSE                    13                  (sam/otp)
+PA-PK-AS-REQ                    14                  (pkinit)
+PA-PK-AS-REP                    15                  (pkinit)
+PA-PK-AS-SIGN                   16                  (***remove on 7/14***)
+PA-PK-KEY-REQ                   17                  (***remove on 7/14***)
+PA-PK-KEY-REP                   18                  (***remove on 7/14***)
+PA-USE-SPECIFIED-KVNO           20
+SAM-REDIRECT                    21                  (sam/otp)
+PA-GET-FROM-TYPED-DATA          22
+
+data-type                     value    form of typed-data
+
+                      1-21
+TD-PADATA                       22
+TD-PKINIT-CMS-CERTIFICATES      101      CertificateSet from CMS
+TD-KRB-PRINCIPAL                102
+TD-KRB-REALM                    103
+TD-TRUSTED-CERTIFIERS           104
+TD-CERTIFICATE-INDEX            105
+
+authorization data type         ad-type value
+AD-IF-RELEVANT                     1
+AD-INTENDED-FOR-SERVER             2
+AD-INTENDED-FOR-APPLICATION-CLASS  3
+AD-KDC-ISSUED                      4
+AD-OR                              5
+AD-MANDATORY-TICKET-EXTENSIONS     6
+AD-IN-TICKET-EXTENSIONS            7
+reserved values                    8-63
+OSF-DCE                            64
+SESAME                             65
+
+Ticket Extension Types
+
+TE-TYPE-NULL                  0      Null ticket extension
+TE-TYPE-EXTERNAL-ADATA        1      Integrity protected authorization data
+                    2      TE-TYPE-PKCROSS-KDC  (I have reservations)
+TE-TYPE-PKCROSS-CLIENT        3      PKCROSS cross realm key ticket
+TE-TYPE-CYBERSAFE-EXT         4      Assigned to CyberSafe Corp
+                    5      TE-TYPE-DEST-HOST (I have reservations)
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+alternate authentication type   method-type value
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+transited encoding type         tr-type value
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+Label               Value   Meaning or MIT code
+
+pvno                    5   current Kerberos protocol version number
+
+message types
+
+KRB_AS_REQ             10   Request for initial authentication
+KRB_AS_REP             11   Response to KRB_AS_REQ request
+KRB_TGS_REQ            12   Request for authentication based on TGT
+KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+KRB_AP_REQ             14   application request to server
+KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE               20   Safe (checksummed) application message
+KRB_PRIV               21   Private (encrypted) application message
+KRB_CRED               22   Private (encrypted) message to forward
+credentials
+KRB_ERROR              30   Error response
+
+name types
+
+KRB_NT_UNKNOWN        0  Name type not known
+KRB_NT_PRINCIPAL      1  Just the name of the principal as in DCE, or for
+users
+KRB_NT_SRV_INST       2  Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST        3  Service with host name as instance (telnet,
+rcommands)
+KRB_NT_SRV_XHST       4  Service with host as remaining components
+KRB_NT_UID            5  Unique ID
+KRB_NT_X500_PRINCIPAL 6  Encoded X.509 Distingished name [RFC 2253]
+
+error codes
+
+KDC_ERR_NONE                    0   No error
+KDC_ERR_NAME_EXP                1   Client's entry in database has expired
+KDC_ERR_SERVICE_EXP             2   Server's entry in database has expired
+KDC_ERR_BAD_PVNO                3   Requested protocol version # not
+supported
+KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in database
+KDC_ERR_NULL_KEY                9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID            11   Requested start time is later than end
+time
+KDC_ERR_POLICY                 12   KDC policy rejects request
+KDC_ERR_BADOPTION              13   KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption type
+KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been revoked
+KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED            23   Password has expired - change password
+KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was
+invalid
+KDC_ERR_PREAUTH_REQUIRED       25   Additional pre-authenticationrequired
+[40]
+KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't match
+KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for user2user
+only
+KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+KDC_ERR_SVC_UNAVAILABLE        29   A service is not available
+KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field
+failed
+KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+KRB_AP_ERR_REPEAT              34   Request is a replay
+KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't match
+KRB_AP_ERR_SKEW                37   Clock skew too great
+KRB_AP_ERR_BADADDR             38   Incorrect net address
+KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+KRB_AP_ERR_MODIFIED            41   Message stream modified
+KRB_AP_ERR_BADORDER            42   Message out of order
+KRB_AP_ERR_BADKEYVER           44   Specified version of key is not
+available
+KRB_AP_ERR_NOKEY               45   Service key not available
+KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+KRB_AP_ERR_METHOD              48   Alternative authentication method
+required
+KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in message
+KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in
+message
+KRB_AP_PATH_NOT_ACCEPTED       51   Policy rejects transited path
+KRB_ERR_RESPONSE_TOO_BIG       52   Response too big for UDP, retry with TCP
+KRB_ERR_GENERIC                60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG          61   Field is too long for this
+implementation
+KDC_ERROR_CLIENT_NOT_TRUSTED            62 (pkinit)
+KDC_ERROR_KDC_NOT_TRUSTED               63 (pkinit)
+KDC_ERROR_INVALID_SIG                   64 (pkinit)
+KDC_ERR_KEY_TOO_WEAK                    65 (pkinit)
+KDC_ERR_CERTIFICATE_MISMATCH            66 (pkinit)
+KRB_AP_ERR_NO_TGT                       67 (user-to-user)
+KDC_ERR_WRONG_REALM                     68 (user-to-user)
+KRB_AP_ERR_USER_TO_USER_REQUIRED        69 (user-to-user)
+KDC_ERR_CANT_VERIFY_CERTIFICATE         70 (pkinit)
+KDC_ERR_INVALID_CERTIFICATE             71 (pkinit)
+KDC_ERR_REVOKED_CERTIFICATE             72 (pkinit)
+KDC_ERR_REVOCATION_STATUS_UNKNOWN       73 (pkinit)
+KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74 (pkinit)
+KDC_ERR_CLIENT_NAME_MISMATCH            75 (pkinit)
+KDC_ERR_KDC_NAME_MISMATCH               76 (pkinit)
+
+9. Interoperability requirements
+
+Version 5 of the Kerberos protocol supports a myriad of options. Among these
+are multiple encryption and checksum types, alternative encoding schemes for
+the transited field, optional mechanisms for pre-authentication, the
+handling of tickets with no addresses, options for mutual authentication,
+user to user authentication, support for proxies, forwarding, postdating,
+and renewing tickets, the format of realm names, and the handling of
+authorization data.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+In order to ensure the interoperability of realms, it is necessary to define
+a minimal configuration which must be supported by all implementations. This
+minimal configuration is subject to change as technology does. For example,
+if at some later date it is discovered that one of the required encryption
+or checksum algorithms is not secure, it will be replaced.
+
+9.1. Specification 2
+
+This section defines the second specification of these options.
+Implementations which are configured in this way can be said to support
+Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated) may
+be found in RFC1510.
+
+Transport
+
+TCP/IP and UDP/IP transport must be supported by KDCs claiming conformance
+to specification 2. Kerberos clients claiming conformance to specification 2
+must support UDP/IP transport for messages with the KDC and should support
+TCP/IP transport.
+
+Encryption and checksum methods
+
+The following encryption and checksum mechanisms must be supported.
+Implementations may support other mechanisms as well, but the additional
+mechanisms may only be used when communicating with principals known to also
+support them: This list is to be determined. [***This section will change,
+and alternatives will be sent to the cat and krb-protocol list prior to the
+Oslo IETF - change will be made 7/14/99 ***]
+
+Encryption: DES-CBC-MD5
+Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
+
+Realm Names
+
+All implementations must understand hierarchical realms in both the Internet
+Domain and the X.500 style. When a ticket granting ticket for an unknown
+realm is requested, the KDC must be able to determine the names of the
+intermediate realms between the KDCs realm and the requested realm.
+
+Transited field encoding
+
+DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
+Alternative encodings may be supported, but they may be used only when that
+encoding is supported by ALL intermediate realms.
+
+Pre-authentication methods
+
+The TGS-REQ method must be supported. The TGS-REQ method is not used on the
+initial request. The PA-ENC-TIMESTAMP method must be supported by clients
+but whether it is enabled by default may be determined on a realm by realm
+basis. If not used in the initial request and the error
+KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
+acceptable method, the client should retry the initial request using the
+PA-ENC-TIMESTAMP preauthentication method. Servers need not support the
+PA-ENC-TIMESTAMP method, but if not supported the server should ignore the
+presence of PA-ENC-TIMESTAMP pre-authentication in a request.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+Mutual authentication
+
+Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+Ticket addresses and flags
+
+All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
+contains no addresses, the KDC will return derivative tickets), but each
+realm may set its own policy for issuing such tickets, and each application
+server will set its own policy with respect to accepting them.
+
+Proxies and forwarded tickets must be supported. Individual realms and
+application servers can set their own policy on when such tickets will be
+accepted.
+
+All implementations must recognize renewable and postdated tickets, but need
+not actually implement them. If these options are not supported, the
+starttime and endtime in the ticket shall specify a ticket's entire useful
+life. When a postdated ticket is decoded by a server, all implementations
+shall make the presence of the postdated flag visible to the calling server.
+
+User-to-user authentication
+
+Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC option)
+must be provided by implementations, but individual realms may decide as a
+matter of policy to reject such requests on a per-principal or realm-wide
+basis.
+
+Authorization data
+
+Implementations must pass all authorization data subfields from
+ticket-granting tickets to any derivative tickets unless directed to
+suppress a subfield as part of the definition of that registered subfield
+type (it is never incorrect to pass on a subfield, and no registered
+subfield types presently specify suppression at the KDC).
+
+Implementations must make the contents of any authorization data subfields
+available to the server when a ticket is used. Implementations are not
+required to allow clients to specify the contents of the authorization data
+fields.
+
+Constant ranges
+
+All protocol constants are constrained to 32 bit (signed) values unless
+further constrained by the protocol definition. This limit is provided to
+allow implementations to make assumptions about the maximum values that will
+be received for these constants. Implementation receiving values outside
+this range may reject the request, but they must recover cleanly.
+
+9.2. Recommended KDC values
+
+Following is a list of recommended values for a KDC implementation, based on
+the list of suggested configuration constants (see section 4.4).
+
+minimum lifetime              5 minutes
+maximum renewable lifetime    1 week
+maximum ticket lifetime       1 day
+empty addresses               only when suitable  restrictions  appear
+                              in authorization data
+proxiable, etc.               Allowed.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+10. REFERENCES
+
+[NT94]    B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+          cation  Service for Computer Networks," IEEE Communica-
+          tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+[MNSS87]  S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+          Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+          Authorization System, M.I.T. Project Athena, Cambridge,
+          Massachusetts (December 21, 1987).
+
+[SNS88]   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+          beros:  An Authentication Service for Open Network Sys-
+          tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+          Dallas, Texas (February, 1988).
+
+[NS78]    Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+          Encryption for Authentication in Large Networks of Com-
+          puters,"  Communications  of  the  ACM,  Vol.   21(12),
+          pp. 993-999 (December, 1978).
+
+[DS81]    Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+          stamps  in  Key Distribution Protocols," Communications
+          of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+[KNT92]   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+          "The Evolution of the Kerberos Authentication Service,"
+          in an IEEE Computer Society Text soon to  be  published
+          (June 1992).
+
+[Neu93]   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+          Accounting  for Distributed Systems," in Proceedings of
+          the 13th International Conference on  Distributed  Com-
+          puting Systems, Pittsburgh, PA (May, 1993).
+
+[DS90]    Don Davis and Ralph Swick,  "Workstation  Services  and
+          Kerberos  Authentication  at Project Athena," Technical
+          Memorandum TM-424,  MIT Laboratory for Computer Science
+          (February 1990).
+
+[LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+          merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+          ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+          sachusetts (1987).
+
+[X509-88] CCITT, Recommendation X.509: The Directory  Authentica-
+          tion Framework, December 1988.
+
+[Pat92].  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+          Guessing  Attacks, Open Software Foundation DCE Request
+          for Comments 26 (December 1992).
+
+[DES77]   National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "Data Encryption Standard," Federal Information
+          Processing Standards Publication  46,   Washington,  DC
+          (1977).
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+[DESM80]  National Bureau of Standards, U.S. Department  of  Com-
+          merce,  "DES  Modes  of Operation," Federal Information
+          Processing Standards Publication 81,   Springfield,  VA
+          (December 1980).
+
+[SG92]    Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+          Integrity  in  Cryptographic Protocols," in Proceedings
+          of the IEEE  Symposium  on  Research  in  Security  and
+          Privacy, Oakland, California (May 1992).
+
+[IS3309]  International Organization  for  Standardization,  "ISO
+          Information  Processing  Systems - Data Communication -
+          High-Level Data Link Control Procedure -  Frame  Struc-
+          ture," IS 3309 (October 1984).  3rd Edition.
+
+[MD4-92]  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+          1320,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+[MD5-92]  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+          1321,   MIT  Laboratory  for  Computer  Science  (April
+          1992).
+
+[KBC96]   H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+          Hashing  for  Message  Authentication,"  Working  Draft
+          draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+[Horowitz96] Horowitz, M., "Key Derivation for Authentication,
+          Integrity, and Privacy", draft-horowitz-key-derivation-02.txt,
+          August 1998.
+
+[HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft-
+          horowitz-kerb-key-derivation-01.txt, September 1998.
+
+[Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC:
+          Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac-
+          md5-01.txt, August, 1996.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A. Pseudo-code for protocol processing
+
+This appendix provides pseudo-code describing how the messages are to be
+constructed and interpreted by clients and servers.
+
+A.1. KRB_AS_REQ generation
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_AS_REQ */
+
+        if(pa_enc_timestamp_required) then
+                request.padata.padata-type = PA-ENC-TIMESTAMP;
+                get system_time;
+                padata-body.patimestamp,pausec = system_time;
+                encrypt padata-body into request.padata.padata-value
+                        using client.key; /* derived from password */
+        endif
+
+        body.kdc-options := users's preferences;
+        body.cname := user's name;
+        body.realm := user's realm;
+        body.sname := service's name; /* usually "krbtgt",  "localrealm" */
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+        omit body.enc-authorization-data;
+        request.req-body := body;
+
+        kerberos := lookup(name of local kerberos server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.2. KRB_AS_REQ verification and KRB_AS_REP generation
+
+        decode message into req;
+
+        client := lookup(req.cname,req.realm);
+        server := lookup(req.sname,req.realm);
+
+        get system_time;
+        kdc_time := system_time.seconds;
+
+        if (!client) then
+                /* no client in Database */
+                error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+        endif
+        if (!server) then
+                /* no server in Database */
+                error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        endif
+
+        if(client.pa_enc_timestamp_required and
+           pa_enc_timestamp not present) then
+                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+        endif
+
+        if(pa_enc_timestamp present) then
+                decrypt req.padata-value into decrypted_enc_timestamp
+                        using client.key;
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                if(decrypted_enc_timestamp is not within allowable skew)
+then
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                if(decrypted_enc_timestamp and usec is replay)
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                add decrypted_enc_timestamp and usec to replay cache;
+        endif
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := req.srealm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        if (req.kdc-options.FORWARDABLE is set) then
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.PROXIABLE is set) then
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                set new_tkt.flags.PROXIABLE;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if ((req.kdc-options.RENEW is set) or
+            (req.kdc-options.VALIDATE is set) or
+            (req.kdc-options.PROXY is set) or
+            (req.kdc-options.FORWARDED is set) or
+            (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.session := random_session_key();
+        new_tkt.cname := req.cname;
+        new_tkt.crealm := req.crealm;
+        new_tkt.transited := empty_transited_field();
+
+        new_tkt.authtime := kdc_time;
+
+        if (req.kdc-options.POSTDATED is set) then
+           if (against_postdate_policy(req.from)) then
+                error_out(KDC_ERR_POLICY);
+           endif
+           set new_tkt.flags.POSTDATED;
+           set new_tkt.flags.INVALID;
+           new_tkt.starttime := req.from;
+        else
+           omit new_tkt.starttime; /* treated as authtime when omitted */
+        endif
+        if (req.till = 0) then
+                till := infinity;
+        else
+                till := req.till;
+        endif
+
+        new_tkt.endtime := min(till,
+                              new_tkt.starttime+client.max_life,
+                              new_tkt.starttime+server.max_life,
+                              new_tkt.starttime+max_life_for_realm);
+
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (new_tkt.endtime < req.till)) then
+                /* we set the RENEWABLE option for later processing */
+                set req.kdc-options.RENEWABLE;
+                req.rtime := req.till;
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if (req.kdc-options.RENEWABLE is set) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                                     new_tkt.starttime+client.max_rlife,
+                                     new_tkt.starttime+server.max_rlife,
+                                     new_tkt.starttime+max_rlife_for_realm);
+        else
+                omit new_tkt.renew-till; /* only present if RENEWABLE */
+        endif
+
+        if (req.addresses) then
+                new_tkt.caddr := req.addresses;
+        else
+                omit new_tkt.caddr;
+        endif
+
+        new_tkt.authorization_data := empty_authorization_data();
+
+        encode to-be-encrypted part of ticket into OCTET STRING;
+        new_tkt.enc-part := encrypt OCTET STRING
+                using etype_for_key(server.key), server.key, server.p_kvno;
+
+        /* Start processing the response */
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_AS_REP;
+        resp.cname := req.cname;
+        resp.crealm := req.realm;
+        resp.ticket := new_tkt;
+
+        resp.key := new_tkt.session;
+        resp.last-req := fetch_last_request_info(client);
+        resp.nonce := req.nonce;
+        resp.key-expiration := client.expiration;
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        resp.realm := new_tkt.realm;
+        resp.sname := new_tkt.sname;
+
+        resp.caddr := new_tkt.caddr;
+
+        encode body of reply into OCTET STRING;
+
+        resp.enc-part := encrypt OCTET STRING
+                         using use_etype, client.key, client.p_kvno;
+        send(resp);
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.3. KRB_AS_REP verification
+
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
+                        set pa_enc_timestamp_required;
+                        goto KRB_AS_REQ;
+                endif
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key */
+        /* from the response immediately */
+
+        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                 resp.padata);
+        unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and key;
+        zero(key);
+
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        if near(resp.princ_exp) then
+                print(warning message);
+        endif
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.4. KRB_AS_REP and KRB_TGS_REP common checks
+
+        if (decryption_error() or
+            (req.cname != resp.cname) or
+            (req.realm != resp.crealm) or
+            (req.sname != resp.sname) or
+            (req.realm != resp.realm) or
+            (req.nonce != resp.nonce) or
+            (req.addresses != resp.caddr)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        /* make sure no flags are set that shouldn't be, and that all that
+*/
+        /* should be are set
+*/
+        if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.from = 0) and
+            (resp.starttime is not within allowable skew)) then
+                destroy resp.key;
+                return KRB_AP_ERR_SKEW;
+        endif
+        if ((req.from != 0) and (req.from != resp.starttime)) then
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.till != 0) and (resp.endtime > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (resp.flags.RENEWABLE) and
+            (req.till != 0) and
+            (resp.renew-till > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+A.5. KRB_TGS_REQ generation
+
+        /* Note that make_application_request might have to recursivly
+*/
+        /* call this routine to get the appropriate ticket-granting ticket
+*/
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+        body.kdc-options := users's preferences;
+        /* If the TGT is not for the realm of the end-server  */
+        /* then the sname will be for a TGT for the end-realm */
+        /* and the realm of the requested ticket (body.realm) */
+        /* will be that of the TGS to which the TGT we are    */
+        /* sending applies                                    */
+        body.sname := service's name;
+        body.realm := service's realm;
+
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+
+        body.enc-authorization-data := user-supplied data;
+        if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                body.additional-tickets_ticket := second TGT;
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+        endif
+
+        request.req-body := body;
+        check := generate_checksum (req.body,checksumtype);
+
+        request.padata[0].padata-type := PA-TGS-REQ;
+        request.padata[0].padata-value := create a KRB_AP_REQ using
+                                      the TGT and checksum
+
+        /* add in any other padata as required/supplied */
+
+        kerberos := lookup(name of local kerberose server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
+
+        /* note that reading the application request requires first
+        determining the server for which a ticket was issued, and choosing
+the
+        correct key for decryption.  The name of the server appears in the
+        plaintext part of the ticket. */
+
+        if (no KRB_AP_REQ in req.padata) then
+                error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+        endif
+        verify KRB_AP_REQ in req.padata;
+
+        /* Note that the realm in which the Kerberos server is operating is
+        determined by the instance from the ticket-granting ticket.  The
+realm
+        in the ticket-granting ticket is the realm under which the ticket
+        granting ticket was issued.  It is possible for a single Kerberos
+        server to support more than one realm. */
+
+        auth_hdr := KRB_AP_REQ;
+        tgt := auth_hdr.ticket;
+
+        if (tgt.sname is not a TGT for local realm and is not req.sname)
+then
+                error_out(KRB_AP_ERR_NOT_US);
+
+        realm := realm_tgt_is_for(tgt);
+
+        decode remainder of request;
+
+        if (auth_hdr.authenticator.cksum is missing) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+        if (auth_hdr.authenticator.cksum type is not supported) then
+                error_out(KDC_ERR_SUMTYPE_NOSUPP);
+        endif
+        if (auth_hdr.authenticator.cksum is not both collision-proof and
+            keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+        set computed_checksum := checksum(req);
+        if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        server := lookup(req.sname,realm);
+
+        if (!server) then
+                if (is_foreign_tgt_name(req.sname)) then
+                        server := best_intermediate_tgs(req.sname);
+                else
+                        /* no server in Database */
+                        error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                endif
+        endif
+
+        session := generate_random_session_key();
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := realm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        new_tkt.caddr := tgt.caddr;
+        resp.caddr := NULL; /* We only include this if they change */
+        if (req.kdc-options.FORWARDABLE is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.FORWARDED is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDED;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+        if (tgt.flags.FORWARDED is set) then
+                set new_tkt.flags.FORWARDED;
+        endif
+
+        if (req.kdc-options.PROXIABLE is set) then
+                if (tgt.flags.PROXIABLE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.PROXY is set) then
+                if (tgt.flags.PROXIABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXY;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                if (tgt.flags.MAY-POSTDATE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.MAY-POSTDATE;
+        endif
+        if (req.kdc-options.POSTDATED is set) then
+                if (tgt.flags.MAY-POSTDATE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                if (against_postdate_policy(req.from)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                new_tkt.starttime := req.from;
+        endif
+
+        if (req.kdc-options.VALIDATE is set) then
+                if (tgt.flags.INVALID is reset) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                if (tgt.starttime > kdc_time) then
+                        error_out(KRB_AP_ERR_NYV);
+                endif
+                if (check_hot_list(tgt)) then
+                        error_out(KRB_AP_ERR_REPEAT);
+                endif
+                tkt := tgt;
+                reset new_tkt.flags.INVALID;
+        endif
+
+        if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                             and those already processed) is set) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.authtime := tgt.authtime;
+
+        if (req.kdc-options.RENEW is set) then
+          /* Note that if the endtime has already passed, the ticket would
+*/
+          /* have been rejected in the initial authentication stage, so
+*/
+          /* there is no need to check again here
+*/
+                if (tgt.flags.RENEWABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                if (tgt.renew-till < kdc_time) then
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                        error_out(KRB_AP_ERR_TKT_EXPIRED);
+                endif
+                tkt := tgt;
+                new_tkt.starttime := kdc_time;
+                old_life := tgt.endttime - tgt.starttime;
+                new_tkt.endtime := min(tgt.renew-till,
+                                       new_tkt.starttime + old_life);
+        else
+                new_tkt.starttime := kdc_time;
+                if (req.till = 0) then
+                        till := infinity;
+                else
+                        till := req.till;
+                endif
+                new_tkt.endtime := min(till,
+                                       new_tkt.starttime+client.max_life,
+                                       new_tkt.starttime+server.max_life,
+                                       new_tkt.starttime+max_life_for_realm,
+                                       tgt.endtime);
+
+                if ((req.kdc-options.RENEWABLE-OK is set) and
+                    (new_tkt.endtime < req.till) and
+                    (tgt.flags.RENEWABLE is set) then
+                        /* we set the RENEWABLE option for later processing
+*/
+                        set req.kdc-options.RENEWABLE;
+                        req.rtime := min(req.till, tgt.renew-till);
+                endif
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (tgt.flags.RENEWABLE is set)) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+                                      new_tkt.starttime+client.max_rlife,
+                                      new_tkt.starttime+server.max_rlife,
+                                      new_tkt.starttime+max_rlife_for_realm,
+                                      tgt.renew-till);
+        else
+              new_tkt.renew-till := OMIT; /* leave the renew-till field out
+*/
+        endif
+        if (req.enc-authorization-data is present) then
+          decrypt req.enc-authorization-data into
+decrypted_authorization_data
+                  using auth_hdr.authenticator.subkey;
+          if (decrypt_error()) then
+                  error_out(KRB_AP_ERR_BAD_INTEGRITY);
+          endif
+        endif
+        new_tkt.authorization_data := req.auth_hdr.ticket.authorization_data
++
+                                 decrypted_authorization_data;
+
+        new_tkt.key := session;
+        new_tkt.crealm := tgt.crealm;
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+        new_tkt.cname := req.auth_hdr.ticket.cname;
+
+        if (realm_tgt_is_for(tgt) := tgt.realm) then
+                /* tgt issued by local realm */
+                new_tkt.transited := tgt.transited;
+        else
+                /* was issued for this realm by some other realm */
+                if (tgt.transited.tr-type not supported) then
+                        error_out(KDC_ERR_TRTYPE_NOSUPP);
+                endif
+            new_tkt.transited := compress_transited(tgt.transited +
+tgt.realm)
+                /* Don't check tranited field if TGT for foreign realm,
+                 * or requested not to check */
+                if (is_not_foreign_tgt_name(new_tkt.server)
+                   && req.kdc-options.DISABLE-TRANSITED-CHECK not set) then
+                        /* Check it, so end-server does not have to
+                         * but don't fail, end-server may still accept it */
+                        if (check_transited_field(new_tkt.transited) == OK)
+                              set new_tkt.flags.TRANSITED-POLICY-CHECKED;
+                        endif
+                endif
+        endif
+
+        encode encrypted part of new_tkt into OCTET STRING;
+        if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                if (server not specified) then
+                        server = req.second_ticket.client;
+                endif
+                if ((req.second_ticket is not a TGT) or
+                    (req.second_ticket.client != server)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+
+                new_tkt.enc-part := encrypt OCTET STRING using
+                 using etype_for_key(second-ticket.key), second-ticket.key;
+        else
+                new_tkt.enc-part := encrypt OCTET STRING
+                 using etype_for_key(server.key), server.key, server.p_kvno;
+        endif
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_TGS_REP;
+        resp.crealm := tgt.crealm;
+        resp.cname := tgt.cname;
+        resp.ticket := new_tkt;
+
+        resp.key := session;
+        resp.nonce := req.nonce;
+        resp.last-req := fetch_last_request_info(client);
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        omit resp.key-expiration;
+
+        resp.sname := new_tkt.sname;
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+        resp.realm := new_tkt.realm;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        encode body of reply into OCTET STRING;
+
+        if (req.padata.authenticator.subkey)
+                resp.enc-part := encrypt OCTET STRING using use_etype,
+                        req.padata.authenticator.subkey;
+        else resp.enc-part := encrypt OCTET STRING using use_etype, tgt.key;
+
+        send(resp);
+
+A.7. KRB_TGS_REP verification
+
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key from
+        the response immediately */
+
+        if (req.padata.authenticator.subkey)
+                unencrypted part of resp := decode of decrypt of
+resp.enc-part
+                        using resp.enc-part.etype and subkey;
+        else unencrypted part of resp := decode of decrypt of resp.enc-part
+                            using resp.enc-part.etype and tgt's session key;
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        check authorization_data as necessary;
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.8. Authenticator generation
+
+        body.authenticator-vno := authenticator vno; /* = 5 */
+        body.cname, body.crealm := client name;
+        if (supplying checksum) then
+                body.cksum := checksum;
+        endif
+        get system_time;
+        body.ctime, body.cusec := system_time;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.9. KRB_AP_REQ generation
+
+        obtain ticket and session_key from cache;
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REQ */
+
+        if (desired(MUTUAL_AUTHENTICATION)) then
+                set packet.ap-options.MUTUAL-REQUIRED;
+        else
+                reset packet.ap-options.MUTUAL-REQUIRED;
+        endif
+        if (using session key for ticket) then
+                set packet.ap-options.USE-SESSION-KEY;
+        else
+                reset packet.ap-options.USE-SESSION-KEY;
+        endif
+        packet.ticket := ticket; /* ticket */
+        generate authenticator;
+        encode authenticator into OCTET STRING;
+        encrypt OCTET STRING into packet.authenticator using session_key;
+
+A.10. KRB_AP_REQ verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REQ) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.ticket.tkt_vno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.ap_options.USE-SESSION-KEY is set) then
+                retrieve session key from ticket-granting ticket for
+                 packet.ticket.{sname,srealm,enc-part.etype};
+        else
+                retrieve service key for
+                 packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+        endif
+        if (no_key_available) then
+                if (cannot_find_specified_skvno) then
+                        error_out(KRB_AP_ERR_BADKEYVER);
+                else
+                        error_out(KRB_AP_ERR_NOKEY);
+                endif
+        endif
+        decrypt packet.ticket.enc-part into decr_ticket using retrieved key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        decrypt packet.authenticator into decr_authenticator
+                using decr_ticket.key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+        endif
+        if (decr_authenticator.{cname,crealm} !=
+            decr_ticket.{cname,crealm}) then
+                error_out(KRB_AP_ERR_BADMATCH);
+        endif
+        if (decr_ticket.caddr is present) then
+                if (sender_address(packet) is not in decr_ticket.caddr) then
+                        error_out(KRB_AP_ERR_BADADDR);
+                endif
+        elseif (application requires addresses) then
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(decr_authenticator.ctime,
+                              decr_authenticator.cusec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+        get system_time;
+        if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+            (decr_ticket.flags.INVALID is set)) then
+                /* it hasn't yet become valid */
+                error_out(KRB_AP_ERR_TKT_NYV);
+        endif
+        if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                error_out(KRB_AP_ERR_TKT_EXPIRED);
+        endif
+        if (decr_ticket.transited) then
+            /* caller may ignore the TRANSITED-POLICY-CHECKED and do
+             * check anyway */
+            if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then
+                 if (check_transited_field(decr_ticket.transited) then
+                      error_out(KDC_AP_PATH_NOT_ACCPETED);
+                 endif
+            endif
+        endif
+        /* caller must check decr_ticket.flags for any pertinent details */
+        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.11. KRB_AP_REP generation
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REP */
+
+        body.ctime := packet.ctime;
+        body.cusec := packet.cusec;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part;
+
+A.12. KRB_AP_REP verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REP) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        cleartext := decrypt(packet.enc-part) using ticket's session key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (cleartext.ctime != authenticator.ctime) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.cusec != authenticator.cusec) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.subkey is present) then
+                save cleartext.subkey for future use;
+        endif
+        if (cleartext.seq-number is present) then
+                save cleartext.seq-number for future verifications;
+        endif
+        return(AUTHENTICATION_SUCCEEDED);
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.13. KRB_SAFE generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_SAFE */
+
+        body.user-data := buffer; /* DATA */
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+        checksum.cksumtype := checksum type;
+        compute checksum over body;
+        checksum.checksum := checksum value; /* checksum.checksum */
+        packet.cksum := checksum;
+        packet.safe-body := body;
+
+A.14. KRB_SAFE verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_SAFE) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.checksum.cksumtype is not both collision-proof
+              and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (safe_priv_common_checks_ok(packet)) then
+                set computed_checksum := checksum(packet.body);
+                if (computed_checksum != packet.checksum) then
+                        error_out(KRB_AP_ERR_MODIFIED);
+                endif
+                return (packet, PACKET_IS_GENUINE);
+        else
+                return common_checks_error;
+        endif
+
+A.15. KRB_SAFE and KRB_PRIV common checks
+
+        if (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (((packet.timestamp is present) and
+             (not in_clock_skew(packet.timestamp,packet.usec))) or
+            (packet.timestamp is not present and timestamp expected)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+
+        if (((packet.seq-number is present) and
+             ((not in_sequence(packet.seq-number)))) or
+            (packet.seq-number is not present and sequence expected)) then
+                error_out(KRB_AP_ERR_BADORDER);
+        endif
+        if (packet.timestamp not present and packet.seq-number
+              not present) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        save_identifier(packet.{timestamp,usec,s-address},
+                        sender_principal(packet));
+
+        return PACKET_IS_OK;
+
+A.16. KRB_PRIV generation
+
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_PRIV */
+
+        packet.enc-part.etype := encryption type;
+
+        body.user-data := buffer;
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher;
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.17. KRB_PRIV verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_PRIV) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+        if (safe_priv_common_checks_ok(cleartext)) then
+                return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+        else
+                return common_checks_error;
+        endif
+
+A.18. KRB_CRED generation
+
+        invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_CRED */
+
+        for (tickets[n] in tickets to be forwarded) do
+                packet.tickets[n] = tickets[n].ticket;
+        done
+
+        packet.enc-part.etype := encryption type;
+
+        for (ticket[n] in tickets to be forwarded) do
+                body.ticket-info[n].key = tickets[n].session;
+                body.ticket-info[n].prealm = tickets[n].crealm;
+                body.ticket-info[n].pname = tickets[n].cname;
+                body.ticket-info[n].flags = tickets[n].flags;
+                body.ticket-info[n].authtime = tickets[n].authtime;
+                body.ticket-info[n].starttime = tickets[n].starttime;
+                body.ticket-info[n].endtime = tickets[n].endtime;
+                body.ticket-info[n].renew-till = tickets[n].renew-till;
+                body.ticket-info[n].srealm = tickets[n].srealm;
+                body.ticket-info[n].sname = tickets[n].sname;
+                body.ticket-info[n].caddr = tickets[n].caddr;
+        done
+
+        get system_time;
+        body.timestamp, body.usec := system_time;
+
+        if (using nonce) then
+                body.nonce := nonce;
+        endif
+
+        if (using s-address) then
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+                body.s-address := sender host addresses;
+        endif
+        if (limited recipients) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher
+               using negotiated encryption key;
+
+A.19. KRB_CRED verification
+
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_CRED) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if ((packet.r-address is present or required) and
+           (packet.s-address != O/S_sender(packet)) then
+                /* O/S report of sender not who claims to have sent it */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (packet.nonce is required or present) and
+           (packet.nonce != expected-nonce) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        for (ticket[n] in tickets that were forwarded) do
+                save_for_later(ticket[n],key[n],principal[n],
+                               server[n],times[n],flags[n]);
+        return
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+A.20. KRB_ERROR generation
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_ERROR */
+
+        get system_time;
+        packet.stime, packet.susec := system_time;
+        packet.realm, packet.sname := server name;
+
+        if (client time available) then
+                packet.ctime, packet.cusec := client_time;
+        endif
+        packet.error-code := error code;
+        if (client name available) then
+                packet.cname, packet.crealm := client name;
+        endif
+        if (error text available) then
+                packet.e-text := error text;
+        endif
+        if (error data available) then
+                packet.e-data := error data;
+        endif
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+B. Definition of common authorization data elements
+
+This appendix contains the definitions of common authorization data
+elements. These common authorization data elements are recursivly defined,
+meaning the ad-data for these types will itself contain a sequence of
+authorization data whose interpretation is affected by the encapsulating
+element. Depending on the meaning of the encapsulating element, the
+encapsulated elements may be ignored, might be interpreted as issued
+directly by the KDC, or they might be stored in a separate plaintext part of
+the ticket. The types of the encapsulating elements are specified as part of
+the Kerberos specification because the behavior based on these values should
+be understood across implementations whereas other elements need only be
+understood by the applications which they affect.
+
+In the definitions that follow, the value of the ad-type for the element
+will be specified in the subsection number, and the value of the ad-data
+will be as shown in the ASN.1 structure that follows the subsection heading.
+
+B.1. If relevant
+
+AD-IF-RELEVANT   AuthorizationData
+
+AD elements encapsulated within the if-relevant element are intended for
+interpretation only by application servers that understand the particular
+ad-type of the embedded element. Application servers that do not understand
+the type of an element embedded within the if-relevant element may ignore
+the uninterpretable element. This element promotes interoperability across
+implementations which may have local extensions for authorization.
+
+B.2. Intended for server
+
+AD-INTENDED-FOR-SERVER   SEQUENCE {
+         intended-server[0]     SEQUENCE OF PrincipalName
+         elements[1]            AuthorizationData
+}
+
+AD elements encapsulated within the intended-for-server element may be
+ignored if the application server is not in the list of principal names of
+intended servers. Further, a KDC issuing a ticket for an application server
+can remove this element if the application server is not in the list of
+intended servers.
+
+Application servers should check for their principal name in the
+intended-server field of this element. If their principal name is not found,
+this element should be ignored. If found, then the encapsulated elements
+should be evaluated in the same manner as if they were present in the top
+level authorization data field. Applications and application servers that do
+not implement this element should reject tickets that contain authorization
+data elements of this type.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+B.3. Intended for application class
+
+AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE { intended-application-class[0]
+SEQUENCE OF GeneralString elements[1] AuthorizationData } AD elements
+encapsulated within the intended-for-application-class element may be
+ignored if the application server is not in one of the named classes of
+application servers. Examples of application server classes include
+"FILESYSTEM", and other kinds of servers.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+B.4. KDC Issued
+
+AD-KDCIssued   SEQUENCE {
+               ad-checksum[0]    Checksum,
+                i-realm[1]       Realm OPTIONAL,
+                i-sname[2]       PrincipalName OPTIONAL,
+               elements[3]       AuthorizationData.
+}
+
+ad-checksum
+     A checksum over the elements field using a cryptographic checksum
+     method that is identical to the checksum used to protect the ticket
+     itself (i.e. using the same hash function and the same encryption
+     algorithm used to encrypt the ticket) and using a key derived from the
+     same key used to protect the ticket.
+i-realm, i-sname
+     The name of the issuing principal if different from the KDC itself.
+     This field would be used when the KDC can verify the authenticity of
+     elements signed by the issuing principal and it allows this KDC to
+     notify the application server of the validity of those elements.
+elements
+     A sequence of authorization data elements issued by the KDC.
+
+The KDC-issued ad-data field is intended to provide a means for Kerberos
+principal credentials to embed within themselves privilege attributes and
+other mechanisms for positive authorization, amplifying the priveleges of
+the principal beyond what can be done using a credentials without such an
+a-data element.
+
+This can not be provided without this element because the definition of the
+authorization-data field allows elements to be added at will by the bearer
+of a TGT at the time that they request service tickets and elements may also
+be added to a delegated ticket by inclusion in the authenticator.
+
+For KDC-issued elements this is prevented because the elements are signed by
+the KDC by including a checksum encrypted using the server's key (the same
+key used to encrypt the ticket - or a key derived from that key). Elements
+encapsulated with in the KDC-issued element will be ignored by the
+application server if this "signature" is not present. Further, elements
+encapsulated within this element from a ticket granting ticket may be
+interpreted by the KDC, and used as a basis according to policy for
+including new signed elements within derivative tickets, but they will not
+be copied to a derivative ticket directly. If they are copied directly to a
+derivative ticket by a KDC that is not aware of this element, the signature
+will not be correct for the application ticket elements, and the field will
+be ignored by the application server.
+
+This element and the elements it encapulates may be safely ignored by
+applications, application servers, and KDCs that do not implement this
+element.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+B.5. And-Or
+
+AD-AND-OR           SEQUENCE {
+                        condition-count[0]    INTEGER,
+                        elements[1]           AuthorizationData
+}
+
+When restrictive AD elements encapsulated within the and-or element are
+encountered, only the number specified in condition-count of the
+encapsulated conditions must be met in order to satisfy this element. This
+element may be used to implement an "or" operation by setting the
+condition-count field to 1, and it may specify an "and" operation by setting
+the condition count to the number of embedded elements. Application servers
+that do not implement this element must reject tickets that contain
+authorization data elements of this type.
+
+B.6. Mandatory ticket extensions
+
+AD-Mandatory-Ticket-Extensions   Checksum
+
+An authorization data element of type mandatory-ticket-extensions specifies
+a collision-proof checksum using the same hash algorithm used to protect the
+integrity of the ticket itself. This checksum will be calculated over an
+individual extension field. If there are more than one extension, multiple
+Mandatory-Ticket-Extensions authorization data elements may be present, each
+with a checksum for a different extension field. This restriction indicates
+that the ticket should not be accepted if a ticket extension is not present
+in the ticket for which the checksum does not match that checksum specified
+in the authorization data element. Application servers that do not implement
+this element must reject tickets that contain authorization data elements of
+this type.
+
+B.7. Authorization Data in ticket extensions
+
+AD-IN-Ticket-Extensions   Checksum
+
+An authorization data element of type in-ticket-extensions specifies a
+collision-proof checksum using the same hash algorithm used to protect the
+integrity of the ticket itself. This checksum is calculated over a separate
+external AuthorizationData field carried in the ticket extensions.
+Application servers that do not implement this element must reject tickets
+that contain authorization data elements of this type. Application servers
+that do implement this element will search the ticket extensions for
+authorization data fields, calculate the specified checksum over each
+authorization data field and look for one matching the checksum in this
+in-ticket-extensions element. If not found, then the ticket must be
+rejected. If found, the corresponding authorization data elements will be
+interpreted in the same manner as if they were contained in the top level
+authorization data field.
+
+Note that if multiple external authorization data fields are present in a
+ticket, each will have a corresponding element of type in-ticket-extensions
+in the top level authorization data field, and the external entries will be
+linked to the corresponding element by their checksums.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+C. Definition of common ticket extensions
+
+This appendix contains the definitions of common ticket extensions. Support
+for these extensions is optional. However, certain extensions have
+associated authorization data elements that may require rejection of a
+ticket containing an extension by application servers that do not implement
+the particular extension. Other extensions have been defined beyond those
+described in this specification. Such extensions are described elswhere and
+for some of those extensions the reserved number may be found in the list of
+constants.
+
+It is known that older versions of Kerberos did not support this field, and
+that some clients will strip this field from a ticket when they parse and
+then reassemble a ticket as it is passed to the application servers. The
+presence of the extension will not break such clients, but any functionaly
+dependent on the extensions will not work when such tickets are handled by
+old clients. In such situations, some implementation may use alternate
+methods to transmit the information in the extensions field.
+
+C.1. Null ticket extension
+
+TE-NullExtension   OctetString -- The empty Octet String
+
+The te-data field in the null ticket extension is an octet string of lenght
+zero. This extension may be included in a ticket granting ticket so that the
+KDC can determine on presentation of the ticket granting ticket whether the
+client software will strip the extensions field.
+
+C.2. External Authorization Data
+
+TE-ExternalAuthorizationData   AuthorizationData
+
+The te-data field in the external authorization data ticket extension is
+field of type AuthorizationData containing one or more authorization data
+elements. If present, a corresponding authorization data element will be
+present in the primary authorization data for the ticket and that element
+will contain a checksum of the external authorization data ticket extension.
+  ------------------------------------------------------------------------
+[TM] Project Athena, Athena, and Kerberos are trademarks of the
+Massachusetts Institute of Technology (MIT). No commercial use of these
+trademarks may be made without prior written permission of MIT.
+
+[1] Note, however, that many applications use Kerberos' functions only upon
+the initiation of a stream-based network connection. Unless an application
+subsequently provides integrity protection for the data stream, the identity
+verification applies only to the initiation of the connection, and does not
+guarantee that subsequent messages on the connection originate from the same
+principal.
+
+[2] Secret and private are often used interchangeably in the literature. In
+our usage, it takes two (or more) to share a secret, thus a shared DES key
+is a secret key. Something is only private when no one but its owner knows
+it. Thus, in public key cryptosystems, one has a public and a private key.
+
+[3] Of course, with appropriate permission the client could arrange
+registration of a separately-named prin- cipal in a remote realm, and engage
+in normal exchanges with that realm's services. However, for even small
+numbers of clients this becomes cumbersome, and more automatic methods as
+described here are necessary.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+[4] Though it is permissible to request or issue tick- ets with no network
+addresses specified.
+
+[5] The password-changing request must not be honored unless the requester
+can provide the old password (the user's current secret key). Otherwise, it
+would be possible for someone to walk up to an unattended ses- sion and
+change another user's password.
+
+[6] To authenticate a user logging on to a local system, the credentials
+obtained in the AS exchange may first be used in a TGS exchange to obtain
+credentials for a local server. Those credentials must then be verified by a
+local server through successful completion of the Client/Server exchange.
+
+[7] "Random" means that, among other things, it should be impossible to
+guess the next session key based on knowledge of past session keys. This can
+only be achieved in a pseudo-random number generator if it is based on
+cryptographic principles. It is more desirable to use a truly random number
+generator, such as one based on measurements of random physical phenomena.
+
+[8] Tickets contain both an encrypted and unencrypted portion, so cleartext
+here refers to the entire unit, which can be copied from one message and
+replayed in another without any cryptographic skill.
+
+[9] Note that this can make applications based on unreliable transports
+difficult to code correctly. If the transport might deliver duplicated
+messages, either a new authenticator must be generated for each retry, or
+the application server must match requests and replies and replay the first
+reply in response to a detected duplicate.
+
+[10] This is used for user-to-user authentication as described in [8].
+
+[11] Note that the rejection here is restricted to authenticators from the
+same principal to the same server. Other client principals communicating
+with the same server principal should not be have their authenticators
+rejected if the time and microsecond fields happen to match some other
+client's authenticator.
+
+[12] In the Kerberos version 4 protocol, the timestamp in the reply was the
+client's timestamp plus one. This is not necessary in version 5 because
+version 5 messages are formatted in such a way that it is not possible to
+create the reply by judicious message surgery (even in encrypted form)
+without knowledge of the appropriate encryption keys.
+
+[13] Note that for encrypting the KRB_AP_REP message, the sub-session key is
+not used, even if present in the Authenticator.
+
+[14] Implementations of the protocol may wish to provide routines to choose
+subkeys based on session keys and random numbers and to generate a
+negotiated key to be returned in the KRB_AP_REP message.
+
+[15]This can be accomplished in several ways. It might be known beforehand
+(since the realm is part of the principal identifier), it might be stored in
+a nameserver, or it might be obtained from a configura- tion file. If the
+realm to be used is obtained from a nameserver, there is a danger of being
+spoofed if the nameservice providing the realm name is not authenti- cated.
+This might result in the use of a realm which has been compromised, and
+would result in an attacker's ability to compromise the authentication of
+the application server to the client.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+[16] If the client selects a sub-session key, care must be taken to ensure
+the randomness of the selected sub- session key. One approach would be to
+generate a random number and XOR it with the session key from the
+ticket-granting ticket.
+
+[17] This allows easy implementation of user-to-user authentication [8],
+which uses ticket-granting ticket session keys in lieu of secret server keys
+in situa- tions where such secret keys could be easily comprom- ised.
+
+[18] For the purpose of appending, the realm preceding the first listed
+realm is considered to be the null realm ("").
+
+[19] For the purpose of interpreting null subfields, the client's realm is
+considered to precede those in the transited field, and the server's realm
+is considered to follow them.
+
+[20] This means that a client and server running on the same host and
+communicating with one another using the KRB_SAFE messages should not share
+a common replay cache to detect KRB_SAFE replays.
+
+[21] The implementation of the Kerberos server need not combine the database
+and the server on the same machine; it is feasible to store the principal
+database in, say, a network name service, as long as the entries stored
+therein are protected from disclosure to and modification by unauthorized
+parties. However, we recommend against such strategies, as they can make
+system management and threat analysis quite complex.
+
+[22] See the discussion of the padata field in section 5.4.2 for details on
+why this can be useful.
+
+[23] Warning for implementations that unpack and repack data structures
+during the generation and verification of embedded checksums: Because any
+checksums applied to data structures must be checked against the original
+data the length of bit strings must be preserved within a data structure
+between the time that a checksum is generated through transmission to the
+time that the checksum is verified.
+
+[24] It is NOT recommended that this time value be used to adjust the
+workstation's clock since the workstation cannot reliably determine that
+such a KRB_AS_REP actually came from the proper KDC in a timely manner.
+
+[25] Note, however, that if the time is used as the nonce, one must make
+sure that the workstation time is monotonically increasing. If the time is
+ever reset backwards, there is a small, but finite, probability that a nonce
+will be reused.
+
+[27] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[29] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+[31] An application code in the encrypted part of a message provides an
+additional check that the message was decrypted properly.
+
+
+Neuman, Ts'o, Kohl                                 Expires: 25 December,
+1999
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-04          June 25,
+1999
+
+[32] If supported by the encryption method in use, an initialization vector
+may be passed to the encryption procedure, in order to achieve proper cipher
+chaining. The initialization vector might come from the last block of the
+ciphertext from the previous KRB_PRIV message, but it is the application's
+choice whether or not to use such an initialization vector. If left out, the
+default initialization vector for the encryption algorithm will be used.
+
+[33] This prevents an attacker who generates an incorrect AS request from
+obtaining verifiable plaintext for use in an off-line password guessing
+attack.
+
+[35] In the above specification, UNTAGGED OCTET STRING(length) is the
+notation for an octet string with its tag and length removed. It is not a
+valid ASN.1 type. The tag bits and length must be removed from the
+confounder since the purpose of the confounder is so that the message starts
+with random data, but the tag and its length are fixed. For other fields,
+the length and tag would be redundant if they were included because they are
+specified by the encryption type. [36] The ordering of the fields in the
+CipherText is important. Additionally, messages encoded in this format must
+include a length as part of the msg-seq field. This allows the recipient to
+verify that the message has not been truncated. Without a length, an
+attacker could use a chosen plaintext attack to generate a message which
+could be truncated, while leaving the checksum intact. Note that if the
+msg-seq is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length
+is part of that encoding.
+
+[37] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[38] In some cases, it may be necessary to use a different "mix-in" string
+for compatibility reasons; see the discussion of padata in section 5.4.2.
+
+[39] A variant of the key is used to limit the use of a key to a particular
+function, separating the functions of generating a checksum from other
+encryption performed using the session key. The constant F0F0F0F0F0F0F0F0
+was chosen because it maintains key parity. The properties of DES precluded
+the use of the complement. The same constant is used for similar purpose in
+the Message Integrity Check in the Privacy Enhanced Mail standard.
+
+[40] This error carries additional information in the e- data field. The
+contents of the e-data field for this message is described in section 5.9.1.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt
new file mode 100644
index 0000000..1592124
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-05.txt
@@ -0,0 +1,6866 @@
+INTERNET-DRAFT                                           Clifford Neuman
+                                                               John Kohl
+                                                           Theodore Ts'o
+                                                          March 10, 2000
+                                              Expires September 10, 2000
+
+The Kerberos Network Authentication Service (V5)
+draft-ietf-cat-kerberos-revisions-05.txt
+
+STATUS OF THIS MEMO
+
+This document is an Internet-Draft and is in full conformance with all
+provisions of Section 10 of RFC 2026. Internet-Drafts are working documents
+of the Internet Engineering Task Force (IETF), its areas, and its working
+groups. Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It is
+inappropriate to use Internet-Drafts as reference material or to cite them
+other than as "work in progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html.
+
+To learn the current status of any Internet-Draft, please check the
+"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
+ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
+
+The distribution of this memo is unlimited. It is filed as
+draft-ietf-cat-kerberos-revisions-05.txt, and expires September 10, 2000.
+Please send comments to: krb-protocol@MIT.EDU
+
+ABSTRACT
+
+This document provides an overview and specification of Version 5 of the
+Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
+and its intended use that require more detailed or clearer explanation than
+was provided in RFC1510. This document is intended to provide a detailed
+description of the protocol, suitable for implementation, together with
+descriptions of the appropriate use of protocol messages and fields within
+those messages.
+
+This document is not intended to describe Kerberos to the end user, system
+administrator, or application developer. Higher level papers describing
+Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
+are available elsewhere.
+
+OVERVIEW
+
+This INTERNET-DRAFT describes the concepts and model upon which the Kerberos
+network authentication system is based. It also specifies Version 5 of the
+Kerberos protocol.
+
+The motivations, goals, assumptions, and rationale behind most design
+decisions are treated cursorily; they are more fully described in a paper
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+available in IEEE communications [NT94] and earlier in the Kerberos portion
+of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
+standard and are being considered for advancement for draft standard through
+the IETF standard process. Comments are encouraged on the presentation, but
+only minor refinements to the protocol as implemented or extensions that fit
+within current protocol framework will be considered at this time.
+
+Requests for addition to an electronic mailing list for discussion of
+Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
+This mailing list is gatewayed onto the Usenet as the group
+comp.protocols.kerberos. Requests for further information, including
+documents and code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+The Kerberos model is based in part on Needham and Schroeder's trusted
+third-party authentication protocol [NS78] and on modifications suggested by
+Denning and Sacco [DS81]. The original design and implementation of Kerberos
+Versions 1 through 4 was the work of two former Project Athena staff
+members, Steve Miller of Digital Equipment Corporation and Clifford Neuman
+(now at the Information Sciences Institute of the University of Southern
+California), along with Jerome Saltzer, Technical Director of Project
+Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other members
+of Project Athena have also contributed to the work on Kerberos.
+
+Version 5 of the Kerberos protocol (described in this document) has evolved
+from Version 4 based on new requirements and desires for features not
+available in Version 4. The design of Version 5 of the Kerberos protocol was
+led by Clifford Neuman and John Kohl with much input from the community. The
+development of the MIT reference implementation was led at MIT by John Kohl
+and Theodore T'so, with help and contributed code from many others. Since
+RFC1510 was issued, extensions and revisions to the protocol have been
+proposed by many individuals. Some of these proposals are reflected in this
+document. Where such changes involved significant effort, the document cites
+the contribution of the proposer.
+
+Reference implementations of both version 4 and version 5 of Kerberos are
+publicly available and commercial implementations have been developed and
+are widely used. Details on the differences between Kerberos Versions 4 and
+5 can be found in [KNT92].
+
+1. Introduction
+
+Kerberos provides a means of verifying the identities of principals, (e.g. a
+workstation user or a network server) on an open (unprotected) network. This
+is accomplished without relying on assertions by the host operating system,
+without basing trust on host addresses, without requiring physical security
+of all the hosts on the network, and under the assumption that packets
+traveling along the network can be read, modified, and inserted at will[1].
+Kerberos performs authentication under these conditions as a trusted
+third-party authentication service by using conventional (shared secret key
+[2] cryptography. Kerberos extensions have been proposed and implemented
+that provide for the use of public key cryptography during certain phases of
+the authentication protocol. These extensions provide for authentication of
+users registered with public key certification authorities, and allow the
+system to provide certain benefits of public key cryptography in situations
+where they are needed.
+
+The basic Kerberos authentication process proceeds as follows: A client
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+sends a request to the authentication server (AS) requesting 'credentials'
+for a given server. The AS responds with these credentials, encrypted in the
+client's key. The credentials consist of 1) a 'ticket' for the server and 2)
+a temporary encryption key (often called a "session key"). The client
+transmits the ticket (which contains the client's identity and a copy of the
+session key, all encrypted in the server's key) to the server. The session
+key (now shared by the client and server) is used to authenticate the
+client, and may optionally be used to authenticate the server. It may also
+be used to encrypt further communication between the two parties or to
+exchange a separate sub-session key to be used to encrypt further
+communication.
+
+Implementation of the basic protocol consists of one or more authentication
+servers running on physically secure hosts. The authentication servers
+maintain a database of principals (i.e., users and servers) and their secret
+keys. Code libraries provide encryption and implement the Kerberos protocol.
+In order to add authentication to its transactions, a typical network
+application adds one or two calls to the Kerberos library directly or
+through the Generic Security Services Application Programming Interface,
+GSSAPI, described in separate document. These calls result in the
+transmission of the necessary messages to achieve authentication.
+
+The Kerberos protocol consists of several sub-protocols (or exchanges).
+There are two basic methods by which a client can ask a Kerberos server for
+credentials. In the first approach, the client sends a cleartext request for
+a ticket for the desired server to the AS. The reply is sent encrypted in
+the client's secret key. Usually this request is for a ticket-granting
+ticket (TGT) which can later be used with the ticket-granting server (TGS).
+In the second method, the client sends a request to the TGS. The client uses
+the TGT to authenticate itself to the TGS in the same manner as if it were
+contacting any other application server that requires Kerberos
+authentication. The reply is encrypted in the session key from the TGT.
+Though the protocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different protocol entry points
+within a single Kerberos server.
+
+Once obtained, credentials may be used to verify the identity of the
+principals in a transaction, to ensure the integrity of messages exchanged
+between them, or to preserve privacy of the messages. The application is
+free to choose whatever protection may be necessary.
+
+To verify the identities of the principals in a transaction, the client
+transmits the ticket to the application server. Since the ticket is sent "in
+the clear" (parts of it are encrypted, but this encryption doesn't thwart
+replay) and might be intercepted and reused by an attacker, additional
+information is sent to prove that the message originated with the principal
+to whom the ticket was issued. This information (called the authenticator)
+is encrypted in the session key, and includes a timestamp. The timestamp
+proves that the message was recently generated and is not a replay.
+Encrypting the authenticator in the session key proves that it was generated
+by a party possessing the session key. Since no one except the requesting
+principal and the server know the session key (it is never sent over the
+network in the clear) this guarantees the identity of the client.
+
+The integrity of the messages exchanged between principals can also be
+guaranteed using the session key (passed in the ticket and contained in the
+credentials). This approach provides detection of both replay attacks and
+message stream modification attacks. It is accomplished by generating and
+transmitting a collision-proof checksum (elsewhere called a hash or digest
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+function) of the client's message, keyed with the session key. Privacy and
+integrity of the messages exchanged between principals can be secured by
+encrypting the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+The authentication exchanges mentioned above require read-only access to the
+Kerberos database. Sometimes, however, the entries in the database must be
+modified, such as when adding new principals or changing a principal's key.
+This is done using a protocol between a client and a third Kerberos server,
+the Kerberos Administration Server (KADM). There is also a protocol for
+maintaining multiple copies of the Kerberos database. Neither of these
+protocols are described in this document.
+
+1.1. Cross-Realm Operation
+
+The Kerberos protocol is designed to operate across organizational
+boundaries. A client in one organization can be authenticated to a server in
+another. Each organization wishing to run a Kerberos server establishes its
+own 'realm'. The name of the realm in which a client is registered is part
+of the client's name, and can be used by the end-service to decide whether
+to honor a request.
+
+By establishing 'inter-realm' keys, the administrators of two realms can
+allow a client authenticated in the local realm to prove its identity to
+servers in other realms[3]. The exchange of inter-realm keys (a separate key
+may be used for each direction) registers the ticket-granting service of
+each realm as a principal in the other realm. A client is then able to
+obtain a ticket-granting ticket for the remote realm's ticket-granting
+service from its local realm. When that ticket-granting ticket is used, the
+remote ticket-granting service uses the inter-realm key (which usually
+differs from its own normal TGS key) to decrypt the ticket-granting ticket,
+and is thus certain that it was issued by the client's own TGS. Tickets
+issued by the remote ticket-granting service will indicate to the
+end-service that the client was authenticated from another realm.
+
+A realm is said to communicate with another realm if the two realms share an
+inter-realm key, or if the local realm shares an inter-realm key with an
+intermediate realm that communicates with the remote realm. An
+authentication path is the sequence of intermediate realms that are
+transited in communicating from one realm to another.
+
+Realms are typically organized hierarchically. Each realm shares a key with
+its parent and a different key with each child. If an inter-realm key is not
+directly shared by two realms, the hierarchical organization allows an
+authentication path to be easily constructed. If a hierarchical organization
+is not used, it may be necessary to consult a database in order to construct
+an authentication path between realms.
+
+Although realms are typically hierarchical, intermediate realms may be
+bypassed to achieve cross-realm authentication through alternate
+authentication paths (these might be established to make communication
+between two realms more efficient). It is important for the end-service to
+know which realms were transited when deciding how much faith to place in
+the authentication process. To facilitate this decision, a field in each
+ticket contains the names of the realms that were involved in authenticating
+the client.
+
+The application server is ultimately responsible for accepting or rejecting
+authentication and should check the transited field. The application server
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+may choose to rely on the KDC for the application server's realm to check
+the transited field. The application server's KDC will set the
+TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
+realms may also check the transited field as they issue
+ticket-granting-tickets for other realms, but they are encouraged not to do
+so. A client may request that the KDC's not check the transited field by
+setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
+required to honor this flag.
+
+1.2. Authorization
+
+As an authentication service, Kerberos provides a means of verifying the
+identity of principals on a network. Authentication is usually useful
+primarily as a first step in the process of authorization, determining
+whether a client may use a service, which objects the client is allowed to
+access, and the type of access allowed for each. Kerberos does not, by
+itself, provide authorization. Possession of a client ticket for a service
+provides only for authentication of the client to that service, and in the
+absence of a separate authorization procedure, it should not be considered
+by an application as authorizing the use of that service.
+
+Such separate authorization methods may be implemented as application
+specific access control functions and may be based on files such as the
+application server, or on separately issued authorization credentials such
+as those based on proxies [Neu93], or on other authorization services.
+Separately authenticated authorization credentials may be embedded in a
+tickets authorization data when encapsulated by the kdc-issued authorization
+data element.
+
+Applications should not be modified to accept the mere issuance of a service
+ticket by the Kerberos server (even by a modified Kerberos server) as
+granting authority to use the service, since such applications may become
+vulnerable to the bypass of this authorization check in an environment if
+they interoperate with other KDCs or where other options for application
+authentication (e.g. the PKTAPP proposal) are provided.
+
+1.3. Environmental assumptions
+
+Kerberos imposes a few assumptions on the environment in which it can
+properly function:
+
+   * 'Denial of service' attacks are not solved with Kerberos. There are
+     places in these protocols where an intruder can prevent an application
+     from participating in the proper authentication steps. Detection and
+     solution of such attacks (some of which can appear to be nnot-uncommon
+     'normal' failure modes for the system) is usually best left to the
+     human administrators and users.
+   * Principals must keep their secret keys secret. If an intruder somehow
+     steals a principal's key, it will be able to masquerade as that
+     principal or impersonate any server to the legitimate principal.
+   * 'Password guessing' attacks are not solved by Kerberos. If a user
+     chooses a poor password, it is possible for an attacker to successfully
+     mount an offline dictionary attack by repeatedly attempting to decrypt,
+     with successive entries from a dictionary, messages obtained which are
+     encrypted under a key derived from the user's password.
+   * Each host on the network must have a clock which is 'loosely
+     synchronized' to the time of the other hosts; this synchronization is
+     used to reduce the bookkeeping needs of application servers when they
+     do replay detection. The degree of "looseness" can be configured on a
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     per-server basis, but is typically on the order of 5 minutes. If the
+     clocks are synchronized over the network, the clock synchronization
+     protocol must itself be secured from network attackers.
+   * Principal identifiers are not recycled on a short-term basis. A typical
+     mode of access control will use access control lists (ACLs) to grant
+     permissions to particular principals. If a stale ACL entry remains for
+     a deleted principal and the principal identifier is reused, the new
+     principal will inherit rights specified in the stale ACL entry. By not
+     re-using principal identifiers, the danger of inadvertent access is
+     removed.
+
+1.4. Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+Authentication
+     Verifying the claimed identity of a principal.
+Authentication header
+     A record containing a Ticket and an Authenticator to be presented to a
+     server as part of the authentication process.
+Authentication path
+     A sequence of intermediate realms transited in the authentication
+     process when communicating from one realm to another.
+Authenticator
+     A record containing information that can be shown to have been recently
+     generated using the session key known only by the client and server.
+Authorization
+     The process of determining whether a client may use a service, which
+     objects the client is allowed to access, and the type of access allowed
+     for each.
+Capability
+     A token that grants the bearer permission to access an object or
+     service. In Kerberos, this might be a ticket whose use is restricted by
+     the contents of the authorization data field, but which lists no
+     network addresses, together with the session key necessary to use the
+     ticket.
+Ciphertext
+     The output of an encryption function. Encryption transforms plaintext
+     into ciphertext.
+Client
+     A process that makes use of a network service on behalf of a user. Note
+     that in some cases a Server may itself be a client of some other server
+     (e.g. a print server may be a client of a file server).
+Credentials
+     A ticket plus the secret session key necessary to successfully use that
+     ticket in an authentication exchange.
+KDC
+     Key Distribution Center, a network service that supplies tickets and
+     temporary session keys; or an instance of that service or the host on
+     which it runs. The KDC services both initial ticket and ticket-granting
+     ticket requests. The initial ticket portion is sometimes referred to as
+     the Authentication Server (or service). The ticket-granting ticket
+     portion is sometimes referred to as the ticket-granting server (or
+     service).
+Kerberos
+     Aside from the 3-headed dog guarding Hades, the name given to Project
+     Athena's authentication service, the protocol used by that service, or
+     the code used to implement the authentication service.
+Plaintext
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     The input to an encryption function or the output of a decryption
+     function. Decryption transforms ciphertext into plaintext.
+Principal
+     A uniquely named client or server instance that participates in a
+     network communication.
+Principal identifier
+     The name used to uniquely identify each different principal.
+Seal
+     To encipher a record containing several fields in such a way that the
+     fields cannot be individually replaced without either knowledge of the
+     encryption key or leaving evidence of tampering.
+Secret key
+     An encryption key shared by a principal and the KDC, distributed
+     outside the bounds of the system, with a long lifetime. In the case of
+     a human user's principal, the secret key is derived from a password.
+Server
+     A particular Principal which provides a resource to network clients.
+     The server is sometimes refered to as the Application Server.
+Service
+     A resource provided to network clients; often provided by more than one
+     server (for example, remote file service).
+Session key
+     A temporary encryption key used between two principals, with a lifetime
+     limited to the duration of a single login "session".
+Sub-session key
+     A temporary encryption key used between two principals, selected and
+     exchanged by the principals using the session key, and with a lifetime
+     limited to the duration of a single association.
+Ticket
+     A record that helps a client authenticate itself to a server; it
+     contains the client's identity, a session key, a timestamp, and other
+     information, all sealed using the server's secret key. It only serves
+     to authenticate a client when presented along with a fresh
+     Authenticator.
+
+2. Ticket flag uses and requests
+
+Each Kerberos ticket contains a set of flags which are used to indicate
+various attributes of that ticket. Most flags may be requested by a client
+when the ticket is obtained; some are automatically turned on and off by a
+Kerberos server as required. The following sections explain what the various
+flags mean, and gives examples of reasons to use such a flag.
+
+2.1. Initial and pre-authenticated tickets
+
+The INITIAL flag indicates that a ticket was issued using the AS protocol
+and not issued based on a ticket-granting ticket. Application servers that
+want to require the demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be set in any tickets
+they accept, and thus be assured that the client's key was recently
+presented to the application client.
+
+The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
+initial authentication, regardless of whether the current ticket was issued
+directly (in which case INITIAL will also be set) or issued on the basis of
+a ticket-granting ticket (in which case the INITIAL flag is clear, but the
+PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ticket-granting ticket).
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+2.2. Invalid tickets
+
+The INVALID flag indicates that a ticket is invalid. Application servers
+must reject tickets which have this flag set. A postdated ticket will
+usually be issued in this form. Invalid tickets must be validated by the KDC
+before use, by presenting them to the KDC in a TGS request with the VALIDATE
+option specified. The KDC will only validate tickets after their starttime
+has passed. The validation is required so that postdated tickets which have
+been stolen before their starttime can be rendered permanently invalid
+(through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3. Renewable tickets
+
+Applications may desire to hold tickets which can be valid for long periods
+of time. However, this can expose their credentials to potential theft for
+equally long periods, and those stolen credentials would be valid until the
+expiration time of the ticket(s). Simply using short-lived tickets and
+obtaining new ones periodically would require the client to have long-term
+access to its secret key, an even greater risk. Renewable tickets can be
+used to mitigate the consequences of theft. Renewable tickets have two
+"expiration times": the first is when the current instance of the ticket
+expires, and the second is the latest permissible value for an individual
+expiration time. An application client must periodically (i.e. before it
+expires) present a renewable ticket to the KDC, with the RENEW option set in
+the KDC request. The KDC will issue a new ticket with a new session key and
+a later expiration time. All other fields of the ticket are left unmodified
+by the renewal process. When the latest permissible expiration time arrives,
+the ticket expires permanently. At each renewal, the KDC may consult a
+hot-list to determine if the ticket had been reported stolen since its last
+renewal; it will refuse to renew such stolen tickets, and thus the usable
+lifetime of stolen tickets is reduced.
+
+The RENEWABLE flag in a ticket is normally only interpreted by the
+ticket-granting service (discussed below in section 3.3). It can usually be
+ignored by application servers. However, some particularly careful
+application servers may wish to disallow renewable tickets.
+
+If a renewable ticket is not renewed by its expiration time, the KDC will
+not renew the ticket. The RENEWABLE flag is reset by default, but a client
+may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
+message. If it is set, then the renew-till field in the ticket contains the
+time after which the ticket may not be renewed.
+
+2.4. Postdated tickets
+
+Applications may occasionally need to obtain tickets for use much later,
+e.g. a batch submission system would need tickets to be valid at the time
+the batch job is serviced. However, it is dangerous to hold valid tickets in
+a batch queue, since they will be on-line longer and more prone to theft.
+Postdated tickets provide a way to obtain these tickets from the KDC at job
+submission time, but to leave them "dormant" until they are activated and
+validated by a further request of the KDC. If a ticket theft were reported
+in the interim, the KDC would refuse to validate the ticket, and the thief
+would be foiled.
+
+The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. This flag
+must be set in a ticket-granting ticket in order to issue a postdated ticket
+based on the presented ticket. It is reset by default; it may be requested
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+by a client by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message.
+This flag does not allow a client to obtain a postdated ticket-granting
+ticket; postdated ticket-granting tickets can only by obtained by requesting
+the postdating in the KRB_AS_REQ message. The life (endtime-starttime) of a
+postdated ticket will be the remaining life of the ticket-granting ticket at
+the time of the request, unless the RENEWABLE option is also set, in which
+case it can be the full life (endtime-starttime) of the ticket-granting
+ticket. The KDC may limit how far in the future a ticket may be postdated.
+
+The POSTDATED flag indicates that a ticket has been postdated. The
+application server can check the authtime field in the ticket to see when
+the original authentication occurred. Some services may choose to reject
+postdated tickets, or they may only accept them within a certain period
+after the original authentication. When the KDC issues a POSTDATED ticket,
+it will also be marked as INVALID, so that the application client must
+present the ticket to the KDC to be validated before use.
+
+2.5. Proxiable and proxy tickets
+
+At times it may be necessary for a principal to allow a service to perform
+an operation on its behalf. The service must be able to take on the identity
+of the client, but only for a particular purpose. A principal can allow a
+service to take on the principal's identity for a particular purpose by
+granting it a proxy.
+
+The process of granting a proxy using the proxy and proxiable flags is used
+to provide credentials for use with specific services. Though conceptually
+also a proxy, user's wishing to delegate their identity for ANY purpose must
+use the ticket forwarding mechanism described in the next section to forward
+a ticket granting ticket.
+
+The PROXIABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. When set,
+this flag tells the ticket-granting server that it is OK to issue a new
+ticket (but not a ticket-granting ticket) with a different network address
+based on this ticket. This flag is set if requested by the client on initial
+authentication. By default, the client will request that it be set when
+requesting a ticket granting ticket, and reset when requesting any other
+ticket.
+
+This flag allows a client to pass a proxy to a server to perform a remote
+request on its behalf, e.g. a print service client can give the print server
+a proxy to access the client's files on a particular file server in order to
+satisfy a print request.
+
+In order to complicate the use of stolen credentials, Kerberos tickets are
+usually valid from only those network addresses specifically included in the
+ticket[4]. When granting a proxy, the client must specify the new network
+address from which the proxy is to be used, or indicate that the proxy is to
+be issued for use from any address.
+
+The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
+Application servers may check this flag and at their option they may require
+additional authentication from the agent presenting the proxy in order to
+provide an audit trail.
+
+2.6. Forwardable tickets
+
+Authentication forwarding is an instance of a proxy where the service is
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+granted complete use of the client's identity. An example where it might be
+used is when a user logs in to a remote system and wants authentication to
+work from that system as if the login were local.
+
+The FORWARDABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. The
+FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
+flag, except ticket-granting tickets may also be issued with different
+network addresses. This flag is reset by default, but users may request that
+it be set by setting the FORWARDABLE option in the AS request when they
+request their initial ticket- granting ticket.
+
+This flag allows for authentication forwarding without requiring the user to
+enter a password again. If the flag is not set, then authentication
+forwarding is not permitted, but the same result can still be achieved if
+the user engages in the AS exchange specifying the requested network
+addresses and supplies a password.
+
+The FORWARDED flag is set by the TGS when a client presents a ticket with
+the FORWARDABLE flag set and requests a forwarded ticket by specifying the
+FORWARDED KDC option and supplying a set of addresses for the new ticket. It
+is also set in all tickets issued based on tickets with the FORWARDED flag
+set. Application servers may choose to process FORWARDED tickets differently
+than non-FORWARDED tickets.
+
+2.7. Other KDC options
+
+There are two additional options which may be set in a client's request of
+the KDC. The RENEWABLE-OK option indicates that the client will accept a
+renewable ticket if a ticket with the requested life cannot otherwise be
+provided. If a ticket with the requested life cannot be provided, then the
+KDC may issue a renewable ticket with a renew-till equal to the the
+requested endtime. The value of the renew-till field may still be adjusted
+by site-determined limits or limits imposed by the individual principal or
+server.
+
+The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
+It indicates that the ticket to be issued for the end server is to be
+encrypted in the session key from the a additional second ticket-granting
+ticket provided with the request. See section 3.3.3 for specific details.
+
+3. Message Exchanges
+
+The following sections describe the interactions between network clients and
+servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+The Authentication Service (AS) Exchange between the client and the Kerberos
+Authentication Server is initiated by a client when it wishes to obtain
+authentication credentials for a given server but currently holds no
+credentials. In its basic form, the client's secret key is used for
+encryption and decryption. This exchange is typically used at the initiation
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+of a login session to obtain credentials for a Ticket-Granting Server which
+will subsequently be used to obtain credentials for other servers (see
+section 3.3) without requiring further use of the client's secret key. This
+exchange is also used to request credentials for services which must not be
+mediated through the Ticket-Granting Service, but rather require a
+principal's secret key, such as the password-changing service[5]. This
+exchange does not by itself provide any assurance of the the identity of the
+user[6].
+
+The exchange consists of two messages: KRB_AS_REQ from the client to
+Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+In the request, the client sends (in cleartext) its own identity and the
+identity of the server for which it is requesting credentials. The response,
+KRB_AS_REP, contains a ticket for the client to present to the server, and a
+session key that will be shared by the client and the server. The session
+key and additional information are encrypted in the client's secret key. The
+KRB_AS_REP message contains information which can be used to detect replays,
+and to associate it with the message to which it replies. Various errors can
+occur; these are indicated by an error response (KRB_ERROR) instead of the
+KRB_AS_REP response. The error message is not encrypted. The KRB_ERROR
+message contains information which can be used to associate it with the
+message to which it replies. The lack of encryption in the KRB_ERROR message
+precludes the ability to detect replays, fabrications, or modifications of
+such messages.
+
+Without preautentication, the authentication server does not know whether
+the client is actually the principal named in the request. It simply sends a
+reply without knowing or caring whether they are the same. This is
+acceptable because nobody but the principal whose identity was given in the
+request will be able to use the reply. Its critical information is encrypted
+in that principal's key. The initial request supports an optional field that
+can be used to pass additional information that might be needed for the
+initial exchange. This field may be used for preauthentication as described
+in section [hl<>].
+
+3.1.1. Generation of KRB_AS_REQ message
+
+The client may specify a number of options in the initial request. Among
+these options are whether pre-authentication is to be performed; whether the
+requested ticket is to be renewable, proxiable, or forwardable; whether it
+should be postdated or allow postdating of derivative tickets; and whether a
+renewable ticket will be accepted in lieu of a non-renewable ticket if the
+requested ticket expiration date cannot be satisfied by a non-renewable
+ticket (due to configuration constraints; see section 4). See section A.1
+for pseudocode.
+
+The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+If all goes well, processing the KRB_AS_REQ message will result in the
+creation of a ticket for the client to present to the server. The format for
+the ticket is described in section 5.3.1. The contents of the ticket are
+determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+The authentication server looks up the client and server principals named in
+the KRB_AS_REQ in its database, extracting their respective keys. If
+required, the server pre-authenticates the request, and if the
+pre-authentication check fails, an error message with the code
+KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
+requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
+is returned. Otherwise it generates a 'random' session key[7].
+
+If there are multiple encryption keys registered for a client in the
+Kerberos database (or if the key registered supports multiple encryption
+types; e.g. DES-CBC-CRC and DES-CBC-MD5), then the etype field from the AS
+request is used by the KDC to select the encryption method to be used for
+encrypting the response to the client. If there is more than one supported,
+strong encryption type in the etype list, the first valid etype for which an
+encryption key is available is used. The encryption method used to respond
+to a TGS request is taken from the keytype of the session key found in the
+ticket granting ticket. [***I will change the example keytypes to be 3DES
+based examples 7/14***]
+
+When the etype field is present in a KDC request, whether an AS or TGS
+request, the KDC will attempt to assign the type of the random session key
+from the list of methods in the etype field. The KDC will select the
+appropriate type using the list of methods provided together with
+information from the Kerberos database indicating acceptable encryption
+methods for the application server. The KDC will not issue tickets with a
+weak session key encryption type.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified then the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise
+the requested start time is checked against the policy of the local realm
+(the administrator might decide to prohibit certain types or ranges of
+postdated tickets), and if acceptable, the ticket's start time is set as
+requested and the INVALID flag is set in the new ticket. The postdated
+ticket must be validated before use by presenting it to the KDC after the
+start time has been reached.
+
+The expiration time of the ticket will be set to the minimum of the
+following:
+
+   * The expiration time (endtime) requested in the KRB_AS_REQ message.
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the client principal (the authentication server's database
+     includes a maximum ticket lifetime field in each principal's record;
+     see section 4).
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the server principal.
+   * The ticket's start time plus the maximum lifetime set by the policy of
+     the local realm.
+
+If the requested expiration time minus the start time (as determined above)
+is less than a site-determined minimum lifetime, an error message with code
+KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
+ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
+option was requested, then the 'RENEWABLE' flag is set in the new ticket,
+and the renew-till value is set as if the 'RENEWABLE' option were requested
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+(the field and option names are described fully in section 5.4.1).
+
+If the RENEWABLE option has been requested or if the RENEWABLE-OK option has
+been set and a renewable ticket is to be issued, then the renew-till field
+is set to the minimum of:
+
+   * Its requested value.
+   * The start time of the ticket plus the minimum of the two maximum
+     renewable lifetimes associated with the principals' database entries.
+   * The start time of the ticket plus the maximum renewable lifetime set by
+     the policy of the local realm.
+
+The flags field of the new ticket will have the following options set if
+they have been requested and if the policy of the local realm allows:
+FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
+ticket is post-dated (the start time is in the future), its INVALID flag
+will also be set.
+
+If all of the above succeed, the server formats a KRB_AS_REP message (see
+section 5.4.2), copying the addresses in the request into the caddr of the
+response, placing any required pre-authentication data into the padata of
+the response, and encrypts the ciphertext part in the client's key using the
+requested encryption method, and sends it to the client. See section A.2 for
+pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+Several errors can occur, and the Authentication Server responds by
+returning an error message, KRB_ERROR, to the client, with the error-code
+and e-text fields set to appropriate values. The error message contents and
+details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+If the reply message type is KRB_AS_REP, then the client verifies that the
+cname and crealm fields in the cleartext portion of the reply match what it
+requested. If any padata fields are present, they may be used to derive the
+proper secret key to decrypt the message. The client decrypts the encrypted
+part of the response using its secret key, verifies that the nonce in the
+encrypted part matches the nonce it supplied in its request (to detect
+replays). It also verifies that the sname and srealm in the response match
+those in the request (or are otherwise expected values), and that the host
+address field is also correct. It then stores the ticket, session key, start
+and expiration times, and other information for later use. The
+key-expiration field from the encrypted part of the response may be checked
+to notify the user of impending key expiration (the client program could
+then suggest remedial action, such as a password change). See section A.3
+for pseudocode.
+
+Proper decryption of the KRB_AS_REP message is not sufficient to verify the
+identity of the user; the user and an attacker could cooperate to generate a
+KRB_AS_REP format message which decrypts properly but is not from the proper
+KDC. If the host wishes to verify the identity of the user, it must require
+the user to present application credentials which can be verified using a
+securely-stored secret key for the host. If those credentials can be
+verified, then the identity of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+If the reply message type is KRB_ERROR, then the client interprets it as an
+error and performs whatever application-specific tasks are necessary to
+recover.
+
+3.2. The Client/Server Authentication Exchange
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+The client/server authentication (CS) exchange is used by network
+applications to authenticate the client to the server and vice versa. The
+client must have already acquired credentials for the server using the AS or
+TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+The KRB_AP_REQ contains authentication information which should be part of
+the first message in an authenticated transaction. It contains a ticket, an
+authenticator, and some additional bookkeeping information (see section
+5.5.1 for the exact format). The ticket by itself is insufficient to
+authenticate a client, since tickets are passed across the network in
+cleartext[DS90], so the authenticator is used to prevent invalid replay of
+tickets by proving to the server that the client knows the session key of
+the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message is
+referred to elsewhere as the 'authentication header.'
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+When a client wishes to initiate authentication to a server, it obtains
+(either through a credentials cache, the AS exchange, or the TGS exchange) a
+ticket and session key for the desired service. The client may re-use any
+tickets it holds until they expire. To use a ticket the client constructs a
+new Authenticator from the the system time, its name, and optionally an
+application specific checksum, an initial sequence number to be used in
+KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
+negotiations for a session key unique to this particular session.
+Authenticators may not be re-used and will be rejected if replayed to a
+server[LGDSR87]. If a sequence number is to be included, it should be
+randomly chosen so that even after many messages have been exchanged it is
+not likely to collide with other sequence numbers in use.
+
+The client may indicate a requirement of mutual authentication or the use of
+a session-key based ticket by setting the appropriate flag(s) in the
+ap-options field of the message.
+
+The Authenticator is encrypted in the session key and combined with the
+ticket to form the KRB_AP_REQ message which is then sent to the end server
+along with any additional application-specific information. See section A.9
+for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+Authentication is based on the server's current time of day (clocks must be
+loosely synchronized), the authenticator, and the ticket. Several errors are
+possible. If an error occurs, the server is expected to reply to the client
+with a KRB_ERROR message. This message may be encapsulated in the
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+application protocol if its 'raw' form is not acceptable to the protocol.
+The format of error messages is described in section 5.9.1.
+
+The algorithm for verifying authentication information is as follows. If the
+message type is not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE
+error. If the key version indicated by the Ticket in the KRB_AP_REQ is not
+one the server can use (e.g., it indicates an old key, and the server no
+longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is
+returned. If the USE-SESSION-KEY flag is set in the ap-options field, it
+indicates to the server that the ticket is encrypted in the session key from
+the server's ticket-granting ticket rather than its secret key[10]. Since it
+is possible for the server to be registered in multiple realms, with
+different keys in each, the srealm field in the unencrypted portion of the
+ticket in the KRB_AP_REQ is used to specify which secret key the server
+should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is
+returned if the server doesn't have the proper key to decipher the ticket.
+
+The ticket is decrypted using the version of the server's key specified by
+the ticket. If the decryption routines detect a modification of the ticket
+(each encryption system must provide safeguards to detect modified
+ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
+(chances are good that different keys were used to encrypt and decrypt).
+
+The authenticator is decrypted using the session key extracted from the
+decrypted ticket. If decryption shows it to have been modified, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the client
+from the ticket are compared against the same fields in the authenticator.
+If they don't match, the KRB_AP_ERR_BADMATCH error is returned (they might
+not match, for example, if the wrong session key was used to encrypt the
+authenticator). The addresses in the ticket (if any) are then searched for
+an address matching the operating-system reported address of the client. If
+no match is found or the server insists on ticket addresses but none are
+present in the ticket, the KRB_AP_ERR_BADADDR error is returned.
+
+If the local (server) time and the client time in the authenticator differ
+by more than the allowable clock skew (e.g., 5 minutes), the KRB_AP_ERR_SKEW
+error is returned. If the server name, along with the client name, time and
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The server must
+remember any authenticator presented within the allowable clock skew, so
+that a replay attempt is guaranteed to fail. If a server loses track of any
+authenticator presented within the allowable clock skew, it must reject all
+requests until the clock skew interval has passed. This assures that any
+lost or re-played authenticators will fall outside the allowable clock skew
+and can no longer be successfully replayed (If this is not done, an attacker
+could conceivably record the ticket and authenticator sent over the network
+to a server, then disable the client's host, pose as the disabled host, and
+replay the ticket and authenticator to subvert the authentication.). If a
+sequence number is provided in the authenticator, the server saves it for
+later use in processing KRB_SAFE and/or KRB_PRIV messages. If a subkey is
+present, the server either saves it for later use or uses it to help
+generate its own choice for a subkey to be returned in a KRB_AP_REP message.
+
+The server computes the age of the ticket: local (server) time minus the
+start time inside the Ticket. If the start time is later than the current
+time by more than the allowable clock skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
+current time is later than end time by more than the allowable clock skew,
+the KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+If all these checks succeed without an error, the server is assured that the
+client possesses the credentials of the principal named in the ticket and
+thus, the client has been authenticated to the server. See section A.10 for
+pseudocode.
+
+Passing these checks provides only authentication of the named principal; it
+does not imply authorization to use the named service. Applications must
+make a separate authorization decisions based upon the authenticated name of
+the user, the requested operation, local acces control information such as
+that contained in a .k5login or .k5users file, and possibly a separate
+distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+Typically, a client's request will include both the authentication
+information and its initial request in the same message, and the server need
+not explicitly reply to the KRB_AP_REQ. However, if mutual authentication
+(not only authenticating the client to the server, but also the server to
+the client) is being performed, the KRB_AP_REQ message will have
+MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message is
+required in response. As with the error message, this message may be
+encapsulated in the application protocol if its "raw" form is not acceptable
+to the application's protocol. The timestamp and microsecond field used in
+the reply must be the client's timestamp and microsecond field (as provided
+in the authenticator)[12]. If a sequence number is to be included, it should
+be randomly chosen as described above for the authenticator. A subkey may be
+included if the server desires to negotiate a different subkey. The
+KRB_AP_REP message is encrypted in the session key extracted from the
+ticket. See section A.11 for pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+If a KRB_AP_REP message is returned, the client uses the session key from
+the credentials obtained for the server[13] to decrypt the message, and
+verifies that the timestamp and microsecond fields match those in the
+Authenticator it sent to the server. If they match, then the client is
+assured that the server is genuine. The sequence number and subkey (if
+present) are retained for later use. See section A.12 for pseudocode.
+
+3.2.6. Using the encryption key
+
+After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server
+share an encryption key which can be used by the application. The 'true
+session key' to be used for KRB_PRIV, KRB_SAFE, or other
+application-specific uses may be chosen by the application based on the
+subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
+the use of this session key will be implicit in the protocol; in others the
+method of use must be chosen from several alternatives. We leave the
+protocol negotiations of how to use the key (e.g. selecting an encryption or
+checksum type) to the application programmer; the Kerberos protocol does not
+constrain the implementation options, but an example of how this might be
+done follows.
+
+One way that an application may choose to negotiate a key to be used for
+subequent integrity and privacy protection is for the client to propose a
+key in the subkey field of the authenticator. The server can then choose a
+key using the proposed key from the client as input, returning the new
+subkey in the subkey field of the application reply. This key could then be
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+used for subsequent communication. To make this example more concrete, if
+the encryption method in use required a 56 bit key, and for whatever reason,
+one of the parties was prevented from using a key with more than 40 unknown
+bits, this method would allow the the party which is prevented from using
+more than 40 bits to either propose (if the client) an initial key with a
+known quantity for 16 of those bits, or to mask 16 of the bits (if the
+server) with the known quantity. The application implementor is warned,
+however, that this is only an example, and that an analysis of the
+particular crytosystem to be used, and the reasons for limiting the key
+length, must be made before deciding whether it is acceptable to mask bits
+of the key.
+
+With both the one-way and mutual authentication exchanges, the peers should
+take care not to send sensitive information to each other without proper
+assurances. In particular, applications that require privacy or integrity
+should use the KRB_AP_REP response from the server to client to assure both
+client and server of their peer's identity. If an application protocol
+requires privacy of its messages, it can use the KRB_PRIV message (section
+3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+The TGS exchange between a client and the Kerberos Ticket-Granting Server is
+initiated by a client when it wishes to obtain authentication credentials
+for a given server (which might be registered in a remote realm), when it
+wishes to renew or validate an existing ticket, or when it wishes to obtain
+a proxy ticket. In the first case, the client must already have acquired a
+ticket for the Ticket-Granting Service using the AS exchange (the
+ticket-granting ticket is usually obtained when a client initially
+authenticates to the system, such as when a user logs in). The message
+format for the TGS exchange is almost identical to that for the AS exchange.
+The primary difference is that encryption and decryption in the TGS exchange
+does not take place under the client's key. Instead, the session key from
+the ticket-granting ticket or renewable ticket, or sub-session key from an
+Authenticator is used. As is the case for all application servers, expired
+tickets are not accepted by the TGS, so once a renewable or ticket-granting
+ticket expires, the client must use a separate exchange to obtain valid
+tickets.
+
+The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
+client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
+KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
+client plus a request for credentials. The authentication information
+consists of the authentication header (KRB_AP_REQ) which includes the
+client's previously obtained ticket-granting, renewable, or invalid ticket.
+In the ticket-granting ticket and proxy cases, the request may include one
+or more of: a list of network addresses, a collection of typed authorization
+data to be sealed in the ticket for authorization use by the application
+server, or additional tickets (the use of which are described later). The
+TGS reply (KRB_TGS_REP) contains the requested credentials, encrypted in the
+session key from the ticket-granting ticket or renewable ticket, or if
+present, in the sub-session key from the Authenticator (part of the
+authentication header). The KRB_ERROR message contains an error code and
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+text explaining what went wrong. The KRB_ERROR message is not encrypted. The
+KRB_TGS_REP message contains information which can be used to detect
+replays, and to associate it with the message to which it replies. The
+KRB_ERROR message also contains information which can be used to associate
+it with the message to which it replies, but the lack of encryption in the
+KRB_ERROR message precludes the ability to detect replays or fabrications of
+such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+Before sending a request to the ticket-granting service, the client must
+determine in which realm the application server is registered[15]. If the
+client does not already possess a ticket-granting ticket for the appropriate
+realm, then one must be obtained. This is first attempted by requesting a
+ticket-granting ticket for the destination realm from a Kerberos server for
+which the client does posess a ticket-granting ticket (using the KRB_TGS_REQ
+message recursively). The Kerberos server may return a TGT for the desired
+realm in which case one can proceed. Alternatively, the Kerberos server may
+return a TGT for a realm which is 'closer' to the desired realm (further
+along the standard hierarchical path), in which case this step must be
+repeated with a Kerberos server in the realm specified in the returned TGT.
+If neither are returned, then the request must be retried with a Kerberos
+server for a realm higher in the hierarchy. This request will itself require
+a ticket-granting ticket for the higher realm which must be obtained by
+recursively applying these directions.
+
+Once the client obtains a ticket-granting ticket for the appropriate realm,
+it determines which Kerberos servers serve that realm, and contacts one. The
+list might be obtained through a configuration file or network service or it
+may be generated from the name of the realm; as long as the secret keys
+exchanged by realms are kept secret, only denial of service results from
+using a false Kerberos server.
+
+As in the AS exchange, the client may specify a number of options in the
+KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
+an authentication header as an element of the padata field, and including
+the same fields as used in the KRB_AS_REQ message along with several
+optional fields: the enc-authorization-data field for application server use
+and additional tickets required by some options.
+
+In preparing the authentication header, the client can select a sub-session
+key under which the response from the Kerberos server will be encrypted[16].
+If the sub-session key is not specified, the session key from the
+ticket-granting ticket will be used. If the enc-authorization-data is
+present, it must be encrypted in the sub-session key, if present, from the
+authenticator portion of the authentication header, or if not present, using
+the session key from the ticket-granting ticket.
+
+Once prepared, the message is sent to a Kerberos server for the destination
+realm. See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
+message, but there are many additional checks to be performed. First, the
+Kerberos server must determine which server the accompanying ticket is for
+and it must select the appropriate key to decrypt it. For a normal
+KRB_TGS_REQ message, it will be for the ticket granting service, and the
+TGS's key will be used. If the TGT was issued by another realm, then the
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+appropriate inter-realm key must be used. If the accompanying ticket is not
+a ticket granting ticket for the current realm, but is for an application
+server in the current realm, the RENEW, VALIDATE, or PROXY options are
+specified in the request, and the server for which a ticket is requested is
+the server named in the accompanying ticket, then the KDC will decrypt the
+ticket in the authentication header using the key of the server for which it
+was issued. If no ticket can be found in the padata field, the
+KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+Once the accompanying ticket has been decrypted, the user-supplied checksum
+in the Authenticator must be verified against the contents of the request,
+and the message rejected if the checksums do not match (with an error code
+of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
+collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
+checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
+returned. If the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+If any of the decryptions indicate failed integrity checks, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+3.3.3. Generation of KRB_TGS_REP message
+
+The KRB_TGS_REP message shares its format with the KRB_AS_REP (KRB_KDC_REP),
+but with its type field set to KRB_TGS_REP. The detailed specification is in
+section 5.4.2.
+
+The response will include a ticket for the requested server. The Kerberos
+database is queried to retrieve the record for the requested server
+(including the key with which the ticket will be encrypted). If the request
+is for a ticket granting ticket for a remote realm, and if no key is shared
+with the requested realm, then the Kerberos server will select the realm
+"closest" to the requested realm with which it does share a key, and use
+that realm instead. This is the only case where the response from the KDC
+will be for a different server than that requested by the client.
+
+By default, the address field, the client's name and realm, the list of
+transited realms, the time of initial authentication, the expiration time,
+and the authorization data of the newly-issued ticket will be copied from
+the ticket-granting ticket (TGT) or renewable ticket. If the transited field
+needs to be updated, but the transited type is not supported, the
+KDC_ERR_TRTYPE_NOSUPP error is returned.
+
+If the request specifies an endtime, then the endtime of the new ticket is
+set to the minimum of (a) that request, (b) the endtime from the TGT, and
+(c) the starttime of the TGT plus the minimum of the maximum life for the
+application server and the maximum life for the local realm (the maximum
+life for the requesting principal was already applied when the TGT was
+issued). If the new ticket is to be a renewal, then the endtime above is
+replaced by the minimum of (a) the value of the renew_till field of the
+ticket and (b) the starttime for the new ticket plus the life
+(endtime-starttime) of the old ticket.
+
+If the FORWARDED option has been requested, then the resulting ticket will
+contain the addresses specified by the client. This option will only be
+honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
+similar; the resulting ticket will contain the addresses specified by the
+client. It will be honored only if the PROXIABLE flag in the TGT is set. The
+PROXY option will not be honored on requests for additional ticket-granting
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+tickets.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified or the MAY-POSTDATE flag is not set in the TGT, then the
+error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-granting
+ticket has the MAY-POSTDATE flag set, then the resulting ticket will be
+postdated and the requested starttime is checked against the policy of the
+local realm. If acceptable, the ticket's start time is set as requested, and
+the INVALID flag is set. The postdated ticket must be validated before use
+by presenting it to the KDC after the starttime has been reached. However,
+in no case may the starttime, endtime, or renew-till time of a newly-issued
+postdated ticket extend beyond the renew-till time of the ticket-granting
+ticket.
+
+If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+has been included in the request, the KDC will decrypt the additional ticket
+using the key for the server to which the additional ticket was issued and
+verify that it is a ticket-granting ticket. If the name of the requested
+server is missing from the request, the name of the client in the additional
+ticket will be used. Otherwise the name of the requested server will be
+compared to the name of the client in the additional ticket and if
+different, the request will be rejected. If the request succeeds, the
+session key from the additional ticket will be used to encrypt the new
+ticket that is issued instead of using the key of the server for which the
+new ticket will be used[17].
+
+If the name of the server in the ticket that is presented to the KDC as part
+of the authentication header is not that of the ticket-granting server
+itself, the server is registered in the realm of the KDC, and the RENEW
+option is requested, then the KDC will verify that the RENEWABLE flag is set
+in the ticket, that the INVALID flag is not set in the ticket, and that the
+renew_till time is still in the future. If the VALIDATE option is rqeuested,
+the KDC will check that the starttime has passed and the INVALID flag is
+set. If the PROXY option is requested, then the KDC will check that the
+PROXIABLE flag is set in the ticket. If the tests succeed, and the ticket
+passes the hotlist check described in the next paragraph, the KDC will issue
+the appropriate new ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+Whenever a request is made to the ticket-granting server, the presented
+ticket(s) is(are) checked against a hot-list of tickets which have been
+canceled. This hot-list might be implemented by storing a range of issue
+timestamps for 'suspect tickets'; if a presented ticket had an authtime in
+that range, it would be rejected. In this way, a stolen ticket-granting
+ticket or renewable ticket cannot be used to gain additional tickets
+(renewals or otherwise) once the theft has been reported. Any normal ticket
+obtained before it was reported stolen will still be valid (because they
+require no interaction with the KDC), but only until their normal expiration
+time.
+
+The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+in the sub-session key from the Authenticator, if present, or the session
+key key from the ticket-granting ticket. It is not encrypted using the
+client's secret key. Furthermore, the client's key's expiration date and the
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+key version number fields are left out since these values are stored along
+with the client's database record, and that record is not needed to satisfy
+a request based on a ticket-granting ticket. See section A.6 for pseudocode.
+
+3.3.3.2. Encoding the transited field
+
+If the identity of the server in the TGT that is presented to the KDC as
+part of the authentication header is that of the ticket-granting service,
+but the TGT was issued from another realm, the KDC will look up the
+inter-realm key shared with that realm and use that key to decrypt the
+ticket. If the ticket is valid, then the KDC will honor the request, subject
+to the constraints outlined above in the section describing the AS exchange.
+The realm part of the client's identity will be taken from the
+ticket-granting ticket. The name of the realm that issued the
+ticket-granting ticket will be added to the transited field of the ticket to
+be issued. This is accomplished by reading the transited field from the
+ticket-granting ticket (which is treated as an unordered set of realm
+names), adding the new realm to the set, then constructing and writing out
+its encoded (shorthand) form (this may involve a rearrangement of the
+existing encoding).
+
+Note that the ticket-granting service does not add the name of its own
+realm. Instead, its responsibility is to add the name of the previous realm.
+This prevents a malicious Kerberos server from intentionally leaving out its
+own name (it could, however, omit other realms' names).
+
+The names of neither the local realm nor the principal's realm are to be
+included in the transited field. They appear elsewhere in the ticket and
+both are known to have taken part in authenticating the principal. Since the
+endpoints are not included, both local and single-hop inter-realm
+authentication result in a transited field that is empty.
+
+Because the name of each realm transited is added to this field, it might
+potentially be very long. To decrease the length of this field, its contents
+are encoded. The initially supported encoding is optimized for the normal
+case of inter-realm communication: a hierarchical arrangement of realms
+using either domain or X.500 style realm names. This encoding (called
+DOMAIN-X500-COMPRESS) is now described.
+
+Realm names in the transited field are separated by a ",". The ",", "\",
+trailing "."s, and leading spaces (" ") are special characters, and if they
+are part of a realm name, they must be quoted in the transited field by
+preced- ing them with a "\".
+
+A realm name ending with a "." is interpreted as being prepended to the
+previous realm. For example, we can encode traversal of EDU, MIT.EDU,
+ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that they
+would not be included in this field, and we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is interpreted as being appended to the
+previous realm[18]. If it is to stand by itself, then it should be preceded
+by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
+/COM/HP, /COM, and /COM/DEC as:
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+
+Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
+they would not be included in this field, and we would have:
+
+     "/COM,/HP"
+
+A null subfield preceding or following a "," indicates that all realms
+between the previous realm and the next realm have been traversed[19]. Thus,
+"," means that all realms along the path between the client and the server
+have been traversed. ",EDU, /COM," means that that all realms from the
+client's realm up to EDU (in a domain style hierarchy) have been traversed,
+and that everything from /COM down to the server's realm in an X.500 style
+has also been traversed. This could occur if the EDU realm in one hierarchy
+shares an inter-realm key directly with the /COM realm in another hierarchy.
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it is processed in the same
+manner as the KRB_AS_REP processing described above. The primary difference
+is that the ciphertext part of the response must be decrypted using the
+session key from the ticket-granting ticket rather than the client's secret
+key. See section A.7 for pseudocode.
+
+3.4. The KRB_SAFE Exchange
+
+The KRB_SAFE message may be used by clients requiring the ability to detect
+modifications of messages they exchange. It achieves this by including a
+keyed collision-proof checksum of the user data and some control
+information. The checksum is keyed with an encryption key (usually the last
+key negotiated via subkeys, or the session key if no negotiation has
+occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+When an application wishes to send a KRB_SAFE message, it collects its data
+and the appropriate control information and computes a checksum over them.
+The checksum algorithm should be a keyed one-way hash function (such as the
+RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES MAC),
+generated using the sub-session key if present, or the session key.
+Different algorithms may be selected by changing the checksum type in the
+message. Unkeyed or non-collision-proof checksums are not suitable for this
+use.
+
+The control information for the KRB_SAFE message includes both a timestamp
+and a sequence number. The designer of an application using the KRB_SAFE
+message must choose at least one of the two mechanisms. This choice should
+be based on the needs of the application protocol.
+
+Sequence numbers are useful when all messages sent will be received by one's
+peer. Connection state is presently required to maintain the session key, so
+maintaining the next sequence number should not present an additional
+problem.
+
+If the application protocol is expected to tolerate lost messages without
+them being resent, the use of the timestamp is the appropriate replay
+detection mechanism. Using timestamps is also the appropriate mechanism for
+multi-cast protocols where all of one's peers share a common sub-session
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+key, but some messages will be sent to a subset of one's peers.
+
+After computing the checksum, the client then transmits the information and
+checksum to the recipient in the message format specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_SAFE, respectively. A mismatch
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application verifies that the checksum used is a collision-proof keyed
+checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If
+the sender's address was included in the control information, the recipient
+verifies that the operating system's report of the sender's address matches
+the sender's address in the message, and (if a recipient address is
+specified or the recipient requires an address) that one of the recipient's
+addresses appears as the recipient's address in the message. A failed match
+for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
+usec and/or the sequence number fields are checked. If timestamp and usec
+are expected and not present, or they are present but not current, the
+KRB_AP_ERR_SKEW error is generated. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT
+error is generated. If an incorrect sequence number is included, or a
+sequence number is expected but not present, the KRB_AP_ERR_BADORDER error
+is generated. If neither a time-stamp and usec or a sequence number is
+present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is
+computed over the data and control information, and if it doesn't match the
+received checksum, a KRB_AP_ERR_MODIFIED error is generated.
+
+If all the checks succeed, the application is assured that the message was
+generated by its peer and was not modi- fied in transit.
+
+3.5. The KRB_PRIV Exchange
+
+The KRB_PRIV message may be used by clients requiring confidentiality and
+the ability to detect modifications of exchanged messages. It achieves this
+by encrypting the messages and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+When an application wishes to send a KRB_PRIV message, it collects its data
+and the appropriate control information (specified in section 5.7.1) and
+encrypts them under an encryption key (usually the last key negotiated via
+subkeys, or the session key if no negotiation has occured). As part of the
+control information, the client must choose to use either a timestamp or a
+sequence number (or both); see the discussion in section 3.4.1 for
+guidelines on which to use. After the user data and control information are
+encrypted, the client transmits the ciphertext and some 'envelope'
+information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+The message is first checked by verifying that the protocol version and type
+fields match the current version and KRB_PRIV, respectively. A mismatch
+generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The
+application then decrypts the ciphertext and processes the resultant
+plaintext. If decryption shows the data to have been modified, a
+KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was
+included in the control information, the recipient verifies that the
+operating system's report of the sender's address matches the sender's
+address in the message, and (if a recipient address is specified or the
+recipient requires an address) that one of the recipient's addresses appears
+as the recipient's address in the message. A failed match for either case
+generates a KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the
+sequence number fields are checked. If timestamp and usec are expected and
+not present, or they are present but not current, the KRB_AP_ERR_SKEW error
+is generated. If the server name, along with the client name, time and
+microsecond fields from the Authenticator match any recently-seen such
+tuples, the KRB_AP_ERR_REPEAT error is generated. If an incorrect sequence
+number is included, or a sequence number is expected but not present, the
+KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp and usec or
+a sequence number is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+If all the checks succeed, the application can assume the message was
+generated by its peer, and was securely transmitted (without intruders able
+to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+The KRB_CRED message may be used by clients requiring the ability to send
+Kerberos credentials from one host to another. It achieves this by sending
+the tickets together with encrypted data containing the session keys and
+other information associated with the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+When an application wishes to send a KRB_CRED message it first (using the
+KRB_TGS exchange) obtains credentials to be sent to the remote host. It then
+constructs a KRB_CRED message using the ticket or tickets so obtained,
+placing the session key needed to use each ticket in the key field of the
+corresponding KrbCredInfo sequence of the encrypted part of the the KRB_CRED
+message.
+
+Other information associated with each ticket and obtained during the
+KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence in
+the encrypted part of the KRB_CRED message. The current time and, if
+specifically required by the application the nonce, s-address, and r-address
+fields, are placed in the encrypted part of the KRB_CRED message which is
+then encrypted under an encryption key previosuly exchanged in the KRB_AP
+exchange (usually the last key negotiated via subkeys, or the session key if
+no negotiation has occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies it. If any
+error occurs, an error code is reported for use by the application. The
+message is verified by checking that the protocol version and type fields
+match the current version and KRB_CRED, respectively. A mismatch generates a
+KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
+decrypts the ciphertext and processes the resultant plaintext. If decryption
+shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+generated.
+
+If present or required, the recipient verifies that the operating system's
+report of the sender's address matches the sender's address in the message,
+and that one of the recipient's addresses appears as the recipient's address
+in the message. A failed match for either case generates a
+KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce field
+if required) are checked next. If the timestamp and usec are not present, or
+they are present but not current, the KRB_AP_ERR_SKEW error is generated.
+
+If all the checks succeed, the application stores each of the new tickets in
+its ticket cache together with the session key and other information in the
+corresponding KrbCredInfo sequence from the encrypted part of the KRB_CRED
+message.
+
+4. The Kerberos Database
+
+The Kerberos server must have access to a database containing the principal
+identifiers and secret keys of principals to be authenticated[21].
+
+4.1. Database contents
+
+A database entry should contain at least the following fields:
+
+Field                Value
+
+name                 Principal's identifier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier. The key field
+contains an encryption key. This key is the principal's secret key. (The key
+can be encrypted before storage under a Kerberos "master key" to protect it
+in case the database is compromised but the master key is not. In that case,
+an extra field must be added to indicate the master key version used, see
+below.) The p_kvno field is the key version number of the principal's secret
+key. The max_life field contains the maximum allowable lifetime (endtime -
+starttime) for any Ticket issued for this principal. The max_renewable_life
+field contains the maximum allowable total lifetime for any renewable Ticket
+issued for this principal. (See section 3.1 for a description of how these
+lifetimes are used in determining the lifetime of a given Ticket.)
+
+A server may provide KDC service to several realms, as long as the database
+representation provides a mechanism to distinguish between principal records
+with identifiers which differ only in the realm name.
+
+When an application server's key changes, if the change is routine (i.e. not
+the result of disclosure of the old key), the old key should be retained by
+the server until all tickets that had been issued using that key have
+expired. Because of this, it is possible for several keys to be active for a
+single principal. Ciphertext encrypted in a principal's key is always tagged
+with the version of the key that was used for encryption, to help the
+recipient find the proper key for decryption.
+
+When more than one key is active for a particular principal, the principal
+will have more than one record in the Kerberos database. The keys and key
+version numbers will differ between the records (the rest of the fields may
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+or may not be the same). Whenever Kerberos issues a ticket, or responds to a
+request for initial authentication, the most recent key (known by the
+Kerberos server) will be used for encryption. This is the key with the
+highest key version number.
+
+4.2. Additional fields
+
+Project Athena's KDC implementation uses additional fields in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+mod_name     Modifying principal's identifier
+
+The K_kvno field indicates the key version of the Kerberos master key under
+which the principal's secret key is encrypted.
+
+After an entry's expiration date has passed, the KDC will return an error to
+any client attempting to gain tickets as or for the principal. (A database
+may want to maintain two expiration dates: one for the principal, and one
+for the principal's current key. This allows password aging to work
+independently of the principal's expiration date. However, due to the
+limited space in the responses, the KDC must combine the key expiration and
+principal expiration date into a single value called 'key_exp', which is
+used as a hint to the user to take administrative action.)
+
+The attributes field is a bitfield used to govern the operations involving
+the principal. This field might be useful in conjunction with user
+registration procedures, for site-specific policy implementations (Project
+Athena currently uses it for their user registration process controlled by
+the system-wide database service, Moira [LGDSR87]), to identify whether a
+principal can play the role of a client or server or both, to note whether a
+server is appropriate trusted to recieve credentials delegated by a client,
+or to identify the 'string to key' conversion algorithm used for a
+principal's key[22]. Other bits are used to indicate that certain ticket
+options should not be allowed in tickets encrypted under a principal's key
+(one bit each): Disallow issuing postdated tickets, disallow issuing
+forwardable tickets, disallow issuing tickets based on TGT authentication,
+disallow issuing renewable tickets, disallow issuing proxiable tickets, and
+disallow issuing tickets for which the principal is the server.
+
+The mod_date field contains the time of last modification of the entry, and
+the mod_name field contains the name of the principal which last modified
+the entry.
+
+4.3. Frequently Changing Fields
+
+Some KDC implementations may wish to maintain the last time that a request
+was made by a particular principal. Information that might be maintained
+includes the time of the last request, the time of the last request for a
+ticket-granting ticket, the time of the last use of a ticket-granting
+ticket, or other times. This information can then be returned to the user in
+the last-req field (see section 5.2).
+
+Other frequently changing information that can be maintained is the latest
+expiration time for any tickets that have been issued using each key. This
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+field would be used to indicate how long old keys must remain valid to allow
+the continued use of outstanding tickets.
+
+4.4. Site Constants
+
+The KDC implementation should have the following configurable constants or
+options, to allow an administrator to make and enforce policy decisions:
+
+   * The minimum supported lifetime (used to determine whether the
+     KDC_ERR_NEVER_VALID error should be returned). This constant should
+     reflect reasonable expectations of round-trip time to the KDC,
+     encryption/decryption time, and processing time by the client and
+     target server, and it should allow for a minimum 'useful' lifetime.
+   * The maximum allowable total (renewable) lifetime of a ticket
+     (renew_till - starttime).
+   * The maximum allowable lifetime of a ticket (endtime - starttime).
+   * Whether to allow the issue of tickets with empty address fields
+     (including the ability to specify that such tickets may only be issued
+     if the request specifies some authorization_data).
+   * Whether proxiable, forwardable, renewable or post-datable tickets are
+     to be issued.
+
+5. Message Specifications
+
+The following sections describe the exact contents and encoding of protocol
+messages and objects. The ASN.1 base definitions are presented in the first
+subsection. The remaining subsections specify the protocol objects (tickets
+and authenticators) and messages. Specification of encryption and checksum
+techniques, and the fields related to them, appear in section 6.
+
+Optional field in ASN.1 sequences
+
+For optional integer value and date fields in ASN.1 sequences where a
+default value has been specified, certain default values will not be allowed
+in the encoding because these values will always be represented through
+defaulting by the absence of the optional field. For example, one will not
+send a microsecond zero value because one must make sure that there is only
+one way to encode this value.
+
+Additional fields in ASN.1 sequences
+
+Implementations receiving Kerberos messages with additional fields present
+in ASN.1 sequences should carry the those fields through, unmodified, when
+the message is forwarded. Implementations should not drop such fields if the
+sequence is reencoded.
+
+5.1. ASN.1 Distinguished Encoding Representation
+
+All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+Representation of the data elements as described in the X.509 specification,
+section 8.7 [X509-88].
+
+5.3. ASN.1 Base Definitions
+
+The following ASN.1 base definitions are used in the rest of this section.
+Note that since the underscore character (_) is not permitted in ASN.1
+names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+Kerberos realms are encoded as GeneralStrings. Realms shall not contain a
+character with the code 0 (the ASCII NUL). Most realms will usually consist
+of several components separated by periods (.), in the style of Internet
+Domain Names, or separated by slashes (/) in the style of X.500 names.
+Acceptable forms for realm names are specified in section 7. A PrincipalName
+is a typed sequence of components consisting of the following sub-fields:
+
+name-type
+     This field specifies the type of name that follows. Pre-defined values
+     for this field are specified in section 7.2. The name-type should be
+     treated as a hint. Ignoring the name type, no two names can be the same
+     (i.e. at least one of the components, or the realm, must be different).
+     This constraint may be eliminated in the future.
+name-string
+     This field encodes a sequence of components that form a name, each
+     component encoded as a GeneralString. Taken together, a PrincipalName
+     and a Realm form a principal identifier. Most PrincipalNames will have
+     only a few components (typically one or two).
+
+KerberosTime ::=   GeneralizedTime
+                   -- Specifying UTC time zone (Z)
+
+The timestamps used in Kerberos are encoded as GeneralizedTimes. An encoding
+shall specify the UTC time zone (Z) and shall not include any fractional
+portions of the seconds. It further shall not include any separators.
+Example: The only valid format for UTC time 6 minutes, 27 seconds after 9 pm
+on 6 November 1985 is 19851106210627Z.
+
+HostAddress ::=     SEQUENCE  {
+                    addr-type[0]             INTEGER,
+                    address[1]               OCTET STRING
+}
+
+HostAddresses ::=   SEQUENCE OF HostAddress
+
+The host adddress encodings consists of two fields:
+
+addr-type
+     This field specifies the type of address that follows. Pre-defined
+     values for this field are specified in section 8.1.
+address
+     This field encodes a single address of type addr-type.
+
+The two forms differ slightly. HostAddress contains exactly one address;
+HostAddresses contains a sequence of possibly many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+ad-data
+     This field contains authorization data to be interpreted according to
+     the value of the corresponding ad-type field.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+ad-type
+     This field specifies the format for the ad-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+Each sequence of type and data is refered to as an authorization element.
+Elements may be application specific, however, there is a common set of
+recursive elements that should be understood by all implementations. These
+elements contain other elements embedded within them, and the interpretation
+of the encapsulating element determines which of the embedded elements must
+be interpreted, and which may be ignored. Definitions for these common
+elements may be found in Appendix B.
+
+TicketExtensions ::= SEQUENCE OF SEQUENCE {
+           te-type[0]       INTEGER,
+           te-data[1]       OCTET STRING
+}
+
+
+
+te-data
+     This field contains opaque data that must be caried with the ticket to
+     support extensions to the Kerberos protocol including but not limited
+     to some forms of inter-realm key exchange and plaintext authorization
+     data. See appendix C for some common uses of this field.
+te-type
+     This field specifies the format for the te-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved for
+     registered use.
+
+APOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- use-session-key(1),
+                  -- mutual-required(2)
+
+TicketFlags ::= BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- may-postdate(5),
+                  -- postdated(6),
+                  -- invalid(7),
+                  -- renewable(8),
+                  -- initial(9),
+                  -- pre-authent(10),
+                  -- hw-authent(11),
+                  -- transited-policy-checked(12),
+                  -- ok-as-delegate(13)
+
+KDCOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- allow-postdate(5),
+                  -- postdated(6),
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                  -- unused7(7),
+                  -- renewable(8),
+                  -- unused9(9),
+                  -- unused10(10),
+                  -- unused11(11),
+                  -- unused12(12),
+                  -- unused13(13),
+                  -- disable-transited-check(26),
+                  -- renewable-ok(27),
+                  -- enc-tkt-in-skey(28),
+                  -- renew(30),
+                  -- validate(31)
+
+ASN.1 Bit strings have a length and a value. When used in Kerberos for the
+APOptions, TicketFlags, and KDCOptions, the length of the bit string on
+generated values should be the smallest number of bits needed to include the
+highest order bit that is set (1), but in no case less than 32 bits. The
+ASN.1 representation of the bit strings uses unnamed bits, with the meaning
+of the individual bits defined by the comments in the specification above.
+Implementations should accept values of bit strings of any length and treat
+the value of flags corresponding to bits beyond the end of the bit string as
+if the bit were reset (0). Comparison of bit strings of different length
+should treat the smaller string as if it were padded with zeros beyond the
+high order bits to the length of the longer string[23].
+
+LastReq ::=   SEQUENCE OF SEQUENCE {
+               lr-type[0]               INTEGER,
+               lr-value[1]              KerberosTime
+}
+
+lr-type
+     This field indicates how the following lr-value field is to be
+     interpreted. Negative values indicate that the information pertains
+     only to the responding server. Non-negative values pertain to all
+     servers for the realm. If the lr-type field is zero (0), then no
+     information is conveyed by the lr-value subfield. If the absolute value
+     of the lr-type field is one (1), then the lr-value subfield is the time
+     of last initial request for a TGT. If it is two (2), then the lr-value
+     subfield is the time of last initial request. If it is three (3), then
+     the lr-value subfield is the time of issue for the newest
+     ticket-granting ticket used. If it is four (4), then the lr-value
+     subfield is the time of the last renewal. If it is five (5), then the
+     lr-value subfield is the time of last request (of any type). If it is
+     (6), then the lr-value subfield is the time when the password will
+     expire.
+lr-value
+     This field contains the time of the last request. the time must be
+     interpreted according to the contents of the accompanying lr-type
+     subfield.
+
+See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
+EncryptionKey, EncryptionType, and KeyType.
+
+5.3. Tickets and Authenticators
+
+This section describes the format and encryption parameters for tickets and
+authenticators. When a ticket or authenticator is included in a protocol
+message it is treated as an opaque object.
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+5.3.1. Tickets
+
+A ticket is a record that helps a client authenticate to a service. A Ticket
+contains the following information:
+
+Ticket ::=        [APPLICATION 1] SEQUENCE {
+                  tkt-vno[0]                   INTEGER,
+                  realm[1]                     Realm,
+                  sname[2]                     PrincipalName,
+                  enc-part[3]                  EncryptedData,
+                  extensions[4]                TicketExtensions OPTIONAL
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared by Kerberos and
+the end server (the server's secret key). See section 6 for the format of
+the ciphertext.
+
+tkt-vno
+     This field specifies the version number for the ticket format. This
+     document describes version number 5.
+realm
+     This field specifies the realm that issued a ticket. It also serves to
+     identify the realm part of the server's principal identifier. Since a
+     Kerberos server can only issue tickets for servers within its realm,
+     the two will always be identical.
+sname
+     This field specifies all components of the name part of the server's
+     identity, including those parts that identify a specific instance of a
+     service.
+enc-part
+     This field holds the encrypted encoding of the EncTicketPart sequence.
+extensions
+     This optional field contains a sequence of extentions that may be used
+     to carry information that must be carried with the ticket to support
+     several extensions, including but not limited to plaintext
+     authorization data, tokens for exchanging inter-realm keys, and other
+     information that must be associated with a ticket for use by the
+     application server. See Appendix C for definitions of some common
+     extensions.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+     Note that some older versions of Kerberos did not support this field.
+     Because this is an optional field it will not break older clients, but
+     older clients might strip this field from the ticket before sending it
+     to the application server. This limits the usefulness of this ticket
+     field to environments where the ticket will not be parsed and
+     reconstructed by these older Kerberos clients.
+
+     If it is known that the client will strip this field from the ticket,
+     as an interim measure the KDC may append this field to the end of the
+     enc-part of the ticket and append a traler indicating the lenght of the
+     appended extensions field. (this paragraph is open for discussion,
+     including the form of the traler).
+flags
+     This field indicates which of various options were used or requested
+     when the ticket was issued. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). Bit 0 is the most
+     significant bit. The encoding of the bits is specified in section 5.2.
+     The flags are described in more detail above in section 2. The meanings
+     of the flags are:
+
+          Bit(s)      Name         Description
+
+          0           RESERVED
+                                   Reserved for future  expansion  of  this
+                                   field.
+
+          1           FORWARDABLE
+                                   The FORWARDABLE flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  When set,  this
+                                   flag  tells  the  ticket-granting server
+                                   that it is OK to  issue  a  new  ticket-
+                                   granting ticket with a different network
+                                   address based on the presented ticket.
+
+          2           FORWARDED
+                                   When set, this flag indicates  that  the
+                                   ticket  has either been forwarded or was
+                                   issued based on authentication involving
+                                   a forwarded ticket-granting ticket.
+
+          3           PROXIABLE
+                                   The  PROXIABLE  flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.   The  PROXIABLE
+                                   flag  has an interpretation identical to
+                                   that of  the  FORWARDABLE  flag,  except
+                                   that   the   PROXIABLE  flag  tells  the
+                                   ticket-granting server  that  only  non-
+                                   ticket-granting  tickets  may  be issued
+                                   with different network addresses.
+
+          4           PROXY
+                                   When set, this  flag  indicates  that  a
+                                   ticket is a proxy.
+
+          5           MAY-POSTDATE
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                   The MAY-POSTDATE flag is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  This flag tells
+                                   the  ticket-granting server that a post-
+                                   dated ticket may be issued based on this
+                                   ticket-granting ticket.
+
+          6           POSTDATED
+                                   This flag indicates that this ticket has
+                                   been  postdated.   The  end-service  can
+                                   check the authtime field to see when the
+                                   original authentication occurred.
+
+          7           INVALID
+                                   This flag indicates  that  a  ticket  is
+                                   invalid, and it must be validated by the
+                                   KDC  before  use.   Application  servers
+                                   must reject tickets which have this flag
+                                   set.
+
+          8           RENEWABLE
+                                   The  RENEWABLE  flag  is  normally  only
+                                   interpreted  by the TGS, and can usually
+                                   be ignored by end servers (some particu-
+                                   larly careful servers may wish to disal-
+                                   low  renewable  tickets).   A  renewable
+                                   ticket  can be used to obtain a replace-
+                                   ment ticket  that  expires  at  a  later
+                                   date.
+
+          9           INITIAL
+                                   This flag indicates that this ticket was
+                                   issued  using  the  AS protocol, and not
+                                   issued  based   on   a   ticket-granting
+                                   ticket.
+
+          10          PRE-AUTHENT
+                                   This flag indicates that during  initial
+                                   authentication, the client was authenti-
+                                   cated by the KDC  before  a  ticket  was
+                                   issued.    The   strength  of  the  pre-
+                                   authentication method is not  indicated,
+                                   but is acceptable to the KDC.
+
+          11          HW-AUTHENT
+                                   This flag indicates  that  the  protocol
+                                   employed   for   initial  authentication
+                                   required the use of hardware expected to
+                                   be possessed solely by the named client.
+                                   The hardware  authentication  method  is
+                                   selected  by the KDC and the strength of
+                                   the method is not indicated.
+
+          12           TRANSITED   This flag indicates that the KDC for the
+                  POLICY-CHECKED   realm has checked the transited field
+                                   against a realm defined policy for
+                                   trusted certifiers.  If this flag is
+                                   reset (0), then the application server
+                                   must check the transited field itself,
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                   and if unable to do so it must reject
+                                   the authentication.  If the flag is set
+                                   (1) then the application server may skip
+                                   its own validation of the transited
+                                   field, relying on the validation
+                                   performed by the KDC.  At its option the
+                                   application server may still apply its
+                                   own validation based on a separate
+                                   policy for acceptance.
+
+          13      OK-AS-DELEGATE   This flag indicates that the server (not
+                                   the client) specified in the ticket has
+                                   been determined by policy of the realm
+                                   to be a suitable recipient of
+                                   delegation.  A client can use the
+                                   presence of this flag to help it make a
+                                   decision whether to delegate credentials
+                                   (either grant a proxy or a forwarded
+                                   ticket granting ticket) to this server.
+                                   The client is free to ignore the value
+                                   of this flag.  When setting this flag,
+                                   an administrator should consider the
+                                   Security and placement of the server on
+                                   which the service will run, as well as
+                                   whether the service requires the use of
+                                   delegated credentials.
+
+          14          ANONYMOUS
+                                   This flag indicates that  the  principal
+                                   named in the ticket is a generic princi-
+                                   pal for the realm and does not  identify
+                                   the  individual  using  the ticket.  The
+                                   purpose  of  the  ticket  is   only   to
+                                   securely  distribute  a session key, and
+                                   not to identify  the  user.   Subsequent
+                                   requests  using the same ticket and ses-
+                                   sion may be  considered  as  originating
+                                   from  the  same  user, but requests with
+                                   the same username but a different ticket
+                                   are  likely  to originate from different
+                                   users.
+
+          15-31       RESERVED
+                                   Reserved for future use.
+
+key
+     This field exists in the ticket and the KDC response and is used to
+     pass the session key from Kerberos to the application server and the
+     client. The field's encoding is described in section 6.2.
+crealm
+     This field contains the name of the realm in which the client is
+     registered and in which initial authentication took place.
+cname
+     This field contains the name part of the client's principal identifier.
+transited
+     This field lists the names of the Kerberos realms that took part in
+     authenticating the user to whom this ticket was issued. It does not
+     specify the order in which the realms were transited. See section
+     3.3.3.2 for details on how this field encodes the traversed realms.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     When the names of CA's are to be embedded inthe transited field (as
+     specified for some extentions to the protocol), the X.500 names of the
+     CA's should be mapped into items in the transited field using the
+     mapping defined by RFC2253.
+authtime
+     This field indicates the time of initial authentication for the named
+     principal. It is the time of issue for the original ticket on which
+     this ticket is based. It is included in the ticket to provide
+     additional information to the end service, and to provide the necessary
+     information for implementation of a `hot list' service at the KDC. An
+     end service that is particularly paranoid could refuse to accept
+     tickets for which the initial authentication occurred "too far" in the
+     past. This field is also returned as part of the response from the KDC.
+     When returned as part of the response to initial authentication
+     (KRB_AS_REP), this is the current time on the Kerberos server[24].
+starttime
+     This field in the ticket specifies the time after which the ticket is
+     valid. Together with endtime, this field specifies the life of the
+     ticket. If it is absent from the ticket, its value should be treated as
+     that of the authtime field.
+endtime
+     This field contains the time after which the ticket will not be honored
+     (its expiration time). Note that individual services may place their
+     own limits on the life of a ticket and may reject tickets which have
+     not yet expired. As such, this is really an upper bound on the
+     expiration time for the ticket.
+renew-till
+     This field is only present in tickets that have the RENEWABLE flag set
+     in the flags field. It indicates the maximum endtime that may be
+     included in a renewal. It can be thought of as the absolute expiration
+     time for the ticket, including all renewals.
+caddr
+     This field in a ticket contains zero (if omitted) or more (if present)
+     host addresses. These are the addresses from which the ticket can be
+     used. If there are no addresses, the ticket can be used from any
+     location. The decision by the KDC to issue or by the end server to
+     accept zero-address tickets is a policy decision and is left to the
+     Kerberos and end-service administrators; they may refuse to issue or
+     accept such tickets. The suggested and default policy, however, is that
+     such tickets will only be issued or accepted when additional
+     information that can be used to restrict the use of the ticket is
+     included in the authorization_data field. Such a ticket is a
+     capability.
+
+     Network addresses are included in the ticket to make it harder for an
+     attacker to use stolen credentials. Because the session key is not sent
+     over the network in cleartext, credentials can't be stolen simply by
+     listening to the network; an attacker has to gain access to the session
+     key (perhaps through operating system security breaches or a careless
+     user's unattended session) to make use of stolen tickets.
+
+     It is important to note that the network address from which a
+     connection is received cannot be reliably determined. Even if it could
+     be, an attacker who has compromised the client's workstation could use
+     the credentials from there. Including the network addresses only makes
+     it more difficult, not impossible, for an attacker to walk off with
+     stolen credentials and then use them from a "safe" location.
+authorization-data
+     The authorization-data field is used to pass authorization data from
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     the principal on whose behalf a ticket was issued to the application
+     service. If no authorization data is included, this field will be left
+     out. Experience has shown that the name of this field is confusing, and
+     that a better name for this field would be restrictions. Unfortunately,
+     it is not possible to change the name of this field at this time.
+
+     This field contains restrictions on any authority obtained on the basis
+     of authentication using the ticket. It is possible for any principal in
+     posession of credentials to add entries to the authorization data field
+     since these entries further restrict what can be done with the ticket.
+     Such additions can be made by specifying the additional entries when a
+     new ticket is obtained during the TGS exchange, or they may be added
+     during chained delegation using the authorization data field of the
+     authenticator.
+
+     Because entries may be added to this field by the holder of
+     credentials, except when an entry is separately authenticated by
+     encapulation in the kdc-issued element, it is not allowable for the
+     presence of an entry in the authorization data field of a ticket to
+     amplify the priveleges one would obtain from using a ticket.
+
+     The data in this field may be specific to the end service; the field
+     will contain the names of service specific objects, and the rights to
+     those objects. The format for this field is described in section 5.2.
+     Although Kerberos is not concerned with the format of the contents of
+     the sub-fields, it does carry type information (ad-type).
+
+     By using the authorization_data field, a principal is able to issue a
+     proxy that is valid for a specific purpose. For example, a client
+     wishing to print a file can obtain a file server proxy to be passed to
+     the print server. By specifying the name of the file in the
+     authorization_data field, the file server knows that the print server
+     can only use the client's rights when accessing the particular file to
+     be printed.
+
+     A separate service providing authorization or certifying group
+     membership may be built using the authorization-data field. In this
+     case, the entity granting authorization (not the authorized entity),
+     may obtain a ticket in its own name (e.g. the ticket is issued in the
+     name of a privelege server), and this entity adds restrictions on its
+     own authority and delegates the restricted authority through a proxy to
+     the client. The client would then present this authorization credential
+     to the application server separately from the authentication exchange.
+     Alternatively, such authorization credentials may be embedded in the
+     ticket authenticating the authorized entity, when the authorization is
+     separately authenticated using the kdc-issued authorization data
+     element (see B.4).
+
+     Similarly, if one specifies the authorization-data field of a proxy and
+     leaves the host addresses blank, the resulting ticket and session key
+     can be treated as a capability. See [Neu93] for some suggested uses of
+     this field.
+
+     The authorization-data field is optional and does not have to be
+     included in a ticket.
+
+5.3.2. Authenticators
+
+An authenticator is a record sent with a ticket to a server to certify the
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+client's knowledge of the encryption key in the ticket, to help the server
+detect replays, and to help choose a "true session key" to use with the
+particular session. The encoding is encrypted in the ticket's session key
+shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+
+authenticator-vno
+     This field specifies the version number for the format of the
+     authenticator. This document specifies version 5.
+crealm and cname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+cksum
+     This field contains a checksum of the the applica- tion data that
+     accompanies the KRB_AP_REQ.
+cusec
+     This field contains the microsecond part of the client's timestamp. Its
+     value (before encryption) ranges from 0 to 999999. It often appears
+     along with ctime. The two fields are used together to specify a
+     reasonably accurate timestamp.
+ctime
+     This field contains the current time on the client's host.
+subkey
+     This field contains the client's choice for an encryption key which is
+     to be used to protect this specific application session. Unless an
+     application specifies otherwise, if this field is left out the session
+     key from the ticket will be used.
+seq-number
+     This optional field includes the initial sequence number to be used by
+     the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
+     detect replays (It may also be used by application specific messages).
+     When included in the authenticator this field specifies the initial
+     sequence number for messages from the client to the server. When
+     included in the AP-REP message, the initial sequence number is that for
+     messages from the server to the client. When used in KRB_PRIV or
+     KRB_SAFE messages, it is incremented by one after each message is sent.
+     Sequence numbers fall in the range of 0 through 2^32 - 1 and wrap to
+     zero following the value 2^32 - 1.
+
+     For sequence numbers to adequately support the detection of replays
+     they should be non-repeating, even across connection boundaries. The
+     initial sequence number should be random and uniformly distributed
+     across the full space of possible sequence numbers, so that it cannot
+     be guessed by an attacker and so that it and the successive sequence
+     numbers do not repeat other sequences.
+authorization-data
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     This field is the same as described for the ticket in section 5.3.1. It
+     is optional and will only appear when additional restrictions are to be
+     placed on the use of a ticket, beyond those carried in the ticket
+     itself.
+
+5.4. Specifications for the AS and TGS exchanges
+
+This section specifies the format of the messages used in the exchange
+between the client and the Kerberos server. The format of possible error
+messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
+KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an initial
+ticket or an additional ticket. In either case, the message is sent from the
+client to the Authentication Server to request credentials for a service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER,
+                                           -- EncryptionType,
+                                           -- in preference order
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+The fields in this message are:
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+pvno
+     This field is included in each message, and specifies the protocol
+     version number. This document specifies protocol version 5.
+msg-type
+     This field indicates the type of a protocol message. It will almost
+     always be the same as the application identifier associated with a
+     message. It is included to make the identifier more readily accessible
+     to the application. For the KDC-REQ message, this type will be
+     KRB_AS_REQ or KRB_TGS_REQ.
+padata
+     The padata (pre-authentication data) field contains a sequence of
+     authentication information which may be needed before credentials can
+     be issued or decrypted. In the case of requests for additional tickets
+     (KRB_TGS_REQ), this field will include an element with padata-type of
+     PA-TGS-REQ and data of an authentication header (ticket-granting ticket
+     and authenticator). The checksum in the authenticator (which must be
+     collision-proof) is to be computed over the KDC-REQ-BODY encoding. In
+     most requests for initial authentication (KRB_AS_REQ) and most replies
+     (KDC-REP), the padata field will be left out.
+
+     This field may also contain information needed by certain extensions to
+     the Kerberos protocol. For example, it might be used to initially
+     verify the identity of a client before any response is returned. This
+     is accomplished with a padata field with padata-type equal to
+     PA-ENC-TIMESTAMP and padata-value defined as follows:
+
+     padata-type     ::= PA-ENC-TIMESTAMP
+     padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+     PA-ENC-TS-ENC   ::= SEQUENCE {
+                     patimestamp[0]     KerberosTime, -- client's time
+                     pausec[1]          INTEGER OPTIONAL
+     }
+
+     with patimestamp containing the client's time and pausec containing the
+     microseconds which may be omitted if a client will not generate more
+     than one request per second. The ciphertext (padata-value) consists of
+     the PA-ENC-TS-ENC sequence, encrypted using the client's secret key.
+
+     [use-specified-kvno item is here for discussion and may be removed] It
+     may also be used by the client to specify the version of a key that is
+     being used for accompanying preauthentication, and/or which should be
+     used to encrypt the reply from the KDC.
+
+     PA-USE-SPECIFIED-KVNO  ::=  Integer
+
+     The KDC should only accept and abide by the value of the
+     use-specified-kvno preauthentication data field when the specified key
+     is still valid and until use of a new key is confirmed. This situation
+     is likely to occur primarily during the period during which an updated
+     key is propagating to other KDC's in a realm.
+
+     The padata field can also contain information needed to help the KDC or
+     the client select the key needed for generating or decrypting the
+     response. This form of the padata is useful for supporting the use of
+     certain token cards with Kerberos. The details of such extensions are
+     specified in separate documents. See [Pat92] for additional uses of
+     this field.
+padata-type
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     The padata-type element of the padata field indicates the way that the
+     padata-value element is to be interpreted. Negative values of
+     padata-type are reserved for unregistered use; non-negative values are
+     used for a registered interpretation of the element type.
+req-body
+     This field is a placeholder delimiting the extent of the remaining
+     fields. If a checksum is to be calculated over the request, it is
+     calculated over an encoding of the KDC-REQ-BODY sequence which is
+     enclosed within the req-body field.
+kdc-options
+     This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
+     KDC and indicates the flags that the client wants set on the tickets as
+     well as other information that is to modify the behavior of the KDC.
+     Where appropriate, the name of an option may be the same as the flag
+     that is set by that option. Although in most case, the bit in the
+     options field will be the same as that in the flags field, this is not
+     guaranteed, so it is not acceptable to simply copy the options field to
+     the flags field. There are various checks that must be made before
+     honoring an option anyway.
+
+     The kdc_options field is a bit-field, where the selected options are
+     indicated by the bit being set (1), and the unselected options and
+     reserved fields being reset (0). The encoding of the bits is specified
+     in section 5.2. The options are described in more detail above in
+     section 2. The meanings of the options are:
+
+        Bit(s)    Name                Description
+         0        RESERVED
+                                      Reserved for future  expansion  of  this
+                                      field.
+
+         1        FORWARDABLE
+                                      The FORWARDABLE  option  indicates  that
+                                      the  ticket  to be issued is to have its
+                                      forwardable flag set.  It  may  only  be
+                                      set on the initial request, or in a sub-
+                                      sequent request if  the  ticket-granting
+                                      ticket on which it is based is also for-
+                                      wardable.
+
+         2        FORWARDED
+                                      The FORWARDED option is  only  specified
+                                      in  a  request  to  the  ticket-granting
+                                      server and will only be honored  if  the
+                                      ticket-granting  ticket  in  the request
+                                      has  its  FORWARDABLE  bit  set.    This
+                                      option  indicates that this is a request
+                                      for forwarding.  The address(es) of  the
+                                      host  from which the resulting ticket is
+                                      to  be  valid  are   included   in   the
+                                      addresses field of the request.
+
+         3        PROXIABLE
+                                      The PROXIABLE option indicates that  the
+                                      ticket to be issued is to have its prox-
+                                      iable flag set.  It may only be  set  on
+                                      the  initial request, or in a subsequent
+                                      request if the ticket-granting ticket on
+                                      which it is based is also proxiable.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+         4        PROXY
+                                      The PROXY option indicates that this  is
+                                      a request for a proxy.  This option will
+                                      only be honored if  the  ticket-granting
+                                      ticket  in the request has its PROXIABLE
+                                      bit set.  The address(es)  of  the  host
+                                      from which the resulting ticket is to be
+                                       valid  are  included  in  the  addresses
+                                      field of the request.
+
+         5        ALLOW-POSTDATE
+                                      The ALLOW-POSTDATE option indicates that
+                                      the  ticket  to be issued is to have its
+                                      MAY-POSTDATE flag set.  It may  only  be
+                                      set on the initial request, or in a sub-
+                                      sequent request if  the  ticket-granting
+                                      ticket on which it is based also has its
+                                      MAY-POSTDATE flag set.
+
+         6        POSTDATED
+                                      The POSTDATED option indicates that this
+                                      is  a  request  for  a postdated ticket.
+                                      This option will only be honored if  the
+                                      ticket-granting  ticket  on  which it is
+                                      based has  its  MAY-POSTDATE  flag  set.
+                                      The  resulting ticket will also have its
+                                      INVALID flag set, and that flag  may  be
+                                      reset by a subsequent request to the KDC
+                                      after the starttime in  the  ticket  has
+                                      been reached.
+
+         7        UNUSED
+                                      This option is presently unused.
+
+         8        RENEWABLE
+                                      The RENEWABLE option indicates that  the
+                                      ticket  to  be  issued  is  to  have its
+                                      RENEWABLE flag set.  It may only be  set
+                                      on  the  initial  request,  or  when the
+                                      ticket-granting  ticket  on  which   the
+                                      request  is based is also renewable.  If
+                                      this option is requested, then the rtime
+                                      field   in   the  request  contains  the
+                                      desired absolute expiration time for the
+                                      ticket.
+
+         9-13     UNUSED
+                                      These options are presently unused.
+
+         14       REQUEST-ANONYMOUS
+                                      The REQUEST-ANONYMOUS  option  indicates
+                                      that  the  ticket to be issued is not to
+                                      identify  the  user  to  which  it   was
+                                      issued.  Instead, the principal identif-
+                                      ier is to be generic,  as  specified  by
+                                      the  policy  of  the realm (e.g. usually
+                                      anonymous@realm).  The  purpose  of  the
+                                      ticket  is only to securely distribute a
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                      session key, and  not  to  identify  the
+                                      user.   The ANONYMOUS flag on the ticket
+                                      to be returned should be  set.   If  the
+                                      local  realms  policy  does  not  permit
+                                      anonymous credentials, the request is to
+                                      be rejected.
+
+         15-25    RESERVED
+                                      Reserved for future use.
+
+         26       DISABLE-TRANSITED-CHECK
+                                      By default the KDC will check the
+                                      transited field of a ticket-granting-
+                                      ticket against the policy of the local
+                                      realm before it will issue derivative
+                                      tickets based on the ticket granting
+                                      ticket.  If this flag is set in the
+                                      request, checking of the transited field
+                                      is disabled.  Tickets issued without the
+                                      performance of this check will be noted
+                                      by the reset (0) value of the
+                                      TRANSITED-POLICY-CHECKED flag,
+                                      indicating to the application server
+                                      that the tranisted field must be checked
+                                      locally.  KDC's are encouraged but not
+                                      required to honor the
+                                      DISABLE-TRANSITED-CHECK option.
+
+         27       RENEWABLE-OK
+                                      The RENEWABLE-OK option indicates that a
+                                      renewable ticket will be acceptable if a
+                                      ticket with the  requested  life  cannot
+                                      otherwise be provided.  If a ticket with
+                                      the requested life cannot  be  provided,
+                                      then  a  renewable  ticket may be issued
+                                      with  a  renew-till  equal  to  the  the
+                                      requested  endtime.   The  value  of the
+                                      renew-till field may still be limited by
+                                      local  limits, or limits selected by the
+                                      individual principal or server.
+
+         28       ENC-TKT-IN-SKEY
+                                      This option is used only by the  ticket-
+                                      granting  service.   The ENC-TKT-IN-SKEY
+                                      option indicates that the ticket for the
+                                      end  server  is  to  be encrypted in the
+                                      session key from the additional  ticket-
+                                      granting ticket provided.
+
+         29       RESERVED
+                                      Reserved for future use.
+
+         30       RENEW
+                                      This option is used only by the  ticket-
+                                      granting   service.   The  RENEW  option
+                                      indicates that the  present  request  is
+                                      for  a  renewal.  The ticket provided is
+                                      encrypted in  the  secret  key  for  the
+                                      server  on  which  it  is  valid.   This
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                      option  will  only  be  honored  if  the
+                                      ticket  to  be renewed has its RENEWABLE
+                                      flag set and if the time in  its  renew-
+                                      till  field  has not passed.  The ticket
+                                      to be renewed is passed  in  the  padata
+                                      field  as  part  of  the  authentication
+                                      header.
+
+         31       VALIDATE
+                                      This option is used only by the  ticket-
+                                      granting  service.   The VALIDATE option
+                                      indicates that the request is  to  vali-
+                                      date  a  postdated ticket.  It will only
+                                      be honored if the  ticket  presented  is
+                                      postdated,  presently  has  its  INVALID
+                                      flag set, and would be otherwise  usable
+                                      at  this time.  A ticket cannot be vali-
+                                      dated before its starttime.  The  ticket
+                                      presented for validation is encrypted in
+                                      the key of the server for  which  it  is
+                                      valid  and is passed in the padata field
+                                      as part of the authentication header.
+
+cname and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
+     specified. If absent, the name of the server is taken from the name of
+     the client in the ticket passed as additional-tickets.
+enc-authorization-data
+     The enc-authorization-data, if present (and it can only be present in
+     the TGS_REQ form), is an encoding of the desired authorization-data
+     encrypted under the sub-session key if present in the Authenticator, or
+     alternatively from the session key in the ticket-granting ticket, both
+     from the padata field in the KRB_AP_REQ.
+realm
+     This field specifies the realm part of the server's principal
+     identifier. In the AS exchange, this is also the realm part of the
+     client's principal identifier.
+from
+     This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+     requests when the requested ticket is to be postdated. It specifies the
+     desired start time for the requested ticket. If this field is omitted
+     then the KDC should use the current time instead.
+till
+     This field contains the expiration date requested by the client in a
+     ticket request. It is optional and if omitted the requested ticket is
+     to have the maximum endtime permitted according to KDC policy for the
+     parties to the authentication exchange as limited by expiration date of
+     the ticket granting ticket or other preauthentication credentials.
+rtime
+     This field is the requested renew-till time sent from a client to the
+     KDC in a ticket request. It is optional.
+nonce
+     This field is part of the KDC request and response. It it intended to
+     hold a random number generated by the client. If the same number is
+     included in the encrypted response from the KDC, it provides evidence
+     that the response is fresh and has not been replayed by an attacker.
+     Nonces must never be re-used. Ideally, it should be generated randomly,
+     but if the correct time is known, it may suffice[25].
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+etype
+     This field specifies the desired encryption algorithm to be used in the
+     response.
+addresses
+     This field is included in the initial request for tickets, and
+     optionally included in requests for additional tickets from the
+     ticket-granting server. It specifies the addresses from which the
+     requested ticket is to be valid. Normally it includes the addresses for
+     the client's host. If a proxy is requested, this field will contain
+     other addresses. The contents of this field are usually copied by the
+     KDC into the caddr field of the resulting ticket.
+additional-tickets
+     Additional tickets may be optionally included in a request to the
+     ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+     specified, then the session key from the additional ticket will be used
+     in place of the server's key to encrypt the new ticket. If more than
+     one option which requires additional tickets has been specified, then
+     the additional tickets are used in the order specified by the ordering
+     of the options bits (see kdc-options, above).
+
+The application code will be either ten (10) or twelve (12) depending on
+whether the request is for an initial ticket (AS-REQ) or for an additional
+ticket (TGS-REQ).
+
+The optional fields (addresses, authorization-data and additional-tickets)
+are only included if necessary to perform the operation specified in the
+kdc-options field.
+
+It should be noted that in KRB_TGS_REQ, the protocol version number appears
+twice and two different message types appear: the KRB_TGS_REQ message
+contains these fields as does the authentication header (KRB_AP_REQ) that is
+passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+The KRB_KDC_REP message format is used for the reply from the KDC for either
+an initial (AS) request or a subsequent (TGS) request. There is no message
+type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP or
+KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
+depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
+the client's secret key, and the client's key version number is included in
+the key version number for the encrypted data. For KRB_TGS_REP, the
+ciphertext is encrypted in the sub-session key from the Authenticator, or if
+absent, the session key from the ticket-granting ticket used in the request.
+In that case, no version number will be present in the EncryptedData
+sequence.
+
+The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+              enc-part[6]                EncryptedData
+}
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is either
+     KRB_AS_REP or KRB_TGS_REP.
+padata
+     This field is described in detail in section 5.4.1. One possible use
+     for this field is to encode an alternate "mix-in" string to be used
+     with a string-to-key algorithm (such as is described in section 6.3.2).
+     This ability is useful to ease transitions if a realm name needs to
+     change (e.g. when a company is acquired); in such a case all existing
+     password-derived entries in the KDC database would be flagged as
+     needing a special mix-in string until the next password change.
+crealm, cname, srealm and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+ticket
+     The newly-issued ticket, from section 5.3.1.
+enc-part
+     This field is a place holder for the ciphertext and related information
+     that forms the encrypted part of a message. The description of the
+     encrypted part of the message follows each appearance of this field.
+     The encrypted part is encoded as described in section 6.1.
+key
+     This field is the same as described for the ticket in section 5.3.1.
+last-req
+     This field is returned by the KDC and specifies the time(s) of the last
+     request by a principal. Depending on what information is available,
+     this might be the last time that a request for a ticket-granting ticket
+     was made, or the last time that a request based on a ticket-granting
+     ticket was successful. It also might cover all servers for a realm, or
+     just the particular server. Some implementations may display this
+     information to the user to aid in discovering unauthorized use of one's
+     identity. It is similar in spirit to the last login time displayed when
+     logging into timesharing systems.
+nonce
+     This field is described above in section 5.4.1.
+key-expiration
+     The key-expiration field is part of the response from the KDC and
+     specifies the time that the client's secret key is due to expire. The
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     expiration might be the result of password aging or an account
+     expiration. This field will usually be left out of the TGS reply since
+     the response to the TGS request is encrypted in a session key and no
+     client information need be retrieved from the KDC database. It is up to
+     the application client (usually the login program) to take appropriate
+     action (such as notifying the user) if the expiration time is imminent.
+flags, authtime, starttime, endtime, renew-till and caddr
+     These fields are duplicates of those found in the encrypted portion of
+     the attached ticket (see section 5.3.1), provided so the client may
+     verify they match the intended request and to assist in proper ticket
+     caching. If the message is of type KRB_TGS_REP, the caddr field will
+     only be filled in if the request was for a proxy or forwarded ticket,
+     or if the user is substituting a subset of the addresses from the
+     ticket granting ticket. If the client-requested addresses are not
+     present or not used, then the addresses contained in the ticket will be
+     the same as those included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+This section specifies the format of the messages used for the
+authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+The KRB_AP_REQ message contains the Kerberos protocol version number, the
+message type KRB_AP_REQ, an options field to indicate any options in use,
+and the ticket and authenticator themselves. The KRB_AP_REQ message is often
+referred to as the 'authentication header'.
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REQ.
+ap-options
+     This field appears in the application request (KRB_AP_REQ) and affects
+     the way the request is processed. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). The encoding of the bits
+     is specified in section 5.2. The meanings of the options are:
+
+       Bit(s)   Name              Description
+
+       0        RESERVED
+                                  Reserved for future  expansion  of  this
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                  field.
+
+       1        USE-SESSION-KEY
+                                  The  USE-SESSION-KEY  option   indicates
+                                  that the ticket the client is presenting
+                                  to a server is encrypted in the  session
+                                  key  from  the  server's ticket-granting
+                                  ticket.  When this option is not  speci-
+                                  fied,  the  ticket  is  encrypted in the
+                                  server's secret key.
+
+       2        MUTUAL-REQUIRED
+                                  The  MUTUAL-REQUIRED  option  tells  the
+                                  server  that  the client requires mutual
+                                  authentication, and that it must respond
+                                  with a KRB_AP_REP message.
+
+       3-31     RESERVED
+                                  Reserved for future use.
+
+ticket
+     This field is a ticket authenticating the client to the server.
+authenticator
+     This contains the authenticator, which includes the client's choice of
+     a subkey. Its encoding is described in section 5.3.2.
+
+5.5.2. KRB_AP_REP definition
+
+The KRB_AP_REP message contains the Kerberos protocol version number, the
+message type, and an encrypted time- stamp. The message is sent in in
+response to an application request (KRB_AP_REQ) where the mutual
+authentication option has been selected in the ap-options field.
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+The encoded EncAPRepPart is encrypted in the shared session key of the
+ticket. The optional subkey field can be used in an application-arranged
+negotiation to choose a per association session key.
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REP.
+enc-part
+     This field is described above in section 5.4.2.
+ctime
+     This field contains the current time on the client's host.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+subkey
+     This field contains an encryption key which is to be used to protect
+     this specific application session. See section 3.2.6 for specifics on
+     how this field is used to negotiate a key. Unless an application
+     specifies otherwise, if this field is left out, the sub-session key
+     from the authenticator, or if also left out, the session key from the
+     ticket will be used.
+
+5.5.3. Error message reply
+
+If an error occurs while processing the application request, the KRB_ERROR
+message will be sent in response. See section 5.9.1 for the format of the
+error message. The cname and crealm fields may be left out if the server
+cannot determine their appropriate values from the corresponding KRB_AP_REQ
+message. If the authenticator was decipherable, the ctime and cusec fields
+will contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to send a tamper-proof message to
+its peer. It presumes that a session key has previously been exchanged (for
+example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+The KRB_SAFE message contains user data along with a collision-proof
+checksum keyed with the last encryption key negotiated via subkeys, or the
+session key if no negotiation has occured. The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_SAFE.
+safe-body
+     This field is a placeholder for the body of the KRB-SAFE message.
+cksum
+     This field contains the checksum of the application data. Checksum
+     details are described in section 6.4. The checksum is computed over the
+     encoding of the KRB-SAFE sequence. First, the cksum is zeroed and the
+     checksum is computed over the encoding of the KRB-SAFE sequence, then
+     the checksum is set to the result of that computation, and finally the
+     KRB-SAFE sequence is encoded again.
+user-data
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     This field is part of the KRB_SAFE and KRB_PRIV messages and contain
+     the application specific data that is being passed from the sender to
+     the recipient.
+timestamp
+     This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
+     are the current time as known by the sender of the message. By checking
+     the timestamp, the recipient of the message is able to make sure that
+     it was recently generated, and is not a replay.
+usec
+     This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
+     the microsecond part of the timestamp.
+seq-number
+     This field is described above in section 5.3.2.
+s-address
+     This field specifies the address in use by the sender of the message.
+     It may be omitted if not required by the application protocol. The
+     application designer considering omission of this field is warned, that
+     the inclusion of this address prevents some kinds of replay attacks
+     (e.g., reflection attacks) and that it is only acceptable to omit this
+     address if there is sufficient information in the integrity protected
+     part of the application message for the recipient to unambiguously
+     determine if it was the intended recipient.
+r-address
+     This field specifies the address in use by the recipient of the
+     message. It may be omitted for some uses (such as broadcast protocols),
+     but the recipient may arbitrarily reject such messages. This field
+     along with s-address can be used to help detect messages which have
+     been incorrectly or maliciously delivered to the wrong recipient.
+
+5.7. KRB_PRIV message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to securely and privately send a
+message to its peer. It presumes that a session key has previously been
+exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+The KRB_PRIV message contains user data encrypted in the Session Key. The
+message fields are:
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's addr
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_PRIV.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+enc-part
+     This field holds an encoding of the EncKrbPrivPart sequence encrypted
+     under the session key[32]. This encrypted encoding is used for the
+     enc-part field of the KRB-PRIV message. See section 6 for the format of
+     the ciphertext.
+user-data, timestamp, usec, s-address and r-address
+     These fields are described above in section 5.6.1.
+seq-number
+     This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+This section specifies the format of a message that can be used to send
+Kerberos credentials from one principal to another. It is presented here to
+encourage a common mechanism to be used by applications when forwarding
+tickets or providing proxies to subordinate servers. It presumes that a
+session key has already been exchanged perhaps by using the
+KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+The KRB_CRED message contains a sequence of tickets to be sent and
+information needed to use the tickets, including the session key from each.
+The information needed to use the tickets is encrypted under an encryption
+key previously exchanged or transferred alongside the KRB_CRED message. The
+message fields are:
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     KRB_CRED.
+tickets
+     These are the tickets obtained from the KDC specifically for use by the
+     intended recipient. Successive tickets are paired with the
+     corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
+     message.
+enc-part
+     This field holds an encoding of the EncKrbCredPart sequence encrypted
+     under the session key shared between the sender and the intended
+     recipient. This encrypted encoding is used for the enc-part field of
+     the KRB-CRED message. See section 6 for the format of the ciphertext.
+nonce
+     If practical, an application may require the inclusion of a nonce
+     generated by the recipient of the message. If the same value is
+     included as the nonce in the message, it provides evidence that the
+     message is fresh and has not been replayed by an attacker. A nonce must
+     never be re-used; it should be generated randomly by the recipient of
+     the message and provided to the sender of the message in an application
+     specific manner.
+timestamp and usec
+     These fields specify the time that the KRB-CRED message was generated.
+     The time is used to provide assurance that the message is fresh.
+s-address and r-address
+     These fields are described above in section 5.6.1. They are used
+     optionally to provide additional assurance of the integrity of the
+     KRB-CRED message.
+key
+     This field exists in the corresponding ticket passed by the KRB-CRED
+     message and is used to pass the session key from the sender to the
+     intended recipient. The field's encoding is described in section 6.2.
+
+The following fields are optional. If present, they can be associated with
+the credentials in the remote ticket file. If left out, then it is assumed
+that the recipient of the credentials already knows their value.
+
+prealm and pname
+     The name and realm of the delegated principal identity.
+flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
+     These fields contain the values of the correspond- ing fields from the
+     ticket found in the ticket field. Descriptions of the fields are
+     identical to the descriptions in the KDC-REP message.
+
+5.9. Error message specification
+
+This section specifies the format for the KRB_ERROR message. The fields
+included in the message are intended to return as much information as
+possible about an error. It is not expected that all the information
+required by the fields will be available for all types of errors. If the
+appropriate information is not available when the message is composed, the
+corresponding field will be left out of the message.
+
+Note that since the KRB_ERROR message is only optionally integrity
+protected, it is quite possible for an intruder to synthesize or modify such
+a message. In particular, this means that unless appropriate integrity
+protection mechanisms have been applied to the KRB_ERROR message, the client
+should not use any fields in this message for security-critical purposes,
+such as setting a system clock or generating a fresh authenticator. The
+message can be useful, however, for advising a user on the reason for some
+failure.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+5.9.1. KRB_ERROR definition
+
+The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL,
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_ERROR.
+ctime
+     This field is described above in section 5.4.1.
+cusec
+     This field is described above in section 5.5.2.
+stime
+     This field contains the current time on the server. It is of type
+     KerberosTime.
+susec
+     This field contains the microsecond part of the server's timestamp. Its
+     value ranges from 0 to 999999. It appears along with stime. The two
+     fields are used in conjunction to specify a reasonably accurate
+     timestamp.
+error-code
+     This field contains the error code returned by Kerberos or the server
+     when a request fails. To interpret the value of this field see the list
+     of error codes in section 8. Implementations are encouraged to provide
+     for national language support in the display of error messages.
+crealm, cname, srealm and sname
+     These fields are described above in section 5.3.1.
+e-text
+     This field contains additional text to help explain the error code
+     associated with the failed request (for example, it might include a
+     principal name which was unknown).
+e-data
+     This field contains additional data about the error for use by the
+     application to help it recover from or handle the error. If present,
+     this field will contain the encoding of a sequence of TypedData
+     (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED,
+     in which case it will contain the encoding of a sequence of of padata
+     fields (METHOD-DATA below), each corresponding to an acceptable
+     pre-authentication method and optionally containing data for the
+     method:
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+     TYPED-DATA   ::=   SEQUENCE of TypeData
+     METHOD-DATA  ::=   SEQUENCE of PA-DATA
+
+     TypedData ::=   SEQUENCE {
+                         data-type[0]   INTEGER,
+                         data-value[1]  OCTET STRING OPTIONAL
+     }
+
+     Note that e-data-types have been reserved for all PA data types defined
+     prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message, when
+     using new PA data types defined in July 1999 or later, the METHOD-DATA
+     sequence must itself be encapsulated in an TypedData element of type
+     TD-PADATA. All new implementations interpreting the METHOD-DATA field
+     for the KDC_ERR_PREAUTH_REQUIRED message must accept a type of
+     TD-PADATA, extract the typed data field and interpret the use any
+     elements encapsulated in the TD-PADATA elements as if they were present
+     in the METHOD-DATA sequence.
+e-cksum
+     This field contains an optional checksum for the KRB-ERROR message. The
+     checksum is calculated over the Kerberos ASN.1 encoding of the
+     KRB-ERROR message with the checksum absent. The checksum is then added
+     to the KRB-ERROR structure and the message is re-encoded. The Checksum
+     should be calculated using the session key from the ticket granting
+     ticket or service ticket, where available. If the error is in response
+     to a TGS or AP request, the checksum should be calculated uing the the
+     session key from the client's ticket. If the error is in response to an
+     AS request, then the checksum should be calulated using the client's
+     secret key ONLY if there has been suitable preauthentication to prove
+     knowledge of the secret key by the client[33]. If a checksum can not be
+     computed because the key to be used is not available, no checksum will
+     be included.
+
+     6. Encryption and Checksum Specifications
+
+     The Kerberos protocols described in this document are designed to use
+     stream encryption ciphers, which can be simulated using commonly
+     available block encryption ciphers, such as the Data Encryption
+     Standard [DES77], and triple DES variants, in conjunction with block
+     chaining and checksum methods [DESM80]. Encryption is used to prove the
+     identities of the network entities participating in message exchanges.
+     The Key Distribution Center for each realm is trusted by all principals
+     registered in that realm to store a secret key in confidence. Proof of
+     knowledge of this secret key is used to verify the authenticity of a
+     principal.
+
+     The KDC uses the principal's secret key (in the AS exchange) or a
+     shared session key (in the TGS exchange) to encrypt responses to ticket
+     requests; the ability to obtain the secret key or session key implies
+     the knowledge of the appropriate keys and the identity of the KDC. The
+     ability of a principal to decrypt the KDC response and present a Ticket
+     and a properly formed Authenticator (generated with the session key
+     from the KDC response) to a service verifies the identity of the
+     principal; likewise the ability of the service to extract the session
+     key from the Ticket and prove its knowledge thereof in a response
+     verifies the identity of the service.
+
+     The Kerberos protocols generally assume that the encryption used is
+     secure from cryptanalysis; however, in some cases, the order of fields
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     in the encrypted portions of messages are arranged to minimize the
+     effects of poorly chosen keys. It is still important to choose good
+     keys. If keys are derived from user-typed passwords, those passwords
+     need to be well chosen to make brute force attacks more difficult.
+     Poorly chosen keys still make easy targets for intruders.
+
+     The following sections specify the encryption and checksum mechanisms
+     currently defined for Kerberos. The encodings, chaining, and padding
+     requirements for each are described. For encryption methods, it is
+     often desirable to place random information (often referred to as a
+     confounder) at the start of the message. The requirements for a
+     confounder are specified with each encryption mechanism.
+
+     Some encryption systems use a block-chaining method to improve the the
+     security characteristics of the ciphertext. However, these chaining
+     methods often don't provide an integrity check upon decryption. Such
+     systems (such as DES in CBC mode) must be augmented with a checksum of
+     the plain-text which can be verified at decryption and used to detect
+     any tampering or damage. Such checksums should be good at detecting
+     burst errors in the input. If any damage is detected, the decryption
+     routine is expected to return an error indicating the failure of an
+     integrity check. Each encryption type is expected to provide and verify
+     an appropriate checksum. The specification of each encryption method
+     sets out its checksum requirements.
+
+     Finally, where a key is to be derived from a user's password, an
+     algorithm for converting the password to a key of the appropriate type
+     is included. It is desirable for the string to key function to be
+     one-way, and for the mapping to be different in different realms. This
+     is important because users who are registered in more than one realm
+     will often use the same password in each, and it is desirable that an
+     attacker compromising the Kerberos server in one realm not obtain or
+     derive the user's key in another.
+
+     For an discussion of the integrity characteristics of the candidate
+     encryption and checksum methods considered for Kerberos, the reader is
+     referred to [SG92].
+
+     6.1. Encryption Specifications
+
+     The following ASN.1 definition describes all encrypted messages. The
+     enc-part field which appears in the unencrypted part of messages in
+     section 5 is a sequence consisting of an encryption type, an optional
+     key version number, and the ciphertext.
+
+     EncryptedData ::=   SEQUENCE {
+                         etype[0]     INTEGER, -- EncryptionType
+                         kvno[1]      INTEGER OPTIONAL,
+                         cipher[2]    OCTET STRING -- ciphertext
+     }
+
+
+
+     etype
+          This field identifies which encryption algorithm was used to
+          encipher the cipher. Detailed specifications for selected
+          encryption types appear later in this section.
+     kvno
+          This field contains the version number of the key under which data
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+          is encrypted. It is only present in messages encrypted under long
+          lasting keys, such as principals' secret keys.
+     cipher
+          This field contains the enciphered text, encoded as an OCTET
+          STRING.
+     The cipher field is generated by applying the specified encryption
+     algorithm to data composed of the message and algorithm-specific
+     inputs. Encryption mechanisms defined for use with Kerberos must take
+     sufficient measures to guarantee the integrity of the plaintext, and we
+     recommend they also take measures to protect against precomputed
+     dictionary attacks. If the encryption algorithm is not itself capable
+     of doing so, the protections can often be enhanced by adding a checksum
+     and a confounder.
+
+     The suggested format for the data to be encrypted includes a
+     confounder, a checksum, the encoded plaintext, and any necessary
+     padding. The msg-seq field contains the part of the protocol message
+     described in section 5 which is to be encrypted. The confounder,
+     checksum, and padding are all untagged and untyped, and their length is
+     exactly sufficient to hold the appropriate item. The type and length is
+     implicit and specified by the particular encryption type being used
+     (etype). The format for the data to be encrypted for some methods is
+     described in the following diagram, but other methods may deviate from
+     this layour - so long as the definition of the method defines the
+     layout actually in use.
+
+           +-----------+----------+-------------+-----+
+           |confounder |   check  |   msg-seq   | pad |
+           +-----------+----------+-------------+-----+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     CipherText ::=   ENCRYPTED       SEQUENCE {
+          confounder[0]   UNTAGGED[35] OCTET STRING(conf_length) OPTIONAL,
+          check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+          msg-seq[2]      MsgSequence,
+          pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+     }
+
+     One generates a random confounder of the appropriate length, placing it
+     in confounder; zeroes out check; calculates the appropriate checksum
+     over confounder, check, and msg-seq, placing the result in check; adds
+     the necessary padding; then encrypts using the specified encryption
+     type and the appropriate key.
+
+     Unless otherwise specified, a definition of an encryption algorithm
+     that specifies a checksum, a length for the confounder field, or an
+     octet boundary for padding uses this ciphertext format[36]. Those
+     fields which are not specified will be omitted.
+
+     In the interest of allowing all implementations using a particular
+     encryption type to communicate with all others using that type, the
+     specification of an encryption type defines any checksum that is needed
+     as part of the encryption process. If an alternative checksum is to be
+     used, a new encryption type must be defined.
+
+     Some cryptosystems require additional information beyond the key and
+     the data to be encrypted. For example, DES, when used in
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     cipher-block-chaining mode, requires an initialization vector. If
+     required, the description for each encryption type must specify the
+     source of such additional information. 6.2. Encryption Keys
+
+     The sequence below shows the encoding of an encryption key:
+
+            EncryptionKey ::=   SEQUENCE {
+                                keytype[0]    INTEGER,
+                                keyvalue[1]   OCTET STRING
+            }
+
+     keytype
+          This field specifies the type of encryption that is to be
+          performed using the key that follows in the keyvalue field. It
+          will always correspond to the etype to be used to generate or
+          decode the EncryptedData. In cases when multiple algorithms use a
+          common kind of key (e.g., if the encryption algorithm uses an
+          alternate checksum algorithm for an integrity check, or a
+          different chaining mechanism), the keytype provides information
+          needed to determine which algorithm is to be used.
+     keyvalue
+          This field contains the key itself, encoded as an octet string.
+     All negative values for the encryption key type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpreta- tions.
+
+     6.3. Encryption Systems
+
+     6.3.1. The NULL Encryption System (null)
+
+     If no encryption is in use, the encryption system is said to be the
+     NULL encryption system. In the NULL encryption system there is no
+     checksum, confounder or padding. The ciphertext is simply the
+     plaintext. The NULL Key is used by the null encryption system and is
+     zero octets in length, with keytype zero (0).
+
+     6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+     The des-cbc-crc encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. A CRC-32 checksum (described in ISO 3309 [ISO3309]) is
+     applied to the confounder and message sequence (msg-seq) and placed in
+     the cksum field. DES blocks are 8 bytes. As a result, the data to be
+     encrypted (the concatenation of confounder, checksum, and message) must
+     be padded to an 8 byte boundary before encryption. The details of the
+     encryption of this data are identical to those for the des-cbc-md5
+     encryption mode.
+
+     Note that, since the CRC-32 checksum is not collision-proof, an
+     attacker could use a probabilistic chosen-plaintext attack to generate
+     a valid message even if a confounder is used [SG92]. The use of
+     collision-proof checksums is recommended for environments where such
+     attacks represent a significant threat. The use of the CRC-32 as the
+     checksum for ticket or authenticator is no longer mandated as an
+     interoperability requirement for Kerberos Version 5 Specification 1
+     (See section 9.1 for specific details).
+
+     6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     The des-cbc-md4 encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. An MD4 checksum (described in [MD492]) is applied to the
+     confounder and message sequence (msg-seq) and placed in the cksum
+     field. DES blocks are 8 bytes. As a result, the data to be encrypted
+     (the concatenation of confounder, checksum, and message) must be padded
+     to an 8 byte boundary before encryption. The details of the encryption
+     of this data are identical to those for the des-cbc-md5 encryption
+     mode.
+
+     6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+     The des-cbc-md5 encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. An MD5 checksum (described in [MD5-92].) is applied to the
+     confounder and message sequence (msg-seq) and placed in the cksum
+     field. DES blocks are 8 bytes. As a result, the data to be encrypted
+     (the concatenation of confounder, checksum, and message) must be padded
+     to an 8 byte boundary before encryption.
+
+     Plaintext and DES ciphtertext are encoded as blocks of 8 octets which
+     are concatenated to make the 64-bit inputs for the DES algorithms. The
+     first octet supplies the 8 most significant bits (with the octet's
+     MSbit used as the DES input block's MSbit, etc.), the second octet the
+     next 8 bits, ..., and the eighth octet supplies the 8 least significant
+     bits.
+
+     Encryption under DES using cipher block chaining requires an additional
+     input in the form of an initialization vector. Unless otherwise
+     specified, zero should be used as the initialization vector. Kerberos'
+     use of DES requires an 8 octet confounder.
+
+     The DES specifications identify some 'weak' and 'semi-weak' keys; those
+     keys shall not be used for encrypting messages for use in Kerberos.
+     Additionally, because of the way that keys are derived for the
+     encryption of checksums, keys shall not be used that yield 'weak' or
+     'semi-weak' keys when eXclusive-ORed with the hexadecimal constant
+     F0F0F0F0F0F0F0F0.
+
+     A DES key is 8 octets of data, with keytype one (1). This consists of
+     56 bits of key, and 8 parity bits (one per octet). The key is encoded
+     as a series of 8 octets written in MSB-first order. The bits within the
+     key are also encoded in MSB order. For example, if the encryption key
+     is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+     B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the
+     parity bits, the first octet of the key would be B1,B2,...,B7,P1 (with
+     B1 as the MSbit). [See the FIPS 81 introduction for reference.]
+
+     String to key transformation
+
+     To generate a DES key from a text string (password), a "salt" is
+     concatenated to the text string, and then padded with ASCII nulls to an
+     8 byte boundary. This "salt" is normally the realm and each component
+     of the principal's name appended. However, sometimes different salts
+     are used --- for example, when a realm is renamed, or if a user changes
+     her username, or for compatibility with Kerberos V4 (whose
+     string-to-key algorithm uses a null string for the salt). This string
+     is then fan-folded and eXclusive-ORed with itself to form an 8 byte DES
+     key. Before eXclusive-ORing a block, every byte is shifted one bit to
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     the left to leave the lowest bit zero. The key is the "corrected" by
+     correcting the parity on the key, and if the key matches a 'weak' or
+     'semi-weak' key as described in the DES specification, it is
+     eXclusive-ORed with the constant 00000000000000F0. This key is then
+     used to generate a DES CBC checksum on the initial string (with the
+     salt appended). The result of the CBC checksum is the "corrected" as
+     described above to form the result which is return as the key.
+     Pseudocode follows:
+
+          name_to_default_salt(realm, name) {
+               s = realm
+               for(each component in name) {
+                    s = s + component;
+               }
+               return s;
+          }
+
+          key_correction(key) {
+               fixparity(key);
+               if (is_weak_key_key(key))
+                    key = key XOR 0xF0;
+               return(key);
+          }
+
+          string_to_key(string,salt) {
+
+               odd = 1;
+               s = string + salt;
+               tempkey = NULL;
+               pad(s); /* with nulls to 8 byte boundary */
+               for(8byteblock in s) {
+                    if(odd == 0)  {
+                        odd = 1;
+                        reverse(8byteblock)
+                    }
+                    else odd = 0;
+                    left shift every byte in 8byteblock one bit;
+                    tempkey = tempkey XOR 8byteblock;
+               }
+               tempkey = key_correction(tempkey);
+               key = key_correction(DES-CBC-check(s,tempkey));
+               return(key);
+          }
+
+     6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with and
+     without Key Derivation [Original draft by Marc Horowitz, revisions by
+     David Miller]
+
+     This encryption type is based on the Triple DES cryptosystem, the
+     HMAC-SHA1 [Krawczyk96] message authentication algorithm, and key
+     derivation for Kerberos V5 [HorowitzB96]. Key derivation may or may not
+     be used in conjunction with the use of Triple DES keys.
+
+     Algorithm Identifiers
+
+     The des3-cbc-hmac-sha1 encryption type has been assigned the value 7.
+     The des3-cbc-hmac-sha1-kd encryption type, specifying the key
+     derivation variant of the encryption type, has been assigned the value
+     16. The hmac-sha1-des3 checksum type has been assigned the value 13.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     The hmac-sha1-des3-kd checksum type, specifying the key derivation
+     variant of the checksum, has been assigned the value 12.
+
+     Triple DES Key Production
+
+     The EncryptionKey value is 24 octets long. The 7 most significant bits
+     of each octet contain key bits, and the least significant bit is the
+     inverse of the xor of the key bits.
+
+     For the purposes of key derivation, the block size is 64 bits, and the
+     key size is 168 bits. The 168 bits output by key derivation are
+     converted to an EncryptionKey value as follows. First, the 168 bits are
+     divided into three groups of 56 bits, which are expanded individually
+     into 64 bits as follows:
+
+      1  2  3  4  5  6  7  p
+      9 10 11 12 13 14 15  p
+     17 18 19 20 21 22 23  p
+     25 26 27 28 29 30 31  p
+     33 34 35 36 37 38 39  p
+     41 42 43 44 45 46 47  p
+     49 50 51 52 53 54 55  p
+     56 48 40 32 24 16  8  p
+
+     The "p" bits are parity bits computed over the data bits. The output of
+     the three expansions are concatenated to form the EncryptionKey value.
+
+     When the HMAC-SHA1 of a string is computed, the key is used in the
+     EncryptedKey form.
+
+     The string-to-key function is used to tranform UNICODE passwords into
+     DES3 keys. The DES3 string-to-key function relies on the "N-fold"
+     algorithm, which is detailed in [9]. The description of the N-fold
+     algorithm in that document is as follows:
+        o To n-fold a number X, replicate the input value to a length that
+          is the least common multiple of n and the length of X. Before each
+          repetition, the input is rotated to the right by 13 bit positions.
+          The successive n-bit chunks are added together using
+          1's-complement addition (that is, addition with end-around carry)
+          to yield an n-bit result"
+        o The n-fold algorithm, as with DES string-to-key, is applied to the
+          password string concatenated with a salt value. The salt value is
+          derived in the same was as for the DES string-to-key algorithm.
+          For 3-key triple DES then, the operation will involve a 168-fold
+          of the input password string. The remainder of the string-to-key
+          function for DES3 is shown here in pseudocode:
+
+     DES3string-to-key(passwordString, key)
+
+         salt = name_to_default_salt(realm, name)
+         s = passwordString + salt
+         tmpKey1 = 168-fold(s)
+         parityFix(tmpKey1);
+         if not weakKey(tmpKey1)
+             /*
+              * Encrypt temp key in itself with a
+              * zero initialization vector
+              *
+              * Function signature is DES3encrypt(plain, key, iv)
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+              * with cipher as the return value
+              */
+             tmpKey2 = DES3encrypt(tmpKey1, tmpKey1, zeroIvec)
+             /*
+              * Encrypt resultant temp key in itself with third component
+              * of first temp key as initialization vector
+              */
+             key = DES3encrypt(tmpKey2, tmpKey1, tmpKey1[2])
+             parityFix(key)
+             if not weakKey(key)
+                  return SUCCESS
+             else
+                  return FAILURE
+         else
+             return FAILURE
+
+     The weakKey function above is the same weakKey function used with DES
+     keys, but applied to each of the three single DES keys that comprise
+     the triple DES key.
+
+     The lengths of UNICODE encoded character strings include the trailing
+     terminator character (0).
+
+     Encryption Types des3-cbc-hmac-sha1 and des3-cbc-hmac-sha1-kd
+
+     EncryptedData using this type must be generated as described in
+     [Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC mode.
+     The checksum algorithm is HMAC-SHA1. If the key derivation variant of
+     the encryption type is used, encryption key values are modified
+     according to the method under the Key Derivation section below.
+
+     Unless otherwise specified, a zero IV must be used.
+
+     If the length of the input data is not a multiple of the block size,
+     zero octets must be used to pad the plaintext to the next eight-octet
+     boundary. The counfounder must be eight random octets (one block).
+
+     Checksum Types hmac-sha1-des3 and hmac-sha1-des3-kd
+
+     Checksums using this type must be generated as described in
+     [Horowitz96]. The keyed hash algorithm is HMAC-SHA1. If the key
+     derivation variant of the checksum type is used, checksum key values
+     are modified according to the method under the Key Derivation section
+     below.
+
+     Key Derivation
+
+     In the Kerberos protocol, cryptographic keys are used in a number of
+     places. In order to minimize the effect of compromising a key, it is
+     desirable to use a different key for each of these places. Key
+     derivation [Horowitz96] can be used to construct different keys for
+     each operation from the keys transported on the network. For this to be
+     possible, a small change to the specification is necessary.
+
+     This section specifies a profile for the use of key derivation
+     [Horowitz96] with Kerberos. For each place where a key is used, a ``key
+     usage'' must is specified for that purpose. The key, key usage, and
+     encryption/checksum type together describe the transformation from
+     plaintext to ciphertext, or plaintext to checksum.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+     Key Usage Values
+
+     This is a complete list of places keys are used in the kerberos
+     protocol, with key usage values and RFC 1510 section numbers:
+
+      1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+         client key (section 5.4.1)
+      2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+         application session key), encrypted with the service key
+         (section 5.4.2)
+      3. AS-REP encrypted part (includes tgs session key or application
+         session key), encrypted with the client key (section 5.4.2)
+      4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+         session key (section 5.4.1)
+      5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+         authenticator subkey (section 5.4.1)
+      6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+         with the tgs session key (sections 5.3.2, 5.4.1)
+      7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+         authenticator subkey), encrypted with the tgs session key
+         (section 5.3.2)
+      8. TGS-REP encrypted part (includes application session key),
+         encrypted with the tgs session key (section 5.4.2)
+      9. TGS-REP encrypted part (includes application session key),
+         encrypted with the tgs authenticator subkey (section 5.4.2)
+     10. AP-REQ Authenticator cksum, keyed with the application session
+         key (section 5.3.2)
+     11. AP-REQ Authenticator (includes application authenticator
+         subkey), encrypted with the application session key (section
+         5.3.2)
+     12. AP-REP encrypted part (includes application session subkey),
+         encrypted with the application session key (section 5.5.2)
+     13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+         application (section 5.7.1)
+     14. KRB-CRED encrypted part, encrypted with a key chosen by the
+         application (section 5.6.1)
+     15. KRB-SAVE cksum, keyed with a key chosen by the application
+         (section 5.8.1)
+     18. KRB-ERROR checksum (e-cksum in section 5.9.1)
+     19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
+     20. Checksum for Mandatory Ticket Extensions (appendix B.6)
+     21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
+
+     Key usage values between 1024 and 2047 (inclusive) are reserved for
+     application use. Applications should use even values for encryption and
+     odd values for checksums within this range.
+
+     A few of these key usages need a little clarification. A service which
+     receives an AP-REQ has no way to know if the enclosed Ticket was part
+     of an AS-REP or TGS-REP. Therefore, key usage 2 must always be used for
+     generating a Ticket, whether it is in response to an AS- REQ or
+     TGS-REQ.
+
+     There might exist other documents which define protocols in terms of
+     the RFC1510 encryption types or checksum types. Such documents would
+     not know about key usages. In order that these documents continue to be
+     meaningful until they are updated, key usages 1024 and 1025 must be
+     used to derive keys for encryption and checksums, respectively. New
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     protocols defined in terms of the Kerberos encryption and checksum
+     types should use their own key usages. Key usages may be registered
+     with IANA to avoid conflicts. Key usages must be unsigned 32 bit
+     integers. Zero is not permitted.
+
+     Defining Cryptosystems Using Key Derivation
+
+     Kerberos requires that the ciphertext component of EncryptedData be
+     tamper-resistant as well as confidential. This implies encryption and
+     integrity functions, which must each use their own separate keys. So,
+     for each key usage, two keys must be generated, one for encryption
+     (Ke), and one for integrity (Ki):
+
+           Ke = DK(protocol key, key usage | 0xAA)
+           Ki = DK(protocol key, key usage | 0x55)
+
+     where the protocol key is from the EncryptionKey from the wire
+     protocol, and the key usage is represented as a 32 bit integer in
+     network byte order. The ciphertest must be generated from the plaintext
+     as follows:
+
+        ciphertext = E(Ke, confounder | plaintext | padding) |
+                     H(Ki, confounder | plaintext | padding)
+
+     The confounder and padding are specific to the encryption algorithm E.
+
+     When generating a checksum only, there is no need for a confounder or
+     padding. Again, a new key (Kc) must be used. Checksums must be
+     generated from the plaintext as follows:
+
+           Kc = DK(protocol key, key usage | 0x99)
+           MAC = H(Kc, plaintext)
+
+     Note that each enctype is described by an encryption algorithm E and a
+     keyed hash algorithm H, and each checksum type is described by a keyed
+     hash algorithm H. HMAC, with an appropriate hash, is required for use
+     as H.
+
+     Key Derivation from Passwords
+
+     The well-known constant for password key derivation must be the byte
+     string {0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values
+     correspond to the ASCII encoding for the string "kerberos".
+
+     6.4. Checksums
+
+     The following is the ASN.1 definition used for a checksum:
+
+              Checksum ::=   SEQUENCE {
+                             cksumtype[0]   INTEGER,
+                             checksum[1]    OCTET STRING
+              }
+
+     cksumtype
+          This field indicates the algorithm used to generate the
+          accompanying checksum.
+     checksum
+          This field contains the checksum itself, encoded as an octet
+          string.
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     Detailed specification of selected checksum types appear later in this
+     section. Negative values for the checksum type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpretations.
+
+     Checksums used by Kerberos can be classified by two properties: whether
+     they are collision-proof, and whether they are keyed. It is infeasible
+     to find two plaintexts which generate the same checksum value for a
+     collision-proof checksum. A key is required to perturb or initialize
+     the algorithm in a keyed checksum. To prevent message-stream
+     modification by an active attacker, unkeyed checksums should only be
+     used when the checksum and message will be subsequently encrypted (e.g.
+     the checksums defined as part of the encryption algorithms covered
+     earlier in this section).
+
+     Collision-proof checksums can be made tamper-proof if the checksum
+     value is encrypted before inclusion in a message. In such cases, the
+     composition of the checksum and the encryption algorithm must be
+     considered a separate checksum algorithm (e.g. RSA-MD5 encrypted using
+     DES is a new checksum algorithm of type RSA-MD5-DES). For most keyed
+     checksums, as well as for the encrypted forms of unkeyed
+     collision-proof checksums, Kerberos prepends a confounder before the
+     checksum is calculated.
+
+     6.4.1. The CRC-32 Checksum (crc32)
+
+     The CRC-32 checksum calculates a checksum based on a cyclic redundancy
+     check as described in ISO 3309 [ISO3309]. The resulting checksum is
+     four (4) octets in length. The CRC-32 is neither keyed nor
+     collision-proof. The use of this checksum is not recommended. An
+     attacker using a probabilistic chosen-plaintext attack as described in
+     [SG92] might be able to generate an alternative message that satisfies
+     the checksum. The use of collision-proof checksums is recommended for
+     environments where such attacks represent a significant threat.
+
+     6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+     The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
+     [MD4-92]. The algorithm takes as input an input message of arbitrary
+     length and produces as output a 128-bit (16 octet) checksum. RSA-MD4 is
+     believed to be collision-proof.
+
+     6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
+
+     The RSA-MD4-DES checksum calculates a keyed collision-proof checksum by
+     prepending an 8 octet confounder before the text, applying the RSA MD4
+     checksum algorithm, and encrypting the confounder and the checksum
+     using DES in cipher-block-chaining (CBC) mode using a variant of the
+     key, where the variant is computed by eXclusive-ORing the key with the
+     constant F0F0F0F0F0F0F0F0[39]. The initialization vector should be
+     zero. The resulting checksum is 24 octets long (8 octets of which are
+     redundant). This checksum is tamper-proof and believed to be
+     collision-proof.
+
+     The DES specifications identify some weak keys' and 'semi-weak keys';
+     those keys shall not be used for generating RSA-MD4 checksums for use
+     in Kerberos.
+
+     The format for the checksum is described in the follow- ing diagram:
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+     |  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)  |
+     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                                confounder[0]   UNTAGGED OCTET STRING(8),
+                                check[1]        UNTAGGED OCTET STRING(16)
+     }
+
+     6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+     The RSA-MD5 checksum calculates a checksum using the RSA MD5 algorithm.
+     [MD5-92]. The algorithm takes as input an input message of arbitrary
+     length and produces as output a 128-bit (16 octet) checksum. RSA-MD5 is
+     believed to be collision-proof.
+
+     6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
+
+     The RSA-MD5-DES checksum calculates a keyed collision-proof checksum by
+     prepending an 8 octet confounder before the text, applying the RSA MD5
+     checksum algorithm, and encrypting the confounder and the checksum
+     using DES in cipher-block-chaining (CBC) mode using a variant of the
+     key, where the variant is computed by eXclusive-ORing the key with the
+     hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector should
+     be zero. The resulting checksum is 24 octets long (8 octets of which
+     are redundant). This checksum is tamper-proof and believed to be
+     collision-proof.
+
+     The DES specifications identify some 'weak keys' and 'semi-weak keys';
+     those keys shall not be used for encrypting RSA-MD5 checksums for use
+     in Kerberos.
+
+     The format for the checksum is described in the following diagram:
+
+     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+     |  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)  |
+     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                                confounder[0]   UNTAGGED OCTET STRING(8),
+                                check[1]        UNTAGGED OCTET STRING(16)
+     }
+
+     6.4.6. DES cipher-block chained checksum (des-mac)
+
+     The DES-MAC checksum is computed by prepending an 8 octet confounder to
+     the plaintext, performing a DES CBC-mode encryption on the result using
+     the key and an initialization vector of zero, taking the last block of
+     the ciphertext, prepending the same confounder and encrypting the pair
+     using DES in cipher-block-chaining (CBC) mode using a a variant of the
+     key, where the variant is computed by eXclusive-ORing the key with the
+     hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector should
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     be zero. The resulting checksum is 128 bits (16 octets) long, 64 bits
+     of which are redundant. This checksum is tamper-proof and
+     collision-proof.
+
+     The format for the checksum is described in the following diagram:
+
+     +--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+     |   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
+     +--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                            confounder[0]   UNTAGGED OCTET STRING(8),
+                            check[1]        UNTAGGED OCTET STRING(8)
+     }
+
+     The DES specifications identify some 'weak' and 'semi-weak' keys; those
+     keys shall not be used for generating DES-MAC checksums for use in
+     Kerberos, nor shall a key be used whose variant is 'weak' or
+     'semi-weak'.
+
+     6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative
+     (rsa-md4-des-k)
+
+     The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum
+     by applying the RSA MD4 checksum algorithm and encrypting the results
+     using DES in cipher-block-chaining (CBC) mode using a DES key as both
+     key and initialization vector. The resulting checksum is 16 octets
+     long. This checksum is tamper-proof and believed to be collision-proof.
+     Note that this checksum type is the old method for encoding the
+     RSA-MD4-DES checksum and it is no longer recommended.
+
+     6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
+
+     The DES-MAC-K checksum is computed by performing a DES CBC-mode
+     encryption of the plaintext, and using the last block of the ciphertext
+     as the checksum value. It is keyed with an encryption key and an
+     initialization vector; any uses which do not specify an additional
+     initialization vector will use the key as both key and initialization
+     vector. The resulting checksum is 64 bits (8 octets) long. This
+     checksum is tamper-proof and collision-proof. Note that this checksum
+     type is the old method for encoding the DES-MAC checksum and it is no
+     longer recommended. The DES specifications identify some 'weak keys'
+     and 'semi-weak keys'; those keys shall not be used for generating
+     DES-MAC checksums for use in Kerberos.
+
+     7. Naming Constraints
+
+     7.1. Realm Names
+
+     Although realm names are encoded as GeneralStrings and although a realm
+     can technically select any name it chooses, interoperability across
+     realm boundaries requires agreement on how realm names are to be
+     assigned, and what information they imply.
+
+     To enforce these conventions, each realm must conform to the
+     conventions itself, and it must require that any realms with which
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     inter-realm keys are shared also conform to the conventions and require
+     the same from its neighbors.
+
+     Kerberos realm names are case sensitive. Realm names that differ only
+     in the case of the characters are not equivalent. There are presently
+     four styles of realm names: domain, X500, other, and reserved. Examples
+     of each style follow:
+
+          domain:   ATHENA.MIT.EDU (example)
+            X500:   C=US/O=OSF (example)
+           other:   NAMETYPE:rest/of.name=without-restrictions (example)
+        reserved:   reserved, but will not conflict with above
+
+     Domain names must look like domain names: they consist of components
+     separated by periods (.) and they contain neither colons (:) nor
+     slashes (/). Domain names must be converted to upper case when used as
+     realm names.
+
+     X.500 names contain an equal (=) and cannot contain a colon (:) before
+     the equal. The realm names for X.500 names will be string
+     representations of the names with components separated by slashes.
+     Leading and trailing slashes will not be included.
+
+     Names that fall into the other category must begin with a prefix that
+     contains no equal (=) or period (.) and the prefix must be followed by
+     a colon (:) and the rest of the name. All prefixes must be assigned
+     before they may be used. Presently none are assigned.
+
+     The reserved category includes strings which do not fall into the first
+     three categories. All names in this category are reserved. It is
+     unlikely that names will be assigned to this category unless there is a
+     very strong argument for not using the 'other' category.
+
+     These rules guarantee that there will be no conflicts between the
+     various name styles. The following additional constraints apply to the
+     assignment of realm names in the domain and X.500 categories: the name
+     of a realm for the domain or X.500 formats must either be used by the
+     organization owning (to whom it was assigned) an Internet domain name
+     or X.500 name, or in the case that no such names are registered,
+     authority to use a realm name may be derived from the authority of the
+     parent realm. For example, if there is no domain name for E40.MIT.EDU,
+     then the administrator of the MIT.EDU realm can authorize the creation
+     of a realm with that name.
+
+     This is acceptable because the organization to which the parent is
+     assigned is presumably the organization authorized to assign names to
+     its children in the X.500 and domain name systems as well. If the
+     parent assigns a realm name without also registering it in the domain
+     name or X.500 hierarchy, it is the parent's responsibility to make sure
+     that there will not in the future exists a name identical to the realm
+     name of the child unless it is assigned to the same entity as the realm
+     name.
+
+     7.2. Principal Names
+
+     As was the case for realm names, conventions are needed to ensure that
+     all agree on what information is implied by a principal name. The
+     name-type field that is part of the principal name indicates the kind
+     of information implied by the name. The name-type should be treated as
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     a hint. Ignoring the name type, no two names can be the same (i.e. at
+     least one of the components, or the realm, must be different). The
+     following name types are defined:
+
+ name-type      value   meaning
+
+  NT-UNKNOWN        0  Name type not known
+  NT-PRINCIPAL      1  General principal name (e.g. username, or DCE principal)
+  NT-SRV-INST       2  Service and other unique instance (krbtgt)
+  NT-SRV-HST        3  Service with host name as instance (telnet, rcommands)
+  NT-SRV-XHST       4  Service with slash-separated host name components
+  NT-UID            5  Unique ID
+  NT-X500-PRINCIPAL 6  Encoded X.509 Distingished name [RFC 1779]
+
+     When a name implies no information other than its uniqueness at a
+     particular time the name type PRINCIPAL should be used. The principal
+     name type should be used for users, and it might also be used for a
+     unique server. If the name is a unique machine generated ID that is
+     guaranteed never to be reassigned then the name type of UID should be
+     used (note that it is generally a bad idea to reassign names of any
+     type since stale entries might remain in access control lists).
+
+     If the first component of a name identifies a service and the remaining
+     components identify an instance of the service in a server specified
+     manner, then the name type of SRV-INST should be used. An example of
+     this name type is the Kerberos ticket-granting service whose name has a
+     first component of krbtgt and a second component identifying the realm
+     for which the ticket is valid.
+
+     If instance is a single component following the service name and the
+     instance identifies the host on which the server is running, then the
+     name type SRV-HST should be used. This type is typically used for
+     Internet services such as telnet and the Berkeley R commands. If the
+     separate components of the host name appear as successive components
+     following the name of the service, then the name type SRV-XHST should
+     be used. This type might be used to identify servers on hosts with
+     X.500 names where the slash (/) might otherwise be ambiguous.
+
+     A name type of NT-X500-PRINCIPAL should be used when a name from an
+     X.509 certificiate is translated into a Kerberos name. The encoding of
+     the X.509 name as a Kerberos principal shall conform to the encoding
+     rules specified in RFC 2253.
+
+     A name type of UNKNOWN should be used when the form of the name is not
+     known. When comparing names, a name of type UNKNOWN will match
+     principals authenticated with names of any type. A principal
+     authenticated with a name of type UNKNOWN, however, will only match
+     other names of type UNKNOWN.
+
+     Names of any type with an initial component of 'krbtgt' are reserved
+     for the Kerberos ticket granting service. See section 8.2.3 for the
+     form of such names.
+
+     7.2.1. Name of server principals
+
+     The principal identifier for a server on a host will generally be
+     composed of two parts: (1) the realm of the KDC with which the server
+     is registered, and (2) a two-component name of type NT-SRV-HST if the
+     host name is an Internet domain name or a multi-component name of type
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     NT-SRV-XHST if the name of the host is of a form such as X.500 that
+     allows slash (/) separators. The first component of the two- or
+     multi-component name will identify the service and the latter
+     components will identify the host. Where the name of the host is not
+     case sensitive (for example, with Internet domain names) the name of
+     the host must be lower case. If specified by the application protocol
+     for services such as telnet and the Berkeley R commands which run with
+     system privileges, the first component may be the string 'host' instead
+     of a service specific identifier. When a host has an official name and
+     one or more aliases, the official name of the host must be used when
+     constructing the name of the server principal.
+
+     8. Constants and other defined values
+
+     8.1. Host address types
+
+     All negative values for the host address type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpretations.
+
+     The values of the types for the following addresses are chosen to match
+     the defined address family constants in the Berkeley Standard
+     Distributions of Unix. They can be found in with symbolic names AF_xxx
+     (where xxx is an abbreviation of the address family name).
+
+     Internet (IPv4) Addresses
+
+     Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in
+     MSB order. The type of IPv4 addresses is two (2).
+
+     Internet (IPv6) Addresses [Westerlund]
+
+     IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB order.
+     The type of IPv6 addresses is twenty-four (24). [RFC1883] [RFC1884].
+     The following addresses (see [RFC1884]) MUST not appear in any Kerberos
+     packet:
+        o the Unspecified Address
+        o the Loopback Address
+        o Link-Local addresses
+     IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+     CHAOSnet addresses
+
+     CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB
+     order. The type of CHAOSnet addresses is five (5).
+
+     ISO addresses
+
+     ISO addresses are variable-length. The type of ISO addresses is seven
+     (7).
+
+     Xerox Network Services (XNS) addresses
+
+     XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order.
+     The type of XNS addresses is six (6).
+
+     AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+     AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     network number. The first octet of the address is the node number; the
+     remaining two octets encode the network number in MSB order. The type
+     of AppleTalk DDP addresses is sixteen (16).
+
+     DECnet Phase IV addresses
+
+     DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order.
+     The type of DECnet Phase IV addresses is twelve (12).
+
+     Netbios addresses
+
+     Netbios addresses are 16-octet addresses typically composed of 1 to 15
+     characters, trailing blank (ascii char 20) filled, with a 16th octet of
+     0x0. The type of Netbios addresses is 20 (0x14).
+
+     8.2. KDC messages
+
+     8.2.1. UDP/IP transport
+
+     When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request using
+     UDP IP transport, the client shall send a UDP datagram containing only
+     an encoding of the request to port 88 (decimal) at the KDC's IP
+     address; the KDC will respond with a reply datagram containing only an
+     encoding of the reply message (either a KRB_ERROR or a KRB_KDC_REP) to
+     the sending port at the sender's IP address. Kerberos servers
+     supporting IP transport must accept UDP requests on port 88 (decimal).
+     The response to a request made through UDP/IP transport must also use
+     UDP/IP transport.
+
+     8.2.2. TCP/IP transport [Westerlund,Danielsson]
+
+     Kerberos servers (KDC's) should accept TCP requests on port 88
+     (decimal) and clients should support the sending of TCP requests on
+     port 88 (decimal). When the KRB_KDC_REQ message is sent to the KDC over
+     a TCP stream, a new connection will be established for each
+     authentication exchange (request and response). The KRB_KDC_REP or
+     KRB_ERROR message will be returned to the client on the same TCP stream
+     that was established for the request. The response to a request made
+     through TCP/IP transport must also use TCP/IP transport. Implementors
+     should note that some extentions to the Kerberos protocol will not work
+     if any implementation not supporting the TCP transport is involved
+     (client or KDC). Implementors are strongly urged to support the TCP
+     transport on both the client and server and are advised that the
+     current notation of "should" support will likely change in the future
+     to must support. The KDC may close the TCP stream after sending a
+     response, but may leave the stream open if it expects a followup - in
+     which case it may close the stream at any time if resource constratints
+     or other factors make it desirable to do so. Care must be taken in
+     managing TCP/IP connections with the KDC to prevent denial of service
+     attacks based on the number of TCP/IP connections with the KDC that
+     remain open. If multiple exchanges with the KDC are needed for certain
+     forms of preauthentication, multiple TCP connections may be required. A
+     client may close the stream after receiving response, and should close
+     the stream if it does not expect to send followup messages. The client
+     must be prepared to have the stream closed by the KDC at anytime, in
+     which case it must simply connect again when it is ready to send
+     subsequent messages.
+
+     The first four octets of the TCP stream used to transmit the request
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     request will encode in network byte order the length of the request
+     (KRB_KDC_REQ), and the length will be followed by the request itself.
+     The response will similarly be preceeded by a 4 octet encoding in
+     network byte order of the length of the KRB_KDC_REP or the KRB_ERROR
+     message and will be followed by the KRB_KDC_REP or the KRB_ERROR
+     response. If the sign bit is set on the integer represented by the
+     first 4 octets, then the next 4 octets will be read, extending the
+     length of the field by another 4 octets (less the sign bit which is
+     reserved for future expansion).
+
+     8.2.3. OSI transport
+
+     During authentication of an OSI client to an OSI server, the mutual
+     authentication of an OSI server to an OSI client, the transfer of
+     credentials from an OSI client to an OSI server, or during exchange of
+     private or integrity checked messages, Kerberos protocol messages may
+     be treated as opaque objects and the type of the authentication
+     mechanism will be:
+
+     OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1), security(5),kerberosv5(2)}
+
+     Depending on the situation, the opaque object will be an authentication
+     header (KRB_AP_REQ), an authentication reply (KRB_AP_REP), a safe
+     message (KRB_SAFE), a private message (KRB_PRIV), or a credentials
+     message (KRB_CRED). The opaque data contains an application code as
+     specified in the ASN.1 description for each message. The application
+     code may be used by Kerberos to determine the message type.
+
+     8.2.3. Name of the TGS
+
+     The principal identifier of the ticket-granting service shall be
+     composed of three parts: (1) the realm of the KDC issuing the TGS
+     ticket (2) a two-part name of type NT-SRV-INST, with the first part
+     "krbtgt" and the second part the name of the realm which will accept
+     the ticket-granting ticket. For example, a ticket-granting ticket
+     issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
+     ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU"
+     (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting ticket
+     issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
+     MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" (realm),
+     ("krbtgt", "MIT.EDU") (name).
+
+     8.3. Protocol constants and associated values
+
+     The following tables list constants used in the protocol and defines
+     their meanings. Ranges are specified in the "specification" section
+     that limit the values of constants for which values are defined here.
+     This allows implementations to make assumptions about the maximum
+     values that will be received for these constants. Implementation
+     receiving values outside the range specified in the "specification"
+     section may reject the request, but they must recover cleanly.
+
+  Encryption type       etype value block size  minimum pad size  confounder size
+  NULL                           0     1           0                 0
+  des-cbc-crc                    1     8           4                 8
+  des-cbc-md4                    2     8           0                 8
+  des-cbc-md5                    3     8           0                 8
+  <reserved>                     4
+  des3-cbc-md5                   5     8           0                 8
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+  <reserved>                     6
+  des3-cbc-sha1                  7     8           0                 8
+  dsaWithSHA1-CmsOID             9                                 (pkinit)
+  md5WithRSAEncryption-CmsOID   10                                 (pkinit)
+  sha1WithRSAEncryption-CmsOID  11                                 (pkinit)
+  rc2CBC-EnvOID                 12                                 (pkinit)
+  rsaEncryption-EnvOID          13                 (pkinit from PKCS#1 v1.5)
+  rsaES-OAEP-ENV-OID            14                 (pkinit from PKCS#1 v2.0)
+  des-ede3-cbc-Env-OID          15                                 (pkinit)
+  des3-cbc-sha1-kd              16                                 (Tom Yu)
+  rc4-hmac                      23                                 (swift)
+  rc4-hmac-exp                  24                                 (swift)
+
+  ENCTYPE_PK_CROSS              48                      (reserved for pkcross)
+  <reserved>                    0x8003
+
+  Checksum type              sumtype value       checksum size
+  CRC32                      1                   4
+  rsa-md4                    2                   16
+  rsa-md4-des                3                   24
+  des-mac                    4                   16
+  des-mac-k                  5                   8
+  rsa-md4-des-k              6                   16 (drop rsa ?)
+  rsa-md5                    7                   16 (drop rsa ?)
+  rsa-md5-des                8                   24 (drop rsa ?)
+  rsa-md5-des3               9                   24 (drop rsa ?)
+  hmac-sha1-des3-kd          12                  20
+  hmac-sha1-des3             13                  20
+
+  padata type                     padata-type value
+
+  PA-TGS-REQ                      1
+  PA-ENC-TIMESTAMP                2
+  PA-PW-SALT                      3
+  <reserved>                      4
+  PA-ENC-UNIX-TIME                5                  (depricated)
+  PA-SANDIA-SECUREID              6
+  PA-SESAME                       7
+  PA-OSF-DCE                      8
+  PA-CYBERSAFE-SECUREID           9
+  PA-AFS3-SALT                    10
+  PA-ETYPE-INFO                   11
+  PA-SAM-CHALLENGE                12                  (sam/otp)
+  PA-SAM-RESPONSE                 13                  (sam/otp)
+  PA-PK-AS-REQ                    14                  (pkinit)
+  PA-PK-AS-REP                    15                  (pkinit)
+  PA-USE-SPECIFIED-KVNO           20
+  PA-SAM-REDIRECT                 21                  (sam/otp)
+  PA-GET-FROM-TYPED-DATA          22
+  PA-SAM-ETYPE-INFO               23                  (sam/otp)
+
+data-type                     value    form of typed-data
+
+<reserved>                      1-21
+TD-PADATA                       22
+TD-PKINIT-CMS-CERTIFICATES      101      CertificateSet from CMS
+TD-KRB-PRINCIPAL                102
+TD-KRB-REALM                    103
+TD-TRUSTED-CERTIFIERS           104
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+TD-CERTIFICATE-INDEX            105
+
+authorization data type         ad-type value
+AD-IF-RELEVANT                     1
+AD-INTENDED-FOR-SERVER             2
+AD-INTENDED-FOR-APPLICATION-CLASS  3
+AD-KDC-ISSUED                      4
+AD-OR                              5
+AD-MANDATORY-TICKET-EXTENSIONS     6
+AD-IN-TICKET-EXTENSIONS            7
+reserved values                    8-63
+OSF-DCE                            64
+SESAME                             65
+AD-OSF-DCE-PKI-CERTID              66         (hemsath@us.ibm.com)
+
+Ticket Extension Types
+
+TE-TYPE-NULL                  0      Null ticket extension
+TE-TYPE-EXTERNAL-ADATA        1      Integrity protected authorization data
+<reserved>                    2      TE-TYPE-PKCROSS-KDC  (I have reservations)
+TE-TYPE-PKCROSS-CLIENT        3      PKCROSS cross realm key ticket
+TE-TYPE-CYBERSAFE-EXT         4      Assigned to CyberSafe Corp
+<reserved>                    5      TE-TYPE-DEST-HOST (I have reservations)
+
+alternate authentication type   method-type value
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+transited encoding type         tr-type value
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+Label               Value   Meaning or MIT code
+
+pvno                    5   current Kerberos protocol version number
+
+message types
+
+KRB_AS_REQ             10   Request for initial authentication
+KRB_AS_REP             11   Response to KRB_AS_REQ request
+KRB_TGS_REQ            12   Request for authentication based on TGT
+KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+KRB_AP_REQ             14   application request to server
+KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE               20   Safe (checksummed) application message
+KRB_PRIV               21   Private (encrypted) application message
+KRB_CRED               22   Private (encrypted) message to forward credentials
+KRB_ERROR              30   Error response
+
+name types
+
+KRB_NT_UNKNOWN        0  Name type not known
+KRB_NT_PRINCIPAL      1  Just the name of the principal as in DCE, or for users
+KRB_NT_SRV_INST       2  Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST        3  Service with host name as instance (telnet, rcommands)
+KRB_NT_SRV_XHST       4  Service with host as remaining components
+KRB_NT_UID            5  Unique ID
+KRB_NT_X500_PRINCIPAL 6  Encoded X.509 Distingished name [RFC 2253]
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+error codes
+
+KDC_ERR_NONE                    0   No error
+KDC_ERR_NAME_EXP                1   Client's entry in database has expired
+KDC_ERR_SERVICE_EXP             2   Server's entry in database has expired
+KDC_ERR_BAD_PVNO                3   Requested prot vers number not supported
+KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old master key
+KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in database
+KDC_ERR_NULL_KEY                9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID            11   Requested start time is later than end time
+KDC_ERR_POLICY                 12   KDC policy rejects request
+KDC_ERR_BADOPTION              13   KDC cannot accommodate requested option
+KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption type
+KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been revoked
+KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again later
+KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again later
+KDC_ERR_KEY_EXPIRED            23   Password has expired - change password
+KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was invalid
+KDC_ERR_PREAUTH_REQUIRED       25   Additional pre-authenticationrequired [40]
+KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't match
+KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for user2user only
+KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+KDC_ERR_SVC_UNAVAILABLE        29   A service is not available
+KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field failed
+KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+KRB_AP_ERR_REPEAT              34   Request is a replay
+KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't match
+KRB_AP_ERR_SKEW                37   Clock skew too great
+KRB_AP_ERR_BADADDR             38   Incorrect net address
+KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+KRB_AP_ERR_MODIFIED            41   Message stream modified
+KRB_AP_ERR_BADORDER            42   Message out of order
+KRB_AP_ERR_BADKEYVER           44   Specified version of key is not available
+KRB_AP_ERR_NOKEY               45   Service key not available
+KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+KRB_AP_ERR_METHOD              48   Alternative authentication method required
+KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in message
+KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in message
+KRB_AP_PATH_NOT_ACCEPTED       51   Policy rejects transited path
+KRB_ERR_RESPONSE_TOO_BIG       52   Response too big for UDP, retry with TCP
+KRB_ERR_GENERIC                60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG          61   Field is too long for this implementation
+KDC_ERROR_CLIENT_NOT_TRUSTED            62 (pkinit)
+KDC_ERROR_KDC_NOT_TRUSTED               63 (pkinit)
+KDC_ERROR_INVALID_SIG                   64 (pkinit)
+KDC_ERR_KEY_TOO_WEAK                    65 (pkinit)
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+KDC_ERR_CERTIFICATE_MISMATCH            66 (pkinit)
+KRB_AP_ERR_NO_TGT                       67 (user-to-user)
+KDC_ERR_WRONG_REALM                     68 (user-to-user)
+KRB_AP_ERR_USER_TO_USER_REQUIRED        69 (user-to-user)
+KDC_ERR_CANT_VERIFY_CERTIFICATE         70 (pkinit)
+KDC_ERR_INVALID_CERTIFICATE             71 (pkinit)
+KDC_ERR_REVOKED_CERTIFICATE             72 (pkinit)
+KDC_ERR_REVOCATION_STATUS_UNKNOWN       73 (pkinit)
+KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74 (pkinit)
+KDC_ERR_CLIENT_NAME_MISMATCH            75 (pkinit)
+KDC_ERR_KDC_NAME_MISMATCH               76 (pkinit)
+
+     9. Interoperability requirements
+
+     Version 5 of the Kerberos protocol supports a myriad of options. Among
+     these are multiple encryption and checksum types, alternative encoding
+     schemes for the transited field, optional mechanisms for
+     pre-authentication, the handling of tickets with no addresses, options
+     for mutual authentication, user to user authentication, support for
+     proxies, forwarding, postdating, and renewing tickets, the format of
+     realm names, and the handling of authorization data.
+
+     In order to ensure the interoperability of realms, it is necessary to
+     define a minimal configuration which must be supported by all
+     implementations. This minimal configuration is subject to change as
+     technology does. For example, if at some later date it is discovered
+     that one of the required encryption or checksum algorithms is not
+     secure, it will be replaced.
+
+     9.1. Specification 2
+
+     This section defines the second specification of these options.
+     Implementations which are configured in this way can be said to support
+     Kerberos Version 5 Specification 2 (5.1). Specification 1 (depricated)
+     may be found in RFC1510.
+
+     Transport
+
+     TCP/IP and UDP/IP transport must be supported by KDCs claiming
+     conformance to specification 2. Kerberos clients claiming conformance
+     to specification 2 must support UDP/IP transport for messages with the
+     KDC and should support TCP/IP transport.
+
+     Encryption and checksum methods
+
+     The following encryption and checksum mechanisms must be supported.
+     Implementations may support other mechanisms as well, but the
+     additional mechanisms may only be used when communicating with
+     principals known to also support them: This list is to be determined.
+
+     Encryption: DES-CBC-MD5, one triple des variant (tbd)
+     Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 (tbd)
+
+     Realm Names
+
+     All implementations must understand hierarchical realms in both the
+     Internet Domain and the X.500 style. When a ticket granting ticket for
+     an unknown realm is requested, the KDC must be able to determine the
+     names of the intermediate realms between the KDCs realm and the
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     requested realm.
+
+     Transited field encoding
+
+     DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
+     Alternative encodings may be supported, but they may be used only when
+     that encoding is supported by ALL intermediate realms.
+
+     Pre-authentication methods
+
+     The TGS-REQ method must be supported. The TGS-REQ method is not used on
+     the initial request. The PA-ENC-TIMESTAMP method must be supported by
+     clients but whether it is enabled by default may be determined on a
+     realm by realm basis. If not used in the initial request and the error
+     KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
+     acceptable method, the client should retry the initial request using
+     the PA-ENC-TIMESTAMP preauthentication method. Servers need not support
+     the PA-ENC-TIMESTAMP method, but if not supported the server should
+     ignore the presence of PA-ENC-TIMESTAMP pre-authentication in a
+     request.
+
+     Mutual authentication
+
+     Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+     Ticket addresses and flags
+
+     All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
+     contains no addresses, the KDC will return derivative tickets), but
+     each realm may set its own policy for issuing such tickets, and each
+     application server will set its own policy with respect to accepting
+     them.
+
+     Proxies and forwarded tickets must be supported. Individual realms and
+     application servers can set their own policy on when such tickets will
+     be accepted.
+
+     All implementations must recognize renewable and postdated tickets, but
+     need not actually implement them. If these options are not supported,
+     the starttime and endtime in the ticket shall specify a ticket's entire
+     useful life. When a postdated ticket is decoded by a server, all
+     implementations shall make the presence of the postdated flag visible
+     to the calling server.
+
+     User-to-user authentication
+
+     Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC
+     option) must be provided by implementations, but individual realms may
+     decide as a matter of policy to reject such requests on a per-principal
+     or realm-wide basis.
+
+     Authorization data
+
+     Implementations must pass all authorization data subfields from
+     ticket-granting tickets to any derivative tickets unless directed to
+     suppress a subfield as part of the definition of that registered
+     subfield type (it is never incorrect to pass on a subfield, and no
+     registered subfield types presently specify suppression at the KDC).
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     Implementations must make the contents of any authorization data
+     subfields available to the server when a ticket is used.
+     Implementations are not required to allow clients to specify the
+     contents of the authorization data fields.
+
+     Constant ranges
+
+     All protocol constants are constrained to 32 bit (signed) values unless
+     further constrained by the protocol definition. This limit is provided
+     to allow implementations to make assumptions about the maximum values
+     that will be received for these constants. Implementation receiving
+     values outside this range may reject the request, but they must recover
+     cleanly.
+
+     9.2. Recommended KDC values
+
+     Following is a list of recommended values for a KDC implementation,
+     based on the list of suggested configuration constants (see section
+     4.4).
+
+     minimum lifetime              5 minutes
+     maximum renewable lifetime    1 week
+     maximum ticket lifetime       1 day
+     empty addresses               only when suitable  restrictions  appear
+                                   in authorization data
+     proxiable, etc.               Allowed.
+
+     10. REFERENCES
+
+     [NT94]    B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+               cation  Service for Computer Networks," IEEE Communica-
+               tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+     [MNSS87]  S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+               Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+               Authorization System, M.I.T. Project Athena, Cambridge,
+               Massachusetts (December 21, 1987).
+
+     [SNS88]   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+               beros:  An Authentication Service for Open Network Sys-
+               tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+               Dallas, Texas (February, 1988).
+
+     [NS78]    Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+               Encryption for Authentication in Large Networks of Com-
+               puters,"  Communications  of  the  ACM,  Vol.   21(12),
+               pp. 993-999 (December, 1978).
+
+     [DS81]    Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+               stamps  in  Key Distribution Protocols," Communications
+               of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+     [KNT92]   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+               "The Evolution of the Kerberos Authentication Service,"
+               in an IEEE Computer Society Text soon to  be  published
+               (June 1992).
+
+     [Neu93]   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+               Accounting  for Distributed Systems," in Proceedings of
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+               the 13th International Conference on  Distributed  Com-
+               puting Systems, Pittsburgh, PA (May, 1993).
+
+     [DS90]    Don Davis and Ralph Swick,  "Workstation  Services  and
+               Kerberos  Authentication  at Project Athena," Technical
+               Memorandum TM-424,  MIT Laboratory for Computer Science
+               (February 1990).
+
+     [LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+               merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+               ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+               sachusetts (1987).
+
+     [X509-88] CCITT, Recommendation X.509: The Directory  Authentica-
+               tion Framework, December 1988.
+
+     [Pat92].  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+               Guessing  Attacks, Open Software Foundation DCE Request
+               for Comments 26 (December 1992).
+
+     [DES77]   National Bureau of Standards, U.S. Department  of  Com-
+               merce,  "Data Encryption Standard," Federal Information
+               Processing Standards Publication  46,   Washington,  DC
+               (1977).
+
+     [DESM80]  National Bureau of Standards, U.S. Department  of  Com-
+               merce,  "DES  Modes  of Operation," Federal Information
+               Processing Standards Publication 81,   Springfield,  VA
+               (December 1980).
+
+     [SG92]    Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+               Integrity  in  Cryptographic Protocols," in Proceedings
+               of the IEEE  Symposium  on  Research  in  Security  and
+               Privacy, Oakland, California (May 1992).
+
+     [IS3309]  International Organization  for  Standardization,  "ISO
+               Information  Processing  Systems - Data Communication -
+               High-Level Data Link Control Procedure -  Frame  Struc-
+               ture," IS 3309 (October 1984).  3rd Edition.
+
+     [MD4-92]  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+               1320,   MIT  Laboratory  for  Computer  Science  (April
+               1992).
+
+     [MD5-92]  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+               1321,   MIT  Laboratory  for  Computer  Science  (April
+               1992).
+
+     [KBC96]   H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+               Hashing  for  Message  Authentication,"  Working  Draft
+               draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+     [Horowitz96] Horowitz, M., "Key Derivation for Authentication,
+               Integrity, and Privacy", draft-horowitz-key-derivation-02.txt,
+               August 1998.
+
+     [HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft-
+               horowitz-kerb-key-derivation-01.txt, September 1998.
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC:
+               Keyed-Hashing for Message Authentication", draft-ietf-ipsec-hmac-
+               md5-01.txt, August, 1996.
+
+     A. Pseudo-code for protocol processing
+
+     This appendix provides pseudo-code describing how the messages are to
+     be constructed and interpreted by clients and servers.
+
+     A.1. KRB_AS_REQ generation
+
+             request.pvno := protocol version; /* pvno = 5 */
+             request.msg-type := message type; /* type = KRB_AS_REQ */
+
+             if(pa_enc_timestamp_required) then
+                     request.padata.padata-type = PA-ENC-TIMESTAMP;
+                     get system_time;
+                     padata-body.patimestamp,pausec = system_time;
+                     encrypt padata-body into request.padata.padata-value
+                             using client.key; /* derived from password */
+             endif
+
+             body.kdc-options := users's preferences;
+             body.cname := user's name;
+             body.realm := user's realm;
+             body.sname := service's name; /* usually "krbtgt", 
+                                              "localrealm" */
+
+             if (body.kdc-options.POSTDATED is set) then
+                     body.from := requested starting time;
+             else
+                     omit body.from;
+             endif
+             body.till := requested end time;
+             if (body.kdc-options.RENEWABLE is set) then
+                     body.rtime := requested final renewal time;
+             endif
+             body.nonce := random_nonce();
+             body.etype := requested etypes;
+             if (user supplied addresses) then
+                     body.addresses := user's addresses;
+             else
+                     omit body.addresses;
+             endif
+             omit body.enc-authorization-data;
+             request.req-body := body;
+
+             kerberos := lookup(name of local kerberos server (or servers));
+             send(packet,kerberos);
+
+             wait(for response);
+             if (timed_out) then
+                     retry or use alternate server;
+             endif
+
+     A.2. KRB_AS_REQ verification and KRB_AS_REP generation
+
+             decode message into req;
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             client := lookup(req.cname,req.realm);
+             server := lookup(req.sname,req.realm);
+
+             get system_time;
+             kdc_time := system_time.seconds;
+
+             if (!client) then
+                     /* no client in Database */
+                     error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+             endif
+             if (!server) then
+                     /* no server in Database */
+                     error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+             endif
+
+             if(client.pa_enc_timestamp_required and
+                pa_enc_timestamp not present) then
+                     error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+             endif
+
+             if(pa_enc_timestamp present) then
+                     decrypt req.padata-value into decrypted_enc_timestamp
+                             using client.key;
+                             using auth_hdr.authenticator.subkey;
+                     if (decrypt_error()) then
+                             error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                     if(decrypted_enc_timestamp is not within allowable skew) 
+                         then
+                             error_out(KDC_ERR_PREAUTH_FAILED);
+                     endif
+                     if(decrypted_enc_timestamp and usec is replay)
+                             error_out(KDC_ERR_PREAUTH_FAILED);
+                     endif
+                     add decrypted_enc_timestamp and usec to replay cache;
+             endif
+
+             use_etype := first supported etype in req.etypes;
+
+             if (no support for req.etypes) then
+                     error_out(KDC_ERR_ETYPE_NOSUPP);
+             endif
+
+             new_tkt.vno := ticket version; /* = 5 */
+             new_tkt.sname := req.sname;
+             new_tkt.srealm := req.srealm;
+             reset all flags in new_tkt.flags;
+
+             /* It should be noted that local policy may affect the  */
+             /* processing of any of these flags.  For example, some */
+             /* realms may refuse to issue renewable tickets         */
+
+             if (req.kdc-options.FORWARDABLE is set) then
+                     set new_tkt.flags.FORWARDABLE;
+             endif
+             if (req.kdc-options.PROXIABLE is set) then
+                     set new_tkt.flags.PROXIABLE;
+             endif
+
+             if (req.kdc-options.ALLOW-POSTDATE is set) then
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                     set new_tkt.flags.MAY-POSTDATE;
+             endif
+             if ((req.kdc-options.RENEW is set) or
+                 (req.kdc-options.VALIDATE is set) or
+                 (req.kdc-options.PROXY is set) or
+                 (req.kdc-options.FORWARDED is set) or
+                 (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                     error_out(KDC_ERR_BADOPTION);
+             endif
+
+             new_tkt.session := random_session_key();
+             new_tkt.cname := req.cname;
+             new_tkt.crealm := req.crealm;
+             new_tkt.transited := empty_transited_field();
+
+             new_tkt.authtime := kdc_time;
+
+             if (req.kdc-options.POSTDATED is set) then
+                if (against_postdate_policy(req.from)) then
+                     error_out(KDC_ERR_POLICY);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                new_tkt.starttime := req.from;
+             else
+                omit new_tkt.starttime; /* treated as authtime when omitted */
+             endif
+             if (req.till = 0) then
+                     till := infinity;
+             else
+                     till := req.till;
+             endif
+
+             new_tkt.endtime := min(till,
+                                   new_tkt.starttime+client.max_life,
+                                   new_tkt.starttime+server.max_life,
+                                   new_tkt.starttime+max_life_for_realm);
+
+             if ((req.kdc-options.RENEWABLE-OK is set) and
+                 (new_tkt.endtime < req.till)) then
+                     /* we set the RENEWABLE option for later processing */
+                     set req.kdc-options.RENEWABLE;
+                     req.rtime := req.till;
+             endif
+
+             if (req.rtime = 0) then
+                     rtime := infinity;
+             else
+                     rtime := req.rtime;
+             endif
+
+             if (req.kdc-options.RENEWABLE is set) then
+                     set new_tkt.flags.RENEWABLE;
+                     new_tkt.renew-till := min(rtime,
+                                     new_tkt.starttime+client.max_rlife,
+                                     new_tkt.starttime+server.max_rlife,
+                                     new_tkt.starttime+max_rlife_for_realm);
+             else
+                     omit new_tkt.renew-till; /* only present if RENEWABLE */
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             endif
+
+             if (req.addresses) then
+                     new_tkt.caddr := req.addresses;
+             else
+                     omit new_tkt.caddr;
+             endif
+
+             new_tkt.authorization_data := empty_authorization_data();
+
+             encode to-be-encrypted part of ticket into OCTET STRING;
+             new_tkt.enc-part := encrypt OCTET STRING
+                  using etype_for_key(server.key), server.key, server.p_kvno;
+
+             /* Start processing the response */
+
+             resp.pvno := 5;
+             resp.msg-type := KRB_AS_REP;
+             resp.cname := req.cname;
+             resp.crealm := req.realm;
+             resp.ticket := new_tkt;
+
+             resp.key := new_tkt.session;
+             resp.last-req := fetch_last_request_info(client);
+             resp.nonce := req.nonce;
+             resp.key-expiration := client.expiration;
+             resp.flags := new_tkt.flags;
+
+             resp.authtime := new_tkt.authtime;
+             resp.starttime := new_tkt.starttime;
+             resp.endtime := new_tkt.endtime;
+
+             if (new_tkt.flags.RENEWABLE) then
+                     resp.renew-till := new_tkt.renew-till;
+             endif
+
+             resp.realm := new_tkt.realm;
+             resp.sname := new_tkt.sname;
+
+             resp.caddr := new_tkt.caddr;
+
+             encode body of reply into OCTET STRING;
+
+             resp.enc-part := encrypt OCTET STRING
+                              using use_etype, client.key, client.p_kvno;
+             send(resp);
+
+     A.3. KRB_AS_REP verification
+
+             decode response into resp;
+
+             if (resp.msg-type = KRB_ERROR) then
+                  if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP)) then
+                             set pa_enc_timestamp_required;
+                             goto KRB_AS_REQ;
+                     endif
+                     process_error(resp);
+                     return;
+             endif
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+
+             /* On error, discard the response, and zero the session key */
+             /* from the response immediately */
+
+             key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                      resp.padata);
+             unencrypted part of resp := decode of decrypt of resp.enc-part
+                                     using resp.enc-part.etype and key;
+             zero(key);
+
+             if (common_as_rep_tgs_rep_checks fail) then
+                     destroy resp.key;
+                     return error;
+             endif
+
+             if near(resp.princ_exp) then
+                     print(warning message);
+             endif
+             save_for_later(ticket,session,client,server,times,flags);
+
+     A.4. KRB_AS_REP and KRB_TGS_REP common checks
+
+             if (decryption_error() or
+                 (req.cname != resp.cname) or
+                 (req.realm != resp.crealm) or
+                 (req.sname != resp.sname) or
+                 (req.realm != resp.realm) or
+                 (req.nonce != resp.nonce) or
+                 (req.addresses != resp.caddr)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+      /* make sure no flags are set that shouldn't be, and that all that */
+      /* should be are set                                               */
+         if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+             if ((req.from = 0) and
+                 (resp.starttime is not within allowable skew)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_SKEW;
+             endif
+             if ((req.from != 0) and (req.from != resp.starttime)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+             if ((req.till != 0) and (resp.endtime > req.till)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+             if ((req.kdc-options.RENEWABLE is set) and
+                 (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             if ((req.kdc-options.RENEWABLE-OK is set) and
+                 (resp.flags.RENEWABLE) and
+                 (req.till != 0) and
+                 (resp.renew-till > req.till)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+     A.5. KRB_TGS_REQ generation
+
+       /* Note that make_application_request might have to recursivly     */
+       /* call this routine to get the appropriate ticket-granting ticket */
+
+             request.pvno := protocol version; /* pvno = 5 */
+             request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+             body.kdc-options := users's preferences;
+             /* If the TGT is not for the realm of the end-server  */
+             /* then the sname will be for a TGT for the end-realm */
+             /* and the realm of the requested ticket (body.realm) */
+             /* will be that of the TGS to which the TGT we are    */
+             /* sending applies                                    */
+             body.sname := service's name;
+             body.realm := service's realm;
+
+             if (body.kdc-options.POSTDATED is set) then
+                     body.from := requested starting time;
+             else
+                     omit body.from;
+             endif
+             body.till := requested end time;
+             if (body.kdc-options.RENEWABLE is set) then
+                     body.rtime := requested final renewal time;
+             endif
+             body.nonce := random_nonce();
+             body.etype := requested etypes;
+             if (user supplied addresses) then
+                     body.addresses := user's addresses;
+             else
+                     omit body.addresses;
+             endif
+
+             body.enc-authorization-data := user-supplied data;
+             if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                     body.additional-tickets_ticket := second TGT;
+             endif
+
+             request.req-body := body;
+             check := generate_checksum (req.body,checksumtype);
+
+             request.padata[0].padata-type := PA-TGS-REQ;
+             request.padata[0].padata-value := create a KRB_AP_REQ using
+                                           the TGT and checksum
+
+             /* add in any other padata as required/supplied */
+
+             kerberos := lookup(name of local kerberose server (or servers));
+             send(packet,kerberos);
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             wait(for response);
+             if (timed_out) then
+                     retry or use alternate server;
+             endif
+
+     A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
+
+             /* note that reading the application request requires first
+             determining the server for which a ticket was issued, and
+             choosing the correct key for decryption.  The name of the
+             server appears in the plaintext part of the ticket. */
+
+             if (no KRB_AP_REQ in req.padata) then
+                     error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+             endif
+             verify KRB_AP_REQ in req.padata;
+
+             /* Note that the realm in which the Kerberos server is
+             operating is determined by the instance from the
+             ticket-granting ticket.  The realm in the ticket-granting
+             ticket is the realm under which the ticket granting
+             ticket was issued.  It is possible for a single Kerberos 
+             server to support more than one realm. */
+
+             auth_hdr := KRB_AP_REQ;
+             tgt := auth_hdr.ticket;
+
+             if (tgt.sname is not a TGT for local realm and is not req.sname) 
+                   then
+                     error_out(KRB_AP_ERR_NOT_US);
+
+             realm := realm_tgt_is_for(tgt);
+
+             decode remainder of request;
+
+             if (auth_hdr.authenticator.cksum is missing) then
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+
+             if (auth_hdr.authenticator.cksum type is not supported) then
+                     error_out(KDC_ERR_SUMTYPE_NOSUPP);
+             endif
+             if (auth_hdr.authenticator.cksum is not both collision-proof 
+                 and keyed) then
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+
+             set computed_checksum := checksum(req);
+             if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+             server := lookup(req.sname,realm);
+
+             if (!server) then
+                     if (is_foreign_tgt_name(req.sname)) then
+                             server := best_intermediate_tgs(req.sname);
+                     else
+                             /* no server in Database */
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                             error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                     endif
+             endif
+
+             session := generate_random_session_key();
+
+             use_etype := first supported etype in req.etypes;
+
+             if (no support for req.etypes) then
+                     error_out(KDC_ERR_ETYPE_NOSUPP);
+             endif
+
+             new_tkt.vno := ticket version; /* = 5 */
+             new_tkt.sname := req.sname;
+             new_tkt.srealm := realm;
+             reset all flags in new_tkt.flags;
+
+             /* It should be noted that local policy may affect the  */
+             /* processing of any of these flags.  For example, some */
+             /* realms may refuse to issue renewable tickets         */
+
+             new_tkt.caddr := tgt.caddr;
+             resp.caddr := NULL; /* We only include this if they change */
+             if (req.kdc-options.FORWARDABLE is set) then
+                     if (tgt.flags.FORWARDABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.FORWARDABLE;
+             endif
+             if (req.kdc-options.FORWARDED is set) then
+                     if (tgt.flags.FORWARDABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.FORWARDED;
+                     new_tkt.caddr := req.addresses;
+                     resp.caddr := req.addresses;
+             endif
+             if (tgt.flags.FORWARDED is set) then
+                     set new_tkt.flags.FORWARDED;
+             endif
+
+             if (req.kdc-options.PROXIABLE is set) then
+                     if (tgt.flags.PROXIABLE is reset)
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.PROXIABLE;
+             endif
+             if (req.kdc-options.PROXY is set) then
+                     if (tgt.flags.PROXIABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.PROXY;
+                     new_tkt.caddr := req.addresses;
+                     resp.caddr := req.addresses;
+             endif
+
+             if (req.kdc-options.ALLOW-POSTDATE is set) then
+                     if (tgt.flags.MAY-POSTDATE is reset)
+                             error_out(KDC_ERR_BADOPTION);
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                     endif
+                     set new_tkt.flags.MAY-POSTDATE;
+             endif
+             if (req.kdc-options.POSTDATED is set) then
+                     if (tgt.flags.MAY-POSTDATE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.POSTDATED;
+                     set new_tkt.flags.INVALID;
+                     if (against_postdate_policy(req.from)) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+                     new_tkt.starttime := req.from;
+             endif
+
+             if (req.kdc-options.VALIDATE is set) then
+                     if (tgt.flags.INVALID is reset) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+                     if (tgt.starttime > kdc_time) then
+                             error_out(KRB_AP_ERR_NYV);
+                     endif
+                     if (check_hot_list(tgt)) then
+                             error_out(KRB_AP_ERR_REPEAT);
+                     endif
+                     tkt := tgt;
+                     reset new_tkt.flags.INVALID;
+             endif
+
+             if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                                  and those already processed) is set) then
+                     error_out(KDC_ERR_BADOPTION);
+             endif
+
+             new_tkt.authtime := tgt.authtime;
+
+             if (req.kdc-options.RENEW is set) then
+      /* Note that if the endtime has already passed, the ticket would  */
+      /* have been rejected in the initial authentication stage, so     */
+      /* there is no need to check again here                           */
+                     if (tgt.flags.RENEWABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     if (tgt.renew-till < kdc_time) then
+                             error_out(KRB_AP_ERR_TKT_EXPIRED);
+                     endif
+                     tkt := tgt;
+                     new_tkt.starttime := kdc_time;
+                     old_life := tgt.endttime - tgt.starttime;
+                     new_tkt.endtime := min(tgt.renew-till,
+                                            new_tkt.starttime + old_life);
+             else
+                     new_tkt.starttime := kdc_time;
+                     if (req.till = 0) then
+                             till := infinity;
+                     else
+                             till := req.till;
+                     endif
+                     new_tkt.endtime := min(till,
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                            new_tkt.starttime+client.max_life,
+                                            new_tkt.starttime+server.max_life,
+                                            new_tkt.starttime+max_life_for_realm,
+                                            tgt.endtime);
+
+                     if ((req.kdc-options.RENEWABLE-OK is set) and
+                         (new_tkt.endtime < req.till) and
+                         (tgt.flags.RENEWABLE is set) then
+                             /* we set the RENEWABLE option for later processing */
+                             set req.kdc-options.RENEWABLE;
+                             req.rtime := min(req.till, tgt.renew-till);
+                     endif
+             endif
+
+             if (req.rtime = 0) then
+                     rtime := infinity;
+             else
+                     rtime := req.rtime;
+             endif
+
+             if ((req.kdc-options.RENEWABLE is set) and
+                 (tgt.flags.RENEWABLE is set)) then
+                     set new_tkt.flags.RENEWABLE;
+                     new_tkt.renew-till := min(rtime,
+                                       new_tkt.starttime+client.max_rlife,
+                                       new_tkt.starttime+server.max_rlife,
+                                       new_tkt.starttime+max_rlife_for_realm,
+                                       tgt.renew-till);
+             else
+                     new_tkt.renew-till := OMIT; /* leave the
+                                                   renew-till field out */ 
+             endif
+             if (req.enc-authorization-data is present) then
+                     decrypt req.enc-authorization-data into
+                                  decrypted_authorization_data
+                             using auth_hdr.authenticator.subkey;
+                     if (decrypt_error()) then
+                             error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                     endif
+             endif
+             new_tkt.authorization_data :=
+                     req.auth_hdr.ticket.authorization_data + 
+                                      decrypted_authorization_data;
+
+             new_tkt.key := session;
+             new_tkt.crealm := tgt.crealm;
+             new_tkt.cname := req.auth_hdr.ticket.cname;
+
+             if (realm_tgt_is_for(tgt) := tgt.realm) then
+                     /* tgt issued by local realm */
+                     new_tkt.transited := tgt.transited;
+             else
+                     /* was issued for this realm by some other realm */
+                     if (tgt.transited.tr-type not supported) then
+                             error_out(KDC_ERR_TRTYPE_NOSUPP);
+                     endif
+                     new_tkt.transited :=
+                         compress_transited(tgt.transited + tgt.realm) 
+                     /* Don't check tranited field if TGT for foreign realm,
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                      * or requested not to check */
+                     if (is_not_foreign_tgt_name(new_tkt.server)
+                        && req.kdc-options.DISABLE-TRANSITED-CHECK not
+                             set) then 
+                          /* Check it, so end-server does not have to
+                           * but don't fail, end-server may still accept it */
+                          if (check_transited_field(new_tkt.transited) == OK)
+                                   set new_tkt.flags.TRANSITED-POLICY-CHECKED;
+                             endif
+                     endif
+             endif
+
+             encode encrypted part of new_tkt into OCTET STRING;
+             if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                     if (server not specified) then
+                             server = req.second_ticket.client;
+                     endif
+                     if ((req.second_ticket is not a TGT) or
+                         (req.second_ticket.client != server)) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+
+                     new_tkt.enc-part := encrypt OCTET STRING using
+                             using etype_for_key(second-ticket.key),
+                             second-ticket.key; 
+             else
+                     new_tkt.enc-part := encrypt OCTET STRING
+                             using etype_for_key(server.key),
+                             server.key, server.p_kvno; 
+             endif
+
+             resp.pvno := 5;
+             resp.msg-type := KRB_TGS_REP;
+             resp.crealm := tgt.crealm;
+             resp.cname := tgt.cname;
+             resp.ticket := new_tkt;
+
+             resp.key := session;
+             resp.nonce := req.nonce;
+             resp.last-req := fetch_last_request_info(client);
+             resp.flags := new_tkt.flags;
+
+             resp.authtime := new_tkt.authtime;
+             resp.starttime := new_tkt.starttime;
+             resp.endtime := new_tkt.endtime;
+
+             omit resp.key-expiration;
+
+             resp.sname := new_tkt.sname;
+             resp.realm := new_tkt.realm;
+
+             if (new_tkt.flags.RENEWABLE) then
+                     resp.renew-till := new_tkt.renew-till;
+             endif
+
+             encode body of reply into OCTET STRING;
+
+             if (req.padata.authenticator.subkey)
+                     resp.enc-part := encrypt OCTET STRING using use_etype,
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                             req.padata.authenticator.subkey;
+             else resp.enc-part := encrypt OCTET STRING using
+                                         use_etype, tgt.key; 
+
+             send(resp);
+
+     A.7. KRB_TGS_REP verification
+
+             decode response into resp;
+
+             if (resp.msg-type = KRB_ERROR) then
+                     process_error(resp);
+                     return;
+             endif
+
+             /* On error, discard the response, and zero the session key from
+             the response immediately */
+
+             if (req.padata.authenticator.subkey)
+                     unencrypted part of resp := decode of decrypt of
+                             resp.enc-part 
+                             using resp.enc-part.etype and subkey;
+             else unencrypted part of resp := decode of decrypt of
+                              resp.enc-part 
+                                     using resp.enc-part.etype and
+                                      tgt's session key; 
+             if (common_as_rep_tgs_rep_checks fail) then
+                     destroy resp.key;
+                     return error;
+             endif
+
+             check authorization_data as necessary;
+             save_for_later(ticket,session,client,server,times,flags);
+
+     A.8. Authenticator generation
+
+             body.authenticator-vno := authenticator vno; /* = 5 */
+             body.cname, body.crealm := client name;
+             if (supplying checksum) then
+                     body.cksum := checksum;
+             endif
+             get system_time;
+             body.ctime, body.cusec := system_time;
+             if (selecting sub-session key) then
+                     select sub-session key;
+                     body.subkey := sub-session key;
+             endif
+             if (using sequence numbers) then
+                     select initial sequence number;
+                     body.seq-number := initial sequence;
+             endif
+
+     A.9. KRB_AP_REQ generation
+
+             obtain ticket and session_key from cache;
+
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_AP_REQ */
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             if (desired(MUTUAL_AUTHENTICATION)) then
+                     set packet.ap-options.MUTUAL-REQUIRED;
+             else
+                     reset packet.ap-options.MUTUAL-REQUIRED;
+             endif
+             if (using session key for ticket) then
+                     set packet.ap-options.USE-SESSION-KEY;
+             else
+                     reset packet.ap-options.USE-SESSION-KEY;
+             endif
+             packet.ticket := ticket; /* ticket */
+             generate authenticator;
+             encode authenticator into OCTET STRING;
+             encrypt OCTET STRING into packet.authenticator using session_key;
+
+     A.10. KRB_AP_REQ verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_AP_REQ) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             if (packet.ticket.tkt_vno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.ap_options.USE-SESSION-KEY is set) then
+                     retrieve session key from ticket-granting ticket for
+                      packet.ticket.{sname,srealm,enc-part.etype};
+             else
+                     retrieve service key for
+                   packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; 
+             endif
+             if (no_key_available) then
+                     if (cannot_find_specified_skvno) then
+                             error_out(KRB_AP_ERR_BADKEYVER);
+                     else
+                             error_out(KRB_AP_ERR_NOKEY);
+                     endif
+             endif
+             decrypt packet.ticket.enc-part into decr_ticket using
+                      retrieved key; 
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             decrypt packet.authenticator into decr_authenticator
+                     using decr_ticket.key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if (decr_authenticator.{cname,crealm} !=
+                 decr_ticket.{cname,crealm}) then
+                     error_out(KRB_AP_ERR_BADMATCH);
+             endif
+             if (decr_ticket.caddr is present) then
+                     if (sender_address(packet) is not in
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                                    decr_ticket.caddr) then 
+                             error_out(KRB_AP_ERR_BADADDR);
+                     endif
+             elseif (application requires addresses) then
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (not in_clock_skew(decr_authenticator.ctime,
+                                   decr_authenticator.cusec)) then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+             if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+             save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+             get system_time;
+             if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+                 (decr_ticket.flags.INVALID is set)) then
+                     /* it hasn't yet become valid */
+                     error_out(KRB_AP_ERR_TKT_NYV);
+             endif
+             if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                     error_out(KRB_AP_ERR_TKT_EXPIRED);
+             endif
+             if (decr_ticket.transited) then
+                 /* caller may ignore the TRANSITED-POLICY-CHECKED and do
+                  * check anyway */
+                 if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set) then
+                      if (check_transited_field(decr_ticket.transited) then
+                           error_out(KDC_AP_PATH_NOT_ACCPETED);
+                      endif
+                 endif
+             endif
+           /* caller must check decr_ticket.flags for any pertinent details */
+           return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+     A.11. KRB_AP_REP generation
+
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_AP_REP */
+
+             body.ctime := packet.ctime;
+             body.cusec := packet.cusec;
+             if (selecting sub-session key) then
+                     select sub-session key;
+                     body.subkey := sub-session key;
+             endif
+             if (using sequence numbers) then
+                     select initial sequence number;
+                     body.seq-number := initial sequence;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part;
+
+     A.12. KRB_AP_REP verification
+
+             receive packet;
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_AP_REP) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             cleartext := decrypt(packet.enc-part) using ticket's session key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if (cleartext.ctime != authenticator.ctime) then
+                     error_out(KRB_AP_ERR_MUT_FAIL);
+             endif
+             if (cleartext.cusec != authenticator.cusec) then
+                     error_out(KRB_AP_ERR_MUT_FAIL);
+             endif
+             if (cleartext.subkey is present) then
+                     save cleartext.subkey for future use;
+             endif
+             if (cleartext.seq-number is present) then
+                     save cleartext.seq-number for future verifications;
+             endif
+             return(AUTHENTICATION_SUCCEEDED);
+
+     A.13. KRB_SAFE generation
+
+             collect user data in buffer;
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_SAFE */
+
+             body.user-data := buffer; /* DATA */
+             if (using timestamp) then
+                     get system_time;
+                     body.timestamp, body.usec := system_time;
+             endif
+             if (using sequence numbers) then
+                     body.seq-number := sequence number;
+             endif
+             body.s-address := sender host addresses;
+             if (only one recipient) then
+                     body.r-address := recipient host address;
+             endif
+             checksum.cksumtype := checksum type;
+             compute checksum over body;
+             checksum.checksum := checksum value; /* checksum.checksum */
+             packet.cksum := checksum;
+             packet.safe-body := body;
+
+     A.14. KRB_SAFE verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_SAFE) then
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             if (packet.checksum.cksumtype is not both collision-proof
+                 and keyed) then 
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+             if (safe_priv_common_checks_ok(packet)) then
+                     set computed_checksum := checksum(packet.body);
+                     if (computed_checksum != packet.checksum) then
+                             error_out(KRB_AP_ERR_MODIFIED);
+                     endif
+                     return (packet, PACKET_IS_GENUINE);
+             else
+                     return common_checks_error;
+             endif
+
+     A.15. KRB_SAFE and KRB_PRIV common checks
+
+             if (packet.s-address != O/S_sender(packet)) then
+                     /* O/S report of sender not who claims to have sent it */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if ((packet.r-address is present) and
+                 (packet.r-address != local_host_address)) then
+                     /* was not sent to proper place */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (((packet.timestamp is present) and
+                  (not in_clock_skew(packet.timestamp,packet.usec))) or
+                 (packet.timestamp is not present and timestamp expected)) then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+             if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+
+             if (((packet.seq-number is present) and
+                  ((not in_sequence(packet.seq-number)))) or
+                 (packet.seq-number is not present and sequence expected)) then
+                     error_out(KRB_AP_ERR_BADORDER);
+             endif
+             if (packet.timestamp not present and packet.seq-number
+                   not present) then 
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+             save_identifier(packet.{timestamp,usec,s-address},
+                             sender_principal(packet));
+
+             return PACKET_IS_OK;
+
+     A.16. KRB_PRIV generation
+
+             collect user data in buffer;
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_PRIV */
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             packet.enc-part.etype := encryption type;
+
+             body.user-data := buffer;
+             if (using timestamp) then
+                     get system_time;
+                     body.timestamp, body.usec := system_time;
+             endif
+             if (using sequence numbers) then
+                     body.seq-number := sequence number;
+             endif
+             body.s-address := sender host addresses;
+             if (only one recipient) then
+                     body.r-address := recipient host address;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part.cipher;
+
+     A.17. KRB_PRIV verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_PRIV) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+
+             cleartext := decrypt(packet.enc-part) using negotiated key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+
+             if (safe_priv_common_checks_ok(cleartext)) then
+                     return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+             else
+                     return common_checks_error;
+             endif
+
+     A.18. KRB_CRED generation
+
+             invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_CRED */
+
+             for (tickets[n] in tickets to be forwarded) do
+                     packet.tickets[n] = tickets[n].ticket;
+             done
+
+             packet.enc-part.etype := encryption type;
+
+             for (ticket[n] in tickets to be forwarded) do
+                     body.ticket-info[n].key = tickets[n].session;
+                     body.ticket-info[n].prealm = tickets[n].crealm;
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+                     body.ticket-info[n].pname = tickets[n].cname;
+                     body.ticket-info[n].flags = tickets[n].flags;
+                     body.ticket-info[n].authtime = tickets[n].authtime;
+                     body.ticket-info[n].starttime = tickets[n].starttime;
+                     body.ticket-info[n].endtime = tickets[n].endtime;
+                     body.ticket-info[n].renew-till = tickets[n].renew-till;
+                     body.ticket-info[n].srealm = tickets[n].srealm;
+                     body.ticket-info[n].sname = tickets[n].sname;
+                     body.ticket-info[n].caddr = tickets[n].caddr;
+             done
+
+             get system_time;
+             body.timestamp, body.usec := system_time;
+
+             if (using nonce) then
+                     body.nonce := nonce;
+             endif
+
+             if (using s-address) then
+                     body.s-address := sender host addresses;
+             endif
+             if (limited recipients) then
+                     body.r-address := recipient host address;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part.cipher
+                    using negotiated encryption key;
+
+     A.19. KRB_CRED verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_CRED) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+
+             cleartext := decrypt(packet.enc-part) using negotiated key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if ((packet.r-address is present or required) and
+                (packet.s-address != O/S_sender(packet)) then
+                     /* O/S report of sender not who claims to have sent it */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if ((packet.r-address is present) and
+                 (packet.r-address != local_host_address)) then
+                     /* was not sent to proper place */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+             if (repeated(packet.timestamp,packet.usec,packet.s-address)) then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+             if (packet.nonce is required or present) and
+                (packet.nonce != expected-nonce) then
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+             for (ticket[n] in tickets that were forwarded) do
+                     save_for_later(ticket[n],key[n],principal[n],
+                                    server[n],times[n],flags[n]);
+             return
+
+     A.20. KRB_ERROR generation
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_ERROR */
+
+             get system_time;
+             packet.stime, packet.susec := system_time;
+             packet.realm, packet.sname := server name;
+
+             if (client time available) then
+                     packet.ctime, packet.cusec := client_time;
+             endif
+             packet.error-code := error code;
+             if (client name available) then
+                     packet.cname, packet.crealm := client name;
+             endif
+             if (error text available) then
+                     packet.e-text := error text;
+             endif
+             if (error data available) then
+                     packet.e-data := error data;
+             endif
+
+     B. Definition of common authorization data elements
+
+     This appendix contains the definitions of common authorization data
+     elements. These common authorization data elements are recursivly
+     defined, meaning the ad-data for these types will itself contain a
+     sequence of authorization data whose interpretation is affected by the
+     encapsulating element. Depending on the meaning of the encapsulating
+     element, the encapsulated elements may be ignored, might be interpreted
+     as issued directly by the KDC, or they might be stored in a separate
+     plaintext part of the ticket. The types of the encapsulating elements
+     are specified as part of the Kerberos specification because the
+     behavior based on these values should be understood across
+     implementations whereas other elements need only be understood by the
+     applications which they affect.
+
+     In the definitions that follow, the value of the ad-type for the
+     element will be specified in the subsection number, and the value of
+     the ad-data will be as shown in the ASN.1 structure that follows the
+     subsection heading.
+
+     B.1. If relevant
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     AD-IF-RELEVANT   AuthorizationData
+
+     AD elements encapsulated within the if-relevant element are intended
+     for interpretation only by application servers that understand the
+     particular ad-type of the embedded element. Application servers that do
+     not understand the type of an element embedded within the if-relevant
+     element may ignore the uninterpretable element. This element promotes
+     interoperability across implementations which may have local extensions
+     for authorization.
+
+     B.2. Intended for server
+
+     AD-INTENDED-FOR-SERVER   SEQUENCE {
+              intended-server[0]     SEQUENCE OF PrincipalName
+              elements[1]            AuthorizationData
+     }
+
+     AD elements encapsulated within the intended-for-server element may be
+     ignored if the application server is not in the list of principal names
+     of intended servers. Further, a KDC issuing a ticket for an application
+     server can remove this element if the application server is not in the
+     list of intended servers.
+
+     Application servers should check for their principal name in the
+     intended-server field of this element. If their principal name is not
+     found, this element should be ignored. If found, then the encapsulated
+     elements should be evaluated in the same manner as if they were present
+     in the top level authorization data field. Applications and application
+     servers that do not implement this element should reject tickets that
+     contain authorization data elements of this type.
+
+     B.3. Intended for application class
+
+     AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE {
+     intended-application-class[0] SEQUENCE OF GeneralString elements[1]
+     AuthorizationData } AD elements encapsulated within the
+     intended-for-application-class element may be ignored if the
+     application server is not in one of the named classes of application
+     servers. Examples of application server classes include "FILESYSTEM",
+     and other kinds of servers.
+
+     This element and the elements it encapulates may be safely ignored by
+     applications, application servers, and KDCs that do not implement this
+     element.
+
+     B.4. KDC Issued
+
+     AD-KDCIssued   SEQUENCE {
+                    ad-checksum[0]    Checksum,
+                     i-realm[1]       Realm OPTIONAL,
+                     i-sname[2]       PrincipalName OPTIONAL,
+                    elements[3]       AuthorizationData.
+     }
+
+     ad-checksum
+          A checksum over the elements field using a cryptographic checksum
+          method that is identical to the checksum used to protect the
+          ticket itself (i.e. using the same hash function and the same
+          encryption algorithm used to encrypt the ticket) and using a key
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+          derived from the same key used to protect the ticket.
+     i-realm, i-sname
+          The name of the issuing principal if different from the KDC
+          itself. This field would be used when the KDC can verify the
+          authenticity of elements signed by the issuing principal and it
+          allows this KDC to notify the application server of the validity
+          of those elements.
+     elements
+          A sequence of authorization data elements issued by the KDC.
+     The KDC-issued ad-data field is intended to provide a means for
+     Kerberos principal credentials to embed within themselves privilege
+     attributes and other mechanisms for positive authorization, amplifying
+     the priveleges of the principal beyond what can be done using a
+     credentials without such an a-data element.
+
+     This can not be provided without this element because the definition of
+     the authorization-data field allows elements to be added at will by the
+     bearer of a TGT at the time that they request service tickets and
+     elements may also be added to a delegated ticket by inclusion in the
+     authenticator.
+
+     For KDC-issued elements this is prevented because the elements are
+     signed by the KDC by including a checksum encrypted using the server's
+     key (the same key used to encrypt the ticket - or a key derived from
+     that key). Elements encapsulated with in the KDC-issued element will be
+     ignored by the application server if this "signature" is not present.
+     Further, elements encapsulated within this element from a ticket
+     granting ticket may be interpreted by the KDC, and used as a basis
+     according to policy for including new signed elements within derivative
+     tickets, but they will not be copied to a derivative ticket directly.
+     If they are copied directly to a derivative ticket by a KDC that is not
+     aware of this element, the signature will not be correct for the
+     application ticket elements, and the field will be ignored by the
+     application server.
+
+     This element and the elements it encapulates may be safely ignored by
+     applications, application servers, and KDCs that do not implement this
+     element.
+
+     B.5. And-Or
+
+     AD-AND-OR           SEQUENCE {
+                             condition-count[0]    INTEGER,
+                             elements[1]           AuthorizationData
+     }
+
+     When restrictive AD elements encapsulated within the and-or element are
+     encountered, only the number specified in condition-count of the
+     encapsulated conditions must be met in order to satisfy this element.
+     This element may be used to implement an "or" operation by setting the
+     condition-count field to 1, and it may specify an "and" operation by
+     setting the condition count to the number of embedded elements.
+     Application servers that do not implement this element must reject
+     tickets that contain authorization data elements of this type.
+
+     B.6. Mandatory ticket extensions
+
+     AD-Mandatory-Ticket-Extensions   Checksum
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     An authorization data element of type mandatory-ticket-extensions
+     specifies a collision-proof checksum using the same hash algorithm used
+     to protect the integrity of the ticket itself. This checksum will be
+     calculated over an individual extension field. If there are more than
+     one extension, multiple Mandatory-Ticket-Extensions authorization data
+     elements may be present, each with a checksum for a different extension
+     field. This restriction indicates that the ticket should not be
+     accepted if a ticket extension is not present in the ticket for which
+     the checksum does not match that checksum specified in the
+     authorization data element. Application servers that do not implement
+     this element must reject tickets that contain authorization data
+     elements of this type.
+
+     B.7. Authorization Data in ticket extensions
+
+     AD-IN-Ticket-Extensions   Checksum
+
+     An authorization data element of type in-ticket-extensions specifies a
+     collision-proof checksum using the same hash algorithm used to protect
+     the integrity of the ticket itself. This checksum is calculated over a
+     separate external AuthorizationData field carried in the ticket
+     extensions. Application servers that do not implement this element must
+     reject tickets that contain authorization data elements of this type.
+     Application servers that do implement this element will search the
+     ticket extensions for authorization data fields, calculate the
+     specified checksum over each authorization data field and look for one
+     matching the checksum in this in-ticket-extensions element. If not
+     found, then the ticket must be rejected. If found, the corresponding
+     authorization data elements will be interpreted in the same manner as
+     if they were contained in the top level authorization data field.
+
+     Note that if multiple external authorization data fields are present in
+     a ticket, each will have a corresponding element of type
+     in-ticket-extensions in the top level authorization data field, and the
+     external entries will be linked to the corresponding element by their
+     checksums.
+
+     C. Definition of common ticket extensions
+
+     This appendix contains the definitions of common ticket extensions.
+     Support for these extensions is optional. However, certain extensions
+     have associated authorization data elements that may require rejection
+     of a ticket containing an extension by application servers that do not
+     implement the particular extension. Other extensions have been defined
+     beyond those described in this specification. Such extensions are
+     described elswhere and for some of those extensions the reserved number
+     may be found in the list of constants.
+
+     It is known that older versions of Kerberos did not support this field,
+     and that some clients will strip this field from a ticket when they
+     parse and then reassemble a ticket as it is passed to the application
+     servers. The presence of the extension will not break such clients, but
+     any functionaly dependent on the extensions will not work when such
+     tickets are handled by old clients. In such situations, some
+     implementation may use alternate methods to transmit the information in
+     the extensions field.
+
+     C.1. Null ticket extension
+
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     TE-NullExtension   OctetString -- The empty Octet String
+
+     The te-data field in the null ticket extension is an octet string of
+     lenght zero. This extension may be included in a ticket granting ticket
+     so that the KDC can determine on presentation of the ticket granting
+     ticket whether the client software will strip the extensions field.
+
+     C.2. External Authorization Data
+
+     TE-ExternalAuthorizationData   AuthorizationData
+
+     The te-data field in the external authorization data ticket extension
+     is field of type AuthorizationData containing one or more authorization
+     data elements. If present, a corresponding authorization data element
+     will be present in the primary authorization data for the ticket and
+     that element will contain a checksum of the external authorization data
+     ticket extension.
+     -----------------------------------------------------------------------
+     [TM] Project Athena, Athena, and Kerberos are trademarks of the
+     Massachusetts Institute of Technology (MIT). No commercial use of these
+     trademarks may be made without prior written permission of MIT.
+
+     [1] Note, however, that many applications use Kerberos' functions only
+     upon the initiation of a stream-based network connection. Unless an
+     application subsequently provides integrity protection for the data
+     stream, the identity verification applies only to the initiation of the
+     connection, and does not guarantee that subsequent messages on the
+     connection originate from the same principal.
+
+     [2] Secret and private are often used interchangeably in the
+     literature. In our usage, it takes two (or more) to share a secret,
+     thus a shared DES key is a secret key. Something is only private when
+     no one but its owner knows it. Thus, in public key cryptosystems, one
+     has a public and a private key.
+
+     [3] Of course, with appropriate permission the client could arrange
+     registration of a separately-named prin- cipal in a remote realm, and
+     engage in normal exchanges with that realm's services. However, for
+     even small numbers of clients this becomes cumbersome, and more
+     automatic methods as described here are necessary.
+
+     [4] Though it is permissible to request or issue tick- ets with no
+     network addresses specified.
+
+     [5] The password-changing request must not be honored unless the
+     requester can provide the old password (the user's current secret key).
+     Otherwise, it would be possible for someone to walk up to an unattended
+     ses- sion and change another user's password.
+
+     [6] To authenticate a user logging on to a local system, the
+     credentials obtained in the AS exchange may first be used in a TGS
+     exchange to obtain credentials for a local server. Those credentials
+     must then be verified by a local server through successful completion
+     of the Client/Server exchange.
+
+     [7] "Random" means that, among other things, it should be impossible to
+     guess the next session key based on knowledge of past session keys.
+     This can only be achieved in a pseudo-random number generator if it is
+     based on cryptographic principles. It is more desirable to use a truly
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     random number generator, such as one based on measurements of random
+     physical phenomena.
+
+     [8] Tickets contain both an encrypted and unencrypted portion, so
+     cleartext here refers to the entire unit, which can be copied from one
+     message and replayed in another without any cryptographic skill.
+
+     [9] Note that this can make applications based on unreliable transports
+     difficult to code correctly. If the transport might deliver duplicated
+     messages, either a new authenticator must be generated for each retry,
+     or the application server must match requests and replies and replay
+     the first reply in response to a detected duplicate.
+
+     [10] This is used for user-to-user authentication as described in [8].
+
+     [11] Note that the rejection here is restricted to authenticators from
+     the same principal to the same server. Other client principals
+     communicating with the same server principal should not be have their
+     authenticators rejected if the time and microsecond fields happen to
+     match some other client's authenticator.
+
+     [12] In the Kerberos version 4 protocol, the timestamp in the reply was
+     the client's timestamp plus one. This is not necessary in version 5
+     because version 5 messages are formatted in such a way that it is not
+     possible to create the reply by judicious message surgery (even in
+     encrypted form) without knowledge of the appropriate encryption keys.
+
+     [13] Note that for encrypting the KRB_AP_REP message, the sub-session
+     key is not used, even if present in the Authenticator.
+
+     [14] Implementations of the protocol may wish to provide routines to
+     choose subkeys based on session keys and random numbers and to generate
+     a negotiated key to be returned in the KRB_AP_REP message.
+
+     [15]This can be accomplished in several ways. It might be known
+     beforehand (since the realm is part of the principal identifier), it
+     might be stored in a nameserver, or it might be obtained from a
+     configura- tion file. If the realm to be used is obtained from a
+     nameserver, there is a danger of being spoofed if the nameservice
+     providing the realm name is not authenti- cated. This might result in
+     the use of a realm which has been compromised, and would result in an
+     attacker's ability to compromise the authentication of the application
+     server to the client.
+
+     [16] If the client selects a sub-session key, care must be taken to
+     ensure the randomness of the selected sub- session key. One approach
+     would be to generate a random number and XOR it with the session key
+     from the ticket-granting ticket.
+
+     [17] This allows easy implementation of user-to-user authentication
+     [8], which uses ticket-granting ticket session keys in lieu of secret
+     server keys in situa- tions where such secret keys could be easily
+     comprom- ised.
+
+     [18] For the purpose of appending, the realm preceding the first listed
+     realm is considered to be the null realm ("").
+
+     [19] For the purpose of interpreting null subfields, the client's realm
+     is considered to precede those in the transited field, and the server's
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     realm is considered to follow them.
+
+     [20] This means that a client and server running on the same host and
+     communicating with one another using the KRB_SAFE messages should not
+     share a common replay cache to detect KRB_SAFE replays.
+
+     [21] The implementation of the Kerberos server need not combine the
+     database and the server on the same machine; it is feasible to store
+     the principal database in, say, a network name service, as long as the
+     entries stored therein are protected from disclosure to and
+     modification by unauthorized parties. However, we recommend against
+     such strategies, as they can make system management and threat analysis
+     quite complex.
+
+     [22] See the discussion of the padata field in section 5.4.2 for
+     details on why this can be useful.
+
+     [23] Warning for implementations that unpack and repack data structures
+     during the generation and verification of embedded checksums: Because
+     any checksums applied to data structures must be checked against the
+     original data the length of bit strings must be preserved within a data
+     structure between the time that a checksum is generated through
+     transmission to the time that the checksum is verified.
+
+     [24] It is NOT recommended that this time value be used to adjust the
+     workstation's clock since the workstation cannot reliably determine
+     that such a KRB_AS_REP actually came from the proper KDC in a timely
+     manner.
+
+     [25] Note, however, that if the time is used as the nonce, one must
+     make sure that the workstation time is monotonically increasing. If the
+     time is ever reset backwards, there is a small, but finite, probability
+     that a nonce will be reused.
+
+     [27] An application code in the encrypted part of a message provides an
+     additional check that the message was decrypted properly.
+
+     [29] An application code in the encrypted part of a message provides an
+     additional check that the message was decrypted properly.
+
+     [31] An application code in the encrypted part of a message provides an
+     additional check that the message was decrypted properly.
+
+     [32] If supported by the encryption method in use, an initialization
+     vector may be passed to the encryption procedure, in order to achieve
+     proper cipher chaining. The initialization vector might come from the
+     last block of the ciphertext from the previous KRB_PRIV message, but it
+     is the application's choice whether or not to use such an
+     initialization vector. If left out, the default initialization vector
+     for the encryption algorithm will be used.
+
+     [33] This prevents an attacker who generates an incorrect AS request
+     from obtaining verifiable plaintext for use in an off-line password
+     guessing attack.
+
+     [35] In the above specification, UNTAGGED OCTET STRING(length) is the
+     notation for an octet string with its tag and length removed. It is not
+     a valid ASN.1 type. The tag bits and length must be removed from the
+     confounder since the purpose of the confounder is so that the message
+
+Neuman, Ts'o, Kohl                                Expires: 10 September, 2000
+
+
+
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-05          June 25, 1999
+
+     starts with random data, but the tag and its length are fixed. For
+     other fields, the length and tag would be redundant if they were
+     included because they are specified by the encryption type. [36] The
+     ordering of the fields in the CipherText is important. Additionally,
+     messages encoded in this format must include a length as part of the
+     msg-seq field. This allows the recipient to verify that the message has
+     not been truncated. Without a length, an attacker could use a chosen
+     plaintext attack to generate a message which could be truncated, while
+     leaving the checksum intact. Note that if the msg-seq is an encoding of
+     an ASN.1 SEQUENCE or OCTET STRING, then the length is part of that
+     encoding.
+
+     [37] In some cases, it may be necessary to use a different "mix-in"
+     string for compatibility reasons; see the discussion of padata in
+     section 5.4.2.
+
+     [38] In some cases, it may be necessary to use a different "mix-in"
+     string for compatibility reasons; see the discussion of padata in
+     section 5.4.2.
+
+     [39] A variant of the key is used to limit the use of a key to a
+     particular function, separating the functions of generating a checksum
+     from other encryption performed using the session key. The constant
+     F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The
+     properties of DES precluded the use of the complement. The same
+     constant is used for similar purpose in the Message Integrity Check in
+     the Privacy Enhanced Mail standard.
+
+     [40] This error carries additional information in the e- data field.
+     The contents of the e-data field for this message is described in
+     section 5.9.1.
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt
new file mode 100644
index 0000000..ae79e8a
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-revisions-06.txt
@@ -0,0 +1,7301 @@
+INTERNET-DRAFT                                              Clifford Neuman
+                                                                  John Kohl
+                                                              Theodore Ts'o
+                                                              July 14, 2000
+                                                   Expires January 14, 2001
+
+The Kerberos Network Authentication Service (V5)
+
+
+draft-ietf-cat-kerberos-revisions-06.txt
+
+STATUS OF THIS MEMO
+
+This document is an Internet-Draft and is in full conformance with all
+provisions of Section 10 of RFC 2026. Internet-Drafts are working documents
+of the Internet Engineering Task Force (IETF), its areas, and its working
+groups. Note that other groups may also distribute working documents as
+Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It
+is inappropriate to use Internet-Drafts as reference material or to cite
+them other than as "work in progress."
+
+The list of current Internet-Drafts can be accessed at
+http://www.ietf.org/ietf/1id-abstracts.txt
+
+The list of Internet-Draft Shadow Directories can be accessed at
+http://www.ietf.org/shadow.html.
+
+To learn the current status of any Internet-Draft, please check the
+"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
+ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
+
+The distribution of this memo is unlimited. It is filed as
+draft-ietf-cat-kerberos-revisions-06.txt, and expires January 14, 2001.
+Please send comments to: krb-protocol@MIT.EDU
+
+     This document is getting closer to a last call, but there are several
+     issues to be discussed. Some, but not all of these issues, are
+     highlighted in comments in the draft. We hope to resolve these issues
+     on the mailing list for the Kerberos working group, leading up to and
+     during the Pittsburgh IETF on a section by section basis, since this
+     is a long document, and it has been difficult to consider it as a
+     whole. Once sections are agreed to, it is out intent to issue the more
+     formal WG and IETF last calls.
+
+ABSTRACT
+
+This document provides an overview and specification of Version 5 of the
+Kerberos protocol, and updates RFC1510 to clarify aspects of the protocol
+and its intended use that require more detailed or clearer explanation than
+was provided in RFC1510. This document is intended to provide a detailed
+description of the protocol, suitable for implementation, together with
+descriptions of the appropriate use of protocol messages and fields within
+those messages.
+
+This document is not intended to describe Kerberos to the end user, system
+administrator, or application developer. Higher level papers describing
+Version 5 of the Kerberos system [NT94] and documenting version 4 [SNS88],
+are available elsewhere.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+OVERVIEW
+
+This INTERNET-DRAFT describes the concepts and model upon which the
+Kerberos network authentication system is based. It also specifies Version
+5 of the Kerberos protocol.
+
+The motivations, goals, assumptions, and rationale behind most design
+decisions are treated cursorily; they are more fully described in a paper
+available in IEEE communications [NT94] and earlier in the Kerberos portion
+of the Athena Technical Plan [MNSS87]. The protocols have been a proposed
+standard and are being considered for advancement for draft standard
+through the IETF standard process. Comments are encouraged on the
+presentation, but only minor refinements to the protocol as implemented or
+extensions that fit within current protocol framework will be considered at
+this time.
+
+Requests for addition to an electronic mailing list for discussion of
+Kerberos, kerberos@MIT.EDU, may be addressed to kerberos-request@MIT.EDU.
+This mailing list is gatewayed onto the Usenet as the group
+comp.protocols.kerberos. Requests for further information, including
+documents and code availability, may be sent to info-kerberos@MIT.EDU.
+
+BACKGROUND
+
+The Kerberos model is based in part on Needham and Schroeder's trusted
+third-party authentication protocol [NS78] and on modifications suggested
+by Denning and Sacco [DS81]. The original design and implementation of
+Kerberos Versions 1 through 4 was the work of two former Project Athena
+staff members, Steve Miller of Digital Equipment Corporation and Clifford
+Neuman (now at the Information Sciences Institute of the University of
+Southern California), along with Jerome Saltzer, Technical Director of
+Project Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many
+other members of Project Athena have also contributed to the work on
+Kerberos.
+
+Version 5 of the Kerberos protocol (described in this document) has evolved
+from Version 4 based on new requirements and desires for features not
+available in Version 4. The design of Version 5 of the Kerberos protocol
+was led by Clifford Neuman and John Kohl with much input from the
+community. The development of the MIT reference implementation was led at
+MIT by John Kohl and Theodore T'so, with help and contributed code from
+many others. Since RFC1510 was issued, extensions and revisions to the
+protocol have been proposed by many individuals. Some of these proposals
+are reflected in this document. Where such changes involved significant
+effort, the document cites the contribution of the proposer.
+
+Reference implementations of both version 4 and version 5 of Kerberos are
+publicly available and commercial implementations have been developed and
+are widely used. Details on the differences between Kerberos Versions 4 and
+5 can be found in [KNT92].
+
+1. Introduction
+
+Kerberos provides a means of verifying the identities of principals, (e.g.
+a workstation user or a network server) on an open (unprotected) network.
+This is accomplished without relying on assertions by the host operating
+system, without basing trust on host addresses, without requiring physical
+security of all the hosts on the network, and under the assumption that
+packets traveling along the network can be read, modified, and inserted at
+will[1]. Kerberos performs authentication under these conditions as a
+trusted third-party authentication service by using conventional (shared
+secret key [2] cryptography. Kerberos extensions have been proposed and
+implemented that provide for the use of public key cryptography during
+certain phases of the authentication protocol. These extensions provide for
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+authentication of users registered with public key certification
+authorities, and allow the system to provide certain benefits of public key
+cryptography in situations where they are needed.
+
+The basic Kerberos authentication process proceeds as follows: A client
+sends a request to the authentication server (AS) requesting 'credentials'
+for a given server. The AS responds with these credentials, encrypted in
+the client's key. The credentials consist of 1) a 'ticket' for the server
+and 2) a temporary encryption key (often called a "session key"). The
+client transmits the ticket (which contains the client's identity and a
+copy of the session key, all encrypted in the server's key) to the server.
+The session key (now shared by the client and server) is used to
+authenticate the client, and may optionally be used to authenticate the
+server. It may also be used to encrypt further communication between the
+two parties or to exchange a separate sub-session key to be used to encrypt
+further communication.
+
+Implementation of the basic protocol consists of one or more authentication
+servers running on physically secure hosts. The authentication servers
+maintain a database of principals (i.e., users and servers) and their
+secret keys. Code libraries provide encryption and implement the Kerberos
+protocol. In order to add authentication to its transactions, a typical
+network application adds one or two calls to the Kerberos library directly
+or through the Generic Security Services Application Programming Interface,
+GSSAPI, described in separate document. These calls result in the
+transmission of the necessary messages to achieve authentication.
+
+The Kerberos protocol consists of several sub-protocols (or exchanges).
+There are two basic methods by which a client can ask a Kerberos server for
+credentials. In the first approach, the client sends a cleartext request
+for a ticket for the desired server to the AS. The reply is sent encrypted
+in the client's secret key. Usually this request is for a ticket-granting
+ticket (TGT) which can later be used with the ticket-granting server (TGS).
+In the second method, the client sends a request to the TGS. The client
+uses the TGT to authenticate itself to the TGS in the same manner as if it
+were contacting any other application server that requires Kerberos
+authentication. The reply is encrypted in the session key from the TGT.
+Though the protocol specification describes the AS and the TGS as separate
+servers, they are implemented in practice as different protocol entry
+points within a single Kerberos server.
+
+Once obtained, credentials may be used to verify the identity of the
+principals in a transaction, to ensure the integrity of messages exchanged
+between them, or to preserve privacy of the messages. The application is
+free to choose whatever protection may be necessary.
+
+To verify the identities of the principals in a transaction, the client
+transmits the ticket to the application server. Since the ticket is sent
+"in the clear" (parts of it are encrypted, but this encryption doesn't
+thwart replay) and might be intercepted and reused by an attacker,
+additional information is sent to prove that the message originated with
+the principal to whom the ticket was issued. This information (called the
+authenticator) is encrypted in the session key, and includes a timestamp.
+The timestamp proves that the message was recently generated and is not a
+replay. Encrypting the authenticator in the session key proves that it was
+generated by a party possessing the session key. Since no one except the
+requesting principal and the server know the session key (it is never sent
+over the network in the clear) this guarantees the identity of the client.
+
+The integrity of the messages exchanged between principals can also be
+guaranteed using the session key (passed in the ticket and contained in the
+credentials). This approach provides detection of both replay attacks and
+message stream modification attacks. It is accomplished by generating and
+transmitting a collision-proof checksum (elsewhere called a hash or digest
+function) of the client's message, keyed with the session key. Privacy and
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+integrity of the messages exchanged between principals can be secured by
+encrypting the data to be passed using the session key contained in the
+ticket or the subsession key found in the authenticator.
+
+The authentication exchanges mentioned above require read-only access to
+the Kerberos database. Sometimes, however, the entries in the database must
+be modified, such as when adding new principals or changing a principal's
+key. This is done using a protocol between a client and a third Kerberos
+server, the Kerberos Administration Server (KADM). There is also a protocol
+for maintaining multiple copies of the Kerberos database. Neither of these
+protocols are described in this document.
+
+1.1. Cross-Realm Operation
+
+The Kerberos protocol is designed to operate across organizational
+boundaries. A client in one organization can be authenticated to a server
+in another. Each organization wishing to run a Kerberos server establishes
+its own 'realm'. The name of the realm in which a client is registered is
+part of the client's name, and can be used by the end-service to decide
+whether to honor a request.
+
+By establishing 'inter-realm' keys, the administrators of two realms can
+allow a client authenticated in the local realm to prove its identity to
+servers in other realms[3]. The exchange of inter-realm keys (a separate
+key may be used for each direction) registers the ticket-granting service
+of each realm as a principal in the other realm. A client is then able to
+obtain a ticket-granting ticket for the remote realm's ticket-granting
+service from its local realm. When that ticket-granting ticket is used, the
+remote ticket-granting service uses the inter-realm key (which usually
+differs from its own normal TGS key) to decrypt the ticket-granting ticket,
+and is thus certain that it was issued by the client's own TGS. Tickets
+issued by the remote ticket-granting service will indicate to the
+end-service that the client was authenticated from another realm.
+
+A realm is said to communicate with another realm if the two realms share
+an inter-realm key, or if the local realm shares an inter-realm key with an
+intermediate realm that communicates with the remote realm. An
+authentication path is the sequence of intermediate realms that are
+transited in communicating from one realm to another.
+
+Realms are typically organized hierarchically. Each realm shares a key with
+its parent and a different key with each child. If an inter-realm key is
+not directly shared by two realms, the hierarchical organization allows an
+authentication path to be easily constructed. If a hierarchical
+organization is not used, it may be necessary to consult a database in
+order to construct an authentication path between realms.
+
+Although realms are typically hierarchical, intermediate realms may be
+bypassed to achieve cross-realm authentication through alternate
+authentication paths (these might be established to make communication
+between two realms more efficient). It is important for the end-service to
+know which realms were transited when deciding how much faith to place in
+the authentication process. To facilitate this decision, a field in each
+ticket contains the names of the realms that were involved in
+authenticating the client.
+
+The application server is ultimately responsible for accepting or rejecting
+authentication and should check the transited field. The application server
+may choose to rely on the KDC for the application server's realm to check
+the transited field. The application server's KDC will set the
+TRANSITED-POLICY-CHECKED flag in this case. The KDC's for intermediate
+realms may also check the transited field as they issue
+ticket-granting-tickets for other realms, but they are encouraged not to do
+so. A client may request that the KDC's not check the transited field by
+setting the DISABLE-TRANSITED-CHECK flag. KDC's are encouraged but not
+required to honor this flag.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     [JBrezak] Should there be a section here on how clients determine what
+     realm a service is in? Something like:
+
+     The client may not immediately know what realm a particular service
+     principal is in. There are 2 basic mechanisms that can be used to
+     determine the realm of a service. The first requires that the client
+     fully specify the service principal including the realm in the
+     Kerberos protocol request. If the Kerberos server for the specified
+     realm does not have a principal that exactly matches the service in
+     the request, the Kerberos server will return an error indicating that
+     the service principal was not found. Alternatively the client can make
+     a request providing just the service principal name and requesting
+     name canonicalization from the Kerberos server. The Kerberos server
+     will attempt to locate a service principal in its database that best
+     matches the request principal or provide a referral to another
+     Kerberos realm that may be contain the requested service principal.
+
+1.2. Authorization
+
+As an authentication service, Kerberos provides a means of verifying the
+identity of principals on a network. Authentication is usually useful
+primarily as a first step in the process of authorization, determining
+whether a client may use a service, which objects the client is allowed to
+access, and the type of access allowed for each. Kerberos does not, by
+itself, provide authorization. Possession of a client ticket for a service
+provides only for authentication of the client to that service, and in the
+absence of a separate authorization procedure, it should not be considered
+by an application as authorizing the use of that service.
+
+Such separate authorization methods may be implemented as application
+specific access control functions and may be based on files such as the
+application server, or on separately issued authorization credentials such
+as those based on proxies [Neu93], or on other authorization services.
+Separately authenticated authorization credentials may be embedded in a
+tickets authorization data when encapsulated by the kdc-issued
+authorization data element.
+
+Applications should not be modified to accept the mere issuance of a
+service ticket by the Kerberos server (even by a modified Kerberos server)
+as granting authority to use the service, since such applications may
+become vulnerable to the bypass of this authorization check in an
+environment if they interoperate with other KDCs or where other options for
+application authentication (e.g. the PKTAPP proposal) are provided.
+
+1.3. Environmental assumptions
+
+Kerberos imposes a few assumptions on the environment in which it can
+properly function:
+
+   * 'Denial of service' attacks are not solved with Kerberos. There are
+     places in these protocols where an intruder can prevent an application
+     from participating in the proper authentication steps. Detection and
+     solution of such attacks (some of which can appear to be nnot-uncommon
+     'normal' failure modes for the system) is usually best left to the
+     human administrators and users.
+   * Principals must keep their secret keys secret. If an intruder somehow
+     steals a principal's key, it will be able to masquerade as that
+     principal or impersonate any server to the legitimate principal.
+   * 'Password guessing' attacks are not solved by Kerberos. If a user
+     chooses a poor password, it is possible for an attacker to
+     successfully mount an offline dictionary attack by repeatedly
+     attempting to decrypt, with successive entries from a dictionary,
+     messages obtained which are encrypted under a key derived from the
+     user's password.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+   * Each host on the network must have a clock which is 'loosely
+     synchronized' to the time of the other hosts; this synchronization is
+     used to reduce the bookkeeping needs of application servers when they
+     do replay detection. The degree of "looseness" can be configured on a
+     per-server basis, but is typically on the order of 5 minutes. If the
+     clocks are synchronized over the network, the clock synchronization
+     protocol must itself be secured from network attackers.
+   * Principal identifiers are not recycled on a short-term basis. A
+     typical mode of access control will use access control lists (ACLs) to
+     grant permissions to particular principals. If a stale ACL entry
+     remains for a deleted principal and the principal identifier is
+     reused, the new principal will inherit rights specified in the stale
+     ACL entry. By not re-using principal identifiers, the danger of
+     inadvertent access is removed.
+
+1.4. Glossary of terms
+
+Below is a list of terms used throughout this document.
+
+Authentication
+     Verifying the claimed identity of a principal.
+Authentication header
+     A record containing a Ticket and an Authenticator to be presented to a
+     server as part of the authentication process.
+Authentication path
+     A sequence of intermediate realms transited in the authentication
+     process when communicating from one realm to another.
+Authenticator
+     A record containing information that can be shown to have been
+     recently generated using the session key known only by the client and
+     server.
+Authorization
+     The process of determining whether a client may use a service, which
+     objects the client is allowed to access, and the type of access
+     allowed for each.
+Capability
+     A token that grants the bearer permission to access an object or
+     service. In Kerberos, this might be a ticket whose use is restricted
+     by the contents of the authorization data field, but which lists no
+     network addresses, together with the session key necessary to use the
+     ticket.
+Ciphertext
+     The output of an encryption function. Encryption transforms plaintext
+     into ciphertext.
+Client
+     A process that makes use of a network service on behalf of a user.
+     Note that in some cases a Server may itself be a client of some other
+     server (e.g. a print server may be a client of a file server).
+Credentials
+     A ticket plus the secret session key necessary to successfully use
+     that ticket in an authentication exchange.
+KDC
+     Key Distribution Center, a network service that supplies tickets and
+     temporary session keys; or an instance of that service or the host on
+     which it runs. The KDC services both initial ticket and
+     ticket-granting ticket requests. The initial ticket portion is
+     sometimes referred to as the Authentication Server (or service). The
+     ticket-granting ticket portion is sometimes referred to as the
+     ticket-granting server (or service).
+Kerberos
+     Aside from the 3-headed dog guarding Hades, the name given to Project
+     Athena's authentication service, the protocol used by that service, or
+     the code used to implement the authentication service.
+Plaintext
+     The input to an encryption function or the output of a decryption
+     function. Decryption transforms ciphertext into plaintext.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+Principal
+     A uniquely named client or server instance that participates in a
+     network communication.
+Principal identifier
+     The name used to uniquely identify each different principal.
+Seal
+     To encipher a record containing several fields in such a way that the
+     fields cannot be individually replaced without either knowledge of the
+     encryption key or leaving evidence of tampering.
+Secret key
+     An encryption key shared by a principal and the KDC, distributed
+     outside the bounds of the system, with a long lifetime. In the case of
+     a human user's principal, the secret key is derived from a password.
+Server
+     A particular Principal which provides a resource to network clients.
+     The server is sometimes refered to as the Application Server.
+Service
+     A resource provided to network clients; often provided by more than
+     one server (for example, remote file service).
+Session key
+     A temporary encryption key used between two principals, with a
+     lifetime limited to the duration of a single login "session".
+Sub-session key
+     A temporary encryption key used between two principals, selected and
+     exchanged by the principals using the session key, and with a lifetime
+     limited to the duration of a single association.
+Ticket
+     A record that helps a client authenticate itself to a server; it
+     contains the client's identity, a session key, a timestamp, and other
+     information, all sealed using the server's secret key. It only serves
+     to authenticate a client when presented along with a fresh
+     Authenticator.
+
+2. Ticket flag uses and requests
+
+Each Kerberos ticket contains a set of flags which are used to indicate
+various attributes of that ticket. Most flags may be requested by a client
+when the ticket is obtained; some are automatically turned on and off by a
+Kerberos server as required. The following sections explain what the
+various flags mean, and gives examples of reasons to use such a flag.
+
+2.1. Initial and pre-authenticated tickets
+
+The INITIAL flag indicates that a ticket was issued using the AS protocol
+and not issued based on a ticket-granting ticket. Application servers that
+want to require the demonstrated knowledge of a client's secret key (e.g. a
+password-changing program) can insist that this flag be set in any tickets
+they accept, and thus be assured that the client's key was recently
+presented to the application client.
+
+The PRE-AUTHENT and HW-AUTHENT flags provide addition information about the
+initial authentication, regardless of whether the current ticket was issued
+directly (in which case INITIAL will also be set) or issued on the basis of
+a ticket-granting ticket (in which case the INITIAL flag is clear, but the
+PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ticket-granting ticket).
+
+2.2. Invalid tickets
+
+The INVALID flag indicates that a ticket is invalid. Application servers
+must reject tickets which have this flag set. A postdated ticket will
+usually be issued in this form. Invalid tickets must be validated by the
+KDC before use, by presenting them to the KDC in a TGS request with the
+VALIDATE option specified. The KDC will only validate tickets after their
+starttime has passed. The validation is required so that postdated tickets
+which have been stolen before their starttime can be rendered permanently
+invalid (through a hot-list mechanism) (see section 3.3.3.1).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+2.3. Renewable tickets
+
+Applications may desire to hold tickets which can be valid for long periods
+of time. However, this can expose their credentials to potential theft for
+equally long periods, and those stolen credentials would be valid until the
+expiration time of the ticket(s). Simply using short-lived tickets and
+obtaining new ones periodically would require the client to have long-term
+access to its secret key, an even greater risk. Renewable tickets can be
+used to mitigate the consequences of theft. Renewable tickets have two
+"expiration times": the first is when the current instance of the ticket
+expires, and the second is the latest permissible value for an individual
+expiration time. An application client must periodically (i.e. before it
+expires) present a renewable ticket to the KDC, with the RENEW option set
+in the KDC request. The KDC will issue a new ticket with a new session key
+and a later expiration time. All other fields of the ticket are left
+unmodified by the renewal process. When the latest permissible expiration
+time arrives, the ticket expires permanently. At each renewal, the KDC may
+consult a hot-list to determine if the ticket had been reported stolen
+since its last renewal; it will refuse to renew such stolen tickets, and
+thus the usable lifetime of stolen tickets is reduced.
+
+The RENEWABLE flag in a ticket is normally only interpreted by the
+ticket-granting service (discussed below in section 3.3). It can usually be
+ignored by application servers. However, some particularly careful
+application servers may wish to disallow renewable tickets.
+
+If a renewable ticket is not renewed by its expiration time, the KDC will
+not renew the ticket. The RENEWABLE flag is reset by default, but a client
+may request it be set by setting the RENEWABLE option in the KRB_AS_REQ
+message. If it is set, then the renew-till field in the ticket contains the
+time after which the ticket may not be renewed.
+
+2.4. Postdated tickets
+
+Applications may occasionally need to obtain tickets for use much later,
+e.g. a batch submission system would need tickets to be valid at the time
+the batch job is serviced. However, it is dangerous to hold valid tickets
+in a batch queue, since they will be on-line longer and more prone to
+theft. Postdated tickets provide a way to obtain these tickets from the KDC
+at job submission time, but to leave them "dormant" until they are
+activated and validated by a further request of the KDC. If a ticket theft
+were reported in the interim, the KDC would refuse to validate the ticket,
+and the thief would be foiled.
+
+The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. This
+flag must be set in a ticket-granting ticket in order to issue a postdated
+ticket based on the presented ticket. It is reset by default; it may be
+requested by a client by setting the ALLOW-POSTDATE option in the
+KRB_AS_REQ message. This flag does not allow a client to obtain a postdated
+ticket-granting ticket; postdated ticket-granting tickets can only by
+obtained by requesting the postdating in the KRB_AS_REQ message. The life
+(endtime-starttime) of a postdated ticket will be the remaining life of the
+ticket-granting ticket at the time of the request, unless the RENEWABLE
+option is also set, in which case it can be the full life
+(endtime-starttime) of the ticket-granting ticket. The KDC may limit how
+far in the future a ticket may be postdated.
+
+The POSTDATED flag indicates that a ticket has been postdated. The
+application server can check the authtime field in the ticket to see when
+the original authentication occurred. Some services may choose to reject
+postdated tickets, or they may only accept them within a certain period
+after the original authentication. When the KDC issues a POSTDATED ticket,
+it will also be marked as INVALID, so that the application client must
+present the ticket to the KDC to be validated before use.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+2.5. Proxiable and proxy tickets
+
+At times it may be necessary for a principal to allow a service to perform
+an operation on its behalf. The service must be able to take on the
+identity of the client, but only for a particular purpose. A principal can
+allow a service to take on the principal's identity for a particular
+purpose by granting it a proxy.
+
+The process of granting a proxy using the proxy and proxiable flags is used
+to provide credentials for use with specific services. Though conceptually
+also a proxy, user's wishing to delegate their identity for ANY purpose
+must use the ticket forwarding mechanism described in the next section to
+forward a ticket granting ticket.
+
+The PROXIABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. When
+set, this flag tells the ticket-granting server that it is OK to issue a
+new ticket (but not a ticket-granting ticket) with a different network
+address based on this ticket. This flag is set if requested by the client
+on initial authentication. By default, the client will request that it be
+set when requesting a ticket granting ticket, and reset when requesting any
+other ticket.
+
+This flag allows a client to pass a proxy to a server to perform a remote
+request on its behalf, e.g. a print service client can give the print
+server a proxy to access the client's files on a particular file server in
+order to satisfy a print request.
+
+In order to complicate the use of stolen credentials, Kerberos tickets are
+usually valid from only those network addresses specifically included in
+the ticket[4]. When granting a proxy, the client must specify the new
+network address from which the proxy is to be used, or indicate that the
+proxy is to be issued for use from any address.
+
+The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket.
+Application servers may check this flag and at their option they may
+require additional authentication from the agent presenting the proxy in
+order to provide an audit trail.
+
+2.6. Forwardable tickets
+
+Authentication forwarding is an instance of a proxy where the service is
+granted complete use of the client's identity. An example where it might be
+used is when a user logs in to a remote system and wants authentication to
+work from that system as if the login were local.
+
+The FORWARDABLE flag in a ticket is normally only interpreted by the
+ticket-granting service. It can be ignored by application servers. The
+FORWARDABLE flag has an interpretation similar to that of the PROXIABLE
+flag, except ticket-granting tickets may also be issued with different
+network addresses. This flag is reset by default, but users may request
+that it be set by setting the FORWARDABLE option in the AS request when
+they request their initial ticket- granting ticket.
+
+This flag allows for authentication forwarding without requiring the user
+to enter a password again. If the flag is not set, then authentication
+forwarding is not permitted, but the same result can still be achieved if
+the user engages in the AS exchange specifying the requested network
+addresses and supplies a password.
+
+The FORWARDED flag is set by the TGS when a client presents a ticket with
+the FORWARDABLE flag set and requests a forwarded ticket by specifying the
+FORWARDED KDC option and supplying a set of addresses for the new ticket.
+It is also set in all tickets issued based on tickets with the FORWARDED
+flag set. Application servers may choose to process FORWARDED tickets
+differently than non-FORWARDED tickets.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+2.7 Name canonicalization [JBrezak]
+
+If a client does not have the full name information for a principal, it can
+request that the Kerberos server attempt to lookup the name in its database
+and return a canonical form of the requested principal or a referral to a
+realm that has the requested principal in its namespace. Name
+canonicalization allows a principal to have alternate names. Name
+canonicalization must not be used to locate principal names supplied from
+wildcards and is not a mechanism to be used to search a Kerberos database.
+
+The CANONICALIZE flag in a ticket request is used to indicate to the
+Kerberos server that the client will accept an alternative name to the
+principal in the request or a referral to another realm. Both the AS and
+TGS must be able to interpret requests with this flag.
+
+By using this flag, the client can avoid extensive configuration needed to
+map specific host names to a particular realm.
+
+2.8. Other KDC options
+
+There are two additional options which may be set in a client's request of
+the KDC. The RENEWABLE-OK option indicates that the client will accept a
+renewable ticket if a ticket with the requested life cannot otherwise be
+provided. If a ticket with the requested life cannot be provided, then the
+KDC may issue a renewable ticket with a renew-till equal to the the
+requested endtime. The value of the renew-till field may still be adjusted
+by site-determined limits or limits imposed by the individual principal or
+server.
+
+The ENC-TKT-IN-SKEY option is honored only by the ticket-granting service.
+It indicates that the ticket to be issued for the end server is to be
+encrypted in the session key from the a additional second ticket-granting
+ticket provided with the request. See section 3.3.3 for specific details.
+
+3. Message Exchanges
+
+The following sections describe the interactions between network clients
+and servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+                          Summary
+      Message direction       Message type    Section
+      1. Client to Kerberos   KRB_AS_REQ      5.4.1
+      2. Kerberos to client   KRB_AS_REP or   5.4.2
+                              KRB_ERROR       5.9.1
+
+The Authentication Service (AS) Exchange between the client and the
+Kerberos Authentication Server is initiated by a client when it wishes to
+obtain authentication credentials for a given server but currently holds no
+credentials. In its basic form, the client's secret key is used for
+encryption and decryption. This exchange is typically used at the
+initiation of a login session to obtain credentials for a Ticket-Granting
+Server which will subsequently be used to obtain credentials for other
+servers (see section 3.3) without requiring further use of the client's
+secret key. This exchange is also used to request credentials for services
+which must not be mediated through the Ticket-Granting Service, but rather
+require a principal's secret key, such as the password-changing service[5].
+This exchange does not by itself provide any assurance of the the identity
+of the user[6].
+
+The exchange consists of two messages: KRB_AS_REQ from the client to
+Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+In the request, the client sends (in cleartext) its own identity and the
+identity of the server for which it is requesting credentials. The
+response, KRB_AS_REP, contains a ticket for the client to present to the
+server, and a session key that will be shared by the client and the server.
+The session key and additional information are encrypted in the client's
+secret key. The KRB_AS_REP message contains information which can be used
+to detect replays, and to associate it with the message to which it
+replies. Various errors can occur; these are indicated by an error response
+(KRB_ERROR) instead of the KRB_AS_REP response. The error message is not
+encrypted. The KRB_ERROR message contains information which can be used to
+associate it with the message to which it replies. The lack of encryption
+in the KRB_ERROR message precludes the ability to detect replays,
+fabrications, or modifications of such messages.
+
+Without preautentication, the authentication server does not know whether
+the client is actually the principal named in the request. It simply sends
+a reply without knowing or caring whether they are the same. This is
+acceptable because nobody but the principal whose identity was given in the
+request will be able to use the reply. Its critical information is
+encrypted in that principal's key. The initial request supports an optional
+field that can be used to pass additional information that might be needed
+for the initial exchange. This field may be used for preauthentication as
+described in section [hl<>].
+
+3.1.1. Generation of KRB_AS_REQ message
+
+The client may specify a number of options in the initial request. Among
+these options are whether pre-authentication is to be performed; whether
+the requested ticket is to be renewable, proxiable, or forwardable; whether
+it should be postdated or allow postdating of derivative tickets; whether
+the client requests name-canonicalization; and whether a renewable ticket
+will be accepted in lieu of a non-renewable ticket if the requested ticket
+expiration date cannot be satisfied by a non-renewable ticket (due to
+configuration constraints; see section 4). See section A.1 for pseudocode.
+
+The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+If all goes well, processing the KRB_AS_REQ message will result in the
+creation of a ticket for the client to present to the server. The format
+for the ticket is described in section 5.3.1. The contents of the ticket
+are determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+The authentication server looks up the client and server principals named
+in the KRB_AS_REQ in its database, extracting their respective keys.  If
+the requested client principal named in the request is not found in its
+database, then an error message with a KDC_ERR_C_PRINCIPAL_UNKNOWN is
+returned. If the request had the CANONICALIZE option set, then the AS can
+attempt to lookup the client principal name in an alternate database, if it
+is found an error message with a KDC_ERR_WRONG_REALM error code and the
+cname and crealm in the error message must contain the true client
+principal name and realm.
+
+If required, the server pre-authenticates the request, and if the
+pre-authentication check fails, an error message with the code
+KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate the
+requested encryption type, an error message with code KDC_ERR_ETYPE_NOSUPP
+is returned. Otherwise it generates a 'random' session key[7].
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+If there are multiple encryption keys registered for a client in the
+Kerberos database (or if the key registered supports multiple encryption
+types; e.g. DES3-CBC-SHA1 and DES3-CBC-SHA1-KD), then the etype field from
+the AS request is used by the KDC to select the encryption method to be
+used for encrypting the response to the client. If there is more than one
+supported, strong encryption type in the etype list, the first valid etype
+for which an encryption key is available is used. The encryption method
+used to respond to a TGS request is taken from the keytype of the session
+key found in the ticket granting ticket.
+
+     JBrezak - the behavior of PW-SALT, and ETYPE-INFO should be explained
+     here; also about using keys that have different string-to-key
+     functions like AFSsalt
+
+When the etype field is present in a KDC request, whether an AS or TGS
+request, the KDC will attempt to assign the type of the random session key
+from the list of methods in the etype field. The KDC will select the
+appropriate type using the list of methods provided together with
+information from the Kerberos database indicating acceptable encryption
+methods for the application server. The KDC will not issue tickets with a
+weak session key encryption type.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified then the error KDC_ERR_CANNOT_POSTDATE is returned.
+Otherwise the requested start time is checked against the policy of the
+local realm (the administrator might decide to prohibit certain types or
+ranges of postdated tickets), and if acceptable, the ticket's start time is
+set as requested and the INVALID flag is set in the new ticket. The
+postdated ticket must be validated before use by presenting it to the KDC
+after the start time has been reached.
+
+The expiration time of the ticket will be set to the minimum of the
+following:
+
+   * The expiration time (endtime) requested in the KRB_AS_REQ message.
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the client principal (the authentication server's database
+     includes a maximum ticket lifetime field in each principal's record;
+     see section 4).
+   * The ticket's start time plus the maximum allowable lifetime associated
+     with the server principal.
+   * The ticket's start time plus the maximum lifetime set by the policy of
+     the local realm.
+
+If the requested expiration time minus the start time (as determined above)
+is less than a site-determined minimum lifetime, an error message with code
+KDC_ERR_NEVER_VALID is returned. If the requested expiration time for the
+ticket exceeds what was determined as above, and if the 'RENEWABLE-OK'
+option was requested, then the 'RENEWABLE' flag is set in the new ticket,
+and the renew-till value is set as if the 'RENEWABLE' option were requested
+(the field and option names are described fully in section 5.4.1).
+
+If the RENEWABLE option has been requested or if the RENEWABLE-OK option
+has been set and a renewable ticket is to be issued, then the renew-till
+field is set to the minimum of:
+
+   * Its requested value.
+   * The start time of the ticket plus the minimum of the two maximum
+     renewable lifetimes associated with the principals' database entries.
+   * The start time of the ticket plus the maximum renewable lifetime set
+     by the policy of the local realm.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+The flags field of the new ticket will have the following options set if
+they have been requested and if the policy of the local realm allows:
+FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE. If the new
+ticket is post-dated (the start time is in the future), its INVALID flag
+will also be set.
+
+If all of the above succeed, the server formats a KRB_AS_REP message (see
+section 5.4.2), copying the addresses in the request into the caddr of the
+response, placing any required pre-authentication data into the padata of
+the response, and encrypts the ciphertext part in the client's key using
+the requested encryption method, and sends it to the client. See section
+A.2 for pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+Several errors can occur, and the Authentication Server responds by
+returning an error message, KRB_ERROR, to the client, with the error-code
+and e-text fields set to appropriate values. The error message contents and
+details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+If the reply message type is KRB_AS_REP, then the client verifies that the
+cname and crealm fields in the cleartext portion of the reply match what it
+requested. If any padata fields are present, they may be used to derive the
+proper secret key to decrypt the message. The client decrypts the encrypted
+part of the response using its secret key, verifies that the nonce in the
+encrypted part matches the nonce it supplied in its request (to detect
+replays). It also verifies that the sname and srealm in the response match
+those in the request (or are otherwise expected values), and that the host
+address field is also correct. It then stores the ticket, session key,
+start and expiration times, and other information for later use. The
+key-expiration field from the encrypted part of the response may be checked
+to notify the user of impending key expiration (the client program could
+then suggest remedial action, such as a password change). See section A.3
+for pseudocode.
+
+Proper decryption of the KRB_AS_REP message is not sufficient to verify the
+identity of the user; the user and an attacker could cooperate to generate
+a KRB_AS_REP format message which decrypts properly but is not from the
+proper KDC. If the host wishes to verify the identity of the user, it must
+require the user to present application credentials which can be verified
+using a securely-stored secret key for the host. If those credentials can
+be verified, then the identity of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+If the reply message type is KRB_ERROR, then the client interprets it as an
+error and performs whatever application-specific tasks are necessary to
+recover. If the client set the CANONICALIZE option and a
+KDC_ERR_WRONG_REALM error was returned, the AS request should be retried to
+the realm and client principal name specified in the error message crealm
+and cname field respectively.
+
+3.2. The Client/Server Authentication Exchange
+
+                             Summary
+Message direction                         Message type    Section
+Client to Application server              KRB_AP_REQ      5.5.1
+[optional] Application server to client   KRB_AP_REP or   5.5.2
+                                          KRB_ERROR       5.9.1
+
+The client/server authentication (CS) exchange is used by network
+applications to authenticate the client to the server and vice versa. The
+client must have already acquired credentials for the server using the AS
+or TGS exchange.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+3.2.1. The KRB_AP_REQ message
+
+The KRB_AP_REQ contains authentication information which should be part of
+the first message in an authenticated transaction. It contains a ticket, an
+authenticator, and some additional bookkeeping information (see section
+5.5.1 for the exact format). The ticket by itself is insufficient to
+authenticate a client, since tickets are passed across the network in
+cleartext[DS90], so the authenticator is used to prevent invalid replay of
+tickets by proving to the server that the client knows the session key of
+the ticket and thus is entitled to use the ticket. The KRB_AP_REQ message
+is referred to elsewhere as the 'authentication header.'
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+When a client wishes to initiate authentication to a server, it obtains
+(either through a credentials cache, the AS exchange, or the TGS exchange)
+a ticket and session key for the desired service. The client may re-use any
+tickets it holds until they expire. To use a ticket the client constructs a
+new Authenticator from the the system time, its name, and optionally an
+application specific checksum, an initial sequence number to be used in
+KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used in
+negotiations for a session key unique to this particular session.
+Authenticators may not be re-used and will be rejected if replayed to a
+server[LGDSR87]. If a sequence number is to be included, it should be
+randomly chosen so that even after many messages have been exchanged it is
+not likely to collide with other sequence numbers in use.
+
+The client may indicate a requirement of mutual authentication or the use
+of a session-key based ticket by setting the appropriate flag(s) in the
+ap-options field of the message.
+
+The Authenticator is encrypted in the session key and combined with the
+ticket to form the KRB_AP_REQ message which is then sent to the end server
+along with any additional application-specific information. See section A.9
+for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+Authentication is based on the server's current time of day (clocks must be
+loosely synchronized), the authenticator, and the ticket. Several errors
+are possible. If an error occurs, the server is expected to reply to the
+client with a KRB_ERROR message. This message may be encapsulated in the
+application protocol if its 'raw' form is not acceptable to the protocol.
+The format of error messages is described in section 5.9.1.
+
+The algorithm for verifying authentication information is as follows. If
+the message type is not KRB_AP_REQ, the server returns the
+KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket in
+the KRB_AP_REQ is not one the server can use (e.g., it indicates an old
+key, and the server no longer possesses a copy of the old key), the
+KRB_AP_ERR_BADKEYVER error is returned. If the USE-SESSION-KEY flag is set
+in the ap-options field, it indicates to the server that the ticket is
+encrypted in the session key from the server's ticket-granting ticket
+rather than its secret key[10]. Since it is possible for the server to be
+registered in multiple realms, with different keys in each, the srealm
+field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to
+specify which secret key the server should use to decrypt that ticket. The
+KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the
+proper key to decipher the ticket.
+
+The ticket is decrypted using the version of the server's key specified by
+the ticket. If the decryption routines detect a modification of the ticket
+(each encryption system must provide safeguards to detect modified
+ciphertext; see section 6), the KRB_AP_ERR_BAD_INTEGRITY error is returned
+(chances are good that different keys were used to encrypt and decrypt).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+The authenticator is decrypted using the session key extracted from the
+decrypted ticket. If decryption shows it to have been modified, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. The name and realm of the
+client from the ticket are compared against the same fields in the
+authenticator. If they don't match, the KRB_AP_ERR_BADMATCH error is
+returned (they might not match, for example, if the wrong session key was
+used to encrypt the authenticator). The addresses in the ticket (if any)
+are then searched for an address matching the operating-system reported
+address of the client. If no match is found or the server insists on ticket
+addresses but none are present in the ticket, the KRB_AP_ERR_BADADDR error
+is returned.
+
+If the local (server) time and the client time in the authenticator differ
+by more than the allowable clock skew (e.g., 5 minutes), the
+KRB_AP_ERR_SKEW error is returned. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen such tuples, the KRB_AP_ERR_REPEAT error is returned[11]. The
+server must remember any authenticator presented within the allowable clock
+skew, so that a replay attempt is guaranteed to fail. If a server loses
+track of any authenticator presented within the allowable clock skew, it
+must reject all requests until the clock skew interval has passed. This
+assures that any lost or re-played authenticators will fall outside the
+allowable clock skew and can no longer be successfully replayed (If this is
+not done, an attacker could conceivably record the ticket and authenticator
+sent over the network to a server, then disable the client's host, pose as
+the disabled host, and replay the ticket and authenticator to subvert the
+authentication.). If a sequence number is provided in the authenticator,
+the server saves it for later use in processing KRB_SAFE and/or KRB_PRIV
+messages. If a subkey is present, the server either saves it for later use
+or uses it to help generate its own choice for a subkey to be returned in a
+KRB_AP_REP message.
+
+The server computes the age of the ticket: local (server) time minus the
+start time inside the Ticket. If the start time is later than the current
+time by more than the allowable clock skew or if the INVALID flag is set in
+the ticket, the KRB_AP_ERR_TKT_NYV error is returned. Otherwise, if the
+current time is later than end time by more than the allowable clock skew,
+the KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+If all these checks succeed without an error, the server is assured that
+the client possesses the credentials of the principal named in the ticket
+and thus, the client has been authenticated to the server. See section A.10
+for pseudocode.
+
+Passing these checks provides only authentication of the named principal;
+it does not imply authorization to use the named service. Applications must
+make a separate authorization decisions based upon the authenticated name
+of the user, the requested operation, local acces control information such
+as that contained in a .k5login or .k5users file, and possibly a separate
+distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+Typically, a client's request will include both the authentication
+information and its initial request in the same message, and the server
+need not explicitly reply to the KRB_AP_REQ. However, if mutual
+authentication (not only authenticating the client to the server, but also
+the server to the client) is being performed, the KRB_AP_REQ message will
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+have MUTUAL-REQUIRED set in its ap-options field, and a KRB_AP_REP message
+is required in response. As with the error message, this message may be
+encapsulated in the application protocol if its "raw" form is not
+acceptable to the application's protocol. The timestamp and microsecond
+field used in the reply must be the client's timestamp and microsecond
+field (as provided in the authenticator)[12]. If a sequence number is to be
+included, it should be randomly chosen as described above for the
+authenticator. A subkey may be included if the server desires to negotiate
+a different subkey. The KRB_AP_REP message is encrypted in the session key
+extracted from the ticket. See section A.11 for pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+If a KRB_AP_REP message is returned, the client uses the session key from
+the credentials obtained for the server[13] to decrypt the message, and
+verifies that the timestamp and microsecond fields match those in the
+Authenticator it sent to the server. If they match, then the client is
+assured that the server is genuine. The sequence number and subkey (if
+present) are retained for later use. See section A.12 for pseudocode.
+
+3.2.6. Using the encryption key
+
+After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
+server share an encryption key which can be used by the application. The
+'true session key' to be used for KRB_PRIV, KRB_SAFE, or other
+application-specific uses may be chosen by the application based on the
+subkeys in the KRB_AP_REP message and the authenticator[14]. In some cases,
+the use of this session key will be implicit in the protocol; in others the
+method of use must be chosen from several alternatives. We leave the
+protocol negotiations of how to use the key (e.g. selecting an encryption
+or checksum type) to the application programmer; the Kerberos protocol does
+not constrain the implementation options, but an example of how this might
+be done follows.
+
+One way that an application may choose to negotiate a key to be used for
+subequent integrity and privacy protection is for the client to propose a
+key in the subkey field of the authenticator. The server can then choose a
+key using the proposed key from the client as input, returning the new
+subkey in the subkey field of the application reply. This key could then be
+used for subsequent communication. To make this example more concrete, if
+the encryption method in use required a 56 bit key, and for whatever
+reason, one of the parties was prevented from using a key with more than 40
+unknown bits, this method would allow the the party which is prevented from
+using more than 40 bits to either propose (if the client) an initial key
+with a known quantity for 16 of those bits, or to mask 16 of the bits (if
+the server) with the known quantity. The application implementor is warned,
+however, that this is only an example, and that an analysis of the
+particular crytosystem to be used, and the reasons for limiting the key
+length, must be made before deciding whether it is acceptable to mask bits
+of the key.
+
+With both the one-way and mutual authentication exchanges, the peers should
+take care not to send sensitive information to each other without proper
+assurances. In particular, applications that require privacy or integrity
+should use the KRB_AP_REP response from the server to client to assure both
+client and server of their peer's identity. If an application protocol
+requires privacy of its messages, it can use the KRB_PRIV message (section
+3.5). The KRB_SAFE message (section 3.4) can be used to assure integrity.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+                          Summary
+      Message direction       Message type     Section
+      1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+      2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                              KRB_ERROR        5.9.1
+
+The TGS exchange between a client and the Kerberos Ticket-Granting Server
+is initiated by a client when it wishes to obtain authentication
+credentials for a given server (which might be registered in a remote
+realm), when it wishes to renew or validate an existing ticket, or when it
+wishes to obtain a proxy ticket. In the first case, the client must already
+have acquired a ticket for the Ticket-Granting Service using the AS
+exchange (the ticket-granting ticket is usually obtained when a client
+initially authenticates to the system, such as when a user logs in). The
+message format for the TGS exchange is almost identical to that for the AS
+exchange. The primary difference is that encryption and decryption in the
+TGS exchange does not take place under the client's key. Instead, the
+session key from the ticket-granting ticket or renewable ticket, or
+sub-session key from an Authenticator is used. As is the case for all
+application servers, expired tickets are not accepted by the TGS, so once a
+renewable or ticket-granting ticket expires, the client must use a separate
+exchange to obtain valid tickets.
+
+The TGS exchange consists of two messages: A request (KRB_TGS_REQ) from the
+client to the Kerberos Ticket-Granting Server, and a reply (KRB_TGS_REP or
+KRB_ERROR). The KRB_TGS_REQ message includes information authenticating the
+client plus a request for credentials. The authentication information
+consists of the authentication header (KRB_AP_REQ) which includes the
+client's previously obtained ticket-granting, renewable, or invalid ticket.
+In the ticket-granting ticket and proxy cases, the request may include one
+or more of: a list of network addresses, a collection of typed
+authorization data to be sealed in the ticket for authorization use by the
+application server, or additional tickets (the use of which are described
+later). The TGS reply (KRB_TGS_REP) contains the requested credentials,
+encrypted in the session key from the ticket-granting ticket or renewable
+ticket, or if present, in the sub-session key from the Authenticator (part
+of the authentication header). The KRB_ERROR message contains an error code
+and text explaining what went wrong. The KRB_ERROR message is not
+encrypted. The KRB_TGS_REP message contains information which can be used
+to detect replays, and to associate it with the message to which it
+replies. The KRB_ERROR message also contains information which can be used
+to associate it with the message to which it replies, but the lack of
+encryption in the KRB_ERROR message precludes the ability to detect replays
+or fabrications of such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+Before sending a request to the ticket-granting service, the client must
+determine in which realm the application server is registered[15], if it is
+known. If the client does know the service principal name and realm and it
+does not already possess a ticket-granting ticket for the appropriate
+realm, then one must be obtained. This is first attempted by requesting a
+ticket-granting ticket for the destination realm from a Kerberos server for
+which the client does posess a ticket-granting ticket (using the
+KRB_TGS_REQ message recursively). The Kerberos server may return a TGT for
+the desired realm in which case one can proceed.
+
+If the client does not know the realm of the service or the true service
+principal name, then the CANONICALIZE option must be used in the request.
+This will cause the TGS to locate the service principal based on the target
+service name in the ticket and return the service principal name in the
+response. Alternatively, the Kerberos server may return a TGT for a realm
+which is 'closer' to the desired realm (further along the standard
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+hierarchical path) or the realm that may contain the requested service
+principal name in a request with the CANONCALIZE option set [JBrezak], in
+which case this step must be repeated with a Kerberos server in the realm
+specified in the returned TGT. If neither are returned, then the request
+must be retried with a Kerberos server for a realm higher in the hierarchy.
+This request will itself require a ticket-granting ticket for the higher
+realm which must be obtained by recursively applying these directions.
+
+Once the client obtains a ticket-granting ticket for the appropriate realm,
+it determines which Kerberos servers serve that realm, and contacts one.
+The list might be obtained through a configuration file or network service
+or it may be generated from the name of the realm; as long as the secret
+keys exchanged by realms are kept secret, only denial of service results
+from using a false Kerberos server.
+
+As in the AS exchange, the client may specify a number of options in the
+KRB_TGS_REQ message. The client prepares the KRB_TGS_REQ message, providing
+an authentication header as an element of the padata field, and including
+the same fields as used in the KRB_AS_REQ message along with several
+optional fields: the enc-authorization-data field for application server
+use and additional tickets required by some options.
+
+In preparing the authentication header, the client can select a sub-session
+key under which the response from the Kerberos server will be
+encrypted[16]. If the sub-session key is not specified, the session key
+from the ticket-granting ticket will be used. If the enc-authorization-data
+is present, it must be encrypted in the sub-session key, if present, from
+the authenticator portion of the authentication header, or if not present,
+using the session key from the ticket-granting ticket.
+
+Once prepared, the message is sent to a Kerberos server for the destination
+realm. See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+The KRB_TGS_REQ message is processed in a manner similar to the KRB_AS_REQ
+message, but there are many additional checks to be performed. First, the
+Kerberos server must determine which server the accompanying ticket is for
+and it must select the appropriate key to decrypt it. For a normal
+KRB_TGS_REQ message, it will be for the ticket granting service, and the
+TGS's key will be used. If the TGT was issued by another realm, then the
+appropriate inter-realm key must be used. If the accompanying ticket is not
+a ticket granting ticket for the current realm, but is for an application
+server in the current realm, the RENEW, VALIDATE, or PROXY options are
+specified in the request, and the server for which a ticket is requested is
+the server named in the accompanying ticket, then the KDC will decrypt the
+ticket in the authentication header using the key of the server for which
+it was issued. If no ticket can be found in the padata field, the
+KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+Once the accompanying ticket has been decrypted, the user-supplied checksum
+in the Authenticator must be verified against the contents of the request,
+and the message rejected if the checksums do not match (with an error code
+of KRB_AP_ERR_MODIFIED) or if the checksum is not keyed or not
+collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). If the
+checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is
+returned. If the authorization-data are present, they are decrypted using
+the sub-session key from the Authenticator.
+
+If any of the decryptions indicate failed integrity checks, the
+KRB_AP_ERR_BAD_INTEGRITY error is returned. If the CANONICALIZE option is
+set in the KRB_TGS_REQ, then the requested service name may not be the true
+principal name or the service may not be in the TGS realm.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+3.3.3. Generation of KRB_TGS_REP message
+
+The KRB_TGS_REP message shares its format with the KRB_AS_REP
+(KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The detailed
+specification is in section 5.4.2.
+
+The response will include a ticket for the requested server. The Kerberos
+database is queried to retrieve the record for the requested server
+(including the key with which the ticket will be encrypted). If the request
+is for a ticket granting ticket for a remote realm, and if no key is shared
+with the requested realm, then the Kerberos server will select the realm
+"closest" to the requested realm with which it does share a key, and use
+that realm instead. If the CANONICALIZE option is set, the TGS may return a
+ticket containing the server name of the true service principal. If the
+requested server cannot be found in the TGS database, then a TGT for
+another trusted realm may be returned instead of a ticket for the service.
+This TGT is a referral mechanism to cause the client to retry the request
+to the realm of the TGT. These are the only cases where the response for
+the KDC will be for a different server than that requested by the client.
+
+By default, the address field, the client's name and realm, the list of
+transited realms, the time of initial authentication, the expiration time,
+and the authorization data of the newly-issued ticket will be copied from
+the ticket-granting ticket (TGT) or renewable ticket. If the transited
+field needs to be updated, but the transited type is not supported, the
+KDC_ERR_TRTYPE_NOSUPP error is returned.
+
+If the request specifies an endtime, then the endtime of the new ticket is
+set to the minimum of (a) that request, (b) the endtime from the TGT, and
+(c) the starttime of the TGT plus the minimum of the maximum life for the
+application server and the maximum life for the local realm (the maximum
+life for the requesting principal was already applied when the TGT was
+issued). If the new ticket is to be a renewal, then the endtime above is
+replaced by the minimum of (a) the value of the renew_till field of the
+ticket and (b) the starttime for the new ticket plus the life
+(endtime-starttime) of the old ticket.
+
+If the FORWARDED option has been requested, then the resulting ticket will
+contain the addresses specified by the client. This option will only be
+honored if the FORWARDABLE flag is set in the TGT. The PROXY option is
+similar; the resulting ticket will contain the addresses specified by the
+client. It will be honored only if the PROXIABLE flag in the TGT is set.
+The PROXY option will not be honored on requests for additional
+ticket-granting tickets.
+
+If the requested start time is absent, indicates a time in the past, or is
+within the window of acceptable clock skew for the KDC and the POSTDATE
+option has not been specified, then the start time of the ticket is set to
+the authentication server's current time. If it indicates a time in the
+future beyond the acceptable clock skew, but the POSTDATED option has not
+been specified or the MAY-POSTDATE flag is not set in the TGT, then the
+error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the
+ticket-granting ticket has the MAY-POSTDATE flag set, then the resulting
+ticket will be postdated and the requested starttime is checked against the
+policy of the local realm. If acceptable, the ticket's start time is set as
+requested, and the INVALID flag is set. The postdated ticket must be
+validated before use by presenting it to the KDC after the starttime has
+been reached. However, in no case may the starttime, endtime, or renew-till
+time of a newly-issued postdated ticket extend beyond the renew-till time
+of the ticket-granting ticket.
+
+If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+has been included in the request, the KDC will decrypt the additional
+ticket using the key for the server to which the additional ticket was
+issued and verify that it is a ticket-granting ticket. If the name of the
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+requested server is missing from the request, the name of the client in the
+additional ticket will be used. Otherwise the name of the requested server
+will be compared to the name of the client in the additional ticket and if
+different, the request will be rejected. If the request succeeds, the
+session key from the additional ticket will be used to encrypt the new
+ticket that is issued instead of using the key of the server for which the
+new ticket will be used[17].
+
+If the name of the server in the ticket that is presented to the KDC as
+part of the authentication header is not that of the ticket-granting server
+itself, the server is registered in the realm of the KDC, and the RENEW
+option is requested, then the KDC will verify that the RENEWABLE flag is
+set in the ticket, that the INVALID flag is not set in the ticket, and that
+the renew_till time is still in the future. If the VALIDATE option is
+rqeuested, the KDC will check that the starttime has passed and the INVALID
+flag is set. If the PROXY option is requested, then the KDC will check that
+the PROXIABLE flag is set in the ticket. If the tests succeed, and the
+ticket passes the hotlist check described in the next paragraph, the KDC
+will issue the appropriate new ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+Whenever a request is made to the ticket-granting server, the presented
+ticket(s) is(are) checked against a hot-list of tickets which have been
+canceled. This hot-list might be implemented by storing a range of issue
+timestamps for 'suspect tickets'; if a presented ticket had an authtime in
+that range, it would be rejected. In this way, a stolen ticket-granting
+ticket or renewable ticket cannot be used to gain additional tickets
+(renewals or otherwise) once the theft has been reported. Any normal ticket
+obtained before it was reported stolen will still be valid (because they
+require no interaction with the KDC), but only until their normal
+expiration time.
+
+The ciphertext part of the response in the KRB_TGS_REP message is encrypted
+in the sub-session key from the Authenticator, if present, or the session
+key key from the ticket-granting ticket. It is not encrypted using the
+client's secret key. Furthermore, the client's key's expiration date and
+the key version number fields are left out since these values are stored
+along with the client's database record, and that record is not needed to
+satisfy a request based on a ticket-granting ticket. See section A.6 for
+pseudocode.
+
+3.3.3.2. Encoding the transited field
+
+If the identity of the server in the TGT that is presented to the KDC as
+part of the authentication header is that of the ticket-granting service,
+but the TGT was issued from another realm, the KDC will look up the
+inter-realm key shared with that realm and use that key to decrypt the
+ticket. If the ticket is valid, then the KDC will honor the request,
+subject to the constraints outlined above in the section describing the AS
+exchange. The realm part of the client's identity will be taken from the
+ticket-granting ticket. The name of the realm that issued the
+ticket-granting ticket will be added to the transited field of the ticket
+to be issued. This is accomplished by reading the transited field from the
+ticket-granting ticket (which is treated as an unordered set of realm
+names), adding the new realm to the set, then constructing and writing out
+its encoded (shorthand) form (this may involve a rearrangement of the
+existing encoding).
+
+Note that the ticket-granting service does not add the name of its own
+realm. Instead, its responsibility is to add the name of the previous
+realm. This prevents a malicious Kerberos server from intentionally leaving
+out its own name (it could, however, omit other realms' names).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+The names of neither the local realm nor the principal's realm are to be
+included in the transited field. They appear elsewhere in the ticket and
+both are known to have taken part in authenticating the principal. Since
+the endpoints are not included, both local and single-hop inter-realm
+authentication result in a transited field that is empty.
+
+Because the name of each realm transited is added to this field, it might
+potentially be very long. To decrease the length of this field, its
+contents are encoded. The initially supported encoding is optimized for the
+normal case of inter-realm communication: a hierarchical arrangement of
+realms using either domain or X.500 style realm names. This encoding
+(called DOMAIN-X500-COMPRESS) is now described.
+
+Realm names in the transited field are separated by a ",". The ",", "\",
+trailing "."s, and leading spaces (" ") are special characters, and if they
+are part of a realm name, they must be quoted in the transited field by
+preced- ing them with a "\".
+
+A realm name ending with a "." is interpreted as being prepended to the
+previous realm. For example, we can encode traversal of EDU, MIT.EDU,
+ATHENA.MIT.EDU, WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+     "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points, that
+they would not be included in this field, and we would have:
+
+     "EDU,MIT.,WASHINGTON.EDU"
+
+A realm name beginning with a "/" is interpreted as being appended to the
+previous realm[18]. If it is to stand by itself, then it should be preceded
+by a space (" "). For example, we can encode traversal of /COM/HP/APOLLO,
+/COM/HP, /COM, and /COM/DEC as:
+
+     "/COM,/HP,/APOLLO, /COM/DEC".
+
+Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints, they
+they would not be included in this field, and we would have:
+
+     "/COM,/HP"
+
+A null subfield preceding or following a "," indicates that all realms
+between the previous realm and the next realm have been traversed[19].
+Thus, "," means that all realms along the path between the client and the
+server have been traversed. ",EDU, /COM," means that that all realms from
+the client's realm up to EDU (in a domain style hierarchy) have been
+traversed, and that everything from /COM down to the server's realm in an
+X.500 style has also been traversed. This could occur if the EDU realm in
+one hierarchy shares an inter-realm key directly with the /COM realm in
+another hierarchy.
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+When the KRB_TGS_REP is received by the client, it is processed in the same
+manner as the KRB_AS_REP processing described above. The primary difference
+is that the ciphertext part of the response must be decrypted using the
+session key from the ticket-granting ticket rather than the client's secret
+key. The server name returned in the reply is the true principal name of
+the service. See section A.7 for pseudocode.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+3.4. The KRB_SAFE Exchange
+
+The KRB_SAFE message may be used by clients requiring the ability to detect
+modifications of messages they exchange. It achieves this by including a
+keyed collision-proof checksum of the user data and some control
+information. The checksum is keyed with an encryption key (usually the last
+key negotiated via subkeys, or the session key if no negotiation has
+occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+When an application wishes to send a KRB_SAFE message, it collects its data
+and the appropriate control information and computes a checksum over them.
+The checksum algorithm should be a keyed one-way hash function (such as the
+RSA- MD5-DES checksum algorithm specified in section 6.4.5, or the DES
+MAC), generated using the sub-session key if present, or the session key.
+Different algorithms may be selected by changing the checksum type in the
+message. Unkeyed or non-collision-proof checksums are not suitable for this
+use.
+
+The control information for the KRB_SAFE message includes both a timestamp
+and a sequence number. The designer of an application using the KRB_SAFE
+message must choose at least one of the two mechanisms. This choice should
+be based on the needs of the application protocol.
+
+Sequence numbers are useful when all messages sent will be received by
+one's peer. Connection state is presently required to maintain the session
+key, so maintaining the next sequence number should not present an
+additional problem.
+
+If the application protocol is expected to tolerate lost messages without
+them being resent, the use of the timestamp is the appropriate replay
+detection mechanism. Using timestamps is also the appropriate mechanism for
+multi-cast protocols where all of one's peers share a common sub-session
+key, but some messages will be sent to a subset of one's peers.
+
+After computing the checksum, the client then transmits the information and
+checksum to the recipient in the message format specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+When an application receives a KRB_SAFE message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and
+type fields match the current version and KRB_SAFE, respectively. A
+mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
+The application verifies that the checksum used is a collision-proof keyed
+checksum, and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is generated. If
+the sender's address was included in the control information, the recipient
+verifies that the operating system's report of the sender's address matches
+the sender's address in the message, and (if a recipient address is
+specified or the recipient requires an address) that one of the recipient's
+addresses appears as the recipient's address in the message. A failed match
+for either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp
+and usec and/or the sequence number fields are checked. If timestamp and
+usec are expected and not present, or they are present but not current, the
+KRB_AP_ERR_SKEW error is generated. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen (sent or received[20] ) such tuples, the KRB_AP_ERR_REPEAT
+error is generated. If an incorrect sequence number is included, or a
+sequence number is expected but not present, the KRB_AP_ERR_BADORDER error
+is generated. If neither a time-stamp and usec or a sequence number is
+present, a KRB_AP_ERR_MODIFIED error is generated. Finally, the checksum is
+computed over the data and control information, and if it doesn't match the
+received checksum, a KRB_AP_ERR_MODIFIED error is generated.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+If all the checks succeed, the application is assured that the message was
+generated by its peer and was not modi- fied in transit.
+
+3.5. The KRB_PRIV Exchange
+
+The KRB_PRIV message may be used by clients requiring confidentiality and
+the ability to detect modifications of exchanged messages. It achieves this
+by encrypting the messages and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+When an application wishes to send a KRB_PRIV message, it collects its data
+and the appropriate control information (specified in section 5.7.1) and
+encrypts them under an encryption key (usually the last key negotiated via
+subkeys, or the session key if no negotiation has occured). As part of the
+control information, the client must choose to use either a timestamp or a
+sequence number (or both); see the discussion in section 3.4.1 for
+guidelines on which to use. After the user data and control information are
+encrypted, the client transmits the ciphertext and some 'envelope'
+information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+When an application receives a KRB_PRIV message, it verifies it as follows.
+If any error occurs, an error code is reported for use by the application.
+
+The message is first checked by verifying that the protocol version and
+type fields match the current version and KRB_PRIV, respectively. A
+mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error.
+The application then decrypts the ciphertext and processes the resultant
+plaintext. If decryption shows the data to have been modified, a
+KRB_AP_ERR_BAD_INTEGRITY error is generated. If the sender's address was
+included in the control information, the recipient verifies that the
+operating system's report of the sender's address matches the sender's
+address in the message, and (if a recipient address is specified or the
+recipient requires an address) that one of the recipient's addresses
+appears as the recipient's address in the message. A failed match for
+either case generates a KRB_AP_ERR_BADADDR error. Then the timestamp and
+usec and/or the sequence number fields are checked. If timestamp and usec
+are expected and not present, or they are present but not current, the
+KRB_AP_ERR_SKEW error is generated. If the server name, along with the
+client name, time and microsecond fields from the Authenticator match any
+recently-seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an
+incorrect sequence number is included, or a sequence number is expected but
+not present, the KRB_AP_ERR_BADORDER error is generated. If neither a
+time-stamp and usec or a sequence number is present, a KRB_AP_ERR_MODIFIED
+error is generated.
+
+If all the checks succeed, the application can assume the message was
+generated by its peer, and was securely transmitted (without intruders able
+to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+The KRB_CRED message may be used by clients requiring the ability to send
+Kerberos credentials from one host to another. It achieves this by sending
+the tickets together with encrypted data containing the session keys and
+other information associated with the tickets.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+3.6.1. Generation of a KRB_CRED message
+
+When an application wishes to send a KRB_CRED message it first (using the
+KRB_TGS exchange) obtains credentials to be sent to the remote host. It
+then constructs a KRB_CRED message using the ticket or tickets so obtained,
+placing the session key needed to use each ticket in the key field of the
+corresponding KrbCredInfo sequence of the encrypted part of the the
+KRB_CRED message.
+
+Other information associated with each ticket and obtained during the
+KRB_TGS exchange is also placed in the corresponding KrbCredInfo sequence
+in the encrypted part of the KRB_CRED message. The current time and, if
+specifically required by the application the nonce, s-address, and
+r-address fields, are placed in the encrypted part of the KRB_CRED message
+which is then encrypted under an encryption key previosuly exchanged in the
+KRB_AP exchange (usually the last key negotiated via subkeys, or the
+session key if no negotiation has occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+When an application receives a KRB_CRED message, it verifies it. If any
+error occurs, an error code is reported for use by the application. The
+message is verified by checking that the protocol version and type fields
+match the current version and KRB_CRED, respectively. A mismatch generates
+a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error. The application then
+decrypts the ciphertext and processes the resultant plaintext. If
+decryption shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY
+error is generated.
+
+If present or required, the recipient verifies that the operating system's
+report of the sender's address matches the sender's address in the message,
+and that one of the recipient's addresses appears as the recipient's
+address in the message. A failed match for either case generates a
+KRB_AP_ERR_BADADDR error. The timestamp and usec fields (and the nonce
+field if required) are checked next. If the timestamp and usec are not
+present, or they are present but not current, the KRB_AP_ERR_SKEW error is
+generated.
+
+If all the checks succeed, the application stores each of the new tickets
+in its ticket cache together with the session key and other information in
+the corresponding KrbCredInfo sequence from the encrypted part of the
+KRB_CRED message.
+
+4. The Kerberos Database
+
+The Kerberos server must have access to a database containing the principal
+identifiers and secret keys of principals to be authenticated[21].
+
+4.1. Database contents
+
+A database entry should contain at least the following fields:
+
+Field                Value
+
+name                 Principal's identifier
+key                  Principal's secret key
+p_kvno               Principal's key version
+max_life             Maximum lifetime for Tickets
+max_renewable_life   Maximum total lifetime for renewable Tickets
+
+The name field is an encoding of the principal's identifier. The key field
+contains an encryption key. This key is the principal's secret key. (The
+key can be encrypted before storage under a Kerberos "master key" to
+protect it in case the database is compromised but the master key is not.
+In that case, an extra field must be added to indicate the master key
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+version used, see below.) The p_kvno field is the key version number of the
+principal's secret key. The max_life field contains the maximum allowable
+lifetime (endtime - starttime) for any Ticket issued for this principal.
+The max_renewable_life field contains the maximum allowable total lifetime
+for any renewable Ticket issued for this principal. (See section 3.1 for a
+description of how these lifetimes are used in determining the lifetime of
+a given Ticket.)
+
+A server may provide KDC service to several realms, as long as the database
+representation provides a mechanism to distinguish between principal
+records with identifiers which differ only in the realm name.
+
+When an application server's key changes, if the change is routine (i.e.
+not the result of disclosure of the old key), the old key should be
+retained by the server until all tickets that had been issued using that
+key have expired. Because of this, it is possible for several keys to be
+active for a single principal. Ciphertext encrypted in a principal's key is
+always tagged with the version of the key that was used for encryption, to
+help the recipient find the proper key for decryption.
+
+When more than one key is active for a particular principal, the principal
+will have more than one record in the Kerberos database. The keys and key
+version numbers will differ between the records (the rest of the fields may
+or may not be the same). Whenever Kerberos issues a ticket, or responds to
+a request for initial authentication, the most recent key (known by the
+Kerberos server) will be used for encryption. This is the key with the
+highest key version number.
+
+4.2. Additional fields
+
+Project Athena's KDC implementation uses additional fields in its database:
+
+Field        Value
+
+K_kvno       Kerberos' key version
+expiration   Expiration date for entry
+attributes   Bit field of attributes
+mod_date     Timestamp of last modification
+mod_name     Modifying principal's identifier
+
+The K_kvno field indicates the key version of the Kerberos master key under
+which the principal's secret key is encrypted.
+
+After an entry's expiration date has passed, the KDC will return an error
+to any client attempting to gain tickets as or for the principal. (A
+database may want to maintain two expiration dates: one for the principal,
+and one for the principal's current key. This allows password aging to work
+independently of the principal's expiration date. However, due to the
+limited space in the responses, the KDC must combine the key expiration and
+principal expiration date into a single value called 'key_exp', which is
+used as a hint to the user to take administrative action.)
+
+The attributes field is a bitfield used to govern the operations involving
+the principal. This field might be useful in conjunction with user
+registration procedures, for site-specific policy implementations (Project
+Athena currently uses it for their user registration process controlled by
+the system-wide database service, Moira [LGDSR87]), to identify whether a
+principal can play the role of a client or server or both, to note whether
+a server is appropriate trusted to recieve credentials delegated by a
+client, or to identify the 'string to key' conversion algorithm used for a
+principal's key[22]. Other bits are used to indicate that certain ticket
+options should not be allowed in tickets encrypted under a principal's key
+(one bit each): Disallow issuing postdated tickets, disallow issuing
+forwardable tickets, disallow issuing tickets based on TGT authentication,
+disallow issuing renewable tickets, disallow issuing proxiable tickets, and
+disallow issuing tickets for which the principal is the server.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+The mod_date field contains the time of last modification of the entry, and
+the mod_name field contains the name of the principal which last modified
+the entry.
+
+4.3. Frequently Changing Fields
+
+Some KDC implementations may wish to maintain the last time that a request
+was made by a particular principal. Information that might be maintained
+includes the time of the last request, the time of the last request for a
+ticket-granting ticket, the time of the last use of a ticket-granting
+ticket, or other times. This information can then be returned to the user
+in the last-req field (see section 5.2).
+
+Other frequently changing information that can be maintained is the latest
+expiration time for any tickets that have been issued using each key. This
+field would be used to indicate how long old keys must remain valid to
+allow the continued use of outstanding tickets.
+
+4.4. Site Constants
+
+The KDC implementation should have the following configurable constants or
+options, to allow an administrator to make and enforce policy decisions:
+
+   * The minimum supported lifetime (used to determine whether the
+     KDC_ERR_NEVER_VALID error should be returned). This constant should
+     reflect reasonable expectations of round-trip time to the KDC,
+     encryption/decryption time, and processing time by the client and
+     target server, and it should allow for a minimum 'useful' lifetime.
+   * The maximum allowable total (renewable) lifetime of a ticket
+     (renew_till - starttime).
+   * The maximum allowable lifetime of a ticket (endtime - starttime).
+   * Whether to allow the issue of tickets with empty address fields
+     (including the ability to specify that such tickets may only be issued
+     if the request specifies some authorization_data).
+   * Whether proxiable, forwardable, renewable or post-datable tickets are
+     to be issued.
+
+5. Message Specifications
+
+The following sections describe the exact contents and encoding of protocol
+messages and objects. The ASN.1 base definitions are presented in the first
+subsection. The remaining subsections specify the protocol objects (tickets
+and authenticators) and messages. Specification of encryption and checksum
+techniques, and the fields related to them, appear in section 6.
+
+Optional field in ASN.1 sequences
+
+For optional integer value and date fields in ASN.1 sequences where a
+default value has been specified, certain default values will not be
+allowed in the encoding because these values will always be represented
+through defaulting by the absence of the optional field. For example, one
+will not send a microsecond zero value because one must make sure that
+there is only one way to encode this value.
+
+Additional fields in ASN.1 sequences
+
+Implementations receiving Kerberos messages with additional fields present
+in ASN.1 sequences should carry the those fields through, unmodified, when
+the message is forwarded. Implementations should not drop such fields if
+the sequence is reencoded.
+
+5.1. ASN.1 Distinguished Encoding Representation
+
+All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+Representation of the data elements as described in the X.509
+specification, section 8.7 [X509-88].
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.2. ASN.1 Base Definitions
+
+The following ASN.1 base definitions are used in the rest of this section.
+Note that since the underscore character (_) is not permitted in ASN.1
+names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
+
+Realm ::=           GeneralString
+PrincipalName ::=   SEQUENCE {
+                    name-type[0]     INTEGER,
+                    name-string[1]   SEQUENCE OF GeneralString
+}
+
+Kerberos realms are encoded as GeneralStrings. Realms shall not contain a
+character with the code 0 (the ASCII NUL). Most realms will usually consist
+of several components separated by periods (.), in the style of Internet
+Domain Names, or separated by slashes (/) in the style of X.500 names.
+Acceptable forms for realm names are specified in section 7. A
+PrincipalName is a typed sequence of components consisting of the following
+sub-fields:
+
+name-type
+     This field specifies the type of name that follows. Pre-defined values
+     for this field are specified in section 7.2. The name-type should be
+     treated as a hint. Ignoring the name type, no two names can be the
+     same (i.e. at least one of the components, or the realm, must be
+     different). This constraint may be eliminated in the future.
+name-string
+     This field encodes a sequence of components that form a name, each
+     component encoded as a GeneralString. Taken together, a PrincipalName
+     and a Realm form a principal identifier. Most PrincipalNames will have
+     only a few components (typically one or two).
+
+KerberosTime ::=   GeneralizedTime
+                   -- Specifying UTC time zone (Z)
+
+The timestamps used in Kerberos are encoded as GeneralizedTimes. An
+encoding shall specify the UTC time zone (Z) and shall not include any
+fractional portions of the seconds. It further shall not include any
+separators. Example: The only valid format for UTC time 6 minutes, 27
+seconds after 9 pm on 6 November 1985 is 19851106210627Z.
+
+HostAddress ::=     SEQUENCE  {
+                    addr-type[0]             INTEGER,
+                    address[1]               OCTET STRING
+}
+
+HostAddresses ::=   SEQUENCE OF HostAddress
+
+The host adddress encodings consists of two fields:
+
+addr-type
+     This field specifies the type of address that follows. Pre-defined
+     values for this field are specified in section 8.1.
+address
+     This field encodes a single address of type addr-type.
+
+The two forms differ slightly. HostAddress contains exactly one address;
+HostAddresses contains a sequence of possibly many addresses.
+
+AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                        ad-type[0]               INTEGER,
+                        ad-data[1]               OCTET STRING
+}
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+ad-data
+     This field contains authorization data to be interpreted according to
+     the value of the corresponding ad-type field.
+ad-type
+     This field specifies the format for the ad-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved
+     for registered use.
+
+Each sequence of type and data is refered to as an authorization element.
+Elements may be application specific, however, there is a common set of
+recursive elements that should be understood by all implementations. These
+elements contain other elements embedded within them, and the
+interpretation of the encapsulating element determines which of the
+embedded elements must be interpreted, and which may be ignored.
+Definitions for these common elements may be found in Appendix B.
+
+TicketExtensions ::= SEQUENCE OF SEQUENCE {
+           te-type[0]       INTEGER,
+           te-data[1]       OCTET STRING
+}
+
+
+
+te-data
+     This field contains opaque data that must be caried with the ticket to
+     support extensions to the Kerberos protocol including but not limited
+     to some forms of inter-realm key exchange and plaintext authorization
+     data. See appendix C for some common uses of this field.
+te-type
+     This field specifies the format for the te-data subfield. All negative
+     values are reserved for local use. Non-negative values are reserved
+     for registered use.
+
+APOptions ::=   BIT STRING
+                  -- reserved(0),
+                  -- use-session-key(1),
+                  -- mutual-required(2)
+
+TicketFlags ::= BIT STRING
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- may-postdate(5),
+                  -- postdated(6),
+                  -- invalid(7),
+                  -- renewable(8),
+                  -- initial(9),
+                  -- pre-authent(10),
+                  -- hw-authent(11),
+                  -- transited-policy-checked(12),
+                  -- ok-as-delegate(13)
+
+KDCOptions ::=   BIT STRING io
+                  -- reserved(0),
+                  -- forwardable(1),
+                  -- forwarded(2),
+                  -- proxiable(3),
+                  -- proxy(4),
+                  -- allow-postdate(5),
+                  -- postdated(6),
+                  -- unused7(7),
+                  -- renewable(8),
+                  -- unused9(9),
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                  -- unused10(10),
+                  -- unused11(11),
+                  -- unused12(12),
+                  -- unused13(13),
+                  -- requestanonymous(14),
+                  -- canonicalize(15),
+                  -- disable-transited-check(26),
+                  -- renewable-ok(27),
+                  -- enc-tkt-in-skey(28),
+                  -- renew(30),
+                  -- validate(31)
+
+ASN.1 Bit strings have a length and a value. When used in Kerberos for the
+APOptions, TicketFlags, and KDCOptions, the length of the bit string on
+generated values should be the smallest number of bits needed to include
+the highest order bit that is set (1), but in no case less than 32 bits.
+The ASN.1 representation of the bit strings uses unnamed bits, with the
+meaning of the individual bits defined by the comments in the specification
+above. Implementations should accept values of bit strings of any length
+and treat the value of flags corresponding to bits beyond the end of the
+bit string as if the bit were reset (0). Comparison of bit strings of
+different length should treat the smaller string as if it were padded with
+zeros beyond the high order bits to the length of the longer string[23].
+
+LastReq ::=   SEQUENCE OF SEQUENCE {
+               lr-type[0]               INTEGER,
+               lr-value[1]              KerberosTime
+}
+
+lr-type
+     This field indicates how the following lr-value field is to be
+     interpreted. Negative values indicate that the information pertains
+     only to the responding server. Non-negative values pertain to all
+     servers for the realm. If the lr-type field is zero (0), then no
+     information is conveyed by the lr-value subfield. If the absolute
+     value of the lr-type field is one (1), then the lr-value subfield is
+     the time of last initial request for a TGT. If it is two (2), then the
+     lr-value subfield is the time of last initial request. If it is three
+     (3), then the lr-value subfield is the time of issue for the newest
+     ticket-granting ticket used. If it is four (4), then the lr-value
+     subfield is the time of the last renewal. If it is five (5), then the
+     lr-value subfield is the time of last request (of any type). If it is
+     (6), then the lr-value subfield is the time when the password will
+     expire.
+lr-value
+     This field contains the time of the last request. the time must be
+     interpreted according to the contents of the accompanying lr-type
+     subfield.
+
+See section 6 for the definitions of Checksum, ChecksumType, EncryptedData,
+EncryptionKey, EncryptionType, and KeyType.
+
+5.3. Tickets and Authenticators
+
+This section describes the format and encryption parameters for tickets and
+authenticators. When a ticket or authenticator is included in a protocol
+message it is treated as an opaque object.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.3.1. Tickets
+
+A ticket is a record that helps a client authenticate to a service. A
+Ticket contains the following information:
+
+Ticket ::=        [APPLICATION 1] SEQUENCE {
+                  tkt-vno[0]                   INTEGER,
+                  realm[1]                     Realm,
+                  sname[2]                     PrincipalName,
+                  enc-part[3]                  EncryptedData,
+                  extensions[4]                TicketExtensions OPTIONAL
+}
+
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+                  flags[0]                     TicketFlags,
+                  key[1]                       EncryptionKey,
+                  crealm[2]                    Realm,
+                  cname[3]                     PrincipalName,
+                  transited[4]                 TransitedEncoding,
+                  authtime[5]                  KerberosTime,
+                  starttime[6]                 KerberosTime OPTIONAL,
+                  endtime[7]                   KerberosTime,
+                  renew-till[8]                KerberosTime OPTIONAL,
+                  caddr[9]                     HostAddresses OPTIONAL,
+                  authorization-data[10]       AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=   SEQUENCE {
+                        tr-type[0]             INTEGER, -- must be
+registered
+                        contents[1]            OCTET STRING
+}
+
+The encoding of EncTicketPart is encrypted in the key shared by Kerberos
+and the end server (the server's secret key). See section 6 for the format
+of the ciphertext.
+
+tkt-vno
+     This field specifies the version number for the ticket format. This
+     document describes version number 5.
+realm
+     This field specifies the realm that issued a ticket. It also serves to
+     identify the realm part of the server's principal identifier. Since a
+     Kerberos server can only issue tickets for servers within its realm,
+     the two will always be identical.
+sname
+     This field specifies all components of the name part of the server's
+     identity, including those parts that identify a specific instance of a
+     service.
+enc-part
+     This field holds the encrypted encoding of the EncTicketPart sequence.
+extensions
+     This optional field contains a sequence of extentions that may be used
+     to carry information that must be carried with the ticket to support
+     several extensions, including but not limited to plaintext
+     authorization data, tokens for exchanging inter-realm keys, and other
+     information that must be associated with a ticket for use by the
+     application server. See Appendix C for definitions of some common
+     extensions.
+
+     Note that some older versions of Kerberos did not support this field.
+     Because this is an optional field it will not break older clients, but
+     older clients might strip this field from the ticket before sending it
+     to the application server. This limits the usefulness of this ticket
+     field to environments where the ticket will not be parsed and
+     reconstructed by these older Kerberos clients.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     If it is known that the client will strip this field from the ticket,
+     as an interim measure the KDC may append this field to the end of the
+     enc-part of the ticket and append a traler indicating the lenght of
+     the appended extensions field. (this paragraph is open for discussion,
+     including the form of the traler).
+flags
+     This field indicates which of various options were used or requested
+     when the ticket was issued. It is a bit-field, where the selected
+     options are indicated by the bit being set (1), and the unselected
+     options and reserved fields being reset (0). Bit 0 is the most
+     significant bit. The encoding of the bits is specified in section 5.2.
+     The flags are described in more detail above in section 2. The
+     meanings of the flags are:
+
+          Bit(s)      Name         Description
+
+          0           RESERVED
+                                   Reserved for future  expansion  of  this
+                                   field.
+
+          1           FORWARDABLE
+                                   The FORWARDABLE flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  When set,  this
+                                   flag  tells  the  ticket-granting server
+                                   that it is OK to  issue  a  new  ticket-
+                                   granting ticket with a different network
+                                   address based on the presented ticket.
+
+          2           FORWARDED
+                                   When set, this flag indicates  that  the
+                                   ticket  has either been forwarded or was
+                                   issued based on authentication involving
+                                   a forwarded ticket-granting ticket.
+
+          3           PROXIABLE
+                                   The  PROXIABLE  flag  is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.   The  PROXIABLE
+                                   flag  has an interpretation identical to
+                                   that of  the  FORWARDABLE  flag,  except
+                                   that   the   PROXIABLE  flag  tells  the
+                                   ticket-granting server  that  only  non-
+                                   ticket-granting  tickets  may  be issued
+                                   with different network addresses.
+
+          4           PROXY
+                                   When set, this  flag  indicates  that  a
+                                   ticket is a proxy.
+
+          5           MAY-POSTDATE
+                                   The MAY-POSTDATE flag is  normally  only
+                                   interpreted  by  the  TGS,  and  can  be
+                                   ignored by end servers.  This flag tells
+                                   the  ticket-granting server that a post-
+                                   dated ticket may be issued based on this
+                                   ticket-granting ticket.
+
+          6           POSTDATED
+                                   This flag indicates that this ticket has
+                                   been  postdated.   The  end-service  can
+                                   check the authtime field to see when the
+                                   original authentication occurred.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+          7           INVALID
+                                   This flag indicates  that  a  ticket  is
+                                   invalid, and it must be validated by the
+                                   KDC  before  use.   Application  servers
+                                   must reject tickets which have this flag
+                                   set.
+
+          8           RENEWABLE
+                                   The  RENEWABLE  flag  is  normally  only
+                                   interpreted  by the TGS, and can usually
+                                   be ignored by end servers (some particu-
+                                   larly careful servers may wish to disal-
+                                   low  renewable  tickets).   A  renewable
+                                   ticket  can be used to obtain a replace-
+                                   ment ticket  that  expires  at  a  later
+                                   date.
+
+          9           INITIAL
+                                   This flag indicates that this ticket was
+                                   issued  using  the  AS protocol, and not
+                                   issued  based   on   a   ticket-granting
+                                   ticket.
+
+          10          PRE-AUTHENT
+                                   This flag indicates that during  initial
+                                   authentication, the client was authenti-
+                                   cated by the KDC  before  a  ticket  was
+                                   issued.    The   strength  of  the  pre-
+                                   authentication method is not  indicated,
+                                   but is acceptable to the KDC.
+
+          11          HW-AUTHENT
+                                   This flag indicates  that  the  protocol
+                                   employed   for   initial  authentication
+                                   required the use of hardware expected to
+                                   be possessed solely by the named client.
+                                   The hardware  authentication  method  is
+                                   selected  by the KDC and the strength of
+                                   the method is not indicated.
+
+          12           TRANSITED   This flag indicates that the KDC for the
+                  POLICY-CHECKED   realm has checked the transited field
+                                   against a realm defined policy for
+                                   trusted certifiers.  If this flag is
+                                   reset (0), then the application server
+                                   must check the transited field itself,
+                                   and if unable to do so it must reject
+                                   the authentication.  If the flag is set
+                                   (1) then the application server may skip
+                                   its own validation of the transited
+                                   field, relying on the validation
+                                   performed by the KDC.  At its option the
+                                   application server may still apply its
+                                   own validation based on a separate
+                                   policy for acceptance.
+
+          13      OK-AS-DELEGATE   This flag indicates that the server (not
+                                   the client) specified in the ticket has
+                                   been determined by policy of the realm
+                                   to be a suitable recipient of
+                                   delegation.  A client can use the
+                                   presence of this flag to help it make a
+                                   decision whether to delegate credentials
+                                   (either grant a proxy or a forwarded
+                                   ticket granting ticket) to this server.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                                   The client is free to ignore the value
+                                   of this flag.  When setting this flag,
+                                   an administrator should consider the
+                                   Security and placement of the server on
+                                   which the service will run, as well as
+                                   whether the service requires the use of
+                                   delegated credentials.
+
+          14          ANONYMOUS
+                                   This flag indicates that  the  principal
+                                   named in the ticket is a generic princi-
+                                   pal for the realm and does not  identify
+                                   the  individual  using  the ticket.  The
+                                   purpose  of  the  ticket  is   only   to
+                                   securely  distribute  a session key, and
+                                   not to identify  the  user.   Subsequent
+                                   requests  using the same ticket and ses-
+                                   sion may be  considered  as  originating
+                                   from  the  same  user, but requests with
+                                   the same username but a different ticket
+                                   are  likely  to originate from different
+                                   users.
+
+          15-31       RESERVED
+                                   Reserved for future use.
+
+key
+     This field exists in the ticket and the KDC response and is used to
+     pass the session key from Kerberos to the application server and the
+     client. The field's encoding is described in section 6.2.
+crealm
+     This field contains the name of the realm in which the client is
+     registered and in which initial authentication took place.
+cname
+     This field contains the name part of the client's principal
+     identifier.
+transited
+     This field lists the names of the Kerberos realms that took part in
+     authenticating the user to whom this ticket was issued. It does not
+     specify the order in which the realms were transited. See section
+     3.3.3.2 for details on how this field encodes the traversed realms.
+     When the names of CA's are to be embedded inthe transited field (as
+     specified for some extentions to the protocol), the X.500 names of the
+     CA's should be mapped into items in the transited field using the
+     mapping defined by RFC2253.
+authtime
+     This field indicates the time of initial authentication for the named
+     principal. It is the time of issue for the original ticket on which
+     this ticket is based. It is included in the ticket to provide
+     additional information to the end service, and to provide the
+     necessary information for implementation of a `hot list' service at
+     the KDC. An end service that is particularly paranoid could refuse to
+     accept tickets for which the initial authentication occurred "too far"
+     in the past. This field is also returned as part of the response from
+     the KDC. When returned as part of the response to initial
+     authentication (KRB_AS_REP), this is the current time on the Kerberos
+     server[24].
+starttime
+     This field in the ticket specifies the time after which the ticket is
+     valid. Together with endtime, this field specifies the life of the
+     ticket. If it is absent from the ticket, its value should be treated
+     as that of the authtime field.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+endtime
+     This field contains the time after which the ticket will not be
+     honored (its expiration time). Note that individual services may place
+     their own limits on the life of a ticket and may reject tickets which
+     have not yet expired. As such, this is really an upper bound on the
+     expiration time for the ticket.
+renew-till
+     This field is only present in tickets that have the RENEWABLE flag set
+     in the flags field. It indicates the maximum endtime that may be
+     included in a renewal. It can be thought of as the absolute expiration
+     time for the ticket, including all renewals.
+caddr
+     This field in a ticket contains zero (if omitted) or more (if present)
+     host addresses. These are the addresses from which the ticket can be
+     used. If there are no addresses, the ticket can be used from any
+     location. The decision by the KDC to issue or by the end server to
+     accept zero-address tickets is a policy decision and is left to the
+     Kerberos and end-service administrators; they may refuse to issue or
+     accept such tickets. The suggested and default policy, however, is
+     that such tickets will only be issued or accepted when additional
+     information that can be used to restrict the use of the ticket is
+     included in the authorization_data field. Such a ticket is a
+     capability.
+
+     Network addresses are included in the ticket to make it harder for an
+     attacker to use stolen credentials. Because the session key is not
+     sent over the network in cleartext, credentials can't be stolen simply
+     by listening to the network; an attacker has to gain access to the
+     session key (perhaps through operating system security breaches or a
+     careless user's unattended session) to make use of stolen tickets.
+
+     It is important to note that the network address from which a
+     connection is received cannot be reliably determined. Even if it could
+     be, an attacker who has compromised the client's workstation could use
+     the credentials from there. Including the network addresses only makes
+     it more difficult, not impossible, for an attacker to walk off with
+     stolen credentials and then use them from a "safe" location.
+authorization-data
+     The authorization-data field is used to pass authorization data from
+     the principal on whose behalf a ticket was issued to the application
+     service. If no authorization data is included, this field will be left
+     out. Experience has shown that the name of this field is confusing,
+     and that a better name for this field would be restrictions.
+     Unfortunately, it is not possible to change the name of this field at
+     this time.
+
+     This field contains restrictions on any authority obtained on the
+     basis of authentication using the ticket. It is possible for any
+     principal in posession of credentials to add entries to the
+     authorization data field since these entries further restrict what can
+     be done with the ticket. Such additions can be made by specifying the
+     additional entries when a new ticket is obtained during the TGS
+     exchange, or they may be added during chained delegation using the
+     authorization data field of the authenticator.
+
+     Because entries may be added to this field by the holder of
+     credentials, except when an entry is separately authenticated by
+     encapulation in the kdc-issued element, it is not allowable for the
+     presence of an entry in the authorization data field of a ticket to
+     amplify the priveleges one would obtain from using a ticket.
+
+     The data in this field may be specific to the end service; the field
+     will contain the names of service specific objects, and the rights to
+     those objects. The format for this field is described in section 5.2.
+     Although Kerberos is not concerned with the format of the contents of
+     the sub-fields, it does carry type information (ad-type).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     By using the authorization_data field, a principal is able to issue a
+     proxy that is valid for a specific purpose. For example, a client
+     wishing to print a file can obtain a file server proxy to be passed to
+     the print server. By specifying the name of the file in the
+     authorization_data field, the file server knows that the print server
+     can only use the client's rights when accessing the particular file to
+     be printed.
+
+     A separate service providing authorization or certifying group
+     membership may be built using the authorization-data field. In this
+     case, the entity granting authorization (not the authorized entity),
+     may obtain a ticket in its own name (e.g. the ticket is issued in the
+     name of a privelege server), and this entity adds restrictions on its
+     own authority and delegates the restricted authority through a proxy
+     to the client. The client would then present this authorization
+     credential to the application server separately from the
+     authentication exchange. Alternatively, such authorization credentials
+     may be embedded in the ticket authenticating the authorized entity,
+     when the authorization is separately authenticated using the
+     kdc-issued authorization data element (see B.4).
+
+     Similarly, if one specifies the authorization-data field of a proxy
+     and leaves the host addresses blank, the resulting ticket and session
+     key can be treated as a capability. See [Neu93] for some suggested
+     uses of this field.
+
+     The authorization-data field is optional and does not have to be
+     included in a ticket.
+
+5.3.2. Authenticators
+
+An authenticator is a record sent with a ticket to a server to certify the
+client's knowledge of the encryption key in the ticket, to help the server
+detect replays, and to help choose a "true session key" to use with the
+particular session. The encoding is encrypted in the ticket's session key
+shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::= [APPLICATION 2] SEQUENCE  {
+                  authenticator-vno[0]          INTEGER,
+                  crealm[1]                     Realm,
+                  cname[2]                      PrincipalName,
+                  cksum[3]                      Checksum OPTIONAL,
+                  cusec[4]                      INTEGER,
+                  ctime[5]                      KerberosTime,
+                  subkey[6]                     EncryptionKey OPTIONAL,
+                  seq-number[7]                 INTEGER OPTIONAL,
+                  authorization-data[8]         AuthorizationData OPTIONAL
+}
+
+
+authenticator-vno
+     This field specifies the version number for the format of the
+     authenticator. This document specifies version 5.
+crealm and cname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+cksum
+     This field contains a checksum of the the applica- tion data that
+     accompanies the KRB_AP_REQ.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+     Its value (before encryption) ranges from 0 to 999999. It often
+     appears along with ctime. The two fields are used together to specify
+     a reasonably accurate timestamp.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+ctime
+     This field contains the current time on the client's host.
+subkey
+     This field contains the client's choice for an encryption key which is
+     to be used to protect this specific application session. Unless an
+     application specifies otherwise, if this field is left out the session
+     key from the ticket will be used.
+seq-number
+     This optional field includes the initial sequence number to be used by
+     the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to
+     detect replays (It may also be used by application specific messages).
+     When included in the authenticator this field specifies the initial
+     sequence number for messages from the client to the server. When
+     included in the AP-REP message, the initial sequence number is that
+     for messages from the server to the client. When used in KRB_PRIV or
+     KRB_SAFE messages, it is incremented by one after each message is
+     sent. Sequence numbers fall in the range of 0 through 2^32 - 1 and
+     wrap to zero following the value 2^32 - 1.
+
+     For sequence numbers to adequately support the detection of replays
+     they should be non-repeating, even across connection boundaries. The
+     initial sequence number should be random and uniformly distributed
+     across the full space of possible sequence numbers, so that it cannot
+     be guessed by an attacker and so that it and the successive sequence
+     numbers do not repeat other sequences.
+authorization-data
+     This field is the same as described for the ticket in section 5.3.1.
+     It is optional and will only appear when additional restrictions are
+     to be placed on the use of a ticket, beyond those carried in the
+     ticket itself.
+
+5.4. Specifications for the AS and TGS exchanges
+
+This section specifies the format of the messages used in the exchange
+between the client and the Kerberos server. The format of possible error
+messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+The KRB_KDC_REQ message has no type of its own. Instead, its type is one of
+KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is for an
+initial ticket or an additional ticket. In either case, the message is sent
+from the client to the Authentication Server to request credentials for a
+service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+                   pvno[1]            INTEGER,
+                   msg-type[2]        INTEGER,
+                   padata[3]          SEQUENCE OF PA-DATA OPTIONAL,
+                   req-body[4]        KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+                   padata-type[1]     INTEGER,
+                   padata-value[2]    OCTET STRING,
+                                      -- might be encoded AP-REQ
+}
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+KDC-REQ-BODY ::=   SEQUENCE {
+                    kdc-options[0]         KDCOptions,
+                    cname[1]               PrincipalName OPTIONAL,
+                                           -- Used only in AS-REQ
+                    realm[2]               Realm, -- Server's realm
+                                           -- Also client's in AS-REQ
+                    sname[3]               PrincipalName OPTIONAL,
+                    from[4]                KerberosTime OPTIONAL,
+                    till[5]                KerberosTime OPTIONAL,
+                    rtime[6]               KerberosTime OPTIONAL,
+                    nonce[7]               INTEGER,
+                    etype[8]               SEQUENCE OF INTEGER,
+                                           -- EncryptionType,
+                                           -- in preference order
+                    addresses[9]           HostAddresses OPTIONAL,
+                enc-authorization-data[10] EncryptedData OPTIONAL,
+                                           -- Encrypted AuthorizationData
+                                           -- encoding
+                    additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+The fields in this message are:
+
+pvno
+     This field is included in each message, and specifies the protocol
+     version number. This document specifies protocol version 5.
+msg-type
+     This field indicates the type of a protocol message. It will almost
+     always be the same as the application identifier associated with a
+     message. It is included to make the identifier more readily accessible
+     to the application. For the KDC-REQ message, this type will be
+     KRB_AS_REQ or KRB_TGS_REQ.
+padata
+     The padata (pre-authentication data) field contains a sequence of
+     authentication information which may be needed before credentials can
+     be issued or decrypted. In the case of requests for additional tickets
+     (KRB_TGS_REQ), this field will include an element with padata-type of
+     PA-TGS-REQ and data of an authentication header (ticket-granting
+     ticket and authenticator). The checksum in the authenticator (which
+     must be collision-proof) is to be computed over the KDC-REQ-BODY
+     encoding. In most requests for initial authentication (KRB_AS_REQ) and
+     most replies (KDC-REP), the padata field will be left out.
+
+     This field may also contain information needed by certain extensions
+     to the Kerberos protocol. For example, it might be used to initially
+     verify the identity of a client before any response is returned. When
+     this field is used to authenticate or pre-authenticate a request, it
+     should contain a keyed checksum over the KDC-REQ-BODY to bind the
+     pre-authentication data to rest of the request. The KDC, as a matter
+     of policy, may decide whether to honor a KDC-REQ which includes any
+     pre-authentication data that does not contain the checksum field.
+     PA-ENC-TIMESTAMP defines a pre-authentication data type that is used
+     for authenticating a client by way of an encrypted timestamp. This is
+     accomplished with a padata field with padata-type equal to
+     PA-ENC-TIMESTAMP and padata-value defined as follows (query: the
+     checksum is new in this definition. If the optional field will break
+     things we can keep the old PA-ENC-TS-ENC, and define a new alternate
+     form that includes the checksum). :
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+          padata-type     ::= PA-ENC-TIMESTAMP
+          padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+          PA-ENC-TS-ENC   ::= SEQUENCE {
+                          patimestamp[0]     KerberosTime, -- client's time
+                          pausec[1]          INTEGER OPTIONAL,
+                          pachecksum[2]      checksum OPTIONAL
+                                             -- keyed checksum of
+KDC-REQ-BODY
+          }
+
+     with patimestamp containing the client's time and pausec containing
+     the microseconds which may be omitted if a client will not generate
+     more than one request per second. The ciphertext (padata-value)
+     consists of the PA-ENC-TS-ENC sequence, encrypted using the client's
+     secret key.
+
+     [use-specified-kvno item is here for discussion and may be removed] It
+     may also be used by the client to specify the version of a key that is
+     being used for accompanying preauthentication, and/or which should be
+     used to encrypt the reply from the KDC.
+
+     PA-USE-SPECIFIED-KVNO  ::=  Integer
+
+     The KDC should only accept and abide by the value of the
+     use-specified-kvno preauthentication data field when the specified key
+     is still valid and until use of a new key is confirmed. This situation
+     is likely to occur primarily during the period during which an updated
+     key is propagating to other KDC's in a realm.
+
+     The padata field can also contain information needed to help the KDC
+     or the client select the key needed for generating or decrypting the
+     response. This form of the padata is useful for supporting the use of
+     certain token cards with Kerberos. The details of such extensions are
+     specified in separate documents. See [Pat92] for additional uses of
+     this field.
+padata-type
+     The padata-type element of the padata field indicates the way that the
+     padata-value element is to be interpreted. Negative values of
+     padata-type are reserved for unregistered use; non-negative values are
+     used for a registered interpretation of the element type.
+req-body
+     This field is a placeholder delimiting the extent of the remaining
+     fields. If a checksum is to be calculated over the request, it is
+     calculated over an encoding of the KDC-REQ-BODY sequence which is
+     enclosed within the req-body field.
+kdc-options
+     This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the
+     KDC and indicates the flags that the client wants set on the tickets
+     as well as other information that is to modify the behavior of the
+     KDC. Where appropriate, the name of an option may be the same as the
+     flag that is set by that option. Although in most case, the bit in the
+     options field will be the same as that in the flags field, this is not
+     guaranteed, so it is not acceptable to simply copy the options field
+     to the flags field. There are various checks that must be made before
+     honoring an option anyway.
+
+     The kdc_options field is a bit-field, where the selected options are
+     indicated by the bit being set (1), and the unselected options and
+     reserved fields being reset (0). The encoding of the bits is specified
+     in section 5.2. The options are described in more detail above in
+     section 2. The meanings of the options are:
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+        Bit(s)    Name                Description
+         0        RESERVED
+                                      Reserved for future  expansion  of
+this
+                                      field.
+
+         1        FORWARDABLE
+                                      The FORWARDABLE  option  indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      forwardable flag set.  It  may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based is also
+for-
+                                      wardable.
+
+         2        FORWARDED
+                                      The FORWARDED option is  only
+specified
+                                      in  a  request  to  the
+ticket-granting
+                                      server and will only be honored  if
+the
+                                      ticket-granting  ticket  in  the
+request
+                                      has  its  FORWARDABLE  bit  set.
+This
+                                      option  indicates that this is a
+request
+                                      for forwarding.  The address(es) of
+the
+                                      host  from which the resulting ticket
+is
+                                      to  be  valid  are   included   in
+the
+                                      addresses field of the request.
+
+         3        PROXIABLE
+                                      The PROXIABLE option indicates that
+the
+                                      ticket to be issued is to have its
+prox-
+                                      iable flag set.  It may only be  set
+on
+                                      the  initial request, or in a
+subsequent
+                                      request if the ticket-granting ticket
+on
+                                      which it is based is also proxiable.
+
+         4        PROXY
+                                      The PROXY option indicates that this
+is
+                                      a request for a proxy.  This option
+will
+                                      only be honored if  the
+ticket-granting
+                                      ticket  in the request has its
+PROXIABLE
+                                      bit set.  The address(es)  of  the
+host
+                                      from which the resulting ticket is to
+be
+                                       valid  are  included  in  the
+addresses
+                                      field of the request.
+
+         5        ALLOW-POSTDATE
+                                      The ALLOW-POSTDATE option indicates
+that
+                                      the  ticket  to be issued is to have
+its
+                                      MAY-POSTDATE flag set.  It may  only
+be
+                                      set on the initial request, or in a
+sub-
+                                      sequent request if  the
+ticket-granting
+                                      ticket on which it is based also has
+its
+                                      MAY-POSTDATE flag set.
+
+         6        POSTDATED
+                                      The POSTDATED option indicates that
+this
+                                      is  a  request  for  a postdated
+ticket.
+                                      This option will only be honored if
+the
+                                      ticket-granting  ticket  on  which it
+is
+                                      based has  its  MAY-POSTDATE  flag
+set.
+                                      The  resulting ticket will also have
+its
+                                      INVALID flag set, and that flag  may
+be
+                                      reset by a subsequent request to the
+KDC
+                                      after the starttime in  the  ticket
+has
+                                      been reached.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+         7        UNUSED
+                                      This option is presently unused.
+
+         8        RENEWABLE
+                                      The RENEWABLE option indicates that
+the
+                                      ticket  to  be  issued  is  to  have
+its
+                                      RENEWABLE flag set.  It may only be
+set
+                                      on  the  initial  request,  or  when
+the
+                                      ticket-granting  ticket  on  which
+the
+                                      request  is based is also renewable.
+If
+                                      this option is requested, then the
+rtime
+                                      field   in   the  request  contains
+the
+                                      desired absolute expiration time for
+the
+                                      ticket.
+
+         9       RESERVED
+                                      Reserved for PK-Cross
+
+         10-13     UNUSED
+                                      These options are presently unused.
+
+         14       REQUEST-ANONYMOUS
+                                      The REQUEST-ANONYMOUS  option
+indicates
+                                      that  the  ticket to be issued is not
+to
+                                      identify  the  user  to  which  it
+was
+                                      issued.  Instead, the principal
+identif-
+                                      ier is to be generic,  as  specified
+by
+                                      the  policy  of  the realm (e.g.
+usually
+                                      anonymous@realm).  The  purpose  of
+the
+                                      ticket  is only to securely distribute
+a
+                                      session key, and  not  to  identify
+the
+                                      user.   The ANONYMOUS flag on the
+ticket
+                                      to be returned should be  set.   If
+the
+                                      local  realms  policy  does  not
+permit
+                                      anonymous credentials, the request is
+to
+                                      be rejected.
+
+         15      CANONICALIZE
+                                      The CANONICALIZE option indicates that
+                                      the client will accept the return of a
+                                      true server name instead of the name
+                                      specified in the request. In addition
+                                      the client will be able to process
+                                      any TGT referrals that will direct
+                                      the client to another realm to locate
+                                      the requested server. If a KDC does
+                                      not support name- canonicalization,
+                                      the option is ignored and the
+                                      appropriate
+                                      KDC_ERR_C_PRINCIPAL_UNKNOWN or
+                                      KDC_ERR_S_PRINCIPAL_UNKNOWN error is
+                                      returned. [JBrezak]
+
+         16-25    RESERVED
+                                      Reserved for future use.
+
+         26       DISABLE-TRANSITED-CHECK
+                                      By default the KDC will check the
+                                      transited field of a ticket-granting-
+                                      ticket against the policy of the local
+                                      realm before it will issue derivative
+                                      tickets based on the ticket granting
+                                      ticket.  If this flag is set in the
+                                      request, checking of the transited
+field
+                                      is disabled.  Tickets issued without
+the
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                                      performance of this check will be
+noted
+                                      by the reset (0) value of the
+                                      TRANSITED-POLICY-CHECKED flag,
+                                      indicating to the application server
+                                      that the tranisted field must be
+checked
+                                      locally.  KDC's are encouraged but not
+                                      required to honor the
+                                      DISABLE-TRANSITED-CHECK option.
+
+         27       RENEWABLE-OK
+                                      The RENEWABLE-OK option indicates that
+a
+                                      renewable ticket will be acceptable if
+a
+                                      ticket with the  requested  life
+cannot
+                                      otherwise be provided.  If a ticket
+with
+                                      the requested life cannot  be
+provided,
+                                      then  a  renewable  ticket may be
+issued
+                                      with  a  renew-till  equal  to  the
+the
+                                      requested  endtime.   The  value  of
+the
+                                      renew-till field may still be limited
+by
+                                      local  limits, or limits selected by
+the
+                                      individual principal or server.
+
+         28       ENC-TKT-IN-SKEY
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The
+ENC-TKT-IN-SKEY
+                                      option indicates that the ticket for
+the
+                                      end  server  is  to  be encrypted in
+the
+                                      session key from the additional
+ticket-
+                                      granting ticket provided.
+
+         29       RESERVED
+                                      Reserved for future use.
+
+         30       RENEW
+                                      This option is used only by the
+ticket-
+                                      granting   service.   The  RENEW
+option
+                                      indicates that the  present  request
+is
+                                      for  a  renewal.  The ticket provided
+is
+                                      encrypted in  the  secret  key  for
+the
+                                      server  on  which  it  is  valid.
+This
+                                      option  will  only  be  honored  if
+the
+                                      ticket  to  be renewed has its
+RENEWABLE
+                                      flag set and if the time in  its
+renew-
+                                      till  field  has not passed.  The
+ticket
+                                      to be renewed is passed  in  the
+padata
+                                      field  as  part  of  the
+authentication
+                                      header.
+
+         31       VALIDATE
+                                      This option is used only by the
+ticket-
+                                      granting  service.   The VALIDATE
+option
+                                      indicates that the request is  to
+vali-
+                                      date  a  postdated ticket.  It will
+only
+                                      be honored if the  ticket  presented
+is
+                                      postdated,  presently  has  its
+INVALID
+                                      flag set, and would be otherwise
+usable
+                                      at  this time.  A ticket cannot be
+vali-
+                                      dated before its starttime.  The
+ticket
+                                      presented for validation is encrypted
+in
+                                      the key of the server for  which  it
+is
+                                      valid  and is passed in the padata
+field
+                                      as part of the authentication header.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+cname and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1. sname may only be absent when the ENC-TKT-IN-SKEY option is
+     specified. If absent, the name of the server is taken from the name of
+     the client in the ticket passed as additional-tickets.
+enc-authorization-data
+     The enc-authorization-data, if present (and it can only be present in
+     the TGS_REQ form), is an encoding of the desired authorization-data
+     encrypted under the sub-session key if present in the Authenticator,
+     or alternatively from the session key in the ticket-granting ticket,
+     both from the padata field in the KRB_AP_REQ.
+realm
+     This field specifies the realm part of the server's principal
+     identifier. In the AS exchange, this is also the realm part of the
+     client's principal identifier. If the CANONICALIZE option is set, the
+     realm is used as a hint to the KDC for its database lookup.
+from
+     This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+     requests when the requested ticket is to be postdated. It specifies
+     the desired start time for the requested ticket. If this field is
+     omitted then the KDC should use the current time instead.
+till
+     This field contains the expiration date requested by the client in a
+     ticket request. It is optional and if omitted the requested ticket is
+     to have the maximum endtime permitted according to KDC policy for the
+     parties to the authentication exchange as limited by expiration date
+     of the ticket granting ticket or other preauthentication credentials.
+rtime
+     This field is the requested renew-till time sent from a client to the
+     KDC in a ticket request. It is optional.
+nonce
+     This field is part of the KDC request and response. It it intended to
+     hold a random number generated by the client. If the same number is
+     included in the encrypted response from the KDC, it provides evidence
+     that the response is fresh and has not been replayed by an attacker.
+     Nonces must never be re-used. Ideally, it should be generated
+     randomly, but if the correct time is known, it may suffice[25].
+etype
+     This field specifies the desired encryption algorithm to be used in
+     the response.
+addresses
+     This field is included in the initial request for tickets, and
+     optionally included in requests for additional tickets from the
+     ticket-granting server. It specifies the addresses from which the
+     requested ticket is to be valid. Normally it includes the addresses
+     for the client's host. If a proxy is requested, this field will
+     contain other addresses. The contents of this field are usually copied
+     by the KDC into the caddr field of the resulting ticket.
+additional-tickets
+     Additional tickets may be optionally included in a request to the
+     ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+     specified, then the session key from the additional ticket will be
+     used in place of the server's key to encrypt the new ticket. When he
+     ENC-TKT-IN-SKEY option is used for user-to-user authentication, this
+     addional ticket may be a TGT issued by the local realm or an
+     inter-realm TGT issued for the current KDC's realm by a remote KDC. If
+     more than one option which requires additional tickets has been
+     specified, then the additional tickets are used in the order specified
+     by the ordering of the options bits (see kdc-options, above).
+
+The application code will be either ten (10) or twelve (12) depending on
+whether the request is for an initial ticket (AS-REQ) or for an additional
+ticket (TGS-REQ).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+The optional fields (addresses, authorization-data and additional-tickets)
+are only included if necessary to perform the operation specified in the
+kdc-options field.
+
+It should be noted that in KRB_TGS_REQ, the protocol version number appears
+twice and two different message types appear: the KRB_TGS_REQ message
+contains these fields as does the authentication header (KRB_AP_REQ) that
+is passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+The KRB_KDC_REP message format is used for the reply from the KDC for
+either an initial (AS) request or a subsequent (TGS) request. There is no
+message type for KRB_KDC_REP. Instead, the type will be either KRB_AS_REP
+or KRB_TGS_REP. The key used to encrypt the ciphertext part of the reply
+depends on the message type. For KRB_AS_REP, the ciphertext is encrypted in
+the client's secret key, and the client's key version number is included in
+the key version number for the encrypted data. For KRB_TGS_REP, the
+ciphertext is encrypted in the sub-session key from the Authenticator, or
+if absent, the session key from the ticket-granting ticket used in the
+request. In that case, no version number will be present in the
+EncryptedData sequence.
+
+The KRB_KDC_REP message contains the following fields:
+
+AS-REP ::=    [APPLICATION 11] KDC-REP
+TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+KDC-REP ::=   SEQUENCE {
+              pvno[0]                    INTEGER,
+              msg-type[1]                INTEGER,
+              padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+              crealm[3]                  Realm,
+              cname[4]                   PrincipalName,
+              ticket[5]                  Ticket,
+              enc-part[6]                EncryptedData
+}
+
+EncASRepPart ::=    [APPLICATION 25[27]] EncKDCRepPart
+EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart ::=   SEQUENCE {
+                    key[0]               EncryptionKey,
+                    last-req[1]          LastReq,
+                    nonce[2]             INTEGER,
+                    key-expiration[3]    KerberosTime OPTIONAL,
+                    flags[4]             TicketFlags,
+                    authtime[5]          KerberosTime,
+                    starttime[6]         KerberosTime OPTIONAL,
+                    endtime[7]           KerberosTime,
+                    renew-till[8]        KerberosTime OPTIONAL,
+                    srealm[9]            Realm,
+                    sname[10]            PrincipalName,
+                    caddr[11]            HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is either
+     KRB_AS_REP or KRB_TGS_REP.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+padata
+     This field is described in detail in section 5.4.1. One possible use
+     for this field is to encode an alternate "mix-in" string to be used
+     with a string-to-key algorithm (such as is described in section
+     6.3.2). This ability is useful to ease transitions if a realm name
+     needs to change (e.g. when a company is acquired); in such a case all
+     existing password-derived entries in the KDC database would be flagged
+     as needing a special mix-in string until the next password change.
+crealm, cname, srealm and sname
+     These fields are the same as those described for the ticket in section
+     5.3.1.
+ticket
+     The newly-issued ticket, from section 5.3.1.
+enc-part
+     This field is a place holder for the ciphertext and related
+     information that forms the encrypted part of a message. The
+     description of the encrypted part of the message follows each
+     appearance of this field. The encrypted part is encoded as described
+     in section 6.1.
+key
+     This field is the same as described for the ticket in section 5.3.1.
+last-req
+     This field is returned by the KDC and specifies the time(s) of the
+     last request by a principal. Depending on what information is
+     available, this might be the last time that a request for a
+     ticket-granting ticket was made, or the last time that a request based
+     on a ticket-granting ticket was successful. It also might cover all
+     servers for a realm, or just the particular server. Some
+     implementations may display this information to the user to aid in
+     discovering unauthorized use of one's identity. It is similar in
+     spirit to the last login time displayed when logging into timesharing
+     systems.
+nonce
+     This field is described above in section 5.4.1.
+key-expiration
+     The key-expiration field is part of the response from the KDC and
+     specifies the time that the client's secret key is due to expire. The
+     expiration might be the result of password aging or an account
+     expiration. This field will usually be left out of the TGS reply since
+     the response to the TGS request is encrypted in a session key and no
+     client information need be retrieved from the KDC database. It is up
+     to the application client (usually the login program) to take
+     appropriate action (such as notifying the user) if the expiration time
+     is imminent.
+flags, authtime, starttime, endtime, renew-till and caddr
+     These fields are duplicates of those found in the encrypted portion of
+     the attached ticket (see section 5.3.1), provided so the client may
+     verify they match the intended request and to assist in proper ticket
+     caching. If the message is of type KRB_TGS_REP, the caddr field will
+     only be filled in if the request was for a proxy or forwarded ticket,
+     or if the user is substituting a subset of the addresses from the
+     ticket granting ticket. If the client-requested addresses are not
+     present or not used, then the addresses contained in the ticket will
+     be the same as those included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+This section specifies the format of the messages used for the
+authentication of the client to the application server.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.5.1. KRB_AP_REQ definition
+
+The KRB_AP_REQ message contains the Kerberos protocol version number, the
+message type KRB_AP_REQ, an options field to indicate any options in use,
+and the ticket and authenticator themselves. The KRB_AP_REQ message is
+often referred to as the 'authentication header'.
+
+AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ap-options[2]                 APOptions,
+                ticket[3]                     Ticket,
+                authenticator[4]              EncryptedData
+}
+
+APOptions ::=   BIT STRING {
+                reserved(0),
+                use-session-key(1),
+                mutual-required(2)
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REQ.
+ap-options
+     This field appears in the application request (KRB_AP_REQ) and affects
+     the way the request is processed. It is a bit-field, where the
+     selected options are indicated by the bit being set (1), and the
+     unselected options and reserved fields being reset (0). The encoding
+     of the bits is specified in section 5.2. The meanings of the options
+     are:
+
+	  Bit(s)   Name              Description
+
+	  0        RESERVED
+				     Reserved for future  expansion  of  this
+				     field.
+
+	  1        USE-SESSION-KEY
+				     The  USE-SESSION-KEY  option   indicates
+				     that the ticket the client is presenting
+				     to a server is encrypted in the  session
+				     key  from  the  server's ticket-granting
+				     ticket.  When this option is not  speci-
+				     fied,  the  ticket  is  encrypted in the
+				     server's secret key.
+
+	  2        MUTUAL-REQUIRED
+				     The  MUTUAL-REQUIRED  option  tells  the
+				     server  that  the client requires mutual
+				     authentication, and that it must respond
+				     with a KRB_AP_REP message.
+
+	  3-31     RESERVED
+				     Reserved for future use.
+
+ticket
+     This field is a ticket authenticating the client to the server.
+authenticator
+     This contains the authenticator, which includes the client's choice of
+     a subkey. Its encoding is described in section 5.3.2.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.5.2. KRB_AP_REP definition
+
+The KRB_AP_REP message contains the Kerberos protocol version number, the
+message type, and an encrypted time- stamp. The message is sent in in
+response to an application request (KRB_AP_REQ) where the mutual
+authentication option has been selected in the ap-options field.
+
+AP-REP ::=         [APPLICATION 15] SEQUENCE {
+                   pvno[0]                           INTEGER,
+                   msg-type[1]                       INTEGER,
+                   enc-part[2]                       EncryptedData
+}
+
+EncAPRepPart ::=   [APPLICATION 27[29]] SEQUENCE {
+                   ctime[0]                          KerberosTime,
+                   cusec[1]                          INTEGER,
+                   subkey[2]                         EncryptionKey OPTIONAL,
+                   seq-number[3]                     INTEGER OPTIONAL
+}
+
+The encoded EncAPRepPart is encrypted in the shared session key of the
+ticket. The optional subkey field can be used in an application-arranged
+negotiation to choose a per association session key.
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_AP_REP.
+enc-part
+     This field is described above in section 5.4.2.
+ctime
+     This field contains the current time on the client's host.
+cusec
+     This field contains the microsecond part of the client's timestamp.
+subkey
+     This field contains an encryption key which is to be used to protect
+     this specific application session. See section 3.2.6 for specifics on
+     how this field is used to negotiate a key. Unless an application
+     specifies otherwise, if this field is left out, the sub-session key
+     from the authenticator, or if also left out, the session key from the
+     ticket will be used.
+
+5.5.3. Error message reply
+
+If an error occurs while processing the application request, the KRB_ERROR
+message will be sent in response. See section 5.9.1 for the format of the
+error message. The cname and crealm fields may be left out if the server
+cannot determine their appropriate values from the corresponding KRB_AP_REQ
+message. If the authenticator was decipherable, the ctime and cusec fields
+will contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to send a tamper-proof message to
+its peer. It presumes that a session key has previously been exchanged (for
+example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.6.1. KRB_SAFE definition
+
+The KRB_SAFE message contains user data along with a collision-proof
+checksum keyed with the last encryption key negotiated via subkeys, or the
+session key if no negotiation has occured. The message fields are:
+
+KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+                    pvno[0]                       INTEGER,
+                    msg-type[1]                   INTEGER,
+                    safe-body[2]                  KRB-SAFE-BODY,
+                    cksum[3]                      Checksum
+}
+
+KRB-SAFE-BODY ::=   SEQUENCE {
+                    user-data[0]                  OCTET STRING,
+                    timestamp[1]                  KerberosTime OPTIONAL,
+                    usec[2]                       INTEGER OPTIONAL,
+                    seq-number[3]                 INTEGER OPTIONAL,
+                    s-address[4]                  HostAddress OPTIONAL,
+                    r-address[5]                  HostAddress OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_SAFE.
+safe-body
+     This field is a placeholder for the body of the KRB-SAFE message.
+cksum
+     This field contains the checksum of the application data. Checksum
+     details are described in section 6.4. The checksum is computed over
+     the encoding of the KRB-SAFE sequence. First, the cksum is zeroed and
+     the checksum is computed over the encoding of the KRB-SAFE sequence,
+     then the checksum is set to the result of that computation, and
+     finally the KRB-SAFE sequence is encoded again.
+user-data
+     This field is part of the KRB_SAFE and KRB_PRIV messages and contain
+     the application specific data that is being passed from the sender to
+     the recipient.
+timestamp
+     This field is part of the KRB_SAFE and KRB_PRIV messages. Its contents
+     are the current time as known by the sender of the message. By
+     checking the timestamp, the recipient of the message is able to make
+     sure that it was recently generated, and is not a replay.
+usec
+     This field is part of the KRB_SAFE and KRB_PRIV headers. It contains
+     the microsecond part of the timestamp.
+seq-number
+     This field is described above in section 5.3.2.
+s-address
+     This field specifies the address in use by the sender of the message.
+     It may be omitted if not required by the application protocol. The
+     application designer considering omission of this field is warned,
+     that the inclusion of this address prevents some kinds of replay
+     attacks (e.g., reflection attacks) and that it is only acceptable to
+     omit this address if there is sufficient information in the integrity
+     protected part of the application message for the recipient to
+     unambiguously determine if it was the intended recipient.
+r-address
+     This field specifies the address in use by the recipient of the
+     message. It may be omitted for some uses (such as broadcast
+     protocols), but the recipient may arbitrarily reject such messages.
+     This field along with s-address can be used to help detect messages
+     which have been incorrectly or maliciously delivered to the wrong
+     recipient.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.7. KRB_PRIV message specification
+
+This section specifies the format of a message that can be used by either
+side (client or server) of an application to securely and privately send a
+message to its peer. It presumes that a session key has previously been
+exchanged (for example, by using the KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+The KRB_PRIV message contains user data encrypted in the Session Key. The
+message fields are:
+
+KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                     pvno[0]                           INTEGER,
+                     msg-type[1]                       INTEGER,
+                     enc-part[3]                       EncryptedData
+}
+
+EncKrbPrivPart ::=   [APPLICATION 28[31]] SEQUENCE {
+                     user-data[0]        OCTET STRING,
+                     timestamp[1]        KerberosTime OPTIONAL,
+                     usec[2]             INTEGER OPTIONAL,
+                     seq-number[3]       INTEGER OPTIONAL,
+                     s-address[4]        HostAddress OPTIONAL, -- sender's
+addr
+                     r-address[5]        HostAddress OPTIONAL -- recip's
+addr
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_PRIV.
+enc-part
+     This field holds an encoding of the EncKrbPrivPart sequence encrypted
+     under the session key[32]. This encrypted encoding is used for the
+     enc-part field of the KRB-PRIV message. See section 6 for the format
+     of the ciphertext.
+user-data, timestamp, usec, s-address and r-address
+     These fields are described above in section 5.6.1.
+seq-number
+     This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+This section specifies the format of a message that can be used to send
+Kerberos credentials from one principal to another. It is presented here to
+encourage a common mechanism to be used by applications when forwarding
+tickets or providing proxies to subordinate servers. It presumes that a
+session key has already been exchanged perhaps by using the
+KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+The KRB_CRED message contains a sequence of tickets to be sent and
+information needed to use the tickets, including the session key from each.
+The information needed to use the tickets is encrypted under an encryption
+key previously exchanged or transferred alongside the KRB_CRED message. The
+message fields are:
+
+KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                 pvno[0]                INTEGER,
+                 msg-type[1]            INTEGER, -- KRB_CRED
+                 tickets[2]             SEQUENCE OF Ticket,
+                 enc-part[3]            EncryptedData
+}
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                 ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                 nonce[1]               INTEGER OPTIONAL,
+                 timestamp[2]           KerberosTime OPTIONAL,
+                 usec[3]                INTEGER OPTIONAL,
+                 s-address[4]           HostAddress OPTIONAL,
+                 r-address[5]           HostAddress OPTIONAL
+}
+
+KrbCredInfo      ::=                    SEQUENCE {
+                 key[0]                 EncryptionKey,
+                 prealm[1]              Realm OPTIONAL,
+                 pname[2]               PrincipalName OPTIONAL,
+                 flags[3]               TicketFlags OPTIONAL,
+                 authtime[4]            KerberosTime OPTIONAL,
+                 starttime[5]           KerberosTime OPTIONAL,
+                 endtime[6]             KerberosTime OPTIONAL
+                 renew-till[7]          KerberosTime OPTIONAL,
+                 srealm[8]              Realm OPTIONAL,
+                 sname[9]               PrincipalName OPTIONAL,
+                 caddr[10]              HostAddresses OPTIONAL
+}
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_CRED.
+tickets
+     These are the tickets obtained from the KDC specifically for use by
+     the intended recipient. Successive tickets are paired with the
+     corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED
+     message.
+enc-part
+     This field holds an encoding of the EncKrbCredPart sequence encrypted
+     under the session key shared between the sender and the intended
+     recipient. This encrypted encoding is used for the enc-part field of
+     the KRB-CRED message. See section 6 for the format of the ciphertext.
+nonce
+     If practical, an application may require the inclusion of a nonce
+     generated by the recipient of the message. If the same value is
+     included as the nonce in the message, it provides evidence that the
+     message is fresh and has not been replayed by an attacker. A nonce
+     must never be re-used; it should be generated randomly by the
+     recipient of the message and provided to the sender of the message in
+     an application specific manner.
+timestamp and usec
+     These fields specify the time that the KRB-CRED message was generated.
+     The time is used to provide assurance that the message is fresh.
+s-address and r-address
+     These fields are described above in section 5.6.1. They are used
+     optionally to provide additional assurance of the integrity of the
+     KRB-CRED message.
+key
+     This field exists in the corresponding ticket passed by the KRB-CRED
+     message and is used to pass the session key from the sender to the
+     intended recipient. The field's encoding is described in section 6.2.
+
+The following fields are optional. If present, they can be associated with
+the credentials in the remote ticket file. If left out, then it is assumed
+that the recipient of the credentials already knows their value.
+
+prealm and pname
+     The name and realm of the delegated principal identity.
+flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
+     These fields contain the values of the correspond- ing fields from the
+     ticket found in the ticket field. Descriptions of the fields are
+     identical to the descriptions in the KDC-REP message.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+5.9. Error message specification
+
+This section specifies the format for the KRB_ERROR message. The fields
+included in the message are intended to return as much information as
+possible about an error. It is not expected that all the information
+required by the fields will be available for all types of errors. If the
+appropriate information is not available when the message is composed, the
+corresponding field will be left out of the message.
+
+Note that since the KRB_ERROR message is only optionally integrity
+protected, it is quite possible for an intruder to synthesize or modify
+such a message. In particular, this means that unless appropriate integrity
+protection mechanisms have been applied to the KRB_ERROR message, the
+client should not use any fields in this message for security-critical
+purposes, such as setting a system clock or generating a fresh
+authenticator. The message can be useful, however, for advising a user on
+the reason for some failure.
+
+5.9.1. KRB_ERROR definition
+
+The KRB_ERROR message consists of the following fields:
+
+KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                pvno[0]                       INTEGER,
+                msg-type[1]                   INTEGER,
+                ctime[2]                      KerberosTime OPTIONAL,
+                cusec[3]                      INTEGER OPTIONAL,
+                stime[4]                      KerberosTime,
+                susec[5]                      INTEGER,
+                error-code[6]                 INTEGER,
+                crealm[7]                     Realm OPTIONAL,
+                cname[8]                      PrincipalName OPTIONAL,
+                realm[9]                      Realm, -- Correct realm
+                sname[10]                     PrincipalName, -- Correct name
+                e-text[11]                    GeneralString OPTIONAL,
+                e-data[12]                    OCTET STRING OPTIONAL,
+                e-cksum[13]                   Checksum OPTIONAL,
+}
+
+
+
+pvno and msg-type
+     These fields are described above in section 5.4.1. msg-type is
+     KRB_ERROR.
+ctime
+     This field is described above in section 5.4.1.
+cusec
+     This field is described above in section 5.5.2.
+stime
+     This field contains the current time on the server. It is of type
+     KerberosTime.
+susec
+     This field contains the microsecond part of the server's timestamp.
+     Its value ranges from 0 to 999999. It appears along with stime. The
+     two fields are used in conjunction to specify a reasonably accurate
+     timestamp.
+error-code
+     This field contains the error code returned by Kerberos or the server
+     when a request fails. To interpret the value of this field see the
+     list of error codes in section 8. Implementations are encouraged to
+     provide for national language support in the display of error
+     messages.
+crealm, cname, srealm and sname
+     These fields are described above in section 5.3.1.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+e-text
+     This field contains additional text to help explain the error code
+     associated with the failed request (for example, it might include a
+     principal name which was unknown).
+e-data
+     This field contains additional data about the error for use by the
+     application to help it recover from or handle the error. If present,
+     this field will contain the encoding of a sequence of TypedData
+     (TYPED-DATA below), unless the errorcode is KDC_ERR_PREAUTH_REQUIRED,
+     in which case it will contain the encoding of a sequence of of padata
+     fields (METHOD-DATA below), each corresponding to an acceptable
+     pre-authentication method and optionally containing data for the
+     method:
+
+     TYPED-DATA   ::=   SEQUENCE of TypeData
+     METHOD-DATA  ::=   SEQUENCE of PA-DATA
+
+     TypedData ::=   SEQUENCE {
+                         data-type[0]   INTEGER,
+                         data-value[1]  OCTET STRING OPTIONAL
+     }
+
+     Note that e-data-types have been reserved for all PA data types
+     defined prior to July 1999. For the KDC_ERR_PREAUTH_REQUIRED message,
+     when using new PA data types defined in July 1999 or later, the
+     METHOD-DATA sequence must itself be encapsulated in an TypedData
+     element of type TD-PADATA. All new implementations interpreting the
+     METHOD-DATA field for the KDC_ERR_PREAUTH_REQUIRED message must accept
+     a type of TD-PADATA, extract the typed data field and interpret the
+     use any elements encapsulated in the TD-PADATA elements as if they
+     were present in the METHOD-DATA sequence.
+e-cksum
+     This field contains an optional checksum for the KRB-ERROR message.
+     The checksum is calculated over the Kerberos ASN.1 encoding of the
+     KRB-ERROR message with the checksum absent. The checksum is then added
+     to the KRB-ERROR structure and the message is re-encoded. The Checksum
+     should be calculated using the session key from the ticket granting
+     ticket or service ticket, where available. If the error is in response
+     to a TGS or AP request, the checksum should be calculated uing the the
+     session key from the client's ticket. If the error is in response to
+     an AS request, then the checksum should be calulated using the
+     client's secret key ONLY if there has been suitable preauthentication
+     to prove knowledge of the secret key by the client[33]. If a checksum
+     can not be computed because the key to be used is not available, no
+     checksum will be included.
+
+     6. Encryption and Checksum Specifications
+
+     The Kerberos protocols described in this document are designed to use
+     stream encryption ciphers, which can be simulated using commonly
+     available block encryption ciphers, such as the Data Encryption
+     Standard [DES77], and triple DES variants, in conjunction with block
+     chaining and checksum methods [DESM80]. Encryption is used to prove
+     the identities of the network entities participating in message
+     exchanges. The Key Distribution Center for each realm is trusted by
+     all principals registered in that realm to store a secret key in
+     confidence. Proof of knowledge of this secret key is used to verify
+     the authenticity of a principal.
+
+     The KDC uses the principal's secret key (in the AS exchange) or a
+     shared session key (in the TGS exchange) to encrypt responses to
+     ticket requests; the ability to obtain the secret key or session key
+     implies the knowledge of the appropriate keys and the identity of the
+     KDC. The ability of a principal to decrypt the KDC response and
+     present a Ticket and a properly formed Authenticator (generated with
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     the session key from the KDC response) to a service verifies the
+     identity of the principal; likewise the ability of the service to
+     extract the session key from the Ticket and prove its knowledge
+     thereof in a response verifies the identity of the service.
+
+     The Kerberos protocols generally assume that the encryption used is
+     secure from cryptanalysis; however, in some cases, the order of fields
+     in the encrypted portions of messages are arranged to minimize the
+     effects of poorly chosen keys. It is still important to choose good
+     keys. If keys are derived from user-typed passwords, those passwords
+     need to be well chosen to make brute force attacks more difficult.
+     Poorly chosen keys still make easy targets for intruders.
+
+     The following sections specify the encryption and checksum mechanisms
+     currently defined for Kerberos. The encodings, chaining, and padding
+     requirements for each are described. For encryption methods, it is
+     often desirable to place random information (often referred to as a
+     confounder) at the start of the message. The requirements for a
+     confounder are specified with each encryption mechanism.
+
+     Some encryption systems use a block-chaining method to improve the the
+     security characteristics of the ciphertext. However, these chaining
+     methods often don't provide an integrity check upon decryption. Such
+     systems (such as DES in CBC mode) must be augmented with a checksum of
+     the plain-text which can be verified at decryption and used to detect
+     any tampering or damage. Such checksums should be good at detecting
+     burst errors in the input. If any damage is detected, the decryption
+     routine is expected to return an error indicating the failure of an
+     integrity check. Each encryption type is expected to provide and
+     verify an appropriate checksum. The specification of each encryption
+     method sets out its checksum requirements.
+
+     Finally, where a key is to be derived from a user's password, an
+     algorithm for converting the password to a key of the appropriate type
+     is included. It is desirable for the string to key function to be
+     one-way, and for the mapping to be different in different realms. This
+     is important because users who are registered in more than one realm
+     will often use the same password in each, and it is desirable that an
+     attacker compromising the Kerberos server in one realm not obtain or
+     derive the user's key in another.
+
+     For an discussion of the integrity characteristics of the candidate
+     encryption and checksum methods considered for Kerberos, the reader is
+     referred to [SG92].
+
+     6.1. Encryption Specifications
+
+     The following ASN.1 definition describes all encrypted messages. The
+     enc-part field which appears in the unencrypted part of messages in
+     section 5 is a sequence consisting of an encryption type, an optional
+     key version number, and the ciphertext.
+
+     EncryptedData ::=   SEQUENCE {
+                         etype[0]     INTEGER, -- EncryptionType
+                         kvno[1]      INTEGER OPTIONAL,
+                         cipher[2]    OCTET STRING -- ciphertext
+     }
+
+
+
+     etype
+          This field identifies which encryption algorithm was used to
+          encipher the cipher. Detailed specifications for selected
+          encryption types appear later in this section.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     kvno
+          This field contains the version number of the key under which
+          data is encrypted. It is only present in messages encrypted under
+          long lasting keys, such as principals' secret keys.
+     cipher
+          This field contains the enciphered text, encoded as an OCTET
+          STRING.
+     The cipher field is generated by applying the specified encryption
+     algorithm to data composed of the message and algorithm-specific
+     inputs. Encryption mechanisms defined for use with Kerberos must take
+     sufficient measures to guarantee the integrity of the plaintext, and
+     we recommend they also take measures to protect against precomputed
+     dictionary attacks. If the encryption algorithm is not itself capable
+     of doing so, the protections can often be enhanced by adding a
+     checksum and a confounder.
+
+     The suggested format for the data to be encrypted includes a
+     confounder, a checksum, the encoded plaintext, and any necessary
+     padding. The msg-seq field contains the part of the protocol message
+     described in section 5 which is to be encrypted. The confounder,
+     checksum, and padding are all untagged and untyped, and their length
+     is exactly sufficient to hold the appropriate item. The type and
+     length is implicit and specified by the particular encryption type
+     being used (etype). The format for the data to be encrypted for some
+     methods is described in the following diagram, but other methods may
+     deviate from this layour - so long as the definition of the method
+     defines the layout actually in use.
+
+           +-----------+----------+-------------+-----+
+           |confounder |   check  |   msg-seq   | pad |
+           +-----------+----------+-------------+-----+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     CipherText ::=   ENCRYPTED       SEQUENCE {
+             confounder[0]   UNTAGGED[35] OCTET STRING(conf_length)
+OPTIONAL,
+             check[1]        UNTAGGED OCTET STRING(checksum_length)
+OPTIONAL,
+             msg-seq[2]      MsgSequence,
+             pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+     }
+
+     One generates a random confounder of the appropriate length, placing
+     it in confounder; zeroes out check; calculates the appropriate
+     checksum over confounder, check, and msg-seq, placing the result in
+     check; adds the necessary padding; then encrypts using the specified
+     encryption type and the appropriate key.
+
+     Unless otherwise specified, a definition of an encryption algorithm
+     that specifies a checksum, a length for the confounder field, or an
+     octet boundary for padding uses this ciphertext format[36]. Those
+     fields which are not specified will be omitted.
+
+     In the interest of allowing all implementations using a particular
+     encryption type to communicate with all others using that type, the
+     specification of an encryption type defines any checksum that is
+     needed as part of the encryption process. If an alternative checksum
+     is to be used, a new encryption type must be defined.
+
+     Some cryptosystems require additional information beyond the key and
+     the data to be encrypted. For example, DES, when used in
+     cipher-block-chaining mode, requires an initialization vector. If
+     required, the description for each encryption type must specify the
+     source of such additional information. 6.2. Encryption Keys
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     The sequence below shows the encoding of an encryption key:
+
+            EncryptionKey ::=   SEQUENCE {
+                                keytype[0]    INTEGER,
+                                keyvalue[1]   OCTET STRING
+            }
+
+     keytype
+          This field specifies the type of encryption that is to be
+          performed using the key that follows in the keyvalue field. It
+          will always correspond to the etype to be used to generate or
+          decode the EncryptedData. In cases when multiple algorithms use a
+          common kind of key (e.g., if the encryption algorithm uses an
+          alternate checksum algorithm for an integrity check, or a
+          different chaining mechanism), the keytype provides information
+          needed to determine which algorithm is to be used.
+     keyvalue
+          This field contains the key itself, encoded as an octet string.
+     All negative values for the encryption key type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpreta- tions.
+
+     6.3. Encryption Systems
+
+     6.3.1. The NULL Encryption System (null)
+
+     If no encryption is in use, the encryption system is said to be the
+     NULL encryption system. In the NULL encryption system there is no
+     checksum, confounder or padding. The ciphertext is simply the
+     plaintext. The NULL Key is used by the null encryption system and is
+     zero octets in length, with keytype zero (0).
+
+     6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+     The des-cbc-crc encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. A CRC-32 checksum (described in ISO 3309 [ISO3309]) is
+     applied to the confounder and message sequence (msg-seq) and placed in
+     the cksum field. DES blocks are 8 bytes. As a result, the data to be
+     encrypted (the concatenation of confounder, checksum, and message)
+     must be padded to an 8 byte boundary before encryption. The details of
+     the encryption of this data are identical to those for the des-cbc-md5
+     encryption mode.
+
+     Note that, since the CRC-32 checksum is not collision-proof, an
+     attacker could use a probabilistic chosen-plaintext attack to generate
+     a valid message even if a confounder is used [SG92]. The use of
+     collision-proof checksums is recommended for environments where such
+     attacks represent a significant threat. The use of the CRC-32 as the
+     checksum for ticket or authenticator is no longer mandated as an
+     interoperability requirement for Kerberos Version 5 Specification 1
+     (See section 9.1 for specific details).
+
+     6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+     The des-cbc-md4 encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. An MD4 checksum (described in [MD492]) is applied to the
+     confounder and message sequence (msg-seq) and placed in the cksum
+     field. DES blocks are 8 bytes. As a result, the data to be encrypted
+     (the concatenation of confounder, checksum, and message) must be
+     padded to an 8 byte boundary before encryption. The details of the
+     encryption of this data are identical to those for the des-cbc-md5
+     encryption mode.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+     The des-cbc-md5 encryption mode encrypts information under the Data
+     Encryption Standard [DES77] using the cipher block chaining mode
+     [DESM80]. An MD5 checksum (described in [MD5-92].) is applied to the
+     confounder and message sequence (msg-seq) and placed in the cksum
+     field. DES blocks are 8 bytes. As a result, the data to be encrypted
+     (the concatenation of confounder, checksum, and message) must be
+     padded to an 8 byte boundary before encryption.
+
+     Plaintext and DES ciphtertext are encoded as blocks of 8 octets which
+     are concatenated to make the 64-bit inputs for the DES algorithms. The
+     first octet supplies the 8 most significant bits (with the octet's
+     MSbit used as the DES input block's MSbit, etc.), the second octet the
+     next 8 bits, ..., and the eighth octet supplies the 8 least
+     significant bits.
+
+     Encryption under DES using cipher block chaining requires an
+     additional input in the form of an initialization vector. Unless
+     otherwise specified, zero should be used as the initialization vector.
+     Kerberos' use of DES requires an 8 octet confounder.
+
+     The DES specifications identify some 'weak' and 'semi-weak' keys;
+     those keys shall not be used for encrypting messages for use in
+     Kerberos. Additionally, because of the way that keys are derived for
+     the encryption of checksums, keys shall not be used that yield 'weak'
+     or 'semi-weak' keys when eXclusive-ORed with the hexadecimal constant
+     F0F0F0F0F0F0F0F0.
+
+     A DES key is 8 octets of data, with keytype one (1). This consists of
+     56 bits of key, and 8 parity bits (one per octet). The key is encoded
+     as a series of 8 octets written in MSB-first order. The bits within
+     the key are also encoded in MSB order. For example, if the encryption
+     key is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
+     where B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8
+     are the parity bits, the first octet of the key would be
+     B1,B2,...,B7,P1 (with B1 as the MSbit). [See the FIPS 81 introduction
+     for reference.]
+
+     String to key transformation
+
+     To generate a DES key from a text string (password), a "salt" is
+     concatenated to the text string, and then padded with ASCII nulls to
+     an 8 byte boundary. This "salt" is normally the realm and each
+     component of the principal's name appended. However, sometimes
+     different salts are used --- for example, when a realm is renamed, or
+     if a user changes her username, or for compatibility with Kerberos V4
+     (whose string-to-key algorithm uses a null string for the salt). This
+     string is then fan-folded and eXclusive-ORed with itself to form an 8
+     byte DES key. Before eXclusive-ORing a block, every byte is shifted
+     one bit to the left to leave the lowest bit zero. The key is the
+     "corrected" by correcting the parity on the key, and if the key
+     matches a 'weak' or 'semi-weak' key as described in the DES
+     specification, it is eXclusive-ORed with the constant
+     00000000000000F0. This key is then used to generate a DES CBC checksum
+     on the initial string (with the salt appended). The result of the CBC
+     checksum is the "corrected" as described above to form the result
+     which is return as the key. Pseudocode follows:
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+          name_to_default_salt(realm, name) {
+               s = realm
+               for(each component in name) {
+                    s = s + component;
+               }
+               return s;
+          }
+
+          key_correction(key) {
+               fixparity(key);
+               if (is_weak_key_key(key))
+                    key = key XOR 0xF0;
+               return(key);
+          }
+
+          string_to_key(string,salt) {
+
+               odd = 1;
+               s = string + salt;
+               tempkey = NULL;
+               pad(s); /* with nulls to 8 byte boundary */
+               for(8byteblock in s) {
+                    if(odd == 0)  {
+                        odd = 1;
+                        reverse(8byteblock)
+                    }
+                    else odd = 0;
+                    left shift every byte in 8byteblock one bit;
+                    tempkey = tempkey XOR 8byteblock;
+               }
+               tempkey = key_correction(tempkey);
+               key = key_correction(DES-CBC-check(s,tempkey));
+               return(key);
+          }
+
+     6.3.5. Triple DES with HMAC-SHA1 Kerberos Encryption Type with and
+     without Key Derivation [Original draft by Marc Horowitz, revisions by
+     David Miller]
+
+          There are still a few pieces of this specification to be included
+          by falue, rather than by reference. This will be done before the
+          Pittsburgh IETF.
+     This encryption type is based on the Triple DES cryptosystem, the
+     HMAC-SHA1 [Krawczyk96] message authentication algorithm, and key
+     derivation for Kerberos V5 [HorowitzB96]. Key derivation may or may
+     not be used in conjunction with the use of Triple DES keys.
+
+     Algorithm Identifiers
+
+     The des3-cbc-hmac-sha1 encryption type has been assigned the value 7.
+     The des3-cbc-hmac-sha1-kd encryption type, specifying the key
+     derivation variant of the encryption type, has been assigned the value
+     16. The hmac-sha1-des3 checksum type has been assigned the value 13.
+     The hmac-sha1-des3-kd checksum type, specifying the key derivation
+     variant of the checksum, has been assigned the value 12.
+
+     Triple DES Key Production
+
+     The EncryptionKey value is 24 octets long. The 7 most significant bits
+     of each octet contain key bits, and the least significant bit is the
+     inverse of the xor of the key bits.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     For the purposes of key derivation, the block size is 64 bits, and the
+     key size is 168 bits. The 168 bits output by key derivation are
+     converted to an EncryptionKey value as follows. First, the 168 bits
+     are divided into three groups of 56 bits, which are expanded
+     individually into 64 bits as follows:
+
+      1  2  3  4  5  6  7  p
+      9 10 11 12 13 14 15  p
+     17 18 19 20 21 22 23  p
+     25 26 27 28 29 30 31  p
+     33 34 35 36 37 38 39  p
+     41 42 43 44 45 46 47  p
+     49 50 51 52 53 54 55  p
+     56 48 40 32 24 16  8  p
+
+     The "p" bits are parity bits computed over the data bits. The output
+     of the three expansions are concatenated to form the EncryptionKey
+     value.
+
+     When the HMAC-SHA1 of a string is computed, the key is used in the
+     EncryptedKey form.
+
+     The string-to-key function is used to tranform UNICODE passwords into
+     DES3 keys. The DES3 string-to-key function relies on the "N-fold"
+     algorithm, which is detailed in [9]. The description of the N-fold
+     algorithm in that document is as follows:
+        o To n-fold a number X, replicate the input value to a length that
+          is the least common multiple of n and the length of X. Before
+          each repetition, the input is rotated to the right by 13 bit
+          positions. The successive n-bit chunks are added together using
+          1's-complement addition (that is, addition with end-around carry)
+          to yield an n-bit result"
+        o The n-fold algorithm, as with DES string-to-key, is applied to
+          the password string concatenated with a salt value. The salt
+          value is derived in the same was as for the DES string-to-key
+          algorithm. For 3-key triple DES then, the operation will involve
+          a 168-fold of the input password string. The remainder of the
+          string-to-key function for DES3 is shown here in pseudocode:
+
+     DES3string-to-key(passwordString, key)
+
+         salt = name_to_default_salt(realm, name)
+         s = passwordString + salt
+         tmpKey1 = 168-fold(s)
+         parityFix(tmpKey1);
+         if not weakKey(tmpKey1)
+             /*
+              * Encrypt temp key in itself with a
+              * zero initialization vector
+              *
+              * Function signature is DES3encrypt(plain, key, iv)
+              * with cipher as the return value
+              */
+             tmpKey2 = DES3encrypt(tmpKey1, tmpKey1, zeroIvec)
+             /*
+              * Encrypt resultant temp key in itself with third component
+              * of first temp key as initialization vector
+              */
+             key = DES3encrypt(tmpKey2, tmpKey1, tmpKey1[2])
+             parityFix(key)
+             if not weakKey(key)
+                  return SUCCESS
+             else
+                  return FAILURE
+         else
+             return FAILURE
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     The weakKey function above is the same weakKey function used with DES
+     keys, but applied to each of the three single DES keys that comprise
+     the triple DES key.
+
+     The lengths of UNICODE encoded character strings include the trailing
+     terminator character (0).
+
+     Encryption Types des3-cbc-hmac-sha1 and des3-cbc-hmac-sha1-kd
+
+     EncryptedData using this type must be generated as described in
+     [Horowitz96]. The encryption algorithm is Triple DES in Outer-CBC
+     mode. The checksum algorithm is HMAC-SHA1. If the key derivation
+     variant of the encryption type is used, encryption key values are
+     modified according to the method under the Key Derivation section
+     below.
+
+     Unless otherwise specified, a zero IV must be used.
+
+     If the length of the input data is not a multiple of the block size,
+     zero octets must be used to pad the plaintext to the next eight-octet
+     boundary. The counfounder must be eight random octets (one block).
+
+     Checksum Types hmac-sha1-des3 and hmac-sha1-des3-kd
+
+     Checksums using this type must be generated as described in
+     [Horowitz96]. The keyed hash algorithm is HMAC-SHA1. If the key
+     derivation variant of the checksum type is used, checksum key values
+     are modified according to the method under the Key Derivation section
+     below.
+
+     Key Derivation
+
+     In the Kerberos protocol, cryptographic keys are used in a number of
+     places. In order to minimize the effect of compromising a key, it is
+     desirable to use a different key for each of these places. Key
+     derivation [Horowitz96] can be used to construct different keys for
+     each operation from the keys transported on the network. For this to
+     be possible, a small change to the specification is necessary.
+
+     This section specifies a profile for the use of key derivation
+     [Horowitz96] with Kerberos. For each place where a key is used, a
+     ``key usage'' must is specified for that purpose. The key, key usage,
+     and encryption/checksum type together describe the transformation from
+     plaintext to ciphertext, or plaintext to checksum.
+
+     Key Usage Values
+
+     This is a complete list of places keys are used in the kerberos
+     protocol, with key usage values and RFC 1510 section numbers:
+
+      1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+         client key (section 5.4.1)
+      2. AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+         application session key), encrypted with the service key
+         (section 5.4.2)
+      3. AS-REP encrypted part (includes tgs session key or application
+         session key), encrypted with the client key (section 5.4.2)
+      4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+         session key (section 5.4.1)
+      5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+         authenticator subkey (section 5.4.1)
+      6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+         with the tgs session key (sections 5.3.2, 5.4.1)
+      7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+         authenticator subkey), encrypted with the tgs session key
+         (section 5.3.2)
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+      8. TGS-REP encrypted part (includes application session key),
+         encrypted with the tgs session key (section 5.4.2)
+      9. TGS-REP encrypted part (includes application session key),
+         encrypted with the tgs authenticator subkey (section 5.4.2)
+     10. AP-REQ Authenticator cksum, keyed with the application session
+         key (section 5.3.2)
+     11. AP-REQ Authenticator (includes application authenticator
+         subkey), encrypted with the application session key (section
+         5.3.2)
+     12. AP-REP encrypted part (includes application session subkey),
+         encrypted with the application session key (section 5.5.2)
+     13. KRB-PRIV encrypted part, encrypted with a key chosen by the
+         application (section 5.7.1)
+     14. KRB-CRED encrypted part, encrypted with a key chosen by the
+         application (section 5.6.1)
+     15. KRB-SAVE cksum, keyed with a key chosen by the application
+         (section 5.8.1)
+     18. KRB-ERROR checksum (e-cksum in section 5.9.1)
+     19. AD-KDCIssued checksum (ad-checksum in appendix B.1)
+     20. Checksum for Mandatory Ticket Extensions (appendix B.6)
+     21. Checksum in Authorization Data in Ticket Extensions (appendix B.7)
+
+     Key usage values between 1024 and 2047 (inclusive) are reserved for
+     application use. Applications should use even values for encryption
+     and odd values for checksums within this range.
+
+     A few of these key usages need a little clarification. A service which
+     receives an AP-REQ has no way to know if the enclosed Ticket was part
+     of an AS-REP or TGS-REP. Therefore, key usage 2 must always be used
+     for generating a Ticket, whether it is in response to an AS- REQ or
+     TGS-REQ.
+
+     There might exist other documents which define protocols in terms of
+     the RFC1510 encryption types or checksum types. Such documents would
+     not know about key usages. In order that these documents continue to
+     be meaningful until they are updated, key usages 1024 and 1025 must be
+     used to derive keys for encryption and checksums, respectively. New
+     protocols defined in terms of the Kerberos encryption and checksum
+     types should use their own key usages. Key usages may be registered
+     with IANA to avoid conflicts. Key usages must be unsigned 32 bit
+     integers. Zero is not permitted.
+
+     Defining Cryptosystems Using Key Derivation
+
+     Kerberos requires that the ciphertext component of EncryptedData be
+     tamper-resistant as well as confidential. This implies encryption and
+     integrity functions, which must each use their own separate keys. So,
+     for each key usage, two keys must be generated, one for encryption
+     (Ke), and one for integrity (Ki):
+
+           Ke = DK(protocol key, key usage | 0xAA)
+           Ki = DK(protocol key, key usage | 0x55)
+
+     where the protocol key is from the EncryptionKey from the wire
+     protocol, and the key usage is represented as a 32 bit integer in
+     network byte order. The ciphertest must be generated from the
+     plaintext as follows:
+
+        ciphertext = E(Ke, confounder | plaintext | padding) |
+                     H(Ki, confounder | plaintext | padding)
+
+     The confounder and padding are specific to the encryption algorithm E.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     When generating a checksum only, there is no need for a confounder or
+     padding. Again, a new key (Kc) must be used. Checksums must be
+     generated from the plaintext as follows:
+
+           Kc = DK(protocol key, key usage | 0x99)
+           MAC = H(Kc, plaintext)
+
+     Note that each enctype is described by an encryption algorithm E and a
+     keyed hash algorithm H, and each checksum type is described by a keyed
+     hash algorithm H. HMAC, with an appropriate hash, is required for use
+     as H.
+
+     Key Derivation from Passwords
+
+     The well-known constant for password key derivation must be the byte
+     string {0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}. These values
+     correspond to the ASCII encoding for the string "kerberos".
+
+     6.4. Checksums
+
+     The following is the ASN.1 definition used for a checksum:
+
+              Checksum ::=   SEQUENCE {
+                             cksumtype[0]   INTEGER,
+                             checksum[1]    OCTET STRING
+              }
+
+     cksumtype
+          This field indicates the algorithm used to generate the
+          accompanying checksum.
+     checksum
+          This field contains the checksum itself, encoded as an octet
+          string.
+     Detailed specification of selected checksum types appear later in this
+     section. Negative values for the checksum type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpretations.
+
+     Checksums used by Kerberos can be classified by two properties:
+     whether they are collision-proof, and whether they are keyed. It is
+     infeasible to find two plaintexts which generate the same checksum
+     value for a collision-proof checksum. A key is required to perturb or
+     initialize the algorithm in a keyed checksum. To prevent
+     message-stream modification by an active attacker, unkeyed checksums
+     should only be used when the checksum and message will be subsequently
+     encrypted (e.g. the checksums defined as part of the encryption
+     algorithms covered earlier in this section).
+
+     Collision-proof checksums can be made tamper-proof if the checksum
+     value is encrypted before inclusion in a message. In such cases, the
+     composition of the checksum and the encryption algorithm must be
+     considered a separate checksum algorithm (e.g. RSA-MD5 encrypted using
+     DES is a new checksum algorithm of type RSA-MD5-DES). For most keyed
+     checksums, as well as for the encrypted forms of unkeyed
+     collision-proof checksums, Kerberos prepends a confounder before the
+     checksum is calculated.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     6.4.1. The CRC-32 Checksum (crc32)
+
+     The CRC-32 checksum calculates a checksum based on a cyclic redundancy
+     check as described in ISO 3309 [ISO3309]. The resulting checksum is
+     four (4) octets in length. The CRC-32 is neither keyed nor
+     collision-proof. The use of this checksum is not recommended. An
+     attacker using a probabilistic chosen-plaintext attack as described in
+     [SG92] might be able to generate an alternative message that satisfies
+     the checksum. The use of collision-proof checksums is recommended for
+     environments where such attacks represent a significant threat.
+
+     6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+     The RSA-MD4 checksum calculates a checksum using the RSA MD4 algorithm
+     [MD4-92]. The algorithm takes as input an input message of arbitrary
+     length and produces as output a 128-bit (16 octet) checksum. RSA-MD4
+     is believed to be collision-proof.
+
+     6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
+
+     The RSA-MD4-DES checksum calculates a keyed collision-proof checksum
+     by prepending an 8 octet confounder before the text, applying the RSA
+     MD4 checksum algorithm, and encrypting the confounder and the checksum
+     using DES in cipher-block-chaining (CBC) mode using a variant of the
+     key, where the variant is computed by eXclusive-ORing the key with the
+     constant F0F0F0F0F0F0F0F0[39]. The initialization vector should be
+     zero. The resulting checksum is 24 octets long (8 octets of which are
+     redundant). This checksum is tamper-proof and believed to be
+     collision-proof.
+
+     The DES specifications identify some weak keys' and 'semi-weak keys';
+     those keys shall not be used for generating RSA-MD4 checksums for use
+     in Kerberos.
+
+     The format for the checksum is described in the follow- ing diagram:
+
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+     |  des-cbc(confounder   +   rsa-md4(confounder+msg),key=var(key),iv=0)
+|
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                                confounder[0]   UNTAGGED OCTET STRING(8),
+                                check[1]        UNTAGGED OCTET STRING(16)
+     }
+
+     6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+     The RSA-MD5 checksum calculates a checksum using the RSA MD5
+     algorithm. [MD5-92]. The algorithm takes as input an input message of
+     arbitrary length and produces as output a 128-bit (16 octet) checksum.
+     RSA-MD5 is believed to be collision-proof.
+
+     6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)
+
+     The RSA-MD5-DES checksum calculates a keyed collision-proof checksum
+     by prepending an 8 octet confounder before the text, applying the RSA
+     MD5 checksum algorithm, and encrypting the confounder and the checksum
+     using DES in cipher-block-chaining (CBC) mode using a variant of the
+     key, where the variant is computed by eXclusive-ORing the key with the
+     hexadecimal constant F0F0F0F0F0F0F0F0. The initialization vector
+     should be zero. The resulting checksum is 24 octets long (8 octets of
+     which are redundant). This checksum is tamper-proof and believed to be
+     collision-proof.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     The DES specifications identify some 'weak keys' and 'semi-weak keys';
+     those keys shall not be used for encrypting RSA-MD5 checksums for use
+     in Kerberos.
+
+     The format for the checksum is described in the following diagram:
+
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+     |  des-cbc(confounder   +   rsa-md5(confounder+msg),key=var(key),iv=0)
+|
+
++--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                                confounder[0]   UNTAGGED OCTET STRING(8),
+                                check[1]        UNTAGGED OCTET STRING(16)
+     }
+
+     6.4.6. DES cipher-block chained checksum (des-mac)
+
+     The DES-MAC checksum is computed by prepending an 8 octet confounder
+     to the plaintext, performing a DES CBC-mode encryption on the result
+     using the key and an initialization vector of zero, taking the last
+     block of the ciphertext, prepending the same confounder and encrypting
+     the pair using DES in cipher-block-chaining (CBC) mode using a a
+     variant of the key, where the variant is computed by eXclusive-ORing
+     the key with the hexadecimal constant F0F0F0F0F0F0F0F0. The
+     initialization vector should be zero. The resulting checksum is 128
+     bits (16 octets) long, 64 bits of which are redundant. This checksum
+     is tamper-proof and collision-proof.
+
+     The format for the checksum is described in the following diagram:
+
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+     |   des-cbc(confounder  + des-mac(conf+msg,iv=0,key),key=var(key),iv=0)
+|
+
++--+--+--+--+--+--+--+--+-----+-----+-----+-----+-----+-----+-----+-----+
+
+     The format cannot be described in ASN.1, but for those who prefer an
+     ASN.1-like notation:
+
+     des-mac-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                            confounder[0]   UNTAGGED OCTET STRING(8),
+                            check[1]        UNTAGGED OCTET STRING(8)
+     }
+
+     The DES specifications identify some 'weak' and 'semi-weak' keys;
+     those keys shall not be used for generating DES-MAC checksums for use
+     in Kerberos, nor shall a key be used whose variant is 'weak' or
+     'semi-weak'.
+
+     6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative
+     (rsa-md4-des-k)
+
+     The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum
+     by applying the RSA MD4 checksum algorithm and encrypting the results
+     using DES in cipher-block-chaining (CBC) mode using a DES key as both
+     key and initialization vector. The resulting checksum is 16 octets
+     long. This checksum is tamper-proof and believed to be
+     collision-proof. Note that this checksum type is the old method for
+     encoding the RSA-MD4-DES checksum and it is no longer recommended.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     6.4.8. DES cipher-block chained checksum alternative (des-mac-k)
+
+     The DES-MAC-K checksum is computed by performing a DES CBC-mode
+     encryption of the plaintext, and using the last block of the
+     ciphertext as the checksum value. It is keyed with an encryption key
+     and an initialization vector; any uses which do not specify an
+     additional initialization vector will use the key as both key and
+     initialization vector. The resulting checksum is 64 bits (8 octets)
+     long. This checksum is tamper-proof and collision-proof. Note that
+     this checksum type is the old method for encoding the DES-MAC checksum
+     and it is no longer recommended. The DES specifications identify some
+     'weak keys' and 'semi-weak keys'; those keys shall not be used for
+     generating DES-MAC checksums for use in Kerberos.
+
+     7. Naming Constraints
+
+     7.1. Realm Names
+
+     Although realm names are encoded as GeneralStrings and although a
+     realm can technically select any name it chooses, interoperability
+     across realm boundaries requires agreement on how realm names are to
+     be assigned, and what information they imply.
+
+     To enforce these conventions, each realm must conform to the
+     conventions itself, and it must require that any realms with which
+     inter-realm keys are shared also conform to the conventions and
+     require the same from its neighbors.
+
+     Kerberos realm names are case sensitive. Realm names that differ only
+     in the case of the characters are not equivalent. There are presently
+     four styles of realm names: domain, X500, other, and reserved.
+     Examples of each style follow:
+
+          domain:   ATHENA.MIT.EDU (example)
+            X500:   C=US/O=OSF (example)
+           other:   NAMETYPE:rest/of.name=without-restrictions (example)
+        reserved:   reserved, but will not conflict with above
+
+     Domain names must look like domain names: they consist of components
+     separated by periods (.) and they contain neither colons (:) nor
+     slashes (/). Though domain names themselves are case insensitive, in
+     order for realms to match, the case must match as well. When
+     establishing a new realm name based on an internet domain name it is
+     recommended by convention that the characters be converted to upper
+     case.
+
+     X.500 names contain an equal (=) and cannot contain a colon (:) before
+     the equal. The realm names for X.500 names will be string
+     representations of the names with components separated by slashes.
+     Leading and trailing slashes will not be included.
+
+     Names that fall into the other category must begin with a prefix that
+     contains no equal (=) or period (.) and the prefix must be followed by
+     a colon (:) and the rest of the name. All prefixes must be assigned
+     before they may be used. Presently none are assigned.
+
+     The reserved category includes strings which do not fall into the
+     first three categories. All names in this category are reserved. It is
+     unlikely that names will be assigned to this category unless there is
+     a very strong argument for not using the 'other' category.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     These rules guarantee that there will be no conflicts between the
+     various name styles. The following additional constraints apply to the
+     assignment of realm names in the domain and X.500 categories: the name
+     of a realm for the domain or X.500 formats must either be used by the
+     organization owning (to whom it was assigned) an Internet domain name
+     or X.500 name, or in the case that no such names are registered,
+     authority to use a realm name may be derived from the authority of the
+     parent realm. For example, if there is no domain name for E40.MIT.EDU,
+     then the administrator of the MIT.EDU realm can authorize the creation
+     of a realm with that name.
+
+     This is acceptable because the organization to which the parent is
+     assigned is presumably the organization authorized to assign names to
+     its children in the X.500 and domain name systems as well. If the
+     parent assigns a realm name without also registering it in the domain
+     name or X.500 hierarchy, it is the parent's responsibility to make
+     sure that there will not in the future exists a name identical to the
+     realm name of the child unless it is assigned to the same entity as
+     the realm name.
+
+     7.2. Principal Names
+
+     As was the case for realm names, conventions are needed to ensure that
+     all agree on what information is implied by a principal name. The
+     name-type field that is part of the principal name indicates the kind
+     of information implied by the name. The name-type should be treated as
+     a hint. Ignoring the name type, no two names can be the same (i.e. at
+     least one of the components, or the realm, must be different). The
+     following name types are defined:
+
+     name-type      value   meaning
+
+    NT-UNKNOWN        0   Name type not known
+    NT-PRINCIPAL      1   General principal name (e.g. username, DCE
+principal)
+    NT-SRV-INST       2   Service and other unique instance (krbtgt)
+    NT-SRV-HST        3   Service with host name as instance (telnet, rcmds)
+    NT-SRV-XHST       4   Service with slash-separated host name components
+    NT-UID            5   Unique ID
+    NT-X500-PRINCIPAL 6   Encoded X.509 Distingished name [RFC 1779]
+    NT-SMTP-NAME      7   Name in form of SMTP email name (e.g.
+user@foo.com)
+
+     When a name implies no information other than its uniqueness at a
+     particular time the name type PRINCIPAL should be used. The principal
+     name type should be used for users, and it might also be used for a
+     unique server. If the name is a unique machine generated ID that is
+     guaranteed never to be reassigned then the name type of UID should be
+     used (note that it is generally a bad idea to reassign names of any
+     type since stale entries might remain in access control lists).
+
+     If the first component of a name identifies a service and the
+     remaining components identify an instance of the service in a server
+     specified manner, then the name type of SRV-INST should be used. An
+     example of this name type is the Kerberos ticket-granting service
+     whose name has a first component of krbtgt and a second component
+     identifying the realm for which the ticket is valid.
+
+     If instance is a single component following the service name and the
+     instance identifies the host on which the server is running, then the
+     name type SRV-HST should be used. This type is typically used for
+     Internet services such as telnet and the Berkeley R commands. If the
+     separate components of the host name appear as successive components
+     following the name of the service, then the name type SRV-XHST should
+     be used. This type might be used to identify servers on hosts with
+     X.500 names where the slash (/) might otherwise be ambiguous.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     A name type of NT-X500-PRINCIPAL should be used when a name from an
+     X.509 certificiate is translated into a Kerberos name. The encoding of
+     the X.509 name as a Kerberos principal shall conform to the encoding
+     rules specified in RFC 2253.
+
+     A name type of SMTP allows a name to be of a form that resembles a
+     SMTP email name. This name type can be used in conjunction with
+     name-canonicalization to allow a free-form of username to be specified
+     as a client name and allow the KDC to determine the Kerberos principal
+     name for the requested name. [JBrezak]
+
+     A name type of UNKNOWN should be used when the form of the name is not
+     known. When comparing names, a name of type UNKNOWN will match
+     principals authenticated with names of any type. A principal
+     authenticated with a name of type UNKNOWN, however, will only match
+     other names of type UNKNOWN.
+
+     Names of any type with an initial component of 'krbtgt' are reserved
+     for the Kerberos ticket granting service. See section 8.2.3 for the
+     form of such names.
+
+     7.2.1. Name of server principals
+
+     The principal identifier for a server on a host will generally be
+     composed of two parts: (1) the realm of the KDC with which the server
+     is registered, and (2) a two-component name of type NT-SRV-HST if the
+     host name is an Internet domain name or a multi-component name of type
+     NT-SRV-XHST if the name of the host is of a form such as X.500 that
+     allows slash (/) separators. The first component of the two- or
+     multi-component name will identify the service and the latter
+     components will identify the host. Where the name of the host is not
+     case sensitive (for example, with Internet domain names) the name of
+     the host must be lower case. If specified by the application protocol
+     for services such as telnet and the Berkeley R commands which run with
+     system privileges, the first component may be the string 'host'
+     instead of a service specific identifier. When a host has an official
+     name and one or more aliases, the official name of the host must be
+     used when constructing the name of the server principal.
+
+     8. Constants and other defined values
+
+     8.1. Host address types
+
+     All negative values for the host address type are reserved for local
+     use. All non-negative values are reserved for officially assigned type
+     fields and interpretations.
+
+     The values of the types for the following addresses are chosen to
+     match the defined address family constants in the Berkeley Standard
+     Distributions of Unix. They can be found in with symbolic names AF_xxx
+     (where xxx is an abbreviation of the address family name).
+
+     Internet (IPv4) Addresses
+
+     Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded in
+     MSB order. The type of IPv4 addresses is two (2).
+
+     Internet (IPv6) Addresses [Westerlund]
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     IPv6 addresses are 128-bit (16-octet) quantities, encoded in MSB
+     order. The type of IPv6 addresses is twenty-four (24). [RFC1883]
+     [RFC1884]. The following addresses (see [RFC1884]) MUST not appear in
+     any Kerberos packet:
+        o the Unspecified Address
+        o the Loopback Address
+        o Link-Local addresses
+     IPv4-mapped IPv6 addresses MUST be represented as addresses of type 2.
+
+     CHAOSnet addresses
+
+     CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB
+     order. The type of CHAOSnet addresses is five (5).
+
+     ISO addresses
+
+     ISO addresses are variable-length. The type of ISO addresses is seven
+     (7).
+
+     Xerox Network Services (XNS) addresses
+
+     XNS addresses are 48-bit (6-octet) quantities, encoded in MSB order.
+     The type of XNS addresses is six (6).
+
+     AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+     AppleTalk DDP addresses consist of an 8-bit node number and a 16-bit
+     network number. The first octet of the address is the node number; the
+     remaining two octets encode the network number in MSB order. The type
+     of AppleTalk DDP addresses is sixteen (16).
+
+     DECnet Phase IV addresses
+
+     DECnet Phase IV addresses are 16-bit addresses, encoded in LSB order.
+     The type of DECnet Phase IV addresses is twelve (12).
+
+     Netbios addresses
+
+     Netbios addresses are 16-octet addresses typically composed of 1 to 15
+     characters, trailing blank (ascii char 20) filled, with a 16th octet
+     of 0x0. The type of Netbios addresses is 20 (0x14).
+
+     8.2. KDC messages
+
+     8.2.1. UDP/IP transport
+
+     When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request
+     using UDP IP transport, the client shall send a UDP datagram
+     containing only an encoding of the request to port 88 (decimal) at the
+     KDC's IP address; the KDC will respond with a reply datagram
+     containing only an encoding of the reply message (either a KRB_ERROR
+     or a KRB_KDC_REP) to the sending port at the sender's IP address.
+     Kerberos servers supporting IP transport must accept UDP requests on
+     port 88 (decimal). The response to a request made through UDP/IP
+     transport must also use UDP/IP transport.
+
+     8.2.2. TCP/IP transport [Westerlund,Danielsson]
+
+     Kerberos servers (KDC's) should accept TCP requests on port 88
+     (decimal) and clients should support the sending of TCP requests on
+     port 88 (decimal). When the KRB_KDC_REQ message is sent to the KDC
+     over a TCP stream, a new connection will be established for each
+     authentication exchange (request and response). The KRB_KDC_REP or
+     KRB_ERROR message will be returned to the client on the same TCP
+     stream that was established for the request. The response to a request
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     made through TCP/IP transport must also use TCP/IP transport.
+     Implementors should note that some extentions to the Kerberos protocol
+     will not work if any implementation not supporting the TCP transport
+     is involved (client or KDC). Implementors are strongly urged to
+     support the TCP transport on both the client and server and are
+     advised that the current notation of "should" support will likely
+     change in the future to must support. The KDC may close the TCP stream
+     after sending a response, but may leave the stream open if it expects
+     a followup - in which case it may close the stream at any time if
+     resource constratints or other factors make it desirable to do so.
+     Care must be taken in managing TCP/IP connections with the KDC to
+     prevent denial of service attacks based on the number of TCP/IP
+     connections with the KDC that remain open. If multiple exchanges with
+     the KDC are needed for certain forms of preauthentication, multiple
+     TCP connections may be required. A client may close the stream after
+     receiving response, and should close the stream if it does not expect
+     to send followup messages. The client must be prepared to have the
+     stream closed by the KDC at anytime, in which case it must simply
+     connect again when it is ready to send subsequent messages.
+
+     The first four octets of the TCP stream used to transmit the request
+     request will encode in network byte order the length of the request
+     (KRB_KDC_REQ), and the length will be followed by the request itself.
+     The response will similarly be preceeded by a 4 octet encoding in
+     network byte order of the length of the KRB_KDC_REP or the KRB_ERROR
+     message and will be followed by the KRB_KDC_REP or the KRB_ERROR
+     response. If the sign bit is set on the integer represented by the
+     first 4 octets, then the next 4 octets will be read, extending the
+     length of the field by another 4 octets (less the sign bit which is
+     reserved for future expansion).
+
+     8.2.3. OSI transport
+
+     During authentication of an OSI client to an OSI server, the mutual
+     authentication of an OSI server to an OSI client, the transfer of
+     credentials from an OSI client to an OSI server, or during exchange of
+     private or integrity checked messages, Kerberos protocol messages may
+     be treated as opaque objects and the type of the authentication
+     mechanism will be:
+
+     OBJECT IDENTIFIER ::= {iso (1), org(3), dod(6),internet(1),
+security(5),kerberosv5(2)}
+
+     Depending on the situation, the opaque object will be an
+     authentication header (KRB_AP_REQ), an authentication reply
+     (KRB_AP_REP), a safe message (KRB_SAFE), a private message (KRB_PRIV),
+     or a credentials message (KRB_CRED). The opaque data contains an
+     application code as specified in the ASN.1 description for each
+     message. The application code may be used by Kerberos to determine the
+     message type.
+
+     8.2.3. Name of the TGS
+
+     The principal identifier of the ticket-granting service shall be
+     composed of three parts: (1) the realm of the KDC issuing the TGS
+     ticket (2) a two-part name of type NT-SRV-INST, with the first part
+     "krbtgt" and the second part the name of the realm which will accept
+     the ticket-granting ticket. For example, a ticket-granting ticket
+     issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
+     ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU"
+     (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting ticket
+     issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
+     MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" (realm),
+     ("krbtgt", "MIT.EDU") (name).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     8.3. Protocol constants and associated values
+
+     The following tables list constants used in the protocol and defines
+     their meanings. Ranges are specified in the "specification" section
+     that limit the values of constants for which values are defined here.
+     This allows implementations to make assumptions about the maximum
+     values that will be received for these constants. Implementation
+     receiving values outside the range specified in the "specification"
+     section may reject the request, but they must recover cleanly.
+
+     Encryption type       etype value block size  minimum pad  confounder
+size
+     NULL                           0     1           0            0
+     des-cbc-crc                    1     8           4            8
+     des-cbc-md4                    2     8           0            8
+     des-cbc-md5                    3     8           0            8
+     reserved                       4
+     des3-cbc-md5                   5     8           0                 8
+     reserved                       6
+     des3-cbc-sha1                  7     8           0                 8
+     dsaWithSHA1-CmsOID             9
+(pkinit)
+     md5WithRSAEncryption-CmsOID   10
+(pkinit)
+     sha1WithRSAEncryption-CmsOID  11
+(pkinit)
+     rc2CBC-EnvOID                 12
+(pkinit)
+     rsaEncryption-EnvOID          13                (pkinit from PKCS#1
+v1.5)
+     rsaES-OAEP-ENV-OID            14                (pkinit from PKCS#1
+v2.0)
+     des-ede3-cbc-Env-OID          15
+(pkinit)
+     des3-cbc-sha1-kd              16                                 (Tom
+Yu)
+     rc4-hmac                      23
+(swift)
+     rc4-hmac-exp                  24
+(swift)
+
+     reserved                      0x8003
+
+     Checksum type              sumtype value       checksum size
+     CRC32                      1                   4
+     rsa-md4                    2                   16
+     rsa-md4-des                3                   24
+     des-mac                    4                   16
+     des-mac-k                  5                   8
+     rsa-md4-des-k              6                   16 (drop rsa ?)
+     rsa-md5                    7                   16 (drop rsa ?)
+     rsa-md5-des                8                   24 (drop rsa ?)
+     rsa-md5-des3               9                   24 (drop rsa ?)
+     hmac-sha1-des3-kd          12                  20
+     hmac-sha1-des3             13                  20
+     sha1 (unkeyed)             14                  20
+
+     padata type                     padata-type value
+
+     PA-TGS-REQ                      1
+     PA-ENC-TIMESTAMP                2
+     PA-PW-SALT                      3
+     reserved                        4
+     PA-ENC-UNIX-TIME                5                  (depricated)
+     PA-SANDIA-SECUREID              6
+     PA-SESAME                       7
+     PA-OSF-DCE                      8
+     PA-CYBERSAFE-SECUREID           9
+     PA-AFS3-SALT                    10
+     PA-ETYPE-INFO                   11
+     PA-SAM-CHALLENGE                12                  (sam/otp)
+     PA-SAM-RESPONSE                 13                  (sam/otp)
+     PA-PK-AS-REQ                    14                  (pkinit)
+     PA-PK-AS-REP                    15                  (pkinit)
+     PA-USE-SPECIFIED-KVNO           20
+     PA-SAM-REDIRECT                 21                  (sam/otp)
+     PA-GET-FROM-TYPED-DATA          22
+     PA-SAM-ETYPE-INFO               23                  (sam/otp)
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     data-type                     value    form of typed-data
+
+     reserved                        1-21
+     TD-PADATA                       22
+     TD-PKINIT-CMS-CERTIFICATES      101      CertificateSet from CMS
+     TD-KRB-PRINCIPAL                102
+     TD-KRB-REALM                    103
+     TD-TRUSTED-CERTIFIERS           104
+     TD-CERTIFICATE-INDEX            105
+     TD-APP-DEFINED-ERROR            106
+
+     authorization data type         ad-type value
+     AD-IF-RELEVANT                     1
+     AD-INTENDED-FOR-SERVER             2
+     AD-INTENDED-FOR-APPLICATION-CLASS  3
+     AD-KDC-ISSUED                      4
+     AD-OR                              5
+     AD-MANDATORY-TICKET-EXTENSIONS     6
+     AD-IN-TICKET-EXTENSIONS            7
+     reserved values                    8-63
+     OSF-DCE                            64
+     SESAME                             65
+     AD-OSF-DCE-PKI-CERTID              66    (hemsath@us.ibm.com)
+     AD-WIN200-PAC                     128
+(jbrezak@exchange.microsoft.com)
+
+     Ticket Extension Types
+
+     TE-TYPE-NULL                  0     Null ticket extension
+     TE-TYPE-EXTERNAL-ADATA        1     Integrity protected authorization
+data
+     reserved                      2     TE-TYPE-PKCROSS-KDC
+     TE-TYPE-PKCROSS-CLIENT        3     PKCROSS cross realm key ticket
+     TE-TYPE-CYBERSAFE-EXT         4     Assigned to CyberSafe Corp
+     reserved                      5     TE-TYPE-DEST-HOST
+
+     alternate authentication type   method-type value
+     reserved values                 0-63
+     ATT-CHALLENGE-RESPONSE          64
+
+     transited encoding type         tr-type value
+     DOMAIN-X500-COMPRESS            1
+     reserved values                 all others
+
+     Label               Value   Meaning or MIT code
+
+     pvno                    5   current Kerberos protocol version number
+
+     message types
+
+     KRB_AS_REQ             10   Request for initial authentication
+     KRB_AS_REP             11   Response to KRB_AS_REQ request
+     KRB_TGS_REQ            12   Request for authentication based on TGT
+     KRB_TGS_REP            13   Response to KRB_TGS_REQ request
+     KRB_AP_REQ             14   application request to server
+     KRB_AP_REP             15   Response to KRB_AP_REQ_MUTUAL
+     KRB_SAFE               20   Safe (checksummed) application message
+     KRB_PRIV               21   Private (encrypted) application message
+     KRB_CRED               22   Private (encrypted) message to forward
+credentials
+     KRB_ERROR              30   Error response
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     name types
+
+     KRB_NT_UNKNOWN        0  Name type not known
+     KRB_NT_PRINCIPAL      1  Just the name of the principal as in DCE, or
+for users
+     KRB_NT_SRV_INST       2  Service and other unique instance (krbtgt)
+     KRB_NT_SRV_HST        3  Service with host name as instance (telnet,
+rcommands)
+     KRB_NT_SRV_XHST       4  Service with host as remaining components
+     KRB_NT_UID            5  Unique ID
+     KRB_NT_X500_PRINCIPAL 6  Encoded X.509 Distingished name [RFC 2253]
+
+     error codes
+
+     KDC_ERR_NONE                    0   No error
+     KDC_ERR_NAME_EXP                1   Client's entry in database has
+expired
+     KDC_ERR_SERVICE_EXP             2   Server's entry in database has
+expired
+     KDC_ERR_BAD_PVNO                3   Requested protocol version number
+not supported
+     KDC_ERR_C_OLD_MAST_KVNO         4   Client's key encrypted in old
+master key
+     KDC_ERR_S_OLD_MAST_KVNO         5   Server's key encrypted in old
+master key
+     KDC_ERR_C_PRINCIPAL_UNKNOWN     6   Client not found in Kerberos
+database
+     KDC_ERR_S_PRINCIPAL_UNKNOWN     7   Server not found in Kerberos
+database
+     KDC_ERR_PRINCIPAL_NOT_UNIQUE    8   Multiple principal entries in
+database
+     KDC_ERR_NULL_KEY                9   The client or server has a null key
+     KDC_ERR_CANNOT_POSTDATE        10   Ticket not eligible for postdating
+     KDC_ERR_NEVER_VALID            11   Requested start time is later than
+end time
+     KDC_ERR_POLICY                 12   KDC policy rejects request
+     KDC_ERR_BADOPTION              13   KDC cannot accommodate requested
+option
+     KDC_ERR_ETYPE_NOSUPP           14   KDC has no support for encryption
+type
+     KDC_ERR_SUMTYPE_NOSUPP         15   KDC has no support for checksum
+type
+     KDC_ERR_PADATA_TYPE_NOSUPP     16   KDC has no support for padata type
+     KDC_ERR_TRTYPE_NOSUPP          17   KDC has no support for transited
+type
+     KDC_ERR_CLIENT_REVOKED         18   Clients credentials have been
+revoked
+     KDC_ERR_SERVICE_REVOKED        19   Credentials for server have been
+revoked
+     KDC_ERR_TGT_REVOKED            20   TGT has been revoked
+     KDC_ERR_CLIENT_NOTYET          21   Client not yet valid - try again
+later
+     KDC_ERR_SERVICE_NOTYET         22   Server not yet valid - try again
+later
+     KDC_ERR_KEY_EXPIRED            23   Password has expired - change
+password to reset
+     KDC_ERR_PREAUTH_FAILED         24   Pre-authentication information was
+invalid
+     KDC_ERR_PREAUTH_REQUIRED       25   Additional
+pre-authenticationrequired [40]
+     KDC_ERR_SERVER_NOMATCH         26   Requested server and ticket don't
+match
+     KDC_ERR_MUST_USE_USER2USER     27   Server principal valid for
+user2user only
+     KDC_ERR_PATH_NOT_ACCPETED      28   KDC Policy rejects transited path
+     KDC_ERR_SVC_UNAVAILABLE        29   A service is not available
+     KRB_AP_ERR_BAD_INTEGRITY       31   Integrity check on decrypted field
+failed
+     KRB_AP_ERR_TKT_EXPIRED         32   Ticket expired
+     KRB_AP_ERR_TKT_NYV             33   Ticket not yet valid
+     KRB_AP_ERR_REPEAT              34   Request is a replay
+     KRB_AP_ERR_NOT_US              35   The ticket isn't for us
+     KRB_AP_ERR_BADMATCH            36   Ticket and authenticator don't
+match
+     KRB_AP_ERR_SKEW                37   Clock skew too great
+     KRB_AP_ERR_BADADDR             38   Incorrect net address
+     KRB_AP_ERR_BADVERSION          39   Protocol version mismatch
+     KRB_AP_ERR_MSG_TYPE            40   Invalid msg type
+     KRB_AP_ERR_MODIFIED            41   Message stream modified
+     KRB_AP_ERR_BADORDER            42   Message out of order
+     KRB_AP_ERR_BADKEYVER           44   Specified version of key is not
+available
+     KRB_AP_ERR_NOKEY               45   Service key not available
+     KRB_AP_ERR_MUT_FAIL            46   Mutual authentication failed
+     KRB_AP_ERR_BADDIRECTION        47   Incorrect message direction
+     KRB_AP_ERR_METHOD              48   Alternative authentication method
+required
+     KRB_AP_ERR_BADSEQ              49   Incorrect sequence number in
+message
+     KRB_AP_ERR_INAPP_CKSUM         50   Inappropriate type of checksum in
+message
+     KRB_AP_PATH_NOT_ACCEPTED       51   Policy rejects transited path
+     KRB_ERR_RESPONSE_TOO_BIG       52   Response too big for UDP, retry
+with TCP
+     KRB_ERR_GENERIC                60   Generic error (description in
+e-text)
+     KRB_ERR_FIELD_TOOLONG          61   Field is too long for this
+implementation
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     KDC_ERROR_CLIENT_NOT_TRUSTED            62 (pkinit)
+     KDC_ERROR_KDC_NOT_TRUSTED               63 (pkinit)
+     KDC_ERROR_INVALID_SIG                   64 (pkinit)
+     KDC_ERR_KEY_TOO_WEAK                    65 (pkinit)
+     KDC_ERR_CERTIFICATE_MISMATCH            66 (pkinit)
+     KRB_AP_ERR_NO_TGT                       67 (user-to-user)
+     KDC_ERR_WRONG_REALM                     68 (user-to-user)
+     KRB_AP_ERR_USER_TO_USER_REQUIRED        69 (user-to-user)
+     KDC_ERR_CANT_VERIFY_CERTIFICATE         70 (pkinit)
+     KDC_ERR_INVALID_CERTIFICATE             71 (pkinit)
+     KDC_ERR_REVOKED_CERTIFICATE             72 (pkinit)
+     KDC_ERR_REVOCATION_STATUS_UNKNOWN       73 (pkinit)
+     KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74 (pkinit)
+     KDC_ERR_CLIENT_NAME_MISMATCH            75 (pkinit)
+     KDC_ERR_KDC_NAME_MISMATCH               76 (pkinit)
+
+     9. Interoperability requirements
+
+     Version 5 of the Kerberos protocol supports a myriad of options. Among
+     these are multiple encryption and checksum types, alternative encoding
+     schemes for the transited field, optional mechanisms for
+     pre-authentication, the handling of tickets with no addresses, options
+     for mutual authentication, user to user authentication, support for
+     proxies, forwarding, postdating, and renewing tickets, the format of
+     realm names, and the handling of authorization data.
+
+     In order to ensure the interoperability of realms, it is necessary to
+     define a minimal configuration which must be supported by all
+     implementations. This minimal configuration is subject to change as
+     technology does. For example, if at some later date it is discovered
+     that one of the required encryption or checksum algorithms is not
+     secure, it will be replaced.
+
+     9.1. Specification 2
+
+     This section defines the second specification of these options.
+     Implementations which are configured in this way can be said to
+     support Kerberos Version 5 Specification 2 (5.1). Specification 1
+     (depricated) may be found in RFC1510.
+
+     Transport
+
+     TCP/IP and UDP/IP transport must be supported by KDCs claiming
+     conformance to specification 2. Kerberos clients claiming conformance
+     to specification 2 must support UDP/IP transport for messages with the
+     KDC and should support TCP/IP transport.
+
+     Encryption and checksum methods
+
+     The following encryption and checksum mechanisms must be supported.
+     Implementations may support other mechanisms as well, but the
+     additional mechanisms may only be used when communicating with
+     principals known to also support them: This list is to be determined.
+
+     Encryption: DES-CBC-MD5, one triple des variant (tbd)
+     Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5 (tbd)
+
+     Realm Names
+
+     All implementations must understand hierarchical realms in both the
+     Internet Domain and the X.500 style. When a ticket granting ticket for
+     an unknown realm is requested, the KDC must be able to determine the
+     names of the intermediate realms between the KDCs realm and the
+     requested realm.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     Transited field encoding
+
+     DOMAIN-X500-COMPRESS (described in section 3.3.3.2) must be supported.
+     Alternative encodings may be supported, but they may be used only when
+     that encoding is supported by ALL intermediate realms.
+
+     Pre-authentication methods
+
+     The TGS-REQ method must be supported. The TGS-REQ method is not used
+     on the initial request. The PA-ENC-TIMESTAMP method must be supported
+     by clients but whether it is enabled by default may be determined on a
+     realm by realm basis. If not used in the initial request and the error
+     KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENC-TIMESTAMP as an
+     acceptable method, the client should retry the initial request using
+     the PA-ENC-TIMESTAMP preauthentication method. Servers need not
+     support the PA-ENC-TIMESTAMP method, but if not supported the server
+     should ignore the presence of PA-ENC-TIMESTAMP pre-authentication in a
+     request.
+
+     Mutual authentication
+
+     Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+     Ticket addresses and flags
+
+     All KDC's must pass on tickets that carry no addresses (i.e. if a TGT
+     contains no addresses, the KDC will return derivative tickets), but
+     each realm may set its own policy for issuing such tickets, and each
+     application server will set its own policy with respect to accepting
+     them.
+
+     Proxies and forwarded tickets must be supported. Individual realms and
+     application servers can set their own policy on when such tickets will
+     be accepted.
+
+     All implementations must recognize renewable and postdated tickets,
+     but need not actually implement them. If these options are not
+     supported, the starttime and endtime in the ticket shall specify a
+     ticket's entire useful life. When a postdated ticket is decoded by a
+     server, all implementations shall make the presence of the postdated
+     flag visible to the calling server.
+
+     User-to-user authentication
+
+     Support for user to user authentication (via the ENC-TKT-IN-SKEY KDC
+     option) must be provided by implementations, but individual realms may
+     decide as a matter of policy to reject such requests on a
+     per-principal or realm-wide basis.
+
+     Authorization data
+
+     Implementations must pass all authorization data subfields from
+     ticket-granting tickets to any derivative tickets unless directed to
+     suppress a subfield as part of the definition of that registered
+     subfield type (it is never incorrect to pass on a subfield, and no
+     registered subfield types presently specify suppression at the KDC).
+
+     Implementations must make the contents of any authorization data
+     subfields available to the server when a ticket is used.
+     Implementations are not required to allow clients to specify the
+     contents of the authorization data fields.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     Constant ranges
+
+     All protocol constants are constrained to 32 bit (signed) values
+     unless further constrained by the protocol definition. This limit is
+     provided to allow implementations to make assumptions about the
+     maximum values that will be received for these constants.
+     Implementation receiving values outside this range may reject the
+     request, but they must recover cleanly.
+
+     9.2. Recommended KDC values
+
+     Following is a list of recommended values for a KDC implementation,
+     based on the list of suggested configuration constants (see section
+     4.4).
+
+     minimum lifetime              5 minutes
+     maximum renewable lifetime    1 week
+     maximum ticket lifetime       1 day
+     empty addresses               only when suitable  restrictions  appear
+                                   in authorization data
+     proxiable, etc.               Allowed.
+
+     10. REFERENCES
+
+     [NT94]    B. Clifford Neuman and Theodore Y. Ts'o, "An  Authenti-
+               cation  Service for Computer Networks," IEEE Communica-
+               tions Magazine, Vol. 32(9), pp. 33-38 (September 1994).
+
+     [MNSS87]  S. P. Miller, B. C. Neuman, J. I. Schiller, and  J.  H.
+               Saltzer,  Section  E.2.1:  Kerberos  Authentication and
+               Authorization System, M.I.T. Project Athena, Cambridge,
+               Massachusetts (December 21, 1987).
+
+     [SNS88]   J. G. Steiner, B. C. Neuman, and J. I. Schiller,  "Ker-
+               beros:  An Authentication Service for Open Network Sys-
+               tems," pp. 191-202 in  Usenix  Conference  Proceedings,
+               Dallas, Texas (February, 1988).
+
+     [NS78]    Roger M.  Needham  and  Michael  D.  Schroeder,  "Using
+               Encryption for Authentication in Large Networks of Com-
+               puters,"  Communications  of  the  ACM,  Vol.   21(12),
+               pp. 993-999 (December, 1978).
+
+     [DS81]    Dorothy E. Denning and  Giovanni  Maria  Sacco,  "Time-
+               stamps  in  Key Distribution Protocols," Communications
+               of the ACM, Vol. 24(8), pp. 533-536 (August 1981).
+
+     [KNT92]   John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o,
+               "The Evolution of the Kerberos Authentication Service,"
+               in an IEEE Computer Society Text soon to  be  published
+               (June 1992).
+
+     [Neu93]   B.  Clifford  Neuman,  "Proxy-Based  Authorization  and
+               Accounting  for Distributed Systems," in Proceedings of
+               the 13th International Conference on  Distributed  Com-
+               puting Systems, Pittsburgh, PA (May, 1993).
+
+     [DS90]    Don Davis and Ralph Swick,  "Workstation  Services  and
+               Kerberos  Authentication  at Project Athena," Technical
+               Memorandum TM-424,  MIT Laboratory for Computer Science
+               (February 1990).
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     [LGDSR87] P. J. Levine, M. R. Gretzinger, J. M. Diaz, W. E.  Som-
+               merfeld,  and  K. Raeburn, Section E.1: Service Manage-
+               ment System, M.I.T.  Project  Athena,  Cambridge,  Mas-
+               sachusetts (1987).
+
+     [X509-88] CCITT, Recommendation X.509: The Directory  Authentica-
+               tion Framework, December 1988.
+
+     [Pat92].  J. Pato, Using  Pre-Authentication  to  Avoid  Password
+               Guessing  Attacks, Open Software Foundation DCE Request
+               for Comments 26 (December 1992).
+
+     [DES77]   National Bureau of Standards, U.S. Department  of  Com-
+               merce,  "Data Encryption Standard," Federal Information
+               Processing Standards Publication  46,   Washington,  DC
+               (1977).
+
+     [DESM80]  National Bureau of Standards, U.S. Department  of  Com-
+               merce,  "DES  Modes  of Operation," Federal Information
+               Processing Standards Publication 81,   Springfield,  VA
+               (December 1980).
+
+     [SG92]    Stuart G. Stubblebine and Virgil D. Gligor, "On Message
+               Integrity  in  Cryptographic Protocols," in Proceedings
+               of the IEEE  Symposium  on  Research  in  Security  and
+               Privacy, Oakland, California (May 1992).
+
+     [IS3309]  International Organization  for  Standardization,  "ISO
+               Information  Processing  Systems - Data Communication -
+               High-Level Data Link Control Procedure -  Frame  Struc-
+               ture," IS 3309 (October 1984).  3rd Edition.
+
+     [MD4-92]  R. Rivest, "The  MD4  Message  Digest  Algorithm,"  RFC
+               1320,   MIT  Laboratory  for  Computer  Science  (April
+               1992).
+
+     [MD5-92]  R. Rivest, "The  MD5  Message  Digest  Algorithm,"  RFC
+               1321,   MIT  Laboratory  for  Computer  Science  (April
+               1992).
+
+     [KBC96]   H. Krawczyk, M. Bellare, and R. Canetti, "HMAC:  Keyed-
+               Hashing  for  Message  Authentication,"  Working  Draft
+               draft-ietf-ipsec-hmac-md5-01.txt,   (August 1996).
+
+     [Horowitz96] Horowitz, M., "Key Derivation for Authentication,
+               Integrity, and Privacy",
+draft-horowitz-key-derivation-02.txt,
+               August 1998.
+
+     [HorowitzB96] Horowitz, M., "Key Derivation for Kerberos V5", draft-
+               horowitz-kerb-key-derivation-01.txt, September 1998.
+
+     [Krawczyk96] Krawczyk, H., Bellare, and M., Canetti, R., "HMAC:
+               Keyed-Hashing for Message Authentication",
+draft-ietf-ipsec-hmac-
+               md5-01.txt, August, 1996.
+
+     A. Pseudo-code for protocol processing
+
+     This appendix provides pseudo-code describing how the messages are to
+     be constructed and interpreted by clients and servers.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     A.1. KRB_AS_REQ generation
+
+             request.pvno := protocol version; /* pvno = 5 */
+             request.msg-type := message type; /* type = KRB_AS_REQ */
+
+             if(pa_enc_timestamp_required) then
+                     request.padata.padata-type = PA-ENC-TIMESTAMP;
+                     get system_time;
+                     padata-body.patimestamp,pausec = system_time;
+                     encrypt padata-body into request.padata.padata-value
+                             using client.key; /* derived from password */
+             endif
+
+             body.kdc-options := users's preferences;
+             body.cname := user's name;
+             body.realm := user's realm;
+             body.sname := service's name; /* usually "krbtgt",
+"localrealm" */
+             if (body.kdc-options.POSTDATED is set) then
+                     body.from := requested starting time;
+             else
+                     omit body.from;
+             endif
+             body.till := requested end time;
+             if (body.kdc-options.RENEWABLE is set) then
+                     body.rtime := requested final renewal time;
+             endif
+             body.nonce := random_nonce();
+             body.etype := requested etypes;
+             if (user supplied addresses) then
+                     body.addresses := user's addresses;
+             else
+                     omit body.addresses;
+             endif
+             omit body.enc-authorization-data;
+             request.req-body := body;
+
+             kerberos := lookup(name of local kerberos server (or servers));
+             send(packet,kerberos);
+
+             wait(for response);
+             if (timed_out) then
+                     retry or use alternate server;
+             endif
+
+     A.2. KRB_AS_REQ verification and KRB_AS_REP generation
+
+             decode message into req;
+
+             client := lookup(req.cname,req.realm);
+             server := lookup(req.sname,req.realm);
+
+             get system_time;
+             kdc_time := system_time.seconds;
+
+             if (!client) then
+                     /* no client in Database */
+                     error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+             endif
+             if (!server) then
+                     /* no server in Database */
+                     error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+             endif
+
+             if(client.pa_enc_timestamp_required and
+                pa_enc_timestamp not present) then
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+             endif
+
+             if(pa_enc_timestamp present) then
+                     decrypt req.padata-value into decrypted_enc_timestamp
+                             using client.key;
+                             using auth_hdr.authenticator.subkey;
+                     if (decrypt_error()) then
+                             error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                     if(decrypted_enc_timestamp is not within allowable
+skew) then
+                             error_out(KDC_ERR_PREAUTH_FAILED);
+                     endif
+                     if(decrypted_enc_timestamp and usec is replay)
+                             error_out(KDC_ERR_PREAUTH_FAILED);
+                     endif
+                     add decrypted_enc_timestamp and usec to replay cache;
+             endif
+
+             use_etype := first supported etype in req.etypes;
+
+             if (no support for req.etypes) then
+                     error_out(KDC_ERR_ETYPE_NOSUPP);
+             endif
+
+             new_tkt.vno := ticket version; /* = 5 */
+             new_tkt.sname := req.sname;
+             new_tkt.srealm := req.srealm;
+             reset all flags in new_tkt.flags;
+
+             /* It should be noted that local policy may affect the  */
+             /* processing of any of these flags.  For example, some */
+             /* realms may refuse to issue renewable tickets         */
+
+             if (req.kdc-options.FORWARDABLE is set) then
+                     set new_tkt.flags.FORWARDABLE;
+             endif
+             if (req.kdc-options.PROXIABLE is set) then
+                     set new_tkt.flags.PROXIABLE;
+             endif
+
+             if (req.kdc-options.ALLOW-POSTDATE is set) then
+                     set new_tkt.flags.MAY-POSTDATE;
+             endif
+             if ((req.kdc-options.RENEW is set) or
+                 (req.kdc-options.VALIDATE is set) or
+                 (req.kdc-options.PROXY is set) or
+                 (req.kdc-options.FORWARDED is set) or
+                 (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                     error_out(KDC_ERR_BADOPTION);
+             endif
+
+             new_tkt.session := random_session_key();
+             new_tkt.cname := req.cname;
+             new_tkt.crealm := req.crealm;
+             new_tkt.transited := empty_transited_field();
+
+             new_tkt.authtime := kdc_time;
+
+             if (req.kdc-options.POSTDATED is set) then
+                if (against_postdate_policy(req.from)) then
+                     error_out(KDC_ERR_POLICY);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                new_tkt.starttime := req.from;
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+             else
+                omit new_tkt.starttime; /* treated as authtime when omitted
+*/
+             endif
+             if (req.till = 0) then
+                     till := infinity;
+             else
+                     till := req.till;
+             endif
+
+             new_tkt.endtime := min(till,
+                                   new_tkt.starttime+client.max_life,
+                                   new_tkt.starttime+server.max_life,
+                                   new_tkt.starttime+max_life_for_realm);
+
+             if ((req.kdc-options.RENEWABLE-OK is set) and
+                 (new_tkt.endtime < req.till)) then
+                     /* we set the RENEWABLE option for later processing */
+                     set req.kdc-options.RENEWABLE;
+                     req.rtime := req.till;
+             endif
+
+             if (req.rtime = 0) then
+                     rtime := infinity;
+             else
+                     rtime := req.rtime;
+             endif
+
+             if (req.kdc-options.RENEWABLE is set) then
+                     set new_tkt.flags.RENEWABLE;
+                     new_tkt.renew-till := min(rtime,
+
+new_tkt.starttime+client.max_rlife,
+
+new_tkt.starttime+server.max_rlife,
+
+new_tkt.starttime+max_rlife_for_realm);
+             else
+                     omit new_tkt.renew-till; /* only present if RENEWABLE
+*/
+             endif
+
+             if (req.addresses) then
+                     new_tkt.caddr := req.addresses;
+             else
+                     omit new_tkt.caddr;
+             endif
+
+             new_tkt.authorization_data := empty_authorization_data();
+
+             encode to-be-encrypted part of ticket into OCTET STRING;
+             new_tkt.enc-part := encrypt OCTET STRING
+                     using etype_for_key(server.key), server.key,
+server.p_kvno;
+
+             /* Start processing the response */
+
+             resp.pvno := 5;
+             resp.msg-type := KRB_AS_REP;
+             resp.cname := req.cname;
+             resp.crealm := req.realm;
+             resp.ticket := new_tkt;
+
+             resp.key := new_tkt.session;
+             resp.last-req := fetch_last_request_info(client);
+             resp.nonce := req.nonce;
+             resp.key-expiration := client.expiration;
+             resp.flags := new_tkt.flags;
+
+             resp.authtime := new_tkt.authtime;
+             resp.starttime := new_tkt.starttime;
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+             resp.endtime := new_tkt.endtime;
+
+             if (new_tkt.flags.RENEWABLE) then
+                     resp.renew-till := new_tkt.renew-till;
+             endif
+
+             resp.realm := new_tkt.realm;
+             resp.sname := new_tkt.sname;
+
+             resp.caddr := new_tkt.caddr;
+
+             encode body of reply into OCTET STRING;
+
+             resp.enc-part := encrypt OCTET STRING
+                              using use_etype, client.key, client.p_kvno;
+             send(resp);
+
+     A.3. KRB_AS_REP verification
+
+             decode response into resp;
+
+             if (resp.msg-type = KRB_ERROR) then
+                     if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP))
+then
+                             set pa_enc_timestamp_required;
+                             goto KRB_AS_REQ;
+                     endif
+                     process_error(resp);
+                     return;
+             endif
+
+             /* On error, discard the response, and zero the session key */
+             /* from the response immediately */
+
+             key = get_decryption_key(resp.enc-part.kvno,
+resp.enc-part.etype,
+                                      resp.padata);
+             unencrypted part of resp := decode of decrypt of resp.enc-part
+                                     using resp.enc-part.etype and key;
+             zero(key);
+
+             if (common_as_rep_tgs_rep_checks fail) then
+                     destroy resp.key;
+                     return error;
+             endif
+
+             if near(resp.princ_exp) then
+                     print(warning message);
+             endif
+             save_for_later(ticket,session,client,server,times,flags);
+
+     A.4. KRB_AS_REP and KRB_TGS_REP common checks
+
+             if (decryption_error() or
+                 (req.cname != resp.cname) or
+                 (req.realm != resp.crealm) or
+                 (req.sname != resp.sname) or
+                 (req.realm != resp.realm) or
+                 (req.nonce != resp.nonce) or
+                 (req.addresses != resp.caddr)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+             /* make sure no flags are set that shouldn't be, and that all
+that */
+             /* should be are set
+*/
+             if (!check_flags_for_compatability(req.kdc-options,resp.flags))
+then
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+             if ((req.from = 0) and
+                 (resp.starttime is not within allowable skew)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_SKEW;
+             endif
+             if ((req.from != 0) and (req.from != resp.starttime)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+             if ((req.till != 0) and (resp.endtime > req.till)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+             if ((req.kdc-options.RENEWABLE is set) and
+                 (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+             if ((req.kdc-options.RENEWABLE-OK is set) and
+                 (resp.flags.RENEWABLE) and
+                 (req.till != 0) and
+                 (resp.renew-till > req.till)) then
+                     destroy resp.key;
+                     return KRB_AP_ERR_MODIFIED;
+             endif
+
+     A.5. KRB_TGS_REQ generation
+
+             /* Note that make_application_request might have to recursivly
+*/
+             /* call this routine to get the appropriate ticket-granting
+ticket */
+
+             request.pvno := protocol version; /* pvno = 5 */
+             request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+             body.kdc-options := users's preferences;
+             /* If the TGT is not for the realm of the end-server  */
+             /* then the sname will be for a TGT for the end-realm */
+             /* and the realm of the requested ticket (body.realm) */
+             /* will be that of the TGS to which the TGT we are    */
+             /* sending applies                                    */
+             body.sname := service's name;
+             body.realm := service's realm;
+
+             if (body.kdc-options.POSTDATED is set) then
+                     body.from := requested starting time;
+             else
+                     omit body.from;
+             endif
+             body.till := requested end time;
+             if (body.kdc-options.RENEWABLE is set) then
+                     body.rtime := requested final renewal time;
+             endif
+             body.nonce := random_nonce();
+             body.etype := requested etypes;
+             if (user supplied addresses) then
+                     body.addresses := user's addresses;
+             else
+                     omit body.addresses;
+             endif
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+             body.enc-authorization-data := user-supplied data;
+             if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                     body.additional-tickets_ticket := second TGT;
+             endif
+
+             request.req-body := body;
+             check := generate_checksum (req.body,checksumtype);
+
+             request.padata[0].padata-type := PA-TGS-REQ;
+             request.padata[0].padata-value := create a KRB_AP_REQ using
+                                           the TGT and checksum
+
+             /* add in any other padata as required/supplied */
+
+             kerberos := lookup(name of local kerberose server (or
+servers));
+             send(packet,kerberos);
+
+             wait(for response);
+             if (timed_out) then
+                     retry or use alternate server;
+             endif
+
+     A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation
+
+             /* note that reading the application request requires first
+             determining the server for which a ticket was issued, and
+choosing the
+             correct key for decryption.  The name of the server appears in
+the
+             plaintext part of the ticket. */
+
+             if (no KRB_AP_REQ in req.padata) then
+                     error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+             endif
+             verify KRB_AP_REQ in req.padata;
+
+             /* Note that the realm in which the Kerberos server is
+operating is
+             determined by the instance from the ticket-granting ticket.
+The realm
+             in the ticket-granting ticket is the realm under which the
+ticket
+             granting ticket was issued.  It is possible for a single
+Kerberos
+             server to support more than one realm. */
+
+             auth_hdr := KRB_AP_REQ;
+             tgt := auth_hdr.ticket;
+
+             if (tgt.sname is not a TGT for local realm and is not
+req.sname) then
+                     error_out(KRB_AP_ERR_NOT_US);
+
+             realm := realm_tgt_is_for(tgt);
+
+             decode remainder of request;
+
+             if (auth_hdr.authenticator.cksum is missing) then
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+
+             if (auth_hdr.authenticator.cksum type is not supported) then
+                     error_out(KDC_ERR_SUMTYPE_NOSUPP);
+             endif
+             if (auth_hdr.authenticator.cksum is not both collision-proof
+and keyed) then
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+
+             set computed_checksum := checksum(req);
+             if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+
+             server := lookup(req.sname,realm);
+
+             if (!server) then
+                     if (is_foreign_tgt_name(req.sname)) then
+                             server := best_intermediate_tgs(req.sname);
+                     else
+                             /* no server in Database */
+                             error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                     endif
+             endif
+
+             session := generate_random_session_key();
+
+             use_etype := first supported etype in req.etypes;
+
+             if (no support for req.etypes) then
+                     error_out(KDC_ERR_ETYPE_NOSUPP);
+             endif
+
+             new_tkt.vno := ticket version; /* = 5 */
+             new_tkt.sname := req.sname;
+             new_tkt.srealm := realm;
+             reset all flags in new_tkt.flags;
+
+             /* It should be noted that local policy may affect the  */
+             /* processing of any of these flags.  For example, some */
+             /* realms may refuse to issue renewable tickets         */
+
+             new_tkt.caddr := tgt.caddr;
+             resp.caddr := NULL; /* We only include this if they change */
+             if (req.kdc-options.FORWARDABLE is set) then
+                     if (tgt.flags.FORWARDABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.FORWARDABLE;
+             endif
+             if (req.kdc-options.FORWARDED is set) then
+                     if (tgt.flags.FORWARDABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.FORWARDED;
+                     new_tkt.caddr := req.addresses;
+                     resp.caddr := req.addresses;
+             endif
+             if (tgt.flags.FORWARDED is set) then
+                     set new_tkt.flags.FORWARDED;
+             endif
+
+             if (req.kdc-options.PROXIABLE is set) then
+                     if (tgt.flags.PROXIABLE is reset)
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.PROXIABLE;
+             endif
+             if (req.kdc-options.PROXY is set) then
+                     if (tgt.flags.PROXIABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.PROXY;
+                     new_tkt.caddr := req.addresses;
+                     resp.caddr := req.addresses;
+             endif
+
+             if (req.kdc-options.ALLOW-POSTDATE is set) then
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     if (tgt.flags.MAY-POSTDATE is reset)
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.MAY-POSTDATE;
+             endif
+             if (req.kdc-options.POSTDATED is set) then
+                     if (tgt.flags.MAY-POSTDATE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     set new_tkt.flags.POSTDATED;
+                     set new_tkt.flags.INVALID;
+                     if (against_postdate_policy(req.from)) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+                     new_tkt.starttime := req.from;
+             endif
+
+             if (req.kdc-options.VALIDATE is set) then
+                     if (tgt.flags.INVALID is reset) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+                     if (tgt.starttime > kdc_time) then
+                             error_out(KRB_AP_ERR_NYV);
+                     endif
+                     if (check_hot_list(tgt)) then
+                             error_out(KRB_AP_ERR_REPEAT);
+                     endif
+                     tkt := tgt;
+                     reset new_tkt.flags.INVALID;
+             endif
+
+             if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                                  and those already processed) is set) then
+                     error_out(KDC_ERR_BADOPTION);
+             endif
+
+             new_tkt.authtime := tgt.authtime;
+
+             if (req.kdc-options.RENEW is set) then
+               /* Note that if the endtime has already passed, the ticket
+would  */
+               /* have been rejected in the initial authentication stage, so
+*/
+               /* there is no need to check again here
+*/
+                     if (tgt.flags.RENEWABLE is reset) then
+                             error_out(KDC_ERR_BADOPTION);
+                     endif
+                     if (tgt.renew-till < kdc_time) then
+                             error_out(KRB_AP_ERR_TKT_EXPIRED);
+                     endif
+                     tkt := tgt;
+                     new_tkt.starttime := kdc_time;
+                     old_life := tgt.endttime - tgt.starttime;
+                     new_tkt.endtime := min(tgt.renew-till,
+                                            new_tkt.starttime + old_life);
+             else
+                     new_tkt.starttime := kdc_time;
+                     if (req.till = 0) then
+                             till := infinity;
+                     else
+                             till := req.till;
+                     endif
+                     new_tkt.endtime := min(till,
+
+new_tkt.starttime+client.max_life,
+
+new_tkt.starttime+server.max_life,
+
+new_tkt.starttime+max_life_for_realm,
+                                            tgt.endtime);
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+
+                     if ((req.kdc-options.RENEWABLE-OK is set) and
+                         (new_tkt.endtime < req.till) and
+                         (tgt.flags.RENEWABLE is set) then
+                             /* we set the RENEWABLE option for later
+processing */
+                             set req.kdc-options.RENEWABLE;
+                             req.rtime := min(req.till, tgt.renew-till);
+                     endif
+             endif
+
+             if (req.rtime = 0) then
+                     rtime := infinity;
+             else
+                     rtime := req.rtime;
+             endif
+
+             if ((req.kdc-options.RENEWABLE is set) and
+                 (tgt.flags.RENEWABLE is set)) then
+                     set new_tkt.flags.RENEWABLE;
+                     new_tkt.renew-till := min(rtime,
+
+new_tkt.starttime+client.max_rlife,
+
+new_tkt.starttime+server.max_rlife,
+
+new_tkt.starttime+max_rlife_for_realm,
+                                               tgt.renew-till);
+             else
+                     new_tkt.renew-till := OMIT; /* leave the renew-till
+field out */
+             endif
+             if (req.enc-authorization-data is present) then
+                     decrypt req.enc-authorization-data into
+decrypted_authorization_data
+                             using auth_hdr.authenticator.subkey;
+                     if (decrypt_error()) then
+                             error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                     endif
+             endif
+             new_tkt.authorization_data :=
+req.auth_hdr.ticket.authorization_data +
+                                      decrypted_authorization_data;
+
+             new_tkt.key := session;
+             new_tkt.crealm := tgt.crealm;
+             new_tkt.cname := req.auth_hdr.ticket.cname;
+
+             if (realm_tgt_is_for(tgt) := tgt.realm) then
+                     /* tgt issued by local realm */
+                     new_tkt.transited := tgt.transited;
+             else
+                     /* was issued for this realm by some other realm */
+                     if (tgt.transited.tr-type not supported) then
+                             error_out(KDC_ERR_TRTYPE_NOSUPP);
+                     endif
+                     new_tkt.transited := compress_transited(tgt.transited +
+tgt.realm)
+                     /* Don't check tranited field if TGT for foreign realm,
+                      * or requested not to check */
+                     if (is_not_foreign_tgt_name(new_tkt.server)
+                        && req.kdc-options.DISABLE-TRANSITED-CHECK not set)
+then
+                             /* Check it, so end-server does not have to
+                              * but don't fail, end-server may still accept
+it */
+                             if (check_transited_field(new_tkt.transited) ==
+OK)
+                                   set
+new_tkt.flags.TRANSITED-POLICY-CHECKED;
+                             endif
+                     endif
+             endif
+
+             encode encrypted part of new_tkt into OCTET STRING;
+             if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                     if (server not specified) then
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                             server = req.second_ticket.client;
+                     endif
+                     if ((req.second_ticket is not a TGT) or
+                         (req.second_ticket.client != server)) then
+                             error_out(KDC_ERR_POLICY);
+                     endif
+
+                     new_tkt.enc-part := encrypt OCTET STRING using
+                             using etype_for_key(second-ticket.key),
+second-ticket.key;
+             else
+                     new_tkt.enc-part := encrypt OCTET STRING
+                             using etype_for_key(server.key), server.key,
+server.p_kvno;
+             endif
+
+             resp.pvno := 5;
+             resp.msg-type := KRB_TGS_REP;
+             resp.crealm := tgt.crealm;
+             resp.cname := tgt.cname;
+             resp.ticket := new_tkt;
+
+             resp.key := session;
+             resp.nonce := req.nonce;
+             resp.last-req := fetch_last_request_info(client);
+             resp.flags := new_tkt.flags;
+
+             resp.authtime := new_tkt.authtime;
+             resp.starttime := new_tkt.starttime;
+             resp.endtime := new_tkt.endtime;
+
+             omit resp.key-expiration;
+
+             resp.sname := new_tkt.sname;
+             resp.realm := new_tkt.realm;
+
+             if (new_tkt.flags.RENEWABLE) then
+                     resp.renew-till := new_tkt.renew-till;
+             endif
+
+             encode body of reply into OCTET STRING;
+
+             if (req.padata.authenticator.subkey)
+                     resp.enc-part := encrypt OCTET STRING using use_etype,
+                             req.padata.authenticator.subkey;
+             else resp.enc-part := encrypt OCTET STRING using use_etype,
+tgt.key;
+
+             send(resp);
+
+     A.7. KRB_TGS_REP verification
+
+             decode response into resp;
+
+             if (resp.msg-type = KRB_ERROR) then
+                     process_error(resp);
+                     return;
+             endif
+
+             /* On error, discard the response, and zero the session key
+from
+             the response immediately */
+
+             if (req.padata.authenticator.subkey)
+                     unencrypted part of resp := decode of decrypt of
+resp.enc-part
+                             using resp.enc-part.etype and subkey;
+             else unencrypted part of resp := decode of decrypt of
+resp.enc-part
+                                     using resp.enc-part.etype and tgt's
+session key;
+             if (common_as_rep_tgs_rep_checks fail) then
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     destroy resp.key;
+                     return error;
+             endif
+
+             check authorization_data as necessary;
+             save_for_later(ticket,session,client,server,times,flags);
+
+     A.8. Authenticator generation
+
+             body.authenticator-vno := authenticator vno; /* = 5 */
+             body.cname, body.crealm := client name;
+             if (supplying checksum) then
+                     body.cksum := checksum;
+             endif
+             get system_time;
+             body.ctime, body.cusec := system_time;
+             if (selecting sub-session key) then
+                     select sub-session key;
+                     body.subkey := sub-session key;
+             endif
+             if (using sequence numbers) then
+                     select initial sequence number;
+                     body.seq-number := initial sequence;
+             endif
+
+     A.9. KRB_AP_REQ generation
+
+             obtain ticket and session_key from cache;
+
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_AP_REQ */
+
+             if (desired(MUTUAL_AUTHENTICATION)) then
+                     set packet.ap-options.MUTUAL-REQUIRED;
+             else
+                     reset packet.ap-options.MUTUAL-REQUIRED;
+             endif
+             if (using session key for ticket) then
+                     set packet.ap-options.USE-SESSION-KEY;
+             else
+                     reset packet.ap-options.USE-SESSION-KEY;
+             endif
+             packet.ticket := ticket; /* ticket */
+             generate authenticator;
+             encode authenticator into OCTET STRING;
+             encrypt OCTET STRING into packet.authenticator using
+session_key;
+
+     A.10. KRB_AP_REQ verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_AP_REQ) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             if (packet.ticket.tkt_vno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.ap_options.USE-SESSION-KEY is set) then
+                     retrieve session key from ticket-granting ticket for
+                      packet.ticket.{sname,srealm,enc-part.etype};
+             else
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     retrieve service key for
+
+packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+             endif
+             if (no_key_available) then
+                     if (cannot_find_specified_skvno) then
+                             error_out(KRB_AP_ERR_BADKEYVER);
+                     else
+                             error_out(KRB_AP_ERR_NOKEY);
+                     endif
+             endif
+             decrypt packet.ticket.enc-part into decr_ticket using retrieved
+key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             decrypt packet.authenticator into decr_authenticator
+                     using decr_ticket.key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if (decr_authenticator.{cname,crealm} !=
+                 decr_ticket.{cname,crealm}) then
+                     error_out(KRB_AP_ERR_BADMATCH);
+             endif
+             if (decr_ticket.caddr is present) then
+                     if (sender_address(packet) is not in decr_ticket.caddr)
+then
+                             error_out(KRB_AP_ERR_BADADDR);
+                     endif
+             elseif (application requires addresses) then
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (not in_clock_skew(decr_authenticator.ctime,
+                                   decr_authenticator.cusec)) then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+             if (repeated(decr_authenticator.{ctime,cusec,cname,crealm}))
+then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+             save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+             get system_time;
+             if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+                 (decr_ticket.flags.INVALID is set)) then
+                     /* it hasn't yet become valid */
+                     error_out(KRB_AP_ERR_TKT_NYV);
+             endif
+             if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                     error_out(KRB_AP_ERR_TKT_EXPIRED);
+             endif
+             if (decr_ticket.transited) then
+                 /* caller may ignore the TRANSITED-POLICY-CHECKED and do
+                  * check anyway */
+                 if (decr_ticket.flags.TRANSITED-POLICY-CHECKED not set)
+then
+                      if (check_transited_field(decr_ticket.transited) then
+                           error_out(KDC_AP_PATH_NOT_ACCPETED);
+                      endif
+                 endif
+             endif
+             /* caller must check decr_ticket.flags for any pertinent
+details */
+             return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+     A.11. KRB_AP_REP generation
+
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_AP_REP */
+
+             body.ctime := packet.ctime;
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+             body.cusec := packet.cusec;
+             if (selecting sub-session key) then
+                     select sub-session key;
+                     body.subkey := sub-session key;
+             endif
+             if (using sequence numbers) then
+                     select initial sequence number;
+                     body.seq-number := initial sequence;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part;
+
+     A.12. KRB_AP_REP verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_AP_REP) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             cleartext := decrypt(packet.enc-part) using ticket's session
+key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if (cleartext.ctime != authenticator.ctime) then
+                     error_out(KRB_AP_ERR_MUT_FAIL);
+             endif
+             if (cleartext.cusec != authenticator.cusec) then
+                     error_out(KRB_AP_ERR_MUT_FAIL);
+             endif
+             if (cleartext.subkey is present) then
+                     save cleartext.subkey for future use;
+             endif
+             if (cleartext.seq-number is present) then
+                     save cleartext.seq-number for future verifications;
+             endif
+             return(AUTHENTICATION_SUCCEEDED);
+
+     A.13. KRB_SAFE generation
+
+             collect user data in buffer;
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_SAFE */
+
+             body.user-data := buffer; /* DATA */
+             if (using timestamp) then
+                     get system_time;
+                     body.timestamp, body.usec := system_time;
+             endif
+             if (using sequence numbers) then
+                     body.seq-number := sequence number;
+             endif
+             body.s-address := sender host addresses;
+             if (only one recipient) then
+                     body.r-address := recipient host address;
+             endif
+             checksum.cksumtype := checksum type;
+             compute checksum over body;
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+             checksum.checksum := checksum value; /* checksum.checksum */
+             packet.cksum := checksum;
+             packet.safe-body := body;
+
+     A.14. KRB_SAFE verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_SAFE) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+             if (packet.checksum.cksumtype is not both collision-proof and
+keyed) then
+                     error_out(KRB_AP_ERR_INAPP_CKSUM);
+             endif
+             if (safe_priv_common_checks_ok(packet)) then
+                     set computed_checksum := checksum(packet.body);
+                     if (computed_checksum != packet.checksum) then
+                             error_out(KRB_AP_ERR_MODIFIED);
+                     endif
+                     return (packet, PACKET_IS_GENUINE);
+             else
+                     return common_checks_error;
+             endif
+
+     A.15. KRB_SAFE and KRB_PRIV common checks
+
+             if (packet.s-address != O/S_sender(packet)) then
+                     /* O/S report of sender not who claims to have sent it
+*/
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if ((packet.r-address is present) and
+                 (packet.r-address != local_host_address)) then
+                     /* was not sent to proper place */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (((packet.timestamp is present) and
+                  (not in_clock_skew(packet.timestamp,packet.usec))) or
+                 (packet.timestamp is not present and timestamp expected))
+then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+             if (repeated(packet.timestamp,packet.usec,packet.s-address))
+then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+
+             if (((packet.seq-number is present) and
+                  ((not in_sequence(packet.seq-number)))) or
+                 (packet.seq-number is not present and sequence expected))
+then
+                     error_out(KRB_AP_ERR_BADORDER);
+             endif
+             if (packet.timestamp not present and packet.seq-number not
+present) then
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+             save_identifier(packet.{timestamp,usec,s-address},
+                             sender_principal(packet));
+
+             return PACKET_IS_OK;
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     A.16. KRB_PRIV generation
+
+             collect user data in buffer;
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_PRIV */
+
+             packet.enc-part.etype := encryption type;
+
+             body.user-data := buffer;
+             if (using timestamp) then
+                     get system_time;
+                     body.timestamp, body.usec := system_time;
+             endif
+             if (using sequence numbers) then
+                     body.seq-number := sequence number;
+             endif
+             body.s-address := sender host addresses;
+             if (only one recipient) then
+                     body.r-address := recipient host address;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part.cipher;
+
+     A.17. KRB_PRIV verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_PRIV) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+
+             cleartext := decrypt(packet.enc-part) using negotiated key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+
+             if (safe_priv_common_checks_ok(cleartext)) then
+                     return(cleartext.DATA,
+PACKET_IS_GENUINE_AND_UNMODIFIED);
+             else
+                     return common_checks_error;
+             endif
+
+     A.18. KRB_CRED generation
+
+             invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_CRED */
+
+             for (tickets[n] in tickets to be forwarded) do
+                     packet.tickets[n] = tickets[n].ticket;
+             done
+
+             packet.enc-part.etype := encryption type;
+
+             for (ticket[n] in tickets to be forwarded) do
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                     body.ticket-info[n].key = tickets[n].session;
+                     body.ticket-info[n].prealm = tickets[n].crealm;
+                     body.ticket-info[n].pname = tickets[n].cname;
+                     body.ticket-info[n].flags = tickets[n].flags;
+                     body.ticket-info[n].authtime = tickets[n].authtime;
+                     body.ticket-info[n].starttime = tickets[n].starttime;
+                     body.ticket-info[n].endtime = tickets[n].endtime;
+                     body.ticket-info[n].renew-till = tickets[n].renew-till;
+                     body.ticket-info[n].srealm = tickets[n].srealm;
+                     body.ticket-info[n].sname = tickets[n].sname;
+                     body.ticket-info[n].caddr = tickets[n].caddr;
+             done
+
+             get system_time;
+             body.timestamp, body.usec := system_time;
+
+             if (using nonce) then
+                     body.nonce := nonce;
+             endif
+
+             if (using s-address) then
+                     body.s-address := sender host addresses;
+             endif
+             if (limited recipients) then
+                     body.r-address := recipient host address;
+             endif
+
+             encode body into OCTET STRING;
+
+             select encryption type;
+             encrypt OCTET STRING into packet.enc-part.cipher
+                    using negotiated encryption key;
+
+     A.19. KRB_CRED verification
+
+             receive packet;
+             if (packet.pvno != 5) then
+                     either process using other protocol spec
+                     or error_out(KRB_AP_ERR_BADVERSION);
+             endif
+             if (packet.msg-type != KRB_CRED) then
+                     error_out(KRB_AP_ERR_MSG_TYPE);
+             endif
+
+             cleartext := decrypt(packet.enc-part) using negotiated key;
+             if (decryption_error()) then
+                     error_out(KRB_AP_ERR_BAD_INTEGRITY);
+             endif
+             if ((packet.r-address is present or required) and
+                (packet.s-address != O/S_sender(packet)) then
+                     /* O/S report of sender not who claims to have sent it
+*/
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if ((packet.r-address is present) and
+                 (packet.r-address != local_host_address)) then
+                     /* was not sent to proper place */
+                     error_out(KRB_AP_ERR_BADADDR);
+             endif
+             if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                     error_out(KRB_AP_ERR_SKEW);
+             endif
+             if (repeated(packet.timestamp,packet.usec,packet.s-address))
+then
+                     error_out(KRB_AP_ERR_REPEAT);
+             endif
+             if (packet.nonce is required or present) and
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+                (packet.nonce != expected-nonce) then
+                     error_out(KRB_AP_ERR_MODIFIED);
+             endif
+
+             for (ticket[n] in tickets that were forwarded) do
+                     save_for_later(ticket[n],key[n],principal[n],
+                                    server[n],times[n],flags[n]);
+             return
+
+     A.20. KRB_ERROR generation
+
+             /* assemble packet: */
+             packet.pvno := protocol version; /* 5 */
+             packet.msg-type := message type; /* KRB_ERROR */
+
+             get system_time;
+             packet.stime, packet.susec := system_time;
+             packet.realm, packet.sname := server name;
+
+             if (client time available) then
+                     packet.ctime, packet.cusec := client_time;
+             endif
+             packet.error-code := error code;
+             if (client name available) then
+                     packet.cname, packet.crealm := client name;
+             endif
+             if (error text available) then
+                     packet.e-text := error text;
+             endif
+             if (error data available) then
+                     packet.e-data := error data;
+             endif
+
+     B. Definition of common authorization data elements
+
+     This appendix contains the definitions of common authorization data
+     elements. These common authorization data elements are recursivly
+     defined, meaning the ad-data for these types will itself contain a
+     sequence of authorization data whose interpretation is affected by the
+     encapsulating element. Depending on the meaning of the encapsulating
+     element, the encapsulated elements may be ignored, might be
+     interpreted as issued directly by the KDC, or they might be stored in
+     a separate plaintext part of the ticket. The types of the
+     encapsulating elements are specified as part of the Kerberos
+     specification because the behavior based on these values should be
+     understood across implementations whereas other elements need only be
+     understood by the applications which they affect.
+
+     In the definitions that follow, the value of the ad-type for the
+     element will be specified in the subsection number, and the value of
+     the ad-data will be as shown in the ASN.1 structure that follows the
+     subsection heading.
+
+     B.1. If relevant
+
+     AD-IF-RELEVANT   AuthorizationData
+
+     AD elements encapsulated within the if-relevant element are intended
+     for interpretation only by application servers that understand the
+     particular ad-type of the embedded element. Application servers that
+     do not understand the type of an element embedded within the
+     if-relevant element may ignore the uninterpretable element. This
+     element promotes interoperability across implementations which may
+     have local extensions for authorization.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     B.2. Intended for server
+
+     AD-INTENDED-FOR-SERVER   SEQUENCE {
+              intended-server[0]     SEQUENCE OF PrincipalName
+              elements[1]            AuthorizationData
+     }
+
+     AD elements encapsulated within the intended-for-server element may be
+     ignored if the application server is not in the list of principal
+     names of intended servers. Further, a KDC issuing a ticket for an
+     application server can remove this element if the application server
+     is not in the list of intended servers.
+
+     Application servers should check for their principal name in the
+     intended-server field of this element. If their principal name is not
+     found, this element should be ignored. If found, then the encapsulated
+     elements should be evaluated in the same manner as if they were
+     present in the top level authorization data field. Applications and
+     application servers that do not implement this element should reject
+     tickets that contain authorization data elements of this type.
+
+     B.3. Intended for application class
+
+     AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE {
+     intended-application-class[0] SEQUENCE OF GeneralString elements[1]
+     AuthorizationData } AD elements encapsulated within the
+     intended-for-application-class element may be ignored if the
+     application server is not in one of the named classes of application
+     servers. Examples of application server classes include "FILESYSTEM",
+     and other kinds of servers.
+
+     This element and the elements it encapulates may be safely ignored by
+     applications, application servers, and KDCs that do not implement this
+     element.
+
+     B.4. KDC Issued
+
+     AD-KDCIssued   SEQUENCE {
+                    ad-checksum[0]    Checksum,
+                     i-realm[1]       Realm OPTIONAL,
+                     i-sname[2]       PrincipalName OPTIONAL,
+                    elements[3]       AuthorizationData.
+     }
+
+     ad-checksum
+          A checksum over the elements field using a cryptographic checksum
+          method that is identical to the checksum used to protect the
+          ticket itself (i.e. using the same hash function and the same
+          encryption algorithm used to encrypt the ticket) and using a key
+          derived from the same key used to protect the ticket.
+     i-realm, i-sname
+          The name of the issuing principal if different from the KDC
+          itself. This field would be used when the KDC can verify the
+          authenticity of elements signed by the issuing principal and it
+          allows this KDC to notify the application server of the validity
+          of those elements.
+     elements
+          A sequence of authorization data elements issued by the KDC.
+     The KDC-issued ad-data field is intended to provide a means for
+     Kerberos principal credentials to embed within themselves privilege
+     attributes and other mechanisms for positive authorization, amplifying
+     the priveleges of the principal beyond what can be done using a
+     credentials without such an a-data element.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     This can not be provided without this element because the definition
+     of the authorization-data field allows elements to be added at will by
+     the bearer of a TGT at the time that they request service tickets and
+     elements may also be added to a delegated ticket by inclusion in the
+     authenticator.
+
+     For KDC-issued elements this is prevented because the elements are
+     signed by the KDC by including a checksum encrypted using the server's
+     key (the same key used to encrypt the ticket - or a key derived from
+     that key). Elements encapsulated with in the KDC-issued element will
+     be ignored by the application server if this "signature" is not
+     present. Further, elements encapsulated within this element from a
+     ticket granting ticket may be interpreted by the KDC, and used as a
+     basis according to policy for including new signed elements within
+     derivative tickets, but they will not be copied to a derivative ticket
+     directly. If they are copied directly to a derivative ticket by a KDC
+     that is not aware of this element, the signature will not be correct
+     for the application ticket elements, and the field will be ignored by
+     the application server.
+
+     This element and the elements it encapulates may be safely ignored by
+     applications, application servers, and KDCs that do not implement this
+     element.
+
+     B.5. And-Or
+
+     AD-AND-OR           SEQUENCE {
+                             condition-count[0]    INTEGER,
+                             elements[1]           AuthorizationData
+     }
+
+     When restrictive AD elements encapsulated within the and-or element
+     are encountered, only the number specified in condition-count of the
+     encapsulated conditions must be met in order to satisfy this element.
+     This element may be used to implement an "or" operation by setting the
+     condition-count field to 1, and it may specify an "and" operation by
+     setting the condition count to the number of embedded elements.
+     Application servers that do not implement this element must reject
+     tickets that contain authorization data elements of this type.
+
+     B.6. Mandatory ticket extensions
+
+     AD-Mandatory-Ticket-Extensions           SEQUENCE {
+                             te-type[0]       INTEGER,
+                             te-checksum[0]    Checksum
+     }
+
+     An authorization data element of type mandatory-ticket-extensions
+     specifies the type and a collision-proof checksum using the same hash
+     algorithm used to protect the integrity of the ticket itself. This
+     checksum will be calculated over an individual extension field of the
+     type indicated. If there are more than one extension, multiple
+     Mandatory-Ticket-Extensions authorization data elements may be
+     present, each with a checksum for a different extension field. This
+     restriction indicates that the ticket should not be accepted if a
+     ticket extension is not present in the ticket for which the type and
+     checksum do not match that checksum specified in the authorization
+     data element. Note that although the type is redundant for the
+     purposes of the comparison, it makes the comparison easier when
+     multiple extensions are present. Application servers that do not
+     implement this element must reject tickets that contain authorization
+     data elements of this type.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     B.7. Authorization Data in ticket extensions
+
+     AD-IN-Ticket-Extensions   Checksum
+
+     An authorization data element of type in-ticket-extensions specifies a
+     collision-proof checksum using the same hash algorithm used to protect
+     the integrity of the ticket itself. This checksum is calculated over a
+     separate external AuthorizationData field carried in the ticket
+     extensions. Application servers that do not implement this element
+     must reject tickets that contain authorization data elements of this
+     type. Application servers that do implement this element will search
+     the ticket extensions for authorization data fields, calculate the
+     specified checksum over each authorization data field and look for one
+     matching the checksum in this in-ticket-extensions element. If not
+     found, then the ticket must be rejected. If found, the corresponding
+     authorization data elements will be interpreted in the same manner as
+     if they were contained in the top level authorization data field.
+
+     Note that if multiple external authorization data fields are present
+     in a ticket, each will have a corresponding element of type
+     in-ticket-extensions in the top level authorization data field, and
+     the external entries will be linked to the corresponding element by
+     their checksums.
+
+     C. Definition of common ticket extensions
+
+     This appendix contains the definitions of common ticket extensions.
+     Support for these extensions is optional. However, certain extensions
+     have associated authorization data elements that may require rejection
+     of a ticket containing an extension by application servers that do not
+     implement the particular extension. Other extensions have been defined
+     beyond those described in this specification. Such extensions are
+     described elswhere and for some of those extensions the reserved
+     number may be found in the list of constants.
+
+     It is known that older versions of Kerberos did not support this
+     field, and that some clients will strip this field from a ticket when
+     they parse and then reassemble a ticket as it is passed to the
+     application servers. The presence of the extension will not break such
+     clients, but any functionaly dependent on the extensions will not work
+     when such tickets are handled by old clients. In such situations, some
+     implementation may use alternate methods to transmit the information
+     in the extensions field.
+
+     C.1. Null ticket extension
+
+     TE-NullExtension   OctetString -- The empty Octet String
+
+     The te-data field in the null ticket extension is an octet string of
+     lenght zero. This extension may be included in a ticket granting
+     ticket so that the KDC can determine on presentation of the ticket
+     granting ticket whether the client software will strip the extensions
+     field.
+
+     C.2. External Authorization Data
+
+     TE-ExternalAuthorizationData   AuthorizationData
+
+     The te-data field in the external authorization data ticket extension
+     is field of type AuthorizationData containing one or more
+     authorization data elements. If present, a corresponding authorization
+     data element will be present in the primary authorization data for the
+     ticket and that element will contain a checksum of the external
+     authorization data ticket extension.
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     ----------------------------------------------------------------------
+     [TM] Project Athena, Athena, and Kerberos are trademarks of the
+     Massachusetts Institute of Technology (MIT). No commercial use of
+     these trademarks may be made without prior written permission of MIT.
+
+     [1] Note, however, that many applications use Kerberos' functions only
+     upon the initiation of a stream-based network connection. Unless an
+     application subsequently provides integrity protection for the data
+     stream, the identity verification applies only to the initiation of
+     the connection, and does not guarantee that subsequent messages on the
+     connection originate from the same principal.
+
+     [2] Secret and private are often used interchangeably in the
+     literature. In our usage, it takes two (or more) to share a secret,
+     thus a shared DES key is a secret key. Something is only private when
+     no one but its owner knows it. Thus, in public key cryptosystems, one
+     has a public and a private key.
+
+     [3] Of course, with appropriate permission the client could arrange
+     registration of a separately-named prin- cipal in a remote realm, and
+     engage in normal exchanges with that realm's services. However, for
+     even small numbers of clients this becomes cumbersome, and more
+     automatic methods as described here are necessary.
+
+     [4] Though it is permissible to request or issue tick- ets with no
+     network addresses specified.
+
+     [5] The password-changing request must not be honored unless the
+     requester can provide the old password (the user's current secret
+     key). Otherwise, it would be possible for someone to walk up to an
+     unattended ses- sion and change another user's password.
+
+     [6] To authenticate a user logging on to a local system, the
+     credentials obtained in the AS exchange may first be used in a TGS
+     exchange to obtain credentials for a local server. Those credentials
+     must then be verified by a local server through successful completion
+     of the Client/Server exchange.
+
+     [7] "Random" means that, among other things, it should be impossible
+     to guess the next session key based on knowledge of past session keys.
+     This can only be achieved in a pseudo-random number generator if it is
+     based on cryptographic principles. It is more desirable to use a truly
+     random number generator, such as one based on measurements of random
+     physical phenomena.
+
+     [8] Tickets contain both an encrypted and unencrypted portion, so
+     cleartext here refers to the entire unit, which can be copied from one
+     message and replayed in another without any cryptographic skill.
+
+     [9] Note that this can make applications based on unreliable
+     transports difficult to code correctly. If the transport might deliver
+     duplicated messages, either a new authenticator must be generated for
+     each retry, or the application server must match requests and replies
+     and replay the first reply in response to a detected duplicate.
+
+     [10] This is used for user-to-user authentication as described in [8].
+
+     [11] Note that the rejection here is restricted to authenticators from
+     the same principal to the same server. Other client principals
+     communicating with the same server principal should not be have their
+     authenticators rejected if the time and microsecond fields happen to
+     match some other client's authenticator.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     [12] In the Kerberos version 4 protocol, the timestamp in the reply
+     was the client's timestamp plus one. This is not necessary in version
+     5 because version 5 messages are formatted in such a way that it is
+     not possible to create the reply by judicious message surgery (even in
+     encrypted form) without knowledge of the appropriate encryption keys.
+
+     [13] Note that for encrypting the KRB_AP_REP message, the sub-session
+     key is not used, even if present in the Authenticator.
+
+     [14] Implementations of the protocol may wish to provide routines to
+     choose subkeys based on session keys and random numbers and to
+     generate a negotiated key to be returned in the KRB_AP_REP message.
+
+     [15]This can be accomplished in several ways. It might be known
+     beforehand (since the realm is part of the principal identifier), it
+     might be stored in a nameserver, or it might be obtained from a
+     configura- tion file. If the realm to be used is obtained from a
+     nameserver, there is a danger of being spoofed if the nameservice
+     providing the realm name is not authenti- cated. This might result in
+     the use of a realm which has been compromised, and would result in an
+     attacker's ability to compromise the authentication of the application
+     server to the client.
+
+     [16] If the client selects a sub-session key, care must be taken to
+     ensure the randomness of the selected sub- session key. One approach
+     would be to generate a random number and XOR it with the session key
+     from the ticket-granting ticket.
+
+     [17] This allows easy implementation of user-to-user authentication
+     [8], which uses ticket-granting ticket session keys in lieu of secret
+     server keys in situa- tions where such secret keys could be easily
+     comprom- ised.
+
+     [18] For the purpose of appending, the realm preceding the first
+     listed realm is considered to be the null realm ("").
+
+     [19] For the purpose of interpreting null subfields, the client's
+     realm is considered to precede those in the transited field, and the
+     server's realm is considered to follow them.
+
+     [20] This means that a client and server running on the same host and
+     communicating with one another using the KRB_SAFE messages should not
+     share a common replay cache to detect KRB_SAFE replays.
+
+     [21] The implementation of the Kerberos server need not combine the
+     database and the server on the same machine; it is feasible to store
+     the principal database in, say, a network name service, as long as the
+     entries stored therein are protected from disclosure to and
+     modification by unauthorized parties. However, we recommend against
+     such strategies, as they can make system management and threat
+     analysis quite complex.
+
+     [22] See the discussion of the padata field in section 5.4.2 for
+     details on why this can be useful.
+
+     [23] Warning for implementations that unpack and repack data
+     structures during the generation and verification of embedded
+     checksums: Because any checksums applied to data structures must be
+     checked against the original data the length of bit strings must be
+     preserved within a data structure between the time that a checksum is
+     generated through transmission to the time that the checksum is
+     verified.
+
+
+Neuman, Ts'o, Kohl                                   Expires: 14 January
+2001
+
+^L
+
+INTERNET-DRAFT    draft-ietf-cat-kerberos-revisions-06          July 14,
+2000
+
+     [24] It is NOT recommended that this time value be used to adjust the
+     workstation's clock since the workstation cannot reliably determine
+     that such a KRB_AS_REP actually came from the proper KDC in a timely
+     manner.
+
+     [25] Note, however, that if the time is used as the nonce, one must
+     make sure that the workstation time is monotonically increasing. If
+     the time is ever reset backwards, there is a small, but finite,
+     probability that a nonce will be reused.
+
+     [27] An application code in the encrypted part of a message provides
+     an additional check that the message was decrypted properly.
+
+     [29] An application code in the encrypted part of a message provides
+     an additional check that the message was decrypted properly.
+
+     [31] An application code in the encrypted part of a message provides
+     an additional check that the message was decrypted properly.
+
+     [32] If supported by the encryption method in use, an initialization
+     vector may be passed to the encryption procedure, in order to achieve
+     proper cipher chaining. The initialization vector might come from the
+     last block of the ciphertext from the previous KRB_PRIV message, but
+     it is the application's choice whether or not to use such an
+     initialization vector. If left out, the default initialization vector
+     for the encryption algorithm will be used.
+
+     [33] This prevents an attacker who generates an incorrect AS request
+     from obtaining verifiable plaintext for use in an off-line password
+     guessing attack.
+
+     [35] In the above specification, UNTAGGED OCTET STRING(length) is the
+     notation for an octet string with its tag and length removed. It is
+     not a valid ASN.1 type. The tag bits and length must be removed from
+     the confounder since the purpose of the confounder is so that the
+     message starts with random data, but the tag and its length are fixed.
+     For other fields, the length and tag would be redundant if they were
+     included because they are specified by the encryption type. [36] The
+     ordering of the fields in the CipherText is important. Additionally,
+     messages encoded in this format must include a length as part of the
+     msg-seq field. This allows the recipient to verify that the message
+     has not been truncated. Without a length, an attacker could use a
+     chosen plaintext attack to generate a message which could be
+     truncated, while leaving the checksum intact. Note that if the msg-seq
+     is an encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length
+     is part of that encoding.
+
+     [37] In some cases, it may be necessary to use a different "mix-in"
+     string for compatibility reasons; see the discussion of padata in
+     section 5.4.2.
+
+     [38] In some cases, it may be necessary to use a different "mix-in"
+     string for compatibility reasons; see the discussion of padata in
+     section 5.4.2.
+
+     [39] A variant of the key is used to limit the use of a key to a
+     particular function, separating the functions of generating a checksum
+     from other encryption performed using the session key. The constant
+     F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The
+     properties of DES precluded the use of the complement. The same
+     constant is used for similar purpose in the Message Integrity Check in
+     the Privacy Enhanced Mail standard.
+
+     [40] This error carries additional information in the e- data field.
+     The contents of the e-data field for this message is described in
+     section 5.9.1.
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt
new file mode 100644
index 0000000..6f7dae0d
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt
@@ -0,0 +1,325 @@
+
+INTERNET-DRAFT                                        Mike Swift 
+draft-ietf-cat-kerberos-set-passwd-02.txt             Microsoft
+March 2000                                            Jonathan Trostle
+                                                      Cisco Systems
+                                                      John Brezak
+                                                      Microsoft
+                                                      Bill Gossman
+                                                      Cybersafe
+
+              Kerberos Set/Change Password: Version 2
+
+
+0. Status Of This Memo
+
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1]. 
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as 
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other
+   documents at any time.  It is inappropriate to use Internet-
+   Drafts as reference material or to cite them other than as
+   "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Comments and suggestions on this document are encouraged.  Comments 
+   on this document should be sent to the CAT working group discussion 
+   list:
+                       ietf-cat-wg@stanford.edu
+
+1. Abstract
+
+   The Kerberos (RFC 1510 [3]) change password protocol (Horowitz [4]), 
+   does not allow for an administrator to set a password for a new user. 
+   This functionality is useful in some environments, and this proposal 
+   extends [4] to allow password setting. The changes are: adding new 
+   fields to the request message to indicate the principal which is 
+   having its password set, not requiring the initial flag in the service 
+   ticket, using a new protocol version number, and adding three new 
+   result codes. We also extend the set/change protocol to allow a 
+   client to send a sequence of keys to the KDC instead of a cleartext 
+   password. If in the cleartext password case, the cleartext password 
+   fails to satisfy password policy, the server should use the result    
+   code KRB5_KPASSWD_POLICY_REJECT.
+
+2. Conventions used in this document 
+    
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+   
+3. The Protocol
+
+   The service must accept requests on UDP port 464 and TCP port 464 as 
+   well. The protocol consists of a single request message followed by 
+   a single reply message.  For UDP transport, each message must be fully 
+   contained in a single UDP packet.
+
+   For TCP transport, there is a 4 octet header in network byte order
+   precedes the message and specifies the length of the message. This
+   requirement is consistent with the TCP transport header in 1510bis.
+
+Request Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REQ length        |         AP-REQ data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                        KRB-PRIV message                       /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   All 16 bit fields are in network byte order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0x0002 (network
+   byte order).
+
+   AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REQ data: (see [3]) The AP-REQ message must be for the service 
+   principal kadmin/changepw@REALM, where REALM is the REALM of the user 
+   who wishes to change/set his password.  The ticket in the AP-REQ must 
+   must include a subkey in the Authenticator. To enable setting of 
+   passwords/keys, it is not required that the initial flag be set in the 
+   Kerberos service ticket. The initial flag is required for change requests,
+   but not for set password requests. We have the following definitions:
+
+                    old passwd   initial flag  target principal can be
+                    in request?  required?     distinct from 
+                                               authenticating principal?
+                                              
+   change password:  yes         yes           no
+
+   set password:     no          no            yes
+
+   set key:          no          policy        yes
+                                 determined
+
+   KRB-PRIV message (see [3]) This KRB-PRIV message must be generated 
+   using the subkey from the authenticator in the AP-REQ data. 
+
+   The user-data component of the message consists of the following ASN.1 
+   structure encoded as an OCTET STRING:
+
+   ChangePasswdData :: =  SEQUENCE {
+                       newpasswdorkeys[0]   NewPasswdOrKeys,
+                       targname[1]          PrincipalName OPTIONAL,
+                         -- only present in set password: the principal
+                         -- which will have its password set
+                       targrealm[2]         Realm OPTIONAL, 
+                         -- only present in set password: the realm for 
+                         -- the principal which will have its password set
+
+                       }
+
+   NewPasswdOrKeys :: = CHOICE {
+                       passwords[0]  PasswordSequence,       
+                       keyseq[1]     KeySequences
+   }
+                         
+   KeySequences :: = SEQUENCE OF KeySequence
+
+   KeySequence :: = SEQUENCE {
+                       key[0]        EncryptionKey,
+                       salt[1]       OCTET STRING OPTIONAL,
+                       salt-type[2]  INTEGER OPTIONAL
+   }
+
+   PasswordSequence :: = SEQUENCE {
+                       newpasswd[0]  OCTET STRING,
+                       oldpasswd[1]  OCTET STRING OPTIONAL
+                         -- oldpasswd always present for change password
+                         -- but not present for set password 
+   }
+
+   The server must verify the AP-REQ message, check whether the client 
+   principal in the ticket is authorized to set or change the password 
+   (either for that principal, or for the principal in the targname 
+   field if present), and decrypt the new password/keys. The server 
+   also checks whether the initial flag is required for this request, 
+   replying with status 0x0007 if it is not set and should be. An 
+   authorization failure is cause to respond with status 0x0005. For 
+   forward compatibility, the server should be prepared to ignore fields 
+   after targrealm in the structure that it does not understand. 
+
+   The newpasswdorkeys field contains either the new cleartext password 
+   (with the old cleartext password for a change password operation), 
+   or a sequence of encryption keys with their respective salts. 
+
+   In the cleartext password case, if the old password is sent in the
+   request, the request is defined to be a change password request. If
+   the old password is not present in the request, the request is a set
+   password request. The server should apply policy checks to the old 
+   and new password after verifying that the old password is valid. 
+   The server can check validity by obtaining a key from the old 
+   password with a keytype that is present in the KDC database for the 
+   user and comparing the keys for equality. The server then generates 
+   the appropriate keytypes from the password and stores them in the KDC 
+
+   database. If all goes well, status 0x0000 is returned to the client 
+   in the reply message (see below). For a change password operation,
+   the initial flag in the service ticket MUST be set. 
+
+   In the key sequence case, the sequence of keys is sent to the set
+   password service. For a principal that can act as a server, its 
+   preferred keytype should be sent as the first key in the sequence, 
+   but the KDC is not required to honor this preference. Application 
+   servers should use the key sequence option for changing/setting their 
+   keys. The set password service should check that all keys are in the
+   proper format, returning the KRB5_KPASSWD_MALFORMED error otherwise. 
+
+Reply Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REP length        |         AP-REP data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                          KRB-PRIV message                     /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+   All 16 bit fields are in network byte order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0x0002 (network
+   byte order). (The reply message has the same format as in [4]).
+
+   AP-REP length: length of AP-REP data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REP data: the AP-REP is the response to the AP-REQ in the request 
+   packet.
+   
+   KRB-PRIV from [4]: This KRB-PRIV message must be generated using the 
+   subkey in the authenticator in the AP-REQ data.
+
+   The server will respond with a KRB-PRIV message unless it cannot
+   validate the client AP-REQ or KRB-PRIV message, in which case it will
+   respond with a KRB-ERROR message. NOTE: Unlike change password version
+   1, the KRB-ERROR message will be sent back without any encapsulation. 
+
+   The user-data component of the KRB-PRIV message, or e-data component 
+   of the KRB-ERROR message, must consist of the following data.
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          result code          |        result string          /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                             edata                             /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+      result code (16 bits) (result codes 0-4 are from [4]):
+         The result code must have one of the following values (network
+         byte order):
+         KRB5_KPASSWD_SUCCESS      0 request succeeds (This value is not 
+                                     allowed in a KRB-ERROR message)
+         KRB5_KPASSWD_MALFORMED    1 request fails due to being malformed
+         KRB5_KPASSWD_HARDERROR    2 request fails due to "hard" error in
+                                     processing the request (for example, 
+                                     there is a resource or other problem 
+                                     causing the request to fail)
+         KRB5_KPASSWD_AUTHERROR    3 request fails due to an error in 
+                                     authentication processing
+         KRB5_KPASSWD_SOFTERROR    4 request fails due to a soft error 
+                                     in processing the request 
+         KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized
+         KRB5_KPASSWD_BAD_VERSION  6 protocol version unsupported
+         KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required
+         KRB5_KPASSWD_POLICY_REJECT 8 new cleartext password fails policy;
+         the result string should include a text message to be presented
+         to the user.
+         KRB5_KPASSWD_BAD_PRINCIPAL 9 target principal does not exist
+         (only in response to a set password request).
+         KRB5_KPASSWD_ETYPE_NOSUPP 10 the request contains a key sequence
+         containing at least one etype that is not supported by the KDC.
+         The response edata contains an ASN.1 encoded PKERB-ETYPE-INFO 
+         type that specifies the etypes that the KDC supports:
+         
+         KERB-ETYPE-INFO-ENTRY :: = SEQUENCE {
+                encryption-type[0]  INTEGER,
+                salt[1]             OCTET STRING OPTIONAL -- not sent
+         }
+
+         PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY
+
+         The client should retry the request using only etypes (keytypes)
+         that are contained within the PKERB-ETYPE-INFO structure in the
+         previous response. 
+         0xFFFF if the request fails for some other reason.
+         The client must interpret any non-zero result code as a failure.
+      result string - from [4]:
+         This field is a UTF-8 encoded string which should be displayed
+         to the user by the client. Specific reasons for a password 
+         set/change policy failure is one use for this string. 
+      edata: used to convey additional information as defined by the 
+         result code. 
+
+4. References
+
+   [1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+       9, RFC 2026, October 1996. 
+    
+   [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+       Levels", BCP 14, RFC 2119, March 1997 
+ 
+   [3] J. Kohl, C. Neuman. The Kerberos Network Authentication
+       Service (V5), Request for Comments 1510.
+
+   [4] M. Horowitz. Kerberos Change Password Protocol,
+       ftp://ds.internic.net/internet-drafts/
+       draft-ietf-cat-kerb-chg-password-02.txt
+
+5. Expiration Date
+
+   This draft expires in September 2000.
+
+6. Authors' Addresses
+
+   Jonathan Trostle
+   Cisco Systems
+   170 W. Tasman Dr.
+   San Jose, CA 95134
+   Email: jtrostle@cisco.com
+
+   Mike Swift 
+   1 Microsoft Way
+   Redmond, WA 98052
+   Email: mikesw@microsoft.com
+
+   John Brezak
+   1 Microsoft Way
+   Redmond, WA 98052
+   Email: jbrezak@microsoft.com
+
+   Bill Gossman
+   Cybersafe Corporation
+   1605 NW Sammamish Rd.
+   Issaquah, WA 98027-5378
+   Email: bill.gossman@cybersafe.com
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt
new file mode 100644
index 0000000..0319f8b
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-03.txt
@@ -0,0 +1,345 @@
+
+INTERNET-DRAFT                                        Mike Swift 
+draft-ietf-cat-kerberos-set-passwd-03.txt             Microsoft
+April 2000                                            Jonathan Trostle
+                                                      Cisco Systems
+                                                      John Brezak
+                                                      Microsoft
+                                                      Bill Gossman
+                                                      Cybersafe
+
+              Kerberos Set/Change Password: Version 2
+
+
+0. Status Of This Memo
+
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1]. 
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as 
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other
+   documents at any time.  It is inappropriate to use Internet-
+   Drafts as reference material or to cite them other than as
+   "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Comments and suggestions on this document are encouraged.  Comments 
+   on this document should be sent to the CAT working group discussion 
+   list:
+                       ietf-cat-wg@stanford.edu
+
+1. Abstract
+
+   The Kerberos (RFC 1510 [3]) change password protocol (Horowitz [4]), 
+   does not allow for an administrator to set a password for a new user. 
+   This functionality is useful in some environments, and this proposal 
+   extends [4] to allow password setting. The changes are: adding new 
+   fields to the request message to indicate the principal which is 
+   having its password set, not requiring the initial flag in the service 
+   ticket, using a new protocol version number, and adding three new 
+   result codes. We also extend the set/change protocol to allow a 
+   client to send a sequence of keys to the KDC instead of a cleartext 
+   password. If in the cleartext password case, the cleartext password 
+   fails to satisfy password policy, the server should use the result    
+   code KRB5_KPASSWD_POLICY_REJECT.
+
+2. Conventions used in this document 
+    
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+   
+3. The Protocol
+
+   The service must accept requests on UDP port 464 and TCP port 464 as 
+   well. The protocol consists of a single request message followed by 
+   a single reply message.  For UDP transport, each message must be fully 
+   contained in a single UDP packet.
+
+   For TCP transport, there is a 4 octet header in network byte order
+   precedes the message and specifies the length of the message. This
+   requirement is consistent with the TCP transport header in 1510bis.
+
+Request Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REQ length        |         AP-REQ data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                        KRB-PRIV message                       /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   All 16 bit fields are in network byte order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0x0002 (network
+   byte order).
+
+   AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REQ data: (see [3]) For a change password/key request, the AP-REQ 
+   message service ticket sname, srealm principal identifier is 
+   kadmin/changepw@REALM where REALM is the realm of the change password 
+   service. The same applies to a set password/key request except the 
+   principal identifier is kadmin/setpw@REALM. The ticket in the AP-REQ 
+   must include a subkey in the Authenticator. To enable setting of 
+   passwords/keys, it is not required that the initial flag be set in the 
+   Kerberos service ticket. The initial flag is required for change requests,
+   but not for set requests. We have the following definitions:
+
+                    old passwd   initial flag  target principal can be
+                    in request?  required?     distinct from 
+                                               authenticating principal?
+                                              
+   change password:  yes         yes           no
+
+   set password:     no          policy (*)    yes
+
+   set key:          no          policy (*)    yes
+                                 
+   change key:       no          yes           no
+
+   policy (*): implementations SHOULD allow administrators to set the
+   initial flag required for set requests policy to either yes or no.
+   Clients MUST be able to retry set requests that fail due to error 7
+   (initial flag required) with an initial ticket. Clients SHOULD NOT
+   cache service tickets targetted at kadmin/changepw.
+
+   KRB-PRIV message (see [3]) This KRB-PRIV message must be generated 
+   using the subkey from the authenticator in the AP-REQ data. 
+
+   The user-data component of the message consists of the following ASN.1 
+   structure encoded as an OCTET STRING:
+
+   ChangePasswdData :: =  SEQUENCE {
+                       newpasswdorkeys[0]   NewPasswdOrKeys,
+                       targname[1]          PrincipalName OPTIONAL,
+                         -- only present in set password/key: the principal
+                         -- which will have its password or keys set. Not
+                         -- present in a set request if the client principal
+                         -- from the ticket is the principal having its 
+                         -- passwords or keys set.
+                       targrealm[2]         Realm OPTIONAL, 
+                         -- only present in set password/key: the realm for 
+                         -- the principal which will have its password or
+                         -- keys set. Not present in a set request if the 
+                         -- client principal from the ticket is the principal 
+                         -- having its passwords or keys set.
+                       }
+
+   NewPasswdOrKeys :: = CHOICE {
+                       passwords[0]  PasswordSequence,  -- change/set passwd   
+                       keyseq[1]     KeySequences       -- change/set key
+   }
+                         
+   KeySequences :: = SEQUENCE OF KeySequence
+
+   KeySequence :: = SEQUENCE {
+                       key[0]        EncryptionKey,
+                       salt[1]       OCTET STRING OPTIONAL,
+                       salt-type[2]  INTEGER OPTIONAL
+   }
+
+   PasswordSequence :: = SEQUENCE {
+                       newpasswd[0]  OCTET STRING,
+                       oldpasswd[1]  OCTET STRING OPTIONAL
+                         -- oldpasswd always present for change password
+                         -- but not present for set password, set key, or
+                         -- change key
+   }
+
+   The server must verify the AP-REQ message, check whether the client 
+   principal in the ticket is authorized to set or change the password 
+   (either for that principal, or for the principal in the targname 
+   field if present), and decrypt the new password/keys. The server 
+   also checks whether the initial flag is required for this request, 
+   replying with status 0x0007 if it is not set and should be. An 
+   authorization failure is cause to respond with status 0x0005. For 
+   forward compatibility, the server should be prepared to ignore fields 
+   after targrealm in the structure that it does not understand. 
+
+   The newpasswdorkeys field contains either the new cleartext password 
+   (with the old cleartext password for a change password operation), 
+   or a sequence of encryption keys with their respective salts. 
+
+   In the cleartext password case, if the old password is sent in the
+   request, the request MUST be a change password request. If the old 
+   password is not present in the request, the request MUST be a set
+   password request. The server should apply policy checks to the old 
+   and new password after verifying that the old password is valid. 
+   The server can check validity by obtaining a key from the old 
+   password with a keytype that is present in the KDC database for the 
+   user and comparing the keys for equality. The server then generates 
+   the appropriate keytypes from the password and stores them in the KDC 
+   database. If all goes well, status 0x0000 is returned to the client 
+   in the reply message (see below). For a change password operation,
+   the initial flag in the service ticket MUST be set. 
+
+   In the key sequence case, the sequence of keys is sent to the change
+   or set password service (kadmin/changepw or kadmin/setpw respectively). 
+   For a principal that can act as a server, its preferred keytype should 
+   be sent as the first key in the sequence, but the KDC is not required 
+   to honor this preference. Application servers should use the key 
+   sequence option for changing/setting their keys. The change/set password 
+   services should check that all keys are in the proper format, returning 
+   the KRB5_KPASSWD_MALFORMED error otherwise. 
+
+Reply Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REP length        |         AP-REP data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                          KRB-PRIV message                     /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+   All 16 bit fields are in network byte order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0x0002 (network
+   byte order). (The reply message has the same format as in [4]).
+
+   AP-REP length: length of AP-REP data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REP data: the AP-REP is the response to the AP-REQ in the request 
+   packet.
+   
+   KRB-PRIV from [4]: This KRB-PRIV message must be generated using the 
+   subkey in the authenticator in the AP-REQ data.
+
+   The server will respond with a KRB-PRIV message unless it cannot
+   validate the client AP-REQ or KRB-PRIV message, in which case it will
+   respond with a KRB-ERROR message. NOTE: Unlike change password version
+   1, the KRB-ERROR message will be sent back without any encapsulation. 
+
+   The user-data component of the KRB-PRIV message, or e-data component 
+   of the KRB-ERROR message, must consist of the following data.
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          result code          |        result string          /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                             edata                             /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+      result code (16 bits) (result codes 0-4 are from [4]):
+         The result code must have one of the following values (network
+         byte order):
+         KRB5_KPASSWD_SUCCESS      0 request succeeds (This value is not 
+                                     allowed in a KRB-ERROR message)
+         KRB5_KPASSWD_MALFORMED    1 request fails due to being malformed
+         KRB5_KPASSWD_HARDERROR    2 request fails due to "hard" error in
+                                     processing the request (for example, 
+                                     there is a resource or other problem 
+                                     causing the request to fail)
+         KRB5_KPASSWD_AUTHERROR    3 request fails due to an error in 
+                                     authentication processing
+         KRB5_KPASSWD_SOFTERROR    4 request fails due to a soft error 
+                                     in processing the request 
+         KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized
+         KRB5_KPASSWD_BAD_VERSION  6 protocol version unsupported
+         KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required
+         KRB5_KPASSWD_POLICY_REJECT 8 new cleartext password fails policy;
+         the result string should include a text message to be presented
+         to the user.
+         KRB5_KPASSWD_BAD_PRINCIPAL 9 target principal does not exist
+         (only in response to a set password request).
+         KRB5_KPASSWD_ETYPE_NOSUPP 10 the request contains a key sequence
+         containing at least one etype that is not supported by the KDC.
+         The response edata contains an ASN.1 encoded PKERB-ETYPE-INFO 
+         type that specifies the etypes that the KDC supports:
+         
+         KERB-ETYPE-INFO-ENTRY :: = SEQUENCE {
+                encryption-type[0]  INTEGER,
+                salt[1]             OCTET STRING OPTIONAL -- not sent
+         }
+
+         PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY
+
+         The client should retry the request using only etypes (keytypes)
+         that are contained within the PKERB-ETYPE-INFO structure in the
+         previous response. 
+         0xFFFF if the request fails for some other reason.
+         The client must interpret any non-zero result code as a failure.
+      result string - from [4]:
+         This field is a UTF-8 encoded string which should be displayed
+         to the user by the client. Specific reasons for a password 
+
+         set/change policy failure is one use for this string. 
+      edata: used to convey additional information as defined by the 
+         result code. 
+
+4. Acknowledgements
+  
+   The authors thank Tony Andrea for his input to the document.
+
+5. References
+
+   [1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+       9, RFC 2026, October 1996. 
+    
+   [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+       Levels", BCP 14, RFC 2119, March 1997 
+ 
+   [3] J. Kohl, C. Neuman. The Kerberos Network Authentication
+       Service (V5), Request for Comments 1510.
+
+   [4] M. Horowitz. Kerberos Change Password Protocol,
+       ftp://ds.internic.net/internet-drafts/
+       draft-ietf-cat-kerb-chg-password-02.txt
+
+6. Expiration Date
+
+   This draft expires in October 2000.
+
+7. Authors' Addresses
+
+   Jonathan Trostle
+   Cisco Systems
+   170 W. Tasman Dr.
+   San Jose, CA 95134
+   Email: jtrostle@cisco.com
+
+   Mike Swift 
+   1 Microsoft Way
+   Redmond, WA 98052
+   Email: mikesw@microsoft.com
+
+   John Brezak
+   1 Microsoft Way
+   Redmond, WA 98052
+   Email: jbrezak@microsoft.com
+
+   Bill Gossman
+   Cybersafe Corporation
+   1605 NW Sammamish Rd.
+   Issaquah, WA 98027-5378
+   Email: bill.gossman@cybersafe.com
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt
new file mode 100644
index 0000000..e76a0e4
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt
@@ -0,0 +1,250 @@
+INTERNET-DRAFT                                             Ken Hornstein
+<draft-ietf-cat-krb-dns-locate-00.txt>                               NRL
+June 21, 1999                                             Jeffrey Altman
+Expires: December 21, 1999                           Columbia University
+
+          Distributing Kerberos KDC and Realm Information with DNS
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Distribution of this memo is unlimited.  It is filed as <draft-ietf-
+   cat-krb-dns-locate-00.txt>, and expires on December 21, 1999.  Please
+   send comments to the authors.
+
+Abstract
+
+   Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto-
+   col [RFC????] describe any mechanism for clients to learn critical
+   configuration information necessary for proper operation of the pro-
+   tocol.  Such information includes the location of Kerberos key dis-
+   tribution centers or a mapping between DNS domains and Kerberos
+   realms.
+
+   Current Kerberos implementations generally store such configuration
+   information in a file on each client machine.  Experience has shown
+   this method of storing configuration information presents problems
+   with out-of-date information and scaling problems, especially when
+
+Hornstein, Altman                                               [Page 1]
+
+RFC DRAFT                                                  June 21, 1999
+
+   using cross-realm authentication.
+
+   This memo describes a method for using the Domain Name System
+   [RFC1035] for storing such configuration information.  Specifically,
+   methods for storing KDC location and hostname/domain name to realm
+   mapping information are discussed.
+
+Overview - KDC location information
+
+   KDC location information is to be stored using the DNS SRV RR [RFC
+   2052].  The format of this RR is as follows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for Kerberos is always "_kerberos".
+
+   The Proto can be either "_udp" or "_tcp".  If these records are to be
+   used, a "_udp" record MUST be included.  If the Kerberos implementa-
+   tion supports TCP transport, a "_tcp" record SHOULD be included.
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
+   meaning as defined in RFC 2052.
+
+Example - KDC location information
+
+   These are DNS records for a Kerberos realm ASDF.COM.  It has two Ker-
+   beros servers, kdc1.asdf.com and kdc2.asdf.com.  Queries should be
+   directed to kdc1.asdf.com first as per the specified priority.
+   Weights are not used in these records.
+
+   _kerberos._udp.ASDF.COM.        IN      SRV     0 0 88 kdc1.asdf.com.
+   _kerberos._udp.ASDF.COM.        IN      SRV     1 0 88 kdc2.asdf.com.
+
+Overview - KAdmin location information
+
+   Kadmin location information is to be stored using the DNS SRV RR [RFC
+   2052].  The format of this RR is as follows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for Kadmin is always "_kadmin".
+
+   The Proto can be either "_udp" or "_tcp".  If these records are to be
+   used, a "_tcp" record MUST be included.  If the Kadmin implementation
+   supports UDP transport, a "_udp" record SHOULD be included.
+
+Hornstein, Altman                                               [Page 2]
+
+RFC DRAFT                                                  June 21, 1999
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
+   meaning as defined in RFC 2052.
+
+Example - Kadmin location information
+
+   These are DNS records for a Kerberos realm ASDF.COM.  It has one Kad-
+   min server, kdc1.asdf.com.
+
+   _kadmin._tcp.ASDF.COM.  IN      SRV     0 0 88 kdc1.asdf.com.
+
+Overview - Hostname/domain name to Kerberos realm mapping
+
+   Information on the mapping of DNS hostnames and domain names to Ker-
+   beros realms is stored using DNS TXT records [RFC 1035].  These
+   records have the following format.
+
+   Service.Name TTL Class TXT Realm
+
+   The Service field is always "_kerberos", and prefixes all entries of
+   this type.
+
+   The Name is a DNS hostname or domain name.  This is explained in
+   greater detail below.
+
+   TTL, Class, and TXT have the standard DNS meaning as defined in RFC
+   1035.
+
+   The Realm is the data for the TXT RR, and consists simply of the Ker-
+   beros realm that corresponds to the Name specified.
+
+   When a Kerberos client wishes to utilize a host-specific service, it
+   will perform a DNS TXT query, using the hostname in the Name field of
+   the DNS query.  If the record is not found, the first label of the
+   name is stripped and the query is retried.
+
+   Compliant implementations MUST query the full hostname and the most
+   specific domain name (the hostname with the first label removed).
+   Compliant implementations SHOULD try stripping all subsequent labels
+   until a match is found or the Name field is empty.
+
+Example - Hostname/domain name to Kerberos realm mapping
+
+   For the previously mentioned ASDF.COM realm and domain, some sample
+   records might be as follows:
+
+   _kerberos.asdf.com.             IN      TXT     "ASDF.COM"
+
+Hornstein, Altman                                               [Page 3]
+
+RFC DRAFT                                                  June 21, 1999
+
+   _kerberos.mrkserver.asdf.com.   IN      TXT     "MARKETING.ASDF.COM"
+   _kerberos.salesserver.asdf.com. IN      TXT     "SALES.ASDF.COM"
+
+   Let us suppose that in this case, a Kerberos client wishes to use a
+   Kerberized service on the host foo.asdf.com.  It would first query:
+
+   _kerberos.foo.asdf.com. IN TXT
+
+   Finding no match, it would then query:
+
+   _kerberos.asdf.com. IN TXT
+
+   And find an answer of ASDF.COM.  This would be the realm that
+   foo.asdf.com resides in.
+
+   If another Kerberos client wishes to use a Kerberized service on the
+   host salesserver.asdf.com, it would query:
+
+   _kerberos.salesserver.asdf.com IN TXT
+
+   And find an answer of SALES.ASDF.COM.
+
+Security considerations
+
+   As DNS is deployed today, it is an unsecure service.  Thus the infor-
+   mation returned by it cannot be trusted.  However, the use of DNS to
+   store this configuration information does not introduce any new secu-
+   rity risks to the Kerberos protocol.
+
+   Current practice is to use hostnames to indicate KDC hosts (stored in
+   some implementation-dependent location, but generally a local config
+   file).  These hostnames are vulnerable to the standard set of DNS
+   attacks (denial of service, spoofed entries, etc).  The design of the
+   Kerberos protocol limits attacks of this sort to denial of service.
+   However, the use of SRV records does not change this attack in any
+   way.  They have the same vulnerabilities that already exist in the
+   common practice of using hostnames for KDC locations.
+
+   The same holds true for the TXT records used to indicate the domain
+   name to realm mapping.  Current practice is to configure these map-
+   pings locally.  But this again is vulnerable to spoofing via CNAME
+   records that point to hosts in other domains.  This has the same
+   effect as a spoofed TXT record.
+
+   While the described protocol does not introduce any new security
+   risks to the best of our knowledge, implementations SHOULD provide a
+   way of specifying this information locally without the use of DNS.
+   However, to make this feature worthwhile a lack of any configuration
+
+Hornstein, Altman                                               [Page 4]
+
+RFC DRAFT                                                  June 21, 1999
+
+   information on a client should be interpretted as permission to use
+   DNS.
+
+Expiration
+
+   This Internet-Draft expires on December 21, 1999.
+
+References
+
+   [RFC1510]
+        The Kerberos Network Authentication System; Kohl, Newman; Sep-
+        tember 1993.
+
+   [RFC1035]
+        Domain Names - Implementation and Specification; Mockapetris;
+        November 1987
+
+   [RFC2052]
+        A DNS RR for specifying the location of services (DNS SRV); Gul-
+        brandsen, Vixie; October 1996
+
+Authors' Addresses
+
+   Ken Hornstein
+   US Naval Research Laboratory
+   Bldg A-49, Room 2
+   4555 Overlook Avenue
+   Washington DC  20375 USA
+
+   Phone: +1 (202) 404-4765
+   EMail: kenh@cmf.nrl.navy.mil
+
+   Jeffrey Altman
+   The Kermit Project
+   Columbia University
+   612 West 115th Street #716
+   New York NY 10025-7799 USA
+
+   Phone: +1 (212) 854-1344
+   EMail: jaltman@columbia.edu
+
+Hornstein, Altman                                               [Page 5]
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt
new file mode 100644
index 0000000..bd31750
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-02.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+INTERNET-DRAFT                                             Ken Hornstein
+<draft-ietf-cat-krb-dns-locate-02.txt>                               NRL
+March 10, 2000                                            Jeffrey Altman
+Expires: September 10, 2000                          Columbia University
+
+
+
+          Distributing Kerberos KDC and Realm Information with DNS
+
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Distribution of this memo is unlimited.  It is filed as <draft-ietf-
+   cat-krb-dns-locate-02.txt>, and expires on September 10, 2000.  Please
+   send comments to the authors.
+
+Abstract
+
+   Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto-
+   col [RFC????] describe any mechanism for clients to learn critical
+   configuration information necessary for proper operation of the pro-
+   tocol.  Such information includes the location of Kerberos key dis-
+   tribution centers or a mapping between DNS domains and Kerberos
+   realms.
+
+   Current Kerberos implementations generally store such configuration
+   information in a file on each client machine.  Experience has shown
+   this method of storing configuration information presents problems
+   with out-of-date information and scaling problems, especially when
+
+
+
+Hornstein, Altman                                               [Page 1]
+
+RFC DRAFT                                                 March 10, 2000
+
+
+   using cross-realm authentication.
+
+   This memo describes a method for using the Domain Name System
+   [RFC1035] for storing such configuration information.  Specifically,
+   methods for storing KDC location and hostname/domain name to realm
+   mapping information are discussed.
+
+DNS vs. Kerberos - Case Sensitivity of Realm Names
+
+   In Kerberos, realm names are case sensitive.  While it is strongly
+   encouraged that all realm names be all upper case this recommendation
+   has not been adopted by all sites.  Some sites use all lower case
+   names and other use mixed case.  DNS on the other hand is case insen-
+   sitive for queries but is case preserving for responses to TXT
+   queries.  Since "MYREALM", "myrealm", and "MyRealm" are all different
+   it is necessary that the DNS entries be distinguishable.
+
+   Since the recommend realm names are all upper case, we will not
+   require any quoting to be applied to upper case names.  If the realm
+   name contains lower case characters each character is to be quoted by
+   a '=' character.  So "MyRealm" would be represented as "M=yR=e=a=l=m"
+   and "myrealm" as "=m=y=r=e=a=l=m".  If the realm name contains the
+   '=' character it will be represented as "==".
+
+
+Overview - KDC location information
+
+   KDC location information is to be stored using the DNS SRV RR [RFC
+   2052].  The format of this RR is as follows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for Kerberos is always "_kerberos".
+
+   The Proto can be either "_udp" or "_tcp".  If these records are to be
+   used, a "_udp" record MUST be included.  If the Kerberos implementa-
+   tion supports TCP transport, a "_tcp" record SHOULD be included.
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
+   meaning as defined in RFC 2052.
+
+Example - KDC location information
+
+   These are DNS records for a Kerberos realm ASDF.COM.  It has two Ker-
+   beros servers, kdc1.asdf.com and kdc2.asdf.com.  Queries should be
+   directed to kdc1.asdf.com first as per the specified priority.
+
+
+
+Hornstein, Altman                                               [Page 2]
+
+RFC DRAFT                                                 March 10, 2000
+
+
+   Weights are not used in these records.
+
+   _kerberos._udp.ASDF.COM.        IN      SRV     0 0 88 kdc1.asdf.com.
+   _kerberos._udp.ASDF.COM.        IN      SRV     1 0 88 kdc2.asdf.com.
+
+Overview - Kerberos password changing server location information
+
+   Kerberos password changing server [KERB-CHG] location is to be stored
+   using the DNS SRV RR [RFC 2052].  The format of this RR is as fol-
+   lows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for the password server is always "_kpasswd".
+
+   The Proto MUST be "_udp".
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
+   meaning as defined in RFC 2052.
+
+Overview - Kerberos admin server location information
+
+   Kerberos admin location information is to be stored using the DNS SRV
+   RR [RFC 2052].  The format of this RR is as follows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for the admin server is always "_kerberos-adm".
+
+   The Proto can be either "_udp" or "_tcp".  If these records are to be
+   used, a "_tcp" record MUST be included.  If the Kerberos admin imple-
+   mentation supports UDP transport, a "_udp" record SHOULD be included.
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, Port, and Target have the standard
+   meaning as defined in RFC 2052.
+
+   Note that there is no formal definition of a Kerberos admin protocol,
+   so the use of this record is optional and implementation-dependent.
+
+Example - Kerberos administrative server location information
+
+   These are DNS records for a Kerberos realm ASDF.COM.  It has one
+   administrative server, kdc1.asdf.com.
+
+
+
+
+Hornstein, Altman                                               [Page 3]
+
+RFC DRAFT                                                 March 10, 2000
+
+
+   _kerberos-adm._tcp.ASDF.COM.    IN      SRV     0 0 88 kdc1.asdf.com.
+
+Overview - Hostname/domain name to Kerberos realm mapping
+
+   Information on the mapping of DNS hostnames and domain names to Ker-
+   beros realms is stored using DNS TXT records [RFC 1035].  These
+   records have the following format.
+
+   Service.Name TTL Class TXT Realm
+
+   The Service field is always "_kerberos", and prefixes all entries of
+   this type.
+
+   The Name is a DNS hostname or domain name.  This is explained in
+   greater detail below.
+
+   TTL, Class, and TXT have the standard DNS meaning as defined in RFC
+   1035.
+
+   The Realm is the data for the TXT RR, and consists simply of the Ker-
+   beros realm that corresponds to the Name specified.
+
+   When a Kerberos client wishes to utilize a host-specific service, it
+   will perform a DNS TXT query, using the hostname in the Name field of
+   the DNS query.  If the record is not found, the first label of the
+   name is stripped and the query is retried.
+
+   Compliant implementations MUST query the full hostname and the most
+   specific domain name (the hostname with the first label removed).
+   Compliant implementations SHOULD try stripping all subsequent labels
+   until a match is found or the Name field is empty.
+
+Example - Hostname/domain name to Kerberos realm mapping
+
+   For the previously mentioned ASDF.COM realm and domain, some sample
+   records might be as follows:
+
+   _kerberos.asdf.com.             IN      TXT     "ASDF.COM"
+   _kerberos.mrkserver.asdf.com.   IN      TXT     "MARKETING.ASDF.COM"
+   _kerberos.salesserver.asdf.com. IN      TXT     "SALES.ASDF.COM"
+
+   Let us suppose that in this case, a Kerberos client wishes to use a
+   Kerberized service on the host foo.asdf.com.  It would first query:
+
+   _kerberos.foo.asdf.com. IN TXT
+
+   Finding no match, it would then query:
+
+
+
+
+Hornstein, Altman                                               [Page 4]
+
+RFC DRAFT                                                 March 10, 2000
+
+
+   _kerberos.asdf.com. IN TXT
+
+   And find an answer of ASDF.COM.  This would be the realm that
+   foo.asdf.com resides in.
+
+   If another Kerberos client wishes to use a Kerberized service on the
+   host salesserver.asdf.com, it would query:
+
+   _kerberos.salesserver.asdf.com IN TXT
+
+   And find an answer of SALES.ASDF.COM.
+
+Security considerations
+
+   As DNS is deployed today, it is an unsecure service.  Thus the infor-
+   mation returned by it cannot be trusted.
+
+   Current practice for REALM to KDC mapping is to use hostnames to
+   indicate KDC hosts (stored in some implementation-dependent location,
+   but generally a local config file).  These hostnames are vulnerable
+   to the standard set of DNS attacks (denial of service, spoofed
+   entries, etc).  The design of the Kerberos protocol limits attacks of
+   this sort to denial of service.  However, the use of SRV records does
+   not change this attack in any way.  They have the same vulnerabili-
+   ties that already exist in the common practice of using hostnames for
+   KDC locations.
+
+   Current practice for HOSTNAME to REALM mapping is to provide a local
+   configuration of mappings of hostname or domain name to realm which
+   are then mapped to KDCs.  But this again is vulnerable to spoofing
+   via CNAME records that point to hosts in other domains.  This has the
+   same effect as when a TXT record is spoofed.  In a realm with no
+   cross-realm trusts this is a DoS attack.  However, when cross-realm
+   trusts are used it is possible to redirect a client to use a comprom-
+   ised realm.
+
+   This is not an exploit of the Kerberos protocol but of the Kerberos
+   trust model.  The same can be done to any application that must
+   resolve the hostname in order to determine which domain a non-FQDN
+   belongs to.
+
+   Implementations SHOULD provide a way of specifying this information
+   locally without the use of DNS.  However, to make this feature
+   worthwhile a lack of any configuration information on a client should
+   be interpretted as permission to use DNS.
+
+
+
+
+
+
+Hornstein, Altman                                               [Page 5]
+
+RFC DRAFT                                                 March 10, 2000
+
+
+Expiration
+
+   This Internet-Draft expires on September 10, 2000.
+
+References
+
+
+   [RFC1510]
+        The Kerberos Network Authentication System; Kohl, Newman; Sep-
+        tember 1993.
+
+   [RFC1035]
+        Domain Names - Implementation and Specification; Mockapetris;
+        November 1987
+
+   [RFC2782]
+        A DNS RR for specifying the location of services (DNS SRV); Gul-
+        brandsen, Vixie; Feburary 2000
+
+   [KERB-CHG]
+        Kerberos Change Password Protocol; Horowitz;
+        ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerb-chg-
+        password-02.txt
+
+Authors' Addresses
+
+   Ken Hornstein
+   US Naval Research Laboratory
+   Bldg A-49, Room 2
+   4555 Overlook Avenue
+   Washington DC  20375 USA
+
+   Phone: +1 (202) 404-4765
+   EMail: kenh@cmf.nrl.navy.mil
+
+   Jeffrey Altman
+   The Kermit Project
+   Columbia University
+   612 West 115th Street #716
+   New York NY 10025-7799 USA
+
+   Phone: +1 (212) 854-1344
+   EMail: jaltman@columbia.edu
+
+
+
+
+
+
+
+
+Hornstein, Altman                                               [Page 6]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt
new file mode 100644
index 0000000..11e5dc9
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb5gss-mech2-03.txt
@@ -0,0 +1,1333 @@
+
+INTERNET-DRAFT                                                    Tom Yu
+Common Authentication Technology WG                                  MIT
+draft-ietf-cat-krb5gss-mech2-03.txt                        04 March 2000
+
+           The Kerberos Version 5 GSSAPI Mechanism, Version 2
+
+Status of This Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Comments on this document should be sent to
+   "ietf-cat-wg@lists.stanford.edu", the IETF Common Authentication
+   Technology WG discussion list.
+
+Abstract
+
+   This document defines protocols, procedures, and conventions to be
+   employed by peers implementing the Generic Security Service
+   Application Program Interface (as specified in RFC 2743) when using
+   Kerberos Version 5 technology (as specified in RFC 1510).  This
+   obsoletes RFC 1964.
+
+Acknowledgements
+
+   Much of the material in this specification is based on work done for
+   Cygnus Solutions by Marc Horowitz.
+
+Table of Contents
+
+   Status of This Memo ............................................    1
+   Abstract .......................................................    1
+   Acknowledgements ...............................................    1
+   Table of Contents ..............................................    1
+   1.  Introduction ...............................................    3
+   2.  Token Formats ..............................................    3
+      2.1.  Packet Notation .......................................    3
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 1]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+      2.2.  Mechanism OID .........................................    4
+      2.3.  Context Establishment .................................    4
+         2.3.1.  Option Format ....................................    4
+            2.3.1.1.  Delegated Credentials Option ................    5
+            2.3.1.2.  Null Option .................................    5
+         2.3.2.  Initial Token ....................................    6
+            2.3.2.1.  Data to be Checksummed in APREQ .............    8
+         2.3.3.  Response Token ...................................   10
+      2.4.  Per-message Tokens ....................................   12
+         2.4.1.  Sequence Number Usage ............................   12
+         2.4.2.  MIC Token ........................................   12
+            2.4.2.1.  Data to be Checksummed in MIC Token .........   13
+         2.4.3.  Wrap Token .......................................   14
+            2.4.3.1.  Wrap Token With Integrity Only ..............   14
+            2.4.3.2.  Wrap Token With Integrity and Encryption
+                      .............................................   15
+               2.4.3.2.1.  Data to be Encrypted in Wrap Token .....   16
+   3.  ASN.1 Encoding of Octet Strings ............................   17
+   4.  Name Types .................................................   18
+      4.1.  Mandatory Name Forms ..................................   18
+         4.1.1.  Kerberos Principal Name Form .....................   18
+         4.1.2.  Exported Name Object Form for Kerberos5
+                 Mechanism ........................................   19
+   5.  Credentials ................................................   20
+   6.  Parameter Definitions ......................................   20
+      6.1.  Minor Status Codes ....................................   20
+         6.1.1.  Non-Kerberos-specific codes ......................   21
+         6.1.2.  Kerberos-specific-codes ..........................   21
+   7.  Kerberos Protocol Dependencies .............................   22
+   8.  Security Considerations ....................................   22
+   9.  References .................................................   22
+   10.  Author's Address ..........................................   23
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 2]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+1.  Introduction
+
+   The original Kerberos 5 GSSAPI mechanism[RFC1964] has a number of
+   shortcomings.  This document attempts to remedy them by defining a
+   completely new Kerberos 5 GSSAPI mechanism.
+
+   The context establishment token format requires that the
+   authenticator of AP-REQ messages contain a cleartext data structure
+   in its checksum field, which is a needless and potentially confusing
+   overloading of that field.  This is implemented by a special checksum
+   algorithm whose purpose is to copy the input data directly into the
+   checksum field of the authenticator.
+
+   The number assignments for checksum algorithms and for encryption
+   types are inconsistent between the Kerberos protocol and the original
+   GSSAPI mechanism.  If new encryption or checksum algorithms are added
+   to the Kerberos protocol at some point, the GSSAPI mechanism will
+   need to be separately updated to use these new algorithms.
+
+   The original mechanism specifies a crude method of key derivation (by
+   using the XOR of the context key with a fixed constant), which is
+   incompatible with newer cryptosystems which specify key derivation
+   procedures themselves.  The original mechanism also assumes that both
+   checksums and cryptosystem blocksizes are eight bytes.
+
+   Defining all GSSAPI tokens for the new Kerberos 5 mechanism in terms
+   of the Kerberos protocol specification ensures that new encryption
+   types and checksum types may be automatically used as they are
+   defined for the Kerberos protocol.
+
+2.  Token Formats
+
+   All tokens, not just the initial token, are framed as the
+   InitialContextToken described in RFC 2743 section 3.1.  The
+   innerContextToken element of the token will not itself be encoded in
+   ASN.1, with the exception of caller-provided application data.
+
+   One rationale for avoiding the use of ASN.1 in the inner token is
+   that some implementors may wish to implement this mechanism in a
+   kernel or other similarly constrained application where handling of
+   full ASN.1 encoding may be cumbersome.  Also, due to the poor
+   availability of the relevant standards documents, ASN.1 encoders and
+   decoders are difficult to implement completely correctly, so keeping
+   ASN.1 usage to a minimum decreases the probability of bugs in the
+   implementation of the mechanism.  In particular, bit strings need to
+   be transferred at certain points in this mechanism.  There are many
+   conflicting common misunderstandings of how to encode and decode
+   ASN.1 bit strings, which have led difficulties in the implementaion
+   of the Kerberos protocol.
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 3]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+2.1.  Packet Notation
+
+   The order of transmission of this protocol is described at the octet
+   level.  Packet diagrams depict bits in the order of transmission,
+   assuming that individual octets are transmitted with the most
+   significant bit (MSB) first.  The diagrams read from left to right
+   and from top to bottom, as in printed English.  In each octet, bit
+   number 7 is the MSB and bit number 0 is the LSB.
+
+   Numbers prefixed by the characters "0x" are in hexadecimal notation,
+   as in the C programming language.  Even though packet diagrams are
+   drawn 16 bits wide, no padding should be used to align the ends of
+   variable-length fields to a 32-bit or 16-bit boundary.
+
+   All integer fields are in network byte order.  All other fields have
+   the size shown in the diagrams, with the exception of variable length
+   fields.
+
+2.2.  Mechanism OID
+
+   The Object Identifier (OID) of the new krb5 v2 mechanism is:
+
+   {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2)
+   krb5v2(3)}
+
+
+2.3.  Context Establishment
+
+2.3.1.  Option Format
+
+   Context establishment tokens, i.e., the initial ones that the
+   GSS_Init_sec_context() and the GSS_Accept_sec_context() calls emit
+   while a security context is being set up, may contain options that
+   influence the subsequent behavior of the context.  This document
+   describes only a small set of options, but additional types may be
+   added by documents intended to supplement this one.  The generic
+   format is as follows:
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                          option type                          |
+     +-------------------------------+-------------------------------+
+  2  |                                                               |
+     +--                  option length (32 bits)                  --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+  6  |                               .                               |
+     /                 option data (variable length)                 /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 4]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   option type (16 bits)
+        The type identifier of the following option.
+
+   option length (32 bits)
+        The length in bytes of the following option.
+
+   option data (variable length)
+        The actual option data.
+
+   Any number of options may appear in an initator or acceptor token.
+   The final option in a token must be the null option, in order to mark
+   the end of the list.  Option type 0xffff is reserved.
+
+   The initiator and acceptor shall ignore any options that they do not
+   understand.
+
+2.3.1.1.  Delegated Credentials Option
+
+   Only the initiator may use this option.  The format of the delegated
+   credentials option is as follows:
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                     option type = 0x00001                     |
+     +-------------------------------+-------------------------------+
+  2  |                                                               |
+     +--                      KRB-CRED length                      --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+  6  |                               .                               |
+     /                        KRB-CRED message                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   option type (16 bits)
+        The option type for this option shall be 0x0001.
+
+   KRB-CRED length (32 bits)
+        The length in bytes of the following KRB-CRED message.
+
+   KRB-CRED message (variable length)
+        The option data for this option shall be the KRB-CRED message
+        that contains the credentials being delegated (forwarded) to the
+        context acceptor.  Only the initiator may use this option.
+
+2.3.1.2.  Null Option
+
+   The Null option terminates the option list, and must be used by both
+   the initiator and the acceptor.  Its format is as follows:
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 5]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                        option type = 0                        |
+     +-------------------------------+-------------------------------+
+  2  |                                                               |
+     +--                         length = 0                        --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+
+
+   option type (16 bits)
+        The option type of this option must be zero.
+
+   option length (32 bits)
+        The length of this option must be zero.
+
+2.3.2.  Initial Token
+
+   This is the initial token sent by the context initiator, generated by
+   GSS_Init_sec_context().
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                   initial token id = 0x0101                   |
+     +-------------------------------+-------------------------------+
+  2  |                                                               |
+     +--         reserved flag bits          +-----------------------+
+  4  |                                       | I | C | S | R | M | D |
+     +-------------------------------+-------------------------------+
+  6  |                      checksum type count                      |
+     +-------------------------------+-------------------------------+
+  8  |                               .                               |
+     /                       checksum type list                      /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  n  |                               .                               |
+     /                            options                            /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  m  |                                                               |
+     +--                       AP-REQ length                       --+
+ m+2 |                                                               |
+     +-------------------------------+-------------------------------+
+ m+4 |                               .                               |
+     /                          AP-REQ data                          /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   initial token ID (16 bits)
+        Contains the integer 0x0101, which identifies this as the
+        initial token in the context setup.
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 6]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   reserved flag bits (26 bits)
+        These bits are reserved for future expansion.  They must be set
+        to zero by the initiator and be ignored by the acceptor.
+
+   I flag (1 bit)
+        0x00000020 -- GSS_C_INTEG_FLAG
+
+   C flag (1 bit)
+        0x00000010 -- GSS_C_CONF_FLAG
+
+   S flag (1 bit)
+        0x00000008 -- GSS_C_SEQUENCE_FLAG
+
+   R flag (1 bit)
+        0x00000004 -- GSS_C_REPLAY_FLAG
+
+   M flag (1 bit)
+        0x00000002 -- GSS_C_MUTUAL_FLAG
+
+   D flag (1 bit)
+        0x00000001 -- GSS_C_DELEG_FLAG; This flag must be set if the
+        "delegated credentials" option is included.
+
+   checksum type count (16 bits)
+        The number of checksum types supported by the initiator.
+
+   checksum type list (variable length)
+        A list of Kerberos checksum types, as defined in RFC 1510
+        section 6.4. These checksum types must be collision-proof and
+        keyed with the context key; no checksum types that are
+        incompatible with the encryption key shall be used.  Each
+        checksum type number shall be 32 bits wide.  This list should
+        contain all the checksum types supported by the initiator.  If
+        mutual authentication is not used, then this list shall contain
+        only one checksum type.
+
+   options (variable length)
+        The context initiation options, described in section 2.3.1.
+
+   AP-REQ length (32 bits)
+        The length of the following KRB_AP_REQ message.
+
+   AP-REQ data (variable length)
+        The AP-REQ message as described in RFC 1510.  The checksum in
+        the authenticator will be computed over the items listed in the
+        next section.
+
+   The optional sequence number field shall be used in the AP-REQ.  The
+   initiator should generate a subkey in the authenticator, and the
+   acceptor should generate a subkey in the AP-REP.  The key used for
+   the per-message tokens will be the AP-REP subkey, or if that is not
+   present, the authenticator subkey, or if that is not present, the
+   session key.  When subkeys are generated, it is strongly recommended
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 7]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   that they be of the same type as the associated session key.
+
+   XXX The above is not secure.  There should be an algorithmic process
+   to arrive at a subsession key which both sides of the authentication
+   exchange can perform based on the ticket sessions key and data known
+   to both parties, and this should probably be part of the revised
+   Kerberos protocol rather than bound to the GSSAPI mechanism.
+
+2.3.2.1.  Data to be Checksummed in AP-REQ
+
+   The checksum in the AP-REQ message is calculated over the following
+   items.  Like in the actual tokens, no padding should be added to
+   force integer fields to align on 32 bit boundaries.  This particular
+   set of data should not be sent as a part of any token; it merely
+   specifies what is to be checksummed in the AP-REQ.  The items in this
+   encoding that precede the initial token ID correspond to the channel
+   bindings passed to GSS_Init_sec_context().
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 8]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                                                               |
+     +--                   initiator address type                  --+
+  2  |                                                               |
+     +-------------------------------+-------------------------------+
+  4  |                    initiator address length                   |
+     +-------------------------------+-------------------------------+
+  6  |                               .                               |
+     /                       initiator address                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  n  |                                                               |
+     +--                   acceptor address type                   --+
+     |                                                               |
+     +-------------------------------+-------------------------------+
+ n+4 |                    acceptor address length                    |
+     +-------------------------------+-------------------------------+
+ n+6 |                               .                               |
+     /                        acceptor address                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  m  |                               .                               |
+     /                        application data                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  k  |                   initial token id = 0x0101                   |
+     +-------------------------------+-------------------------------+
+ k+2 |                                                               |
+     +--                           flags                           --+
+ k+4 |                                                               |
+     +-------------------------------+-------------------------------+
+ k+6 |                      checksum type count                      |
+     +-------------------------------+-------------------------------+
+ k+8 |                               .                               |
+     /                       checksum type list                      /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  j  |                               .                               |
+     /                            options                            /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   initiator address type (32 bits)
+        The initiator address type, as defined in the Kerberos protocol
+        specification.  If no initiator address is provided, this must
+        be zero.
+
+   initiator address length (16 bits)
+        The length in bytes of the following initiator address.  If
+        there is no inititator address provided, this must be zero.
+
+
+Yu                  Document Expiration: 04 Sep 2000            [Page 9]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   initiator address (variable length)
+        The actual initiator address, in network byte order.
+
+   acceptor address type (32 bits)
+        The acceptor address type, as defined in the Kerberos protocol
+        specification.  If no acceptor address is provided, this must be
+        zero.
+
+   acceptor address length (16 bits)
+        The length in bytes of the following acceptor address.  This
+        must be zero is there is no acceptor address provided.
+
+   initiator address (variable length)
+        The actual acceptor address, in network byte order.
+
+   applicatation data (variable length)
+        The application data, if provided, encoded as a ASN.1 octet
+        string using DER.  If no application data are passed as input
+        channel bindings, this shall be a zero-length ASN.1 octet
+        string.
+
+   initial token ID (16 bits)
+        The initial token ID from the initial token.
+
+   flags (32 bits)
+        The context establishment flags from the initial token.
+
+   checksum type count (16 bits)
+        The number of checksum types supported by the initiator.
+
+   checksum type list (variable length)
+        The same list of checksum types contained in the initial token.
+
+   options (variable length)
+        The options list from the initial token.
+
+2.3.3.  Response Token
+
+   This is the reponse token sent by the context acceptor, if mutual
+   authentication is enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 10]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                   response token id = 0x0202                  |
+     +-------------------------------+-------------------------------+
+  2  |                                                               |
+     +--                  reserved flag bits                 +-------+
+  4  |                                                       | D | E |
+     +-------------------------------+-------------------------------+
+  6  |                                                               |
+     +--                       checksum type                       --+
+  8  |                                                               |
+     +-------------------------------+-------------------------------+
+ 10  |                               .                               |
+     /                            options                            /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  n  |                                                               |
+     +--                 AP-REP or KRB-ERROR length                --+
+ n+2 |                                                               |
+     +-------------------------------+-------------------------------+
+ n+4 |                               .                               |
+     /                    AP-REP or KRB-ERROR data                   /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  m  |                               .                               |
+     /                            MIC data                           /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   response token id (16 bits)
+        Contains the integer 0x0202, which identifies this as the
+        response token in the context setup.
+
+   reserved flag bits (30 bits)
+        These bits are reserved for future expansion.  They must be set
+        to zero by the acceptor and be ignored by the initiator.
+
+   D flag -- delegated creds accepted (1 bit)
+        0x00000002 -- If this flag is set, the acceptor processed the
+        delegated credentials, and GSS_C_DELEG_FLAG should be returned
+        to the caller.
+
+   E flag -- error (1 bit)
+        0x00000001 -- If this flag is set, a KRB-ERROR message shall be
+        present, rather than an AP-REP message.  If this flag is not
+        set, an AP-REP message shall be present.
+
+   checksum type count (16 bits)
+        The number of checksum types supported by both the initiator and
+        the acceptor.
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 11]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   checksum type (32 bits)
+        A Kerberos checksum type, as defined in RFC 1510 section 6.4.
+        This checksum type must be among the types listed by the
+        initiator, and will be used in for subsequent checksums
+        generated during this security context.
+
+   options (variable length)
+        The option list, as described earlier.  At this time, no options
+        are defined for the acceptor, but an implementation might make
+        use of these options to acknowledge an option from the initial
+        token.  After all the options are specified, a null option must
+        be used to terminate the list.
+
+   AP-REP or KRB-ERROR length (32 bits)
+        Depending on the value of the error flag, length in bytes of the
+        AP-REP or KRB-ERROR message.
+
+   AP-REP or KRB-ERROR data (variable length)
+        Depending on the value of the error flag, the AP-REP or
+        KRB-ERROR message as described in RFC 1510.  If this field
+        contains an AP-REP message, the sequence number field in the
+        AP-REP shall be filled.  If this is a KRB-ERROR message, no
+        further fields will be in this message.
+
+   MIC data (variable length)
+        A MIC token, as described in section 2.4.2, computed over the
+        concatentation of the response token ID, flags, checksum length
+        and type fields, and all option fields.  This field and the
+        preceding length field must not be present if the error flag is
+        set.
+
+2.4.  Per-message Tokens
+
+2.4.1.  Sequence Number Usage
+
+   Sequence numbers for per-message tokens are 31 bit unsigned integers,
+   which are incremented by 1 after each token.  An overflow condition
+   should result in a wraparound of the sequence number to zero.  The
+   initiator and acceptor each keep their own sequence numbers per
+   connection.
+
+   The intial sequence number for tokens sent from the initiator to the
+   acceptor shall be the least significant 31 bits of sequence number in
+   the AP-REQ message.  The initial sequence number for tokens sent from
+   the acceptor to the initiator shall be the least significant 31 bits
+   of the sequence number in the AP-REP message if mutual authentication
+   is used; if mutual authentication is not used, the initial sequence
+   number from acceptor to initiator shall be the least significant 31
+   bits of the sequence number in the AP-REQ message.
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 12]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+2.4.2.  MIC Token
+
+   Use of the GSS_GetMIC() call yields a token, separate from the user
+   data being protected, which can be used to verify the integrity of
+   that data when it is received.  The MIC token has the following
+   format:
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                     MIC token id = 0x0303                     |
+     +-------------------------------+-------------------------------+
+  2  | D |                                                           |
+     +---+                     sequence number                     --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+  6  |                        checksum length                        |
+     +-------------------------------+-------------------------------+
+  8  |                               .                               |
+     /                         checksum data                         /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   MIC token id (16 bits)
+        Contains the integer 0x0303, which identifies this as a MIC
+        token.
+
+   D -- direction bit (1 bit)
+        This bit shall be zero if the message is sent from the context
+        initiator.  If the message is sent from the context acceptor,
+        this bit shall be one.
+
+   sequence number (31 bits)
+        The sequence number.
+
+   checksum length (16 bits)
+        The number of bytes in the following checksum data field.
+
+   checksum data (variable length)
+        The checksum itself, as defined in RFC 1510 section 6.4.  The
+        checksum is calculated over the encoding described in the
+        following section.  The key usage GSS_TOK_MIC -- 22 [XXX need to
+        register this] shall be used in cryptosystems that support key
+        derivation.
+
+   The mechanism implementation shall only use the checksum type
+   returned by the acceptor in the case of mutual authentication.  If
+   mutual authentication is not requested, then only the checksum type
+   in the initiator token shall be used.
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 13]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+2.4.2.1.  Data to be Checksummed in MIC Token
+
+   The checksum in the MIC token shall be calculated over the following
+   elements.  This set of data is not actually included in the token as
+   is; the description only appears for the purpose of specifying the
+   method of calculating the checksum.
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                     MIC token id = 0x0303                     |
+     +-------------------------------+-------------------------------+
+  2  | D |                                                           |
+     +---+                     sequence number                     --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+  6  |                               .                               |
+     /                        application data                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   MIC token ID (16 bits)
+        The MIC token ID from the MIC message.
+
+   D -- direction bit (1 bit)
+        This bit shall be zero if the message is sent from the context
+        initiator.  If the message is sent from the context acceptor,
+        this bit shall be one.
+
+   sequence number (31 bits)
+        The sequence number.
+
+   application data (variable length)
+        The application-supplied data, encoded as an ASN.1 octet string
+        using DER.
+
+2.4.3.  Wrap Token
+
+   Use of the GSS_Wrap() call yields a token which encapsulates the
+   input user data (optionally encrypted) along with associated
+   integrity check quantities.
+
+2.4.3.1.  Wrap Token With Integrity Only
+
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 14]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  |                integrity wrap token id = 0x0404               |
+     +-------------------------------+-------------------------------+
+  2  | D |                                                           |
+     +---+                     sequence number                     --+
+  4  |                                                               |
+     +-------------------------------+-------------------------------+
+  6  |                               .                               |
+     /                        application data                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+  n  |                        checksum length                        |
+     +-------------------------------+-------------------------------+
+ n+2 |                               .                               |
+     /                         checksum data                         /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   integrity wrap token id (16 bits)
+        Contains the integer 0x0404, which identifies this as a Wrap
+        token with integrity only.
+
+   D -- direction bit (1 bit)
+        This bit shall be zero if the message is sent from the context
+        initiator.  If the message is sent from the context acceptor,
+        this bit shall be one.
+
+   sequence number (31 bits)
+        The sequence number.
+
+   application data (variable length)
+        The application-supplied data, encoded as an ASN.1 octet string
+        using DER.
+
+   checksum length (16 bits)
+        The number of bytes in the following checksum data field.
+
+   checksum data (variable length)
+        The checksum itself, as defined in RFC 1510 section 6.4,
+        computed over the concatenation of the token ID, sequence
+        number, direction field, application data length, and
+        application data, as in the MIC token checksum in the previous
+        section.  The key usage GSS_TOK_WRAP_INTEG -- 23 [XXX need to
+        register this] shall be used in cryptosystems that support key
+        derivation.
+
+   The mechanism implementation should only use checksum types which it
+   knows to be valid for both peers, as described for MIC tokens.
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 15]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+2.4.3.2.  Wrap Token With Integrity and Encryption
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+     |                encrypted wrap token id = 0x0505               |
+     +-------------------------------+-------------------------------+
+  2  |                               .                               |
+     /                         encrypted data                        /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   encrypted wrap token id (16 bits)
+        Contains the integer 0x0505, which identifies this as a Wrap
+        token with integrity and encryption.
+
+   encrypted data (variable length)
+        The encrypted data itself, as defined in RFC 1510 section 6.3,
+        encoded as an ASN.1 octet string using DER.  Note that this is
+        not the ASN.1 type EncryptedData as defined in RFC 1510
+        section 6.1, but rather the ciphertext without encryption type
+        or kvno information.  The encryption is performed using the
+        key/enctype exchanged during context setup.  The confounder and
+        checksum are as specified in the Kerberos protocol
+        specification.  The key usage GSS_TOK_WRAP_PRIV -- 24 [XXX need
+        to register this] shall be used in cryptosystems that support
+        key derivation.  The actual data to be encrypted are specified
+        below.
+
+2.4.3.2.1.  Data to be Encrypted in Wrap Token
+
+  bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+byte +-------------------------------+-------------------------------+
+  0  | D |                                                           |
+     +---+                     sequence number                     --+
+  2  |                                                               |
+     +-------------------------------+-------------------------------+
+  4  |                               .                               |
+     /                        application data                       /
+     |                               .                               |
+     +-------------------------------+-------------------------------+
+
+
+   D -- direction bit (1 bit)
+        This bit shall be zero if the message is sent from the context
+        initiator.  If the message is sent from the context acceptor,
+        this bit shall be one.
+
+   sequence number (31 bits)
+        The sequence number.
+
+   application data (variable length)
+        The application-supplied data, encoded as an ASN.1 octet string
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 16]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+        using DER.
+
+3.  ASN.1 Encoding of Octet Strings
+
+   In order to encode arbitirarly-sized application data, ASN.1 octet
+   string encoding is in this protocol.  The Distinguished Encoding
+   Rules (DER) shall always be used in such cases.  For reference
+   purposes, the DER encoding of an ASN.1 octet string, adapted from
+   ITU-T X.690, follows:
+
+   +--------+-------//-------+-------//-------+
+   |00000100| length octets  |contents octets |
+   +--------+-------//-------+-------//-------+
+    |
+    +-- identifier octet = 0x04 = [UNIVERSAL 4]
+
+
+   In this section only, the bits in each octet shall be numbered as in
+   the ASN.1 specification, from 8 to 1, with bit 8 being the MSB of the
+   octet, and with bit 1 being the LSB of the octet.
+
+   identifier octet (8 bits)
+        Contains the constant 0x04, the tag for primitive encoding of an
+        octet string with the default (UNIVERSAL 4) tag.
+
+   length octets (variable length)
+        Contains the length of the contents octets, in definite form
+        (since this encoding uses DER).
+
+   contents octets (variable length)
+        The contents of the octet string.
+
+   The length octets shall consist of either a short form (one byte
+   only), which is to be used only if the number of octets in the
+   contents octets is less than or equal to 127, or a long form, which
+   is to be used in all other cases.  The short form shall consist of a
+   single octet with bit 8 (the MSB) equal to zero, and the remaining
+   bits encoding the number of contents octets (which may be zero) as an
+   unsigned binary integer.
+
+   The long form shall consist of an initial octet and one or more
+   subsequent octets.  The first octet shall have bit 8 (the MSB) set to
+   one, and the remaining bits shall encode the number of subsequent
+   octets in the length encoding as an unsigned binary integer.  The
+   length must be encoded in the minimum number of octets.  An initial
+   octet of 0xFF is reserved by the ASN.1 specification.  Bits 8 to 1 of
+   the first subsequent octet, followed by bits 8 to 1 of each
+   subsequent octet in order, shall be the encoding of an unsigned
+   binary integer, with bit 8 of the first octet being the most
+   significant bit.  Thus, the length encoding within is in network byte
+   order.
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 17]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   An initial length octet of 0x80 shall not be used, as that is
+   reserved by the ASN.1 specification for indefinite lengths in
+   conjunction with constructed contents encodings, which are not to be
+   used with DER.
+
+4.  Name Types
+
+   This section discusses the name types which may be passed as input to
+   the Kerberos 5 GSSAPI mechanism's GSS_Import_name() call, and their
+   associated identifier values.  It defines interface elements in
+   support of portability, and assumes use of C language bindings per
+   RFC 2744.  In addition to specifying OID values for name type
+   identifiers, symbolic names are included and recommended to GSSAPI
+   implementors in the interests of convenience to callers.  It is
+   understood that not all implementations of the Kerberos 5 GSSAPI
+   mechanism need support all name types in this list, and that
+   additional name forms will likely be added to this list over time.
+   Further, the definitions of some or all name types may later migrate
+   to other, mechanism-independent, specifications.  The occurrence of a
+   name type in this specification is specifically not intended to
+   suggest that the type may be supported only by an implementation of
+   the Kerberos 5 mechanism.  In particular, the occurrence of the
+   string "_KRB5_" in the symbolic name strings constitutes a means to
+   unambiguously register the name strings, avoiding collision with
+   other documents; it is not meant to limit the name types' usage or
+   applicability.
+
+   For purposes of clarification to GSSAPI implementors, this section's
+   discussion of some name forms describes means through which those
+   forms can be supported with existing Kerberos technology.  These
+   discussions are not intended to preclude alternative implementation
+   strategies for support of the name forms within Kerberos mechanisms
+   or mechanisms based on other technologies.  To enhance application
+   portability, implementors of mechanisms are encouraged to support
+   name forms as defined in this section, even if their mechanisms are
+   independent of Kerberos 5.
+
+4.1.  Mandatory Name Forms
+
+   This section discusses name forms which are to be supported by all
+   conformant implementations of the Kerberos 5 GSSAPI mechanism.
+
+4.1.1.  Kerberos Principal Name Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) us(840) mit(113554) infosys(1) gssapi(2) krb5(2)
+   krb5_name(1)}.  The recommended symbolic name for this type is
+   "GSS_KRB5_NT_PRINCIPAL_NAME".
+
+   This name type corresponds to the single-string representation of a
+   Kerberos name.  (Within the MIT Kerberos 5 implementation, such names
+   are parseable with the krb5_parse_name() function.)  The elements
+   included within this name representation are as follows, proceeding
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 18]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   from the beginning of the string:
+
+        (1) One or more principal name components; if more than one
+        principal name component is included, the components are
+        separated by '/'.  Arbitrary octets may be included within
+        principal name components, with the following constraints and
+        special considerations:
+
+           (1a) Any occurrence of the characters '@' or '/' within a
+           name component must be immediately preceded by the '\'
+           quoting character, to prevent interpretation as a component
+           or realm separator.
+
+           (1b) The ASCII newline, tab, backspace, and null characters
+           may occur directly within the component or may be
+           represented, respectively, by '\n', '\t', '\b', or '\0'.
+
+           (1c) If the '\' quoting character occurs outside the contexts
+           described in (1a) and (1b) above, the following character is
+           interpreted literally.  As a special case, this allows the
+           doubled representation '\\' to represent a single occurrence
+           of the quoting character.
+
+           (1d) An occurrence of the '\' quoting character as the last
+           character of a component is illegal.
+
+        (2) Optionally, a '@' character, signifying that a realm name
+        immediately follows. If no realm name element is included, the
+        local realm name is assumed.  The '/' , ':', and null characters
+        may not occur within a realm name; the '@', newline, tab, and
+        backspace characters may be included using the quoting
+        conventions described in (1a), (1b), and (1c) above.
+
+4.1.2.  Exported Name Object Form for Kerberos 5 Mechanism
+
+   When generated by the Kerberos 5 mechanism, the Mechanism OID within
+   the exportable name shall be that of the original Kerberos 5
+   mechanism[RFC1964].  The Mechanism OID for the original Kerberos 5
+   mechanism is:
+
+   {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2)
+   krb5(2)}
+
+   The name component within the exportable name shall be a contiguous
+   string with structure as defined for the Kerberos Principal Name
+   Form.
+
+   In order to achieve a distinguished encoding for comparison purposes,
+   the following additional constraints are imposed on the export
+   operation:
+
+        (1) all occurrences of the characters '@', '/', and '\' within
+        principal components or realm names shall be quoted with an
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 19]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+        immediately-preceding '\'.
+
+        (2) all occurrences of the null, backspace, tab, or newline
+        characters within principal components or realm names will be
+        represented, respectively, with '\0', '\b', '\t', or '\n'.
+
+        (3) the '\' quoting character shall not be emitted within an
+        exported name except to accomodate cases (1) and (2).
+
+5.  Credentials
+
+   The Kerberos 5 protocol uses different credentials (in the GSSAPI
+   sense) for initiating and accepting security contexts.  Normal
+   clients receive a ticket-granting ticket (TGT) and an associated
+   session key at "login" time; the pair of a TGT and its corresponding
+   session key forms a credential which is suitable for initiating
+   security contexts.  A ticket-granting ticket, its session key, and
+   any other (ticket, key) pairs obtained through use of the
+   ticket-granting-ticket, are typically stored in a Kerberos 5
+   credentials cache, sometimes known as a ticket file.
+
+   The encryption key used by the Kerberos server to seal tickets for a
+   particular application service forms the credentials suitable for
+   accepting security contexts.  These service keys are typically stored
+   in a Kerberos 5 key table (keytab), or srvtab file (the Kerberos 4
+   terminology).  In addition to their use as accepting credentials,
+   these service keys may also be used to obtain initiating credentials
+   for their service principal.
+
+   The Kerberos 5 mechanism's credential handle may contain references
+   to either or both types of credentials.  It is a local matter how the
+   Kerberos 5 mechanism implementation finds the appropriate Kerberos 5
+   credentials cache or key table.
+
+   However, when the Kerberos 5 mechanism attempts to obtain initiating
+   credentials for a service principal which are not available in a
+   credentials cache, and the key for that service principal is
+   available in a Kerberos 5 key table, the mechanism should use the
+   service key to obtain initiating credentials for that service.  This
+   should be accomplished by requesting a ticket-granting-ticket from
+   the Kerberos Key Distribution Center (KDC), and decrypting the KDC's
+   reply using the service key.
+
+6.  Parameter Definitions
+
+   This section defines parameter values used by the Kerberos V5 GSSAPI
+   mechanism.  It defines interface elements in support of portability,
+   and assumes use of C language bindings per RFC 2744.
+
+6.1.  Minor Status Codes
+
+   This section recommends common symbolic names for minor_status values
+   to be returned by the Kerberos 5 GSSAPI mechanism.  Use of these
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 20]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   definitions will enable independent implementors to enhance
+   application portability across different implementations of the
+   mechanism defined in this specification.  (In all cases,
+   implementations of GSS_Display_status() will enable callers to
+   convert minor_status indicators to text representations.)  Each
+   implementation should make available, through include files or other
+   means, a facility to translate these symbolic names into the concrete
+   values which a particular GSSAPI implementation uses to represent the
+   minor_status values specified in this section.
+
+   It is recognized that this list may grow over time, and that the need
+   for additional minor_status codes specific to particular
+   implementations may arise.  It is recommended, however, that
+   implementations should return a minor_status value as defined on a
+   mechanism-wide basis within this section when that code is accurately
+   representative of reportable status rather than using a separate,
+   implementation-defined code.
+
+6.1.1.  Non-Kerberos-specific codes
+
+   These symbols should likely be incorporated into the generic GSSAPI
+   C-bindings document, since they really are more general.
+
+GSS_KRB5_S_G_BAD_SERVICE_NAME
+        /* "No @ in SERVICE-NAME name string" */
+GSS_KRB5_S_G_BAD_STRING_UID
+        /* "STRING-UID-NAME contains nondigits" */
+GSS_KRB5_S_G_NOUSER
+        /* "UID does not resolve to username" */
+GSS_KRB5_S_G_VALIDATE_FAILED
+        /* "Validation error" */
+GSS_KRB5_S_G_BUFFER_ALLOC
+        /* "Couldn't allocate gss_buffer_t data" */
+GSS_KRB5_S_G_BAD_MSG_CTX
+        /* "Message context invalid" */
+GSS_KRB5_S_G_WRONG_SIZE
+        /* "Buffer is the wrong size" */
+GSS_KRB5_S_G_BAD_USAGE
+        /* "Credential usage type is unknown" */
+GSS_KRB5_S_G_UNKNOWN_QOP
+        /* "Unknown quality of protection specified" */
+
+
+6.1.2.  Kerberos-specific-codes
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 21]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+GSS_KRB5_S_KG_CCACHE_NOMATCH
+        /* "Principal in credential cache does not match desired name" */
+GSS_KRB5_S_KG_KEYTAB_NOMATCH
+        /* "No principal in keytab matches desired name" */
+GSS_KRB5_S_KG_TGT_MISSING
+        /* "Credential cache has no TGT" */
+GSS_KRB5_S_KG_NO_SUBKEY
+        /* "Authenticator has no subkey" */
+GSS_KRB5_S_KG_CONTEXT_ESTABLISHED
+        /* "Context is already fully established" */
+GSS_KRB5_S_KG_BAD_SIGN_TYPE
+        /* "Unknown signature type in token" */
+GSS_KRB5_S_KG_BAD_LENGTH
+        /* "Invalid field length in token" */
+GSS_KRB5_S_KG_CTX_INCOMPLETE
+        /* "Attempt to use incomplete security context" */
+
+
+7.  Kerberos Protocol Dependencies
+
+   This protocol makes several assumptions about the Kerberos protocol,
+   which may require changes to the successor of RFC 1510.
+
+   Sequence numbers, checksum types, and address types are assumed to be
+   no wider than 32 bits.  The Kerberos protocol specification might
+   need to be modified to accomodate this.  This obviously requires some
+   further discussion.
+
+   Key usages need to be registered within the Kerberos protocol for use
+   with GSSAPI per-message tokens.  The current specification of the
+   Kerberos protocol does not include descriptions of key derivations or
+   key usages, but planned revisions to the protocol will include them.
+
+   This protocol also makes the assumption that any cryptosystem used
+   with the session key will include integrity protection, i.e., it
+   assumes that no "raw" cryptosystems will be used.
+
+8.  Security Considerations
+
+   The GSSAPI is a security protocol; therefore, security considerations
+   are discussed throughout this document.  The original Kerberos 5
+   GSSAPI mechanism's constraints on possible cryptosystems and checksum
+   types do not permit it to be readily extended to accomodate more
+   secure cryptographic technologies with larger checksums or encryption
+   block sizes.  Sites are strongly encouraged to adopt the mechanism
+   specified in this document in the light of recent publicity about the
+   deficiencies of DES.
+
+9.  References
+
+   [X.680] ISO/IEC, "Information technology -- Abstract Syntax Notation
+   One (ASN.1): Specification of basic notation", ITU-T X.680 (1997) |
+   ISO/IEC 8824-1:1998
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 22]
+
+Internet-Draft             krb5-gss-mech2-03                  March 2000
+
+   [X.690] ISO/IEC, "Information technology -- ASN.1 encoding rules:
+   Specification of Basic Encoding Rules (BER), Canonical Encoding Rules
+   (CER) and Distinguished Encoding Rules (DER)", ITU-T X.690 (1997) |
+   ISO/IEC 8825-1:1998.
+
+   [RFC1510] Kohl, J., Neumann, C., "The Kerberos Network Authentication
+   Service (V5)", RFC 1510.
+
+   [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
+   RFC 1964.
+
+   [RFC2743] Linn, J., "Generic Security Service Application Program
+   Interface, Version 2, Update 1", RFC 2743.
+
+   [RFC2744] Wray, J., "Generic Security Service API Version 2:
+   C-bindings", RFC 2744.
+
+10.  Author's Address
+
+   Tom Yu
+   Massachusetts Institute of Technology
+   Room E40-345
+   77 Massachusetts Avenue
+   Cambridge, MA 02139
+   USA
+
+   email: tlyu@mit.edu
+   phone: +1 617 253 1753
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Yu                  Document Expiration: 04 Sep 2000           [Page 23]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-ftpext-mlst-08.txt b/crypto/heimdal/doc/standardisation/draft-ietf-ftpext-mlst-08.txt
new file mode 100644
index 0000000..885cf49
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-ftpext-mlst-08.txt
@@ -0,0 +1,3415 @@
+FTPEXT Working Group                                              R. Elz
+Internet Draft                                   University of Melbourne
+Expiration Date: April 2000
+                                                              P. Hethmon
+                                                        Hethmon Brothers
+
+                                                            October 1999
+
+
+                           Extensions to FTP
+
+
+                     draft-ietf-ftpext-mlst-08.txt
+
+Status of this Memo
+
+   This document is an Internet-Draft and is NOT offered in accordance
+   with Section 10 of RFC2026, and the author does not provide the IETF
+   with any rights other than to publish as an Internet-Draft.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   To view the list Internet-Draft Shadow Directories, see
+   http://www.ietf.org/shadow.html.
+
+   This entire section has been prepended to this document automatically
+   during formatting without any direct involvement by the author(s) of
+   this draft.
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 1]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+Abstract
+
+   In order to overcome the problems caused by the undefined format of
+   the current FTP LIST command output, a new command is needed to
+   transfer standardized listing information from Server-FTP to User-
+   FTP.  Commands to enable this are defined in this document.
+
+   In order to allow consenting clients and servers to interact more
+   freely, a quite basic, and optional, virtual file store structure is
+   defined.
+
+   This proposal also extends the FTP protocol to allow character sets
+   other than US-ASCII[1] by allowing the transmission of 8-bit
+   characters and the recommended use of UTF-8[2] encoding.
+
+   Much implemented, but long undocumented, mechanisms to permit
+   restarts of interrupted data transfers in STREAM mode, are also
+   included here.
+
+   Lastly, the HOST command has been added to allow a style of "virtual
+   site" to be constructed.
+
+   Changed in this version of this document: Minor corrections as
+   discussed on the mailing list, including fixing many typographical
+   errors; Additional examples.  This paragraph will be deleted from the
+   final version of this document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 2]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+
+
+Table of Contents
+
+          Abstract  ................................................   2
+    1     Introduction  ............................................   4
+    2     Document Conventions  ....................................   4
+    2.1   Basic Tokens  ............................................   5
+    2.2   Pathnames  ...............................................   5
+    2.3   Times  ...................................................   7
+    2.4   Server Replies  ..........................................   8
+    3     File Modification Time (MDTM)  ...........................   8
+    3.1   Syntax  ..................................................   9
+    3.2   Error responses  .........................................   9
+    3.3   FEAT response for MDTM  ..................................   9
+    3.4   MDTM Examples  ...........................................  10
+    4     File SIZE  ...............................................  11
+    4.1   Syntax  ..................................................  11
+    4.2   Error responses  .........................................  11
+    4.3   FEAT response for SIZE  ..................................  12
+    4.4   Size Examples  ...........................................  12
+    5     Restart of Interrupted Transfer (REST)  ..................  13
+    5.1   Restarting in STREAM Mode  ...............................  13
+    5.2   Error Recovery and Restart  ..............................  14
+    5.3   Syntax  ..................................................  14
+    5.4   FEAT response for REST  ..................................  16
+    5.5   REST Example  ............................................  16
+    6     Virtual FTP servers  .....................................  16
+    6.1   The HOST command  ........................................  18
+    6.2   Syntax of the HOST command  ..............................  18
+    6.3   HOST command semantics  ..................................  19
+    6.4   HOST command errors  .....................................  21
+    6.5   FEAT response for HOST command  ..........................  22
+    7     A Trivial Virtual File Store (TVFS)  .....................  23
+    7.1   TVFS File Names  .........................................  23
+    7.2   TVFS Path Names  .........................................  24
+    7.3   FEAT Response for TVFS  ..................................  25
+    7.4   OPTS for TVFS  ...........................................  26
+    7.5   TVFS Examples  ...........................................  26
+    8     Listings for Machine Processing (MLST and MLSD)  .........  28
+    8.1   Format of MLSx Requests  .................................  29
+    8.2   Format of MLSx Response  .................................  29
+    8.3   Filename encoding  .......................................  32
+    8.4   Format of Facts  .........................................  33
+    8.5   Standard Facts  ..........................................  33
+    8.6   System Dependent and Local Facts  ........................  41
+    8.7   MLSx Examples  ...........................................  42
+    8.8   FEAT response for MLSx  ..................................  50
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 3]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+    8.9   OPTS parameters for MLST  ................................  51
+    9     Impact On Other FTP Commands  ............................  55
+   10     Character sets and Internationalization  .................  56
+   11     IANA Considerations  .....................................  56
+   11.1   The OS specific fact registry  ...........................  56
+   11.2   The OS specific filetype registry  .......................  57
+   12     Security Considerations  .................................  57
+   13     References  ..............................................  58
+          Acknowledgments  .........................................  59
+          Copyright  ...............................................  60
+          Editors' Addresses  ......................................  60
+
+
+
+
+1. Introduction
+
+   This document amends the File Transfer Protocol (FTP) [3].  Five new
+   commands are added: "SIZE", "HOST", "MDTM", "MLST", and "MLSD".  The
+   existing command "REST" is modified.  Of those, the "SIZE" and "MDTM"
+   commands, and the modifications to "REST" have been in wide use for
+   many years.  The others are new.
+
+   These commands allow a client to restart an interrupted transfer in
+   transfer modes not previously supported in any documented way, to
+   support the notion of virtual hosts, and to obtain a directory
+   listing in a machine friendly, predictable, format.
+
+   An optional structure for the server's file store (NVFS) is also
+   defined, allowing servers that support such a structure to convey
+   that information to clients in a standard way, thus allowing clients
+   more certainty in constructing and interpreting path names.
+
+2. Document Conventions
+
+   This document makes use of the document conventions defined in BCP14
+   [4].  That provides the interpretation of capitalized imperative
+   words like MUST, SHOULD, etc.
+
+   This document also uses notation defined in STD 9 [3].  In
+   particular, the terms "reply", "user", "NVFS", "file", "pathname",
+   "FTP commands", "DTP", "user-FTP process", "user-PI", "user-DTP",
+   "server-FTP process", "server-PI", "server-DTP", "mode", "type",
+   "NVT", "control connection", "data connection", and "ASCII", are all
+   used here as defined there.
+
+   Syntax required is defined using the Augmented BNF defined in [5].
+   Some general ABNF definitions are required throughout the document,
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 4]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   those will be defined later in this section.  At first reading, it
+   may be wise to simply recall that these definitions exist here, and
+   skip to the next section.
+
+2.1. Basic Tokens
+
+   This document imports the core definitions given in Appendix A of
+   [5].  There definitions will be found for basic ABNF elements like
+   ALPHA, DIGIT, SP, etc.  To that, the following terms are added for
+   use in this document.
+
+        TCHAR          = VCHAR / SP / HTAB    ; visible plus white space
+        RCHAR          = ALPHA / DIGIT / "," / "." / ":" / "!" /
+                         "@" / "#" / "$" / "%" / "^" /
+                         "&" / "(" / ")" / "-" / "_" /
+                         "+" / "?" / "/" / "\" / "'" /
+                         DQUOTE   ; <"> -- double quote character (%x22)
+
+   The VCHAR (from [5]), TCHAR, and RCHAR types give basic character
+   types from varying sub-sets of the ASCII character set for use in
+   various commands and responses.
+
+        token          = 1*RCHAR
+
+   A "token" is a string whose precise meaning depends upon the context
+   in which it is used.  In some cases it will be a value from a set of
+   possible values maintained elsewhere.  In others it might be a string
+   invented by one party to an FTP conversation from whatever sources it
+   finds relevant.
+
+   Note that in ABNF, string literals are case insensitive.  That
+   convention is preserved in this document, and implies that FTP
+   commands added by this specification have names that can be
+   represented in any case.  That is, "MDTM" is the same as "mdtm",
+   "Mdtm" and "MdTm" etc.  However note that ALPHA, in particular, is
+   case sensitive.  That implies that a "token" is a case sensitive
+   value.  That implication is correct.
+
+2.2. Pathnames
+
+   Various FTP commands take pathnames as arguments, or return pathnames
+   in responses.  When the MLST command is supported, as indicated in
+   the response to the FEAT command [6], pathnames are to be transferred
+   in one of the following two formats.
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 5]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        pathname       = utf-8-name / raw
+        utf-8-name     = <a UTF-8 encoded Unicode string>
+        raw            = <any string not being a valid UTF-8 encoding>
+
+   Which format is used is at the option of the user-PI or server-PI
+   sending the pathname.  UTF-8 encodings [2] contain enough internal
+   structure that it is always, in practice, possible to determine
+   whether a UTF-8 or raw encoding has been used, in those cases where
+   it matters.  While it is useful for the user-PI to be able to
+   correctly display a pathname received from the server-PI to the user,
+   it is far more important for the user-PI to be able to retain and
+   retransmit the identical pathname when required.  Implementations are
+   advised against converting a UTF-8 pathname to a local encoding, and
+   then attempting to invert the encoding later.  Note that ASCII is a
+   subset of UTF-8.
+
+   Unless otherwise specified, the pathname is terminated by the CRLF
+   that terminates the FTP command, or by the CRLF that ends a reply.
+   Any trailing spaces preceding that CRLF form part of the name.
+   Exactly one space will precede the pathname and serve as a separator
+   from the preceding syntax element.  Any additional spaces form part
+   of the pathname.  See [7] for a fuller explanation of the character
+   encoding issues.  All implementations supporting MLST MUST support
+   [7].
+
+   Implementations should also beware that the control connection uses
+   Telnet NVT conventions [8], and that the Telnet IAC character, if
+   part of a pathname sent over the control connection, MUST be
+   correctly escaped as defined by the Telnet protocol.
+
+   Implementors should also be aware that although Telnet NVT
+   conventions are used over the control connections, Telnet option
+   negotiation MUST NOT be attempted.  See section 4.1.2.12 of [9].
+
+2.2.1. Pathname Syntax
+
+   Except where TVFS is supported (see section 7) this specification
+   imposes no syntax upon pathnames.  Nor does it restrict the character
+   set from which pathnames are created.  This does not imply that the
+   NVFS is required to make sense of all possible pathnames.  Server-PIs
+   may restrict the syntax of valid pathnames in their NVFS in any
+   manner appropriate to their implementation or underlying file system.
+   Similarly, a server-PI may parse the pathname, and assign meaning to
+   the components detected.
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 6]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+2.2.2. Wildcarding
+
+   For the commands defined in this specification, all pathnames are to
+   be treated literally.  That is, for a pathname given as a parameter
+   to a command, the file whose name is identical to the pathname given
+   is implied.  No characters from the pathname may be treated as
+   special or "magic", thus no pattern matching (other than for exact
+   equality) between the pathname given and the files present in the
+   NVFS of the Server-FTP is permitted.
+
+   Clients that desire some form of pattern matching functionality must
+   obtain a listing of the relevant directory, or directories, and
+   implement their own filename selection procedures.
+
+2.3. Times
+
+   The syntax of a time value is:
+
+        time-val       = 14DIGIT [ "." 1*DIGIT ]
+
+   The leading, mandatory, fourteen digits are to be interpreted as, in
+   order from the leftmost, four digits giving the year, with a range of
+   1000-9999, two digits giving the month of the year, with a range of
+   01-12, two digits giving the day of the month, with a range of 01-31,
+   two digits giving the hour of the day, with a range of 00-23, two
+   digits giving minutes past the hour, with a range of 00-59, and
+   finally, two digits giving seconds past the minute, with a range of
+   00-60 (with 60 being used only at a leap second).  Years in the tenth
+   century, and earlier, cannot be expressed.  This is not considered a
+   serious defect of the protocol.
+
+   The optional digits, which are preceded by a period, give decimal
+   fractions of a second.  These may be given to whatever precision is
+   appropriate to the circumstance, however implementations MUST NOT add
+   precision to time-vals where that precision does not exist in the
+   underlying value being transmitted.
+
+   Symbolically, a time-val may be viewed as
+
+        YYYYMMDDHHMMSS.sss
+
+   The "." and subsequent digits ("sss") are optional.  However the "."
+   MUST NOT appear unless at least one following digit also appears.
+
+   Time values are always represented in UTC (GMT), and in the Gregorian
+   calendar regardless of what calendar may have been in use at the date
+   and time indicated at the location of the server-PI.
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 7]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The technical differences between GMT, TAI, UTC, UT1, UT2, etc, are
+   not considered here.  A server-FTP process should always use the same
+   time reference, so the times it returns will be consistent.  Clients
+   are not expected to be time synchronized with the server, so the
+   possible difference in times that might be reported by the different
+   time standards is not considered important.
+
+2.4. Server Replies
+
+   Section 4.2 of [3] defines the format and meaning of replies by the
+   server-PI to FTP commands from the user-PI.  Those reply conventions
+   are used here without change.
+
+        error-response = error-code SP *TCHAR CRLF
+        error-code     = ("4" / "5") 2DIGIT
+
+   Implementors should note that the ABNF syntax (which was not used in
+   [3]) used in this document, and other FTP related documents,
+   sometimes shows replies using the one line format.  Unless otherwise
+   explicitly stated, that is not intended to imply that multi-line
+   responses are not permitted.  Implementors should assume that, unless
+   stated to the contrary, any reply to any FTP command (including QUIT)
+   may be of the multi-line format described in [3].
+
+   Throughout this document, replies will be identified by the three
+   digit code that is their first element.  Thus the term "500 reply"
+   means a reply from the server-PI using the three digit code "500".
+
+3. File Modification Time (MDTM)
+
+   The FTP command, MODIFICATION TIME (MDTM), can be used to determine
+   when a file in the server NVFS was last modified.  This command has
+   existed in many FTP servers for many years, as an adjunct to the REST
+   command for STREAM mode, thus is widely available.  However, where
+   supported, the "modify" fact which can be provided in the result from
+   the new MLST command is recommended as a superior alternative.
+
+   When attempting to restart a RETRieve, if the User-FTP makes use of
+   the MDTM command, or "modify" fact, it can check and see if the
+   modification time of the source file is more recent than the
+   modification time of the partially transferred file.  If it is, then
+   most likely the source file has changed and it would be unsafe to
+   restart the previously incomplete file transfer.
+
+   When attempting to restart a STORe, the User FTP can use the MDTM
+   command to discover the modification time of the partially
+   transferred file.  If it is older than the modification time of the
+   file that is about to be STORed, then most likely the source file has
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 8]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   changed and it would be unsafe to restart the file transfer.
+
+   Note that using MLST (described below) where available, can provide
+   this information, and much more, thus giving an even better
+   indication that a file has changed, and that restarting a transfer
+   would not give valid results.
+
+   Note that this is applicable to any RESTart attempt, regardless of
+   the mode of the file transfer.
+
+3.1. Syntax
+
+   The syntax for the MDTM command is:
+
+        mdtm          = "MdTm" SP pathname CRLF
+
+   As with all FTP commands, the "MDTM" command label is interpreted in
+   a case insensitive manner.
+
+   The "pathname" specifies an object in the NVFS which may be the
+   object of a RETR command.  Attempts to query the modification time of
+   files that are unable to be retrieved generate undefined responses.
+
+   The server-PI will respond to the MDTM command with a 213 reply
+   giving the last modification time of the file whose pathname was
+   supplied, or a 550 reply if the file does not exist, the modification
+   time is unavailable, or some other error has occurred.
+
+        mdtm-response = "213" SP time-val CRLF /
+                        error-response
+
+3.2. Error responses
+
+   Where the command is correctly parsed, but the modification time is
+   not available, either because the pathname identifies no existing
+   entity, or because the information is not available for the entity
+   named, then a 550 reply should be sent.  Where the command cannot be
+   correctly parsed, a 500 or 501 reply should be sent, as specified in
+   [3].
+
+3.3. FEAT response for MDTM
+
+   When replying to the FEAT command [6], an FTP server process that
+   supports the MDTM command MUST include a line containing the single
+   word "MDTM".  This MAY be sent in upper or lower case, or a mixture
+   of both (it is case insensitive) but SHOULD be transmitted in upper
+   case only.  That is, the response SHOULD be
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                  [Page 9]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        C> Feat
+        S> 211- <any descriptive text>
+        S>  ...
+        S>  MDTM
+        S>  ...
+        S> 211 End
+
+   The ellipses indicate place holders where other features may be
+   included, and are not required.  The one space indentation of the
+   feature lines is mandatory [6].
+
+3.4. MDTM Examples
+
+   If we assume the existence of three files, A B and C, and a directory
+   D, and no other files at all, then the MTDM command may behave as
+   indicated.  The "C>" lines are commands from user-PI to server-PI,
+   the "S>" lines are server-PI replies.
+
+        C> MDTM A
+        S> 213 19980615100045.014
+        C> MDTM B
+        S> 213 19980615100045.014
+        C> MDTM C
+        S> 213 19980705132316
+        C> MDTM D
+        S> 550 D is not retrievable
+        C> MDTM E
+        S> 550 No file named "E"
+        C> mdtm file6
+        S> 213 19990929003355
+        C> MdTm 19990929043300 File6
+        S> 213 19991005213102
+        C> MdTm 19990929043300 file6
+        S> 550 19990929043300 file6: No such file or directory.
+
+   From that we can conclude that both A and B were last modified at the
+   same time (to the nearest millisecond), and that C was modified 21
+   days and several hours later.
+
+   The times are in GMT, so file A was modified on the 15th of June,
+   1998, at approximately 11am in London (summer time was then in
+   effect), or perhaps at 8pm in Melbourne, Australia, or at 6am in New
+   York.  All of those represent the same absolute time of course.  The
+   location where the file was modified, and consequently the local wall
+   clock time at that location, is not available.
+
+   There is no file named "E" in the current directory, but there are
+   files named both "file6" and "19990929043300 File6".  The
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 10]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   modification times of those files were obtained.  There is no file
+   named "19990929043300 file6".
+
+4. File SIZE
+
+   The FTP command, SIZE OF FILE (SIZE), is used to obtain the transfer
+   size of a file from the server-FTP process.  That is, the exact
+   number of octets (8 bit bytes) which would be transmitted over the
+   data connection should that file be transmitted.  This value will
+   change depending on the current STRUcture, MODE and TYPE of the data
+   connection, or a data connection which would be created were one
+   created now.  Thus, the result of the SIZE command is dependent on
+   the currently established STRU, MODE and TYPE parameters.
+
+   The SIZE command returns how many octets would be transferred if the
+   file were to be transferred using the current transfer structure,
+   mode and type.  This command is normally used in conjunction with the
+   RESTART (REST) command.  The server-PI might need to read the
+   partially transferred file, do any appropriate conversion, and count
+   the number of octets that would be generated when sending the file in
+   order to correctly respond to this command.  Estimates of the file
+   transfer size MUST NOT be returned, only precise information is
+   acceptable.
+
+4.1. Syntax
+
+   The syntax of the SIZE command is:
+
+        size          = "Size" SP pathname CRLF
+
+   The server-PI will respond to the SIZE command with a 213 reply
+   giving the transfer size of the file whose pathname was supplied, or
+   an error response if the file does not exist, the size is
+   unavailable, or some other error has occurred.  The value returned is
+   in a format suitable for use with the RESTART (REST) command for mode
+   STREAM, provided the transfer mode and type are not altered.
+
+        size-response = "213" SP 1*DIGIT CRLF /
+                        error-response
+
+4.2. Error responses
+
+   Where the command is correctly parsed, but the size is not available,
+   either because the pathname identifies no existing entity, or because
+   the entity named cannot be transferred in the current MODE and TYPE
+   (or at all), then a 550 reply should be sent.  Where the command
+   cannot be correctly parsed, a 500 or 501 reply should be sent, as
+   specified in [3].
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 11]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+4.3. FEAT response for SIZE
+
+   When replying to the FEAT command [6], an FTP server process that
+   supports the SIZE command MUST include a line containing the single
+   word "SIZE".  This word is case insensitive, and MAY be sent in any
+   mixture of upper or lower case, however it SHOULD be sent in upper
+   case.  That is, the response SHOULD be
+
+        C> FEAT
+        S> 211- <any descriptive text>
+        S>  ...
+        S>  SIZE
+        S>  ...
+        S> 211 END
+
+   The ellipses indicate place holders where other features may be
+   included, and are not required.  The one space indentation of the
+   feature lines is mandatory [6].
+
+4.4. Size Examples
+
+   Consider a text file "Example" stored on a Unix(TM) server where each
+   end of line is represented by a single octet.  Assume the file
+   contains 112 lines, and 1830 octets total.  Then the SIZE command
+   would produce:
+
+        C> TYPE I
+        S> 200 Type set to I.
+        C> size Example
+        S> 213 1830
+        C> TYPE A
+        S> 200 Type set to A.
+        C> Size Example
+        S> 213 1942
+
+   Notice that with TYPE=A the SIZE command reports an extra 112 octets.
+   Those are the extra octets that need to be inserted, one at the end
+   of each line, to provide correct end of line semantics for a transfer
+   using TYPE=A.  Other systems might need to make other changes to the
+   transfer format of files when converting between TYPEs and MODEs.
+   The SIZE command takes all of that into account.
+
+   Since calculating the size of a file with this degree of precision
+   may take considerable effort on the part of the server-PI, user-PIs
+   should not used this command unless this precision is essential (such
+   as when about to restart an interrupted transfer).  For other uses,
+   the "Size" fact of the MLST command (see section 8.5.7) ought be
+   requested.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 12]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+5. Restart of Interrupted Transfer (REST)
+
+   To avoid having to resend the entire file if the file is only
+   partially transferred, both sides need some way to be able to agree
+   on where in the data stream to restart the data transfer.
+
+   The FTP specification [3] includes three modes of data transfer,
+   Stream, Block and Compressed.  In Block and Compressed modes, the
+   data stream that is transferred over the data connection is
+   formatted, allowing the embedding of restart markers into the stream.
+   The sending DTP can include a restart marker with whatever
+   information it needs to be able to restart a file transfer at that
+   point.  The receiving DTP can keep a list of these restart markers,
+   and correlate them with how the file is being saved.  To restart the
+   file transfer, the receiver just sends back that last restart marker,
+   and both sides know how to resume the data transfer.  Note that there
+   are some flaws in the description of the restart mechanism in RFC 959
+   [3].  See section 4.1.3.4 of RFC 1123 [9] for the corrections.
+
+5.1. Restarting in STREAM Mode
+
+   In Stream mode, the data connection contains just a stream of
+   unformatted octets of data.  Explicit restart markers thus cannot be
+   inserted into the data stream, they would be indistinguishable from
+   data.  For this reason, the FTP specification [3] did not provide the
+   ability to do restarts in stream mode.  However, there is not really
+   a need to have explicit restart markers in this case, as restart
+   markers can be implied by the octet offset into the data stream.
+
+   Because the data stream defines the file in STREAM mode, a different
+   data stream would represent a different file.  Thus, an offset will
+   always represent the same position within a file.  On the other hand,
+   in other modes than STREAM, the same file can be transferred using
+   quite different octet sequences, and yet be reconstructed into the
+   one identical file.  Thus an offset into the data stream in transfer
+   modes other than STREAM would not give an unambiguous restart point.
+
+   If the data representation TYPE is IMAGE, and the STRUcture is File,
+   for many systems the file will be stored exactly in the same format
+   as it is sent across the data connection.  It is then usually very
+   easy for the receiver to determine how much data was previously
+   received, and notify the sender of the offset where the transfer
+   should be restarted.  In other representation types and structures
+   more effort will be required, but it remains always possible to
+   determine the offset with finite, but perhaps non-negligible, effort.
+   In the worst case an FTP process may need to open a data connection
+   to itself, set the appropriate transfer type and structure, and
+   actually transmit the file, counting the transmitted octets.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 13]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   If the user-FTP process is intending to restart a retrieve, it will
+   directly calculate the restart marker, and send that information in
+   the RESTart command.  However, if the user-FTP process is intending
+   to restart sending the file, it needs to be able to determine how
+   much data was previously sent, and correctly received and saved.  A
+   new FTP command is needed to get this information.  This is the
+   purpose of the SIZE command, as documented in section 4.
+
+5.2. Error Recovery and Restart
+
+   STREAM MODE transfers with FILE STRUcture may be restarted even
+   though no restart marker has been transferred in addition to the data
+   itself.  This is done by using the SIZE command, if needed, in
+   combination with the RESTART (REST) command, and one of the standard
+   file transfer commands.
+
+   When using TYPE ASCII or IMAGE, the SIZE command will return the
+   number of octets that would actually be transferred if the file were
+   to be sent between the two systems.  I.e. with type IMAGE, the SIZE
+   normally would be the number of octets in the file.  With type ASCII,
+   the SIZE would be the number of octets in the file including any
+   modifications required to satisfy the TYPE ASCII CR-LF end of line
+   convention.
+
+5.3. Syntax
+
+   The syntax for the REST command when the current transfer mode is
+   STREAM is:
+
+        rest          = "Rest" SP 1*DIGIT CRLF
+
+   The numeric value gives the number of octets of the immediately
+   following transfer to not actually send, effectively causing the
+   transmission to be restarted at a later point.  A value of zero
+   effectively disables restart, causing the entire file to be
+   transmitted.  The server-PI will respond to the REST command with a
+   350 reply, indicating that the REST parameter has been saved, and
+   that another command, which should be either RETR or STOR, should
+   then follow to complete the restart.
+
+        rest-response = "350" SP *TCHAR CRLF /
+                        error-response
+
+   Server-FTP processes may permit transfer commands other than RETR and
+   STOR, such as APPE and STOU, to complete a restart, however, this is
+   not recommended.  STOU (store unique) is undefined in this usage, as
+   storing the remainder of a file into a unique filename is rarely
+   going to be useful.  If APPE (append) is permitted, it MUST act
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 14]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   identically to STOR when a restart marker has been set.  That is, in
+   both cases, octets from the data connection are placed into the file
+   at the location indicated by the restart marker value.
+
+   The REST command is intended to complete a failed transfer.  Use with
+   RETR is comparatively well defined in all cases, as the client bears
+   the responsibility of merging the retrieved data with the partially
+   retrieved file.  If it chooses to use the data obtained other than to
+   complete an earlier transfer, or if it chooses to re-retrieve data
+   that had been retrieved before, that is its choice.  With STOR,
+   however, the server must insert the data into the file named.  The
+   results are undefined if a client uses REST to do other than restart
+   to complete a transfer of a file which had previously failed to
+   completely transfer.  In particular, if the restart marker set with a
+   REST command is not at the end of the data currently stored at the
+   server, as reported by the server, or if insufficient data are
+   provided in a STOR that follows a REST to extend the destination file
+   to at least its previous size, then the effects are undefined.
+
+   The REST command must be the last command issued before the data
+   transfer command which is to cause a restarted rather than complete
+   file transfer.  The effect of issuing a REST command at any other
+   time is undefined.  The server-PI may react to a badly positioned
+   REST command by issuing an error response to the following command,
+   not being a restartable data transfer command, or it may save the
+   restart value and apply it to the next data transfer command, or it
+   may silently ignore the inappropriate restart attempt.  Because of
+   this, a user-PI that has issued a REST command, but which has not
+   successfully transmitted the following data transfer command for any
+   reason, should send another REST command before the next data
+   transfer command.  If that transfer is not to be restarted, then
+   "REST 0" should be issued.
+
+   An error-response will follow a REST command only when the server
+   does not implement the command, or the restart marker value is
+   syntactically invalid for the current transfer mode.  That is, in
+   STREAM mode, if something other than one or more digits appears in
+   the parameter to the REST command.  Any other errors, including such
+   problems as restart marker out of range, should be reported when the
+   following transfer command is issued.  Such errors will cause that
+   transfer request to be rejected with an error indicating the invalid
+   restart attempt.
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 15]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+5.4. FEAT response for REST
+
+   Where a server-FTP process supports RESTart in STREAM mode, as
+   specified here, it MUST include in the response to the FEAT command
+   [6], a line containing exactly the string "REST STREAM".  This string
+   is not case sensitive, but SHOULD be transmitted in upper case.
+   Where REST is not supported at all, or supported only in block or
+   compressed modes, the REST line MUST NOT be included in the FEAT
+   response.  Where required, the response SHOULD be
+
+        C> feat
+        S> 211- <any descriptive text>
+        S>  ...
+        S>  REST STREAM
+        S>  ...
+        S> 211 end
+
+   The ellipses indicate place holders where other features may be
+   included, and are not required.  The one space indentation of the
+   feature lines is mandatory [6].
+
+5.5. REST Example
+
+   Assume that the transfer of a largish file has previously been
+   interrupted after 802816 octets had been received, that the previous
+   transfer was with TYPE=I, and that it has been verified that the file
+   on the server has not since changed.
+
+        C> TYPE I
+        S> 200 Type set to I.
+        C> PORT 127,0,0,1,15,107
+        S> 200 PORT command successful.
+        C> REST 802816
+        S> 350 Restarting at 802816. Send STORE or RETRIEVE
+        C> RETR cap60.pl198.tar
+        S> 150 Opening BINARY mode data connection
+        [...]
+        S> 226 Transfer complete.
+
+6. Virtual FTP servers
+
+   It has become common in the Internet for many domain names to be
+   allocated to a single IP address.  This has introduced the concept of
+   a "virtual host", where a host appears to exist as an independent
+   entity, but in reality shares all of its resources with one, or more,
+   other such hosts.
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 16]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   Such an arrangement presents some problems for FTP Servers, as all
+   the FTP Server can detect is an incoming FTP connection to a
+   particular IP address.  That is, all domain names which share the IP
+   address also share the FTP server, and more importantly, its NVFS.
+   This means that the various virtual hosts cannot offer different
+   virtual file systems to clients, nor can they offer different
+   authentication systems.
+
+   No scheme can overcome this without modifications of some kind to the
+   user-PI and the user-FTP process.  That process is the only entity
+   that knows which virtual host is required.  It has performed the
+   domain name to IP address translation, and thus has the original
+   domain name available.
+
+   One method which could be used to allow a style of virtual host would
+   be for the client to simply send a "CWD" command after connecting,
+   using the virtual host name as the argument to the CWD command.  This
+   would allow the server-FTP process to implement the file stores of
+   the virtual hosts as sub-directories in its NVFS.  This is simple,
+   and supported by essentially all server-FTP implementations without
+   requiring any code changes.
+
+   While that method is simple to describe, and to implement, it suffers
+   from several drawbacks.  First, the "CWD" command is available only
+   after the user-PI has authenticated itself to the server-FTP process.
+   Thus, all virtual hosts would be required to share a common
+   authentication scheme.  Second, either the server-FTP process needs
+   to be modified to understand the special nature of this first CWD
+   command, negating most of the advantage of this scheme, or all users
+   must see the same identical NVFS view upon connecting (they must
+   connect in the same initial directory) or the NVFS must implement the
+   full set of virtual host directories at each possible initial
+   directory for any possible user, or the virtual host will not be
+   truly transparent.  Third, and again unless the server is specially
+   modified, a user connecting this way to a virtual host would be able
+   to trivially move to any other virtual host supported at the same
+   server-FTP process, exposing the nature of the virtual host.
+
+   Other schemes overloading other existing FTP commands have also been
+   proposed.  None of those have sufficient merit to be worth
+   discussion.
+
+   The conclusion from the examination of the possibilities seems to be
+   that to obtain an adequate emulation of "real" FTP servers, server
+   modifications to support virtual hosts are required.  A new command
+   seems most likely to provide the support required.
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 17]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+6.1. The HOST command
+
+   A new command "HOST" is added to the FTP command set to allow
+   server-FTP process to determine to which of possibly many virtual
+   hosts the client wishes to connect.  This command is intended to be
+   issued before the user is authenticated, allowing the authentication
+   scheme, and set of legal users, to be dependent upon the virtual host
+   chosen.  Server-FTP processes may, if they desire, permit the HOST
+   command to be issued after the user has been authenticated, or may
+   treat that as an erroneous sequence of commands.  The behavior of the
+   server-FTP process which does allow late HOST commands is undefined.
+   One reasonable interpretation would be for the user-PI to be returned
+   to the state that existed after the TCP connection was first
+   established, before user authentication.
+
+   Servers should note that the response to the HOST command is a
+   sensible time to send their "welcome" message.  This allows the
+   message to be personalized for any virtual hosts that are supported,
+   and also allows the client to have determined supported languages, or
+   representations, for the message, and other messages, via the FEAT
+   response, and selected an appropriate one via the LANG command.  See
+   [7] for more information.
+
+6.2. Syntax of the HOST command
+
+   The HOST command is defined as follows.
+
+        host-command     = "Host" SP hostname CRLF
+        hostname         = 1*DNCHAR 1*( "." 1*DNCHAR ) [ "." ]
+        DNCHAR           = ALPHA / DIGIT / "-" / "_" / "$" /
+                           "!" / "%" / "[" / "]" / ":"
+        host-response    = host-ok / error-response
+        host-ok          = "220" [ SP *TCHAR ] CRLF
+
+   As with all FTP commands, the "host" command word is case
+   independent, and may be specified in any character case desired.
+
+   The "hostname" given as a parameter specifies the virtual host to
+   which access is desired.  It should normally be the same name that
+   was used to obtain the IP address to which the FTP control connection
+   was made, after any client conversions to convert an abbreviated or
+   local alias to a complete (fully qualified) domain name, but before
+   resolving a DNS alias (owner of a CNAME resource record) to its
+   canonical name.
+
+   If the client was given a network literal address, and consequently
+   was not required to derive it from a hostname, it should send the
+   HOST command with the network address, as specified to it, enclosed
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 18]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   in brackets (after eliminating any syntax, which might also be
+   brackets, but is not required to be, from which the server deduced
+   that a literal address had been specified.) That is, for example
+
+                         HOST [10.1.2.3]
+
+   should be sent if the client had been instructed to connect to
+   "10.1.2.3", or "[10.1.2.3]", or perhaps even IPv4:10.1.2.3.  The
+   method of indicating to a client that a literal address is to be used
+   is beyond the scope of this specification.
+
+   The parameter is otherwise to be treated as a "complete domain name",
+   as that term is defined in section 3.1 of RFC 1034 [10].  That
+   implies that the name is to be treated as a case independent string,
+   in that upper case ASCII characters are to be treated as equivalent
+   to the corresponding lower case ASCII characters, but otherwise
+   preserved as given.  It also implies some limits on the length of the
+   parameter and of the components that create its internal structure.
+   Those limits are not altered in any way here.
+
+   RFC 1034 imposes no other restrictions upon what kinds of names can
+   be stored in the DNS.  Nor does RFC 1035.  This specification,
+   however, allows only a restricted set of names for the purposes of
+   the HOST command.  Those restrictions can be inferred from the ABNF
+   grammar given for the "hostname".
+
+6.3. HOST command semantics
+
+   Upon receiving the HOST command, before authenticating the user-PI, a
+   server-FTP process should validate that the hostname given represents
+   a valid virtual host for that server, and if so, establish the
+   appropriate environment for that virtual host.  The meaning of that
+   is not specified here, and may range from doing nothing at all, or
+   performing a simple change of working directory, to much more
+   elaborate state changes, as required.
+
+   If the hostname specified is unknown at the server, or if the server
+   is otherwise unwilling to treat the particular connection as a
+   connection to the hostname specified, the server will respond with a
+   504 reply.
+
+   Note: servers may require that the name specified is in some sense
+   equivalent to the particular network address that was used to reach
+   the server.
+
+   If the hostname specified would normally be acceptable, but for any
+   reason is temporarily unavailable, the server SHOULD reply to the
+   HOST command with a 434 reply.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 19]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The "220" reply code for the HOST command is the same as the code
+   used on the initial connection established "welcome" message.  This
+   is done deliberately so as to allow the implementation to implement
+   the front end FTP server as a wrapper which simply waits for the HOST
+   command, and then invokes an older, RFC959 compliant, server in the
+   appropriate environment for the particular hostname received.
+
+6.3.1. The REIN command
+
+   As specified in [3], the REIN command returns the state of the
+   connection to that it was immediately after the transport connection
+   was opened.  That is not changed here.  The effect of a HOST command
+   will be lost if a REIN command is performed, a new HOST command must
+   be issued.
+
+   Implementors of user-FTP should be aware that server-FTP
+   implementations which implement the HOST command as a wrapper around
+   older implementations will be unable to correctly implement the REIN
+   command.  In such an implementation, REIN will typically return the
+   server-FTP to the state that existed immediately after the HOST
+   command was issued, instead of to the state immediately after the
+   connection was opened.
+
+6.3.2. User-PI usage of HOST
+
+   A user-PI that conforms to this specification, MUST send the HOST
+   command after opening the transport connection, or after any REIN
+   command, before attempting to authenticate the user with the USER
+   command.
+
+   The following state diagram shows a typical sequence of flow of
+   control, where the "B" (begin) state is assumed to occur after the
+   transport connection has opened, or a REIN command has succeeded.
+   Other commands (such as FEAT [6]) which require no authentication may
+   have intervened.  This diagram is modeled upon (and largely borrowed
+   from) the similar diagram in section 6 of [3].
+
+   In this diagram, a three digit reply indicates that precise server
+   reply code, a single digit on a reply path indicates any server reply
+   beginning with that digit, other than any three digit replies that
+   might take another path.
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 20]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+
+              +---+   HOST    +---+ 1,3,5
+              | B |---------->| W |-----------------
+              +---+           +---+                 |
+                               | |                  |
+                     2,500,502 | | 4,501,503,504    |
+                 --------------   -------------     |
+                |                              |    |
+                V                   1          |    V
+              +---+   USER    +---+-------------->+---+
+              |   |---------->| W | 2       ----->| E |
+              +---+           +---+------  |  --->+---+
+                               | |       | | | |
+                             3 | | 4,5   | | | |
+                 --------------   -----  | | | |
+                |                      | | | | |
+                |                      | | | | |
+                |                 ---------  | |
+                |               1|     | |   | |
+                V                |     | |   | |
+              +---+   PASS    +---+ 2  |  ------->+---+
+              |   |---------->| W |-------------->| S |
+              +---+           +---+   ----------->+---+
+                               | |   | |     | |
+                             3 | |4,5| |     | |
+                 --------------   --------   | |
+                |                    | |  |  |  ----
+                |                    | |  |  |      |
+                |                 -----------       |
+                |             1,3|   | |  |         |
+                V                |  2| |  |         V
+              +---+   ACCT    +---+--  |   ------>+---+
+              |   |---------->| W | 4,5 --------->| F |
+              +---+           +---+-------------->+---+
+
+6.4. HOST command errors
+
+   The server-PI shall reply with a 500 or 502 reply if the HOST command
+   is unrecognized or unimplemented.  A 503 reply may be sent if the
+   HOST command is given after a previous HOST command, or after a user
+   has been authenticated.  Alternately, the server may accept the
+   command at such a time, with server defined behavior.  A 501 reply
+   should be sent if the hostname given is syntactically invalid, and a
+   504 reply if a syntactically valid hostname is not a valid virtual
+   host name for the server.
+
+   In all such cases the server-FTP process should act as if no HOST
+   command had been given.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 21]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   A user-PI receiving a 500 or 502 reply should assume that the
+   server-PI does not implement the HOST command style virtual server.
+   It may then proceed to login as if the HOST command had succeeded,
+   and perhaps, attempt a CWD command to the hostname after
+   authenticating the user.
+
+   A user-PI receiving some other error reply should assume that the
+   virtual HOST is unavailable, and terminate communications.
+
+   A server-PI that receives a USER command, beginning the
+   authentication sequence, without having received a HOST command
+   SHOULD NOT reject the USER command.  Clients conforming to earlier
+   FTP specifications do not send HOST commands.  In this case the
+   server may act as if some default virtual host had been explicitly
+   selected, or may enter an environment different from that of all
+   supported virtual hosts, perhaps one in which a union of all
+   available accounts exists, and which presents a NVFS which appears to
+   contain sub-directories containing the NVFS for all virtual hosts
+   supported.
+
+6.5. FEAT response for HOST command
+
+   A server-FTP process that supports the host command, and virtual FTP
+   servers, MUST include in the response to the FEAT command [6], a
+   feature line indicating that the HOST command is supported.  This
+   line should contain the single word "HOST".  This MAY be sent in
+   upper or lower case, or a mixture of both (it is case insensitive)
+   but SHOULD be transmitted in upper case only.  That is, the response
+   SHOULD be
+
+        C> Feat
+        S> 211- <any descriptive text>
+        S>  ...
+        S>  HOST
+        S>  ...
+        S> 211 End
+
+   The ellipses indicate place holders where other features may be
+   included, and are not required.  The one space indentation of the
+   feature lines is mandatory [6].
+
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 22]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+7. A Trivial Virtual File Store (TVFS)
+
+   Traditionally, FTP has placed almost no constraints upon the file
+   store (NVFS) provided by a server.  This specification does not alter
+   that.  However, it has become common for servers to attempt to
+   provide at least file system naming conventions modeled loosely upon
+   those of the UNIX(TM) file system.  That is, a tree structured file
+   system, built of directories, each of which can contain other
+   directories, or other kinds of files, or both.  Each file and
+   directory has a file name relative to the directory that contains it,
+   except for the directory at the root of the tree, which is contained
+   in no other directory, and hence has no name of its own.
+
+   That which has so far been described is perfectly consistent with the
+   standard FTP NVFS and access mechanisms.  The "CWD" command is used
+   to move from one directory to an embedded directory.  "CDUP" may be
+   provided to return to the parent directory, and the various file
+   manipulation commands ("RETR", "STOR", the rename commands, etc) are
+   used to manipulate files within the current directory.
+
+   However, it is often useful to be able to reference files other than
+   by changing directories, especially as FTP provides no guaranteed
+   mechanism to return to a previous directory.  The Trivial Virtual
+   File Store (TVFS), if implemented, provides that mechanism.
+
+7.1. TVFS File Names
+
+   Where a server implements the TVFS, no elementary filename shall
+   contain the character "/".  Where the underlying natural file store
+   permits files, or directories, to contain the "/" character in their
+   names, a server-PI implementing TVFS must encode that character in
+   some manner whenever file or directory names are being returned to
+   the user-PI, and reverse that encoding whenever such names are being
+   accepted from the user-PI.
+
+   The encoding method to be used is not specified here.  Where some
+   other character is illegal in file and directory names in the
+   underlying file store, a simple transliteration may be sufficient.
+   Where there is no suitable substitute character a more complex
+   encoding scheme, possibly using an escape character, is likely to be
+   required.
+
+   With the one exception of the unnamed root directory, a TVFS file
+   name may not be empty.  That is, all other file names contain at
+   least one character.
+
+   With the sole exception of the "/" character, any valid IS10646
+   character [11] may be used in a TVFS filename.  When transmitted,
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 23]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   file name characters are encoded using the UTF-8 encoding [2].
+
+7.2. TVFS Path Names
+
+   A TVFS "Path Name" combines the file or directory name of a target
+   file or directory, with the directory names of zero or more enclosing
+   directories, so as to allow the target file or directory to be
+   referenced other than when the server's "current working directory"
+   is the directory directly containing the target file or directory.
+
+   By definition, every TVFS file or directory name is also a TVFS path
+   name.  Such a path name is valid to reference the file from the
+   directory containing the name, that is, when that directory is the
+   server-FTP's current working directory.
+
+   Other TVFS path names are constructed by prefixing a path name by a
+   name of a directory from which the path is valid, and separating the
+   two with the "/" character.  Such a path name is valid to reference
+   the file or directory from the directory containing the newly added
+   directory name.
+
+   Where a path name has been extended to the point where the directory
+   added is the unnamed root directory, the path name will begin with
+   the "/" character.  Such a path is known as a fully qualified path
+   name.  Fully qualified paths may, obviously, not be further extended,
+   as, by definition, no directory contains the root directory.  Being
+   unnamed, it cannot be represented in any other directory.  A fully
+   qualified path name is valid to reference the named file or directory
+   from any location (that is, regardless of what the current working
+   directory may be) in the virtual file store.
+
+   Any path name which is not a fully qualified path name may be
+   referred to as a "relative path name" and will only correctly
+   reference the intended file when the current working directory of the
+   server-FTP is a directory from which the relative path name is valid.
+
+   As a special case, the path name "/" is defined to be a fully
+   qualified path name referring to the root directory.  That is, the
+   root directory does not have a directory (or file) name, but does
+   have a path name.  This special path name may be used only as is as a
+   reference to the root directory.  It may not be combined with other
+   path names using the rules above, as doing so would lead to a path
+   name containing two consecutive "/" characters, which is an undefined
+   sequence.
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 24]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+7.2.1. Notes
+
+     + It is not required, or expected, that there be only one fully
+       qualified path name that will reference any particular file or
+       directory.
+     + As a caveat, though the TVFS file store is basically tree
+       structured, there is no requirement that any file or directory
+       have only one parent directory.
+     + As defined, no TVFS path name will ever contain two consecutive
+       "/" characters.  Such a name is not illegal however, and may be
+       defined by the server for any purpose that suits it.  Clients
+       implementing this specification should not assume any semantics
+       at all for such names.
+     + Similarly, other than the special case path that refers to the
+       root directory, no TVFS path name constructed as defined here
+       will ever end with the "/" character.  Such names are also not
+       illegal, but are undefined.
+     + While any legal IS10646 character is permitted to occur in a TVFS
+       file or directory name, other than "/", server FTP
+       implementations are not required to support all possible IS10646
+       characters.  The subset supported is entirely at the discretion
+       of the server.  The case (where it exists) of the characters that
+       make up file, directory, and path names may be significant.
+       Unless determined otherwise by means unspecified here, clients
+       should assume that all such names are comprised of characters
+       whose case is significant.  Servers are free to treat case (or
+       any other attribute) of a name as irrelevant, and hence map two
+       names which appear to be distinct onto the same underlying file.
+     + There are no defined "magic" names, like ".", ".." or "C:".
+       Servers may implement such names, with any semantics they choose,
+       but are not required to do so.
+     + TVFS imposes no particular semantics or properties upon files,
+       guarantees no access control schemes, or any of the other common
+       properties of a file store.  Only the naming scheme is defined.
+
+7.3. FEAT Response for TVFS
+
+   In response to the FEAT command [6] a server that wishes to indicate
+   support for the TVFS as defined here will include a line that begins
+   with the four characters "TVFS" (in any case, or mixture of cases,
+   upper case is not required).  Servers SHOULD send upper case.
+
+   Such a response to the FEAT command MUST NOT be returned unless the
+   server implements TVFS as defined here.
+
+   Later specifications may add to the TVFS definition.  Such additions
+   should be notified by means of additional text appended to the TVFS
+   feature line.  Such specifications, if any, will define the extra
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 25]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   text.
+
+   Until such a specification is defined, servers should not include
+   anything after "TVFS" in the TVFS feature line.  Clients, however,
+   should be prepared to deal with arbitrary text following the four
+   defined characters, and simply ignore it if unrecognized.
+
+   A typical response to the FEAT command issued by a server
+   implementing only this specification would be:
+
+        C> feat
+        S> 211- <any descriptive text>
+        S>  ...
+        S>  TVFS
+        S>  ...
+        S> 211 end
+
+   The ellipses indicate place holders where other features may be
+   included, and are not required.  The one space indentation of the
+   feature lines is mandatory [6], and is not counted as one of the
+   first four characters for the purposes of this feature listing.
+
+   The TVFS feature adds no new commands to the FTP command repertoire.
+
+7.4. OPTS for TVFS
+
+   There are no options in this TVFS specification, and hence there is
+   no OPTS command defined.
+
+7.5. TVFS Examples
+
+   Assume a TVFS file store is comprised of a root directory, which
+   contains two directories (A and B) and two non-directory files (X and
+   Y).  The A directory contains two directories (C and D) and one other
+   file (Z).  The B directory contains just two non-directory files (P
+   and Q) and the C directory also two non-directory files (also named P
+   and Q, by chance).  The D directory is empty, that is, contains no
+   files or directories.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 26]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   This structure may depicted graphically as...
+
+                      (unnamed root)
+                        /  |  \   \
+                       /   |   \   \
+                      A    X    B   Y
+                     /|\       / \
+                    / | \     /   \
+                   C  D  Z   P     Q
+                  / \
+                 /   \
+                P     Q
+
+   Given this structure, the following fully qualified path names exist.
+
+        /
+        /A
+        /B
+        /X
+        /Y
+        /A/C
+        /A/D
+        /A/Z
+        /A/C/P
+        /A/C/Q
+        /B/P
+        /B/Q
+
+   It is clear that none of the paths / /A /B or /A/D refer to the same
+   directory, as the contents of each is different.  Nor do any of / /A
+   /A/C or /A/D.  However /A/C and /B might be the same directory, there
+   is insufficient information given to tell.  Any of the other path
+   names (/X /Y /A/Z /A/C/P /A/C/Q /B/P and /B/Q) may refer to the same
+   underlying files, in almost any combination.
+
+   If the current working directory of the server-FTP is /A then the
+   following path names, in addition to all the fully qualified path
+   names, are valid
+
+        C
+        D
+        Z
+        C/P
+        C/Q
+
+   These all refer to the same files or directories as the corresponding
+   fully qualified path with "/A/" prepended.
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 27]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   That those path names all exist does not imply that the TVFS sever
+   will necessarily grant any kind of access rights to the named paths,
+   or that access to the same file via different path names will
+   necessarily be granted equal rights.
+
+   None of the following relative paths are valid when the current
+   directory is /A
+
+        A
+        B
+        X
+        Y
+        B/P
+        B/Q
+        P
+        Q
+
+   Any of those could be made valid by changing the server-FTP's current
+   working directory to the appropriate directory.  Note that the paths
+   "P" and "Q" might refer to different files depending upon which
+   directory is selected to cause those to become valid TVFS relative
+   paths.
+
+8. Listings for Machine Processing (MLST and MLSD)
+
+   The MLST and MLSD commands are intended to standardize the file and
+   directory information returned by the Server-FTP process.  These
+   commands differ from the LIST command in that the format of the
+   replies is strictly defined although extensible.
+
+   Two commands are defined, MLST which provides data about exactly the
+   object named on its command line, and no others.  MLSD on the other
+   hand will list the contents of a directory if a directory is named,
+   otherwise a 501 reply will be returned.  In either case, if no object
+   is named, the current directory is assumed.  That will cause MLST to
+   send a one line response, describing the current directory itself,
+   and MLSD to list the contents of the current directory.
+
+   In the following, the term MLSx will be used wherever either MLST or
+   MLSD may be inserted.
+
+   The MLST and MLSD commands also extend the FTP protocol as presented
+   in RFC 959 [3] and RFC 1123 [9] to allow that transmission of 8-bit
+   data over the control connection.  Note this is not specifying
+   character sets which are 8-bit, but specifying that FTP
+   implementations are to specifically allow the transmission and
+   reception of 8-bit bytes, with all bits significant, over the control
+   connection.  That is, all 256 possible octet values are permitted.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 28]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The MLSx command allows both UTF-8/Unicode and "raw" forms as
+   arguments, and in responses both to the MLST and MLSD commands, and
+   all other FTP commands which take pathnames as arguments.
+
+8.1. Format of MLSx Requests
+
+   The MLST and MLSD commands each allow a single optional argument.
+   This argument may be either a directory name or, for MLST only, a
+   filename.  For these purposes, a "filename" is the name of any entity
+   in the server NVFS which is not a directory.  Where TVFS is
+   supported, any TVFS relative path name valid in the current working
+   directory, or any TVFS fully qualified path name, may be given.  If a
+   directory name is given then MLSD must return a listing of the
+   contents of the named directory, otherwise it issues a 501 reply, and
+   does not open a data connection.  In all cases for MLST, a single set
+   of fact lines (usually a single fact line) containing the information
+   about the named file or directory shall be returned over the control
+   connection, without opening a data connection.
+
+   If no argument is given then MLSD must return a listing of the
+   contents of the current working directory, and MLST must return a
+   listing giving information about the current working directory
+   itself.  For these purposes, the contents of a directory are whatever
+   filenames (not pathnames) the server-PI will allow to be referenced
+   when the current working directory is the directory named, and which
+   the server-PI desires to reveal to the user-PI.
+
+   No title, header, or summary, lines, or any other formatting, other
+   than as is specified below, is ever returned in the output of an MLST
+   or MLSD command.
+
+   If the Client-FTP sends an invalid argument, the Server-FTP MUST
+   reply with an error code of 501.
+
+   The syntax for the MLSx command is:
+
+        mlst             = "MLst" [ SP pathname ] CRLF
+        mlsd             = "MLsD" [ SP pathname ] CRLF
+
+8.2. Format of MLSx Response
+
+   The format of a response to an MLSx command is as follows:
+
+        mlst-response    = control-response / error-response
+        mlsd-response    = ( initial-response final-response ) /
+                           error-response
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 29]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        control-response = "250-" [ response-message ] CRLF
+                           1*( SP entry CRLF )
+                           "250" [ SP response-message ] CRLF
+
+        initial-response = "150" [ SP response-message ] CRLF
+        final-response   = "226" SP response-message CRLF
+
+        response-message = *TCHAR
+
+        data-response    = *( entry CRLF )
+
+        entry            = [ facts ] SP pathname
+        facts            = 1*( fact ";" )
+        fact             = factname "=" value
+        factname         = "Size" / "Modify" / "Create" /
+                           "Type" / "Unique" / "Perm" /
+                           "Lang" / "Media-Type" / "CharSet" /
+                           os-depend-fact / local-fact
+        os-depend-fact   = <IANA assigned OS name> "." token
+        local-fact       = "X." token
+        value            = *RCHAR
+
+   Upon receipt of a MLSx command, the server will verify the parameter,
+   and if invalid return an error-response.  For this purpose, the
+   parameter should be considered to be invalid if the client issuing
+   the command does not have permission to perform the request
+   operation.
+
+   If valid, then for an MLST command, the server-PI will send the first
+   (leading) line of the control response, the entry for the pathname
+   given, or the current directory if no pathname was provided, and the
+   terminating line.  Normally exactly one entry would be returned, more
+   entries are permitted only when required to represent a file that is
+   to have multiple "Type" facts returned.
+
+   Note that for MLST the fact set is preceded by a space.  That is
+   provided to guarantee that the fact set cannot be accidentally
+   interpreted as the terminating line of the control response, but is
+   required even when that would not be possible.  Exactly one space
+   exists between the set of facts and the pathname.  Where no facts are
+   present, there will be exactly two leading spaces before the
+   pathname.  No spaces are permitted in the facts, any other spaces in
+   the response are to be treated as being a part of the pathname.
+
+   If the command was an MLSD command, the server will open a data
+   connection as indicated in section 3.2 of RFC959 [3].  If that fails,
+   the server will return an error-response.  If all is OK, the server
+   will return the initial-response, send the appropriate data-response
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 30]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   over the new data connection, close that connection, and then send
+   the final-response over the control connection.  The grammar above
+   defines the format for the data-response, which defines the format of
+   the data returned over the data connection established.
+
+   The data connection opened for a MLSD response shall be a connection
+   as if the "TYPE L 8", "MODE S", and "STRU F" commands had been given,
+   whatever FTP transfer type, mode and structure had actually been set,
+   and without causing those settings to be altered for future commands.
+   That is, this transfer type shall be set for the duration of the data
+   connection established for this command only.  While the content of
+   the data sent can be viewed as a series of lines, implementations
+   should note that there is no maximum line length defined.
+   Implementations should be prepared to deal with arbitrarily long
+   lines.
+
+   The facts part of the specification would contain a series of "file
+   facts" about the file or directory named on the same line.  Typical
+   information to be presented would include file size, last
+   modification time, creation time, a unique identifier, and a
+   file/directory flag.
+
+   The complete format for a successful reply to the MLSD command would
+   be:
+
+        facts SP pathname CRLF
+        facts SP pathname CRLF
+        facts SP pathname CRLF
+        ...
+
+   Note that the format is intended for machine processing, not human
+   viewing, and as such the format is very rigid.  Implementations MUST
+   NOT vary the format by, for example, inserting extra spaces for
+   readability, replacing spaces by tabs, including header or title
+   lines, or inserting blank lines, or in any other way alter this
+   format.  Exactly one space is always required after the set of facts
+   (which may be empty).  More spaces may be present on a line if, and
+   only if, the file name presented contains significant spaces.  The
+   set of facts must not contain any spaces anywhere inside it.  Facts
+   should be provided in each output line only if they both provide
+   relevant information about the file named on the same line, and they
+   are in the set requested by the user-PI.  There is no requirement
+   that the same set of facts be provided for each file, or that the
+   facts presented occur in the same order for each file.
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 31]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+8.3. Filename encoding
+
+   An FTP implementation supporting the MLSx commands must be 8-bit
+   clean.  This is necessary in order to transmit UTF-8 encoded
+   filenames.  This specification recommends the use of UTF-8 encoded
+   filenames.  FTP implementations SHOULD use UTF-8 whenever possible to
+   encourage the maximum interoperability.
+
+   Filenames are not restricted to UTF-8, however treatment of arbitrary
+   character encodings is not specified by this standard.  Applications
+   are encouraged to treat non-UTF-8 encodings of filenames as octet
+   sequences.
+
+   Note that this encoding is unrelated to that of the contents of the
+   file, even if the file contains character data.
+
+   Further information about filename encoding for FTP may be found in
+   "Internationalization of the File Transfer Protocol" [7].
+
+8.3.1. Notes about the Filename
+
+   The filename returned in the MLST response should be the same name as
+   was specified in the MLST command, or, where TVFS is supported, a
+   fully qualified TVFS path naming the same file.  Where no argument
+   was given to the MLST command, the server-PI may either include an
+   empty filename in the response, or it may supply a name that refers
+   to the current directory, if such a name is available.  Where TVFS is
+   supported, a fully qualified path name of the current directory
+   SHOULD be returned.
+
+   Filenames returned in the output from an MLSD command SHOULD be
+   unqualified names within the directory named, or the current
+   directory if no argument was given.  That is, the directory named in
+   the MLSD command SHOULD NOT appear as a component of the filenames
+   returned.
+
+   If the server-FTP process is able, and the "type" fact is being
+   returned, it MAY return in the MLSD response, an entry whose type is
+   "cdir", which names the directory from which the contents of the
+   listing were obtained.  Where TVFS is supported, the name MAY be the
+   fully qualified path name of the directory, or MAY be any other path
+   name which is valid to refer to that directory from the current
+   working directory of the server-FTP.  Where more than one name
+   exists, multiple of these entries may be returned.  In a sense, the
+   "cdir" entry can be viewed as a heading for the MLSD output.
+   However, it is not required to be the first entry returned, and may
+   occur anywhere within the listing.
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 32]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   When TVFS is supported, a user-PI can refer to any file or directory
+   in the listing by combining a type "cdir" name, with the appropriate
+   name from the directory listing using the procedure defined in
+   section 7.2.
+
+   Alternatively, whether TVFS is supported or not, the user-PI can
+   issue a CWD command ([3]) giving a name of type "cdir" from the
+   listing returned, and from that point reference the files returned in
+   the MLSD response from which the cdir was obtained by using the
+   filename components of the listing.
+
+8.4. Format of Facts
+
+   The "facts" for a file in a reply to a MLSx command consist of
+   information about that file.  The facts are a series of keyword=value
+   pairs each followed by semi-colon (";") characters.  An individual
+   fact may not contain a semi-colon in its name or value.  The complete
+   series of facts may not contain the space character.  See the
+   definition or "RCHAR" in section 2.1 for a list of the characters
+   that can occur in a fact value.  Not all are applicable to all facts.
+
+   A sample of a typical series of facts would be: (spread over two
+   lines for presentation here only)
+
+        size=4161;lang=en-US;modify=19970214165800;create=19961001124534;
+        type=file;x.myfact=foo,bar;
+
+8.5. Standard Facts
+
+   This document defines a standard set of facts as follows:
+
+        size       -- Size in octets
+        modify     -- Last modification time
+        create     -- Creation time
+        type       -- Entry type
+        unique     -- Unique id of file/directory
+        perm       -- File permissions, whether read, write, execute is
+                      allowed for the login id.
+        lang       -- Language of the filename per IANA[12] registry.
+        media-type -- MIME media-type of file contents per IANA registry.
+        charset    -- Character set per IANA registry (if not UTF-8)
+
+   Fact names are case-insensitive.  Size, size, SIZE, and SiZe are the
+   same fact.
+
+   Further operating system specific keywords could be specified by
+   using the IANA operating system name as a prefix (examples only):
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 33]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        OS/2.ea   -- OS/2 extended attributes
+        MACOS.rf  -- MacIntosh resource forks
+        UNIX.mode -- Unix file modes (permissions)
+
+   Implementations may define keywords for experimental, or private use.
+   All such keywords MUST begin with the two character sequence "x.".
+   As type names are case independent, "x." and "X." are equivalent.
+   For example:
+
+        x.ver  -- Version information
+        x.desc -- File description
+        x.type -- File type
+
+8.5.1. The type Fact
+
+   The type fact needs a special description.  Part of the problem with
+   current practices is deciding when a file is a directory.  If it is a
+   directory, is it the current directory, a regular directory, or a
+   parent directory?  The MLST specification makes this unambiguous
+   using the type fact.  The type fact given specifies information about
+   the object listed on the same line of the MLST response.
+
+   Five values are possible for the type fact:
+
+        file         -- a file entry
+        cdir         -- the listed directory
+        pdir         -- a parent directory
+        dir          -- a directory or sub-directory
+        OS.name=type -- an OS or file system dependent file type
+
+   The syntax is defined to be:
+
+        type-fact       = type-label "=" type-val
+        type-label      = "Type"
+        type-val        = "File" / "cdir" / "pdir" / "dir" /
+                          os-type
+
+8.5.1.1. type=file
+
+   The presence of the type=file fact indicates the listed entry is a
+   file containing non-system data.  That is, it may be transferred from
+   one system to another of quite different characteristics, and perhaps
+   still be meaningful.
+
+8.5.1.2. type=cdir
+
+   The type=cdir fact indicates the listed entry contains a pathname of
+   the directory whose contents are listed.  An entry of this type will
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 34]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   only be returned as a part of the result of an MLSD command when the
+   type fact is included, and provides a name for the listed directory,
+   and facts about that directory.  In a sense, it can be viewed as
+   representing the title of the listing, in a machine friendly format.
+   It may appear at any point of the listing, it is not restricted to
+   appearing at the start, though frequently may do so, and may occur
+   multiple times.  It MUST NOT be included if the type fact is not
+   included, or there would be no way for the user-PI to distinguish the
+   name of the directory from an entry in the directory.
+
+   Where TVFS is supported by the server-FTP, this name may be used to
+   construct path names with which to refer to the files and directories
+   returned in the same MLSD output (see section 7.2).  These path names
+   are only expected to work when the server-PI's position in the NVFS
+   file tree is the same as its position when the MLSD command was
+   issued, unless a fully qualified path name results.
+
+   Where TVFS is not supported, the only defined semantics associated
+   with a "type=cdir" entry are that, provided the current working
+   directory of the server-PI has not been changed, a pathname of type
+   "cdir" may be used as an argument to a CWD command, which will cause
+   the current directory of the server-PI to change so that the
+   directory which was listed in its current working directory.
+
+8.5.1.3. type=dir
+
+   If present, the type=dir entry gives the name of a directory.  Such
+   an entry typically cannot be transferred from one system to another
+   using RETR, etc, but should (permissions permitting) be able to be
+   the object of an MLSD command.
+
+8.5.1.4. type=pdir
+
+   If present, which will occur only in the response to a MLSD command
+   when the type fact is included, the type=pdir entry represents a
+   pathname of the parent directory of the listed directory.  As well as
+   having the properties of a type=dir, a CWD command that uses the
+   pathname from this entry should change the user to a parent directory
+   of the listed directory.  If the listed directory is the current
+   directory, a CDUP command may also have the effect of changing to the
+   named directory.  User-FTP processes should note not all responses
+   will include this information, and that some systems may provide
+   multiple type=pdir responses.
+
+   Where TVFS is supported, a "type=pdir" name may be a relative path
+   name, or a fully qualified path name.  A relative path name will be
+   relative to the directory being listed, not to the current directory
+   of the server-PI at the time.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 35]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   For the purposes of this type value, a "parent directory" is any
+   directory in which there is an entry of type=dir which refers to the
+   directory in which the type=pdir entity was found.  Thus it is not
+   required that all entities with type=pdir refer to the same
+   directory.  The "unique" fact (if supported) can be used to determine
+   whether there is a relationship between the type=pdir entries or not.
+
+8.5.1.5. System defined types
+
+   Files types that are specific to a specific operating system, or file
+   system, can be encoded using the "OS." type names.  The format is:
+
+        os-type   = "OS." os-name "=" os-type
+        os-name   = <an IANA registered operating system name>
+        os-type   = token
+
+   The "os-name" indicates the specific system type which supports the
+   particular localtype.  OS specific types are registered by the IANA
+   using the procedures specified in section 11.  The "os-type" provides
+   the system dependent information as to the type of the file listed.
+   The os-name and os-type strings in an os-type are case independent.
+   "OS.unix=block" and "OS.Unix=BLOCK" represent the same type (or
+   would, if such a type were registered.)
+
+   Note: Where the underlying system supports a file type which is
+   essentially an indirect pointer to another file, the NVFS
+   representation of that type should normally be to represent the file
+   which the reference indicates.  That is, the underlying basic file
+   will appear more than once in the NVFS, each time with the "unique"
+   fact (see immediately following section) containing the same value,
+   indicating that the same file is represented by all such names.
+   User-PIs transferring the file need then transfer it only once, and
+   then insert their own form of indirect reference to construct
+   alternate names where desired, or perhaps even copy the local file if
+   that is the only way to provide two names with the same content.  A
+   file which would be a reference to another file, if only the other
+   file actually existed, may be represented in any OS dependent manner
+   appropriate, or not represented at all.
+
+8.5.1.6. Multiple types
+
+   Where a file is such that it may validly, and sensibly, treated by
+   the server-PI as being of more than one of the above types, then
+   multiple entries should be returned, each with its own "Type" fact of
+   the appropriate type, and each containing the same pathname.  This
+   may occur, for example, with a structured file, which may contain
+   sub-files, and where the server-PI permits the structured file to be
+   treated as a unit, or treated as a directory allowing the sub-files
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 36]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   within it to be referenced.
+
+8.5.2. The unique Fact
+
+   The unique fact is used to present a unique identifier for a file or
+   directory in the NVFS accessed via a server-FTP process.  The value
+   of this fact should be the same for any number of pathnames that
+   refer to the same underlying file.  The fact should have different
+   values for names which reference distinct files.  The mapping between
+   files, and unique fact tokens should be maintained, and remain
+   consistent, for at least the lifetime of the control connection from
+   user-PI to server-PI.
+
+        unique-fact  = "Unique" "=" token
+
+   This fact would be expected to be used by Server-FTPs whose host
+   system allows things such as symbolic links so that the same file may
+   be represented in more than one directory on the server.  The only
+   conclusion that should be drawn is that if two different names each
+   have the same value for the unique fact, they refer to the same
+   underlying object.  The value of the unique fact (the token) should
+   be considered an opaque string for comparison purposes, and is a case
+   dependent value.  The tokens "A" and "a" do not represent the same
+   underlying object.
+
+8.5.3. The modify Fact
+
+   The modify fact is used to determine the last time the content of the
+   file (or directory) indicated was modified.  Any change of substance
+   to the file should cause this value to alter.  That is, if a change
+   is made to a file such that the results of a RETR command would
+   differ, then the value of the modify fact should alter.  User-PIs
+   should not assume that a different modify fact value indicates that
+   the file contents are necessarily different than when last retrieved.
+   Some systems may alter the value of the modify fact for other
+   reasons, though this is discouraged wherever possible.  Also a file
+   may alter, and then be returned to its previous content, which would
+   often be indicated as two incremental alterations to the value of the
+   modify fact.
+
+   For directories, this value should alter whenever a change occurs to
+   the directory such that different filenames would (or might) be
+   included in MLSD output of that directory.
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 37]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        modify-fact  = "Modify" "=" time-val
+
+8.5.4. The create Fact
+
+   The create fact indicates when a file, or directory, was first
+   created.  Exactly what "creation" is for this purpose is not
+   specified here, and may vary from server to server.  About all that
+   can be said about the value returned is that it can never indicate a
+   later time than the modify fact.
+
+        create-fact  = "Create" "=" time-val
+
+   Implementation Note: Implementors of this fact on UNIX(TM) systems
+        should note that the unix "stat" "st_ctime" field does not give
+        creation time, and that unix file systems do not record creation
+        time at all.  Unix (and POSIX) implementations will normally not
+        include this fact.
+
+8.5.5. The perm Fact
+
+   The perm fact is used to indicate access rights the current FTP user
+   has over the object listed.  Its value is always an unordered
+   sequence of alphabetic characters.
+
+        perm-fact    = "Perm" "=" *pvals
+        pvals        = "a" / "c" / "d" / "e" / "f" /
+                       "l" / "m" / "p" / "r" / "w"
+
+   There are ten permission indicators currently defined.  Many are
+   meaningful only when used with a particular type of object.  The
+   indicators are case independent, "d" and "D" are the same indicator.
+
+   The "a" permission applies to objects of type=file, and indicates
+   that the APPE (append) command may be applied to the file named.
+
+   The "c" permission applies to objects of type=dir (and type=pdir,
+   type=cdir).  It indicates that files may be created in the directory
+   named.  That is, that a STOU command is likely to succeed, and that
+   STOR and APPE commands might succeed if the file named did not
+   previously exist, but is to be created in the directory object that
+   has the "c" permission.  It also indicates that the RNTO command is
+   likely to succeed for names in the directory.
+
+   The "d" permission applies to all types.  It indicates that the
+   object named may be deleted, that is, that the RMD command may be
+   applied to it if it is a directory, and otherwise that the DELE
+   command may be applied to it.
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 38]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The "e" permission applies to the directory types.  When set on an
+   object of type=dir, type=cdir, or type=pdir it indicates that a CWD
+   command naming the object should succeed, and the user should be able
+   to enter the directory named.  For type=pdir it also indicates that
+   the CDUP command may succeed (if this particular pathname is the one
+   to which a CDUP would apply.)
+
+   The "f" permission for objects indicates that the object named may be
+   renamed - that is, may be the object of an RNFR command.
+
+   The "l" permission applies to the directory file types, and indicates
+   that the listing commands, LIST, NLST, and MLSD may be applied to the
+   directory in question.
+
+   The "m" permission applies to directory types, and indicates that the
+   MKD command may be used to create a new directory within the
+   directory under consideration.
+
+   The "p" permission applies to directory types, and indicates that
+   objects in the directory may be deleted, or (stretching naming a
+   little) that the directory may be purged.  Note: it does not indicate
+   that the RMD command may be used to remove the directory named
+   itself, the "d" permission indicator indicates that.
+
+   The "r" permission applies to type=file objects, and for some
+   systems, perhaps to other types of objects, and indicates that the
+   RETR command may be applied to that object.
+
+   The "w" permission applies to type=file objects, and for some
+   systems, perhaps to other types of objects, and indicates that the
+   STOR command may be applied to the object named.
+
+   Note: That a permission indicator is set can never imply that the
+        appropriate command is guaranteed to work - just that it might.
+        Other system specific limitations, such as limitations on
+        available space for storing files, may cause an operation to
+        fail, where the permission flags may have indicated that it was
+        likely to succeed.  The permissions are a guide only.
+
+   Implementation note: The permissions are described here as they apply
+        to FTP commands.  They may not map easily into particular
+        permissions available on the server's operating system.  Servers
+        are expected to synthesize these permission bits from the
+        permission information available from operating system.  For
+        example, to correctly determine whether the "D" permission bit
+        should be set on a directory for a server running on the
+        UNIX(TM) operating system, the server should check that the
+        directory named is empty, and that the user has write permission
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 39]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        on both the directory under consideration, and its parent
+        directory.
+
+        Some systems may have more specific permissions than those
+        listed here, such systems should map those to the flags defined
+        as best they are able.  Other systems may have only more broad
+        access controls.  They will generally have just a few possible
+        permutations of permission flags, however they should attempt to
+        correctly represent what is permitted.
+
+8.5.6. The lang Fact
+
+   The lang fact describes the natural language of the filename for use
+   in display purposes.  Values used here should be taken from the
+   language registry of the IANA.  See [13] for the syntax, and
+   procedures, related to language tags.
+
+        lang-fact  = "Lang" "=" token
+
+   Server-FTP implementations MUST NOT guess language values.  Language
+   values must be determined in an unambiguous way such as file system
+   tagging of language or by user configuration.  Note that the lang
+   fact provides no information at all about the content of a file, only
+   about the encoding of its name.
+
+8.5.7. The size Fact
+
+   The size fact applies to non-directory file types and should always
+   reflect the approximate size of the file.  This should be as accurate
+   as the server can make it, without going to extraordinary lengths,
+   such as reading the entire file.  The size is expressed in units of
+   octets of data in the file.
+
+   Given limitations in some systems, Client-FTP implementations must
+   understand this size may not be precise and may change between the
+   time of a MLST and RETR operation.
+
+   Clients that need highly accurate size information for some
+   particular reason should use the SIZE command as defined in section
+   4.  The most common need for this accuracy is likely to be in
+   conjunction with the REST command described in section 5.  The size
+   fact, on the other hand, should be used for purposes such as
+   indicating to a human user the approximate size of the file to be
+   transferred, and perhaps to give an idea of expected transfer
+   completion time.
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 40]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        size-fact  = "Size" "=" 1*DIGIT
+
+8.5.8. The media-type Fact
+
+   The media-type fact represents the IANA media type of the file named,
+   and applies only to non-directory types.  The list of values used
+   must follow the guidelines set by the IANA registry.
+
+        media-type  = "Media-Type" "=" <per IANA guidelines>
+
+   Server-FTP implementations MUST NOT guess media type values.  Media
+   type values must be determined in an unambiguous way such as file
+   system tagging of media-type or by user configuration.  This fact
+   gives information about the content of the file named.  Both the
+   primary media type, and any appropriate subtype should be given,
+   separated by a slash "/" as is traditional.
+
+8.5.9. The charset Fact
+
+   The charset fact provides the IANA character set name, or alias, for
+   the encoded pathnames in a MLSx response.  The default character set
+   is UTF-8 unless specified otherwise.  FTP implementations SHOULD use
+   UTF-8 if possible to encourage maximum interoperability.  The value
+   of this fact applies to the pathname only, and provides no
+   information about the contents of the file.
+
+        charset-type  = "Charset" "=" token
+
+8.5.10. Required facts
+
+   Servers are not required to support any particular set of the
+   available facts.  However, servers SHOULD, if conceivably possible,
+   support at least the type, perm, size, unique, and modify facts.
+
+8.6. System Dependent and Local Facts
+
+   By using an system dependent fact, or a local fact, a server-PI may
+   communicate to the user-PI information about the file named which is
+   peculiar to the underlying file system.
+
+8.6.1. System Dependent Facts
+
+   System dependent fact names are labeled by prefixing a label
+   identifying the specific information returned by the name of the
+   appropriate operating system from the IANA maintained list of
+   operating system names.
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 41]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The value of an OS dependent fact may be whatever is appropriate to
+   convey the information available.  It must be encoded as a "token" as
+   defined in section 2.1 however.
+
+   In order to allow reliable interoperation between users of system
+   dependent facts, the IANA will maintain a registry of system
+   dependent fact names, their syntax, and the interpretation to be
+   given to their values.  Registrations of system dependent facts are
+   to be accomplished according to the procedures of section 11.
+
+8.6.2. Local Facts
+
+   Implementations may also make available other facts of their own
+   choosing.  As the method of interpretation of such information will
+   generally not be widely understood, server-PIs should be aware that
+   clients will typically ignore any local facts provided.  As there is
+   no registration of locally defined facts, it is entirely possible
+   that different servers will use the same local fact name to provide
+   vastly different information.  Hence user-PIs should be hesitant
+   about making any use of any information in a locally defined fact
+   without some other specific assurance that the particular fact is one
+   that they do comprehend.
+
+   Local fact names all begin with the sequence "X.".  The rest of the
+   name is a "token" (see section 2.1).  The value of a local fact can
+   be anything at all, provided it can be encoded as a "token".
+
+8.7. MLSx Examples
+
+   The following examples are all taken from dialogues between existing
+   FTP clients and servers.  Because of this, not all possible
+   variations of possible response formats are shown in the examples.
+   This should not be taken as limiting the options of other server
+   implementors.  Where the examples show OS dependent information, that
+   is to be treated as being purely for the purposes of demonstration of
+   some possible OS specific information that could be defined.  As at
+   the time of the writing of this document, no OS specific facts or
+   file types have been defined, the examples shown here should not be
+   treated as in any way to be preferred over other possible similar
+   definitions.  Consult the IANA registries to determine what types and
+   facts have been defined.
+
+   In the examples shown, only relevant commands and responses have been
+   included.  This is not to imply that other commands (including
+   authentication, directory modification, PORT or PASV commands, or
+   similar) would not be present in an actual connection, or were not,
+   in fact, actually used in the examples before editing.  Note also
+   that the formats shown are those that are transmitted between client
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 42]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   and server, not formats which would normally ever be reported to the
+   user of the client.
+
+   In the examples, lines that begin "C> " were sent over the control
+   connection from the client to the server, lines that begin "S> " were
+   sent over the control connection from the server to the client, and
+   lines that begin "D> " were sent from the server to the client over a
+   data connection created just to send those lines and closed
+   immediately after.  No examples here show data transferred over a
+   data connection from the client to the server.  In all cases, the
+   prefixes shown above, including the one space, have been added for
+   the purposes of this document, and are not a part of the data
+   exchanged between client and server.
+
+8.7.1. Simple MLST
+
+ C> PWD
+ S> 257 "/tmp" is current directory.
+ C> MLst cap60.pl198.tar.gz
+ S> 250- Listing cap60.pl198.tar.gz
+ S>  Type=file;Size=1024990;Perm=r; /tmp/cap60.pl198.tar.gz
+ S> 250 End
+
+   The client first asked to be told the current directory of the
+   server.  This was purely for the purposes of clarity of this example.
+   The client then requested facts about a specific file.  The server
+   returned the "250-" first control-response line, followed by a single
+   line of facts about the file, followed by the terminating "250 "
+   line.  The text on the control-response line and the terminating line
+   can be anything the server decides to send.  Notice that the fact
+   line is indented by a single space.  Notice also that there are no
+   spaces in the set of facts returned, until the single space before
+   the filename.  The filename returned on the fact line is a fully
+   qualified pathname of the file listed.  The facts returned show that
+   the line refers to a file, that file contains approximately 1024990
+   bytes, though more or less than that may be transferred if the file
+   is retrieved, and a different number may be required to store the
+   file at the client's file store, and the connected user has
+   permission to retrieve the file but not to do anything else
+   particularly interesting.
+
+8.7.2. MLST of a directory
+
+ C> PWD
+ S> 257 "/" is current directory.
+ C> MLst tmp
+ S> 250- Listing tmp
+ S>  Type=dir;Modify=19981107085215;Perm=el; /tmp
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 43]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+ S> 250 End
+
+   Again the PWD is just for the purposes of demonstration for the
+   example.  The MLST fact line this time shows that the file listed is
+   a directory, that it was last modified at 08:52:15 on the 7th of
+   November, 1998 UTC, and that the user has permission to enter the
+   directory, and to list its contents, but not to modify it in any way.
+   Again, the fully qualified path name of the directory listed is
+   given.
+
+8.7.3. MLSD of a directory
+
+ C> MLSD tmp
+ S> 150 BINARY connection open for MLSD tmp
+ D> Type=cdir;Modify=19981107085215;Perm=el; tmp
+ D> Type=cdir;Modify=19981107085215;Perm=el; /tmp
+ D> Type=pdir;Modify=19990112030508;Perm=el; ..
+ D> Type=file;Size=25730;Modify=19940728095854;Perm=; capmux.tar.z
+ D> Type=file;Size=1830;Modify=19940916055648;Perm=r; hatch.c
+ D> Type=file;Size=25624;Modify=19951003165342;Perm=r; MacIP-02.txt
+ D> Type=file;Size=2154;Modify=19950501105033;Perm=r; uar.netbsd.patch
+ D> Type=file;Size=54757;Modify=19951105101754;Perm=r; iptnnladev.1.0.sit.hqx
+ D> Type=file;Size=226546;Modify=19970515023901;Perm=r; melbcs.tif
+ D> Type=file;Size=12927;Modify=19961025135602;Perm=r; tardis.1.6.sit.hqx
+ D> Type=file;Size=17867;Modify=19961025135602;Perm=r; timelord.1.4.sit.hqx
+ D> Type=file;Size=224907;Modify=19980615100045;Perm=r; uar.1.2.3.sit.hqx
+ D> Type=file;Size=1024990;Modify=19980130010322;Perm=r; cap60.pl198.tar.gz
+ S> 226 MLSD completed
+
+   In this example notice that there is no leading space on the fact
+   lines returned over the data connection.  Also notice that two lines
+   of "type=cdir" have been given.  These show two alternate names for
+   the directory listed, one a fully qualified pathname, and the other a
+   local name relative to the servers current directory when the MLSD
+   was performed.  Note that all other filenames in the output are
+   relative to the directory listed, though the server could, if it
+   chose, give a fully qualified path name for the "type=pdir" line.
+   This server has chosen not to.  The other files listed present a
+   fairly boring set of files that are present in the listed directory.
+   Note that there is no particular order in which they are listed.
+   They are not sorted by filename, by size, or by modify time.  Note
+   also that the "perm" fact has an empty value for the file
+   "capmux.tar.z" indicating that the connected user has no permissions
+   at all for that file.  This server has chosen to present the "cdir"
+   and "pdir" lines before the lines showing the content of the
+   directory, it is not required to do so.  The "size" fact does not
+   provide any meaningful information for a directory, so is not
+   included in the fact lines for the directory types shown.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 44]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+8.7.4. A more complex example
+
+ C> MLst test
+ S> 250- Listing test
+ S>  Type=dir;Perm=el;Unique=keVO1+ZF4 test
+ S> 250 End
+ C> MLSD test
+ S> 150 BINARY connection open for MLSD test
+ D> Type=cdir;Perm=el;Unique=keVO1+ZF4; test
+ D> Type=pdir;Perm=e;Unique=keVO1+d?3; ..
+ D> Type=OS.unix=slink:/foobar;Perm=;Unique=keVO1+4G4; foobar
+ D> Type=OS.unix=chr-13/29;Perm=;Unique=keVO1+5G4; device
+ D> Type=OS.unix=blk-11/108;Perm=;Unique=keVO1+6G4; block
+ D> Type=file;Perm=awr;Unique=keVO1+8G4; writable
+ D> Type=dir;Perm=cpmel;Unique=keVO1+7G4; promiscuous
+ D> Type=dir;Perm=;Unique=keVO1+1t2; no-exec
+ D> Type=file;Perm=r;Unique=keVO1+EG4; two words
+ D> Type=file;Perm=r;Unique=keVO1+IH4;  leading space
+ D> Type=file;Perm=r;Unique=keVO1+1G4; file1
+ D> Type=dir;Perm=cpmel;Unique=keVO1+7G4; incoming
+ D> Type=file;Perm=r;Unique=keVO1+1G4; file2
+ D> Type=file;Perm=r;Unique=keVO1+1G4; file3
+ D> Type=file;Perm=r;Unique=keVO1+1G4; file4
+ S> 226 MLSD completed
+ C> MLSD test/incoming
+ S> 150 BINARY connection open for MLSD test/incoming
+ D> Type=cdir;Perm=cpmel;Unique=keVO1+7G4; test/incoming
+ D> Type=pdir;Perm=el;Unique=keVO1+ZF4; ..
+ D> Type=file;Perm=awdrf;Unique=keVO1+EH4; bar
+ D> Type=file;Perm=awdrf;Unique=keVO1+LH4;
+ D> Type=file;Perm=rf;Unique=keVO1+1G4; file5
+ D> Type=file;Perm=rf;Unique=keVO1+1G4; file6
+ D> Type=dir;Perm=cpmdelf;Unique=keVO1+!s2; empty
+ S> 226 MLSD completed
+
+   For the purposes of this example the fact set requested has been
+   modified to delete the "size" and "modify" facts, and add the
+   "unique" fact.  First, facts about a filename have been obtained via
+   MLST.  Note that no fully qualified path name was given this time.
+   That was because the server was unable to determine that information.
+   Then having determined that the filename represents a directory, that
+   directory has been listed.  That listing also shows no fully
+   qualified path name, for the same reason, thus has but a single
+   "type=cdir" line.  This directory (which was created especially for
+   the purpose) contains several interesting files.  There are some with
+   OS dependent file types, several sub-directories, and several
+   ordinary files.
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 45]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   Not much can be said here about the OS dependent file types, as none
+   of the information shown there should be treated as any more than
+   possibilities.  It can be seen that the OS type of the server is
+   "unix" though, which is one of the OS types in the IANA registry of
+   Operating System names.
+
+   Of the three directories listed, "no-exec" has no permission granted
+   to this user to access at all.  From the "Unique" fact values, it can
+   be determined that "promiscuous" and "incoming" in fact represent the
+   same directory.  Its permissions show that the connected user has
+   permission to do essentially anything other than to delete the
+   directory.  That directory was later listed.  It happens that the
+   directory can not be deleted because it is not empty.
+
+   Of the normal files listed, two contain spaces in their names.  The
+   file called " leading space" actually contains two spaces in its
+   name, one before the "l" and one between the "g" and the "s".  The
+   two spaces that separate the facts from the visible part of the path
+   name make that clear.  The file "writable" has the "a" and "w"
+   permission bits set, and consequently the connected user should be
+   able to STOR or APPE to that file.
+
+   The other four file names, "file1", "file2", "file3", and "file4" all
+   represent the same underlying file, as can be seen from the values of
+   the "unique" facts of each.  It happens that "file1" and "file2" are
+   Unix "hard" links, and that "file3" and "file4" are "soft" or
+   "symbolic" links to the first two.  None of that information is
+   available via standard MLST facts, it is sufficient for the purposes
+   of FTP to note that all represent the same file, and that the same
+   data would be fetched no matter which of them was retrieved, and that
+   all would be simultaneously modified were data stored in any.
+
+   Finally, the sub-directory "incoming" is listed.  Since "promiscuous"
+   is the same directory there would be no point listing it as well.  In
+   that directory, the files "file5" and "file6" represent still more
+   names for the "file1" file we have seen before.  Notice the entry
+   between that for "bar" and "file5".  Though it is not possible to
+   easily represent it in this document, that shows a file with a name
+   comprising exactly three spaces ("   ").  A client will have no
+   difficulty determining that name from the output presented to it
+   however.  The directory "empty" is, as its name implies, empty,
+   though that is not shown here.  It can, however, be deleted, as can
+   file "bar" and the file whose name is three spaces.  All the files
+   that reside in this directory can be renamed.  This is a consequence
+   of the UNIX semantics of the directory that contains them being
+   modifiable.
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 46]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+8.7.5. More accurate time information
+
+ C> MLst file1
+ S> 250- Listing file1
+ S>  Type=file;Modify=19990929003355.237; file1
+ S> 250 End
+
+   In this example, the server-FTP is indicating that "file1" was last
+   modified 237 milliseconds after 00:33:55 UTC on the 29th of
+   September, 1999.
+
+8.7.6. A different server
+
+ C> MLST
+ S> 250-Begin
+ S>  type=dir;unique=AQkAAAAAAAABCAAA; /
+ S> 250 End.
+ C> MLSD .
+ S> 150 Opening ASCII mode data connection for MLS.
+ D> type=cdir;unique=AQkAAAAAAAABCAAA; /
+ D> type=dir;unique=AQkAAAAAAAABEAAA; bin
+ D> type=dir;unique=AQkAAAAAAAABGAAA; etc
+ D> type=dir;unique=AQkAAAAAAAAB8AwA; halflife
+ D> type=dir;unique=AQkAAAAAAAABoAAA; incoming
+ D> type=dir;unique=AQkAAAAAAAABIAAA; lib
+ D> type=dir;unique=AQkAAAAAAAABWAEA; linux
+ D> type=dir;unique=AQkAAAAAAAABKAEA; ncftpd
+ D> type=dir;unique=AQkAAAAAAAABGAEA; outbox
+ D> type=dir;unique=AQkAAAAAAAABuAAA; quake2
+ D> type=dir;unique=AQkAAAAAAAABQAEA; winstuff
+ S> 226 Listing completed.
+ C> MLSD linux
+ S> 150 Opening ASCII mode data connection for MLS.
+ D> type=cdir;unique=AQkAAAAAAAABWAEA; /linux
+ D> type=pdir;unique=AQkAAAAAAAABCAAA; /
+ D> type=dir;unique=AQkAAAAAAAABeAEA; firewall
+ D> type=file;size=12;unique=AQkAAAAAAAACWAEA; helo_world
+ D> type=dir;unique=AQkAAAAAAAABYAEA; kernel
+ D> type=dir;unique=AQkAAAAAAAABmAEA; scripts
+ D> type=dir;unique=AQkAAAAAAAABkAEA; security
+ S> 226 Listing completed.
+ C> MLSD linux/kernel
+ S> 150 Opening ASCII mode data connection for MLS.
+ D> type=cdir;unique=AQkAAAAAAAABYAEA; /linux/kernel
+ D> type=pdir;unique=AQkAAAAAAAABWAEA; /linux
+ D> type=file;size=6704;unique=AQkAAAAAAAADYAEA; k.config
+ D> type=file;size=7269221;unique=AQkAAAAAAAACYAEA; linux-2.0.36.tar.gz
+ D> type=file;size=12514594;unique=AQkAAAAAAAAEYAEA; linux-2.1.130.tar.gz
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 47]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+ S> 226 Listing completed.
+
+   Note that this server returns its "unique" fact value in quite a
+   different format.  It also returns fully qualified path names for the
+   "pdir" entry.
+
+8.7.7. Some IANA files
+
+ C> MLSD .
+ S> 150 BINARY connection open for MLSD .
+ D> Type=cdir;Modify=19990219183438; /iana/assignments
+ D> Type=pdir;Modify=19990112030453; ..
+ D> Type=dir;Modify=19990219073522; media-types
+ D> Type=dir;Modify=19990112033515; character-set-info
+ D> Type=dir;Modify=19990112033529; languages
+ D> Type=file;Size=44242;Modify=19990217230400; character-sets
+ D> Type=file;Size=1947;Modify=19990209215600; operating-system-names
+ S> 226 MLSD completed
+ C> MLSD media-types
+ S> 150 BINARY connection open for MLSD media-types
+ D> Type=cdir;Modify=19990219073522; media-types
+ D> Type=cdir;Modify=19990219073522; /iana/assignments/media-types
+ D> Type=pdir;Modify=19990219183438; ..
+ D> Type=dir;Modify=19990112033045; text
+ D> Type=dir;Modify=19990219183442; image
+ D> Type=dir;Modify=19990112033216; multipart
+ D> Type=dir;Modify=19990112033254; video
+ D> Type=file;Size=30249;Modify=19990218032700; media-types
+ S> 226 MLSD completed
+ C> MLSD character-set-info
+ S> 150 BINARY connection open for MLSD character-set-info
+ D> Type=cdir;Modify=19990112033515; character-set-info
+ D> Type=cdir;Modify=19990112033515; /iana/assignments/character-set-info
+ D> Type=pdir;Modify=19990219183438; ..
+ D> Type=file;Size=1234;Modify=19980903020400; windows-1251
+ D> Type=file;Size=4557;Modify=19980922001400; tis-620
+ D> Type=file;Size=801;Modify=19970324130000; ibm775
+ D> Type=file;Size=552;Modify=19970320130000; ibm866
+ D> Type=file;Size=922;Modify=19960505140000; windows-1258
+ S> 226 MLSD completed
+ C> MLSD languages
+ S> 150 BINARY connection open for MLSD languages
+ D> Type=cdir;Modify=19990112033529; languages
+ D> Type=cdir;Modify=19990112033529; /iana/assignments/languages
+ D> Type=pdir;Modify=19990219183438; ..
+ D> Type=file;Size=2391;Modify=19980309130000; default
+ D> Type=file;Size=943;Modify=19980309130000; tags
+ D> Type=file;Size=870;Modify=19971026130000; navajo
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 48]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+ D> Type=file;Size=699;Modify=19950911140000; no-bok
+ S> 226 MLSD completed
+ C> PWD
+ S> 257 "/iana/assignments" is current directory.
+
+   This example shows some of the IANA maintained files that are
+   relevant for this specification in MLSD format.  Note that these
+   listings have been edited by deleting many entries, the actual
+   listings are much longer.
+
+8.7.8. A stress test of case (in)dependence
+
+   The following example is intended to make clear some cases where case
+   dependent strings are permitted in the MLSx commands, and where case
+   independent strings are required.
+
+ C> MlsD .
+ S> 150 BINARY connection open for MLSD .
+ D> Type=pdir;Modify=19990929011228;Perm=el;Unique=keVO1+ZF4; ..
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Bd8; FILE2
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+aG8; file3
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+ag8; FILE3
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; file1
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; file2
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Ag8; File3
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bD8; File1
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+Bd8; File2
+ D> Type=file;Size=4096;Modify=19990929011440;Perm=r;Unique=keVO1+bd8; FILE1
+ S> 226 MLSD completed
+
+   Note first that the "MLSD" command, shown here as "MlsD" is case
+   independent.  Clients may issue this command in any case, or
+   combination of cases, they desire.  This is the case for all FTP
+   commands.
+
+   Next, notice the labels of the facts.  These are also case
+   independent strings, Server-FTP is permitted to return them in any
+   case they desire.  User-FTP must be prepared to deal with any case,
+   though it may do this by mapping the labels to a common case if
+   desired.
+
+   Then, notice that there are nine objects of "type" file returned.  In
+   a case independent NVFS these would represent three different file
+   names, "file1", "file2", and "file3".  With a case dependent NVFS all
+   nine represent different file names.  Either is possible, server-FTPs
+   may implement a case dependent or a case independent NVFS.  User-FTPs
+   must allow for case dependent selection of files to manipulate on the
+   server.
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 49]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   Lastly, notice that the value of the "unique" fact is case dependent.
+   In the example shown, "file1", "File1", and "file2" all have the same
+   "unique" fact value "keVO1+bD8", and thus all represent the same
+   underlying file.  On the other hand, "FILE1" has a different "unique"
+   fact value ("keVO1+bd8") and hence represents a different file.
+   Similarly, "FILE2" and "File2" are two names for the same underlying
+   file, whereas "file3", "File3" and "FILE3" all represent different
+   underlying files.
+
+   That the approximate sizes ("size" fact) and last modification times
+   ("modify" fact) are the same in all cases might be no more than a
+   coincidence.
+
+   It is not suggested that the operators of server-FTPs create NVFS
+   which stress the protocols to this extent, however both user and
+   server implementations must be prepared to deal with such extreme
+   examples.
+
+8.8. FEAT response for MLSx
+
+   When responding to the FEAT command, a server-FTP process that
+   supports MLST, and MLSD, plus internationalization of pathnames, MUST
+   indicate that this support exists.  It does this by including a MLST
+   feature line.  As well as indicating the basic support, the MLST
+   feature line indicates which MLST facts are available from the
+   server, and which of those will be returned if no subsequent "OPTS
+   MLST" command is sent.
+
+        mlst-feat     = SP "MLST" [SP factlist] CRLF
+        factlist      = 1*( factname ["*"] ";" )
+
+   The initial space shown in the mlst-feat response is that required by
+   the FEAT command, two spaces are not permitted.  If no factlist is
+   given, then the server-FTP process is indicating that it supports
+   MLST, but implements no facts.  Only pathnames can be returned.  This
+   would be a minimal MLST implementation, and useless for most
+   practical purposes.  Where the factlist is present, the factnames
+   included indicate the facts supported by the server.  Where the
+   optional asterisk appears after a factname, that fact will be
+   included in MLST format responses, until an "OPTS MLST" is given to
+   alter the list of facts returned.  After that, subsequent FEAT
+   commands will return the asterisk to show the facts selected by the
+   most recent "OPTS MLST".
+
+   Note that there is no distinct FEAT output for MLSD.  The presence of
+   the MLST feature indicates that both MLST and MLSD are supported.
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 50]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+8.8.1. Examples
+
+ C> Feat
+ S> 211- Features supported
+ S>  REST STREAM
+ S>  MDTM
+ S>  SIZE
+ S>  TVFS
+ S>  UTF8
+ S>  MLST Type*;Size*;Modify*;Perm*;Unique*;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+
+   Aside from some features irrelevant here, this server indicates that
+   it supports MLST including several, but not all, standard facts, all
+   of which it will send by default.  It also supports two OS dependent
+   facts, and one locally defined fact.  The latter three must be
+   requested expressly by the client for this server to supply them.
+
+ C> Feat
+ S> 211-Extensions supported:
+ S>  CLNT
+ S>  MDTM
+ S>  MLST type*;size*;modify*;UNIX.mode*;UNIX.owner;UNIX.group;unique;
+ S>  PASV
+ S>  REST STREAM
+ S>  SIZE
+ S>  TVFS
+ S>  Compliance Level: 19981201 (IETF mlst-05)
+ S> 211 End.
+
+   Again, in addition to some irrelevant features here, this server
+   indicates that it supports MLST, four of the standard facts, one of
+   which ("unique") is not enabled by default, and several OS dependent
+   facts, one of which is provided by the server by default.  This
+   server actually supported more OS dependent facts.  Others were
+   deleted for the purposes of this document to comply with document
+   formatting restrictions.
+
+8.9. OPTS parameters for MLST
+
+   For the MLSx commands, the Client-FTP may specify a list of facts it
+   wishes to be returned in all subsequent MLSx commands until another
+   OPTS MLST command is sent.  The format is specified by:
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 51]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+        mlst-opts     = "OPTS" SP "MLST"
+                        [ SP 1*( factname ";" ) ]
+
+   By sending the "OPTS MLST" command, the client requests the server to
+   include only the facts listed as arguments to the command in
+   subsequent output from MLSx commands.  Facts not included in the
+   "OPTS MLST" command MUST NOT be returned by the server.  Facts that
+   are included should be returned for each entry returned from the MLSx
+   command where they meaningfully apply.  Facts requested that are not
+   supported, or which are inappropriate to the file or directory being
+   listed should simply be omitted from the MLSx output.  This is not an
+   error.  Note that where no factname arguments are present, the client
+   is requesting that only the file names be returned.  In this case,
+   and in any other case where no facts are included in the result, the
+   space that separates the fact names and their values from the file
+   name is still required.  That is, the first character of the output
+   line will be a space, (or two characters will be spaces when the line
+   is returned over the control connection,) and the file name will
+   start immediately thereafter.
+
+   Clients should note that generating values for some facts can be
+   possible, but very expensive, for some servers.  It is generally
+   acceptable to retrieve any of the facts that the server offers as its
+   default set before any "OPTS MLST" command has been given, however
+   clients should use particular caution before requesting any facts not
+   in that set.  That is, while other facts may be available from the
+   server, clients should refrain from requesting such facts unless
+   there is a particular operational requirement for that particular
+   information, which ought be more significant than perhaps simply
+   improving the information displayed to an end user.
+
+   Note, there is no "OPTS MLSD" command, the fact names set with the
+   "OPTS MLST" command apply to both MLST and MLSD commands.
+
+   Servers are not required to accept "OPTS MLST" commands before
+   authentication of the user-PI, but may choose to permit them.
+
+8.9.1. OPTS MLST Response
+
+   The "response-message" from [6] to a successful OPTS MLST command has
+   the following syntax.
+
+        mlst-opt-resp = "MLST OPTS" [ SP 1*( factname ";" ) ]
+
+   This defines the "response-message" as used in the "opts-good"
+   message in RFC2389 [6].
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 52]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   The facts named in the response are those which the server will now
+   include in MLST (and MLSD) response, after the processing of the
+   "OPTS MLST" command.  Any facts from the request not supported by the
+   server will be omitted from this response message.  If no facts will
+   be included, the list of facts will be empty.  Note that the list of
+   facts returned will be the same as those marked by a trailing
+   asterisk ("*") in a subsequent FEAT command response.  There is no
+   requirement that the order of the facts returned be the same as that
+   in which they were requested, or that in which they will be listed in
+   a FEAT command response, or that in which facts are returned in MLST
+   responses.  The fixed string "MLST OPTS" in the response may be
+   returned in any case, or mixture of cases.
+
+8.9.2. Examples
+
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type*;Size;Modify*;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> OptS Mlst Type;UNIX.mode;Perm;
+ S> 201 MLST OPTS Type;Perm;UNIX.mode;
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type*;Size;Modify;Perm*;Unique;UNIX.mode*;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> opts MLst lang;type;charset;create;
+ S> 201 MLST OPTS Type;
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type*;Size;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> OPTS mlst size;frogs;
+ S> 201 MLST OPTS Size;
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type;Size*;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> opts MLst unique type;
+ S> 501 Invalid MLST options
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type;Size*;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+
+   For the purposes of this example, features other than MLST have been
+   deleted from the output to avoid clutter.  The example shows the
+   initial default feature output for MLST.  The facts requested are
+   then changed by the client.  The first change shows facts that are
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 53]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   available from the server being selected.  Subsequent FEAT output
+   shows the altered features as being returned.  The client then
+   attempts to select some standard features which the server does not
+   support.  This is not an error, however the server simply ignores the
+   requests for unsupported features, as the FEAT output that follows
+   shows.  Then, the client attempts to request a non-standard, and
+   unsupported, feature.  The server ignores that, and selects only the
+   supported features requested.  Lastly, the client sends a request
+   containing a syntax error (spaces cannot appear in the factlist.) The
+   server-FTP sends an error response and completely ignores the
+   request, leaving the fact set selected as it had been previously.
+
+   Note that in all cases, except the error response, the response lists
+   the facts that have been selected.
+
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type*;Size*;Modify*;Perm*;Unique*;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> Opts MLST
+ S> 201 MLST OPTS
+ C> Feat
+ S> 211- Features supported
+ S>  MLST Type;Size;Modify;Perm;Unique;UNIX.mode;UNIX.chgd;X.hidden;
+ S> 211 End
+ C> MLst tmp
+ S> 250- Listing tmp
+ S>   /tmp
+ S> 250 End
+ C> OPTS mlst unique;size;
+ S> 201 MLST OPTS Size;Unique;
+ C>  MLst tmp
+ S> 250- Listing tmp
+ S>  Unique=keVO1+YZ5; /tmp
+ S> 250 End
+ C> OPTS mlst unique;type;modify;
+ S> 201 MLST OPTS Type;Modify;Unique;
+ C> MLst tmp
+ S> 250- Listing tmp
+ S>  Type=dir;Modify=19990930152225;Unique=keVO1+YZ5; /tmp
+ S> 250 End
+ C> OPTS mlst fish;cakes;
+ S> 201 MLST OPTS
+ C> MLst tmp
+ S> 250- Listing tmp
+ S>   /tmp
+ S> 250 End
+ C> OptS Mlst Modify;Unique;
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 54]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+ S> 201 MLST OPTS Modify;Unique;
+ C> MLst tmp
+ S> 250- Listing tmp
+ S>  Modify=19990930152225;Unique=keVO1+YZ5; /tmp
+ S> 250 End
+ C> opts MLst fish cakes;
+ S> 501 Invalid MLST options
+ C>  MLst tmp
+ S> 250- Listing tmp
+ S>  Modify=19990930152225;Unique=keVO1+YZ5; /tmp
+ S> 250 End
+
+   This example shows the effect of changing the facts requested upon
+   subsequent MLST commands.  Notice that a syntax error leaves the set
+   of selected facts unchanged.  Also notice exactly two spaces
+   preceding the pathname when no facts were selected, either
+   deliberately, or because none of the facts requested were available.
+
+9. Impact On Other FTP Commands
+
+   Along with the introduction of MLST, traditional FTP commands must be
+   extended to allow for the use of more than US-ASCII or EBCDIC
+   character sets.  In general, the support of MLST requires support for
+   arbitrary character sets wherever filenames and directory names are
+   allowed.  This applies equally to both arguments given to the
+   following commands and to the replies from them, as appropriate.
+
+        CWD
+        RETR
+        STOR
+        STOU
+        APPE
+        RNFR
+        RNTO
+        DELE
+        RMD
+        MKD
+        PWD
+        STAT
+
+   The arguments to all of these commands should be processed the same
+   way that MLST commands and responses are processed with respect to
+   handling embedded spaces, CRs and NULs.  See section 2.2.
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 55]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+10. Character sets and Internationalization
+
+   FTP commands are protocol elements, and are always expressed in
+   ASCII.  FTP responses are composed of the numeric code, which is a
+   protocol element, and a message, which is often expected to convey
+   information to the user.  It is not expected that users normally
+   interact directly with the protocol elements, rather the user FTP-
+   process constructs the commands, and interprets the results, in the
+   manner best suited for the particular user.  Explanatory text in
+   responses generally has no particular meaning to the protocol.  The
+   numeric codes provide all necessary information.  Server-PIs are free
+   to provide the text in any language that can be adequately
+   represented in ASCII, or where an alternative language and
+   representation has been negotiated (see [7]) in that language and
+   representation.
+
+   Pathnames are expected to be encoded in UTF-8 allowing essentially
+   any character to be represented in a pathname.  Meaningful pathnames
+   are defined by the server NVFS.
+
+   No restrictions at all are placed upon the contents of files
+   transferred using the FTP protocols.  Unless the "media-type" fact is
+   provided in a MLSx response nor is any advice given here which would
+   allow determining the content type.  That information is assumed to
+   be obtained via other means.
+
+11. IANA Considerations
+
+   This specification makes use of some lists of values currently
+   maintained by the IANA, and creates two new lists for the IANA to
+   maintain.  It does not add any values to any existing registries.
+
+   The existing IANA registries used by this specification are modified
+   using mechanisms specified elsewhere.
+
+11.1. The OS specific fact registry
+
+   A registry of OS specific fact names shall be maintained by the IANA.
+   The OS names for the OS portion of the fact name must be taken from
+   the IANA's list of registered OS names.  To add a fact name to this
+   OS specific registry of OS specific facts, an applicant must send to
+   the IANA a request, in which is specified the OS name, the OS
+   specific fact name, a definition of the syntax of the fact value,
+   which must conform to the syntax of a token as given in this
+   document, and a specification of the semantics to be associated with
+   the particular fact and its values.  Upon receipt of such an
+   application, and if the combination of OS name and OS specific fact
+   name has not been previously defined, the IANA will add the
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 56]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   specification to the registry.
+
+   Any examples of OS specific facts found in this document are to be
+   treated as examples of possible OS specific facts, and do not form a
+   part of the IANA's registry merely because of being included in this
+   document.
+
+11.2. The OS specific filetype registry
+
+   A registry of OS specific file types shall be maintained by the IANA.
+   The OS names for the OS portion of the fact name must be taken from
+   the IANA's list of registered OS names.  To add a file type to this
+   OS specific registry of OS specific file types, an applicant must
+   send to the IANA a request, in which is specified the OS name, the OS
+   specific file type, a definition of the syntax of the fact value,
+   which must conform to the syntax of a token as given in this
+   document, and a specification of the semantics to be associated with
+   the particular fact and its values.  Upon receipt of such an
+   application, and if the combination of OS name and OS specific file
+   type has not been previously defined, the IANA will add the
+   specification to the registry.
+
+   Any examples of OS specific file types found in this document are to
+   be treated as potential OS specific file types only, and do not form
+   a part of the IANA's registry merely because of being included in
+   this document.
+
+12. Security Considerations
+
+   This memo does not directly concern security.  It is not believed
+   that any of the mechanisms documented here impact in any particular
+   way upon the security of FTP.
+
+   Implementing the SIZE command, and perhaps some of the facts of the
+   MDLx commands, may impose a considerable load on the server, which
+   could lead to denial of service attacks.  Servers have, however,
+   implemented this for many years, without significant reported
+   difficulties.
+
+   With the introduction of virtual hosts to FTP, and the possible
+   accompanying multiple authentication environments, server
+   implementors will need to take some care to ensure that integrity is
+   maintained.
+
+   The FEAT and OPTS commands may be issued before the FTP
+   authentication has occurred [6].  This allows unauthenticated clients
+   to determine which of the features defined here are supported, and to
+   negotiate the fact list for MLSx output.  No actual MLSx commands may
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 57]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   be issued however, and no problems with permitting the selection of
+   the format prior to authentication are foreseen.
+
+   A general discussion of issues related to the security of FTP can be
+   found in [14].
+
+13. References
+
+   [1]  Coded Character Set--7-bit American Standard Code for Information
+        Interchange, ANSI X3.4-1986.
+
+   [2]  Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
+        10646", RFC 2044, October 1996.
+
+   [3]  Postel, J., Reynolds, J., "File Transfer Protocol (FTP)",
+        STD 9, RFC 959, October 1985
+
+   [4]  Bradner, S., "Key words for use in RFCs to Indicate
+        Requirement Levels", BCP 14, RFC 2119, March 1997
+
+   [5]  Crocker, D., Overell, P., "Augmented BNF for Syntax
+        Specifications: ABNF", RFC 2234, November 1997
+
+   [6]  Hethmon, P., Elz, R., "Feature negotiation mechanism for the
+        File Transfer Protocol", RFC 2389, August 1998
+
+   [7]  Curtin, W., "Internationalization of the File Transfer Protocol",
+        RFC 2640, July 1999
+
+   [8]  Postel, J., Reynolds, J., "Telnet protocol Specification"
+        STD 8, RFC 854, May 1983
+
+   [9]  Braden, R,. "Requirements for Internet Hosts -- Application
+        and Support", STD 3, RFC 1123, October 1989
+
+   [10] Mockapetris, P., "Domain Names - Concepts and Facilities"
+        STD 13, RFC 1034, November 1987
+
+   [11] ISO/IEC 10646-1:1993  "Universal multiple-octet coded character set
+        (UCS) -- Part 1: Architecture and basic multilingual plane",
+        International Standard -- Information Technology, 1993
+
+   [12] Internet Assigned Numbers Authority.  http://www.iana.org
+        Email: iana@iana.org.
+
+   [13] Alvestrand, H., "Tags for the Identification of Languages"
+        RFC 1766, March 1995
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 58]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+   [14] Allman, M., Ostermann, S., "FTP Security Considerations"
+        RFC 2577, May 1999
+
+Acknowledgments
+
+   This document is a product of the FTPEXT working group of the IETF.
+
+   The following people are among those who have contributed to this
+   document:
+
+        Alex Belits
+        D. J. Bernstein
+        Dave Cridland
+        Martin J. Duerst
+        Mike Gleason
+        Mark Harris
+        Alun Jones
+        James Matthews
+        Luke Mewburn
+        Jan Mikkelsen
+        Keith Moore
+        Buz Owen
+        Mark Symons
+        Stephen Tihor
+        and the entire FTPEXT working group of the IETF.
+
+   Apologies are offered to any inadvertently omitted.
+
+   Bernhard Rosenkraenzer suggested the HOST command, and initially
+   described it.
+
+   The description of the modifications to the REST command and the MDTM
+   and SIZE commands comes from a set of modifications suggested for
+   RFC959 by Rick Adams in 1989.  A draft containing just those
+   commands, edited by David Borman, has been merged with this document.
+
+   Mike Gleason provided access to the FTP server used in some of the
+   examples.
+
+   All of the examples in this document are taken from actual
+   client/server exchanges, though some have been edited for brevity, or
+   to meet document formatting requirements.
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 59]
+
+
+Internet Draft       draft-ietf-ftpext-mlst-08.txt          October 1999
+
+
+Copyright
+
+   This document is in the public domain.  Any and all copyright
+   protection that might apply in any jurisdiction is expressly
+   disclaimed.
+
+Editors' Addresses
+
+   Robert Elz
+   University of Melbourne
+   Department of Computer Science
+   Parkville, Vic   3052
+   Australia
+
+   Email: kre@munnari.OZ.AU
+
+
+   Paul Hethmon
+   Hethmon Brothers
+   2305 Chukar Road
+   Knoxville, TN 37923 USA
+
+   Phone: +1 423 690 8990
+   Email: phethmon@hethmon.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Hethmon             [Expires April 2000]                 [Page 60]
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt
new file mode 100644
index 0000000..5845995
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt
@@ -0,0 +1,725 @@
+
+
+Kerberos Working Group                                         M. Swift 
+Internet Draft                                         University of WA 
+Document: draft-ietf-krb-wg-kerberos-referrals-00.txt         J. Brezak 
+Category: Standards Track                                     Microsoft 
+                                                             J. Trostle 
+                                                          Cisco Systems 
+                                                             K. Raeburn 
+                                                                    MIT 
+                                                          February 2001 
+
+ 
+           Generating KDC Referrals to locate Kerberos realms 
+ 
+ 
+Status of this Memo 
+ 
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1].  
+    
+   Internet-Drafts are working documents of the Internet Engineering 
+   Task Force (IETF), its areas, and its working groups. Note that 
+   other groups may also distribute working documents as Internet-
+   Drafts. Internet-Drafts are draft documents valid for a maximum of 
+   six months and may be updated, replaced, or obsoleted by other 
+   documents at any time. It is inappropriate to use Internet- Drafts 
+   as reference material or to cite them other than as "work in 
+   progress."  
+    
+   The list of current Internet-Drafts can be accessed at 
+   http://www.ietf.org/ietf/1id-abstracts.txt  
+   The list of Internet-Draft Shadow Directories can be accessed at 
+   http://www.ietf.org/shadow.html. 
+    
+1. Abstract 
+    
+   The draft documents a new method for a Kerberos Key Distribution 
+   Center (KDC) to respond to client requests for kerberos tickets when 
+   the client does not have detailed configuration information on the 
+   realms of users or services. The KDC will handle requests for 
+   principals in other realms by returning either a referral error or a 
+   cross-realm TGT to another realm on the referral path. The clients 
+   will use this referral information to reach the realm of the target 
+   principal and then receive the ticket. 
+    
+2. Conventions used in this document 
+    
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+    
+3. Introduction 
+    
+
+
+  
+Swift                 Category - Standards Track                     1 
+
+
+
+
+
+
+
+
+                            KDC Referrals               February 2001 
+ 
+ 
+   Current implementations of the Kerberos AS and TGS protocols, as 
+   defined in RFC 1510 [3], use principal names constructed from a 
+   known user or service name and realm. A service name is typically 
+   constructed from a name of the service and the DNS host name of the 
+   computer that is providing the service. Many existing deployments of 
+   Kerberos use a single Kerberos realm where all users and services 
+   would be using the same realm. However in an environment where there 
+   are multiple trusted Kerberos realms, the client needs to be able to 
+   determine what realm a particular user or service is in before 
+   making an AS or TGS request. Traditionally this requires client 
+   configuration to make this possible. 
+    
+   When having to deal with multiple trusted realms, users are forced 
+   to know what realm they are in before they can obtain a ticket 
+   granting ticket (TGT) with an AS request. However, in many cases the 
+   user would like to use a more familiar name that is not directly 
+   related to the realm of their Kerberos principal name. A good 
+   example of this is an RFC-822 style email name. This document 
+   describes a mechanism that would allow a user to specify a user 
+   principal name that is an alias for the user's Kerberos principal 
+   name. In practice this would be the name that the user specifies to 
+   obtain a TGT from a Kerberos KDC. The user principal name no longer 
+   has a direct relationship with the Kerberos principal or realm. Thus 
+   the administrator is able to move the user's principal to other 
+   realms without the user having to know that it happened. 
+    
+   Once a user has a TGT, they would like to be able to access services 
+   in any trusted Kerberos realm. To do this requires that the client 
+   be able to determine what realm the target service's host is in 
+   before making the TGS request. Current implementations of Kerberos 
+   typically have a table that maps DNS host names to corresponding 
+   Kerberos realms. In order for this to work on the client, each 
+   application canonicalizes the host name of the service by doing a 
+   DNS lookup followed by a reverse lookup using the returned IP 
+   address. The returned primary host name is then used in the 
+   construction of the principal name for the target service. In order 
+   for the correct realm to be added for the target host, the mapping 
+   table [domain_to_realm] is consulted for the realm corresponding to 
+   the DNS host name. The corresponding realm is then used to complete 
+   the target service principal name. 
+    
+   This traditional mechanism requires that each client have very 
+   detailed configuration information about the hosts that are 
+   providing services and their corresponding realms. Having client 
+   side configuration information can be very costly from an 
+   administration point of view - especially if there are many realms 
+   and computers in the environment. 
+    
+   Current implementations of Kerberos also have difficulty with 
+   services on hosts that can have multiple host names (multi-homed 
+   hosts). Traditionally, each host name would need to have a distinct 
+   principal and a corresponding key. An extreme example of this would 
+   be a Web server with multiple host names for each domain that it is 
+  
+Swift                 Category - Standards Track                     2 
+
+
+
+
+
+
+
+
+                            KDC Referrals               February 2001 
+ 
+ 
+   supporting. Principal aliases allow multi-homed hosts to have a 
+   single Kerberos principal (with a single key) that can have 
+   identities for each distinct host name. This mechanism allows the 
+   Kerberos client to request a service ticket for the distinct 
+   hostname and allows the KDC to return a ticket for the single 
+   principal that the host is using. This canonical principal name 
+   allows the host to only have to manage a single key for all of the 
+   identities that it supports. In addition, the client only needs to 
+   know the realm of the canonical service name, not all of the 
+   identities. 
+    
+   This draft proposes a solution for these problems and simplifies 
+   administration by minimizing the configuration information needed on 
+   each computer using Kerberos. Specifically it describes a mechanism 
+   to allow the KDC to handle Canonicalization of names, provide for 
+   principal aliases for users and services and provide a mechanism for 
+   the KDC to determine the trusted realm authentication path by being 
+   able to generate referrals to other realms in order to locate 
+   principals. 
+    
+   To rectify these problems, this draft introduces three new kinds of   
+   KDC referrals: 
+        
+   1. AS ticket referrals, in which the client doesn't know which realm 
+      contains a user account.  
+   2. TGS ticket referrals, in which the client doesn't know which 
+      realm contains a server account.  
+   3. Cross realm shortcut referrals, in which the KDC chooses the next 
+      path on a referral chain 
+    
+4. Realm Organization Model 
+    
+   This draft assumes that the world of principals is arranged on 
+   multiple levels: the realm, the enterprise, and the world. A KDC may 
+   issue tickets for any principal in its realm or cross-realm tickets 
+   for realms with which it has a direct trust relationship. The KDC 
+   also has access to a trusted name service that can resolve any name 
+   from within its enterprise into a realm. This trusted name service 
+   removes the need to use an untrusted DNS lookup for name resolution. 
+    
+   For example, consider the following configuration, where lines 
+   indicate trust relationships: 
+    
+                  MS.COM  
+                /        \ 
+               /          \ 
+        OFFICE.MS.COM    NT.MS.COM 
+    
+   In this configuration, all users in the MS.COM enterprise could have 
+   a principal name such as alice@MS.COM, with the same realm portion. 
+   In addition, servers at MS.COM should be able to have DNS host names 
+   from any DNS domain independent of what Kerberos realm their 
+   principal resides in. 
+  
+Swift                 Category - Standards Track                     3 
+
+
+
+
+
+
+
+
+                            KDC Referrals               February 2001 
+ 
+ 
+    
+5. Principal Names 
+    
+5.1 Service Principal Names 
+    
+   The standard Kerberos model in RFC 1510 [3] gives each Kerberos 
+   principal a single name. However, if a service is reachable by 
+   several addresses, it is useful for a principal to have multiple 
+   names. Consider a service running on a multi-homed machine. Rather 
+   than requiring a separate principal and password for each name it 
+   exports, a single account with multiple names could be used. 
+    
+   Multiple names are also useful for services in that clients need not 
+   perform DNS lookups to resolve a host name into a full DNS address. 
+   Instead, the service may have a name for each of its supported host 
+   names, including its IP address. Nonetheless, it is still convenient 
+   for the service to not have to be aware of all these names. Thus a 
+   new name may be added to DNS for a service by updating DNS and the 
+   KDC database without having to notify the service. In addition, it 
+   implies that these aliases are globally unique: they do not include 
+   a specifier dictating what realm contains the principal. Thus, an 
+   alias for a server is of the form "class/instance/name" and may be 
+   transmitted as any name type. 
+    
+5.2 Client Principal Names 
+    
+   Similarly, a client account may also have multiple principal names. 
+   More useful, though, is a globally unique name that allows 
+   unification of email and security principal names. For example, all 
+   users at MS may have a client principal name of the form 
+   "joe@MS.COM" even though the principals are contained in multiple 
+   realms. This global name is again an alias for the true client 
+   principal name, which is indicates what realm contains the 
+   principal. Thus, accounts "alice" in the realm ntdev.MS.COM and 
+   "bob" in office.MS.COM may logon as "alice@MS.COM" and "bob@MS.COM". 
+   This requires a new client principal name type, as the AS-REQ 
+   message only contains a single realm field, and the realm portion of 
+   this name doesn't correspond to any Kerberos realm. Thus, the entire 
+   name "alice@MS.COM" is transmitted in the client name field of the 
+   AS-REQ message, with a name type of KRB-NT-ENTERPRISE-PRINCIPAL. 
+    
+        KRB-NT-ENTERPRISE-PRINCIPAL     10 
+    
+5.3 Name Canonicalization 
+    
+   In order to support name aliases, the Kerberos client must 
+   explicitly request the name-canonicalization KDC option (bit 15) in 
+   the ticket flags for the TGS-REQ. This flag indicates to the KDC 
+   that the client is prepared to receive a reply with a different 
+   client or server principal name than the request. Thus, the 
+   KDCOptions types is redefined as: 
+    
+        KDCOptions ::=   BIT STRING { 
+  
+Swift                 Category - Standards Track                     4 
+
+
+
+
+
+
+
+
+                            KDC Referrals               February 2001 
+ 
+ 
+                          reserved(0), 
+                          forwardable(1), 
+                          forwarded(2), 
+                          proxiable(3), 
+                          proxy(4), 
+                          allow-postdate(5), 
+                          postdated(6), 
+                          unused7(7), 
+                          renewable(8), 
+                          unused9(9), 
+                          unused10(10), 
+                          unused11(11), 
+                          name-canonicalize(15), 
+                          renewable-ok(27), 
+                          enc-tkt-in-skey(28), 
+                          renew(30), 
+                          validate(31) 
+         } 
+    
+6. Client Referrals 
+    
+   The simplest form of ticket referral is for a user requesting a 
+   ticket using an AS-REQ. In this case, the client machine will send 
+   the AS request to a convenient trusted realm, either the realm of 
+   the client machine or the realm of the client name. In the case of 
+   the name Alice@MS.COM, the client may optimistically choose to send 
+   the request to MS.COM. 
+    
+   The client will send the string "alice@MS.COM" in the client 
+   principal name field using the KRB-NT-ENTERPRISE-PRINCIPAL name type 
+   with the crealm set to MS.COM. The KDC will try to lookup the name 
+   in its local account database. If the account is present in the 
+   crealm of the request, it MUST return a KDC reply structure with the 
+   appropriate ticket. If the account is not present in the crealm 
+   specified in the request and the name-canonicalize flag in the 
+   KDCoptions is set, the KDC will try to lookup the entire name, 
+   Alice@MS.COM, using a name service. If this lookup is unsuccessful, 
+   it MUST return the error KDC_ERR_C_PRINCIPAL_UNKNOWN. If the lookup 
+   is successful, it MUST return an error KDC_ERR_WRONG_REALM (0x44) 
+   and in the error message the cname and crealm field MUST contain the 
+   client name and the true realm of the client. If the KDC contains 
+   the account locally, it MUST return a normal ticket. The client name 
+   and realm portions of the ticket and KDC reply message MUST be the 
+   client's true name in the realm, not the globally unique name. 
+    
+   If the client receives a KDC_ERR_WRONG_REALM error, it will issue a 
+   new AS request with the same client principal name used to generate 
+   the first referral to the realm specified by the crealm field of the 
+   kerberos error message from the first request. This request MUST 
+   produce a valid AS response with a ticket for the canonical user 
+   name. The ticket MUST also include the ticket extension containing 
+   the TE-REFERRAL-DATA with the referred-names set to the name from 
+
+  
+Swift                 Category - Standards Track                     5 
+
+
+
+
+
+
+
+
+                            KDC Referrals               February 2001 
+ 
+ 
+   the AS request. Any other error or referral will terminate the 
+   request and result in a failed AS request. 
+    
+7. Server Referrals 
+    
+   The server referral mechanism is a bit more complex than the client 
+   referral mechanism. The primary problem is that the KDC must return 
+   a referral ticket rather than an error message, so it will include 
+   in the TGS response information about what realm contains the 
+   service. This is done by returning information about the server name 
+   in the pre-auth data field of the KDC reply. 
+    
+   If the KDC resolves the server principal name into a principal in 
+   its realm, it may return a normal ticket. If the name-canonicalize 
+   flag in the KDCoptions is not set, then the KDC MUST only look up 
+   the name as a normal principal name. Otherwise, it MUST search all 
+   aliases as well. The server principal name in both the ticket and 
+   the KDC reply MUST be the true server principal name instead of one 
+   of the aliases. This frees the application server from needing to 
+   know about all its aliases. 
+    
+   If the name-canonicalize flag in the KDCoptions is set and the KDC 
+   doesn't find the principal locally, the KDC can return a cross-realm 
+   ticket granting ticket to the next hop on the trust path towards a 
+   realm that may be able to resolve the principal name. 
+    
+   If the KDC can determine the service principal's realm, it can 
+   return the server realm as ticket extension data. The ticket 
+   extension MUST be encrypted using the session key from the ticket, 
+   and the same etype as is used to protect the TGS reply body. 
+    
+   The data itself is an ASN.1 encoded structure containing the 
+   server's realm, and if known, canonical principal name and alias 
+   names. The first name in the sequence is the canonical principal 
+   name. 
+    
+                TE-REFERRAL-INFO        20 
+                 
+                TE-REFERRAL-DATA ::= SEQUENCE { 
+                        referred-server-realm[0]  KERB-REALM 
+                        referred-names[1]         SEQUENCE OF 
+                        PrincipalNames OPTIONAL 
+                } 
+    
+    
+   The client can use this information to request a chain of cross-
+   realm ticket granting tickets until it reaches the realm of the 
+   server, and can then expect to receive a valid service ticket. 
+    
+   In order to facilitate cross-realm interoperability, a client SHOULD 
+   NOT send short names in TGS requests to the KDC. A short name is 
+   defined as a Kerberos name that includes a DNS name that is not 
+   fully qualified. The client MAY use forward DNS lookups to obtain 
+  
+Swift                 Category - Standards Track                     6 
+
+
+
+
+
+
+
+
+                            KDC Referrals               February 2001 
+ 
+ 
+   the long name that corresponds to the user entered short name (the 
+   short name will be a prefix of the corresponding long name). 
+    
+   The client may use the referred-names field to tell if it already 
+   has a ticket to the server in its ticket cache. 
+    
+   The client can use this information to request a chain of cross-
+   realm ticket granting tickets until it reaches the realm of the 
+   server, and can then expect to receive a valid service ticket. 
+   However an implementation should limit the number of referrals that 
+   it processes to avoid infinite referral loops. A suggested limit is 
+   5 referrals before giving up. 
+    
+8. Cross Realm Routing 
+    
+   The current Kerberos protocol requires the client to explicitly 
+   request a cross-realm TGT for each pair of realms on a referral 
+   chain. As a result, the client machines need to be aware of the 
+   trust hierarchy and of any short-cut trusts (those that aren't 
+   parent-child trusts). This requires more configurations on the 
+   client. Instead, the client should be able to request a TGT to the 
+   target realm from each realm on the route. The KDC will determine 
+   the best path for the client and return a cross-realm TGT. The 
+   client has to be aware that a request for a cross-realm TGT may 
+   return a TGT for a realm different from the one requested. 
+    
+9. Security Considerations 
+ 
+   The original Kerberos specification stated that the server principal 
+   name in the KDC reply was the same as the server name in the 
+   request. These protocol changes break that assumption, so the client 
+   may be vulnerable to a denial of service attack by an attacker that 
+   replays replies from previous requests. It can verify that the 
+   request was one of its own by checking the client-address field or 
+   authtime field, though, so the damage is limited and detectable. 
+    
+   For the AS exchange case, it is important that the logon mechanism 
+   not trust a name that has not been used to authenticate the user. 
+   For example, the name that the user enters as part of a logon 
+   exchange may not be the name that the user authenticates as, given 
+   that the KDC_ERR_WRONG_REALM error may have been returned. The 
+   relevant Kerberos naming information for logon (if any), is the 
+   client name and client realm in the service ticket targeted at the 
+   workstation that was obtained using the user's initial TGT. 
+    
+   How the client name and client realm is mapped into a local account 
+   for logon is a local matter, but the client logon mechanism MUST use 
+   additional information such as the client realm and/or authorization 
+   attributes from the service ticket presented to the workstation by 
+   the user, when mapping the logon credentials to a local account on 
+   the workstation. 
+    
+10. Discussion 
+  
+Swift                 Category - Standards Track                     7 
+
+
+
+
+
+
+
+
+                            KDC Referrals               February 2001 
+ 
+ 
+ 
+   This section contains issues and suggestions that need to be 
+   incorporated into this draft. From Ken Raeburn [raeburn@mit.edu]: 
+    
+   1) No means to do name canonicalization if you're not 
+      authenticating. Is it okay to require credentials in order to do 
+      canonicalization? If so, how about this: Send a TGS_REQ for the 
+      service name you have.  If you get back a TGS_REP for a service, 
+      great; pull out the name and throw out the credentials.  If you 
+      get back a TGS_REP for a TGT service, ask again in the specified 
+      realm.  If you get back a KRB_ERROR because policy prohibits you 
+      from authenticating to that service, we can add to the 
+      specification that the {realm,sname} in the KRB_ERROR must be the 
+      canonical name, and the checksum must be used.  As long as the 
+      checksum is present, it's still a secure exchange with the KDC.  
+       
+      If we have to be able to do name canonicalization without any 
+      sort of credentials, either client-side (tickets) or server-side 
+      (tickets automatically acquired via service key), I think we just 
+      lose. But maybe GSSAPI should be changed if that's the case. 
+    
+   2) Can't refer to another realm and specify a different service name 
+      to give to that realm's KDC.  The local KDC can tell you a 
+      different service name or a different realm name, but not both. 
+      This comes up in the "gnuftp.raeburn.org CNAME ftp.gnu.org" type 
+      of case I've mentioned. 
+       
+      Except ... the KDC-REP structure includes padata and ticket 
+      extensions fields that are extensible.  We could add a required 
+      value to one of them -- perhaps only in the case where you return 
+      a TGT when not asked -- that contains signed information about 
+      the principal name to ask for in the other realm.  (It would have 
+      to be required, otherwise a man-in-the-middle could make it go 
+      away.) Signing would be done using the session key for the TGS. 
+    
+   3) Secure canonicalization of service name in AS_REQ. If the 
+      response is an AS_REP, we need a way to tell that the altered 
+      server name wasn't a result of a MITM attack on the AS_REQ 
+      message.  Again, the KDC-REP extensible fields could have a new 
+      required value added when name canonicalization happens, 
+      indicating what the original principal name (in the AS_REQ 
+      message) was, and signed using the same key as protects the 
+      AS_REP.  If it doesn't match what the client requested, the 
+      messages were altered in transit. 
+    
+   4) Client name needs referral to another realm, and server name 
+      needs canonicalization of some sort. The above fixes wouldn't 
+      work for this case, and I'm not even sure which KDC should be 
+      doing the canonicalization anyways. 
+    
+    
+   The other-principal-name datum would probably look something like: 
+    
+  
+Swift                 Category - Standards Track                     8 
+
+
+
+
+
+
+
+
+                            KDC Referrals               February 2001 
+ 
+ 
+       PrincipalAndNonce ::= SEQUENCE { 
+                    name[0]     PrincipalName, 
+                    nonce[1]    INTEGER         -- copied from KDC_REQ 
+       } 
+       SignedPrincipal ::= SEQUENCE { 
+                    name-and-nonce[0]   PrincipalAndNonce, 
+                    cksum[1]    Checksum 
+       } 
+       {PA,TE}-ORIGINAL-SERVER-PRINCIPAL ::= SignedPrincipal 
+       {PA,TE}-REMOTE-SERVER-PRINCIPAL ::= SignedPrincipal 
+    
+   with the checksum computed over the encoding of the 'name-and-nonce' 
+   field, and appropriate PA- or TE- numbers assigned.  I don't have a 
+   strong opinion on whether it'd be a pa-data or ticket extension; 
+   conceptually it seems like an abuse of either, but, well, I think 
+   I'd rather abuse them than leave the facility both in and 
+   inadequate. 
+    
+   The nonce is needed because multiple exchanges may be made with the 
+   same key, and these extension fields aren't packed in with the other 
+   encrypted data in the same response, so a MITM could pick apart 
+   multiple messages and mix-and-match components.  (In a TGS_REQ 
+   exchange, a subsession key would help, but it's not required.) 
+    
+   The extension field would be required to prevent a MITM from 
+   discarding the field from a response; a flag bit in a protected part 
+   of the message (probably in 'flags' in EncKDCRepPart) could also let 
+   us know of a cases where the information can be omitted, namely, 
+   when no name change is done.  Perhaps the bit should be set to 
+   indicate that a name change *was* done, and clear if it wasn't, 
+   making the no-change case more directly compatible with RFC1510. 
+ 
+11. References 
+    
+ 
+   1  Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+      9, RFC 2026, October 1996. 
+    
+   2  Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+      Levels", BCP 14, RFC 2119, March 1997 
+    
+   3  Kohl, J., Neuman, C., "The Kerberos Network Authentication 
+      Service (V5)", RFC 1510, September 1993 
+    
+    
+12. Author's Addresses 
+    
+   Michael Swift 
+   University of Washington 
+   Seattle, Washington 
+   Email: mikesw@cs.washington.edu 
+    
+   John Brezak 
+  
+Swift                 Category - Standards Track                     9 
+
+
+
+
+
+
+
+
+                            KDC Referrals               February 2001 
+ 
+ 
+   Microsoft 
+   One Microsoft Way 
+   Redmond, Washington 
+   Email: jbrezak@Microsoft.com 
+    
+   Jonathan Trostle 
+   Cisco Systems 
+   170 W. Tasman Dr. 
+   San Jose, CA 95134 
+   Email: jtrostle@cisco.com 
+    
+   Kenneth Raeburn 
+   Massachusetts Institute of Technology 77 
+   Massachusetts Avenue 
+   Cambridge, Massachusetts 02139 
+   Email: raeburn@mit.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                 Category - Standards Track                    10 
+
+
+
+
+
+
+
+
+                            KDC Referrals               February 2001 
+ 
+ 
+   Full Copyright Statement 
+
+   Copyright (C) The Internet Society (1999).  All Rights Reserved. 
+    
+   This document and translations of it may be copied and furnished to 
+   others, and derivative works that comment on or otherwise explain it 
+   or assist in its implementation may be prepared, copied, published 
+   and distributed, in whole or in part, without restriction of any 
+   kind, provided that the above copyright notice and this paragraph 
+   are included on all such copies and derivative works.  However, this   
+   document itself may not be modified in any way, such as by removing   
+   the copyright notice or references to the Internet Society or other   
+   Internet organizations, except as needed for the purpose of 
+   developing Internet standards in which case the procedures for 
+   copyrights defined in the Internet Standards process must be 
+   followed, or as required to translate it into languages other than 
+   English. 
+    
+   The limited permissions granted above are perpetual and will not be 
+   revoked by the Internet Society or its successors or assigns. 
+    
+   This document and the information contained herein is provided on an 
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 
+    
+    
+    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                 Category - Standards Track                    11 
+
+
+
+
+
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt b/crypto/heimdal/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt
new file mode 100644
index 0000000..24325fd
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-raeburn-cat-gssapi-krb5-3des-00.txt
@@ -0,0 +1,281 @@
+CAT Working Group                                           K. Raeburn
+Internet-draft                                                     MIT
+Category:                                                July 14, 2000
+Updates: RFC 1964
+Document: draft-raeburn-cat-gssapi-krb5-3des-00.txt
+
+        Triple-DES Support for the Kerberos 5 GSSAPI Mechanism
+
+Status of this Memo
+ 
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts
+   are working documents of the Internet Engineering Task Force
+   (IETF), its areas, and its working groups. Note that other groups
+   may also distribute working documents as
+   Internet-Drafts. Internet-Drafts are draft documents valid for a
+   maximum of six months and may be updated, replaced, or obsoleted by
+   other documents at any time. It is inappropriate to use
+   Internet-Drafts as reference material or to cite them other than as
+   "work in progress."
+     
+   The list of current Internet-Drafts can be accessed at 
+   http://www.ietf.org/ietf/1id-abstracts.txt  
+
+   The list of Internet-Draft Shadow Directories can be accessed at 
+   http://www.ietf.org/shadow.html. 
+    
+1. Abstract 
+
+   The MIT Kerberos 5 release version 1.2 includes support for
+   triple-DES with key derivation [KrbRev].  Recent work by the EFF
+   [EFF] has demonstrated the vulnerability of single-DES mechanisms
+   to brute-force attacks by sufficiently motivated and well-funded
+   parties.
+
+   The GSSAPI Kerberos 5 mechanism definition [GSSAPI-KRB5]
+   specifically enumerates encryption and checksum types,
+   independently of how such schemes may be used in Kerberos.  In the
+   long run, a new Kerberos-based mechanism, which does not require
+   separately enumerating for the GSSAPI mechanism each of the
+   encryption types defined by Kerberos, appears to be a better
+   approach.  Efforts to produce such a specification are under way.
+
+   In the interest of providing increased security in the interim,
+   however, MIT is proposing adding support for triple-DES to the
+   existing mechanism, as described here.
+
+2. Conventions Used in this Document
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
+   this document are to be interpreted as described in RFC 2119.
+
+3. New Algorithm Identifiers
+
+   One new sealing algorithm is defined, for use in WRAP tokens:
+
+   02 00 - DES3-KD
+
+   This algorithm uses triple-DES with key derivation, with a usage
+   value KG_USAGE_SEAL.  Padding is still to 8-byte multiples, and the
+   IV for encrypting application data is zero.
+
+   One new signing algorithm is defined, for use in MIC, Wrap, and
+   Delete tokens:
+
+   04 00 - HMAC SHA1 DES3-KD
+
+   This algorithm generates an HMAC using SHA-1 and a derived DES3 key
+   with usage KG_USAGE_SIGN, as (ought to be described) in [KrbRev].
+
+   [XXX: The current [KrbRev] description refers to expired I-Ds from
+   Marc Horowitz.  The text in [KrbRev] may be inadequate to produce
+   an interoperable implementation.]
+
+   The checksum size for this algorithm is 20 octets.  See section 5.3
+   below for the use of checksum lengths of other than eight bytes.
+
+4. Key Derivation
+
+   For purposes of key derivation, we add three new usage values to the
+   list defined in [KrbRev]; one for signing messages, one for
+   sealing messages, and one for encrypting sequence numbers:
+
+   #define KG_USAGE_SEAL 22
+   #define KG_USAGE_SIGN 23
+   #define KG_USAGE_SEQ  24
+
+5. Adjustments to Previous Definitions
+
+5.1. Quality of Protection
+
+   The GSSAPI specification [GSSAPI] says that a zero QOP value
+   indicates the "default".  The original specification for the
+   Kerberos 5 mechanism says that a zero QOP value (or a QOP value
+   with the appropriate bits clear) means DES encryption.
+
+   Rather than continue to force the use of plain DES when the
+   application doesn't use mechanism-specific QOP values, the better
+   choice appears to be to redefine the DES QOP value as some non-zero
+   value, and define a triple-DES value as well.  Then a zero value
+   continues to imply the default, which would be triple-DES
+   protection when given a triple-DES session key.
+
+   Our values are:
+
+   GSS_KRB5_INTEG_C_QOP_HMAC_SHA1        0x0004
+            /* SHA-1 checksum encrypted with key derivation */
+
+   GSS_KRB5_CONF_C_QOP_DES               0x0100
+            /* plain DES encryption */
+   GSS_KRB5_CONF_C_QOP_DES3_KD           0x0200
+            /* triple-DES with key derivation */
+
+   Rather than open the question of whether to specify means for
+   deriving a key of one type given a key of another type, and the
+   security implications of whether to generate a long key from a
+   shorter one, our implementation will simply return an error if the
+   QOP value specified does not correspond to the session key type.
+
+   [Implementation note: MIT's code does not implement QoP, and
+   returns an error for any non-zero QoP value.]
+
+5.2. MIC Sequence Number Encryption
+
+   The sequence numbers are encrypted in the context key (as defined
+   in [GSSAPI-KRB5] -- this will be either the Kerberos session key or
+   asubkey provided by the context initiator), using whatever
+   encryption system is designated by the type of that context key.
+   The IV is formed from the first N bytes of the SGN_CKSUM field,
+   where N is the number of bytes needed for the IV.  (With all
+   algorithms described here and in [GSSAPI-KRB5], the checksum is at
+   least as large as the IV.)
+
+5.3. Message Layout
+
+   Both MIC and Wrap tokens, as defined in [GSSAPI-KRB5], contain an
+   checksum field SGN_CKSUM.  In [GSSAPI-KRB5], this field was
+   specified as being 8 bytes long.  We now change this size to be
+   "defined by the checksum algorithm", and retroactively amend the
+   descriptions of all the checksum algorithms described in
+   [GSSAPI-KRB5] to explicitly specify 8-byte output.  Application
+   data continues to immediately follow the checksum field in the Wrap
+   token.
+
+   The revised message descriptions are thus:
+
+   MIC:
+
+   Byte no          Name           Description
+    0..1           TOK_ID          Identification field.
+    2..3           SGN_ALG         Integrity algorithm indicator.
+    4..7           Filler          Contains ff ff ff ff
+    8..15          SND_SEQ         Sequence number field.
+    16..s+15       SGN_CKSUM       Checksum of "to-be-signed data",
+                                   calculated according to algorithm
+                                   specified in SGN_ALG field.
+
+   Wrap:
+
+   Byte no          Name           Description
+    0..1           TOK_ID          Identification field.
+                                   Tokens emitted by GSS_Wrap() contain
+                                   the hex value 02 01 in this field.
+    2..3           SGN_ALG         Checksum algorithm indicator.
+    4..5           SEAL_ALG        Sealing algorithm indicator.
+    6..7           Filler          Contains ff ff
+    8..15          SND_SEQ         Encrypted sequence number field.
+    16..s+15       SGN_CKSUM       Checksum of plaintext padded data,
+                                   calculated according to algorithm
+                                   specified in SGN_ALG field.
+    s+16..last     Data            encrypted or plaintext padded data
+
+   Where "s" indicates the size of the checksum.
+
+   As indicated above in section 2, we define the HMAC SHA1 DES3-KD
+   checksum algorithm to produce a 20-byte output, so encrypted data
+   begins at byte 36.
+
+6. Backwards Compatibility Considerations
+
+   The context initiator SHOULD request of the KDC credentials using
+   session-key cryptosystem types supported by that implementation; if
+   the only types returned by the KDC are not supported by the
+   mechanism implementation, it MUST indicate a failure.  This may
+   seem obvious, but early implementations of both Kerberos and the
+   GSSAPI Kerberos mechanism supported only DES keys, so the
+   cryptosystem compatibility question was easy to overlook.
+
+   Under the current mechanism, no negotiation of algorithm types
+   occurs, so server-side (acceptor) implementations cannot request
+   that clients not use algorithm types not understood by the server.
+   However, administration of the server's Kerberos data has to be
+   done in communication with the KDC, and it is from the KDC that the
+   client will request credentials.  The KDC could therefore be tasked
+   with limiting session keys for a given service to types actually
+   supported by the Kerberos and GSSAPI software on the server.
+
+   This does have a drawback for cases where a service principal name
+   is used both for GSSAPI-based and non-GSSAPI-based communication,
+   if the GSSAPI implementation does not understand triple-DES but the
+   Kerberos implementation does.  It means that triple-DES session
+   keys cannot be issued for that service principal, which keeps the
+   protection of non-GSSAPI services weaker than necessary.  However,
+   in the most recent MIT releases thus far, while triple-DES support
+   has been present, it has required additional work to enable, so it
+   is not likely to be in use for many services.
+
+   It would also be possible to have clients attempt to get single-DES
+   session keys before trying to get triple-DES session keys, and have
+   the KDC refuse to issue the single-DES keys only for the most
+   critical of services, for which single-DES protection is considered
+   inadequate.  However, that would eliminate the possibility of
+   connecting with the more secure cryptosystem to any service that
+   can be accessed with the weaker cryptosystem.
+
+   We have chosen to go with the former approach, putting the burden
+   on the KDC administration and gaining the best protection possible
+   for GSSAPI services, possibly at the cost of protection of
+   non-GSSAPI Kerberos services running earlier versions of the
+   software.
+
+6. Security Considerations
+
+   Various tradeoffs arise regarding the mixing of new and old
+   software, or GSSAPI-based and non-GSSAPI Kerberos authentication.
+   They are discussed in section 5.
+
+7. References
+
+   [EFF] Electronic Frontier Foundation, "Cracking DES: Secrets of
+   Encryption Research, Wiretap Politics, and Chip Design", O'Reilly &
+   Associates, Inc., May, 1998.
+
+   [GSSAPI] Linn, J., "Generic Security Service Application Program
+   Interface Version 2, Update 1", RFC 2743, January, 2000.
+
+   [GSSAPI-KRB5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
+   RFC 1964, June, 1996.
+
+   [KrbRev] Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network
+   Authentication Service (V5)",
+   draft-ietf-cat-kerberos-revisions-05.txt, March 10, 2000.
+
+   [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
+   3", RFC 2026, October, 1996.
+
+8. Author's Address
+
+   Kenneth Raeburn
+   Massachusetts Institute of Technology
+   77 Massachusetts Avenue
+   Cambridge, MA 02139
+
+9. Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved. 
+    
+   This document and translations of it may be copied and furnished to 
+   others, and derivative works that comment on or otherwise explain it 
+   or assist in its implementation may be prepared, copied, published 
+   and distributed, in whole or in part, without restriction of any 
+   kind, provided that the above copyright notice and this paragraph 
+   are included on all such copies and derivative works.  However, this   
+   document itself may not be modified in any way, such as by removing   
+   the copyright notice or references to the Internet Society or other   
+   Internet organizations, except as needed for the purpose of 
+   developing Internet standards in which case the procedures for 
+   copyrights defined in the Internet Standards process must be 
+   followed, or as required to translate it into languages other than 
+   English. 
+    
+   The limited permissions granted above are perpetual and will not be 
+   revoked by the Internet Society or its successors or assigns. 
+    
+   This document and the information contained herein is provided on an 
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 
diff --git a/crypto/heimdal/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt b/crypto/heimdal/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt
new file mode 100644
index 0000000..64ca1ac
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-raeburn-krb-gssapi-krb5-3des-01.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Kerberos Working Group                                        K. Raeburn
+Category: Informational                                              MIT
+Document: draft-raeburn-krb-gssapi-krb5-3des-01.txt    November 24, 2000
+
+
+         Triple-DES Support for the Kerberos 5 GSSAPI Mechanism
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are
+   working documents of the Internet Engineering Task Force (IETF), its
+   areas, and its working groups. Note that other groups may also
+   distribute working documents as Internet-Drafts. Internet-Drafts are
+   draft documents valid for a maximum of six months and may be updated,
+   replaced, or obsoleted by other documents at any time. It is
+   inappropriate to use Internet-Drafts as reference material or to cite
+   them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+1. Abstract
+
+   The GSSAPI Kerberos 5 mechanism definition [GSSAPI-KRB5] specifically
+   enumerates encryption and checksum types, independently of how such
+   schemes may be used in Kerberos.  In the long run, a new Kerberos-
+   based mechanism, which does not require separately enumerating for
+   the GSSAPI mechanism each of the various encryption types defined by
+   Kerberos, is probably a better approach.  Various people have
+   expressed interest in designing one, but the work has not yet been
+   completed.
+
+   The MIT Kerberos 5 release version 1.2 includes support for triple-
+   DES with key derivation [KrbRev].  Recent work by the EFF [EFF] has
+   demonstrated the vulnerability of single-DES mechanisms to brute-
+   force attacks by sufficiently motivated and well-funded parties.  So,
+   in the interest of providing increased security in the near term, MIT
+   is adding support for triple-DES to the existing mechanism
+   implementation we ship, as an interim measure.
+
+
+
+
+
+
+
+
+Raeburn                                                         [Page 1]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+2. New Algorithm Identifiers
+
+   One new sealing algorithm is defined, for use in Wrap tokens.
+
+
+   +--------------------------------------------------------------------+
+   |          name                                octet values          |
+   +--------------------------------------------------------------------+
+   |         DES3-KD                                 02 00              |
+   +--------------------------------------------------------------------+
+
+   This algorithm uses triple-DES with key derivation, with a usage
+   value KG_USAGE_SEAL.  (Unlike the EncryptedData definition in
+   [KrbRev], no integrity protection is needed, so this is "raw" triple-
+   DES, with no checksum attached to the encrypted data.)  Padding is
+   still to 8-byte multiples, and the IV for encrypting application data
+   is zero.
+
+   One new signing algorithm is defined, for use in MIC, Wrap, and
+   Delete tokens.
+
+
+   +--------------------------------------------------------------------+
+   |             name                               octet values        |
+   +--------------------------------------------------------------------+
+   |       HMAC SHA1 DES3-KD                           04 00            |
+   +--------------------------------------------------------------------+
+
+   This algorithm generates an HMAC using SHA-1 and a derived DES3 key
+   with usage KG_USAGE_SIGN, as described in [KrbRev].
+
+   [N.B.: The current [KrbRev] description refers to expired I-Ds from
+   Marc Horowitz.  The text in [KrbRev] may be inadequate to produce an
+   interoperable implementation.]
+
+   The checksum size for this algorithm is 20 octets.  See section 4.3
+   below for the use of checksum lengths of other than eight bytes.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Raeburn                                                         [Page 2]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+3. Key Derivation
+
+   For purposes of key derivation, we add three new usage values to the
+   list defined in [KrbRev]; one for signing messages, one for sealing
+   messages, and one for encrypting sequence numbers:
+
+
+   +--------------------------------------------------------------------+
+   |             name                                    value          |
+   +--------------------------------------------------------------------+
+   |         KG_USAGE_SEAL                                22            |
+   |         KG_USAGE_SIGN                                23            |
+   |         KG_USAGE_SEQ                                 24            |
+   +--------------------------------------------------------------------+
+
+4. Adjustments to Previous Definitions
+
+4.1. Quality of Protection
+
+   The GSSAPI specification [GSSAPI] says that a zero QOP value
+   indicates the "default".  The original specification for the Kerberos
+   5 mechanism says that a zero QOP value (or a QOP value with the
+   appropriate bits clear) means DES encryption.
+
+   Rather than forcing the use of plain DES when the application doesn't
+   use mechanism-specific QOP values, we redefine the explicit DES QOP
+   value as a non-zero value, and define a triple-DES value as well.
+   Then a zero value continues to imply the default, which would be
+   triple-DES protection when given a triple-DES session key.
+
+   Our values are:
+
+   +--------------------------------------------------------------------+
+   |             name                  value      meaning               |
+   +--------------------------------------------------------------------+
+   | GSS_KRB5_INTEG_C_QOP_HMAC_SHA1    0x0004     SHA-1 HMAC, using     |
+   |                                              key derivation        |
+   |                                                                    |
+   |    GSS_KRB5_CONF_C_QOP_DES        0x0100     plain DES encryption  |
+   |                                                                    |
+   |  GSS_KRB5_CONF_C_QOP_DES3_KD      0x0200     triple-DES with key   |
+   |                                              derivation            |
+   +--------------------------------------------------------------------+
+
+   Rather than attempt to specify a generic mechanism for deriving a key
+   of one type given a key of another type, and evaluate the security
+   implications of using a short key to generate a longer key to satisfy
+   the requested quality of protection, our implementation will simply
+
+
+
+Raeburn                                                         [Page 3]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+   return an error if the nonzero QOP value specified does not
+   correspond to the session key type.
+
+4.2. MIC Sequence Number Encryption
+
+   The sequence numbers are encrypted in the context key (as defined in
+   [GSSAPI-KRB5] -- this will be either the Kerberos session key or
+   asubkey provided by the context initiator), using whatever encryption
+   system is designated by the type of that context key.  The IV is
+   formed from the first N bytes of the SGN_CKSUM field, where N is the
+   number of bytes needed for the IV.  (With all algorithms described
+   here and in [GSSAPI-KRB5], the checksum is at least as large as the
+   IV.)
+
+4.3. Message Layout
+
+   Both MIC and Wrap tokens, as defined in [GSSAPI-KRB5], contain an
+   checksum field SGN_CKSUM.  In [GSSAPI-KRB5], this field was specified
+   as being 8 bytes long.  We now change this size to be "defined by the
+   checksum algorithm", and retroactively amend the descriptions of all
+   the checksum algorithms described in [GSSAPI-KRB5] to explicitly
+   specify 8-byte output.  Application data continues to immediately
+   follow the checksum field in the Wrap token.
+
+   The revised message descriptions are thus:
+
+   MIC token:
+
+   Byte #             Name                Description
+   ----------------------------------------------------------------------
+    0..1              TOK_ID              Identification field.
+    2..3              SGN_ALG             Integrity algorithm indicator.
+    4..7              Filler              Contains ff ff ff ff
+    8..15             SND_SEQ             Sequence number field.
+   16..s+15           SGN_CKSUM           Checksum of "to-be-signed
+                                          data", calculated according to
+                                          algorithm specified in SGN_ALG
+                                          field.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Raeburn                                                         [Page 4]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+   Wrap token:
+
+   Byte #           Name             Description
+   ----------------------------------------------------------------------
+    0..1            TOK_ID           Identification field.  Tokens
+                                     emitted by GSS_Wrap() contain the
+                                     hex value 02 01 in this field.
+    2..3            SGN_ALG          Checksum algorithm indicator.
+    4..5            SEAL_ALG         Sealing algorithm indicator.
+    6..7            Filler           Contains ff ff
+    8..15           SND_SEQ          Encrypted sequence number field.
+   16..s+15         SGN_CKSUM        Checksum of plaintext padded data,
+                                     calculated according to algorithm
+                                     specified in SGN_ALG field.
+   s+16..last       Data             encrypted or plaintext padded data
+
+
+   Where "s" indicates the size of the checksum.
+
+   As indicated above in section 2, we define the HMAC SHA1 DES3-KD
+   checksum algorithm to produce a 20-byte output, so encrypted data
+   begins at byte 36.
+
+5. Backwards Compatibility Considerations
+
+   The context initiator should request of the KDC credentials using
+   session-key cryptosystem types supported by that implementation; if
+   the only types returned by the KDC are not supported by the mechanism
+   implementation, it should indicate a failure.  This may seem obvious,
+   but early implementations of both Kerberos and the GSSAPI Kerberos
+   mechanism supported only DES keys, so the cryptosystem compatibility
+   question was easy to overlook.
+
+   Under the current mechanism, no negotiation of algorithm types
+   occurs, so server-side (acceptor) implementations cannot request that
+   clients not use algorithm types not understood by the server.
+   However, administration of the server's Kerberos data (e.g., the
+   service key) has to be done in communication with the KDC, and it is
+   from the KDC that the client will request credentials.  The KDC could
+   therefore be tasked with limiting session keys for a given service to
+   types actually supported by the Kerberos and GSSAPI software on the
+   server.
+
+   This does have a drawback for cases where a service principal name is
+   used both for GSSAPI-based and non-GSSAPI-based communication (most
+   notably the "host" service key), if the GSSAPI implementation does
+   not understand triple-DES but the Kerberos implementation does.  It
+   means that triple-DES session keys cannot be issued for that service
+
+
+
+Raeburn                                                         [Page 5]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+   principal, which keeps the protection of non-GSSAPI services weaker
+   than necessary.
+
+   It would also be possible to have clients attempt to get single-DES
+   session keys before trying to get triple-DES session keys, and have
+   the KDC refuse to issue the single-DES keys only for the most
+   critical of services, for which single-DES protection is considered
+   inadequate.  However, that would eliminate the possibility of
+   connecting with the more secure cryptosystem to any service that can
+   be accessed with the weaker cryptosystem.
+
+   For MIT's 1.2 release, we chose to go with the former approach,
+   putting the burden on the KDC administration and gaining the best
+   protection possible for GSSAPI services, possibly at the cost of
+   weaker protection of non-GSSAPI Kerberos services running earlier
+   versions of the software.
+
+6. Security Considerations
+
+   Various tradeoffs arise regarding the mixing of new and old software,
+   or GSSAPI-based and non-GSSAPI Kerberos authentication.  They are
+   discussed in section 5.
+
+7. References
+
+   [EFF] Electronic Frontier Foundation, "Cracking DES: Secrets of
+   Encryption Research, Wiretap Politics, and Chip Design", O'Reilly &
+   Associates, Inc., May, 1998.
+
+   [GSSAPI] Linn, J., "Generic Security Service Application Program
+   Interface Version 2, Update 1", RFC 2743, January, 2000.
+
+   [GSSAPI-KRB5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
+   RFC 1964, June, 1996.
+
+   [KrbRev] Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network
+   Authentication Service (V5)", draft-ietf-cat-kerberos-
+   revisions-06.txt, July 4, 2000.
+
+8. Author's Address
+
+   Kenneth Raeburn Massachusetts Institute of Technology 77
+   Massachusetts Avenue Cambridge, MA 02139
+
+9. Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+
+
+
+Raeburn                                                         [Page 6]
+
+INTERNET DRAFT       Triple-DES for GSSAPI Kerberos        November 2000
+
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
+
+10. Document Change History
+
+>From -00 to -01:
+
+   Converted master to GNU troff and tbl, rewriting tables in the
+   process.
+
+   Specify informational category only.  Modify some text to emphasize
+   that this document intends to describe MIT's extensions.
+
+   Point out that while EncryptedData for 3des-kd includes a checksum,
+   DES3-KD GSS encryption does not.
+
+   Shorten backwards-compatibility descriptions a little.
+
+   Submit to Kerberos working group rather than CAT.
+
+
+
+
+
+
+
+
+
+
+
+Raeburn                                                         [Page 7]
+
diff --git a/crypto/heimdal/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt b/crypto/heimdal/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt
new file mode 100644
index 0000000..321c5ba
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-smedvinsky-dhc-kerbauth-01.txt
@@ -0,0 +1,929 @@
+
+
+DHC Working Group                                          S. Medvinsky
+Internet Draft                                                 Motorola
+Document: <draft-smedvinsky-dhc-kerbauth-01.txt>
+Category: Standards Track                                    P.Lalwaney
+Expires: January 2001                                             Nokia
+
+                                                              July 2000
+
+
+        Kerberos V Authentication Mode for Uninitialized Clients
+
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that
+   other groups may also distribute working documents as Internet-
+   Drafts. Internet-Drafts are draft documents valid for a maximum of
+   six months and may be updated, replaced, or obsoleted by other
+   documents at any time. It is inappropriate to use Internet- Drafts
+   as reference material or to cite them other than as "work in
+   progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   The distribution of this memo is unlimited.  It is filed as <draft-
+   smedvinsky-dhc-kerbauth-01.txt>, and expires January 2001. Please
+   send comments to the authors.
+
+
+
+1. Abstract
+
+   The Dynamic Host Configuration Protocol (DHCP) [1] includes an
+   option that allows authentication of all DHCP messages, as specified
+   in [2].  This document specifies a DHCP authentication mode based on
+   Kerberos V tickets. This provides mutual authentication between a
+   DHCP client and server, as well as authentication of all DHCP
+   messages.
+
+   This document specifies Kerberos message exchanges between an
+   uninitialized client and the KDC (Key Distribution Center) using an
+   IAKERB proxy [7] so that the Kerberos key management phase is
+   decoupled from, and precedes the address allocation and network
+   configuration phase that uses the DHCP authentication option.  In
+   order to make use of the IAKERB proxy, this document specifies a
+   transport mechanism that works with an uninitialized client (i.e. a
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+   client without an assigned IP address). In addition, the document
+   specifies the format of the Kerberos authenticator to be used with
+   the DHCP authentication option.
+
+2. Conventions used in this document
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in
+   this document are to be interpreted as described in RFC-2119.
+
+3. Introduction
+
+   3.1 Terminology
+
+   o "DHCP client"
+
+   A DHCP client is an Internet host using DHCP to obtain configuration
+   parameters such as a network address.
+
+   o "DHCP server"
+
+   A DHCP server is an Internet host that returns configuration
+   parameters to DHCP clients.
+
+   O "Ticket"
+
+   A Kerberos term for a record that helps a client authenticate itself
+   to a server; it contains the client's identity, a session key, a
+   timestamp, and other information, all sealed using the server's
+   secret key. It only serves to authenticate a client when presented
+   along with a fresh Authenticator.
+
+   o "Key Distribution Center"
+
+   Key Distribution Center, a network service that supplies tickets and
+   temporary session keys; or an instance of that service or the host
+   on which it runs. The KDC services both initial ticket and Ticket-
+   Granting Ticket (TGT) requests. The initial ticket portion is
+   sometimes referred to as the Authentication Server (or service. The
+   Ticket-Granting Ticket portion is sometimes referred to as the
+   Ticket-Granting Server (or service).
+
+   o "Realm"
+
+   A Kerberos administrative domain that represents a group of
+   principals registered at a KDC.  A single KDC may be responsible for
+   one or more realms.  A fully qualified principal name includes a
+   realm name along with a principal name unique within that realm.
+
+3.2 Protocol Overview
+
+
+
+S. Medvinsky, P. Lalwaney                                          -2-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+   DHCP as defined in [1] defines the protocol exchanges for a client
+   to obtain its IP address and network configuration information from
+   a DHCP Server. Kerberos V5 as described in [6] defines the protocol
+   and message exchanges to mutually authenticate two parties. It is
+   our goal to provide authentication support for DHCP using Kerberos.
+   This implies that the Kerberos key management exchange has to take
+   place before a client gets its IP address from the DHCP Server.
+   Kerberos assumes that the client has a network address and can
+   contact the Key Distribution Center to obtain its credentials for
+   authenticated communication with an application server.
+
+   In this specification we utilize the key exchange using an IAKERB
+   proxy described in [7]. This does not require any changes to either
+   the IAKERB or the Kerberos V5 specification.  This document also
+   specifies a particular transport that allows an uninitialized client
+   to contact an IAKERB proxy.
+
+   The Kerberos ticket returned from the key management exchange
+   discussed in Section 5 of this document is passed to the DHCP Server
+   inside the DHCP authentication option with the new Kerberos
+   authenticator type. This is described in Section 6 of this draft.
+
+
+3.3 Related Work
+
+   A prior Internet Draft [3] outlined the use of Kerberos-based
+   authentication for DHCP. The proposal tightly coupled the Kerberos
+   client state machines and the DHCP client state machines. As a
+   result, the Kerberos key management messages were carried in DHCP
+   messages, along with the Kerberos authenticators. In addition, the
+   first DHCP message exchange (request, offer) is not authenticated.
+
+   We propose a protocol exchange where Kerberos key management is
+   decoupled from and precedes authenticated DHCP exchanges. This
+   implies that the Kerberos ticket returned in the initial key
+   management exchange could be used to authenticate servers assigning
+   addresses by non-DHCP address assignment mechanisms like RSIP [4]
+   and for service specific parameter provisioning mechanisms using SLP
+   [5].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                          -3-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+
+4. System Architecture
+
+
+     Client
+    --------                            --------
+   |        |   5.Authenticated DHCP   |        |
+   |  DHCP  |<------------------------>| DHCP   |
+   | client |                          | server |
+   |        |                          |        |
+   |        |                          |        |
+   |Kerberos|                          |        |
+   | Client |                          |        |
+    --------                            --------
+       ^
+       |
+       |
+       |
+       |                                -------
+        ------------------------------>|       |
+         Kerberos Key Mgmt             | Proxy |
+         messages:                     |       |
+          1. AS Request  / 2.AS Reply   -------
+          3. TGS Request / 4.TGS Reply     ^
+                                           | Kerberos
+                                           | Key Mgmt messages
+                                           v (1, 2, 3, 4)
+                                        --------
+                                       |        |
+                                       |  KDC   |
+                                       |        |
+                                        --------
+
+     Figure 1: System blocks and message interactions between them
+
+
+   In this architecture, the DHCP client obtains a Kerberos ticket from
+   the Key Distribution Center (KDC) using standard Kerberos messages,
+   as specified in [6].  The client, however, contacts the KDC via a
+   proxy server, according to the IAKERB mechanism, described in [7].
+   The are several reasons why a client has to go through this proxy in
+   order to contact the KDC:
+
+  a)The client may not know the host address of the KDC and may be
+     sending its first request message as a broadcast on a local
+     network.  The KDC may not be located on the local network, and
+     even if it were - it will be unable to communicate with a client
+     without an IP address.  This document describes a specific
+     mechanism that may be used by a client to communicate with the
+     Kerberos proxy.
+
+
+
+S. Medvinsky, P. Lalwaney                                          -4-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+  b)The client may not know its Kerberos realm name.  The proxy is
+     able to fill in the missing client realm name in an AS Request
+     message, as specified in IAKERB.  Note that in the case that
+     PKINIT pre-authenticator is used [8], the realm name in the AS
+     Request may be the KDC realm name and not the clientÆs realm name.
+
+  c) The client does not know the realm name of the DHCP server.
+
+     According to IAKERB, when the client sends a TGS Request with a
+     missing server realm name, the proxy will return to the client an
+     error message containing the missing realm name.
+
+     Note that in this case the proxy could return the client a wrong
+     realm name and the client could be fooled into obtaining a ticket
+     for the wrong DHCP server (on the same local network).  However,
+     the wrong DHCP server must still be a registered principal in a
+     KDC database.  In some circumstances this may be an acceptable
+     compromise.  Also, see the security considerations section.
+
+     IAKERB describes the proxy as part of an application server - the
+     DHCP server in this case.  However, in this document we are not
+     requiring the proxy to be integrated with the DHCP server.  The
+     same IAKERB mechanisms apply in the more general case, where the
+     proxy is an independent application.  This proxy, however, MUST be
+     reachable by a client via a local network broadcast.
+
+     After a client has obtained a Kerberos ticket for the DHCP server,
+     it will use it as part of an authentication option in the DHCP
+     messages.  The only extension to the DHCP protocol is the addition
+     of a new authenticator type based on Kerberos tickets.
+
+4.1 Cross-Realm Authentication
+
+   Figure 1 shows a client communicating with a single KDC via a proxy.
+   However, the DHCP clientÆs realm may be different from the DHCP
+   serverÆs realm.  In that case, the client may need to first contact
+   the KDC in its local realm to obtain a cross-realm TGT.  Then, the
+   client would use the cross-realm TGT to contact the KDC in the DHCP
+   serverÆs realm, as specified in [6].
+
+   In the following example a client doesnÆt know its realm or the DHCP
+   serverÆs realm, which happens to be different from the clientÆs
+   realm.  Here are the steps in obtaining the ticket for the DHCP
+   server (based on [6] and [7]):
+
+        1) The client sends AS Request with NULL realm to the proxy.
+        2) The proxy fills in the realm and forwards the AS Request to
+           the KDC in the clientÆs realm.
+        3) The KDC issues a TGT and sends back an AS Reply to the
+           proxy.
+        4) The proxy forwards AS Reply to the client.
+
+
+S. Medvinsky, P. Lalwaney                                          -5-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+        5) The client sends TGS Request for a principal name "dhcpsrvr"
+           with NULL realm to the proxy.
+        6) The proxy returns KRB_AP_ERR_REALM_REQUIRED error with the
+           DHCP serverÆs realm to the client.
+        7) The client sends another TGS Request for a cross-realm TGT
+           to the proxy.
+        8) The proxy forwards the TGS Request to the KDC in the
+           clientÆs realm.
+        9) The KDC issues a cross-realm TGT and sends back a TGS Reply
+           to the proxy.
+       10) The proxy forwards TGS Reply to the client.
+       11) The client sends a TGS Request to the proxy for a principal
+       "dhcpsrvr" with the realm name filled in, using a cross-realm
+       TGT.
+       12) The proxy forwards TGS Request to the KDC in the DHCP      
+       server's realm.
+       13) The KDC issues a ticket for the DHCP server and sends TGS
+       Reply back to the proxy.
+       14) The proxy forwards TGS Reply to the client.
+
+   In a most general case, the client may need to contact any number of
+   KDCs in different realms before it can get a ticket for the DHCP
+   server.  In each case, the client would contact a KDC via the proxy
+   server, as specified in Section 5 of this document.
+
+4.2 Public Key Authentication
+
+   This specification also allows clients to perform public key
+   authentication to the KDC, based on the PKINIT specification [8].
+   In this case, the size of an AS Request and AS Reply messages is
+   likely to exceed the size of typical link MTU's.
+
+   Here is an example, where PKINIT is used by a DHCP client that is
+   not a registered principal in the KDC principal database:
+
+        1) The client sends AS Request with a PKINIT Request pre-
+           authenticator to the proxy.  This includes the clientÆs
+           signature and X.509 certificate.  The KDC realm field is
+           left as NULL.
+        2) The proxy fills in the realm and forwards the AS Request to
+           the KDC in the filled in realm.  This is the realm of the
+           DHCP server.  Here, the clientÆs realm is the name of a
+           Certification Authority - not the same as the KDC realm.
+        3) The KDC issues a TGT and sends back an AS Reply with a
+           PKINIT Reply pre-authenticator to the proxy.
+        4) The proxy forwards the AS Reply to the client.
+        5) The client sends TGS Request for a principal name "dhcpsrvr"
+           with the realm found in the TGT to the proxy.
+        6) The proxy forwards TGS Request to the KDC in the DHCP
+           serverÆs realm.
+        7) The KDC issues a ticket for the DHCP server and sends TGS
+           Reply back to the proxy.
+
+S. Medvinsky, P. Lalwaney                                          -6-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+        8) The proxy forwards TGS Reply to the client.
+
+
+   5. Key Management Exchange that Precedes Network Address Allocation
+
+   An uninitialized host (e.g. on power-on and reset) does not have a
+   network address. It does have a link layer address or hardware
+   address. At this time, the client may not have any information on
+   its realm or the realm of the address allocation server (DHCP
+   Server).
+
+   In the Kerberos key management exchange, a client gets its ticket
+   granting ticket (TGT) by contacting the Authentication Server in the
+   KDC using the AS_Request / Reply messages (shown as messages 1 and 2
+   in Figure 1). The client then contacts the Ticket Granting Server in
+   the KDC to get the DHCP server ticket (to be used for mutual
+   authentication with the DHCP server) using the TGS_REQ / TGS_REP
+   messages (shown as messages 3 and 4 in the above figure).  It is
+   also possible for the client to obtain a DHCP server ticket directly
+   with the AS Request / Reply exchange, without the use of the TGT.
+
+   In the use of Kerberos for DHCP authentication, the client (a) does
+   not have an IP/network address (b) does not know he KDCÆs IP address
+   (c) the KDC may not be on the local network and (d) the client may
+   not know the DHCP ServerÆs IP address and realm.  We therefore
+   require a Kerberos proxy on the local network to accept broadcast
+   Kerberos request messages (AS_REQ and TGS_REQ) from uninitialized
+   clients and relay them to the appropriate KDC.
+
+   The uninitialized client formulates a broadcast AS_REQ or TGS_REQ as
+   follows:
+
+   The request payload contains the client hardware address in
+   addresses field with a negative value for the address type. Kerberos
+   v5 [6] allows for the usage of negative address types for "local"
+   use. Note that IAKERB [7] discourages the use of the addresses field
+   as network addresses may not be known or may change in situation
+   where proxies are used. In this draft we incorporate the negative
+   values permitted in the Kerberos transport in the address type field
+   of both the AS_REQ and TGS_REQ messages. The negative value SHOULD
+   be the negative number of the hardware address type "htype" value
+   (from assigned numbers RFC) used in RFC 2131. The address field of
+   the message contains the clients hardware address.
+
+   The request payload is UDP encapsulated and addressed to port 88 on
+   the server/proxy. The UDP source port is selected by the client. The
+   source and destination network addresses are the all-zeroÆs address
+   and the broadcast address, respectively. For IPv4, the source IP
+   address is set to 0.0.0.0 and the destination IP address is set to
+   255.255.255.255. The data link layer header source address
+   corresponds to the link layer/hardware address of the client. The
+
+
+S. Medvinsky, P. Lalwaney                                          -7-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+   destination link layer address is the broadcast address at the link
+   layer (e.g. for Ethernet the address is ffffffff).
+
+   In the case where AS_REQ message contains a PKINIT pre-authenticator
+   for public key-based client authentication (based on [8]), the
+   message will probably not fit into a single UDP packet given typical
+   link MTU's.
+
+   It is assumed that the proxy server on a network is configured with
+   a list of KDCÆs, their realms and their IP addresses. The proxy
+   server will act as a client to the KDC and forward standard Kerberos
+   messages to/from the KDC using unicast UDP or TCP transport
+   mechanisms, according to [6].
+
+   Upon receiving a broadcast request from a client, the proxy MUST
+   record the clientÆs hardware address that appears as the source
+   address on the frame as well as in the addresses field of the
+   request message. Based on the realm of the KDC specified in the
+   request, the proxy determines the KDC to which this message is
+   relayed as a unicast message from the proxy to the KDC.  In the case
+   that the client left the KDC realm name as NULL, it is up to the
+   proxy to first determine the correct realm name and fill it in the
+   request (according to [7]).
+
+   On receiving a request, the KDC formulates a response (AS_REP or
+   TGS_REP). It includes the clientÆs addresses field in the encrypted
+   part of the ticket (according to [6]). This response is unicast to
+   the proxy.
+
+   Upon receiving the reply, the proxy MUST first determine the
+   previously saved hardware address of the client.  The proxy
+   broadcasts the reply on its local network. This is a network layer
+   broadcast. At the link level, it uses the hardware address obtained
+   from the addresses field of the request.
+
+   The client on receiving the response (link layer destination address
+   as its hardware address, network layer address is the broadcast
+   address) must verify that the hardware address in the ticket
+   corresponds to its link layer address.
+
+   Upon receiving a TGS_REP (or an AS_REP with the application server
+   ticket) from the proxy, the client will have enough information to
+   securely communicate with the application server (the DHCP Server in
+   this case), as specified in the following section.
+
+
+
+
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                          -8-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+    6. Authenticated Message Exchange Between the DHCP Client and the
+   DHCP Server
+
+   The ticket returned in the TGS response is used by the DHCP client
+   in the construction of the Kerberos authenticator.  The Kerberos
+   ticket serves two purposes: to establish a shared session key with
+   the DHCP server, and is also included as part of a Kerberos
+   authenticator in the DHCP request.
+
+   If the size of the authenticator is greater than 255 bytes, the DHCP
+   authentication option is repeated multiple times.  When the values
+   of all the authentication options are concatenated together, they
+   will make up the complete authenticator.
+
+   Once the session key is established, the Kerberos structure
+   containing the ticket (AP REQ) can be omitted from the authenticator
+   for subsequent messages sent by both the DHCP client and the DHCP
+   server.
+
+   The Kerberos authenticator for a DHCP request message is specified
+   below:
+
+   0                   1                   2                   3
+   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |     Code      |    Length     |    Protocol   |   Algorithm   |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                                                               |
+   +              Replay Detection (64 bits)                       +
+   |                                                               |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                                                               |
+   +              Authentication token (n octets)           ...    +
+   |                                                               |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   The format of this authenticator is in accordance with [2]. The code
+   for the authentication option is TBD, and the length field contains
+   the length of the remainder of the option, starting with the
+   protocol field.
+
+   The value of the protocol field for this authenticator MUST be set
+   to 2.
+
+   The algorithm field MUST take one of the following values:
+        1 - HMAC-MD5
+        2 - HMAC-SHA-1
+
+   Replay protection field is a monotonically increasing counter field.
+   When the Kerberos AP REQ structure is present in the authenticator
+   the counter may be set to any value.  The AP REQ contains its own
+   replay protection mechanism in the form of a timestamp.
+
+S. Medvinsky, P. Lalwaney                                          -9-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+
+   Once the session key has been established and the AP REQ is not
+   included in the authenticator, this field MUST be monotonically
+   increasing in the messages sent by the client.
+
+   Kerberos authenticator token consists of type-length-value
+   attributes:
+
+   0                   1                   2                   3
+   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |     Type      |  Reserved     |       Payload Length          |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |                           attribute value...
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   The following attributes are included in the Kerberos authenticator
+   token:
+
+   Type         Attribute Name          Value
+   --------------------------------------------------------------------
+   0            Message Integrity Code  Depends on the value of the
+                                        algorithm field.  Its length is
+                                        16 bytes for HMAC-MD5 [9, 10]
+                                        and 20 bytes for HMAC-SHA-1
+                                        [11, 10].  The HMAC key must be
+                                        derived from Kerberos session
+                                        key found in the Kerberos
+                                        ticket according to the key
+                                        derivation rules in [6]:
+
+                                          HMAC Key = DK(sess key,
+                                                      key usage | 0x99)
+
+                                        Here, DK is defined in [12] and
+                                        the key usage value for DHCP is
+                                        TBD.
+
+                                        The HMAC is calculated over the
+                                        entire DHCP message. The
+                                        Message Integrity Code
+                                        attribute MUST be set to all 0s
+                                        for the computation of the
+                                        HMAC.  Because a DHCP relay
+                                        agent may alter the values of
+                                        the 'giaddr' and 'hops' fields
+                                        in the DHCP message, the
+                                        contents of those two fields
+                                        MUST also be set to zero for
+                                        the computation of the HMAC.
+                                        Rules specified in Section 3 of
+                                        [2] for the exclusion and
+
+S. Medvinsky, P. Lalwaney                                         -10-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+                                        processing of the relay agent
+                                        information are applicable here
+                                        too.
+
+                                        This field MUST always be
+                                        present in the Kerberos
+                                        authenticator.
+
+   1            AP_REQ                  ASN.1 encoding of a Kerberos
+                                        AP_REQ message, as specified
+                                        in [6]. This MUST be included
+                                        by the client when establishing
+                                        a new session key.  In all
+                                        other cases, this attribute
+                                        MUST be omitted.
+
+   AP_REQ contains the Kerberos ticket for the DHCP server and also
+   contains information needed by the DHCP server to authenticate the
+   client.  After verifying the AP_REQ and decrypting the Kerberos
+   ticket, the DHCP server is able to extract a session key which it
+   now shares with the DHCP client.
+
+   The Kerberos authenticator token contains its own replay protection
+   mechanism inside the AP_REQ structure.  The AP_REQ contains a
+   timestamp that must be within an agreed upon time window at the DHCP
+   server.  However, this does not require the DHCP clients to maintain
+   an accurate clock between reboots.  Kerberos allows clients to
+   synchronize their clock with the KDC with the help of Kerberos
+   KRB_AP_ERR_SKEW error message, as specified in [6].
+
+   The DHCP server MUST save both the session key and its associated
+   expiration time found in the Kerberos ticket.  Up until the
+   expiration time, the server must accept client requests with the
+   Kerberos authenticator that does not include the AP REQ, using the
+   saved session key in calculating HMAC values.
+
+   The Kerberos authenticator inside all DHCP server responses MUST NOT
+   contain the AP REQ and MUST use the saved Kerberos session key in
+   calculating HMAC values.
+
+   When the session key expires, it is the client's responsibility to
+   obtain a new ticket from the KDC and to include an AP REQ inside the
+   Kerberos authenticator for the next DHCP request message.
+
+
+
+
+
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                         -11-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+7. Detailed message flows for Kerberos and DHCP message Exchanges
+
+   The following flow depicts the Kerberos exchange in which a AS REQ
+   message is used to directly request the DHCP Server ticket. There
+   are no changes to transport mechanisms below when the additional
+   phase of using TGS requests/responses with TGTÆs is used.
+
+   Client                         IAKERB Proxy                 KDC
+
+   KB-client-------- AS_REQ ------>
+
+   AS REQ Address type = - (htype)
+   AS REQ Address= hw address
+
+   src UDP port = senders port
+   destination UDP port = 88
+
+   src IP = 0.0.0.0
+   destination IP = 255.255.255.255
+
+   src link layer address =
+   clientÆs HW/link address [e.g Ethernet address]
+
+   destination link layer address =
+   link broadcast address [e.g. ffffffff for Ethernet]
+
+
+                                         --------------------------->
+                                            (unicast to UDP port 88)
+
+
+
+                                          <--------------------------
+                                             (unicast AS REP)
+                                         Encrypted portion of ticket
+                                         Includes clients HW address
+
+
+      <---------------AS_REP -----------
+
+
+     Ticket includes clientÆs hardware address
+
+     src UDP port = 88
+     destination UDP port = copied from src port in AS_REQ
+
+     src IP = ProxyÆs IP address
+     destination IP = 255.255.255.255
+
+     src link layer address = ProxyÆs HW/link address
+     destination link layer address =
+         ClientÆs link layer address from AS_REQ
+
+
+S. Medvinsky, P. Lalwaney                                         -12-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+
+
+
+    The client uses the ticket received from the KDC in the DHCP
+Authentication option as described in Section 6.
+
+
+     Client
+     DHCP-client                                   DHCP Server
+
+             ------DHCPDISCOVER ---->
+             (Auth Protocol = 2, includes Kerberos
+              authenticator with AP REQ )
+                                   -----------------------------------
+                                   |  HMAC  |     AP   REQ           |
+                                    ----------------------------------
+                                            | Ticket| Client Authent |
+                                            --------------------------
+
+                                         1. Server decrypts ticket
+                                         (inside AP REQ) with service
+                                         key
+                                         2. Server decrypts client
+                                         authenticator (inside AP REQ)
+                                         and checks content and
+                                         checksum to validate the
+                                         client.
+                                         3. Recompute HMAC with session
+                                         key and compare.
+
+
+          <-------DHCPOFFER----------
+          (Auth Protocol = 2, no AP REQ )
+
+
+
+         ---------DHCPREQUEST------->
+         (Auth Protocol = 2, no AP REQ)
+
+
+          <--------DHCPACK-------------
+           (Auth Protocol = 2, no AP REQ )
+
+
+
+
+8. Security Considerations
+
+   DHCP clients that do not know the DHCP serverÆs realm name will get
+   it from the proxy, as specified in IAKERB [7].  Since the proxy is
+   not authenticated, a DHCP client can be fooled into obtaining a
+   ticket for the wrong DHCP server in the wrong realm.
+
+S. Medvinsky, P. Lalwaney                                         -13-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+
+   This could happen when the client leaves out the server realm name
+   in a TGS Request message to the proxy.  It is also possible,
+   however, for a client to directly request a DHCP server ticket with
+   an AS Request message.  In those cases, the same situation occurs
+   when the client leaves out the realm name in an AS Request.
+
+   This wrong DHCP server is still registered as a valid principal in a
+   database of a KDC that can be trusted by the client.  In some
+   circumstances a client may assume that a DHCP server that is a
+   Kerberos principal registered with a trusted KDC will not attempt to
+   deliberately misconfigure a client.
+
+   This specification provides a tradeoff between:
+
+        1) The DHCP clients knowing DHCP serverÆs realm ahead of time,
+           which provides for full 2-way authentication at the cost of
+           an additional configuration parameter.
+        2) The DHCP clients not requiring any additional configuration
+           information, besides a password or a key (and a public key
+           certificate if PKINIT is used).  This is at the cost of not
+           being able to fully authenticate the identity of the DHCP
+           server.
+
+
+
+9. References
+
+
+   [1]Droms, R., Arbaugh, W., "Dynamic Host Configuration Protocol",
+      RFC 2131, Bucknell University, March 1997.
+
+   [2]Droms, R., Arbaugh, W., "Authentication for DHCP Messages",
+      draft-ietf-dhc-authentication-13.txt, June 2000.
+
+   [3]Hornstein, K., Lemon, T., "DHCP Authentication Via Kerberos V",
+      draft-hornstein-dhc-kerbauth-02.txt, February 2000.
+
+   [4]Borella, M., Grabelsky, D., Lo, J., Tuniguchi, K., "Realm
+      Specific IP: Protocol Specification ", draft-ietf-nat-rsip-
+      protocol-06.txt, March 2000.
+
+   [5]Guttman, E., Perkins, C., Veizades, J., Day, M., "Service
+      Location Protocol, Version 2", RFC 2608, June 1999.
+
+   [6]Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network
+      Authentication Service (V5)", draft-ietf-cat-kerberos-revisions-
+      05.txt, March 2000.
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                         -14-        
+
+Kerberos V Authentication Mode for Uninitialized Clients     July 2000
+
+
+
+   [7]Swift, M., Trostle, J., "Initial Authentication and Pass Through
+      Authentication Using Kerberos V5 and the GSS-API (IAKERB)",
+      draft-ietf-cat-iakerb-03.txt, September 1999.
+
+   [8]Tung, B., C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky, J. Wray,
+      J. Trostle, "Public Key Cryptography for Initial Authentication
+      in Kerberos", draft-ietf-cat-pk-init-11.txt, March 2000.
+
+   [9]Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
+      1992.
+
+   [10]Krawczyk H., M. Bellare and R. Canetti, "HMAC: Keyed-Hashing for
+      Message Authentication," RFC 2104, February 1997.
+
+   [11]NIST, FIPS PUB 180-1, "Secure Hash Standard", April 1995.
+
+   [12]Horowitz, M., "Key Derivation for Authentication, Integrity, and
+      Privacy", draft-horowitz-key-derivation-02.txt, August 1998.
+
+   [13]Bradner, S. "The Internet Standards Process -- Revision 3", RFC
+   2026.
+
+
+
+ 10. Author's Addresses
+
+   Sasha Medvinsky
+   Motorola
+   6450 Sequence Drive
+   San Diego, CA 92121
+   Email: smedvinsky@gi.com
+
+   Poornima Lalwaney
+   Nokia
+   12278 Scripps Summit Drive
+   San Diego, CA  92131
+   Email: poornima.lalwaney@nokia.com
+
+
+11. Expiration
+
+   This memo is filed as <draft-smedvinsky-dhc-kerbauth-01.txt>, and
+   expires January 1, 2001.
+
+
+
+12. Intellectual Property Notices
+
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                         -15-        
+
+Kerberos V Authentication Mode for Uninitialized Clients    March 2000
+
+
+      This section contains two notices as required by [13] for
+   standards track documents.  Per [13], section 10.4(A):
+
+     The IETF takes no position regarding the validity or scope of any
+   intellectual property or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; neither does it represent that it
+   has made any effort to identify any such rights. Information on the
+   IETF's procedures with respect to rights in standards-track and
+   standards-related documentation can be found in BCP-11. Copies of
+   claims of rights made available for publication and any assurances
+   of licenses to be made available, or the result of an attempt made
+   to obtain a general license or permission for the use of such
+   proprietary rights by implementers or users of this specification
+   can be obtained from the IETF Secretariat.
+
+      Per [13] section 10.4(D):
+
+      The IETF has been notified of intellectual property rights
+   claimed in regard to some or all of the specification contained in
+   this document.  For more information consult the online list of
+   claimed rights.
+
+   13. Full Copyright Statement
+
+   Copyright (C) The Internet Society (1999).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph
+   are included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.  The limited permissions granted above are perpetual and
+   will not be revoked by the Internet Society or its successors or
+   assigns. This document and the information contained herein is
+   provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
+   INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+S. Medvinsky, P. Lalwaney                                         -16-
+
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt b/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt
new file mode 100644
index 0000000..85d7456
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-referrals-01.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on July 17, 2000.
diff --git a/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt b/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt
new file mode 100644
index 0000000..85d7456
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-01.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on July 17, 2000.
diff --git a/crypto/heimdal/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt b/crypto/heimdal/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt
new file mode 100644
index 0000000..68c170b
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-thomas-snmpv3-kerbusm-00.txt
@@ -0,0 +1,1140 @@
+
+
+
+
+
+
+INTERNET-DRAFT   Kerberized USM Keying    M. Thomas
+                                          Cisco Systems
+                                          K. McCloghrie
+                                          Cisco Systems
+                                          July 13, 2000
+
+
+
+
+
+
+                         Kerberized USM Keying
+
+                   draft-thomas-snmpv3-kerbusm-00.txt
+
+
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+Abstract
+
+   The KerbUSM MIB provides a means of leveraging a trusted third party
+   authentication and authorization mechanism using Kerberos for SNMP V3
+   USM users and their associated VACM views. The MIB encodes the normal
+   Kerberos AP-REQ and AP-REP means of both authenticating and creating
+   a shared secret between the SNMP V3 Manager and Agent.
+
+The SNMP Management Framework
+
+   The SNMP Management Framework presently consists of five major
+   components:  An overall architecture, described in RFC 2571
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 1]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+   [RFC2571].  Mechanisms for describing and naming objects and events
+   for the purpose of management.  The first version of this Structure
+   of Management Information (SMI) is called SMIv1 and described in STD
+   16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC 1215
+   [RFC1215].  The second version, called SMIv2, is described in STD 58,
+   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
+   [RFC2580].  Message protocols for transferring management
+   information.  The first version of the SNMP message protocol is
+   called SNMPv1 and described in STD 15, RFC 1157 [RFC1157].  A second
+   version of the SNMP message protocol, which is not an Internet
+   standards track protocol, is called SNMPv2c and described in RFC 1901
+   [RFC1901] and RFC 1906 [RFC1906].  The third version of the message
+   protocol is called SNMPv3 and described in RFC 1906 [RFC1906], RFC
+   2572 [RFC2572] and RFC 2574 [RFC2574].  Protocol operations for
+   accessing management information.  The first set of protocol
+   operations and associated PDU formats is described in STD 15, RFC
+   1157 [RFC1157].  A second set of protocol operations and associated
+   PDU formats is described in RFC 1905 [RFC1905].  A set of fundamental
+   applications described in RFC 2573 [RFC2573] and the view-based
+   access control mechanism described in RFC 2575 [RFC2575].
+
+   A more detailed introduction to the current SNMP Management Framework
+   can be found in RFC 2570 [RFC2570].
+
+   Managed objects are accessed via a virtual information store, termed
+   the Management Information Base or MIB.  Objects in the MIB are
+   defined using the mechanisms defined in the SMI.
+
+   This memo specifies a MIB module that is compliant to the SMIv2.  A
+   MIB conforming to the SMIv1 can be produced through the appropriate
+   translations.  The resulting translated MIB must be semantically
+   equivalent, except where objects or events are omitted because no
+   translation is possible (use of Counter64).  Some machine readable
+   information in SMIv2 will be converted into textual descriptions in
+   SMIv1 during the translation process.  However, this loss of machine
+   readable information is not considered to change the semantics of the
+   MIB.
+
+
+Introduction
+
+   The User based Security Model of SNMP V3 (USM) [2] provides a means
+   of associating different users with different access privileges of
+   the various MIB's that an agent supports. In conjunction with the
+   View based Access Control Model of SNMP V3 (VACM) [3], SNMP V3
+   provides a means of providing resistance from various threats both
+   from outside attacks such as spoofing, and inside attacks such as an
+   user having, say, SET access to MIB variable for which they are not
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 2]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+   authorized.
+
+   SNMP V3, unfortunately, does not specify a means of doing key
+   distribution between the managers and the agents. For small numbers
+   of agents and managers, the O(n*m) manual keying is a cumbersome, but
+   possibly tractable problem. For a large number of agents with
+   distribution of managers, the key distribution quickly goes from
+   cumbersome to unmanageable. Also: there is always the lingering
+   concern of the security precautions taken for keys on either local
+   management stations, or even directories.
+
+   Kerberos [1] provides a means of centralizing key management into an
+   authentication and authorization server known as a Key Distribution
+   Center (KDC).  At a minimum, Kerberos changes the key distribution
+   problem from a O(n*m) problem to a O(n) problem since keys are shared
+   between the KDC and the Kerberos principals rather directly between
+   each host pair. Kerberos also provides a means to use public key
+   based authentication which can be used to further scale down the
+   number of pre-shared secrets required. Furthermore, a KDC is intended
+   and explicitly expected to be a standalone server which is managed
+   with a much higher level of security concern than a management
+   station or even a central directory which may host many services and
+   thus be exposed to many more possible vectors of attack.
+
+   The MIB defined in this memo describes a means of using the desirable
+   properties of Kerberos within the context of SNMP V3. Kerberos
+   defines a standardized means of communicating with the KDC as well as
+   a standard format of Kerberos tickets which Kerberos principals
+   exchange in order to authenticate to one another. The actual means of
+   exchanging tickets, however, is left as application specific. This
+   MIB defines the SNMP MIB designed to transport Kerberos tickets and
+   by doing so set up SNMP V3 USM keys for authentication and privacy.
+
+   It should be noted that using Kerberos does introduce reliance on a
+   key network element, the KDC. This flies in the face of one of SNMP's
+   dictums of working when the network is misbehaving. While this is a
+   valid concern, the risk of reliance on the KDC can be significantly
+   diminished with a few common sense actions. Since Kerberos tickets
+   can have long life times (days, weeks) a manager of key network
+   elements can and should maintain Kerberos tickets well ahead ticket
+   expiration so that likelihood of not being able to rekey a session
+   while the network is misbehaving is minimized. For non-critical, but
+   high fanout elements such as user CPE, etc, requiring a pre-fetched
+   ticket may not be practical, which puts the KDC into the critical
+   path. However, if all KDC's are unreachable, the non-critical network
+   elements are probably the least of the worries.
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 3]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+Operation
+
+   The normal Kerberos application ticket exchange is accomplished by  a
+   client  first  fetching  a  service ticket from a KDC for the service
+   principal and then sending an AP-REQ  to  a  server  to  authenticate
+   itself  to  the  server. The server then sends a AP-REP to finish the
+   exchange. This MIB maps Kerberos' concept of client and  server  into
+   the  SNMP  V3  concept  of  Manager and Agent by designating that the
+   Kerberos Client is the SNMP V3 Agent. Although  it  could  be  argued
+   that an Agent is really a server, in practice there may be many, many
+   agents and relatively few managers. Also: Kerberos clients  may  make
+   use  of  public  key authentication as defined in [4], and it is very
+   advantageous to take advantage of that capability for  Agents  rather
+   than Managers.
+
+   The MIB is intended to be stateless and map USM users to Kerberos
+   principals. This mapping is explicitly done by putting a Kerberos
+   principal name into the usmUserSecurityName in the usmUser MIB and
+   instatiating the krbUsmMibEntry for the usmUserEntry. MIB variables
+   are accessed with INFORM's or TRAP PDU's and SET's to perform a
+   normal Kerberos AP-REQ/AP-REP exchange transaction which causes the
+   keys for a USM user to be derived and installed. The basic structure
+   of the MIB is a table which augements usmUserEntry's with a Kerberos
+   principal name as well as the transaction varbinds. In the normal
+   case, multiple varbinds should be sent in a single PDU which prevents
+   various race conditions, as well as increasing efficiency.
+
+   It should be noted that this MIB is silent on the subject of how the
+   Agent and Manager find the KDC. In practice, this may be either
+   statically provisioned or use either DNS SRV records (RFC 2782) or
+   Service Location (RFC 2608). This MIB is does not provide for a means
+   of doing cipher suite negotiation either. It is expected that the
+   choices for ciphers in the USM MIB will reflect site specific choices
+   for ciphers. This matches well with the general philosophy of
+   centralized keying.
+
+Keying Transactions
+
+   The following shows an error free transaction:
+
+   Note: optional steps or parameters are shown like [ ]
+
+
+
+
+
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 4]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+
+    Agent                       Manager                            KDC
+ +--                                                               --+
+ | 1) <-------------------------------                               |
+ |     SET (krbUsmPrinTable[usmUserName].krbUsmMibNonce = xxxx;      |
+ |          [ krbUsmPrinTable[usmUserName].krbUsmMibTgt =            |
+ |                                  TGT[usmUserSecurityName] ]);     |
+ |                                                                   |
+ | 2) ------------------------------->                               |
+ |    Response                                                       |
+ +--                     (optional)                                --+
+
+   3) --------------------------------------------------------------->
+        TGS-REQ (krbUsmPrinTable[usmUserName].krbUsmMibMgrPrinName
+                 [, krbUsmPrinTable[usmUserName].krbUsmMibTgt]);
+
+   4) <--------------------------------------------------------------
+        Tick[usmUserSecurityName] = TGS-REP ();
+
+   5)  ------------------------------>
+        INFORM (krbUsmPrinTable[usmUserName].krbUsmMibApReq =
+                   AP_REQ[Tick[usmUserSecurityName]];
+                   [ krbUsmPrinTable[usmUserName].krbUsmMibNonce = xxxx]);
+
+   6)  <------------------------------
+        SET (krbUsmPrinTable[usmUserName].krbUsmMibApRep = AP_REP[]);
+
+
+   7)  ------------------------------>
+       Response
+
+
+   The above flow translates to:
+
+
+   1)  This step is used when the Manager does not currently have a ses-
+       sion with the Agent but wishes to start one. The Manager MAY
+       place a ticket granting ticket into the krbUsmMibMgrTgt varbind
+       in the same PDU as the krbUsmMibNonce if it does not share a
+       secret with the KDC (as would be the case if the Manager used
+       PKinit to do initial authentication with the KDC).
+
+
+   2)  This step acknowledges the SET. There are no MIB specific errors
+       which can happen here.
+
+
+   3)  If the Agent is not already in possession of a service ticket for
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 5]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+       the Manager in its ticket cache, it MUST request a service ticket
+       from the Agent's KDC for the service principal given by
+       krbUsmMibMgrPrinName in the row that the krbUsmMibNonce was SET
+       in, optionally adding a krbUsmMibMgrTgt.  If the TGT is speci-
+       fied, the Manager's TGT must be placed in the additional-tickets
+       field with the ENC-TKT-IN-SKEY option set in the TGS-REQ to
+       obtain a service ticket (see section 3.3.3 of [1]).
+
+       Note:   a Kerberos TGS-REQ is but one way to obtain a service
+               ticket. An Agent may use any normal Kerberos means to
+               obtain the service ticket. This flow has also elided ini-
+               tial authentication (ie, AS-REQ) and any cross realm con-
+               siderations, though those may be necessary prerequisites
+               to obtaining the service ticket.
+
+   4)  If step 3 was performed, this step receives the ticket or an
+       error from the KDC.
+
+
+   5)  This step sends a krbUsmMibApReq to the Manager via an INFORM or
+       TRAP PDU.  If the message is the result of a request by the
+       Manager, krbUsmMibNonce received from the Manager MUST be sent in
+       the same PDU. If the Manager did not initiate the transaction,
+       the Agent MUST NOT send a krbUsmMibNonce varbind. The Agent also
+       MUST check krbUsmMibUnsolicitedNotify is not false, otherwise it
+       MUST abort the transaction.  All krbUsmMibApReq's MUST contain a
+       sequence nonce so that the resulting krbUsmMibApRep can provide a
+       proof of the freshness of the message to prevent replay attacks.
+
+       If the Agent encounters an error either generated by the KDC or
+       internally, the Agent MUST send an INFORM or TRAP PDU indicating
+       the error in the form of a KRB-ERROR placed in krbUsmMibApReq
+       with the same rules applied to krbUsmMibNonce and krbUsmMibUnsol-
+       icitedNotify above. If the Agent suspects that it is being
+       attacked by a purported Manager which is generating many failed
+       TGS-REQ's to the KDC, it SHOULD meter its TGS-REQ transactions
+       for that Manager to the KDC using an exponential backoff mechan-
+       ism truncated at 10 seconds.
+
+
+
+   6)  Upon recepit of an INFORM or TRAP PDU with a krbUsmMibApReq, a
+       Manager may accept the AP-REQ. If it is accompanied with a
+       krbUsmMibNonce it MUST correlate it with any outstanding transac-
+       tions using its stored nonce for the transaction. If it does not
+       correlate with a current nonce, the request MUST be rejected as
+       it may be a replay.
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 6]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+       If the Manager chooses to reject an unsolicited keying request,
+       it SHOULD send a WrongValue Error to the Agent with the krbUsmMi-
+       bApReq as the subject of the WrongValue. If an Agent receives a
+       WrongValue Error from a Manager it MUST cease retransmission of
+       the INFORM or TRAP PDU's so as to mitigate event avalanches by
+       Agents. There is a possible denial of service attack here, but it
+       must be weighed against the larger problem of network congestion,
+       flapping, etc. Therefore, if the Agent finds that it cannot can-
+       cel an unsolicited Notify (ie, it must be reliable), it MUST use
+       a truncated exponential backoff mechanism with the maximum trun-
+       cation interval set to 10 minutes.
+
+       Otherwise, the Manager MUST send a SET PDU to the Agent which
+       contains a krbUsmMibApRep.
+
+
+   7)  If the Agent detects an error (including detecting replays) in
+       the final AP-REP, it MUST send a WrongValue error with a pointer
+       to the krbUsmMibApRep varbind to indicate its inability to estab-
+       lish the security association. Otherwise, receipt of the positive
+       acknowledgement from the final SET indicates to the Manager that
+       the proper keys have been installed on the Agent in the USM MIB.
+
+Unsolicited Agent Keying Requests
+
+   An Agent may find that it needs to set up a security association for
+   a USM user in order to notify a Manager of some event. When the Agent
+   engine receives a request for a notify, it SHOULD check to see if
+   keying material has been established for the user and that the keying
+   material is valid. If the keying material is not valid and the USM
+   user has been tagged as being a Kerberos principal in a realm, the
+   Agent SHOULD first try to instantiate a security association by
+   obtaining a service ticket for the USM User and follow steps 3-7 of
+   the flow above. This insures that the USM User will have proper key-
+   ing material and providing a mechanism to allow for casual security
+   associations to be built up and torn down. This is especially useful
+   for Agents which may not normally need to be under constant Manager
+   supervision, such as the case with high fan out user residential CPE
+   and other SNMP managed "appliances". In all cases, the Agent MUST NOT
+   send an unsolicited Notify if krbUsmUnsolicitedNotify is set to
+   false.
+
+   How the Agent obtains the Manager's address, how it determines
+   whether a Manager, realm, and whether it can be keyed using this MIB
+   is outside of the scope of this memo.
+
+   Note:   Although the MIB allows for a Manager to set up a session
+           using User-User mode of Kerberos by sending a TGT along with
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 7]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+           the nonce, this, is limited to Manager initiated sessions
+           only since there is no easy way to store the Manager's ticket
+           in the MIB since it is publicly writable and as such would be
+           subject to denial of service attacks. Another method might be
+           to have the Agent send a krbUsmMibNonce to the Manager which
+           would tell it to instigate a session. Overall, it seems like
+           a marginal feature to allow a PKinit authenticated user be
+           the target of unsolicited informs and it would complicate the
+           transactions. For this reason, this scenario has been omitted
+           in favor of simplicity.
+
+Retransmissions
+
+   Since this MIB defines not only variables, but transactions, discus-
+   sion of the retransmission state machine is in order. There are two
+   similar but different state machines for the Manager Solicited and
+   Agent Unsolicited transactions.  There is one timer Timeout which
+   SHOULD take into consideration round trip considerations and MUST
+   implement a truncated exponential backoff mechanism. In addition, in
+   the case where an Agent makes an unsolicited Agent keying request,
+   the Agent SHOULD perform an initial random backoff if the keying
+   request to the Manager may result in a restart avalanche. A suitable
+   method is described in section 4.3.4 of [5].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 8]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+
+Manager Solicited Retransmission State Machine
+
+                Timeout
+                 +---+
+                 |   |
+                 |   V
+              +-----------+ Set-Ack (2) +----------+
+              |           |------------>|          |
+              | Set-Nonce |             |  Ap-Req  |
+              |   (1)     |<------------|   (5)    |
+              +-----------+   Timeout   +----------+
+                   ^                         |
+                   |                         | Set-Ap-Rep
+                   |      +----------+       |  (6)
+                   +------|          |<------+
+                  Timeout | Estab-wt |
+                          |   (7)    |
+                          +----------+
+                               |
+                               |  Set-Ap-Rep-Ack (7)
+                               V
+                          +----------+
+                          |          |
+                          |  Estab   |
+                          |          |
+
+                          +----------+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00             [Page 9]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+
+Agent Unsolicited Retransmission State Machine
+
+                             Timeout
+                              +---+
+                              |   |
+                              |   V
+                          +----------+
+                          |          |
+                   +----> |  Ap-Req  |-------+
+                   |      |   (5)    |       |
+                   |      +----------+       |
+                   |                         |
+                   |                         | Set-Ap-Rep
+                   |      +----------+       |  (6)
+                   +------|          |<------+
+                  Timeout | Estab-wt |
+                          |   (7)    |
+                          +----------+
+                               |
+                               |  Set-Ap-Rep-Ack (7)
+                               V
+                          +----------+
+                          |          |
+                          |  Estab   |
+                          |          |
+                          +----------+
+
+Session Duration and Failures
+
+   The KerbUsmMib uses the ticket lifetime to determine the life of the
+   USM session. The Agent MUST keep track of whether the ticket which
+   instigated the session is valid whenever it forms PDU's for that par-
+   ticular user. If a session expires, or if it wasn't valid to begin
+   with (from the Agent's perspective), the Agent MUST reject the PDU by
+   sending a XXX Error [mat: help me here Keith... what does USM say
+   about this?].
+
+   Kerberos also inherently implies adding state to the Agent and
+   Manager since they share not only a key, but a lifetime associated
+   with that key. This is in some sense soft state because failure of an
+   Agent will cause it to reject PDU's for Managers with whom it does
+   not share a secret. The Manager can use the Error PDU's as an indica-
+   tion that it needs to reauthenticate with the Agent, taking care not
+   to loop. The Manager is even easier: when it reboots, it can either
+   check its credential cache to reconstruct state or cause the Agent to
+   reauthenticate to the Manager with its service ticket by initiating a
+   authentication transaction with the manager.
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 10]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+Manager Collisions
+
+   Managers may freely set up keys for different USM users using this
+   MIB without problem since they access different rows in the krbUsm-
+   PrinTable. However, multiple Managers trying to set up keys for the
+   same USM user is possible but discouraged. The requirement for the
+   Manager is that they MUST share the same service key with the KDC so
+   that they can all decrypt the same service ticket. There are two race
+   conditions, however, which are not well handled:
+
+
+
+1)  At the end of a ticket lifetime, one manager may request the agent
+    to refresh its service ticket causing a new session key to be
+    installed for the USM user leaving the other managers with stale
+    keys. The workaround here is that the Agent will reject the stale
+    manager's PDU's which should inform them to do their own rekeying
+    operations.
+
+
+2)  If multiple managers try to access the same row at the same time,
+    the Agent SHOULD try to keep the transactions separate based on the
+    nonce values. The Managers or the Agents SHOULD NOT break the
+    krbUsmMibNonce and any other additional varbinds into separate PDU's
+    as this may result in a meta stable state. Given normal MTU sizes,
+    this should not be an issue in practice, and this should  at worst
+    devolve into the case above.
+
+   In all cases, the krbUsmMibNonce MUST be the last value to be
+   transmitted, though its position within a PDU is unimportant.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 11]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+
+   KrbUSM MIB
+
+   KRB-USM-MIB DEFINITIONS ::= BEGIN
+   IMPORTS
+       MODULE-IDENTITY,
+       OBJECT-TYPE, OBJECT-IDENTITY,
+       snmpModules, Counter32, Unsigned32 FROM SNMPv2-SMI
+       TruthValue, DisplayString          FROM SNMPv2-TC
+       usmUserEntry                       FROM SNMP-USER-BASED-SM-MIB
+
+
+
+   krbUsmMib MODULE-IDENTITY
+           LAST-UPDATED "00071300Z"
+           ORGANIZATION "IETF SNMP V3 Working Group"
+           CONTACT-INFO
+             "Michael Thomas
+              Cisco Systems
+              375 E Tasman Drive
+              San Jose, Ca 95134
+              Phone: +1 408-525-5386
+              Fax: +1 801-382-5284
+              email: mat@cisco.com"
+           DESCRIPTION
+              "This MIB contains the MIB variables to
+               exchange Kerberos credentials and a session
+               key to be used to authenticate and set up
+               USM keys"
+
+           ::= { snmpModules nnn }   -- not sure what needs to be here.
+   krbUsmMibObjects OBJECT INDENTIFIER ::= { krbUsmMib 1 }
+
+   krbUsmMibAuthInAttemps
+               SYNTAX      Counter32
+               MAX-ACCESS  read-only
+               STATUS      current
+               DESCRIPTION
+                   "Counter of the number of Kerberos
+                    authorization attempts as defined by
+                    receipt of a PDU from a Manager with a
+                     krbUsmMibNonce set in the principal table."
+               ::= { krbUsmMibObjects 1 }
+
+   krbUsmMibAuthOutAttemps
+               SYNTAX      Counter32
+               MAX-ACCESS  read-only
+               STATUS      current
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 12]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+               DESCRIPTION
+                   "Counter of the number of unsolicited Kerberos
+                    authorization attempts as defined by
+                    an Agent sending an INFORM or TRAP PDU with a
+                    krbUsmMibApRep but without krbUsmApMibNonce
+                    varbind."
+               ::= { krbUsmMibObjects 2 }
+   krbUsmMibAuthInFail
+               SYNTAX      Counter32
+               MAX-ACCESS  read-only
+               STATUS      current
+               DESCRIPTION
+                   "Counter of the number of Kerberos
+                    authorization failures as defined by
+                    a Manager setting the krbUsmMibNonce
+                    in the principal table which results
+                    in some sort of failure to install keys
+                    in the requested USM user entry."
+               ::= { krbUsmMibObjects 3 }
+
+   krbUsmMibAuthOutFail
+               SYNTAX      Counter32
+               MAX-ACCESS  read-only
+               STATUS      current
+               DESCRIPTION
+                   "Counter of the number of unsolicited Kerberos
+                    authorization failures as defined by
+                    an Agent sending an INFORM or TRAP PDU with a
+                    krbUsmMibApRep but without a krbUsmMibNonce
+                    varbind which does not result in keys being
+                    installed for that USM user entry."
+               ::= { krbUsmMibObjects 4 }
+
+   krbUsmMibPrinTable OBJECT-TYPE
+               SYNTAX      SEQUENCE OF krbUsmMibEntry
+               MAX-ACCESS  not-accessible
+               STATUS      current
+               DESCRIPTION
+                   "Table which maps Kerberos principals with USM
+                    users as well as the per user variables to key
+                    up sessions"
+               ::= { krbUsmMibObjects 5 }
+
+   krbUsmMibPrinEntry OBJECT-TYPE
+               SYNTAX     KrbUsmMibPrinEntry
+               MAX-ACCESS  not-accessible
+               STATUS      current
+               DESCRIPTION
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 13]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+                   "an entry into the krbMibPrinTable which is a
+                    parallel table to UsmUserEntry table"
+               AUGMENTS { usmUserEntry }
+               ::= { krbUsmMibPrinTable 1 }
+
+   KrbUsmMibPrinEntry SEQUENCE
+    {
+                   krbUsmMibApReq                  OCTET STRING,
+                   krbUsmMibApRep                  OCTET STRING,
+                   krbUsmMibNonce                  OCTET STRING,
+                   krbUsmMibMgrTGT                 OCTET STRING,
+                   krbUsmMibUnsolicitedNotify      TruthValue,
+    }
+
+
+   krbUsmMibApReq OBJECT-TYPE
+               SYNTAX      OCTET STRING
+               MAX-ACCESS  accessible-for-notify
+               STATUS      current
+               DESCRIPTION
+                   "This variable contains a DER encoded Kerberos
+                    AP-REQ or KRB-ERROR for the USM user which is
+                    to be keyed. This is sent from the Agent to
+                    the Manager in an INFORM or TRAP request.
+                    KRB-ERROR MUST only be sent to the Manager
+                    if it is in response to a keying request from
+                    the Manager.
+                   "
+               ::= { krbUsmMibPrinEntry 1 }
+
+   krbUsmMibApRep OBJECT-TYPE
+               SYNTAX      OCTET STRING
+               MAX-ACCESS  read-write
+               STATUS      current
+               DESCRIPTION
+                   "This variable contains the DER encoded response
+                    to an AP-REQ. This variable is SET by the
+                    Manager to acknowledge receipt of an AP-REQ. If
+                    krbUsmMibApRep contains a Kerberos AP-REP, the
+                    Agent must derive keys from the session key
+                    of the Kerberos ticket in the AP-REQ and place
+                    them in the USM database in a manner specified
+                    by [RFC2574]. If the Manager detects an error,
+                    it will instead place a KRB-ERROR in this
+                    variable to inform the Agent of the error.
+
+                    This variable is in effect a write-only variable.
+                    attempts to read this variable will result in a
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 14]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+                    null octet string being returned"
+               ::= { krbUsmMibPrinEntry 2 }
+
+   krbUsmMibNonce OBJECT-TYPE
+               SYNTAX      OCTET STRING
+               MAX-ACCESS  read-write
+               STATUS      current
+               DESCRIPTION
+                   "SET'ing a krbUsmMibnonce allows a Manager to
+                    determine whether an INFORM or TRAP from an
+                    Agent is an outstanding keying request, or
+                    unsolicited from the Agent. The Manager
+                    initiates keying for a particular USM user
+                    by writing a nonce into the row for which
+                    desires to establish a security association.
+                    The nonce is an ASCII string of the form
+                    ``host:port?nonce'' where:
+
+                    host:  is either an FQDN, or valid ipv4 or ipv6
+                           numerical notation of the Manager which
+                           desires to initiate keying
+                    port:  is the destination port at which that the
+                           Manager may be contacted
+                    nonce: is a number generated by the Manager to
+                           correlate the transaction
+
+                    The same nonce MUST be sent to the Manager in a
+                    subsequent INFORM or TRAP with a krbUsmApReq.
+                    The Agent MUST use the host address and port
+                    supplied in the nonce as the destination of a
+                    subsequent INFORM or TRAP. Unsolicited keying
+                    requests MUST NOT contain a nonce, and should
+                    instead use the destination stored Notifies of
+                    this type.
+
+                    Nonces MUST be highly collision resistant either
+                    using a time based method or a suitable random
+                    number generator. Managers MUST never create
+                    nonces which are 0.
+
+                    This variable is in effect a write-only variable.
+                    Attempts to read this variable will result in a
+                    nonce of value 0 being returned"
+
+
+               ::= { krbUsmMibPrinEntry 3 }
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 15]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+   krbUsmMibMgrTgt OBJECT-TYPE
+               SYNTAX      OCTET STRING
+               MAX-ACCESS  read-write
+               STATUS      current
+               DESCRIPTION
+                   "If the Manager does not possess a symmetric
+                    key with the KDC as would be the case with
+                    a Manager using PKinit for authentication,
+                    the Manager MUST SET its DER encoded ticket
+                    granting ticket into KrbUsmMgrTgt along
+                    with krbUsmMibNonce.
+
+                    The agent will then attach the Manager's TGT
+                    into the additional tickets field of the
+                    TGS-REQ message to the KDC to get a User-User
+                    service ticket.
+
+                    This variable is in effect a write-only variable.
+                    Attempts to read this variable will result in a
+                    null octet string being returned"
+               ::= { krbUsmMibPrinEntry 4 }
+
+
+   krbUsmMibUnsolicitedNotify OBJECT-TYPE
+               SYNTAX      TruthValue
+               MAX-ACCESS  read-write
+               STATUS      current
+               DESCRIPTION
+                   "If this variable is false, the Agent MUST NOT
+                    send unsolicited INFORM or TRAP PDU's to the
+                    Manager.
+
+                    Attempts to SET this variable by the no-auth
+                    no-priv user MUST be rejected."
+               ::= { krbUsmMibPrinEntry 5 }
+
+   --
+   -- Conformance section... nothing optional.
+
+   krbUsmMibCompliences MODULE-COMPLIANCE
+               STATUS       current
+               DESCRIPTION "The compliance statement for SNMP
+                            engines whichimplement the KRB-USM-MIB
+                   "
+               MODULE       -- this module
+                       MANDATORY-GROUPS { krbUsmMib }
+       ::= { krbUsmMibCompliances 1 }
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 16]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+   END
+
+
+Key Derivation
+
+   The session key provides the basis for the keying material for the
+   USM user specified in the AP-REQ.  The actual keys for use for the
+   authentication and privacy are produced using the cryptographic hash-
+   ing function used to protect the ticket itself.  The keying material
+   is derived using this function, F(key, salt), using successive
+   interations of F over the salt string "SNMPV3RULZ%d", where %d is a
+   monotonic counter starting at zero. The bits are taken directly from
+   the successive interations to produce two keys of appropriate size
+   (as specified in the USM user row) for the authentication transform
+   first, and the privacy transform second. If the authentication
+   transform is null, the first bits of the derived key are used for the
+   privacy transform.
+
+Security Considerations
+
+   Various elements of this MIB must be readable and writable as the
+   no-auth, no-priv user. Unless specifically necessary for the key
+   negotiation, elements of this MIB SHOULD be protected by VACM views
+   which limit access. In particular, there is no reason anything in
+   this MIB should be visible to a no-auth, no-priv user with the excep-
+   tion of KrbUsmMibApReq, KrbUsmMibApRep, KrbUsmMibNonce, and
+   KrbUsmMibMgrTgt, and then only with the restrictions placed on them
+   in the MIB. As such, probing attacks are still possible, but should
+   not be profitable: all of the writable variables with interesting
+   information in them are defined in such a way as to be write only.
+
+   There are some interesting denial of service attacks which are possi-
+   ble by attackers spoofing managers and putting load on the KDC to
+   generate unnecessary tickets. For large numbers or agents this could
+   be problematic. This can probably be mitigated by the KDC prioritiz-
+   ing TGS-REQ's though.
+
+
+References
+
+[1]         The CAT Working Group,  J.  Kohl,  C.Neuman,  "The  Kerberos
+            Network  Authentication  Service  (V5)", RFC 1510, September
+            1993
+
+[2]         The SNMPV3 Working Group, U.  Blumenthal,  B.  Wijnen,  "The
+            User-based Security Model of SNMP V3", RFC 2574, April 1999
+
+[3]         The SNMPV3 Working Group, B. Wijnen, R. Presuhn,
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 17]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+            K.McCloghrie, "The View-based Access Control Model of SNMP
+            V3", RFC 2575, April 1999
+
+[4]         The CAT Working Group, Tung, et al, "Public Key Cryptography
+            for Initial Authentication in Kerberos", draft-ietf-cat-pk-
+            init-11, November 1999
+
+[5]         Arango, et al, "Media Gateway Control Protocl (MGCP)", RFC
+            2705, October 1999
+
+
+[RFC2571]   Harrington, D., Presuhn, R., and B. Wijnen, An Architecture
+            for Describing SNMP Management Frameworks, RFC 2571, April
+            1999.
+
+[RFC1155]   Rose, M., and K. McCloghrie, Structure and Identification of
+            Management Information for TCP/IP-based Internets, STD 16,
+            RFC 1155, May 1990.
+
+[RFC1212]   Rose, M., and K. McCloghrie, Concise MIB Definitions, STD
+            16, RFC 1212, March 1991.
+
+[RFC1215]   M. Rose, A Convention for Defining Traps for use with the
+            SNMP, RFC 1215, March 1991.
+
+[RFC2578]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
+            Rose, M., and S. Waldbusser, Structure of Management Infor-
+            mation Version 2 (SMIv2), STD 58, RFC 2578, April 1999.
+
+[RFC2579]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
+            Rose, M., and S. Waldbusser, Textual Conventions for SMIv2,
+            STD 58, RFC 2579, April 1999.
+
+[RFC2580]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
+            Rose, M., and S. Waldbusser, Conformance Statements for
+            SMIv2, STD 58, RFC 2580, April 1999.
+
+[RFC1157]   Case, J., Fedor, M., Schoffstall, M., and J. Davin, Simple
+            Network Management Protocol, STD 15, RFC 1157, May 1990.
+
+[RFC1901]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
+            Introduction to Community-based SNMPv2, RFC 1901, January
+            1996.
+
+[RFC1906]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, Tran-
+            sport Mappings for Version 2 of the Simple Network Manage-
+            ment Protocol (SNMPv2), RFC 1906, January 1996.
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 18]
+
+
+
+
+
+INTERNET-DRAFT           Kerberized USM Keying              13 July 2000
+
+
+[RFC2572]   Case, J., Harrington D., Presuhn R., and B. Wijnen, Message
+            Processing and Dispatching for the Simple Network Management
+            Protocol (SNMP), RFC 2572, April 1999.
+
+[RFC2574]   Blumenthal, U., and B. Wijnen, User-based Security Model
+            (USM) for version 3 of the Simple Network Management Proto-
+            col (SNMPv3), RFC 2574, April 1999.
+
+[RFC1905]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, Pro-
+            tocol Operations for Version 2 of the Simple Network Manage-
+            ment Protocol (SNMPv2), RFC 1905, January 1996.
+
+[RFC2573]   Levi, D., Meyer, P., and B. Stewart, SNMPv3 Applications,
+            RFC 2573, April 1999.
+
+[RFC2575]   Wijnen, B., Presuhn, R., and K. McCloghrie, View-based
+            Access Control Model (VACM) for the Simple Network Manage-
+            ment Protocol (SNMP), RFC 2575, April 1999.
+
+[RFC2570]   Case, J., Mundy, R., Partain, D., and B. Stewart, Introduc-
+            tion to Version 3 of the Internet-standard Network Manage-
+            ment Framework, RFC 2570, April 1999.
+
+Author's Address
+
+          Michael Thomas
+          Cisco Systems
+          375 E Tasman Rd
+          San Jose, Ca, 95134, USA
+          Tel: +1 408-525-5386
+          email: mat@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomas               draft-thomas-snmpv3-kerbusm-00            [Page 19]
+
+
diff --git a/crypto/heimdal/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt b/crypto/heimdal/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt
new file mode 100644
index 0000000..b89108a
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-trostle-win2k-cat-kerberos-set-passwd-00.txt
@@ -0,0 +1,227 @@
+
+CAT Working Group                                     Mike Swift 
+draft-trostle-win2k-cat-kerberos-set-passwd-00.txt    Microsoft               
+February 2000                                         Jonathan Trostle
+Category: Informational                               Cisco Systems
+                                                      John Brezak
+                                                      Microsoft
+
+         Extending Change Password for Setting Kerberos Passwords
+
+
+0. Status Of This Memo
+
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026. 
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as 
+   Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six
+   months and may be updated, replaced, or obsoleted by other
+   documents at any time.  It is inappropriate to use Internet-
+   Drafts as reference material or to cite them other than as
+   "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Comments and suggestions on this document are encouraged.  Comments 
+   on this document should be sent to the CAT working group discussion 
+   list:
+                       ietf-cat-wg@stanford.edu
+
+1. Abstract
+
+   The Kerberos [1] change password protocol [2], does not allow for 
+   an administrator to set a password for a new user. This functionality
+   is useful in some environments, and this proposal extends [2] to
+   allow password setting. The changes are: adding new fields to the 
+   request message to indicate the principal which is having its 
+   password set, not requiring the initial flag in the service ticket, 
+   using a new protocol version number, and adding three new result 
+   codes. 
+   
+2. The Protocol
+
+   The service must accept requests on UDP port 464 and TCP port 464 as 
+   well. The protocol consists of a single request message followed by 
+   a single reply message.  For UDP transport, each message must be fully 
+   contained in a single UDP packet.
+
+   For TCP transport, there is a 4 octet header in network byte order
+   precedes the message and specifies the length of the message. This
+
+   requirement is consistent with the TCP transport header in 1510bis.
+
+Request Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REQ length        |         AP_REQ data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                        KRB-PRIV message                       /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+   All 16 bit fields are in big-endian order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0xff80 (big-endian 
+   integer).
+
+   AP-REQ length: length of AP-REQ data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REQ data: (see [1]) The AP-REQ message must be for the service 
+   principal kadmin/changepw@REALM, where REALM is the REALM of the user 
+   who wishes to change/set his password. The ticket in the AP-REQ must 
+   must include a subkey in the Authenticator. To enable setting of 
+   passwords, it is not required that the initial flag be set in the 
+   Kerberos service ticket.
+
+   KRB-PRIV message (see [1]) This KRB-PRIV message must be generated 
+   using the subkey from the authenticator in the AP-REQ data. 
+
+   The user-data component of the message consists of the following ASN.1 
+   structure encoded as an OCTET STRING:
+
+   ChangePasswdData ::=  SEQUENCE {
+                       newpasswd[0]   OCTET STRING,
+                       targname[2]    PrincipalName OPTIONAL,
+                       targrealm[3]   Realm OPTIONAL
+                       }  
+
+   The server must verify the AP-REQ message, check whether the client 
+   principal in the ticket is authorized to set/change the password 
+   (either for that principal, or for the principal in the targname 
+   field if present), and decrypt the new password. The server also 
+   checks whether the initial flag is required for this request, 
+   replying with status 0x0007 if it is not set and should be. An 
+   authorization failure is cause to respond with status 0x0005. For 
+   forward compatibility, the server should be prepared to ignore fields 
+   after targrealm in the structure that it does not understand. 
+
+   The newpasswd field contains the cleartext password, and the server 
+   should apply any local policy checks including password policy checks. 
+   The server then generates the appropriate keytypes from the password
+
+   and stores them in the KDC database. If all goes well, status 0x0000 
+   is returned to the client in the reply message (see below).
+
+Reply Message
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         message length        |    protocol version number    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          AP_REP length        |         AP-REP data           /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      /                         KRB-PRIV message                      /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+   All 16 bit fields are in big-endian order. 
+
+   message length field: contains the number of bytes in the message 
+   including this field.
+
+   protocol version number: contains the hex constant 0x0001 (big-endian 
+   integer). (The reply message has the same format as in [2]).
+
+   AP-REP length: length of AP-REP data, in bytes. If the length is zero, 
+   then the last field contains a KRB-ERROR message instead of a KRB-PRIV 
+   message.
+
+   AP-REP data: the AP-REP is the response to the AP-REQ in the request 
+   packet.
+   
+   KRB-PRIV from [2]: This KRB-PRIV message must be generated using the 
+   subkey in the authenticator in the AP-REQ data.
+
+   The server will respond with a KRB-PRIV message unless it cannot
+   decode the client AP-REQ or KRB-PRIV message, in which case it will
+   respond with a KRB-ERROR message. NOTE: Unlike change password version
+   1, the KRB-ERROR message will be sent back without any encapsulation.
+
+   The user-data component of the KRB-PRIV message, or e-data component 
+   of the KRB-ERROR message, must consist of the following data.
+
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |          result code          |        result string          /
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+      result code (16 bits) (result codes 0-4 are from [2]):
+         The result code must have one of the following values (big-
+         endian integer):
+         KRB5_KPASSWD_SUCCESS      0 request succeeds (This value is not 
+                                     allowed in a KRB-ERROR message)
+         KRB5_KPASSWD_MALFORMED    1 request fails due to being malformed
+         KRB5_KPASSWD_HARDERROR    2 request fails due to "hard" error in
+                                     processing the request (for example, 
+                                     there is a resource or other problem 
+                                     causing the request to fail)
+
+         KRB5_KPASSWD_AUTHERROR    3 request fails due to an error in 
+                                     authentication processing
+         KRB5_KPASSWD_SOFTERROR    4 request fails due to a "soft" error 
+                                     in processing the request 
+         KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized
+         KRB5_KPASSWD_BAD_VERSION  6 protocol version unsupported
+         KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required
+         0xFFFF if the request fails for some other reason.
+         Although only a few non-zero result codes are specified here,
+         the client should accept any non-zero result code as indicating
+         failure.
+      result string - from [2]:
+         This field should contain information which the server thinks
+         might be useful to the user, such as feedback about policy
+         failures.  The string must be encoded in UTF-8.  It may be
+         omitted if the server does not wish to include it.  If it is
+         present, the client should display the string to the user.
+         This field is analogous to the string which follows the numeric
+         code in SMTP, FTP, and similar protocols.
+
+3. References
+ 
+   [1] J. Kohl, C. Neuman. The Kerberos Network Authentication
+   Service (V5). Request for Comments 1510.
+
+   [2] M. Horowitz. Kerberos Change Password Protocol.
+   ftp://ds.internic.net/internet-drafts/
+   draft-ietf-cat-kerb-chg-password-02.txt
+
+4. Expiration Date
+
+   This draft expires in August 2000.   
+
+5. Authors' Addresses
+
+   Jonathan Trostle
+   Cisco Systems
+   170 W. Tasman Dr.
+   San Jose, CA 95134
+   Email: jtrostle@cisco.com
+
+   Mike Swift 
+   1 Microsoft Way
+   Redmond, WA 98052
+   mikesw@microsoft.com
+
+   John Brezak
+   1 Microsoft Way
+   Redmond, WA 98052
+   jbrezak@microsoft.com
diff --git a/crypto/heimdal/doc/standardisation/draft-tso-telnet-krb5-04.txt b/crypto/heimdal/doc/standardisation/draft-tso-telnet-krb5-04.txt
new file mode 100644
index 0000000..e9611e3
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-tso-telnet-krb5-04.txt
@@ -0,0 +1,327 @@
+Network Working Group                                    T. Ts'o, Editor
+Internet-Draft                     Massachusetts Institute of Technology
+draft-tso-telnet-krb5-04.txt                                  April 2000
+
+               Telnet Authentication: Kerberos Version 5
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
+   documents of the Internet Engineering Task Force (IETF), its areas,
+   and its working groups.  Note that other groups may also distribute
+   working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference mate-
+   rial or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119.
+
+0. Abstract
+
+   This document describes how Kerberos Version 5 [1] is used with the
+   telnet protocol.   It describes an telnet authentication sub-option
+   to be used with the telnet authentication option [2].   This mecha-
+   nism can also used to provide keying material to provide data confi-
+   dentiality services in conjuction with the telnet encryption option
+   [3].
+
+1. Command Names and Codes
+
+   Authentication Types
+
+      KERBEROS_V5    2
+
+   Sub-option Commands
+
+                           Expires Sept 2000                    [Page 1]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+      AUTH               0
+      REJECT             1
+      ACCEPT             2
+      RESPONSE           3
+      FORWARD            4
+      FORWARD_ACCEPT     5
+      FORWARD_REJECT     6
+
+2.  Command Meanings
+
+   IAC SB AUTHENTICATION IS <authentication-type-pair> AUTH <Kerberos V5
+   KRB_AP_REQ message> IAC SE
+
+      This is used to pass the Kerberos V5 [1] KRB_AP_REQ message to the
+      remote side of the connection.  The first octet of the <authenti-
+      cation-type-pair> value is KERBEROS_V5, to indicate that Version 5
+      of Kerberos is being used.  The Kerberos V5 authenticator in the
+      KRB_AP_REQ message     must contain a Kerberos V5 checksum of the
+      two-byte authentication type pair.  This checksum must be verified
+      by the server to assure that the authentication type pair was cor-
+      rectly negotiated.  The Kerberos V5 authenticator must also in-
+      clude the optional subkey field, which shall be filled in with a
+      randomly chosen key.  This key shall be used for encryption pur-
+      poses if encryption is negotiated, and shall be used as the nego-
+      tiated session key (i.e., used as keyid 0) for the purposes of the
+      telnet encryption option; if the subkey is not filled in, then the
+      ticket session key will be used instead.
+
+      If data confidentiality services is desired the ENCRYPT_US-
+      ING_TELOPT flag must be set in the authentication-type-pair as
+      specified in [2].
+
+   IAC SB AUTHENTICATION REPLY <authentication-type-pair> ACCEPT IAC SE
+
+      This command indicates that the authentication was successful.
+
+      If the AUTH_HOW_MUTUAL bit is set in the second octet of the au-
+      thentication-type-pair, the RESPONSE command must be sent before
+      the ACCEPT command is sent.
+
+   IAC SB AUTHENTICATION REPLY <authentication-type-pair> REJECT <op-
+   tional reason for rejection> IAC SE
+
+      This command indicates that the authentication was not successful,
+      and if there is any more data in the sub-option, it is an ASCII
+      text message of the reason for the rejection.
+
+   IAC SB AUTHENTICATION REPLY <authentication-type-pair> RESPONSE
+   <KRB_AP_REP message> IAC SE
+
+                           Expires Sept 2000                    [Page 2]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+      This command is used to perform mutual authentication.  It is only
+      used when the AUTH_HOW_MUTUAL bit is set in the second octet of
+      the authentication-type-pair.  After an AUTH command is verified,
+      a RESPONSE command is sent which contains a Kerberos V5 KRB_AP_REP
+      message to perform the mutual authentication.
+
+   IAC SB AUTHENTICATION <authentication-type-pair> FORWARD <KRB_CRED
+   message> IAC SE
+
+      This command is used to forward kerberos credentials for use by
+      the remote session.  The credentials are passed as a Kerberos V5
+      KRB_CRED message which includes, among other things, the forwarded
+      Kerberos ticket and a session key associated with the ticket. Part
+      of the KRB_CRED message is encrypted in the key previously ex-
+      changed for the telnet session by the AUTH suboption.
+
+   IAC SB AUTHENTICATION <authentication-type-pair> FORWARD_ACCEPT IAC
+   SE
+
+      This command indicates that the credential forwarding was success-
+      ful.
+
+   IAC SB AUTHENTICATION <authentication-type-pair> FORWARD_REJECT <op-
+   tional reason for rejection> IAC SE
+
+      This command indicates that the credential forwarding was not suc-
+      cessful, and if there is any more data in the sub-option, it is an
+      ASCII text message of the reason for the rejection.
+
+3.  Implementation Rules
+
+   If the second octet of the authentication-type-pair has the AUTH_WHO
+   bit set to AUTH_CLIENT_TO_SERVER, then the client sends the initial
+   AUTH command, and the server responds with either ACCEPT or REJECT.
+   In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the serv-
+   er will send a RESPONSE before it sends the ACCEPT.
+
+   If the second octet of the authentication-type-pair has the AUTH_WHO
+   bit set to AUTH_SERVER_TO_CLIENT, then the server sends the initial
+   AUTH command, and the client responds with either ACCEPT or REJECT.
+   In addition, if the AUTH_HOW bit is set to AUTH_HOW_MUTUAL, the
+   client will send a RESPONSE before it sends the ACCEPT.
+
+   The Kerberos principal used by the server will generally be of the
+   form "host/<hostname>@realm".  That is, the first component of the
+   Kerberos principal is "host"; the second component is the fully qual-
+   ified lower-case hostname of the server; and the realm is the Ker-
+   beros realm to which the server belongs.
+
+                           Expires Sept 2000                    [Page 3]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+   Any Telnet IAC characters that occur in the KRB_AP_REQ or KRB_AP_REP
+   messages, the KRB_CRED structure, or the optional rejection text
+   string must be doubled as specified in [4].  Otherwise the following
+   byte might be mis-interpreted as a Telnet command.
+
+4.  Examples
+
+   User "joe" may wish to log in as user "pete" on machine "foo".  If
+   "pete" has set things up on "foo" to allow "joe" access to his ac-
+   count, then the client would send IAC SB AUTHENTICATION NAME "pete"
+   IAC SE IAC SB AUTHENTICATION IS KERBEROS_V5 AUTH <KRB_AP_REQ_MESSAGE>
+   IAC SE
+
+   The server would then authenticate the user as "joe" from the
+   KRB_AP_REQ_MESSAGE, and if the KRB_AP_REQ_MESSAGE was accepted by
+   Kerberos, and if "pete" has allowed "joe" to use his account, the
+   server would then continue the authentication sequence by sending a
+   RESPONSE (to do mutual authentication, if it was requested) followed
+   by the ACCEPT.
+
+   If forwarding has been requested, the client then sends IAC SB AU-
+   THENTICATION IS KERBEROS_V5 CLIENT|MUTUAL FORWARD <KRB_CRED structure
+   with credentials to be forwarded> IAC SE.  If the server succeeds in
+   reading the forwarded credentials, the server sends FORWARD_ACCEPT
+   else, a FORWARD_REJECT is sent back.
+
+       Client                           Server
+                                        IAC DO AUTHENTICATION
+       IAC WILL AUTHENTICATION
+
+       [ The server is now free to request authentication information.
+         ]
+
+                                        IAC SB AUTHENTICATION SEND
+                                        KERBEROS_V5 CLIENT|MUTUAL
+                                        KERBEROS_V5 CLIENT|ONE_WAY IAC
+                                        SE
+
+       [ The server has requested mutual Version 5 Kerberos
+         authentication.  If mutual authentication is not supported,
+         then the server is willing to do one-way authentication.
+
+         The client will now respond with the name of the user that it
+         wants to log in as, and the Kerberos ticket.  ]
+
+       IAC SB AUTHENTICATION NAME
+       "pete" IAC SE
+       IAC SB AUTHENTICATION IS
+       KERBEROS_V5 CLIENT|MUTUAL AUTH
+       <KRB_AP_REQ message> IAC SE
+
+                           Expires Sept 2000                    [Page 4]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+       [ Since mutual authentication is desired, the server sends across
+         a RESPONSE to prove that it really is the right server.  ]
+
+                                        IAC SB AUTHENTICATION REPLY
+                                        KERBEROS_V5 CLIENT|MUTUAL
+                                        RESPONSE <KRB_AP_REP message>
+                                        IAC SE
+
+       [ The server responds with an ACCEPT command to state that the
+         authentication was successful.  ]
+
+                                        IAC SB AUTHENTICATION REPLY KER-
+                                        BEROS_V5 CLIENT|MUTUAL ACCEPT
+                                        IAC SE
+
+       [ If so requested, the client now sends the FORWARD command to
+         forward credentials to the remote site.  ]
+
+       IAC SB AUTHENTICATION IS KER-
+       BEROS_V5 CLIENT|MUTUAL
+       FORWARD <KRB_CRED message> IAC
+       SE
+
+       [ The server responds with a FORWARD_ACCEPT command to state that
+         the credential forwarding was successful.  ]
+
+                           Expires Sept 2000                    [Page 5]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+                                        IAC SB AUTHENTICATION REPLY KER-
+                                        BEROS_V5 CLIENT|MUTUAL FOR-
+                                        WARD_ACCEPT IAC SE
+
+5. Security Considerations
+
+   The selection of the random session key in the Kerberos V5 authenti-
+   cator is critical, since this key will be used for encrypting the
+   telnet data stream if encryption is enabled.  It is strongly advised
+   that the random key selection be done using cryptographic techniques
+   that involve the Kerberos ticket's session key.  For example, using
+   the current time, encrypting it with the ticket session key, and then
+   correcting for key parity is a strong way to generate a subsession
+   key, since the ticket session key is assumed to be never disclosed to
+   an attacker.
+
+   Care should be taken before forwarding a user's Kerberos credentials
+   to the remote server.  If the remote server is not trustworthy, this
+   could result in the user's credentials being compromised.  Hence, the
+   user interface should not forward credentials by default; it would be
+   far safer to either require the user to explicitly request creden-
+   tials forwarding for each connection, or to have a trusted list of
+   hosts for which credentials forwarding is enabled, but to not enable
+   credentials forwarding by default for all machines.
+
+6. IANA Considerations
+
+   The authentication type KERBEROS_V5 and its associated suboption values
+   are registered with IANA.  Any suboption values used to extend 
+   the protocol as described in this document must be registered
+   with IANA before use.  IANA is instructed not to issue new suboption
+   values without submission of documentation of their use.
+
+7. Acknowledgments
+
+   This document was originally written by Dave Borman of Cray Research,
+   Inc.  Theodore Ts'o of MIT revised it to reflect the latest implemen-
+   tation experience.  Cliff Neuman and Prasad Upasani of USC's Informa-
+   tion Sciences Institute developed the credential forwarding support.
+
+   In addition, the contributions of the Telnet Working Group are also
+   gratefully acknowledged.
+
+8. References
+
+   [1] Kohl, J. and B. Neuman, "The Kerberos Network Authentication Sys-
+       tem (V5)", RFC 1510, USC/Information Sciences Institute, Septem-
+       ber 1993.
+
+   [2] Internet Engineering Task Force, "Telnet Authentication", draft-
+       tso-telnet-auth-enc-04.txt, T. Ts'o, Editor, VA Linux Systems,
+           April 2000.
+
+   [3] Internet Engineering Task Force, "Telnet Data Encryption Option",
+       draft-tso-telnet-encryption-04.txt, T. Ts'o, Editor, VA Linux
+       Systems,     April 2000.
+
+   [4] Postel, J.B. and J. Reynolds, "Telnet Option Specifications", RFC
+
+                           Expires Sept 2000                    [Page 6]
+
+Internet-Draft        Kerberos Version 5 for Telnet           April 2000
+
+       855, STD 8, USC/Information Sciences Institute, May 1983.
+
+Editor's Address
+
+   Theodore Ts'o
+   Massachusetts Institute of Technology
+   MIT Room E40-343
+   77 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone: (617) 253-8091
+   EMail: tytso@mit.edu
+
+                           Expires Sept 2000                    [Page 7]
+
+
+    Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
+                 The Kermit Project * Columbia University
+              612 West 115th St #716 * New York, NY * 10025
+  http://www.kermit-project.org/k95.html * kermit-support@kermit-project.org
+
+
diff --git a/crypto/heimdal/doc/standardisation/rc4-hmac.txt b/crypto/heimdal/doc/standardisation/rc4-hmac.txt
new file mode 100644
index 0000000..202d44e
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rc4-hmac.txt
@@ -0,0 +1,587 @@
+CAT working group                                              M. Swift 
+Internet Draft                                                J. Brezak 
+Document: draft-brezak-win2k-krb-rc4-hmac-03.txt              Microsoft 
+Category: Informational                                       June 2000 
+ 
+ 
+           The Windows 2000 RC4-HMAC Kerberos encryption type 
+ 
+ 
+Status of this Memo 
+ 
+   This document is an Internet-Draft and is in full conformance with 
+   all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are 
+   working documents of the Internet Engineering Task Force (IETF), its 
+   areas, and its working groups. Note that other groups may also 
+   distribute working documents as Internet-Drafts. Internet-Drafts are 
+   draft documents valid for a maximum of six months and may be 
+   updated, replaced, or obsoleted by other documents at any time. It 
+   is inappropriate to use Internet- Drafts as reference material or to 
+   cite them other than as "work in progress." 
+     
+   The list of current Internet-Drafts can be accessed at 
+   http://www.ietf.org/ietf/1id-abstracts.txt  
+   The list of Internet-Draft Shadow Directories can be accessed at 
+   http://www.ietf.org/shadow.html. 
+    
+1. Abstract 
+    
+   The Windows 2000 implementation of Kerberos introduces a new 
+   encryption type based on the RC4 encryption algorithm and using an 
+   MD5 HMAC for checksum. This is offered as an alternative to using 
+   the existing DES based encryption types. 
+    
+   The RC4-HMAC encryption types are used to ease upgrade of existing 
+   Windows NT environments, provide strong crypto (128-bit key 
+   lengths), and provide exportable (meet United States government 
+   export restriction requirements) encryption. 
+    
+   The Windows 2000 implementation of Kerberos contains new encryption 
+   and checksum types for two reasons: for export reasons early in the 
+   development process, 56 bit DES encryption could not be exported, 
+   and because upon upgrade from Windows NT 4.0 to Windows 2000, 
+   accounts will not have the appropriate DES keying material to do the 
+   standard DES encryption. Furthermore, 3DES is not available for 
+   export, and there was a desire to use a single flavor of encryption 
+   in the product for both US and international products. 
+    
+   As a result, there are two new encryption types and one new checksum 
+   type introduced in Windows 2000. 
+    
+    
+2. Conventions used in this document 
+    
+
+  
+Swift                  Category - Informational                      1 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
+   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
+   this document are to be interpreted as described in RFC-2119 [2]. 
+    
+3. Key Generation 
+    
+   On upgrade from existing Windows NT domains, the user accounts would 
+   not have a DES based key available to enable the use of DES base 
+   encryption types specified in RFC 1510. The key used for RC4-HMAC is 
+   the same as the existing Windows NT key (NT Password Hash) for 
+   compatibility reasons. Once the account password is changed, the DES 
+   based keys are created and maintained. Once the DES keys are 
+   available DES based encryption types can be used with Kerberos.  
+    
+   The RC4-HMAC String to key function is defined as follow: 
+    
+   String2Key(password) 
+    
+        K = MD4(UNICODE(password)) 
+         
+   The RC4-HMAC keys are generated by using the Windows UNICODE version 
+   of the password. Each Windows UNICODE character is encoded in 
+   little-endian format of 2 octets each. Then performing an MD4 [6] 
+   hash operation on just the UNICODE characters of the password (not 
+   including the terminating zero octets). 
+    
+   For an account with a password of "foo", this String2Key("foo") will 
+   return: 
+    
+        0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe, 
+        0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc 
+    
+4. Basic Operations 
+    
+   The MD5 HMAC function is defined in [3]. It is used in this 
+   encryption type for checksum operations. Refer to [3] for details on 
+   its operation. In this document this function is referred to as 
+   HMAC(Key, Data) returning the checksum using the specified key on 
+   the data. 
+    
+   The basic MD5 hash operation is used in this encryption type and 
+   defined in [7]. In this document this function is referred to as 
+   MD5(Data) returning the checksum of the data. 
+    
+   RC4 is a stream cipher licensed by RSA Data Security [RSADSI]. A       
+   compatible cipher is described in [8]. In this document the function 
+   is referred to as RC4(Key, Data) returning the encrypted data using 
+   the specified key on the data. 
+    
+   These encryption types use key derivation as defined in [9] (RFC-
+   1510BIS) in Section titled "Key Derivation". With each message, the 
+   message type (T) is used as a component of the keying material. This 
+   summarizes the different key derivation values used in the various 
+  
+Swift                  Category - Informational                      2 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   operations. Note that these differ from the key derivations used in 
+   other Kerberos encryption types. 
+    
+        T = 1 for TS-ENC-TS in the AS-Request 
+        T = 8 for the AS-Reply  
+        T = 7 for the Authenticator in the TGS-Request 
+        T = 8 for the TGS-Reply  
+        T = 2 for the Server Ticket in the AP-Request 
+        T = 11 for the Authenticator in the AP-Request 
+        T = 12 for the Server returned AP-Reply 
+        T = 15 in the generation of checksum for the MIC token 
+        T = 0 in the generation of sequence number for the MIC token  
+        T = 13 in the generation of checksum for the WRAP token 
+        T = 0 in the generation of sequence number for the WRAP token  
+        T = 0 in the generation of encrypted data for the WRAPPED token 
+    
+   All strings in this document are ASCII unless otherwise specified. 
+   The lengths of ASCII encoded character strings include the trailing 
+   terminator character (0). 
+    
+   The concat(a,b,c,...) function will return the logical concatenation 
+   (left to right) of the values of the arguments. 
+    
+   The nonce(n) function returns a pseudo-random number of "n" octets. 
+    
+5. Checksum Types 
+    
+   There is one checksum type used in this encryption type. The 
+   Kerberos constant for this type is: 
+        #define KERB_CHECKSUM_HMAC_MD5 (-138) 
+    
+   The function is defined as follows: 
+    
+   K - is the Key 
+   T - the message type, encoded as a little-endian four byte integer 
+    
+   CHKSUM(K, T, data) 
+    
+        Ksign = HMAC(K, "signaturekey")  //includes zero octet at end 
+        tmp = MD5(concat(T, data)) 
+        CHKSUM = HMAC(Ksign, tmp) 
+    
+    
+6. Encryption Types 
+    
+   There are two encryption types used in these encryption types. The 
+   Kerberos constants for these types are: 
+        #define KERB_ETYPE_RC4_HMAC             23 
+        #define KERB_ETYPE_RC4_HMAC_EXP         24 
+    
+   The basic encryption function is defined as follow: 
+    
+   T = the message type, encoded as a little-endian four byte integer. 
+  
+Swift                  Category - Informational                      3 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+    
+        BYTE L40[14] = "fortybits"; 
+        BYTE SK = "signaturekey"; 
+         
+        ENCRYPT (K, fRC4_EXP, T, data, data_len, edata, edata_len) 
+        { 
+            if (fRC4_EXP){ 
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 10 + 4, K1); 
+            }else{ 
+                HMAC (K, &T, 4, K1); 
+            } 
+            memcpy (K2, K1, 16); 
+            if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
+            add_8_random_bytes(data, data_len, conf_plus_data); 
+            HMAC (K2, conf_plus_data, 8 + data_len, checksum); 
+            HMAC (K1, checksum, 16, K3); 
+            RC4(K3, conf_plus_data, 8 + data_len, edata + 16); 
+            memcpy (edata, checksum, 16); 
+            edata_len = 16 + 8 + data_len; 
+        }         
+         
+        DECRYPT (K, fRC4_EXP, T, edata, edata_len, data, data_len) 
+        { 
+            if (fRC4_EXP){ 
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K1); 
+            }else{ 
+                HMAC (K, &T, 4, K1); 
+            } 
+            memcpy (K2, K1, 16); 
+            if (fRC4_EXP) memset (K1+7, 0xAB, 9); 
+            HMAC (K1, edata, 16, K3); // checksum is at edata 
+            RC4(K3, edata + 16, edata_len - 16, edata + 16); 
+            data_len = edata_len - 16 - 8; 
+            memcpy (data, edata + 16 + 8, data_len); 
+             
+            // verify generated and received checksums 
+            HMAC (K2, edata + 16, edata_len - 16, checksum); 
+            if (memcmp(edata, checksum, 16) != 0)  
+                printf("CHECKSUM ERROR  !!!!!!\n"); 
+        } 
+    
+   The header field on the encrypted data in KDC messages is: 
+    
+        typedef struct _RC4_MDx_HEADER { 
+            UCHAR Checksum[16]; 
+            UCHAR Confounder[8]; 
+        } RC4_MDx_HEADER, *PRC4_MDx_HEADER; 
+         
+   The KDC message is encrypted using the ENCRYPT function not 
+   including the Checksum in the RC4_MDx_HEADER. 
+    
+  
+Swift                  Category - Informational                      4 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+7. Key Strength Negotiation 
+    
+   A Kerberos client and server can negotiate over key length if they 
+   are using mutual authentication. If the client is unable to perform 
+   full strength encryption, it may propose a key in the "subkey" field 
+   of the authenticator, using a weaker encryption type. The server 
+   must then either return the same key or suggest its own key in the 
+   subkey field of the AP reply message. The key used to encrypt data 
+   is derived from the key returned by the server. If the client is 
+   able to perform strong encryption but the server is not, it may 
+   propose a subkey in the AP reply without first being sent a subkey 
+   in the authenticator. 
+ 
+8. GSSAPI Kerberos V5 Mechanism Type  
+ 
+8.1 Mechanism Specific Changes 
+    
+   The GSSAPI per-message tokens also require new checksum and 
+   encryption types. The GSS-API per-message tokens must be changed to 
+   support these new encryption types (See [5] Section 1.2.2). The 
+   sealing algorithm identifier (SEAL_ALG) for an RC4 based encryption 
+   is: 
+        Byte 4..5 SEAL_ALG      0x10 0x00 - RC4 
+    
+   The signing algorithm identifier (SGN_ALG) for MD5 HMAC is: 
+        Byte 2..3 SGN ALG       0x11 0x00 - HMAC 
+    
+   The only support quality of protection is: 
+        #define GSS_KRB5_INTEG_C_QOP_DEFAULT    0x0 
+    
+   In addition, when using an RC4 based encryption type, the sequence 
+   number is sent in big-endian rather than little-endian order. 
+    
+   The Windows 2000 implementation also defines new GSSAPI flags in the 
+   initial token passed when initializing a security context. These 
+   flags are passed in the checksum field of the authenticator (See [5] 
+   Section 1.1.1). 
+    
+   GSS_C_DCE_STYLE - This flag was added for use with Microsoft’s 
+   implementation of DCE RPC, which initially expected three legs of 
+   authentication. Setting this flag causes an extra AP reply to be 
+   sent from the client back to the server after receiving the server’s 
+   AP reply. In addition, the context negotiation tokens do not have 
+   GSSAPI framing - they are raw AP message and do not include object 
+   identifiers. 
+        #define GSS_C_DCE_STYLE                 0x1000 
+    
+
+  
+Swift                  Category - Informational                      5 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+   GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the 
+   server that it should only allow the server application to identify 
+   the client by name and ID, but not to impersonate the client. 
+        #define GSS_C_IDENTIFY_FLAG             0x2000 
+         
+   GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the 
+   client wants to be informed of extended error information. In 
+   particular, Windows 2000 status codes may be returned in the data 
+   field of a Kerberos error message. This allows the client to 
+   understand a server failure more precisely. In addition, the server 
+   may return errors to the client that are normally handled at the 
+   application layer in the server, in order to let the client try to 
+   recover. After receiving an error message, the client may attempt to 
+   resubmit an AP request. 
+        #define GSS_C_EXTENDED_ERROR_FLAG       0x4000 
+    
+   These flags are only used if a client is aware of these conventions 
+   when using the SSPI on the Windows platform, they are not generally 
+   used by default. 
+    
+   When NetBIOS addresses are used in the GSSAPI, they are identified 
+   by the GSS_C_AF_NETBIOS value. This value is defined as: 
+        #define GSS_C_AF_NETBIOS                0x14 
+   NetBios addresses are 16-octet addresses typically composed of 1 to 
                                                                 th
   15 characters, trailing blank (ascii char 20) filled, with a 16  
+   octet of 0x0. 
+    
+8.2 GSSAPI Checksum Type 
+    
+   The GSSAPI checksum type and algorithm is defined in Section 5. Only 
+   the first 8 octets of the checksum are used. The resulting checksum 
+   is stored in the SGN_CKSUM field (See [5] Section 1.2) for 
+   GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE). 
+    
+        MIC (K, fRC4_EXP, seq_num, MIC_hdr, msg, msg_len, 
+             MIC_seq, MIC_checksum) 
+        { 
+            HMAC (K, SK, 13, K4); 
+            T = 15; 
+            memcpy (T_plus_hdr_plus_msg + 00, &T, 4); 
+            memcpy (T_plus_hdr_plus_msg + 04, MIC_hdr, 8);  
+                                                // 0101 1100 FFFFFFFF 
+            memcpy (T_plus_hdr_plus_msg + 12, msg, msg_len); 
+            MD5 (T_hdr_msg, 4 + 8 + msg_len, MD5_of_T_hdr_msg); 
+            HMAC (K4, MD5_of_T_hdr_msg, CHKSUM); 
+            memcpy (MIC_checksum, CHKSUM, 8); // use only first 8 bytes 
+          
+            T = 0; 
+            if (fRC4_EXP){  
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K5); 
+            }else{ 
+                HMAC (K, &T, 4, K5); 
+  
+Swift                  Category - Informational                      6 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+            } 
+            if (fRC4_EXP) memset(K5+7, 0xAB, 9); 
+            HMAC(K5, MIT_checksum, 8, K6); 
+            copy_seq_num_in_big_endian(seq_num, seq_plus_direction); 
+        //0x12345678 
+            copy_direction_flag (direction_flag, seq_plus_direction + 
+        4); //0x12345678FFFFFFFF 
+            RC4(K6, seq_plus_direction, 8, MIC_seq); 
+        } 
+    
+8.3 GSSAPI Encryption Types 
+    
+   There are two encryption types for GSSAPI message tokens, one that 
+   is 128 bits in strength, and one that is 56 bits in strength as 
+   defined in Section 6. 
+    
+   All padding is rounded up to 1 byte. One byte is needed to say that 
+   there is 1 byte of padding. The DES based mechanism type uses 8 byte 
+   padding. See [5] Section 1.2.2.3. 
+    
+   The encryption mechanism used for GSS wrap based messages is as 
+   follow: 
+    
+    
+        WRAP (K, fRC4_EXP, seq_num, WRAP_hdr, msg, msg_len, 
+              WRAP_seq, WRAP_checksum, edata, edata_len) 
+        { 
+            HMAC (K, SK, 13, K7); 
+            T = 13; 
+            PAD = 1; 
+            memcpy (T_hdr_conf_msg_pad + 00, &T, 4); 
+            memcpy (T_hdr_conf_msg_pad + 04, WRAP_hdr, 8); // 0101 1100 
+        FFFFFFFF 
+            memcpy (T_hdr_conf_msg_pad + 12, msg, msg_len); 
+            memcpy (T_hdr_conf_msg_pad + 12 + msg_len, &PAD, 1); 
+            MD5 (T_hdr_conf_msg_pad, 
+                 4 + 8 + 8 + msg_len + 1, 
+                 MD5_of_T_hdr_conf_msg_pad); 
+            HMAC (K7, MD5_of_T_hdr_conf_msg_pad, CHKSUM); 
+            memcpy (WRAP_checksum, CHKSUM, 8); // use only first 8 
+        bytes 
+          
+            T = 0; 
+            if (fRC4_EXP){  
+                *((DWORD *)(L40+10)) = T; 
+                HMAC (K, L40, 14, K8); 
+            }else{ 
+                HMAC (K, &T, 4, K8); 
+            } 
+            if (fRC4_EXP) memset(K8+7, 0xAB, 9); 
+            HMAC(K8, WRAP_checksum, 8, K9); 
+            copy_seq_num_in_big_endian(seq_num, seq_plus_direction); 
+        //0x12345678 
+  
+Swift                  Category - Informational                      7 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+            copy_direction_flag (direction_flag, seq_plus_direction + 
+        4); //0x12345678FFFFFFFF 
+            RC4(K9, seq_plus_direction, 8, WRAP_seq); 
+          
+            for (i = 0; i < 16; i++) K10 [i] ^= 0xF0; // XOR each byte 
+        of key with 0xF0 
+            T = 0; 
+            if (fRC4_EXP){ 
+                *(DWORD *)(L40+10) = T; 
+                HMAC(K10, L40, 14, K11); 
+                memset(K11+7, 0xAB, 9); 
+            }else{ 
+                HMAC(K10, &T, 4, K11);  
+            } 
+            HMAC(K11, seq_num, 4, K12); 
+            RC4(K12, T_hdr_conf_msg_pad + 4 + 8, 8 + msg_len + 1, 
+        edata); /* skip T & hdr */ 
+            edata_len = 8 + msg_len + 1; // conf + msg_len + pad 
+         } 
+          
+    
+   The character constant "fortybits" evolved from the time when a 40-
+   bit key length was all that was exportable from the United States. 
+   It is now used to recognize that the key length is of "exportable" 
+   length. In this description, the key size is actually 56-bits. 
+    
+9. Security Considerations 
+ 
+   Care must be taken in implementing this encryption type because it 
+   uses a stream cipher. If a different IV isn’t used in each direction 
+   when using a session key, the encryption is weak. By using the 
+   sequence number as an IV, this is avoided. 
+    
+10. Acknowledgements 
+    
+   We would like to thank Salil Dangi for the valuable input in 
+   refining the descriptions of the functions and review input. 
+     
+11. References 
+ 
+   1  Bradner, S., "The Internet Standards Process -- Revision 3", BCP 
+      9, RFC 2026, October 1996. 
+    
+   2  Bradner, S., "Key words for use in RFCs to Indicate Requirement 
+      Levels", BCP 14, RFC 2119, March 1997 
+    
+   3  Krawczyk, H., Bellare, M., Canetti, R.,"HMAC: Keyed-Hashing for 
+      Message Authentication", RFC 2104, February 1997 
+    
+   4  Kohl, J., Neuman, C., "The Kerberos Network Authentication 
+      Service (V5)", RFC 1510, September 1993 
+ 
+ 
+  
+Swift                  Category - Informational                      8 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type       June 2000 
+ 
+ 
+ 
+   5  Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC-1964, 
+      June 1996 
+ 
+   6  R. Rivest, "The MD4 Message-Digest Algorithm", RFC-1320, April 
+      1992 
+ 
+   7  R. Rivest, "The MD5 Message-Digest Algorithm", RFC-1321, April 
+      1992 
+ 
+   8  Thayer, R. and K. Kaukonen, "A Stream Cipher Encryption             
+      Algorithm", Work in Progress. 
+ 
+   9  RC4 is a proprietary encryption algorithm available under license 
+      from RSA Data Security Inc.  For licensing information, contact: 
+       
+         RSA Data Security, Inc. 
+         100 Marine Parkway 
+         Redwood City, CA 94065-1031 
+ 
+   10 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network 
+      Authentication Service (V5)", draft-ietf-cat-kerberos-revisions-
+      04.txt, June 25, 1999 
+ 
+    
+12. Author's Addresses 
+    
+   Mike Swift 
+   Dept. of Computer Science 
+   Sieg Hall 
+   University of Washington 
+   Seattle, WA 98105 
+   Email: mikesw@cs.washington.edu  
+    
+   John Brezak 
+   Microsoft 
+   One Microsoft Way 
+   Redmond, Washington 
+   Email: jbrezak@microsoft.com 
+    
+    
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                      9 
+
+                Windows 2000 RC4-HMAC Kerberos E-Type    October 1999 
+ 
+ 
+    
+13. Full Copyright Statement 
+ 
+   "Copyright (C) The Internet Society (2000). All Rights Reserved. 
+    
+   This document and translations of it may be copied and          
+   furnished to others, and derivative works that comment on or          
+   otherwise explain it or assist in its implementation may be          
+   prepared, copied, published and distributed, in whole or in          
+   part, without restriction of any kind, provided that the above          
+   copyright notice and this paragraph are included on all such          
+   copies and derivative works.  However, this document itself may          
+   not be modified in any way, such as by removing the copyright          
+   notice or references to the Internet Society or other Internet          
+   organizations, except as needed for the purpose of developing          
+   Internet standards in which case the procedures for copyrights          
+   defined in the Internet Standards process must be followed, or          
+   as required to translate it into languages other than English. 
+    
+   The limited permissions granted above are perpetual and will          
+   not be revoked by the Internet Society or its successors or          
+   assigns. 
+    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  
+Swift                  Category - Informational                     10 
+
diff --git a/crypto/heimdal/doc/standardisation/rfc1508.txt b/crypto/heimdal/doc/standardisation/rfc1508.txt
new file mode 100644
index 0000000..132b855
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1508.txt
@@ -0,0 +1,2747 @@
+
+
+
+
+
+
+Network Working Group                                            J. Linn
+Request for Comments: 1508                         Geer Zolot Associates
+                                                          September 1993
+
+
+         Generic Security Service Application Program Interface
+
+Status of this Memo
+
+   This RFC specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" for the standardization state and status
+   of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   This Generic Security Service Application Program Interface (GSS-API)
+   definition provides security services to callers in a generic
+   fashion, supportable with a range of underlying mechanisms and
+   technologies and hence allowing source-level portability of
+   applications to different environments. This specification defines
+   GSS-API services and primitives at a level independent of underlying
+   mechanism and programming language environment, and is to be
+   complemented by other, related specifications:
+
+        documents defining specific parameter bindings for particular
+        language environments
+
+        documents defining token formats, protocols, and procedures to
+        be implemented in order to realize GSS-API services atop
+        particular security mechanisms
+
+Table of Contents
+
+   1. GSS-API Characteristics and Concepts .......................    2
+   1.1. GSS-API Constructs .......................................    5
+   1.1.1.  Credentials ...........................................    5
+   1.1.2.  Tokens ................................................    6
+   1.1.3.  Security Contexts .....................................    7
+   1.1.4.  Mechanism Types .......................................    8
+   1.1.5.  Naming ................................................    9
+   1.1.6.  Channel Bindings ......................................   10
+   1.2.  GSS-API Features and Issues .............................   11
+   1.2.1.  Status Reporting ......................................   11
+   1.2.2.  Per-Message Security Service Availability .............   12
+   1.2.3.  Per-Message Replay Detection and Sequencing ...........   13
+   1.2.4.  Quality of Protection .................................   15
+
+
+
+Linn                                                            [Page 1]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   2. Interface Descriptions .....................................   15
+   2.1.  Credential management calls .............................   17
+   2.1.1.  GSS_Acquire_cred call .................................   17
+   2.1.2.  GSS_Release_cred call .................................   19
+   2.1.3.  GSS_Inquire_cred call .................................   20
+   2.2.  Context-level calls .....................................   21
+   2.2.1.  GSS_Init_sec_context call .............................   21
+   2.2.2.  GSS_Accept_sec_context call ...........................   26
+   2.2.3.  GSS_Delete_sec_context call ...........................   29
+   2.2.4.  GSS_Process_context_token call ........................   30
+   2.2.5.  GSS_Context_time call .................................   31
+   2.3.  Per-message calls .......................................   32
+   2.3.1.  GSS_Sign call .........................................   32
+   2.3.2.  GSS_Verify call .......................................   33
+   2.3.3.  GSS_Seal call .........................................   35
+   2.3.4.  GSS_Unseal call .......................................   36
+   2.4.  Support calls ...........................................   37
+   2.4.1.  GSS_Display_status call ...............................   37
+   2.4.2.  GSS_Indicate_mechs call ...............................   38
+   2.4.3.  GSS_Compare_name call .................................   38
+   2.4.4.  GSS_Display_name call .................................   39
+   2.4.5.  GSS_Import_name call ..................................   40
+   2.4.6.  GSS_Release_name call .................................   41
+   2.4.7.  GSS_Release_buffer call ...............................   41
+   2.4.8.  GSS_Release_oid_set call ..............................   42
+   3. Mechanism-Specific Example Scenarios .......................   42
+   3.1.  Kerberos V5, single-TGT .................................   43
+   3.2.  Kerberos V5, double-TGT .................................   43
+   3.3.  X.509 Authentication Framework ..........................   44
+   4. Related Activities .........................................   45
+   5. Acknowledgments ............................................   46
+   6. Security Considerations ....................................   46
+   7. Author's Address ...........................................   46
+   Appendix A ....................................................   47
+   Appendix B ....................................................   48
+   Appendix C ....................................................   49
+
+1. GSS-API Characteristics and Concepts
+
+   The operational paradigm in which GSS-API operates is as follows. A
+   typical GSS-API caller is itself a communications protocol, calling
+   on GSS-API in order to protect its communications with
+   authentication, integrity, and/or confidentiality security services.
+   A GSS-API caller accepts tokens provided to it by its local GSS-API
+   implementation and transfers the tokens to a peer on a remote system;
+   that peer passes the received tokens to its local GSS-API
+   implementation for processing. The security services available
+   through GSS-API in this fashion are implementable (and have been
+
+
+
+Linn                                                            [Page 2]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   implemented) over a range of underlying mechanisms based on secret-
+   key and public-key cryptographic technologies.
+
+   The GSS-API separates the operations of initializing a security
+   context between peers, achieving peer entity authentication (This
+   security service definition, and other definitions used in this
+   document, corresponds to that provided in International Standard ISO
+   7498-2-1988(E), Security Architecture.) (GSS_Init_sec_context() and
+   GSS_Accept_sec_context() calls), from the operations of providing
+   per-message data origin authentication and data integrity protection
+   (GSS_Sign() and GSS_Verify() calls) for messages subsequently
+   transferred in conjunction with that context. Per-message GSS_Seal()
+   and GSS_Unseal() calls provide the data origin authentication and
+   data integrity services which GSS_Sign() and GSS_Verify() offer, and
+   also support selection of confidentiality services as a caller
+   option.  Additional calls provide supportive functions to the GSS-
+   API's users.
+
+   The following paragraphs provide an example illustrating the
+   dataflows involved in use of the GSS-API by a client and server in a
+   mechanism-independent fashion, establishing a security context and
+   transferring a protected message. The example assumes that credential
+   acquisition has already been completed.  The example assumes that the
+   underlying authentication technology is capable of authenticating a
+   client to a server using elements carried within a single token, and
+   of authenticating the server to the client (mutual authentication)
+   with a single returned token; this assumption holds for presently-
+   documented CAT mechanisms but is not necessarily true for other
+   cryptographic technologies and associated protocols.
+
+   The client calls GSS_Init_sec_context()  to establish a security
+   context to the server identified by targ_name, and elects to set the
+   mutual_req_flag so that mutual authentication is performed in the
+   course of context establishment. GSS_Init_sec_context()  returns an
+   output_token to be passed to the server, and indicates
+   GSS_CONTINUE_NEEDED status pending completion of the mutual
+   authentication sequence. Had mutual_req_flag not been set, the
+   initial call to GSS_Init_sec_context()  would have returned
+   GSS_COMPLETE status. The client sends the output_token to the server.
+
+   The server passes the received token as the input_token parameter to
+   GSS_Accept_sec_context().  GSS_Accept_sec_context indicates
+   GSS_COMPLETE status, provides the client's authenticated identity in
+   the src_name result, and provides an output_token to be passed to the
+   client. The server sends the output_token to the client.
+
+   The client passes the received token as the input_token parameter to
+   a successor call to GSS_Init_sec_context(),  which processes data
+
+
+
+Linn                                                            [Page 3]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   included in the token in order to achieve mutual authentication from
+   the client's viewpoint. This call to GSS_Init_sec_context()  returns
+   GSS_COMPLETE status, indicating successful mutual authentication and
+   the completion of context establishment for this example.
+
+   The client generates a data message and passes it to GSS_Seal().
+   GSS_Seal() performs data origin authentication, data integrity, and
+   (optionally) confidentiality processing on the message and
+   encapsulates the result into output_message, indicating GSS_COMPLETE
+   status. The client sends the output_message to the server.
+
+   The server passes the received message to GSS_Unseal().  GSS_Unseal
+   inverts the encapsulation performed by GSS_Seal(),  deciphers the
+   message if the optional confidentiality feature was applied, and
+   validates the data origin authentication and data integrity checking
+   quantities. GSS_Unseal()  indicates successful validation by
+   returning GSS_COMPLETE status along with the resultant
+   output_message.
+
+   For purposes of this example, we assume that the server knows by
+   out-of-band means that this context will have no further use after
+   one protected message is transferred from client to server. Given
+   this premise, the server now calls GSS_Delete_sec_context() to flush
+   context-level information. GSS_Delete_sec_context() returns a
+   context_token for the server to pass to the client.
+
+   The client passes the returned context_token to
+   GSS_Process_context_token(),  which returns GSS_COMPLETE status after
+   deleting context-level information at the client system.
+
+   The GSS-API design assumes and addresses several basic goals,
+   including:
+
+      Mechanism independence: The GSS-API defines an interface to
+      cryptographically implemented strong authentication and other
+      security services at a generic level which is independent of
+      particular underlying mechanisms. For example, GSS-API-provided
+      services can be implemented by secret-key technologies (e.g.,
+      Kerberos) or public-key approaches (e.g., X.509).
+
+      Protocol environment independence: The GSS-API is independent of
+      the communications protocol suites with which it is employed,
+      permitting use in a broad range of protocol environments. In
+      appropriate environments, an intermediate implementation "veneer"
+      which is oriented to a particular communication protocol (e.g.,
+      Remote Procedure Call (RPC)) may be interposed between
+      applications which call that protocol and the GSS-API, thereby
+      invoking GSS-API facilities in conjunction with that protocol's
+
+
+
+Linn                                                            [Page 4]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      communications invocations.
+
+      Protocol association independence: The GSS-API's security context
+      construct is independent of communications protocol association
+      constructs. This characteristic allows a single GSS-API
+      implementation to be utilized by a variety of invoking protocol
+      modules on behalf of those modules' calling applications. GSS-API
+      services can also be invoked directly by applications, wholly
+      independent of protocol associations.
+
+      Suitability to a range of implementation placements: GSS-API
+      clients are not constrained to reside within any Trusted Computing
+      Base (TCB) perimeter defined on a system where the GSS-API is
+      implemented; security services are specified in a manner suitable
+      to both intra-TCB and extra-TCB callers.
+
+1.1. GSS-API Constructs
+
+   This section describes the basic elements comprising the GSS-API.
+
+1.1.1.  Credentials
+
+   Credentials structures provide the prerequisites enabling peers to
+   establish security contexts with each other. A caller may designate
+   that its default credential be used for context establishment calls
+   without presenting an explicit handle to that credential.
+   Alternately, those GSS-API callers which need to make explicit
+   selection of particular credentials structures may make references to
+   those credentials through GSS-API-provided credential handles
+   ("cred_handles").
+
+   A single credential structure may be used for initiation of outbound
+   contexts and acceptance of inbound contexts. Callers needing to
+   operate in only one of these modes may designate this fact when
+   credentials are acquired for use, allowing underlying mechanisms to
+   optimize their processing and storage requirements. The credential
+   elements defined by a particular mechanism may contain multiple
+   cryptographic keys, e.g., to enable authentication and message
+   encryption to be performed with different algorithms.
+
+   A single credential structure may accommodate credential information
+   associated with multiple underlying mechanisms (mech_types); a
+   credential structure's contents will vary depending on the set of
+   mech_types supported by a particular GSS-API implementation.
+   Commonly, a single mech_type will be used for all security contexts
+   established by a particular initiator to a particular target; the
+   primary motivation for supporting credential sets representing
+   multiple mech_types is to allow initiators on systems which are
+
+
+
+Linn                                                            [Page 5]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   equipped to handle multiple types to initiate contexts to targets on
+   other systems which can accommodate only a subset of the set
+   supported at the initiator's system.
+
+   It is the responsibility of underlying system-specific mechanisms and
+   OS functions below the GSS-API to ensure that the ability to acquire
+   and use credentials associated with a given identity is constrained
+   to appropriate processes within a system. This responsibility should
+   be taken seriously by implementors, as the ability for an entity to
+   utilize a principal's credentials is equivalent to the entity's
+   ability to successfully assert that principal's identity.
+
+   Once a set of GSS-API credentials is established, the transferability
+   of that credentials set to other processes or analogous constructs
+   within a system is a local matter, not defined by the GSS-API. An
+   example local policy would be one in which any credentials received
+   as a result of login to a given user account, or of delegation of
+   rights to that account, are accessible by, or transferable to,
+   processes running under that account.
+
+   The credential establishment process (particularly when performed on
+   behalf of users rather than server processes) is likely to require
+   access to passwords or other quantities which should be protected
+   locally and exposed for the shortest time possible. As a result, it
+   will often be appropriate for preliminary credential establishment to
+   be performed through local means at user login time, with the
+   result(s) cached for subsequent reference. These preliminary
+   credentials would be set aside (in a system-specific fashion) for
+   subsequent use, either:
+
+      to be accessed by an invocation of the GSS-API GSS_Acquire_cred()
+      call, returning an explicit handle to reference that credential
+
+      as the default credentials installed on behalf of a process
+
+1.1.2. Tokens
+
+   Tokens are data elements transferred between GSS-API callers, and are
+   divided into two classes. Context-level tokens are exchanged in order
+   to establish and manage a security context between peers. Per-message
+   tokens are exchanged in conjunction with an established context to
+   provide protective security services for corresponding data messages.
+   The internal contents of both classes of tokens are specific to the
+   particular underlying mechanism used to support the GSS-API; Appendix
+   B of this document provides a uniform recommendation for designers of
+   GSS-API support mechanisms, encapsulating mechanism-specific
+   information along with a globally-interpretable mechanism identifier.
+
+
+
+
+Linn                                                            [Page 6]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   Tokens are opaque from the viewpoint of GSS-API callers. They are
+   generated within the GSS-API implementation at an end system,
+   provided to a GSS-API caller to be transferred to the peer GSS-API
+   caller at a remote end system, and processed by the GSS-API
+   implementation at that remote end system. Tokens may be output by
+   GSS-API primitives (and are to be transferred to GSS-API peers)
+   independent of the status indications which those primitives
+   indicate. Token transfer may take place in an in-band manner,
+   integrated into the same protocol stream used by the GSS-API callers
+   for other data transfers, or in an out-of-band manner across a
+   logically separate channel.
+
+   Development of GSS-API support primitives based on a particular
+   underlying cryptographic technique and protocol does not necessarily
+   imply that GSS-API callers invoking that GSS-API mechanism type will
+   be able to interoperate with peers invoking the same technique and
+   protocol outside the GSS-API paradigm.  For example, the format of
+   GSS-API tokens defined in conjunction with a particular mechanism,
+   and the techniques used to integrate those tokens into callers'
+   protocols, may not be the same as those used by non-GSS-API callers
+   of the same underlying technique.
+
+1.1.3.  Security Contexts
+
+   Security contexts are established between peers, using credentials
+   established locally in conjunction with each peer or received by
+   peers via delegation. Multiple contexts may exist simultaneously
+   between a pair of peers, using the same or different sets of
+   credentials. Coexistence of multiple contexts using different
+   credentials allows graceful rollover when credentials expire.
+   Distinction among multiple contexts based on the same credentials
+   serves applications by distinguishing different message streams in a
+   security sense.
+
+   The GSS-API is independent of underlying protocols and addressing
+   structure, and depends on its callers to transport GSS-API-provided
+   data elements. As a result of these factors, it is a caller
+   responsibility to parse communicated messages, separating GSS-API-
+   related data elements from caller-provided data.  The GSS-API is
+   independent of connection vs. connectionless orientation of the
+   underlying communications service.
+
+   No correlation between security context and communications protocol
+   association is dictated. (The optional channel binding facility,
+   discussed in Section 1.1.6 of this document, represents an
+   intentional exception to this rule, supporting additional protection
+   features within GSS-API supporting mechanisms.) This separation
+   allows the GSS-API to be used in a wide range of communications
+
+
+
+Linn                                                            [Page 7]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   environments, and also simplifies the calling sequences of the
+   individual calls. In many cases (depending on underlying security
+   protocol, associated mechanism, and availability of cached
+   information), the state information required for context setup can be
+   sent concurrently with initial signed user data, without interposing
+   additional message exchanges.
+
+1.1.4.  Mechanism Types
+
+   In order to successfully establish a security context with a target
+   peer, it is necessary to identify an appropriate underlying mechanism
+   type (mech_type) which both initiator and target peers support. The
+   definition of a mechanism embodies not only the use of a particular
+   cryptographic technology (or a hybrid or choice among alternative
+   cryptographic technologies), but also definition of the syntax and
+   semantics of data element exchanges which that mechanism will employ
+   in order to support security services.
+
+   It is recommended that callers initiating contexts specify the
+   "default" mech_type value, allowing system-specific functions within
+   or invoked by the GSS-API implementation to select the appropriate
+   mech_type, but callers may direct that a particular mech_type be
+   employed when necessary.
+
+   The means for identifying a shared mech_type to establish a security
+   context with a peer will vary in different environments and
+   circumstances; examples include (but are not limited to):
+
+      use of a fixed mech_type, defined by configuration, within an
+      environment
+
+      syntactic convention on a target-specific basis, through
+      examination of a target's name
+
+      lookup of a target's name in a naming service or other database in
+      order to identify mech_types supported by that target
+
+      explicit negotiation between GSS-API callers in advance of
+      security context setup
+
+   When transferred between GSS-API peers, mech_type specifiers (per
+   Appendix B, represented as Object Identifiers (OIDs)) serve to
+   qualify the interpretation of associated tokens. (The structure and
+   encoding of Object Identifiers is defined in ISO/IEC 8824,
+   "Specification of Abstract Syntax Notation One (ASN.1)" and in
+   ISO/IEC 8825, "Specification of Basic Encoding Rules for Abstract
+   Syntax Notation One (ASN.1)".) Use of hierarchically structured OIDs
+   serves to preclude ambiguous interpretation of mech_type specifiers.
+
+
+
+Linn                                                            [Page 8]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   The OID representing the DASS MechType, for example, is
+   1.3.12.2.1011.7.5.
+
+1.1.5.  Naming
+
+   The GSS-API avoids prescription of naming structures, treating the
+   names transferred across the interface in order to initiate and
+   accept security contexts as opaque octet string quantities.  This
+   approach supports the GSS-API's goal of implementability atop a range
+   of underlying security mechanisms, recognizing the fact that
+   different mechanisms process and authenticate names which are
+   presented in different forms. Generalized services offering
+   translation functions among arbitrary sets of naming environments are
+   outside the scope of the GSS-API; availability and use of local
+   conversion functions to translate among the naming formats supported
+   within a given end system is anticipated.
+
+   Two distinct classes of name representations are used in conjunction
+   with different GSS-API parameters:
+
+      a printable form (denoted by OCTET STRING), for acceptance from
+      and presentation to users; printable name forms are accompanied by
+      OID tags identifying the namespace to which they correspond
+
+      an internal form (denoted by INTERNAL NAME), opaque to callers and
+      defined by individual GSS-API implementations; GSS-API
+      implementations supporting multiple namespace types are
+      responsible for maintaining internal tags to disambiguate the
+      interpretation of particular names
+
+      Tagging of printable names allows GSS-API callers and underlying
+      GSS-API mechanisms to disambiguate name types and to determine
+      whether an associated name's type is one which they are capable of
+      processing, avoiding aliasing problems which could result from
+      misinterpreting a name of one type as a name of another type.
+
+   In addition to providing means for names to be tagged with types,
+   this specification defines primitives to support a level of naming
+   environment independence for certain calling applications. To provide
+   basic services oriented towards the requirements of callers which
+   need not themselves interpret the internal syntax and semantics of
+   names, GSS-API calls for name comparison (GSS_Compare_name()),
+   human-readable display (GSS_Display_name()),  input conversion
+   (GSS_Import_name()), and internal name deallocation
+   (GSS_Release_name())  functions are defined. (It is anticipated that
+   these proposed GSS-API calls will be implemented in many end systems
+   based on system-specific name manipulation primitives already extant
+   within those end systems; inclusion within the GSS-API is intended to
+
+
+
+Linn                                                            [Page 9]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   offer GSS-API callers a portable means to perform specific
+   operations, supportive of authorization and audit requirements, on
+   authenticated names.)
+
+   GSS_Import_name()  implementations can, where appropriate, support
+   more than one printable syntax corresponding to a given namespace
+   (e.g., alternative printable representations for X.500 Distinguished
+   Names), allowing flexibility for their callers to select among
+   alternative representations. GSS_Display_name() implementations
+   output a printable syntax selected as appropriate to their
+   operational environments; this selection is a local matter. Callers
+   desiring portability across alternative printable syntaxes should
+   refrain from implementing comparisons based on printable name forms
+   and should instead use the GSS_Compare_name()  call to determine
+   whether or not one internal-format name matches another.
+
+1.1.6.  Channel Bindings
+
+   The GSS-API accommodates the concept of caller-provided channel
+   binding ("chan_binding") information, used by GSS-API callers to bind
+   the establishment of a security context to relevant characteristics
+   (e.g., addresses, transformed representations of encryption keys) of
+   the underlying communications channel and of protection mechanisms
+   applied to that communications channel.  Verification by one peer of
+   chan_binding information provided by the other peer to a context
+   serves to protect against various active attacks. The caller
+   initiating a security context must determine the chan_binding values
+   before making the GSS_Init_sec_context()  call, and consistent values
+   must be provided by both peers to a context. Callers should not
+   assume that underlying mechanisms provide confidentiality protection
+   for channel binding information.
+
+   Use or non-use of the GSS-API channel binding facility is a caller
+   option, and GSS-API supporting mechanisms can support operation in an
+   environment where NULL channel bindings are presented. When non-NULL
+   channel bindings are used, certain mechanisms will offer enhanced
+   security value by interpreting the bindings' content (rather than
+   simply representing those bindings, or signatures computed on them,
+   within tokens) and will therefore depend on presentation of specific
+   data in a defined format. To this end, agreements among mechanism
+   implementors are defining conventional interpretations for the
+   contents of channel binding arguments, including address specifiers
+   (with content dependent on communications protocol environment) for
+   context initiators and acceptors. (These conventions are being
+   incorporated into related documents.) In order for GSS-API callers to
+   be portable across multiple mechanisms and achieve the full security
+   functionality available from each mechanism, it is strongly
+   recommended that GSS-API callers provide channel bindings consistent
+
+
+
+Linn                                                           [Page 10]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   with these conventions and those of the networking environment in
+   which they operate.
+
+1.2.  GSS-API Features and Issues
+
+   This section describes aspects of GSS-API operations, of the security
+   services which the GSS-API provides, and provides commentary on
+   design issues.
+
+1.2.1.  Status Reporting
+
+   Each GSS-API call provides two status return values. Major_status
+   values provide a mechanism-independent indication of call status
+   (e.g., GSS_COMPLETE, GSS_FAILURE, GSS_CONTINUE_NEEDED), sufficient to
+   drive normal control flow within the caller in a generic fashion.
+   Table 1 summarizes the defined major_status return codes in tabular
+   fashion.
+
+   Table 1: GSS-API Major Status Codes
+
+      FATAL ERROR CODES
+
+      GSS_BAD_BINDINGS             channel binding mismatch
+      GSS_BAD_MECH                 unsupported mechanism requested
+      GSS_BAD_NAME                 invalid name provided
+      GSS_BAD_NAMETYPE             name of unsupported type provided
+      GSS_BAD_STATUS               invalid input status selector
+      GSS_BAD_SIG                  token had invalid signature
+      GSS_CONTEXT_EXPIRED          specified security context expired
+      GSS_CREDENTIALS_EXPIRED      expired credentials detected
+      GSS_DEFECTIVE_CREDENTIAL     defective credential detected
+      GSS_DEFECTIVE_TOKEN          defective token detected
+      GSS_FAILURE                  failure, unspecified at GSS-API
+                                   level
+      GSS_NO_CONTEXT               no valid security context specified
+      GSS_NO_CRED                  no valid credentials provided
+
+      INFORMATORY STATUS CODES
+
+      GSS_COMPLETE                 normal completion
+      GSS_CONTINUE_NEEDED          continuation call to routine
+                                   required
+      GSS_DUPLICATE_TOKEN          duplicate per-message token
+                                   detected
+      GSS_OLD_TOKEN                timed-out per-message token
+                                   detected
+      GSS_UNSEQ_TOKEN              out-of-order per-message token
+                                   detected
+
+
+
+Linn                                                           [Page 11]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   Minor_status provides more detailed status information which may
+   include status codes specific to the underlying security mechanism.
+   Minor_status values are not specified in this document.
+
+   GSS_CONTINUE_NEEDED major_status returns, and optional message
+   outputs, are provided in GSS_Init_sec_context()  and
+   GSS_Accept_sec_context()  calls so that different mechanisms'
+   employment of different numbers of messages within their
+   authentication sequences need not be reflected in separate code paths
+   within calling applications. Instead, such cases are accomodated with
+   sequences of continuation calls to GSS_Init_sec_context()  and
+   GSS_Accept_sec_context().  The same mechanism is used to encapsulate
+   mutual authentication within the GSS-API's context initiation calls.
+
+   For mech_types which require interactions with third-party servers in
+   order to establish a security context, GSS-API context establishment
+   calls may block pending completion of such third-party interactions.
+   On the other hand, no GSS-API calls pend on serialized interactions
+   with GSS-API peer entities.  As a result, local GSS-API status
+   returns cannot reflect unpredictable or asynchronous exceptions
+   occurring at remote peers, and reflection of such status information
+   is a caller responsibility outside the GSS-API.
+
+1.2.2. Per-Message Security Service Availability
+
+   When a context is established, two flags are returned to indicate the
+   set of per-message protection security services which will be
+   available on the context:
+
+      the integ_avail flag indicates whether per-message integrity and
+      data origin authentication services are available
+
+      the conf_avail flag indicates whether per-message confidentiality
+      services are available, and will never be returned TRUE unless the
+      integ_avail flag is also returned TRUE
+
+      GSS-API callers desiring per-message security services should
+      check the values of these flags at context establishment time, and
+      must be aware that a returned FALSE value for integ_avail means
+      that invocation of GSS_Sign()  or GSS_Seal() primitives on the
+      associated context will apply no cryptographic protection to user
+      data messages.
+
+   The GSS-API per-message protection service primitives, as the
+   category name implies, are oriented to operation at the granularity
+   of protocol data units. They perform cryptographic operations on the
+   data units, transfer cryptographic control information in tokens,
+   and, in the case of GSS_Seal(), encapsulate the protected data unit.
+
+
+
+Linn                                                           [Page 12]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   As such, these primitives are not oriented to efficient data
+   protection for stream-paradigm protocols (e.g., Telnet) if
+   cryptography must be applied on an octet-by-octet basis.
+
+1.2.3. Per-Message Replay Detection and Sequencing
+
+   Certain underlying mech_types are expected to offer support for
+   replay detection and/or sequencing of messages transferred on the
+   contexts they support. These optionally-selectable protection
+   features are distinct from replay detection and sequencing features
+   applied to the context establishment operation itself; the presence
+   or absence of context-level replay or sequencing features is wholly a
+   function of the underlying mech_type's capabilities, and is not
+   selected or omitted as a caller option.
+
+   The caller initiating a context provides flags (replay_det_req_flag
+   and sequence_req_flag) to specify whether the use of per-message
+   replay detection and sequencing features is desired on the context
+   being established. The GSS-API implementation at the initiator system
+   can determine whether these features are supported (and whether they
+   are optionally selectable) as a function of mech_type, without need
+   for bilateral negotiation with the target. When enabled, these
+   features provide recipients with indicators as a result of GSS-API
+   processing of incoming messages, identifying whether those messages
+   were detected as duplicates or out-of-sequence. Detection of such
+   events does not prevent a suspect message from being provided to a
+   recipient; the appropriate course of action on a suspect message is a
+   matter of caller policy.
+
+   The semantics of the replay detection and sequencing services applied
+   to received messages, as visible across the interface which the GSS-
+   API provides to its clients, are as follows:
+
+   When replay_det_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_COMPLETE indicates that the message was within the window
+      (of time or sequence space) allowing replay events to be detected,
+      and that the message was not a replay of a previously-processed
+      message within that window.
+
+      2. GSS_DUPLICATE_TOKEN indicates that the signature on the
+      received message was correct, but that the message was recognized
+      as a duplicate of a previously-processed message.
+
+      3. GSS_OLD_TOKEN indicates that the signature on the received
+      message was correct, but that the message is too old to be checked
+      for duplication.
+
+
+
+Linn                                                           [Page 13]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   When sequence_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_COMPLETE indicates that the message was within the window
+      (of time or sequence space) allowing replay events to be detected,
+      and that the message was not a replay of a previously-processed
+      message within that window.
+
+      2. GSS_DUPLICATE_TOKEN indicates that the signature on the
+      received message was correct, but that the message was recognized
+      as a duplicate of a previously-processed message.
+
+      3. GSS_OLD_TOKEN indicates that the signature on the received
+      message was correct, but that the token is too old to be checked
+      for duplication.
+
+      4. GSS_UNSEQ_TOKEN indicates that the signature on the received
+      message was correct, but that it is earlier in a sequenced stream
+      than a message already processed on the context.  [Note:
+      Mechanisms can be architected to provide a stricter form of
+      sequencing service, delivering particular messages to recipients
+      only after all predecessor messages in an ordered stream have been
+      delivered.  This type of support is incompatible with the GSS-API
+      paradigm in which recipients receive all messages, whether in
+      order or not, and provide them (one at a time, without intra-GSS-
+      API message buffering) to GSS-API routines for validation.  GSS-
+      API facilities provide supportive functions, aiding clients to
+      achieve strict message stream integrity in an efficient manner in
+      conjunction with sequencing provisions in communications
+      protocols, but the GSS-API does not offer this level of message
+      stream integrity service by itself.]
+
+   As the message stream integrity features (especially sequencing) may
+   interfere with certain applications' intended communications
+   paradigms, and since support for such features is likely to be
+   resource intensive, it is highly recommended that mech_types
+   supporting these features allow them to be activated selectively on
+   initiator request when a context is established. A context initiator
+   and target are provided with corresponding indicators
+   (replay_det_state and sequence_state), signifying whether these
+   features are active on a given context.
+
+   An example mech_type supporting per-message replay detection could
+   (when replay_det_state is TRUE) implement the feature as follows: The
+   underlying mechanism would insert timestamps in data elements output
+   by GSS_Sign() and GSS_Seal(), and would maintain (within a time-
+   limited window) a cache (qualified by originator-recipient pair)
+   identifying received data elements processed by GSS_Verify() and
+
+
+
+Linn                                                           [Page 14]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   GSS_Unseal(). When this feature is active, exception status returns
+   (GSS_DUPLICATE_TOKEN, GSS_ OLD_TOKEN) will be provided when
+   GSS_Verify() or GSS_Unseal() is presented with a message which is
+   either a detected duplicate of a prior message or which is too old to
+   validate against a cache of recently received messages.
+
+1.2.4.  Quality of Protection
+
+   Some mech_types will provide their users with fine granularity
+   control over the means used to provide per-message protection,
+   allowing callers to trade off security processing overhead
+   dynamically against the protection requirements of particular
+   messages. A per-message quality-of-protection parameter (analogous to
+   quality-of-service, or QOS) selects among different QOP options
+   supported by that mechanism. On context establishment for a multi-QOP
+   mech_type, context-level data provides the prerequisite data for a
+   range of protection qualities.
+
+   It is expected that the majority of callers will not wish to exert
+   explicit mechanism-specific QOP control and will therefore request
+   selection of a default QOP. Definitions of, and choices among, non-
+   default QOP values are mechanism-specific, and no ordered sequences
+   of QOP values can be assumed equivalent across different mechanisms.
+   Meaningful use of non-default QOP values demands that callers be
+   familiar with the QOP definitions of an underlying mechanism or
+   mechanisms, and is therefore a non-portable construct.
+
+2.  Interface Descriptions
+
+   This section describes the GSS-API's service interface, dividing the
+   set of calls offered into four groups. Credential management calls
+   are related to the acquisition and release of credentials by
+   principals. Context-level calls are related to the management of
+   security contexts between principals. Per-message calls are related
+   to the protection of individual messages on established security
+   contexts. Support calls provide ancillary functions useful to GSS-API
+   callers. Table 2 groups and summarizes the calls in tabular fashion.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                                                           [Page 15]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      Table 2:  GSS-API Calls
+
+      CREDENTIAL MANAGEMENT
+
+      GSS_Acquire_cred             acquire credentials for use
+      GSS_Release_cred             release credentials after use
+      GSS_Inquire_cred             display information about
+                                   credentials
+
+      CONTEXT-LEVEL CALLS
+
+      GSS_Init_sec_context         initiate outbound security context
+      GSS_Accept_sec_context       accept inbound security context
+      GSS_Delete_sec_context       flush context when no longer needed
+      GSS_Process_context_token    process received control token on
+                                   context
+      GSS_Context_time             indicate validity time remaining on
+                                   context
+
+      PER-MESSAGE CALLS
+
+      GSS_Sign                     apply signature, receive as token
+                                   separate from message
+      GSS_Verify                   validate signature token along with
+                                   message
+      GSS_Seal                     sign, optionally encrypt,
+                                   encapsulate
+      GSS_Unseal                   decapsulate, decrypt if needed,
+                                   validate signature
+
+      SUPPORT CALLS
+
+      GSS_Display_status           translate status codes to printable
+                                   form
+      GSS_Indicate_mechs           indicate mech_types supported on
+                                   local system
+      GSS_Compare_name             compare two names for equality
+      GSS_Display_name             translate name to printable form
+      GSS_Import_name              convert printable name to
+                                   normalized form
+      GSS_Release_name             free storage of normalized-form
+                                   name
+      GSS_Release_buffer           free storage of printable name
+      GSS_Release_oid_set          free storage of OID set object
+
+
+
+
+
+
+
+Linn                                                           [Page 16]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+2.1.  Credential management calls
+
+   These GSS-API calls provide functions related to the management of
+   credentials. Their characterization with regard to whether or not
+   they may block pending exchanges with other network entities (e.g.,
+   directories or authentication servers) depends in part on OS-specific
+   (extra-GSS-API) issues, so is not specified in this document.
+
+   The GSS_Acquire_cred()  call is defined within the GSS-API in support
+   of application portability, with a particular orientation towards
+   support of portable server applications. It is recognized that (for
+   certain systems and mechanisms) credentials for interactive users may
+   be managed differently from credentials for server processes; in such
+   environments, it is the GSS-API implementation's responsibility to
+   distinguish these cases and the procedures for making this
+   distinction are a local matter. The GSS_Release_cred()  call provides
+   a means for callers to indicate to the GSS-API that use of a
+   credentials structure is no longer required. The GSS_Inquire_cred()
+   call allows callers to determine information about a credentials
+   structure.
+
+2.1.1.  GSS_Acquire_cred call
+
+   Inputs:
+
+   o  desired_name INTERNAL NAME, -NULL requests locally-determined
+      default
+
+   o  lifetime_req INTEGER,-in seconds; 0 requests default
+
+   o  desired_mechs SET OF OBJECT IDENTIFIER,-empty set requests
+      system-selected default
+
+   o  cred_usage INTEGER-0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+      2=ACCEPT-ONLY
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_cred_handle OCTET STRING,
+
+   o  actual_mechs SET OF OBJECT IDENTIFIER,
+
+   o  lifetime_rec INTEGER -in seconds, or reserved value for
+      INDEFINITE
+
+
+
+Linn                                                           [Page 17]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that requested credentials were
+      successfully established, for the duration indicated in
+      lifetime_rec, suitable for the usage requested in cred_usage, for
+      the set of mech_types indicated in actual_mechs, and that those
+      credentials can be referenced for subsequent use with the handle
+      returned in output_cred_handle.
+
+   o  GSS_BAD_MECH indicates that a mech_type unsupported by the GSS-API
+      implementation type was requested, causing the credential
+      establishment operation to fail.
+
+   o  GSS_BAD_NAMETYPE indicates that the provided desired_name is
+      uninterpretable or of a type unsupported by the supporting GSS-API
+      implementation, so no credentials could be established for the
+      accompanying desired_name.
+
+   o  GSS_BAD_NAME indicates that the provided desired_name is
+      inconsistent in terms of internally-incorporated type specifier
+      information, so no credentials could be established for the
+      accompanying desired_name.
+
+   o  GSS_FAILURE indicates that credential establishment failed for
+      reasons unspecified at the GSS-API level, including lack of
+      authorization to establish and use credentials associated with the
+      identity named in the input desired_name argument.
+
+   GSS_Acquire_cred()  is used to acquire credentials so that a
+   principal can (as a function of the input cred_usage parameter)
+   initiate and/or accept security contexts under the identity
+   represented by the desired_name input argument. On successful
+   completion, the returned output_cred_handle result provides a handle
+   for subsequent references to the acquired credentials.  Typically,
+   single-user client processes using only default credentials for
+   context establishment purposes will have no need to invoke this call.
+
+   A caller may provide the value NULL for desired_name, signifying a
+   request for credentials corresponding to a default principal
+   identity.  The procedures used by GSS-API implementations to select
+   the appropriate principal identity in response to this form of
+   request are local matters. It is possible that multiple pre-
+   established credentials may exist for the same principal identity
+   (for example, as a result of multiple user login sessions) when
+   GSS_Acquire_cred() is called; the means used in such cases to select
+   a specific credential are local matters.  The input lifetime_req
+   argument to GSS_Acquire_cred() may provide useful information for
+   local GSS-API implementations to employ in making this disambiguation
+
+
+
+Linn                                                           [Page 18]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   in a manner which will best satisfy a caller's intent.
+
+   The lifetime_rec result indicates the length of time for which the
+   acquired credentials will be valid, as an offset from the present. A
+   mechanism may return a reserved value indicating INDEFINITE if no
+   constraints on credential lifetime are imposed.  A caller of
+   GSS_Acquire_cred()  can request a length of time for which acquired
+   credentials are to be valid (lifetime_req argument), beginning at the
+   present, or can request credentials with a default validity interval.
+   (Requests for postdated credentials are not supported within the
+   GSS-API.) Certain mechanisms and implementations may bind in
+   credential validity period specifiers at a point preliminary to
+   invocation of the GSS_Acquire_cred() call (e.g., in conjunction with
+   user login procedures). As a result, callers requesting non-default
+   values for lifetime_req must recognize that such requests cannot
+   always be honored and must be prepared to accommodate the use of
+   returned credentials with different lifetimes as indicated in
+   lifetime_rec.
+
+   The caller of GSS_Acquire_cred() can explicitly specify a set of
+   mech_types which are to be accommodated in the returned credentials
+   (desired_mechs argument), or can request credentials for a system-
+   defined default set of mech_types. Selection of the system-specified
+   default set is recommended in the interests of application
+   portability. The actual_mechs return value may be interrogated by the
+   caller to determine the set of mechanisms with which the returned
+   credentials may be used.
+
+2.1.2.  GSS_Release_cred call
+
+   Input:
+
+   o  cred_handle OCTET STRING-NULL specifies default credentials
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the credentials referenced by the
+      input cred_handle were released for purposes of subsequent access
+      by the caller. The effect on other processes which may be
+      authorized shared access to such credentials is a local matter.
+
+
+
+
+
+Linn                                                           [Page 19]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_NO_CRED indicates that no release operation was performed,
+      either because the input cred_handle was invalid or because the
+      caller lacks authorization to access the referenced credentials.
+
+   o  GSS_FAILURE indicates that the release operation failed for
+      reasons unspecified at the GSS-API level.
+
+   Provides a means for a caller to explicitly request that credentials
+   be released when their use is no longer required. Note that system-
+   specific credential management functions are also likely to exist,
+   for example to assure that credentials shared among processes are
+   properly deleted when all affected processes terminate, even if no
+   explicit release requests are issued by those processes.  Given the
+   fact that multiple callers are not precluded from gaining authorized
+   access to the same credentials, invocation of GSS_Release_cred()
+   cannot be assumed to delete a particular set of credentials on a
+   system-wide basis.
+
+2.1.3.  GSS_Inquire_cred call
+
+      Input:
+
+      o  cred_handle OCTET STRING -NULL specifies default credentials
+
+      Outputs:
+
+      o  major_status INTEGER,
+
+      o  minor_status INTEGER,
+
+      o  cred_name INTERNAL NAME,
+
+      o  lifetime_rec INTEGER -in seconds, or reserved value for
+         INDEFINITE
+
+      o  cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+         2=ACCEPT-ONLY
+
+      o  mech_set SET OF OBJECT IDENTIFIER
+
+      Return major_status codes:
+
+      o  GSS_COMPLETE indicates that the credentials referenced by the
+         input cred_handle argument were valid, and that the output
+         cred_name, lifetime_rec, and cred_usage values represent,
+         respectively, the credentials' associated principal name,
+         remaining lifetime, suitable usage modes, and supported
+         mechanism types.
+
+
+
+Linn                                                           [Page 20]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      o  GSS_NO_CRED indicates that no information could be returned
+         about the referenced credentials, either because the input
+         cred_handle was invalid or because the caller lacks
+         authorization to access the referenced credentials.
+
+      o  GSS_FAILURE indicates that the release operation failed for
+         reasons unspecified at the GSS-API level.
+
+   The GSS_Inquire_cred()  call is defined primarily for the use of
+   those callers which make use of default credentials rather than
+   acquiring credentials explicitly with GSS_Acquire_cred().  It enables
+   callers to determine a credential structure's associated principal
+   name, remaining validity period, usability for security context
+   initiation and/or acceptance, and supported mechanisms.
+
+2.2.  Context-level calls
+
+   This group of calls is devoted to the establishment and management of
+   security contexts between peers. A context's initiator calls
+   GSS_Init_sec_context(),  resulting in generation of a token which the
+   caller passes to the target. At the target, that token is passed to
+   GSS_Accept_sec_context().  Depending on the underlying mech_type and
+   specified options, additional token exchanges may be performed in the
+   course of context establishment; such exchanges are accommodated by
+   GSS_CONTINUE_NEEDED status returns from GSS_Init_sec_context()  and
+   GSS_Accept_sec_context().  Either party to an established context may
+   invoke GSS_Delete_sec_context()  to flush context information when a
+   context is no longer required. GSS_Process_context_token()  is used
+   to process received tokens carrying context-level control
+   information. GSS_Context_time()  allows a caller to determine the
+   length of time for which an established context will remain valid.
+
+2.2.1.  GSS_Init_sec_context call
+
+   Inputs:
+
+   o  claimant_cred_handle OCTET STRING, -NULL specifies "use
+      default"
+
+   o  input_context_handle INTEGER, -0 specifies "none assigned
+      yet"
+
+   o  targ_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER, -NULL parameter specifies "use
+      default"
+
+   o  deleg_req_flag BOOLEAN,
+
+
+
+Linn                                                           [Page 21]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  mutual_req_flag BOOLEAN,
+
+   o  replay_det_req_flag BOOLEAN,
+
+   o  sequence_req_flag BOOLEAN,
+
+   o  lifetime_req INTEGER,-0 specifies default lifetime
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING-NULL or token received from target
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_context_handle INTEGER,
+
+   o  mech_type OBJECT IDENTIFIER, -actual mechanism always
+      indicated, never NULL
+
+   o  output_token OCTET STRING, -NULL or token to pass to context
+      target
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  lifetime_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   This call may block pending network interactions for those mech_types
+   in which an authentication server or other network entity must be
+   consulted on behalf of a context initiator in order to generate an
+   output_token suitable for presentation to a specified target.
+
+   Return major_status codes:
+
+
+
+
+Linn                                                           [Page 22]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_COMPLETE indicates that context-level information was
+      successfully initialized, and that the returned output_token will
+      provide sufficient information for the target to perform per-
+      message processing on the newly-established context.
+
+   o  GSS_CONTINUE_NEEDED indicates that control information in the
+      returned output_token must be sent to the target, and that a reply
+      must be received and passed as the input_token argument to a
+      continuation call to GSS_Init_sec_context(),  before per-message
+      processing can be performed in conjunction with this context.
+
+   o  GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
+      the input_token failed, preventing further processing from being
+      performed based on that token.
+
+   o  GSS_DEFECTIVE_CREDENTIAL indicates that consistency checks
+      performed on the credential structure referenced by
+      claimant_cred_handle failed, preventing further processing from
+      being performed using that credential structure.
+
+   o  GSS_BAD_SIG indicates that the received input_token contains an
+      incorrect signature, so context setup cannot be accomplished.
+
+   o  GSS_NO_CRED indicates that no context was established, either
+      because the input cred_handle was invalid, because the referenced
+      credentials are valid for context acceptor use only, or because
+      the caller lacks authorization to access the referenced
+      credentials.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the credentials provided
+      through the input claimant_cred_handle argument are no longer
+      valid, so context establishment cannot be completed.
+
+   o  GSS_BAD_BINDINGS indicates that a mismatch between the caller-
+      provided chan_bindings and those extracted from the input_token
+      was detected, signifying a security-relevant event and preventing
+      context establishment. (This result will be returned by
+      GSS_Init_sec_context only for contexts where mutual_state is
+      TRUE.)
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided; this major status will be
+      returned only for successor calls following GSS_CONTINUE_NEEDED
+      status returns.
+
+   o  GSS_BAD_NAMETYPE indicates that the provided targ_name is of a
+      type uninterpretable or unsupported by the supporting GSS-API
+      implementation, so context establishment cannot be completed.
+
+
+
+Linn                                                           [Page 23]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_BAD_NAME indicates that the provided targ_name is inconsistent
+      in terms of internally-incorporated type specifier information, so
+      context establishment cannot be accomplished.
+
+   o  GSS_FAILURE indicates that context setup could not be accomplished
+      for reasons unspecified at the GSS-API level, and that no
+      interface-defined recovery action is available.
+
+   This routine is used by a context initiator, and ordinarily emits one
+   (or, for the case of a multi-step exchange, more than one)
+   output_token suitable for use by the target within the selected
+   mech_type's protocol. Using information in the credentials structure
+   referenced by claimant_cred_handle, GSS_Init_sec_context()
+   initializes the data structures required to establish a security
+   context with target targ_name. The claimant_cred_handle must
+   correspond to the same valid credentials structure on the initial
+   call to GSS_Init_sec_context()  and on any successor calls resulting
+   from GSS_CONTINUE_NEEDED status returns; different protocol sequences
+   modeled by the GSS_CONTINUE_NEEDED mechanism will require access to
+   credentials at different points in the context establishment
+   sequence.
+
+   The input_context_handle argument is 0, specifying "not yet
+   assigned", on the first GSS_Init_sec_context()  call relating to a
+   given context. That call returns an output_context_handle for future
+   references to this context. When continuation attempts to
+   GSS_Init_sec_context()  are needed to perform context establishment,
+   the previously-returned non-zero handle value is entered into the
+   input_context_handle argument and will be echoed in the returned
+   output_context_handle argument. On such continuation attempts (and
+   only on continuation attempts) the input_token value is used, to
+   provide the token returned from the context's target.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The input_token argument contains a message received from the target,
+   and is significant only on a call to GSS_Init_sec_context() which
+   follows a previous return indicating GSS_CONTINUE_NEEDED
+   major_status.
+
+   It is the caller's responsibility to establish a communications path
+   to the target, and to transmit any returned output_token (independent
+   of the accompanying returned major_status value) to the target over
+   that path. The output_token can, however, be transmitted along with
+
+
+
+Linn                                                           [Page 24]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   the first application-provided input message to be processed by
+   GSS_Sign() or GSS_Seal() in conjunction with a successfully-
+   established context.
+
+   The initiator may request various context-level functions through
+   input flags: the deleg_req_flag requests delegation of access rights,
+   the mutual_req_flag requests mutual authentication, the
+   replay_det_req_flag requests that replay detection features be
+   applied to messages transferred on the established context, and the
+   sequence_req_flag requests that sequencing be enforced. (See Section
+   1.2.3 for more information on replay detection and sequencing
+   features.)
+
+   Not all of the optionally-requestable features will be available in
+   all underlying mech_types; the corresponding return state values
+   (deleg_state, mutual_state, replay_det_state, sequence_state)
+   indicate, as a function of mech_type processing capabilities and
+   initiator-provided input flags, the set of features which will be
+   active on the context. These state indicators' values are undefined
+   unless the routine's major_status indicates COMPLETE. Failure to
+   provide the precise set of features requested by the caller does not
+   cause context establishment to fail; it is the caller's prerogative
+   to delete the context if the feature set provided is unsuitable for
+   the caller's use.  The returned mech_type value indicates the
+   specific mechanism employed on the context, and will never indicate
+   the value for "default".
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+   input to GSS_Seal() can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_Sign() or GSS_Seal()) on
+   the established context.
+
+   The lifetime_req input specifies a desired upper bound for the
+   lifetime of the context to be established, with a value of 0 used to
+   request a default lifetime. The lifetime_rec return value indicates
+   the length of time for which the context will be valid, expressed as
+   an offset from the present; depending on mechanism capabilities,
+   credential lifetimes, and local policy, it may not correspond to the
+   value requested in lifetime_req.  If no constraints on context
+   lifetime are imposed, this may be indicated by returning a reserved
+   value representing INDEFINITE lifetime_req. The values of conf_avail,
+   integ_avail, and lifetime_rec are undefined unless the routine's
+   major_status indicates COMPLETE.
+
+   If the mutual_state is TRUE, this fact will be reflected within the
+
+
+
+Linn                                                           [Page 25]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   output_token. A call to GSS_Accept_sec_context() at the target in
+   conjunction with such a context will return a token, to be processed
+   by a continuation call to GSS_Init_sec_context(), in order to achieve
+   mutual authentication.
+
+2.2.2.  GSS_Accept_sec_context call
+
+   Inputs:
+
+   o  acceptor_cred_handle OCTET STRING,-NULL specifies "use
+      default"
+
+   o  input_context_handle INTEGER, -0 specifies "not yet assigned"
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  src_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER,
+
+   o  output_context_handle INTEGER,
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  lifetime_rec INTEGER, - in seconds, or reserved value for
+      INDEFINITE
+
+   o  delegated_cred_handle OCTET STRING,
+
+   o  output_token OCTET STRING -NULL or token to pass to context
+
+
+
+Linn                                                           [Page 26]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      initiator
+
+   This call may block pending network interactions for those mech_types
+   in which a directory service or other network entity must be
+   consulted on behalf of a context acceptor in order to validate a
+   received input_token.
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that context-level data structures were
+      successfully initialized, and that per-message processing can now
+      be performed in conjunction with this context.
+
+   o  GSS_CONTINUE_NEEDED indicates that control information in the
+      returned output_token must be sent to the initiator, and that a
+      response must be received and passed as the input_token argument
+      to a continuation call to GSS_Accept_sec_context(), before per-
+      message processing can be performed in conjunction with this
+      context.
+
+   o  GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
+      the input_token failed, preventing further processing from being
+      performed based on that token.
+
+   o  GSS_DEFECTIVE_CREDENTIAL indicates that consistency checks
+      performed on the credential structure referenced by
+      acceptor_cred_handle failed, preventing further processing from
+      being performed using that credential structure.
+
+   o  GSS_BAD_SIG indicates that the received input_token contains an
+      incorrect signature, so context setup cannot be accomplished.
+
+   o  GSS_DUPLICATE_TOKEN indicates that the signature on the received
+      input_token was correct, but that the input_token was recognized
+      as a duplicate of an input_token already processed. No new context
+      is established.
+
+   o  GSS_OLD_TOKEN indicates that the signature on the received
+      input_token was correct, but that the input_token is too old to be
+      checked for duplication against previously-processed input_tokens.
+      No new context is established.
+
+   o  GSS_NO_CRED indicates that no context was established, either
+      because the input cred_handle was invalid, because the referenced
+      credentials are valid for context initiator use only, or because
+      the caller lacks authorization to access the referenced
+      credentials.
+
+
+
+
+Linn                                                           [Page 27]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the credentials provided
+      through the input acceptor_cred_handle argument are no longer
+      valid, so context establishment cannot be completed.
+
+   o  GSS_BAD_BINDINGS indicates that a mismatch between the caller-
+      provided chan_bindings and those extracted from the input_token
+      was detected, signifying a security-relevant event and preventing
+      context establishment.
+
+   o GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided; this major status will be
+      returned only for successor calls following GSS_CONTINUE_NEEDED
+      status returns.
+
+   o  GSS_FAILURE indicates that context setup could not be accomplished
+      for reasons unspecified at the GSS-API level, and that no
+      interface-defined recovery action is available.
+
+   The GSS_Accept_sec_context()  routine is used by a context target.
+   Using information in the credentials structure referenced by the
+   input acceptor_cred_handle, it verifies the incoming input_token and
+   (following the successful completion of a context establishment
+   sequence) returns the authenticated src_name and the mech_type used.
+   The acceptor_cred_handle must correspond to the same valid
+   credentials structure on the initial call to GSS_Accept_sec_context()
+   and on any successor calls resulting from GSS_CONTINUE_NEEDED status
+   returns; different protocol sequences modeled by the
+   GSS_CONTINUE_NEEDED mechanism will require access to credentials at
+   different points in the context establishment sequence.
+
+   The input_context_handle argument is 0, specifying "not yet
+   assigned", on the first GSS_Accept_sec_context()  call relating to a
+   given context. That call returns an output_context_handle for future
+   references to this context; when continuation attempts to
+   GSS_Accept_sec_context()  are needed to perform context
+   establishment, that handle value will be entered into the
+   input_context_handle argument.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The returned state results (deleg_state, mutual_state,
+   replay_det_state, and sequence_state) reflect the same context state
+   values as returned to GSS_Init_sec_context()'s  caller at the
+   initiator system.
+
+
+
+Linn                                                           [Page 28]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+   input to GSS_Seal()  can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_Sign()  or GSS_Seal())  on
+   the established context.
+
+   The lifetime_rec return value indicates the length of time for which
+   the context will be valid, expressed as an offset from the present.
+   The values of deleg_state, mutual_state, replay_det_state,
+   sequence_state, conf_avail, integ_avail, and lifetime_rec are
+   undefined unless the accompanying major_status indicates COMPLETE.
+
+   The delegated_cred_handle result is significant only when deleg_state
+   is TRUE, and provides a means for the target to reference the
+   delegated credentials. The output_token result, when non-NULL,
+   provides a context-level token to be returned to the context
+   initiator to continue a multi-step context establishment sequence. As
+   noted with GSS_Init_sec_context(),  any returned token should be
+   transferred to the context's peer (in this case, the context
+   initiator), independent of the value of the accompanying returned
+   major_status.
+
+   Note: A target must be able to distinguish a context-level
+   input_token, which is passed to GSS_Accept_sec_context(),  from the
+   per-message data elements passed to GSS_Verify()  or GSS_Unseal().
+   These data elements may arrive in a single application message, and
+   GSS_Accept_sec_context()  must be performed before per-message
+   processing can be performed successfully.
+
+2.2.3. GSS_Delete_sec_context call
+
+   Input:
+
+   o  context_handle INTEGER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_context_token OCTET STRING
+
+   Return major_status codes:
+
+
+
+
+
+Linn                                                           [Page 29]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_COMPLETE indicates that the context was recognized, that
+      relevant context-specific information was flushed, and that the
+      returned output_context_token is ready for transfer to the
+      context's peer.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provide, so no deletion was performed.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      GSS_Delete_sec_context()  operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+   This call may block pending network interactions for mech_types in
+   which active notification must be made to a central server when a
+   security context is to be deleted.
+
+   This call can be made by either peer in a security context, to flush
+   context-specific information and to return an output_context_token
+   which can be passed to the context's peer informing it that the
+   peer's corresponding context information can also be flushed. (Once a
+   context is established, the peers involved are expected to retain
+   cached credential and context-related information until the
+   information's expiration time is reached or until a
+   GSS_Delete_sec_context() call is made.) Attempts to perform per-
+   message processing on a deleted context will result in error returns.
+
+2.2.4.  GSS_Process_context_token call
+
+   Inputs:
+
+   o  context_handle INTEGER,
+
+   o  input_context_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the input_context_token was
+      successfully processed in conjunction with the context referenced
+      by context_handle.
+
+   o  GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
+      the received context_token failed, preventing further processing
+
+
+
+Linn                                                           [Page 30]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      from being performed with that token.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      GSS_Process_context_token()  operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+   This call is used to process context_tokens received from a peer once
+   a context has been established, with corresponding impact on
+   context-level state information. One use for this facility is
+   processing of the context_tokens generated by
+   GSS_Delete_sec_context();  GSS_Process_context_token() will not block
+   pending network interactions for that purpose. Another use is to
+   process tokens indicating remote-peer context establishment failures
+   after the point where the local GSS-API implementation has already
+   indicated GSS_COMPLETE status.
+
+2.2.5.  GSS_Context_time call
+
+   Input:
+
+   o  context_handle INTEGER,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  lifetime_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the referenced context is valid, and
+      will remain valid for the amount of time indicated in
+      lifetime_rec.
+
+   o  GSS_CONTEXT_EXPIRED indicates that data items related to the
+      referenced context have expired.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+
+
+Linn                                                           [Page 31]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_FAILURE indicates that the requested operation failed for
+      reasons unspecified at the GSS-API level.
+
+   This call is used to determine the amount of time for which a
+   currently established context will remain valid.
+
+2.3.  Per-message calls
+
+   This group of calls is used to perform per-message protection
+   processing on an established security context. None of these calls
+   block pending network interactions. These calls may be invoked by a
+   context's initiator or by the context's target.  The four members of
+   this group should be considered as two pairs; the output from
+   GSS_Sign()  is properly input to GSS_Verify(),  and the output from
+   GSS_Seal() is properly input to GSS_Unseal().
+
+   GSS_Sign()  and GSS_Verify() support data origin authentication and
+   data integrity services. When GSS_Sign()  is invoked on an input
+   message, it yields a per-message token containing data items which
+   allow underlying mechanisms to provide the specified security
+   services. The original message, along with the generated per-message
+   token, is passed to the remote peer; these two data elements are
+   processed by GSS_Verify(),  which validates the message in
+   conjunction with the separate token.
+
+   GSS_Seal()  and GSS_Unseal() support caller-requested confidentiality
+   in addition to the data origin authentication and data integrity
+   services offered by GSS_Sign()  and GSS_Verify(). GSS_Seal()  outputs
+   a single data element, encapsulating optionally enciphered user data
+   as well as associated token data items.  The data element output from
+   GSS_Seal()  is passed to the remote peer and processed by
+   GSS_Unseal()  at that system. GSS_Unseal() combines decipherment (as
+   required) with validation of data items related to authentication and
+   integrity.
+
+2.3.1.  GSS_Sign call
+
+   Inputs:
+
+   o  context_handle INTEGER,
+
+   o  qop_req INTEGER,-0 specifies default QOP
+
+   o  message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+
+
+Linn                                                           [Page 32]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  minor_status INTEGER,
+
+   o  per_msg_token OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that a signature, suitable for an
+      established security context, was successfully applied and that
+      the message and corresponding per_msg_token are ready for
+      transmission.
+
+   o  GSS_CONTEXT_EXPIRED indicates that context-related data items have
+      expired, so that the requested operation cannot be performed.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired, so that the
+      requested operation cannot be performed.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      requested operation could not be performed for reasons unspecified
+      at the GSS-API level.
+
+   Using the security context referenced by context_handle, apply a
+   signature to the input message (along with timestamps and/or other
+   data included in support of mech_type-specific mechanisms) and return
+   the result in per_msg_token. The qop_req parameter allows quality-
+   of-protection control. The caller passes the message and the
+   per_msg_token to the target.
+
+   The GSS_Sign()  function completes before the message and
+   per_msg_token is sent to the peer; successful application of
+   GSS_Sign()  does not guarantee that a corresponding GSS_Verify() has
+   been (or can necessarily be) performed successfully when the message
+   arrives at the destination.
+
+2.3.2.  GSS_Verify call
+
+   Inputs:
+
+   o  context_handle INTEGER,
+
+   o  message OCTET STRING,
+
+   o  per_msg_token OCTET STRING
+
+
+
+
+Linn                                                           [Page 33]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   Outputs:
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the message was successfully verified.
+
+   o  GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
+      the received per_msg_token failed, preventing further processing
+      from being performed with that token.
+
+   o  GSS_BAD_SIG indicates that the received per_msg_token contains an
+      incorrect signature for the message.
+
+   o  GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN values
+      appear in conjunction with the optional per-message replay
+      detection features described in Section 1.2.3; their semantics are
+      described in that section.
+
+   o  GSS_CONTEXT_EXPIRED indicates that context-related data items have
+      expired, so that the requested operation cannot be performed.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired, so that the
+      requested operation cannot be performed.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      GSS_Verify()  operation could not be performed for reasons
+      unspecified at the GSS-API level.
+
+   Using the security context referenced by context_handle, verify that
+   the input per_msg_token contains an appropriate signature for the
+   input message, and apply any active replay detection or sequencing
+   features. Return an indication of the quality-of-protection applied
+   to the processed message in the qop_state result.
+
+
+
+
+
+
+
+
+Linn                                                           [Page 34]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+2.3.3. GSS_Seal call
+
+   Inputs:
+
+   o  context_handle INTEGER,
+
+   o  conf_req_flag BOOLEAN,
+
+   o  qop_req INTEGER,-0 specifies default QOP
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  conf_state BOOLEAN,
+
+   o  output_message OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the input_message was successfully
+      processed and that the output_message is ready for transmission.
+
+   o  GSS_CONTEXT_EXPIRED indicates that context-related data items have
+      expired, so that the requested operation cannot be performed.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired, so that the
+      requested operation cannot be performed.
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      GSS_Seal()  operation could not be performed for reasons
+      unspecified at the GSS-API level.
+
+   Performs the data origin authentication and data integrity functions
+   of GSS_Sign().  If the input conf_req_flag is TRUE, requests that
+   confidentiality be applied to the input_message.  Confidentiality may
+   not be supported in all mech_types or by all implementations; the
+   returned conf_state flag indicates whether confidentiality was
+   provided for the input_message. The qop_req parameter allows
+   quality-of-protection control.
+
+
+
+Linn                                                           [Page 35]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   In all cases, the GSS_Seal()  call yields a single output_message
+   data element containing (optionally enciphered) user data as well as
+   control information.
+
+2.3.4. GSS_Unseal call
+
+   Inputs:
+
+   o  context_handle INTEGER,
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  conf_state BOOLEAN,
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_message OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the input_message was successfully
+      processed and that the resulting output_message is available.
+
+   o  GSS_DEFECTIVE_TOKEN indicates that consistency checks performed on
+      the per_msg_token extracted from the input_message failed,
+      preventing further processing from being performed.
+
+   o  GSS_BAD_SIG indicates that an incorrect signature was detected for
+      the message.
+
+   o  GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN values
+      appear in conjunction with the optional per-message replay
+      detection features described in Section 1.2.3; their semantics are
+      described in that section.
+
+   o  GSS_CONTEXT_EXPIRED indicates that context-related data items have
+      expired, so that the requested operation cannot be performed.
+
+   o  GSS_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired, so that the
+      requested operation cannot be performed.
+
+
+
+
+Linn                                                           [Page 36]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_NO_CONTEXT indicates that no valid context was recognized for
+      the input context_handle provided.
+
+   o  GSS_FAILURE indicates that the context is recognized, but that the
+      GSS_Unseal()  operation could not be performed for reasons
+      unspecified at the GSS-API level.
+
+   Processes a data element generated (and optionally enciphered) by
+   GSS_Seal(),  provided as input_message. The returned conf_state value
+   indicates whether confidentiality was applied to the input_message.
+   If conf_state is TRUE, GSS_Unseal()  deciphers the input_message.
+   Returns an indication of the quality-of-protection applied to the
+   processed message in the qop_state result. GSS_Seal()  performs the
+   data integrity and data origin authentication checking functions of
+   GSS_Verify()  on the plaintext data. Plaintext data is returned in
+   output_message.
+
+2.4.  Support calls
+
+   This group of calls provides support functions useful to GSS-API
+   callers, independent of the state of established contexts. Their
+   characterization with regard to blocking or non-blocking status in
+   terms of network interactions is unspecified.
+
+2.4.1.  GSS_Display_status call
+
+   Inputs:
+
+   o  status_value INTEGER,-GSS-API major_status or minor_status
+      return value
+
+   o  status_type INTEGER,-1 if major_status, 2 if minor_status
+
+   o  mech_type OBJECT IDENTIFIER-mech_type to be used for minor_
+      status translation
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  status_string_set SET OF OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that a valid printable status
+      representation (possibly representing more than one status event
+
+
+
+Linn                                                           [Page 37]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+      encoded within the status_value) is available in the returned
+      status_string_set.
+
+   o  GSS_BAD_MECH indicates that translation in accordance with an
+      unsupported mech_type was requested, so translation could not be
+      performed.
+
+   o  GSS_BAD_STATUS indicates that the input status_value was invalid,
+      or that the input status_type carried a value other than 1 or 2,
+      so translation could not be performed.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Provides a means for callers to translate GSS-API-returned major and
+   minor status codes into printable string representations.
+
+2.4.2.  GSS_Indicate_mechs call
+
+   Input:
+
+   o  (none)
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  mech_set SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that a set of available mechanisms has
+      been returned in mech_set.
+
+   o  GSS_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to determine the set of mechanism types available on
+   the local system. This call is intended for support of specialized
+   callers who need to request non-default mech_type sets from
+   GSS_Acquire_cred(),  and should not be needed by other callers.
+
+2.4.3.  GSS_Compare_name call
+
+   Inputs:
+
+
+
+
+Linn                                                           [Page 38]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  name1 INTERNAL NAME,
+
+   o  name2 INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_equal BOOLEAN
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that name1 and name2 were comparable, and
+      that the name_equal result indicates whether name1 and name2 were
+      equal or unequal.
+
+   o  GSS_BAD_NAMETYPE indicates that one or both of name1 and name2
+      contained internal type specifiers uninterpretable by the
+      supporting GSS-API implementation, or that the two names' types
+      are different and incomparable, so the equality comparison could
+      not be completed.
+
+   o  GSS_BAD_NAME indicates that one or both of the input names was
+      ill-formed in terms of its internal type specifier, so the
+      equality comparison could not be completed.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to compare two internal name representations for
+   equality.
+
+2.4.4.  GSS_Display_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_string OCTET STRING,
+
+
+
+
+Linn                                                           [Page 39]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  name_type OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that a valid printable name representation
+      is available in the returned name_string.
+
+   o  GSS_BAD_NAMETYPE indicates that the provided name was of a type
+      uninterpretable by the supporting GSS-API implementation, so no
+      printable representation could be generated.
+
+   o  GSS_BAD_NAME indicates that the contents of the provided name were
+      inconsistent with the internally-indicated name type, so no
+      printable representation could be generated.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to translate an internal name representation into a
+   printable form with associated namespace type descriptor. The syntax
+   of the printable form is a local matter.
+
+2.4.5.  GSS_Import_name call
+
+   Inputs:
+
+   o  input_name_string OCTET STRING,
+
+   o  input_name_type OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_name INTERNAL NAME
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that a valid name representation is output
+      in output_name and described by the type value in
+      output_name_type.
+
+   o  GSS_BAD_NAMETYPE indicates that the input_name_type is unsupported
+      by the GSS-API implementation, so the import operation could not
+      be completed.
+
+
+
+
+Linn                                                           [Page 40]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  GSS_BAD_NAME indicates that the provided input_name_string is
+      ill-formed in terms of the input_name_type, so the import
+      operation could not be completed.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to provide a printable name representation, designate
+   the type of namespace in conjunction with which it should be parsed,
+   and convert that printable representation to an internal form
+   suitable for input to other GSS-API routines.  The syntax of the
+   input_name is a local matter.
+
+2.4.6. GSS_Release_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the storage associated with the input
+      name was successfully released.
+
+   o  GSS_BAD_NAME indicates that the input name argument did not
+      contain a valid name.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an internal
+   name representation.
+
+2.4.7. GSS_Release_buffer call
+
+   Inputs:
+
+   o  buffer OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+
+
+Linn                                                           [Page 41]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the storage associated with the input
+      buffer was successfully released.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an OCTET STRING
+   buffer allocated by another GSS-API call.
+
+2.4.8. GSS_Release_oid_set call
+
+   Inputs:
+
+   o  buffer SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_COMPLETE indicates that the storage associated with the input
+      object identifier set was successfully released.
+
+   o  GSS_FAILURE indicates that the requested operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an object
+   identifier set object allocated by another GSS-API call.
+
+3.  Mechanism-Specific Example Scenarios
+
+   This section provides illustrative overviews of the use of various
+   candidate mechanism types to support the GSS-API. These discussions
+   are intended primarily for readers familiar with specific security
+   technologies, demonstrating how GSS-API functions can be used and
+   implemented by candidate underlying mechanisms. They should not be
+   regarded as constrictive to implementations or as defining the only
+   means through which GSS-API functions can be realized with a
+   particular underlying technology, and do not demonstrate all GSS-API
+   features with each technology.
+
+
+
+
+Linn                                                           [Page 42]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+3.1. Kerberos V5, single-TGT
+
+   OS-specific login functions yield a TGT to the local realm Kerberos
+   server; TGT is placed in a credentials structure for the client.
+   Client calls GSS_Acquire_cred()  to acquire a cred_handle in order to
+   reference the credentials for use in establishing security contexts.
+
+   Client calls GSS_Init_sec_context().  If the requested service is
+   located in a different realm, GSS_Init_sec_context()  gets the
+   necessary TGT/key pairs needed to traverse the path from local to
+   target realm; these data are placed in the owner's TGT cache. After
+   any needed remote realm resolution, GSS_Init_sec_context()  yields a
+   service ticket to the requested service with a corresponding session
+   key; these data are stored in conjunction with the context. GSS-API
+   code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP
+   response(s) (in the successful case) or KRB_ERROR.
+
+   Assuming success, GSS_Init_sec_context()  builds a Kerberos-formatted
+   KRB_AP_REQ message, and returns it in output_token.  The client sends
+   the output_token to the service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which verifies the authenticator, provides
+   the service with the client's authenticated name, and returns an
+   output_context_handle.
+
+   Both parties now hold the session key associated with the service
+   ticket, and can use this key in subsequent GSS_Sign(), GSS_Verify(),
+   GSS_Seal(), and GSS_Unseal() operations.
+
+3.2. Kerberos V5, double-TGT
+
+   TGT acquisition as above.
+
+   Note: To avoid unnecessary frequent invocations of error paths when
+   implementing the GSS-API atop Kerberos V5, it seems appropriate to
+   represent "single-TGT K-V5" and "double-TGT K-V5" with separate
+   mech_types, and this discussion makes that assumption.
+
+   Based on the (specified or defaulted) mech_type,
+   GSS_Init_sec_context()  determines that the double-TGT protocol
+   should be employed for the specified target. GSS_Init_sec_context()
+   returns GSS_CONTINUE_NEEDED major_status, and its returned
+   output_token contains a request to the service for the service's TGT.
+   (If a service TGT with suitably long remaining lifetime already
+   exists in a cache, it may be usable, obviating the need for this
+   step.) The client passes the output_token to the service.  Note: this
+   scenario illustrates a different use for the GSS_CONTINUE_NEEDED
+
+
+
+Linn                                                           [Page 43]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   status return facility than for support of mutual authentication;
+   note that both uses can coexist as successive operations within a
+   single context establishment operation.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which recognizes it as a request for TGT.
+   (Note that current Kerberos V5 defines no intra-protocol mechanism to
+   represent such a request.) GSS_Accept_sec_context()  returns
+   GSS_CONTINUE_NEEDED major_status and provides the service's TGT in
+   its output_token. The service sends the output_token to the client.
+
+   The client passes the received token as the input_token argument to a
+   continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches
+   the received service TGT and uses it as part of a service ticket
+   request to the Kerberos authentication server, storing the returned
+   service ticket and session key in conjunction with the context.
+   GSS_Init_sec_context()  builds a Kerberos-formatted authenticator,
+   and returns it in output_token along with GSS_COMPLETE return
+   major_status. The client sends the output_token to the service.
+
+   Service passes the received token as the input_token argument to a
+   continuation call to GSS_Accept_sec_context().
+   GSS_Accept_sec_context()  verifies the authenticator, provides the
+   service with the client's authenticated name, and returns
+   major_status GSS_COMPLETE.
+
+   GSS_Sign(),  GSS_Verify(), GSS_Seal(), and GSS_Unseal()  as above.
+
+3.3.  X.509 Authentication Framework
+
+   This example illustrates use of the GSS-API in conjunction with
+   public-key mechanisms, consistent with the X.509 Directory
+   Authentication Framework.
+
+   The GSS_Acquire_cred()  call establishes a credentials structure,
+   making the client's private key accessible for use on behalf of the
+   client.
+
+   The client calls GSS_Init_sec_context(),  which interrogates the
+   Directory to acquire (and validate) a chain of public-key
+   certificates, thereby collecting the public key of the service.  The
+   certificate validation operation determines that suitable signatures
+   were applied by trusted authorities and that those certificates have
+   not expired. GSS_Init_sec_context()  generates a secret key for use
+   in per-message protection operations on the context, and enciphers
+   that secret key under the service's public key.
+
+   The enciphered secret key, along with an authenticator quantity
+
+
+
+Linn                                                           [Page 44]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   signed with the client's private key, is included in the output_token
+   from GSS_Init_sec_context().  The output_token also carries a
+   certification path, consisting of a certificate chain leading from
+   the service to the client; a variant approach would defer this path
+   resolution to be performed by the service instead of being asserted
+   by the client. The client application sends the output_token to the
+   service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context().  GSS_Accept_sec_context() validates the
+   certification path, and as a result determines a certified binding
+   between the client's distinguished name and the client's public key.
+   Given that public key, GSS_Accept_sec_context() can process the
+   input_token's authenticator quantity and verify that the client's
+   private key was used to sign the input_token. At this point, the
+   client is authenticated to the service. The service uses its private
+   key to decipher the enciphered secret key provided to it for per-
+   message protection operations on the context.
+
+   The client calls GSS_Sign()  or GSS_Seal() on a data message, which
+   causes per-message authentication, integrity, and (optional)
+   confidentiality facilities to be applied to that message. The service
+   uses the context's shared secret key to perform corresponding
+   GSS_Verify()  and GSS_Unseal() calls.
+
+4.  Related Activities
+
+   In order to implement the GSS-API atop existing, emerging, and future
+   security mechanisms:
+
+      object identifiers must be assigned to candidate GSS-API
+      mechanisms and the name types which they support
+
+      concrete data element formats must be defined for candidate
+      mechanisms
+
+   Calling applications must implement formatting conventions which will
+   enable them to distinguish GSS-API tokens from other data carried in
+   their application protocols.
+
+   Concrete language bindings are required for the programming
+   environments in which the GSS-API is to be employed; such bindings
+   for the C language are available in an associated RFC.
+
+
+
+
+
+
+
+
+Linn                                                           [Page 45]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+5.  Acknowledgments
+
+   This proposal is the result of a collaborative effort.
+   Acknowledgments are due to the many members of the IETF Security Area
+   Advisory Group (SAAG) and the Common Authentication Technology (CAT)
+   Working Group for their contributions at meetings and by electronic
+   mail. Acknowledgments are also due to Kannan Alagappan, Doug Barlow,
+   Bill Brown, Cliff Kahn, Charlie Kaufman, Butler Lampson, Richard
+   Pitkin, Joe Tardo, and John Wray of Digital Equipment Corporation,
+   and John Carr, John Kohl, Jon Rochlis, Jeff Schiller, and Ted T'so of
+   MIT and Project Athena.  Joe Pato and Bill Sommerfeld of HP/Apollo,
+   Walt Tuvell of OSF, and Bill Griffith and Mike Merritt of AT&T,
+   provided inputs which helped to focus and clarify directions.
+   Precursor work by Richard Pitkin, presented to meetings of the
+   Trusted Systems Interoperability Group (TSIG), helped to demonstrate
+   the value of a generic, mechanism-independent security service API.
+
+6. Security Considerations
+
+   Security issues are discussed throughout this memo.
+
+7. Author's Address
+
+   John Linn
+   Geer Zolot Associates
+   One Main St.
+   Cambridge, MA  02142  USA
+
+   Phone: +1 617.374.3700
+   Email: Linn@gza.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                                                           [Page 46]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+APPENDIX  A
+
+PACS AND AUTHORIZATION SERVICES
+
+   Consideration has been given to modifying the GSS-API service
+   interface to recognize and manipulate Privilege Attribute
+   Certificates (PACs) as in ECMA 138, carrying authorization data as a
+   side effect of establishing a security context, but no such
+   modifications have been incorporated at this time. This appendix
+   provides rationale for this decision and discusses compatibility
+   alternatives between PACs and the GSS-API which do not require that
+   PACs be made visible to GSS-API callers.
+
+   Existing candidate mechanism types such as Kerberos and X.509 do not
+   incorporate PAC manipulation features, and exclusion of such
+   mechanisms from the set of candidates equipped to fully support the
+   GSS-API seems inappropriate. Inclusion (and GSS-API visibility) of a
+   feature supported by only a limited number of mechanisms could
+   encourage the development of ostensibly portable applications which
+   would in fact have only limited portability.
+
+   The status quo, in which PACs are not visible across the GSS-API
+   interface, does not preclude implementations in which PACs are
+   carried transparently, within the tokens defined and used for certain
+   mech_types, and stored within peers' credentials and context-level
+   data structures. While invisible to API callers, such PACs could be
+   used by operating system or other local functions as inputs in the
+   course of mediating access requests made by callers. This course of
+   action allows dynamic selection of PAC contents, if such selection is
+   administratively-directed rather than caller-directed.
+
+   In a distributed computing environment, authentication must span
+   different systems; the need for such authentication provides
+   motivation for GSS-API definition and usage. Heterogeneous systems in
+   a network can intercommunicate, with globally authenticated names
+   comprising the common bond between locally defined access control
+   policies. Access control policies to which authentication provides
+   inputs are often local, or specific to particular operating systems
+   or environments. If the GSS-API made particular authorization models
+   visible across its service interface, its scope of application would
+   become less general. The current GSS-API paradigm is consistent with
+   the precedent set by Kerberos, neither defining the interpretation of
+   authorization-related data nor enforcing access controls based on
+   such data.
+
+   The GSS-API is a general interface, whose callers may reside inside
+   or outside any defined TCB or NTCB boundaries. Given this
+   characteristic, it appears more realistic to provide facilities which
+
+
+
+Linn                                                           [Page 47]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+   provide "value-added" security services to its callers than to offer
+   facilities which enforce restrictions on those callers. Authorization
+   decisions must often be mediated below the GSS-API level in a local
+   manner against (or in spite of) applications, and cannot be
+   selectively invoked or omitted at those applications' discretion.
+   Given that the GSS-API's placement prevents it from providing a
+   comprehensive solution to the authorization issue, the value of a
+   partial contribution specific to particular authorization models is
+   debatable.
+
+APPENDIX  B
+
+MECHANISM-INDEPENDENT TOKEN FORMAT
+
+   This appendix specifies a mechanism-independent level of
+   encapsulating representation for the initial token of a GSS-API
+   context establishment sequence, incorporating an identifier of the
+   mechanism type to be used on that context. Use of this format (with
+   ASN.1-encoded data elements represented in BER, constrained in the
+   interests of parsing simplicity to the Distinguished Encoding Rule
+   (DER) BER subset defined in X.509, clause 8.7) is recommended to the
+   designers of GSS-API implementations based on various mechanisms, so
+   that tokens can be interpreted unambiguously at GSS-API peers. There
+   is no requirement that the mechanism-specific innerContextToken,
+   innerMsgToken, and sealedUserData data elements be encoded in ASN.1
+   BER.
+
+          -- optional top-level token definitions to
+          -- frame different mechanisms
+
+          GSS-API DEFINITIONS ::=
+
+          BEGIN
+
+          MechType ::= OBJECT IDENTIFIER
+          -- data structure definitions
+
+          -- callers must be able to distinguish among
+          -- InitialContextToken, SubsequentContextToken,
+          -- PerMsgToken, and SealedMessage data elements
+          -- based on the usage in which they occur
+
+          InitialContextToken ::=
+          -- option indication (delegation, etc.) indicated within
+          -- mechanism-specific token
+          [APPLICATION 0] IMPLICIT SEQUENCE {
+                  thisMech MechType,
+                  innerContextToken ANY DEFINED BY thisMech
+
+
+
+Linn                                                           [Page 48]
+
+RFC 1508               Generic Security Interface         September 1993
+
+
+                     -- contents mechanism-specific
+                  }
+
+          SubsequentContextToken ::= innerContextToken ANY
+          -- interpretation based on predecessor InitialContextToken
+
+          PerMsgToken ::=
+          -- as emitted by GSS_Sign and processed by GSS_Verify
+                  innerMsgToken ANY
+
+          SealedMessage ::=
+          -- as emitted by GSS_Seal and processed by GSS_Unseal
+          -- includes internal, mechanism-defined indicator
+          -- of whether or not encrypted
+                  sealedUserData ANY
+
+          END
+
+APPENDIX  C
+
+MECHANISM DESIGN CONSTRAINTS
+
+   The following constraints on GSS-API mechanism designs are adopted in
+   response to observed caller protocol requirements, and adherence
+   thereto is anticipated in subsequent descriptions of GSS-API
+   mechanisms to be documented in standards-track Internet
+   specifications.
+
+   Use of the approach defined in Appendix B of this specification,
+   applying a mechanism type tag to the InitialContextToken, is
+   required.
+
+   It is strongly recommended that mechanisms offering per-message
+   protection services also offer at least one of the replay detection
+   and sequencing services, as mechanisms offering neither of the latter
+   will fail to satisfy recognized requirements of certain candidate
+   caller protocols.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                                                           [Page 49]
+
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/rfc1509.txt b/crypto/heimdal/doc/standardisation/rfc1509.txt
new file mode 100644
index 0000000..f36cd80
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1509.txt
@@ -0,0 +1,2691 @@
+
+
+
+
+
+
+Network Working Group                                            J. Wray
+Request for Comments: 1509                 Digital Equipment Corporation
+                                                          September 1993
+
+
+               Generic Security Service API : C-bindings
+
+Status of this Memo
+
+   This RFC specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" for the standardization state and status
+   of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   This document specifies C language bindings for the Generic Security
+   Service Application Program Interface (GSS-API), which is described
+   at a language-independent conceptual level in other documents.
+
+   The Generic Security Service Application Programming Interface (GSS-
+   API) provides security services to its callers, and is intended for
+   implementation atop alternative underlying cryptographic mechanisms.
+   Typically, GSS-API callers will be application protocols into which
+   security enhancements are integrated through invocation of services
+   provided by the GSS-API. The GSS-API allows a caller application to
+   authenticate a principal identity associated with a peer application,
+   to delegate rights to a peer, and to apply security services such as
+   confidentiality and integrity on a per-message basis.
+
+1. INTRODUCTION
+
+   The Generic Security Service Application Programming Interface [1]
+   provides security services to calling applications.  It allows a
+   communicating application to authenticate the user associated with
+   another application, to delegate rights to another application, and
+   to apply security services such as confidentiality and integrity on a
+   per-message basis.
+
+   There are four stages to using the GSSAPI:
+
+   (a) The application acquires a set of credentials with which it may
+       prove its identity to other processes.  The application's
+       credentials vouch for its global identity, which may or may not
+       be related to the local username under which it is running.
+
+
+
+
+
+Wray                                                            [Page 1]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   (b) A pair of communicating applications establish a joint security
+       context using their credentials.  The security context is a
+       pair of GSSAPI data structures that contain shared state
+       information, which is required in order that per-message
+       security services may be provided.  As part of the
+       establishment of a security context, the context initiator is
+       authenticated to the responder, and may require that the
+       responder is authenticated in turn.  The initiator may
+       optionally give the responder the right to initiate further
+       security contexts.  This transfer of rights is termed
+       delegation, and is achieved by creating a set of credentials,
+       similar to those used by the originating application, but which
+       may be used by the responder.  To establish and maintain the
+       shared information that makes up the security context, certain
+       GSSAPI calls will return a token data structure, which is a
+       cryptographically protected opaque data type.  The caller of
+       such a GSSAPI routine is responsible for transferring the token
+       to the peer application, which should then pass it to a
+       corresponding GSSAPI routine which will decode it and extract
+       the information.
+
+   (c) Per-message services are invoked to apply either:
+
+       (i) integrity and data origin authentication, or
+
+       (ii) confidentiality, integrity and data origin authentication
+            to application data, which are treated by GSSAPI as
+            arbitrary octet-strings.  The application transmitting a
+            message that it wishes to protect will call the appropriate
+            GSSAPI routine (sign or seal) to apply protection, specifying
+            the appropriate security context, and send the result to the
+            receiving application.  The receiver will pass the received
+            data to the corresponding decoding routine (verify or unseal)
+            to remove the protection and validate the data.
+
+   (d) At the completion of a communications session (which may extend
+       across several connections), the peer applications call GSSAPI
+       routines to delete the security context.  Multiple contexts may
+       also be used (either successively or simultaneously) within a
+       single communications association.
+
+2. GSSAPI Routines
+
+   This section lists the functions performed by each of the GSSAPI
+   routines and discusses their major parameters, describing how they
+   are to be passed to the routines.  The routines are listed in figure
+   4-1.
+
+
+
+
+Wray                                                            [Page 2]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                      Figure 4-1  GSSAPI Routines
+
+
+            Routine                               Function
+
+            gss_acquire_cred               Assume a global identity
+
+            gss_release_cred               Discard credentials
+
+            gss_init_sec_context           Initiate a security context
+                                           with a peer application
+
+            gss_accept_sec_context         Accept a security context
+                                           initiated by a peer
+                                           application
+
+            gss_process_context_token      Process a token on a security
+                                           context from a peer
+                                           application
+
+            gss_delete_sec_context         Discard a security context
+
+            gss_context_time               Determine for how long a
+                                           context will remain valid
+
+            gss_sign                       Sign a message; integrity
+                                           service
+
+            gss_verify                     Check signature on a message
+
+            gss_seal                       Sign (optionally encrypt) a
+                                           message; confidentiality
+                                           service
+
+            gss_unseal                     Verify (optionally decrypt)
+                                           message
+
+            gss_display_status             Convert an API status code
+                                           to text
+
+            gss_indicate_mechs             Determine underlying
+                                           authentication mechanism
+
+            gss_compare_name               Compare two internal-form
+                                           names
+
+            gss_display_name               Convert opaque name to text
+
+
+
+
+Wray                                                            [Page 3]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+            gss_import_name                Convert a textual name to
+                                           internal-form
+
+            gss_release_name               Discard an internal-form
+                                           name
+
+            gss_release_buffer             Discard a buffer
+
+            gss_release_oid_set            Discard a set of object
+                                           identifiers
+
+            gss_inquire_cred               Determine information about
+                                           a credential
+
+   Individual GSSAPI implementations may augment these routines by
+   providing additional mechanism-specific routines if required
+   functionality is not available from the generic forms.  Applications
+   are encouraged to use the generic routines wherever possible on
+   portability grounds.
+
+2.1. Data Types and Calling Conventions
+
+   The following conventions are used by the GSSAPI:
+
+2.1.1. Structured data types
+
+   Wherever these GSSAPI C-bindings describe structured data, only
+   fields that must be provided by all GSSAPI implementation are
+   documented.  Individual implementations may provide additional
+   fields, either for internal use within GSSAPI routines, or for use by
+   non-portable applications.
+
+2.1.2. Integer types
+
+   GSSAPI defines the following integer data type:
+
+                 OM_uint32      32-bit unsigned integer
+
+   Where guaranteed minimum bit-count is important, this portable data
+   type is used by the GSSAPI routine definitions. Individual GSSAPI
+   implementations will include appropriate typedef definitions to map
+   this type onto a built-in data type.
+
+2.1.3. String and similar data
+
+   Many of the GSSAPI routines take arguments and return values that
+   describe contiguous multiple-byte data.  All such data is passed
+   between the GSSAPI and the caller using the gss_buffer_t data type.
+
+
+
+Wray                                                            [Page 4]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   This data type is a pointer to a buffer descriptor, which consists of
+   a length field that contains the total number of bytes in the datum,
+   and a value field which contains a pointer to the actual datum:
+
+                 typedef struct gss_buffer_desc_struct {
+                    size_t  length;
+                    void    *value;
+                 } gss_buffer_desc, *gss_buffer_t;
+
+   Storage for data passed to the application by a GSSAPI routine using
+   the gss_buffer_t conventions is allocated by the GSSAPI routine.  The
+   application may free this storage by invoking the gss_release_buffer
+   routine.  Allocation of the gss_buffer_desc object is always the
+   responsibility of the application;  Unused gss_buffer_desc objects
+   may be initialized to the value GSS_C_EMPTY_BUFFER.
+
+2.1.3.1. Opaque data types
+
+   Certain multiple-word data items are considered opaque data types at
+   the GSSAPI, because their internal structure has no significance
+   either to the GSSAPI or to the caller.  Examples of such opaque data
+   types are the input_token parameter to gss_init_sec_context (which is
+   opaque to the caller), and the input_message parameter to gss_seal
+   (which is opaque to the GSSAPI).  Opaque data is passed between the
+   GSSAPI and the application using the gss_buffer_t datatype.
+
+2.1.3.2. Character strings
+
+   Certain multiple-word data items may be regarded as simple ISO
+   Latin-1 character strings.  An example of this is the
+   input_name_buffer parameter to gss_import_name.  Some GSSAPI routines
+   also return character strings.  Character strings are passed between
+   the application and the GSSAPI using the gss_buffer_t datatype,
+   defined earlier.
+
+2.1.4. Object Identifiers
+
+   Certain GSSAPI procedures take parameters of the type gss_OID, or
+   Object identifier.  This is a type containing ISO-defined tree-
+   structured values, and is used by the GSSAPI caller to select an
+   underlying security mechanism.  A value of type gss_OID has the
+   following structure:
+
+                 typedef struct gss_OID_desc_struct {
+                    OM_uint32 length;
+                    void      *elements;
+                 } gss_OID_desc, *gss_OID;
+
+
+
+
+Wray                                                            [Page 5]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   The elements field of this structure points to the first byte of an
+   octet string containing the ASN.1 BER encoding of the value of the
+   gss_OID.  The length field contains the number of bytes in this
+   value.  For example, the  gss_OID value corresponding to {iso(1)
+   identified- oganization(3) icd-ecma(12) member-company(2) dec(1011)
+   cryptoAlgorithms(7) SPX(5)} meaning SPX (Digital's X.509
+   authentication mechanism) has a length field of 7 and an elements
+   field pointing to seven octets containing the following octal values:
+   53,14,2,207,163,7,5. GSSAPI implementations should provide constant
+   gss_OID values to allow callers to request any supported mechanism,
+   although applications are encouraged on portability grounds to accept
+   the default mechanism.   gss_OID values should also be provided to
+   allow applications to specify particular name types (see section
+   2.1.10).  Applications should treat gss_OID_desc values returned by
+   GSSAPI routines as read-only.  In particular, the application should
+   not attempt to deallocate them.  The gss_OID_desc datatype is
+   equivalent to the X/Open OM_object_identifier datatype [2].
+
+2.1.5. Object Identifier Sets
+
+   Certain GSSAPI procedures take parameters of the type gss_OID_set.
+   This type represents one or more object identifiers (section 2.1.4).
+   A gss_OID_set object has the following structure:
+
+                 typedef struct gss_OID_set_desc_struct {
+                    int       count;
+                    gss_OID   elements;
+                 } gss_OID_set_desc, *gss_OID_set;
+
+   The count field contains the number of OIDs within the set.  The
+   elements field is a pointer to an array of gss_OID_desc objects, each
+   of which describes a single OID. gss_OID_set values are used to name
+   the available mechanisms supported by the GSSAPI, to request the use
+   of specific mechanisms, and to indicate which mechanisms a given
+   credential supports.  Storage associated with gss_OID_set values
+   returned to the application by the GSSAPI may be deallocated by the
+   gss_release_oid_set routine.
+
+2.1.6. Credentials
+
+   A credential handle is a caller-opaque atomic datum that identifies a
+   GSSAPI credential data structure.  It is represented by the caller-
+   opaque type gss_cred_id_t, which may be implemented as either an
+   arithmetic or a pointer type.  Credentials describe a principal, and
+   they give their holder the ability to act as that principal.  The
+   GSSAPI does not make the actual credentials available to
+   applications; instead the credential handle is used to identify a
+   particular credential, held internally by GSSAPI or underlying
+
+
+
+Wray                                                            [Page 6]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   mechanism.  Thus the credential handle contains no security-relavent
+   information, and requires no special protection by the application.
+   Depending on the implementation, a given credential handle may refer
+   to different credentials when presented to the GSSAPI by different
+   callers.  Individual GSSAPI implementations should define both the
+   scope of a credential handle and the scope of a credential itself
+   (which must be at least as wide as that of a handle).  Possibilities
+   for credential handle scope include the process that acquired the
+   handle, the acquiring process and its children, or all processes
+   sharing some local identification information (e.g., UID).  If no
+   handles exist by which a given credential may be reached, the GSSAPI
+   may delete the credential.
+
+   Certain routines allow credential handle parameters to be omitted to
+   indicate the use of a default credential.  The mechanism by which a
+   default credential is established and its scope should be defined by
+   the individual GSSAPI implementation.
+
+2.1.7. Contexts
+
+   The gss_ctx_id_t data type contains a caller-opaque atomic value that
+   identifies one end of a GSSAPI security context.  It may be
+   implemented as either an arithmetic or a pointer type. Depending on
+   the implementation, a given gss_ctx_id_t value may refer to different
+   GSSAPI security contexts when presented to the GSSAPI by different
+   callers.  The security context holds state information about each end
+   of a peer communication, including cryptographic state information.
+   Individual GSSAPI implementations should define the scope of a
+   context.  Since no way is provided by which a new gss_ctx_id_t value
+   may be obtained for an existing context, the scope of a context
+   should be the same as the scope of a gss_ctx_id_t.
+
+2.1.8. Authentication tokens
+
+   A token is a caller-opaque type that GSSAPI uses to maintain
+   synchronization between the context data structures at each end of a
+   GSSAPI security context.  The token is a cryptographically protected
+   bit-string, generated by the underlying mechanism at one end of a
+   GSSAPI security context for use by the peer mechanism at the other
+   end.  Encapsulation (if required) and transfer of the token are the
+   responsibility of the peer applications.  A token is passed between
+   the GSSAPI and the application using the gss_buffer_t conventions.
+
+2.1.9. Status values
+
+   One or more status codes are returned by each GSSAPI routine.  Two
+   distinct sorts of status codes are returned.  These are termed GSS
+   status codes and Mechanism status codes.
+
+
+
+Wray                                                            [Page 7]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+2.1.9.1. GSS status codes
+
+   GSSAPI routines return GSS status codes as their OM_uint32 function
+   value.  These codes indicate errors that are independent of the
+   underlying mechanism used to provide the security service.  The
+   errors that can be indicated via a GSS status code are either generic
+   API routine errors (errors that are defined in the GSSAPI
+   specification) or calling errors (errors that are specific to these
+   bindings).
+
+   A GSS status code can indicate a single fatal generic API error from
+   the routine and a single calling error.  In addition, supplementary
+   status information may be indicated via the setting of bits in the
+   supplementary info field of a GSS status code.
+
+   These errors are encoded into the 32-bit GSS status code as follows:
+
+      MSB                                                        LSB
+      |------------------------------------------------------------|
+      | Calling Error | Routine Error  |    Supplementary Info     |
+      |------------------------------------------------------------|
+   Bit 31           24 23            16 15                        0
+
+   Hence if a GSSAPI routine returns a GSS status code whose upper 16
+   bits contain a non-zero value, the call failed.  If the calling error
+   field is non-zero, the invoking application's call of the routine was
+   erroneous.  Calling errors are defined in table 5-1.  If the routine
+   error field is non-zero, the routine failed for one of the routine-
+   specific reasons listed below in table 5-2.  Whether or not the upper
+   16 bits indicate a failure or a success, the routine may indicate
+   additional information by setting bits in the supplementary info
+   field of the status code.  The meaning of individual bits is listed
+   below in table 5-3.
+
+                     Table 5-1  Calling Errors
+
+              Name                    Value in        Meaning
+                                        Field
+         GSS_S_CALL_INACCESSIBLE_READ     1           A required input
+                                                      parameter could
+                                                      not be read.
+         GSS_S_CALL_INACCESSIBLE_WRITE    2           A required output
+                                                      parameter could
+                                                      not be written.
+         GSS_S_CALL_BAD_STRUCTURE         3           A parameter was
+                                                      malformed
+
+
+
+
+
+Wray                                                            [Page 8]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                     Table 5-2  Routine Errors
+
+               Name             Value in       Meaning
+                                 Field
+
+         GSS_S_BAD_MECH             1      An unsupported mechanism was
+                                           requested
+         GSS_S_BAD_NAME             2      An invalid name was supplied
+         GSS_S_BAD_NAMETYPE         3      A supplied name was of an
+                                           unsupported type
+         GSS_S_BAD_BINDINGS         4      Incorrect channel bindings
+                                           were supplied
+         GSS_S_BAD_STATUS           5      An invalid status code was
+                                           supplied
+
+         GSS_S_BAD_SIG              6      A token had an invalid
+                                           signature
+         GSS_S_NO_CRED              7      No credentials were supplied
+         GSS_S_NO_CONTEXT           8      No context has been
+                                           established
+         GSS_S_DEFECTIVE_TOKEN      9      A token was invalid
+         GSS_S_DEFECTIVE_CREDENTIAL 10     A credential was invalid
+         GSS_S_CREDENTIALS_EXPIRED  11     The referenced credentials
+                                           have expired
+         GSS_S_CONTEXT_EXPIRED      12     The context has expired
+         GSS_S_FAILURE              13     Miscellaneous failure
+                                           (see text)
+
+                     Table 5-3  Supplementary Status Bits
+
+         Name                Bit Number         Meaning
+         GSS_S_CONTINUE_NEEDED   0 (LSB)  The routine must be called
+                                          again to complete its
+                                          function.
+                                          See routine documentation for
+                                          detailed description.
+         GSS_S_DUPLICATE_TOKEN   1        The token was a duplicate of
+                                          an earlier token
+         GSS_S_OLD_TOKEN         2        The token's validity period
+                                          has expired
+         GSS_S_UNSEQ_TOKEN       3        A later token has already been
+                                          processed
+
+   The routine documentation also uses the name GSS_S_COMPLETE, which is
+   a zero value, to indicate an absence of any API errors or
+   supplementary information bits.
+
+
+
+
+
+Wray                                                            [Page 9]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   All GSS_S_xxx symbols equate to complete OM_uint32 status codes,
+   rather than to bitfield values.  For example, the actual value of the
+   symbol GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is 3
+   << 16.
+
+   The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and
+   GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS
+   status code and removes all but the relevant field.  For example, the
+   value obtained by applying GSS_ROUTINE_ERROR to a status code removes
+   the calling errors and supplementary info fields, leaving only the
+   routine errors field.  The values delivered by these macros may be
+   directly compared with a GSS_S_xxx symbol of the appropriate type.
+   The macro GSS_ERROR() is also provided, which when applied to a GSS
+   status code returns a non-zero value if the status code indicated a
+   calling or routine error, and a zero value otherwise.
+
+   A GSSAPI implementation may choose to signal calling errors in a
+   platform-specific manner instead of, or in addition to the routine
+   value; routine errors and supplementary info should be returned via
+   routine status values only.
+
+2.1.9.2. Mechanism-specific status codes
+
+   GSSAPI routines return a minor_status parameter, which is used to
+   indicate specialized errors from the underlying security mechanism.
+   This parameter may contain a single mechanism-specific error,
+   indicated by a OM_uint32 value.
+
+   The minor_status parameter will always be set by a GSSAPI routine,
+   even if it returns a calling error or one of the generic API errors
+   indicated above as fatal, although other output parameters may remain
+   unset in such cases.  However, output parameters that are expected to
+   return pointers to storage allocated by a routine must always set set
+   by the routine, even in the event of an error, although in such cases
+   the GSSAPI routine may elect to set the returned parameter value to
+   NULL to indicate that no storage was actually allocated.  Any length
+   field associated with such pointers (as in a gss_buffer_desc
+   structure) should also be set to zero in such cases.
+
+   The GSS status code GSS_S_FAILURE is used to indicate that the
+   underlying mechanism detected an error for which no specific GSS
+   status code is defined.  The mechanism status code will provide more
+   details about the error.
+
+2.1.10. Names
+
+   A name is used to identify a person or entity.  GSSAPI authenticates
+   the relationship between a name and the entity claiming the name.
+
+
+
+Wray                                                           [Page 10]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   Two distinct representations are defined for names:
+
+        (a) A printable form, for presentation to a user
+
+        (b) An internal form, for presentation at the API
+
+   The syntax of a printable name is defined by the GSSAPI
+   implementation, and may be dependent on local system configuration,
+   or on individual user preference.  The internal form provides a
+   canonical representation of the name that is independent of
+   configuration.
+
+   A given GSSAPI implementation may support names drawn from multiple
+   namespaces.  In such an implementation, the internal form of the name
+   must include fields that identify the namespace from which the name
+   is drawn.  The namespace from which a printable name is drawn is
+   specified by an accompanying object identifier.
+
+   Routines (gss_import_name and  gss_display_name) are provided to
+   convert names between their printable representations and the
+   gss_name_t type.  gss_import_name may support multiple syntaxes for
+   each supported namespace, allowing users the freedom to choose a
+   preferred name representation.  gss_display_name should use an
+   implementation-chosen preferred syntax for each supported name-type.
+
+   Comparison of internal-form names is accomplished via the
+   gss_compare_names routine.  This removes the need for the application
+   program to understand the syntaxes of the various printable names
+   that a given GSSAPI implementation may support.
+
+   Storage is allocated by routines that return gss_name_t values.  A
+   procedure, gss_release_name, is provided to free storage associated
+   with a name.
+
+2.1.11. Channel Bindings
+
+   GSSAPI supports the use of user-specified tags to identify a given
+   context to the peer application.  These tags are used to identify the
+   particular communications channel that carries the context.  Channel
+   bindings are communicated to the GSSAPI using the following
+   structure:
+
+
+
+
+
+
+
+
+
+
+Wray                                                           [Page 11]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                 typedef struct gss_channel_bindings_struct {
+                    OM_uint32       initiator_addrtype;
+                    gss_buffer_desc initiator_address;
+                    OM_uint32       acceptor_addrtype;
+                    gss_buffer_desc acceptor_address;
+                    gss_buffer_desc application_data;
+                 } *gss_channel_bindings_t;
+
+   The initiator_addrtype and acceptor_addrtype fields denote the type
+   of addresses contained in the initiator_address and acceptor_address
+   buffers.  The address type should be one of the following:
+
+          GSS_C_AF_UNSPEC      Unspecified address type
+          GSS_C_AF_LOCAL       Host-local address type
+          GSS_C_AF_INET        DARPA Internet address type
+          GSS_C_AF_IMPLINK     ARPAnet IMP address type (eg IP)
+          GSS_C_AF_PUP         pup protocols (eg BSP) address type
+          GSS_C_AF_CHAOS       MIT CHAOS protocol address type
+          GSS_C_AF_NS          XEROX NS address type
+          GSS_C_AF_NBS         nbs address type
+          GSS_C_AF_ECMA        ECMA address type
+          GSS_C_AF_DATAKIT     datakit protocols address type
+          GSS_C_AF_CCITT       CCITT protocols (eg X.25)
+          GSS_C_AF_SNA         IBM SNA address type
+          GSS_C_AF_DECnet      DECnet address type
+          GSS_C_AF_DLI         Direct data link interface address type
+          GSS_C_AF_LAT         LAT address type
+          GSS_C_AF_HYLINK      NSC Hyperchannel address type
+          GSS_C_AF_APPLETALK   AppleTalk address type
+          GSS_C_AF_BSC         BISYNC 2780/3780 address type
+          GSS_C_AF_DSS         Distributed system services address type
+          GSS_C_AF_OSI         OSI TP4 address type
+          GSS_C_AF_X25         X25
+          GSS_C_AF_NULLADDR    No address specified
+
+   Note that these name address families rather than specific addressing
+   formats.  For address families that contain several alternative
+   address forms, the initiator_address and acceptor_address fields must
+   contain sufficient information to determine which address form is
+   used.  When not otherwise specified, addresses should be specified in
+   network byte-order.
+
+   Conceptually, the GSSAPI concatenates the initiator_addrtype,
+   initiator_address, acceptor_addrtype, acceptor_address and
+   application_data to form an octet string.  The mechanism signs this
+   octet string, and binds the signature to the context establishment
+   token emitted by gss_init_sec_context.  The same bindings are
+   presented by the context acceptor to gss_accept_sec_context, and a
+
+
+
+Wray                                                           [Page 12]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   signature is calculated in the same way.  The calculated signature is
+   compared with that found in the token, and if the signatures differ,
+   gss_accept_sec_context will return a GSS_S_BAD_BINDINGS error, and
+   the context will not be established.  Some mechanisms may include the
+   actual channel binding data in the token (rather than just a
+   signature); applications should therefore not use confidential data
+   as channel-binding components.  Individual mechanisms may impose
+   additional constraints on addresses and address types that may appear
+   in channel bindings.  For example, a mechanism may verify that the
+   initiator_address field of the channel bindings presented to
+   gss_init_sec_context contains the correct network address of the host
+   system.
+
+2.1.12. Optional parameters
+
+   Various parameters are described as optional.  This means that they
+   follow a convention whereby a default value may be requested.  The
+   following conventions are used for omitted parameters.  These
+   conventions apply only to those parameters that are explicitly
+   documented as optional.
+
+2.1.12.1. gss_buffer_t types
+
+   Specify GSS_C_NO_BUFFER as a value.  For an input parameter this
+   signifies that default behavior is requested, while for an output
+   parameter it indicates that the information that would be returned
+   via the parameter is not required by the application.
+
+2.1.12.2. Integer types (input)
+
+   Individual parameter documentation lists values to be used to
+   indicate default actions.
+
+2.1.12.3. Integer types (output)
+
+   Specify NULL as the value for the pointer.
+
+2.1.12.4. Pointer types
+
+   Specify NULL as the value.
+
+2.1.12.5. Object IDs
+
+   Specify GSS_C_NULL_OID as the value.
+
+2.1.12.6. Object ID Sets
+
+   Specify GSS_C_NULL_OID_SET as the value.
+
+
+
+Wray                                                           [Page 13]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+2.1.12.7. Credentials
+
+   Specify GSS_C_NO_CREDENTIAL to use the default credential handle.
+
+2.1.12.8. Channel Bindings
+
+   Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings
+   are not to be used.
+
+3. GSSAPI routine descriptions
+
+2.1. gss_acquire_cred
+
+      OM_uint32  gss_acquire_cred (
+                     OM_uint32 *     minor_status,
+                     gss_name_t      desired_name,
+                     OM_uint32       time_req,
+                     gss_OID_set     desired_mechs,
+                     int             cred_usage,
+                     gss_cred_id_t * output_cred_handle,
+                     gss_OID_set *   actual_mechs,
+                      OM_int32 *      time_rec)
+   Purpose:
+
+   Allows an application to acquire a handle for a pre-existing
+   credential by name.  GSSAPI implementations must impose a local
+   access-control policy on callers of this routine to prevent
+   unauthorized callers from acquiring credentials to which they are not
+   entitled.  This routine is not intended to provide a "login to the
+   network" function, as such a function would result in the creation of
+   new credentials rather than merely acquiring a handle to existing
+   credentials.  Such functions, if required, should be defined in
+   implementation-specific extensions to the API.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may chooses to delay the actual acquisition until the
+   credential is required (e.g., by gss_init_sec_context or
+   gss_accept_sec_context).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call
+   of gss_inquire_cred immediately following the call of
+   gss_acquire_cred must return valid credential data, and may therefore
+   incur the overhead of a deferred credential acquisition.
+
+   Parameters:
+
+      desired_name      gss_name_t, read
+                        Name of principal whose credential
+                        should be acquired
+
+
+
+Wray                                                           [Page 14]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      time_req          integer, read
+                        number of seconds that credentials
+                        should remain valid
+
+      desired_mechs     Set of Object IDs, read
+                        set of underlying security mechanisms that
+                        may be used.  GSS_C_NULL_OID_SET may be used
+                        to obtain an implementation-specific default.
+
+      cred_usage        integer, read
+                        GSS_C_BOTH - Credentials may be used
+                                     either to initiate or accept
+                                     security contexts.
+                        GSS_C_INITIATE - Credentials will only be
+                                         used to initiate security
+                                         contexts.
+                        GSS_C_ACCEPT - Credentials will only be used to
+                                       accept security contexts.
+
+      output_cred_handle   gss_cred_id_t, modify
+                           The returned credential handle.
+
+      actual_mechs      Set of Object IDs, modify, optional
+                        The set of mechanisms for which the
+                        credential is valid.  Specify NULL
+                        if not required.
+
+      time_rec          Integer, modify, optional
+                        Actual number of seconds for which the
+                        returned credentials will remain valid.  If the
+                        implementation does not support expiration of
+                        credentials, the value GSS_C_INDEFINITE will
+                        be returned. Specify NULL if not required
+
+      minor_status      Integer, modify
+                        Mechanism specific status code.
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_MECH    Unavailable mechanism requested
+
+      GSS_S_BAD_NAMETYPE Type contained within desired_name parameter is
+                        not supported
+
+      GSS_S_BAD_NAME    Value supplied for desired_name parameter is
+
+
+
+Wray                                                           [Page 15]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                        ill-formed.
+
+      GSS_S_FAILURE     Unspecified failure.  The minor_status parameter
+                        contains more detailed information
+
+3.2. gss_release_cred
+
+      OM_uint32  gss_release_cred (
+                     OM_uint32 *     minor_status,
+                     gss_cred_id_t * cred_handle)
+
+   Purpose:
+
+   Informs GSSAPI that the specified credential handle is no longer
+   required by the process.  When all processes have released a
+   credential, it will be deleted.
+
+   Parameters:
+
+      cred_handle       gss_cred_id_t, modify, optional
+                        buffer containing opaque credential
+                        handle.  If  GSS_C_NO_CREDENTIAL  is supplied,
+                        the default credential will be released
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_NO_CRED     Credentials could not be accessed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wray                                                           [Page 16]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+3.3. gss_init_sec_context
+
+      OM_uint32  gss_init_sec_context (
+                     OM_uint32 *     minor_status,
+                     gss_cred_id_t   claimant_cred_handle,
+                     gss_ctx_id_t *  context_handle,
+                     gss_name_t      target_name,
+                     gss_OID         mech_type,
+                     int             req_flags,
+                     int             time_req,
+                     gss_channel_bindings_t
+                                     input_chan_bindings,
+                     gss_buffer_t    input_token
+                     gss_OID *       actual_mech_type,
+                     gss_buffer_t    output_token,
+                     int *           ret_flags,
+                     OM_uint32 *     time_rec )
+
+   Purpose:
+
+   Initiates the establishment of a security context between the
+   application and a remote peer.  Initially, the input_token parameter
+   should be specified as GSS_C_NO_BUFFER.  The routine may return a
+   output_token which should be transferred to the peer application,
+   where the peer application will present it to gss_accept_sec_context.
+   If no token need be sent, gss_init_sec_context will indicate this by
+   setting the length field of the output_token argument to zero.  To
+   complete the context establishment, one or more reply tokens may be
+   required from the peer application; if so, gss_init_sec_context will
+   return a status indicating GSS_S_CONTINUE_NEEDED in which case it
+   should be called again when the reply token is received from the peer
+   application, passing the token to gss_init_sec_context via the
+   input_token parameters.
+
+   The values returned via the ret_flags and time_rec parameters are not
+   defined unless the routine returns GSS_S_COMPLETE.
+
+   Parameters:
+
+      claimant_cred_handle  gss_cred_id_t, read, optional
+                            handle for credentials claimed.  Supply
+                            GSS_C_NO_CREDENTIAL to use default
+                            credentials.
+
+      context_handle    gss_ctx_id_t, read/modify
+                        context handle for new context.  Supply
+                        GSS_C_NO_CONTEXT for first call; use value
+                        returned by first call in continuation calls.
+
+
+
+Wray                                                           [Page 17]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      target_name       gss_name_t, read
+                        Name of target
+
+      mech_type         OID, read, optional
+                        Object ID of desired mechanism. Supply
+                        GSS_C_NULL_OID to obtain an implementation
+                        specific default
+
+      req_flags         bit-mask, read
+                        Contains four independent flags, each of
+                        which requests that the context support a
+                        specific service option.  Symbolic
+                        names are provided for each flag, and the
+                        symbolic names corresponding to the required
+                        flags should be logically-ORed
+                        together to form the bit-mask value.  The
+                        flags are:
+
+                        GSS_C_DELEG_FLAG
+                              True - Delegate credentials to remote peer
+                              False - Don't delegate
+                        GSS_C_MUTUAL_FLAG
+                              True - Request that remote peer
+                                     authenticate itself
+                              False - Authenticate self to remote peer
+                                      only
+                        GSS_C_REPLAY_FLAG
+                              True - Enable replay detection for signed
+                                     or sealed messages
+                              False - Don't attempt to detect
+                                      replayed messages
+                        GSS_C_SEQUENCE_FLAG
+                              True - Enable detection of out-of-sequence
+                                     signed or sealed messages
+                              False - Don't attempt to detect
+                                      out-of-sequence messages
+
+      time_req          integer, read
+                        Desired number of seconds for which context
+                        should remain valid.  Supply 0 to request a
+                        default validity period.
+
+      input_chan_bindings     channel bindings, read
+                              Application-specified bindings.  Allows
+                              application to securely bind channel
+                              identification information to the security
+                              context.
+
+
+
+
+Wray                                                           [Page 18]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      input_token       buffer, opaque, read, optional (see text)
+                        Token received from peer application.
+                        Supply GSS_C_NO_BUFFER on initial call.
+
+      actual_mech_type  OID, modify
+                        actual mechanism used.
+
+      output_token      buffer, opaque, modify
+                        token to be sent to peer application.  If
+                        the length field of the returned buffer is
+                        zero, no token need be sent to the peer
+                        application.
+
+      ret_flags         bit-mask, modify
+                        Contains six independent flags, each of which
+                        indicates that the context supports a specific
+                        service option.  Symbolic names are provided
+                        for each flag, and the symbolic names
+                        corresponding to the required flags should be
+                        logically-ANDed with the ret_flags value to test
+                        whether a given option is supported by the
+                        context.  The flags are:
+
+                        GSS_C_DELEG_FLAG
+                              True - Credentials were delegated to
+                                     the remote peer
+                              False - No credentials were delegated
+                        GSS_C_MUTUAL_FLAG
+                              True - Remote peer has been asked to
+                                     authenticated itself
+                              False - Remote peer has not been asked to
+                                      authenticate itself
+                        GSS_C_REPLAY_FLAG
+                              True - replay of signed or sealed messages
+                                     will be detected
+                              False - replayed messages will not be
+                                      detected
+                        GSS_C_SEQUENCE_FLAG
+                              True - out-of-sequence signed or sealed
+                                     messages will be detected
+                              False - out-of-sequence messages will not
+                                      be detected
+                        GSS_C_CONF_FLAG
+                              True - Confidentiality service may be
+                                     invoked by calling seal routine
+                              False - No confidentiality service (via
+                                      seal) available. seal will provide
+                                      message encapsulation, data-origin
+
+
+
+Wray                                                           [Page 19]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                                      authentication and integrity
+                                      services only.
+                        GSS_C_INTEG_FLAG
+                              True - Integrity service may be invoked by
+                                     calling either gss_sign or gss_seal
+                                     routines.
+                              False - Per-message integrity service
+                                      unavailable.
+
+      time_rec          integer, modify, optional
+                        number of seconds for which the context
+                        will remain valid. If the implementation does
+                        not support credential expiration, the value
+                        GSS_C_INDEFINITE will be returned.  Specify
+                        NULL if not required.
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+   Function value:
+
+   GSS status code:
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
+                     application is required to complete thecontext, and
+                     that gss_init_sec_context must be called again with
+                     that token.
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on
+                     the input_token failed
+
+   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
+                     performed on the credential failed.
+
+   GSS_S_NO_CRED     The supplied credentials were not valid for context
+                     initiation, or the credential handle did not
+                     reference any credentials.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired
+
+   GSS_S_BAD_BINDINGS The input_token contains different channel
+                     bindings to those specified via the
+                     input_chan_bindings parameter
+
+   GSS_S_BAD_SIG     The input_token contains an invalid signature, or a
+                     signature that could not be verified
+
+
+
+Wray                                                           [Page 20]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal error
+                     during context establishment
+
+   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of
+                     a token already processed.  This is a fatal error
+                     during context establishment.
+
+   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did not
+                     refer to a valid context
+
+   GSS_S_BAD_NAMETYPE The provided target_name parameter contained an
+                     invalid or unsupported type of name
+
+   GSS_S_BAD_NAME    The provided target_name parameter was ill-formed.
+
+   GSS_S_FAILURE     Failure.  See minor_status for more information
+
+3.4. gss_accept_sec_context
+
+      OM_uint32  gss_accept_sec_context (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t *  context_handle,
+                     gss_cred_id_t   verifier_cred_handle,
+                     gss_buffer_t    input_token_buffer
+                     gss_channel_bindings_t
+                                     input_chan_bindings,
+                     gss_name_t *    src_name,
+                     gss_OID *       mech_type,
+                     gss_buffer_t    output_token,
+                     int *           ret_flags,
+                     OM_uint32 *     time_rec,
+                     gss_cred_id_t * delegated_cred_handle)
+
+   Purpose:
+
+   Allows a remotely initiated security context between the application
+   and a remote peer to be established.  The routine may return a
+   output_token which should be transferred to the peer application,
+   where the peer application will present it to gss_init_sec_context.
+   If no token need be sent, gss_accept_sec_context will indicate this
+   by setting the length field of the output_token argument to zero.  To
+   complete the context establishment, one or more reply tokens may be
+   required from the peer application; if so, gss_accept_sec_context
+   will return a status flag of GSS_S_CONTINUE_NEEDED, in which case it
+   should be called again when the reply token is received from the peer
+   application, passing the token to gss_accept_sec_context via the
+   input_token parameters.
+
+
+
+
+Wray                                                           [Page 21]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   The values returned via the src_name, ret_flags, time_rec, and
+   delegated_cred_handle parameters are not defined unless the routine
+   returns GSS_S_COMPLETE.
+
+   Parameters:
+
+      context_handle    gss_ctx_id_t, read/modify
+                        context handle for new context.  Supply
+                        GSS_C_NO_CONTEXT for first call; use value
+                        returned in subsequent calls.
+
+      verifier_cred_handle    gss_cred_id_t, read, optional
+                              Credential handle claimed by context
+      acceptor.
+                              Specify GSS_C_NO_CREDENTIAL to use default
+                              credentials.  If GSS_C_NO_CREDENTIAL is
+                              specified, but the caller has no default
+                              credentials established, an
+                              implementation-defined default credential
+                              may be used.
+
+      input_token_buffer      buffer, opaque, read
+                              token obtained from remote application
+
+      input_chan_bindings     channel bindings, read
+                              Application-specified bindings.  Allows
+                              application to securely bind channel
+                              identification information to the security
+                              context.
+
+      src_name          gss_name_t, modify, optional
+                        Authenticated name of context initiator.
+                        After use, this name should be deallocated by
+                        passing it to gss_release_name.  If not required,
+                        specify NULL.
+
+      mech_type         Object ID, modify
+                        Security mechanism used.  The returned
+                        OID value will be a pointer into static
+                        storage, and should be treated as read-only
+                        by the caller.
+
+      output_token      buffer, opaque, modify
+                        Token to be passed to peer application. If the
+                        length field of the returned token buffer is 0,
+                        then no token need be passed to the peer
+                        application.
+
+
+
+
+Wray                                                           [Page 22]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      ret_flags         bit-mask, modify
+                        Contains six independent flags, each of
+                        which indicates that the context supports a
+                        specific service option.  Symbolic names are
+                        provided for each flag, and the symbolic names
+                        corresponding to the required flags
+                        should be logically-ANDed with the ret_flags
+                        value to test whether a given option is
+                        supported by the context.  The flags are:
+                        GSS_C_DELEG_FLAG
+                              True - Delegated credentials are available
+                                     via the delegated_cred_handle
+                                     parameter
+                              False - No credentials were delegated
+                        GSS_C_MUTUAL_FLAG
+                              True - Remote peer asked for mutual
+                                     authentication
+                              False - Remote peer did not ask for mutual
+                                      authentication
+                        GSS_C_REPLAY_FLAG
+                              True - replay of signed or sealed messages
+                                     will be detected
+                              False - replayed messages will not be
+                                      detected
+                        GSS_C_SEQUENCE_FLAG
+                              True - out-of-sequence signed or sealed
+                                     messages will be detected
+                              False - out-of-sequence messages will not
+                                      be detected
+                        GSS_C_CONF_FLAG
+                              True - Confidentiality service may be
+                                     invoked by calling seal routine
+                              False - No confidentiality service (via
+                                      seal) available. seal will
+                                      provide message encapsulation,
+                                      data-origin authentication and
+                                      integrity services only.
+                        GSS_C_INTEG_FLAG
+                              True - Integrity service may be invoked
+                                     by calling either gss_sign or
+                                     gss_seal routines.
+                              False - Per-message integrity service
+                                      unavailable.
+
+      time_rec          integer, modify, optional
+                        number of seconds for which the context
+                        will remain valid. Specify NULL if not required.
+
+
+
+
+Wray                                                           [Page 23]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      delegated_cred_handle
+                        gss_cred_id_t, modify
+                        credential handle for credentials received from
+                        context initiator.  Only valid if deleg_flag in
+                        ret_flags is true.
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
+                        application is required to complete the context,
+                        and that gss_accept_sec_context must be called
+                        again with that token.
+
+      GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks
+                        performed on the input_token failed.
+
+      GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
+                        performed on the credential failed.
+
+      GSS_S_NO_CRED The supplied credentials were not valid for
+                        context acceptance, or the credential handle
+                        did not reference any credentials.
+
+      GSS_S_CREDENTIALS_EXPIRED The referenced credentials have
+                        expired.
+
+      GSS_S_BAD_BINDINGS The input_token contains different channel
+                        bindings to those specified via the
+                        input_chan_bindings parameter.
+
+      GSS_S_NO_CONTEXT Indicates that the supplied context handle did
+                       not refer to a valid context.
+
+      GSS_S_BAD_SIG    The input_token contains an invalid signature.
+
+      GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal
+                        error during context establishment.
+
+      GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a
+                        duplicate of a token already processed.  This
+                        is a fatal error during context establishment.
+
+
+
+Wray                                                           [Page 24]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      GSS_S_FAILURE     Failure.  See minor_status for more information.
+
+3.5. gss_process_context_token
+
+      OM_uint32  gss_process_context_token (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     gss_buffer_t    token_buffer)
+
+   Purpose:
+
+   Provides a way to pass a token to the security service.  Usually,
+   tokens are associated either with context establishment (when they
+   would be passed to gss_init_sec_context or gss_accept_sec_context) or
+   with per-message security service (when they would be passed to
+   gss_verify or gss_unseal).  Occasionally, tokens may be received at
+   other times, and gss_process_context_token allows such tokens to be
+   passed to the underlying security service for processing.  At
+   present, such additional tokens may only be generated by
+   gss_delete_sec_context.  GSSAPI implementation may use this service
+   to implement deletion of the security context.
+
+   Parameters:
+
+      context_handle    gss_ctx_id_t, read
+                        context handle of context on which token is to
+                        be processed
+
+      token_buffer      buffer, opaque, read
+                        pointer to first byte of token to process
+
+      minor_status      integer, modify
+                        Implementation specific status code.
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks
+                        performed on the token failed
+
+      GSS_S_FAILURE     Failure.  See minor_status for more information
+
+      GSS_S_NO_CONTEXT The context_handle did not refer to a valid
+                       context
+
+
+
+
+Wray                                                           [Page 25]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+3.6. gss_delete_sec_context
+
+      OM_uint32  gss_delete_sec_context (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t *  context_handle,
+                     gss_buffer_t    output_token)
+
+   Purpose:
+
+   Delete a security context.  gss_delete_sec_context will delete the
+   local data structures associated with the specified security context,
+   and generate an output_token, which when passed to the peer
+   gss_process_context_token will instruct it to do likewise.  No
+   further security services may be obtained using the context specified
+   by context_handle.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      context_handle    gss_ctx_id_t, modify
+                        context handle identifying context to delete.
+
+      output_token      buffer, opaque, modify
+                        token to be sent to remote application to
+                        instruct it to also delete the context
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_FAILURE     Failure, see minor_status for more information
+
+      GSS_S_NO_CONTEXT  No valid context was supplied
+
+3.7. gss_context_time
+
+      OM_uint32  gss_context_time (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     OM_uint32 *     time_rec)
+   Purpose:
+
+   Determines the number of seconds for which the specified context will
+   remain valid.
+
+
+
+Wray                                                           [Page 26]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      Parameters:
+
+      minor_status      integer, modify
+                        Implementation specific status code.
+
+      context_handle    gss_ctx_id_t, read
+                        Identifies the context to be interrogated.
+
+      time_rec          integer, modify
+                        Number of seconds that the context will remain
+                        valid.  If the context has already expired,
+                        zero will be returned.
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_CONTEXT_EXPIRED The context has already expired
+
+      GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
+                        associated credentials have expired
+
+      GSS_S_NO_CONTEXT The context_handle parameter did not identify a
+                        valid context
+
+3.8. gss_sign
+
+      OM_uint32  gss_sign (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     int             qop_req,
+                     gss_buffer_t    message_buffer,
+                     gss_buffer_t    msg_token)
+   Purpose:
+
+   Generates a cryptographic signature for the supplied message, and
+   places the signature in a token for transfer to the peer application.
+   The qop_req parameter allows a choice between several cryptographic
+   algorithms, if supported by the chosen mechanism.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Implementation specific status code.
+
+      context_handle    gss_ctx_id_t, read
+                        identifies the context on which the message
+
+
+
+Wray                                                           [Page 27]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                        will be sent
+
+      qop_req           integer, read, optional
+                        Specifies requested quality of protection.
+                        Callers are encouraged, on portability grounds,
+                        to accept the default quality of protection
+                        offered by the chosen mechanism, which may be
+                        requested by specifying GSS_C_QOP_DEFAULT for
+                        this parameter.  If an unsupported protection
+                        strength is requested, gss_sign will return a
+                        major_status of GSS_S_FAILURE.
+
+      message_buffer    buffer, opaque, read
+                        message to be signed
+
+      msg_token         buffer, opaque, modify
+                        buffer to receive token
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_CONTEXT_EXPIRED The context has already expired
+
+      GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
+                        associated credentials have expired
+
+      GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                        valid context
+
+      GSS_S_FAILURE     Failure. See minor_status for more information.
+
+3.9. gss_verify
+
+      OM_uint32  gss_verify (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     gss_buffer_t    message_buffer,
+                     gss_buffer_t    token_buffer,
+                     int *           qop_state)
+   Purpose:
+
+   Verifies that a cryptographic signature, contained in the token
+   parameter, fits the supplied message.  The qop_state parameter allows
+   a message recipient to determine the strength of protection that was
+   applied to the message.
+
+
+
+Wray                                                           [Page 28]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      context_handle    gss_ctx_id_t, read
+                        identifies the context on which the message
+                        arrived
+
+      message_buffer    buffer, opaque, read
+                        message to be verified
+
+      token_buffer      buffer, opaque, read
+                        token associated with message
+
+      qop_state         integer, modify
+                        quality of protection gained from signature
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+      GSS_S_BAD_SIG     The signature was incorrect
+
+      GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct
+                        signature for the message, but it had already
+                        been processed
+
+      GSS_S_OLD_TOKEN   The token was valid, and contained a correct
+                        signature for the message, but it is too old
+
+      GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct
+                        signature for the message, but has been
+                        verified out of sequence; an earlier token has
+                        been signed or sealed by the remote
+                        application, but not yet been processed
+                        locally.
+
+      GSS_S_CONTEXT_EXPIRED The context has already expired
+
+      GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
+                        associated credentials have expired
+
+
+
+
+
+Wray                                                           [Page 29]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                        valid context
+
+      GSS_S_FAILURE     Failure.  See minor_status for more information.
+
+3.10. gss_seal
+
+      OM_uint32  gss_seal (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     int             conf_req_flag,
+                     int             qop_req
+                     gss_buffer_t    input_message_buffer,
+                     int *           conf_state,
+                     gss_buffer_t    output_message_buffer)
+
+   Purpose:
+
+   Cryptographically signs and optionally encrypts the specified
+   input_message.  The output_message contains both the signature and
+   the message.  The qop_req parameter allows a choice between several
+   cryptographic algorithms, if supported by the chosen mechanism.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      context_handle    gss_ctx_id_t, read
+                        identifies the context on which the message
+                        will be sent
+
+      conf_req_flag     boolean, read
+                        True - Both confidentiality and integrity
+                               services are requested
+                        False - Only integrity service is requested
+
+      qop_req           integer, read, optional
+                        Specifies required quality of protection.  A
+                        mechanism-specific default may be requested by
+                        setting qop_req to GSS_C_QOP_DEFAULT.  If an
+                        unsupported protection strength is requested,
+                        gss_seal will return a major_status of
+                        GSS_S_FAILURE.
+
+      input_message_buffer   buffer, opaque, read
+                             message to be sealed
+
+
+
+
+Wray                                                           [Page 30]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      conf_state        boolean, modify
+                        True - Confidentiality, data origin
+                               authentication and integrity services
+                               have been applied
+                        False - Integrity and data origin services only
+                                has been applied.
+
+      output_message_buffer  buffer, opaque, modify
+                             buffer to receive sealed message
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_CONTEXT_EXPIRED The context has already expired
+
+      GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
+                        associated credentials have expired
+
+      GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                        valid context
+
+      GSS_S_FAILURE     Failure.  See minor_status for more information.
+
+3.11. gss_unseal
+
+      OM_uint32  gss_unseal (
+                     OM_uint32 *     minor_status,
+                     gss_ctx_id_t    context_handle,
+                     gss_buffer_t    input_message_buffer,
+                     gss_buffer_t    output_message_buffer,
+                     int *           conf_state,
+                     int *           qop_state)
+
+   Purpose:
+
+   Converts a previously sealed message back to a usable form, verifying
+   the embedded signature.  The conf_state parameter indicates whether
+   the message was encrypted; the qop_state parameter indicates the
+   strength of protection that was used to provide the confidentiality
+   and integrity services.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+
+
+Wray                                                           [Page 31]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      context_handle    gss_ctx_id_t, read
+                        identifies the context on which the message
+                        arrived
+
+      input_message_buffer   buffer, opaque, read
+                             sealed message
+
+      output_message_buffer  buffer, opaque, modify
+                             buffer to receive unsealed message
+
+      conf_state        boolean, modify
+                        True - Confidentiality and integrity protection
+                               were used
+                        False - Inteegrity service only was used
+
+      qop_state         integer, modify
+                        quality of protection gained from signature
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+      GSS_S_BAD_SIG     The signature was incorrect
+
+      GSS_S_DUPLICATE_TOKEN The token was valid, and contained a
+                        correct signature for the message, but it had
+                        already been processed
+
+      GSS_S_OLD_TOKEN The token was valid, and contained a correct
+                        signature for the message, but it is too old
+
+      GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct
+                        signature for the message, but has been
+                        verified out of sequence; an earlier token has
+                        been signed or sealed by the remote
+                        application, but not yet been processed
+                        locally.
+
+      GSS_S_CONTEXT_EXPIRED The context has already expired
+
+      GSS_S_CREDENTIALS_EXPIRED The context is recognized, but
+                        associated credentials have expired
+
+
+
+
+
+Wray                                                           [Page 32]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                        valid context
+
+      GSS_S_FAILURE     Failure.  See minor_status for more information.
+
+3.12. gss_display_status
+
+      OM_uint32  gss_display_status (
+                     OM_uint32 *     minor_status,
+                     int             status_value,
+                     int             status_type,
+                     gss_OID         mech_type,
+                     int *           message_context,
+                     gss_buffer_t    status_string)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of a GSSAPI
+   status code, for display to the user or for logging purposes.  Since
+   some status values may indicate multiple errors, applications may
+   need to call gss_display_status multiple times, each call generating
+   a single text string.  The message_context parameter is used to
+   indicate which error message should be extracted from a given
+   status_value; message_context should be initialized to 0, and
+   gss_display_status will return a non-zero value if there are further
+   messages to extract.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      status_value      integer, read
+                        Status value to be converted
+
+      status_type       integer, read
+                        GSS_C_GSS_CODE - status_value is a GSS status
+                                         code
+                        GSS_C_MECH_CODE - status_value is a mechanism
+                                          status code
+
+      mech_type         Object ID, read, optional
+                        Underlying mechanism (used to interpret a
+                        minor status value) Supply GSS_C_NULL_OID to
+                        obtain the system default.
+
+      message_context   integer, read/modify
+                        Should be initialized to zero by caller
+
+
+
+Wray                                                           [Page 33]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                        on first call.  If further messages are
+                        contained in the status_value parameter,
+                        message_context will be non-zero on return,
+                        and this value should be passed back to
+                        subsequent calls, along with the same
+                        status_value, status_type and mech_type
+                        parameters.
+
+      status_string     buffer, character string, modify
+                        textual interpretation of the status_value
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_MECH    Indicates that translation in accordance with
+                        an unsupported mechanism type was requested
+
+      GSS_S_BAD_STATUS The status value was not recognized, or the
+                        status type was neither GSS_C_GSS_CODE nor
+                        GSS_C_MECH_CODE.
+
+
+3.13. gss_indicate_mechs
+
+      OM_uint32  gss_indicate_mechs (
+                     OM_uint32 *     minor_status,
+                     gss_OID_set *   mech_set)
+
+   Purpose:
+
+         Allows an application to determine which underlying security
+         mechanisms are available.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      mech_set          set of Object IDs, modify
+                        set of implementation-supported mechanisms.
+                        The returned gss_OID_set value will be a
+                        pointer into static storage, and should be
+                        treated as read-only by the caller.
+
+
+
+
+
+Wray                                                           [Page 34]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+3.14. gss_compare_name
+
+      OM_uint32  gss_compare_name (
+                     OM_uint32 *     minor_status,
+                     gss_name_t      name1,
+                     gss_name_t      name2,
+                     int *           name_equal)
+
+   Purpose:
+
+   Allows an application to compare two internal-form names to determine
+   whether they refer to the same entity.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      name1             gss_name_t, read
+                        internal-form  name
+
+      name2             gss_name_t, read
+                        internal-form  name
+
+      name_equal        boolean, modify
+                        True - names refer to same entity
+                        False - names refer to different entities
+                                (strictly, the names are not known to
+                                refer to the same identity).
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_NAMETYPE The type contained within either name1 or
+                        name2 was unrecognized, or the names were of
+                        incomparable types.
+
+      GSS_S_BAD_NAME    One or both of name1 or name2 was ill-formed
+
+
+
+
+
+Wray                                                           [Page 35]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+3.15. gss_display_name
+
+      OM_uint32  gss_display_name (
+                     OM_uint32 *     minor_status,
+                     gss_name_t      input_name,
+                     gss_buffer_t    output_name_buffer,
+                     gss_OID *       output_name_type)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of an opaque
+   internal-form  name for display purposes.  The syntax of a printable
+   name is defined by the GSSAPI implementation.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code.
+
+      input_name        gss_name_t, read
+                        name to be displayed
+
+      output_name_buffer   buffer, character-string, modify
+                           buffer to receive textual name string
+
+      output_name_type  Object ID, modify
+                        The type of the returned name.  The returned
+                        gss_OID will be a pointer into static storage,
+                        and should be treated as read-only by the caller
+
+   Function value:
+
+      GSS status code:
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_NAMETYPE The type of input_name was not recognized
+
+      GSS_S_BAD_NAME    input_name was ill-formed
+
+3.16. gss_import_name
+
+      OM_uint32 gss_import_name (
+                    OM_uint32 *     minor_status,
+                    gss_buffer_t    input_name_buffer,
+                    gss_OID         input_name_type,
+                    gss_name_t *    output_name)
+
+
+
+
+Wray                                                           [Page 36]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   Purpose:
+
+   Convert a printable name to internal form.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code
+
+      input_name_buffer    buffer, character-string, read
+                           buffer containing printable name to convert
+
+      input_name_type   Object ID, read, optional
+                        Object Id specifying type of printable
+                        name.  Applications may specify either
+                        GSS_C_NULL_OID to use a local system-specific
+                        printable syntax, or an OID registered by the
+                        GSSAPI implementation to name a particular
+                        namespace.
+
+      output_name       gss_name_t, modify
+                        returned name in internal form
+
+   Function value:
+
+      GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_NAMETYPE The input_name_type was unrecognized
+
+      GSS_S_BAD_NAME    The input_name parameter could not be
+                        interpreted as a name of the specified type
+
+3.17. gss_release_name
+
+      OM_uint32 gss_release_name (
+                    OM_uint32 *     minor_status,
+                    gss_name_t *    name)
+
+   Purpose:
+
+   Free GSSAPI-allocated storage associated with an internal form name.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code
+
+
+
+Wray                                                           [Page 37]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+      name              gss_name_t, modify
+                        The name to be deleted
+
+   Function value:
+
+      GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_BAD_NAME    The name parameter did not contain a valid name
+
+3.18. gss_release_buffer
+
+      OM_uint32 gss_release_buffer (
+                    OM_uint32 *     minor_status,
+                    gss_buffer_t    buffer)
+
+   Purpose:
+
+   Free storage associated with a buffer format name.  The storage must
+   have been allocated by a GSSAPI routine.  In addition to freeing the
+   associated storage, the routine will zero the length field in the
+   buffer parameter.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code
+
+      buffer            buffer, modify
+                        The storage associated with the buffer will be
+                        deleted.  The gss_buffer_desc object will not
+                        be freed, but its length field will be zeroed.
+
+   Function value:
+
+      GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+3.19. gss_release_oid_set
+
+      OM_uint32 gss_release_oid_set (
+                    OM_uint32 *     minor_status,
+                    gss_OID_set *   set)
+
+   Purpose:
+
+
+
+
+Wray                                                           [Page 38]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   Free storage associated with a gss_OID_set object.  The storage must
+   have been allocated by a GSSAPI routine.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code
+
+      set               Set of Object IDs, modify
+                        The storage associated with the gss_OID_set
+                        will be deleted.
+
+   Function value:
+
+      GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+3.20. gss_inquire_cred
+
+      OM_uint32 gss_inquire_cred (
+                    OM_uint32  *    minor_status,
+                    gss_cred_id_t   cred_handle,
+                    gss_name_t *    name,
+                    OM_uint32 *     lifetime,
+                    int *           cred_usage,
+                    gss_OID_set *   mechanisms )
+
+   Purpose:
+
+   Obtains information about a credential.  The caller must already have
+   obtained a handle that refers to the credential.
+
+   Parameters:
+
+      minor_status      integer, modify
+                        Mechanism specific status code
+
+      cred_handle       gss_cred_id_t, read
+                        A handle that refers to the target credential.
+                        Specify GSS_C_NO_CREDENTIAL to inquire about
+                        the default credential.
+
+      name              gss_name_t, modify
+                        The name whose identity the credential asserts.
+                        Specify NULL if not required.
+
+      lifetime          Integer, modify
+
+
+
+Wray                                                           [Page 39]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+                        The number of seconds for which the credential
+                        will remain valid.  If the credential has
+                        expired, this parameter will be set to zero.
+                        If the implementation does not support
+                        credential expiration, the value
+                        GSS_C_INDEFINITE will be returned.  Specify
+                        NULL if not required.
+
+      cred_usage        Integer, modify
+                        How the credential may be used.  One of the
+                        following:
+                           GSS_C_INITIATE
+                           GSS_C_ACCEPT
+                           GSS_C_BOTH
+                        Specify NULL if not required.
+
+      mechanisms        gss_OID_set, modify
+                        Set of mechanisms supported by the credential.
+                        Specify NULL if not required.
+
+   Function value:
+
+      GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+      GSS_S_NO_CRED     The referenced credentials could not be
+                        accessed.
+
+      GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were
+                        invalid.
+
+      GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
+                        If the lifetime parameter was not passed as
+                        NULL, it will be set to 0.
+
+
+  #ifndef GSSAPI_H_
+  #define GSSAPI_H_
+
+  /*
+   * First, define the platform-dependent types.
+   */
+  typedef <platform-specific> OM_uint32;
+  typedef <platform-specific> gss_ctx_id_t;
+  typedef <platform-specific> gss_cred_id_t;
+  typedef <platform-specific> gss_name_t;
+
+
+
+
+Wray                                                           [Page 40]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  /*
+   * Note that a platform supporting the xom.h X/Open header file
+   * may make use of that header for the definitions of OM_uint32
+   * and the structure to which gss_OID_desc equates.
+   */
+
+  typedef struct gss_OID_desc_struct {
+        OM_uint32 length;
+        void      *elements;
+  } gss_OID_desc, *gss_OID;
+
+  typedef struct gss_OID_set_desc_struct  {
+        int     count;
+        gss_OID elements;
+  } gss_OID_set_desc, *gss_OID_set;
+
+  typedef struct gss_buffer_desc_struct {
+        size_t length;
+        void *value;
+  } gss_buffer_desc, *gss_buffer_t;
+
+  typedef struct gss_channel_bindings_struct {
+        OM_uint32 initiator_addrtype;
+        gss_buffer_desc initiator_address;
+        OM_uint32 acceptor_addrtype;
+        gss_buffer_desc acceptor_address;
+        gss_buffer_desc application_data;
+  } *gss_channel_bindings_t;
+
+
+  /*
+   * Six independent flags each of which indicates that a context
+   * supports a specific service option.
+   */
+  #define GSS_C_DELEG_FLAG 1
+  #define GSS_C_MUTUAL_FLAG 2
+  #define GSS_C_REPLAY_FLAG 4
+  #define GSS_C_SEQUENCE_FLAG 8
+  #define GSS_C_CONF_FLAG 16
+  #define GSS_C_INTEG_FLAG 32
+
+
+  /*
+   * Credential usage options
+   */
+  #define GSS_C_BOTH 0
+  #define GSS_C_INITIATE 1
+  #define GSS_C_ACCEPT 2
+
+
+
+Wray                                                           [Page 41]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  /*
+   * Status code types for gss_display_status
+   */
+  #define GSS_C_GSS_CODE 1
+  #define GSS_C_MECH_CODE 2
+
+  /*
+   * The constant definitions for channel-bindings address families
+   */
+  #define GSS_C_AF_UNSPEC     0;
+  #define GSS_C_AF_LOCAL      1;
+  #define GSS_C_AF_INET       2;
+  #define GSS_C_AF_IMPLINK    3;
+  #define GSS_C_AF_PUP        4;
+  #define GSS_C_AF_CHAOS      5;
+  #define GSS_C_AF_NS         6;
+  #define GSS_C_AF_NBS        7;
+  #define GSS_C_AF_ECMA       8;
+  #define GSS_C_AF_DATAKIT    9;
+  #define GSS_C_AF_CCITT      10;
+  #define GSS_C_AF_SNA        11;
+  #define GSS_C_AF_DECnet     12;
+  #define GSS_C_AF_DLI        13;
+  #define GSS_C_AF_LAT        14;
+  #define GSS_C_AF_HYLINK     15;
+  #define GSS_C_AF_APPLETALK  16;
+  #define GSS_C_AF_BSC        17;
+  #define GSS_C_AF_DSS        18;
+  #define GSS_C_AF_OSI        19;
+  #define GSS_C_AF_X25        21;
+
+  #define GSS_C_AF_NULLADDR   255;
+
+  #define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
+  #define GSS_C_NULL_OID ((gss_OID) 0)
+  #define GSS_C_NULL_OID_SET ((gss_OID_set) 0)
+  #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
+  #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
+  #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
+  #define GSS_C_EMPTY_BUFFER {0, NULL}
+
+  /*
+   * Define the default Quality of Protection for per-message
+   * services.  Note that an implementation that offers multiple
+   * levels of QOP may either reserve a value (for example zero,
+   * as assumed here) to mean "default protection", or alternatively
+   * may simply equate GSS_C_QOP_DEFAULT to a specific explicit QOP
+   * value.
+
+
+
+Wray                                                           [Page 42]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+   */
+  #define GSS_C_QOP_DEFAULT 0
+
+  /*
+   * Expiration time of 2^32-1 seconds means infinite lifetime for a
+   * credential or security context
+   */
+  #define GSS_C_INDEFINITE 0xfffffffful
+
+
+  /* Major status codes */
+
+  #define GSS_S_COMPLETE 0
+
+  /*
+   * Some "helper" definitions to make the status code macros obvious.
+   */
+  #define GSS_C_CALLING_ERROR_OFFSET 24
+  #define GSS_C_ROUTINE_ERROR_OFFSET 16
+  #define GSS_C_SUPPLEMENTARY_OFFSET 0
+  #define GSS_C_CALLING_ERROR_MASK 0377ul
+  #define GSS_C_ROUTINE_ERROR_MASK 0377ul
+  #define GSS_C_SUPPLEMENTARY_MASK 0177777ul
+
+  /*
+   * The macros that test status codes for error conditions
+   */
+  #define GSS_CALLING_ERROR(x) \
+    (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
+  #define GSS_ROUTINE_ERROR(x) \
+    (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
+  #define GSS_SUPPLEMENTARY_INFO(x) \
+    (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
+  #define GSS_ERROR(x) \
+    ((GSS_CALLING_ERROR(x) != 0) || (GSS_ROUTINE_ERROR(x) != 0))
+
+
+  /*
+   * Now the actual status code definitions
+   */
+
+  /*
+   * Calling errors:
+   */
+  #define GSS_S_CALL_INACCESSIBLE_READ \
+                               (1ul << GSS_C_CALLING_ERROR_OFFSET)
+  #define GSS_S_CALL_INACCESSIBLE_WRITE \
+                               (2ul << GSS_C_CALLING_ERROR_OFFSET)
+
+
+
+Wray                                                           [Page 43]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  #define GSS_S_CALL_BAD_STRUCTURE \
+                               (3ul << GSS_C_CALLING_ERROR_OFFSET)
+
+  /*
+   * Routine errors:
+   */
+  #define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
+  #define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+  /*
+   * Supplementary info bits:
+   */
+  #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+  #define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+  #define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+  #define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+
+
+  /*
+   * Finally, function prototypes for the GSSAPI routines.
+   */
+
+  OM_uint32 gss_acquire_cred
+             (OM_uint32*,       /* minor_status */
+              gss_name_t,       /* desired_name */
+              OM_uint32,        /* time_req */
+              gss_OID_set,      /* desired_mechs */
+              int,              /* cred_usage */
+              gss_cred_id_t*,   /* output_cred_handle */
+              gss_OID_set*,     /* actual_mechs */
+              OM_uint32*        /* time_rec */
+             );
+
+  OM_uint32 gss_release_cred,
+             (OM_uint32*,       /* minor_status */
+              gss_cred_id_t*    /* cred_handle */
+             );
+
+
+
+Wray                                                           [Page 44]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  OM_uint32 gss_init_sec_context
+             (OM_uint32*,       /* minor_status */
+              gss_cred_id_t,    /* claimant_cred_handle */
+              gss_ctx_id_t*,    /* context_handle */
+              gss_name_t,       /* target_name */
+              gss_OID,          /* mech_type */
+              int,              /* req_flags */
+              OM_uint32,        /* time_req */
+              gss_channel_bindings_t,
+                                /* input_chan_bindings */
+              gss_buffer_t,     /* input_token */
+              gss_OID*,         /* actual_mech_type */
+              gss_buffer_t,     /* output_token */
+              int*,             /* ret_flags */
+              OM_uint32*        /* time_rec */
+             );
+
+  OM_uint32 gss_accept_sec_context
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t*,    /* context_handle */
+              gss_cred_id_t,    /* verifier_cred_handle */
+              gss_buffer_t,     /* input_token_buffer */
+              gss_channel_bindings_t,
+                                /* input_chan_bindings */
+              gss_name_t*,      /* src_name */
+              gss_OID*,         /* mech_type */
+              gss_buffer_t,     /* output_token */
+              int*,             /* ret_flags */
+              OM_uint32*,       /* time_rec */
+              gss_cred_id_t*    /* delegated_cred_handle */
+             );
+
+  OM_uint32 gss_process_context_token
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              gss_buffer_t      /* token_buffer */
+             );
+
+  OM_uint32 gss_delete_sec_context
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t*,    /* context_handle */
+              gss_buffer_t      /* output_token */
+             );
+
+
+
+
+
+
+
+
+Wray                                                           [Page 45]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  OM_uint32 gss_context_time
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              OM_uint32*        /* time_rec */
+             );
+
+  OM_uint32 gss_sign
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              int,              /* qop_req */
+              gss_buffer_t,     /* message_buffer */
+              gss_buffer_t      /* message_token */
+             );
+
+  OM_uitn32 gss_verify
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              gss_buffer_t,     /* message_buffer */
+              gss_buffer_t,     /* token_buffer */
+              int*              /* qop_state */
+             );
+
+  OM_uint32 gss_seal
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              int,              /* conf_req_flag */
+              int,              /* qop_req */
+              gss_buffer_t,     /* input_message_buffer */
+              int*,             /* conf_state */
+              gss_buffer_t      /* output_message_buffer */
+             );
+
+  OM_uint32 gss_unseal
+             (OM_uint32*,       /* minor_status */
+              gss_ctx_id_t,     /* context_handle */
+              gss_buffer_t,     /* input_message_buffer */
+              gss_buffer_t,     /* output_message_buffer */
+              int*,             /* conf_state */
+              int*              /* qop_state */
+             );
+
+
+
+
+
+
+
+
+
+
+
+Wray                                                           [Page 46]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+  OM_uint32 gss_display_status
+             (OM_uint32*,       /* minor_status */
+              OM_uint32,        /* status_value */
+              int,              /* status_type */
+              gss_OID,          /* mech_type */
+              int*,             /* message_context */
+              gss_buffer_t      /* status_string */
+             );
+
+  OM_uint32 gss_indicate_mechs
+             (OM_uint32*,       /* minor_status */
+              gss_OID_set*      /* mech_set */
+             );
+
+  OM_uint32 gss_compare_name
+             (OM_uint32*,       /* minor_status */
+              gss_name_t,       /* name1 */
+              gss_name_t,       /* name2 */
+              int*              /* name_equal */
+             );
+
+  OM_uint32 gss_display_name,
+             (OM_uint32*,      /* minor_status */
+              gss_name_t,      /* input_name */
+              gss_buffer_t,     /* output_name_buffer */
+              gss_OID*         /* output_name_type */
+             );
+
+  OM_uint32 gss_import_name
+             (OM_uint32*,       /* minor_status */
+              gss_buffer_t,     /* input_name_buffer */
+              gss_OID,          /* input_name_type */
+              gss_name_t*       /* output_name */
+             );
+
+  OM_uint32 gss_release_name
+             (OM_uint32*,       /* minor_status */
+              gss_name_t*       /* input_name */
+             );
+
+  OM_uint32 gss_release_buffer
+             (OM_uint32*,       /* minor_status */
+              gss_buffer_t      /* buffer */
+             );
+
+  OM_uint32 gss_release_oid_set
+             (OM_uint32*,       /* minor_status */
+              gss_OID_set*      /* set */
+
+
+
+Wray                                                           [Page 47]
+
+RFC 1509            GSSAPI - Overview and C bindings      September 1993
+
+
+             );
+
+  OM_uint32 gss_inquire_cred
+             (OM_uint32 *,      /* minor_status */
+              gss_cred_id_t,    /* cred_handle */
+              gss_name_t *,     /* name */
+              OM_uint32 *,      /* lifetime */
+              int *,            /* cred_usage */
+              gss_OID_set *     /* mechanisms */
+             );
+
+
+
+  #endif /* GSSAPI_H_ */
+
+References
+
+   [1] Linn, J., "Generic Security Service Application Program
+       Interface", RFC 1508, Geer Zolot Associate, September 1993.
+
+   [2] "OSI Object Management API Specification, Version 2.0 t", X.400
+       API Association & X/Open Company Limited, August 24, 1990.
+       Specification of datatypes and routines for manipulating
+       information objects.
+
+Security Considerations
+
+   Security issues are discussed throughout this memo.
+
+Author's Address
+
+   John Wray
+   Digital Equipment Corporation
+   550 King Street, LKG2-2/AA6
+   Littleton, MA  01460
+   USA
+
+   Phone: +1-508-486-5210
+   EMail: Wray@tuxedo.enet.dec.com
+
+
+
+
+
+
+
+
+
+
+
+
+Wray                                                           [Page 48]
+
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/rfc1510.txt b/crypto/heimdal/doc/standardisation/rfc1510.txt
new file mode 100644
index 0000000..bc810cc
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1510.txt
@@ -0,0 +1,6275 @@
+
+
+
+
+
+
+Network Working Group                                            J. Kohl
+Request for Comments: 1510                 Digital Equipment Corporation
+                                                               C. Neuman
+                                                                     ISI
+                                                          September 1993
+
+
+            The Kerberos Network Authentication Service (V5)
+
+Status of this Memo
+
+   This RFC specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" for the standardization state and status
+   of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   This document gives an overview and specification of Version 5 of the
+   protocol for the Kerberos network authentication system. Version 4,
+   described elsewhere [1,2], is presently in production use at MIT's
+   Project Athena, and at other Internet sites.
+
+Overview
+
+   Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos,
+   Moira, and Zephyr are trademarks of the Massachusetts Institute of
+   Technology (MIT).  No commercial use of these trademarks may be made
+   without prior written permission of MIT.
+
+   This RFC describes the concepts and model upon which the Kerberos
+   network authentication system is based. It also specifies Version 5
+   of the Kerberos protocol.
+
+   The motivations, goals, assumptions, and rationale behind most design
+   decisions are treated cursorily; for Version 4 they are fully
+   described in the Kerberos portion of the Athena Technical Plan [1].
+   The protocols are under review, and are not being submitted for
+   consideration as an Internet standard at this time.  Comments are
+   encouraged.  Requests for addition to an electronic mailing list for
+   discussion of Kerberos, kerberos@MIT.EDU, may be addressed to
+   kerberos-request@MIT.EDU.  This mailing list is gatewayed onto the
+   Usenet as the group comp.protocols.kerberos.  Requests for further
+   information, including documents and code availability, may be sent
+   to info-kerberos@MIT.EDU.
+
+
+
+
+
+Kohl & Neuman                                                   [Page 1]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+Background
+
+   The Kerberos model is based in part on Needham and Schroeder's
+   trusted third-party authentication protocol [3] and on modifications
+   suggested by Denning and Sacco [4].  The original design and
+   implementation of Kerberos Versions 1 through 4 was the work of two
+   former Project Athena staff members, Steve Miller of Digital
+   Equipment Corporation and Clifford Neuman (now at the Information
+   Sciences Institute of the University of Southern California), along
+   with Jerome Saltzer, Technical Director of Project Athena, and
+   Jeffrey Schiller, MIT Campus Network Manager.  Many other members of
+   Project Athena have also contributed to the work on Kerberos.
+   Version 4 is publicly available, and has seen wide use across the
+   Internet.
+
+   Version 5 (described in this document) has evolved from Version 4
+   based on new requirements and desires for features not available in
+   Version 4.  Details on the differences between Kerberos Versions 4
+   and 5 can be found in [5].
+
+Table of Contents
+
+   1. Introduction .......................................    5
+   1.1. Cross-Realm Operation ............................    7
+   1.2. Environmental assumptions ........................    8
+   1.3. Glossary of terms ................................    9
+   2. Ticket flag uses and requests ......................   12
+   2.1. Initial and pre-authenticated tickets ............   12
+   2.2. Invalid tickets ..................................   12
+   2.3. Renewable tickets ................................   12
+   2.4. Postdated tickets ................................   13
+   2.5. Proxiable and proxy tickets ......................   14
+   2.6. Forwardable tickets ..............................   15
+   2.7. Other KDC options ................................   15
+   3. Message Exchanges ..................................   16
+   3.1. The Authentication Service Exchange ..............   16
+   3.1.1. Generation of KRB_AS_REQ message ...............   17
+   3.1.2. Receipt of KRB_AS_REQ message ..................   17
+   3.1.3. Generation of KRB_AS_REP message ...............   17
+   3.1.4. Generation of KRB_ERROR message ................   19
+   3.1.5. Receipt of KRB_AS_REP message ..................   19
+   3.1.6. Receipt of KRB_ERROR message ...................   20
+   3.2. The Client/Server Authentication Exchange ........   20
+   3.2.1. The KRB_AP_REQ message .........................   20
+   3.2.2. Generation of a KRB_AP_REQ message .............   20
+   3.2.3. Receipt of KRB_AP_REQ message ..................   21
+   3.2.4. Generation of a KRB_AP_REP message .............   23
+   3.2.5. Receipt of KRB_AP_REP message ..................   23
+
+
+
+Kohl & Neuman                                                   [Page 2]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   3.2.6. Using the encryption key .......................   24
+   3.3. The Ticket-Granting Service (TGS) Exchange .......   24
+   3.3.1. Generation of KRB_TGS_REQ message ..............   25
+   3.3.2. Receipt of KRB_TGS_REQ message .................   26
+   3.3.3. Generation of KRB_TGS_REP message ..............   27
+   3.3.3.1. Encoding the transited field .................   29
+   3.3.4. Receipt of KRB_TGS_REP message .................   31
+   3.4. The KRB_SAFE Exchange ............................   31
+   3.4.1. Generation of a KRB_SAFE message ...............   31
+   3.4.2. Receipt of KRB_SAFE message ....................   32
+   3.5. The KRB_PRIV Exchange ............................   33
+   3.5.1. Generation of a KRB_PRIV message ...............   33
+   3.5.2. Receipt of KRB_PRIV message ....................   33
+   3.6. The KRB_CRED Exchange ............................   34
+   3.6.1. Generation of a KRB_CRED message ...............   34
+   3.6.2. Receipt of KRB_CRED message ....................   34
+   4. The Kerberos Database ..............................   35
+   4.1. Database contents ................................   35
+   4.2. Additional fields ................................   36
+   4.3. Frequently Changing Fields .......................   37
+   4.4. Site Constants ...................................   37
+   5. Message Specifications .............................   38
+   5.1. ASN.1 Distinguished Encoding Representation ......   38
+   5.2. ASN.1 Base Definitions ...........................   38
+   5.3. Tickets and Authenticators .......................   42
+   5.3.1. Tickets ........................................   42
+   5.3.2. Authenticators .................................   47
+   5.4. Specifications for the AS and TGS exchanges ......   49
+   5.4.1. KRB_KDC_REQ definition .........................   49
+   5.4.2. KRB_KDC_REP definition .........................   56
+   5.5. Client/Server (CS) message specifications ........   58
+   5.5.1. KRB_AP_REQ definition ..........................   58
+   5.5.2. KRB_AP_REP definition ..........................   60
+   5.5.3. Error message reply ............................   61
+   5.6. KRB_SAFE message specification ...................   61
+   5.6.1. KRB_SAFE definition ............................   61
+   5.7. KRB_PRIV message specification ...................   62
+   5.7.1. KRB_PRIV definition ............................   62
+   5.8. KRB_CRED message specification ...................   63
+   5.8.1. KRB_CRED definition ............................   63
+   5.9. Error message specification ......................   65
+   5.9.1. KRB_ERROR definition ...........................   66
+   6. Encryption and Checksum Specifications .............   67
+   6.1. Encryption Specifications ........................   68
+   6.2. Encryption Keys ..................................   71
+   6.3. Encryption Systems ...............................   71
+   6.3.1. The NULL Encryption System (null) ..............   71
+   6.3.2. DES in CBC mode with a CRC-32 checksum (descbc-crc)71
+
+
+
+Kohl & Neuman                                                   [Page 3]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   6.3.3. DES in CBC mode with an MD4 checksum (descbc-md4)  72
+   6.3.4. DES in CBC mode with an MD5 checksum (descbc-md5)  72
+   6.4. Checksums ........................................   74
+   6.4.1. The CRC-32 Checksum (crc32) ....................   74
+   6.4.2. The RSA MD4 Checksum (rsa-md4) .................   75
+   6.4.3. RSA MD4 Cryptographic Checksum Using DES
+   (rsa-md4-des) .........................................   75
+   6.4.4. The RSA MD5 Checksum (rsa-md5) .................   76
+   6.4.5. RSA MD5 Cryptographic Checksum Using DES
+   (rsa-md5-des) .........................................   76
+   6.4.6. DES cipher-block chained checksum (des-mac)
+   6.4.7. RSA MD4 Cryptographic Checksum Using DES
+   alternative (rsa-md4-des-k) ...........................   77
+   6.4.8. DES cipher-block chained checksum alternative
+   (des-mac-k) ...........................................   77
+   7. Naming Constraints .................................   78
+   7.1. Realm Names ......................................   77
+   7.2. Principal Names ..................................   79
+   7.2.1. Name of server principals ......................   80
+   8. Constants and other defined values .................   80
+   8.1. Host address types ...............................   80
+   8.2. KDC messages .....................................   81
+   8.2.1. IP transport ...................................   81
+   8.2.2. OSI transport ..................................   82
+   8.2.3. Name of the TGS ................................   82
+   8.3. Protocol constants and associated values .........   82
+   9. Interoperability requirements ......................   86
+   9.1. Specification 1 ..................................   86
+   9.2. Recommended KDC values ...........................   88
+   10. Acknowledgments ...................................   88
+   11. References ........................................   89
+   12. Security Considerations ...........................   90
+   13. Authors' Addresses ................................   90
+   A. Pseudo-code for protocol processing ................   91
+   A.1. KRB_AS_REQ generation ............................   91
+   A.2. KRB_AS_REQ verification and KRB_AS_REP generation    92
+   A.3. KRB_AS_REP verification ..........................   95
+   A.4. KRB_AS_REP and KRB_TGS_REP common checks .........   96
+   A.5. KRB_TGS_REQ generation ...........................   97
+   A.6. KRB_TGS_REQ verification and KRB_TGS_REP generation  98
+   A.7. KRB_TGS_REP verification .........................  104
+   A.8. Authenticator generation .........................  104
+   A.9. KRB_AP_REQ generation ............................  105
+   A.10. KRB_AP_REQ verification .........................  105
+   A.11. KRB_AP_REP generation ...........................  106
+   A.12. KRB_AP_REP verification .........................  107
+   A.13. KRB_SAFE generation .............................  107
+   A.14. KRB_SAFE verification ...........................  108
+
+
+
+Kohl & Neuman                                                   [Page 4]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   A.15. KRB_SAFE and KRB_PRIV common checks .............  108
+   A.16. KRB_PRIV generation .............................  109
+   A.17. KRB_PRIV verification ...........................  110
+   A.18. KRB_CRED generation .............................  110
+   A.19. KRB_CRED verification ...........................  111
+   A.20. KRB_ERROR generation ............................  112
+
+1.  Introduction
+
+   Kerberos provides a means of verifying the identities of principals,
+   (e.g., a workstation user or a network server) on an open
+   (unprotected) network.  This is accomplished without relying on
+   authentication by the host operating system, without basing trust on
+   host addresses, without requiring physical security of all the hosts
+   on the network, and under the assumption that packets traveling along
+   the network can be read, modified, and inserted at will. (Note,
+   however, that many applications use Kerberos' functions only upon the
+   initiation of a stream-based network connection, and assume the
+   absence of any "hijackers" who might subvert such a connection.  Such
+   use implicitly trusts the host addresses involved.)  Kerberos
+   performs authentication under these conditions as a trusted third-
+   party authentication service by using conventional cryptography,
+   i.e., shared secret key.  (shared secret key - Secret and private are
+   often used interchangeably in the literature.  In our usage, it takes
+   two (or more) to share a secret, thus a shared DES key is a secret
+   key.  Something is only private when no one but its owner knows it.
+   Thus, in public key cryptosystems, one has a public and a private
+   key.)
+
+   The authentication process proceeds as follows: A client sends a
+   request to the authentication server (AS) requesting "credentials"
+   for a given server.  The AS responds with these credentials,
+   encrypted in the client's key.  The credentials consist of 1) a
+   "ticket" for the server and 2) a temporary encryption key (often
+   called a "session key").  The client transmits the ticket (which
+   contains the client's identity and a copy of the session key, all
+   encrypted in the server's key) to the server.  The session key (now
+   shared by the client and server) is used to authenticate the client,
+   and may optionally be used to authenticate the server.  It may also
+   be used to encrypt further communication between the two parties or
+   to exchange a separate sub-session key to be used to encrypt further
+   communication.
+
+   The implementation consists of one or more authentication servers
+   running on physically secure hosts.  The authentication servers
+   maintain a database of principals (i.e., users and servers) and their
+   secret keys. Code libraries provide encryption and implement the
+   Kerberos protocol.  In order to add authentication to its
+
+
+
+Kohl & Neuman                                                   [Page 5]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   transactions, a typical network application adds one or two calls to
+   the Kerberos library, which results in the transmission of the
+   necessary messages to achieve authentication.
+
+   The Kerberos protocol consists of several sub-protocols (or
+   exchanges).  There are two methods by which a client can ask a
+   Kerberos server for credentials.  In the first approach, the client
+   sends a cleartext request for a ticket for the desired server to the
+   AS. The reply is sent encrypted in the client's secret key. Usually
+   this request is for a ticket-granting ticket (TGT) which can later be
+   used with the ticket-granting server (TGS).  In the second method,
+   the client sends a request to the TGS.  The client sends the TGT to
+   the TGS in the same manner as if it were contacting any other
+   application server which requires Kerberos credentials.  The reply is
+   encrypted in the session key from the TGT.
+
+   Once obtained, credentials may be used to verify the identity of the
+   principals in a transaction, to ensure the integrity of messages
+   exchanged between them, or to preserve privacy of the messages.  The
+   application is free to choose whatever protection may be necessary.
+
+   To verify the identities of the principals in a transaction, the
+   client transmits the ticket to the server.  Since the ticket is sent
+   "in the clear" (parts of it are encrypted, but this encryption
+   doesn't thwart replay) and might be intercepted and reused by an
+   attacker, additional information is sent to prove that the message
+   was originated by the principal to whom the ticket was issued.  This
+   information (called the authenticator) is encrypted in the session
+   key, and includes a timestamp.  The timestamp proves that the message
+   was recently generated and is not a replay.  Encrypting the
+   authenticator in the session key proves that it was generated by a
+   party possessing the session key.  Since no one except the requesting
+   principal and the server know the session key (it is never sent over
+   the network in the clear) this guarantees the identity of the client.
+
+   The integrity of the messages exchanged between principals can also
+   be guaranteed using the session key (passed in the ticket and
+   contained in the credentials).  This approach provides detection of
+   both replay attacks and message stream modification attacks.  It is
+   accomplished by generating and transmitting a collision-proof
+   checksum (elsewhere called a hash or digest function) of the client's
+   message, keyed with the session key.  Privacy and integrity of the
+   messages exchanged between principals can be secured by encrypting
+   the data to be passed using the session key passed in the ticket, and
+   contained in the credentials.
+
+   The authentication exchanges mentioned above require read-only access
+   to the Kerberos database.  Sometimes, however, the entries in the
+
+
+
+Kohl & Neuman                                                   [Page 6]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   database must be modified, such as when adding new principals or
+   changing a principal's key.  This is done using a protocol between a
+   client and a third Kerberos server, the Kerberos Administration
+   Server (KADM).  The administration protocol is not described in this
+   document. There is also a protocol for maintaining multiple copies of
+   the Kerberos database, but this can be considered an implementation
+   detail and may vary to support different database technologies.
+
+1.1.  Cross-Realm Operation
+
+   The Kerberos protocol is designed to operate across organizational
+   boundaries.  A client in one organization can be authenticated to a
+   server in another.  Each organization wishing to run a Kerberos
+   server establishes its own "realm".  The name of the realm in which a
+   client is registered is part of the client's name, and can be used by
+   the end-service to decide whether to honor a request.
+
+   By establishing "inter-realm" keys, the administrators of two realms
+   can allow a client authenticated in the local realm to use its
+   authentication remotely (Of course, with appropriate permission the
+   client could arrange registration of a separately-named principal in
+   a remote realm, and engage in normal exchanges with that realm's
+   services. However, for even small numbers of clients this becomes
+   cumbersome, and more automatic methods as described here are
+   necessary).  The exchange of inter-realm keys (a separate key may be
+   used for each direction) registers the ticket-granting service of
+   each realm as a principal in the other realm.  A client is then able
+   to obtain a ticket-granting ticket for the remote realm's ticket-
+   granting service from its local realm. When that ticket-granting
+   ticket is used, the remote ticket-granting service uses the inter-
+   realm key (which usually differs from its own normal TGS key) to
+   decrypt the ticket-granting ticket, and is thus certain that it was
+   issued by the client's own TGS. Tickets issued by the remote ticket-
+   granting service will indicate to the end-service that the client was
+   authenticated from another realm.
+
+   A realm is said to communicate with another realm if the two realms
+   share an inter-realm key, or if the local realm shares an inter-realm
+   key with an intermediate realm that communicates with the remote
+   realm.  An authentication path is the sequence of intermediate realms
+   that are transited in communicating from one realm to another.
+
+   Realms are typically organized hierarchically. Each realm shares a
+   key with its parent and a different key with each child.  If an
+   inter-realm key is not directly shared by two realms, the
+   hierarchical organization allows an authentication path to be easily
+   constructed.  If a hierarchical organization is not used, it may be
+   necessary to consult some database in order to construct an
+
+
+
+Kohl & Neuman                                                   [Page 7]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   authentication path between realms.
+
+   Although realms are typically hierarchical, intermediate realms may
+   be bypassed to achieve cross-realm authentication through alternate
+   authentication paths (these might be established to make
+   communication between two realms more efficient).  It is important
+   for the end-service to know which realms were transited when deciding
+   how much faith to place in the authentication process. To facilitate
+   this decision, a field in each ticket contains the names of the
+   realms that were involved in authenticating the client.
+
+1.2.  Environmental assumptions
+
+   Kerberos imposes a few assumptions on the environment in which it can
+   properly function:
+
+   +    "Denial of service" attacks are not solved with Kerberos.  There
+        are places in these protocols where an intruder intruder can
+        prevent an application from participating in the proper
+        authentication steps.  Detection and solution of such attacks
+        (some of which can appear to be not-uncommon "normal" failure
+        modes for the system) is usually best left to the human
+        administrators and users.
+
+   +    Principals must keep their secret keys secret.  If an intruder
+        somehow steals a principal's key, it will be able to masquerade
+        as that principal or impersonate any server to the legitimate
+        principal.
+
+   +    "Password guessing" attacks are not solved by Kerberos.  If a
+        user chooses a poor password, it is possible for an attacker to
+        successfully mount an offline dictionary attack by repeatedly
+        attempting to decrypt, with successive entries from a
+        dictionary, messages obtained which are encrypted under a key
+        derived from the user's password.
+
+   +    Each host on the network must have a clock which is "loosely
+        synchronized" to the time of the other hosts; this
+        synchronization is used to reduce the bookkeeping needs of
+        application servers when they do replay detection.  The degree
+        of "looseness" can be configured on a per-server basis.  If the
+        clocks are synchronized over the network, the clock
+        synchronization protocol must itself be secured from network
+        attackers.
+
+   +    Principal identifiers are not recycled on a short-term basis.  A
+        typical mode of access control will use access control lists
+        (ACLs) to grant permissions to particular principals.  If a
+
+
+
+Kohl & Neuman                                                   [Page 8]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        stale ACL entry remains for a deleted principal and the
+        principal identifier is reused, the new principal will inherit
+        rights specified in the stale ACL entry. By not re-using
+        principal identifiers, the danger of inadvertent access is
+        removed.
+
+1.3.  Glossary of terms
+
+   Below is a list of terms used throughout this document.
+
+
+   Authentication      Verifying the claimed identity of a
+                       principal.
+
+
+   Authentication header A record containing a Ticket and an
+                         Authenticator to be presented to a
+                         server as part of the authentication
+                         process.
+
+
+   Authentication path  A sequence of intermediate realms transited
+                        in the authentication process when
+                        communicating from one realm to another.
+
+   Authenticator       A record containing information that can
+                       be shown to have been recently generated
+                       using the session key known only by  the
+                       client and server.
+
+
+   Authorization       The process of determining whether a
+                       client may use a service, which objects
+                       the client is allowed to access, and the
+                       type of access allowed for each.
+
+
+   Capability          A token that grants the bearer permission
+                       to access an object or service.  In
+                       Kerberos, this might be a ticket whose
+                       use is restricted by the contents of the
+                       authorization data field, but which
+                       lists no network addresses, together
+                       with the session key necessary to use
+                       the ticket.
+
+
+
+
+
+
+Kohl & Neuman                                                   [Page 9]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Ciphertext          The output of an encryption function.
+                       Encryption transforms plaintext into
+                       ciphertext.
+
+
+   Client              A process that makes use of a network
+                       service on behalf of a user.  Note that
+                       in some cases a Server may itself be a
+                       client of some other server (e.g., a
+                       print server may be a client of a file
+                       server).
+
+
+   Credentials         A ticket plus the secret session key
+                       necessary to successfully use that
+                       ticket in an authentication exchange.
+
+
+   KDC                 Key Distribution Center, a network service
+                       that supplies tickets and temporary
+                       session keys; or an instance of that
+                       service or the host on which it runs.
+                       The KDC services both initial ticket and
+                       ticket-granting ticket requests.  The
+                       initial ticket portion is sometimes
+                       referred to as the Authentication Server
+                       (or service).  The ticket-granting
+                       ticket portion is sometimes referred to
+                       as the ticket-granting server (or service).
+
+   Kerberos            Aside from the 3-headed dog guarding
+                       Hades, the name given to Project
+                       Athena's authentication service, the
+                       protocol used by that service, or the
+                       code used to implement the authentication
+                       service.
+
+
+   Plaintext           The input to an encryption function  or
+                       the output of a decryption function.
+                       Decryption transforms ciphertext into
+                       plaintext.
+
+
+   Principal           A uniquely named client or server
+                       instance that participates in a network
+                       communication.
+
+
+
+
+Kohl & Neuman                                                  [Page 10]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Principal identifier The name used to uniquely identify each
+                        different principal.
+
+
+   Seal                To encipher a record containing several
+                       fields in such a way that the fields
+                       cannot be individually replaced without
+                       either knowledge of the encryption key
+                       or leaving evidence of tampering.
+
+
+   Secret key          An encryption key shared by a principal
+                       and the KDC, distributed outside the
+                       bounds of the system, with a long lifetime.
+                       In the case of a human user's
+                       principal, the secret key is derived
+                       from a password.
+
+
+   Server              A particular Principal which provides a
+                       resource to network clients.
+
+
+   Service             A resource provided to network clients;
+                       often provided by more than one server
+                       (for example, remote file service).
+
+
+   Session key         A temporary encryption key used between
+                       two principals, with a lifetime limited
+                       to the duration of a single login "session".
+
+
+   Sub-session key     A temporary encryption key used between
+                       two principals, selected and exchanged
+                       by the principals using the session key,
+                       and with a lifetime limited to the duration
+                       of a single association.
+
+
+   Ticket              A record that helps a client authenticate
+                       itself to a server; it contains the
+                       client's identity, a session key, a
+                       timestamp, and other information, all
+                       sealed using the server's secret key.
+                       It only serves to authenticate a client
+                       when presented along with a fresh
+                       Authenticator.
+
+
+
+Kohl & Neuman                                                  [Page 11]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+2.  Ticket flag uses and requests
+
+   Each Kerberos ticket contains a set of flags which are used to
+   indicate various attributes of that ticket.  Most flags may be
+   requested by a client when the ticket is obtained; some are
+   automatically turned on and off by a Kerberos server as required.
+   The following sections explain what the various flags mean, and gives
+   examples of reasons to use such a flag.
+
+2.1.  Initial and pre-authenticated tickets
+
+   The INITIAL flag indicates that a ticket was issued using the AS
+   protocol and not issued based on a ticket-granting ticket.
+   Application servers that want to require the knowledge of a client's
+   secret key (e.g., a passwordchanging program) can insist that this
+   flag be set in any tickets they accept, and thus be assured that the
+   client's key was recently presented to the application client.
+
+   The PRE-AUTHENT and HW-AUTHENT flags provide addition information
+   about the initial authentication, regardless of whether the current
+   ticket was issued directly (in which case INITIAL will also be set)
+   or issued on the basis of a ticket-granting ticket (in which case the
+   INITIAL flag is clear, but the PRE-AUTHENT and HW-AUTHENT flags are
+   carried forward from the ticket-granting ticket).
+
+2.2.  Invalid tickets
+
+   The INVALID flag indicates that a ticket is invalid.  Application
+   servers must reject tickets which have this flag set.  A postdated
+   ticket will usually be issued in this form. Invalid tickets must be
+   validated by the KDC before use, by presenting them to the KDC in a
+   TGS request with the VALIDATE option specified.  The KDC will only
+   validate tickets after their starttime has passed.  The validation is
+   required so that postdated tickets which have been stolen before
+   their starttime can be rendered permanently invalid (through a hot-
+   list mechanism).
+
+2.3.  Renewable tickets
+
+   Applications may desire to hold tickets which can be valid for long
+   periods of time.  However, this can expose their credentials to
+   potential theft for equally long periods, and those stolen
+   credentials would be valid until the expiration time of the
+   ticket(s).  Simply using shortlived tickets and obtaining new ones
+   periodically would require the client to have long-term access to its
+   secret key, an even greater risk.  Renewable tickets can be used to
+   mitigate the consequences of theft.  Renewable tickets have two
+   "expiration times": the first is when the current instance of the
+
+
+
+Kohl & Neuman                                                  [Page 12]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   ticket expires, and the second is the latest permissible value for an
+   individual expiration time.  An application client must periodically
+   (i.e., before it expires) present a renewable ticket to the KDC, with
+   the RENEW option set in the KDC request.  The KDC will issue a new
+   ticket with a new session key and a later expiration time.  All other
+   fields of the ticket are left unmodified by the renewal process.
+   When the latest permissible expiration time arrives, the ticket
+   expires permanently.  At each renewal, the KDC may consult a hot-list
+   to determine if the ticket had been reported stolen since its last
+   renewal; it will refuse to renew such stolen tickets, and thus the
+   usable lifetime of stolen tickets is reduced.
+
+   The RENEWABLE flag in a ticket is normally only interpreted by the
+   ticket-granting service (discussed below in section 3.3).  It can
+   usually be ignored by application servers.  However, some
+   particularly careful application servers may wish to disallow
+   renewable tickets.
+
+   If a renewable ticket is not renewed by its  expiration time, the KDC
+   will not renew the ticket.  The RENEWABLE flag is reset by default,
+   but a client may request it be  set  by setting  the RENEWABLE option
+   in the KRB_AS_REQ message.  If it is set, then the renew-till field
+   in the ticket  contains the time after which the ticket may not be
+   renewed.
+
+2.4.  Postdated tickets
+
+   Applications may occasionally need to obtain tickets for use much
+   later, e.g., a batch submission system would need tickets to be valid
+   at the time the batch job is serviced.  However, it is dangerous to
+   hold valid tickets in a batch queue, since they will be on-line
+   longer and more prone to theft.  Postdated tickets provide a way to
+   obtain these tickets from the KDC at job submission time, but to
+   leave them "dormant" until they are activated and validated by a
+   further request of the KDC.  If a ticket theft were reported in the
+   interim, the KDC would refuse to validate the ticket, and the thief
+   would be foiled.
+
+   The MAY-POSTDATE flag in a ticket is normally only interpreted by the
+   ticket-granting service.  It can be ignored by application servers.
+   This flag must be set in a ticket-granting ticket in order to issue a
+   postdated ticket based on the presented ticket. It is reset by
+   default; it may be requested by a client by setting the ALLOW-
+   POSTDATE option in the KRB_AS_REQ message.  This flag does not allow
+   a client to obtain a postdated ticket-granting ticket; postdated
+   ticket-granting tickets can only by obtained by requesting the
+   postdating in the KRB_AS_REQ message.  The life (endtime-starttime)
+   of a postdated ticket will be the remaining life of the ticket-
+
+
+
+Kohl & Neuman                                                  [Page 13]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   granting ticket at the time of the request, unless the RENEWABLE
+   option is also set, in which case it can be the full life (endtime-
+   starttime) of the ticket-granting ticket.  The KDC may limit how far
+   in the future a ticket may be postdated.
+
+   The POSTDATED flag indicates that a ticket has been postdated.  The
+   application server can check the authtime field in the ticket to see
+   when the original authentication occurred.  Some services may choose
+   to reject postdated tickets, or they may only accept them within a
+   certain period after the original authentication. When the KDC issues
+   a POSTDATED ticket, it will also be marked as INVALID, so that the
+   application client must present the ticket to the KDC to be validated
+   before use.
+
+2.5.  Proxiable and proxy tickets
+
+   At times it may be necessary for a principal to allow a service  to
+   perform an operation on its behalf.  The service must be able to take
+   on the identity of the client, but only for  a particular purpose.  A
+   principal can allow a service to take on the principal's identity for
+   a particular purpose by granting it a proxy.
+
+   The PROXIABLE flag in a ticket is normally only interpreted by the
+   ticket-granting service. It can be ignored by application servers.
+   When set, this flag tells the ticket-granting server that it is OK to
+   issue a new ticket (but not a ticket-granting ticket) with a
+   different network address based on this ticket.  This flag is set by
+   default.
+
+   This flag allows a client to pass a proxy to a server to perform a
+   remote request on its behalf, e.g., a print service client can give
+   the print server a proxy to access the client's files on a particular
+   file server in order to satisfy a print request.
+
+   In order to complicate the use of stolen credentials, Kerberos
+   tickets are usually valid from only those network addresses
+   specifically included in the ticket (It is permissible to request or
+   issue tickets with no network addresses specified, but we do not
+   recommend it).  For this reason, a client wishing to grant a proxy
+   must request a new ticket valid for the network address of the
+   service to be granted the proxy.
+
+   The PROXY flag is set in a ticket by the  TGS  when  it issues a
+   proxy ticket.  Application servers may check this flag and require
+   additional authentication  from  the  agent presenting the proxy in
+   order to provide an audit trail.
+
+
+
+
+
+Kohl & Neuman                                                  [Page 14]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+2.6.  Forwardable tickets
+
+   Authentication forwarding is an instance of the proxy case where the
+   service is granted complete use of the client's identity.  An example
+   where it might be used is when a user logs in to a remote system and
+   wants authentication to work from that system as if the login were
+   local.
+
+   The FORWARDABLE flag in a ticket is normally only interpreted by the
+   ticket-granting service.  It can be ignored by application servers.
+   The FORWARDABLE flag has an interpretation similar to that of the
+   PROXIABLE flag, except ticket-granting tickets may also be issued
+   with different network addresses.  This flag is reset by default, but
+   users may request that it be set by setting the FORWARDABLE option in
+   the AS request when they request their initial ticket-granting
+   ticket.
+
+   This flag allows for authentication forwarding without requiring the
+   user to enter a password again.  If the flag is not set, then
+   authentication forwarding is not permitted, but the same end result
+   can still be achieved if the user engages in the AS exchange with the
+   requested network addresses and supplies a password.
+
+   The FORWARDED flag is set by the TGS when a client presents a ticket
+   with the FORWARDABLE flag set and requests it be set by specifying
+   the FORWARDED KDC option and supplying a set of addresses for the new
+   ticket.  It is also set in all tickets issued based on tickets with
+   the FORWARDED flag set.  Application servers may wish to process
+   FORWARDED tickets differently than non-FORWARDED tickets.
+
+2.7.  Other KDC options
+
+   There are two additional options which may be set in a client's
+   request of the KDC.  The RENEWABLE-OK option indicates that the
+   client will accept a renewable ticket if a ticket with the requested
+   life cannot otherwise be provided.  If a ticket with the requested
+   life cannot be provided, then the KDC may issue a renewable ticket
+   with a renew-till equal to the the requested endtime.  The value of
+   the renew-till field may still be adjusted by site-determined limits
+   or limits imposed by the individual principal or server.
+
+   The ENC-TKT-IN-SKEY option is honored only by the ticket-granting
+   service.  It indicates that the to-be-issued ticket for the end
+   server is to be encrypted in the session key from the additional
+   ticket-granting ticket provided with the request.  See section 3.3.3
+   for specific details.
+
+
+
+
+
+Kohl & Neuman                                                  [Page 15]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+3.  Message Exchanges
+
+   The following sections describe the interactions between network
+   clients and servers and the messages involved in those exchanges.
+
+3.1.  The Authentication Service Exchange
+
+                             Summary
+
+         Message direction       Message type    Section
+         1. Client to Kerberos   KRB_AS_REQ      5.4.1
+         2. Kerberos to client   KRB_AS_REP or   5.4.2
+                                 KRB_ERROR       5.9.1
+
+   The Authentication Service (AS) Exchange between the client and the
+   Kerberos Authentication Server is usually initiated by a client when
+   it wishes to obtain authentication credentials for a given server but
+   currently holds no credentials.  The client's secret key is used for
+   encryption and decryption.  This exchange is typically used at the
+   initiation of a login session, to obtain credentials for a Ticket-
+   Granting Server, which will subsequently be used to obtain
+   credentials for other servers (see section 3.3) without requiring
+   further use of the client's secret key.  This exchange is also used
+   to request credentials for services which must not be mediated
+   through the Ticket-Granting Service, but rather require a principal's
+   secret key, such as the password-changing service.  (The password-
+   changing request must not be honored unless the requester can provide
+   the old password (the user's current secret key).  Otherwise, it
+   would be possible for someone to walk up to an unattended session and
+   change another user's password.)  This exchange does not by itself
+   provide any assurance of the the identity of the user.  (To
+   authenticate a user logging on to a local system, the credentials
+   obtained in the AS exchange may first be used in a TGS exchange to
+   obtain credentials for a local server.  Those credentials must then
+   be verified by the local server through successful completion of the
+   Client/Server exchange.)
+
+   The exchange consists of two messages: KRB_AS_REQ from the client to
+   Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for these
+   messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+   In the request, the client sends (in cleartext) its own identity and
+   the identity of the server for which it is requesting credentials.
+   The response, KRB_AS_REP, contains a ticket for the client to present
+   to the server, and a session key that will be shared by the client
+   and the server.  The session key and additional information are
+   encrypted in the client's secret key.  The KRB_AS_REP message
+   contains information which can be used to detect replays, and to
+
+
+
+Kohl & Neuman                                                  [Page 16]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   associate it with the message to which it replies.  Various errors
+   can occur; these are indicated by an error response (KRB_ERROR)
+   instead of the KRB_AS_REP response.  The error message is not
+   encrypted.  The KRB_ERROR message also contains information which can
+   be used to associate it with the message to which it replies.  The
+   lack of encryption in the KRB_ERROR message precludes the ability to
+   detect replays or fabrications of such messages.
+
+   In the normal case the authentication server does not know whether
+   the client is actually the principal named in the request.  It simply
+   sends a reply without knowing or caring whether they are the same.
+   This is acceptable because nobody but the principal whose identity
+   was given in the request will be able to use the reply. Its critical
+   information is encrypted in that principal's key.  The initial
+   request supports an optional field that can be used to pass
+   additional information that might be needed for the initial exchange.
+   This field may be used for preauthentication if desired, but the
+   mechanism is not currently specified.
+
+3.1.1. Generation of KRB_AS_REQ message
+
+   The client may specify a number of options in the initial request.
+   Among these options are whether preauthentication is to be performed;
+   whether the requested ticket is to be renewable, proxiable, or
+   forwardable; whether it should be postdated or allow postdating of
+   derivative tickets; and whether a renewable ticket will be accepted
+   in lieu of a non-renewable ticket if the requested ticket expiration
+   date cannot be satisfied by a nonrenewable ticket (due to
+   configuration constraints; see section 4).  See section A.1 for
+   pseudocode.
+
+   The client prepares the KRB_AS_REQ message and sends it to the KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+   If all goes well, processing the KRB_AS_REQ message will result in
+   the creation of a ticket for the client to present to the server.
+   The format for the ticket is described in section 5.3.1.  The
+   contents of the ticket are determined as follows.
+
+3.1.3. Generation of KRB_AS_REP message
+
+   The authentication server looks up the client and server principals
+   named in the KRB_AS_REQ in its database, extracting their respective
+   keys.  If required, the server pre-authenticates the request, and if
+   the pre-authentication check fails, an error message with the code
+   KDC_ERR_PREAUTH_FAILED is returned. If the server cannot accommodate
+   the requested encryption type, an error message with code
+
+
+
+Kohl & Neuman                                                  [Page 17]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   KDC_ERR_ETYPE_NOSUPP is returned. Otherwise it generates a "random"
+   session key ("Random" means that, among other things, it should be
+   impossible to guess the next session key based on knowledge of past
+   session keys.  This can only be achieved in a pseudo-random number
+   generator if it is based on cryptographic principles.  It would be
+   more desirable to use a truly random number generator, such as one
+   based on measurements of random physical phenomena.).
+
+   If the requested start time is absent or indicates a time in the
+   past, then the start time of the ticket is set to the authentication
+   server's current time. If it indicates a time in the future, but the
+   POSTDATED option has not been specified, then the error
+   KDC_ERR_CANNOT_POSTDATE is returned.  Otherwise the requested start
+   time is checked against the policy of the local realm (the
+   administrator might decide to prohibit certain types or ranges of
+   postdated tickets), and if acceptable, the ticket's start time is set
+   as requested and the INVALID flag is set in the new ticket. The
+   postdated ticket must be validated before use by presenting it to the
+   KDC after the start time has been reached.
+
+   The expiration time of the ticket will be set to the minimum of the
+   following:
+
+   +The expiration time (endtime) requested in the KRB_AS_REQ
+    message.
+
+   +The ticket's start time plus the maximum allowable lifetime
+    associated with the client principal (the authentication
+    server's database includes a maximum ticket lifetime field
+    in each principal's record; see section 4).
+
+   +The ticket's start time plus the maximum allowable lifetime
+    associated with the server principal.
+
+   +The ticket's start time plus the maximum lifetime set by
+    the policy of the local realm.
+
+   If the requested expiration time minus the start time (as determined
+   above) is less than a site-determined minimum lifetime, an error
+   message with code KDC_ERR_NEVER_VALID is returned.  If the requested
+   expiration time for the ticket exceeds what was determined as above,
+   and if the "RENEWABLE-OK" option was requested, then the "RENEWABLE"
+   flag is set in the new ticket, and the renew-till value is set as if
+   the "RENEWABLE" option were requested (the field and option names are
+   described fully in section 5.4.1).  If the RENEWABLE option has been
+   requested or if the RENEWABLE-OK option has been set and a renewable
+   ticket is to be issued, then the renew-till field is set to the
+   minimum of:
+
+
+
+Kohl & Neuman                                                  [Page 18]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   +Its requested value.
+
+   +The start time of the ticket plus the minimum of the two
+    maximum renewable lifetimes associated with the principals'
+    database entries.
+
+   +The start time of the ticket plus the maximum renewable
+    lifetime set by the policy of the local realm.
+
+   The flags field of the new ticket will have the following options set
+   if they have been requested and if the policy of the local realm
+   allows: FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE.
+   If the new ticket is postdated (the start time is in the future), its
+   INVALID flag will also be set.
+
+   If all of the above succeed, the server formats a KRB_AS_REP message
+   (see section 5.4.2), copying the addresses in the request into the
+   caddr of the response, placing any required pre-authentication data
+   into the padata of the response, and encrypts the ciphertext part in
+   the client's key using the requested encryption method, and sends it
+   to the client.  See section A.2 for pseudocode.
+
+3.1.4. Generation of KRB_ERROR message
+
+   Several errors can occur, and the Authentication Server responds by
+   returning an error message, KRB_ERROR, to the client, with the
+   error-code and e-text fields set to appropriate values.  The error
+   message contents and details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+   If the reply message type is KRB_AS_REP, then the client verifies
+   that the cname and crealm fields in the cleartext portion of the
+   reply match what it requested.  If any padata fields are present,
+   they may be used to derive the proper secret key to decrypt the
+   message.  The client decrypts the encrypted part of the response
+   using its secret key, verifies that the nonce in the encrypted part
+   matches the nonce it supplied in its request (to detect replays).  It
+   also verifies that the sname and srealm in the response match those
+   in the request, and that the host address field is also correct.  It
+   then stores the ticket, session key, start and expiration times, and
+   other information for later use.  The key-expiration field from the
+   encrypted part of the response may be checked to notify the user of
+   impending key expiration (the client program could then suggest
+   remedial action, such as a password change).  See section A.3 for
+   pseudocode.
+
+   Proper decryption of the KRB_AS_REP message is not sufficient to
+
+
+
+Kohl & Neuman                                                  [Page 19]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   verify the identity of the user; the user and an attacker could
+   cooperate to generate a KRB_AS_REP format message which decrypts
+   properly but is not from the proper KDC.  If the host wishes to
+   verify the identity of the user, it must require the user to present
+   application credentials which can be verified using a securely-stored
+   secret key.  If those credentials can be verified, then the identity
+   of the user can be assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+   If the reply message type is KRB_ERROR, then the client interprets it
+   as an error and performs whatever application-specific tasks are
+   necessary to recover.
+
+3.2.  The Client/Server Authentication Exchange
+
+                        Summary
+
+   Message direction                         Message type    Section
+   Client to Application server              KRB_AP_REQ      5.5.1
+   [optional] Application server to client   KRB_AP_REP or   5.5.2
+                                             KRB_ERROR       5.9.1
+
+   The client/server authentication (CS) exchange is used by network
+   applications to authenticate the client to the server and vice versa.
+   The client must have already acquired credentials for the server
+   using the AS or TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+   The KRB_AP_REQ contains authentication information which should be
+   part of the first message in an authenticated transaction.  It
+   contains a ticket, an authenticator, and some additional bookkeeping
+   information (see section 5.5.1 for the exact format).  The ticket by
+   itself is insufficient to authenticate a client, since tickets are
+   passed across the network in cleartext(Tickets contain both an
+   encrypted and unencrypted portion, so cleartext here refers to the
+   entire unit, which can be copied from one message and replayed in
+   another without any cryptographic skill.), so the authenticator is
+   used to prevent invalid replay of tickets by proving to the server
+   that the client knows the session key of the ticket and thus is
+   entitled to use it.  The KRB_AP_REQ message is referred to elsewhere
+   as the "authentication header."
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+   When a client wishes to initiate authentication to a server, it
+   obtains (either through a credentials cache, the AS exchange, or the
+
+
+
+Kohl & Neuman                                                  [Page 20]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   TGS exchange) a ticket and session key for the desired service.  The
+   client may re-use any tickets it holds until they expire.  The client
+   then constructs a new Authenticator from the the system time, its
+   name, and optionally an application specific checksum, an initial
+   sequence number to be used in KRB_SAFE or KRB_PRIV messages, and/or a
+   session subkey to be used in negotiations for a session key unique to
+   this particular session.  Authenticators may not be re-used and will
+   be rejected if replayed to a server (Note that this can make
+   applications based on unreliable transports difficult to code
+   correctly, if the transport might deliver duplicated messages.  In
+   such cases, a new authenticator must be generated for each retry.).
+   If a sequence number is to be included, it should be randomly chosen
+   so that even after many messages have been exchanged it is not likely
+   to collide with other sequence numbers in use.
+
+   The client may indicate a requirement of mutual authentication or the
+   use of a session-key based ticket by setting the appropriate flag(s)
+   in the ap-options field of the message.
+
+   The Authenticator is encrypted in the session key and combined with
+   the ticket to form the KRB_AP_REQ message which is then sent to the
+   end server along with any additional application-specific
+   information.  See section A.9 for pseudocode.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+   Authentication is based on the server's current time of day (clocks
+   must be loosely synchronized), the authenticator, and the ticket.
+   Several errors are possible.  If an error occurs, the server is
+   expected to reply to the client with a KRB_ERROR message.  This
+   message may be encapsulated in the application protocol if its "raw"
+   form is not acceptable to the protocol. The format of error messages
+   is described in section 5.9.1.
+
+   The algorithm for verifying authentication information is as follows.
+   If the message type is not KRB_AP_REQ, the server returns the
+   KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the Ticket
+   in the KRB_AP_REQ is not one the server can use (e.g., it indicates
+   an old key, and the server no longer possesses a copy of the old
+   key), the KRB_AP_ERR_BADKEYVER error is returned.  If the USE-
+   SESSION-KEY flag is set in the ap-options field, it indicates to the
+   server that the ticket is encrypted in the session key from the
+   server's ticket-granting ticket rather than its secret key (This is
+   used for user-to-user authentication as described in [6]).  Since it
+   is possible for the server to be registered in multiple realms, with
+   different keys in each, the srealm field in the unencrypted portion
+   of the ticket in the KRB_AP_REQ is used to specify which secret key
+   the server should use to decrypt that ticket.  The KRB_AP_ERR_NOKEY
+
+
+
+Kohl & Neuman                                                  [Page 21]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   error code is returned if the server doesn't have the proper key to
+   decipher the ticket.
+
+   The ticket is decrypted using the version of the server's key
+   specified by the ticket.  If the decryption routines detect a
+   modification of the ticket (each encryption system must provide
+   safeguards to detect modified ciphertext; see section 6), the
+   KRB_AP_ERR_BAD_INTEGRITY error is returned (chances are good that
+   different keys were used to encrypt and decrypt).
+
+   The authenticator is decrypted using the session key extracted from
+   the decrypted ticket.  If decryption shows it to have been modified,
+   the KRB_AP_ERR_BAD_INTEGRITY error is returned.  The name and realm
+   of the client from the ticket are compared against the same fields in
+   the authenticator.  If they don't match, the KRB_AP_ERR_BADMATCH
+   error is returned (they might not match, for example, if the wrong
+   session key was used to encrypt the authenticator).  The addresses in
+   the ticket (if any) are then searched for an address matching the
+   operating-system reported address of the client.  If no match is
+   found or the server insists on ticket addresses but none are present
+   in the ticket, the KRB_AP_ERR_BADADDR error is returned.
+
+   If the local (server) time and the client time in the authenticator
+   differ by more than the allowable clock skew (e.g., 5 minutes), the
+   KRB_AP_ERR_SKEW error is returned.  If the server name, along with
+   the client name, time and microsecond fields from the Authenticator
+   match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is
+   returned (Note that the rejection here is restricted to
+   authenticators from the same principal to the same server.  Other
+   client principals communicating with the same server principal should
+   not be have their authenticators rejected if the time and microsecond
+   fields happen to match some other client's authenticator.).  The
+   server must remember any authenticator presented within the allowable
+   clock skew, so that a replay attempt is guaranteed to fail. If a
+   server loses track of any authenticator presented within the
+   allowable clock skew, it must reject all requests until the clock
+   skew interval has passed.  This assures that any lost or re-played
+   authenticators will fall outside the allowable clock skew and can no
+   longer be successfully replayed (If this is not done, an attacker
+   could conceivably record the ticket and authenticator sent over the
+   network to a server, then disable the client's host, pose as the
+   disabled host, and replay the ticket and authenticator to subvert the
+   authentication.).  If a sequence number is provided in the
+   authenticator, the server saves it for later use in processing
+   KRB_SAFE and/or KRB_PRIV messages.  If a subkey is present, the
+   server either saves it for later use or uses it to help generate its
+   own choice for a subkey to be returned in a KRB_AP_REP message.
+
+
+
+
+Kohl & Neuman                                                  [Page 22]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   The server computes the age of the ticket: local (server) time minus
+   the start time inside the Ticket.  If the start time is later than
+   the current time by more than the allowable clock skew or if the
+   INVALID flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is
+   returned.  Otherwise, if the current time is later than end time by
+   more than the allowable clock skew, the KRB_AP_ERR_TKT_EXPIRED error
+   is returned.
+
+   If all these checks succeed without an error, the server is assured
+   that the client possesses the credentials of the principal named in
+   the ticket and thus, the client has been authenticated to the server.
+   See section A.10 for pseudocode.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+   Typically, a client's request will include both the authentication
+   information and its initial request in the same message, and the
+   server need not explicitly reply to the KRB_AP_REQ.  However, if
+   mutual authentication (not only authenticating the client to the
+   server, but also the server to the client) is being performed, the
+   KRB_AP_REQ message will have MUTUAL-REQUIRED set in its ap-options
+   field, and a KRB_AP_REP message is required in response.  As with the
+   error message, this message may be encapsulated in the application
+   protocol if its "raw" form is not acceptable to the application's
+   protocol.  The timestamp and microsecond field used in the reply must
+   be the client's timestamp and microsecond field (as provided in the
+   authenticator). [Note: In the Kerberos version 4 protocol, the
+   timestamp in the reply was the client's timestamp plus one.  This is
+   not necessary in version 5 because version 5 messages are formatted
+   in such a way that it is not possible to create the reply by
+   judicious message surgery (even in encrypted form) without knowledge
+   of the appropriate encryption keys.]  If a sequence number is to be
+   included, it should be randomly chosen as described above for the
+   authenticator.  A subkey may be included if the server desires to
+   negotiate a different subkey.  The KRB_AP_REP message is encrypted in
+   the session key extracted from the ticket.  See section A.11 for
+   pseudocode.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+   If a KRB_AP_REP message is returned, the client uses the session key
+   from the credentials obtained for the server (Note that for
+   encrypting the KRB_AP_REP message, the sub-session key is not used,
+   even if present in the Authenticator.) to decrypt the message, and
+   verifies that the timestamp and microsecond fields match those in the
+   Authenticator it sent to the server.  If they match, then the client
+   is assured that the server is genuine. The sequence number and subkey
+   (if present) are retained for later use.  See section A.12 for
+
+
+
+Kohl & Neuman                                                  [Page 23]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   pseudocode.
+
+3.2.6. Using the encryption key
+
+   After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and
+   server share an encryption key which can be used by the application.
+   The "true session key" to be used for KRB_PRIV, KRB_SAFE, or other
+   application-specific uses may be chosen by the application based on
+   the subkeys in the KRB_AP_REP message and the authenticator
+   (Implementations of the protocol may wish to provide routines to
+   choose subkeys based on session keys and random numbers and to
+   orchestrate a negotiated key to be returned in the KRB_AP_REP
+   message.).  In some cases, the use of this session key will be
+   implicit in the protocol; in others the method of use must be chosen
+   from a several alternatives.  We leave the protocol negotiations of
+   how to use the key (e.g., selecting an encryption or checksum type)
+   to the application programmer; the Kerberos protocol does not
+   constrain the implementation options.
+
+   With both the one-way and mutual authentication exchanges, the peers
+   should take care not to send sensitive information to each other
+   without proper assurances.  In particular, applications that require
+   privacy or integrity should use the KRB_AP_REP or KRB_ERROR responses
+   from the server to client to assure both client and server of their
+   peer's identity.  If an application protocol requires privacy of its
+   messages, it can use the KRB_PRIV message (section 3.5). The KRB_SAFE
+   message (section 3.4) can be used to assure integrity.
+
+3.3.  The Ticket-Granting Service (TGS) Exchange
+
+                             Summary
+
+         Message direction       Message type     Section
+         1. Client to Kerberos   KRB_TGS_REQ      5.4.1
+         2. Kerberos to client   KRB_TGS_REP or   5.4.2
+                                 KRB_ERROR        5.9.1
+
+   The TGS exchange between a client and the Kerberos Ticket-Granting
+   Server is initiated by a client when it wishes to obtain
+   authentication credentials for a given server (which might be
+   registered in a remote realm), when it wishes to renew or validate an
+   existing ticket, or when it wishes to obtain a proxy ticket.  In the
+   first case, the client must already have acquired a ticket for the
+   Ticket-Granting Service using the AS exchange (the ticket-granting
+   ticket is usually obtained when a client initially authenticates to
+   the system, such as when a user logs in).  The message format for the
+   TGS exchange is almost identical to that for the AS exchange.  The
+   primary difference is that encryption and decryption in the TGS
+
+
+
+Kohl & Neuman                                                  [Page 24]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   exchange does not take place under the client's key.  Instead, the
+   session key from the ticket-granting ticket or renewable ticket, or
+   sub-session key from an Authenticator is used.  As is the case for
+   all application servers, expired tickets are not accepted by the TGS,
+   so once a renewable or ticket-granting ticket expires, the client
+   must use a separate exchange to obtain valid tickets.
+
+   The TGS exchange consists of two messages: A request (KRB_TGS_REQ)
+   from the client to the Kerberos Ticket-Granting Server, and a reply
+   (KRB_TGS_REP or KRB_ERROR).  The KRB_TGS_REQ message includes
+   information authenticating the client plus a request for credentials.
+   The authentication information consists of the authentication header
+   (KRB_AP_REQ) which includes the client's previously obtained ticket-
+   granting, renewable, or invalid ticket.  In the ticket-granting
+   ticket and proxy cases, the request may include one or more of: a
+   list of network addresses, a collection of typed authorization data
+   to be sealed in the ticket for authorization use by the application
+   server, or additional tickets (the use of which are described later).
+   The TGS reply (KRB_TGS_REP) contains the requested credentials,
+   encrypted in the session key from the ticket-granting ticket or
+   renewable ticket, or if present, in the subsession key from the
+   Authenticator (part of the authentication header). The KRB_ERROR
+   message contains an error code and text explaining what went wrong.
+   The KRB_ERROR message is not encrypted.  The KRB_TGS_REP message
+   contains information which can be used to detect replays, and to
+   associate it with the message to which it replies.  The KRB_ERROR
+   message also contains information which can be used to associate it
+   with the message to which it replies, but the lack of encryption in
+   the KRB_ERROR message precludes the ability to detect replays or
+   fabrications of such messages.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+   Before sending a request to the ticket-granting service, the client
+   must determine in which realm the application server is registered
+   [Note: This can be accomplished in several ways.  It might be known
+   beforehand (since the realm is part of the principal identifier), or
+   it might be stored in a nameserver.  Presently, however, this
+   information is obtained from a configuration file.  If the realm to
+   be used is obtained from a nameserver, there is a danger of being
+   spoofed if the nameservice providing the realm name is not
+   authenticated.  This might result in the use of a realm which has
+   been compromised, and would result in an attacker's ability to
+   compromise the authentication of the application server to the
+   client.].  If the client does not already possess a ticket-granting
+   ticket for the appropriate realm, then one must be obtained.  This is
+   first attempted by requesting a ticket-granting ticket for the
+   destination realm from the local Kerberos server (using the
+
+
+
+Kohl & Neuman                                                  [Page 25]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   KRB_TGS_REQ message recursively).  The Kerberos server may return a
+   TGT for the desired realm in which case one can proceed.
+   Alternatively, the Kerberos server may return a TGT for a realm which
+   is "closer" to the desired realm (further along the standard
+   hierarchical path), in which case this step must be repeated with a
+   Kerberos server in the realm specified in the returned TGT.  If
+   neither are returned, then the request must be retried with a
+   Kerberos server for a realm higher in the hierarchy.  This request
+   will itself require a ticket-granting ticket for the higher realm
+   which must be obtained by recursively applying these directions.
+
+   Once the client obtains a ticket-granting ticket for the appropriate
+   realm, it determines which Kerberos servers serve that realm, and
+   contacts one. The list might be obtained through a configuration file
+   or network service; as long as the secret keys exchanged by realms
+   are kept secret, only denial of service results from a false Kerberos
+   server.
+
+   As in the AS exchange, the client may specify a number of options in
+   the KRB_TGS_REQ message.  The client prepares the KRB_TGS_REQ
+   message, providing an authentication header as an element of the
+   padata field, and including the same fields as used in the KRB_AS_REQ
+   message along with several optional fields: the enc-authorization-
+   data field for application server use and additional tickets required
+   by some options.
+
+   In preparing the authentication header, the client can select a sub-
+   session key under which the response from the Kerberos server will be
+   encrypted (If the client selects a sub-session key, care must be
+   taken to ensure the randomness of the selected subsession key.  One
+   approach would be to generate a random number and XOR it with the
+   session key from the ticket-granting ticket.). If the sub-session key
+   is not specified, the session key from the ticket-granting ticket
+   will be used.  If the enc-authorization-data is present, it must be
+   encrypted in the sub-session key, if present, from the authenticator
+   portion of the authentication header, or if not present in the
+   session key from the ticket-granting ticket.
+
+   Once prepared, the message is sent to a Kerberos server for the
+   destination realm.  See section A.5 for pseudocode.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+   The KRB_TGS_REQ message is processed in a manner similar to the
+   KRB_AS_REQ message, but there are many additional checks to be
+   performed.  First, the Kerberos server must determine which server
+   the accompanying ticket is for and it must select the appropriate key
+   to decrypt it. For a normal KRB_TGS_REQ message, it will be for the
+
+
+
+Kohl & Neuman                                                  [Page 26]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   ticket granting service, and the TGS's key will be used.  If the TGT
+   was issued by another realm, then the appropriate inter-realm key
+   must be used.  If the accompanying ticket is not a ticket granting
+   ticket for the current realm, but is for an application server in the
+   current realm, the RENEW, VALIDATE, or PROXY options are specified in
+   the request, and the server for which a ticket is requested is the
+   server named in the accompanying ticket, then the KDC will decrypt
+   the ticket in the authentication header using the key of the server
+   for which it was issued.  If no ticket can be found in the padata
+   field, the KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+   Once the accompanying ticket has been decrypted, the user-supplied
+   checksum in the Authenticator must be verified against the contents
+   of the request, and the message rejected if the checksums do not
+   match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum
+   is not keyed or not collision-proof (with an error code of
+   KRB_AP_ERR_INAPP_CKSUM).  If the checksum type is not supported, the
+   KDC_ERR_SUMTYPE_NOSUPP error is returned.  If the authorization-data
+   are present, they are decrypted using the sub-session key from the
+   Authenticator.
+
+   If any of the decryptions indicate failed integrity checks, the
+   KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+3.3.3. Generation of KRB_TGS_REP message
+
+   The KRB_TGS_REP message shares its format with the KRB_AS_REP
+   (KRB_KDC_REP), but with its type field set to KRB_TGS_REP.  The
+   detailed specification is in section 5.4.2.
+
+   The response will include a ticket for the requested server.  The
+   Kerberos database is queried to retrieve the record for the requested
+   server (including the key with which the ticket will be encrypted).
+   If the request is for a ticket granting ticket for a remote realm,
+   and if no key is shared with the requested realm, then the Kerberos
+   server will select the realm "closest" to the requested realm with
+   which it does share a key, and use that realm instead. This is the
+   only case where the response from the KDC will be for a different
+   server than that requested by the client.
+
+   By default, the address field, the client's name and realm, the list
+   of transited realms, the time of initial authentication, the
+   expiration time, and the authorization data of the newly-issued
+   ticket will be copied from the ticket-granting ticket (TGT) or
+   renewable ticket.  If the transited field needs to be updated, but
+   the transited type is not supported, the KDC_ERR_TRTYPE_NOSUPP error
+   is returned.
+
+
+
+
+Kohl & Neuman                                                  [Page 27]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   If the request specifies an endtime, then the endtime of the new
+   ticket is set to the minimum of (a) that request, (b) the endtime
+   from the TGT, and (c) the starttime of the TGT plus the minimum of
+   the maximum life for the application server and the maximum life for
+   the local realm (the maximum life for the requesting principal was
+   already applied when the TGT was issued).  If the new ticket is to be
+   a renewal, then the endtime above is replaced by the minimum of (a)
+   the value of the renew_till field of the ticket and (b) the starttime
+   for the new ticket plus the life (endtimestarttime) of the old
+   ticket.
+
+   If the FORWARDED option has been requested, then the resulting ticket
+   will contain the addresses specified by the client.  This option will
+   only be honored if the FORWARDABLE flag is set in the TGT.  The PROXY
+   option is similar; the resulting ticket will contain the addresses
+   specified by the client.  It will be honored only if the PROXIABLE
+   flag in the TGT is set.  The PROXY option will not be honored on
+   requests for additional ticket-granting tickets.
+
+   If the requested start time is absent or indicates a time in the
+   past, then the start time of the ticket is set to the authentication
+   server's current time.  If it indicates a time in the future, but the
+   POSTDATED option has not been specified or the MAY-POSTDATE flag is
+   not set in the TGT, then the error KDC_ERR_CANNOT_POSTDATE is
+   returned.  Otherwise, if the ticket-granting ticket has the
+   MAYPOSTDATE flag set, then the resulting ticket will be postdated and
+   the requested starttime is checked against the policy of the local
+   realm. If acceptable, the ticket's start time is set as requested,
+   and the INVALID flag is set.  The postdated ticket must be validated
+   before use by presenting it to the KDC after the starttime has been
+   reached. However, in no case may the starttime, endtime, or renew-
+   till time of a newly-issued postdated ticket extend beyond the
+   renew-till time of the ticket-granting ticket.
+
+   If the ENC-TKT-IN-SKEY option has been specified and an additional
+   ticket has been included in the request, the KDC will decrypt the
+   additional ticket using the key for the server to which the
+   additional ticket was issued and verify that it is a ticket-granting
+   ticket.  If the name of the requested server is missing from the
+   request, the name of the client in the additional ticket will be
+   used.  Otherwise the name of the requested server will be compared to
+   the name of the client in the additional ticket and if different, the
+   request will be rejected.  If the request succeeds, the session key
+   from the additional ticket will be used to encrypt the new ticket
+   that is issued instead of using the key of the server for which the
+   new ticket will be used (This allows easy implementation of user-to-
+   user authentication [6], which uses ticket-granting ticket session
+   keys in lieu of secret server keys in situations where such secret
+
+
+
+Kohl & Neuman                                                  [Page 28]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   keys could be easily compromised.).
+
+   If the name of the server in the ticket that is presented to the KDC
+   as part of the authentication header is not that of the ticket-
+   granting server itself, and the server is registered in the realm of
+   the KDC, If the RENEW option is requested, then the KDC will verify
+   that the RENEWABLE flag is set in the ticket and that the renew_till
+   time is still in the future.  If the VALIDATE option is rqeuested,
+   the KDC will check that the starttime has passed and the INVALID flag
+   is set.  If the PROXY option is requested, then the KDC will check
+   that the PROXIABLE flag is set in the ticket.  If the tests succeed,
+   the KDC will issue the appropriate new ticket.
+
+   Whenever a request is made to the ticket-granting server, the
+   presented ticket(s) is(are) checked against a hot-list of tickets
+   which have been canceled.  This hot-list might be implemented by
+   storing a range of issue dates for "suspect tickets"; if a presented
+   ticket had an authtime in that range, it would be rejected.  In this
+   way, a stolen ticket-granting ticket or renewable ticket cannot be
+   used to gain additional tickets (renewals or otherwise) once the
+   theft has been reported.  Any normal ticket obtained before it was
+   reported stolen will still be valid (because they require no
+   interaction with the KDC), but only until their normal expiration
+   time.
+
+   The ciphertext part of the response in the KRB_TGS_REP message is
+   encrypted in the sub-session key from the Authenticator, if present,
+   or the session key key from the ticket-granting ticket.  It is not
+   encrypted using the client's secret key.  Furthermore, the client's
+   key's expiration date and the key version number fields are left out
+   since these values are stored along with the client's database
+   record, and that record is not needed to satisfy a request based on a
+   ticket-granting ticket.  See section A.6 for pseudocode.
+
+3.3.3.1.  Encoding the transited field
+
+   If the identity of the server in the TGT that is presented to the KDC
+   as part of the authentication header is that of the ticket-granting
+   service, but the TGT was issued from another realm, the KDC will look
+   up the inter-realm key shared with that realm and use that key to
+   decrypt the ticket.  If the ticket is valid, then the KDC will honor
+   the request, subject to the constraints outlined above in the section
+   describing the AS exchange.  The realm part of the client's identity
+   will be taken from the ticket-granting ticket.  The name of the realm
+   that issued the ticket-granting ticket will be added to the transited
+   field of the ticket to be issued.  This is accomplished by reading
+   the transited field from the ticket-granting ticket (which is treated
+   as an unordered set of realm names), adding the new realm to the set,
+
+
+
+Kohl & Neuman                                                  [Page 29]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   then constructing and writing out its encoded (shorthand) form (this
+   may involve a rearrangement of the existing encoding).
+
+   Note that the ticket-granting service does not add the name of its
+   own realm.  Instead, its responsibility is to add the name of the
+   previous realm.  This prevents a malicious Kerberos server from
+   intentionally leaving out its own name (it could, however, omit other
+   realms' names).
+
+   The names of neither the local realm nor the principal's realm are to
+   be included in the transited field.  They appear elsewhere in the
+   ticket and both are known to have taken part in authenticating the
+   principal.  Since the endpoints are not included, both local and
+   single-hop inter-realm authentication result in a transited field
+   that is empty.
+
+   Because the name of each realm transited  is  added  to this field,
+   it might potentially be very long.  To decrease the length of this
+   field, its contents are encoded.  The initially supported encoding is
+   optimized for the normal case of inter-realm communication: a
+   hierarchical arrangement of realms using either domain or X.500 style
+   realm names. This encoding (called DOMAIN-X500-COMPRESS) is now
+   described.
+
+   Realm names in the transited field are separated by a ",".  The ",",
+   "\", trailing "."s, and leading spaces (" ") are special characters,
+   and if they are part of a realm name, they must be quoted in the
+   transited field by preceding them with a "\".
+
+   A realm name ending with a "." is interpreted as  being prepended to
+   the previous realm.  For example, we can encode traversal of EDU,
+   MIT.EDU,  ATHENA.MIT.EDU,  WASHINGTON.EDU, and CS.WASHINGTON.EDU as:
+
+              "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+   Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were endpoints,
+   that they would not be included in this field, and we would have:
+
+              "EDU,MIT.,WASHINGTON.EDU"
+
+   A realm name beginning with a "/" is interpreted as being appended to
+   the previous realm (For the purpose of appending, the realm preceding
+   the first listed realm is considered to be the null realm ("")).  If
+   it is to stand by itself, then it should be preceded by a space ("
+   ").  For example, we can encode traversal of /COM/HP/APOLLO, /COM/HP,
+   /COM, and /COM/DEC as:
+
+              "/COM,/HP,/APOLLO, /COM/DEC".
+
+
+
+Kohl & Neuman                                                  [Page 30]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Like the example above, if /COM/HP/APOLLO and /COM/DEC are endpoints,
+   they they would not be included in this field, and we would have:
+
+              "/COM,/HP"
+
+   A null subfield preceding or following a "," indicates that all
+   realms between the previous realm and the next realm have been
+   traversed (For the purpose of interpreting null subfields, the
+   client's realm is considered to precede those in the transited field,
+   and the server's realm is considered to follow them.). Thus, ","
+   means that all realms along the path between the client and the
+   server have been traversed.  ",EDU, /COM," means that that all realms
+   from the client's realm up to EDU (in a domain style hierarchy) have
+   been traversed, and that everything from /COM down to the server's
+   realm in an X.500 style has also been traversed.  This could occur if
+   the EDU realm in one hierarchy shares an inter-realm key directly
+   with the /COM realm in another hierarchy.
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+   When the KRB_TGS_REP is received by the client, it is processed in
+   the same manner as the KRB_AS_REP processing described above.  The
+   primary difference is that the ciphertext part of the response must
+   be decrypted using the session key from the ticket-granting ticket
+   rather than the client's secret key.  See section A.7 for pseudocode.
+
+3.4.  The KRB_SAFE Exchange
+
+   The KRB_SAFE message may be used by clients requiring the ability to
+   detect modifications of messages they exchange.  It achieves this by
+   including a keyed collisionproof checksum of the user data and some
+   control information.  The checksum is keyed with an encryption key
+   (usually the last key negotiated via subkeys, or the session key if
+   no negotiation has occured).
+
+3.4.1. Generation of a KRB_SAFE message
+
+   When an application wishes to send a KRB_SAFE message, it collects
+   its data and the appropriate control information and computes a
+   checksum over them.  The checksum algorithm should be some sort of
+   keyed one-way hash function (such as the RSA-MD5-DES checksum
+   algorithm specified in section 6.4.5, or the DES MAC), generated
+   using the sub-session key if present, or the session key.  Different
+   algorithms may be selected by changing the checksum type in the
+   message.  Unkeyed or non-collision-proof checksums are not suitable
+   for this use.
+
+   The control information for the KRB_SAFE message includes both a
+
+
+
+Kohl & Neuman                                                  [Page 31]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   timestamp and a sequence number.  The designer of an application
+   using the KRB_SAFE message must choose at least one of the two
+   mechanisms.  This choice should be based on the needs of the
+   application protocol.
+
+   Sequence numbers are useful when all messages sent will be received
+   by one's peer.  Connection state is presently required to maintain
+   the session key, so maintaining the next sequence number should not
+   present an additional problem.
+
+   If the application protocol is expected to tolerate lost messages
+   without them being resent, the use of the timestamp is the
+   appropriate replay detection mechanism.  Using timestamps is also the
+   appropriate mechanism for multi-cast protocols where all of one's
+   peers share a common sub-session key, but some messages will be sent
+   to a subset of one's peers.
+
+   After computing the checksum, the client then transmits the
+   information and checksum to the recipient in the message format
+   specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+   When an application receives a KRB_SAFE message, it verifies it as
+   follows.  If any error occurs, an error code is reported for use by
+   the application.
+
+   The message is first checked by verifying that the protocol version
+   and type fields match the current version and KRB_SAFE, respectively.
+   A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE
+   error.  The application verifies that the checksum used is a
+   collisionproof keyed checksum, and if it is not, a
+   KRB_AP_ERR_INAPP_CKSUM error is generated.  The recipient verifies
+   that the operating system's report of the sender's address matches
+   the sender's address in the message, and (if a recipient address is
+   specified or the recipient requires an address) that one of the
+   recipient's addresses appears as the recipient's address in the
+   message.  A failed match for either case generates a
+   KRB_AP_ERR_BADADDR error.  Then the timestamp and usec and/or the
+   sequence number fields are checked.  If timestamp and usec are
+   expected and not present, or they are present but not current, the
+   KRB_AP_ERR_SKEW error is generated.  If the server name, along with
+   the client name, time and microsecond fields from the Authenticator
+   match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is
+   generated.  If an incorrect sequence number is included, or a
+   sequence number is expected but not present, the KRB_AP_ERR_BADORDER
+   error is generated.  If neither a timestamp and usec or a sequence
+   number is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+
+
+Kohl & Neuman                                                  [Page 32]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Finally, the checksum is computed over the data and control
+   information, and if it doesn't match the received checksum, a
+   KRB_AP_ERR_MODIFIED error is generated.
+
+   If all the checks succeed, the application is assured that the
+   message was generated by its peer and was not modified in transit.
+
+3.5.  The KRB_PRIV Exchange
+
+   The KRB_PRIV message may be used by clients requiring confidentiality
+   and the ability to detect modifications of exchanged messages.  It
+   achieves this by encrypting the messages and adding control
+   information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+   When an application wishes to send a KRB_PRIV message, it collects
+   its data and the appropriate control information (specified in
+   section 5.7.1) and encrypts them under an encryption key (usually the
+   last key negotiated via subkeys, or the session key if no negotiation
+   has occured).  As part of the control information, the client must
+   choose to use either a timestamp or a sequence number (or both); see
+   the discussion in section 3.4.1 for guidelines on which to use.
+   After the user data and control information are encrypted, the client
+   transmits the ciphertext and some "envelope" information to the
+   recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+   When an application receives a KRB_PRIV message, it verifies it as
+   follows.  If any error occurs, an error code is reported for use by
+   the application.
+
+   The message is first checked by verifying that the protocol version
+   and type fields match the current version and KRB_PRIV, respectively.
+   A mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE
+   error.  The application then decrypts the ciphertext and processes
+   the resultant plaintext. If decryption shows the data to have been
+   modified, a KRB_AP_ERR_BAD_INTEGRITY error is generated.  The
+   recipient verifies that the operating system's report of the sender's
+   address matches the sender's address in the message, and (if a
+   recipient address is specified or the recipient requires an address)
+   that one of the recipient's addresses appears as the recipient's
+   address in the message.  A failed match for either case generates a
+   KRB_AP_ERR_BADADDR error.  Then the timestamp and usec and/or the
+   sequence number fields are checked. If timestamp and usec are
+   expected and not present, or they are present but not current, the
+   KRB_AP_ERR_SKEW error is generated.  If the server name, along with
+
+
+
+Kohl & Neuman                                                  [Page 33]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   the client name, time and microsecond fields from the Authenticator
+   match any recently-seen such tuples, the KRB_AP_ERR_REPEAT error is
+   generated.  If an incorrect sequence number is included, or a
+   sequence number is expected but not present, the KRB_AP_ERR_BADORDER
+   error is generated.  If neither a timestamp and usec or a sequence
+   number is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+   If all the checks succeed, the application can assume the message was
+   generated by its peer, and was securely transmitted (without
+   intruders able to see the unencrypted contents).
+
+3.6.  The KRB_CRED Exchange
+
+   The KRB_CRED message may be used by clients requiring the ability to
+   send Kerberos credentials from one host to another.  It achieves this
+   by sending the tickets together with encrypted data containing the
+   session keys and other information associated with the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+   When an application wishes to send a KRB_CRED message it first (using
+   the KRB_TGS exchange) obtains credentials to be sent to the remote
+   host.  It then constructs a KRB_CRED message using the ticket or
+   tickets so obtained, placing the session key needed to use each
+   ticket in the key field of the corresponding KrbCredInfo sequence of
+   the encrypted part of the the KRB_CRED message.
+
+   Other information associated with each ticket and obtained during the
+   KRB_TGS exchange is also placed in the corresponding KrbCredInfo
+   sequence in the encrypted part of the KRB_CRED message.  The current
+   time and, if specifically required by the application the nonce, s-
+   address, and raddress fields, are placed in the encrypted part of the
+   KRB_CRED message which is then encrypted under an encryption key
+   previosuly exchanged in the KRB_AP exchange (usually the last key
+   negotiated via subkeys, or the session key if no negotiation has
+   occured).
+
+3.6.2. Receipt of KRB_CRED message
+
+   When an application receives a KRB_CRED message, it verifies it.  If
+   any error occurs, an error code is reported for use by the
+   application.  The message is verified by checking that the protocol
+   version and type fields match the current version and KRB_CRED,
+   respectively.  A mismatch generates a KRB_AP_ERR_BADVERSION or
+   KRB_AP_ERR_MSG_TYPE error.  The application then decrypts the
+   ciphertext and processes the resultant plaintext. If decryption shows
+   the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is
+   generated.
+
+
+
+Kohl & Neuman                                                  [Page 34]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   If present or required, the recipient verifies that the operating
+   system's report of the sender's address matches the sender's address
+   in the message, and that one of the recipient's addresses appears as
+   the recipient's address in the message.  A failed match for either
+   case generates a KRB_AP_ERR_BADADDR error.  The timestamp and usec
+   fields (and the nonce field if required) are checked next.  If the
+   timestamp and usec are not present, or they are present but not
+   current, the KRB_AP_ERR_SKEW error is generated.
+
+   If all the checks succeed, the application stores each of the new
+   tickets in its ticket cache together with the session key and other
+   information in the corresponding KrbCredInfo sequence from the
+   encrypted part of the KRB_CRED message.
+
+4.  The Kerberos Database
+
+   The Kerberos server must have access to a database containing the
+   principal identifiers and secret keys of principals to be
+   authenticated (The implementation of the Kerberos server need not
+   combine the database and the server on the same machine; it is
+   feasible to store the principal database in, say, a network name
+   service, as long as the entries stored therein are protected from
+   disclosure to and modification by unauthorized parties.  However, we
+   recommend against such strategies, as they can make system management
+   and threat analysis quite complex.).
+
+4.1.  Database contents
+
+   A database entry should contain at least the following fields:
+
+   Field                Value
+
+   name                 Principal's identifier
+   key                  Principal's secret key
+   p_kvno               Principal's key version
+   max_life             Maximum lifetime for Tickets
+   max_renewable_life   Maximum total lifetime for renewable
+                        Tickets
+
+   The name field is an encoding of the principal's identifier.  The key
+   field contains an encryption key.  This key is the principal's secret
+   key.  (The key can be encrypted before storage under a Kerberos
+   "master key" to protect it in case the database is compromised but
+   the master key is not.  In that case, an extra field must be added to
+   indicate the master key version used, see below.) The p_kvno field is
+   the key version number of the principal's secret key.  The max_life
+   field contains the maximum allowable lifetime (endtime - starttime)
+   for any Ticket issued for this principal.  The max_renewable_life
+
+
+
+Kohl & Neuman                                                  [Page 35]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   field contains the maximum allowable total lifetime for any renewable
+   Ticket issued for this principal.  (See section 3.1 for a description
+   of how these lifetimes are used in determining the lifetime of a
+   given Ticket.)
+
+   A server may provide KDC service to several realms, as long as the
+   database representation provides a mechanism to distinguish between
+   principal records with identifiers which differ only in the realm
+   name.
+
+   When an application server's key changes, if the change is routine
+   (i.e.,  not the result of disclosure of the old key), the old key
+   should be retained by the server until all tickets that had been
+   issued using that key have expired.  Because of this, it is possible
+   for several keys to be active for a single principal.  Ciphertext
+   encrypted in a principal's key is always tagged with the version of
+   the key that was used for encryption, to help the recipient find the
+   proper key for decryption.
+
+   When more than one key is active for a particular principal, the
+   principal will have more than one record in the Kerberos database.
+   The keys and key version numbers will differ between the records (the
+   rest of the fields may or may not be the same). Whenever Kerberos
+   issues a ticket, or responds to a request for initial authentication,
+   the most recent key (known by the Kerberos server) will be used for
+   encryption.  This is the key with the highest key version number.
+
+4.2.  Additional fields
+
+   Project Athena's KDC implementation uses additional fields in its
+   database:
+
+   Field        Value
+
+   K_kvno       Kerberos' key version
+   expiration   Expiration date for entry
+   attributes   Bit field of attributes
+   mod_date     Timestamp of last modification
+   mod_name     Modifying principal's identifier
+
+   The K_kvno field indicates the key version of the Kerberos master key
+   under which the principal's secret key is encrypted.
+
+   After an entry's expiration date has passed, the KDC will return an
+   error to any client attempting to gain tickets as or for the
+   principal.  (A database may want to maintain two expiration dates:
+   one for the principal, and one for the principal's current key.  This
+   allows password aging to work independently of the principal's
+
+
+
+Kohl & Neuman                                                  [Page 36]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   expiration date.  However, due to the limited space in the responses,
+   the KDC must combine the key expiration and principal expiration date
+   into a single value called "key_exp", which is used as a hint to the
+   user to take administrative action.)
+
+   The attributes field is a bitfield used to govern the operations
+   involving the principal.  This field might be useful in conjunction
+   with user registration procedures, for site-specific policy
+   implementations (Project Athena currently uses it for their user
+   registration process controlled by the system-wide database service,
+   Moira [7]), or to identify the "string to key" conversion algorithm
+   used for a principal's key.  (See the discussion of the padata field
+   in section 5.4.2 for details on why this can be useful.)  Other bits
+   are used to indicate that certain ticket options should not be
+   allowed in tickets encrypted under a principal's key (one bit each):
+   Disallow issuing postdated tickets, disallow issuing forwardable
+   tickets, disallow issuing tickets based on TGT authentication,
+   disallow issuing renewable tickets, disallow issuing proxiable
+   tickets, and disallow issuing tickets for which the principal is the
+   server.
+
+   The mod_date field contains the time of last modification of the
+   entry, and the mod_name field contains the name of the principal
+   which last modified the entry.
+
+4.3.  Frequently Changing Fields
+
+   Some KDC implementations may wish to maintain the last time that a
+   request was made by a particular principal.  Information that might
+   be maintained includes the time of the last request, the time of the
+   last request for a ticket-granting ticket, the time of the last use
+   of a ticket-granting ticket, or other times.  This information can
+   then be returned to the user in the last-req field (see section 5.2).
+
+   Other frequently changing information that can be maintained is the
+   latest expiration time for any tickets that have been issued using
+   each key.  This field would be used to indicate how long old keys
+   must remain valid to allow the continued use of outstanding tickets.
+
+4.4.  Site Constants
+
+   The KDC implementation should have the following configurable
+   constants or options, to allow an administrator to make and enforce
+   policy decisions:
+
+   + The minimum supported lifetime (used to determine whether the
+      KDC_ERR_NEVER_VALID error should be returned). This constant
+      should reflect reasonable expectations of round-trip time to the
+
+
+
+Kohl & Neuman                                                  [Page 37]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+      KDC, encryption/decryption time, and processing time by the client
+      and target server, and it should allow for a minimum "useful"
+      lifetime.
+
+   + The maximum allowable total (renewable) lifetime of a ticket
+      (renew_till - starttime).
+
+   + The maximum allowable lifetime of a ticket (endtime - starttime).
+
+   + Whether to allow the issue of tickets with empty address fields
+      (including the ability to specify that such tickets may only be
+      issued if the request specifies some authorization_data).
+
+   + Whether proxiable, forwardable, renewable or post-datable tickets
+      are to be issued.
+
+5.  Message Specifications
+
+   The following sections describe the exact contents and encoding of
+   protocol messages and objects.  The ASN.1 base definitions are
+   presented in the first subsection.  The remaining subsections specify
+   the protocol objects (tickets and authenticators) and messages.
+   Specification of encryption and checksum techniques, and the fields
+   related to them, appear in section 6.
+
+5.1.  ASN.1 Distinguished Encoding Representation
+
+   All uses of ASN.1 in Kerberos shall use the Distinguished Encoding
+   Representation of the data elements as described in the X.509
+   specification, section 8.7 [8].
+
+5.2.  ASN.1 Base Definitions
+
+   The following ASN.1 base definitions are used in the rest of this
+   section. Note that since the underscore character (_) is not
+   permitted in ASN.1 names, the hyphen (-) is used in its place for the
+   purposes of ASN.1 names.
+
+   Realm ::=           GeneralString
+   PrincipalName ::=   SEQUENCE {
+                       name-type[0]     INTEGER,
+                       name-string[1]   SEQUENCE OF GeneralString
+   }
+
+   Kerberos realms are encoded as GeneralStrings. Realms shall not
+   contain a character with the code 0 (the ASCII NUL).  Most realms
+   will usually consist of several components separated by periods (.),
+   in the style of Internet Domain Names, or separated by slashes (/) in
+
+
+
+Kohl & Neuman                                                  [Page 38]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   the style of X.500 names.  Acceptable forms for realm names are
+   specified in section 7.  A PrincipalName is a typed sequence of
+   components consisting of the following sub-fields:
+
+   name-type This field specifies the type of name that follows.
+             Pre-defined values for this field are
+             specified in section 7.2.  The name-type should be
+             treated as a hint.  Ignoring the name type, no two
+             names can be the same (i.e., at least one of the
+             components, or the realm, must be different).
+             This constraint may be eliminated in the future.
+
+   name-string This field encodes a sequence of components that
+               form a name, each component encoded as a General
+               String.  Taken together, a PrincipalName and a Realm
+               form a principal identifier.  Most PrincipalNames
+               will have only a few components (typically one or two).
+
+           KerberosTime ::=   GeneralizedTime
+                              -- Specifying UTC time zone (Z)
+
+   The timestamps used in Kerberos are encoded as GeneralizedTimes.  An
+   encoding shall specify the UTC time zone (Z) and shall not include
+   any fractional portions of the seconds.  It further shall not include
+   any separators.  Example: The only valid format for UTC time 6
+   minutes, 27 seconds after 9 pm on 6 November 1985 is 19851106210627Z.
+
+    HostAddress ::=     SEQUENCE  {
+                        addr-type[0]             INTEGER,
+                        address[1]               OCTET STRING
+    }
+
+    HostAddresses ::=   SEQUENCE OF SEQUENCE {
+                        addr-type[0]             INTEGER,
+                        address[1]               OCTET STRING
+    }
+
+
+   The host adddress encodings consists of two fields:
+
+   addr-type  This field specifies the type of  address that
+              follows. Pre-defined values for this field are
+              specified in section 8.1.
+
+
+   address   This field encodes a single address of type addr-type.
+
+   The two forms differ slightly. HostAddress contains exactly one
+
+
+
+Kohl & Neuman                                                  [Page 39]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   address; HostAddresses contains a sequence of possibly many
+   addresses.
+
+   AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+                           ad-type[0]               INTEGER,
+                           ad-data[1]               OCTET STRING
+   }
+
+
+   ad-data   This field contains authorization data to be
+             interpreted according to the value of the
+             corresponding ad-type field.
+
+   ad-type   This field specifies the format for the ad-data
+             subfield.  All negative values are reserved for
+             local use.  Non-negative values are reserved for
+             registered use.
+
+                   APOptions ::=   BIT STRING {
+                                   reserved(0),
+                                   use-session-key(1),
+                                   mutual-required(2)
+                   }
+
+
+                   TicketFlags ::=   BIT STRING {
+                                     reserved(0),
+                                     forwardable(1),
+                                     forwarded(2),
+                                     proxiable(3),
+                                     proxy(4),
+                                     may-postdate(5),
+                                     postdated(6),
+                                     invalid(7),
+                                     renewable(8),
+                                     initial(9),
+                                     pre-authent(10),
+                                     hw-authent(11)
+                   }
+
+                  KDCOptions ::=   BIT STRING {
+                                   reserved(0),
+                                   forwardable(1),
+                                   forwarded(2),
+                                   proxiable(3),
+                                   proxy(4),
+                                   allow-postdate(5),
+                                   postdated(6),
+
+
+
+Kohl & Neuman                                                  [Page 40]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                                   unused7(7),
+                                   renewable(8),
+                                   unused9(9),
+                                   unused10(10),
+                                   unused11(11),
+                                   renewable-ok(27),
+                                   enc-tkt-in-skey(28),
+                                   renew(30),
+                                   validate(31)
+                  }
+
+
+            LastReq ::=   SEQUENCE OF SEQUENCE {
+                          lr-type[0]               INTEGER,
+                          lr-value[1]              KerberosTime
+            }
+
+   lr-type   This field indicates how the following lr-value
+             field is to be interpreted.  Negative values indicate
+             that the information pertains only to the
+             responding server.  Non-negative values pertain to
+             all servers for the realm.
+
+             If the lr-type field is zero (0), then no information
+             is conveyed by the lr-value subfield.  If the
+             absolute value of the lr-type field is one (1),
+             then the lr-value subfield is the time of last
+             initial request for a TGT.  If it is two (2), then
+             the lr-value subfield is the time of last initial
+             request.  If it is three (3), then the lr-value
+             subfield is the time of issue for the newest
+             ticket-granting ticket used. If it is four (4),
+             then the lr-value subfield is the time of the last
+             renewal.  If it is five (5), then the lr-value
+             subfield is the time of last request (of any
+             type).
+
+   lr-value  This field contains the time of the last request.
+             The time must be interpreted according to the contents
+             of the accompanying lr-type subfield.
+
+   See section 6 for the definitions of Checksum, ChecksumType,
+   EncryptedData, EncryptionKey, EncryptionType, and KeyType.
+
+
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 41]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+5.3.  Tickets and Authenticators
+
+   This section describes the format and encryption parameters for
+   tickets and authenticators.  When a ticket or authenticator is
+   included in a protocol message it is treated as an opaque object.
+
+5.3.1. Tickets
+
+   A ticket is a record that helps a client authenticate to a service.
+   A Ticket contains the following information:
+
+Ticket ::=                    [APPLICATION 1] SEQUENCE {
+                              tkt-vno[0]                   INTEGER,
+                              realm[1]                     Realm,
+                              sname[2]                     PrincipalName,
+                              enc-part[3]                  EncryptedData
+}
+-- Encrypted part of ticket
+EncTicketPart ::=     [APPLICATION 3] SEQUENCE {
+                      flags[0]             TicketFlags,
+                      key[1]               EncryptionKey,
+                      crealm[2]            Realm,
+                      cname[3]             PrincipalName,
+                      transited[4]         TransitedEncoding,
+                      authtime[5]          KerberosTime,
+                      starttime[6]         KerberosTime OPTIONAL,
+                      endtime[7]           KerberosTime,
+                      renew-till[8]        KerberosTime OPTIONAL,
+                      caddr[9]             HostAddresses OPTIONAL,
+                      authorization-data[10]   AuthorizationData OPTIONAL
+}
+-- encoded Transited field
+TransitedEncoding ::=         SEQUENCE {
+                              tr-type[0]  INTEGER, -- must be registered
+                              contents[1]          OCTET STRING
+}
+
+   The encoding of EncTicketPart is encrypted in the key shared by
+   Kerberos and the end server (the server's secret key).  See section 6
+   for the format of the ciphertext.
+
+   tkt-vno   This field specifies the version number for the ticket
+             format.  This document describes version number 5.
+
+   realm     This field specifies the realm that issued a ticket.  It
+             also serves to identify the realm part of the server's
+             principal identifier.  Since a Kerberos server can only
+             issue tickets for servers within its realm, the two will
+
+
+
+Kohl & Neuman                                                  [Page 42]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             always be identical.
+
+   sname     This field specifies the name part of the server's
+             identity.
+
+   enc-part  This field holds the encrypted encoding of the
+             EncTicketPart sequence.
+
+   flags     This field indicates which of various options were used or
+             requested when the ticket was issued.  It is a bit-field,
+             where the selected options are indicated by the bit being
+             set (1), and the unselected options and reserved fields
+             being reset (0).  Bit 0 is the most significant bit.  The
+             encoding of the bits is specified in section 5.2.  The
+             flags are described in more detail above in section 2.  The
+             meanings of the flags are:
+
+             Bit(s)    Name        Description
+
+             0         RESERVED    Reserved for future expansion of this
+                                   field.
+
+             1         FORWARDABLE The FORWARDABLE flag is normally only
+                                   interpreted by the TGS, and can be
+                                   ignored by end servers.  When set,
+                                   this flag tells the ticket-granting
+                                   server that it is OK to issue a new
+                                   ticket- granting ticket with a
+                                   different network address based on
+                                   the presented ticket.
+
+             2         FORWARDED   When set, this flag indicates that
+                                   the ticket has either been forwarded
+                                   or was issued based on authentication
+                                   involving a forwarded ticket-granting
+                                   ticket.
+
+             3         PROXIABLE   The PROXIABLE flag is normally only
+                                   interpreted by the TGS, and can be
+                                   ignored by end servers. The PROXIABLE
+                                   flag has an interpretation identical
+                                   to that of the FORWARDABLE flag,
+                                   except that the PROXIABLE flag tells
+                                   the ticket-granting server that only
+                                   non- ticket-granting tickets may be
+                                   issued with different network
+                                   addresses.
+
+
+
+
+Kohl & Neuman                                                  [Page 43]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             4         PROXY      When set, this flag indicates that a
+                                   ticket is a proxy.
+
+             5         MAY-POSTDATE The MAY-POSTDATE flag is normally
+                                   only interpreted by the TGS, and can
+                                   be ignored by end servers.  This flag
+                                   tells the ticket-granting server that
+                                   a post- dated ticket may be issued
+                                   based on this ticket-granting ticket.
+
+             6         POSTDATED   This flag indicates that this ticket
+                                   has been postdated.  The end-service
+                                   can check the authtime field to see
+                                   when the original authentication
+                                   occurred.
+
+             7         INVALID     This flag indicates that a ticket is
+                                   invalid, and it must be validated by
+                                   the KDC before use.  Application
+                                   servers must reject tickets which
+                                   have this flag set.
+
+             8         RENEWABLE   The RENEWABLE flag is normally only
+                                   interpreted by the TGS, and can
+                                   usually be ignored by end servers
+                                   (some particularly careful servers
+                                   may wish to disallow renewable
+                                   tickets).  A renewable ticket can be
+                                   used to obtain a replacement ticket
+                                   that expires at a later date.
+
+             9         INITIAL     This flag indicates that this ticket
+                                   was issued using the AS protocol, and
+                                   not issued based on a ticket-granting
+                                   ticket.
+
+             10        PRE-AUTHENT This flag indicates that during
+                                   initial authentication, the client
+                                   was authenticated by the KDC before a
+                                   ticket was issued.  The strength of
+                                   the preauthentication method is not
+                                   indicated, but is acceptable to the
+                                   KDC.
+
+             11        HW-AUTHENT  This flag indicates that the protocol
+                                   employed for initial authentication
+                                   required the use of hardware expected
+                                   to be possessed solely by the named
+
+
+
+Kohl & Neuman                                                  [Page 44]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                                   client.  The hardware authentication
+                                   method is selected by the KDC and the
+                                   strength of the method is not
+                                   indicated.
+
+             12-31     RESERVED    Reserved for future use.
+
+   key       This field exists in the ticket and the KDC response and is
+             used to pass the session key from Kerberos to the
+             application server and the client.  The field's encoding is
+             described in section 6.2.
+
+   crealm    This field contains the name of the realm in which the
+             client is registered and in which initial authentication
+             took place.
+
+   cname     This field contains the name part of the client's principal
+             identifier.
+
+   transited This field lists the names of the Kerberos realms that took
+             part in authenticating the user to whom this ticket was
+             issued.  It does not specify the order in which the realms
+             were transited.  See section 3.3.3.1 for details on how
+             this field encodes the traversed realms.
+
+   authtime  This field indicates the time of initial authentication for
+             the named principal.  It is the time of issue for the
+             original ticket on which this ticket is based.  It is
+             included in the ticket to provide additional information to
+             the end service, and  to provide  the necessary information
+             for implementation of a `hot list' service at the KDC.   An
+             end service that is particularly paranoid could refuse to
+             accept tickets for which the initial authentication
+             occurred "too far" in the past.
+
+             This field is also returned as part of the response from
+             the KDC.  When returned as part of the response to initial
+             authentication (KRB_AS_REP), this is the current time on
+             the Kerberos server (It is NOT recommended that this time
+             value be used to adjust the workstation's clock since the
+             workstation cannot reliably determine that such a
+             KRB_AS_REP actually came from the proper KDC in a timely
+             manner.).
+
+   starttime This field in the ticket specifies the time after which the
+             ticket is valid.  Together with endtime, this field
+             specifies the life of the ticket.   If it is absent from
+             the ticket, its value should be treated as that of the
+
+
+
+Kohl & Neuman                                                  [Page 45]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             authtime field.
+
+   endtime   This field contains the time after which the ticket will
+             not be honored (its expiration time).  Note that individual
+             services may place their own limits on the life of a ticket
+             and may reject tickets which have not yet expired.  As
+             such, this is really an upper bound on the expiration time
+             for the ticket.
+
+   renew-till This field is only present in tickets that have the
+             RENEWABLE flag set in the flags field.  It indicates the
+             maximum endtime that may be included in a renewal.  It can
+             be thought of as the absolute expiration time for the
+             ticket, including all renewals.
+
+   caddr     This field in a ticket contains zero (if omitted) or more
+             (if present) host addresses.  These are the addresses from
+             which the ticket can be used.  If there are no addresses,
+             the ticket can be used from any location.  The decision
+             by the KDC to issue or by the end server to accept zero-
+             address tickets is a policy decision and is left to the
+             Kerberos and end-service administrators; they may refuse to
+             issue or accept such tickets.  The suggested and default
+             policy, however, is that such tickets will only be issued
+             or accepted when additional information that can be used to
+             restrict the use of the ticket is included in the
+             authorization_data field.  Such a ticket is a capability.
+
+             Network addresses are included in the ticket to make it
+             harder for an attacker to use stolen credentials. Because
+             the session key is not sent over the network in cleartext,
+             credentials can't be stolen simply by listening to the
+             network; an attacker has to gain access to the session key
+             (perhaps through operating system security breaches or a
+             careless user's unattended session) to make use of stolen
+             tickets.
+
+             It is important to note that the network address from which
+             a connection is received cannot be reliably determined.
+             Even if it could be, an attacker who has compromised the
+             client's workstation could use the credentials from there.
+             Including the network addresses only makes it more
+             difficult, not impossible, for an attacker to walk off with
+             stolen credentials and then use them from a "safe"
+             location.
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 46]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   authorization-data The authorization-data field is used to pass
+             authorization data from the principal on whose behalf a
+             ticket was issued to the application service.  If no
+             authorization data is included, this field will be left
+             out.  The data in this field are specific to the end
+             service.  It is expected that the field will contain the
+             names of service specific objects, and the rights to those
+             objects.  The format for this field is described in section
+             5.2.  Although Kerberos is not concerned with the format of
+             the contents of the subfields, it does carry type
+             information (ad-type).
+
+             By using the authorization_data field, a principal is able
+             to issue a proxy that is valid for a specific purpose.  For
+             example, a client wishing to print a file can obtain a file
+             server proxy to be passed to the print server.  By
+             specifying the name of the file in the authorization_data
+             field, the file server knows that the print server can only
+             use the client's rights when accessing the particular file
+             to be printed.
+
+             It is interesting to note that if one specifies the
+             authorization-data field of a proxy and leaves the host
+             addresses blank, the resulting ticket and session key can
+             be treated as a capability.  See [9] for some suggested
+             uses of this field.
+
+             The authorization-data field is optional and does not have
+             to be included in a ticket.
+
+5.3.2. Authenticators
+
+   An authenticator is a record sent with a ticket to a server to
+   certify the client's knowledge of the encryption key in the ticket,
+   to help the server detect replays, and to help choose a "true session
+   key" to use with the particular session.  The encoding is encrypted
+   in the ticket's session key shared by the client and the server:
+
+-- Unencrypted authenticator
+Authenticator ::=    [APPLICATION 2] SEQUENCE    {
+               authenticator-vno[0]          INTEGER,
+               crealm[1]                     Realm,
+               cname[2]                      PrincipalName,
+               cksum[3]                      Checksum OPTIONAL,
+               cusec[4]                      INTEGER,
+               ctime[5]                      KerberosTime,
+               subkey[6]                     EncryptionKey OPTIONAL,
+               seq-number[7]                 INTEGER OPTIONAL,
+
+
+
+Kohl & Neuman                                                  [Page 47]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+               authorization-data[8]         AuthorizationData OPTIONAL
+                     }
+
+   authenticator-vno This field specifies the version number for the
+             format of the authenticator. This document specifies
+             version 5.
+
+   crealm and cname These fields are the same as those described for the
+             ticket in section 5.3.1.
+
+   cksum     This field contains a checksum of the the application data
+             that accompanies the KRB_AP_REQ.
+
+   cusec     This field contains the microsecond part of the client's
+             timestamp.  Its value (before encryption) ranges from 0 to
+             999999.  It often appears along with ctime.  The two fields
+             are used together to specify a reasonably accurate
+             timestamp.
+
+   ctime     This field contains the current time on the client's host.
+
+   subkey    This field contains the client's choice for an encryption
+             key which is to be used to protect this specific
+             application session. Unless an application specifies
+             otherwise, if this field is left out the session key from
+             the ticket will be used.
+
+   seq-number This optional field includes the initial sequence number
+             to be used by the KRB_PRIV or KRB_SAFE messages when
+             sequence numbers are used to detect replays (It may also be
+             used by application specific messages).  When included in
+             the authenticator this field specifies the initial sequence
+             number for messages from the client to the server.  When
+             included in the AP-REP message, the initial sequence number
+             is that for messages from the server to the client.  When
+             used in KRB_PRIV or KRB_SAFE messages, it is incremented by
+             one after each message is sent.
+
+             For sequence numbers to adequately support the detection of
+             replays they should be non-repeating, even across
+             connection boundaries. The initial sequence number should
+             be random and uniformly distributed across the full space
+             of possible sequence numbers, so that it cannot be guessed
+             by an attacker and so that it and the successive sequence
+             numbers do not repeat other sequences.
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 48]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   authorization-data This field is the same as described for the ticket
+             in section 5.3.1.  It is optional and will only appear when
+             additional restrictions are to be placed on the use of a
+             ticket, beyond those carried in the ticket itself.
+
+5.4.  Specifications for the AS and TGS exchanges
+
+   This section specifies the format of the messages used in exchange
+   between the client and the Kerberos server.  The format of possible
+   error messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+   The KRB_KDC_REQ message has no type of its own.  Instead, its type is
+   one of KRB_AS_REQ or KRB_TGS_REQ depending on whether the request is
+   for an initial ticket or an additional ticket.  In either case, the
+   message is sent from the client to the Authentication Server to
+   request credentials for a service.
+
+The message fields are:
+
+AS-REQ ::=         [APPLICATION 10] KDC-REQ
+TGS-REQ ::=        [APPLICATION 12] KDC-REQ
+
+KDC-REQ ::=        SEQUENCE {
+           pvno[1]               INTEGER,
+           msg-type[2]           INTEGER,
+           padata[3]             SEQUENCE OF PA-DATA OPTIONAL,
+           req-body[4]           KDC-REQ-BODY
+}
+
+PA-DATA ::=        SEQUENCE {
+           padata-type[1]        INTEGER,
+           padata-value[2]       OCTET STRING,
+                         -- might be encoded AP-REQ
+}
+
+KDC-REQ-BODY ::=   SEQUENCE {
+            kdc-options[0]       KDCOptions,
+            cname[1]             PrincipalName OPTIONAL,
+                         -- Used only in AS-REQ
+            realm[2]             Realm, -- Server's realm
+                         -- Also client's in AS-REQ
+            sname[3]             PrincipalName OPTIONAL,
+            from[4]              KerberosTime OPTIONAL,
+            till[5]              KerberosTime,
+            rtime[6]             KerberosTime OPTIONAL,
+            nonce[7]             INTEGER,
+
+
+
+Kohl & Neuman                                                  [Page 49]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+            etype[8]             SEQUENCE OF INTEGER, -- EncryptionType,
+                         -- in preference order
+            addresses[9]         HostAddresses OPTIONAL,
+            enc-authorization-data[10]   EncryptedData OPTIONAL,
+                         -- Encrypted AuthorizationData encoding
+            additional-tickets[11]       SEQUENCE OF Ticket OPTIONAL
+}
+
+   The fields in this message are:
+
+   pvno      This field is included in each message, and specifies the
+             protocol version number.  This document specifies protocol
+             version 5.
+
+   msg-type  This field indicates the type of a protocol message.  It
+             will almost always be the same as the application
+             identifier associated with a message.  It is included to
+             make the identifier more readily accessible to the
+             application.  For the KDC-REQ message, this type will be
+             KRB_AS_REQ or KRB_TGS_REQ.
+
+   padata    The padata (pre-authentication data) field contains a of
+             authentication information which may be needed before
+             credentials can be issued or decrypted.  In the case of
+             requests for additional tickets (KRB_TGS_REQ), this field
+             will include an element with padata-type of PA-TGS-REQ and
+             data of an authentication header (ticket-granting ticket
+             and authenticator). The checksum in the authenticator
+             (which must be collisionproof) is to be computed over the
+             KDC-REQ-BODY encoding.  In most requests for initial
+             authentication (KRB_AS_REQ) and most replies (KDC-REP), the
+             padata field will be left out.
+
+             This field may also contain information needed by certain
+             extensions to the Kerberos protocol.  For example, it might
+             be used to initially verify the identity of a client before
+             any response is returned.  This is accomplished with a
+             padata field with padata-type equal to PA-ENC-TIMESTAMP and
+             padata-value defined as follows:
+
+   padata-type     ::= PA-ENC-TIMESTAMP
+   padata-value    ::= EncryptedData -- PA-ENC-TS-ENC
+
+   PA-ENC-TS-ENC   ::= SEQUENCE {
+           patimestamp[0]               KerberosTime, -- client's time
+           pausec[1]                    INTEGER OPTIONAL
+   }
+
+
+
+
+Kohl & Neuman                                                  [Page 50]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             with patimestamp containing the client's time and pausec
+             containing the microseconds which may be omitted if a
+             client will not generate more than one request per second.
+             The ciphertext (padata-value) consists of the PA-ENC-TS-ENC
+             sequence, encrypted using the client's secret key.
+
+             The padata field can also contain information needed to
+             help the KDC or the client select the key needed for
+             generating or decrypting the response.  This form of the
+             padata is useful for supporting the use of certain
+             "smartcards" with Kerberos.  The details of such extensions
+             are beyond the scope of this specification.  See [10] for
+             additional uses of this field.
+
+   padata-type The padata-type element of the padata field indicates the
+             way that the padata-value element is to be interpreted.
+             Negative values of padata-type are reserved for
+             unregistered use; non-negative values are used for a
+             registered interpretation of the element type.
+
+   req-body  This field is a placeholder delimiting the extent of the
+             remaining fields.  If a checksum is to be calculated over
+             the request, it is calculated over an encoding of the KDC-
+             REQ-BODY sequence which is enclosed within the req-body
+             field.
+
+   kdc-options This field appears in the KRB_AS_REQ and KRB_TGS_REQ
+             requests to the KDC and indicates the flags that the client
+             wants set on the tickets as well as other information that
+             is to modify the behavior of the KDC. Where appropriate,
+             the name of an option may be the same as the flag that is
+             set by that option.  Although in most case, the bit in the
+             options field will be the same as that in the flags field,
+             this is not guaranteed, so it is not acceptable to simply
+             copy the options field to the flags field.  There are
+             various checks that must be made before honoring an option
+             anyway.
+
+             The kdc_options field is a bit-field, where the selected
+             options are indicated by the bit being set (1), and the
+             unselected options and reserved fields being reset (0).
+             The encoding of the bits is specified in section 5.2.  The
+             options are described in more detail above in section 2.
+             The meanings of the options are:
+
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 51]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             Bit(s)  Name         Description
+
+             0       RESERVED     Reserved for future expansion of this
+                                  field.
+
+             1       FORWARDABLE  The FORWARDABLE option indicates that
+                                  the ticket to be issued is to have its
+                                  forwardable flag set.  It may only be
+                                  set on the initial request, or in a
+                                  subsequent request if the ticket-
+                                  granting ticket on which it is based
+                                  is also forwardable.
+
+             2       FORWARDED    The FORWARDED option is only specified
+                                  in a request to the ticket-granting
+                                  server and will only be honored if the
+                                  ticket-granting ticket in the request
+                                  has its FORWARDABLE bit set.  This
+                                  option indicates that this is a
+                                  request for forwarding. The
+                                  address(es) of the host from which the
+                                  resulting ticket is to be valid are
+                                  included in the addresses field of the
+                                  request.
+
+
+             3       PROXIABLE    The PROXIABLE option indicates that
+                                  the ticket to be issued is to have its
+                                  proxiable flag set. It may only be set
+                                  on the initial request, or in a
+                                  subsequent request if the ticket-
+                                  granting ticket on which it is based
+                                  is also proxiable.
+
+             4       PROXY        The PROXY option indicates that this
+                                  is a request for a proxy.  This option
+                                  will only be honored if the ticket-
+                                  granting ticket in the request has its
+                                  PROXIABLE bit set.  The address(es) of
+                                  the host from which the resulting
+                                  ticket is to be valid are included in
+                                  the addresses field of the request.
+
+             5       ALLOW-POSTDATE The ALLOW-POSTDATE option indicates
+                                  that the ticket to be issued is to
+                                  have its MAY-POSTDATE flag set.  It
+                                  may only be set on the initial
+                                  request, or in a subsequent request if
+
+
+
+Kohl & Neuman                                                  [Page 52]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                                  the ticket-granting ticket on which it
+                                  is based also has its MAY-POSTDATE
+                                  flag set.
+
+             6       POSTDATED    The POSTDATED option indicates that
+                                  this is a request for a postdated
+                                  ticket.  This option will only be
+                                  honored if the ticket-granting ticket
+                                  on which it is based has its MAY-
+                                  POSTDATE flag set.  The resulting
+                                  ticket will also have its INVALID flag
+                                  set, and that flag may be reset by a
+                                  subsequent request to the KDC after
+                                  the starttime in the ticket has been
+                                  reached.
+
+             7       UNUSED       This option is presently unused.
+
+             8       RENEWABLE    The RENEWABLE option indicates that
+                                  the ticket to be issued is to have its
+                                  RENEWABLE flag set.  It may only be
+                                  set on the initial request, or when
+                                  the ticket-granting ticket on which
+                                  the request is based is also
+                                  renewable.  If this option is
+                                  requested, then the rtime field in the
+                                  request contains the desired absolute
+                                  expiration time for the ticket.
+
+             9-26    RESERVED     Reserved for future use.
+
+             27      RENEWABLE-OK The RENEWABLE-OK option indicates that
+                                  a renewable ticket will be acceptable
+                                  if a ticket with the requested life
+                                  cannot otherwise be provided.  If a
+                                  ticket with the requested life cannot
+                                  be provided, then a renewable ticket
+                                  may be issued with a renew-till equal
+                                  to the the requested endtime.  The
+                                  value of the renew-till field may
+                                  still be limited by local limits, or
+                                  limits selected by the individual
+                                  principal or server.
+
+             28      ENC-TKT-IN-SKEY This option is used only by the
+                                  ticket-granting service.  The ENC-
+                                  TKT-IN-SKEY option indicates that the
+                                  ticket for the end server is to be
+
+
+
+Kohl & Neuman                                                  [Page 53]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                                  encrypted in the session key from the
+                                  additional ticket-granting ticket
+                                  provided.
+
+             29      RESERVED     Reserved for future use.
+
+             30      RENEW        This option is used only by the
+                                  ticket-granting service.  The RENEW
+                                  option indicates that the present
+                                  request is for a renewal.  The ticket
+                                  provided is encrypted in the secret
+                                  key for the server on which it is
+                                  valid.  This option will only be
+                                  honored if the ticket to be renewed
+                                  has its RENEWABLE flag set and if the
+                                  time in its renew till field has not
+                                  passed.  The ticket to be renewed is
+                                  passed in the padata field as part of
+                                  the authentication header.
+
+             31      VALIDATE     This option is used only by the
+                                  ticket-granting service.  The VALIDATE
+                                  option indicates that the request is
+                                  to validate a postdated ticket.  It
+                                  will only be honored if the ticket
+                                  presented is postdated, presently has
+                                  its INVALID flag set, and would be
+                                  otherwise usable at this time.  A
+                                  ticket cannot be validated before its
+                                  starttime.  The ticket presented for
+                                  validation is encrypted in the key of
+                                  the server for which it is valid and
+                                  is passed in the padata field as part
+                                  of the authentication header.
+
+   cname and sname These fields are the same as those described for the
+             ticket in section 5.3.1.  sname may only be absent when the
+             ENC-TKT-IN-SKEY option is specified.  If absent, the name
+             of the server is taken from the name of the client in the
+             ticket passed as additional-tickets.
+
+   enc-authorization-data The enc-authorization-data, if present (and it
+             can only be present in the TGS_REQ form), is an encoding of
+             the desired authorization-data encrypted under the sub-
+             session key if present in the Authenticator, or
+             alternatively from the session key in the ticket-granting
+             ticket, both from the padata field in the KRB_AP_REQ.
+
+
+
+
+Kohl & Neuman                                                  [Page 54]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   realm     This field specifies the realm part of the server's
+             principal identifier. In the AS exchange, this is also the
+             realm part of the client's principal identifier.
+
+   from      This field is included in the KRB_AS_REQ and KRB_TGS_REQ
+             ticket requests when the requested ticket is to be
+             postdated.  It specifies the desired start time for the
+             requested ticket.
+
+   till      This field contains the expiration date requested by the
+             client in a ticket request.
+
+   rtime     This field is the requested renew-till time sent from a
+             client to the KDC in a ticket request.  It is optional.
+
+   nonce     This field is part of the KDC request and response.  It it
+             intended to hold a random number generated by the client.
+             If the same number is included in the encrypted response
+             from the KDC, it provides evidence that the response is
+             fresh and has not been replayed by an attacker.  Nonces
+             must never be re-used.  Ideally, it should be gen erated
+             randomly, but if the correct time is known, it may suffice
+             (Note, however, that if the time is used as the nonce, one
+             must make sure that the workstation time is monotonically
+             increasing.  If the time is ever reset backwards, there is
+             a small, but finite, probability that a nonce will be
+             reused.).
+
+   etype     This field specifies the desired encryption algorithm to be
+             used in the response.
+
+   addresses This field is included in the initial request for tickets,
+             and optionally included in requests for additional tickets
+             from the ticket-granting server.  It specifies the
+             addresses from which the requested ticket is to be valid.
+             Normally it includes the addresses for the client's host.
+             If a proxy is requested, this field will contain other
+             addresses.  The contents of this field are usually copied
+             by the KDC into the caddr field of the resulting ticket.
+
+   additional-tickets Additional tickets may be optionally included in a
+             request to the ticket-granting server.  If the ENC-TKT-IN-
+             SKEY option has been specified, then the session key from
+             the additional ticket will be used in place of the server's
+             key to encrypt the new ticket.  If more than one option
+             which requires additional tickets has been specified, then
+             the additional tickets are used in the order specified by
+             the ordering of the options bits (see kdc-options, above).
+
+
+
+Kohl & Neuman                                                  [Page 55]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   The application code will be either ten (10) or twelve (12) depending
+   on whether the request is for an initial ticket (AS-REQ) or for an
+   additional ticket (TGS-REQ).
+
+   The optional fields (addresses, authorization-data and additional-
+   tickets) are only included if necessary to perform the operation
+   specified in the kdc-options field.
+
+   It should be noted that in KRB_TGS_REQ, the protocol version number
+   appears twice and two different message types appear: the KRB_TGS_REQ
+   message contains these fields as does the authentication header
+   (KRB_AP_REQ) that is passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+   The KRB_KDC_REP message format is used for the reply from the KDC for
+   either an initial (AS) request or a subsequent (TGS) request.  There
+   is no message type for KRB_KDC_REP.  Instead, the type will be either
+   KRB_AS_REP or KRB_TGS_REP.  The key used to encrypt the ciphertext
+   part of the reply depends on the message type.  For KRB_AS_REP, the
+   ciphertext is encrypted in the client's secret key, and the client's
+   key version number is included in the key version number for the
+   encrypted data.  For KRB_TGS_REP, the ciphertext is encrypted in the
+   sub-session key from the Authenticator, or if absent, the session key
+   from the ticket-granting ticket used in the request.  In that case,
+   no version number will be present in the EncryptedData sequence.
+
+   The KRB_KDC_REP message contains the following fields:
+
+   AS-REP ::=    [APPLICATION 11] KDC-REP
+   TGS-REP ::=   [APPLICATION 13] KDC-REP
+
+   KDC-REP ::=   SEQUENCE {
+                 pvno[0]                    INTEGER,
+                 msg-type[1]                INTEGER,
+                 padata[2]                  SEQUENCE OF PA-DATA OPTIONAL,
+                 crealm[3]                  Realm,
+                 cname[4]                   PrincipalName,
+                 ticket[5]                  Ticket,
+                 enc-part[6]                EncryptedData
+   }
+
+   EncASRepPart ::=    [APPLICATION 25[25]] EncKDCRepPart
+   EncTGSRepPart ::=   [APPLICATION 26] EncKDCRepPart
+
+   EncKDCRepPart ::=   SEQUENCE {
+               key[0]                       EncryptionKey,
+               last-req[1]                  LastReq,
+
+
+
+Kohl & Neuman                                                  [Page 56]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+               nonce[2]                     INTEGER,
+               key-expiration[3]            KerberosTime OPTIONAL,
+               flags[4]                     TicketFlags,
+               authtime[5]                  KerberosTime,
+               starttime[6]                 KerberosTime OPTIONAL,
+               endtime[7]                   KerberosTime,
+               renew-till[8]                KerberosTime OPTIONAL,
+               srealm[9]                    Realm,
+               sname[10]                    PrincipalName,
+               caddr[11]                    HostAddresses OPTIONAL
+   }
+
+   NOTE: In EncASRepPart, the application code in the encrypted
+         part of a message provides an additional check that
+         the message was decrypted properly.
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is either KRB_AS_REP or KRB_TGS_REP.
+
+   padata    This field is described in detail in section 5.4.1.  One
+             possible use for this field is to encode an alternate
+             "mix-in" string to be used with a string-to-key algorithm
+             (such as is described in section 6.3.2). This ability is
+             useful to ease transitions if a realm name needs to change
+             (e.g., when a company is acquired); in such a case all
+             existing password-derived entries in the KDC database would
+             be flagged as needing a special mix-in string until the
+             next password change.
+
+   crealm, cname, srealm and sname These fields are the same as those
+             described for the ticket in section 5.3.1.
+
+   ticket    The newly-issued ticket, from section 5.3.1.
+
+   enc-part  This field is a place holder for the ciphertext and related
+             information that forms the encrypted part of a message.
+             The description of the encrypted part of the message
+             follows each appearance of this field.  The encrypted part
+             is encoded as described in section 6.1.
+
+   key       This field is the same as described for the ticket in
+             section 5.3.1.
+
+   last-req  This field is returned by the KDC and specifies the time(s)
+             of the last request by a principal.  Depending on what
+             information is available, this might be the last time that
+             a request for a ticket-granting ticket was made, or the
+             last time that a request based on a ticket-granting ticket
+
+
+
+Kohl & Neuman                                                  [Page 57]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             was successful.  It also might cover all servers for a
+             realm, or just the particular server. Some implementations
+             may display this information to the user to aid in
+             discovering unauthorized use of one's identity.  It is
+             similar in spirit to the last login time displayed when
+             logging into timesharing systems.
+
+   nonce     This field is described above in section 5.4.1.
+
+   key-expiration The key-expiration field is part of the response from
+             the KDC and specifies the time that the client's secret key
+             is due to expire.  The expiration might be the result of
+             password aging or an account expiration.  This field will
+             usually be left out of the TGS reply since the response to
+             the TGS request is encrypted in a session key and no client
+             information need be retrieved from the KDC database.  It is
+             up to the application client (usually the login program) to
+             take appropriate action (such as notifying the user) if the
+             expira    tion time is imminent.
+
+   flags, authtime, starttime, endtime, renew-till and caddr These
+             fields are duplicates of those found in the encrypted
+             portion of the attached ticket (see section 5.3.1),
+             provided so the client may verify they match the intended
+             request and to assist in proper ticket caching.  If the
+             message is of type KRB_TGS_REP, the caddr field will only
+             be filled in if the request was for a proxy or forwarded
+             ticket, or if the user is substituting a subset of the
+             addresses from the ticket granting ticket.  If the client-
+             requested addresses are not present or not used, then the
+             addresses contained in the ticket will be the same as those
+             included in the ticket-granting ticket.
+
+5.5.  Client/Server (CS) message specifications
+
+   This section specifies the format of the messages used for the
+   authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+   The KRB_AP_REQ message contains the Kerberos protocol version number,
+   the message type KRB_AP_REQ, an options field to indicate any options
+   in use, and the ticket and authenticator themselves.  The KRB_AP_REQ
+   message is often referred to as the "authentication header".
+
+   AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+                   pvno[0]                       INTEGER,
+                   msg-type[1]                   INTEGER,
+
+
+
+Kohl & Neuman                                                  [Page 58]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                   ap-options[2]                 APOptions,
+                   ticket[3]                     Ticket,
+                   authenticator[4]              EncryptedData
+   }
+
+   APOptions ::=   BIT STRING {
+                   reserved(0),
+                   use-session-key(1),
+                   mutual-required(2)
+   }
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_AP_REQ.
+
+   ap-options This field appears in the application request (KRB_AP_REQ)
+             and affects the way the request is processed.  It is a
+             bit-field, where the selected options are indicated by the
+             bit being set (1), and the unselected options and reserved
+             fields being reset (0).  The encoding of the bits is
+             specified in section 5.2.  The meanings of the options are:
+
+             Bit(s)  Name           Description
+
+             0       RESERVED       Reserved for future expansion of
+                                  this field.
+
+             1       USE-SESSION-KEYThe USE-SESSION-KEY option indicates
+                                  that the ticket the client is
+                                  presenting to a server is encrypted in
+                                  the session key from the server's
+                                  ticket-granting ticket. When this
+                                  option is not specified, the ticket is
+                                  encrypted in the server's secret key.
+
+             2       MUTUAL-REQUIREDThe MUTUAL-REQUIRED option tells the
+                                  server that the client requires mutual
+                                  authentication, and that it must
+                                  respond with a KRB_AP_REP message.
+
+             3-31    RESERVED       Reserved for future use.
+
+   ticket    This field is a ticket authenticating the client to the
+             server.
+
+   authenticator This contains the authenticator, which includes the
+             client's choice of a subkey.  Its encoding is described in
+             section 5.3.2.
+
+
+
+
+Kohl & Neuman                                                  [Page 59]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+5.5.2.  KRB_AP_REP definition
+
+   The KRB_AP_REP message contains the Kerberos protocol version number,
+   the message type, and an encrypted timestamp. The message is sent in
+   in response to an application request (KRB_AP_REQ) where the mutual
+   authentication option has been selected in the ap-options field.
+
+   AP-REP ::=         [APPLICATION 15] SEQUENCE {
+              pvno[0]                   INTEGER,
+              msg-type[1]               INTEGER,
+              enc-part[2]               EncryptedData
+   }
+
+   EncAPRepPart ::=   [APPLICATION 27]     SEQUENCE {
+              ctime[0]                  KerberosTime,
+              cusec[1]                  INTEGER,
+              subkey[2]                 EncryptionKey OPTIONAL,
+              seq-number[3]             INTEGER OPTIONAL
+   }
+
+   NOTE: in EncAPRepPart, the application code in the encrypted part of
+   a message provides an additional check that the message was decrypted
+   properly.
+
+   The encoded EncAPRepPart is encrypted in the shared session key of
+   the ticket.  The optional subkey field can be used in an
+   application-arranged negotiation to choose a per association session
+   key.
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_AP_REP.
+
+   enc-part  This field is described above in section 5.4.2.
+
+   ctime     This field contains the current time on the client's host.
+
+   cusec     This field contains the microsecond part of the client's
+             timestamp.
+
+   subkey    This field contains an encryption key which is to be used
+             to protect this specific application session.  See section
+             3.2.6 for specifics on how this field is used to negotiate
+             a key.  Unless an application specifies otherwise, if this
+             field is left out, the sub-session key from the
+             authenticator, or if also left out, the session key from
+             the ticket will be used.
+
+
+
+
+
+Kohl & Neuman                                                  [Page 60]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+5.5.3. Error message reply
+
+   If an error occurs while processing the application request, the
+   KRB_ERROR message will be sent in response.  See section 5.9.1 for
+   the format of the error message.  The cname and crealm fields may be
+   left out if the server cannot determine their appropriate values from
+   the corresponding KRB_AP_REQ message.  If the authenticator was
+   decipherable, the ctime and cusec fields will contain the values from
+   it.
+
+5.6.  KRB_SAFE message specification
+
+   This section specifies the format of a message that can be used by
+   either side (client or server) of an application to send a tamper-
+   proof message to its peer. It presumes that a session key has
+   previously been exchanged (for example, by using the
+   KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+   The KRB_SAFE message contains user data along with a collision-proof
+   checksum keyed with the session key.  The message fields are:
+
+   KRB-SAFE ::=        [APPLICATION 20] SEQUENCE {
+               pvno[0]               INTEGER,
+               msg-type[1]           INTEGER,
+               safe-body[2]          KRB-SAFE-BODY,
+               cksum[3]              Checksum
+   }
+
+   KRB-SAFE-BODY ::=   SEQUENCE {
+               user-data[0]          OCTET STRING,
+               timestamp[1]          KerberosTime OPTIONAL,
+               usec[2]               INTEGER OPTIONAL,
+               seq-number[3]         INTEGER OPTIONAL,
+               s-address[4]          HostAddress,
+               r-address[5]          HostAddress OPTIONAL
+   }
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_SAFE.
+
+   safe-body This field is a placeholder for the body of the KRB-SAFE
+             message.  It is to be encoded separately and then have the
+             checksum computed over it, for use in the cksum field.
+
+   cksum     This field contains the checksum of the application data.
+             Checksum details are described in section 6.4.  The
+
+
+
+Kohl & Neuman                                                  [Page 61]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             checksum is computed over the encoding of the KRB-SAFE-BODY
+             sequence.
+
+   user-data This field is part of the KRB_SAFE and KRB_PRIV messages
+             and contain the application specific data that is being
+             passed from the sender to the recipient.
+
+   timestamp This field is part of the KRB_SAFE and KRB_PRIV messages.
+             Its contents are the current time as known by the sender of
+             the message. By checking the timestamp, the recipient of
+             the message is able to make sure that it was recently
+             generated, and is not a replay.
+
+   usec      This field is part of the KRB_SAFE and KRB_PRIV headers.
+             It contains the microsecond part of the timestamp.
+
+   seq-number This field is described above in section 5.3.2.
+
+   s-address This field specifies the address in use by the sender of
+             the message.
+
+   r-address This field specifies the address in use by the recipient of
+             the message.  It may be omitted for some uses (such as
+             broadcast protocols), but the recipient may arbitrarily
+             reject such messages.  This field along with s-address can
+             be used to help detect messages which have been incorrectly
+             or maliciously delivered to the wrong recipient.
+
+5.7.  KRB_PRIV message specification
+
+   This section specifies the format of a message that can be used by
+   either side (client or server) of an application to securely and
+   privately send a message to its peer.  It presumes that a session key
+   has previously been exchanged (for example, by using the
+   KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+   The KRB_PRIV message contains user data encrypted in the Session Key.
+   The message fields are:
+
+   KRB-PRIV ::=         [APPLICATION 21] SEQUENCE {
+                pvno[0]                   INTEGER,
+                msg-type[1]               INTEGER,
+                enc-part[3]               EncryptedData
+   }
+
+
+
+
+
+Kohl & Neuman                                                  [Page 62]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   EncKrbPrivPart ::=   [APPLICATION 28] SEQUENCE {
+                user-data[0]              OCTET STRING,
+                timestamp[1]              KerberosTime OPTIONAL,
+                usec[2]                   INTEGER OPTIONAL,
+                seq-number[3]             INTEGER OPTIONAL,
+                s-address[4]              HostAddress, -- sender's addr
+                r-address[5]              HostAddress OPTIONAL
+                                                      -- recip's addr
+   }
+
+   NOTE: In EncKrbPrivPart, the application code in the encrypted part
+   of a message provides an additional check that the message was
+   decrypted properly.
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_PRIV.
+
+   enc-part  This field holds an encoding of the EncKrbPrivPart sequence
+             encrypted under the session key (If supported by the
+             encryption method in use, an initialization vector may be
+             passed to the encryption procedure, in order to achieve
+             proper cipher chaining.  The initialization vector might
+             come from the last block of the ciphertext from the
+             previous KRB_PRIV message, but it is the application's
+             choice whether or not to use such an initialization vector.
+             If left out, the default initialization vector for the
+             encryption algorithm will be used.).  This encrypted
+             encoding is used for the enc-part field of the KRB-PRIV
+             message.  See section 6 for the format of the ciphertext.
+
+   user-data, timestamp, usec, s-address and r-address These fields are
+             described above in section 5.6.1.
+
+   seq-number This field is described above in section 5.3.2.
+
+5.8.  KRB_CRED message specification
+
+   This section specifies the format of a message that can be used to
+   send Kerberos credentials from one principal to another.  It is
+   presented here to encourage a common mechanism to be used by
+   applications when forwarding tickets or providing proxies to
+   subordinate servers.  It presumes that a session key has already been
+   exchanged perhaps by using the KRB_AP_REQ/KRB_AP_REP messages.
+
+5.8.1. KRB_CRED definition
+
+   The KRB_CRED message contains a sequence of tickets to be sent and
+   information needed to use the tickets, including the session key from
+
+
+
+Kohl & Neuman                                                  [Page 63]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   each.  The information needed to use the tickets is encryped under an
+   encryption key previously exchanged.  The message fields are:
+
+   KRB-CRED         ::= [APPLICATION 22]   SEQUENCE {
+                    pvno[0]                INTEGER,
+                    msg-type[1]            INTEGER, -- KRB_CRED
+                    tickets[2]             SEQUENCE OF Ticket,
+                    enc-part[3]            EncryptedData
+   }
+
+   EncKrbCredPart   ::= [APPLICATION 29]   SEQUENCE {
+                    ticket-info[0]         SEQUENCE OF KrbCredInfo,
+                    nonce[1]               INTEGER OPTIONAL,
+                    timestamp[2]           KerberosTime OPTIONAL,
+                    usec[3]                INTEGER OPTIONAL,
+                    s-address[4]           HostAddress OPTIONAL,
+                    r-address[5]           HostAddress OPTIONAL
+   }
+
+   KrbCredInfo      ::=                    SEQUENCE {
+                    key[0]                 EncryptionKey,
+                    prealm[1]              Realm OPTIONAL,
+                    pname[2]               PrincipalName OPTIONAL,
+                    flags[3]               TicketFlags OPTIONAL,
+                    authtime[4]            KerberosTime OPTIONAL,
+                    starttime[5]           KerberosTime OPTIONAL,
+                    endtime[6]             KerberosTime OPTIONAL
+                    renew-till[7]          KerberosTime OPTIONAL,
+                    srealm[8]              Realm OPTIONAL,
+                    sname[9]               PrincipalName OPTIONAL,
+                    caddr[10]              HostAddresses OPTIONAL
+   }
+
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_CRED.
+
+   tickets
+               These are the tickets obtained from the KDC specifically
+             for use by the intended recipient.  Successive tickets are
+             paired with the corresponding KrbCredInfo sequence from the
+             enc-part of the KRB-CRED message.
+
+   enc-part  This field holds an encoding of the EncKrbCredPart sequence
+             encrypted under the session key shared between the sender
+             and the intended recipient.  This encrypted encoding is
+             used for the enc-part field of the KRB-CRED message.  See
+             section 6 for the format of the ciphertext.
+
+
+
+Kohl & Neuman                                                  [Page 64]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   nonce     If practical, an application may require the inclusion of a
+             nonce generated by the recipient of the message. If the
+             same value is included as the nonce in the message, it
+             provides evidence that the message is fresh and has not
+             been replayed by an attacker.  A nonce must never be re-
+             used; it should be generated randomly by the recipient of
+             the message and provided to the sender of the mes  sage in
+             an application specific manner.
+
+   timestamp and usec These fields specify the time that the KRB-CRED
+             message was generated.  The time is used to provide
+             assurance that the message is fresh.
+
+   s-address and r-address These fields are described above in section
+             5.6.1.  They are used optionally to provide additional
+             assurance of the integrity of the KRB-CRED message.
+
+   key       This field exists in the corresponding ticket passed by the
+             KRB-CRED message and is used to pass the session key from
+             the sender to the intended recipient.  The field's encoding
+             is described in section 6.2.
+
+   The following fields are optional.   If present, they can be
+   associated with the credentials in the remote ticket file.  If left
+   out, then it is assumed that the recipient of the credentials already
+   knows their value.
+
+   prealm and pname The name and realm of the delegated principal
+             identity.
+
+   flags, authtime,  starttime,  endtime, renew-till,  srealm, sname,
+             and caddr These fields contain the values of the
+             corresponding fields from the ticket found in the ticket
+             field.  Descriptions of the fields are identical to the
+             descriptions in the KDC-REP message.
+
+5.9.  Error message specification
+
+   This section specifies the format for the KRB_ERROR message.  The
+   fields included in the message are intended to return as much
+   information as possible about an error.  It is not expected that all
+   the information required by the fields will be available for all
+   types of errors.  If the appropriate information is not available
+   when the message is composed, the corresponding field will be left
+   out of the message.
+
+   Note that since the KRB_ERROR message is not protected by any
+   encryption, it is quite possible for an intruder to synthesize or
+
+
+
+Kohl & Neuman                                                  [Page 65]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   modify such a message.  In particular, this means that the client
+   should not use any fields in this message for security-critical
+   purposes, such as setting a system clock or generating a fresh
+   authenticator.  The message can be useful, however, for advising a
+   user on the reason for some failure.
+
+5.9.1. KRB_ERROR definition
+
+   The KRB_ERROR message consists of the following fields:
+
+   KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                   pvno[0]               INTEGER,
+                   msg-type[1]           INTEGER,
+                   ctime[2]              KerberosTime OPTIONAL,
+                   cusec[3]              INTEGER OPTIONAL,
+                   stime[4]              KerberosTime,
+                   susec[5]              INTEGER,
+                   error-code[6]         INTEGER,
+                   crealm[7]             Realm OPTIONAL,
+                   cname[8]              PrincipalName OPTIONAL,
+                   realm[9]              Realm, -- Correct realm
+                   sname[10]             PrincipalName, -- Correct name
+                   e-text[11]            GeneralString OPTIONAL,
+                   e-data[12]            OCTET STRING OPTIONAL
+   }
+
+   pvno and msg-type These fields are described above in section 5.4.1.
+             msg-type is KRB_ERROR.
+
+   ctime     This field is described above in section 5.4.1.
+
+   cusec     This field is described above in section 5.5.2.
+
+   stime     This field contains the current time on the server.  It is
+             of type KerberosTime.
+
+   susec     This field contains the microsecond part of the server's
+             timestamp.  Its value ranges from 0 to 999. It appears
+             along with stime. The two fields are used in conjunction to
+             specify a reasonably accurate timestamp.
+
+   error-code This field contains the error code returned by Kerberos or
+             the server when a request fails.  To interpret the value of
+             this field see the list of error codes in section 8.
+             Implementations are encouraged to provide for national
+             language support in the display of error messages.
+
+   crealm, cname, srealm and sname These fields are described above in
+
+
+
+Kohl & Neuman                                                  [Page 66]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+             section 5.3.1.
+
+   e-text    This field contains additional text to help explain the
+             error code associated with the failed request (for example,
+             it might include a principal name which was unknown).
+
+   e-data    This field contains additional data about the error for use
+             by the application to help it recover from or handle the
+             error.  If the errorcode is KDC_ERR_PREAUTH_REQUIRED, then
+             the e-data field will contain an encoding of a sequence of
+             padata fields, each corresponding to an acceptable pre-
+             authentication method and optionally containing data for
+             the method:
+
+      METHOD-DATA ::=    SEQUENCE of PA-DATA
+
+   If the error-code is KRB_AP_ERR_METHOD, then the e-data field will
+   contain an encoding of the following sequence:
+
+      METHOD-DATA ::=    SEQUENCE {
+                         method-type[0]   INTEGER,
+                         method-data[1]   OCTET STRING OPTIONAL
+       }
+
+   method-type will indicate the required alternate method; method-data
+   will contain any required additional information.
+
+6.  Encryption and Checksum Specifications
+
+   The Kerberos protocols described in this document are designed to use
+   stream encryption ciphers, which can be simulated using commonly
+   available block encryption ciphers, such as the Data Encryption
+   Standard [11], in conjunction with block chaining and checksum
+   methods [12].  Encryption is used to prove the identities of the
+   network entities participating in message exchanges.  The Key
+   Distribution Center for each realm is trusted by all principals
+   registered in that realm to store a secret key in confidence.  Proof
+   of knowledge of this secret key is used to verify the authenticity of
+   a principal.
+
+   The KDC uses the principal's secret key (in the AS exchange) or a
+   shared session key (in the TGS exchange) to encrypt responses to
+   ticket requests; the ability to obtain the secret key or session key
+   implies the knowledge of the appropriate keys and the identity of the
+   KDC. The ability of a principal to decrypt the KDC response and
+   present a Ticket and a properly formed Authenticator (generated with
+   the session key from the KDC response) to a service verifies the
+   identity of the principal; likewise the ability of the service to
+
+
+
+Kohl & Neuman                                                  [Page 67]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   extract the session key from the Ticket and prove its knowledge
+   thereof in a response verifies the identity of the service.
+
+   The Kerberos protocols generally assume that the encryption used is
+   secure from cryptanalysis; however, in some cases, the order of
+   fields in the encrypted portions of messages are arranged to minimize
+   the effects of poorly chosen keys.  It is still important to choose
+   good keys.  If keys are derived from user-typed passwords, those
+   passwords need to be well chosen to make brute force attacks more
+   difficult.  Poorly chosen keys still make easy targets for intruders.
+
+   The following sections specify the encryption and checksum mechanisms
+   currently defined for Kerberos.  The encodings, chaining, and padding
+   requirements for each are described.  For encryption methods, it is
+   often desirable to place random information (often referred to as a
+   confounder) at the start of the message.  The requirements for a
+   confounder are specified with each encryption mechanism.
+
+   Some encryption systems use a block-chaining method to improve the
+   the security characteristics of the ciphertext.  However, these
+   chaining methods often don't provide an integrity check upon
+   decryption.  Such systems (such as DES in CBC mode) must be augmented
+   with a checksum of the plaintext which can be verified at decryption
+   and used to detect any tampering or damage.  Such checksums should be
+   good at detecting burst errors in the input.  If any damage is
+   detected, the decryption routine is expected to return an error
+   indicating the failure of an integrity check. Each encryption type is
+   expected to provide and verify an appropriate checksum. The
+   specification of each encryption method sets out its checksum
+   requirements.
+
+   Finally, where a key is to be derived from a user's password, an
+   algorithm for converting the password to a key of the appropriate
+   type is included.  It is desirable for the string to key function to
+   be one-way, and for the mapping to be different in different realms.
+   This is important because users who are registered in more than one
+   realm will often use the same password in each, and it is desirable
+   that an attacker compromising the Kerberos server in one realm not
+   obtain or derive the user's key in another.
+
+   For a discussion of the integrity characteristics of the candidate
+   encryption and checksum methods considered for Kerberos, the the
+   reader is referred to [13].
+
+6.1.  Encryption Specifications
+
+   The following ASN.1 definition describes all encrypted messages.  The
+   enc-part field which appears in the unencrypted part of messages in
+
+
+
+Kohl & Neuman                                                  [Page 68]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   section 5 is a sequence consisting of an encryption type, an optional
+   key version number, and the ciphertext.
+
+   EncryptedData ::=   SEQUENCE {
+                       etype[0]     INTEGER, -- EncryptionType
+                       kvno[1]      INTEGER OPTIONAL,
+                       cipher[2]    OCTET STRING -- ciphertext
+   }
+
+   etype     This field identifies which encryption algorithm was used
+             to encipher the cipher.  Detailed specifications for
+             selected encryption types appear later in this section.
+
+   kvno      This field contains the version number of the key under
+             which data is encrypted.  It is only present in messages
+             encrypted under long lasting keys, such as principals'
+             secret keys.
+
+   cipher    This field contains the enciphered text, encoded as an
+             OCTET STRING.
+
+   The cipher field is generated by applying the specified encryption
+   algorithm to data composed of the message and algorithm-specific
+   inputs.  Encryption mechanisms defined for use with Kerberos must
+   take sufficient measures to guarantee the integrity of the plaintext,
+   and we recommend they also take measures to protect against
+   precomputed dictionary attacks.  If the encryption algorithm is not
+   itself capable of doing so, the protections can often be enhanced by
+   adding a checksum and a confounder.
+
+   The suggested format for the data to be encrypted includes a
+   confounder, a checksum, the encoded plaintext, and any necessary
+   padding.  The msg-seq field contains the part of the protocol message
+   described in section 5 which is to be encrypted.  The confounder,
+   checksum, and padding are all untagged and untyped, and their length
+   is exactly sufficient to hold the appropriate item.  The type and
+   length is implicit and specified by the particular encryption type
+   being used (etype).  The format for the data to be encrypted is
+   described in the following diagram:
+
+         +-----------+----------+-------------+-----+
+         |confounder |   check  |   msg-seq   | pad |
+         +-----------+----------+-------------+-----+
+
+   The format cannot be described in ASN.1, but for those who prefer an
+   ASN.1-like notation:
+
+
+
+
+
+Kohl & Neuman                                                  [Page 69]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+CipherText ::=   ENCRYPTED       SEQUENCE {
+         confounder[0]   UNTAGGED OCTET STRING(conf_length)     OPTIONAL,
+         check[1]        UNTAGGED OCTET STRING(checksum_length) OPTIONAL,
+         msg-seq[2]      MsgSequence,
+         pad             UNTAGGED OCTET STRING(pad_length) OPTIONAL
+}
+
+   In the above specification, UNTAGGED OCTET STRING(length) is the
+   notation for an octet string with its tag and length removed.  It is
+   not a valid ASN.1 type.  The tag bits and length must be removed from
+   the confounder since the purpose of the confounder is so that the
+   message starts with random data, but the tag and its length are
+   fixed.  For other fields, the length and tag would be redundant if
+   they were included because they are specified by the encryption type.
+
+   One generates a random confounder of the appropriate length, placing
+   it in confounder; zeroes out check; calculates the appropriate
+   checksum over confounder, check, and msg-seq, placing the result in
+   check; adds the necessary padding; then encrypts using the specified
+   encryption type and the appropriate key.
+
+   Unless otherwise specified, a definition of an encryption algorithm
+   that specifies a checksum, a length for the confounder field, or an
+   octet boundary for padding uses this ciphertext format (The ordering
+   of the fields in the CipherText is important.  Additionally, messages
+   encoded in this format must include a length as part of the msg-seq
+   field.  This allows the recipient to verify that the message has not
+   been truncated.  Without a length, an attacker could use a chosen
+   plaintext attack to generate a message which could be truncated,
+   while leaving the checksum intact.  Note that if the msg-seq is an
+   encoding of an ASN.1 SEQUENCE or OCTET STRING, then the length is
+   part of that encoding.). Those fields which are not specified will be
+   omitted.
+
+   In the interest of allowing all implementations using a particular
+   encryption type to communicate with all others using that type, the
+   specification of an encryption type defines any checksum that is
+   needed as part of the encryption process.  If an alternative checksum
+   is to be used, a new encryption type must be defined.
+
+   Some cryptosystems require additional information beyond the key and
+   the data to be encrypted. For example, DES, when used in cipher-
+   block-chaining mode, requires an initialization vector.  If required,
+   the description for each encryption type must specify the source of
+   such additional information.
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 70]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+6.2.  Encryption Keys
+
+   The sequence below shows the encoding of an encryption key:
+
+          EncryptionKey ::=   SEQUENCE {
+                              keytype[0]    INTEGER,
+                              keyvalue[1]   OCTET STRING
+          }
+
+   keytype   This field specifies the type of encryption key that
+             follows in the keyvalue field.  It will almost always
+             correspond to the encryption algorithm used to generate the
+             EncryptedData, though more than one algorithm may use the
+             same type of key (the mapping is many to one).  This might
+             happen, for example, if the encryption algorithm uses an
+             alternate checksum algorithm for an integrity check, or a
+             different chaining mechanism.
+
+   keyvalue  This field contains the key itself, encoded as an octet
+             string.
+
+   All negative values for the  encryption key type are reserved for
+   local use.  All non-negative values are reserved for officially
+   assigned type fields and interpretations.
+
+6.3.  Encryption Systems
+
+6.3.1. The NULL Encryption System (null)
+
+   If no encryption is in use, the encryption system is said to be the
+   NULL encryption system.  In the NULL encryption system there is no
+   checksum, confounder or padding.  The ciphertext is simply the
+   plaintext.  The NULL Key is used by the null encryption system and is
+   zero octets in length, with keytype zero (0).
+
+6.3.2. DES in CBC mode with a CRC-32 checksum (des-cbc-crc)
+
+   The des-cbc-crc encryption mode encrypts information under the Data
+   Encryption Standard [11] using the cipher block chaining mode [12].
+   A CRC-32 checksum (described in ISO 3309 [14]) is applied to the
+   confounder and message sequence (msg-seq) and placed in the cksum
+   field.  DES blocks are 8 bytes.  As a result, the data to be
+   encrypted (the concatenation of confounder, checksum, and message)
+   must be padded to an 8 byte boundary before encryption.  The details
+   of the encryption of this data are identical to those for the des-
+   cbc-md5 encryption mode.
+
+   Note that, since the CRC-32 checksum is not collisionproof, an
+
+
+
+Kohl & Neuman                                                  [Page 71]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   attacker could use a probabilistic chosenplaintext attack to generate
+   a valid message even if a confounder is used [13]. The use of
+   collision-proof checksums is recommended for environments where such
+   attacks represent a significant threat.  The use of the CRC-32 as the
+   checksum for ticket or authenticator is no longer mandated as an
+   interoperability requirement for Kerberos Version 5 Specification 1
+   (See section 9.1 for specific details).
+
+6.3.3. DES in CBC mode with an MD4 checksum (des-cbc-md4)
+
+   The des-cbc-md4 encryption mode encrypts information under the Data
+   Encryption Standard [11] using the cipher block chaining mode [12].
+   An MD4 checksum (described in [15]) is applied to the confounder and
+   message sequence (msg-seq) and placed in the cksum field.  DES blocks
+   are 8 bytes.  As a result, the data to be encrypted (the
+   concatenation of confounder, checksum, and message) must be padded to
+   an 8 byte boundary before encryption.  The details of the encryption
+   of this data are identical to those for the descbc-md5 encryption
+   mode.
+
+6.3.4. DES in CBC mode with an MD5 checksum (des-cbc-md5)
+
+   The des-cbc-md5 encryption mode encrypts information under the Data
+   Encryption Standard [11] using the cipher block chaining mode [12].
+   An MD5 checksum (described in [16]) is applied to the confounder and
+   message sequence (msg-seq) and placed in the cksum field.  DES blocks
+   are 8 bytes.  As a result, the data to be encrypted (the
+   concatenation of confounder, checksum, and message) must be padded to
+   an 8 byte boundary before encryption.
+
+   Plaintext and DES ciphtertext are encoded as 8-octet blocks which are
+   concatenated to make the 64-bit inputs for the DES algorithms.  The
+   first octet supplies the 8 most significant bits (with the octet's
+   MSbit used as the DES input block's MSbit, etc.), the second octet
+   the next 8 bits, ..., and the eighth octet supplies the 8 least
+   significant bits.
+
+   Encryption under DES using cipher block chaining requires an
+   additional input in the form of an initialization vector.  Unless
+   otherwise specified, zero should be used as the initialization
+   vector.  Kerberos' use of DES requires an 8-octet confounder.
+
+   The DES specifications identify some "weak" and "semiweak" keys;
+   those keys shall not be used for encrypting messages for use in
+   Kerberos.  Additionally, because of the way that keys are derived for
+   the encryption of checksums, keys shall not be used that yield "weak"
+   or "semi-weak" keys when eXclusive-ORed with the constant
+   F0F0F0F0F0F0F0F0.
+
+
+
+Kohl & Neuman                                                  [Page 72]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   A DES key is 8 octets of data, with keytype one (1).  This consists
+   of 56 bits of key, and 8 parity bits (one per octet).  The key is
+   encoded as a series of 8 octets written in MSB-first order. The bits
+   within the key are also encoded in MSB order.  For example, if the
+   encryption key is:
+   (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8) where
+   B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8 are the
+   parity bits, the first octet of the key would be B1,B2,...,B7,P1
+   (with B1 as the MSbit).  [See the FIPS 81 introduction for
+   reference.]
+
+   To generate a DES key from a text string (password), the text string
+   normally must have the realm and each component of the principal's
+   name appended(In some cases, it may be necessary to use a different
+   "mix-in" string for compatibility reasons; see the discussion of
+   padata in section 5.4.2.), then padded with ASCII nulls to an 8 byte
+   boundary.  This string is then fan-folded and eXclusive-ORed with
+   itself to form an 8 byte DES key.  The parity is corrected on the
+   key, and it is used to generate a DES CBC checksum on the initial
+   string (with the realm and name appended).  Next, parity is corrected
+   on the CBC checksum.  If the result matches a "weak" or "semiweak"
+   key as described in the DES specification, it is eXclusive-ORed with
+   the constant 00000000000000F0.  Finally, the result is returned as
+   the key.  Pseudocode follows:
+
+        string_to_key(string,realm,name) {
+             odd = 1;
+             s = string + realm;
+             for(each component in name) {
+                  s = s + component;
+             }
+             tempkey = NULL;
+             pad(s); /* with nulls to 8 byte boundary */
+             for(8byteblock in s) {
+                  if(odd == 0)  {
+                      odd = 1;
+                      reverse(8byteblock)
+                  }
+                  else odd = 0;
+                  tempkey = tempkey XOR 8byteblock;
+             }
+             fixparity(tempkey);
+             key = DES-CBC-check(s,tempkey);
+             fixparity(key);
+             if(is_weak_key_key(key))
+                  key = key XOR 0xF0;
+             return(key);
+        }
+
+
+
+Kohl & Neuman                                                  [Page 73]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+6.4.  Checksums
+
+   The following is the ASN.1 definition used for a checksum:
+
+            Checksum ::=   SEQUENCE {
+                           cksumtype[0]   INTEGER,
+                           checksum[1]    OCTET STRING
+            }
+
+   cksumtype This field indicates the algorithm used to generate the
+             accompanying checksum.
+
+   checksum  This field contains the checksum itself, encoded
+             as an octet string.
+
+   Detailed specification of selected checksum types appear later in
+   this section.  Negative values for the checksum type are reserved for
+   local use.  All non-negative values are reserved for officially
+   assigned type fields and interpretations.
+
+   Checksums used by Kerberos can be classified by two properties:
+   whether they are collision-proof, and whether they are keyed.  It is
+   infeasible to find two plaintexts which generate the same checksum
+   value for a collision-proof checksum.  A key is required to perturb
+   or initialize the algorithm in a keyed checksum.  To prevent
+   message-stream modification by an active attacker, unkeyed checksums
+   should only be used when the checksum and message will be
+   subsequently encrypted (e.g., the checksums defined as part of the
+   encryption algorithms covered earlier in this section).  Collision-
+   proof checksums can be made tamper-proof as well if the checksum
+   value is encrypted before inclusion in a message.  In such cases, the
+   composition of the checksum and the encryption algorithm must be
+   considered a separate checksum algorithm (e.g., RSA-MD5 encrypted
+   using DES is a new checksum algorithm of type RSA-MD5-DES).  For most
+   keyed checksums, as well as for the encrypted forms of collisionproof
+   checksums, Kerberos prepends a confounder before the checksum is
+   calculated.
+
+6.4.1. The CRC-32 Checksum (crc32)
+
+   The CRC-32 checksum calculates a checksum based on a cyclic
+   redundancy check as described in ISO 3309 [14].  The resulting
+   checksum is four (4) octets in length.  The CRC-32 is neither keyed
+   nor collision-proof.  The use of this checksum is not recommended.
+   An attacker using a probabilistic chosen-plaintext attack as
+   described in [13] might be able to generate an alternative message
+   that satisfies the checksum.  The use of collision-proof checksums is
+   recommended for environments where such attacks represent a
+
+
+
+Kohl & Neuman                                                  [Page 74]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   significant threat.
+
+6.4.2. The RSA MD4 Checksum (rsa-md4)
+
+   The RSA-MD4 checksum calculates a checksum using the RSA MD4
+   algorithm [15].  The algorithm takes as input an input message of
+   arbitrary length and produces as output a 128-bit (16 octet)
+   checksum.  RSA-MD4 is believed to be collision-proof.
+
+6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4des)
+
+   The RSA-MD4-DES checksum calculates a keyed collisionproof checksum
+   by prepending an 8 octet confounder before the text, applying the RSA
+   MD4 checksum algorithm, and encrypting the confounder and the
+   checksum using DES in cipher-block-chaining (CBC) mode using a
+   variant of the key, where the variant is computed by eXclusive-ORing
+   the key with the constant F0F0F0F0F0F0F0F0 (A variant of the key is
+   used to limit the use of a key to a particular function, separating
+   the functions of generating a checksum from other encryption
+   performed using the session key.  The constant F0F0F0F0F0F0F0F0 was
+   chosen because it maintains key parity.  The properties of DES
+   precluded the use of the complement.  The same constant is used for
+   similar purpose in the Message Integrity Check in the Privacy
+   Enhanced Mail standard.).  The initialization vector should be zero.
+   The resulting checksum is 24 octets long (8 octets of which are
+   redundant).  This checksum is tamper-proof and believed to be
+   collision-proof.
+
+   The DES specifications identify some "weak keys"; those keys shall
+   not be used for generating RSA-MD4 checksums for use in Kerberos.
+
+   The format for the checksum is described in the following diagram:
+
+      +--+--+--+--+--+--+--+--
+      |  des-cbc(confounder
+      +--+--+--+--+--+--+--+--
+
+                    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+                        rsa-md4(confounder+msg),key=var(key),iv=0)  |
+                    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+   The format cannot be described in ASN.1, but for those who prefer an
+   ASN.1-like notation:
+
+   rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                              confounder[0]   UNTAGGED OCTET STRING(8),
+                              check[1]        UNTAGGED OCTET STRING(16)
+   }
+
+
+
+Kohl & Neuman                                                  [Page 75]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+6.4.4. The RSA MD5 Checksum (rsa-md5)
+
+   The RSA-MD5 checksum calculates a checksum using the RSA MD5
+   algorithm [16].  The algorithm takes as input an input message of
+   arbitrary length and produces as output a 128-bit (16 octet)
+   checksum.  RSA-MD5 is believed to be collision-proof.
+
+6.4.5. RSA MD5 Cryptographic Checksum Using DES (rsa-md5des)
+
+   The RSA-MD5-DES checksum calculates a keyed collisionproof checksum
+   by prepending an 8 octet confounder before the text, applying the RSA
+   MD5 checksum algorithm, and encrypting the confounder and the
+   checksum using DES in cipher-block-chaining (CBC) mode using a
+   variant of the key, where the variant is computed by eXclusive-ORing
+   the key with the constant F0F0F0F0F0F0F0F0.  The initialization
+   vector should be zero.  The resulting checksum is 24 octets long (8
+   octets of which are redundant).  This checksum is tamper-proof and
+   believed to be collision-proof.
+
+   The DES specifications identify some "weak keys"; those keys shall
+   not be used for encrypting RSA-MD5 checksums for use in Kerberos.
+
+   The format for the checksum is described in the following diagram:
+
+      +--+--+--+--+--+--+--+--
+      |  des-cbc(confounder
+      +--+--+--+--+--+--+--+--
+
+                     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+                         rsa-md5(confounder+msg),key=var(key),iv=0)  |
+                     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+   The format cannot be described in ASN.1, but for those who prefer an
+   ASN.1-like notation:
+
+   rsa-md5-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
+                              confounder[0]   UNTAGGED OCTET STRING(8),
+                              check[1]        UNTAGGED OCTET STRING(16)
+   }
+
+6.4.6. DES cipher-block chained checksum (des-mac)
+
+   The DES-MAC checksum is computed by prepending an 8 octet confounder
+   to the plaintext, performing a DES CBC-mode encryption on the result
+   using the key and an initialization vector of zero, taking the last
+   block of the ciphertext, prepending the same confounder and
+   encrypting the pair using DES in cipher-block-chaining (CBC) mode
+   using a a variant of the key, where the variant is computed by
+
+
+
+Kohl & Neuman                                                  [Page 76]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   eXclusive-ORing the key with the constant F0F0F0F0F0F0F0F0.  The
+   initialization vector should be zero.  The resulting checksum is 128
+   bits (16 octets) long, 64 bits of which are redundant. This checksum
+   is tamper-proof and collision-proof.
+
+   The format for the checksum is described in the following diagram:
+
+      +--+--+--+--+--+--+--+--
+      |   des-cbc(confounder
+      +--+--+--+--+--+--+--+--
+
+                     +-----+-----+-----+-----+-----+-----+-----+-----+
+                       des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
+                     +-----+-----+-----+-----+-----+-----+-----+-----+
+
+   The format cannot be described in ASN.1, but for those who prefer an
+   ASN.1-like notation:
+
+   des-mac-checksum ::=    ENCRYPTED       UNTAGGED SEQUENCE {
+                           confounder[0]   UNTAGGED OCTET STRING(8),
+                           check[1]        UNTAGGED OCTET STRING(8)
+   }
+
+   The DES specifications identify some "weak" and "semiweak" keys;
+   those keys shall not be used for generating DES-MAC checksums for use
+   in Kerberos, nor shall a key be used whose veriant is "weak" or
+   "semi-weak".
+
+6.4.7. RSA MD4 Cryptographic Checksum Using DES alternative
+       (rsa-md4-des-k)
+
+   The RSA-MD4-DES-K checksum calculates a keyed collision-proof
+   checksum by applying the RSA MD4 checksum algorithm and encrypting
+   the results using DES in cipherblock-chaining (CBC) mode using a DES
+   key as both key and initialization vector. The resulting checksum is
+   16 octets long. This checksum is tamper-proof and believed to be
+   collision-proof.  Note that this checksum type is the old method for
+   encoding the RSA-MD4-DES checksum and it is no longer recommended.
+
+6.4.8. DES cipher-block chained checksum alternative (desmac-k)
+
+   The DES-MAC-K checksum is computed by performing a DES CBC-mode
+   encryption of the plaintext, and using the last block of the
+   ciphertext as the checksum value. It is keyed with an encryption key
+   and an initialization vector; any uses which do not specify an
+   additional initialization vector will use the key as both key and
+   initialization vector.  The resulting checksum is 64 bits (8 octets)
+   long. This checksum is tamper-proof and collision-proof.  Note that
+
+
+
+Kohl & Neuman                                                  [Page 77]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   this checksum type is the old method for encoding the DESMAC checksum
+   and it is no longer recommended.
+
+   The DES specifications identify some "weak keys"; those keys shall
+   not be used for generating DES-MAC checksums for use in Kerberos.
+
+7.  Naming Constraints
+
+7.1.  Realm Names
+
+   Although realm names are encoded as GeneralStrings and although a
+   realm can technically select any name it chooses, interoperability
+   across realm boundaries requires agreement on how realm names are to
+   be assigned, and what information they imply.
+
+   To enforce these conventions, each realm must conform to the
+   conventions itself, and it must require that any realms with which
+   inter-realm keys are shared also conform to the conventions and
+   require the same from its neighbors.
+
+   There are presently four styles of realm names: domain, X500, other,
+   and reserved.  Examples of each style follow:
+
+        domain:   host.subdomain.domain (example)
+          X500:   C=US/O=OSF (example)
+         other:   NAMETYPE:rest/of.name=without-restrictions (example)
+      reserved:   reserved, but will not conflict with above
+
+   Domain names must look like domain names: they consist of components
+   separated by periods (.) and they contain neither colons (:) nor
+   slashes (/).
+
+   X.500 names contain an equal (=) and cannot contain a colon (:)
+   before the equal.  The realm names for X.500 names will be string
+   representations of the names with components separated by slashes.
+   Leading and trailing slashes will not be included.
+
+   Names that fall into the other category must begin with a prefix that
+   contains no equal (=) or period (.) and the prefix must be followed
+   by a colon (:) and the rest of the name. All prefixes must be
+   assigned before they may be used.  Presently none are assigned.
+
+   The reserved category includes strings which do not fall into the
+   first three categories.  All names in this category are reserved. It
+   is unlikely that names will be assigned to this category unless there
+   is a very strong argument for not using the "other" category.
+
+   These rules guarantee that there will be no conflicts between the
+
+
+
+Kohl & Neuman                                                  [Page 78]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   various name styles.  The following additional constraints apply to
+   the assignment of realm names in the domain and X.500 categories: the
+   name of a realm for the domain or X.500 formats must either be used
+   by the organization owning (to whom it was assigned) an Internet
+   domain name or X.500 name, or in the case that no such names are
+   registered, authority to use a realm name may be derived from the
+   authority of the parent realm.  For example, if there is no domain
+   name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can
+   authorize the creation of a realm with that name.
+
+   This is acceptable because the organization to which the parent is
+   assigned is presumably the organization authorized to assign names to
+   its children in the X.500 and domain name systems as well.  If the
+   parent assigns a realm name without also registering it in the domain
+   name or X.500 hierarchy, it is the parent's responsibility to make
+   sure that there will not in the future exists a name identical to the
+   realm name of the child unless it is assigned to the same entity as
+   the realm name.
+
+7.2.  Principal Names
+
+   As was the case for realm names, conventions are needed to ensure
+   that all agree on what information is implied by a principal name.
+   The name-type field that is part of the principal name indicates the
+   kind of information implied by the name.  The name-type should be
+   treated as a hint.  Ignoring the name type, no two names can be the
+   same (i.e., at least one of the components, or the realm, must be
+   different).  This constraint may be eliminated in the future.  The
+   following name types are defined:
+
+      name-type      value   meaning
+      NT-UNKNOWN       0     Name type not known
+      NT-PRINCIPAL     1     Just the name of the principal as in
+                             DCE, or for users
+      NT-SRV-INST      2     Service and other unique instance (krbtgt)
+      NT-SRV-HST       3     Service with host name as instance
+                             (telnet, rcommands)
+      NT-SRV-XHST      4     Service with host as remaining components
+      NT-UID           5     Unique ID
+
+   When a name implies no information other than its uniqueness at a
+   particular time the name type PRINCIPAL should be used.  The
+   principal name type should be used for users, and it might also be
+   used for a unique server.  If the name is a unique machine generated
+   ID that is guaranteed never to be reassigned then the name type of
+   UID should be used (note that it is generally a bad idea to reassign
+   names of any type since stale entries might remain in access control
+   lists).
+
+
+
+Kohl & Neuman                                                  [Page 79]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   If the first component of a name identifies a service and the
+   remaining components identify an instance of the service in a server
+   specified manner, then the name type of SRV-INST should be used.  An
+   example of this name type is the Kerberos ticket-granting ticket
+   which has a first component of krbtgt and a second component
+   identifying the realm for which the ticket is valid.
+
+   If instance is a single component following the service name and the
+   instance identifies the host on which the server is running, then the
+   name type SRV-HST should be used. This type is typically used for
+   Internet services such as telnet and the Berkeley R commands.  If the
+   separate components of the host name appear as successive components
+   following the name of the service, then the name type SRVXHST should
+   be used.  This type might be used to identify servers on hosts with
+   X.500 names where the slash (/) might otherwise be ambiguous.
+
+   A name type of UNKNOWN should be used when the form of the name is
+   not known. When comparing names, a name of type UNKNOWN will match
+   principals authenticated with names of any type.  A principal
+   authenticated with a name of type UNKNOWN, however, will only match
+   other names of type UNKNOWN.
+
+   Names of any type with an initial component of "krbtgt" are reserved
+   for the Kerberos ticket granting service.  See section 8.2.3 for the
+   form of such names.
+
+7.2.1. Name of server principals
+
+   The principal identifier for a server on a host will generally be
+   composed of two parts: (1) the realm of the KDC with which the server
+   is registered, and (2) a two-component name of type NT-SRV-HST if the
+   host name is an Internet domain name or a multi-component name of
+   type NT-SRV-XHST if the name of the host is of a form such as X.500
+   that allows slash (/) separators.  The first component of the two- or
+   multi-component name will identify the service and the latter
+   components will identify the host.  Where the name of the host is not
+   case sensitive (for example, with Internet domain names) the name of
+   the host must be lower case.  For services such as telnet and the
+   Berkeley R commands which run with system privileges, the first
+   component will be the string "host" instead of a service specific
+   identifier.
+
+8.  Constants and other defined values
+
+8.1.  Host address types
+
+   All negative values for the host address type are reserved for local
+   use.  All non-negative values are reserved for officially assigned
+
+
+
+Kohl & Neuman                                                  [Page 80]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   type fields and interpretations.
+
+   The values of the types for the following addresses are chosen to
+   match the defined address family constants in the Berkeley Standard
+   Distributions of Unix.  They can be found in <sys/socket.h> with
+   symbolic names AF_xxx (where xxx is an abbreviation of the address
+   family name).
+
+
+   Internet addresses
+
+      Internet addresses are 32-bit (4-octet) quantities, encoded in MSB
+      order.  The type of internet addresses is two (2).
+
+   CHAOSnet addresses
+
+      CHAOSnet addresses are 16-bit (2-octet) quantities, encoded in MSB
+      order.  The type of CHAOSnet addresses is five (5).
+
+   ISO addresses
+
+      ISO addresses are variable-length.  The type of ISO addresses is
+      seven (7).
+
+   Xerox Network Services (XNS) addresses
+
+      XNS addresses are 48-bit (6-octet) quantities, encoded in MSB
+      order.  The type of XNS addresses is six (6).
+
+   AppleTalk Datagram Delivery Protocol (DDP) addresses
+
+      AppleTalk DDP addresses consist of an 8-bit node number and a 16-
+      bit network number.  The first octet of the address is the node
+      number; the remaining two octets encode the network number in MSB
+      order. The type of AppleTalk DDP addresses is sixteen (16).
+
+   DECnet Phase IV addresses
+
+      DECnet Phase IV addresses are 16-bit addresses, encoded in LSB
+      order.  The type of DECnet Phase IV addresses is twelve (12).
+
+8.2.  KDC messages
+
+8.2.1. IP transport
+
+   When contacting a Kerberos server (KDC) for a KRB_KDC_REQ request
+   using IP transport, the client shall send a UDP datagram containing
+   only an encoding of the request to port 88 (decimal) at the KDC's IP
+
+
+
+Kohl & Neuman                                                  [Page 81]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   address; the KDC will respond with a reply datagram containing only
+   an encoding of the reply message (either a KRB_ERROR or a
+   KRB_KDC_REP) to the sending port at the sender's IP address.
+
+8.2.2. OSI transport
+
+   During authentication of an OSI client to and OSI server, the mutual
+   authentication of an OSI server to an OSI client, the transfer of
+   credentials from an OSI client to an OSI server, or during exchange
+   of private or integrity checked messages, Kerberos protocol messages
+   may be treated as opaque objects and the type of the authentication
+   mechanism will be:
+
+   OBJECT IDENTIFIER ::= {iso (1), org(3), dod(5),internet(1),
+                          security(5), kerberosv5(2)}
+
+   Depending on the situation, the opaque object will be an
+   authentication header (KRB_AP_REQ), an authentication reply
+   (KRB_AP_REP), a safe message (KRB_SAFE), a private message
+   (KRB_PRIV), or a credentials message (KRB_CRED).  The opaque data
+   contains an application code as specified in the ASN.1 description
+   for each message.  The application code may be used by Kerberos to
+   determine the message type.
+
+8.2.3. Name of the TGS
+
+   The principal identifier of the ticket-granting service shall be
+   composed of three parts: (1) the realm of the KDC issuing the TGS
+   ticket (2) a two-part name of type NT-SRVINST, with the first part
+   "krbtgt" and the second part the name of the realm which will accept
+   the ticket-granting ticket.  For example, a ticket-granting ticket
+   issued by the ATHENA.MIT.EDU realm to be used to get tickets from the
+   ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU"
+   (realm), ("krbtgt", "ATHENA.MIT.EDU") (name).  A ticket-granting
+   ticket issued by the ATHENA.MIT.EDU realm to be used to get tickets
+   from the MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU"
+   (realm), ("krbtgt", "MIT.EDU") (name).
+
+8.3.  Protocol constants and associated values
+
+   The following tables list constants used in the protocol and defines
+   their meanings.
+
+
+
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 82]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+---------------+-----------+----------+----------------+---------------
+Encryption type|etype value|block size|minimum pad size|confounder size
+---------------+-----------+----------+----------------+---------------
+NULL                0            1              0              0
+des-cbc-crc         1            8              4              8
+des-cbc-md4         2            8              0              8
+des-cbc-md5         3            8              0              8
+
+-------------------------------+-------------------+-------------
+Checksum type                  |sumtype value      |checksum size
+-------------------------------+-------------------+-------------
+CRC32                           1                   4
+rsa-md4                         2                   16
+rsa-md4-des                     3                   24
+des-mac                         4                   16
+des-mac-k                       5                   8
+rsa-md4-des-k                   6                   16
+rsa-md5                         7                   16
+rsa-md5-des                     8                   24
+
+-------------------------------+-----------------
+padata type                    |padata-type value
+-------------------------------+-----------------
+PA-TGS-REQ                      1
+PA-ENC-TIMESTAMP                2
+PA-PW-SALT                      3
+
+-------------------------------+-------------
+authorization data type        |ad-type value
+-------------------------------+-------------
+reserved values                 0-63
+OSF-DCE                         64
+SESAME                          65
+
+-------------------------------+-----------------
+alternate authentication type  |method-type value
+-------------------------------+-----------------
+reserved values                 0-63
+ATT-CHALLENGE-RESPONSE          64
+
+-------------------------------+-------------
+transited encoding type        |tr-type value
+-------------------------------+-------------
+DOMAIN-X500-COMPRESS            1
+reserved values                 all others
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 83]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+--------------+-------+-----------------------------------------
+Label         |Value  |Meaning or MIT code
+--------------+-------+-----------------------------------------
+
+pvno             5     current Kerberos protocol version number
+
+message types
+
+KRB_AS_REQ      10     Request for initial authentication
+KRB_AS_REP      11     Response to KRB_AS_REQ request
+KRB_TGS_REQ     12     Request for authentication based on TGT
+KRB_TGS_REP     13     Response to KRB_TGS_REQ request
+KRB_AP_REQ      14     application request to server
+KRB_AP_REP      15     Response to KRB_AP_REQ_MUTUAL
+KRB_SAFE        20     Safe (checksummed) application message
+KRB_PRIV        21     Private (encrypted) application message
+KRB_CRED        22     Private (encrypted) message to forward
+                       credentials
+KRB_ERROR       30     Error response
+
+name types
+
+KRB_NT_UNKNOWN   0   Name type not known
+KRB_NT_PRINCIPAL 1   Just the name of the principal as in DCE, or
+                     for users
+KRB_NT_SRV_INST  2   Service and other unique instance (krbtgt)
+KRB_NT_SRV_HST   3   Service with host name as instance (telnet,
+                     rcommands)
+KRB_NT_SRV_XHST  4   Service with host as remaining components
+KRB_NT_UID       5   Unique ID
+
+error codes
+
+KDC_ERR_NONE                   0   No error
+KDC_ERR_NAME_EXP               1   Client's entry in database has
+                                   expired
+KDC_ERR_SERVICE_EXP            2   Server's entry in database has
+                                   expired
+KDC_ERR_BAD_PVNO               3   Requested protocol version number
+                                   not supported
+KDC_ERR_C_OLD_MAST_KVNO        4   Client's key encrypted in old
+                                   master key
+KDC_ERR_S_OLD_MAST_KVNO        5   Server's key encrypted in old
+                                   master key
+KDC_ERR_C_PRINCIPAL_UNKNOWN    6   Client not found in Kerberos database
+KDC_ERR_S_PRINCIPAL_UNKNOWN    7   Server not found in Kerberos database
+KDC_ERR_PRINCIPAL_NOT_UNIQUE   8   Multiple principal entries in
+                                   database
+
+
+
+Kohl & Neuman                                                  [Page 84]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+KDC_ERR_NULL_KEY               9   The client or server has a null key
+KDC_ERR_CANNOT_POSTDATE       10   Ticket not eligible for postdating
+KDC_ERR_NEVER_VALID           11   Requested start time is later than
+                                   end time
+KDC_ERR_POLICY                12   KDC policy rejects request
+KDC_ERR_BADOPTION             13   KDC cannot accommodate requested
+                                   option
+KDC_ERR_ETYPE_NOSUPP          14   KDC has no support for encryption
+                                   type
+KDC_ERR_SUMTYPE_NOSUPP        15   KDC has no support for checksum type
+KDC_ERR_PADATA_TYPE_NOSUPP    16   KDC has no support for padata type
+KDC_ERR_TRTYPE_NOSUPP         17   KDC has no support for transited type
+KDC_ERR_CLIENT_REVOKED        18   Clients credentials have been revoked
+KDC_ERR_SERVICE_REVOKED       19   Credentials for server have been
+                                   revoked
+KDC_ERR_TGT_REVOKED           20   TGT has been revoked
+KDC_ERR_CLIENT_NOTYET         21   Client not yet valid - try again
+                                   later
+KDC_ERR_SERVICE_NOTYET        22   Server not yet valid - try again
+                                   later
+KDC_ERR_KEY_EXPIRED           23   Password has expired - change
+                                   password to reset
+KDC_ERR_PREAUTH_FAILED        24   Pre-authentication information
+                                   was invalid
+KDC_ERR_PREAUTH_REQUIRED      25   Additional pre-authentication
+                                   required*
+KRB_AP_ERR_BAD_INTEGRITY      31   Integrity check on decrypted field
+                                   failed
+KRB_AP_ERR_TKT_EXPIRED        32   Ticket expired
+KRB_AP_ERR_TKT_NYV            33   Ticket not yet valid
+KRB_AP_ERR_REPEAT             34   Request is a replay
+KRB_AP_ERR_NOT_US             35   The ticket isn't for us
+KRB_AP_ERR_BADMATCH           36   Ticket and authenticator don't match
+KRB_AP_ERR_SKEW               37   Clock skew too great
+KRB_AP_ERR_BADADDR            38   Incorrect net address
+KRB_AP_ERR_BADVERSION         39   Protocol version mismatch
+KRB_AP_ERR_MSG_TYPE           40   Invalid msg type
+KRB_AP_ERR_MODIFIED           41   Message stream modified
+KRB_AP_ERR_BADORDER           42   Message out of order
+KRB_AP_ERR_BADKEYVER          44   Specified version of key is not
+                                   available
+KRB_AP_ERR_NOKEY              45   Service key not available
+KRB_AP_ERR_MUT_FAIL           46   Mutual authentication failed
+KRB_AP_ERR_BADDIRECTION       47   Incorrect message direction
+KRB_AP_ERR_METHOD             48   Alternative authentication method
+                                   required*
+KRB_AP_ERR_BADSEQ             49   Incorrect sequence number in message
+KRB_AP_ERR_INAPP_CKSUM        50   Inappropriate type of checksum in
+
+
+
+Kohl & Neuman                                                  [Page 85]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                                   message
+KRB_ERR_GENERIC               60   Generic error (description in e-text)
+KRB_ERR_FIELD_TOOLONG         61   Field is too long for this
+                                   implementation
+
+   *This error carries additional information in the e-data field.  The
+   contents of the e-data field for this message is described in section
+   5.9.1.
+
+9.  Interoperability requirements
+
+   Version 5 of the Kerberos protocol supports a myriad of options.
+   Among these are multiple encryption and checksum types, alternative
+   encoding schemes for the transited field, optional mechanisms for
+   pre-authentication, the handling of tickets with no addresses,
+   options for mutual authentication, user to user authentication,
+   support for proxies, forwarding, postdating, and renewing tickets,
+   the format of realm names, and the handling of authorization data.
+
+   In order to ensure the interoperability of realms, it is necessary to
+   define a minimal configuration which must be supported by all
+   implementations.  This minimal configuration is subject to change as
+   technology does. For example, if at some later date it is discovered
+   that one of the required encryption or checksum algorithms is not
+   secure, it will be replaced.
+
+9.1.  Specification 1
+
+   This section defines the first specification of these options.
+   Implementations which are configured in this way can be said to
+   support Kerberos Version 5 Specification 1 (5.1).
+
+   Encryption and checksum methods
+
+   The following encryption and checksum mechanisms must be supported.
+   Implementations may support other mechanisms as well, but the
+   additional mechanisms may only be used when communicating with
+   principals known to also support them: Encryption: DES-CBC-MD5
+   Checksums: CRC-32, DES-MAC, DES-MAC-K, and DES-MD5
+
+   Realm Names
+
+   All implementations must understand hierarchical realms in both the
+   Internet Domain and the X.500 style.  When a ticket granting ticket
+   for an unknown realm is requested, the KDC must be able to determine
+   the names of the intermediate realms between the KDCs realm and the
+   requested realm.
+
+
+
+
+Kohl & Neuman                                                  [Page 86]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Transited field encoding
+
+   DOMAIN-X500-COMPRESS (described in section 3.3.3.1) must be
+   supported.  Alternative encodings may be supported, but they may be
+   used only when that encoding is supported by ALL intermediate realms.
+
+   Pre-authentication methods
+
+   The TGS-REQ method must be supported.  The TGS-REQ method is not used
+   on the initial request. The PA-ENC-TIMESTAMP method must be supported
+   by clients but whether it is enabled by default may be determined on
+   a realm by realm basis. If not used in the initial request and the
+   error KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENCTIMESTAMP
+   as an acceptable method, the client should retry the initial request
+   using the PA-ENC-TIMESTAMP preauthentication method. Servers need not
+   support the PAENC-TIMESTAMP method, but if not supported the server
+   should ignore the presence of PA-ENC-TIMESTAMP pre-authentication in
+   a request.
+
+   Mutual authentication
+
+   Mutual authentication (via the KRB_AP_REP message) must be supported.
+
+   Ticket addresses and flags
+
+   All KDC's must pass on tickets that carry no addresses (i.e.,  if a
+   TGT contains no addresses, the KDC will return derivative tickets),
+   but each realm may set its own policy for issuing such tickets, and
+   each application server will set its own policy with respect to
+   accepting them. By default, servers should not accept them.
+
+   Proxies and forwarded tickets must be supported.  Individual realms
+   and application servers can set their own policy on when such tickets
+   will be accepted.
+
+   All implementations must recognize renewable and postdated tickets,
+   but need not actually implement them.  If these options are not
+   supported, the starttime and endtime in the ticket shall specify a
+   ticket's entire useful life.  When a postdated ticket is decoded by a
+   server, all implementations shall make the presence of the postdated
+   flag visible to the calling server.
+
+   User-to-user authentication
+
+   Support for user to user authentication (via the ENC-TKTIN-SKEY KDC
+   option) must be provided by implementations, but individual realms
+   may decide as a matter of policy to reject such requests on a per-
+   principal or realm-wide basis.
+
+
+
+Kohl & Neuman                                                  [Page 87]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   Authorization data
+
+   Implementations must pass all authorization data subfields from
+   ticket-granting tickets to any derivative tickets unless directed to
+   suppress a subfield as part of the definition of that registered
+   subfield type (it is never incorrect to pass on a subfield, and no
+   registered subfield types presently specify suppression at the KDC).
+
+   Implementations must make the contents of any authorization data
+   subfields available to the server when a ticket is used.
+   Implementations are not required to allow clients to specify the
+   contents of the authorization data fields.
+
+9.2.  Recommended KDC values
+
+   Following is a list of recommended values for a KDC implementation,
+   based on the list of suggested configuration constants (see section
+   4.4).
+
+   minimum lifetime                5 minutes
+
+   maximum renewable lifetime      1 week
+
+   maximum ticket lifetime         1 day
+
+   empty addresses                 only when suitable restrictions appear
+                                   in authorization data
+
+   proxiable, etc.                 Allowed.
+
+10.  Acknowledgments
+
+   Early versions of this document, describing version 4 of the
+   protocol, were written by Jennifer Steiner (formerly at Project
+   Athena); these drafts provided an excellent starting point for this
+   current version 5 specification.  Many people in the Internet
+   community have contributed ideas and suggested protocol changes for
+   version 5. Notable contributions came from Ted Anderson, Steve
+   Bellovin and Michael Merritt [17], Daniel Bernstein, Mike Burrows,
+   Donald Davis, Ravi Ganesan, Morrie Gasser, Virgil Gligor, Bill
+   Griffeth, Mark Lillibridge, Mark Lomas, Steve Lunt, Piers McMahon,
+   Joe Pato, William Sommerfeld, Stuart Stubblebine, Ralph Swick, Ted
+   T'so, and Stanley Zanarotti.  Many others commented and helped shape
+   this specification into its current form.
+
+
+
+
+
+
+
+Kohl & Neuman                                                  [Page 88]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+11.  References
+
+   [1]  Miller, S., Neuman, C., Schiller, J., and  J. Saltzer, "Section
+        E.2.1: Kerberos  Authentication and Authorization System",
+        M.I.T. Project Athena, Cambridge, Massachusetts, December 21,
+        1987.
+
+   [2]  Steiner, J., Neuman, C., and J. Schiller, "Kerberos: An
+        Authentication Service for Open Network Systems", pp. 191-202 in
+        Usenix Conference Proceedings, Dallas, Texas, February, 1988.
+
+   [3]  Needham, R., and M. Schroeder, "Using Encryption for
+        Authentication in Large Networks of Computers", Communications
+        of the ACM, Vol. 21 (12), pp. 993-999, December 1978.
+
+   [4]  Denning, D., and G. Sacco, "Time stamps in Key Distribution
+        Protocols", Communications of the ACM, Vol. 24 (8), pp. 533-536,
+        August 1981.
+
+   [5]  Kohl, J., Neuman, C., and T. Ts'o, "The Evolution of the
+        Kerberos Authentication Service", in an IEEE Computer Society
+        Text soon to be published, June 1992.
+
+   [6]  Davis, D., and R. Swick, "Workstation Services and Kerberos
+        Authentication at Project Athena", Technical Memorandum TM-424,
+        MIT Laboratory for Computer Science, February 1990.
+
+   [7]  Levine, P., Gretzinger, M, Diaz, J., Sommerfeld, W., and K.
+        Raeburn, "Section E.1: Service Management System, M.I.T.
+        Project Athena, Cambridge, Mas sachusetts (1987).
+
+   [8]  CCITT, Recommendation X.509: The Directory Authentication
+        Framework, December 1988.
+
+   [9]  Neuman, C., "Proxy-Based Authorization and Accounting for
+        Distributed Systems," in Proceedings of the 13th International
+        Conference on Distributed Computing Systems", Pittsburgh, PA,
+        May 1993.
+
+   [10] Pato, J., "Using Pre-Authentication to Avoid Password Guessing
+        Attacks", Open Software Foundation DCE Request for Comments 26,
+        December 1992.
+
+   [11] National Bureau of Standards, U.S. Department of Commerce, "Data
+        Encryption Standard", Federal Information Processing Standards
+        Publication 46, Washington, DC (1977).
+
+
+
+
+
+Kohl & Neuman                                                  [Page 89]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+   [12] National Bureau of Standards, U.S. Department of Commerce, "DES
+        Modes of Operation", Federal Information Processing Standards
+        Publication 81, Springfield, VA, December 1980.
+
+   [13] Stubblebine S., and V. Gligor, "On Message Integrity in
+        Cryptographic Protocols", in Proceedings of the IEEE Symposium
+        on Research in Security and Privacy, Oakland, California, May
+        1992.
+
+   [14] International Organization for Standardization, "ISO Information
+        Processing Systems - Data Communication High-Level Data Link
+        Control Procedure - Frame Structure", IS 3309, October 1984, 3rd
+        Edition.
+
+   [15] Rivest, R., "The MD4 Message Digest Algorithm", RFC 1320, MIT
+        Laboratory for Computer Science, April 1992.
+
+   [16] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, MIT
+        Laboratory for Computer Science, April 1992.
+
+   [17] Bellovin S., and M. Merritt, "Limitations of the Kerberos
+        Authentication System", Computer Communications Review, Vol.
+        20(5), pp. 119-132, October 1990.
+
+12.  Security Considerations
+
+   Security issues are discussed throughout this memo.
+
+13.  Authors' Addresses
+
+   John Kohl
+   Digital Equipment Corporation
+   110 Spit Brook Road, M/S ZKO3-3/U14
+   Nashua, NH  03062
+
+   Phone: 603-881-2481
+   EMail: jtkohl@zk3.dec.com
+
+
+   B. Clifford Neuman
+   USC/Information Sciences Institute
+   4676 Admiralty Way #1001
+   Marina del Rey, CA 90292-6695
+
+   Phone: 310-822-1511
+   EMail: bcn@isi.edu
+
+
+
+
+
+Kohl & Neuman                                                  [Page 90]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+A.  Pseudo-code for protocol processing
+
+   This appendix provides pseudo-code describing how the messages are to
+   be constructed and interpreted by clients and servers.
+
+A.1.  KRB_AS_REQ generation
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_AS_REQ */
+
+        if(pa_enc_timestamp_required) then
+                request.padata.padata-type = PA-ENC-TIMESTAMP;
+                get system_time;
+                padata-body.patimestamp,pausec = system_time;
+                encrypt padata-body into request.padata.padata-value
+                        using client.key; /* derived from password */
+        endif
+
+        body.kdc-options := users's preferences;
+        body.cname := user's name;
+        body.realm := user's realm;
+        body.sname := service's name; /* usually "krbtgt",
+                                         "localrealm" */
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+        omit body.enc-authorization-data;
+        request.req-body := body;
+
+        kerberos := lookup(name of local kerberos server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+
+
+Kohl & Neuman                                                  [Page 91]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+A.2.  KRB_AS_REQ verification and KRB_AS_REP generation
+        decode message into req;
+
+        client := lookup(req.cname,req.realm);
+        server := lookup(req.sname,req.realm);
+        get system_time;
+        kdc_time := system_time.seconds;
+
+        if (!client) then
+                /* no client in Database */
+                error_out(KDC_ERR_C_PRINCIPAL_UNKNOWN);
+        endif
+        if (!server) then
+                /* no server in Database */
+                error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+        endif
+
+        if(client.pa_enc_timestamp_required and
+           pa_enc_timestamp not present) then
+                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
+        endif
+
+        if(pa_enc_timestamp present) then
+                decrypt req.padata-value into decrypted_enc_timestamp
+                        using client.key;
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                if(decrypted_enc_timestamp is not within allowable
+                        skew) then error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                if(decrypted_enc_timestamp and usec is replay)
+                        error_out(KDC_ERR_PREAUTH_FAILED);
+                endif
+                add decrypted_enc_timestamp and usec to replay cache;
+        endif
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := req.srealm;
+        reset all flags in new_tkt.flags;
+
+
+
+
+Kohl & Neuman                                                  [Page 92]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        if (req.kdc-options.FORWARDABLE is set) then
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.PROXIABLE is set) then
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.ALLOW-POSTDATE is set) then
+                set new_tkt.flags.ALLOW-POSTDATE;
+        endif
+        if ((req.kdc-options.RENEW is set) or
+            (req.kdc-options.VALIDATE is set) or
+            (req.kdc-options.PROXY is set) or
+            (req.kdc-options.FORWARDED is set) or
+            (req.kdc-options.ENC-TKT-IN-SKEY is set)) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.session := random_session_key();
+        new_tkt.cname := req.cname;
+        new_tkt.crealm := req.crealm;
+        new_tkt.transited := empty_transited_field();
+
+        new_tkt.authtime := kdc_time;
+
+        if (req.kdc-options.POSTDATED is set) then
+           if (against_postdate_policy(req.from)) then
+                error_out(KDC_ERR_POLICY);
+           endif
+           set new_tkt.flags.INVALID;
+           new_tkt.starttime := req.from;
+        else
+           omit new_tkt.starttime; /* treated as authtime when
+                                      omitted */
+        endif
+        if (req.till = 0) then
+                till := infinity;
+        else
+                till := req.till;
+        endif
+
+        new_tkt.endtime := min(till,
+                              new_tkt.starttime+client.max_life,
+                              new_tkt.starttime+server.max_life,
+                              new_tkt.starttime+max_life_for_realm);
+
+
+
+Kohl & Neuman                                                  [Page 93]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (new_tkt.endtime < req.till)) then
+                /* we set the RENEWABLE option for later processing */
+                set req.kdc-options.RENEWABLE;
+                req.rtime := req.till;
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if (req.kdc-options.RENEWABLE is set) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+                new_tkt.starttime+client.max_rlife,
+                new_tkt.starttime+server.max_rlife,
+                new_tkt.starttime+max_rlife_for_realm);
+        else
+                omit new_tkt.renew-till; /* only present if RENEWABLE */
+        endif
+
+        if (req.addresses) then
+                new_tkt.caddr := req.addresses;
+        else
+                omit new_tkt.caddr;
+        endif
+
+        new_tkt.authorization_data := empty_authorization_data();
+
+        encode to-be-encrypted part of ticket into OCTET STRING;
+        new_tkt.enc-part := encrypt OCTET STRING
+            using etype_for_key(server.key), server.key, server.p_kvno;
+
+
+        /* Start processing the response */
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_AS_REP;
+        resp.cname := req.cname;
+        resp.crealm := req.realm;
+        resp.ticket := new_tkt;
+
+        resp.key := new_tkt.session;
+        resp.last-req := fetch_last_request_info(client);
+        resp.nonce := req.nonce;
+        resp.key-expiration := client.expiration;
+
+
+
+Kohl & Neuman                                                  [Page 94]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+        resp.realm := new_tkt.realm;
+        resp.sname := new_tkt.sname;
+
+        resp.caddr := new_tkt.caddr;
+
+        encode body of reply into OCTET STRING;
+
+        resp.enc-part := encrypt OCTET STRING
+                         using use_etype, client.key, client.p_kvno;
+        send(resp);
+
+A.3.  KRB_AS_REP verification
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP))
+                        then set pa_enc_timestamp_required;
+                        goto KRB_AS_REQ;
+                endif
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key */
+        /* from the response immediately */
+
+        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
+                                 resp.padata);
+        unencrypted part of resp := decode of decrypt of resp.enc-part
+                                using resp.enc-part.etype and key;
+        zero(key);
+
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        if near(resp.princ_exp) then
+
+
+
+Kohl & Neuman                                                  [Page 95]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                print(warning message);
+        endif
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.4.  KRB_AS_REP and KRB_TGS_REP common checks
+        if (decryption_error() or
+            (req.cname != resp.cname) or
+            (req.realm != resp.crealm) or
+            (req.sname != resp.sname) or
+            (req.realm != resp.realm) or
+            (req.nonce != resp.nonce) or
+            (req.addresses != resp.caddr)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        /* make sure no flags are set that shouldn't be, and that  */
+        /* all that should be are set                              */
+        if (!check_flags_for_compatability(req.kdc-options,resp.flags))
+                then destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.from = 0) and
+            (resp.starttime is not within allowable skew)) then
+                destroy resp.key;
+                return KRB_AP_ERR_SKEW;
+        endif
+        if ((req.from != 0) and (req.from != resp.starttime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.till != 0) and (resp.endtime > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (req.rtime != 0) and (resp.renew-till > req.rtime)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+        endif
+        if ((req.kdc-options.RENEWABLE-OK is set) and
+            (resp.flags.RENEWABLE) and
+            (req.till != 0) and
+            (resp.renew-till > req.till)) then
+                destroy resp.key;
+                return KRB_AP_ERR_MODIFIED;
+
+
+
+Kohl & Neuman                                                  [Page 96]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        endif
+
+A.5.  KRB_TGS_REQ generation
+        /* Note that make_application_request might have to     */
+        /* recursivly call this routine to get the appropriate  */
+        /* ticket-granting ticket                               */
+
+        request.pvno := protocol version; /* pvno = 5 */
+        request.msg-type := message type; /* type = KRB_TGS_REQ */
+
+        body.kdc-options := users's preferences;
+        /* If the TGT is not for the realm of the end-server  */
+        /* then the sname will be for a TGT for the end-realm */
+        /* and the realm of the requested ticket (body.realm) */
+        /* will be that of the TGS to which the TGT we are    */
+        /* sending applies                                    */
+        body.sname := service's name;
+        body.realm := service's realm;
+
+        if (body.kdc-options.POSTDATED is set) then
+                body.from := requested starting time;
+        else
+                omit body.from;
+        endif
+        body.till := requested end time;
+        if (body.kdc-options.RENEWABLE is set) then
+                body.rtime := requested final renewal time;
+        endif
+        body.nonce := random_nonce();
+        body.etype := requested etypes;
+        if (user supplied addresses) then
+                body.addresses := user's addresses;
+        else
+                omit body.addresses;
+        endif
+
+        body.enc-authorization-data := user-supplied data;
+        if (body.kdc-options.ENC-TKT-IN-SKEY) then
+                body.additional-tickets_ticket := second TGT;
+        endif
+
+        request.req-body := body;
+        check := generate_checksum (req.body,checksumtype);
+
+        request.padata[0].padata-type := PA-TGS-REQ;
+        request.padata[0].padata-value := create a KRB_AP_REQ using
+                                      the TGT and checksum
+
+
+
+
+Kohl & Neuman                                                  [Page 97]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        /* add in any other padata as required/supplied */
+
+        kerberos := lookup(name of local kerberose server (or servers));
+        send(packet,kerberos);
+
+        wait(for response);
+        if (timed_out) then
+                retry or use alternate server;
+        endif
+
+A.6.  KRB_TGS_REQ verification and KRB_TGS_REP generation
+        /* note that reading the application request requires first
+        determining the server for which a ticket was issued, and
+        choosing the correct key for decryption.  The name of the
+        server appears in the plaintext part of the ticket. */
+
+        if (no KRB_AP_REQ in req.padata) then
+                error_out(KDC_ERR_PADATA_TYPE_NOSUPP);
+        endif
+        verify KRB_AP_REQ in req.padata;
+
+        /* Note that the realm in which the Kerberos server is
+        operating is determined by the instance from the
+        ticket-granting ticket.  The realm in the ticket-granting
+        ticket is the realm under which the ticket granting ticket was
+        issued.  It is possible for a single Kerberos server to
+        support more than one realm. */
+
+        auth_hdr := KRB_AP_REQ;
+        tgt := auth_hdr.ticket;
+
+        if (tgt.sname is not a TGT for local realm and is not
+                req.sname) then error_out(KRB_AP_ERR_NOT_US);
+
+        realm := realm_tgt_is_for(tgt);
+
+        decode remainder of request;
+
+        if (auth_hdr.authenticator.cksum is missing) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (auth_hdr.authenticator.cksum type is not supported) then
+                error_out(KDC_ERR_SUMTYPE_NOSUPP);
+        endif
+        if (auth_hdr.authenticator.cksum is not both collision-proof
+            and keyed)  then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+
+
+
+Kohl & Neuman                                                  [Page 98]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        set computed_checksum := checksum(req);
+        if (computed_checksum != auth_hdr.authenticatory.cksum) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        server := lookup(req.sname,realm);
+
+        if (!server) then
+                if (is_foreign_tgt_name(server)) then
+                        server := best_intermediate_tgs(server);
+                else
+                        /* no server in Database */
+                        error_out(KDC_ERR_S_PRINCIPAL_UNKNOWN);
+                endif
+        endif
+
+        session := generate_random_session_key();
+
+
+        use_etype := first supported etype in req.etypes;
+
+        if (no support for req.etypes) then
+                error_out(KDC_ERR_ETYPE_NOSUPP);
+        endif
+
+        new_tkt.vno := ticket version; /* = 5 */
+        new_tkt.sname := req.sname;
+        new_tkt.srealm := realm;
+        reset all flags in new_tkt.flags;
+
+        /* It should be noted that local policy may affect the  */
+        /* processing of any of these flags.  For example, some */
+        /* realms may refuse to issue renewable tickets         */
+
+        new_tkt.caddr := tgt.caddr;
+        resp.caddr := NULL; /* We only include this if they change */
+        if (req.kdc-options.FORWARDABLE is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDABLE;
+        endif
+        if (req.kdc-options.FORWARDED is set) then
+                if (tgt.flags.FORWARDABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.FORWARDED;
+                new_tkt.caddr := req.addresses;
+
+
+
+Kohl & Neuman                                                  [Page 99]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                resp.caddr := req.addresses;
+        endif
+        if (tgt.flags.FORWARDED is set) then
+                set new_tkt.flags.FORWARDED;
+        endif
+
+        if (req.kdc-options.PROXIABLE is set) then
+                if (tgt.flags.PROXIABLE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXIABLE;
+        endif
+        if (req.kdc-options.PROXY is set) then
+                if (tgt.flags.PROXIABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.PROXY;
+                new_tkt.caddr := req.addresses;
+                resp.caddr := req.addresses;
+        endif
+
+        if (req.kdc-options.POSTDATE is set) then
+                if (tgt.flags.POSTDATE is reset)
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATE;
+        endif
+        if (req.kdc-options.POSTDATED is set) then
+                if (tgt.flags.POSTDATE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                set new_tkt.flags.POSTDATED;
+                set new_tkt.flags.INVALID;
+                if (against_postdate_policy(req.from)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                new_tkt.starttime := req.from;
+        endif
+
+
+        if (req.kdc-options.VALIDATE is set) then
+                if (tgt.flags.INVALID is reset) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+                if (tgt.starttime > kdc_time) then
+                        error_out(KRB_AP_ERR_NYV);
+                endif
+                if (check_hot_list(tgt)) then
+
+
+
+Kohl & Neuman                                                 [Page 100]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                        error_out(KRB_AP_ERR_REPEAT);
+                endif
+                tkt := tgt;
+                reset new_tkt.flags.INVALID;
+        endif
+
+        if (req.kdc-options.(any flag except ENC-TKT-IN-SKEY, RENEW,
+                             and those already processed) is set) then
+                error_out(KDC_ERR_BADOPTION);
+        endif
+
+        new_tkt.authtime := tgt.authtime;
+
+        if (req.kdc-options.RENEW is set) then
+          /* Note that if the endtime has already passed, the ticket */
+          /* would have been rejected in the initial authentication  */
+          /* stage, so there is no need to check again here          */
+                if (tgt.flags.RENEWABLE is reset) then
+                        error_out(KDC_ERR_BADOPTION);
+                endif
+                if (tgt.renew-till >= kdc_time) then
+                        error_out(KRB_AP_ERR_TKT_EXPIRED);
+                endif
+                tkt := tgt;
+                new_tkt.starttime := kdc_time;
+                old_life := tgt.endttime - tgt.starttime;
+                new_tkt.endtime := min(tgt.renew-till,
+                                       new_tkt.starttime + old_life);
+        else
+                new_tkt.starttime := kdc_time;
+                if (req.till = 0) then
+                        till := infinity;
+                else
+                        till := req.till;
+                endif
+                new_tkt.endtime := min(till,
+                                   new_tkt.starttime+client.max_life,
+                                   new_tkt.starttime+server.max_life,
+                                   new_tkt.starttime+max_life_for_realm,
+                                   tgt.endtime);
+
+                if ((req.kdc-options.RENEWABLE-OK is set) and
+                    (new_tkt.endtime < req.till) and
+                    (tgt.flags.RENEWABLE is set) then
+                        /* we set the RENEWABLE option for later  */
+                        /* processing                             */
+                        set req.kdc-options.RENEWABLE;
+                        req.rtime := min(req.till, tgt.renew-till);
+
+
+
+Kohl & Neuman                                                 [Page 101]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                endif
+        endif
+
+        if (req.rtime = 0) then
+                rtime := infinity;
+        else
+                rtime := req.rtime;
+        endif
+
+        if ((req.kdc-options.RENEWABLE is set) and
+            (tgt.flags.RENEWABLE is set)) then
+                set new_tkt.flags.RENEWABLE;
+                new_tkt.renew-till := min(rtime,
+                new_tkt.starttime+client.max_rlife,
+                new_tkt.starttime+server.max_rlife,
+                new_tkt.starttime+max_rlife_for_realm,
+                tgt.renew-till);
+        else
+                new_tkt.renew-till := OMIT;
+                              /* leave the renew-till field out */
+        endif
+        if (req.enc-authorization-data is present) then
+                decrypt req.enc-authorization-data
+                        into    decrypted_authorization_data
+                        using auth_hdr.authenticator.subkey;
+                if (decrypt_error()) then
+                        error_out(KRB_AP_ERR_BAD_INTEGRITY);
+                endif
+        endif
+        new_tkt.authorization_data :=
+        req.auth_hdr.ticket.authorization_data +
+                                 decrypted_authorization_data;
+
+        new_tkt.key := session;
+        new_tkt.crealm := tgt.crealm;
+        new_tkt.cname := req.auth_hdr.ticket.cname;
+
+        if (realm_tgt_is_for(tgt) := tgt.realm) then
+                /* tgt issued by local realm */
+                new_tkt.transited := tgt.transited;
+        else
+                /* was issued for this realm by some other realm */
+                if (tgt.transited.tr-type not supported) then
+                        error_out(KDC_ERR_TRTYPE_NOSUPP);
+                endif
+                new_tkt.transited
+                   := compress_transited(tgt.transited + tgt.realm)
+        endif
+
+
+
+Kohl & Neuman                                                 [Page 102]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        encode encrypted part of new_tkt into OCTET STRING;
+        if (req.kdc-options.ENC-TKT-IN-SKEY is set) then
+                if (server not specified) then
+                        server = req.second_ticket.client;
+                endif
+                if ((req.second_ticket is not a TGT) or
+                    (req.second_ticket.client != server)) then
+                        error_out(KDC_ERR_POLICY);
+                endif
+
+                new_tkt.enc-part := encrypt OCTET STRING using
+                        using etype_for_key(second-ticket.key),
+                                                      second-ticket.key;
+        else
+                new_tkt.enc-part := encrypt OCTET STRING
+                        using etype_for_key(server.key), server.key,
+                                                      server.p_kvno;
+        endif
+
+        resp.pvno := 5;
+        resp.msg-type := KRB_TGS_REP;
+        resp.crealm := tgt.crealm;
+        resp.cname := tgt.cname;
+        resp.ticket := new_tkt;
+
+        resp.key := session;
+        resp.nonce := req.nonce;
+        resp.last-req := fetch_last_request_info(client);
+        resp.flags := new_tkt.flags;
+
+        resp.authtime := new_tkt.authtime;
+        resp.starttime := new_tkt.starttime;
+        resp.endtime := new_tkt.endtime;
+
+        omit resp.key-expiration;
+
+        resp.sname := new_tkt.sname;
+        resp.realm := new_tkt.realm;
+
+        if (new_tkt.flags.RENEWABLE) then
+                resp.renew-till := new_tkt.renew-till;
+        endif
+
+
+        encode body of reply into OCTET STRING;
+
+        if (req.padata.authenticator.subkey)
+                resp.enc-part := encrypt OCTET STRING using use_etype,
+
+
+
+Kohl & Neuman                                                 [Page 103]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                        req.padata.authenticator.subkey;
+        else resp.enc-part := encrypt OCTET STRING
+                              using use_etype, tgt.key;
+
+        send(resp);
+
+A.7.  KRB_TGS_REP verification
+        decode response into resp;
+
+        if (resp.msg-type = KRB_ERROR) then
+                process_error(resp);
+                return;
+        endif
+
+        /* On error, discard the response, and zero the session key from
+        the response immediately */
+
+        if (req.padata.authenticator.subkey)
+                unencrypted part of resp :=
+                        decode of decrypt of resp.enc-part
+                        using resp.enc-part.etype and subkey;
+        else unencrypted part of resp :=
+                        decode of decrypt of resp.enc-part
+                        using resp.enc-part.etype and tgt's session key;
+        if (common_as_rep_tgs_rep_checks fail) then
+                destroy resp.key;
+                return error;
+        endif
+
+        check authorization_data as necessary;
+        save_for_later(ticket,session,client,server,times,flags);
+
+A.8.  Authenticator generation
+        body.authenticator-vno := authenticator vno; /* = 5 */
+        body.cname, body.crealm := client name;
+        if (supplying checksum) then
+                body.cksum := checksum;
+        endif
+        get system_time;
+        body.ctime, body.cusec := system_time;
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+
+
+Kohl & Neuman                                                 [Page 104]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+A.9.  KRB_AP_REQ generation
+        obtain ticket and session_key from cache;
+
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REQ */
+
+        if (desired(MUTUAL_AUTHENTICATION)) then
+                set packet.ap-options.MUTUAL-REQUIRED;
+        else
+                reset packet.ap-options.MUTUAL-REQUIRED;
+        endif
+        if (using session key for ticket) then
+                set packet.ap-options.USE-SESSION-KEY;
+        else
+                reset packet.ap-options.USE-SESSION-KEY;
+        endif
+        packet.ticket := ticket; /* ticket */
+        generate authenticator;
+        encode authenticator into OCTET STRING;
+        encrypt OCTET STRING into packet.authenticator
+                             using session_key;
+
+A.10.  KRB_AP_REQ verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REQ) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.ticket.tkt_vno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.ap_options.USE-SESSION-KEY is set) then
+                retrieve session key from ticket-granting ticket for
+                 packet.ticket.{sname,srealm,enc-part.etype};
+        else
+           retrieve service key for
+           packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno};
+        endif
+        if (no_key_available) then
+                if (cannot_find_specified_skvno) then
+                        error_out(KRB_AP_ERR_BADKEYVER);
+                else
+                        error_out(KRB_AP_ERR_NOKEY);
+                endif
+
+
+
+Kohl & Neuman                                                 [Page 105]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        endif
+        decrypt packet.ticket.enc-part into decr_ticket
+                                       using retrieved key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        decrypt packet.authenticator into decr_authenticator
+                using decr_ticket.key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (decr_authenticator.{cname,crealm} !=
+            decr_ticket.{cname,crealm}) then
+                error_out(KRB_AP_ERR_BADMATCH);
+        endif
+        if (decr_ticket.caddr is present) then
+                if (sender_address(packet) is not in decr_ticket.caddr)
+                        then error_out(KRB_AP_ERR_BADADDR);
+                endif
+        elseif (application requires addresses) then
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (not in_clock_skew(decr_authenticator.ctime,
+                              decr_authenticator.cusec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(decr_authenticator.{ctime,cusec,cname,crealm}))
+                then error_out(KRB_AP_ERR_REPEAT);
+        endif
+        save_identifier(decr_authenticator.{ctime,cusec,cname,crealm});
+        get system_time;
+        if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or
+            (decr_ticket.flags.INVALID is set)) then
+                /* it hasn't yet become valid */
+                error_out(KRB_AP_ERR_TKT_NYV);
+        endif
+        if (system_time-decr_ticket.endtime > CLOCK_SKEW) then
+                error_out(KRB_AP_ERR_TKT_EXPIRED);
+        endif
+        /* caller must check decr_ticket.flags for any pertinent */
+        /* details */
+        return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);
+
+A.11.  KRB_AP_REP generation
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_AP_REP */
+        body.ctime := packet.ctime;
+        body.cusec := packet.cusec;
+
+
+
+Kohl & Neuman                                                 [Page 106]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        if (selecting sub-session key) then
+                select sub-session key;
+                body.subkey := sub-session key;
+        endif
+        if (using sequence numbers) then
+                select initial sequence number;
+                body.seq-number := initial sequence;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part;
+
+A.12.  KRB_AP_REP verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_AP_REP) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        cleartext := decrypt(packet.enc-part)
+                     using ticket's session key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if (cleartext.ctime != authenticator.ctime) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.cusec != authenticator.cusec) then
+                error_out(KRB_AP_ERR_MUT_FAIL);
+        endif
+        if (cleartext.subkey is present) then
+                save cleartext.subkey for future use;
+        endif
+        if (cleartext.seq-number is present) then
+                save cleartext.seq-number for future verifications;
+        endif
+        return(AUTHENTICATION_SUCCEEDED);
+
+A.13.  KRB_SAFE generation
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_SAFE */
+
+
+
+Kohl & Neuman                                                 [Page 107]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        body.user-data := buffer; /* DATA */
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+        checksum.cksumtype := checksum type;
+        compute checksum over body;
+        checksum.checksum := checksum value; /* checksum.checksum */
+        packet.cksum := checksum;
+        packet.safe-body := body;
+
+A.14.  KRB_SAFE verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_SAFE) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+        if (packet.checksum.cksumtype is not both collision-proof
+                                             and keyed) then
+                error_out(KRB_AP_ERR_INAPP_CKSUM);
+        endif
+        if (safe_priv_common_checks_ok(packet)) then
+                set computed_checksum := checksum(packet.body);
+                if (computed_checksum != packet.checksum) then
+                        error_out(KRB_AP_ERR_MODIFIED);
+                endif
+                return (packet, PACKET_IS_GENUINE);
+        else
+                return common_checks_error;
+        endif
+
+A.15.  KRB_SAFE and KRB_PRIV common checks
+        if (packet.s-address != O/S_sender(packet)) then
+            /* O/S report of sender not who claims to have sent it */
+            error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+
+
+
+Kohl & Neuman                                                 [Page 108]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if (((packet.timestamp is present) and
+             (not in_clock_skew(packet.timestamp,packet.usec))) or
+            (packet.timestamp is not present and timestamp expected))
+                then error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address))
+                then error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (((packet.seq-number is present) and
+             ((not in_sequence(packet.seq-number)))) or
+            (packet.seq-number is not present and sequence expected))
+                then error_out(KRB_AP_ERR_BADORDER);
+        endif
+        if (packet.timestamp not present and
+            packet.seq-number not present) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        save_identifier(packet.{timestamp,usec,s-address},
+                        sender_principal(packet));
+
+        return PACKET_IS_OK;
+
+A.16.  KRB_PRIV generation
+        collect user data in buffer;
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_PRIV */
+
+        packet.enc-part.etype := encryption type;
+
+        body.user-data := buffer;
+        if (using timestamp) then
+                get system_time;
+                body.timestamp, body.usec := system_time;
+        endif
+        if (using sequence numbers) then
+                body.seq-number := sequence number;
+        endif
+        body.s-address := sender host addresses;
+        if (only one recipient) then
+                body.r-address := recipient host address;
+        endif
+
+
+
+
+Kohl & Neuman                                                 [Page 109]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher;
+
+A.17.  KRB_PRIV verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_PRIV) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+
+        if (safe_priv_common_checks_ok(cleartext)) then
+            return(cleartext.DATA, PACKET_IS_GENUINE_AND_UNMODIFIED);
+        else
+                return common_checks_error;
+        endif
+
+A.18.  KRB_CRED generation
+        invoke KRB_TGS; /* obtain tickets to be provided to peer */
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_CRED */
+
+        for (tickets[n] in tickets to be forwarded) do
+                packet.tickets[n] = tickets[n].ticket;
+        done
+
+        packet.enc-part.etype := encryption type;
+
+        for (ticket[n] in tickets to be forwarded) do
+                body.ticket-info[n].key = tickets[n].session;
+                body.ticket-info[n].prealm = tickets[n].crealm;
+                body.ticket-info[n].pname = tickets[n].cname;
+                body.ticket-info[n].flags = tickets[n].flags;
+                body.ticket-info[n].authtime = tickets[n].authtime;
+                body.ticket-info[n].starttime = tickets[n].starttime;
+                body.ticket-info[n].endtime = tickets[n].endtime;
+                body.ticket-info[n].renew-till = tickets[n].renew-till;
+
+
+
+Kohl & Neuman                                                 [Page 110]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+                body.ticket-info[n].srealm = tickets[n].srealm;
+                body.ticket-info[n].sname = tickets[n].sname;
+                body.ticket-info[n].caddr = tickets[n].caddr;
+        done
+
+        get system_time;
+        body.timestamp, body.usec := system_time;
+
+        if (using nonce) then
+                body.nonce := nonce;
+        endif
+
+        if (using s-address) then
+                body.s-address := sender host addresses;
+        endif
+        if (limited recipients) then
+                body.r-address := recipient host address;
+        endif
+
+        encode body into OCTET STRING;
+
+        select encryption type;
+        encrypt OCTET STRING into packet.enc-part.cipher
+        using negotiated encryption key;
+
+A.19.  KRB_CRED verification
+        receive packet;
+        if (packet.pvno != 5) then
+                either process using other protocol spec
+                or error_out(KRB_AP_ERR_BADVERSION);
+        endif
+        if (packet.msg-type != KRB_CRED) then
+                error_out(KRB_AP_ERR_MSG_TYPE);
+        endif
+
+        cleartext := decrypt(packet.enc-part) using negotiated key;
+        if (decryption_error()) then
+                error_out(KRB_AP_ERR_BAD_INTEGRITY);
+        endif
+        if ((packet.r-address is present or required) and
+           (packet.s-address != O/S_sender(packet)) then
+            /* O/S report of sender not who claims to have sent it */
+            error_out(KRB_AP_ERR_BADADDR);
+        endif
+        if ((packet.r-address is present) and
+            (packet.r-address != local_host_address)) then
+                /* was not sent to proper place */
+                error_out(KRB_AP_ERR_BADADDR);
+
+
+
+Kohl & Neuman                                                 [Page 111]
+
+RFC 1510                        Kerberos                  September 1993
+
+
+        endif
+        if (not in_clock_skew(packet.timestamp,packet.usec)) then
+                error_out(KRB_AP_ERR_SKEW);
+        endif
+        if (repeated(packet.timestamp,packet.usec,packet.s-address))
+                then error_out(KRB_AP_ERR_REPEAT);
+        endif
+        if (packet.nonce is required or present) and
+           (packet.nonce != expected-nonce) then
+                error_out(KRB_AP_ERR_MODIFIED);
+        endif
+
+        for (ticket[n] in tickets that were forwarded) do
+                save_for_later(ticket[n],key[n],principal[n],
+                               server[n],times[n],flags[n]);
+        return
+
+A.20.  KRB_ERROR generation
+
+        /* assemble packet: */
+        packet.pvno := protocol version; /* 5 */
+        packet.msg-type := message type; /* KRB_ERROR */
+
+        get system_time;
+        packet.stime, packet.susec := system_time;
+        packet.realm, packet.sname := server name;
+
+        if (client time available) then
+                packet.ctime, packet.cusec := client_time;
+        endif
+        packet.error-code := error code;
+        if (client name available) then
+                packet.cname, packet.crealm := client name;
+        endif
+        if (error text available) then
+                packet.e-text := error text;
+        endif
+        if (error data available) then
+                packet.e-data := error data;
+        endif
+
+
+
+
+
+
+
+
+
+
+
+Kohl & Neuman                                                 [Page 112]
+
\ No newline at end of file
diff --git a/crypto/heimdal/doc/standardisation/rfc1750.txt b/crypto/heimdal/doc/standardisation/rfc1750.txt
new file mode 100644
index 0000000..56d478c
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1750.txt
@@ -0,0 +1,1683 @@
+
+
+
+
+
+
+Network Working Group                                   D. Eastlake, 3rd
+Request for Comments: 1750                                           DEC
+Category: Informational                                       S. Crocker
+                                                               Cybercash
+                                                             J. Schiller
+                                                                     MIT
+                                                           December 1994
+
+
+                Randomness Recommendations for Security
+
+Status of this Memo
+
+   This memo provides information for the Internet community.  This memo
+   does not specify an Internet standard of any kind.  Distribution of
+   this memo is unlimited.
+
+Abstract
+
+   Security systems today are built on increasingly strong cryptographic
+   algorithms that foil pattern analysis attempts. However, the security
+   of these systems is dependent on generating secret quantities for
+   passwords, cryptographic keys, and similar quantities.  The use of
+   pseudo-random processes to generate secret quantities can result in
+   pseudo-security.  The sophisticated attacker of these security
+   systems may find it easier to reproduce the environment that produced
+   the secret quantities, searching the resulting small set of
+   possibilities, than to locate the quantities in the whole of the
+   number space.
+
+   Choosing random quantities to foil a resourceful and motivated
+   adversary is surprisingly difficult.  This paper points out many
+   pitfalls in using traditional pseudo-random number generation
+   techniques for choosing such quantities.  It recommends the use of
+   truly random hardware techniques and shows that the existing hardware
+   on many systems can be used for this purpose.  It provides
+   suggestions to ameliorate the problem when a hardware solution is not
+   available.  And it gives examples of how large such quantities need
+   to be for some particular applications.
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 1]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+Acknowledgements
+
+   Comments on this document that have been incorporated were received
+   from (in alphabetic order) the following:
+
+        David M. Balenson (TIS)
+        Don Coppersmith (IBM)
+        Don T. Davis (consultant)
+        Carl Ellison (Stratus)
+        Marc Horowitz (MIT)
+        Christian Huitema (INRIA)
+        Charlie Kaufman (IRIS)
+        Steve Kent (BBN)
+        Hal Murray (DEC)
+        Neil Haller (Bellcore)
+        Richard Pitkin (DEC)
+        Tim Redmond (TIS)
+        Doug Tygar (CMU)
+
+Table of Contents
+
+   1. Introduction........................................... 3
+   2. Requirements........................................... 4
+   3. Traditional Pseudo-Random Sequences.................... 5
+   4. Unpredictability....................................... 7
+   4.1 Problems with Clocks and Serial Numbers............... 7
+   4.2 Timing and Content of External Events................  8
+   4.3 The Fallacy of Complex Manipulation..................  8
+   4.4 The Fallacy of Selection from a Large Database.......  9
+   5. Hardware for Randomness............................... 10
+   5.1 Volume Required...................................... 10
+   5.2 Sensitivity to Skew.................................. 10
+   5.2.1 Using Stream Parity to De-Skew..................... 11
+   5.2.2 Using Transition Mappings to De-Skew............... 12
+   5.2.3 Using FFT to De-Skew............................... 13
+   5.2.4 Using Compression to De-Skew....................... 13
+   5.3 Existing Hardware Can Be Used For Randomness......... 14
+   5.3.1 Using Existing Sound/Video Input................... 14
+   5.3.2 Using Existing Disk Drives......................... 14
+   6. Recommended Non-Hardware Strategy..................... 14
+   6.1 Mixing Functions..................................... 15
+   6.1.1 A Trivial Mixing Function.......................... 15
+   6.1.2 Stronger Mixing Functions.......................... 16
+   6.1.3 Diff-Hellman as a Mixing Function.................. 17
+   6.1.4 Using a Mixing Function to Stretch Random Bits..... 17
+   6.1.5 Other Factors in Choosing a Mixing Function........ 18
+   6.2 Non-Hardware Sources of Randomness................... 19
+   6.3 Cryptographically Strong Sequences................... 19
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 2]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   6.3.1 Traditional Strong Sequences....................... 20
+   6.3.2 The Blum Blum Shub Sequence Generator.............. 21
+   7. Key Generation Standards.............................. 22
+   7.1 US DoD Recommendations for Password Generation....... 23
+   7.2 X9.17 Key Generation................................. 23
+   8. Examples of Randomness Required....................... 24
+   8.1  Password Generation................................. 24
+   8.2 A Very High Security Cryptographic Key............... 25
+   8.2.1 Effort per Key Trial............................... 25
+   8.2.2 Meet in the Middle Attacks......................... 26
+   8.2.3 Other Considerations............................... 26
+   9. Conclusion............................................ 27
+   10. Security Considerations.............................. 27
+   References............................................... 28
+   Authors' Addresses....................................... 30
+
+1. Introduction
+
+   Software cryptography is coming into wider use.  Systems like
+   Kerberos, PEM, PGP, etc. are maturing and becoming a part of the
+   network landscape [PEM].  These systems provide substantial
+   protection against snooping and spoofing.  However, there is a
+   potential flaw.  At the heart of all cryptographic systems is the
+   generation of secret, unguessable (i.e., random) numbers.
+
+   For the present, the lack of generally available facilities for
+   generating such unpredictable numbers is an open wound in the design
+   of cryptographic software.  For the software developer who wants to
+   build a key or password generation procedure that runs on a wide
+   range of hardware, the only safe strategy so far has been to force
+   the local installation to supply a suitable routine to generate
+   random numbers.  To say the least, this is an awkward, error-prone
+   and unpalatable solution.
+
+   It is important to keep in mind that the requirement is for data that
+   an adversary has a very low probability of guessing or determining.
+   This will fail if pseudo-random data is used which only meets
+   traditional statistical tests for randomness or which is based on
+   limited range sources, such as clocks.  Frequently such random
+   quantities are determinable by an adversary searching through an
+   embarrassingly small space of possibilities.
+
+   This informational document suggests techniques for producing random
+   quantities that will be resistant to such attack.  It recommends that
+   future systems include hardware random number generation or provide
+   access to existing hardware that can be used for this purpose.  It
+   suggests methods for use if such hardware is not available.  And it
+   gives some estimates of the number of random bits required for sample
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 3]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   applications.
+
+2. Requirements
+
+   Probably the most commonly encountered randomness requirement today
+   is the user password. This is usually a simple character string.
+   Obviously, if a password can be guessed, it does not provide
+   security.  (For re-usable passwords, it is desirable that users be
+   able to remember the password.  This may make it advisable to use
+   pronounceable character strings or phrases composed on ordinary
+   words.  But this only affects the format of the password information,
+   not the requirement that the password be very hard to guess.)
+
+   Many other requirements come from the cryptographic arena.
+   Cryptographic techniques can be used to provide a variety of services
+   including confidentiality and authentication.  Such services are
+   based on quantities, traditionally called "keys", that are unknown to
+   and unguessable by an adversary.
+
+   In some cases, such as the use of symmetric encryption with the one
+   time pads [CRYPTO*] or the US Data Encryption Standard [DES], the
+   parties who wish to communicate confidentially and/or with
+   authentication must all know the same secret key.  In other cases,
+   using what are called asymmetric or "public key" cryptographic
+   techniques, keys come in pairs.  One key of the pair is private and
+   must be kept secret by one party, the other is public and can be
+   published to the world.  It is computationally infeasible to
+   determine the private key from the public key [ASYMMETRIC, CRYPTO*].
+
+   The frequency and volume of the requirement for random quantities
+   differs greatly for different cryptographic systems.  Using pure RSA
+   [CRYPTO*], random quantities are required when the key pair is
+   generated, but thereafter any number of messages can be signed
+   without any further need for randomness.  The public key Digital
+   Signature Algorithm that has been proposed by the US National
+   Institute of Standards and Technology (NIST) requires good random
+   numbers for each signature.  And encrypting with a one time pad, in
+   principle the strongest possible encryption technique, requires a
+   volume of randomness equal to all the messages to be processed.
+
+   In most of these cases, an adversary can try to determine the
+   "secret" key by trial and error.  (This is possible as long as the
+   key is enough smaller than the message that the correct key can be
+   uniquely identified.)  The probability of an adversary succeeding at
+   this must be made acceptably low, depending on the particular
+   application.  The size of the space the adversary must search is
+   related to the amount of key "information" present in the information
+   theoretic sense [SHANNON].  This depends on the number of different
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 4]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   secret values possible and the probability of each value as follows:
+
+                      -----
+                       \
+        Bits-of-info =  \  - p   * log  ( p  )
+                        /     i       2    i
+                       /
+                      -----
+
+   where i varies from 1 to the number of possible secret values and p
+   sub i is the probability of the value numbered i.  (Since p sub i is
+   less than one, the log will be negative so each term in the sum will
+   be non-negative.)
+
+   If there are 2^n different values of equal probability, then n bits
+   of information are present and an adversary would, on the average,
+   have to try half of the values, or 2^(n-1) , before guessing the
+   secret quantity.  If the probability of different values is unequal,
+   then there is less information present and fewer guesses will, on
+   average, be required by an adversary.  In particular, any values that
+   the adversary can know are impossible, or are of low probability, can
+   be initially ignored by an adversary, who will search through the
+   more probable values first.
+
+   For example, consider a cryptographic system that uses 56 bit keys.
+   If these 56 bit keys are derived by using a fixed pseudo-random
+   number generator that is seeded with an 8 bit seed, then an adversary
+   needs to search through only 256 keys (by running the pseudo-random
+   number generator with every possible seed), not the 2^56 keys that
+   may at first appear to be the case. Only 8 bits of "information" are
+   in these 56 bit keys.
+
+3. Traditional Pseudo-Random Sequences
+
+   Most traditional sources of random numbers use deterministic sources
+   of "pseudo-random" numbers.  These typically start with a "seed"
+   quantity and use numeric or logical operations to produce a sequence
+   of values.
+
+   [KNUTH] has a classic exposition on pseudo-random numbers.
+   Applications he mentions are simulation of natural phenomena,
+   sampling, numerical analysis, testing computer programs, decision
+   making, and games.  None of these have the same characteristics as
+   the sort of security uses we are talking about.  Only in the last two
+   could there be an adversary trying to find the random quantity.
+   However, in these cases, the adversary normally has only a single
+   chance to use a guessed value.  In guessing passwords or attempting
+   to break an encryption scheme, the adversary normally has many,
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 5]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   perhaps unlimited, chances at guessing the correct value and should
+   be assumed to be aided by a computer.
+
+   For testing the "randomness" of numbers, Knuth suggests a variety of
+   measures including statistical and spectral.  These tests check
+   things like autocorrelation between different parts of a "random"
+   sequence or distribution of its values.  They could be met by a
+   constant stored random sequence, such as the "random" sequence
+   printed in the CRC Standard Mathematical Tables [CRC].
+
+   A typical pseudo-random number generation technique, known as a
+   linear congruence pseudo-random number generator, is modular
+   arithmetic where the N+1th value is calculated from the Nth value by
+
+        V    = ( V  * a + b )(Mod c)
+         N+1      N
+
+   The above technique has a strong relationship to linear shift
+   register pseudo-random number generators, which are well understood
+   cryptographically [SHIFT*].  In such generators bits are introduced
+   at one end of a shift register as the Exclusive Or (binary sum
+   without carry) of bits from selected fixed taps into the register.
+
+   For example:
+
+      +----+     +----+     +----+                      +----+
+      | B  | <-- | B  | <-- | B  | <--  . . . . . . <-- | B  | <-+
+      |  0 |     |  1 |     |  2 |                      |  n |   |
+      +----+     +----+     +----+                      +----+   |
+        |                     |            |                     |
+        |                     |            V                  +-----+
+        |                     V            +----------------> |     |
+        V                     +-----------------------------> | XOR |
+        +---------------------------------------------------> |     |
+                                                              +-----+
+
+
+       V    = ( ( V  * 2 ) + B .xor. B ... )(Mod 2^n)
+        N+1         N         0       2
+
+   The goodness of traditional pseudo-random number generator algorithms
+   is measured by statistical tests on such sequences.  Carefully chosen
+   values of the initial V and a, b, and c or the placement of shift
+   register tap in the above simple processes can produce excellent
+   statistics.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 6]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   These sequences may be adequate in simulations (Monte Carlo
+   experiments) as long as the sequence is orthogonal to the structure
+   of the space being explored.  Even there, subtle patterns may cause
+   problems.  However, such sequences are clearly bad for use in
+   security applications.  They are fully predictable if the initial
+   state is known.  Depending on the form of the pseudo-random number
+   generator, the sequence may be determinable from observation of a
+   short portion of the sequence [CRYPTO*, STERN].  For example, with
+   the generators above, one can determine V(n+1) given knowledge of
+   V(n).  In fact, it has been shown that with these techniques, even if
+   only one bit of the pseudo-random values is released, the seed can be
+   determined from short sequences.
+
+   Not only have linear congruent generators been broken, but techniques
+   are now known for breaking all polynomial congruent generators
+   [KRAWCZYK].
+
+4. Unpredictability
+
+   Randomness in the traditional sense described in section 3 is NOT the
+   same as the unpredictability required for security use.
+
+   For example, use of a widely available constant sequence, such as
+   that from the CRC tables, is very weak against an adversary. Once
+   they learn of or guess it, they can easily break all security, future
+   and past, based on the sequence [CRC].  Yet the statistical
+   properties of these tables are good.
+
+   The following sections describe the limitations of some randomness
+   generation techniques and sources.
+
+4.1 Problems with Clocks and Serial Numbers
+
+   Computer clocks, or similar operating system or hardware values,
+   provide significantly fewer real bits of unpredictability than might
+   appear from their specifications.
+
+   Tests have been done on clocks on numerous systems and it was found
+   that their behavior can vary widely and in unexpected ways.  One
+   version of an operating system running on one set of hardware may
+   actually provide, say, microsecond resolution in a clock while a
+   different configuration of the "same" system may always provide the
+   same lower bits and only count in the upper bits at much lower
+   resolution.  This means that successive reads on the clock may
+   produce identical values even if enough time has passed that the
+   value "should" change based on the nominal clock resolution. There
+   are also cases where frequently reading a clock can produce
+   artificial sequential values because of extra code that checks for
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 7]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   the clock being unchanged between two reads and increases it by one!
+   Designing portable application code to generate unpredictable numbers
+   based on such system clocks is particularly challenging because the
+   system designer does not always know the properties of the system
+   clocks that the code will execute on.
+
+   Use of a hardware serial number such as an Ethernet address may also
+   provide fewer bits of uniqueness than one would guess.  Such
+   quantities are usually heavily structured and subfields may have only
+   a limited range of possible values or values easily guessable based
+   on approximate date of manufacture or other data.  For example, it is
+   likely that most of the Ethernet cards installed on Digital Equipment
+   Corporation (DEC) hardware within DEC were manufactured by DEC
+   itself, which significantly limits the range of built in addresses.
+
+   Problems such as those described above related to clocks and serial
+   numbers make code to produce unpredictable quantities difficult if
+   the code is to be ported across a variety of computer platforms and
+   systems.
+
+4.2 Timing and Content of External Events
+
+   It is possible to measure the timing and content of mouse movement,
+   key strokes, and similar user events.  This is a reasonable source of
+   unguessable data with some qualifications.  On some machines, inputs
+   such as key strokes are buffered.  Even though the user's inter-
+   keystroke timing may have sufficient variation and unpredictability,
+   there might not be an easy way to access that variation.  Another
+   problem is that no standard method exists to sample timing details.
+   This makes it hard to build standard software intended for
+   distribution to a large range of machines based on this technique.
+
+   The amount of mouse movement or the keys actually hit are usually
+   easier to access than timings but may yield less unpredictability as
+   the user may provide highly repetitive input.
+
+   Other external events, such as network packet arrival times, can also
+   be used with care.  In particular, the possibility of manipulation of
+   such times by an adversary must be considered.
+
+4.3 The Fallacy of Complex Manipulation
+
+   One strategy which may give a misleading appearance of
+   unpredictability is to take a very complex algorithm (or an excellent
+   traditional pseudo-random number generator with good statistical
+   properties) and calculate a cryptographic key by starting with the
+   current value of a computer system clock as the seed.  An adversary
+   who knew roughly when the generator was started would have a
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 8]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   relatively small number of seed values to test as they would know
+   likely values of the system clock.  Large numbers of pseudo-random
+   bits could be generated but the search space an adversary would need
+   to check could be quite small.
+
+   Thus very strong and/or complex manipulation of data will not help if
+   the adversary can learn what the manipulation is and there is not
+   enough unpredictability in the starting seed value.  Even if they can
+   not learn what the manipulation is, they may be able to use the
+   limited number of results stemming from a limited number of seed
+   values to defeat security.
+
+   Another serious strategy error is to assume that a very complex
+   pseudo-random number generation algorithm will produce strong random
+   numbers when there has been no theory behind or analysis of the
+   algorithm.  There is a excellent example of this fallacy right near
+   the beginning of chapter 3 in [KNUTH] where the author describes a
+   complex algorithm.  It was intended that the machine language program
+   corresponding to the algorithm would be so complicated that a person
+   trying to read the code without comments wouldn't know what the
+   program was doing.  Unfortunately, actual use of this algorithm
+   showed that it almost immediately converged to a single repeated
+   value in one case and a small cycle of values in another case.
+
+   Not only does complex manipulation not help you if you have a limited
+   range of seeds but blindly chosen complex manipulation can destroy
+   the randomness in a good seed!
+
+4.4 The Fallacy of Selection from a Large Database
+
+   Another strategy that can give a misleading appearance of
+   unpredictability is selection of a quantity randomly from a database
+   and assume that its strength is related to the total number of bits
+   in the database.  For example, typical USENET servers as of this date
+   process over 35 megabytes of information per day.  Assume a random
+   quantity was selected by fetching 32 bytes of data from a random
+   starting point in this data.  This does not yield 32*8 = 256 bits
+   worth of unguessability.  Even after allowing that much of the data
+   is human language and probably has more like 2 or 3 bits of
+   information per byte, it doesn't yield 32*2.5 = 80 bits of
+   unguessability.  For an adversary with access to the same 35
+   megabytes the unguessability rests only on the starting point of the
+   selection.  That is, at best, about 25 bits of unguessability in this
+   case.
+
+   The same argument applies to selecting sequences from the data on a
+   CD ROM or Audio CD recording or any other large public database.  If
+   the adversary has access to the same database, this "selection from a
+
+
+
+Eastlake, Crocker & Schiller                                    [Page 9]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   large volume of data" step buys very little.  However, if a selection
+   can be made from data to which the adversary has no access, such as
+   system buffers on an active multi-user system, it may be of some
+   help.
+
+5. Hardware for Randomness
+
+   Is there any hope for strong portable randomness in the future?
+   There might be.  All that's needed is a physical source of
+   unpredictable numbers.
+
+   A thermal noise or radioactive decay source and a fast, free-running
+   oscillator would do the trick directly [GIFFORD].  This is a trivial
+   amount of hardware, and could easily be included as a standard part
+   of a computer system's architecture.  Furthermore, any system with a
+   spinning disk or the like has an adequate source of randomness
+   [DAVIS].  All that's needed is the common perception among computer
+   vendors that this small additional hardware and the software to
+   access it is necessary and useful.
+
+5.1 Volume Required
+
+   How much unpredictability is needed?  Is it possible to quantify the
+   requirement in, say, number of random bits per second?
+
+   The answer is not very much is needed.  For DES, the key is 56 bits
+   and, as we show in an example in Section 8, even the highest security
+   system is unlikely to require a keying material of over 200 bits.  If
+   a series of keys are needed, it can be generated from a strong random
+   seed using a cryptographically strong sequence as explained in
+   Section 6.3.  A few hundred random bits generated once a day would be
+   enough using such techniques.  Even if the random bits are generated
+   as slowly as one per second and it is not possible to overlap the
+   generation process, it should be tolerable in high security
+   applications to wait 200 seconds occasionally.
+
+   These numbers are trivial to achieve.  It could be done by a person
+   repeatedly tossing a coin.  Almost any hardware process is likely to
+   be much faster.
+
+5.2 Sensitivity to Skew
+
+   Is there any specific requirement on the shape of the distribution of
+   the random numbers?  The good news is the distribution need not be
+   uniform.  All that is needed is a conservative estimate of how non-
+   uniform it is to bound performance.  Two simple techniques to de-skew
+   the bit stream are given below and stronger techniques are mentioned
+   in Section 6.1.2 below.
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 10]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+5.2.1 Using Stream Parity to De-Skew
+
+   Consider taking a sufficiently long string of bits and map the string
+   to "zero" or "one".  The mapping will not yield a perfectly uniform
+   distribution, but it can be as close as desired.  One mapping that
+   serves the purpose is to take the parity of the string.  This has the
+   advantages that it is robust across all degrees of skew up to the
+   estimated maximum skew and is absolutely trivial to implement in
+   hardware.
+
+   The following analysis gives the number of bits that must be sampled:
+
+   Suppose the ratio of ones to zeros is 0.5 + e : 0.5 - e, where e is
+   between 0 and 0.5 and is a measure of the "eccentricity" of the
+   distribution.  Consider the distribution of the parity function of N
+   bit samples.  The probabilities that the parity will be one or zero
+   will be the sum of the odd or even terms in the binomial expansion of
+   (p + q)^N, where p = 0.5 + e, the probability of a one, and q = 0.5 -
+   e, the probability of a zero.
+
+   These sums can be computed easily as
+
+                         N            N
+        1/2 * ( ( p + q )  + ( p - q )  )
+   and
+                         N            N
+        1/2 * ( ( p + q )  - ( p - q )  ).
+
+   (Which one corresponds to the probability the parity will be 1
+   depends on whether N is odd or even.)
+
+   Since p + q = 1 and p - q = 2e, these expressions reduce to
+
+                       N
+        1/2 * [1 + (2e) ]
+   and
+                       N
+        1/2 * [1 - (2e) ].
+
+   Neither of these will ever be exactly 0.5 unless e is zero, but we
+   can bring them arbitrarily close to 0.5.  If we want the
+   probabilities to be within some delta d of 0.5, i.e. then
+
+                            N
+        ( 0.5 + ( 0.5 * (2e)  ) )  <  0.5 + d.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 11]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   Solving for N yields N > log(2d)/log(2e).  (Note that 2e is less than
+   1, so its log is negative.  Division by a negative number reverses
+   the sense of an inequality.)
+
+   The following table gives the length of the string which must be
+   sampled for various degrees of skew in order to come within 0.001 of
+   a 50/50 distribution.
+
+                       +---------+--------+-------+
+                       | Prob(1) |    e   |    N  |
+                       +---------+--------+-------+
+                       |   0.5   |  0.00  |    1  |
+                       |   0.6   |  0.10  |    4  |
+                       |   0.7   |  0.20  |    7  |
+                       |   0.8   |  0.30  |   13  |
+                       |   0.9   |  0.40  |   28  |
+                       |   0.95  |  0.45  |   59  |
+                       |   0.99  |  0.49  |  308  |
+                       +---------+--------+-------+
+
+   The last entry shows that even if the distribution is skewed 99% in
+   favor of ones, the parity of a string of 308 samples will be within
+   0.001 of a 50/50 distribution.
+
+5.2.2 Using Transition Mappings to De-Skew
+
+   Another technique, originally due to von Neumann [VON NEUMANN], is to
+   examine a bit stream as a sequence of non-overlapping pairs. You
+   could then discard any 00 or 11 pairs found, interpret 01 as a 0 and
+   10 as a 1.  Assume the probability of a 1 is 0.5+e and the
+   probability of a 0 is 0.5-e where e is the eccentricity of the source
+   and described in the previous section.  Then the probability of each
+   pair is as follows:
+
+            +------+-----------------------------------------+
+            | pair |            probability                  |
+            +------+-----------------------------------------+
+            |  00  | (0.5 - e)^2          =  0.25 - e + e^2  |
+            |  01  | (0.5 - e)*(0.5 + e)  =  0.25     - e^2  |
+            |  10  | (0.5 + e)*(0.5 - e)  =  0.25     - e^2  |
+            |  11  | (0.5 + e)^2          =  0.25 + e + e^2  |
+            +------+-----------------------------------------+
+
+   This technique will completely eliminate any bias but at the expense
+   of taking an indeterminate number of input bits for any particular
+   desired number of output bits.  The probability of any particular
+   pair being discarded is 0.5 + 2e^2 so the expected number of input
+   bits to produce X output bits is X/(0.25 - e^2).
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 12]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   This technique assumes that the bits are from a stream where each bit
+   has the same probability of being a 0 or 1 as any other bit in the
+   stream and that bits are not correlated, i.e., that the bits are
+   identical independent distributions.  If alternate bits were from two
+   correlated sources, for example, the above analysis breaks down.
+
+   The above technique also provides another illustration of how a
+   simple statistical analysis can mislead if one is not always on the
+   lookout for patterns that could be exploited by an adversary.  If the
+   algorithm were mis-read slightly so that overlapping successive bits
+   pairs were used instead of non-overlapping pairs, the statistical
+   analysis given is the same; however, instead of provided an unbiased
+   uncorrelated series of random 1's and 0's, it instead produces a
+   totally predictable sequence of exactly alternating 1's and 0's.
+
+5.2.3 Using FFT to De-Skew
+
+   When real world data consists of strongly biased or correlated bits,
+   it may still contain useful amounts of randomness.  This randomness
+   can be extracted through use of the discrete Fourier transform or its
+   optimized variant, the FFT.
+
+   Using the Fourier transform of the data, strong correlations can be
+   discarded.  If adequate data is processed and remaining correlations
+   decay, spectral lines approaching statistical independence and
+   normally distributed randomness can be produced [BRILLINGER].
+
+5.2.4 Using Compression to De-Skew
+
+   Reversible compression techniques also provide a crude method of de-
+   skewing a skewed bit stream.  This follows directly from the
+   definition of reversible compression and the formula in Section 2
+   above for the amount of information in a sequence.  Since the
+   compression is reversible, the same amount of information must be
+   present in the shorter output than was present in the longer input.
+   By the Shannon information equation, this is only possible if, on
+   average, the probabilities of the different shorter sequences are
+   more uniformly distributed than were the probabilities of the longer
+   sequences.  Thus the shorter sequences are de-skewed relative to the
+   input.
+
+   However, many compression techniques add a somewhat predicatable
+   preface to their output stream and may insert such a sequence again
+   periodically in their output or otherwise introduce subtle patterns
+   of their own.  They should be considered only a rough technique
+   compared with those described above or in Section 6.1.2.  At a
+   minimum, the beginning of the compressed sequence should be skipped
+   and only later bits used for applications requiring random bits.
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 13]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+5.3 Existing Hardware Can Be Used For Randomness
+
+   As described below, many computers come with hardware that can, with
+   care, be used to generate truly random quantities.
+
+5.3.1 Using Existing Sound/Video Input
+
+   Increasingly computers are being built with inputs that digitize some
+   real world analog source, such as sound from a microphone or video
+   input from a camera.  Under appropriate circumstances, such input can
+   provide reasonably high quality random bits.  The "input" from a
+   sound digitizer with no source plugged in or a camera with the lens
+   cap on, if the system has enough gain to detect anything, is
+   essentially thermal noise.
+
+   For example, on a SPARCstation, one can read from the /dev/audio
+   device with nothing plugged into the microphone jack.  Such data is
+   essentially random noise although it should not be trusted without
+   some checking in case of hardware failure.  It will, in any case,
+   need to be de-skewed as described elsewhere.
+
+   Combining this with compression to de-skew one can, in UNIXese,
+   generate a huge amount of medium quality random data by doing
+
+        cat /dev/audio | compress - >random-bits-file
+
+5.3.2 Using Existing Disk Drives
+
+   Disk drives have small random fluctuations in their rotational speed
+   due to chaotic air turbulence [DAVIS].  By adding low level disk seek
+   time instrumentation to a system, a series of measurements can be
+   obtained that include this randomness. Such data is usually highly
+   correlated so that significant processing is needed, including FFT
+   (see section 5.2.3).  Nevertheless experimentation has shown that,
+   with such processing, disk drives easily produce 100 bits a minute or
+   more of excellent random data.
+
+   Partly offsetting this need for processing is the fact that disk
+   drive failure will normally be rapidly noticed.  Thus, problems with
+   this method of random number generation due to hardware failure are
+   very unlikely.
+
+6. Recommended Non-Hardware Strategy
+
+   What is the best overall strategy for meeting the requirement for
+   unguessable random numbers in the absence of a reliable hardware
+   source?  It is to obtain random input from a large number of
+   uncorrelated sources and to mix them with a strong mixing function.
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 14]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   Such a function will preserve the randomness present in any of the
+   sources even if other quantities being combined are fixed or easily
+   guessable.  This may be advisable even with a good hardware source as
+   hardware can also fail, though this should be weighed against any
+   increase in the chance of overall failure due to added software
+   complexity.
+
+6.1 Mixing Functions
+
+   A strong mixing function is one which combines two or more inputs and
+   produces an output where each output bit is a different complex non-
+   linear function of all the input bits.  On average, changing any
+   input bit will change about half the output bits.  But because the
+   relationship is complex and non-linear, no particular output bit is
+   guaranteed to change when any particular input bit is changed.
+
+   Consider the problem of converting a stream of bits that is skewed
+   towards 0 or 1 to a shorter stream which is more random, as discussed
+   in Section 5.2 above.  This is simply another case where a strong
+   mixing function is desired, mixing the input bits to produce a
+   smaller number of output bits.  The technique given in Section 5.2.1
+   of using the parity of a number of bits is simply the result of
+   successively Exclusive Or'ing them which is examined as a trivial
+   mixing function immediately below.  Use of stronger mixing functions
+   to extract more of the randomness in a stream of skewed bits is
+   examined in Section 6.1.2.
+
+6.1.1 A Trivial Mixing Function
+
+   A trivial example for single bit inputs is the Exclusive Or function,
+   which is equivalent to addition without carry, as show in the table
+   below.  This is a degenerate case in which the one output bit always
+   changes for a change in either input bit.  But, despite its
+   simplicity, it will still provide a useful illustration.
+
+                   +-----------+-----------+----------+
+                   |  input 1  |  input 2  |  output  |
+                   +-----------+-----------+----------+
+                   |     0     |     0     |     0    |
+                   |     0     |     1     |     1    |
+                   |     1     |     0     |     1    |
+                   |     1     |     1     |     0    |
+                   +-----------+-----------+----------+
+
+   If inputs 1 and 2 are uncorrelated and combined in this fashion then
+   the output will be an even better (less skewed) random bit than the
+   inputs.  If we assume an "eccentricity" e as defined in Section 5.2
+   above, then the output eccentricity relates to the input eccentricity
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 15]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   as follows:
+
+        e       = 2 * e        * e
+         output        input 1    input 2
+
+   Since e is never greater than 1/2, the eccentricity is always
+   improved except in the case where at least one input is a totally
+   skewed constant.  This is illustrated in the following table where
+   the top and left side values are the two input eccentricities and the
+   entries are the output eccentricity:
+
+     +--------+--------+--------+--------+--------+--------+--------+
+     |    e   |  0.00  |  0.10  |  0.20  |  0.30  |  0.40  |  0.50  |
+     +--------+--------+--------+--------+--------+--------+--------+
+     |  0.00  |  0.00  |  0.00  |  0.00  |  0.00  |  0.00  |  0.00  |
+     |  0.10  |  0.00  |  0.02  |  0.04  |  0.06  |  0.08  |  0.10  |
+     |  0.20  |  0.00  |  0.04  |  0.08  |  0.12  |  0.16  |  0.20  |
+     |  0.30  |  0.00  |  0.06  |  0.12  |  0.18  |  0.24  |  0.30  |
+     |  0.40  |  0.00  |  0.08  |  0.16  |  0.24  |  0.32  |  0.40  |
+     |  0.50  |  0.00  |  0.10  |  0.20  |  0.30  |  0.40  |  0.50  |
+     +--------+--------+--------+--------+--------+--------+--------+
+
+   However, keep in mind that the above calculations assume that the
+   inputs are not correlated.  If the inputs were, say, the parity of
+   the number of minutes from midnight on two clocks accurate to a few
+   seconds, then each might appear random if sampled at random intervals
+   much longer than a minute.  Yet if they were both sampled and
+   combined with xor, the result would be zero most of the time.
+
+6.1.2 Stronger Mixing Functions
+
+   The US Government Data Encryption Standard [DES] is an example of a
+   strong mixing function for multiple bit quantities.  It takes up to
+   120 bits of input (64 bits of "data" and 56 bits of "key") and
+   produces 64 bits of output each of which is dependent on a complex
+   non-linear function of all input bits.  Other strong encryption
+   functions with this characteristic can also be used by considering
+   them to mix all of their key and data input bits.
+
+   Another good family of mixing functions are the "message digest" or
+   hashing functions such as The US Government Secure Hash Standard
+   [SHS] and the MD2, MD4, MD5 [MD2, MD4, MD5] series.  These functions
+   all take an arbitrary amount of input and produce an output mixing
+   all the input bits. The MD* series produce 128 bits of output and SHS
+   produces 160 bits.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 16]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   Although the message digest functions are designed for variable
+   amounts of input, DES and other encryption functions can also be used
+   to combine any number of inputs.  If 64 bits of output is adequate,
+   the inputs can be packed into a 64 bit data quantity and successive
+   56 bit keys, padding with zeros if needed, which are then used to
+   successively encrypt using DES in Electronic Codebook Mode [DES
+   MODES].  If more than 64 bits of output are needed, use more complex
+   mixing.  For example, if inputs are packed into three quantities, A,
+   B, and C, use DES to encrypt A with B as a key and then with C as a
+   key to produce the 1st part of the output, then encrypt B with C and
+   then A for more output and, if necessary, encrypt C with A and then B
+   for yet more output.  Still more output can be produced by reversing
+   the order of the keys given above to stretch things. The same can be
+   done with the hash functions by hashing various subsets of the input
+   data to produce multiple outputs.  But keep in mind that it is
+   impossible to get more bits of "randomness" out than are put in.
+
+   An example of using a strong mixing function would be to reconsider
+   the case of a string of 308 bits each of which is biased 99% towards
+   zero.  The parity technique given in Section 5.2.1 above reduced this
+   to one bit with only a 1/1000 deviance from being equally likely a
+   zero or one.  But, applying the equation for information given in
+   Section 2, this 308 bit sequence has 5 bits of information in it.
+   Thus hashing it with SHS or MD5 and taking the bottom 5 bits of the
+   result would yield 5 unbiased random bits as opposed to the single
+   bit given by calculating the parity of the string.
+
+6.1.3 Diffie-Hellman as a Mixing Function
+
+   Diffie-Hellman exponential key exchange is a technique that yields a
+   shared secret between two parties that can be made computationally
+   infeasible for a third party to determine even if they can observe
+   all the messages between the two communicating parties.  This shared
+   secret is a mixture of initial quantities generated by each of them
+   [D-H].  If these initial quantities are random, then the shared
+   secret contains the combined randomness of them both, assuming they
+   are uncorrelated.
+
+6.1.4 Using a Mixing Function to Stretch Random Bits
+
+   While it is not necessary for a mixing function to produce the same
+   or fewer bits than its inputs, mixing bits cannot "stretch" the
+   amount of random unpredictability present in the inputs.  Thus four
+   inputs of 32 bits each where there is 12 bits worth of
+   unpredicatability (such as 4,096 equally probable values) in each
+   input cannot produce more than 48 bits worth of unpredictable output.
+   The output can be expanded to hundreds or thousands of bits by, for
+   example, mixing with successive integers, but the clever adversary's
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 17]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   search space is still 2^48 possibilities.  Furthermore, mixing to
+   fewer bits than are input will tend to strengthen the randomness of
+   the output the way using Exclusive Or to produce one bit from two did
+   above.
+
+   The last table in Section 6.1.1 shows that mixing a random bit with a
+   constant bit with Exclusive Or will produce a random bit.  While this
+   is true, it does not provide a way to "stretch" one random bit into
+   more than one.  If, for example, a random bit is mixed with a 0 and
+   then with a 1, this produces a two bit sequence but it will always be
+   either 01 or 10.  Since there are only two possible values, there is
+   still only the one bit of original randomness.
+
+6.1.5 Other Factors in Choosing a Mixing Function
+
+   For local use, DES has the advantages that it has been widely tested
+   for flaws, is widely documented, and is widely implemented with
+   hardware and software implementations available all over the world
+   including source code available by anonymous FTP.  The SHS and MD*
+   family are younger algorithms which have been less tested but there
+   is no particular reason to believe they are flawed.  Both MD5 and SHS
+   were derived from the earlier MD4 algorithm.  They all have source
+   code available by anonymous FTP [SHS, MD2, MD4, MD5].
+
+   DES and SHS have been vouched for the the US National Security Agency
+   (NSA) on the basis of criteria that primarily remain secret.  While
+   this is the cause of much speculation and doubt, investigation of DES
+   over the years has indicated that NSA involvement in modifications to
+   its design, which originated with IBM, was primarily to strengthen
+   it.  No concealed or special weakness has been found in DES.  It is
+   almost certain that the NSA modification to MD4 to produce the SHS
+   similarly strengthened the algorithm, possibly against threats not
+   yet known in the public cryptographic community.
+
+   DES, SHS, MD4, and MD5 are royalty free for all purposes.  MD2 has
+   been freely licensed only for non-profit use in connection with
+   Privacy Enhanced Mail [PEM].  Between the MD* algorithms, some people
+   believe that, as with "Goldilocks and the Three Bears", MD2 is strong
+   but too slow, MD4 is fast but too weak, and MD5 is just right.
+
+   Another advantage of the MD* or similar hashing algorithms over
+   encryption algorithms is that they are not subject to the same
+   regulations imposed by the US Government prohibiting the unlicensed
+   export or import of encryption/decryption software and hardware.  The
+   same should be true of DES rigged to produce an irreversible hash
+   code but most DES packages are oriented to reversible encryption.
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 18]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+6.2 Non-Hardware Sources of Randomness
+
+   The best source of input for mixing would be a hardware randomness
+   such as disk drive timing affected by air turbulence, audio input
+   with thermal noise, or radioactive decay.  However, if that is not
+   available there are other possibilities.  These include system
+   clocks, system or input/output buffers, user/system/hardware/network
+   serial numbers and/or addresses and timing, and user input.
+   Unfortunately, any of these sources can produce limited or
+   predicatable values under some circumstances.
+
+   Some of the sources listed above would be quite strong on multi-user
+   systems where, in essence, each user of the system is a source of
+   randomness.  However, on a small single user system, such as a
+   typical IBM PC or Apple Macintosh, it might be possible for an
+   adversary to assemble a similar configuration.  This could give the
+   adversary inputs to the mixing process that were sufficiently
+   correlated to those used originally as to make exhaustive search
+   practical.
+
+   The use of multiple random inputs with a strong mixing function is
+   recommended and can overcome weakness in any particular input.  For
+   example, the timing and content of requested "random" user keystrokes
+   can yield hundreds of random bits but conservative assumptions need
+   to be made.  For example, assuming a few bits of randomness if the
+   inter-keystroke interval is unique in the sequence up to that point
+   and a similar assumption if the key hit is unique but assuming that
+   no bits of randomness are present in the initial key value or if the
+   timing or key value duplicate previous values.  The results of mixing
+   these timings and characters typed could be further combined with
+   clock values and other inputs.
+
+   This strategy may make practical portable code to produce good random
+   numbers for security even if some of the inputs are very weak on some
+   of the target systems.  However, it may still fail against a high
+   grade attack on small single user systems, especially if the
+   adversary has ever been able to observe the generation process in the
+   past.  A hardware based random source is still preferable.
+
+6.3 Cryptographically Strong Sequences
+
+   In cases where a series of random quantities must be generated, an
+   adversary may learn some values in the sequence.  In general, they
+   should not be able to predict other values from the ones that they
+   know.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 19]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   The correct technique is to start with a strong random seed, take
+   cryptographically strong steps from that seed [CRYPTO2, CRYPTO3], and
+   do not reveal the complete state of the generator in the sequence
+   elements.  If each value in the sequence can be calculated in a fixed
+   way from the previous value, then when any value is compromised, all
+   future values can be determined.  This would be the case, for
+   example, if each value were a constant function of the previously
+   used values, even if the function were a very strong, non-invertible
+   message digest function.
+
+   It should be noted that if your technique for generating a sequence
+   of key values is fast enough, it can trivially be used as the basis
+   for a confidentiality system.  If two parties use the same sequence
+   generating technique and start with the same seed material, they will
+   generate identical sequences.  These could, for example, be xor'ed at
+   one end with data being send, encrypting it, and xor'ed with this
+   data as received, decrypting it due to the reversible properties of
+   the xor operation.
+
+6.3.1 Traditional Strong Sequences
+
+   A traditional way to achieve a strong sequence has been to have the
+   values be produced by hashing the quantities produced by
+   concatenating the seed with successive integers or the like and then
+   mask the values obtained so as to limit the amount of generator state
+   available to the adversary.
+
+   It may also be possible to use an "encryption" algorithm with a
+   random key and seed value to encrypt and feedback some or all of the
+   output encrypted value into the value to be encrypted for the next
+   iteration.  Appropriate feedback techniques will usually be
+   recommended with the encryption algorithm.  An example is shown below
+   where shifting and masking are used to combine the cypher output
+   feedback.  This type of feedback is recommended by the US Government
+   in connection with DES [DES MODES].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 20]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+      +---------------+
+      |       V       |
+      |  |     n      |
+      +--+------------+
+            |      |           +---------+
+            |      +---------> |         |      +-----+
+         +--+                  | Encrypt | <--- | Key |
+         |           +-------- |         |      +-----+
+         |           |         +---------+
+         V           V
+      +------------+--+
+      |      V     |  |
+      |       n+1     |
+      +---------------+
+
+   Note that if a shift of one is used, this is the same as the shift
+   register technique described in Section 3 above but with the all
+   important difference that the feedback is determined by a complex
+   non-linear function of all bits rather than a simple linear or
+   polynomial combination of output from a few bit position taps.
+
+   It has been shown by Donald W. Davies that this sort of shifted
+   partial output feedback significantly weakens an algorithm compared
+   will feeding all of the output bits back as input.  In particular,
+   for DES, repeated encrypting a full 64 bit quantity will give an
+   expected repeat in about 2^63 iterations.  Feeding back anything less
+   than 64 (and more than 0) bits will give an expected repeat in
+   between 2**31 and 2**32 iterations!
+
+   To predict values of a sequence from others when the sequence was
+   generated by these techniques is equivalent to breaking the
+   cryptosystem or inverting the "non-invertible" hashing involved with
+   only partial information available.  The less information revealed
+   each iteration, the harder it will be for an adversary to predict the
+   sequence.  Thus it is best to use only one bit from each value.  It
+   has been shown that in some cases this makes it impossible to break a
+   system even when the cryptographic system is invertible and can be
+   broken if all of each generated value was revealed.
+
+6.3.2 The Blum Blum Shub Sequence Generator
+
+   Currently the generator which has the strongest public proof of
+   strength is called the Blum Blum Shub generator after its inventors
+   [BBS].  It is also very simple and is based on quadratic residues.
+   It's only disadvantage is that is is computationally intensive
+   compared with the traditional techniques give in 6.3.1 above.  This
+   is not a serious draw back if it is used for moderately infrequent
+   purposes, such as generating session keys.
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 21]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   Simply choose two large prime numbers, say p and q, which both have
+   the property that you get a remainder of 3 if you divide them by 4.
+   Let n = p * q.  Then you choose a random number x relatively prime to
+   n.  The initial seed for the generator and the method for calculating
+   subsequent values are then
+
+                   2
+        s    =  ( x  )(Mod n)
+         0
+
+                   2
+        s    = ( s   )(Mod n)
+         i+1      i
+
+   You must be careful to use only a few bits from the bottom of each s.
+   It is always safe to use only the lowest order bit.  If you use no
+   more than the
+
+                  log  ( log  ( s  ) )
+                     2      2    i
+
+   low order bits, then predicting any additional bits from a sequence
+   generated in this manner is provable as hard as factoring n.  As long
+   as the initial x is secret, you can even make n public if you want.
+
+   An intersting characteristic of this generator is that you can
+   directly calculate any of the s values.  In particular
+
+                     i
+               ( ( 2  )(Mod (( p - 1 ) * ( q - 1 )) ) )
+      s  = ( s                                          )(Mod n)
+       i      0
+
+   This means that in applications where many keys are generated in this
+   fashion, it is not necessary to save them all.  Each key can be
+   effectively indexed and recovered from that small index and the
+   initial s and n.
+
+7. Key Generation Standards
+
+   Several public standards are now in place for the generation of keys.
+   Two of these are described below.  Both use DES but any equally
+   strong or stronger mixing function could be substituted.
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 22]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+7.1 US DoD Recommendations for Password Generation
+
+   The United States Department of Defense has specific recommendations
+   for password generation [DoD].  They suggest using the US Data
+   Encryption Standard [DES] in Output Feedback Mode [DES MODES] as
+   follows:
+
+        use an initialization vector determined from
+             the system clock,
+             system ID,
+             user ID, and
+             date and time;
+        use a key determined from
+             system interrupt registers,
+             system status registers, and
+             system counters; and,
+        as plain text, use an external randomly generated 64 bit
+        quantity such as 8 characters typed in by a system
+        administrator.
+
+   The password can then be calculated from the 64 bit "cipher text"
+   generated in 64-bit Output Feedback Mode.  As many bits as are needed
+   can be taken from these 64 bits and expanded into a pronounceable
+   word, phrase, or other format if a human being needs to remember the
+   password.
+
+7.2 X9.17 Key Generation
+
+   The American National Standards Institute has specified a method for
+   generating a sequence of keys as follows:
+
+        s  is the initial 64 bit seed
+         0
+
+        g  is the sequence of generated 64 bit key quantities
+         n
+
+        k is a random key reserved for generating this key sequence
+
+        t is the time at which a key is generated to as fine a resolution
+            as is available (up to 64 bits).
+
+        DES ( K, Q ) is the DES encryption of quantity Q with key K
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 23]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+        g    = DES ( k, DES ( k, t ) .xor. s  )
+         n                                  n
+
+        s    = DES ( k, DES ( k, t ) .xor. g  )
+         n+1                                n
+
+   If g sub n is to be used as a DES key, then every eighth bit should
+   be adjusted for parity for that use but the entire 64 bit unmodified
+   g should be used in calculating the next s.
+
+8. Examples of Randomness Required
+
+   Below are two examples showing rough calculations of needed
+   randomness for security.  The first is for moderate security
+   passwords while the second assumes a need for a very high security
+   cryptographic key.
+
+8.1  Password Generation
+
+   Assume that user passwords change once a year and it is desired that
+   the probability that an adversary could guess the password for a
+   particular account be less than one in a thousand.  Further assume
+   that sending a password to the system is the only way to try a
+   password.  Then the crucial question is how often an adversary can
+   try possibilities.  Assume that delays have been introduced into a
+   system so that, at most, an adversary can make one password try every
+   six seconds.  That's 600 per hour or about 15,000 per day or about
+   5,000,000 tries in a year.  Assuming any sort of monitoring, it is
+   unlikely someone could actually try continuously for a year.  In
+   fact, even if log files are only checked monthly, 500,000 tries is
+   more plausible before the attack is noticed and steps taken to change
+   passwords and make it harder to try more passwords.
+
+   To have a one in a thousand chance of guessing the password in
+   500,000 tries implies a universe of at least 500,000,000 passwords or
+   about 2^29.  Thus 29 bits of randomness are needed. This can probably
+   be achieved using the US DoD recommended inputs for password
+   generation as it has 8 inputs which probably average over 5 bits of
+   randomness each (see section 7.1).  Using a list of 1000 words, the
+   password could be expressed as a three word phrase (1,000,000,000
+   possibilities) or, using case insensitive letters and digits, six
+   would suffice ((26+10)^6 = 2,176,782,336 possibilities).
+
+   For a higher security password, the number of bits required goes up.
+   To decrease the probability by 1,000 requires increasing the universe
+   of passwords by the same factor which adds about 10 bits.  Thus to
+   have only a one in a million chance of a password being guessed under
+   the above scenario would require 39 bits of randomness and a password
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 24]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   that was a four word phrase from a 1000 word list or eight
+   letters/digits.  To go to a one in 10^9 chance, 49 bits of randomness
+   are needed implying a five word phrase or ten letter/digit password.
+
+   In a real system, of course, there are also other factors.  For
+   example, the larger and harder to remember passwords are, the more
+   likely users are to write them down resulting in an additional risk
+   of compromise.
+
+8.2 A Very High Security Cryptographic Key
+
+   Assume that a very high security key is needed for symmetric
+   encryption / decryption between two parties.  Assume an adversary can
+   observe communications and knows the algorithm being used.  Within
+   the field of random possibilities, the adversary can try key values
+   in hopes of finding the one in use.  Assume further that brute force
+   trial of keys is the best the adversary can do.
+
+8.2.1 Effort per Key Trial
+
+   How much effort will it take to try each key?  For very high security
+   applications it is best to assume a low value of effort.  Even if it
+   would clearly take tens of thousands of computer cycles or more to
+   try a single key, there may be some pattern that enables huge blocks
+   of key values to be tested with much less effort per key.  Thus it is
+   probably best to assume no more than a couple hundred cycles per key.
+   (There is no clear lower bound on this as computers operate in
+   parallel on a number of bits and a poor encryption algorithm could
+   allow many keys or even groups of keys to be tested in parallel.
+   However, we need to assume some value and can hope that a reasonably
+   strong algorithm has been chosen for our hypothetical high security
+   task.)
+
+   If the adversary can command a highly parallel processor or a large
+   network of work stations, 2*10^10 cycles per second is probably a
+   minimum assumption for availability today.  Looking forward just a
+   couple years, there should be at least an order of magnitude
+   improvement.  Thus assuming 10^9 keys could be checked per second or
+   3.6*10^11 per hour or 6*10^13 per week or 2.4*10^14 per month is
+   reasonable.  This implies a need for a minimum of 51 bits of
+   randomness in keys to be sure they cannot be found in a month.  Even
+   then it is possible that, a few years from now, a highly determined
+   and resourceful adversary could break the key in 2 weeks (on average
+   they need try only half the keys).
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 25]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+8.2.2 Meet in the Middle Attacks
+
+   If chosen or known plain text and the resulting encrypted text are
+   available, a "meet in the middle" attack is possible if the structure
+   of the encryption algorithm allows it.  (In a known plain text
+   attack, the adversary knows all or part of the messages being
+   encrypted, possibly some standard header or trailer fields.  In a
+   chosen plain text attack, the adversary can force some chosen plain
+   text to be encrypted, possibly by "leaking" an exciting text that
+   would then be sent by the adversary over an encrypted channel.)
+
+   An oversimplified explanation of the meet in the middle attack is as
+   follows: the adversary can half-encrypt the known or chosen plain
+   text with all possible first half-keys, sort the output, then half-
+   decrypt the encoded text with all the second half-keys.  If a match
+   is found, the full key can be assembled from the halves and used to
+   decrypt other parts of the message or other messages.  At its best,
+   this type of attack can halve the exponent of the work required by
+   the adversary while adding a large but roughly constant factor of
+   effort.  To be assured of safety against this, a doubling of the
+   amount of randomness in the key to a minimum of 102 bits is required.
+
+   The meet in the middle attack assumes that the cryptographic
+   algorithm can be decomposed in this way but we can not rule that out
+   without a deep knowledge of the algorithm.  Even if a basic algorithm
+   is not subject to a meet in the middle attack, an attempt to produce
+   a stronger algorithm by applying the basic algorithm twice (or two
+   different algorithms sequentially) with different keys may gain less
+   added security than would be expected.  Such a composite algorithm
+   would be subject to a meet in the middle attack.
+
+   Enormous resources may be required to mount a meet in the middle
+   attack but they are probably within the range of the national
+   security services of a major nation.  Essentially all nations spy on
+   other nations government traffic and several nations are believed to
+   spy on commercial traffic for economic advantage.
+
+8.2.3 Other Considerations
+
+   Since we have not even considered the possibilities of special
+   purpose code breaking hardware or just how much of a safety margin we
+   want beyond our assumptions above, probably a good minimum for a very
+   high security cryptographic key is 128 bits of randomness which
+   implies a minimum key length of 128 bits.  If the two parties agree
+   on a key by Diffie-Hellman exchange [D-H], then in principle only
+   half of this randomness would have to be supplied by each party.
+   However, there is probably some correlation between their random
+   inputs so it is probably best to assume that each party needs to
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 26]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   provide at least 96 bits worth of randomness for very high security
+   if Diffie-Hellman is used.
+
+   This amount of randomness is beyond the limit of that in the inputs
+   recommended by the US DoD for password generation and could require
+   user typing timing, hardware random number generation, or other
+   sources.
+
+   It should be noted that key length calculations such at those above
+   are controversial and depend on various assumptions about the
+   cryptographic algorithms in use.  In some cases, a professional with
+   a deep knowledge of code breaking techniques and of the strength of
+   the algorithm in use could be satisfied with less than half of the
+   key size derived above.
+
+9. Conclusion
+
+   Generation of unguessable "random" secret quantities for security use
+   is an essential but difficult task.
+
+   We have shown that hardware techniques to produce such randomness
+   would be relatively simple.  In particular, the volume and quality
+   would not need to be high and existing computer hardware, such as
+   disk drives, can be used.  Computational techniques are available to
+   process low quality random quantities from multiple sources or a
+   larger quantity of such low quality input from one source and produce
+   a smaller quantity of higher quality, less predictable key material.
+   In the absence of hardware sources of randomness, a variety of user
+   and software sources can frequently be used instead with care;
+   however, most modern systems already have hardware, such as disk
+   drives or audio input, that could be used to produce high quality
+   randomness.
+
+   Once a sufficient quantity of high quality seed key material (a few
+   hundred bits) is available, strong computational techniques are
+   available to produce cryptographically strong sequences of
+   unpredicatable quantities from this seed material.
+
+10. Security Considerations
+
+   The entirety of this document concerns techniques and recommendations
+   for generating unguessable "random" quantities for use as passwords,
+   cryptographic keys, and similar security uses.
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 27]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+References
+
+   [ASYMMETRIC] - Secure Communications and Asymmetric Cryptosystems,
+   edited by Gustavus J. Simmons, AAAS Selected Symposium 69, Westview
+   Press, Inc.
+
+   [BBS] - A Simple Unpredictable Pseudo-Random Number Generator, SIAM
+   Journal on Computing, v. 15, n. 2, 1986, L. Blum, M. Blum, & M. Shub.
+
+   [BRILLINGER] - Time Series: Data Analysis and Theory, Holden-Day,
+   1981, David Brillinger.
+
+   [CRC] - C.R.C. Standard Mathematical Tables, Chemical Rubber
+   Publishing Company.
+
+   [CRYPTO1] - Cryptography: A Primer, A Wiley-Interscience Publication,
+   John Wiley & Sons, 1981, Alan G. Konheim.
+
+   [CRYPTO2] - Cryptography:  A New Dimension in Computer Data Security,
+   A Wiley-Interscience Publication, John Wiley & Sons, 1982, Carl H.
+   Meyer & Stephen M. Matyas.
+
+   [CRYPTO3] - Applied Cryptography: Protocols, Algorithms, and Source
+   Code in C, John Wiley & Sons, 1994, Bruce Schneier.
+
+   [DAVIS] - Cryptographic Randomness from Air Turbulence in Disk
+   Drives, Advances in Cryptology - Crypto '94, Springer-Verlag Lecture
+   Notes in Computer Science #839, 1984, Don Davis, Ross Ihaka, and
+   Philip Fenstermacher.
+
+   [DES] -  Data Encryption Standard, United States of America,
+   Department of Commerce, National Institute of Standards and
+   Technology, Federal Information Processing Standard (FIPS) 46-1.
+   - Data Encryption Algorithm, American National Standards Institute,
+   ANSI X3.92-1981.
+   (See also FIPS 112, Password Usage, which includes FORTRAN code for
+   performing DES.)
+
+   [DES MODES] - DES Modes of Operation, United States of America,
+   Department of Commerce, National Institute of Standards and
+   Technology, Federal Information Processing Standard (FIPS) 81.
+   - Data Encryption Algorithm - Modes of Operation, American National
+   Standards Institute, ANSI X3.106-1983.
+
+   [D-H] - New Directions in Cryptography, IEEE Transactions on
+   Information Technology, November, 1976, Whitfield Diffie and Martin
+   E. Hellman.
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 28]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   [DoD] - Password Management Guideline, United States of America,
+   Department of Defense, Computer Security Center, CSC-STD-002-85.
+   (See also FIPS 112, Password Usage, which incorporates CSC-STD-002-85
+   as one of its appendices.)
+
+   [GIFFORD] - Natural Random Number, MIT/LCS/TM-371, September 1988,
+   David K. Gifford
+
+   [KNUTH] - The Art of Computer Programming, Volume 2: Seminumerical
+   Algorithms, Chapter 3: Random Numbers. Addison Wesley Publishing
+   Company, Second Edition 1982, Donald E. Knuth.
+
+   [KRAWCZYK] - How to Predict Congruential Generators, Journal of
+   Algorithms, V. 13, N. 4, December 1992, H. Krawczyk
+
+   [MD2] - The MD2 Message-Digest Algorithm, RFC1319, April 1992, B.
+   Kaliski
+   [MD4] - The MD4 Message-Digest Algorithm, RFC1320, April 1992, R.
+   Rivest
+   [MD5] - The MD5 Message-Digest Algorithm, RFC1321, April 1992, R.
+   Rivest
+
+   [PEM] - RFCs 1421 through 1424:
+   - RFC 1424, Privacy Enhancement for Internet Electronic Mail: Part
+   IV: Key Certification and Related Services, 02/10/1993, B. Kaliski
+   - RFC 1423, Privacy Enhancement for Internet Electronic Mail: Part
+   III: Algorithms, Modes, and Identifiers, 02/10/1993, D. Balenson
+   - RFC 1422, Privacy Enhancement for Internet Electronic Mail: Part
+   II: Certificate-Based Key Management, 02/10/1993, S. Kent
+   - RFC 1421, Privacy Enhancement for Internet Electronic Mail: Part I:
+   Message Encryption and Authentication Procedures, 02/10/1993, J. Linn
+
+   [SHANNON] - The Mathematical Theory of Communication, University of
+   Illinois Press, 1963, Claude E. Shannon.  (originally from:  Bell
+   System Technical Journal, July and October 1948)
+
+   [SHIFT1] - Shift Register Sequences, Aegean Park Press, Revised
+   Edition 1982, Solomon W. Golomb.
+
+   [SHIFT2] - Cryptanalysis of Shift-Register Generated Stream Cypher
+   Systems, Aegean Park Press, 1984, Wayne G. Barker.
+
+   [SHS] - Secure Hash Standard, United States of American, National
+   Institute of Science and Technology, Federal Information Processing
+   Standard (FIPS) 180, April 1993.
+
+   [STERN] - Secret Linear Congruential Generators are not
+   Cryptograhically Secure, Proceedings of IEEE STOC, 1987, J. Stern.
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 29]
+
+RFC 1750        Randomness Recommendations for Security    December 1994
+
+
+   [VON NEUMANN] - Various techniques used in connection with random
+   digits, von Neumann's Collected Works, Vol. 5, Pergamon Press, 1963,
+   J. von Neumann.
+
+Authors' Addresses
+
+   Donald E. Eastlake 3rd
+   Digital Equipment Corporation
+   550 King Street, LKG2-1/BB3
+   Littleton, MA 01460
+
+   Phone:   +1 508 486 6577(w)  +1 508 287 4877(h)
+   EMail:   dee@lkg.dec.com
+
+
+   Stephen D. Crocker
+   CyberCash Inc.
+   2086 Hunters Crest Way
+   Vienna, VA 22181
+
+   Phone:   +1 703-620-1222(w)  +1 703-391-2651 (fax)
+   EMail:   crocker@cybercash.com
+
+
+   Jeffrey I. Schiller
+   Massachusetts Institute of Technology
+   77 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone:   +1 617 253 0161(w)
+   EMail:   jis@mit.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller                                   [Page 30]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc1831.txt b/crypto/heimdal/doc/standardisation/rfc1831.txt
new file mode 100644
index 0000000..0556c9e
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1831.txt
@@ -0,0 +1,1011 @@
+
+
+
+
+
+
+Network Working Group                                      R. Srinivasan
+Request for Comments: 1831                              Sun Microsystems
+Category: Standards Track                                    August 1995
+
+
+      RPC: Remote Procedure Call Protocol Specification Version 2
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+ABSTRACT
+
+   This document describes the ONC Remote Procedure Call (ONC RPC
+   Version 2) protocol as it is currently deployed and accepted.  "ONC"
+   stands for "Open Network Computing".
+
+TABLE OF CONTENTS
+
+      1. INTRODUCTION                                              2
+      2. TERMINOLOGY                                               2
+      3. THE RPC MODEL                                             2
+      4. TRANSPORTS AND SEMANTICS                                  4
+      5. BINDING AND RENDEZVOUS INDEPENDENCE                       5
+      6. AUTHENTICATION                                            5
+      7. RPC PROTOCOL REQUIREMENTS                                 5
+      7.1 RPC Programs and Procedures                              6
+      7.2 Authentication                                           7
+      7.3 Program Number Assignment                                8
+      7.4 Other Uses of the RPC Protocol                           8
+      7.4.1 Batching                                               8
+      7.4.2 Broadcast Remote Procedure Calls                       8
+      8. THE RPC MESSAGE PROTOCOL                                  9
+      9. AUTHENTICATION PROTOCOLS                                 12
+      9.1 Null Authentication                                     13
+      10. RECORD MARKING STANDARD                                 13
+      11. THE RPC LANGUAGE                                        13
+      11.1 An Example Service Described in the RPC Language       13
+      11.2 The RPC Language Specification                         14
+      11.3 Syntax Notes                                           15
+      APPENDIX A: SYSTEM AUTHENTICATION                           16
+      REFERENCES                                                  17
+      Security Considerations                                     18
+      Author's Address                                            18
+
+
+
+Srinivasan                  Standards Track                     [Page 1]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+1. INTRODUCTION
+
+   This document specifies version two of the message protocol used in
+   ONC Remote Procedure Call (RPC).  The message protocol is specified
+   with the eXternal Data Representation (XDR) language [9].  This
+   document assumes that the reader is familiar with XDR.  It does not
+   attempt to justify remote procedure calls systems or describe their
+   use.  The paper by Birrell and Nelson [1] is recommended as an
+   excellent background for the remote procedure call concept.
+
+2. TERMINOLOGY
+
+   This document discusses clients, calls, servers, replies, services,
+   programs, procedures, and versions.  Each remote procedure call has
+   two sides: an active client side that makes the call to a server,
+   which sends back a reply.  A network service is a collection of one
+   or more remote programs.  A remote program implements one or more
+   remote procedures; the procedures, their parameters, and results are
+   documented in the specific program's protocol specification.  A
+   server may support more than one version of a remote program in order
+   to be compatible with changing protocols.
+
+   For example, a network file service may be composed of two programs.
+   One program may deal with high-level applications such as file system
+   access control and locking.  The other may deal with low-level file
+   input and output and have procedures like "read" and "write".  A
+   client of the network file service would call the procedures
+   associated with the two programs of the service on behalf of the
+   client.
+
+   The terms client and server only apply to a particular transaction; a
+   particular hardware entity (host) or software entity (process or
+   program) could operate in both roles at different times.  For
+   example, a program that supplies remote execution service could also
+   be a client of a network file service.
+
+3. THE RPC MODEL
+
+   The ONC RPC protocol is based on the remote procedure call model,
+   which is similar to the local procedure call model.  In the local
+   case, the caller places arguments to a procedure in some well-
+   specified location (such as a register window).  It then transfers
+   control to the procedure, and eventually regains control.  At that
+   point, the results of the procedure are extracted from the well-
+   specified location, and the caller continues execution.
+
+
+
+
+
+
+Srinivasan                  Standards Track                     [Page 2]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+   The remote procedure call model is similar.  One thread of control
+   logically winds through two processes: the caller's process, and a
+   server's process.  The caller process first sends a call message to
+   the server process and waits (blocks) for a reply message.  The call
+   message includes the procedure's parameters, and the reply message
+   includes the procedure's results.  Once the reply message is
+   received, the results of the procedure are extracted, and caller's
+   execution is resumed.
+
+   On the server side, a process is dormant awaiting the arrival of a
+   call message.  When one arrives, the server process extracts the
+   procedure's parameters, computes the results, sends a reply message,
+   and then awaits the next call message.
+
+   In this model, only one of the two processes is active at any given
+   time.  However, this model is only given as an example.  The ONC RPC
+   protocol makes no restrictions on the concurrency model implemented,
+   and others are possible.  For example, an implementation may choose
+   to have RPC calls be asynchronous, so that the client may do useful
+   work while waiting for the reply from the server.  Another
+   possibility is to have the server create a separate task to process
+   an incoming call, so that the original server can be free to receive
+   other requests.
+
+   There are a few important ways in which remote procedure calls differ
+   from local procedure calls:
+
+      1. Error handling: failures of the remote server or network must
+      be handled when using remote procedure calls.
+
+      2. Global variables and side-effects: since the server does not
+      have access to the client's address space, hidden arguments cannot
+      be passed as global variables or returned as side effects.
+
+      3. Performance:  remote procedures usually operate one or more
+      orders of magnitude slower than local procedure calls.
+
+      4. Authentication: since remote procedure calls can be transported
+      over unsecured networks, authentication may be necessary.
+      Authentication prevents one entity from masquerading as some other
+      entity.
+
+   The conclusion is that even though there are tools to automatically
+   generate client and server libraries for a given service, protocols
+   must still be designed carefully.
+
+
+
+
+
+
+Srinivasan                  Standards Track                     [Page 3]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+4. TRANSPORTS AND SEMANTICS
+
+   The RPC protocol can be implemented on several different transport
+   protocols.  The RPC protocol does not care how a message is passed
+   from one process to another, but only with specification and
+   interpretation of messages.  However, the application may wish to
+   obtain information about (and perhaps control over) the transport
+   layer through an interface not specified in this document.  For
+   example, the transport protocol may impose a restriction on the
+   maximum size of RPC messages, or it may be stream-oriented like TCP
+   with no size limit.  The client and server must agree on their
+   transport protocol choices.
+
+   It is important to point out that RPC does not try to implement any
+   kind of reliability and that the application may need to be aware of
+   the type of transport protocol underneath RPC.  If it knows it is
+   running on top of a reliable transport such as TCP [6], then most of
+   the work is already done for it.  On the other hand, if it is running
+   on top of an unreliable transport such as UDP [7], it must implement
+   its own time-out, retransmission, and duplicate detection policies as
+   the RPC protocol does not provide these services.
+
+   Because of transport independence, the RPC protocol does not attach
+   specific semantics to the remote procedures or their execution
+   requirements.  Semantics can be inferred from (but should be
+   explicitly specified by) the underlying transport protocol.  For
+   example, consider RPC running on top of an unreliable transport such
+   as UDP.  If an application retransmits RPC call messages after time-
+   outs, and does not receive a reply, it cannot infer anything about
+   the number of times the procedure was executed.  If it does receive a
+   reply, then it can infer that the procedure was executed at least
+   once.
+
+   A server may wish to remember previously granted requests from a
+   client and not regrant them in order to insure some degree of
+   execute-at-most-once semantics.  A server can do this by taking
+   advantage of the transaction ID that is packaged with every RPC
+   message.  The main use of this transaction ID is by the client RPC
+   entity in matching replies to calls.  However, a client application
+   may choose to reuse its previous transaction ID when retransmitting a
+   call.  The server may choose to remember this ID after executing a
+   call and not execute calls with the same ID in order to achieve some
+   degree of execute-at-most-once semantics.  The server is not allowed
+   to examine this ID in any other way except as a test for equality.
+
+   On the other hand, if using a "reliable" transport such as TCP, the
+   application can infer from a reply message that the procedure was
+   executed exactly once, but if it receives no reply message, it cannot
+
+
+
+Srinivasan                  Standards Track                     [Page 4]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+   assume that the remote procedure was not executed.  Note that even if
+   a connection-oriented protocol like TCP is used, an application still
+   needs time-outs and reconnection to handle server crashes.
+
+   There are other possibilities for transports besides datagram- or
+   connection-oriented protocols.  For example, a request-reply protocol
+   such as VMTP [2] is perhaps a natural transport for RPC.  ONC RPC
+   uses both TCP and UDP transport protocols.  Section 10 (RECORD
+   MARKING STANDARD) describes the mechanism employed by ONC RPC to
+   utilize a connection-oriented, stream-oriented transport such as TCP.
+
+5. BINDING AND RENDEZVOUS INDEPENDENCE
+
+   The act of binding a particular client to a particular service and
+   transport parameters is NOT part of this RPC protocol specification.
+   This important and necessary function is left up to some higher-level
+   software.
+
+   Implementors could think of the RPC protocol as the jump-subroutine
+   instruction ("JSR") of a network; the loader (binder) makes JSR
+   useful, and the loader itself uses JSR to accomplish its task.
+   Likewise, the binding software makes RPC useful, possibly using RPC
+   to accomplish this task.
+
+6. AUTHENTICATION
+
+   The RPC protocol provides the fields necessary for a client to
+   identify itself to a service, and vice-versa, in each call and reply
+   message.  Security and access control mechanisms can be built on top
+   of this message authentication.  Several different authentication
+   protocols can be supported.  A field in the RPC header indicates
+   which protocol is being used. More information on specific
+   authentication protocols is in section 9: "Authentication Protocols".
+
+7. RPC PROTOCOL REQUIREMENTS
+
+   The RPC protocol must provide for the following:
+
+      (1) Unique specification of a procedure to be called.
+      (2) Provisions for matching response messages to request messages.
+      (3) Provisions for authenticating the caller to service and
+          vice-versa.
+
+
+
+
+
+
+
+
+
+Srinivasan                  Standards Track                     [Page 5]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+   Besides these requirements, features that detect the following are
+   worth supporting because of protocol roll-over errors, implementation
+   bugs, user error, and network administration:
+
+      (1) RPC protocol mismatches.
+      (2) Remote program protocol version mismatches.
+      (3) Protocol errors (such as misspecification of a procedure's
+          parameters).
+      (4) Reasons why remote authentication failed.
+      (5) Any other reasons why the desired procedure was not called.
+
+7.1 RPC Programs and Procedures
+
+   The RPC call message has three unsigned integer fields -- remote
+   program number, remote program version number, and remote procedure
+   number -- which uniquely identify the procedure to be called.
+   Program numbers are administered by a central authority
+   (rpc@sun.com).  Once implementors have a program number, they can
+   implement their remote program; the first implementation would most
+   likely have the version number 1.  Because most new protocols evolve,
+   a version field of the call message identifies which version of the
+   protocol the caller is using.  Version numbers enable support of both
+   old and new protocols through the same server process.
+
+   The procedure number identifies the procedure to be called.  These
+   numbers are documented in the specific program's protocol
+   specification.  For example, a file service's protocol specification
+   may state that its procedure number 5 is "read" and procedure number
+   12 is "write".
+
+   Just as remote program protocols may change over several versions,
+   the actual RPC message protocol could also change.  Therefore, the
+   call message also has in it the RPC version number, which is always
+   equal to two for the version of RPC described here.
+
+   The reply message to a request message has enough information to
+   distinguish the following error conditions:
+
+      (1) The remote implementation of RPC does not support protocol
+      version 2.  The lowest and highest supported RPC version numbers
+      are returned.
+
+      (2) The remote program is not available on the remote system.
+
+      (3) The remote program does not support the requested version
+      number.  The lowest and highest supported remote program version
+      numbers are returned.
+
+
+
+
+Srinivasan                  Standards Track                     [Page 6]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+      (4) The requested procedure number does not exist.  (This is
+      usually a client side protocol or programming error.)
+
+      (5) The parameters to the remote procedure appear to be garbage
+      from the server's point of view.  (Again, this is usually caused
+      by a disagreement about the protocol between client and service.)
+
+7.2 Authentication
+
+   Provisions for authentication of caller to service and vice-versa are
+   provided as a part of the RPC protocol.  The call message has two
+   authentication fields, the credential and verifier.  The reply
+   message has one authentication field, the response verifier.  The RPC
+   protocol specification defines all three fields to be the following
+   opaque type (in the eXternal Data Representation (XDR) language [9]):
+
+      enum auth_flavor {
+         AUTH_NONE       = 0,
+         AUTH_SYS        = 1,
+         AUTH_SHORT      = 2
+         /* and more to be defined */
+      };
+
+      struct opaque_auth {
+         auth_flavor flavor;
+         opaque body<400>;
+      };
+
+   In other words, any "opaque_auth" structure is an "auth_flavor"
+   enumeration followed by up to 400 bytes which are opaque to
+   (uninterpreted by) the RPC protocol implementation.
+
+   The interpretation and semantics of the data contained within the
+   authentication fields is specified by individual, independent
+   authentication protocol specifications.  (Section 9 defines the
+   various authentication protocols.)
+
+   If authentication parameters were rejected, the reply message
+   contains information stating why they were rejected.
+
+
+
+
+
+
+
+
+
+
+
+
+Srinivasan                  Standards Track                     [Page 7]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+7.3 Program Number Assignment
+
+   Program numbers are given out in groups of hexadecimal 20000000
+   (decimal 536870912) according to the following chart:
+
+              0 - 1fffffff   defined by rpc@sun.com
+       20000000 - 3fffffff   defined by user
+       40000000 - 5fffffff   transient
+       60000000 - 7fffffff   reserved
+       80000000 - 9fffffff   reserved
+       a0000000 - bfffffff   reserved
+       c0000000 - dfffffff   reserved
+       e0000000 - ffffffff   reserved
+
+   The first group is a range of numbers administered by rpc@sun.com and
+   should be identical for all sites.  The second range is for
+   applications peculiar to a particular site.  This range is intended
+   primarily for debugging new programs.  When a site develops an
+   application that might be of general interest, that application
+   should be given an assigned number in the first range.  Application
+   developers may apply for blocks of RPC program numbers in the first
+   range by sending electronic mail to "rpc@sun.com".  The third group
+   is for applications that generate program numbers dynamically.  The
+   final groups are reserved for future use, and should not be used.
+
+7.4 Other Uses of the RPC Protocol
+
+   The intended use of this protocol is for calling remote procedures.
+   Normally, each call message is matched with a reply message.
+   However, the protocol itself is a message-passing protocol with which
+   other (non-procedure call) protocols can be implemented.
+
+7.4.1 Batching
+
+   Batching is useful when a client wishes to send an arbitrarily large
+   sequence of call messages to a server.  Batching typically uses
+   reliable byte stream protocols (like TCP) for its transport.  In the
+   case of batching, the client never waits for a reply from the server,
+   and the server does not send replies to batch calls.  A sequence of
+   batch calls is usually terminated by a legitimate remote procedure
+   call operation in order to flush the pipeline and get positive
+   acknowledgement.
+
+7.4.2 Broadcast Remote Procedure Calls
+
+   In broadcast protocols, the client sends a broadcast call to the
+   network and waits for numerous replies.  This requires the use of
+   packet-based protocols (like UDP) as its transport protocol.  Servers
+
+
+
+Srinivasan                  Standards Track                     [Page 8]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+   that support broadcast protocols usually respond only when the call
+   is successfully processed and are silent in the face of errors, but
+   this varies with the application.
+
+   The principles of broadcast RPC also apply to multicasting - an RPC
+   request can be sent to a multicast address.
+
+8. THE RPC MESSAGE PROTOCOL
+
+   This section defines the RPC message protocol in the XDR data
+   description language [9].
+
+      enum msg_type {
+         CALL  = 0,
+         REPLY = 1
+      };
+
+   A reply to a call message can take on two forms: The message was
+   either accepted or rejected.
+
+      enum reply_stat {
+         MSG_ACCEPTED = 0,
+         MSG_DENIED   = 1
+      };
+
+   Given that a call message was accepted, the following is the status
+   of an attempt to call a remote procedure.
+
+      enum accept_stat {
+         SUCCESS       = 0, /* RPC executed successfully             */
+         PROG_UNAVAIL  = 1, /* remote hasn't exported program        */
+         PROG_MISMATCH = 2, /* remote can't support version #        */
+         PROC_UNAVAIL  = 3, /* program can't support procedure       */
+         GARBAGE_ARGS  = 4, /* procedure can't decode params         */
+         SYSTEM_ERR    = 5  /* errors like memory allocation failure */
+      };
+
+   Reasons why a call message was rejected:
+
+      enum reject_stat {
+         RPC_MISMATCH = 0, /* RPC version number != 2          */
+         AUTH_ERROR = 1    /* remote can't authenticate caller */
+      };
+
+   Why authentication failed:
+
+      enum auth_stat {
+         AUTH_OK           = 0,  /* success                          */
+
+
+
+Srinivasan                  Standards Track                     [Page 9]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+         /*
+          * failed at remote end
+          */
+         AUTH_BADCRED      = 1,  /* bad credential (seal broken)     */
+         AUTH_REJECTEDCRED = 2,  /* client must begin new session    */
+         AUTH_BADVERF      = 3,  /* bad verifier (seal broken)       */
+         AUTH_REJECTEDVERF = 4,  /* verifier expired or replayed     */
+         AUTH_TOOWEAK      = 5,  /* rejected for security reasons    */
+         /*
+          * failed locally
+          */
+         AUTH_INVALIDRESP  = 6,  /* bogus response verifier          */
+         AUTH_FAILED       = 7   /* reason unknown                   */
+      };
+
+   The RPC message:
+
+   All messages start with a transaction identifier, xid, followed by a
+   two-armed discriminated union.  The union's discriminant is a
+   msg_type which switches to one of the two types of the message.  The
+   xid of a REPLY message always matches that of the initiating CALL
+   message.  NB: The xid field is only used for clients matching reply
+   messages with call messages or for servers detecting retransmissions;
+   the service side cannot treat this id as any type of sequence number.
+
+      struct rpc_msg {
+         unsigned int xid;
+         union switch (msg_type mtype) {
+         case CALL:
+            call_body cbody;
+         case REPLY:
+            reply_body rbody;
+         } body;
+      };
+
+   Body of an RPC call:
+
+   In version 2 of the RPC protocol specification, rpcvers must be equal
+   to 2.  The fields prog, vers, and proc specify the remote program,
+   its version number, and the procedure within the remote program to be
+   called.  After these fields are two authentication parameters:  cred
+   (authentication credential) and verf (authentication verifier).  The
+   two authentication parameters are followed by the parameters to the
+   remote procedure, which are specified by the specific program
+   protocol.
+
+   The purpose of the authentication verifier is to validate the
+   authentication credential.  Note that these two items are
+
+
+
+Srinivasan                  Standards Track                    [Page 10]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+   historically separate, but are always used together as one logical
+   entity.
+
+      struct call_body {
+         unsigned int rpcvers;       /* must be equal to two (2) */
+         unsigned int prog;
+         unsigned int vers;
+         unsigned int proc;
+         opaque_auth  cred;
+         opaque_auth  verf;
+         /* procedure specific parameters start here */
+      };
+
+   Body of a reply to an RPC call:
+
+      union reply_body switch (reply_stat stat) {
+      case MSG_ACCEPTED:
+         accepted_reply areply;
+      case MSG_DENIED:
+         rejected_reply rreply;
+      } reply;
+
+   Reply to an RPC call that was accepted by the server:
+
+   There could be an error even though the call was accepted.  The first
+   field is an authentication verifier that the server generates in
+   order to validate itself to the client.  It is followed by a union
+   whose discriminant is an enum accept_stat.  The SUCCESS arm of the
+   union is protocol specific.  The PROG_UNAVAIL, PROC_UNAVAIL,
+   GARBAGE_ARGS, and SYSTEM_ERR arms of the union are void.  The
+   PROG_MISMATCH arm specifies the lowest and highest version numbers of
+   the remote program supported by the server.
+
+      struct accepted_reply {
+         opaque_auth verf;
+         union switch (accept_stat stat) {
+         case SUCCESS:
+            opaque results[0];
+            /*
+             * procedure-specific results start here
+             */
+          case PROG_MISMATCH:
+             struct {
+                unsigned int low;
+                unsigned int high;
+             } mismatch_info;
+          default:
+             /*
+
+
+
+Srinivasan                  Standards Track                    [Page 11]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+              * Void.  Cases include PROG_UNAVAIL, PROC_UNAVAIL,
+              * GARBAGE_ARGS, and SYSTEM_ERR.
+              */
+             void;
+          } reply_data;
+      };
+
+   Reply to an RPC call that was rejected by the server:
+
+   The call can be rejected for two reasons: either the server is not
+   running a compatible version of the RPC protocol (RPC_MISMATCH), or
+   the server rejects the identity of the caller (AUTH_ERROR). In case
+   of an RPC version mismatch, the server returns the lowest and highest
+   supported RPC version numbers.  In case of invalid authentication,
+   failure status is returned.
+
+      union rejected_reply switch (reject_stat stat) {
+      case RPC_MISMATCH:
+         struct {
+            unsigned int low;
+            unsigned int high;
+         } mismatch_info;
+      case AUTH_ERROR:
+         auth_stat stat;
+      };
+
+9. AUTHENTICATION PROTOCOLS
+
+   As previously stated, authentication parameters are opaque, but
+   open-ended to the rest of the RPC protocol.  This section defines two
+   standard "flavors" of authentication.  Implementors are free to
+   invent new authentication types, with the same rules of flavor number
+   assignment as there is for program number assignment.  The "flavor"
+   of a credential or verifier refers to the value of the "flavor" field
+   in the opaque_auth structure. Flavor numbers, like RPC program
+   numbers, are also administered centrally, and developers may assign
+   new flavor numbers by applying through electronic mail to
+   "rpc@sun.com".  Credentials and verifiers are represented as variable
+   length opaque data (the "body" field in the opaque_auth structure).
+
+   In this document, two flavors of authentication are described.  Of
+   these, Null authentication (described in the next subsection) is
+   mandatory - it must be available in all implementations.  System
+   authentication is described in Appendix A.  It is strongly
+   recommended that implementors include System authentication in their
+   implementations.  Many applications use this style of authentication,
+   and availability of this flavor in an implementation will enhance
+   interoperability.
+
+
+
+Srinivasan                  Standards Track                    [Page 12]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+9.1 Null Authentication
+
+   Often calls must be made where the client does not care about its
+   identity or the server does not care who the client is.  In this
+   case, the flavor of the RPC message's credential, verifier, and reply
+   verifier is "AUTH_NONE".  Opaque data associated with "AUTH_NONE" is
+   undefined.  It is recommended that the length of the opaque data be
+   zero.
+
+10. RECORD MARKING STANDARD
+
+   When RPC messages are passed on top of a byte stream transport
+   protocol (like TCP), it is necessary to delimit one message from
+   another in order to detect and possibly recover from protocol errors.
+   This is called record marking (RM).  One RPC message fits into one RM
+   record.
+
+   A record is composed of one or more record fragments.  A record
+   fragment is a four-byte header followed by 0 to (2**31) - 1 bytes of
+   fragment data.  The bytes encode an unsigned binary number; as with
+   XDR integers, the byte order is from highest to lowest.  The number
+   encodes two values -- a boolean which indicates whether the fragment
+   is the last fragment of the record (bit value 1 implies the fragment
+   is the last fragment) and a 31-bit unsigned binary value which is the
+   length in bytes of the fragment's data.  The boolean value is the
+   highest-order bit of the header; the length is the 31 low-order bits.
+   (Note that this record specification is NOT in XDR standard form!)
+
+11. THE RPC LANGUAGE
+
+   Just as there was a need to describe the XDR data-types in a formal
+   language, there is also need to describe the procedures that operate
+   on these XDR data-types in a formal language as well.  The RPC
+   Language is an extension to the XDR language, with the addition of
+   "program", "procedure", and "version" declarations.  The following
+   example is used to describe the essence of the language.
+
+11.1 An Example Service Described in the RPC Language
+
+   Here is an example of the specification of a simple ping program.
+
+   program PING_PROG {
+         /*
+          * Latest and greatest version
+          */
+         version PING_VERS_PINGBACK {
+            void
+            PINGPROC_NULL(void) = 0;
+
+
+
+Srinivasan                  Standards Track                    [Page 13]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+            /*
+             * Ping the client, return the round-trip time
+             * (in microseconds). Returns -1 if the operation
+             * timed out.
+             */
+            int
+            PINGPROC_PINGBACK(void) = 1;
+         } = 2;
+
+         /*
+          * Original version
+          */
+         version PING_VERS_ORIG {
+            void
+            PINGPROC_NULL(void) = 0;
+         } = 1;
+      } = 1;
+
+      const PING_VERS = 2;      /* latest version */
+
+   The first version described is PING_VERS_PINGBACK with two
+   procedures, PINGPROC_NULL and PINGPROC_PINGBACK.  PINGPROC_NULL takes
+   no arguments and returns no results, but it is useful for computing
+   round-trip times from the client to the server and back again.  By
+   convention, procedure 0 of any RPC protocol should have the same
+   semantics, and never require any kind of authentication.  The second
+   procedure is used for the client to have the server do a reverse ping
+   operation back to the client, and it returns the amount of time (in
+   microseconds) that the operation used.  The next version,
+   PING_VERS_ORIG, is the original version of the protocol and it does
+   not contain PINGPROC_PINGBACK procedure. It is useful for
+   compatibility with old client programs, and as this program matures
+   it may be dropped from the protocol entirely.
+
+11.2 The RPC Language Specification
+
+   The RPC language is identical to the XDR language defined in RFC
+   1014, except for the added definition of a "program-def" described
+   below.
+
+   program-def:
+      "program" identifier "{"
+         version-def
+         version-def *
+      "}" "=" constant ";"
+
+   version-def:
+      "version" identifier "{"
+
+
+
+Srinivasan                  Standards Track                    [Page 14]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+          procedure-def
+          procedure-def *
+      "}" "=" constant ";"
+
+   procedure-def:
+      type-specifier identifier "(" type-specifier
+        ("," type-specifier )* ")" "=" constant ";"
+
+11.3 Syntax Notes
+
+   (1) The following keywords are added and cannot be used as
+   identifiers: "program" and "version";
+
+   (2) A version name cannot occur more than once within the scope of a
+   program definition. Nor can a version number occur more than once
+   within the scope of a program definition.
+
+   (3) A procedure name cannot occur more than once within the scope of
+   a version definition. Nor can a procedure number occur more than once
+   within the scope of version definition.
+
+   (4) Program identifiers are in the same name space as constant and
+   type identifiers.
+
+   (5) Only unsigned constants can be assigned to programs, versions and
+   procedures.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Srinivasan                  Standards Track                    [Page 15]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+APPENDIX A: SYSTEM AUTHENTICATION
+
+   The client may wish to identify itself, for example, as it is
+   identified on a UNIX(tm) system.  The flavor of the client credential
+   is "AUTH_SYS".  The opaque data constituting the credential encodes
+   the following structure:
+
+      struct authsys_parms {
+         unsigned int stamp;
+         string machinename<255>;
+         unsigned int uid;
+         unsigned int gid;
+         unsigned int gids<16>;
+      };
+
+   The "stamp" is an arbitrary ID which the caller machine may generate.
+   The "machinename" is the name of the caller's machine (like
+   "krypton").  The "uid" is the caller's effective user ID.  The "gid"
+   is the caller's effective group ID.  The "gids" is a counted array of
+   groups which contain the caller as a member.  The verifier
+   accompanying the credential should have "AUTH_NONE" flavor value
+   (defined above).  Note this credential is only unique within a
+   particular domain of machine names, uids, and gids.
+
+   The flavor value of the verifier received in the reply message from
+   the server may be "AUTH_NONE" or "AUTH_SHORT".  In the case of
+   "AUTH_SHORT", the bytes of the reply verifier's string encode an
+   opaque structure.  This new opaque structure may now be passed to the
+   server instead of the original "AUTH_SYS" flavor credential.  The
+   server may keep a cache which maps shorthand opaque structures
+   (passed back by way of an "AUTH_SHORT" style reply verifier) to the
+   original credentials of the caller.  The caller can save network
+   bandwidth and server cpu cycles by using the shorthand credential.
+
+   The server may flush the shorthand opaque structure at any time.  If
+   this happens, the remote procedure call message will be rejected due
+   to an authentication error.  The reason for the failure will be
+   "AUTH_REJECTEDCRED".  At this point, the client may wish to try the
+   original "AUTH_SYS" style of credential.
+
+   It should be noted that use of this flavor of authentication does not
+   guarantee any security for the users or providers of a service, in
+   itself.  The authentication provided by this scheme can be considered
+   legitimate only when applications using this scheme and the network
+   can be secured externally, and privileged transport addresses are
+   used for the communicating end-points (an example of this is the use
+   of privileged TCP/UDP ports in Unix systems - note that not all
+   systems enforce privileged transport address mechanisms).
+
+
+
+Srinivasan                  Standards Track                    [Page 16]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+REFERENCES
+
+   [1]  Birrell, A. D.  & Nelson, B. J., "Implementing Remote Procedure
+        Calls", XEROX CSL-83-7, October 1983.
+
+   [2]  Cheriton, D., "VMTP: Versatile Message Transaction Protocol",
+        Preliminary Version 0.3, Stanford University, January 1987.
+
+   [3]  Diffie & Hellman, "New Directions in Cryptography", IEEE
+        Transactions on Information Theory IT-22, November 1976.
+
+   [4]  Mills, D., "Network Time Protocol", RFC 1305, UDEL,
+        March 1992.
+
+   [5]  National Bureau of Standards, "Data Encryption Standard",
+        Federal Information Processing Standards Publication 46, January
+        1977.
+
+   [6]  Postel, J., "Transmission Control Protocol - DARPA Internet
+        Program Protocol Specification", STD 7, RFC 793, USC/Information
+        Sciences Institute, September 1981.
+
+   [7]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
+        USC/Information Sciences Institute, August 1980.
+
+   [8]  Reynolds, J., and Postel, J., "Assigned Numbers", STD 2,
+        RFC 1700, USC/Information Sciences Institute, October 1994.
+
+   [9]  Srinivasan, R., "XDR: External Data Representation Standard",
+        RFC 1832, Sun Microsystems, Inc., August 1995.
+
+   [10] Miller, S., Neuman, C., Schiller, J., and  J. Saltzer, "Section
+        E.2.1: Kerberos  Authentication and Authorization System",
+        M.I.T. Project Athena, Cambridge, Massachusetts, December 21,
+        1987.
+
+   [11] Steiner, J., Neuman, C., and J. Schiller, "Kerberos: An
+        Authentication Service for Open Network Systems", pp. 191-202 in
+        Usenix Conference Proceedings, Dallas, Texas, February 1988.
+
+   [12] Kohl, J. and C. Neuman, "The Kerberos Network Authentication
+        Service (V5)", RFC 1510, Digital Equipment Corporation,
+        USC/Information Sciences Institute, September 1993.
+
+
+
+
+
+
+
+
+Srinivasan                  Standards Track                    [Page 17]
+
+RFC 1831        Remote Procedure Call Protocol Version 2     August 1995
+
+
+Security Considerations
+
+   Security issues are not discussed in this memo.
+
+Author's Address
+
+   Raj Srinivasan
+   Sun Microsystems, Inc.
+   ONC Technologies
+   2550 Garcia Avenue
+   M/S MTV-5-40
+   Mountain View, CA  94043
+   USA
+
+   Phone: 415-336-2478
+   Fax:   415-336-6015
+   EMail: raj@eng.sun.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Srinivasan                  Standards Track                    [Page 18]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc1964.txt b/crypto/heimdal/doc/standardisation/rfc1964.txt
new file mode 100644
index 0000000..f2960b9
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc1964.txt
@@ -0,0 +1,1123 @@
+
+
+
+
+
+
+Network Working Group                                            J. Linn
+Request for Comments: 1964                       OpenVision Technologies
+Category: Standards Track                                      June 1996
+
+
+                The Kerberos Version 5 GSS-API Mechanism
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+ABSTRACT
+
+   This specification defines protocols, procedures, and conventions to
+   be employed by peers implementing the Generic Security Service
+   Application Program Interface (as specified in RFCs 1508 and 1509)
+   when using Kerberos Version 5 technology (as specified in RFC 1510).
+
+ACKNOWLEDGMENTS
+
+   Much of the material in this memo is based on working documents
+   drafted by John Wray of Digital Equipment Corporation and on
+   discussions, implementation activities, and interoperability testing
+   involving Marc Horowitz, Ted Ts'o, and John Wray.  Particular thanks
+   are due to each of these individuals for their contributions towards
+   development and availability of GSS-API support within the Kerberos
+   Version 5 code base.
+
+1. Token Formats
+
+   This section discusses protocol-visible characteristics of the GSS-
+   API mechanism to be implemented atop Kerberos V5 security technology
+   per RFC-1508 and RFC-1510; it defines elements of protocol for
+   interoperability and is independent of language bindings per RFC-
+   1509.
+
+   Tokens transferred between GSS-API peers (for security context
+   management and per-message protection purposes) are defined.  The
+   data elements exchanged between a GSS-API endpoint implementation and
+   the Kerberos KDC are not specific to GSS-API usage and are therefore
+   defined within RFC-1510 rather than within this specification.
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 1]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   To support ongoing experimentation, testing, and evolution of the
+   specification, the Kerberos V5 GSS-API mechanism as defined in this
+   and any successor memos will be identified with the following Object
+   Identifier, as defined in RFC-1510, until the specification is
+   advanced to the level of Proposed Standard RFC:
+
+   {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)}
+
+   Upon advancement to the level of Proposed Standard RFC, the Kerberos
+   V5 GSS-API mechanism will be identified by an Object Identifier
+   having the value:
+
+   {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
+   gssapi(2) krb5(2)}
+
+1.1. Context Establishment Tokens
+
+   Per RFC-1508, Appendix B, the initial context establishment token
+   will be enclosed within framing as follows:
+
+   InitialContextToken ::=
+   [APPLICATION 0] IMPLICIT SEQUENCE {
+           thisMech        MechType
+                   -- MechType is OBJECT IDENTIFIER
+                   -- representing "Kerberos V5"
+           innerContextToken ANY DEFINED BY thisMech
+                   -- contents mechanism-specific;
+                   -- ASN.1 usage within innerContextToken
+                   -- is not required
+           }
+
+   The innerContextToken of the initial context token will consist of a
+   Kerberos V5 KRB_AP_REQ message, preceded by a two-byte token-id
+   (TOK_ID) field, which shall contain the value 01 00.
+
+   The above GSS-API framing shall be applied to all tokens emitted by
+   the Kerberos V5 GSS-API mechanism, including KRB_AP_REP, KRB_ERROR,
+   context-deletion, and per-message tokens, not just to the initial
+   token in a context establishment sequence.  While not required by
+   RFC-1508, this enables implementations to perform enhanced error-
+   checking. The innerContextToken field of context establishment tokens
+   for the Kerberos V5 GSS-API mechanism will contain a Kerberos message
+   (KRB_AP_REQ, KRB_AP_REP or KRB_ERROR), preceded by a 2-byte TOK_ID
+   field containing 01 00 for KRB_AP_REQ messages, 02 00 for KRB_AP_REP
+   messages and 03 00 for KRB_ERROR messages.
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 2]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+1.1.1. Initial Token
+
+   Relevant KRB_AP_REQ syntax (from RFC-1510) is as follows:
+
+   AP-REQ ::= [APPLICATION 14] SEQUENCE {
+           pvno [0]        INTEGER,        -- indicates Version 5
+           msg-type [1]    INTEGER,        -- indicates KRB_AP_REQ
+           ap-options[2]   APOptions,
+           ticket[3]       Ticket,
+           authenticator[4]        EncryptedData
+   }
+
+   APOptions ::= BIT STRING {
+           reserved (0),
+           use-session-key (1),
+           mutual-required (2)
+   }
+
+   Ticket ::= [APPLICATION 1] SEQUENCE {
+           tkt-vno [0]     INTEGER,        -- indicates Version 5
+           realm [1]       Realm,
+           sname [2]       PrincipalName,
+           enc-part [3]    EncryptedData
+   }
+
+   -- Encrypted part of ticket
+   EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+           flags[0]        TicketFlags,
+           key[1]          EncryptionKey,
+           crealm[2]       Realm,
+           cname[3]        PrincipalName,
+           transited[4]    TransitedEncoding,
+           authtime[5]     KerberosTime,
+           starttime[6]    KerberosTime OPTIONAL,
+           endtime[7]      KerberosTime,
+           renew-till[8]   KerberosTime OPTIONAL,
+           caddr[9]        HostAddresses OPTIONAL,
+           authorization-data[10]  AuthorizationData OPTIONAL
+   }
+
+   -- Unencrypted authenticator
+   Authenticator ::= [APPLICATION 2] SEQUENCE  {
+           authenticator-vno[0]    INTEGER,
+           crealm[1]               Realm,
+           cname[2]                PrincipalName,
+           cksum[3]                Checksum OPTIONAL,
+           cusec[4]                INTEGER,
+           ctime[5]                KerberosTime,
+
+
+
+Linn                        Standards Track                     [Page 3]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+           subkey[6]               EncryptionKey OPTIONAL,
+           seq-number[7]           INTEGER OPTIONAL,
+           authorization-data[8]   AuthorizationData OPTIONAL
+   }
+
+   For purposes of this specification, the authenticator shall include
+   the optional sequence number, and the checksum field shall be used to
+   convey channel binding, service flags, and optional delegation
+   information.  The checksum will have a type of 0x8003 (a value being
+   registered within the Kerberos protocol specification), and a value
+   field of at least 24 bytes in length.  The length of the value field
+   is extended beyond 24 bytes if and only if an optional facility to
+   carry a Kerberos-defined KRB_CRED message for delegation purposes is
+   supported by an implementation and active on a context. When
+   delegation is active, a TGT with its FORWARDABLE flag set will be
+   transferred within the KRB_CRED message.
+
+   The checksum value field's format is as follows:
+
+   Byte    Name    Description
+   0..3    Lgth    Number of bytes in Bnd field;
+                   Currently contains hex 10 00 00 00
+                   (16, represented in little-endian form)
+   4..19   Bnd     MD5 hash of channel bindings, taken over all non-null
+                   components of bindings, in order of declaration.
+                   Integer fields within channel bindings are represented
+                   in little-endian order for the purposes of the MD5
+                   calculation.
+   20..23  Flags   Bit vector of context-establishment flags,
+                   with values consistent with RFC-1509, p. 41:
+                           GSS_C_DELEG_FLAG:       1
+                           GSS_C_MUTUAL_FLAG:      2
+                           GSS_C_REPLAY_FLAG:      4
+                           GSS_C_SEQUENCE_FLAG:    8
+                           GSS_C_CONF_FLAG:        16
+                           GSS_C_INTEG_FLAG:       32
+                   The resulting bit vector is encoded into bytes 20..23
+                   in little-endian form.
+   24..25  DlgOpt  The Delegation Option identifier (=1) [optional]
+   26..27  Dlgth   The length of the Deleg field. [optional]
+   28..n   Deleg   A KRB_CRED message (n = Dlgth + 29) [optional]
+
+   In computing the contents of the "Bnd" field, the following detailed
+   points apply:
+
+        (1) Each integer field shall be formatted into four bytes, using
+        little-endian byte ordering, for purposes of MD5 hash
+        computation.
+
+
+
+Linn                        Standards Track                     [Page 4]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+        (2) All input length fields within gss_buffer_desc elements of a
+        gss_channel_bindings_struct, even those which are zero-valued,
+        shall be included in the hash calculation; the value elements of
+        gss_buffer_desc elements shall be dereferenced, and the
+        resulting data shall be included within the hash computation,
+        only for the case of gss_buffer_desc elements having non-zero
+        length specifiers.
+
+        (3) If the caller passes the value GSS_C_NO_BINDINGS instead of
+        a valid channel bindings structure, the Bnd field shall be set
+        to 16 zero-valued bytes.
+
+   In the initial Kerberos V5 GSS-API mechanism token (KRB_AP_REQ token)
+   from initiator to target, the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG,
+   GSS_C_REPLAY_FLAG, and GSS_C_SEQUENCE_FLAG values shall each be set
+   as the logical AND of the initiator's corresponding request flag to
+   GSS_Init_sec_context() and a Boolean indicator of whether that
+   optional service is available to GSS_Init_sec_context()'s caller.
+   GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG, for which no corresponding
+   context-level input indicator flags to GSS_Init_sec_context() exist,
+   shall each be set to indicate whether their respective per-message
+   protection services are available for use on the context being
+   established.
+
+   When input source address channel binding values are provided by a
+   caller (i.e., unless the input argument is GSS_C_NO_BINDINGS or the
+   source address specifier value within the input structure is
+   GSS_C_NULL_ADDRTYPE), and the corresponding token received from the
+   context's peer bears address restrictions, it is recommended that an
+   implementation of the Kerberos V5 GSS-API mechanism should check that
+   the source address as provided by the caller matches that in the
+   received token, and should return the GSS_S_BAD_BINDINGS major_status
+   value if a mismatch is detected. Note: discussion is ongoing about
+   the strength of recommendation to be made in this area, and on the
+   circumstances under which such a recommendation should be applicable;
+   implementors are therefore advised that changes on this matter may be
+   included in subsequent versions of this specification.
+
+1.1.2. Response Tokens
+
+   A context establishment sequence based on the Kerberos V5 mechanism
+   will perform one-way authentication (without confirmation or any
+   return token from target to initiator in response to the initiator's
+   KRB_AP_REQ) if the mutual_req bit is not set in the application's
+   call to GSS_Init_sec_context().  Applications requiring confirmation
+   that their authentication was successful should request mutual
+   authentication, resulting in a "mutual-required" indication within
+   KRB_AP_REQ APoptions and the setting of the mutual_req bit in the
+
+
+
+Linn                        Standards Track                     [Page 5]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   flags field of the authenticator checksum.  In response to such a
+   request, the context target will reply to the initiator with a token
+   containing either a KRB_AP_REP or KRB_ERROR, completing the mutual
+   context establishment exchange.
+
+   Relevant KRB_AP_REP syntax is as follows:
+
+   AP-REP ::= [APPLICATION 15] SEQUENCE {
+           pvno [0]        INTEGER,        -- represents Kerberos V5
+           msg-type [1]    INTEGER,        -- represents KRB_AP_REP
+           enc-part [2]    EncryptedData
+   }
+
+   EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+           ctime [0]       KerberosTime,
+           cusec [1]       INTEGER,
+           subkey [2]      EncryptionKey OPTIONAL,
+           seq-number [3]  INTEGER OPTIONAL
+   }
+
+   The optional seq-number element within the AP-REP's EncAPRepPart
+   shall be included.
+
+   The syntax of KRB_ERROR is as follows:
+
+   KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+           pvno[0]         INTEGER,
+           msg-type[1]     INTEGER,
+           ctime[2]        KerberosTime OPTIONAL,
+           cusec[3]        INTEGER OPTIONAL,
+           stime[4]        KerberosTime,
+           susec[5]        INTEGER,
+           error-code[6]   INTEGER,
+           crealm[7]       Realm OPTIONAL,
+           cname[8]        PrincipalName OPTIONAL,
+           realm[9]        Realm, -- Correct realm
+           sname[10]       PrincipalName, -- Correct name
+           e-text[11]      GeneralString OPTIONAL,
+           e-data[12]      OCTET STRING OPTIONAL
+   }
+
+   Values to be transferred in the error-code field of a KRB-ERROR
+   message are defined in [RFC-1510], not in this specification.
+
+
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 6]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+1.2. Per-Message and Context Deletion Tokens
+
+   Three classes of tokens are defined in this section: "MIC" tokens,
+   emitted by calls to GSS_GetMIC() (formerly GSS_Sign()) and consumed
+   by calls to GSS_VerifyMIC() (formerly GSS_Verify()), "Wrap" tokens,
+   emitted by calls to GSS_Wrap() (formerly GSS_Seal()) and consumed by
+   calls to GSS_Unwrap() (formerly GSS_Unseal()), and context deletion
+   tokens, emitted by calls to GSS_Delete_sec_context() and consumed by
+   calls to GSS_Process_context_token().  Note: References to GSS-API
+   per-message routines in the remainder of this specification will be
+   based on those routines' newer recommended names rather than those
+   names' predecessors.
+
+   Several variants of cryptographic keys are used in generation and
+   processing of per-message tokens:
+
+        (1) context key: uses Kerberos session key (or subkey, if
+        present in authenticator emitted by context initiator) directly
+
+        (2) confidentiality key: forms variant of context key by
+        exclusive-OR with the hexadecimal constant f0f0f0f0f0f0f0f0.
+
+        (3) MD2.5 seed key: forms variant of context key by reversing
+        the bytes of the context key (i.e. if the original key is the
+        8-byte sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the seed key
+        will be {hh, gg, ff, ee, dd, cc, bb, aa}).
+
+1.2.1. Per-message Tokens - MIC
+
+Use of the GSS_GetMIC() call yields a token, separate from the user
+data being protected, which can be used to verify the integrity of
+that data as received.  The token has the following format:
+
+   Byte no          Name           Description
+    0..1           TOK_ID          Identification field.
+                                   Tokens emitted by GSS_GetMIC() contain
+                                   the hex value 01 01 in this field.
+    2..3           SGN_ALG         Integrity algorithm indicator.
+                                   00 00 - DES MAC MD5
+                                   01 00 - MD2.5
+                                   02 00 - DES MAC
+    4..7           Filler          Contains ff ff ff ff
+    8..15          SND_SEQ         Sequence number field.
+    16..23         SGN_CKSUM       Checksum of "to-be-signed data",
+                                   calculated according to algorithm
+                                   specified in SGN_ALG field.
+
+
+
+
+
+Linn                        Standards Track                     [Page 7]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   GSS-API tokens must be encapsulated within the higher-level protocol
+   by the application; no embedded length field is necessary.
+
+1.2.1.1. Checksum
+
+   Checksum calculation procedure (common to all algorithms): Checksums
+   are calculated over the data field, logically prepended by the first
+   8 bytes of the plaintext packet header.  The resulting value binds
+   the data to the packet type and signature algorithm identifier
+   fields.
+
+   DES MAC MD5 algorithm: The checksum is formed by computing an MD5
+   [RFC-1321] hash over the plaintext data, and then computing a DES-CBC
+   MAC on the 16-byte MD5 result.  A standard 64-bit DES-CBC MAC is
+   computed per [FIPS-PUB-113], employing the context key and a zero IV.
+   The 8-byte result is stored in the SGN_CKSUM field.
+
+   MD2.5 algorithm: The checksum is formed by first DES-CBC encrypting a
+   16-byte zero-block, using a zero IV and a key formed by reversing the
+   bytes of the context key (i.e. if the original key is the 8-byte
+   sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the checksum key will be
+   {hh, gg, ff, ee, dd, cc, bb, aa}).   The resulting 16-byte value is
+   logically prepended to the to-be-signed data.  A standard MD5
+   checksum is calculated over the combined data, and the first 8 bytes
+   of the result are stored in the SGN_CKSUM field.  Note 1: we refer to
+   this algorithm informally as "MD2.5" to connote the fact that it uses
+   half of the 128 bits generated by MD5; use of only a subset of the
+   MD5 bits is intended to protect against the prospect that data could
+   be postfixed to an existing message with corresponding modifications
+   being made to the checksum.  Note 2: This algorithm is fairly novel
+   and has received more limited evaluation than that to which other
+   integrity algorithms have been subjected.  An initial, limited
+   evaluation indicates that it may be significantly weaker than DES MAC
+   MD5.
+
+   DES-MAC algorithm: A standard 64-bit DES-CBC MAC is computed on the
+   plaintext data per [FIPS-PUB-113], employing the context key and a
+   zero IV. Padding procedures to accomodate plaintext data lengths
+   which may not be integral multiples of 8 bytes are defined in [FIPS-
+   PUB-113].  The result is an 8-byte value, which is stored in the
+   SGN_CKSUM field.  Support for this algorithm may not be present in
+   all implementations.
+
+1.2.1.2. Sequence Number
+
+   Sequence number field: The 8 byte plaintext sequence number field is
+   formed from the sender's four-byte sequence number as follows.  If
+   the four bytes of the sender's sequence number are named s0, s1, s2
+
+
+
+Linn                        Standards Track                     [Page 8]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   and s3 (from least to most significant), the plaintext sequence
+   number field is the 8 byte sequence: (s0, s1, s2, s3, di, di, di,
+   di), where 'di' is the direction-indicator (Hex 0 - sender is the
+   context initiator, Hex FF - sender is the context acceptor).  The
+   field is then DES-CBC encrypted using the context key and an IV
+   formed from the first 8 bytes of the previously calculated SGN_CKSUM
+   field. After sending a GSS_GetMIC() or GSS_Wrap() token, the sender's
+   sequence number is incremented by one.
+
+   The receiver of the token will first verify the SGN_CKSUM field.  If
+   valid, the sequence number field may be decrypted and compared to the
+   expected sequence number.  The repetition of the (effectively 1-bit)
+   direction indicator within the sequence number field provides
+   redundancy so that the receiver may verify that the decryption
+   succeeded.
+
+   Since the checksum computation is used as an IV to the sequence
+   number decryption, attempts to splice a checksum and sequence number
+   from different messages will be detected.  The direction indicator
+   will detect packets that have been maliciously reflected.
+
+   The sequence number provides a basis for detection of replayed
+   tokens.  Replay detection can be performed using state information
+   retained on received sequence numbers, interpreted in conjunction
+   with the security context on which they arrive.
+
+   Provision of per-message replay and out-of-sequence detection
+   services is optional for implementations of the Kerberos V5 GSS-API
+   mechanism.  Further, it is recommended that implementations of the
+   Kerberos V5 GSS-API mechanism which offer these services should honor
+   a caller's request that the services be disabled on a context.
+   Specifically, if replay_det_req_flag is input FALSE, replay_det_state
+   should be returned FALSE and the GSS_DUPLICATE_TOKEN and
+   GSS_OLD_TOKEN stati should not be indicated as a result of duplicate
+   detection when tokens are processed; if sequence_req_flag is input
+   FALSE, sequence_state should be returned FALSE and
+   GSS_DUPLICATE_TOKEN, GSS_OLD_TOKEN, and GSS_UNSEQ_TOKEN stati should
+   not be indicated as a result of out-of-sequence detection when tokens
+   are processed.
+
+1.2.2. Per-message Tokens - Wrap
+
+   Use of the GSS_Wrap() call yields a token which encapsulates the
+   input user data (optionally encrypted) along with associated
+   integrity check quantities. The token emitted by GSS_Wrap() consists
+   of an integrity header whose format is identical to that emitted by
+   GSS_GetMIC() (except that the TOK_ID field contains the value 02 01),
+   followed by a body portion that contains either the plaintext data
+
+
+
+Linn                        Standards Track                     [Page 9]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   (if SEAL_ALG = ff ff) or encrypted data for any other supported value
+   of SEAL_ALG.  Currently, only SEAL_ALG = 00 00 is supported, and
+   means that DES-CBC encryption is being used to protect the data.
+
+   The GSS_Wrap() token has the following format:
+
+   Byte no          Name           Description
+    0..1           TOK_ID          Identification field.
+                                   Tokens emitted by GSS_Wrap() contain
+                                   the hex value 02 01 in this field.
+    2..3           SGN_ALG         Checksum algorithm indicator.
+                                   00 00 - DES MAC MD5
+                                   01 00 - MD2.5
+                                   02 00 - DES MAC
+    4..5           SEAL_ALG        ff ff - none
+                                   00 00 - DES
+    6..7           Filler          Contains ff ff
+    8..15          SND_SEQ         Encrypted sequence number field.
+    16..23         SGN_CKSUM       Checksum of plaintext padded data,
+                                   calculated according to algorithm
+                                   specified in SGN_ALG field.
+    24..last       Data            encrypted or plaintext padded data
+
+   GSS-API tokens must be encapsulated within the higher-level protocol
+   by the application; no embedded length field is necessary.
+
+1.2.2.1. Checksum
+
+   Checksum calculation procedure (common to all algorithms): Checksums
+   are calculated over the plaintext padded data field, logically
+   prepended by the first 8 bytes of the plaintext packet header.  The
+   resulting signature binds the data to the packet type, protocol
+   version, and signature algorithm identifier fields.
+
+   DES MAC MD5 algorithm: The checksum is formed by computing an MD5
+   hash over the plaintext padded data, and then computing a DES-CBC MAC
+   on the 16-byte MD5 result.  A standard 64-bit DES-CBC MAC is computed
+   per [FIPS-PUB-113], employing the context key and a zero IV. The 8-
+   byte result is stored in the SGN_CKSUM field.
+
+   MD2.5 algorithm: The checksum is formed by first DES-CBC encrypting a
+   16-byte zero-block, using a zero IV and a key formed by reversing the
+   bytes of the context key (i.e., if the original key is the 8-byte
+   sequence {aa, bb, cc, dd, ee, ff, gg, hh}, the checksum key will be
+   {hh, gg, ff, ee, dd, cc, bb, aa}). The resulting 16-byte value is
+   logically pre-pended to the "to-be-signed data".  A standard MD5
+   checksum is calculated over the combined data, and the first 8 bytes
+   of the result are stored in the SGN_CKSUM field.
+
+
+
+Linn                        Standards Track                    [Page 10]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   DES-MAC algorithm: A standard 64-bit DES-CBC MAC is computed on the
+   plaintext padded data per [FIPS-PUB-113], employing the context key
+   and a zero IV. The plaintext padded data is already assured to be an
+   integral multiple of 8 bytes; no additional padding is required or
+   applied in order to accomplish MAC calculation.  The result is an 8-
+   byte value, which is stored in the SGN_CKSUM field.  Support for this
+   lgorithm may not be present in all implementations.
+
+1.2.2.2. Sequence Number
+
+   Sequence number field: The 8 byte plaintext sequence number field is
+   formed from the sender's four-byte sequence number as follows.  If
+   the four bytes of the sender's sequence number are named s0, s1, s2
+   and s3 (from least to most significant), the plaintext sequence
+   number field is the 8 byte sequence: (s0, s1, s2, s3, di, di, di,
+   di), where 'di' is the direction-indicator (Hex 0 - sender is the
+   context initiator, Hex FF - sender is the context acceptor).
+
+   The field is then DES-CBC encrypted using the context key and an IV
+   formed from the first 8 bytes of the SEAL_CKSUM field.
+
+   After sending a GSS_GetMIC() or GSS_Wrap() token, the sender's
+   sequence numbers are incremented by one.
+
+1.2.2.3. Padding
+
+   Data padding: Before encryption and/or signature calculation,
+   plaintext data is padded to the next highest multiple of 8 bytes, by
+   appending between 1 and 8 bytes, the value of each such byte being
+   the total number of pad bytes.  For example, given data of length 20
+   bytes, four pad bytes will be appended, and each byte will contain
+   the hex value 04.  An 8-byte random confounder is prepended to the
+   data, and signatures are calculated over the resulting padded
+   plaintext.
+
+   After padding, the data is encrypted according to the algorithm
+   specified in the SEAL_ALG field.  For SEAL_ALG=DES (the only non-null
+   algorithm currently supported), the data is encrypted using DES-CBC,
+   with an IV of zero.  The key used is derived from the established
+   context key by XOR-ing the context key with the hexadecimal constant
+   f0f0f0f0f0f0f0f0.
+
+1.2.3. Context deletion token
+
+   The token emitted by GSS_Delete_sec_context() is based on the packet
+   format for tokens emitted by GSS_GetMIC().  The context-deletion
+   token has the following format:
+
+
+
+
+Linn                        Standards Track                    [Page 11]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   Byte no          Name           Description
+    0..1           TOK_ID          Identification field.
+                                   Tokens emitted by
+                                   GSS_Delete_sec_context() contain
+                                   the hex value 01 02 in this field.
+    2..3           SGN_ALG         Integrity algorithm indicator.
+                                   00 00 - DES MAC MD5
+                                   01 00 - MD2.5
+                                   02 00 - DES MAC
+    4..7           Filler          Contains ff ff ff ff
+    8..15          SND_SEQ         Sequence number field.
+    16..23         SGN_CKSUM       Checksum of "to-be-signed data",
+                                   calculated according to algorithm
+                                   specified in SGN_ALG field.
+
+   SGN_ALG and SND_SEQ will be calculated as for tokens emitted by
+   GSS_GetMIC().  The SGN_CKSUM will be calculated as for tokens emitted
+   by GSS_GetMIC(), except that the user-data component of the "to-be-
+   signed" data will be a zero-length string.
+
+2. Name Types and Object Identifiers
+
+   This section discusses the name types which may be passed as input to
+   the Kerberos V5 GSS-API mechanism's GSS_Import_name() call, and their
+   associated identifier values.  It defines interface elements in
+   support of portability, and assumes use of C language bindings per
+   RFC-1509.  In addition to specifying OID values for name type
+   identifiers, symbolic names are included and recommended to GSS-API
+   implementors in the interests of convenience to callers.  It is
+   understood that not all implementations of the Kerberos V5 GSS-API
+   mechanism need support all name types in this list, and that
+   additional name forms will likely be added to this list over time.
+   Further, the definitions of some or all name types may later migrate
+   to other, mechanism-independent, specifications. The occurrence of a
+   name type in this specification is specifically not intended to
+   suggest that the type may be supported only by an implementation of
+   the Kerberos V5 mechanism.   In particular, the occurrence of the
+   string "_KRB5_" in the symbolic name strings constitutes a means to
+   unambiguously register the name strings, avoiding collision with
+   other documents; it is not meant to limit the name types' usage or
+   applicability.
+
+   For purposes of clarification to GSS-API implementors, this section's
+   discussion of some name forms describes means through which those
+   forms can be supported with existing Kerberos technology.  These
+   discussions are not intended to preclude alternative implementation
+   strategies for support of the name forms within Kerberos mechanisms
+   or mechanisms based on other technologies.  To enhance application
+
+
+
+Linn                        Standards Track                    [Page 12]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   portability, implementors of mechanisms are encouraged to support
+   name forms as defined in this section, even if their mechanisms are
+   independent of Kerberos V5.
+
+2.1. Mandatory Name Forms
+
+   This section discusses name forms which are to be supported by all
+   conformant implementations of the Kerberos V5 GSS-API mechanism.
+
+2.1.1. Kerberos Principal Name Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
+   is "GSS_KRB5_NT_PRINCIPAL_NAME".
+
+   This name type corresponds to the single-string representation of a
+   Kerberos name.  (Within the MIT Kerberos V5 implementation, such
+   names are parseable with the krb5_parse_name() function.)  The
+   elements included within this name representation are as follows,
+   proceeding from the beginning of the string:
+
+        (1) One or more principal name components; if more than one
+        principal name component is included, the components are
+        separated by `/`.  Arbitrary octets may be included within
+        principal name components, with the following constraints and
+        special considerations:
+
+           (1a) Any occurrence of the characters `@` or `/` within a
+           name component must be immediately preceded by the `\`
+           quoting character, to prevent interpretation as a component
+           or realm separator.
+
+           (1b) The ASCII newline, tab, backspace, and null characters
+           may occur directly within the component or may be
+           represented, respectively, by `\n`, `\t`, `\b`, or `\0`.
+
+           (1c) If the `\` quoting character occurs outside the contexts
+           described in (1a) and (1b) above, the following character is
+           interpreted literally.  As a special case, this allows the
+           doubled representation `\\` to represent a single occurrence
+           of the quoting character.
+
+           (1d) An occurrence of the `\` quoting character as the last
+           character of a component is illegal.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 13]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+        (2) Optionally, a `@` character, signifying that a realm name
+        immediately follows. If no realm name element is included, the
+        local realm name is assumed.  The `/` , `:`, and null characters
+        may not occur within a realm name; the `@`, newline, tab, and
+        backspace characters may be included using the quoting
+        conventions described in (1a), (1b), and (1c) above.
+
+2.1.2. Host-Based Service Name Form
+
+   This name form has been incorporated at the mechanism-independent
+   GSS-API level as of GSS-API, Version 2.  This subsection retains the
+   Object Identifier and symbolic name assignments previously made at
+   the Kerberos V5 GSS-API mechanism level, and adopts the definition as
+   promoted to the mechanism-independent level.
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) service_name(4)}.  The previously recommended symbolic
+   name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME".  The
+   currently preferred symbolic name for this type is
+   "GSS_C_NT_HOSTBASED_SERVICE".
+
+   This name type is used to represent services associated with host
+   computers.  This name form is constructed using two elements,
+   "service" and "hostname", as follows:
+
+      service@hostname
+
+   When a reference to a name of this type is resolved, the "hostname"
+   is canonicalized by attempting a DNS lookup and using the fully-
+   qualified domain name which is returned, or by using the "hostname"
+   as provided if the DNS lookup fails.  The canonicalization operation
+   also maps the host's name into lower-case characters.
+
+   The "hostname" element may be omitted. If no "@" separator is
+   included, the entire name is interpreted as the service specifier,
+   with the "hostname" defaulted to the canonicalized name of the local
+   host.
+
+   Values for the "service" element will be registered with the IANA.
+
+2.1.3. Exported Name Object Form for Kerberos V5 Mechanism
+
+   Support for this name form is not required for GSS-V1
+   implementations, but will be required for use in conjunction with the
+   GSS_Export_name() call planned for GSS-API Version 2.  Use of this
+   name form will be signified by a "GSS-API Exported Name Object" OID
+   value which will be defined at the mechanism-independent level for
+
+
+
+Linn                        Standards Track                    [Page 14]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   GSS-API Version 2.
+
+   This name type represents a self-describing object, whose framing
+   structure will be defined at the mechanism-independent level for
+   GSS-API Version 2.  When generated by the Kerberos V5 mechanism, the
+   Mechanism OID within the exportable name shall be that of the
+   Kerberos V5 mechanism.  The name component within the exportable name
+   shall be a contiguous string with structure as defined for the
+   Kerberos Principal Name Form.
+
+   In order to achieve a distinguished encoding for comparison purposes,
+   the following additional constraints are imposed on the export
+   operation:
+
+        (1) all occurrences of the characters `@`,  `/`, and `\` within
+        principal components or realm names shall be quoted with an
+        immediately-preceding `\`.
+
+        (2) all occurrences of the null, backspace, tab, or newline
+        characters within principal components or realm names will be
+        represented, respectively, with `\0`, `\b`, `\t`, or `\n`.
+
+        (3) the `\` quoting character shall not be emitted within an
+        exported name except to accomodate cases (1) and (2).
+
+2.2. Optional Name Forms
+
+   This section discusses additional name forms which may optionally be
+   supported by implementations of the Kerberos V5 GSS-API mechanism.
+   It is recognized that some of the name forms cited here are derived
+   from UNIX(tm) operating system platforms; some listed forms may be
+   irrelevant to non-UNIX platforms, and definition of additional forms
+   corresponding to such platforms may also be appropriate.  It is also
+   recognized that OS-specific functions outside GSS-API are likely to
+   exist in order to perform translations among these forms, and that
+   GSS-API implementations supporting these forms may themselves be
+   layered atop such OS-specific functions.  Inclusion of this support
+   within GSS-API implementations is intended as a convenience to
+   applications.
+
+2.2.1. User Name Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) user_name(1)}.  The recommended symbolic name for this
+   type is "GSS_KRB5_NT_USER_NAME".
+
+   This name type is used to indicate a named user on a local system.
+
+
+
+Linn                        Standards Track                    [Page 15]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   Its interpretation is OS-specific.  This name form is constructed as:
+
+      username
+
+   Assuming that users' principal names are the same as their local
+   operating system names, an implementation of GSS_Import_name() based
+   on Kerberos V5 technology can process names of this form by
+   postfixing an "@" sign and the name of the local realm.
+
+2.2.2. Machine UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) machine_uid_name(2)}.  The recommended symbolic name for
+   this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
+
+   This name type is used to indicate a numeric user identifier
+   corresponding to a user on a local system.  Its interpretation is
+   OS-specific.  The gss_buffer_desc representing a name of this type
+   should contain a locally-significant uid_t, represented in host byte
+   order.  The GSS_Import_name() operation resolves this uid into a
+   username, which is then treated as the User Name Form.
+
+2.2.3. String UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) string_uid_name(3)}.  The recommended symbolic name for
+   this type is "GSS_KRB5_NT_STRING_UID_NAME".
+
+   This name type is used to indicate a string of digits representing
+   the numeric user identifier of a user on a local system.  Its
+   interpretation is OS-specific. This name type is similar to the
+   Machine UID Form, except that the buffer contains a string
+   representing the uid_t.
+
+3. Credentials Management
+
+   The Kerberos V5 protocol uses different credentials (in the GSSAPI
+   sense) for initiating and accepting security contexts.  Normal
+   clients receive a ticket-granting ticket (TGT) and an associated
+   session key at "login" time; the pair of a TGT and its corresponding
+   session key forms a credential which is suitable for initiating
+   security contexts.  A ticket-granting ticket, its session key, and
+   any other (ticket, key) pairs obtained through use of the ticket-
+   granting-ticket, are typically stored in a Kerberos V5 credentials
+   cache, sometimes known as a ticket file.
+
+
+
+
+Linn                        Standards Track                    [Page 16]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   The encryption key used by the Kerberos server to seal tickets for a
+   particular application service forms the credentials suitable for
+   accepting security contexts.  These service keys are typically stored
+   in a Kerberos V5 key table, or srvtab file.  In addition to their use
+   as accepting credentials, these service keys may also be used to
+   obtain initiating credentials for their service principal.
+
+   The Kerberos V5 mechanism's credential handle may contain references
+   to either or both types of credentials.  It is a local matter how the
+   Kerberos V5 mechanism implementation finds the appropriate Kerberos
+   V5 credentials cache or key table.
+
+   However, when the Kerberos V5 mechanism attempts to obtain initiating
+   credentials for a service principal which are not available in a
+   credentials cache, and the key for that service principal is
+   available in a Kerberos V5 key table, the mechanism should use the
+   service key to obtain initiating credentials for that service.  This
+   should be accomplished by requesting a ticket-granting-ticket from
+   the Kerberos Key Distribution Center (KDC), and decrypting the KDC's
+   reply using the service key.
+
+4. Parameter Definitions
+
+   This section defines parameter values used by the Kerberos V5 GSS-API
+   mechanism.  It defines interface elements in support of portability,
+   and assumes use of C language bindings per RFC-1509.
+
+4.1. Minor Status Codes
+
+   This section recommends common symbolic names for minor_status values
+   to be returned by the Kerberos V5 GSS-API mechanism.  Use of these
+   definitions will enable independent implementors to enhance
+   application portability across different implementations of the
+   mechanism defined in this specification.  (In all cases,
+   implementations of GSS_Display_status() will enable callers to
+   convert minor_status indicators to text representations.) Each
+   implementation should make available, through include files or other
+   means, a facility to translate these symbolic names into the concrete
+   values which a particular GSS-API implementation uses to represent
+   the minor_status values specified in this section.
+
+   It is recognized that this list may grow over time, and that the need
+   for additional minor_status codes specific to particular
+   implementations may arise.  It is recommended, however, that
+   implementations should return a minor_status value as defined on a
+   mechanism-wide basis within this section when that code is accurately
+   representative of reportable status rather than using a separate,
+   implementation-defined code.
+
+
+
+Linn                        Standards Track                    [Page 17]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+4.1.1. Non-Kerberos-specific codes
+
+   GSS_KRB5_S_G_BAD_SERVICE_NAME
+           /* "No @ in SERVICE-NAME name string" */
+   GSS_KRB5_S_G_BAD_STRING_UID
+           /* "STRING-UID-NAME contains nondigits" */
+   GSS_KRB5_S_G_NOUSER
+           /* "UID does not resolve to username" */
+   GSS_KRB5_S_G_VALIDATE_FAILED
+           /* "Validation error" */
+   GSS_KRB5_S_G_BUFFER_ALLOC
+           /* "Couldn't allocate gss_buffer_t data" */
+   GSS_KRB5_S_G_BAD_MSG_CTX
+           /* "Message context invalid" */
+   GSS_KRB5_S_G_WRONG_SIZE
+           /* "Buffer is the wrong size" */
+   GSS_KRB5_S_G_BAD_USAGE
+           /* "Credential usage type is unknown" */
+   GSS_KRB5_S_G_UNKNOWN_QOP
+           /* "Unknown quality of protection specified" */
+
+4.1.2. Kerberos-specific-codes
+
+   GSS_KRB5_S_KG_CCACHE_NOMATCH
+           /* "Principal in credential cache does not match desired name" */
+   GSS_KRB5_S_KG_KEYTAB_NOMATCH
+           /* "No principal in keytab matches desired name" */
+   GSS_KRB5_S_KG_TGT_MISSING
+           /* "Credential cache has no TGT" */
+   GSS_KRB5_S_KG_NO_SUBKEY
+           /* "Authenticator has no subkey" */
+   GSS_KRB5_S_KG_CONTEXT_ESTABLISHED
+           /* "Context is already fully established" */
+   GSS_KRB5_S_KG_BAD_SIGN_TYPE
+           /* "Unknown signature type in token" */
+   GSS_KRB5_S_KG_BAD_LENGTH
+           /* "Invalid field length in token" */
+   GSS_KRB5_S_KG_CTX_INCOMPLETE
+           /* "Attempt to use incomplete security context" */
+
+4.2. Quality of Protection Values
+
+   This section defines Quality of Protection (QOP) values to be used
+   with the Kerberos V5 GSS-API mechanism as input to GSS_Wrap() and
+   GSS_GetMIC() routines in order to select among alternate integrity
+   and confidentiality algorithms. Additional QOP values may be added in
+   future versions of this specification.  Non-overlapping bit positions
+   are and will be employed in order that both integrity and
+
+
+
+Linn                        Standards Track                    [Page 18]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+   confidentiality QOP may be selected within a single parameter, via
+   inclusive-OR of the specified integrity and confidentiality values.
+
+4.2.1. Integrity Algorithms
+
+   The following Quality of Protection (QOP) values are currently
+   defined for the Kerberos V5 GSS-API mechanism, and are used to select
+   among alternate integrity checking algorithms.
+
+   GSS_KRB5_INTEG_C_QOP_MD5        (numeric value: 1)
+           /* Integrity using partial MD5 ("MD2.5") of plaintext */
+
+   GSS_KRB5_INTEG_C_QOP_DES_MD5    (numeric value: 2)
+           /* Integrity using DES MAC of MD5 of plaintext */
+
+   GSS_KRB5_INTEG_C_QOP_DES_MAC    (numeric value: 3)
+           /* Integrity using DES MAC of plaintext */
+
+4.2.2. Confidentiality Algorithms
+
+   Only one confidentiality QOP value is currently defined for the
+   Kerberos V5 GSS-API mechanism:
+
+   GSS_KRB5_CONF_C_QOP_DES         (numeric value: 0)
+           /* Confidentiality with DES */
+
+   Note: confidentiality QOP should be indicated only by GSS-API calls
+   capable of providing confidentiality services. If non-zero
+   confidentiality QOP values are defined in future to represent
+   different algorithms, therefore, the bit positions containing those
+   values should be cleared before being returned by implementations of
+   GSS_GetMIC() and GSS_VerifyMIC().
+
+4.3. Buffer Sizes
+
+   All implementations of this specification shall be capable of
+   accepting buffers of at least 16 Kbytes as input to GSS_GetMIC(),
+   GSS_VerifyMIC(), and GSS_Wrap(), and shall be capable of accepting
+   the output_token generated by GSS_Wrap() for a 16 Kbyte input buffer
+   as input to GSS_Unwrap(). Support for larger buffer sizes is optional
+   but recommended.
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 19]
+
+RFC 1964               Kerberos Version 5 GSS-API              June 1996
+
+
+5. Security Considerations
+
+   Security issues are discussed throughout this memo.
+
+6. References
+
+
+   [RFC-1321]: Rivest, R., "The MD5 Message-Digest Algorithm", RFC
+   1321, April 1992.
+
+   [RFC-1508]: Linn, J., "Generic Security Service Application Program
+   Interface", RFC 1508, September 1993.
+
+   [RFC-1509]: Wray, J., "Generic Security Service Application Program
+   Interface: C-bindings", RFC 1509, September 1993.
+
+   [RFC-1510]: Kohl, J., and C. Neuman, "The Kerberos Network
+   Authentication Service (V5)", RFC 1510, September 1993.
+
+   [FIPS-PUB-113]: National Bureau of Standards, Federal Information
+   Processing Standard 113, "Computer Data Authentication", May 1985.
+
+AUTHOR'S ADDRESS
+
+   John Linn
+   OpenVision Technologies
+   One Main St.
+   Cambridge, MA  02142  USA
+
+   Phone: +1 617.374.2245
+   EMail: John.Linn@ov.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 20]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc2078.txt b/crypto/heimdal/doc/standardisation/rfc2078.txt
new file mode 100644
index 0000000..1dd1e4a
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc2078.txt
@@ -0,0 +1,4763 @@
+
+
+
+
+
+
+Network Working Group                                           J. Linn
+Request for Comments: 2078                      OpenVision Technologies
+Category: Standards Track                                  January 1997
+Obsoletes: 1508
+
+
+   Generic Security Service Application Program Interface, Version 2
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   The Generic Security Service Application Program Interface (GSS-API),
+   as defined in RFC-1508, provides security services to callers in a
+   generic fashion, supportable with a range of underlying mechanisms
+   and technologies and hence allowing source-level portability of
+   applications to different environments. This specification defines
+   GSS-API services and primitives at a level independent of underlying
+   mechanism and programming language environment, and is to be
+   complemented by other, related specifications:
+
+      documents defining specific parameter bindings for particular
+      language environments
+
+      documents defining token formats, protocols, and procedures to be
+      implemented in order to realize GSS-API services atop particular
+      security mechanisms
+
+   This memo revises RFC-1508, making specific, incremental changes in
+   response to implementation experience and liaison requests. It is
+   intended, therefore, that this memo or a successor version thereto
+   will become the basis for subsequent progression of the GSS-API
+   specification on the standards track.
+
+Table of Contents
+
+   1: GSS-API Characteristics and Concepts..........................  3
+   1.1: GSS-API Constructs..........................................  6
+   1.1.1:  Credentials..............................................  6
+   1.1.1.1: Credential Constructs and Concepts......................  6
+   1.1.1.2: Credential Management...................................  7
+   1.1.1.3: Default Credential Resolution...........................  8
+
+
+
+Linn                        Standards Track                     [Page 1]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   1.1.2: Tokens....................................................  9
+   1.1.3:  Security Contexts........................................ 10
+   1.1.4:  Mechanism Types.......................................... 11
+   1.1.5:  Naming................................................... 12
+   1.1.6:  Channel Bindings......................................... 14
+   1.2:  GSS-API Features and Issues................................ 15
+   1.2.1:  Status Reporting......................................... 15
+   1.2.2: Per-Message Security Service Availability................. 17
+   1.2.3: Per-Message Replay Detection and Sequencing............... 18
+   1.2.4:  Quality of Protection.................................... 20
+   1.2.5: Anonymity Support......................................... 21
+   1.2.6: Initialization............................................ 22
+   1.2.7: Per-Message Protection During Context Establishment....... 22
+   1.2.8: Implementation Robustness................................. 23
+   2:  Interface Descriptions....................................... 23
+   2.1:  Credential management calls................................ 25
+   2.1.1:  GSS_Acquire_cred call.................................... 26
+   2.1.2:  GSS_Release_cred call.................................... 28
+   2.1.3:  GSS_Inquire_cred call.................................... 29
+   2.1.4:  GSS_Add_cred call........................................ 31
+   2.1.5:  GSS_Inquire_cred_by_mech call............................ 33
+   2.2:  Context-level calls........................................ 34
+   2.2.1:  GSS_Init_sec_context call................................ 34
+   2.2.2:  GSS_Accept_sec_context call.............................. 40
+   2.2.3:  GSS_Delete_sec_context call.............................. 44
+   2.2.4:  GSS_Process_context_token call........................... 46
+   2.2.5:  GSS_Context_time call.................................... 47
+   2.2.6:  GSS_Inquire_context call................................. 47
+   2.2.7:  GSS_Wrap_size_limit call................................. 49
+   2.2.8:  GSS_Export_sec_context call.............................. 50
+   2.2.9:  GSS_Import_sec_context call.............................. 52
+   2.3:  Per-message calls.......................................... 53
+   2.3.1:  GSS_GetMIC call.......................................... 54
+   2.3.2:  GSS_VerifyMIC call....................................... 55
+   2.3.3:  GSS_Wrap call............................................ 56
+   2.3.4:  GSS_Unwrap call.......................................... 58
+   2.4:  Support calls.............................................. 59
+   2.4.1:  GSS_Display_status call.................................. 60
+   2.4.2:  GSS_Indicate_mechs call.................................. 60
+   2.4.3:  GSS_Compare_name call.................................... 61
+   2.4.4:  GSS_Display_name call.................................... 62
+   2.4.5:  GSS_Import_name call..................................... 63
+   2.4.6:  GSS_Release_name call.................................... 64
+   2.4.7:  GSS_Release_buffer call.................................. 65
+   2.4.8:  GSS_Release_OID_set call................................. 65
+   2.4.9:  GSS_Create_empty_OID_set call............................ 66
+   2.4.10: GSS_Add_OID_set_member call.............................. 67
+   2.4.11: GSS_Test_OID_set_member call............................. 67
+
+
+
+Linn                        Standards Track                     [Page 2]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   2.4.12: GSS_Release_OID call..................................... 68
+   2.4.13: GSS_OID_to_str call...................................... 68
+   2.4.14: GSS_Str_to_OID call...................................... 69
+   2.4.15: GSS_Inquire_names_for_mech call.......................... 69
+   2.4.16: GSS_Inquire_mechs_for_name call.......................... 70
+   2.4.17: GSS_Canonicalize_name call............................... 71
+   2.4.18: GSS_Export_name call..................................... 72
+   2.4.19: GSS_Duplicate_name call.................................. 73
+   3: Data Structure Definitions for GSS-V2 Usage................... 73
+   3.1: Mechanism-Independent Token Format.......................... 74
+   3.2: Mechanism-Independent Exported Name Object Format........... 77
+   4: Name Type Definitions......................................... 77
+   4.1: Host-Based Service Name Form................................ 77
+   4.2: User Name Form.............................................. 78
+   4.3: Machine UID Form............................................ 78
+   4.4: String UID Form............................................. 79
+   5:  Mechanism-Specific Example Scenarios......................... 79
+   5.1: Kerberos V5, single-TGT..................................... 79
+   5.2: Kerberos V5, double-TGT..................................... 80
+   5.3:  X.509 Authentication Framework............................. 81
+   6:  Security Considerations...................................... 82
+   7:  Related Activities........................................... 82
+   Appendix A: Mechanism Design Constraints......................... 83
+   Appendix B: Compatibility with GSS-V1............................ 83
+
+1: GSS-API Characteristics and Concepts
+
+   GSS-API operates in the following paradigm.  A typical GSS-API caller
+   is itself a communications protocol, calling on GSS-API in order to
+   protect its communications with authentication, integrity, and/or
+   confidentiality security services.  A GSS-API caller accepts tokens
+   provided to it by its local GSS-API implementation and transfers the
+   tokens to a peer on a remote system; that peer passes the received
+   tokens to its local GSS-API implementation for processing. The
+   security services available through GSS-API in this fashion are
+   implementable (and have been implemented) over a range of underlying
+   mechanisms based on secret-key and public-key cryptographic
+   technologies.
+
+   The GSS-API separates the operations of initializing a security
+   context between peers, achieving peer entity authentication (This
+   security service definition, and other definitions used in this
+   document, corresponds to that provided in International Standard ISO
+   7498-2-1988(E), Security Architecture.) (GSS_Init_sec_context()  and
+   GSS_Accept_sec_context() calls), from the operations of providing
+   per-message data origin authentication and data integrity protection
+   (GSS_GetMIC()  and GSS_VerifyMIC()  calls) for messages subsequently
+   transferred in conjunction with that context.  When establishing a
+
+
+
+Linn                        Standards Track                     [Page 3]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   security context, the GSS-API enables a context initiator to
+   optionally permit its credentials to be delegated, meaning that the
+   context acceptor may initiate further security contexts on behalf of
+   the initiating caller. Per-message GSS_Wrap()  and GSS_Unwrap() calls
+   provide the data origin authentication and data integrity services
+   which GSS_GetMIC()  and GSS_VerifyMIC() offer, and also support
+   selection of confidentiality services as a caller option.  Additional
+   calls provide supportive functions to the GSS-API's users.
+
+   The following paragraphs provide an example illustrating the
+   dataflows involved in use of the GSS-API by a client and server in a
+   mechanism-independent fashion, establishing a security context and
+   transferring a protected message. The example assumes that credential
+   acquisition has already been completed.  The example assumes that the
+   underlying authentication technology is capable of authenticating a
+   client to a server using elements carried within a single token, and
+   of authenticating the server to the client (mutual authentication)
+   with a single returned token; this assumption holds for presently-
+   documented CAT mechanisms but is not necessarily true for other
+   cryptographic technologies and associated protocols.
+
+   The client calls GSS_Init_sec_context()  to establish a security
+   context to the server identified by targ_name, and elects to set the
+   mutual_req_flag so that mutual authentication is performed in the
+   course of context establishment. GSS_Init_sec_context()  returns an
+   output_token to be passed to the server, and indicates
+   GSS_S_CONTINUE_NEEDED status pending completion of the mutual
+   authentication sequence. Had mutual_req_flag not been set, the
+   initial call to GSS_Init_sec_context()  would have returned
+   GSS_S_COMPLETE status. The client sends the output_token to the
+   server.
+
+   The server passes the received token as the input_token parameter to
+   GSS_Accept_sec_context().  GSS_Accept_sec_context indicates
+   GSS_S_COMPLETE status, provides the client's authenticated identity
+   in the src_name result, and provides an output_token to be passed to
+   the client. The server sends the output_token to the client.
+
+   The client passes the received token as the input_token parameter to
+   a successor call to GSS_Init_sec_context(),  which processes data
+   included in the token in order to achieve mutual authentication from
+   the client's viewpoint. This call to GSS_Init_sec_context()  returns
+   GSS_S_COMPLETE status, indicating successful mutual authentication
+   and the completion of context establishment for this example.
+
+   The client generates a data message and passes it to GSS_Wrap().
+   GSS_Wrap() performs data origin authentication, data integrity, and
+   (optionally) confidentiality processing on the message and
+
+
+
+Linn                        Standards Track                     [Page 4]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   encapsulates the result into output_message, indicating
+   GSS_S_COMPLETE status. The client sends the output_message to the
+   server.
+
+   The server passes the received message to GSS_Unwrap().  GSS_Unwrap()
+   inverts the encapsulation performed by GSS_Wrap(),  deciphers the
+   message if the optional confidentiality feature was applied, and
+   validates the data origin authentication and data integrity checking
+   quantities. GSS_Unwrap()  indicates successful validation by
+   returning GSS_S_COMPLETE status along with the resultant
+   output_message.
+
+   For purposes of this example, we assume that the server knows by
+   out-of-band means that this context will have no further use after
+   one protected message is transferred from client to server. Given
+   this premise, the server now calls GSS_Delete_sec_context() to flush
+   context-level information.  Optionally, the server-side application
+   may provide a token buffer to GSS_Delete_sec_context(), to receive a
+   context_token to be transferred to the client in order to request
+   that client-side context-level information be deleted.
+
+   If a context_token is transferred, the client passes the
+   context_token to GSS_Process_context_token(), which returns
+   GSS_S_COMPLETE status after deleting context-level information at the
+   client system.
+
+   The GSS-API design assumes and addresses several basic goals,
+   including:
+
+      Mechanism independence: The GSS-API defines an interface to
+      cryptographically implemented strong authentication and other
+      security services at a generic level which is independent of
+      particular underlying mechanisms. For example, GSS-API-provided
+      services can be implemented by secret-key technologies (e.g.,
+      Kerberos) or public-key approaches (e.g., X.509).
+
+      Protocol environment independence: The GSS-API is independent of
+      the communications protocol suites with which it is employed,
+      permitting use in a broad range of protocol environments. In
+      appropriate environments, an intermediate implementation "veneer"
+      which is oriented to a particular communication protocol (e.g.,
+      Remote Procedure Call (RPC)) may be interposed between
+      applications which call that protocol and the GSS-API, thereby
+      invoking GSS-API facilities in conjunction with that protocol's
+      communications invocations.
+
+      Protocol association independence: The GSS-API's security context
+      construct is independent of communications protocol association
+
+
+
+Linn                        Standards Track                     [Page 5]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      constructs. This characteristic allows a single GSS-API
+      implementation to be utilized by a variety of invoking protocol
+      modules on behalf of those modules' calling applications. GSS-API
+      services can also be invoked directly by applications, wholly
+      independent of protocol associations.
+
+      Suitability to a range of implementation placements: GSS-API
+      clients are not constrained to reside within any Trusted Computing
+      Base (TCB) perimeter defined on a system where the GSS-API is
+      implemented; security services are specified in a manner suitable
+      to both intra-TCB and extra-TCB callers.
+
+1.1: GSS-API Constructs
+
+   This section describes the basic elements comprising the GSS-API.
+
+1.1.1:  Credentials
+
+1.1.1.1: Credential Constructs and Concepts
+
+   Credentials provide the prerequisites which permit GSS-API peers to
+   establish security contexts with each other. A caller may designate
+   that the credential elements which are to be applied for context
+   initiation or acceptance be selected by default.  Alternately, those
+   GSS-API callers which need to make explicit selection of particular
+   credentials structures may make references to those credentials
+   through GSS-API-provided credential handles ("cred_handles").  In all
+   cases, callers' credential references are indirect, mediated by GSS-
+   API implementations and not requiring callers to access the selected
+   credential elements.
+
+   A single credential structure may be used to initiate outbound
+   contexts and to accept inbound contexts. Callers needing to operate
+   in only one of these modes may designate this fact when credentials
+   are acquired for use, allowing underlying mechanisms to optimize
+   their processing and storage requirements. The credential elements
+   defined by a particular mechanism may contain multiple cryptographic
+   keys, e.g., to enable authentication and message encryption to be
+   performed with different algorithms.
+
+   A GSS-API credential structure may contain multiple credential
+   elements, each containing mechanism-specific information for a
+   particular underlying mechanism (mech_type), but the set of elements
+   within a given credential structure represent a common entity.  A
+   credential structure's contents will vary depending on the set of
+   mech_types supported by a particular GSS-API implementation. Each
+   credential element identifies the data needed by its mechanism in
+   order to establish contexts on behalf of a particular principal, and
+
+
+
+Linn                        Standards Track                     [Page 6]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   may contain separate credential references for use in context
+   initiation and context acceptance.  Multiple credential elements
+   within a given credential having overlapping combinations of
+   mechanism, usage mode, and validity period are not permitted.
+
+   Commonly, a single mech_type will be used for all security contexts
+   established by a particular initiator to a particular target. A major
+   motivation for supporting credential sets representing multiple
+   mech_types is to allow initiators on systems which are equipped to
+   handle multiple types to initiate contexts to targets on other
+   systems which can accommodate only a subset of the set supported at
+   the initiator's system.
+
+1.1.1.2: Credential Management
+
+   It is the responsibility of underlying system-specific mechanisms and
+   OS functions below the GSS-API to ensure that the ability to acquire
+   and use credentials associated with a given identity is constrained
+   to appropriate processes within a system. This responsibility should
+   be taken seriously by implementors, as the ability for an entity to
+   utilize a principal's credentials is equivalent to the entity's
+   ability to successfully assert that principal's identity.
+
+   Once a set of GSS-API credentials is established, the transferability
+   of that credentials set to other processes or analogous constructs
+   within a system is a local matter, not defined by the GSS-API. An
+   example local policy would be one in which any credentials received
+   as a result of login to a given user account, or of delegation of
+   rights to that account, are accessible by, or transferable to,
+   processes running under that account.
+
+   The credential establishment process (particularly when performed on
+   behalf of users rather than server processes) is likely to require
+   access to passwords or other quantities which should be protected
+   locally and exposed for the shortest time possible. As a result, it
+   will often be appropriate for preliminary credential establishment to
+   be performed through local means at user login time, with the
+   result(s) cached for subsequent reference. These preliminary
+   credentials would be set aside (in a system-specific fashion) for
+   subsequent use, either:
+
+      to be accessed by an invocation of the GSS-API GSS_Acquire_cred()
+      call, returning an explicit handle to reference that credential
+
+      to comprise default credential elements to be installed, and to be
+      used when default credential behavior is requested on behalf of a
+      process
+
+
+
+
+Linn                        Standards Track                     [Page 7]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+1.1.1.3: Default Credential Resolution
+
+   The gss_init_sec_context and gss_accept_sec_context routines allow
+   the value GSS_C_NO_CREDENTIAL to be specified as their credential
+   handle parameter.  This special credential-handle indicates a desire
+   by the application to act as a default principal.  While individual
+   GSS-API implementations are free to determine such default behavior
+   as appropriate to the mechanism, the following default behavior by
+   these routines is recommended for portability:
+
+   GSS_Init_sec_context:
+
+      (i) If there is only a single principal capable of initiating
+      security contexts that the application is authorized to act on
+      behalf of, then that principal shall be used, otherwise
+
+      (ii) If the platform maintains a concept of a default network-
+      identity, and if the application is authorized to act on behalf of
+      that identity for the purpose of initiating security contexts,
+      then the principal corresponding to that identity shall be used,
+      otherwise
+
+      (iii) If the platform maintains a concept of a default local
+      identity, and provides a means to map local identities into
+      network-identities, and if the application is authorized to act on
+      behalf of the network-identity image of the default local identity
+      for the purpose of initiating security contexts, then the
+      principal corresponding to that identity shall be used, otherwise
+
+      (iv) A user-configurable default identity should be used.
+
+   GSS_Accept_sec_context:
+
+      (i) If there is only a single authorized principal identity
+      capable of accepting security contexts, then that principal shall
+      be used, otherwise
+
+      (ii) If the mechanism can determine the identity of the target
+      principal by examining the context-establishment token, and if the
+      accepting application is authorized to act as that principal for
+      the purpose of accepting security contexts, then that principal
+      identity shall be used, otherwise
+
+      (iii) If the mechanism supports context acceptance by any
+      principal, and mutual authentication was not requested, any
+      principal that the application is authorized to accept security
+      contexts under may be used, otherwise
+
+
+
+
+Linn                        Standards Track                     [Page 8]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      (iv) A user-configurable default identity shall be used.
+
+   The purpose of the above rules is to allow security contexts to be
+   established by both initiator and acceptor using the default behavior
+   wherever possible.  Applications requesting default behavior are
+   likely to be more portable across mechanisms and platforms than ones
+   that use GSS_Acquire_cred to request a specific identity.
+
+1.1.2: Tokens
+
+   Tokens are data elements transferred between GSS-API callers, and are
+   divided into two classes. Context-level tokens are exchanged in order
+   to establish and manage a security context between peers. Per-message
+   tokens relate to an established context and are exchanged to provide
+   protective security services (i.e., data origin authentication,
+   integrity, and optional confidentiality) for corresponding data
+   messages.
+
+   The first context-level token obtained from GSS_Init_sec_context() is
+   required to indicate at its very beginning a globally-interpretable
+   mechanism identifier, i.e., an Object Identifier (OID) of the
+   security mechanism. The remaining part of this token as well as the
+   whole content of all other tokens are specific to the particular
+   underlying mechanism used to support the GSS-API. Section 3 of this
+   document provides, for designers of GSS-API support mechanisms, the
+   description of the header of the first context-level token which is
+   then followed by mechanism-specific information.
+
+   Tokens' contents are opaque from the viewpoint of GSS-API callers.
+   They are generated within the GSS-API implementation at an end
+   system, provided to a GSS-API caller to be transferred to the peer
+   GSS-API caller at a remote end system, and processed by the GSS-API
+   implementation at that remote end system. Tokens may be output by
+   GSS-API calls (and should be transferred to GSS-API peers) whether or
+   not the calls' status indicators indicate successful completion.
+   Token transfer may take place in an in-band manner, integrated into
+   the same protocol stream used by the GSS-API callers for other data
+   transfers, or in an out-of-band manner across a logically separate
+   channel.
+
+   Different GSS-API tokens are used for different purposes (e.g.,
+   context initiation, context acceptance, protected message data on an
+   established context), and it is the responsibility of a GSS-API
+   caller receiving tokens to distinguish their types, associate them
+   with corresponding security contexts, and pass them to appropriate
+   GSS-API processing routines.  Depending on the caller protocol
+   environment, this distinction may be accomplished in several ways.
+
+
+
+
+Linn                        Standards Track                     [Page 9]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   The following examples illustrate means through which tokens' types
+   may be distinguished:
+
+      - implicit tagging based on state information (e.g., all tokens on
+      a new association are considered to be context establishment
+      tokens until context establishment is completed, at which point
+      all tokens are considered to be wrapped data objects for that
+      context),
+
+      - explicit tagging at the caller protocol level,
+
+      - a hybrid of these approaches.
+
+   Commonly, the encapsulated data within a token includes internal
+   mechanism-specific tagging information, enabling mechanism-level
+   processing modules to distinguish tokens used within the mechanism
+   for different purposes.  Such internal mechanism-level tagging is
+   recommended to mechanism designers, and enables mechanisms to
+   determine whether a caller has passed a particular token for
+   processing by an inappropriate GSS-API routine.
+
+   Development of GSS-API support primitives based on a particular
+   underlying cryptographic technique and protocol (i.e., conformant to
+   a specific GSS-API mechanism definition) does not necessarily imply
+   that GSS-API callers using that GSS-API mechanism will be able to
+   interoperate with peers invoking the same technique and protocol
+   outside the GSS-API paradigm, or with peers implementing a different
+   GSS-API mechanism based on the same underlying technology.  The
+   format of GSS-API tokens defined in conjunction with a particular
+   mechanism, and the techniques used to integrate those tokens into
+   callers' protocols, may not be interoperable with the tokens used by
+   non-GSS-API callers of the same underlying technique.
+
+1.1.3:  Security Contexts
+
+   Security contexts are established between peers, using credentials
+   established locally in conjunction with each peer or received by
+   peers via delegation. Multiple contexts may exist simultaneously
+   between a pair of peers, using the same or different sets of
+   credentials. Coexistence of multiple contexts using different
+   credentials allows graceful rollover when credentials expire.
+   Distinction among multiple contexts based on the same credentials
+   serves applications by distinguishing different message streams in a
+   security sense.
+
+   The GSS-API is independent of underlying protocols and addressing
+   structure, and depends on its callers to transport GSS-API-provided
+   data elements. As a result of these factors, it is a caller
+
+
+
+Linn                        Standards Track                    [Page 10]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   responsibility to parse communicated messages, separating GSS-API-
+   related data elements from caller-provided data.  The GSS-API is
+   independent of connection vs. connectionless orientation of the
+   underlying communications service.
+
+   No correlation between security context and communications protocol
+   association is dictated. (The optional channel binding facility,
+   discussed in Section 1.1.6 of this document, represents an
+   intentional exception to this rule, supporting additional protection
+   features within GSS-API supporting mechanisms.) This separation
+   allows the GSS-API to be used in a wide range of communications
+   environments, and also simplifies the calling sequences of the
+   individual calls. In many cases (depending on underlying security
+   protocol, associated mechanism, and availability of cached
+   information), the state information required for context setup can be
+   sent concurrently with initial signed user data, without interposing
+   additional message exchanges.
+
+1.1.4:  Mechanism Types
+
+   In order to successfully establish a security context with a target
+   peer, it is necessary to identify an appropriate underlying mechanism
+   type (mech_type) which both initiator and target peers support. The
+   definition of a mechanism embodies not only the use of a particular
+   cryptographic technology (or a hybrid or choice among alternative
+   cryptographic technologies), but also definition of the syntax and
+   semantics of data element exchanges which that mechanism will employ
+   in order to support security services.
+
+   It is recommended that callers initiating contexts specify the
+   "default" mech_type value, allowing system-specific functions within
+   or invoked by the GSS-API implementation to select the appropriate
+   mech_type, but callers may direct that a particular mech_type be
+   employed when necessary.
+
+   The means for identifying a shared mech_type to establish a security
+   context with a peer will vary in different environments and
+   circumstances; examples include (but are not limited to):
+
+      use of a fixed mech_type, defined by configuration, within an
+      environment
+
+      syntactic convention on a target-specific basis, through
+      examination of a target's name
+
+      lookup of a target's name in a naming service or other database in
+      order to identify mech_types supported by that target
+
+
+
+
+Linn                        Standards Track                    [Page 11]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      explicit negotiation between GSS-API callers in advance of
+      security context setup
+
+   When transferred between GSS-API peers, mech_type specifiers (per
+   Section 3, represented as Object Identifiers (OIDs)) serve to qualify
+   the interpretation of associated tokens. (The structure and encoding
+   of Object Identifiers is defined in ISO/IEC 8824, "Specification of
+   Abstract Syntax Notation One (ASN.1)" and in ISO/IEC 8825,
+   "Specification of Basic Encoding Rules for Abstract Syntax Notation
+   One (ASN.1)".) Use of hierarchically structured OIDs serves to
+   preclude ambiguous interpretation of mech_type specifiers. The OID
+   representing the DASS MechType, for example, is 1.3.12.2.1011.7.5,
+   and that of the Kerberos V5 mechanism, once advanced to the level of
+   Proposed Standard, will be 1.2.840.113554.1.2.2.
+
+1.1.5:  Naming
+
+   The GSS-API avoids prescribing naming structures, treating the names
+   which are transferred across the interface in order to initiate and
+   accept security contexts as opaque objects.  This approach supports
+   the GSS-API's goal of implementability atop a range of underlying
+   security mechanisms, recognizing the fact that different mechanisms
+   process and authenticate names which are presented in different
+   forms. Generalized services offering translation functions among
+   arbitrary sets of naming environments are outside the scope of the
+   GSS-API; availability and use of local conversion functions to
+   translate among the naming formats supported within a given end
+   system is anticipated.
+
+   Different classes of name representations are used in conjunction
+   with different GSS-API parameters:
+
+      - Internal form (denoted in this document by INTERNAL NAME),
+      opaque to callers and defined by individual GSS-API
+      implementations.  GSS-API implementations supporting multiple
+      namespace types must maintain internal tags to disambiguate the
+      interpretation of particular names.  A Mechanism Name (MN) is a
+      special case of INTERNAL NAME, guaranteed to contain elements
+      corresponding to one and only one mechanism; calls which are
+      guaranteed to emit MNs or which require MNs as input are so
+      identified within this specification.
+
+      - Contiguous string ("flat") form (denoted in this document by
+      OCTET STRING); accompanied by OID tags identifying the namespace
+      to which they correspond.  Depending on tag value, flat names may
+      or may not be printable strings for direct acceptance from and
+      presentation to users. Tagging of flat names allows GSS-API
+      callers and underlying GSS-API mechanisms to disambiguate name
+
+
+
+Linn                        Standards Track                    [Page 12]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      types and to determine whether an associated name's type is one
+      which they are capable of processing, avoiding aliasing problems
+      which could result from misinterpreting a name of one type as a
+      name of another type.
+
+      - The GSS-API Exported Name Object, a special case of flat name
+      designated by a reserved OID value, carries a canonicalized form
+      of a name suitable for binary comparisons.
+
+   In addition to providing means for names to be tagged with types,
+   this specification defines primitives to support a level of naming
+   environment independence for certain calling applications. To provide
+   basic services oriented towards the requirements of callers which
+   need not themselves interpret the internal syntax and semantics of
+   names, GSS-API calls for name comparison (GSS_Compare_name()),
+   human-readable display (GSS_Display_name()), input conversion
+   (GSS_Import_name()), internal name deallocation (GSS_Release_name()),
+   and internal name duplication (GSS_Duplicate_name()) functions are
+   defined. (It is anticipated that these proposed GSS-API calls will be
+   implemented in many end systems based on system-specific name
+   manipulation primitives already extant within those end systems;
+   inclusion within the GSS-API is intended to offer GSS-API callers a
+   portable means to perform specific operations, supportive of
+   authorization and audit requirements, on authenticated names.)
+
+   GSS_Import_name() implementations can, where appropriate, support
+   more than one printable syntax corresponding to a given namespace
+   (e.g., alternative printable representations for X.500 Distinguished
+   Names), allowing flexibility for their callers to select among
+   alternative representations. GSS_Display_name() implementations
+   output a printable syntax selected as appropriate to their
+   operational environments; this selection is a local matter. Callers
+   desiring portability across alternative printable syntaxes should
+   refrain from implementing comparisons based on printable name forms
+   and should instead use the GSS_Compare_name()  call to determine
+   whether or not one internal-format name matches another.
+
+   The GSS_Canonicalize_name() and GSS_Export_name() calls enable
+   callers to acquire and process Exported Name Objects, canonicalized
+   and translated in accordance with the procedures of a particular
+   GSS-API mechanism.  Exported Name Objects can, in turn, be input to
+   GSS_Import_name(), yielding equivalent MNs. These facilities are
+   designed specifically to enable efficient storage and comparison of
+   names (e.g., for use in access control lists).
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 13]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   The following diagram illustrates the intended dataflow among name-
+   related GSS-API processing routines.
+
+                        GSS-API library defaults
+                               |
+                               |
+                               V                         text, for
+   text -------------->  internal_name (IN) -----------> display only
+         import_name()          /          display_name()
+                               /
+                              /
+                             /
+    accept_sec_context()    /
+          |                /
+          |               /
+          |              /  canonicalize_name()
+          |             /
+          |            /
+          |           /
+          |          /
+          |         /
+          |        |
+          V        V     <---------------------
+    single mechanism        import_name()         exported name: flat
+    internal_name (MN)                            binary "blob" usable
+                         ---------------------->  for access control
+                            export_name()
+
+1.1.6:  Channel Bindings
+
+   The GSS-API accommodates the concept of caller-provided channel
+   binding ("chan_binding") information.  Channel bindings are used to
+   strengthen the quality with which peer entity authentication is
+   provided during context establishment, by limiting the scope within
+   which an intercepted context establishment token can be reused by an
+   attacker. Specifically, they enable GSS-API callers to bind the
+   establishment of a security context to relevant characteristics
+   (e.g., addresses, transformed representations of encryption keys) of
+   the underlying communications channel, of protection mechanisms
+   applied to that communications channel, and to application-specific
+   data.
+
+   The caller initiating a security context must determine the
+   appropriate channel binding values to provide as input to the
+   GSS_Init_sec_context() call, and consistent values must be provided
+   to GSS_Accept_sec_context() by the context's target, in order for
+   both peers' GSS-API mechanisms to validate that received tokens
+   possess correct channel-related characteristics. Use or non-use of
+
+
+
+Linn                        Standards Track                    [Page 14]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   the GSS-API channel binding facility is a caller option.  GSS-API
+   mechanisms can operate in an environment where NULL channel bindings
+   are presented; mechanism implementors are encouraged, but not
+   required, to make use of caller-provided channel binding data within
+   their mechanisms. Callers should not assume that underlying
+   mechanisms provide confidentiality protection for channel binding
+   information.
+
+   When non-NULL channel bindings are provided by callers, certain
+   mechanisms can offer enhanced security value by interpreting the
+   bindings' content (rather than simply representing those bindings, or
+   integrity check values computed on them, within tokens) and will
+   therefore depend on presentation of specific data in a defined
+   format. To this end, agreements among mechanism implementors are
+   defining conventional interpretations for the contents of channel
+   binding arguments, including address specifiers (with content
+   dependent on communications protocol environment) for context
+   initiators and acceptors. (These conventions are being incorporated
+   in GSS-API mechanism specifications and into the GSS-API C language
+   bindings specification.) In order for GSS-API callers to be portable
+   across multiple mechanisms and achieve the full security
+   functionality which each mechanism can provide, it is strongly
+   recommended that GSS-API callers provide channel bindings consistent
+   with these conventions and those of the networking environment in
+   which they operate.
+
+1.2:  GSS-API Features and Issues
+
+   This section describes aspects of GSS-API operations, of the security
+   services which the GSS-API provides, and provides commentary on
+   design issues.
+
+1.2.1:  Status Reporting
+
+   Each GSS-API call provides two status return values. Major_status
+   values provide a mechanism-independent indication of call status
+   (e.g., GSS_S_COMPLETE, GSS_S_FAILURE, GSS_S_CONTINUE_NEEDED),
+   sufficient to drive normal control flow within the caller in a
+   generic fashion. Table 1 summarizes the defined major_status return
+   codes in tabular fashion.
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 15]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+Table 1: GSS-API Major Status Codes
+
+   FATAL ERROR CODES
+
+   GSS_S_BAD_BINDINGS            channel binding mismatch
+   GSS_S_BAD_MECH                unsupported mechanism requested
+   GSS_S_BAD_NAME                invalid name provided
+   GSS_S_BAD_NAMETYPE            name of unsupported type provided
+   GSS_S_BAD_STATUS              invalid input status selector
+   GSS_S_BAD_SIG                 token had invalid integrity check
+   GSS_S_CONTEXT_EXPIRED         specified security context expired
+   GSS_S_CREDENTIALS_EXPIRED     expired credentials detected
+   GSS_S_DEFECTIVE_CREDENTIAL    defective credential detected
+   GSS_S_DEFECTIVE_TOKEN         defective token detected
+   GSS_S_FAILURE                 failure, unspecified at GSS-API
+                                   level
+   GSS_S_NO_CONTEXT              no valid security context specified
+   GSS_S_NO_CRED                 no valid credentials provided
+   GSS_S_BAD_QOP                 unsupported QOP value
+   GSS_S_UNAUTHORIZED            operation unauthorized
+   GSS_S_UNAVAILABLE             operation unavailable
+   GSS_S_DUPLICATE_ELEMENT       duplicate credential element requested
+   GSS_S_NAME_NOT_MN             name contains multi-mechanism elements
+
+   INFORMATORY STATUS CODES
+
+   GSS_S_COMPLETE                normal completion
+   GSS_S_CONTINUE_NEEDED         continuation call to routine
+                                  required
+   GSS_S_DUPLICATE_TOKEN         duplicate per-message token
+                                  detected
+   GSS_S_OLD_TOKEN               timed-out per-message token
+                                  detected
+   GSS_S_UNSEQ_TOKEN             reordered (early) per-message token
+                                  detected
+   GSS_S_GAP_TOKEN               skipped predecessor token(s)
+                                  detected
+
+   Minor_status provides more detailed status information which may
+   include status codes specific to the underlying security mechanism.
+   Minor_status values are not specified in this document.
+
+   GSS_S_CONTINUE_NEEDED major_status returns, and optional message
+   outputs, are provided in GSS_Init_sec_context() and
+   GSS_Accept_sec_context()  calls so that different mechanisms'
+   employment of different numbers of messages within their
+   authentication sequences need not be reflected in separate code paths
+   within calling applications. Instead, such cases are accommodated
+
+
+
+Linn                        Standards Track                    [Page 16]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   with sequences of continuation calls to GSS_Init_sec_context()  and
+   GSS_Accept_sec_context().  The same mechanism is used to encapsulate
+   mutual authentication within the GSS-API's context initiation calls.
+
+   For mech_types which require interactions with third-party servers in
+   order to establish a security context, GSS-API context establishment
+   calls may block pending completion of such third-party interactions.
+
+   On the other hand, no GSS-API calls pend on serialized interactions
+   with GSS-API peer entities.  As a result, local GSS-API status
+   returns cannot reflect unpredictable or asynchronous exceptions
+   occurring at remote peers, and reflection of such status information
+   is a caller responsibility outside the GSS-API.
+
+1.2.2: Per-Message Security Service Availability
+
+   When a context is established, two flags are returned to indicate the
+   set of per-message protection security services which will be
+   available on the context:
+
+      the integ_avail flag indicates whether per-message integrity and
+      data origin authentication services are available
+
+      the conf_avail flag indicates whether per-message confidentiality
+      services are available, and will never be returned TRUE unless the
+      integ_avail flag is also returned TRUE
+
+      GSS-API callers desiring per-message security services should
+      check the values of these flags at context establishment time, and
+      must be aware that a returned FALSE value for integ_avail means
+      that invocation of GSS_GetMIC()  or GSS_Wrap() primitives on the
+      associated context will apply no cryptographic protection to user
+      data messages.
+
+   The GSS-API per-message integrity and data origin authentication
+   services provide assurance to a receiving caller that protection was
+   applied to a message by the caller's peer on the security context,
+   corresponding to the entity named at context initiation.  The GSS-API
+   per-message confidentiality service provides assurance to a sending
+   caller that the message's content is protected from access by
+   entities other than the context's named peer.
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 17]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   The GSS-API per-message protection service primitives, as the
+   category name implies, are oriented to operation at the granularity
+   of protocol data units. They perform cryptographic operations on the
+   data units, transfer cryptographic control information in tokens,
+   and, in the case of GSS_Wrap(), encapsulate the protected data unit.
+   As such, these primitives are not oriented to efficient data
+   protection for stream-paradigm protocols (e.g., Telnet) if
+   cryptography must be applied on an octet-by-octet basis.
+
+1.2.3: Per-Message Replay Detection and Sequencing
+
+   Certain underlying mech_types offer support for replay detection
+   and/or sequencing of messages transferred on the contexts they
+   support. These optionally-selectable protection features are distinct
+   from replay detection and sequencing features applied to the context
+   establishment operation itself; the presence or absence of context-
+   level replay or sequencing features is wholly a function of the
+   underlying mech_type's capabilities, and is not selected or omitted
+   as a caller option.
+
+   The caller initiating a context provides flags (replay_det_req_flag
+   and sequence_req_flag) to specify whether the use of per-message
+   replay detection and sequencing features is desired on the context
+   being established. The GSS-API implementation at the initiator system
+   can determine whether these features are supported (and whether they
+   are optionally selectable) as a function of mech_type, without need
+   for bilateral negotiation with the target. When enabled, these
+   features provide recipients with indicators as a result of GSS-API
+   processing of incoming messages, identifying whether those messages
+   were detected as duplicates or out-of-sequence. Detection of such
+   events does not prevent a suspect message from being provided to a
+   recipient; the appropriate course of action on a suspect message is a
+   matter of caller policy.
+
+   The semantics of the replay detection and sequencing services applied
+   to received messages, as visible across the interface which the GSS-
+   API provides to its clients, are as follows:
+
+   When replay_det_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_S_COMPLETE indicates that the message was within the window
+      (of time or sequence space) allowing replay events to be detected,
+      and that the message was not a replay of a previously-processed
+      message within that window.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 18]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      2. GSS_S_DUPLICATE_TOKEN indicates that the cryptographic
+      checkvalue on the received message was correct, but that the
+      message was recognized as a duplicate of a previously-processed
+      message.
+
+      3. GSS_S_OLD_TOKEN indicates that the cryptographic checkvalue on
+      the received message was correct, but that the message is too old
+      to be checked for duplication.
+
+   When sequence_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_S_COMPLETE indicates that the message was within the window
+      (of time or sequence space) allowing replay events to be detected,
+      that the message was not a replay of a previously-processed
+      message within that window, and that no predecessor sequenced
+      messages are missing relative to the last received message (if
+      any) processed on the context with a correct cryptographic
+      checkvalue.
+
+      2. GSS_S_DUPLICATE_TOKEN indicates that the integrity check value
+      on the received message was correct, but that the message was
+      recognized as a duplicate of a previously-processed message.
+
+      3. GSS_S_OLD_TOKEN indicates that the integrity check value on the
+      received message was correct, but that the token is too old to be
+      checked for duplication.
+
+      4. GSS_S_UNSEQ_TOKEN indicates that the cryptographic checkvalue
+      on the received message was correct, but that it is earlier in a
+      sequenced stream than a message already processed on the context.
+      [Note: Mechanisms can be architected to provide a stricter form of
+      sequencing service, delivering particular messages to recipients
+      only after all predecessor messages in an ordered stream have been
+      delivered.  This type of support is incompatible with the GSS-API
+      paradigm in which recipients receive all messages, whether in
+      order or not, and provide them (one at a time, without intra-GSS-
+      API message buffering) to GSS-API routines for validation.  GSS-
+      API facilities provide supportive functions, aiding clients to
+      achieve strict message stream integrity in an efficient manner in
+      conjunction with sequencing provisions in communications
+      protocols, but the GSS-API does not offer this level of message
+      stream integrity service by itself.]
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 19]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      5. GSS_S_GAP_TOKEN indicates that the cryptographic checkvalue on
+      the received message was correct, but that one or more predecessor
+      sequenced messages have not been successfully processed relative
+      to the last received message (if any) processed on the context
+      with a correct cryptographic checkvalue.
+
+   As the message stream integrity features (especially sequencing) may
+   interfere with certain applications' intended communications
+   paradigms, and since support for such features is likely to be
+   resource intensive, it is highly recommended that mech_types
+   supporting these features allow them to be activated selectively on
+   initiator request when a context is established. A context initiator
+   and target are provided with corresponding indicators
+   (replay_det_state and sequence_state), signifying whether these
+   features are active on a given context.
+
+   An example mech_type supporting per-message replay detection could
+   (when replay_det_state is TRUE) implement the feature as follows: The
+   underlying mechanism would insert timestamps in data elements output
+   by GSS_GetMIC()  and GSS_Wrap(), and would maintain (within a time-
+   limited window) a cache (qualified by originator-recipient pair)
+   identifying received data elements processed by GSS_VerifyMIC()  and
+   GSS_Unwrap(). When this feature is active, exception status returns
+   (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN) will be provided when
+   GSS_VerifyMIC()  or GSS_Unwrap() is presented with a message which is
+   either a detected duplicate of a prior message or which is too old to
+   validate against a cache of recently received messages.
+
+1.2.4:  Quality of Protection
+
+   Some mech_types provide their users with fine granularity control
+   over the means used to provide per-message protection, allowing
+   callers to trade off security processing overhead dynamically against
+   the protection requirements of particular messages. A per-message
+   quality-of-protection parameter (analogous to quality-of-service, or
+   QOS) selects among different QOP options supported by that mechanism.
+   On context establishment for a multi-QOP mech_type, context-level
+   data provides the prerequisite data for a range of protection
+   qualities.
+
+   It is expected that the majority of callers will not wish to exert
+   explicit mechanism-specific QOP control and will therefore request
+   selection of a default QOP. Definitions of, and choices among, non-
+   default QOP values are mechanism-specific, and no ordered sequences
+   of QOP values can be assumed equivalent across different mechanisms.
+   Meaningful use of non-default QOP values demands that callers be
+   familiar with the QOP definitions of an underlying mechanism or
+   mechanisms, and is therefore a non-portable construct.  The
+
+
+
+Linn                        Standards Track                    [Page 20]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   GSS_S_BAD_QOP major_status value is defined in order to indicate that
+   a provided QOP value is unsupported for a security context, most
+   likely because that value is unrecognized by the underlying
+   mechanism.
+
+1.2.5: Anonymity Support
+
+   In certain situations or environments, an application may wish to
+   authenticate a peer and/or protect communications using GSS-API per-
+   message services without revealing its own identity.  For example,
+   consider an application which provides read access to a research
+   database, and which permits queries by arbitrary requestors.  A
+   client of such a service might wish to authenticate the service, to
+   establish trust in the information received from it, but might not
+   wish to disclose its identity to the service for privacy reasons.
+
+   In ordinary GSS-API usage, a context initiator's identity is made
+   available to the context acceptor as part of the context
+   establishment process.  To provide for anonymity support, a facility
+   (input anon_req_flag to GSS_Init_sec_context()) is provided through
+   which context initiators may request that their identity not be
+   provided to the context acceptor.  Mechanisms are not required to
+   honor this request, but a caller will be informed (via returned
+   anon_state indicator from GSS_Init_sec_context()) whether or not the
+   request is honored. Note that authentication as the anonymous
+   principal does not necessarily imply that credentials are not
+   required in order to establish a context.
+
+   The following Object Identifier value is provided as a means to
+   identify anonymous names, and can be compared against in order to
+   determine, in a mechanism-independent fashion, whether a name refers
+   to an anonymous principal:
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   3(gss-anonymous-name)}
+
+   The recommended symbolic name corresponding to this definition is
+   GSS_C_NT_ANONYMOUS.
+
+   Four possible combinations of anon_state and mutual_state are
+   possible, with the following results:
+
+      anon_state == FALSE, mutual_state == FALSE: initiator
+      authenticated to target.
+
+      anon_state == FALSE, mutual_state == TRUE: initiator authenticated
+      to target, target authenticated to initiator.
+
+
+
+
+Linn                        Standards Track                    [Page 21]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      anon_state == TRUE, mutual_state == FALSE: initiator authenticated
+      as anonymous principal to target.
+
+      anon_state == TRUE, mutual_state == TRUE: initiator authenticated
+      as anonymous principal to target, target authenticated to
+      initiator.
+
+1.2.6: Initialization
+
+   No initialization calls (i.e., calls which must be invoked prior to
+   invocation of other facilities in the interface) are defined in GSS-
+   API.  As an implication of this fact, GSS-API implementations must
+   themselves be self-initializing.
+
+1.2.7: Per-Message Protection During Context Establishment
+
+   A facility is defined in GSS-V2 to enable protection and buffering of
+   data messages for later transfer while a security context's
+   establishment is in GSS_S_CONTINUE_NEEDED status, to be used in cases
+   where the caller side already possesses the necessary session key to
+   enable this processing. Specifically, a new state Boolean, called
+   prot_ready_state, is added to the set of information returned by
+   GSS_Init_sec_context(), GSS_Accept_sec_context(), and
+   GSS_Inquire_context().
+
+   For context establishment calls, this state Boolean is valid and
+   interpretable when the associated major_status is either
+   GSS_S_CONTINUE_NEEDED, or GSS_S_COMPLETE.  Callers of GSS-API (both
+   initiators and acceptors) can assume that per-message protection (via
+   GSS_Wrap(), GSS_Unwrap(), GSS_GetMIC() and GSS_VerifyMIC()) is
+   available and ready for use if either: prot_ready_state == TRUE, or
+   major_status == GSS_S_COMPLETE, though mutual authentication (if
+   requested) cannot be guaranteed until GSS_S_COMPLETE is returned.
+
+   This achieves full, transparent backward compatibility for GSS-API V1
+   callers, who need not even know of the existence of prot_ready_state,
+   and who will get the expected behavior from GSS_S_COMPLETE, but who
+   will not be able to use per-message protection before GSS_S_COMPLETE
+   is returned.
+
+   It is not a requirement that GSS-V2 mechanisms ever return TRUE
+   prot_ready_state before completion of context establishment (indeed,
+   some mechanisms will not evolve usable message protection keys,
+   especially at the context acceptor, before context establishment is
+   complete).  It is expected but not required that GSS-V2 mechanisms
+   will return TRUE prot_ready_state upon completion of context
+   establishment if they support per-message protection at all (however
+   GSS-V2 applications should not assume that TRUE prot_ready_state will
+
+
+
+Linn                        Standards Track                    [Page 22]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   always be returned together with the GSS_S_COMPLETE major_status,
+   since GSS-V2 implementations may continue to support GSS-V1 mechanism
+   code, which will never return TRUE prot_ready_state).
+
+   When prot_ready_state is returned TRUE, mechanisms shall also set
+   those context service indicator flags (deleg_state, mutual_state,
+   replay_det_state, sequence_state, anon_state, trans_state,
+   conf_avail, integ_avail) which represent facilities confirmed, at
+   that time, to be available on the context being established.  In
+   situations where prot_ready_state is returned before GSS_S_COMPLETE,
+   it is possible that additional facilities may be confirmed and
+   subsequently indicated when GSS_S_COMPLETE is returned.
+
+1.2.8: Implementation Robustness
+
+   This section recommends aspects of GSS-API implementation behavior in
+   the interests of overall robustness.
+
+   If a token is presented for processing on a GSS-API security context
+   and that token is determined to be invalid for that context, the
+   context's state should not be disrupted for purposes of processing
+   subsequent valid tokens.
+
+   Certain local conditions at a GSS-API implementation (e.g.,
+   unavailability of memory) may preclude, temporarily or permanently,
+   the successful processing of tokens on a GSS-API security context,
+   typically generating GSS_S_FAILURE major_status returns along with
+   locally-significant minor_status.  For robust operation under such
+   conditions, the following recommendations are made:
+
+      Failing calls should free any memory they allocate, so that
+      callers may retry without causing further loss of resources.
+
+      Failure of an individual call on an established context should not
+      preclude subsequent calls from succeeding on the same context.
+
+      Whenever possible, it should be possible for
+      GSS_Delete_sec_context() calls to be successfully processed even
+      if other calls cannot succeed, thereby enabling context-related
+      resources to be released.
+
+2:  Interface Descriptions
+
+   This section describes the GSS-API's service interface, dividing the
+   set of calls offered into four groups. Credential management calls
+   are related to the acquisition and release of credentials by
+   principals. Context-level calls are related to the management of
+   security contexts between principals. Per-message calls are related
+
+
+
+Linn                        Standards Track                    [Page 23]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   to the protection of individual messages on established security
+   contexts. Support calls provide ancillary functions useful to GSS-API
+   callers. Table 2 groups and summarizes the calls in tabular fashion.
+
+Table 2:  GSS-API Calls
+
+   CREDENTIAL MANAGEMENT
+
+   GSS_Acquire_cred             acquire credentials for use
+   GSS_Release_cred             release credentials after use
+   GSS_Inquire_cred             display information about
+                                credentials
+   GSS_Add_cred                 construct credentials incrementally
+   GSS_Inquire_cred_by_mech     display per-mechanism credential
+                                information
+
+   CONTEXT-LEVEL CALLS
+
+   GSS_Init_sec_context         initiate outbound security context
+   GSS_Accept_sec_context       accept inbound security context
+   GSS_Delete_sec_context       flush context when no longer needed
+   GSS_Process_context_token    process received control token on
+                                context
+   GSS_Context_time             indicate validity time remaining on
+                                      context
+   GSS_Inquire_context          display information about context
+   GSS_Wrap_size_limit          determine GSS_Wrap token size limit
+   GSS_Export_sec_context       transfer context to other process
+   GSS_Import_sec_context       import transferred context
+
+   PER-MESSAGE CALLS
+
+   GSS_GetMIC                   apply integrity check, receive as
+                                token separate from message
+   GSS_VerifyMIC                validate integrity check token
+                                along with message
+   GSS_Wrap                     sign, optionally encrypt,
+                                encapsulate
+   GSS_Unwrap                   decapsulate, decrypt if needed,
+                                validate integrity check
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 24]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   SUPPORT CALLS
+
+   GSS_Display_status           translate status codes to printable
+                                form
+   GSS_Indicate_mechs           indicate mech_types supported on
+                                local system
+   GSS_Compare_name             compare two names for equality
+   GSS_Display_name             translate name to printable form
+   GSS_Import_name              convert printable name to
+                                normalized form
+   GSS_Release_name             free storage of normalized-form
+                                name
+   GSS_Release_buffer           free storage of printable name
+   GSS_Release_OID              free storage of OID object
+   GSS_Release_OID_set          free storage of OID set object
+   GSS_Create_empty_OID_set     create empty OID set
+   GSS_Add_OID_set_member       add member to OID set
+   GSS_Test_OID_set_member      test if OID is member of OID set
+   GSS_OID_to_str               display OID as string
+   GSS_Str_to_OID               construct OID from string
+   GSS_Inquire_names_for_mech   indicate name types supported by
+                                mechanism
+   GSS_Inquire_mechs_for_name   indicates mechanisms supporting name
+                                type
+   GSS_Canonicalize_name        translate name to per-mechanism form
+   GSS_Export_name              externalize per-mechanism name
+   GSS_Duplicate_name           duplicate name object
+
+2.1:  Credential management calls
+
+   These GSS-API calls provide functions related to the management of
+   credentials. Their characterization with regard to whether or not
+   they may block pending exchanges with other network entities (e.g.,
+   directories or authentication servers) depends in part on OS-specific
+   (extra-GSS-API) issues, so is not specified in this document.
+
+   The GSS_Acquire_cred() call is defined within the GSS-API in support
+   of application portability, with a particular orientation towards
+   support of portable server applications. It is recognized that (for
+   certain systems and mechanisms) credentials for interactive users may
+   be managed differently from credentials for server processes; in such
+   environments, it is the GSS-API implementation's responsibility to
+   distinguish these cases and the procedures for making this
+   distinction are a local matter. The GSS_Release_cred()  call provides
+   a means for callers to indicate to the GSS-API that use of a
+   credentials structure is no longer required. The GSS_Inquire_cred()
+   call allows callers to determine information about a credentials
+   structure.  The GSS_Add_cred() call enables callers to append
+
+
+
+Linn                        Standards Track                    [Page 25]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   elements to an existing credential structure, allowing iterative
+   construction of a multi-mechanism credential. The
+   GSS_Inquire_cred_by_mech() call enables callers to extract per-
+   mechanism information describing a credentials structure.
+
+2.1.1:  GSS_Acquire_cred call
+
+   Inputs:
+
+   o  desired_name INTERNAL NAME, -NULL requests locally-determined
+      default
+
+   o  lifetime_req INTEGER,-in seconds; 0 requests default
+
+   o  desired_mechs SET OF OBJECT IDENTIFIER,-empty set requests
+      system-selected default
+
+   o  cred_usage INTEGER -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+      2=ACCEPT-ONLY
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_cred_handle CREDENTIAL HANDLE,
+
+   o  actual_mechs SET OF OBJECT IDENTIFIER,
+
+   o  lifetime_rec INTEGER -in seconds, or reserved value for
+      INDEFINITE
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that requested credentials were
+      successfully established, for the duration indicated in
+      lifetime_rec, suitable for the usage requested in cred_usage,
+      for the set of mech_types indicated in actual_mechs, and that
+      those credentials can be referenced for subsequent use with
+      the handle returned in output_cred_handle.
+
+   o  GSS_S_BAD_MECH indicates that a mech_type unsupported by the
+      GSS-API implementation type was requested, causing the
+      credential establishment operation to fail.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 26]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided desired_name is
+      uninterpretable or of a type unsupported by the applicable
+      underlying GSS-API mechanism(s), so no credentials could be
+      established for the accompanying desired_name.
+
+   o  GSS_S_BAD_NAME indicates that the provided desired_name is
+      inconsistent in terms of internally-incorporated type specifier
+      information, so no credentials could be established for the
+      accompanying desired_name.
+
+   o  GSS_S_FAILURE indicates that credential establishment failed
+      for reasons unspecified at the GSS-API level, including lack
+      of authorization to establish and use credentials associated
+      with the identity named in the input desired_name argument.
+
+   GSS_Acquire_cred()  is used to acquire credentials so that a
+   principal can (as a function of the input cred_usage parameter)
+   initiate and/or accept security contexts under the identity
+   represented by the desired_name input argument. On successful
+   completion, the returned output_cred_handle result provides a handle
+   for subsequent references to the acquired credentials.  Typically,
+   single-user client processes requesting that default credential
+   behavior be applied for context establishment purposes will have no
+   need to invoke this call.
+
+   A caller may provide the value NULL for desired_name, signifying a
+   request for credentials corresponding to a principal identity
+   selected by default for the caller. The procedures used by GSS-API
+   implementations to select the appropriate principal identity in
+   response to such a request are local matters. It is possible that
+   multiple pre-established credentials may exist for the same principal
+   identity (for example, as a result of multiple user login sessions)
+   when GSS_Acquire_cred() is called; the means used in such cases to
+   select a specific credential are local matters.  The input
+   lifetime_req argument to GSS_Acquire_cred() may provide useful
+   information for local GSS-API implementations to employ in making
+   this disambiguation in a manner which will best satisfy a caller's
+   intent.
+
+   The lifetime_rec result indicates the length of time for which the
+   acquired credentials will be valid, as an offset from the present. A
+   mechanism may return a reserved value indicating INDEFINITE if no
+   constraints on credential lifetime are imposed.  A caller of
+   GSS_Acquire_cred()  can request a length of time for which acquired
+   credentials are to be valid (lifetime_req argument), beginning at the
+   present, or can request credentials with a default validity interval.
+   (Requests for postdated credentials are not supported within the
+   GSS-API.) Certain mechanisms and implementations may bind in
+
+
+
+Linn                        Standards Track                    [Page 27]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   credential validity period specifiers at a point preliminary to
+   invocation of the GSS_Acquire_cred() call (e.g., in conjunction with
+   user login procedures). As a result, callers requesting non-default
+   values for lifetime_req must recognize that such requests cannot
+   always be honored and must be prepared to accommodate the use of
+   returned credentials with different lifetimes as indicated in
+   lifetime_rec.
+
+   The caller of GSS_Acquire_cred()  can explicitly specify a set of
+   mech_types which are to be accommodated in the returned credentials
+   (desired_mechs argument), or can request credentials for a system-
+   defined default set of mech_types. Selection of the system-specified
+   default set is recommended in the interests of application
+   portability. The actual_mechs return value may be interrogated by the
+   caller to determine the set of mechanisms with which the returned
+   credentials may be used.
+
+2.1.2:  GSS_Release_cred call
+
+   Input:
+
+   o  cred_handle CREDENTIAL HANDLE - NULL specifies that
+      the credential elements used when default credential behavior
+      is requested be released.
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+      input cred_handle were released for purposes of subsequent
+      access by the caller. The effect on other processes which may
+      be authorized shared access to such credentials is a local
+      matter.
+
+   o  GSS_S_NO_CRED indicates that no release operation was
+      performed, either because the input cred_handle was invalid or
+      because the caller lacks authorization to access the
+      referenced credentials.
+
+   o  GSS_S_FAILURE indicates that the release operation failed for
+      reasons unspecified at the GSS-API level.
+
+
+
+
+
+Linn                        Standards Track                    [Page 28]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Provides a means for a caller to explicitly request that credentials
+   be released when their use is no longer required. Note that system-
+   specific credential management functions are also likely to exist,
+   for example to assure that credentials shared among processes are
+   properly deleted when all affected processes terminate, even if no
+   explicit release requests are issued by those processes. Given the
+   fact that multiple callers are not precluded from gaining authorized
+   access to the same credentials, invocation of GSS_Release_cred()
+   cannot be assumed to delete a particular set of credentials on a
+   system-wide basis.
+
+2.1.3:  GSS_Inquire_cred call
+
+   Input:
+
+   o  cred_handle CREDENTIAL HANDLE -NULL specifies that the
+      credential elements used when default credential behavior is
+      requested are to be queried
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  cred_name INTERNAL NAME,
+
+   o  lifetime_rec INTEGER -in seconds, or reserved value for
+      INDEFINITE
+
+   o  cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+      2=ACCEPT-ONLY
+
+   o  mech_set SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+      input cred_handle argument were valid, and that the output
+      cred_name, lifetime_rec, and cred_usage values represent,
+      respectively, the credentials' associated principal name,
+      remaining lifetime, suitable usage modes, and supported
+      mechanism types.
+
+   o  GSS_S_NO_CRED indicates that no information could be returned
+      about the referenced credentials, either because the input
+      cred_handle was invalid or because the caller lacks
+      authorization to access the referenced credentials.
+
+
+
+Linn                        Standards Track                    [Page 29]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced
+      credentials are invalid.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the referenced
+      credentials have expired.
+
+   o  GSS_S_FAILURE indicates that the operation failed for
+      reasons unspecified at the GSS-API level.
+
+   The GSS_Inquire_cred() call is defined primarily for the use of those
+   callers which request use of default credential behavior rather than
+   acquiring credentials explicitly with GSS_Acquire_cred().  It enables
+   callers to determine a credential structure's associated principal
+   name, remaining validity period, usability for security context
+   initiation and/or acceptance, and supported mechanisms.
+
+   For a multi-mechanism credential, the returned "lifetime" specifier
+   indicates the shortest lifetime of any of the mechanisms' elements in
+   the credential (for either context initiation or acceptance
+   purposes).
+
+   GSS_Inquire_cred() should indicate INITIATE-AND-ACCEPT for
+   "cred_usage" if both of the following conditions hold:
+
+      (1) there exists in the credential an element which allows context
+      initiation using some mechanism
+
+      (2) there exists in the credential an element which allows context
+      acceptance using some mechanism (allowably, but not necessarily,
+      one of the same mechanism(s) qualifying for (1)).
+
+   If condition (1) holds but not condition (2), GSS_Inquire_cred()
+   should indicate INITIATE-ONLY for "cred_usage".  If condition (2)
+   holds but not condition (1), GSS_Inquire_cred() should indicate
+   ACCEPT-ONLY for "cred_usage".
+
+   Callers requiring finer disambiguation among available combinations
+   of lifetimes, usage modes, and mechanisms should call the
+   GSS_Inquire_cred_by_mech() routine, passing that routine one of the
+   mech OIDs returned by GSS_Inquire_cred().
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 30]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.1.4:  GSS_Add_cred call
+
+   Inputs:
+
+   o  input_cred_handle CREDENTIAL HANDLE - handle to credential
+      structure created with prior GSS_Acquire_cred() or
+      GSS_Add_cred() call, or NULL to append elements to the set
+      which are applied for the caller when default credential
+      behavior is specified.
+
+   o  desired_name INTERNAL NAME - NULL requests locally-determined
+      default
+
+   o  initiator_time_req INTEGER - in seconds; 0 requests default
+
+   o  acceptor_time_req INTEGER - in seconds; 0 requests default
+
+   o  desired_mech OBJECT IDENTIFIER
+
+   o  cred_usage INTEGER - 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+       2=ACCEPT-ONLY
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_cred_handle CREDENTIAL HANDLE, - NULL to request that
+      credential elements be added "in place" to the credential
+      structure  identified by input_cred_handle, non-NULL pointer
+      to request that a new credential structure and handle be created.
+
+   o  actual_mechs SET OF OBJECT IDENTIFIER,
+
+   o  initiator_time_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   o  acceptor_time_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   o  cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+      2=ACCEPT-ONLY
+
+   o  mech_set SET OF OBJECT IDENTIFIER -- full set of mechanisms
+      supported by resulting credential.
+
+
+
+
+
+Linn                        Standards Track                    [Page 31]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by
+      the input_cred_handle argument were valid, and that the
+      resulting credential from GSS_Add_cred() is valid for the
+      durations indicated in initiator_time_rec and acceptor_time_rec,
+      suitable for the usage requested in cred_usage, and for the
+      mechanisms indicated in actual_mechs.
+
+   o  GSS_S_DUPLICATE_ELEMENT indicates that the input desired_mech
+      specified a mechanism for which the referenced credential
+      already contained a credential element with overlapping
+      cred_usage and validity time specifiers.
+
+   o  GSS_S_BAD_MECH indicates that the input desired_mech specified
+      a mechanism unsupported by the GSS-API implementation, causing
+      the GSS_Add_cred() operation to fail.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided desired_name
+      is uninterpretable or of a type unsupported by the applicable
+      underlying GSS-API mechanism(s), so the GSS_Add_cred() operation
+      could not be performed for that name.
+
+   o  GSS_S_BAD_NAME indicates that the provided desired_name is
+      inconsistent in terms of internally-incorporated type specifier
+      information, so the GSS_Add_cred() operation could not be
+      performed for that name.
+
+   o  GSS_S_NO_CRED indicates that the input_cred_handle referenced
+      invalid or inaccessible credentials.
+
+   o  GSS_S_FAILURE indicates that the operation failed for
+      reasons unspecified at the GSS-API level, including lack of
+      authorization to establish or use credentials representing
+      the requested identity.
+
+   GSS_Add_cred() enables callers to construct credentials iteratively
+   by adding credential elements in successive operations, corresponding
+   to different mechanisms.  This offers particular value in multi-
+   mechanism environments, as the major_status and minor_status values
+   returned on each iteration are individually visible and can therefore
+   be interpreted unambiguously on a per-mechanism basis.
+
+   The same input desired_name, or default reference, should be used on
+   all GSS_Acquire_cred() and GSS_Add_cred() calls corresponding to a
+   particular credential.
+
+
+
+
+
+Linn                        Standards Track                    [Page 32]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.1.5:  GSS_Inquire_cred_by_mech call
+
+   Inputs:
+
+   o  cred_handle CREDENTIAL HANDLE  -- NULL specifies that the
+      credential elements used when default credential behavior is
+      requested are to be queried
+
+   o  mech_type OBJECT IDENTIFIER  -- specific mechanism for
+      which credentials are being queried
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  cred_name INTERNAL NAME, -- guaranteed to be MN
+
+   o  lifetime_rec_initiate INTEGER -- in seconds, or reserved value for
+      INDEFINITE
+
+   o  lifetime_rec_accept INTEGER -- in seconds, or reserved value for
+      INDEFINITE
+
+   o  cred_usage INTEGER, -0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+      2=ACCEPT-ONLY
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+      input cred_handle argument were valid, that the mechanism
+      indicated by the input mech_type was represented with elements
+      within those credentials, and that the output cred_name,
+      lifetime_rec_initiate, lifetime_rec_accept, and cred_usage values
+      represent, respectively, the credentials' associated principal
+      name, remaining lifetimes, and suitable usage modes.
+
+   o  GSS_S_NO_CRED indicates that no information could be returned
+      about the referenced credentials, either because the input
+      cred_handle was invalid or because the caller lacks
+      authorization to access the referenced credentials.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced
+      credentials are invalid.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the referenced
+      credentials have expired.
+
+
+
+Linn                        Standards Track                    [Page 33]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_MECH indicates that the referenced credentials do not
+      contain elements for the requested mechanism.
+
+   o  GSS_S_FAILURE indicates that the operation failed for reasons
+      unspecified at the GSS-API level.
+
+   The GSS_Inquire_cred_by_mech() call enables callers in multi-
+   mechanism environments to acquire specific data about available
+   combinations of lifetimes, usage modes, and mechanisms within a
+   credential structure.  The lifetime_rec_initiate result indicates the
+   available lifetime for context initiation purposes; the
+   lifetime_rec_accept result indicates the available lifetime for
+   context acceptance purposes.
+
+2.2:  Context-level calls
+
+   This group of calls is devoted to the establishment and management of
+   security contexts between peers. A context's initiator calls
+   GSS_Init_sec_context(),  resulting in generation of a token which the
+   caller passes to the target. At the target, that token is passed to
+   GSS_Accept_sec_context().  Depending on the underlying mech_type and
+   specified options, additional token exchanges may be performed in the
+   course of context establishment; such exchanges are accommodated by
+   GSS_S_CONTINUE_NEEDED status returns from GSS_Init_sec_context()  and
+   GSS_Accept_sec_context().
+
+   Either party to an established context may invoke
+   GSS_Delete_sec_context() to flush context information when a context
+   is no longer required. GSS_Process_context_token()  is used to
+   process received tokens carrying context-level control information.
+   GSS_Context_time()  allows a caller to determine the length of time
+   for which an established context will remain valid.
+   GSS_Inquire_context() returns status information describing context
+   characteristics. GSS_Wrap_size_limit() allows a caller to determine
+   the size of a token which will be generated by a GSS_Wrap()
+   operation.  GSS_Export_sec_context() and GSS_Import_sec_context()
+   enable transfer of active contexts between processes on an end
+   system.
+
+2.2.1:  GSS_Init_sec_context call
+
+   Inputs:
+
+   o  claimant_cred_handle CREDENTIAL HANDLE, -NULL specifies "use
+      default"
+
+   o  input_context_handle CONTEXT HANDLE, -0 specifies "none assigned
+      yet"
+
+
+
+Linn                        Standards Track                    [Page 34]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  targ_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER, -NULL parameter specifies "use
+      default"
+
+   o  deleg_req_flag BOOLEAN,
+
+   o  mutual_req_flag BOOLEAN,
+
+   o  replay_det_req_flag BOOLEAN,
+
+   o  sequence_req_flag BOOLEAN,
+
+   o  anon_req_flag BOOLEAN,
+
+   o  lifetime_req INTEGER,-0 specifies default lifetime
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING-NULL or token received from target
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_context_handle CONTEXT HANDLE,
+
+   o  mech_type OBJECT IDENTIFIER, -actual mechanism always
+      indicated, never NULL
+
+   o  output_token OCTET STRING, -NULL or token to pass to context
+      target
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN, -- see Section 1.2.7
+
+
+
+Linn                        Standards Track                    [Page 35]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  lifetime_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   This call may block pending network interactions for those mech_types
+   in which an authentication server or other network entity must be
+   consulted on behalf of a context initiator in order to generate an
+   output_token suitable for presentation to a specified target.
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that context-level information was
+      successfully initialized, and that the returned output_token
+      will provide sufficient information for the target to perform
+      per-message processing on the newly-established context.
+
+   o  GSS_S_CONTINUE_NEEDED indicates that control information in the
+      returned output_token must be sent to the target, and that a
+      reply must be received and passed as the input_token argument
+      to a continuation call to GSS_Init_sec_context(),  before
+      per-message processing can be performed in conjunction with
+      this context.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks
+      performed on the input_token failed, preventing further
+      processing from being performed based on that token.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
+      performed on the credential structure referenced by
+      claimant_cred_handle failed, preventing further processing from
+      being performed using that credential structure.
+
+   o  GSS_S_BAD_SIG indicates that the received input_token
+      contains an incorrect integrity check, so context setup cannot
+      be accomplished.
+
+   o  GSS_S_NO_CRED indicates that no context was established,
+      either because the input cred_handle was invalid, because the
+      referenced credentials are valid for context acceptor use
+      only, or because the caller lacks authorization to access the
+      referenced credentials.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the credentials
+      provided through the input claimant_cred_handle argument are no
+      longer valid, so context establishment cannot be completed.
+
+
+
+Linn                        Standards Track                    [Page 36]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_BINDINGS indicates that a mismatch between the
+      caller-provided chan_bindings and those extracted from the
+      input_token was detected, signifying a security-relevant
+      event and preventing context establishment. (This result will
+      be returned by GSS_Init_sec_context only for contexts where
+      mutual_state is TRUE.)
+
+   o  GSS_S_OLD_TOKEN indicates that the input_token is too old to
+      be checked for integrity. This is a fatal error during context
+      establishment.
+
+   o  GSS_S_DUPLICATE_TOKEN indicates that the input token has a
+      correct integrity check, but is a duplicate of a token already
+      processed. This is a fatal error during context establishment.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided; this major status will
+      be returned only for successor calls following GSS_S_CONTINUE_
+      NEEDED status returns.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided targ_name is
+      of a type uninterpretable or unsupported by the applicable
+      underlying GSS-API mechanism(s), so context establishment
+      cannot be completed.
+
+   o  GSS_S_BAD_NAME indicates that the provided targ_name is
+      inconsistent in terms of internally-incorporated type specifier
+      information, so context establishment cannot be accomplished.
+
+   o  GSS_S_BAD_MECH indicates receipt of a context establishment token
+      or of a caller request specifying a mechanism unsupported by
+      the local system or with the caller's active credentials
+
+   o  GSS_S_FAILURE indicates that context setup could not be
+      accomplished for reasons unspecified at the GSS-API level, and
+      that no interface-defined recovery action is available.
+
+   This routine is used by a context initiator, and ordinarily emits one
+   (or, for the case of a multi-step exchange, more than one)
+   output_token suitable for use by the target within the selected
+   mech_type's protocol. Using information in the credentials structure
+   referenced by claimant_cred_handle, GSS_Init_sec_context()
+   initializes the data structures required to establish a security
+   context with target targ_name. The targ_name may be any valid
+   INTERNAL NAME; it need not be an MN. The claimant_cred_handle must
+   correspond to the same valid credentials structure on the initial
+   call to GSS_Init_sec_context()  and on any successor calls resulting
+   from GSS_S_CONTINUE_NEEDED status returns; different protocol
+
+
+
+Linn                        Standards Track                    [Page 37]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   sequences modeled by the GSS_S_CONTINUE_NEEDED facility will require
+   access to credentials at different points in the context
+   establishment sequence.
+
+   The input_context_handle argument is 0, specifying "not yet
+   assigned", on the first GSS_Init_sec_context()  call relating to a
+   given context. If successful (i.e., if accompanied by major_status
+   GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and only if successful, the
+   initial GSS_Init_sec_context() call returns a non-zero
+   output_context_handle for use in future references to this context.
+   Once a non-zero output_context_handle has been returned, GSS-API
+   callers should call GSS_Delete_sec_context() to release context-
+   related resources if errors occur in later phases of context
+   establishment, or when an established context is no longer required.
+
+   When continuation attempts to GSS_Init_sec_context() are needed to
+   perform context establishment, the previously-returned non-zero
+   handle value is entered into the input_context_handle argument and
+   will be echoed in the returned output_context_handle argument. On
+   such continuation attempts (and only on continuation attempts) the
+   input_token value is used, to provide the token returned from the
+   context's target.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The input_token argument contains a message received from the target,
+   and is significant only on a call to GSS_Init_sec_context()  which
+   follows a previous return indicating GSS_S_CONTINUE_NEEDED
+   major_status.
+
+   It is the caller's responsibility to establish a communications path
+   to the target, and to transmit any returned output_token (independent
+   of the accompanying returned major_status value) to the target over
+   that path. The output_token can, however, be transmitted along with
+   the first application-provided input message to be processed by
+   GSS_GetMIC() or GSS_Wrap() in conjunction with a successfully-
+   established context.
+
+   The initiator may request various context-level functions through
+   input flags: the deleg_req_flag requests delegation of access rights,
+   the mutual_req_flag requests mutual authentication, the
+   replay_det_req_flag requests that replay detection features be
+   applied to messages transferred on the established context, and the
+   sequence_req_flag requests that sequencing be enforced. (See Section
+
+
+
+Linn                        Standards Track                    [Page 38]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   1.2.3 for more information on replay detection and sequencing
+   features.)  The anon_req_flag requests that the initiator's identity
+   not be transferred within tokens to be sent to the acceptor.
+
+   Not all of the optionally-requestable features will be available in
+   all underlying mech_types. The corresponding return state values
+   deleg_state, mutual_state, replay_det_state, and sequence_state
+   indicate, as a function of mech_type processing capabilities and
+   initiator-provided input flags, the set of features which will be
+   active on the context.  The returned trans_state value indicates
+   whether the context is transferable to other processes through use of
+   GSS_Export_sec_context().  These state indicators' values are
+   undefined unless either the routine's major_status indicates
+   GSS_S_COMPLETE, or TRUE prot_ready_state is returned along with
+   GSS_S_CONTINUE_NEEDED major_status; for the latter case, it is
+   possible that additional features, not confirmed or indicated along
+   with TRUE prot_ready_state, will be confirmed and indicated when
+   GSS_S_COMPLETE is subsequently returned.
+
+   The returned anon_state and prot_ready_state values are significant
+   for both GSS_S_COMPLETE and GSS_S_CONTINUE_NEEDED major_status
+   returns from GSS_Init_sec_context().  When anon_state is returned
+   TRUE, this indicates that neither the current token nor its
+   predecessors delivers or has delivered the initiator's identity.
+   Callers wishing to perform context establishment only if anonymity
+   support is provided should transfer a returned token from
+   GSS_Init_sec_context() to the peer only if it is accompanied by a
+   TRUE anon_state indicator.  When prot_ready_state is returned TRUE in
+   conjunction with GSS_S_CONTINUE_NEEDED major_status, this indicates
+   that per-message protection operations may be applied on the context:
+   see Section 1.2.7 for further discussion of this facility.
+
+   Failure to provide the precise set of features requested by the
+   caller does not cause context establishment to fail; it is the
+   caller's prerogative to delete the context if the feature set
+   provided is unsuitable for the caller's use.
+
+   The returned mech_type value indicates the specific mechanism
+   employed on the context, is valid only along with major_status
+   GSS_S_COMPLETE, and will never indicate the value for "default".
+   Note that, for the case of certain mechanisms which themselves
+   perform negotiation, the returned mech_type result may indicate
+   selection of a mechanism identified by an OID different than that
+   passed in the input mech_type argument.
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+
+
+
+Linn                        Standards Track                    [Page 39]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   input to GSS_Wrap()  can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_GetMIC() or GSS_Wrap()) on
+   the established context. These state indicators' values are undefined
+   unless either the routine's major_status indicates GSS_S_COMPLETE, or
+   TRUE prot_ready_state is returned along with GSS_S_CONTINUE_NEEDED
+   major_status.
+
+   The lifetime_req input specifies a desired upper bound for the
+   lifetime of the context to be established, with a value of 0 used to
+   request a default lifetime. The lifetime_rec return value indicates
+   the length of time for which the context will be valid, expressed as
+   an offset from the present; depending on mechanism capabilities,
+   credential lifetimes, and local policy, it may not correspond to the
+   value requested in lifetime_req.  If no constraints on context
+   lifetime are imposed, this may be indicated by returning a reserved
+   value representing INDEFINITE lifetime_req. The value of lifetime_rec
+   is undefined unless the routine's major_status indicates
+   GSS_S_COMPLETE.
+
+   If the mutual_state is TRUE, this fact will be reflected within the
+   output_token. A call to GSS_Accept_sec_context()  at the target in
+   conjunction with such a context will return a token, to be processed
+   by a continuation call to GSS_Init_sec_context(),  in order to
+   achieve mutual authentication.
+
+2.2.2:  GSS_Accept_sec_context call
+
+   Inputs:
+
+   o  acceptor_cred_handle CREDENTIAL HANDLE, -- NULL specifies
+      "use default"
+
+   o  input_context_handle CONTEXT HANDLE, -- 0 specifies
+      "not yet assigned"
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  src_name INTERNAL NAME, -- guaranteed to be MN
+
+
+
+
+Linn                        Standards Track                    [Page 40]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  mech_type OBJECT IDENTIFIER,
+
+   o  output_context_handle CONTEXT HANDLE,
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN, -- see Section 1.2.7 for discussion
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  lifetime_rec INTEGER, - in seconds, or reserved value for
+      INDEFINITE
+
+   o  delegated_cred_handle CREDENTIAL HANDLE,
+
+   o  output_token OCTET STRING -NULL or token to pass to context
+      initiator
+
+   This call may block pending network interactions for those mech_types
+   in which a directory service or other network entity must be
+   consulted on behalf of a context acceptor in order to validate a
+   received input_token.
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that context-level data structures
+      were successfully initialized, and that per-message processing
+      can now be performed in conjunction with this context.
+
+   o  GSS_S_CONTINUE_NEEDED indicates that control information in the
+      returned output_token must be sent to the initiator, and that
+      a response must be received and passed as the input_token
+      argument to a continuation call to GSS_Accept_sec_context(),
+      before per-message processing can be performed in conjunction
+      with this context.
+
+
+
+
+Linn                        Standards Track                    [Page 41]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+      on the input_token failed, preventing further processing from
+      being performed based on that token.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
+      performed on the credential structure referenced by
+      acceptor_cred_handle failed, preventing further processing from
+      being performed using that credential structure.
+
+   o  GSS_S_BAD_SIG indicates that the received input_token contains
+      an incorrect integrity check, so context setup cannot be
+      accomplished.
+
+   o  GSS_S_DUPLICATE_TOKEN indicates that the integrity check on the
+      received input_token was correct, but that the input_token
+      was recognized as a duplicate of an input_token already
+      processed. No new context is established.
+
+   o  GSS_S_OLD_TOKEN indicates that the integrity check on the received
+      input_token was correct, but that the input_token is too old
+      to be checked for duplication against previously-processed
+      input_tokens. No new context is established.
+
+   o  GSS_S_NO_CRED indicates that no context was established, either
+      because the input cred_handle was invalid, because the
+      referenced credentials are valid for context initiator use
+      only, or because the caller lacks authorization to access the
+      referenced credentials.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided
+      through the input acceptor_cred_handle argument are no
+      longer valid, so context establishment cannot be completed.
+
+   o  GSS_S_BAD_BINDINGS indicates that a mismatch between the
+      caller-provided chan_bindings and those extracted from the
+      input_token was detected, signifying a security-relevant
+      event and preventing context establishment.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided; this major status will
+      be returned only for successor calls following GSS_S_CONTINUE_
+      NEEDED status returns.
+
+   o  GSS_S_BAD_MECH indicates receipt of a context establishment token
+      specifying a mechanism unsupported by the local system or with
+      the caller's active credentials.
+
+
+
+
+
+Linn                        Standards Track                    [Page 42]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_FAILURE indicates that context setup could not be
+      accomplished for reasons unspecified at the GSS-API level, and
+      that no interface-defined recovery action is available.
+
+   The GSS_Accept_sec_context()  routine is used by a context target.
+   Using information in the credentials structure referenced by the
+   input acceptor_cred_handle, it verifies the incoming input_token and
+   (following the successful completion of a context establishment
+   sequence) returns the authenticated src_name and the mech_type used.
+   The returned src_name is guaranteed to be an MN, processed by the
+   mechanism under which the context was established. The
+   acceptor_cred_handle must correspond to the same valid credentials
+   structure on the initial call to GSS_Accept_sec_context() and on any
+   successor calls resulting from GSS_S_CONTINUE_NEEDED status returns;
+   different protocol sequences modeled by the GSS_S_CONTINUE_NEEDED
+   mechanism will require access to credentials at different points in
+   the context establishment sequence.
+
+   The input_context_handle argument is 0, specifying "not yet
+   assigned", on the first GSS_Accept_sec_context()  call relating to a
+   given context.  If successful (i.e., if accompanied by major_status
+   GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and only if successful, the
+   initial GSS_Accept_sec_context() call returns a non-zero
+   output_context_handle for use in future references to this context.
+   Once a non-zero output_context_handle has been returned, GSS-API
+   callers should call GSS_Delete_sec_context() to release context-
+   related resources if errors occur in later phases of context
+   establishment, or when an established context is no longer required.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The returned state results (deleg_state, mutual_state,
+   replay_det_state, sequence_state, anon_state, trans_state, and
+   prot_ready_state) reflect the same information as described for
+   GSS_Init_sec_context(), and their values are significant under the
+   same return state conditions.
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 43]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+   input to GSS_Wrap()  can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_GetMIC()  or GSS_Wrap())
+   on the established context.  These values are significant under the
+   same return state conditions as described under
+   GSS_Init_sec_context().
+
+   The lifetime_rec return value is significant only in conjunction with
+   GSS_S_COMPLETE major_status, and indicates the length of time for
+   which the context will be valid, expressed as an offset from the
+   present.
+
+   The mech_type return value indicates the specific mechanism employed
+   on the context, is valid only along with major_status GSS_S_COMPLETE,
+   and will never indicate the value for "default".
+
+   The delegated_cred_handle result is significant only when deleg_state
+   is TRUE, and provides a means for the target to reference the
+   delegated credentials. The output_token result, when non-NULL,
+   provides a context-level token to be returned to the context
+   initiator to continue a multi-step context establishment sequence. As
+   noted with GSS_Init_sec_context(),  any returned token should be
+   transferred to the context's peer (in this case, the context
+   initiator), independent of the value of the accompanying returned
+   major_status.
+
+   Note: A target must be able to distinguish a context-level
+   input_token, which is passed to GSS_Accept_sec_context(),  from the
+   per-message data elements passed to GSS_VerifyMIC()  or GSS_Unwrap().
+   These data elements may arrive in a single application message, and
+   GSS_Accept_sec_context()  must be performed before per-message
+   processing can be performed successfully.
+
+2.2.3: GSS_Delete_sec_context call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 44]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  output_context_token OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the context was recognized, and that
+      relevant context-specific information was flushed.  If the caller
+      provides a non-null buffer to receive an output_context_token, and
+      the mechanism returns a non-NULL token into that buffer, the
+      returned output_context_token is ready for transfer to the
+      context's peer.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided, so no deletion was
+      performed.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the GSS_Delete_sec_context()  operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   This call may block pending network interactions for mech_types in
+   which active notification must be made to a central server when a
+   security context is to be deleted.
+
+   This call can be made by either peer in a security context, to flush
+   context-specific information.  If a non-null output_context_token
+   parameter is provided by the caller, an output_context_token may be
+   returned to the caller.  If an output_context_token is provided to
+   the caller, it can be passed to the context's peer to inform the
+   peer's GSS-API implementation that the peer's corresponding context
+   information can also be flushed. (Once a context is established, the
+   peers involved are expected to retain cached credential and context-
+   related information until the information's expiration time is
+   reached or until a GSS_Delete_sec_context() call is made.)
+
+   The facility for context_token usage to signal context deletion is
+   retained for compatibility with GSS-API Version 1.  For current
+   usage, it is recommended that both peers to a context invoke
+   GSS_Delete_sec_context() independently, passing a null
+   output_context_token buffer to indicate that no context_token is
+   required.  Implementations of GSS_Delete_sec_context() should delete
+   relevant locally-stored context information.
+
+   Attempts to perform per-message processing on a deleted context will
+   result in error returns.
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 45]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.2.4:  GSS_Process_context_token call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  input_context_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_context_token was
+      successfully processed in conjunction with the context
+      referenced by context_handle.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks
+      performed on the received context_token failed, preventing
+      further processing from being performed with that token.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the GSS_Process_context_token()  operation could not be
+      performed for reasons unspecified at the GSS-API level.
+
+   This call is used to process context_tokens received from a peer once
+   a context has been established, with corresponding impact on
+   context-level state information. One use for this facility is
+   processing of the context_tokens generated by
+   GSS_Delete_sec_context();  GSS_Process_context_token() will not block
+   pending network interactions for that purpose. Another use is to
+   process tokens indicating remote-peer context establishment failures
+   after the point where the local GSS-API implementation has already
+   indicated GSS_S_COMPLETE status.
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 46]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.2.5:  GSS_Context_time call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  lifetime_rec INTEGER - in seconds, or reserved value for
+      INDEFINITE
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context is valid,
+      and will remain valid for the amount of time indicated in
+      lifetime_rec.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that data items related to the
+      referenced context have expired.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the context is
+      recognized, but that its associated credentials have expired.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+       reasons unspecified at the GSS-API level.
+
+   This call is used to determine the amount of time for which a
+   currently established context will remain valid.
+
+2.2.6:   GSS_Inquire_context call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 47]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  src_name INTERNAL NAME,  -- name of context initiator,
+                               -- guaranteed to be MN
+
+   o  targ_name INTERNAL NAME,  -- name of context target,
+                                -- guaranteed to be MN
+
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+      INDEFINITE,
+
+   o  mech_type OBJECT IDENTIFIER, -- the mechanism supporting this
+      security context
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN,
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  locally_initiated BOOLEAN, -- TRUE if initiator, FALSE if acceptor
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context is valid
+      and that src_name, targ_name, lifetime_rec, mech_type, deleg_state,
+      mutual_state, replay_det_state, sequence_state, anon_state,
+      trans_state, prot_ready_state, conf_avail, integ_avail, and
+      locally_initiated return values describe the corresponding
+      characteristics of the context.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that the provided input
+      context_handle is recognized, but that the referenced context
+      has expired.  Return values other than major_status and
+      minor_status are undefined.
+
+
+
+
+
+Linn                        Standards Track                    [Page 48]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided. Return values other than
+      major_status and minor_status are undefined.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+     reasons unspecified at the GSS-API level. Return values other than
+         major_status and minor_status are undefined.
+
+   This call is used to extract information describing characteristics
+   of a security context.
+
+2.2.7:   GSS_Wrap_size_limit call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  qop INTEGER,
+
+   o  output_size INTEGER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  max_input_size INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates a successful token size determination:
+   an input message with a length in octets equal to the
+   returned max_input_size value will, when passed to GSS_Wrap()
+   for processing on the context identified by the context_handle
+   parameter and with the quality of protection specifier provided
+   in the qop parameter, yield an output token no larger than the
+   value of the provided output_size parameter.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that the provided input
+   context_handle is recognized, but that the referenced context
+   has expired.  Return values other than major_status and
+   minor_status are undefined.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided. Return values other than
+   major_status and minor_status are undefined.
+
+
+
+
+Linn                        Standards Track                    [Page 49]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+   recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call is used to determine the largest input datum which may be
+   passed to GSS_Wrap() without yielding an output token larger than a
+   caller-specified value.
+
+2.2.8:   GSS_Export_sec_context call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  interprocess_token OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context has been
+   successfully exported to a representation in the interprocess_token,
+   and is no longer available for use by the caller.
+
+   o  GSS_S_UNAVAILABLE indicates that the context export facility
+   is not available for use on the referenced context.  (This status
+   should occur only for contexts for which the trans_state value is
+   FALSE.) Return values other than major_status and minor_status are
+   undefined.
+
+   o GSS_S_CONTEXT_EXPIRED indicates that the provided input
+   context_handle is recognized, but that the referenced context has
+   expired.  Return values other than major_status and minor_status are
+   undefined.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided. Return values other than
+   major_status and minor_status are undefined.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 50]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call generates an interprocess token for transfer to another
+   process within an end system, in order to transfer control of a
+   security context to that process.  The recipient of the interprocess
+   token will call GSS_Import_sec_context() to accept the transfer.  The
+   GSS_Export_sec_context() operation is defined for use only with
+   security contexts which are fully and successfully established (i.e.,
+   those for which GSS_Init_sec_context() and GSS_Accept_sec_context()
+   have returned GSS_S_COMPLETE major_status).
+
+   To ensure portability, a caller of GSS_Export_sec_context() must not
+   assume that a context may continue to be used once it has been
+   exported; following export, the context referenced by the
+   context_handle cannot be assumed to remain valid.  Further, portable
+   callers must not assume that a given interprocess token can be
+   imported by GSS_Import_sec_context() more than once, thereby creating
+   multiple instantiations of a single context.  GSS-API implementations
+   may detect and reject attempted multiple imports, but are not
+   required to do so.
+
+   The internal representation contained within the interprocess token
+   is an implementation-defined local matter.  Interprocess tokens
+   cannot be assumed to be transferable across different GSS-API
+   implementations.
+
+   It is recommended that GSS-API implementations adopt policies suited
+   to their operational environments in order to define the set of
+   processes eligible to import a context, but specific constraints in
+   this area are local matters.  Candidate examples include transfers
+   between processes operating on behalf of the same user identity, or
+   processes comprising a common job.  However, it may be impossible to
+   enforce such policies in some implementations.
+
+   In support of the above goals, implementations may protect the
+   transferred context data by using cryptography to protect data within
+   the interprocess token, or by using interprocess tokens as a means to
+   reference local interprocess communication facilities (protected by
+   other means) rather than storing the context data directly within the
+   tokens.
+
+   Transfer of an open context may, for certain mechanisms and
+   implementations, reveal data about the credential which was used to
+   establish the context.  Callers should, therefore, be cautious about
+   the trustworthiness of processes to which they transfer contexts.
+   Although the GSS-API implementation may provide its own set of
+
+
+
+Linn                        Standards Track                    [Page 51]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   protections over the exported context, the caller is responsible for
+   protecting the interprocess token from disclosure, and for taking
+   care that the context is transferred to an appropriate destination
+   process.
+
+2.2.9:   GSS_Import_sec_context call
+
+   Inputs:
+
+   o  interprocess_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  context_handle CONTEXT HANDLE
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the context represented by the
+   input interprocess_token has been successfully transferred to
+   the caller, and is available for future use via the output
+   context_handle.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that the context represented by
+   the input interprocess_token has expired. Return values other
+   than major_status and minor_status are undefined.
+
+   o  GSS_S_NO_CONTEXT indicates that the context represented by the
+   input interprocess_token was invalid. Return values other than
+   major_status and minor_status are undefined.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that the input interprocess_token
+   was defective.  Return values other than major_status and
+   minor_status are undefined.
+
+   o  GSS_S_UNAVAILABLE indicates that the context import facility
+   is not available for use on the referenced context.  Return values
+   other than major_status and minor_status are undefined.
+
+   o  GSS_S_UNAUTHORIZED indicates that the context represented by
+   the input interprocess_token is unauthorized for transfer to the
+   caller. Return values other than major_status and minor_status
+   are undefined.
+
+
+
+
+
+Linn                        Standards Track                    [Page 52]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call processes an interprocess token generated by
+   GSS_Export_sec_context(), making the transferred context available
+   for use by the caller.  After a successful GSS_Import_sec_context()
+   operation, the imported context is available for use by the importing
+   process.
+
+   For further discussion of the security and authorization issues
+   regarding this call, please see the discussion in Section 2.2.8.
+
+2.3:  Per-message calls
+
+   This group of calls is used to perform per-message protection
+   processing on an established security context. None of these calls
+   block pending network interactions. These calls may be invoked by a
+   context's initiator or by the context's target.  The four members of
+   this group should be considered as two pairs; the output from
+   GSS_GetMIC()  is properly input to GSS_VerifyMIC(),  and the output
+   from GSS_Wrap() is properly input to GSS_Unwrap().
+
+   GSS_GetMIC() and GSS_VerifyMIC() support data origin authentication
+   and data integrity services. When GSS_GetMIC()  is invoked on an
+   input message, it yields a per-message token containing data items
+   which allow underlying mechanisms to provide the specified security
+   services. The original message, along with the generated per-message
+   token, is passed to the remote peer; these two data elements are
+   processed by GSS_VerifyMIC(),  which validates the message in
+   conjunction with the separate token.
+
+   GSS_Wrap() and GSS_Unwrap() support caller-requested confidentiality
+   in addition to the data origin authentication and data integrity
+   services offered by GSS_GetMIC()  and GSS_VerifyMIC(). GSS_Wrap()
+   outputs a single data element, encapsulating optionally enciphered
+   user data as well as associated token data items.  The data element
+   output from GSS_Wrap()  is passed to the remote peer and processed by
+   GSS_Unwrap()  at that system. GSS_Unwrap() combines decipherment (as
+   required) with validation of data items related to authentication and
+   integrity.
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 53]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.3.1:  GSS_GetMIC call
+
+   Note: This call is functionally equivalent to the GSS_Sign call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Sign are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  qop_req INTEGER,-0 specifies default QOP
+
+   o  message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  per_msg_token OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that an integrity check, suitable for an
+      established security context, was successfully applied and
+      that the message and corresponding per_msg_token are ready
+      for transmission.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data
+      items have expired, so that the requested operation cannot be
+      performed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the context is recognized,
+      but that its associated credentials have expired, so
+      that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+      recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the requested operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+
+
+Linn                        Standards Track                    [Page 54]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Using the security context referenced by context_handle, apply an
+   integrity check to the input message (along with timestamps and/or
+   other data included in support of mech_type-specific mechanisms) and
+   return the result in per_msg_token. The qop_req parameter,
+   interpretation of which is discussed in Section 1.2.4, allows
+   quality-of-protection control. The caller passes the message and the
+   per_msg_token to the target.
+
+   The GSS_GetMIC()  function completes before the message and
+   per_msg_token is sent to the peer; successful application of
+   GSS_GetMIC()  does not guarantee that a corresponding GSS_VerifyMIC()
+   has been (or can necessarily be) performed successfully when the
+   message arrives at the destination.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.2:  GSS_VerifyMIC call
+
+   Note: This call is functionally equivalent to the GSS_Verify call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Verify are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  message OCTET STRING,
+
+   o  per_msg_token OCTET STRING
+
+   Outputs:
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the message was successfully
+      verified.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 55]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+      on the received per_msg_token failed, preventing
+      further processing from being performed with that token.
+
+   o  GSS_S_BAD_SIG indicates that the received per_msg_token contains
+      an incorrect integrity check for the message.
+
+   o  GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN,
+      and GSS_S_GAP_TOKEN values appear in conjunction with the
+      optional per-message replay detection features described
+      in Section 1.2.3; their semantics are described in that section.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data
+      items have expired, so that the requested operation cannot be
+      performed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the context is
+   recognized,
+      but that its associated credentials have expired, so
+      that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the GSS_VerifyMIC() operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+   Using the security context referenced by context_handle, verify that
+   the input per_msg_token contains an appropriate integrity check for
+   the input message, and apply any active replay detection or
+   sequencing features. Return an indication of the quality-of-
+   protection applied to the processed message in the qop_state result.
+   Since the GSS_VerifyMIC() routine never provides a confidentiality
+   service, its implementations should not return non-zero values in the
+   confidentiality fields of the output qop_state.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.3: GSS_Wrap call
+
+   Note: This call is functionally equivalent to the GSS_Seal call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Seal are deprecated.
+
+
+
+
+Linn                        Standards Track                    [Page 56]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  conf_req_flag BOOLEAN,
+
+   o  qop_req INTEGER,-0 specifies default QOP
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  conf_state BOOLEAN,
+
+   o  output_message OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_message was successfully
+      processed and that the output_message is ready for
+      transmission.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data
+      items have expired, so that the requested operation cannot be
+      performed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the context is
+   recognized,
+      but that its associated credentials have expired, so
+      that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+      recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the GSS_Wrap()  operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+   Performs the data origin authentication and data integrity functions
+   of GSS_GetMIC().  If the input conf_req_flag is TRUE, requests that
+   confidentiality be applied to the input_message.  Confidentiality may
+
+
+
+Linn                        Standards Track                    [Page 57]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   not be supported in all mech_types or by all implementations; the
+   returned conf_state flag indicates whether confidentiality was
+   provided for the input_message. The qop_req parameter, interpretation
+   of which is discussed in Section 1.2.4, allows quality-of-protection
+   control.
+
+   In all cases, the GSS_Wrap()  call yields a single output_message
+   data element containing (optionally enciphered) user data as well as
+   control information.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.4: GSS_Unwrap call
+
+   Note: This call is functionally equivalent to the GSS_Unseal call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Unseal are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  conf_state BOOLEAN,
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_message OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_message was
+      successfully processed and that the resulting output_message is
+      available.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+      on the per_msg_token extracted from the input_message
+      failed, preventing further processing from being performed.
+
+
+
+Linn                        Standards Track                    [Page 58]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_SIG indicates that an incorrect integrity check was
+   detected
+      for the message.
+
+   o  GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN,
+      and GSS_S_GAP_TOKEN values appear in conjunction with the
+      optional per-message replay detection features described
+      in Section 1.2.3; their semantics are described in that section.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data
+      items have expired, so that the requested operation cannot be
+      performed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the context is
+   recognized,
+      but that its associated credentials have expired, so
+      that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+      for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but
+      that the GSS_Unwrap()  operation could not be performed for
+      reasons unspecified at the GSS-API level.
+
+   Processes a data element generated (and optionally enciphered) by
+   GSS_Wrap(),  provided as input_message. The returned conf_state value
+   indicates whether confidentiality was applied to the input_message.
+   If conf_state is TRUE, GSS_Unwrap()  deciphers the input_message.
+   Returns an indication of the quality-of-protection applied to the
+   processed message in the qop_state result. GSS_Wrap()  performs the
+   data integrity and data origin authentication checking functions of
+   GSS_VerifyMIC()  on the plaintext data. Plaintext data is returned in
+   output_message.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.4:  Support calls
+
+   This group of calls provides support functions useful to GSS-API
+   callers, independent of the state of established contexts. Their
+   characterization with regard to blocking or non-blocking status in
+   terms of network interactions is unspecified.
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 59]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.4.1:  GSS_Display_status call
+
+   Inputs:
+
+   o  status_value INTEGER,-GSS-API major_status or minor_status
+      return value
+
+   o  status_type INTEGER,-1 if major_status, 2 if minor_status
+
+   o  mech_type OBJECT IDENTIFIER-mech_type to be used for minor_
+      status translation
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  status_string_set SET OF OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid printable status
+      representation (possibly representing more than one status event
+      encoded within the status_value) is available in the returned
+      status_string_set.
+
+   o  GSS_S_BAD_MECH indicates that translation in accordance with an
+      unsupported mech_type was requested, so translation could not
+      be performed.
+
+   o  GSS_S_BAD_STATUS indicates that the input status_value was
+      invalid, or that the input status_type carried a value other
+      than 1 or 2, so translation could not be performed.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Provides a means for callers to translate GSS-API-returned major and
+   minor status codes into printable string representations.
+
+2.4.2:  GSS_Indicate_mechs call
+
+   Input:
+
+   o  (none)
+
+
+
+
+
+Linn                        Standards Track                    [Page 60]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  mech_set SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a set of available mechanisms has
+      been returned in mech_set.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to determine the set of mechanism types available on
+   the local system. This call is intended for support of specialized
+   callers who need to request non-default mech_type sets from
+   GSS_Acquire_cred(),  and should not be needed by other callers.
+
+2.4.3:  GSS_Compare_name call
+
+   Inputs:
+
+   o  name1 INTERNAL NAME,
+
+   o  name2 INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_equal BOOLEAN
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that name1 and name2 were comparable,
+      and that the name_equal result indicates whether name1 and
+      name2 represent the same entity.
+
+   o  GSS_S_BAD_NAMETYPE indicates that one or both of name1 and
+      name2 contained internal type specifiers uninterpretable
+      by the applicable underlying GSS-API mechanism(s), or that
+      the two names' types are different and incomparable, so that
+      the comparison operation could not be completed.
+
+
+
+Linn                        Standards Track                    [Page 61]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_BAD_NAME indicates that one or both of the input names
+      was ill-formed in terms of its internal type specifier, so
+      the comparison operation could not be completed.
+
+   o  GSS_S_FAILURE indicates that the call's operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to compare two internal name representations to
+   determine whether they refer to the same entity.  If either name
+   presented to GSS_Compare_name() denotes an anonymous principal,
+   GSS_Compare_name() shall indicate FALSE.  It is not required that
+   either or both inputs name1 and name2 be MNs; for some
+   implementations and cases, GSS_S_BAD_NAMETYPE may be returned,
+   indicating name incomparability, for the case where neither input
+   name is an MN.
+
+2.4.4:  GSS_Display_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_string OCTET STRING,
+
+   o  name_type OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid printable name
+      representation is available in the returned name_string.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided name was of a
+      type uninterpretable by the applicable underlying GSS-API
+      mechanism(s), so no printable representation could be generated.
+
+   o  GSS_S_BAD_NAME indicates that the contents of the provided name
+      were inconsistent with the internally-indicated name type, so
+      no printable representation could be generated.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+
+
+
+Linn                        Standards Track                    [Page 62]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Allows callers to translate an internal name representation into a
+   printable form with associated namespace type descriptor. The syntax
+   of the printable form is a local matter.
+
+   If the input name represents an anonymous identity, a reserved value
+   (GSS_C_NT_ANONYMOUS) shall be returned for name_type.
+
+2.4.5:  GSS_Import_name call
+
+   Inputs:
+
+   o  input_name_string OCTET STRING,
+
+   o  input_name_type OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_name INTERNAL NAME
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid name representation is
+      output in output_name and described by the type value in
+      output_name_type.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input_name_type is unsupported
+      by the applicable underlying GSS-API mechanism(s), so the import
+      operation could not be completed.
+
+   o  GSS_S_BAD_NAME indicates that the provided input_name_string
+      is ill-formed in terms of the input_name_type, so the import
+      operation could not be completed.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to provide a name representation as a contiguous octet
+   string, designate the type of namespace in conjunction with which it
+   should be parsed, and convert that representation to an internal form
+   suitable for input to other GSS-API routines.  The syntax of the
+   input_name_string is defined in conjunction with its associated name
+   type; depending on the input_name_type, the associated
+   input_name_string may or may not be a printable string. Note: The
+   input_name_type argument serves to describe and qualify the
+
+
+
+Linn                        Standards Track                    [Page 63]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   interpretation of the associated input_name_string; it does not
+   specify the data type of the returned output_name.
+
+   If a mechanism claims support for a particular name type, its
+   GSS_Import_name() operation shall be able to accept all possible
+   values conformant to the external name syntax as defined for that
+   name type.  These imported values may correspond to:
+
+      (1) locally registered entities (for which credentials may be
+      acquired),
+
+      (2) non-local entities (for which local credentials cannot be
+      acquired, but which may be referenced as targets of initiated
+      security contexts or initiators of accepted security contexts), or
+      to
+
+      (3) neither of the above.
+
+   Determination of whether a particular name belongs to class (1), (2),
+   or (3) as described above is not guaranteed to be performed by the
+   GSS_Import_name() function.
+
+   The internal name generated by a GSS_Import_name() operation may be a
+   single-mechanism MN, and is likely to be an MN within a single-
+   mechanism implementation, but portable callers must not depend on
+   this property (and must not, therefore, assume that the output from
+   GSS_Import_name() can be passed directly to GSS_Export_name() without
+   first being processed through GSS_Canonicalize_name()).
+
+2.4.6: GSS_Release_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+      input name was successfully released.
+
+   o  GSS_S_BAD_NAME indicates that the input name argument did not
+      contain a valid name.
+
+
+
+Linn                        Standards Track                    [Page 64]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an internal
+   name representation.  This call's specific behavior depends on the
+   language and programming environment within which a GSS-API
+   implementation operates, and is therefore detailed within applicable
+   bindings specifications; in particular, this call may be superfluous
+   within bindings where memory management is automatic.
+
+2.4.7: GSS_Release_buffer call
+
+   Inputs:
+
+   o  buffer OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+      input buffer was successfully released.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an OCTET STRING
+   buffer allocated by another GSS-API call.  This call's specific
+   behavior depends on the language and programming environment within
+   which a GSS-API implementation operates, and is therefore detailed
+   within applicable bindings specifications; in particular, this call
+   may be superfluous within bindings where memory management is
+   automatic.
+
+2.4.8: GSS_Release_OID_set call
+
+   Inputs:
+
+   o  buffer SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 65]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+      input object identifier set was successfully released.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an object
+   identifier set object allocated by another GSS-API call.  This call's
+   specific behavior depends on the language and programming environment
+   within which a GSS-API implementation operates, and is therefore
+   detailed within applicable bindings specifications; in particular,
+   this call may be superfluous within bindings where memory management
+   is automatic.
+
+2.4.9: GSS_Create_empty_OID_set call
+
+   Inputs:
+
+   o  (none)
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  oid_set SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   Creates an object identifier set containing no object identifiers, to
+   which members may be subsequently added using the
+   GSS_Add_OID_set_member() routine.  These routines are intended to be
+   used to construct sets of mechanism object identifiers, for input to
+   GSS_Acquire_cred().
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 66]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+2.4.10: GSS_Add_OID_set_member call
+
+   Inputs:
+
+   o  member_oid OBJECT IDENTIFIER,
+
+   o  oid_set SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   Adds an Object Identifier to an Object Identifier set.  This routine
+   is intended for use in conjunction with GSS_Create_empty_OID_set()
+   when constructing a set of mechanism OIDs for input to
+   GSS_Acquire_cred().
+
+2.4.11: GSS_Test_OID_set_member call
+
+   Inputs:
+
+   o  member OBJECT IDENTIFIER,
+
+   o  set SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  present BOOLEAN
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+
+
+
+
+Linn                        Standards Track                    [Page 67]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Interrogates an Object Identifier set to determine whether a
+   specified Object Identifier is a member.  This routine is intended to
+   be used with OID sets returned by GSS_Indicate_mechs(),
+   GSS_Acquire_cred(), and GSS_Inquire_cred().
+
+2.4.12: GSS_Release_OID call
+
+   Inputs:
+
+   o  oid OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   Allows the caller to release the storage associated with an OBJECT
+   IDENTIFIER buffer allocated by another GSS-API call. This call's
+   specific behavior depends on the language and programming environment
+   within which a GSS-API implementation operates, and is therefore
+   detailed within applicable bindings specifications; in particular,
+   this call may be superfluous within bindings where memory management
+   is automatic.
+
+2.4.13: GSS_OID_to_str call
+
+   Inputs:
+
+   o  oid OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  oid_str OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+
+
+Linn                        Standards Track                    [Page 68]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   The function GSS_OID_to_str() returns a string representing the input
+   OID in numeric ASN.1 syntax format (curly-brace enclosed, space-
+   delimited, e.g., "{2 16 840 1 113687 1 2 1}"). The string is
+   releasable using GSS_Release_buffer(). If the input "oid" does not
+   represent a syntactically valid object identifier, GSS_S_FAILURE
+   status is returned and the returned oid_str result is NULL.
+
+2.4.14: GSS_Str_to_OID call
+
+   Inputs:
+
+   o  oid_str OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  oid OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   The function GSS_Str_to_OID() constructs and returns an OID from its
+   printable form; implementations should be able to accept the numeric
+   ASN.1 syntax form as described for GSS_OID_to_str(), and this form
+   should be used for portability, but implementations of this routine
+   may also accept other formats (e.g., "1.2.3.3"). The OID is suitable
+   for release using the function GSS_Release_OID(). If the input
+   oid_str cannot be translated into an OID, GSS_S_FAILURE status is
+   returned and the "oid" result is NULL.
+
+2.4.15:  GSS_Inquire_names_for_mech call
+
+   Input:
+
+   o  input_mech_type OBJECT IDENTIFIER, -- mechanism type
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 69]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   o  minor_status INTEGER,
+
+   o  name_type_set SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the output name_type_set contains
+      a list of name types which are supported by the locally available
+      mechanism identified by input_mech_type.
+
+   o  GSS_S_BAD_MECH indicates that the mechanism identified by
+      input_mech_type was unsupported within the local implementation,
+      causing the query to fail.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to determine the set of name types which are
+   supportable by a specific locally-available mechanism.
+
+2.4.16: GSS_Inquire_mechs_for_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  mech_types SET OF OBJECT IDENTIFIER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a set of object identifiers,
+      corresponding to the set of mechanisms suitable for processing
+      the input_name, is available in mech_types.
+
+   o  GSS_S_BAD_NAME indicates that the input_name could not be
+      processed.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the type of the input_name
+      is unsupported by the GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+
+
+Linn                        Standards Track                    [Page 70]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   This routine returns the mechanism set with which the input_name may
+   be processed.  After use, the mech_types object should be freed by
+   the caller via the GSS_Release_OID_set() call.  Note: it is
+   anticipated that implementations of GSS_Inquire_mechs_for_name() will
+   commonly operate based on type information describing the
+   capabilities of available mechanisms; it is not guaranteed that all
+   identified mechanisms will necessarily be able to canonicalize (via
+   GSS_Canonicalize_name()) a particular name.
+
+2.4.17: GSS_Canonicalize_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER  -- must be explicit mechanism,
+                                      not "default" specifier
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_name INTERNAL NAME
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a mechanism-specific reduction of
+      the input_name, as processed by the mechanism identified by
+      mech_type, is available in output_name.
+
+   o  GSS_S_BAD_MECH indicates that the identified mechanism is
+      unsupported.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input name does not
+      contain an element with suitable type for processing by the
+      identified mechanism.
+
+   o  GSS_S_BAD_NAME indicates that the input name contains an
+      element with suitable type for processing by the identified
+      mechanism, but that this element could not be processed
+      successfully.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+
+
+
+
+Linn                        Standards Track                    [Page 71]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   This routine reduces a GSS-API internal name, which may in general
+   contain elements corresponding to multiple mechanisms, to a
+   mechanism-specific Mechanism Name (MN) by applying the translations
+   corresponding to the mechanism identified by mech_type.
+
+2.4.18: GSS_Export_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME, -- required to be MN
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_name OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a flat representation of the
+      input name is available in output_name.
+
+   o  GSS_S_NAME_NOT_MN indicates that the input name contained
+      elements corresponding to multiple mechanisms, so cannot
+      be exported into a single-mechanism flat form.
+
+   o  GSS_S_BAD_NAME indicates that the input name was an MN,
+      but could not be processed.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input name was an MN,
+      but that its type is unsupported by the GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   This routine creates a flat name representation, suitable for
+   bytewise comparison or for input to GSS_Import_name() in conjunction
+   with the reserved GSS-API Exported Name Object OID, from a internal-
+   form Mechanism Name (MN) as emitted, e.g., by GSS_Canonicalize_name()
+   or GSS_Accept_sec_context().
+
+   The emitted GSS-API Exported Name Object is self-describing; no
+   associated parameter-level OID need be emitted by this call.  This
+   flat representation consists of a mechanism-independent wrapper
+   layer, defined in Section 3.2 of this document, enclosing a
+   mechanism-defined name representation.
+
+
+
+Linn                        Standards Track                    [Page 72]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   In all cases, the flat name output by GSS_Export_name() to correspond
+   to a particular input MN must be invariant over time within a
+   particular installation.
+
+   The GSS_S_NAME_NOT_MN status code is provided to enable
+   implementations to reject input names which are not MNs.  It is not,
+   however, required for purposes of conformance to this specification
+   that all non-MN input names must necessarily be rejected.
+
+2.4.19: GSS_Duplicate_name call
+
+   Inputs:
+
+   o  src_name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  dest_name INTERNAL NAME
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that dest_name references an internal
+      name object containing the same name as passed to src_name.
+
+   o  GSS_S_BAD_NAME indicates that the input name was invalid.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input name's type
+      is unsupported by the GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not
+      be performed for reasons unspecified at the GSS-API level.
+
+   This routine takes input internal name src_name, and returns another
+   reference (dest_name) to that name which can be used even if src_name
+   is later freed.  (Note: This may be implemented by copying or through
+   use of reference counts.)
+
+3: Data Structure Definitions for GSS-V2 Usage
+
+   Subsections of this section define, for interoperability and
+   portability purposes, certain data structures for use with GSS-V2.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 73]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+3.1: Mechanism-Independent Token Format
+
+   This section specifies a mechanism-independent level of encapsulating
+   representation for the initial token of a GSS-API context
+   establishment sequence, incorporating an identifier of the mechanism
+   type to be used on that context and enabling tokens to be interpreted
+   unambiguously at GSS-API peers. Use of this format is required for
+   initial context establishment tokens of Internet standards-track
+   GSS-API mechanisms; use in non-initial tokens is optional.
+
+   The encoding format for the token tag is derived from ASN.1 and DER
+   (per illustrative ASN.1 syntax included later within this
+   subsection), but its concrete representation is defined directly in
+   terms of octets rather than at the ASN.1 level in order to facilitate
+   interoperable implementation without use of general ASN.1 processing
+   code.  The token tag consists of the following elements, in order:
+
+      1. 0x60 -- Tag for [APPLICATION 0] SEQUENCE; indicates that
+      constructed form, definite length encoding follows.
+
+      2. Token length octets, specifying length of subsequent data
+      (i.e., the summed lengths of elements 3-5 in this list, and of the
+      mechanism-defined token object following the tag).  This element
+      comprises a variable number of octets:
+
+      2a. If the indicated value is less than 128, it shall be
+      represented in a single octet with bit 8 (high order) set to "0"
+      and the remaining bits representing the value.
+
+      2b. If the indicated value is 128 or more, it shall be represented
+      in two or more octets, with bit 8 of the first octet set to "1"
+      and the remaining bits of the first octet specifying the number of
+      additional octets.  The subsequent octets carry the value, 8 bits
+      per octet, most significant digit first.  The minimum number of
+      octets shall be used to encode the length (i.e., no octets
+      representing leading zeros shall be included within the length
+      encoding).
+
+      3. 0x06 -- Tag for OBJECT IDENTIFIER
+
+      4. Object identifier length -- length (number of octets) of the
+      encoded object identifier contained in element 5, encoded per
+      rules as described in 2a. and 2b. above.
+
+      5. Object identifier octets -- variable number of octets, encoded
+      per ASN.1 BER rules:
+
+
+
+
+
+Linn                        Standards Track                    [Page 74]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+      5a. The first octet contains the sum of two values: (1) the top-
+      level object identifier component, multiplied by 40 (decimal), and
+      (2) the second-level object identifier component.  This special
+      case is the only point within an object identifier encoding where
+      a single octet represents contents of more than one component.
+
+      5b. Subsequent octets, if required, encode successively-lower
+      components in the represented object identifier.  A component's
+      encoding may span multiple octets, encoding 7 bits per octet (most
+      significant bits first) and with bit 8 set to "1" on all but the
+      final octet in the component's encoding.  The minimum number of
+      octets shall be used to encode each component (i.e., no octets
+      representing leading zeros shall be included within a component's
+      encoding).
+
+      (Note: In many implementations, elements 3-5 may be stored and
+      referenced as a contiguous string constant.)
+
+   The token tag is immediately followed by a mechanism-defined token
+   object.  Note that no independent size specifier intervenes following
+   the object identifier value to indicate the size of the mechanism-
+   defined token object.  While ASN.1 usage within mechanism-defined
+   tokens is permitted, there is no requirement that the mechanism-
+   specific innerContextToken, innerMsgToken, and sealedUserData data
+   elements must employ ASN.1 BER/DER encoding conventions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 75]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   The following ASN.1 syntax is included for descriptive purposes only,
+   to illustrate structural relationships among token and tag objects.
+   For interoperability purposes, token and tag encoding shall be
+   performed using the concrete encoding procedures described earlier in
+   this subsection.
+
+       GSS-API DEFINITIONS ::=
+
+       BEGIN
+
+       MechType ::= OBJECT IDENTIFIER
+       -- data structure definitions
+
+       -- callers must be able to distinguish among
+       -- InitialContextToken, SubsequentContextToken,
+       -- PerMsgToken, and SealedMessage data elements
+       -- based on the usage in which they occur
+
+       InitialContextToken ::=
+       -- option indication (delegation, etc.) indicated within
+       -- mechanism-specific token
+       [APPLICATION 0] IMPLICIT SEQUENCE {
+               thisMech MechType,
+               innerContextToken ANY DEFINED BY thisMech
+                  -- contents mechanism-specific
+                  -- ASN.1 structure not required
+               }
+
+       SubsequentContextToken ::= innerContextToken ANY
+       -- interpretation based on predecessor InitialContextToken
+       -- ASN.1 structure not required
+
+       PerMsgToken ::=
+       -- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC
+       -- ASN.1 structure not required
+               innerMsgToken ANY
+
+       SealedMessage ::=
+       -- as emitted by GSS_Wrap and processed by GSS_Unwrap
+       -- includes internal, mechanism-defined indicator
+       -- of whether or not encrypted
+       -- ASN.1 structure not required
+               sealedUserData ANY
+
+       END
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 76]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+3.2: Mechanism-Independent Exported Name Object Format
+
+   This section specifies a mechanism-independent level of encapsulating
+   representation for names exported via the GSS_Export_name() call,
+   including an object identifier representing the exporting mechanism.
+   The format of names encapsulated via this representation shall be
+   defined within individual mechanism drafts.  Name objects of this
+   type will be identified with the following Object Identifier:
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   4(gss-api-exported-name)}
+
+   No name type OID is included in this mechanism-independent level of
+   format definition, since (depending on individual mechanism
+   specifications) the enclosed name may be implicitly typed or may be
+   explicitly typed using a means other than OID encoding.
+
+        Length    Name          Description
+
+        2               TOK_ID          Token Identifier
+                                        For exported name objects, this
+                                        must be hex 04 01.
+        2               MECH_OID_LEN    Length of the Mechanism OID
+        MECH_OID_LEN    MECH_OID        Mechanism OID, in DER
+        4               NAME_LEN        Length of name
+        NAME_LEN        NAME            Exported name; format defined in
+                                        applicable mechanism draft.
+
+4: Name Type Definitions
+
+   This section includes definitions for name types and associated
+   syntaxes which are defined in a mechanism-independent fashion at the
+   GSS-API level rather than being defined in individual mechanism
+   specifications.
+
+4.1: Host-Based Service Name Form
+
+   The following Object Identifier value is provided as a means to
+   identify this name form:
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   2(gss-host-based-services)}
+
+   The recommended symbolic name for this type is
+   "GSS_C_NT_HOSTBASED_SERVICE".
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 77]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   This name type is used to represent services associated with host
+   computers.  This name form is constructed using two elements,
+   "service" and "hostname", as follows:
+
+                             service@hostname
+
+   When a reference to a name of this type is resolved, the "hostname"
+   is canonicalized by attempting a DNS lookup and using the fully-
+   qualified domain name which is returned, or by using the "hostname"
+   as provided if the DNS lookup fails.  The canonicalization operation
+   also maps the host's name into lower-case characters.
+
+   The "hostname" element may be omitted. If no "@" separator is
+   included, the entire name is interpreted as the service specifier,
+   with the "hostname" defaulted to the canonicalized name of the local
+   host.
+
+   Values for the "service" element are registered with the IANA.
+
+4.2: User Name Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) user_name(1)}. The recommended mechanism-independent
+   symbolic name for this type is "GSS_C_NT_USER_NAME". (Note: the same
+   name form and OID is defined within the Kerberos V5 GSS-API
+   mechanism, but the symbolic name recommended there begins with a
+   "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a named user on a local system.
+   Its interpretation is OS-specific.  This name form is constructed as:
+
+                                 username
+
+4.3: Machine UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) machine_uid_name(2)}.  The recommended mechanism-
+   independent symbolic name for this type is
+   "GSS_C_NT_MACHINE_UID_NAME".  (Note: the same name form and OID is
+   defined within the Kerberos V5 GSS-API mechanism, but the symbolic
+   name recommended there begins with a "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a numeric user identifier
+   corresponding to a user on a local system.  Its interpretation is
+   OS-specific.  The gss_buffer_desc representing a name of this type
+   should contain a locally-significant uid_t, represented in host byte
+
+
+
+Linn                        Standards Track                    [Page 78]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   order.  The GSS_Import_name() operation resolves this uid into a
+   username, which is then treated as the User Name Form.
+
+4.4: String UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) string_uid_name(3)}.  The recommended symbolic name for
+   this type is "GSS_C_NT_STRING_UID_NAME".  (Note: the same name form
+   and OID is defined within the Kerberos V5 GSS-API mechanism, but the
+   symbolic name recommended there begins with a "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a string of digits representing
+   the numeric user identifier of a user on a local system.  Its
+   interpretation is OS-specific. This name type is similar to the
+   Machine UID Form, except that the buffer contains a string
+   representing the uid_t.
+
+5:  Mechanism-Specific Example Scenarios
+
+   This section provides illustrative overviews of the use of various
+   candidate mechanism types to support the GSS-API. These discussions
+   are intended primarily for readers familiar with specific security
+   technologies, demonstrating how GSS-API functions can be used and
+   implemented by candidate underlying mechanisms. They should not be
+   regarded as constrictive to implementations or as defining the only
+   means through which GSS-API functions can be realized with a
+   particular underlying technology, and do not demonstrate all GSS-API
+   features with each technology.
+
+5.1: Kerberos V5, single-TGT
+
+   OS-specific login functions yield a TGT to the local realm Kerberos
+   server; TGT is placed in a credentials structure for the client.
+   Client calls GSS_Acquire_cred()  to acquire a cred_handle in order to
+   reference the credentials for use in establishing security contexts.
+
+   Client calls GSS_Init_sec_context().  If the requested service is
+   located in a different realm, GSS_Init_sec_context()  gets the
+   necessary TGT/key pairs needed to traverse the path from local to
+   target realm; these data are placed in the owner's TGT cache. After
+   any needed remote realm resolution, GSS_Init_sec_context()  yields a
+   service ticket to the requested service with a corresponding session
+   key; these data are stored in conjunction with the context. GSS-API
+   code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP
+   response(s) (in the successful case) or KRB_ERROR.
+
+
+
+
+
+Linn                        Standards Track                    [Page 79]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   Assuming success, GSS_Init_sec_context()  builds a Kerberos-formatted
+   KRB_AP_REQ message, and returns it in output_token.  The client sends
+   the output_token to the service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which verifies the authenticator, provides
+   the service with the client's authenticated name, and returns an
+   output_context_handle.
+
+   Both parties now hold the session key associated with the service
+   ticket, and can use this key in subsequent GSS_GetMIC(),
+   GSS_VerifyMIC(),  GSS_Wrap(), and GSS_Unwrap() operations.
+
+5.2: Kerberos V5, double-TGT
+
+   TGT acquisition as above.
+
+   Note: To avoid unnecessary frequent invocations of error paths when
+   implementing the GSS-API atop Kerberos V5, it seems appropriate to
+   represent "single-TGT K-V5" and "double-TGT K-V5" with separate
+   mech_types, and this discussion makes that assumption.
+
+   Based on the (specified or defaulted) mech_type,
+   GSS_Init_sec_context()  determines that the double-TGT protocol
+   should be employed for the specified target. GSS_Init_sec_context()
+   returns GSS_S_CONTINUE_NEEDED major_status, and its returned
+   output_token contains a request to the service for the service's TGT.
+   (If a service TGT with suitably long remaining lifetime already
+   exists in a cache, it may be usable, obviating the need for this
+   step.) The client passes the output_token to the service.  Note: this
+   scenario illustrates a different use for the GSS_S_CONTINUE_NEEDED
+   status return facility than for support of mutual authentication;
+   note that both uses can coexist as successive operations within a
+   single context establishment operation.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which recognizes it as a request for TGT.
+   (Note that current Kerberos V5 defines no intra-protocol mechanism to
+   represent such a request.) GSS_Accept_sec_context()  returns
+   GSS_S_CONTINUE_NEEDED major_status and provides the service's TGT in
+   its output_token. The service sends the output_token to the client.
+
+   The client passes the received token as the input_token argument to a
+   continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches
+   the received service TGT and uses it as part of a service ticket
+   request to the Kerberos authentication server, storing the returned
+   service ticket and session key in conjunction with the context.
+   GSS_Init_sec_context()  builds a Kerberos-formatted authenticator,
+
+
+
+Linn                        Standards Track                    [Page 80]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   and returns it in output_token along with GSS_S_COMPLETE return
+   major_status. The client sends the output_token to the service.
+
+   Service passes the received token as the input_token argument to a
+   continuation call to GSS_Accept_sec_context().
+   GSS_Accept_sec_context()  verifies the authenticator, provides the
+   service with the client's authenticated name, and returns
+   major_status GSS_S_COMPLETE.
+
+   GSS_GetMIC(),  GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap()  as
+   above.
+
+5.3:  X.509 Authentication Framework
+
+   This example illustrates use of the GSS-API in conjunction with
+   public-key mechanisms, consistent with the X.509 Directory
+   Authentication Framework.
+
+   The GSS_Acquire_cred()  call establishes a credentials structure,
+   making the client's private key accessible for use on behalf of the
+   client.
+
+   The client calls GSS_Init_sec_context(),  which interrogates the
+   Directory to acquire (and validate) a chain of public-key
+   certificates, thereby collecting the public key of the service.  The
+   certificate validation operation determines that suitable integrity
+   checks were applied by trusted authorities and that those
+   certificates have not expired. GSS_Init_sec_context()  generates a
+   secret key for use in per-message protection operations on the
+   context, and enciphers that secret key under the service's public
+   key.
+
+   The enciphered secret key, along with an authenticator quantity
+   signed with the client's private key, is included in the output_token
+   from GSS_Init_sec_context().  The output_token also carries a
+   certification path, consisting of a certificate chain leading from
+   the service to the client; a variant approach would defer this path
+   resolution to be performed by the service instead of being asserted
+   by the client. The client application sends the output_token to the
+   service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context().  GSS_Accept_sec_context() validates the
+   certification path, and as a result determines a certified binding
+   between the client's distinguished name and the client's public key.
+   Given that public key, GSS_Accept_sec_context() can process the
+   input_token's authenticator quantity and verify that the client's
+   private key was used to sign the input_token. At this point, the
+
+
+
+Linn                        Standards Track                    [Page 81]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   client is authenticated to the service. The service uses its private
+   key to decipher the enciphered secret key provided to it for per-
+   message protection operations on the context.
+
+   The client calls GSS_GetMIC()  or GSS_Wrap() on a data message, which
+   causes per-message authentication, integrity, and (optional)
+   confidentiality facilities to be applied to that message. The service
+   uses the context's shared secret key to perform corresponding
+   GSS_VerifyMIC()  and GSS_Unwrap() calls.
+
+6:  Security Considerations
+
+   Security issues are discussed throughout this memo.
+
+7:  Related Activities
+
+   In order to implement the GSS-API atop existing, emerging, and future
+   security mechanisms:
+
+      object identifiers must be assigned to candidate GSS-API
+      mechanisms and the name types which they support
+
+      concrete data element formats and processing procedures must be
+      defined for candidate mechanisms
+
+   Calling applications must implement formatting conventions which will
+   enable them to distinguish GSS-API tokens from other data carried in
+   their application protocols.
+
+   Concrete language bindings are required for the programming
+   environments in which the GSS-API is to be employed, as RFC-1509
+   defines for the C programming language and GSS-V1.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 82]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+APPENDIX A
+
+MECHANISM DESIGN CONSTRAINTS
+
+   The following constraints on GSS-API mechanism designs are adopted in
+   response to observed caller protocol requirements, and adherence
+   thereto is anticipated in subsequent descriptions of GSS-API
+   mechanisms to be documented in standards-track Internet
+   specifications.
+
+   It is strongly recommended that mechanisms offering per-message
+   protection services also offer at least one of the replay detection
+   and sequencing services, as mechanisms offering neither of the latter
+   will fail to satisfy recognized requirements of certain candidate
+   caller protocols.
+
+APPENDIX B
+
+                         COMPATIBILITY WITH GSS-V1
+
+   It is the intent of this document to define an interface and
+   procedures which preserve compatibility between GSS-V1 (RFC-1508)
+   callers and GSS- V2 providers.  All calls defined in GSS-V1 are
+   preserved, and it has been a goal that GSS-V1 callers should be able
+   to operate atop GSS-V2 provider implementations.  Certain detailed
+   changes, summarized in this section, have been made in order to
+   resolve omissions identified in GSS-V1.
+
+   The following GSS-V1 constructs, while supported within GSS-V2, are
+   deprecated:
+
+      Names for per-message processing routines: GSS_Seal() deprecated
+      in favor of GSS_Wrap(); GSS_Sign() deprecated in favor of
+      GSS_GetMIC(); GSS_Unseal() deprecated in favor of GSS_Unwrap();
+      GSS_Verify() deprecated in favor of GSS_VerifyMIC().
+
+      GSS_Delete_sec_context() facility for context_token usage,
+      allowing mechanisms to signal context deletion, is retained for
+      compatibility with GSS-V1.  For current usage, it is recommended
+      that both peers to a context invoke GSS_Delete_sec_context()
+      independently, passing a null output_context_token buffer to
+      indicate that no context_token is required.  Implementations of
+      GSS_Delete_sec_context() should delete relevant locally-stored
+      context information.
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 83]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   This GSS-V2 specification adds the following calls which are not
+   present in GSS-V1:
+
+      Credential management calls: GSS_Add_cred(),
+      GSS_Inquire_cred_by_mech().
+
+      Context-level calls: GSS_Inquire_context(), GSS_Wrap_size_limit(),
+      GSS_Export_sec_context(), GSS_Import_sec_context().
+
+      Per-message calls: No new calls.  Existing calls have been renamed.
+
+      Support calls: GSS_Create_empty_OID_set(),
+      GSS_Add_OID_set_member(), GSS_Test_OID_set_member(),
+      GSS_Release_OID(), GSS_OID_to_str(), GSS_Str_to_OID(),
+      GSS_Inquire_names_for_mech(), GSS_Inquire_mechs_for_name(),
+      GSS_Canonicalize_name(), GSS_Export_name(), GSS_Duplicate_name().
+
+   This GSS-V2 specification introduces three new facilities applicable
+   to security contexts, indicated using the following context state
+   values which are not present in GSS-V1:
+
+      anon_state, set TRUE to indicate that a context's initiator is
+      anonymous from the viewpoint of the target; Section 1.2.5 of this
+      specification provides a summary description of the GSS-V2
+      anonymity support facility, support and use of which is optional.
+
+      prot_ready_state, set TRUE to indicate that a context may be used
+      for per-message protection before final completion of context
+      establishment; Section 1.2.7 of this specification provides a
+      summary description of the GSS-V2 facility enabling mechanisms to
+      selectively permit per-message protection during context
+      establishment, support and use of which is optional.
+
+      trans_state, set TRUE to indicate that a context is transferable to
+      another process using the GSS-V2 GSS_Export_sec_context() facility.
+
+   These state values are represented (at the C bindings level) in
+   positions within a bit vector which are unused in GSS-V1, and may be
+   safely ignored by GSS-V1 callers.
+
+   Relative to GSS-V1, GSS-V2 provides additional guidance to GSS-API
+   implementors in the following areas: implementation robustness,
+   credential management, behavior in multi-mechanism configurations,
+   naming support, and inclusion of optional sequencing services.  The
+   token tagging facility as defined in GSS-V2, Section 3.1, is now
+   described directly in terms of octets to facilitate interoperable
+   implementation without general ASN.1 processing code; the
+   corresponding ASN.1 syntax, included for descriptive purposes, is
+
+
+
+Linn                        Standards Track                    [Page 84]
+
+RFC 2078                        GSS-API                     January 1997
+
+
+   unchanged from that in GSS-V1. For use in conjunction with added
+   naming support facilities, a new Exported Name Object construct is
+   added.  Additional name types are introduced in Section 4.
+
+   This GSS-V2 specification adds the following major_status values
+   which are not defined in GSS-V1:
+
+     GSS_S_BAD_QOP                 unsupported QOP value
+     GSS_S_UNAUTHORIZED            operation unauthorized
+     GSS_S_UNAVAILABLE             operation unavailable
+     GSS_S_DUPLICATE_ELEMENT       duplicate credential element requested
+     GSS_S_NAME_NOT_MN             name contains multi-mechanism elements
+     GSS_S_GAP_TOKEN               skipped predecessor token(s)
+                                    detected
+
+   Of these added status codes, only two values are defined to be
+   returnable by calls existing in GSS-V1: GSS_S_BAD_QOP (returnable by
+   GSS_GetMIC() and GSS_Wrap()), and GSS_S_GAP_TOKEN (returnable by
+   GSS_VerifyMIC() and GSS_Unwrap()).
+
+   Additionally, GSS-V2 descriptions of certain calls present in GSS-V1
+   have been updated to allow return of additional major_status values
+   from the set as defined in GSS-V1: GSS_Inquire_cred() has
+   GSS_S_DEFECTIVE_CREDENTIAL and GSS_S_CREDENTIALS_EXPIRED defined as
+   returnable, GSS_Init_sec_context() has GSS_S_OLD_TOKEN,
+   GSS_S_DUPLICATE_TOKEN, and GSS_S_BAD_MECH defined as returnable, and
+   GSS_Accept_sec_context() has GSS_S_BAD_MECH defined as returnable.
+
+Author's Address
+
+   John Linn
+   OpenVision Technologies
+   One Main St.
+   Cambridge, MA  02142  USA
+
+   Phone: +1 617.374.2245
+   EMail: John.Linn@ov.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 85]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc2203.txt b/crypto/heimdal/doc/standardisation/rfc2203.txt
new file mode 100644
index 0000000..2f6a8a0
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc2203.txt
@@ -0,0 +1,1291 @@
+
+
+
+
+
+
+Network Working Group                                          M. Eisler
+Request for Comments: 2203                                       A. Chiu
+Category: Standards Track                                        L. Ling
+                                                          September 1997
+
+
+                   RPCSEC_GSS Protocol Specification
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   This memo describes an ONC/RPC security flavor that allows RPC
+   protocols to access the Generic Security Services Application
+   Programming Interface (referred to henceforth as GSS-API).
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+   2.  The ONC RPC Message Protocol . . . . . . . . . . . . . . . . . 2
+   3.  Flavor Number Assignment . . . . . . . . . . . . . . . . . . . 3
+   4.  New auth_stat Values . . . . . . . . . . . . . . . . . . . . . 3
+   5.  Elements of the RPCSEC_GSS Security Protocol . . . . . . . . . 3
+   5.1.  Version Selection  . . . . . . . . . . . . . . . . . . . . . 5
+   5.2.  Context Creation . . . . . . . . . . . . . . . . . . . . . . 5
+   5.2.1.  Mechanism and QOP Selection  . . . . . . . . . . . . . . . 5
+   5.2.2.  Context Creation Requests  . . . . . . . . . . . . . . . . 6
+   5.2.3.  Context Creation Responses . . . . . . . . . . . . . . . . 8
+   5.2.3.1.  Context Creation Response - Successful Acceptance  . . . 8
+   5.2.3.1.1.  Client Processing of Successful Context Creation
+               Responses  . . . . . . . . . . . . . . . . . . . . . . 9
+   5.2.3.2.  Context Creation Response - Unsuccessful Cases . . . . . 9
+   5.3.  RPC Data Exchange  . . . . . . . . . . . . . . . . . . . .  10
+   5.3.1.  RPC Request Header . . . . . . . . . . . . . . . . . . .  10
+   5.3.2.  RPC Request Data . . . . . . . . . . . . . . . . . . . .  11
+   5.3.2.1.  RPC Request Data - No Data Integrity . . . . . . . . .  11
+   5.3.2.2.  RPC Request Data - With Data Integrity . . . . . . . .  11
+   5.3.2.3.  RPC Request Data - With Data Privacy . . . . . . . . .  12
+   5.3.3.  Server Processing of RPC Data Requests . . . . . . . . .  12
+   5.3.3.1.  Context Management . . . . . . . . . . . . . . . . . .  12
+   5.3.3.2.  Server Reply - Request Accepted  . . . . . . . . . . .  14
+   5.3.3.3.  Server Reply - Request Denied  . . . . . . . . . . . .  15
+
+
+
+Eisler, et. al.             Standards Track                     [Page 1]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   5.3.3.4.  Mapping of GSS-API Errors to Server Responses  . . . .  16
+   5.3.3.4.1.  GSS_GetMIC() Failure . . . . . . . . . . . . . . . .  16
+   5.3.3.4.2.  GSS_VerifyMIC() Failure  . . . . . . . . . . . . . .  16
+   5.3.3.4.3.  GSS_Unwrap() Failure . . . . . . . . . . . . . . . .  16
+   5.3.3.4.4.  GSS_Wrap() Failure . . . . . . . . . . . . . . . . .  16
+   5.4.  Context Destruction  . . . . . . . . . . . . . . . . . . .  17
+   6.  Set of GSS-API Mechanisms  . . . . . . . . . . . . . . . . .  17
+   7.  Security Considerations  . . . . . . . . . . . . . . . . . .  18
+   7.1.  Privacy of Call Header . . . . . . . . . . . . . . . . . .  18
+   7.2.  Sequence Number Attacks  . . . . . . . . . . . . . . . . .  18
+   7.2.1.  Sequence Numbers Above the Window  . . . . . . . . . . .  18
+   7.2.2.  Sequence Numbers Within or Below the Window  . . . . . .  18
+   7.3.  Message Stealing Attacks . . . . . . . . . . . . . . . . .  19
+   Appendix A. GSS-API Major Status Codes . . . . . . . . . . . . .  20
+   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . .  22
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  23
+
+1.  Introduction
+
+   This document describes the protocol used by the RPCSEC_GSS security
+   flavor.  Security flavors have been called authentication flavors for
+   historical reasons. This memo recognizes that there are two other
+   security services besides authentication, integrity, and privacy, and
+   so defines a new RPCSEC_GSS security flavor.
+
+   The protocol is described using the XDR language [Srinivasan-xdr].
+   The reader is assumed to be familiar with ONC RPC and the security
+   flavor mechanism [Srinivasan-rpc].  The reader is also assumed to be
+   familiar with the GSS-API framework [Linn].  The RPCSEC_GSS security
+   flavor uses GSS-API interfaces to provide security services that are
+   independent of the underlying security mechanism.
+
+2.  The ONC RPC Message Protocol
+
+   This memo refers to the following XDR types of the ONC RPC protocol,
+   which are described in the document entitled Remote Procedure Call
+   Protocol Specification Version 2 [Srinivasan-rpc]:
+
+      msg_type
+      reply_stat
+      auth_flavor
+      accept_stat
+      reject_stat
+      auth_stat
+      opaque_auth
+      rpc_msg
+      call_body
+      reply_body
+
+
+
+Eisler, et. al.             Standards Track                     [Page 2]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+      accepted_reply
+      rejected_reply
+
+3.  Flavor Number Assignment
+
+   The RPCSEC_GSS security flavor has been assigned the value of 6:
+
+      enum auth_flavor {
+          ...
+          RPCSEC_GSS = 6      /* RPCSEC_GSS security flavor */
+      };
+
+4.  New auth_stat Values
+
+   RPCSEC_GSS requires the addition of two new values to the auth_stat
+   enumerated type definition:
+
+      enum auth_stat {
+              ...
+              /*
+               * RPCSEC_GSS errors
+               */
+              RPCSEC_GSS_CREDPROBLEM = 13,
+              RPCSEC_GSS_CTXPROBLEM = 14
+      };
+
+   The descriptions of these two new values are defined later in this
+   memo.
+
+5.  Elements of the RPCSEC_GSS Security Protocol
+
+   An RPC session based on the RPCSEC_GSS security flavor consists of
+   three phases: context creation, RPC data exchange, and context
+   destruction.  In the following discussion, protocol elements for
+   these three phases are described.
+
+   The following description of the RPCSEC_GSS protocol uses some of the
+   definitions within XDR language description of the RPC protocol.
+
+   Context creation and destruction use control messages that are not
+   dispatched to service procedures registered by an RPC server.  The
+   program and version numbers used in these control messages are the
+   same as the RPC service's program and version numbers.  The procedure
+   number used is NULLPROC (zero).  A field in the credential
+   information (the gss_proc field which is defined in the
+   rpc_gss_cred_t structure below) specifies whether a message is to be
+   interpreted as a control message or a regular RPC message.  If this
+   field is set to RPCSEC_GSS_DATA, no control action is implied; in
+
+
+
+Eisler, et. al.             Standards Track                     [Page 3]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   this case, it is a regular data message.  If this field is set to any
+   other value, a control action is implied.  This is described in the
+   following sections.
+
+   Just as with normal RPC data exchange messages, the transaction
+   identifier (the xid field in struct rpc_msg), should be set to unique
+   values on each call for context creation and context destruction.
+
+   The following definitions are used for describing the protocol.
+
+      /* RPCSEC_GSS control procedures */
+
+
+      enum rpc_gss_proc_t {
+              RPCSEC_GSS_DATA = 0,
+              RPCSEC_GSS_INIT = 1,
+              RPCSEC_GSS_CONTINUE_INIT = 2,
+              RPCSEC_GSS_DESTROY = 3
+      };
+
+      /* RPCSEC_GSS services */
+
+      enum rpc_gss_service_t {
+          /* Note: the enumerated value for 0 is reserved. */
+          rpc_gss_svc_none = 1,
+          rpc_gss_svc_integrity = 2,
+          rpc_gss_svc_privacy = 3
+      };
+
+      /* Credential */
+
+      /*
+       * Note: version 0 is reserved for possible future
+       * definition of a version negotiation protocol
+       *
+       */
+      #define RPCSEC_GSS_VERS_1 1
+
+      struct rpc_gss_cred_t {
+          union switch (unsigned int version) { /* version of
+                                                      RPCSEC_GSS */
+          case RPCSEC_GSS_VERS_1:
+              struct {
+                  rpc_gss_proc_t gss_proc;  /* control procedure */
+                  unsigned int seq_num;   /* sequence number */
+                  rpc_gss_service_t service; /* service used */
+                  opaque handle<>;       /* context handle */
+              } rpc_gss_cred_vers_1_t;
+
+
+
+Eisler, et. al.             Standards Track                     [Page 4]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+          }
+      };
+
+      /* Maximum sequence number value */
+
+      #define MAXSEQ 0x80000000
+
+5.1.  Version Selection
+
+   This document defines just one protocol version (RPCSEC_GSS_VERS_1).
+   The client should assume that the server supports RPCSEC_GSS_VERS_1
+   and issue a Context Creation message (as described in the section
+   RPCSEC_GSS_VERS_1, the RPC response will have a reply_stat of
+   MSG_DENIED, a rejection status of AUTH_ERROR, and an auth_stat of
+   AUTH_REJECTED_CRED.
+
+5.2.  Context Creation
+
+   Before RPC data is exchanged on a session using the RPCSEC_GSS
+   flavor, a context must be set up between the client and the server.
+   Context creation may involve zero or more RPC exchanges.  The number
+   of exchanges depends on the security mechanism.
+
+5.2.1.  Mechanism and QOP Selection
+
+   There is no facility in the RPCSEC_GSS protocol to negotiate GSS-API
+   mechanism identifiers or QOP values. At minimum, it is expected that
+   implementations of the RPCSEC_GSS protocol provide a means to:
+
+   *    specify mechanism identifiers, QOP values, and RPCSEC_GSS
+        service values on the client side, and to
+
+   *    enforce mechanism identifiers, QOP values, and RPCSEC_GSS
+        service values on a per-request basis on the server side.
+
+   It is necessary that above capabilities exist so that applications
+   have the means to conform the required set of required set of
+   <mechanism, QOP, service> tuples (See the section entitled Set of
+   GSS-API Mechanisms).  An application may negotiate <mechanism, QOP,
+   service> selection within its protocol or via an out of band
+   protocol. Hence it may be necessary for RPCSEC_GSS implementations to
+   provide programming interfaces for the specification and enforcement
+   of <mechanism, QOP, service>.
+
+   Additionally, implementations may depend on negotiation schemes
+   constructed as pseudo-mechanisms under the GSS-API.  Because such
+   schemes are below the GSS-API layer, the RPCSEC_GSS protocol, as
+   specified in this document, can make use of them.
+
+
+
+Eisler, et. al.             Standards Track                     [Page 5]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+5.2.2.  Context Creation Requests
+
+   The first RPC request from the client to the server initiates context
+   creation.  Within the RPC message protocol's call_body structure,
+   rpcvers is set to 2. prog and vers are always those for the service
+   being accessed.  The proc is always set to NULLPROC (zero).
+
+   Within the RPC message protocol's cred structure, flavor is set to
+   RPCSEC_GSS (6).  The opaque data of the cred structure (the body
+   field) constituting the credential encodes the rpc_gss_cred_t
+   structure defined previously.
+
+   The values of the fields contained in the rpc_gss_cred_t structure
+   are set as follows.  The version field is set to the version of the
+   RPCSEC_GSS protocol the client wants to use.  The remainder of this
+   memo documents version RPCSEC_GSS_VERS_1 of RPCSEC_GSS, and so the
+   version field would be set to RPCSEC_GSS_VERS_1.  The gss_proc field
+   must be set to RPCSEC_GSS_INIT for the first creation request.  In
+   subsequent creation requests, the gss_proc field must be set to
+   RPCSEC_GSS_CONTINUE_INIT.  In a creation request, the seq_num and
+   service fields are undefined and both must be ignored by the server.
+   In the first creation request, the handle field is NULL (opaque data
+   of zero length).  In subsequent creation requests, handle must be
+   equal to the value returned by the server.  The handle field serves
+   as the identifier for the context, and will not change for the
+   duration of the context, including responses to
+   RPCSEC_GSS_CONTINUE_INIT.
+
+   The verifier field in the RPC message header is also described by the
+   opaque_auth structure.  All creation requests have the NULL verifier
+   (AUTH_NONE flavor with zero length opaque data).
+
+   Following the verifier are the call data (procedure specific
+   parameters).  Note that the proc field of the call_body structure is
+   set to NULLPROC, and thus normally there would be zero octets
+   following the verifier.  However, since there is no RPC data exchange
+   during a context creation, it is safe to transfer information
+   following the verifier.  It is necessary to "overload" the call data
+   in this way, rather than pack the GSS-API token into the RPC header,
+   because RPC Version 2 restricts the amount of data that can be sent
+   in the header.  The opaque body of the credential and verifier fields
+   can be each at most 400 octets long, and GSS tokens can be longer
+   than 800 octets.
+
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                     [Page 6]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   The call data for a context creation request is described by the
+   following structure for all creation requests:
+
+      struct rpc_gss_init_arg {
+          opaque gss_token<>;
+      };
+
+   Here, gss_token is the token returned by the call to  GSS-API's
+   GSS_Init_sec_context() routine, opaquely encoded.  The value of this
+   field will likely be different in each creation request, if there is
+   more than one creation request.  If no token is returned by the call
+   to GSS_Init_sec_context(), the context must have been created
+   (assuming no errors), and there will not be any more creation
+   requests.
+
+   When GSS_Init_sec_context() is called, the parameters
+   replay_det_req_flag and sequence_req_flag must be turned off. The
+   reasons for this are:
+
+   *    ONC RPC can be used over unreliable transports and provides no
+        layer to reliably re-assemble messages. Thus it is possible for
+        gaps in message sequencing to occur, as well as out of order
+        messages.
+
+   *    RPC servers can be multi-threaded, and thus the order in which
+        GSS-API messages are signed or wrapped can be different from the
+        order in which the messages are verified or unwrapped, even if
+        the requests are sent on reliable transports.
+
+   *    To maximize convenience of implementation, the order in which an
+        ONC RPC entity will verify the header and verify/unwrap the body
+        of an RPC call or reply is left unspecified.
+
+   The RPCSEC_GSS protocol provides for protection from replay attack,
+   yet tolerates out-of-order delivery or processing of messages and
+   tolerates dropped requests.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                     [Page 7]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+5.2.3.  Context Creation Responses
+
+5.2.3.1.  Context Creation Response - Successful Acceptance
+
+   The response to a successful creation request has an MSG_ACCEPTED
+   response with a status of SUCCESS.  The results field encodes a
+   response with the following structure:
+
+      struct rpc_gss_init_res {
+              opaque handle<>;
+              unsigned int gss_major;
+              unsigned int gss_minor;
+              unsigned int seq_window;
+              opaque gss_token<>;
+      };
+
+   Here, handle is non-NULL opaque data that serves as the context
+   identifier. The client must use this value in all subsequent requests
+   whether control messages or otherwise).  The gss_major and gss_minor
+   fields contain the results of the call to GSS_Accept_sec_context()
+   executed by the server.  The values for the gss_major field are
+   defined in Appendix A of this document.  The values for the gss_minor
+   field are GSS-API mechanism specific and are defined in the
+   mechanism's specification.  If gss_major is not one of GSS_S_COMPLETE
+   or GSS_S_CONTINUE_NEEDED, the context setup has failed; in this case
+   handle and gss_token must be set to NULL by the server.  The value of
+   gss_minor is dependent on the value of gss_major and the security
+   mechanism used.  The gss_token field contains any token returned by
+   the GSS_Accept_sec_context() call executed by the server.  A token
+   may be returned for both successful values of gss_major.  If the
+   value is GSS_S_COMPLETE, it indicates that the server is not
+   expecting any more tokens, and the RPC Data Exchange phase must begin
+   on the subsequent request from the client. If the value is
+   GSS_S_CONTINUE_NEEDED, the server is expecting another token.  Hence
+   the client must send at least one more creation request (with
+   gss_proc set to RPCSEC_GSS_CONTINUE_INIT in the request's credential)
+   carrying the required token.
+
+   In a successful response, the seq_window field is set to the sequence
+   window length supported by the server for this context.  This window
+   specifies the maximum number of client requests that may be
+   outstanding for this context. The server will accept "seq_window"
+   requests at a time, and these may be out of order.  The client may
+   use this number to determine the number of threads that can
+   simultaneously send requests on this context.
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                     [Page 8]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   If gss_major is GSS_S_COMPLETE, the verifier's (the verf element in
+   the response) flavor field is set to RPCSEC_GSS, and the body field
+   set to the checksum of the seq_window (in network order). The QOP
+   used for this checksum is 0 (zero), which is the default QOP.  For
+   all other values of gss_major, a NULL verifier (AUTH_NONE flavor with
+   zero-length opaque data) is used.
+
+5.2.3.1.1.  Client Processing of Successful Context Creation Responses
+
+   If the value of gss_major in the response is GSS_S_CONTINUE_NEEDED,
+   then the client, per the GSS-API specification, must invoke
+   GSS_Init_sec_context() using the token returned in gss_token in the
+   context creation response. The client must then generate a context
+   creation request, with gss_proc set to RPCSEC_GSS_CONTINUE_INIT.
+
+   If the value of gss_major in the response is GSS_S_COMPLETE, and if
+   the client's previous invocation of GSS_Init_sec_context() returned a
+   gss_major value of GSS_S_CONTINUE_NEEDED, then the client, per the
+   GSS-API specification, must invoke GSS_Init_sec_context() using the
+   token returned in gss_token in the context creation response. If
+   GSS_Init_sec_context() returns GSS_S_COMPLETE, the context is
+   successfully set up, and the RPC data exchange phase must begin on
+   the subsequent request from the client.
+
+5.2.3.2.  Context Creation Response - Unsuccessful Cases
+
+   An MSG_ACCEPTED reply (to a creation request) with an acceptance
+   status of other than SUCCESS has a NULL verifier (flavor set to
+   AUTH_NONE, and zero length opaque data in the body field), and is
+   formulated as usual for different status values.
+
+   An MSG_DENIED reply (to a creation request) is also formulated as
+   usual.  Note that MSG_DENIED could be returned because the server's
+   RPC implementation does not recognize the RPCSEC_GSS security flavor.
+   RFC 1831 does not specify the appropriate reply status in this
+   instance, but common implementation practice appears to be to return
+   a rejection status of AUTH_ERROR with an auth_stat of
+   AUTH_REJECTEDCRED. Even though two new values (RPCSEC_GSS_CREDPROBLEM
+   and RPCSEC_GSS_CTXPROBLEM) have been defined for the auth_stat type,
+   neither of these two can be returned in responses to context creation
+   requests.  The auth_stat new values can be used for responses to
+   normal (data) requests.  This is described later.
+
+   MSG_DENIED might also be returned if the RPCSEC_GSS version number in
+   the credential is not supported on the server. In that case, the
+   server returns a rejection status of AUTH_ERROR, with an auth_stat of
+
+   AUTH_REJECTED_CRED.
+
+
+
+Eisler, et. al.             Standards Track                     [Page 9]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+5.3.  RPC Data Exchange
+
+   The data exchange phase is entered after a context has been
+   successfully set up. The format of the data exchanged depends on the
+   security service used for the request.  Although clients can change
+   the security service and QOP used on a per-request basis, this may
+   not be acceptable to all RPC services; some RPC services may "lock"
+   the data exchange phase into using the QOP and service used on the
+   first data exchange message.  For all three modes of service (no data
+   integrity, data integrity, data privacy), the RPC request header has
+   the same format.
+
+5.3.1.  RPC Request Header
+
+   The credential has the opaque_auth structure described earlier.  The
+   flavor field is set to RPCSEC_GSS.  The credential body is created by
+   XDR encoding the rpc_gss_cred_t structure listed earlier into an
+   octet stream, and then opaquely encoding this octet stream as the
+   body field.
+
+   Values of the fields contained in the rpc_gss_cred_t structure are
+   set as follows.  The version field is set to same version value that
+   was used to create the context, which within the scope of this memo
+   will always be RPCSEC_GSS_VERS_1.  The gss_proc field is set to
+   RPCSEC_GSS_DATA.  The service field is set to indicate the desired
+   service (one of rpc_gss_svc_none, rpc_gss_svc_integrity, or
+   rpc_gss_svc_privacy).  The handle field is set to the context handle
+   value received from the RPC server during context creation.  The
+   seq_num field can start at any value below MAXSEQ, and must be
+   incremented (by one or more) for successive requests.  Use of
+   sequence numbers is described in detail when server processing of the
+   request is discussed.
+
+   The verifier has the opaque_auth structure described earlier.  The
+   flavor field is set to RPCSEC_GSS.  The body field is set as follows.
+   The checksum of the RPC header (up to and including the credential)
+   is computed using the GSS_GetMIC() call with the desired QOP.  This
+   returns the checksum as an opaque octet stream and its length.  This
+   is encoded into the body field.  Note that the QOP is not explicitly
+   specified anywhere in the request.  It is implicit in the checksum or
+   encrypted data.  The same QOP value as is used for the header
+   checksum must also be used for the data (for checksumming or
+   encrypting), unless the service used for the request is
+   rpc_gss_svc_none.
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 10]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+5.3.2.  RPC Request Data
+
+5.3.2.1.  RPC Request Data - No Data Integrity
+
+   If the service specified is rpc_gss_svc_none, the data (procedure
+   arguments) are not integrity or privacy protected.  They are sent in
+   exactly the same way as they would be if the AUTH_NONE flavor were
+   used (following the verifier).  Note, however, that since the RPC
+   header is integrity protected, the sender will still be authenticated
+   in this case.
+
+5.3.2.2.  RPC Request Data - With Data Integrity
+
+   When data integrity is used, the request data is represented as
+   follows:
+
+      struct rpc_gss_integ_data {
+          opaque databody_integ<>;
+          opaque checksum<>;
+      };
+
+   The databody_integ field is created as follows.  A structure
+   consisting of a sequence number followed by the procedure arguments
+   is constructed. This is shown below as the type rpc_gss_data_t:
+
+      struct rpc_gss_data_t {
+          unsigned int seq_num;
+          proc_req_arg_t arg;
+      };
+
+   Here, seq_num must have the same value as in the credential.  The
+   type proc_req_arg_t is the procedure specific XDR type describing the
+   procedure arguments (and so is not specified here).  The octet stream
+   corresponding to the XDR encoded rpc_gss_data_t structure and its
+   length are placed in the databody_integ field. Note that because the
+   XDR type of databody_integ is opaque, the XDR encoding of
+   databody_integ will include an initial four octet length field,
+   followed by the XDR encoded octet stream of rpc_gss_data_t.
+
+   The checksum field represents the checksum of the XDR encoded octet
+   stream corresponding to the XDR encoded rpc_gss_data_t structure
+   (note, this is not the checksum of the databody_integ field).  This
+   is obtained using the GSS_GetMIC() call, with the same QOP as was
+   used to compute the header checksum (in the verifier). The
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 11]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   GSS_GetMIC() call returns the checksum as an opaque octet stream and
+   its length. The checksum field of struct rpc_gss_integ_data has an
+   XDR type of opaque. Thus the checksum length from GSS_GetMIC() is
+   encoded as a four octet  length field, followed by the checksum,
+   padded to a multiple of four octets.
+
+5.3.2.3.  RPC Request Data - With Data Privacy
+
+   When data privacy is used, the request data is represented as
+   follows:
+
+      struct rpc_gss_priv_data {
+          opaque databody_priv<>
+      };
+
+   The databody_priv field is created as follows.  The rpc_gss_data_t
+   structure described earlier is constructed again in the same way as
+   for the case of data integrity.  Next, the GSS_Wrap() call is invoked
+   to encrypt the octet stream corresponding to the rpc_gss_data_t
+   structure, using the same value for QOP (argument qop_req to
+   GSS_Wrap()) as was used for the header checksum (in the verifier) and
+   conf_req_flag (an argument to GSS_Wrap()) of TRUE.  The GSS_Wrap()
+   call returns an opaque octet stream (representing the encrypted
+   rpc_gss_data_t structure) and its length, and this is encoded as the
+   databody_priv field. Since databody_priv has an XDR type of opaque,
+   the length returned by GSS_Wrap() is encoded as the four octet
+   length, followed by the encrypted octet stream (padded to a multiple
+   of four octets).
+
+5.3.3.  Server Processing of RPC Data Requests
+
+5.3.3.1.  Context Management
+
+   When a request is received by the server, the following are verified
+   to be acceptable:
+
+   *    the version number in the credential
+
+   *    the service specified in the credential
+
+   *    the context handle specified in the credential
+
+   *    the header checksum in the verifier (via GSS_VerifyMIC())
+
+   *    the sequence number (seq_num) specified in the credential (more
+        on this follows)
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 12]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   The gss_proc field in the credential must be set to RPCSEC_GSS_DATA
+   for data requests (otherwise, the message will be interpreted as a
+   control message).
+
+   The server maintains a window of "seq_window" sequence numbers,
+   starting with the last sequence number seen and extending backwards.
+   If a sequence number higher than the last number seen is received
+   (AND if GSS_VerifyMIC() on the header checksum from the verifier
+   returns GSS_S_COMPLETE), the window is moved forward to the new
+   sequence number.  If the last sequence number seen is N, the server
+   is prepared to receive requests with sequence numbers in the range N
+   through (N - seq_window + 1), both inclusive.  If the sequence number
+   received falls below this range, it is silently discarded.  If the
+   sequence number is within this range, and the server has not seen it,
+   the request is accepted, and the server turns on a bit to "remember"
+   that this sequence number has been seen.  If the server determines
+   that it has already seen a sequence number within the window, the
+   request is silently discarded. The server should select a seq_window
+   value based on the number requests it expects to process
+   simultaneously. For example, in a threaded implementation seq_window
+   might be equal to the number of server threads. There are no known
+   security issues with selecting a large window. The primary issue is
+   how much space the server is willing to allocate to keep track of
+   requests received within the window.
+
+   The reason for discarding requests silently is that the server is
+   unable to determine if the duplicate or out of range request was due
+   to a sequencing problem in the client, network, or the operating
+   system, or due to some quirk in routing, or a replay attack by an
+   intruder.  Discarding the request allows the client to recover after
+   timing out, if indeed the duplication was unintentional or well
+   intended.  Note that a consequence of the silent discard is that
+   clients may increment the seq_num by more than one. The effect of
+   this is that the window will move forward more quickly. It is not
+   believed that there is any benefit to doing this.
+
+   Note that the sequence number algorithm requires that the client
+   increment the sequence number even if it is retrying a request with
+   the same RPC transaction identifier.  It is not infrequent for
+   clients to get into a situation where they send two or more attempts
+   and a slow server sends the reply for the first attempt. With
+   RPCSEC_GSS, each request and reply will have a unique sequence
+   number. If the client wishes to improve turn around time on the RPC
+   call, it can cache the RPCSEC_GSS sequence number of each request it
+   sends. Then when it receives a response with a matching RPC
+   transaction identifier, it can compute the checksum of each sequence
+   number in the cache to try to match the checksum in the reply's
+   verifier.
+
+
+
+Eisler, et. al.             Standards Track                    [Page 13]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   The data is decoded according to the service specified in the
+   credential.  In the case of integrity or privacy, the server ensures
+   that the QOP value is acceptable, and that it is the same as that
+   used for the header checksum in the verifier.  Also, in the case of
+   integrity or privacy, the server will reject the message (with a
+   reply status of MSG_ACCEPTED, and an acceptance status of
+   GARBAGE_ARGS) if the sequence number embedded in the request body is
+   different from the sequence number in the credential.
+
+5.3.3.2.  Server Reply - Request Accepted
+
+   An MSG_ACCEPTED reply to a request in the data exchange phase will
+   have the verifier's (the verf element in the response) flavor field
+   set to RPCSEC_GSS, and the body field set to the checksum (the output
+   of GSS_GetMIC()) of the sequence number (in network order) of the
+   corresponding request.  The QOP used is the same as the QOP used for
+   the corresponding request.
+
+   If the status of the reply is not SUCCESS, the rest of the message is
+   formatted as usual.
+
+   If the status of the message is SUCCESS, the format of the rest of
+   the message depends on the service specified in the corresponding
+   request message. Basically, what follows the verifier in this case
+   are the procedure results, formatted in different ways depending on
+   the requested service.
+
+   If no data integrity was requested, the procedure results are
+   formatted as for the AUTH_NONE security flavor.
+
+   If data integrity was requested, the results are encoded in exactly
+   the same way as the procedure arguments were in the corresponding
+   request.  See the section 'RPC Request Data - With Data Integrity.'
+   The only difference is that the structure representing the
+   procedure's result - proc_res_arg_t - must be substituted in place of
+   the request argument structure proc_req_arg_t.  The QOP used for the
+   checksum must be the same as that used for constructing the reply
+   verifier.
+
+   If data privacy was requested, the results are encoded in exactly the
+   same way as the procedure arguments were in the corresponding
+   request.  See the section 'RPC Request Data - With Data Privacy.' The
+   QOP used for  encryption must be the same as that used for
+   constructing the reply verifier.
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 14]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+5.3.3.3.  Server Reply - Request Denied
+
+   An MSG_DENIED reply (to a data request) is formulated as usual.  Two
+   new values (RPCSEC_GSS_CREDPROBLEM and RPCSEC_GSS_CTXPROBLEM) have
+   been defined for the auth_stat type.  When the reason for denial of
+   the request is a reject_stat of AUTH_ERROR, one of the two new
+   auth_stat values could be returned in addition to the existing
+   values.  These two new values have special significance from the
+   existing reasons for denial of a request.
+
+   The server maintains a list of contexts for the clients that are
+   currently in session with it.  Normally, a context is destroyed when
+   the client ends the session corresponding to it.  However, due to
+   resource constraints, the server may destroy a context prematurely
+   (on an LRU basis, or if the server machine is rebooted, for example).
+   In this case, when a client request comes in, there may not be a
+   context corresponding to its handle. The server rejects the request,
+   with the reason RPCSEC_GSS_CREDPROBLEM in this case.  Upon receiving
+   this error, the client must refresh the context - that is,
+   reestablish it after destroying the old one - and try the request
+   again.  This error is also returned if the context handle matches
+   that of a different context that was allocated after the client's
+   context was destroyed (this will be detected by a failure in
+   verifying the header checksum).
+
+   If the GSS_VerifyMIC() call on the header checksum (contained in the
+   verifier) fails to return GSS_S_COMPLETE, the server rejects the
+   request and returns an auth_stat of RPCSEC_GSS_CREDPROBLEM.
+
+   When the client's sequence number exceeds the maximum the server will
+   allow, the server will reject the request with the reason
+   RPCSEC_GSS_CTXPROBLEM.  Also, if security credentials become stale
+   while in use (due to ticket expiry in the case of the Kerberos V5
+   mechanism, for example), the failures which result cause the
+   RPCSEC_GSS_CTXPROBLEM reason to be returned.  In these cases also,
+   the client must refresh the context, and retry the request.
+
+   For other errors, retrying will not rectify the problem and the
+   client must not refresh the context until the problem causing the
+   client request to be denied is rectified.
+
+   If the version field in the credential does not match the version of
+   RPCSEC_GSS that was used when the context was created, the
+   AUTH_BADCRED value is returned.
+
+   If there is a problem with the credential, such a bad length, illegal
+   control procedure, or an illegal service, the appropriate auth_stat
+   status is AUTH_BADCRED.
+
+
+
+Eisler, et. al.             Standards Track                    [Page 15]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   Other errors can be returned as appropriate.
+
+5.3.3.4.  Mapping of GSS-API Errors to Server Responses
+
+   During the data exchange phase, the server may invoke GSS_GetMIC(),
+   GSS_VerifyMIC(), GSS_Unwrap(), and GSS_Wrap(). If any of these
+   routines fail to return GSS_S_COMPLETE, then various unsuccessful
+   responses can be returned. The are described as follows for each of
+   the aforementioned four interfaces.
+
+5.3.3.4.1.  GSS_GetMIC() Failure
+
+   When GSS_GetMIC() is called to generate the verifier in the response,
+   a failure results in an RPC response with a reply status of
+   MSG_DENIED, reject status of AUTH_ERROR and an auth status of
+   RPCSEC_GSS_CTXPROBLEM.
+
+   When GSS_GetMIC() is called to sign the call results (service is
+   rpc_gss_svc_integrity), a failure results in no RPC response being
+   sent. Since ONC RPC server applications will typically control when a
+   response is sent, the failure indication will be returned to the
+   server application and it can take appropriate action (such as
+   logging the error).
+
+5.3.3.4.2.  GSS_VerifyMIC() Failure
+
+   When GSS_VerifyMIC() is called to verify the verifier in request, a
+   failure results in an RPC response with a reply status of MSG_DENIED,
+   reject status of AUTH_ERROR and an auth status of
+   RPCSEC_GSS_CREDPROBLEM.
+
+   When GSS_VerifyMIC() is called to verify the call arguments (service
+   is rpc_gss_svc_integrity), a failure results in an RPC response with
+   a reply status of MSG_ACCEPTED, and an acceptance status of
+   GARBAGE_ARGS.
+
+5.3.3.4.3.  GSS_Unwrap() Failure
+
+   When GSS_Unwrap() is called to decrypt the call arguments (service is
+   rpc_gss_svc_privacy), a failure results in an RPC response with a
+   reply status of MSG_ACCEPTED, and an acceptance status of
+   GARBAGE_ARGS.
+
+5.3.3.4.4.  GSS_Wrap() Failure
+
+   When GSS_Wrap() is called to encrypt the call results (service is
+   rpc_gss_svc_privacy), a failure results in no RPC response being
+   sent. Since ONC RPC server applications will typically control when a
+
+
+
+Eisler, et. al.             Standards Track                    [Page 16]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   response is sent, the failure indication will be returned to the
+   application and it can take appropriate action (such as logging the
+   error).
+
+5.4.  Context Destruction
+
+   When the client is done using the session, it must send a control
+   message informing the server that it no longer requires the context.
+   This message is formulated just like a data request packet, with the
+   following differences:  the credential has gss_proc set to
+   RPCSEC_GSS_DESTROY, the procedure specified in the header is
+   NULLPROC, and there are no procedure arguments.  The sequence number
+   in the request must be valid, and the header checksum in the verifier
+   must be valid, for the server to accept the message.  The server
+   sends a response as it would to a data request.  The client and
+   server must then destroy the context for the session.
+
+   If the request to destroy the context fails for some reason, the
+   client need not take any special action.  The server must be prepared
+   to deal with situations where clients never inform the server that
+   they no longer are in session and so don't need the server to
+   maintain a context.  An LRU mechanism or an aging mechanism should be
+   employed by the server to clean up in such cases.
+
+6.  Set of GSS-API Mechanisms
+
+   RPCSEC_GSS is effectively a "pass-through" to the GSS-API layer, and
+   as such it is inappropriate for the RPCSEC_GSS specification to
+   enumerate a minimum set of required security mechanisms and/or
+   quality of protections.
+
+   If an application protocol specification references RPCSEC_GSS, the
+   protocol specification must list a mandatory set of { mechanism, QOP,
+   service } triples, such that an implementation cannot claim
+   conformance to the protocol specification unless it implements the
+   set of triples. Within each triple, mechanism is a GSS-API security
+   mechanism, QOP is a valid quality-of-protection within the mechanism,
+   and service is either rpc_gss_svc_integrity or rpc_gss_svc_privacy.
+
+   For example, a network filing protocol built on RPC that depends on
+   RPCSEC_GSS for security, might require that Kerberos V5 with the
+   default QOP using the rpc_gss_svc_integrity service be supported by
+   implementations conforming to the network filing protocol
+   specification.
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 17]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+7.  Security Considerations
+
+7.1.  Privacy of Call Header
+
+   The reader will note that for the privacy option, only the call
+   arguments and results are encrypted. Information about the
+   application in the form of RPC program number, program version
+   number, and program procedure number is transmitted in the clear.
+   Encrypting these fields in the RPC call header would have changed the
+   size and format of the call header. This would have required revising
+   the RPC protocol which was beyond the scope of this proposal. Storing
+   the encrypted numbers in the credential would have obviated a
+   protocol change, but would have introduced more overloading of fields
+   and would have made implementations of RPC more complex. Even if the
+   fields were encrypted somehow, in most cases an attacker can
+   determine the program number and version number by examining the
+   destination address of the request and querying the rpcbind service
+   on the destination host [Srinivasan-bind].  In any case, even by not
+   encrypting the three numbers, RPCSEC_GSS still improves the state of
+   security over what existing RPC services have had available
+   previously. Implementors of new RPC services that are concerned about
+   this risk may opt to design in a "sub-procedure" field that is
+   included in the service specific call arguments.
+
+7.2.  Sequence Number Attacks
+
+7.2.1.  Sequence Numbers Above the Window
+
+   An attacker cannot coax the server into raising the sequence number
+   beyond the range the legitimate client is aware of (and thus engineer
+   a denial of server attack) without constructing an RPC request that
+   will pass the header checksum. If the cost of verifying the header
+   checksum is sufficiently large (depending on the speed of the
+   processor doing the checksum and the cost of checksum algorithm), it
+   is possible to envision a denial of service attack (vandalism, in the
+   form of wasting processing resources) whereby the attacker sends
+   requests that are above the window. The simplest method might be for
+   the attacker to monitor the network traffic and then choose a
+   sequence number that is far above the current sequence number. Then
+   the attacker can send bogus requests using the above window sequence
+   number.
+
+7.2.2.  Sequence Numbers Within or Below the Window
+
+   If the attacker sends requests that are within or below the window,
+   then even if the header checksum is successfully verified, the server
+   will silently discard the requests because the server assumes it has
+   already processed the request. In this case, a server can optimize by
+
+
+
+Eisler, et. al.             Standards Track                    [Page 18]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   skipping the header checksum verification if the sequence number is
+   below the window, or if it is within the window, not attempt the
+   checksum verification if the sequence number has already been seen.
+
+7.3.  Message Stealing Attacks
+
+   This proposal does not address attacks where an attacker can block or
+   steal messages without being detected by the server. To implement
+   such protection would be tantamount to assuming a state in the RPC
+   service. RPCSEC_GSS does not worsen this situation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 19]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+Appendix A. GSS-API Major Status Codes
+
+   The GSS-API definition [Linn] does not include numerical values for
+   the various GSS-API major status codes. It is expected that this will
+   be addressed in future RFC. Until then, this appendix defines the
+   values for each GSS-API major status code listed in the GSS-API
+   definition.  If in the future, the GSS-API definition defines values
+   for the codes that are different than what follows, then implementors
+   of RPCSEC_GSS will be obliged to map them into the values defined
+   below. If in the future, the GSS-API definition defines additional
+   status codes not defined below, then the RPCSEC_GSS definition will
+   subsume those additional values.
+
+   Here are the definitions of each GSS_S_* major status that the
+   implementor of RPCSEC_GSS can expect in the gss_major major field of
+   rpc_gss_init_res.  These definitions are not in RPC description
+   language form.  The numbers are in base 16 (hexadecimal):
+
+      GSS_S_COMPLETE                  0x00000000
+      GSS_S_CONTINUE_NEEDED           0x00000001
+      GSS_S_DUPLICATE_TOKEN           0x00000002
+      GSS_S_OLD_TOKEN                 0x00000004
+      GSS_S_UNSEQ_TOKEN               0x00000008
+      GSS_S_GAP_TOKEN                 0x00000010
+      GSS_S_BAD_MECH                  0x00010000
+      GSS_S_BAD_NAME                  0x00020000
+      GSS_S_BAD_NAMETYPE              0x00030000
+      GSS_S_BAD_BINDINGS              0x00040000
+      GSS_S_BAD_STATUS                0x00050000
+      GSS_S_BAD_MIC                   0x00060000
+      GSS_S_BAD_SIG                   0x00060000
+      GSS_S_NO_CRED                   0x00070000
+      GSS_S_NO_CONTEXT                0x00080000
+      GSS_S_DEFECTIVE_TOKEN           0x00090000
+      GSS_S_DEFECTIVE_CREDENTIAL      0x000a0000
+      GSS_S_CREDENTIALS_EXPIRED       0x000b0000
+      GSS_S_CONTEXT_EXPIRED           0x000c0000
+      GSS_S_FAILURE                   0x000d0000
+      GSS_S_BAD_QOP                   0x000e0000
+      GSS_S_UNAUTHORIZED              0x000f0000
+      GSS_S_UNAVAILABLE               0x00100000
+      GSS_S_DUPLICATE_ELEMENT         0x00110000
+      GSS_S_NAME_NOT_MN               0x00120000
+      GSS_S_CALL_INACCESSIBLE_READ    0x01000000
+      GSS_S_CALL_INACCESSIBLE_WRITE   0x02000000
+      GSS_S_CALL_BAD_STRUCTURE        0x03000000
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 20]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+   Note that the GSS-API major status is split into three fields as
+   follows:
+
+        Most Significant Bit                     Least Significant Bit
+        |------------------------------------------------------------|
+        | Calling Error | Routine Error  |    Supplementary Info     |
+        |------------------------------------------------------------|
+      Bit 31           24 23            16 15                        0
+
+   Up to one status in the Calling Error field can be logically ORed
+   with up to one status in the Routine Error field which in turn can be
+   logically ORed with zero or more statuses in the Supplementary Info
+   field. If the resulting major status has a non-zero Calling Error
+   and/or a non-zero Routine Error, then the applicable GSS-API
+   operation has failed.  For purposes of RPCSEC_GSS, this means that
+   the GSS_Accept_sec_context() call executed by the server has failed.
+
+   If the major status is equal GSS_S_COMPLETE, then this indicates the
+   absence of any Errors or Supplementary Info.
+
+   The meanings of most of the GSS_S_* status are defined in the GSS-API
+   definition, which the exceptions of:
+
+   GSS_S_BAD_MIC       This code has the same meaning as GSS_S_BAD_SIG.
+
+   GSS_S_CALL_INACCESSIBLE_READ
+                        A required input parameter could not be read.
+
+   GSS_S_CALL_INACCESSIBLE_WRITE
+                        A required input parameter could not be written.
+
+   GSS_S_CALL_BAD_STRUCTURE
+                       A parameter was malformed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 21]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+Acknowledgements
+
+   Much of the protocol was based on the AUTH_GSSAPI security flavor
+   developed by Open Vision Technologies [Jaspan].  In particular, we
+   acknowledge Barry Jaspan, Marc Horowitz, John Linn, and Ellen
+   McDermott.
+
+   Raj Srinivasan designed RPCSEC_GSS [Eisler] with input from Mike
+   Eisler.  Raj, Roland Schemers, Lin Ling, and Alex Chiu contributed to
+   Sun Microsystems' implementation of RPCSEC_GSS.
+
+   Brent Callaghan, Marc Horowitz, Barry Jaspan, John Linn, Hilarie
+   Orman, Martin Rex, Ted Ts'o, and John Wroclawski analyzed the
+   specification and gave valuable feedback.
+
+   Steve Nahm and Kathy Slattery reviewed various drafts of this
+   specification.
+
+   Much of content of Appendix A was excerpted from John Wray's Work in
+   Progress on GSS-API Version 2 C-bindings.
+
+References
+
+   [Eisler]            Eisler, M., Schemers, R., and Srinivasan, R.
+                       (1996).  "Security Mechanism Independence in ONC
+                       RPC," Proceedings of the Sixth Annual USENIX
+                       Security Symposium, pp. 51-65.
+
+   [Jaspan]            Jaspan, B. (1995). "GSS-API Security for ONC
+                       RPC," `95 Proceedings of The Internet Society
+                       Symposium on Network and Distributed System
+                       Security, pp. 144- 151.
+
+   [Linn]              Linn, J., "Generic Security Service Application
+                       Program Interface, Version 2", RFC 2078, January
+                       1997.
+
+   [Srinivasan-bind]   Srinivasan, R., "Binding Protocols for
+                       ONC RPC Version 2", RFC 1833, August 1995.
+
+   [Srinivasan-rpc]    Srinivasan, R., "RPC: Remote Procedure Call
+                       Protocol Specification Version 2", RFC 1831,
+                       August 1995.
+
+   [Srinivasan-xdr]    Srinivasan, R., "XDR: External Data
+                       Representation Standard", RFC 1832, August 1995.
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 22]
+
+RFC 2203           RPCSEC_GSS Protocol Specification      September 1997
+
+
+Authors' Addresses
+
+   Michael Eisler
+   Sun Microsystems, Inc.
+   M/S UCOS03
+   2550 Garcia Avenue
+   Mountain View, CA 94043
+
+   Phone: +1 (719) 599-9026
+   EMail: mre@eng.sun.com
+
+
+   Alex Chiu
+   Sun Microsystems, Inc.
+   M/S UMPK17-203
+   2550 Garcia Avenue
+   Mountain View, CA 94043
+
+   Phone: +1 (415) 786-6465
+   EMail: hacker@eng.sun.com
+
+
+   Lin Ling
+   Sun Microsystems, Inc.
+   M/S UMPK17-201
+   2550 Garcia Avenue
+   Mountain View, CA 94043
+
+   Phone: +1 (415) 786-5084
+   EMail: lling@eng.sun.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eisler, et. al.             Standards Track                    [Page 23]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc2228.txt b/crypto/heimdal/doc/standardisation/rfc2228.txt
new file mode 100644
index 0000000..1fbfcbf
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc2228.txt
@@ -0,0 +1,1515 @@
+
+
+
+
+
+
+Network Working Group                                        M. Horowitz
+Request for Comments: 2228                              Cygnus Solutions
+Updates: 959                                                     S. Lunt
+Category: Standards Track                                       Bellcore
+                                                            October 1997
+
+                        FTP Security Extensions
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (1997).  All Rights Reserved.
+
+Abstract
+
+   This document defines extensions to the FTP specification STD 9, RFC
+   959, "FILE TRANSFER PROTOCOL (FTP)" (October 1985).  These extensions
+   provide strong authentication, integrity, and confidentiality on both
+   the control and data channels with the introduction of new optional
+   commands, replies, and file transfer encodings.
+
+   The following new optional commands are introduced in this
+   specification:
+
+      AUTH (Authentication/Security Mechanism),
+      ADAT (Authentication/Security Data),
+      PROT (Data Channel Protection Level),
+      PBSZ (Protection Buffer Size),
+      CCC (Clear Command Channel),
+      MIC (Integrity Protected Command),
+      CONF (Confidentiality Protected Command), and
+      ENC (Privacy Protected Command).
+
+   A new class of reply types (6yz) is also introduced for protected
+   replies.
+
+   None of the above commands are required to be implemented, but
+   interdependencies exist.  These dependencies are documented with the
+   commands.
+
+   Note that this specification is compatible with STD 9, RFC 959.
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 1]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+1.  Introduction
+
+   The File Transfer Protocol (FTP) currently defined in STD 9, RFC 959
+   and in place on the Internet uses usernames and passwords passed in
+   cleartext to authenticate clients to servers (via the USER and PASS
+   commands).  Except for services such as "anonymous" FTP archives,
+   this represents a security risk whereby passwords can be stolen
+   through monitoring of local and wide-area networks.  This either aids
+   potential attackers through password exposure and/or limits
+   accessibility of files by FTP servers who cannot or will not accept
+   the inherent security risks.
+
+   Aside from the problem of authenticating users in a secure manner,
+   there is also the problem of authenticating servers, protecting
+   sensitive data and/or verifying its integrity.  An attacker may be
+   able to access valuable or sensitive data merely by monitoring a
+   network, or through active means may be able to delete or modify the
+   data being transferred so as to corrupt its integrity.  An active
+   attacker may also initiate spurious file transfers to and from a site
+   of the attacker's choice, and may invoke other commands on the
+   server.  FTP does not currently have any provision for the encryption
+   or verification of the authenticity of commands, replies, or
+   transferred data.  Note that these security services have value even
+   to anonymous file access.
+
+   Current practice for sending files securely is generally either:
+
+      1.  via FTP of files pre-encrypted under keys which are manually
+          distributed,
+
+      2.  via electronic mail containing an encoding of a file encrypted
+          under keys which are manually distributed,
+
+      3.  via a PEM message, or
+
+      4.  via the rcp command enhanced to use Kerberos.
+
+   None of these means could be considered even a de facto standard, and
+   none are truly interactive.  A need exists to securely transfer files
+   using FTP in a secure manner which is supported within the FTP
+   protocol in a consistent manner and which takes advantage of existing
+   security infrastructure and technology.  Extensions are necessary to
+   the FTP specification if these security services are to be introduced
+   into the protocol in an interoperable way.
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 2]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   Although the FTP control connection follows the Telnet protocol, and
+   Telnet has defined an authentication and encryption option [TELNET-
+   SEC], [RFC-1123] explicitly forbids the use of Telnet option
+   negotiation over the control connection (other than Synch and IP).
+
+   Also, the Telnet authentication and encryption option does not
+   provide for integrity protection only (without confidentiality), and
+   does not address the protection of the data channel.
+
+2.  FTP Security Overview
+
+   At the highest level, the FTP security extensions seek to provide an
+   abstract mechanism for authenticating and/or authorizing connections,
+   and integrity and/or confidentiality protecting commands, replies,
+   and data transfers.
+
+   In the context of FTP security, authentication is the establishment
+   of a client's identity and/or a server's identity in a secure way,
+   usually using cryptographic techniques.  The basic FTP protocol does
+   not have a concept of authentication.
+
+   Authorization is the process of validating a user for login.  The
+   basic authorization process involves the USER, PASS, and ACCT
+   commands.  With the FTP security extensions, authentication
+   established using a security mechanism may also be used to make the
+   authorization decision.
+
+   Without the security extensions, authentication of the client, as
+   this term is usually understood, never happens.  FTP authorization is
+   accomplished with a password, passed on the network in the clear as
+   the argument to the PASS command.  The possessor of this password is
+   assumed to be authorized to transfer files as the user named in the
+   USER command, but the identity of the client is never securely
+   established.
+
+   An FTP security interaction begins with a client telling the server
+   what security mechanism it wants to use with the AUTH command.  The
+   server will either accept this mechanism, reject this mechanism, or,
+   in the case of a server which does not implement the security
+   extensions, reject the command completely.  The client may try
+   multiple security mechanisms until it requests one which the server
+   accepts.  This allows a rudimentary form of negotiation to take
+   place.  (If more complex negotiation is desired, this may be
+   implemented as a security mechanism.)  The server's reply will
+   indicate if the client must respond with additional data for the
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 3]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   security mechanism to interpret.  If none is needed, this will
+   usually mean that the mechanism is one where the password (specified
+   by the PASS command) is to be interpreted differently, such as with a
+   token or one-time password system.
+
+   If the server requires additional security information, then the
+   client and server will enter into a security data exchange.  The
+   client will send an ADAT command containing the first block of
+   security data.  The server's reply will indicate if the data exchange
+   is complete, if there was an error, or if more data is needed.  The
+   server's reply can optionally contain security data for the client to
+   interpret.  If more data is needed, the client will send another ADAT
+   command containing the next block of data, and await the server's
+   reply.  This exchange can continue as many times as necessary.  Once
+   this exchange completes, the client and server have established a
+   security association.  This security association may include
+   authentication (client, server, or mutual) and keying information for
+   integrity and/or confidentiality, depending on the mechanism in use.
+
+   The term "security data" here is carefully chosen.  The purpose of
+   the security data exchange is to establish a security association,
+   which might not actually include any authentication at all, between
+   the client and the server as described above.  For instance, a
+   Diffie-Hellman exchange establishes a secret key, but no
+   authentication takes place.  If an FTP server has an RSA key pair but
+   the client does not, then the client can authenticate the server, but
+   the server cannot authenticate the client.
+
+   Once a security association is established, authentication which is a
+   part of this association may be used instead of or in addition to the
+   standard username/password exchange for authorizing a user to connect
+   to the server.  A username specified by the USER command is always
+   required to specify the identity to be used on the server.
+
+   In order to prevent an attacker from inserting or deleting commands
+   on the control stream, if the security association supports
+   integrity, then the server and client must use integrity protection
+   on the control stream, unless it first transmits a CCC command to
+   turn off this requirement.  Integrity protection is performed with
+   the MIC and ENC commands, and the 63z reply codes.  The CCC command
+   and its reply must be transmitted with integrity protection.
+   Commands and replies may be transmitted without integrity (that is,
+   in the clear or with confidentiality only) only if no security
+   association is established, the negotiated security association does
+   not support integrity, or the CCC command has succeeded.
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 4]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   Once the client and server have negotiated with the PBSZ command an
+   acceptable buffer size for encapsulating protected data over the data
+   channel, the security mechanism may also be used to protect data
+   channel transfers.
+
+   Policy is not specified by this document.  In particular, client and
+   server implementations may choose to implement restrictions on what
+   operations can be performed depending on the security association
+   which exists.  For example, a server may require that a client
+   authorize via a security mechanism rather than using a password,
+   require that the client provide a one-time password from a token,
+   require at least integrity protection on the command channel, or
+   require that certain files only be transmitted encrypted.  An
+   anonymous ftp client might refuse to do file transfers without
+   integrity protection in order to insure the validity of files
+   downloaded.
+
+   No particular set of functionality is required, except as
+   dependencies described in the next section.  This means that none of
+   authentication, integrity, or confidentiality are required of an
+   implementation, although a mechanism which does none of these is not
+   of much use.  For example, it is acceptable for a mechanism to
+   implement only integrity protection, one-way authentication and/or
+   encryption, encryption without any authentication or integrity
+   protection, or any other subset of functionality if policy or
+   technical considerations make this desirable.  Of course, one peer
+   might require as a matter of policy stronger protection than the
+   other is able to provide, preventing perfect interoperability.
+
+3.  New FTP Commands
+
+   The following commands are optional, but dependent on each other.
+   They are extensions to the FTP Access Control Commands.
+
+   The reply codes documented here are generally described as
+   recommended, rather than required.  The intent is that reply codes
+   describing the full range of success and failure modes exist, but
+   that servers be allowed to limit information presented to the client.
+   For example, a server might implement a particular security
+   mechanism, but have a policy restriction against using it.  The
+   server should respond with a 534 reply code in this case, but may
+   respond with a 504 reply code if it does not wish to divulge that the
+   disallowed mechanism is supported.  If the server does choose to use
+   a different reply code than the recommended one, it should try to use
+   a reply code which only differs in the last digit.  In all cases, the
+   server must use a reply code which is documented as returnable from
+   the command received, and this reply code must begin with the same
+   digit as the recommended reply code for the situation.
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 5]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   AUTHENTICATION/SECURITY MECHANISM (AUTH)
+
+      The argument field is a Telnet string identifying a supported
+      mechanism.  This string is case-insensitive.  Values must be
+      registered with the IANA, except that values beginning with "X-"
+      are reserved for local use.
+
+      If the server does not recognize the AUTH command, it must respond
+      with reply code 500.  This is intended to encompass the large
+      deployed base of non-security-aware ftp servers, which will
+      respond with reply code 500 to any unrecognized command.  If the
+      server does recognize the AUTH command but does not implement the
+      security extensions, it should respond with reply code 502.
+
+      If the server does not understand the named security mechanism, it
+      should respond with reply code 504.
+
+      If the server is not willing to accept the named security
+      mechanism, it should respond with reply code 534.
+
+      If the server is not able to accept the named security mechanism,
+      such as if a required resource is unavailable, it should respond
+      with reply code 431.
+
+      If the server is willing to accept the named security mechanism,
+      but requires security data, it must respond with reply code 334.
+
+      If the server is willing to accept the named security mechanism,
+      and does not require any security data, it must respond with reply
+      code 234.
+
+      If the server is responding with a 334 reply code, it may include
+      security data as described in the next section.
+
+      Some servers will allow the AUTH command to be reissued in order
+      to establish new authentication.  The AUTH command, if accepted,
+      removes any state associated with prior FTP Security commands.
+      The server must also require that the user reauthorize (that is,
+      reissue some or all of the USER, PASS, and ACCT commands) in this
+      case (see section 4 for an explanation of "authorize" in this
+      context).
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 6]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   AUTHENTICATION/SECURITY DATA (ADAT)
+
+      The argument field is a Telnet string representing base 64 encoded
+      security data (see Section 9, "Base 64 Encoding").  If a reply
+      code indicating success is returned, the server may also use a
+      string of the form "ADAT=base64data" as the text part of the reply
+      if it wishes to convey security data back to the client.
+
+      The data in both cases is specific to the security mechanism
+      specified by the previous AUTH command.  The ADAT command, and the
+      associated replies, allow the client and server to conduct an
+      arbitrary security protocol.  The security data exchange must
+      include enough information for both peers to be aware of which
+      optional features are available.  For example, if the client does
+      not support data encryption, the server must be made aware of
+      this, so it will know not to send encrypted command channel
+      replies.  It is strongly recommended that the security mechanism
+      provide sequencing on the command channel, to insure that commands
+      are not deleted, reordered, or replayed.
+
+      The ADAT command must be preceded by a successful AUTH command,
+      and cannot be issued once a security data exchange completes
+      (successfully or unsuccessfully), unless it is preceded by an AUTH
+      command to reset the security state.
+
+      If the server has not yet received an AUTH command, or if a prior
+      security data exchange completed, but the security state has not
+      been reset with an AUTH command, it should respond with reply code
+      503.
+
+      If the server cannot base 64 decode the argument, it should
+      respond with reply code 501.
+
+      If the server rejects the security data (if a checksum fails, for
+      instance), it should respond with reply code 535.
+
+      If the server accepts the security data, and requires additional
+      data, it should respond with reply code 335.
+
+      If the server accepts the security data, but does not require any
+      additional data (i.e., the security data exchange has completed
+      successfully), it must respond with reply code 235.
+
+      If the server is responding with a 235 or 335 reply code, then it
+      may include security data in the text part of the reply as
+      specified above.
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 7]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      If the ADAT command returns an error, the security data exchange
+      will fail, and the client must reset its internal security state.
+      If the client becomes unsynchronized with the server (for example,
+      the server sends a 234 reply code to an AUTH command, but the
+      client has more data to transmit), then the client must reset the
+      server's security state.
+
+   PROTECTION BUFFER SIZE (PBSZ)
+
+      The argument is a decimal integer representing the maximum size,
+      in bytes, of the encoded data blocks to be sent or received during
+      file transfer.  This number shall be no greater than can be
+      represented in a 32-bit unsigned integer.
+
+      This command allows the FTP client and server to negotiate a
+      maximum protected buffer size for the connection.  There is no
+      default size; the client must issue a PBSZ command before it can
+      issue the first PROT command.
+
+      The PBSZ command must be preceded by a successful security data
+      exchange.
+
+      If the server cannot parse the argument, or if it will not fit in
+      32 bits, it should respond with a 501 reply code.
+
+      If the server has not completed a security data exchange with the
+      client, it should respond with a 503 reply code.
+
+      Otherwise, the server must reply with a 200 reply code.  If the
+      size provided by the client is too large for the server, it must
+      use a string of the form "PBSZ=number" in the text part of the
+      reply to indicate a smaller buffer size.  The client and the
+      server must use the smaller of the two buffer sizes if both buffer
+      sizes are specified.
+
+   DATA CHANNEL PROTECTION LEVEL (PROT)
+
+      The argument is a single Telnet character code specifying the data
+      channel protection level.
+
+      This command indicates to the server what type of data channel
+      protection the client and server will be using.  The following
+      codes are assigned:
+
+         C - Clear
+         S - Safe
+         E - Confidential
+         P - Private
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 8]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      The default protection level if no other level is specified is
+      Clear.  The Clear protection level indicates that the data channel
+      will carry the raw data of the file transfer, with no security
+      applied.  The Safe protection level indicates that the data will
+      be integrity protected.  The Confidential protection level
+      indicates that the data will be confidentiality protected.  The
+      Private protection level indicates that the data will be integrity
+      and confidentiality protected.
+
+      It is reasonable for a security mechanism not to provide all data
+      channel protection levels.  It is also reasonable for a mechanism
+      to provide more protection at a level than is required (for
+      instance, a mechanism might provide Confidential protection, but
+      include integrity-protection in that encoding, due to API or other
+      considerations).
+
+      The PROT command must be preceded by a successful protection
+      buffer size negotiation.
+
+      If the server does not understand the specified protection level,
+      it should respond with reply code 504.
+
+      If the current security mechanism does not support the specified
+      protection level, the server should respond with reply code 536.
+
+      If the server has not completed a protection buffer size
+      negotiation with the client, it should respond with a 503 reply
+      code.
+
+      The PROT command will be rejected and the server should reply 503
+      if no previous PBSZ command was issued.
+
+      If the server is not willing to accept the specified protection
+      level, it should respond with reply code 534.
+
+      If the server is not able to accept the specified protection
+      level, such as if a required resource is unavailable, it should
+      respond with reply code 431.
+
+      Otherwise, the server must reply with a 200 reply code to indicate
+      that the specified protection level is accepted.
+
+   CLEAR COMMAND CHANNEL (CCC)
+
+      This command does not take an argument.
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                     [Page 9]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      It is desirable in some environments to use a security mechanism
+      to authenticate and/or authorize the client and server, but not to
+      perform any integrity checking on the subsequent commands.  This
+      might be used in an environment where IP security is in place,
+      insuring that the hosts are authenticated and that TCP streams
+      cannot be tampered, but where user authentication is desired.
+
+      If unprotected commands are allowed on any connection, then an
+      attacker could insert a command on the control stream, and the
+      server would have no way to know that it was invalid.  In order to
+      prevent such attacks, once a security data exchange completes
+      successfully, if the security mechanism supports integrity, then
+      integrity (via the MIC or ENC command, and 631 or 632 reply) must
+      be used, until the CCC command is issued to enable non-integrity
+      protected control channel messages.  The CCC command itself must
+      be integrity protected.
+
+      Once the CCC command completes successfully, if a command is not
+      protected, then the reply to that command must also not be
+      protected.  This is to support interoperability with clients which
+      do not support protection once the CCC command has been issued.
+
+      This command must be preceded by a successful security data
+      exchange.
+
+      If the command is not integrity-protected, the server must respond
+      with a 533 reply code.
+
+      If the server is not willing to turn off the integrity
+      requirement, it should respond with a 534 reply code.
+
+      Otherwise, the server must reply with a 200 reply code to indicate
+      that unprotected commands and replies may now be used on the
+      command channel.
+
+   INTEGRITY PROTECTED COMMAND (MIC) and
+   CONFIDENTIALITY PROTECTED COMMAND (CONF) and
+   PRIVACY PROTECTED COMMAND (ENC)
+
+      The argument field of MIC is a Telnet string consisting of a base
+      64 encoded "safe" message produced by a security mechanism
+      specific message integrity procedure.  The argument field of CONF
+      is a Telnet string consisting of a base 64 encoded "confidential"
+      message produced by a security mechanism specific confidentiality
+      procedure.  The argument field of ENC is a Telnet string
+      consisting of a base 64 encoded "private" message produced by a
+      security mechanism specific message integrity and confidentiality
+      procedure.
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 10]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      The server will decode and/or verify the encoded message.
+
+      This command must be preceded by a successful security data
+      exchange.
+
+      A server may require that the first command after a successful
+      security data exchange be CCC, and not implement the protection
+      commands at all.  In this case, the server should respond with a
+      502 reply code.
+
+      If the server cannot base 64 decode the argument, it should
+      respond with a 501 reply code.
+
+      If the server has not completed a security data exchange with the
+      client, it should respond with a 503 reply code.
+
+      If the server has completed a security data exchange with the
+      client using a mechanism which supports integrity, and requires a
+      CCC command due to policy or implementation limitations, it should
+      respond with a 503 reply code.
+
+      If the server rejects the command because it is not supported by
+      the current security mechanism, the server should respond with
+      reply code 537.
+
+      If the server rejects the command (if a checksum fails, for
+      instance), it should respond with reply code 535.
+
+      If the server is not willing to accept the command (if privacy is
+      required by policy, for instance, or if a CONF command is received
+      before a CCC command), it should respond with reply code 533.
+
+      Otherwise, the command will be interpreted as an FTP command.  An
+      end-of-line code need not be included, but if one is included, it
+      must be a Telnet end-of-line code, not a local end-of-line code.
+
+      The server may require that, under some or all circumstances, all
+      commands be protected.  In this case, it should make a 533 reply
+      to commands other than MIC, CONF, and ENC.
+
+4.  Login Authorization
+
+   The security data exchange may, among other things, establish the
+   identity of the client in a secure way to the server.  This identity
+   may be used as one input to the login authorization process.
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 11]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   In response to the FTP login commands (AUTH, PASS, ACCT), the server
+   may choose to change the sequence of commands and replies specified
+   by RFC 959 as follows.  There are also some new replies available.
+
+   If the server is willing to allow the user named by the USER command
+   to log in based on the identity established by the security data
+   exchange, it should respond with reply code 232.
+
+   If the security mechanism requires a challenge/response password, it
+   should respond to the USER command with reply code 336.  The text
+   part of the reply should contain the challenge.  The client must
+   display the challenge to the user before prompting for the password
+   in this case.  This is particularly relevant to more sophisticated
+   clients or graphical user interfaces which provide dialog boxes or
+   other modal input.  These clients should be careful not to prompt for
+   the password before the username has been sent to the server, in case
+   the user needs the challenge in the 336 reply to construct a valid
+   password.
+
+5.  New FTP Replies
+
+   The new reply codes are divided into two classes.  The first class is
+   new replies made necessary by the new FTP Security commands.  The
+   second class is a new reply type to indicate protected replies.
+
+   5.1.  New individual reply codes
+
+      232 User logged in, authorized by security data exchange.
+      234 Security data exchange complete.
+      235 [ADAT=base64data]
+            ; This reply indicates that the security data exchange
+            ; completed successfully.  The square brackets are not
+            ; to be included in the reply, but indicate that
+            ; security data in the reply is optional.
+
+      334 [ADAT=base64data]
+            ; This reply indicates that the requested security mechanism
+            ; is ok, and includes security data to be used by the client
+            ; to construct the next command.  The square brackets are not
+            ; to be included in the reply, but indicate that
+            ; security data in the reply is optional.
+      335 [ADAT=base64data]
+            ; This reply indicates that the security data is
+            ; acceptable, and more is required to complete the
+            ; security data exchange.  The square brackets
+            ; are not to be included in the reply, but indicate
+            ; that security data in the reply is optional.
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 12]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      336 Username okay, need password.  Challenge is "...."
+            ; The exact representation of the challenge should be chosen
+            ; by the mechanism to be sensible to the human user of the
+            ; system.
+
+      431 Need some unavailable resource to process security.
+
+      533 Command protection level denied for policy reasons.
+      534 Request denied for policy reasons.
+      535 Failed security check (hash, sequence, etc).
+      536 Requested PROT level not supported by mechanism.
+      537 Command protection level not supported by security mechanism.
+
+   5.2.  Protected replies.
+
+      One new reply type is introduced:
+
+         6yz   Protected reply
+
+            There are three reply codes of this type.  The first, reply
+            code 631 indicates an integrity protected reply.  The
+            second, reply code 632, indicates a confidentiality and
+            integrity protected reply.  the third, reply code 633,
+            indicates a confidentiality protected reply.
+
+            The text part of a 631 reply is a Telnet string consisting
+            of a base 64 encoded "safe" message produced by a security
+            mechanism specific message integrity procedure.  The text
+            part of a 632 reply is a Telnet string consisting of a base
+            64 encoded "private" message produced by a security
+            mechanism specific message confidentiality and integrity
+            procedure.  The text part of a 633 reply is a Telnet string
+            consisting of a base 64 encoded "confidential" message
+            produced by a security mechanism specific message
+            confidentiality procedure.
+
+            The client will decode and verify the encoded reply.  How
+            failures decoding or verifying replies are handled is
+            implementation-specific.  An end-of-line code need not be
+            included, but if one is included, it must be a Telnet end-
+            of-line code, not a local end-of-line code.
+
+            A protected reply may only be sent if a security data
+            exchange has succeeded.
+
+            The 63z reply may be a multiline reply.  In this case, the
+            plaintext reply must be broken up into a number of
+            fragments.  Each fragment must be protected, then base 64
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 13]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+            encoded in order into a separate line of the multiline
+            reply.  There need not be any correspondence between the
+            line breaks in the plaintext reply and the encoded reply.
+            Telnet end-of-line codes must appear in the plaintext of the
+            encoded reply, except for the final end-of-line code, which
+            is optional.
+
+            The multiline reply must be formatted more strictly than the
+            continuation specification in RFC 959.  In particular, each
+            line before the last must be formed by the reply code,
+            followed immediately by a hyphen, followed by a base 64
+            encoded fragment of the reply.
+
+            For example, if the plaintext reply is
+
+               123-First line
+               Second line
+                 234 A line beginning with numbers
+               123 The last line
+
+            then the resulting protected reply could be any of the
+            following (the first example has a line break only to fit
+            within the margins):
+
+  631 base64(protect("123-First line\r\nSecond line\r\n  234 A line
+  631-base64(protect("123-First line\r\n"))
+  631-base64(protect("Second line\r\n"))
+  631-base64(protect("  234 A line beginning with numbers\r\n"))
+  631 base64(protect("123 The last line"))
+
+  631-base64(protect("123-First line\r\nSecond line\r\n  234 A line b"))
+  631 base64(protect("eginning with numbers\r\n123 The last line\r\n"))
+
+6.  Data Channel Encapsulation
+
+   When data transfers are protected between the client and server (in
+   either direction), certain transformations and encapsulations must be
+   performed so that the recipient can properly decode the transmitted
+   file.
+
+   The sender must apply all protection services after transformations
+   associated with the representation type, file structure, and transfer
+   mode have been performed.  The data sent over the data channel is,
+   for the purposes of protection, to be treated as a byte stream.
+
+   When performing a data transfer in an authenticated manner, the
+   authentication checks are performed on individual blocks of the file,
+   rather than on the file as a whole. Consequently, it is possible for
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 14]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   insertion attacks to insert blocks into the data stream (i.e.,
+   replays) that authenticate correctly, but result in a corrupted file
+   being undetected by the receiver. To guard against such attacks, the
+   specific security mechanism employed should include mechanisms to
+   protect against such attacks.  Many GSS-API mechanisms usable with
+   the specification in Appendix I, and the Kerberos mechanism in
+   Appendix II do so.
+
+   The sender must take the input byte stream, and break it up into
+   blocks such that each block, when encoded using a security mechanism
+   specific procedure, will be no larger than the buffer size negotiated
+   by the client with the PBSZ command.  Each block must be encoded,
+   then transmitted with the length of the encoded block prepended as a
+   four byte unsigned integer, most significant byte first.
+
+   When the end of the file is reached, the sender must encode a block
+   of zero bytes, and send this final block to the recipient before
+   closing the data connection.
+
+   The recipient will read the four byte length, read a block of data
+   that many bytes long, then decode and verify this block with a
+   security mechanism specific procedure.  This must be repeated until a
+   block encoding a buffer of zero bytes is received.  This indicates
+   the end of the encoded byte stream.
+
+   Any transformations associated with the representation type, file
+   structure, and transfer mode are to be performed by the recipient on
+   the byte stream resulting from the above process.
+
+   When using block transfer mode, the sender's (cleartext) buffer size
+   is independent of the block size.
+
+   The server will reply 534 to a STOR, STOU, RETR, LIST, NLST, or APPE
+   command if the current protection level is not at the level dictated
+   by the server's security requirements for the particular file
+   transfer.
+
+   If any data protection services fail at any time during data transfer
+   at the server end (including an attempt to send a buffer size greater
+   than the negotiated maximum), the server will send a 535 reply to the
+   data transfer command (either STOR, STOU, RETR, LIST, NLST, or APPE).
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 15]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+7.  Potential policy considerations
+
+   While there are no restrictions on client and server policy, there
+   are a few recommendations which an implementation should implement.
+
+    - Once a security data exchange takes place, a server should require
+      all commands be protected (with integrity and/or confidentiality),
+      and it should protect all replies.  Replies should use the same
+      level of protection as the command which produced them.  This
+      includes replies which indicate failure of the MIC, CONF, and ENC
+      commands.  In particular, it is not meaningful to require that
+      AUTH and ADAT be protected; it is meaningful and useful to require
+      that PROT and PBSZ be protected.  In particular, the use of CCC is
+      not recommended, but is defined in the interest of
+      interoperability between implementations which might desire such
+      functionality.
+
+    - A client should encrypt the PASS command whenever possible.  It is
+      reasonable for the server to refuse to accept a non-encrypted PASS
+      command if the server knows encryption is available.
+
+    - Although no security commands are required to be implemented, it
+      is recommended that an implementation provide all commands which
+      can be implemented, given the mechanisms supported and the policy
+      considerations of the site (export controls, for instance).
+
+8.  Declarative specifications
+
+   These sections are modelled after sections 5.3 and 5.4 of RFC 959,
+   which describe the same information, except for the standard FTP
+   commands and replies.
+
+   8.1.  FTP Security commands and arguments
+
+      AUTH <SP> <mechanism-name> <CRLF>
+      ADAT <SP> <base64data> <CRLF>
+      PROT <SP> <prot-code> <CRLF>
+      PBSZ <SP> <decimal-integer> <CRLF>
+      MIC <SP> <base64data> <CRLF>
+      CONF <SP> <base64data> <CRLF>
+      ENC <SP> <base64data> <CRLF>
+
+      <mechanism-name> ::= <string>
+      <base64data> ::= <string>
+              ; must be formatted as described in section 9
+      <prot-code> ::= C | S | E | P
+      <decimal-integer> ::= any decimal integer from 1 to (2^32)-1
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 16]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   8.2.  Command-Reply sequences
+
+      Security Association Setup
+         AUTH
+            234
+            334
+            502, 504, 534, 431
+            500, 501, 421
+         ADAT
+            235
+            335
+            503, 501, 535
+            500, 501, 421
+      Data protection negotiation commands
+         PBSZ
+            200
+            503
+            500, 501, 421, 530
+         PROT
+            200
+            504, 536, 503, 534, 431
+            500, 501, 421, 530
+      Command channel protection commands
+         MIC
+            535, 533
+            500, 501, 421
+         CONF
+            535, 533
+            500, 501, 421
+         ENC
+            535, 533
+            500, 501, 421
+      Security-Enhanced login commands (only new replies listed)
+         USER
+            232
+            336
+      Data channel commands (only new replies listed)
+         STOR
+            534, 535
+         STOU
+            534, 535
+         RETR
+            534, 535
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 17]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+         LIST
+            534, 535
+         NLST
+            534, 535
+         APPE
+            534, 535
+
+      In addition to these reply codes, any security command can return
+      500, 501, 502, 533, or 421.  Any ftp command can return a reply
+      code encapsulated in a 631, 632, or 633 reply once a security data
+      exchange has completed successfully.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 18]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+9.  State Diagrams
+
+   This section includes a state diagram which demonstrates the flow of
+   authentication and authorization in a security enhanced FTP
+   implementation.  The rectangular blocks show states where the client
+   must issue a command, and the diamond blocks show states where the
+   server must issue a response.
+
+
+          ,------------------,  USER
+       __\| Unauthenticated  |_________\
+      |  /| (new connection) |         /|
+      |   `------------------'          |
+      |            |                    |
+      |            | AUTH               |
+      |            V                    |
+      |           / \                   |
+      | 4yz,5yz  /   \   234            |
+      |<--------<     >------------->.  |
+      |          \   /               |  |
+      |           \_/                |  |
+      |            |                 |  |
+      |            | 334             |  |
+      |            V                 |  |
+      |  ,--------------------,      |  |
+      |  | Need Security Data |<--.  |  |
+      |  `--------------------'   |  |  |
+      |            |              |  |  |
+      |            | ADAT         |  |  |
+      |            V              |  |  |
+      |           / \             |  |  |
+      | 4yz,5yz  /   \   335      |  |  |
+      `<--------<     >-----------'  |  |
+                 \   /               |  |
+                  \_/                |  |
+                   |                 |  |
+                   | 235             |  |
+                   V                 |  |
+           ,---------------.         |  |
+      ,--->| Authenticated |<--------'  |  After the client and server
+      |    `---------------'            |  have completed authenti-
+      |            |                    |  cation, command must be
+      |            | USER               |  integrity-protected if
+      |            |                    |  integrity is available.  The
+      |            |<-------------------'  CCC command may be issued to
+      |            V                       relax this restriction.
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 19]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+      |           / \
+      | 4yz,5yz  /   \   2yz
+      |<--------<     >------------->.
+      |          \   /               |
+      |           \_/                |
+      |            |                 |
+      |            | 3yz             |
+      |            V                 |
+      |    ,---------------.         |
+      |    | Need Password |         |
+      |    `---------------'         |
+      |            |                 |
+      |            | PASS            |
+      |            V                 |
+      |           / \                |
+      | 4yz,5yz  /   \   2yz         |
+      |<--------<     >------------->|
+      |          \   /               |
+      |           \_/                |
+      |            |                 |
+      |            | 3yz             |
+      |            V                 |
+      |    ,--------------.          |
+      |    | Need Account |          |
+      |    `--------------'          |
+      |            |                 |
+      |            | ACCT            |
+      |            V                 |
+      |           / \                |
+      | 4yz,5yz  /   \   2yz         |
+      `<--------<     >------------->|
+                 \   /               |
+                  \_/                |
+                   |                 |
+                   | 3yz             |
+                   V                 |
+             ,-------------.         |
+             | Authorized  |/________|
+             | (Logged in) |\
+             `-------------'
+
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 20]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+10.  Base 64 Encoding
+
+   Base 64 encoding is the same as the Printable Encoding described in
+   Section 4.3.2.4 of [RFC-1421], except that line breaks must not be
+   included. This encoding is defined as follows.
+
+   Proceeding from left to right, the bit string resulting from the
+   mechanism specific protection routine is encoded into characters
+   which are universally representable at all sites, though not
+   necessarily with the same bit patterns (e.g., although the character
+   "E" is represented in an ASCII-based system as hexadecimal 45 and as
+   hexadecimal C5 in an EBCDIC-based system, the local significance of
+   the two representations is equivalent).
+
+   A 64-character subset of International Alphabet IA5 is used, enabling
+   6 bits to be represented per printable character.  (The proposed
+   subset of characters is represented identically in IA5 and ASCII.)
+   The character "=" signifies a special processing function used for
+   padding within the printable encoding procedure.
+
+   The encoding process represents 24-bit groups of input bits as output
+   strings of 4 encoded characters.  Proceeding from left to right
+   across a 24-bit input group output from the security mechanism
+   specific message protection procedure, each 6-bit group is used as an
+   index into an array of 64 printable characters, namely "[A-Z][a-
+   z][0-9]+/".  The character referenced by the index is placed in the
+   output string.  These characters are selected so as to be universally
+   representable, and the set excludes characters with particular
+   significance to Telnet (e.g., "<CR>", "<LF>", IAC).
+
+   Special processing is performed if fewer than 24 bits are available
+   in an input group at the end of a message.  A full encoding quantum
+   is always completed at the end of a message.  When fewer than 24
+   input bits are available in an input group, zero bits are added (on
+   the right) to form an integral number of 6-bit groups.  Output
+   character positions which are not required to represent actual input
+   data are set to the character "=".  Since all canonically encoded
+   output is an integral number of octets, only the following cases can
+   arise: (1) the final quantum of encoding input is an integral
+   multiple of 24 bits; here, the final unit of encoded output will be
+   an integral multiple of 4 characters with no "=" padding, (2) the
+   final quantum of encoding input is exactly 8 bits; here, the final
+   unit of encoded output will be two characters followed by two "="
+   padding characters, or (3) the final quantum of encoding input is
+   exactly 16 bits; here, the final unit of encoded output will be three
+   characters followed by one "=" padding character.
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 21]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   Implementors must keep in mind that the base 64 encodings in ADAT,
+   MIC, CONF, and ENC commands, and in 63z replies may be arbitrarily
+   long.  Thus, the entire line must be read before it can be processed.
+   Several successive reads on the control channel may be necessary.  It
+   is not appropriate to for a server to reject a command containing a
+   base 64 encoding simply because it is too long (assuming that the
+   decoding is otherwise well formed in the context in which it was
+   sent).
+
+   Case must not be ignored when reading commands and replies containing
+   base 64 encodings.
+
+11.  Security Considerations
+
+   This entire document deals with security considerations related to
+   the File Transfer Protocol.
+
+   Third party file transfers cannot be secured using these extensions,
+   since a security context cannot be established between two servers
+   using these facilities (no control connection exists between servers
+   over which to pass ADAT tokens).  Further work in this area is
+   deferred.
+
+12.  Acknowledgements
+
+   I would like to thank the members of the CAT WG, as well as all
+   participants in discussions on the "cat-ietf@mit.edu" mailing list,
+   for their contributions to this document.  I would especially like to
+   thank Sam Sjogren, John Linn, Ted Ts'o, Jordan Brown, Michael Kogut,
+   Derrick Brashear, John Gardiner Myers, Denis Pinkas, and Karri Balk
+   for their contributions to this work.  Of course, without Steve Lunt,
+   the author of the first six revisions of this document, it would not
+   exist at all.
+
+13.  References
+
+   [TELNET-SEC] Borman, D., "Telnet Authentication and Encryption
+      Option", Work in Progress.
+
+   [RFC-1123] Braden, R., "Requirements for Internet Hosts --
+      Application and Support", STD 3, RFC 1123, October 1989.
+
+   [RFC-1421] Linn, J., "Privacy Enhancement for Internet Electronic
+      Mail: Part I: Message Encryption and Authentication Procedures",
+      RFC 1421, February 1993.
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 22]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+14.  Author's Address
+
+   Marc Horowitz
+   Cygnus Solutions
+   955 Massachusetts Avenue
+   Cambridge, MA 02139
+
+   Phone: +1 617 354 7688
+   EMail: marc@cygnus.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 23]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+Appendix I: Specification under the GSSAPI
+
+   In order to maximise the utility of new security mechanisms, it is
+   desirable that new mechanisms be implemented as GSSAPI mechanisms
+   rather than as FTP security mechanisms.  This will enable existing
+   ftp implementations to support the new mechanisms more easily, since
+   little or no code will need to be changed.  In addition, the
+   mechanism will be usable by other protocols, such as IMAP, which are
+   built on top of the GSSAPI, with no additional specification or
+   implementation work needed by the mechanism designers.
+
+   The security mechanism name (for the AUTH command) associated with
+   all mechanisms employing the GSSAPI is GSSAPI.  If the server
+   supports a security mechanism employing the GSSAPI, it must respond
+   with a 334 reply code indicating that an ADAT command is expected
+   next.
+
+   The client must begin the authentication exchange by calling
+   GSS_Init_Sec_Context, passing in 0 for input_context_handle
+   (initially), and a targ_name equal to output_name from
+   GSS_Import_Name called with input_name_type of Host-Based Service and
+   input_name_string of "ftp@hostname" where "hostname" is the fully
+   qualified host name of the server with all letters in lower case.
+   (Failing this, the client may try again using input_name_string of
+   "host@hostname".) The output_token must then be base 64 encoded and
+   sent to the server as the argument to an ADAT command.  If
+   GSS_Init_Sec_Context returns GSS_S_CONTINUE_NEEDED, then the client
+   must expect a token to be returned in the reply to the ADAT command.
+   This token must subsequently be passed to another call to
+   GSS_Init_Sec_Context.  In this case, if GSS_Init_Sec_Context returns
+   no output_token, then the reply code from the server for the previous
+   ADAT command must have been 235.  If GSS_Init_Sec_Context returns
+   GSS_S_COMPLETE, then no further tokens are expected from the server,
+   and the client must consider the server authenticated.
+
+   The server must base 64 decode the argument to the ADAT command and
+   pass the resultant token to GSS_Accept_Sec_Context as input_token,
+   setting acceptor_cred_handle to NULL (for "use default credentials"),
+   and 0 for input_context_handle (initially).  If an output_token is
+   returned, it must be base 64 encoded and returned to the client by
+   including "ADAT=base64string" in the text of the reply.  If
+   GSS_Accept_Sec_Context returns GSS_S_COMPLETE, the reply code must be
+   235, and the server must consider the client authenticated.  If
+   GSS_Accept_Sec_Context returns GSS_S_CONTINUE_NEEDED, the reply code
+   must be 335.  Otherwise, the reply code should be 535, and the text
+   of the reply should contain a descriptive error message.
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 24]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   The chan_bindings input to GSS_Init_Sec_Context and
+   GSS_Accept_Sec_Context should use the client internet address and
+   server internet address as the initiator and acceptor addresses,
+   respectively.  The address type for both should be GSS_C_AF_INET. No
+   application data should be specified.
+
+   Since GSSAPI supports anonymous peers to security contexts, it is
+   possible that the client's authentication of the server does not
+   actually establish an identity.
+
+   The procedure associated with MIC commands, 631 replies, and Safe
+   file transfers is:
+
+      GSS_Wrap for the sender, with conf_flag == FALSE
+
+      GSS_Unwrap for the receiver
+
+   The procedure associated with ENC commands, 632 replies, and Private
+   file transfers is:
+
+      GSS_Wrap for the sender, with conf_flag == TRUE
+      GSS_Unwrap for the receiver
+
+   CONF commands and 633 replies are not supported.
+
+   Both the client and server should inspect the value of conf_avail to
+   determine whether the peer supports confidentiality services.
+
+   When the security state is reset (when AUTH is received a second
+   time, or when REIN is received), this should be done by calling the
+   GSS_Delete_sec_context function.
+
+Appendix II:  Specification under Kerberos version 4
+
+   The security mechanism name (for the AUTH command) associated with
+   Kerberos Version 4 is KERBEROS_V4.  If the server supports
+   KERBEROS_V4, it must respond with a 334 reply code indicating that an
+   ADAT command is expected next.
+
+   The client must retrieve a ticket for the Kerberos principal
+   "ftp.hostname@realm" by calling krb_mk_req(3) with a principal name
+   of "ftp", an instance equal to the first part of the canonical host
+   name of the server with all letters in lower case (as returned by
+   krb_get_phost(3)), the server's realm name (as returned by
+   krb_realmofhost(3)), and an arbitrary checksum.  The ticket must then
+   be base 64 encoded and sent as the argument to an ADAT command.
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 25]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+   If the "ftp" principal name is not a registered principal in the
+   Kerberos database, then the client may fall back on the "rcmd"
+   principal name (same instance and realm).  However, servers must
+   accept only one or the other of these principal names, and must not
+   be willing to accept either.  Generally, if the server has a key for
+   the "ftp" principal in its srvtab, then that principal only must be
+   used, otherwise the "rcmd" principal only must be used.
+
+   The server must base 64 decode the argument to the ADAT command and
+   pass the result to krb_rd_req(3).  The server must add one to the
+   checksum from the authenticator, convert the result to network byte
+   order (most significant byte first), and sign it using
+   krb_mk_safe(3), and base 64 encode the result.  Upon success, the
+   server must reply to the client with a 235 code and include
+   "ADAT=base64string" in the text of the reply.  Upon failure, the
+   server should reply 535.
+
+   Upon receipt of the 235 reply from the server, the client must parse
+   the text of the reply for the base 64 encoded data, decode it,
+   convert it from network byte order, and pass the result to
+   krb_rd_safe(3).  The client must consider the server authenticated if
+   the resultant checksum is equal to one plus the value previously
+   sent.
+
+   The procedure associated with MIC commands, 631 replies, and Safe
+   file transfers is:
+
+      krb_mk_safe(3) for the sender
+      krb_rd_safe(3) for the receiver
+
+   The procedure associated with ENC commands, 632 replies, and Private
+   file transfers is:
+
+      krb_mk_priv(3) for the sender
+      krb_rd_priv(3) for the receiver
+
+   CONF commands and 633 replies are not supported.
+
+   Note that this specification for KERBEROS_V4 contains no provision
+   for negotiating alternate means for integrity and confidentiality
+   routines.  Note also that the ADAT exchange does not convey whether
+   the peer supports confidentiality services.
+
+   In order to stay within the allowed PBSZ, implementors must take note
+   that a cleartext buffer will grow by 31 bytes when processed by
+   krb_mk_safe(3) and will grow by 26 bytes when processed by
+   krb_mk_priv(3).
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 26]
+
+RFC 2228                FTP Security Extensions             October 1997
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (1997).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implmentation may be prepared, copied, published
+   andand distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Horowitz & Lunt             Standards Track                    [Page 27]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc2743.txt b/crypto/heimdal/doc/standardisation/rfc2743.txt
new file mode 100644
index 0000000..e5da571
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc2743.txt
@@ -0,0 +1,5659 @@
+
+
+
+
+
+
+Network Working Group                                            J. Linn
+Request for Comments: 2743                              RSA Laboratories
+Obsoletes: 2078                                             January 2000
+Category: Standards Track
+
+
+         Generic Security Service Application Program Interface
+                          Version 2, Update 1
+
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+Abstract
+
+   The Generic Security Service Application Program Interface (GSS-API),
+   Version 2, as defined in [RFC-2078], provides security services to
+   callers in a generic fashion, supportable with a range of underlying
+   mechanisms and technologies and hence allowing source-level
+   portability of applications to different environments. This
+   specification defines GSS-API services and primitives at a level
+   independent of underlying mechanism and programming language
+   environment, and is to be complemented by other, related
+   specifications:
+
+      documents defining specific parameter bindings for particular
+      language environments
+
+      documents defining token formats, protocols, and procedures to be
+      implemented in order to realize GSS-API services atop particular
+      security mechanisms
+
+   This memo obsoletes [RFC-2078], making specific, incremental changes
+   in response to implementation experience and liaison requests. It is
+   intended, therefore, that this memo or a successor version thereto
+   will become the basis for subsequent progression of the GSS-API
+   specification on the standards track.
+
+
+
+
+
+Linn                        Standards Track                     [Page 1]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+TABLE OF CONTENTS
+
+   1: GSS-API Characteristics and Concepts . . . . . . . . . . . .  4
+   1.1: GSS-API Constructs . . . . . . . . . . . . . . . . . . . .  6
+   1.1.1:  Credentials . . . . . . . . . . . . . . . . . . . . . .  6
+   1.1.1.1: Credential Constructs and Concepts . . . . . . . . . .  6
+   1.1.1.2: Credential Management  . . . . . . . . . . . . . . . .  7
+   1.1.1.3: Default Credential Resolution  . . . . . . . . . . . .  8
+   1.1.2: Tokens . . . . . . . . . . . . . . . . . . . . . . . . .  9
+   1.1.3:  Security Contexts . . . . . . . . . . . . . . . . . . . 11
+   1.1.4:  Mechanism Types . . . . . . . . . . . . . . . . . . . . 12
+   1.1.5:  Naming  . . . . . . . . . . . . . . . . . . . . . . . . 13
+   1.1.6:  Channel Bindings  . . . . . . . . . . . . . . . . . . . 16
+   1.2:  GSS-API Features and Issues . . . . . . . . . . . . . . . 17
+   1.2.1:  Status Reporting  and Optional Service Support  . . . . 17
+   1.2.1.1: Status Reporting . . . . . . . . . . . . . . . . . . . 17
+   1.2.1.2: Optional Service Support . . . . . . . . . . . . . . . 19
+   1.2.2: Per-Message Security Service Availability  . . . . . . . 20
+   1.2.3: Per-Message Replay Detection and Sequencing  . . . . . . 21
+   1.2.4:  Quality of Protection . . . . . . . . . . . . . . . . . 24
+   1.2.5: Anonymity Support  . . . . . . . . . . . . . . . . . . . 25
+   1.2.6: Initialization . . . . . . . . . . . . . . . . . . . . . 25
+   1.2.7: Per-Message Protection During Context Establishment  . . 26
+   1.2.8: Implementation Robustness  . . . . . . . . . . . . . . . 27
+   1.2.9: Delegation . . . . . . . . . . . . . . . . . . . . . . . 28
+   1.2.10: Interprocess Context Transfer . . . . . . . . . . . . . 28
+   2:  Interface Descriptions  . . . . . . . . . . . . . . . . . . 29
+   2.1:  Credential management calls . . . . . . . . . . . . . . . 31
+   2.1.1:  GSS_Acquire_cred call . . . . . . . . . . . . . . . . . 31
+   2.1.2:  GSS_Release_cred call . . . . . . . . . . . . . . . . . 34
+   2.1.3:  GSS_Inquire_cred call . . . . . . . . . . . . . . . . . 35
+   2.1.4:  GSS_Add_cred call . . . . . . . . . . . . . . . . . . . 37
+   2.1.5:  GSS_Inquire_cred_by_mech call . . . . . . . . . . . . . 40
+   2.2:  Context-level calls . . . . . . . . . . . . . . . . . . . 41
+   2.2.1:  GSS_Init_sec_context call . . . . . . . . . . . . . . . 42
+   2.2.2:  GSS_Accept_sec_context call . . . . . . . . . . . . . . 49
+   2.2.3:  GSS_Delete_sec_context call . . . . . . . . . . . . . . 53
+   2.2.4:  GSS_Process_context_token call  . . . . . . . . . . . . 54
+   2.2.5:  GSS_Context_time call . . . . . . . . . . . . . . . . . 55
+   2.2.6:  GSS_Inquire_context call  . . . . . . . . . . . . . . . 56
+   2.2.7:  GSS_Wrap_size_limit call  . . . . . . . . . . . . . . . 57
+   2.2.8:  GSS_Export_sec_context call . . . . . . . . . . . . . . 59
+   2.2.9:  GSS_Import_sec_context call . . . . . . . . . . . . . . 61
+   2.3:  Per-message calls . . . . . . . . . . . . . . . . . . . . 62
+   2.3.1:  GSS_GetMIC call . . . . . . . . . . . . . . . . . . . . 63
+   2.3.2:  GSS_VerifyMIC call  . . . . . . . . . . . . . . . . . . 64
+   2.3.3:  GSS_Wrap call . . . . . . . . . . . . . . . . . . . . . 65
+   2.3.4:  GSS_Unwrap call . . . . . . . . . . . . . . . . . . . . 66
+
+
+
+Linn                        Standards Track                     [Page 2]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   2.4:  Support calls . . . . . . . . . . . . . . . . . . . . . . 68
+   2.4.1:  GSS_Display_status call . . . . . . . . . . . . . . . . 68
+   2.4.2:  GSS_Indicate_mechs call . . . . . . . . . . . . . . . . 69
+   2.4.3:  GSS_Compare_name call . . . . . . . . . . . . . . . . . 70
+   2.4.4:  GSS_Display_name call . . . . . . . . . . . . . . . . . 71
+   2.4.5:  GSS_Import_name call  . . . . . . . . . . . . . . . . . 72
+   2.4.6:  GSS_Release_name call . . . . . . . . . . . . . . . . . 73
+   2.4.7:  GSS_Release_buffer call . . . . . . . . . . . . . . . . 74
+   2.4.8:  GSS_Release_OID_set call  . . . . . . . . . . . . . . . 74
+   2.4.9:  GSS_Create_empty_OID_set call . . . . . . . . . . . . . 75
+   2.4.10: GSS_Add_OID_set_member call . . . . . . . . . . . . . . 76
+   2.4.11: GSS_Test_OID_set_member call  . . . . . . . . . . . . . 76
+   2.4.12: GSS_Inquire_names_for_mech call . . . . . . . . . . . . 77
+   2.4.13: GSS_Inquire_mechs_for_name call . . . . . . . . . . . . 77
+   2.4.14: GSS_Canonicalize_name call  . . . . . . . . . . . . . . 78
+   2.4.15: GSS_Export_name call  . . . . . . . . . . . . . . . . . 79
+   2.4.16: GSS_Duplicate_name call . . . . . . . . . . . . . . . . 80
+   3: Data Structure Definitions for GSS-V2 Usage  . . . . . . . . 81
+   3.1: Mechanism-Independent Token Format . . . . . . . . . . . . 81
+   3.2: Mechanism-Independent Exported Name Object Format  . . . . 84
+   4: Name Type Definitions  . . . . . . . . . . . . . . . . . . . 85
+   4.1: Host-Based Service Name Form . . . . . . . . . . . . . . . 85
+   4.2: User Name Form . . . . . . . . . . . . . . . . . . . . . . 86
+   4.3: Machine UID Form . . . . . . . . . . . . . . . . . . . . . 87
+   4.4: String UID Form  . . . . . . . . . . . . . . . . . . . . . 87
+   4.5: Anonymous Nametype . . . . . . . . . . . . . . . . . . . . 87
+   4.6: GSS_C_NO_OID . . . . . . . . . . . . . . . . . . . . . . . 88
+   4.7: Exported Name Object . . . . . . . . . . . . . . . . . . . 88
+   4.8: GSS_C_NO_NAME  . . . . . . . . . . . . . . . . . . . . . . 88
+   5:  Mechanism-Specific Example Scenarios  . . . . . . . . . . . 88
+   5.1: Kerberos V5, single-TGT  . . . . . . . . . . . . . . . . . 89
+   5.2: Kerberos V5, double-TGT  . . . . . . . . . . . . . . . . . 89
+   5.3:  X.509 Authentication Framework  . . . . . . . . . . . . . 90
+   6:  Security Considerations . . . . . . . . . . . . . . . . . . 91
+   7:  Related Activities  . . . . . . . . . . . . . . . . . . . . 92
+   8:  Referenced Documents  . . . . . . . . . . . . . . . . . . . 93
+   Appendix A: Mechanism Design Constraints  . . . . . . . . . . . 94
+   Appendix B: Compatibility with GSS-V1 . . . . . . . . . . . . . 94
+   Appendix C: Changes Relative to RFC-2078  . . . . . . . . . . . 96
+   Author's Address  . . . . . . . . . . . . . . . . . . . . . . .100
+   Full Copyright Statement  . . . . . . . . . . . . . . . . . . .101
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 3]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+1: GSS-API Characteristics and Concepts
+
+   GSS-API operates in the following paradigm.  A typical GSS-API caller
+   is itself a communications protocol, calling on GSS-API in order to
+   protect its communications with authentication, integrity, and/or
+   confidentiality security services.  A GSS-API caller accepts tokens
+   provided to it by its local GSS-API implementation and transfers the
+   tokens to a peer on a remote system; that peer passes the received
+   tokens to its local GSS-API implementation for processing. The
+   security services available through GSS-API in this fashion are
+   implementable (and have been implemented) over a range of underlying
+   mechanisms based on secret-key and public-key cryptographic
+   technologies.
+
+   The GSS-API separates the operations of initializing a security
+   context between peers, achieving peer entity authentication
+   (GSS_Init_sec_context() and GSS_Accept_sec_context() calls), from the
+   operations of providing per-message data origin authentication and
+   data integrity protection (GSS_GetMIC() and GSS_VerifyMIC() calls)
+   for messages subsequently transferred in conjunction with that
+   context.  (The definition for the peer entity authentication service,
+   and other definitions used in this document, corresponds to that
+   provided in [ISO-7498-2].) When establishing a security context, the
+   GSS-API enables a context initiator to optionally permit its
+   credentials to be delegated, meaning that the context acceptor may
+   initiate further security contexts on behalf of the initiating
+   caller. Per-message GSS_Wrap() and GSS_Unwrap() calls provide the
+   data origin authentication and data integrity services which
+   GSS_GetMIC() and GSS_VerifyMIC() offer, and also support selection of
+   confidentiality services as a caller option. Additional calls provide
+   supportive functions to the GSS-API's users.
+
+   The following paragraphs provide an example illustrating the
+   dataflows involved in use of the GSS-API by a client and server in a
+   mechanism-independent fashion, establishing a security context and
+   transferring a protected message. The example assumes that credential
+   acquisition has already been completed.  The example also assumes
+   that the underlying authentication technology is capable of
+   authenticating a client to a server using elements carried within a
+   single token, and of authenticating the server to the client (mutual
+   authentication) with a single returned token; this assumption holds
+   for some presently-documented CAT mechanisms but is not necessarily
+   true for other cryptographic technologies and associated protocols.
+
+   The client calls GSS_Init_sec_context() to establish a security
+   context to the server identified by targ_name, and elects to set the
+   mutual_req_flag so that mutual authentication is performed in the
+   course of context establishment. GSS_Init_sec_context() returns an
+
+
+
+Linn                        Standards Track                     [Page 4]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   output_token to be passed to the server, and indicates
+   GSS_S_CONTINUE_NEEDED status pending completion of the mutual
+   authentication sequence. Had mutual_req_flag not been set, the
+   initial call to GSS_Init_sec_context() would have returned
+   GSS_S_COMPLETE status. The client sends the output_token to the
+   server.
+
+   The server passes the received token as the input_token parameter to
+   GSS_Accept_sec_context().  GSS_Accept_sec_context indicates
+   GSS_S_COMPLETE status, provides the client's authenticated identity
+   in the src_name result, and provides an output_token to be passed to
+   the client. The server sends the output_token to the client.
+
+   The client passes the received token as the input_token parameter to
+   a successor call to GSS_Init_sec_context(), which processes data
+   included in the token in order to achieve mutual authentication from
+   the client's viewpoint. This call to GSS_Init_sec_context() returns
+   GSS_S_COMPLETE status, indicating successful mutual authentication
+   and the completion of context establishment for this example.
+
+   The client generates a data message and passes it to GSS_Wrap().
+   GSS_Wrap() performs data origin authentication, data integrity, and
+   (optionally) confidentiality processing on the message and
+   encapsulates the result into output_message, indicating
+   GSS_S_COMPLETE status. The client sends the output_message to the
+   server.
+
+   The server passes the received message to GSS_Unwrap().  GSS_Unwrap()
+   inverts the encapsulation performed by GSS_Wrap(), deciphers the
+   message if the optional confidentiality feature was applied, and
+   validates the data origin authentication and data integrity checking
+   quantities. GSS_Unwrap() indicates successful validation by returning
+   GSS_S_COMPLETE status along with the resultant output_message.
+
+   For purposes of this example, we assume that the server knows by
+   out-of-band means that this context will have no further use after
+   one protected message is transferred from client to server. Given
+   this premise, the server now calls GSS_Delete_sec_context() to flush
+   context-level information.  Optionally, the server-side application
+   may provide a token buffer to GSS_Delete_sec_context(), to receive a
+   context_token to be transferred to the client in order to request
+   that client-side context-level information be deleted.
+
+   If a context_token is transferred, the client passes the
+   context_token to GSS_Process_context_token(), which returns
+   GSS_S_COMPLETE status after deleting context-level information at the
+   client system.
+
+
+
+
+Linn                        Standards Track                     [Page 5]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   The GSS-API design assumes and addresses several basic goals,
+   including:
+
+      Mechanism independence: The GSS-API defines an interface to
+      cryptographically implemented strong authentication and other
+      security services at a generic level which is independent of
+      particular underlying mechanisms. For example, GSS-API-provided
+      services have been implemented using secret-key technologies
+      (e.g., Kerberos, per [RFC-1964]) and with public-key approaches
+      (e.g., SPKM, per [RFC-2025]).
+
+      Protocol environment independence: The GSS-API is independent of
+      the communications protocol suites with which it is employed,
+      permitting use in a broad range of protocol environments. In
+      appropriate environments, an intermediate implementation "veneer"
+      which is oriented to a particular communication protocol may be
+      interposed between applications which call that protocol and the
+      GSS-API (e.g., as defined in [RFC-2203] for Open Network Computing
+      Remote Procedure Call (RPC)), thereby invoking GSS-API facilities
+      in conjunction with that protocol's communications invocations.
+
+      Protocol association independence: The GSS-API's security context
+      construct is independent of communications protocol association
+      constructs. This characteristic allows a single GSS-API
+      implementation to be utilized by a variety of invoking protocol
+      modules on behalf of those modules' calling applications. GSS-API
+      services can also be invoked directly by applications, wholly
+      independent of protocol associations.
+
+      Suitability to a range of implementation placements: GSS-API
+      clients are not constrained to reside within any Trusted Computing
+      Base (TCB) perimeter defined on a system where the GSS-API is
+      implemented; security services are specified in a manner suitable
+      to both intra-TCB and extra-TCB callers.
+
+1.1: GSS-API Constructs
+
+   This section describes the basic elements comprising the GSS-API.
+
+1.1.1:  Credentials
+
+1.1.1.1: Credential Constructs and Concepts
+
+   Credentials provide the prerequisites which permit GSS-API peers to
+   establish security contexts with each other. A caller may designate
+   that the credential elements which are to be applied for context
+   initiation or acceptance be selected by default.  Alternately, those
+   GSS-API callers which need to make explicit selection of particular
+
+
+
+Linn                        Standards Track                     [Page 6]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   credentials structures may make references to those credentials
+   through GSS-API-provided credential handles ("cred_handles").  In all
+   cases, callers' credential references are indirect, mediated by GSS-
+   API implementations and not requiring callers to access the selected
+   credential elements.
+
+   A single credential structure may be used to initiate outbound
+   contexts and to accept inbound contexts. Callers needing to operate
+   in only one of these modes may designate this fact when credentials
+   are acquired for use, allowing underlying mechanisms to optimize
+   their processing and storage requirements. The credential elements
+   defined by a particular mechanism may contain multiple cryptographic
+   keys, e.g., to enable authentication and message encryption to be
+   performed with different algorithms.
+
+   A GSS-API credential structure may contain multiple credential
+   elements, each containing mechanism-specific information for a
+   particular underlying mechanism (mech_type), but the set of elements
+   within a given credential structure represent a common entity.  A
+   credential structure's contents will vary depending on the set of
+   mech_types supported by a particular GSS-API implementation. Each
+   credential element identifies the data needed by its mechanism in
+   order to establish contexts on behalf of a particular principal, and
+   may contain separate credential references for use in context
+   initiation and context acceptance.  Multiple credential elements
+   within a given credential having overlapping combinations of
+   mechanism, usage mode, and validity period are not permitted.
+
+   Commonly, a single mech_type will be used for all security contexts
+   established by a particular initiator to a particular target. A major
+   motivation for supporting credential sets representing multiple
+   mech_types is to allow initiators on systems which are equipped to
+   handle multiple types to initiate contexts to targets on other
+   systems which can accommodate only a subset of the set supported at
+   the initiator's system.
+
+1.1.1.2: Credential Management
+
+   It is the responsibility of underlying system-specific mechanisms and
+   OS functions below the GSS-API to ensure that the ability to acquire
+   and use credentials associated with a given identity is constrained
+   to appropriate processes within a system. This responsibility should
+   be taken seriously by implementors, as the ability for an entity to
+   utilize a principal's credentials is equivalent to the entity's
+   ability to successfully assert that principal's identity.
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 7]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Once a set of GSS-API credentials is established, the transferability
+   of that credentials set to other processes or analogous constructs
+   within a system is a local matter, not defined by the GSS-API. An
+   example local policy would be one in which any credentials received
+   as a result of login to a given user account, or of delegation of
+   rights to that account, are accessible by, or transferable to,
+   processes running under that account.
+
+   The credential establishment process (particularly when performed on
+   behalf of users rather than server processes) is likely to require
+   access to passwords or other quantities which should be protected
+   locally and exposed for the shortest time possible. As a result, it
+   will often be appropriate for preliminary credential establishment to
+   be performed through local means at user login time, with the
+   result(s) cached for subsequent reference. These preliminary
+   credentials would be set aside (in a system-specific fashion) for
+   subsequent use, either:
+
+      to be accessed by an invocation of the GSS-API GSS_Acquire_cred()
+      call, returning an explicit handle to reference that credential
+
+      to comprise default credential elements to be installed, and to be
+      used when default credential behavior is requested on behalf of a
+      process
+
+1.1.1.3: Default Credential Resolution
+
+   The GSS_Init_sec_context() and GSS_Accept_sec_context() routines
+   allow the value GSS_C_NO_CREDENTIAL to be specified as their
+   credential handle parameter.  This special credential handle
+   indicates a desire by the application to act as a default principal.
+   In support of application portability, support for the default
+   resolution behavior described below for initiator credentials
+   (GSS_Init_sec_context() usage) is mandated; support for the default
+   resolution behavior described below for acceptor credentials
+   (GSS_Accept_sec_context() usage) is recommended. If default
+   credential resolution fails, GSS_S_NO_CRED status is to be returned.
+
+      GSS_Init_sec_context:
+
+         (i) If there is only a single principal capable of initiating
+         security contexts that the application is authorized to act on
+         behalf of, then that principal shall be used, otherwise
+
+
+
+
+
+
+
+
+Linn                        Standards Track                     [Page 8]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+         (ii) If the platform maintains a concept of a default network-
+         identity, and if the application is authorized to act on behalf
+         of that identity for the purpose of initiating security
+         contexts, then the principal corresponding to that identity
+         shall be used, otherwise
+
+         (iii) If the platform maintains a concept of a default local
+         identity, and provides a means to map local identities into
+         network-identities, and if the application is authorized to act
+         on behalf of the network-identity image of the default local
+         identity for the purpose of initiating security contexts, then
+         the principal corresponding to that identity shall be used,
+         otherwise
+
+         (iv) A user-configurable default identity should be used.
+
+      GSS_Accept_sec_context:
+
+         (i) If there is only a single authorized principal identity
+         capable of accepting security contexts, then that principal
+         shall be used, otherwise
+
+         (ii) If the mechanism can determine the identity of the target
+         principal by examining the context-establishment token, and if
+         the accepting application is authorized to act as that
+         principal for the purpose of accepting security contexts, then
+         that principal identity shall be used, otherwise
+
+         (iii) If the mechanism supports context acceptance by any
+         principal, and mutual authentication was not requested, any
+         principal that the application is authorized to accept security
+         contexts under may be used, otherwise
+
+         (iv) A user-configurable default identity shall be used.
+
+   The purpose of the above rules is to allow security contexts to be
+   established by both initiator and acceptor using the default behavior
+   wherever possible.  Applications requesting default behavior are
+   likely to be more portable across mechanisms and platforms than those
+   that use GSS_Acquire_cred() to request a specific identity.
+
+1.1.2: Tokens
+
+   Tokens are data elements transferred between GSS-API callers, and are
+   divided into two classes. Context-level tokens are exchanged in order
+   to establish and manage a security context between peers. Per-message
+   tokens relate to an established context and are exchanged to provide
+
+
+
+
+Linn                        Standards Track                     [Page 9]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   protective security services (i.e., data origin authentication,
+   integrity, and optional confidentiality) for corresponding data
+   messages.
+
+   The first context-level token obtained from GSS_Init_sec_context() is
+   required to indicate at its very beginning a globally-interpretable
+   mechanism identifier, i.e., an Object Identifier (OID) of the
+   security mechanism. The remaining part of this token as well as the
+   whole content of all other tokens are specific to the particular
+   underlying mechanism used to support the GSS-API. Section 3.1 of this
+   document provides, for designers of GSS-API mechanisms, the
+   description of the header of the first context-level token which is
+   then followed by mechanism-specific information.
+
+   Tokens' contents are opaque from the viewpoint of GSS-API callers.
+   They are generated within the GSS-API implementation at an end
+   system, provided to a GSS-API caller to be transferred to the peer
+   GSS-API caller at a remote end system, and processed by the GSS-API
+   implementation at that remote end system.
+
+   Context-level tokens may be output by GSS-API calls (and should be
+   transferred to GSS-API peers) whether or not the calls' status
+   indicators indicate successful completion.  Per-message tokens, in
+   contrast, are to be returned only upon successful completion of per-
+   message calls. Zero-length tokens are never returned by GSS routines
+   for transfer to a peer. Token transfer may take place in an in-band
+   manner, integrated into the same protocol stream used by the GSS-API
+   callers for other data transfers, or in an out-of-band manner across
+   a logically separate channel.
+
+   Different GSS-API tokens are used for different purposes (e.g.,
+   context initiation, context acceptance, protected message data on an
+   established context), and it is the responsibility of a GSS-API
+   caller receiving tokens to distinguish their types, associate them
+   with corresponding security contexts, and pass them to appropriate
+   GSS-API processing routines.  Depending on the caller protocol
+   environment, this distinction may be accomplished in several ways.
+
+   The following examples illustrate means through which tokens' types
+   may be distinguished:
+
+      - implicit tagging based on state information (e.g., all tokens on
+      a new association are considered to be context establishment
+      tokens until context establishment is completed, at which point
+      all tokens are considered to be wrapped data objects for that
+      context),
+
+
+
+
+
+Linn                        Standards Track                    [Page 10]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      - explicit tagging at the caller protocol level,
+
+      - a hybrid of these approaches.
+
+   Commonly, the encapsulated data within a token includes internal
+   mechanism-specific tagging information, enabling mechanism-level
+   processing modules to distinguish tokens used within the mechanism
+   for different purposes.  Such internal mechanism-level tagging is
+   recommended to mechanism designers, and enables mechanisms to
+   determine whether a caller has passed a particular token for
+   processing by an inappropriate GSS-API routine.
+
+   Development of GSS-API mechanisms based on a particular underlying
+   cryptographic technique and protocol (i.e., conformant to a specific
+   GSS-API mechanism definition) does not necessarily imply that GSS-API
+   callers using that GSS-API mechanism will be able to interoperate
+   with peers invoking the same technique and protocol outside the GSS-
+   API paradigm, or with peers implementing a different GSS-API
+   mechanism based on the same underlying technology.  The format of
+   GSS-API tokens defined in conjunction with a particular mechanism,
+   and the techniques used to integrate those tokens into callers'
+   protocols, may not be interoperable with the tokens used by non-GSS-
+   API callers of the same underlying technique.
+
+1.1.3:  Security Contexts
+
+   Security contexts are established between peers, using credentials
+   established locally in conjunction with each peer or received by
+   peers via delegation. Multiple contexts may exist simultaneously
+   between a pair of peers, using the same or different sets of
+   credentials. Coexistence of multiple contexts using different
+   credentials allows graceful rollover when credentials expire.
+   Distinction among multiple contexts based on the same credentials
+   serves applications by distinguishing different message streams in a
+   security sense.
+
+   The GSS-API is independent of underlying protocols and addressing
+   structure, and depends on its callers to transport GSS-API-provided
+   data elements. As a result of these factors, it is a caller
+   responsibility to parse communicated messages, separating GSS-API-
+   related data elements from caller-provided data.  The GSS-API is
+   independent of connection vs. connectionless orientation of the
+   underlying communications service.
+
+   No correlation between security context and communications protocol
+   association is dictated. (The optional channel binding facility,
+   discussed in Section 1.1.6 of this document, represents an
+   intentional exception to this rule, supporting additional protection
+
+
+
+Linn                        Standards Track                    [Page 11]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   features within GSS-API supporting mechanisms.) This separation
+   allows the GSS-API to be used in a wide range of communications
+   environments, and also simplifies the calling sequences of the
+   individual calls. In many cases (depending on underlying security
+   protocol, associated mechanism, and availability of cached
+   information), the state information required for context setup can be
+   sent concurrently with initial signed user data, without interposing
+   additional message exchanges.  Messages may be protected and
+   transferred in both directions on an established GSS-API security
+   context concurrently; protection of messages in one direction does
+   not interfere with protection of messages in the reverse direction.
+
+   GSS-API implementations are expected to retain inquirable context
+   data on a context until the context is released by a caller, even
+   after the context has expired, although underlying cryptographic data
+   elements may be deleted after expiration in order to limit their
+   exposure.
+
+1.1.4:  Mechanism Types
+
+   In order to successfully establish a security context with a target
+   peer, it is necessary to identify an appropriate underlying mechanism
+   type (mech_type) which both initiator and target peers support. The
+   definition of a mechanism embodies not only the use of a particular
+   cryptographic technology (or a hybrid or choice among alternative
+   cryptographic technologies), but also definition of the syntax and
+   semantics of data element exchanges which that mechanism will employ
+   in order to support security services.
+
+   It is recommended that callers initiating contexts specify the
+   "default" mech_type value, allowing system-specific functions within
+   or invoked by the GSS-API implementation to select the appropriate
+   mech_type, but callers may direct that a particular mech_type be
+   employed when necessary.
+
+   For GSS-API purposes, the phrase "negotiating mechanism" refers to a
+   mechanism which itself performs negotiation in order to select a
+   concrete mechanism which is shared between peers and is then used for
+   context establishment.  Only those mechanisms which are defined in
+   their specifications as negotiating mechanisms are to yield selected
+   mechanisms with different identifier values than the value which is
+   input by a GSS-API caller, except for the case of a caller requesting
+   the "default" mech_type.
+
+   The means for identifying a shared mech_type to establish a security
+   context with a peer will vary in different environments and
+   circumstances; examples include (but are not limited to):
+
+
+
+
+Linn                        Standards Track                    [Page 12]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      use of a fixed mech_type, defined by configuration, within an
+      environment
+
+      syntactic convention on a target-specific basis, through
+      examination of a target's name lookup of a target's name in a
+      naming service or other database in order to identify mech_types
+      supported by that target
+
+      explicit negotiation between GSS-API callers in advance of
+      security context setup
+
+      use of a negotiating mechanism
+
+   When transferred between GSS-API peers, mech_type specifiers (per
+   Section 3 of this document, represented as Object Identifiers (OIDs))
+   serve to qualify the interpretation of associated tokens. (The
+   structure and encoding of Object Identifiers is defined in [ISOIEC-
+   8824] and [ISOIEC-8825].) Use of hierarchically structured OIDs
+   serves to preclude ambiguous interpretation of mech_type specifiers.
+   The OID representing the DASS ([RFC-1507]) MechType, for example, is
+   1.3.12.2.1011.7.5, and that of the Kerberos V5 mechanism ([RFC-
+   1964]), having been advanced to the level of Proposed Standard, is
+   1.2.840.113554.1.2.2.
+
+1.1.5:  Naming
+
+   The GSS-API avoids prescribing naming structures, treating the names
+   which are transferred across the interface in order to initiate and
+   accept security contexts as opaque objects.  This approach supports
+   the GSS-API's goal of implementability atop a range of underlying
+   security mechanisms, recognizing the fact that different mechanisms
+   process and authenticate names which are presented in different
+   forms. Generalized services offering translation functions among
+   arbitrary sets of naming environments are outside the scope of the
+   GSS-API; availability and use of local conversion functions to
+   translate among the naming formats supported within a given end
+   system is anticipated.
+
+   Different classes of name representations are used in conjunction
+   with different GSS-API parameters:
+
+      - Internal form (denoted in this document by INTERNAL NAME),
+      opaque to callers and defined by individual GSS-API
+      implementations.  GSS-API implementations supporting multiple
+      namespace types must maintain internal tags to disambiguate the
+      interpretation of particular names.  A Mechanism Name (MN) is a
+      special case of INTERNAL NAME, guaranteed to contain elements
+
+
+
+
+Linn                        Standards Track                    [Page 13]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      corresponding to one and only one mechanism; calls which are
+      guaranteed to emit MNs or which require MNs as input are so
+      identified within this specification.
+
+      - Contiguous string ("flat") form (denoted in this document by
+      OCTET STRING); accompanied by OID tags identifying the namespace
+      to which they correspond.  Depending on tag value, flat names may
+      or may not be printable strings for direct acceptance from and
+      presentation to users. Tagging of flat names allows GSS-API
+      callers and underlying GSS-API mechanisms to disambiguate name
+      types and to determine whether an associated name's type is one
+      which they are capable of processing, avoiding aliasing problems
+      which could result from misinterpreting a name of one type as a
+      name of another type.
+
+      - The GSS-API Exported Name Object, a special case of flat name
+      designated by a reserved OID value, carries a canonicalized form
+      of a name suitable for binary comparisons.
+
+   In addition to providing means for names to be tagged with types,
+   this specification defines primitives to support a level of naming
+   environment independence for certain calling applications. To provide
+   basic services oriented towards the requirements of callers which
+   need not themselves interpret the internal syntax and semantics of
+   names, GSS-API calls for name comparison (GSS_Compare_name()),
+   human-readable display (GSS_Display_name()), input conversion
+   (GSS_Import_name()), internal name deallocation (GSS_Release_name()),
+   and internal name duplication (GSS_Duplicate_name()) functions are
+   defined. (It is anticipated that these proposed GSS-API calls will be
+   implemented in many end systems based on system-specific name
+   manipulation primitives already extant within those end systems;
+   inclusion within the GSS-API is intended to offer GSS-API callers a
+   portable means to perform specific operations, supportive of
+   authorization and audit requirements, on authenticated names.)
+
+   GSS_Import_name() implementations can, where appropriate, support
+   more than one printable syntax corresponding to a given namespace
+   (e.g., alternative printable representations for X.500 Distinguished
+   Names), allowing flexibility for their callers to select among
+   alternative representations. GSS_Display_name() implementations
+   output a printable syntax selected as appropriate to their
+   operational environments; this selection is a local matter. Callers
+   desiring portability across alternative printable syntaxes should
+   refrain from implementing comparisons based on printable name forms
+   and should instead use the GSS_Compare_name()  call to determine
+   whether or not one internal-format name matches another.
+
+
+
+
+
+Linn                        Standards Track                    [Page 14]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   When used in large access control lists, the overhead of invoking
+   GSS_Import_name() and GSS_Compare_name() on each name from the ACL
+   may be prohibitive.  As an alternative way of supporting this case,
+   GSS-API defines a special form of the contiguous string name which
+   may be compared directly (e.g., with memcmp()).  Contiguous names
+   suitable for comparison are generated by the GSS_Export_name()
+   routine, which requires an MN as input.  Exported names may be re-
+   imported by the GSS_Import_name() routine, and the resulting internal
+   name will also be an MN.  The symbolic constant GSS_C_NT_EXPORT_NAME
+   identifies the "export name" type. Structurally, an exported name
+   object consists of a header containing an OID identifying the
+   mechanism that authenticated the name, and a trailer containing the
+   name itself, where the syntax of the trailer is defined by the
+   individual mechanism specification.  The precise format of an
+   exported name is defined in Section 3.2 of this specification.
+
+   Note that the results obtained by using GSS_Compare_name() will in
+   general be different from those obtained by invoking
+   GSS_Canonicalize_name() and GSS_Export_name(), and then comparing the
+   exported names.  The first series of operations determines whether
+   two (unauthenticated) names identify the same principal; the second
+   whether a particular mechanism would authenticate them as the same
+   principal.  These two operations will in general give the same
+   results only for MNs.
+
+   The following diagram illustrates the intended dataflow among name-
+   related GSS-API processing routines.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 15]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+                        GSS-API library defaults
+                               |
+                               |
+                               V                         text, for
+   text -------------->  internal_name (IN) -----------> display only
+         import_name()          /          display_name()
+                               /
+                              /
+                             /
+    accept_sec_context()    /
+          |                /
+          |               /
+          |              /  canonicalize_name()
+          |             /
+          |            /
+          |           /
+          |          /
+          |         /
+          |        |
+          V        V     <---------------------
+    single mechanism        import_name()         exported name: flat
+    internal_name (MN)                            binary "blob" usable
+                         ---------------------->  for access control
+                            export_name()
+
+1.1.6:  Channel Bindings
+
+   The GSS-API accommodates the concept of caller-provided channel
+   binding ("chan_binding") information.  Channel bindings are used to
+   strengthen the quality with which peer entity authentication is
+   provided during context establishment, by limiting the scope within
+   which an intercepted context establishment token can be reused by an
+   attacker. Specifically, they enable GSS-API callers to bind the
+   establishment of a security context to relevant characteristics
+   (e.g., addresses, transformed representations of encryption keys) of
+   the underlying communications channel, of protection mechanisms
+   applied to that communications channel, and to application-specific
+   data.
+
+   The caller initiating a security context must determine the
+   appropriate channel binding values to provide as input to the
+   GSS_Init_sec_context() call, and consistent values must be provided
+   to GSS_Accept_sec_context() by the context's target, in order for
+   both peers' GSS-API mechanisms to validate that received tokens
+   possess correct channel-related characteristics. Use or non-use of
+   the GSS-API channel binding facility is a caller option.  GSS-API
+   mechanisms can operate in an environment where NULL channel bindings
+   are presented; mechanism implementors are encouraged, but not
+
+
+
+Linn                        Standards Track                    [Page 16]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   required, to make use of caller-provided channel binding data within
+   their mechanisms. Callers should not assume that underlying
+   mechanisms provide confidentiality protection for channel binding
+   information.
+
+   When non-NULL channel bindings are provided by callers, certain
+   mechanisms can offer enhanced security value by interpreting the
+   bindings' content (rather than simply representing those bindings, or
+   integrity check values computed on them, within tokens) and will
+   therefore depend on presentation of specific data in a defined
+   format. To this end, agreements among mechanism implementors are
+   defining conventional interpretations for the contents of channel
+   binding arguments, including address specifiers (with content
+   dependent on communications protocol environment) for context
+   initiators and acceptors. (These conventions are being incorporated
+   in GSS-API mechanism specifications and into the GSS-API C language
+   bindings specification.) In order for GSS-API callers to be portable
+   across multiple mechanisms and achieve the full security
+   functionality which each mechanism can provide, it is strongly
+   recommended that GSS-API callers provide channel bindings consistent
+   with these conventions and those of the networking environment in
+   which they operate.
+
+1.2:  GSS-API Features and Issues
+
+   This section describes aspects of GSS-API operations, of the security
+   services which the GSS-API provides, and provides commentary on
+   design issues.
+
+1.2.1:  Status Reporting and Optional Service Support
+
+1.2.1.1: Status Reporting
+
+   Each GSS-API call provides two status return values. Major_status
+   values provide a mechanism-independent indication of call status
+   (e.g., GSS_S_COMPLETE, GSS_S_FAILURE, GSS_S_CONTINUE_NEEDED),
+   sufficient to drive normal control flow within the caller in a
+   generic fashion. Table 1 summarizes the defined major_status return
+   codes in tabular fashion.
+
+   Sequencing-related informatory major_status codes
+   (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and
+   GSS_S_GAP_TOKEN) can be indicated in conjunction with either
+   GSS_S_COMPLETE or GSS_S_FAILURE status for GSS-API per-message calls.
+   For context establishment calls, these sequencing-related codes will
+   be indicated only in conjunction with GSS_S_FAILURE status (never in
+
+
+
+
+
+Linn                        Standards Track                    [Page 17]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   conjunction with GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED), and,
+   therefore, always correspond to fatal failures if encountered during
+   the context establishment phase.
+
+   Table 1: GSS-API Major Status Codes
+
+   FATAL ERROR CODES
+
+   GSS_S_BAD_BINDINGS            channel binding mismatch
+   GSS_S_BAD_MECH                unsupported mechanism requested
+   GSS_S_BAD_NAME                invalid name provided
+   GSS_S_BAD_NAMETYPE            name of unsupported type provided
+   GSS_S_BAD_STATUS              invalid input status selector
+   GSS_S_BAD_SIG                 token had invalid integrity check
+   GSS_S_BAD_MIC                   preferred alias for GSS_S_BAD_SIG
+   GSS_S_CONTEXT_EXPIRED         specified security context expired
+   GSS_S_CREDENTIALS_EXPIRED     expired credentials detected
+   GSS_S_DEFECTIVE_CREDENTIAL    defective credential detected
+   GSS_S_DEFECTIVE_TOKEN         defective token detected
+   GSS_S_FAILURE                 failure, unspecified at GSS-API
+                                   level
+   GSS_S_NO_CONTEXT              no valid security context specified
+   GSS_S_NO_CRED                 no valid credentials provided
+   GSS_S_BAD_QOP                 unsupported QOP value
+   GSS_S_UNAUTHORIZED            operation unauthorized
+   GSS_S_UNAVAILABLE             operation unavailable
+   GSS_S_DUPLICATE_ELEMENT       duplicate credential element requested
+   GSS_S_NAME_NOT_MN             name contains multi-mechanism elements
+
+   INFORMATORY STATUS CODES
+
+   GSS_S_COMPLETE                normal completion
+   GSS_S_CONTINUE_NEEDED         continuation call to routine
+                                  required
+   GSS_S_DUPLICATE_TOKEN         duplicate per-message token
+                                  detected
+   GSS_S_OLD_TOKEN               timed-out per-message token
+                                  detected
+   GSS_S_UNSEQ_TOKEN             reordered (early) per-message token
+                                  detected
+   GSS_S_GAP_TOKEN               skipped predecessor token(s)
+                                  detected
+
+   Minor_status provides more detailed status information which may
+   include status codes specific to the underlying security mechanism.
+   Minor_status values are not specified in this document.
+
+
+
+
+
+Linn                        Standards Track                    [Page 18]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_S_CONTINUE_NEEDED major_status returns, and optional message
+   outputs, are provided in GSS_Init_sec_context() and
+   GSS_Accept_sec_context() calls so that different mechanisms'
+   employment of different numbers of messages within their
+   authentication sequences need not be reflected in separate code paths
+   within calling applications. Instead, such cases are accommodated
+   with sequences of continuation calls to GSS_Init_sec_context()  and
+   GSS_Accept_sec_context().  The same facility is used to encapsulate
+   mutual authentication within the GSS-API's context initiation calls.
+
+   For mech_types which require interactions with third-party servers in
+   order to establish a security context, GSS-API context establishment
+   calls may block pending completion of such third-party interactions.
+   On the other hand, no GSS-API calls pend on serialized interactions
+   with GSS-API peer entities.  As a result, local GSS-API status
+   returns cannot reflect unpredictable or asynchronous exceptions
+   occurring at remote peers, and reflection of such status information
+   is a caller responsibility outside the GSS-API.
+
+1.2.1.2: Optional Service Support
+
+   A context initiator may request various optional services at context
+   establishment time. Each of these services is requested by setting a
+   flag in the req_flags input parameter to GSS_Init_sec_context().
+
+   The optional services currently defined are:
+
+      - Delegation - The (usually temporary) transfer of rights from
+      initiator to acceptor, enabling the acceptor to authenticate
+      itself as an agent of the initiator.
+
+      - Mutual Authentication - In addition to the initiator
+      authenticating its identity to the context acceptor, the context
+      acceptor should also authenticate itself to the initiator.
+
+      - Replay detection - In addition to providing message integrity
+      services, GSS_GetMIC() and GSS_Wrap() should include message
+      numbering information to enable GSS_VerifyMIC() and GSS_Unwrap()
+      to detect if a message has been duplicated.
+
+      - Out-of-sequence detection - In addition to providing message
+      integrity services, GSS_GetMIC() and GSS_Wrap() should include
+      message sequencing information to enable GSS_VerifyMIC() and
+      GSS_Unwrap() to detect if a message has been received out of
+      sequence.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 19]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      - Anonymous authentication - The establishment of the security
+      context should not reveal the initiator's identity to the context
+      acceptor.
+
+      - Available per-message confidentiality - requests that per-
+      message confidentiality services be available on the context.
+
+      - Available per-message integrity - requests that per-message
+      integrity services be available on the context.
+
+   Any currently undefined bits within such flag arguments should be
+   ignored by GSS-API implementations when presented by an application,
+   and should be set to zero when returned to the application by the
+   GSS-API implementation.
+
+   Some mechanisms may not support all optional services, and some
+   mechanisms may only support some services in conjunction with others.
+   Both GSS_Init_sec_context() and GSS_Accept_sec_context() inform the
+   applications which services will be available from the context when
+   the establishment phase is complete, via the ret_flags output
+   parameter.  In general, if the security mechanism is capable of
+   providing a requested service, it should do so, even if additional
+   services must be enabled in order to provide the requested service.
+   If the mechanism is incapable of providing a requested service, it
+   should proceed without the service, leaving the application to abort
+   the context establishment process if it considers the requested
+   service to be mandatory.
+
+   Some mechanisms may specify that support for some services is
+   optional, and that implementors of the mechanism need not provide it.
+   This is most commonly true of the confidentiality service, often
+   because of legal restrictions on the use of data-encryption, but may
+   apply to any of the services.  Such mechanisms are required to send
+   at least one token from acceptor to initiator during context
+   establishment when the initiator indicates a desire to use such a
+   service, so that the initiating GSS-API can correctly indicate
+   whether the service is supported by the acceptor's GSS-API.
+
+1.2.2: Per-Message Security Service Availability
+
+   When a context is established, two flags are returned to indicate the
+   set of per-message protection security services which will be
+   available on the context:
+
+      the integ_avail flag indicates whether per-message integrity and
+      data origin authentication services are available
+
+
+
+
+
+Linn                        Standards Track                    [Page 20]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      the conf_avail flag indicates whether per-message confidentiality
+      services are available, and will never be returned TRUE unless the
+      integ_avail flag is also returned TRUE
+
+   GSS-API callers desiring per-message security services should check
+   the values of these flags at context establishment time, and must be
+   aware that a returned FALSE value for integ_avail means that
+   invocation of GSS_GetMIC() or GSS_Wrap() primitives on the associated
+   context will apply no cryptographic protection to user data messages.
+
+   The GSS-API per-message integrity and data origin authentication
+   services provide assurance to a receiving caller that protection was
+   applied to a message by the caller's peer on the security context,
+   corresponding to the entity named at context initiation.  The GSS-API
+   per-message confidentiality service provides assurance to a sending
+   caller that the message's content is protected from access by
+   entities other than the context's named peer.
+
+   The GSS-API per-message protection service primitives, as the
+   category name implies, are oriented to operation at the granularity
+   of protocol data units. They perform cryptographic operations on the
+   data units, transfer cryptographic control information in tokens,
+   and, in the case of GSS_Wrap(), encapsulate the protected data unit.
+   As such, these primitives are not oriented to efficient data
+   protection for stream-paradigm protocols (e.g., Telnet) if
+   cryptography must be applied on an octet-by-octet basis.
+
+1.2.3: Per-Message Replay Detection and Sequencing
+
+   Certain underlying mech_types offer support for replay detection
+   and/or sequencing of messages transferred on the contexts they
+   support. These optionally-selectable protection features are distinct
+   from replay detection and sequencing features applied to the context
+   establishment operation itself; the presence or absence of context-
+   level replay or sequencing features is wholly a function of the
+   underlying mech_type's capabilities, and is not selected or omitted
+   as a caller option.
+
+   The caller initiating a context provides flags (replay_det_req_flag
+   and sequence_req_flag) to specify whether the use of per-message
+   replay detection and sequencing features is desired on the context
+   being established. The GSS-API implementation at the initiator system
+   can determine whether these features are supported (and whether they
+   are optionally selectable) as a function of the selected mechanism,
+   without need for bilateral negotiation with the target. When enabled,
+   these features provide recipients with indicators as a result of
+   GSS-API processing of incoming messages, identifying whether those
+   messages were detected as duplicates or out-of-sequence. Detection of
+
+
+
+Linn                        Standards Track                    [Page 21]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   such events does not prevent a suspect message from being provided to
+   a recipient; the appropriate course of action on a suspect message is
+   a matter of caller policy.
+
+   The semantics of the replay detection and sequencing services applied
+   to received messages, as visible across the interface which the GSS-
+   API provides to its clients, are as follows:
+
+   When replay_det_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_S_COMPLETE, without concurrent indication of
+      GSS_S_DUPLICATE_TOKEN or GSS_S_OLD_TOKEN, indicates that the
+      message was within the window (of time or sequence space) allowing
+      replay events to be detected, and that the message was not a
+      replay of a previously-processed message within that window.
+
+      2. GSS_S_DUPLICATE_TOKEN indicates that the cryptographic
+      checkvalue on the received message was correct, but that the
+      message was recognized as a duplicate of a previously-processed
+      message.  In addition to identifying duplicated tokens originated
+      by a context's peer, this status may also be used to identify
+      reflected copies of locally-generated tokens; it is recommended
+      that mechanism designers include within their protocols facilities
+      to detect and report such tokens.
+
+      3. GSS_S_OLD_TOKEN indicates that the cryptographic checkvalue on
+      the received message was correct, but that the message is too old
+      to be checked for duplication.
+
+   When sequence_state is TRUE, the possible major_status returns for
+   well-formed and correctly signed messages are as follows:
+
+      1. GSS_S_COMPLETE, without concurrent indication of
+      GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, or
+      GSS_S_GAP_TOKEN, indicates that the message was within the window
+      (of time or sequence space) allowing replay events to be detected,
+      that the message was not a replay of a previously-processed
+      message within that window, and that no predecessor sequenced
+      messages are missing relative to the last received message (if
+      any) processed on the context with a correct cryptographic
+      checkvalue.
+
+      2. GSS_S_DUPLICATE_TOKEN indicates that the integrity check value
+      on the received message was correct, but that the message was
+      recognized as a duplicate of a previously-processed message.  In
+      addition to identifying duplicated tokens originated by a
+      context's peer, this status may also be used to identify reflected
+
+
+
+Linn                        Standards Track                    [Page 22]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      copies of locally-generated tokens; it is recommended that
+      mechanism designers include within their protocols facilities to
+      detect and report such tokens.
+
+      3. GSS_S_OLD_TOKEN indicates that the integrity check value on the
+      received message was correct, but that the token is too old to be
+      checked for duplication.
+
+      4. GSS_S_UNSEQ_TOKEN indicates that the cryptographic checkvalue
+      on the received message was correct, but that it is earlier in a
+      sequenced stream than a message already processed on the context.
+      [Note: Mechanisms can be architected to provide a stricter form of
+      sequencing service, delivering particular messages to recipients
+      only after all predecessor messages in an ordered stream have been
+      delivered.  This type of support is incompatible with the GSS-API
+      paradigm in which recipients receive all messages, whether in
+      order or not, and provide them (one at a time, without intra-GSS-
+      API message buffering) to GSS-API routines for validation.  GSS-
+      API facilities provide supportive functions, aiding clients to
+      achieve strict message stream integrity in an efficient manner in
+      conjunction with sequencing provisions in communications
+      protocols, but the GSS-API does not offer this level of message
+      stream integrity service by itself.]
+
+      5. GSS_S_GAP_TOKEN indicates that the cryptographic checkvalue on
+      the received message was correct, but that one or more predecessor
+      sequenced messages have not been successfully processed relative
+      to the last received message (if any) processed on the context
+      with a correct cryptographic checkvalue.
+
+   As the message stream integrity features (especially sequencing) may
+   interfere with certain applications' intended communications
+   paradigms, and since support for such features is likely to be
+   resource intensive, it is highly recommended that mech_types
+   supporting these features allow them to be activated selectively on
+   initiator request when a context is established. A context initiator
+   and target are provided with corresponding indicators
+   (replay_det_state and sequence_state), signifying whether these
+   features are active on a given context.
+
+   An example mech_type supporting per-message replay detection could
+   (when replay_det_state is TRUE) implement the feature as follows: The
+   underlying mechanism would insert timestamps in data elements output
+   by GSS_GetMIC() and GSS_Wrap(), and would maintain (within a time-
+   limited window) a cache (qualified by originator-recipient pair)
+   identifying received data elements processed by GSS_VerifyMIC() and
+   GSS_Unwrap(). When this feature is active, exception status returns
+   (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN) will be provided when
+
+
+
+Linn                        Standards Track                    [Page 23]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_VerifyMIC() or GSS_Unwrap() is presented with a message which is
+   either a detected duplicate of a prior message or which is too old to
+   validate against a cache of recently received messages.
+
+1.2.4:  Quality of Protection
+
+   Some mech_types provide their users with fine granularity control
+   over the means used to provide per-message protection, allowing
+   callers to trade off security processing overhead dynamically against
+   the protection requirements of particular messages. A per-message
+   quality-of-protection parameter (analogous to quality-of-service, or
+   QOS) selects among different QOP options supported by that mechanism.
+   On context establishment for a multi-QOP mech_type, context-level
+   data provides the prerequisite data for a range of protection
+   qualities.
+
+   It is expected that the majority of callers will not wish to exert
+   explicit mechanism-specific QOP control and will therefore request
+   selection of a default QOP. Definitions of, and choices among, non-
+   default QOP values are mechanism-specific, and no ordered sequences
+   of QOP values can be assumed equivalent across different mechanisms.
+   Meaningful use of non-default QOP values demands that callers be
+   familiar with the QOP definitions of an underlying mechanism or
+   mechanisms, and is therefore a non-portable construct.  The
+   GSS_S_BAD_QOP major_status value is defined in order to indicate that
+   a provided QOP value is unsupported for a security context, most
+   likely because that value is unrecognized by the underlying
+   mechanism.
+
+   In the interests of interoperability, mechanisms which allow optional
+   support of particular QOP values shall satisfy one of the following
+   conditions.  Either:
+
+      (i) All implementations of the mechanism are required to be
+      capable of processing messages protected using any QOP value,
+      regardless of whether they can apply protection corresponding to
+      that QOP, or
+
+      (ii) The set of mutually-supported receiver QOP values must be
+      determined during context establishment, and messages may be
+      protected by either peer using only QOP values from this
+      mutually-supported set.
+
+   NOTE: (i) is just a special-case of (ii), where implementations are
+   required to support all QOP values on receipt.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 24]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+1.2.5: Anonymity Support
+
+   In certain situations or environments, an application may wish to
+   authenticate a peer and/or protect communications using GSS-API per-
+   message services without revealing its own identity.  For example,
+   consider an application which provides read access to a research
+   database, and which permits queries by arbitrary requestors.  A
+   client of such a service might wish to authenticate the service, to
+   establish trust in the information received from it, but might not
+   wish to disclose its identity to the service for privacy reasons.
+
+   In ordinary GSS-API usage, a context initiator's identity is made
+   available to the context acceptor as part of the context
+   establishment process.  To provide for anonymity support, a facility
+   (input anon_req_flag to GSS_Init_sec_context()) is provided through
+   which context initiators may request that their identity not be
+   provided to the context acceptor.  Mechanisms are not required to
+   honor this request, but a caller will be informed (via returned
+   anon_state indicator from GSS_Init_sec_context()) whether or not the
+   request is honored. Note that authentication as the anonymous
+   principal does not necessarily imply that credentials are not
+   required in order to establish a context.
+
+   Section 4.5 of this document defines the Object Identifier value used
+   to identify an anonymous principal.
+
+   Four possible combinations of anon_state and mutual_state are
+   possible, with the following results:
+
+      anon_state == FALSE, mutual_state == FALSE: initiator
+      authenticated to target.
+
+      anon_state == FALSE, mutual_state == TRUE: initiator authenticated
+      to target, target authenticated to initiator.
+
+      anon_state == TRUE, mutual_state == FALSE: initiator authenticated
+      as anonymous principal to target.
+
+      anon_state == TRUE, mutual_state == TRUE: initiator authenticated
+      as anonymous principal to target, target authenticated to
+      initiator.
+
+1.2.6: Initialization
+
+   No initialization calls (i.e., calls which must be invoked prior to
+   invocation of other facilities in the interface) are defined in GSS-
+   API.  As an implication of this fact, GSS-API implementations must
+   themselves be self-initializing.
+
+
+
+Linn                        Standards Track                    [Page 25]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+1.2.7: Per-Message Protection During Context Establishment
+
+   A facility is defined in GSS-V2 to enable protection and buffering of
+   data messages for later transfer while a security context's
+   establishment is in GSS_S_CONTINUE_NEEDED status, to be used in cases
+   where the caller side already possesses the necessary session key to
+   enable this processing. Specifically, a new state Boolean, called
+   prot_ready_state, is added to the set of information returned by
+   GSS_Init_sec_context(), GSS_Accept_sec_context(), and
+   GSS_Inquire_context().
+
+   For context establishment calls, this state Boolean is valid and
+   interpretable when the associated major_status is either
+   GSS_S_CONTINUE_NEEDED, or GSS_S_COMPLETE.  Callers of GSS-API (both
+   initiators and acceptors) can assume that per-message protection (via
+   GSS_Wrap(), GSS_Unwrap(), GSS_GetMIC() and GSS_VerifyMIC()) is
+   available and ready for use if either: prot_ready_state == TRUE, or
+   major_status == GSS_S_COMPLETE, though mutual authentication (if
+   requested) cannot be guaranteed until GSS_S_COMPLETE is returned.
+   Callers making use of per-message protection services in advance of
+   GSS_S_COMPLETE status should be aware of the possibility that a
+   subsequent context establishment step may fail, and that certain
+   context data (e.g., mech_type) as returned for subsequent calls may
+   change.
+
+   This approach achieves full, transparent backward compatibility for
+   GSS-API V1 callers, who need not even know of the existence of
+   prot_ready_state, and who will get the expected behavior from
+   GSS_S_COMPLETE, but who will not be able to use per-message
+   protection before GSS_S_COMPLETE is returned.
+
+   It is not a requirement that GSS-V2 mechanisms ever return TRUE
+   prot_ready_state before completion of context establishment (indeed,
+   some mechanisms will not evolve usable message protection keys,
+   especially at the context acceptor, before context establishment is
+   complete).  It is expected but not required that GSS-V2 mechanisms
+   will return TRUE prot_ready_state upon completion of context
+   establishment if they support per-message protection at all (however
+   GSS-V2 applications should not assume that TRUE prot_ready_state will
+   always be returned together with the GSS_S_COMPLETE major_status,
+   since GSS-V2 implementations may continue to support GSS-V1 mechanism
+   code, which will never return TRUE prot_ready_state).
+
+   When prot_ready_state is returned TRUE, mechanisms shall also set
+   those context service indicator flags (deleg_state, mutual_state,
+   replay_det_state, sequence_state, anon_state, trans_state,
+   conf_avail, integ_avail) which represent facilities confirmed, at
+   that time, to be available on the context being established.  In
+
+
+
+Linn                        Standards Track                    [Page 26]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   situations where prot_ready_state is returned before GSS_S_COMPLETE,
+   it is possible that additional facilities may be confirmed and
+   subsequently indicated when GSS_S_COMPLETE is returned.
+
+1.2.8: Implementation Robustness
+
+   This section recommends aspects of GSS-API implementation behavior in
+   the interests of overall robustness.
+
+   Invocation of GSS-API calls is to incur no undocumented side effects
+   visible at the GSS-API level.
+
+   If a token is presented for processing on a GSS-API security context
+   and that token generates a fatal error in processing or is otherwise
+   determined to be invalid for that context, the context's state should
+   not be disrupted for purposes of processing subsequent valid tokens.
+
+   Certain local conditions at a GSS-API implementation (e.g.,
+   unavailability of memory) may preclude, temporarily or permanently,
+   the successful processing of tokens on a GSS-API security context,
+   typically generating GSS_S_FAILURE major_status returns along with
+   locally-significant minor_status.  For robust operation under such
+   conditions, the following recommendations are made:
+
+      Failing calls should free any memory they allocate, so that
+      callers may retry without causing further loss of resources.
+
+      Failure of an individual call on an established context should not
+      preclude subsequent calls from succeeding on the same context.
+
+      Whenever possible, it should be possible for
+      GSS_Delete_sec_context() calls to be successfully processed even
+      if other calls cannot succeed, thereby enabling context-related
+      resources to be released.
+
+   A failure of GSS_GetMIC() or GSS_Wrap() due to an attempt to use an
+   unsupported QOP will not interfere with context validity, nor shall
+   such a failure impact the ability of the application to subsequently
+   invoke GSS_GetMIC() or GSS_Wrap() using a supported QOP. Any state
+   information concerning sequencing of outgoing messages shall be
+   unchanged by an unsuccessful call of GSS_GetMIC() or GSS_Wrap().
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 27]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+1.2.9: Delegation
+
+   The GSS-API allows delegation to be controlled by the initiating
+   application via a Boolean parameter to GSS_Init_sec_context(), the
+   routine that establishes a security context.  Some mechanisms do not
+   support delegation, and for such mechanisms attempts by an
+   application to enable delegation are ignored.
+
+   The acceptor of a security context for which the initiator enabled
+   delegation will receive (via the delegated_cred_handle parameter of
+   GSS_Accept_sec_context()) a credential handle that contains the
+   delegated identity, and this credential handle may be used to
+   initiate subsequent GSS-API security contexts as an agent or delegate
+   of the initiator.  If the original initiator's identity is "A" and
+   the delegate's identity is "B", then, depending on the underlying
+   mechanism, the identity embodied by the delegated credential may be
+   either "A" or "B acting for A".
+
+   For many mechanisms that support delegation, a simple Boolean does
+   not provide enough control.  Examples of additional aspects of
+   delegation control that a mechanism might provide to an application
+   are duration of delegation, network addresses from which delegation
+   is valid, and constraints on the tasks that may be performed by a
+   delegate.  Such controls are presently outside the scope of the GSS-
+   API.  GSS-API implementations supporting mechanisms offering
+   additional controls should provide extension routines that allow
+   these controls to be exercised (perhaps by modifying the initiator's
+   GSS-API credential prior to its use in establishing a context).
+   However, the simple delegation control provided by GSS-API should
+   always be able to over-ride other mechanism-specific delegation
+   controls; if the application instructs GSS_Init_sec_context() that
+   delegation is not desired, then the implementation must not permit
+   delegation to occur.  This is an exception to the general rule that a
+   mechanism may enable services even if they are not requested;
+   delegation may only be provided at the explicit request of the
+   application.
+
+1.2.10: Interprocess Context Transfer
+
+   GSS-API V2 provides routines (GSS_Export_sec_context() and
+   GSS_Import_sec_context()) which allow a security context to be
+   transferred between processes on a single machine.  The most common
+   use for such a feature is a client-server design where the server is
+   implemented as a single process that accepts incoming security
+   contexts, which then launches child processes to deal with the data
+   on these contexts.  In such a design, the child processes must have
+   access to the security context data structure created within the
+
+
+
+
+Linn                        Standards Track                    [Page 28]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   parent by its call to GSS_Accept_sec_context() so that they can use
+   per-message protection services and delete the security context when
+   the communication session ends.
+
+   Since the security context data structure is expected to contain
+   sequencing information, it is impractical in general to share a
+   context between processes.  Thus GSS-API provides a call
+   (GSS_Export_sec_context()) that the process which currently owns the
+   context can call to declare that it has no intention to use the
+   context subsequently, and to create an inter-process token containing
+   information needed by the adopting process to successfully import the
+   context.  After successful completion of this call, the original
+   security context is made inaccessible to the calling process by GSS-
+   API, and any context handles referring to this context are no longer
+   valid.  The originating process transfers the inter-process token to
+   the adopting process, which passes it to GSS_Import_sec_context(),
+   and a fresh context handle is created such that it is functionally
+   identical to the original context.
+
+   The inter-process token may contain sensitive data from the original
+   security context (including cryptographic keys).  Applications using
+   inter-process tokens to transfer security contexts must take
+   appropriate steps to protect these tokens in transit.
+   Implementations are not required to support the inter-process
+   transfer of security contexts.  The ability to transfer a security
+   context is indicated when the context is created, by
+   GSS_Init_sec_context() or GSS_Accept_sec_context() indicating a TRUE
+   trans_state return value.
+
+2:  Interface Descriptions
+
+   This section describes the GSS-API's service interface, dividing the
+   set of calls offered into four groups. Credential management calls
+   are related to the acquisition and release of credentials by
+   principals. Context-level calls are related to the management of
+   security contexts between principals. Per-message calls are related
+   to the protection of individual messages on established security
+   contexts. Support calls provide ancillary functions useful to GSS-API
+   callers. Table 2 groups and summarizes the calls in tabular fashion.
+
+   Table 2:  GSS-API Calls
+
+   CREDENTIAL MANAGEMENT
+
+   GSS_Acquire_cred             acquire credentials for use
+   GSS_Release_cred             release credentials after use
+   GSS_Inquire_cred             display information about
+                                credentials
+
+
+
+Linn                        Standards Track                    [Page 29]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_Add_cred                 construct credentials incrementally
+   GSS_Inquire_cred_by_mech     display per-mechanism credential
+                                  information
+
+   CONTEXT-LEVEL CALLS
+
+   GSS_Init_sec_context         initiate outbound security context
+   GSS_Accept_sec_context       accept inbound security context
+   GSS_Delete_sec_context       flush context when no longer needed
+   GSS_Process_context_token    process received control token on
+                                  context
+   GSS_Context_time             indicate validity time remaining on
+                                     context
+   GSS_Inquire_context          display information about context
+   GSS_Wrap_size_limit          determine GSS_Wrap token size limit
+   GSS_Export_sec_context       transfer context to other process
+   GSS_Import_sec_context       import transferred context
+
+   PER-MESSAGE CALLS
+
+   GSS_GetMIC                   apply integrity check, receive as
+                                  token separate from message
+   GSS_VerifyMIC                validate integrity check token
+                                  along with message
+   GSS_Wrap                     sign, optionally encrypt,
+                                  encapsulate
+   GSS_Unwrap                   decapsulate, decrypt if needed,
+                                  validate integrity check
+
+   SUPPORT CALLS
+
+   GSS_Display_status           translate status codes to printable
+                                  form
+   GSS_Indicate_mechs           indicate mech_types supported on
+                                  local system
+   GSS_Compare_name             compare two names for equality
+   GSS_Display_name             translate name to printable form
+   GSS_Import_name              convert printable name to
+                                  normalized form
+   GSS_Release_name             free storage of normalized-form
+                                  name
+   GSS_Release_buffer           free storage of general GSS-allocated
+                                  object
+   GSS_Release_OID_set          free storage of OID set object
+   GSS_Create_empty_OID_set     create empty OID set
+   GSS_Add_OID_set_member       add member to OID set
+   GSS_Test_OID_set_member      test if OID is member of OID set
+   GSS_Inquire_names_for_mech   indicate name types supported by
+
+
+
+Linn                        Standards Track                    [Page 30]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+                                  mechanism
+   GSS_Inquire_mechs_for_name   indicates mechanisms supporting name
+                                  type
+   GSS_Canonicalize_name        translate name to per-mechanism form
+   GSS_Export_name              externalize per-mechanism name
+   GSS_Duplicate_name           duplicate name object
+
+2.1:  Credential management calls
+
+   These GSS-API calls provide functions related to the management of
+   credentials. Their characterization with regard to whether or not
+   they may block pending exchanges with other network entities (e.g.,
+   directories or authentication servers) depends in part on OS-specific
+   (extra-GSS-API) issues, so is not specified in this document.
+
+   The GSS_Acquire_cred() call is defined within the GSS-API in support
+   of application portability, with a particular orientation towards
+   support of portable server applications. It is recognized that (for
+   certain systems and mechanisms) credentials for interactive users may
+   be managed differently from credentials for server processes; in such
+   environments, it is the GSS-API implementation's responsibility to
+   distinguish these cases and the procedures for making this
+   distinction are a local matter. The GSS_Release_cred() call provides
+   a means for callers to indicate to the GSS-API that use of a
+   credentials structure is no longer required. The GSS_Inquire_cred()
+   call allows callers to determine information about a credentials
+   structure.  The GSS_Add_cred() call enables callers to append
+   elements to an existing credential structure, allowing iterative
+   construction of a multi-mechanism credential. The
+   GSS_Inquire_cred_by_mech() call enables callers to extract per-
+   mechanism information describing a credentials structure.
+
+2.1.1:  GSS_Acquire_cred call
+
+   Inputs:
+
+   o  desired_name INTERNAL NAME, -- NULL requests locally-determined
+   -- default
+
+   o  lifetime_req INTEGER, -- in seconds; 0 requests default
+
+   o  desired_mechs SET OF OBJECT IDENTIFIER, -- NULL requests
+   -- system-selected default
+
+   o  cred_usage INTEGER -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+   -- 2=ACCEPT-ONLY
+
+
+
+
+
+Linn                        Standards Track                    [Page 31]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_cred_handle CREDENTIAL HANDLE, -- if returned non-NULL,
+   -- caller must release with GSS_Release_cred()
+
+   o  actual_mechs SET OF OBJECT IDENTIFIER, -- if returned non-NULL,
+   -- caller must release with GSS_Release_oid_set()
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that requested credentials were
+   successfully established, for the duration indicated in lifetime_rec,
+   suitable for the usage requested in cred_usage, for the set of
+   mech_types indicated in actual_mechs, and that those credentials can
+   be referenced for subsequent use with the handle returned in
+   output_cred_handle.
+
+   o  GSS_S_BAD_MECH indicates that a mech_type unsupported by the GSS-
+   API implementation type was requested, causing the credential
+   establishment operation to fail.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided desired_name is
+   uninterpretable or of a type unsupported by the applicable underlying
+   GSS-API mechanism(s), so no credentials could be established for the
+   accompanying desired_name.
+
+   o  GSS_S_BAD_NAME indicates that the provided desired_name is
+   inconsistent in terms of internally-incorporated type specifier
+   information, so no credentials could be established for the
+   accompanying desired_name.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that underlying credential
+   elements corresponding to the requested desired_name have expired, so
+   requested credentials could not be established.
+
+   o GSS_S_NO_CRED indicates that no credential elements corresponding
+   to the requested desired_name and usage could be accessed, so
+   requested credentials could not be established.  In particular, this
+   status should be returned upon temporary user-fixable conditions
+
+
+
+
+
+Linn                        Standards Track                    [Page 32]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   preventing successful credential establishment and upon lack of
+   authorization to establish and use credentials associated with the
+   identity named in the input desired_name argument.
+
+   o  GSS_S_FAILURE indicates that credential establishment failed for
+   reasons unspecified at the GSS-API level.
+
+   GSS_Acquire_cred() is used to acquire credentials so that a principal
+   can (as a function of the input cred_usage parameter) initiate and/or
+   accept security contexts under the identity represented by the
+   desired_name input argument. On successful completion, the returned
+   output_cred_handle result provides a handle for subsequent references
+   to the acquired credentials.  Typically, single-user client processes
+   requesting that default credential behavior be applied for context
+   establishment purposes will have no need to invoke this call.
+
+   A caller may provide the value NULL (GSS_C_NO_NAME) for desired_name,
+   which will be interpreted as a request for a credential handle that
+   will invoke default behavior when passed to GSS_Init_sec_context(),
+   if cred_usage is GSS_C_INITIATE or GSS_C_BOTH, or
+   GSS_Accept_sec_context(), if cred_usage is GSS_C_ACCEPT or
+   GSS_C_BOTH.  It is possible that multiple pre-established credentials
+   may exist for the same principal identity (for example, as a result
+   of multiple user login sessions) when GSS_Acquire_cred() is called;
+   the means used in such cases to select a specific credential are
+   local matters.  The input lifetime_req argument to GSS_Acquire_cred()
+   may provide useful information for local GSS-API implementations to
+   employ in making this disambiguation in a manner which will best
+   satisfy a caller's intent.
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways
+   of obtaining GSS-API initiator credentials from the system login
+   process.  Some implementations may therefore not support the
+   acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
+   GSS_Acquire_cred() for any name other than GSS_C_NO_NAME, or a name
+   resulting from applying GSS_Inquire_context() to an active context,
+   or a name resulting from applying GSS_Inquire_cred() against a
+   credential handle corresponding to default behavior. It is important
+   to recognize that the explicit name which is yielded by resolving a
+   default reference may change over time, e.g., as a result of local
+   credential element management operations outside GSS-API; once
+   resolved, however, the value of such an explicit name will remain
+   constant.
+
+   The lifetime_rec result indicates the length of time for which the
+   acquired credentials will be valid, as an offset from the present. A
+   mechanism may return a reserved value indicating INDEFINITE if no
+
+
+
+Linn                        Standards Track                    [Page 33]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   constraints on credential lifetime are imposed.  A caller of
+   GSS_Acquire_cred() can request a length of time for which acquired
+   credentials are to be valid (lifetime_req argument), beginning at the
+   present, or can request credentials with a default validity interval.
+   (Requests for postdated credentials are not supported within the
+   GSS-API.) Certain mechanisms and implementations may bind in
+   credential validity period specifiers at a point preliminary to
+   invocation of the GSS_Acquire_cred() call (e.g., in conjunction with
+   user login procedures). As a result, callers requesting non-default
+   values for lifetime_req must recognize that such requests cannot
+   always be honored and must be prepared to accommodate the use of
+   returned credentials with different lifetimes as indicated in
+   lifetime_rec.
+
+   The caller of GSS_Acquire_cred() can explicitly specify a set of
+   mech_types which are to be accommodated in the returned credentials
+   (desired_mechs argument), or can request credentials for a system-
+   defined default set of mech_types. Selection of the system-specified
+   default set is recommended in the interests of application
+   portability. The actual_mechs return value may be interrogated by the
+   caller to determine the set of mechanisms with which the returned
+   credentials may be used.
+
+2.1.2:  GSS_Release_cred call
+
+   Input:
+
+   o  cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL
+   -- is specified, the call will complete successfully, but
+   -- will have no effect; no credential elements will be
+   -- released.
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+   input cred_handle were released for purposes of subsequent access by
+   the caller. The effect on other processes which may be authorized
+   shared access to such credentials is a local matter.
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 34]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_NO_CRED indicates that no release operation was performed,
+   either because the input cred_handle was invalid or because the
+   caller lacks authorization to access the referenced credentials.
+
+   o  GSS_S_FAILURE indicates that the release operation failed for
+   reasons unspecified at the GSS-API level.
+
+   Provides a means for a caller to explicitly request that credentials
+   be released when their use is no longer required. Note that system-
+   specific credential management functions are also likely to exist,
+   for example to assure that credentials shared among processes are
+   properly deleted when all affected processes terminate, even if no
+   explicit release requests are issued by those processes. Given the
+   fact that multiple callers are not precluded from gaining authorized
+   access to the same credentials, invocation of GSS_Release_cred()
+   cannot be assumed to delete a particular set of credentials on a
+   system-wide basis.
+
+2.1.3:  GSS_Inquire_cred call
+
+   Input:
+
+   o  cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL
+   -- is specified, default initiator credentials are queried
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  cred_name INTERNAL NAME,  -- caller must release with
+   -- GSS_Release_name()
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   o  cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+   -- 2=ACCEPT-ONLY
+
+   o  mech_set SET OF OBJECT IDENTIFIER  -- caller must release
+   -- with GSS_Release_oid_set()
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 35]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+   input cred_handle argument were valid, and that the output cred_name,
+   lifetime_rec, and cred_usage values represent, respectively, the
+   credentials' associated principal name, remaining lifetime, suitable
+   usage modes, and supported mechanism types.
+
+   o  GSS_S_NO_CRED indicates that no information could be returned
+   about the referenced credentials, either because the input
+   cred_handle was invalid or because the caller lacks authorization to
+   access the referenced credentials.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced
+   credentials are invalid.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the referenced
+   credentials have expired.
+
+   o  GSS_S_FAILURE indicates that the operation failed for reasons
+   unspecified at the GSS-API level.
+
+   The GSS_Inquire_cred() call is defined primarily for the use of those
+   callers which request use of default credential behavior rather than
+   acquiring credentials explicitly with GSS_Acquire_cred().  It enables
+   callers to determine a credential structure's associated principal
+   name, remaining validity period, usability for security context
+   initiation and/or acceptance, and supported mechanisms.
+
+   For a multi-mechanism credential, the returned "lifetime" specifier
+   indicates the shortest lifetime of any of the mechanisms' elements in
+   the credential (for either context initiation or acceptance
+   purposes).
+
+   GSS_Inquire_cred() should indicate INITIATE-AND-ACCEPT for
+   "cred_usage" if both of the following conditions hold:
+
+      (1) there exists in the credential an element which allows context
+      initiation using some mechanism
+
+      (2) there exists in the credential an element which allows context
+      acceptance using some mechanism (allowably, but not necessarily,
+      one of the same mechanism(s) qualifying for (1)).
+
+   If condition (1) holds but not condition (2), GSS_Inquire_cred()
+   should indicate INITIATE-ONLY for "cred_usage".  If condition (2)
+   holds but not condition (1), GSS_Inquire_cred() should indicate
+   ACCEPT-ONLY for "cred_usage".
+
+
+
+Linn                        Standards Track                    [Page 36]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Callers requiring finer disambiguation among available combinations
+   of lifetimes, usage modes, and mechanisms should call the
+   GSS_Inquire_cred_by_mech() routine, passing that routine one of the
+   mech OIDs returned by GSS_Inquire_cred().
+
+2.1.4:  GSS_Add_cred call
+
+   Inputs:
+
+   o  input_cred_handle CREDENTIAL HANDLE -- handle to credential
+   -- structure created with prior GSS_Acquire_cred() or
+   -- GSS_Add_cred() call; see text for definition of behavior
+   -- when GSS_C_NO_CREDENTIAL provided.
+
+   o  desired_name INTERNAL NAME
+
+   o  initiator_time_req INTEGER -- in seconds; 0 requests default
+
+   o  acceptor_time_req INTEGER -- in seconds; 0 requests default
+
+   o  desired_mech OBJECT IDENTIFIER
+
+   o  cred_usage INTEGER -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+   -- 2=ACCEPT-ONLY
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_cred_handle CREDENTIAL HANDLE, -- NULL to request that
+   -- credential elements be added "in place" to the credential
+   -- structure identified by input_cred_handle,
+   -- non-NULL pointer to request that
+   -- a new credential structure and handle be created.
+   -- if credential handle returned, caller must release with
+   -- GSS_Release_cred()
+
+   o  actual_mechs SET OF OBJECT IDENTIFIER, -- if returned, caller must
+   -- release with GSS_Release_oid_set()
+
+   o  initiator_time_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   o  acceptor_time_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+
+
+
+Linn                        Standards Track                    [Page 37]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+   -- 2=ACCEPT-ONLY
+
+   o  mech_set SET OF OBJECT IDENTIFIER -- full set of mechanisms
+   -- supported by resulting credential.
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+   input_cred_handle argument were valid, and that the resulting
+   credential from GSS_Add_cred() is valid for the durations indicated
+   in initiator_time_rec and acceptor_time_rec, suitable for the usage
+   requested in cred_usage, and for the mechanisms indicated in
+   actual_mechs.
+
+   o  GSS_S_DUPLICATE_ELEMENT indicates that the input desired_mech
+   specified a mechanism for which the referenced credential already
+   contained a credential element with overlapping cred_usage and
+   validity time specifiers.
+
+   o  GSS_S_BAD_MECH indicates that the input desired_mech specified a
+   mechanism unsupported by the GSS-API implementation, causing the
+   GSS_Add_cred() operation to fail.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided desired_name is
+   uninterpretable or of a type unsupported by the applicable underlying
+   GSS-API mechanism(s), so the GSS_Add_cred() operation could not be
+   performed for that name.
+
+   o  GSS_S_BAD_NAME indicates that the provided desired_name is
+   inconsistent in terms of internally-incorporated type specifier
+   information, so the GSS_Add_cred() operation could not be performed
+   for that name.
+
+   o  GSS_S_NO_CRED indicates that the input_cred_handle referenced
+   invalid or inaccessible credentials. In particular, this status
+   should be returned upon temporary user-fixable conditions preventing
+   successful credential establishment or upon lack of authorization to
+   establish or use credentials representing the requested identity.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that referenced credential
+   elements have expired, so the GSS_Add_cred() operation could not be
+   performed.
+
+   o  GSS_S_FAILURE indicates that the operation failed for reasons
+   unspecified at the GSS-API level.
+
+
+
+
+
+Linn                        Standards Track                    [Page 38]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_Add_cred() enables callers to construct credentials iteratively
+   by adding credential elements in successive operations, corresponding
+   to different mechanisms.  This offers particular value in multi-
+   mechanism environments, as the major_status and minor_status values
+   returned on each iteration are individually visible and can therefore
+   be interpreted unambiguously on a per-mechanism basis. A credential
+   element is identified by the name of the principal to which it
+   refers.  GSS-API implementations must impose a local access control
+   policy on callers of this routine to prevent unauthorized callers
+   from acquiring credential elements to which they are not entitled.
+   This routine is not intended to provide a "login to the network"
+   function, as such a function would involve the creation of new
+   mechanism-specific authentication data, rather than merely acquiring
+   a GSS-API handle to existing data.  Such functions, if required,
+   should be defined in implementation-specific extension routines.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may choose to delay the actual acquisition until the
+   credential is required (e.g. by GSS_Init_sec_context() or
+   GSS_Accept_sec_context()).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call
+   of GSS_Inquire_cred() immediately following the call of
+   GSS_Acquire_cred() must return valid credential data, and may
+   therefore incur the overhead of a deferred credential acquisition.
+
+   If GSS_C_NO_CREDENTIAL is specified as input_cred_handle, a non-NULL
+   output_cred_handle must be supplied.  For the case of
+   GSS_C_NO_CREDENTIAL as input_cred_handle, GSS_Add_cred() will create
+   the credential referenced by its output_cred_handle based on default
+   behavior.  That is, the call will have the same effect as if the
+   caller had previously called GSS_Acquire_cred(), specifying the same
+   usage and passing GSS_C_NO_NAME as the desired_name parameter
+   (thereby obtaining an explicit credential handle corresponding to
+   default behavior), had passed that credential handle to
+   GSS_Add_cred(), and had finally called GSS_Release_cred() on the
+   credential handle received from GSS_Acquire_cred().
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways
+   of obtaining GSS-API initiator credentials from the system login
+   process.  Some implementations may therefore not support the
+   acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
+   GSS_Acquire_cred() for any name other than GSS_C_NO_NAME, or a name
+   resulting from applying GSS_Inquire_context() to an active context,
+   or a name resulting from applying GSS_Inquire_cred() against a
+   credential handle corresponding to default behavior. It is important
+   to recognize that the explicit name which is yielded by resolving a
+   default reference may change over time, e.g., as a result of local
+
+
+
+Linn                        Standards Track                    [Page 39]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   credential element management operations outside GSS-API; once
+   resolved, however, the value of such an explicit name will remain
+   constant.
+
+   A caller may provide the value NULL (GSS_C_NO_NAME) for desired_name,
+   which will be interpreted as a request for a credential handle that
+   will invoke default behavior when passed to GSS_Init_sec_context(),
+   if cred_usage is GSS_C_INITIATE or GSS_C_BOTH, or
+   GSS_Accept_sec_context(), if cred_usage is GSS_C_ACCEPT or
+   GSS_C_BOTH.
+
+   The same input desired_name, or default reference, should be used on
+   all GSS_Acquire_cred() and GSS_Add_cred() calls corresponding to a
+   particular credential.
+
+2.1.5:  GSS_Inquire_cred_by_mech call
+
+   Inputs:
+
+   o  cred_handle CREDENTIAL HANDLE -- if GSS_C_NO_CREDENTIAL
+   -- specified, default initiator credentials are queried
+
+   o  mech_type OBJECT IDENTIFIER  -- specific mechanism for
+   -- which credentials are being queried
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  cred_name INTERNAL NAME, -- guaranteed to be MN; caller must
+   -- release with GSS_Release_name()
+
+   o  lifetime_rec_initiate INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   o  lifetime_rec_accept INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   o  cred_usage INTEGER, -- 0=INITIATE-AND-ACCEPT, 1=INITIATE-ONLY,
+   -- 2=ACCEPT-ONLY
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the credentials referenced by the
+   input cred_handle argument were valid, that the mechanism indicated
+   by the input mech_type was represented with elements within those
+
+
+
+Linn                        Standards Track                    [Page 40]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   credentials, and that the output cred_name, lifetime_rec_initiate,
+   lifetime_rec_accept, and cred_usage values represent, respectively,
+   the credentials' associated principal name, remaining lifetimes, and
+   suitable usage modes.
+
+   o  GSS_S_NO_CRED indicates that no information could be returned
+   about the referenced credentials, either because the input
+   cred_handle was invalid or because the caller lacks authorization to
+   access the referenced credentials.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that the referenced
+   credentials are invalid.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the referenced
+   credentials have expired.
+
+   o  GSS_S_BAD_MECH indicates that the referenced credentials do not
+   contain elements for the requested mechanism.
+
+   o  GSS_S_FAILURE indicates that the operation failed for reasons
+   unspecified at the GSS-API level.
+
+   The GSS_Inquire_cred_by_mech() call enables callers in multi-
+   mechanism environments to acquire specific data about available
+   combinations of lifetimes, usage modes, and mechanisms within a
+   credential structure.  The lifetime_rec_initiate result indicates the
+   available lifetime for context initiation purposes; the
+   lifetime_rec_accept result indicates the available lifetime for
+   context acceptance purposes.
+
+2.2:  Context-level calls
+
+   This group of calls is devoted to the establishment and management of
+   security contexts between peers. A context's initiator calls
+   GSS_Init_sec_context(), resulting in generation of a token which the
+   caller passes to the target. At the target, that token is passed to
+   GSS_Accept_sec_context(). Depending on the underlying mech_type and
+   specified options, additional token exchanges may be performed in the
+   course of context establishment; such exchanges are accommodated by
+   GSS_S_CONTINUE_NEEDED status returns from GSS_Init_sec_context() and
+   GSS_Accept_sec_context().
+
+   Either party to an established context may invoke
+   GSS_Delete_sec_context() to flush context information when a context
+   is no longer required. GSS_Process_context_token() is used to process
+   received tokens carrying context-level control information.
+   GSS_Context_time() allows a caller to determine the length of time
+   for which an established context will remain valid.
+
+
+
+Linn                        Standards Track                    [Page 41]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_Inquire_context() returns status information describing context
+   characteristics. GSS_Wrap_size_limit() allows a caller to determine
+   the size of a token which will be generated by a GSS_Wrap()
+   operation.  GSS_Export_sec_context() and GSS_Import_sec_context()
+   enable transfer of active contexts between processes on an end
+   system.
+
+2.2.1:  GSS_Init_sec_context call
+
+   Inputs:
+
+   o  claimant_cred_handle CREDENTIAL HANDLE, -- NULL specifies "use
+   -- default"
+
+   o  input_context_handle CONTEXT HANDLE, -- 0
+   -- (GSS_C_NO_CONTEXT) specifies "none assigned yet"
+
+   o  targ_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER, -- NULL parameter specifies "use
+   -- default"
+
+   o  deleg_req_flag BOOLEAN,
+
+   o  mutual_req_flag BOOLEAN,
+
+   o  replay_det_req_flag BOOLEAN,
+
+   o  sequence_req_flag BOOLEAN,
+
+   o  anon_req_flag BOOLEAN,
+
+   o  conf_req_flag BOOLEAN,
+
+   o  integ_req_flag BOOLEAN,
+
+   o  lifetime_req INTEGER, -- 0 specifies default lifetime
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING -- NULL or token received from target
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 42]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  output_context_handle CONTEXT HANDLE,  -- once returned non-NULL,
+   -- caller must release with GSS_Delete_sec_context()
+
+   o  mech_type OBJECT IDENTIFIER, -- actual mechanism always
+   -- indicated, never NULL; caller should treat as read-only
+   -- and should not attempt to release
+
+   o  output_token OCTET STRING, -- NULL or token to pass to context
+   -- target; caller must release with GSS_Release_buffer()
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN, -- see Section 1.2.7
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   This call may block pending network interactions for those mech_types
+   in which an authentication server or other network entity must be
+   consulted on behalf of a context initiator in order to generate an
+   output_token suitable for presentation to a specified target.
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that context-level information was
+   successfully initialized, and that the returned output_token will
+   provide sufficient information for the target to perform per-message
+   processing on the newly-established context.
+
+   o  GSS_S_CONTINUE_NEEDED indicates that control information in the
+   returned output_token must be sent to the target, and that a reply
+   must be received and passed as the input_token argument
+
+
+
+
+
+Linn                        Standards Track                    [Page 43]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   to a continuation call to GSS_Init_sec_context(), before per-message
+   processing can be performed in conjunction with this context (unless
+   the prot_ready_state value is concurrently returned TRUE).
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+   on the input_token failed, preventing further processing from being
+   performed based on that token.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
+   performed on the credential structure referenced by
+   claimant_cred_handle failed, preventing further processing from being
+   performed using that credential structure.
+
+   o  GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received
+   input_token contains an incorrect integrity check, so context setup
+   cannot be accomplished.
+
+   o  GSS_S_NO_CRED indicates that no context was established, either
+   because the input cred_handle was invalid, because the referenced
+   credentials are valid for context acceptor use only, because the
+   caller lacks authorization to access the referenced credentials, or
+   because the resolution of default credentials failed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided
+   through the input claimant_cred_handle argument are no longer valid,
+   so context establishment cannot be completed.
+
+   o  GSS_S_BAD_BINDINGS indicates that a mismatch between the caller-
+   provided chan_bindings and those extracted from the input_token was
+   detected, signifying a security-relevant event and preventing context
+   establishment. (This result will be returned by
+   GSS_Init_sec_context() only for contexts where mutual_state is TRUE.)
+
+   o  GSS_S_OLD_TOKEN indicates that the input_token is too old to be
+   checked for integrity. This is a fatal error during context
+   establishment.
+
+   o  GSS_S_DUPLICATE_TOKEN indicates that the input token has a correct
+   integrity check, but is a duplicate of a token already processed.
+   This is a fatal error during context establishment.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided; this major status will be
+   returned only for successor calls following GSS_S_CONTINUE_ NEEDED
+   status returns.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 44]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_BAD_NAMETYPE indicates that the provided targ_name is of a
+   type uninterpretable or unsupported by the applicable underlying
+   GSS-API mechanism(s), so context establishment cannot be completed.
+
+   o  GSS_S_BAD_NAME indicates that the provided targ_name is
+   inconsistent in terms of internally-incorporated type specifier
+   information, so context establishment cannot be accomplished.
+
+   o  GSS_S_BAD_MECH indicates receipt of a context establishment token
+   or of a caller request specifying a mechanism unsupported by the
+   local system or with the caller's active credentials
+
+   o  GSS_S_FAILURE indicates that context setup could not be
+   accomplished for reasons unspecified at the GSS-API level, and that
+   no interface-defined recovery action is available.
+
+   This routine is used by a context initiator, and ordinarily emits an
+   output_token suitable for use by the target within the selected
+   mech_type's protocol.  For the case of a multi-step exchange, this
+   output_token will be one in a series, each generated by a successive
+   call. Using information in the credentials structure referenced by
+   claimant_cred_handle, GSS_Init_sec_context() initializes the data
+   structures required to establish a security context with target
+   targ_name.
+
+   The targ_name may be any valid INTERNAL NAME; it need not be an MN.
+   In addition to support for other name types, it is recommended (newly
+   as of GSS-V2, Update 1) that mechanisms be able to accept
+   GSS_C_NO_NAME as an input type for targ_name.  While recommended,
+   such support is not required, and it is recognized that not all
+   mechanisms can construct tokens without explicitly naming the context
+   target, even when mutual authentication of the target is not
+   obtained.  Callers wishing to make use of this facility and concerned
+   with portability should be aware that support for GSS_C_NO_NAME as
+   input targ_name type is unlikely to be provided within mechanism
+   definitions specified prior to GSS-V2, Update 1.
+
+   The claimant_cred_handle must correspond to the same valid
+   credentials structure on the initial call to GSS_Init_sec_context()
+   and on any successor calls resulting from GSS_S_CONTINUE_NEEDED
+   status returns; different protocol sequences modeled by the
+   GSS_S_CONTINUE_NEEDED facility will require access to credentials at
+   different points in the context establishment sequence.
+
+   The caller-provided input_context_handle argument is to be 0
+   (GSS_C_NO_CONTEXT), specifying "not yet assigned", on the first
+   GSS_Init_sec_context()  call relating to a given context. If
+   successful (i.e., if accompanied by major_status GSS_S_COMPLETE or
+
+
+
+Linn                        Standards Track                    [Page 45]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   GSS_S_CONTINUE_NEEDED), and only if successful, the initial
+   GSS_Init_sec_context() call returns a non-zero output_context_handle
+   for use in future references to this context.  Once a non-zero
+   output_context_handle has been returned, GSS-API callers should call
+   GSS_Delete_sec_context() to release context-related resources if
+   errors occur in later phases of context establishment, or when an
+   established context is no longer required. If GSS_Init_sec_context()
+   is passed the handle of a context which is already fully established,
+   GSS_S_FAILURE status is returned.
+
+   When continuation attempts to GSS_Init_sec_context() are needed to
+   perform context establishment, the previously-returned non-zero
+   handle value is entered into the input_context_handle argument and
+   will be echoed in the returned output_context_handle argument. On
+   such continuation attempts (and only on continuation attempts) the
+   input_token value is used, to provide the token returned from the
+   context's target.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The input_token argument contains a message received from the target,
+   and is significant only on a call to GSS_Init_sec_context() which
+   follows a previous return indicating GSS_S_CONTINUE_NEEDED
+   major_status.
+
+   It is the caller's responsibility to establish a communications path
+   to the target, and to transmit any returned output_token (independent
+   of the accompanying returned major_status value) to the target over
+   that path. The output_token can, however, be transmitted along with
+   the first application-provided input message to be processed by
+   GSS_GetMIC() or GSS_Wrap() in conjunction with a successfully-
+   established context. (Note: when the GSS-V2 prot_ready_state
+   indicator is returned TRUE, it can be possible to transfer a
+   protected message before context establishment is complete:  see also
+   Section 1.2.7)
+
+   The initiator may request various context-level functions through
+   input flags: the deleg_req_flag requests delegation of access rights,
+   the mutual_req_flag requests mutual authentication, the
+   replay_det_req_flag requests that replay detection features be
+   applied to messages transferred on the established context, and the
+   sequence_req_flag requests that sequencing be enforced. (See Section
+
+
+
+
+
+Linn                        Standards Track                    [Page 46]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   1.2.3 for more information on replay detection and sequencing
+   features.)  The anon_req_flag requests that the initiator's identity
+   not be transferred within tokens to be sent to the acceptor.
+
+   The conf_req_flag and integ_req_flag provide informatory inputs to
+   the GSS-API implementation as to whether, respectively, per-message
+   confidentiality and per-message integrity services will be required
+   on the context.  This information is important as an input to
+   negotiating mechanisms.  It is important to recognize, however, that
+   the inclusion of these flags (which are newly defined for GSS-V2)
+   introduces a backward incompatibility with callers implemented to
+   GSS-V1, where the flags were not defined.  Since no GSS-V1 callers
+   would set these flags, even if per-message services are desired,
+   GSS-V2 mechanism implementations which enable such services
+   selectively based on the flags' values may fail to provide them to
+   contexts established for GSS-V1 callers.  It may be appropriate under
+   certain circumstances, therefore, for such mechanism implementations
+   to infer these service request flags to be set if a caller is known
+   to be implemented to GSS-V1.
+
+   Not all of the optionally-requestable features will be available in
+   all underlying mech_types. The corresponding return state values
+   deleg_state, mutual_state, replay_det_state, and sequence_state
+   indicate, as a function of mech_type processing capabilities and
+   initiator-provided input flags, the set of features which will be
+   active on the context.  The returned trans_state value indicates
+   whether the context is transferable to other processes through use of
+   GSS_Export_sec_context().  These state indicators' values are
+   undefined unless either the routine's major_status indicates
+   GSS_S_COMPLETE, or TRUE prot_ready_state is returned along with
+   GSS_S_CONTINUE_NEEDED major_status; for the latter case, it is
+   possible that additional features, not confirmed or indicated along
+   with TRUE prot_ready_state, will be confirmed and indicated when
+   GSS_S_COMPLETE is subsequently returned.
+
+   The returned anon_state and prot_ready_state values are significant
+   for both GSS_S_COMPLETE and GSS_S_CONTINUE_NEEDED major_status
+   returns from GSS_Init_sec_context(). When anon_state is returned
+   TRUE, this indicates that neither the current token nor its
+   predecessors delivers or has delivered the initiator's identity.
+   Callers wishing to perform context establishment only if anonymity
+   support is provided should transfer a returned token from
+   GSS_Init_sec_context() to the peer only if it is accompanied by a
+   TRUE anon_state indicator.  When prot_ready_state is returned TRUE in
+   conjunction with GSS_S_CONTINUE_NEEDED major_status, this indicates
+   that per-message protection operations may be applied on the context:
+   see Section 1.2.7 for further discussion of this facility.
+
+
+
+
+Linn                        Standards Track                    [Page 47]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Failure to provide the precise set of features requested by the
+   caller does not cause context establishment to fail; it is the
+   caller's prerogative to delete the context if the feature set
+   provided is unsuitable for the caller's use.
+
+   The returned mech_type value indicates the specific mechanism
+   employed on the context; it will never indicate the value for
+   "default".  A valid mech_type result must be returned along with a
+   GSS_S_COMPLETE status return; GSS-API implementations may (but are
+   not required to) also return mech_type along with predecessor calls
+   indicating GSS_S_CONTINUE_NEEDED status or (if a mechanism is
+   determinable) in conjunction with fatal error cases.  For the case of
+   mechanisms which themselves perform negotiation, the returned
+   mech_type result may indicate selection of a mechanism identified by
+   an OID different than that passed in the input mech_type argument,
+   and the returned value may change between successive calls returning
+   GSS_S_CONTINUE_NEEDED and the final call returning GSS_S_COMPLETE.
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+   input to GSS_Wrap() can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_GetMIC() or GSS_Wrap()) on
+   the established context. These state indicators' values are undefined
+   unless either the routine's major_status indicates GSS_S_COMPLETE, or
+   TRUE prot_ready_state is returned along with GSS_S_CONTINUE_NEEDED
+   major_status.
+
+   The lifetime_req input specifies a desired upper bound for the
+   lifetime of the context to be established, with a value of 0 used to
+   request a default lifetime. The lifetime_rec return value indicates
+   the length of time for which the context will be valid, expressed as
+   an offset from the present; depending on mechanism capabilities,
+   credential lifetimes, and local policy, it may not correspond to the
+   value requested in lifetime_req.  If no constraints on context
+   lifetime are imposed, this may be indicated by returning a reserved
+   value representing INDEFINITE lifetime_req. The value of lifetime_rec
+   is undefined unless the routine's major_status indicates
+   GSS_S_COMPLETE.
+
+   If the mutual_state is TRUE, this fact will be reflected within the
+   output_token. A call to GSS_Accept_sec_context() at the target in
+   conjunction with such a context will return a token, to be processed
+   by a continuation call to GSS_Init_sec_context(), in order to achieve
+   mutual authentication.
+
+
+
+
+
+Linn                        Standards Track                    [Page 48]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.2.2:  GSS_Accept_sec_context call
+
+   Inputs:
+
+   o  acceptor_cred_handle CREDENTIAL HANDLE, -- NULL specifies
+   -- "use default"
+
+   o  input_context_handle CONTEXT HANDLE, -- 0
+   -- (GSS_C_NO_CONTEXT) specifies "not yet assigned"
+
+   o  chan_bindings OCTET STRING,
+
+   o  input_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  src_name INTERNAL NAME, -- guaranteed to be MN
+   -- once returned, caller must release with GSS_Release_name()
+
+   o  mech_type OBJECT IDENTIFIER, -- caller should treat as
+   -- read-only; does not need to be released
+
+   o  output_context_handle CONTEXT HANDLE, -- once returned
+   -- non-NULL in context establishment sequence, caller
+   -- must release with GSS_Delete_sec_context()
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN, -- see Section 1.2.7 for discussion
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+
+
+
+Linn                        Standards Track                    [Page 49]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  lifetime_rec INTEGER, -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   o  delegated_cred_handle CREDENTIAL HANDLE, -- if returned non-NULL,
+   -- caller must release with GSS_Release_cred()
+
+   o  output_token OCTET STRING -- NULL or token to pass to context
+   -- initiator; if returned non-NULL, caller must release with
+   -- GSS_Release_buffer()
+
+   This call may block pending network interactions for those mech_types
+   in which a directory service or other network entity must be
+   consulted on behalf of a context acceptor in order to validate a
+   received input_token.
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that context-level data structures were
+   successfully initialized, and that per-message processing can now be
+   performed in conjunction with this context.
+
+   o  GSS_S_CONTINUE_NEEDED indicates that control information in the
+   returned output_token must be sent to the initiator, and that a
+   response must be received and passed as the input_token argument to a
+   continuation call to GSS_Accept_sec_context(), before per-message
+   processing can be performed in conjunction with this context.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+   on the input_token failed, preventing further processing from being
+   performed based on that token.
+
+   o  GSS_S_DEFECTIVE_CREDENTIAL indicates that consistency checks
+   performed on the credential structure referenced by
+   acceptor_cred_handle failed, preventing further processing from being
+   performed using that credential structure.
+
+   o  GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received
+   input_token contains an incorrect integrity check, so context setup
+   cannot be accomplished.
+
+   o  GSS_S_DUPLICATE_TOKEN indicates that the integrity check on the
+   received input_token was correct, but that the input_token was
+   recognized as a duplicate of an input_token already processed. No new
+   context is established.
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 50]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_OLD_TOKEN indicates that the integrity check on the received
+   input_token was correct, but that the input_token is too old to be
+   checked for duplication against previously-processed input_tokens. No
+   new context is established.
+
+   o  GSS_S_NO_CRED indicates that no context was established, either
+   because the input cred_handle was invalid, because the referenced
+   credentials are valid for context initiator use only, because the
+   caller lacks authorization to access the referenced credentials, or
+   because the procedure for default credential resolution failed.
+
+   o  GSS_S_CREDENTIALS_EXPIRED indicates that the credentials provided
+   through the input acceptor_cred_handle argument are no longer valid,
+   so context establishment cannot be completed.
+
+   o  GSS_S_BAD_BINDINGS indicates that a mismatch between the caller-
+   provided chan_bindings and those extracted from the input_token was
+   detected, signifying a security-relevant event and preventing context
+   establishment.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided; this major status will be
+   returned only for successor calls following GSS_S_CONTINUE_ NEEDED
+   status returns.
+
+   o  GSS_S_BAD_MECH indicates receipt of a context establishment token
+   specifying a mechanism unsupported by the local system or with the
+   caller's active credentials.
+
+   o  GSS_S_FAILURE indicates that context setup could not be
+   accomplished for reasons unspecified at the GSS-API level, and that
+   no interface-defined recovery action is available.
+
+   The GSS_Accept_sec_context() routine is used by a context target.
+   Using information in the credentials structure referenced by the
+   input acceptor_cred_handle, it verifies the incoming input_token and
+   (following the successful completion of a context establishment
+   sequence) returns the authenticated src_name and the mech_type used.
+   The returned src_name is guaranteed to be an MN, processed by the
+   mechanism under which the context was established. The
+   acceptor_cred_handle must correspond to the same valid credentials
+   structure on the initial call to GSS_Accept_sec_context() and on any
+   successor calls resulting from GSS_S_CONTINUE_NEEDED status returns;
+   different protocol sequences modeled by the GSS_S_CONTINUE_NEEDED
+   mechanism will require access to credentials at different points in
+   the context establishment sequence.
+
+
+
+
+
+Linn                        Standards Track                    [Page 51]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   The caller-provided input_context_handle argument is to be 0
+   (GSS_C_NO_CONTEXT), specifying "not yet assigned", on the first
+   GSS_Accept_sec_context() call relating to a given context. If
+   successful (i.e., if accompanied by major_status GSS_S_COMPLETE or
+   GSS_S_CONTINUE_NEEDED), and only if successful, the initial
+   GSS_Accept_sec_context() call returns a non-zero
+   output_context_handle for use in future references to this context.
+   Once a non-zero output_context_handle has been returned, GSS-API
+   callers should call GSS_Delete_sec_context() to release context-
+   related resources if errors occur in later phases of context
+   establishment, or when an established context is no longer required.
+   If GSS_Accept_sec_context() is passed the handle of a context which
+   is already fully established, GSS_S_FAILURE status is returned.
+
+   The chan_bindings argument is used by the caller to provide
+   information binding the security context to security-related
+   characteristics (e.g., addresses, cryptographic keys) of the
+   underlying communications channel. See Section 1.1.6 of this document
+   for more discussion of this argument's usage.
+
+   The returned state results (deleg_state, mutual_state,
+   replay_det_state, sequence_state, anon_state, trans_state, and
+   prot_ready_state) reflect the same information as described for
+   GSS_Init_sec_context(), and their values are significant under the
+   same return state conditions.
+
+   The conf_avail return value indicates whether the context supports
+   per-message confidentiality services, and so informs the caller
+   whether or not a request for encryption through the conf_req_flag
+   input to GSS_Wrap() can be honored. In similar fashion, the
+   integ_avail return value indicates whether per-message integrity
+   services are available (through either GSS_GetMIC()  or GSS_Wrap())
+   on the established context.  These values are significant under the
+   same return state conditions as described under
+   GSS_Init_sec_context().
+
+   The lifetime_rec return value is significant only in conjunction with
+   GSS_S_COMPLETE major_status, and indicates the length of time for
+   which the context will be valid, expressed as an offset from the
+   present.
+
+   The returned mech_type value indicates the specific mechanism
+   employed on the context; it will never indicate the value for
+   "default".  A valid mech_type result must be returned whenever
+   GSS_S_COMPLETE status is indicated; GSS-API implementations may (but
+   are not required to) also return mech_type along with predecessor
+   calls indicating GSS_S_CONTINUE_NEEDED status or (if a mechanism is
+   determinable) in conjunction with fatal error cases.  For the case of
+
+
+
+Linn                        Standards Track                    [Page 52]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   mechanisms which themselves perform negotiation, the returned
+   mech_type result may indicate selection of a mechanism identified by
+   an OID different than that passed in the input mech_type argument,
+   and the returned value may change between successive calls returning
+   GSS_S_CONTINUE_NEEDED and the final call returning GSS_S_COMPLETE.
+
+   The delegated_cred_handle result is significant only when deleg_state
+   is TRUE, and provides a means for the target to reference the
+   delegated credentials. The output_token result, when non-NULL,
+   provides a context-level token to be returned to the context
+   initiator to continue a multi-step context establishment sequence. As
+   noted with GSS_Init_sec_context(), any returned token should be
+   transferred to the context's peer (in this case, the context
+   initiator), independent of the value of the accompanying returned
+   major_status.
+
+   Note: A target must be able to distinguish a context-level
+   input_token, which is passed to GSS_Accept_sec_context(), from the
+   per-message data elements passed to GSS_VerifyMIC()  or GSS_Unwrap().
+   These data elements may arrive in a single application message, and
+   GSS_Accept_sec_context() must be performed before per-message
+   processing can be performed successfully.
+
+2.2.3: GSS_Delete_sec_context call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_context_token OCTET STRING
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the context was recognized, and that
+   relevant context-specific information was flushed.  If the caller
+   provides a non-null buffer to receive an output_context_token, and
+   the mechanism returns a non-NULL token into that buffer, the returned
+   output_context_token is ready for transfer to the context's peer.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided, so no deletion was performed.
+
+
+
+
+Linn                        Standards Track                    [Page 53]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the GSS_Delete_sec_context() operation could not be performed for
+   reasons unspecified at the GSS-API level.
+
+   This call can be made by either peer in a security context, to flush
+   context-specific information. Once a non-zero output_context_handle
+   has been returned by context establishment calls, GSS-API callers
+   should call GSS_Delete_sec_context() to release context-related
+   resources if errors occur in later phases of context establishment,
+   or when an established context is no longer required.  This call may
+   block pending network interactions for mech_types in which active
+   notification must be made to a central server when a security context
+   is to be deleted.
+
+   If a non-null output_context_token parameter is provided by the
+   caller, an output_context_token may be returned to the caller.  If an
+   output_context_token is provided to the caller, it can be passed to
+   the context's peer to inform the peer's GSS-API implementation that
+   the peer's corresponding context information can also be flushed.
+   (Once a context is established, the peers involved are expected to
+   retain cached credential and context-related information until the
+   information's expiration time is reached or until a
+   GSS_Delete_sec_context() call is made.)
+
+   The facility for context_token usage to signal context deletion is
+   retained for compatibility with GSS-API Version 1.  For current
+   usage, it is recommended that both peers to a context invoke
+   GSS_Delete_sec_context() independently, passing a null
+   output_context_token buffer to indicate that no context_token is
+   required.  Implementations of GSS_Delete_sec_context() should delete
+   relevant locally-stored context information.
+
+   Attempts to perform per-message processing on a deleted context will
+   result in error returns.
+
+2.2.4:  GSS_Process_context_token call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  input_context_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+Linn                        Standards Track                    [Page 54]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_context_token was
+   successfully processed in conjunction with the context referenced by
+   context_handle.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+   on the received context_token failed, preventing further processing
+   from being performed with that token.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the GSS_Process_context_token() operation could not be performed for
+   reasons unspecified at the GSS-API level.
+
+   This call is used to process context_tokens received from a peer once
+   a context has been established, with corresponding impact on
+   context-level state information. One use for this facility is
+   processing of the context_tokens generated by
+   GSS_Delete_sec_context(); GSS_Process_context_token() will not block
+   pending network interactions for that purpose. Another use is to
+   process tokens indicating remote-peer context establishment failures
+   after the point where the local GSS-API implementation has already
+   indicated GSS_S_COMPLETE status.
+
+2.2.5:  GSS_Context_time call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context is valid, and
+   will remain valid for the amount of time indicated in lifetime_rec.
+
+
+
+
+
+Linn                        Standards Track                    [Page 55]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that data items related to the
+   referenced context have expired.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level.
+
+   This call is used to determine the amount of time for which a
+   currently established context will remain valid.
+
+2.2.6: GSS_Inquire_context call
+
+   Input:
+
+   o  context_handle CONTEXT HANDLE,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  src_name INTERNAL NAME,  -- name of context initiator,
+   -- guaranteed to be MN;
+   -- caller must release with GSS_Release_name() if returned
+
+   o  targ_name INTERNAL NAME,  -- name of context target,
+   -- guaranteed to be MN;
+   -- caller must release with GSS_Release_name() if returned
+
+   o  lifetime_rec INTEGER -- in seconds, or reserved value for
+   -- INDEFINITE or EXPIRED
+
+   o  mech_type OBJECT IDENTIFIER, -- the mechanism supporting this
+   -- security context; caller should treat as read-only and not
+   -- attempt to release
+
+   o  deleg_state BOOLEAN,
+
+   o  mutual_state BOOLEAN,
+
+   o  replay_det_state BOOLEAN,
+
+   o  sequence_state BOOLEAN,
+
+   o  anon_state BOOLEAN,
+
+
+
+Linn                        Standards Track                    [Page 56]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  trans_state BOOLEAN,
+
+   o  prot_ready_state BOOLEAN,
+
+   o  conf_avail BOOLEAN,
+
+   o  integ_avail BOOLEAN,
+
+   o  locally_initiated BOOLEAN, -- TRUE if initiator, FALSE if acceptor
+
+   o  open BOOLEAN, -- TRUE if context fully established, FALSE
+   -- if partly established (in CONTINUE_NEEDED state)
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context is valid and
+   that deleg_state, mutual_state, replay_det_state, sequence_state,
+   anon_state, trans_state, prot_ready_state, conf_avail, integ_avail,
+   locally_initiated, and open return values describe the corresponding
+   characteristics of the context.  If open is TRUE, lifetime_rec is
+   also returned: if open is TRUE and the context peer's name is known,
+   src_name and targ_name are valid in addition to the values listed
+   above.  The mech_type value must be returned for contexts where open
+   is TRUE and may be returned for contexts where open is FALSE.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided. Return values other than
+   major_status and minor_status are undefined.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call is used to extract information describing characteristics
+   of a security context.  Note that GSS-API implementations are
+   expected to retain inquirable context data on a context until the
+   context is released by a caller, even after the context has expired,
+   although underlying cryptographic data elements may be deleted after
+   expiration in order to limit their exposure.
+
+2.2.7:   GSS_Wrap_size_limit call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  conf_req_flag BOOLEAN,
+
+
+
+
+Linn                        Standards Track                    [Page 57]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  qop INTEGER,
+
+   o  output_size INTEGER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  max_input_size INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates a successful token size determination:
+   an input message with a length in octets equal to the returned
+   max_input_size value will, when passed to GSS_Wrap() for processing
+   on the context identified by the context_handle parameter with the
+   confidentiality request state as provided in conf_req_flag and with
+   the quality of protection specifier provided in the qop parameter,
+   yield an output token no larger than the value of the provided
+   output_size parameter.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that the provided input
+   context_handle is recognized, but that the referenced context has
+   expired.  Return values other than major_status and minor_status are
+   undefined.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided. Return values other than
+   major_status and minor_status are undefined.
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+   recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call is used to determine the largest input datum which may be
+   passed to GSS_Wrap() without yielding an output token larger than a
+   caller-specified value.
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 58]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.2.8:   GSS_Export_sec_context call
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  interprocess_token OCTET STRING  -- caller must release
+   -- with GSS_Release_buffer()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the referenced context has been
+   successfully exported to a representation in the interprocess_token,
+   and is no longer available for use by the caller.
+
+   o  GSS_S_UNAVAILABLE indicates that the context export facility is
+   not available for use on the referenced context.  (This status should
+   occur only for contexts for which the trans_state value is FALSE.)
+   Return values other than major_status and minor_status are undefined.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that the provided input
+   context_handle is recognized, but that the referenced context has
+   expired.  Return values other than major_status and minor_status are
+   undefined.
+
+   o  GSS_S_NO_CONTEXT indicates that no valid context was recognized
+   for the input context_handle provided. Return values other than
+   major_status and minor_status are undefined.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call generates an interprocess token for transfer to another
+   process within an end system, in order to transfer control of a
+   security context to that process.  The recipient of the interprocess
+   token will call GSS_Import_sec_context() to accept the transfer.  The
+   GSS_Export_sec_context() operation is defined for use only with
+   security contexts which are fully and successfully established (i.e.,
+   those for which GSS_Init_sec_context() and GSS_Accept_sec_context()
+   have returned GSS_S_COMPLETE major_status).
+
+
+
+
+Linn                        Standards Track                    [Page 59]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   A successful GSS_Export_sec_context() operation deactivates the
+   security context for the calling process; for this case, the GSS-API
+   implementation shall deallocate all process-wide resources associated
+   with the security context and shall set the context_handle to
+   GSS_C_NO_CONTEXT.  In the event of an error that makes it impossible
+   to complete export of the security context, the GSS-API
+   implementation must not return an interprocess token and should
+   strive to leave the security context referenced by the context_handle
+   untouched.  If this is impossible, it is permissible for the
+   implementation to delete the security context, provided that it also
+   sets the context_handle parameter to GSS_C_NO_CONTEXT.
+
+   Portable callers must not assume that a given interprocess token can
+   be imported by GSS_Import_sec_context() more than once, thereby
+   creating multiple instantiations of a single context.  GSS-API
+   implementations may detect and reject attempted multiple imports, but
+   are not required to do so.
+
+   The internal representation contained within the interprocess token
+   is an implementation-defined local matter.  Interprocess tokens
+   cannot be assumed to be transferable across different GSS-API
+   implementations.
+
+   It is recommended that GSS-API implementations adopt policies suited
+   to their operational environments in order to define the set of
+   processes eligible to import a context, but specific constraints in
+   this area are local matters.  Candidate examples include transfers
+   between processes operating on behalf of the same user identity, or
+   processes comprising a common job.  However, it may be impossible to
+   enforce such policies in some implementations.
+
+   In support of the above goals, implementations may protect the
+   transferred context data by using cryptography to protect data within
+   the interprocess token, or by using interprocess tokens as a means to
+   reference local interprocess communication facilities (protected by
+   other means) rather than storing the context data directly within the
+   tokens.
+
+   Transfer of an open context may, for certain mechanisms and
+   implementations, reveal data about the credential which was used to
+   establish the context.  Callers should, therefore, be cautious about
+   the trustworthiness of processes to which they transfer contexts.
+   Although the GSS-API implementation may provide its own set of
+   protections over the exported context, the caller is responsible for
+   protecting the interprocess token from disclosure, and for taking
+   care that the context is transferred to an appropriate destination
+   process.
+
+
+
+
+Linn                        Standards Track                    [Page 60]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.2.9:   GSS_Import_sec_context call
+
+   Inputs:
+
+   o  interprocess_token OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  context_handle CONTEXT HANDLE  -- if successfully returned,
+   -- caller must release with GSS_Delete_sec_context()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the context represented by the input
+   interprocess_token has been successfully transferred to the caller,
+   and is available for future use via the output context_handle.
+
+   o  GSS_S_NO_CONTEXT indicates that the context represented by the
+   input interprocess_token was invalid. Return values other than
+   major_status and minor_status are undefined.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that the input interprocess_token
+   was defective.  Return values other than major_status and
+   minor_status are undefined.
+
+   o  GSS_S_UNAVAILABLE indicates that the context import facility is
+   not available for use on the referenced context.  Return values other
+   than major_status and minor_status are undefined.
+
+   o  GSS_S_UNAUTHORIZED indicates that the context represented by the
+   input interprocess_token is unauthorized for transfer to the caller.
+   Return values other than major_status and minor_status are undefined.
+
+   o  GSS_S_FAILURE indicates that the requested operation failed for
+   reasons unspecified at the GSS-API level. Return values other than
+   major_status and minor_status are undefined.
+
+   This call processes an interprocess token generated by
+   GSS_Export_sec_context(), making the transferred context available
+   for use by the caller.  After a successful GSS_Import_sec_context()
+   operation, the imported context is available for use by the importing
+   process. In particular, the imported context is usable for all per-
+   message operations and may be deleted or exported by its importer.
+   The inability to receive delegated credentials through
+
+
+
+Linn                        Standards Track                    [Page 61]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   gss_import_sec_context() precludes establishment of new contexts
+   based on information delegated to the importer's end system within
+   the context which is being imported, unless those delegated
+   credentials are obtained through separate routines (e.g., XGSS-API
+   calls) outside the GSS-V2 definition.
+
+   For further discussion of the security and authorization issues
+   regarding this call, please see the discussion in Section 2.2.8.
+
+2.3:  Per-message calls
+
+   This group of calls is used to perform per-message protection
+   processing on an established security context. None of these calls
+   block pending network interactions. These calls may be invoked by a
+   context's initiator or by the context's target.  The four members of
+   this group should be considered as two pairs; the output from
+   GSS_GetMIC() is properly input to GSS_VerifyMIC(), and the output
+   from GSS_Wrap() is properly input to GSS_Unwrap().
+
+   GSS_GetMIC() and GSS_VerifyMIC() support data origin authentication
+   and data integrity services. When GSS_GetMIC() is invoked on an input
+   message, it yields a per-message token containing data items which
+   allow underlying mechanisms to provide the specified security
+   services. The original message, along with the generated per-message
+   token, is passed to the remote peer; these two data elements are
+   processed by GSS_VerifyMIC(), which validates the message in
+   conjunction with the separate token.
+
+   GSS_Wrap() and GSS_Unwrap() support caller-requested confidentiality
+   in addition to the data origin authentication and data integrity
+   services offered by GSS_GetMIC() and GSS_VerifyMIC(). GSS_Wrap()
+   outputs a single data element, encapsulating optionally enciphered
+   user data as well as associated token data items.  The data element
+   output from GSS_Wrap() is passed to the remote peer and processed by
+   GSS_Unwrap() at that system. GSS_Unwrap() combines decipherment (as
+   required) with validation of data items related to authentication and
+   integrity.
+
+   Although zero-length tokens are never returned by GSS calls for
+   transfer to a context's peer, a zero-length object may be passed by a
+   caller into GSS_Wrap(), in which case the corresponding peer calling
+   GSS_Unwrap() on the transferred token will receive a zero-length
+   object as output from GSS_Unwrap().  Similarly, GSS_GetMIC() can be
+   called on an empty object, yielding a MIC which GSS_VerifyMIC() will
+   successfully verify against the active security context in
+   conjunction with a zero-length object.
+
+
+
+
+
+Linn                        Standards Track                    [Page 62]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.3.1:  GSS_GetMIC call
+
+   Note: This call is functionally equivalent to the GSS_Sign call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Sign are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  qop_req INTEGER, -- 0 specifies default QOP
+
+   o  message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  per_msg_token OCTET STRING  -- caller must release
+   -- with GSS_Release_buffer()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that an integrity check, suitable for an
+   established security context, was successfully applied and that the
+   message and corresponding per_msg_token are ready for transmission.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data items
+   have expired, so that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no context was recognized for the
+   input context_handle provided.
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+   recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the requested operation could not be performed for reasons
+   unspecified at the GSS-API level.
+
+   Using the security context referenced by context_handle, apply an
+   integrity check to the input message (along with timestamps and/or
+   other data included in support of mech_type-specific mechanisms) and
+   (if GSS_S_COMPLETE status is indicated) return the result in
+
+
+
+Linn                        Standards Track                    [Page 63]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   per_msg_token. The qop_req parameter, interpretation of which is
+   discussed in Section 1.2.4, allows quality-of-protection control. The
+   caller passes the message and the per_msg_token to the target.
+
+   The GSS_GetMIC() function completes before the message and
+   per_msg_token is sent to the peer; successful application of
+   GSS_GetMIC() does not guarantee that a corresponding GSS_VerifyMIC()
+   has been (or can necessarily be) performed successfully when the
+   message arrives at the destination.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.2:  GSS_VerifyMIC call
+
+   Note: This call is functionally equivalent to the GSS_Verify call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Verify are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  message OCTET STRING,
+
+   o  per_msg_token OCTET STRING
+
+   Outputs:
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the message was successfully
+   verified.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+   on the received per_msg_token failed, preventing further processing
+   from being performed with that token.
+
+   o  GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that the received
+   per_msg_token contains an incorrect integrity check for the message.
+
+
+
+Linn                        Standards Track                    [Page 64]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and
+   GSS_S_GAP_TOKEN values appear in conjunction with the optional per-
+   message replay detection features described in Section 1.2.3; their
+   semantics are described in that section.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data items
+   have expired, so that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no context was recognized for the
+   input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the GSS_VerifyMIC() operation could not be performed for reasons
+   unspecified at the GSS-API level.
+
+   Using the security context referenced by context_handle, verify that
+   the input per_msg_token contains an appropriate integrity check for
+   the input message, and apply any active replay detection or
+   sequencing features. Returns an indication of the quality-of-
+   protection applied to the processed message in the qop_state result.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.3: GSS_Wrap call
+
+   Note: This call is functionally equivalent to the GSS_Seal call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Seal are deprecated.
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  conf_req_flag BOOLEAN,
+
+   o  qop_req INTEGER, -- 0 specifies default QOP
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 65]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  conf_state BOOLEAN,
+
+   o  output_message OCTET STRING  -- caller must release with
+   -- GSS_Release_buffer()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_message was successfully
+   processed and that the output_message is ready for transmission.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data items
+   have expired, so that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no context was recognized for the
+   input context_handle provided.
+
+   o  GSS_S_BAD_QOP indicates that the provided QOP value is not
+   recognized or supported for the context.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the GSS_Wrap() operation could not be performed for reasons
+   unspecified at the GSS-API level.
+
+   Performs the data origin authentication and data integrity functions
+   of GSS_GetMIC().  If the input conf_req_flag is TRUE, requests that
+   confidentiality be applied to the input_message.  Confidentiality may
+   not be supported in all mech_types or by all implementations; the
+   returned conf_state flag indicates whether confidentiality was
+   provided for the input_message. The qop_req parameter, interpretation
+   of which is discussed in Section 1.2.4, allows quality-of-protection
+   control.
+
+   When GSS_S_COMPLETE status is returned, the GSS_Wrap() call yields a
+   single output_message data element containing (optionally enciphered)
+   user data as well as control information.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.3.4: GSS_Unwrap call
+
+   Note: This call is functionally equivalent to the GSS_Unseal call as
+   defined in previous versions of this specification. In the interests
+   of backward compatibility, it is recommended that implementations
+   support this function under both names for the present; future
+   references to this function as GSS_Unseal are deprecated.
+
+
+
+
+
+Linn                        Standards Track                    [Page 66]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Inputs:
+
+   o  context_handle CONTEXT HANDLE,
+
+   o  input_message OCTET STRING
+
+   Outputs:
+
+   o  conf_state BOOLEAN,
+
+   o  qop_state INTEGER,
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_message OCTET STRING  -- caller must release with
+   -- GSS_Release_buffer()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the input_message was successfully
+   processed and that the resulting output_message is available.
+
+   o  GSS_S_DEFECTIVE_TOKEN indicates that consistency checks performed
+   on the per_msg_token extracted from the input_message failed,
+   preventing further processing from being performed.
+
+   o  GSS_S_BAD_SIG (GSS_S_BAD_MIC) indicates that an incorrect
+   integrity check was detected for the message.
+
+   o  GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, and
+   GSS_S_GAP_TOKEN values appear in conjunction with the optional per-
+   message replay detection features described in Section 1.2.3; their
+   semantics are described in that section.
+
+   o  GSS_S_CONTEXT_EXPIRED indicates that context-related data items
+   have expired, so that the requested operation cannot be performed.
+
+   o  GSS_S_NO_CONTEXT indicates that no context was recognized for the
+   input context_handle provided.
+
+   o  GSS_S_FAILURE indicates that the context is recognized, but that
+   the GSS_Unwrap() operation could not be performed for reasons
+   unspecified at the GSS-API level.
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 67]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Processes a data element generated (and optionally enciphered) by
+   GSS_Wrap(), provided as input_message. The returned conf_state value
+   indicates whether confidentiality was applied to the input_message.
+   If conf_state is TRUE, GSS_Unwrap() has deciphered the input_message.
+   Returns an indication of the quality-of-protection applied to the
+   processed message in the qop_state result. GSS_Unwrap() performs the
+   data integrity and data origin authentication checking functions of
+   GSS_VerifyMIC() on the plaintext data. Plaintext data is returned in
+   output_message.
+
+   Mechanisms which do not support per-message protection services
+   should return GSS_S_FAILURE if this routine is called.
+
+2.4:  Support calls
+
+   This group of calls provides support functions useful to GSS-API
+   callers, independent of the state of established contexts. Their
+   characterization with regard to blocking or non-blocking status in
+   terms of network interactions is unspecified.
+
+2.4.1:  GSS_Display_status call
+
+   Inputs:
+
+   o  status_value INTEGER, -- GSS-API major_status or minor_status
+   -- return value
+
+   o  status_type INTEGER, -- 1 if major_status, 2 if minor_status
+
+   o  mech_type OBJECT IDENTIFIER -- mech_type to be used for
+   -- minor_status translation
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  status_string_set SET OF OCTET STRING  -- required calls for
+   -- release by caller are specific to language bindings
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid printable status
+   representation (possibly representing more than one status event
+   encoded within the status_value) is available in the returned
+   status_string_set.
+
+
+
+
+Linn                        Standards Track                    [Page 68]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_BAD_MECH indicates that translation in accordance with an
+   unsupported mech_type was requested, so translation could not be
+   performed.
+
+   o  GSS_S_BAD_STATUS indicates that the input status_value was
+   invalid, or that the input status_type carried a value other than 1
+   or 2, so translation could not be performed.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Provides a means for callers to translate GSS-API-returned major and
+   minor status codes into printable string representations.  Note: some
+   language bindings may employ an iterative approach in order to emit
+   successive status components; this approach is acceptable but not
+   required for conformance with the current specification.
+
+   Although not contemplated in [RFC-2078], it has been observed that
+   some existing GSS-API implementations return GSS_S_CONTINUE_NEEDED
+   status when iterating through successive messages returned from
+   GSS_Display_status(). This behavior is deprecated;
+   GSS_S_CONTINUE_NEEDED should be returned only by
+   GSS_Init_sec_context() and GSS_Accept_sec_context().  For maximal
+   portability, however, it is recommended that defensive callers be
+   able to accept and ignore GSS_S_CONTINUE_NEEDED status if indicated
+   by GSS_Display_status() or any other call other than
+   GSS_Init_sec_context() or GSS_Accept_sec_context().
+
+2.4.2:  GSS_Indicate_mechs call
+
+   Input:
+
+   o  (none)
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  mech_set SET OF OBJECT IDENTIFIER  -- caller must release
+   -- with GSS_Release_oid_set()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a set of available mechanisms has
+   been returned in mech_set.
+
+
+
+
+Linn                        Standards Track                    [Page 69]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to determine the set of mechanism types available on
+   the local system. This call is intended for support of specialized
+   callers who need to request non-default mech_type sets from GSS-API
+   calls which accept input mechanism type specifiers.
+
+2.4.3:  GSS_Compare_name call
+
+   Inputs:
+
+   o  name1 INTERNAL NAME,
+
+   o  name2 INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_equal BOOLEAN
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that name1 and name2 were comparable, and
+   that the name_equal result indicates whether name1 and name2
+   represent the same entity.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the two input names' types are
+   different and incomparable, so that the comparison operation could
+   not be completed.
+
+   o  GSS_S_BAD_NAME indicates that one or both of the input names was
+   ill-formed in terms of its internal type specifier, so the comparison
+   operation could not be completed.
+
+   o  GSS_S_FAILURE indicates that the call's operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to compare two internal name representations to
+   determine whether they refer to the same entity.  If either name
+   presented to GSS_Compare_name() denotes an anonymous principal,
+   GSS_Compare_name() shall indicate FALSE.  It is not required that
+   either or both inputs name1 and name2 be MNs; for some
+
+
+
+
+
+Linn                        Standards Track                    [Page 70]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   implementations and cases, GSS_S_BAD_NAMETYPE may be returned,
+   indicating name incomparability, for the case where neither input
+   name is an MN.
+
+2.4.4:  GSS_Display_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_string OCTET STRING, -- caller must release
+   -- with GSS_Release_buffer()
+
+   o  name_type OBJECT IDENTIFIER  -- caller should treat
+   -- as read-only; does not need to be released
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid printable name
+   representation is available in the returned name_string.
+
+   o  GSS_S_BAD_NAME indicates that the contents of the provided name
+   were inconsistent with the internally-indicated name type, so no
+   printable representation could be generated.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to translate an internal name representation into a
+   printable form with associated namespace type descriptor. The syntax
+   of the printable form is a local matter.
+
+   If the input name represents an anonymous identity, a reserved value
+   (GSS_C_NT_ANONYMOUS) shall be returned for name_type.
+
+   The GSS_C_NO_OID name type is to be returned only when the
+   corresponding internal name was created through import with
+   GSS_C_NO_OID. It is acceptable for mechanisms to normalize names
+   imported with GSS_C_NO_OID into other supported types and, therefore,
+   to display them with types other than GSS_C_NO_OID.
+
+
+
+
+
+Linn                        Standards Track                    [Page 71]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.4.5:  GSS_Import_name call
+
+   Inputs:
+
+   o  input_name_string OCTET STRING,
+
+   o  input_name_type OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  output_name INTERNAL NAME  -- caller must release with
+   -- GSS_Release_name()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a valid name representation is
+   output in output_name and described by the type value in
+   output_name_type.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input_name_type is
+   unsupported by the applicable underlying GSS-API mechanism(s), so the
+   import operation could not be completed.
+
+   o  GSS_S_BAD_NAME indicates that the provided input_name_string is
+   ill-formed in terms of the input_name_type, so the import operation
+   could not be completed.
+
+   o  GSS_S_BAD_MECH indicates that the input presented for import was
+   an exported name object and that its enclosed mechanism type was not
+   recognized or was unsupported by the GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to provide a name representation as a contiguous octet
+   string, designate the type of namespace in conjunction with which it
+   should be parsed, and convert that representation to an internal form
+   suitable for input to other GSS-API routines.  The syntax of the
+   input_name_string is defined in conjunction with its associated name
+   type; depending on the input_name_type, the associated
+   input_name_string may or may not be a printable string.  If the
+   input_name_type's value is GSS_C_NO_OID, a mechanism-specific default
+   printable syntax (which shall be specified in the corresponding GSS-
+   V2 mechanism specification) is assumed for the input_name_string;
+
+
+
+Linn                        Standards Track                    [Page 72]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   other input_name_type values as registered by GSS-API implementations
+   can be used to indicate specific non-default name syntaxes. Note: The
+   input_name_type argument serves to describe and qualify the
+   interpretation of the associated input_name_string; it does not
+   specify the data type of the returned output_name.
+
+   If a mechanism claims support for a particular name type, its
+   GSS_Import_name() operation shall be able to accept all possible
+   values conformant to the external name syntax as defined for that
+   name type.  These imported values may correspond to:
+
+      (1) locally registered entities (for which credentials may be
+      acquired),
+
+      (2) non-local entities (for which local credentials cannot be
+      acquired, but which may be referenced as targets of initiated
+      security contexts or initiators of accepted security contexts), or
+      to
+
+      (3) neither of the above.
+
+   Determination of whether a particular name belongs to class (1), (2),
+   or (3) as described above is not guaranteed to be performed by the
+   GSS_Import_name() function.
+
+   The internal name generated by a GSS_Import_name() operation may be a
+   single-mechanism MN, and is likely to be an MN within a single-
+   mechanism implementation, but portable callers must not depend on
+   this property (and must not, therefore, assume that the output from
+   GSS_Import_name() can be passed directly to GSS_Export_name() without
+   first being processed through GSS_Canonicalize_name()).
+
+2.4.6: GSS_Release_name call
+
+   Inputs:
+
+   o  name INTERNAL NAME
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+   input name was successfully released.
+
+
+
+Linn                        Standards Track                    [Page 73]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  GSS_S_BAD_NAME indicates that the input name argument did not
+   contain a valid name.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an internal
+   name representation.  This call's specific behavior depends on the
+   language and programming environment within which a GSS-API
+   implementation operates, and is therefore detailed within applicable
+   bindings specifications; in particular, implementation and invocation
+   of this call may be superfluous (and may be omitted) within bindings
+   where memory management is automatic.
+
+2.4.7: GSS_Release_buffer call
+
+   Inputs:
+
+   o  buffer OCTET STRING
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+   input buffer was successfully released.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an OCTET STRING
+   buffer allocated by another GSS-API call.  This call's specific
+   behavior depends on the language and programming environment within
+   which a GSS-API implementation operates, and is therefore detailed
+   within applicable bindings specifications; in particular,
+   implementation and invocation of this call may be superfluous (and
+   may be omitted) within bindings where memory management is automatic.
+
+2.4.8: GSS_Release_OID_set call
+
+   Inputs:
+
+   o  buffer SET OF OBJECT IDENTIFIER
+
+
+
+
+Linn                        Standards Track                    [Page 74]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the storage associated with the
+   input object identifier set was successfully released.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to release the storage associated with an object
+   identifier set object allocated by another GSS-API call.  This call's
+   specific behavior depends on the language and programming environment
+   within which a GSS-API implementation operates, and is therefore
+   detailed within applicable bindings specifications; in particular,
+   implementation and invocation of this call may be superfluous (and
+   may be omitted) within bindings where memory management is automatic.
+
+2.4.9: GSS_Create_empty_OID_set call
+
+   Inputs:
+
+   o  (none)
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  oid_set SET OF OBJECT IDENTIFIER  -- caller must release
+   -- with GSS_Release_oid_set()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   Creates an object identifier set containing no object identifiers, to
+   which members may be subsequently added using the
+   GSS_Add_OID_set_member() routine.  These routines are intended to be
+   used to construct sets of mechanism object identifiers, for input to
+   GSS_Acquire_cred().
+
+
+
+Linn                        Standards Track                    [Page 75]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+2.4.10: GSS_Add_OID_set_member call
+
+   Inputs:
+
+   o  member_oid OBJECT IDENTIFIER,
+
+   o  oid_set SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+   Adds an Object Identifier to an Object Identifier set.  This routine
+   is intended for use in conjunction with GSS_Create_empty_OID_set()
+   when constructing a set of mechanism OIDs for input to
+   GSS_Acquire_cred().
+
+2.4.11: GSS_Test_OID_set_member call
+
+   Inputs:
+
+   o  member OBJECT IDENTIFIER,
+
+   o  set SET OF OBJECT IDENTIFIER
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  present BOOLEAN
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates successful completion
+
+   o  GSS_S_FAILURE indicates that the operation failed
+
+
+
+
+
+Linn                        Standards Track                    [Page 76]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Interrogates an Object Identifier set to determine whether a
+   specified Object Identifier is a member.  This routine is intended to
+   be used with OID sets returned by GSS_Indicate_mechs(),
+   GSS_Acquire_cred(), and GSS_Inquire_cred().
+
+2.4.12:  GSS_Inquire_names_for_mech call
+
+   Input:
+
+   o  input_mech_type OBJECT IDENTIFIER, -- mechanism type
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  name_type_set SET OF OBJECT IDENTIFIER -- caller must release
+   -- with GSS_Release_oid_set()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that the output name_type_set contains a
+   list of name types which are supported by the locally available
+   mechanism identified by input_mech_type.
+
+   o  GSS_S_BAD_MECH indicates that the mechanism identified by
+   input_mech_type was unsupported within the local implementation,
+   causing the query to fail.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   Allows callers to determine the set of name types which are
+   supportable by a specific locally-available mechanism.
+
+2.4.13: GSS_Inquire_mechs_for_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME,
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+
+Linn                        Standards Track                    [Page 77]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  mech_types SET OF OBJECT IDENTIFIER  -- caller must release
+   -- with GSS_Release_oid_set()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a set of object identifiers,
+   corresponding to the set of mechanisms suitable for processing the
+   input_name, is available in mech_types.
+
+   o  GSS_S_BAD_NAME indicates that the input_name was ill-formed and
+   could not be processed.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input_name parameter
+   contained an invalid name type or a name type unsupported by the
+   GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   This routine returns the mechanism set with which the input_name may
+   be processed.
+
+   Each mechanism returned will recognize at least one element within
+   the name. It is permissible for this routine to be implemented within
+   a mechanism-independent GSS-API layer, using the type information
+   contained within the presented name, and based on registration
+   information provided by individual mechanism implementations.  This
+   means that the returned mech_types result may indicate that a
+   particular mechanism will understand a particular name when in fact
+   it would refuse to accept that name as input to
+   GSS_Canonicalize_name(), GSS_Init_sec_context(), GSS_Acquire_cred(),
+   or GSS_Add_cred(), due to some property of the particular name rather
+   than a property of the name type.  Thus, this routine should be used
+   only as a pre-filter for a call to a subsequent mechanism-specific
+   routine.
+
+2.4.14: GSS_Canonicalize_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME,
+
+   o  mech_type OBJECT IDENTIFIER  -- must be explicit mechanism,
+   -- not "default" specifier or identifier of negotiating mechanism
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+
+
+Linn                        Standards Track                    [Page 78]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  minor_status INTEGER,
+
+   o  output_name INTERNAL NAME  -- caller must release with
+   -- GSS_Release_name()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a mechanism-specific reduction of
+   the input_name, as processed by the mechanism identified by
+   mech_type, is available in output_name.
+
+   o  GSS_S_BAD_MECH indicates that the identified mechanism is
+   unsupported for this operation; this may correspond either to a
+   mechanism wholly unsupported by the local GSS-API implementation or
+   to a negotiating mechanism with which the canonicalization operation
+   cannot be performed.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input name does not contain
+   an element with suitable type for processing by the identified
+   mechanism.
+
+   o  GSS_S_BAD_NAME indicates that the input name contains an element
+   with suitable type for processing by the identified mechanism, but
+   that this element could not be processed successfully.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   This routine reduces a GSS-API internal name input_name, which may in
+   general contain elements corresponding to multiple mechanisms, to a
+   mechanism-specific Mechanism Name (MN) output_name by applying the
+   translations corresponding to the mechanism identified by mech_type.
+   The contents of input_name are unaffected by the
+   GSS_Canonicalize_name() operation.  References to output_name will
+   remain valid until output_name is released, independent of whether or
+   not input_name is subsequently released.
+
+2.4.15: GSS_Export_name call
+
+   Inputs:
+
+   o  input_name INTERNAL NAME, -- required to be MN
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+
+
+Linn                        Standards Track                    [Page 79]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   o  output_name OCTET STRING  -- caller must release
+   -- with GSS_Release_buffer()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that a flat representation of the input
+   name is available in output_name.
+
+   o  GSS_S_NAME_NOT_MN indicates that the input name contained elements
+   corresponding to multiple mechanisms, so cannot be exported into a
+   single-mechanism flat form.
+
+   o  GSS_S_BAD_NAME indicates that the input name was an MN, but could
+   not be processed.
+
+   o  GSS_S_BAD_NAMETYPE indicates that the input name was an MN, but
+   that its type is unsupported by the GSS-API implementation.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   This routine creates a flat name representation, suitable for
+   bytewise comparison or for input to GSS_Import_name() in conjunction
+   with the reserved GSS-API Exported Name Object OID, from a internal-
+   form Mechanism Name (MN) as emitted, e.g., by GSS_Canonicalize_name()
+   or GSS_Accept_sec_context().
+
+   The emitted GSS-API Exported Name Object is self-describing; no
+   associated parameter-level OID need be emitted by this call.  This
+   flat representation consists of a mechanism-independent wrapper
+   layer, defined in Section 3.2 of this document, enclosing a
+   mechanism-defined name representation.
+
+   In all cases, the flat name output by GSS_Export_name() to correspond
+   to a particular input MN must be invariant over time within a
+   particular installation.
+
+   The GSS_S_NAME_NOT_MN status code is provided to enable
+   implementations to reject input names which are not MNs.  It is not,
+   however, required for purposes of conformance to this specification
+   that all non-MN input names must necessarily be rejected.
+
+2.4.16: GSS_Duplicate_name call
+
+   Inputs:
+
+   o  src_name INTERNAL NAME
+
+
+
+
+Linn                        Standards Track                    [Page 80]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Outputs:
+
+   o  major_status INTEGER,
+
+   o  minor_status INTEGER,
+
+   o  dest_name INTERNAL NAME  -- caller must release
+   -- with GSS_Release_name()
+
+   Return major_status codes:
+
+   o  GSS_S_COMPLETE indicates that dest_name references an internal
+   name object containing the same name as passed to src_name.
+
+   o  GSS_S_BAD_NAME indicates that the input name was invalid.
+
+   o  GSS_S_FAILURE indicates that the requested operation could not be
+   performed for reasons unspecified at the GSS-API level.
+
+   This routine takes input internal name src_name, and returns another
+   reference (dest_name) to that name which can be used even if src_name
+   is later freed.  (Note: This may be implemented by copying or through
+   use of reference counts.)
+
+3: Data Structure Definitions for GSS-V2 Usage
+
+   Subsections of this section define, for interoperability and
+   portability purposes, certain data structures for use with GSS-V2.
+
+3.1: Mechanism-Independent Token Format
+
+   This section specifies a mechanism-independent level of encapsulating
+   representation for the initial token of a GSS-API context
+   establishment sequence, incorporating an identifier of the mechanism
+   type to be used on that context and enabling tokens to be interpreted
+   unambiguously at GSS-API peers. Use of this format is required for
+   initial context establishment tokens of Internet standards-track
+   GSS-API mechanisms; use in non-initial tokens is optional.
+
+   The encoding format for the token tag is derived from ASN.1 and DER
+   (per illustrative ASN.1 syntax included later within this
+   subsection), but its concrete representation is defined directly in
+   terms of octets rather than at the ASN.1 level in order to facilitate
+   interoperable implementation without use of general ASN.1 processing
+   code.  The token tag consists of the following elements, in order:
+
+      1. 0x60 -- Tag for [APPLICATION 0] SEQUENCE; indicates that
+      -- constructed form, definite length encoding follows.
+
+
+
+Linn                        Standards Track                    [Page 81]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      2. Token length octets, specifying length of subsequent data
+      (i.e., the summed lengths of elements 3-5 in this list, and of the
+      mechanism-defined token object following the tag).  This element
+      comprises a variable number of octets:
+
+         2a. If the indicated value is less than 128, it shall be
+         represented in a single octet with bit 8 (high order) set to
+         "0" and the remaining bits representing the value.
+
+         2b. If the indicated value is 128 or more, it shall be
+         represented in two or more octets, with bit 8 of the first
+         octet set to "1" and the remaining bits of the first octet
+         specifying the number of additional octets.  The subsequent
+         octets carry the value, 8 bits per octet, most significant
+         digit first.  The minimum number of octets shall be used to
+         encode the length (i.e., no octets representing leading zeros
+         shall be included within the length encoding).
+
+      3. 0x06 -- Tag for OBJECT IDENTIFIER
+
+      4. Object identifier length -- length (number of octets) of
+      -- the encoded object identifier contained in element 5,
+      -- encoded per rules as described in 2a. and 2b. above.
+
+      5. Object identifier octets -- variable number of octets,
+      -- encoded per ASN.1 BER rules:
+
+         5a. The first octet contains the sum of two values: (1) the
+         top-level object identifier component, multiplied by 40
+         (decimal), and (2) the second-level object identifier
+         component.  This special case is the only point within an
+         object identifier encoding where a single octet represents
+         contents of more than one component.
+
+         5b. Subsequent octets, if required, encode successively-lower
+         components in the represented object identifier.  A component's
+         encoding may span multiple octets, encoding 7 bits per octet
+         (most significant bits first) and with bit 8 set to "1" on all
+         but the final octet in the component's encoding.  The minimum
+         number of octets shall be used to encode each component (i.e.,
+         no octets representing leading zeros shall be included within a
+         component's encoding).
+
+      (Note: In many implementations, elements 3-5 may be stored and
+      referenced as a contiguous string constant.)
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 82]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   The token tag is immediately followed by a mechanism-defined token
+   object.  Note that no independent size specifier intervenes following
+   the object identifier value to indicate the size of the mechanism-
+   defined token object.  While ASN.1 usage within mechanism-defined
+   tokens is permitted, there is no requirement that the mechanism-
+   specific innerContextToken, innerMsgToken, and sealedUserData data
+   elements must employ ASN.1 BER/DER encoding conventions.
+
+   The following ASN.1 syntax is included for descriptive purposes only,
+   to illustrate structural relationships among token and tag objects.
+   For interoperability purposes, token and tag encoding shall be
+   performed using the concrete encoding procedures described earlier in
+   this subsection.
+
+      GSS-API DEFINITIONS ::=
+
+      BEGIN
+
+      MechType ::= OBJECT IDENTIFIER
+      -- data structure definitions
+      -- callers must be able to distinguish among
+      -- InitialContextToken, SubsequentContextToken,
+      -- PerMsgToken, and SealedMessage data elements
+      -- based on the usage in which they occur
+
+      InitialContextToken ::=
+      -- option indication (delegation, etc.) indicated within
+      -- mechanism-specific token
+      [APPLICATION 0] IMPLICIT SEQUENCE {
+              thisMech MechType,
+              innerContextToken ANY DEFINED BY thisMech
+                 -- contents mechanism-specific
+                 -- ASN.1 structure not required
+              }
+
+      SubsequentContextToken ::= innerContextToken ANY
+      -- interpretation based on predecessor InitialContextToken
+      -- ASN.1 structure not required
+
+      PerMsgToken ::=
+      -- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC
+      -- ASN.1 structure not required
+              innerMsgToken ANY
+
+      SealedMessage ::=
+      -- as emitted by GSS_Wrap and processed by GSS_Unwrap
+      -- includes internal, mechanism-defined indicator
+      -- of whether or not encrypted
+
+
+
+Linn                        Standards Track                    [Page 83]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      -- ASN.1 structure not required
+              sealedUserData ANY
+
+      END
+
+3.2: Mechanism-Independent Exported Name Object Format
+
+   This section specifies a mechanism-independent level of encapsulating
+   representation for names exported via the GSS_Export_name() call,
+   including an object identifier representing the exporting mechanism.
+   The format of names encapsulated via this representation shall be
+   defined within individual mechanism drafts.  The Object Identifier
+   value to indicate names of this type is defined in Section 4.7 of
+   this document.
+
+   No name type OID is included in this mechanism-independent level of
+   format definition, since (depending on individual mechanism
+   specifications) the enclosed name may be implicitly typed or may be
+   explicitly typed using a means other than OID encoding.
+
+   The bytes within MECH_OID_LEN and NAME_LEN elements are represented
+   most significant byte first (equivalently, in IP network byte order).
+
+        Length    Name          Description
+
+        2               TOK_ID          Token Identifier
+                                        For exported name objects, this
+                                        must be hex 04 01.
+        2               MECH_OID_LEN    Length of the Mechanism OID
+        MECH_OID_LEN    MECH_OID        Mechanism OID, in DER
+        4               NAME_LEN        Length of name
+        NAME_LEN        NAME            Exported name; format defined in
+                                        applicable mechanism draft.
+
+   A concrete example of the contents of an exported name object,
+   derived from the Kerberos Version 5 mechanism, is as follows:
+
+   04 01 00 0B 06 09 2A 86 48 86 F7 12 01 02 02 hx xx xx xl pp qq ... zz
+
+   04 01        mandatory token identifier
+
+   00 0B        2-byte length of the immediately following DER-encoded
+                ASN.1 value of type OID, most significant octet first
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 84]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   06 09 2A 86 48 86 F7 12 01 02 02    DER-encoded ASN.1 value
+                                       of type OID; Kerberos V5
+                                       mechanism OID indicates
+                                       Kerberos V5 exported name
+
+          in Detail:      06                  Identifier octet (6=OID)
+                          09                           Length octet(s)
+                          2A 86 48 86 F7 12 01 02 02   Content octet(s)
+
+   hx xx xx xl   4-byte length of the immediately following exported
+                 name blob, most significant octet first
+
+   pp qq ... zz  exported name blob of specified length,
+                 bits and bytes specified in the
+                 (Kerberos 5) GSS-API v2 mechanism spec
+
+4: Name Type Definitions
+
+   This section includes definitions for name types and associated
+   syntaxes which are defined in a mechanism-independent fashion at the
+   GSS-API level rather than being defined in individual mechanism
+   specifications.
+
+4.1: Host-Based Service Name Form
+
+   This name form shall be represented by the Object Identifier:
+
+   {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
+   "gssapi(2) generic(1) service_name(4)}.
+
+   The recommended symbolic name for this type is
+   "GSS_C_NT_HOSTBASED_SERVICE".
+
+   For reasons of compatibility with existing implementations, it is
+   recommended that this OID be used rather than the alternate value as
+   included in [RFC-2078]:
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   2(gss-host-based-services)}
+
+   While it is not recommended that this alternate value be emitted on
+   output by GSS implementations, it is recommended that it be accepted
+   on input as equivalent to the recommended value.
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 85]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   This name type is used to represent services associated with host
+   computers.  Support for this name form is recommended to mechanism
+   designers in the interests of portability, but is not mandated by
+   this specification. This name form is constructed using two elements,
+   "service" and "hostname", as follows:
+
+   service@hostname
+
+   When a reference to a name of this type is resolved, the "hostname"
+   may (as an example implementation strategy) be canonicalized by
+   attempting a DNS lookup and using the fully-qualified domain name
+   which is returned, or by using the "hostname" as provided if the DNS
+   lookup fails.  The canonicalization operation also maps the host's
+   name into lower-case characters.
+
+   The "hostname" element may be omitted. If no "@" separator is
+   included, the entire name is interpreted as the service specifier,
+   with the "hostname" defaulted to the canonicalized name of the local
+   host.
+
+   Documents specifying means for GSS integration into a particular
+   protocol should state either:
+
+      (a) that a specific IANA-registered name associated with that
+      protocol shall be used for the "service" element (this admits, if
+      needed, the possibility that a single name can be registered and
+      shared among a related set of protocols), or
+
+      (b) that the generic name "host" shall be used for the "service"
+      element, or
+
+      (c) that, for that protocol, fallback in specified order (a, then
+      b) or (b, then a) shall be applied.
+
+   IANA registration of specific names per (a) should be handled in
+   accordance with the "Specification Required" assignment policy,
+   defined by BCP 26, RFC 2434 as follows: "Values and their meaning
+   must be documented in an RFC or other available reference, in
+   sufficient detail so that interoperability between independent
+   implementations is possible."
+
+4.2: User Name Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) user_name(1)}. The recommended mechanism-independent
+   symbolic name for this type is "GSS_C_NT_USER_NAME". (Note: the same
+
+
+
+
+Linn                        Standards Track                    [Page 86]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   name form and OID is defined within the Kerberos V5 GSS-API
+   mechanism, but the symbolic name recommended there begins with a
+   "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a named user on a local system.
+   Its syntax and interpretation may be OS-specific. This name form is
+   constructed as:
+
+   username
+
+4.3: Machine UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) machine_uid_name(2)}.  The recommended mechanism-
+   independent symbolic name for this type is
+   "GSS_C_NT_MACHINE_UID_NAME".  (Note: the same name form and OID is
+   defined within the Kerberos V5 GSS-API mechanism, but the symbolic
+   name recommended there begins with a "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a numeric user identifier
+   corresponding to a user on a local system.  Its interpretation is
+   OS-specific.  The gss_buffer_desc representing a name of this type
+   should contain a locally-significant user ID, represented in host
+   byte order.  The GSS_Import_name() operation resolves this uid into a
+   username, which is then treated as the User Name Form.
+
+4.4: String UID Form
+
+   This name form shall be represented by the Object Identifier {iso(1)
+   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+   generic(1) string_uid_name(3)}.  The recommended symbolic name for
+   this type is "GSS_C_NT_STRING_UID_NAME".  (Note: the same name form
+   and OID is defined within the Kerberos V5 GSS-API mechanism, but the
+   symbolic name recommended there begins with a "GSS_KRB5_NT_" prefix.)
+
+   This name type is used to indicate a string of digits representing
+   the numeric user identifier of a user on a local system.  Its
+   interpretation is OS-specific. This name type is similar to the
+   Machine UID Form, except that the buffer contains a string
+   representing the user ID.
+
+4.5: Anonymous Nametype
+
+   The following Object Identifier value is provided as a means to
+   identify anonymous names, and can be compared against in order to
+   determine, in a mechanism-independent fashion, whether a name refers
+   to an anonymous principal:
+
+
+
+Linn                        Standards Track                    [Page 87]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   3(gss-anonymous-name)}
+
+   The recommended symbolic name corresponding to this definition is
+   GSS_C_NT_ANONYMOUS.
+
+4.6: GSS_C_NO_OID
+
+   The recommended symbolic name GSS_C_NO_OID corresponds to a null
+   input value instead of an actual object identifier.  Where specified,
+   it indicates interpretation of an associated name based on a
+   mechanism-specific default printable syntax.
+
+4.7: Exported Name Object
+
+   Name objects of the Mechanism-Independent Exported Name Object type,
+   as defined in Section 3.2 of this document, will be identified with
+   the following Object Identifier:
+
+   {1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes),
+   4(gss-api-exported-name)}
+
+   The recommended symbolic name corresponding to this definition is
+   GSS_C_NT_EXPORT_NAME.
+
+4.8: GSS_C_NO_NAME
+
+   The recommended symbolic name GSS_C_NO_NAME indicates that no name is
+   being passed within a particular value of a parameter used for the
+   purpose of transferring names. Note: GSS_C_NO_NAME is not an actual
+   name type, and is not represented by an OID; its acceptability in
+   lieu of an actual name is confined to specific calls
+   (GSS_Acquire_cred(), GSS_Add_cred(), and GSS_Init_sec_context()) with
+   usages as identified within this specification.
+
+5:  Mechanism-Specific Example Scenarios
+
+   This section provides illustrative overviews of the use of various
+   candidate mechanism types to support the GSS-API. These discussions
+   are intended primarily for readers familiar with specific security
+   technologies, demonstrating how GSS-API functions can be used and
+   implemented by candidate underlying mechanisms. They should not be
+   regarded as constrictive to implementations or as defining the only
+   means through which GSS-API functions can be realized with a
+   particular underlying technology, and do not demonstrate all GSS-API
+   features with each technology.
+
+
+
+
+
+Linn                        Standards Track                    [Page 88]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+5.1: Kerberos V5, single-TGT
+
+   OS-specific login functions yield a TGT to the local realm Kerberos
+   server; TGT is placed in a credentials structure for the client.
+   Client calls GSS_Acquire_cred()  to acquire a cred_handle in order to
+   reference the credentials for use in establishing security contexts.
+
+   Client calls GSS_Init_sec_context().  If the requested service is
+   located in a different realm, GSS_Init_sec_context()  gets the
+   necessary TGT/key pairs needed to traverse the path from local to
+   target realm; these data are placed in the owner's TGT cache. After
+   any needed remote realm resolution, GSS_Init_sec_context() yields a
+   service ticket to the requested service with a corresponding session
+   key; these data are stored in conjunction with the context. GSS-API
+   code sends KRB_TGS_REQ request(s) and receives KRB_TGS_REP
+   response(s) (in the successful case) or KRB_ERROR.
+
+   Assuming success, GSS_Init_sec_context()  builds a Kerberos-formatted
+   KRB_AP_REQ message, and returns it in output_token.  The client sends
+   the output_token to the service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which verifies the authenticator, provides
+   the service with the client's authenticated name, and returns an
+   output_context_handle.
+
+   Both parties now hold the session key associated with the service
+   ticket, and can use this key in subsequent GSS_GetMIC(),
+   GSS_VerifyMIC(),  GSS_Wrap(), and GSS_Unwrap() operations.
+
+5.2: Kerberos V5, double-TGT
+
+   TGT acquisition as above.
+
+   Note: To avoid unnecessary frequent invocations of error paths when
+   implementing the GSS-API atop Kerberos V5, it seems appropriate to
+   represent "single-TGT K-V5" and "double-TGT K-V5" with separate
+   mech_types, and this discussion makes that assumption.
+
+   Based on the (specified or defaulted) mech_type,
+   GSS_Init_sec_context()  determines that the double-TGT protocol
+   should be employed for the specified target. GSS_Init_sec_context()
+   returns GSS_S_CONTINUE_NEEDED major_status, and its returned
+   output_token contains a request to the service for the service's TGT.
+   (If a service TGT with suitably long remaining lifetime already
+   exists in a cache, it may be usable, obviating the need for this
+   step.) The client passes the output_token to the service.  Note: this
+   scenario illustrates a different use for the GSS_S_CONTINUE_NEEDED
+
+
+
+Linn                        Standards Track                    [Page 89]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   status return facility than for support of mutual authentication;
+   note that both uses can coexist as successive operations within a
+   single context establishment operation.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(),  which recognizes it as a request for TGT.
+   (Note that current Kerberos V5 defines no intra-protocol mechanism to
+   represent such a request.) GSS_Accept_sec_context() returns
+   GSS_S_CONTINUE_NEEDED major_status and provides the service's TGT in
+   its output_token. The service sends the output_token to the client.
+
+   The client passes the received token as the input_token argument to a
+   continuation of GSS_Init_sec_context(). GSS_Init_sec_context() caches
+   the received service TGT and uses it as part of a service ticket
+   request to the Kerberos authentication server, storing the returned
+   service ticket and session key in conjunction with the context.
+   GSS_Init_sec_context() builds a Kerberos-formatted authenticator, and
+   returns it in output_token along with GSS_S_COMPLETE return
+   major_status. The client sends the output_token to the service.
+
+   Service passes the received token as the input_token argument to a
+   continuation call to GSS_Accept_sec_context().
+   GSS_Accept_sec_context()  verifies the authenticator, provides the
+   service with the client's authenticated name, and returns
+   major_status GSS_S_COMPLETE.
+
+   GSS_GetMIC(),  GSS_VerifyMIC(), GSS_Wrap(), and GSS_Unwrap()  as
+   above.
+
+5.3:  X.509 Authentication Framework
+
+   This example illustrates use of the GSS-API in conjunction with
+   public-key mechanisms, consistent with the X.509 Directory
+   Authentication Framework.
+
+   The GSS_Acquire_cred() call establishes a credentials structure,
+   making the client's private key accessible for use on behalf of the
+   client.
+
+   The client calls GSS_Init_sec_context(), which interrogates the
+   Directory to acquire (and validate) a chain of public-key
+   certificates, thereby collecting the public key of the service.  The
+   certificate validation operation determines that suitable integrity
+   checks were applied by trusted authorities and that those
+   certificates have not expired. GSS_Init_sec_context() generates a
+   secret key for use in per-message protection operations on the
+   context, and enciphers that secret key under the service's public
+   key.
+
+
+
+Linn                        Standards Track                    [Page 90]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   The enciphered secret key, along with an authenticator quantity
+   signed with the client's private key, is included in the output_token
+   from GSS_Init_sec_context().  The output_token also carries a
+   certification path, consisting of a certificate chain leading from
+   the service to the client; a variant approach would defer this path
+   resolution to be performed by the service instead of being asserted
+   by the client. The client application sends the output_token to the
+   service.
+
+   The service passes the received token as the input_token argument to
+   GSS_Accept_sec_context(). GSS_Accept_sec_context() validates the
+   certification path, and as a result determines a certified binding
+   between the client's distinguished name and the client's public key.
+   Given that public key, GSS_Accept_sec_context() can process the
+   input_token's authenticator quantity and verify that the client's
+   private key was used to sign the input_token. At this point, the
+   client is authenticated to the service. The service uses its private
+   key to decipher the enciphered secret key provided to it for per-
+   message protection operations on the context.
+
+   The client calls GSS_GetMIC() or GSS_Wrap() on a data message, which
+   causes per-message authentication, integrity, and (optional)
+   confidentiality facilities to be applied to that message. The service
+   uses the context's shared secret key to perform corresponding
+   GSS_VerifyMIC()  and GSS_Unwrap() calls.
+
+6:  Security Considerations
+
+   This document specifies a service interface for security facilities
+   and services; as such, security considerations are considered
+   throughout the specification.  Nonetheless, it is appropriate to
+   summarize certain specific points relevant to GSS-API implementors
+   and calling applications.  Usage of the GSS-API interface does not in
+   itself provide security services or assurance; instead, these
+   attributes are dependent on the underlying mechanism(s) which support
+   a GSS-API implementation.  Callers must be attentive to the requests
+   made to GSS-API calls and to the status indicators returned by GSS-
+   API, as these specify the security service characteristics which
+   GSS-API will provide.  When the interprocess context transfer
+   facility is used, appropriate local controls should be applied to
+   constrain access to interprocess tokens and to the sensitive data
+   which they contain.
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 91]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+7:  Related Activities
+
+   In order to implement the GSS-API atop existing, emerging, and future
+   security mechanisms:
+
+      object identifiers must be assigned to candidate GSS-API
+      mechanisms and the name types which they support
+
+      concrete data element formats and processing procedures must be
+      defined for candidate mechanisms
+
+   Calling applications must implement formatting conventions which will
+   enable them to distinguish GSS-API tokens from other data carried in
+   their application protocols.
+
+   Concrete language bindings are required for the programming
+   environments in which the GSS-API is to be employed, as [RFC-1509]
+   defines for the C programming language and GSS-V1.  C Language
+   bindings for GSS-V2 are defined in [RFC-2744].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 92]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+8:  Referenced Documents
+
+   [ISO-7498-2]  International Standard ISO 7498-2-1988(E), Security
+                 Architecture.
+
+   [ISOIEC-8824] ISO/IEC 8824, "Specification of Abstract Syntax
+                 Notation One (ASN.1)".
+
+   [ISOIEC-8825] ISO/IEC 8825, "Specification of Basic Encoding Rules
+                 for Abstract Syntax Notation One (ASN.1)".)
+
+   [RFC-1507]:   Kaufman, C., "DASS: Distributed Authentication Security
+                 Service", RFC 1507, September 1993.
+
+   [RFC-1508]:   Linn, J., "Generic Security Service Application Program
+                 Interface", RFC 1508, September 1993.
+
+   [RFC-1509]:   Wray, J., "Generic Security Service API: C-bindings",
+                 RFC 1509, September 1993.
+
+   [RFC-1964]:   Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
+                 RFC 1964, June 1996.
+
+   [RFC-2025]:   Adams, C., "The Simple Public-Key GSS-API Mechanism
+                 (SPKM)", RFC 2025, October 1996.
+
+   [RFC-2078]:   Linn, J., "Generic Security Service Application Program
+                 Interface, Version 2", RFC 2078, January 1997.
+
+   [RFC-2203]:   Eisler, M., Chiu, A. and L. Ling, "RPCSEC_GSS Protocol
+                 Specification", RFC 2203, September 1997.
+
+   [RFC-2744]:   Wray, J., "Generic Security Service API Version 2 :
+                 C-bindings", RFC 2744, January 2000.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 93]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+APPENDIX A
+
+MECHANISM DESIGN CONSTRAINTS
+
+   The following constraints on GSS-API mechanism designs are adopted in
+   response to observed caller protocol requirements, and adherence
+   thereto is anticipated in subsequent descriptions of GSS-API
+   mechanisms to be documented in standards-track Internet
+   specifications.
+
+   It is strongly recommended that mechanisms offering per-message
+   protection services also offer at least one of the replay detection
+   and sequencing services, as mechanisms offering neither of the latter
+   will fail to satisfy recognized requirements of certain candidate
+   caller protocols.
+
+APPENDIX B
+
+COMPATIBILITY WITH GSS-V1
+
+   It is the intent of this document to define an interface and
+   procedures which preserve compatibility between GSS-V1 [RFC-1508]
+   callers and GSS-V2 providers.  All calls defined in GSS-V1 are
+   preserved, and it has been a goal that GSS-V1 callers should be able
+   to operate atop GSS-V2 provider implementations.  Certain detailed
+   changes, summarized in this section, have been made in order to
+   resolve omissions identified in GSS-V1.
+
+   The following GSS-V1 constructs, while supported within GSS-V2, are
+   deprecated:
+
+      Names for per-message processing routines: GSS_Seal() deprecated
+      in favor of GSS_Wrap(); GSS_Sign() deprecated in favor of
+      GSS_GetMIC(); GSS_Unseal() deprecated in favor of GSS_Unwrap();
+      GSS_Verify() deprecated in favor of GSS_VerifyMIC().
+
+      GSS_Delete_sec_context() facility for context_token usage,
+      allowing mechanisms to signal context deletion, is retained for
+      compatibility with GSS-V1.  For current usage, it is recommended
+      that both peers to a context invoke GSS_Delete_sec_context()
+      independently, passing a null output_context_token buffer to
+      indicate that no context_token is required.  Implementations of
+      GSS_Delete_sec_context() should delete relevant locally-stored
+      context information.
+
+   This GSS-V2 specification adds the following calls which are not
+   present in GSS-V1:
+
+
+
+
+Linn                        Standards Track                    [Page 94]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      Credential management calls: GSS_Add_cred(),
+      GSS_Inquire_cred_by_mech().
+
+      Context-level calls: GSS_Inquire_context(), GSS_Wrap_size_limit(),
+      GSS_Export_sec_context(), GSS_Import_sec_context().
+
+      Per-message calls: No new calls.  Existing calls have been
+      renamed.
+
+      Support calls: GSS_Create_empty_OID_set(),
+      GSS_Add_OID_set_member(), GSS_Test_OID_set_member(),
+      GSS_Inquire_names_for_mech(), GSS_Inquire_mechs_for_name(),
+      GSS_Canonicalize_name(), GSS_Export_name(), GSS_Duplicate_name().
+
+   This GSS-V2 specification introduces three new facilities applicable
+   to security contexts, indicated using the following context state
+   values which are not present in GSS-V1:
+
+      anon_state, set TRUE to indicate that a context's initiator is
+      anonymous from the viewpoint of the target; Section 1.2.5 of this
+      specification provides a summary description of the GSS-V2
+      anonymity support facility, support and use of which is optional.
+
+      prot_ready_state, set TRUE to indicate that a context may be used
+      for per-message protection before final completion of context
+      establishment; Section 1.2.7 of this specification provides a
+      summary description of the GSS-V2 facility enabling mechanisms to
+      selectively permit per-message protection during context
+      establishment, support and use of which is optional.
+
+      trans_state, set TRUE to indicate that a context is transferable
+      to another process using the GSS-V2 GSS_Export_sec_context()
+      facility.
+
+   These state values are represented (at the C bindings level) in
+   positions within a bit vector which are unused in GSS-V1, and may be
+   safely ignored by GSS-V1 callers.
+
+   New conf_req_flag and integ_req_flag inputs are defined for
+   GSS_Init_sec_context(), primarily to provide information to
+   negotiating mechanisms.  This introduces a compatibility issue with
+   GSS-V1 callers, discussed in section 2.2.1 of this specification.
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                    [Page 95]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   Relative to GSS-V1, GSS-V2 provides additional guidance to GSS-API
+   implementors in the following areas: implementation robustness,
+   credential management, behavior in multi-mechanism configurations,
+   naming support, and inclusion of optional sequencing services.  The
+   token tagging facility as defined in GSS-V2, Section 3.1, is now
+   described directly in terms of octets to facilitate interoperable
+   implementation without general ASN.1 processing code; the
+   corresponding ASN.1 syntax, included for descriptive purposes, is
+   unchanged from that in GSS-V1. For use in conjunction with added
+   naming support facilities, a new Exported Name Object construct is
+   added.  Additional name types are introduced in Section 4.
+
+   This GSS-V2 specification adds the following major_status values
+   which are not defined in GSS-V1:
+
+        GSS_S_BAD_QOP                 unsupported QOP value
+        GSS_S_UNAUTHORIZED            operation unauthorized
+        GSS_S_UNAVAILABLE             operation unavailable
+        GSS_S_DUPLICATE_ELEMENT       duplicate credential element
+                                        requested
+        GSS_S_NAME_NOT_MN                   name contains multi-mechanism
+                                        elements
+        GSS_S_GAP_TOKEN               skipped predecessor token(s)
+                                        detected
+
+   Of these added status codes, only two values are defined to be
+   returnable by calls existing in GSS-V1: GSS_S_BAD_QOP (returnable by
+   GSS_GetMIC() and GSS_Wrap()), and GSS_S_GAP_TOKEN (returnable by
+   GSS_VerifyMIC() and GSS_Unwrap()).
+
+   Additionally, GSS-V2 descriptions of certain calls present in GSS-V1
+   have been updated to allow return of additional major_status values
+   from the set as defined in GSS-V1: GSS_Inquire_cred() has
+   GSS_S_DEFECTIVE_CREDENTIAL and GSS_S_CREDENTIALS_EXPIRED defined as
+   returnable, GSS_Init_sec_context() has GSS_S_OLD_TOKEN,
+   GSS_S_DUPLICATE_TOKEN, and GSS_S_BAD_MECH defined as returnable, and
+   GSS_Accept_sec_context() has GSS_S_BAD_MECH defined as returnable.
+
+APPENDIX C
+
+CHANGES RELATIVE TO RFC-2078
+
+   This document incorporates a number of changes relative to RFC-2078,
+   made primarily in response to implementation experience, for purposes
+   of alignment with the GSS-V2 C language bindings document, and to add
+   informative clarification.  This section summarizes technical changes
+   incorporated.
+
+
+
+
+Linn                        Standards Track                    [Page 96]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+   General:
+
+      Clarified usage of object release routines, and incorporated
+      statement that some may be omitted within certain operating
+      environments.
+
+      Removed GSS_Release_OID, GSS_OID_to_str(), and GSS_Str_to_OID()
+      routines.
+
+      Clarified circumstances under which zero-length tokens may validly
+      exist as inputs and outputs to/from GSS-API calls.
+
+      Added GSS_S_BAD_MIC status code as alias for GSS_S_BAD_SIG.
+
+      For GSS_Display_status(), deferred to language bindings the choice
+      of whether to return multiple status values in parallel or via
+      iteration, and added commentary deprecating return of
+      GSS_S_CONTINUE_NEEDED.
+
+      Adapted and incorporated clarifying material on optional service
+      support, delegation, and interprocess context transfer from C
+      bindings document.
+
+      Added and updated references to related documents, and to current
+      status of cited Kerberos mechanism OID.
+
+      Added general statement about GSS-API calls having no side effects
+      visible at the GSS-API level.
+
+   Context-related (including per-message protection issues):
+
+      Clarified GSS_Delete_sec_context() usage for partially-established
+      contexts.
+
+      Added clarification on GSS_Export_sec_context() and
+      GSS_Import_sec_context() behavior and context usage following an
+      export-import sequence.
+
+      Added informatory conf_req_flag, integ_req_flag inputs to
+      GSS_Init_sec_context().  (Note: this facility introduces a
+      backward incompatibility with GSS-V1 callers, discussed in Section
+      2.2.1; this implication was recognized and accepted in working
+      group discussion.)
+
+      Stated that GSS_S_FAILURE is to be returned if
+      GSS_Init_sec_context() or GSS_Accept_sec_context() is passed the
+      handle of a context which is already fully established.
+
+
+
+
+Linn                        Standards Track                    [Page 97]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      Re GSS_Inquire_sec_context(), stated that src_name and targ_name
+      are not returned until GSS_S_COMPLETE status is reached; removed
+      use of GSS_S_CONTEXT_EXPIRED status code (replacing with EXPIRED
+      lifetime return value); stated requirement to retain inquirable
+      data until context released by caller; added result value
+      indicating whether or not context is fully open.
+
+      Added discussion of interoperability conditions for mechanisms
+      permitting optional support of QOPs. Removed reference to
+      structured QOP elements in GSS_Verify_MIC().
+
+      Added discussion of use of GSS_S_DUPLICATE_TOKEN status to
+      indicate reflected per-message tokens.
+
+      Clarified use of informational sequencing codes from per-message
+      protection calls in conjunction with GSS_S_COMPLETE and
+      GSS_S_FAILURE major_status returns, adjusting status code
+      descriptions accordingly.
+
+      Added specific statements about impact of GSS_GetMIC() and
+      GSS_Wrap() failures on context state information, and generalized
+      existing statements about impact of processing failures on
+      received per-message tokens.
+
+      For GSS_Init_sec_context() and GSS_Accept_sec_context(), permitted
+      returned mech_type to be valid before GSS_S_COMPLETE, recognizing
+      that the value may change on successive continuation calls in the
+      negotiated mechanism case.
+
+      Deleted GSS_S_CONTEXT_EXPIRED status from
+      GSS_Import_sec_context().
+
+      Added conf_req_flag input to GSS_Wrap_size_limit().
+
+      Stated requirement for mechanisms' support of per-message
+      protection services to be usable concurrently in both directions
+      on a context.
+
+   Credential-related:
+
+      For GSS_Acquire_cred() and GSS_Add_cred(), aligned with C bindings
+      statement of likely non-support for INITIATE or BOTH credentials
+      if input name is neither empty nor a name resulting from applying
+      GSS_Inquire_cred() against the default credential.  Further,
+      stated that an explicit name returned by GSS_Inquire_context()
+      should also be accepted.  Added commentary about potentially
+      time-variant results of default resolution and attendant
+      implications.  Aligned with C bindings re behavior when
+
+
+
+Linn                        Standards Track                    [Page 98]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      GSS_C_NO_NAME provided for desired_name. In GSS_Acquire_cred(),
+      stated that NULL, rather than empty OID set, should be used for
+      desired_mechs in order to request default mechanism set.
+
+      Added GSS_S_CREDENTIALS_EXPIRED as returnable major_status for
+      GSS_Acquire_cred(), GSS_Add_cred(), also specifying GSS_S_NO_CRED
+      as appropriate return for temporary, user-fixable credential
+      unavailability.  GSS_Acquire_cred() and GSS_Add_cred() are also to
+      return GSS_S_NO_CRED if an authorization failure is encountered
+      upon credential acquisition.
+
+      Removed GSS_S_CREDENTIALS_EXPIRED status return from per-message
+      protection, GSS_Context_time(), and GSS_Inquire_context() calls.
+
+      For GSS_Add_cred(), aligned with C bindings' description of
+      behavior when addition of elements to the default credential is
+      requested.
+
+      Upgraded recommended default credential resolution algorithm to
+      status of requirement for initiator credentials.
+
+      For GSS_Release_cred(), GSS_Inquire_cred(), and
+      GSS_Inquire_cred_by_mech(), clarified behavior for input
+      GSS_C_NO_CREDENTIAL.
+
+   Name-related:
+
+      Aligned GSS_Inquire_mechs_for_name() description with C bindings.
+
+      Removed GSS_S_BAD_NAMETYPE status return from
+      GSS_Duplicate_name(), GSS_Display_name(); constrained its
+      applicability for GSS_Compare_name().
+
+      Aligned with C bindings statement re GSS_Import_name() behavior
+      with GSS_C_NO_OID input name type, and stated that GSS-V2
+      mechanism specifications are to define processing procedures
+      applicable to their mechanisms.  Also clarified GSS_C_NO_OID usage
+      with GSS_Display_name().
+
+      Downgraded reference to name canonicalization via DNS lookup to an
+      example.
+
+      For GSS_Canonicalize_name(), stated that neither negotiated
+      mechanisms nor the default mechanism are supported input
+      mech_types for this operation, and specified GSS_S_BAD_MECH status
+      to be returned in this case.  Clarified that the
+      GSS_Canonicalize_name() operation is non-destructive to its input
+      name.
+
+
+
+Linn                        Standards Track                    [Page 99]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+      Clarified semantics of GSS_C_NT_USER_NAME name type.
+
+      Added descriptions of additional name types.  Also added
+      discussion of GSS_C_NO_NAME and its constrained usage with
+      specific GSS calls.
+
+      Adapted and incorporated C bindings discussion about name
+      comparisons with exported name objects.
+
+      Added recommendation to mechanism designers for support of host-
+      based service name type, deferring any requirement statement to
+      individual mechanism specifications.  Added discussion of host-
+      based service's service name element and proposed approach for
+      IANA registration policy therefor.
+
+      Clarified byte ordering within exported name object.  Stated that
+      GSS_S_BAD_MECH is to be returned if, in the course of attempted
+      import of an exported name object, the name object's enclosed
+      mechanism type is unrecognized or unsupported.
+
+      Stated that mechanisms may optionally accept GSS_C_NO_NAME as an
+      input target name to GSS_Init_sec_context(), with comment that
+      such support is unlikely within mechanisms predating GSS-V2,
+      Update 1.
+
+AUTHOR'S ADDRESS
+
+   John Linn
+   RSA Laboratories
+   20 Crosby Drive
+   Bedford, MA  01730 USA
+
+   Phone: +1 781.687.7817
+   EMail: jlinn@rsasecurity.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                   [Page 100]
+
+RFC 2743                        GSS-API                     January 2000
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Linn                        Standards Track                   [Page 101]
+
diff --git a/crypto/heimdal/doc/standardisation/rfc2744.txt b/crypto/heimdal/doc/standardisation/rfc2744.txt
new file mode 100644
index 0000000..7f0c619
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/rfc2744.txt
@@ -0,0 +1,5659 @@
+
+
+
+
+
+
+Network Working Group                                             J. Wray
+Request for Comments: 2744                                Iris Associates
+Obsoletes: 1509                                              January 2000
+Category: Standards Track
+
+
+          Generic Security Service API Version 2 : C-bindings
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+Abstract
+
+   This document specifies C language bindings for Version 2, Update 1
+   of the Generic Security Service Application Program Interface (GSS-
+   API), which is described at a language-independent conceptual level
+   in RFC-2743 [GSSAPI].  It obsoletes RFC-1509, making specific
+   incremental changes in response to implementation experience and
+   liaison requests.  It is intended, therefore, that this memo or a
+   successor version thereof will become the basis for subsequent
+   progression of the GSS-API specification on the standards track.
+
+   The Generic Security Service Application Programming Interface
+   provides security services to its callers, and is intended for
+   implementation atop a variety of underlying cryptographic mechanisms.
+   Typically, GSS-API callers will be application protocols into which
+   security enhancements are integrated through invocation of services
+   provided by the GSS-API. The GSS-API allows a caller application to
+   authenticate a principal identity associated with a peer application,
+   to delegate rights to a peer, and to apply security services such as
+   confidentiality and integrity on a per-message basis.
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 1]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+1.   Introduction
+
+   The Generic Security Service Application Programming Interface
+   [GSSAPI] provides security services to calling applications.  It
+   allows a communicating application to authenticate the user
+   associated with another application, to delegate rights to another
+   application, and to apply security services such as confidentiality
+   and integrity on a per-message basis.
+
+   There are four stages to using the GSS-API:
+
+   a) The application acquires a set of credentials with which it may
+      prove its identity to other processes. The application's
+      credentials vouch for its global identity, which may or may not be
+      related to any local username under which it may be running.
+
+   b) A pair of communicating applications establish a joint security
+      context using their credentials.  The security context is a pair
+      of GSS-API data structures that contain shared state information,
+      which is required in order that per-message security services may
+      be provided.  Examples of state that might be shared between
+      applications as part of a security context are cryptographic keys,
+      and message sequence numbers.  As part of the establishment of a
+      security context, the context initiator is authenticated to the
+      responder, and may require that the responder is authenticated in
+      turn.  The initiator may optionally give the responder the right
+      to initiate further security contexts, acting as an agent or
+      delegate of the initiator.  This transfer of rights is termed
+      delegation, and is achieved by creating a set of credentials,
+      similar to those used by the initiating application, but which may
+      be used by the responder.
+
+      To establish and maintain the shared information that makes up the
+      security context, certain GSS-API calls will return a token data
+      structure, which is an opaque data type that may contain
+      cryptographically protected data.  The caller of such a GSS-API
+      routine is responsible for transferring the token to the peer
+      application, encapsulated if necessary in an application-
+      application protocol.  On receipt of such a token, the peer
+      application should pass it to a corresponding GSS-API routine
+      which will decode the token and extract the information, updating
+      the security context state information accordingly.
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 2]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   c) Per-message services are invoked to apply either:
+
+      integrity and data origin authentication, or confidentiality,
+      integrity and data origin authentication to application data,
+      which are treated by GSS-API as arbitrary octet-strings.  An
+      application transmitting a message that it wishes to protect will
+      call the appropriate GSS-API routine (gss_get_mic or gss_wrap) to
+      apply protection, specifying the appropriate security context, and
+      send the resulting token to the receiving application.  The
+      receiver will pass the received token (and, in the case of data
+      protected by gss_get_mic, the accompanying message-data) to the
+      corresponding decoding routine (gss_verify_mic or gss_unwrap) to
+      remove the protection and validate the data.
+
+   d) At the completion of a communications session (which may extend
+      across several transport connections), each application calls a
+      GSS-API routine to delete the security context.  Multiple contexts
+      may also be used (either successively or simultaneously) within a
+      single communications association, at the option of the
+      applications.
+
+2.   GSS-API Routines
+
+      This section lists the routines that make up the GSS-API, and
+      offers a brief description of the purpose of each routine.
+      Detailed descriptions of each routine are listed in alphabetical
+      order in section 5.
+
+   Table 2-1  GSS-API Credential-management Routines
+
+   Routine                Section              Function
+   -------                -------              --------
+   gss_acquire_cred           5.2  Assume a global identity; Obtain
+                                   a GSS-API credential handle for
+                                   pre-existing credentials.
+   gss_add_cred               5.3  Construct credentials
+                                   incrementally
+   gss_inquire_cred           5.21 Obtain information about a
+                                   credential
+   gss_inquire_cred_by_mech   5.22 Obtain per-mechanism information
+                                   about a credential.
+   gss_release_cred           5.27 Discard a credential handle.
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 3]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Table 2-2  GSS-API Context-Level Routines
+
+   Routine                 Section              Function
+   -------                 -------              --------
+   gss_init_sec_context       5.19 Initiate a security context with
+                                   a peer application
+   gss_accept_sec_context     5.1  Accept a security context
+                                   initiated by a
+                                   peer application
+   gss_delete_sec_context     5.9  Discard a security context
+   gss_process_context_token  5.25 Process a token on a security
+                                   context from a peer application
+   gss_context_time           5.7  Determine for how long a context
+                                   will remain valid
+   gss_inquire_context        5.20 Obtain information about a
+                                   security context
+   gss_wrap_size_limit        5.34 Determine token-size limit for
+                                   gss_wrap on a context
+   gss_export_sec_context     5.14 Transfer a security context to
+                                   another process
+   gss_import_sec_context     5.17 Import a transferred context
+
+
+   Table 2-3  GSS-API Per-message Routines
+
+   Routine                 Section              Function
+   -------                 -------              --------
+   gss_get_mic                5.15 Calculate a cryptographic message
+                                   integrity code (MIC) for a
+                                   message; integrity service
+   gss_verify_mic             5.32 Check a MIC against a message;
+                                   verify integrity of a received
+                                   message
+   gss_wrap                   5.33 Attach a MIC to a message, and
+                                   optionally encrypt the message
+                                   content;
+                                   confidentiality service
+   gss_unwrap                 5.31 Verify a message with attached
+                                   MIC, and decrypt message content
+                                   if necessary.
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 4]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Table 2-4  GSS-API Name manipulation Routines
+
+   Routine                 Section              Function
+   -------                 -------              --------
+   gss_import_name            5.16 Convert a contiguous string name
+                                   to internal-form
+   gss_display_name           5.10 Convert internal-form name to
+                                   text
+   gss_compare_name           5.6  Compare two internal-form names
+
+   gss_release_name           5.28 Discard an internal-form name
+   gss_inquire_names_for_mech 5.24 List the name-types supported by
+                                   the specified mechanism
+   gss_inquire_mechs_for_name 5.23 List mechanisms that support the
+                                   specified name-type
+   gss_canonicalize_name      5.5  Convert an internal name to an MN
+   gss_export_name            5.13 Convert an MN to export form
+   gss_duplicate_name         5.12 Create a copy of an internal name
+
+
+   Table 2-5  GSS-API Miscellaneous Routines
+
+   Routine                Section              Function
+   -------                -------              --------
+   gss_add_oid_set_member    5.4  Add an object identifier to
+                                  a set
+   gss_display_status        5.11 Convert a GSS-API status code
+                                  to text
+   gss_indicate_mechs        5.18 Determine available underlying
+                                  authentication mechanisms
+   gss_release_buffer        5.26 Discard a buffer
+   gss_release_oid_set       5.29 Discard a set of object
+                                  identifiers
+   gss_create_empty_oid_set  5.8  Create a set containing no
+                                  object identifiers
+   gss_test_oid_set_member   5.30 Determines whether an object
+                                       identifier is a member of a set.
+
+   Individual GSS-API implementations may augment these routines by
+   providing additional mechanism-specific routines if required
+   functionality is not available from the generic forms. Applications
+   are encouraged to use the generic routines wherever possible on
+   portability grounds.
+
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 5]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.   Data Types and Calling Conventions
+
+   The following conventions are used by the GSS-API C-language
+   bindings:
+
+3.1. Integer types
+
+   GSS-API uses the following integer data type:
+
+   OM_uint32    32-bit unsigned integer
+
+   Where guaranteed minimum bit-count is important, this portable data
+   type is used by the GSS-API routine definitions.  Individual GSS-API
+   implementations will include appropriate typedef definitions to map
+   this type onto a built-in data type.  If the platform supports the
+   X/Open xom.h header file, the OM_uint32 definition contained therein
+   should be used; the GSS-API header file in Appendix A contains logic
+   that will detect the prior inclusion of xom.h, and will not attempt
+   to re-declare OM_uint32.  If the X/Open header file is not available
+   on the platform, the GSS-API implementation should use the smallest
+   natural unsigned integer type that provides at least 32 bits of
+   precision.
+
+3.2. String and similar data
+
+   Many of the GSS-API routines take arguments and return values that
+   describe contiguous octet-strings.  All such data is passed between
+   the GSS-API and the caller using the gss_buffer_t data type.  This
+   data type is a pointer to a buffer descriptor, which consists of a
+   length field that contains the total number of bytes in the datum,
+   and a value field which contains a pointer to the actual datum:
+
+   typedef struct gss_buffer_desc_struct {
+      size_t    length;
+      void      *value;
+   } gss_buffer_desc, *gss_buffer_t;
+
+   Storage for data returned to the application by a GSS-API routine
+   using the gss_buffer_t conventions is allocated by the GSS-API
+   routine.  The application may free this storage by invoking the
+   gss_release_buffer routine.  Allocation of the gss_buffer_desc object
+   is always the responsibility of the application;  unused
+   gss_buffer_desc objects may be initialized to the value
+   GSS_C_EMPTY_BUFFER.
+
+
+
+
+
+
+
+Wray                        Standards Track                     [Page 6]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.2.1. Opaque data types
+
+   Certain multiple-word data items are considered opaque data types at
+   the GSS-API, because their internal structure has no significance
+   either to the GSS-API or to the caller.  Examples of such opaque data
+   types are the input_token parameter to gss_init_sec_context (which is
+   opaque to the caller), and the input_message parameter to gss_wrap
+   (which is opaque to the GSS-API).  Opaque data is passed between the
+   GSS-API and the application using the gss_buffer_t datatype.
+
+3.2.2. Character strings
+
+   Certain multiple-word data items may be regarded as simple ISO
+   Latin-1 character strings.  Examples are the printable strings passed
+   to gss_import_name via the input_name_buffer parameter. Some GSS-API
+   routines also return character strings.  All such character strings
+   are passed between the application and the GSS-API implementation
+   using the gss_buffer_t datatype, which is a pointer to a
+   gss_buffer_desc object.
+
+   When a gss_buffer_desc object describes a printable string, the
+   length field of the gss_buffer_desc should only count printable
+   characters within the string.  In particular, a trailing NUL
+   character should NOT be included in the length count, nor should
+   either the GSS-API implementation or the application assume the
+   presence of an uncounted trailing NUL.
+
+3.3. Object Identifiers
+
+   Certain GSS-API procedures take parameters of the type gss_OID, or
+   Object identifier.  This is a type containing ISO-defined tree-
+   structured values, and is used by the GSS-API caller to select an
+   underlying security mechanism and to specify namespaces.  A value of
+   type gss_OID has the following structure:
+
+   typedef struct gss_OID_desc_struct {
+      OM_uint32   length;
+      void        *elements;
+   } gss_OID_desc, *gss_OID;
+
+   The elements field of this structure points to the first byte of an
+   octet string containing the ASN.1 BER encoding of the value portion
+   of the normal BER TLV encoding of the gss_OID.  The length field
+   contains the number of bytes in this value.  For example, the gss_OID
+   value corresponding to {iso(1) identified-organization(3) icd-
+   ecma(12) member-company(2) dec(1011) cryptoAlgorithms(7) DASS(5)},
+   meaning the DASS X.509 authentication mechanism, has a length field
+   of 7 and an elements field pointing to seven octets containing the
+
+
+
+Wray                        Standards Track                     [Page 7]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   following octal values: 53,14,2,207,163,7,5. GSS-API implementations
+   should provide constant gss_OID values to allow applications to
+   request any supported mechanism, although applications are encouraged
+   on portability grounds to accept the default mechanism.  gss_OID
+   values should also be provided to allow applications to specify
+   particular name types (see section 3.10).  Applications should treat
+   gss_OID_desc values returned by GSS-API routines as read-only.  In
+   particular, the application should not attempt to deallocate them
+   with free().  The gss_OID_desc datatype is equivalent to the X/Open
+   OM_object_identifier datatype[XOM].
+
+3.4. Object Identifier Sets
+
+   Certain GSS-API procedures take parameters of the type gss_OID_set.
+   This type represents one or more object identifiers (section 2.3).  A
+   gss_OID_set object has the following structure:
+
+   typedef struct gss_OID_set_desc_struct {
+      size_t    count;
+      gss_OID   elements;
+   } gss_OID_set_desc, *gss_OID_set;
+
+   The count field contains the number of OIDs within the set.  The
+   elements field is a pointer to an array of gss_OID_desc objects, each
+   of which describes a single OID.  gss_OID_set values are used to name
+   the available mechanisms supported by the GSS-API, to request the use
+   of specific mechanisms, and to indicate which mechanisms a given
+   credential supports.
+
+   All OID sets returned to the application by GSS-API are dynamic
+   objects (the gss_OID_set_desc, the "elements" array of the set, and
+   the "elements" array of each member OID are all dynamically
+   allocated), and this storage must be deallocated by the application
+   using the gss_release_oid_set() routine.
+
+3.5. Credentials
+
+   A credential handle is a caller-opaque atomic datum that identifies a
+   GSS-API credential data structure.  It is represented by the caller-
+   opaque type gss_cred_id_t, which should be implemented as a pointer
+   or arithmetic type.  If a pointer implementation is chosen, care must
+   be taken to ensure that two gss_cred_id_t values may be compared with
+   the == operator.
+
+   GSS-API credentials can contain mechanism-specific principal
+   authentication data for multiple mechanisms.  A GSS-API credential is
+   composed of a set of credential-elements, each of which is applicable
+   to a single mechanism.  A credential may contain at most one
+
+
+
+Wray                        Standards Track                     [Page 8]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   credential-element for each supported mechanism. A credential-element
+   identifies the data needed by a single mechanism to authenticate a
+   single principal, and conceptually contains two credential-references
+   that describe the actual mechanism-specific authentication data, one
+   to be used by GSS-API for initiating contexts,  and one to be used
+   for accepting contexts.  For mechanisms that do not distinguish
+   between acceptor and initiator credentials, both references would
+   point to the same underlying mechanism-specific authentication data.
+
+   Credentials describe a set of mechanism-specific principals, and give
+   their holder the ability to act as any of those principals. All
+   principal identities asserted by a single GSS-API credential should
+   belong to the same entity, although enforcement of this property is
+   an implementation-specific matter.  The GSS-API does not make the
+   actual credentials available to applications; instead a credential
+   handle is used to identify a particular credential, held internally
+   by GSS-API.  The combination of GSS-API credential handle and
+   mechanism identifies the principal whose identity will be asserted by
+   the credential when used with that mechanism.
+
+   The gss_init_sec_context and gss_accept_sec_context routines allow
+   the value GSS_C_NO_CREDENTIAL to be specified as their credential
+   handle parameter.  This special credential-handle indicates a desire
+   by the application to act as a default principal.  While individual
+   GSS-API implementations are free to determine such default behavior
+   as appropriate to the mechanism, the following default behavior by
+   these routines is recommended for portability:
+
+   gss_init_sec_context
+
+      1) If there is only a single principal capable of initiating
+         security contexts for the chosen mechanism that the application
+         is authorized to act on behalf of, then that principal shall be
+         used, otherwise
+
+      2) If the platform maintains a concept of a default network-
+         identity for the chosen mechanism, and if the application is
+         authorized to act on behalf of that identity for the purpose of
+         initiating security contexts, then the principal corresponding
+         to that identity shall be used, otherwise
+
+      3) If the platform maintains a concept of a default local
+         identity, and provides a means to map local identities into
+         network-identities for the chosen mechanism, and if the
+         application is authorized to act on behalf of the network-
+         identity image of the default local identity for the purpose of
+
+
+
+
+
+Wray                        Standards Track                     [Page 9]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+         initiating security contexts using the chosen mechanism, then
+         the principal corresponding to that identity shall be used,
+         otherwise
+
+      4) A user-configurable default identity should be used.
+
+   gss_accept_sec_context
+
+      1) If there is only a single authorized principal identity capable
+         of accepting security contexts for the chosen mechanism, then
+         that principal shall be used, otherwise
+
+      2) If the mechanism can determine the identity of the target
+         principal by examining the context-establishment token, and if
+         the accepting application is authorized to act as that
+         principal for the purpose of accepting security contexts using
+         the chosen mechanism, then that principal identity shall be
+         used, otherwise
+
+      3) If the mechanism supports context acceptance by any principal,
+         and if mutual authentication was not requested, any principal
+         that the application is authorized to accept security contexts
+         under using the chosen mechanism may be used, otherwise
+
+      4)A user-configurable default identity shall be used.
+
+   The purpose of the above rules is to allow security contexts to be
+   established by both initiator and acceptor using the default behavior
+   wherever possible.  Applications requesting default behavior are
+   likely to be more portable across mechanisms and platforms than ones
+   that use gss_acquire_cred to request a specific identity.
+
+3.6. Contexts
+
+   The gss_ctx_id_t data type contains a caller-opaque atomic value that
+   identifies one end of a GSS-API security context.  It should be
+   implemented as a pointer or arithmetic type.  If a pointer type is
+   chosen, care should be taken to ensure that two gss_ctx_id_t values
+   may be compared with the == operator.
+
+   The security context holds state information about each end of a peer
+   communication, including cryptographic state information.
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 10]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.7. Authentication tokens
+
+   A token is a caller-opaque type that GSS-API uses to maintain
+   synchronization between the context data structures at each end of a
+   GSS-API security context.  The token is a cryptographically protected
+   octet-string, generated by the underlying mechanism at one end of a
+   GSS-API security context for use by the peer mechanism at the other
+   end.  Encapsulation (if required) and transfer of the token are the
+   responsibility of the peer applications.  A token is passed between
+   the GSS-API and the application using the gss_buffer_t conventions.
+
+3.8. Interprocess tokens
+
+   Certain GSS-API routines are intended to transfer data between
+   processes in multi-process programs.  These routines use a caller-
+   opaque octet-string, generated by the GSS-API in one process for use
+   by the GSS-API in another process.  The calling application is
+   responsible for transferring such tokens between processes in an OS-
+   specific manner.  Note that, while GSS-API implementors are
+   encouraged to avoid placing sensitive information within interprocess
+   tokens, or to cryptographically protect them, many implementations
+   will be unable to avoid placing key material or other sensitive data
+   within them.  It is the application's responsibility to ensure that
+   interprocess tokens are protected in transit, and transferred only to
+   processes that are trustworthy. An interprocess token is passed
+   between the GSS-API and the application using the gss_buffer_t
+   conventions.
+
+3.9. Status values
+
+   Every GSS-API routine returns two distinct values to report status
+   information to the caller: GSS status codes and Mechanism status
+   codes.
+
+3.9.1. GSS status codes
+
+   GSS-API routines return GSS status codes as their OM_uint32 function
+   value.  These codes indicate errors that are independent of the
+   underlying mechanism(s) used to provide the security service.  The
+   errors that can be indicated via a GSS status code are either generic
+   API routine errors (errors that are defined in the GSS-API
+   specification) or calling errors (errors that are specific to these
+   language bindings).
+
+   A GSS status code can indicate a single fatal generic API error from
+   the routine and a single calling error.  In addition, supplementary
+   status information may be indicated via the setting of bits in the
+   supplementary info field of a GSS status code.
+
+
+
+Wray                        Standards Track                    [Page 11]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   These errors are encoded into the 32-bit GSS status code as follows:
+
+      MSB                                                        LSB
+      |------------------------------------------------------------|
+      |  Calling Error | Routine Error  |    Supplementary Info    |
+      |------------------------------------------------------------|
+   Bit 31            24 23            16 15                       0
+
+   Hence if a GSS-API routine returns a GSS status code whose upper 16
+   bits contain a non-zero value, the call failed.  If the calling error
+   field is non-zero, the invoking application's call of the routine was
+   erroneous.  Calling errors are defined in table 5-1.  If the routine
+   error field is non-zero, the routine failed for one of the routine-
+   specific reasons listed below in table 5-2.  Whether or not the upper
+   16 bits indicate a failure or a success, the routine may indicate
+   additional information by setting bits in the supplementary info
+   field of the status code. The meaning of individual bits is listed
+   below in table 5-3.
+
+   Table 3-1  Calling Errors
+
+   Name                   Value in field           Meaning
+   ----                   --------------           -------
+   GSS_S_CALL_INACCESSIBLE_READ  1       A required input parameter
+                                         could not be read
+   GSS_S_CALL_INACCESSIBLE_WRITE 2       A required output parameter
+                                          could not be written.
+   GSS_S_CALL_BAD_STRUCTURE      3       A parameter was malformed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 12]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Table 3-2  Routine Errors
+
+   Name                   Value in field           Meaning
+   ----                   --------------           -------
+   GSS_S_BAD_MECH                1       An unsupported mechanism
+                                         was requested
+   GSS_S_BAD_NAME                2       An invalid name was
+                                         supplied
+   GSS_S_BAD_NAMETYPE            3       A supplied name was of an
+                                         unsupported type
+   GSS_S_BAD_BINDINGS            4       Incorrect channel bindings
+                                         were supplied
+   GSS_S_BAD_STATUS              5       An invalid status code was
+                                         supplied
+   GSS_S_BAD_MIC GSS_S_BAD_SIG   6       A token had an invalid MIC
+   GSS_S_NO_CRED                 7       No credentials were
+                                         supplied, or the
+                                         credentials were
+                                         unavailable or
+                                         inaccessible.
+   GSS_S_NO_CONTEXT              8       No context has been
+                                         established
+   GSS_S_DEFECTIVE_TOKEN         9       A token was invalid
+   GSS_S_DEFECTIVE_CREDENTIAL   10       A credential was invalid
+   GSS_S_CREDENTIALS_EXPIRED    11       The referenced credentials
+                                         have expired
+   GSS_S_CONTEXT_EXPIRED        12       The context has expired
+   GSS_S_FAILURE                13       Miscellaneous failure (see
+                                         text)
+   GSS_S_BAD_QOP                14       The quality-of-protection
+                                         requested could not be
+                                         provided
+   GSS_S_UNAUTHORIZED           15       The operation is forbidden
+                                         by local security policy
+   GSS_S_UNAVAILABLE            16       The operation or option is
+                                         unavailable
+   GSS_S_DUPLICATE_ELEMENT      17       The requested credential
+                                         element already exists
+   GSS_S_NAME_NOT_MN            18       The provided name was not a
+                                         mechanism name
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 13]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Table 3-3  Supplementary Status Bits
+
+   Name                   Bit Number           Meaning
+   ----                   ----------           -------
+   GSS_S_CONTINUE_NEEDED   0 (LSB)   Returned only by
+                                     gss_init_sec_context or
+                                     gss_accept_sec_context. The
+                                     routine must be called again
+                                     to complete its function.
+                                     See routine documentation for
+                                     detailed description
+   GSS_S_DUPLICATE_TOKEN   1         The token was a duplicate of
+                                     an earlier token
+   GSS_S_OLD_TOKEN         2         The token's validity period
+                                     has expired
+   GSS_S_UNSEQ_TOKEN       3         A later token has already been
+                                     processed
+   GSS_S_GAP_TOKEN         4         An expected per-message token
+                                     was not received
+
+   The routine documentation also uses the name GSS_S_COMPLETE, which is
+   a zero value, to indicate an absence of any API errors or
+   supplementary information bits.
+
+   All GSS_S_xxx symbols equate to complete OM_uint32 status codes,
+   rather than to bitfield values.  For example, the actual value of the
+   symbol GSS_S_BAD_NAMETYPE (value 3 in the routine error field) is
+   3<<16.  The macros GSS_CALLING_ERROR(), GSS_ROUTINE_ERROR() and
+   GSS_SUPPLEMENTARY_INFO() are provided, each of which takes a GSS
+   status code and removes all but the relevant field.  For example, the
+   value obtained by applying GSS_ROUTINE_ERROR to a status code removes
+   the calling errors and supplementary info fields, leaving only the
+   routine errors field.  The values delivered by these macros may be
+   directly compared with a GSS_S_xxx symbol of the appropriate type.
+   The macro GSS_ERROR() is also provided, which when applied to a GSS
+   status code returns a non-zero value if the status code indicated a
+   calling or routine error, and a zero value otherwise.  All macros
+   defined by GSS-API evaluate their argument(s) exactly once.
+
+   A GSS-API implementation may choose to signal calling errors in a
+   platform-specific manner instead of, or in addition to the routine
+   value;  routine errors and supplementary info should be returned via
+   major status values only.
+
+   The GSS major status code GSS_S_FAILURE is used to indicate that the
+   underlying mechanism detected an error for which no specific GSS
+   status code is defined.  The mechanism-specific status code will
+   provide more details about the error.
+
+
+
+Wray                        Standards Track                    [Page 14]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.9.2. Mechanism-specific status codes
+
+   GSS-API routines return a minor_status parameter, which is used to
+   indicate specialized errors from the underlying security mechanism.
+   This parameter may contain a single mechanism-specific error,
+   indicated by a OM_uint32 value.
+
+   The minor_status parameter will always be set by a GSS-API routine,
+   even if it returns a calling error or one of the generic API errors
+   indicated above as fatal, although most other output parameters may
+   remain unset in such cases.  However, output parameters that are
+   expected to return pointers to storage allocated by a routine must
+   always be set by the routine, even in the event of an error, although
+   in such cases the GSS-API routine may elect to set the returned
+   parameter value to NULL to indicate that no storage was actually
+   allocated.  Any length field associated with such pointers (as in a
+   gss_buffer_desc structure) should also be set to zero in such cases.
+
+3.10. Names
+
+   A name is used to identify a person or entity.  GSS-API authenticates
+   the relationship between a name and the entity claiming the name.
+
+   Since different authentication mechanisms may employ different
+   namespaces for identifying their principals, GSSAPI's naming support
+   is necessarily complex in multi-mechanism environments (or even in
+   some single-mechanism environments where the underlying mechanism
+   supports multiple namespaces).
+
+   Two distinct representations are defined for names:
+
+   An internal form.  This is the GSS-API "native" format for names,
+      represented by the implementation-specific gss_name_t type.  It is
+      opaque to GSS-API callers.  A single gss_name_t object may contain
+      multiple names from different namespaces, but all names should
+      refer to the same entity.  An example of such an internal name
+      would be the name returned from a call to the gss_inquire_cred
+      routine, when applied to a credential containing credential
+      elements for multiple authentication mechanisms employing
+      different namespaces.  This gss_name_t object will contain a
+      distinct name for the entity for each authentication mechanism.
+
+      For GSS-API implementations supporting multiple namespaces,
+      objects of type gss_name_t must contain sufficient information to
+      determine the namespace to which each primitive name belongs.
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 15]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Mechanism-specific contiguous octet-string forms.  A format
+      capable of containing a single name (from a single namespace).
+      Contiguous string names are always accompanied by an object
+      identifier specifying the namespace to which the name belongs, and
+      their format is dependent on the authentication mechanism that
+      employs the name.  Many, but not all, contiguous string names will
+      be printable, and may therefore be used by GSS-API applications
+      for communication with their users.
+
+   Routines (gss_import_name and gss_display_name) are provided to
+   convert names between contiguous string representations and the
+   internal gss_name_t type.  gss_import_name may support multiple
+   syntaxes for each supported namespace, allowing users the freedom to
+   choose a preferred name representation. gss_display_name should use
+   an implementation-chosen printable syntax for each supported name-
+   type.
+
+   If an application calls gss_display_name(), passing the internal name
+   resulting from a call to gss_import_name(), there is no guarantee the
+   the resulting contiguous string name will be the same as the original
+   imported string name.  Nor do name-space identifiers necessarily
+   survive unchanged after a journey through the internal name-form.  An
+   example of this might be a mechanism that authenticates X.500 names,
+   but provides an algorithmic mapping of Internet DNS names into X.500.
+   That mechanism's implementation of gss_import_name() might, when
+   presented with a DNS name, generate an internal name that contained
+   both the original DNS name and the equivalent X.500 name.
+   Alternatively, it might only store the X.500 name.  In the latter
+   case, gss_display_name() would most likely generate a printable X.500
+   name, rather than the original DNS name.
+
+   The process of authentication delivers to the context acceptor an
+   internal name.  Since this name has been authenticated by a single
+   mechanism, it contains only a single name (even if the internal name
+   presented by the context initiator to gss_init_sec_context had
+   multiple components).  Such names are termed internal mechanism
+   names, or "MN"s and the names emitted by gss_accept_sec_context() are
+   always of this type.  Since some applications may require MNs without
+   wanting to incur the overhead of an authentication operation, a
+   second function, gss_canonicalize_name(), is provided to convert a
+   general internal name into an MN.
+
+   Comparison of internal-form names may be accomplished via the
+   gss_compare_name() routine, which returns true if the two names being
+   compared refer to the same entity.  This removes the need for the
+   application program to understand the syntaxes of the various
+   printable names that a given GSS-API implementation may support.
+   Since GSS-API assumes that all primitive names contained within a
+
+
+
+Wray                        Standards Track                    [Page 16]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   given internal name refer to the same entity, gss_compare_name() can
+   return true if the two names have at least one primitive name in
+   common.  If the implementation embodies knowledge of equivalence
+   relationships between names taken from different namespaces, this
+   knowledge may also allow successful comparison of internal names
+   containing no overlapping primitive elements.
+
+   When used in large access control lists, the overhead of invoking
+   gss_import_name() and gss_compare_name() on each name from the ACL
+   may be prohibitive.  As an alternative way of supporting this case,
+   GSS-API defines a special form of the contiguous string name which
+   may be compared directly (e.g. with memcmp()).  Contiguous names
+   suitable for comparison are generated by the gss_export_name()
+   routine, which requires an MN as input.  Exported names may be re-
+   imported by the gss_import_name() routine, and the resulting internal
+   name will also be an MN.  The gss_OID constant GSS_C_NT_EXPORT_NAME
+   indentifies the "export name" type, and the value of this constant is
+   given in Appendix A.  Structurally, an exported name object consists
+   of a header containing an OID identifying the mechanism that
+   authenticated the name, and a trailer containing the name itself,
+   where the syntax of the trailer is defined by the individual
+   mechanism specification.   The precise format of an export name is
+   defined in the language-independent GSS-API specification [GSSAPI].
+
+   Note that the results obtained by using gss_compare_name() will in
+   general be different from those obtained by invoking
+   gss_canonicalize_name() and gss_export_name(), and then comparing the
+   exported names.  The first series of operation determines whether two
+   (unauthenticated) names identify the same principal; the second
+   whether a particular mechanism would authenticate them as the same
+   principal.  These two operations will in general give the same
+   results only for MNs.
+
+   The gss_name_t datatype should be implemented as a pointer type. To
+   allow the compiler to aid the application programmer by performing
+   type-checking, the use of (void *) is discouraged.  A pointer to an
+   implementation-defined type is the preferred choice.
+
+   Storage is allocated by routines that return gss_name_t values. A
+   procedure, gss_release_name, is provided to free storage associated
+   with an internal-form name.
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 17]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.11. Channel Bindings
+
+   GSS-API supports the use of user-specified tags to identify a given
+   context to the peer application.  These tags are intended to be used
+   to identify the particular communications channel that carries the
+   context.  Channel bindings are communicated to the GSS-API using the
+   following structure:
+
+   typedef struct gss_channel_bindings_struct {
+      OM_uint32       initiator_addrtype;
+      gss_buffer_desc initiator_address;
+      OM_uint32       acceptor_addrtype;
+      gss_buffer_desc acceptor_address;
+      gss_buffer_desc application_data;
+   } *gss_channel_bindings_t;
+
+   The initiator_addrtype and acceptor_addrtype fields denote the type
+   of addresses contained in the initiator_address and acceptor_address
+   buffers.  The address type should be one of the following:
+
+   GSS_C_AF_UNSPEC     Unspecified address type
+   GSS_C_AF_LOCAL      Host-local address type
+   GSS_C_AF_INET       Internet address type (e.g. IP)
+   GSS_C_AF_IMPLINK    ARPAnet IMP address type
+   GSS_C_AF_PUP        pup protocols (eg BSP) address type
+   GSS_C_AF_CHAOS      MIT CHAOS protocol address type
+   GSS_C_AF_NS         XEROX NS address type
+   GSS_C_AF_NBS        nbs address type
+   GSS_C_AF_ECMA       ECMA address type
+   GSS_C_AF_DATAKIT    datakit protocols address type
+   GSS_C_AF_CCITT      CCITT protocols
+   GSS_C_AF_SNA        IBM SNA address type
+   GSS_C_AF_DECnet     DECnet address type
+   GSS_C_AF_DLI        Direct data link interface address type
+   GSS_C_AF_LAT        LAT address type
+   GSS_C_AF_HYLINK     NSC Hyperchannel address type
+   GSS_C_AF_APPLETALK  AppleTalk address type
+   GSS_C_AF_BSC        BISYNC 2780/3780 address type
+   GSS_C_AF_DSS        Distributed system services address type
+   GSS_C_AF_OSI        OSI TP4 address type
+   GSS_C_AF_X25        X.25
+   GSS_C_AF_NULLADDR   No address specified
+
+   Note that these symbols name address families rather than specific
+   addressing formats.  For address families that contain several
+   alternative address forms, the initiator_address and acceptor_address
+   fields must contain sufficient information to determine which address
+
+
+
+
+Wray                        Standards Track                    [Page 18]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   form is used.  When not otherwise specified, addresses should be
+   specified in network byte-order (that is, native byte-ordering for
+   the address family).
+
+   Conceptually, the GSS-API concatenates the initiator_addrtype,
+   initiator_address, acceptor_addrtype, acceptor_address and
+   application_data to form an octet string.  The mechanism calculates a
+   MIC over this octet string, and binds the MIC to the context
+   establishment token emitted by gss_init_sec_context. The same
+   bindings are presented by the context acceptor to
+   gss_accept_sec_context, and a MIC is calculated in the same way. The
+   calculated MIC is compared with that found in the token, and if the
+   MICs differ, gss_accept_sec_context will return a GSS_S_BAD_BINDINGS
+   error, and the context will not be established.  Some mechanisms may
+   include the actual channel binding data in the token (rather than
+   just a MIC); applications should therefore not use confidential data
+   as channel-binding components.
+
+   Individual mechanisms may impose additional constraints on addresses
+   and address types that may appear in channel bindings.  For example,
+   a mechanism may verify that the initiator_address field of the
+   channel bindings presented to gss_init_sec_context contains the
+   correct network address of the host system.  Portable applications
+   should therefore ensure that they either provide correct information
+   for the address fields, or omit addressing information, specifying
+   GSS_C_AF_NULLADDR as the address-types.
+
+3.12. Optional parameters
+
+   Various parameters are described as optional.  This means that they
+   follow a convention whereby a default value may be requested.  The
+   following conventions are used for omitted parameters.  These
+   conventions apply only to those parameters that are explicitly
+   documented as optional.
+
+3.12.1. gss_buffer_t types
+
+   Specify GSS_C_NO_BUFFER as a value.  For an input parameter this
+   signifies that default behavior is requested, while for an output
+   parameter it indicates that the information that would be returned
+   via the parameter is not required by the application.
+
+3.12.2. Integer types (input)
+
+   Individual parameter documentation lists values to be used to
+   indicate default actions.
+
+
+
+
+
+Wray                        Standards Track                    [Page 19]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+3.12.3. Integer types (output)
+
+   Specify NULL as the value for the pointer.
+
+3.12.4. Pointer types
+
+   Specify NULL as the value.
+
+3.12.5. Object IDs
+
+   Specify GSS_C_NO_OID as the value.
+
+3.12.6. Object ID Sets
+
+   Specify GSS_C_NO_OID_SET as the value.
+
+3.12.7. Channel Bindings
+
+   Specify GSS_C_NO_CHANNEL_BINDINGS to indicate that channel bindings
+   are not to be used.
+
+4.   Additional Controls
+
+   This section discusses the optional services that a context initiator
+   may request of the GSS-API at context establishment. Each of these
+   services is requested by setting a flag in the req_flags input
+   parameter to gss_init_sec_context.
+
+   The optional services currently defined are:
+
+   Delegation - The (usually temporary) transfer of rights from
+       initiator to acceptor, enabling the acceptor to authenticate
+       itself as an agent of the initiator.
+
+   Mutual Authentication - In addition to the initiator authenticating
+       its identity to the context acceptor, the context acceptor should
+       also authenticate itself to the initiator.
+
+   Replay detection - In addition to providing message integrity
+       services, gss_get_mic and gss_wrap should include message
+       numbering information to enable gss_verify_mic and gss_unwrap to
+       detect if a message has been duplicated.
+
+   Out-of-sequence detection - In addition to providing message
+       integrity services, gss_get_mic and gss_wrap should include
+       message sequencing information to enable gss_verify_mic and
+       gss_unwrap to detect if a message has been received out of
+       sequence.
+
+
+
+Wray                        Standards Track                    [Page 20]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Anonymous authentication - The establishment of the security context
+       should not reveal the initiator's identity to the context
+       acceptor.
+
+   Any currently undefined bits within such flag arguments should be
+   ignored by GSS-API implementations when presented by an application,
+   and should be set to zero when returned to the application by the
+   GSS-API implementation.
+
+   Some mechanisms may not support all optional services, and some
+   mechanisms may only support some services in conjunction with others.
+   Both gss_init_sec_context and gss_accept_sec_context inform the
+   applications which services will be available from the context when
+   the establishment phase is complete, via the ret_flags output
+   parameter.  In general, if the security mechanism is capable of
+   providing a requested service, it should do so, even if additional
+   services must be enabled in order to provide the requested service.
+   If the mechanism is incapable of providing a requested service, it
+   should proceed without the service, leaving the application to abort
+   the context establishment process if it considers the requested
+   service to be mandatory.
+
+   Some mechanisms may specify that support for some services is
+   optional, and that implementors of the mechanism need not provide it.
+   This is most commonly true of the confidentiality service, often
+   because of legal restrictions on the use of data-encryption, but may
+   apply to any of the services.  Such mechanisms are required to send
+   at least one token from acceptor to initiator during context
+   establishment when the initiator indicates a desire to use such a
+   service, so that the initiating GSS-API can correctly indicate
+   whether the service is supported by the acceptor's GSS-API.
+
+4.1. Delegation
+
+   The GSS-API allows delegation to be controlled by the initiating
+   application via a boolean parameter to gss_init_sec_context(), the
+   routine that establishes a security context.  Some mechanisms do not
+   support delegation, and for such mechanisms attempts by an
+   application to enable delegation are ignored.
+
+   The acceptor of a security context for which the initiator enabled
+   delegation will receive (via the delegated_cred_handle parameter of
+   gss_accept_sec_context) a credential handle that contains the
+   delegated identity, and this credential handle may be used to
+   initiate subsequent GSS-API security contexts as an agent or delegate
+   of the initiator.  If the original initiator's identity is "A" and
+   the delegate's identity is "B", then, depending on the underlying
+   mechanism, the identity embodied by the delegated credential may be
+
+
+
+Wray                        Standards Track                    [Page 21]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   either "A" or "B acting for A".
+
+   For many mechanisms that support delegation, a simple boolean does
+   not provide enough control.  Examples of additional aspects of
+   delegation control that a mechanism might provide to an application
+   are duration of delegation, network addresses from which delegation
+   is valid, and constraints on the tasks that may be performed by a
+   delegate.  Such controls are presently outside the scope of the GSS-
+   API.  GSS-API implementations supporting mechanisms offering
+   additional controls should provide extension routines that allow
+   these controls to be exercised (perhaps by modifying the initiator's
+   GSS-API credential prior to its use in establishing a context).
+   However, the simple delegation control provided by GSS-API should
+   always be able to over-ride other mechanism-specific delegation
+   controls - If the application instructs gss_init_sec_context() that
+   delegation is not desired, then the implementation must not permit
+   delegation to occur. This is an exception to the general rule that a
+   mechanism may enable services even if they are not requested -
+   delegation may only be provided at the explicit request of the
+   application.
+
+4.2. Mutual authentication
+
+   Usually, a context acceptor will require that a context initiator
+   authenticate itself so that the acceptor may make an access-control
+   decision prior to performing a service for the initiator.  In some
+   cases, the initiator may also request that the acceptor authenticate
+   itself.  GSS-API allows the initiating application to request this
+   mutual authentication service by setting a flag when calling
+   gss_init_sec_context.
+
+   The initiating application is informed as to whether or not the
+   context acceptor has authenticated itself.  Note that some mechanisms
+   may not support mutual authentication, and other mechanisms may
+   always perform mutual authentication, whether or not the initiating
+   application requests it.  In particular, mutual authentication my be
+   required by some mechanisms in order to support replay or out-of-
+   sequence message detection, and for such mechanisms a request for
+   either of these services will automatically enable mutual
+   authentication.
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 22]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+4.3. Replay and out-of-sequence detection
+
+   The GSS-API may provide detection of mis-ordered message once a
+   security context has been established.  Protection may be applied to
+   messages by either application, by calling either gss_get_mic or
+   gss_wrap, and verified by the peer application by calling
+   gss_verify_mic or gss_unwrap.
+
+   gss_get_mic calculates a cryptographic MIC over an application
+   message, and returns that MIC in a token.  The application should
+   pass both the token and the message to the peer application, which
+   presents them to gss_verify_mic.
+
+   gss_wrap calculates a cryptographic MIC of an application message,
+   and places both the MIC and the message inside a single token.  The
+   Application should pass the token to the peer application, which
+   presents it to gss_unwrap to extract the message and verify the MIC.
+
+   Either pair of routines may be capable of detecting out-of-sequence
+   message delivery, or duplication of messages. Details of such mis-
+   ordered messages are indicated through supplementary status bits in
+   the major status code returned by gss_verify_mic or gss_unwrap.  The
+   relevant supplementary bits are:
+
+   GSS_S_DUPLICATE_TOKEN - The token is a duplicate of one that has
+                    already been received and processed.  Only
+                    contexts that claim to provide replay detection
+                    may set this bit.
+   GSS_S_OLD_TOKEN - The token is too old to determine whether or
+                    not it is a duplicate.  Contexts supporting
+                    out-of-sequence detection but not replay
+                    detection should always set this bit if
+                    GSS_S_UNSEQ_TOKEN is set; contexts that support
+                    replay detection should only set this bit if the
+                    token is so old that it cannot be checked for
+                    duplication.
+   GSS_S_UNSEQ_TOKEN - A later token has already been processed.
+   GSS_S_GAP_TOKEN - An earlier token has not yet been received.
+
+   A mechanism need not maintain a list of all tokens that have been
+   processed in order to support these status codes.  A typical
+   mechanism might retain information about only the most recent "N"
+   tokens processed, allowing it to distinguish duplicates and missing
+   tokens within the most recent "N" messages; the receipt of a token
+   older than the most recent "N" would result in a GSS_S_OLD_TOKEN
+   status.
+
+
+
+
+
+Wray                        Standards Track                    [Page 23]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+4.4. Anonymous Authentication
+
+   In certain situations, an application may wish to initiate the
+   authentication process to authenticate a peer, without revealing its
+   own identity.  As an example, consider an application providing
+   access to a database containing medical information, and offering
+   unrestricted access to the service.  A client of such a service might
+   wish to authenticate the service (in order to establish trust in any
+   information retrieved from it), but might not wish the service to be
+   able to obtain the client's identity (perhaps due to privacy concerns
+   about the specific inquiries, or perhaps simply to avoid being placed
+   on mailing-lists).
+
+   In normal use of the GSS-API, the initiator's identity is made
+   available to the acceptor as a result of the context establishment
+   process.  However, context initiators may request that their identity
+   not be revealed to the context acceptor. Many mechanisms do not
+   support anonymous authentication, and for such mechanisms the request
+   will not be honored.  An authentication token will be still be
+   generated, but the application is always informed if a requested
+   service is unavailable, and has the option to abort context
+   establishment if anonymity is valued above the other security
+   services that would require a context to be established.
+
+   In addition to informing the application that a context is
+   established anonymously (via the ret_flags outputs from
+   gss_init_sec_context and gss_accept_sec_context), the optional
+   src_name output from gss_accept_sec_context and gss_inquire_context
+   will, for such contexts, return a reserved internal-form name,
+   defined by the implementation.
+
+   When presented to gss_display_name, this reserved internal-form name
+   will result in a printable name that is syntactically distinguishable
+   from any valid principal name supported by the implementation,
+   associated with a name-type object identifier with the value
+   GSS_C_NT_ANONYMOUS, whose value us given in Appendix A.  The
+   printable form of an anonymous name should be chosen such that it
+   implies anonymity, since this name may appear in, for example, audit
+   logs.  For example, the string "<anonymous>" might be a good choice,
+   if no valid printable names supported by the implementation can begin
+   with "<" and end with ">".
+
+4.5. Confidentiality
+
+   If a context supports the confidentiality service, gss_wrap may be
+   used to encrypt application messages.  Messages are selectively
+   encrypted, under the control of the conf_req_flag input parameter to
+   gss_wrap.
+
+
+
+Wray                        Standards Track                    [Page 24]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+4.6. Inter-process context transfer
+
+   GSS-API V2 provides routines (gss_export_sec_context and
+   gss_import_sec_context) which allow a security context to be
+   transferred between processes on a single machine.  The most common
+   use for such a feature is a client-server design where the server is
+   implemented as a single process that accepts incoming security
+   contexts, which then launches child processes to deal with the data
+   on these contexts.  In such a design, the child processes must have
+   access to the security context data structure created within the
+   parent by its call to gss_accept_sec_context so that they can use
+   per-message protection services and delete the security context when
+   the communication session ends.
+
+   Since the security context data structure is expected to contain
+   sequencing information, it is impractical in general to share a
+   context between processes.  Thus GSS-API provides a call
+   (gss_export_sec_context) that the process which currently owns the
+   context can call to declare that it has no intention to use the
+   context subsequently, and to create an inter-process token containing
+   information needed by the adopting process to successfully import the
+   context.  After successful completion of gss_export_sec_context, the
+   original security context is made inaccessible to the calling process
+   by GSS-API, and any context handles referring to this context are no
+   longer valid.  The originating process transfers the inter-process
+   token to the adopting process, which passes it to
+   gss_import_sec_context, and a fresh gss_ctx_id_t is created such that
+   it is functionally identical to the original context.
+
+   The inter-process token may contain sensitive data from the original
+   security context (including cryptographic keys). Applications using
+   inter-process tokens to transfer security contexts must take
+   appropriate steps to protect these tokens in transit.
+
+   Implementations are not required to support the inter-process
+   transfer of security contexts.  The ability to transfer a security
+   context is indicated when the context is created, by
+   gss_init_sec_context or gss_accept_sec_context setting the
+   GSS_C_TRANS_FLAG bit in their ret_flags parameter.
+
+4.7. The use of incomplete contexts
+
+   Some mechanisms may allow the per-message services to be used before
+   the context establishment process is complete.  For example, a
+   mechanism may include sufficient information in its initial context-
+   level token for the context acceptor to immediately decode messages
+   protected with gss_wrap or gss_get_mic.  For such a mechanism, the
+   initiating application need not wait until subsequent context-level
+
+
+
+Wray                        Standards Track                    [Page 25]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   tokens have been sent and received before invoking the per-message
+   protection services.
+
+   The ability of a context to provide per-message services in advance
+   of complete context establishment is indicated by the setting of the
+   GSS_C_PROT_READY_FLAG bit in the ret_flags parameter from
+   gss_init_sec_context and gss_accept_sec_context. Applications wishing
+   to use per-message protection services on partially-established
+   contexts should check this flag before attempting to invoke gss_wrap
+   or gss_get_mic.
+
+5. GSS-API Routine Descriptions
+
+   In addition to the explicit major status codes documented here, the
+   code GSS_S_FAILURE may be returned by any routine, indicating an
+   implementation-specific or mechanism-specific error condition,
+   further details of which are reported via the minor_status parameter.
+
+5.1. gss_accept_sec_context
+
+   OM_uint32 gss_accept_sec_context (
+     OM_uint32           *minor_status,
+     gss_ctx_id_t        *context_handle,
+     const gss_cred_id_t acceptor_cred_handle,
+     const gss_buffer_t  input_token_buffer,
+     const gss_channel_bindings_t  input_chan_bindings,
+     const gss_name_t    *src_name,
+     gss_OID             *mech_type,
+     gss_buffer_t        output_token,
+     OM_uint32           *ret_flags,
+     OM_uint32           *time_rec,
+     gss_cred_id_t       *delegated_cred_handle)
+
+   Purpose:
+
+   Allows a remotely initiated security context between the application
+   and a remote peer to be established.  The routine may return a
+   output_token which should be transferred to the peer application,
+   where the peer application will present it to gss_init_sec_context.
+   If no token need be sent, gss_accept_sec_context will indicate this
+   by setting the length field of the output_token argument to zero.  To
+   complete the context establishment, one or more reply tokens may be
+   required from the peer application; if so, gss_accept_sec_context
+   will return a status flag of GSS_S_CONTINUE_NEEDED, in which case it
+   should be called again when the reply token is received from the peer
+   application, passing the token to gss_accept_sec_context via the
+   input_token parameters.
+
+
+
+
+Wray                        Standards Track                    [Page 26]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Portable applications should be constructed to use the token length
+   and return status to determine whether a token needs to be sent or
+   waited for.  Thus a typical portable caller should always invoke
+   gss_accept_sec_context within a loop:
+
+   gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+
+   do {
+     receive_token_from_peer(input_token);
+     maj_stat = gss_accept_sec_context(&min_stat,
+                                       &context_hdl,
+                                       cred_hdl,
+                                       input_token,
+                                       input_bindings,
+                                       &client_name,
+                                       &mech_type,
+                                       output_token,
+                                       &ret_flags,
+                                       &time_rec,
+                                       &deleg_cred);
+     if (GSS_ERROR(maj_stat)) {
+       report_error(maj_stat, min_stat);
+     };
+     if (output_token->length != 0) {
+       send_token_to_peer(output_token);
+
+       gss_release_buffer(&min_stat, output_token);
+     };
+     if (GSS_ERROR(maj_stat)) {
+       if (context_hdl != GSS_C_NO_CONTEXT)
+         gss_delete_sec_context(&min_stat,
+                                &context_hdl,
+                                GSS_C_NO_BUFFER);
+       break;
+     };
+   } while (maj_stat & GSS_S_CONTINUE_NEEDED);
+
+   Whenever the routine returns a major status that includes the value
+   GSS_S_CONTINUE_NEEDED, the context is not fully established and the
+   following restrictions apply to the output parameters:
+
+   The value returned via the time_rec parameter is undefined Unless the
+   accompanying ret_flags parameter contains the bit
+   GSS_C_PROT_READY_FLAG, indicating that per-message services may be
+   applied in advance of a successful completion status, the value
+   returned via the mech_type parameter may be undefined until the
+   routine returns a major status value of GSS_S_COMPLETE.
+
+
+
+
+Wray                        Standards Track                    [Page 27]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   The values of the GSS_C_DELEG_FLAG,
+   GSS_C_MUTUAL_FLAG,GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG,
+   GSS_C_CONF_FLAG,GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned
+   via the ret_flags parameter should contain the values that the
+   implementation expects would be valid if context establishment were
+   to succeed.
+
+   The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits
+   within ret_flags should indicate the actual state at the time
+   gss_accept_sec_context returns, whether or not the context is fully
+   established.
+
+   Although this requires that GSS-API implementations set the
+   GSS_C_PROT_READY_FLAG in the final ret_flags returned to a caller
+   (i.e. when accompanied by a GSS_S_COMPLETE status code), applications
+   should not rely on this behavior as the flag was not defined in
+   Version 1 of the GSS-API. Instead, applications should be prepared to
+   use per-message services after a successful context establishment,
+   according to the GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG values.
+
+   All other bits within the ret_flags argument should be set to zero.
+   While the routine returns GSS_S_CONTINUE_NEEDED, the values returned
+   via the ret_flags argument indicate the services that the
+   implementation expects to be available from the established context.
+
+   If the initial call of gss_accept_sec_context() fails, the
+   implementation should not create a context object, and should leave
+   the value of the context_handle parameter set to GSS_C_NO_CONTEXT to
+   indicate this.  In the event of a failure on a subsequent call, the
+   implementation is permitted to delete the "half-built" security
+   context (in which case it should set the context_handle parameter to
+   GSS_C_NO_CONTEXT), but the preferred behavior is to leave the
+   security context (and the context_handle parameter) untouched for the
+   application to delete (using gss_delete_sec_context).
+
+   During context establishment, the informational status bits
+   GSS_S_OLD_TOKEN and GSS_S_DUPLICATE_TOKEN indicate fatal errors, and
+   GSS-API mechanisms should always return them in association with a
+   routine error of GSS_S_FAILURE.  This requirement for pairing did not
+   exist in version 1 of the GSS-API specification, so applications that
+   wish to run over version 1 implementations must special-case these
+   codes.
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 28]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   context_handle    gss_ctx_id_t, read/modify context handle for new
+                        context.  Supply GSS_C_NO_CONTEXT for first
+                        call; use value returned in subsequent calls.
+                        Once gss_accept_sec_context() has returned a
+                        value via this parameter, resources have been
+                        assigned to the corresponding context, and must
+                        be freed by the application after use with a
+                        call to gss_delete_sec_context().
+
+
+   acceptor_cred_handle  gss_cred_id_t, read Credential handle claimed
+                         by context acceptor. Specify
+                         GSS_C_NO_CREDENTIAL to accept the context as a
+                         default principal.  If GSS_C_NO_CREDENTIAL is
+                         specified, but no default acceptor principal is
+                         defined, GSS_S_NO_CRED will be returned.
+
+   input_token_buffer   buffer, opaque, read token obtained from remote
+                        application.
+
+   input_chan_bindings  channel bindings, read, optional Application-
+                        specified bindings.  Allows application to
+                        securely bind channel identification information
+                        to the security context.  If channel bindings
+                        are not used, specify GSS_C_NO_CHANNEL_BINDINGS.
+
+   src_name             gss_name_t, modify, optional Authenticated name
+                        of context initiator.  After use, this name
+                        should be deallocated by passing it to
+                        gss_release_name().  If not required, specify
+                        NULL.
+
+   mech_type            Object ID, modify, optional Security mechanism
+                        used.  The returned OID value will be a pointer
+                        into static storage, and should be treated as
+                        read-only by the caller (in particular, it does
+                        not need to be freed).  If not required, specify
+                        NULL.
+
+   output_token         buffer, opaque, modify Token to be passed to
+                        peer application.  If the length field of the
+                        returned token buffer is 0, then no token need
+                        be passed to the peer application.  If a non-
+                        zero length field is returned, the associated
+                        storage must be freed after use by the
+                        application with a call to gss_release_buffer().
+
+
+
+Wray                        Standards Track                    [Page 29]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   ret_flags            bit-mask, modify, optional Contains various
+                        independent flags, each of which indicates that
+                        the context supports a specific service option.
+                        If not needed, specify NULL.  Symbolic names are
+                        provided for each flag, and the symbolic names
+                        corresponding to the required flags should be
+                        logically-ANDed with the ret_flags value to test
+                        whether a given option is supported by the
+                        context.  The flags are:
+                        GSS_C_DELEG_FLAG
+                        True - Delegated credentials are available
+                               via the delegated_cred_handle
+                               parameter
+                        False - No credentials were delegated
+                        GSS_C_MUTUAL_FLAG
+                        True - Remote peer asked for mutual
+                               authentication
+                        False - Remote peer did not ask for mutual
+                                authentication
+                        GSS_C_REPLAY_FLAG
+                        True - replay of protected messages
+                               will be detected
+                        False - replayed messages will not be
+                                detected
+                        GSS_C_SEQUENCE_FLAG
+                        True - out-of-sequence protected
+                               messages will be detected
+                        False - out-of-sequence messages will not
+                                be detected
+                        GSS_C_CONF_FLAG
+                        True - Confidentiality service may be
+                               invoked by calling the gss_wrap
+                               routine
+                        False - No confidentiality service (via
+                                gss_wrap) available. gss_wrap will
+                                provide message encapsulation,
+                                data-origin authentication and
+                                integrity services only.
+                        GSS_C_INTEG_FLAG
+                        True - Integrity service may be invoked by
+                               calling either gss_get_mic or
+                               gss_wrap routines.
+                        False - Per-message integrity service
+                                unavailable.
+                        GSS_C_ANON_FLAG
+                        True - The initiator does not wish to
+                               be authenticated; the src_name
+                               parameter (if requested) contains
+
+
+
+Wray                        Standards Track                    [Page 30]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                               an anonymous internal name.
+                        False - The initiator has been
+                                authenticated normally.
+                        GSS_C_PROT_READY_FLAG
+                        True - Protection services (as specified
+                               by the states of the GSS_C_CONF_FLAG
+                               and GSS_C_INTEG_FLAG) are available
+                               if the accompanying major status
+                               return value is either GSS_S_COMPLETE
+                               or GSS_S_CONTINUE_NEEDED.
+                        False - Protection services (as specified
+                                by the states of the GSS_C_CONF_FLAG
+                                and GSS_C_INTEG_FLAG) are available
+                                only if the accompanying major status
+                                return value is GSS_S_COMPLETE.
+                        GSS_C_TRANS_FLAG
+                        True - The resultant security context may
+                               be transferred to other processes via
+                               a call to gss_export_sec_context().
+                        False - The security context is not
+                                transferable.
+                        All other bits should be set to zero.
+
+   time_rec             Integer, modify, optional
+                        number of seconds for which the context will
+                        remain valid. Specify NULL if not required.
+
+   delegated_cred_handle
+                        gss_cred_id_t, modify, optional credential
+                        handle for credentials received from context
+                        initiator.  Only valid if deleg_flag in
+                        ret_flags is true, in which case an explicit
+                        credential handle (i.e. not GSS_C_NO_CREDENTIAL)
+                        will be returned; if deleg_flag is false,
+                        gss_accept_context() will set this parameter to
+                        GSS_C_NO_CREDENTIAL.  If a credential handle is
+                        returned, the associated resources must be
+                        released by the application after use with a
+                        call to gss_release_cred().  Specify NULL if not
+                        required.
+
+   minor_status         Integer, modify
+                        Mechanism specific status code.
+
+   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
+                         application is required to complete the
+                         context, and that gss_accept_sec_context must
+                         be called again with that token.
+
+
+
+Wray                        Standards Track                    [Page 31]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed on
+                         the input_token failed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
+                         performed on the credential failed.
+
+   GSS_S_NO_CRED     The supplied credentials were not valid for context
+                         acceptance, or the credential handle did not
+                         reference any credentials.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
+
+   GSS_S_BAD_BINDINGS  The input_token contains different channel
+                         bindings to those specified via the
+                         input_chan_bindings parameter.
+
+   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did not
+                         refer to a valid context.
+
+   GSS_S_BAD_SIG     The input_token contains an invalid MIC.
+
+   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal error
+                         during context establishment.
+
+   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate of
+                         a token already processed.  This is a fatal
+                         error during context establishment.
+
+   GSS_S_BAD_MECH    The received token specified a mechanism that is
+                         not supported by the implementation or the
+                         provided credential.
+
+5.2. gss_acquire_cred
+
+   OM_uint32 gss_acquire_cred (
+     OM_uint32         *minor_status,
+     const gss_name_t  desired_name,
+     OM_uint32         time_req,
+     const gss_OID_set desired_mechs,
+     gss_cred_usage_t  cred_usage,
+     gss_cred_id_t     *output_cred_handle,
+     gss_OID_set       *actual_mechs,
+     OM_uint32         *time_rec)
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 32]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Purpose:
+
+   Allows an application to acquire a handle for a pre-existing
+   credential by name.  GSS-API implementations must impose a local
+   access-control policy on callers of this routine to prevent
+   unauthorized callers from acquiring credentials to which they are not
+   entitled.  This routine is not intended to provide a "login to the
+   network" function, as such a function would involve the creation of
+   new credentials rather than merely acquiring a handle to existing
+   credentials.  Such functions, if required, should be defined in
+   implementation-specific extensions to the API.
+
+   If desired_name is GSS_C_NO_NAME, the call is interpreted as a
+   request for a credential handle that will invoke default behavior
+   when passed to gss_init_sec_context() (if cred_usage is
+   GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
+   cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
+
+   Mechanisms should honor the desired_mechs parameter, and return a
+   credential that is suitable to use only with the requested
+   mechanisms.  An exception to this is the case where one underlying
+   credential element can be shared by multiple mechanisms; in this case
+   it is permissible for an implementation to indicate all mechanisms
+   with which the credential element may be used.  If desired_mechs is
+   an empty set, behavior is undefined.
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways
+   of obtaining GSS-API initiator credentials from the system login
+   process.  Some implementations may therefore not support the
+   acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
+   gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
+   produced by applying either gss_inquire_cred to a valid credential,
+   or gss_inquire_context to an active context.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may choose to delay the actual acquisition until the
+   credential is required (e.g. by gss_init_sec_context or
+   gss_accept_sec_context).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call
+   of gss_inquire_cred immediately following the call of
+   gss_acquire_cred must return valid credential data, and may therefore
+   incur the overhead of a deferred credential acquisition.
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 33]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   desired_name      gss_name_t, read
+                     Name of principal whose credential
+                     should be acquired
+
+   time_req          Integer, read, optional
+                     number of seconds that credentials
+                     should remain valid. Specify GSS_C_INDEFINITE
+                     to request that the credentials have the maximum
+                     permitted lifetime.
+
+   desired_mechs     Set of Object IDs, read, optional
+                     set of underlying security mechanisms that
+                     may be used.  GSS_C_NO_OID_SET may be used
+                     to obtain an implementation-specific default.
+
+   cred_usage        gss_cred_usage_t, read
+                     GSS_C_BOTH - Credentials may be used
+                        either to initiate or accept
+                        security contexts.
+                     GSS_C_INITIATE - Credentials will only be
+                        used to initiate security contexts.
+                     GSS_C_ACCEPT - Credentials will only be used to
+                        accept security contexts.
+
+   output_cred_handle  gss_cred_id_t, modify
+                       The returned credential handle.  Resources
+                       associated with this credential handle must
+                       be released by the application after use
+                       with a call to gss_release_cred().
+
+   actual_mechs      Set of Object IDs, modify, optional
+                     The set of mechanisms for which the
+                     credential is valid.  Storage associated
+                     with the returned OID-set must be released by
+                     the application after use with a call to
+                     gss_release_oid_set().  Specify NULL if not
+                     required.
+
+   time_rec          Integer, modify, optional
+                     Actual number of seconds for which the
+                     returned credentials will remain valid.  If the
+                     implementation does not support expiration of
+                     credentials, the value GSS_C_INDEFINITE will
+                     be returned. Specify NULL if not required
+
+
+
+
+
+Wray                        Standards Track                    [Page 34]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   Function value:  GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_MECH    Unavailable mechanism requested
+
+   GSS_S_BAD_NAMETYPE Type contained within desired_name parameter
+                      is not supported
+
+   GSS_S_BAD_NAME    Value supplied for desired_name parameter is ill
+                     formed.
+
+   GSS_S_CREDENTIALS_EXPIRED The credentials could not be acquired
+                             Because they have expired.
+
+   GSS_S_NO_CRED     No credentials were found for the specified name.
+
+5.3. gss_add_cred
+
+   OM_uint32 gss_add_cred (
+     OM_uint32           *minor_status,
+     const gss_cred_id_t input_cred_handle,
+     const gss_name_t    desired_name,
+     const gss_OID       desired_mech,
+     gss_cred_usage_t    cred_usage,
+     OM_uint32           initiator_time_req,
+     OM_uint32           acceptor_time_req,
+     gss_cred_id_t       *output_cred_handle,
+     gss_OID_set         *actual_mechs,
+     OM_uint32           *initiator_time_rec,
+     OM_uint32           *acceptor_time_rec)
+
+   Purpose:
+
+   Adds a credential-element to a credential.  The credential-element is
+   identified by the name of the principal to which it refers.  GSS-API
+   implementations must impose a local access-control policy on callers
+   of this routine to prevent unauthorized callers from acquiring
+   credential-elements to which they are not entitled. This routine is
+   not intended to provide a "login to the network" function, as such a
+   function would involve the creation of new mechanism-specific
+   authentication data, rather than merely acquiring a GSS-API handle to
+   existing data.  Such functions, if required, should be defined in
+   implementation-specific extensions to the API.
+
+
+
+
+Wray                        Standards Track                    [Page 35]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   If desired_name is GSS_C_NO_NAME, the call is interpreted as a
+   request to add a credential element that will invoke default behavior
+   when passed to gss_init_sec_context() (if cred_usage is
+   GSS_C_INITIATE or GSS_C_BOTH) or gss_accept_sec_context() (if
+   cred_usage is GSS_C_ACCEPT or GSS_C_BOTH).
+
+   This routine is expected to be used primarily by context acceptors,
+   since implementations are likely to provide mechanism-specific ways
+   of obtaining GSS-API initiator credentials from the system login
+   process.  Some implementations may therefore not support the
+   acquisition of GSS_C_INITIATE or GSS_C_BOTH credentials via
+   gss_acquire_cred for any name other than GSS_C_NO_NAME, or a name
+   produced by applying either gss_inquire_cred to a valid credential,
+   or gss_inquire_context to an active context.
+
+   If credential acquisition is time-consuming for a mechanism, the
+   mechanism may choose to delay the actual acquisition until the
+   credential is required (e.g. by gss_init_sec_context or
+   gss_accept_sec_context).  Such mechanism-specific implementation
+   decisions should be invisible to the calling application; thus a call
+   of gss_inquire_cred immediately following the call of gss_add_cred
+   must return valid credential data, and may therefore incur the
+   overhead of a deferred credential acquisition.
+
+   This routine can be used to either compose a new credential
+   containing all credential-elements of the original in addition to the
+   newly-acquire credential-element, or to add the new credential-
+   element to an existing credential. If NULL is specified for the
+   output_cred_handle parameter argument, the new credential-element
+   will be added to the credential identified by input_cred_handle; if a
+   valid pointer is specified for the output_cred_handle parameter, a
+   new credential handle will be created.
+
+   If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle,
+   gss_add_cred will compose a credential (and set the
+   output_cred_handle parameter accordingly) based on default behavior.
+   That is, the call will have the same effect as if the application had
+   first made a call to gss_acquire_cred(), specifying the same usage
+   and passing GSS_C_NO_NAME as the desired_name parameter to obtain an
+   explicit credential handle embodying default behavior, passed this
+   credential handle to gss_add_cred(), and finally called
+   gss_release_cred() on the first credential handle.
+
+   If GSS_C_NO_CREDENTIAL is specified as the input_cred_handle
+   parameter, a non-NULL output_cred_handle must be supplied.
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 36]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   input_cred_handle gss_cred_id_t, read, optional
+                     The credential to which a credential-element
+                     will be added.  If GSS_C_NO_CREDENTIAL is
+                     specified, the routine will compose the new
+                     credential based on default behavior (see
+                     description above).  Note that, while the
+                     credential-handle is not modified by
+                     gss_add_cred(), the underlying credential
+                     will be modified if output_credential_handle
+                     is NULL.
+
+   desired_name      gss_name_t, read.
+                     Name of principal whose credential
+                     should be acquired.
+
+   desired_mech      Object ID, read
+                     Underlying security mechanism with which the
+                     credential may be used.
+
+   cred_usage        gss_cred_usage_t, read
+                     GSS_C_BOTH - Credential may be used
+                     either to initiate or accept
+                     security contexts.
+                     GSS_C_INITIATE - Credential will only be
+                                      used to initiate security
+                                      contexts.
+                     GSS_C_ACCEPT - Credential will only be used to
+                                    accept security contexts.
+
+   initiator_time_req Integer, read, optional
+                      number of seconds that the credential
+                      should remain valid for initiating security
+                      contexts.  This argument is ignored if the
+                      composed credentials are of type GSS_C_ACCEPT.
+                      Specify GSS_C_INDEFINITE to request that the
+                      credentials have the maximum permitted
+                      initiator lifetime.
+
+   acceptor_time_req Integer, read, optional
+                     number of seconds that the credential
+                     should remain valid for accepting security
+                     contexts.  This argument is ignored if the
+                     composed credentials are of type GSS_C_INITIATE.
+
+
+
+Wray                        Standards Track                    [Page 37]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                     Specify GSS_C_INDEFINITE to request that the
+                     credentials have the maximum permitted initiator
+                     lifetime.
+
+   output_cred_handle gss_cred_id_t, modify, optional
+                      The returned credential handle, containing
+                      the new credential-element and all the
+                      credential-elements from input_cred_handle.
+                      If a valid pointer to a gss_cred_id_t is
+                      supplied for this parameter, gss_add_cred
+                      creates a new credential handle containing all
+                      credential-elements from the input_cred_handle
+                      and the newly acquired credential-element; if
+                      NULL is specified for this parameter, the newly
+                      acquired credential-element will be added
+                      to the credential identified by input_cred_handle.
+
+                      The resources associated with any credential
+                      handle returned via this parameter must be
+                      released by the application after use with a
+                      call to gss_release_cred().
+
+   actual_mechs      Set of Object IDs, modify, optional
+                     The complete set of mechanisms for which
+                     the new credential is valid.  Storage for
+                     the returned OID-set must be freed by the
+                     application after use with a call to
+                     gss_release_oid_set(). Specify NULL if
+                     not required.
+
+   initiator_time_rec Integer, modify, optional
+                      Actual number of seconds for which the
+                      returned credentials will remain valid for
+                      initiating contexts using the specified
+                      mechanism.  If the implementation or mechanism
+                      does not support expiration of credentials, the
+                      value GSS_C_INDEFINITE will be returned. Specify
+                      NULL if not required
+
+   acceptor_time_rec Integer, modify, optional
+                     Actual number of seconds for which the
+                     returned credentials will remain valid for
+                     accepting security contexts using the specified
+                     mechanism.  If the implementation or mechanism
+                     does not support expiration of credentials, the
+                     value GSS_C_INDEFINITE will be returned. Specify
+                     NULL if not required
+
+
+
+
+Wray                        Standards Track                    [Page 38]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_MECH    Unavailable mechanism requested
+
+   GSS_S_BAD_NAMETYPE Type contained within desired_name parameter
+                     is not supported
+
+   GSS_S_BAD_NAME    Value supplied for desired_name parameter is
+                     ill-formed.
+
+   GSS_S_DUPLICATE_ELEMENT The credential already contains an element
+                     for the requested mechanism with overlapping
+                     usage and validity period.
+
+   GSS_S_CREDENTIALS_EXPIRED The required credentials could not be
+                     added because they have expired.
+
+   GSS_S_NO_CRED     No credentials were found for the specified name.
+
+5.4. gss_add_oid_set_member
+
+   OM_uint32 gss_add_oid_set_member (
+     OM_uint32       *minor_status,
+     const gss_OID   member_oid,
+     gss_OID_set     *oid_set)
+
+   Purpose:
+
+   Add an Object Identifier to an Object Identifier set.  This routine
+   is intended for use in conjunction with gss_create_empty_oid_set when
+   constructing a set of mechanism OIDs for input to gss_acquire_cred.
+   The oid_set parameter must refer to an OID-set that was created by
+   GSS-API (e.g. a set returned by gss_create_empty_oid_set()). GSS-API
+   creates a copy of the member_oid and inserts this copy into the set,
+   expanding the storage allocated to the OID-set's elements array if
+   necessary.  The routine may add the new member OID anywhere within
+   the elements array, and implementations should verify that the new
+   member_oid is not already contained within the elements array; if the
+   member_oid is already present, the oid_set should remain unchanged.
+
+   Parameters:
+
+      minor_status      Integer, modify
+                        Mechanism specific status code
+
+
+
+
+
+Wray                        Standards Track                    [Page 39]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+      member_oid        Object ID, read
+                        The object identifier to copied into
+                        the set.
+
+      oid_set           Set of Object ID, modify
+                        The set in which the object identifier
+                        should be inserted.
+
+   Function value:   GSS status code
+
+      GSS_S_COMPLETE    Successful completion
+
+5.5. gss_canonicalize_name
+
+   OM_uint32 gss_canonicalize_name (
+     OM_uint32        *minor_status,
+     const gss_name_t input_name,
+     const gss_OID    mech_type,
+     gss_name_t       *output_name)
+
+   Purpose:
+
+   Generate a canonical mechanism name (MN) from an arbitrary internal
+   name.  The mechanism name is the name that would be returned to a
+   context acceptor on successful authentication of a context where the
+   initiator used the input_name in a successful call to
+   gss_acquire_cred, specifying an OID set containing <mech_type> as its
+   only member, followed by a call to gss_init_sec_context, specifying
+   <mech_type> as the authentication mechanism.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name        gss_name_t, read
+                     The name for which a canonical form is
+                     desired
+
+   mech_type         Object ID, read
+                     The authentication mechanism for which the
+                     canonical form of the name is desired.  The
+                     desired mechanism must be specified explicitly;
+                     no default is provided.
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 40]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   output_name       gss_name_t, modify
+                     The resultant canonical name.  Storage
+                     associated with this name must be freed by
+                     the application after use with a call to
+                     gss_release_name().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion.
+
+   GSS_S_BAD_MECH    The identified mechanism is not supported.
+
+   GSS_S_BAD_NAMETYPE The provided internal name contains no elements
+                     that could be processed by the specified
+                     mechanism.
+
+   GSS_S_BAD_NAME    The provided internal name was ill-formed.
+
+5.6. gss_compare_name
+
+   OM_uint32 gss_compare_name (
+     OM_uint32        *minor_status,
+     const gss_name_t name1,
+     const gss_name_t name2,
+     int              *name_equal)
+
+   Purpose:
+
+   Allows an application to compare two internal-form names to determine
+   whether they refer to the same entity.
+
+   If either name presented to gss_compare_name denotes an anonymous
+   principal, the routines should indicate that the two names do not
+   refer to the same identity.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   name1             gss_name_t, read
+                     internal-form name
+
+   name2             gss_name_t, read
+                     internal-form name
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 41]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   name_equal        boolean, modify
+                     non-zero - names refer to same entity
+                     zero - names refer to different entities
+                           (strictly, the names are not known
+                           to refer to the same identity).
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAMETYPE The two names were of incomparable types.
+
+   GSS_S_BAD_NAME    One or both of name1 or name2 was ill-formed.
+
+5.7. gss_context_time
+
+   OM_uint32 gss_context_time (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     OM_uint32          *time_rec)
+
+   Purpose:
+
+   Determines the number of seconds for which the specified context will
+   remain valid.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context to be interrogated.
+
+   time_rec          Integer, modify
+                     Number of seconds that the context will remain
+                     valid.  If the context has already expired,
+                     zero will be returned.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify
+                     a valid context
+
+
+
+
+Wray                        Standards Track                    [Page 42]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.8. gss_create_empty_oid_set
+
+   OM_uint32 gss_create_empty_oid_set (
+     OM_uint32    *minor_status,
+     gss_OID_set  *oid_set)
+
+   Purpose:
+
+   Create an object-identifier set containing no object identifiers, to
+   which members may be subsequently added using the
+   gss_add_oid_set_member() routine.  These routines are intended to be
+   used to construct sets of mechanism object identifiers, for input to
+   gss_acquire_cred.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   oid_set           Set of Object IDs, modify
+                     The empty object identifier set.
+                     The routine will allocate the
+                     gss_OID_set_desc object, which the
+                     application must free after use with
+                     a call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+5.9. gss_delete_sec_context
+
+   OM_uint32 gss_delete_sec_context (
+     OM_uint32    *minor_status,
+     gss_ctx_id_t *context_handle,
+     gss_buffer_t output_token)
+
+   Purpose:
+
+   Delete a security context.  gss_delete_sec_context will delete the
+   local data structures associated with the specified security context,
+   and may generate an output_token, which when passed to the peer
+   gss_process_context_token will instruct it to do likewise.  If no
+   token is required by the mechanism, the GSS-API should set the length
+   field of the output_token (if provided) to zero.  No further security
+   services may be obtained using the context specified by
+   context_handle.
+
+
+
+
+Wray                        Standards Track                    [Page 43]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   In addition to deleting established security contexts,
+   gss_delete_sec_context must also be able to delete "half-built"
+   security contexts resulting from an incomplete sequence of
+   gss_init_sec_context()/gss_accept_sec_context() calls.
+
+   The output_token parameter is retained for compatibility with version
+   1 of the GSS-API.  It is recommended that both peer applications
+   invoke gss_delete_sec_context passing the value GSS_C_NO_BUFFER for
+   the output_token parameter, indicating that no token is required, and
+   that gss_delete_sec_context should simply delete local context data
+   structures.  If the application does pass a valid buffer to
+   gss_delete_sec_context, mechanisms are encouraged to return a zero-
+   length token, indicating that no peer action is necessary, and that
+   no token should be transferred by the application.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle identifying context to delete.
+                     After deleting the context, the GSS-API will set
+                     this context handle to GSS_C_NO_CONTEXT.
+
+   output_token      buffer, opaque, modify, optional
+                     token to be sent to remote application to
+                     instruct it to also delete the context.  It
+                     is recommended that applications specify
+                     GSS_C_NO_BUFFER for this parameter, requesting
+                     local deletion only.  If a buffer parameter is
+                     provided by the application, the mechanism may
+                     return a token in it;  mechanisms that implement
+                     only local deletion should set the length field of
+                     this token to zero to indicate to the application
+                     that no token is to be sent to the peer.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  No valid context was supplied
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 44]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.10.gss_display_name
+
+   OM_uint32 gss_display_name (
+     OM_uint32        *minor_status,
+     const gss_name_t input_name,
+     gss_buffer_t     output_name_buffer,
+     gss_OID          *output_name_type)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of an opaque
+   internal-form  name for display purposes.  The syntax of a printable
+   name is defined by the GSS-API implementation.
+
+   If input_name denotes an anonymous principal, the implementation
+   should return the gss_OID value GSS_C_NT_ANONYMOUS as the
+   output_name_type, and a textual name that is syntactically distinct
+   from all valid supported printable names in output_name_buffer.
+
+   If input_name was created by a call to gss_import_name, specifying
+   GSS_C_NO_OID as the name-type, implementations that employ lazy
+   conversion between name types may return GSS_C_NO_OID via the
+   output_name_type parameter.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   input_name        gss_name_t, read
+                     name to be displayed
+
+   output_name_buffer  buffer, character-string, modify
+                     buffer to receive textual name string.
+                     The application must free storage associated
+                     with this name after use with a call to
+                     gss_release_buffer().
+
+   output_name_type  Object ID, modify, optional
+                     The type of the returned name.  The returned
+                     gss_OID will be a pointer into static storage,
+                     and should be treated as read-only by the caller
+                     (in particular, the application should not attempt
+                     to free it). Specify NULL if not required.
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 45]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    input_name was ill-formed
+
+5.11.gss_display_status
+
+   OM_uint32 gss_display_status (
+     OM_uint32      *minor_status,
+     OM_uint32      status_value,
+     int            status_type,
+     const gss_OID  mech_type,
+     OM_uint32      *message_context,
+     gss_buffer_t   status_string)
+
+   Purpose:
+
+   Allows an application to obtain a textual representation of a GSS-API
+   status code, for display to the user or for logging purposes.  Since
+   some status values may indicate multiple conditions, applications may
+   need to call gss_display_status multiple times, each call generating
+   a single text string.  The message_context parameter is used by
+   gss_display_status to store state information about which error
+   messages have already been extracted from a given status_value;
+   message_context must be initialized to 0 by the application prior to
+   the first call, and gss_display_status will return a non-zero value
+   in this parameter if there are further messages to extract.
+
+   The message_context parameter contains all state information required
+   by gss_display_status in order to extract further messages from the
+   status_value;  even when a non-zero value is returned in this
+   parameter, the application is not required to call gss_display_status
+   again unless subsequent messages are desired.  The following code
+   extracts all messages from a given status code and prints them to
+   stderr:
+
+   OM_uint32 message_context;
+   OM_uint32 status_code;
+   OM_uint32 maj_status;
+   OM_uint32 min_status;
+   gss_buffer_desc status_string;
+
+          ...
+
+   message_context = 0;
+
+   do {
+
+
+
+Wray                        Standards Track                    [Page 46]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+     maj_status = gss_display_status (
+                     &min_status,
+                     status_code,
+                     GSS_C_GSS_CODE,
+                     GSS_C_NO_OID,
+                     &message_context,
+                     &status_string)
+
+     fprintf(stderr,
+             "%.*s\n",
+            (int)status_string.length,
+
+            (char *)status_string.value);
+
+     gss_release_buffer(&min_status, &status_string);
+
+   } while (message_context != 0);
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   status_value      Integer, read
+                     Status value to be converted
+
+   status_type       Integer, read
+                     GSS_C_GSS_CODE - status_value is a GSS status
+                     code
+
+   GSS_C_MECH_CODE - status_value is a mechanism
+                     status code
+
+   mech_type         Object ID, read, optional
+                     Underlying mechanism (used to interpret a
+                     minor status value) Supply GSS_C_NO_OID to
+                     obtain the system default.
+
+   message_context   Integer, read/modify
+                     Should be initialized to zero by the
+                     application prior to the first call.
+                     On return from gss_display_status(),
+                     a non-zero status_value parameter indicates
+                     that additional messages may be extracted
+                     from the status code via subsequent calls
+
+
+
+
+
+Wray                        Standards Track                    [Page 47]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                     to gss_display_status(), passing the same
+                     status_value, status_type, mech_type, and
+                     message_context parameters.
+
+   status_string     buffer, character string, modify
+                     textual interpretation of the status_value.
+                     Storage associated with this parameter must
+                     be freed by the application after use with
+                     a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_MECH    Indicates that translation in accordance with
+                     an unsupported mechanism type was requested
+
+   GSS_S_BAD_STATUS  The status value was not recognized, or the
+                     status type was neither GSS_C_GSS_CODE nor
+                     GSS_C_MECH_CODE.
+
+5.12. gss_duplicate_name
+
+   OM_uint32 gss_duplicate_name (
+     OM_uint32        *minor_status,
+     const gss_name_t src_name,
+     gss_name_t       *dest_name)
+
+   Purpose:
+
+   Create an exact duplicate of the existing internal name src_name.
+   The new dest_name will be independent of src_name (i.e. src_name and
+   dest_name must both be released, and the release of one shall not
+   affect the validity of the other).
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   src_name          gss_name_t, read
+                     internal name to be duplicated.
+
+   dest_name         gss_name_t, modify
+                     The resultant copy of <src_name>.
+                     Storage associated with this name must
+                     be freed by the application after use
+                     with a call to gss_release_name().
+
+
+
+Wray                        Standards Track                    [Page 48]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The src_name parameter was ill-formed.
+
+5.13. gss_export_name
+
+   OM_uint32 gss_export_name (
+     OM_uint32        *minor_status,
+     const gss_name_t input_name,
+     gss_buffer_t     exported_name)
+
+   Purpose:
+
+   To produce a canonical contiguous string representation of a
+   mechanism name (MN), suitable for direct comparison (e.g. with
+   memcmp) for use in authorization functions (e.g. matching entries in
+   an access-control list).  The <input_name> parameter must specify a
+   valid MN (i.e. an internal name generated by gss_accept_sec_context
+   or by gss_canonicalize_name).
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name        gss_name_t, read
+                     The MN to be exported
+
+   exported_name     gss_buffer_t, octet-string, modify
+                     The canonical contiguous string form of
+                     <input_name>.  Storage associated with
+                     this string must freed by the application
+                     after use with gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NAME_NOT_MN The provided internal name was not a mechanism
+                     name.
+
+   GSS_S_BAD_NAME    The provided internal name was ill-formed.
+
+   GSS_S_BAD_NAMETYPE The internal name was of a type not supported
+                     by the GSS-API implementation.
+
+
+
+
+Wray                        Standards Track                    [Page 49]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.14. gss_export_sec_context
+
+   OM_uint32 gss_export_sec_context (
+     OM_uint32    *minor_status,
+     gss_ctx_id_t *context_handle,
+     gss_buffer_t interprocess_token)
+
+   Purpose:
+
+   Provided to support the sharing of work between multiple processes.
+   This routine will typically be used by the context-acceptor, in an
+   application where a single process receives incoming connection
+   requests and accepts security contexts over them, then passes the
+   established context to one or more other processes for message
+   exchange. gss_export_sec_context() deactivates the security context
+   for the calling process and creates an interprocess token which, when
+   passed to gss_import_sec_context in another process, will re-activate
+   the context in the second process. Only a single instantiation of a
+   given context may be active at any one time; a subsequent attempt by
+   a context exporter to access the exported security context will fail.
+
+   The implementation may constrain the set of processes by which the
+   interprocess token may be imported, either as a function of local
+   security policy, or as a result of implementation decisions.  For
+   example, some implementations may constrain contexts to be passed
+   only between processes that run under the same account, or which are
+   part of the same process group.
+
+   The interprocess token may contain security-sensitive information
+   (for example cryptographic keys).  While mechanisms are encouraged to
+   either avoid placing such sensitive information within interprocess
+   tokens, or to encrypt the token before returning it to the
+   application, in a typical object-library GSS-API implementation this
+   may not be possible. Thus the application must take care to protect
+   the interprocess token, and ensure that any process to which the
+   token is transferred is trustworthy.
+
+   If creation of the interprocess token is successful, the
+   implementation shall deallocate all process-wide resources associated
+   with the security context, and set the context_handle to
+   GSS_C_NO_CONTEXT.  In the event of an error that makes it impossible
+   to complete the export of the security context, the implementation
+   must not return an interprocess token, and should strive to leave the
+   security context referenced by the context_handle parameter
+   untouched.  If this is impossible, it is permissible for the
+   implementation to delete the security context, providing it also sets
+   the context_handle parameter to GSS_C_NO_CONTEXT.
+
+
+
+
+Wray                        Standards Track                    [Page 50]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle identifying the context to
+                     transfer.
+
+   interprocess_token   buffer, opaque, modify
+                        token to be transferred to target process.
+                        Storage associated with this token must be
+                        freed by the application after use with a
+                        call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has expired
+
+   GSS_S_NO_CONTEXT  The context was invalid
+
+   GSS_S_UNAVAILABLE The operation is not supported.
+
+5.15. gss_get_mic
+
+   OM_uint32 gss_get_mic (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     gss_qop_t             qop_req,
+     const gss_buffer_t message_buffer,
+     gss_buffer_t       msg_token)
+
+   Purpose:
+
+   Generates a cryptographic MIC for the supplied message, and places
+   the MIC in a token for transfer to the peer application. The qop_req
+   parameter allows a choice between several cryptographic algorithms,
+   if supported by the chosen mechanism.
+
+   Since some application-level protocols may wish to use tokens emitted
+   by gss_wrap() to provide "secure framing", implementations must
+   support derivation of MICs from zero-length messages.
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 51]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     identifies the context on which the message
+                     will be sent
+
+   qop_req           gss_qop_t, read, optional
+                     Specifies requested quality of protection.
+                     Callers are encouraged, on portability grounds,
+                     to accept the default quality of protection
+                     offered by the chosen mechanism, which may be
+                     requested by specifying GSS_C_QOP_DEFAULT for
+                     this parameter.  If an unsupported protection
+                     strength is requested, gss_get_mic will return a
+                     major_status of GSS_S_BAD_QOP.
+
+   message_buffer    buffer, opaque, read
+                     message to be protected
+
+   msg_token         buffer, opaque, modify
+                     buffer to receive token.  The application must
+                     free storage associated with this buffer after
+                     use with a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify
+                     a valid context
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the
+                     mechanism.
+
+5.16. gss_import_name
+
+   OM_uint32 gss_import_name (
+     OM_uint32          *minor_status,
+     const gss_buffer_t input_name_buffer,
+     const gss_OID      input_name_type,
+     gss_name_t         *output_name)
+
+
+
+
+
+Wray                        Standards Track                    [Page 52]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Purpose:
+
+   Convert a contiguous string name to internal form.  In general, the
+   internal name returned (via the <output_name> parameter) will not be
+   an MN; the exception to this is if the <input_name_type> indicates
+   that the contiguous string provided via the <input_name_buffer>
+   parameter is of type GSS_C_NT_EXPORT_NAME, in which case the returned
+   internal name will be an MN for the mechanism that exported the name.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   input_name_buffer  buffer, octet-string, read
+                     buffer containing contiguous string name to convert
+
+   input_name_type   Object ID, read, optional
+                     Object ID specifying type of printable
+                     name.  Applications may specify either
+                     GSS_C_NO_OID to use a mechanism-specific
+                     default printable syntax, or an OID recognized
+                     by the GSS-API implementation to name a
+                     specific namespace.
+
+   output_name       gss_name_t, modify
+                     returned name in internal form.  Storage
+                     associated with this name must be freed
+                     by the application after use with a call
+                     to gss_release_name().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAMETYPE The input_name_type was unrecognized
+
+   GSS_S_BAD_NAME    The input_name parameter could not be interpreted
+                     as a name of the specified type
+
+   GSS_S_BAD_MECH    The input name-type was GSS_C_NT_EXPORT_NAME,
+                     but the mechanism contained within the
+                     input-name is not supported
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 53]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.17. gss_import_sec_context
+
+   OM_uint32 gss_import_sec_context (
+     OM_uint32          *minor_status,
+     const gss_buffer_t interprocess_token,
+     gss_ctx_id_t       *context_handle)
+
+   Purpose:
+
+   Allows a process to import a security context established by another
+   process.  A given interprocess token may be imported only once.  See
+   gss_export_sec_context.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   interprocess_token  buffer, opaque, modify
+                       token received from exporting process
+
+   context_handle    gss_ctx_id_t, modify
+                     context handle of newly reactivated context.
+                     Resources associated with this context handle
+                     must be released by the application after use
+                     with a call to gss_delete_sec_context().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion.
+
+   GSS_S_NO_CONTEXT  The token did not contain a valid context
+   reference.
+
+   GSS_S_DEFECTIVE_TOKEN The token was invalid.
+
+   GSS_S_UNAVAILABLE The operation is unavailable.
+
+   GSS_S_UNAUTHORIZED Local policy prevents the import of this context
+                      by the current process.
+
+5.18. gss_indicate_mechs
+
+   OM_uint32 gss_indicate_mechs (
+     OM_uint32   *minor_status,
+     gss_OID_set *mech_set)
+
+
+
+
+
+Wray                        Standards Track                    [Page 54]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Purpose:
+
+   Allows an application to determine which underlying security
+   mechanisms are available.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   mech_set          set of Object IDs, modify
+                     set of implementation-supported mechanisms.
+                     The returned gss_OID_set value will be a
+                     dynamically-allocated OID set, that should
+                     be released by the caller after use with a
+                     call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+5.19. gss_init_sec_context
+
+   OM_uint32 gss_init_sec_context (
+     OM_uint32                    *minor_status,
+     const gss_cred_id_t          initiator_cred_handle,
+     gss_ctx_id_t                 *context_handle,\
+     const gss_name_t             target_name,
+     const gss_OID                mech_type,
+     OM_uint32                    req_flags,
+     OM_uint32                    time_req,
+     const gss_channel_bindings_t input_chan_bindings,
+     const gss_buffer_t           input_token
+     gss_OID                      *actual_mech_type,
+     gss_buffer_t                 output_token,
+     OM_uint32                    *ret_flags,
+     OM_uint32                    *time_rec )
+
+   Purpose:
+
+   Initiates the establishment of a security context between the
+   application and a remote peer.  Initially, the input_token parameter
+   should be specified either as GSS_C_NO_BUFFER, or as a pointer to a
+   gss_buffer_desc object whose length field contains the value zero.
+   The routine may return a output_token which should be transferred to
+   the peer application, where the peer application will present it to
+   gss_accept_sec_context.  If no token need be sent,
+   gss_init_sec_context will indicate this by setting the length field
+
+
+
+Wray                        Standards Track                    [Page 55]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   of the output_token argument to zero. To complete the context
+   establishment, one or more reply tokens may be required from the peer
+   application; if so, gss_init_sec_context will return a status
+   containing the supplementary information bit GSS_S_CONTINUE_NEEDED.
+   In this case, gss_init_sec_context should be called again when the
+   reply token is received from the peer application, passing the reply
+   token to gss_init_sec_context via the input_token parameters.
+
+   Portable applications should be constructed to use the token length
+   and return status to determine whether a token needs to be sent or
+   waited for.  Thus a typical portable caller should always invoke
+   gss_init_sec_context within a loop:
+
+   int context_established = 0;
+   gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT;
+          ...
+   input_token->length = 0;
+
+   while (!context_established) {
+     maj_stat = gss_init_sec_context(&min_stat,
+                                     cred_hdl,
+                                     &context_hdl,
+                                     target_name,
+                                     desired_mech,
+                                     desired_services,
+                                     desired_time,
+                                     input_bindings,
+                                     input_token,
+                                     &actual_mech,
+                                     output_token,
+                                     &actual_services,
+                                     &actual_time);
+     if (GSS_ERROR(maj_stat)) {
+       report_error(maj_stat, min_stat);
+     };
+
+     if (output_token->length != 0) {
+       send_token_to_peer(output_token);
+       gss_release_buffer(&min_stat, output_token)
+     };
+     if (GSS_ERROR(maj_stat)) {
+
+       if (context_hdl != GSS_C_NO_CONTEXT)
+         gss_delete_sec_context(&min_stat,
+                                &context_hdl,
+                                GSS_C_NO_BUFFER);
+       break;
+     };
+
+
+
+Wray                        Standards Track                    [Page 56]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+     if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+       receive_token_from_peer(input_token);
+     } else {
+       context_established = 1;
+     };
+   };
+
+   Whenever the routine returns a major status that includes the value
+   GSS_S_CONTINUE_NEEDED, the context is not fully established and the
+   following restrictions apply to the output parameters:
+
+      The value returned via the time_rec parameter is undefined Unless
+      the accompanying ret_flags parameter contains the bit
+      GSS_C_PROT_READY_FLAG, indicating that per-message services may be
+      applied in advance of a successful completion status, the value
+      returned via the actual_mech_type parameter is undefined until the
+      routine returns a major status value of GSS_S_COMPLETE.
+
+      The values of the GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG,
+      GSS_C_REPLAY_FLAG, GSS_C_SEQUENCE_FLAG, GSS_C_CONF_FLAG,
+      GSS_C_INTEG_FLAG and GSS_C_ANON_FLAG bits returned via the
+      ret_flags parameter should contain the values that the
+      implementation expects would be valid if context establishment
+      were to succeed.  In particular, if the application has requested
+      a service such as delegation or anonymous authentication via the
+      req_flags argument, and such a service is unavailable from the
+      underlying mechanism, gss_init_sec_context should generate a token
+      that will not provide the service, and indicate via the ret_flags
+      argument that the service will not be supported.  The application
+      may choose to abort the context establishment by calling
+      gss_delete_sec_context (if it cannot continue in the absence of
+      the service), or it may choose to transmit the token and continue
+      context establishment (if the service was merely desired but not
+      mandatory).
+
+      The values of the GSS_C_PROT_READY_FLAG and GSS_C_TRANS_FLAG bits
+      within ret_flags should indicate the actual state at the time
+      gss_init_sec_context returns, whether or not the context is fully
+      established.
+
+      GSS-API implementations that support per-message protection are
+      encouraged to set the GSS_C_PROT_READY_FLAG in the final ret_flags
+      returned to a caller (i.e. when accompanied by a GSS_S_COMPLETE
+      status code).  However, applications should not rely on this
+      behavior as the flag was not defined in Version 1 of the GSS-API.
+      Instead, applications should determine what per-message services
+      are available after a successful context establishment according
+      to the GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG values.
+
+
+
+Wray                        Standards Track                    [Page 57]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+      All other bits within the ret_flags argument should be set to
+      zero.
+
+   If the initial call of gss_init_sec_context() fails, the
+   implementation should not create a context object, and should leave
+   the value of the context_handle parameter set to GSS_C_NO_CONTEXT to
+   indicate this.  In the event of a failure on a subsequent call, the
+   implementation is permitted to delete the "half-built" security
+   context (in which case it should set the context_handle parameter to
+   GSS_C_NO_CONTEXT), but the preferred behavior is to leave the
+   security context untouched for the application to delete (using
+   gss_delete_sec_context).
+
+   During context establishment, the informational status bits
+   GSS_S_OLD_TOKEN and GSS_S_DUPLICATE_TOKEN indicate fatal errors, and
+   GSS-API mechanisms should always return them in association with a
+   routine error of GSS_S_FAILURE.  This requirement for pairing did not
+   exist in version 1 of the GSS-API specification, so applications that
+   wish to run over version 1 implementations must special-case these
+   codes.
+
+   Parameters:
+
+   minor_status      Integer,  modify
+                     Mechanism specific status code.
+
+   initiator_cred_handle  gss_cred_id_t, read, optional
+                          handle for credentials claimed.  Supply
+                          GSS_C_NO_CREDENTIAL to act as a default
+                          initiator principal.  If no default
+                          initiator is defined, the function will
+                          return GSS_S_NO_CRED.
+
+   context_handle    gss_ctx_id_t, read/modify
+                     context handle for new context.  Supply
+                     GSS_C_NO_CONTEXT for first call; use value
+                     returned by first call in continuation calls.
+                     Resources associated with this context-handle
+                     must be released by the application after use
+                     with a call to gss_delete_sec_context().
+
+   target_name       gss_name_t, read
+                     Name of target
+
+   mech_type         OID, read, optional
+                     Object ID of desired mechanism. Supply
+                     GSS_C_NO_OID to obtain an implementation
+                     specific default
+
+
+
+Wray                        Standards Track                    [Page 58]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   req_flags         bit-mask, read
+                     Contains various independent flags, each of
+                     which requests that the context support a
+                     specific service option.  Symbolic
+                     names are provided for each flag, and the
+                     symbolic names corresponding to the required
+                     flags should be logically-ORed
+                     together to form the bit-mask value.  The
+                     flags are:
+
+                     GSS_C_DELEG_FLAG
+                       True - Delegate credentials to remote peer
+                       False - Don't delegate
+
+                     GSS_C_MUTUAL_FLAG
+                       True - Request that remote peer
+                              authenticate itself
+                       False - Authenticate self to remote peer
+                               only
+
+                     GSS_C_REPLAY_FLAG
+                       True - Enable replay detection for
+                              messages protected with gss_wrap
+                              or gss_get_mic
+                       False - Don't attempt to detect
+                               replayed messages
+
+                     GSS_C_SEQUENCE_FLAG
+                       True - Enable detection of out-of-sequence
+                              protected messages
+                       False - Don't attempt to detect
+                               out-of-sequence messages
+
+                     GSS_C_CONF_FLAG
+                       True - Request that confidentiality service
+                              be made available (via gss_wrap)
+                       False - No per-message confidentiality service
+                               is required.
+
+                     GSS_C_INTEG_FLAG
+                       True - Request that integrity service be
+                              made available (via gss_wrap or
+                              gss_get_mic)
+                       False - No per-message integrity service
+                               is required.
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 59]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                     GSS_C_ANON_FLAG
+                       True - Do not reveal the initiator's
+                              identity to the acceptor.
+                       False - Authenticate normally.
+
+   time_req          Integer, read, optional
+                     Desired number of seconds for which context
+                     should remain valid.  Supply 0 to request a
+                     default validity period.
+
+   input_chan_bindings  channel bindings, read, optional
+                        Application-specified bindings.  Allows
+                        application to securely bind channel
+                        identification information to the security
+                        context.  Specify GSS_C_NO_CHANNEL_BINDINGS
+                        if channel bindings are not used.
+
+   input_token       buffer, opaque, read, optional (see text)
+                     Token received from peer application.
+                     Supply GSS_C_NO_BUFFER, or a pointer to
+                     a buffer containing the value GSS_C_EMPTY_BUFFER
+                     on initial call.
+
+   actual_mech_type  OID, modify, optional
+                     Actual mechanism used.  The OID returned via
+                     this parameter will be a pointer to static
+                     storage that should be treated as read-only;
+                     In particular the application should not attempt
+                     to free it.  Specify NULL if not required.
+
+   output_token      buffer, opaque, modify
+                     token to be sent to peer application.  If
+                     the length field of the returned buffer is
+                     zero, no token need be sent to the peer
+                     application.  Storage associated with this
+                     buffer must be freed by the application
+                     after use with a call to gss_release_buffer().
+
+   ret_flags         bit-mask, modify, optional
+                     Contains various independent flags, each of which
+                     indicates that the context supports a specific
+                     service option.  Specify NULL if not
+                     required.  Symbolic names are provided
+                     for each flag, and the symbolic names
+                     corresponding to the required flags should be
+                     logically-ANDed with the ret_flags value to test
+                     whether a given option is supported by the
+                     context.  The flags are:
+
+
+
+Wray                        Standards Track                    [Page 60]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                     GSS_C_DELEG_FLAG
+                       True - Credentials were delegated to
+                              the remote peer
+                       False - No credentials were delegated
+
+                     GSS_C_MUTUAL_FLAG
+                       True - The remote peer has authenticated
+                              itself.
+                       False - Remote peer has not authenticated
+                               itself.
+
+                     GSS_C_REPLAY_FLAG
+                       True - replay of protected messages
+                              will be detected
+                       False - replayed messages will not be
+                               detected
+
+                     GSS_C_SEQUENCE_FLAG
+                       True - out-of-sequence protected
+                              messages will be detected
+                       False - out-of-sequence messages will
+                               not be detected
+
+                     GSS_C_CONF_FLAG
+                       True - Confidentiality service may be
+                              invoked by calling gss_wrap routine
+                       False - No confidentiality service (via
+                               gss_wrap) available. gss_wrap will
+                               provide message encapsulation,
+                               data-origin authentication and
+                               integrity services only.
+
+                     GSS_C_INTEG_FLAG
+                       True - Integrity service may be invoked by
+                              calling either gss_get_mic or gss_wrap
+                              routines.
+                       False - Per-message integrity service
+                               unavailable.
+
+                     GSS_C_ANON_FLAG
+                       True - The initiator's identity has not been
+                              revealed, and will not be revealed if
+                              any emitted token is passed to the
+                              acceptor.
+                       False - The initiator's identity has been or
+                               will be authenticated normally.
+
+                     GSS_C_PROT_READY_FLAG
+
+
+
+Wray                        Standards Track                    [Page 61]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                       True - Protection services (as specified
+                              by the states of the GSS_C_CONF_FLAG
+                              and GSS_C_INTEG_FLAG) are available for
+                              use if the accompanying major status
+                              return value is either GSS_S_COMPLETE or
+                              GSS_S_CONTINUE_NEEDED.
+                       False - Protection services (as specified
+                               by the states of the GSS_C_CONF_FLAG
+                               and GSS_C_INTEG_FLAG) are available
+                               only if the accompanying major status
+                               return value is GSS_S_COMPLETE.
+
+                     GSS_C_TRANS_FLAG
+                       True - The resultant security context may
+                              be transferred to other processes via
+                              a call to gss_export_sec_context().
+                       False - The security context is not
+                               transferable.
+
+                     All other bits should be set to zero.
+
+   time_rec          Integer, modify, optional
+                     number of seconds for which the context
+                     will remain valid. If the implementation does
+                     not support context expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTINUE_NEEDED Indicates that a token from the peer
+                         application is required to complete the
+                         context, and that gss_init_sec_context
+                         must be called again with that token.
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed
+                         on the input_token failed
+
+   GSS_S_DEFECTIVE_CREDENTIAL Indicates that consistency checks
+                              performed on the credential failed.
+
+   GSS_S_NO_CRED     The supplied credentials were not valid for
+                     context initiation, or the credential handle
+                     did not reference any credentials.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired
+
+
+
+Wray                        Standards Track                    [Page 62]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_S_BAD_BINDINGS The input_token contains different channel
+                      bindings to those specified via the
+                      input_chan_bindings parameter
+
+   GSS_S_BAD_SIG     The input_token contains an invalid MIC, or a MIC
+                     that could not be verified
+
+   GSS_S_OLD_TOKEN   The input_token was too old.  This is a fatal
+                     error during context establishment
+
+   GSS_S_DUPLICATE_TOKEN The input_token is valid, but is a duplicate
+                         of a token already processed.  This is a
+                         fatal error during context establishment.
+
+   GSS_S_NO_CONTEXT  Indicates that the supplied context handle did
+                     not refer to a valid context
+
+   GSS_S_BAD_NAMETYPE The provided target_name parameter contained an
+                      invalid or unsupported type of name
+
+   GSS_S_BAD_NAME    The provided target_name parameter was ill-formed.
+
+   GSS_S_BAD_MECH    The specified mechanism is not supported by the
+                     provided credential, or is unrecognized by the
+                     implementation.
+
+5.20. gss_inquire_context
+
+   OM_uint32 gss_inquire_context (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     gss_name_t         *src_name,
+     gss_name_t         *targ_name,
+     OM_uint32          *lifetime_rec,
+     gss_OID            *mech_type,
+     OM_uint32          *ctx_flags,
+     int                *locally_initiated,
+     int                *open )
+
+   Purpose:
+
+   Obtains information about a security context.  The caller must
+   already have obtained a handle that refers to the context, although
+   the context need not be fully established.
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 63]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   context_handle    gss_ctx_id_t, read
+                     A handle that refers to the security context.
+
+   src_name          gss_name_t, modify, optional
+                     The name of the context initiator.
+                     If the context was established using anonymous
+                     authentication, and if the application invoking
+                     gss_inquire_context is the context acceptor,
+                     an anonymous name will be returned.  Storage
+                     associated with this name must be freed by the
+                     application after use with a call to
+                     gss_release_name().  Specify NULL if not
+                     required.
+
+   targ_name         gss_name_t, modify, optional
+                     The name of the context acceptor.
+                     Storage associated with this name must be
+                     freed by the application after use with a call
+                     to gss_release_name().  If the context acceptor
+                     did not authenticate itself, and if the initiator
+                     did not specify a target name in its call to
+                     gss_init_sec_context(), the value GSS_C_NO_NAME
+                     will be returned.  Specify NULL if not required.
+
+   lifetime_rec      Integer, modify, optional
+                     The number of seconds for which the context
+                     will remain valid.  If the context has
+                     expired, this parameter will be set to zero.
+                     If the implementation does not support
+                     context expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   mech_type         gss_OID, modify, optional
+                     The security mechanism providing the
+                     context.  The returned OID will be a
+                     pointer to static storage that should
+                     be treated as read-only by the application;
+                     in particular the application should not
+                     attempt to free it.  Specify NULL if not
+                     required.
+
+
+
+
+
+Wray                        Standards Track                    [Page 64]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   ctx_flags         bit-mask, modify, optional
+                     Contains various independent flags, each of
+                     which indicates that the context supports
+                     (or is expected to support, if ctx_open is
+                     false) a specific service option.  If not
+                     needed, specify NULL.  Symbolic names are
+                     provided for each flag, and the symbolic names
+                     corresponding to the required flags
+                     should be logically-ANDed with the ret_flags
+                     value to test whether a given option is
+                     supported by the context.  The flags are:
+
+                     GSS_C_DELEG_FLAG
+                       True - Credentials were delegated from
+                              the initiator to the acceptor.
+                       False - No credentials were delegated
+
+                     GSS_C_MUTUAL_FLAG
+                       True - The acceptor was authenticated
+                              to the initiator
+                       False - The acceptor did not authenticate
+                               itself.
+
+                     GSS_C_REPLAY_FLAG
+                       True - replay of protected messages
+                              will be detected
+                       False - replayed messages will not be
+                               detected
+
+                     GSS_C_SEQUENCE_FLAG
+                       True - out-of-sequence protected
+                              messages will be detected
+                       False - out-of-sequence messages will not
+                               be detected
+
+                     GSS_C_CONF_FLAG
+                       True - Confidentiality service may be invoked
+                              by calling gss_wrap routine
+                       False - No confidentiality service (via
+                               gss_wrap) available. gss_wrap will
+                               provide message encapsulation,
+                               data-origin authentication and
+                               integrity services only.
+
+                     GSS_C_INTEG_FLAG
+                       True - Integrity service may be invoked by
+                              calling either gss_get_mic or gss_wrap
+                              routines.
+
+
+
+Wray                        Standards Track                    [Page 65]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                       False - Per-message integrity service
+                               unavailable.
+
+                     GSS_C_ANON_FLAG
+                       True - The initiator's identity will not
+                              be revealed to the acceptor.
+                              The src_name parameter (if
+                              requested) contains an anonymous
+                              internal name.
+                       False - The initiator has been
+                               authenticated normally.
+
+                     GSS_C_PROT_READY_FLAG
+                       True - Protection services (as specified
+                              by the states of the GSS_C_CONF_FLAG
+                              and GSS_C_INTEG_FLAG) are available
+                              for use.
+                       False - Protection services (as specified
+                               by the states of the GSS_C_CONF_FLAG
+                               and GSS_C_INTEG_FLAG) are available
+                               only if the context is fully
+                               established (i.e. if the open parameter
+                               is non-zero).
+
+                     GSS_C_TRANS_FLAG
+                       True - The resultant security context may
+                              be transferred to other processes via
+                              a call to gss_export_sec_context().
+                       False - The security context is not
+                               transferable.
+
+   locally_initiated Boolean, modify
+                     Non-zero if the invoking application is the
+                     context initiator.
+                     Specify NULL if not required.
+
+   open              Boolean, modify
+                     Non-zero if the context is fully established;
+                     Zero if a context-establishment token
+                     is expected from the peer application.
+                     Specify NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  The referenced context could not be accessed.
+
+
+
+
+Wray                        Standards Track                    [Page 66]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.21. gss_inquire_cred
+
+   OM_uint32 gss_inquire_cred (
+     OM_uint32           *minor_status,
+     const gss_cred_id_t cred_handle,
+     gss_name_t          *name,
+     OM_uint32           *lifetime,
+     gss_cred_usage_t    *cred_usage,
+     gss_OID_set         *mechanisms )
+
+   Purpose:
+
+   Obtains information about a credential.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   cred_handle       gss_cred_id_t, read
+                     A handle that refers to the target credential.
+                     Specify GSS_C_NO_CREDENTIAL to inquire about
+                     the default initiator principal.
+
+   name              gss_name_t, modify, optional
+                     The name whose identity the credential asserts.
+                     Storage associated with this name should be freed
+                     by the application after use with a call to
+                     gss_release_name().  Specify NULL if not required.
+
+   lifetime          Integer, modify, optional
+                     The number of seconds for which the credential
+                     will remain valid.  If the credential has
+                     expired, this parameter will be set to zero.
+                     If the implementation does not support
+                     credential expiration, the value
+                     GSS_C_INDEFINITE will be returned.  Specify
+                     NULL if not required.
+
+   cred_usage        gss_cred_usage_t, modify, optional
+                     How the credential may be used.  One of the
+                     following:
+                     GSS_C_INITIATE
+                     GSS_C_ACCEPT
+                     GSS_C_BOTH
+                     Specify NULL if not required.
+
+
+
+
+
+Wray                        Standards Track                    [Page 67]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   mechanisms        gss_OID_set, modify, optional
+                     Set of mechanisms supported by the credential.
+                     Storage associated with this OID set must be
+                     freed by the application after use with a call
+                     to gss_release_oid_set().  Specify NULL if not
+                     required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     The referenced credentials could not be accessed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid.
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
+                     If the lifetime parameter was not passed as NULL,
+                     it will be set to 0.
+
+5.22. gss_inquire_cred_by_mech
+
+   OM_uint32 gss_inquire_cred_by_mech (
+     OM_uint32           *minor_status,
+     const gss_cred_id_t cred_handle,
+     const gss_OID       mech_type,
+     gss_name_t          *name,
+     OM_uint32           *initiator_lifetime,
+     OM_uint32           *acceptor_lifetime,
+     gss_cred_usage_t    *cred_usage )
+
+   Purpose:
+
+   Obtains per-mechanism information about a credential.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   cred_handle       gss_cred_id_t, read
+                     A handle that refers to the target credential.
+                     Specify GSS_C_NO_CREDENTIAL to inquire about
+                     the default initiator principal.
+
+   mech_type         gss_OID, read
+                     The mechanism for which information should be
+                     returned.
+
+
+
+
+Wray                        Standards Track                    [Page 68]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   name              gss_name_t, modify, optional
+                     The name whose identity the credential asserts.
+                     Storage associated with this name must be
+                     freed by the application after use with a call
+                     to gss_release_name().  Specify NULL if not
+                     required.
+
+   initiator_lifetime  Integer, modify, optional
+                     The number of seconds for which the credential
+                     will remain capable of initiating security contexts
+                     under the specified mechanism.  If the credential
+                     can no longer be used to initiate contexts, or if
+                     the credential usage for this mechanism is
+                     GSS_C_ACCEPT, this parameter will be set to zero.
+                     If the implementation does not support expiration
+                     of initiator credentials, the value
+                     GSS_C_INDEFINITE will be returned.  Specify NULL
+                     if not required.
+
+   acceptor_lifetime Integer, modify, optional
+                     The number of seconds for which the credential
+                     will remain capable of accepting security contexts
+                     under the specified mechanism.  If the credential
+                     can no longer be used to accept contexts, or if
+                     the credential usage for this mechanism is
+                     GSS_C_INITIATE, this parameter will be set to zero.
+
+                     If the implementation does not support expiration
+                     of acceptor credentials, the value GSS_C_INDEFINITE
+                     will be returned.  Specify NULL if not required.
+
+   cred_usage        gss_cred_usage_t, modify, optional
+                     How the credential may be used with the specified
+                     mechanism.  One of the following:
+                       GSS_C_INITIATE
+                       GSS_C_ACCEPT
+                       GSS_C_BOTH
+                     Specify NULL if not required.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     The referenced credentials could not be accessed.
+
+   GSS_S_DEFECTIVE_CREDENTIAL The referenced credentials were invalid.
+
+
+
+
+
+Wray                        Standards Track                    [Page 69]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_S_CREDENTIALS_EXPIRED The referenced credentials have expired.
+                    If the lifetime parameter was not passed as NULL,
+                    it will be set to 0.
+
+5.23. gss_inquire_mechs_for_name
+
+   OM_uint32 gss_inquire_mechs_for_name (
+     OM_uint32        *minor_status,
+     const gss_name_t input_name,
+     gss_OID_set      *mech_types )
+
+   Purpose:
+
+   Returns the set of mechanisms supported by the GSS-API implementation
+   that may be able to process the specified name.
+
+   Each mechanism returned will recognize at least one element within
+   the name.  It is permissible for this routine to be implemented
+   within a mechanism-independent GSS-API layer, using the type
+   information contained within the presented name, and based on
+   registration information provided by individual mechanism
+   implementations.  This means that the returned mech_types set may
+   indicate that a particular mechanism will understand the name when in
+   fact it would refuse to accept the name as input to
+   gss_canonicalize_name, gss_init_sec_context, gss_acquire_cred or
+   gss_add_cred (due to some property of the specific name, as opposed
+   to the name type).  Thus this routine should be used only as a pre-
+   filter for a call to a subsequent mechanism-specific routine.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   input_name        gss_name_t, read
+                     The name to which the inquiry relates.
+
+   mech_types        gss_OID_set, modify
+                     Set of mechanisms that may support the
+                     specified name.  The returned OID set
+                     must be freed by the caller after use
+                     with a call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The input_name parameter was ill-formed.
+
+
+
+Wray                        Standards Track                    [Page 70]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_S_BAD_NAMETYPE The input_name parameter contained an invalid or
+                      unsupported type of name
+
+5.24. gss_inquire_names_for_mech
+
+   OM_uint32 gss_inquire_names_for_mech (
+     OM_uint32     *minor_status,
+     const gss_OID mechanism,
+     gss_OID_set   *name_types)
+
+   Purpose:
+
+   Returns the set of nametypes supported by the specified mechanism.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   mechanism         gss_OID, read
+                     The mechanism to be interrogated.
+
+   name_types        gss_OID_set, modify
+                     Set of name-types supported by the specified
+                     mechanism.  The returned OID set must be
+                     freed by the application after use with a
+                     call to gss_release_oid_set().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+5.25. gss_process_context_token
+
+   OM_uint32 gss_process_context_token (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     const gss_buffer_t token_buffer)
+
+        Purpose:
+
+   Provides a way to pass an asynchronous token to the security service.
+   Most context-level tokens are emitted and processed synchronously by
+   gss_init_sec_context and gss_accept_sec_context, and the application
+   is informed as to whether further tokens are expected by the
+   GSS_C_CONTINUE_NEEDED major status bit.  Occasionally, a mechanism
+   may need to emit a context-level token at a point when the peer
+   entity is not expecting a token.  For example, the initiator's final
+
+
+
+Wray                        Standards Track                    [Page 71]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   call to gss_init_sec_context may emit a token and return a status of
+   GSS_S_COMPLETE, but the acceptor's call to gss_accept_sec_context may
+   fail.  The acceptor's mechanism may wish to send a token containing
+   an error indication to the initiator, but the initiator is not
+   expecting a token at this point, believing that the context is fully
+   established.  Gss_process_context_token provides a way to pass such a
+   token to the mechanism at any time.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Implementation specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     context handle of context on which token is to
+                     be processed
+
+   token_buffer      buffer, opaque, read
+                     token to process
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN Indicates that consistency checks performed
+                     on the token failed
+
+   GSS_S_NO_CONTEXT  The context_handle did not refer to a valid context
+
+5.26. gss_release_buffer
+
+   OM_uint32 gss_release_buffer (
+     OM_uint32    *minor_status,
+     gss_buffer_t buffer)
+
+   Purpose:
+
+   Free storage associated with a buffer.  The storage must have been
+   allocated by a GSS-API routine.  In addition to freeing the
+   associated storage, the routine will zero the length field in the
+   descriptor to which the buffer parameter refers, and implementations
+   are encouraged to additionally set the pointer field in the
+   descriptor to NULL.  Any buffer object returned by a GSS-API routine
+   may be passed to gss_release_buffer (even if there is no storage
+   associated with the buffer).
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 72]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   buffer            buffer, modify
+                     The storage associated with the buffer will be
+                     deleted.  The gss_buffer_desc object will not
+                     be freed, but its length field will be zeroed.
+
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+5.27. gss_release_cred
+
+   OM_uint32 gss_release_cred (
+     OM_uint32     *minor_status,
+     gss_cred_id_t *cred_handle)
+
+   Purpose:
+
+   Informs GSS-API that the specified credential handle is no longer
+   required by the application, and frees associated resources.
+   Implementations are encouraged to set the cred_handle to
+   GSS_C_NO_CREDENTIAL on successful completion of this call.
+
+   Parameters:
+
+   cred_handle       gss_cred_id_t, modify, optional
+                     Opaque handle identifying credential
+                     to be released.  If GSS_C_NO_CREDENTIAL
+                     is supplied, the routine will complete
+                     successfully, but will do nothing.
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CRED     Credentials could not be accessed.
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 73]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.28. gss_release_name
+
+   OM_uint32 gss_release_name (
+     OM_uint32  *minor_status,
+     gss_name_t *name)
+
+   Purpose:
+
+   Free GSSAPI-allocated storage associated with an internal-form name.
+   Implementations are encouraged to set the name to GSS_C_NO_NAME on
+   successful completion of this call.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   name              gss_name_t, modify
+                     The name to be deleted
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_BAD_NAME    The name parameter did not contain a valid name
+
+5.29. gss_release_oid_set
+
+   OM_uint32 gss_release_oid_set (
+     OM_uint32   *minor_status,
+     gss_OID_set *set)
+
+   Purpose:
+
+   Free storage associated with a GSSAPI-generated gss_OID_set object.
+   The set parameter must refer to an OID-set that was returned from a
+   GSS-API routine.  gss_release_oid_set() will free the storage
+   associated with each individual member OID, the OID set's elements
+   array, and the gss_OID_set_desc.
+
+   Implementations are encouraged to set the gss_OID_set parameter to
+   GSS_C_NO_OID_SET on successful completion of this routine.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+
+
+
+Wray                        Standards Track                    [Page 74]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   set               Set of Object IDs, modify
+                     The storage associated with the gss_OID_set
+                     will be deleted.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+5.30. gss_test_oid_set_member
+
+   OM_uint32 gss_test_oid_set_member (
+     OM_uint32         *minor_status,
+     const gss_OID     member,
+     const gss_OID_set set,
+     int               *present)
+
+   Purpose:
+
+   Interrogate an Object Identifier set to determine whether a specified
+   Object Identifier is a member.  This routine is intended to be used
+   with OID sets returned by gss_indicate_mechs(), gss_acquire_cred(),
+   and gss_inquire_cred(), but will also work with user-generated sets.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   member            Object ID, read
+                     The object identifier whose presence
+                     is to be tested.
+
+   set               Set of Object ID, read
+                     The Object Identifier set.
+
+   present           Boolean, modify
+                     non-zero if the specified OID is a member
+                     of the set, zero if not.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 75]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.31. gss_unwrap
+
+   OM_uint32 gss_unwrap (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     const gss_buffer_t input_message_buffer,
+     gss_buffer_t       output_message_buffer,
+     int                *conf_state,
+     gss_qop_t          *qop_state)
+
+   Purpose:
+
+   Converts a message previously protected by gss_wrap back to a usable
+   form, verifying the embedded MIC.  The conf_state parameter indicates
+   whether the message was encrypted; the qop_state parameter indicates
+   the strength of protection that was used to provide the
+   confidentiality and integrity services.
+
+   Since some application-level protocols may wish to use tokens emitted
+   by gss_wrap() to provide "secure framing", implementations must
+   support the wrapping and unwrapping of zero-length messages.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     arrived
+
+   input_message_buffer  buffer, opaque, read
+                     protected message
+
+   output_message_buffer  buffer, opaque, modify
+                     Buffer to receive unwrapped message.
+                     Storage associated with this buffer must
+                     be freed by the application after use use
+                     with a call to gss_release_buffer().
+
+   conf_state        boolean, modify, optional
+                     Non-zero - Confidentiality and integrity
+                                protection were used
+                     Zero - Integrity service only was used
+                     Specify NULL if not required
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 76]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   qop_state         gss_qop_t, modify, optional
+                     Quality of protection provided.
+                     Specify NULL if not required
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+   GSS_S_BAD_SIG     The MIC was incorrect
+
+   GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct
+                         MIC for the message, but it had already been
+                         processed
+
+   GSS_S_OLD_TOKEN   The token was valid, and contained a correct MIC
+                     for the message, but it is too old to check for
+                     duplication.
+
+   GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC
+                     for the message, but has been verified out of
+                     sequence; a later token has already been
+                     received.
+
+   GSS_S_GAP_TOKEN   The token was valid, and contained a correct MIC
+                     for the message, but has been verified out of
+                     sequence; an earlier expected token has not yet
+                     been received.
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify
+                     a valid context
+
+5.32. gss_verify_mic
+
+   OM_uint32 gss_verify_mic (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     const gss_buffer_t message_buffer,
+     const gss_buffer_t token_buffer,
+     gss_qop_t          *qop_state)
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 77]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Purpose:
+
+   Verifies that a cryptographic MIC, contained in the token parameter,
+   fits the supplied message.  The qop_state parameter allows a message
+   recipient to determine the strength of protection that was applied to
+   the message.
+
+   Since some application-level protocols may wish to use tokens emitted
+   by gss_wrap() to provide "secure framing", implementations must
+   support the calculation and verification of MICs over zero-length
+   messages.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     arrived
+
+   message_buffer    buffer, opaque, read
+                     Message to be verified
+
+   token_buffer      buffer, opaque, read
+                     Token associated with message
+
+   qop_state         gss_qop_t, modify, optional
+                     quality of protection gained from MIC
+                     Specify NULL if not required
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_DEFECTIVE_TOKEN The token failed consistency checks
+
+   GSS_S_BAD_SIG     The MIC was incorrect
+
+   GSS_S_DUPLICATE_TOKEN The token was valid, and contained a correct
+                     MIC for the message, but it had already been
+                     processed
+
+   GSS_S_OLD_TOKEN   The token was valid, and contained a correct MIC
+                     for the message, but it is too old to check for
+                     duplication.
+
+
+
+
+
+Wray                        Standards Track                    [Page 78]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_S_UNSEQ_TOKEN The token was valid, and contained a correct MIC
+                     for the message, but has been verified out of
+                     sequence; a later token has already been received.
+
+   GSS_S_GAP_TOKEN   The token was valid, and contained a correct MIC
+                     for the message, but has been verified out of
+                     sequence; an earlier expected token has not yet
+                     been received.
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                     valid context
+
+5.33. gss_wrap
+
+   OM_uint32 gss_wrap (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     int               conf_req_flag,
+     gss_qop_t          qop_req
+     const gss_buffer_t input_message_buffer,
+     int                *conf_state,
+     gss_buffer_t       output_message_buffer )
+
+   Purpose:
+
+   Attaches a cryptographic MIC and optionally encrypts the specified
+   input_message.  The output_message contains both the MIC and the
+   message.  The qop_req parameter allows a choice between several
+   cryptographic algorithms, if supported by the chosen mechanism.
+
+   Since some application-level protocols may wish to use tokens emitted
+   by gss_wrap() to provide "secure framing", implementations must
+   support the wrapping of zero-length messages.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code.
+
+   context_handle    gss_ctx_id_t, read
+                     Identifies the context on which the message
+                     will be sent
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 79]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   conf_req_flag     boolean, read
+                     Non-zero - Both confidentiality and integrity
+                                services are requested
+                     Zero - Only integrity service is requested
+
+   qop_req           gss_qop_t, read, optional
+                     Specifies required quality of protection.  A
+                     mechanism-specific default may be requested by
+                     setting qop_req to GSS_C_QOP_DEFAULT.  If an
+                     unsupported protection strength is requested,
+                     gss_wrap will return a major_status of
+                     GSS_S_BAD_QOP.
+
+   input_message_buffer  buffer, opaque, read
+                     Message to be protected
+
+   conf_state        boolean, modify, optional
+                     Non-zero - Confidentiality, data origin
+                                authentication and integrity
+                                services have been applied
+                     Zero - Integrity and data origin services only
+                            has been applied.
+                     Specify NULL if not required
+
+   output_message_buffer  buffer, opaque, modify
+                     Buffer to receive protected message.
+                     Storage associated with this message must
+                     be freed by the application after use with
+                     a call to gss_release_buffer().
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_CONTEXT_EXPIRED The context has already expired
+
+   GSS_S_NO_CONTEXT  The context_handle parameter did not identify a
+                     valid context
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the
+                     mechanism.
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 80]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+5.34. gss_wrap_size_limit
+
+   OM_uint32 gss_wrap_size_limit (
+     OM_uint32          *minor_status,
+     const gss_ctx_id_t context_handle,
+     int                conf_req_flag,
+     gss_qop_t          qop_req,
+     OM_uint32          req_output_size,
+     OM_uint32          *max_input_size)
+
+   Purpose:
+
+   Allows an application to determine the maximum message size that, if
+   presented to gss_wrap with the same conf_req_flag and qop_req
+   parameters, will result in an output token containing no more than
+   req_output_size bytes.
+
+   This call is intended for use by applications that communicate over
+   protocols that impose a maximum message size.  It enables the
+   application to fragment messages prior to applying protection.
+
+   GSS-API implementations are recommended but not required to detect
+   invalid QOP values when gss_wrap_size_limit() is called. This routine
+   guarantees only a maximum message size, not the availability of
+   specific QOP values for message protection.
+
+   Successful completion of this call does not guarantee that gss_wrap
+   will be able to protect a message of length max_input_size bytes,
+   since this ability may depend on the availability of system resources
+   at the time that gss_wrap is called.  However, if the implementation
+   itself imposes an upper limit on the length of messages that may be
+   processed by gss_wrap, the implementation should not return a value
+   via max_input_bytes that is greater than this length.
+
+   Parameters:
+
+   minor_status      Integer, modify
+                     Mechanism specific status code
+
+   context_handle    gss_ctx_id_t, read
+                     A handle that refers to the security over
+                     which the messages will be sent.
+
+   conf_req_flag     Boolean, read
+                     Indicates whether gss_wrap will be asked
+                     to apply confidentiality protection in
+
+
+
+
+
+Wray                        Standards Track                    [Page 81]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+                     addition to integrity protection.  See
+                     the routine description for gss_wrap
+                     for more details.
+
+   qop_req           gss_qop_t, read
+                     Indicates the level of protection that
+                     gss_wrap will be asked to provide.  See
+                     the routine description for gss_wrap for
+                     more details.
+
+   req_output_size   Integer, read
+                     The desired maximum size for tokens emitted
+                     by gss_wrap.
+
+   max_input_size    Integer, modify
+                     The maximum input message size that may
+                     be presented to gss_wrap in order to
+                     guarantee that the emitted token shall
+                     be no larger than req_output_size bytes.
+
+   Function value:   GSS status code
+
+   GSS_S_COMPLETE    Successful completion
+
+   GSS_S_NO_CONTEXT  The referenced context could not be accessed.
+
+   GSS_S_CONTEXT_EXPIRED The context has expired.
+
+   GSS_S_BAD_QOP     The specified QOP is not supported by the
+                     mechanism.
+
+6.   Security Considerations
+
+   This document specifies a service interface for security facilities
+   and services; as such, security considerations appear throughout the
+   specification. Nonetheless, it is appropriate to summarize certain
+   specific points relevant to GSS-API implementors and calling
+   applications. Usage of the GSS-API interface does not in itself
+   provide security services or assurance; instead, these attributes are
+   dependent on the underlying mechanism(s) which support a GSS-API
+   implementation. Callers must be attentive to the requests made to
+   GSS-API calls and to the status indicators returned by GSS-API, as
+   these specify the security service characteristics which GSS-API will
+   provide. When the interprocess context transfer facility is used,
+   appropriate local controls should be applied to constrain access to
+   interprocess tokens and to the sensitive data which they contain.
+
+
+
+
+
+Wray                        Standards Track                    [Page 82]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   Appendix A. GSS-API C header file gssapi.h
+
+   C-language GSS-API implementations should include a copy of the
+   following header-file.
+
+   #ifndef GSSAPI_H_
+   #define GSSAPI_H_
+
+
+
+   /*
+    * First, include stddef.h to get size_t defined.
+    */
+   #include <stddef.h>
+
+   /*
+    * If the platform supports the xom.h header file, it should be
+    * included here.
+    */
+   #include <xom.h>
+
+
+   /*
+    * Now define the three implementation-dependent types.
+    */
+   typedef <platform-specific> gss_ctx_id_t;
+   typedef <platform-specific> gss_cred_id_t;
+   typedef <platform-specific> gss_name_t;
+
+   /*
+    * The following type must be defined as the smallest natural
+    * unsigned integer supported by the platform that has at least
+    * 32 bits of precision.
+    */
+   typedef <platform-specific> gss_uint32;
+
+
+   #ifdef OM_STRING
+   /*
+    * We have included the xom.h header file.  Verify that OM_uint32
+    * is defined correctly.
+    */
+
+   #if sizeof(gss_uint32) != sizeof(OM_uint32)
+   #error Incompatible definition of OM_uint32 from xom.h
+   #endif
+
+   typedef OM_object_identifier gss_OID_desc, *gss_OID;
+
+
+
+Wray                        Standards Track                    [Page 83]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   #else
+
+   /*
+    * We can't use X/Open definitions, so roll our own.
+    */
+
+   typedef gss_uint32 OM_uint32;
+
+   typedef struct gss_OID_desc_struct {
+     OM_uint32 length;
+     void      *elements;
+   } gss_OID_desc, *gss_OID;
+
+   #endif
+
+   typedef struct gss_OID_set_desc_struct  {
+     size_t     count;
+     gss_OID    elements;
+   } gss_OID_set_desc, *gss_OID_set;
+
+   typedef struct gss_buffer_desc_struct {
+     size_t length;
+     void *value;
+   } gss_buffer_desc, *gss_buffer_t;
+
+   typedef struct gss_channel_bindings_struct {
+     OM_uint32 initiator_addrtype;
+     gss_buffer_desc initiator_address;
+     OM_uint32 acceptor_addrtype;
+     gss_buffer_desc acceptor_address;
+     gss_buffer_desc application_data;
+   } *gss_channel_bindings_t;
+
+   /*
+    * For now, define a QOP-type as an OM_uint32
+    */
+   typedef OM_uint32 gss_qop_t;
+
+   typedef int gss_cred_usage_t;
+
+   /*
+    * Flag bits for context-level services.
+    */
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 84]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   #define GSS_C_DELEG_FLAG      1
+   #define GSS_C_MUTUAL_FLAG     2
+   #define GSS_C_REPLAY_FLAG     4
+   #define GSS_C_SEQUENCE_FLAG   8
+   #define GSS_C_CONF_FLAG       16
+   #define GSS_C_INTEG_FLAG      32
+   #define GSS_C_ANON_FLAG       64
+   #define GSS_C_PROT_READY_FLAG 128
+   #define GSS_C_TRANS_FLAG      256
+
+   /*
+    * Credential usage options
+    */
+   #define GSS_C_BOTH     0
+   #define GSS_C_INITIATE 1
+   #define GSS_C_ACCEPT   2
+
+   /*
+    * Status code types for gss_display_status
+    */
+   #define GSS_C_GSS_CODE  1
+   #define GSS_C_MECH_CODE 2
+
+   /*
+    * The constant definitions for channel-bindings address families
+    */
+   #define GSS_C_AF_UNSPEC     0
+   #define GSS_C_AF_LOCAL      1
+   #define GSS_C_AF_INET       2
+   #define GSS_C_AF_IMPLINK    3
+   #define GSS_C_AF_PUP        4
+   #define GSS_C_AF_CHAOS      5
+   #define GSS_C_AF_NS         6
+   #define GSS_C_AF_NBS        7
+   #define GSS_C_AF_ECMA       8
+   #define GSS_C_AF_DATAKIT    9
+   #define GSS_C_AF_CCITT      10
+   #define GSS_C_AF_SNA        11
+   #define GSS_C_AF_DECnet     12
+   #define GSS_C_AF_DLI        13
+   #define GSS_C_AF_LAT        14
+   #define GSS_C_AF_HYLINK     15
+   #define GSS_C_AF_APPLETALK  16
+   #define GSS_C_AF_BSC        17
+   #define GSS_C_AF_DSS        18
+   #define GSS_C_AF_OSI        19
+   #define GSS_C_AF_X25        21
+
+
+
+
+Wray                        Standards Track                    [Page 85]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   #define GSS_C_AF_NULLADDR   255
+
+   /*
+    * Various Null values
+    */
+   #define GSS_C_NO_NAME ((gss_name_t) 0)
+   #define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
+   #define GSS_C_NO_OID ((gss_OID) 0)
+   #define GSS_C_NO_OID_SET ((gss_OID_set) 0)
+   #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
+   #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
+   #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
+   #define GSS_C_EMPTY_BUFFER {0, NULL}
+
+   /*
+    * Some alternate names for a couple of the above
+    * values.  These are defined for V1 compatibility.
+    */
+   #define GSS_C_NULL_OID GSS_C_NO_OID
+   #define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
+
+   /*
+    * Define the default Quality of Protection for per-message
+    * services.  Note that an implementation that offers multiple
+    * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
+    * (as done here) to mean "default protection", or to a specific
+    * explicit QOP value.  However, a value of 0 should always be
+    * interpreted by a GSS-API implementation as a request for the
+    * default protection level.
+    */
+   #define GSS_C_QOP_DEFAULT 0
+
+   /*
+    * Expiration time of 2^32-1 seconds means infinite lifetime for a
+    * credential or security context
+    */
+   #define GSS_C_INDEFINITE 0xfffffffful
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    * "\x01\x02\x01\x01"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    * infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+    * GSS_C_NT_USER_NAME should be initialized to point
+    * to that gss_OID_desc.
+
+
+
+Wray                        Standards Track                    [Page 86]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+    */
+   extern gss_OID GSS_C_NT_USER_NAME;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x02"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+    * The constant GSS_C_NT_MACHINE_UID_NAME should be
+    * initialized to point to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x03"},
+    * corresponding to an object-identifier value of
+    * {iso(1) member-body(2) United States(840) mit(113554)
+    * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+    * The constant GSS_C_NT_STRING_UID_NAME should be
+    * initialized to point to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_STRING_UID_NAME;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+    * corresponding to an object-identifier value of
+    * {iso(1) org(3) dod(6) internet(1) security(5)
+    * nametypes(6) gss-host-based-services(2)).  The constant
+    * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+    * to that gss_OID_desc.  This is a deprecated OID value, and
+    * implementations wishing to support hostbased-service names
+    * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+    * defined below, to identify such names;
+    * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+    * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+    * parameter, but should not be emitted by GSS-API
+    * implementations
+    */
+   extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
+
+
+
+
+Wray                        Standards Track                    [Page 87]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+    *              "\x01\x02\x01\x04"}, corresponding to an
+    * object-identifier value of {iso(1) member-body(2)
+    * Unites States(840) mit(113554) infosys(1) gssapi(2)
+    * generic(1) service_name(4)}.  The constant
+    * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+    * to point to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+    * corresponding to an object identifier value of
+    * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+    * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+    * and GSS_C_NT_ANONYMOUS should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_ANONYMOUS;
+
+
+   /*
+    * The implementation must reserve static storage for a
+    * gss_OID_desc object containing the value
+    * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+    * corresponding to an object-identifier value of
+    * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+    * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+    * GSS_C_NT_EXPORT_NAME should be initialized to point
+    * to that gss_OID_desc.
+    */
+   extern gss_OID GSS_C_NT_EXPORT_NAME;
+
+
+   /* Major status codes */
+
+   #define GSS_S_COMPLETE 0
+
+   /*
+    * Some "helper" definitions to make the status code macros obvious.
+    */
+   #define GSS_C_CALLING_ERROR_OFFSET 24
+   #define GSS_C_ROUTINE_ERROR_OFFSET 16
+
+
+
+Wray                        Standards Track                    [Page 88]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   #define GSS_C_SUPPLEMENTARY_OFFSET 0
+   #define GSS_C_CALLING_ERROR_MASK 0377ul
+   #define GSS_C_ROUTINE_ERROR_MASK 0377ul
+   #define GSS_C_SUPPLEMENTARY_MASK 0177777ul
+
+   /*
+    * The macros that test status codes for error conditions.
+    * Note that the GSS_ERROR() macro has changed slightly from
+    * the V1 GSS-API so that it now evaluates its argument
+    * only once.
+    */
+   #define GSS_CALLING_ERROR(x) \
+    (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
+   #define GSS_ROUTINE_ERROR(x) \
+    (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
+   #define GSS_SUPPLEMENTARY_INFO(x) \
+    (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
+   #define GSS_ERROR(x) \
+    (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
+          (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
+
+   /*
+    * Now the actual status code definitions
+    */
+
+   /*
+    * Calling errors:
+
+    */
+   #define GSS_S_CALL_INACCESSIBLE_READ \
+   (1ul << GSS_C_CALLING_ERROR_OFFSET)
+   #define GSS_S_CALL_INACCESSIBLE_WRITE \
+   (2ul << GSS_C_CALLING_ERROR_OFFSET)
+   #define GSS_S_CALL_BAD_STRUCTURE \
+   (3ul << GSS_C_CALLING_ERROR_OFFSET)
+
+   /*
+    * Routine errors:
+    */
+   #define GSS_S_BAD_MECH             (1ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_NAME             (2ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_NAMETYPE         (3ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_BINDINGS         (4ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_STATUS           (5ul <<
+
+
+
+Wray                        Standards Track                    [Page 89]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_SIG              (6ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_MIC GSS_S_BAD_SIG
+   #define GSS_S_NO_CRED              (7ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_NO_CONTEXT           (8ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DEFECTIVE_TOKEN      (9ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DEFECTIVE_CREDENTIAL (10ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_CREDENTIALS_EXPIRED  (11ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_CONTEXT_EXPIRED      (12ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_FAILURE              (13ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_BAD_QOP              (14ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_UNAUTHORIZED         (15ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_UNAVAILABLE          (16ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_DUPLICATE_ELEMENT    (17ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+   #define GSS_S_NAME_NOT_MN          (18ul <<
+   GSS_C_ROUTINE_ERROR_OFFSET)
+
+   /*
+    * Supplementary info bits:
+    */
+   #define GSS_S_CONTINUE_NEEDED \
+            (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+   #define GSS_S_DUPLICATE_TOKEN \
+            (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+   #define GSS_S_OLD_TOKEN \
+            (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+   #define GSS_S_UNSEQ_TOKEN \
+            (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+   #define GSS_S_GAP_TOKEN \
+            (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
+
+   /*
+    * Finally, function prototypes for the GSS-API routines.
+    */
+
+
+
+
+
+Wray                        Standards Track                    [Page 90]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_acquire_cred
+                 (OM_uint32 ,             /*  minor_status */
+                  const gss_name_t,       /* desired_name */
+                  OM_uint32,              /* time_req */
+                  const gss_OID_set,      /* desired_mechs */
+                  gss_cred_usage_t,       /* cred_usage */
+                  gss_cred_id_t ,         /* output_cred_handle */
+                  gss_OID_set ,           /* actual_mechs */
+                  OM_uint32 *             /* time_rec */
+                 );
+
+   OM_uint32 gss_release_cred
+                 (OM_uint32 ,             /* minor_status */
+                  gss_cred_id_t *         /* cred_handle */
+                 );
+
+   OM_uint32 gss_init_sec_context
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_cred_id_t,    /* initiator_cred_handle */
+                  gss_ctx_id_t ,          /* context_handle */
+                  const gss_name_t,       /* target_name */
+                  const gss_OID,          /* mech_type */
+                  OM_uint32,              /* req_flags */
+                  OM_uint32,              /* time_req */
+                  const gss_channel_bindings_t,
+                                          /* input_chan_bindings */
+                  const gss_buffer_t,     /* input_token */
+                  gss_OID ,               /* actual_mech_type */
+                  gss_buffer_t,           /* output_token */
+                  OM_uint32 ,             /* ret_flags */
+                  OM_uint32 *             /* time_rec */
+                 );
+
+   OM_uint32 gss_accept_sec_context
+                 (OM_uint32 ,             /* minor_status */
+                  gss_ctx_id_t ,          /* context_handle */
+                  const gss_cred_id_t,    /* acceptor_cred_handle */
+                  const gss_buffer_t,     /* input_token_buffer */
+                  const gss_channel_bindings_t,
+                                          /* input_chan_bindings */
+                  gss_name_t ,            /* src_name */
+                  gss_OID ,               /* mech_type */
+                  gss_buffer_t,           /* output_token */
+                  OM_uint32 ,             /* ret_flags */
+                  OM_uint32 ,             /* time_rec */
+                  gss_cred_id_t *         /* delegated_cred_handle */
+                 );
+
+
+
+
+Wray                        Standards Track                    [Page 91]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_process_context_token
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  const gss_buffer_t      /* token_buffer */
+                 );
+
+   OM_uint32 gss_delete_sec_context
+                 (OM_uint32 ,             /* minor_status */
+                  gss_ctx_id_t ,          /* context_handle */
+                  gss_buffer_t            /* output_token */
+                 );
+
+   OM_uint32 gss_context_time
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  OM_uint32 *             /* time_rec */
+                 );
+
+   OM_uint32 gss_get_mic
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  gss_qop_t,              /* qop_req */
+                  const gss_buffer_t,     /* message_buffer */
+                  gss_buffer_t            /* message_token */
+                 );
+
+   OM_uint32 gss_verify_mic
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  const gss_buffer_t,     /* message_buffer */
+                  const gss_buffer_t,     /* token_buffer */
+                  gss_qop_t *             /* qop_state */
+                 );
+
+   OM_uint32 gss_wrap
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  int,                    /* conf_req_flag */
+                  gss_qop_t,              /* qop_req */
+                  const gss_buffer_t,     /* input_message_buffer */
+                  int ,                   /* conf_state */
+                  gss_buffer_t            /* output_message_buffer */
+                 );
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 92]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_unwrap
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  const gss_buffer_t,     /* input_message_buffer */
+                  gss_buffer_t,           /* output_message_buffer */
+                  int ,                   /* conf_state */
+                  gss_qop_t *             /* qop_state */
+                 );
+
+
+
+   OM_uint32 gss_display_status
+                 (OM_uint32 ,             /* minor_status */
+                  OM_uint32,              /* status_value */
+                  int,                    /* status_type */
+                  const gss_OID,          /* mech_type */
+                  OM_uint32 ,             /* message_context */
+                  gss_buffer_t            /* status_string */
+                 );
+
+   OM_uint32 gss_indicate_mechs
+                 (OM_uint32 ,             /* minor_status */
+                  gss_OID_set *           /* mech_set */
+                 );
+
+   OM_uint32 gss_compare_name
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_name_t,       /* name1 */
+                  const gss_name_t,       /* name2 */
+                  int *                   /* name_equal */
+                 );
+
+   OM_uint32 gss_display_name
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_name_t,       /* input_name */
+                  gss_buffer_t,           /* output_name_buffer */
+                  gss_OID *               /* output_name_type */
+                 );
+
+   OM_uint32 gss_import_name
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_buffer_t,     /* input_name_buffer */
+                  const gss_OID,          /* input_name_type */
+                  gss_name_t *            /* output_name */
+                 );
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 93]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_export_name
+                 (OM_uint32,              /* minor_status */
+                  const gss_name_t,       /* input_name */
+                  gss_buffer_t            /* exported_name */
+                 );
+
+   OM_uint32 gss_release_name
+                 (OM_uint32 *,            /* minor_status */
+                  gss_name_t *            /* input_name */
+                 );
+
+   OM_uint32 gss_release_buffer
+                 (OM_uint32 ,             /* minor_status */
+                  gss_buffer_t            /* buffer */
+                 );
+
+   OM_uint32 gss_release_oid_set
+                 (OM_uint32 ,             /* minor_status */
+                  gss_OID_set *           /* set */
+                 );
+
+   OM_uint32 gss_inquire_cred
+                 (OM_uint32 ,             /* minor_status */
+                  const gss_cred_id_t,    /* cred_handle */
+                  gss_name_t ,            /* name */
+                  OM_uint32 ,             /* lifetime */
+                  gss_cred_usage_t ,      /* cred_usage */
+                  gss_OID_set *           /* mechanisms */
+                 );
+
+   OM_uint32 gss_inquire_context (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  gss_name_t ,            /* src_name */
+                  gss_name_t ,            /* targ_name */
+                  OM_uint32 ,             /* lifetime_rec */
+                  gss_OID ,               /* mech_type */
+                  OM_uint32 ,             /* ctx_flags */
+                  int ,                   /* locally_initiated */
+                  int *                   /* open */
+                 );
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 94]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_wrap_size_limit (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_ctx_id_t,     /* context_handle */
+                  int,                    /* conf_req_flag */
+                  gss_qop_t,              /* qop_req */
+                  OM_uint32,              /* req_output_size */
+                  OM_uint32 *             /* max_input_size */
+                 );
+
+   OM_uint32 gss_add_cred (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_cred_id_t,    /* input_cred_handle */
+                  const gss_name_t,       /* desired_name */
+                  const gss_OID,          /* desired_mech */
+                  gss_cred_usage_t,       /* cred_usage */
+                  OM_uint32,              /* initiator_time_req */
+                  OM_uint32,              /* acceptor_time_req */
+                  gss_cred_id_t ,         /* output_cred_handle */
+                  gss_OID_set ,           /* actual_mechs */
+                  OM_uint32 ,             /* initiator_time_rec */
+                  OM_uint32 *             /* acceptor_time_rec */
+                 );
+
+   OM_uint32 gss_inquire_cred_by_mech (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_cred_id_t,    /* cred_handle */
+                  const gss_OID,          /* mech_type */
+                  gss_name_t ,            /* name */
+                  OM_uint32 ,             /* initiator_lifetime */
+                  OM_uint32 ,             /* acceptor_lifetime */
+                  gss_cred_usage_t *      /* cred_usage */
+                 );
+
+   OM_uint32 gss_export_sec_context (
+                  OM_uint32 ,             /* minor_status */
+                  gss_ctx_id_t ,          /* context_handle */
+                  gss_buffer_t            /* interprocess_token */
+                 );
+
+   OM_uint32 gss_import_sec_context (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_buffer_t,     /* interprocess_token */
+                  gss_ctx_id_t *          /* context_handle */
+                 );
+
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 95]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   OM_uint32 gss_create_empty_oid_set (
+                  OM_uint32 ,             /* minor_status */
+                  gss_OID_set *           /* oid_set */
+                 );
+
+   OM_uint32 gss_add_oid_set_member (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_OID,          /* member_oid */
+                  gss_OID_set *           /* oid_set */
+                 );
+
+   OM_uint32 gss_test_oid_set_member (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_OID,          /* member */
+                  const gss_OID_set,      /* set */
+                  int *                   /* present */
+                 );
+
+   OM_uint32 gss_inquire_names_for_mech (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_OID,          /* mechanism */
+                  gss_OID_set *           /* name_types */
+                 );
+
+   OM_uint32 gss_inquire_mechs_for_name (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_name_t,       /* input_name */
+                  gss_OID_set *           /* mech_types */
+                 );
+
+   OM_uint32 gss_canonicalize_name (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_name_t,       /* input_name */
+                  const gss_OID,          /* mech_type */
+                  gss_name_t *            /* output_name */
+                 );
+
+   OM_uint32 gss_duplicate_name (
+                  OM_uint32 ,             /* minor_status */
+                  const gss_name_t,       /* src_name */
+                  gss_name_t *            /* dest_name */
+                 );
+
+   /*
+    * The following routines are obsolete variants of gss_get_mic,
+    * gss_verify_mic, gss_wrap and gss_unwrap.  They should be
+    * provided by GSS-API V2 implementations for backwards
+    * compatibility with V1 applications.  Distinct entrypoints
+
+
+
+Wray                        Standards Track                    [Page 96]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+    * (as opposed to #defines) should be provided, both to allow
+    * GSS-API V1 applications to link against GSS-API V2
+      implementations,
+    * and to retain the slight parameter type differences between the
+    * obsolete versions of these routines and their current forms.
+    */
+
+   OM_uint32 gss_sign
+                 (OM_uint32 ,        /* minor_status */
+                  gss_ctx_id_t,      /* context_handle */
+                  int,               /* qop_req */
+                  gss_buffer_t,      /* message_buffer */
+                  gss_buffer_t       /* message_token */
+                 );
+
+
+   OM_uint32 gss_verify
+                 (OM_uint32 ,        /* minor_status */
+                  gss_ctx_id_t,      /* context_handle */
+                  gss_buffer_t,      /* message_buffer */
+                  gss_buffer_t,      /* token_buffer */
+                  int *              /* qop_state */
+                 );
+
+   OM_uint32 gss_seal
+                 (OM_uint32 ,        /* minor_status */
+                  gss_ctx_id_t,      /* context_handle */
+                  int,               /* conf_req_flag */
+                  int,               /* qop_req */
+                  gss_buffer_t,      /* input_message_buffer */
+                  int ,              /* conf_state */
+                  gss_buffer_t       /* output_message_buffer */
+                 );
+
+
+   OM_uint32 gss_unseal
+                 (OM_uint32 ,        /* minor_status */
+                  gss_ctx_id_t,      /* context_handle */
+                  gss_buffer_t,      /* input_message_buffer */
+                  gss_buffer_t,      /* output_message_buffer */
+                  int ,              /* conf_state */
+                  int *              /* qop_state */
+                 );
+
+   #endif /* GSSAPI_H_ */
+
+
+
+
+
+
+Wray                        Standards Track                    [Page 97]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+Appendix B. Additional constraints for application binary portability
+
+   The purpose of this C-bindings document is to encourage source-level
+   portability of applications across GSS-API implementations on
+   different platforms and atop different mechanisms.  Additional goals
+   that have not been explicitly addressed by this document are link-
+   time and run-time portability.
+
+   Link-time portability provides the ability to compile an application
+   against one implementation of GSS-API, and then link it against a
+   different implementation on the same platform.  It is a stricter
+   requirement than source-level portability.
+
+   Run-time portability differs from link-time portability only on those
+   platforms that implement dynamically loadable GSS-API
+   implementations, but do not offer load-time symbol resolution. On
+   such platforms, run-time portability is a stricter requirement than
+   link-time portability, and will typically include the precise
+   placement of the various GSS-API routines within library entrypoint
+   vectors.
+
+   Individual platforms will impose their own rules that must be
+   followed to achieve link-time (and run-time, if different)
+   portability.  In order to ensure either form of binary portability,
+   an ABI specification must be written for GSS-API implementations on
+   that platform.  However, it is recognized that there are some issues
+   that are likely to be common to all such ABI specifications. This
+   appendix is intended to be a repository for such common issues, and
+   contains some suggestions that individual ABI specifications may
+   choose to reference. Since machine architectures vary greatly, it may
+   not be possible or desirable to follow these suggestions on all
+   platforms.
+
+B.1. Pointers
+
+   While ANSI-C provides a single pointer type for each declared type,
+   plus a single (void *) type, some platforms (notably those using
+   segmented memory architectures) augment this with various modified
+   pointer types (e.g. far pointers, near pointers). These language
+   bindings assume ANSI-C, and thus do not address such non-standard
+   implementations.  GSS-API implementations for such platforms must
+   choose an appropriate memory model, and should use it consistently
+   throughout.  For example, if a memory model is chosen that requires
+   the use of far pointers when passing routine parameters, then far
+   pointers should also be used within the structures defined by GSS-
+   API.
+
+
+
+
+
+Wray                        Standards Track                    [Page 98]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+B.2. Internal structure alignment
+
+   GSS-API defines several data-structures containing differently-sized
+   fields.  An ABI specification should include a detailed description
+   of how the fields of such structures are aligned, and if there is any
+   internal padding in these data structures.  The use of compiler
+   defaults for the platform is recommended.
+
+B.3. Handle types
+
+   The C bindings specify that the gss_cred_id_t and gss_ctx_id_t types
+   should be implemented as either pointer or arithmetic types, and that
+   if pointer types are used, care should be taken to ensure that two
+   handles may be compared with the == operator. Note that ANSI-C does
+   not guarantee that two pointer values may be compared with the ==
+   operator unless either the two pointers point to members of a single
+   array, or at least one of the pointers contains a NULL value.
+
+   For binary portability, additional constraints are required. The
+   following is an attempt at defining platform-independent constraints.
+
+   The size of the handle type must be the same as sizeof(void *), using
+   the appropriate memory model.
+
+   The == operator for the chosen type must be a simple bit-wise
+   comparison.  That is, for two in-memory handle objects h1 and h2, the
+   boolean value of the expression
+
+      (h1 == h2)
+
+   should always be the same as the boolean value of the expression
+
+      (memcmp(&h1, &h2, sizeof(h1)) == 0)
+
+   The actual use of the type (void *) for handle types is discouraged,
+   not for binary portability reasons, but since it effectively disables
+   much of the compile-time type-checking that the compiler can
+   otherwise perform, and is therefore not "programmer-friendly".  If a
+   pointer implementation is desired, and if the platform's
+   implementation of pointers permits, the handles should be implemented
+   as pointers to distinct implementation-defined types.
+
+B.4. The gss_name_t type
+
+   The gss_name_t type, representing the internal name object, should be
+   implemented as a pointer type.  The use of the (void *) type is
+   discouraged as it does not allow the compiler to perform strong
+   type-checking.  However, the pointer type chosen should be of the
+
+
+
+Wray                        Standards Track                    [Page 99]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+   same size as the (void *) type.  Provided this rule is obeyed, ABI
+   specifications need not further constrain the implementation of
+   gss_name_t objects.
+
+B.5. The int and size_t types
+
+   Some platforms may support differently sized implementations of the
+   "int" and "size_t" types, perhaps chosen through compiler switches,
+   and perhaps dependent on memory model.  An ABI specification for such
+   a platform should include required implementations for these types.
+   It is recommended that the default implementation (for the chosen
+   memory model, if appropriate) is chosen.
+
+B.6. Procedure-calling conventions
+
+   Some platforms support a variety of different binary conventions for
+   calling procedures.  Such conventions cover things like the format of
+   the stack frame, the order in which the routine parameters are pushed
+   onto the stack, whether or not a parameter count is pushed onto the
+   stack, whether some argument(s) or return values are to be passed in
+   registers, and whether the called routine or the caller is
+   responsible for removing the stack frame on return.  For such
+   platforms, an ABI specification should specify which calling
+   convention is to be used for GSS-API implementations.
+
+References
+
+   [GSSAPI]    Linn, J., "Generic Security Service Application Program
+               Interface Version 2, Update 1", RFC 2743, January 2000.
+
+   [XOM]       OSI Object Management API Specification, Version 2.0 t",
+               X.400 API Association & X/Open Company Limited, August
+               24, 1990 Specification of datatypes and routines for
+               manipulating information objects.
+
+Author's Address
+
+   John Wray
+   Iris Associates
+   5 Technology Park Drive,
+   Westford, MA  01886
+   USA
+
+   Phone: +1-978-392-6689
+   EMail: John_Wray@Iris.com
+
+
+
+
+
+
+Wray                        Standards Track                   [Page 100]
+
+RFC 2744                 GSS-API V2: C-bindings             January 2000
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wray                        Standards Track                   [Page 101]
+
diff --git a/crypto/heimdal/doc/whatis.texi b/crypto/heimdal/doc/whatis.texi
new file mode 100644
index 0000000..eff52d7
--- /dev/null
+++ b/crypto/heimdal/doc/whatis.texi
@@ -0,0 +1,151 @@
+@c $Id: whatis.texi,v 1.5 2001/01/28 22:11:23 assar Exp $
+
+@node What is Kerberos?, Building and Installing, Introduction, Top
+@chapter What is Kerberos?
+
+@quotation
+@flushleft
+        Now this Cerberus had three heads of dogs,
+        the tail of a dragon, and on his back the
+        heads of all sorts of snakes.
+        --- Pseudo-Apollodorus Library 2.5.12
+@end flushleft
+@end quotation
+
+Kerberos is a system for authenticating users and services on a network.
+It is built upon the assumption that the network is ``unsafe''.  For
+example, data sent over the network can be eavesdropped and altered, and
+addresses can also be faked.  Therefore they cannot be used for
+authentication purposes.
+@cindex authentication
+
+Kerberos is a trusted third-party service.  That means that there is a
+third party (the kerberos server) that is trusted by all the entities on
+the network (users and services, usually called @dfn{principals}).  All
+principals share a secret password (or key) with the kerberos server and
+this enables principals to verify that the messages from the kerberos
+server are authentic.  Thus trusting the kerberos server, users and
+services can authenticate each other.
+
+@section Basic mechanism
+
+@ifinfo
+@macro sub{arg}
+<\arg\>
+@end macro
+@end ifinfo
+
+@tex
+@def@xsub#1{$_{#1}$}
+@global@let@sub=@xsub
+@end tex
+
+@ifhtml
+@macro sub{arg}
+<\arg\>
+@end macro
+@end ifhtml
+
+@quotation
+@strong{Note:} This discussion is about Kerberos version 4, but version
+5 works similarly.
+@end quotation
+
+In Kerberos, principals use @dfn{tickets} to prove that they are who
+they claim to be. In the following example, @var{A} is the initiator of
+the authentication exchange, usually a user, and @var{B} is the service
+that @var{A} wishes to use.
+
+To obtain a ticket for a specific service, @var{A} sends a ticket
+request to the kerberos server. The request contains @var{A}'s and
+@var{B}'s names (along with some other fields). The kerberos server
+checks that both @var{A} and @var{B} are valid principals.
+
+Having verified the validity of the principals, it creates a packet
+containing @var{A}'s and @var{B}'s names, @var{A}'s network address
+(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime
+of the ticket (@var{life}), and a secret @dfn{session key}
+@cindex session key
+(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key
+(@var{K@sub{B}}).  The actual ticket (@var{T@sub{AB}}) looks like this:
+(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life},
+@var{K@sub{AB}}@}@var{K@sub{B}}).
+
+The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s
+name, the current time, the lifetime of the ticket, and the session key, all
+encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}},
+@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A}
+decrypts the reply and retains it for later use.
+
+@sp 1
+
+Before sending a message to @var{B}, @var{A} creates an authenticator
+consisting of @var{A}'s name, @var{A}'s address, the current time, and a
+``checksum'' chosen by @var{A}, all encrypted with the secret session
+key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}},
+@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket
+received from the kerberos server to @var{B}.  Upon reception, @var{B}
+decrypts the ticket using @var{B}'s secret key.  Since the ticket
+contains the session key that the authenticator was encrypted with,
+@var{B} can now also decrypt the authenticator. To verify that @var{A}
+really is @var{A}, @var{B} now has to compare the contents of the ticket
+with that of the authenticator. If everything matches, @var{B} now
+considers @var{A} as properly authenticated.
+
+@c (here we should have some more explanations)
+
+@section Different attacks
+
+@subheading Impersonating A
+
+An impostor, @var{C} could steal the authenticator and the ticket as it
+is transmitted across the network, and use them to impersonate
+@var{A}. The address in the ticket and the authenticator was added to
+make it more difficult to perform this attack.  To succeed @var{C} will
+have to either use the same machine as @var{A} or fake the source
+addresses of the packets. By including the time stamp in the
+authenticator, @var{C} does not have much time in which to mount the
+attack.
+
+@subheading Impersonating B
+
+@var{C} can hijack @var{B}'s network address, and when @var{A} sends
+her credentials, @var{C} just pretend to verify them. @var{C} can't
+be sure that she is talking to @var{A}.
+
+@section Defense strategies
+
+It would be possible to add a @dfn{replay cache}
+@cindex replay cache
+to the server side.  The idea is to save the authenticators sent during
+the last few minutes, so that @var{B} can detect when someone is trying
+to retransmit an already used message. This is somewhat impractical
+(mostly regarding efficiency), and is not part of Kerberos 4; MIT
+Kerberos 5 contains it.
+
+To authenticate @var{B}, @var{A} might request that @var{B} sends
+something back that proves that @var{B} has access to the session
+key. An example of this is the checksum that @var{A} sent as part of the
+authenticator. One typical procedure is to add one to the checksum,
+encrypt it with the session key and send it back to @var{A}.  This is
+called @dfn{mutual authentication}.
+
+The session key can also be used to add cryptographic checksums to the
+messages sent between @var{A} and @var{B} (known as @dfn{message
+integrity}).  Encryption can also be added (@dfn{message
+confidentiality}). This is probably the best approach in all cases.
+@cindex integrity
+@cindex confidentiality
+
+@section Further reading
+
+The original paper on Kerberos from 1988 is @cite{Kerberos: An
+Authentication Service for Open Network Systems}, by Jennifer Steiner,
+Clifford Neuman and Jeffrey I. Schiller.
+
+A less technical description can be found in @cite{Designing an
+Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also
+from 1988.
+
+These documents can be found on our web-page at
+@url{http://www.pdc.kth.se/kth-krb/}.
diff --git a/crypto/heimdal/doc/win2k.texi b/crypto/heimdal/doc/win2k.texi
new file mode 100644
index 0000000..1d48677
--- /dev/null
+++ b/crypto/heimdal/doc/win2k.texi
@@ -0,0 +1,284 @@
+@c $Id: win2k.texi,v 1.13 2001/02/24 05:09:24 assar Exp $
+
+@node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top
+@comment  node-name,  next,  previous,  up
+@chapter Windows 2000 compatability
+
+Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
+Kerberos 5.  Their implementation, however, has some quirks,
+peculiarities, and bugs.  This chapter is a short summary of the things
+that we have found out while trying to test Heimdal against Windows
+2000.  Another big problem with the Kerberos implementation in Windows
+2000 is that the available documentation is more focused on getting
+things to work rather than how they work and not that useful in figuring
+out how things really work.
+
+This information should apply to Heimdal @value{VERSION} and Windows
+2000 Professional.  It's of course subject all the time and mostly consists of
+our not so inspired guesses.  Hopefully it's still somewhat useful.
+
+@menu
+* Configuring Windows 2000 to use a Heimdal KDC::  
+* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::  
+* Create account mappings::     
+* Encryption types::            
+* Authorization data::          
+* Quirks of Windows 2000 KDC::  
+* Useful links when reading about the Windows 2000::  
+@end menu
+
+@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
+@comment node-name, next, precious, up
+@section Configuring Windows 2000 to use a Heimdal KDC
+
+You need the command line program called @code{ksetup.exe} which is available
+in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
+CD-ROM. This program is used to configure the Kerberos settings on a
+Workstation.
+
+@code{Ksetup} store the domain information under the registry key:
+@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
+
+Use the kadmin program in Heimdal to create a host principal in the
+Kerberos realm.
+
+@example
+unix% kadmin
+kadmin> ank -pw password host/datan.my.domain
+@end example
+
+You must configure the Workstation as a member of a workgroup, as opposed
+to a member in an NT domain, and specify the KDC server of the realm
+as follows:
+@example
+C:> ksetup /setdomain MY.REALM
+C:> ksetup /addkdc MY.REALM kdc.my.domain
+@end example
+
+Set the machine password, i.e. create the local keytab:
+@example
+C:> ksetup /setmachpassword password
+@end example
+
+The workstation must now be rebooted.
+
+A mapping between local NT users and Kerberos principals must be specified,
+you have two choices:
+
+@example
+C:> ksetup /mapuser user@@MY.REALM nt_user
+@end example
+
+This will map a user to a specific principal, this allows you to have
+other usernames in the realm than in your NT user database. (Don't ask
+me why on earth you would want that...)
+
+You can also say:
+@example
+C:> ksetup /mapuser * *
+@end example
+The Windows machine will now map any user to the corresponding principal,
+for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
+(This is most likely what you want.)
+
+@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
+@comment node-name, next, precious, up
+@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
+
+See also the Step-by-Step guide from Microsoft, referenced below.
+
+Install Windows 2000, and create a new controller (Active Directory
+Server) for the domain.
+
+By default the trust will be non-transitive. This means that only users
+directly from the trusted domain may authenticate. This can be changed
+to transitive by using the @code{netdom.exe} tool.
+
+You need to tell Windows 2000 on what hosts to find the KDCs for the
+non-Windows realm with @code{ksetup}, see @xref{Configuring Windows 2000
+to use a Heimdal KDC}.
+
+This need to be done on all computers that want enable cross-realm
+login with @code{Mapped Names}.
+
+Then you need to add the inter-realm keys on the Windows kdc. Start the
+Domain Tree Management tool. (Found in Programs, Administrative tools,
+Active Directory Domains and Trusts).
+
+Right click on Properties of your domain, select the Trust tab.  Press
+Add on the appropriate trust windows and enter domain name and
+password. When prompted if this is a non-Windows Kerberos realm, press
+OK.
+
+Do not forget to add trusts in both directions.
+
+You also need to add the inter-realm keys to the Heimdal KDC. There are
+some tweaks that you need to do to @file{krb5.conf} beforehand.
+
+@example
+[libdefaults]
+	default_etypes = des-cbc-crc
+	default_etypes_des = des-cbc-crc
+@end example
+
+since otherwise checksum types that are not understood by Windows 2000
+will be generated (@xref{Quirks of Windows 2000 KDC}.).
+
+Another issue is salting.  Since Windows 2000 does not seem to
+understand Kerberos 4 salted hashes you might need to turn off anything
+similar to the following if you have it, at least while adding the
+principals that are going to share keys with Windows 2000.
+
+@example
+	[kadmin]default_keys = des3:pw-salt des:pw-salt des:pw-salt:
+@end example
+
+You must also set:
+
+Once that is also done, you can add the required inter-realm keys:
+
+@example
+kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
+kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM
+@end example
+
+Use the same passwords for both keys.
+
+Do not forget to reboot before trying the new realm-trust (after running
+@code{ksetup}). It looks like it might work, but packets are never sent to the
+non-Windows KDC.
+
+@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
+@comment node-name, next, precious, up
+@section Create account mappings
+
+Start the @code{Active Directory Users and Computers} tool. Select the
+View menu, that is in the left corner just below the real menu (or press
+Alt-V), and select Advanced Features. Right click on the user that you
+are going to do a name mapping for and choose Name mapping.
+
+Click on the Kerberos Names tab and add a new principal from the
+non-Windows domain.
+
+@node Encryption types, Authorization data, Create account mappings, Windows 2000 compatability
+@comment  node-name,  next,  previous,  up
+@section Encryption types
+
+Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
+des-cbc-md5) and its own proprietary encryption that is based on MD4 and
+rc4 that is documented in and is supposed to be described in
+@file{draft-brezak-win2k-krb-rc4-hmac-03.txt}.  New users will get both
+MD4 and DES keys.  Users that are converted from a NT4 database, will
+only have MD4 passwords and will need a password change to get a DES
+key.
+
+Heimdal implements both of these encryption types, but since DES is the
+standard and the hmac-code is somewhat newer, it is likely to work better.
+
+@node Authorization data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability
+@comment  node-name,  next,  previous,  up
+@section Authorization data
+
+The Windows 2000 KDC also adds extra authorization data in tickets.
+It is at this point unclear what triggers it to do this.  The format of
+this data is only available under a ``secret'' license from Microsoft,
+which prohibits you implementing it.
+
+A simple way of getting hold of the data to be able to understand it
+better is described here.
+
+@enumerate
+@item Find the client example on using the SSPI in the SDK documentation.
+@item Change ``AuthSamp'' in the source code to lowercase.
+@item Build the program.
+@item Add the ``authsamp'' principal with a known password to the
+database.  Make sure it has a DES key.
+@item Run @kbd{ktutil add} to add the key for that principal to a
+keytab.
+@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
+--dump-auth=file} where file is an appropriate file.
+@item It should authenticate and dump for you the authorization data in
+the file.
+@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
+analyzing the data.
+@end enumerate
+
+@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorization data, Windows 2000 compatability
+@comment  node-name,  next,  previous,  up
+@section Quirks of Windows 2000 KDC
+
+There are some issues with salts and Windows 2000.  Using an empty salt,
+which is the only one that Kerberos 4 supported and is therefore known
+as a Kerberos 4 compatible salt does not work, as far as we can tell
+from out experiments and users reports.  Therefore, you have to make
+sure you keep around keys with all the different types of salts that are
+required.
+
+Microsoft seems also to have forgotten to implement the checksum
+algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make Name
+mapping (@pxref{Create account mappings}) fail if a @code{des-cbc-md5} key
+is used. To make the KDC return only @code{des-cbc-crc} you must delete
+the @code{des-cbc-md5} key from the kdc using the @code{kadmin
+del_enctype} command.
+
+@example
+kadmin del_enctype lha des-cbc-md5
+@end example
+
+You should also add the following entries to the @file{krb5.conf} file:
+
+@example
+[libdefaults]
+	default_etypes = des-cbc-crc
+	default_etypes_des = des-cbc-crc
+@end example
+
+These configuration options will make sure that no checksums of the
+unsupported types are generated.
+
+@node Useful links when reading about the Windows 2000,  , Quirks of Windows 2000 KDC, Windows 2000 compatability
+@comment  node-name,  next,  previous,  up
+@section Useful links when reading about the Windows 2000
+
+There are lots of text about Kerberos on Microsoft's web site, here is a
+short list of the interesting documents that we have managed to find.
+
+@itemize @bullet
+
+@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability -
+@url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp}
+Kerberos GSS-API (in Windows-ize SSPI), Windows as a client in a
+non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and
+adding cross-realm trust (@xref{Inter-Realm keys (trust) between Windows 2000
+and a Heimdal KDC}.).
+
+@item Windows 2000 Kerberos Authentication - 
+@url{http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp}
+White paper that describes how Kerberos is used in Windows 2000.
+
+@item Overview of kerberos -
+@url{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP}
+Links to useful other links.
+
+@item Klist for windows - 
+@url{http://msdn.microsoft.com/library/periodic/period00/security0500.htm}
+Describes where to get a klist for Windows 2000.
+
+@item Event logging for kerberos -
+@url{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}.
+Basicly it say that you can add a registry key
+@code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel}
+with value DWORD equal to 1, and then you'll get logging in the Event
+Logger.
+
+@item Access to the active directory through LDAP
+@url{http://msdn.microsoft.com/library/techart/kerberossamp.htm}
+
+@end itemize
+
+Other useful programs include these:
+
+@itemize @bullet
+@item pwdump2
+@url{http://www.webspan.net/~tas/pwdump2/}
+@end itemize
diff --git a/crypto/heimdal/etc/services.append b/crypto/heimdal/etc/services.append
new file mode 100644
index 0000000..0d4559a
--- /dev/null
+++ b/crypto/heimdal/etc/services.append
@@ -0,0 +1,29 @@
+#
+# $Id: services.append,v 1.5 2000/06/07 02:52:51 assar Exp $
+#
+# Kerberos services
+#
+kerberos	88/udp		kerberos-sec	# Kerberos v5 UDP
+kerberos	88/tcp		kerberos-sec	# Kerberos v5 TCP
+kpasswd		464/udp				# password changing
+kpasswd		464/tdp				# password changing
+klogin		543/tcp				# Kerberos authenticated rlogin
+kshell		544/tcp		krcmd		# and remote shell
+ekshell		545/tcp		      # Kerberos encrypted remote shell -kfall
+ekshell2	2106/tcp	      # What U of Colorado @ Boulder uses?
+kerberos-adm	749/udp				# v5 kadmin
+kerberos-adm	749/tcp				# v5 kadmin
+kerberos-iv	750/udp		kdc		# Kerberos authentication--udp
+kerberos-iv	750/tcp		kdc		# Kerberos authentication--tcp
+kerberos_master 751/udp				# v4 kadmin
+kerberos_master 751/tcp				# v4 kadmin
+krb_prop	754/tcp		hprop		# Kerberos slave propagation
+kpop		1109/tcp			# Pop with Kerberos
+eklogin		2105/tcp			# Kerberos encrypted rlogin
+rkinit		2108/tcp			# Kerberos remote kinit
+kf		2110/tcp			# forward credentials
+kx		2111/tcp			# X over kerberos
+kip		2112/tcp			# IP over kerberos
+kauth		2120/tcp			# Remote kauth
+iprop		2121/tcp			# incremental propagation
+krb524		4444/udp			# MIT 5->4
diff --git a/crypto/heimdal/include/Makefile.am b/crypto/heimdal/include/Makefile.am
new file mode 100644
index 0000000..8ca0f75
--- /dev/null
+++ b/crypto/heimdal/include/Makefile.am
@@ -0,0 +1,51 @@
+# $Id: Makefile.am,v 1.31 2000/07/02 16:08:29 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = kadm5
+
+noinst_PROGRAMS = bits
+CHECK_LOCAL =
+
+INCLUDES = -DHOST=\"$(CANONICAL_HOST)\"
+
+include_HEADERS = krb5-types.h
+
+krb5-types.h: bits$(EXEEXT)
+	./bits$(EXEEXT) krb5-types.h
+
+CLEANFILES =		\
+	asn1.h		\
+	asn1_err.h	\
+	base64.h	\
+	com_err.h	\
+	com_right.h	\
+	der.h		\
+	des.h		\
+	editline.h	\
+	err.h		\
+	getarg.h	\
+	glob.h		\
+	gssapi.h	\
+	hdb.h		\
+	hdb_asn1.h	\
+	hdb_err.h	\
+	heim_err.h	\
+	kafs.h		\
+	krb5-protos.h	\
+	krb5-private.h	\
+	krb5-types.h	\
+	krb5.h		\
+	krb5_err.h	\
+	md4.h		\
+	md5.h		\
+	rc4.h		\
+	otp.h		\
+	parse_time.h	\
+	parse_units.h	\
+	resolve.h	\
+	roken-common.h	\
+	roken.h		\
+	sha.h		\
+	sl.h		\
+	xdbm.h
diff --git a/crypto/heimdal/include/Makefile.in b/crypto/heimdal/include/Makefile.in
new file mode 100644
index 0000000..b335bc8
--- /dev/null
+++ b/crypto/heimdal/include/Makefile.in
@@ -0,0 +1,727 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.31 2000/07/02 16:08:29 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -DHOST=\"$(CANONICAL_HOST)\"
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+CHECK_LOCAL = 
+
+SUBDIRS = kadm5
+
+noinst_PROGRAMS = bits
+
+include_HEADERS = krb5-types.h
+
+CLEANFILES = \
+	asn1.h		\
+	asn1_err.h	\
+	base64.h	\
+	com_err.h	\
+	com_right.h	\
+	der.h		\
+	des.h		\
+	editline.h	\
+	err.h		\
+	getarg.h	\
+	glob.h		\
+	gssapi.h	\
+	hdb.h		\
+	hdb_asn1.h	\
+	hdb_err.h	\
+	heim_err.h	\
+	kafs.h		\
+	krb5-protos.h	\
+	krb5-private.h	\
+	krb5-types.h	\
+	krb5.h		\
+	krb5_err.h	\
+	md4.h		\
+	md5.h		\
+	rc4.h		\
+	otp.h		\
+	parse_time.h	\
+	parse_units.h	\
+	resolve.h	\
+	roken-common.h	\
+	roken.h		\
+	sha.h		\
+	sl.h		\
+	xdbm.h
+
+subdir = include
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = config.h
+CONFIG_CLEAN_FILES = 
+noinst_PROGRAMS =  bits$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I.
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+bits_SOURCES = bits.c
+bits_OBJECTS =  bits.$(OBJEXT)
+bits_LDADD = $(LDADD)
+bits_DEPENDENCIES = 
+bits_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  bits.c
+HEADERS =  $(include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ./stamp-h.in Makefile.am Makefile.in \
+config.h.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+DIST_SUBDIRS =  $(SUBDIRS)
+SOURCES = bits.c
+OBJECTS = bits.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign include/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+config.h: stamp-h
+	@if test ! -f $@; then \
+		rm -f stamp-h; \
+		$(MAKE) stamp-h; \
+	else :; fi
+stamp-h: $(srcdir)/config.h.in $(top_builddir)/config.status
+	@rm -f stamp-h stamp-hT
+	@echo timestamp > stamp-hT 2> /dev/null
+	cd $(top_builddir) \
+	  && CONFIG_FILES= CONFIG_HEADERS=include/config.h \
+	     $(SHELL) ./config.status
+	@mv stamp-hT stamp-h
+$(srcdir)/config.h.in: $(srcdir)/./stamp-h.in
+	@if test ! -f $@; then \
+		rm -f $(srcdir)/./stamp-h.in; \
+		$(MAKE) $(srcdir)/./stamp-h.in; \
+	else :; fi
+$(srcdir)/./stamp-h.in: $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/acconfig.h
+	@rm -f $(srcdir)/./stamp-h.in $(srcdir)/./stamp-h.inT
+	@echo timestamp > $(srcdir)/./stamp-h.inT 2> /dev/null
+	cd $(top_srcdir) && $(AUTOHEADER)
+	@mv $(srcdir)/./stamp-h.inT $(srcdir)/./stamp-h.in
+
+mostlyclean-hdr:
+
+clean-hdr:
+
+distclean-hdr:
+	-rm -f config.h
+
+maintainer-clean-hdr:
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+bits$(EXEEXT): $(bits_OBJECTS) $(bits_DEPENDENCIES)
+	@rm -f bits$(EXEEXT)
+	$(LINK) $(bits_LDFLAGS) $(bits_OBJECTS) $(bits_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)config.h.in$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags config.h.in $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	for subdir in $(SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+all-recursive-am: config.h
+	$(MAKE) $(AM_MAKEFLAGS) all-recursive
+
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am: uninstall-includeHEADERS
+uninstall: uninstall-recursive
+all-am: Makefile $(PROGRAMS) $(HEADERS) config.h all-local
+all-redirect: all-recursive-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+	$(mkinstalldirs)  $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-hdr mostlyclean-noinstPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-hdr clean-noinstPROGRAMS clean-compile clean-libtool \
+		clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-hdr distclean-noinstPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-hdr \
+		maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: mostlyclean-hdr distclean-hdr clean-hdr maintainer-clean-hdr \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool uninstall-includeHEADERS \
+install-includeHEADERS install-recursive uninstall-recursive \
+install-data-recursive uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+all-recursive-am install-exec-am install-exec install-data-local \
+install-data-am install-data install-am install uninstall-am uninstall \
+all-local all-redirect all-am all install-strip installdirs-am \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+krb5-types.h: bits$(EXEEXT)
+	./bits$(EXEEXT) krb5-types.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/include/bits.c b/crypto/heimdal/include/bits.c
new file mode 100644
index 0000000..0c8fcdd
--- /dev/null
+++ b/crypto/heimdal/include/bits.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: bits.c,v 1.18 2000/08/27 05:42:46 assar Exp $");
+#endif
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#define BITSIZE(TYPE)						\
+{								\
+    int b = 0; TYPE x = 1, zero = 0; char *pre = "u";		\
+    char tmp[128], tmp2[128];					\
+    while(x){ x <<= 1; b++; if(x < zero) pre=""; }		\
+    if(b >= len){						\
+        int tabs;						\
+	sprintf(tmp, "%sint%d_t" , pre, len);			\
+	sprintf(tmp2, "typedef %s %s;", #TYPE, tmp);		\
+	tabs = 5 - strlen(tmp2) / 8;				\
+        fprintf(f, "%s", tmp2);					\
+	while(tabs-- > 0) fprintf(f, "\t");			\
+	fprintf(f, "/* %2d bits */\n", b);			\
+        return;                                                 \
+    }								\
+}
+
+#ifndef HAVE___ATTRIBUTE__
+#define __attribute__(x)
+#endif
+
+static void
+try_signed(FILE *f, int len)  __attribute__ ((unused));
+
+static void
+try_unsigned(FILE *f, int len) __attribute__ ((unused));
+
+static int
+print_bt(FILE *f, int flag) __attribute__ ((unused));
+
+static void
+try_signed(FILE *f, int len)
+{
+    BITSIZE(signed char);
+    BITSIZE(short);
+    BITSIZE(int);
+    BITSIZE(long);
+#ifdef HAVE_LONG_LONG
+    BITSIZE(long long);
+#endif
+    fprintf(f, "/* There is no %d bit type */\n", len);
+}
+
+static void
+try_unsigned(FILE *f, int len)
+{
+    BITSIZE(unsigned char);
+    BITSIZE(unsigned short);
+    BITSIZE(unsigned int);
+    BITSIZE(unsigned long);
+#ifdef HAVE_LONG_LONG
+    BITSIZE(unsigned long long);
+#endif
+    fprintf(f, "/* There is no %d bit type */\n", len);
+}
+
+static int
+print_bt(FILE *f, int flag)
+{
+    if(flag == 0){
+	fprintf(f, "/* For compatibility with various type definitions */\n");
+	fprintf(f, "#ifndef __BIT_TYPES_DEFINED__\n");
+	fprintf(f, "#define __BIT_TYPES_DEFINED__\n");
+	fprintf(f, "\n");
+    }
+    return 1;
+}
+
+int main(int argc, char **argv)
+{
+    FILE *f;
+    int flag;
+    char *fn, *hb;
+    
+    if(argc < 2){
+	fn = "bits.h";
+	hb = "__BITS_H__";
+	f = stdout;
+    } else {
+	char *p;
+	fn = argv[1];
+	hb = malloc(strlen(fn) + 5);
+	sprintf(hb, "__%s__", fn);
+	for(p = hb; *p; p++){
+	    if(!isalnum((unsigned char)*p))
+		*p = '_';
+	}
+	f = fopen(argv[1], "w");
+    }
+    fprintf(f, "/* %s -- this file was generated for %s by\n", fn, HOST);
+    fprintf(f, "   %*s    %s */\n\n", (int)strlen(fn), "", 
+	    "$Id: bits.c,v 1.18 2000/08/27 05:42:46 assar Exp $");
+    fprintf(f, "#ifndef %s\n", hb);
+    fprintf(f, "#define %s\n", hb);
+    fprintf(f, "\n");
+#ifdef HAVE_SYS_TYPES_H
+    fprintf(f, "#include <sys/types.h>\n");
+#endif
+#ifdef HAVE_INTTYPES_H
+    fprintf(f, "#include <inttypes.h>\n");
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+    fprintf(f, "#include <sys/bitypes.h>\n");
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+    fprintf(f, "#include <bind/bitypes.h>\n");
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+    fprintf(f, "#include <netinet/in6_machtypes.h>\n");
+#endif
+    fprintf(f, "\n");
+
+    flag = 0;
+#ifndef HAVE_INT8_T
+    flag = print_bt(f, flag);
+    try_signed (f, 8);
+#endif /* HAVE_INT8_T */
+#ifndef HAVE_INT16_T
+    flag = print_bt(f, flag);
+    try_signed (f, 16);
+#endif /* HAVE_INT16_T */
+#ifndef HAVE_INT32_T
+    flag = print_bt(f, flag);
+    try_signed (f, 32);
+#endif /* HAVE_INT32_T */
+#if 0
+#ifndef HAVE_INT64_T
+    flag = print_bt(f, flag);
+    try_signed (f, 64);
+#endif /* HAVE_INT64_T */
+#endif
+
+#ifndef HAVE_UINT8_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 8);
+#endif /* HAVE_UINT8_T */
+#ifndef HAVE_UINT16_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 16);
+#endif /* HAVE_UINT16_T */
+#ifndef HAVE_UINT32_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 32);
+#endif /* HAVE_UINT32_T */
+#if 0
+#ifndef HAVE_UINT64_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 64);
+#endif /* HAVE_UINT64_T */
+#endif
+
+#define X(S) fprintf(f, "typedef uint" #S "_t u_int" #S "_t;\n")
+#ifndef HAVE_U_INT8_T
+    flag = print_bt(f, flag);
+    X(8);
+#endif /* HAVE_U_INT8_T */
+#ifndef HAVE_U_INT16_T
+    flag = print_bt(f, flag);
+    X(16);
+#endif /* HAVE_U_INT16_T */
+#ifndef HAVE_U_INT32_T
+    flag = print_bt(f, flag);
+    X(32);
+#endif /* HAVE_U_INT32_T */
+#if 0
+#ifndef HAVE_U_INT64_T
+    flag = print_bt(f, flag);
+    X(64);
+#endif /* HAVE_U_INT64_T */
+#endif
+
+    if(flag){
+	fprintf(f, "\n");
+	fprintf(f, "#endif /* __BIT_TYPES_DEFINED__ */\n\n");
+    }
+    fprintf(f, "#endif /* %s */\n", hb);
+    return 0;
+}
diff --git a/crypto/heimdal/include/config.h.in b/crypto/heimdal/include/config.h.in
new file mode 100644
index 0000000..151344d
--- /dev/null
+++ b/crypto/heimdal/include/config.h.in
@@ -0,0 +1,1304 @@
+/* include/config.h.in.  Generated automatically from configure.in by autoheader.  */
+
+#ifndef RCSID
+#define RCSID(msg) static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+#endif
+
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+
+
+/* Define if you want authentication support in telnet. */
+#undef AUTHENTICATION
+
+/* Define if realloc(NULL) doesn't work. */
+#undef BROKEN_REALLOC
+
+/* Define if you want support for DCE/DFS PAG's. */
+#undef DCE
+
+/* Define if you want to use DES encryption in telnet. */
+#undef DES_ENCRYPTION
+
+/* Define this to enable diagnostics in telnet. */
+#undef DIAGNOSTICS
+
+/* Define if you want encryption support in telnet. */
+#undef ENCRYPTION
+
+/* define if sys/param.h defines the endiness */
+#undef ENDIANESS_IN_SYS_PARAM_H
+
+/* Define this if you want support for broken ENV_{VAR,VAL} telnets. */
+#undef ENV_HACK
+
+/* define if prototype of gethostbyaddr is compatible with struct hostent
+   *gethostbyaddr(const void *, size_t, int) */
+#undef GETHOSTBYADDR_PROTO_COMPATIBLE
+
+/* define if prototype of gethostbyname is compatible with struct hostent
+   *gethostbyname(const char *) */
+#undef GETHOSTBYNAME_PROTO_COMPATIBLE
+
+/* define if prototype of getservbyname is compatible with struct servent
+   *getservbyname(const char *, const char *) */
+#undef GETSERVBYNAME_PROTO_COMPATIBLE
+
+/* define if prototype of getsockname is compatible with int getsockname(int,
+   struct sockaddr*, socklen_t*) */
+#undef GETSOCKNAME_PROTO_COMPATIBLE
+
+/* Define if you have the <arpa/ftp.h> header file. */
+#undef HAVE_ARPA_FTP_H
+
+/* Define if you have the <arpa/inet.h> header file. */
+#undef HAVE_ARPA_INET_H
+
+/* Define if you have the <arpa/nameser.h> header file. */
+#undef HAVE_ARPA_NAMESER_H
+
+/* Define if you have the <arpa/telnet.h> header file. */
+#undef HAVE_ARPA_TELNET_H
+
+/* Define if you have the `asnprintf' function. */
+#undef HAVE_ASNPRINTF
+
+/* Define if you have the `asprintf' function. */
+#undef HAVE_ASPRINTF
+
+/* Define if you have the <bind/bitypes.h> header file. */
+#undef HAVE_BIND_BITYPES_H
+
+/* Define if you have the <bsdsetjmp.h> header file. */
+#undef HAVE_BSDSETJMP_H
+
+/* Define if you have the `bswap16' function. */
+#undef HAVE_BSWAP16
+
+/* Define if you have the `bswap32' function. */
+#undef HAVE_BSWAP32
+
+/* Define if you have the <capability.h> header file. */
+#undef HAVE_CAPABILITY_H
+
+/* Define if you have the `cap_set_proc' function. */
+#undef HAVE_CAP_SET_PROC
+
+/* Define if you have the `cgetent' function. */
+#undef HAVE_CGETENT
+
+/* Define if you have the `chown' function. */
+#undef HAVE_CHOWN
+
+/* Define if you have the <config.h> header file. */
+#undef HAVE_CONFIG_H
+
+/* Define if you have the `copyhostent' function. */
+#undef HAVE_COPYHOSTENT
+
+/* Define if you have the `crypt' function. */
+#undef HAVE_CRYPT
+
+/* Define if you have the <crypt.h> header file. */
+#undef HAVE_CRYPT_H
+
+/* Define if you have the <curses.h> header file. */
+#undef HAVE_CURSES_H
+
+/* Define if you have the `daemon' function. */
+#undef HAVE_DAEMON
+
+/* Define if you have the `dbm_firstkey' function. */
+#undef HAVE_DBM_FIRSTKEY
+
+/* Define if you have the <dbm.h> header file. */
+#undef HAVE_DBM_H
+
+/* Define if you have the `dbopen' function. */
+#undef HAVE_DBOPEN
+
+/* Define if you have the <db_185.h> header file. */
+#undef HAVE_DB_185_H
+
+/* Define if you have the `db_create' function. */
+#undef HAVE_DB_CREATE
+
+/* Define if you have the <db.h> header file. */
+#undef HAVE_DB_H
+
+/* Define if you have the `des_cbc_encrypt' function. */
+#undef HAVE_DES_CBC_ENCRYPT
+
+/* Define if you have the <dirent.h> header file. */
+#undef HAVE_DIRENT_H
+
+/* Define if you have the <dlfcn.h> header file. */
+#undef HAVE_DLFCN_H
+
+/* Define if you have the `dlopen' function. */
+#undef HAVE_DLOPEN
+
+/* Define if you have the `dn_expand' function. */
+#undef HAVE_DN_EXPAND
+
+/* Define if you have the `el_init' function. */
+#undef HAVE_EL_INIT
+
+/* define if your system declares environ */
+#undef HAVE_ENVIRON_DECLARATION
+
+/* Define if you have the `err' function. */
+#undef HAVE_ERR
+
+/* Define if you have the <errno.h> header file. */
+#undef HAVE_ERRNO_H
+
+/* Define if you have the `errx' function. */
+#undef HAVE_ERRX
+
+/* Define if you have the <err.h> header file. */
+#undef HAVE_ERR_H
+
+/* Define if you have the `fchown' function. */
+#undef HAVE_FCHOWN
+
+/* Define if you have the `fcntl' function. */
+#undef HAVE_FCNTL
+
+/* Define if you have the <fcntl.h> header file. */
+#undef HAVE_FCNTL_H
+
+/* Define if you have the `flock' function. */
+#undef HAVE_FLOCK
+
+/* Define if you have the `fnmatch' function. */
+#undef HAVE_FNMATCH
+
+/* Define if you have the <fnmatch.h> header file. */
+#undef HAVE_FNMATCH_H
+
+/* Define if el_init takes four arguments. */
+#undef HAVE_FOUR_VALUED_EL_INIT
+
+/* define if krb_put_int takes four arguments. */
+#undef HAVE_FOUR_VALUED_KRB_PUT_INT
+
+/* Define if you have the `freeaddrinfo' function. */
+#undef HAVE_FREEADDRINFO
+
+/* Define if you have the `freehostent' function. */
+#undef HAVE_FREEHOSTENT
+
+/* Define if you have the `gai_strerror' function. */
+#undef HAVE_GAI_STRERROR
+
+/* Define if you have the <gdbm/ndbm.h> header file. */
+#undef HAVE_GDBM_NDBM_H
+
+/* Define if you have the `getaddrinfo' function. */
+#undef HAVE_GETADDRINFO
+
+/* Define if you have the `getconfattr' function. */
+#undef HAVE_GETCONFATTR
+
+/* Define if you have the `getcwd' function. */
+#undef HAVE_GETCWD
+
+/* Define if you have the `getdtablesize' function. */
+#undef HAVE_GETDTABLESIZE
+
+/* Define if you have the `getegid' function. */
+#undef HAVE_GETEGID
+
+/* Define if you have the `geteuid' function. */
+#undef HAVE_GETEUID
+
+/* Define if you have the `getgid' function. */
+#undef HAVE_GETGID
+
+/* Define if you have the `gethostbyname' function. */
+#undef HAVE_GETHOSTBYNAME
+
+/* Define if you have the `gethostbyname2' function. */
+#undef HAVE_GETHOSTBYNAME2
+
+/* Define if you have the `gethostname' function. */
+#undef HAVE_GETHOSTNAME
+
+/* Define if you have the `getifaddrs' function. */
+#undef HAVE_GETIFADDRS
+
+/* Define if you have the `getipnodebyaddr' function. */
+#undef HAVE_GETIPNODEBYADDR
+
+/* Define if you have the `getipnodebyname' function. */
+#undef HAVE_GETIPNODEBYNAME
+
+/* Define if you have the `getlogin' function. */
+#undef HAVE_GETLOGIN
+
+/* Define if you have a working getmsg. */
+#undef HAVE_GETMSG
+
+/* Define if you have the `getnameinfo' function. */
+#undef HAVE_GETNAMEINFO
+
+/* Define if you have the `getopt' function. */
+#undef HAVE_GETOPT
+
+/* Define if you have the `getprogname' function. */
+#undef HAVE_GETPROGNAME
+
+/* Define if you have the `getpwnam_r' function. */
+#undef HAVE_GETPWNAM_R
+
+/* Define if you have the `getrlimit' function. */
+#undef HAVE_GETRLIMIT
+
+/* Define if you have the `getsockopt' function. */
+#undef HAVE_GETSOCKOPT
+
+/* Define if you have the `getspnam' function. */
+#undef HAVE_GETSPNAM
+
+/* Define if you have the `gettimeofday' function. */
+#undef HAVE_GETTIMEOFDAY
+
+/* Define if you have the `getudbnam' function. */
+#undef HAVE_GETUDBNAM
+
+/* Define if you have the `getuid' function. */
+#undef HAVE_GETUID
+
+/* Define if you have the `getusershell' function. */
+#undef HAVE_GETUSERSHELL
+
+/* define if you have a glob() that groks GLOB_BRACE, GLOB_NOCHECK,
+   GLOB_QUOTE, GLOB_TILDE, and GLOB_LIMIT */
+#undef HAVE_GLOB
+
+/* Define if you have the `grantpt' function. */
+#undef HAVE_GRANTPT
+
+/* Define if you have the <grp.h> header file. */
+#undef HAVE_GRP_H
+
+/* Define if you have the `hstrerror' function. */
+#undef HAVE_HSTRERROR
+
+/* Define if you have the `h_errlist' variable. */
+#undef HAVE_H_ERRLIST
+
+/* define if your system declares h_errlist */
+#undef HAVE_H_ERRLIST_DECLARATION
+
+/* Define if you have the `h_errno' variable. */
+#undef HAVE_H_ERRNO
+
+/* define if your system declares h_errno */
+#undef HAVE_H_ERRNO_DECLARATION
+
+/* Define if you have the `h_nerr' variable. */
+#undef HAVE_H_NERR
+
+/* define if your system declares h_nerr */
+#undef HAVE_H_NERR_DECLARATION
+
+/* Define if you have the <ifaddrs.h> header file. */
+#undef HAVE_IFADDRS_H
+
+/* Define if you have the `inet_aton' function. */
+#undef HAVE_INET_ATON
+
+/* Define if you have the `inet_ntop' function. */
+#undef HAVE_INET_NTOP
+
+/* Define if you have the `inet_pton' function. */
+#undef HAVE_INET_PTON
+
+/* Define if you have the `initgroups' function. */
+#undef HAVE_INITGROUPS
+
+/* Define if you have the `innetgr' function. */
+#undef HAVE_INNETGR
+
+/* Define if you have the <inttypes.h> header file. */
+#undef HAVE_INTTYPES_H
+
+/* Define if you have the <io.h> header file. */
+#undef HAVE_IO_H
+
+/* Define if you have IPv6. */
+#undef HAVE_IPV6
+
+/* Define if you have the `iruserok' function. */
+#undef HAVE_IRUSEROK
+
+/* Define if you have the `krb_disable_debug' function. */
+#undef HAVE_KRB_DISABLE_DEBUG
+
+/* Define if you have the `krb_enable_debug' function. */
+#undef HAVE_KRB_ENABLE_DEBUG
+
+/* Define if you have the `krb_get_our_ip_for_realm' function. */
+#undef HAVE_KRB_GET_OUR_IP_FOR_REALM
+
+/* Define if you have the <limits.h> header file. */
+#undef HAVE_LIMITS_H
+
+/* Define if you have the `logwtmp' function. */
+#undef HAVE_LOGWTMP
+
+/* Define if the system has the type `long long'. */
+#undef HAVE_LONG_LONG
+
+/* Define if you have the `lstat' function. */
+#undef HAVE_LSTAT
+
+/* Define if you have the <maillock.h> header file. */
+#undef HAVE_MAILLOCK_H
+
+/* Define if you have the `MD4_Init' function. */
+#undef HAVE_MD4_INIT
+
+/* Define if you have the `MD5_Init' function. */
+#undef HAVE_MD5_INIT
+
+/* Define if you have the `memmove' function. */
+#undef HAVE_MEMMOVE
+
+/* Define if you have the `mkstemp' function. */
+#undef HAVE_MKSTEMP
+
+/* Define if you have the `mktime' function. */
+#undef HAVE_MKTIME
+
+/* Define if you have the <ndbm.h> header file. */
+#undef HAVE_NDBM_H
+
+/* Define if you have the <netdb.h> header file. */
+#undef HAVE_NETDB_H
+
+/* Define if you have the <netinet6/in6.h> header file. */
+#undef HAVE_NETINET6_IN6_H
+
+/* Define if you have the <netinet6/in6_var.h> header file. */
+#undef HAVE_NETINET6_IN6_VAR_H
+
+/* Define if you have the <netinet/in6.h> header file. */
+#undef HAVE_NETINET_IN6_H
+
+/* Define if you have the <netinet/in6_machtypes.h> header file. */
+#undef HAVE_NETINET_IN6_MACHTYPES_H
+
+/* Define if you have the <netinet/in6_var.h> header file. */
+#undef HAVE_NETINET_IN6_VAR_H
+
+/* Define if you have the <netinet/in.h> header file. */
+#undef HAVE_NETINET_IN_H
+
+/* Define if you have the <netinet/in_systm.h> header file. */
+#undef HAVE_NETINET_IN_SYSTM_H
+
+/* Define if you have the <netinet/ip.h> header file. */
+#undef HAVE_NETINET_IP_H
+
+/* Define if you have the <netinet/tcp.h> header file. */
+#undef HAVE_NETINET_TCP_H
+
+/* Define if you want to use Netinfo instead of krb5.conf. */
+#undef HAVE_NETINFO
+
+/* Define if you have the <netinfo/ni.h> header file. */
+#undef HAVE_NETINFO_NI_H
+
+/* Define if you have the <net/if.h> header file. */
+#undef HAVE_NET_IF_H
+
+/* Define if you have the <openssl/des.h> header file. */
+#undef HAVE_OPENSSL_DES_H
+
+/* Define if you have the <openssl/md4.h> header file. */
+#undef HAVE_OPENSSL_MD4_H
+
+/* Define if you have the <openssl/md5.h> header file. */
+#undef HAVE_OPENSSL_MD5_H
+
+/* Define if you have the <openssl/rc4.h> header file. */
+#undef HAVE_OPENSSL_RC4_H
+
+/* Define if you have the <openssl/sha.h> header file. */
+#undef HAVE_OPENSSL_SHA_H
+
+/* define if your system declares optarg */
+#undef HAVE_OPTARG_DECLARATION
+
+/* define if your system declares opterr */
+#undef HAVE_OPTERR_DECLARATION
+
+/* define if your system declares optind */
+#undef HAVE_OPTIND_DECLARATION
+
+/* define if your system declares optopt */
+#undef HAVE_OPTOPT_DECLARATION
+
+/* Define to enable basic OSF C2 support. */
+#undef HAVE_OSFC2
+
+/* Define if you have the <paths.h> header file. */
+#undef HAVE_PATHS_H
+
+/* Define if you have the `pidfile' function. */
+#undef HAVE_PIDFILE
+
+/* Define if you have the <pthread.h> header file. */
+#undef HAVE_PTHREAD_H
+
+/* Define if you have the `ptsname' function. */
+#undef HAVE_PTSNAME
+
+/* Define if you have the <pty.h> header file. */
+#undef HAVE_PTY_H
+
+/* Define if you have the `putenv' function. */
+#undef HAVE_PUTENV
+
+/* Define if you have the <pwd.h> header file. */
+#undef HAVE_PWD_H
+
+/* Define if you have the `rand' function. */
+#undef HAVE_RAND
+
+/* Define if you have the `random' function. */
+#undef HAVE_RANDOM
+
+/* Define if you have the `RC4' function. */
+#undef HAVE_RC4
+
+/* Define if you have the `rcmd' function. */
+#undef HAVE_RCMD
+
+/* Define if you have a readline compatible library. */
+#undef HAVE_READLINE
+
+/* Define if you have the `readv' function. */
+#undef HAVE_READV
+
+/* Define if you have the `recvmsg' function. */
+#undef HAVE_RECVMSG
+
+/* Define if you have the <resolv.h> header file. */
+#undef HAVE_RESOLV_H
+
+/* Define if you have the `res_search' function. */
+#undef HAVE_RES_SEARCH
+
+/* Define if you have the `revoke' function. */
+#undef HAVE_REVOKE
+
+/* Define if you have the <rpcsvc/dbm.h> header file. */
+#undef HAVE_RPCSVC_DBM_H
+
+/* Define if you have the <rpcsvc/ypclnt.h> header file. */
+#undef HAVE_RPCSVC_YPCLNT_H
+
+/* Define if you have the <sac.h> header file. */
+#undef HAVE_SAC_H
+
+/* Define if the system has the type `sa_family_t'. */
+#undef HAVE_SA_FAMILY_T
+
+/* Define if you have the <security/pam_modules.h> header file. */
+#undef HAVE_SECURITY_PAM_MODULES_H
+
+/* Define if you have the `select' function. */
+#undef HAVE_SELECT
+
+/* Define if you have the `sendmsg' function. */
+#undef HAVE_SENDMSG
+
+/* Define if you have the `setegid' function. */
+#undef HAVE_SETEGID
+
+/* Define if you have the `setenv' function. */
+#undef HAVE_SETENV
+
+/* Define if you have the `seteuid' function. */
+#undef HAVE_SETEUID
+
+/* Define if you have the `setitimer' function. */
+#undef HAVE_SETITIMER
+
+/* Define if you have the `setlim' function. */
+#undef HAVE_SETLIM
+
+/* Define if you have the `setlogin' function. */
+#undef HAVE_SETLOGIN
+
+/* Define if you have the `setpcred' function. */
+#undef HAVE_SETPCRED
+
+/* Define if you have the `setpgid' function. */
+#undef HAVE_SETPGID
+
+/* Define if you have the `setproctitle' function. */
+#undef HAVE_SETPROCTITLE
+
+/* Define if you have the `setprogname' function. */
+#undef HAVE_SETPROGNAME
+
+/* Define if you have the `setregid' function. */
+#undef HAVE_SETREGID
+
+/* Define if you have the `setresgid' function. */
+#undef HAVE_SETRESGID
+
+/* Define if you have the `setresuid' function. */
+#undef HAVE_SETRESUID
+
+/* Define if you have the `setreuid' function. */
+#undef HAVE_SETREUID
+
+/* Define if you have the `setsid' function. */
+#undef HAVE_SETSID
+
+/* Define if you have the `setsockopt' function. */
+#undef HAVE_SETSOCKOPT
+
+/* Define if you have the `setutent' function. */
+#undef HAVE_SETUTENT
+
+/* Define if you have the `sgi_getcapabilitybyname' function. */
+#undef HAVE_SGI_GETCAPABILITYBYNAME
+
+/* Define if you have the <sgtty.h> header file. */
+#undef HAVE_SGTTY_H
+
+/* Define if you have the `SHA1_Init' function. */
+#undef HAVE_SHA1_INIT
+
+/* Define if you have the <shadow.h> header file. */
+#undef HAVE_SHADOW_H
+
+/* Define if you have the <siad.h> header file. */
+#undef HAVE_SIAD_H
+
+/* Define if you have the `sigaction' function. */
+#undef HAVE_SIGACTION
+
+/* Define if you have the <signal.h> header file. */
+#undef HAVE_SIGNAL_H
+
+/* define if you have a working snprintf */
+#undef HAVE_SNPRINTF
+
+/* Define if you have the `socket' function. */
+#undef HAVE_SOCKET
+
+/* Define if the system has the type `socklen_t'. */
+#undef HAVE_SOCKLEN_T
+
+/* Define if you have the <standards.h> header file. */
+#undef HAVE_STANDARDS_H
+
+/* Define if you have the `strcasecmp' function. */
+#undef HAVE_STRCASECMP
+
+/* Define if you have the `strdup' function. */
+#undef HAVE_STRDUP
+
+/* Define if you have the `strerror' function. */
+#undef HAVE_STRERROR
+
+/* Define if you have the `strftime' function. */
+#undef HAVE_STRFTIME
+
+/* Define if you have the `strlcat' function. */
+#undef HAVE_STRLCAT
+
+/* Define if you have the `strlcpy' function. */
+#undef HAVE_STRLCPY
+
+/* Define if you have the `strlwr' function. */
+#undef HAVE_STRLWR
+
+/* Define if you have the `strncasecmp' function. */
+#undef HAVE_STRNCASECMP
+
+/* Define if you have the `strndup' function. */
+#undef HAVE_STRNDUP
+
+/* Define if you have the `strnlen' function. */
+#undef HAVE_STRNLEN
+
+/* Define if you have the <stropts.h> header file. */
+#undef HAVE_STROPTS_H
+
+/* Define if you have the `strptime' function. */
+#undef HAVE_STRPTIME
+
+/* Define if you have the `strsep' function. */
+#undef HAVE_STRSEP
+
+/* Define if you have the `strsep_copy' function. */
+#undef HAVE_STRSEP_COPY
+
+/* Define if you have the `strstr' function. */
+#undef HAVE_STRSTR
+
+/* Define if you have the `strsvis' function. */
+#undef HAVE_STRSVIS
+
+/* Define if you have the `strtok_r' function. */
+#undef HAVE_STRTOK_R
+
+/* Define if the system has the type `struct addrinfo'. */
+#undef HAVE_STRUCT_ADDRINFO
+
+/* Define if the system has the type `struct ifaddrs'. */
+#undef HAVE_STRUCT_IFADDRS
+
+/* Define if the system has the type `struct sockaddr'. */
+#undef HAVE_STRUCT_SOCKADDR
+
+/* Define if struct sockaddr has field sa_len. */
+#undef HAVE_STRUCT_SOCKADDR_SA_LEN
+
+/* Define if the system has the type `struct sockaddr_storage'. */
+#undef HAVE_STRUCT_SOCKADDR_STORAGE
+
+/* define if you have struct spwd */
+#undef HAVE_STRUCT_SPWD
+
+/* Define if struct tm has field tm_gmtoff. */
+#undef HAVE_STRUCT_TM_TM_GMTOFF
+
+/* Define if struct tm has field tm_zone. */
+#undef HAVE_STRUCT_TM_TM_ZONE
+
+/* Define if struct utmpx has field ut_exit. */
+#undef HAVE_STRUCT_UTMPX_UT_EXIT
+
+/* Define if struct utmpx has field ut_syslen. */
+#undef HAVE_STRUCT_UTMPX_UT_SYSLEN
+
+/* Define if struct utmp has field ut_addr. */
+#undef HAVE_STRUCT_UTMP_UT_ADDR
+
+/* Define if struct utmp has field ut_host. */
+#undef HAVE_STRUCT_UTMP_UT_HOST
+
+/* Define if struct utmp has field ut_id. */
+#undef HAVE_STRUCT_UTMP_UT_ID
+
+/* Define if struct utmp has field ut_pid. */
+#undef HAVE_STRUCT_UTMP_UT_PID
+
+/* Define if struct utmp has field ut_type. */
+#undef HAVE_STRUCT_UTMP_UT_TYPE
+
+/* Define if struct utmp has field ut_user. */
+#undef HAVE_STRUCT_UTMP_UT_USER
+
+/* define if struct winsize is declared in sys/termios.h */
+#undef HAVE_STRUCT_WINSIZE
+
+/* Define if you have the `strunvis' function. */
+#undef HAVE_STRUNVIS
+
+/* Define if you have the `strupr' function. */
+#undef HAVE_STRUPR
+
+/* Define if you have the `strvis' function. */
+#undef HAVE_STRVIS
+
+/* Define if you have the `strvisx' function. */
+#undef HAVE_STRVISX
+
+/* Define if you have the `svis' function. */
+#undef HAVE_SVIS
+
+/* Define if you have the `swab' function. */
+#undef HAVE_SWAB
+
+/* Define if you have the `sysconf' function. */
+#undef HAVE_SYSCONF
+
+/* Define if you have the `sysctl' function. */
+#undef HAVE_SYSCTL
+
+/* Define if you have the `syslog' function. */
+#undef HAVE_SYSLOG
+
+/* Define if you have the <syslog.h> header file. */
+#undef HAVE_SYSLOG_H
+
+/* Define if you have the <sys/bitypes.h> header file. */
+#undef HAVE_SYS_BITYPES_H
+
+/* Define if you have the <sys/bswap.h> header file. */
+#undef HAVE_SYS_BSWAP_H
+
+/* Define if you have the <sys/capability.h> header file. */
+#undef HAVE_SYS_CAPABILITY_H
+
+/* Define if you have the <sys/category.h> header file. */
+#undef HAVE_SYS_CATEGORY_H
+
+/* Define if you have the <sys/file.h> header file. */
+#undef HAVE_SYS_FILE_H
+
+/* Define if you have the <sys/filio.h> header file. */
+#undef HAVE_SYS_FILIO_H
+
+/* Define if you have the <sys/ioccom.h> header file. */
+#undef HAVE_SYS_IOCCOM_H
+
+/* Define if you have the <sys/ioctl.h> header file. */
+#undef HAVE_SYS_IOCTL_H
+
+/* Define if you have the <sys/param.h> header file. */
+#undef HAVE_SYS_PARAM_H
+
+/* Define if you have the <sys/proc.h> header file. */
+#undef HAVE_SYS_PROC_H
+
+/* Define if you have the <sys/ptyio.h> header file. */
+#undef HAVE_SYS_PTYIO_H
+
+/* Define if you have the <sys/ptyvar.h> header file. */
+#undef HAVE_SYS_PTYVAR_H
+
+/* Define if you have the <sys/pty.h> header file. */
+#undef HAVE_SYS_PTY_H
+
+/* Define if you have the <sys/resource.h> header file. */
+#undef HAVE_SYS_RESOURCE_H
+
+/* Define if you have the <sys/select.h> header file. */
+#undef HAVE_SYS_SELECT_H
+
+/* Define if you have the <sys/socket.h> header file. */
+#undef HAVE_SYS_SOCKET_H
+
+/* Define if you have the <sys/sockio.h> header file. */
+#undef HAVE_SYS_SOCKIO_H
+
+/* Define if you have the <sys/stat.h> header file. */
+#undef HAVE_SYS_STAT_H
+
+/* Define if you have the <sys/stream.h> header file. */
+#undef HAVE_SYS_STREAM_H
+
+/* Define if you have the <sys/stropts.h> header file. */
+#undef HAVE_SYS_STROPTS_H
+
+/* Define if you have the <sys/strtty.h> header file. */
+#undef HAVE_SYS_STRTTY_H
+
+/* Define if you have the <sys/str_tty.h> header file. */
+#undef HAVE_SYS_STR_TTY_H
+
+/* Define if you have the <sys/syscall.h> header file. */
+#undef HAVE_SYS_SYSCALL_H
+
+/* Define if you have the <sys/sysctl.h> header file. */
+#undef HAVE_SYS_SYSCTL_H
+
+/* Define if you have the <sys/termio.h> header file. */
+#undef HAVE_SYS_TERMIO_H
+
+/* Define if you have the <sys/timeb.h> header file. */
+#undef HAVE_SYS_TIMEB_H
+
+/* Define if you have the <sys/times.h> header file. */
+#undef HAVE_SYS_TIMES_H
+
+/* Define if you have the <sys/time.h> header file. */
+#undef HAVE_SYS_TIME_H
+
+/* Define if you have the <sys/tty.h> header file. */
+#undef HAVE_SYS_TTY_H
+
+/* Define if you have the <sys/types.h> header file. */
+#undef HAVE_SYS_TYPES_H
+
+/* Define if you have the <sys/uio.h> header file. */
+#undef HAVE_SYS_UIO_H
+
+/* Define if you have the <sys/un.h> header file. */
+#undef HAVE_SYS_UN_H
+
+/* Define if you have the <sys/utsname.h> header file. */
+#undef HAVE_SYS_UTSNAME_H
+
+/* Define if you have the <sys/wait.h> header file. */
+#undef HAVE_SYS_WAIT_H
+
+/* Define if you have the <termios.h> header file. */
+#undef HAVE_TERMIOS_H
+
+/* Define if you have the <termio.h> header file. */
+#undef HAVE_TERMIO_H
+
+/* Define if you have the <term.h> header file. */
+#undef HAVE_TERM_H
+
+/* Define if you have the `tgetent' function. */
+#undef HAVE_TGETENT
+
+/* Define if you have the `timegm' function. */
+#undef HAVE_TIMEGM
+
+/* Define if you have the `timezone' variable. */
+#undef HAVE_TIMEZONE
+
+/* define if your system declares timezone */
+#undef HAVE_TIMEZONE_DECLARATION
+
+/* Define if you have the <time.h> header file. */
+#undef HAVE_TIME_H
+
+/* Define if you have the <tmpdir.h> header file. */
+#undef HAVE_TMPDIR_H
+
+/* Define if you have the `ttyname' function. */
+#undef HAVE_TTYNAME
+
+/* Define if you have the `ttyslot' function. */
+#undef HAVE_TTYSLOT
+
+/* Define if you have the <udb.h> header file. */
+#undef HAVE_UDB_H
+
+/* Define if you have the `umask' function. */
+#undef HAVE_UMASK
+
+/* Define if you have the `uname' function. */
+#undef HAVE_UNAME
+
+/* Define if you have the <unistd.h> header file. */
+#undef HAVE_UNISTD_H
+
+/* Define if you have the `unlockpt' function. */
+#undef HAVE_UNLOCKPT
+
+/* Define if you have the `unsetenv' function. */
+#undef HAVE_UNSETENV
+
+/* Define if you have the `unvis' function. */
+#undef HAVE_UNVIS
+
+/* Define if you have the <userconf.h> header file. */
+#undef HAVE_USERCONF_H
+
+/* Define if you have the <usersec.h> header file. */
+#undef HAVE_USERSEC_H
+
+/* Define if you have the <util.h> header file. */
+#undef HAVE_UTIL_H
+
+/* Define if you have the <utmpx.h> header file. */
+#undef HAVE_UTMPX_H
+
+/* Define if you have the <utmp.h> header file. */
+#undef HAVE_UTMP_H
+
+/* Define if you have the `vasnprintf' function. */
+#undef HAVE_VASNPRINTF
+
+/* Define if you have the `vasprintf' function. */
+#undef HAVE_VASPRINTF
+
+/* Define if you have the `verr' function. */
+#undef HAVE_VERR
+
+/* Define if you have the `verrx' function. */
+#undef HAVE_VERRX
+
+/* Define if you have the `vhangup' function. */
+#undef HAVE_VHANGUP
+
+/* Define if you have the `vis' function. */
+#undef HAVE_VIS
+
+/* Define if you have the <vis.h> header file. */
+#undef HAVE_VIS_H
+
+/* define if you have a working vsnprintf */
+#undef HAVE_VSNPRINTF
+
+/* Define if you have the `vsyslog' function. */
+#undef HAVE_VSYSLOG
+
+/* Define if you have the `vwarn' function. */
+#undef HAVE_VWARN
+
+/* Define if you have the `vwarnx' function. */
+#undef HAVE_VWARNX
+
+/* Define if you have the `warn' function. */
+#undef HAVE_WARN
+
+/* Define if you have the `warnx' function. */
+#undef HAVE_WARNX
+
+/* Define if you have the <winsock.h> header file. */
+#undef HAVE_WINSOCK_H
+
+/* Define if you have the `writev' function. */
+#undef HAVE_WRITEV
+
+/* define if struct winsize has ws_xpixel */
+#undef HAVE_WS_XPIXEL
+
+/* define if struct winsize has ws_ypixel */
+#undef HAVE_WS_YPIXEL
+
+/* Define if you have the `XauFileName' function. */
+#undef HAVE_XAUFILENAME
+
+/* Define if you have the `XauReadAuth' function. */
+#undef HAVE_XAUREADAUTH
+
+/* Define if you have the `XauWriteAuth' function. */
+#undef HAVE_XAUWRITEAUTH
+
+/* Define if you have the `yp_get_default_domain' function. */
+#undef HAVE_YP_GET_DEFAULT_DOMAIN
+
+/* Define if you have the `_getpty' function. */
+#undef HAVE__GETPTY
+
+/* Define if you have the `_scrsize' function. */
+#undef HAVE__SCRSIZE
+
+/* define if your compiler has __attribute__ */
+#undef HAVE___ATTRIBUTE__
+
+/* Define if you have the `__progname' variable. */
+#undef HAVE___PROGNAME
+
+/* define if your system declares __progname */
+#undef HAVE___PROGNAME_DECLARATION
+
+/* Define if you have the hesiod package. */
+#undef HESIOD
+
+/* Define if you want to use the KDC as a kaserver. */
+#undef KASERVER
+
+/* Define if you want support in hprop for reading kaserver databases */
+#undef KASERVER_DB
+
+/* Define if you have the krb4 package. */
+#undef KRB4
+
+/* Enable Kerberos 5 support in applications. */
+#undef KRB5
+
+/* Define if krb_mk_req takes cons char * */
+#undef KRB_MK_REQ_CONST
+
+/* Define to zero if your krb.h doesn't */
+#undef KRB_VERIFY_NOT_SECURE
+
+/* Define to one if your krb.h doesn't */
+#undef KRB_VERIFY_SECURE
+
+/* Define to two if your krb.h doesn't */
+#undef KRB_VERIFY_SECURE_FAIL
+
+/* define if the system is missing a prototype for asnprintf() */
+#undef NEED_ASNPRINTF_PROTO
+
+/* define if the system is missing a prototype for asprintf() */
+#undef NEED_ASPRINTF_PROTO
+
+/* define if the system is missing a prototype for crypt() */
+#undef NEED_CRYPT_PROTO
+
+/* define if the system is missing a prototype for gethostname() */
+#undef NEED_GETHOSTNAME_PROTO
+
+/* define if the system is missing a prototype for getusershell() */
+#undef NEED_GETUSERSHELL_PROTO
+
+/* define if the system is missing a prototype for glob() */
+#undef NEED_GLOB_PROTO
+
+/* define if the system is missing a prototype for hstrerror() */
+#undef NEED_HSTRERROR_PROTO
+
+/* define if the system is missing a prototype for inet_aton() */
+#undef NEED_INET_ATON_PROTO
+
+/* define if the system is missing a prototype for mkstemp() */
+#undef NEED_MKSTEMP_PROTO
+
+/* define if the system is missing a prototype for setenv() */
+#undef NEED_SETENV_PROTO
+
+/* define if the system is missing a prototype for snprintf() */
+#undef NEED_SNPRINTF_PROTO
+
+/* define if the system is missing a prototype for strsep() */
+#undef NEED_STRSEP_PROTO
+
+/* define if the system is missing a prototype for strtok_r() */
+#undef NEED_STRTOK_R_PROTO
+
+/* define if the system is missing a prototype for unsetenv() */
+#undef NEED_UNSETENV_PROTO
+
+/* define if the system is missing a prototype for vasnprintf() */
+#undef NEED_VASNPRINTF_PROTO
+
+/* define if the system is missing a prototype for vasprintf() */
+#undef NEED_VASPRINTF_PROTO
+
+/* define if the system is missing a prototype for vsnprintf() */
+#undef NEED_VSNPRINTF_PROTO
+
+/* Define this to enable old environment option in telnet. */
+#undef OLD_ENVIRON
+
+/* Define if you have the openldap package. */
+#undef OPENLDAP
+
+/* define if prototype of openlog is compatible with void openlog(const char
+   *, int, int) */
+#undef OPENLOG_PROTO_COMPATIBLE
+
+/* Define if you want OTP support in applications. */
+#undef OTP
+
+/* Name of package */
+#undef PACKAGE
+
+/* Define if getlogin has POSIX flavour (and not BSD). */
+#undef POSIX_GETLOGIN
+
+/* Define if getpwnam_r has POSIX flavour. */
+#undef POSIX_GETPWNAM_R
+
+/* Define if you have the readline package. */
+#undef READLINE
+
+/* Define as the return type of signal handlers (`int' or `void'). */
+#undef RETSIGTYPE
+
+/* Define if you have the ANSI C header files. */
+#undef STDC_HEADERS
+
+/* Define if you have streams ptys. */
+#undef STREAMSPTY
+
+/* Define to what version of SunOS you are running. */
+#undef SunOS
+
+/* Define if you can safely include both <sys/time.h> and <time.h>. */
+#undef TIME_WITH_SYS_TIME
+
+/* Define if your <sys/time.h> declares `struct tm'. */
+#undef TM_IN_SYS_TIME
+
+/* Version number of package */
+#undef VERSION
+
+/* Define if signal handlers return void. */
+#undef VOID_RETSIGTYPE
+
+/* define if target is big endian */
+#undef WORDS_BIGENDIAN
+
+/* Define if the X Window System is missing or not being used. */
+#undef X_DISPLAY_MISSING
+
+/* Define if `lex' declares `yytext' as a `char *' by default, not a `char[]'.
+   */
+#undef YYTEXT_POINTER
+
+/* Define to empty if `const' does not conform to ANSI C. */
+#undef const
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+#undef gid_t
+
+/* Define as `__inline' if that's what the C compiler calls it, or to nothing
+   if it is not supported. */
+#undef inline
+
+/* Define this to what the type mode_t should be. */
+#undef mode_t
+
+/* Define to `long' if <sys/types.h> does not define. */
+#undef off_t
+
+/* Define to `int' if <sys/types.h> does not define. */
+#undef pid_t
+
+/* Define this to what the type sig_atomic_t should be. */
+#undef sig_atomic_t
+
+/* Define to `unsigned' if <sys/types.h> does not define. */
+#undef size_t
+
+/* Define this to what the type ssize_t should be. */
+#undef ssize_t
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+#undef uid_t
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
+#else
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
+#endif
+
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+#undef HAVE_UINT8_T
+#undef HAVE_UINT16_T
+#undef HAVE_UINT32_T
+#undef HAVE_UINT64_T
+
+#if defined(HAVE_FOUR_VALUED_KRB_PUT_INT) || !defined(KRB4)
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (L), (S))
+#else
+#define KRB_PUT_INT(F, T, L, S) krb_put_int((F), (T), (S))
+#endif
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+
+#undef PROTOTYPES
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+#if defined(HAVE_SGTTY_H) && defined(__NeXT__)
+#define SGTTY
+#endif
+
+/*
+ * Define NDBM if you are using the 4.3 ndbm library (which is part of
+ * libc).  If not defined, 4.2 dbm will be assumed.
+ */
+#if defined(HAVE_DBM_FIRSTKEY)
+#define NDBM
+#endif
+
+/* telnet stuff ----------------------------------------------- */
+
+#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
+#define AUTHENTICATION 1
+#endif
+
+/* Set this to the default system lead string for telnetd 
+ * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
+ * %v=os-version, %t=tty, %h=hostname, %d=date and time
+ */
+#undef USE_IM
+
+/* Used with login -p */
+#undef LOGIN_ARGS
+
+/* set this to a sensible login */
+#ifndef LOGIN_PATH
+#define LOGIN_PATH BINDIR "/login"
+#endif
+
+/* random defines */
+
+/*
+ * Defining this enables lots of useful (and used) extensions on
+ * glibc-based systems such as Linux
+ */
+
+#define _GNU_SOURCE
+
+/*
+ * this assumes that KRB_C_BIGENDIAN is used.
+ * if we can find out endianess at compile-time, do so,
+ * otherwise WORDS_BIGENDIAN should already have been defined
+ */
+
+#if ENDIANESS_IN_SYS_PARAM_H
+#  include <sys/types.h>
+#  include <sys/param.h>
+#  if BYTE_ORDER == BIG_ENDIAN
+#  define WORDS_BIGENDIAN 1
+#  endif
+#endif
+
+#ifdef ROKEN_RENAME
+#include "roken_rename.h"
+#endif
diff --git a/crypto/heimdal/include/kadm5/Makefile.am b/crypto/heimdal/include/kadm5/Makefile.am
new file mode 100644
index 0000000..e0647b8
--- /dev/null
+++ b/crypto/heimdal/include/kadm5/Makefile.am
@@ -0,0 +1,5 @@
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+CLEANFILES = admin.h kadm5_err.h private.h
diff --git a/crypto/heimdal/include/kadm5/Makefile.in b/crypto/heimdal/include/kadm5/Makefile.in
new file mode 100644
index 0000000..384afce
--- /dev/null
+++ b/crypto/heimdal/include/kadm5/Makefile.in
@@ -0,0 +1,437 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:17 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+CLEANFILES = admin.h kadm5_err.h private.h
+subdir = include/kadm5
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign include/kadm5/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: tags distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/include/stamp-h.in b/crypto/heimdal/include/stamp-h.in
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/crypto/heimdal/include/stamp-h.in
diff --git a/crypto/heimdal/install-sh b/crypto/heimdal/install-sh
new file mode 100755
index 0000000..89fc9b0
--- /dev/null
+++ b/crypto/heimdal/install-sh
@@ -0,0 +1,238 @@
+#! /bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+#
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+tranformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/crypto/heimdal/kadmin/ChangeLog b/crypto/heimdal/kadmin/ChangeLog
new file mode 100644
index 0000000..ccc615e
--- /dev/null
+++ b/crypto/heimdal/kadmin/ChangeLog
@@ -0,0 +1,498 @@
+2001-05-17  Assar Westerlund  <assar@sics.se>
+
+	* kadm_conn.c (start_server): fix krb5_eai_to_heim_errno call
+
+2001-05-15  Assar Westerlund  <assar@sics.se>
+
+	* kadmin.c (main): some error cleaning required
+
+2001-05-14  Assar Westerlund  <assar@sics.se>
+
+	* kadmind.c: new krb5_config_parse_file
+	* kadmin.c: new krb5_config_parse_file
+	* kadm_conn.c: update to new krb5_sockaddr2address
+
+2001-05-07  Assar Westerlund  <assar@sics.se>
+
+	* kadmin_locl.h (foreach_principal): update prototype
+	* get.c (getit): new foreach_principal
+	* ext.c (ext_keytab): new foreach_principal
+	* del.c (del_entry): new foreach_principal
+	* cpw.c (cpw_entry): new foreach_principal
+	* util.c (foreach_principal): add `funcname' and try printing the
+	error string
+
+2001-05-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rename.c: fix argument number test
+	
+2001-04-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* del_enctype.c: fix argument count check after getarg change;
+	spotted by mark@MCS.VUW.AC.NZ
+
+2001-02-15  Assar Westerlund  <assar@sics.se>
+
+	* kadmind.c (main): use a `struct sockaddr_storage' to be able to
+	store all types of addresses
+
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* kadmin.c: add --keytab / _K, from Leif Johansson
+	<leifj@it.su.se>
+
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* kadm_conn.c (spawn_child): close the newly created socket in the
+	packet, it's not used.  from <shadow@dementia.org>
+	* version4.c (decode_packet): check success of
+	krb5_425_conv_principal.  from <shadow@dementia.org>
+
+2001-01-12  Assar Westerlund  <assar@sics.se>
+
+	* util.c (parse_attributes): make empty string mean no attributes,
+	specifying the empty string at the command line should give you no
+	attributes, but just pressing return at the prompt gives you
+	default attributes
+	(edit_entry): only pick up values from the default principal if they
+	aren't set in the principal being edited
+
+2001-01-04  Assar Westerlund  <assar@sics.se>
+
+	* load.c (doit): print an error and bail out if storing an entry
+	in the database fails.  The most likely reason for it failing is
+	out-of-space.
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* kadmind.c (main): handle krb5_init_context failure consistently
+	* kadmin.c (main): handle krb5_init_context failure consistently
+	* add-random-users.c (add_user): handle krb5_init_context failure
+	consistently
+
+	* kadm_conn.c (spawn_child): use a struct sockaddr_storage
+
+2000-12-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* get.c: avoid asprintf'ing NULL strings
+
+2000-12-14  Johan Danielsson  <joda@pdc.kth.se>
+
+	* load.c: fix option parsing
+
+2000-11-16  Assar Westerlund  <assar@sics.se>
+
+	* kadm_conn.c (wait_for_connection): check for fd's being too
+	large to select on
+
+2000-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* get.c: don't try to print modifier name if it isn't set (from
+	Jacques A. Vidrine" <n@nectar.com>)
+
+2000-09-19  Assar Westerlund  <assar@sics.se>
+
+	* server.c (kadmind_loop): send in keytab to v4 handling function
+	* version4.c: allow the specification of what keytab to use
+
+	* get.c (print_entry_long): actually print the actual saltvalue
+	used if it's not the default
+
+2000-09-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadmin.c: add option parsing, and add `privs' as an alias for
+	`privileges'
+
+	* init.c: complain if there's no realm name specified
+
+	* rename.c: add option parsing
+
+	* load.c: add option parsing
+
+	* get.c: make `get' and `list' aliases to each other, but with
+	different defaults
+
+	* del_enctype.c: add option parsing
+
+	* del.c: add option parsing
+
+	* ank.c: calling the command `add' make more sense from an english
+	pov
+
+	* Makefile.am: add kadmin manpage
+
+	* kadmin.8: short manpage
+
+	* kadmin.c: `quit' should be a alias for `exit', not `help'
+
+2000-08-27  Assar Westerlund  <assar@sics.se>
+
+	* server.c (handle_v5): do not try to perform stupid stunts when
+	printing errors
+
+2000-08-19  Assar Westerlund  <assar@sics.se>
+
+	* util.c (str2time_t): add alias for `now'.
+
+2000-08-18  Assar Westerlund  <assar@sics.se>
+
+	* server.c (handle_v5): accept any kadmin/admin@* principal as the
+	server
+	* kadmind.c: remove extra prototype of kadmind_loop
+	* kadmin_locl.h (kadmind_loop): add prototype
+	
+	* init.c (usage): print init-usage and not add-dito
+	
+2000-08-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadmind.c: use roken_getsockname
+
+2000-08-07  Assar Westerlund  <assar@sics.se>
+
+	* kadmind.c, kadm_conn.c: use socklen_t instead of int where
+	appropriate.  From <thorpej@netbsd.org>
+
+2000-08-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: link with pidfile library
+
+	* kadmind.c: write a pid file, and setup password quality
+	functions
+
+	* kadmin_locl.h: util.h
+
+2000-07-27  Assar Westerlund  <assar@sics.se>
+
+	* version4.c (decode_packet): be totally consistent with the
+	prototype of des_cbc_cksum
+	* kadmind.c: use sa_size instead of sa_len, some systems define
+	this to emulate anonymous unions
+	* kadm_conn.c: use sa_size instead of sa_len, some systems define
+	this to emulate anonymous unions
+
+2000-07-24  Assar Westerlund  <assar@sics.se>
+
+	* kadmin.c (commands): add quit
+	* load.c (doit): truncate the log since there's no way of knowing
+	what changes are going to be added
+
+2000-07-23  Assar Westerlund  <assar@sics.se>
+
+	* util.c (str2time_t): be more careful with strptime that might
+	zero out the `struct tm'
+
+2000-07-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadm_conn.c: make the parent process wait for children and
+	terminate after receiving a signal, also terminate on SIGINT
+
+2000-07-22  Assar Westerlund  <assar@sics.se>
+
+	* version4.c: map both princ_expire_time and pw_expiration to v4
+	principal expiration
+
+2000-07-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* version4.c (handle_v4): check for termination
+
+	* server.c (v5_loop): check for termination
+
+	* kadm_conn.c (wait_term): if we're doing something, set just set
+	a flag otherwise exit rightaway
+
+	* server.c: use krb5_read_priv_message; (v5_loop): check for EOF
+
+2000-07-21  Assar Westerlund  <assar@sics.se>
+
+	* kadm_conn.c: remove sys/select.h.  make signal handlers
+	type-correct and static
+
+	* kadmin_locl.h: add limits.h and sys/select.h
+
+2000-07-20  Assar Westerlund  <assar@sics.se>
+
+	* init.c (init): also create `kadmin/hprop'
+	* kadmind.c: ports is a string argument
+	* kadm_conn.c (start_server): fix printf format
+
+	* kadmin_locl.h: add <sys/select.h>
+	* kadm_conn.c: remove sys/select.h.  make signal handlers
+	type-correct and static
+
+	* kadmin_locl.h: add limits.h and sys/select.h
+
+2000-07-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadm_conn.c: put all processes in a new process group
+
+	* server.c (v5_loop): use krb5_{read,write}_priv_message
+
+2000-07-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* version4.c: change log strings to match the v5 counterparts
+
+	* mod.c: allow setting kvno
+
+	* kadmind.c: if stdin is not a socket create and listen to sockets
+
+	* kadm_conn.c: socket creation functions
+
+	* util.c (deltat2str): treat 0 and INT_MAX as never
+
+2000-07-08  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (INCLUDES): add ../lib/krb5
+	* kadmin_locl.h: add krb5_locl.h (since we just use some stuff
+	from there)
+
+2000-06-07  Assar Westerlund  <assar@sics.se>
+
+	* add-random-users.c: new testing program that adds a number of
+	randomly generated users
+
+2000-04-12  Assar Westerlund  <assar@sics.se>
+
+	* cpw.c (do_cpw_entry): call set_password if no argument is given,
+	it will prompt for the password.
+	* kadmin.c: make help only print the commands that are actually
+	available.
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* del_enctype.c (del_enctype): set ignore correctly
+
+2000-04-02  Assar Westerlund  <assar@sics.se>
+
+	* kadmin.c (main): make parse errors a fatal error
+	* init.c (init): create changepw/kerberos with disallow-tgt and
+	pwchange attributes
+
+2000-03-23  Assar Westerlund  <assar@sics.se>
+
+	* util.c (hex2n, parse_des_key): add
+	* server.c (kadmind_dispatch): add kadm_chpass_with_key
+	* cpw.c: add --key
+	* ank.c: add --key
+
+2000-02-16  Assar Westerlund  <assar@sics.se>
+
+	* load.c (doit): check return value from parse_hdbflags2int
+	correctly
+
+2000-01-25  Assar Westerlund  <assar@sics.se>
+
+	* load.c: checking all parsing for errors and all memory
+	allocations also
+
+2000-01-02  Assar Westerlund  <assar@sics.se>
+
+	* server.c: check initial flag in ticket and allow users to change
+	their own password if it's set
+	* ext.c (do_ext_keytab): set timestamp
+
+1999-12-14  Assar Westerlund  <assar@sics.se>
+
+	* del_enctype.c (usage): don't use arg_printusage
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* del_enctype.c (del_enctype): try not to leak memory
+
+	* version4.c (kadm_ser_mod): use kadm5_s_modify_principal (no
+ 	_with_key)
+
+	* kadmin.c: add `del_enctype'
+
+	* del_enctype.c (del_enctype): new function for deleting enctypes
+	from a principal
+
+	* Makefile.am (kadmin_SOURCES): add del_enctype.c
+
+1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* server.c: cope with old clients
+
+	* kadmin_locl.h: remove version string
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (kadmin_LDADD): add LIB_dlopen
+
+1999-10-01  Assar Westerlund  <assar@sics.se>
+
+	* ank.c (add_one_principal): `password' can cactually be NULL in
+ 	the overwrite code, check for it.
+
+1999-09-20  Assar Westerlund  <assar@sics.se>
+
+	* mod.c (mod_entry): print the correct principal name in error
+ 	messages.  From Love <lha@e.kth.se>
+
+1999-09-10  Assar Westerlund  <assar@sics.se>
+
+	* init.c (init): also create `changepw/kerberos'
+
+	* version4.c: only create you loose packets when we fail decoding
+ 	and not when an operation is not performed for some reason
+	(decode_packet): read the service key from the hdb
+	(dispatch, decode_packet): return proper error messages
+
+	* version4.c (kadm_ser_cpw): add password quality functions
+
+1999-08-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* server.c (handle_v5): give more informative message if
+	KRB5_KT_NOTFOUND
+
+1999-08-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kadmind.c: use HDB keytabs
+
+1999-08-25  Assar Westerlund  <assar@sics.se>
+
+	* cpw.c (set_password): use correct variable.  From Love
+ 	<lha@e.kth.se>
+
+	* server.c (v5_loop): use correct error code
+
+	* ank.c (add_one_principal): initialize `default_ent'
+
+1999-08-21  Assar Westerlund  <assar@sics.se>
+
+	* random_password.c: new file, stolen from krb4
+
+	* kadmin_locl.h: add prototype for random_password
+
+	* cpw.c: add support for --random-password
+
+	* ank.c: add support for --random-password
+
+	* Makefile.am (kadmin_SOURCES): add random_password.c
+
+1999-08-19  Assar Westerlund  <assar@sics.se>
+
+	* util.c (edit_timet): break when we manage to parse the time not
+ 	the inverse.
+
+	* mod.c: add parsing of lots of options.  From Love
+ 	<lha@stacken.kth.se>
+
+	* ank.c: add setting of expiration and password expiration
+
+	* kadmin_locl.h: update util.c prototypes
+
+	* util.c: move-around.  clean-up, rename, make consistent (and
+ 	some other weird stuff).  based on patches from Love
+ 	<lha@stacken.kth.se>
+
+	* version4.c (kadm_ser_cpw): initialize password
+	(handle_v4): remove unused variable `ret'
+
+1999-08-16  Assar Westerlund  <assar@sics.se>
+
+	* version4.c (handle_v4): more error checking and more correct
+ 	error messages
+
+	* server.c (v5_loop, kadmind_loop): more error checking and more
+ 	correct error messages
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* util.c (str2timeval, edit_time): functions for parsing and
+ 	editing times.  Based on patches from Love <lha@stacken.kth.se>.
+	(edit_entry): call new functions
+
+	* mod.c (mod_entry): allow modifying expiration times
+
+	* kadmin_locl.h (str2timeval): add prototype
+
+	* ank.c (add_one_principal): allow setting expiration times
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* server.c (v5_loop): handle data allocation with krb5_data_alloc
+ 	and check return value
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* version4.c (kadm_ser_cpw): read the key in the strange order
+ 	it's sent
+
+	* util.c (edit_entry): look at default
+	(edit_time): always set mask even if value == 0
+
+	* kadmin_locl.h (edit_entry): update
+
+	* ank.c: make ank use the values of the default principal for
+ 	prompting
+
+	* version4.c (values_to_ent): convert key data correctly
+
+1999-05-23  Assar Westerlund  <assar@sics.se>
+
+	* init.c (create_random_entry): more correct setting of mask
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* server.c (handle_v5): read sendauth version correctly.
+
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* version4.c (error_code): try to handle really old krb4
+ 	distributions
+
+1999-05-11  Assar Westerlund  <assar@sics.se>
+
+	* init.c (init): initialize realm_max_life and realm_max_rlife
+
+1999-05-07  Assar Westerlund  <assar@sics.se>
+
+	* ank.c (add_new_key): initialize more variables
+
+1999-05-04  Assar Westerlund  <assar@sics.se>
+
+	* version4.c (kadm_ser_cpw): always allow a user to change her
+ 	password
+	(kadm_ser_*): make logging work
+	clean-up and restructure
+	
+	* kadmin_locl.h (set_entry): add prototype
+
+	* kadmin.c (usage): update usage string
+
+	* init.c (init): new arguments realm-max-ticket-life and
+ 	realm-max-renewable-life
+
+	* util.c (edit_time, edit_attributes): don't do anything if it's
+ 	already set
+	(set_entry): new function
+
+	* ank.c (add_new_key): new options for setting max-ticket-life,
+ 	max-renewable-life, and attributes
+
+	* server.c (v5_loop): remove unused variable
+
+	* kadmin_locl.h: add prototypes
+
+	* version4.c: re-insert krb_err.h and other miss
+
+	* server.c (kadmind_loop): break-up and restructure
+
+	* version4.c: add ACL checks more error code checks restructure
+	
+1999-05-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* load.c: check for (un-)encrypted keys
+
+	* dump.c: use hdb_print_entry
+	
+	* version4.c: version 4 support
+
+	* Makefile.am: link with krb4
+
+	* kadmin_locl.h: include <sys/un.h>
+
+	* server.c: move from lib/kadm5, and add basic support for krb4
+	kadmin protocol
+
+	* kadmind.c: move recvauth to kadmind_loop()
diff --git a/crypto/heimdal/kadmin/Makefile.am b/crypto/heimdal/kadmin/Makefile.am
new file mode 100644
index 0000000..5852198
--- /dev/null
+++ b/crypto/heimdal/kadmin/Makefile.am
@@ -0,0 +1,74 @@
+# $Id: Makefile.am,v 1.32 2000/11/15 22:51:12 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_readline) $(INCLUDE_krb4) -I$(srcdir)/../lib/krb5
+
+sbin_PROGRAMS = kadmin
+
+libexec_PROGRAMS = kadmind
+
+man_MANS = kadmin.8 kadmind.8
+
+noinst_PROGRAMS = add_random_users
+
+kadmin_SOURCES =				\
+	ank.c					\
+	cpw.c					\
+	del.c					\
+	del_enctype.c				\
+	dump.c					\
+	ext.c					\
+	get.c					\
+	init.c					\
+	kadmin.c				\
+	load.c					\
+	mod.c					\
+	rename.c				\
+	util.c					\
+	random_password.c			\
+	kadmin_locl.h
+
+if KRB4
+KRB4LIB = $(LIB_krb4)
+version4_c = version4.c
+endif
+
+kadmind_SOURCES =				\
+	kadmind.c				\
+	server.c				\
+	kadmin_locl.h				\
+	$(version4_c)				\
+	kadm_conn.c
+
+EXTRA_kadmind_SOURCES = version4.c
+
+add_random_users_SOURCES = add-random-users.c
+
+COMMON_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB)
+
+kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(COMMON_LDADD) \
+	$(LIB_pidfile) \
+	$(LIB_dlopen)
+
+kadmin_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_readline) \
+	$(COMMON_LDADD) \
+	$(LIB_dlopen)
+
+add_random_users_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(COMMON_LDADD) \
+	$(LIB_dlopen)
diff --git a/crypto/heimdal/kadmin/Makefile.in b/crypto/heimdal/kadmin/Makefile.in
new file mode 100644
index 0000000..dd2ec13
--- /dev/null
+++ b/crypto/heimdal/kadmin/Makefile.in
@@ -0,0 +1,767 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.32 2000/11/15 22:51:12 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_readline) $(INCLUDE_krb4) -I$(srcdir)/../lib/krb5
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+sbin_PROGRAMS = kadmin
+
+libexec_PROGRAMS = kadmind
+
+man_MANS = kadmin.8 kadmind.8
+
+noinst_PROGRAMS = add_random_users
+
+kadmin_SOURCES = \
+	ank.c					\
+	cpw.c					\
+	del.c					\
+	del_enctype.c				\
+	dump.c					\
+	ext.c					\
+	get.c					\
+	init.c					\
+	kadmin.c				\
+	load.c					\
+	mod.c					\
+	rename.c				\
+	util.c					\
+	random_password.c			\
+	kadmin_locl.h
+
+
+@KRB4_TRUE@KRB4LIB = @KRB4_TRUE@$(LIB_krb4)
+@KRB4_TRUE@version4_c = @KRB4_TRUE@version4.c
+
+kadmind_SOURCES = \
+	kadmind.c				\
+	server.c				\
+	kadmin_locl.h				\
+	$(version4_c)				\
+	kadm_conn.c
+
+
+EXTRA_kadmind_SOURCES = version4.c
+
+add_random_users_SOURCES = add-random-users.c
+
+COMMON_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB)
+
+
+kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(COMMON_LDADD) \
+	$(LIB_pidfile) \
+	$(LIB_dlopen)
+
+
+kadmin_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_readline) \
+	$(COMMON_LDADD) \
+	$(LIB_dlopen)
+
+
+add_random_users_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(COMMON_LDADD) \
+	$(LIB_dlopen)
+
+subdir = kadmin
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+libexec_PROGRAMS =  kadmind$(EXEEXT)
+noinst_PROGRAMS =  add_random_users$(EXEEXT)
+sbin_PROGRAMS =  kadmin$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS) $(noinst_PROGRAMS) $(sbin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_add_random_users_OBJECTS =  add-random-users.$(OBJEXT)
+add_random_users_OBJECTS =  $(am_add_random_users_OBJECTS)
+add_random_users_DEPENDENCIES =  \
+$(top_builddir)/lib/kadm5/libkadm5clnt.la \
+$(top_builddir)/lib/kadm5/libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+add_random_users_LDFLAGS = 
+am_kadmin_OBJECTS =  ank.$(OBJEXT) cpw.$(OBJEXT) del.$(OBJEXT) \
+del_enctype.$(OBJEXT) dump.$(OBJEXT) ext.$(OBJEXT) get.$(OBJEXT) \
+init.$(OBJEXT) kadmin.$(OBJEXT) load.$(OBJEXT) mod.$(OBJEXT) \
+rename.$(OBJEXT) util.$(OBJEXT) random_password.$(OBJEXT)
+kadmin_OBJECTS =  $(am_kadmin_OBJECTS)
+kadmin_DEPENDENCIES =  $(top_builddir)/lib/kadm5/libkadm5clnt.la \
+$(top_builddir)/lib/kadm5/libkadm5srv.la \
+$(top_builddir)/lib/sl/libsl.la $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+kadmin_LDFLAGS = 
+@KRB4_FALSE@am_kadmind_OBJECTS =  kadmind.$(OBJEXT) server.$(OBJEXT) \
+@KRB4_FALSE@kadm_conn.$(OBJEXT)
+@KRB4_TRUE@am_kadmind_OBJECTS =  kadmind.$(OBJEXT) server.$(OBJEXT) \
+@KRB4_TRUE@version4.$(OBJEXT) kadm_conn.$(OBJEXT)
+kadmind_OBJECTS =  $(am_kadmind_OBJECTS)
+@KRB4_FALSE@kadmind_DEPENDENCIES =  \
+@KRB4_FALSE@$(top_builddir)/lib/kadm5/libkadm5srv.la \
+@KRB4_FALSE@$(top_builddir)/lib/hdb/libhdb.la \
+@KRB4_FALSE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@kadmind_DEPENDENCIES =  \
+@KRB4_TRUE@$(top_builddir)/lib/kadm5/libkadm5srv.la \
+@KRB4_TRUE@$(top_builddir)/lib/hdb/libhdb.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+kadmind_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(add_random_users_SOURCES) $(kadmin_SOURCES) \
+$(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES)
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES)
+OBJECTS = $(am_add_random_users_OBJECTS) $(am_kadmin_OBJECTS) $(am_kadmind_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign kadmin/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+mostlyclean-sbinPROGRAMS:
+
+clean-sbinPROGRAMS:
+	-test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS)
+
+distclean-sbinPROGRAMS:
+
+maintainer-clean-sbinPROGRAMS:
+
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(sbindir)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \
+	  rm -f $(DESTDIR)$(sbindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+add_random_users$(EXEEXT): $(add_random_users_OBJECTS) $(add_random_users_DEPENDENCIES)
+	@rm -f add_random_users$(EXEEXT)
+	$(LINK) $(add_random_users_LDFLAGS) $(add_random_users_OBJECTS) $(add_random_users_LDADD) $(LIBS)
+
+kadmin$(EXEEXT): $(kadmin_OBJECTS) $(kadmin_DEPENDENCIES)
+	@rm -f kadmin$(EXEEXT)
+	$(LINK) $(kadmin_LDFLAGS) $(kadmin_OBJECTS) $(kadmin_LDADD) $(LIBS)
+
+kadmind$(EXEEXT): $(kadmind_OBJECTS) $(kadmind_DEPENDENCIES)
+	@rm -f kadmind$(EXEEXT)
+	$(LINK) $(kadmind_LDFLAGS) $(kadmind_OBJECTS) $(kadmind_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS install-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS uninstall-sbinPROGRAMS \
+		uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir) $(DESTDIR)$(sbindir) \
+		$(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-noinstPROGRAMS \
+		mostlyclean-sbinPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-noinstPROGRAMS clean-sbinPROGRAMS \
+		clean-compile clean-libtool clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-noinstPROGRAMS \
+		distclean-sbinPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-sbinPROGRAMS maintainer-clean-compile \
+		maintainer-clean-libtool maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-sbinPROGRAMS distclean-sbinPROGRAMS clean-sbinPROGRAMS \
+maintainer-clean-sbinPROGRAMS uninstall-sbinPROGRAMS \
+install-sbinPROGRAMS mostlyclean-compile distclean-compile \
+clean-compile maintainer-clean-compile mostlyclean-libtool \
+distclean-libtool clean-libtool maintainer-clean-libtool install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/kadmin/add-random-users.c b/crypto/heimdal/kadmin/add-random-users.c
new file mode 100644
index 0000000..f0b7f4c
--- /dev/null
+++ b/crypto/heimdal/kadmin/add-random-users.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: add-random-users.c,v 1.3 2001/02/20 01:44:49 assar Exp $");
+
+#define WORDS_FILENAME "/usr/share/dict/words"
+
+#define NUSERS 1000
+
+static unsigned
+read_words (const char *filename, char ***ret_w)
+{
+    unsigned n, alloc;
+    FILE *f;
+    char buf[256];
+    char **w = NULL;
+
+    f = fopen (filename, "r");
+    if (f == NULL)
+	err (1, "cannot open %s", filename);
+    alloc = n = 0;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if (buf[strlen (buf) - 1] == '\n')
+	    buf[strlen (buf) - 1] = '\0';
+	if (n >= alloc) {
+	    alloc += 16;
+	    w = erealloc (w, alloc * sizeof(char **));
+	}
+	w[n++] = estrdup (buf);
+    }
+    *ret_w = w;
+    return n;
+}
+
+static void
+add_user (krb5_context context, void *kadm_handle,
+	  unsigned nwords, char **words)
+{
+    kadm5_principal_ent_rec princ;
+    char name[64];
+    int r1, r2;
+    krb5_error_code ret;
+    int mask;
+
+    r1 = rand();
+    r2 = rand();
+
+    snprintf (name, sizeof(name), "%s%d", words[r1 % nwords], r2 % 1000);
+
+    mask = KADM5_PRINCIPAL;
+
+    memset(&princ, 0, sizeof(princ));
+    ret = krb5_parse_name(context, name, &princ.principal);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_parse_name");
+
+    ret = kadm5_create_principal (kadm_handle, &princ, mask, name);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_create_principal");
+    kadm5_free_principal_ent(kadm_handle, &princ);
+    printf ("%s\n", name);
+}
+
+static void
+add_users (unsigned n)
+{
+    krb5_error_code ret;
+    int i;
+    void *kadm_handle;
+    krb5_context context;
+    unsigned nwords;
+    char **words;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+    ret = kadm5_s_init_with_password_ctx(context, 
+					 KADM5_ADMIN_SERVICE,
+					 NULL,
+					 KADM5_ADMIN_SERVICE,
+					 NULL, 0, 0, 
+					 &kadm_handle);
+    if(ret)
+	krb5_err(context, 1, ret, "kadm5_init_with_password");
+
+    nwords = read_words (WORDS_FILENAME, &words);
+    
+    for (i = 0; i < n; ++i)
+	add_user (context, kadm_handle, nwords, words);
+    kadm5_destroy(kadm_handle);
+    krb5_free_context(context);
+}
+
+static int version_flag	= 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    NULL);
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+
+    setprogname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    if (help_flag)
+	usage (0);
+    srand (0);
+    add_users (NUSERS);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/ank.c b/crypto/heimdal/kadmin/ank.c
new file mode 100644
index 0000000..129ee66
--- /dev/null
+++ b/crypto/heimdal/kadmin/ank.c
@@ -0,0 +1,304 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: ank.c,v 1.21 2000/09/10 19:16:39 joda Exp $");
+
+/*
+ * fetch the default principal corresponding to `princ'
+ */
+
+static krb5_error_code
+get_default (kadm5_server_context *context,
+	     krb5_principal princ,
+	     kadm5_principal_ent_t default_ent)
+{
+    krb5_error_code ret;
+    krb5_principal def_principal;
+    krb5_realm *realm = krb5_princ_realm(context->context, princ);
+
+    ret = krb5_make_principal (context->context, &def_principal,
+			       *realm, "default", NULL);
+    if (ret)
+	return ret;
+    ret = kadm5_get_principal (context, def_principal, default_ent,
+			       KADM5_PRINCIPAL_NORMAL_MASK);
+    krb5_free_principal (context->context, def_principal);
+    return ret;
+}
+
+/*
+ * Add the principal `name' to the database.
+ * Prompt for all data not given by the input parameters.
+ */
+
+static krb5_error_code
+add_one_principal (const char *name,
+		   int rand_key,
+		   int rand_password,
+		   char *password,
+		   krb5_key_data *key_data,
+		   const char *max_ticket_life,
+		   const char *max_renewable_life,
+		   const char *attributes,
+		   const char *expiration,
+		   const char *pw_expiration)
+{
+    krb5_error_code ret;
+    kadm5_principal_ent_rec princ, defrec;
+    kadm5_principal_ent_rec *default_ent = NULL;
+    krb5_principal princ_ent = NULL;
+    int mask = 0;
+    int default_mask = 0;
+    char pwbuf[1024];
+
+    memset(&princ, 0, sizeof(princ));
+    ret = krb5_parse_name(context, name, &princ_ent);
+    if (ret) {
+	krb5_warn(context, ret, "krb5_parse_name");
+	return ret;
+    }
+    princ.principal = princ_ent;
+    mask |= KADM5_PRINCIPAL;
+
+    ret = set_entry(context, &princ, &mask,
+		    max_ticket_life, max_renewable_life, 
+		    expiration, pw_expiration, attributes);
+    if (ret)
+	goto out;
+
+    default_ent = &defrec;
+    ret = get_default (kadm_handle, princ_ent, default_ent);
+    if (ret) {
+	default_ent  = NULL;
+	default_mask = 0;
+    } else {
+	default_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
+	    KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION;
+    }
+
+    edit_entry(&princ, &mask, default_ent, default_mask);
+    if(rand_key || key_data) {
+	princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+	mask |= KADM5_ATTRIBUTES;
+	strlcpy (pwbuf, "hemlig", sizeof(pwbuf));
+	password = pwbuf;
+    } else if (rand_password) {
+	random_password (pwbuf, sizeof(pwbuf));
+	password = pwbuf;
+    } else if(password == NULL) {
+	char *princ_name;
+	char *prompt;
+
+	krb5_unparse_name(context, princ_ent, &princ_name);
+	asprintf (&prompt, "%s's Password: ", princ_name);
+	free (princ_name);
+	ret = des_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1);
+	free (prompt);
+	if (ret)
+	    goto out;
+	password = pwbuf;
+    }
+    
+    ret = kadm5_create_principal(kadm_handle, &princ, mask, password);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_create_principal");
+    if(rand_key) {
+	krb5_keyblock *new_keys;
+	int n_keys, i;
+	ret = kadm5_randkey_principal(kadm_handle, princ_ent, 
+				      &new_keys, &n_keys);
+	if(ret){
+	    krb5_warn(context, ret, "kadm5_randkey_principal");
+	    n_keys = 0;
+	}
+	for(i = 0; i < n_keys; i++)
+	    krb5_free_keyblock_contents(context, &new_keys[i]);
+	free(new_keys);
+	kadm5_get_principal(kadm_handle, princ_ent, &princ, 
+			    KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
+	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
+	princ.kvno = 1;
+	kadm5_modify_principal(kadm_handle, &princ, 
+			       KADM5_ATTRIBUTES | KADM5_KVNO);
+	kadm5_free_principal_ent(kadm_handle, &princ);
+    } else if (key_data) {
+	ret = kadm5_chpass_principal_with_key (kadm_handle, princ_ent,
+					       3, key_data);
+	if (ret) {
+	    krb5_warn(context, ret, "kadm5_chpass_principal_with_key");
+	}
+	kadm5_get_principal(kadm_handle, princ_ent, &princ, 
+			    KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
+	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
+	kadm5_modify_principal(kadm_handle, &princ, KADM5_ATTRIBUTES);
+	kadm5_free_principal_ent(kadm_handle, &princ);
+    } else if (rand_password) {
+	char *princ_name;
+
+	krb5_unparse_name(context, princ_ent, &princ_name);
+	printf ("added %s with password `%s'\n", princ_name, password);
+	free (princ_name);
+    }
+out:
+    if (princ_ent)
+	krb5_free_principal (context, princ_ent);
+    if(default_ent)
+	kadm5_free_principal_ent (context, default_ent);
+    if (password != NULL)
+	memset (password, 0, strlen(password));
+    return ret;
+}
+
+/*
+ * parse the string `key_string' into `key', returning 0 iff succesful.
+ */
+
+/*
+ * the ank command
+ */
+
+static struct getargs args[] = {
+    { "random-key",	'r',	arg_flag,	NULL, "set random key" },
+    { "random-password", 0,	arg_flag,	NULL, "set random password" },
+    { "password",	'p',	arg_string,	NULL, "princial's password" },
+    { "key",		0,	arg_string,	NULL, "DES-key in hex" },
+    { "max-ticket-life",  0,	arg_string,	NULL, "max ticket lifetime",
+      "lifetime"},
+    { "max-renewable-life",  0,	arg_string,	NULL,
+      "max renewable lifetime", "lifetime" },
+    { "attributes",	0,	arg_string,	NULL, "principal attributes",
+      "attributes"},
+    { "expiration-time",0,	arg_string,	NULL, "Expiration time",
+      "time"},
+    { "pw-expiration-time", 0,  arg_string,	NULL,
+      "Password expiration time", "time"}
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage (args, num_args, "add", "principal...");
+}
+
+/*
+ * Parse arguments and add all the principals.
+ */
+
+int
+add_new_key(int argc, char **argv)
+{
+    char *password = NULL;
+    char *key = NULL;
+    int random_key = 0;
+    int random_password = 0;
+    int optind = 0;
+    krb5_error_code ret;
+    char *max_ticket_life	= NULL;
+    char *max_renewable_life	= NULL;
+    char *attributes		= NULL;
+    char *expiration		= NULL;
+    char *pw_expiration		= NULL;
+    int i;
+    int num;
+    krb5_key_data key_data[3];
+    krb5_key_data *kdp = NULL;
+
+    args[0].value = &random_key;
+    args[1].value = &random_password;
+    args[2].value = &password;
+    args[3].value = &key;
+    args[4].value = &max_ticket_life;
+    args[5].value = &max_renewable_life;
+    args[6].value = &attributes;
+    args[7].value = &expiration;
+    args[8].value = &pw_expiration;
+    
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ();
+	return 0;
+    }
+    if(optind == argc) {
+	usage ();
+	return 0;
+    }
+
+    num = 0;
+    if (random_key)
+	++num;
+    if (random_password)
+	++num;
+    if (password)
+	++num;
+    if (key)
+	++num;
+
+    if (num > 1) {
+	printf ("give only one of "
+		"--random-key, --random-password, --password, --key\n");
+	return 0;
+    }
+
+    if (key) {
+	const char *error;
+
+	if (parse_des_key (key, key_data, &error)) {
+	    printf ("failed parsing key `%s': %s\n", key, error);
+	    return 0;
+	}
+	kdp = key_data;
+    }
+
+    for (i = optind; i < argc; ++i) {
+	ret = add_one_principal (argv[i], random_key, random_password,
+				 password,
+				 kdp,
+				 max_ticket_life,
+				 max_renewable_life,
+				 attributes,
+				 expiration,
+				 pw_expiration);
+	if (ret) {
+	    krb5_warn (context, ret, "adding %s", argv[i]);
+	    break;
+	}
+    }
+    if (kdp) {
+	int16_t dummy = 3;
+	kadm5_free_key_data (kadm_handle, &dummy, key_data);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/cpw.c b/crypto/heimdal/kadmin/cpw.c
new file mode 100644
index 0000000..06200d6
--- /dev/null
+++ b/crypto/heimdal/kadmin/cpw.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: cpw.c,v 1.12 2001/05/07 05:30:23 assar Exp $");
+
+struct cpw_entry_data {
+    int random_key;
+    int random_password;
+    char *password;
+    krb5_key_data *key_data;
+};
+
+static struct getargs args[] = {
+    { "random-key",	'r',	arg_flag,	NULL, "set random key" },
+    { "random-password", 0,	arg_flag,	NULL, "set random password" },
+    { "password",	'p',	arg_string,	NULL, "princial's password" },
+    { "key",		 0,	arg_string,	NULL, "DES key in hex" }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage(args, num_args, "cpw", "principal...");
+}
+
+static int
+set_random_key (krb5_principal principal)
+{
+    krb5_error_code ret;
+    int i;
+    krb5_keyblock *keys;
+    int num_keys;
+
+    ret = kadm5_randkey_principal(kadm_handle, principal, &keys, &num_keys);
+    if(ret)
+	return ret;
+    for(i = 0; i < num_keys; i++)
+	krb5_free_keyblock_contents(context, &keys[i]);
+    free(keys);
+    return 0;
+}
+
+static int
+set_random_password (krb5_principal principal)
+{
+    krb5_error_code ret;
+    char pw[128];
+
+    random_password (pw, sizeof(pw));
+    ret = kadm5_chpass_principal(kadm_handle, principal, pw);
+    if (ret == 0) {
+	char *princ_name;
+
+	krb5_unparse_name(context, principal, &princ_name);
+
+	printf ("%s's password set to `%s'\n", princ_name, pw);
+	free (princ_name);
+    }
+    memset (pw, 0, sizeof(pw));
+    return ret;
+}
+
+static int
+set_password (krb5_principal principal, char *password)
+{
+    krb5_error_code ret = 0;
+    char pwbuf[128];
+
+    if(password == NULL) {
+	char *princ_name;
+	char *prompt;
+
+	krb5_unparse_name(context, principal, &princ_name);
+	asprintf(&prompt, "%s's Password: ", princ_name);
+	free (princ_name);
+	ret = des_read_pw_string(pwbuf, sizeof(pwbuf), prompt, 1);
+	free (prompt);
+	if(ret){
+	    return 0; /* XXX error code? */
+	}
+	password = pwbuf;
+    }
+    if(ret == 0)
+	ret = kadm5_chpass_principal(kadm_handle, principal, password);
+    memset(pwbuf, 0, sizeof(pwbuf));
+    return ret;
+}
+
+static int
+set_key_data (krb5_principal principal, krb5_key_data *key_data)
+{
+    krb5_error_code ret;
+
+    ret = kadm5_chpass_principal_with_key (kadm_handle, principal,
+					   3, key_data);
+    return ret;
+}
+
+static int
+do_cpw_entry(krb5_principal principal, void *data)
+{
+    struct cpw_entry_data *e = data;
+    
+    if (e->random_key)
+	return set_random_key (principal);
+    else if (e->random_password)
+	return set_random_password (principal);
+    else if (e->key_data)
+	return set_key_data (principal, e->key_data);
+    else
+	return set_password (principal, e->password);
+}
+
+int
+cpw_entry(int argc, char **argv)
+{
+    krb5_error_code ret;
+    int i;
+    int optind = 0;
+    struct cpw_entry_data data;
+    int num;
+    char *key_string;
+    krb5_key_data key_data[3];
+
+    data.random_key      = 0;
+    data.random_password = 0;
+    data.password        = NULL;
+    data.key_data	 = NULL;
+
+    key_string = NULL;
+
+    args[0].value = &data.random_key;
+    args[1].value = &data.random_password;
+    args[2].value = &data.password;
+    args[3].value = &key_string;
+    if(getarg(args, num_args, argc, argv, &optind)){
+	usage();
+	return 0;
+    }
+
+    num = 0;
+    if (data.random_key)
+	++num;
+    if (data.random_password)
+	++num;
+    if (data.password)
+	++num;
+    if (key_string)
+	++num;
+
+    if (num > 1) {
+	printf ("give only one of "
+		"--random-key, --random-password, --password, --key\n");
+	return 0;
+    }
+	
+    if (key_string) {
+	const char *error;
+
+	if (parse_des_key (key_string, key_data, &error)) {
+	    printf ("failed parsing key `%s': %s\n", key_string, error);
+	    return 0;
+	}
+	data.key_data = key_data;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    for(i = 0; i < argc; i++)
+	ret = foreach_principal(argv[i], do_cpw_entry, "cpw", &data);
+
+    if (data.key_data) {
+	int16_t dummy;
+	kadm5_free_key_data (kadm_handle, &dummy, key_data);
+    }
+
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/del.c b/crypto/heimdal/kadmin/del.c
new file mode 100644
index 0000000..1697656
--- /dev/null
+++ b/crypto/heimdal/kadmin/del.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: del.c,v 1.6 2001/05/07 05:30:50 assar Exp $");
+
+static int
+do_del_entry(krb5_principal principal, void *data)
+{
+    return kadm5_delete_principal(kadm_handle, principal);
+}
+
+static struct getargs args[] = {
+    { "help", 'h', arg_flag, NULL }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage (args, num_args, "delete", "principal...");
+}
+
+
+int
+del_entry(int argc, char **argv)
+{
+    int optind = 0;
+    int help_flag = 0;
+
+    int i;
+    krb5_error_code ret;
+
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ();
+	return 0;
+    }
+    if(optind == argc || help_flag) {
+	usage ();
+	return 0;
+    }
+
+    for(i = 1; i < argc; i++)
+	ret = foreach_principal(argv[i], do_del_entry, "del", NULL);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/del_enctype.c b/crypto/heimdal/kadmin/del_enctype.c
new file mode 100644
index 0000000..985cc84
--- /dev/null
+++ b/crypto/heimdal/kadmin/del_enctype.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (c) 1999-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: del_enctype.c,v 1.7 2001/04/19 07:26:52 joda Exp $");
+
+/*
+ * del_enctype principal enctypes...
+ */
+
+static struct getargs args[] = {
+    { "help", 'h', arg_flag, NULL }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage (args, num_args, "del_enctype", "principal enctypes...");
+}
+
+
+int
+del_enctype(int argc, char **argv)
+{
+    int optind = 0;
+    int help_flag = 0;
+
+    kadm5_principal_ent_rec princ;
+    krb5_principal princ_ent = NULL;
+    krb5_error_code ret;
+    const char *princ_name;
+    int i, j, k;
+    krb5_key_data *new_key_data;
+    int n_etypes;
+    krb5_enctype *etypes;
+
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ();
+	return 0;
+    }
+    if(argc - optind < 2 || help_flag) {
+	usage ();
+	return 0;
+    }
+
+    memset (&princ, 0, sizeof(princ));
+    princ_name = argv[1];
+    n_etypes   = argc - 2;
+    etypes     = malloc (n_etypes * sizeof(*etypes));
+    if (etypes == NULL) {
+	krb5_warnx (context, "out of memory");
+	return 0;
+    }
+    for (i = 0; i < n_etypes; ++i) {
+	ret = krb5_string_to_enctype (context, argv[i + 2], &etypes[i]);
+	if (ret) {
+	    krb5_warnx (context, "bad enctype `%s'", argv[i + 2]);
+	    goto out2;
+	}
+    }
+
+    ret = krb5_parse_name(context, princ_name, &princ_ent);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_parse_name %s", princ_name);
+	goto out2;
+    }
+
+    ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
+			      KADM5_PRINCIPAL | KADM5_KEY_DATA);
+    if (ret) {
+	krb5_free_principal (context, princ_ent);
+	krb5_warnx (context, "no such principal: %s", princ_name);
+	goto out2;
+    }
+
+    new_key_data   = malloc(princ.n_key_data * sizeof(*new_key_data));
+    if (new_key_data == NULL) {
+	krb5_warnx (context, "out of memory");
+	goto out;
+    }
+
+    for (i = 0, j = 0; i < princ.n_key_data; ++i) {
+	krb5_key_data *key = &princ.key_data[i];
+	int docopy = 1;
+
+	for (k = 0; k < n_etypes; ++k)
+	    if (etypes[k] == key->key_data_type[0]) {
+		docopy = 0;
+		break;
+	    }
+	if (docopy) {
+	    new_key_data[j++] = *key;
+	} else {
+	    int16_t ignore = 1;
+
+	    kadm5_free_key_data (kadm_handle, &ignore, key);
+	}
+    }
+
+    free (princ.key_data);
+    princ.n_key_data = j;
+    princ.key_data   = new_key_data;
+
+    ret = kadm5_modify_principal (kadm_handle, &princ, KADM5_KEY_DATA);
+    if (ret)
+	krb5_warn(context, ret, "kadm5_modify_principal");
+out:
+    krb5_free_principal (context, princ_ent);
+    kadm5_free_principal_ent(kadm_handle, &princ);
+out2:
+    free (etypes);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/dump.c b/crypto/heimdal/kadmin/dump.c
new file mode 100644
index 0000000..a57309c
--- /dev/null
+++ b/crypto/heimdal/kadmin/dump.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <kadm5/private.h>
+
+RCSID("$Id: dump.c,v 1.26 1999/12/02 17:04:58 joda Exp $");
+
+int
+dump(int argc, char **argv)
+{
+    krb5_error_code ret;
+    FILE *f;
+    HDB *db = _kadm5_s_get_db(kadm_handle);
+    int decrypt = 0;
+    int optind = 0;
+
+    struct getargs args[] = {
+	{ "decrypt", 'd', arg_flag, NULL, "decrypt keys" }
+    };
+    args[0].value = &decrypt;
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) {
+	arg_printusage(args, sizeof(args) / sizeof(args[0]), "kadmin dump", 
+		       "[dump-file]");
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+    if(argc < 1)
+	f = stdout;
+    else
+	f = fopen(argv[0], "w");
+    
+    ret = db->open(context, db, O_RDONLY, 0600);
+    if(ret){
+	krb5_warn(context, ret, "hdb_open");
+	if(f != stdout)
+	    fclose(f);
+	return 0;
+    }
+
+    hdb_foreach(context, db, decrypt ? HDB_F_DECRYPT : 0, hdb_print_entry, f);
+
+    if(f != stdout)
+	fclose(f);
+    db->close(context, db);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/ext.c b/crypto/heimdal/kadmin/ext.c
new file mode 100644
index 0000000..6b3f3af
--- /dev/null
+++ b/crypto/heimdal/kadmin/ext.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: ext.c,v 1.6 2001/05/07 05:31:12 assar Exp $");
+
+struct ext_keytab_data {
+    krb5_keytab keytab;
+};
+
+static struct getargs args[] = {
+    { "keytab",		'k',	arg_string,	NULL, "keytab to use" },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage(args, num_args, "ext", "principal...");
+}
+
+static int
+do_ext_keytab(krb5_principal principal, void *data)
+{
+    krb5_error_code ret;
+    int i;
+    kadm5_principal_ent_rec princ;
+    struct ext_keytab_data *e = data;
+
+    ret = kadm5_get_principal(kadm_handle, principal, &princ, 
+			      KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA);
+    if(ret)
+	return ret;
+    for(i = 0; i < princ.n_key_data; i++){
+	krb5_keytab_entry key;
+	krb5_key_data *k = &princ.key_data[i];
+	key.principal = princ.principal;
+	key.vno = k->key_data_kvno;
+	key.keyblock.keytype = k->key_data_type[0];
+	key.keyblock.keyvalue.length = k->key_data_length[0];
+	key.keyblock.keyvalue.data = k->key_data_contents[0];
+	key.timestamp = time(NULL);
+	ret = krb5_kt_add_entry(context, e->keytab, &key);
+	if(ret)
+	    krb5_warn(context, ret, "krb5_kt_add_entry");
+    }
+    kadm5_free_principal_ent(kadm_handle, &princ);
+    return 0;
+}
+
+int
+ext_keytab(int argc, char **argv)
+{
+    krb5_error_code ret;
+    int i;
+    int optind = 0;
+    char *keytab = NULL;
+    struct ext_keytab_data data;
+    
+    args[0].value = &keytab;
+    if(getarg(args, num_args, argc, argv, &optind)){
+	usage();
+	return 0;
+    }
+    if(keytab)
+	ret = krb5_kt_resolve(context, keytab, &data.keytab);
+    else
+	ret = krb5_kt_default(context, &data.keytab);
+    if(ret){
+	krb5_warn(context, ret, "krb5_kt_resolve");
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    for(i = 0; i < argc; i++) 
+	foreach_principal(argv[i], do_ext_keytab, "ext", &data);
+
+    krb5_kt_close(context, data.keytab);
+
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/get.c b/crypto/heimdal/kadmin/get.c
new file mode 100644
index 0000000..30eea9d
--- /dev/null
+++ b/crypto/heimdal/kadmin/get.c
@@ -0,0 +1,290 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <parse_units.h>
+
+RCSID("$Id: get.c,v 1.13 2001/05/07 05:31:43 assar Exp $");
+
+struct get_entry_data {
+    void (*header)(void);
+    void (*format)(kadm5_principal_ent_t);
+};
+
+static void
+print_entry_terse(kadm5_principal_ent_t princ)
+{
+    char *p;
+    krb5_unparse_name(context, princ->principal, &p);
+    printf("  %s\n", p);
+    free(p);
+}
+
+static void
+print_header_short(void)
+{
+    printf("%-20s ", "Principal");
+    
+    printf("%-10s ", "Expires");
+	    
+    printf("%-10s ", "PW-exp");
+	    
+    printf("%-10s ", "PW-change");
+	
+    printf("%-9s ", "Max life");
+
+    printf("%-9s ", "Max renew");
+    
+    printf("\n");
+}
+
+static void
+print_entry_short(kadm5_principal_ent_t princ)
+{
+    char buf[1024];
+    
+    krb5_unparse_name_fixed_short(context, princ->principal, buf, sizeof(buf));
+    printf("%-20s ", buf);
+    
+    time_t2str(princ->princ_expire_time, buf, sizeof(buf), 0);
+    printf("%-10s ", buf);
+	    
+    time_t2str(princ->pw_expiration, buf, sizeof(buf), 0);
+    printf("%-10s ", buf);
+	    
+    time_t2str(princ->last_pwd_change, buf, sizeof(buf), 0);
+    printf("%-10s ", buf);
+	
+    deltat2str(princ->max_life, buf, sizeof(buf));
+    printf("%-9s ", buf);
+
+    deltat2str(princ->max_renewable_life, buf, sizeof(buf));
+    printf("%-9s ", buf);
+
+#if 0
+    time_t2str(princ->mod_date, buf, sizeof(buf), 0);
+    printf("%-10s ", buf);
+
+    krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf));
+    printf("%-24s", buf);
+#endif
+    
+    printf("\n");
+}
+
+/*
+ * return 0 iff `salt' actually is the same as the current salt in `k'
+ */
+
+static int
+cmp_salt (const krb5_salt *salt, const krb5_key_data *k)
+{
+    if (salt->salttype != k->key_data_type[1])
+	return 1;
+    if (salt->saltvalue.length != k->key_data_length[1])
+	return 1;
+    return memcmp (salt->saltvalue.data, k->key_data_contents[1],
+		   salt->saltvalue.length);
+}
+
+static void
+print_entry_long(kadm5_principal_ent_t princ)
+{
+    char buf[1024];
+    int i;
+    krb5_salt def_salt;
+    
+    krb5_unparse_name_fixed(context, princ->principal, buf, sizeof(buf));
+    printf("%24s: %s\n", "Principal", buf);
+    time_t2str(princ->princ_expire_time, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Principal expires", buf);
+	    
+    time_t2str(princ->pw_expiration, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Password expires", buf);
+	    
+    time_t2str(princ->last_pwd_change, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Last password change", buf);
+	
+    deltat2str(princ->max_life, buf, sizeof(buf));
+    printf("%24s: %s\n", "Max ticket life", buf);
+
+    deltat2str(princ->max_renewable_life, buf, sizeof(buf));
+    printf("%24s: %s\n", "Max renewable life", buf);
+    printf("%24s: %d\n", "Kvno", princ->kvno);
+    printf("%24s: %d\n", "Mkvno", princ->mkvno);
+    printf("%24s: %s\n", "Policy", princ->policy ? princ->policy : "none");
+    time_t2str(princ->last_success, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Last successful login", buf);
+    time_t2str(princ->last_failed, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Last failed login", buf);
+    printf("%24s: %d\n", "Failed login count", princ->fail_auth_count);
+    time_t2str(princ->mod_date, buf, sizeof(buf), 1);
+    printf("%24s: %s\n", "Last modified", buf);
+    if(princ->mod_name != NULL) {
+	krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf));
+	printf("%24s: %s\n", "Modifier", buf);
+    }
+    attributes2str (princ->attributes, buf, sizeof(buf));
+    printf("%24s: %s\n", "Attributes", buf);
+
+    printf("%24s: ", "Keytypes(salttype[(salt-value)])");
+
+    krb5_get_pw_salt (context, princ->principal, &def_salt);
+
+    for (i = 0; i < princ->n_key_data; ++i) {
+	krb5_key_data *k = &princ->key_data[i];
+	krb5_error_code ret;
+	char *e_string, *s_string, *salt;
+
+	ret = krb5_enctype_to_string (context,
+				      k->key_data_type[0],
+				      &e_string);
+	if (ret)
+	    asprintf (&e_string, "unknown(%d)", k->key_data_type[0]);
+
+	ret = krb5_salttype_to_string (context,
+				       k->key_data_type[0],
+				       k->key_data_type[1],
+				       &s_string);
+	if (ret)
+	    asprintf (&s_string, "unknown(%d)", k->key_data_type[1]);
+
+	if (cmp_salt(&def_salt, k) == 0)
+	    salt = strdup("");
+	else if(k->key_data_length[1] == 0)
+	    salt = strdup("()");
+	else
+	    asprintf (&salt, "(%.*s)", k->key_data_length[1],
+		      (char *)k->key_data_contents[1]);
+
+
+	printf ("%s%s(%s%s)", (i != 0) ? ", " : "", e_string, s_string, salt);
+	free (e_string);
+	free (s_string);
+	free (salt);
+    }
+    krb5_free_salt (context, def_salt);
+    printf("\n\n");
+}
+
+static int
+do_get_entry(krb5_principal principal, void *data)
+{
+    kadm5_principal_ent_rec princ;
+    krb5_error_code ret;
+    struct get_entry_data *e = data;
+    
+    memset(&princ, 0, sizeof(princ));
+    ret = kadm5_get_principal(kadm_handle, principal, 
+			      &princ,
+			      KADM5_PRINCIPAL_NORMAL_MASK|KADM5_KEY_DATA);
+    if(ret)
+	return ret;
+    else {
+	if(e->header) {
+	    (*e->header)();
+	    e->header = NULL; /* XXX only once */
+	}
+	(e->format)(&princ);
+	kadm5_free_principal_ent(kadm_handle, &princ);
+    }
+    return 0;
+}
+
+static int
+getit(const char *name, int terse_flag, int argc, char **argv)
+{
+    int i;
+    krb5_error_code ret;
+    struct get_entry_data data;
+    struct getargs args[] = {
+	{ "long",	'l',	arg_flag,	NULL, "long format" },
+	{ "short",	's',	arg_flag,	NULL, "short format" },
+	{ "terse",	't',	arg_flag,	NULL, "terse format" },
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+    int long_flag = -1;
+    int short_flag = -1;
+    
+    args[0].value = &long_flag;
+    args[1].value = &short_flag;
+    args[2].value = &terse_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind))
+	goto usage;
+    if(optind == argc)
+	goto usage;
+
+    if(long_flag == -1 && (short_flag == 1 || terse_flag == 1))
+	long_flag = 0;
+    if(short_flag == -1 && (long_flag == 1 || terse_flag == 1))
+	short_flag = 0;
+    if(terse_flag == -1 && (long_flag == 1 || short_flag == 1))
+	terse_flag = 0;
+    if(long_flag == 0 && short_flag == 0 && terse_flag == 0)
+	short_flag = 1;
+
+    if(long_flag) {
+	data.format = print_entry_long;
+	data.header = NULL;
+    } else if(short_flag){
+	data.format = print_entry_short;
+	data.header = print_header_short;
+    } else if(terse_flag) {
+	data.format = print_entry_terse;
+	data.header = NULL;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    for(i = 0; i < argc; i++)
+	ret = foreach_principal(argv[i], do_get_entry, "get", &data);
+    return 0;
+usage:
+    arg_printusage (args, num_args, name, "principal...");
+    return 0;
+}
+
+int
+get_entry(int argc, char **argv)
+{
+    return getit("get", 0, argc, argv);
+}
+
+int
+list_princs(int argc, char **argv)
+{
+    return getit("list", 1, argc, argv);
+}
diff --git a/crypto/heimdal/kadmin/init.c b/crypto/heimdal/kadmin/init.c
new file mode 100644
index 0000000..2391a08
--- /dev/null
+++ b/crypto/heimdal/kadmin/init.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <kadm5/private.h>
+
+RCSID("$Id: init.c,v 1.27 2000/09/10 19:20:16 joda Exp $");
+
+static kadm5_ret_t
+create_random_entry(krb5_principal princ,
+		    unsigned max_life,
+		    unsigned max_rlife,
+		    u_int32_t attributes)
+{
+    kadm5_principal_ent_rec ent;
+    kadm5_ret_t ret;
+    int mask = 0;
+    krb5_keyblock *keys;
+    int n_keys, i;
+
+    memset(&ent, 0, sizeof(ent));
+    ent.principal = princ;
+    mask |= KADM5_PRINCIPAL;
+    if (max_life) {
+	ent.max_life = max_life;
+	mask |= KADM5_MAX_LIFE;
+    }
+    if (max_rlife) {
+	ent.max_renewable_life = max_rlife;
+	mask |= KADM5_MAX_RLIFE;
+    }
+    ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX;
+    mask |= KADM5_ATTRIBUTES;
+
+    ret = kadm5_create_principal(kadm_handle, &ent, mask, "hemlig");
+    if(ret)
+	return ret;
+    ret = kadm5_randkey_principal(kadm_handle, princ, &keys, &n_keys);
+    if(ret)
+	return ret;
+    for(i = 0; i < n_keys; i++)
+	krb5_free_keyblock_contents(context, &keys[i]);
+    free(keys);
+    ret = kadm5_get_principal(kadm_handle, princ, &ent, 
+			      KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
+    if(ret)
+	return ret;
+    ent.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
+    ent.kvno = 1;
+    ret = kadm5_modify_principal(kadm_handle, &ent, 
+				 KADM5_ATTRIBUTES|KADM5_KVNO);
+    kadm5_free_principal_ent (kadm_handle, &ent);
+    if(ret)
+	return ret;
+    return 0;
+}
+
+static struct getargs args[] = {
+    { "realm-max-ticket-life",  0,	arg_string,	NULL,
+      "realm max ticket lifetime" },
+    { "realm-max-renewable-life",  0,	arg_string,	NULL,
+      "realm max renewable lifetime" },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage (args, num_args, "init", "realm...");
+}
+
+int
+init(int argc, char **argv)
+{
+    kadm5_ret_t ret;
+    int i;
+    char *realm_max_life  = NULL;
+    char *realm_max_rlife = NULL;
+    HDB *db;
+    int optind = 0;
+    krb5_deltat max_life, max_rlife;
+
+    args[0].value = &realm_max_life;
+    args[1].value = &realm_max_rlife;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage();
+	return 0;
+    }
+
+    if(argc - optind < 1) {
+	usage();
+	return 0;
+    }
+
+    if (realm_max_life) {
+	if (str2deltat (realm_max_life, &max_life) != 0) {
+	    krb5_warnx (context, "unable to parse `%s'", realm_max_life);
+	    return 0;
+	}
+    }
+    if (realm_max_rlife) {
+	if (str2deltat (realm_max_rlife, &max_rlife) != 0) {
+	    krb5_warnx (context, "unable to parse `%s'", realm_max_rlife);
+	    return 0;
+	}
+    }
+
+    db = _kadm5_s_get_db(kadm_handle);
+
+    ret = db->open(context, db, O_RDWR | O_CREAT, 0600);
+    if(ret){
+	krb5_warn(context, ret, "hdb_open");
+	return 0;
+    }
+    db->close(context, db);
+    for(i = optind; i < argc; i++){
+	krb5_principal princ;
+	const char *realm = argv[i];
+
+	/* Create `krbtgt/REALM' */
+	krb5_make_principal(context, &princ, realm,
+			    KRB5_TGS_NAME, realm, NULL);
+	if (realm_max_life == NULL) {
+	    max_life = 0;
+	    edit_deltat ("Realm max ticket life", &max_life, NULL, 0);
+	}
+	if (realm_max_rlife == NULL) {
+	    max_rlife = 0;
+	    edit_deltat("Realm max renewable ticket life", &max_rlife,
+			NULL, 0);
+	}
+	create_random_entry(princ, max_life, max_rlife, 0);
+	krb5_free_principal(context, princ);
+
+	/* Create `kadmin/changepw' */
+	krb5_make_principal(context, &princ, realm, 
+			    "kadmin", "changepw", NULL);
+	create_random_entry(princ, 5*60, 5*60, 
+			    KRB5_KDB_DISALLOW_TGT_BASED|
+			    KRB5_KDB_PWCHANGE_SERVICE|
+			    KRB5_KDB_DISALLOW_POSTDATED|
+			    KRB5_KDB_DISALLOW_FORWARDABLE|
+			    KRB5_KDB_DISALLOW_RENEWABLE|
+			    KRB5_KDB_DISALLOW_PROXIABLE|
+			    KRB5_KDB_REQUIRES_PRE_AUTH);
+	krb5_free_principal(context, princ);
+
+	/* Create `kadmin/admin' */
+	krb5_make_principal(context, &princ, realm, 
+			    "kadmin", "admin", NULL);
+	create_random_entry(princ, 60*60, 60*60, KRB5_KDB_REQUIRES_PRE_AUTH);
+	krb5_free_principal(context, princ);
+
+	/* Create `changepw/kerberos' (for v4 compat) */
+	krb5_make_principal(context, &princ, realm,
+			    "changepw", "kerberos", NULL);
+	create_random_entry(princ, 60*60, 60*60,
+			    KRB5_KDB_DISALLOW_TGT_BASED|
+			    KRB5_KDB_PWCHANGE_SERVICE);
+
+	krb5_free_principal(context, princ);
+
+	/* Create `kadmin/hprop' for database propagation */
+	krb5_make_principal(context, &princ, realm,
+			    "kadmin", "hprop", NULL);
+	create_random_entry(princ, 60*60, 60*60,
+			    KRB5_KDB_REQUIRES_PRE_AUTH|
+			    KRB5_KDB_DISALLOW_TGT_BASED);
+	krb5_free_principal(context, princ);
+
+	/* Create `default' */
+	{
+	    kadm5_principal_ent_rec ent;
+	    int mask = 0;
+
+	    memset (&ent, 0, sizeof(ent));
+	    mask |= KADM5_PRINCIPAL;
+	    krb5_make_principal(context, &ent.principal, realm,
+				"default", NULL);
+	    mask |= KADM5_MAX_LIFE;
+	    ent.max_life = 24 * 60 * 60;
+	    mask |= KADM5_MAX_RLIFE;
+	    ent.max_renewable_life = 7 * ent.max_life;
+	    ent.attributes = KRB5_KDB_DISALLOW_ALL_TIX;
+	    mask |= KADM5_ATTRIBUTES;
+
+	    ret = kadm5_create_principal(kadm_handle, &ent, mask, "");
+	    if (ret)
+		krb5_err (context, 1, ret, "kadm5_create_principal");
+
+	    krb5_free_principal(context, ent.principal);
+	}
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/kadm_conn.c b/crypto/heimdal/kadmin/kadm_conn.c
new file mode 100644
index 0000000..3914822
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadm_conn.c
@@ -0,0 +1,289 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+RCSID("$Id: kadm_conn.c,v 1.13 2001/05/16 22:06:44 assar Exp $");
+
+struct kadm_port {
+    char *port;
+    unsigned short def_port;
+    struct kadm_port *next;
+} *kadm_ports;
+
+static void
+add_kadm_port(krb5_context context, const char *service, unsigned int port)
+{
+    struct kadm_port *p;
+    p = malloc(sizeof(*p));
+    if(p == NULL) {
+	krb5_warnx(context, "failed to allocate %lu bytes\n", 
+		   (unsigned long)sizeof(*p));
+	return;
+    }
+    
+    p->port = strdup(service);
+    p->def_port = port;
+
+    p->next = kadm_ports;
+    kadm_ports = p;
+}
+
+static void
+add_standard_ports (krb5_context context)
+{
+    add_kadm_port(context, "kerberos-adm", 749);
+#ifdef KRB4
+    add_kadm_port(context, "kerberos-master", 751);
+#endif
+}
+
+/*
+ * parse the set of space-delimited ports in `str' and add them.
+ * "+" => all the standard ones
+ * otherwise it's port|service[/protocol]
+ */
+
+void
+parse_ports(krb5_context context, const char *str)
+{
+    char p[128];
+
+    while(strsep_copy(&str, " \t", p, sizeof(p)) != -1) {
+	if(strcmp(p, "+") == 0)
+	    add_standard_ports(context);
+	else
+	    add_kadm_port(context, p, 0);
+    }
+}
+
+static pid_t pgrp;
+sig_atomic_t term_flag, doing_useful_work;
+
+static RETSIGTYPE
+sigchld(int sig)
+{
+    int status;
+    waitpid(-1, &status, 0);
+    SIGRETURN(0);
+}
+
+static RETSIGTYPE
+terminate(int sig)
+{
+    if(getpid() == pgrp) {
+	/* parent */
+	term_flag = 1;
+	signal(sig, SIG_IGN);
+	killpg(pgrp, sig);
+    } else {
+	/* child */
+	if(doing_useful_work)
+	    term_flag = 1;
+	else
+	    exit(0);
+    }
+    SIGRETURN(0);
+}
+
+static int
+spawn_child(krb5_context context, int *socks, int num_socks, int this_sock)
+{
+    int e, i;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+    socklen_t sa_size = sizeof(__ss);
+    int s;
+    pid_t pid;
+    krb5_address addr;
+    char buf[128];
+    size_t buf_len;
+
+    s = accept(socks[this_sock], sa, &sa_size);
+    if(s < 0) {
+	krb5_warn(context, errno, "accept");
+	return 1;
+    }
+    e = krb5_sockaddr2address(context, sa, &addr);
+    if(e)
+	krb5_warn(context, e, "krb5_sockaddr2address");
+    else {
+	e = krb5_print_address (&addr, buf, sizeof(buf), 
+				&buf_len);
+	if(e) 
+	    krb5_warn(context, e, "krb5_print_address");
+	else
+	    krb5_warnx(context, "connection from %s", buf);
+	krb5_free_address(context, &addr);
+    }
+    
+    pid = fork();
+    if(pid == 0) {
+	for(i = 0; i < num_socks; i++)
+	    close(socks[i]);
+	dup2(s, STDIN_FILENO);
+	dup2(s, STDOUT_FILENO);
+	if(s != STDIN_FILENO && s != STDOUT_FILENO)
+	    close(s);
+	return 0;
+    } else {
+	close(s);
+    }
+    return 1;
+}
+
+static int
+wait_for_connection(krb5_context context,
+		    int *socks, int num_socks)
+{
+    int i, e;
+    fd_set orig_read_set, read_set;
+    int max_fd = -1;
+    
+    FD_ZERO(&orig_read_set);
+    
+    for(i = 0; i < num_socks; i++) {
+	if (socks[i] >= FD_SETSIZE)
+	    errx (1, "fd too large");
+	FD_SET(socks[i], &orig_read_set);
+	max_fd = max(max_fd, socks[i]);
+    }
+    
+    pgrp = getpid();
+
+    if(setpgid(0, pgrp) < 0)
+	err(1, "setpgid");
+
+    signal(SIGTERM, terminate);
+    signal(SIGINT, terminate);
+    signal(SIGCHLD, sigchld);
+
+    while (term_flag == 0) {
+	read_set = orig_read_set;
+	e = select(max_fd + 1, &read_set, NULL, NULL, NULL);
+	if(e < 0) {
+	    if(errno != EINTR)
+		krb5_warn(context, errno, "select");
+	} else if(e == 0)
+	    krb5_warnx(context, "select returned 0");
+	else {
+	    for(i = 0; i < num_socks; i++) {
+		if(FD_ISSET(socks[i], &read_set))
+		    if(spawn_child(context, socks, num_socks, i) == 0)
+			return 0;
+	    }
+	}
+    }
+    signal(SIGCHLD, SIG_IGN);
+    while(1) {
+	int status;
+	pid_t pid;
+	pid = waitpid(-1, &status, 0);
+	if(pid == -1 && errno == ECHILD)
+	    break;
+    }
+    exit(0);
+}
+
+
+int
+start_server(krb5_context context)
+{
+    int e;
+    struct kadm_port *p;
+
+    int *socks = NULL, *tmp;
+    int num_socks = 0;
+    int i;
+
+    for(p = kadm_ports; p; p = p->next) {
+	struct addrinfo hints, *ai, *ap;
+	char portstr[32];
+	memset (&hints, 0, sizeof(hints));
+	hints.ai_flags    = AI_PASSIVE;
+	hints.ai_socktype = SOCK_STREAM;
+
+	e = getaddrinfo(NULL, p->port, &hints, &ai);
+	if(e) {
+	    snprintf(portstr, sizeof(portstr), "%u", p->def_port);
+	    e = getaddrinfo(NULL, portstr, &hints, &ai);
+	}
+
+	if(e) {
+	    krb5_warn(context, krb5_eai_to_heim_errno(e, errno),
+		      "%s", portstr);
+	    continue;
+	}
+	i = 0;
+	for(ap = ai; ap; ap = ap->ai_next) 
+	    i++;
+	tmp = realloc(socks, (num_socks + i) * sizeof(*socks));
+	if(tmp == NULL) {
+	    krb5_warnx(context, "failed to reallocate %lu bytes", 
+		       (unsigned long)(num_socks + i) * sizeof(*socks));
+	    continue;
+	}
+	socks = tmp;
+	for(ap = ai; ap; ap = ap->ai_next) {
+	    int one = 1;
+	    int s = socket(ap->ai_family, ap->ai_socktype, ap->ai_protocol);
+	    if(s < 0) {
+		krb5_warn(context, errno, "socket");
+		continue;
+	    }
+#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT)
+	    if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&one,
+			  sizeof(one)) < 0)
+		krb5_warn(context, errno, "setsockopt");
+#endif
+	    if (bind (s, ap->ai_addr, ap->ai_addrlen) < 0) {
+		krb5_warn(context, errno, "bind");
+		close(s);
+		continue;
+	    }
+	    if (listen (s, SOMAXCONN) < 0) {
+		krb5_warn(context, errno, "listen");
+		close(s);
+		continue;
+	    }
+	    socks[num_socks++] = s;
+	}
+	freeaddrinfo (ai);
+    }
+    if(num_socks == 0)
+	krb5_errx(context, 1, "no sockets to listen to - exiting");
+    return wait_for_connection(context, socks, num_socks);
+}
diff --git a/crypto/heimdal/kadmin/kadmin.8 b/crypto/heimdal/kadmin/kadmin.8
new file mode 100644
index 0000000..67072af
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmin.8
@@ -0,0 +1,255 @@
+.\" $Id: kadmin.8,v 1.5 2001/06/08 21:27:57 joda Exp $
+.\"
+.Dd September 10, 2000
+.Dt KADMIN 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kadmin
+.Nd Kerberos administration utility
+.Sh SYNOPSIS
+.Nm
+.Oo Fl p Ar string \*(Ba Xo
+.Fl -principal= Ns Ar string
+.Xc
+.Oc
+.Oo Fl K Ar string \*(Ba Xo
+.Fl -keytab= Ns Ar string
+.Xc
+.Oc
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file
+.Xc
+.Oc
+.Oo Fl k Ar file \*(Ba Xo
+.Fl -key-file= Ns Ar file
+.Xc
+.Oc
+.Oo Fl r Ar realm \*(Ba Xo
+.Fl -realm= Ns Ar realm
+.Xc
+.Oc
+.Oo Fl a Ar host \*(Ba Xo
+.Fl -admin-server= Ns Ar host
+.Xc
+.Oc
+.Oo Fl s Ar port number \*(Ba Xo
+.Fl -server-port= Ns Ar port number
+.Xc
+.Oc
+.Op Fl l | Fl -local
+.Op Fl h | Fl -help
+.Op Fl v | Fl -version
+.Op Ar command
+.Sh DESCRIPTION
+The
+.Nm
+program is used to make modification to the Kerberos database, either remotely via the 
+.Xr kadmind 8
+daemon, or locally (with the 
+.Fl l 
+option).
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl p Ar string Ns ,
+.Fl -principal= Ns Ar string
+.Xc
+principal to authenticate as
+.It Xo
+.Fl K Ar string Ns ,
+.Fl -keytab= Ns Ar string
+.Xc
+keytab for authentication pricipal
+.It Xo
+.Fl c Ar file Ns ,
+.Fl -config-file= Ns Ar file
+.Xc
+location of config file
+.It Xo
+.Fl k Ar file Ns ,
+.Fl -key-file= Ns Ar file
+.Xc
+location of master key file
+.It Xo
+.Fl r Ar realm Ns ,
+.Fl -realm= Ns Ar realm
+.Xc
+realm to use
+.It Xo
+.Fl a Ar host Ns ,
+.Fl -admin-server= Ns Ar host
+.Xc
+server to contact
+.It Xo
+.Fl s Ar port number Ns ,
+.Fl -server-port= Ns Ar port number
+.Xc
+port to use
+.It Xo
+.Fl l Ns ,
+.Fl -local
+.Xc
+local admin mode
+.El
+.Pp
+If no 
+.Ar command
+is given on the command line,
+.Nm 
+will prompt for commands to process. Commands include:
+.\" not using a list here, since groff apparently gets confused 
+.\" with nested Xo/Xc
+.Bd -ragged -offset indent
+.Nm add
+.Op Fl r | Fl -random-key
+.Op Fl -random-password
+.Oo Fl p Ar string \*(Ba Xo
+.Fl -password= Ns Ar string
+.Xc
+.Oc
+.Op Fl -key= Ns Ar string
+.Op Fl -max-ticket-life= Ns Ar lifetime
+.Op Fl -max-renewable-life= Ns Ar lifetime
+.Op Fl -attributes= Ns Ar attributes
+.Op Fl -expiration-time= Ns Ar time
+.Op Fl -pw-expiration-time= Ns Ar time
+.Ar principal...
+.Pp
+.Bd -ragged -offset indent
+creates a new principal
+.Ed
+.Pp
+.Nm passwd
+.Op Fl r | Fl -random-key
+.Op Fl -random-password
+.Oo Fl p Ar string \*(Ba Xo
+.Fl -password= Ns Ar string
+.Xc
+.Oc
+.Op Fl -key= Ns Ar string
+.Ar principal...
+.Pp
+.Bd -ragged -offset indent
+changes the password of an existing principal
+.Ed
+.Pp
+.Nm delete
+.Ar principal...
+.Pp
+.Bd -ragged -offset indent
+removes a principal
+.Ed
+.Pp
+.Nm del_enctype
+.Ar principal enctypes...
+.Pp
+.Bd -ragged -offset indent
+removes some enctypes from a principal, this can be useful the service
+belonging to the principal is known to not handle certain enctypes
+.Ed
+.Pp
+.Nm ext_keytab
+.Oo Fl k Ar string \*(Ba Xo
+.Fl -keytab= Ns Ar string
+.Xc
+.Oc
+.Ar principal...
+.Pp
+.Bd -ragged -offset indent
+creates a keytab with the keys of the specified principals
+.Ed
+.Pp
+.Nm get
+.Op Fl l | Fl -long
+.Op Fl s | Fl -short
+.Op Fl t | Fl -terse
+.Ar expression...
+.Pp
+.Bd -ragged -offset indent
+lists the principals that match the expressions (which are shell glob
+like), long format gives more information, and terse just prints the
+names
+.Ed
+.Pp
+.Nm rename
+.Ar from to
+.Pp
+.Bd -ragged -offset indent
+renames a principal
+.Ed
+.Pp
+.Nm modify
+.Oo Fl a Ar attributes \*(Ba Xo
+.Fl -attributes= Ns Ar attributes
+.Xc
+.Oc
+.Op Fl -max-ticket-life= Ns Ar lifetime
+.Op Fl -max-renewable-life= Ns Ar lifetime
+.Op Fl -expiration-time= Ns Ar time
+.Op Fl -pw-expiration-time= Ns Ar time
+.Op Fl -kvno= Ns Ar number
+.Ar principal
+.Pp
+.Bd -ragged -offset indent
+modifies certain attributes of a principal
+.Ed
+.Pp
+.Nm privileges
+.Pp
+.Bd -ragged -offset indent
+lists the operations you are allowd to perform
+.Ed
+.Pp
+.Ed
+.Pp
+When running in local mode, the following commands can also be used.
+.Bd -ragged -offset indent
+.Nm dump
+.Op Fl d | Fl -decrypt
+.Op Ar dump-file
+.Pp
+.Bd -ragged -offset indent
+writes the database in
+.Dq human readable
+form to the specified file, or standard out
+.Ed
+.Pp
+.Nm init
+.Op Fl -realm-max-ticket-life= Ns Ar string
+.Op Fl -realm-max-renewable-life= Ns Ar string
+.Ar realm
+.Pp
+.Bd -ragged -offset indent
+initialises the Kerberos database with entries for a new realm, it's
+possible to have more than one realm served by one server
+.Ed
+.Pp
+.Nm load
+.Ar file
+.Pp
+.Bd -ragged -offset indent
+reads a previously dumped database, and re-creates that database from scratch
+.Ed
+.Pp
+.Nm merge
+.Ar file
+.Pp
+.Bd -ragged -offset indent
+similar to 
+.Nm list
+but just modifies the database with the entries in the dump file
+.Ed
+.Pp
+.Ed
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kadmind 8 ,
+.Xr kdc 8
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/kadmin/kadmin.c b/crypto/heimdal/kadmin/kadmin.c
new file mode 100644
index 0000000..058187c
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmin.c
@@ -0,0 +1,322 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <sl.h>
+
+RCSID("$Id: kadmin.c,v 1.38 2001/05/15 06:34:35 assar Exp $");
+
+static char *config_file;
+static char *keyfile;
+static int local_flag;
+static int help_flag;
+static int version_flag;
+static char *realm;
+static char *admin_server;
+static int server_port = 0;
+static char *client_name;
+static char *keytab;
+
+static struct getargs args[] = {
+    {	"principal", 	'p',	arg_string,	&client_name,
+	"principal to authenticate as" },
+    {   "keytab",	'K',	arg_string,	&keytab,
+   	"keytab for authentication pricipal" },
+    { 
+	"config-file",	'c',	arg_string,	&config_file, 
+	"location of config file",	"file" 
+    },
+    {
+	"key-file",	'k',	arg_string, &keyfile, 
+	"location of master key file", "file"
+    },
+    {	
+	"realm",	'r',	arg_string,   &realm, 
+	"realm to use", "realm" 
+    },
+    {	
+	"admin-server",	'a',	arg_string,   &admin_server, 
+	"server to contact", "host" 
+    },
+    {	
+	"server-port",	's',	arg_integer,   &server_port, 
+	"port to use", "port number" 
+    },
+    {	"local", 'l', arg_flag, &local_flag, "local admin mode" },
+    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"version",	'v',	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static SL_cmd commands[] = {
+    /* commands that are only available with `-l' */
+    { 
+	"dump",		dump,		"dump [file]",
+	"Dumps the database in a human readable format to the\n"
+	"specified file, or the standard out." 
+    },
+    { 
+	"load",		load,		"load file",
+	"Loads a previously dumped file."
+    },
+    { 
+	"merge",	merge,		"merge file" ,
+	"Merges the contents of a dump file into the database."
+    },
+    { 
+	"init",		init,		"init realm...",
+	"Initializes the default principals for a realm.\n"
+	"Creates the database if necessary."
+    },
+    /* common commands */
+    { 
+	"add",	add_new_key, 	"add principal" ,
+	"Adds a principal to the database."
+    },
+    { "add_new_key"},
+    { "ank"},
+    { 
+	"passwd",	cpw_entry, 	"passwd expression..." ,
+	"Changes the password of one or more principals\n"
+	"matching the expressions."
+    },
+    { "change_password"},
+    { "cpw"},
+    { 
+	"delete",	del_entry, 	"delete expression...",
+	"Deletes all principals matching the expressions."
+    },
+    { "del_entry" },
+    {
+	"del_enctype",	del_enctype,	"del_enctype principal enctype...",
+	"Delete all the mentioned enctypes for principal."
+    },
+    { 
+	"ext_keytab",	ext_keytab, 	"ext_keytab expression...",
+	"Extracts the keys of all principals matching the expressions,\n"
+	"and stores them in a keytab." 
+    },
+    { 
+	"get",		get_entry, 	"get expression...",
+	"Shows information about principals matching the expressions."
+    },
+    { "get_entry" },
+    { 
+	"rename",	rename_entry, 	"rename source target",
+	"Renames `source' to `target'."
+    },
+    { 
+	"modify",	mod_entry, 	"modify principal",
+	"Modifies some attributes of the specified principal."
+    },
+    { 
+	"privileges",	get_privs,	"privileges",
+	"Shows which kinds of operations you are allowed to perform."
+    },
+    { "privs" },
+    { 
+	"list",		list_princs,	"list expression...", 
+	"Lists principals in a terse format. The same as `get -t'." 
+    },
+    { "help",		help, "help"},
+    { "?"},
+    { "exit",		exit_kadmin, "exit"},
+    { "quit" },
+    { NULL}
+};
+
+krb5_context context;
+void *kadm_handle;
+
+static SL_cmd *actual_cmds;
+
+int
+help(int argc, char **argv)
+{
+    sl_help(actual_cmds, argc, argv);
+    return 0;
+}
+
+int
+exit_kadmin (int argc, char **argv)
+{
+    return 1;
+}
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "[command]");
+    exit (ret);
+}
+
+int
+get_privs(int argc, char **argv)
+{
+    u_int32_t privs;
+    char str[128];
+    kadm5_ret_t ret;
+    
+    int help_flag = 0;
+    struct getargs args[] = {
+	{ "help",	'h',	arg_flag,	NULL }
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage (args, num_args, "privileges", NULL);
+	return 0;
+    }
+    if(help_flag) {
+	arg_printusage (args, num_args, "privileges", NULL);
+	return 0;
+    }
+
+    ret = kadm5_get_privs(kadm_handle, &privs);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_get_privs");
+    else{
+	ret =_kadm5_privs_to_string(privs, str, sizeof(str));
+	printf("%s\n", str);
+    }
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_config_section *cf = NULL;
+    kadm5_config_params conf;
+    int optind = 0;
+    int e;
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    while((e = getarg(args, num_args, argc, argv, &optind)))
+	errx(1, "error at argument `%s'", argv[optind]);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (config_file == NULL)
+	config_file = HDB_DB_DIR "/kdc.conf";
+
+    if(krb5_config_parse_file(context, config_file, &cf) == 0) {
+	const char *p = krb5_config_get_string (context, cf, 
+						"kdc", "key-file", NULL);
+	if (p)
+	    keyfile = strdup(p);
+    }
+    krb5_clear_error_string (context);
+
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	krb5_set_default_realm(context, realm); /* XXX should be fixed
+						   some other way */
+	conf.realm = realm;
+	conf.mask |= KADM5_CONFIG_REALM;
+    }
+
+    if (admin_server) {
+	conf.admin_server = admin_server;
+	conf.mask |= KADM5_CONFIG_ADMIN_SERVER;
+    }
+
+    if (server_port) {
+	conf.kadmind_port = htons(server_port);
+	conf.mask |= KADM5_CONFIG_KADMIND_PORT;
+    }
+
+    if(local_flag){
+	ret = kadm5_s_init_with_password_ctx(context, 
+					     KADM5_ADMIN_SERVICE,
+					     NULL,
+					     KADM5_ADMIN_SERVICE,
+					     &conf, 0, 0, 
+					     &kadm_handle);
+	actual_cmds = commands;
+    } else if (keytab) {
+        ret = kadm5_c_init_with_skey_ctx(context,
+					 client_name,
+					 keytab,
+					 KADM5_ADMIN_SERVICE,
+                                         &conf, 0, 0,
+                                         &kadm_handle);
+        actual_cmds = commands + 4; /* XXX */
+    } else {
+	ret = kadm5_c_init_with_password_ctx(context, 
+					     client_name,
+					     NULL,
+					     KADM5_ADMIN_SERVICE,
+					     &conf, 0, 0, 
+					     &kadm_handle);
+	actual_cmds = commands + 4; /* XXX */
+    }
+    
+    if(ret)
+	krb5_err(context, 1, ret, "kadm5_init_with_password");
+
+    signal(SIGINT, SIG_IGN); /* ignore signals for now, the sl command
+                                parser will handle SIGINT its own way;
+                                we should really take care of this in
+                                each function, f.i `get' might be
+                                interruptable, but not `create' */
+    if (argc != 0) {
+	ret = sl_command (actual_cmds, argc, argv);
+	if(ret == -1)
+	    krb5_warnx (context, "unrecognized command: %s", argv[0]);
+    } else
+	ret = sl_loop (actual_cmds, "kadmin> ") != 0;
+
+    kadm5_destroy(kadm_handle);
+    krb5_config_file_free (context, cf);
+    krb5_free_context(context);
+    return ret;
+}
diff --git a/crypto/heimdal/kadmin/kadmin.cat8 b/crypto/heimdal/kadmin/kadmin.cat8
new file mode 100644
index 0000000..31885a7
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmin.cat8
@@ -0,0 +1,123 @@
+
+KADMIN(8)                UNIX System Manager's Manual                KADMIN(8)
+
+NNAAMMEE
+     kkaaddmmiinn - Kerberos administration utility
+
+SSYYNNOOPPSSIISS
+     kkaaddmmiinn [--pp _s_t_r_i_n_g | ----pprriinncciippaall==_s_t_r_i_n_g] [--KK _s_t_r_i_n_g | ----kkeeyyttaabb==_s_t_r_i_n_g] [--cc
+     _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e] [--rr _r_e_a_l_m |
+     ----rreeaallmm==_r_e_a_l_m] [--aa _h_o_s_t | ----aaddmmiinn--sseerrvveerr==_h_o_s_t] [--ss _p_o_r_t _n_u_m_b_e_r |
+     ----sseerrvveerr--ppoorrtt==_p_o_r_t _n_u_m_b_e_r] [--ll | ----llooccaall] [--hh | ----hheellpp] [--vv | ----vveerrssiioonn]
+     [_c_o_m_m_a_n_d]
+
+DDEESSCCRRIIPPTTIIOONN
+     The kkaaddmmiinn program is used to make modification to the Kerberos database,
+     either remotely via the kadmind(8) daemon, or locally (with the --ll op-
+     tion).
+
+     Supported options:
+
+     --pp _s_t_r_i_n_g, ----pprriinncciippaall==_s_t_r_i_n_g
+             principal to authenticate as
+
+     --KK _s_t_r_i_n_g, ----kkeeyyttaabb==_s_t_r_i_n_g
+             keytab for authentication pricipal
+
+     --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e
+             location of config file
+
+     --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e
+             location of master key file
+
+     --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
+             realm to use
+
+     --aa _h_o_s_t, ----aaddmmiinn--sseerrvveerr==_h_o_s_t
+             server to contact
+
+     --ss _p_o_r_t _n_u_m_b_e_r, ----sseerrvveerr--ppoorrtt==_p_o_r_t _n_u_m_b_e_r
+             port to use
+
+     --ll, ----llooccaall
+             local admin mode
+
+     If no _c_o_m_m_a_n_d is given on the command line, kkaaddmmiinn will prompt for com-
+     mands to process. Commands include:
+
+           aadddd [--rr | ----rraannddoomm--kkeeyy] [----rraannddoomm--ppaasssswwoorrdd] [--pp _s_t_r_i_n_g |
+           ----ppaasssswwoorrdd==_s_t_r_i_n_g] [----kkeeyy==_s_t_r_i_n_g] [----mmaaxx--ttiicckkeett--lliiffee==_l_i_f_e_t_i_m_e]
+           [----mmaaxx--rreenneewwaabbllee--lliiffee==_l_i_f_e_t_i_m_e] [----aattttrriibbuutteess==_a_t_t_r_i_b_u_t_e_s]
+           [----eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----ppww--eexxppiirraattiioonn--ttiimmee==_t_i_m_e] _p_r_i_n_c_i_p_a_l_._._.
+
+                 creates a new principal
+
+           ppaasssswwdd [--rr | ----rraannddoomm--kkeeyy] [----rraannddoomm--ppaasssswwoorrdd] [--pp _s_t_r_i_n_g |
+           ----ppaasssswwoorrdd==_s_t_r_i_n_g] [----kkeeyy==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._.
+
+                 changes the password of an existing principal
+
+           ddeelleettee _p_r_i_n_c_i_p_a_l_._._.
+
+                 removes a principal
+
+           ddeell__eennccttyyppee _p_r_i_n_c_i_p_a_l _e_n_c_t_y_p_e_s_._._.
+
+
+                 removes some enctypes from a principal, this can be useful
+                 the service belonging to the principal is known to not handle
+                 certain enctypes
+
+           eexxtt__kkeeyyttaabb [--kk _s_t_r_i_n_g | ----kkeeyyttaabb==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._.
+
+                 creates a keytab with the keys of the specified principals
+
+           ggeett [--ll | ----lloonngg] [--ss | ----sshhoorrtt] [--tt | ----tteerrssee] _e_x_p_r_e_s_s_i_o_n_._._.
+
+                 lists the principals that match the expressions (which are
+                 shell glob like), long format gives more information, and
+                 terse just prints the names
+
+           rreennaammee _f_r_o_m _t_o
+
+                 renames a principal
+
+           mmooddiiffyy [--aa _a_t_t_r_i_b_u_t_e_s | ----aattttrriibbuutteess==_a_t_t_r_i_b_u_t_e_s]
+           [----mmaaxx--ttiicckkeett--lliiffee==_l_i_f_e_t_i_m_e] [----mmaaxx--rreenneewwaabbllee--lliiffee==_l_i_f_e_t_i_m_e]
+           [----eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----ppww--eexxppiirraattiioonn--ttiimmee==_t_i_m_e]
+           [----kkvvnnoo==_n_u_m_b_e_r] _p_r_i_n_c_i_p_a_l
+
+                 modifies certain attributes of a principal
+
+           pprriivviilleeggeess
+
+                 lists the operations you are allowd to perform
+
+     When running in local mode, the following commands can also be used.
+
+           dduummpp [--dd | ----ddeeccrryypptt] [_d_u_m_p_-_f_i_l_e]
+
+                 writes the database in ``human readable'' form to the speci-
+                 fied file, or standard out
+
+           iinniitt [----rreeaallmm--mmaaxx--ttiicckkeett--lliiffee==_s_t_r_i_n_g]
+           [----rreeaallmm--mmaaxx--rreenneewwaabbllee--lliiffee==_s_t_r_i_n_g] _r_e_a_l_m
+
+                 initialises the Kerberos database with entries for a new
+                 realm, it's possible to have more than one realm served by
+                 one server
+
+           llooaadd _f_i_l_e
+
+                 reads a previously dumped database, and re-creates that
+                 database from scratch
+
+           mmeerrggee _f_i_l_e
+
+                 similar to lliisstt but just modifies the database with the en-
+                 tries in the dump file
+
+SSEEEE AALLSSOO
+     kadmind(8),  kdc(8)
+
+ HEIMDAL                      September 10, 2000                             2
diff --git a/crypto/heimdal/kadmin/kadmin_locl.h b/crypto/heimdal/kadmin/kadmin_locl.h
new file mode 100644
index 0000000..5df4e91
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmin_locl.h
@@ -0,0 +1,195 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* 
+ * $Id: kadmin_locl.h,v 1.36 2001/05/07 05:32:04 assar Exp $
+ * $FreeBSD$
+ */
+
+#ifndef __ADMIN_LOCL_H__
+#define __ADMIN_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+#include <err.h>
+#include <roken.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+#include <krb5.h>
+#include <krb5_locl.h>
+#include <hdb.h>
+#include <hdb_err.h>
+#include <kadm5/admin.h>
+#include <kadm5/private.h>
+#include <kadm5/kadm5_err.h>
+#include <parse_time.h>
+#include <getarg.h>
+
+
+extern krb5_context context;
+extern void * kadm_handle;
+
+#define DECL(X) int X(int, char **)
+
+DECL(add_new_key);
+DECL(cpw_entry);
+DECL(del_entry);
+DECL(del_enctype);
+DECL(exit_kadmin);
+DECL(ext_keytab);
+DECL(get_entry);
+DECL(get_privs);
+DECL(help);
+DECL(list_princs);
+DECL(mod_entry);
+DECL(rename_entry);
+DECL(init);
+DECL(dump);
+DECL(load);
+DECL(merge);
+
+#undef ALLOC
+#define ALLOC(X) ((X) = malloc(sizeof(*(X))))
+
+/* util.c */
+
+void attributes2str(krb5_flags attributes, char *str, size_t len);
+int  str2attributes(const char *str, krb5_flags *flags);
+int  parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit);
+int  edit_attributes (const char *prompt, krb5_flags *attr, int *mask,
+		      int bit);
+
+void time_t2str(time_t t, char *str, size_t len, int include_time);
+int  str2time_t (const char *str, time_t *time);
+int  parse_timet (const char *resp, krb5_timestamp *value, int *mask, int bit);
+int  edit_timet (const char *prompt, krb5_timestamp *value, int *mask,
+		 int bit);
+
+void deltat2str(unsigned t, char *str, size_t len);
+int  str2deltat(const char *str, krb5_deltat *delta);
+int  parse_deltat (const char *resp, krb5_deltat *value, int *mask, int bit);
+int  edit_deltat (const char *prompt, krb5_deltat *value, int *mask, int bit);
+
+int edit_entry(kadm5_principal_ent_t ent, int *mask,
+	       kadm5_principal_ent_t default_ent, int default_mask);
+int set_entry(krb5_context context,
+	      kadm5_principal_ent_t ent,
+	      int *mask,
+	      const char *max_ticket_life,
+	      const char *max_renewable_life,
+	      const char *expiration,
+	      const char *pw_expiration,
+	      const char *attributes);
+int
+foreach_principal(const char *exp, 
+		  int (*func)(krb5_principal, void*), 
+		  const char *funcname,
+		  void *data);
+
+void get_response(const char *prompt, const char *def, char *buf, size_t len);
+
+int parse_des_key (const char *key_string,
+		   krb5_key_data *key_data, const char **err);
+
+/* server.c */
+
+krb5_error_code
+kadmind_loop (krb5_context, krb5_auth_context, krb5_keytab, int);
+
+/* version4.c */
+
+void
+handle_v4(krb5_context context, krb5_keytab keytab, int len, int fd);
+
+/* random_password.c */
+
+void
+random_password(char *pw, size_t len);
+
+/* kadm_conn.c */
+
+extern sig_atomic_t term_flag, doing_useful_work;
+
+void parse_ports(krb5_context, const char*);
+int start_server(krb5_context);
+
+/* server.c */
+
+krb5_error_code
+kadmind_loop (krb5_context, krb5_auth_context, krb5_keytab, int);
+
+#endif /* __ADMIN_LOCL_H__ */
diff --git a/crypto/heimdal/kadmin/kadmind.8 b/crypto/heimdal/kadmin/kadmind.8
new file mode 100644
index 0000000..928d12f
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmind.8
@@ -0,0 +1,137 @@
+.Dd June  7, 2000
+.Dt KADMIND 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kadmind
+.Nd "server for administrative access to kerberos database"
+.Sh SYNOPSIS
+.Nm
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file
+.Xc
+.Oc
+.Oo Fl k Ar file \*(Ba Xo
+.Fl -key-file= Ns Ar file
+.Xc
+.Oc
+.Op Fl -keytab= Ns Ar keytab
+.Oo Fl r Ar realm \*(Ba Xo
+.Fl -realm= Ns Ar realm
+.Xc
+.Oc
+.Op Fl d | Fl -debug
+.Oo Fl p Ar port \*(Ba Xo
+.Fl -ports= Ns Ar port
+.Xc
+.Oc
+.Sh DESCRIPTION
+.Nm
+listens for requests for changes to the Kerberos database and performs
+these, subject to permissions.  When starting, if stdin is a socket it assumes that it has been started by 
+.Xr inetd 8 ,
+otherwise it behaves as a daemon, forking processes for each new
+connection. The 
+.Fl -debug
+option causes 
+.Nm
+to accept exactly one connection, which is useful for debugging. 
+.Pp
+If built with krb4 support, it implements both the Heimdal Kerberos 5
+administrative protocol and the Kerberos 4 protocol. Password changes
+via the Kerberos 4 protocol are also performed by
+.Nm kadmind ,
+but the
+.Xr kpasswdd 8 
+daemon is responsible for the Kerberos 5 password changing protocol
+(used by
+.Xr kpasswd 1 )
+.
+.Pp
+This daemon should only be run on ther master server, and not on any
+slaves.
+.Pp
+Principals are always allowed to change their own password and list
+their own principals.  Apart from that, doing any operation requires
+permission explicitly added in the ACL file
+.Pa /var/heimdal/kadmind.acl .
+The format of this file is:
+.Bd -ragged
+.Va principal
+.Va rights
+.Op Va principal-pattern
+.Ed
+.Pp
+Where rights is any combination of:
+.Bl -bullet
+.It
+change-password | cpw
+.It
+list
+.It
+delete
+.It
+modify
+.It
+add
+.It
+get
+.It
+all
+.El
+.Pp
+And the optional
+.Ar principal-pattern
+restricts the rights to principals that match the glob-style pattern.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar file Ns ,
+.Fl -config-file= Ns Ar file
+.Xc
+location of config file
+.It Xo
+.Fl k Ar file Ns ,
+.Fl -key-file= Ns Ar file
+.Xc
+location of master key file
+.It Xo
+.Fl -keytab= Ns Ar keytab
+.Xc
+what keytab to use
+.It Xo
+.Fl r Ar realm Ns ,
+.Fl -realm= Ns Ar realm
+.Xc
+realm to use
+.It Xo
+.Fl d Ns ,
+.Fl -debug
+.Xc
+enable debugging
+.It Xo
+.Fl p Ar port Ns ,
+.Fl -ports= Ns Ar port
+.Xc
+ports to listen to. By default, if run as a daemon, it listen to ports
+749, and 751 (if built with Kerberos 4 support), but you can add any
+number of ports with this option. The port string is a whitespace
+separated list of port specifications, with the special string 
+.Dq +
+representing the default set of ports.
+.El
+.\".Sh ENVIRONMENT
+.Sh FILES
+.Pa /var/heimdal/kadmind.acl
+.Sh EXAMPLES
+This will cause kadmind to listen to port 4711 in addition to any
+compiled in defaults:
+.Bd -literal -offset indent
+# kadmind --ports="+ 4711" &
+.Ed
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kdc 8 ,
+.Xr kadmin 1 ,
+.Xr kpasswdd 8 ,
+.Xr kpasswd 1
diff --git a/crypto/heimdal/kadmin/kadmind.c b/crypto/heimdal/kadmin/kadmind.c
new file mode 100644
index 0000000..c8fe8ec
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmind.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: kadmind.c,v 1.27 2001/05/14 06:16:41 assar Exp $");
+
+static char *check_library  = NULL;
+static char *check_function = NULL;
+static char *config_file;
+static char *keyfile;
+static char *keytab_str = "HDB:";
+static int help_flag;
+static int version_flag;
+static int debug_flag;
+static char *port_str;
+char *realm;
+
+static struct getargs args[] = {
+    { 
+	"config-file",	'c',	arg_string,	&config_file, 
+	"location of config file",	"file" 
+    },
+    {
+	"key-file",	'k',	arg_string, &keyfile, 
+	"location of master key file", "file"
+    },
+    {
+	"keytab",	0,	arg_string, &keytab_str,
+	"what keytab to use", "keytab"
+    },
+    {	"realm",	'r',	arg_string,   &realm, 
+	"realm to use", "realm" 
+    },
+#ifdef HAVE_DLOPEN
+    { "check-library", 0, arg_string, &check_library, 
+      "library to load password check function from", "library" },
+    { "check-function", 0, arg_string, &check_function,
+      "password check function to load", "function" },
+#endif
+    {	"debug",	'd',	arg_flag,   &debug_flag, 
+	"enable debugging" 
+    },
+    {	"ports",	'p',	arg_string, &port_str, 
+	"ports to listen to", "port" },
+    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"version",	'v',	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+krb5_context context;
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_config_section *cf;
+    int optind = 0;
+    int e;
+    krb5_log_facility *logf;
+    krb5_keytab keytab;
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    ret = krb5_openlog(context, "kadmind", &logf);
+    ret = krb5_set_warn_dest(context, logf);
+
+    while((e = getarg(args, num_args, argc, argv, &optind)))
+	warnx("error at argument `%s'", argv[optind]);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_register");
+
+    if (config_file == NULL)
+	config_file = HDB_DB_DIR "/kdc.conf";
+
+    if(krb5_config_parse_file(context, config_file, &cf) == 0) {
+	const char *p = krb5_config_get_string (context, cf, 
+						"kdc", "key-file", NULL);
+	if (p)
+	    keyfile = strdup(p);
+    }
+
+    ret = krb5_kt_resolve(context, keytab_str, &keytab);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve");
+
+    kadm5_setup_passwd_quality_check (context, check_library, check_function);
+
+    {
+	int fd = 0;
+	struct sockaddr_storage __ss;
+	struct sockaddr *sa = (struct sockaddr *)&__ss;
+	socklen_t sa_size = sizeof(__ss);
+	krb5_auth_context ac = NULL;
+	int debug_port;
+
+	if(debug_flag) {
+	    if(port_str == NULL)
+		debug_port = krb5_getportbyname (context, "kerberos-adm", 
+						 "tcp", 749);
+	    else
+		debug_port = htons(atoi(port_str));
+	    mini_inetd(debug_port);
+	} else if(roken_getsockname(STDIN_FILENO, sa, &sa_size) < 0 && 
+		   errno == ENOTSOCK) {
+	    parse_ports(context, port_str ? port_str : "+");
+	    pidfile(NULL);
+	    start_server(context);
+	}
+	if(realm)
+	    krb5_set_default_realm(context, realm); /* XXX */
+	kadmind_loop(context, ac, keytab, fd);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/kadmind.cat8 b/crypto/heimdal/kadmin/kadmind.cat8
new file mode 100644
index 0000000..c03ae18
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmind.cat8
@@ -0,0 +1,93 @@
+
+KADMIND(8)               UNIX System Manager's Manual               KADMIND(8)
+
+NNAAMMEE
+     kkaaddmmiinndd - server for administrative access to kerberos database
+
+SSYYNNOOPPSSIISS
+     kkaaddmmiinndd [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e]
+     [----kkeeyyttaabb==_k_e_y_t_a_b] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--dd | ----ddeebbuugg] [--pp _p_o_r_t |
+     ----ppoorrttss==_p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     kkaaddmmiinndd listens for requests for changes to the Kerberos database and
+     performs these, subject to permissions.  When starting, if stdin is a
+     socket it assumes that it has been started by inetd(8),  otherwise it be-
+     haves as a daemon, forking processes for each new connection. The ----ddeebbuugg
+     option causes kkaaddmmiinndd to accept exactly one connection, which is useful
+     for debugging.
+
+     If built with krb4 support, it implements both the Heimdal Kerberos 5 ad-
+     ministrative protocol and the Kerberos 4 protocol. Password changes via
+     the Kerberos 4 protocol are also performed by kkaaddmmiinndd, but the kpass-
+     wdd(8) daemon is responsible for the Kerberos 5 password changing proto-
+     col (used by kpasswd(1))
+
+     This daemon should only be run on ther master server, and not on any
+     slaves.
+
+     Principals are always allowed to change their own password and list their
+     own principals.  Apart from that, doing any operation requires permission
+     explicitly added in the ACL file _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l. The format of
+     this file is:
+
+     _p_r_i_n_c_i_p_a_l _r_i_g_h_t_s [_p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n]
+
+     Where rights is any combination of:
+
+     ++oo   change-password | cpw
+
+     ++oo   list
+
+     ++oo   delete
+
+     ++oo   modify
+
+     ++oo   add
+
+     ++oo   get
+
+     ++oo   all
+
+     And the optional _p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n restricts the rights to principals
+     that match the glob-style pattern.
+
+     Supported options:
+
+     --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e
+             location of config file
+
+     --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e
+             location of master key file
+
+     ----kkeeyyttaabb==_k_e_y_t_a_b
+
+
+             what keytab to use
+
+     --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
+             realm to use
+
+     --dd, ----ddeebbuugg
+             enable debugging
+
+     --pp _p_o_r_t, ----ppoorrttss==_p_o_r_t
+             ports to listen to. By default, if run as a daemon, it listen to
+             ports 749, and 751 (if built with Kerberos 4 support), but you
+             can add any number of ports with this option. The port string is
+             a whitespace separated list of port specifications, with the spe-
+             cial string ``+'' representing the default set of ports.
+
+FFIILLEESS
+     _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l
+
+EEXXAAMMPPLLEESS
+     This will cause kadmind to listen to port 4711 in addition to any com-
+     piled in defaults:
+
+           # kadmind --ports="+ 4711" &
+
+SSEEEE AALLSSOO
+     kdc(8),  kadmin(1),  kpasswdd(8),  kpasswd(1)
+
+ HEIMDAL                         June 7, 2000                                2
diff --git a/crypto/heimdal/kadmin/load.c b/crypto/heimdal/kadmin/load.c
new file mode 100644
index 0000000..f117554
--- /dev/null
+++ b/crypto/heimdal/kadmin/load.c
@@ -0,0 +1,533 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <kadm5/private.h>
+
+RCSID("$Id: load.c,v 1.41 2001/02/20 01:44:49 assar Exp $");
+
+struct entry {
+    char *principal;
+    char *key;
+    char *max_life;
+    char *max_renew;
+    char *created;
+    char *modified;
+    char *valid_start;
+    char *valid_end;
+    char *pw_end;
+    char *flags;
+    char *etypes;
+};
+
+static char *
+skip_next(char *p)
+{
+    while(*p && !isspace((unsigned char)*p)) 
+	p++;
+    *p++ = 0;
+    while(*p && isspace((unsigned char)*p))
+	p++;
+    return p;
+}
+
+/*
+ * Parse the time in `s', returning:
+ * -1 if error parsing
+ * 0  if none  present
+ * 1  if parsed ok
+ */
+
+static int
+parse_time_string(time_t *t, const char *s)
+{
+    int year, month, date, hour, minute, second;
+    struct tm tm;
+
+    if(strcmp(s, "-") == 0)
+	return 0;
+    if(sscanf(s, "%04d%02d%02d%02d%02d%02d", 
+	      &year, &month, &date, &hour, &minute, &second) != 6)
+	return -1;
+    tm.tm_year  = year - 1900;
+    tm.tm_mon   = month - 1;
+    tm.tm_mday  = date;
+    tm.tm_hour  = hour;
+    tm.tm_min   = minute;
+    tm.tm_sec   = second;
+    tm.tm_isdst = 0;
+    *t = timegm(&tm);
+    return 1;
+}
+
+/*
+ * parse time, allocating space in *t if it's there
+ */
+
+static int
+parse_time_string_alloc (time_t **t, const char *s)
+{
+    time_t tmp;
+    int ret;
+
+    *t = NULL;
+    ret = parse_time_string (&tmp, s);
+    if (ret == 1) {
+	*t = malloc (sizeof (**t));
+	if (*t == NULL)
+	    krb5_errx (context, 1, "malloc: out of memory");
+	**t = tmp;
+    }
+    return ret;
+}
+
+/*
+ * see parse_time_string for calling convention
+ */
+
+static int
+parse_integer(unsigned *u, const char *s)
+{
+    if(strcmp(s, "-") == 0)
+	return 0;
+    if (sscanf(s, "%u", u) != 1)
+	return -1;
+    return 1;
+}
+
+static int
+parse_integer_alloc (int **u, const char *s)
+{
+    unsigned tmp;
+    int ret;
+
+    *u = NULL;
+    ret = parse_integer (&tmp, s);
+    if (ret == 1) {
+	*u = malloc (sizeof (**u));
+	if (*u == NULL)
+	    krb5_errx (context, 1, "malloc: out of memory");
+	**u = tmp;
+    }
+    return ret;
+}
+
+/*
+ * Parse dumped keys in `str' and store them in `ent'
+ * return -1 if parsing failed
+ */
+
+static int
+parse_keys(hdb_entry *ent, char *str)
+{
+    krb5_error_code ret;
+    int tmp;
+    char *p;
+    int i;
+    
+    p = strsep(&str, ":");
+    if (sscanf(p, "%d", &tmp) != 1)
+	return 1;
+    ent->kvno = tmp;
+    p = strsep(&str, ":");
+    while(p){
+	Key *key;
+	key = realloc(ent->keys.val, 
+		      (ent->keys.len + 1) * sizeof(*ent->keys.val));
+	if(key == NULL)
+	    krb5_errx (context, 1, "realloc: out of memory");
+	ent->keys.val = key;
+	key = ent->keys.val + ent->keys.len;
+	ent->keys.len++;
+	memset(key, 0, sizeof(*key));
+	if(sscanf(p, "%d", &tmp) == 1) {
+	    key->mkvno = malloc(sizeof(*key->mkvno));
+	    *key->mkvno = tmp;
+	} else
+	    key->mkvno = NULL;
+	p = strsep(&str, ":");
+	if (sscanf(p, "%d", &tmp) != 1)
+	    return 1;
+	key->key.keytype = tmp;
+	p = strsep(&str, ":");
+	ret = krb5_data_alloc(&key->key.keyvalue, (strlen(p) - 1) / 2 + 1);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_data_alloc");
+	for(i = 0; i < strlen(p); i += 2) {
+	    if(sscanf(p + i, "%02x", &tmp) != 1)
+		return 1;
+	    ((u_char*)key->key.keyvalue.data)[i / 2] = tmp;
+	}
+	p = strsep(&str, ":");
+	if(strcmp(p, "-") != 0){
+	    unsigned type;
+	    size_t p_len;
+
+	    if(sscanf(p, "%u/", &type) != 1)
+		return 1;
+	    p = strchr(p, '/');
+	    if(p == NULL)
+		return 1;
+	    p++;
+	    p_len = strlen(p);
+
+	    key->salt = malloc(sizeof(*key->salt));
+	    if (key->salt == NULL)
+		krb5_errx (context, 1, "malloc: out of memory");
+	    key->salt->type = type;
+		
+	    if (p_len) {
+		if(*p == '\"') {
+		    ret = krb5_data_copy(&key->salt->salt, p + 1, p_len - 2);
+		    if (ret)
+			krb5_err (context, 1, ret, "krb5_data_copy");
+		} else {
+		    ret = krb5_data_alloc(&key->salt->salt,
+					  (p_len - 1) / 2 + 1);
+		    if (ret)
+			krb5_err (context, 1, ret, "krb5_data_alloc");
+		    for(i = 0; i < p_len; i += 2){
+			if (sscanf(p + i, "%02x", &tmp) != 1)
+			    return 1;
+			((u_char*)key->salt->salt.data)[i / 2] = tmp;
+		    }
+		}
+	    } else
+		krb5_data_zero (&key->salt->salt);
+	}
+	p = strsep(&str, ":");
+    }
+    return 0;
+}
+
+/*
+ * see parse_time_string for calling convention
+ */
+
+static int
+parse_event(Event *ev, char *s)
+{
+    krb5_error_code ret;
+    char *p;
+
+    if(strcmp(s, "-") == 0)
+	return 0;
+    memset(ev, 0, sizeof(*ev));
+    p = strsep(&s, ":");
+    if(parse_time_string(&ev->time, p) != 1)
+	return -1;
+    p = strsep(&s, ":");
+    ret = krb5_parse_name(context, p, &ev->principal);
+    if (ret)
+	return -1;
+    return 1;
+}
+
+static int
+parse_event_alloc (Event **ev, char *s)
+{
+    Event tmp;
+    int ret;
+
+    *ev = NULL;
+    ret = parse_event (&tmp, s);
+    if (ret == 1) {
+	*ev = malloc (sizeof (**ev));
+	if (*ev == NULL)
+	    krb5_errx (context, 1, "malloc: out of memory");
+	**ev = tmp;
+    }
+    return ret;
+}
+
+static int
+parse_hdbflags2int(HDBFlags *f, const char *s)
+{
+    int ret;
+    unsigned tmp;
+
+    ret = parse_integer (&tmp, s);
+    if (ret == 1)
+	*f = int2HDBFlags (tmp);
+    return ret;
+}
+
+#if 0
+static void
+parse_etypes(char *str, unsigned **val, unsigned *len)
+{
+    unsigned v;
+    
+    *val = NULL;
+    *len = 0;
+    while(sscanf(str, "%u", &v) == 1) {
+	*val = realloc(*val, (*len+1) * sizeof(**val));
+	(*val)[(*len)++] = v;
+	str = strchr(str, ':');
+	if(str == NULL)
+	    break;
+	str++;
+    }
+}
+#endif
+
+/*
+ * Parse the dump file in `filename' and create the database (merging
+ * iff merge)
+ */
+
+static int
+doit(const char *filename, int merge)
+{
+    krb5_error_code ret;
+    FILE *f;
+    char s[1024];
+    char *p;
+    int line;
+    int flags = O_RDWR;
+    struct entry e;
+    hdb_entry ent;
+    HDB *db = _kadm5_s_get_db(kadm_handle);
+
+    f = fopen(filename, "r");
+    if(f == NULL){
+	krb5_warn(context, errno, "fopen(%s)", filename);
+	return 1;
+    }
+    ret = kadm5_log_truncate (kadm_handle);
+    if (ret) {
+	fclose (f);
+	krb5_warn(context, ret, "kadm5_log_truncate");
+	return 1;
+    }
+
+    if(!merge)
+	flags |= O_CREAT | O_TRUNC;
+    ret = db->open(context, db, flags, 0600);
+    if(ret){
+	krb5_warn(context, ret, "hdb_open");
+	fclose(f);
+	return 1;
+    }
+    line = 0;
+    ret = 0;
+    while(fgets(s, sizeof(s), f) != NULL) {
+	ret = 0;
+	line++;
+	e.principal = s;
+	for(p = s; *p; p++){
+	    if(*p == '\\')
+		p++;
+	    else if(isspace((unsigned char)*p)) {
+		*p = 0;
+		break;
+	    }
+	}
+	p = skip_next(p);
+	
+	e.key = p;
+	p = skip_next(p);
+
+	e.created = p;
+	p = skip_next(p);
+
+	e.modified = p;
+	p = skip_next(p);
+
+	e.valid_start = p;
+	p = skip_next(p);
+
+	e.valid_end = p;
+	p = skip_next(p);
+
+	e.pw_end = p;
+	p = skip_next(p);
+
+	e.max_life = p;
+	p = skip_next(p);
+
+	e.max_renew = p;
+	p = skip_next(p);
+
+	e.flags = p;
+	p = skip_next(p);
+
+	e.etypes = p;
+	p = skip_next(p);
+
+	memset(&ent, 0, sizeof(ent));
+	ret = krb5_parse_name(context, e.principal, &ent.principal);
+	if(ret) {
+	    fprintf(stderr, "%s:%d:%s (%s)\n", 
+		    filename, 
+		    line,
+		    krb5_get_err_text(context, ret),
+		    e.principal);
+	    continue;
+	}
+	
+	if (parse_keys(&ent, e.key)) {
+	    fprintf (stderr, "%s:%d:error parsing keys (%s)\n",
+		     filename, line, e.key);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+	
+	if (parse_event(&ent.created_by, e.created) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing created event (%s)\n",
+		     filename, line, e.created);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+	if (parse_event_alloc (&ent.modified_by, e.modified) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing event (%s)\n",
+		     filename, line, e.modified);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+	if (parse_time_string_alloc (&ent.valid_start, e.valid_start) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing time (%s)\n",
+		     filename, line, e.valid_start);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+	if (parse_time_string_alloc (&ent.valid_end,   e.valid_end) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing time (%s)\n",
+		     filename, line, e.valid_end);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+	if (parse_time_string_alloc (&ent.pw_end,      e.pw_end) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing time (%s)\n",
+		     filename, line, e.pw_end);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+
+	if (parse_integer_alloc (&ent.max_life,  e.max_life) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n",
+		     filename, line, e.max_life);
+	    hdb_free_entry (context, &ent);
+	    continue;
+
+	}
+	if (parse_integer_alloc (&ent.max_renew, e.max_renew) == -1) {
+	    fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n",
+		     filename, line, e.max_renew);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+
+	if (parse_hdbflags2int (&ent.flags, e.flags) != 1) {
+	    fprintf (stderr, "%s:%d:error parsing flags (%s)\n",
+		     filename, line, e.flags);
+	    hdb_free_entry (context, &ent);
+	    continue;
+	}
+#if 0
+	ALLOC(ent.etypes);
+	parse_etypes(e.etypes, &ent.etypes->val, &ent.etypes->len);
+	if(ent.etypes->len == 0) {
+	    free(ent.etypes);
+	    ent.etypes = NULL;
+	}
+#endif
+
+	ret = db->store(context, db, HDB_F_REPLACE, &ent);
+	hdb_free_entry (context, &ent);
+	if (ret) {
+	    krb5_warn(context, ret, "db_store");
+	    break;
+	}
+    }
+    db->close(context, db);
+    fclose(f);
+    return ret != 0;
+}
+
+
+static struct getargs args[] = {
+    { "help", 'h', arg_flag, NULL }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(const char *name)
+{
+    arg_printusage (args, num_args, name, "file");
+}
+
+
+
+int
+load(int argc, char **argv)
+{
+    int optind = 0;
+    int help_flag = 0;
+
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ("load");
+	return 0;
+    }
+    if(argc - optind != 1 || help_flag) {
+	usage ("load");
+	return 0;
+    }
+
+    doit(argv[optind], 0);
+    return 0;
+}
+
+int
+merge(int argc, char **argv)
+{
+    int optind = 0;
+    int help_flag = 0;
+
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ("merge");
+	return 0;
+    }
+    if(argc - optind != 1 || help_flag) {
+	usage ("merge");
+	return 0;
+    }
+
+    doit(argv[optind], 1);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/mod.c b/crypto/heimdal/kadmin/mod.c
new file mode 100644
index 0000000..1ea9c86
--- /dev/null
+++ b/crypto/heimdal/kadmin/mod.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: mod.c,v 1.10 2000/07/11 14:34:56 joda Exp $");
+
+static int parse_args (krb5_context context, kadm5_principal_ent_t ent,
+		       int argc, char **argv, int *optind, char *name,
+		       int *mask);
+
+static int
+parse_args(krb5_context context, kadm5_principal_ent_t ent,
+	    int argc, char **argv, int *optind, char *name,
+	    int *mask)
+{
+    char *attr_str = NULL;
+    char *max_life_str = NULL;
+    char *max_rlife_str = NULL;
+    char *expiration_str = NULL;
+    char *pw_expiration_str = NULL;
+    int new_kvno = -1;
+    int ret, i;
+
+    struct getargs args[] = {
+	{"attributes",	'a',	arg_string, NULL, "Attributies",
+	 "attributes"},
+	{"max-ticket-life", 0,	arg_string, NULL, "max ticket lifetime",
+	 "lifetime"},
+	{"max-renewable-life",  0, arg_string,	NULL,
+	 "max renewable lifetime", "lifetime" },
+	{"expiration-time",	0,	arg_string, 
+	 NULL, "Expiration time", "time"},
+	{"pw-expiration-time",  0,	arg_string, 
+	 NULL, "Password expiration time", "time"},
+	{"kvno",  0,	arg_integer, 
+	 NULL, "Key version number", "number"},
+    };
+
+    i = 0;
+    args[i++].value = &attr_str;
+    args[i++].value = &max_life_str;
+    args[i++].value = &max_rlife_str;
+    args[i++].value = &expiration_str;
+    args[i++].value = &pw_expiration_str;
+    args[i++].value = &new_kvno;
+
+    *optind = 0; /* XXX */
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), 
+	      argc, argv, optind)){
+	arg_printusage(args, 
+		       sizeof(args) / sizeof(args[0]), 
+		       name ? name : "",
+		       "principal");
+	return -1;
+    }
+    
+    ret = set_entry(context, ent, mask, max_life_str, max_rlife_str, 
+		    expiration_str, pw_expiration_str, attr_str);
+    if (ret)
+	return ret;
+
+    if(new_kvno != -1) {
+	ent->kvno = new_kvno;
+	*mask |= KADM5_KVNO;
+    }
+    return 0;
+}
+
+int
+mod_entry(int argc, char **argv)
+{
+    kadm5_principal_ent_rec princ;
+    int mask = 0;
+    krb5_error_code ret;
+    krb5_principal princ_ent = NULL;
+    int optind;
+
+    memset (&princ, 0, sizeof(princ));
+
+    ret = parse_args (context, &princ, argc, argv,
+		      &optind, "mod", &mask);
+    if (ret)
+	return 0;
+
+    argc -= optind;
+    argv += optind;
+    
+    if (argc != 1) {
+	printf ("Usage: mod [options] principal\n");
+	return 0;
+    }
+
+    krb5_parse_name(context, argv[0], &princ_ent);
+
+    if (mask == 0) {
+	memset(&princ, 0, sizeof(princ));
+	ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, 
+				  KADM5_PRINCIPAL | KADM5_ATTRIBUTES | 
+				  KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
+				  KADM5_PRINC_EXPIRE_TIME |
+				  KADM5_PW_EXPIRATION);
+	krb5_free_principal (context, princ_ent);
+	if (ret) {
+	    printf ("no such principal: %s\n", argv[0]);
+	    return 0;
+	}
+	edit_entry(&princ, &mask, NULL, 0);
+    } else {
+	princ.principal = princ_ent;
+    }
+
+    ret = kadm5_modify_principal(kadm_handle, &princ, mask);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_modify_principal");
+    kadm5_free_principal_ent(kadm_handle, &princ);
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/random_password.c b/crypto/heimdal/kadmin/random_password.c
new file mode 100644
index 0000000..92fb2fc
--- /dev/null
+++ b/crypto/heimdal/kadmin/random_password.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: random_password.c,v 1.4 2001/02/15 04:20:53 assar Exp $");
+
+/* This file defines some a function that generates a random password,
+   that can be used when creating a large amount of principals (such
+   as for a batch of students). Since this is a political matter, you
+   should think about how secure generated passwords has to be.
+   
+   Both methods defined here will give you at least 55 bits of
+   entropy.
+   */
+
+/* If you want OTP-style passwords, define OTP_STYLE */
+
+#ifdef OTP_STYLE
+#include <otp.h>
+#else
+static void generate_password(char **pw, int num_classes, ...);
+#endif
+
+void
+random_password(char *pw, size_t len)
+{
+#ifdef OTP_STYLE
+    {
+	OtpKey newkey;
+
+	krb5_generate_random_block(&newkey, sizeof(newkey));
+	otp_print_stddict (newkey, pw, len);
+	strlwr(pw);
+    }
+#else
+    char *pass;
+    generate_password(&pass, 3, 
+		      "abcdefghijklmnopqrstuvwxyz", 7, 
+		      "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 2, 
+		      "@$%&*()-+=:,/<>1234567890", 1);
+    strlcpy(pw, pass, len);
+    memset(pass, 0, strlen(pass));
+    free(pass);
+#endif
+}
+
+/* some helper functions */
+
+#ifndef OTP_STYLE
+/* return a random value in range 0-127 */
+static int
+RND(unsigned char *key, int keylen, int *left)
+{
+    if(*left == 0){
+	krb5_generate_random_block(key, keylen);
+	*left = keylen;
+    }
+    (*left)--;
+    return ((unsigned char*)key)[*left];
+}
+
+/* This a helper function that generates a random password with a
+   number of characters from a set of character classes.
+
+   If there are n classes, and the size of each class is Pi, and the
+   number of characters from each class is Ni, the number of possible
+   passwords are (given that the character classes are disjoint):
+
+     n             n
+   -----        /  ----  \
+   |   |  Ni    |  \     |
+   |   | Pi     |   \  Ni| !
+   |   | ---- * |   /    |
+   |   | Ni!    |  /___  |
+    i=1          \  i=1  /
+   
+    Since it uses the RND function above, neither the size of each
+    class, nor the total length of the generated password should be
+    larger than 127 (without fixing RND).
+   
+   */
+static void
+generate_password(char **pw, int num_classes, ...)
+{
+    struct {
+	const char *str;
+	int len;
+	int freq;
+    } *classes;
+    va_list ap;
+    int len, i;
+    unsigned char rbuf[8]; /* random buffer */
+    int rleft = 0;
+
+    classes = malloc(num_classes * sizeof(*classes));
+    va_start(ap, num_classes);
+    len = 0;
+    for(i = 0; i < num_classes; i++){
+	classes[i].str = va_arg(ap, const char*);
+	classes[i].len = strlen(classes[i].str);
+	classes[i].freq = va_arg(ap, int);
+	len += classes[i].freq;
+    }
+    va_end(ap);
+    *pw = malloc(len + 1);
+    if(*pw == NULL)
+	return;
+    for(i = 0; i < len; i++) {
+	int j;
+	int x = RND(rbuf, sizeof(rbuf), &rleft) % (len - i);
+	int t = 0;
+	for(j = 0; j < num_classes; j++) {
+	    if(x < t + classes[j].freq) {
+		(*pw)[i] = classes[j].str[RND(rbuf, sizeof(rbuf), &rleft)
+					 % classes[j].len];
+		classes[j].freq--;
+		break;
+	    }
+	    t += classes[j].freq;
+	}
+    }
+    (*pw)[len] = '\0';
+    memset(rbuf, 0, sizeof(rbuf));
+    free(classes);
+}
+#endif
diff --git a/crypto/heimdal/kadmin/rename.c b/crypto/heimdal/kadmin/rename.c
new file mode 100644
index 0000000..ac5f4d6
--- /dev/null
+++ b/crypto/heimdal/kadmin/rename.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: rename.c,v 1.4 2001/05/04 13:07:03 joda Exp $");
+
+static struct getargs args[] = {
+    { "help", 'h', arg_flag, NULL }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(void)
+{
+    arg_printusage (args, num_args, "rename", "from to");
+}
+
+int
+rename_entry(int argc, char **argv)
+{
+    int optind = 0;
+    int help_flag = 0;
+
+    krb5_error_code ret;
+    krb5_principal princ1, princ2;
+
+    args[0].value = &help_flag;
+
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	usage ();
+	return 0;
+    }
+    if(argc - optind != 2 || help_flag) {
+	usage ();
+	return 0;
+    }
+
+    ret = krb5_parse_name(context, argv[1], &princ1);
+    if(ret){
+	krb5_warn(context, ret, "krb5_parse_name(%s)", argv[1]);
+	return 0;
+    }
+    ret = krb5_parse_name(context, argv[2], &princ2);
+    if(ret){
+	krb5_free_principal(context, princ2);
+	krb5_warn(context, ret, "krb5_parse_name(%s)", argv[2]);
+	return 0;
+    }
+    ret = kadm5_rename_principal(kadm_handle, princ1, princ2);
+    if(ret)
+	krb5_warn(context, ret, "rename");
+    krb5_free_principal(context, princ1);
+    krb5_free_principal(context, princ2);
+    return 0;
+}
+
diff --git a/crypto/heimdal/kadmin/server.c b/crypto/heimdal/kadmin/server.c
new file mode 100644
index 0000000..add1dde
--- /dev/null
+++ b/crypto/heimdal/kadmin/server.c
@@ -0,0 +1,555 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <krb5-private.h>
+
+RCSID("$Id: server.c,v 1.32 2000/09/19 12:46:01 assar Exp $");
+
+static kadm5_ret_t
+kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
+		 krb5_data *in, krb5_data *out)
+{
+    kadm5_ret_t ret;
+    int32_t cmd, mask, tmp;
+    kadm5_server_context *context = kadm_handle;
+    char client[128], name[128], name2[128];
+    char *op = "";
+    krb5_principal princ, princ2;
+    kadm5_principal_ent_rec ent;
+    char *password, *exp;
+    krb5_keyblock *new_keys;
+    int n_keys;
+    char **princs;
+    int n_princs;
+    krb5_storage *sp;
+    
+    krb5_unparse_name_fixed(context->context, context->caller, 
+			    client, sizeof(client));
+    
+    sp = krb5_storage_from_data(in);
+
+    krb5_ret_int32(sp, &cmd);
+    switch(cmd){
+    case kadm_get:{
+	op = "GET";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_int32(sp, &mask);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET, princ);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_get_principal(kadm_handle, princ, &ent, mask);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	if(ret == 0){
+	    kadm5_store_principal_ent(sp, &ent);
+	    kadm5_free_principal_ent(kadm_handle, &ent);
+	}
+	krb5_free_principal(context->context, princ);
+	break;
+    }
+    case kadm_delete:{
+	op = "DELETE";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE, princ);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_delete_principal(kadm_handle, princ);
+	krb5_free_principal(context->context, princ);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_create:{
+	op = "CREATE";
+	ret = kadm5_ret_principal_ent(sp, &ent);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_int32(sp, &mask);
+	if(ret){
+	    kadm5_free_principal_ent(context->context, &ent);
+	    goto fail;
+	}
+	ret = krb5_ret_string(sp, &password);
+	if(ret){
+	    kadm5_free_principal_ent(context->context, &ent);
+	    goto fail;
+	}
+	krb5_unparse_name_fixed(context->context, ent.principal, 
+				name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD,
+					  ent.principal);
+	if(ret){
+	    kadm5_free_principal_ent(context->context, &ent);
+	    memset(password, 0, strlen(password));
+	    free(password);
+	    goto fail;
+	}
+	ret = kadm5_create_principal(kadm_handle, &ent, 
+				     mask, password);
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	memset(password, 0, strlen(password));
+	free(password);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_modify:{
+	op = "MODIFY";
+	ret = kadm5_ret_principal_ent(sp, &ent);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_int32(sp, &mask);
+	if(ret){
+	    kadm5_free_principal_ent(context, &ent);
+	    goto fail;
+	}
+	krb5_unparse_name_fixed(context->context, ent.principal, 
+				name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_MODIFY,
+					  ent.principal);
+	if(ret){
+	    kadm5_free_principal_ent(context, &ent);
+	    goto fail;
+	}
+	ret = kadm5_modify_principal(kadm_handle, &ent, mask);
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_rename:{
+	op = "RENAME";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_principal(sp, &princ2);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_unparse_name_fixed(context->context, princ2, name2, sizeof(name2));
+	krb5_warnx(context->context, "%s: %s %s -> %s", 
+		   client, op, name, name2);
+	ret = _kadm5_acl_check_permission(context, 
+					  KADM5_PRIV_ADD,
+					  princ2)
+	    || _kadm5_acl_check_permission(context, 
+					   KADM5_PRIV_DELETE,
+					   princ);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_rename_principal(kadm_handle, princ, princ2);
+	krb5_free_principal(context->context, princ);
+	krb5_free_principal(context->context, princ2);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_chpass:{
+	op = "CHPASS";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_string(sp, &password);
+	if(ret){
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+
+	/*
+	 * The change is allowed if at least one of:
+	 * a) it's for the principal him/herself and this was an initial ticket
+	 * b) the user is on the CPW ACL.
+	 */
+
+	if (initial
+	    && krb5_principal_compare (context->context, context->caller,
+				       princ))
+	    ret = 0;
+	else
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
+
+	if(ret) {
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_chpass_principal(kadm_handle, princ, password);
+	krb5_free_principal(context->context, princ);
+	memset(password, 0, strlen(password));
+	free(password);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_chpass_with_key:{
+	int i;
+	krb5_key_data *key_data;
+	int n_key_data;
+
+	op = "CHPASS_WITH_KEY";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	ret = krb5_ret_int32(sp, &n_key_data);
+	if (ret) {
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+
+	key_data = malloc (n_key_data * sizeof(*key_data));
+	if (key_data == NULL) {
+	    ret = ENOMEM;
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+
+	for (i = 0; i < n_key_data; ++i) {
+	    ret = kadm5_ret_key_data (sp, &key_data[i]);
+	    if (ret) {
+		int16_t dummy = i;
+
+		kadm5_free_key_data (context, &dummy, key_data);
+		free (key_data);
+		krb5_free_principal(context->context, princ);
+		goto fail;
+	    }
+	}
+
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+
+	/*
+	 * The change is allowed if at least one of:
+	 * a) it's for the principal him/herself and this was an initial ticket
+	 * b) the user is on the CPW ACL.
+	 */
+
+	if (initial
+	    && krb5_principal_compare (context->context, context->caller,
+				       princ))
+	    ret = 0;
+	else
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
+
+	if(ret) {
+	    int16_t dummy = n_key_data;
+
+	    kadm5_free_key_data (context, &dummy, key_data);
+	    free (key_data);
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_chpass_principal_with_key(kadm_handle, princ,
+					      n_key_data, key_data);
+	{
+	    int16_t dummy = n_key_data;
+	    kadm5_free_key_data (context, &dummy, key_data);
+	}
+	free (key_data);
+	krb5_free_principal(context->context, princ);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	break;
+    }
+    case kadm_randkey:{
+	op = "RANDKEY";
+	ret = krb5_ret_principal(sp, &princ);
+	if(ret)
+	    goto fail;
+	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	/*
+	 * The change is allowed if at least one of:
+	 * a) it's for the principal him/herself and this was an initial ticket
+	 * b) the user is on the CPW ACL.
+	 */
+
+	if (initial
+	    && krb5_principal_compare (context->context, context->caller,
+				       princ))
+	    ret = 0;
+	else
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
+
+	if(ret) {
+	    krb5_free_principal(context->context, princ);
+	    goto fail;
+	}
+	ret = kadm5_randkey_principal(kadm_handle, princ, 
+				      &new_keys, &n_keys);
+	krb5_free_principal(context->context, princ);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	if(ret == 0){
+	    int i;
+	    krb5_store_int32(sp, n_keys);
+	    for(i = 0; i < n_keys; i++){
+		krb5_store_keyblock(sp, new_keys[i]);
+		krb5_free_keyblock_contents(context->context, &new_keys[i]);
+	    }
+	}
+	break;
+    }
+    case kadm_get_privs:{
+	ret = kadm5_get_privs(kadm_handle, &mask);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	if(ret == 0)
+	    krb5_store_int32(sp, mask);
+	break;
+    }
+    case kadm_get_princs:{
+	op = "LIST";
+	ret = krb5_ret_int32(sp, &tmp);
+	if(ret)
+	    goto fail;
+	if(tmp){
+	    ret = krb5_ret_string(sp, &exp);
+	    if(ret)
+		goto fail;
+	}else
+	    exp = NULL;
+	krb5_warnx(context->context, "%s: %s %s", client, op, exp ? exp : "*");
+	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST, NULL);
+	if(ret){
+	    free(exp);
+	    goto fail;
+	}
+	ret = kadm5_get_principals(kadm_handle, exp, &princs, &n_princs);
+	free(exp);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, ret);
+	if(ret == 0){
+	    int i;
+	    krb5_store_int32(sp, n_princs);
+	    for(i = 0; i < n_princs; i++)
+		krb5_store_string(sp, princs[i]);
+	    kadm5_free_name_list(kadm_handle, princs, &n_princs);
+	}
+	break;
+    }
+    default:
+	krb5_warnx(context->context, "%s: UNKNOWN OP %d", client, cmd);
+	krb5_storage_free(sp);
+	sp = krb5_storage_emem();
+	krb5_store_int32(sp, KADM5_FAILURE);
+	break;
+    }
+    krb5_storage_to_data(sp, out);
+    krb5_storage_free(sp);
+    return 0;
+fail:
+    krb5_warn(context->context, ret, "%s", op);
+    sp->seek(sp, 0, SEEK_SET);
+    krb5_store_int32(sp, ret);
+    krb5_storage_to_data(sp, out);
+    krb5_storage_free(sp);
+    return 0;
+}
+
+static void
+v5_loop (krb5_context context,
+	 krb5_auth_context ac,
+	 krb5_boolean initial,
+	 void *kadm_handle,
+	 int fd)
+{
+    krb5_error_code ret;
+    krb5_data in, out;
+
+    for (;;) {
+	doing_useful_work = 0;
+	if(term_flag)
+	    exit(0);
+	ret = krb5_read_priv_message(context, ac, &fd, &in);
+	if(ret == HEIM_ERR_EOF)
+	    exit(0);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_read_priv_message");
+	doing_useful_work = 1;
+	kadmind_dispatch(kadm_handle, initial, &in, &out);
+	krb5_data_free(&in);
+	ret = krb5_write_priv_message(context, ac, &fd, &out);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_write_priv_message");
+    }
+}
+
+static krb5_boolean
+match_appl_version(void *data, const char *appl_version)
+{
+    unsigned minor;
+    if(sscanf(appl_version, "KADM0.%u", &minor) != 1)
+	return 0;
+    *(unsigned*)data = minor;
+    return 1;
+}
+
+static void
+handle_v5(krb5_context context,
+	  krb5_auth_context ac,
+	  krb5_keytab keytab,
+	  int len,
+	  int fd)
+{
+    krb5_error_code ret;
+    u_char version[sizeof(KRB5_SENDAUTH_VERSION)];
+    krb5_ticket *ticket;
+    char *server_name;
+    char *client;
+    void *kadm_handle;
+    ssize_t n;
+    krb5_boolean initial;
+
+    unsigned kadm_version;
+    kadm5_config_params realm_params;
+
+    if (len != sizeof(KRB5_SENDAUTH_VERSION))
+	krb5_errx(context, 1, "bad sendauth len %d", len);
+    n = krb5_net_read(context, &fd, version, len);
+    if (n < 0)
+	krb5_err (context, 1, errno, "reading sendauth version");
+    if (n == 0)
+	krb5_errx (context, 1, "EOF reading sendauth version");
+    if(memcmp(version, KRB5_SENDAUTH_VERSION, len) != 0)
+	krb5_errx(context, 1, "bad sendauth version %.8s", version);
+	
+    ret = krb5_recvauth_match_version(context, &ac, &fd, 
+				      match_appl_version, &kadm_version,
+				      NULL, KRB5_RECVAUTH_IGNORE_VERSION, 
+				      keytab, &ticket);
+    if(ret == KRB5_KT_NOTFOUND)
+	krb5_errx(context, 1, "krb5_recvauth: key no found");
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_recvauth");
+
+    ret = krb5_unparse_name (context, ticket->server, &server_name);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_unparse_name");
+
+    if (strncmp (server_name, KADM5_ADMIN_SERVICE,
+		 strlen(KADM5_ADMIN_SERVICE)) != 0)
+	krb5_errx (context, 1, "ticket for strange principal (%s)",
+		   server_name);
+
+    free (server_name);
+
+    memset(&realm_params, 0, sizeof(realm_params));
+
+    if(kadm_version == 1) {
+	krb5_data params;
+	ret = krb5_read_priv_message(context, ac, &fd, &params);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_read_priv_message");
+	_kadm5_unmarshal_params(context, &params, &realm_params);
+    }
+
+    initial = ticket->ticket.flags.initial;
+    ret = krb5_unparse_name(context, ticket->client, &client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_unparse_name");
+    krb5_free_ticket (context, ticket);
+    ret = kadm5_init_with_password_ctx(context, 
+				       client, 
+				       NULL,
+				       KADM5_ADMIN_SERVICE,
+				       &realm_params, 
+				       0, 0, 
+				       &kadm_handle);
+    if(ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+    v5_loop (context, ac, initial, kadm_handle, fd);
+}
+
+krb5_error_code
+kadmind_loop(krb5_context context,
+	     krb5_auth_context ac,
+	     krb5_keytab keytab, 
+	     int fd)
+{
+    unsigned char tmp[4];
+    ssize_t n;
+    unsigned long len;
+
+    n = krb5_net_read(context, &fd, tmp, 4);
+    if(n == 0)
+	exit(0);
+    if(n < 0)
+	krb5_err(context, 1, errno, "read");
+    _krb5_get_int(tmp, &len, 4);
+    if(len > 0xffff && (len & 0xffff) == ('K' << 8) + 'A') {
+	len >>= 16;
+#ifdef KRB4
+	handle_v4(context, keytab, len, fd);
+#else
+	krb5_errx(context, 1, "packet appears to be version 4");
+#endif
+    } else {
+	handle_v5(context, ac, keytab, len, fd);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/util.c b/crypto/heimdal/kadmin/util.c
new file mode 100644
index 0000000..4a5e1c0
--- /dev/null
+++ b/crypto/heimdal/kadmin/util.c
@@ -0,0 +1,592 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadmin_locl.h"
+#include <parse_units.h>
+
+RCSID("$Id: util.c,v 1.32 2001/05/14 06:17:20 assar Exp $");
+
+/*
+ * util.c - functions for parsing, unparsing, and editing different
+ * types of data used in kadmin.
+ */
+
+/*
+ * attributes 
+ */
+
+struct units kdb_attrs[] = {
+    { "new-princ",		KRB5_KDB_NEW_PRINC },
+    { "support-desmd5",		KRB5_KDB_SUPPORT_DESMD5 },
+    { "pwchange-service",	KRB5_KDB_PWCHANGE_SERVICE },
+    { "disallow-svr",		KRB5_KDB_DISALLOW_SVR },
+    { "requires-pw-change",	KRB5_KDB_REQUIRES_PWCHANGE },
+    { "requires-hw-auth",	KRB5_KDB_REQUIRES_HW_AUTH },
+    { "requires-pre-auth",	KRB5_KDB_REQUIRES_PRE_AUTH },
+    { "disallow-all-tix",	KRB5_KDB_DISALLOW_ALL_TIX },
+    { "disallow-dup-skey",	KRB5_KDB_DISALLOW_DUP_SKEY },
+    { "disallow-proxiable",	KRB5_KDB_DISALLOW_PROXIABLE },
+    { "disallow-renewable",	KRB5_KDB_DISALLOW_RENEWABLE },
+    { "disallow-tgt-based",	KRB5_KDB_DISALLOW_TGT_BASED },
+    { "disallow-forwardable",	KRB5_KDB_DISALLOW_FORWARDABLE },
+    { "disallow-postdated",	KRB5_KDB_DISALLOW_POSTDATED },
+    { NULL }
+};
+
+/*
+ * convert the attributes in `attributes' into a printable string
+ * in `str, len'
+ */
+
+void
+attributes2str(krb5_flags attributes, char *str, size_t len)
+{
+    unparse_flags (attributes, kdb_attrs, str, len);
+}
+
+/*
+ * convert the string in `str' into attributes in `flags'
+ * return 0 if parsed ok, else -1.
+ */
+
+int
+str2attributes(const char *str, krb5_flags *flags)
+{
+    int res;
+
+    res = parse_flags (str, kdb_attrs, *flags);
+    if (res < 0)
+	return res;
+    else {
+	*flags = res;
+	return 0;
+    }
+}
+
+/*
+ * try to parse the string `resp' into attributes in `attr', also
+ * setting the `bit' in `mask' if attributes are given and valid.
+ */
+
+int
+parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit)
+{
+    krb5_flags tmp = *attr;
+
+    if (str2attributes(resp, &tmp) == 0) {
+	*attr = tmp;
+	if (mask)
+	    *mask |= bit;
+	return 0;
+    } else if(*resp == '?') {
+	print_flags_table (kdb_attrs, stderr);
+    } else {
+	fprintf (stderr, "Unable to parse '%s'\n", resp);
+    }
+    return -1;
+}
+
+/*
+ * allow the user to edit the attributes in `attr', prompting with `prompt'
+ */
+
+int
+edit_attributes (const char *prompt, krb5_flags *attr, int *mask, int bit)
+{
+    char buf[1024], resp[1024];
+
+    if (mask && (*mask & bit))
+	return 0;
+
+    attributes2str(*attr, buf, sizeof(buf));
+    for (;;) {
+	get_response("Attributes", buf, resp, sizeof(resp));
+	if (resp[0] == '\0')
+	    break;
+	if (parse_attributes (resp, attr, mask, bit) == 0)
+	    break;
+    }
+    return 0;
+}
+
+/*
+ * time_t
+ * the special value 0 means ``never''
+ */
+
+/*
+ * Convert the time `t' to a string representation in `str' (of max
+ * size `len').  If include_time also include time, otherwise just
+ * date.  
+ */
+
+void
+time_t2str(time_t t, char *str, size_t len, int include_time)
+{
+    if(t) {
+	if(include_time)
+	    strftime(str, len, "%Y-%m-%d %H:%M:%S UTC", gmtime(&t));
+	else
+	    strftime(str, len, "%Y-%m-%d", gmtime(&t));
+    } else
+	snprintf(str, len, "never");
+}
+
+/*
+ * Convert the time representation in `str' to a time in `time'.
+ * Return 0 if succesful, else -1.
+ */
+
+int
+str2time_t (const char *str, time_t *t)
+{
+    const char *p;
+    struct tm tm, tm2;
+
+    memset (&tm, 0, sizeof (tm));
+
+    if(strcasecmp(str, "never") == 0) {
+	*t = 0;
+	return 0;
+    }
+
+    if(strcasecmp(str, "now") == 0) {
+	*t = time(NULL);
+	return 0;
+    }
+
+    p = strptime (str, "%Y-%m-%d", &tm);
+
+    if (p == NULL)
+	return -1;
+
+    /* Do it on the end of the day */
+    tm2.tm_hour = 23;
+    tm2.tm_min  = 59;
+    tm2.tm_sec  = 59;
+
+    if(strptime (p, "%H:%M:%S", &tm2) != NULL) {
+	tm.tm_hour = tm2.tm_hour;
+	tm.tm_min  = tm2.tm_min;
+	tm.tm_sec  = tm2.tm_sec;
+    }
+
+    *t = tm2time (tm, 0);
+    return 0;
+}
+
+/*
+ * try to parse the time in `resp' storing it in `value'
+ */
+
+int
+parse_timet (const char *resp, krb5_timestamp *value, int *mask, int bit)
+{
+    time_t tmp;
+
+    if (str2time_t(resp, &tmp) == 0) {
+	*value = tmp;
+	if(mask)
+	    *mask |= bit;
+	return 0;
+    } else if(*resp == '?') {
+	printf ("Print date on format YYYY-mm-dd [hh:mm:ss]\n");
+    } else {
+	fprintf (stderr, "Unable to parse time '%s'\n", resp);
+    }
+    return -1;
+}
+
+/*
+ * allow the user to edit the time in `value'
+ */
+
+int
+edit_timet (const char *prompt, krb5_timestamp *value, int *mask, int bit)
+{
+    char buf[1024], resp[1024];
+
+    if (mask && (*mask & bit))
+	return 0;
+
+    time_t2str (*value, buf, sizeof (buf), 0);
+
+    for (;;) {
+	get_response(prompt, buf, resp, sizeof(resp));
+	if (parse_timet (resp, value, mask, bit) == 0)
+	    break;
+    }
+    return 0;
+}
+
+/*
+ * deltat
+ * the special value 0 means ``unlimited''
+ */
+
+/*
+ * convert the delta_t value in `t' into a printable form in `str, len'
+ */
+
+void
+deltat2str(unsigned t, char *str, size_t len)
+{
+    if(t == 0 || t == INT_MAX)
+	snprintf(str, len, "unlimited");
+    else
+	unparse_time(t, str, len);
+}
+
+/*
+ * parse the delta value in `str', storing result in `*delta'
+ * return 0 if ok, else -1
+ */
+
+int
+str2deltat(const char *str, krb5_deltat *delta)
+{
+    int res;
+
+    if(strcasecmp(str, "unlimited") == 0) {
+	*delta = 0;
+	return 0;
+    }
+    res = parse_time(str, "day");
+    if (res < 0)
+	return res;
+    else {
+	*delta = res;
+	return 0;
+    }
+}
+
+/*
+ * try to parse the string in `resp' into a deltad in `value'
+ * `mask' will get the bit `bit' set if a value was given.
+ */
+
+int
+parse_deltat (const char *resp, krb5_deltat *value, int *mask, int bit)
+{
+    krb5_deltat tmp;
+
+    if (str2deltat(resp, &tmp) == 0) {
+	*value = tmp;
+	if (mask)
+	    *mask |= bit;
+	return 0;
+    } else if(*resp == '?') {
+	print_time_table (stderr);
+    } else {
+	fprintf (stderr, "Unable to parse time '%s'\n", resp);
+    }
+    return -1;
+}
+
+/*
+ * allow the user to edit the deltat in `value'
+ */
+
+int
+edit_deltat (const char *prompt, krb5_deltat *value, int *mask, int bit)
+{
+    char buf[1024], resp[1024];
+
+    if (mask && (*mask & bit))
+	return 0;
+
+    deltat2str(*value, buf, sizeof(buf));
+    for (;;) {
+	get_response(prompt, buf, resp, sizeof(resp));
+	if (parse_deltat (resp, value, mask, bit) == 0)
+	    break;
+    }
+    return 0;
+}
+
+/*
+ * allow the user to edit `ent'
+ */
+
+int
+edit_entry(kadm5_principal_ent_t ent, int *mask,
+	   kadm5_principal_ent_t default_ent, int default_mask)
+{
+    if (default_ent
+	&& (default_mask & KADM5_MAX_LIFE)
+	&& !(*mask & KADM5_MAX_LIFE))
+	ent->max_life = default_ent->max_life;
+    edit_deltat ("Max ticket life", &ent->max_life, mask,
+		 KADM5_MAX_LIFE);
+
+    if (default_ent
+	&& (default_mask & KADM5_MAX_RLIFE)
+	&& !(*mask & KADM5_MAX_RLIFE))
+	ent->max_renewable_life = default_ent->max_renewable_life;
+    edit_deltat ("Max renewable life", &ent->max_renewable_life, mask,
+		 KADM5_MAX_RLIFE);
+
+    if (default_ent
+	&& (default_mask & KADM5_PRINC_EXPIRE_TIME)
+	&& !(*mask & KADM5_PRINC_EXPIRE_TIME))
+	ent->princ_expire_time = default_ent->princ_expire_time;
+    edit_timet ("Principal expiration time", &ent->princ_expire_time, mask,
+	       KADM5_PRINC_EXPIRE_TIME);
+
+    if (default_ent
+	&& (default_mask & KADM5_PW_EXPIRATION)
+	&& !(*mask & KADM5_PW_EXPIRATION))
+	ent->pw_expiration = default_ent->pw_expiration;
+    edit_timet ("Password expiration time", &ent->pw_expiration, mask,
+	       KADM5_PW_EXPIRATION);
+
+    if (default_ent
+	&& (default_mask & KADM5_ATTRIBUTES)
+	&& !(*mask & KADM5_ATTRIBUTES))
+	ent->attributes = default_ent->attributes & ~KRB5_KDB_DISALLOW_ALL_TIX;
+    edit_attributes ("Attributes", &ent->attributes, mask,
+		     KADM5_ATTRIBUTES);
+    return 0;
+}
+
+/*
+ * Parse the arguments, set the fields in `ent' and the `mask' for the
+ * entries having been set.
+ * Return 1 on failure and 0 on success.
+ */
+
+int
+set_entry(krb5_context context,
+	  kadm5_principal_ent_t ent,
+	  int *mask,
+	  const char *max_ticket_life,
+	  const char *max_renewable_life,
+	  const char *expiration,
+	  const char *pw_expiration,
+	  const char *attributes)
+{
+    if (max_ticket_life != NULL) {
+	if (parse_deltat (max_ticket_life, &ent->max_life, 
+			  mask, KADM5_MAX_LIFE)) {
+	    krb5_warnx (context, "unable to parse `%s'", max_ticket_life);
+	    return 1;
+	}
+    }
+    if (max_renewable_life != NULL) {
+	if (parse_deltat (max_renewable_life, &ent->max_renewable_life, 
+			  mask, KADM5_MAX_RLIFE)) {
+	    krb5_warnx (context, "unable to parse `%s'", max_renewable_life);
+	    return 1;
+	}
+    }
+
+    if (expiration) {
+	if (parse_timet (expiration, &ent->princ_expire_time, 
+			mask, KADM5_PRINC_EXPIRE_TIME)) {
+	    krb5_warnx (context, "unable to parse `%s'", expiration);
+	    return 1;
+	}
+    }
+    if (pw_expiration) {
+	if (parse_timet (pw_expiration, &ent->pw_expiration, 
+			 mask, KADM5_PW_EXPIRATION)) {
+	    krb5_warnx (context, "unable to parse `%s'", pw_expiration);
+	    return 1;
+	}
+    }
+    if (attributes != NULL) {
+	if (parse_attributes (attributes, &ent->attributes, 
+			      mask, KADM5_ATTRIBUTES)) {
+	    krb5_warnx (context, "unable to parse `%s'", attributes);
+	    return 1;
+	}
+    }
+    return 0;
+}
+
+/*
+ * Does `string' contain any globing characters?
+ */
+
+static int
+is_expression(const char *string)
+{
+    const char *p;
+    int quote = 0;
+
+    for(p = string; *p; p++) {
+	if(quote) {
+	    quote = 0;
+	    continue;
+	}
+	if(*p == '\\')
+	    quote++;
+	else if(strchr("[]*?", *p) != NULL) 
+	    return 1;
+    }
+    return 0;
+}
+
+/* loop over all principals matching exp */
+int
+foreach_principal(const char *exp, 
+		  int (*func)(krb5_principal, void*), 
+		  const char *funcname,
+		  void *data)
+{
+    char **princs;
+    int num_princs;
+    int i;
+    krb5_error_code ret;
+    krb5_principal princ_ent;
+    int is_expr;
+
+    /* if this isn't an expression, there is no point in wading
+       through the whole database looking for matches */
+    is_expr = is_expression(exp);
+    if(is_expr)
+	ret = kadm5_get_principals(kadm_handle, exp, &princs, &num_princs);
+    if(!is_expr || ret == KADM5_AUTH_LIST) {
+	/* we might be able to perform the requested opreration even
+           if we're not allowed to list principals */
+	num_princs = 1;
+	princs = malloc(sizeof(*princs));
+	if(princs == NULL)
+	    return ENOMEM;
+	princs[0] = strdup(exp);
+	if(princs[0] == NULL){ 
+	    free(princs);
+	    return ENOMEM;
+	}
+    } else if(ret) {
+	krb5_warn(context, ret, "kadm5_get_principals");
+	return ret;
+    }
+    for(i = 0; i < num_princs; i++) {
+	ret = krb5_parse_name(context, princs[i], &princ_ent);
+	if(ret){
+	    krb5_warn(context, ret, "krb5_parse_name(%s)", princs[i]);
+	    continue;
+	}
+	ret = (*func)(princ_ent, data);
+	if(ret)
+	    krb5_warn(context, ret, "%s %s", funcname, princs[i]);
+	krb5_free_principal(context, princ_ent);
+    }
+    kadm5_free_name_list(kadm_handle, princs, &num_princs);
+    return 0;
+}
+
+/*
+ * prompt with `prompt' and default value `def', and store the reply
+ * in `buf, len'
+ */
+
+void
+get_response(const char *prompt, const char *def, char *buf, size_t len)
+{
+    char *p;
+
+    printf("%s [%s]:", prompt, def);
+    if(fgets(buf, len, stdin) == NULL)
+	*buf = '\0';
+    p = strchr(buf, '\n');
+    if(p)
+	*p = '\0';
+    if(strcmp(buf, "") == 0)
+	strncpy(buf, def, len);
+    buf[len-1] = 0;
+}
+
+/*
+ * return [0, 16) or -1
+ */
+
+static int
+hex2n (char c)
+{
+    static char hexdigits[] = "0123456789abcdef";
+    const char *p;
+
+    p = strchr (hexdigits, tolower((int)c));
+    if (p == NULL)
+	return -1;
+    else
+	return p - hexdigits;
+}
+
+/*
+ * convert a key in a readable format into a keyblock.
+ * return 0 iff succesful, otherwise `err' should point to an error message
+ */
+
+int
+parse_des_key (const char *key_string, krb5_key_data *key_data,
+	       const char **err)
+{
+    const char *p = key_string;
+    unsigned char bits[8];
+    int i;
+
+    if (strlen (key_string) != 16) {
+	*err = "bad length, should be 16 for DES key";
+	return 1;
+    }
+    for (i = 0; i < 8; ++i) {
+	int d1, d2;
+
+	d1 = hex2n(p[2 * i]);
+	d2 = hex2n(p[2 * i + 1]);
+	if (d1 < 0 || d2 < 0) {
+	    *err = "non-hex character";
+	    return 1;
+	}
+	bits[i] = (d1 << 4) | d2;
+    }
+    for (i = 0; i < 3; ++i) {
+	key_data[i].key_data_ver  = 2;
+	key_data[i].key_data_kvno = 0;
+	/* key */
+	key_data[i].key_data_type[0]     = ETYPE_DES_CBC_CRC;
+	key_data[i].key_data_length[0]   = 8;
+	key_data[i].key_data_contents[0] = malloc(8);
+	memcpy (key_data[i].key_data_contents[0], bits, 8);
+	/* salt */
+	key_data[i].key_data_type[1]     = KRB5_PW_SALT;
+	key_data[i].key_data_length[1]   = 0;
+	key_data[i].key_data_contents[1] = NULL;
+    }
+    key_data[0].key_data_type[0] = ETYPE_DES_CBC_MD5;
+    key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4;
+    return 0;
+}
diff --git a/crypto/heimdal/kadmin/version4.c b/crypto/heimdal/kadmin/version4.c
new file mode 100644
index 0000000..e4ebce7
--- /dev/null
+++ b/crypto/heimdal/kadmin/version4.c
@@ -0,0 +1,1006 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "kadmin_locl.h"
+#include <krb5-private.h>
+
+#define Principal krb4_Principal
+#define kadm_get krb4_kadm_get
+#undef ALLOC
+#include <krb.h>
+#include <kadm.h>
+#include <krb_err.h>
+#include <kadm_err.h>
+
+RCSID("$Id: version4.c,v 1.24 2001/01/29 08:40:45 assar Exp $");
+
+#define KADM_NO_OPCODE -1
+#define KADM_NO_ENCRYPT -2
+
+/*
+ * make an error packet if we fail encrypting
+ */
+
+static void
+make_you_loose_packet(int code, krb5_data *reply)
+{
+    krb5_data_alloc(reply, KADM_VERSIZE + 4);
+    memcpy(reply->data, KADM_ULOSE, KADM_VERSIZE);
+    _krb5_put_int((char*)reply->data + KADM_VERSIZE, code, 4);
+}
+
+static int
+ret_fields(krb5_storage *sp, char *fields)
+{
+    return sp->fetch(sp, fields, FLDSZ);
+}
+
+static int
+store_fields(krb5_storage *sp, char *fields)
+{
+    return sp->store(sp, fields, FLDSZ);
+}
+
+static void
+ret_vals(krb5_storage *sp, Kadm_vals *vals)
+{
+    int field;
+    char *tmp_string;
+
+    memset(vals, 0, sizeof(*vals));
+    
+    ret_fields(sp, vals->fields);
+    
+    for(field = 31; field >= 0; field--) {
+	if(IS_FIELD(field, vals->fields)) {
+	    switch(field) {
+	    case KADM_NAME:
+		krb5_ret_stringz(sp, &tmp_string);
+		strlcpy(vals->name, tmp_string, sizeof(vals->name));
+		free(tmp_string);
+		break;
+	    case KADM_INST:
+		krb5_ret_stringz(sp, &tmp_string);
+		strlcpy(vals->instance, tmp_string, 
+				sizeof(vals->instance));
+		free(tmp_string);
+		break;
+	    case KADM_EXPDATE:
+		krb5_ret_int32(sp, &vals->exp_date);
+		break;
+	    case KADM_ATTR:
+		krb5_ret_int16(sp, &vals->attributes);
+		break;
+	    case KADM_MAXLIFE:
+		krb5_ret_int8(sp, &vals->max_life);
+		break;
+	    case KADM_DESKEY:
+		krb5_ret_int32(sp, &vals->key_high);
+		krb5_ret_int32(sp, &vals->key_low);
+		break;
+#ifdef EXTENDED_KADM
+	    case KADM_MODDATE:
+		krb5_ret_int32(sp, &vals->mod_date);
+		break;
+	    case KADM_MODNAME:
+		krb5_ret_stringz(sp, &tmp_string);
+		strlcpy(vals->mod_name, tmp_string, 
+				sizeof(vals->mod_name));
+		free(tmp_string);
+		break;
+	    case KADM_MODINST:
+		krb5_ret_stringz(sp, &tmp_string);
+		strlcpy(vals->mod_instance, tmp_string, 
+				sizeof(vals->mod_instance));
+		free(tmp_string);
+		break;
+	    case KADM_KVNO:
+		krb5_ret_int8(sp, &vals->key_version);
+		break;
+#endif
+	    default:
+		break;
+	    }
+	}
+    }
+}
+
+static void
+store_vals(krb5_storage *sp, Kadm_vals *vals)
+{
+    int field;
+    
+    store_fields(sp, vals->fields);
+
+    for(field = 31; field >= 0; field--) {
+	if(IS_FIELD(field, vals->fields)) {
+	    switch(field) {
+	    case KADM_NAME:
+		krb5_store_stringz(sp, vals->name);
+		break;
+	    case KADM_INST:
+		krb5_store_stringz(sp, vals->instance);
+		break;
+	    case KADM_EXPDATE:
+		krb5_store_int32(sp, vals->exp_date);
+		break;
+	    case KADM_ATTR:
+		krb5_store_int16(sp, vals->attributes);
+		break;
+	    case KADM_MAXLIFE:
+		krb5_store_int8(sp, vals->max_life);
+		break;
+	    case KADM_DESKEY:
+		krb5_store_int32(sp, vals->key_high);
+		krb5_store_int32(sp, vals->key_low);
+		break;
+#ifdef EXTENDED_KADM
+	    case KADM_MODDATE:
+		krb5_store_int32(sp, vals->mod_date);
+		break;
+	    case KADM_MODNAME:
+		krb5_store_stringz(sp, vals->mod_name);
+		break;
+	    case KADM_MODINST:
+		krb5_store_stringz(sp, vals->mod_instance);
+		break;
+	    case KADM_KVNO:
+		krb5_store_int8(sp, vals->key_version);
+		break;
+#endif
+	    default:
+		break;
+	    }
+	}
+    }
+}
+
+static int
+flags_4_to_5(char *flags)
+{
+    int i;
+    int32_t mask = 0;
+    for(i = 31; i >= 0; i--) {
+	if(IS_FIELD(i, flags))
+	    switch(i) {
+	    case KADM_NAME:
+	    case KADM_INST:
+		mask |= KADM5_PRINCIPAL;
+	    case KADM_EXPDATE:
+		mask |= KADM5_PRINC_EXPIRE_TIME;
+	    case KADM_MAXLIFE:
+		mask |= KADM5_MAX_LIFE;
+#ifdef EXTENDED_KADM
+	    case KADM_KVNO:
+		mask |= KADM5_KEY_DATA;
+	    case KADM_MODDATE:
+		mask |= KADM5_MOD_TIME;
+	    case KADM_MODNAME:
+	    case KADM_MODINST:
+		mask |= KADM5_MOD_NAME;
+#endif
+	    }
+    }
+    return mask;
+}
+
+static void
+ent_to_values(krb5_context context,
+	      kadm5_principal_ent_t ent,
+	      int32_t mask,
+	      Kadm_vals *vals)
+{
+    krb5_error_code ret;
+    char realm[REALM_SZ];
+    time_t exp = 0;
+
+    memset(vals, 0, sizeof(*vals));
+    if(mask & KADM5_PRINCIPAL) {
+	ret = krb5_524_conv_principal(context, ent->principal, 
+				      vals->name, vals->instance, realm);
+	SET_FIELD(KADM_NAME, vals->fields);
+	SET_FIELD(KADM_INST, vals->fields);
+    }
+    if(mask & KADM5_PRINC_EXPIRE_TIME) {
+	if(ent->princ_expire_time != 0)
+	    exp = ent->princ_expire_time;
+    }
+    if(mask & KADM5_PW_EXPIRATION) {
+	if(ent->pw_expiration != 0 && (exp == 0 || exp > ent->pw_expiration))
+	    exp = ent->pw_expiration;
+    }
+    if(exp) {
+	vals->exp_date = exp;
+	SET_FIELD(KADM_EXPDATE, vals->fields);
+    }
+    if(mask & KADM5_MAX_LIFE) {
+	if(ent->max_life == 0)
+	    vals->max_life = 255;
+	else
+	    vals->max_life = krb_time_to_life(0, ent->max_life);
+	SET_FIELD(KADM_MAXLIFE, vals->fields);
+    }
+    if(mask & KADM5_KEY_DATA) {
+	if(ent->n_key_data > 0) {
+#ifdef EXTENDED_KADM
+	vals->key_version = ent->key_data[0].key_data_kvno;
+	SET_FIELD(KADM_KVNO, vals->fields);
+#endif
+	}
+	/* XXX the key itself? */
+    }
+#ifdef EXTENDED_KADM
+    if(mask & KADM5_MOD_TIME) {
+	vals->mod_date = ent->mod_date;
+	SET_FIELD(KADM_MODDATE, vals->fields);
+    }
+    if(mask & KADM5_MOD_NAME) {
+	krb5_524_conv_principal(context, ent->mod_name, 
+				vals->mod_name, vals->mod_instance, realm);
+	SET_FIELD(KADM_MODNAME, vals->fields);
+	SET_FIELD(KADM_MODINST, vals->fields);
+    }
+#endif
+}
+
+/*
+ * convert the kadm4 values in `vals' to `ent' (and `mask')
+ */
+
+static krb5_error_code
+values_to_ent(krb5_context context,
+	      Kadm_vals *vals, 
+	      kadm5_principal_ent_t ent,
+	      int32_t *mask)
+{
+    krb5_error_code ret;
+    *mask = 0;
+    memset(ent, 0, sizeof(*ent));
+    
+    if(IS_FIELD(KADM_NAME, vals->fields)) {
+	char *inst = NULL;
+	if(IS_FIELD(KADM_INST, vals->fields))
+	    inst = vals->instance;
+	ret = krb5_425_conv_principal(context, 
+				      vals->name,
+				      inst,
+				      NULL,
+				      &ent->principal);
+	if(ret)
+	    return ret;
+	*mask |= KADM5_PRINCIPAL;
+    }
+    if(IS_FIELD(KADM_EXPDATE, vals->fields)) {
+	ent->princ_expire_time = vals->exp_date;
+	*mask |= KADM5_PRINC_EXPIRE_TIME;
+    }
+    if(IS_FIELD(KADM_MAXLIFE, vals->fields)) {
+	ent->max_life = krb_life_to_time(0, vals->max_life);
+	*mask |= KADM5_MAX_LIFE;
+    }
+    
+    if(IS_FIELD(KADM_DESKEY, vals->fields)) {
+	int i;
+	ent->key_data = calloc(3, sizeof(*ent->key_data));
+	if(ent->key_data == NULL)
+	    return ENOMEM;
+	for(i = 0; i < 3; i++) {
+	    u_int32_t key_low, key_high;
+
+	    ent->key_data[i].key_data_ver = 2;
+#ifdef EXTENDED_KADM
+	    if(IS_FIELD(KADM_KVNO, vals->fields))
+		ent->key_data[i].key_data_kvno = vals->key_version;
+#endif
+	    ent->key_data[i].key_data_type[0] = ETYPE_DES_CBC_MD5;
+	    ent->key_data[i].key_data_length[0] = 8;
+	    if((ent->key_data[i].key_data_contents[0] = malloc(8)) == NULL)
+		return ENOMEM;
+
+	    key_low  = ntohl(vals->key_low);
+	    key_high = ntohl(vals->key_high);
+	    memcpy(ent->key_data[i].key_data_contents[0],
+		   &key_low, 4);
+	    memcpy((char*)ent->key_data[i].key_data_contents[0] + 4,
+		   &key_high, 4);
+	    ent->key_data[i].key_data_type[1] = KRB5_PW_SALT;
+	    ent->key_data[i].key_data_length[1] = 0;
+	    ent->key_data[i].key_data_contents[1] = NULL;
+	}
+	ent->key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4;
+	ent->key_data[2].key_data_type[0] = ETYPE_DES_CBC_CRC;
+	ent->n_key_data = 3;
+	*mask |= KADM5_KEY_DATA;
+    }
+    
+#ifdef EXTENDED_KADM
+    if(IS_FIELD(KADM_MODDATE, vals->fields)) {
+	ent->mod_date = vals->mod_date;
+	*mask |= KADM5_MOD_TIME;
+    }
+    if(IS_FIELD(KADM_MODNAME, vals->fields)) {
+	char *inst = NULL;
+	if(IS_FIELD(KADM_MODINST, vals->fields))
+	    inst = vals->mod_instance;
+	ret = krb5_425_conv_principal(context, 
+				      vals->mod_name,
+				      inst,
+				      NULL,
+				      &ent->mod_name);
+	if(ret)
+	    return ret;
+	*mask |= KADM5_MOD_NAME;
+    }
+#endif
+    return 0;
+}
+
+/*
+ * Try to translate a KADM5 error code into a v4 kadmin one.
+ */
+
+static int
+error_code(int ret)
+{
+    switch (ret) {
+    case 0:
+	return 0;
+    case KADM5_FAILURE :
+    case KADM5_AUTH_GET :
+    case KADM5_AUTH_ADD :
+    case KADM5_AUTH_MODIFY :
+    case KADM5_AUTH_DELETE :
+    case KADM5_AUTH_INSUFFICIENT :
+	return KADM_UNAUTH;
+    case KADM5_BAD_DB :
+	return KADM_UK_RERROR;
+    case KADM5_DUP :
+	return KADM_INUSE;
+    case KADM5_RPC_ERROR :
+    case KADM5_NO_SRV :
+	return KADM_NO_SERV;
+    case KADM5_NOT_INIT :
+	return KADM_NO_CONN;
+    case KADM5_UNK_PRINC :
+	return KADM_NOENTRY;
+    case KADM5_PASS_Q_TOOSHORT :
+#ifdef KADM_PASS_Q_TOOSHORT
+	return KADM_PASS_Q_TOOSHORT;
+#else
+	return KADM_INSECURE_PW;
+#endif
+    case KADM5_PASS_Q_CLASS :
+#ifdef KADM_PASS_Q_CLASS
+	return KADM_PASS_Q_CLASS;
+#else
+	return KADM_INSECURE_PW;
+#endif
+    case KADM5_PASS_Q_DICT :
+#ifdef KADM_PASS_Q_DICT
+	return KADM_PASS_Q_DICT;
+#else
+	return KADM_INSECURE_PW;
+#endif
+    case KADM5_PASS_REUSE :
+    case KADM5_PASS_TOOSOON :
+    case KADM5_BAD_PASSWORD :
+	return KADM_INSECURE_PW;
+    case KADM5_PROTECT_PRINCIPAL :
+	return KADM_IMMUTABLE;
+    case KADM5_POLICY_REF :
+    case KADM5_INIT :
+    case KADM5_BAD_HIST_KEY :
+    case KADM5_UNK_POLICY :
+    case KADM5_BAD_MASK :
+    case KADM5_BAD_CLASS :
+    case KADM5_BAD_LENGTH :
+    case KADM5_BAD_POLICY :
+    case KADM5_BAD_PRINCIPAL :
+    case KADM5_BAD_AUX_ATTR :
+    case KADM5_BAD_HISTORY :
+    case KADM5_BAD_MIN_PASS_LIFE :
+    case KADM5_BAD_SERVER_HANDLE :
+    case KADM5_BAD_STRUCT_VERSION :
+    case KADM5_OLD_STRUCT_VERSION :
+    case KADM5_NEW_STRUCT_VERSION :
+    case KADM5_BAD_API_VERSION :
+    case KADM5_OLD_LIB_API_VERSION :
+    case KADM5_OLD_SERVER_API_VERSION :
+    case KADM5_NEW_LIB_API_VERSION :
+    case KADM5_NEW_SERVER_API_VERSION :
+    case KADM5_SECURE_PRINC_MISSING :
+    case KADM5_NO_RENAME_SALT :
+    case KADM5_BAD_CLIENT_PARAMS :
+    case KADM5_BAD_SERVER_PARAMS :
+    case KADM5_AUTH_LIST :
+    case KADM5_AUTH_CHANGEPW :
+    case KADM5_BAD_TL_TYPE :
+    case KADM5_MISSING_CONF_PARAMS :
+    case KADM5_BAD_SERVER_NAME :
+    default :
+	return KADM_UNAUTH;	/* XXX */
+    }
+}
+
+/*
+ * server functions
+ */
+
+static int
+kadm_ser_cpw(krb5_context context,
+	     void *kadm_handle, 
+	     krb5_principal principal, 
+	     const char *principal_string,
+	     krb5_storage *message,
+	     krb5_storage *reply)
+{
+    char key[8];
+    char *password = NULL;
+    krb5_error_code ret;
+    
+    krb5_warnx(context, "v4-compat %s: CHPASS %s",
+	       principal_string, principal_string); 
+
+    ret = message->fetch(message, key + 4, 4);
+    ret = message->fetch(message, key, 4);
+    ret = krb5_ret_stringz(message, &password);
+    
+    if(password) {
+	krb5_data pwd_data;
+	const char *tmp;
+
+	pwd_data.data   = password;
+	pwd_data.length = strlen(password);
+
+	tmp = kadm5_check_password_quality (context, principal, &pwd_data);
+
+	if (tmp != NULL) {
+	    krb5_store_stringz (reply, (char *)tmp);
+	    ret = KADM5_PASS_Q_DICT;
+	    goto fail;
+	}
+	ret = kadm5_chpass_principal(kadm_handle, principal, password);
+    } else {
+	krb5_key_data key_data[3];
+	int i;
+	for(i = 0; i < 3; i++) {
+	    key_data[i].key_data_ver = 2;
+	    key_data[i].key_data_kvno = 0;
+	    /* key */
+	    key_data[i].key_data_type[0] = ETYPE_DES_CBC_CRC;
+	    key_data[i].key_data_length[0] = 8;
+	    key_data[i].key_data_contents[0] = malloc(8);
+	    memcpy(key_data[i].key_data_contents[0], &key, 8);
+	    /* salt */
+	    key_data[i].key_data_type[1] = KRB5_PW_SALT;
+	    key_data[i].key_data_length[1] = 0;
+	    key_data[i].key_data_contents[1] = NULL;
+	}
+	key_data[0].key_data_type[0] = ETYPE_DES_CBC_MD5;
+	key_data[1].key_data_type[0] = ETYPE_DES_CBC_MD4;
+	ret = kadm5_s_chpass_principal_with_key(kadm_handle, 
+						principal, 3, key_data);
+    }
+
+    if(ret != 0) {
+	krb5_store_stringz(reply, (char*)krb5_get_err_text(context, ret));
+	goto fail;
+    }
+    return 0;
+fail:
+    krb5_warn(context, ret, "v4-compat CHPASS");
+    return error_code(ret);
+}
+
+static int
+kadm_ser_add(krb5_context context,
+	     void *kadm_handle, 
+	     krb5_principal principal, 
+	     const char *principal_string,
+	     krb5_storage *message,
+	     krb5_storage *reply)
+{
+    int32_t mask;
+    kadm5_principal_ent_rec ent, out;
+    Kadm_vals values;
+    krb5_error_code ret;
+    char name[128];
+
+    ret_vals(message, &values);
+
+    ret = values_to_ent(context, &values, &ent, &mask);
+    if(ret)
+	goto fail;
+
+    krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
+    krb5_warnx(context, "v4-compat %s: ADD %s",
+	       principal_string, name);
+
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_ADD,
+				       ent.principal);
+    if (ret)
+	goto fail;
+
+    ret = kadm5_s_create_principal_with_key(kadm_handle, &ent, mask);
+    if(ret) {
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	goto fail;
+    }
+
+    mask = KADM5_PRINCIPAL | KADM5_PRINC_EXPIRE_TIME | KADM5_MAX_LIFE |
+	KADM5_KEY_DATA | KADM5_MOD_TIME | KADM5_MOD_NAME;
+    
+    kadm5_get_principal(kadm_handle, ent.principal, &out, mask);
+    ent_to_values(context, &out, mask, &values);
+    kadm5_free_principal_ent(kadm_handle, &ent);
+    kadm5_free_principal_ent(kadm_handle, &out);
+    store_vals(reply, &values);
+    return 0;
+fail:
+    krb5_warn(context, ret, "v4-compat ADD");
+    return error_code(ret);
+}
+
+static int
+kadm_ser_get(krb5_context context,
+	     void *kadm_handle, 
+	     krb5_principal principal, 
+	     const char *principal_string,
+	     krb5_storage *message,
+	     krb5_storage *reply)
+{
+    krb5_error_code ret;
+    Kadm_vals values;
+    kadm5_principal_ent_rec ent, out;
+    int32_t mask;
+    char flags[FLDSZ];
+    char name[128];
+
+    ret_vals(message, &values);
+    /* XXX BRAIN DAMAGE! these flags are not stored in the same order
+       as in the header */
+    krb5_ret_int8(message, &flags[3]);
+    krb5_ret_int8(message, &flags[2]);
+    krb5_ret_int8(message, &flags[1]);
+    krb5_ret_int8(message, &flags[0]);
+    ret = values_to_ent(context, &values, &ent, &mask);
+    if(ret)
+	goto fail;
+
+    krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
+    krb5_warnx(context, "v4-compat %s: GET %s",
+	       principal_string, name);
+
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_GET,
+				       ent.principal);
+    if (ret)
+	goto fail;
+
+    mask = flags_4_to_5(flags);
+
+    ret = kadm5_get_principal(kadm_handle, ent.principal, &out, mask);
+    kadm5_free_principal_ent(kadm_handle, &ent);
+
+    if (ret)
+	goto fail;
+    
+    ent_to_values(context, &out, mask, &values);
+
+    kadm5_free_principal_ent(kadm_handle, &out);
+
+    store_vals(reply, &values);
+    return 0;
+fail:
+    krb5_warn(context, ret, "v4-compat GET");
+    return error_code(ret);
+}
+
+static int
+kadm_ser_mod(krb5_context context,
+	     void *kadm_handle, 
+	     krb5_principal principal, 
+	     const char *principal_string,
+	     krb5_storage *message,
+	     krb5_storage *reply)
+{
+    Kadm_vals values1, values2;
+    kadm5_principal_ent_rec ent, out;
+    int32_t mask;
+    krb5_error_code ret;
+    char name[128];
+    
+    ret_vals(message, &values1);
+    /* why are the old values sent? is the mask the same in the old and
+       the new entry? */
+    ret_vals(message, &values2);
+    
+    ret = values_to_ent(context, &values2, &ent, &mask);
+    if(ret)
+	goto fail;
+
+    krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
+    krb5_warnx(context, "v4-compat %s: MOD %s",
+	       principal_string, name);
+
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_MODIFY,
+				       ent.principal);
+    if (ret)
+	goto fail;
+
+    ret = kadm5_s_modify_principal(kadm_handle, &ent, mask);
+    if(ret) {
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	krb5_warn(context, ret, "kadm5_s_modify_principal");
+	goto fail;
+    }
+
+    ret = kadm5_get_principal(kadm_handle, ent.principal, &out, mask);
+    if(ret) {
+	kadm5_free_principal_ent(kadm_handle, &ent);
+	krb5_warn(context, ret, "kadm5_s_modify_principal");
+	goto fail;
+    }
+
+    ent_to_values(context, &out, mask, &values1);
+
+    kadm5_free_principal_ent(kadm_handle, &ent);
+    kadm5_free_principal_ent(kadm_handle, &out);
+    
+    store_vals(reply, &values1);
+    return 0;
+fail:
+    krb5_warn(context, ret, "v4-compat MOD");
+    return error_code(ret);
+}
+
+static int
+kadm_ser_del(krb5_context context,
+	     void *kadm_handle, 
+	     krb5_principal principal, 
+	     const char *principal_string,
+	     krb5_storage *message,
+	     krb5_storage *reply)
+{
+    Kadm_vals values;
+    kadm5_principal_ent_rec ent;
+    int32_t mask;
+    krb5_error_code ret;
+    char name[128];
+
+    ret_vals(message, &values);
+
+    ret = values_to_ent(context, &values, &ent, &mask);
+    if(ret)
+	goto fail;
+    
+    krb5_unparse_name_fixed(context, ent.principal, name, sizeof(name));
+    krb5_warnx(context, "v4-compat %s: DEL %s",
+	       principal_string, name);
+
+    ret = _kadm5_acl_check_permission (kadm_handle, KADM5_PRIV_DELETE,
+				       ent.principal);
+    if (ret)
+	goto fail;
+
+    ret = kadm5_delete_principal(kadm_handle, ent.principal);
+
+    kadm5_free_principal_ent(kadm_handle, &ent);
+
+    if (ret)
+	goto fail;
+
+    return 0;
+fail:
+    krb5_warn(context, ret, "v4-compat ADD");
+    return error_code(ret);
+}
+
+static int
+dispatch(krb5_context context,
+	 void *kadm_handle,
+	 krb5_principal principal,
+	 const char *principal_string,
+	 krb5_data msg, 
+	 krb5_data *reply)
+{
+    int retval;
+    int8_t command;
+    krb5_storage *sp_in, *sp_out;
+    
+    sp_in = krb5_storage_from_data(&msg);
+    krb5_ret_int8(sp_in, &command);
+    
+    sp_out = krb5_storage_emem();
+    sp_out->store(sp_out, KADM_VERSTR, KADM_VERSIZE);
+    krb5_store_int32(sp_out, 0);
+
+    switch(command) {
+    case CHANGE_PW:
+	retval = kadm_ser_cpw(context, kadm_handle, principal,
+			      principal_string,
+			      sp_in, sp_out);
+	break;
+    case ADD_ENT:
+	retval = kadm_ser_add(context, kadm_handle, principal,
+			      principal_string,
+			      sp_in, sp_out);
+	break;
+    case GET_ENT:
+	retval = kadm_ser_get(context, kadm_handle, principal,
+			      principal_string,
+			      sp_in, sp_out);
+	break;
+    case MOD_ENT:
+	retval = kadm_ser_mod(context, kadm_handle, principal,
+			      principal_string,
+			      sp_in, sp_out);
+	break;
+    case DEL_ENT:
+	retval = kadm_ser_del(context, kadm_handle, principal,
+			      principal_string,
+			      sp_in, sp_out);
+	break;
+    default:
+	krb5_warnx(context, "v4-compat %s: unknown opcode: %d",
+		   principal_string, command);
+	retval = KADM_NO_OPCODE;
+	break;
+    }
+    krb5_storage_free(sp_in);
+    if(retval) {
+	sp_out->seek(sp_out, KADM_VERSIZE, SEEK_SET);
+	krb5_store_int32(sp_out, retval);
+    }
+    krb5_storage_to_data(sp_out, reply);
+    krb5_storage_free(sp_out);
+    return retval;
+}
+
+/*
+ * Decode a v4 kadmin packet in `message' and create a reply in `reply'
+ */
+
+static void
+decode_packet(krb5_context context,
+	      krb5_keytab keytab,
+	      struct sockaddr_in *admin_addr,
+	      struct sockaddr_in *client_addr,
+	      krb5_data message,
+	      krb5_data *reply)
+{
+    int ret;
+    KTEXT_ST authent;
+    AUTH_DAT ad;
+    MSG_DAT msg_dat;
+    off_t off = 0;
+    unsigned long rlen;
+    char sname[] = "changepw", sinst[] = "kerberos";
+    unsigned long checksum;
+    des_key_schedule schedule;
+    char *msg = message.data;
+    void *kadm_handle;
+    krb5_principal client;
+    char *client_str;
+    krb5_keytab_entry entry;
+    
+    if(message.length < KADM_VERSIZE
+       || strncmp(msg, KADM_VERSTR, KADM_VERSIZE) != 0) {
+	make_you_loose_packet (KADM_BAD_VER, reply);
+	return;
+    }
+
+    off = KADM_VERSIZE;
+    off += _krb5_get_int(msg + off, &rlen, 4);
+    memset(&authent, 0, sizeof(authent));
+    authent.length = message.length - rlen - KADM_VERSIZE - 4;
+    memcpy(authent.dat, (char*)msg + off, authent.length);
+    off += authent.length;
+    
+    {
+	krb5_principal principal;
+	krb5_keyblock *key;
+
+	ret = krb5_make_principal(context, &principal, NULL, 
+				  "changepw", "kerberos", NULL);
+	if (ret) {
+	    krb5_warn (context, ret, "krb5_make_principal");
+	    make_you_loose_packet (KADM_NOMEM, reply);
+	    return;
+	}
+	ret = krb5_kt_get_entry (context, keytab, principal, 0,
+				 ETYPE_DES_CBC_MD5, &entry);
+	krb5_kt_close (context, keytab);
+	if (ret) {
+	    krb5_free_principal(context, principal);
+	    make_you_loose_packet (KADM_NO_AUTH, reply);
+	    return;
+	}
+	ret = krb5_copy_keyblock (context, &entry.keyblock,& key);
+	krb5_kt_free_entry(context, &entry);
+	krb5_free_principal(context, principal);
+	if(ret) {
+	    if(ret == KRB5_KT_NOTFOUND)
+		make_you_loose_packet(KADM_NO_AUTH, reply);
+	    else
+		/* XXX */
+		make_you_loose_packet(KADM_NO_AUTH, reply);
+	    krb5_warn(context, ret, "krb5_kt_read_service_key");
+	    return;
+	}
+	
+	if(key->keyvalue.length != 8)
+	    krb5_abortx(context, "key has wrong length (%lu)", 
+			(unsigned long)key->keyvalue.length);
+	krb_set_key(key->keyvalue.data, 0);
+	krb5_free_keyblock(context, key);
+    }
+    
+    ret = krb_rd_req(&authent, sname, sinst, 
+		     client_addr->sin_addr.s_addr, &ad, NULL);
+
+    if(ret) {
+	make_you_loose_packet(krb_err_base + ret, reply);
+	krb5_warnx(context, "krb_rd_req: %d", ret);
+	return;
+    }
+
+    ret = krb5_425_conv_principal(context, ad.pname, ad.pinst, ad.prealm,
+				  &client);
+    if (ret) {
+	krb5_warnx (context, "krb5_425_conv_principal: %d", ret);
+	make_you_loose_packet (KADM_NOMEM, reply);
+	return;
+    }
+
+    krb5_unparse_name(context, client, &client_str);
+
+    ret = kadm5_init_with_password_ctx(context, 
+				       client_str, 
+				       NULL,
+				       KADM5_ADMIN_SERVICE,
+				       NULL, 0, 0, 
+				       &kadm_handle);
+    if (ret) {
+	krb5_warn (context, ret, "kadm5_init_with_password_ctx");
+	make_you_loose_packet (KADM_NOMEM, reply);
+	goto out;
+    }
+    
+    checksum = des_quad_cksum((void *)(msg + off), NULL, rlen, 0, &ad.session);
+    if(checksum != ad.checksum) {
+	krb5_warnx(context, "decode_packet: bad checksum");
+	make_you_loose_packet (KADM_BAD_CHK, reply);
+	goto out;
+    }
+    des_set_key(&ad.session, schedule);
+    ret = krb_rd_priv(msg + off, rlen, schedule, &ad.session, 
+		      client_addr, admin_addr, &msg_dat);
+    if (ret) {
+	make_you_loose_packet (krb_err_base + ret, reply);
+	krb5_warnx(context, "krb_rd_priv: %d", ret);
+	goto out;
+    }
+
+    {
+	krb5_data d, r;
+	int retval;
+
+	d.data   = msg_dat.app_data;
+	d.length = msg_dat.app_length;
+	
+	retval = dispatch(context, kadm_handle,
+			  client, client_str, d, &r);
+	krb5_data_alloc(reply, r.length + 26);
+	reply->length = krb_mk_priv(r.data, reply->data, r.length, 
+				    schedule, &ad.session, 
+				    admin_addr, client_addr);
+	if((ssize_t)reply->length < 0) {
+	    make_you_loose_packet(KADM_NO_ENCRYPT, reply);
+	    goto out;
+	}
+    }
+out:
+    krb5_free_principal(context, client);
+    free(client_str);
+}
+
+void
+handle_v4(krb5_context context,
+	  krb5_keytab keytab,
+	  int len,
+	  int fd)
+{
+    int first = 1;
+    struct sockaddr_in admin_addr, client_addr;
+    socklen_t addr_len;
+    krb5_data message, reply;
+    ssize_t n;
+
+    addr_len = sizeof(client_addr);
+    if (getsockname(fd, (struct sockaddr*)&admin_addr, &addr_len) < 0)
+	krb5_errx (context, 1, "getsockname");
+    addr_len = sizeof(client_addr);
+    if (getpeername(fd, (struct sockaddr*)&client_addr, &addr_len) < 0)
+	krb5_errx (context, 1, "getpeername");
+
+    while(1) {
+	doing_useful_work = 0;
+	if(term_flag)
+	    exit(0);
+	if(first) {
+	    /* first time around, we have already read len, and two
+               bytes of the version string */
+	    krb5_data_alloc(&message, len);
+	    memcpy(message.data, "KA", 2);
+	    n = krb5_net_read(context, &fd, (char*)message.data + 2,
+			      len - 2);
+	    if (n == 0)
+		exit (0);
+	    if (n < 0)
+		krb5_err (context, 1, errno, "krb5_net_read");
+	    first = 0;
+	} else {
+	    char buf[2];
+	    unsigned long tmp;
+	    ssize_t n;
+
+	    n = krb5_net_read(context, &fd, buf, sizeof(2));
+	    if (n == 0)
+		exit (0);
+	    if (n < 0)
+		krb5_err (context, 1, errno, "krb5_net_read");
+	    _krb5_get_int(buf, &tmp, 2);
+	    krb5_data_alloc(&message, tmp);
+	    n = krb5_net_read(context, &fd, message.data, message.length);
+	    if (n == 0)
+		krb5_errx (context, 1, "EOF in krb5_net_read");
+	    if (n < 0)
+		krb5_err (context, 1, errno, "krb5_net_read");
+	}
+	doing_useful_work = 1;
+	decode_packet(context, keytab, &admin_addr, &client_addr, 
+		      message, &reply);
+	krb5_data_free(&message);
+	{
+	    char buf[2];
+
+	    _krb5_put_int(buf, reply.length, sizeof(buf));
+	    n = krb5_net_write(context, &fd, buf, sizeof(buf));
+	    if (n < 0)
+		krb5_err (context, 1, errno, "krb5_net_write");
+	    n = krb5_net_write(context, &fd, reply.data, reply.length);
+	    if (n < 0)
+		krb5_err (context, 1, errno, "krb5_net_write");
+	    krb5_data_free(&reply);
+	}
+    }
+}
diff --git a/crypto/heimdal/kdc/524.c b/crypto/heimdal/kdc/524.c
new file mode 100644
index 0000000..ebe747f
--- /dev/null
+++ b/crypto/heimdal/kdc/524.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: 524.c,v 1.20 2001/05/14 06:17:47 assar Exp $");
+
+#ifdef KRB4
+
+/*
+ * fetch the server from `t', returning the name in malloced memory in
+ * `spn' and the entry itself in `server'
+ */
+
+static krb5_error_code
+fetch_server (const Ticket *t,
+	      char **spn,
+	      hdb_entry **server,
+	      const char *from)
+{
+    krb5_error_code ret;
+    krb5_principal sprinc;
+
+    ret = principalname2krb5_principal(&sprinc, t->sname, t->realm);
+    if (ret) {
+	kdc_log(0, "principalname2krb5_principal: %s",
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
+    ret = krb5_unparse_name(context, sprinc, spn);
+    if (ret) {
+	krb5_free_principal(context, sprinc);
+	kdc_log(0, "krb5_unparse_name: %s", krb5_get_err_text(context, ret));
+	return ret;
+    }
+    ret = db_fetch(sprinc, server);
+    krb5_free_principal(context, sprinc);
+    if (ret) {
+	kdc_log(0,
+	"Request to convert ticket from %s for unknown principal %s: %s",
+		from, *spn, krb5_get_err_text(context, ret));
+	if (ret == ENOENT)
+	    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	return ret;
+    }
+    return 0;
+}
+
+static krb5_error_code
+log_524 (const EncTicketPart *et,
+	 const char *from,
+	 const char *spn)
+{
+    krb5_principal client;
+    char *cpn;
+    krb5_error_code ret;
+
+    ret = principalname2krb5_principal(&client, et->cname, et->crealm);
+    if (ret) {
+	kdc_log(0, "principalname2krb5_principal: %s",
+		krb5_get_err_text (context, ret));
+	return ret;
+    }
+    ret = krb5_unparse_name(context, client, &cpn);
+    if (ret) {
+	krb5_free_principal(context, client);
+	kdc_log(0, "krb5_unparse_name: %s",
+		krb5_get_err_text (context, ret));
+	return ret;
+    }
+    kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn);
+    free(cpn);
+    krb5_free_principal(context, client);
+    return 0;
+}
+
+static krb5_error_code
+verify_flags (const EncTicketPart *et,
+	      const char *spn)
+{
+    if(et->endtime < kdc_time){
+	kdc_log(0, "Ticket expired (%s)", spn);
+	return KRB5KRB_AP_ERR_TKT_EXPIRED;
+    }
+    if(et->flags.invalid){
+	kdc_log(0, "Ticket not valid (%s)", spn);
+	return KRB5KRB_AP_ERR_TKT_NYV;
+    }
+    return 0;
+}
+
+/*
+ * set the `et->caddr' to the most appropriate address to use, where
+ * `addr' is the address the request was received from.
+ */
+
+static krb5_error_code
+set_address (EncTicketPart *et,
+	     struct sockaddr *addr,
+	     const char *from)
+{
+    krb5_error_code ret;
+    krb5_address *v4_addr;
+
+    v4_addr = malloc (sizeof(*v4_addr));
+    if (v4_addr == NULL)
+	return ENOMEM;
+
+    ret = krb5_sockaddr2address(context, addr, v4_addr);
+    if(ret) {
+	free (v4_addr);
+	kdc_log(0, "Failed to convert address (%s)", from);
+	return ret;
+    }
+	    
+    if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) {
+	kdc_log(0, "Incorrect network address (%s)", from);
+	krb5_free_address(context, v4_addr);
+	free (v4_addr);
+	return KRB5KRB_AP_ERR_BADADDR;
+    }
+    if(v4_addr->addr_type == KRB5_ADDRESS_INET) {
+	/* we need to collapse the addresses in the ticket to a
+	   single address; best guess is to use the address the
+	   connection came from */
+	
+	if (et->caddr != NULL) {
+	    free_HostAddresses(et->caddr);
+	} else {
+	    et->caddr = malloc (sizeof (*et->caddr));
+	    if (et->caddr == NULL) {
+		krb5_free_address(context, v4_addr);
+		free(v4_addr);
+		return ENOMEM;
+	    }
+	}
+	et->caddr->val = v4_addr;
+	et->caddr->len = 1;
+    } else {
+	krb5_free_address(context, v4_addr);
+	free(v4_addr);
+    }
+    return 0;
+}
+
+/*
+ * process a 5->4 request, based on `t', and received `from, addr',
+ * returning the reply in `reply'
+ */
+
+krb5_error_code
+do_524(const Ticket *t, krb5_data *reply,
+       const char *from, struct sockaddr *addr)
+{
+    krb5_error_code ret = 0;
+    krb5_crypto crypto;
+    hdb_entry *server = NULL;
+    Key *skey;
+    krb5_data et_data;
+    EncTicketPart et;
+    EncryptedData ticket;
+    krb5_storage *sp;
+    char *spn = NULL;
+    unsigned char buf[MAX_KTXT_LEN + 4 * 4];
+    size_t len;
+    
+    if(!enable_524) {
+	ret = KRB5KDC_ERR_POLICY;
+	kdc_log(0, "Rejected ticket conversion request from %s", from);
+	goto out;
+    }
+
+    ret = fetch_server (t, &spn, &server, from);
+    if (ret) {
+	goto out;
+    }
+
+    ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey);
+    if(ret){
+	kdc_log(0, "No suitable key found for server (%s) from %s", spn, from);
+	goto out;
+    }
+    ret = krb5_crypto_init(context, &skey->key, 0, &crypto);
+    if (ret) {
+	kdc_log(0, "krb5_crypto_init failed: %s",
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      KRB5_KU_TICKET,
+				      &t->enc_part,
+				      &et_data);
+    krb5_crypto_destroy(context, crypto);
+    if(ret){
+	kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn);
+	goto out;
+    }
+    ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length, 
+				    &et, &len);
+    krb5_data_free(&et_data);
+    if(ret){
+	kdc_log(0, "Failed to decode ticket from %s for %s", from, spn);
+	goto out;
+    }
+
+    ret = log_524 (&et, from, spn);
+    if (ret) {
+	free_EncTicketPart(&et);
+	goto out;
+    }
+
+    ret = verify_flags (&et, spn);
+    if (ret) {
+	free_EncTicketPart(&et);
+	goto out;
+    }
+
+    ret = set_address (&et, addr, from);
+    if (ret) {
+	free_EncTicketPart(&et);
+	goto out;
+    }
+    ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
+			   &et, &t->sname, &len);
+    free_EncTicketPart(&et);
+    if(ret){
+	kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
+	goto out;
+    }
+    ret = get_des_key(server, FALSE, &skey);
+    if(ret){
+	kdc_log(0, "No DES key for server (%s)", spn);
+	goto out;
+    }
+    ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len, 
+			    skey->key.keyvalue.data, &ticket);
+    if(ret){
+	kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
+	goto out;
+    }
+out:
+    /* make reply */
+    memset(buf, 0, sizeof(buf));
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    krb5_store_int32(sp, ret);
+    if(ret == 0){
+	krb5_store_int32(sp, server->kvno); /* is this right? */
+	krb5_store_data(sp, ticket.cipher);
+	/* Aargh! This is coded as a KTEXT_ST. */
+	sp->seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
+	krb5_store_int32(sp, 0); /* mbz */
+	free_EncryptedData(&ticket);
+    }
+    ret = krb5_storage_to_data(sp, reply);
+    krb5_storage_free(sp);
+    
+    if(spn)
+	free(spn);
+    if(server)
+	free_ent (server);
+    return ret;
+}
+
+#endif /* KRB4 */
diff --git a/crypto/heimdal/kdc/Makefile.am b/crypto/heimdal/kdc/Makefile.am
new file mode 100644
index 0000000..674ec4d
--- /dev/null
+++ b/crypto/heimdal/kdc/Makefile.am
@@ -0,0 +1,67 @@
+# $Id: Makefile.am,v 1.41 2000/11/15 22:51:12 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) -I$(srcdir)/../lib/krb5
+
+bin_PROGRAMS = string2key
+
+sbin_PROGRAMS = kstash
+
+libexec_PROGRAMS = hprop hpropd kdc
+
+man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8
+
+hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h 
+hpropd_SOURCES = hpropd.c hprop.h
+
+kstash_SOURCES = kstash.c headers.h
+
+string2key_SOURCES = string2key.c headers.h
+
+kdc_SOURCES = \
+	524.c		\
+	config.c	\
+	connect.c	\
+	kaserver.c	\
+	kdc_locl.h	\
+	kerberos4.c	\
+	kerberos4.h	\
+	kerberos5.c	\
+	log.c		\
+	main.c		\
+	misc.c		\
+	rx.h
+
+
+hprop_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_kdb) $(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB) 
+
+hpropd_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_kdb) $(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB) 
+
+LDADD = $(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB)
+
+kdc_LDADD = $(LDADD) $(LIB_pidfile)
+
diff --git a/crypto/heimdal/kdc/Makefile.in b/crypto/heimdal/kdc/Makefile.in
new file mode 100644
index 0000000..90d7e04
--- /dev/null
+++ b/crypto/heimdal/kdc/Makefile.in
@@ -0,0 +1,781 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.41 2000/11/15 22:51:12 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -I$(srcdir)/../lib/krb5
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = string2key
+
+sbin_PROGRAMS = kstash
+
+libexec_PROGRAMS = hprop hpropd kdc
+
+man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8
+
+hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h 
+hpropd_SOURCES = hpropd.c hprop.h
+
+kstash_SOURCES = kstash.c headers.h
+
+string2key_SOURCES = string2key.c headers.h
+
+kdc_SOURCES = \
+	524.c		\
+	config.c	\
+	connect.c	\
+	kaserver.c	\
+	kdc_locl.h	\
+	kerberos4.c	\
+	kerberos4.h	\
+	kerberos5.c	\
+	log.c		\
+	main.c		\
+	misc.c		\
+	rx.h
+
+
+hprop_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_kdb) $(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB) 
+
+
+hpropd_LDADD = \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_kdb) $(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB) 
+
+
+LDADD = $(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken) \
+	$(DBLIB)
+
+
+kdc_LDADD = $(LDADD) $(LIB_pidfile)
+subdir = kdc
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  string2key$(EXEEXT)
+libexec_PROGRAMS =  hprop$(EXEEXT) hpropd$(EXEEXT) kdc$(EXEEXT)
+sbin_PROGRAMS =  kstash$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS) $(sbin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_hprop_OBJECTS =  hprop.$(OBJEXT) mit_dump.$(OBJEXT) v4_dump.$(OBJEXT)
+hprop_OBJECTS =  $(am_hprop_OBJECTS)
+hprop_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+hprop_LDFLAGS = 
+am_hpropd_OBJECTS =  hpropd.$(OBJEXT)
+hpropd_OBJECTS =  $(am_hpropd_OBJECTS)
+hpropd_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+hpropd_LDFLAGS = 
+am_kdc_OBJECTS =  524.$(OBJEXT) config.$(OBJEXT) connect.$(OBJEXT) \
+kaserver.$(OBJEXT) kerberos4.$(OBJEXT) kerberos5.$(OBJEXT) \
+log.$(OBJEXT) main.$(OBJEXT) misc.$(OBJEXT)
+kdc_OBJECTS =  $(am_kdc_OBJECTS)
+kdc_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+kdc_LDFLAGS = 
+am_kstash_OBJECTS =  kstash.$(OBJEXT)
+kstash_OBJECTS =  $(am_kstash_OBJECTS)
+kstash_LDADD = $(LDADD)
+kstash_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+kstash_LDFLAGS = 
+am_string2key_OBJECTS =  string2key.$(OBJEXT)
+string2key_OBJECTS =  $(am_string2key_OBJECTS)
+string2key_LDADD = $(LDADD)
+string2key_DEPENDENCIES =  $(top_builddir)/lib/hdb/libhdb.la \
+$(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la
+string2key_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) \
+$(kstash_SOURCES) $(string2key_SOURCES)
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) $(kstash_SOURCES) $(string2key_SOURCES)
+OBJECTS = $(am_hprop_OBJECTS) $(am_hpropd_OBJECTS) $(am_kdc_OBJECTS) $(am_kstash_OBJECTS) $(am_string2key_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign kdc/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-sbinPROGRAMS:
+
+clean-sbinPROGRAMS:
+	-test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS)
+
+distclean-sbinPROGRAMS:
+
+maintainer-clean-sbinPROGRAMS:
+
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(sbindir)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \
+	  rm -f $(DESTDIR)$(sbindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+hprop$(EXEEXT): $(hprop_OBJECTS) $(hprop_DEPENDENCIES)
+	@rm -f hprop$(EXEEXT)
+	$(LINK) $(hprop_LDFLAGS) $(hprop_OBJECTS) $(hprop_LDADD) $(LIBS)
+
+hpropd$(EXEEXT): $(hpropd_OBJECTS) $(hpropd_DEPENDENCIES)
+	@rm -f hpropd$(EXEEXT)
+	$(LINK) $(hpropd_LDFLAGS) $(hpropd_OBJECTS) $(hpropd_LDADD) $(LIBS)
+
+kdc$(EXEEXT): $(kdc_OBJECTS) $(kdc_DEPENDENCIES)
+	@rm -f kdc$(EXEEXT)
+	$(LINK) $(kdc_LDFLAGS) $(kdc_OBJECTS) $(kdc_LDADD) $(LIBS)
+
+kstash$(EXEEXT): $(kstash_OBJECTS) $(kstash_DEPENDENCIES)
+	@rm -f kstash$(EXEEXT)
+	$(LINK) $(kstash_LDFLAGS) $(kstash_OBJECTS) $(kstash_LDADD) $(LIBS)
+
+string2key$(EXEEXT): $(string2key_OBJECTS) $(string2key_DEPENDENCIES)
+	@rm -f string2key$(EXEEXT)
+	$(LINK) $(string2key_LDFLAGS) $(string2key_OBJECTS) $(string2key_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \
+		install-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+		uninstall-sbinPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(sbindir) $(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-sbinPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-sbinPROGRAMS \
+		clean-compile clean-libtool clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-sbinPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-sbinPROGRAMS maintainer-clean-compile \
+		maintainer-clean-libtool maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS \
+mostlyclean-sbinPROGRAMS distclean-sbinPROGRAMS clean-sbinPROGRAMS \
+maintainer-clean-sbinPROGRAMS uninstall-sbinPROGRAMS \
+install-sbinPROGRAMS mostlyclean-compile distclean-compile \
+clean-compile maintainer-clean-compile mostlyclean-libtool \
+distclean-libtool clean-libtool maintainer-clean-libtool install-man8 \
+uninstall-man8 install-man uninstall-man tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/kdc/config.c b/crypto/heimdal/kdc/config.c
new file mode 100644
index 0000000..78f75d3
--- /dev/null
+++ b/crypto/heimdal/kdc/config.c
@@ -0,0 +1,364 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+#include <getarg.h>
+#include <parse_bytes.h>
+
+RCSID("$Id: config.c,v 1.36 2001/05/17 07:13:43 joda Exp $");
+
+static char *config_file;	/* location of kdc config file */
+
+int require_preauth = -1;	/* 1 == require preauth for all principals */
+
+size_t max_request;		/* maximal size of a request */
+
+static char *max_request_str;	/* `max_request' as a string */
+
+time_t kdc_warn_pwexpire;	/* time before expiration to print a warning */
+
+struct dbinfo *databases;
+HDB **db;
+int num_db;
+
+char *port_str;
+
+int enable_http = -1;
+krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
+
+krb5_boolean check_ticket_addresses;
+krb5_boolean allow_null_ticket_addresses;
+krb5_boolean allow_anonymous;
+
+static struct getarg_strings addresses_str;	/* addresses to listen on */
+krb5_addresses explicit_addresses;
+
+#ifdef KRB4
+char *v4_realm;
+int enable_v4 = -1;
+int enable_524 = -1;
+#endif
+#ifdef KASERVER
+krb5_boolean enable_kaserver = -1;
+#endif
+
+static int help_flag;
+static int version_flag;
+
+static struct getargs args[] = {
+    { 
+	"config-file",	'c',	arg_string,	&config_file, 
+	"location of config file",	"file" 
+    },
+    { 
+	"require-preauth",	'p',	arg_negative_flag, &require_preauth, 
+	"don't require pa-data in as-reqs"
+    },
+    { 
+	"max-request",	0,	arg_string, &max_request, 
+	"max size for a kdc-request", "size"
+    },
+#if 0
+    {
+	"database",	'd', 	arg_string, &databases,
+	"location of database", "database"
+    },
+#endif
+    { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
+#ifdef KRB4
+    {	"kerberos4",	0, 	arg_negative_flag, &enable_v4,
+	"don't respond to kerberos 4 requests" 
+    },
+    {	"524",		0, 	arg_negative_flag, &enable_524,
+	"don't respond to 524 requests" 
+    },
+    { 
+	"v4-realm",	'r',	arg_string, &v4_realm, 
+	"realm to serve v4-requests for"
+    },
+#endif
+#ifdef KASERVER
+    {
+	"kaserver", 'K', arg_negative_flag,   &enable_kaserver,
+	"turn off kaserver support"
+    },
+#endif
+    {	"ports",	'P', 	arg_string, &port_str,
+	"ports to listen to" 
+    },
+    {	"addresses",	0,	arg_strings, &addresses_str,
+	"addresses to listen on", "list of addresses" },
+    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"version",	'v',	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "");
+    exit (ret);
+}
+
+static void
+get_dbinfo(krb5_config_section *cf)
+{
+    krb5_config_binding *top_binding = NULL;
+    krb5_config_binding *db_binding;
+    krb5_config_binding *default_binding = NULL;
+    struct dbinfo *di, **dt;
+    const char *default_dbname = HDB_DEFAULT_DB;
+    const char *default_mkey = HDB_DB_DIR "/m-key";
+    const char *p;
+
+    databases = NULL;
+    dt = &databases;
+    while((db_binding = (krb5_config_binding *)
+	   krb5_config_get_next(context, cf, &top_binding, 
+				krb5_config_list, 
+				"kdc", 
+				"database",
+				NULL))) {
+	p = krb5_config_get_string(context, db_binding, "realm", NULL);
+	if(p == NULL) {
+	    if(default_binding) {
+		krb5_warnx(context, "WARNING: more than one realm-less "
+			   "database specification");
+		krb5_warnx(context, "WARNING: using the first encountered");
+	    } else
+		default_binding = db_binding;
+	    continue;
+	}
+	di = calloc(1, sizeof(*di));
+	di->realm = strdup(p);
+	p = krb5_config_get_string(context, db_binding, "dbname", NULL);
+	if(p)
+	    di->dbname = strdup(p);
+	p = krb5_config_get_string(context, db_binding, "mkey_file", NULL);
+	if(p)
+	    di->mkey_file = strdup(p);
+	*dt = di;
+	dt = &di->next;
+    }
+    if(default_binding) {
+	di = calloc(1, sizeof(*di));
+	p = krb5_config_get_string(context, default_binding, "dbname", NULL);
+	if(p) {
+	    di->dbname = strdup(p);
+	    default_dbname = p;
+	}
+	p = krb5_config_get_string(context, default_binding, "mkey_file", NULL);
+	if(p) {
+	    di->mkey_file = strdup(p);
+	    default_mkey = p;
+	}
+	*dt = di;
+	dt = &di->next;
+    } else {
+	di = calloc(1, sizeof(*di));
+	di->dbname = strdup(default_dbname);
+	di->mkey_file = strdup(default_mkey);
+	*dt = di;
+	dt = &di->next;
+    }
+    for(di = databases; di; di = di->next) {
+	if(di->dbname == NULL)
+	    di->dbname = strdup(default_dbname);
+	if(di->mkey_file == NULL) {
+	    p = strrchr(di->dbname, '.');
+	    if(p == NULL || strchr(p, '/') != NULL)
+		asprintf(&di->mkey_file, "%s.mkey", di->dbname);
+	    else
+		asprintf(&di->mkey_file, "%.*s.mkey", 
+			 (int)(p - di->dbname), di->dbname);
+	}
+    }
+}
+
+static void
+add_one_address (const char *str, int first)
+{
+    krb5_error_code ret;
+    krb5_addresses tmp;
+
+    ret = krb5_parse_address (context, str, &tmp);
+    if (ret)
+	krb5_err (context, 1, ret, "parse_address `%s'", str);
+    if (first)
+	krb5_copy_addresses(context, &tmp, &explicit_addresses);
+    else
+	krb5_append_addresses(context, &explicit_addresses, &tmp);
+    krb5_free_addresses (context, &tmp);
+}
+
+void
+configure(int argc, char **argv)
+{
+    krb5_config_section *cf = NULL;
+    int optind = 0;
+    int e;
+    const char *p;
+    
+    while((e = getarg(args, num_args, argc, argv, &optind)))
+	warnx("error at argument `%s'", argv[optind]);
+
+    if(help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0)
+	usage(1);
+    
+    if(config_file == NULL)
+	config_file = _PATH_KDC_CONF;
+    
+    if(krb5_config_parse_file(context, config_file, &cf))
+	cf = NULL;
+    
+    get_dbinfo(cf);
+    
+    if(max_request_str){
+	max_request = parse_bytes(max_request_str, NULL);
+    }
+
+    if(max_request == 0){
+	p = krb5_config_get_string (context,
+				    cf, 
+				    "kdc",
+				    "max-request",
+				    NULL);
+	if(p)
+	    max_request = parse_bytes(p, NULL);
+    }
+    
+    if(require_preauth == -1)
+	require_preauth = krb5_config_get_bool(context, cf, "kdc", 
+					       "require-preauth", NULL);
+
+    if(port_str == NULL){
+	p = krb5_config_get_string(context, cf, "kdc", "ports", NULL);
+	if (p != NULL)
+	    port_str = strdup(p);
+    }
+
+    explicit_addresses.len = 0;
+
+    if (addresses_str.num_strings) {
+	int i;
+
+	for (i = 0; i < addresses_str.num_strings; ++i)
+	    add_one_address (addresses_str.strings[i], i == 0);
+	free_getarg_strings (&addresses_str);
+    } else {
+	char **foo = krb5_config_get_strings (context, cf,
+					      "kdc", "addresses", NULL);
+
+	if (foo != NULL) {
+	    add_one_address (*foo++, TRUE);
+	    while (*foo)
+		add_one_address (*foo++, FALSE);
+	}
+    }
+
+#ifdef KRB4
+    if(enable_v4 == -1)
+	enable_v4 = krb5_config_get_bool_default(context, cf, TRUE, "kdc", 
+					 "enable-kerberos4", NULL);
+    if(enable_524 == -1)
+	enable_524 = krb5_config_get_bool_default(context, cf, enable_v4, 
+						  "kdc", "enable-524", NULL);
+#endif
+
+    if(enable_http == -1)
+	enable_http = krb5_config_get_bool(context, cf, "kdc", 
+					   "enable-http", NULL);
+    check_ticket_addresses = 
+	krb5_config_get_bool_default(context, cf, TRUE, "kdc", 
+				     "check-ticket-addresses", NULL);
+    allow_null_ticket_addresses = 
+	krb5_config_get_bool_default(context, cf, TRUE, "kdc", 
+				     "allow-null-ticket-addresses", NULL);
+
+    allow_anonymous = 
+	krb5_config_get_bool(context, cf, "kdc", 
+			     "allow-anonymous", NULL);
+#ifdef KRB4
+    if(v4_realm == NULL){
+	p = krb5_config_get_string (context, cf, 
+				    "kdc",
+				    "v4-realm",
+				    NULL);
+	if(p)
+	    v4_realm = strdup(p);
+    }
+#endif
+#ifdef KASERVER
+    if (enable_kaserver == -1)
+	enable_kaserver = krb5_config_get_bool_default(context, cf, TRUE,
+						       "kdc",
+						       "enable-kaserver",
+						       NULL);
+#endif
+
+    encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, cf, "kdc", 
+						    "encode_as_rep_as_tgs_rep", 
+						    NULL);
+
+    kdc_warn_pwexpire = krb5_config_get_time (context, cf,
+					      "kdc",
+					      "kdc_warn_pwexpire",
+					      NULL);
+    kdc_openlog(cf);
+    if(cf)
+	krb5_config_file_free (context, cf);
+    if(max_request == 0)
+	max_request = 64 * 1024;
+    if(require_preauth == -1)
+	require_preauth = 1;
+    if (port_str == NULL)
+	port_str = "+";
+#ifdef KRB4
+    if(v4_realm == NULL){
+	v4_realm = malloc(40); /* REALM_SZ */
+	krb_get_lrealm(v4_realm, 1);
+    }
+#endif
+}
diff --git a/crypto/heimdal/kdc/connect.c b/crypto/heimdal/kdc/connect.c
new file mode 100644
index 0000000..7f13310
--- /dev/null
+++ b/crypto/heimdal/kdc/connect.c
@@ -0,0 +1,804 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: connect.c,v 1.82 2001/05/14 06:18:11 assar Exp $");
+
+/*
+ * a tuple describing on what to listen
+ */
+
+struct port_desc{
+    int family;
+    int type;
+    int port;
+};
+
+/* the current ones */
+
+static struct port_desc *ports;
+static int num_ports;
+
+/*
+ * add `family, port, protocol' to the list with duplicate suppresion.
+ */
+
+static void
+add_port(int family, int port, const char *protocol)
+{
+    int type;
+    int i;
+
+    if(strcmp(protocol, "udp") == 0)
+	type = SOCK_DGRAM;
+    else if(strcmp(protocol, "tcp") == 0)
+	type = SOCK_STREAM;
+    else
+	return;
+    for(i = 0; i < num_ports; i++){
+	if(ports[i].type == type
+	   && ports[i].port == port
+	   && ports[i].family == family)
+	    return;
+    }
+    ports = realloc(ports, (num_ports + 1) * sizeof(*ports));
+    if (ports == NULL)
+	krb5_err (context, 1, errno, "realloc");
+    ports[num_ports].family = family;
+    ports[num_ports].type   = type;
+    ports[num_ports].port   = port;
+    num_ports++;
+}
+
+/*
+ * add a triple but with service -> port lookup
+ * (this prints warnings for stuff that does not exist)
+ */
+
+static void
+add_port_service(int family, const char *service, int port,
+		 const char *protocol)
+{
+    port = krb5_getportbyname (context, service, protocol, port);
+    add_port (family, port, protocol);
+}
+
+/*
+ * add the port with service -> port lookup or string -> number
+ * (no warning is printed)
+ */
+
+static void
+add_port_string (int family, const char *port_str, const char *protocol)
+{
+    struct servent *sp;
+    int port;
+
+    sp = roken_getservbyname (port_str, protocol);
+    if (sp != NULL) {
+	port = sp->s_port;
+    } else {
+	char *end;
+
+	port = htons(strtol(port_str, &end, 0));
+	if (end == port_str)
+	    return;
+    }
+    add_port (family, port, protocol);
+}
+
+/*
+ * add the standard collection of ports for `family'
+ */
+
+static void
+add_standard_ports (int family)
+{
+    add_port_service(family, "kerberos", 88, "udp");
+    add_port_service(family, "kerberos", 88, "tcp");
+    add_port_service(family, "kerberos-sec", 88, "udp");
+    add_port_service(family, "kerberos-sec", 88, "tcp");
+    if(enable_http)
+	add_port_service(family, "http", 80, "tcp");
+#ifdef KRB4
+    if(enable_v4) {
+	add_port_service(family, "kerberos-iv", 750, "udp");
+	add_port_service(family, "kerberos-iv", 750, "tcp");
+    }
+    if(enable_524) {
+	add_port_service(family, "krb524", 4444, "udp");
+	add_port_service(family, "krb524", 4444, "tcp");
+    }
+#endif
+#ifdef KASERVER
+    if (enable_kaserver)
+	add_port_service(family, "afs3-kaserver", 7004, "udp");
+#endif
+}
+
+/*
+ * parse the set of space-delimited ports in `str' and add them.
+ * "+" => all the standard ones
+ * otherwise it's port|service[/protocol]
+ */
+
+static void
+parse_ports(const char *str)
+{
+    char *pos = NULL;
+    char *p;
+    char *str_copy = strdup (str);
+
+    p = strtok_r(str_copy, " \t", &pos);
+    while(p != NULL) {
+	if(strcmp(p, "+") == 0) {
+#ifdef HAVE_IPV6
+	    add_standard_ports(AF_INET6);
+#endif
+	    add_standard_ports(AF_INET);
+	} else {
+	    char *q = strchr(p, '/');
+	    if(q){
+		*q++ = 0;
+#ifdef HAVE_IPV6
+		add_port_string(AF_INET6, p, q);
+#endif
+		add_port_string(AF_INET, p, q);
+	    }else {
+#ifdef HAVE_IPV6
+		add_port_string(AF_INET6, p, "udp");
+		add_port_string(AF_INET6, p, "tcp");
+#endif
+		add_port_string(AF_INET, p, "udp");
+		add_port_string(AF_INET, p, "tcp");
+	    }
+	}
+	    
+	p = strtok_r(NULL, " \t", &pos);
+    }
+    free (str_copy);
+}
+
+/*
+ * every socket we listen on
+ */
+
+struct descr {
+    int s;
+    int type;
+    unsigned char *buf;
+    size_t size;
+    size_t len;
+    time_t timeout;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa;
+    socklen_t sock_len;
+    char addr_string[128];
+};
+
+static void
+init_descr(struct descr *d)
+{
+    memset(d, 0, sizeof(*d));
+    d->sa = (struct sockaddr *)&d->__ss;
+    d->s = -1;
+}
+
+/*
+ * re-intialize all `n' ->sa in `d'.
+ */
+
+static void
+reinit_descrs (struct descr *d, int n)
+{
+    int i;
+
+    for (i = 0; i < n; ++i)
+	d[i].sa = (struct sockaddr *)&d[i].__ss;
+}
+
+/*
+ * Create the socket (family, type, port) in `d'
+ */
+
+static void 
+init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
+{
+    krb5_error_code ret;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+    int sa_size;
+
+    init_descr (d);
+
+    ret = krb5_addr2sockaddr (context, a, sa, &sa_size, port);
+    if (ret) {
+	krb5_warn(context, ret, "krb5_addr2sockaddr");
+	close(d->s);
+	d->s = -1;
+	return;
+    }
+
+    if (sa->sa_family != family)
+	return;
+
+    d->s = socket(family, type, 0);
+    if(d->s < 0){
+	krb5_warn(context, errno, "socket(%d, %d, 0)", family, type);
+	d->s = -1;
+	return;
+    }
+#if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_REUSEADDR)
+    {
+	int one = 1;
+	setsockopt(d->s, SOL_SOCKET, SO_REUSEADDR, (void *)&one, sizeof(one));
+    }
+#endif
+    d->type = type;
+
+    if(bind(d->s, sa, sa_size) < 0){
+	char a_str[256];
+	size_t len;
+
+	krb5_print_address (a, a_str, sizeof(a_str), &len);
+	krb5_warn(context, errno, "bind %s/%d", a_str, ntohs(port));
+	close(d->s);
+	d->s = -1;
+	return;
+    }
+    if(type == SOCK_STREAM && listen(d->s, SOMAXCONN) < 0){
+	char a_str[256];
+	size_t len;
+
+	krb5_print_address (a, a_str, sizeof(a_str), &len);
+	krb5_warn(context, errno, "listen %s/%d", a_str, ntohs(port));
+	close(d->s);
+	d->s = -1;
+	return;
+    }
+}
+
+/*
+ * Allocate descriptors for all the sockets that we should listen on
+ * and return the number of them.
+ */
+
+static int
+init_sockets(struct descr **desc)
+{
+    krb5_error_code ret;
+    int i, j;
+    struct descr *d;
+    int num = 0;
+    krb5_addresses addresses;
+
+    if (explicit_addresses.len) {
+	addresses = explicit_addresses;
+    } else {
+	ret = krb5_get_all_server_addrs (context, &addresses);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+    }
+    parse_ports(port_str);
+    d = malloc(addresses.len * num_ports * sizeof(*d));
+    if (d == NULL)
+	krb5_errx(context, 1, "malloc(%lu) failed",
+		  (unsigned long)num_ports * sizeof(*d));
+
+    for (i = 0; i < num_ports; i++){
+	for (j = 0; j < addresses.len; ++j) {
+	    init_socket(&d[num], &addresses.val[j],
+			ports[i].family, ports[i].type, ports[i].port);
+	    if(d[num].s != -1){
+		char a_str[80];
+		size_t len;
+
+		krb5_print_address (&addresses.val[j], a_str,
+				    sizeof(a_str), &len);
+
+		kdc_log(5, "listening on %s port %u/%s",
+			a_str,
+			ntohs(ports[i].port), 
+			(ports[i].type == SOCK_STREAM) ? "tcp" : "udp");
+		/* XXX */
+		num++;
+	    }
+	}
+    }
+    krb5_free_addresses (context, &addresses);
+    d = realloc(d, num * sizeof(*d));
+    if (d == NULL && num != 0)
+	krb5_errx(context, 1, "realloc(%lu) failed",
+		  (unsigned long)num * sizeof(*d));
+    reinit_descrs (d, num);
+    *desc = d;
+    return num;
+}
+
+/*
+ * handle the request in `buf, len', from `addr' (or `from' as a string),
+ * sending a reply in `reply'.
+ */
+
+static int
+process_request(unsigned char *buf, 
+		size_t len, 
+		krb5_data *reply,
+		int *sendlength,
+		const char *from,
+		struct sockaddr *addr)
+{
+    KDC_REQ req;
+#ifdef KRB4
+    Ticket ticket;
+#endif
+    krb5_error_code ret;
+    size_t i;
+
+    gettimeofday(&now, NULL);
+    if(decode_AS_REQ(buf, len, &req, &i) == 0){
+	ret = as_rep(&req, reply, from, addr);
+	free_AS_REQ(&req);
+	return ret;
+    }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
+	ret = tgs_rep(&req, reply, from, addr);
+	free_TGS_REQ(&req);
+	return ret;
+    }
+#ifdef KRB4
+    else if(maybe_version4(buf, len)){
+	*sendlength = 0; /* elbitapmoc sdrawkcab XXX */
+	do_version4(buf, len, reply, from, (struct sockaddr_in*)addr);
+	return 0;
+    }else if(decode_Ticket(buf, len, &ticket, &i) == 0){
+	ret = do_524(&ticket, reply, from, addr);
+	free_Ticket(&ticket);
+	return ret;
+    }
+#endif
+#ifdef KASERVER
+    else if (enable_kaserver) {
+	ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr);
+	return ret;
+    }
+#endif
+			  
+    return -1;
+}
+
+static void
+addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len)
+{
+    krb5_address a;
+    krb5_sockaddr2address(context, addr, &a);
+    if(krb5_print_address(&a, str, len, &len) == 0) {
+	krb5_free_address(context, &a);
+	return;
+    }
+    krb5_free_address(context, &a);
+    snprintf(str, len, "<family=%d>", addr->sa_family);
+}
+
+/*
+ * Handle the request in `buf, len' to socket `d'
+ */
+
+static void
+do_request(void *buf, size_t len, int sendlength,
+	   struct descr *d)
+{
+    krb5_error_code ret;
+    krb5_data reply;
+    
+    reply.length = 0;
+    ret = process_request(buf, len, &reply, &sendlength,
+			  d->addr_string, d->sa);
+    if(reply.length){
+	kdc_log(5, "sending %d bytes to %s", reply.length, d->addr_string);
+	if(sendlength){
+	    unsigned char len[4];
+	    len[0] = (reply.length >> 24) & 0xff;
+	    len[1] = (reply.length >> 16) & 0xff;
+	    len[2] = (reply.length >> 8) & 0xff;
+	    len[3] = reply.length & 0xff;
+	    if(sendto(d->s, len, sizeof(len), 0, d->sa, d->sock_len) < 0) {
+		kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno));
+		krb5_data_free(&reply);
+		return;
+	    }
+	}
+	if(sendto(d->s, reply.data, reply.length, 0, d->sa, d->sock_len) < 0) {
+	    kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno));
+	    krb5_data_free(&reply);
+	    return;
+	}
+	krb5_data_free(&reply);
+    }
+    if(ret)
+	kdc_log(0, "Failed processing %lu byte request from %s", 
+		(unsigned long)len, d->addr_string);
+}
+
+/*
+ * Handle incoming data to the UDP socket in `d'
+ */
+
+static void
+handle_udp(struct descr *d)
+{
+    unsigned char *buf;
+    int n;
+
+    buf = malloc(max_request);
+    if(buf == NULL){
+	kdc_log(0, "Failed to allocate %lu bytes", (unsigned long)max_request);
+	return;
+    }
+
+    d->sock_len = sizeof(d->__ss);
+    n = recvfrom(d->s, buf, max_request, 0, d->sa, &d->sock_len);
+    if(n < 0)
+	krb5_warn(context, errno, "recvfrom");
+    else {
+	addr_to_string (d->sa, d->sock_len,
+			d->addr_string, sizeof(d->addr_string));
+	do_request(buf, n, 0, d);
+    }
+    free (buf);
+}
+
+static void
+clear_descr(struct descr *d)
+{
+    if(d->buf)
+	memset(d->buf, 0, d->size);
+    d->len = 0;
+    if(d->s != -1)
+	close(d->s);
+    d->s = -1;
+}
+
+
+/* remove HTTP %-quoting from buf */
+static int
+de_http(char *buf)
+{
+    char *p, *q;
+    for(p = q = buf; *p; p++, q++) {
+	if(*p == '%') {
+	    unsigned int x;
+	    if(sscanf(p + 1, "%2x", &x) != 1)
+		return -1;
+	    *q = x;
+	    p += 2;
+	} else
+	    *q = *p;
+    }
+    *q = '\0';
+    return 0;
+}
+
+#define TCP_TIMEOUT 4
+
+/*
+ * accept a new TCP connection on `d[parent]' and store it in `d[child]'
+ */
+
+static void
+add_new_tcp (struct descr *d, int parent, int child)
+{
+    int s;
+
+    if (child == -1)
+	return;
+
+    d[child].sock_len = sizeof(d[child].__ss);
+    s = accept(d[parent].s, d[child].sa, &d[child].sock_len);
+    if(s < 0) {
+	krb5_warn(context, errno, "accept");
+	return;
+    }
+	    
+    if (s >= FD_SETSIZE) {
+	krb5_warnx(context, "socket FD too large");
+	close (s);
+	return;
+    }
+
+    d[child].s = s;
+    d[child].timeout = time(NULL) + TCP_TIMEOUT;
+    d[child].type = SOCK_STREAM;
+    addr_to_string (d[child].sa, d[child].sock_len,
+		    d[child].addr_string, sizeof(d[child].addr_string));
+}
+
+/*
+ * Grow `d' to handle at least `n'.
+ * Return != 0 if fails
+ */
+
+static int
+grow_descr (struct descr *d, size_t n)
+{
+    if (d->size - d->len < n) {
+	unsigned char *tmp;
+
+	d->size += max(1024, d->len + n);
+	if (d->size >= max_request) {
+	    kdc_log(0, "Request exceeds max request size (%lu bytes).",
+		    (unsigned long)d->size);
+	    clear_descr(d);
+	    return -1;
+	}
+	tmp = realloc (d->buf, d->size);
+	if (tmp == NULL) {
+	    kdc_log(0, "Failed to re-allocate %lu bytes.",
+		    (unsigned long)d->size);
+	    clear_descr(d);
+	    return -1;
+	}
+	d->buf = tmp;
+    }
+    return 0;
+}
+
+/*
+ * Try to handle the TCP data at `d->buf, d->len'.
+ * Return -1 if failed, 0 if succesful, and 1 if data is complete.
+ */
+
+static int
+handle_vanilla_tcp (struct descr *d)
+{
+    krb5_storage *sp;
+    int32_t len;
+
+    sp = krb5_storage_from_mem(d->buf, d->len);
+    if (sp == NULL) {
+	kdc_log (0, "krb5_storage_from_mem failed");
+	return -1;
+    }
+    krb5_ret_int32(sp, &len);
+    krb5_storage_free(sp);
+    if(d->len - 4 >= len) {
+	memmove(d->buf, d->buf + 4, d->len - 4);
+	return 1;
+    }
+    return 0;
+}
+
+/*
+ * Try to handle the TCP/HTTP data at `d->buf, d->len'.
+ * Return -1 if failed, 0 if succesful, and 1 if data is complete.
+ */
+
+static int
+handle_http_tcp (struct descr *d)
+{
+    char *s, *p, *t;
+    void *data;
+    char *proto;
+    int len;
+
+    s = (char *)d->buf;
+
+    p = strstr(s, "\r\n");
+    if (p == NULL) {
+	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	return -1;
+    }
+    *p = 0;
+
+    p = NULL;
+    t = strtok_r(s, " \t", &p);
+    if (t == NULL) {
+	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	return -1;
+    }
+    t = strtok_r(NULL, " \t", &p);
+    if(t == NULL) {
+	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	return -1;
+    }
+    data = malloc(strlen(t));
+    if (data == NULL) {
+	kdc_log(0, "Failed to allocate %lu bytes",
+		(unsigned long)strlen(t));
+	return -1;
+    }
+    if(*t == '/')
+	t++;
+    if(de_http(t) != 0) {
+	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	kdc_log(5, "Request: %s", t);
+	free(data);
+	return -1;
+    }
+    proto = strtok_r(NULL, " \t", &p);
+    if (proto == NULL) {
+	kdc_log(0, "Malformed HTTP request from %s", d->addr_string);
+	free(data);
+	return -1;
+    }
+    len = base64_decode(t, data);
+    if(len <= 0){
+	const char *msg = 
+	    " 404 Not found\r\n"
+	    "Server: Heimdal/" VERSION "\r\n"
+	    "Content-type: text/html\r\n"
+	    "Content-transfer-encoding: 8bit\r\n\r\n"
+	    "<TITLE>404 Not found</TITLE>\r\n"
+	    "<H1>404 Not found</H1>\r\n"
+	    "That page doesn't exist, maybe you are looking for "
+	    "<A HREF=\"http://www.pdc.kth.se/heimdal\">Heimdal</A>?\r\n";
+	write(d->s, proto, strlen(proto));
+	write(d->s, msg, strlen(msg));
+	kdc_log(0, "HTTP request from %s is non KDC request", d->addr_string);
+	kdc_log(5, "Request: %s", t);
+	free(data);
+	return -1;
+    }
+    {
+	const char *msg = 
+	    " 200 OK\r\n"
+	    "Server: Heimdal/" VERSION "\r\n"
+	    "Content-type: application/octet-stream\r\n"
+	    "Content-transfer-encoding: binary\r\n\r\n";
+	write(d->s, proto, strlen(proto));
+	write(d->s, msg, strlen(msg));
+    }
+    memcpy(d->buf, data, len);
+    d->len = len;
+    free(data);
+    return 1;
+}
+
+/*
+ * Handle incoming data to the TCP socket in `d[index]'
+ */
+
+static void
+handle_tcp(struct descr *d, int index, int min_free)
+{
+    unsigned char buf[1024];
+    int n;
+    int ret = 0;
+
+    if (d[index].timeout == 0) {
+	add_new_tcp (d, index, min_free);
+	return;
+    }
+
+    n = recvfrom(d[index].s, buf, sizeof(buf), 0, NULL, NULL);
+    if(n < 0){
+	krb5_warn(context, errno, "recvfrom");
+	return;
+    }
+    if (grow_descr (&d[index], n))
+	return;
+    memcpy(d[index].buf + d[index].len, buf, n);
+    d[index].len += n;
+    if(d[index].len > 4 && d[index].buf[0] == 0) {
+	ret = handle_vanilla_tcp (&d[index]);
+    } else if(enable_http &&
+	      d[index].len >= 4 &&
+	      strncmp((char *)d[index].buf, "GET ", 4) == 0 && 
+	      strncmp((char *)d[index].buf + d[index].len - 4,
+		      "\r\n\r\n", 4) == 0) {
+	ret = handle_http_tcp (&d[index]);
+	if (ret < 0)
+	    clear_descr (d + index);
+    } else if (d[index].len > 4) {
+	kdc_log (0, "TCP data of strange type from %s", d[index].addr_string);
+	return;
+    }
+    if (ret < 0)
+	return;
+    else if (ret == 1) {
+	do_request(d[index].buf, d[index].len, 1, &d[index]);
+	clear_descr(d + index);
+    }
+}
+
+void
+loop(void)
+{
+    struct descr *d;
+    int ndescr;
+
+    ndescr = init_sockets(&d);
+    if(ndescr <= 0)
+	krb5_errx(context, 1, "No sockets!");
+    while(exit_flag == 0){
+	struct timeval tmout;
+	fd_set fds;
+	int min_free = -1;
+	int max_fd = 0;
+	int i;
+
+	FD_ZERO(&fds);
+	for(i = 0; i < ndescr; i++) {
+	    if(d[i].s >= 0){
+		if(d[i].type == SOCK_STREAM && 
+		   d[i].timeout && d[i].timeout < time(NULL)) {
+		    kdc_log(1, "TCP-connection from %s expired after %lu bytes",
+			    d[i].addr_string, (unsigned long)d[i].len);
+		    clear_descr(&d[i]);
+		    continue;
+		}
+		if(max_fd < d[i].s)
+		    max_fd = d[i].s;
+		if (max_fd >= FD_SETSIZE)
+		    krb5_errx(context, 1, "fd too large");
+		FD_SET(d[i].s, &fds);
+	    } else if(min_free < 0 || i < min_free)
+		min_free = i;
+	}
+	if(min_free == -1){
+	    struct descr *tmp;
+	    tmp = realloc(d, (ndescr + 4) * sizeof(*d));
+	    if(tmp == NULL)
+		krb5_warnx(context, "No memory");
+	    else {
+		d = tmp;
+		reinit_descrs (d, ndescr);
+		memset(d + ndescr, 0, 4 * sizeof(*d));
+		for(i = ndescr; i < ndescr + 4; i++)
+		    init_descr (&d[i]);
+		min_free = ndescr;
+		ndescr += 4;
+	    }
+	}
+    
+	tmout.tv_sec = TCP_TIMEOUT;
+	tmout.tv_usec = 0;
+	switch(select(max_fd + 1, &fds, 0, 0, &tmout)){
+	case 0:
+	    break;
+	case -1:
+	    if (errno != EINTR)
+		krb5_warn(context, errno, "select");
+	    break;
+	default:
+	    for(i = 0; i < ndescr; i++)
+		if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) {
+		    if(d[i].type == SOCK_DGRAM)
+			handle_udp(&d[i]);
+		    else if(d[i].type == SOCK_STREAM)
+			handle_tcp(d, i, min_free);
+		}
+	}
+    }
+    free (d);
+}
diff --git a/crypto/heimdal/kdc/headers.h b/crypto/heimdal/kdc/headers.h
new file mode 100644
index 0000000..ce0f132
--- /dev/null
+++ b/crypto/heimdal/kdc/headers.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* 
+ * $Id: headers.h,v 1.11 2001/02/15 04:20:53 assar Exp $ 
+ * $FreeBSD$ 
+ */
+
+#ifndef __HEADERS_H__
+#define __HEADERS_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <signal.h>
+#include <stdarg.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#include <base64.h>
+#include <parse_units.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+#include <krb5.h>
+#include <krb5_locl.h>
+#include <hdb.h>
+#include <hdb_err.h>
+#include <der.h> /* copy_octet_string */
+
+#ifdef KRB4
+#include <krb.h>
+#include <prot.h>
+#define Principal Principal4
+#include <krb_db.h>
+#endif
+
+#undef ALLOC
+#define ALLOC(X) ((X) = malloc(sizeof(*(X))))
+#undef ALLOC_SEQ
+#define ALLOC_SEQ(X, N) do { (X)->len = (N); \
+(X)->val = calloc((X)->len, sizeof(*(X)->val)); } while(0)
+
+#endif /* __HEADERS_H__ */
diff --git a/crypto/heimdal/kdc/hprop-common.c b/crypto/heimdal/kdc/hprop-common.c
new file mode 100644
index 0000000..660725f
--- /dev/null
+++ b/crypto/heimdal/kdc/hprop-common.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hprop.h"
+
+RCSID("$Id: hprop-common.c,v 1.7 1999/12/02 17:04:59 joda Exp $");
+
+krb5_error_code 
+send_priv(krb5_context context, krb5_auth_context ac,
+	  krb5_data *data, int fd)
+{
+    krb5_data packet;
+    krb5_error_code ret;
+
+    ret = krb5_mk_priv (context,
+			ac,
+			data,
+			&packet,
+			NULL);
+    if (ret)
+	return ret;
+    
+    ret = krb5_write_message (context, &fd, &packet);
+    krb5_data_free(&packet);
+    return ret;
+}
+
+krb5_error_code
+recv_priv(krb5_context context, krb5_auth_context ac, int fd, krb5_data *out)
+{
+    krb5_error_code ret;
+    krb5_data data;
+
+    ret = krb5_read_message (context, &fd, &data);
+    if (ret)
+	return ret;
+
+    ret = krb5_rd_priv(context, ac, &data, out, NULL);
+    krb5_data_free (&data);
+    return ret;
+}
+
+krb5_error_code
+send_clear(krb5_context context, int fd, krb5_data data)
+{
+    return krb5_write_message (context, &fd, &data);
+}
+
+krb5_error_code
+recv_clear(krb5_context context, int fd, krb5_data *out)
+{
+    return krb5_read_message (context, &fd, out);
+}
diff --git a/crypto/heimdal/kdc/hprop.8 b/crypto/heimdal/kdc/hprop.8
new file mode 100644
index 0000000..ae8ee85
--- /dev/null
+++ b/crypto/heimdal/kdc/hprop.8
@@ -0,0 +1,171 @@
+.\" $Id: hprop.8,v 1.10 2001/06/08 21:35:31 joda Exp $
+.\"
+.Dd June 19, 2000
+.Dt HPROP 8
+.Os HEIMDAL
+.Sh NAME
+.Nm hprop
+.Nd propagate the KDC database
+.Sh SYNOPSIS
+.Nm
+.Oo Fl m Ar file \*(Ba Xo
+.Fl -master-key= Ns Pa file
+.Xc
+.Oc
+.Oo Fl d Ar file \*(Ba Xo
+.Fl -database= Ns Pa file
+.Xc
+.Oc
+.Op Fl -source= Ns Ar heimdal|mit-dump|krb4-db|krb4-dump
+.Op Fl 4 | Fl -v4-db
+.Op Fl K | Fl -ka-db
+.Oo Fl c Ar cell \*(Ba Xo
+.Fl -cell= Ns Ar cell
+.Xc
+.Oc
+.Op Fl S | Fl -kaspecials
+.Oo Fl r Ar string \*(Ba Xo
+.Fl -v4-realm= Ns Ar string
+.Xc
+.Oc
+.Oo Fl k Ar keytab \*(Ba Xo
+.Fl -keytab= Ns Ar keytab
+.Xc
+.Oc
+.Oo Fl R Ar string \*(Ba Xo
+.Fl -v5-realm= Ns Ar string
+.Xc
+.Oc
+.Op Fl D | Fl -decrypt
+.Op Fl E | Fl -encrypt
+.Op Fl n | Fl -stdout
+.Op Fl v | Fl -verbose
+.Op Fl -version
+.Op Fl h | Fl -help
+.Ar host Ns Op : Ns Ar port
+.Ar ...
+.Sh DESCRIPTION
+.Nm
+takes a principal database in a specified format and converts it into
+a stream of Heimdal database records. This stream can either be
+written to standard out, or (more commonly) be propagated to a
+.Xr hpropd 8
+server running on a different machine.
+.Pp
+If propagating, it connects to all
+.Ar hosts
+specified on the command by opening a TCP connection to port 754
+(service hprop) and sends the database in encrypted form.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl m Ar file Ns ,
+.Fl -master-key= Ns Pa file
+.Xc
+Where to find the master key to encrypt or decrypt keys with.
+.It Xo
+.Fl d Ar file Ns ,
+.Fl -database= Ns Pa file
+.Xc
+The database to be propagated.
+.It Xo
+.Fl -source= Ns Ar heimdal|mit-dump|krb4-db|krb4-dump
+.Xc
+Specifies the type of the source database. Alternatives include: 
+.Bl -tag -width krb4-dump
+.It heimdal
+a Heimdal database
+.It mit-dump
+a MIT Kerberos 5 dump file
+.It krb4-db
+a Kerberos 4 database
+.It krb4-dump
+a Kerberos 4 dump file
+.It kaserver
+a Transarc kaserver database
+.El
+.It Xo
+.Fl k Ar keytab Ns ,
+.Fl -keytab= Ns Ar keytab
+.Xc
+The keytab to use for fetching the key to be used for authenticating
+to the propagation daemon(s). The key
+.Pa kadmin/hprop
+is used from this keytab.  The default is to fetch the key from the
+KDC database.
+.It Xo
+.Fl R Ar string Ns ,
+.Fl -v5-realm= Ns Ar string
+.Xc
+Local realm override.
+.It Xo
+.Fl D Ns ,
+.Fl -decrypt
+.Xc
+The encryption keys in the database can either be in clear, or
+encrypted with a master key. This option thansmits the database with
+unencrypted keys.
+.It Xo
+.Fl E Ns ,
+.Fl -encrypt
+.Xc
+This option thansmits the database with encrypted keys.
+.It Xo
+.Fl n Ns ,
+.Fl -stdout
+.Xc
+Dump the database on stdout, in a format that can be fed to hpropd.
+.El
+.Pp
+The following options are only valid if
+.Nm hprop
+is compiled with support for Kerberos 4 (kaserver).
+.Bl -tag -width Ds
+.It Xo
+.Fl r Ar string Ns ,
+.Fl -v4-realm= Ns Ar string
+.Xc
+v4 realm to use
+.It Xo
+.Fl c Ar cell Ns ,
+.Fl -cell= Ns Ar cell
+.Xc
+The AFS cell name, used if reading a kaserver database.
+.It Xo
+.Fl S Ns ,
+.Fl -kaspecials
+.Xc
+Also dump the principals marked as special in the kaserver database.
+.It Xo
+.Fl 4 Ns ,
+.Fl -v4-db
+.Xc
+Deprecated, identical to 
+.Sq --source=krb4-db .
+.It Xo
+.Fl K Ns ,
+.Fl -ka-db
+.Xc
+Deprecated, identical to 
+.Sq --source=kaserver .
+.El
+.Sh EXAMPLES
+The following will propagate a database to another machine (which
+should run
+.Xr hpropd 8):
+.Bd -literal -offset indent
+$ hprop slave-1 slave-2
+.Ed
+.Pp
+Copy a Kerberos 4 database to a Kerberos 5 slave:
+.Bd -literal -offset indent
+$ hprop --source=krb4-db -E krb5-slave
+.Ed
+.Pp
+Convert a Kerberos 4 dump-file for use with a Heimdal KDC:
+.Bd -literal -offset indent
+$ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump -E | hpropd -n
+.Ed
+.Sh SEE ALSO
+.Xr hpropd 8
diff --git a/crypto/heimdal/kdc/hprop.c b/crypto/heimdal/kdc/hprop.c
new file mode 100644
index 0000000..b5d1743
--- /dev/null
+++ b/crypto/heimdal/kdc/hprop.c
@@ -0,0 +1,913 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hprop.h"
+
+RCSID("$Id: hprop.c,v 1.62 2001/02/20 01:44:50 assar Exp $");
+
+static int version_flag;
+static int help_flag;
+static char *ktname = HPROP_KEYTAB;
+static char *database;
+static char *mkeyfile;
+static int to_stdout;
+static int verbose_flag;
+static int encrypt_flag;
+static int decrypt_flag;
+static hdb_master_key mkey5;
+
+static char *source_type;
+
+static char *afs_cell;
+static char *realm;
+
+#ifdef KRB4
+static int v4_db;
+
+static des_cblock mkey4;
+static des_key_schedule msched4;
+
+#ifdef KASERVER_DB
+static int kaspecials_flag;
+static int ka_db;
+static int ka_use_null_salt;
+#endif
+#endif
+
+static char *local_realm=NULL;
+
+static int
+open_socket(krb5_context context, const char *hostname, const char *port)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    error = getaddrinfo (hostname, port, &hints, &ai);
+    if (error) {
+	warnx ("%s: %s", hostname, gai_strerror(error));
+	return -1;
+    }
+    
+    for (a = ai; a != NULL; a = a->ai_next) {
+	int s;
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", hostname);
+	    close (s);
+	    continue;
+	}
+	freeaddrinfo (ai);
+	return s;
+    }
+    warnx ("failed to contact %s", hostname);
+    freeaddrinfo (ai);
+    return -1;
+}
+
+krb5_error_code
+v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata)
+{
+    krb5_error_code ret;
+    struct prop_data *pd = appdata;
+    krb5_data data;
+
+    if(encrypt_flag) {
+	ret = hdb_seal_keys_mkey(context, entry, mkey5);
+	if (ret) {
+	    krb5_warn(context, ret, "hdb_seal_keys_mkey");
+	    return ret;
+	}
+    }
+    if(decrypt_flag) {
+	ret = hdb_unseal_keys_mkey(context, entry, mkey5);
+	if (ret) {
+	    krb5_warn(context, ret, "hdb_unseal_keys_mkey");
+	    return ret;
+	}
+    }	
+
+    ret = hdb_entry2value(context, entry, &data);
+    if(ret) {
+	krb5_warn(context, ret, "hdb_entry2value");
+	return ret;
+    }
+
+    if(to_stdout)
+	ret = krb5_write_message(context, &pd->sock, &data);
+    else
+	ret = krb5_write_priv_message(context, pd->auth_context, 
+				      &pd->sock, &data);
+    krb5_data_free(&data);
+    return ret;
+}
+
+#ifdef KRB4
+
+static char realm_buf[REALM_SZ];
+
+static int
+kdb_prop(void *arg, Principal *p)
+{
+    int ret;
+    struct v4_principal pr;
+
+    memset(&pr, 0, sizeof(pr));
+
+    if(p->attributes != 0) {
+	warnx("%s.%s has non-zero attributes - skipping", 
+	      p->name, p->instance);
+	    return 0;
+    }
+    strlcpy(pr.name, p->name, sizeof(pr.name));
+    strlcpy(pr.instance, p->instance, sizeof(pr.instance));
+
+    copy_to_key(&p->key_low, &p->key_high, pr.key);
+    kdb_encrypt_key(&pr.key, &pr.key, &mkey4, msched4, DES_DECRYPT);
+    pr.exp_date = p->exp_date;
+    pr.mod_date = p->mod_date;
+    strlcpy(pr.mod_name, p->mod_name, sizeof(pr.mod_name));
+    strlcpy(pr.mod_instance, p->mod_instance, sizeof(pr.mod_instance));
+    pr.max_life = p->max_life;
+    pr.mkvno = -1; /* p->kdc_key_ver; */
+    pr.kvno = p->key_version;
+    
+    ret = v4_prop(arg, &pr);
+    memset(&pr, 0, sizeof(pr));
+    return ret;
+}
+
+#endif /* KRB4 */
+
+#ifndef KRB4
+static time_t
+krb_life_to_time(time_t start, int life)
+{
+    static int lifetimes[] = {
+	  38400,   41055,   43894,   46929,   50174,   53643,   57352,   61318,
+	  65558,   70091,   74937,   80119,   85658,   91581,   97914,  104684,
+	 111922,  119661,  127935,  136781,  146239,  156350,  167161,  178720,
+	 191077,  204289,  218415,  233517,  249664,  266926,  285383,  305116,
+	 326213,  348769,  372885,  398668,  426234,  455705,  487215,  520904,
+	 556921,  595430,  636601,  680618,  727680,  777995,  831789,  889303,
+	 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247,
+	1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000
+    };
+
+#if 0
+    int i;
+    double q = exp((log(2592000.0) - log(38400.0)) / 63);
+    double x = 38400;
+    for(i = 0; i < 64; i++) {
+	lifetimes[i] = (int)x;
+	x *= q;
+    }
+#endif
+
+    if(life == 0xff)
+	return NEVERDATE;
+    if(life < 0x80)
+	return start + life * 5 * 60;
+    if(life > 0xbf)
+	life = 0xbf;
+    return start + lifetimes[life - 0x80];
+}
+#endif /* !KRB4 */
+
+int
+v4_prop(void *arg, struct v4_principal *p)
+{
+    struct prop_data *pd = arg;
+    hdb_entry ent;
+    krb5_error_code ret;
+
+    memset(&ent, 0, sizeof(ent));
+
+    ret = krb5_425_conv_principal(pd->context, p->name, p->instance, realm,
+				  &ent.principal);
+    if(ret){
+	krb5_warn(pd->context, ret,
+		  "krb5_425_conv_principal %s.%s@%s",
+		  p->name, p->instance, realm);
+	return 0;
+    }
+
+    if(verbose_flag) {
+	char *s;
+	krb5_unparse_name_short(pd->context, ent.principal, &s);
+	krb5_warnx(pd->context, "%s.%s -> %s", p->name, p->instance, s);
+	free(s);
+    }
+
+    ent.kvno = p->kvno;
+    ent.keys.len = 3;
+    ent.keys.val = malloc(ent.keys.len * sizeof(*ent.keys.val));
+    if(p->mkvno != -1) {
+	ent.keys.val[0].mkvno = malloc (sizeof(*ent.keys.val[0].mkvno));
+#if 0
+	*(ent.keys.val[0].mkvno) = p->mkvno; /* XXX */
+#else
+	*(ent.keys.val[0].mkvno) = 0;
+#endif
+    } else
+	ent.keys.val[0].mkvno = NULL;
+    ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt));
+    ent.keys.val[0].salt->type = KRB5_PADATA_PW_SALT;
+    ent.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
+    krb5_data_alloc(&ent.keys.val[0].key.keyvalue, sizeof(des_cblock));
+    memcpy(ent.keys.val[0].key.keyvalue.data, p->key, 8);
+
+    copy_Key(&ent.keys.val[0], &ent.keys.val[1]);
+    ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
+    copy_Key(&ent.keys.val[0], &ent.keys.val[2]);
+    ent.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
+
+    {
+	int life = krb_life_to_time(0, p->max_life);
+	if(life == NEVERDATE){
+	    ent.max_life = NULL;
+	} else {
+	    /* clean up lifetime a bit */
+	    if(life > 86400)
+		life = (life + 86399) / 86400 * 86400;
+	    else if(life > 3600)
+		life = (life + 3599) / 3600 * 3600;
+	    ALLOC(ent.max_life);
+	    *ent.max_life = life;
+	}
+    }
+
+    ALLOC(ent.valid_end);
+    *ent.valid_end = p->exp_date;
+
+    ret = krb5_make_principal(pd->context, &ent.created_by.principal,
+			      realm,
+			      "kadmin",
+			      "hprop",
+			      NULL);
+    if(ret){
+	krb5_warn(pd->context, ret, "krb5_make_principal");
+	ret = 0;
+	goto out;
+    }
+    ent.created_by.time = time(NULL);
+    ALLOC(ent.modified_by);
+    ret = krb5_425_conv_principal(pd->context, p->mod_name, p->mod_instance, 
+				  realm, &ent.modified_by->principal);
+    if(ret){
+	krb5_warn(pd->context, ret, "%s.%s@%s", p->name, p->instance, realm);
+	ent.modified_by->principal = NULL;
+	ret = 0;
+	goto out;
+    }
+    ent.modified_by->time = p->mod_date;
+
+    ent.flags.forwardable = 1;
+    ent.flags.renewable = 1;
+    ent.flags.proxiable = 1;
+    ent.flags.postdate = 1;
+    ent.flags.client = 1;
+    ent.flags.server = 1;
+    
+    /* special case password changing service */
+    if(strcmp(p->name, "changepw") == 0 && 
+       strcmp(p->instance, "kerberos") == 0) {
+	ent.flags.forwardable = 0;
+	ent.flags.renewable = 0;
+	ent.flags.proxiable = 0;
+	ent.flags.postdate = 0;
+	ent.flags.initial = 1;
+	ent.flags.change_pw = 1;
+    }
+
+    ret = v5_prop(pd->context, NULL, &ent, pd);
+
+    if (strcmp (p->name, "krbtgt") == 0
+	&& strcmp (realm, p->instance) != 0) {
+	krb5_free_principal (pd->context, ent.principal);
+	ret = krb5_425_conv_principal (pd->context, p->name,
+				       realm, p->instance,
+				       &ent.principal);
+	if (ret == 0)
+	    ret = v5_prop (pd->context, NULL, &ent, pd);
+    }
+
+  out:
+    hdb_free_entry(pd->context, &ent);
+    return ret;
+}
+
+#ifdef KRB4
+#ifdef KASERVER_DB
+
+#include "kadb.h"
+
+/* read a `ka_entry' from `fd' at offset `pos' */
+static void
+read_block(krb5_context context, int fd, int32_t pos, void *buf, size_t len)
+{
+    krb5_error_code ret;
+    if(lseek(fd, 64 + pos, SEEK_SET) == (off_t)-1)
+	krb5_err(context, 1, errno, "lseek(%u)", 64 + pos);
+    ret = read(fd, buf, len);
+    if(ret < 0)
+	krb5_err(context, 1, errno, "read(%u)", len);
+    if(ret != len)
+	krb5_errx(context, 1, "read(%u) = %u", len, ret);
+}
+
+static int
+ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent,
+	   const char *cell)
+{
+    int32_t flags = ntohl(ent->flags);
+    krb5_error_code ret;
+    hdb_entry hdb;
+
+    if(!kaspecials_flag
+       && (flags & KAFNORMAL) == 0) /* remove special entries */
+	return 0;
+    memset(&hdb, 0, sizeof(hdb));
+    ret = krb5_425_conv_principal(pd->context, ent->name, ent->instance, realm,
+				  &hdb.principal);
+    if(ret) {
+	krb5_warn(pd->context, ret,
+		  "krb5_425_conv_principal (%s.%s@%s)",
+		  ent->name, ent->instance, realm);
+	return 0;
+    }
+    hdb.kvno = ntohl(ent->kvno);
+    hdb.keys.len = 3;
+    hdb.keys.val = malloc(hdb.keys.len * sizeof(*hdb.keys.val));
+    hdb.keys.val[0].mkvno = NULL;
+    hdb.keys.val[0].salt = calloc(1, sizeof(*hdb.keys.val[0].salt));
+    if (ka_use_null_salt) {
+	hdb.keys.val[0].salt->type = hdb_pw_salt;
+	hdb.keys.val[0].salt->salt.data = NULL;
+	hdb.keys.val[0].salt->salt.length = 0;
+    } else {
+	hdb.keys.val[0].salt->type = hdb_afs3_salt;
+	hdb.keys.val[0].salt->salt.data = strdup(cell);
+	hdb.keys.val[0].salt->salt.length = strlen(cell);
+    }
+    
+    hdb.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
+    krb5_data_copy(&hdb.keys.val[0].key.keyvalue, ent->key, sizeof(ent->key));
+    copy_Key(&hdb.keys.val[0], &hdb.keys.val[1]);
+    hdb.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
+    copy_Key(&hdb.keys.val[0], &hdb.keys.val[2]);
+    hdb.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
+
+    ALLOC(hdb.max_life);
+    *hdb.max_life = ntohl(ent->max_life);
+
+    if(ntohl(ent->valid_end) != NEVERDATE && ntohl(ent->valid_end) != -1){
+	ALLOC(hdb.valid_end);
+	*hdb.valid_end = ntohl(ent->valid_end);
+    }
+    
+    if (ntohl(ent->pw_change) != NEVERDATE && 
+	ent->pw_expire != 255 &&
+	ent->pw_expire != 0) {
+	ALLOC(hdb.pw_end);
+	*hdb.pw_end = ntohl(ent->pw_change)
+	    + 24 * 60 * 60 * ent->pw_expire;
+    }
+
+    ret = krb5_make_principal(pd->context, &hdb.created_by.principal,
+			      realm,
+			      "kadmin",
+			      "hprop",
+			      NULL);
+    hdb.created_by.time = time(NULL);
+
+    if(ent->mod_ptr){
+	struct ka_entry mod;
+	ALLOC(hdb.modified_by);
+	read_block(pd->context, fd, ntohl(ent->mod_ptr), &mod, sizeof(mod));
+	
+	krb5_425_conv_principal(pd->context, mod.name, mod.instance, realm, 
+				&hdb.modified_by->principal);
+	hdb.modified_by->time = ntohl(ent->mod_time);
+	memset(&mod, 0, sizeof(mod));
+    }
+
+    hdb.flags.forwardable = 1;
+    hdb.flags.renewable = 1;
+    hdb.flags.proxiable = 1;
+    hdb.flags.postdate = 1;
+    /* XXX - AFS 3.4a creates krbtgt.REALMOFCELL as NOTGS+NOSEAL */
+    if (strcmp(ent->name, "krbtgt") == 0 &&
+	(flags & (KAFNOTGS|KAFNOSEAL)) == (KAFNOTGS|KAFNOSEAL))
+	flags &= ~(KAFNOTGS|KAFNOSEAL);
+
+    hdb.flags.client = (flags & KAFNOTGS) == 0;
+    hdb.flags.server = (flags & KAFNOSEAL) == 0;
+
+    ret = v5_prop(pd->context, NULL, &hdb, pd);
+    hdb_free_entry(pd->context, &hdb);
+    return ret;
+}
+
+static int
+ka_dump(struct prop_data *pd, const char *file, const char *cell)
+{
+    struct ka_header header;
+    int i;
+    int fd = open(file, O_RDONLY);
+
+    if(fd < 0)
+	krb5_err(pd->context, 1, errno, "open(%s)", file);
+    read_block(pd->context, fd, 0, &header, sizeof(header));
+    if(header.version1 != header.version2)
+	krb5_errx(pd->context, 1, "Version mismatch in header: %ld/%ld",
+		  (long)ntohl(header.version1), (long)ntohl(header.version2));
+    if(ntohl(header.version1) != 5)
+	krb5_errx(pd->context, 1, "Unknown database version %ld (expected 5)", 
+		  (long)ntohl(header.version1));
+    for(i = 0; i < ntohl(header.hashsize); i++){
+	int32_t pos = ntohl(header.hash[i]);
+	while(pos){
+	    struct ka_entry ent;
+	    read_block(pd->context, fd, pos, &ent, sizeof(ent));
+	    ka_convert(pd, fd, &ent, cell);
+	    pos = ntohl(ent.next);
+	}
+    }
+    return 0;
+}
+
+#endif /* KASERVER_DB */
+
+#endif /* KRB4 */
+
+
+struct getargs args[] = {
+    { "master-key", 'm', arg_string, &mkeyfile, "v5 master key file", "file" },
+    { "database", 'd',	arg_string, &database, "database", "file" },
+    { "source",   0,	arg_string, &source_type, "type of database to read", 
+      "heimdal"
+      "|mit-dump"
+      "|krb4-dump"
+#ifdef KRB4
+      "|krb4-db"
+#ifdef KASERVER_DB
+      "|kaserver"
+#endif
+#endif
+    },
+      
+#ifdef KRB4
+    { "v4-db",    '4',	arg_flag, &v4_db },
+#endif
+    { "v4-realm", 'r',  arg_string, &realm, "v4 realm to use" },
+#ifdef KASERVER_DB
+    { "ka-db",	  'K',  arg_flag, &ka_db },
+    { "cell",	  'c',  arg_string, &afs_cell, "name of AFS cell" },
+    { "kaspecials", 'S', arg_flag,   &kaspecials_flag, "dump KASPECIAL keys"},
+#endif
+    { "keytab",   'k',	arg_string, &ktname, "keytab to use for authentication", "keytab" },
+    { "v5-realm", 'R',  arg_string, &local_realm, "v5 realm to use" },
+    { "decrypt",  'D',  arg_flag,   &decrypt_flag,   "decrypt keys" },
+    { "encrypt",  'E',  arg_flag,   &encrypt_flag,   "encrypt keys" },
+    { "stdout",	  'n',  arg_flag,   &to_stdout, "dump to stdout" },
+    { "verbose",  'v',	arg_flag, &verbose_flag },
+    { "version",   0,	arg_flag, &version_flag },
+    { "help",     'h',	arg_flag, &help_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "host ...");
+    exit (ret);
+}
+
+static void
+get_creds(krb5_context context, krb5_ccache *cache)
+{
+    krb5_keytab keytab;
+    krb5_principal client;
+    krb5_error_code ret;
+    krb5_get_init_creds_opt init_opts;
+    krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP;
+    krb5_creds creds;
+    
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret) krb5_err(context, 1, ret, "krb5_kt_register");
+
+    ret = krb5_kt_resolve(context, ktname, &keytab);
+    if(ret) krb5_err(context, 1, ret, "krb5_kt_resolve");
+    
+    ret = krb5_make_principal(context, &client, NULL, 
+			      "kadmin", HPROP_NAME, NULL);
+    if(ret) krb5_err(context, 1, ret, "krb5_make_principal");
+
+    krb5_get_init_creds_opt_init(&init_opts);
+    krb5_get_init_creds_opt_set_preauth_list(&init_opts, &preauth, 1);
+
+    ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 0, NULL, &init_opts);
+    if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
+    
+    ret = krb5_kt_close(context, keytab);
+    if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
+    
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new");
+
+    ret = krb5_cc_initialize(context, *cache, client);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+    ret = krb5_cc_store_cred(context, *cache, &creds);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
+}
+
+enum hprop_source {
+    HPROP_HEIMDAL = 1,
+    HPROP_KRB4_DB,
+    HPROP_KRB4_DUMP,
+    HPROP_KASERVER,
+    HPROP_MIT_DUMP
+};
+
+#define IS_TYPE_V4(X) ((X) == HPROP_KRB4_DB || (X) == HPROP_KRB4_DUMP || (X) == HPROP_KASERVER)
+
+struct {
+    int type;
+    const char *name;
+} types[] = {
+    { HPROP_HEIMDAL,	"heimdal" },
+    { HPROP_KRB4_DUMP,	"krb4-dump" },
+#ifdef KRB4
+    { HPROP_KRB4_DB,	"krb4-db" },
+#ifdef KASERVER_DB
+    { HPROP_KASERVER, 	"kaserver" },
+#endif
+#endif
+    { HPROP_MIT_DUMP,	"mit-dump" }
+};
+
+static int
+parse_source_type(const char *s)
+{
+    int i;
+    for(i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
+	if(strstr(types[i].name, s) == types[i].name)
+	    return types[i].type;
+    }
+    return 0;
+}
+
+static void
+iterate (krb5_context context,
+	 const char *database,
+	 const char *afs_cell,
+	 HDB *db,
+	 int type,
+	 struct prop_data *pd)
+{
+    int ret;
+
+    switch(type) {
+    case HPROP_KRB4_DUMP:
+	ret = v4_prop_dump(pd, database);
+	break;
+#ifdef KRB4
+    case HPROP_KRB4_DB:
+	ret = kerb_db_iterate ((k_iter_proc_t)kdb_prop, pd);
+	if(ret)
+	    krb5_errx(context, 1, "kerb_db_iterate: %s", 
+		      krb_get_err_text(ret));
+	break;
+#ifdef KASERVER_DB
+    case HPROP_KASERVER:
+	ret = ka_dump(pd, database, afs_cell);
+	if(ret)
+	    krb5_errx(context, 1, "ka_dump: %s", krb_get_err_text(ret));
+	break;
+#endif
+#endif /* KRB4 */
+    case HPROP_MIT_DUMP:
+	ret = mit_prop_dump(pd, database);
+	if (ret)
+	    krb5_errx(context, 1, "mit_prop_dump: %s",
+		      krb5_get_err_text(context, ret));
+	break;
+    case HPROP_HEIMDAL:
+	ret = hdb_foreach(context, db, HDB_F_DECRYPT, v5_prop, pd);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_foreach");
+	break;
+    }
+}
+
+static int
+dump_database (krb5_context context, int type,
+	       const char *database, const char *afs_cell,
+	       HDB *db)
+{
+    krb5_error_code ret;
+    struct prop_data pd;
+    krb5_data data;
+
+    pd.context      = context;
+    pd.auth_context = NULL;
+    pd.sock         = STDOUT_FILENO;
+	
+    iterate (context, database, afs_cell, db, type, &pd);
+    krb5_data_zero (&data);
+    ret = krb5_write_message (context, &pd.sock, &data);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_write_message");
+
+    return 0;
+}
+
+static int
+propagate_database (krb5_context context, int type,
+		    const char *database, const char *afs_cell,
+		    HDB *db, krb5_ccache ccache,
+		    int optind, int argc, char **argv)
+{
+    krb5_principal server;
+    krb5_error_code ret;
+    int i;
+
+    for(i = optind; i < argc; i++){
+	krb5_auth_context auth_context;
+	int fd;
+	struct prop_data pd;
+	krb5_data data;
+
+	char *port, portstr[NI_MAXSERV];
+	
+	port = strchr(argv[i], ':');
+	if(port == NULL) {
+	    snprintf(portstr, sizeof(portstr), "%u", 
+		     ntohs(krb5_getportbyname (context, "hprop", "tcp", 
+					       HPROP_PORT)));
+	    port = portstr;
+	} else
+	    *port++ = '\0';
+
+	fd = open_socket(context, argv[i], port);
+	if(fd < 0) {
+	    krb5_warn (context, errno, "connect %s", argv[i]);
+	    continue;
+	}
+
+	ret = krb5_sname_to_principal(context, argv[i],
+				      HPROP_NAME, KRB5_NT_SRV_HST, &server);
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_sname_to_principal(%s)", argv[i]);
+	    close(fd);
+	    continue;
+	}
+
+        if (local_realm) {
+            krb5_realm my_realm;
+            krb5_get_default_realm(context,&my_realm);
+
+            krb5_princ_set_realm(context,server,&my_realm);
+        }
+    
+	auth_context = NULL;
+	ret = krb5_sendauth(context,
+			    &auth_context,
+			    &fd,
+			    HPROP_VERSION,
+			    NULL,
+			    server,
+			    AP_OPTS_MUTUAL_REQUIRED,
+			    NULL, /* in_data */
+			    NULL, /* in_creds */
+			    ccache,
+			    NULL,
+			    NULL,
+			    NULL);
+
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_sendauth");
+	    close(fd);
+	    continue;
+	}
+
+	pd.context      = context;
+	pd.auth_context = auth_context;
+	pd.sock         = fd;
+
+	iterate (context, database, afs_cell, db, type, &pd);
+
+	krb5_data_zero (&data);
+	ret = krb5_write_priv_message(context, auth_context, &fd, &data);
+	if(ret)
+	    krb5_warn(context, ret, "krb5_write_priv_message");
+
+	ret = krb5_read_priv_message(context, auth_context, &fd, &data);
+	if(ret)
+	    krb5_warn(context, ret, "krb5_read_priv_message");
+	else
+	    krb5_data_free (&data);
+	
+	krb5_auth_con_free(context, auth_context);
+	close(fd);
+    }
+    return 0;
+}
+
+#ifdef KRB4
+
+static void
+v4_get_masterkey (krb5_context context, char *database)
+{
+    int e;
+
+    e = kerb_db_set_name (database);
+    if(e)
+	krb5_errx(context, 1, "kerb_db_set_name: %s",
+		  krb_get_err_text(e));
+    e = kdb_get_master_key(0, &mkey4, msched4);
+    if(e)
+	krb5_errx(context, 1, "kdb_get_master_key: %s",
+		  krb_get_err_text(e));
+    e = kdb_verify_master_key(&mkey4, msched4, NULL);
+    if (e < 0)
+	krb5_errx(context, 1, "kdb_verify_master_key failed");
+}
+
+#endif
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache ccache;
+    HDB *db;
+    int optind = 0;
+
+    int type = 0;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+
+    if(help_flag)
+	usage(0);
+    
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    ret = krb5_init_context(&context);
+    if(ret)
+	exit(1);
+
+    if(local_realm)
+	krb5_set_default_realm(context, local_realm);
+
+
+    if(encrypt_flag && decrypt_flag)
+	krb5_errx(context, 1, 
+		  "only one of `--encrypt' and `--decrypt' is meaningful");
+
+#ifdef KRB4
+    if(v4_db) {
+	if(type != 0)
+	    krb5_errx(context, 1, "more than one database type specified");
+	type = HPROP_KRB4_DB;
+    }
+#ifdef KASERVER_DB
+    if(ka_db) {
+	if(type != 0)
+	    krb5_errx(context, 1, "more than one database type specified");
+	type = HPROP_KASERVER;
+    }
+#endif
+#endif
+
+    if(source_type != NULL) {
+	if(type != 0)
+	    krb5_errx(context, 1, "more than one database type specified");
+	type = parse_source_type(source_type);
+	if(type == 0)
+	    krb5_errx(context, 1, "unknown source type `%s'", source_type);
+    } else if(type == 0)
+	type = HPROP_HEIMDAL;
+
+    if(!to_stdout)
+	get_creds(context, &ccache);
+    
+    if(decrypt_flag || encrypt_flag) {
+	ret = hdb_read_master_key(context, mkeyfile, &mkey5);
+	if(ret && ret != ENOENT)
+	    krb5_err(context, 1, ret, "hdb_read_master_key");
+	if(ret)
+	    krb5_errx(context, 1, "No master key file found");
+    }
+    
+#ifdef KRB4
+    if (IS_TYPE_V4(type)) {
+	int e;
+
+	if (realm == NULL) {
+	    e = krb_get_lrealm(realm_buf, 1);
+	    if(e)
+		krb5_errx(context, 1, "krb_get_lrealm: %s",
+			  krb_get_err_text(e));
+	    realm = realm_buf;
+	}
+    }
+#endif
+
+    switch(type) {
+#ifdef KRB4
+    case HPROP_KRB4_DB:
+	if (database == NULL)
+	    krb5_errx(context, 1, "no database specified");
+	v4_get_masterkey (context, database);
+	break;
+#ifdef KASERVER_DB
+    case HPROP_KASERVER:
+	if (database == NULL)
+	    database = DEFAULT_DATABASE;
+	ka_use_null_salt = krb5_config_get_bool_default(context, NULL, FALSE, 
+							"hprop", 
+							"afs_uses_null_salt", 
+							NULL);
+
+	break;
+#endif
+#endif /* KRB4 */
+    case HPROP_KRB4_DUMP:
+	if (database == NULL)
+	    krb5_errx(context, 1, "no dump file specified");
+#ifdef KRB4
+	v4_get_masterkey (context, database);
+#endif
+	break;
+    case HPROP_MIT_DUMP:
+	if (database == NULL)
+	    krb5_errx(context, 1, "no dump file specified");
+	break;
+    case HPROP_HEIMDAL:
+	ret = hdb_create (context, &db, database);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_create: %s", database);
+	ret = db->open(context, db, O_RDONLY, 0);
+	if(ret)
+	    krb5_err(context, 1, ret, "db->open");
+	break;
+    default:
+	krb5_errx(context, 1, "unknown dump type `%d'", type);
+	break;
+    }
+
+    if (to_stdout)
+	dump_database (context, type, database, afs_cell, db);
+    else
+	propagate_database (context, type, database, afs_cell,
+			    db, ccache, optind, argc, argv);
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/hprop.cat8 b/crypto/heimdal/kdc/hprop.cat8
new file mode 100644
index 0000000..f6c70b4
--- /dev/null
+++ b/crypto/heimdal/kdc/hprop.cat8
@@ -0,0 +1,103 @@
+
+HPROP(8)                 UNIX System Manager's Manual                 HPROP(8)
+
+NNAAMMEE
+     hhpprroopp - propagate the KDC database
+
+SSYYNNOOPPSSIISS
+     hhpprroopp [--mm _f_i_l_e | ----mmaasstteerr--kkeeyy==_f_i_l_e] [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e]
+     [----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_r_b_4_-_d_u_m_p] [--44 | ----vv44--ddbb] [--KK |
+     ----kkaa--ddbb] [--cc _c_e_l_l | ----cceellll==_c_e_l_l] [--SS | ----kkaassppeecciiaallss] [--rr _s_t_r_i_n_g |
+     ----vv44--rreeaallmm==_s_t_r_i_n_g] [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--RR _s_t_r_i_n_g |
+     ----vv55--rreeaallmm==_s_t_r_i_n_g] [--DD | ----ddeeccrryypptt] [--EE | ----eennccrryypptt] [--nn | ----ssttddoouutt] [--vv
+     | ----vveerrbboossee] [----vveerrssiioonn] [--hh | ----hheellpp] _h_o_s_t[:_p_o_r_t] _._._.
+
+DDEESSCCRRIIPPTTIIOONN
+     hhpprroopp takes a principal database in a specified format and converts it
+     into a stream of Heimdal database records. This stream can either be
+     written to standard out, or (more commonly) be propagated to a hpropd(8)
+     server running on a different machine.
+
+     If propagating, it connects to all _h_o_s_t_s specified on the command by
+     opening a TCP connection to port 754 (service hprop) and sends the
+     database in encrypted form.
+
+     Supported options:
+
+     --mm _f_i_l_e, ----mmaasstteerr--kkeeyy==_f_i_l_e
+             Where to find the master key to encrypt or decrypt keys with.
+
+     --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e
+             The database to be propagated.
+
+     ----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_r_b_4_-_d_u_m_p
+             Specifies the type of the source database. Alternatives include:
+
+             heimdal    a Heimdal database
+
+             mit-dump   a MIT Kerberos 5 dump file
+
+             krb4-db    a Kerberos 4 database
+
+             krb4-dump  a Kerberos 4 dump file
+
+             kaserver   a Transarc kaserver database
+
+     --kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b
+             The keytab to use for fetching the key to be used for authenti-
+             cating to the propagation daemon(s). The key _k_a_d_m_i_n_/_h_p_r_o_p is used
+             from this keytab.  The default is to fetch the key from the KDC
+             database.
+
+     --RR _s_t_r_i_n_g, ----vv55--rreeaallmm==_s_t_r_i_n_g
+             Local realm override.
+
+     --DD, ----ddeeccrryypptt
+             The encryption keys in the database can either be in clear, or
+             encrypted with a master key. This option thansmits the database
+             with unencrypted keys.
+
+     --EE, ----eennccrryypptt
+             This option thansmits the database with encrypted keys.
+
+     --nn, ----ssttddoouutt
+             Dump the database on stdout, in a format that can be fed to
+             hpropd.
+
+     The following options are only valid if hhpprroopp is compiled with support
+     for Kerberos 4 (kaserver).
+
+     --rr _s_t_r_i_n_g, ----vv44--rreeaallmm==_s_t_r_i_n_g
+             v4 realm to use
+
+     --cc _c_e_l_l, ----cceellll==_c_e_l_l
+             The AFS cell name, used if reading a kaserver database.
+
+     --SS, ----kkaassppeecciiaallss
+             Also dump the principals marked as special in the kaserver
+             database.
+
+     --44, ----vv44--ddbb
+             Deprecated, identical to `--source=krb4-db'.
+
+     --KK, ----kkaa--ddbb
+             Deprecated, identical to `--source=kaserver'.
+
+EEXXAAMMPPLLEESS
+     The following will propagate a database to another machine (which should
+     run hpropd(8):)
+
+           $ hprop slave-1 slave-2
+
+     Copy a Kerberos 4 database to a Kerberos 5 slave:
+
+           $ hprop --source=krb4-db -E krb5-slave
+
+     Convert a Kerberos 4 dump-file for use with a Heimdal KDC:
+
+           $ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump -E | hpropd -n
+
+SSEEEE AALLSSOO
+     hpropd(8)
+
+ HEIMDAL                         June 19, 2000                               2
diff --git a/crypto/heimdal/kdc/hprop.h b/crypto/heimdal/kdc/hprop.h
new file mode 100644
index 0000000..0bcab88
--- /dev/null
+++ b/crypto/heimdal/kdc/hprop.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: hprop.h,v 1.13 2001/01/26 15:54:19 joda Exp $ */
+
+#ifndef __HPROP_H__
+#define __HPROP_H__
+
+#include "headers.h"
+
+struct prop_data{
+    krb5_context context;
+    krb5_auth_context auth_context;
+    int sock;
+};
+
+#define HPROP_VERSION "hprop-0.0"
+#define HPROP_NAME "hprop"
+#define HPROP_KEYTAB "HDB:"
+#define HPROP_PORT 754
+
+#ifndef NEVERDATE
+#define NEVERDATE ((1U << 31) - 1)
+#endif
+
+krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry*, void*);
+int mit_prop_dump(void*, const char*);
+
+struct v4_principal {
+    char name[64];
+    char instance[64];
+    des_cblock key;
+    int kvno;
+    int mkvno;
+    time_t exp_date;
+    time_t mod_date;
+    char mod_name[64];
+    char mod_instance[64];
+    int max_life;
+};
+
+int v4_prop(void*, struct v4_principal*);
+int v4_prop_dump(void *arg, const char*);
+
+#endif /* __HPROP_H__ */
diff --git a/crypto/heimdal/kdc/hpropd.8 b/crypto/heimdal/kdc/hpropd.8
new file mode 100644
index 0000000..dd26547
--- /dev/null
+++ b/crypto/heimdal/kdc/hpropd.8
@@ -0,0 +1,74 @@
+.\" $Id: hpropd.8,v 1.7 2001/06/08 21:35:32 joda Exp $
+.\"
+.Dd August 27, 1997
+.Dt HPROPD 8
+.Os HEIMDAL
+.Sh NAME
+.Nm hpropd
+.Nd receive a propagated database
+.Sh SYNOPSIS
+.Nm
+.Oo Fl d Ar file \*(Ba Xo
+.Fl -database= Ns Ar file
+.Xc
+.Oc
+.Op Fl n | Fl -stdin
+.Op Fl -print
+.Op Fl i | Fl -no-inetd
+.Oo Fl k Ar keytab \*(Ba Xo
+.Fl -keytab= Ns Ar keytab
+.Xc
+.Oc
+.Op Fl 4 | Fl -v4dump
+.Sh DESCRIPTION
+.Nm
+receives databases sent by
+.Nm hprop .
+and writes it as a local database.
+.Pp
+By default,
+.Nm
+expects to be started from
+.Nm inetd
+if stdin is a socket and expects to receive the dumped database over
+stdin otherwise.
+If the database is sent over the network, it is authenticated and
+encrypted.
+Only connections from
+.Li kadmin/hprop
+are accepted.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Xo
+.Fl d Ar file Ns ,
+.Fl -database= Ns Ar file
+.Xc
+database
+.It Xo
+.Fl n Ns ,
+.Fl -stdin
+.Xc
+read from stdin
+.It Xo
+.Fl -print
+.Xc
+print dump to stdout
+.It Xo
+.Fl i Ns ,
+.Fl -no-inetd
+.Xc
+Not started from inetd
+.It Xo
+.Fl k Ar keytab Ns ,
+.Fl -keytab= Ns Ar keytab
+.Xc
+keytab to use for authentication
+.It Xo
+.Fl 4 Ns ,
+.Fl -v4dump
+.Xc
+create v4 type DB
+.El
+.Sh SEE ALSO
+.Xr hprop 8
diff --git a/crypto/heimdal/kdc/hpropd.c b/crypto/heimdal/kdc/hpropd.c
new file mode 100644
index 0000000..da5498b
--- /dev/null
+++ b/crypto/heimdal/kdc/hpropd.c
@@ -0,0 +1,434 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hprop.h"
+
+RCSID("$Id: hpropd.c,v 1.32 2001/02/20 01:44:50 assar Exp $");
+
+#ifdef KRB4
+static des_cblock mkey4;
+static des_key_schedule msched4;
+
+static char *
+time2str(time_t t)
+{
+    static char buf[128];
+    strftime(buf, sizeof(buf), "%Y%m%d%H%M", gmtime(&t));
+    return buf;
+}
+
+static int 
+dump_krb4(krb5_context context, hdb_entry *ent, int fd)
+{
+    char name[ANAME_SZ];  
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+    char buf[1024];
+    char *p;
+    int i;
+    int ret;
+    char *princ_name;
+    Event *modifier;
+    krb5_realm *realms;
+    int cmp;
+  
+    ret = krb5_524_conv_principal(context, ent->principal,
+				  name, instance, realm);
+    if (ret) {
+	krb5_unparse_name(context, ent->principal, &princ_name);
+	krb5_warn(context, ret, "%s", princ_name);
+	free(princ_name);
+	return -1;
+    }
+
+    ret = krb5_get_default_realms (context, &realms);
+    if (ret) {
+	krb5_warn(context, ret, "krb5_get_default_realms");
+	return -1;
+    }
+
+    cmp = strcmp (realms[0], ent->principal->realm);
+    krb5_free_host_realm (context, realms);
+    if (cmp != 0)
+        return -1;
+
+    snprintf (buf, sizeof(buf), "%s %s ", name,
+	      (strlen(instance) != 0) ? instance : "*");
+
+    if (ent->max_life) { 
+	asprintf(&p, "%d", krb_time_to_life(0, *ent->max_life));
+	strcat(buf, p);
+	free(p);
+    } else 
+	strcat(buf, "255"); 
+    strcat(buf, " ");
+
+    i = 0;
+    while (i < ent->keys.len &&
+	   ent->keys.val[i].key.keytype != KEYTYPE_DES)
+	++i;
+
+    if (i == ent->keys.len) {
+	krb5_warnx(context, "No DES key for %s.%s", name, instance);
+	return -1;
+    }
+
+    if (ent->keys.val[i].mkvno)
+	asprintf(&p, "%d ", *ent->keys.val[i].mkvno);
+    else
+	asprintf(&p, "%d ", 1);
+    strcat(buf, p);
+    free(p);
+
+    asprintf(&p, "%d ", ent->kvno);
+    strcat(buf, p);
+    free(p);
+
+    asprintf(&p, "%d ", 0); /* Attributes are always 0*/  
+    strcat(buf, p);
+    free(p);
+
+    { 
+	u_int32_t *key = ent->keys.val[i].key.keyvalue.data;
+	kdb_encrypt_key((des_cblock*)key, (des_cblock*)key,
+			&mkey4, msched4, DES_ENCRYPT);
+	asprintf(&p, "%x %x ", (int)htonl(*key), (int)htonl(*(key+1)));
+	strcat(buf, p);
+	free(p);
+    }
+ 
+    if (ent->valid_end == NULL)
+	strcat(buf, time2str(60*60*24*365*50)); /* no expiration */
+    else
+	strcat(buf, time2str(*ent->valid_end));
+    strcat(buf, " ");
+
+    if (ent->modified_by == NULL) 
+	modifier = &ent->created_by;
+    else  
+	modifier = ent->modified_by;
+    
+    ret = krb5_524_conv_principal(context, modifier->principal,
+				  name, instance, realm);
+    if (ret) { 
+	krb5_unparse_name(context, modifier->principal, &princ_name);
+	krb5_warn(context, ret, "%s", princ_name);
+	free(princ_name);
+	return -1;
+    } 
+    asprintf(&p, "%s %s %s\n", time2str(modifier->time), 
+	     (strlen(name) != 0) ? name : "*", 
+	     (strlen(instance) != 0) ? instance : "*");
+    strcat(buf, p);
+    free(p);
+
+    ret = write(fd, buf, strlen(buf));
+    if (ret == -1)
+	krb5_warnx(context, "write");
+    return 0;
+}
+#endif /* KRB4 */
+
+static int inetd_flag = -1;
+static int help_flag;
+static int version_flag;
+static int print_dump;
+static char *database = HDB_DEFAULT_DB;
+static int from_stdin;
+#ifdef KRB4
+static int v4dump;
+#endif
+static char *ktname = NULL;
+
+struct getargs args[] = {
+    { "database", 'd', arg_string, &database, "database", "file" },
+    { "stdin",    'n', arg_flag, &from_stdin, "read from stdin" },
+    { "print",	    0, arg_flag, &print_dump, "print dump to stdout" },
+    { "inetd",	   'i',	arg_negative_flag,	&inetd_flag,
+      "Not started from inetd" },
+    { "keytab",   'k',	arg_string, &ktname,	"keytab to use for authentication", "keytab" },
+#ifdef KRB4
+    { "v4dump",       '4',  arg_flag, &v4dump, "create v4 type DB" },
+#endif
+    { "version",    0, arg_flag, &version_flag, NULL, NULL },
+    { "help",    'h',  arg_flag, &help_flag, NULL, NULL}
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int ret)
+{
+    arg_printusage (args, num_args, NULL, "");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_auth_context ac = NULL;
+    krb5_principal c1, c2;
+    krb5_authenticator authent;
+    krb5_keytab keytab;
+    int fd;
+    HDB *db;
+    int optind = 0;
+    char *tmp_db;
+    krb5_log_facility *fac;
+    int nprincs;
+#ifdef KRB4
+    int e;
+    int fd_out = -1;
+#endif
+
+    setprogname(argv[0]);
+
+    ret = krb5_init_context(&context);
+    if(ret)
+	exit(1);
+
+    ret = krb5_openlog(context, "hpropd", &fac);
+    if(ret)
+	;
+    krb5_set_warn_dest(context, fac);
+  
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+
+#ifdef KRB4
+    if (v4dump && database == HDB_DEFAULT_DB)
+       database = "/var/kerberos/524_dump";
+#endif /* KRB4 */
+    
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0)
+	usage(1);
+
+    if(from_stdin)
+	fd = STDIN_FILENO;
+    else {
+	struct sockaddr_storage ss;
+	struct sockaddr *sa = (struct sockaddr *)&ss;
+	socklen_t sin_len = sizeof(ss);
+	char addr_name[256];
+	krb5_ticket *ticket;
+	char *server;
+
+	fd = STDIN_FILENO;
+	if (inetd_flag == -1) {
+	    if (getpeername (fd, sa, &sin_len) < 0)
+		inetd_flag = 0;
+	    else
+		inetd_flag = 1;
+	}
+	if (!inetd_flag) {
+	    mini_inetd (krb5_getportbyname (context, "hprop", "tcp",
+					    HPROP_PORT));
+	}
+	sin_len = sizeof(ss);
+	if(getpeername(fd, sa, &sin_len) < 0)
+	    krb5_err(context, 1, errno, "getpeername");
+
+	if (inet_ntop(sa->sa_family,
+		      socket_get_address (sa),
+		      addr_name,
+		      sizeof(addr_name)) == NULL)
+	    strlcpy (addr_name, "unknown address",
+			     sizeof(addr_name));
+
+	krb5_log(context, fac, 0, "Connection from %s", addr_name);
+    
+	ret = krb5_kt_register(context, &hdb_kt_ops);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_kt_register");
+
+	if (ktname != NULL) {
+	    ret = krb5_kt_resolve(context, ktname, &keytab);
+	    if (ret)
+		krb5_err (context, 1, ret, "krb5_kt_resolve %s", ktname);
+	} else {
+	    ret = krb5_kt_default (context, &keytab);
+	    if (ret)
+		krb5_err (context, 1, ret, "krb5_kt_default");
+	}
+
+	ret = krb5_recvauth(context, &ac, &fd, HPROP_VERSION, NULL,
+			    0, keytab, &ticket);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_recvauth");
+	
+	ret = krb5_unparse_name(context, ticket->server, &server);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_unparse_name");
+	if (strncmp(server, "hprop/", 5) != 0)
+	    krb5_errx(context, 1, "ticket not for hprop (%s)", server);
+
+	free(server);
+	krb5_free_ticket (context, ticket);
+
+	ret = krb5_auth_getauthenticator(context, ac, &authent);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_auth_getauthenticator");
+	
+	ret = krb5_make_principal(context, &c1, NULL, "kadmin", "hprop", NULL);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_make_principal");
+	principalname2krb5_principal(&c2, authent->cname, authent->crealm);
+	if(!krb5_principal_compare(context, c1, c2)) {
+	    char *s;
+	    krb5_unparse_name(context, c2, &s);
+	    krb5_errx(context, 1, "Unauthorized connection from %s", s);
+	}
+	krb5_free_principal(context, c1);
+	krb5_free_principal(context, c2);
+
+	ret = krb5_kt_close(context, keytab);
+	if(ret)
+	    krb5_err(context, 1, ret, "krb5_kt_close");
+    }
+    
+    if(!print_dump) {
+	asprintf(&tmp_db, "%s~", database);
+#ifdef KRB4
+	if (v4dump) {
+	    fd_out = open(tmp_db, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	    if (fd_out == -1)
+		krb5_errx(context, 1, "%s", strerror(errno));
+	}
+	else
+#endif /* KRB4 */
+	{
+	    ret = hdb_create(context, &db, tmp_db);
+	    if(ret)
+		krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db);
+	    ret = db->open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600);
+	    if(ret)
+		krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db);
+	}
+    }
+
+#ifdef KRB4
+    if (v4dump) {
+	e = kdb_get_master_key(0, &mkey4, msched4);
+	if(e)
+	    krb5_errx(context, 1, "kdb_get_master_key: %s",
+		      krb_get_err_text(e));
+    }
+#endif /* KRB4 */
+
+    nprincs = 0;
+    while(1){
+	krb5_data data;
+	hdb_entry entry;
+
+	if(from_stdin) {
+	    ret = krb5_read_message(context, &fd, &data);
+	    if(ret != 0 && ret != HEIM_ERR_EOF)
+		krb5_err(context, 1, ret, "krb5_read_message");
+	} else {
+	    ret = krb5_read_priv_message(context, ac, &fd, &data);
+	    if(ret)
+		krb5_err(context, 1, ret, "krb5_read_priv_message");
+	}
+
+	if(ret == HEIM_ERR_EOF || data.length == 0) {
+	    if(!from_stdin) {
+		data.data = NULL;
+		data.length = 0;
+		krb5_write_priv_message(context, ac, &fd, &data);
+	    }
+	    if(!print_dump) {
+#ifdef KRB4
+		if (v4dump) {
+		    ret = rename(tmp_db, database);
+		    if (ret)
+			krb5_errx(context, 1, "rename");
+		    ret = close(fd_out);
+		    if (ret)
+			krb5_errx(context, 1, "close");
+		} else
+#endif /* KRB4 */
+		{
+		    ret = db->rename(context, db, database);
+		    if(ret)
+			krb5_err(context, 1, ret, "db_rename");
+		    ret = db->close(context, db);
+		    if(ret)
+			krb5_err(context, 1, ret, "db_close");
+		}
+	    }
+	    break;
+	}
+	ret = hdb_value2entry(context, &data, &entry);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_value2entry");
+	if(print_dump)
+	    hdb_print_entry(context, db, &entry, stdout);
+	else {
+#ifdef KRB4
+	    if (v4dump) {
+		ret = dump_krb4(context, &entry, fd_out);
+		if(!ret) nprincs++;
+	    }
+	    else
+#endif /* KRB4 */
+	    {
+		ret = db->store(context, db, 0, &entry);
+		if(ret == HDB_ERR_EXISTS) {
+		    char *s;
+		    krb5_unparse_name(context, entry.principal, &s);
+		    krb5_warnx(context, "Entry exists: %s", s);
+		    free(s);
+		} else if(ret) 
+		    krb5_err(context, 1, ret, "db_store");
+		else
+		    nprincs++;
+	    }
+	}
+	hdb_free_entry(context, &entry);
+    }
+    if (!print_dump)
+	krb5_log(context, fac, 0, "Received %d principals", nprincs);
+    exit(0);
+}
diff --git a/crypto/heimdal/kdc/hpropd.cat8 b/crypto/heimdal/kdc/hpropd.cat8
new file mode 100644
index 0000000..5218e6d
--- /dev/null
+++ b/crypto/heimdal/kdc/hpropd.cat8
@@ -0,0 +1,43 @@
+
+HPROPD(8)                UNIX System Manager's Manual                HPROPD(8)
+
+NNAAMMEE
+     hhpprrooppdd - receive a propagated database
+
+SSYYNNOOPPSSIISS
+     hhpprrooppdd [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e] [--nn | ----ssttddiinn] [----pprriinntt] [--ii |
+     ----nnoo--iinneettdd] [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--44 | ----vv44dduummpp]
+
+DDEESSCCRRIIPPTTIIOONN
+     hhpprrooppdd receives databases sent by hhpprroopp. and writes it as a local
+     database.
+
+     By default, hhpprrooppdd expects to be started from iinneettdd if stdin is a socket
+     and expects to receive the dumped database over stdin otherwise.  If the
+     database is sent over the network, it is authenticated and encrypted.
+     Only connections from kadmin/hprop are accepted.
+
+     Options supported:
+
+     --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e
+             database
+
+     --nn, ----ssttddiinn
+             read from stdin
+
+     ----pprriinntt
+             print dump to stdout
+
+     --ii, ----nnoo--iinneettdd
+             Not started from inetd
+
+     --kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b
+             keytab to use for authentication
+
+     --44, ----vv44dduummpp
+             create v4 type DB
+
+SSEEEE AALLSSOO
+     hprop(8)
+
+ HEIMDAL                        August 27, 1997                              1
diff --git a/crypto/heimdal/kdc/kadb.h b/crypto/heimdal/kdc/kadb.h
new file mode 100644
index 0000000..5c98ccc
--- /dev/null
+++ b/crypto/heimdal/kdc/kadb.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kadb.h,v 1.3 2000/03/03 12:36:26 assar Exp $ */
+
+#ifndef __kadb_h__
+#define __kadb_h__
+
+#define HASHSIZE 8191
+
+struct ka_header {
+    int32_t version1;			/* file format version, should
+					   match version2 */
+    int32_t size;
+    int32_t free_ptr;
+    int32_t eof_ptr;
+    int32_t kvno_ptr;
+    int32_t stats[8];
+    int32_t admin_accounts;
+    int32_t special_keys_version;
+    int32_t hashsize;			/* allocated size of hash */
+    int32_t hash[HASHSIZE];
+    int32_t version2;
+};
+
+struct ka_entry {
+    int32_t flags;			/* see below */
+    int32_t next;			/* next in hash list */
+    int32_t valid_end;			/* expiration date */
+    int32_t mod_time;			/* time last modified */
+    int32_t mod_ptr;			/* pointer to modifier */
+    int32_t pw_change;			/* last pw change */
+    int32_t max_life;			/* max ticket life */
+    int32_t kvno;
+    int32_t foo2[2];			/* huh? */
+    char name[64];
+    char instance[64];
+    char key[8];
+    u_char pw_expire;			/* # days before password expires  */
+    u_char spare;
+    u_char attempts;
+    u_char locktime;
+};
+
+#define KAFNORMAL	(1<<0)
+#define KAFADMIN        (1<<2)	/* an administrator */
+#define KAFNOTGS        (1<<3)	/* ! allow principal to get or use TGT */
+#define KAFNOSEAL       (1<<5)	/* ! allow principal as server in GetTicket */
+#define KAFNOCPW        (1<<6)	/* ! allow principal to change its own key */
+#define KAFSPECIAL      (1<<8)	/* set if special AuthServer principal */
+
+#define DEFAULT_DATABASE "/usr/afs/db/kaserver.DB0"
+
+#endif /* __kadb_h__ */
diff --git a/crypto/heimdal/kdc/kaserver.c b/crypto/heimdal/kdc/kaserver.c
new file mode 100644
index 0000000..5920895
--- /dev/null
+++ b/crypto/heimdal/kdc/kaserver.c
@@ -0,0 +1,823 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: kaserver.c,v 1.16 2001/02/05 10:49:43 assar Exp $");
+
+#ifdef KASERVER
+
+#include <rx.h>
+
+#define KA_AUTHENTICATION_SERVICE 731
+#define KA_TICKET_GRANTING_SERVICE 732
+#define KA_MAINTENANCE_SERVICE 733
+
+#define AUTHENTICATE_OLD	 1
+#define CHANGEPASSWORD		 2
+#define GETTICKET_OLD		 3
+#define SETPASSWORD		 4
+#define SETFIELDS		 5
+#define CREATEUSER		 6
+#define DELETEUSER		 7
+#define GETENTRY		 8
+#define LISTENTRY		 9
+#define GETSTATS		10
+#define DEBUG			11
+#define GETPASSWORD		12
+#define GETRANDOMKEY		13
+#define AUTHENTICATE		21
+#define AUTHENTICATE_V2		22
+#define GETTICKET		23
+
+/* XXX - Where do we get these? */
+
+#define RXGEN_OPCODE (-455)
+
+#define KADATABASEINCONSISTENT                   (180480L)
+#define KAEXIST                                  (180481L)
+#define KAIO                                     (180482L)
+#define KACREATEFAIL                             (180483L)
+#define KANOENT                                  (180484L)
+#define KAEMPTY                                  (180485L)
+#define KABADNAME                                (180486L)
+#define KABADINDEX                               (180487L)
+#define KANOAUTH                                 (180488L)
+#define KAANSWERTOOLONG                          (180489L)
+#define KABADREQUEST                             (180490L)
+#define KAOLDINTERFACE                           (180491L)
+#define KABADARGUMENT                            (180492L)
+#define KABADCMD                                 (180493L)
+#define KANOKEYS                                 (180494L)
+#define KAREADPW                                 (180495L)
+#define KABADKEY                                 (180496L)
+#define KAUBIKINIT                               (180497L)
+#define KAUBIKCALL                               (180498L)
+#define KABADPROTOCOL                            (180499L)
+#define KANOCELLS                                (180500L)
+#define KANOCELL                                 (180501L)
+#define KATOOMANYUBIKS                           (180502L)
+#define KATOOMANYKEYS                            (180503L)
+#define KABADTICKET                              (180504L)
+#define KAUNKNOWNKEY                             (180505L)
+#define KAKEYCACHEINVALID                        (180506L)
+#define KABADSERVER                              (180507L)
+#define KABADUSER                                (180508L)
+#define KABADCPW                                 (180509L)
+#define KABADCREATE                              (180510L)
+#define KANOTICKET                               (180511L)
+#define KAASSOCUSER                              (180512L)
+#define KANOTSPECIAL                             (180513L)
+#define KACLOCKSKEW                              (180514L)
+#define KANORECURSE                              (180515L)
+#define KARXFAIL                                 (180516L)
+#define KANULLPASSWORD                           (180517L)
+#define KAINTERNALERROR                          (180518L)
+#define KAPWEXPIRED                              (180519L)
+#define KAREUSED                                 (180520L)
+#define KATOOSOON                                (180521L)
+#define KALOCKED                                 (180522L)
+
+static void
+decode_rx_header (krb5_storage *sp,
+		  struct rx_header *h)
+{
+    krb5_ret_int32(sp, &h->epoch);
+    krb5_ret_int32(sp, &h->connid);
+    krb5_ret_int32(sp, &h->callid);
+    krb5_ret_int32(sp, &h->seqno);
+    krb5_ret_int32(sp, &h->serialno);
+    krb5_ret_int8(sp,  &h->type);
+    krb5_ret_int8(sp,  &h->flags);
+    krb5_ret_int8(sp,  &h->status);
+    krb5_ret_int8(sp,  &h->secindex);
+    krb5_ret_int16(sp, &h->reserved);
+    krb5_ret_int16(sp, &h->serviceid);
+}
+
+static void
+encode_rx_header (struct rx_header *h,
+		  krb5_storage *sp)
+{
+    krb5_store_int32(sp, h->epoch);
+    krb5_store_int32(sp, h->connid);
+    krb5_store_int32(sp, h->callid);
+    krb5_store_int32(sp, h->seqno);
+    krb5_store_int32(sp, h->serialno);
+    krb5_store_int8(sp,  h->type);
+    krb5_store_int8(sp,  h->flags);
+    krb5_store_int8(sp,  h->status);
+    krb5_store_int8(sp,  h->secindex);
+    krb5_store_int16(sp, h->reserved);
+    krb5_store_int16(sp, h->serviceid);
+}
+
+static void
+init_reply_header (struct rx_header *hdr,
+		   struct rx_header *reply_hdr,
+		   u_char type,
+		   u_char flags)
+{
+    reply_hdr->epoch     = hdr->epoch;
+    reply_hdr->connid    = hdr->connid;
+    reply_hdr->callid    = hdr->callid;
+    reply_hdr->seqno     = 1;
+    reply_hdr->serialno  = 1;
+    reply_hdr->type      = type;
+    reply_hdr->flags     = flags;
+    reply_hdr->status    = 0;
+    reply_hdr->secindex  = 0;
+    reply_hdr->reserved  = 0;
+    reply_hdr->serviceid = hdr->serviceid;
+}
+
+static void
+make_error_reply (struct rx_header *hdr,
+		  u_int32_t ret,
+		  krb5_data *reply)
+
+{
+    krb5_storage *sp;
+    struct rx_header reply_hdr;
+
+    init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
+    sp = krb5_storage_emem();
+    encode_rx_header (&reply_hdr, sp);
+    krb5_store_int32(sp, ret);
+    krb5_storage_to_data (sp, reply);
+    krb5_storage_free (sp);
+}
+
+static krb5_error_code
+krb5_ret_xdr_data(krb5_storage *sp,
+		  krb5_data *data)
+{
+    int ret;
+    int size;
+    ret = krb5_ret_int32(sp, &size);
+    if(ret)
+	return ret;
+    data->length = size;
+    if (size) {
+	u_char foo[4];
+	size_t pad = (4 - size % 4) % 4;
+
+	data->data = malloc(size);
+	if (data->data == NULL)
+	    return ENOMEM;
+	ret = sp->fetch(sp, data->data, size);
+	if(ret != size)
+	    return (ret < 0)? errno : KRB5_CC_END;
+	if (pad) {
+	    ret = sp->fetch(sp, foo, pad);
+	    if (ret != pad)
+		return (ret < 0)? errno : KRB5_CC_END;
+	}
+    } else
+	data->data = NULL;
+    return 0;
+}
+
+static krb5_error_code
+krb5_store_xdr_data(krb5_storage *sp,
+		    krb5_data data)
+{
+    u_char zero[4] = {0, 0, 0, 0};
+    int ret;
+    size_t pad;
+
+    ret = krb5_store_int32(sp, data.length);
+    if(ret < 0)
+	return ret;
+    ret = sp->store(sp, data.data, data.length);
+    if(ret != data.length){
+	if(ret < 0)
+	    return errno;
+	return KRB5_CC_END;
+    }
+    pad = (4 - data.length % 4) % 4;
+    if (pad) {
+	ret = sp->store(sp, zero, pad);
+	if (ret != pad) {
+	    if (ret < 0)
+		return errno;
+	    return KRB5_CC_END;
+	}
+    }
+    return 0;
+}
+
+
+static krb5_error_code
+create_reply_ticket (struct rx_header *hdr,
+		     Key *skey,
+		     char *name, char *instance, char *realm,
+		     struct sockaddr_in *addr,
+		     int life,
+		     int kvno,
+		     int32_t max_seq_len,
+		     char *sname, char *sinstance,
+		     u_int32_t challenge,
+		     char *label,
+		     des_cblock *key,
+		     krb5_data *reply)
+{
+    KTEXT_ST ticket;
+    des_cblock session;
+    krb5_storage *sp;
+    krb5_data enc_data;
+    des_key_schedule schedule;
+    struct rx_header reply_hdr;
+    des_cblock zero;
+    size_t pad;
+    unsigned fyrtiosjuelva;
+
+    /* create the ticket */
+
+    des_new_random_key(&session);
+
+    krb_create_ticket (&ticket, 0, name, instance, realm,
+		       addr->sin_addr.s_addr,
+		       &session, life, kdc_time,
+		       sname, sinstance, skey->key.keyvalue.data);
+
+    /* create the encrypted part of the reply */
+    sp = krb5_storage_emem ();
+    krb5_generate_random_block(&fyrtiosjuelva, sizeof(fyrtiosjuelva));
+    fyrtiosjuelva &= 0xffffffff;
+    krb5_store_int32 (sp, fyrtiosjuelva);
+    krb5_store_int32 (sp, challenge);
+    sp->store  (sp, session, 8);
+    memset (&session, 0, sizeof(session));
+    krb5_store_int32 (sp, kdc_time);
+    krb5_store_int32 (sp, kdc_time + krb_life_to_time (0, life));
+    krb5_store_int32 (sp, kvno);
+    krb5_store_int32 (sp, ticket.length);
+    krb5_store_stringz (sp, name);
+    krb5_store_stringz (sp, instance);
+#if 1 /* XXX - Why shouldn't the realm go here? */
+    krb5_store_stringz (sp, "");
+#else
+    krb5_store_stringz (sp, realm);
+#endif
+    krb5_store_stringz (sp, sname);
+    krb5_store_stringz (sp, sinstance);
+    sp->store (sp, ticket.dat, ticket.length);
+    sp->store (sp, label, strlen(label));
+
+    /* pad to DES block */
+    memset (zero, 0, sizeof(zero));
+    pad = (8 - sp->seek (sp, 0, SEEK_CUR) % 8) % 8;
+    sp->store (sp, zero, pad);
+
+    krb5_storage_to_data (sp, &enc_data);
+    krb5_storage_free (sp);
+
+    if (enc_data.length > max_seq_len) {
+	krb5_data_free (&enc_data);
+	make_error_reply (hdr, KAANSWERTOOLONG, reply);
+	return 0;
+    }
+
+    /* encrypt it */
+    des_set_key (key, schedule);
+    des_pcbc_encrypt ((des_cblock *)enc_data.data,
+		      (des_cblock *)enc_data.data,
+		      enc_data.length,
+		      schedule,
+		      key,
+		      DES_ENCRYPT);
+    memset (&schedule, 0, sizeof(schedule));
+
+    /* create the reply packet */
+    init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST);
+    sp = krb5_storage_emem ();
+    encode_rx_header (&reply_hdr, sp);
+    krb5_store_int32 (sp, max_seq_len);
+    krb5_store_xdr_data (sp, enc_data);
+    krb5_data_free (&enc_data);
+    krb5_storage_to_data (sp, reply);
+    krb5_storage_free (sp);
+    return 0;
+}
+
+static krb5_error_code
+unparse_auth_args (krb5_storage *sp,
+		   char **name,
+		   char **instance,
+		   time_t *start_time,
+		   time_t *end_time,
+		   krb5_data *request,
+		   int32_t *max_seq_len)
+{
+    krb5_data data;
+    int32_t tmp;
+
+    krb5_ret_xdr_data (sp, &data);
+    *name = malloc(data.length + 1);
+    if (*name == NULL)
+	return ENOMEM;
+    memcpy (*name, data.data, data.length);
+    (*name)[data.length] = '\0';
+    krb5_data_free (&data);
+
+    krb5_ret_xdr_data (sp, &data);
+    *instance = malloc(data.length + 1);
+    if (*instance == NULL) {
+	free (*name);
+	return ENOMEM;
+    }
+    memcpy (*instance, data.data, data.length);
+    (*instance)[data.length] = '\0';
+    krb5_data_free (&data);
+
+    krb5_ret_int32 (sp, &tmp);
+    *start_time = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    *end_time = tmp;
+    krb5_ret_xdr_data (sp, request);
+    krb5_ret_int32 (sp, max_seq_len);
+    /* ignore the rest */
+    return 0;
+}
+
+static void
+do_authenticate (struct rx_header *hdr,
+		 krb5_storage *sp,
+		 struct sockaddr_in *addr,
+		 krb5_data *reply)
+{
+    krb5_error_code ret;
+    char *name = NULL;
+    char *instance = NULL;
+    time_t start_time;
+    time_t end_time;
+    krb5_data request;
+    int32_t max_seq_len;
+    hdb_entry *client_entry = NULL;
+    hdb_entry *server_entry = NULL;
+    Key *ckey = NULL;
+    Key *skey = NULL;
+    des_cblock key;
+    des_key_schedule schedule;
+    krb5_storage *reply_sp;
+    time_t max_life;
+    u_int8_t life;
+    int32_t chal;
+    char client_name[256];
+    char server_name[256];
+	
+    krb5_data_zero (&request);
+
+    unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
+		       &request, &max_seq_len);
+
+    snprintf (client_name, sizeof(client_name), "%s.%s@%s",
+	      name, instance, v4_realm);
+
+    ret = db_fetch4 (name, instance, v4_realm, &client_entry);
+    if (ret) {
+	kdc_log(0, "Client not found in database: %s: %s",
+		client_name, krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOENT, reply);
+	goto out;
+    }
+
+    snprintf (server_name, sizeof(server_name), "%s.%s@%s",
+	      "krbtgt", v4_realm, v4_realm);
+
+    ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &server_entry);
+    if (ret) {
+	kdc_log(0, "Server not found in database: %s: %s",
+		server_name, krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOENT, reply);
+	goto out;
+    }
+
+    ret = check_flags (client_entry, client_name,
+		       server_entry, server_name,
+		       TRUE);
+    if (ret) {
+	make_error_reply (hdr, KAPWEXPIRED, reply);
+	goto out;
+    }
+
+    /* find a DES key */
+    ret = get_des_key(client_entry, TRUE, &ckey);
+    if(ret){
+	kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOKEYS, reply);
+	goto out;
+    }
+
+    /* find a DES key */
+    ret = get_des_key(server_entry, TRUE, &skey);
+    if(ret){
+	kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOKEYS, reply);
+	goto out;
+    }
+
+    /* try to decode the `request' */
+    memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
+    des_set_key (&key, schedule);
+    des_pcbc_encrypt ((des_cblock *)request.data,
+		      (des_cblock *)request.data,
+		      request.length,
+		      schedule,
+		      &key,
+		      DES_DECRYPT);
+    memset (&schedule, 0, sizeof(schedule));
+
+    /* check for the magic label */
+    if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
+	make_error_reply (hdr, KABADREQUEST, reply);
+	goto out;
+    }
+
+    reply_sp = krb5_storage_from_mem (request.data, 4);
+    krb5_ret_int32 (reply_sp, &chal);
+    krb5_storage_free (reply_sp);
+
+    if (abs(chal - kdc_time) > context->max_skew) {
+	make_error_reply (hdr, KACLOCKSKEW, reply);
+	goto out;
+    }
+
+    /* life */
+    max_life = end_time - kdc_time;
+    if (client_entry->max_life)
+	max_life = min(max_life, *client_entry->max_life);
+    if (server_entry->max_life)
+	max_life = min(max_life, *server_entry->max_life);
+
+    life = krb_time_to_life(kdc_time, kdc_time + max_life);
+
+    create_reply_ticket (hdr, skey,
+			 name, instance, v4_realm,
+			 addr, life, server_entry->kvno,
+			 max_seq_len,
+			 "krbtgt", v4_realm,
+			 chal + 1, "tgsT",
+			 &key, reply);
+    memset (&key, 0, sizeof(key));
+
+out:
+    if (request.length) {
+	memset (request.data, 0, request.length);
+	krb5_data_free (&request);
+    }
+    if (name)
+	free (name);
+    if (instance)
+	free (instance);
+    if (client_entry)
+	free_ent (client_entry);
+    if (server_entry)
+	free_ent (server_entry);
+}
+
+static krb5_error_code
+unparse_getticket_args (krb5_storage *sp,
+			int *kvno,
+			char **auth_domain,
+			krb5_data *ticket,
+			char **name,
+			char **instance,
+			krb5_data *times,
+			int32_t *max_seq_len)
+{
+    krb5_data data;
+    int32_t tmp;
+
+    krb5_ret_int32 (sp, &tmp);
+    *kvno = tmp;
+
+    krb5_ret_xdr_data (sp, &data);
+    *auth_domain = malloc(data.length + 1);
+    if (*auth_domain == NULL)
+	return ENOMEM;
+    memcpy (*auth_domain, data.data, data.length);
+    (*auth_domain)[data.length] = '\0';
+    krb5_data_free (&data);
+
+    krb5_ret_xdr_data (sp, ticket);
+
+    krb5_ret_xdr_data (sp, &data);
+    *name = malloc(data.length + 1);
+    if (*name == NULL) {
+	free (*auth_domain);
+	return ENOMEM;
+    }
+    memcpy (*name, data.data, data.length);
+    (*name)[data.length] = '\0';
+    krb5_data_free (&data);
+
+    krb5_ret_xdr_data (sp, &data);
+    *instance = malloc(data.length + 1);
+    if (*instance == NULL) {
+	free (*auth_domain);
+	free (*name);
+	return ENOMEM;
+    }
+    memcpy (*instance, data.data, data.length);
+    (*instance)[data.length] = '\0';
+    krb5_data_free (&data);
+
+    krb5_ret_xdr_data (sp, times);
+
+    krb5_ret_int32 (sp, max_seq_len);
+    /* ignore the rest */
+    return 0;
+}
+
+static void
+do_getticket (struct rx_header *hdr,
+	      krb5_storage *sp,
+	      struct sockaddr_in *addr,
+	      krb5_data *reply)
+{
+    krb5_error_code ret;
+    int kvno;
+    char *auth_domain = NULL;
+    krb5_data aticket;
+    char *name = NULL;
+    char *instance = NULL;
+    krb5_data times;
+    int32_t max_seq_len;
+    hdb_entry *server_entry = NULL;
+    hdb_entry *krbtgt_entry = NULL;
+    Key *kkey = NULL;
+    Key *skey = NULL;
+    des_cblock key;
+    des_key_schedule schedule;
+    des_cblock session;
+    time_t max_life;
+    int8_t life;
+    time_t start_time, end_time;
+    char pname[ANAME_SZ];
+    char pinst[INST_SZ];
+    char prealm[REALM_SZ];
+    char server_name[256];
+
+    krb5_data_zero (&aticket);
+    krb5_data_zero (&times);
+
+    unparse_getticket_args (sp, &kvno, &auth_domain, &aticket,
+			    &name, &instance, &times, &max_seq_len);
+
+    snprintf (server_name, sizeof(server_name),
+	      "%s.%s@%s", name, instance, v4_realm);
+
+    ret = db_fetch4 (name, instance, v4_realm, &server_entry);
+    if (ret) {
+	kdc_log(0, "Server not found in database: %s: %s",
+		server_name, krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOENT, reply);
+	goto out;
+    }
+
+    ret = check_flags (NULL, NULL,
+		       server_entry, server_name,
+		       FALSE);
+    if (ret) {
+	make_error_reply (hdr, KAPWEXPIRED, reply);
+	goto out;
+    }
+
+    ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &krbtgt_entry);
+    if (ret) {
+	kdc_log(0, "Server not found in database: %s.%s@%s: %s",
+		"krbtgt", v4_realm, v4_realm, krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOENT, reply);
+	goto out;
+    }
+
+    /* find a DES key */
+    ret = get_des_key(krbtgt_entry, TRUE, &kkey);
+    if(ret){
+	kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOKEYS, reply);
+	goto out;
+    }
+
+    /* find a DES key */
+    ret = get_des_key(server_entry, TRUE, &skey);
+    if(ret){
+	kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	make_error_reply (hdr, KANOKEYS, reply);
+	goto out;
+    }
+
+    /* decrypt the incoming ticket */
+    memcpy (&key, kkey->key.keyvalue.data, sizeof(key));
+
+    /* unpack the ticket */
+    {
+	KTEXT_ST ticket;
+	u_char flags;
+	int life;
+	u_int32_t time_sec;
+	char sname[ANAME_SZ];
+	char sinstance[SNAME_SZ];
+	u_int32_t paddress;
+
+	if (aticket.length > sizeof(ticket.dat)) {
+	    kdc_log(0, "ticket too long (%u > %u)",
+		    (unsigned)aticket.length,
+		    (unsigned)sizeof(ticket.dat));
+	    make_error_reply (hdr, KABADTICKET, reply);
+	    goto out;
+	}
+
+	ticket.length = aticket.length;
+	memcpy (ticket.dat, aticket.data, ticket.length);
+
+	des_set_key (&key, schedule);
+	decomp_ticket (&ticket, &flags, pname, pinst, prealm,
+		       &paddress, session, &life, &time_sec,
+		       sname, sinstance, 
+		       &key, schedule);
+
+	if (strcmp (sname, "krbtgt") != 0
+	    || strcmp (sinstance, v4_realm) != 0) {
+	    kdc_log(0, "no TGT: %s.%s for %s.%s@%s",
+		    sname, sinstance,
+		    pname, pinst, prealm);
+	    make_error_reply (hdr, KABADTICKET, reply);
+	    goto out;
+	}
+
+	if (kdc_time > krb_life_to_time(time_sec, life)) {
+	    kdc_log(0, "TGT expired: %s.%s@%s",
+		    pname, pinst, prealm);
+	    make_error_reply (hdr, KABADTICKET, reply);
+	    goto out;
+	}
+    }
+
+    /* decrypt the times */
+    des_set_key (&session, schedule);
+    des_ecb_encrypt (times.data,
+		     times.data,
+		     schedule,
+		     DES_DECRYPT);
+    memset (&schedule, 0, sizeof(schedule));
+
+    /* and extract them */
+    {
+	krb5_storage *sp;
+	int32_t tmp;
+
+	sp = krb5_storage_from_mem (times.data, times.length);
+	krb5_ret_int32 (sp, &tmp);
+	start_time = tmp;
+	krb5_ret_int32 (sp, &tmp);
+	end_time = tmp;
+	krb5_storage_free (sp);
+    }
+
+    /* life */
+    max_life = end_time - kdc_time;
+    if (krbtgt_entry->max_life)
+	max_life = min(max_life, *krbtgt_entry->max_life);
+    if (server_entry->max_life)
+	max_life = min(max_life, *server_entry->max_life);
+
+    life = krb_time_to_life(kdc_time, kdc_time + max_life);
+
+    create_reply_ticket (hdr, skey,
+			 pname, pinst, prealm,
+			 addr, life, server_entry->kvno,
+			 max_seq_len,
+			 name, instance,
+			 0, "gtkt",
+			 &session, reply);
+    memset (&session, 0, sizeof(session));
+    
+out:
+    if (aticket.length) {
+	memset (aticket.data, 0, aticket.length);
+	krb5_data_free (&aticket);
+    }
+    if (times.length) {
+	memset (times.data, 0, times.length);
+	krb5_data_free (&times);
+    }
+    if (auth_domain)
+	free (auth_domain);
+    if (name)
+	free (name);
+    if (instance)
+	free (instance);
+    if (krbtgt_entry)
+	free_ent (krbtgt_entry);
+    if (server_entry)
+	free_ent (server_entry);
+}
+
+krb5_error_code
+do_kaserver(unsigned char *buf,
+	    size_t len,
+	    krb5_data *reply,
+	    const char *from,
+	    struct sockaddr_in *addr)
+{
+    krb5_error_code ret = 0;
+    struct rx_header hdr;
+    u_int32_t op;
+    krb5_storage *sp;
+
+    if (len < RX_HEADER_SIZE)
+	return -1;
+    sp = krb5_storage_from_mem (buf, len);
+
+    decode_rx_header (sp, &hdr);
+    buf += RX_HEADER_SIZE;
+    len -= RX_HEADER_SIZE;
+
+    switch (hdr.type) {
+    case HT_DATA :
+	break;
+    case HT_ACK :
+    case HT_BUSY :
+    case HT_ABORT :
+    case HT_ACKALL :
+    case HT_CHAL :
+    case HT_RESP :
+    case HT_DEBUG :
+    default:
+	/* drop */
+	goto out;
+    }
+
+
+    if (hdr.serviceid != KA_AUTHENTICATION_SERVICE
+	&& hdr.serviceid != KA_TICKET_GRANTING_SERVICE) {
+	ret = -1;
+	goto out;
+    }
+
+    krb5_ret_int32(sp, &op);
+    switch (op) {
+    case AUTHENTICATE :
+	do_authenticate (&hdr, sp, addr, reply);
+	break;
+    case GETTICKET :
+	do_getticket (&hdr, sp, addr, reply);
+	break;
+    case AUTHENTICATE_OLD :
+    case CHANGEPASSWORD :
+    case GETTICKET_OLD :
+    case SETPASSWORD :
+    case SETFIELDS :
+    case CREATEUSER :
+    case DELETEUSER :
+    case GETENTRY :
+    case LISTENTRY :
+    case GETSTATS :
+    case DEBUG :
+    case GETPASSWORD :
+    case GETRANDOMKEY :
+    case AUTHENTICATE_V2 :
+    default :
+	make_error_reply (&hdr, RXGEN_OPCODE, reply);
+	break;
+    }
+
+out:
+    krb5_storage_free (sp);
+    return ret;
+}
+
+#endif /* KASERVER */
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8
new file mode 100644
index 0000000..8437c63
--- /dev/null
+++ b/crypto/heimdal/kdc/kdc.8
@@ -0,0 +1,143 @@
+.\" $Id: kdc.8,v 1.13 2001/06/08 21:35:32 joda Exp $
+.\"
+.Dd July 27, 1997
+.Dt KDC 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kdc
+.Nd Kerberos 5 server
+.Sh SYNOPSIS
+.Nm
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file
+.Xc
+.Oc
+.Op Fl p | Fl -no-require-preauth
+.Op Fl -max-request= Ns Ar size
+.Op Fl H | Fl -enable-http
+.Oo Fl r Ar string \*(Ba Xo
+.Fl -v4-realm= Ns Ar string
+.Xc
+.Oc
+.Op Fl K | Fl -no-kaserver
+.Op Fl r Ar realm
+.Op Fl -v4-realm= Ns Ar realm
+.Oo Fl P Ar string \*(Ba Xo
+.Fl -ports= Ns Ar string
+.Xc
+.Oc
+.Op Fl -addresses= Ns Ar list of addresses
+.Sh DESCRIPTION
+.Nm
+serves requests for tickets. When it starts, it first checks the flags
+passed, any options that are not specified with a command line flag is
+taken from a config file, or from a default compiled-in value.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Fl c Ar file
+.It Fl -config-file= Ns Ar file
+Specifies the location of the config file, the default is
+.Pa /var/heimdal/kdc.conf .
+This is the only value that can't be specified in the config file.
+.It Fl p
+.It Fl -no-require-preauth
+Turn off the requirement for pre-autentication in the initial AS-REQ
+for all principals. The use of pre-authentication makes it more
+difficult to do offline password attacks. You might want to turn it
+off if you have clients that doesn't do pre-authentication. Since the
+version 4 protocol doesn't support any pre-authentication, so serving
+version 4 clients is just about the same as not requiring
+pre-athentication. The default is to require
+pre-authentication. Adding the require-preauth per principal is a more
+flexible way of handling this.
+.It Xo
+.Fl -max-request= Ns Ar size
+.Xc
+Gives an upper limit on the size of the requests that the kdc is
+willing to handle.
+.It Xo
+.Fl H Ns ,
+.Fl -enable-http
+.Xc
+Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
+.It Xo
+.Fl K Ns ,
+.Fl -no-kaserver
+.Xc
+Disables kaserver emulation (in case it's compiled in).
+.It Fl r Ar realm
+.It Fl -v4-realm= Ns Ar realm
+What realm this server should act as when dealing with version 4
+requests. The database can contain any number of realms, but since the
+version 4 protocol doesn't contain a realm for the server, it must be
+explicitly specified. The default is whatever is returned by
+.Fn krb_get_lrealm .
+This option is only availabe if the KDC has been compiled with version
+4 support.
+.It Xo
+.Fl P Ar string Ns ,
+.Fl -ports= Ns Ar string
+.Xc
+Specifies the set of ports the KDC should listen on.  It is given as a
+white-space separated list of services or port numbers.
+.It Xo
+.Fl -addresses= Ns Ar list of addresses
+.Xc
+The list of addresses to listen for requests on.  By default, the kdc
+will listen on all the locally configured addresses.  If only a subset
+is desired, or the automatic detection fails, this option might be used.
+.El
+.Pp
+All activities , are logged to one or more destinations, see 
+.Xr krb5.conf 5 ,
+and
+.Xr krb5_openlog 3 .
+The entity used for logging is
+.Nm kdc .
+.Sh CONFIGURATION FILE
+The configuration file has the same syntax as the 
+.Pa krb5.conf
+file (you can actually put the configuration in
+.Pa /etc/krb5.conf ,
+and then start the KDC with
+.Fl -config-file= Ns Ar /etc/krb5.conf ) .
+All options should be in a section called
+.Dq kdc .
+All the command-line options can preferably be added in the
+configuration file.  The only difference is the pre-authentication flag,
+that has to be specified as:
+.Pp
+.Dl require-preauth = no
+.Pp
+(in fact you can specify the option as
+.Fl -require-preauth=no ) .
+.Pp
+And there are some configuration options which do not have
+command-line equivalents:
+.Bl -tag -width "xxx" -offset indent
+.It Li check-ticket-addresses = Va boolean
+Check the addresses in the ticket when processing TGS requests.  The
+default is FALSE.
+.It Li allow-null-ticket-addresses = Va boolean
+Permit tickets with no addresses.  This option is only relevant when
+check-ticket-addresses is TRUE.
+.It Li allow-anonymous = Va boolean
+Permit anonymous tickets with no addresses.
+.It encode_as_rep_as_tgs_rep = Va boolean
+Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.  The
+Heimdal clients allow both.
+.It kdc_warn_pwexpire = Va time
+How long before password/principal expiration the KDC should start
+sending out warning messages.
+.El
+.Pp
+An example of a config file:
+.Bd -literal -offset indent
+[kdc]
+	require-preauth = no
+	v4-realm = FOO.SE
+	key-file = /key-file
+.Ed
+.Sh SEE ALSO
+.Xr kinit 1
diff --git a/crypto/heimdal/kdc/kdc.cat8 b/crypto/heimdal/kdc/kdc.cat8
new file mode 100644
index 0000000..234b76d
--- /dev/null
+++ b/crypto/heimdal/kdc/kdc.cat8
@@ -0,0 +1,118 @@
+
+KDC(8)                   UNIX System Manager's Manual                   KDC(8)
+
+NNAAMMEE
+     kkddcc - Kerberos 5 server
+
+SSYYNNOOPPSSIISS
+     kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh]
+     [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g]
+     [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] [--PP _s_t_r_i_n_g |
+     ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s]
+
+DDEESSCCRRIIPPTTIIOONN
+     kkddcc serves requests for tickets. When it starts, it first checks the
+     flags passed, any options that are not specified with a command line flag
+     is taken from a config file, or from a default compiled-in value.
+
+     Options supported:
+
+     --cc _f_i_l_e
+
+     ----ccoonnffiigg--ffiillee==_f_i_l_e
+             Specifies the location of the config file, the default is
+             _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be spec-
+             ified in the config file.
+
+     --pp
+
+     ----nnoo--rreeqquuiirree--pprreeaauutthh
+             Turn off the requirement for pre-autentication in the initial AS-
+             REQ for all principals. The use of pre-authentication makes it
+             more difficult to do offline password attacks. You might want to
+             turn it off if you have clients that doesn't do pre-authentica-
+             tion. Since the version 4 protocol doesn't support any pre-au-
+             thentication, so serving version 4 clients is just about the same
+             as not requiring pre-athentication. The default is to require
+             pre-authentication. Adding the require-preauth per principal is a
+             more flexible way of handling this.
+
+     ----mmaaxx--rreeqquueesstt==_s_i_z_e
+             Gives an upper limit on the size of the requests that the kdc is
+             willing to handle.
+
+     --HH, ----eennaabbllee--hhttttpp
+             Makes the kdc listen on port 80 and handle requests encapsulated
+             in HTTP.
+
+     --KK, ----nnoo--kkaasseerrvveerr
+             Disables kaserver emulation (in case it's compiled in).
+
+     --rr _r_e_a_l_m
+
+     ----vv44--rreeaallmm==_r_e_a_l_m
+             What realm this server should act as when dealing with version 4
+             requests. The database can contain any number of realms, but
+             since the version 4 protocol doesn't contain a realm for the
+             server, it must be explicitly specified. The default is whatever
+             is returned by kkrrbb__ggeett__llrreeaallmm().  This option is only availabe if
+             the KDC has been compiled with version 4 support.
+
+     --PP _s_t_r_i_n_g, ----ppoorrttss==_s_t_r_i_n_g
+             Specifies the set of ports the KDC should listen on.  It is given
+             as a white-space separated list of services or port numbers.
+
+     ----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s
+             The list of addresses to listen for requests on.  By default, the
+             kdc will listen on all the locally configured addresses.  If only
+             a subset is desired, or the automatic detection fails, this op-
+             tion might be used.
+
+     All activities , are logged to one or more destinations, see
+     krb5.conf(5),  and krb5_openlog(3).  The entity used for logging is kkddcc.
+
+CCOONNFFIIGGUURRAATTIIOONN FFIILLEE
+     The configuration file has the same syntax as the _k_r_b_5_._c_o_n_f file (you can
+     actually put the configuration in _/_e_t_c_/_k_r_b_5_._c_o_n_f, and then start the KDC
+     with ----ccoonnffiigg--ffiillee==_/_e_t_c_/_k_r_b_5_._c_o_n_f). All options should be in a section
+     called ``kdc''. All the command-line options can preferably be added in
+     the configuration file.  The only difference is the pre-authentication
+     flag, that has to be specified as:
+
+           require-preauth = no
+
+     (in fact you can specify the option as ----rreeqquuiirree--pprreeaauutthh==nnoo).
+
+     And there are some configuration options which do not have command-line
+     equivalents:
+
+           check-ticket-addresses = _b_o_o_l_e_a_n
+                Check the addresses in the ticket when processing TGS re-
+                quests.  The default is FALSE.
+
+           allow-null-ticket-addresses = _b_o_o_l_e_a_n
+                Permit tickets with no addresses.  This option is only rele-
+                vant when check-ticket-addresses is TRUE.
+
+           allow-anonymous = _b_o_o_l_e_a_n
+                Permit anonymous tickets with no addresses.
+
+           encode_as_rep_as_tgs_rep = _b_o_o_l_e_a_n
+                Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
+                code.  The Heimdal clients allow both.
+
+           kdc_warn_pwexpire = _t_i_m_e
+                How long before password/principal expiration the KDC should
+                start sending out warning messages.
+
+     An example of a config file:
+
+           [kdc]
+                   require-preauth = no
+                   v4-realm = FOO.SE
+                   key-file = /key-file
+
+SSEEEE AALLSSOO
+     kinit(1)
+
+ HEIMDAL                         July 27, 1997                               2
diff --git a/crypto/heimdal/kdc/kdc_locl.h b/crypto/heimdal/kdc/kdc_locl.h
new file mode 100644
index 0000000..2cc753c
--- /dev/null
+++ b/crypto/heimdal/kdc/kdc_locl.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* 
+ * $Id: kdc_locl.h,v 1.48 2001/01/30 01:44:07 assar Exp $ 
+ */
+
+#ifndef __KDC_LOCL_H__
+#define __KDC_LOCL_H__
+
+#include "headers.h"
+
+extern krb5_context context;
+
+extern int require_preauth;
+extern sig_atomic_t exit_flag;
+extern size_t max_request;
+extern time_t kdc_warn_pwexpire;
+extern struct dbinfo {
+    char *realm;
+    char *dbname;
+    char *mkey_file;
+    struct dbinfo *next;
+} *databases;
+extern HDB **db;
+extern int num_db;
+extern char *port_str;
+extern krb5_addresses explicit_addresses;
+
+extern int enable_http;
+extern krb5_boolean encode_as_rep_as_tgs_rep;
+extern krb5_boolean check_ticket_addresses;
+extern krb5_boolean allow_null_ticket_addresses;
+extern krb5_boolean allow_anonymous;
+
+#ifdef KRB4
+extern char *v4_realm;
+extern int enable_v4;
+extern int enable_524;
+#endif
+#ifdef KASERVER
+extern krb5_boolean enable_kaserver;
+#endif
+
+#define _PATH_KDC_CONF		HDB_DB_DIR "/kdc.conf"
+#define DEFAULT_LOG_DEST	"0-1/FILE:" HDB_DB_DIR "/kdc.log"
+
+extern struct timeval now;
+#define kdc_time (now.tv_sec)
+
+krb5_error_code as_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
+void configure (int, char**);
+krb5_error_code db_fetch (krb5_principal, hdb_entry**);
+void free_ent(hdb_entry *);
+void kdc_log (int, const char*, ...)
+    __attribute__ ((format (printf, 2,3)));
+
+char* kdc_log_msg (int, const char*, ...)
+    __attribute__ ((format (printf, 2,3)));
+char* kdc_log_msg_va (int, const char*, va_list)
+    __attribute__ ((format (printf, 2,0)));
+void kdc_openlog (krb5_config_section*);
+void loop (void);
+void set_master_key (EncryptionKey);
+krb5_error_code tgs_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr *);
+Key* unseal_key (Key*);
+krb5_error_code check_flags(hdb_entry *client, const char *client_name,
+			    hdb_entry *server, const char *server_name,
+			    krb5_boolean is_as_req);
+
+#ifdef KRB4
+krb5_error_code db_fetch4 (const char*, const char*, const char*, hdb_entry**);
+krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*);
+krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*, 
+			     struct sockaddr_in*);
+krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*, 
+				  const PrincipalName*, size_t*);
+krb5_error_code encrypt_v4_ticket (void*, size_t, des_cblock*, EncryptedData*);
+krb5_error_code get_des_key(hdb_entry*, krb5_boolean, Key**);
+int maybe_version4 (unsigned char*, int);
+#endif
+
+#ifdef KASERVER
+krb5_error_code do_kaserver (unsigned char*, size_t, krb5_data*, const char*, 
+			     struct sockaddr_in*);
+#endif
+
+#endif /* __KDC_LOCL_H__ */
diff --git a/crypto/heimdal/kdc/kerberos4.c b/crypto/heimdal/kdc/kerberos4.c
new file mode 100644
index 0000000..111bd9f
--- /dev/null
+++ b/crypto/heimdal/kdc/kerberos4.c
@@ -0,0 +1,655 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: kerberos4.c,v 1.36 2001/01/30 01:44:08 assar Exp $");
+
+#ifdef KRB4
+
+#ifndef swap32
+static u_int32_t
+swap32(u_int32_t x)
+{
+    return ((x << 24) & 0xff000000) |
+	((x << 8) & 0xff0000) |
+	((x >> 8) & 0xff00) |
+	((x >> 24) & 0xff);
+}
+#endif /* swap32 */
+
+int
+maybe_version4(unsigned char *buf, int len)
+{
+    return len > 0 && *buf == 4;
+}
+
+static void
+make_err_reply(krb5_data *reply, int code, const char *msg)
+{
+    KTEXT_ST er;
+
+    /* name, instance and realm are not checked in most (all?)
+       implementations; msg is also never used, but we send it anyway
+       (for debugging purposes) */
+
+    if(msg == NULL)
+	msg = krb_get_err_text(code);
+    cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg);
+    krb5_data_copy(reply, er.dat, er.length);
+}
+
+static krb5_boolean
+valid_princ(krb5_context context, krb5_principal princ)
+{
+    krb5_error_code ret;
+    char *s;
+    hdb_entry *ent;
+
+    ret = krb5_unparse_name(context, princ, &s);
+    if (ret)
+	return 0;
+    ret = db_fetch(princ, &ent);
+    if (ret) {
+	kdc_log(7, "Lookup %s failed: %s", s,
+		krb5_get_err_text (context, ret));
+	free(s);
+	return 0;
+    }
+    kdc_log(7, "Lookup %s succeeded", s);
+    free(s);
+    free_ent(ent);
+    return 1;
+}
+
+krb5_error_code
+db_fetch4(const char *name, const char *instance, const char *realm,
+	  hdb_entry **ent)
+{
+    krb5_principal p;
+    krb5_error_code ret;
+    
+    ret = krb5_425_conv_principal_ext(context, name, instance, realm, 
+				      valid_princ, 0, &p);
+    if(ret)
+	return ret;
+    ret = db_fetch(p, ent);
+    krb5_free_principal(context, p);
+    return ret;
+}
+
+krb5_error_code
+get_des_key(hdb_entry *principal, krb5_boolean prefer_afs_key, Key **ret_key)
+{
+    Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL;
+    int i;
+    krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5, 
+			      ETYPE_DES_CBC_MD4, 
+			      ETYPE_DES_CBC_CRC };
+
+    for(i = 0;
+	i < sizeof(etypes)/sizeof(etypes[0])
+	    && (v5_key == NULL || v4_key == NULL || afs_key == NULL);
+	++i) {
+	Key *key = NULL;
+	while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
+	    if(key->salt == NULL) {
+		if(v5_key == NULL)
+		    v5_key = key;
+	    } else if(key->salt->type == hdb_pw_salt && 
+		      key->salt->salt.length == 0) {
+		if(v4_key == NULL)
+		    v4_key = key;
+	    } else if(key->salt->type == hdb_afs3_salt) {
+		if(afs_key == NULL)
+		    afs_key = key;
+	    }
+	}
+    }
+
+    if(prefer_afs_key) {
+	if(afs_key)
+	    *ret_key = afs_key;
+	else if(v4_key)
+	    *ret_key = v4_key;
+	else if(v5_key)
+	    *ret_key = v5_key;
+	else
+	    return KERB_ERR_NULL_KEY;
+    } else {
+	if(v4_key)
+	    *ret_key = v4_key;
+	else if(afs_key)
+	    *ret_key = afs_key;
+	else  if(v5_key)
+	    *ret_key = v5_key;
+	else
+	    return KERB_ERR_NULL_KEY;
+    }
+
+    if((*ret_key)->key.keyvalue.length == 0)
+	return KERB_ERR_NULL_KEY;
+    return 0;
+}
+
+#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
+
+/*
+ * Process the v4 request in `buf, len' (received from `addr'
+ * (with string `from').
+ * Return an error code and a reply in `reply'.
+ */
+
+krb5_error_code
+do_version4(unsigned char *buf,
+	    size_t len,
+	    krb5_data *reply,
+	    const char *from,
+	    struct sockaddr_in *addr)
+{
+    krb5_storage *sp;
+    krb5_error_code ret;
+    hdb_entry *client = NULL, *server = NULL;
+    Key *ckey, *skey;
+    int8_t pvno;
+    int8_t msg_type;
+    int lsb;
+    char *name = NULL, *inst = NULL, *realm = NULL;
+    char *sname = NULL, *sinst = NULL;
+    int32_t req_time;
+    time_t max_life;
+    u_int8_t life;
+    char client_name[256];
+    char server_name[256];
+
+    if(!enable_v4) {
+	kdc_log(0, "Rejected version 4 request from %s", from);
+	make_err_reply(reply, KDC_GEN_ERR, "function not enabled");
+	return 0;
+    }
+
+    sp = krb5_storage_from_mem(buf, len);
+    RCHECK(krb5_ret_int8(sp, &pvno), out);
+    if(pvno != 4){
+	kdc_log(0, "Protocol version mismatch (%d)", pvno);
+	make_err_reply(reply, KDC_PKT_VER, NULL);
+	goto out;
+    }
+    RCHECK(krb5_ret_int8(sp, &msg_type), out);
+    lsb = msg_type & 1;
+    msg_type &= ~1;
+    switch(msg_type){
+    case AUTH_MSG_KDC_REQUEST:
+	RCHECK(krb5_ret_stringz(sp, &name), out1);
+	RCHECK(krb5_ret_stringz(sp, &inst), out1);
+	RCHECK(krb5_ret_stringz(sp, &realm), out1);
+	RCHECK(krb5_ret_int32(sp, &req_time), out1);
+	if(lsb)
+	    req_time = swap32(req_time);
+	RCHECK(krb5_ret_int8(sp, &life), out1);
+	RCHECK(krb5_ret_stringz(sp, &sname), out1);
+	RCHECK(krb5_ret_stringz(sp, &sinst), out1);
+	snprintf (client_name, sizeof(client_name),
+		  "%s.%s@%s", name, inst, realm);
+	snprintf (server_name, sizeof(server_name),
+		  "%s.%s@%s", sname, sinst, v4_realm);
+	
+	kdc_log(0, "AS-REQ %s from %s for %s",
+		client_name, from, server_name);
+
+	ret = db_fetch4(name, inst, realm, &client);
+	if(ret) {
+	    kdc_log(0, "Client not found in database: %s: %s",
+		    client_name, krb5_get_err_text(context, ret));
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
+	    goto out1;
+	}
+	ret = db_fetch4(sname, sinst, v4_realm, &server);
+	if(ret){
+	    kdc_log(0, "Server not found in database: %s: %s",
+		    server_name, krb5_get_err_text(context, ret));
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
+	    goto out1;
+	}
+
+	ret = check_flags (client, client_name,
+			   server, server_name,
+			   TRUE);
+	if (ret) {
+	    /* good error code? */
+	    make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
+	    goto out1;
+	}
+
+	/*
+	 * There's no way to do pre-authentication in v4 and thus no
+	 * good error code to return if preauthentication is required.
+	 */
+
+	if (require_preauth
+	    || client->flags.require_preauth
+	    || server->flags.require_preauth) {
+	    kdc_log(0,
+		    "Pre-authentication required for v4-request: "
+		    "%s for %s",
+		    client_name, server_name);
+	    make_err_reply(reply, KERB_ERR_NULL_KEY, NULL);
+	    goto out1;
+	}
+
+	ret = get_des_key(client, FALSE, &ckey);
+	if(ret){
+	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	    /* XXX */
+	    make_err_reply(reply, KDC_NULL_KEY, 
+			   "No DES key in database (client)");
+	    goto out1;
+	}
+
+#if 0
+	/* this is not necessary with the new code in libkrb */
+	/* find a properly salted key */
+	while(ckey->salt == NULL || ckey->salt->salt.length != 0)
+	    ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
+	if(ret){
+	    kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", 
+		    name, inst, realm);
+	    make_err_reply(reply, KDC_NULL_KEY, 
+			   "No version-4 salted key in database");
+	    goto out1;
+	}
+#endif
+	
+	ret = get_des_key(server, FALSE, &skey);
+	if(ret){
+	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	    /* XXX */
+	    make_err_reply(reply, KDC_NULL_KEY, 
+			   "No DES key in database (server)");
+	    goto out1;
+	}
+
+	max_life = krb_life_to_time(0, life);
+	if(client->max_life)
+	    max_life = min(max_life, *client->max_life);
+	if(server->max_life)
+	    max_life = min(max_life, *server->max_life);
+
+	life = krb_time_to_life(kdc_time, kdc_time + max_life);
+    
+	{
+	    KTEXT_ST cipher, ticket;
+	    KTEXT r;
+	    des_cblock session;
+
+	    des_new_random_key(&session);
+
+	    krb_create_ticket(&ticket, 0, name, inst, v4_realm,
+			      addr->sin_addr.s_addr, session, life, kdc_time, 
+			      sname, sinst, skey->key.keyvalue.data);
+	
+	    create_ciph(&cipher, session, sname, sinst, v4_realm,
+			life, server->kvno, &ticket, kdc_time, 
+			ckey->key.keyvalue.data);
+	    memset(&session, 0, sizeof(session));
+	    r = create_auth_reply(name, inst, realm, req_time, 0, 
+				  client->pw_end ? *client->pw_end : 0, 
+				  client->kvno, &cipher);
+	    krb5_data_copy(reply, r->dat, r->length);
+	    memset(&cipher, 0, sizeof(cipher));
+	    memset(&ticket, 0, sizeof(ticket));
+	}
+    out1:
+	break;
+    case AUTH_MSG_APPL_REQUEST: {
+	int8_t kvno;
+	int8_t ticket_len;
+	int8_t req_len;
+	KTEXT_ST auth;
+	AUTH_DAT ad;
+	size_t pos;
+	krb5_principal tgt_princ = NULL;
+	hdb_entry *tgt = NULL;
+	Key *tkey;
+	
+	RCHECK(krb5_ret_int8(sp, &kvno), out2);
+	RCHECK(krb5_ret_stringz(sp, &realm), out2);
+	
+	ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
+				      &tgt_princ);
+	if(ret){
+	    kdc_log(0, "Converting krbtgt principal: %s", 
+		    krb5_get_err_text(context, ret));
+	    make_err_reply(reply, KFAILURE, 
+			   "Failed to convert v4 principal (krbtgt)");
+	    goto out2;
+	}
+
+	ret = db_fetch(tgt_princ, &tgt);
+	if(ret){
+	    char *s;
+	    s = kdc_log_msg(0, "Ticket-granting ticket not "
+			    "found in database: krbtgt.%s@%s: %s", 
+			    realm, v4_realm,
+			    krb5_get_err_text(context, ret));
+	    make_err_reply(reply, KFAILURE, s);
+	    free(s);
+	    goto out2;
+	}
+	
+	if(tgt->kvno != kvno){
+	    kdc_log(0, "tgs-req with old kvno %d (current %d) for "
+		    "krbtgt.%s@%s", kvno, tgt->kvno, realm, v4_realm);
+	    make_err_reply(reply, KDC_AUTH_EXP,
+			   "old krbtgt kvno used");
+	    goto out2;
+	}
+
+	ret = get_des_key(tgt, FALSE, &tkey);
+	if(ret){
+	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	    /* XXX */
+	    make_err_reply(reply, KDC_NULL_KEY, 
+			   "No DES key in database (krbtgt)");
+	    goto out2;
+	}
+
+	RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
+	RCHECK(krb5_ret_int8(sp, &req_len), out2);
+	
+	pos = sp->seek(sp, ticket_len + req_len, SEEK_CUR);
+	
+	memset(&auth, 0, sizeof(auth));
+	memcpy(&auth.dat, buf, pos);
+	auth.length = pos;
+	krb_set_key(tkey->key.keyvalue.data, 0);
+
+	krb_ignore_ip_address = !check_ticket_addresses;
+
+	ret = krb_rd_req(&auth, "krbtgt", realm, 
+			 addr->sin_addr.s_addr, &ad, 0);
+	if(ret){
+	    kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret));
+	    make_err_reply(reply, ret, NULL);
+	    goto out2;
+	}
+	
+	RCHECK(krb5_ret_int32(sp, &req_time), out2);
+	if(lsb)
+	    req_time = swap32(req_time);
+	RCHECK(krb5_ret_int8(sp, &life), out2);
+	RCHECK(krb5_ret_stringz(sp, &sname), out2);
+	RCHECK(krb5_ret_stringz(sp, &sinst), out2);
+	snprintf (server_name, sizeof(server_name),
+		  "%s.%s@%s",
+		  sname, sinst, v4_realm);
+
+	kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s",
+		ad.pname, ad.pinst, ad.prealm, from, server_name);
+	
+	if(strcmp(ad.prealm, realm)){
+	    kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm);
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+			   "Can't hop realms");
+	    goto out2;
+	}
+
+	if(strcmp(sname, "changepw") == 0){
+	    kdc_log(0, "Bad request for changepw ticket");
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+			   "Can't authorize password change based on TGT");
+	    goto out2;
+	}
+	
+#if 0
+	ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
+	if(ret){
+	    char *s;
+	    s = kdc_log_msg(0, "Client not found in database: %s.%s@%s: %s", 
+			    ad.pname, ad.pinst, ad.prealm,
+			    krb5_get_err_text(context, ret));
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+	    free(s);
+	    goto out2;
+	}
+#endif
+	
+	ret = db_fetch4(sname, sinst, v4_realm, &server);
+	if(ret){
+	    char *s;
+	    s = kdc_log_msg(0, "Server not found in database: %s: %s",
+			    server_name, krb5_get_err_text(context, ret));
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+	    free(s);
+	    goto out2;
+	}
+
+	ret = check_flags (NULL, NULL,
+			   server, server_name,
+			   FALSE);
+	if (ret) {
+	    /* good error code? */
+	    make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
+	    goto out2;
+	}
+
+	ret = get_des_key(server, FALSE, &skey);
+	if(ret){
+	    kdc_log(0, "%s", krb5_get_err_text(context, ret));
+	    /* XXX */
+	    make_err_reply(reply, KDC_NULL_KEY, 
+			   "No DES key in database (server)");
+	    goto out2;
+	}
+
+	max_life = krb_life_to_time(ad.time_sec, ad.life);
+	max_life = min(max_life, krb_life_to_time(kdc_time, life));
+	life = min(life, krb_time_to_life(kdc_time, max_life));
+	max_life = krb_life_to_time(0, life);
+#if 0
+	if(client->max_life)
+	    max_life = min(max_life, *client->max_life);
+#endif
+	if(server->max_life)
+	    max_life = min(max_life, *server->max_life);
+	
+	{
+	    KTEXT_ST cipher, ticket;
+	    KTEXT r;
+	    des_cblock session;
+	    des_new_random_key(&session);
+	    krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
+			      addr->sin_addr.s_addr, &session, life, kdc_time,
+			      sname, sinst, skey->key.keyvalue.data);
+	    
+	    create_ciph(&cipher, session, sname, sinst, v4_realm,
+			life, server->kvno, &ticket,
+			kdc_time, &ad.session);
+
+	    memset(&session, 0, sizeof(session));
+	    memset(ad.session, 0, sizeof(ad.session));
+
+	    r = create_auth_reply(ad.pname, ad.pinst, ad.prealm, 
+				  req_time, 0, 0, 0, &cipher);
+	    krb5_data_copy(reply, r->dat, r->length);
+	    memset(&cipher, 0, sizeof(cipher));
+	    memset(&ticket, 0, sizeof(ticket));
+	}
+    out2:
+	if(tgt_princ)
+	    krb5_free_principal(context, tgt_princ);
+	if(tgt)
+	    free_ent(tgt);
+	break;
+    }
+    
+    case AUTH_MSG_ERR_REPLY:
+	break;
+    default:
+	kdc_log(0, "Unknown message type: %d from %s", 
+		msg_type, from);
+	
+	make_err_reply(reply, KFAILURE, "Unknown message type");
+    }
+out:
+    if(name)
+	free(name);
+    if(inst)
+	free(inst);
+    if(realm)
+	free(realm);
+    if(sname)
+	free(sname);
+    if(sinst)
+	free(sinst);
+    if(client)
+	free_ent(client);
+    if(server)
+	free_ent(server);
+    krb5_storage_free(sp);
+    return 0;
+}
+
+
+#define ETYPE_DES_PCBC 17 /* XXX */
+
+krb5_error_code
+encrypt_v4_ticket(void *buf, size_t len, des_cblock *key, EncryptedData *reply)
+{
+    des_key_schedule schedule;
+
+    reply->etype = ETYPE_DES_PCBC;
+    reply->kvno = NULL;
+    reply->cipher.length = len;
+    reply->cipher.data = malloc(len);
+    if(len != 0 && reply->cipher.data == NULL)
+	return ENOMEM;
+    des_set_key(key, schedule);
+    des_pcbc_encrypt(buf,
+		     reply->cipher.data,
+		     len,
+		     schedule,
+		     key,
+		     DES_ENCRYPT);
+    memset(schedule, 0, sizeof(schedule));
+    return 0;
+}
+
+krb5_error_code
+encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
+		 const PrincipalName *service, size_t *size)
+{
+    krb5_storage *sp;
+    krb5_error_code ret;
+    char name[40], inst[40], realm[40];
+    char sname[40], sinst[40];
+
+    {
+	krb5_principal princ;
+	principalname2krb5_principal(&princ,
+				     *service,
+				     et->crealm);
+	ret = krb5_524_conv_principal(context, 
+				      princ,
+				      sname,
+				      sinst,
+				      realm);
+	krb5_free_principal(context, princ);
+	if(ret)
+	    return ret;
+
+	principalname2krb5_principal(&princ,
+				     et->cname,
+				     et->crealm);
+				     
+	ret = krb5_524_conv_principal(context, 
+				      princ,
+				      name,
+				      inst,
+				      realm);
+	krb5_free_principal(context, princ);
+    }
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_emem();
+    
+    krb5_store_int8(sp, 0); /* flags */
+    krb5_store_stringz(sp, name);
+    krb5_store_stringz(sp, inst);
+    krb5_store_stringz(sp, realm);
+    {
+	unsigned char tmp[4] = { 0, 0, 0, 0 };
+	int i;
+	if(et->caddr){
+	    for(i = 0; i < et->caddr->len; i++)
+		if(et->caddr->val[i].addr_type == AF_INET &&
+		   et->caddr->val[i].address.length == 4){
+		    memcpy(tmp, et->caddr->val[i].address.data, 4);
+		    break;
+		}
+	}
+	sp->store(sp, tmp, sizeof(tmp));
+    }
+
+    if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
+	et->key.keytype != ETYPE_DES_CBC_MD4 &&
+	et->key.keytype != ETYPE_DES_CBC_CRC) || 
+       et->key.keyvalue.length != 8)
+	return -1;
+    sp->store(sp, et->key.keyvalue.data, 8);
+    
+    {
+	time_t start = et->starttime ? *et->starttime : et->authtime;
+	krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
+	krb5_store_int32(sp, start);
+    }
+
+    krb5_store_stringz(sp, sname);
+    krb5_store_stringz(sp, sinst);
+    
+    {
+	krb5_data data;
+	krb5_storage_to_data(sp, &data);
+	krb5_storage_free(sp);
+	*size = (data.length + 7) & ~7; /* pad to 8 bytes */
+	if(*size > len)
+	    return -1;
+	memset((unsigned char*)buf - *size + 1, 0, *size);
+	memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
+	krb5_data_free(&data);
+    }
+    return 0;
+}
+
+#endif /* KRB4 */
diff --git a/crypto/heimdal/kdc/kerberos4.h b/crypto/heimdal/kdc/kerberos4.h
new file mode 100644
index 0000000..5bf3c2b
--- /dev/null
+++ b/crypto/heimdal/kdc/kerberos4.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kerberos4.h,v 1.2 1999/12/02 17:04:59 joda Exp $ */
+
+#ifndef __KERBEROS4_H__
+#define __KERBEROS4_H__
+
+hdb_entry* db_fetch4(const char *name,
+		     const char *instance,
+		     const char *realm);
+
+#endif /* __KERBEROS4_H__ */
diff --git a/crypto/heimdal/kdc/kerberos5.c b/crypto/heimdal/kdc/kerberos5.c
new file mode 100644
index 0000000..e540b12
--- /dev/null
+++ b/crypto/heimdal/kdc/kerberos5.c
@@ -0,0 +1,1771 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: kerberos5.c,v 1.133 2001/05/22 20:16:22 assar Exp $");
+
+#define MAX_TIME ((time_t)((1U << 31) - 1))
+
+static void
+fix_time(time_t **t)
+{
+    if(*t == NULL){
+	ALLOC(*t);
+	**t = MAX_TIME;
+    }
+    if(**t == 0) **t = MAX_TIME; /* fix for old clients */
+}
+
+static void
+set_salt_padata (METHOD_DATA **m, Salt *salt)
+{
+    if (salt) {
+	ALLOC(*m);
+	(*m)->len = 1;
+	ALLOC((*m)->val);
+	(*m)->val->padata_type = salt->type;
+	copy_octet_string(&salt->salt,
+			  &(*m)->val->padata_value);
+    }
+}
+
+static PA_DATA*
+find_padata(KDC_REQ *req, int *start, int type)
+{
+    while(*start < req->padata->len){
+	(*start)++;
+	if(req->padata->val[*start - 1].padata_type == type)
+	    return &req->padata->val[*start - 1];
+    }
+    return NULL;
+}
+
+/*
+ * return the first appropriate key of `princ' in `ret_key'.  Look for
+ * all the etypes in (`etypes', `len'), stopping as soon as we find
+ * one, but preferring one that has default salt
+ */
+
+static krb5_error_code
+find_etype(hdb_entry *princ, unsigned *etypes, unsigned len, 
+	   Key **ret_key, krb5_enctype *ret_etype)
+{
+    int i;
+    krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+
+    for(i = 0; ret != 0 && i < len ; i++) {
+	Key *key = NULL;
+
+	while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) {
+	    if (key->key.keyvalue.length == 0) {
+		ret = KRB5KDC_ERR_NULL_KEY;
+		continue;
+	    }
+	    *ret_key   = key;
+	    *ret_etype = etypes[i];
+	    ret = 0;
+	    if (key->salt == NULL)
+		return ret;
+	}
+    }
+    return ret;
+}
+
+static krb5_error_code
+find_keys(hdb_entry *client,
+	  hdb_entry *server, 
+	  Key **ckey,
+	  krb5_enctype *cetype,
+	  Key **skey,
+	  krb5_enctype *setype, 
+	  int *etypes,
+	  unsigned num_etypes)
+{
+    krb5_error_code ret;
+
+    if(client){
+	/* find client key */
+	ret = find_etype(client, etypes, num_etypes, ckey, cetype);
+	if (ret) {
+	    kdc_log(0, "Client has no support for etypes");
+	    return ret;
+	}
+    }
+
+    if(server){
+	/* find server key */
+	ret = find_etype(server, etypes, num_etypes, skey, setype);
+	if (ret) {
+	    kdc_log(0, "Server has no support for etypes");
+	    return ret;
+	}
+    }
+    return 0;
+}
+
+static krb5_error_code
+make_anonymous_principalname (PrincipalName *pn)
+{
+    pn->name_type = KRB5_NT_PRINCIPAL;
+    pn->name_string.len = 1;
+    pn->name_string.val = malloc(sizeof(*pn->name_string.val));
+    if (pn->name_string.val == NULL)
+	return ENOMEM;
+    pn->name_string.val[0] = strdup("anonymous");
+    if (pn->name_string.val[0] == NULL) {
+	free(pn->name_string.val);
+	pn->name_string.val = NULL;
+	return ENOMEM;
+    }
+    return 0;
+}
+
+static krb5_error_code
+encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek, 
+	     krb5_enctype etype, 
+	     int skvno, EncryptionKey *skey,
+	     int ckvno, EncryptionKey *ckey,
+	     krb5_data *reply)
+{
+    unsigned char buf[8192]; /* XXX The data could be indefinite */
+    size_t len;
+    krb5_error_code ret;
+    krb5_crypto crypto;
+
+    ret = encode_EncTicketPart(buf + sizeof(buf) - 1, sizeof(buf), et, &len);
+    if(ret) {
+	kdc_log(0, "Failed to encode ticket: %s", 
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
+    
+
+    ret = krb5_crypto_init(context, skey, etype, &crypto);
+    if (ret) {
+	kdc_log(0, "krb5_crypto_init failed: %s",
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
+
+    krb5_encrypt_EncryptedData(context, 
+			       crypto,
+			       KRB5_KU_TICKET,
+			       buf + sizeof(buf) - len,
+			       len,
+			       skvno,
+			       &rep->ticket.enc_part);
+
+    krb5_crypto_destroy(context, crypto);
+    
+    if(rep->msg_type == krb_as_rep && !encode_as_rep_as_tgs_rep)
+	ret = encode_EncASRepPart(buf + sizeof(buf) - 1, sizeof(buf), 
+				  ek, &len);
+    else
+	ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1, sizeof(buf), 
+				   ek, &len);
+    if(ret) {
+	kdc_log(0, "Failed to encode KDC-REP: %s", 
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
+    ret = krb5_crypto_init(context, ckey, 0, &crypto);
+    if (ret) {
+	kdc_log(0, "krb5_crypto_init failed: %s",
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
+    if(rep->msg_type == krb_as_rep) {
+	krb5_encrypt_EncryptedData(context,
+				   crypto,
+				   KRB5_KU_AS_REP_ENC_PART,
+				   buf + sizeof(buf) - len,
+				   len,
+				   ckvno,
+				   &rep->enc_part);
+	ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), rep, &len);
+    } else {
+	krb5_encrypt_EncryptedData(context,
+				   crypto,
+				   KRB5_KU_TGS_REP_ENC_PART_SESSION,
+				   buf + sizeof(buf) - len,
+				   len,
+				   ckvno,
+				   &rep->enc_part);
+	ret = encode_TGS_REP(buf + sizeof(buf) - 1, sizeof(buf), rep, &len);
+    }
+    krb5_crypto_destroy(context, crypto);
+    if(ret) {
+	kdc_log(0, "Failed to encode KDC-REP: %s", 
+		krb5_get_err_text(context, ret));
+	return ret;
+    }
+    krb5_data_copy(reply, buf + sizeof(buf) - len, len);
+    return 0;
+}
+
+static int
+realloc_method_data(METHOD_DATA *md)
+{
+    PA_DATA *pa;
+    pa = realloc(md->val, (md->len + 1) * sizeof(*md->val));
+    if(pa == NULL)
+	return ENOMEM;
+    md->val = pa;
+    md->len++;
+    return 0;
+}
+
+static krb5_error_code
+get_pa_etype_info(METHOD_DATA *md, hdb_entry *client)
+{
+    krb5_error_code ret = 0;
+    int i;
+    ETYPE_INFO pa;
+    unsigned char *buf;
+    size_t len;
+    
+
+    pa.len = client->keys.len;
+    pa.val = malloc(pa.len * sizeof(*pa.val));
+    if(pa.val == NULL)
+	return ENOMEM;
+    for(i = 0; i < client->keys.len; i++) {
+	pa.val[i].etype = client->keys.val[i].key.keytype;
+	if(client->keys.val[i].salt){
+	    ALLOC(pa.val[i].salttype);
+#if 0
+	    if(client->keys.val[i].salt->type == hdb_pw_salt)
+		*pa.val[i].salttype = 0; /* or 1? or NULL? */
+	    else if(client->keys.val[i].salt->type == hdb_afs3_salt)
+		*pa.val[i].salttype = 2;
+	    else {
+		free_ETYPE_INFO(&pa);
+		kdc_log(0, "unknown salt-type: %d", 
+			client->keys.val[i].salt->type);
+		return KRB5KRB_ERR_GENERIC;
+	    }
+	    /* according to `the specs', we can't send a salt if
+	       we have AFS3 salted key, but that requires that you
+	       *know* what cell you are using (e.g by assuming
+	       that the cell is the same as the realm in lower
+	       case) */
+#else
+	    *pa.val[i].salttype = client->keys.val[i].salt->type;
+#endif
+	    krb5_copy_data(context, &client->keys.val[i].salt->salt,
+			   &pa.val[i].salt);
+	} else {
+	    /* we return no salt type at all, as that should indicate
+	     * the default salt type and make everybody happy.  some
+	     * systems (like w2k) dislike being told the salt type
+	     * here. */
+
+	    pa.val[i].salttype = NULL;
+	    pa.val[i].salt = NULL;
+	}
+    }
+    len = length_ETYPE_INFO(&pa);
+    buf = malloc(len);
+    if (buf == NULL) {
+	free_ETYPE_INFO(&pa);
+	return ENOMEM;
+    }
+    ret = encode_ETYPE_INFO(buf + len - 1, len, &pa, &len);
+    free_ETYPE_INFO(&pa);
+    if(ret) {
+	free(buf);
+	return ret;
+    }
+    ret = realloc_method_data(md);
+    if(ret) {
+	free(buf);
+	return ret;
+    }
+    md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO;
+    md->val[md->len - 1].padata_value.length = len;
+    md->val[md->len - 1].padata_value.data = buf;
+    return 0;
+}
+
+/*
+ * verify the flags on `client' and `server', returning 0
+ * if they are OK and generating an error messages and returning
+ * and error code otherwise.
+ */
+
+krb5_error_code
+check_flags(hdb_entry *client, const char *client_name,
+	    hdb_entry *server, const char *server_name,
+	    krb5_boolean is_as_req)
+{
+    if(client != NULL) {
+	/* check client */
+	if (client->flags.invalid) {
+	    kdc_log(0, "Client (%s) has invalid bit set", client_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+	
+	if(!client->flags.client){
+	    kdc_log(0, "Principal may not act as client -- %s", 
+		    client_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+	
+	if (client->valid_start && *client->valid_start > kdc_time) {
+	    kdc_log(0, "Client not yet valid -- %s", client_name);
+	    return KRB5KDC_ERR_CLIENT_NOTYET;
+	}
+	
+	if (client->valid_end && *client->valid_end < kdc_time) {
+	    kdc_log(0, "Client expired -- %s", client_name);
+	    return KRB5KDC_ERR_NAME_EXP;
+	}
+	
+	if (client->pw_end && *client->pw_end < kdc_time
+	    && !server->flags.change_pw) {
+	    kdc_log(0, "Client's key has expired -- %s", client_name);
+	    return KRB5KDC_ERR_KEY_EXPIRED;
+	}
+    }
+
+    /* check server */
+    
+    if (server != NULL) {
+	if (server->flags.invalid) {
+	    kdc_log(0, "Server has invalid flag set -- %s", server_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+
+	if(!server->flags.server){
+	    kdc_log(0, "Principal may not act as server -- %s", 
+		    server_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+
+	if(!is_as_req && server->flags.initial) {
+	    kdc_log(0, "AS-REQ is required for server -- %s", server_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+
+	if (server->valid_start && *server->valid_start > kdc_time) {
+	    kdc_log(0, "Server not yet valid -- %s", server_name);
+	    return KRB5KDC_ERR_SERVICE_NOTYET;
+	}
+
+	if (server->valid_end && *server->valid_end < kdc_time) {
+	    kdc_log(0, "Server expired -- %s", server_name);
+	    return KRB5KDC_ERR_SERVICE_EXP;
+	}
+
+	if (server->pw_end && *server->pw_end < kdc_time) {
+	    kdc_log(0, "Server's key has expired -- %s", server_name);
+	    return KRB5KDC_ERR_KEY_EXPIRED;
+	}
+    }
+    return 0;
+}
+
+/*
+ * Return TRUE if `from' is part of `addresses' taking into consideration
+ * the configuration variables that tells us how strict we should be about
+ * these checks
+ */
+
+static krb5_boolean
+check_addresses(HostAddresses *addresses, const struct sockaddr *from)
+{
+    krb5_error_code ret;
+    krb5_address addr;
+    krb5_boolean result;
+    
+    if(check_ticket_addresses == 0)
+	return TRUE;
+
+    if(addresses == NULL)
+	return allow_null_ticket_addresses;
+    
+    ret = krb5_sockaddr2address (context, from, &addr);
+    if(ret)
+	return FALSE;
+
+    result = krb5_address_search(context, &addr, addresses);
+    krb5_free_address (context, &addr);
+    return result;
+}
+
+krb5_error_code
+as_rep(KDC_REQ *req, 
+       krb5_data *reply,
+       const char *from,
+       struct sockaddr *from_addr)
+{
+    KDC_REQ_BODY *b = &req->req_body;
+    AS_REP rep;
+    KDCOptions f = b->kdc_options;
+    hdb_entry *client = NULL, *server = NULL;
+    krb5_enctype cetype, setype;
+    EncTicketPart et;
+    EncKDCRepPart ek;
+    krb5_principal client_princ, server_princ;
+    char *client_name, *server_name;
+    krb5_error_code ret = 0;
+    const char *e_text = NULL;
+    krb5_crypto crypto;
+    Key *ckey, *skey;
+
+    memset(&rep, 0, sizeof(rep));
+
+    if(b->sname == NULL){
+	server_name = "<unknown server>";
+	ret = KRB5KRB_ERR_GENERIC;
+	e_text = "No server in request";
+    } else{
+	principalname2krb5_principal (&server_princ, *(b->sname), b->realm);
+	krb5_unparse_name(context, server_princ, &server_name);
+    }
+    
+    if(b->cname == NULL){
+	client_name = "<unknown client>";
+	ret = KRB5KRB_ERR_GENERIC;
+	e_text = "No client in request";
+    } else {
+	principalname2krb5_principal (&client_princ, *(b->cname), b->realm);
+	krb5_unparse_name(context, client_princ, &client_name);
+    }
+    kdc_log(0, "AS-REQ %s from %s for %s", 
+	    client_name, from, server_name);
+
+    if(ret)
+	goto out;
+
+    ret = db_fetch(client_princ, &client);
+    if(ret){
+	kdc_log(0, "UNKNOWN -- %s: %s", client_name,
+		krb5_get_err_text(context, ret));
+	ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	goto out;
+    }
+
+    ret = db_fetch(server_princ, &server);
+    if(ret){
+	kdc_log(0, "UNKNOWN -- %s: %s", server_name,
+		krb5_get_err_text(context, ret));
+	ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	goto out;
+    }
+
+    ret = check_flags(client, client_name, server, server_name, TRUE);
+    if(ret)
+	goto out;
+
+    memset(&et, 0, sizeof(et));
+    memset(&ek, 0, sizeof(ek));
+
+    if(req->padata){
+	int i = 0;
+	PA_DATA *pa;
+	int found_pa = 0;
+	kdc_log(5, "Looking for pa-data -- %s", client_name);
+	while((pa = find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){
+	    krb5_data ts_data;
+	    PA_ENC_TS_ENC p;
+	    time_t patime;
+	    size_t len;
+	    EncryptedData enc_data;
+	    Key *pa_key;
+	    
+	    found_pa = 1;
+	    
+	    ret = decode_EncryptedData(pa->padata_value.data,
+				       pa->padata_value.length,
+				       &enc_data,
+				       &len);
+	    if (ret) {
+		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+		kdc_log(5, "Failed to decode PA-DATA -- %s", 
+			client_name);
+		goto out;
+	    }
+	    
+	    ret = hdb_enctype2key(context, client, enc_data.etype, &pa_key);
+	    if(ret){
+		char *estr;
+		e_text = "No key matches pa-data";
+		ret = KRB5KDC_ERR_PREAUTH_FAILED;
+		if(krb5_enctype_to_string(context, enc_data.etype, &estr))
+		    estr = NULL;
+		if(estr == NULL)
+		    kdc_log(5, "No client key matching pa-data (%d) -- %s", 
+			    enc_data.etype, client_name);
+		else
+		    kdc_log(5, "No client key matching pa-data (%s) -- %s", 
+			    estr, client_name);
+		free(estr);
+		    
+		free_EncryptedData(&enc_data);
+		continue;
+	    }
+	    
+	    ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto);
+	    if (ret) {
+		kdc_log(0, "krb5_crypto_init failed: %s",
+			krb5_get_err_text(context, ret));
+		free_EncryptedData(&enc_data);
+		continue;
+	    }
+
+	    ret = krb5_decrypt_EncryptedData (context,
+					      crypto,
+					      KRB5_KU_PA_ENC_TIMESTAMP,
+					      &enc_data,
+					      &ts_data);
+	    krb5_crypto_destroy(context, crypto);
+	    free_EncryptedData(&enc_data);
+	    if(ret){
+		e_text = "Failed to decrypt PA-DATA";
+		kdc_log (5, "Failed to decrypt PA-DATA -- %s",
+			 client_name);
+		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+		continue;
+	    }
+	    ret = decode_PA_ENC_TS_ENC(ts_data.data,
+				       ts_data.length,
+				       &p,
+				       &len);
+	    krb5_data_free(&ts_data);
+	    if(ret){
+		e_text = "Failed to decode PA-ENC-TS-ENC";
+		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+		kdc_log (5, "Failed to decode PA-ENC-TS_ENC -- %s",
+			 client_name);
+		continue;
+	    }
+	    patime = p.patimestamp;
+	    free_PA_ENC_TS_ENC(&p);
+	    if (abs(kdc_time - p.patimestamp) > context->max_skew) {
+		ret = KRB5KDC_ERR_PREAUTH_FAILED;
+		e_text = "Too large time skew";
+		kdc_log(0, "Too large time skew -- %s", client_name);
+		goto out;
+	    }
+	    et.flags.pre_authent = 1;
+	    kdc_log(2, "Pre-authentication succeded -- %s", client_name);
+	    break;
+	}
+	if(found_pa == 0 && require_preauth)
+	    goto use_pa;
+	/* We come here if we found a pa-enc-timestamp, but if there
+           was some problem with it, other than too large skew */
+	if(found_pa && et.flags.pre_authent == 0){
+	    kdc_log(0, "%s -- %s", e_text, client_name);
+	    e_text = NULL;
+	    goto out;
+	}
+    }else if (require_preauth
+	      || client->flags.require_preauth
+	      || server->flags.require_preauth) {
+	METHOD_DATA method_data;
+	PA_DATA *pa;
+	unsigned char *buf;
+	size_t len;
+	krb5_data foo_data;
+
+    use_pa: 
+	method_data.len = 0;
+	method_data.val = NULL;
+
+	ret = realloc_method_data(&method_data);
+	pa = &method_data.val[method_data.len-1];
+	pa->padata_type		= KRB5_PADATA_ENC_TIMESTAMP;
+	pa->padata_value.length	= 0;
+	pa->padata_value.data	= NULL;
+
+	ret = get_pa_etype_info(&method_data, client); /* XXX check ret */
+	
+	len = length_METHOD_DATA(&method_data);
+	buf = malloc(len);
+	encode_METHOD_DATA(buf + len - 1,
+			   len,
+			   &method_data,
+			   &len);
+	free_METHOD_DATA(&method_data);
+	foo_data.length = len;
+	foo_data.data   = buf;
+	
+	ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
+	krb5_mk_error(context,
+		      ret,
+		      "Need to use PA-ENC-TIMESTAMP",
+		      &foo_data,
+		      client_princ,
+		      server_princ,
+		      NULL,
+		      NULL,
+		      reply);
+	free(buf);
+	kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name);
+	ret = 0;
+	goto out2;
+    }
+    
+    ret = find_keys(client, server, &ckey, &cetype, &skey, &setype,
+		    b->etype.val, b->etype.len);
+    if(ret) {
+	kdc_log(0, "Server/client has no support for etypes");
+	goto out;
+    }
+	
+    {
+	char *cet;
+	char *set;
+
+	ret = krb5_enctype_to_string(context, cetype, &cet);
+	if(ret == 0) {
+	    ret = krb5_enctype_to_string(context, setype, &set);
+	    if (ret == 0) {
+		kdc_log(5, "Using %s/%s", cet, set);
+		free(set);
+	    } else
+	    free(cet);
+	} else
+	    kdc_log(5, "Using e-types %d/%d", cetype, setype);
+    }
+    
+    {
+	char str[128];
+	unparse_flags(KDCOptions2int(f), KDCOptions_units, str, sizeof(str));
+	if(*str)
+	    kdc_log(2, "Requested flags: %s", str);
+    }
+    
+
+    if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
+       || (f.request_anonymous && !allow_anonymous)) {
+	ret = KRB5KDC_ERR_BADOPTION;
+	kdc_log(0, "Bad KDC options -- %s", client_name);
+	goto out;
+    }
+    
+    rep.pvno = 5;
+    rep.msg_type = krb_as_rep;
+    copy_Realm(&b->realm, &rep.crealm);
+    if (f.request_anonymous)
+	make_anonymous_principalname (&rep.cname);
+    else
+	copy_PrincipalName(b->cname, &rep.cname);
+    rep.ticket.tkt_vno = 5;
+    copy_Realm(&b->realm, &rep.ticket.realm);
+    copy_PrincipalName(b->sname, &rep.ticket.sname);
+
+    et.flags.initial = 1;
+    if(client->flags.forwardable && server->flags.forwardable)
+	et.flags.forwardable = f.forwardable;
+    else if (f.forwardable) {
+	ret = KRB5KDC_ERR_POLICY;
+	kdc_log(0, "Ticket may not be forwardable -- %s", client_name);
+	goto out;
+    }
+    if(client->flags.proxiable && server->flags.proxiable)
+	et.flags.proxiable = f.proxiable;
+    else if (f.proxiable) {
+	ret = KRB5KDC_ERR_POLICY;
+	kdc_log(0, "Ticket may not be proxiable -- %s", client_name);
+	goto out;
+    }
+    if(client->flags.postdate && server->flags.postdate)
+	et.flags.may_postdate = f.allow_postdate;
+    else if (f.allow_postdate){
+	ret = KRB5KDC_ERR_POLICY;
+	kdc_log(0, "Ticket may not be postdatable -- %s", client_name);
+	goto out;
+    }
+
+    /* check for valid set of addresses */
+    if(!check_addresses(b->addresses, from_addr)) {
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	kdc_log(0, "Bad address list requested -- %s", client_name);
+	goto out;
+    }
+
+    krb5_generate_random_keyblock(context, setype, &et.key);
+    copy_PrincipalName(&rep.cname, &et.cname);
+    copy_Realm(&b->realm, &et.crealm);
+    
+    {
+	time_t start;
+	time_t t;
+	
+	start = et.authtime = kdc_time;
+    
+	if(f.postdated && req->req_body.from){
+	    ALLOC(et.starttime);
+	    start = *et.starttime = *req->req_body.from;
+	    et.flags.invalid = 1;
+	    et.flags.postdated = 1; /* XXX ??? */
+	}
+	fix_time(&b->till);
+	t = *b->till;
+
+	/* be careful not overflowing */
+
+	if(client->max_life)
+	    t = start + min(t - start, *client->max_life);
+	if(server->max_life)
+	    t = start + min(t - start, *server->max_life);
+#if 0
+	t = min(t, start + realm->max_life);
+#endif
+	et.endtime = t;
+	if(f.renewable_ok && et.endtime < *b->till){
+	    f.renewable = 1;
+	    if(b->rtime == NULL){
+		ALLOC(b->rtime);
+		*b->rtime = 0;
+	    }
+	    if(*b->rtime < *b->till)
+		*b->rtime = *b->till;
+	}
+	if(f.renewable && b->rtime){
+	    t = *b->rtime;
+	    if(t == 0)
+		t = MAX_TIME;
+	    if(client->max_renew)
+		t = start + min(t - start, *client->max_renew);
+	    if(server->max_renew)
+		t = start + min(t - start, *server->max_renew);
+#if 0
+	    t = min(t, start + realm->max_renew);
+#endif
+	    ALLOC(et.renew_till);
+	    *et.renew_till = t;
+	    et.flags.renewable = 1;
+	}
+    }
+
+    if (f.request_anonymous)
+	et.flags.anonymous = 1;
+    
+    if(b->addresses){
+	ALLOC(et.caddr);
+	copy_HostAddresses(b->addresses, et.caddr);
+    }
+    
+    {
+	krb5_data empty_string;
+      
+	krb5_data_zero(&empty_string); 
+	et.transited.tr_type = DOMAIN_X500_COMPRESS;
+	et.transited.contents = empty_string;
+    }
+     
+    copy_EncryptionKey(&et.key, &ek.key);
+
+    /* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
+     * as 0 and as 0x80 (meaning indefinite length) apart, and is thus
+     * incapable of correctly decoding SEQUENCE OF's of zero length.
+     *
+     * To fix this, always send at least one no-op last_req
+     *
+     * If there's a pw_end or valid_end we will use that,
+     * otherwise just a dummy lr.
+     */
+    ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
+    ek.last_req.len = 0;
+    if (client->pw_end
+	&& (kdc_warn_pwexpire == 0
+	    || kdc_time + kdc_warn_pwexpire <= *client->pw_end)) {
+	ek.last_req.val[ek.last_req.len].lr_type  = LR_PW_EXPTIME;
+	ek.last_req.val[ek.last_req.len].lr_value = *client->pw_end;
+	++ek.last_req.len;
+    }
+    if (client->valid_end) {
+	ek.last_req.val[ek.last_req.len].lr_type  = LR_ACCT_EXPTIME;
+	ek.last_req.val[ek.last_req.len].lr_value = *client->valid_end;
+	++ek.last_req.len;
+    }
+    if (ek.last_req.len == 0) {
+	ek.last_req.val[ek.last_req.len].lr_type  = LR_NONE;
+	ek.last_req.val[ek.last_req.len].lr_value = 0;
+	++ek.last_req.len;
+    }
+    ek.nonce = b->nonce;
+    if (client->valid_end || client->pw_end) {
+	ALLOC(ek.key_expiration);
+	if (client->valid_end) {
+	    if (client->pw_end)
+		*ek.key_expiration = min(*client->valid_end, *client->pw_end);
+	    else
+		*ek.key_expiration = *client->valid_end;
+	} else
+	    *ek.key_expiration = *client->pw_end;
+    } else
+	ek.key_expiration = NULL;
+    ek.flags = et.flags;
+    ek.authtime = et.authtime;
+    if (et.starttime) {
+	ALLOC(ek.starttime);
+	*ek.starttime = *et.starttime;
+    }
+    ek.endtime = et.endtime;
+    if (et.renew_till) {
+	ALLOC(ek.renew_till);
+	*ek.renew_till = *et.renew_till;
+    }
+    copy_Realm(&rep.ticket.realm, &ek.srealm);
+    copy_PrincipalName(&rep.ticket.sname, &ek.sname);
+    if(et.caddr){
+	ALLOC(ek.caddr);
+	copy_HostAddresses(et.caddr, ek.caddr);
+    }
+
+    set_salt_padata (&rep.padata, ckey->salt);
+    ret = encode_reply(&rep, &et, &ek, setype, server->kvno, &skey->key,
+		       client->kvno, &ckey->key, reply);
+    free_EncTicketPart(&et);
+    free_EncKDCRepPart(&ek);
+    free_AS_REP(&rep);
+out:
+    if(ret){
+	krb5_mk_error(context,
+		      ret,
+		      e_text,
+		      NULL,
+		      client_princ,
+		      server_princ,
+		      NULL,
+		      NULL,
+		      reply);
+	ret = 0;
+    }
+out2:
+    krb5_free_principal(context, client_princ);
+    free(client_name);
+    krb5_free_principal(context, server_princ);
+    free(server_name);
+    if(client)
+	free_ent(client);
+    if(server)
+	free_ent(server);
+    return ret;
+}
+
+
+static krb5_error_code
+check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et)
+{
+    KDCOptions f = b->kdc_options;
+	
+    if(f.validate){
+	if(!tgt->flags.invalid || tgt->starttime == NULL){
+	    kdc_log(0, "Bad request to validate ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	if(*tgt->starttime > kdc_time){
+	    kdc_log(0, "Early request to validate ticket");
+	    return KRB5KRB_AP_ERR_TKT_NYV;
+	}
+	/* XXX  tkt = tgt */
+	et->flags.invalid = 0;
+    }else if(tgt->flags.invalid){
+	kdc_log(0, "Ticket-granting ticket has INVALID flag set");
+	return KRB5KRB_AP_ERR_TKT_INVALID;
+    }
+
+    if(f.forwardable){
+	if(!tgt->flags.forwardable){
+	    kdc_log(0, "Bad request for forwardable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.forwardable = 1;
+    }
+    if(f.forwarded){
+	if(!tgt->flags.forwardable){
+	    kdc_log(0, "Request to forward non-forwardable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.forwarded = 1;
+	et->caddr = b->addresses;
+    }
+    if(tgt->flags.forwarded)
+	et->flags.forwarded = 1;
+	
+    if(f.proxiable){
+	if(!tgt->flags.proxiable){
+	    kdc_log(0, "Bad request for proxiable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.proxiable = 1;
+    }
+    if(f.proxy){
+	if(!tgt->flags.proxiable){
+	    kdc_log(0, "Request to proxy non-proxiable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.proxy = 1;
+	et->caddr = b->addresses;
+    }
+    if(tgt->flags.proxy)
+	et->flags.proxy = 1;
+
+    if(f.allow_postdate){
+	if(!tgt->flags.may_postdate){
+	    kdc_log(0, "Bad request for post-datable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.may_postdate = 1;
+    }
+    if(f.postdated){
+	if(!tgt->flags.may_postdate){
+	    kdc_log(0, "Bad request for postdated ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	if(b->from)
+	    *et->starttime = *b->from;
+	et->flags.postdated = 1;
+	et->flags.invalid = 1;
+    }else if(b->from && *b->from > kdc_time + context->max_skew){
+	kdc_log(0, "Ticket cannot be postdated");
+	return KRB5KDC_ERR_CANNOT_POSTDATE;
+    }
+
+    if(f.renewable){
+	if(!tgt->flags.renewable){
+	    kdc_log(0, "Bad request for renewable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	et->flags.renewable = 1;
+	ALLOC(et->renew_till);
+	fix_time(&b->rtime);
+	*et->renew_till = *b->rtime;
+    }
+    if(f.renew){
+	time_t old_life;
+	if(!tgt->flags.renewable || tgt->renew_till == NULL){
+	    kdc_log(0, "Request to renew non-renewable ticket");
+	    return KRB5KDC_ERR_BADOPTION;
+	}
+	old_life = tgt->endtime;
+	if(tgt->starttime)
+	    old_life -= *tgt->starttime;
+	else
+	    old_life -= tgt->authtime;
+	et->endtime = *et->starttime + old_life;
+	if (et->renew_till != NULL)
+	    et->endtime = min(*et->renew_till, et->endtime);
+    }	    
+    
+    /* checks for excess flags */
+    if(f.request_anonymous && !allow_anonymous){
+	kdc_log(0, "Request for anonymous ticket");
+	return KRB5KDC_ERR_BADOPTION;
+    }
+    return 0;
+}
+
+static krb5_error_code
+fix_transited_encoding(TransitedEncoding *tr, 
+		       const char *client_realm, 
+		       const char *server_realm, 
+		       const char *tgt_realm)
+{
+    krb5_error_code ret = 0;
+    if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)){
+	char **realms = NULL, **tmp;
+	int num_realms = 0;
+	int i;
+	if(tr->tr_type && tr->contents.length != 0) {
+	    if(tr->tr_type != DOMAIN_X500_COMPRESS){
+		kdc_log(0, "Unknown transited type: %u", 
+			tr->tr_type);
+		return KRB5KDC_ERR_TRTYPE_NOSUPP;
+	    }
+	    ret = krb5_domain_x500_decode(context, 
+					  tr->contents,
+					  &realms, 
+					  &num_realms,
+					  client_realm,
+					  server_realm);
+	    if(ret){
+		krb5_warn(context, ret, "Decoding transited encoding");
+		return ret;
+	    }
+	}
+	tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
+	if(tmp == NULL){
+	    ret = ENOMEM;
+	    goto free_realms;
+	}
+	realms = tmp;
+	realms[num_realms] = strdup(tgt_realm);
+	if(realms[num_realms] == NULL){
+	    ret = ENOMEM;
+	    goto free_realms;
+	}
+	num_realms++;
+	free_TransitedEncoding(tr);
+	tr->tr_type = DOMAIN_X500_COMPRESS;
+	ret = krb5_domain_x500_encode(realms, num_realms, &tr->contents);
+	if(ret)
+	    krb5_warn(context, ret, "Encoding transited encoding");
+    free_realms:
+	for(i = 0; i < num_realms; i++)
+	    free(realms[i]);
+	free(realms);
+    }
+    return ret;
+}
+
+
+static krb5_error_code
+tgs_make_reply(KDC_REQ_BODY *b, 
+	       EncTicketPart *tgt, 
+	       EncTicketPart *adtkt, 
+	       AuthorizationData *auth_data,
+	       hdb_entry *server, 
+	       hdb_entry *client, 
+	       krb5_principal client_principal, 
+	       hdb_entry *krbtgt,
+	       krb5_enctype cetype,
+	       krb5_data *reply)
+{
+    KDC_REP rep;
+    EncKDCRepPart ek;
+    EncTicketPart et;
+    KDCOptions f = b->kdc_options;
+    krb5_error_code ret;
+    krb5_enctype etype;
+    Key *skey;
+    EncryptionKey *ekey;
+    
+    if(adtkt) {
+	int i;
+	krb5_keytype kt;
+	ekey = &adtkt->key;
+	for(i = 0; i < b->etype.len; i++){
+	    ret = krb5_enctype_to_keytype(context, b->etype.val[i], &kt);
+	    if(ret)
+		continue;
+	    if(adtkt->key.keytype == kt)
+		break;
+	}
+	if(i == b->etype.len)
+	    return KRB5KDC_ERR_ETYPE_NOSUPP;
+	etype = b->etype.val[i];
+    }else{
+	ret = find_keys(NULL, server, NULL, NULL, &skey, &etype, 
+			b->etype.val, b->etype.len);
+	if(ret) {
+	    kdc_log(0, "Server has no support for etypes");
+	    return ret;
+	}
+	ekey = &skey->key;
+    }
+    
+    memset(&rep, 0, sizeof(rep));
+    memset(&et, 0, sizeof(et));
+    memset(&ek, 0, sizeof(ek));
+    
+    rep.pvno = 5;
+    rep.msg_type = krb_tgs_rep;
+
+    et.authtime = tgt->authtime;
+    fix_time(&b->till);
+    et.endtime = min(tgt->endtime, *b->till);
+    ALLOC(et.starttime);
+    *et.starttime = kdc_time;
+    
+    ret = check_tgs_flags(b, tgt, &et);
+    if(ret)
+	return ret;
+
+    copy_TransitedEncoding(&tgt->transited, &et.transited);
+    ret = fix_transited_encoding(&et.transited,
+				 *krb5_princ_realm(context, client_principal),
+				 *krb5_princ_realm(context, server->principal),
+				 *krb5_princ_realm(context, krbtgt->principal));
+    if(ret){
+	free_TransitedEncoding(&et.transited);
+	return ret;
+    }
+
+
+    copy_Realm(krb5_princ_realm(context, server->principal), 
+	       &rep.ticket.realm);
+    krb5_principal2principalname(&rep.ticket.sname, server->principal);
+    copy_Realm(&tgt->crealm, &rep.crealm);
+    if (f.request_anonymous)
+	make_anonymous_principalname (&tgt->cname);
+    else
+	copy_PrincipalName(&tgt->cname, &rep.cname);
+    rep.ticket.tkt_vno = 5;
+
+    ek.caddr = et.caddr;
+    if(et.caddr == NULL)
+	et.caddr = tgt->caddr;
+
+    {
+	time_t life;
+	life = et.endtime - *et.starttime;
+	if(client && client->max_life)
+	    life = min(life, *client->max_life);
+	if(server->max_life)
+	    life = min(life, *server->max_life);
+	et.endtime = *et.starttime + life;
+    }
+    if(f.renewable_ok && tgt->flags.renewable && 
+       et.renew_till == NULL && et.endtime < *b->till){
+	et.flags.renewable = 1;
+	ALLOC(et.renew_till);
+	*et.renew_till = *b->till;
+    }
+    if(et.renew_till){
+	time_t renew;
+	renew = *et.renew_till - et.authtime;
+	if(client && client->max_renew)
+	    renew = min(renew, *client->max_renew);
+	if(server->max_renew)
+	    renew = min(renew, *server->max_renew);
+	*et.renew_till = et.authtime + renew;
+    }
+	    
+    if(et.renew_till){
+	*et.renew_till = min(*et.renew_till, *tgt->renew_till);
+	*et.starttime = min(*et.starttime, *et.renew_till);
+	et.endtime = min(et.endtime, *et.renew_till);
+    }
+    
+    *et.starttime = min(*et.starttime, et.endtime);
+
+    if(*et.starttime == et.endtime){
+	ret = KRB5KDC_ERR_NEVER_VALID;
+	goto out;
+    }
+    if(et.renew_till && et.endtime == *et.renew_till){
+	free(et.renew_till);
+	et.renew_till = NULL;
+	et.flags.renewable = 0;
+    }
+    
+    et.flags.pre_authent = tgt->flags.pre_authent;
+    et.flags.hw_authent  = tgt->flags.hw_authent;
+    et.flags.anonymous   = tgt->flags.anonymous;
+	    
+    /* XXX Check enc-authorization-data */
+    et.authorization_data = auth_data;
+
+    krb5_generate_random_keyblock(context, etype, &et.key);
+    et.crealm = tgt->crealm;
+    et.cname = tgt->cname;
+	    
+    ek.key = et.key;
+    /* MIT must have at least one last_req */
+    ek.last_req.len = 1;
+    ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
+    ek.nonce = b->nonce;
+    ek.flags = et.flags;
+    ek.authtime = et.authtime;
+    ek.starttime = et.starttime;
+    ek.endtime = et.endtime;
+    ek.renew_till = et.renew_till;
+    ek.srealm = rep.ticket.realm;
+    ek.sname = rep.ticket.sname;
+	    
+    /* It is somewhat unclear where the etype in the following
+       encryption should come from. What we have is a session
+       key in the passed tgt, and a list of preferred etypes
+       *for the new ticket*. Should we pick the best possible
+       etype, given the keytype in the tgt, or should we look
+       at the etype list here as well?  What if the tgt
+       session key is DES3 and we want a ticket with a (say)
+       CAST session key. Should the DES3 etype be added to the
+       etype list, even if we don't want a session key with
+       DES3? */
+    ret = encode_reply(&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey,
+		       0, &tgt->key, reply);
+out:
+    free_TGS_REP(&rep);
+    free_TransitedEncoding(&et.transited);
+    if(et.starttime)
+	free(et.starttime);
+    if(et.renew_till)
+	free(et.renew_till);
+    free_LastReq(&ek.last_req);
+    memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
+    free_EncryptionKey(&et.key);
+    return ret;
+}
+
+static krb5_error_code
+tgs_check_authenticator(krb5_auth_context ac,
+			KDC_REQ_BODY *b, 
+			krb5_keyblock *key)
+{
+    krb5_authenticator auth;
+    size_t len;
+    unsigned char buf[8192];
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    
+    krb5_auth_getauthenticator(context, ac, &auth);
+    if(auth->cksum == NULL){
+	kdc_log(0, "No authenticator in request");
+	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+	goto out;
+    }
+    /*
+     * according to RFC1510 it doesn't need to be keyed,
+     * but according to the latest draft it needs to.
+     */
+    if (
+#if 0
+!krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
+	||
+#endif
+ !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
+	kdc_log(0, "Bad checksum type in authenticator: %d", 
+		auth->cksum->cksumtype);
+	ret =  KRB5KRB_AP_ERR_INAPP_CKSUM;
+	goto out;
+    }
+		
+    /* XXX should not re-encode this */
+    ret = encode_KDC_REQ_BODY(buf + sizeof(buf) - 1, sizeof(buf),
+			      b, &len);
+    if(ret){
+	kdc_log(0, "Failed to encode KDC-REQ-BODY: %s", 
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret) {
+	kdc_log(0, "krb5_crypto_init failed: %s",
+		krb5_get_err_text(context, ret));
+	goto out;
+    }
+    ret = krb5_verify_checksum(context,
+			       crypto,
+			       KRB5_KU_TGS_REQ_AUTH_CKSUM,
+			       buf + sizeof(buf) - len, 
+			       len,
+			       auth->cksum);
+    krb5_crypto_destroy(context, crypto);
+    if(ret){
+	kdc_log(0, "Failed to verify checksum: %s", 
+		krb5_get_err_text(context, ret));
+    }
+out:
+    free_Authenticator(auth);
+    free(auth);
+    return ret;
+}
+
+/*
+ * return the realm of a krbtgt-ticket or NULL
+ */
+
+static Realm 
+get_krbtgt_realm(const PrincipalName *p)
+{
+    if(p->name_string.len == 2
+       && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
+	return p->name_string.val[1];
+    else
+	return NULL;
+}
+
+static Realm
+find_rpath(Realm r)
+{
+    const char *new_realm = krb5_config_get_string(context,
+						   NULL,
+						   "libdefaults", 
+						   "capath", 
+						   r, 
+						   NULL);
+    return (Realm)new_realm;
+}
+	    
+
+static krb5_boolean
+need_referral(krb5_principal server, krb5_realm **realms)
+{
+    if(server->name.name_type != KRB5_NT_SRV_INST ||
+       server->name.name_string.len != 2)
+	return FALSE;
+ 
+    return krb5_get_host_realm_int(context, server->name.name_string.val[1],
+				   FALSE, realms) == 0;
+}
+
+static krb5_error_code
+tgs_rep2(KDC_REQ_BODY *b,
+	 PA_DATA *tgs_req,
+	 krb5_data *reply,
+	 const char *from,
+	 const struct sockaddr *from_addr,
+	 time_t **csec,
+	 int **cusec)
+{
+    krb5_ap_req ap_req;
+    krb5_error_code ret;
+    krb5_principal princ;
+    krb5_auth_context ac = NULL;
+    krb5_ticket *ticket = NULL;
+    krb5_flags ap_req_options;
+    krb5_flags verify_ap_req_flags;
+    const char *e_text = NULL;
+    krb5_crypto crypto;
+
+    hdb_entry *krbtgt = NULL;
+    EncTicketPart *tgt;
+    Key *tkey;
+    krb5_enctype cetype;
+    krb5_principal cp = NULL;
+    krb5_principal sp = NULL;
+    AuthorizationData *auth_data = NULL;
+
+    *csec  = NULL;
+    *cusec = NULL;
+
+    memset(&ap_req, 0, sizeof(ap_req));
+    ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
+    if(ret){
+	kdc_log(0, "Failed to decode AP-REQ: %s", 
+		krb5_get_err_text(context, ret));
+	goto out2;
+    }
+    
+    if(!get_krbtgt_realm(&ap_req.ticket.sname)){
+	/* XXX check for ticket.sname == req.sname */
+	kdc_log(0, "PA-DATA is not a ticket-granting ticket");
+	ret = KRB5KDC_ERR_POLICY; /* ? */
+	goto out2;
+    }
+    
+    principalname2krb5_principal(&princ,
+				 ap_req.ticket.sname,
+				 ap_req.ticket.realm);
+    
+    ret = db_fetch(princ, &krbtgt);
+
+    if(ret) {
+	char *p;
+	krb5_unparse_name(context, princ, &p);
+	kdc_log(0, "Ticket-granting ticket not found in database: %s: %s",
+		p, krb5_get_err_text(context, ret));
+	free(p);
+	ret = KRB5KRB_AP_ERR_NOT_US;
+	goto out2;
+    }
+    
+    if(ap_req.ticket.enc_part.kvno && 
+       *ap_req.ticket.enc_part.kvno != krbtgt->kvno){
+	char *p;
+
+	krb5_unparse_name (context, princ, &p);
+	kdc_log(0, "Ticket kvno = %d, DB kvno = %d (%s)", 
+		*ap_req.ticket.enc_part.kvno,
+		krbtgt->kvno,
+		p);
+	free (p);
+	ret = KRB5KRB_AP_ERR_BADKEYVER;
+	goto out2;
+    }
+
+    ret = hdb_enctype2key(context, krbtgt, ap_req.ticket.enc_part.etype, &tkey);
+    if(ret){
+	char *str;
+	krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
+	kdc_log(0, "No server key found for %s", str);
+	free(str);
+	ret = KRB5KRB_AP_ERR_BADKEYVER;
+	goto out2;
+    }
+    
+    if (b->kdc_options.validate)
+	verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
+    else
+	verify_ap_req_flags = 0;
+
+    ret = krb5_verify_ap_req2(context,
+			      &ac,
+			      &ap_req,
+			      princ,
+			      &tkey->key,
+			      verify_ap_req_flags,
+			      &ap_req_options,
+			      &ticket,
+			      KRB5_KU_TGS_REQ_AUTH);
+			     
+    krb5_free_principal(context, princ);
+    if(ret) {
+	kdc_log(0, "Failed to verify AP-REQ: %s", 
+		krb5_get_err_text(context, ret));
+	goto out2;
+    }
+
+    {
+	krb5_authenticator auth;
+
+	ret = krb5_auth_getauthenticator(context, ac, &auth);
+	if (ret == 0) {
+	    *csec   = malloc(sizeof(**csec));
+	    if (*csec == NULL) {
+		krb5_free_authenticator(context, &auth);
+		kdc_log(0, "malloc failed");
+		goto out2;
+	    }
+	    **csec  = auth->ctime;
+	    *cusec  = malloc(sizeof(**cusec));
+	    if (*cusec == NULL) {
+		krb5_free_authenticator(context, &auth);
+		kdc_log(0, "malloc failed");
+		goto out2;
+	    }
+	    **csec  = auth->cusec;
+	    krb5_free_authenticator(context, &auth);
+	}
+    }
+
+    cetype = ap_req.authenticator.etype;
+
+    tgt = &ticket->ticket;
+
+    ret = tgs_check_authenticator(ac, b, &tgt->key);
+
+    if (b->enc_authorization_data) {
+	krb5_keyblock *subkey;
+	krb5_data ad;
+	ret = krb5_auth_con_getremotesubkey(context,
+					    ac,
+					    &subkey);
+	if(ret){
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(0, "Failed to get remote subkey: %s", 
+		    krb5_get_err_text(context, ret));
+	    goto out2;
+	}
+	if(subkey == NULL){
+	    ret = krb5_auth_con_getkey(context, ac, &subkey);
+	    if(ret) {
+		krb5_auth_con_free(context, ac);
+		kdc_log(0, "Failed to get session key: %s", 
+			krb5_get_err_text(context, ret));
+		goto out2;
+	    }
+	}
+	if(subkey == NULL){
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(0, "Failed to get key for enc-authorization-data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out2;
+	}
+	ret = krb5_crypto_init(context, subkey, 0, &crypto);
+	if (ret) {
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(0, "krb5_crypto_init failed: %s",
+		    krb5_get_err_text(context, ret));
+	    goto out2;
+	}
+	ret = krb5_decrypt_EncryptedData (context,
+					  crypto,
+					  KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
+					  b->enc_authorization_data,
+					  &ad);
+	krb5_crypto_destroy(context, crypto);
+	if(ret){
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(0, "Failed to decrypt enc-authorization-data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out2;
+	}
+	krb5_free_keyblock(context, subkey);
+	ALLOC(auth_data);
+	ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
+	if(ret){
+	    krb5_auth_con_free(context, ac);
+	    free(auth_data);
+	    auth_data = NULL;
+	    kdc_log(0, "Failed to decode authorization data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out2;
+	}
+    }
+
+    krb5_auth_con_free(context, ac);
+
+    if(ret){
+	kdc_log(0, "Failed to verify authenticator: %s", 
+		krb5_get_err_text(context, ret));
+	goto out2;
+    }
+    
+    {
+	PrincipalName *s;
+	Realm r;
+	char *spn = NULL, *cpn = NULL;
+	hdb_entry *server = NULL, *client = NULL;
+	int loop = 0;
+	EncTicketPart adtkt;
+	char opt_str[128];
+
+	s = b->sname;
+	r = b->realm;
+	if(b->kdc_options.enc_tkt_in_skey){
+	    Ticket *t;
+	    hdb_entry *uu;
+	    krb5_principal p;
+	    Key *tkey;
+	    
+	    if(b->additional_tickets == NULL || 
+	       b->additional_tickets->len == 0){
+		ret = KRB5KDC_ERR_BADOPTION; /* ? */
+		kdc_log(0, "No second ticket present in request");
+		goto out;
+	    }
+	    t = &b->additional_tickets->val[0];
+	    if(!get_krbtgt_realm(&t->sname)){
+		kdc_log(0, "Additional ticket is not a ticket-granting ticket");
+		ret = KRB5KDC_ERR_POLICY;
+		goto out2;
+	    }
+	    principalname2krb5_principal(&p, t->sname, t->realm);
+	    ret = db_fetch(p, &uu);
+	    krb5_free_principal(context, p);
+	    if(ret){
+		if (ret == ENOENT)
+		    ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+		goto out;
+	    }
+	    ret = hdb_enctype2key(context, uu, t->enc_part.etype, &tkey);
+	    if(ret){
+		ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
+		goto out;
+	    }
+	    ret = krb5_decrypt_ticket(context, t, &tkey->key, &adtkt, 0);
+
+	    if(ret)
+		goto out;
+	    s = &adtkt.cname;
+	    r = adtkt.crealm;
+	}
+
+	principalname2krb5_principal(&sp, *s, r);
+	krb5_unparse_name(context, sp, &spn);	
+	principalname2krb5_principal(&cp, tgt->cname, tgt->crealm);
+	krb5_unparse_name(context, cp, &cpn);
+	unparse_flags (KDCOptions2int(b->kdc_options), KDCOptions_units,
+		       opt_str, sizeof(opt_str));
+	if(*opt_str)
+	    kdc_log(0, "TGS-REQ %s from %s for %s [%s]", 
+		    cpn, from, spn, opt_str);
+	else
+	    kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn);
+    server_lookup:
+	ret = db_fetch(sp, &server);
+
+	if(ret){
+	    Realm req_rlm, new_rlm;
+	    krb5_realm *realms;
+
+	    if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
+		if(loop++ < 2) {
+		    new_rlm = find_rpath(req_rlm);
+		    if(new_rlm) {
+			kdc_log(5, "krbtgt for realm %s not found, trying %s", 
+				req_rlm, new_rlm);
+			krb5_free_principal(context, sp);
+			free(spn);
+			krb5_make_principal(context, &sp, r, 
+					    KRB5_TGS_NAME, new_rlm, NULL);
+			krb5_unparse_name(context, sp, &spn);	
+			goto server_lookup;
+		    }
+		}
+	    } else if(need_referral(sp, &realms)) {
+		if (strcmp(realms[0], sp->realm) != 0) {
+		    kdc_log(5, "returning a referral to realm %s for "
+			    "server %s that was not found",
+			    realms[0], spn);
+		    krb5_free_principal(context, sp);
+		    free(spn);
+		    krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
+					realms[0], NULL);
+		    krb5_unparse_name(context, sp, &spn);
+		    krb5_free_host_realm(context, realms);
+		    goto server_lookup;
+		}
+		krb5_free_host_realm(context, realms);
+	    }
+	    kdc_log(0, "Server not found in database: %s: %s", spn,
+		    krb5_get_err_text(context, ret));
+	    if (ret == ENOENT)
+		ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	    goto out;
+	}
+
+	ret = db_fetch(cp, &client);
+	if(ret)
+	    kdc_log(1, "Client not found in database: %s: %s",
+		    cpn, krb5_get_err_text(context, ret));
+#if 0
+	/* XXX check client only if same realm as krbtgt-instance */
+	if(ret){
+	    kdc_log(0, "Client not found in database: %s: %s",
+		    cpn, krb5_get_err_text(context, ret));
+	    if (ret == ENOENT)
+		ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	    goto out;
+	}
+#endif
+
+	ret = check_flags(client, cpn, server, spn, FALSE);
+	if(ret)
+	    goto out;
+
+	if((b->kdc_options.validate || b->kdc_options.renew) && 
+	   !krb5_principal_compare(context, 
+				   krbtgt->principal,
+				   server->principal)){
+	    kdc_log(0, "Inconsistent request.");
+	    ret = KRB5KDC_ERR_SERVER_NOMATCH;
+	    goto out;
+	}
+
+	/* check for valid set of addresses */
+	if(!check_addresses(tgt->caddr, from_addr)) {
+	    ret = KRB5KRB_AP_ERR_BADADDR;
+	    kdc_log(0, "Request from wrong address");
+	    goto out;
+	}
+	
+	ret = tgs_make_reply(b, 
+			     tgt, 
+			     b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, 
+			     auth_data,
+			     server, 
+			     client, 
+			     cp, 
+			     krbtgt, 
+			     cetype, 
+			     reply);
+	
+    out:
+	free(spn);
+	free(cpn);
+	    
+	if(server)
+	    free_ent(server);
+	if(client)
+	    free_ent(client);
+    }
+out2:
+    if(ret) {
+	krb5_mk_error(context,
+		      ret,
+		      e_text,
+		      NULL,
+		      cp,
+		      sp,
+		      NULL,
+		      NULL,
+		      reply);
+	free(*csec);
+	free(*cusec);
+	*csec  = NULL;
+	*cusec = NULL;
+    }
+    krb5_free_principal(context, cp);
+    krb5_free_principal(context, sp);
+    if (ticket) {
+	krb5_free_ticket(context, ticket);
+	free(ticket);
+    }
+    free_AP_REQ(&ap_req);
+    if(auth_data){
+	free_AuthorizationData(auth_data);
+	free(auth_data);
+    }
+
+    if(krbtgt)
+	free_ent(krbtgt);
+
+    return ret;
+}
+
+
+krb5_error_code
+tgs_rep(KDC_REQ *req, 
+	krb5_data *data,
+	const char *from,
+	struct sockaddr *from_addr)
+{
+    krb5_error_code ret;
+    int i = 0;
+    PA_DATA *tgs_req = NULL;
+    time_t *csec = NULL;
+    int *cusec = NULL;
+
+    if(req->padata == NULL){
+	ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
+	kdc_log(0, "TGS-REQ from %s without PA-DATA", from);
+	goto out;
+    }
+    
+    tgs_req = find_padata(req, &i, KRB5_PADATA_TGS_REQ);
+
+    if(tgs_req == NULL){
+	ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+	
+	kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from);
+	goto out;
+    }
+    ret = tgs_rep2(&req->req_body, tgs_req, data, from, from_addr,
+		   &csec, &cusec);
+out:
+    if(ret && data->data == NULL){
+	krb5_mk_error(context,
+		      ret,
+		      NULL,
+		      NULL,
+		      NULL,
+		      NULL,
+		      csec,
+		      cusec,
+		      data);
+    }
+    free(csec);
+    free(cusec);
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/kstash.8 b/crypto/heimdal/kdc/kstash.8
new file mode 100644
index 0000000..afbad1e
--- /dev/null
+++ b/crypto/heimdal/kdc/kstash.8
@@ -0,0 +1,60 @@
+.\" $Id: kstash.8,v 1.5 2001/06/08 21:35:32 joda Exp $
+.\"
+.Dd September  1, 2000
+.Dt KSTASH 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kstash
+.Nd "store the KDC master password in a file"
+.Sh SYNOPSIS
+.Nm
+.Oo Fl e Ar string \*(Ba Xo
+.Fl -enctype= Ns Ar string
+.Xc
+.Oc
+.Oo Fl k Ar file \*(Ba Xo
+.Fl -key-file= Ns Ar file
+.Xc
+.Oc
+.Op Fl -convert-file
+.Op Fl -master-key-fd= Ns Ar fd
+.Op Fl h | Fl -help
+.Op Fl -version
+.Sh DESCRIPTION
+.Nm
+reads the Kerberos master key and stores it in a file that will be
+used by the KDC.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl e Ar string Ns ,
+.Fl -enctype= Ns Ar string
+.Xc
+the encryption type to use, defaults to DES3-CBC-SHA1
+.It Xo
+.Fl k Ar file Ns ,
+.Fl -key-file= Ns Ar file
+.Xc
+the name of the master key file
+.It Xo
+.Fl -convert-file
+.Xc
+don't ask for a new master key, just read an old master key file, and
+writes it back in the new keyfile format
+.It Xo
+.Fl -master-key-fd= Ns Ar fd
+.Xc
+filedescriptor to read passphrase from, if not specified the
+passphrase will be read from the terminal
+.El
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kdc 8
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/kdc/kstash.c b/crypto/heimdal/kdc/kstash.c
new file mode 100644
index 0000000..edb00b2
--- /dev/null
+++ b/crypto/heimdal/kdc/kstash.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "headers.h"
+
+RCSID("$Id: kstash.c,v 1.14 2001/01/30 17:08:35 assar Exp $");
+
+krb5_context context;
+
+char *keyfile = HDB_DB_DIR "/m-key";
+int convert_flag;
+int help_flag;
+int version_flag;
+
+int master_key_fd = -1;
+
+char *enctype_str = "des3-cbc-sha1";
+
+struct getargs args[] = {
+    { "enctype", 'e', arg_string, &enctype_str, "encryption type" },
+    { "key-file", 'k', arg_string, &keyfile, "master key file", "file" },
+    { "convert-file", 0, arg_flag, &convert_flag, 
+      "just convert keyfile to new format" },
+    { "master-key-fd", 0, arg_integer, &master_key_fd, 
+      "filedescriptor to read passphrase from", "fd" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 0, arg_flag, &version_flag }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    char buf[1024];
+    krb5_error_code ret;
+    
+    krb5_enctype enctype;
+
+    hdb_master_key mkey;
+    
+    krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    ret = krb5_string_to_enctype(context, enctype_str, &enctype);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_string_to_enctype");
+
+    ret = hdb_read_master_key(context, keyfile, &mkey);
+    if(ret && ret != ENOENT)
+	krb5_err(context, 1, ret, "reading master key from %s", keyfile);
+
+    if (convert_flag) {
+	if (ret)
+	    krb5_err(context, 1, ret, "reading master key from %s", keyfile);
+    } else {
+	krb5_keyblock key;
+	krb5_salt salt;
+	salt.salttype = KRB5_PW_SALT;
+	/* XXX better value? */
+	salt.saltvalue.data = NULL;
+	salt.saltvalue.length = 0;
+	if(master_key_fd != -1) {
+	    ssize_t n;
+	    n = read(master_key_fd, buf, sizeof(buf));
+	    if(n <= 0)
+		krb5_err(context, 1, errno, "failed to read passphrase");
+	    buf[n] = '\0';
+	    buf[strcspn(buf, "\r\n")] = '\0';
+	} else {
+	    if(des_read_pw_string(buf, sizeof(buf), "Master key: ", 1))
+		exit(1);
+	}
+	krb5_string_to_key_salt(context, enctype, buf, salt, &key);
+	ret = hdb_add_master_key(context, &key, &mkey);
+	
+	krb5_free_keyblock_contents(context, &key);
+
+    }
+    
+    {
+	char *new, *old;
+	asprintf(&old, "%s.old", keyfile);
+	asprintf(&new, "%s.new", keyfile);
+	if(unlink(new) < 0 && errno != ENOENT) {
+	    ret = errno;
+	    goto out;
+	}
+	krb5_warnx(context, "writing key to `%s'", keyfile);
+	ret = hdb_write_master_key(context, new, mkey);
+	if(ret)
+	    unlink(new);
+	else {
+	    unlink(old);
+	    if(link(keyfile, old) < 0 && errno != ENOENT) {
+		ret = errno;
+		unlink(new);
+	    } else if(rename(new, keyfile) < 0) {
+		ret = errno;
+	    }
+	}
+    out:
+	free(old);
+	free(new);
+	if(ret)
+	    krb5_warn(context, errno, "writing master key file");
+    }
+
+    hdb_free_master_key(context, mkey);
+
+    exit(ret != 0);
+}
diff --git a/crypto/heimdal/kdc/kstash.cat8 b/crypto/heimdal/kdc/kstash.cat8
new file mode 100644
index 0000000..7dd2c7a
--- /dev/null
+++ b/crypto/heimdal/kdc/kstash.cat8
@@ -0,0 +1,34 @@
+
+KSTASH(8)                UNIX System Manager's Manual                KSTASH(8)
+
+NNAAMMEE
+     kkssttaasshh - store the KDC master password in a file
+
+SSYYNNOOPPSSIISS
+     kkssttaasshh [--ee _s_t_r_i_n_g | ----eennccttyyppee==_s_t_r_i_n_g] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e]
+     [----ccoonnvveerrtt--ffiillee] [----mmaasstteerr--kkeeyy--ffdd==_f_d] [--hh | ----hheellpp] [----vveerrssiioonn]
+
+DDEESSCCRRIIPPTTIIOONN
+     kkssttaasshh reads the Kerberos master key and stores it in a file that will be
+     used by the KDC.
+
+     Supported options:
+
+     --ee _s_t_r_i_n_g, ----eennccttyyppee==_s_t_r_i_n_g
+             the encryption type to use, defaults to DES3-CBC-SHA1
+
+     --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e
+             the name of the master key file
+
+     ----ccoonnvveerrtt--ffiillee
+             don't ask for a new master key, just read an old master key file,
+             and writes it back in the new keyfile format
+
+     ----mmaasstteerr--kkeeyy--ffdd==_f_d
+             filedescriptor to read passphrase from, if not specified the
+             passphrase will be read from the terminal
+
+SSEEEE AALLSSOO
+     kdc(8)
+
+ HEIMDAL                       September 1, 2000                             1
diff --git a/crypto/heimdal/kdc/log.c b/crypto/heimdal/kdc/log.c
new file mode 100644
index 0000000..5a36969
--- /dev/null
+++ b/crypto/heimdal/kdc/log.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+RCSID("$Id: log.c,v 1.13 2000/09/10 19:27:29 joda Exp $");
+
+static krb5_log_facility *logf;
+
+void
+kdc_openlog(krb5_config_section *cf)
+{
+    char **s = NULL, **p;
+    krb5_initlog(context, "kdc", &logf);
+    if(cf)
+	s = krb5_config_get_strings(context, cf, "kdc", "logging", NULL);
+
+    if(s == NULL)
+	s = krb5_config_get_strings(context, NULL, "logging", "kdc", NULL);
+    if(s){
+	for(p = s; *p; p++)
+	    krb5_addlog_dest(context, logf, *p);
+	krb5_config_free_strings(s);
+    }else
+	krb5_addlog_dest(context, logf, DEFAULT_LOG_DEST);
+    krb5_set_warn_dest(context, logf);
+}
+
+char*
+kdc_log_msg_va(int level, const char *fmt, va_list ap)
+{
+    char *msg;
+    krb5_vlog_msg(context, logf, &msg, level, fmt, ap);
+    return msg;
+}
+
+char*
+kdc_log_msg(int level, const char *fmt, ...)
+{
+    va_list ap;
+    char *s;
+    va_start(ap, fmt);
+    s = kdc_log_msg_va(level, fmt, ap);
+    va_end(ap);
+    return s;
+}
+
+void
+kdc_log(int level, const char *fmt, ...)
+{
+    va_list ap;
+    char *s;
+    va_start(ap, fmt);
+    s = kdc_log_msg_va(level, fmt, ap);
+    if(s) free(s);
+    va_end(ap);
+}
diff --git a/crypto/heimdal/kdc/main.c b/crypto/heimdal/kdc/main.c
new file mode 100644
index 0000000..146bd91
--- /dev/null
+++ b/crypto/heimdal/kdc/main.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: main.c,v 1.25 2001/02/20 01:44:50 assar Exp $");
+
+sig_atomic_t exit_flag = 0;
+krb5_context context;
+
+static RETSIGTYPE
+sigterm(int sig)
+{
+    exit_flag = 1;
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    setprogname(argv[0]);
+    
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    configure(argc, argv);
+
+    if(databases == NULL) {
+	db = malloc(sizeof(*db));
+	num_db = 1;
+	ret = hdb_create(context, &db[0], NULL);
+	if(ret)
+	    krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB);
+	ret = hdb_set_master_keyfile(context, db[0], NULL);
+	if (ret)
+	    krb5_err(context, 1, ret, "hdb_set_master_keyfile");
+    } else {
+	struct dbinfo *d;
+	int i;
+	/* count databases */
+	for(d = databases, i = 0; d; d = d->next, i++);
+	db = malloc(i * sizeof(*db));
+	for(d = databases, num_db = 0; d; d = d->next, num_db++) {
+	    ret = hdb_create(context, &db[num_db], d->dbname);
+	    if(ret)
+		krb5_err(context, 1, ret, "hdb_create %s", d->dbname);
+	    ret = hdb_set_master_keyfile(context, db[num_db], d->mkey_file);
+	    if (ret)
+		krb5_err(context, 1, ret, "hdb_set_master_keyfile");
+	}
+    }
+
+#ifdef HAVE_SIGACTION
+    {
+	struct sigaction sa;
+
+	sa.sa_flags = 0;
+	sa.sa_handler = sigterm;
+	sigemptyset(&sa.sa_mask);
+
+	sigaction(SIGINT, &sa, NULL);
+	sigaction(SIGTERM, &sa, NULL);
+    }
+#else
+    signal(SIGINT, sigterm);
+    signal(SIGTERM, sigterm);
+#endif
+    pidfile(NULL);
+    loop();
+    krb5_free_context(context);
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/misc.c b/crypto/heimdal/kdc/misc.c
new file mode 100644
index 0000000..aebdc68
--- /dev/null
+++ b/crypto/heimdal/kdc/misc.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kdc_locl.h"
+
+RCSID("$Id: misc.c,v 1.22 2001/01/30 03:54:21 assar Exp $");
+
+struct timeval now;
+
+krb5_error_code
+db_fetch(krb5_principal principal, hdb_entry **h)
+{
+    hdb_entry *ent;
+    krb5_error_code ret = HDB_ERR_NOENTRY;
+    int i;
+
+    ent = malloc (sizeof (*ent));
+    if (ent == NULL)
+	return ENOMEM;
+    ent->principal = principal;
+
+    for(i = 0; i < num_db; i++) {
+	ret = db[i]->open(context, db[i], O_RDONLY, 0);
+	if (ret) {
+	    kdc_log(0, "Failed to open database: %s", 
+		    krb5_get_err_text(context, ret));
+	    continue;
+	}
+	ret = db[i]->fetch(context, db[i], HDB_F_DECRYPT, ent);
+	db[i]->close(context, db[i]);
+	if(ret == 0) {
+	    *h = ent;
+	    return 0;
+	}
+    }
+    free(ent);
+    return ret;
+}
+
+void
+free_ent(hdb_entry *ent)
+{
+    hdb_free_entry (context, ent);
+    free (ent);
+}
+
diff --git a/crypto/heimdal/kdc/mit_dump.c b/crypto/heimdal/kdc/mit_dump.c
new file mode 100644
index 0000000..336d265
--- /dev/null
+++ b/crypto/heimdal/kdc/mit_dump.c
@@ -0,0 +1,370 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "hprop.h"
+
+RCSID("$Id: mit_dump.c,v 1.3 2000/08/09 09:57:37 joda Exp $");
+
+/*
+can have any number of princ stanzas.
+format is as follows (only \n indicates newlines)
+princ\t%d\t (%d is KRB5_KDB_V1_BASE_LENGTH, always 38)
+%d\t (strlen of principal e.g. shadow/foo@ANDREW.CMU.EDU)
+%d\t (number of tl_data)
+%d\t (number of key data, e.g. how many keys for this user)
+%d\t (extra data length) 
+%s\t (principal name)
+%d\t (attributes)
+%d\t (max lifetime, seconds)
+%d\t (max renewable life, seconds)
+%d\t (expiration, seconds since epoch or 2145830400 for never)
+%d\t (password expiration, seconds, 0 for never) 
+%d\t (last successful auth, seconds since epoch)
+%d\t (last failed auth, per above)
+%d\t (failed auth count)
+foreach tl_data 0 to number of tl_data - 1 as above
+  %d\t%d\t (data type, data length)
+  foreach tl_data 0 to length-1
+    %02x (tl data contents[element n])
+  except if tl_data length is 0
+    %d (always -1)
+  \t
+foreach key 0 to number of keys - 1 as above
+  %d\t%d\t (key data version, kvno)
+  foreach version 0 to key data version - 1 (a key or a salt)
+    %d\t%d\t(data type for this key, data length for this key)
+    foreach key data length 0 to length-1
+      %02x (key data contents[element n])
+    except if key_data length is 0
+      %d (always -1)
+    \t    
+foreach extra data length 0 to length - 1
+  %02x (extra data part)
+unless no extra data
+  %d (always -1)
+;\n
+
+*/
+
+static int
+hex_to_octet_string(const char *ptr, krb5_data *data)
+{
+    int i;
+    unsigned int v;
+    for(i = 0; i < data->length; i++) {
+	if(sscanf(ptr + 2 * i, "%02x", &v) != 1)
+	    return -1;
+	((unsigned char*)data->data)[i] = v;
+    }
+    return 2 * i;
+}
+
+static char *
+nexttoken(char **p)
+{
+    char *q;
+    do {
+	q = strsep(p, " \t");
+    } while(q && *q == '\0');
+    return q;
+}
+
+static size_t
+getdata(char **p, unsigned char *buf, size_t len)
+{
+    size_t i;
+    int v;
+    char *q = nexttoken(p);
+    i = 0;
+    while(*q && i < len) {
+	if(sscanf(q, "%02x", &v) != 1)
+	    break;
+	buf[i++] = v;
+	q += 2;
+    }
+    return i;
+}
+
+static int
+getint(char **p)
+{
+    int val;
+    char *q = nexttoken(p);
+    sscanf(q, "%d", &val);
+    return val;
+}
+
+#include <kadm5/admin.h>
+
+static void
+attr_to_flags(unsigned attr, HDBFlags *flags)
+{
+    flags->postdate =		!(attr & KRB5_KDB_DISALLOW_POSTDATED);
+    flags->forwardable =	!(attr & KRB5_KDB_DISALLOW_FORWARDABLE);
+    flags->initial =	       !!(attr & KRB5_KDB_DISALLOW_TGT_BASED);
+    flags->renewable =		!(attr & KRB5_KDB_DISALLOW_RENEWABLE);
+    flags->proxiable =		!(attr & KRB5_KDB_DISALLOW_PROXIABLE);
+    /* DUP_SKEY */
+    flags->invalid =	       !!(attr & KRB5_KDB_DISALLOW_ALL_TIX);
+    flags->require_preauth =   !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH);
+    /* HW_AUTH */
+    flags->server =		!(attr & KRB5_KDB_DISALLOW_SVR);
+    flags->change_pw = 	       !!(attr & KRB5_KDB_PWCHANGE_SERVICE);
+    flags->client =	        1; /* XXX */
+}
+
+#define KRB5_KDB_SALTTYPE_NORMAL	0
+#define KRB5_KDB_SALTTYPE_V4		1
+#define KRB5_KDB_SALTTYPE_NOREALM	2
+#define KRB5_KDB_SALTTYPE_ONLYREALM	3
+#define KRB5_KDB_SALTTYPE_SPECIAL	4
+#define KRB5_KDB_SALTTYPE_AFS3		5
+
+static krb5_error_code
+fix_salt(krb5_context context, hdb_entry *ent, int key_num)
+{
+    krb5_error_code ret;
+    Salt *salt = ent->keys.val[key_num].salt;
+    /* fix salt type */
+    switch((int)salt->type) {
+    case KRB5_KDB_SALTTYPE_NORMAL:
+	salt->type = KRB5_PADATA_PW_SALT;
+	break;
+    case KRB5_KDB_SALTTYPE_V4:
+	krb5_data_free(&salt->salt);
+	salt->type = KRB5_PADATA_PW_SALT;
+	break;
+    case KRB5_KDB_SALTTYPE_NOREALM:
+    {
+	size_t len;
+	int i;
+	krb5_error_code ret;
+	char *p;
+	    
+	len = 0;
+	for (i = 0; i < ent->principal->name.name_string.len; ++i)
+	    len += strlen(ent->principal->name.name_string.val[i]);
+	ret = krb5_data_alloc (&salt->salt, len);
+	if (ret)
+	    return ret;
+	p = salt->salt.data;
+	for (i = 0; i < ent->principal->name.name_string.len; ++i) {
+	    memcpy (p,
+		    ent->principal->name.name_string.val[i],
+		    strlen(ent->principal->name.name_string.val[i]));
+	    p += strlen(ent->principal->name.name_string.val[i]);
+	}
+
+	salt->type = KRB5_PADATA_PW_SALT;
+	break;
+    }
+    case KRB5_KDB_SALTTYPE_ONLYREALM:
+	krb5_data_free(&salt->salt);
+	ret = krb5_data_copy(&salt->salt, 
+			     ent->principal->realm, 
+			     strlen(ent->principal->realm));
+	if(ret)
+	    return ret;
+	salt->type = KRB5_PADATA_PW_SALT;
+	break;
+    case KRB5_KDB_SALTTYPE_SPECIAL:
+	salt->type = KRB5_PADATA_PW_SALT;
+	break;
+    case KRB5_KDB_SALTTYPE_AFS3:
+	krb5_data_free(&salt->salt);
+	ret = krb5_data_copy(&salt->salt, 
+		       ent->principal->realm, 
+		       strlen(ent->principal->realm));
+	if(ret)
+	    return ret;
+	salt->type = KRB5_PADATA_AFS3_SALT;
+	break;
+    default:
+	abort();
+    }
+    return 0;
+}
+
+int
+mit_prop_dump(void *arg, const char *file)
+{
+    krb5_error_code ret;
+    char buf [1024];
+    FILE *f;
+    int lineno = 0;
+    struct hdb_entry ent;
+
+    struct prop_data *pd = arg;
+
+    f = fopen(file, "r");
+    if(f == NULL)
+	return errno;
+    
+    while(fgets(buf, sizeof(buf), f)) {
+	char *p = buf, *q;
+
+	int i;
+
+	int num_tl_data;
+	int num_key_data;
+	int extra_data_length;
+	int attributes;
+
+	int tmp;
+
+	lineno++;
+
+	memset(&ent, 0, sizeof(ent));
+
+	q = nexttoken(&p);
+	if(strcmp(q, "kdb5_util") == 0) {
+	    int major;
+	    q = nexttoken(&p); /* load_dump */
+	    if(strcmp(q, "load_dump"))
+		errx(1, "line %d: unknown version", lineno);
+	    q = nexttoken(&p); /* load_dump */
+	    if(strcmp(q, "version"))
+		errx(1, "line %d: unknown version", lineno);
+	    q = nexttoken(&p); /* x.0 */
+	    if(sscanf(q, "%d", &major) != 1)
+		errx(1, "line %d: unknown version", lineno);
+	    if(major != 4)
+		errx(1, "unknown dump file format, got %d, expected 4", major);
+	    continue;
+	} else if(strcmp(q, "princ") != 0) {
+	    warnx("line %d: not a principal", lineno);
+	    continue;
+	}
+	tmp = getint(&p);
+	if(tmp != 38) {
+	    warnx("line %d: bad base length %d != 38", lineno, tmp);
+	    continue;
+	}
+	q = nexttoken(&p); /* length of principal */
+	num_tl_data = getint(&p); /* number of tl-data */
+	num_key_data = getint(&p); /* number of key-data */
+	extra_data_length = getint(&p);  /* length of extra data */
+	q = nexttoken(&p); /* principal name */
+	krb5_parse_name(pd->context, q, &ent.principal);
+	attributes = getint(&p); /* attributes */
+	attr_to_flags(attributes, &ent.flags);
+	tmp = getint(&p); /* max life */
+	if(tmp != 0) {
+	    ALLOC(ent.max_life);
+	    *ent.max_life = tmp;
+	}
+	tmp = getint(&p); /* max renewable life */
+	if(tmp != 0) {
+	    ALLOC(ent.max_renew);
+	    *ent.max_renew = tmp;
+	}
+	tmp = getint(&p); /* expiration */
+	if(tmp != 0 && tmp != 2145830400) {
+	    ALLOC(ent.valid_end);
+	    *ent.valid_end = tmp;
+	}
+	tmp = getint(&p); /* pw expiration */
+	if(tmp != 0) {
+	    ALLOC(ent.pw_end);
+	    *ent.pw_end = tmp;
+	}
+	q = nexttoken(&p); /* last auth */
+	q = nexttoken(&p); /* last failed auth */
+	q = nexttoken(&p); /* fail auth count */
+	for(i = 0; i < num_tl_data; i++) {
+	    unsigned long val;
+	    int tl_type, tl_length;
+	    unsigned char *buf;
+	    krb5_principal princ;
+
+	    tl_type = getint(&p); /* data type */
+	    tl_length = getint(&p); /* data length */
+
+#define KRB5_TL_LAST_PWD_CHANGE	1
+#define KRB5_TL_MOD_PRINC	2
+	    switch(tl_type) {
+	    case KRB5_TL_MOD_PRINC:
+		buf = malloc(tl_length);
+		getdata(&p, buf, tl_length); /* data itself */
+		val = buf[0] | (buf[1] << 8) | (buf[2] << 16) | (buf[3] << 24);
+		ret = krb5_parse_name(pd->context, buf + 4, &princ);
+		free(buf);
+		ALLOC(ent.modified_by);
+		ent.modified_by->time = val;
+		ent.modified_by->principal = princ;
+		break;
+	    default:
+		nexttoken(&p);
+		break;
+	    }
+	}
+	ALLOC_SEQ(&ent.keys, num_key_data);
+	for(i = 0; i < num_key_data; i++) {
+	    int key_versions;
+	    key_versions = getint(&p); /* key data version */
+	    ent.kvno = getint(&p); /* XXX kvno */
+	    
+	    ALLOC(ent.keys.val[i].mkvno);
+	    *ent.keys.val[i].mkvno = 0;
+	    
+	    /* key version 0 -- actual key */
+	    ent.keys.val[i].key.keytype = getint(&p); /* key type */
+	    tmp = getint(&p); /* key length */
+	    /* the first two bytes of the key is the key length --
+	       skip it */
+	    krb5_data_alloc(&ent.keys.val[i].key.keyvalue, tmp - 2);
+	    q = nexttoken(&p); /* key itself */
+	    hex_to_octet_string(q + 4, &ent.keys.val[i].key.keyvalue);
+
+	    if(key_versions > 1) {
+		/* key version 1 -- optional salt */
+		ALLOC(ent.keys.val[i].salt);
+		ent.keys.val[i].salt->type = getint(&p); /* salt type */
+		tmp = getint(&p); /* salt length */
+		if(tmp > 0) {
+		    krb5_data_alloc(&ent.keys.val[i].salt->salt, tmp - 2);
+		    q = nexttoken(&p); /* salt itself */
+		    hex_to_octet_string(q + 4, &ent.keys.val[i].salt->salt);
+		} else {
+		    ent.keys.val[i].salt->salt.length = 0;
+		    ent.keys.val[i].salt->salt.data = NULL;
+		    tmp = getint(&p);	/* -1, if no data. */
+		}
+		fix_salt(pd->context, &ent, i);
+	    }
+	}
+	q = nexttoken(&p); /* extra data */
+	v5_prop(pd->context, NULL, &ent, arg);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/rx.h b/crypto/heimdal/kdc/rx.h
new file mode 100644
index 0000000..ab8ec805
--- /dev/null
+++ b/crypto/heimdal/kdc/rx.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: rx.h,v 1.4 1999/12/02 17:05:00 joda Exp $ */
+
+#ifndef __RX_H__
+#define __RX_H__
+
+/* header of a RPC packet */
+
+enum rx_header_type {
+     HT_DATA = 1,
+     HT_ACK = 2,
+     HT_BUSY = 3,
+     HT_ABORT = 4,
+     HT_ACKALL = 5,
+     HT_CHAL = 6,
+     HT_RESP = 7,
+     HT_DEBUG = 8
+};
+
+/* For flags in header */
+
+enum rx_header_flag {
+     HF_CLIENT_INITIATED = 1,
+     HF_REQ_ACK = 2,
+     HF_LAST = 4,
+     HF_MORE = 8
+};
+
+struct rx_header {
+     u_int32_t epoch;
+     u_int32_t connid;		/* And channel ID */
+     u_int32_t callid;
+     u_int32_t seqno;
+     u_int32_t serialno;
+     u_char type;
+     u_char flags;
+     u_char status;
+     u_char secindex;
+     u_int16_t reserved;	/* ??? verifier? */
+     u_int16_t serviceid;
+/* This should be the other way around according to everything but */
+/* tcpdump */
+};
+
+#define RX_HEADER_SIZE 28
+
+#endif /* __RX_H__ */
diff --git a/crypto/heimdal/kdc/string2key.8 b/crypto/heimdal/kdc/string2key.8
new file mode 100644
index 0000000..50d7c29
--- /dev/null
+++ b/crypto/heimdal/kdc/string2key.8
@@ -0,0 +1,79 @@
+.\" $Id: string2key.8,v 1.4 2001/06/08 21:35:32 joda Exp $
+.\"
+.Dd March  4, 2000
+.Dt STRING2KEY 8
+.Os HEIMDAL
+.Sh NAME
+.Nm string2key
+.Nd map a password into a key
+.Sh SYNOPSIS
+.Nm
+.Op Fl 5 | Fl -version5
+.Op Fl 4 | Fl -version4
+.Op Fl a | Fl -afs
+.Oo Fl c Ar cell \*(Ba Xo
+.Fl -cell= Ns Ar cell
+.Xc
+.Oc
+.Oo Fl w Ar password \*(Ba Xo
+.Fl -password= Ns Ar password
+.Xc
+.Oc
+.Oo Fl p Ar principal \*(Ba Xo
+.Fl -principal= Ns Ar principal
+.Xc
+.Oc
+.Oo Fl k Ar string \*(Ba Xo
+.Fl -keytype= Ns Ar string
+.Xc
+.Oc
+.Ar password
+.Sh DESCRIPTION
+.Nm
+performs the string-to-key function.
+This is useful when you want to handle the raw key instead of the password.
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl 5 Ns ,
+.Fl -version5
+.Xc
+Output Kerberos v5 string-to-key
+.It Xo
+.Fl 4 Ns ,
+.Fl -version4
+.Xc
+Output Kerberos v4 string-to-key
+.It Xo
+.Fl a Ns ,
+.Fl -afs
+.Xc
+Output AFS string-to-key
+.It Xo
+.Fl c Ar cell Ns ,
+.Fl -cell= Ns Ar cell
+.Xc
+AFS cell to use
+.It Xo
+.Fl w Ar password Ns ,
+.Fl -password= Ns Ar password
+.Xc
+Password to use
+.It Xo
+.Fl p Ar principal Ns ,
+.Fl -principal= Ns Ar principal
+.Xc
+Kerberos v5 principal to use
+.It Xo
+.Fl k Ar string Ns ,
+.Fl -keytype= Ns Ar string
+.Xc
+Keytype
+.It Xo
+.Fl -version
+.Xc
+print version
+.It Xo
+.Fl -help
+.Xc
+.El
diff --git a/crypto/heimdal/kdc/string2key.c b/crypto/heimdal/kdc/string2key.c
new file mode 100644
index 0000000..e0cc871
--- /dev/null
+++ b/crypto/heimdal/kdc/string2key.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "headers.h"
+#include <getarg.h>
+
+RCSID("$Id: string2key.c,v 1.18 1999/12/02 17:05:00 joda Exp $");
+
+int version5;
+int version4;
+int afs;
+char *principal;
+char *cell;
+char *password;
+char *keytype_str = "des-cbc-md5";
+int version;
+int help;
+
+struct getargs args[] = {
+    { "version5", '5', arg_flag,   &version5, "Output Kerberos v5 string-to-key" },
+    { "version4", '4', arg_flag,   &version4, "Output Kerberos v4 string-to-key" },
+    { "afs",      'a', arg_flag,   &afs, "Output AFS string-to-key" },
+    { "cell",     'c', arg_string, &cell, "AFS cell to use", "cell" },
+    { "password", 'w', arg_string, &password, "Password to use", "password" },
+    { "principal",'p', arg_string, &principal, "Kerberos v5 principal to use", "principal" },
+    { "keytype",  'k', arg_string, &keytype_str, "Keytype" },
+    { "version",    0, arg_flag,   &version, "print version" },
+    { "help",       0, arg_flag,   &help, NULL }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int status)
+{
+    arg_printusage (args, num_args, NULL, "password");
+    exit(status);
+}
+
+static void
+tokey(krb5_context context, 
+      krb5_enctype enctype, 
+      const char *password, 
+      krb5_salt salt, 
+      const char *label)
+{
+    int i;
+    krb5_keyblock key;
+    krb5_string_to_key_salt(context, enctype, password, salt, &key);
+    printf("%s: ", label);
+    for(i = 0; i < key.keyvalue.length; i++)
+	printf("%02x", ((unsigned char*)key.keyvalue.data)[i]);
+    printf("\n");
+    krb5_free_keyblock_contents(context, &key);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_principal princ;
+    krb5_salt salt;
+    int optind;
+    char buf[1024];
+    krb5_enctype etype;
+    krb5_error_code ret;
+
+    optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+
+    if(help)
+	usage(0);
+    
+    if(version){
+	print_version (NULL);
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc > 1)
+	usage(1);
+
+    if(!version5 && !version4 && !afs)
+	version5 = 1;
+
+    ret = krb5_string_to_enctype(context, keytype_str, &etype);
+#if 0
+    if(ret) {
+	krb5_keytype keytype;
+	ret = krb5_string_to_keytype(context, keytype_str, &keytype);
+	ret = krb5_keytype_to_enctype(context, keytype, &etype);
+    }
+#endif
+    if(ret)
+	krb5_err(context, 1, ret, "%s", keytype_str);
+    
+    if((etype != ETYPE_DES_CBC_CRC &&
+	etype != ETYPE_DES_CBC_MD4 &&
+	etype != ETYPE_DES_CBC_MD5) &&
+       (afs || version4))
+	krb5_errx(context, 1, 
+		  "DES is the only valid keytype for AFS and Kerberos 4");
+    
+
+    if(version5 && principal == NULL){
+	printf("Kerberos v5 principal: ");
+	if(fgets(buf, sizeof(buf), stdin) == NULL)
+	    return 1;
+	if(buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+	principal = estrdup(buf);
+    }
+    if(afs && cell == NULL){
+	printf("AFS cell: ");
+	if(fgets(buf, sizeof(buf), stdin) == NULL)
+	    return 1;
+	if(buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+	cell = estrdup(buf);
+    }
+    if(argv[0])
+	password = argv[0];
+    if(password == NULL){
+	if(des_read_pw_string(buf, sizeof(buf), "Password: ", 0))
+	    return 1;
+	password = buf;
+    }
+	
+    if(version5){
+	krb5_parse_name(context, principal, &princ);
+	krb5_get_pw_salt(context, princ, &salt);
+	tokey(context, etype, password, salt, "Kerberos v5 key");
+	krb5_free_salt(context, salt);
+    }
+    if(version4){
+	salt.salttype = KRB5_PW_SALT;
+	salt.saltvalue.length = 0;
+	salt.saltvalue.data = NULL;
+	tokey(context, ETYPE_DES_CBC_MD5, password, salt, "Kerberos v4 key");
+    }
+    if(afs){
+	salt.salttype = KRB5_AFS3_SALT;
+	salt.saltvalue.length = strlen(cell);
+	salt.saltvalue.data = cell;
+	tokey(context, ETYPE_DES_CBC_MD5, password, salt, "AFS key");
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kdc/string2key.cat8 b/crypto/heimdal/kdc/string2key.cat8
new file mode 100644
index 0000000..d70e150
--- /dev/null
+++ b/crypto/heimdal/kdc/string2key.cat8
@@ -0,0 +1,42 @@
+
+STRING2KEY(8)            UNIX System Manager's Manual            STRING2KEY(8)
+
+NNAAMMEE
+     ssttrriinngg22kkeeyy - map a password into a key
+
+SSYYNNOOPPSSIISS
+     ssttrriinngg22kkeeyy [--55 | ----vveerrssiioonn55] [--44 | ----vveerrssiioonn44] [--aa | ----aaffss] [--cc _c_e_l_l |
+     ----cceellll==_c_e_l_l] [--ww _p_a_s_s_w_o_r_d | ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d] [--pp _p_r_i_n_c_i_p_a_l |
+     ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--kk _s_t_r_i_n_g | ----kkeeyyttyyppee==_s_t_r_i_n_g] _p_a_s_s_w_o_r_d
+
+DDEESSCCRRIIPPTTIIOONN
+     ssttrriinngg22kkeeyy performs the string-to-key function.  This is useful when you
+     want to handle the raw key instead of the password.  Supported options:
+
+     --55, ----vveerrssiioonn55
+             Output Kerberos v5 string-to-key
+
+     --44, ----vveerrssiioonn44
+             Output Kerberos v4 string-to-key
+
+     --aa, ----aaffss
+             Output AFS string-to-key
+
+     --cc _c_e_l_l, ----cceellll==_c_e_l_l
+             AFS cell to use
+
+     --ww _p_a_s_s_w_o_r_d, ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d
+             Password to use
+
+     --pp _p_r_i_n_c_i_p_a_l, ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l
+             Kerberos v5 principal to use
+
+     --kk _s_t_r_i_n_g, ----kkeeyyttyyppee==_s_t_r_i_n_g
+             Keytype
+
+     ----vveerrssiioonn
+             print version
+
+     ----hheellpp
+
+ HEIMDAL                         March 4, 2000                               1
diff --git a/crypto/heimdal/kdc/v4_dump.c b/crypto/heimdal/kdc/v4_dump.c
new file mode 100644
index 0000000..dc0a8f2
--- /dev/null
+++ b/crypto/heimdal/kdc/v4_dump.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "hprop.h"
+
+RCSID("$Id: v4_dump.c,v 1.4 2001/01/26 15:55:07 joda Exp $");
+
+static time_t
+time_parse(const char *cp)
+{
+    char wbuf[5];
+    struct tm tp;
+    int local;
+
+    memset(&tp, 0, sizeof(tp));	/* clear out the struct */
+    
+    /* new format is YYYYMMDDHHMM UTC,
+       old format is YYMMDDHHMM local time */
+    if (strlen(cp) > 10) {		/* new format */
+	strlcpy(wbuf, cp, sizeof(wbuf));
+	tp.tm_year = atoi(wbuf) - 1900;
+	cp += 4;
+	local = 0;
+    } else {
+	wbuf[0] = *cp++;
+	wbuf[1] = *cp++;
+	wbuf[2] = '\0';
+	tp.tm_year = atoi(wbuf);
+	if(tp.tm_year < 38)
+	    tp.tm_year += 100;
+	local = 1;
+    }
+
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    wbuf[2] = 0;
+    tp.tm_mon = atoi(wbuf) - 1;
+
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    tp.tm_mday = atoi(wbuf);
+    
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    tp.tm_hour = atoi(wbuf);
+    
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    tp.tm_min = atoi(wbuf);
+    
+    return(tm2time(tp, local));
+}
+
+/* convert a version 4 dump file */
+int
+v4_prop_dump(void *arg, const char *file)
+{
+    char buf [1024];
+    FILE *f;
+    int lineno = 0;
+
+    f = fopen(file, "r");
+    if(f == NULL)
+	return errno;
+    
+    while(fgets(buf, sizeof(buf), f)) {
+	int ret;
+	unsigned long key[2]; /* yes, long */
+	char exp_date[64], mod_date[64];
+	struct v4_principal pr;
+	int attributes;
+    
+	memset(&pr, 0, sizeof(pr));
+	errno = 0;
+	lineno++;
+	ret = sscanf(buf, "%s %s %d %d %d %d %lx %lx %s %s %s %s",
+		     pr.name, pr.instance,
+		     &pr.max_life, &pr.mkvno, &pr.kvno,
+		     &attributes,
+		     &key[0], &key[1],
+		     exp_date, mod_date,
+		     pr.mod_name, pr.mod_instance);
+	if(ret != 12){
+	    warnx("Line %d malformed (ignored)", lineno);
+	    continue;
+	}
+	if(attributes != 0) {
+	    warnx("Line %d (%s.%s) has non-zero attributes - skipping", 
+		  lineno, pr.name, pr.instance);
+	    continue;
+	}
+	pr.key[0] = (key[0] >> 24) & 0xff;
+	pr.key[1] = (key[0] >> 16) & 0xff;
+	pr.key[2] = (key[0] >> 8) & 0xff;
+	pr.key[3] = (key[0] >> 0) & 0xff;
+	pr.key[4] = (key[1] >> 24) & 0xff;
+	pr.key[5] = (key[1] >> 16) & 0xff;
+	pr.key[6] = (key[1] >> 8) & 0xff;
+	pr.key[7] = (key[1] >> 0) & 0xff;
+	pr.exp_date = time_parse(exp_date);
+	pr.mod_date = time_parse(mod_date);
+	if (pr.instance[0] == '*')
+	    pr.instance[0] = '\0';
+	if (pr.mod_name[0] == '*')
+	    pr.mod_name[0] = '\0';
+	if (pr.mod_instance[0] == '*')
+	    pr.mod_instance[0] = '\0';
+	v4_prop(arg, &pr);
+	memset(&pr, 0, sizeof(pr));
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/kpasswd/Makefile.am b/crypto/heimdal/kpasswd/Makefile.am
new file mode 100644
index 0000000..fc9cb67
--- /dev/null
+++ b/crypto/heimdal/kpasswd/Makefile.am
@@ -0,0 +1,29 @@
+# $Id: Makefile.am,v 1.15 2000/11/15 22:51:13 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+man_MANS = kpasswd.1 kpasswdd.8
+
+bin_PROGRAMS = kpasswd
+
+kpasswd_SOURCES = kpasswd.c kpasswd_locl.h
+
+libexec_PROGRAMS = kpasswdd
+
+noinst_PROGRAMS = kpasswd-generator
+
+kpasswdd_SOURCES = kpasswdd.c kpasswd_locl.h
+
+kpasswdd_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(LDADD) \
+	$(LIB_pidfile) \
+	$(LIB_dlopen) \
+	$(DBLIB)
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/kpasswd/Makefile.in b/crypto/heimdal/kpasswd/Makefile.in
new file mode 100644
index 0000000..372a1d6
--- /dev/null
+++ b/crypto/heimdal/kpasswd/Makefile.in
@@ -0,0 +1,743 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.15 2000/11/15 22:51:13 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+man_MANS = kpasswd.1 kpasswdd.8
+
+bin_PROGRAMS = kpasswd
+
+kpasswd_SOURCES = kpasswd.c kpasswd_locl.h
+
+libexec_PROGRAMS = kpasswdd
+
+noinst_PROGRAMS = kpasswd-generator
+
+kpasswdd_SOURCES = kpasswdd.c kpasswd_locl.h
+
+kpasswdd_LDADD = \
+	$(top_builddir)/lib/kadm5/libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(LDADD) \
+	$(LIB_pidfile) \
+	$(LIB_dlopen) \
+	$(DBLIB)
+
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+subdir = kpasswd
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  kpasswd$(EXEEXT)
+libexec_PROGRAMS =  kpasswdd$(EXEEXT)
+noinst_PROGRAMS =  kpasswd-generator$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS) $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_kpasswd_OBJECTS =  kpasswd.$(OBJEXT)
+kpasswd_OBJECTS =  $(am_kpasswd_OBJECTS)
+kpasswd_LDADD = $(LDADD)
+kpasswd_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kpasswd_LDFLAGS = 
+kpasswd_generator_SOURCES = kpasswd-generator.c
+kpasswd_generator_OBJECTS =  kpasswd-generator.$(OBJEXT)
+kpasswd_generator_LDADD = $(LDADD)
+kpasswd_generator_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kpasswd_generator_LDFLAGS = 
+am_kpasswdd_OBJECTS =  kpasswdd.$(OBJEXT)
+kpasswdd_OBJECTS =  $(am_kpasswdd_OBJECTS)
+kpasswdd_DEPENDENCIES =  $(top_builddir)/lib/kadm5/libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kpasswdd_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(kpasswd_SOURCES) kpasswd-generator.c \
+$(kpasswdd_SOURCES)
+man1dir = $(mandir)/man1
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(kpasswd_SOURCES) kpasswd-generator.c $(kpasswdd_SOURCES)
+OBJECTS = $(am_kpasswd_OBJECTS) kpasswd-generator.$(OBJEXT) $(am_kpasswdd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign kpasswd/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+kpasswd$(EXEEXT): $(kpasswd_OBJECTS) $(kpasswd_DEPENDENCIES)
+	@rm -f kpasswd$(EXEEXT)
+	$(LINK) $(kpasswd_LDFLAGS) $(kpasswd_OBJECTS) $(kpasswd_LDADD) $(LIBS)
+
+kpasswd-generator$(EXEEXT): $(kpasswd_generator_OBJECTS) $(kpasswd_generator_DEPENDENCIES)
+	@rm -f kpasswd-generator$(EXEEXT)
+	$(LINK) $(kpasswd_generator_LDFLAGS) $(kpasswd_generator_OBJECTS) $(kpasswd_generator_LDADD) $(LIBS)
+
+kpasswdd$(EXEEXT): $(kpasswdd_OBJECTS) $(kpasswdd_DEPENDENCIES)
+	@rm -f kpasswdd$(EXEEXT)
+	$(LINK) $(kpasswdd_LDFLAGS) $(kpasswdd_OBJECTS) $(kpasswdd_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1 install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1 uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+		uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-noinstPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-noinstPROGRAMS \
+		clean-compile clean-libtool clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-noinstPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man8 uninstall-man8 install-man uninstall-man tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/kpasswd/kpasswd-generator.c b/crypto/heimdal/kpasswd/kpasswd-generator.c
new file mode 100644
index 0000000..41ca65d
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswd-generator.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kpasswd_locl.h"
+
+RCSID("$Id: kpasswd-generator.c,v 1.4 2001/05/12 15:17:10 assar Exp $");
+
+static unsigned
+read_words (const char *filename, char ***ret_w)
+{
+    unsigned n, alloc;
+    FILE *f;
+    char buf[256];
+    char **w = NULL;
+
+    f = fopen (filename, "r");
+    if (f == NULL)
+	err (1, "cannot open %s", filename);
+    alloc = n = 0;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if (buf[strlen (buf) - 1] == '\n')
+	    buf[strlen (buf) - 1] = '\0';
+	if (n >= alloc) {
+	    alloc += 16;
+	    w = erealloc (w, alloc * sizeof(char **));
+	}
+	w[n++] = estrdup (buf);
+    }
+    *ret_w = w;
+    return n;
+}
+
+static int
+nop_prompter (krb5_context context,
+	      void *data,
+	      const char *name,
+	      const char *banner,
+	      int num_prompts,
+	      krb5_prompt prompts[])
+{
+    return 0;
+}
+
+static void
+generate_requests (const char *filename, unsigned nreq)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    int i;
+    char **words;
+    unsigned nwords;
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    nwords = read_words (filename, &words);
+
+    for (i = 0; i < nreq; ++i) {
+	char *name = words[rand() % nwords];
+	krb5_get_init_creds_opt opt;
+	krb5_creds cred;
+	krb5_principal principal;
+	int result_code;
+	krb5_data result_code_string, result_string;
+	char *old_pwd, *new_pwd;
+
+	krb5_get_init_creds_opt_init (&opt);
+	krb5_get_init_creds_opt_set_tkt_life (&opt, 300);
+	krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
+	krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
+
+	ret = krb5_parse_name (context, name, &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name %s", name);
+
+	asprintf (&old_pwd, "%s", name);
+	asprintf (&new_pwd, "%s2", name);
+
+	ret = krb5_get_init_creds_password (context,
+					    &cred,
+					    principal,
+					    old_pwd,
+					    nop_prompter,
+					    NULL,
+					    0,
+					    "kadmin/changepw",
+					    &opt);
+	if( ret == KRB5KRB_AP_ERR_BAD_INTEGRITY
+	    || ret == KRB5KRB_AP_ERR_MODIFIED) {
+	    char *tmp;
+
+	    tmp = new_pwd;
+	    new_pwd = old_pwd;
+	    old_pwd = tmp;
+
+	    ret = krb5_get_init_creds_password (context,
+						&cred,
+						principal,
+						old_pwd,
+						nop_prompter,
+						NULL,
+						0,
+						"kadmin/changepw",
+						&opt);
+	}
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_get_init_creds_password");
+
+	krb5_free_principal (context, principal);
+
+	ret = krb5_change_password (context, &cred, new_pwd,
+				    &result_code,
+				    &result_code_string,
+				    &result_string);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_change_password");
+
+	free (old_pwd);
+	free (new_pwd);
+	krb5_free_creds_contents (context, &cred);
+    }
+}
+
+static int version_flag	= 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "file [number]");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    int nreq;
+    char *end;
+
+    setprogname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 2)
+	usage (1);
+    srand (0);
+    nreq = strtol (argv[1], &end, 0);
+    if (argv[1] == end || *end != '\0')
+	usage (1);
+    generate_requests (argv[0], nreq);
+    return 0;
+}
diff --git a/crypto/heimdal/kpasswd/kpasswd.1 b/crypto/heimdal/kpasswd/kpasswd.1
new file mode 100644
index 0000000..50e5cd8
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswd.1
@@ -0,0 +1,19 @@
+.\" $Id: kpasswd.1,v 1.3 2001/05/02 08:59:22 assar Exp $
+.\"
+.Dd Aug 27, 1997
+.Dt KPASSWD 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kpasswd
+.Nd Kerberos 5 password changing program
+.Sh SYNOPSIS
+.Nm
+.Op Ar principal
+.Sh DESCRIPTION
+.Nm
+is the client for changing passwords.
+.Sh DIAGNOSTICS
+If the password quality check fails or some other error occurs, an
+explanation is printed.
+.Sh SEE ALSO
+.Xr kpasswdd 8
diff --git a/crypto/heimdal/kpasswd/kpasswd.c b/crypto/heimdal/kpasswd/kpasswd.c
new file mode 100644
index 0000000..28de853
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswd.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kpasswd_locl.h"
+RCSID("$Id: kpasswd.c,v 1.23 2000/12/31 07:48:34 assar Exp $");
+
+static int version_flag;
+static int help_flag;
+
+static struct getargs args[] = {
+    { "version", 		0,   arg_flag, &version_flag },
+    { "help",			0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret, struct getargs *a, int num_args)
+{
+    arg_printusage (a, num_args, NULL, "[principal]");
+    exit (ret);
+}
+
+int
+main (int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_principal principal;
+    int optind = 0;
+    krb5_get_init_creds_opt opt;
+    krb5_creds cred;
+    int result_code;
+    krb5_data result_code_string, result_string;
+    char pwbuf[BUFSIZ];
+
+    optind = krb5_program_setup(&context, argc, argv,
+				args, sizeof(args) / sizeof(args[0]), usage);
+
+    if (help_flag)
+	usage (0, args, sizeof(args) / sizeof(args[0]));
+
+    if(version_flag){
+	print_version (NULL);
+	exit(0);
+    }
+
+    krb5_get_init_creds_opt_init (&opt);
+    
+    krb5_get_init_creds_opt_set_tkt_life (&opt, 300);
+    krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
+    krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc > 1)
+	usage (1, args, sizeof(args) / sizeof(args[0]));
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+  
+    if(argv[0]) {
+	ret = krb5_parse_name (context, argv[0], &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name");
+    } else
+	principal = NULL;
+
+    ret = krb5_get_init_creds_password (context,
+					&cred,
+					principal,
+					NULL,
+					krb5_prompter_posix,
+					NULL,
+					0,
+					"kadmin/changepw",
+					&opt);
+    switch (ret) {
+    case 0:
+	break;
+    case KRB5_LIBOS_PWDINTR :
+	return 1;
+    case KRB5KRB_AP_ERR_BAD_INTEGRITY :
+    case KRB5KRB_AP_ERR_MODIFIED :
+	krb5_errx(context, 1, "Password incorrect");
+	break;
+    default:
+	krb5_err(context, 1, ret, "krb5_get_init_creds");
+    }
+
+    krb5_data_zero (&result_code_string);
+    krb5_data_zero (&result_string);
+
+    if(des_read_pw_string (pwbuf, sizeof(pwbuf), "New password: ", 1) != 0)
+	return 1;
+
+    ret = krb5_change_password (context, &cred, pwbuf,
+				&result_code,
+				&result_code_string,
+				&result_string);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_change_password");
+
+    printf ("Reply from server: %.*s\n", (int)result_string.length,
+	    (char *)result_string.data);
+
+    krb5_data_free (&result_code_string);
+    krb5_data_free (&result_string);
+    
+    krb5_free_creds_contents (context, &cred);
+    krb5_free_context (context);
+    return result_code;
+}
diff --git a/crypto/heimdal/kpasswd/kpasswd.cat1 b/crypto/heimdal/kpasswd/kpasswd.cat1
new file mode 100644
index 0000000..874fb22
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswd.cat1
@@ -0,0 +1,20 @@
+
+KPASSWD(1)                   UNIX Reference Manual                  KPASSWD(1)
+
+NNAAMMEE
+     kkppaasssswwdd - Kerberos 5 password changing program
+
+SSYYNNOOPPSSIISS
+     kkppaasssswwdd [_p_r_i_n_c_i_p_a_l]
+
+DDEESSCCRRIIPPTTIIOONN
+     kkppaasssswwdd is the client for changing passwords.
+
+DDIIAAGGNNOOSSTTIICCSS
+     If the password quality check fails or some other error occurs, an expla-
+     nation is printed.
+
+SSEEEE AALLSSOO
+     kpasswdd(8)
+
+ HEIMDAL                         Aug 27, 1997                                1
diff --git a/crypto/heimdal/kpasswd/kpasswd_locl.h b/crypto/heimdal/kpasswd/kpasswd_locl.h
new file mode 100644
index 0000000..c2ba5ed1
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswd_locl.h
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kpasswd_locl.h,v 1.10 2001/02/15 04:20:54 assar Exp $ */
+
+#ifndef __KPASSWD_LOCL_H__
+#define __KPASSWD_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+#include <krb5.h>
+
+#endif /* __KPASSWD_LOCL_H__ */
diff --git a/crypto/heimdal/kpasswd/kpasswdd.8 b/crypto/heimdal/kpasswd/kpasswdd.8
new file mode 100644
index 0000000..5cf4b24
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswdd.8
@@ -0,0 +1,88 @@
+.\" $Id: kpasswdd.8,v 1.5 2001/06/08 21:35:32 joda Exp $
+.\"
+.Dd April 19, 1999
+.Dt KPASSWDD 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kpasswdd
+.Nd Kerberos 5 password changing server
+.Sh SYNOPSIS
+.Nm
+.Op Fl -check-library= Ns Ar library
+.Op Fl -check-function= Ns Ar function
+.Oo Fl k Ar kspec \*(Ba Xo
+.Fl -keytab= Ns Ar kspec
+.Xc
+.Oc
+.Oo Fl r Ar realm \*(Ba Xo
+.Fl -realm= Ns Ar realm
+.Xc
+.Oc
+.Oo Fl p Ar string \*(Ba Xo
+.Fl -port= Ns Ar string
+.Xc
+.Oc
+.Op Fl -version
+.Op Fl -help
+.Sh DESCRIPTION
+.Nm
+serves request for password changes. It listens on UDP port 464
+(service kpasswd) and processes requests when they arrive. It changes
+the database directly and should thus only run on the master KDC.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl -check-library= Ns Ar library
+.Xc
+If your system has support for dynamic loading of shared libraries,
+you can use an external function to check password quality. This
+option specifies which library to load.
+.It Xo
+.Fl -check-function= Ns Ar function
+.Xc
+This is the function to call in the loaded library. The function
+should look like this:
+.Pp
+.Ft const char *
+.Fn passwd_check "krb5_context context" "krb5_principal principal" "krb5_data *password"
+.Pp
+.Fa context
+is an initialized context;
+.Fa principal
+is the one who tries to change passwords, and
+.Fa password
+is the new password. Note that the password (in
+.Fa password->data )
+is not zero terminated.
+.It Xo
+.Fl k Ar kspec Ns ,
+.Fl -keytab= Ns Ar kspec
+.Xc
+keytab to get authentication key from
+.It Xo
+.Fl r Ar realm Ns ,
+.Fl -realm= Ns Ar realm
+.Xc
+default realm
+.It Xo
+.Fl p Ar string Ns ,
+.Fl -port= Ns Ar string
+.Xc
+port to listen on (default service kpasswd - 464).
+.El
+.Sh DIAGNOSTICS
+If an error occurs, the error message is returned to the user and/or
+logged to syslog.
+.Sh BUGS
+The default password quality checks are too basic.
+.Sh SEE ALSO
+.Xr kdc 8 ,
+.Xr kpasswd 1
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh SEE ALSO
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
diff --git a/crypto/heimdal/kpasswd/kpasswdd.c b/crypto/heimdal/kpasswd/kpasswdd.c
new file mode 100644
index 0000000..4ddb078
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswdd.c
@@ -0,0 +1,602 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kpasswd_locl.h"
+RCSID("$Id: kpasswdd.c,v 1.51 2001/05/14 06:18:56 assar Exp $");
+
+#include <kadm5/admin.h>
+
+#include <hdb.h>
+
+static krb5_context context;
+static krb5_log_facility *log_facility;
+
+static sig_atomic_t exit_flag = 0;
+
+static void
+send_reply (int s,
+	    struct sockaddr *sa,
+	    int sa_size,
+	    krb5_data *ap_rep,
+	    krb5_data *rest)
+{
+    struct msghdr msghdr;
+    struct iovec iov[3];
+    u_int16_t len, ap_rep_len;
+    u_char header[6];
+    u_char *p;
+
+    if (ap_rep)
+	ap_rep_len = ap_rep->length;
+    else
+	ap_rep_len = 0;
+
+    len = 6 + ap_rep_len + rest->length;
+    p = header;
+    *p++ = (len >> 8) & 0xFF;
+    *p++ = (len >> 0) & 0xFF;
+    *p++ = 0;
+    *p++ = 1;
+    *p++ = (ap_rep_len >> 8) & 0xFF;
+    *p++ = (ap_rep_len >> 0) & 0xFF;
+
+    memset (&msghdr, 0, sizeof(msghdr));
+    msghdr.msg_name       = (void *)sa;
+    msghdr.msg_namelen    = sa_size;
+    msghdr.msg_iov        = iov;
+    msghdr.msg_iovlen     = sizeof(iov)/sizeof(*iov);
+#if 0
+    msghdr.msg_control    = NULL;
+    msghdr.msg_controllen = 0;
+#endif
+
+    iov[0].iov_base       = (char *)header;
+    iov[0].iov_len        = 6;
+    if (ap_rep_len) {
+	iov[1].iov_base   = ap_rep->data;
+	iov[1].iov_len    = ap_rep->length;
+    } else {
+	iov[1].iov_base   = NULL;
+	iov[1].iov_len    = 0;
+    }
+    iov[2].iov_base       = rest->data;
+    iov[2].iov_len        = rest->length;
+
+    if (sendmsg (s, &msghdr, 0) < 0)
+	krb5_warn (context, errno, "sendmsg");
+}
+
+static int
+make_result (krb5_data *data,
+	     u_int16_t result_code,
+	     const char *expl)
+{
+    krb5_data_zero (data);
+
+    data->length = asprintf ((char **)&data->data,
+			     "%c%c%s",
+			     (result_code >> 8) & 0xFF,
+			     result_code & 0xFF,
+			     expl);
+
+    if (data->data == NULL) {
+	krb5_warnx (context, "Out of memory generating error reply");
+	return 1;
+    }
+    return 0;
+}
+
+static void
+reply_error (krb5_principal server,
+	     int s,
+	     struct sockaddr *sa,
+	     int sa_size,
+	     krb5_error_code error_code,
+	     u_int16_t result_code,
+	     const char *expl)
+{
+    krb5_error_code ret;
+    krb5_data error_data;
+    krb5_data e_data;
+
+    if (make_result(&e_data, result_code, expl))
+	return;
+
+    ret = krb5_mk_error (context,
+			 error_code,
+			 NULL,
+			 &e_data,
+			 NULL,
+			 server,
+			 NULL,
+			 NULL,
+			 &error_data);
+    krb5_data_free (&e_data);
+    if (ret) {
+	krb5_warn (context, ret, "Could not even generate error reply");
+	return;
+    }
+    send_reply (s, sa, sa_size, NULL, &error_data);
+    krb5_data_free (&error_data);
+}
+
+static void
+reply_priv (krb5_auth_context auth_context,
+	    int s,
+	    struct sockaddr *sa,
+	    int sa_size,
+	    u_int16_t result_code,
+	    const char *expl)
+{
+    krb5_error_code ret;
+    krb5_data krb_priv_data;
+    krb5_data ap_rep_data;
+    krb5_data e_data;
+
+    ret = krb5_mk_rep (context,
+		       auth_context,
+		       &ap_rep_data);
+    if (ret) {
+	krb5_warn (context, ret, "Could not even generate error reply");
+	return;
+    }
+
+    if (make_result(&e_data, result_code, expl))
+	return;
+
+    ret = krb5_mk_priv (context,
+			auth_context,
+			&e_data,
+			&krb_priv_data,
+			NULL);
+    krb5_data_free (&e_data);
+    if (ret) {
+	krb5_warn (context, ret, "Could not even generate error reply");
+	return;
+    }
+    send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
+    krb5_data_free (&ap_rep_data);
+    krb5_data_free (&krb_priv_data);
+}
+
+/*
+ * Change the password for `principal', sending the reply back on `s'
+ * (`sa', `sa_size') to `pwd_data'.
+ */
+
+static void
+change (krb5_auth_context auth_context,
+	krb5_principal principal,
+	int s,
+	struct sockaddr *sa,
+	int sa_size,
+	krb5_data *pwd_data)
+{
+    krb5_error_code ret;
+    char *client;
+    const char *pwd_reason;
+    kadm5_config_params conf;
+    void *kadm5_handle;
+    char *tmp;
+
+    memset (&conf, 0, sizeof(conf));
+    
+    krb5_unparse_name (context, principal, &client);
+
+    ret = kadm5_init_with_password_ctx(context, 
+				       client,
+				       NULL,
+				       KADM5_ADMIN_SERVICE,
+				       &conf, 0, 0, 
+				       &kadm5_handle);
+    if (ret) {
+	free (client);
+	krb5_warn (context, ret, "kadm5_init_with_password_ctx");
+	reply_priv (auth_context, s, sa, sa_size, 2,
+		    "Internal error");
+	return;
+    }
+
+    krb5_warnx (context, "Changing password for %s", client);
+    free (client);
+
+    pwd_reason = kadm5_check_password_quality (context, principal, pwd_data);
+    if (pwd_reason != NULL ) {
+	krb5_warnx (context, "%s", pwd_reason);
+	reply_priv (auth_context, s, sa, sa_size, 4, pwd_reason);
+	kadm5_destroy (kadm5_handle);
+	return;
+    }
+
+    tmp = malloc (pwd_data->length + 1);
+    if (tmp == NULL) {
+	krb5_warnx (context, "malloc: out of memory");
+	reply_priv (auth_context, s, sa, sa_size, 2,
+		    "Internal error");
+	goto out;
+    }
+    memcpy (tmp, pwd_data->data, pwd_data->length);
+    tmp[pwd_data->length] = '\0';
+
+    ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp);
+    memset (tmp, 0, pwd_data->length);
+    free (tmp);
+    if (ret) {
+	krb5_warn (context, ret, "kadm5_s_chpass_principal_cond");
+	reply_priv (auth_context, s, sa, sa_size, 2,
+		    "Internal error");
+	goto out;
+    }
+    reply_priv (auth_context, s, sa, sa_size, 0, "Password changed");
+out:
+    kadm5_destroy (kadm5_handle);
+}
+
+static int
+verify (krb5_auth_context *auth_context,
+	krb5_principal server,
+	krb5_keytab keytab,
+	krb5_ticket **ticket,
+	krb5_data *out_data,
+	int s,
+	struct sockaddr *sa,
+	int sa_size,
+	u_char *msg,
+	size_t len)
+{
+    krb5_error_code ret;
+    u_int16_t pkt_len, pkt_ver, ap_req_len;
+    krb5_data ap_req_data;
+    krb5_data krb_priv_data;
+
+    pkt_len = (msg[0] << 8) | (msg[1]);
+    pkt_ver = (msg[2] << 8) | (msg[3]);
+    ap_req_len = (msg[4] << 8) | (msg[5]);
+    if (pkt_len != len) {
+	krb5_warnx (context, "Strange len: %ld != %ld", 
+		    (long)pkt_len, (long)len);
+	reply_error (server, s, sa, sa_size, 0, 1, "Bad request");
+	return 1;
+    }
+    if (pkt_ver != 0x0001) {
+	krb5_warnx (context, "Bad version (%d)", pkt_ver);
+	reply_error (server, s, sa, sa_size, 0, 1, "Wrong program version");
+	return 1;
+    }
+
+    ap_req_data.data   = msg + 6;
+    ap_req_data.length = ap_req_len;
+
+    ret = krb5_rd_req (context,
+		       auth_context,
+		       &ap_req_data,
+		       server,
+		       keytab,
+		       NULL,
+		       ticket);
+    if (ret) {
+	if(ret == KRB5_KT_NOTFOUND) {
+	    char *name;
+	    krb5_unparse_name(context, server, &name);
+	    krb5_warnx (context, "krb5_rd_req: %s (%s)", 
+			krb5_get_err_text(context, ret), name);
+	    free(name);
+	} else
+	    krb5_warn (context, ret, "krb5_rd_req");
+	reply_error (server, s, sa, sa_size, ret, 3, "Authentication failed");
+	return 1;
+    }
+
+    if (!(*ticket)->ticket.flags.initial) {
+	krb5_warnx (context, "initial flag not set");
+	reply_error (server, s, sa, sa_size, ret, 1,
+		     "Bad request");
+	goto out;
+    }
+    krb_priv_data.data   = msg + 6 + ap_req_len;
+    krb_priv_data.length = len - 6 - ap_req_len;
+
+    ret = krb5_rd_priv (context,
+			*auth_context,
+			&krb_priv_data,
+			out_data,
+			NULL);
+    
+    if (ret) {
+	krb5_warn (context, ret, "krb5_rd_priv");
+	reply_error (server, s, sa, sa_size, ret, 3, "Bad request");
+	goto out;
+    }
+    return 0;
+out:
+    krb5_free_ticket (context, *ticket);
+    return 1;
+}
+
+static void
+process (krb5_principal server,
+	 krb5_keytab keytab,
+	 int s,
+	 krb5_address *this_addr,
+	 struct sockaddr *sa,
+	 int sa_size,
+	 u_char *msg,
+	 int len)
+{
+    krb5_error_code ret;
+    krb5_auth_context auth_context = NULL;
+    krb5_data out_data;
+    krb5_ticket *ticket;
+    krb5_address other_addr;
+
+    krb5_data_zero (&out_data);
+
+    ret = krb5_auth_con_init (context, &auth_context);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_auth_con_init");
+	return;
+    }
+
+    krb5_auth_con_setflags (context, auth_context,
+			    KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+    ret = krb5_sockaddr2address (context, sa, &other_addr);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_sockaddr2address");
+	goto out;
+    }
+
+    ret = krb5_auth_con_setaddrs (context,
+				  auth_context,
+				  this_addr,
+				  &other_addr);
+    krb5_free_address (context, &other_addr);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_auth_con_setaddr");
+	goto out;
+    }
+
+    if (verify (&auth_context, server, keytab, &ticket, &out_data,
+		s, sa, sa_size, msg, len) == 0) {
+	change (auth_context,
+		ticket->client,
+		s,
+		sa, sa_size,
+		&out_data);
+	memset (out_data.data, 0, out_data.length);
+	krb5_free_ticket (context, ticket);
+	free (ticket);
+    }
+
+out:
+    krb5_data_free (&out_data);
+    krb5_auth_con_free (context, auth_context);
+}
+
+static int
+doit (krb5_keytab keytab, int port)
+{
+    krb5_error_code ret;
+    krb5_principal server;
+    int *sockets;
+    int maxfd;
+    char *realm;
+    krb5_addresses addrs;
+    unsigned n, i;
+    fd_set real_fdset;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+
+    ret = krb5_get_default_realm (context, &realm);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_default_realm");
+
+    ret = krb5_build_principal (context,
+				&server,
+				strlen(realm),
+				realm,
+				"kadmin",
+				"changepw",
+				NULL);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_build_principal");
+
+    free (realm);
+
+    ret = krb5_get_all_server_addrs (context, &addrs);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+
+    n = addrs.len;
+
+    sockets = malloc (n * sizeof(*sockets));
+    if (sockets == NULL)
+	krb5_errx (context, 1, "out of memory");
+    maxfd = 0;
+    FD_ZERO(&real_fdset);
+    for (i = 0; i < n; ++i) {
+	int sa_size;
+
+	krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
+	
+	sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
+	if (sockets[i] < 0)
+	    krb5_err (context, 1, errno, "socket");
+	if (bind (sockets[i], sa, sa_size) < 0) {
+	    char str[128];
+	    size_t len;
+	    ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
+	    krb5_err (context, 1, errno, "bind(%s)", str);
+	}
+	maxfd = max (maxfd, sockets[i]);
+	if (maxfd >= FD_SETSIZE)
+	    krb5_errx (context, 1, "fd too large");
+	FD_SET(sockets[i], &real_fdset);
+    }
+
+    while(exit_flag == 0) {
+	int ret;
+	fd_set fdset = real_fdset;
+
+	ret = select (maxfd + 1, &fdset, NULL, NULL, NULL);
+	if (ret < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		krb5_err (context, 1, errno, "select");
+	}
+	for (i = 0; i < n; ++i)
+	    if (FD_ISSET(sockets[i], &fdset)) {
+		u_char buf[BUFSIZ];
+		socklen_t addrlen = sizeof(__ss);
+
+		ret = recvfrom (sockets[i], buf, sizeof(buf), 0,
+				sa, &addrlen);
+		if (ret < 0) {
+		    if(errno == EINTR)
+			break;
+		    else
+			krb5_err (context, 1, errno, "recvfrom");
+		}
+
+		process (server, keytab, sockets[i],
+			 &addrs.val[i],
+			 sa, addrlen,
+			 buf, ret);
+	    }
+    }
+    krb5_free_addresses (context, &addrs);
+    krb5_free_principal (context, server);
+    krb5_free_context (context);
+    return 0;
+}
+
+static RETSIGTYPE
+sigterm(int sig)
+{
+    exit_flag = 1;
+}
+
+const char *check_library  = NULL;
+const char *check_function = NULL;
+char *keytab_str = "HDB:";
+char *realm_str;
+int version_flag;
+int help_flag;
+char *port_str;
+
+struct getargs args[] = {
+#ifdef HAVE_DLOPEN
+    { "check-library", 0, arg_string, &check_library, 
+      "library to load password check function from", "library" },
+    { "check-function", 0, arg_string, &check_function,
+      "password check function to load", "function" },
+#endif
+    { "keytab", 'k', arg_string, &keytab_str, 
+      "keytab to get authentication key from", "kspec" },
+    { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
+    { "port",  'p', arg_string, &port_str, "port" },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main (int argc, char **argv)
+{
+    int optind;
+    krb5_keytab keytab;
+    krb5_error_code ret;
+    int port;
+    
+    optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(realm_str)
+	krb5_set_default_realm(context, realm_str);
+    
+    krb5_openlog (context, "kpasswdd", &log_facility);
+    krb5_set_warn_dest(context, log_facility);
+
+    if (port_str != NULL) {
+	struct servent *s = roken_getservbyname (port_str, "udp");
+
+	if (s != NULL)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		krb5_errx (context, 1, "bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    } else
+	port = krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT);
+
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_register");
+
+    ret = krb5_kt_resolve(context, keytab_str, &keytab);
+    if(ret)
+	krb5_err(context, 1, ret, "%s", keytab_str);
+    
+    kadm5_setup_passwd_quality_check (context, check_library, check_function);
+
+#ifdef HAVE_SIGACTION
+    {
+	struct sigaction sa;
+
+	sa.sa_flags = 0;
+	sa.sa_handler = sigterm;
+	sigemptyset(&sa.sa_mask);
+
+	sigaction(SIGINT,  &sa, NULL);
+	sigaction(SIGTERM, &sa, NULL);
+    }
+#else
+    signal(SIGINT,  sigterm);
+    signal(SIGTERM, sigterm);
+#endif
+
+    pidfile(NULL);
+
+    return doit (keytab, port);
+}
diff --git a/crypto/heimdal/kpasswd/kpasswdd.cat8 b/crypto/heimdal/kpasswd/kpasswdd.cat8
new file mode 100644
index 0000000..b7d2e8d
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswdd.cat8
@@ -0,0 +1,54 @@
+
+KPASSWDD(8)              UNIX System Manager's Manual              KPASSWDD(8)
+
+NNAAMMEE
+     kkppaasssswwdddd - Kerberos 5 password changing server
+
+SSYYNNOOPPSSIISS
+     kkppaasssswwdddd [----cchheecckk--lliibbrraarryy==_l_i_b_r_a_r_y] [----cchheecckk--ffuunnccttiioonn==_f_u_n_c_t_i_o_n] [--kk _k_s_p_e_c
+     | ----kkeeyyttaabb==_k_s_p_e_c] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--pp _s_t_r_i_n_g | ----ppoorrtt==_s_t_r_i_n_g]
+     [----vveerrssiioonn] [----hheellpp]
+
+DDEESSCCRRIIPPTTIIOONN
+     kkppaasssswwdddd serves request for password changes. It listens on UDP port 464
+     (service kpasswd) and processes requests when they arrive. It changes the
+     database directly and should thus only run on the master KDC.
+
+     Supported options:
+
+     ----cchheecckk--lliibbrraarryy==_l_i_b_r_a_r_y
+             If your system has support for dynamic loading of shared li-
+             braries, you can use an external function to check password qual-
+             ity. This option specifies which library to load.
+
+     ----cchheecckk--ffuunnccttiioonn==_f_u_n_c_t_i_o_n
+             This is the function to call in the loaded library. The function
+             should look like this:
+
+             _c_o_n_s_t _c_h_a_r _* ppaasssswwdd__cchheecckk(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l
+             _p_r_i_n_c_i_p_a_l, _k_r_b_5___d_a_t_a _*_p_a_s_s_w_o_r_d)
+
+             _c_o_n_t_e_x_t is an initialized context; _p_r_i_n_c_i_p_a_l is the one who tries
+             to change passwords, and _p_a_s_s_w_o_r_d is the new password. Note that
+             the password (in _p_a_s_s_w_o_r_d_-_>_d_a_t_a) is not zero terminated.
+
+     --kk _k_s_p_e_c, ----kkeeyyttaabb==_k_s_p_e_c
+             keytab to get authentication key from
+
+     --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
+             default realm
+
+     --pp _s_t_r_i_n_g, ----ppoorrtt==_s_t_r_i_n_g
+             port to listen on (default service kpasswd - 464).
+
+DDIIAAGGNNOOSSTTIICCSS
+     If an error occurs, the error message is returned to the user and/or
+     logged to syslog.
+
+BBUUGGSS
+     The default password quality checks are too basic.
+
+SSEEEE AALLSSOO
+     kdc(8),  kpasswd(1)
+
+ HEIMDAL                        April 19, 1999                               1
diff --git a/crypto/heimdal/krb5.conf b/crypto/heimdal/krb5.conf
new file mode 100644
index 0000000..c9f4c44
--- /dev/null
+++ b/crypto/heimdal/krb5.conf
@@ -0,0 +1,26 @@
+[libdefaults]
+        default_realm = MY.REALM
+	clockskew = 300
+	v4_instance_resolve = false
+	v4_name_convert = {
+		host = {
+			rcmd = host
+			ftp = ftp
+		}
+		plain = {
+			something = something-else
+		}
+	}
+	
+[realms]
+	MY.REALM = {
+		kdc = MY.COMPUTER
+	}
+	OTHER.REALM = {
+		v4_instance_convert = {
+			kerberos = kerberos
+			computer = computer.some.other.domain
+		}
+	}
+[domain_realm]
+	.my.domain = MY.REALM
diff --git a/crypto/heimdal/kuser/Makefile.am b/crypto/heimdal/kuser/Makefile.am
new file mode 100644
index 0000000..f3900ff
--- /dev/null
+++ b/crypto/heimdal/kuser/Makefile.am
@@ -0,0 +1,37 @@
+# $Id: Makefile.am,v 1.27 2000/11/15 22:51:13 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+man_MANS = kinit.1 klist.1 kdestroy.1 kgetcred.1
+
+bin_PROGRAMS = kinit kauth klist kdestroy kgetcred
+
+kinit_SOURCES = kinit.c kinit_options.c
+
+kauth_SOURCES = kinit.c kauth_options.c
+
+noinst_PROGRAMS = kverify kdecode_ticket generate-requests
+
+CHECK_LOCAL = $(bin_PROGRAMS)
+
+kauth_LDADD = \
+	$(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+kinit_LDADD	= $(kauth_LDADD)
+
+kdestroy_LDADD	= $(kauth_LDADD)
+
+klist_LDADD	= $(kauth_LDADD)
+
+LDADD = \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
diff --git a/crypto/heimdal/kuser/Makefile.in b/crypto/heimdal/kuser/Makefile.in
new file mode 100644
index 0000000..45dd3d2
--- /dev/null
+++ b/crypto/heimdal/kuser/Makefile.in
@@ -0,0 +1,733 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.27 2000/11/15 22:51:13 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(bin_PROGRAMS)
+
+man_MANS = kinit.1 klist.1 kdestroy.1 kgetcred.1
+
+bin_PROGRAMS = kinit kauth klist kdestroy kgetcred
+
+kinit_SOURCES = kinit.c kinit_options.c
+
+kauth_SOURCES = kinit.c kauth_options.c
+
+noinst_PROGRAMS = kverify kdecode_ticket generate-requests
+
+kauth_LDADD = \
+	$(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+
+kinit_LDADD = $(kauth_LDADD)
+
+kdestroy_LDADD = $(kauth_LDADD)
+
+klist_LDADD = $(kauth_LDADD)
+
+LDADD = \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+subdir = kuser
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  kinit$(EXEEXT) kauth$(EXEEXT) klist$(EXEEXT) \
+kdestroy$(EXEEXT) kgetcred$(EXEEXT)
+noinst_PROGRAMS =  kverify$(EXEEXT) kdecode_ticket$(EXEEXT) \
+generate-requests$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+generate_requests_SOURCES = generate-requests.c
+generate_requests_OBJECTS =  generate-requests.$(OBJEXT)
+generate_requests_LDADD = $(LDADD)
+generate_requests_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+generate_requests_LDFLAGS = 
+am_kauth_OBJECTS =  kinit.$(OBJEXT) kauth_options.$(OBJEXT)
+kauth_OBJECTS =  $(am_kauth_OBJECTS)
+@KRB4_FALSE@kauth_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@kauth_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+kauth_LDFLAGS = 
+kdecode_ticket_SOURCES = kdecode_ticket.c
+kdecode_ticket_OBJECTS =  kdecode_ticket.$(OBJEXT)
+kdecode_ticket_LDADD = $(LDADD)
+kdecode_ticket_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kdecode_ticket_LDFLAGS = 
+kdestroy_SOURCES = kdestroy.c
+kdestroy_OBJECTS =  kdestroy.$(OBJEXT)
+@KRB4_FALSE@kdestroy_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@kdestroy_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+kdestroy_LDFLAGS = 
+kgetcred_SOURCES = kgetcred.c
+kgetcred_OBJECTS =  kgetcred.$(OBJEXT)
+kgetcred_LDADD = $(LDADD)
+kgetcred_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kgetcred_LDFLAGS = 
+am_kinit_OBJECTS =  kinit.$(OBJEXT) kinit_options.$(OBJEXT)
+kinit_OBJECTS =  $(am_kinit_OBJECTS)
+@KRB4_FALSE@kinit_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@kinit_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+kinit_LDFLAGS = 
+klist_SOURCES = klist.c
+klist_OBJECTS =  klist.$(OBJEXT)
+@KRB4_FALSE@klist_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@klist_DEPENDENCIES =  $(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+klist_LDFLAGS = 
+kverify_SOURCES = kverify.c
+kverify_OBJECTS =  kverify.$(OBJEXT)
+kverify_LDADD = $(LDADD)
+kverify_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+kverify_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  generate-requests.c $(kauth_SOURCES) kdecode_ticket.c \
+kdestroy.c kgetcred.c $(kinit_SOURCES) klist.c kverify.c
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = generate-requests.c $(kauth_SOURCES) kdecode_ticket.c kdestroy.c kgetcred.c $(kinit_SOURCES) klist.c kverify.c
+OBJECTS = generate-requests.$(OBJEXT) $(am_kauth_OBJECTS) kdecode_ticket.$(OBJEXT) kdestroy.$(OBJEXT) kgetcred.$(OBJEXT) $(am_kinit_OBJECTS) klist.$(OBJEXT) kverify.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign kuser/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+generate-requests$(EXEEXT): $(generate_requests_OBJECTS) $(generate_requests_DEPENDENCIES)
+	@rm -f generate-requests$(EXEEXT)
+	$(LINK) $(generate_requests_LDFLAGS) $(generate_requests_OBJECTS) $(generate_requests_LDADD) $(LIBS)
+
+kauth$(EXEEXT): $(kauth_OBJECTS) $(kauth_DEPENDENCIES)
+	@rm -f kauth$(EXEEXT)
+	$(LINK) $(kauth_LDFLAGS) $(kauth_OBJECTS) $(kauth_LDADD) $(LIBS)
+
+kdecode_ticket$(EXEEXT): $(kdecode_ticket_OBJECTS) $(kdecode_ticket_DEPENDENCIES)
+	@rm -f kdecode_ticket$(EXEEXT)
+	$(LINK) $(kdecode_ticket_LDFLAGS) $(kdecode_ticket_OBJECTS) $(kdecode_ticket_LDADD) $(LIBS)
+
+kdestroy$(EXEEXT): $(kdestroy_OBJECTS) $(kdestroy_DEPENDENCIES)
+	@rm -f kdestroy$(EXEEXT)
+	$(LINK) $(kdestroy_LDFLAGS) $(kdestroy_OBJECTS) $(kdestroy_LDADD) $(LIBS)
+
+kgetcred$(EXEEXT): $(kgetcred_OBJECTS) $(kgetcred_DEPENDENCIES)
+	@rm -f kgetcred$(EXEEXT)
+	$(LINK) $(kgetcred_LDFLAGS) $(kgetcred_OBJECTS) $(kgetcred_LDADD) $(LIBS)
+
+kinit$(EXEEXT): $(kinit_OBJECTS) $(kinit_DEPENDENCIES)
+	@rm -f kinit$(EXEEXT)
+	$(LINK) $(kinit_LDFLAGS) $(kinit_OBJECTS) $(kinit_LDADD) $(LIBS)
+
+klist$(EXEEXT): $(klist_OBJECTS) $(klist_DEPENDENCIES)
+	@rm -f klist$(EXEEXT)
+	$(LINK) $(klist_LDFLAGS) $(klist_OBJECTS) $(klist_LDADD) $(LIBS)
+
+kverify$(EXEEXT): $(kverify_OBJECTS) $(kverify_DEPENDENCIES)
+	@rm -f kverify$(EXEEXT)
+	$(LINK) $(kverify_LDFLAGS) $(kverify_OBJECTS) $(kverify_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-noinstPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-noinstPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-noinstPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man uninstall-man tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/kuser/generate-requests.c b/crypto/heimdal/kuser/generate-requests.c
new file mode 100644
index 0000000..74371a7
--- /dev/null
+++ b/crypto/heimdal/kuser/generate-requests.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+
+RCSID("$Id: generate-requests.c,v 1.3 2001/02/20 01:44:51 assar Exp $");
+
+static krb5_error_code
+null_key_proc (krb5_context context,
+	       krb5_enctype type,
+	       krb5_salt salt,
+	       krb5_const_pointer keyseed,
+	       krb5_keyblock **key)
+{
+    return ENOTTY;
+}
+
+static unsigned
+read_words (const char *filename, char ***ret_w)
+{
+    unsigned n, alloc;
+    FILE *f;
+    char buf[256];
+    char **w = NULL;
+
+    f = fopen (filename, "r");
+    if (f == NULL)
+	err (1, "cannot open %s", filename);
+    alloc = n = 0;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if (buf[strlen (buf) - 1] == '\n')
+	    buf[strlen (buf) - 1] = '\0';
+	if (n >= alloc) {
+	    alloc += 16;
+	    w = erealloc (w, alloc * sizeof(char **));
+	}
+	w[n++] = estrdup (buf);
+    }
+    *ret_w = w;
+    return n;
+}
+
+static void
+generate_requests (const char *filename, unsigned nreq)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_creds cred;
+    int i;
+    char **words;
+    unsigned nwords;
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    nwords = read_words (filename, &words);
+
+    for (i = 0; i < nreq; ++i) {
+	char *name = words[rand() % nwords];
+	krb5_realm *client_realm;
+
+	memset(&cred, 0, sizeof(cred));
+
+	ret = krb5_parse_name (context, name, &cred.client);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name %s", name);
+	client_realm = krb5_princ_realm (context, cred.client);
+
+	ret = krb5_make_principal(context, &cred.server, *client_realm,
+				  KRB5_TGS_NAME, *client_realm, NULL);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_make_principal");
+
+	ret = krb5_get_in_cred (context, 0, NULL, NULL, NULL, NULL,
+				null_key_proc, NULL, NULL, NULL,
+				&cred, NULL);
+	krb5_free_creds_contents (context, &cred);
+    }
+}
+
+static int version_flag	= 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "file number");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    int nreq;
+    char *end;
+
+    setprogname(argv[0]);
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 2)
+	usage (1);
+    srand (0);
+    nreq = strtol (argv[1], &end, 0);
+    if (argv[1] == end || *end != '\0')
+	usage (1);
+    generate_requests (argv[0], nreq);
+    return 0;
+}
diff --git a/crypto/heimdal/kuser/kauth_options.c b/crypto/heimdal/kuser/kauth_options.c
new file mode 100644
index 0000000..c432d32
--- /dev/null
+++ b/crypto/heimdal/kuser/kauth_options.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+RCSID("$Id: kauth_options.c,v 1.2 1999/12/02 17:05:00 joda Exp $");
+
+#ifdef KRB4
+int do_afslog		= 1;
+int get_v4_tgt		= 1;
+#endif
diff --git a/crypto/heimdal/kuser/kdecode_ticket.c b/crypto/heimdal/kuser/kdecode_ticket.c
new file mode 100644
index 0000000..74ca5af
--- /dev/null
+++ b/crypto/heimdal/kuser/kdecode_ticket.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+
+RCSID("$Id: kdecode_ticket.c,v 1.5 2001/02/20 01:44:51 assar Exp $");
+
+static char *etype_str;
+static int version_flag;
+static int help_flag;
+
+static void
+print_and_decode_tkt (krb5_context context,
+		      krb5_data *ticket,
+		      krb5_principal server,
+		      krb5_enctype enctype)
+{
+    krb5_error_code ret;
+    krb5_crypto crypto;
+    krb5_data dec_data;
+    size_t len;
+    EncTicketPart decr_part;
+    krb5_keyblock key;
+    Ticket tkt;
+
+    ret = decode_Ticket (ticket->data, ticket->length, &tkt, &len);
+    if (ret)
+	krb5_err (context, 1, ret, "decode_Ticket");
+
+    ret = krb5_string_to_key (context, enctype, "foo", server, &key);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_string_to_key");
+
+    ret = krb5_crypto_init(context, &key, 0, &crypto);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_crypto_init");
+
+    ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TICKET,
+				      &tkt.enc_part, &dec_data);
+    krb5_crypto_destroy (context, crypto);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_decrypt_EncryptedData");
+    ret = krb5_decode_EncTicketPart (context, dec_data.data, dec_data.length,
+				     &decr_part, &len);
+    krb5_data_free (&dec_data);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_decode_EncTicketPart");
+}
+
+struct getargs args[] = {
+    { "enctype",	'e', arg_string, &etype_str,
+      "encryption type to use", "enctype"},
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "service");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache cache;
+    krb5_creds in, *out;
+    int optind = 0;
+
+    setprogname (argv[0]);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx(1, "krb5_init_context failed: %d", ret);
+  
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 1)
+	usage (1);
+
+    ret = krb5_cc_default(context, &cache);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_default");
+
+    memset(&in, 0, sizeof(in));
+
+    if (etype_str) {
+	krb5_enctype enctype;
+
+	ret = krb5_string_to_enctype(context, etype_str, &enctype);
+	if (ret)
+	    krb5_errx (context, 1, "unrecognized enctype: %s", etype_str);
+	in.session.keytype = enctype;
+    }
+
+    ret = krb5_cc_get_principal(context, cache, &in.client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_get_principal");
+
+    ret = krb5_parse_name(context, argv[0], &in.server);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
+
+    in.times.endtime = 0;
+    ret = krb5_get_credentials(context, 0, cache, &in, &out);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_credentials");
+
+    print_and_decode_tkt (context, &out->ticket, out->server,
+			  out->session.keytype);
+
+    krb5_free_creds_contents(context, out);
+    return 0;
+}
diff --git a/crypto/heimdal/kuser/kdestroy.1 b/crypto/heimdal/kuser/kdestroy.1
new file mode 100644
index 0000000..8d8b430
--- /dev/null
+++ b/crypto/heimdal/kuser/kdestroy.1
@@ -0,0 +1,33 @@
+.\" $Id: kdestroy.1,v 1.3 2001/05/02 08:59:22 assar Exp $
+.\"
+.Dd August 27, 1997
+.Dt KDESTROY 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kdestroy
+.Nd destroy the current ticket file
+.Sh SYNOPSIS
+.Nm
+.Op Fl c Ar cachefile
+.Op Fl -cache= Ns Ar cachefile
+.Op Fl -no-unlog
+.Op Fl -no-delete-v4
+.Op Fl -version
+.Op Fl -help
+.Sh DESCRIPTION
+.Nm
+remove the current set of tickets.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Fl c Ar cachefile
+.It Fl cache= Ns Ar cachefile
+The cache file to remove.
+.It Fl -no-unlog
+Do not remove AFS tokens.
+.It Fl -no-delete-v4
+Do not remove v4 tickets.
+.El
+.Sh SEE ALSO
+.Xr kinit 1 ,
+.Xr klist 1
diff --git a/crypto/heimdal/kuser/kdestroy.c b/crypto/heimdal/kuser/kdestroy.c
new file mode 100644
index 0000000..a1a5c0d
--- /dev/null
+++ b/crypto/heimdal/kuser/kdestroy.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+RCSID("$Id: kdestroy.c,v 1.13 2001/02/20 01:44:51 assar Exp $");
+
+static const char *cache;
+static int help_flag;
+static int version_flag;
+static int unlog_flag = 1;
+static int dest_tkt_flag = 1;
+
+struct getargs args[] = {
+    { "cache",		'c', arg_string, &cache, "cache to destroy", "cache" },
+    { "unlog",		0,   arg_negative_flag, &unlog_flag,
+      "do not destroy tokens", NULL },
+    { "delete-v4",	0,   arg_negative_flag, &dest_tkt_flag,
+      "do not destroy v4 tickets", NULL },
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		'h', arg_flag, &help_flag, NULL, NULL}
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage (int status)
+{
+    arg_printusage (args, num_args, NULL, "");
+    exit (status);
+}
+
+int
+main (int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache  ccache;
+    int optind = 0;
+    int exit_val = 0;
+
+    setprogname (argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+  
+    if (help_flag)
+	usage (0);
+  
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+  
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0)
+	usage (1);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+  
+    if(cache == NULL)
+	cache = krb5_cc_default_name(context);
+
+    ret =  krb5_cc_resolve(context, 
+			   cache, 
+			   &ccache);
+
+    if (ret == 0) {
+	ret = krb5_cc_destroy (context, ccache);
+	if (ret) {
+	    warnx ("krb5_cc_destroy: %s", krb5_get_err_text(context, ret));
+	    exit_val = 1;
+	}
+    } else {
+	warnx ("krb5_cc_resolve(%s): %s", cache,
+	       krb5_get_err_text(context, ret));
+	exit_val = 1;
+    }
+
+    krb5_free_context (context);
+
+#if KRB4
+    if(dest_tkt_flag && dest_tkt ())
+	exit_val = 1;
+    if (unlog_flag && k_hasafs ()) {
+	if (k_unlog ())
+	    exit_val = 1;
+    }
+#endif
+
+    return exit_val;
+}
diff --git a/crypto/heimdal/kuser/kdestroy.cat1 b/crypto/heimdal/kuser/kdestroy.cat1
new file mode 100644
index 0000000..0949f96
--- /dev/null
+++ b/crypto/heimdal/kuser/kdestroy.cat1
@@ -0,0 +1,30 @@
+
+KDESTROY(1)                  UNIX Reference Manual                 KDESTROY(1)
+
+NNAAMMEE
+     kkddeessttrrooyy - destroy the current ticket file
+
+SSYYNNOOPPSSIISS
+     kkddeessttrrooyy [--cc _c_a_c_h_e_f_i_l_e] [----ccaacchhee==_c_a_c_h_e_f_i_l_e] [----nnoo--uunnlloogg] [----nnoo--ddeelleettee--vv44]
+     [----vveerrssiioonn] [----hheellpp]
+
+DDEESSCCRRIIPPTTIIOONN
+     kkddeessttrrooyy remove the current set of tickets.
+
+     Supported options:
+
+     --cc _c_a_c_h_e_f_i_l_e
+
+     --ccaacchhee==_c_a_c_h_e_f_i_l_e
+             The cache file to remove.
+
+     ----nnoo--uunnlloogg
+             Do not remove AFS tokens.
+
+     ----nnoo--ddeelleettee--vv44
+             Do not remove v4 tickets.
+
+SSEEEE AALLSSOO
+     kinit(1),  klist(1)
+
+ HEIMDAL                        August 27, 1997                              1
diff --git a/crypto/heimdal/kuser/kgetcred.1 b/crypto/heimdal/kuser/kgetcred.1
new file mode 100644
index 0000000..c7235f3
--- /dev/null
+++ b/crypto/heimdal/kuser/kgetcred.1
@@ -0,0 +1,41 @@
+.\" $Id: kgetcred.1,v 1.4 2001/06/08 21:40:40 joda Exp $
+.\"
+.Dd May 14, 1999
+.Dt KGETCRED 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kgetcred
+.Nd "get a ticket for a particular service"
+.Sh SYNOPSIS
+.Nm
+.Oo Fl e Ar enctype \*(Ba Xo
+.Fl -enctype= Ns Ar enctype
+.Xc
+.Oc
+.Op Fl -version
+.Op Fl -help
+.Ar service
+.Sh DESCRIPTION
+.Nm
+obtains a ticket for a service.
+Usually tickets for services are obtained automatically when needed
+but sometimes for some odd reason you want to obtain a particular
+ticket or of a special type.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl e Ar enctype Ns ,
+.Fl -enctype= Ns Ar enctype
+.Xc
+encryption type to use
+.It Xo
+.Fl -version
+.Xc
+.It Xo
+.Fl -help
+.Xc
+.El
+.Sh SEE ALSO
+.Xr kinit 1 ,
+.Xr klist 1
diff --git a/crypto/heimdal/kuser/kgetcred.c b/crypto/heimdal/kuser/kgetcred.c
new file mode 100644
index 0000000..6707455
--- /dev/null
+++ b/crypto/heimdal/kuser/kgetcred.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+
+RCSID("$Id: kgetcred.c,v 1.5 2001/02/20 01:44:51 assar Exp $");
+
+static char *etype_str;
+static int version_flag;
+static int help_flag;
+
+struct getargs args[] = {
+    { "enctype",	'e', arg_string, &etype_str,
+      "encryption type to use", "enctype"},
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "service");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache cache;
+    krb5_creds in, *out;
+    int optind = 0;
+
+    setprogname (argv[0]);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx(1, "krb5_init_context failed: %d", ret);
+  
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 1)
+	usage (1);
+
+    ret = krb5_cc_default(context, &cache);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_default");
+
+    memset(&in, 0, sizeof(in));
+
+    if (etype_str) {
+	krb5_enctype enctype;
+
+	ret = krb5_string_to_enctype(context, etype_str, &enctype);
+	if (ret)
+	    krb5_errx (context, 1, "unrecognized enctype: %s", etype_str);
+	in.session.keytype = enctype;
+    }
+
+    ret = krb5_cc_get_principal(context, cache, &in.client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_get_principal");
+
+    ret = krb5_parse_name(context, argv[0], &in.server);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
+
+    in.times.endtime = 0;
+    ret = krb5_get_credentials(context, 0, cache, &in, &out);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_credentials");
+
+    krb5_free_creds_contents(context, out);
+    return 0;
+}
diff --git a/crypto/heimdal/kuser/kgetcred.cat1 b/crypto/heimdal/kuser/kgetcred.cat1
new file mode 100644
index 0000000..63a6c98
--- /dev/null
+++ b/crypto/heimdal/kuser/kgetcred.cat1
@@ -0,0 +1,27 @@
+
+KGETCRED(1)                  UNIX Reference Manual                 KGETCRED(1)
+
+NNAAMMEE
+     kkggeettccrreedd - get a ticket for a particular service
+
+SSYYNNOOPPSSIISS
+     kkggeettccrreedd [--ee _e_n_c_t_y_p_e | ----eennccttyyppee==_e_n_c_t_y_p_e] [----vveerrssiioonn] [----hheellpp] _s_e_r_v_i_c_e
+
+DDEESSCCRRIIPPTTIIOONN
+     kkggeettccrreedd obtains a ticket for a service.  Usually tickets for services
+     are obtained automatically when needed but sometimes for some odd reason
+     you want to obtain a particular ticket or of a special type.
+
+     Supported options:
+
+     --ee _e_n_c_t_y_p_e, ----eennccttyyppee==_e_n_c_t_y_p_e
+             encryption type to use
+
+     ----vveerrssiioonn
+
+     ----hheellpp
+
+SSEEEE AALLSSOO
+     kinit(1),  klist(1)
+
+ HEIMDAL                         May 14, 1999                                1
diff --git a/crypto/heimdal/kuser/kinit.1 b/crypto/heimdal/kuser/kinit.1
new file mode 100644
index 0000000..8c2fc81
--- /dev/null
+++ b/crypto/heimdal/kuser/kinit.1
@@ -0,0 +1,224 @@
+.\" $Id: kinit.1,v 1.11 2001/06/08 21:35:32 joda Exp $
+.\"
+.Dd May 29, 1998
+.Dt KINIT 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kinit ,
+.Nm kauth
+.Nd acquire initial tickets
+.Sh SYNOPSIS
+.Nm kinit
+.Op Fl 4 | Fl -524init
+.Op Fl -afslog
+.Oo Fl c Ar cachename \*(Ba Xo
+.Fl -cache= Ns Ar cachename
+.Xc
+.Oc
+.Op Fl f | Fl -forwardable
+.Oo Fl t Ar keytabname \*(Ba Xo
+.Fl -keytab= Ns Ar keytabname
+.Xc
+.Oc
+.Oo Fl l Ar time \*(Ba Xo
+.Fl -lifetime= Ns Ar time
+.Xc
+.Oc
+.Op Fl p | Fl -proxiable
+.Op Fl R | Fl -renew
+.Op Fl -renewable
+.Oo Fl r Ar time \*(Ba Xo
+.Fl -renewable-life= Ns Ar time
+.Xc
+.Oc
+.Oo Fl S Ar principal \*(Ba Xo
+.Fl -server= Ns Ar principal
+.Xc
+.Oc
+.Oo Fl s Ar time \*(Ba Xo
+.Fl -start-time= Ns Ar time
+.Xc
+.Oc
+.Op Fl k | Fl -use-keytab
+.Op Fl v | Fl -validate
+.Oo Fl e Ar enctype \*(Ba Xo
+.Fl -enctypes= Ns Ar enctype
+.Xc
+.Oc
+.Op Fl -fcache-version= Ns Ar integer
+.Op Fl -no-addresses
+.Op Fl -anonymous
+.Op Fl -version
+.Op Fl -help
+.Op Ar principal Op Ar command
+.Sh DESCRIPTION
+.Nm
+is used to authenticate to the kerberos server as
+.Ar principal ,
+or if none is given, a system generated default (typically your login
+name at the default realm), and acquire a ticket granting ticket that
+can later be used to obtain tickets for other services.
+.Pp
+If you have compiled kinit with Kerberos 4 support and you have a
+Kerberos 4 server,
+.Nm
+will detect this and get you Kerberos 4 tickets.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar cachename
+.Fl -cache= Ns Ar cachename
+.Xc
+The credentials cache to put the acquired ticket in, if other than
+default.
+.It Xo
+.Fl f Ns ,
+.Fl -forwardable
+.Xc
+Get ticket that can be forwarded to another host.
+.It Xo
+.Fl t Ar keytabname Ns ,
+.Fl -keytab= Ns Ar keytabname
+.Xc
+Don't ask for a password, but instead get the key from the specified
+keytab.
+.It Xo 
+.Fl l Ar time Ns , 
+.Fl -lifetime= Ns Ar time
+.Xc
+Specifies the lifetime of the ticket. The argument can either be in
+seconds, or a more human readable string like
+.Sq 1h .
+.It Xo
+.Fl p Ns ,
+.Fl -proxiable
+.Xc
+Request tickets with the proxiable flag set.
+.It Xo
+.Fl R Ns ,
+.Fl -renew
+.Xc
+Try to renew ticket. The ticket must have the
+.Sq renewable
+flag set, and must not be expired.
+.It Fl -renewable
+The same as
+.Fl -renewable-life ,
+with an infinite time.
+.It Xo
+.Fl r Ar time Ns ,
+.Fl -renewable-life= Ns Ar time
+.Xc
+The max renewable ticket life.
+.It Xo
+.Fl S Ar principal Ns ,
+.Fl -server= Ns Ar principal
+.Xc
+Get a ticket for a service other than krbtgt/LOCAL.REALM.
+.It Xo
+.Fl s Ar time Ns ,
+.Fl -start-time= Ns Ar time
+.Xc
+Obtain a ticket that starts to be valid
+.Ar time
+(which can really be a generic time specification, like
+.Sq 1h )
+seconds into the future.
+.It Xo
+.Fl k Ns ,
+.Fl -use-keytab
+.Xc
+The same as
+.Fl -keytab ,
+but with the default keytab name (normally
+.Ar FILE:/etc/krb5.keytab ) .
+.It Xo
+.Fl v Ns ,
+.Fl -validate
+.Xc
+Try to validate an invalid ticket.
+.It Xo
+.Fl e ,
+.Fl -enctypes= Ns Ar enctypes
+.Xc
+Request tickets with this particular enctype.
+.It Xo
+.Fl -fcache-version= Ns Ar version
+.Xc
+Create a credentials cache of version
+.Nm version .
+.It Xo
+.Fl -no-addresses
+.Xc
+Request a ticket with no addresses.
+.It Xo
+.Fl -anonymous
+.Xc
+Request an anonymous ticket (which means that the ticket will be
+issued to an anonymous principal, typically 
+.Dq anonymous@REALM).
+.El
+.Pp
+The following options are only available if
+.Nm 
+has been compiled with support for Kerberos 4. The 
+.Nm kauth
+program is identical to
+.Nm kinit ,
+but has these options enabled by
+default.
+.Bl -tag -width Ds
+.It Xo
+.Fl 4 Ns ,
+.Fl -524init
+.Xc
+Try to convert the obtained Kerberos 5 krbtgt to a version 4 compatible
+ticket. It will store this ticket in the default Kerberos 4 ticket
+file.
+.It Fl -afslog
+Gets AFS tickets, converts them to version 4 format, and stores them
+in the kernel. Only useful if you have AFS.
+.El
+.Pp
+The 
+.Ar forwardable ,
+.Ar proxiable ,
+.Ar ticket_life ,
+and
+.Ar renewable_life 
+options can be set to a default value from the
+.Dv appdefaults
+section in krb5.conf, see
+.Xr krb5_appdefault 3 .
+.Pp
+If  a
+.Ar command
+is given, 
+.Nm kinit
+will setup new credentials caches, and AFS PAG, and then run the given
+command. When it finishes the credentials will be removed.
+.Sh ENVIRONMENT
+.Bl -tag -width Ds
+.It Ev KRB5CCNAME
+Specifies the default cache file.
+.It Ev KRB5_CONFIG
+The directory where the
+.Pa krb5.conf
+can be found, default is 
+.Pa /etc .
+.It Ev KRBTKFILE
+Specifies the Kerberos 4 ticket file to store version 4 tickets in.
+.El
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kdestroy 1 ,
+.Xr klist 1 ,
+.Xr krb5.conf 5 ,
+.Xr krb5_appdefault 3
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/crypto/heimdal/kuser/kinit.c b/crypto/heimdal/kuser/kinit.c
new file mode 100644
index 0000000..560e0e2
--- /dev/null
+++ b/crypto/heimdal/kuser/kinit.c
@@ -0,0 +1,605 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+RCSID("$Id: kinit.c,v 1.75 2001/05/07 21:08:15 assar Exp $");
+
+#ifdef KRB4
+/* for when the KDC tells us it's a v4 one, we try to talk that */
+
+static int
+key_to_key(const char *user,
+	   char *instance,
+	   const char *realm,
+	   const void *arg,
+	   des_cblock *key)
+{
+    memcpy(key, arg, sizeof(des_cblock));
+    return 0;
+}
+
+static int
+do_v4_fallback (krb5_context context,
+		const krb5_principal principal,
+		int lifetime,
+		int use_srvtab, const char *srvtab_str,
+		char *passwd, size_t passwd_size)
+{
+    int ret;
+    krb_principal princ;
+    des_cblock key;
+    krb5_error_code kret;
+
+    if (lifetime == 0)
+	lifetime = DEFAULT_TKT_LIFE;
+    else
+	lifetime = krb_time_to_life (0, lifetime);
+
+    kret = krb5_524_conv_principal (context, principal,
+				    princ.name,
+				    princ.instance,
+				    princ.realm);
+    if (kret) {
+	krb5_warn (context, kret, "krb5_524_conv_principal");
+	return 1;
+    }
+
+    if (use_srvtab || srvtab_str) {
+	if (srvtab_str == NULL)
+	    srvtab_str = KEYFILE;
+
+	ret = read_service_key (princ.name, princ.instance, princ.realm,
+				0, srvtab_str, (char *)&key);
+	if (ret) {
+	    warnx ("read_service_key %s: %s", srvtab_str,
+		   krb_get_err_text (ret));
+	    return 1;
+	}
+	ret = krb_get_in_tkt (princ.name, princ.instance, princ.realm,
+			      KRB_TICKET_GRANTING_TICKET, princ.realm,
+			      lifetime, key_to_key, NULL, key);
+    } else {
+	ret = krb_get_pw_in_tkt2(princ.name, princ.instance, princ.realm, 
+				 KRB_TICKET_GRANTING_TICKET, princ.realm, 
+				 lifetime, passwd, &key);
+    }
+    memset (passwd, 0, passwd_size);
+    memset (key, 0, sizeof(key));
+    if (ret) {
+	warnx ("%s", krb_get_err_text(ret));
+	return 1;
+    }
+    if (k_hasafs()) {
+	if ((ret = krb_afslog(NULL, NULL)) != 0 && ret != KDC_PR_UNKNOWN) {
+	    if(ret > 0)
+		warnx ("%s", krb_get_err_text(ret));
+	    else
+		warnx ("failed to store AFS token");
+	}
+    }
+    return 0;
+}
+
+
+/*
+ * the special version of get_default_principal that takes v4 into account
+ */
+
+static krb5_error_code
+kinit_get_default_principal (krb5_context context,
+			     krb5_principal *princ)
+{
+    krb5_error_code ret;
+    krb5_ccache id;
+    krb_principal v4_princ;
+    int kret;
+
+    ret = krb5_cc_default (context, &id);
+    if (ret == 0) {
+	ret = krb5_cc_get_principal (context, id, princ);
+	krb5_cc_close (context, id);
+	if (ret == 0)
+	    return 0;
+    }
+
+    kret = krb_get_tf_fullname (tkt_string(),
+				v4_princ.name,
+				v4_princ.instance,
+				v4_princ.realm);
+    if (kret == KSUCCESS) {
+	ret = krb5_425_conv_principal (context,
+				       v4_princ.name,
+				       v4_princ.instance,
+				       v4_princ.realm,
+				       princ);
+	if (ret == 0)
+	    return 0;
+    }
+    return krb5_get_default_principal (context, princ);
+}
+
+#else /* !KRB4 */
+
+static krb5_error_code
+kinit_get_default_principal (krb5_context context,
+			     krb5_principal *princ)
+{
+    return krb5_get_default_principal (context, princ);
+}
+
+#endif /* !KRB4 */
+
+int forwardable_flag	= -1;
+int proxiable_flag	= -1;
+int renewable_flag	= -1;
+int renew_flag		= 0;
+int validate_flag	= 0;
+int version_flag	= 0;
+int help_flag		= 0;
+int addrs_flag		= 1;
+int anonymous_flag	= 0;
+char *lifetime 		= NULL;
+char *renew_life	= NULL;
+char *server		= NULL;
+char *cred_cache	= NULL;
+char *start_str		= NULL;
+struct getarg_strings etype_str;
+int use_keytab		= 0;
+char *keytab_str	= NULL;
+#ifdef KRB4
+extern int do_afslog;
+extern int get_v4_tgt;
+#endif
+int fcache_version;
+
+static struct getargs args[] = {
+#ifdef KRB4
+    { "524init", 	'4', arg_flag, &get_v4_tgt,
+      "obtain version 4 TGT" },
+    
+    { "afslog", 	0  , arg_flag, &do_afslog,
+      "obtain afs tokens"  },
+#endif
+    { "cache", 		'c', arg_string, &cred_cache,
+      "credentials cache", "cachename" },
+
+    { "forwardable",	'f', arg_flag, &forwardable_flag,
+      "get forwardable tickets"},
+
+    { "keytab",         't', arg_string, &keytab_str,
+      "keytab to use", "keytabname" },
+
+    { "lifetime",	'l', arg_string, &lifetime,
+      "lifetime of tickets", "time"},
+
+    { "proxiable",	'p', arg_flag, &proxiable_flag,
+      "get proxiable tickets" },
+
+    { "renew",          'R', arg_flag, &renew_flag,
+      "renew TGT" },
+
+    { "renewable",	0,   arg_flag, &renewable_flag,
+      "get renewable tickets" },
+
+    { "renewable-life",	'r', arg_string, &renew_life,
+      "renewable lifetime of tickets", "time" },
+
+    { "server", 	'S', arg_string, &server,
+      "server to get ticket for", "principal" },
+
+    { "start-time",	's', arg_string, &start_str,
+      "when ticket gets valid", "time" },
+
+    { "use-keytab",     'k', arg_flag, &use_keytab,
+      "get key from keytab" },
+
+    { "validate",	'v', arg_flag, &validate_flag,
+      "validate TGT" },
+
+    { "enctypes",	'e', arg_strings, &etype_str,
+      "encryption types to use", "enctypes" },
+
+    { "fcache-version", 0,   arg_integer, &fcache_version,
+      "file cache version to create" },
+
+    { "addresses",	0,   arg_negative_flag,	&addrs_flag,
+      "request a ticket with no addresses" },
+
+    { "anonymous",	0,   arg_flag,	&anonymous_flag,
+      "request an anonymous ticket" },
+
+    { "version", 	0,   arg_flag, &version_flag },
+    { "help",		0,   arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "[principal [command]]");
+    exit (ret);
+}
+
+static int
+renew_validate(krb5_context context, 
+	       int renew,
+	       int validate,
+	       krb5_ccache cache, 
+	       const char *server,
+	       krb5_deltat life)
+{
+    krb5_error_code ret;
+    krb5_creds in, *out;
+    krb5_kdc_flags flags;
+
+    memset(&in, 0, sizeof(in));
+
+    ret = krb5_cc_get_principal(context, cache, &in.client);
+    if(ret) {
+	krb5_warn(context, ret, "krb5_cc_get_principal");
+	return ret;
+    }
+    if(server) {
+	ret = krb5_parse_name(context, server, &in.server);
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_parse_name");
+	    goto out;
+	}
+    } else {
+	krb5_realm *client_realm = krb5_princ_realm (context, in.client);
+
+	ret = krb5_make_principal(context, &in.server, *client_realm,
+				  KRB5_TGS_NAME, *client_realm, NULL);
+	if(ret) {
+	    krb5_warn(context, ret, "krb5_make_principal");
+	    goto out;
+	}
+    }
+    flags.i = 0;
+    flags.b.renewable         = flags.b.renew = renew;
+    flags.b.validate          = validate;
+    if (forwardable_flag != -1)
+	flags.b.forwardable       = forwardable_flag;
+    if (proxiable_flag != -1)
+	flags.b.proxiable         = proxiable_flag;
+    if (anonymous_flag != -1)
+	flags.b.request_anonymous = anonymous_flag;
+    if(life)
+	in.times.endtime = time(NULL) + life;
+
+    ret = krb5_get_kdc_cred(context,
+			    cache,
+			    flags,
+			    NULL,
+			    NULL,
+			    &in,
+			    &out);
+    if(ret) {
+	krb5_warn(context, ret, "krb5_get_kdc_cred");
+	goto out;
+    }
+    ret = krb5_cc_initialize(context, cache, in.client);
+    if(ret) {
+	krb5_free_creds (context, out);
+	krb5_warn(context, ret, "krb5_cc_initialize");
+	goto out;
+    }
+    ret = krb5_cc_store_cred(context, cache, out);
+    krb5_free_creds (context, out);
+    if(ret) {
+	krb5_warn(context, ret, "krb5_cc_store_cred");
+	goto out;
+    }
+out:
+    krb5_free_creds_contents(context, &in);
+    return ret;
+}
+
+int
+main (int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache  ccache;
+    krb5_principal principal;
+    krb5_creds cred;
+    int optind = 0;
+    krb5_get_init_creds_opt opt;
+    krb5_deltat start_time = 0;
+    krb5_deltat ticket_life = 0;
+    krb5_addresses no_addrs;
+    char passwd[256];
+
+    setprogname (argv[0]);
+    memset(&cred, 0, sizeof(cred));
+    
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx(1, "krb5_init_context failed: %d", ret);
+  
+    /* XXX no way to figure out if set without explict test */
+    if(krb5_config_get_string(context, NULL, "libdefaults", 
+			      "forwardable", NULL))
+	forwardable_flag = krb5_config_get_bool (context, NULL,
+						 "libdefaults",
+						 "forwardable",
+						 NULL);
+
+#ifdef KRB4
+    get_v4_tgt = krb5_config_get_bool_default (context, NULL,
+					       get_v4_tgt,
+					       "libdefaults",
+					       "krb4_get_tickets",
+					       NULL);
+#endif
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argv[0]) {
+	ret = krb5_parse_name (context, argv[0], &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name");
+    } else {
+	ret = kinit_get_default_principal (context, &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_get_default_principal");
+    }
+
+    if(fcache_version)
+	krb5_set_fcache_version(context, fcache_version);
+
+    if(cred_cache) 
+	ret = krb5_cc_resolve(context, cred_cache, &ccache);
+    else {
+	if(argc > 1) {
+	    char s[1024];
+	    ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache);
+	    if(ret)
+		krb5_err(context, 1, ret, "creating cred cache");
+	    snprintf(s, sizeof(s), "%s:%s",
+		     krb5_cc_get_type(context, ccache),
+		     krb5_cc_get_name(context, ccache));
+	    setenv("KRB5CCNAME", s, 1);
+#ifdef KRB4
+	    snprintf(s, sizeof(s), "%s_XXXXXX", TKT_ROOT);
+	    close(mkstemp(s));
+	    setenv("KRBTKFILE", s, 1);
+	    if (k_hasafs ())
+		k_setpag();
+#endif
+	} else
+	    ret = krb5_cc_default (context, &ccache);
+    }
+    if (ret)
+	krb5_err (context, 1, ret, "resolving credentials cache");
+
+    if (lifetime) {
+	int tmp = parse_time (lifetime, "s");
+	if (tmp < 0)
+	    errx (1, "unparsable time: %s", lifetime);
+
+	ticket_life = tmp;
+    }
+    if(renew_flag || validate_flag) {
+	ret = renew_validate(context, renew_flag, validate_flag, 
+			     ccache, server, ticket_life);
+	exit(ret != 0);
+    }
+
+    krb5_get_init_creds_opt_init (&opt);
+    
+    krb5_get_init_creds_opt_set_default_flags(context, "kinit", 
+					      /* XXX */principal->realm, &opt);
+
+    if(forwardable_flag != -1)
+	krb5_get_init_creds_opt_set_forwardable (&opt, forwardable_flag);
+    if(proxiable_flag != -1)
+	krb5_get_init_creds_opt_set_proxiable (&opt, proxiable_flag);
+    if(anonymous_flag != -1)
+	krb5_get_init_creds_opt_set_anonymous (&opt, anonymous_flag);
+
+    if (!addrs_flag) {
+	no_addrs.len = 0;
+	no_addrs.val = NULL;
+
+	krb5_get_init_creds_opt_set_address_list (&opt, &no_addrs);
+    }
+
+    if(renew_life) {
+	int tmp = parse_time (renew_life, "s");
+	if (tmp < 0)
+	    errx (1, "unparsable time: %s", renew_life);
+
+	krb5_get_init_creds_opt_set_renew_life (&opt, tmp);
+    } else if (renewable_flag == 1)
+	krb5_get_init_creds_opt_set_renew_life (&opt, 1 << 30);
+
+    if(ticket_life != 0)
+	krb5_get_init_creds_opt_set_tkt_life (&opt, ticket_life);
+
+    if(start_str) {
+	int tmp = parse_time (start_str, "s");
+	if (tmp < 0)
+	    errx (1, "unparsable time: %s", start_str);
+
+	start_time = tmp;
+    }
+
+    if(etype_str.num_strings) {
+	krb5_enctype *enctype = NULL;
+	int i;
+	enctype = malloc(etype_str.num_strings * sizeof(*enctype));
+	if(enctype == NULL)
+	    errx(1, "out of memory");
+	for(i = 0; i < etype_str.num_strings; i++) {
+	    ret = krb5_string_to_enctype(context, 
+					 etype_str.strings[i], 
+					 &enctype[i]);
+	    if(ret)
+		errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
+	}
+	krb5_get_init_creds_opt_set_etype_list(&opt, enctype, 
+					       etype_str.num_strings);
+    }
+
+#ifdef KRB4
+    get_v4_tgt = krb5_config_get_bool_default (context,
+					       NULL,
+					       get_v4_tgt,
+					       "realms",
+					       krb5_princ_realm(context,
+								principal),
+					       "krb4_get_tickets",
+					       NULL);
+#endif
+
+    if(use_keytab || keytab_str) {
+	krb5_keytab kt;
+	if(keytab_str)
+	    ret = krb5_kt_resolve(context, keytab_str, &kt);
+	else
+	    ret = krb5_kt_default(context, &kt);
+	if (ret)
+	    krb5_err (context, 1, ret, "resolving keytab");
+	ret = krb5_get_init_creds_keytab (context,
+					  &cred,
+					  principal,
+					  kt,
+					  start_time,
+					  server,
+					  &opt);
+	krb5_kt_close(context, kt);
+    } else {
+	char *p, *prompt;
+
+	krb5_unparse_name (context, principal, &p);
+	asprintf (&prompt, "%s's Password: ", p);
+	free (p);
+
+	if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
+	    memset(passwd, 0, sizeof(passwd));
+	    exit(1);
+	}
+
+	free (prompt);
+
+	ret = krb5_get_init_creds_password (context,
+					    &cred,
+					    principal,
+					    passwd,
+					    krb5_prompter_posix,
+					    NULL,
+					    start_time,
+					    server,
+					    &opt);
+    }
+#ifdef KRB4
+    if (ret == KRB5KRB_AP_ERR_V4_REPLY || ret == KRB5_KDC_UNREACH) {
+	int exit_val;
+
+	exit_val = do_v4_fallback (context, principal, ticket_life,
+				   use_keytab, keytab_str,
+				   passwd, sizeof(passwd));
+	memset(passwd, 0, sizeof(passwd));
+	if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY) {
+	    krb5_free_context (context);
+	    return exit_val;
+	}
+    }
+#endif
+    memset(passwd, 0, sizeof(passwd));
+
+    switch(ret){
+    case 0:
+	break;
+    case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
+	memset(passwd, 0, sizeof(passwd));
+	exit(1);
+    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+    case KRB5KRB_AP_ERR_MODIFIED:
+	memset(passwd, 0, sizeof(passwd));
+	krb5_errx(context, 1, "Password incorrect");
+	break;
+    default:
+	krb5_err(context, 1, ret, "krb5_get_init_creds");
+    }
+
+    ret = krb5_cc_initialize (context, ccache, cred.client);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_initialize");
+    
+    ret = krb5_cc_store_cred (context, ccache, &cred);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_store_cred");
+
+#ifdef KRB4
+    if(get_v4_tgt) {
+	CREDENTIALS c;
+	ret = krb524_convert_creds_kdc(context, ccache, &cred, &c);
+	if(ret)
+	    krb5_warn(context, ret, "converting creds");
+	else
+	    tf_setup(&c, c.pname, c.pinst);
+	memset(&c, 0, sizeof(c));
+    }
+    if(do_afslog && k_hasafs())
+	krb5_afslog(context, ccache, NULL, NULL);
+    krb5_free_creds_contents (context, &cred);
+#endif
+    if(argc > 1) {
+	simple_execvp(argv[1], argv+1);
+	krb5_cc_destroy(context, ccache);
+#ifdef KRB4
+	dest_tkt();
+	if(k_hasafs())
+	    k_unlog();
+#endif
+    } else 
+	krb5_cc_close (context, ccache);
+    krb5_free_context (context);
+    return 0;
+}
diff --git a/crypto/heimdal/kuser/kinit.cat1 b/crypto/heimdal/kuser/kinit.cat1
new file mode 100644
index 0000000..3507385
--- /dev/null
+++ b/crypto/heimdal/kuser/kinit.cat1
@@ -0,0 +1,119 @@
+
+KINIT(1)                     UNIX Reference Manual                    KINIT(1)
+
+NNAAMMEE
+     kkiinniitt, kkaauutthh - acquire initial tickets
+
+SSYYNNOOPPSSIISS
+     kkiinniitt [--44 | ----552244iinniitt] [----aaffsslloogg] [--cc _c_a_c_h_e_n_a_m_e | ----ccaacchhee==_c_a_c_h_e_n_a_m_e] [--ff
+           | ----ffoorrwwaarrddaabbllee] [--tt _k_e_y_t_a_b_n_a_m_e | ----kkeeyyttaabb==_k_e_y_t_a_b_n_a_m_e] [--ll _t_i_m_e |
+           ----lliiffeettiimmee==_t_i_m_e] [--pp | ----pprrooxxiiaabbllee] [--RR | ----rreenneeww] [----rreenneewwaabbllee]
+           [--rr _t_i_m_e | ----rreenneewwaabbllee--lliiffee==_t_i_m_e] [--SS _p_r_i_n_c_i_p_a_l |
+           ----sseerrvveerr==_p_r_i_n_c_i_p_a_l] [--ss _t_i_m_e | ----ssttaarrtt--ttiimmee==_t_i_m_e] [--kk |
+           ----uussee--kkeeyyttaabb] [--vv | ----vvaalliiddaattee] [--ee _e_n_c_t_y_p_e | ----eennccttyyppeess==_e_n_c_t_y_p_e]
+           [----ffccaacchhee--vveerrssiioonn==_i_n_t_e_g_e_r] [----nnoo--aaddddrreesssseess] [----aannoonnyymmoouuss]
+           [----vveerrssiioonn] [----hheellpp] [_p_r_i_n_c_i_p_a_l [_c_o_m_m_a_n_d]]
+
+DDEESSCCRRIIPPTTIIOONN
+     kkiinniitt is used to authenticate to the kerberos server as _p_r_i_n_c_i_p_a_l, or if
+     none is given, a system generated default (typically your login name at
+     the default realm), and acquire a ticket granting ticket that can later
+     be used to obtain tickets for other services.
+
+     If you have compiled kinit with Kerberos 4 support and you have a Ker-
+     beros 4 server, kkiinniitt will detect this and get you Kerberos 4 tickets.
+
+     Supported options:
+
+     --cc _c_a_c_h_e_n_a_m_e ----ccaacchhee==_c_a_c_h_e_n_a_m_e
+             The credentials cache to put the acquired ticket in, if other
+             than default.
+
+     --ff, ----ffoorrwwaarrddaabbllee
+             Get ticket that can be forwarded to another host.
+
+     --tt _k_e_y_t_a_b_n_a_m_e, ----kkeeyyttaabb==_k_e_y_t_a_b_n_a_m_e
+             Don't ask for a password, but instead get the key from the speci-
+             fied keytab.
+
+     --ll _t_i_m_e, ----lliiffeettiimmee==_t_i_m_e
+             Specifies the lifetime of the ticket. The argument can either be
+             in seconds, or a more human readable string like `1h'.
+
+     --pp, ----pprrooxxiiaabbllee
+             Request tickets with the proxiable flag set.
+
+     --RR, ----rreenneeww
+             Try to renew ticket. The ticket must have the `renewable' flag
+             set, and must not be expired.
+
+     ----rreenneewwaabbllee
+             The same as ----rreenneewwaabbllee--lliiffee, with an infinite time.
+
+     --rr _t_i_m_e, ----rreenneewwaabbllee--lliiffee==_t_i_m_e
+             The max renewable ticket life.
+
+     --SS _p_r_i_n_c_i_p_a_l, ----sseerrvveerr==_p_r_i_n_c_i_p_a_l
+             Get a ticket for a service other than krbtgt/LOCAL.REALM.
+
+     --ss _t_i_m_e, ----ssttaarrtt--ttiimmee==_t_i_m_e
+             Obtain a ticket that starts to be valid _t_i_m_e (which can really be
+             a generic time specification, like `1h') seconds into the future.
+
+     --kk, ----uussee--kkeeyyttaabb
+             The same as ----kkeeyyttaabb, but with the default keytab name (normally
+
+             _F_I_L_E_:_/_e_t_c_/_k_r_b_5_._k_e_y_t_a_b).
+
+     --vv, ----vvaalliiddaattee
+             Try to validate an invalid ticket.
+
+     --ee, ----eennccttyyppeess==_e_n_c_t_y_p_e_s
+             Request tickets with this particular enctype.
+
+     ----ffccaacchhee--vveerrssiioonn==_v_e_r_s_i_o_n
+             Create a credentials cache of version vveerrssiioonn.
+
+     ----nnoo--aaddddrreesssseess
+             Request a ticket with no addresses.
+
+     ----aannoonnyymmoouuss
+             Request an anonymous ticket (which means that the ticket will be
+             issued to an anonymous principal, typically ``anonymous@REALM).''
+
+     The following options are only available if kkiinniitt has been compiled with
+     support for Kerberos 4. The kkaauutthh program is identical to kkiinniitt, but has
+     these options enabled by default.
+
+     --44, ----552244iinniitt
+             Try to convert the obtained Kerberos 5 krbtgt to a version 4 com-
+             patible ticket. It will store this ticket in the default Kerberos
+             4 ticket file.
+
+     ----aaffsslloogg
+             Gets AFS tickets, converts them to version 4 format, and stores
+             them in the kernel. Only useful if you have AFS.
+
+     The _f_o_r_w_a_r_d_a_b_l_e, _p_r_o_x_i_a_b_l_e, _t_i_c_k_e_t___l_i_f_e, and _r_e_n_e_w_a_b_l_e___l_i_f_e options can
+     be set to a default value from the appdefaults section in krb5.conf, see
+     krb5_appdefault(3).
+
+     If  a _c_o_m_m_a_n_d is given, kkiinniitt will setup new credentials caches, and AFS
+     PAG, and then run the given command. When it finishes the credentials
+     will be removed.
+
+EENNVVIIRROONNMMEENNTT
+     KRB5CCNAME
+             Specifies the default cache file.
+
+     KRB5_CONFIG
+             The directory where the _k_r_b_5_._c_o_n_f can be found, default is _/_e_t_c.
+
+     KRBTKFILE
+             Specifies the Kerberos 4 ticket file to store version 4 tickets
+             in.
+
+SSEEEE AALLSSOO
+     kdestroy(1),  klist(1),  krb5.conf(5),  krb5_appdefault(3)
+
+ HEIMDAL                         May 29, 1998                                2
diff --git a/crypto/heimdal/kuser/kinit_options.c b/crypto/heimdal/kuser/kinit_options.c
new file mode 100644
index 0000000..5a7dcd9
--- /dev/null
+++ b/crypto/heimdal/kuser/kinit_options.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+RCSID("$Id: kinit_options.c,v 1.2 1999/12/02 17:05:01 joda Exp $");
+
+#ifdef KRB4
+int do_afslog		= 0;
+int get_v4_tgt		= 0;
+#endif
diff --git a/crypto/heimdal/kuser/klist.1 b/crypto/heimdal/kuser/klist.1
new file mode 100644
index 0000000..296e4fa
--- /dev/null
+++ b/crypto/heimdal/kuser/klist.1
@@ -0,0 +1,119 @@
+.\" $Id: klist.1,v 1.8 2001/06/08 21:35:32 joda Exp $
+.\"
+.Dd July 8, 2000
+.Dt KLIST 1
+.Os HEIMDAL
+.Sh NAME
+.Nm klist
+.Nd list Kerberos credentials
+.Sh SYNOPSIS
+.Nm
+.Oo Fl c Ar cache \*(Ba Xo
+.Fl -cache= Ns Ar cache
+.Xc
+.Oc
+.Op Fl s | Fl t | Fl -test
+.Op Fl 4 | Fl -v4
+.Op Fl T | Fl -tokens
+.Op Fl 5 | Fl -v5
+.Op Fl v | Fl -verbose
+.Op Fl f
+.Op Fl -version
+.Op Fl -help
+.Sh DESCRIPTION
+.Nm
+reads and displays the current tickets in the crential cache (also
+known as the ticket file).
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar cache Ns ,
+.Fl -cache= Ns Ar cache
+.Xc
+credentials cache to list
+.It Xo
+.Fl s Ns ,
+.Fl t Ns ,
+.Fl -test
+.Xc
+Test for there being an active and valid TGT for the local realm of
+the user in the credential cache.
+.It Xo
+.Fl 4 Ns ,
+.Fl -v4
+.Xc
+display v4 tickets
+.It Xo
+.Fl T Ns ,
+.Fl -tokens
+.Xc
+display AFS tokens
+.It Xo
+.Fl 5 Ns ,
+.Fl -v5
+.Xc
+display v5 cred cache (this is the default)
+.It Fl f
+Include ticket flags in short form, each charcted stands for a
+specific flag, as follows:
+.Bl -tag -width  XXX -compact -offset indent
+.It F
+forwardable
+.It f
+forwarded
+.It P
+proxiable
+.It p
+proxied
+.It D
+postdate-able
+.It d
+postdated
+.It R
+renewable
+.It I
+initial
+.It i
+invalid
+.It A
+pre-authenticated
+.It H
+hardware authenticated
+.El
+.Pp
+This information is also output with the 
+.Fl -verbose
+option, but in a more verbose way.
+.It Xo
+.Fl v Ns ,
+.Fl -verbose
+.Xc
+Verbose output. Include all possible information:
+.Bl -tag -width XXXX -offset indent
+.It Server
+the princial the ticket is for
+.It Ticket etype
+the encryption type use in the ticket, followed by the key version of
+the ticket, if it is available
+.It Session key
+the encryption type of the session key, if it's different from the
+encryption type of the ticket
+.It Auth time
+the time the authentication exchange took place
+.It Start time
+the time that this tickets is valid from (only printed if it's
+different from the auth time)
+.It End time
+when the ticket expires, if it has already expired this is also noted
+.It Renew till
+the maximum possible end time of any ticket derived from this one
+.It Ticket flags
+the flags set on the ticket
+.It Addresses
+the set of addresses from which this ticket is valid
+.El
+.El
+.Sh SEE ALSO
+.Xr kinit 1 ,
+.Xr kdestroy 1
diff --git a/crypto/heimdal/kuser/klist.c b/crypto/heimdal/kuser/klist.c
new file mode 100644
index 0000000..ebeebad
--- /dev/null
+++ b/crypto/heimdal/kuser/klist.c
@@ -0,0 +1,671 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+#include "rtbl.h"
+
+RCSID("$Id: klist.c,v 1.64 2001/05/11 19:55:13 assar Exp $");
+
+static char*
+printable_time(time_t t)
+{
+    static char s[128];
+    strcpy(s, ctime(&t)+ 4);
+    s[15] = 0;
+    return s;
+}
+
+static char*
+printable_time_long(time_t t)
+{
+    static char s[128];
+    strcpy(s, ctime(&t)+ 4);
+    s[20] = 0;
+    return s;
+}
+
+#define COL_ISSUED		"  Issued"
+#define COL_EXPIRES		"  Expires"
+#define COL_FLAGS		"Flags"
+#define COL_PRINCIPAL		"  Principal"
+#define COL_PRINCIPAL_KVNO	"  Principal (kvno)"
+
+static void
+print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags)
+{
+    char *str;
+    krb5_error_code ret;
+    krb5_timestamp sec;
+
+    krb5_timeofday (context, &sec);
+
+
+    if(cred->times.starttime)
+	rtbl_add_column_entry(ct, COL_ISSUED,
+			      printable_time(cred->times.starttime));
+    else
+	rtbl_add_column_entry(ct, COL_ISSUED,
+			      printable_time(cred->times.authtime));
+    
+    if(cred->times.endtime > sec)
+	rtbl_add_column_entry(ct, COL_EXPIRES,
+			      printable_time(cred->times.endtime));
+    else
+	rtbl_add_column_entry(ct, COL_EXPIRES, ">>>Expired<<<");
+    ret = krb5_unparse_name (context, cred->server, &str);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_unparse_name");
+    rtbl_add_column_entry(ct, COL_PRINCIPAL, str);
+    if(do_flags) {
+	char s[16], *sp = s;
+	if(cred->flags.b.forwardable)
+	    *sp++ = 'F';
+	if(cred->flags.b.forwarded)
+	    *sp++ = 'f';
+	if(cred->flags.b.proxiable)
+	    *sp++ = 'P';
+	if(cred->flags.b.proxy)
+	    *sp++ = 'p';
+	if(cred->flags.b.may_postdate)
+	    *sp++ = 'D';
+	if(cred->flags.b.postdated)
+	    *sp++ = 'd';
+	if(cred->flags.b.renewable)
+	    *sp++ = 'R';
+	if(cred->flags.b.initial)
+	    *sp++ = 'I';
+	if(cred->flags.b.invalid)
+	    *sp++ = 'i';
+	if(cred->flags.b.pre_authent)
+	    *sp++ = 'A';
+	if(cred->flags.b.hw_authent)
+	    *sp++ = 'H';
+	*sp++ = '\0';
+	rtbl_add_column_entry(ct, COL_FLAGS, s);
+    }
+    free(str);
+}
+
+static void
+print_cred_verbose(krb5_context context, krb5_creds *cred)
+{
+    int j;
+    char *str;
+    krb5_error_code ret;
+    int first_flag;
+    krb5_timestamp sec;
+
+    krb5_timeofday (context, &sec);
+
+    ret = krb5_unparse_name(context, cred->server, &str);
+    if(ret)
+	exit(1);
+    printf("Server: %s\n", str);
+    free (str);
+    {
+	Ticket t;
+	size_t len;
+	char *s;
+
+	decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
+	ret = krb5_enctype_to_string(context, t.enc_part.etype, &s);
+	printf("Ticket etype: ");
+	if (ret == 0) {
+	    printf("%s", s);
+	    free(s);
+	} else {
+	    printf("unknown(%d)", t.enc_part.etype);
+	}
+	if(t.enc_part.kvno)
+	    printf(", kvno %d", *t.enc_part.kvno);
+	printf("\n");
+	if(cred->session.keytype != t.enc_part.etype) {
+	    ret = krb5_keytype_to_string(context, cred->session.keytype, &str);
+	    if(ret == KRB5_PROG_KEYTYPE_NOSUPP)
+		ret = krb5_enctype_to_string(context, cred->session.keytype, 
+					     &str);
+	    if(ret)
+		krb5_warn(context, ret, "session keytype");
+	    else {
+		printf("Session key: %s\n", str);
+		free(str);
+	    }
+	}
+	free_Ticket(&t);
+    }
+    printf("Auth time:  %s\n", printable_time_long(cred->times.authtime));
+    if(cred->times.authtime != cred->times.starttime)
+	printf("Start time: %s\n", printable_time_long(cred->times.starttime));
+    printf("End time:   %s", printable_time_long(cred->times.endtime));
+    if(sec > cred->times.endtime)
+	printf(" (expired)");
+    printf("\n");
+    if(cred->flags.b.renewable)
+	printf("Renew till: %s\n", 
+	       printable_time_long(cred->times.renew_till));
+    printf("Ticket flags: ");
+#define PRINT_FLAG2(f, s) if(cred->flags.b.f) { if(!first_flag) printf(", "); printf("%s", #s); first_flag = 0; }
+#define PRINT_FLAG(f) PRINT_FLAG2(f, f)
+    first_flag = 1;
+    PRINT_FLAG(forwardable);
+    PRINT_FLAG(forwarded);
+    PRINT_FLAG(proxiable);
+    PRINT_FLAG(proxy);
+    PRINT_FLAG2(may_postdate, may-postdate);
+    PRINT_FLAG(postdated);
+    PRINT_FLAG(invalid);
+    PRINT_FLAG(renewable);
+    PRINT_FLAG(initial);
+    PRINT_FLAG2(pre_authent, pre-authenticated);
+    PRINT_FLAG2(hw_authent, hw-authenticated);
+    PRINT_FLAG2(transited_policy_checked, transited-policy-checked);
+    PRINT_FLAG2(ok_as_delegate, ok-as-delegate);
+    PRINT_FLAG(anonymous);
+    printf("\n");
+    printf("Addresses: ");
+    for(j = 0; j < cred->addresses.len; j++){
+	char buf[128];
+	size_t len;
+	if(j) printf(", ");
+	ret = krb5_print_address(&cred->addresses.val[j], 
+				 buf, sizeof(buf), &len);
+
+	if(ret == 0)
+	    printf("%s", buf);
+    }
+    printf("\n\n");
+}
+
+/*
+ * Print all tickets in `ccache' on stdout, verbosily iff do_verbose.
+ */
+
+static void
+print_tickets (krb5_context context,
+	       krb5_ccache ccache,
+	       krb5_principal principal,
+	       int do_verbose,
+	       int do_flags)
+{
+    krb5_error_code ret;
+    char *str;
+    krb5_cc_cursor cursor;
+    krb5_creds creds;
+
+    rtbl_t ct = NULL;
+
+    ret = krb5_unparse_name (context, principal, &str);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_unparse_name");
+
+    printf ("%17s: %s:%s\n", 
+	    "Credentials cache",
+	    krb5_cc_get_type(context, ccache),
+	    krb5_cc_get_name(context, ccache));
+    printf ("%17s: %s\n", "Principal", str);
+    free (str);
+    
+    if(do_verbose)
+	printf ("%17s: %d\n", "Cache version",
+		krb5_cc_get_version(context, ccache));
+    
+    if (do_verbose && context->kdc_sec_offset) {
+	char buf[BUFSIZ];
+	int val;
+	int sig;
+
+	val = context->kdc_sec_offset;
+	sig = 1;
+	if (val < 0) {
+	    sig = -1;
+	    val = -val;
+	}
+	
+	unparse_time (val, buf, sizeof(buf));
+
+	printf ("%17s: %s%s\n", "KDC time offset",
+		sig == -1 ? "-" : "", buf);
+    }
+
+    printf("\n");
+
+    ret = krb5_cc_start_seq_get (context, ccache, &cursor);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
+
+    if(!do_verbose) {
+	ct = rtbl_create();
+	rtbl_add_column(ct, COL_ISSUED, 0);
+	rtbl_add_column(ct, COL_EXPIRES, 0);
+	if(do_flags)
+	    rtbl_add_column(ct, COL_FLAGS, 0);
+	rtbl_add_column(ct, COL_PRINCIPAL, 0);
+	rtbl_set_prefix(ct, "  ");
+	rtbl_set_column_prefix(ct, COL_ISSUED, "");
+    }
+    while (krb5_cc_next_cred (context,
+			      ccache,
+			      &cursor,
+			      &creds) == 0) {
+	if(do_verbose){
+	    print_cred_verbose(context, &creds);
+	}else{
+	    print_cred(context, &creds, ct, do_flags);
+	}
+	krb5_free_creds_contents (context, &creds);
+    }
+    ret = krb5_cc_end_seq_get (context, ccache, &cursor);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
+    if(!do_verbose) {
+	rtbl_format(ct, stdout);
+	rtbl_destroy(ct);
+    }
+}
+
+/*
+ * Check if there's a tgt for the realm of `principal' and ccache and
+ * if so return 0, else 1
+ */
+
+static int
+check_for_tgt (krb5_context context,
+	       krb5_ccache ccache,
+	       krb5_principal principal)
+{
+    krb5_error_code ret;
+    krb5_creds pattern;
+    krb5_creds creds;
+    krb5_realm *client_realm;
+    int expired;
+
+    client_realm = krb5_princ_realm (context, principal);
+
+    ret = krb5_make_principal (context, &pattern.server,
+			       *client_realm, KRB5_TGS_NAME, *client_realm,
+			       NULL);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_make_principal");
+
+    ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds);
+    expired = time(NULL) > creds.times.endtime;
+    krb5_free_principal (context, pattern.server);
+    krb5_free_creds_contents (context, &creds);
+    if (ret) {
+	if (ret == KRB5_CC_END)
+	    return 1;
+	krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
+    }
+    return expired;
+}
+
+#ifdef KRB4
+/* prints the approximate kdc time differential as something human
+   readable */
+
+static void
+print_time_diff(int do_verbose)
+{
+    int d = abs(krb_get_kdc_time_diff());
+    char buf[80];
+
+    if ((do_verbose && d > 0) || d > 60) {
+	unparse_time_approx (d, buf, sizeof(buf));
+	printf ("Time diff:\t%s\n", buf);
+    }
+}
+
+/*
+ * return a short representation of `dp' in string form.
+ */
+
+static char *
+short_date(int32_t dp)
+{
+    char *cp;
+    time_t t = (time_t)dp;
+
+    if (t == (time_t)(-1L)) return "***  Never  *** ";
+    cp = ctime(&t) + 4;
+    cp[15] = '\0';
+    return (cp);
+}
+
+/*
+ * Print a list of all the v4 tickets
+ */
+
+static int
+display_v4_tickets (int do_verbose)
+{
+    char *file;
+    int ret;
+    krb_principal princ;
+    CREDENTIALS cred;
+    int found = 0;
+
+    rtbl_t ct;
+
+    file = getenv ("KRBTKFILE");
+    if (file == NULL)
+	file = TKT_FILE;
+
+    printf("v4-ticket file:	%s\n", file);
+
+    ret = krb_get_tf_realm (file, princ.realm);
+    if (ret) {
+	warnx ("%s", krb_get_err_text(ret));
+	return 1;
+    }
+
+    ret = tf_init (file, R_TKT_FIL);
+    if (ret) {
+	warnx ("tf_init: %s", krb_get_err_text(ret));
+	return 1;
+    }
+    ret = tf_get_pname (princ.name);
+    if (ret) {
+	tf_close ();
+	warnx ("tf_get_pname: %s", krb_get_err_text(ret));
+	return 1;
+    }
+    ret = tf_get_pinst (princ.instance);
+    if (ret) {
+	tf_close ();
+	warnx ("tf_get_pname: %s", krb_get_err_text(ret));
+	return 1;
+    }
+
+    printf("Principal:\t%s\n", krb_unparse_name (&princ));
+    print_time_diff(do_verbose);
+    printf("\n");
+
+    ct = rtbl_create();
+    rtbl_add_column(ct, COL_ISSUED, 0);
+    rtbl_add_column(ct, COL_EXPIRES, 0);
+    if (do_verbose)
+	rtbl_add_column(ct, COL_PRINCIPAL_KVNO, 0);
+    else
+	rtbl_add_column(ct, COL_PRINCIPAL, 0);
+    rtbl_set_prefix(ct, "  ");
+    rtbl_set_column_prefix(ct, COL_ISSUED, "");
+
+    while ((ret = tf_get_cred(&cred)) == KSUCCESS) {
+	struct timeval tv;
+	char buf1[20], buf2[20];
+	const char *pp;
+
+	found++;
+
+	strlcpy(buf1,
+		short_date(cred.issue_date),
+		sizeof(buf1));
+	cred.issue_date = krb_life_to_time(cred.issue_date, cred.lifetime);
+	krb_kdctimeofday(&tv);
+	if (do_verbose || tv.tv_sec < (unsigned long) cred.issue_date)
+	    strlcpy(buf2,
+		    short_date(cred.issue_date),
+		    sizeof(buf2));
+	else
+	    strlcpy(buf2,
+		    ">>> Expired <<<",
+		    sizeof(buf2));
+	rtbl_add_column_entry(ct, COL_ISSUED, buf1);
+	rtbl_add_column_entry(ct, COL_EXPIRES, buf2);
+	pp = krb_unparse_name_long(cred.service,
+				   cred.instance,
+				   cred.realm);
+	if (do_verbose) {
+	    char *tmp;
+
+	    asprintf(&tmp, "%s (%d)", pp, cred.kvno);
+	    rtbl_add_column_entry(ct, COL_PRINCIPAL_KVNO, tmp);
+	    free(tmp);
+	} else {
+	    rtbl_add_column_entry(ct, COL_PRINCIPAL, pp);
+	}
+    }
+    rtbl_format(ct, stdout);
+    rtbl_destroy(ct);
+    if (!found && ret == EOF)
+	printf("No tickets in file.\n");
+    tf_close();
+    
+    /*
+     * should do NAT stuff here
+     */
+    return 0;
+}
+
+/*
+ * Print a list of all AFS tokens
+ */
+
+static void
+display_tokens(int do_verbose)
+{
+    u_int32_t i;
+    unsigned char t[128];
+    struct ViceIoctl parms;
+
+    parms.in = (void *)&i;
+    parms.in_size = sizeof(i);
+    parms.out = (void *)t;
+    parms.out_size = sizeof(t);
+
+    for (i = 0; k_pioctl(NULL, VIOCGETTOK, &parms, 0) == 0; i++) {
+        int32_t size_secret_tok, size_public_tok;
+        unsigned char *cell;
+	struct ClearToken ct;
+	unsigned char *r = t;
+	struct timeval tv;
+	char buf1[20], buf2[20];
+
+	memcpy(&size_secret_tok, r, sizeof(size_secret_tok));
+	/* dont bother about the secret token */
+	r += size_secret_tok + sizeof(size_secret_tok);
+	memcpy(&size_public_tok, r, sizeof(size_public_tok));
+	r += sizeof(size_public_tok);
+	memcpy(&ct, r, size_public_tok);
+	r += size_public_tok;
+	/* there is a int32_t with length of cellname, but we dont read it */
+	r += sizeof(int32_t);
+	cell = r;
+
+	gettimeofday (&tv, NULL);
+	strlcpy (buf1, printable_time(ct.BeginTimestamp),
+			 sizeof(buf1));
+	if (do_verbose || tv.tv_sec < ct.EndTimestamp)
+	    strlcpy (buf2, printable_time(ct.EndTimestamp),
+			     sizeof(buf2));
+	else
+	    strlcpy (buf2, ">>> Expired <<<", sizeof(buf2));
+
+	printf("%s  %s  ", buf1, buf2);
+
+	if ((ct.EndTimestamp - ct.BeginTimestamp) & 1)
+	  printf("User's (AFS ID %d) tokens for %s", ct.ViceId, cell);
+	else
+	  printf("Tokens for %s", cell);
+	if (do_verbose)
+	    printf(" (%d)", ct.AuthHandle);
+	putchar('\n');
+    }
+}
+#endif /* KRB4 */
+
+/*
+ * display the ccache in `cred_cache'
+ */
+
+static int
+display_v5_ccache (const char *cred_cache, int do_test, int do_verbose, 
+		   int do_flags)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_ccache ccache;
+    krb5_principal principal;
+    int exit_status = 0;
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    if(cred_cache) {
+	ret = krb5_cc_resolve(context, cred_cache, &ccache);
+	if (ret)
+	    krb5_err (context, 1, ret, "%s", cred_cache);
+    } else {
+	ret = krb5_cc_default (context, &ccache);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_cc_resolve");
+    }
+
+    ret = krb5_cc_get_principal (context, ccache, &principal);
+    if (ret) {
+	if(ret == ENOENT) {
+	    if (!do_test)
+		krb5_warnx(context, "No ticket file: %s",
+			   krb5_cc_get_name(context, ccache));
+	    return 1;
+	} else
+	    krb5_err (context, 1, ret, "krb5_cc_get_principal");
+    }
+    if (do_test)
+	exit_status = check_for_tgt (context, ccache, principal);
+    else
+	print_tickets (context, ccache, principal, do_verbose, do_flags);
+
+    ret = krb5_cc_close (context, ccache);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_cc_close");
+
+    krb5_free_principal (context, principal);
+    krb5_free_context (context);
+    return exit_status;
+}
+
+static int version_flag = 0;
+static int help_flag	= 0;
+static int do_verbose	= 0;
+static int do_test	= 0;
+#ifdef KRB4
+static int do_v4	= 1;
+static int do_tokens	= 0;
+#endif
+static int do_v5	= 1;
+static char *cred_cache;
+static int do_flags = 0;
+
+static struct getargs args[] = {
+    { NULL, 'f', arg_flag, &do_flags },
+    { "cache",			'c', arg_string, &cred_cache,
+      "credentials cache to list", "cache" },
+    { "test",			't', arg_flag, &do_test,
+      "test for having tickets", NULL },
+    { NULL,			's', arg_flag, &do_test },
+#ifdef KRB4
+    { "v4",			'4',	arg_flag, &do_v4,
+      "display v4 tickets", NULL },
+    { "tokens",			'T',   arg_flag, &do_tokens,
+      "display AFS tokens", NULL },
+#endif
+    { "v5",			'5',	arg_flag, &do_v5,
+      "display v5 cred cache", NULL},
+    { "verbose",		'v', arg_flag, &do_verbose,
+      "verbose output", NULL },
+    { NULL,			'a', arg_flag, &do_verbose },
+    { NULL,			'n', arg_flag, &do_verbose },
+    { "version", 		0,   arg_flag, &version_flag, 
+      "print version", NULL },
+    { "help",			0,   arg_flag, &help_flag, 
+      NULL, NULL}
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "");
+    exit (ret);
+}
+
+int
+main (int argc, char **argv)
+{
+    int optind = 0;
+    int exit_status = 0;
+
+    setprogname (argv[0]);
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 0)
+	usage (1);
+
+    if (do_v5)
+	exit_status = display_v5_ccache (cred_cache, do_test, 
+					 do_verbose, do_flags);
+
+#ifdef KRB4
+    if (!do_test) {
+	if (do_v4) {
+	    if (do_v5)
+		printf ("\n");
+	    display_v4_tickets (do_verbose);
+	}
+	if (do_tokens && k_hasafs ()) {
+	    if (do_v4 || do_v5)
+		printf ("\n");
+	    display_tokens (do_verbose);
+	}
+    }
+#endif
+
+    return exit_status;
+}
diff --git a/crypto/heimdal/kuser/klist.cat1 b/crypto/heimdal/kuser/klist.cat1
new file mode 100644
index 0000000..20f2c33
--- /dev/null
+++ b/crypto/heimdal/kuser/klist.cat1
@@ -0,0 +1,89 @@
+
+KLIST(1)                     UNIX Reference Manual                    KLIST(1)
+
+NNAAMMEE
+     kklliisstt - list Kerberos credentials
+
+SSYYNNOOPPSSIISS
+     kklliisstt [--cc _c_a_c_h_e | ----ccaacchhee==_c_a_c_h_e] [--ss | --tt | ----tteesstt] [--44 | ----vv44] [--TT |
+     ----ttookkeennss] [--55 | ----vv55] [--vv | ----vveerrbboossee] [--ff] [----vveerrssiioonn] [----hheellpp]
+
+DDEESSCCRRIIPPTTIIOONN
+     kklliisstt reads and displays the current tickets in the crential cache (also
+     known as the ticket file).
+
+     Options supported:
+
+     --cc _c_a_c_h_e, ----ccaacchhee==_c_a_c_h_e
+             credentials cache to list
+
+     --ss, --tt, ----tteesstt
+             Test for there being an active and valid TGT for the local realm
+             of the user in the credential cache.
+
+     --44, ----vv44
+             display v4 tickets
+
+     --TT, ----ttookkeennss
+             display AFS tokens
+
+     --55, ----vv55
+             display v5 cred cache (this is the default)
+
+     --ff      Include ticket flags in short form, each charcted stands for a
+             specific flag, as follows:
+                   F    forwardable
+                   f    forwarded
+                   P    proxiable
+                   p    proxied
+                   D    postdate-able
+                   d    postdated
+                   R    renewable
+                   I    initial
+                   i    invalid
+                   A    pre-authenticated
+                   H    hardware authenticated
+
+             This information is also output with the ----vveerrbboossee option, but in
+             a more verbose way.
+
+     --vv, ----vveerrbboossee
+             Verbose output. Include all possible information:
+
+                   Server
+                         the princial the ticket is for
+
+                   Ticket etype
+                         the encryption type use in the ticket, followed by
+                         the key version of the ticket, if it is available
+
+                   Session key
+                         the encryption type of the session key, if it's dif-
+                         ferent from the encryption type of the ticket
+
+                   Auth time
+
+                         the time the authentication exchange took place
+
+                   Start time
+                         the time that this tickets is valid from (only print-
+                         ed if it's different from the auth time)
+
+                   End time
+                         when the ticket expires, if it has already expired
+                         this is also noted
+
+                   Renew till
+                         the maximum possible end time of any ticket derived
+                         from this one
+
+                   Ticket flags
+                         the flags set on the ticket
+
+                   Addresses
+                         the set of addresses from which this ticket is valid
+
+SSEEEE AALLSSOO
+     kinit(1),  kdestroy(1)
+
+ HEIMDAL                         July 8, 2000                                2
diff --git a/crypto/heimdal/kuser/kuser_locl.h b/crypto/heimdal/kuser/kuser_locl.h
new file mode 100644
index 0000000..2010150
--- /dev/null
+++ b/crypto/heimdal/kuser/kuser_locl.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kuser_locl.h,v 1.12 1999/12/02 17:05:01 joda Exp $ */
+
+#ifndef __KUSER_LOCL_H__
+#define __KUSER_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#include <roken.h>
+#include <getarg.h>
+#include <parse_time.h>
+#include <err.h>
+#include <krb5.h>
+
+#ifdef KRB4
+#include <krb.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_IOCCOM_H
+#include <sys/ioccom.h>
+#endif
+#include <kafs.h>
+
+#endif /* __KUSER_LOCL_H__ */
diff --git a/crypto/heimdal/kuser/kverify.c b/crypto/heimdal/kuser/kverify.c
new file mode 100644
index 0000000..72b15f9
--- /dev/null
+++ b/crypto/heimdal/kuser/kverify.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+
+RCSID("$Id: kverify.c,v 1.4 2000/12/31 07:55:54 assar Exp $");
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_creds cred;
+    krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP};
+    krb5_get_init_creds_opt get_options;
+    krb5_verify_init_creds_opt verify_options;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    krb5_get_init_creds_opt_init (&get_options);
+
+    krb5_get_init_creds_opt_set_preauth_list (&get_options,
+					      pre_auth_types,
+					      1);
+
+    krb5_verify_init_creds_opt_init (&verify_options);
+    
+    ret = krb5_get_init_creds_password (context,
+					&cred,
+					NULL,
+					NULL,
+					krb5_prompter_posix,
+					NULL,
+					0,
+					NULL,
+					&get_options);
+    if (ret)
+	errx (1, "krb5_get_init_creds: %s", krb5_get_err_text(context, ret));
+
+    ret = krb5_verify_init_creds (context,
+				  &cred,
+				  NULL,
+				  NULL,
+				  NULL,
+				  &verify_options);
+    if (ret)
+	errx (1, "krb5_verify_init_creds: %s",
+	      krb5_get_err_text(context, ret));
+    krb5_free_creds_contents (context, &cred);
+    krb5_free_context (context);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/45/45_locl.h b/crypto/heimdal/lib/45/45_locl.h
new file mode 100644
index 0000000..8104179
--- /dev/null
+++ b/crypto/heimdal/lib/45/45_locl.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifndef __45_LOCL_H__
+#define __45_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+
+#include <krb5.h>
+#include <krb.h>
+#include <prot.h>
+
+#endif /* __45_LOCL_H__ */
diff --git a/crypto/heimdal/lib/45/Makefile.am b/crypto/heimdal/lib/45/Makefile.am
new file mode 100644
index 0000000..50d47fd
--- /dev/null
+++ b/crypto/heimdal/lib/45/Makefile.am
@@ -0,0 +1,11 @@
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+lib_LIBRARIES = @EXTRA_LIB45@
+
+EXTRA_LIBRARIES = lib45.a
+
+lib45_a_SOURCES = get_ad_tkt.c mk_req.c 45_locl.h
diff --git a/crypto/heimdal/lib/45/Makefile.in b/crypto/heimdal/lib/45/Makefile.in
new file mode 100644
index 0000000..52341d5
--- /dev/null
+++ b/crypto/heimdal/lib/45/Makefile.in
@@ -0,0 +1,573 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:17 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+lib_LIBRARIES = @EXTRA_LIB45@
+
+EXTRA_LIBRARIES = lib45.a
+
+lib45_a_SOURCES = get_ad_tkt.c mk_req.c 45_locl.h
+subdir = lib/45
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LIBRARIES =  $(lib_LIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+lib45_a_AR = $(AR) cru
+lib45_a_LIBADD = 
+am_lib45_a_OBJECTS =  get_ad_tkt.$(OBJEXT) mk_req.$(OBJEXT)
+lib45_a_OBJECTS =  $(am_lib45_a_OBJECTS)
+AR = ar
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(lib45_a_SOURCES)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(lib45_a_SOURCES)
+OBJECTS = $(am_lib45_a_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/45/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLIBRARIES:
+
+clean-libLIBRARIES:
+	-test -z "$(lib_LIBRARIES)" || rm -f $(lib_LIBRARIES)
+
+distclean-libLIBRARIES:
+
+maintainer-clean-libLIBRARIES:
+
+install-libLIBRARIES: $(lib_LIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(INSTALL_DATA) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(INSTALL_DATA) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+	@$(POST_INSTALL)
+	@list='$(lib_LIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(RANLIB) $(DESTDIR)$(libdir)/$$p"; \
+	    $(RANLIB) $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LIBRARIES)'; for p in $$list; do \
+	  echo " rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+lib45.a: $(lib45_a_OBJECTS) $(lib45_a_DEPENDENCIES)
+	-rm -f lib45.a
+	$(lib45_a_AR) lib45.a $(lib45_a_OBJECTS) $(lib45_a_LIBADD)
+	$(RANLIB) lib45.a
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLIBRARIES
+uninstall: uninstall-am
+all-am: Makefile $(LIBRARIES) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLIBRARIES distclean-libLIBRARIES \
+clean-libLIBRARIES maintainer-clean-libLIBRARIES uninstall-libLIBRARIES \
+install-libLIBRARIES mostlyclean-compile distclean-compile \
+clean-compile maintainer-clean-compile mostlyclean-libtool \
+distclean-libtool clean-libtool maintainer-clean-libtool tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/45/get_ad_tkt.c b/crypto/heimdal/lib/45/get_ad_tkt.c
new file mode 100644
index 0000000..3619606
--- /dev/null
+++ b/crypto/heimdal/lib/45/get_ad_tkt.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "45_locl.h"
+
+RCSID("$Id: get_ad_tkt.c,v 1.3 1999/12/02 17:05:01 joda Exp $");
+
+/* get an additional version 4 ticket via the 524 protocol */
+
+#ifndef NEVERDATE
+#define NEVERDATE ((unsigned long)0x7fffffffL)
+#endif
+
+int
+get_ad_tkt(char *service, char *sinstance, char *realm, int lifetime)
+{
+    krb5_error_code ret;
+    int code;
+    krb5_context context;
+    krb5_ccache id;
+    krb5_creds in_creds, *out_creds;
+    CREDENTIALS cred;
+    time_t now;
+    char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
+    
+    ret = krb5_init_context(&context);
+    if(ret)
+	return KFAILURE;
+    ret = krb5_cc_default(context, &id);
+    if(ret){
+	krb5_free_context(context);
+	return KFAILURE;
+    }
+    memset(&in_creds, 0, sizeof(in_creds));
+    now = time(NULL);
+    in_creds.times.endtime = krb_life_to_time(time(NULL), lifetime);
+    if(in_creds.times.endtime == NEVERDATE)
+	in_creds.times.endtime = 0;
+    ret = krb5_cc_get_principal(context, id, &in_creds.client);
+    if(ret){
+	krb5_cc_close(context, id);
+	krb5_free_context(context);
+	return KFAILURE;
+    }
+    ret = krb5_524_conv_principal(context, in_creds.client, 
+				  pname, pinst, prealm);
+    if(ret){
+	krb5_free_principal(context, in_creds.client);
+	krb5_cc_close(context, id);
+	krb5_free_context(context);
+	return KFAILURE;
+    }
+    ret = krb5_425_conv_principal(context, service, sinstance, realm, 
+				  &in_creds.server);
+    if(ret){
+	krb5_free_principal(context, in_creds.client);
+	krb5_cc_close(context, id);
+	krb5_free_context(context);
+	return KFAILURE;
+    }
+    ret = krb5_get_credentials(context, 
+			       0, 
+			       id,
+			       &in_creds,
+			       &out_creds);
+    krb5_free_principal(context, in_creds.client);
+    krb5_free_principal(context, in_creds.server);
+    if(ret){
+	krb5_cc_close(context, id);
+	krb5_free_context(context);
+	return KFAILURE;
+    }
+    ret = krb524_convert_creds_kdc(context, id, out_creds, &cred);
+    krb5_cc_close(context, id);
+    krb5_free_context(context);
+    krb5_free_creds(context, out_creds);
+    if(ret)
+	return KFAILURE;
+    code = save_credentials(cred.service, cred.instance, cred.realm, 
+			    cred.session, cred.lifetime, cred.kvno, 
+			    &cred.ticket_st, now);
+    if(code == NO_TKT_FIL)
+	code = tf_setup(&cred, pname, pinst);
+    memset(&cred.session, 0, sizeof(cred.session));
+    return code;
+}
diff --git a/crypto/heimdal/lib/45/mk_req.c b/crypto/heimdal/lib/45/mk_req.c
new file mode 100644
index 0000000..db909c2
--- /dev/null
+++ b/crypto/heimdal/lib/45/mk_req.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* implementation of krb_mk_req that uses 524 protocol */
+
+#include "45_locl.h"
+
+RCSID("$Id: mk_req.c,v 1.6 2000/04/11 00:49:35 assar Exp $");
+
+static int lifetime = 255;
+
+static void
+build_request(KTEXT req,
+	      const char *name, const char *inst, const char *realm, 
+	      u_int32_t checksum)
+{
+    struct timeval tv;
+    krb5_storage *sp;
+    krb5_data data;
+    sp = krb5_storage_emem();
+    krb5_store_stringz(sp, name);
+    krb5_store_stringz(sp, inst);
+    krb5_store_stringz(sp, realm);
+    krb5_store_int32(sp, checksum);
+    gettimeofday(&tv, NULL);
+    krb5_store_int8(sp, tv.tv_usec  / 5000);
+    krb5_store_int32(sp, tv.tv_sec);
+    krb5_storage_to_data(sp, &data);
+    krb5_storage_free(sp);
+    memcpy(req->dat, data.data, data.length);
+    req->length = (data.length + 7) & ~7;
+    krb5_data_free(&data);
+}
+
+#ifdef KRB_MK_REQ_CONST
+int
+krb_mk_req(KTEXT authent,
+	   const char *service, const char *instance, const char *realm, 
+	   int32_t checksum)
+#else
+int
+krb_mk_req(KTEXT authent,
+	   char *service, char *instance, char *realm, 
+	   int32_t checksum)
+
+#endif
+{
+    CREDENTIALS cr;
+    KTEXT_ST req;
+    krb5_storage *sp;
+    int code;
+    /* XXX get user realm */
+    const char *myrealm = realm;
+    krb5_data a;
+
+    code = krb_get_cred(service, instance, realm, &cr);
+    if(code || time(NULL) > krb_life_to_time(cr.issue_date, cr.lifetime)){
+	code = get_ad_tkt((char *)service,
+			  (char *)instance, (char *)realm, lifetime);
+	if(code == KSUCCESS)
+	    code = krb_get_cred(service, instance, realm, &cr);
+    }
+
+    if(code)
+	return code;
+
+    sp = krb5_storage_emem();
+
+    krb5_store_int8(sp, KRB_PROT_VERSION);
+    krb5_store_int8(sp, AUTH_MSG_APPL_REQUEST);
+    
+    krb5_store_int8(sp, cr.kvno);
+    krb5_store_stringz(sp, realm);
+    krb5_store_int8(sp, cr.ticket_st.length);
+
+    build_request(&req, cr.pname, cr.pinst, myrealm, checksum);
+    encrypt_ktext(&req, &cr.session, DES_ENCRYPT);
+
+    krb5_store_int8(sp, req.length);
+
+    sp->store(sp, cr.ticket_st.dat, cr.ticket_st.length);
+    sp->store(sp, req.dat, req.length);
+    krb5_storage_to_data(sp, &a);
+    krb5_storage_free(sp);
+    memcpy(authent->dat, a.data, a.length);
+    authent->length = a.length;
+    krb5_data_free(&a);
+
+    memset(&cr, 0, sizeof(cr));
+    memset(&req, 0, sizeof(req));
+
+    return KSUCCESS;
+}
+
+/* 
+ * krb_set_lifetime sets the default lifetime for additional tickets
+ * obtained via krb_mk_req().
+ * 
+ * It returns the previous value of the default lifetime.
+ */
+
+int
+krb_set_lifetime(int newval)
+{
+    int olife = lifetime;
+
+    lifetime = newval;
+    return(olife);
+}
diff --git a/crypto/heimdal/lib/Makefile.am b/crypto/heimdal/lib/Makefile.am
new file mode 100644
index 0000000..ed228d1
--- /dev/null
+++ b/crypto/heimdal/lib/Makefile.am
@@ -0,0 +1,16 @@
+# $Id: Makefile.am,v 1.21 2000/11/15 23:11:05 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+if KRB4
+dir_45 = 45
+endif
+if OTP
+dir_otp = otp
+endif
+if DCE
+dir_dce = kdfs
+endif
+
+SUBDIRS = @DIR_roken@ vers editline com_err sl asn1 @DIR_des@ krb5 \
+	kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp) $(dir_dce)
diff --git a/crypto/heimdal/lib/Makefile.in b/crypto/heimdal/lib/Makefile.in
new file mode 100644
index 0000000..fec9b2c
--- /dev/null
+++ b/crypto/heimdal/lib/Makefile.in
@@ -0,0 +1,560 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.21 2000/11/15 23:11:05 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+@KRB4_TRUE@dir_45 = @KRB4_TRUE@45
+@OTP_TRUE@dir_otp = @OTP_TRUE@otp
+@DCE_TRUE@dir_dce = @DCE_TRUE@kdfs
+
+SUBDIRS = @DIR_roken@ vers editline com_err sl asn1 @DIR_des@ krb5 \
+	kafs hdb kadm5 gssapi auth $(dir_45) $(dir_otp) $(dir_dce)
+
+subdir = lib
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+DIST_SUBDIRS =  @DIR_roken@ vers editline com_err sl asn1 @DIR_des@ krb5 \
+kafs hdb kadm5 gssapi auth 45 otp kdfs
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	for subdir in $(DIST_SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/asn1/Makefile.am b/crypto/heimdal/lib/asn1/Makefile.am
new file mode 100644
index 0000000..e4f0149
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/Makefile.am
@@ -0,0 +1,124 @@
+# $Id: Makefile.am,v 1.63 2001/05/16 23:49:27 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+YFLAGS = -d
+
+lib_LTLIBRARIES = libasn1.la
+libasn1_la_LDFLAGS = -version-info 5:0:0
+
+BUILT_SOURCES =			\
+	$(gen_files:.x=.c)	\
+	asn1_err.h		\
+	asn1_err.c
+
+gen_files =					\
+	asn1_APOptions.x			\
+	asn1_AP_REP.x				\
+	asn1_AP_REQ.x				\
+	asn1_AS_REP.x				\
+	asn1_AS_REQ.x				\
+	asn1_Authenticator.x			\
+	asn1_AuthorizationData.x		\
+	asn1_CKSUMTYPE.x			\
+	asn1_Checksum.x				\
+	asn1_ENCTYPE.x				\
+	asn1_ETYPE_INFO.x			\
+	asn1_ETYPE_INFO_ENTRY.x			\
+	asn1_EncAPRepPart.x			\
+	asn1_EncASRepPart.x			\
+	asn1_EncKDCRepPart.x			\
+	asn1_EncKrbCredPart.x			\
+	asn1_EncKrbPrivPart.x			\
+	asn1_EncTGSRepPart.x			\
+	asn1_EncTicketPart.x			\
+	asn1_EncryptedData.x			\
+	asn1_EncryptionKey.x			\
+	asn1_HostAddress.x			\
+	asn1_HostAddresses.x			\
+	asn1_KDCOptions.x			\
+	asn1_KDC_REP.x				\
+	asn1_KDC_REQ.x				\
+	asn1_KDC_REQ_BODY.x			\
+	asn1_KRB_CRED.x				\
+	asn1_KRB_ERROR.x			\
+	asn1_KRB_PRIV.x				\
+	asn1_KRB_SAFE.x				\
+	asn1_KRB_SAFE_BODY.x			\
+	asn1_KerberosTime.x			\
+	asn1_KrbCredInfo.x			\
+	asn1_LastReq.x				\
+	asn1_LR_TYPE.x				\
+	asn1_MESSAGE_TYPE.x			\
+	asn1_METHOD_DATA.x			\
+	asn1_NAME_TYPE.x			\
+	asn1_PADATA_TYPE.x			\
+	asn1_PA_DATA.x				\
+	asn1_PA_ENC_TS_ENC.x			\
+	asn1_Principal.x			\
+	asn1_PrincipalName.x			\
+	asn1_Realm.x				\
+	asn1_TGS_REP.x				\
+	asn1_TGS_REQ.x				\
+	asn1_Ticket.x				\
+	asn1_TicketFlags.x			\
+	asn1_TransitedEncoding.x		\
+	asn1_UNSIGNED.x
+
+
+noinst_PROGRAMS = asn1_compile asn1_print
+check_PROGRAMS = check-der
+TESTS = check-der
+
+asn1_compile_SOURCES = 				\
+	gen.c					\
+	gen_copy.c				\
+	gen_decode.c				\
+	gen_encode.c				\
+	gen_free.c				\
+	gen_glue.c				\
+	gen_length.c				\
+	hash.c					\
+	lex.l					\
+	main.c					\
+	parse.y					\
+	symbol.c
+
+libasn1_la_SOURCES =				\
+	der_get.c				\
+	der_put.c				\
+	der_free.c				\
+	der_length.c				\
+	der_copy.c				\
+	timegm.c				\
+	$(BUILT_SOURCES)
+
+asn1_compile_LDADD = \
+	$(LIB_roken) $(LEXLIB)
+
+check_der_LDADD = \
+	libasn1.la \
+	../com_err/libcom_err.la \
+	$(LIB_roken)
+
+asn1_print_LDADD = $(check_der_LDADD)
+
+TESTS = check-der
+
+CLEANFILES = lex.c parse.c parse.h krb5_asn1.h $(BUILT_SOURCES) \
+	$(gen_files) asn1_files
+
+include_HEADERS = krb5_asn1.h asn1_err.h der.h
+
+$(asn1_compile_OBJECTS): parse.h
+
+$(gen_files) krb5_asn1.h: asn1_files
+
+asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/k5.asn1 krb5_asn1
+
+$(libasn1_la_OBJECTS): krb5_asn1.h asn1_err.h
+
+$(asn1_print_OBJECTS): krb5_asn1.h
+
+EXTRA_DIST = asn1_err.et
diff --git a/crypto/heimdal/lib/asn1/Makefile.in b/crypto/heimdal/lib/asn1/Makefile.in
new file mode 100644
index 0000000..5717f31
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/Makefile.in
@@ -0,0 +1,850 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.63 2001/05/16 23:49:27 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+YFLAGS = -d
+
+lib_LTLIBRARIES = libasn1.la
+libasn1_la_LDFLAGS = -version-info 5:0:0
+
+BUILT_SOURCES = \
+	$(gen_files:.x=.c)	\
+	asn1_err.h		\
+	asn1_err.c
+
+
+gen_files = \
+	asn1_APOptions.x			\
+	asn1_AP_REP.x				\
+	asn1_AP_REQ.x				\
+	asn1_AS_REP.x				\
+	asn1_AS_REQ.x				\
+	asn1_Authenticator.x			\
+	asn1_AuthorizationData.x		\
+	asn1_CKSUMTYPE.x			\
+	asn1_Checksum.x				\
+	asn1_ENCTYPE.x				\
+	asn1_ETYPE_INFO.x			\
+	asn1_ETYPE_INFO_ENTRY.x			\
+	asn1_EncAPRepPart.x			\
+	asn1_EncASRepPart.x			\
+	asn1_EncKDCRepPart.x			\
+	asn1_EncKrbCredPart.x			\
+	asn1_EncKrbPrivPart.x			\
+	asn1_EncTGSRepPart.x			\
+	asn1_EncTicketPart.x			\
+	asn1_EncryptedData.x			\
+	asn1_EncryptionKey.x			\
+	asn1_HostAddress.x			\
+	asn1_HostAddresses.x			\
+	asn1_KDCOptions.x			\
+	asn1_KDC_REP.x				\
+	asn1_KDC_REQ.x				\
+	asn1_KDC_REQ_BODY.x			\
+	asn1_KRB_CRED.x				\
+	asn1_KRB_ERROR.x			\
+	asn1_KRB_PRIV.x				\
+	asn1_KRB_SAFE.x				\
+	asn1_KRB_SAFE_BODY.x			\
+	asn1_KerberosTime.x			\
+	asn1_KrbCredInfo.x			\
+	asn1_LastReq.x				\
+	asn1_LR_TYPE.x				\
+	asn1_MESSAGE_TYPE.x			\
+	asn1_METHOD_DATA.x			\
+	asn1_NAME_TYPE.x			\
+	asn1_PADATA_TYPE.x			\
+	asn1_PA_DATA.x				\
+	asn1_PA_ENC_TS_ENC.x			\
+	asn1_Principal.x			\
+	asn1_PrincipalName.x			\
+	asn1_Realm.x				\
+	asn1_TGS_REP.x				\
+	asn1_TGS_REQ.x				\
+	asn1_Ticket.x				\
+	asn1_TicketFlags.x			\
+	asn1_TransitedEncoding.x		\
+	asn1_UNSIGNED.x
+
+
+noinst_PROGRAMS = asn1_compile asn1_print
+check_PROGRAMS = check-der
+
+TESTS = check-der
+
+asn1_compile_SOURCES = \
+	gen.c					\
+	gen_copy.c				\
+	gen_decode.c				\
+	gen_encode.c				\
+	gen_free.c				\
+	gen_glue.c				\
+	gen_length.c				\
+	hash.c					\
+	lex.l					\
+	main.c					\
+	parse.y					\
+	symbol.c
+
+
+libasn1_la_SOURCES = \
+	der_get.c				\
+	der_put.c				\
+	der_free.c				\
+	der_length.c				\
+	der_copy.c				\
+	timegm.c				\
+	$(BUILT_SOURCES)
+
+
+asn1_compile_LDADD = \
+	$(LIB_roken) $(LEXLIB)
+
+
+check_der_LDADD = \
+	libasn1.la \
+	../com_err/libcom_err.la \
+	$(LIB_roken)
+
+
+asn1_print_LDADD = $(check_der_LDADD)
+
+CLEANFILES = lex.c parse.c parse.h krb5_asn1.h $(BUILT_SOURCES) \
+	$(gen_files) asn1_files
+
+
+include_HEADERS = krb5_asn1.h asn1_err.h der.h
+
+EXTRA_DIST = asn1_err.et
+subdir = lib/asn1
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libasn1_la_LIBADD = 
+am_libasn1_la_OBJECTS =  der_get.lo der_put.lo der_free.lo der_length.lo \
+der_copy.lo timegm.lo asn1_APOptions.lo asn1_AP_REP.lo asn1_AP_REQ.lo \
+asn1_AS_REP.lo asn1_AS_REQ.lo asn1_Authenticator.lo \
+asn1_AuthorizationData.lo asn1_CKSUMTYPE.lo asn1_Checksum.lo \
+asn1_ENCTYPE.lo asn1_ETYPE_INFO.lo asn1_ETYPE_INFO_ENTRY.lo \
+asn1_EncAPRepPart.lo asn1_EncASRepPart.lo asn1_EncKDCRepPart.lo \
+asn1_EncKrbCredPart.lo asn1_EncKrbPrivPart.lo asn1_EncTGSRepPart.lo \
+asn1_EncTicketPart.lo asn1_EncryptedData.lo asn1_EncryptionKey.lo \
+asn1_HostAddress.lo asn1_HostAddresses.lo asn1_KDCOptions.lo \
+asn1_KDC_REP.lo asn1_KDC_REQ.lo asn1_KDC_REQ_BODY.lo asn1_KRB_CRED.lo \
+asn1_KRB_ERROR.lo asn1_KRB_PRIV.lo asn1_KRB_SAFE.lo \
+asn1_KRB_SAFE_BODY.lo asn1_KerberosTime.lo asn1_KrbCredInfo.lo \
+asn1_LastReq.lo asn1_LR_TYPE.lo asn1_MESSAGE_TYPE.lo \
+asn1_METHOD_DATA.lo asn1_NAME_TYPE.lo asn1_PADATA_TYPE.lo \
+asn1_PA_DATA.lo asn1_PA_ENC_TS_ENC.lo asn1_Principal.lo \
+asn1_PrincipalName.lo asn1_Realm.lo asn1_TGS_REP.lo asn1_TGS_REQ.lo \
+asn1_Ticket.lo asn1_TicketFlags.lo asn1_TransitedEncoding.lo \
+asn1_UNSIGNED.lo asn1_err.lo
+libasn1_la_OBJECTS =  $(am_libasn1_la_OBJECTS)
+check_PROGRAMS =  check-der$(EXEEXT)
+noinst_PROGRAMS =  asn1_compile$(EXEEXT) asn1_print$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+am_asn1_compile_OBJECTS =  gen.$(OBJEXT) gen_copy.$(OBJEXT) \
+gen_decode.$(OBJEXT) gen_encode.$(OBJEXT) gen_free.$(OBJEXT) \
+gen_glue.$(OBJEXT) gen_length.$(OBJEXT) hash.$(OBJEXT) lex.$(OBJEXT) \
+main.$(OBJEXT) parse.$(OBJEXT) symbol.$(OBJEXT)
+asn1_compile_OBJECTS =  $(am_asn1_compile_OBJECTS)
+asn1_compile_DEPENDENCIES = 
+asn1_compile_LDFLAGS = 
+asn1_print_SOURCES = asn1_print.c
+asn1_print_OBJECTS =  asn1_print.$(OBJEXT)
+asn1_print_DEPENDENCIES =  libasn1.la ../com_err/libcom_err.la
+asn1_print_LDFLAGS = 
+check_der_SOURCES = check-der.c
+check_der_OBJECTS =  check-der.$(OBJEXT)
+check_der_DEPENDENCIES =  libasn1.la ../com_err/libcom_err.la
+check_der_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) \
+asn1_print.c check-der.c
+HEADERS =  $(include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) Makefile.am Makefile.in lex.c parse.c \
+parse.h
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libasn1_la_SOURCES) $(asn1_compile_SOURCES) asn1_print.c check-der.c
+OBJECTS = $(am_libasn1_la_OBJECTS) $(am_asn1_compile_OBJECTS) asn1_print.$(OBJEXT) check-der.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .l .lo .o .obj .y
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/asn1/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libasn1.la: $(libasn1_la_OBJECTS) $(libasn1_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libasn1_la_LDFLAGS) $(libasn1_la_OBJECTS) $(libasn1_la_LIBADD) $(LIBS)
+
+mostlyclean-checkPROGRAMS:
+
+clean-checkPROGRAMS:
+	-test -z "$(check_PROGRAMS)" || rm -f $(check_PROGRAMS)
+
+distclean-checkPROGRAMS:
+
+maintainer-clean-checkPROGRAMS:
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+asn1_compile$(EXEEXT): $(asn1_compile_OBJECTS) $(asn1_compile_DEPENDENCIES)
+	@rm -f asn1_compile$(EXEEXT)
+	$(LINK) $(asn1_compile_LDFLAGS) $(asn1_compile_OBJECTS) $(asn1_compile_LDADD) $(LIBS)
+
+asn1_print$(EXEEXT): $(asn1_print_OBJECTS) $(asn1_print_DEPENDENCIES)
+	@rm -f asn1_print$(EXEEXT)
+	$(LINK) $(asn1_print_LDFLAGS) $(asn1_print_OBJECTS) $(asn1_print_LDADD) $(LIBS)
+
+check-der$(EXEEXT): $(check_der_OBJECTS) $(check_der_DEPENDENCIES)
+	@rm -f check-der$(EXEEXT)
+	$(LINK) $(check_der_LDFLAGS) $(check_der_OBJECTS) $(check_der_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+.l.c:
+	$(LEX) $(AM_LFLAGS) $(LFLAGS) $< && mv $(LEX_OUTPUT_ROOT).c $@
+.y.c:
+	$(YACC) $(AM_YFLAGS) $(YFLAGS) $< && mv y.tab.c $*.c
+	if test -f y.tab.h; then \
+	if cmp -s y.tab.h $*.h; then rm -f y.tab.h; else mv y.tab.h $*.h; fi; \
+	else :; fi
+parse.h: parse.c
+
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list='$(TESTS)'; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xpass=`expr $$xpass + 1`; \
+	        failed=`expr $$failed + 1`; \
+	        echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+	        echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xfail=`expr $$xfail + 1`; \
+	        echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+	        failed=`expr $$failed + 1`; \
+	        echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+all-recursive-am: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) all-recursive
+
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+	-test -z "lex.cparse.hparse.c$(BUILT_SOURCES)" || rm -f lex.c parse.h parse.c $(BUILT_SOURCES)
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-checkPROGRAMS \
+		mostlyclean-noinstPROGRAMS mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-checkPROGRAMS clean-noinstPROGRAMS clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-checkPROGRAMS \
+		distclean-noinstPROGRAMS distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-checkPROGRAMS \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-checkPROGRAMS \
+distclean-checkPROGRAMS clean-checkPROGRAMS \
+maintainer-clean-checkPROGRAMS mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
+install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags check-TESTS distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck \
+all-recursive-am install-exec-am install-exec install-data-local \
+install-data-am install-data install-am install uninstall-am uninstall \
+all-local all-redirect all-am all install-strip installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(asn1_compile_OBJECTS): parse.h
+
+$(gen_files) krb5_asn1.h: asn1_files
+
+asn1_files: asn1_compile$(EXEEXT) $(srcdir)/k5.asn1
+	./asn1_compile$(EXEEXT) $(srcdir)/k5.asn1 krb5_asn1
+
+$(libasn1_la_OBJECTS): krb5_asn1.h asn1_err.h
+
+$(asn1_print_OBJECTS): krb5_asn1.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/asn1/asn1-common.h b/crypto/heimdal/lib/asn1/asn1-common.h
new file mode 100644
index 0000000..d3a30f2
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/asn1-common.h
@@ -0,0 +1,16 @@
+/* $Id: asn1-common.h,v 1.1 2000/04/14 15:41:31 joda Exp $ */
+
+#include <stddef.h>
+#include <time.h>
+
+#ifndef __asn1_common_definitions__
+#define __asn1_common_definitions__
+
+typedef struct octet_string {
+    size_t length;
+    void *data;
+} octet_string;
+
+typedef char *general_string;
+
+#endif
diff --git a/crypto/heimdal/lib/asn1/asn1_err.et b/crypto/heimdal/lib/asn1/asn1_err.et
new file mode 100644
index 0000000..8f1f272
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/asn1_err.et
@@ -0,0 +1,20 @@
+#
+# Error messages for the asn.1 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: asn1_err.et,v 1.5 1998/02/16 16:17:17 joda Exp $"
+
+error_table asn1
+prefix ASN1
+error_code BAD_TIMEFORMAT,	"ASN.1 failed call to system time library"
+error_code MISSING_FIELD,	"ASN.1 structure is missing a required field"
+error_code MISPLACED_FIELD,	"ASN.1 unexpected field number"
+error_code TYPE_MISMATCH,	"ASN.1 type numbers are inconsistent"
+error_code OVERFLOW,		"ASN.1 value too large"
+error_code OVERRUN,		"ASN.1 encoding ended unexpectedly"
+error_code BAD_ID,		"ASN.1 identifier doesn't match expected value"
+error_code BAD_LENGTH,		"ASN.1 length doesn't match expected value"
+error_code BAD_FORMAT,		"ASN.1 badly-formatted encoding"
+error_code PARSE_ERROR,		"ASN.1 parse error"
+end
diff --git a/crypto/heimdal/lib/asn1/asn1_print.c b/crypto/heimdal/lib/asn1/asn1_print.c
new file mode 100644
index 0000000..587d7e0
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/asn1_print.c
@@ -0,0 +1,242 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <getarg.h>
+#include <err.h>
+
+RCSID("$Id: asn1_print.c,v 1.7 2001/02/20 01:44:52 assar Exp $");
+
+static struct et_list *et_list;
+
+const char *class_names[] = {
+    "UNIV",			/* 0 */
+    "APPL",			/* 1 */
+    "CONTEXT",			/* 2 */
+    "PRIVATE"			/* 3 */
+};
+
+const char *type_names[] = {
+    "PRIM",			/* 0 */
+    "CONS"			/* 1 */
+};
+
+const char *tag_names[] = {
+    NULL,			/* 0 */
+    NULL,			/* 1 */
+    "Integer",			/* 2 */
+    "BitString",		/* 3 */
+    "OctetString",		/* 4 */
+    "Null",			/* 5 */
+    "ObjectID",			/* 6 */
+    NULL,			/* 7 */
+    NULL,			/* 8 */
+    NULL,			/* 9 */
+    NULL,			/* 10 */
+    NULL,			/* 11 */
+    NULL,			/* 12 */
+    NULL,			/* 13 */
+    NULL,			/* 14 */
+    NULL,			/* 15 */
+    "Sequence",			/* 16 */
+    "Set",			/* 17 */
+    NULL,			/* 18 */
+    "PrintableString",		/* 19 */
+    NULL,			/* 20 */
+    NULL,			/* 21 */
+    "IA5String",		/* 22 */
+    "UTCTime",			/* 23 */
+    "GeneralizedTime",		/* 24 */
+    NULL,			/* 25 */
+    "VisibleString",		/* 26 */
+    "GeneralString"		/* 27 */
+};
+
+static int
+loop (unsigned char *buf, size_t len, int indent)
+{
+    while (len > 0) {
+	int ret;
+	Der_class class;
+	Der_type type;
+	int tag;
+	size_t sz;
+	size_t length;
+	int i;
+
+	ret = der_get_tag (buf, len, &class, &type, &tag, &sz);
+	if (ret)
+	    errx (1, "der_get_tag: %s", com_right (et_list, ret));
+	if (sz > len)
+	    errx (1, "unreasonable length (%u) > %u",
+		  (unsigned)sz, (unsigned)len);
+	buf += sz;
+	len -= sz;
+	for (i = 0; i < indent; ++i)
+	    printf (" ");
+	printf ("%s %s ", class_names[class], type_names[type]);
+	if (tag_names[tag])
+	    printf ("%s = ", tag_names[tag]);
+	else
+	    printf ("tag %d = ", tag);
+	ret = der_get_length (buf, len, &length, &sz);
+	if (ret)
+	    errx (1, "der_get_tag: %s", com_right (et_list, ret));
+	buf += sz;
+	len -= sz;
+
+	if (class == CONTEXT) {
+	    printf ("[%d]\n", tag);
+	    loop (buf, length, indent);
+	} else if (class == UNIV) {
+	    switch (tag) {
+	    case UT_Sequence :
+		printf ("{\n");
+		loop (buf, length, indent + 2);
+		for (i = 0; i < indent; ++i)
+		    printf (" ");
+		printf ("}\n");
+		break;
+	    case UT_Integer : {
+		int val;
+
+		ret = der_get_int (buf, length, &val, NULL);
+		if (ret)
+		    errx (1, "der_get_int: %s", com_right (et_list, ret));
+		printf ("integer %d\n", val);
+		break;
+	    }
+	    case UT_OctetString : {
+		octet_string str;
+		int i;
+		unsigned char *uc;
+
+		ret = der_get_octet_string (buf, length, &str, NULL);
+		if (ret)
+		    errx (1, "der_get_octet_string: %s",
+			  com_right (et_list, ret));
+		printf ("(length %d), ", length);
+		uc = (unsigned char *)str.data;
+		for (i = 0; i < 16; ++i)
+		    printf ("%02x", uc[i]);
+		printf ("\n");
+		free (str.data);
+		break;
+	    }
+	    case UT_GeneralizedTime :
+	    case UT_GeneralString : {
+		general_string str;
+
+		ret = der_get_general_string (buf, length, &str, NULL);
+		if (ret)
+		    errx (1, "der_get_general_string: %s",
+			  com_right (et_list, ret));
+		printf ("\"%s\"\n", str);
+		free (str);
+		break;
+	    }
+	    default :
+		printf ("%d bytes\n", length);
+		break;
+	    }
+	}
+	buf += length;
+	len -= length;
+    }
+    return 0;
+}
+
+static int
+doit (const char *filename)
+{
+    int fd = open (filename, O_RDONLY);
+    struct stat sb;
+    unsigned char *buf;
+    size_t len;
+    int ret;
+
+    if(fd < 0)
+	err (1, "opening %s for read", filename);
+    if (fstat (fd, &sb) < 0)
+	err (1, "stat %s", filename);
+    len = sb.st_size;
+    buf = malloc (len);
+    if (buf == NULL)
+	err (1, "malloc %u", len);
+    if (read (fd, buf, len) != len)
+	errx (1, "read failed");
+    close (fd);
+    ret = loop (buf, len, 0);
+    free (buf);
+    return ret;
+}
+
+
+static int version_flag;
+static int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "dump-file");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+
+    setprogname (argv[0]);
+    initialize_asn1_error_table_r (&et_list);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    argv += optind;
+    argc -= optind;
+    if (argc != 1)
+	usage (1);
+    return doit (argv[0]);
+}
diff --git a/crypto/heimdal/lib/asn1/check-der.c b/crypto/heimdal/lib/asn1/check-der.c
new file mode 100644
index 0000000..a2f1217
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/check-der.c
@@ -0,0 +1,289 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <string.h>
+#include <err.h>
+#include <roken.h>
+
+#include <libasn1.h>
+
+RCSID("$Id: check-der.c,v 1.7 1999/12/02 17:05:01 joda Exp $");
+
+static void
+print_bytes (unsigned const char *buf, size_t len)
+{
+    int i;
+
+    for (i = 0; i < len; ++i)
+	printf ("%02x ", buf[i]);
+}
+
+struct test_case {
+    void *val;
+    int byte_len;
+    const unsigned char *bytes;
+    char *name;
+};
+
+static int
+generic_test (const struct test_case *tests,
+	      unsigned ntests,
+	      size_t data_size,
+	      int (*encode)(unsigned char *, size_t, void *, size_t *),
+	      int (*length)(void *),
+	      int (*decode)(unsigned char *, size_t, void *, size_t *),
+	      int (*cmp)(void *a, void *b))
+{
+    unsigned char buf[4711];
+    int i;
+    int failures = 0;
+    void *val = malloc (data_size);
+
+    if (data_size != 0 && val == NULL)
+	err (1, "malloc");
+
+    for (i = 0; i < ntests; ++i) {
+	int ret;
+	size_t sz, consumed_sz, length_sz;
+	unsigned char *beg;
+
+	ret = (*encode) (buf + sizeof(buf) - 1, sizeof(buf),
+			 tests[i].val, &sz);
+	beg = buf + sizeof(buf) - sz;
+	if (ret != 0) {
+	    printf ("encoding of %s failed\n", tests[i].name);
+	    ++failures;
+	}
+	if (sz != tests[i].byte_len) {
+	    printf ("encoding of %s has wrong len (%lu != %lu)\n",
+		    tests[i].name, 
+		    (unsigned long)sz, (unsigned long)tests[i].byte_len);
+	    ++failures;
+	}
+
+	length_sz = (*length) (tests[i].val);
+	if (sz != length_sz) {
+	    printf ("length for %s is bad (%lu != %lu)\n",
+		    tests[i].name, (unsigned long)length_sz, (unsigned long)sz);
+	    ++failures;
+	}
+
+	if (memcmp (beg, tests[i].bytes, tests[i].byte_len) != 0) {
+	    printf ("encoding of %s has bad bytes:\n"
+		    "correct: ", tests[i].name);
+	    print_bytes (tests[i].bytes, tests[i].byte_len);
+	    printf ("\nactual:  ");
+	    print_bytes (beg, sz);
+	    printf ("\n");
+	    ++failures;
+	}
+	ret = (*decode) (beg, sz, val, &consumed_sz);
+	if (ret != 0) {
+	    printf ("decoding of %s failed\n", tests[i].name);
+	    ++failures;
+	}
+	if (sz != consumed_sz) {
+	    printf ("different length decoding %s (%ld != %ld)\n",
+		    tests[i].name, 
+		    (unsigned long)sz, (unsigned long)consumed_sz);
+	    ++failures;
+	}
+	if ((*cmp)(val, tests[i].val) != 0) {
+	    printf ("%s: comparison failed\n", tests[i].name);
+	    ++failures;
+	}
+    }
+    free (val);
+    return failures;
+}
+
+static int
+cmp_integer (void *a, void *b)
+{
+    int *ia = (int *)a;
+    int *ib = (int *)b;
+
+    return *ib - *ia;
+}
+
+static int
+test_integer (void)
+{
+    struct test_case tests[] = {
+	{NULL, 3, "\x02\x01\x00"},
+	{NULL, 3, "\x02\x01\x7f"},
+	{NULL, 4, "\x02\x02\x00\x80"},
+	{NULL, 4, "\x02\x02\x01\x00"},
+	{NULL, 3, "\x02\x01\x80"},
+	{NULL, 4, "\x02\x02\xff\x7f"},
+	{NULL, 3, "\x02\x01\xff"},
+	{NULL, 4, "\x02\x02\xff\x01"},
+	{NULL, 4, "\x02\x02\x00\xff"},
+	{NULL, 6, "\x02\x04\x80\x00\x00\x00"},
+	{NULL, 6, "\x02\x04\x7f\xff\xff\xff"}
+    };
+
+    int values[] = {0, 127, 128, 256, -128, -129, -1, -255, 255,
+		    0x80000000, 0x7fffffff};
+    int i;
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    for (i = 0; i < ntests; ++i) {
+	tests[i].val = &values[i];
+	asprintf (&tests[i].name, "integer %d", values[i]);
+    }
+
+    return generic_test (tests, ntests, sizeof(int),
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))encode_integer,
+			 (int (*)(void *))length_integer,
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))decode_integer,
+			 cmp_integer);
+}
+
+static int
+cmp_octet_string (void *a, void *b)
+{
+    octet_string *oa = (octet_string *)a;
+    octet_string *ob = (octet_string *)b;
+
+    if (oa->length != ob->length)
+	return ob->length - oa->length;
+
+    return (memcmp (oa->data, ob->data, oa->length));
+}
+
+static int
+test_octet_string (void)
+{
+    octet_string s1 = {8, "\x01\x23\x45\x67\x89\xab\xcd\xef"};
+
+    struct test_case tests[] = {
+	{NULL, 10, "\x04\x08\x01\x23\x45\x67\x89\xab\xcd\xef"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    tests[0].val = &s1;
+    asprintf (&tests[0].name, "a octet string");
+
+    return generic_test (tests, ntests, sizeof(octet_string),
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))encode_octet_string,
+			 (int (*)(void *))length_octet_string,
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))decode_octet_string,
+			 cmp_octet_string);
+}
+
+static int
+cmp_general_string (void *a, void *b)
+{
+    unsigned char **sa = (unsigned char **)a;
+    unsigned char **sb = (unsigned char **)b;
+
+    return strcmp (*sa, *sb);
+}
+
+static int
+test_general_string (void)
+{
+    unsigned char *s1 = "Test User 1";
+
+    struct test_case tests[] = {
+	{NULL, 13, "\x1b\x0b\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31"}
+    };
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    tests[0].val = &s1;
+    asprintf (&tests[0].name, "the string \"%s\"", s1);
+
+    return generic_test (tests, ntests, sizeof(unsigned char *),
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))encode_general_string,
+			 (int (*)(void *))length_general_string,
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))decode_general_string,
+			 cmp_general_string);
+}
+
+static int
+cmp_generalized_time (void *a, void *b)
+{
+    time_t *ta = (time_t *)a;
+    time_t *tb = (time_t *)b;
+
+    return *tb - *ta;
+}
+
+static int
+test_generalized_time (void)
+{
+    struct test_case tests[] = {
+	{NULL, 17, "\x18\x0f""19700101000000Z"},
+	{NULL, 17, "\x18\x0f""19851106210627Z"}
+    };
+    time_t values[] = {0, 500159187};
+    int i;
+    int ntests = sizeof(tests) / sizeof(*tests);
+
+    for (i = 0; i < ntests; ++i) {
+	tests[i].val = &values[i];
+	asprintf (&tests[i].name, "time %d", (int)values[i]);
+    }
+
+    return generic_test (tests, ntests, sizeof(time_t),
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))encode_generalized_time,
+			 (int (*)(void *))length_generalized_time,
+			 (int (*)(unsigned char *, size_t,
+				  void *, size_t *))decode_generalized_time,
+			 cmp_generalized_time);
+}
+
+int
+main(int argc, char **argv)
+{
+    int ret = 0;
+
+    ret += test_integer ();
+    ret += test_octet_string ();
+    ret += test_general_string ();
+    ret += test_generalized_time ();
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/asn1/der.h b/crypto/heimdal/lib/asn1/der.h
new file mode 100644
index 0000000..f031f81
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: der.h,v 1.20 2001/01/29 08:31:27 assar Exp $ */
+
+#ifndef __DER_H__
+#define __DER_H__
+
+#include <time.h>
+
+typedef enum {UNIV = 0, APPL = 1, CONTEXT = 2 , PRIVATE = 3} Der_class;
+
+typedef enum {PRIM = 0, CONS = 1} Der_type;
+
+/* Universal tags */
+
+enum {
+     UT_Integer		= 2,	
+     UT_BitString	= 3,
+     UT_OctetString	= 4,
+     UT_Null		= 5,
+     UT_ObjID		= 6,
+     UT_Sequence	= 16,
+     UT_Set		= 17,
+     UT_PrintableString	= 19,
+     UT_IA5String	= 22,
+     UT_UTCTime		= 23,
+     UT_GeneralizedTime	= 24,
+     UT_VisibleString	= 26,
+     UT_GeneralString	= 27
+};
+
+#define ASN1_INDEFINITE 0xdce0deed
+
+#ifndef HAVE_TIMEGM
+time_t timegm (struct tm *);
+#endif
+
+int time2generalizedtime (time_t t, octet_string *s);
+
+int der_get_int (const unsigned char *p, size_t len, int *ret, size_t *size);
+int der_get_length (const unsigned char *p, size_t len,
+		    size_t *val, size_t *size);
+int der_get_general_string (const unsigned char *p, size_t len, 
+			    general_string *str, size_t *size);
+int der_get_octet_string (const unsigned char *p, size_t len, 
+			  octet_string *data, size_t *size);
+int der_get_tag (const unsigned char *p, size_t len, 
+		 Der_class *class, Der_type *type,
+		 int *tag, size_t *size);
+
+int der_match_tag (const unsigned char *p, size_t len, 
+		   Der_class class, Der_type type,
+		   int tag, size_t *size);
+int der_match_tag_and_length (const unsigned char *p, size_t len,
+			      Der_class class, Der_type type, int tag,
+			      size_t *length_ret, size_t *size);
+
+int decode_integer (const unsigned char*, size_t, int*, size_t*);
+int decode_unsigned (const unsigned char*, size_t, unsigned*, size_t*);
+int decode_general_string (const unsigned char*, size_t,
+			   general_string*, size_t*);
+int decode_octet_string (const unsigned char*, size_t, octet_string*, size_t*);
+int decode_generalized_time (const unsigned char*, size_t, time_t*, size_t*);
+
+int der_put_int (unsigned char *p, size_t len, int val, size_t*);
+int der_put_length (unsigned char *p, size_t len, size_t val, size_t*);
+int der_put_general_string (unsigned char *p, size_t len,
+			    const general_string *str, size_t*);
+int der_put_octet_string (unsigned char *p, size_t len,
+			  const octet_string *data, size_t*);
+int der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
+		 int tag, size_t*);
+int der_put_length_and_tag (unsigned char*, size_t, size_t, 
+			    Der_class, Der_type, int, size_t*);
+
+int encode_integer (unsigned char *p, size_t len,
+		    const int *data, size_t*);
+int encode_unsigned (unsigned char *p, size_t len,
+		     const unsigned *data, size_t*);
+int encode_general_string (unsigned char *p, size_t len, 
+			   const general_string *data, size_t*);
+int encode_octet_string (unsigned char *p, size_t len,
+			 const octet_string *k, size_t*);
+int encode_generalized_time (unsigned char *p, size_t len,
+			     const time_t *t, size_t*);
+
+void free_integer (int *num);
+void free_general_string (general_string *str);
+void free_octet_string (octet_string *k);
+void free_generalized_time (time_t *t);
+
+size_t length_len (size_t len);
+size_t length_integer (const int *data);
+size_t length_unsigned (const unsigned *data);
+size_t length_general_string (const general_string *data);
+size_t length_octet_string (const octet_string *k);
+size_t length_generalized_time (const time_t *t);
+
+int copy_general_string (const general_string *from, general_string *to);
+int copy_octet_string (const octet_string *from, octet_string *to);
+
+int fix_dce(size_t reallen, size_t *len);
+
+#endif /* __DER_H__ */
+
diff --git a/crypto/heimdal/lib/asn1/der_copy.c b/crypto/heimdal/lib/asn1/der_copy.c
new file mode 100644
index 0000000..83c2446
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_copy.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: der_copy.c,v 1.8 1999/12/02 17:05:01 joda Exp $");
+
+int
+copy_general_string (const general_string *from, general_string *to)
+{
+    *to = malloc(strlen(*from) + 1);
+    if(*to == NULL)
+	return ENOMEM;
+    strcpy(*to, *from);
+    return 0;
+}
+
+int
+copy_octet_string (const octet_string *from, octet_string *to)
+{
+    to->length = from->length;
+    to->data   = malloc(to->length);
+    if(to->length != 0 && to->data == NULL)
+	return ENOMEM;
+    memcpy(to->data, from->data, to->length);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/asn1/der_free.c b/crypto/heimdal/lib/asn1/der_free.c
new file mode 100644
index 0000000..7191e4e
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_free.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: der_free.c,v 1.7 1999/12/02 17:05:01 joda Exp $");
+
+void
+free_general_string (general_string *str)
+{
+    free(*str);
+}
+
+void
+free_octet_string (octet_string *k)
+{
+    free(k->data);
+}
diff --git a/crypto/heimdal/lib/asn1/der_get.c b/crypto/heimdal/lib/asn1/der_get.c
new file mode 100644
index 0000000..1a180da
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_get.c
@@ -0,0 +1,383 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: der_get.c,v 1.28 2000/04/06 17:19:53 assar Exp $");
+
+#include <version.h>
+
+/* 
+ * All decoding functions take a pointer `p' to first position in
+ * which to read, from the left, `len' which means the maximum number
+ * of characters we are able to read, `ret' were the value will be
+ * returned and `size' where the number of used bytes is stored.
+ * Either 0 or an error code is returned.
+ */
+
+static int
+der_get_unsigned (const unsigned char *p, size_t len,
+		  unsigned *ret, size_t *size)
+{
+    unsigned val = 0;
+    size_t oldlen = len;
+
+    while (len--)
+	val = val * 256 + *p++;
+    *ret = val;
+    if(size) *size = oldlen;
+    return 0;
+}
+
+int
+der_get_int (const unsigned char *p, size_t len,
+	     int *ret, size_t *size)
+{
+    int val = 0;
+    size_t oldlen = len;
+
+    if (len--)
+	val = (signed char)*p++;
+    while (len--)
+	val = val * 256 + *p++;
+    *ret = val;
+    if(size) *size = oldlen;
+    return 0;
+}
+
+int
+der_get_length (const unsigned char *p, size_t len,
+		size_t *val, size_t *size)
+{
+    size_t v;
+
+    if (len <= 0)
+	return ASN1_OVERRUN;
+    --len;
+    v = *p++;
+    if (v < 128) {
+	*val = v;
+	if(size) *size = 1;
+    } else {
+	int e;
+	size_t l;
+	unsigned tmp;
+
+	if(v == 0x80){
+	    *val = ASN1_INDEFINITE;
+	    if(size) *size = 1;
+	    return 0;
+	}
+	v &= 0x7F;
+	if (len < v)
+	    return ASN1_OVERRUN;
+	e = der_get_unsigned (p, v, &tmp, &l);
+	if(e) return e;
+	*val = tmp;
+	if(size) *size = l + 1;
+    }
+    return 0;
+}
+
+int
+der_get_general_string (const unsigned char *p, size_t len, 
+			general_string *str, size_t *size)
+{
+    char *s;
+
+    s = malloc (len + 1);
+    if (s == NULL)
+	return ENOMEM;
+    memcpy (s, p, len);
+    s[len] = '\0';
+    *str = s;
+    if(size) *size = len;
+    return 0;
+}
+
+int
+der_get_octet_string (const unsigned char *p, size_t len, 
+		      octet_string *data, size_t *size)
+{
+    data->length = len;
+    data->data = malloc(len);
+    if (data->data == NULL && data->length != 0)
+	return ENOMEM;
+    memcpy (data->data, p, len);
+    if(size) *size = len;
+    return 0;
+}
+
+int
+der_get_tag (const unsigned char *p, size_t len,
+	     Der_class *class, Der_type *type,
+	     int *tag, size_t *size)
+{
+    if (len < 1)
+	return ASN1_OVERRUN;
+    *class = (Der_class)(((*p) >> 6) & 0x03);
+    *type = (Der_type)(((*p) >> 5) & 0x01);
+    *tag = (*p) & 0x1F;
+    if(size) *size = 1;
+    return 0;
+}
+
+int
+der_match_tag (const unsigned char *p, size_t len,
+	       Der_class class, Der_type type,
+	       int tag, size_t *size)
+{
+    size_t l;
+    Der_class thisclass;
+    Der_type thistype;
+    int thistag;
+    int e;
+
+    e = der_get_tag (p, len, &thisclass, &thistype, &thistag, &l);
+    if (e) return e;
+    if (class != thisclass || type != thistype)
+	return ASN1_BAD_ID;
+    if(tag > thistag)
+	return ASN1_MISPLACED_FIELD;
+    if(tag < thistag)
+	return ASN1_MISSING_FIELD;
+    if(size) *size = l;
+    return 0;
+}
+
+int
+der_match_tag_and_length (const unsigned char *p, size_t len,
+			  Der_class class, Der_type type, int tag,
+			  size_t *length_ret, size_t *size)
+{
+    size_t l, ret = 0;
+    int e;
+
+    e = der_match_tag (p, len, class, type, tag, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    e = der_get_length (p, len, length_ret, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if(size) *size = ret;
+    return 0;
+}
+
+int
+decode_integer (const unsigned char *p, size_t len,
+		int *num, size_t *size)
+{
+    size_t ret = 0;
+    size_t l, reallen;
+    int e;
+
+    e = der_match_tag (p, len, UNIV, PRIM, UT_Integer, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    e = der_get_length (p, len, &reallen, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    e = der_get_int (p, reallen, num, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if(size) *size = ret;
+    return 0;
+}
+
+int
+decode_unsigned (const unsigned char *p, size_t len,
+		 unsigned *num, size_t *size)
+{
+    size_t ret = 0;
+    size_t l, reallen;
+    int e;
+
+    e = der_match_tag (p, len, UNIV, PRIM, UT_Integer, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    e = der_get_length (p, len, &reallen, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    e = der_get_unsigned (p, reallen, num, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if(size) *size = ret;
+    return 0;
+}
+
+int
+decode_general_string (const unsigned char *p, size_t len, 
+		       general_string *str, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+    size_t slen;
+
+    e = der_match_tag (p, len, UNIV, PRIM, UT_GeneralString, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+
+    e = der_get_length (p, len, &slen, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if (len < slen)
+	return ASN1_OVERRUN;
+
+    e = der_get_general_string (p, slen, str, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if(size) *size = ret;
+    return 0;
+}
+
+int
+decode_octet_string (const unsigned char *p, size_t len, 
+		     octet_string *k, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+    size_t slen;
+
+    e = der_match_tag (p, len, UNIV, PRIM, UT_OctetString, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+
+    e = der_get_length (p, len, &slen, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if (len < slen)
+	return ASN1_OVERRUN;
+
+    e = der_get_octet_string (p, slen, k, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if(size) *size = ret;
+    return 0;
+}
+
+static void
+generalizedtime2time (const char *s, time_t *t)
+{
+    struct tm tm;
+
+    memset(&tm, 0, sizeof(tm));
+    sscanf (s, "%04d%02d%02d%02d%02d%02dZ",
+	    &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
+	    &tm.tm_min, &tm.tm_sec);
+    tm.tm_year -= 1900;
+    tm.tm_mon -= 1;
+    *t = timegm (&tm);
+}
+
+int
+decode_generalized_time (const unsigned char *p, size_t len,
+			 time_t *t, size_t *size)
+{
+    octet_string k;
+    char *times;
+    size_t ret = 0;
+    size_t l;
+    int e;
+    size_t slen;
+
+    e = der_match_tag (p, len, UNIV, PRIM, UT_GeneralizedTime, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+
+    e = der_get_length (p, len, &slen, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    if (len < slen)
+	return ASN1_OVERRUN;
+    e = der_get_octet_string (p, slen, &k, &l);
+    if (e) return e;
+    p += l;
+    len -= l;
+    ret += l;
+    times = realloc(k.data, k.length + 1);
+    if (times == NULL){
+	free(k.data);
+	return ENOMEM;
+    }
+    times[k.length] = 0;
+    generalizedtime2time (times, t);
+    free (times);
+    if(size) *size = ret;
+    return 0;
+}
+
+
+int
+fix_dce(size_t reallen, size_t *len)
+{
+    if(reallen == ASN1_INDEFINITE)
+	return 1;
+    if(*len < reallen)
+	return -1;
+    *len = reallen;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/asn1/der_length.c b/crypto/heimdal/lib/asn1/der_length.c
new file mode 100644
index 0000000..d488f8f
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_length.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: der_length.c,v 1.11 2000/04/06 17:20:26 assar Exp $");
+
+static size_t
+len_unsigned (unsigned val)
+{
+  size_t ret = 0;
+
+  do {
+    ++ret;
+    val /= 256;
+  } while (val);
+  return ret;
+}
+
+static size_t
+len_int (int val)
+{
+  size_t ret = 0;
+
+  if (val == 0)
+    return 1;
+  while (val > 255 || val < -255) {
+    ++ret;
+    val /= 256;
+  }
+  if (val != 0) {
+    ++ret;
+    if ((signed char)val != val)
+      ++ret;
+    val /= 256;
+  }
+  return ret;
+}
+
+size_t
+length_len (size_t len)
+{
+  if (len < 128)
+    return 1;
+  else
+    return len_unsigned (len) + 1;
+}
+
+size_t
+length_integer (const int *data)
+{
+  size_t len = len_int (*data);
+
+  return 1 + length_len(len) + len;
+}
+
+size_t
+length_unsigned (const unsigned *data)
+{
+  size_t len = len_unsigned (*data);
+
+  return 1 + length_len(len) + len;
+}
+
+size_t
+length_general_string (const general_string *data)
+{
+  char *str = *data;
+  size_t len = strlen(str);
+  return 1 + length_len(len) + len;
+}
+
+size_t
+length_octet_string (const octet_string *k)
+{
+  return 1 + length_len(k->length) + k->length;
+}
+
+size_t
+length_generalized_time (const time_t *t)
+{
+  octet_string k;
+  size_t ret;
+
+  time2generalizedtime (*t, &k);
+  ret = 1 + length_len(k.length) + k.length;
+  free (k.data);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/asn1/der_locl.h b/crypto/heimdal/lib/asn1/der_locl.h
new file mode 100644
index 0000000..6eeb42d
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_locl.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: der_locl.h,v 1.3 1999/12/02 17:05:02 joda Exp $ */
+
+#ifndef __DER_LOCL_H__
+#define __DER_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <ctype.h>
+#include <time.h>
+#include <errno.h>
+#include <roken.h>
+
+#include <libasn1.h>
+
+#endif /* __DER_LOCL_H__ */
diff --git a/crypto/heimdal/lib/asn1/der_put.c b/crypto/heimdal/lib/asn1/der_put.c
new file mode 100644
index 0000000..1eda917
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/der_put.c
@@ -0,0 +1,340 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: der_put.c,v 1.24 2001/01/29 08:31:27 assar Exp $");
+
+/*
+ * All encoding functions take a pointer `p' to first position in
+ * which to write, from the right, `len' which means the maximum
+ * number of characters we are able to write and return an int
+ * indicating how many actually got written, or <0 in case of errors.
+ */
+
+static int
+der_put_unsigned (unsigned char *p, size_t len, unsigned val, size_t *size)
+{
+    unsigned char *base = p;
+
+    if (val) {
+	while (len > 0 && val) {
+	    *p-- = val % 256;
+	    val /= 256;
+	    --len;
+	}
+	if (val != 0)
+	    return ASN1_OVERFLOW;
+	else {
+	    *size = base - p;
+	    return 0;
+	}
+    } else if (len < 1)
+	return ASN1_OVERFLOW;
+    else {
+	*p    = 0;
+	*size = 1;
+	return 0;
+    }
+}
+
+int
+der_put_int (unsigned char *p, size_t len, int val, size_t *size)
+{
+    unsigned char *base = p;
+
+    if(val >= 0) {
+	do {
+	    if(len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = val % 256;
+	    len--;
+	    val /= 256;
+	} while(val);
+	if(p[1] >= 128) {
+	    if(len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = 0;
+	    len--;
+	}
+    } else {
+	val = ~val;
+	do {
+	    if(len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = ~(val % 256);
+	    len--;
+	    val /= 256;
+	} while(val);
+	if(p[1] < 128) {
+	    if(len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = 0xff;
+	    len--;
+	}
+    }
+    *size = base - p;
+    return 0;
+}
+
+
+int
+der_put_length (unsigned char *p, size_t len, size_t val, size_t *size)
+{
+    if (val < 128) {
+	if (len < 1)
+	    return ASN1_OVERFLOW;
+	else {
+	    *p = val;
+	    *size = 1;
+	    return 0;
+	}
+    } else {
+	size_t l;
+	int e;
+
+	e = der_put_unsigned (p, len - 1, val, &l);
+	if (e)
+	    return e;
+	p -= l;
+	*p = 0x80 | l;
+	*size = l + 1;
+	return 0;
+    }
+}
+
+int
+der_put_general_string (unsigned char *p, size_t len, 
+			const general_string *str, size_t *size)
+{
+    size_t slen = strlen(*str);
+
+    if (len < slen)
+	return ASN1_OVERFLOW;
+    p -= slen;
+    len -= slen;
+    memcpy (p+1, *str, slen);
+    *size = slen;
+    return 0;
+}
+
+int
+der_put_octet_string (unsigned char *p, size_t len, 
+		      const octet_string *data, size_t *size)
+{
+    if (len < data->length)
+	return ASN1_OVERFLOW;
+    p -= data->length;
+    len -= data->length;
+    memcpy (p+1, data->data, data->length);
+    *size = data->length;
+    return 0;
+}
+
+int
+der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
+	     int tag, size_t *size)
+{
+    if (len < 1)
+	return ASN1_OVERFLOW;
+    *p = (class << 6) | (type << 5) | tag; /* XXX */
+    *size = 1;
+    return 0;
+}
+
+int
+der_put_length_and_tag (unsigned char *p, size_t len, size_t len_val,
+			Der_class class, Der_type type, int tag, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+
+    e = der_put_length (p, len, len_val, &l);
+    if(e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_tag (p, len, class, type, tag, &l);
+    if(e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+int
+encode_integer (unsigned char *p, size_t len, const int *data, size_t *size)
+{
+    int num = *data;
+    size_t ret = 0;
+    size_t l;
+    int e;
+    
+    e = der_put_int (p, len, num, &l);
+    if(e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+int
+encode_unsigned (unsigned char *p, size_t len, const unsigned *data,
+		 size_t *size)
+{
+    unsigned num = *data;
+    size_t ret = 0;
+    size_t l;
+    int e;
+    
+    e = der_put_unsigned (p, len, num, &l);
+    if(e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+int
+encode_general_string (unsigned char *p, size_t len, 
+		       const general_string *data, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+
+    e = der_put_general_string (p, len, data, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_GeneralString, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+int
+encode_octet_string (unsigned char *p, size_t len, 
+		     const octet_string *k, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+
+    e = der_put_octet_string (p, len, k, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_OctetString, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+int
+time2generalizedtime (time_t t, octet_string *s)
+{
+     struct tm *tm;
+
+     s->data = malloc(16);
+     if (s->data == NULL)
+	 return ENOMEM;
+     s->length = 15;
+     tm = gmtime (&t);
+     sprintf (s->data, "%04d%02d%02d%02d%02d%02dZ", tm->tm_year + 1900,
+	      tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min,
+	      tm->tm_sec);
+     return 0;
+}
+
+int
+encode_generalized_time (unsigned char *p, size_t len,
+			 const time_t *t, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    octet_string k;
+    int e;
+
+    e = time2generalizedtime (*t, &k);
+    if (e)
+	return e;
+    e = der_put_octet_string (p, len, &k, &l);
+    free (k.data);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = der_put_length_and_tag (p, len, k.length, UNIV, PRIM, 
+				UT_GeneralizedTime, &l);
+    if (e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    *size = ret;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/asn1/gen.c b/crypto/heimdal/lib/asn1/gen.c
new file mode 100644
index 0000000..54212d9
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen.c
@@ -0,0 +1,375 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen.c,v 1.44 2000/06/19 15:17:52 joda Exp $");
+
+FILE *headerfile, *codefile, *logfile;
+
+#define STEM "asn1"
+
+static const char *orig_filename;
+static char header[1024];
+static char headerbase[1024] = STEM;
+
+const char *
+filename (void)
+{
+    return orig_filename;
+}
+
+void
+init_generate (const char *filename, const char *base)
+{
+    orig_filename = filename;
+    if(base)
+	strcpy(headerbase, base);
+    sprintf(header, "%s.h", headerbase);
+    headerfile = fopen (header, "w");
+    if (headerfile == NULL)
+	err (1, "open %s", header);
+    fprintf (headerfile,
+	     "/* Generated from %s */\n"
+	     "/* Do not edit */\n\n",
+	     filename);
+    fprintf (headerfile, 
+	     "#ifndef __%s_h__\n"
+	     "#define __%s_h__\n\n", headerbase, headerbase);
+    fprintf (headerfile, 
+	     "#include <stddef.h>\n"
+	     "#include <time.h>\n\n");
+#ifndef HAVE_TIMEGM
+    fprintf (headerfile, "time_t timegm (struct tm*);\n\n");
+#endif
+    fprintf (headerfile,
+	     "#ifndef __asn1_common_definitions__\n"
+	     "#define __asn1_common_definitions__\n\n");
+    fprintf (headerfile,
+	     "typedef struct octet_string {\n"
+	     "  size_t length;\n"
+	     "  void *data;\n"
+	     "} octet_string;\n\n");
+    fprintf (headerfile,
+#if 0
+	     "typedef struct general_string {\n"
+	     "  size_t length;\n"
+	     "  char *data;\n"
+	     "} general_string;\n\n"
+#else
+	     "typedef char *general_string;\n\n"
+#endif
+	     );
+    fprintf (headerfile, "#endif\n\n");
+    logfile = fopen(STEM "_files", "w");
+    if (logfile == NULL)
+	err (1, "open " STEM "_files");
+}
+
+void
+close_generate (void)
+{
+    fprintf (headerfile, "#endif /* __%s_h__ */\n", headerbase);
+
+    fclose (headerfile);
+    fprintf (logfile, "\n");
+    fclose (logfile);
+}
+
+void
+generate_constant (const Symbol *s)
+{
+  fprintf (headerfile, "enum { %s = %d };\n\n",
+	   s->gen_name, s->constant);
+}
+
+static void
+space(int level)
+{
+    while(level-- > 0)
+	fprintf(headerfile, "  ");
+}
+
+static void
+define_asn1 (int level, Type *t)
+{
+    switch (t->type) {
+    case TType:
+	space(level);
+	fprintf (headerfile, "%s", t->symbol->name);
+	break;
+    case TInteger:
+	space(level);
+	fprintf (headerfile, "INTEGER");
+	break;
+    case TUInteger:
+	space(level);
+	fprintf (headerfile, "UNSIGNED INTEGER");
+	break;
+    case TOctetString:
+	space(level);
+	fprintf (headerfile, "OCTET STRING");
+	break;
+    case TBitString: {
+	Member *m;
+	Type i;
+	int tag = -1;
+
+	i.type = TInteger;
+	space(level);
+	fprintf (headerfile, "BIT STRING {\n");
+	for (m = t->members; m && m->val != tag; m = m->next) {
+	    if (tag == -1)
+		tag = m->val;
+	    space(level + 1);
+	    fprintf (headerfile, "%s(%d)%s\n", m->name, m->val, 
+		     m->next->val == tag?"":",");
+
+	}
+	space(level);
+	fprintf (headerfile, "}");
+	break;
+    }
+    case TSequence: {
+	Member *m;
+	int tag;
+	int max_width = 0;
+
+	space(level);
+	fprintf (headerfile, "SEQUENCE {\n");
+	for (m = t->members, tag = -1; m && m->val != tag; m = m->next) {
+	    if (tag == -1)
+		tag = m->val;
+	    if(strlen(m->name) + (m->val > 9) > max_width)
+		max_width = strlen(m->name) + (m->val > 9);
+	}
+	max_width += 3 + 2;
+	if(max_width < 16) max_width = 16;
+	for (m = t->members, tag = -1 ; m && m->val != tag; m = m->next) {
+	    int width;
+	    if (tag == -1)
+		tag = m->val;
+	    space(level + 1);
+	    fprintf(headerfile, "%s[%d]", m->name, m->val);
+	    width = max_width - strlen(m->name) - 3 - (m->val > 9) - 2;
+	    fprintf(headerfile, "%*s", width, "");
+	    define_asn1(level + 1, m->type);
+	    if(m->optional)
+		fprintf(headerfile, " OPTIONAL");
+	    if(m->next->val != tag)
+		fprintf (headerfile, ",");
+	    fprintf (headerfile, "\n");
+	}
+	space(level);
+	fprintf (headerfile, "}");
+	break;
+    }
+    case TSequenceOf: {
+	space(level);
+	fprintf (headerfile, "SEQUENCE OF ");
+	define_asn1 (0, t->subtype);
+	break;
+    }
+    case TGeneralizedTime:
+	space(level);
+	fprintf (headerfile, "GeneralizedTime");
+	break;
+    case TGeneralString:
+	space(level);
+	fprintf (headerfile, "GeneralString");
+	break;
+    case TApplication:
+	fprintf (headerfile, "[APPLICATION %d] ", t->application);
+	define_asn1 (level, t->subtype);
+	break;
+    default:
+	abort ();
+    }
+}
+
+static void
+define_type (int level, char *name, Type *t, int typedefp)
+{
+    switch (t->type) {
+    case TType:
+	space(level);
+	fprintf (headerfile, "%s %s;\n", t->symbol->gen_name, name);
+	break;
+    case TInteger:
+	space(level);
+        if(t->members == NULL) {
+            fprintf (headerfile, "int %s;\n", name);
+        } else {
+            Member *m;
+            int tag = -1;
+            fprintf (headerfile, "enum %s {\n", typedefp ? name : "");
+	    for (m = t->members; m && m->val != tag; m = m->next) {
+                if(tag == -1)
+                    tag = m->val;
+                space (level + 1);
+                fprintf(headerfile, "%s = %d%s\n", m->gen_name, m->val, 
+                        m->next->val == tag ? "" : ",");
+            }
+            fprintf (headerfile, "} %s;\n", name);
+        }
+	break;
+    case TUInteger:
+	space(level);
+	fprintf (headerfile, "unsigned int %s;\n", name);
+	break;
+    case TOctetString:
+	space(level);
+	fprintf (headerfile, "octet_string %s;\n", name);
+	break;
+    case TBitString: {
+	Member *m;
+	Type i;
+	int tag = -1;
+
+	i.type = TUInteger;
+	space(level);
+	fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
+	for (m = t->members; m && m->val != tag; m = m->next) {
+	    char *n;
+
+	    asprintf (&n, "%s:1", m->gen_name);
+	    define_type (level + 1, n, &i, FALSE);
+	    free (n);
+	    if (tag == -1)
+		tag = m->val;
+	}
+	space(level);
+	fprintf (headerfile, "} %s;\n\n", name);
+	break;
+    }
+    case TSequence: {
+	Member *m;
+	int tag = -1;
+
+	space(level);
+	fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
+	for (m = t->members; m && m->val != tag; m = m->next) {
+	    if (m->optional) {
+		char *n;
+
+		asprintf (&n, "*%s", m->gen_name);
+		define_type (level + 1, n, m->type, FALSE);
+		free (n);
+	    } else
+		define_type (level + 1, m->gen_name, m->type, FALSE);
+	    if (tag == -1)
+		tag = m->val;
+	}
+	space(level);
+	fprintf (headerfile, "} %s;\n", name);
+	break;
+    }
+    case TSequenceOf: {
+	Type i;
+
+	i.type = TUInteger;
+	i.application = 0;
+
+	space(level);
+	fprintf (headerfile, "struct %s {\n", typedefp ? name : "");
+	define_type (level + 1, "len", &i, FALSE);
+	define_type (level + 1, "*val", t->subtype, FALSE);
+	space(level);
+	fprintf (headerfile, "} %s;\n", name);
+	break;
+    }
+    case TGeneralizedTime:
+	space(level);
+	fprintf (headerfile, "time_t %s;\n", name);
+	break;
+    case TGeneralString:
+	space(level);
+	fprintf (headerfile, "general_string %s;\n", name);
+	break;
+    case TApplication:
+	define_type (level, name, t->subtype, FALSE);
+	break;
+    default:
+	abort ();
+    }
+}
+
+static void
+generate_type_header (const Symbol *s)
+{
+    fprintf (headerfile, "/*\n");
+    fprintf (headerfile, "%s ::= ", s->name);
+    define_asn1 (0, s->type);
+    fprintf (headerfile, "\n*/\n\n");
+
+    fprintf (headerfile, "typedef ");
+    define_type (0, s->gen_name, s->type, TRUE);
+
+    fprintf (headerfile, "\n");
+}
+
+
+void
+generate_type (const Symbol *s)
+{
+    char *filename;
+
+    asprintf (&filename, "%s_%s.x", STEM, s->gen_name);
+    codefile = fopen (filename, "w");
+    if (codefile == NULL)
+	err (1, "fopen %s", filename);
+    fprintf(logfile, "%s ", filename);
+    free(filename);
+    fprintf (codefile, 
+	     "/* Generated from %s */\n"
+	     "/* Do not edit */\n\n"
+	     "#include \"libasn1.h\"\n\n"
+#if 0
+	     "#include <stdio.h>\n"
+	     "#include <stdlib.h>\n"
+	     "#include <time.h>\n"
+	     "#include <" STEM ".h>\n\n"
+	     "#include <asn1_err.h>\n"
+	     "#include <der.h>\n"
+#endif
+	     ,orig_filename);
+    generate_type_header (s);
+    generate_type_encode (s);
+    generate_type_decode (s);
+    generate_type_free (s);
+    generate_type_length (s);
+    generate_type_copy (s);
+    generate_glue (s);
+    fprintf(headerfile, "\n\n");
+    fclose(codefile);
+}
diff --git a/crypto/heimdal/lib/asn1/gen.h b/crypto/heimdal/lib/asn1/gen.h
new file mode 100644
index 0000000..369b6e3
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gen.h,v 1.4 1999/12/02 17:05:02 joda Exp $ */
+
+#include <stdio.h>
+#include "symbol.h"
+
diff --git a/crypto/heimdal/lib/asn1/gen_copy.c b/crypto/heimdal/lib/asn1/gen_copy.c
new file mode 100644
index 0000000..7d414a9
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_copy.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_copy.c,v 1.11 2000/04/06 17:22:05 assar Exp $");
+
+static void
+copy_primitive (const char *typename, const char *from, const char *to)
+{
+    fprintf (codefile, "if(copy_%s(%s, %s)) return ENOMEM;\n", 
+	     typename, from, to);
+}
+
+static void
+copy_type (const char *from, const char *to, const Type *t)
+{
+  switch (t->type) {
+  case TType:
+#if 0
+      copy_type (from, to, t->symbol->type);
+#endif
+      fprintf (codefile, "if(copy_%s(%s, %s)) return ENOMEM;\n", 
+	       t->symbol->gen_name, from, to);
+      break;
+  case TInteger:
+  case TUInteger:
+      fprintf(codefile, "*(%s) = *(%s);\n", to, from);
+      break;
+  case TOctetString:
+      copy_primitive ("octet_string", from, to);
+      break;
+  case TBitString: {
+      fprintf(codefile, "*(%s) = *(%s);\n", to, from);
+      break;
+  }
+  case TSequence: {
+      Member *m;
+      int tag = -1;
+
+      if (t->members == NULL)
+	  break;
+      
+      for (m = t->members; m && tag != m->val; m = m->next) {
+	  char *f;
+	  char *t;
+
+	  asprintf (&f, "%s(%s)->%s",
+		    m->optional ? "" : "&", from, m->gen_name);
+	  asprintf (&t, "%s(%s)->%s",
+		    m->optional ? "" : "&", to, m->gen_name);
+	  if(m->optional){
+	      fprintf(codefile, "if(%s) {\n", f);
+	      fprintf(codefile, "%s = malloc(sizeof(*%s));\n", t, t);
+	      fprintf(codefile, "if(%s == NULL) return ENOMEM;\n", t);
+	  }
+	  copy_type (f, t, m->type);
+	  if(m->optional){
+	      fprintf(codefile, "}else\n");
+	      fprintf(codefile, "%s = NULL;\n", t);
+	  }
+	  if (tag == -1)
+	      tag = m->val;
+	  free (f);
+	  free (t);
+      }
+      break;
+  }
+  case TSequenceOf: {
+      char *f;
+      char *T;
+
+      fprintf (codefile, "if(((%s)->val = "
+	       "malloc((%s)->len * sizeof(*(%s)->val))) == NULL && (%s)->len != 0)\n", 
+	       to, from, to, from);
+      fprintf (codefile, "return ENOMEM;\n");
+      fprintf(codefile,
+	      "for((%s)->len = 0; (%s)->len < (%s)->len; (%s)->len++){\n",
+	      to, to, from, to);
+      asprintf(&f, "&(%s)->val[(%s)->len]", from, to);
+      asprintf(&T, "&(%s)->val[(%s)->len]", to, to);
+      copy_type(f, T, t->subtype);
+      fprintf(codefile, "}\n");
+      free(f);
+      free(T);
+      break;
+  }
+  case TGeneralizedTime:
+      fprintf(codefile, "*(%s) = *(%s);\n", to, from);
+      break;
+  case TGeneralString:
+      copy_primitive ("general_string", from, to);
+      break;
+  case TApplication:
+      copy_type (from, to, t->subtype);
+      break;
+  default :
+      abort ();
+  }
+}
+
+void
+generate_type_copy (const Symbol *s)
+{
+  fprintf (headerfile,
+	   "int    copy_%s  (const %s *, %s *);\n",
+	   s->gen_name, s->gen_name, s->gen_name);
+
+  fprintf (codefile, "int\n"
+	   "copy_%s(const %s *from, %s *to)\n"
+	   "{\n",
+	   s->gen_name, s->gen_name, s->gen_name);
+
+  copy_type ("from", "to", s->type);
+  fprintf (codefile, "return 0;\n}\n\n");
+}
+
diff --git a/crypto/heimdal/lib/asn1/gen_decode.c b/crypto/heimdal/lib/asn1/gen_decode.c
new file mode 100644
index 0000000..9303698
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_decode.c
@@ -0,0 +1,388 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_decode.c,v 1.16 2001/02/10 18:14:38 assar Exp $");
+
+static void
+decode_primitive (const char *typename, const char *name)
+{
+    fprintf (codefile,
+	     "e = decode_%s(p, len, %s, &l);\n"
+	     "FORW;\n",
+	     typename,
+	     name);
+}
+
+static void
+decode_type (const char *name, const Type *t)
+{
+    switch (t->type) {
+    case TType:
+#if 0
+	decode_type (name, t->symbol->type);
+#endif
+	fprintf (codefile,
+		 "e = decode_%s(p, len, %s, &l);\n"
+		 "FORW;\n",
+		 t->symbol->gen_name, name);
+	break;
+    case TInteger:
+	if(t->members == NULL)
+	    decode_primitive ("integer", name);
+	else {
+	    char *s;
+	    asprintf(&s, "(int*)%s", name);
+	    if(s == NULL)
+		errx (1, "out of memory");
+	    decode_primitive ("integer", s);
+	    free(s);
+	}
+	break;
+    case TUInteger:
+	decode_primitive ("unsigned", name);
+	break;
+    case TOctetString:
+	decode_primitive ("octet_string", name);
+	break;
+    case TBitString: {
+	Member *m;
+	int tag = -1;
+	int pos;
+
+	fprintf (codefile,
+		 "e = der_match_tag_and_length (p, len, UNIV, PRIM, UT_BitString,"
+		 "&reallen, &l);\n"
+		 "FORW;\n"
+		 "if(len < reallen)\n"
+		 "return ASN1_OVERRUN;\n"
+		 "p++;\n"
+		 "len--;\n"
+		 "reallen--;\n"
+		 "ret++;\n");
+	pos = 0;
+	for (m = t->members; m && tag != m->val; m = m->next) {
+	    while (m->val / 8 > pos / 8) {
+		fprintf (codefile,
+			 "p++; len--; reallen--; ret++;\n");
+		pos += 8;
+	    }
+	    fprintf (codefile,
+		     "%s->%s = (*p >> %d) & 1;\n",
+		     name, m->gen_name, 7 - m->val % 8);
+	    if (tag == -1)
+		tag = m->val;
+	}
+	fprintf (codefile,
+		 "p += reallen; len -= reallen; ret += reallen;\n");
+	break;
+    }
+    case TSequence: {
+	Member *m;
+	int tag = -1;
+
+	if (t->members == NULL)
+	    break;
+
+	fprintf (codefile,
+		 "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence,"
+		 "&reallen, &l);\n"
+		 "FORW;\n"
+		 "{\n"
+		 "int dce_fix;\n"
+		 "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
+		 "return ASN1_BAD_FORMAT;\n");
+
+	for (m = t->members; m && tag != m->val; m = m->next) {
+	    char *s;
+
+	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
+	    if (0 && m->type->type == TType){
+		if(m->optional)
+		    fprintf (codefile,
+			     "%s = malloc(sizeof(*%s));\n"
+			     "if(%s == NULL) return ENOMEM;\n", s, s, s);
+		fprintf (codefile, 
+			 "e = decode_seq_%s(p, len, %d, %d, %s, &l);\n",
+			 m->type->symbol->gen_name,
+			 m->val, 
+			 m->optional,
+			 s);
+		if(m->optional)
+		    fprintf (codefile, 
+			     "if (e == ASN1_MISSING_FIELD) {\n"
+			     "free(%s);\n"
+			     "%s = NULL;\n"
+			     "e = l = 0;\n"
+			     "}\n",
+			     s, s);
+	  
+		fprintf (codefile, "FORW;\n");
+	  
+	    }else{
+		fprintf (codefile, "{\n"
+			 "size_t newlen, oldlen;\n\n"
+			 "e = der_match_tag (p, len, CONTEXT, CONS, %d, &l);\n",
+			 m->val);
+		fprintf (codefile,
+			 "if (e)\n");
+		if(m->optional)
+		    /* XXX should look at e */
+		    fprintf (codefile,
+			     "%s = NULL;\n", s);
+		else
+		    fprintf (codefile,
+			     "return e;\n");
+		fprintf (codefile, 
+			 "else {\n");
+		fprintf (codefile,
+			 "p += l;\n"
+			 "len -= l;\n"
+			 "ret += l;\n"
+			 "e = der_get_length (p, len, &newlen, &l);\n"
+			 "FORW;\n"
+			 "{\n"
+	       
+			 "int dce_fix;\n"
+			 "oldlen = len;\n"
+			 "if((dce_fix = fix_dce(newlen, &len)) < 0)"
+			 "return ASN1_BAD_FORMAT;\n");
+		if (m->optional)
+		    fprintf (codefile,
+			     "%s = malloc(sizeof(*%s));\n"
+			     "if(%s == NULL) return ENOMEM;\n", s, s, s);
+		decode_type (s, m->type);
+		fprintf (codefile,
+			 "if(dce_fix){\n"
+			 "e = der_match_tag_and_length (p, len, "
+			 "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+			 "FORW;\n"
+			 "}else \n"
+			 "len = oldlen - newlen;\n"
+			 "}\n"
+			 "}\n");
+		fprintf (codefile,
+			 "}\n");
+	    }
+	    if (tag == -1)
+		tag = m->val;
+	    free (s);
+	}
+	fprintf(codefile,
+		"if(dce_fix){\n"
+		"e = der_match_tag_and_length (p, len, "
+		"(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+		"FORW;\n"
+		"}\n"
+		"}\n");
+
+	break;
+    }
+    case TSequenceOf: {
+	char *n;
+
+	fprintf (codefile,
+		 "e = der_match_tag_and_length (p, len, UNIV, CONS, UT_Sequence,"
+		 "&reallen, &l);\n"
+		 "FORW;\n"
+		 "if(len < reallen)\n"
+		 "return ASN1_OVERRUN;\n"
+		 "len = reallen;\n");
+
+	fprintf (codefile,
+		 "{\n"
+		 "size_t origlen = len;\n"
+		 "int oldret = ret;\n"
+		 "ret = 0;\n"
+		 "(%s)->len = 0;\n"
+		 "(%s)->val = NULL;\n"
+		 "while(ret < origlen) {\n"
+		 "(%s)->len++;\n"
+		 "(%s)->val = realloc((%s)->val, sizeof(*((%s)->val)) * (%s)->len);\n",
+		 name, name, name, name, name, name, name);
+	asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
+	decode_type (n, t->subtype);
+	fprintf (codefile, 
+		 "len = origlen - ret;\n"
+		 "}\n"
+		 "ret += oldret;\n"
+		 "}\n");
+	free (n);
+	break;
+    }
+    case TGeneralizedTime:
+	decode_primitive ("generalized_time", name);
+	break;
+    case TGeneralString:
+	decode_primitive ("general_string", name);
+	break;
+    case TApplication:
+	fprintf (codefile,
+		 "e = der_match_tag_and_length (p, len, APPL, CONS, %d, "
+		 "&reallen, &l);\n"
+		 "FORW;\n"
+		 "{\n"
+		 "int dce_fix;\n"
+		 "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
+		 "return ASN1_BAD_FORMAT;\n", 
+		 t->application);
+	decode_type (name, t->subtype);
+	fprintf(codefile,
+		"if(dce_fix){\n"
+		"e = der_match_tag_and_length (p, len, "
+		"(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+		"FORW;\n"
+		"}\n"
+		"}\n");
+
+	break;
+    default :
+	abort ();
+    }
+}
+
+void
+generate_type_decode (const Symbol *s)
+{
+  fprintf (headerfile,
+	   "int    "
+	   "decode_%s(const unsigned char *, size_t, %s *, size_t *);\n",
+	   s->gen_name, s->gen_name);
+
+  fprintf (codefile, "#define FORW "
+	   "if(e) goto fail; "
+	   "p += l; "
+	   "len -= l; "
+	   "ret += l\n\n");
+
+
+  fprintf (codefile, "int\n"
+	   "decode_%s(const unsigned char *p,"
+	   " size_t len, %s *data, size_t *size)\n"
+	   "{\n",
+	   s->gen_name, s->gen_name);
+
+  switch (s->type->type) {
+  case TInteger:
+  case TUInteger:
+  case TOctetString:
+  case TGeneralizedTime:
+  case TGeneralString:
+  case TBitString:
+  case TSequence:
+  case TSequenceOf:
+  case TApplication:
+  case TType:
+    fprintf (codefile,
+	     "size_t ret = 0, reallen;\n"
+	     "size_t l;\n"
+	     "int i, e;\n\n");
+    fprintf (codefile, "memset(data, 0, sizeof(*data));\n");
+    fprintf (codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
+    fprintf (codefile, "reallen = 0;\n"); /* hack to avoid `unused variable' */
+
+    decode_type ("data", s->type);
+    fprintf (codefile, 
+	     "if(size) *size = ret;\n"
+	     "return 0;\n");
+    fprintf (codefile,
+	     "fail:\n"
+	     "free_%s(data);\n"
+	     "return e;\n",
+	     s->gen_name);
+    break;
+  default:
+    abort ();
+  }
+  fprintf (codefile, "}\n\n");
+}
+
+void
+generate_seq_type_decode (const Symbol *s)
+{
+    fprintf (headerfile,
+	     "int decode_seq_%s(const unsigned char *, size_t, int, int, "
+	     "%s *, size_t *);\n",
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile, "int\n"
+	     "decode_seq_%s(const unsigned char *p, size_t len, int tag, "
+	     "int optional, %s *data, size_t *size)\n"
+	     "{\n",
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile,
+	     "size_t newlen, oldlen;\n"
+	     "size_t l, ret = 0;\n"
+	     "int e;\n"
+	     "int dce_fix;\n");
+    
+    fprintf (codefile,
+	     "e = der_match_tag(p, len, CONTEXT, CONS, tag, &l);\n"
+	     "if (e)\n"
+	     "return e;\n");
+    fprintf (codefile, 
+	     "p += l;\n"
+	     "len -= l;\n"
+	     "ret += l;\n"
+	     "e = der_get_length(p, len, &newlen, &l);\n"
+	     "if (e)\n"
+	     "return e;\n"
+	     "p += l;\n"
+	     "len -= l;\n"
+	     "ret += l;\n"
+	     "oldlen = len;\n"
+	     "if ((dce_fix = fix_dce(newlen, &len)) < 0)\n"
+	     "return ASN1_BAD_FORMAT;\n"
+	     "e = decode_%s(p, len, data, &l);\n"
+	     "if (e)\n"
+	     "return e;\n"
+	     "p += l;\n"
+	     "len -= l;\n"
+	     "ret += l;\n"
+	     "if (dce_fix) {\n"
+	     "size_t reallen;\n\n"
+	     "e = der_match_tag_and_length(p, len, "
+	     "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
+	     "if (e)\n"
+	     "return e;\n"
+	     "ret += l;\n"
+	     "}\n",
+	     s->gen_name);
+    fprintf (codefile, 
+	     "if(size) *size = ret;\n"
+	     "return 0;\n");
+
+    fprintf (codefile, "}\n\n");
+}
diff --git a/crypto/heimdal/lib/asn1/gen_encode.c b/crypto/heimdal/lib/asn1/gen_encode.c
new file mode 100644
index 0000000..367ca37
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_encode.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_encode.c,v 1.11 2000/06/19 15:19:08 joda Exp $");
+
+static void
+encode_primitive (const char *typename, const char *name)
+{
+    fprintf (codefile,
+	     "e = encode_%s(p, len, %s, &l);\n"
+	     "BACK;\n",
+	     typename,
+	     name);
+}
+
+static void
+encode_type (const char *name, const Type *t)
+{
+    switch (t->type) {
+    case TType:
+#if 0
+	encode_type (name, t->symbol->type);
+#endif
+	fprintf (codefile,
+		 "e = encode_%s(p, len, %s, &l);\n"
+		 "BACK;\n",
+		 t->symbol->gen_name, name);
+	break;
+    case TInteger:
+	if(t->members == NULL)
+	    encode_primitive ("integer", name);
+	else {
+	    char *s;
+	    asprintf(&s, "(const int*)%s", name);
+	    if(s == NULL)
+		errx(1, "out of memory");
+	    encode_primitive ("integer", s);
+	    free(s);
+	}
+	break;
+    case TUInteger:
+	encode_primitive ("unsigned", name);
+	break;
+    case TOctetString:
+	encode_primitive ("octet_string", name);
+	break;
+    case TBitString: {
+	Member *m;
+	int pos;
+	int rest;
+	int tag = -1;
+
+	if (t->members == NULL)
+	    break;
+
+	fprintf (codefile, "{\n"
+		 "unsigned char c = 0;\n");
+	pos = t->members->prev->val;
+	/* fix for buggy MIT (and OSF?) code */
+	if (pos > 31)
+	    abort ();
+	/*
+	 * It seems that if we do not always set pos to 31 here, the MIT
+	 * code will do the wrong thing.
+	 *
+	 * I hate ASN.1 (and DER), but I hate it even more when everybody
+	 * has to screw it up differently.
+	 */
+	pos = 31;
+	rest = 7 - (pos % 8);
+
+	for (m = t->members->prev; m && tag != m->val; m = m->prev) {
+	    while (m->val / 8 < pos / 8) {
+		fprintf (codefile,
+			 "*p-- = c; len--; ret++;\n"
+			 "c = 0;\n");
+		pos -= 8;
+	    }
+	    fprintf (codefile,
+		     "if(%s->%s) c |= 1<<%d;\n", name, m->gen_name,
+		     7 - m->val % 8);
+
+	    if (tag == -1)
+		tag = m->val;
+	}
+
+	fprintf (codefile, 
+		 "*p-- = c;\n"
+		 "*p-- = %d;\n"
+		 "len -= 2;\n"
+		 "ret += 2;\n"
+		 "}\n\n"
+		 "e = der_put_length_and_tag (p, len, ret, UNIV, PRIM,"
+		 "UT_BitString, &l);\n"
+		 "BACK;\n",
+		 rest);
+	break;
+    }
+    case TSequence: {
+	Member *m;
+	int tag = -1;
+
+	if (t->members == NULL)
+	    break;
+
+	for (m = t->members->prev; m && tag != m->val; m = m->prev) {
+	    char *s;
+
+	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
+	    if (m->optional)
+		fprintf (codefile,
+			 "if(%s)\n",
+			 s);
+#if 1
+	    fprintf (codefile, "{\n"
+		     "int oldret = ret;\n"
+		     "ret = 0;\n");
+#endif
+	    encode_type (s, m->type);
+	    fprintf (codefile,
+		     "e = der_put_length_and_tag (p, len, ret, CONTEXT, CONS, "
+		     "%d, &l);\n"
+		     "BACK;\n",
+		     m->val);
+#if 1
+	    fprintf (codefile,
+		     "ret += oldret;\n"
+		     "}\n");
+#endif
+	    if (tag == -1)
+		tag = m->val;
+	    free (s);
+	}
+	fprintf (codefile,
+		 "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
+		 "BACK;\n");
+	break;
+    }
+    case TSequenceOf: {
+	char *n;
+
+	fprintf (codefile,
+		 "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+#if 1
+		 "int oldret = ret;\n"
+		 "ret = 0;\n",
+#else
+		 ,
+#endif
+		 name);
+	asprintf (&n, "&(%s)->val[i]", name);
+	encode_type (n, t->subtype);
+	fprintf (codefile,
+#if 1
+		 "ret += oldret;\n"
+#endif
+		 "}\n"
+		 "e = der_put_length_and_tag (p, len, ret, UNIV, CONS, UT_Sequence, &l);\n"
+		 "BACK;\n");
+	free (n);
+	break;
+    }
+    case TGeneralizedTime:
+	encode_primitive ("generalized_time", name);
+	break;
+    case TGeneralString:
+	encode_primitive ("general_string", name);
+	break;
+    case TApplication:
+	encode_type (name, t->subtype);
+	fprintf (codefile,
+		 "e = der_put_length_and_tag (p, len, ret, APPL, CONS, %d, &l);\n"
+		 "BACK;\n",
+		 t->application);
+	break;
+    default:
+	abort ();
+    }
+}
+
+void
+generate_type_encode (const Symbol *s)
+{
+  fprintf (headerfile,
+	   "int    "
+	   "encode_%s(unsigned char *, size_t, const %s *, size_t *);\n",
+	   s->gen_name, s->gen_name);
+
+  fprintf (codefile, "#define BACK if (e) return e; p -= l; len -= l; ret += l\n\n");
+
+
+  fprintf (codefile, "int\n"
+	   "encode_%s(unsigned char *p, size_t len,"
+	   " const %s *data, size_t *size)\n"
+	   "{\n",
+	   s->gen_name, s->gen_name);
+
+  switch (s->type->type) {
+  case TInteger:
+  case TUInteger:
+  case TOctetString:
+  case TGeneralizedTime:
+  case TGeneralString:
+  case TBitString:
+  case TSequence:
+  case TSequenceOf:
+  case TApplication:
+  case TType:
+    fprintf (codefile,
+	     "size_t ret = 0;\n"
+	     "size_t l;\n"
+	     "int i, e;\n\n");
+    fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
+    
+      encode_type("data", s->type);
+
+    fprintf (codefile, "*size = ret;\n"
+	     "return 0;\n");
+    break;
+  default:
+    abort ();
+  }
+  fprintf (codefile, "}\n\n");
+}
diff --git a/crypto/heimdal/lib/asn1/gen_free.c b/crypto/heimdal/lib/asn1/gen_free.c
new file mode 100644
index 0000000..20ae521
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_free.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_free.c,v 1.8 2000/04/06 17:24:02 assar Exp $");
+
+static void
+free_primitive (const char *typename, const char *name)
+{
+    fprintf (codefile, "free_%s(%s);\n", typename, name);
+}
+
+static void
+free_type (const char *name, const Type *t)
+{
+  switch (t->type) {
+  case TType:
+#if 0
+      free_type (name, t->symbol->type);
+#endif
+      fprintf (codefile, "free_%s(%s);\n", t->symbol->gen_name, name);
+      break;
+  case TInteger:
+  case TUInteger:
+      break;
+  case TOctetString:
+      free_primitive ("octet_string", name);
+      break;
+  case TBitString: {
+      break;
+  }
+  case TSequence: {
+      Member *m;
+      int tag = -1;
+
+      if (t->members == NULL)
+	  break;
+      
+      for (m = t->members; m && tag != m->val; m = m->next) {
+	  char *s;
+
+	  asprintf (&s, "%s(%s)->%s",
+		    m->optional ? "" : "&", name, m->gen_name);
+	  if(m->optional)
+	      fprintf(codefile, "if(%s) {\n", s);
+	  free_type (s, m->type);
+	  if(m->optional)
+	      fprintf(codefile, 
+		      "free(%s);\n"
+		      "}\n",s);
+	  if (tag == -1)
+	      tag = m->val;
+	  free (s);
+      }
+      break;
+  }
+  case TSequenceOf: {
+      char *n;
+
+      fprintf (codefile, "while((%s)->len){\n", name);
+      asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
+      free_type(n, t->subtype);
+      fprintf(codefile, 
+	      "(%s)->len--;\n"
+	      "}\n",
+	      name);
+      fprintf(codefile,
+	      "free((%s)->val);\n", name);
+      free(n);
+      break;
+  }
+  case TGeneralizedTime:
+      break;
+  case TGeneralString:
+      free_primitive ("general_string", name);
+      break;
+  case TApplication:
+      free_type (name, t->subtype);
+      break;
+  default :
+      abort ();
+  }
+}
+
+void
+generate_type_free (const Symbol *s)
+{
+  fprintf (headerfile,
+	   "void   free_%s  (%s *);\n",
+	   s->gen_name, s->gen_name);
+
+  fprintf (codefile, "void\n"
+	   "free_%s(%s *data)\n"
+	   "{\n",
+	   s->gen_name, s->gen_name);
+
+  free_type ("data", s->type);
+  fprintf (codefile, "}\n\n");
+}
+
diff --git a/crypto/heimdal/lib/asn1/gen_glue.c b/crypto/heimdal/lib/asn1/gen_glue.c
new file mode 100644
index 0000000..2f6280a
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_glue.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_glue.c,v 1.7 1999/12/02 17:05:02 joda Exp $");
+
+static void
+generate_2int (const Symbol *s)
+{
+    Type *t = s->type;
+    Member *m;
+    int tag = -1;
+
+    fprintf (headerfile,
+	     "unsigned %s2int(%s);\n",
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile,
+	     "unsigned %s2int(%s f)\n"
+	     "{\n"
+	     "unsigned r = 0;\n",
+	     s->gen_name, s->gen_name);
+
+    for (m = t->members; m && m->val != tag; m = m->next) {
+	fprintf (codefile, "if(f.%s) r |= (1U << %d);\n",
+		 m->gen_name, m->val);
+	
+	if (tag == -1)
+	    tag = m->val;
+    }
+    fprintf (codefile, "return r;\n"
+	     "}\n\n");
+}
+
+static void
+generate_int2 (const Symbol *s)
+{
+    Type *t = s->type;
+    Member *m;
+    int tag = -1;
+
+    fprintf (headerfile,
+	     "%s int2%s(unsigned);\n",
+	     s->gen_name, s->gen_name);
+
+    fprintf (codefile,
+	     "%s int2%s(unsigned n)\n"
+	     "{\n"
+	     "\t%s flags;\n\n",
+	     s->gen_name, s->gen_name, s->gen_name);
+
+    for (m = t->members; m && m->val != tag; m = m->next) {
+	fprintf (codefile, "\tflags.%s = (n >> %d) & 1;\n",
+		 m->gen_name, m->val);
+	
+	if (tag == -1)
+	    tag = m->val;
+    }
+    fprintf (codefile, "\treturn flags;\n"
+	     "}\n\n");
+}
+
+/*
+ * This depends on the bit string being declared in increasing order
+ */
+
+static void
+generate_units (const Symbol *s)
+{
+    Type *t = s->type;
+    Member *m;
+    int tag = -1;
+
+    fprintf (headerfile,
+	     "extern struct units %s_units[];",
+	     s->gen_name);
+
+    fprintf (codefile,
+	     "struct units %s_units[] = {\n",
+	     s->gen_name);
+
+    if(t->members)
+	for (m = t->members->prev; m && m->val != tag; m = m->prev) {
+	    fprintf (codefile,
+		     "\t{\"%s\",\t1U << %d},\n", m->gen_name, m->val);
+	    
+	    if (tag == -1)
+		tag = m->val;
+	}
+
+    fprintf (codefile,
+	     "\t{NULL,\t0}\n"
+	     "};\n\n");
+}
+
+void
+generate_glue (const Symbol *s)
+{
+    switch(s->type->type) {
+    case TBitString :
+	generate_2int (s);
+	generate_int2 (s);
+	generate_units (s);
+	break;
+    default :
+	break;
+    }
+}
diff --git a/crypto/heimdal/lib/asn1/gen_length.c b/crypto/heimdal/lib/asn1/gen_length.c
new file mode 100644
index 0000000..ca2af6f
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_length.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: gen_length.c,v 1.10 2000/06/21 22:40:53 assar Exp $");
+
+static void
+length_primitive (const char *typename,
+		  const char *name,
+		  const char *variable)
+{
+    fprintf (codefile, "%s += length_%s(%s);\n", variable, typename, name);
+}
+
+static void
+length_type (const char *name, const Type *t, const char *variable)
+{
+    switch (t->type) {
+    case TType:
+#if 0
+	length_type (name, t->symbol->type);
+#endif
+	fprintf (codefile, "%s += length_%s(%s);\n",
+		 variable, t->symbol->gen_name, name);
+	break;
+    case TInteger:
+        if(t->members == NULL)
+            length_primitive ("integer", name, variable);
+        else {
+            char *s;
+            asprintf(&s, "(const int*)%s", name);
+            if(s == NULL)
+		errx (1, "out of memory");
+            length_primitive ("integer", s, variable);
+            free(s);
+        }
+	break;
+    case TUInteger:
+	length_primitive ("unsigned", name, variable);
+	break;
+    case TOctetString:
+	length_primitive ("octet_string", name, variable);
+	break;
+    case TBitString: {
+	/*
+	 * XXX - Hope this is correct
+	 * look at TBitString case in `encode_type'
+	 */
+	fprintf (codefile, "%s += 7;\n", variable);
+	break;
+    }
+    case TSequence: {
+	Member *m;
+	int tag = -1;
+
+	if (t->members == NULL)
+	    break;
+      
+	for (m = t->members; m && tag != m->val; m = m->next) {
+	    char *s;
+
+	    asprintf (&s, "%s(%s)->%s",
+		      m->optional ? "" : "&", name, m->gen_name);
+	    if (m->optional)
+		fprintf (codefile, "if(%s)", s);
+	    fprintf (codefile, "{\n"
+		     "int oldret = %s;\n"
+		     "%s = 0;\n", variable, variable);
+	    length_type (s, m->type, "ret");
+	    fprintf (codefile, "%s += 1 + length_len(%s) + oldret;\n",
+		     variable, variable);
+	    fprintf (codefile, "}\n");
+	    if (tag == -1)
+		tag = m->val;
+	    free (s);
+	}
+	fprintf (codefile,
+		 "%s += 1 + length_len(%s);\n", variable, variable);
+	break;
+    }
+    case TSequenceOf: {
+	char *n;
+
+	fprintf (codefile,
+		 "{\n"
+		 "int oldret = %s;\n"
+		 "int i;\n"
+		 "%s = 0;\n",
+		 variable, variable);
+
+	fprintf (codefile, "for(i = (%s)->len - 1; i >= 0; --i){\n", name);
+	asprintf (&n, "&(%s)->val[i]", name);
+	length_type(n, t->subtype, variable);
+	fprintf (codefile, "}\n");
+
+	fprintf (codefile,
+		 "%s += 1 + length_len(%s) + oldret;\n"
+		 "}\n", variable, variable);
+	free(n);
+	break;
+    }
+    case TGeneralizedTime:
+	length_primitive ("generalized_time", name, variable);
+	break;
+    case TGeneralString:
+	length_primitive ("general_string", name, variable);
+	break;
+    case TApplication:
+	length_type (name, t->subtype, variable);
+	fprintf (codefile, "ret += 1 + length_len (ret);\n");
+	break;
+    default :
+	abort ();
+    }
+}
+
+void
+generate_type_length (const Symbol *s)
+{
+  fprintf (headerfile,
+	   "size_t length_%s(const %s *);\n",
+	   s->gen_name, s->gen_name);
+
+  fprintf (codefile,
+	   "size_t\n"
+	   "length_%s(const %s *data)\n"
+	   "{\n"
+	   "size_t ret = 0;\n",
+	   s->gen_name, s->gen_name);
+
+  length_type ("data", s->type, "ret");
+  fprintf (codefile, "return ret;\n}\n\n");
+}
+
diff --git a/crypto/heimdal/lib/asn1/gen_locl.h b/crypto/heimdal/lib/asn1/gen_locl.h
new file mode 100644
index 0000000..acf6bc1a
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/gen_locl.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gen_locl.h,v 1.7 2000/04/09 09:21:56 assar Exp $ */
+
+#ifndef __GEN_LOCL_H__
+#define __GEN_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <ctype.h>
+#include <time.h>
+#include <errno.h>
+#include <err.h>
+#include <roken.h>
+#include "hash.h"
+#include "symbol.h"
+
+void generate_type (const Symbol *);
+void generate_constant (const Symbol *);
+void generate_type_encode (const Symbol *s);
+void generate_type_decode (const Symbol *s);
+void generate_seq_type_decode (const Symbol *s);
+void generate_type_free (const Symbol *s);
+void generate_type_length (const Symbol *s);
+void generate_type_copy (const Symbol *s);
+void generate_type_maybe (const Symbol *s);
+void generate_glue (const Symbol *s);
+
+void init_generate (const char *filename, const char *basename);
+const char *filename (void);
+void close_generate(void);
+int yyparse(void);
+
+extern FILE *headerfile, *codefile, *logfile;
+
+#endif /* __GEN_LOCL_H__ */
diff --git a/crypto/heimdal/lib/asn1/hash.c b/crypto/heimdal/lib/asn1/hash.c
new file mode 100644
index 0000000..a8d3eb3
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/hash.c
@@ -0,0 +1,207 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ * Hash table functions
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: hash.c,v 1.8 1999/12/02 17:05:02 joda Exp $");
+
+static Hashentry *_search(Hashtab * htab,	/* The hash table */
+			  void *ptr);	/* And key */
+
+Hashtab *
+hashtabnew(int sz,
+	   int (*cmp) (void *, void *),
+	   unsigned (*hash) (void *))
+{
+    Hashtab *htab;
+    int i;
+
+    assert(sz > 0);
+
+    htab = (Hashtab *) malloc(sizeof(Hashtab) + (sz - 1) * sizeof(Hashentry *));
+    for (i = 0; i < sz; ++i)
+	htab->tab[i] = NULL;
+
+    if (htab == NULL) {
+	return NULL;
+    } else {
+	htab->cmp = cmp;
+	htab->hash = hash;
+	htab->sz = sz;
+	return htab;
+    }
+}
+
+/* Intern search function */
+
+static Hashentry *
+_search(Hashtab * htab, void *ptr)
+{
+    Hashentry *hptr;
+
+    assert(htab && ptr);
+
+    for (hptr = htab->tab[(*htab->hash) (ptr) % htab->sz];
+	 hptr;
+	 hptr = hptr->next)
+	if ((*htab->cmp) (ptr, hptr->ptr) == 0)
+	    break;
+    return hptr;
+}
+
+/* Search for element in hash table */
+
+void *
+hashtabsearch(Hashtab * htab, void *ptr)
+{
+    Hashentry *tmp;
+
+    tmp = _search(htab, ptr);
+    return tmp ? tmp->ptr : tmp;
+}
+
+/* add element to hash table */
+/* if already there, set new value */
+/* !NULL if succesful */
+
+void *
+hashtabadd(Hashtab * htab, void *ptr)
+{
+    Hashentry *h = _search(htab, ptr);
+    Hashentry **tabptr;
+
+    assert(htab && ptr);
+
+    if (h)
+	free((void *) h->ptr);
+    else {
+	h = (Hashentry *) malloc(sizeof(Hashentry));
+	if (h == NULL) {
+	    return NULL;
+	}
+	tabptr = &htab->tab[(*htab->hash) (ptr) % htab->sz];
+	h->next = *tabptr;
+	*tabptr = h;
+	h->prev = tabptr;
+	if (h->next)
+	    h->next->prev = &h->next;
+    }
+    h->ptr = ptr;
+    return h;
+}
+
+/* delete element with key key. Iff freep, free Hashentry->ptr */
+
+int
+_hashtabdel(Hashtab * htab, void *ptr, int freep)
+{
+    Hashentry *h;
+
+    assert(htab && ptr);
+
+    h = _search(htab, ptr);
+    if (h) {
+	if (freep)
+	    free(h->ptr);
+	if ((*(h->prev) = h->next))
+	    h->next->prev = h->prev;
+	free(h);
+	return 0;
+    } else
+	return -1;
+}
+
+/* Do something for each element */
+
+void
+hashtabforeach(Hashtab * htab, int (*func) (void *ptr, void *arg),
+	       void *arg)
+{
+    Hashentry **h, *g;
+
+    assert(htab);
+
+    for (h = htab->tab; h < &htab->tab[htab->sz]; ++h)
+	for (g = *h; g; g = g->next)
+	    if ((*func) (g->ptr, arg))
+		return;
+}
+
+/* standard hash-functions for strings */
+
+unsigned
+hashadd(const char *s)
+{				/* Standard hash function */
+    unsigned i;
+
+    assert(s);
+
+    for (i = 0; *s; ++s)
+	i += *s;
+    return i;
+}
+
+unsigned
+hashcaseadd(const char *s)
+{				/* Standard hash function */
+    unsigned i;
+
+    assert(s);
+
+    for (i = 0; *s; ++s)
+	i += toupper(*s);
+    return i;
+}
+
+#define TWELVE (sizeof(unsigned))
+#define SEVENTYFIVE (6*sizeof(unsigned))
+#define HIGH_BITS (~((unsigned)(~0) >> TWELVE))
+
+unsigned
+hashjpw(const char *ss)
+{				/* another hash function */
+    unsigned h = 0;
+    unsigned g;
+    const unsigned char *s = (const unsigned char *)ss;
+
+    for (; *s; ++s) {
+	h = (h << TWELVE) + *s;
+	if ((g = h & HIGH_BITS))
+	    h = (h ^ (g >> SEVENTYFIVE)) & ~HIGH_BITS;
+    }
+    return h;
+}
diff --git a/crypto/heimdal/lib/asn1/hash.h b/crypto/heimdal/lib/asn1/hash.h
new file mode 100644
index 0000000..b54e102
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/hash.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ * hash.h. Header file for hash table functions
+ */
+
+/* $Id: hash.h,v 1.3 1999/12/02 17:05:02 joda Exp $ */
+
+struct hashentry {		/* Entry in bucket */
+     struct hashentry **prev;
+     struct hashentry *next;
+     void *ptr;
+};
+
+typedef struct hashentry Hashentry;
+
+struct hashtab {		/* Hash table */
+     int (*cmp)(void *, void *); /* Compare function */
+     unsigned (*hash)(void *);	/* hash function */
+     int sz;			/* Size */
+     Hashentry *tab[1];		/* The table */
+};
+
+typedef struct hashtab Hashtab;
+
+/* prototypes */
+
+Hashtab *hashtabnew(int sz, 
+		    int (*cmp)(void *, void *),
+		    unsigned (*hash)(void *));	/* Make new hash table */
+
+void *hashtabsearch(Hashtab *htab, /* The hash table */
+		    void *ptr);	/*  The key */
+
+
+void *hashtabadd(Hashtab *htab,	/* The hash table */
+	       void *ptr);	/* The element */
+
+int _hashtabdel(Hashtab *htab,	/* The table */
+		void *ptr,	/* Key */
+		int freep);	/* Free data part? */
+
+void hashtabforeach(Hashtab *htab,
+		    int (*func)(void *ptr, void *arg),
+		    void *arg);
+
+unsigned hashadd(const char *s);		/* Standard hash function */
+unsigned hashcaseadd(const char *s);		/* Standard hash function */
+unsigned hashjpw(const char *s);		/* another hash function */
+
+/* macros */
+
+ /* Don't free space */
+#define hashtabdel(htab,key)  _hashtabdel(htab,key,FALSE)
+
+#define hashtabfree(htab,key) _hashtabdel(htab,key,TRUE) /* Do! */
diff --git a/crypto/heimdal/lib/asn1/k5.asn1 b/crypto/heimdal/lib/asn1/k5.asn1
new file mode 100644
index 0000000..1fa8b7b
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/k5.asn1
@@ -0,0 +1,448 @@
+-- $Id: k5.asn1,v 1.25 2001/05/14 06:12:13 assar Exp $
+
+KERBEROS5 DEFINITIONS ::=
+BEGIN
+
+NAME-TYPE ::= INTEGER {
+	KRB5_NT_UNKNOWN(0),	-- Name type not known
+	KRB5_NT_PRINCIPAL(1),	-- Just the name of the principal as in
+	KRB5_NT_SRV_INST(2),	-- Service and other unique instance (krbtgt)
+	KRB5_NT_SRV_HST(3),	-- Service with host name as instance
+	KRB5_NT_SRV_XHST(4),	-- Service with host as remaining components
+	KRB5_NT_UID(5),		-- Unique ID
+	KRB5_NT_X500_PRINCIPAL(6) -- PKINIT
+}
+
+-- message types
+
+MESSAGE-TYPE ::= INTEGER {
+	krb-as-req(10), -- Request for initial authentication
+	krb-as-rep(11), -- Response to KRB_AS_REQ request
+	krb-tgs-req(12), -- Request for authentication based on TGT
+	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
+	krb-ap-req(14), -- application request to server
+	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
+	krb-safe(20), -- Safe (checksummed) application message
+	krb-priv(21), -- Private (encrypted) application message
+	krb-cred(22), -- Private (encrypted) message to forward credentials
+	krb-error(30) -- Error response
+}
+
+
+-- pa-data types
+
+PADATA-TYPE ::= INTEGER {
+	KRB5-PADATA-NONE(0),
+	KRB5-PADATA-TGS-REQ(1),
+	KRB5-PADATA-AP-REQ(1),
+	KRB5-PADATA-ENC-TIMESTAMP(2),
+	KRB5-PADATA-PW-SALT(3),
+	KRB5-PADATA-ENC-UNIX-TIME(5),
+	KRB5-PADATA-SANDIA-SECUREID(6),
+	KRB5-PADATA-SESAME(7),
+	KRB5-PADATA-OSF-DCE(8),
+	KRB5-PADATA-CYBERSAFE-SECUREID(9),
+	KRB5-PADATA-AFS3-SALT(10),
+	KRB5-PADATA-ETYPE-INFO(11),
+	KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
+	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
+	KRB5-PADATA-PK-AS-REQ(14), -- (PKINIT)
+	KRB5-PADATA-PK-AS-REP(15), -- (PKINIT)
+	KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT)
+	KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT)
+	KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT)
+	KRB5-PADATA-USE-SPECIFIED-KVNO(20),
+	KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
+	KRB5-PADATA-GET-FROM-TYPED-DATA(22),
+	KRB5-PADATA-SAM-ETYPE-INFO(23)
+}
+
+-- checksumtypes
+
+CKSUMTYPE ::= INTEGER {
+	CKSUMTYPE_NONE(0),
+	CKSUMTYPE_CRC32(1),
+	CKSUMTYPE_RSA_MD4(2),
+	CKSUMTYPE_RSA_MD4_DES(3),
+	CKSUMTYPE_DES_MAC(4),
+	CKSUMTYPE_DES_MAC_K(5),
+	CKSUMTYPE_RSA_MD4_DES_K(6),
+	CKSUMTYPE_RSA_MD5(7),
+	CKSUMTYPE_RSA_MD5_DES(8),
+	CKSUMTYPE_RSA_MD5_DES3(9),
+	-- CKSUMTYPE_SHA1(10),
+	CKSUMTYPE_HMAC_SHA1_DES3(12),
+	CKSUMTYPE_SHA1(1000),		-- correct value? 10 (9 also)
+	CKSUMTYPE_HMAC_MD5(-138),	-- unofficial microsoft number
+	CKSUMTYPE_HMAC_MD5_ENC(-1138)	-- even more unofficial
+}
+
+--enctypes
+ENCTYPE ::= INTEGER {
+	ETYPE_NULL(0),
+	ETYPE_DES_CBC_CRC(1),
+	ETYPE_DES_CBC_MD4(2),
+	ETYPE_DES_CBC_MD5(3),
+	ETYPE_DES3_CBC_MD5(5),
+	ETYPE_OLD_DES3_CBC_SHA1(7),
+	ETYPE_SIGN_DSA_GENERATE(8),
+	ETYPE_ENCRYPT_RSA_PRIV(9),
+	ETYPE_ENCRYPT_RSA_PUB(10),
+	ETYPE_DES3_CBC_SHA1(16),	-- with key derivation
+	ETYPE_ARCFOUR_HMAC_MD5(23),
+	ETYPE_ARCFOUR_HMAC_MD5_56(24),
+	ETYPE_ENCTYPE_PK_CROSS(48),
+-- these are for Heimdal internal use
+	ETYPE_DES_CBC_NONE(-0x1000),
+	ETYPE_DES3_CBC_NONE(-0x1001),
+	ETYPE_DES_CFB64_NONE(-0x1002),
+	ETYPE_DES_PCBC_NONE(-0x1003),
+	ETYPE_DES3_CBC_NONE_IVEC(-0x1004)
+}
+
+-- this is sugar to make something ASN1 does not have: unsigned
+
+UNSIGNED ::= INTEGER (0..4294967295)
+
+Realm ::= GeneralString
+PrincipalName ::= SEQUENCE {
+	name-type[0]		NAME-TYPE,
+	name-string[1]		SEQUENCE OF GeneralString
+}
+
+-- this is not part of RFC1510
+Principal ::= SEQUENCE {
+	name[0]			PrincipalName,
+	realm[1]		Realm
+}
+
+HostAddress ::= SEQUENCE  {
+	addr-type[0]		INTEGER,
+	address[1]		OCTET STRING
+}
+
+-- This is from RFC1510.
+--
+-- HostAddresses ::= SEQUENCE OF SEQUENCE {
+-- 	addr-type[0]		INTEGER,
+--	address[1]		OCTET STRING
+-- }
+
+-- This seems much better.
+HostAddresses ::= SEQUENCE OF HostAddress
+
+
+KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
+
+AuthorizationData ::= SEQUENCE OF SEQUENCE {
+	ad-type[0]		INTEGER,
+	ad-data[1]		OCTET STRING
+}
+
+APOptions ::= BIT STRING {
+	reserved(0),
+	use-session-key(1),
+	mutual-required(2)
+}
+
+TicketFlags ::= BIT STRING {
+	reserved(0),
+	forwardable(1),
+	forwarded(2),
+	proxiable(3),
+	proxy(4),
+	may-postdate(5),
+	postdated(6),
+	invalid(7),
+	renewable(8),
+	initial(9),
+	pre-authent(10),
+	hw-authent(11),
+	transited-policy-checked(12),
+	ok-as-delegate(13),
+	anonymous(14)
+}
+
+KDCOptions ::= BIT STRING {
+	reserved(0),
+	forwardable(1),
+	forwarded(2),
+	proxiable(3),
+	proxy(4),
+	allow-postdate(5),
+	postdated(6),
+	unused7(7),
+	renewable(8),
+	unused9(9),
+	unused10(10),
+	unused11(11),
+	request-anonymous(14),
+	canonicalize(15),
+	disable-transited-check(26),
+	renewable-ok(27),
+	enc-tkt-in-skey(28),
+	renew(30),
+	validate(31)
+}
+
+LR-TYPE ::= INTEGER {
+	LR_NONE(0),		-- no information
+	LR_INITIAL_TGT(1),	-- last initial TGT request
+	LR_INITIAL(2),		-- last initial request
+	LR_ISSUE_USE_TGT(3),	-- time of newest TGT used
+	LR_RENEWAL(4),		-- time of last renewal
+	LR_REQUEST(5),		-- time of last request (of any type)
+	LR_PW_EXPTIME(6),	-- expiration time of password
+	LR_ACCT_EXPTIME(7)	-- expiration time of account
+}
+
+LastReq ::= SEQUENCE OF SEQUENCE {
+	lr-type[0]		LR-TYPE,
+	lr-value[1]		KerberosTime
+}
+
+
+EncryptedData ::= SEQUENCE {
+	etype[0] 		ENCTYPE, -- EncryptionType
+	kvno[1]			INTEGER OPTIONAL,
+	cipher[2]		OCTET STRING -- ciphertext
+}
+
+EncryptionKey ::= SEQUENCE {
+	keytype[0]		INTEGER,
+	keyvalue[1]		OCTET STRING
+}
+
+-- encoded Transited field
+TransitedEncoding ::= SEQUENCE {
+	tr-type[0]		INTEGER, -- must be registered
+	contents[1]		OCTET STRING
+}
+
+Ticket ::= [APPLICATION 1] SEQUENCE {
+	tkt-vno[0]		INTEGER,
+	realm[1]		Realm,
+	sname[2]		PrincipalName,
+	enc-part[3]		EncryptedData
+}
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+	flags[0]		TicketFlags,
+	key[1]			EncryptionKey,
+	crealm[2]		Realm,
+	cname[3]		PrincipalName,
+	transited[4]		TransitedEncoding,
+	authtime[5]		KerberosTime,
+	starttime[6]		KerberosTime OPTIONAL,
+	endtime[7]		KerberosTime,
+	renew-till[8]		KerberosTime OPTIONAL,
+	caddr[9]		HostAddresses OPTIONAL,
+	authorization-data[10]	AuthorizationData OPTIONAL
+}
+
+Checksum ::= SEQUENCE {
+	cksumtype[0]		CKSUMTYPE,
+	checksum[1]		OCTET STRING
+}
+
+Authenticator ::= [APPLICATION 2] SEQUENCE    {
+	authenticator-vno[0]	INTEGER,
+	crealm[1]		Realm,
+	cname[2]		PrincipalName,
+	cksum[3]		Checksum OPTIONAL,
+	cusec[4]		INTEGER,
+	ctime[5]		KerberosTime,
+	subkey[6]		EncryptionKey OPTIONAL,
+	seq-number[7]		UNSIGNED OPTIONAL,
+	authorization-data[8]	AuthorizationData OPTIONAL
+	}
+
+PA-DATA ::= SEQUENCE {
+	-- might be encoded AP-REQ
+	padata-type[1]		PADATA-TYPE,
+	padata-value[2]		OCTET STRING
+}
+
+ETYPE-INFO-ENTRY ::= SEQUENCE {
+	etype[0]		ENCTYPE,
+	salt[1]			OCTET STRING OPTIONAL,
+	salttype[2]		INTEGER OPTIONAL
+}
+
+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+KDC-REQ-BODY ::= SEQUENCE {
+	kdc-options[0]		KDCOptions,
+	cname[1]		PrincipalName OPTIONAL, -- Used only in AS-REQ
+	realm[2]		Realm,	-- Server's realm
+					-- Also client's in AS-REQ
+	sname[3]		PrincipalName OPTIONAL,
+	from[4]			KerberosTime OPTIONAL,
+	till[5]			KerberosTime OPTIONAL,
+	rtime[6]		KerberosTime OPTIONAL,
+	nonce[7]		INTEGER,
+	etype[8]		SEQUENCE OF ENCTYPE, -- EncryptionType,
+					-- in preference order
+	addresses[9]		HostAddresses OPTIONAL,
+	enc-authorization-data[10] EncryptedData OPTIONAL,
+					-- Encrypted AuthorizationData encoding
+	additional-tickets[11]	SEQUENCE OF Ticket OPTIONAL
+}
+
+KDC-REQ ::= SEQUENCE {
+	pvno[1]			INTEGER,
+	msg-type[2]		MESSAGE-TYPE,
+	padata[3]		METHOD-DATA OPTIONAL,
+	req-body[4]		KDC-REQ-BODY
+}
+
+AS-REQ ::= [APPLICATION 10] KDC-REQ
+TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+-- padata-type ::= PA-ENC-TIMESTAMP
+-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC ::= SEQUENCE {
+	patimestamp[0]		KerberosTime, -- client's time
+	pausec[1]		INTEGER OPTIONAL
+}
+
+KDC-REP ::= SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
+	padata[2]		METHOD-DATA OPTIONAL,
+	crealm[3]		Realm,
+	cname[4]		PrincipalName,
+	ticket[5]		Ticket,
+	enc-part[6]		EncryptedData
+}
+
+AS-REP ::= [APPLICATION 11] KDC-REP
+TGS-REP ::= [APPLICATION 13] KDC-REP
+
+EncKDCRepPart ::= SEQUENCE {
+	key[0]			EncryptionKey,
+	last-req[1]		LastReq,
+	nonce[2]		INTEGER,
+	key-expiration[3]	KerberosTime OPTIONAL,
+	flags[4]		TicketFlags,
+	authtime[5]		KerberosTime,
+	starttime[6]		KerberosTime OPTIONAL,
+	endtime[7]		KerberosTime,
+	renew-till[8]		KerberosTime OPTIONAL,
+	srealm[9]		Realm,
+	sname[10]		PrincipalName,
+	caddr[11]		HostAddresses OPTIONAL
+}
+
+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+AP-REQ ::= [APPLICATION 14] SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
+	ap-options[2]		APOptions,
+	ticket[3]		Ticket,
+	authenticator[4]	EncryptedData
+}
+
+AP-REP ::= [APPLICATION 15] SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
+	enc-part[2]		EncryptedData
+}
+
+EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
+	ctime[0]		KerberosTime,
+	cusec[1]		INTEGER,
+	subkey[2]		EncryptionKey OPTIONAL,
+	seq-number[3]		UNSIGNED OPTIONAL
+}
+
+KRB-SAFE-BODY ::= SEQUENCE {
+	user-data[0]		OCTET STRING,
+	timestamp[1]		KerberosTime OPTIONAL,
+	usec[2]			INTEGER OPTIONAL,
+	seq-number[3]		UNSIGNED OPTIONAL,
+	s-address[4]		HostAddress OPTIONAL,
+	r-address[5]		HostAddress OPTIONAL
+}
+
+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
+	safe-body[2]		KRB-SAFE-BODY,
+	cksum[3]		Checksum
+}
+
+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
+	enc-part[3]		EncryptedData
+}
+EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+	user-data[0]		OCTET STRING,
+	timestamp[1]		KerberosTime OPTIONAL,
+	usec[2]			INTEGER OPTIONAL,
+	seq-number[3]		UNSIGNED OPTIONAL,
+	s-address[4]		HostAddress OPTIONAL, -- sender's addr
+	r-address[5]		HostAddress OPTIONAL  -- recip's addr
+}
+
+KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		MESSAGE-TYPE, -- KRB_CRED
+	tickets[2]		SEQUENCE OF Ticket,
+	enc-part[3]		EncryptedData
+}
+
+KrbCredInfo ::= SEQUENCE {
+	key[0]			EncryptionKey,
+	prealm[1]		Realm OPTIONAL,
+	pname[2]		PrincipalName OPTIONAL,
+	flags[3]		TicketFlags OPTIONAL,
+	authtime[4]		KerberosTime OPTIONAL,
+	starttime[5]		KerberosTime OPTIONAL,
+	endtime[6] 		KerberosTime OPTIONAL,
+	renew-till[7]		KerberosTime OPTIONAL,
+	srealm[8]		Realm OPTIONAL,
+	sname[9]		PrincipalName OPTIONAL,
+	caddr[10]		HostAddresses OPTIONAL
+}
+
+EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
+	ticket-info[0]		SEQUENCE OF KrbCredInfo,
+	nonce[1]		INTEGER OPTIONAL,
+	timestamp[2]		KerberosTime OPTIONAL,
+	usec[3]			INTEGER OPTIONAL,
+	s-address[4]		HostAddress OPTIONAL,
+	r-address[5]		HostAddress OPTIONAL
+}
+
+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+	pvno[0]			INTEGER,
+	msg-type[1]		MESSAGE-TYPE,
+	ctime[2]		KerberosTime OPTIONAL,
+	cusec[3]		INTEGER OPTIONAL,
+	stime[4]		KerberosTime,
+	susec[5]		INTEGER,
+	error-code[6]		INTEGER,
+	crealm[7]		Realm OPTIONAL,
+	cname[8]		PrincipalName OPTIONAL,
+	realm[9]		Realm, -- Correct realm
+	sname[10]		PrincipalName, -- Correct name
+	e-text[11]		GeneralString OPTIONAL,
+	e-data[12]		OCTET STRING OPTIONAL
+}
+
+pvno INTEGER ::= 5 -- current Kerberos protocol version number
+
+-- transited encodings
+
+DOMAIN-X500-COMPRESS	INTEGER ::= 1
+
+END
+
+-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
diff --git a/crypto/heimdal/lib/asn1/lex.h b/crypto/heimdal/lib/asn1/lex.h
new file mode 100644
index 0000000..9f5cadf
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/lex.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: lex.h,v 1.5 2000/07/01 20:21:34 assar Exp $ */
+
+#include <roken.h>
+
+void error_message (const char *, ...)
+__attribute__ ((format (printf, 1, 2)));
+
+int yylex(void);
diff --git a/crypto/heimdal/lib/asn1/lex.l b/crypto/heimdal/lib/asn1/lex.l
new file mode 100644
index 0000000..21665fb
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/lex.l
@@ -0,0 +1,111 @@
+%{
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: lex.l,v 1.16 2001/04/18 13:08:47 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include "symbol.h"
+#include "parse.h"
+#include "lex.h"
+#include "gen_locl.h"
+
+static unsigned lineno = 1;
+
+#define YY_NO_UNPUT
+
+#undef ECHO
+
+%}
+
+
+%%
+INTEGER			{ return INTEGER; }
+IMPORTS			{ return IMPORTS; }
+FROM			{ return FROM; }
+SEQUENCE		{ return SEQUENCE; }
+OF			{ return OF; }
+OCTET			{ return OCTET; }
+STRING			{ return STRING; }
+GeneralizedTime		{ return GeneralizedTime; }
+GeneralString		{ return GeneralString; }
+BIT			{ return BIT; }
+APPLICATION		{ return APPLICATION; }
+OPTIONAL		{ return OPTIONAL; }
+BEGIN			{ return TBEGIN; }
+END			{ return END; }
+DEFINITIONS		{ return DEFINITIONS; }
+EXTERNAL		{ return EXTERNAL; }
+[,;{}()|]		{ return *yytext; }
+"["			{ return *yytext; }
+"]"			{ return *yytext; }
+::=			{ return EEQUAL; }
+--[^\n]*\n		{ ++lineno; }
+-?(0x)?[0-9]+		{ char *e; yylval.constant = strtol(yytext, &e, 0); 
+			  if(e == yytext) 
+			    error_message("malformed constant (%s)", yytext); 
+			  else return CONSTANT; }
+[A-Za-z][-A-Za-z0-9_]*	{ yylval.name =  strdup (yytext); return IDENTIFIER; }
+[ \t]			;
+\n			{ ++lineno; }
+\.\.			{ return DOTDOT; }
+.			{ error_message("Ignoring char(%c)\n", *yytext); }
+%%
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+void
+error_message (const char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d: ", filename(), lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+}
diff --git a/crypto/heimdal/lib/asn1/libasn1.h b/crypto/heimdal/lib/asn1/libasn1.h
new file mode 100644
index 0000000..8a4994a
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/libasn1.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: libasn1.h,v 1.9 2001/04/18 13:10:24 joda Exp $ */
+
+#ifndef __LIBASN1_H__
+#define __LIBASN1_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include "krb5_asn1.h"
+#include "der.h"
+#include "asn1_err.h"
+#include <parse_units.h>
+
+#endif /* __LIBASN1_H__ */
diff --git a/crypto/heimdal/lib/asn1/main.c b/crypto/heimdal/lib/asn1/main.c
new file mode 100644
index 0000000..8b1b409
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/main.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+#include <getarg.h>
+
+RCSID("$Id: main.c,v 1.11 2001/02/20 01:44:52 assar Exp $");
+
+extern FILE *yyin;
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "[asn1-file [name]]");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    int ret;
+    char *file;
+    char *name = NULL;
+    int optind = 0;
+
+    setprogname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    if (argc == optind) {
+	file = "stdin";
+	name = "stdin";
+	yyin = stdin;
+    } else {
+	file = argv[optind];
+	yyin = fopen (file, "r");
+	if (yyin == NULL)
+	    err (1, "open %s", file);
+	name = argv[optind + 1];
+    }
+
+    init_generate (file, name);
+    initsym ();
+    ret = yyparse ();
+    close_generate ();
+    return ret;
+}
diff --git a/crypto/heimdal/lib/asn1/parse.y b/crypto/heimdal/lib/asn1/parse.y
new file mode 100644
index 0000000..81b5cb1
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/parse.y
@@ -0,0 +1,254 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse.y,v 1.17 2001/03/26 04:09:55 assar Exp $ */
+
+%{
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "symbol.h"
+#include "lex.h"
+#include "gen_locl.h"
+
+RCSID("$Id: parse.y,v 1.17 2001/03/26 04:09:55 assar Exp $");
+
+static Type *new_type (Typetype t);
+void yyerror (char *);
+
+static void append (Member *l, Member *r);
+
+%}
+
+%union {
+  int constant;
+  char *name;
+  Type *type;
+  Member *member;
+}
+
+%token INTEGER SEQUENCE OF OCTET STRING GeneralizedTime GeneralString
+%token BIT APPLICATION OPTIONAL EEQUAL TBEGIN END DEFINITIONS EXTERNAL
+%token DOTDOT
+%token IMPORTS FROM
+%token <name> IDENTIFIER 
+%token <constant> CONSTANT
+
+%type <constant> constant optional2
+%type <type> type
+%type <member> memberdecls memberdecl bitdecls bitdecl
+
+%start envelope
+
+%%
+
+envelope	: IDENTIFIER DEFINITIONS EEQUAL TBEGIN specification END {}
+		;
+
+specification	:
+		| specification declaration
+		;
+
+declaration	: imports_decl
+		| type_decl
+		| constant_decl
+		;
+
+referencenames	: IDENTIFIER ',' referencenames
+		{
+			Symbol *s = addsym($1);
+			s->stype = Stype;
+		}
+		| IDENTIFIER
+		{
+			Symbol *s = addsym($1);
+			s->stype = Stype;
+		}
+		;
+
+imports_decl	: IMPORTS referencenames FROM IDENTIFIER ';'
+		;
+
+type_decl	: IDENTIFIER EEQUAL type
+		{
+		  Symbol *s = addsym ($1);
+		  s->stype = Stype;
+		  s->type = $3;
+		  generate_type (s);
+		}
+		;
+
+constant_decl	: IDENTIFIER type EEQUAL constant
+		{
+		  Symbol *s = addsym ($1);
+		  s->stype = SConstant;
+		  s->constant = $4;
+		  generate_constant (s);
+		}
+		;
+
+type		: INTEGER     { $$ = new_type(TInteger); }
+		| INTEGER '(' constant DOTDOT constant ')' {
+		    if($3 != 0)
+			error_message("Only 0 supported as low range");
+		    if($5 != INT_MIN && $5 != UINT_MAX && $5 != INT_MAX)
+			error_message("Only %u supported as high range",
+				      UINT_MAX);
+		    $$ = new_type(TUInteger);
+		}
+                | INTEGER '{' bitdecls '}'
+                {
+			$$ = new_type(TInteger);
+			$$->members = $3;
+                }
+		| OCTET STRING { $$ = new_type(TOctetString); }
+		| GeneralString { $$ = new_type(TGeneralString); }
+		| GeneralizedTime { $$ = new_type(TGeneralizedTime); }
+		| SEQUENCE OF type
+		{
+		  $$ = new_type(TSequenceOf);
+		  $$->subtype = $3;
+		}
+		| SEQUENCE '{' memberdecls '}'
+		{
+		  $$ = new_type(TSequence);
+		  $$->members = $3;
+		}
+		| BIT STRING '{' bitdecls '}'
+		{
+		  $$ = new_type(TBitString);
+		  $$->members = $4;
+		}
+		| IDENTIFIER
+		{
+		  Symbol *s = addsym($1);
+		  $$ = new_type(TType);
+		  if(s->stype != Stype)
+		    error_message ("%s is not a type\n", $1);
+		  else
+		    $$->symbol = s;
+		}
+		| '[' APPLICATION constant ']' type
+		{
+		  $$ = new_type(TApplication);
+		  $$->subtype = $5;
+		  $$->application = $3;
+		}
+		;
+
+memberdecls	: { $$ = NULL; }
+		| memberdecl	{ $$ = $1; }
+		| memberdecls ',' memberdecl { $$ = $1; append($$, $3); }
+		;
+
+memberdecl	: IDENTIFIER '[' constant ']' type optional2
+		{
+		  $$ = malloc(sizeof(*$$));
+		  $$->name = $1;
+		  $$->gen_name = strdup($1);
+		  output_name ($$->gen_name);
+		  $$->val = $3;
+		  $$->optional = $6;
+		  $$->type = $5;
+		  $$->next = $$->prev = $$;
+		}
+		;
+
+optional2	: { $$ = 0; }
+		| OPTIONAL { $$ = 1; }
+		;
+
+bitdecls	: { $$ = NULL; }
+		| bitdecl { $$ = $1; }
+		| bitdecls ',' bitdecl { $$ = $1; append($$, $3); }
+		;
+
+bitdecl		: IDENTIFIER '(' constant ')'
+		{
+		  $$ = malloc(sizeof(*$$));
+		  $$->name = $1;
+		  $$->gen_name = strdup($1);
+		  output_name ($$->gen_name);
+		  $$->val = $3;
+		  $$->optional = 0;
+		  $$->type = NULL;
+		  $$->prev = $$->next = $$;
+		}
+		;
+
+constant	: CONSTANT	{ $$ = $1; }
+		| IDENTIFIER	{
+				  Symbol *s = addsym($1);
+				  if(s->stype != SConstant)
+				    error_message ("%s is not a constant\n",
+						   s->name);
+				  else
+				    $$ = s->constant;
+				}
+		;
+%%
+
+void
+yyerror (char *s)
+{
+     error_message ("%s\n", s);
+}
+
+static Type *
+new_type (Typetype tt)
+{
+  Type *t = malloc(sizeof(*t));
+  if (t == NULL) {
+      error_message ("out of memory in malloc(%lu)", 
+		     (unsigned long)sizeof(*t));
+      exit (1);
+  }
+  t->type = tt;
+  t->application = 0;
+  t->members = NULL;
+  t->subtype = NULL;
+  t->symbol  = NULL;
+  return t;
+}
+
+static void
+append (Member *l, Member *r)
+{
+  l->prev->next = r;
+  r->prev = l->prev;
+  l->prev = r;
+  r->next = l;
+}
diff --git a/crypto/heimdal/lib/asn1/pkinit.asn1 b/crypto/heimdal/lib/asn1/pkinit.asn1
new file mode 100644
index 0000000..92c5de7
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/pkinit.asn1
@@ -0,0 +1,189 @@
+PKINIT DEFINITIONS ::= BEGIN
+
+IMPORTS  EncryptionKey, PrincipalName, Realm, KerberosTime, TypedData 
+	FROM krb5;
+IMPORTS SignedData, EnvelopedData FROM CMS;
+IMPORTS CertificateSerialNumber, AttributeTypeAndValue, Name FROM X509;
+
+
+-- 3.1
+
+CertPrincipalName ::= SEQUENCE {
+	name-type[0]		INTEGER,
+	name-string[1]		SEQUENCE OF UTF8String
+}
+
+
+-- 3.2.2
+
+
+TrustedCertifiers ::= SEQUENCE OF PrincipalName
+				-- X.500 name encoded as a principal name
+				-- see Section 3.1
+CertificateIndex  ::= INTEGER
+				-- 0 = 1st certificate,
+				--     (in order of encoding)
+				-- 1 = 2nd certificate, etc
+
+PA-PK-AS-REP ::= CHOICE {
+				-- PA TYPE 15
+	dhSignedData[0]		SignedData,
+				-- Defined in CMS and used only with
+				-- Diffie-Hellman key exchange (if the
+				-- client public value was present in the
+				-- request).
+				-- This choice MUST be supported
+				-- by compliant implementations.
+	encKeyPack[1]		EnvelopedData
+				-- Defined in CMS
+				-- The temporary key is encrypted
+				-- using the client public key
+				-- key
+				-- SignedReplyKeyPack, encrypted
+				-- with the temporary key, is also
+				-- included.
+}
+
+
+
+KdcDHKeyInfo ::= SEQUENCE {
+				-- used only when utilizing Diffie-Hellman
+	nonce[0]		INTEGER,
+				-- binds responce to the request
+	subjectPublicKey[2]	BIT STRING
+				-- Equals public exponent (g^a mod p)
+				-- INTEGER encoded as payload of
+				-- BIT STRING
+}
+
+ReplyKeyPack ::= SEQUENCE {
+				-- not used for Diffie-Hellman
+	replyKey[0]		EncryptionKey,
+				-- used to encrypt main reply
+				-- ENCTYPE is at least as strong as
+				-- ENCTYPE of session key
+	nonce[1]		INTEGER
+				-- binds response to the request
+				-- must be same as the nonce
+				-- passed in the PKAuthenticator
+}
+
+-- subjectAltName EXTENSION ::= {
+-- 	SYNTAX GeneralNames
+-- 	IDENTIFIED BY id-ce-subjectAltName
+-- }
+
+OtherName ::= SEQUENCE {
+	type-id			OBJECT IDENTIFIER,
+	value[0]		OCTET STRING
+--	value[0] EXPLICIT ANY DEFINED BY type-id
+}
+
+GeneralName ::= CHOICE {
+	otherName       [0] OtherName,
+	...
+}
+
+GeneralNames ::= SEQUENCE -- SIZE(1..MAX)
+	OF GeneralName
+
+KerberosName ::= SEQUENCE {
+	realm[0]		Realm,
+				-- as defined in RFC 1510
+	principalName[1]	CertPrincipalName
+				-- defined above
+}
+
+
+-- krb5 OBJECT IDENTIFIER ::= {
+-- 	iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2)
+-- }
+
+-- krb5PrincipalName OBJECT IDENTIFIER ::= { krb5 2 }
+
+-- 3.2.1
+
+
+IssuerAndSerialNumber ::= SEQUENCE {
+	issuer			Name,
+	serialNumber		CertificateSerialNumber
+}
+
+TrustedCas ::= CHOICE {
+	principalName[0]	KerberosName,
+				-- as defined below
+	caName[1]		Name,
+				-- fully qualified X.500 name
+				-- as defined by X.509
+	issuerAndSerial[2]	IssuerAndSerialNumber
+				-- Since a CA may have a number of
+				-- certificates, only one of which
+				-- a client trusts
+}
+
+PA-PK-AS-REQ ::= SEQUENCE {
+	-- PA TYPE 14
+	signedAuthPack[0]	SignedData,
+				-- defined in CMS [11]
+				-- AuthPack (below) defines the data
+				-- that is signed
+	trustedCertifiers[1]	SEQUENCE OF TrustedCas OPTIONAL,
+				-- CAs that the client trusts
+	kdcCert[2]		IssuerAndSerialNumber OPTIONAL,
+				-- as defined in CMS [11]
+				-- specifies a particular KDC
+				-- certificate if the client
+				-- already has it;
+	encryptionCert[3]	IssuerAndSerialNumber OPTIONAL
+				-- For example, this may be the
+				-- client's Diffie-Hellman
+				-- certificate, or it may be the
+				-- client's RSA encryption
+				-- certificate.
+}
+
+PKAuthenticator ::= SEQUENCE {
+	kdcName[0]		PrincipalName,
+	kdcRealm[1]		Realm,
+	cusec[2]		INTEGER,
+				-- for replay prevention as in RFC1510
+	ctime[3]		KerberosTime,
+				-- for replay prevention as in RFC1510
+	nonce[4]		INTEGER
+}
+
+-- This is the real definition of AlgorithmIdentifier
+-- AlgorithmIdentifier ::= SEQUENCE {
+-- 	algorithm		ALGORITHM.&id,
+--	parameters		ALGORITHM.&Type
+-- }   -- as specified by the X.509 recommendation[10]
+
+-- But we'll use this one instead:
+
+AlgorithmIdentifier ::= SEQUENCE {
+	algorithm		OBJECT IDENTIFIER,
+	parameters		CHOICE {
+					a INTEGER
+				}
+}
+
+
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+	algorithm		AlgorithmIdentifier,
+				-- dhKeyAgreement
+	subjectPublicKey	BIT STRING
+				-- for DH, equals
+				-- public exponent (INTEGER encoded
+				-- as payload of BIT STRING)
+} -- as specified by the X.509 recommendation[10]
+
+AuthPack ::= SEQUENCE {
+	pkAuthenticator[0]	PKAuthenticator,
+	clientPublicValue[1]	SubjectPublicKeyInfo OPTIONAL
+				-- if client is using Diffie-Hellman
+				-- (ephemeral-ephemeral only)
+}
+
+
+END
diff --git a/crypto/heimdal/lib/asn1/rfc2459.asn1 b/crypto/heimdal/lib/asn1/rfc2459.asn1
new file mode 100644
index 0000000..c9adec6
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/rfc2459.asn1
@@ -0,0 +1,21 @@
+RFC2459 DEFINITIONS ::= BEGIN
+
+AttributeType ::= OBJECT-IDENTIFIER
+
+AttributeValue ::= OCTET STRING --ANY DEFINED BY AttributeType
+
+AttributeTypeAndValue ::= SEQUENCE {
+	type AttributeType,
+	value AttributeValue
+}
+
+RelativeDistinguishedName ::= --SET
+SEQUENCE OF AttributeTypeAndValue
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+Name ::= CHOICE { -- RFC2459
+	x RDNSequence
+}
+
+END
\ No newline at end of file
diff --git a/crypto/heimdal/lib/asn1/symbol.c b/crypto/heimdal/lib/asn1/symbol.c
new file mode 100644
index 0000000..5e6e741
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/symbol.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gen_locl.h"
+
+RCSID("$Id: symbol.c,v 1.8 1999/12/02 17:05:02 joda Exp $");
+
+static Hashtab *htab;
+
+static int
+cmp (void *a, void *b)
+{
+  Symbol *s1 = (Symbol *)a;
+  Symbol *s2 = (Symbol *)b;
+
+  return strcmp (s1->name, s2->name);
+}
+
+static unsigned
+hash (void *a)
+{
+  Symbol *s = (Symbol *)a;
+
+  return hashjpw (s->name);
+}
+
+void
+initsym ()
+{
+  htab = hashtabnew (101, cmp, hash);
+}
+
+
+void
+output_name (char *s)
+{
+  char *p;
+
+  for (p = s; *p; ++p)
+    if (*p == '-')
+      *p = '_';
+}
+
+Symbol*
+addsym (char *name)
+{
+  Symbol key, *s;
+
+  key.name = name;
+  s = (Symbol *)hashtabsearch (htab, (void *)&key);
+  if (s == NULL) {
+    s = (Symbol *)malloc (sizeof (*s));
+    s->name = name;
+    s->gen_name = strdup(name);
+    output_name (s->gen_name);
+    s->stype = SUndefined;
+    hashtabadd (htab, s);
+  }
+  return s;
+}
diff --git a/crypto/heimdal/lib/asn1/symbol.h b/crypto/heimdal/lib/asn1/symbol.h
new file mode 100644
index 0000000..bc4707f
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/symbol.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: symbol.h,v 1.5 1999/12/02 17:05:02 joda Exp $ */
+
+#ifndef _SYMBOL_H
+#define _SYMBOL_H
+
+enum typetype { TInteger, TOctetString, TBitString, TSequence, TSequenceOf,
+		TGeneralizedTime, TGeneralString, TApplication, TType, 
+		TUInteger };
+
+typedef enum typetype Typetype;
+
+struct type;
+
+struct member {
+  char *name;
+  char *gen_name;
+  int val;
+  int optional;
+  struct type *type;
+  struct member *next, *prev;
+};
+
+typedef struct member Member;
+
+struct symbol;
+
+struct type {
+  Typetype type;
+  int application;
+  Member *members;
+  struct type *subtype;
+  struct symbol *symbol;
+};
+
+typedef struct type Type;
+
+struct symbol {
+  char *name;
+  char *gen_name;
+  enum { SUndefined, SConstant, Stype } stype;
+  int constant;
+  Type *type;
+};
+
+typedef struct symbol Symbol;
+
+void initsym (void);
+Symbol *addsym (char *);
+void output_name (char *);
+#endif
diff --git a/crypto/heimdal/lib/asn1/timegm.c b/crypto/heimdal/lib/asn1/timegm.c
new file mode 100644
index 0000000..bdc997f
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/timegm.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "der_locl.h"
+
+RCSID("$Id: timegm.c,v 1.7 1999/12/02 17:05:02 joda Exp $");
+
+#ifndef HAVE_TIMEGM
+
+static int
+is_leap(unsigned y)
+{
+    y += 1900;
+    return (y % 4) == 0 && ((y % 100) != 0 || (y % 400) == 0);
+}
+
+time_t
+timegm (struct tm *tm)
+{
+  static const unsigned ndays[2][12] ={
+    {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
+    {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}};
+  time_t res = 0;
+  unsigned i;
+
+  for (i = 70; i < tm->tm_year; ++i)
+    res += is_leap(i) ? 366 : 365;
+
+  for (i = 0; i < tm->tm_mon; ++i)
+    res += ndays[is_leap(tm->tm_year)][i];
+  res += tm->tm_mday - 1;
+  res *= 24;
+  res += tm->tm_hour;
+  res *= 60;
+  res += tm->tm_min;
+  res *= 60;
+  res += tm->tm_sec;
+  return res;
+}
+
+#endif /* HAVE_TIMEGM */
diff --git a/crypto/heimdal/lib/asn1/x509.asn1 b/crypto/heimdal/lib/asn1/x509.asn1
new file mode 100644
index 0000000..4a15844
--- /dev/null
+++ b/crypto/heimdal/lib/asn1/x509.asn1
@@ -0,0 +1,23 @@
+X509 DEFINITIONS ::= BEGIN
+
+CertificateSerialNumber ::= INTEGER -- X.509 '97
+
+AttributeType ::= OBJECT-IDENTIFIER
+
+AttributeValue ::= OCTET STRING --ANY DEFINED BY AttributeType
+
+AttributeTypeAndValue ::= SEQUENCE {
+	type AttributeType,
+	value AttributeValue
+}
+
+RelativeDistinguishedName ::= --SET
+SEQUENCE OF AttributeTypeAndValue
+
+RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+Name ::= CHOICE { -- RFC2459
+	x RDNSequence
+}
+
+END
\ No newline at end of file
diff --git a/crypto/heimdal/lib/auth/ChangeLog b/crypto/heimdal/lib/auth/ChangeLog
new file mode 100644
index 0000000..fcd790f
--- /dev/null
+++ b/crypto/heimdal/lib/auth/ChangeLog
@@ -0,0 +1,114 @@
+2001-03-06  Assar Westerlund  <assar@sics.se>
+
+	* sia/Makefile.am: make sure of using -rpath and not -R when
+	calling ld
+
+2001-02-15  Assar Westerlund  <assar@sics.se>
+
+	* pam/pam.c (psyslog): do not log to console
+
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* sia/Makefile.am (libsia_krb5.so): actually run ld in the case
+	shared library case
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* sia/sia.c (siad_ses_init): handle krb5_init_context failure
+	consistently
+	* afskauthlib/verify.c (verify_krb5): handle krb5_init_context
+	failure consistently
+
+2000-11-30  Johan Danielsson  <joda@pdc.kth.se>
+
+	* afskauthlib/Makefile.am: use libtool
+
+	* afskauthlib/Makefile.am: work with krb4 only
+
+2000-07-30  Johan Danielsson  <joda@pdc.kth.se>
+
+	* sia/Makefile.am: don't compress library, since 5.0 seems to have
+	a problem with this
+
+2000-07-02  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c: fixes for pag setting
+
+1999-12-30  Assar Westerlund  <assar@sics.se>
+
+	* sia/Makefile.am: try to link with shared libraries if we don't
+ 	find any static ones
+
+1999-12-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* sia/sia.c: don't use string concatenation with TKT_ROOT
+
+1999-11-15  Assar Westerlund  <assar@sics.se>
+
+	* */lib/Makefile.in: set LIBNAME.  From Enrico Scholz
+ 	<Enrico.Scholz@informatik.tu-chemnitz.de>
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c (verify_krb5): need realm for v5 -> v4
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c (verify_krb5): update to new
+ 	krb524_convert_creds_kdc
+
+1999-09-28  Assar Westerlund  <assar@sics.se>
+
+	* sia/sia.c (doauth): use krb5_get_local_realms and
+ 	krb5_verify_user_lrealm
+
+	* afskauthlib/verify.c (verify_krb5): remove krb5_kuserok.  use
+ 	krb5_verify_user_lrealm
+
+1999-08-27  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pam/Makefile.in: link with res_search/dn_expand libraries
+
+1999-08-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* afskauthlib/verify.c: make this compile w/o krb4
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c: incorporate patches from Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+Thu Apr  8 14:35:34 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/sia.c: remove definition of KRB_VERIFY_USER (moved to
+ 	config.h)
+
+	* sia/Makefile.am: make it build w/o krb4
+
+	* afskauthlib/verify.c: add krb5 support
+
+	* afskauthlib/Makefile.am: build afskauthlib.so
+
+Wed Apr  7 14:06:22 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/sia.c: make it compile w/o krb4
+
+	* sia/Makefile.am: make it compile w/o krb4
+
+Thu Apr  1 18:09:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/sia_locl.h: POSIX_GETPWNAM_R is defined in config.h
+
+Sun Mar 21 14:08:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/Makefile.in: add posix_getpw.c
+	  
+	* sia/Makefile.am: makefile for sia
+	  
+	* sia/posix_getpw.c: move from sia.c
+	  
+	* sia/sia_locl.h: merge with krb5 version
+	  
+	* sia/sia.c: merge with krb5 version
+	  
+	* sia/sia5.c: remove unused variables
diff --git a/crypto/heimdal/lib/auth/Makefile.am b/crypto/heimdal/lib/auth/Makefile.am
new file mode 100644
index 0000000..0310dc3
--- /dev/null
+++ b/crypto/heimdal/lib/auth/Makefile.am
@@ -0,0 +1,6 @@
+# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = @LIB_AUTH_SUBDIRS@
+DIST_SUBDIRS = afskauthlib pam sia
diff --git a/crypto/heimdal/lib/auth/Makefile.in b/crypto/heimdal/lib/auth/Makefile.in
new file mode 100644
index 0000000..95b2a6b
--- /dev/null
+++ b/crypto/heimdal/lib/auth/Makefile.in
@@ -0,0 +1,553 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+SUBDIRS = @LIB_AUTH_SUBDIRS@
+DIST_SUBDIRS = afskauthlib pam sia
+subdir = lib/auth
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/auth/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+#     (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+
+all-recursive install-data-recursive install-exec-recursive \
+installdirs-recursive install-recursive uninstall-recursive  \
+check-recursive installcheck-recursive info-recursive dvi-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+	@set fnord $(MAKEFLAGS); amf=$$2; \
+	dot_seen=no; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
+	done; \
+	rev="$$rev ."; \
+	target=`echo $@ | sed s/-recursive//`; \
+	for subdir in $$rev; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	   || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \
+	done && test -z "$$fail"
+tags-recursive:
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+   if test "$$subdir" = .; then :; else \
+	    test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
+   fi; \
+	done; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	for subdir in $(DIST_SUBDIRS); do \
+	  if test "$$subdir" = .; then :; else \
+	    test -d $(distdir)/$$subdir \
+	    || mkdir $(distdir)/$$subdir \
+	    || exit 1; \
+	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(top_distdir) distdir=../$(distdir)/$$subdir distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-recursive
+dvi-am:
+dvi: dvi-recursive
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-recursive
+installcheck-am:
+installcheck: installcheck-recursive
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-recursive
+
+install-data-am: install-data-local
+install-data: install-data-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-recursive
+uninstall-am:
+uninstall: uninstall-recursive
+all-am: Makefile all-local
+all-redirect: all-recursive
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs: installdirs-recursive
+installdirs-am:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-recursive
+
+clean-am:  clean-tags clean-generic mostlyclean-am
+
+clean: clean-recursive
+
+distclean-am:  distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-recursive
+
+maintainer-clean-am:  maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-recursive
+
+.PHONY: install-recursive uninstall-recursive install-data-recursive \
+uninstall-data-recursive install-exec-recursive \
+uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
+all-recursive check-recursive installcheck-recursive info-recursive \
+dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
+maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs-am installdirs \
+mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/auth/afskauthlib/Makefile.am b/crypto/heimdal/lib/auth/afskauthlib/Makefile.am
new file mode 100644
index 0000000..d3e771c
--- /dev/null
+++ b/crypto/heimdal/lib/auth/afskauthlib/Makefile.am
@@ -0,0 +1,49 @@
+# $Id: Makefile.am,v 1.5 2000/11/30 01:39:09 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+DEFS = @DEFS@
+
+foodir = $(libdir)
+foo_DATA = afskauthlib.so
+
+SUFFIXES += .c .o
+
+SRCS = verify.c
+OBJS = verify.o
+
+CLEANFILES = $(foo_DATA) $(OBJS) so_locations
+
+afskauthlib.so: $(OBJS)
+	$(LINK) -shared $(OBJS) $(L)
+
+.c.o:
+	$(COMPILE) -c $<
+
+if KRB4
+KAFS = $(top_builddir)/lib/kafs/libkafs.la
+endif
+
+if KRB5
+L = \
+	$(KAFS)	\
+	$(top_builddir)/lib/krb5/libkrb5.la	\
+	$(top_builddir)/lib/asn1/libasn1.la	\
+	$(LIB_krb4)					\
+	$(top_builddir)/lib/des/libdes.la		\
+	$(top_builddir)/lib/roken/libroken.la	\
+	-lc
+
+else
+
+L = \
+	$(KAFS)	\
+	$(LIB_krb4)					\
+	$(top_builddir)/lib/des/libdes.la		\
+	$(top_builddir)/lib/roken/libroken.la	\
+	-lc
+endif
+
+$(OBJS): $(top_builddir)/include/config.h
diff --git a/crypto/heimdal/lib/auth/afskauthlib/Makefile.in b/crypto/heimdal/lib/auth/afskauthlib/Makefile.in
new file mode 100644
index 0000000..8946cdf
--- /dev/null
+++ b/crypto/heimdal/lib/auth/afskauthlib/Makefile.in
@@ -0,0 +1,492 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.5 2000/11/30 01:39:09 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .o
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+DEFS = @DEFS@
+
+foodir = $(libdir)
+foo_DATA = afskauthlib.so
+
+SRCS = verify.c
+OBJS = verify.o
+
+CLEANFILES = $(foo_DATA) $(OBJS) so_locations
+
+@KRB4_TRUE@KAFS = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la
+
+@KRB5_TRUE@L = @KRB5_TRUE@\
+@KRB5_TRUE@	$(KAFS)	\
+@KRB5_TRUE@	$(top_builddir)/lib/krb5/libkrb5.la	\
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la	\
+@KRB5_TRUE@	$(LIB_krb4)					\
+@KRB5_TRUE@	$(top_builddir)/lib/des/libdes.la		\
+@KRB5_TRUE@	$(top_builddir)/lib/roken/libroken.la	\
+@KRB5_TRUE@	-lc
+@KRB5_FALSE@L = @KRB5_FALSE@\
+@KRB5_FALSE@	$(KAFS)	\
+@KRB5_FALSE@	$(LIB_krb4)					\
+@KRB5_FALSE@	$(top_builddir)/lib/des/libdes.la		\
+@KRB5_FALSE@	$(top_builddir)/lib/roken/libroken.la	\
+@KRB5_FALSE@	-lc
+subdir = lib/auth/afskauthlib
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+DATA =  $(foo_DATA)
+
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .o
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/auth/afskauthlib/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+install-fooDATA: $(foo_DATA)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(foodir)
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f; \
+	done
+
+uninstall-fooDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(foodir)/$$f"; \
+	  rm -f $(DESTDIR)$(foodir)/$$f; \
+	done
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-fooDATA install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-fooDATA
+uninstall: uninstall-am
+all-am: Makefile $(DATA) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(foodir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: uninstall-fooDATA install-fooDATA tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+afskauthlib.so: $(OBJS)
+	$(LINK) -shared $(OBJS) $(L)
+
+.c.o:
+	$(COMPILE) -c $<
+
+$(OBJS): $(top_builddir)/include/config.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/auth/afskauthlib/verify.c b/crypto/heimdal/lib/auth/afskauthlib/verify.c
new file mode 100644
index 0000000..e0e31b6
--- /dev/null
+++ b/crypto/heimdal/lib/auth/afskauthlib/verify.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verify.c,v 1.24 2000/12/31 07:57:08 assar Exp $");
+#endif
+#include <unistd.h>
+#include <sys/types.h>
+#include <pwd.h>
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#include <kafs.h>
+#endif
+#include <roken.h>
+
+#ifdef KRB5
+static char krb5ccname[128];
+#endif
+#ifdef KRB4
+static char krbtkfile[128];
+#endif
+
+/* 
+   In some cases is afs_gettktstring called twice (once before
+   afs_verify and once after afs_verify).
+   In some cases (rlogin with access allowed via .rhosts) 
+   afs_verify is not called!
+   So we can't rely on correct value in krbtkfile in some
+   cases!
+*/
+
+static int correct_tkfilename=0;
+static int pag_set=0;
+
+#ifdef KRB4
+static void
+set_krbtkfile(uid_t uid)
+{
+    snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
+    krb_set_tkt_string (krbtkfile);
+    correct_tkfilename = 1;
+}
+#endif
+
+/* XXX this has to be the default cache name, since the KRB5CCNAME
+ * environment variable isn't exported by login/xdm
+ */
+
+#ifdef KRB5
+static void
+set_krb5ccname(uid_t uid)
+{
+    snprintf (krb5ccname, sizeof(krb5ccname), "FILE:/tmp/krb5cc_%d", uid);
+#ifdef KRB4
+    snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
+#endif
+    correct_tkfilename = 1;
+}
+#endif
+
+static void
+set_spec_krbtkfile(void)
+{
+    int fd;
+#ifdef KRB4
+    snprintf (krbtkfile, sizeof(krbtkfile), "%s_XXXXXX", TKT_ROOT);
+    fd = mkstemp(krbtkfile);
+    close(fd);
+    unlink(krbtkfile); 
+    krb_set_tkt_string (krbtkfile);
+#endif
+#ifdef KRB5
+    snprintf(krb5ccname, sizeof(krb5ccname),"FILE:/tmp/krb5cc_XXXXXX");
+    fd=mkstemp(krb5ccname+5);
+    close(fd);
+    unlink(krb5ccname+5);
+#endif
+}
+
+#ifdef KRB5
+static int
+verify_krb5(struct passwd *pwd,
+	    char *password,
+	    int32_t *exp,
+	    int quiet)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_ccache ccache;
+    krb5_principal principal;
+    
+    ret = krb5_init_context(&context);
+    if (ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_init_context failed: %d", ret);
+	goto out;
+    }
+
+    ret = krb5_parse_name (context, pwd->pw_name, &principal);
+    if (ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    set_krb5ccname(pwd->pw_uid);
+    ret = krb5_cc_resolve(context, krb5ccname, &ccache);
+    if(ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    ret = krb5_verify_user_lrealm(context,
+				  principal,
+				  ccache,
+				  password,
+				  TRUE,
+				  NULL);
+    if(ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) {
+	syslog(LOG_AUTH|LOG_DEBUG, "chown: %s", 
+	       krb5_get_err_text(context, errno));
+	goto out;
+    }
+
+#ifdef KRB4
+    if (krb5_config_get_bool(context, NULL,
+			     "libdefaults",
+			     "krb4_get_tickets",
+			     NULL)) {
+	CREDENTIALS c;
+	krb5_creds mcred, cred;
+        krb5_realm realm;
+
+        krb5_get_default_realm(context, &realm);
+	krb5_make_principal(context, &mcred.server, realm,
+			    "krbtgt",
+			    realm,
+			    NULL);
+	free (realm);
+	ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
+	if(ret == 0) {
+	    ret = krb524_convert_creds_kdc(context, ccache, &cred, &c);
+	    if(ret)
+		krb5_warn(context, ret, "converting creds");
+	    else {
+		set_krbtkfile(pwd->pw_uid);
+		tf_setup(&c, c.pname, c.pinst); 
+	    }
+	    memset(&c, 0, sizeof(c));
+	    krb5_free_creds_contents(context, &cred);
+	} else
+	    syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s", 
+		   krb5_get_err_text(context, ret));
+	    
+	krb5_free_principal(context, mcred.server);
+    }
+    if (!pag_set && k_hasafs()) {
+	k_setpag();
+	pag_set = 1;
+    }
+
+    if (pag_set)
+	krb5_afslog_uid_home(context, ccache, NULL, NULL, 
+			     pwd->pw_uid, pwd->pw_dir);
+#endif
+out:
+    if(ret && !quiet)
+	printf ("%s\n", krb5_get_err_text (context, ret));
+    return ret;
+}
+#endif
+
+#ifdef KRB4
+static int
+verify_krb4(struct passwd *pwd,
+	    char *password,
+	    int32_t *exp,
+	    int quiet)
+{
+    int ret = 1;
+    char lrealm[REALM_SZ];
+    
+    if (krb_get_lrealm (lrealm, 1) != KFAILURE) {
+	set_krbtkfile(pwd->pw_uid);
+	ret = krb_verify_user (pwd->pw_name, "", lrealm, password,
+			       KRB_VERIFY_SECURE, NULL);
+	if (ret == KSUCCESS) {
+	    if (!pag_set && k_hasafs()) {
+		k_setpag ();
+		pag_set = 1;
+            }
+            if (pag_set)
+		krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
+	} else if (!quiet)
+	    printf ("%s\n", krb_get_err_text (ret));
+    }
+    return ret;
+}
+#endif
+
+int
+afs_verify(char *name,
+	   char *password,
+	   int32_t *exp,
+	   int quiet)
+{
+    int ret = 1;
+    struct passwd *pwd = k_getpwnam (name);
+
+    if(pwd == NULL)
+	return 1;
+
+    if (!pag_set && k_hasafs()) {
+        k_setpag();
+        pag_set=1;
+    }
+
+    if (ret)
+	ret = unix_verify_user (name, password);
+#ifdef KRB5
+    if (ret)
+	ret = verify_krb5(pwd, password, exp, quiet);
+#endif
+#ifdef KRB4
+    if(ret)
+	ret = verify_krb4(pwd, password, exp, quiet);
+#endif
+    return ret;
+}
+
+char *
+afs_gettktstring (void)
+{
+    char *ptr;
+    struct passwd *pwd;
+
+    if (!correct_tkfilename) {
+	ptr = getenv("LOGNAME"); 
+	if (ptr != NULL && ((pwd = getpwnam(ptr)) != NULL)) {
+	    set_krb5ccname(pwd->pw_uid);
+#ifdef KRB4
+	    set_krbtkfile(pwd->pw_uid);
+	    if (!pag_set && k_hasafs()) {
+                k_setpag();
+                pag_set=1;
+	    }
+#endif
+	} else {
+	    set_spec_krbtkfile();
+	}
+    }
+#ifdef KRB5
+    esetenv("KRB5CCNAME",krb5ccname,1);
+#endif
+#ifdef KRB4
+    esetenv("KRBTKFILE",krbtkfile,1);
+    return krbtkfile;
+#else
+    return "";
+#endif
+}
diff --git a/crypto/heimdal/lib/auth/pam/Makefile.am b/crypto/heimdal/lib/auth/pam/Makefile.am
new file mode 100644
index 0000000..abde2d9
--- /dev/null
+++ b/crypto/heimdal/lib/auth/pam/Makefile.am
@@ -0,0 +1,3 @@
+# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
diff --git a/crypto/heimdal/lib/auth/pam/Makefile.in b/crypto/heimdal/lib/auth/pam/Makefile.in
new file mode 100644
index 0000000..54ca6e6
--- /dev/null
+++ b/crypto/heimdal/lib/auth/pam/Makefile.in
@@ -0,0 +1,434 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+subdir = lib/auth/pam
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/auth/pam/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: tags distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/auth/pam/pam.c b/crypto/heimdal/lib/auth/pam/pam.c
new file mode 100644
index 0000000..eeb2d25
--- /dev/null
+++ b/crypto/heimdal/lib/auth/pam/pam.c
@@ -0,0 +1,443 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include<config.h>
+RCSID("$Id: pam.c,v 1.27 2001/02/15 04:30:05 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <pwd.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <syslog.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#ifndef PAM_AUTHTOK_RECOVERY_ERR /* Fix linsux typo. */
+#define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR
+#endif
+
+#include <netinet/in.h>
+#include <krb.h>
+#include <kafs.h>
+
+#if 0
+/* Debugging PAM modules is a royal pain, truss helps. */
+#define DEBUG(msg) (access(msg " at line", __LINE__))
+#endif
+
+static void
+psyslog(int level, const char *format, ...)
+{
+  va_list args;
+  va_start(args, format);
+  openlog("pam_krb4", LOG_PID, LOG_AUTH);
+  vsyslog(level, format, args);
+  va_end(args);
+  closelog();
+}
+
+enum {
+  KRB4_DEBUG,
+  KRB4_USE_FIRST_PASS,
+  KRB4_TRY_FIRST_PASS,
+  KRB4_IGNORE_ROOT,
+  KRB4_NO_VERIFY,
+  KRB4_REAFSLOG,
+  KRB4_CTRLS			/* Number of ctrl arguments defined. */
+};
+
+#define KRB4_DEFAULTS  0
+
+static int ctrl_flags = KRB4_DEFAULTS;
+#define ctrl_on(x)  (krb4_args[x].flag & ctrl_flags)
+#define ctrl_off(x) (!ctrl_on(x))
+
+typedef struct
+{
+  const char *token;
+  unsigned int flag;
+} krb4_ctrls_t;
+
+static krb4_ctrls_t krb4_args[KRB4_CTRLS] =
+{
+  /* KRB4_DEBUG          */ { "debug",          0x01 },
+  /* KRB4_USE_FIRST_PASS */ { "use_first_pass", 0x02 },
+  /* KRB4_TRY_FIRST_PASS */ { "try_first_pass", 0x04 },
+  /* KRB4_IGNORE_ROOT    */ { "ignore_root",    0x08 },
+  /* KRB4_NO_VERIFY      */ { "no_verify",      0x10 },
+  /* KRB4_REAFSLOG       */ { "reafslog",       0x20 },
+};
+
+static void
+parse_ctrl(int argc, const char **argv)
+{
+  int i, j;
+
+  ctrl_flags = KRB4_DEFAULTS;
+  for (i = 0; i < argc; i++)
+    {
+      for (j = 0; j < KRB4_CTRLS; j++)
+	if (strcmp(argv[i], krb4_args[j].token) == 0)
+	  break;
+    
+      if (j >= KRB4_CTRLS)
+	psyslog(LOG_ALERT, "unrecognized option [%s]", *argv);
+      else
+	ctrl_flags |= krb4_args[j].flag;
+    }
+}
+
+static void
+pdeb(const char *format, ...)
+{
+  va_list args;
+  if (ctrl_off(KRB4_DEBUG))
+    return;
+  va_start(args, format);
+  openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
+  vsyslog(LOG_DEBUG, format, args);
+  va_end(args);
+  closelog();
+}
+
+#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid())
+
+static void
+set_tkt_string(uid_t uid)
+{
+  char buf[128];
+
+  snprintf(buf, sizeof(buf), "%s%u", TKT_ROOT, (unsigned)uid);
+  krb_set_tkt_string(buf);
+
+#if 0
+  /* pam_set_data+pam_get_data are not guaranteed to work, grr. */
+  pam_set_data(pamh, "KRBTKFILE", strdup(t), cleanup);
+  if (pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt) == PAM_SUCCESS)
+    {
+      pam_putenv(pamh, var);
+    }
+#endif
+
+  /* We don't want to inherit this variable.
+   * If we still do, it must have a sane value. */
+  if (getenv("KRBTKFILE") != 0)
+    {
+      char *var = malloc(sizeof(buf));
+      snprintf(var, sizeof(buf), "KRBTKFILE=%s", tkt_string());
+      putenv(var);
+      /* free(var); XXX */
+    }
+}
+
+static int
+verify_pass(pam_handle_t *pamh,
+	    const char *name,
+	    const char *inst,
+	    const char *pass)
+{
+  char realm[REALM_SZ];
+  int ret, krb_verify, old_euid, old_ruid;
+
+  krb_get_lrealm(realm, 1);
+  if (ctrl_on(KRB4_NO_VERIFY))
+    krb_verify = KRB_VERIFY_SECURE_FAIL;
+  else
+    krb_verify = KRB_VERIFY_SECURE;
+  old_ruid = getuid();
+  old_euid = geteuid();
+  setreuid(0, 0);
+  ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL);
+  pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s",
+       name, inst, realm, krb_verify,
+       krb_get_err_text(ret));
+  setreuid(old_ruid, old_euid);
+  if (getuid() != old_ruid || geteuid() != old_euid)
+    {
+      psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
+	      old_ruid, old_euid, __LINE__);
+      exit(1);
+    }
+    
+  switch(ret) {
+  case KSUCCESS:
+    return PAM_SUCCESS;
+  case KDC_PR_UNKNOWN:
+    return PAM_USER_UNKNOWN;
+  case SKDC_CANT:
+  case SKDC_RETRY:
+  case RD_AP_TIME:
+    return PAM_AUTHINFO_UNAVAIL;
+  default:
+    return PAM_AUTH_ERR;
+  }
+}
+
+static int
+krb4_auth(pam_handle_t *pamh,
+	  int flags,
+	  const char *name,
+	  const char *inst,
+	  struct pam_conv *conv)
+{
+  struct pam_response *resp;
+  char prompt[128];
+  struct pam_message msg, *pmsg = &msg;
+  int ret;
+
+  if (ctrl_on(KRB4_TRY_FIRST_PASS) || ctrl_on(KRB4_USE_FIRST_PASS))
+    {
+      char *pass = 0;
+      ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass);
+      if (ret != PAM_SUCCESS)
+        {
+          psyslog(LOG_ERR , "pam_get_item returned error to get-password");
+          return ret;
+        }
+      else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS)
+	return PAM_SUCCESS;
+      else if (ctrl_on(KRB4_USE_FIRST_PASS))
+	return PAM_AUTHTOK_RECOVERY_ERR;       /* Wrong password! */
+      else
+	/* We tried the first password but it didn't work, cont. */;
+    }
+
+  msg.msg_style = PAM_PROMPT_ECHO_OFF;
+  if (*inst == 0)
+    snprintf(prompt, sizeof(prompt), "%s's Password: ", name);
+  else
+    snprintf(prompt, sizeof(prompt), "%s.%s's Password: ", name, inst);
+  msg.msg = prompt;
+
+  ret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr);
+  if (ret != PAM_SUCCESS)
+    return ret;
+
+  ret = verify_pass(pamh, name, inst, resp->resp);
+  if (ret == PAM_SUCCESS)
+    {
+      memset(resp->resp, 0, strlen(resp->resp)); /* Erase password! */
+      free(resp->resp);
+      free(resp);
+    }
+  else
+    {
+      pam_set_item(pamh, PAM_AUTHTOK, resp->resp); /* Save password. */
+      /* free(resp->resp); XXX */
+      /* free(resp); XXX */
+    }
+  
+  return ret;
+}
+
+int
+pam_sm_authenticate(pam_handle_t *pamh,
+		    int flags,
+		    int argc,
+		    const char **argv)
+{
+  char *user;
+  int ret;
+  struct pam_conv *conv;
+  struct passwd *pw;
+  uid_t uid = -1;
+  const char *name, *inst;
+  char realm[REALM_SZ];
+  realm[0] = 0;
+
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_authenticate");
+
+  ret = pam_get_user(pamh, &user, "login: ");
+  if (ret != PAM_SUCCESS)
+    return ret;
+
+  if (ctrl_on(KRB4_IGNORE_ROOT) && strcmp(user, "root") == 0)
+    return PAM_AUTHINFO_UNAVAIL;
+
+  ret = pam_get_item(pamh, PAM_CONV, (void*)&conv);
+  if (ret != PAM_SUCCESS)
+    return ret;
+
+  pw = getpwnam(user);
+  if (pw != 0)
+    {
+      uid = pw->pw_uid;
+      set_tkt_string(uid);
+    }
+    
+  if (strcmp(user, "root") == 0 && getuid() != 0)
+    {
+      pw = getpwuid(getuid());
+      if (pw != 0)
+	{
+	  name = strdup(pw->pw_name);
+	  inst = "root";
+	}
+    }
+  else
+    {
+      name = user;
+      inst = "";
+    }
+
+  ret = krb4_auth(pamh, flags, name, inst, conv);
+
+  /*
+   * The realm was lost inside krb_verify_user() so we can't simply do
+   * a krb_kuserok() when inst != "".
+   */
+  if (ret == PAM_SUCCESS && inst[0] != 0)
+    {
+      uid_t old_euid = geteuid();
+      uid_t old_ruid = getuid();
+
+      setreuid(0, 0);		/* To read ticket file. */
+      if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
+	ret = PAM_SERVICE_ERR;
+      else if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
+	{
+	  setreuid(0, uid);	/*  To read ~/.klogin. */
+	  if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
+	    ret = PAM_PERM_DENIED;
+	}
+
+      if (ret != PAM_SUCCESS)
+	{
+	  dest_tkt();		/* Passwd known, ok to kill ticket. */
+	  psyslog(LOG_NOTICE,
+		  "%s.%s@%s is not allowed to log in as %s",
+		  name, inst, realm, user);
+	}
+
+      setreuid(old_ruid, old_euid);
+      if (getuid() != old_ruid || geteuid() != old_euid)
+	{
+	  psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
+		  old_ruid, old_euid, __LINE__);
+	  exit(1);
+	}
+    }
+
+  if (ret == PAM_SUCCESS)
+    {
+      psyslog(LOG_INFO,
+	      "%s.%s@%s authenticated as user %s",
+	      name, inst, realm, user);
+      if (chown(tkt_string(), uid, -1) == -1)
+	{
+	  dest_tkt();
+	  psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid);
+	  exit(1);
+	}
+    }
+
+  /*
+   * Kludge alert!!! Sun dtlogin unlock screen fails to call
+   * pam_setcred(3) with PAM_REFRESH_CRED after a successful
+   * authentication attempt, sic.
+   *
+   * This hack is designed as a workaround to that problem.
+   */
+  if (ctrl_on(KRB4_REAFSLOG))
+    if (ret == PAM_SUCCESS)
+      pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);
+  
+  return ret;
+}
+
+int 
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_setcred");
+
+  switch (flags & ~PAM_SILENT) {
+  case 0:
+  case PAM_ESTABLISH_CRED:
+    if (k_hasafs())
+      k_setpag();
+    /* Fall through, fill PAG with credentials below. */
+  case PAM_REINITIALIZE_CRED:
+  case PAM_REFRESH_CRED:
+    if (k_hasafs())
+      {
+	void *user = 0;
+
+	if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS)
+	  {
+	    struct passwd *pw = getpwnam((char *)user);
+	    if (pw != 0)
+	      krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0,
+				  pw->pw_uid, pw->pw_dir);
+	  }
+      }
+    break;
+  case PAM_DELETE_CRED:
+    dest_tkt();
+    if (k_hasafs())
+      k_unlog();
+    break;
+  default:
+    psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
+    break;
+  }
+  
+  return PAM_SUCCESS;
+}
+
+int
+pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_open_session");
+
+  return PAM_SUCCESS;
+}
+
+
+int
+pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv)
+{
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_close_session");
+
+  /* This isn't really kosher, but it's handy. */
+  pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv);
+
+  return PAM_SUCCESS;
+}
diff --git a/crypto/heimdal/lib/auth/pam/pam.conf.add b/crypto/heimdal/lib/auth/pam/pam.conf.add
new file mode 100644
index 0000000..7db3e3d
--- /dev/null
+++ b/crypto/heimdal/lib/auth/pam/pam.conf.add
@@ -0,0 +1,97 @@
+To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch:
+
+--- /etc/pam.conf.DIST	Mon Jul 20 15:37:46 1998
++++ /etc/pam.conf	Tue Feb 15 19:39:12 2000
+@@ -4,15 +4,19 @@
+ #
+ # Authentication management
+ #
++login	auth sufficient	/usr/athena/lib/pam_krb4.so
+ login	auth required 	/usr/lib/security/pam_unix.so.1 
+ login	auth required 	/usr/lib/security/pam_dial_auth.so.1 
+ #
+ rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
+ rlogin	auth required 	/usr/lib/security/pam_unix.so.1
+ #
++dtlogin	auth sufficient	/usr/athena/lib/pam_krb4.so
+ dtlogin	auth required 	/usr/lib/security/pam_unix.so.1 
+ #
+ rsh	auth required	/usr/lib/security/pam_rhosts_auth.so.1
++# Reafslog is for dtlogin lock display
++other	auth sufficient	/usr/athena/lib/pam_krb4.so reafslog
+ other	auth required	/usr/lib/security/pam_unix.so.1
+ #
+ # Account management
+@@ -24,6 +28,8 @@
+ #
+ # Session management
+ #
++dtlogin	session required	/usr/athena/lib/pam_krb4.so
++login	session required	/usr/athena/lib/pam_krb4.so
+ other	session required	/usr/lib/security/pam_unix.so.1 
+ #
+ # Password management
+---------------------------------------------------------------------------
+To enable PAM in /bin/login and xdm under Red Hat 6.? apply these patches:
+
+--- /etc/pam.d/login~	Tue Dec  7 12:01:35 1999
++++ /etc/pam.d/login	Wed May 31 16:27:55 2000
+@@ -1,9 +1,12 @@
+ #%PAM-1.0
++# Updated to work with kerberos
++auth       sufficient   /usr/athena/lib/pam_krb4.so.1.0.1
+ auth       required	/lib/security/pam_securetty.so
+ auth       required	/lib/security/pam_pwdb.so shadow nullok
+ auth       required	/lib/security/pam_nologin.so
+ account    required	/lib/security/pam_pwdb.so
+ password   required	/lib/security/pam_cracklib.so
+ password   required	/lib/security/pam_pwdb.so nullok use_authtok md5 shadow
++session    required     /usr/athena/lib/pam_krb4.so.1.0.1
+ session    required	/lib/security/pam_pwdb.so
+ session    optional	/lib/security/pam_console.so
+--- /etc/pam.d/xdm~	Wed May 31 16:33:54 2000
++++ /etc/pam.d/xdm	Wed May 31 16:28:29 2000
+@@ -1,8 +1,11 @@
+ #%PAM-1.0
++# Updated to work with kerberos
++auth       sufficient   /usr/athena/lib/pam_krb4.so.1.0.1
+ auth       required	/lib/security/pam_pwdb.so shadow nullok
+ auth       required	/lib/security/pam_nologin.so
+ account    required	/lib/security/pam_pwdb.so
+ password   required	/lib/security/pam_cracklib.so
+ password   required	/lib/security/pam_pwdb.so shadow nullok use_authtok
++session    required     /usr/athena/lib/pam_krb4.so.1.0.1
+ session    required	/lib/security/pam_pwdb.so
+ session    optional     /lib/security/pam_console.so
+--- /etc/pam.d/gdm~	Wed May 31 16:33:54 2000
++++ /etc/pam.d/gdm	Wed May 31 16:34:28 2000
+@@ -1,8 +1,11 @@
+ #%PAM-1.0
++# Updated to work with kerberos
++auth       sufficient   /usr/athena/lib/pam_krb4.so.1.0.1
+ auth       required	/lib/security/pam_pwdb.so shadow nullok
+ auth       required	/lib/security/pam_nologin.so
+ account    required	/lib/security/pam_pwdb.so
+ password   required	/lib/security/pam_cracklib.so
+ password   required	/lib/security/pam_pwdb.so shadow nullok use_authtok
++session    required     /usr/athena/lib/pam_krb4.so.1.0.1
+ session    required	/lib/security/pam_pwdb.so
+ session    optional     /lib/security/pam_console.so
+
+--------------------------------------------------------------------------
+
+This stuff may work under some other system.
+
+# To get this to work, you will have to add entries to /etc/pam.conf
+#
+# To make login kerberos-aware, you might change pam.conf to look
+# like:
+
+# login authorization
+login   auth       sufficient   /lib/security/pam_krb4.so
+login   auth       required     /lib/security/pam_securetty.so
+login   auth       required     /lib/security/pam_unix_auth.so
+login   account    required     /lib/security/pam_unix_acct.so
+login   password   required     /lib/security/pam_unix_passwd.so
+login   session    required     /lib/security/pam_krb4.so
+login   session    required     /lib/security/pam_unix_session.so
diff --git a/crypto/heimdal/lib/auth/sia/Makefile.am b/crypto/heimdal/lib/auth/sia/Makefile.am
new file mode 100644
index 0000000..ae52155
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/Makefile.am
@@ -0,0 +1,110 @@
+# $Id: Makefile.am,v 1.9 2001/03/06 16:57:09 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+WFLAGS += $(WFLAGS_NOIMPLICITINT)
+
+DEFS = @DEFS@
+
+## this is horribly ugly, but automake/libtool doesn't allow us to
+## unconditionally build shared libraries, and it does not allow us to
+## link with non-installed libraries
+
+if KRB4
+KAFS=$(top_builddir)/lib/kafs/.libs/libkafs.a
+KAFS_S=$(top_builddir)/lib/kafs/.libs/libkafs.so
+endif
+
+if KRB5
+L = \
+	$(KAFS)						\
+	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
+	$(top_builddir)/lib/asn1/.libs/libasn1.a	\
+	$(LIB_krb4)					\
+	$(top_builddir)/lib/des/.libs/libdes.a		\
+	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
+	$(top_builddir)/lib/roken/.libs/libroken.a	\
+	$(LIB_getpwnam_r)				\
+	-lc
+
+L_shared = \
+	$(KAFS_S)					\
+	$(top_builddir)/lib/krb5/.libs/libkrb5.so	\
+	$(top_builddir)/lib/asn1/.libs/libasn1.so	\
+	$(LIB_krb4)					\
+	$(top_builddir)/lib/des/.libs/libdes.so		\
+	$(top_builddir)/lib/com_err/.libs/libcom_err.so	\
+	$(top_builddir)/lib/roken/.libs/libroken.so	\
+	$(LIB_getpwnam_r)				\
+	-lc
+
+MOD = libsia_krb5.so
+
+else
+
+L = \
+	$(KAFS)						\
+	$(top_builddir)/lib/kadm/.libs/libkadm.a	\
+	$(top_builddir)/lib/krb/.libs/libkrb.a		\
+	$(top_builddir)/lib/des/.libs/libdes.a		\
+	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
+	$(top_builddir)/lib/roken/.libs/libroken.a	\
+	$(LIB_getpwnam_r)				\
+	-lc
+
+L_shared = \
+	$(KAFS_S)					\
+	$(top_builddir)/lib/kadm/.libs/libkadm.so	\
+	$(top_builddir)/lib/krb/.libs/libkrb.so		\
+	$(top_builddir)/lib/des/.libs/libdes.so		\
+	$(top_builddir)/lib/com_err/.libs/libcom_err.so	\
+	$(top_builddir)/lib/roken/.libs/libroken.so	\
+	$(LIB_getpwnam_r)				\
+	-lc
+
+MOD = libsia_krb4.so
+
+endif
+
+EXTRA_DIST = sia.c krb4_matrix.conf krb4+c2_matrix.conf \
+	krb5_matrix.conf krb5+c2_matrix.conf security.patch
+
+foodir = $(libdir)
+foo_DATA = $(MOD)
+
+LDFLAGS = -rpath $(libdir) -hidden -exported_symbol siad_\* 
+
+OBJS = sia.o posix_getpw.o
+
+libsia_krb5.so: $(OBJS)
+	@if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L) | sed 's,-R,-rpath,g'`; \
+	elif test -f $(top_builddir)/lib/krb5/.libs/libkrb5.so; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L_shared) | sed 's,-R,-rpath,g'`"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L_shared) | sed 's,-R,-rpath,g'`; \
+	else \
+		echo "missing libraries"; exit 1; \
+	fi
+	ostrip -x -z $@
+
+libsia_krb4.so: $(OBJS)
+	@if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L) | sed 's,-R,-rpath,g'`"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L) | sed 's,-R,-rpath,g'`; \
+	elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L_shared) | sed 's,-R,-rpath,g'`"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L_shared) | sed 's,-R,-rpath,g'`; \
+	else \
+		echo "missing libraries"; exit 1; \
+	fi
+	ostrip -x $@
+
+CLEANFILES = $(MOD) $(OBJS) so_locations
+
+SUFFIXES += .c .o
+
+.c.o:
+	$(COMPILE) -c $<
diff --git a/crypto/heimdal/lib/auth/sia/Makefile.in b/crypto/heimdal/lib/auth/sia/Makefile.in
new file mode 100644
index 0000000..15bfc0a
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/Makefile.in
@@ -0,0 +1,546 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.9 2001/03/06 16:57:09 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .o
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT)
+
+DEFS = @DEFS@
+
+@KRB4_TRUE@KAFS = @KRB4_TRUE@$(top_builddir)/lib/kafs/.libs/libkafs.a
+@KRB4_TRUE@KAFS_S = @KRB4_TRUE@$(top_builddir)/lib/kafs/.libs/libkafs.so
+
+@KRB5_TRUE@L = @KRB5_TRUE@\
+@KRB5_TRUE@	$(KAFS)						\
+@KRB5_TRUE@	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/.libs/libasn1.a	\
+@KRB5_TRUE@	$(LIB_krb4)					\
+@KRB5_TRUE@	$(top_builddir)/lib/des/.libs/libdes.a		\
+@KRB5_TRUE@	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
+@KRB5_TRUE@	$(top_builddir)/lib/roken/.libs/libroken.a	\
+@KRB5_TRUE@	$(LIB_getpwnam_r)				\
+@KRB5_TRUE@	-lc
+@KRB5_FALSE@L = @KRB5_FALSE@\
+@KRB5_FALSE@	$(KAFS)						\
+@KRB5_FALSE@	$(top_builddir)/lib/kadm/.libs/libkadm.a	\
+@KRB5_FALSE@	$(top_builddir)/lib/krb/.libs/libkrb.a		\
+@KRB5_FALSE@	$(top_builddir)/lib/des/.libs/libdes.a		\
+@KRB5_FALSE@	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
+@KRB5_FALSE@	$(top_builddir)/lib/roken/.libs/libroken.a	\
+@KRB5_FALSE@	$(LIB_getpwnam_r)				\
+@KRB5_FALSE@	-lc
+
+@KRB5_TRUE@L_shared = @KRB5_TRUE@\
+@KRB5_TRUE@	$(KAFS_S)					\
+@KRB5_TRUE@	$(top_builddir)/lib/krb5/.libs/libkrb5.so	\
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/.libs/libasn1.so	\
+@KRB5_TRUE@	$(LIB_krb4)					\
+@KRB5_TRUE@	$(top_builddir)/lib/des/.libs/libdes.so		\
+@KRB5_TRUE@	$(top_builddir)/lib/com_err/.libs/libcom_err.so	\
+@KRB5_TRUE@	$(top_builddir)/lib/roken/.libs/libroken.so	\
+@KRB5_TRUE@	$(LIB_getpwnam_r)				\
+@KRB5_TRUE@	-lc
+@KRB5_FALSE@L_shared = @KRB5_FALSE@\
+@KRB5_FALSE@	$(KAFS_S)					\
+@KRB5_FALSE@	$(top_builddir)/lib/kadm/.libs/libkadm.so	\
+@KRB5_FALSE@	$(top_builddir)/lib/krb/.libs/libkrb.so		\
+@KRB5_FALSE@	$(top_builddir)/lib/des/.libs/libdes.so		\
+@KRB5_FALSE@	$(top_builddir)/lib/com_err/.libs/libcom_err.so	\
+@KRB5_FALSE@	$(top_builddir)/lib/roken/.libs/libroken.so	\
+@KRB5_FALSE@	$(LIB_getpwnam_r)				\
+@KRB5_FALSE@	-lc
+
+@KRB5_TRUE@MOD = @KRB5_TRUE@libsia_krb5.so
+@KRB5_FALSE@MOD = @KRB5_FALSE@libsia_krb4.so
+
+EXTRA_DIST = sia.c krb4_matrix.conf krb4+c2_matrix.conf \
+	krb5_matrix.conf krb5+c2_matrix.conf security.patch
+
+
+foodir = $(libdir)
+foo_DATA = $(MOD)
+
+LDFLAGS = -rpath $(libdir) -hidden -exported_symbol siad_\* 
+
+OBJS = sia.o posix_getpw.o
+
+CLEANFILES = $(MOD) $(OBJS) so_locations
+subdir = lib/auth/sia
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../../include/config.h
+CONFIG_CLEAN_FILES = 
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+DATA =  $(foo_DATA)
+
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .o
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/auth/sia/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+install-fooDATA: $(foo_DATA)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(foodir)
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f; \
+	done
+
+uninstall-fooDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(foodir)/$$f"; \
+	  rm -f $(DESTDIR)$(foodir)/$$f; \
+	done
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-fooDATA install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-fooDATA
+uninstall: uninstall-am
+all-am: Makefile $(DATA) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(foodir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: uninstall-fooDATA install-fooDATA tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+libsia_krb5.so: $(OBJS)
+	@if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L) | sed 's,-R,-rpath,g'`; \
+	elif test -f $(top_builddir)/lib/krb5/.libs/libkrb5.so; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L_shared) | sed 's,-R,-rpath,g'`"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L_shared) | sed 's,-R,-rpath,g'`; \
+	else \
+		echo "missing libraries"; exit 1; \
+	fi
+	ostrip -x -z $@
+
+libsia_krb4.so: $(OBJS)
+	@if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L) | sed 's,-R,-rpath,g'`"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L) | sed 's,-R,-rpath,g'`; \
+	elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \
+		echo "ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L_shared) | sed 's,-R,-rpath,g'`"; \
+		ld -shared -o $@ $(LDFLAGS) $(OBJS) `echo $(L_shared) | sed 's,-R,-rpath,g'`; \
+	else \
+		echo "missing libraries"; exit 1; \
+	fi
+	ostrip -x $@
+
+.c.o:
+	$(COMPILE) -c $<
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/auth/sia/krb4+c2_matrix.conf b/crypto/heimdal/lib/auth/sia/krb4+c2_matrix.conf
new file mode 100644
index 0000000..4b90e02
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/krb4+c2_matrix.conf
@@ -0,0 +1,58 @@
+# Copyright (c) 1998 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+
+# $Id: krb4+c2_matrix.conf,v 1.4 1999/12/02 16:58:37 joda Exp $
+
+# sia matrix configuration file (Kerberos 4 + C2)
+
+siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chk_invoker=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_estab=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_finger=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_shell=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
diff --git a/crypto/heimdal/lib/auth/sia/krb4_matrix.conf b/crypto/heimdal/lib/auth/sia/krb4_matrix.conf
new file mode 100644
index 0000000..4f55a81
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/krb4_matrix.conf
@@ -0,0 +1,59 @@
+# Copyright (c) 1998 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+
+# $Id: krb4_matrix.conf,v 1.6 1999/12/02 16:58:37 joda Exp $
+
+# sia matrix configuration file (Kerberos 4 + BSD)
+
+siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) 
+siad_chk_invoker=(BSD,libc.so)
+siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)
+siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_estab=(BSD,libc.so)
+siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chg_finger=(BSD,libc.so)
+siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chg_shell=(BSD,libc.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+
diff --git a/crypto/heimdal/lib/auth/sia/krb5+c2_matrix.conf b/crypto/heimdal/lib/auth/sia/krb5+c2_matrix.conf
new file mode 100644
index 0000000..c2952e2
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/krb5+c2_matrix.conf
@@ -0,0 +1,27 @@
+# $Id: krb5+c2_matrix.conf,v 1.2 1998/11/26 20:58:18 assar Exp $
+
+# sia matrix configuration file (Kerberos 5 + C2)
+
+siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_chk_invoker=(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_estab=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_reauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_finger=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_password=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_shell=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chk_user=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
diff --git a/crypto/heimdal/lib/auth/sia/krb5_matrix.conf b/crypto/heimdal/lib/auth/sia/krb5_matrix.conf
new file mode 100644
index 0000000..e49366a
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/krb5_matrix.conf
@@ -0,0 +1,27 @@
+# $Id: krb5_matrix.conf,v 1.1 1997/05/15 18:34:18 joda Exp $
+
+# sia matrix configuration file (Kerberos 5 + BSD)
+
+siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) 
+siad_chk_invoker=(BSD,libc.so)
+siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so)
+siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_ses_estab=(BSD,libc.so)
+siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_ses_reauthent=(BSD,libc.so)
+siad_chg_finger=(BSD,libc.so)
+siad_chg_password=(BSD,libc.so)
+siad_chg_shell=(BSD,libc.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_chk_user=(BSD,libc.so)
diff --git a/crypto/heimdal/lib/auth/sia/posix_getpw.c b/crypto/heimdal/lib/auth/sia/posix_getpw.c
new file mode 100644
index 0000000..c5961dc
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/posix_getpw.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "sia_locl.h"
+
+RCSID("$Id: posix_getpw.c,v 1.1 1999/03/21 17:07:02 joda Exp $");
+
+#ifndef POSIX_GETPWNAM_R
+/* 
+ * These functions translate from the old Digital UNIX 3.x interface
+ * to POSIX.1c.
+ */
+
+int
+posix_getpwnam_r(const char *name, struct passwd *pwd, 
+		 char *buffer, int len, struct passwd **result)
+{
+    int ret = getpwnam_r(name, pwd, buffer, len);
+    if(ret == 0)
+	*result = pwd;
+    else{
+	*result = NULL;
+	ret = _Geterrno();
+	if(ret == 0){
+	    ret = ERANGE;
+	    _Seterrno(ret);
+	}
+    }
+    return ret;
+}
+
+int
+posix_getpwuid_r(uid_t uid, struct passwd *pwd, 
+		 char *buffer, int len, struct passwd **result)
+{
+    int ret = getpwuid_r(uid, pwd, buffer, len);
+    if(ret == 0)
+	*result = pwd;
+    else{
+	*result = NULL;
+	ret = _Geterrno();
+	if(ret == 0){
+	    ret = ERANGE;
+	    _Seterrno(ret);
+	}
+    }
+    return ret;
+}
+#endif /* POSIX_GETPWNAM_R */
diff --git a/crypto/heimdal/lib/auth/sia/security.patch b/crypto/heimdal/lib/auth/sia/security.patch
new file mode 100644
index 0000000..c407876
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/security.patch
@@ -0,0 +1,11 @@
+--- /sbin/init.d/security~      Tue Aug 20 22:44:09 1996
++++ /sbin/init.d/security       Fri Nov  1 14:52:56 1996
+@@ -49,7 +49,7 @@
+                    SECURITY=BASE
+                fi
+                ;;
+-       BASE)
++       BASE|KRB4)
+                ;;
+        *)
+                echo "security configuration set to default (BASE)."
diff --git a/crypto/heimdal/lib/auth/sia/sia.c b/crypto/heimdal/lib/auth/sia/sia.c
new file mode 100644
index 0000000..6092a88
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/sia.c
@@ -0,0 +1,676 @@
+/*
+ * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "sia_locl.h"
+
+RCSID("$Id: sia.c,v 1.35 2001/02/20 01:44:53 assar Exp $");
+
+int 
+siad_init(void)
+{
+    return SIADSUCCESS;
+}
+
+int 
+siad_chk_invoker(void)
+{
+    SIA_DEBUG(("DEBUG", "siad_chk_invoker"));
+    return SIADFAIL;
+}
+
+int 
+siad_ses_init(SIAENTITY *entity, int pkgind)
+{
+    krb5_error_code ret;
+    struct state *s = malloc(sizeof(*s));
+
+    SIA_DEBUG(("DEBUG", "siad_ses_init"));
+    if(s == NULL)
+	return SIADFAIL;
+    memset(s, 0, sizeof(*s));
+#ifdef SIA_KRB5
+    ret = krb5_init_context(&s->context);
+    if (ret)
+	return SIADFAIL;
+#endif
+    entity->mech[pkgind] = (int*)s;
+    return SIADSUCCESS;
+}
+
+static int
+setup_name(SIAENTITY *e, prompt_t *p)
+{
+    SIA_DEBUG(("DEBUG", "setup_name"));
+    e->name = malloc(SIANAMEMIN + 1);
+    if(e->name == NULL){
+	SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIANAMEMIN+1));
+	return SIADFAIL;
+    }
+    p->prompt = (unsigned char*)"login: ";
+    p->result = (unsigned char*)e->name;
+    p->min_result_length = 1;
+    p->max_result_length = SIANAMEMIN;
+    p->control_flags = 0;
+    return SIADSUCCESS;
+}
+
+static int
+setup_password(SIAENTITY *e, prompt_t *p)
+{
+    SIA_DEBUG(("DEBUG", "setup_password"));
+    e->password = malloc(SIAMXPASSWORD + 1);
+    if(e->password == NULL){
+	SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIAMXPASSWORD+1));
+	return SIADFAIL;
+    }
+    p->prompt = (unsigned char*)"Password: ";
+    p->result = (unsigned char*)e->password;
+    p->min_result_length = 0;
+    p->max_result_length = SIAMXPASSWORD;
+    p->control_flags = SIARESINVIS;
+    return SIADSUCCESS;
+}
+
+
+static int
+doauth(SIAENTITY *entity, int pkgind, char *name)
+{
+    struct passwd pw, *pwd;
+    char pwbuf[1024];
+    struct state *s = (struct state*)entity->mech[pkgind];
+#ifdef SIA_KRB5
+    krb5_realm *realms, *r;
+    krb5_principal principal;
+    krb5_ccache ccache;
+    krb5_error_code ret;
+#endif
+#ifdef SIA_KRB4
+    char realm[REALM_SZ];
+    char *toname, *toinst;
+    int ret;
+    struct passwd fpw, *fpwd;
+    char fpwbuf[1024];
+    int secure;
+#endif
+	
+    if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0){
+	SIA_DEBUG(("DEBUG", "failed to getpwnam(%s)", name));
+	return SIADFAIL;
+    }
+
+#ifdef SIA_KRB5
+    ret = krb5_get_default_realms(s->context, &realms);
+
+    for (r = realms; *r != NULL; ++r) {
+	krb5_make_principal (s->context, &principal, *r, entity->name, NULL);
+
+	if(krb5_kuserok(s->context, principal, entity->name))
+	    break;
+    }
+    krb5_free_host_realm (s->context, realms);
+    if (*r == NULL)
+	return SIADFAIL;
+
+    sprintf(s->ticket, "FILE:/tmp/krb5_cc%d_%d", pwd->pw_uid, getpid());
+    ret = krb5_cc_resolve(s->context, s->ticket, &ccache);
+    if(ret)
+	return SIADFAIL;
+#endif
+	
+#ifdef SIA_KRB4
+    snprintf(s->ticket, sizeof(s->ticket),
+	     "%s%u_%u", TKT_ROOT, (unsigned)pwd->pw_uid, (unsigned)getpid());
+    krb_get_lrealm(realm, 1);
+    toname = name;
+    toinst = "";
+    if(entity->authtype == SIA_A_SUAUTH){
+	uid_t ouid;
+#ifdef HAVE_SIAENTITY_OUID
+	ouid = entity->ouid;
+#else
+	ouid = getuid();
+#endif
+	if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0){
+	    SIA_DEBUG(("DEBUG", "failed to getpwuid(%u)", ouid));
+	    return SIADFAIL;
+	}
+	snprintf(s->ticket, sizeof(s->ticket), "%s_%s_to_%s_%d", 
+		 TKT_ROOT, fpwd->pw_name, pwd->pw_name, getpid());
+	if(strcmp(pwd->pw_name, "root") == 0){
+	    toname = fpwd->pw_name;
+	    toinst = pwd->pw_name;
+	}
+    }
+    if(entity->authtype == SIA_A_REAUTH) 
+	snprintf(s->ticket, sizeof(s->ticket), "%s", tkt_string());
+    
+    krb_set_tkt_string(s->ticket);
+	
+    setuid(0); /* XXX fix for fix in tf_util.c */
+    if(krb_kuserok(toname, toinst, realm, name)){
+	SIA_DEBUG(("DEBUG", "%s.%s@%s is not allowed to login as %s", 
+		   toname, toinst, realm, name));
+	return SIADFAIL;
+    }
+#endif
+#ifdef SIA_KRB5
+    ret = krb5_verify_user_lrealm(s->context, principal, ccache,
+				  entity->password, 1, NULL);
+    if(ret){
+	/* if this is most likely a local user (such as
+	   root), just silently return failure when the
+	   principal doesn't exist */
+	if(ret != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN && 
+	   ret != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
+	    SIALOG("WARNING", "krb5_verify_user(%s): %s", 
+		   entity->name, error_message(ret));
+	return SIADFAIL;
+    }
+#endif
+#ifdef SIA_KRB4
+    if (getuid () == 0)
+	secure = KRB_VERIFY_SECURE;
+    else
+	secure = KRB_VERIFY_NOT_SECURE;
+	
+    ret = krb_verify_user(toname, toinst, realm,
+			  entity->password, secure, NULL);
+    if(ret){
+	SIA_DEBUG(("DEBUG", "krb_verify_user: %s", krb_get_err_text(ret)));
+	if(ret != KDC_PR_UNKNOWN)
+	    /* since this is most likely a local user (such as
+	       root), just silently return failure when the
+	       principal doesn't exist */
+	    SIALOG("WARNING", "krb_verify_user(%s.%s): %s", 
+		   toname, toinst, krb_get_err_text(ret));
+	return SIADFAIL;
+    }
+#endif
+    if(sia_make_entity_pwd(pwd, entity) == SIAFAIL)
+	return SIADFAIL;
+    s->valid = 1;
+    return SIADSUCCESS;
+}
+
+
+static int 
+common_auth(sia_collect_func_t *collect, 
+	    SIAENTITY *entity, 
+	    int siastat,
+	    int pkgind)
+{
+    prompt_t prompts[2], *pr;
+    char *name;
+
+    SIA_DEBUG(("DEBUG", "common_auth"));
+    if((siastat == SIADSUCCESS) && (geteuid() == 0))
+	return SIADSUCCESS;
+    if(entity == NULL) {
+	SIA_DEBUG(("DEBUG", "entity == NULL"));
+	return SIADFAIL | SIADSTOP;
+    }
+    name = entity->name;
+    if(entity->acctname)
+	name = entity->acctname;
+    
+    if((collect != NULL) && entity->colinput) {
+	int num;
+	pr = prompts;
+	if(name == NULL){
+	    if(setup_name(entity, pr) != SIADSUCCESS)
+		return SIADFAIL;
+	    pr++;
+	}
+	if(entity->password == NULL){
+	    if(setup_password(entity, pr) != SIADSUCCESS)
+		return SIADFAIL;
+	    pr++;
+	}
+	num = pr - prompts;
+	if(num == 1){
+	    if((*collect)(240, SIAONELINER, (unsigned char*)"", num, 
+			  prompts) != SIACOLSUCCESS){
+		SIA_DEBUG(("DEBUG", "collect failed"));
+		return SIADFAIL | SIADSTOP;
+	    }
+	} else if(num > 0){
+	    if((*collect)(0, SIAFORM, (unsigned char*)"", num, 
+			  prompts) != SIACOLSUCCESS){
+		SIA_DEBUG(("DEBUG", "collect failed"));
+		return SIADFAIL | SIADSTOP;
+	    }
+	}
+    }
+    if(name == NULL)
+	name = entity->name;
+    if(name == NULL || name[0] == '\0'){
+	SIA_DEBUG(("DEBUG", "name is null"));
+	return SIADFAIL;
+    }
+
+    if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD){
+	SIA_DEBUG(("DEBUG", "entity->password is null"));
+	return SIADFAIL;
+    }
+    
+    return doauth(entity, pkgind, name);
+}
+
+
+int 
+siad_ses_authent(sia_collect_func_t *collect, 
+		 SIAENTITY *entity, 
+		 int siastat,
+		 int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_authent"));
+    return common_auth(collect, entity, siastat, pkgind);
+}
+
+int 
+siad_ses_estab(sia_collect_func_t *collect, 
+	       SIAENTITY *entity, int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_estab"));
+    return SIADFAIL;
+}
+
+int 
+siad_ses_launch(sia_collect_func_t *collect,
+		SIAENTITY *entity,
+		int pkgind)
+{
+    static char env[MaxPathLen];
+    struct state *s = (struct state*)entity->mech[pkgind];
+    SIA_DEBUG(("DEBUG", "siad_ses_launch"));
+    if(s->valid){
+#ifdef SIA_KRB5
+	chown(s->ticket + sizeof("FILE:") - 1, 
+	      entity->pwd->pw_uid, 
+	      entity->pwd->pw_gid);
+	snprintf(env, sizeof(env), "KRB5CCNAME=%s", s->ticket);
+#endif
+#ifdef SIA_KRB4
+	chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
+	snprintf(env, sizeof(env), "KRBTKFILE=%s", s->ticket);
+#endif
+	putenv(env);
+    }
+#ifdef KRB4
+    if (k_hasafs()) {
+	char cell[64];
+	k_setpag();
+	if(k_afs_cell_of_file(entity->pwd->pw_dir, cell, sizeof(cell)) == 0)
+	    krb_afslog(cell, 0);
+	krb_afslog_home(0, 0, entity->pwd->pw_dir);
+    }
+#endif
+    return SIADSUCCESS;
+}
+
+int 
+siad_ses_release(SIAENTITY *entity, int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_release"));
+    if(entity->mech[pkgind]){
+#ifdef SIA_KRB5
+	struct state *s = (struct state*)entity->mech[pkgind];
+	krb5_free_context(s->context);
+#endif
+	free(entity->mech[pkgind]);
+    }
+    return SIADSUCCESS;
+}
+
+int 
+siad_ses_suauthent(sia_collect_func_t *collect,
+		   SIAENTITY *entity,
+		   int siastat,
+		   int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_suauth"));
+    if(geteuid() != 0)
+	return SIADFAIL;
+    if(entity->name == NULL)
+	return SIADFAIL;
+    if(entity->name[0] == '\0') {
+	free(entity->name);
+	entity->name = strdup("root");
+	if (entity->name == NULL)
+	    return SIADFAIL;
+    }
+    return common_auth(collect, entity, siastat, pkgind);
+}
+
+int
+siad_ses_reauthent (sia_collect_func_t *collect,
+		    SIAENTITY *entity,
+		    int siastat,
+		    int pkgind)
+{
+    int ret;
+    SIA_DEBUG(("DEBUG", "siad_ses_reauthent"));
+    if(entity == NULL || entity->name == NULL)
+	return SIADFAIL;
+    ret = common_auth(collect, entity, siastat, pkgind);
+    if((ret & SIADSUCCESS)){
+	/* launch isn't (always?) called when doing reauth, so we must
+           duplicate some code here... */
+	struct state *s = (struct state*)entity->mech[pkgind];
+	chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
+#ifdef KRB4
+	if(k_hasafs()) {
+	    char cell[64];
+	    if(k_afs_cell_of_file(entity->pwd->pw_dir, 
+				  cell, sizeof(cell)) == 0)
+		krb_afslog(cell, 0);
+	    krb_afslog_home(0, 0, entity->pwd->pw_dir);
+	}
+#endif
+    }
+    return ret;
+}
+
+int
+siad_chg_finger (sia_collect_func_t *collect,
+		     const char *username, 
+		     int argc, 
+		     char *argv[])
+{
+    SIA_DEBUG(("DEBUG", "siad_chg_finger"));
+    return SIADFAIL;
+}
+
+#ifdef SIA_KRB5
+int
+siad_chg_password (sia_collect_func_t *collect,
+		     const char *username, 
+		     int argc, 
+		     char *argv[])
+{
+    return SIADFAIL;
+}
+#endif
+
+#ifdef SIA_KRB4
+static void
+sia_message(sia_collect_func_t *collect, int rendition, 
+	    const char *title, const char *message)
+{
+    prompt_t prompt;
+    prompt.prompt = (unsigned char*)message;
+    (*collect)(0, rendition, (unsigned char*)title, 1, &prompt);
+}
+
+static int
+init_change(sia_collect_func_t *collect, krb_principal *princ)
+{
+    prompt_t prompt;
+    char old_pw[MAX_KPW_LEN+1];
+    char *msg;
+    char tktstring[128];
+    int ret;
+    
+    SIA_DEBUG(("DEBUG", "init_change"));
+    prompt.prompt = (unsigned char*)"Old password: ";
+    prompt.result = (unsigned char*)old_pw;
+    prompt.min_result_length = 0;
+    prompt.max_result_length = sizeof(old_pw) - 1;
+    prompt.control_flags = SIARESINVIS;
+    asprintf(&msg, "Changing password for %s", krb_unparse_name(princ));
+    if(msg == NULL){
+	SIA_DEBUG(("DEBUG", "out of memory"));
+	return SIADFAIL;
+    }
+    ret = (*collect)(60, SIAONELINER, (unsigned char*)msg, 1, &prompt);
+    free(msg);
+    SIA_DEBUG(("DEBUG", "ret = %d", ret));
+    if(ret != SIACOLSUCCESS)
+	return SIADFAIL;
+    snprintf(tktstring, sizeof(tktstring), 
+	     "%s_cpw_%u", TKT_ROOT, (unsigned)getpid());
+    krb_set_tkt_string(tktstring);
+    
+    ret = krb_get_pw_in_tkt(princ->name, princ->instance, princ->realm, 
+			    PWSERV_NAME, KADM_SINST, 1, old_pw);
+    if (ret != KSUCCESS) {
+	SIA_DEBUG(("DEBUG", "krb_get_pw_in_tkt: %s", krb_get_err_text(ret)));
+	if (ret == INTK_BADPW)
+	    sia_message(collect, SIAWARNING, "", "Incorrect old password.");
+	else
+	    sia_message(collect, SIAWARNING, "", "Kerberos error.");
+	memset(old_pw, 0, sizeof(old_pw));
+	return SIADFAIL;
+    }
+    if(chown(tktstring, getuid(), -1) < 0){
+	dest_tkt();
+	return SIADFAIL;
+    }
+    memset(old_pw, 0, sizeof(old_pw));
+    return SIADSUCCESS;
+}
+
+int
+siad_chg_password (sia_collect_func_t *collect,
+		   const char *username, 
+		   int argc, 
+		   char *argv[])
+{
+    prompt_t prompts[2];
+    krb_principal princ;
+    int ret;
+    char new_pw1[MAX_KPW_LEN+1];
+    char new_pw2[MAX_KPW_LEN+1];
+    static struct et_list *et_list;
+
+    setprogname(argv[0]);
+
+    SIA_DEBUG(("DEBUG", "siad_chg_password"));
+    if(collect == NULL)
+	return SIADFAIL;
+
+    if(username == NULL)
+	username = getlogin();
+
+    ret = krb_parse_name(username, &princ);
+    if(ret)
+	return SIADFAIL;
+    if(princ.realm[0] == '\0')
+	krb_get_lrealm(princ.realm, 1);
+
+    if(et_list == NULL) {
+	initialize_kadm_error_table_r(&et_list);
+	initialize_krb_error_table_r(&et_list);
+    }
+
+    ret = init_change(collect, &princ);
+    if(ret != SIADSUCCESS)
+	return ret;
+
+again:
+    prompts[0].prompt = (unsigned char*)"New password: ";
+    prompts[0].result = (unsigned char*)new_pw1;
+    prompts[0].min_result_length = MIN_KPW_LEN;
+    prompts[0].max_result_length = sizeof(new_pw1) - 1;
+    prompts[0].control_flags = SIARESINVIS;
+    prompts[1].prompt = (unsigned char*)"Verify new password: ";
+    prompts[1].result = (unsigned char*)new_pw2;
+    prompts[1].min_result_length = MIN_KPW_LEN;
+    prompts[1].max_result_length = sizeof(new_pw2) - 1;
+    prompts[1].control_flags = SIARESINVIS;
+    if((*collect)(120, SIAFORM, (unsigned char*)"", 2, prompts) != 
+       SIACOLSUCCESS) {
+	dest_tkt();
+	return SIADFAIL;
+    }
+    if(strcmp(new_pw1, new_pw2) != 0){
+	sia_message(collect, SIAWARNING, "", "Password mismatch.");
+	goto again;
+    }
+    ret = kadm_check_pw(new_pw1);
+    if(ret) {
+	sia_message(collect, SIAWARNING, "", com_right(et_list, ret));
+	goto again;
+    }
+    
+    memset(new_pw2, 0, sizeof(new_pw2));
+    ret = kadm_init_link (PWSERV_NAME, KRB_MASTER, princ.realm);
+    if (ret != KADM_SUCCESS)
+	sia_message(collect, SIAWARNING, "Error initing kadmin connection", 
+		    com_right(et_list, ret));
+    else {
+	des_cblock newkey;
+	char *pw_msg; /* message from server */
+
+	des_string_to_key(new_pw1, &newkey);
+	ret = kadm_change_pw_plain((unsigned char*)&newkey, new_pw1, &pw_msg);
+	memset(newkey, 0, sizeof(newkey));
+      
+	if (ret == KADM_INSECURE_PW)
+	    sia_message(collect, SIAWARNING, "Insecure password", pw_msg);
+	else if (ret != KADM_SUCCESS)
+	    sia_message(collect, SIAWARNING, "Error changing password", 
+			com_right(et_list, ret));
+    }
+    memset(new_pw1, 0, sizeof(new_pw1));
+
+    if (ret != KADM_SUCCESS)
+	sia_message(collect, SIAWARNING, "", "Password NOT changed.");
+    else
+	sia_message(collect, SIAINFO, "", "Password changed.");
+    
+    dest_tkt();
+    if(ret)
+	return SIADFAIL;
+    return SIADSUCCESS;
+}
+#endif
+
+int
+siad_chg_shell (sia_collect_func_t *collect,
+		     const char *username, 
+		     int argc, 
+		     char *argv[])
+{
+    return SIADFAIL;
+}
+
+int
+siad_getpwent(struct passwd *result, 
+	      char *buf, 
+	      int bufsize, 
+	      struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getpwuid (uid_t uid, 
+	       struct passwd *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getpwnam (const char *name, 
+	       struct passwd *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_setpwent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_endpwent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getgrent(struct group *result, 
+	      char *buf, 
+	      int bufsize, 
+	      struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getgrgid (gid_t gid, 
+	       struct group *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getgrnam (const char *name, 
+	       struct group *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_setgrent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_endgrent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_chk_user (const char *logname, int checkflag)
+{
+    if(checkflag != CHGPASSWD)
+	return SIADFAIL;
+    return SIADSUCCESS;
+}
diff --git a/crypto/heimdal/lib/auth/sia/sia_locl.h b/crypto/heimdal/lib/auth/sia/sia_locl.h
new file mode 100644
index 0000000..0f3f74d
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/sia_locl.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+/* $Id: sia_locl.h,v 1.2 1999/04/01 16:09:22 joda Exp $ */
+
+#ifndef __sia_locl_h__
+#define __sia_locl_h__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+#include <siad.h>
+#include <pwd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+#ifdef KRB5
+#define SIA_KRB5
+#elif defined(KRB4)
+#define SIA_KRB4
+#endif
+
+#ifdef SIA_KRB5
+#include <krb5.h>
+#include <com_err.h>
+#endif
+#ifdef SIA_KRB4
+#include <krb.h>
+#include <krb_err.h>
+#include <kadm.h>
+#include <kadm_err.h>
+#endif
+#ifdef KRB4
+#include <kafs.h>
+#endif
+
+#include <roken.h>
+
+#ifndef POSIX_GETPWNAM_R
+
+#define getpwnam_r posix_getpwnam_r
+#define getpwuid_r posix_getpwuid_r
+
+#endif /* POSIX_GETPWNAM_R */
+
+#ifndef DEBUG
+#define SIA_DEBUG(X)
+#else
+#define SIA_DEBUG(X) SIALOG X
+#endif
+
+struct state{
+#ifdef SIA_KRB5
+    krb5_context context;
+    krb5_auth_context auth_context;
+#endif
+    char ticket[MaxPathLen];
+    int valid;
+};
+
+#endif /* __sia_locl_h__ */
diff --git a/crypto/heimdal/lib/com_err/ChangeLog b/crypto/heimdal/lib/com_err/ChangeLog
new file mode 100644
index 0000000..8291e78
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/ChangeLog
@@ -0,0 +1,149 @@
+2001-05-17  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 2:0:1
+
+2001-05-11  Assar Westerlund  <assar@sics.se>
+
+	* com_err.h (add_to_error_table): add prototype
+	* com_err.c (add_to_error_table): new function, from Derrick J
+	Brashear <shadow@dementia.org>
+
+2001-05-06  Assar Westerlund  <assar@sics.se>
+
+	* com_err.h: add printf formats for gcc
+
+2001-02-28  Johan Danielsson  <joda@pdc.kth.se>
+
+	* error.c (initialize_error_table_r): put table at end of the list
+
+2001-02-15  Assar Westerlund  <assar@sics.se>
+
+	* com_err.c (default_proc): add printf attributes
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 1:1:0
+
+2000-07-31  Assar Westerlund  <assar@sics.se>
+
+	* com_right.h (initialize_error_table_r): fix prototype
+
+2000-04-05  Assar Westerlund  <assar@sics.se>
+
+	* com_err.c (_et_lit): explicitly initialize it to NULL to make
+	dyld on Darwin/MacOS X happy
+
+2000-01-16  Assar Westerlund  <assar@sics.se>
+
+	* com_err.h: remove __P definition (now in com_right.h).  this
+	file always includes com_right.h so that's where it should reside.
+	* com_right.h: moved __P here and added it to the function
+	prototypes
+	* com_err.h (error_table_name): add __P
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* parse.y (statement): use asprintf
+
+1999-06-13  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: make it solaris make vpath-safe
+
+Thu Apr  1 11:13:53 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* compile_et.c: use getargs
+
+Sat Mar 20 00:16:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* compile_et.c: static-ize
+
+Thu Mar 18 11:22:13 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Tue Mar 16 22:30:05 1999  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: use YYACCEPT instead of return
+
+Sat Mar 13 22:22:56 1999  Assar Westerlund  <assar@sics.se>
+
+	* compile_et.c (generate_h): cast when calling is* to get rid of a
+ 	warning
+
+Thu Mar 11 15:00:51 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* parse.y: prototype for error_message
+
+Sun Nov 22 10:39:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* compile_et.h: include ctype and roken
+
+	* compile_et.c: include err.h
+	(generate_h): remove unused variable
+
+	* Makefile.in (WFLAGS): set
+
+Fri Nov 20 06:58:59 1998  Assar Westerlund  <assar@sics.se>
+
+	* lex.l: undef ECHO to work around AIX lex bug
+
+Sun Sep 27 02:23:59 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* com_err.c (error_message): try to pass code to strerror, to see
+ 	if it might be an errno code (this if broken, but some MIT code
+ 	seems to expect this behaviour)
+
+Sat Sep 26 17:42:39 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* compile_et.c: <foo_err.h> -> "foo_err.h"
+
+Tue Jun 30 17:17:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add str{cpy,cat}_truncate
+
+Mon May 25 05:24:39 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+Sun Apr 19 09:50:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sun Apr  5 09:22:11 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: define alloca to malloc in case we're using bison but
+ 	don't have alloca
+
+Tue Mar 24 05:13:01 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: link with snprintf (From Derrick J Brashear
+ 	<shadow@dementia.org>)
+
+Fri Feb 27 05:01:42 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: initialize ec->next
+
+Thu Feb 26 02:22:25 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: @LEXLIB@
+
+Sat Feb 21 15:18:54 1998  assar westerlund  <assar@sics.se>
+
+	* Makefile.in: set YACC and LEX
+
+Tue Feb 17 22:20:27 1998  Bjoern Groenvall  <bg@sics.se>
+
+	* com_right.h: Change typedefs so that one may mix MIT compile_et
+ 	generated code with krb4 dito.
+
+Tue Feb 17 16:30:55 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* compile_et.c (generate): Always return a value.
+
+	* parse.y: Files don't have to end with `end'.
+
+Mon Feb 16 16:09:20 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lex.l (getstring): Replace getc() with input().
+
+	* Makefile.am: Fixes for new compile_et.
diff --git a/crypto/heimdal/lib/com_err/Makefile.am b/crypto/heimdal/lib/com_err/Makefile.am
new file mode 100644
index 0000000..15fae4e
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/Makefile.am
@@ -0,0 +1,24 @@
+# $Id: Makefile.am,v 1.25 2001/05/17 00:01:26 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+YFLAGS = -d
+
+lib_LTLIBRARIES = libcom_err.la
+libcom_err_la_LDFLAGS = -version-info 2:0:1
+
+bin_PROGRAMS = compile_et
+
+include_HEADERS = com_err.h com_right.h
+
+compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l
+
+libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
+
+CLEANFILES = lex.c parse.c parse.h
+
+$(compile_et_OBJECTS): parse.h
+
+compile_et_LDADD = \
+	$(LIB_roken) \
+	$(LEXLIB)
diff --git a/crypto/heimdal/lib/com_err/Makefile.in b/crypto/heimdal/lib/com_err/Makefile.in
new file mode 100644
index 0000000..88f9ee7
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/Makefile.in
@@ -0,0 +1,659 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.25 2001/05/17 00:01:26 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+YFLAGS = -d
+
+lib_LTLIBRARIES = libcom_err.la
+libcom_err_la_LDFLAGS = -version-info 2:0:1
+
+bin_PROGRAMS = compile_et
+
+include_HEADERS = com_err.h com_right.h
+
+compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l
+
+libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
+
+CLEANFILES = lex.c parse.c parse.h
+
+compile_et_LDADD = \
+	$(LIB_roken) \
+	$(LEXLIB)
+
+subdir = lib/com_err
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libcom_err_la_LIBADD = 
+am_libcom_err_la_OBJECTS =  error.lo com_err.lo
+libcom_err_la_OBJECTS =  $(am_libcom_err_la_OBJECTS)
+bin_PROGRAMS =  compile_et$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+am_compile_et_OBJECTS =  compile_et.$(OBJEXT) parse.$(OBJEXT) \
+lex.$(OBJEXT)
+compile_et_OBJECTS =  $(am_compile_et_OBJECTS)
+compile_et_DEPENDENCIES = 
+compile_et_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libcom_err_la_SOURCES) $(compile_et_SOURCES)
+HEADERS =  $(include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ChangeLog Makefile.am Makefile.in \
+lex.c parse.c parse.h
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libcom_err_la_SOURCES) $(compile_et_SOURCES)
+OBJECTS = $(am_libcom_err_la_OBJECTS) $(am_compile_et_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .l .lo .o .obj .y
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/com_err/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libcom_err.la: $(libcom_err_la_OBJECTS) $(libcom_err_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libcom_err_la_LDFLAGS) $(libcom_err_la_OBJECTS) $(libcom_err_la_LIBADD) $(LIBS)
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+compile_et$(EXEEXT): $(compile_et_OBJECTS) $(compile_et_DEPENDENCIES)
+	@rm -f compile_et$(EXEEXT)
+	$(LINK) $(compile_et_LDFLAGS) $(compile_et_OBJECTS) $(compile_et_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+.l.c:
+	$(LEX) $(AM_LFLAGS) $(LFLAGS) $< && mv $(LEX_OUTPUT_ROOT).c $@
+.y.c:
+	$(YACC) $(AM_YFLAGS) $(YFLAGS) $< && mv y.tab.c $*.c
+	if test -f y.tab.h; then \
+	if cmp -s y.tab.h $*.h; then rm -f y.tab.h; else mv y.tab.h $*.h; fi; \
+	else :; fi
+parse.h: parse.c
+
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-binPROGRAMS: install-libLTLIBRARIES
+
+install-exec-am: install-libLTLIBRARIES install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-binPROGRAMS \
+		uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) \
+		$(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+	-test -z "lex.cparse.hparse.c" || rm -f lex.c parse.h parse.c
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-binPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-binPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-binPROGRAMS distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-binPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-binPROGRAMS distclean-binPROGRAMS \
+clean-binPROGRAMS maintainer-clean-binPROGRAMS uninstall-binPROGRAMS \
+install-binPROGRAMS uninstall-includeHEADERS install-includeHEADERS \
+tags mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(compile_et_OBJECTS): parse.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/com_err/com_err.c b/crypto/heimdal/lib/com_err/com_err.c
new file mode 100644
index 0000000..7975739
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/com_err.c
@@ -0,0 +1,169 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: com_err.c,v 1.17 2001/05/11 20:02:34 assar Exp $");
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#include "com_err.h"
+
+struct et_list *_et_list = NULL;
+
+
+const char *
+error_message (long code)
+{
+    static char msg[128];
+    const char *p = com_right(_et_list, code);
+    if (p == NULL)
+	p = strerror(code);
+    if (p != NULL && *p != '\0') {
+	strncpy(msg, p, sizeof(msg) - 1);
+	msg[sizeof(msg) - 1] = 0;
+    } else 
+	sprintf(msg, "Unknown error %ld", code);
+    return msg;
+}
+
+int
+init_error_table(const char **msgs, long base, int count)
+{
+    initialize_error_table_r(&_et_list, msgs, count, base);
+    return 0;
+}
+
+static void
+default_proc (const char *whoami, long code, const char *fmt, va_list args)
+    __attribute__((__format__(__printf__, 3, 0)));
+ 
+static void
+default_proc (const char *whoami, long code, const char *fmt, va_list args)
+{
+    if (whoami)
+      fprintf(stderr, "%s: ", whoami);
+    if (code)
+      fprintf(stderr, "%s ", error_message(code));
+    if (fmt)
+      vfprintf(stderr, fmt, args);
+    fprintf(stderr, "\r\n");	/* ??? */
+}
+
+static errf com_err_hook = default_proc;
+
+void 
+com_err_va (const char *whoami, 
+	    long code, 
+	    const char *fmt, 
+	    va_list args)
+{
+    (*com_err_hook) (whoami, code, fmt, args);
+}
+
+void
+com_err (const char *whoami,
+	 long code,
+	 const char *fmt, 
+	 ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    com_err_va (whoami, code, fmt, ap);
+    va_end(ap);
+}
+
+errf
+set_com_err_hook (errf new)
+{
+    errf old = com_err_hook;
+
+    if (new)
+	com_err_hook = new;
+    else
+	com_err_hook = default_proc;
+    
+    return old;
+}
+
+errf
+reset_com_err_hook (void) 
+{
+    return set_com_err_hook(NULL);
+}
+
+#define ERRCODE_RANGE   8       /* # of bits to shift table number */
+#define BITS_PER_CHAR   6       /* # bits to shift per character in name */
+
+static const char char_set[] =
+        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";
+
+static char buf[6];
+
+const char *
+error_table_name(int num)
+{
+    int ch;
+    int i;
+    char *p;
+
+    /* num = aa aaa abb bbb bcc ccc cdd ddd d?? ??? ??? */
+    p = buf;
+    num >>= ERRCODE_RANGE;
+    /* num = ?? ??? ??? aaa aaa bbb bbb ccc ccc ddd ddd */
+    num &= 077777777;
+    /* num = 00 000 000 aaa aaa bbb bbb ccc ccc ddd ddd */
+    for (i = 4; i >= 0; i--) {
+        ch = (num >> BITS_PER_CHAR * i) & ((1 << BITS_PER_CHAR) - 1);
+        if (ch != 0)
+            *p++ = char_set[ch-1];
+    }
+    *p = '\0';
+    return(buf);
+}
+
+void
+add_to_error_table(struct et_list *new_table)
+{
+    struct et_list *et;
+
+    for (et = _et_list; et; et = et->next) {
+	if (et->table->base == new_table->table->base)
+	    return;
+    }
+
+    new_table->next = _et_list;
+    _et_list = new_table;
+}
diff --git a/crypto/heimdal/lib/com_err/com_err.h b/crypto/heimdal/lib/com_err/com_err.h
new file mode 100644
index 0000000..a76214b
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/com_err.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: com_err.h,v 1.9 2001/05/11 20:03:36 assar Exp $ */
+
+/* MIT compatible com_err library */
+
+#ifndef __COM_ERR_H__
+#define __COM_ERR_H__
+
+#include <com_right.h>
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(X)
+#endif
+
+typedef void (*errf) __P((const char *, long, const char *, va_list));
+
+const char * error_message __P((long));
+int init_error_table __P((const char**, long, int));
+
+void com_err_va __P((const char *, long, const char *, va_list))
+    __attribute__((format(printf, 3, 0)));
+
+void com_err __P((const char *, long, const char *, ...))
+    __attribute__((format(printf, 3, 4)));
+
+errf set_com_err_hook __P((errf));
+errf reset_com_err_hook __P((void));
+
+const char *error_table_name  __P((int num));
+
+void add_to_error_table __P((struct et_list *new_table));
+
+#endif /* __COM_ERR_H__ */
diff --git a/crypto/heimdal/lib/com_err/com_right.h b/crypto/heimdal/lib/com_err/com_right.h
new file mode 100644
index 0000000..c87bb0d
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/com_right.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: com_right.h,v 1.11 2000/07/31 01:11:08 assar Exp $ */
+
+#ifndef __COM_RIGHT_H__
+#define __COM_RIGHT_H__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#endif
+
+#ifndef __P
+#ifdef __STDC__
+#define __P(X) X
+#else
+#define __P(X) ()
+#endif
+#endif
+
+struct error_table {
+    char const * const * msgs;
+    long base;
+    int n_msgs;
+};
+struct et_list {
+    struct et_list *next;
+    struct error_table *table;
+};
+extern struct et_list *_et_list;
+
+const char *com_right __P((struct et_list *list, long code));
+void initialize_error_table_r __P((struct et_list **, const char **, int, long));
+void free_error_table __P((struct et_list *));
+
+#endif /* __COM_RIGHT_H__ */
diff --git a/crypto/heimdal/lib/com_err/compile_et.c b/crypto/heimdal/lib/com_err/compile_et.c
new file mode 100644
index 0000000..ab7fc2e
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/compile_et.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#undef ROKEN_RENAME
+#include "compile_et.h"
+#include <getarg.h>
+
+RCSID("$Id: compile_et.c,v 1.14 2001/02/20 01:44:53 assar Exp $");
+
+#include <roken.h>
+#include <err.h>
+#include "parse.h"
+
+int numerror;
+extern FILE *yyin;
+
+extern void yyparse(void);
+
+long base;
+int number;
+char *prefix;
+char *id_str;
+
+char name[128];
+char Basename[128];
+
+#ifdef YYDEBUG
+extern int yydebug = 1;
+#endif
+
+char *filename;
+char hfn[128];
+char cfn[128];
+
+struct error_code *codes = NULL;
+
+static int
+generate_c(void)
+{
+    int n;
+    struct error_code *ec;
+
+    FILE *c_file = fopen(cfn, "w");
+    if(c_file == NULL)
+	return 1;
+
+    fprintf(c_file, "/* Generated from %s */\n", filename);
+    if(id_str) 
+	fprintf(c_file, "/* %s */\n", id_str);
+    fprintf(c_file, "\n");
+    fprintf(c_file, "#include <stddef.h>\n");
+    fprintf(c_file, "#include <com_err.h>\n");
+    fprintf(c_file, "#include \"%s\"\n", hfn);
+    fprintf(c_file, "\n");
+
+    fprintf(c_file, "static const char *text[] = {\n");
+
+    for(ec = codes, n = 0; ec; ec = ec->next, n++) {
+	while(n < ec->number) {
+	    fprintf(c_file, "\t/* %03d */ \"Reserved %s error (%d)\",\n",
+		    n, name, n);
+	    n++;
+	    
+	}
+	fprintf(c_file, "\t/* %03d */ \"%s\",\n", ec->number, ec->string);
+    }
+
+    fprintf(c_file, "\tNULL\n");
+    fprintf(c_file, "};\n");
+    fprintf(c_file, "\n");
+    fprintf(c_file, 
+	    "void initialize_%s_error_table_r(struct et_list **list)\n", 
+	    name);
+    fprintf(c_file, "{\n");
+    fprintf(c_file, 
+	    "    initialize_error_table_r(list, text, "
+	    "%s_num_errors, ERROR_TABLE_BASE_%s);\n", name, name);
+    fprintf(c_file, "}\n");
+    fprintf(c_file, "\n");
+    fprintf(c_file, "void initialize_%s_error_table(void)\n", name);
+    fprintf(c_file, "{\n");
+    fprintf(c_file,
+	    "    init_error_table(text, ERROR_TABLE_BASE_%s, "
+	    "%s_num_errors);\n", name, name);
+    fprintf(c_file, "}\n");
+
+    fclose(c_file);
+    return 0;
+}
+
+static int
+generate_h(void)
+{
+    struct error_code *ec;
+    char fn[128];
+    FILE *h_file = fopen(hfn, "w");
+    char *p;
+
+    if(h_file == NULL)
+	return 1;
+
+    snprintf(fn, sizeof(fn), "__%s__", hfn);
+    for(p = fn; *p; p++)
+	if(!isalnum((unsigned char)*p))
+	    *p = '_';
+    
+    fprintf(h_file, "/* Generated from %s */\n", filename);
+    if(id_str) 
+	fprintf(h_file, "/* %s */\n", id_str);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "#ifndef %s\n", fn);
+    fprintf(h_file, "#define %s\n", fn);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "#include <com_right.h>\n");
+    fprintf(h_file, "\n");
+    fprintf(h_file, 
+	    "void initialize_%s_error_table_r(struct et_list **);\n",
+	    name);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "void initialize_%s_error_table(void);\n", name);
+    fprintf(h_file, "#define init_%s_err_tbl initialize_%s_error_table\n", 
+	    name, name);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "typedef enum %s_error_number{\n", name);
+    fprintf(h_file, "\tERROR_TABLE_BASE_%s = %ld,\n", name, base);
+    fprintf(h_file, "\t%s_err_base = %ld,\n", name, base);
+
+    for(ec = codes; ec; ec = ec->next) {
+	fprintf(h_file, "\t%s = %ld,\n", ec->name, base + ec->number);
+    }
+
+    fprintf(h_file, "\t%s_num_errors = %d\n", name, number);
+    fprintf(h_file, "} %s_error_number;\n", name);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "#endif /* %s */\n", fn);
+
+
+    fclose(h_file);
+    return 0;
+}
+
+static int
+generate(void)
+{
+    return generate_c() || generate_h();
+}
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "error-table");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    char *p;
+    int optind = 0;
+
+    setprogname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(optind == argc) 
+	usage(1);
+    filename = argv[optind];
+    yyin = fopen(filename, "r");
+    if(yyin == NULL)
+	err(1, "%s", filename);
+	
+    
+    p = strrchr(filename, '/');
+    if(p)
+	p++;
+    else
+	p = filename;
+    strncpy(Basename, p, sizeof(Basename));
+    Basename[sizeof(Basename) - 1] = '\0';
+    
+    Basename[strcspn(Basename, ".")] = '\0';
+    
+    snprintf(hfn, sizeof(hfn), "%s.h", Basename);
+    snprintf(cfn, sizeof(cfn), "%s.c", Basename);
+    
+    yyparse();
+    if(numerror)
+	return 1;
+
+    return generate();
+}
diff --git a/crypto/heimdal/lib/com_err/compile_et.h b/crypto/heimdal/lib/com_err/compile_et.h
new file mode 100644
index 0000000..86dd113
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/compile_et.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: compile_et.h,v 1.6 2000/07/01 20:21:48 assar Exp $ */
+
+#ifndef __COMPILE_ET_H__
+#define __COMPILE_ET_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <ctype.h>
+#include <roken.h>
+
+extern long base;
+extern int number;
+extern char *prefix;
+extern char name[128];
+extern char *id_str;
+extern char *filename;
+extern int numerror;
+
+struct error_code {
+    unsigned number;
+    char *name;
+    char *string;
+    struct error_code *next, **tail;
+};
+
+extern struct error_code *codes;
+
+#define APPEND(L, V) 				\
+do {						\
+    if((L) == NULL) {				\
+	(L) = (V);				\
+	(L)->tail = &(V)->next;			\
+	(L)->next = NULL;			\
+    }else{					\
+	*(L)->tail = (V);			\
+	(L)->tail = &(V)->next;			\
+    }						\
+}while(0)
+
+#endif /* __COMPILE_ET_H__ */
diff --git a/crypto/heimdal/lib/com_err/error.c b/crypto/heimdal/lib/com_err/error.c
new file mode 100644
index 0000000..b22f25b
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/error.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1997, 1998, 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: error.c,v 1.15 2001/02/28 20:00:13 joda Exp $");
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <com_right.h>
+
+const char *
+com_right(struct et_list *list, long code)
+{
+    struct et_list *p;
+    for (p = list; p; p = p->next) {
+	if (code >= p->table->base && code < p->table->base + p->table->n_msgs)
+	    return p->table->msgs[code - p->table->base];
+    }
+    return NULL;
+}
+
+struct foobar {
+    struct et_list etl;
+    struct error_table et;
+};
+
+void
+initialize_error_table_r(struct et_list **list, 
+			 const char **messages, 
+			 int num_errors,
+			 long base)
+{
+    struct et_list *et, **end;
+    struct foobar *f;
+    for (end = list, et = *list; et; end = &et->next, et = et->next)
+        if (et->table->msgs == messages)
+            return;
+    f = malloc(sizeof(*f));
+    if (f == NULL)
+        return;
+    et = &f->etl;
+    et->table = &f->et;
+    et->table->msgs = messages;
+    et->table->n_msgs = num_errors;
+    et->table->base = base;
+    et->next = NULL;
+    *end = et;
+}
+			
+
+void
+free_error_table(struct et_list *et)
+{
+    while(et){
+	struct et_list *p = et;
+	et = et->next;
+	free(p);
+    }
+}
diff --git a/crypto/heimdal/lib/com_err/lex.h b/crypto/heimdal/lib/com_err/lex.h
new file mode 100644
index 0000000..9912bf4
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/lex.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: lex.h,v 1.1 2000/06/22 00:42:52 assar Exp $ */
+
+void error_message (const char *, ...)
+__attribute__ ((format (printf, 1, 2)));
+
+int yylex(void);
diff --git a/crypto/heimdal/lib/com_err/lex.l b/crypto/heimdal/lib/com_err/lex.l
new file mode 100644
index 0000000..e98db6f
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/lex.l
@@ -0,0 +1,126 @@
+%{
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ * This is to handle the definition of this symbol in some AIX
+ * headers, which will conflict with the definition that lex will
+ * generate for it.  It's only a problem for AIX lex.
+ */
+
+#undef ECHO
+
+#include "compile_et.h"
+#include "parse.h"
+#include "lex.h"
+
+RCSID("$Id: lex.l,v 1.6 2000/06/22 00:42:52 assar Exp $");
+
+static unsigned lineno = 1;
+static int getstring(void);
+
+#define YY_NO_UNPUT
+
+#undef ECHO
+
+%}
+
+
+%%
+et			{ return ET; }
+error_table		{ return ET; }
+ec			{ return EC; }
+error_code		{ return EC; }
+prefix			{ return PREFIX; }
+index			{ return INDEX; }
+id			{ return ID; }
+end			{ return END; }
+[0-9]+			{ yylval.number = atoi(yytext); return NUMBER; }
+#[^\n]*			;
+[ \t]			;
+\n			{ lineno++; }
+\"			{ return getstring(); }
+[a-zA-Z0-9_]+		{ yylval.string = strdup(yytext); return STRING; }
+.			{ return *yytext; }
+%%
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+static int
+getstring(void)
+{
+    char x[128];
+    int i = 0;
+    int c;
+    int quote = 0;
+    while((c = input()) != EOF){
+	if(quote) {
+	    x[i++] = c;
+	    quote = 0;
+	    continue;
+	}
+	if(c == '\n'){
+	    error_message("unterminated string");
+	    lineno++;
+	    break;
+	}
+	if(c == '\\'){
+	    quote++;
+	    continue;
+	}
+	if(c == '\"')
+	    break;
+	x[i++] = c;
+    }
+    x[i] = '\0';
+    yylval.string = strdup(x);
+    return STRING;
+}
+
+void
+error_message (const char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d:", filename, lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+     numerror++;
+}
diff --git a/crypto/heimdal/lib/com_err/parse.y b/crypto/heimdal/lib/com_err/parse.y
new file mode 100644
index 0000000..82e99ff
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/parse.y
@@ -0,0 +1,167 @@
+%{
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "compile_et.h"
+#include "lex.h"
+
+RCSID("$Id: parse.y,v 1.11 2000/06/22 00:42:52 assar Exp $");
+
+void yyerror (char *s);
+static long name2number(const char *str);
+
+extern char *yytext;
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+%}
+
+%union {
+  char *string;
+  int number;
+}
+
+%token ET INDEX PREFIX EC ID END
+%token <string> STRING
+%token <number> NUMBER
+
+%%
+
+file		: /* */ 
+		| header statements
+		;
+
+header		: id et
+		| et
+		;
+
+id		: ID STRING
+		{
+		    id_str = $2;
+		}
+		;
+
+et		: ET STRING
+		{
+		    base = name2number($2);
+		    strncpy(name, $2, sizeof(name));
+		    name[sizeof(name) - 1] = '\0';
+		    free($2);
+		}
+		| ET STRING STRING
+		{
+		    base = name2number($2);
+		    strncpy(name, $3, sizeof(name));
+		    name[sizeof(name) - 1] = '\0';
+		    free($2);
+		    free($3);
+		}
+		;
+
+statements	: statement
+		| statements statement
+		;
+
+statement	: INDEX NUMBER 
+		{
+			number = $2;
+		}
+		| PREFIX STRING
+		{
+		    prefix = realloc(prefix, strlen($2) + 2);
+		    strcpy(prefix, $2);
+		    strcat(prefix, "_");
+		    free($2);
+		}
+		| PREFIX
+		{
+		    prefix = realloc(prefix, 1);
+		    *prefix = '\0';
+		}
+		| EC STRING ',' STRING
+		{
+		    struct error_code *ec = malloc(sizeof(*ec));
+
+		    ec->next = NULL;
+		    ec->number = number;
+		    if(prefix && *prefix != '\0') {
+			asprintf (&ec->name, "%s%s", prefix, $2);
+			free($2);
+		    } else
+			ec->name = $2;
+		    ec->string = $4;
+		    APPEND(codes, ec);
+		    number++;
+		}
+		| END
+		{
+			YYACCEPT;
+		}
+		;
+
+%%
+
+static long
+name2number(const char *str)
+{
+    const char *p;
+    long base = 0;
+    const char *x = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+	"abcdefghijklmnopqrstuvwxyz0123456789_";
+    if(strlen(str) > 4) {
+	yyerror("table name too long");
+	return 0;
+    }
+    for(p = str; *p; p++){
+	char *q = strchr(x, *p);
+	if(q == NULL) {
+	    yyerror("invalid character in table name");
+	    return 0;
+	}
+	base = (base << 6) + (q - x) + 1;
+    }
+    base <<= 8;
+    if(base > 0x7fffffff)
+	base = -(0xffffffff - base + 1);
+    return base;
+}
+
+void
+yyerror (char *s)
+{
+     error_message ("%s\n", s);
+}
diff --git a/crypto/heimdal/lib/com_err/roken_rename.h b/crypto/heimdal/lib/com_err/roken_rename.h
new file mode 100644
index 0000000..173c9a7
--- /dev/null
+++ b/crypto/heimdal/lib/com_err/roken_rename.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.3 1999/12/02 16:58:38 joda Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/editline/ChangeLog b/crypto/heimdal/lib/editline/ChangeLog
new file mode 100644
index 0000000..be78368
--- /dev/null
+++ b/crypto/heimdal/lib/editline/ChangeLog
@@ -0,0 +1,98 @@
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: make libeditline and libel_compat into libtool
+	libraries but always make them static
+
+2000-03-01  Assar Westerlund  <assar@sics.se>
+
+	* edit_compat.c (readline): be more liberal in what we accept from
+	el_gets.  if count == 0 -> interpret it as EOF.  also copy the
+	string first and then cut of the newline, it's cleaner
+
+1999-12-23  Assar Westerlund  <assar@sics.se>
+
+	* editline.c (TTYinfo): add fallback if we fail to find "le" in
+ 	termcap.
+
+1999-08-06  Assar Westerlund  <assar@sics.se>
+
+	* editline.c (TTYinfo): copy backspace string to avoid referencing
+ 	into a local variable.
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: don't run testit in `make check'
+
+1999-04-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: don't run testit as a check
+
+Sat Apr 10 23:01:18 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* complete.c (rl_complete_filename): return if there were no
+ 	matches
+
+Thu Apr  8 15:08:25 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.in: snprintf
+
+	* roken_rename.h: add snprintf, asprintf
+
+	* Makefile.am: build testit
+
+	* complete.c: nuke NEW, DISPOSE, RENEW, and COPYFROMTO macros;
+ 	(rl_complete): call rl_list_possib instead of doing the same
+
+	* editline.h: nuke NEW, DISPOSE, RENEW, and COPYFROMTO macros
+
+	* editline.c: nuke NEW, DISPOSE, RENEW, and COPYFROMTO macros
+
+	* sysunix.c: add some whitespace
+
+Thu Mar 18 11:22:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Tue Mar 16 17:10:34 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* editline.c: remove protos for read/write
+
+Sat Mar 13 22:23:22 1999  Assar Westerlund  <assar@sics.se>
+
+	* <roken.h>: add
+
+Sun Nov 22 10:40:28 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Tue Sep 29 02:09:15 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (LIB_DEPS): add LIB_tgetent
+
+Thu Jul  2 15:10:08 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* edit_compat.c: support for newer libedit
+
+Tue Jun 30 17:18:09 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (distclean): don't remove roken_rename.h
+
+Fri May 29 19:03:38 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (strdup.c): remove dependency
+
+Mon May 25 05:25:16 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+Sun Apr 19 09:53:46 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sat Feb  7 07:24:30 1998  Assar Westerlund  <assar@sics.se>
+
+	* editline.h: add prototypes
+
+Tue Feb  3 10:24:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* editline.c: If read returns EINTR, try again.
diff --git a/crypto/heimdal/lib/editline/Makefile.am b/crypto/heimdal/lib/editline/Makefile.am
new file mode 100644
index 0000000..49e4885
--- /dev/null
+++ b/crypto/heimdal/lib/editline/Makefile.am
@@ -0,0 +1,54 @@
+# $Id: Makefile.am,v 1.12 2000/11/14 23:22:29 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+if do_roken_rename
+IS = -DROKEN_RENAME
+ES = snprintf.c strdup.c
+endif
+
+INCLUDES += $(IS)
+
+man_MANS = editline.3
+
+lib_LTLIBRARIES = libeditline.la
+if el_compat
+noinst_LTLIBRARIES = libel_compat.la
+else
+noinst_LTLIBRARIES =
+endif
+
+noinst_PROGRAMS = testit
+
+CHECK_LOCAL =
+
+testit_LDADD = \
+	libeditline.la \
+	$(LIB_tgetent) \
+	$(LIB_roken)
+
+include_HEADERS = editline.h
+
+libeditline_la_SOURCES = \
+	complete.c \
+	editline.c \
+	sysunix.c \
+	editline.h \
+	roken_rename.h \
+	unix.h \
+	$(EXTRA_SOURCE)
+
+libeditline_la_LDFLAGS = -static
+
+EXTRA_SOURCE = $(ES) 
+
+libel_compat_la_SOURCES = edit_compat.c
+
+libel_compat_la_LDFLAGS = -static
+
+EXTRA_DIST = $(man_MANS)
+
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
+strdup.c:
+	$(LN_S) $(srcdir)/../roken/strdup.c .
diff --git a/crypto/heimdal/lib/editline/Makefile.in b/crypto/heimdal/lib/editline/Makefile.in
new file mode 100644
index 0000000..4a06487
--- /dev/null
+++ b/crypto/heimdal/lib/editline/Makefile.in
@@ -0,0 +1,715 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.12 2000/11/14 23:22:29 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(IS)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = 
+
+@do_roken_rename_TRUE@IS = @do_roken_rename_TRUE@-DROKEN_RENAME
+@do_roken_rename_TRUE@ES = @do_roken_rename_TRUE@snprintf.c strdup.c
+
+man_MANS = editline.3
+
+lib_LTLIBRARIES = libeditline.la
+@el_compat_TRUE@noinst_LTLIBRARIES = @el_compat_TRUE@libel_compat.la
+@el_compat_FALSE@noinst_LTLIBRARIES = 
+
+noinst_PROGRAMS = testit
+
+testit_LDADD = \
+	libeditline.la \
+	$(LIB_tgetent) \
+	$(LIB_roken)
+
+
+include_HEADERS = editline.h
+
+libeditline_la_SOURCES = \
+	complete.c \
+	editline.c \
+	sysunix.c \
+	editline.h \
+	roken_rename.h \
+	unix.h \
+	$(EXTRA_SOURCE)
+
+
+libeditline_la_LDFLAGS = -static
+
+EXTRA_SOURCE = $(ES) 
+
+libel_compat_la_SOURCES = edit_compat.c
+
+libel_compat_la_LDFLAGS = -static
+
+EXTRA_DIST = $(man_MANS)
+subdir = lib/editline
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libeditline_la_LIBADD = 
+@do_roken_rename_FALSE@am_libeditline_la_OBJECTS =  complete.lo \
+@do_roken_rename_FALSE@editline.lo sysunix.lo
+@do_roken_rename_TRUE@am_libeditline_la_OBJECTS =  complete.lo \
+@do_roken_rename_TRUE@editline.lo sysunix.lo snprintf.lo strdup.lo
+libeditline_la_OBJECTS =  $(am_libeditline_la_OBJECTS)
+libel_compat_la_LIBADD = 
+am_libel_compat_la_OBJECTS =  edit_compat.lo
+libel_compat_la_OBJECTS =  $(am_libel_compat_la_OBJECTS)
+noinst_PROGRAMS =  testit$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+testit_SOURCES = testit.c
+testit_OBJECTS =  testit.$(OBJEXT)
+testit_DEPENDENCIES =  libeditline.la
+testit_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libeditline_la_SOURCES) $(libel_compat_la_SOURCES) \
+testit.c
+man3dir = $(mandir)/man3
+MANS = $(man_MANS)
+HEADERS =  $(include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  README $(include_HEADERS) ChangeLog Makefile.am \
+Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libeditline_la_SOURCES) $(libel_compat_la_SOURCES) testit.c
+OBJECTS = $(am_libeditline_la_OBJECTS) $(am_libel_compat_la_OBJECTS) testit.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/editline/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-noinstLTLIBRARIES:
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+
+distclean-noinstLTLIBRARIES:
+
+maintainer-clean-noinstLTLIBRARIES:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libeditline.la: $(libeditline_la_OBJECTS) $(libeditline_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libeditline_la_LDFLAGS) $(libeditline_la_OBJECTS) $(libeditline_la_LIBADD) $(LIBS)
+
+libel_compat.la: $(libel_compat_la_OBJECTS) $(libel_compat_la_DEPENDENCIES)
+	$(LINK)  $(libel_compat_la_LDFLAGS) $(libel_compat_la_OBJECTS) $(libel_compat_la_LIBADD) $(LIBS)
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+testit$(EXEEXT): $(testit_OBJECTS) $(testit_DEPENDENCIES)
+	@rm -f testit$(EXEEXT)
+	$(LINK) $(testit_LDFLAGS) $(testit_OBJECTS) $(testit_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man3:
+	$(mkinstalldirs) $(DESTDIR)$(man3dir)
+	@list='$(man3_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \
+	done
+
+uninstall-man3:
+	@list='$(man3_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man3dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man3
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man3
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-man \
+		uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(mandir)/man3 \
+		$(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libLTLIBRARIES \
+		mostlyclean-noinstLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-noinstPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-noinstLTLIBRARIES clean-compile \
+		clean-libtool clean-noinstPROGRAMS clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-noinstLTLIBRARIES \
+		distclean-compile distclean-libtool \
+		distclean-noinstPROGRAMS distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-noinstLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES \
+mostlyclean-noinstLTLIBRARIES distclean-noinstLTLIBRARIES \
+clean-noinstLTLIBRARIES maintainer-clean-noinstLTLIBRARIES \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS install-man3 uninstall-man3 install-man \
+uninstall-man uninstall-includeHEADERS install-includeHEADERS tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
+strdup.c:
+	$(LN_S) $(srcdir)/../roken/strdup.c .
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/editline/README b/crypto/heimdal/lib/editline/README
new file mode 100644
index 0000000..829db99
--- /dev/null
+++ b/crypto/heimdal/lib/editline/README
@@ -0,0 +1,45 @@
+$Revision: 1.1 $
+
+This is a line-editing library.  It can be linked into almost any
+program to provide command-line editing and recall.
+
+It is call-compatible with the FSF readline library, but it is a
+fraction of the size (and offers fewer features).  It does not use
+standard I/O.  It is distributed under a "C News-like" copyright.
+
+Configuration is done in the Makefile.  Type "make testit" to get
+a small slow shell for testing.
+
+An earlier version was distributed with Byron's rc.  Principal
+changes over that version include:
+	Faster.
+	Is eight-bit clean (thanks to brendan@cs.widener.edu)
+	Written in K&R C, but ANSI compliant (gcc all warnings)
+	Propagates EOF properly; rc trip test now passes
+	Doesn't need or use or provide memmove.
+	More robust
+	Calling sequence changed to be compatible with readline.
+	Test program, new manpage, better configuration
+	More system-independant; includes Unix and OS-9 support.
+
+Enjoy,
+	Rich $alz
+	<rsalz@osf.org>
+
+ Copyright 1992 Simmule Turner and Rich Salz.  All rights reserved.
+
+ This software is not subject to any license of the American Telephone
+ and Telegraph Company or of the Regents of the University of California.
+
+ Permission is granted to anyone to use this software for any purpose on
+ any computer system, and to alter it and redistribute it freely, subject
+ to the following restrictions:
+ 1. The authors are not responsible for the consequences of use of this
+    software, no matter how awful, even if they arise from flaws in it.
+ 2. The origin of this software must not be misrepresented, either by
+    explicit claim or by omission.  Since few users ever read sources,
+    credits must appear in the documentation.
+ 3. Altered versions must be plainly marked as such, and must not be
+    misrepresented as being the original software.  Since few users
+    ever read sources, credits must appear in the documentation.
+ 4. This notice may not be removed or altered.
diff --git a/crypto/heimdal/lib/editline/complete.c b/crypto/heimdal/lib/editline/complete.c
new file mode 100644
index 0000000..d2a311d
--- /dev/null
+++ b/crypto/heimdal/lib/editline/complete.c
@@ -0,0 +1,243 @@
+/*  Copyright 1992 Simmule Turner and Rich Salz.  All rights reserved. 
+ *
+ *  This software is not subject to any license of the American Telephone 
+ *  and Telegraph Company or of the Regents of the University of California. 
+ *
+ *  Permission is granted to anyone to use this software for any purpose on
+ *  any computer system, and to alter it and redistribute it freely, subject
+ *  to the following restrictions:
+ *  1. The authors are not responsible for the consequences of use of this
+ *     software, no matter how awful, even if they arise from flaws in it.
+ *  2. The origin of this software must not be misrepresented, either by
+ *     explicit claim or by omission.  Since few users ever read sources,
+ *     credits must appear in the documentation.
+ *  3. Altered versions must be plainly marked as such, and must not be
+ *     misrepresented as being the original software.  Since few users
+ *     ever read sources, credits must appear in the documentation.
+ *  4. This notice may not be removed or altered.
+ */
+
+/*
+**  History and file completion functions for editline library.
+*/
+#include <config.h>
+#include "editline.h"
+
+RCSID("$Id: complete.c,v 1.5 1999/04/10 21:01:16 joda Exp $");
+
+/*
+**  strcmp-like sorting predicate for qsort.
+*/
+static int
+compare(const void *p1, const void *p2)
+{
+    const char	**v1;
+    const char	**v2;
+    
+    v1 = (const char **)p1;
+    v2 = (const char **)p2;
+    return strcmp(*v1, *v2);
+}
+
+/*
+**  Fill in *avp with an array of names that match file, up to its length.
+**  Ignore . and .. .
+*/
+static int
+FindMatches(char *dir, char *file, char ***avp)
+{
+    char	**av;
+    char	**new;
+    char	*p;
+    DIR		*dp;
+    DIRENTRY	*ep;
+    size_t	ac;
+    size_t	len;
+
+    if ((dp = opendir(dir)) == NULL)
+	return 0;
+
+    av = NULL;
+    ac = 0;
+    len = strlen(file);
+    while ((ep = readdir(dp)) != NULL) {
+	p = ep->d_name;
+	if (p[0] == '.' && (p[1] == '\0' || (p[1] == '.' && p[2] == '\0')))
+	    continue;
+	if (len && strncmp(p, file, len) != 0)
+	    continue;
+
+	if ((ac % MEM_INC) == 0) {
+	    if ((new = malloc(sizeof(char*) * (ac + MEM_INC))) == NULL)
+		break;
+	    if (ac) {
+		memcpy(new, av, ac * sizeof (char **));
+		free(av);
+	    }
+	    *avp = av = new;
+	}
+
+	if ((av[ac] = strdup(p)) == NULL) {
+	    if (ac == 0)
+		free(av);
+	    break;
+	}
+	ac++;
+    }
+
+    /* Clean up and return. */
+    (void)closedir(dp);
+    if (ac)
+	qsort(av, ac, sizeof (char **), compare);
+    return ac;
+}
+
+/*
+**  Split a pathname into allocated directory and trailing filename parts.
+*/
+static int SplitPath(char *path, char **dirpart, char **filepart)
+{
+    static char	DOT[] = ".";
+    char	*dpart;
+    char	*fpart;
+
+    if ((fpart = strrchr(path, '/')) == NULL) {
+	if ((dpart = strdup(DOT)) == NULL)
+	    return -1;
+	if ((fpart = strdup(path)) == NULL) {
+	    free(dpart);
+	    return -1;
+	}
+    }
+    else {
+	if ((dpart = strdup(path)) == NULL)
+	    return -1;
+	dpart[fpart - path] = '\0';
+	if ((fpart = strdup(++fpart)) == NULL) {
+	    free(dpart);
+	    return -1;
+	}
+    }
+    *dirpart = dpart;
+    *filepart = fpart;
+    return 0;
+}
+
+/*
+**  Attempt to complete the pathname, returning an allocated copy.
+**  Fill in *unique if we completed it, or set it to 0 if ambiguous.
+*/
+
+static char *
+rl_complete_filename(char *pathname, int *unique)
+{
+    char	**av;
+    char	*new;
+    char	*p;
+    size_t	ac;
+    size_t	end;
+    size_t	i;
+    size_t	j;
+    size_t	len;
+    char *s;
+    
+    ac = rl_list_possib(pathname, &av);
+    if(ac == 0)
+	return NULL;
+
+    s = strrchr(pathname, '/');
+    if(s == NULL)
+	len = strlen(pathname);
+    else
+	len = strlen(s + 1);
+
+    p = NULL;
+    if (ac == 1) {
+	/* Exactly one match -- finish it off. */
+	*unique = 1;
+	j = strlen(av[0]) - len + 2;
+	if ((p = malloc(j + 1)) != NULL) {
+	    memcpy(p, av[0] + len, j);
+	    asprintf(&new, "%s%s", pathname, p);
+	    if(new != NULL) {
+		rl_add_slash(new, p);
+		free(new);
+	    }
+	}
+    }
+    else {
+	*unique = 0;
+	if (len) {
+	    /* Find largest matching substring. */
+	    for (i = len, end = strlen(av[0]); i < end; i++)
+		for (j = 1; j < ac; j++)
+		    if (av[0][i] != av[j][i])
+			goto breakout;
+  breakout:
+	    if (i > len) {
+		j = i - len + 1;
+		if ((p = malloc(j)) != NULL) {
+		    memcpy(p, av[0] + len, j);
+		    p[j - 1] = '\0';
+		}
+	    }
+	}
+    }
+
+    /* Clean up and return. */
+    for (i = 0; i < ac; i++)
+	free(av[i]);
+    free(av);
+    return p;
+}
+
+static rl_complete_func_t complete_func = rl_complete_filename;
+
+char *
+rl_complete(char *pathname, int *unique)
+{
+    return (*complete_func)(pathname, unique);
+}
+
+rl_complete_func_t
+rl_set_complete_func(rl_complete_func_t func)
+{
+    rl_complete_func_t old = complete_func;
+    complete_func = func;
+    return old;
+}
+
+
+/*
+**  Return all possible completions.
+*/
+static int
+rl_list_possib_filename(char *pathname, char ***avp)
+{
+    char	*dir;
+    char	*file;
+    int		ac;
+
+    if (SplitPath(pathname, &dir, &file) < 0)
+	return 0;
+    ac = FindMatches(dir, file, avp);
+    free(dir);
+    free(file);
+    return ac;
+}
+
+static rl_list_possib_func_t list_possib_func = rl_list_possib_filename;
+
+int
+rl_list_possib(char *pathname, char ***avp)
+{
+    return (*list_possib_func)(pathname, avp);
+}
+
+rl_list_possib_func_t
+rl_set_list_possib_func(rl_list_possib_func_t func)
+{
+    rl_list_possib_func_t old = list_possib_func;
+    list_possib_func = func;
+    return old;
+}
diff --git a/crypto/heimdal/lib/editline/edit_compat.c b/crypto/heimdal/lib/editline/edit_compat.c
new file mode 100644
index 0000000..9b1863e
--- /dev/null
+++ b/crypto/heimdal/lib/editline/edit_compat.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <string.h>
+#include <histedit.h>
+
+RCSID("$Id: edit_compat.c,v 1.8 2000/03/01 20:53:05 assar Exp $");
+
+void
+rl_reset_terminal(char *p)
+{
+}
+
+void
+rl_initialize()
+{
+}
+
+static const char *pr;
+static const char* ret_prompt(EditLine *e)
+{
+    return pr;
+}
+
+static History *h;
+
+#ifdef H_SETSIZE
+#define EL_INIT_FOUR 1
+#else
+#ifdef H_SETMAXSIZE
+/* backwards compatibility */
+#define H_SETSIZE H_SETMAXSIZE
+#endif
+#endif
+
+char *
+readline(const char* prompt)
+{
+    static EditLine *e;
+#ifdef H_SETSIZE
+    HistEvent ev;
+#endif
+    int count;
+    const char *str;
+
+    if(e == NULL){
+#ifdef EL_INIT_FOUR
+	e = el_init("", stdin, stdout, stderr);
+#else
+	e = el_init("", stdin, stdout);
+#endif
+	el_set(e, EL_PROMPT, ret_prompt);
+	h = history_init();
+#ifdef H_SETSIZE
+	history(h, &ev, H_SETSIZE, 25);
+#else
+	history(h, H_EVENT, 25);
+#endif
+	el_set(e, EL_HIST, history, h);
+	el_set(e, EL_EDITOR, "emacs"); /* XXX? */
+    }
+    pr = prompt ? prompt : "";
+    str = el_gets(e, &count);
+    if (str && count > 0) {
+	char *ret = strdup (str);
+
+	if (ret == NULL)
+	    return NULL;
+
+	if (ret[strlen(ret) - 1] == '\n')
+	    ret[strlen(ret) - 1] = '\0';
+	return ret;
+    } 
+    return NULL;
+}
+
+void
+add_history(char *p)
+{
+#ifdef H_SETSIZE
+    HistEvent ev;
+    history(h, &ev, H_ENTER, p);
+#else
+    history(h, H_ENTER, p);
+#endif
+}
diff --git a/crypto/heimdal/lib/editline/editline.3 b/crypto/heimdal/lib/editline/editline.3
new file mode 100644
index 0000000..6e30a09
--- /dev/null
+++ b/crypto/heimdal/lib/editline/editline.3
@@ -0,0 +1,175 @@
+.\" $Revision: 1.2 $
+.TH EDITLINE 3
+.SH NAME
+editline \- command-line editing library with history
+.SH SYNOPSIS
+.nf
+.B "char *"
+.B "readline(prompt)"
+.B "     char	*prompt;"
+
+.B "void"
+.B "add_history(line)"
+.B "    char	*line;"
+.fi
+.SH DESCRIPTION
+.I Editline
+is a library that provides an line-editing interface with text recall.
+It is intended to be compatible with the
+.I readline
+library provided by the Free Software Foundation, but much smaller.
+The bulk of this manual page describes the user interface.
+.PP
+The
+.I readline
+routine returns a line of text with the trailing newline removed.
+The data is returned in a buffer allocated with
+.IR malloc (3),
+so the space should be released with
+.IR free (3)
+when the calling program is done with it.
+Before accepting input from the user, the specified
+.I prompt
+is displayed on the terminal.
+.PP
+The
+.I add_history
+routine makes a copy of the specified
+.I line
+and adds it to the internal history list.
+.SS "User Interface"
+A program that uses this library provides a simple emacs-like editing
+interface to its users.
+A line may be edited before it is sent to the calling program by typing either
+control characters or escape sequences.
+A control character, shown as a caret followed by a letter, is typed by
+holding down the ``control'' key while the letter is typed.
+For example, ``^A'' is a control-A.
+An escape sequence is entered by typing the ``escape'' key followed by one or
+more characters.
+The escape key is abbreviated as ``ESC.''
+Note that unlike control keys, case matters in escape sequences; ``ESC\ F''
+is not the same as ``ESC\ f''.
+.PP
+An editing command may be typed anywhere on the line, not just at the
+beginning.
+In addition, a return may also be typed anywhere on the line, not just at
+the end.
+.PP
+Most editing commands may be given a repeat count,
+.IR n ,
+where
+.I n
+is a number.
+To enter a repeat count, type the escape key, the number, and then
+the command to execute.
+For example, ``ESC\ 4\ ^f'' moves forward four characters.
+If a command may be given a repeat count then the text ``[n]'' is given at the
+end of its description.
+.PP
+The following control characters are accepted:
+.RS
+.nf
+.ta \w'ESC DEL  'u
+^A	Move to the beginning of the line
+^B	Move left (backwards) [n]
+^D	Delete character [n]
+^E	Move to end of line
+^F	Move right (forwards) [n]
+^G	Ring the bell
+^H	Delete character before cursor (backspace key) [n]
+^I	Complete filename (tab key); see below
+^J	Done with line (return key)
+^K	Kill to end of line (or column [n])
+^L	Redisplay line
+^M	Done with line (alternate return key)
+^N	Get next line from history [n]
+^P	Get previous line from history [n]
+^R	Search backward (forward if [n]) through history for text;
+\&	must start line if text begins with an uparrow
+^T	Transpose characters
+^V	Insert next character, even if it is an edit command
+^W	Wipe to the mark
+^X^X	Exchange current location and mark
+^Y	Yank back last killed text
+^[	Start an escape sequence (escape key)
+^]c	Move forward to next character ``c''
+^?	Delete character before cursor (delete key) [n]
+.fi
+.RE
+.PP
+The following escape sequences are provided.
+.RS
+.nf
+.ta \w'ESC DEL  'u
+ESC\ ^H	Delete previous word (backspace key) [n]
+ESC\ DEL	Delete previous word (delete key) [n]
+ESC\ SP	Set the mark (space key); see ^X^X and ^Y above
+ESC\ \.	Get the last (or [n]'th) word from previous line
+ESC\ ?	Show possible completions; see below
+ESC\ <	Move to start of history
+ESC\ >	Move to end of history
+ESC\ b	Move backward a word [n]
+ESC\ d	Delete word under cursor [n]
+ESC\ f	Move forward a word [n]
+ESC\ l	Make word lowercase [n]
+ESC\ u	Make word uppercase [n]
+ESC\ y	Yank back last killed text
+ESC\ v	Show library version
+ESC\ w	Make area up to mark yankable
+ESC\ nn	Set repeat count to the number nn
+ESC\ C	Read from environment variable ``_C_'', where C is
+\&	an uppercase letter
+.fi
+.RE
+.PP
+The
+.I editline
+library has a small macro facility.
+If you type the escape key followed by an uppercase letter,
+.IR C ,
+then the contents of the environment variable
+.I _C_
+are read in as if you had typed them at the keyboard.
+For example, if the variable
+.I _L_
+contains the following:
+.RS
+^A^Kecho '^V^[[H^V^[[2J'^M
+.RE
+Then typing ``ESC L'' will move to the beginning of the line, kill the
+entire line, enter the echo command needed to clear the terminal (if your
+terminal is like a VT-100), and send the line back to the shell.
+.PP
+The
+.I editline
+library also does filename completion.
+Suppose the root directory has the following files in it:
+.RS
+.nf
+.ta \w'core   'u
+bin	vmunix
+core	vmunix.old
+.fi
+.RE
+If you type ``rm\ /v'' and then the tab key.
+.I Editline
+will then finish off as much of the name as possible by adding ``munix''.
+Because the name is not unique, it will then beep.
+If you type the escape key and a question mark, it will display the
+two choices.
+If you then type a period and a tab, the library will finish off the filename
+for you:
+.RS
+.nf
+.RI "rm /v[TAB]" munix .TAB old
+.fi
+.RE
+The tab key is shown by ``[TAB]'' and the automatically-entered text
+is shown in italics.
+.SH "BUGS AND LIMITATIONS"
+Cannot handle lines more than 80 columns.
+.SH AUTHORS
+Simmule R. Turner <uunet.uu.net!capitol!sysgo!simmy>
+and Rich $alz <rsalz@osf.org>.
+Original manual page by DaviD W. Sanderson <dws@ssec.wisc.edu>.
diff --git a/crypto/heimdal/lib/editline/editline.c b/crypto/heimdal/lib/editline/editline.c
new file mode 100644
index 0000000..43dd58a
--- /dev/null
+++ b/crypto/heimdal/lib/editline/editline.c
@@ -0,0 +1,1376 @@
+/*  Copyright 1992 Simmule Turner and Rich Salz.  All rights reserved. 
+ *
+ *  This software is not subject to any license of the American Telephone 
+ *  and Telegraph Company or of the Regents of the University of California. 
+ *
+ *  Permission is granted to anyone to use this software for any purpose on
+ *  any computer system, and to alter it and redistribute it freely, subject
+ *  to the following restrictions:
+ *  1. The authors are not responsible for the consequences of use of this
+ *     software, no matter how awful, even if they arise from flaws in it.
+ *  2. The origin of this software must not be misrepresented, either by
+ *     explicit claim or by omission.  Since few users ever read sources,
+ *     credits must appear in the documentation.
+ *  3. Altered versions must be plainly marked as such, and must not be
+ *     misrepresented as being the original software.  Since few users
+ *     ever read sources, credits must appear in the documentation.
+ *  4. This notice may not be removed or altered.
+ */
+
+/*
+**  Main editing routines for editline library.
+*/
+#include <config.h>
+#include "editline.h"
+#include <ctype.h>
+#include <errno.h>
+
+RCSID("$Id: editline.c,v 1.9 1999/12/23 21:27:00 assar Exp $");
+
+/*
+**  Manifest constants.
+*/
+#define SCREEN_WIDTH	80
+#define SCREEN_ROWS	24
+#define NO_ARG		(-1)
+#define DEL		127
+#define CTL(x)		((x) & 0x1F)
+#define ISCTL(x)	((x) && (x) < ' ')
+#define UNCTL(x)	((x) + 64)
+#define META(x)		((x) | 0x80)
+#define ISMETA(x)	((x) & 0x80)
+#define UNMETA(x)	((x) & 0x7F)
+#if	!defined(HIST_SIZE)
+#define HIST_SIZE	20
+#endif	/* !defined(HIST_SIZE) */
+
+/*
+**  Command status codes.
+*/
+typedef enum _STATUS {
+    CSdone, CSeof, CSmove, CSdispatch, CSstay
+} STATUS;
+
+/*
+**  The type of case-changing to perform.
+*/
+typedef enum _CASE {
+    TOupper, TOlower
+} CASE;
+
+/*
+**  Key to command mapping.
+*/
+typedef struct _KEYMAP {
+    unsigned char	Key;
+    STATUS	(*Function)();
+} KEYMAP;
+
+/*
+**  Command history structure.
+*/
+typedef struct _HISTORY {
+    int		Size;
+    int		Pos;
+    unsigned char	*Lines[HIST_SIZE];
+} HISTORY;
+
+/*
+**  Globals.
+*/
+int		rl_eof;
+int		rl_erase;
+int		rl_intr;
+int		rl_kill;
+
+static unsigned char		NIL[] = "";
+static const unsigned char	*Input = NIL;
+static unsigned char		*Line;
+static const char	*Prompt;
+static unsigned char		*Yanked;
+static char		*Screen;
+static char		NEWLINE[]= CRLF;
+static HISTORY		H;
+int		rl_quit;
+static int		Repeat;
+static int		End;
+static int		Mark;
+static int		OldPoint;
+static int		Point;
+static int		PushBack;
+static int		Pushed;
+static KEYMAP		Map[33];
+static KEYMAP		MetaMap[16];
+static size_t		Length;
+static size_t		ScreenCount;
+static size_t		ScreenSize;
+static char		*backspace;
+static int		TTYwidth;
+static int		TTYrows;
+
+/* Display print 8-bit chars as `M-x' or as the actual 8-bit char? */
+int		rl_meta_chars = 1;
+
+/*
+**  Declarations.
+*/
+static unsigned char	*editinput(void);
+char	*tgetstr(const char*, char**);
+int	tgetent(char*, const char*);
+int	tgetnum(const char*);
+
+/*
+**  TTY input/output functions.
+*/
+
+static void
+TTYflush()
+{
+    if (ScreenCount) {
+	write(1, Screen, ScreenCount);
+	ScreenCount = 0;
+    }
+}
+
+static void
+TTYput(unsigned char c)
+{
+    Screen[ScreenCount] = c;
+    if (++ScreenCount >= ScreenSize - 1) {
+	ScreenSize += SCREEN_INC;
+	Screen = realloc(Screen, ScreenSize);
+    }
+}
+
+static void
+TTYputs(const char *p)
+{
+    while (*p)
+	TTYput(*p++);
+}
+
+static void
+TTYshow(unsigned char c)
+{
+    if (c == DEL) {
+	TTYput('^');
+	TTYput('?');
+    }
+    else if (ISCTL(c)) {
+	TTYput('^');
+	TTYput(UNCTL(c));
+    }
+    else if (rl_meta_chars && ISMETA(c)) {
+	TTYput('M');
+	TTYput('-');
+	TTYput(UNMETA(c));
+    }
+    else
+	TTYput(c);
+}
+
+static void
+TTYstring(unsigned char *p)
+{
+    while (*p)
+	TTYshow(*p++);
+}
+
+static int
+TTYget()
+{
+    char c;
+    int e;
+
+    TTYflush();
+    if (Pushed) {
+	Pushed = 0;
+	return PushBack;
+    }
+    if (*Input)
+	return *Input++;
+    do {
+	e = read(0, &c, 1);
+    } while(e < 0 && errno == EINTR);
+    if(e == 1)
+	return c;
+    return EOF;
+}
+
+static void
+TTYback(void)
+{
+    if (backspace)
+	TTYputs(backspace);
+    else
+	TTYput('\b');
+}
+
+static void
+TTYbackn(int n)
+{
+    while (--n >= 0)
+	TTYback();
+}
+
+static void
+TTYinfo()
+{
+    static int		init;
+    char		*term;
+    char		buff[2048];
+    char		*bp;
+    char		*tmp;
+#if	defined(TIOCGWINSZ)
+    struct winsize	W;
+#endif	/* defined(TIOCGWINSZ) */
+
+    if (init) {
+#if	defined(TIOCGWINSZ)
+	/* Perhaps we got resized. */
+	if (ioctl(0, TIOCGWINSZ, &W) >= 0
+	 && W.ws_col > 0 && W.ws_row > 0) {
+	    TTYwidth = (int)W.ws_col;
+	    TTYrows = (int)W.ws_row;
+	}
+#endif	/* defined(TIOCGWINSZ) */
+	return;
+    }
+    init++;
+
+    TTYwidth = TTYrows = 0;
+    bp = &buff[0];
+    if ((term = getenv("TERM")) == NULL)
+	term = "dumb";
+    if (tgetent(buff, term) < 0) {
+       TTYwidth = SCREEN_WIDTH;
+       TTYrows = SCREEN_ROWS;
+       return;
+    }
+    tmp = tgetstr("le", &bp);
+    if (tmp != NULL)
+	backspace = strdup(tmp);
+    else
+	backspace = "\b";
+    TTYwidth = tgetnum("co");
+    TTYrows = tgetnum("li");
+
+#if	defined(TIOCGWINSZ)
+    if (ioctl(0, TIOCGWINSZ, &W) >= 0) {
+	TTYwidth = (int)W.ws_col;
+	TTYrows = (int)W.ws_row;
+    }
+#endif	/* defined(TIOCGWINSZ) */
+
+    if (TTYwidth <= 0 || TTYrows <= 0) {
+	TTYwidth = SCREEN_WIDTH;
+	TTYrows = SCREEN_ROWS;
+    }
+}
+
+
+/*
+**  Print an array of words in columns.
+*/
+static void
+columns(int ac, unsigned char **av)
+{
+    unsigned char	*p;
+    int		i;
+    int		j;
+    int		k;
+    int		len;
+    int		skip;
+    int		longest;
+    int		cols;
+
+    /* Find longest name, determine column count from that. */
+    for (longest = 0, i = 0; i < ac; i++)
+	if ((j = strlen((char *)av[i])) > longest)
+	    longest = j;
+    cols = TTYwidth / (longest + 3);
+
+    TTYputs(NEWLINE);
+    for (skip = ac / cols + 1, i = 0; i < skip; i++) {
+	for (j = i; j < ac; j += skip) {
+	    for (p = av[j], len = strlen((char *)p), k = len; --k >= 0; p++)
+		TTYput(*p);
+	    if (j + skip < ac)
+		while (++len < longest + 3)
+		    TTYput(' ');
+	}
+	TTYputs(NEWLINE);
+    }
+}
+
+static void
+reposition()
+{
+    int		i;
+    unsigned char	*p;
+
+    TTYput('\r');
+    TTYputs(Prompt);
+    for (i = Point, p = Line; --i >= 0; p++)
+	TTYshow(*p);
+}
+
+static void
+left(STATUS Change)
+{
+    TTYback();
+    if (Point) {
+	if (ISCTL(Line[Point - 1]))
+	    TTYback();
+        else if (rl_meta_chars && ISMETA(Line[Point - 1])) {
+	    TTYback();
+	    TTYback();
+	}
+    }
+    if (Change == CSmove)
+	Point--;
+}
+
+static void
+right(STATUS Change)
+{
+    TTYshow(Line[Point]);
+    if (Change == CSmove)
+	Point++;
+}
+
+static STATUS
+ring_bell()
+{
+    TTYput('\07');
+    TTYflush();
+    return CSstay;
+}
+
+static STATUS
+do_macro(unsigned char c)
+{
+    unsigned char		name[4];
+
+    name[0] = '_';
+    name[1] = c;
+    name[2] = '_';
+    name[3] = '\0';
+
+    if ((Input = (unsigned char *)getenv((char *)name)) == NULL) {
+	Input = NIL;
+	return ring_bell();
+    }
+    return CSstay;
+}
+
+static STATUS
+do_forward(STATUS move)
+{
+    int		i;
+    unsigned char	*p;
+
+    i = 0;
+    do {
+	p = &Line[Point];
+	for ( ; Point < End && (*p == ' ' || !isalnum(*p)); Point++, p++)
+	    if (move == CSmove)
+		right(CSstay);
+
+	for (; Point < End && isalnum(*p); Point++, p++)
+	    if (move == CSmove)
+		right(CSstay);
+
+	if (Point == End)
+	    break;
+    } while (++i < Repeat);
+
+    return CSstay;
+}
+
+static STATUS
+do_case(CASE type)
+{
+    int		i;
+    int		end;
+    int		count;
+    unsigned char	*p;
+
+    do_forward(CSstay);
+    if (OldPoint != Point) {
+	if ((count = Point - OldPoint) < 0)
+	    count = -count;
+	Point = OldPoint;
+	if ((end = Point + count) > End)
+	    end = End;
+	for (i = Point, p = &Line[i]; i < end; i++, p++) {
+	    if (type == TOupper) {
+		if (islower(*p))
+		    *p = toupper(*p);
+	    }
+	    else if (isupper(*p))
+		*p = tolower(*p);
+	    right(CSmove);
+	}
+    }
+    return CSstay;
+}
+
+static STATUS
+case_down_word()
+{
+    return do_case(TOlower);
+}
+
+static STATUS
+case_up_word()
+{
+    return do_case(TOupper);
+}
+
+static void
+ceol()
+{
+    int		extras;
+    int		i;
+    unsigned char	*p;
+
+    for (extras = 0, i = Point, p = &Line[i]; i <= End; i++, p++) {
+	TTYput(' ');
+	if (ISCTL(*p)) {
+	    TTYput(' ');
+	    extras++;
+	}
+	else if (rl_meta_chars && ISMETA(*p)) {
+	    TTYput(' ');
+	    TTYput(' ');
+	    extras += 2;
+	}
+    }
+
+    for (i += extras; i > Point; i--)
+	TTYback();
+}
+
+static void
+clear_line()
+{
+    Point = -strlen(Prompt);
+    TTYput('\r');
+    ceol();
+    Point = 0;
+    End = 0;
+    Line[0] = '\0';
+}
+
+static STATUS
+insert_string(unsigned char *p)
+{
+    size_t	len;
+    int		i;
+    unsigned char	*new;
+    unsigned char	*q;
+
+    len = strlen((char *)p);
+    if (End + len >= Length) {
+	if ((new = malloc(sizeof(unsigned char) * (Length + len + MEM_INC))) == NULL)
+	    return CSstay;
+	if (Length) {
+	    memcpy(new, Line, Length);
+	    free(Line);
+	}
+	Line = new;
+	Length += len + MEM_INC;
+    }
+
+    for (q = &Line[Point], i = End - Point; --i >= 0; )
+	q[len + i] = q[i];
+    memcpy(&Line[Point], p, len);
+    End += len;
+    Line[End] = '\0';
+    TTYstring(&Line[Point]);
+    Point += len;
+
+    return Point == End ? CSstay : CSmove;
+}
+
+
+static unsigned char *
+next_hist()
+{
+    return H.Pos >= H.Size - 1 ? NULL : H.Lines[++H.Pos];
+}
+
+static unsigned char *
+prev_hist()
+{
+    return H.Pos == 0 ? NULL : H.Lines[--H.Pos];
+}
+
+static STATUS
+do_insert_hist(unsigned char *p)
+{
+    if (p == NULL)
+	return ring_bell();
+    Point = 0;
+    reposition();
+    ceol();
+    End = 0;
+    return insert_string(p);
+}
+
+static STATUS
+do_hist(unsigned char *(*move)())
+{
+    unsigned char	*p;
+    int		i;
+
+    i = 0;
+    do {
+	if ((p = (*move)()) == NULL)
+	    return ring_bell();
+    } while (++i < Repeat);
+    return do_insert_hist(p);
+}
+
+static STATUS
+h_next()
+{
+    return do_hist(next_hist);
+}
+
+static STATUS
+h_prev()
+{
+    return do_hist(prev_hist);
+}
+
+static STATUS
+h_first()
+{
+    return do_insert_hist(H.Lines[H.Pos = 0]);
+}
+
+static STATUS
+h_last()
+{
+    return do_insert_hist(H.Lines[H.Pos = H.Size - 1]);
+}
+
+/*
+**  Return zero if pat appears as a substring in text.
+*/
+static int
+substrcmp(char *text, char *pat, int len)
+{
+    unsigned char	c;
+
+    if ((c = *pat) == '\0')
+        return *text == '\0';
+    for ( ; *text; text++)
+        if (*text == c && strncmp(text, pat, len) == 0)
+            return 0;
+    return 1;
+}
+
+static unsigned char *
+search_hist(unsigned char *search, unsigned char *(*move)())
+{
+    static unsigned char	*old_search;
+    int		len;
+    int		pos;
+    int		(*match)();
+    char	*pat;
+
+    /* Save or get remembered search pattern. */
+    if (search && *search) {
+	if (old_search)
+	    free(old_search);
+	old_search = (unsigned char *)strdup((char *)search);
+    }
+    else {
+	if (old_search == NULL || *old_search == '\0')
+            return NULL;
+	search = old_search;
+    }
+
+    /* Set up pattern-finder. */
+    if (*search == '^') {
+	match = strncmp;
+	pat = (char *)(search + 1);
+    }
+    else {
+	match = substrcmp;
+	pat = (char *)search;
+    }
+    len = strlen(pat);
+
+    for (pos = H.Pos; (*move)() != NULL; )
+	if ((*match)((char *)H.Lines[H.Pos], pat, len) == 0)
+            return H.Lines[H.Pos];
+    H.Pos = pos;
+    return NULL;
+}
+
+static STATUS
+h_search()
+{
+    static int	Searching;
+    const char	*old_prompt;
+    unsigned char	*(*move)();
+    unsigned char	*p;
+
+    if (Searching)
+	return ring_bell();
+    Searching = 1;
+
+    clear_line();
+    old_prompt = Prompt;
+    Prompt = "Search: ";
+    TTYputs(Prompt);
+    move = Repeat == NO_ARG ? prev_hist : next_hist;
+    p = search_hist(editinput(), move);
+    clear_line();
+    Prompt = old_prompt;
+    TTYputs(Prompt);
+
+    Searching = 0;
+    return do_insert_hist(p);
+}
+
+static STATUS
+fd_char()
+{
+    int		i;
+
+    i = 0;
+    do {
+	if (Point >= End)
+	    break;
+	right(CSmove);
+    } while (++i < Repeat);
+    return CSstay;
+}
+
+static void
+save_yank(int begin, int i)
+{
+    if (Yanked) {
+	free(Yanked);
+	Yanked = NULL;
+    }
+
+    if (i < 1)
+	return;
+
+    if ((Yanked = malloc(sizeof(unsigned char) * (i + 1))) != NULL) {
+	memcpy(Yanked, &Line[begin], i);
+	Yanked[i+1] = '\0';
+    }
+}
+
+static STATUS
+delete_string(int count)
+{
+    int		i;
+    unsigned char	*p;
+
+    if (count <= 0 || End == Point)
+	return ring_bell();
+
+    if (count == 1 && Point == End - 1) {
+	/* Optimize common case of delete at end of line. */
+	End--;
+	p = &Line[Point];
+	i = 1;
+	TTYput(' ');
+	if (ISCTL(*p)) {
+	    i = 2;
+	    TTYput(' ');
+	}
+	else if (rl_meta_chars && ISMETA(*p)) {
+	    i = 3;
+	    TTYput(' ');
+	    TTYput(' ');
+	}
+	TTYbackn(i);
+	*p = '\0';
+	return CSmove;
+    }
+    if (Point + count > End && (count = End - Point) <= 0)
+	return CSstay;
+
+    if (count > 1)
+	save_yank(Point, count);
+
+    for (p = &Line[Point], i = End - (Point + count) + 1; --i >= 0; p++)
+	p[0] = p[count];
+    ceol();
+    End -= count;
+    TTYstring(&Line[Point]);
+    return CSmove;
+}
+
+static STATUS
+bk_char()
+{
+    int		i;
+
+    i = 0;
+    do {
+	if (Point == 0)
+	    break;
+	left(CSmove);
+    } while (++i < Repeat);
+
+    return CSstay;
+}
+
+static STATUS
+bk_del_char()
+{
+    int		i;
+
+    i = 0;
+    do {
+	if (Point == 0)
+	    break;
+	left(CSmove);
+    } while (++i < Repeat);
+
+    return delete_string(i);
+}
+
+static STATUS
+redisplay()
+{
+    TTYputs(NEWLINE);
+    TTYputs(Prompt);
+    TTYstring(Line);
+    return CSmove;
+}
+
+static STATUS
+kill_line()
+{
+    int		i;
+
+    if (Repeat != NO_ARG) {
+	if (Repeat < Point) {
+	    i = Point;
+	    Point = Repeat;
+	    reposition();
+	    delete_string(i - Point);
+	}
+	else if (Repeat > Point) {
+	    right(CSmove);
+	    delete_string(Repeat - Point - 1);
+	}
+	return CSmove;
+    }
+
+    save_yank(Point, End - Point);
+    Line[Point] = '\0';
+    ceol();
+    End = Point;
+    return CSstay;
+}
+
+static STATUS
+insert_char(int c)
+{
+    STATUS	s;
+    unsigned char	buff[2];
+    unsigned char	*p;
+    unsigned char	*q;
+    int		i;
+
+    if (Repeat == NO_ARG || Repeat < 2) {
+	buff[0] = c;
+	buff[1] = '\0';
+	return insert_string(buff);
+    }
+
+    if ((p = malloc(Repeat + 1)) == NULL)
+	return CSstay;
+    for (i = Repeat, q = p; --i >= 0; )
+	*q++ = c;
+    *q = '\0';
+    Repeat = 0;
+    s = insert_string(p);
+    free(p);
+    return s;
+}
+
+static STATUS
+meta()
+{
+    unsigned int	c;
+    KEYMAP		*kp;
+
+    if ((c = TTYget()) == EOF)
+	return CSeof;
+    /* Also include VT-100 arrows. */
+    if (c == '[' || c == 'O')
+	switch (c = TTYget()) {
+	default:	return ring_bell();
+	case EOF:	return CSeof;
+	case 'A':	return h_prev();
+	case 'B':	return h_next();
+	case 'C':	return fd_char();
+	case 'D':	return bk_char();
+	}
+
+    if (isdigit(c)) {
+	for (Repeat = c - '0'; (c = TTYget()) != EOF && isdigit(c); )
+	    Repeat = Repeat * 10 + c - '0';
+	Pushed = 1;
+	PushBack = c;
+	return CSstay;
+    }
+
+    if (isupper(c))
+	return do_macro(c);
+    for (OldPoint = Point, kp = MetaMap; kp->Function; kp++)
+	if (kp->Key == c)
+	    return (*kp->Function)();
+
+    return ring_bell();
+}
+
+static STATUS
+emacs(unsigned int c)
+{
+    STATUS		s;
+    KEYMAP		*kp;
+
+    if (ISMETA(c)) {
+	Pushed = 1;
+	PushBack = UNMETA(c);
+	return meta();
+    }
+    for (kp = Map; kp->Function; kp++)
+	if (kp->Key == c)
+	    break;
+    s = kp->Function ? (*kp->Function)() : insert_char((int)c);
+    if (!Pushed)
+	/* No pushback means no repeat count; hacky, but true. */
+	Repeat = NO_ARG;
+    return s;
+}
+
+static STATUS
+TTYspecial(unsigned int c)
+{
+    if (ISMETA(c))
+	return CSdispatch;
+
+    if (c == rl_erase || c == DEL)
+	return bk_del_char();
+    if (c == rl_kill) {
+	if (Point != 0) {
+	    Point = 0;
+	    reposition();
+	}
+	Repeat = NO_ARG;
+	return kill_line();
+    }
+    if (c == rl_intr || c == rl_quit) {
+	Point = End = 0;
+	Line[0] = '\0';
+	return redisplay();
+    }
+    if (c == rl_eof && Point == 0 && End == 0)
+	return CSeof;
+
+    return CSdispatch;
+}
+
+static unsigned char *
+editinput()
+{
+    unsigned int	c;
+
+    Repeat = NO_ARG;
+    OldPoint = Point = Mark = End = 0;
+    Line[0] = '\0';
+
+    while ((c = TTYget()) != EOF)
+	switch (TTYspecial(c)) {
+	case CSdone:
+	    return Line;
+	case CSeof:
+	    return NULL;
+	case CSmove:
+	    reposition();
+	    break;
+	case CSdispatch:
+	    switch (emacs(c)) {
+	    case CSdone:
+		return Line;
+	    case CSeof:
+		return NULL;
+	    case CSmove:
+		reposition();
+		break;
+	    case CSdispatch:
+	    case CSstay:
+		break;
+	    }
+	    break;
+	case CSstay:
+	    break;
+	}
+    return NULL;
+}
+
+static void
+hist_add(unsigned char *p)
+{
+    int		i;
+
+    if ((p = (unsigned char *)strdup((char *)p)) == NULL)
+	return;
+    if (H.Size < HIST_SIZE)
+	H.Lines[H.Size++] = p;
+    else {
+	free(H.Lines[0]);
+	for (i = 0; i < HIST_SIZE - 1; i++)
+	    H.Lines[i] = H.Lines[i + 1];
+	H.Lines[i] = p;
+    }
+    H.Pos = H.Size - 1;
+}
+
+/*
+**  For compatibility with FSF readline.
+*/
+/* ARGSUSED0 */
+void
+rl_reset_terminal(char *p)
+{
+}
+
+void
+rl_initialize(void)
+{
+}
+
+char *
+readline(const char* prompt)
+{
+    unsigned char	*line;
+
+    if (Line == NULL) {
+	Length = MEM_INC;
+	if ((Line = malloc(Length)) == NULL)
+	    return NULL;
+    }
+
+    TTYinfo();
+    rl_ttyset(0);
+    hist_add(NIL);
+    ScreenSize = SCREEN_INC;
+    Screen = malloc(ScreenSize);
+    Prompt = prompt ? prompt : (char *)NIL;
+    TTYputs(Prompt);
+    if ((line = editinput()) != NULL) {
+	line = (unsigned char *)strdup((char *)line);
+	TTYputs(NEWLINE);
+	TTYflush();
+    }
+    rl_ttyset(1);
+    free(Screen);
+    free(H.Lines[--H.Size]);
+    return (char *)line;
+}
+
+void
+add_history(char *p)
+{
+    if (p == NULL || *p == '\0')
+	return;
+
+#if	defined(UNIQUE_HISTORY)
+    if (H.Pos && strcmp(p, H.Lines[H.Pos - 1]) == 0)
+        return;
+#endif	/* defined(UNIQUE_HISTORY) */
+    hist_add((unsigned char *)p);
+}
+
+
+static STATUS
+beg_line()
+{
+    if (Point) {
+	Point = 0;
+	return CSmove;
+    }
+    return CSstay;
+}
+
+static STATUS
+del_char()
+{
+    return delete_string(Repeat == NO_ARG ? 1 : Repeat);
+}
+
+static STATUS
+end_line()
+{
+    if (Point != End) {
+	Point = End;
+	return CSmove;
+    }
+    return CSstay;
+}
+
+/*
+**  Move back to the beginning of the current word and return an
+**  allocated copy of it.
+*/
+static unsigned char *
+find_word()
+{
+    static char	SEPS[] = "#;&|^$=`'{}()<>\n\t ";
+    unsigned char	*p;
+    unsigned char	*new;
+    size_t	len;
+
+    for (p = &Line[Point]; p > Line && strchr(SEPS, (char)p[-1]) == NULL; p--)
+	continue;
+    len = Point - (p - Line) + 1;
+    if ((new = malloc(len)) == NULL)
+	return NULL;
+    memcpy(new, p, len);
+    new[len - 1] = '\0';
+    return new;
+}
+
+static STATUS
+c_complete()
+{
+    unsigned char	*p;
+    unsigned char	*word;
+    int		unique;
+    STATUS	s;
+
+    word = find_word();
+    p = (unsigned char *)rl_complete((char *)word, &unique);
+    if (word)
+	free(word);
+    if (p && *p) {
+	s = insert_string(p);
+	if (!unique)
+	    ring_bell();
+	free(p);
+	return s;
+    }
+    return ring_bell();
+}
+
+static STATUS
+c_possible()
+{
+    unsigned char	**av;
+    unsigned char	*word;
+    int		ac;
+
+    word = find_word();
+    ac = rl_list_possib((char *)word, (char ***)&av);
+    if (word)
+	free(word);
+    if (ac) {
+	columns(ac, av);
+	while (--ac >= 0)
+	    free(av[ac]);
+	free(av);
+	return CSmove;
+    }
+    return ring_bell();
+}
+
+static STATUS
+accept_line()
+{
+    Line[End] = '\0';
+    return CSdone;
+}
+
+static STATUS
+transpose()
+{
+    unsigned char	c;
+
+    if (Point) {
+	if (Point == End)
+	    left(CSmove);
+	c = Line[Point - 1];
+	left(CSstay);
+	Line[Point - 1] = Line[Point];
+	TTYshow(Line[Point - 1]);
+	Line[Point++] = c;
+	TTYshow(c);
+    }
+    return CSstay;
+}
+
+static STATUS
+quote()
+{
+    unsigned int	c;
+
+    return (c = TTYget()) == EOF ? CSeof : insert_char((int)c);
+}
+
+static STATUS
+wipe()
+{
+    int		i;
+
+    if (Mark > End)
+	return ring_bell();
+
+    if (Point > Mark) {
+	i = Point;
+	Point = Mark;
+	Mark = i;
+	reposition();
+    }
+
+    return delete_string(Mark - Point);
+}
+
+static STATUS
+mk_set()
+{
+    Mark = Point;
+    return CSstay;
+}
+
+static STATUS
+exchange()
+{
+    unsigned int	c;
+
+    if ((c = TTYget()) != CTL('X'))
+	return c == EOF ? CSeof : ring_bell();
+
+    if ((c = Mark) <= End) {
+	Mark = Point;
+	Point = c;
+	return CSmove;
+    }
+    return CSstay;
+}
+
+static STATUS
+yank()
+{
+    if (Yanked && *Yanked)
+	return insert_string(Yanked);
+    return CSstay;
+}
+
+static STATUS
+copy_region()
+{
+    if (Mark > End)
+	return ring_bell();
+
+    if (Point > Mark)
+	save_yank(Mark, Point - Mark);
+    else
+	save_yank(Point, Mark - Point);
+
+    return CSstay;
+}
+
+static STATUS
+move_to_char()
+{
+    unsigned int	c;
+    int			i;
+    unsigned char		*p;
+
+    if ((c = TTYget()) == EOF)
+	return CSeof;
+    for (i = Point + 1, p = &Line[i]; i < End; i++, p++)
+	if (*p == c) {
+	    Point = i;
+	    return CSmove;
+	}
+    return CSstay;
+}
+
+static STATUS
+fd_word()
+{
+    return do_forward(CSmove);
+}
+
+static STATUS
+fd_kill_word()
+{
+    int		i;
+
+    do_forward(CSstay);
+    if (OldPoint != Point) {
+	i = Point - OldPoint;
+	Point = OldPoint;
+	return delete_string(i);
+    }
+    return CSstay;
+}
+
+static STATUS
+bk_word()
+{
+    int		i;
+    unsigned char	*p;
+
+    i = 0;
+    do {
+	for (p = &Line[Point]; p > Line && !isalnum(p[-1]); p--)
+	    left(CSmove);
+
+	for (; p > Line && p[-1] != ' ' && isalnum(p[-1]); p--)
+	    left(CSmove);
+
+	if (Point == 0)
+	    break;
+    } while (++i < Repeat);
+
+    return CSstay;
+}
+
+static STATUS
+bk_kill_word()
+{
+    bk_word();
+    if (OldPoint != Point)
+	return delete_string(OldPoint - Point);
+    return CSstay;
+}
+
+static int
+argify(unsigned char *line, unsigned char ***avp)
+{
+    unsigned char	*c;
+    unsigned char	**p;
+    unsigned char	**new;
+    int		ac;
+    int		i;
+
+    i = MEM_INC;
+    if ((*avp = p = malloc(sizeof(unsigned char*) * i))== NULL)
+	 return 0;
+
+    for (c = line; isspace(*c); c++)
+	continue;
+    if (*c == '\n' || *c == '\0')
+	return 0;
+
+    for (ac = 0, p[ac++] = c; *c && *c != '\n'; ) {
+	if (isspace(*c)) {
+	    *c++ = '\0';
+	    if (*c && *c != '\n') {
+		if (ac + 1 == i) {
+		    new = malloc(sizeof(unsigned char*) * (i + MEM_INC));
+		    if (new == NULL) {
+			p[ac] = NULL;
+			return ac;
+		    }
+		    memcpy(new, p, i * sizeof (char **));
+		    i += MEM_INC;
+		    free(p);
+		    *avp = p = new;
+		}
+		p[ac++] = c;
+	    }
+	}
+	else
+	    c++;
+    }
+    *c = '\0';
+    p[ac] = NULL;
+    return ac;
+}
+
+static STATUS
+last_argument()
+{
+    unsigned char	**av;
+    unsigned char	*p;
+    STATUS	s;
+    int		ac;
+
+    if (H.Size == 1 || (p = H.Lines[H.Size - 2]) == NULL)
+	return ring_bell();
+
+    if ((p = (unsigned char *)strdup((char *)p)) == NULL)
+	return CSstay;
+    ac = argify(p, &av);
+
+    if (Repeat != NO_ARG)
+	s = Repeat < ac ? insert_string(av[Repeat]) : ring_bell();
+    else
+	s = ac ? insert_string(av[ac - 1]) : CSstay;
+
+    if (ac)
+	free(av);
+    free(p);
+    return s;
+}
+
+static KEYMAP	Map[33] = {
+    {	CTL('@'),	ring_bell	},
+    {	CTL('A'),	beg_line	},
+    {	CTL('B'),	bk_char		},
+    {	CTL('D'),	del_char	},
+    {	CTL('E'),	end_line	},
+    {	CTL('F'),	fd_char		},
+    {	CTL('G'),	ring_bell	},
+    {	CTL('H'),	bk_del_char	},
+    {	CTL('I'),	c_complete	},
+    {	CTL('J'),	accept_line	},
+    {	CTL('K'),	kill_line	},
+    {	CTL('L'),	redisplay	},
+    {	CTL('M'),	accept_line	},
+    {	CTL('N'),	h_next		},
+    {	CTL('O'),	ring_bell	},
+    {	CTL('P'),	h_prev		},
+    {	CTL('Q'),	ring_bell	},
+    {	CTL('R'),	h_search	},
+    {	CTL('S'),	ring_bell	},
+    {	CTL('T'),	transpose	},
+    {	CTL('U'),	ring_bell	},
+    {	CTL('V'),	quote		},
+    {	CTL('W'),	wipe		},
+    {	CTL('X'),	exchange	},
+    {	CTL('Y'),	yank		},
+    {	CTL('Z'),	ring_bell	},
+    {	CTL('['),	meta		},
+    {	CTL(']'),	move_to_char	},
+    {	CTL('^'),	ring_bell	},
+    {	CTL('_'),	ring_bell	},
+    {	0,		NULL		}
+};
+
+static KEYMAP	MetaMap[16]= {
+    {	CTL('H'),	bk_kill_word	},
+    {	DEL,		bk_kill_word	},
+    {	' ',		mk_set	},
+    {	'.',		last_argument	},
+    {	'<',		h_first		},
+    {	'>',		h_last		},
+    {	'?',		c_possible	},
+    {	'b',		bk_word		},
+    {	'd',		fd_kill_word	},
+    {	'f',		fd_word		},
+    {	'l',		case_down_word	},
+    {	'u',		case_up_word	},
+    {	'y',		yank		},
+    {	'w',		copy_region	},
+    {	0,		NULL		}
+};
diff --git a/crypto/heimdal/lib/editline/editline.cat3 b/crypto/heimdal/lib/editline/editline.cat3
new file mode 100644
index 0000000..6e7e63e
--- /dev/null
+++ b/crypto/heimdal/lib/editline/editline.cat3
@@ -0,0 +1,198 @@
+
+
+
+EDITLINE(3)                                                       EDITLINE(3)
+
+
+
+NAME
+  editline - command-line editing library with history
+
+SYNOPSIS
+  cchhaarr **
+  rreeaaddlliinnee((pprroommpptt))
+       cchhaarr       **pprroommpptt;;
+
+  vvooiidd
+  aadddd__hhiissttoorryy((lliinnee))
+      cchhaarr        **lliinnee;;
+
+DESCRIPTION
+  _E_d_i_t_l_i_n_e is a library that provides an line-editing interface with text
+  recall.  It is intended to be compatible with the _r_e_a_d_l_i_n_e library provided
+  by the Free Software Foundation, but much smaller.  The bulk of this manual
+  page describes the user interface.
+
+  The _r_e_a_d_l_i_n_e routine returns a line of text with the trailing newline
+  removed.  The data is returned in a buffer allocated with _m_a_l_l_o_c(3), so the
+  space should be released with _f_r_e_e(3) when the calling program is done with
+  it.  Before accepting input from the user, the specified _p_r_o_m_p_t is dis-
+  played on the terminal.
+
+  The _a_d_d___h_i_s_t_o_r_y routine makes a copy of the specified _l_i_n_e and adds it to
+  the internal history list.
+
+  User Interface
+
+  A program that uses this library provides a simple emacs-like editing
+  interface to its users.  A line may be edited before it is sent to the
+  calling program by typing either control characters or escape sequences.  A
+  control character, shown as a caret followed by a letter, is typed by hold-
+  ing down the ``control'' key while the letter is typed.  For example,
+  ``^A'' is a control-A.  An escape sequence is entered by typing the
+  ``escape'' key followed by one or more characters.  The escape key is
+  abbreviated as ``ESC.''  Note that unlike control keys, case matters in
+  escape sequences; ``ESC F'' is not the same as ``ESC f''.
+
+  An editing command may be typed anywhere on the line, not just at the
+  beginning.  In addition, a return may also be typed anywhere on the line,
+  not just at the end.
+
+  Most editing commands may be given a repeat count, _n, where _n is a number.
+  To enter a repeat count, type the escape key, the number, and then the com-
+  mand to execute.  For example, ``ESC 4 ^f'' moves forward four characters.
+  If a command may be given a repeat count then the text ``[n]'' is given at
+  the end of its description.
+
+  The following control characters are accepted:
+       ^A       Move to the beginning of the line
+       ^B       Move left (backwards) [n]
+       ^D       Delete character [n]
+       ^E       Move to end of line
+       ^F       Move right (forwards) [n]
+       ^G       Ring the bell
+       ^H       Delete character before cursor (backspace key) [n]
+       ^I       Complete filename (tab key); see below
+       ^J       Done with line (return key)
+       ^K       Kill to end of line (or column [n])
+       ^L       Redisplay line
+       ^M       Done with line (alternate return key)
+       ^N       Get next line from history [n]
+       ^P       Get previous line from history [n]
+       ^R       Search backward (forward if [n]) through history for text;
+                must start line if text begins with an uparrow
+       ^T       Transpose characters
+       ^V       Insert next character, even if it is an edit command
+       ^W       Wipe to the mark
+       ^X^X     Exchange current location and mark
+       ^Y       Yank back last killed text
+       ^[       Start an escape sequence (escape key)
+       ^]c      Move forward to next character ``c''
+       ^?       Delete character before cursor (delete key) [n]
+
+  The following escape sequences are provided.
+       ESC ^H   Delete previous word (backspace key) [n]
+       ESC DEL  Delete previous word (delete key) [n]
+       ESC SP   Set the mark (space key); see ^X^X and ^Y above
+       ESC .    Get the last (or [n]'th) word from previous line
+       ESC ?    Show possible completions; see below
+       ESC <    Move to start of history
+       ESC >    Move to end of history
+       ESC b    Move backward a word [n]
+       ESC d    Delete word under cursor [n]
+       ESC f    Move forward a word [n]
+       ESC l    Make word lowercase [n]
+       ESC u    Make word uppercase [n]
+       ESC y    Yank back last killed text
+       ESC v    Show library version
+       ESC w    Make area up to mark yankable
+       ESC nn   Set repeat count to the number nn
+       ESC C    Read from environment variable ``_C_'', where C is
+                an uppercase letter
+
+  The _e_d_i_t_l_i_n_e library has a small macro facility.  If you type the escape
+  key followed by an uppercase letter, _C, then the contents of the environ-
+  ment variable ___C__ are read in as if you had typed them at the keyboard.
+  For example, if the variable ___L__ contains the following:
+       ^A^Kecho '^V^[[H^V^[[2J'^M
+  Then typing ``ESC L'' will move to the beginning of the line, kill the
+  entire line, enter the echo command needed to clear the terminal (if your
+  terminal is like a VT-100), and send the line back to the shell.
+
+  The _e_d_i_t_l_i_n_e library also does filename completion.  Suppose the root
+  directory has the following files in it:
+       bin    vmunix
+       core   vmunix.old
+  If you type ``rm /v'' and then the tab key.  _E_d_i_t_l_i_n_e will then finish off
+  as much of the name as possible by adding ``munix''.  Because the name is
+  not unique, it will then beep.  If you type the escape key and a question
+  mark, it will display the two choices.  If you then type a period and a
+  tab, the library will finish off the filename for you:
+       rm /v[TAB]_m_u_n_i_x.TAB_o_l_d
+  The tab key is shown by ``[TAB]'' and the automatically-entered text is
+  shown in italics.
+
+
+
+BUGS AND LIMITATIONS
+  Cannot handle lines more than 80 columns.
+
+
+
+
+AUTHORS
+  Simmule R. Turner <uunet.uu.net!capitol!sysgo!simmy> and Rich $alz
+  <rsalz@osf.org>.  Original manual page by DaviD W. Sanderson
+  <dws@ssec.wisc.edu>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/crypto/heimdal/lib/editline/editline.h b/crypto/heimdal/lib/editline/editline.h
new file mode 100644
index 0000000..a948ddc
--- /dev/null
+++ b/crypto/heimdal/lib/editline/editline.h
@@ -0,0 +1,64 @@
+/*  $Revision: 1.4 $
+**
+**  Internal header file for editline library.
+*/
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define CRLF		"\r\n"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+typedef struct dirent	DIRENTRY;
+#else
+#include <sys/dir.h>
+typedef struct direct	DIRENTRY;
+#endif
+
+#include <roken.h>
+
+#if	!defined(S_ISDIR)
+#define S_ISDIR(m)		(((m) & S_IFMT) == S_IFDIR)
+#endif	/* !defined(S_ISDIR) */
+
+typedef unsigned char	CHAR;
+
+#define MEM_INC		64
+#define SCREEN_INC	256
+
+/*
+**  Variables and routines internal to this package.
+*/
+extern int	rl_eof;
+extern int	rl_erase;
+extern int	rl_intr;
+extern int	rl_kill;
+extern int	rl_quit;
+
+typedef char* (*rl_complete_func_t)(char*, int*);
+
+typedef int (*rl_list_possib_func_t)(char*, char***);
+
+void	add_history (char*);
+char*	readline (const char* prompt);
+void	rl_add_slash (char*, char*);
+char*	rl_complete (char*, int*);
+void	rl_initialize (void);
+int	rl_list_possib (char*, char***);
+void	rl_reset_terminal (char*);
+void	rl_ttyset (int);
+rl_complete_func_t	rl_set_complete_func (rl_complete_func_t);
+rl_list_possib_func_t	rl_set_list_possib_func (rl_list_possib_func_t);
+ 
diff --git a/crypto/heimdal/lib/editline/roken_rename.h b/crypto/heimdal/lib/editline/roken_rename.h
new file mode 100644
index 0000000..9ea278d
--- /dev/null
+++ b/crypto/heimdal/lib/editline/roken_rename.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.4 1999/12/02 16:58:39 joda Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+#ifndef HAVE_STRDUP
+#define strdup _editline_strdup
+#endif
+#ifndef HAVE_SNPRINTF
+#define snprintf _editline_snprintf
+#endif
+#ifndef HAVE_VSNPRINTF
+#define vsnprintf _editline_vsnprintf
+#endif
+#ifndef HAVE_ASPRINTF
+#define asprintf _editline_asprintf
+#endif
+#ifndef HAVE_ASNPRINTF
+#define asnprintf _editline_asnprintf
+#endif
+#ifndef HAVE_VASPRINTF
+#define vasprintf _editline_vasprintf
+#endif
+#ifndef HAVE_VASNPRINTF
+#define vasnprintf _editline_vasnprintf
+#endif
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/editline/sysunix.c b/crypto/heimdal/lib/editline/sysunix.c
new file mode 100644
index 0000000..bcd6def
--- /dev/null
+++ b/crypto/heimdal/lib/editline/sysunix.c
@@ -0,0 +1,92 @@
+/*  Copyright 1992 Simmule Turner and Rich Salz.  All rights reserved. 
+ *
+ *  This software is not subject to any license of the American Telephone 
+ *  and Telegraph Company or of the Regents of the University of California. 
+ *
+ *  Permission is granted to anyone to use this software for any purpose on
+ *  any computer system, and to alter it and redistribute it freely, subject
+ *  to the following restrictions:
+ *  1. The authors are not responsible for the consequences of use of this
+ *     software, no matter how awful, even if they arise from flaws in it.
+ *  2. The origin of this software must not be misrepresented, either by
+ *     explicit claim or by omission.  Since few users ever read sources,
+ *     credits must appear in the documentation.
+ *  3. Altered versions must be plainly marked as such, and must not be
+ *     misrepresented as being the original software.  Since few users
+ *     ever read sources, credits must appear in the documentation.
+ *  4. This notice may not be removed or altered.
+ */
+
+/*
+**  Unix system-dependant routines for editline library.
+*/
+#include <config.h>
+#include "editline.h"
+
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#else
+#include <sgtty.h>
+#endif
+
+RCSID("$Id: sysunix.c,v 1.4 1999/04/08 13:08:24 joda Exp $");
+
+#ifdef HAVE_TERMIOS_H
+
+void
+rl_ttyset(int Reset)
+{
+    static struct termios	old;
+    struct termios		new;
+    
+    if (Reset == 0) {
+	tcgetattr(0, &old);
+	rl_erase = old.c_cc[VERASE];
+	rl_kill = old.c_cc[VKILL];
+	rl_eof = old.c_cc[VEOF];
+	rl_intr = old.c_cc[VINTR];
+	rl_quit = old.c_cc[VQUIT];
+
+	new = old;
+	new.c_cc[VINTR] = -1;
+	new.c_cc[VQUIT] = -1;
+	new.c_lflag &= ~(ECHO | ICANON);
+	new.c_iflag &= ~(ISTRIP | INPCK);
+	new.c_cc[VMIN] = 1;
+	new.c_cc[VTIME] = 0;
+	tcsetattr(0, TCSANOW, &new);
+    }
+    else
+	tcsetattr(0, TCSANOW, &old);
+}
+
+#else /* !HAVE_TERMIOS_H */
+
+void
+rl_ttyset(int Reset)
+{
+       static struct sgttyb old;
+       struct sgttyb new;
+
+       if (Reset == 0) {
+               ioctl(0, TIOCGETP, &old);
+               rl_erase = old.sg_erase;
+               rl_kill = old.sg_kill;
+               new = old;
+               new.sg_flags &= ~(ECHO | ICANON);
+               new.sg_flags &= ~(ISTRIP | INPCK);
+               ioctl(0, TIOCSETP, &new);
+       } else {
+               ioctl(0, TIOCSETP, &old);
+       }
+}
+#endif /* HAVE_TERMIOS_H */
+
+void
+rl_add_slash(char *path, char *p)
+{
+    struct stat	Sb;
+    
+    if (stat(path, &Sb) >= 0)
+	strcat(p, S_ISDIR(Sb.st_mode) ? "/" : " ");
+}
diff --git a/crypto/heimdal/lib/editline/testit.c b/crypto/heimdal/lib/editline/testit.c
new file mode 100644
index 0000000..4635e36
--- /dev/null
+++ b/crypto/heimdal/lib/editline/testit.c
@@ -0,0 +1,38 @@
+/*  $Revision: 1.2 $
+**
+**  A "micro-shell" to test editline library.
+**  If given any arguments, commands aren't executed.
+*/
+#if defined(HAVE_CONFIG_H)
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
+
+#include "editline.h"
+
+int
+main(int ac, char **av)
+{
+    char	*p;
+    int		doit;
+
+    doit = ac == 1;
+    while ((p = readline("testit> ")) != NULL) {
+	(void)printf("\t\t\t|%s|\n", p);
+	if (doit)
+	    if (strncmp(p, "cd ", 3) == 0) {
+		if (chdir(&p[3]) < 0)
+		    perror(&p[3]);
+	    } else if (system(p) != 0) {
+		perror(p);
+	    }
+	add_history(p);
+	free(p);
+    }
+    exit(0);
+    /* NOTREACHED */
+}
diff --git a/crypto/heimdal/lib/editline/unix.h b/crypto/heimdal/lib/editline/unix.h
new file mode 100644
index 0000000..fe6beed
--- /dev/null
+++ b/crypto/heimdal/lib/editline/unix.h
@@ -0,0 +1,22 @@
+/*  $Revision: 1.1 $
+**
+**  Editline system header file for Unix.
+*/
+
+#define CRLF		"\r\n"
+#define FORWARD		STATIC
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#if	defined(USE_DIRENT)
+#include <dirent.h>
+typedef struct dirent	DIRENTRY;
+#else
+#include <sys/dir.h>
+typedef struct direct	DIRENTRY;
+#endif	/* defined(USE_DIRENT) */
+
+#if	!defined(S_ISDIR)
+#define S_ISDIR(m)		(((m) & S_IFMT) == S_IFDIR)
+#endif	/* !defined(S_ISDIR) */
diff --git a/crypto/heimdal/lib/gssapi/8003.c b/crypto/heimdal/lib/gssapi/8003.c
new file mode 100644
index 0000000..c0d8881
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/8003.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: 8003.c,v 1.8 2001/01/29 02:08:58 assar Exp $");
+
+static krb5_error_code
+encode_om_uint32(OM_uint32 n, u_char *p)
+{
+  p[0] = (n >> 0)  & 0xFF;
+  p[1] = (n >> 8)  & 0xFF;
+  p[2] = (n >> 16) & 0xFF;
+  p[3] = (n >> 24) & 0xFF;
+  return 0;
+}
+
+static krb5_error_code
+decode_om_uint32(u_char *p, OM_uint32 *n)
+{
+    *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+    return 0;
+}
+
+static krb5_error_code
+hash_input_chan_bindings (const gss_channel_bindings_t b,
+			  u_char *p)
+{
+  u_char num[4];
+  MD5_CTX md5;
+
+  MD5_Init(&md5);
+  encode_om_uint32 (b->initiator_addrtype, num);
+  MD5_Update (&md5, num, sizeof(num));
+  encode_om_uint32 (b->initiator_address.length, num);
+  MD5_Update (&md5, num, sizeof(num));
+  if (b->initiator_address.length)
+    MD5_Update (&md5,
+		b->initiator_address.value,
+		b->initiator_address.length);
+  encode_om_uint32 (b->acceptor_addrtype, num);
+  MD5_Update (&md5, num, sizeof(num));
+  encode_om_uint32 (b->acceptor_address.length, num);
+  MD5_Update (&md5, num, sizeof(num));
+  if (b->acceptor_address.length)
+    MD5_Update (&md5,
+		b->acceptor_address.value,
+		b->acceptor_address.length);
+  encode_om_uint32 (b->application_data.length, num);
+  MD5_Update (&md5, num, sizeof(num));
+  if (b->application_data.length)
+    MD5_Update (&md5,
+		b->application_data.value,
+		b->application_data.length);
+  MD5_Final (p, &md5);
+  return 0;
+}
+
+krb5_error_code
+gssapi_krb5_create_8003_checksum (
+		      const gss_channel_bindings_t input_chan_bindings,
+		      OM_uint32 flags,
+		      krb5_data *fwd_data,
+		      Checksum *result)
+{
+  u_char *p;
+
+  /* 
+   * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value 
+   * field's format)
+   */
+  result->cksumtype = 0x8003;
+  if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
+    result->checksum.length = 24 + 4 + fwd_data->length;
+  else 
+    result->checksum.length = 24;
+  result->checksum.data   = malloc (result->checksum.length);
+  if (result->checksum.data == NULL)
+    return ENOMEM;
+  
+  p = result->checksum.data;
+  encode_om_uint32 (16, p);
+  p += 4;
+  if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) {
+    memset (p, 0, 16);
+  } else {
+    hash_input_chan_bindings (input_chan_bindings, p);
+  }
+  p += 16;
+  encode_om_uint32 (flags, p);
+  p += 4;
+
+  if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) {
+#if 0
+     u_char *tmp;
+
+     result->checksum.length = 28 + fwd_data->length;
+     tmp = realloc(result->checksum.data, result->checksum.length);
+     if (tmp == NULL)
+        return ENOMEM;
+     result->checksum.data = tmp;
+
+     p = (u_char*)result->checksum.data + 24;  
+#endif
+     *p++ = (1 >> 0) & 0xFF;                   /* DlgOpt */ /* == 1 */
+     *p++ = (1 >> 8) & 0xFF;                   /* DlgOpt */ /* == 0 */
+     *p++ = (fwd_data->length >> 0) & 0xFF;    /* Dlgth  */
+     *p++ = (fwd_data->length >> 8) & 0xFF;    /* Dlgth  */
+     memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
+
+     p += fwd_data->length;
+     
+  if (p - (u_char *)result->checksum.data != result->checksum.length)
+        abort();
+  }
+  
+  return 0;
+}
+
+krb5_error_code
+gssapi_krb5_verify_8003_checksum(
+		      const gss_channel_bindings_t input_chan_bindings,
+		      Checksum *cksum,
+		      OM_uint32 *flags,
+		      krb5_data *fwd_data)
+{
+    unsigned char hash[16];
+    unsigned char *p;
+    OM_uint32 length;
+    int DlgOpt;
+
+    /* XXX should handle checksums > 24 bytes */
+    if(cksum->cksumtype != 0x8003)
+	return GSS_S_BAD_BINDINGS;
+    
+    p = cksum->checksum.data;
+    decode_om_uint32(p, &length);
+    if(length != sizeof(hash))
+	return GSS_S_FAILURE;
+    
+    p += 4;
+    
+    if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
+	if(hash_input_chan_bindings(input_chan_bindings, hash) != 0)
+	    return GSS_S_FAILURE;
+	if(memcmp(hash, p, sizeof(hash)) != 0)
+	    return GSS_S_FAILURE;
+    }
+    
+    p += sizeof(hash);
+    
+    decode_om_uint32(p, flags);
+
+    if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
+    
+      p += 4;
+    
+      DlgOpt = (p[0] << 0) | (p[1] << 8 );
+      if (DlgOpt != 1)
+         return GSS_S_BAD_BINDINGS;
+      
+      p += 2;
+      fwd_data->length = (p[0] << 0) | (p[1] << 8);
+      fwd_data->data = malloc(fwd_data->length);
+      if (fwd_data->data == NULL)
+         return ENOMEM;
+
+      p += 2;
+      memcpy(fwd_data->data, p, fwd_data->length);
+    }
+    
+    return 0;
+}
diff --git a/crypto/heimdal/lib/gssapi/ChangeLog b/crypto/heimdal/lib/gssapi/ChangeLog
new file mode 100644
index 0000000..99ab271
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/ChangeLog
@@ -0,0 +1,246 @@
+2001-05-17  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 3:1:2
+
+2001-05-14  Assar Westerlund  <assar@sics.se>
+
+	* address_to_krb5addr.c: adapt to new address functions
+
+2001-05-11  Assar Westerlund  <assar@sics.se>
+
+	* try to return the error string from libkrb5 where applicable
+
+2001-05-08  Assar Westerlund  <assar@sics.se>
+
+	* delete_sec_context.c (gss_delete_sec_context): remember to free
+	the memory used by the ticket itself. from <tmartin@mirapoint.com>
+
+2001-05-04  Assar Westerlund  <assar@sics.se>
+
+	* gssapi_locl.h: add config.h for completeness
+	* gssapi.h: remove config.h, this is an installed header file
+	sys/types.h is not needed either
+	
+2001-03-12  Assar Westerlund  <assar@sics.se>
+
+	* acquire_cred.c (gss_acquire_cred): remove memory leaks.  from
+	Jason R Thorpe <thorpej@zembu.com>
+
+2001-02-18  Assar Westerlund  <assar@sics.se>
+
+	* accept_sec_context.c (gss_accept_sec_context): either return
+	gss_name NULL-ed or set
+
+	* import_name.c: set minor_status in some cases where it was not
+	done
+
+2001-02-15  Assar Westerlund  <assar@sics.se>
+
+	* wrap.c: use krb5_generate_random_block for the confounders
+
+2001-01-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2
+	* acquire_cred.c, init_sec_context.c, release_cred.c: add support
+	for getting creds from a keytab, from fvdl@netbsd.org
+
+	* copy_ccache.c: add gss_krb5_copy_ccache
+
+2001-01-27  Assar Westerlund  <assar@sics.se>
+
+	* get_mic.c: cast parameters to des function to non-const pointers
+ 	to handle the case where these functions actually take non-const
+ 	des_cblock *
+
+2001-01-09  Assar Westerlund  <assar@sics.se>
+
+	* accept_sec_context.c (gss_accept_sec_context): use krb5_rd_cred2
+	instead of krb5_rd_cred
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1
+
+2000-12-08  Assar Westerlund  <assar@sics.se>
+
+	* wrap.c (wrap_des3): use the checksum as ivec when encrypting the
+	sequence number
+	* unwrap.c (unwrap_des3): use the checksum as ivec when encrypting
+	the sequence number
+	* init_sec_context.c (init_auth): always zero fwd_data
+
+2000-12-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* accept_sec_context.c: de-pointerise auth_context parameter to
+	krb5_mk_rep
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* init_sec_context.c (init_auth): update to new
+	krb5_build_authenticator
+
+2000-09-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1
+
+2000-08-27  Assar Westerlund  <assar@sics.se>
+
+	* init_sec_context.c: actually pay attention to `time_req'
+	* init_sec_context.c: re-organize.  leak less memory.
+	* gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey):
+	update prototypes add assert.h
+	* gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD):
+	add
+	* verify_mic.c: re-organize and add 3DES code
+	* wrap.c: re-organize and add 3DES code
+	* unwrap.c: re-organize and add 3DES code
+	* get_mic.c: re-organize and add 3DES code
+	* encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data',
+	let the caller do that.  fix the callers.
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 2:1:1
+
+2000-07-29  Assar Westerlund  <assar@sics.se>
+
+	* decapsulate.c (gssapi_krb5_verify_header): sanity-check length
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump version to 2:0:1
+
+2000-07-22  Assar Westerlund  <assar@sics.se>
+
+	* gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other
+	details from rfc2744
+
+2000-06-29  Assar Westerlund  <assar@sics.se>
+
+	* address_to_krb5addr.c (gss_address_to_krb5addr): actually use
+	`int' instead of `sa_family_t' for the address family.
+
+2000-06-21  Assar Westerlund  <assar@sics.se>
+
+	* add support for token delegation.  From Daniel Kouril
+	<kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>
+
+2000-05-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1
+
+2000-04-12  Assar Westerlund  <assar@sics.se>
+
+	* release_oid_set.c (gss_release_oid_set): clear set for
+	robustness.  From GOMBAS Gabor <gombasg@inf.elte.hu>
+	* release_name.c (gss_release_name): reset input_name for
+	robustness.  From GOMBAS Gabor <gombasg@inf.elte.hu>
+	* release_buffer.c (gss_release_buffer): set value to NULL to be
+	more robust.  From GOMBAS Gabor <gombasg@inf.elte.hu>
+	* add_oid_set_member.c (gss_add_oid_set_member): actually check if
+	the oid is a member first.  leave the oid_set unchanged if realloc
+	fails.
+
+2000-02-13  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:0:1
+
+2000-02-12  Assar Westerlund  <assar@sics.se>
+
+	* gssapi_locl.h: add flags for import/export
+	* import_sec_context.c (import_sec_context: add flags for what
+	fields are included.  do not include the authenticator for now.
+	* export_sec_context.c (export_sec_context: add flags for what
+	fields are included.  do not include the authenticator for now.
+	* accept_sec_context.c (gss_accept_sec_context): set target in
+	context_handle
+
+2000-02-11  Assar Westerlund  <assar@sics.se>
+
+	* delete_sec_context.c (gss_delete_sec_context): set context to
+	GSS_C_NO_CONTEXT
+
+	* Makefile.am: add {export,import}_sec_context.c
+	* export_sec_context.c: new file
+	* import_sec_context.c: new file
+	* accept_sec_context.c (gss_accept_sec_context): set trans flag
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 0:5:0
+
+2000-01-26  Assar Westerlund  <assar@sics.se>
+
+	* delete_sec_context.c (gss_delete_sec_context): handle a NULL
+	output_token
+
+	* wrap.c: update to pseudo-standard APIs for md4,md5,sha.  some
+	changes to libdes calls to make them more portable.
+	* verify_mic.c: update to pseudo-standard APIs for md4,md5,sha.
+	some changes to libdes calls to make them more portable.
+	* unwrap.c: update to pseudo-standard APIs for md4,md5,sha.  some
+	changes to libdes calls to make them more portable.
+	* get_mic.c: update to pseudo-standard APIs for md4,md5,sha.  some
+	changes to libdes calls to make them more portable.
+	* 8003.c: update to pseudo-standard APIs for md4,md5,sha.
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 0:4:0
+
+1999-12-26  Assar Westerlund  <assar@sics.se>
+
+	* accept_sec_context.c (gss_accept_sec_context): always set
+ 	`output_token'
+	* init_sec_context.c (init_auth): always initialize `output_token'
+	* delete_sec_context.c (gss_delete_sec_context): always set
+ 	`output_token'
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 0:3:0
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 0:2:0
+
+1999-09-21  Assar Westerlund  <assar@sics.se>
+
+	* init_sec_context.c (gss_init_sec_context): initialize `ticket'
+
+	* gssapi.h (gss_ctx_id_t_desc): add ticket in here.  ick.
+
+	* delete_sec_context.c (gss_delete_sec_context): free ticket
+
+	* accept_sec_context.c (gss_accept_sec_context): stove away
+ 	`krb5_ticket' in context so that ugly programs such as
+ 	gss_nt_server can get at it.  uck.
+
+1999-09-20  Johan Danielsson  <joda@pdc.kth.se>
+
+	* accept_sec_context.c: set minor_status
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* display_status.c (calling_error, routine_error): right shift the
+ 	code to make it possible to index into the arrays
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* gssapi.h (GSS_C_AF_INET6): add
+
+	* import_name.c (import_hostbased_name): set minor_status
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 0:1:0
+
+Wed Apr  7 14:05:15 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* display_status.c: set minor_status
+
+	* init_sec_context.c: set minor_status
+
+	* lib/gssapi/init.c: remove donep (check gssapi_krb5_context
+ 	directly)
+
diff --git a/crypto/heimdal/lib/gssapi/Makefile.am b/crypto/heimdal/lib/gssapi/Makefile.am
new file mode 100644
index 0000000..3132040
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/Makefile.am
@@ -0,0 +1,50 @@
+# $Id: Makefile.am,v 1.31 2001/05/16 23:52:27 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/../krb5 $(INCLUDE_krb4)
+
+lib_LTLIBRARIES = libgssapi.la
+libgssapi_la_LDFLAGS = -version-info 3:1:2
+
+include_HEADERS = gssapi.h
+
+libgssapi_la_SOURCES =		\
+	8003.c			\
+	accept_sec_context.c	\
+	acquire_cred.c		\
+	add_oid_set_member.c	\
+	canonicalize_name.c	\
+	compare_name.c		\
+	context_time.c		\
+	copy_ccache.c		\
+	create_emtpy_oid_set.c	\
+	decapsulate.c		\
+	delete_sec_context.c	\
+	display_name.c		\
+	display_status.c	\
+	duplicate_name.c	\
+	encapsulate.c		\
+	export_sec_context.c	\
+	export_name.c		\
+	external.c		\
+	get_mic.c		\
+	gssapi.h		\
+	gssapi_locl.h		\
+	import_name.c		\
+	import_sec_context.c	\
+	indicate_mechs.c	\
+	init.c			\
+	init_sec_context.c	\
+	inquire_context.c	\
+	inquire_cred.c		\
+	release_buffer.c	\
+	release_cred.c		\
+	release_name.c		\
+	release_oid_set.c	\
+	test_oid_set_member.c	\
+	unwrap.c		\
+	v1.c			\
+	verify_mic.c		\
+        wrap.c                  \
+        address_to_krb5addr.c
diff --git a/crypto/heimdal/lib/gssapi/Makefile.in b/crypto/heimdal/lib/gssapi/Makefile.in
new file mode 100644
index 0000000..a71a183
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/Makefile.in
@@ -0,0 +1,632 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.31 2001/05/16 23:52:27 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I$(srcdir)/../krb5 $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+lib_LTLIBRARIES = libgssapi.la
+libgssapi_la_LDFLAGS = -version-info 3:1:2
+
+include_HEADERS = gssapi.h
+
+libgssapi_la_SOURCES = \
+	8003.c			\
+	accept_sec_context.c	\
+	acquire_cred.c		\
+	add_oid_set_member.c	\
+	canonicalize_name.c	\
+	compare_name.c		\
+	context_time.c		\
+	copy_ccache.c		\
+	create_emtpy_oid_set.c	\
+	decapsulate.c		\
+	delete_sec_context.c	\
+	display_name.c		\
+	display_status.c	\
+	duplicate_name.c	\
+	encapsulate.c		\
+	export_sec_context.c	\
+	export_name.c		\
+	external.c		\
+	get_mic.c		\
+	gssapi.h		\
+	gssapi_locl.h		\
+	import_name.c		\
+	import_sec_context.c	\
+	indicate_mechs.c	\
+	init.c			\
+	init_sec_context.c	\
+	inquire_context.c	\
+	inquire_cred.c		\
+	release_buffer.c	\
+	release_cred.c		\
+	release_name.c		\
+	release_oid_set.c	\
+	test_oid_set_member.c	\
+	unwrap.c		\
+	v1.c			\
+	verify_mic.c		\
+        wrap.c                  \
+        address_to_krb5addr.c
+
+subdir = lib/gssapi
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libgssapi_la_LIBADD = 
+am_libgssapi_la_OBJECTS =  8003.lo accept_sec_context.lo acquire_cred.lo \
+add_oid_set_member.lo canonicalize_name.lo compare_name.lo \
+context_time.lo copy_ccache.lo create_emtpy_oid_set.lo decapsulate.lo \
+delete_sec_context.lo display_name.lo display_status.lo \
+duplicate_name.lo encapsulate.lo export_sec_context.lo export_name.lo \
+external.lo get_mic.lo import_name.lo import_sec_context.lo \
+indicate_mechs.lo init.lo init_sec_context.lo inquire_context.lo \
+inquire_cred.lo release_buffer.lo release_cred.lo release_name.lo \
+release_oid_set.lo test_oid_set_member.lo unwrap.lo v1.lo verify_mic.lo \
+wrap.lo address_to_krb5addr.lo
+libgssapi_la_OBJECTS =  $(am_libgssapi_la_OBJECTS)
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libgssapi_la_SOURCES)
+HEADERS =  $(include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libgssapi_la_SOURCES)
+OBJECTS = $(am_libgssapi_la_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/gssapi/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libgssapi.la: $(libgssapi_la_OBJECTS) $(libgssapi_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libgssapi_la_LDFLAGS) $(libgssapi_la_OBJECTS) $(libgssapi_la_LIBADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool uninstall-includeHEADERS \
+install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/gssapi/accept_sec_context.c b/crypto/heimdal/lib/gssapi/accept_sec_context.c
new file mode 100644
index 0000000..4cb2427
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/accept_sec_context.c
@@ -0,0 +1,392 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: accept_sec_context.c,v 1.24 2001/05/11 09:16:45 assar Exp $");
+
+static krb5_keytab gss_keytab;
+
+OM_uint32
+gsskrb5_register_acceptor_identity (char *identity)
+{
+    char *p;
+    if(gss_keytab != NULL) {
+	krb5_kt_close(gssapi_krb5_context, gss_keytab);
+	gss_keytab = NULL;
+    }
+    asprintf(&p, "FILE:%s", identity);
+    if(p == NULL)
+	return GSS_S_FAILURE;
+    krb5_kt_resolve(gssapi_krb5_context, p, &gss_keytab);
+    free(p);
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gss_accept_sec_context
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            const gss_cred_id_t acceptor_cred_handle,
+            const gss_buffer_t input_token_buffer,
+            const gss_channel_bindings_t input_chan_bindings,
+            gss_name_t * src_name,
+            gss_OID * mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec,
+            gss_cred_id_t * delegated_cred_handle
+           )
+{
+  krb5_error_code kret;
+  OM_uint32 ret;
+  krb5_data indata;
+  krb5_flags ap_options;
+  OM_uint32 flags;
+  krb5_ticket *ticket = NULL;
+  krb5_keytab keytab = NULL;
+  krb5_data fwd_data;
+  OM_uint32 minor;
+
+  gssapi_krb5_init ();
+
+  krb5_data_zero (&fwd_data);
+  output_token->length = 0;
+  output_token->value   = NULL;
+
+  if (*context_handle == GSS_C_NO_CONTEXT) {
+      *context_handle = malloc(sizeof(**context_handle));
+    if (*context_handle == GSS_C_NO_CONTEXT) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+  }
+
+  (*context_handle)->auth_context =  NULL;
+  (*context_handle)->source = NULL;
+  (*context_handle)->target = NULL;
+  (*context_handle)->flags = 0;
+  (*context_handle)->more_flags = 0;
+  (*context_handle)->ticket = NULL;
+
+  if (src_name != NULL)
+      *src_name = NULL;
+
+  kret = krb5_auth_con_init (gssapi_krb5_context,
+			     &(*context_handle)->auth_context);
+  if (kret) {
+    ret = GSS_S_FAILURE;
+    *minor_status = kret;
+    gssapi_krb5_set_error_string ();
+    goto failure;
+  }
+
+  if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
+      && input_chan_bindings->application_data.length ==
+           2 * sizeof((*context_handle)->auth_context->local_port)
+           ) {
+     
+     /* Port numbers are expected to be in application_data.value,
+      * initator's port first */
+     
+     krb5_address initiator_addr, acceptor_addr;
+     
+     memset(&initiator_addr, 0, sizeof(initiator_addr));
+     memset(&acceptor_addr, 0, sizeof(acceptor_addr));
+
+     (*context_handle)->auth_context->remote_port = 
+        *(int16_t *) input_chan_bindings->application_data.value; 
+     
+     (*context_handle)->auth_context->local_port =
+        *((int16_t *) input_chan_bindings->application_data.value + 1);
+
+     
+     kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
+                               &input_chan_bindings->acceptor_address,
+                               (*context_handle)->auth_context->local_port,
+                               &acceptor_addr); 
+     if (kret) {
+        *minor_status = kret;
+	gssapi_krb5_set_error_string ();
+        ret = GSS_S_BAD_BINDINGS;
+        goto failure;
+     }
+                             
+     kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
+                               &input_chan_bindings->initiator_address, 
+                               (*context_handle)->auth_context->remote_port,
+                               &initiator_addr); 
+     if (kret) {
+        krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+        *minor_status = kret;
+	gssapi_krb5_set_error_string ();
+        ret = GSS_S_BAD_BINDINGS;
+        goto failure;
+     }
+     
+     kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
+                                   (*context_handle)->auth_context,
+                                   &acceptor_addr,    /* local address */
+                                   &initiator_addr);  /* remote address */
+     
+     krb5_free_address (gssapi_krb5_context, &initiator_addr);
+     krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+     
+#if 0
+     free(input_chan_bindings->application_data.value);
+     input_chan_bindings->application_data.value = NULL;
+     input_chan_bindings->application_data.length = 0;
+#endif
+     
+     if (kret) {
+        *minor_status = kret;
+	gssapi_krb5_set_error_string ();
+        ret = GSS_S_BAD_BINDINGS;
+        goto failure;
+     }
+  }
+  
+
+
+  {
+    int32_t tmp;
+
+    krb5_auth_con_getflags(gssapi_krb5_context,
+			   (*context_handle)->auth_context,
+			   &tmp);
+    tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
+    krb5_auth_con_setflags(gssapi_krb5_context,
+			   (*context_handle)->auth_context,
+			   tmp);
+  }
+
+  ret = gssapi_krb5_decapsulate (input_token_buffer,
+				 &indata,
+				 "\x01\x00");
+  if (ret) {
+      kret = 0;
+      goto failure;
+  }
+
+  if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
+      if (gss_keytab != NULL) {
+	  keytab = gss_keytab;
+     }
+  } else if (acceptor_cred_handle->keytab != NULL) {
+     keytab = acceptor_cred_handle->keytab;
+  }
+
+  kret = krb5_rd_req (gssapi_krb5_context,
+		      &(*context_handle)->auth_context,
+		      &indata,
+		      (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL 
+			: acceptor_cred_handle->principal,
+		      keytab,
+		      &ap_options,
+		      &ticket);
+  if (kret) {
+    ret = GSS_S_FAILURE;
+    *minor_status = kret;
+    gssapi_krb5_set_error_string ();
+    goto failure;
+  }
+
+  kret = krb5_copy_principal (gssapi_krb5_context,
+			      ticket->client,
+			      &(*context_handle)->source);
+  if (kret) {
+    ret = GSS_S_FAILURE;
+    *minor_status = kret;
+    gssapi_krb5_set_error_string ();
+    goto failure;
+  }
+
+  kret = krb5_copy_principal (gssapi_krb5_context,
+			      ticket->server,
+			      &(*context_handle)->target);
+  if (kret) {
+    ret = GSS_S_FAILURE;
+    *minor_status = kret;
+    gssapi_krb5_set_error_string ();
+    goto failure;
+  }
+
+  if (src_name != NULL) {
+    kret = krb5_copy_principal (gssapi_krb5_context,
+				ticket->client,
+				src_name);
+    if (kret) {
+      ret = GSS_S_FAILURE;
+      *minor_status = kret;
+      gssapi_krb5_set_error_string ();
+      goto failure;
+    }
+  }
+
+  {
+      krb5_authenticator authenticator;
+      
+      kret = krb5_auth_getauthenticator(gssapi_krb5_context,
+					(*context_handle)->auth_context,
+					&authenticator);
+      if(kret) {
+	  ret = GSS_S_FAILURE;
+	  *minor_status = kret;
+	  gssapi_krb5_set_error_string ();
+	  goto failure;
+      }
+
+      kret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
+					      authenticator->cksum,
+					      &flags,
+					      &fwd_data);
+      krb5_free_authenticator(gssapi_krb5_context, &authenticator);
+      if (kret) {
+	  ret = GSS_S_FAILURE;
+	  *minor_status = kret;
+	  gssapi_krb5_set_error_string ();
+	  goto failure;
+      }
+  }
+
+  if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
+      
+      krb5_ccache ccache;
+      
+      if (delegated_cred_handle == NULL || *delegated_cred_handle == NULL)
+         /* XXX Create a new delegated_cred_handle? */
+         kret = krb5_cc_default (gssapi_krb5_context, &ccache);
+      
+      else {
+         if ((*delegated_cred_handle)->ccache == NULL)
+            kret = krb5_cc_gen_new (gssapi_krb5_context,
+                                    &krb5_mcc_ops,
+                                    &(*delegated_cred_handle)->ccache);
+         ccache = (*delegated_cred_handle)->ccache;
+      }
+      
+      if (kret) {
+         flags &= ~GSS_C_DELEG_FLAG;
+         goto end_fwd;
+      }
+      
+      kret = krb5_cc_initialize(gssapi_krb5_context,
+                                ccache,
+                                *src_name);
+      if (kret) {
+         flags &= ~GSS_C_DELEG_FLAG;
+         goto end_fwd;
+      }
+      
+      kret = krb5_rd_cred2(gssapi_krb5_context,
+			   (*context_handle)->auth_context,
+			   ccache,
+			   &fwd_data);
+      if (kret) {
+         flags &= ~GSS_C_DELEG_FLAG;
+         goto end_fwd;
+      }
+
+end_fwd:
+      free(fwd_data.data);
+  }
+         
+
+  flags |= GSS_C_TRANS_FLAG;
+
+  if (ret_flags)
+    *ret_flags = flags;
+  (*context_handle)->flags = flags;
+  (*context_handle)->more_flags |= OPEN;
+
+  if (mech_type)
+    *mech_type = GSS_KRB5_MECHANISM;
+
+  if (time_rec)
+    *time_rec = GSS_C_INDEFINITE;
+
+  if(flags & GSS_C_MUTUAL_FLAG) {
+    krb5_data outbuf;
+
+    kret = krb5_mk_rep (gssapi_krb5_context,
+			(*context_handle)->auth_context,
+			&outbuf);
+    if (kret) {
+      ret = GSS_S_FAILURE;
+      *minor_status = kret;
+      gssapi_krb5_set_error_string ();
+      goto failure;
+    }
+    ret = gssapi_krb5_encapsulate (&outbuf,
+				   output_token,
+				   "\x02\x00");
+    krb5_data_free (&outbuf);
+    if (ret) {
+	kret = 0;
+      goto failure;
+    }
+  } else {
+    output_token->length = 0;
+  }
+
+  (*context_handle)->ticket = ticket;
+  ticket = NULL;
+
+#if 0
+  krb5_free_ticket (context, ticket);
+#endif
+
+  return GSS_S_COMPLETE;
+
+failure:
+  if (fwd_data.length > 0)
+    free(fwd_data.data);
+  if (ticket != NULL)
+    krb5_free_ticket (gssapi_krb5_context, ticket);
+  krb5_auth_con_free (gssapi_krb5_context,
+		      (*context_handle)->auth_context);
+  if((*context_handle)->source)
+    krb5_free_principal (gssapi_krb5_context,
+			 (*context_handle)->source);
+  if((*context_handle)->target)
+    krb5_free_principal (gssapi_krb5_context,
+			 (*context_handle)->target);
+  free (*context_handle);
+  if (src_name != NULL) {
+      gss_release_name (&minor, src_name);
+      *src_name = NULL;
+  }
+  *context_handle = GSS_C_NO_CONTEXT;
+  *minor_status = kret;
+  return GSS_S_FAILURE;
+}
diff --git a/crypto/heimdal/lib/gssapi/acquire_cred.c b/crypto/heimdal/lib/gssapi/acquire_cred.c
new file mode 100644
index 0000000..acc60a2
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/acquire_cred.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: acquire_cred.c,v 1.6 2001/05/11 09:16:45 assar Exp $");
+
+OM_uint32 gss_acquire_cred
+           (OM_uint32 * minor_status,
+            const gss_name_t desired_name,
+            OM_uint32 time_req,
+            const gss_OID_set desired_mechs,
+            gss_cred_usage_t cred_usage,
+            gss_cred_id_t * output_cred_handle,
+            gss_OID_set * actual_mechs,
+            OM_uint32 * time_rec
+           )
+{
+    gss_cred_id_t handle;
+    OM_uint32 ret;
+    krb5_error_code kret = 0;
+    krb5_ccache ccache;
+
+    handle = (gss_cred_id_t)malloc(sizeof(*handle));
+    if (handle == GSS_C_NO_CREDENTIAL)
+        return GSS_S_FAILURE;
+
+    memset(handle, 0, sizeof (*handle));
+
+    ret = gss_duplicate_name(minor_status, desired_name, &handle->principal);
+    if (ret) {
+	free(handle);
+        return ret;
+    }
+
+    if (krb5_cc_default(gssapi_krb5_context, &ccache) == 0) {
+	krb5_principal def_princ;
+
+	if (krb5_cc_get_principal(gssapi_krb5_context, ccache,
+				  &def_princ) != 0) {
+	    krb5_cc_close(gssapi_krb5_context, ccache);
+	    goto try_keytab;
+	}
+	if (krb5_principal_compare(gssapi_krb5_context, handle->principal,
+				   def_princ) == FALSE) {
+	    krb5_free_principal(gssapi_krb5_context, def_princ);
+	    krb5_cc_close(gssapi_krb5_context, ccache);
+	    goto try_keytab;
+	}
+	handle->ccache = ccache;
+	handle->keytab = NULL;
+	krb5_free_principal(gssapi_krb5_context, def_princ);
+    } else {
+    	krb5_creds cred;
+    	krb5_get_init_creds_opt opt;
+
+ try_keytab:
+	kret = krb5_kt_default(gssapi_krb5_context, &handle->keytab);
+	if (kret != 0)
+	    goto krb5_bad;
+
+	krb5_get_init_creds_opt_init(&opt);
+	memset(&cred, 0, sizeof(cred));
+
+	kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
+					  handle->principal, handle->keytab,
+					  0, NULL, &opt);
+	if (kret != 0)
+	    goto krb5_bad;
+
+	kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
+			       &handle->ccache);
+	if (kret != 0) {
+	    krb5_free_creds_contents(gssapi_krb5_context, &cred);
+	    goto krb5_bad;
+	}
+
+	kret = krb5_cc_initialize(gssapi_krb5_context, handle->ccache,
+				  cred.client);
+	if (kret != 0) {
+	    krb5_free_creds_contents(gssapi_krb5_context, &cred);
+	    goto krb5_bad;
+	}
+
+	kret = krb5_cc_store_cred(gssapi_krb5_context, handle->ccache, &cred);
+	if (kret != 0) {
+	    krb5_free_creds_contents(gssapi_krb5_context, &cred);
+	    goto krb5_bad;
+	}
+
+	krb5_free_creds_contents(gssapi_krb5_context, &cred);
+    }
+
+    /* XXX */
+    handle->lifetime = time_req;
+    handle->usage = cred_usage;
+
+    ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
+    if (ret)
+	goto gssapi_bad;
+
+    ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+				 &handle->mechanisms);
+    if (ret)
+	goto gssapi_bad;
+
+    ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
+			   actual_mechs);
+    if (ret)
+	goto gssapi_bad;
+
+    *output_cred_handle = handle;
+    return (GSS_S_COMPLETE);
+
+ krb5_bad:
+    ret = GSS_S_FAILURE;
+    *minor_status = kret;
+    gssapi_krb5_set_error_string ();
+
+ gssapi_bad:
+    krb5_free_principal(gssapi_krb5_context, handle->principal);
+    if (handle->ccache != NULL)
+	krb5_cc_close(gssapi_krb5_context, handle->ccache);
+    if (handle->keytab != NULL)
+	krb5_kt_close(gssapi_krb5_context, handle->keytab);
+    if (handle->mechanisms != NULL)
+	gss_release_oid_set(NULL, &handle->mechanisms);
+
+    free(handle);
+
+    return (ret);
+}
diff --git a/crypto/heimdal/lib/gssapi/add_oid_set_member.c b/crypto/heimdal/lib/gssapi/add_oid_set_member.c
new file mode 100644
index 0000000..baf70c5
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/add_oid_set_member.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: add_oid_set_member.c,v 1.7 2001/02/18 03:39:08 assar Exp $");
+
+OM_uint32 gss_add_oid_set_member (
+            OM_uint32 * minor_status,
+            const gss_OID member_oid,
+            gss_OID_set * oid_set
+           )
+{
+  gss_OID tmp;
+  size_t n;
+  OM_uint32 res;
+  int present;
+
+  res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present);
+  if (res != GSS_S_COMPLETE)
+    return res;
+
+  if (present)
+    return GSS_S_COMPLETE;
+
+  n = (*oid_set)->count + 1;
+  tmp = realloc ((*oid_set)->elements, n * sizeof(gss_OID_desc));
+  if (tmp == NULL) {
+    *minor_status = ENOMEM;
+    return GSS_S_FAILURE;
+  }
+  (*oid_set)->elements = tmp;
+  (*oid_set)->count = n;
+  (*oid_set)->elements[n-1] = *member_oid;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/address_to_krb5addr.c b/crypto/heimdal/lib/gssapi/address_to_krb5addr.c
new file mode 100644
index 0000000..c8041aa
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/address_to_krb5addr.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+#include <roken.h>
+
+krb5_error_code
+gss_address_to_krb5addr(OM_uint32 gss_addr_type,
+                        gss_buffer_desc *gss_addr,
+                        int16_t port,
+                        krb5_address *address)
+{
+   int addr_type;
+   struct sockaddr sa;
+   int sa_size = sizeof(sa);
+   krb5_error_code problem;
+   
+   if (gss_addr == NULL)
+      return GSS_S_FAILURE; 
+   
+   switch (gss_addr_type) {
+#ifdef HAVE_IPV6
+      case GSS_C_AF_INET6: addr_type = AF_INET6;
+                           break;
+#endif /* HAVE_IPV6 */
+                           
+      case GSS_C_AF_INET:  addr_type = AF_INET;
+                           break;
+      default:
+                           return GSS_S_FAILURE;
+   }
+                      
+   problem = krb5_h_addr2sockaddr (gssapi_krb5_context,
+				   addr_type,
+                                   gss_addr->value, 
+                                   &sa, 
+                                   &sa_size, 
+                                   port);
+   if (problem)
+      return GSS_S_FAILURE;
+
+   problem = krb5_sockaddr2address (gssapi_krb5_context, &sa, address);
+
+   return problem;  
+}
diff --git a/crypto/heimdal/lib/gssapi/canonicalize_name.c b/crypto/heimdal/lib/gssapi/canonicalize_name.c
new file mode 100644
index 0000000..afa39f3
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/canonicalize_name.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: canonicalize_name.c,v 1.2 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_canonicalize_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            const gss_OID mech_type,
+            gss_name_t * output_name
+           )
+{
+    return gss_duplicate_name (minor_status, input_name, output_name);
+}
diff --git a/crypto/heimdal/lib/gssapi/compare_name.c b/crypto/heimdal/lib/gssapi/compare_name.c
new file mode 100644
index 0000000..5926b15
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/compare_name.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: compare_name.c,v 1.2 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_compare_name
+           (OM_uint32 * minor_status,
+            const gss_name_t name1,
+            const gss_name_t name2,
+            int * name_equal
+           )
+{
+    gssapi_krb5_init ();
+    *name_equal = krb5_principal_compare (gssapi_krb5_context,
+					  name1, name2);
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/context_time.c b/crypto/heimdal/lib/gssapi/context_time.c
new file mode 100644
index 0000000..f933f9e
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/context_time.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: context_time.c,v 1.5 2001/05/11 09:16:45 assar Exp $");
+
+OM_uint32 gss_context_time
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            OM_uint32 * time_rec
+           )
+{
+    OM_uint32 lifetime;
+    OM_uint32 ret;
+    krb5_error_code kret;
+    krb5_timestamp timeret;
+
+    gssapi_krb5_init();
+
+    ret = gss_inquire_context(minor_status, context_handle,
+			      NULL, NULL, &lifetime, NULL, NULL, NULL, NULL);
+    if (ret) {
+        return ret;
+    }
+
+    kret = krb5_timeofday(gssapi_krb5_context, &timeret);
+    if (kret) {
+	*minor_status = kret;
+	gssapi_krb5_set_error_string ();
+        return GSS_S_FAILURE;
+    }
+
+    *time_rec = lifetime - timeret;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/copy_ccache.c b/crypto/heimdal/lib/gssapi/copy_ccache.c
new file mode 100644
index 0000000..a6f53df
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/copy_ccache.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: copy_ccache.c,v 1.2 2001/05/11 09:16:45 assar Exp $");
+
+OM_uint32
+gss_krb5_copy_ccache(OM_uint32 *minor,
+		     gss_cred_id_t cred,
+		     krb5_ccache out)
+{
+    krb5_error_code kret;
+
+    if (cred->ccache == NULL) {
+	*minor = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out);
+    if (kret) {
+	*minor = kret;
+	gssapi_krb5_set_error_string ();
+	return GSS_S_FAILURE;
+    }
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c b/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c
new file mode 100644
index 0000000..de71749
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/create_emtpy_oid_set.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: create_emtpy_oid_set.c,v 1.4 2001/02/18 03:39:08 assar Exp $");
+
+OM_uint32 gss_create_empty_oid_set (
+            OM_uint32 * minor_status,
+            gss_OID_set * oid_set
+           )
+{
+  *oid_set = malloc(sizeof(**oid_set));
+  if (*oid_set == NULL) {
+    *minor_status = ENOMEM;
+    return GSS_S_FAILURE;
+  }
+  (*oid_set)->count = 0;
+  (*oid_set)->elements = NULL;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/decapsulate.c b/crypto/heimdal/lib/gssapi/decapsulate.c
new file mode 100644
index 0000000..b0a0f1e
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/decapsulate.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: decapsulate.c,v 1.6 2000/07/29 05:48:13 assar Exp $");
+
+OM_uint32
+gssapi_krb5_verify_header(u_char **str,
+			  size_t total_len,
+			  char *type)
+{
+    size_t len, len_len, mech_len, foo;
+    int e;
+    u_char *p = *str;
+
+    if (total_len < 1)
+	return GSS_S_DEFECTIVE_TOKEN;
+    if (*p++ != 0x60)
+	return GSS_S_DEFECTIVE_TOKEN;
+    e = der_get_length (p, total_len - 1, &len, &len_len);
+    if (e || 1 + len_len + len != total_len)
+	return GSS_S_DEFECTIVE_TOKEN;
+    p += len_len;
+    if (*p++ != 0x06)
+	return GSS_S_DEFECTIVE_TOKEN;
+    e = der_get_length (p, total_len - 1 - len_len - 1,
+			&mech_len, &foo);
+    if (e)
+	return GSS_S_DEFECTIVE_TOKEN;
+    p += foo;
+    if (mech_len != GSS_KRB5_MECHANISM->length)
+	return GSS_S_BAD_MECH;
+    if (memcmp(p,
+	       GSS_KRB5_MECHANISM->elements,
+	       GSS_KRB5_MECHANISM->length) != 0)
+	return GSS_S_BAD_MECH;
+    p += mech_len;
+    if (memcmp (p, type, 2) != 0)
+	return GSS_S_DEFECTIVE_TOKEN;
+    p += 2;
+    *str = p;
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * Remove the GSS-API wrapping from `in_token' giving `out_data.
+ * Does not copy data, so just free `in_token'.
+ */
+
+OM_uint32
+gssapi_krb5_decapsulate(
+			gss_buffer_t input_token_buffer,
+			krb5_data *out_data,
+			char *type
+)
+{
+    u_char *p;
+    OM_uint32 ret;
+
+    p = input_token_buffer->value;
+    ret = gssapi_krb5_verify_header(&p,
+				    input_token_buffer->length,
+				    type);
+    if (ret)
+	return ret;
+
+    out_data->length = input_token_buffer->length -
+	(p - (u_char *)input_token_buffer->value);
+    out_data->data   = p;
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/delete_sec_context.c b/crypto/heimdal/lib/gssapi/delete_sec_context.c
new file mode 100644
index 0000000..06f44e3
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/delete_sec_context.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: delete_sec_context.c,v 1.9 2001/05/10 15:23:04 assar Exp $");
+
+OM_uint32 gss_delete_sec_context
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            gss_buffer_t output_token
+           )
+{
+  gssapi_krb5_init ();
+
+  if (output_token) {
+      output_token->length = 0;
+      output_token->value  = NULL;
+  }
+
+  krb5_auth_con_free (gssapi_krb5_context,
+		      (*context_handle)->auth_context);
+  if((*context_handle)->source)
+    krb5_free_principal (gssapi_krb5_context,
+			 (*context_handle)->source);
+  if((*context_handle)->target)
+    krb5_free_principal (gssapi_krb5_context,
+			 (*context_handle)->target);
+  if ((*context_handle)->ticket) {
+    krb5_free_ticket (gssapi_krb5_context,
+		      (*context_handle)->ticket);
+    free((*context_handle)->ticket);
+  }
+
+  free (*context_handle);
+  *context_handle = GSS_C_NO_CONTEXT;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/display_name.c b/crypto/heimdal/lib/gssapi/display_name.c
new file mode 100644
index 0000000..1c25e67
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/display_name.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: display_name.c,v 1.7 2001/05/11 09:16:46 assar Exp $");
+
+OM_uint32 gss_display_name
+           (OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t output_name_buffer,
+            gss_OID * output_name_type
+           )
+{
+  krb5_error_code kret;
+  char *buf;
+  size_t len;
+
+  gssapi_krb5_init ();
+  kret = krb5_unparse_name (gssapi_krb5_context,
+			    input_name,
+			    &buf);
+  if (kret) {
+    *minor_status = kret;
+    gssapi_krb5_set_error_string ();
+    return GSS_S_FAILURE;
+  }
+  len = strlen (buf);
+  output_name_buffer->length = len;
+  output_name_buffer->value  = malloc(len + 1);
+  if (output_name_buffer->value == NULL) {
+    free (buf);
+    *minor_status = ENOMEM;
+    return GSS_S_FAILURE;
+  }
+  memcpy (output_name_buffer->value, buf, len);
+  ((char *)output_name_buffer->value)[len] = '\0';
+  free (buf);
+  if (output_name_type)
+      *output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/display_status.c b/crypto/heimdal/lib/gssapi/display_status.c
new file mode 100644
index 0000000..1fa0531
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/display_status.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: display_status.c,v 1.6 2001/05/11 09:16:46 assar Exp $");
+
+static char *krb5_error_string;
+
+static char *
+calling_error(OM_uint32 v)
+{
+    static char *msgs[] = {
+	NULL,			/* 0 */
+	"A required input parameter could not be read.", /*  */
+	"A required output parameter could not be written.", /*  */
+	"A parameter was malformed"
+    };
+
+    v >>= GSS_C_CALLING_ERROR_OFFSET;
+
+    if (v == 0)
+	return "";
+    else if (v >= sizeof(msgs)/sizeof(*msgs))
+	return "unknown calling error";
+    else
+	return msgs[v];
+}
+
+static char *
+routine_error(OM_uint32 v)
+{
+    static char *msgs[] = {
+	NULL,			/* 0 */
+	"An unsupported mechanism was requested",
+	"An invalid name was supplied",
+	"A supplied name was of an unsupported type",
+	"Incorrect channel bindings were supplied",
+	"An invalid status code was supplied",
+	"A token had an invalid MIC",
+	"No credentials were supplied, "
+	"or the credentials were unavailable or inaccessible.",
+	"No context has been established",
+	"A token was invalid",
+	"A credential was invalid",
+	"The referenced credentials have expired",
+	"The context has expired",
+	"Miscellaneous failure (see text)",
+	"The quality-of-protection requested could not be provide",
+	"The operation is forbidden by local security policy",
+	"The operation or option is not available",
+	"The requested credential element already exists",
+	"The provided name was not a mechanism name.",
+    };
+
+    v >>= GSS_C_ROUTINE_ERROR_OFFSET;
+
+    if (v == 0)
+	return "";
+    else if (v >= sizeof(msgs)/sizeof(*msgs))
+	return "unknown routine error";
+    else
+	return msgs[v];
+}
+
+void
+gssapi_krb5_set_error_string (void)
+{
+    krb5_error_string = krb5_get_error_string(gssapi_krb5_context);
+}
+
+char *
+gssapi_krb5_get_error_string (void)
+{
+    char *ret = krb5_error_string;
+    krb5_error_string = NULL;
+    return ret;
+}
+
+OM_uint32 gss_display_status
+           (OM_uint32		*minor_status,
+	    OM_uint32		 status_value,
+	    int			 status_type,
+	    const gss_OID	 mech_type,
+	    OM_uint32		*message_context,
+	    gss_buffer_t	 status_string)
+{
+  char *buf;
+
+  gssapi_krb5_init ();
+
+  *minor_status = 0;
+
+  if (mech_type != GSS_C_NO_OID &&
+      mech_type != GSS_KRB5_MECHANISM)
+      return GSS_S_BAD_MECH;
+
+  if (status_type == GSS_C_GSS_CODE) {
+      asprintf (&buf, "%s %s",
+		calling_error(GSS_CALLING_ERROR(status_value)),
+		routine_error(GSS_ROUTINE_ERROR(status_value)));
+      if (buf == NULL) {
+	  *minor_status = ENOMEM;
+	  return GSS_S_FAILURE;
+      }
+  } else if (status_type == GSS_C_MECH_CODE) {
+      buf = gssapi_krb5_get_error_string ();
+      if (buf == NULL)
+	  buf = strdup(krb5_get_err_text (gssapi_krb5_context, status_value));
+      if (buf == NULL) {
+	  *minor_status = ENOMEM;
+	  return GSS_S_FAILURE;
+      }
+  } else
+      return GSS_S_BAD_STATUS;
+
+  *message_context = 0;
+
+  status_string->length = strlen(buf);
+  status_string->value  = buf;
+  
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/duplicate_name.c b/crypto/heimdal/lib/gssapi/duplicate_name.c
new file mode 100644
index 0000000..b0ecdf2
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/duplicate_name.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: duplicate_name.c,v 1.5 2001/05/11 09:16:46 assar Exp $");
+
+OM_uint32 gss_duplicate_name (
+            OM_uint32 * minor_status,
+            const gss_name_t src_name,
+            gss_name_t * dest_name
+           )
+{
+  krb5_error_code kret;
+
+  gssapi_krb5_init ();
+
+  kret = krb5_copy_principal (gssapi_krb5_context,
+			      src_name,
+			      dest_name);
+  if (kret) {
+    *minor_status = kret;
+    gssapi_krb5_set_error_string ();
+    return GSS_S_FAILURE;
+  } else {
+    return GSS_S_COMPLETE;
+  }
+}
diff --git a/crypto/heimdal/lib/gssapi/encapsulate.c b/crypto/heimdal/lib/gssapi/encapsulate.c
new file mode 100644
index 0000000..2732b23
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/encapsulate.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: encapsulate.c,v 1.5 2000/08/27 02:46:23 assar Exp $");
+
+void
+gssapi_krb5_encap_length (size_t data_len,
+			  size_t *len,
+			  size_t *total_len)
+{
+    size_t len_len;
+
+    *len = 1 + 1 + GSS_KRB5_MECHANISM->length + 2 + data_len;
+
+    len_len = length_len(*len);
+
+    *total_len = 1 + len_len + *len;
+}
+
+u_char *
+gssapi_krb5_make_header (u_char *p,
+			 size_t len,
+			 u_char *type)
+{
+    int e;
+    size_t len_len, foo;
+
+    *p++ = 0x60;
+    len_len = length_len(len);
+    e = der_put_length (p + len_len - 1, len_len, len, &foo);
+    if(e || foo != len_len)
+	abort ();
+    p += len_len;
+    *p++ = 0x06;
+    *p++ = GSS_KRB5_MECHANISM->length;
+    memcpy (p, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
+    p += GSS_KRB5_MECHANISM->length;
+    memcpy (p, type, 2);
+    p += 2;
+    return p;
+}
+
+/*
+ * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
+ */
+
+OM_uint32
+gssapi_krb5_encapsulate(
+			const krb5_data *in_data,
+			gss_buffer_t output_token,
+			u_char *type
+)
+{
+    size_t len, outer_len;
+    u_char *p;
+
+    gssapi_krb5_encap_length (in_data->length, &len, &outer_len);
+    
+    output_token->length = outer_len;
+    output_token->value  = malloc (outer_len);
+    if (output_token->value == NULL)
+	return GSS_S_FAILURE;
+
+    p = gssapi_krb5_make_header (output_token->value, len, type);
+    memcpy (p, in_data->data, in_data->length);
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/export_name.c b/crypto/heimdal/lib/gssapi/export_name.c
new file mode 100644
index 0000000..efbd9c4
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/export_name.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: export_name.c,v 1.4 1999/12/02 17:05:03 joda Exp $");
+
+OM_uint32 gss_export_name
+           (OM_uint32  * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t exported_name
+           )
+{
+  return gss_display_name(minor_status,
+        input_name,
+        exported_name,
+        NULL);
+}
diff --git a/crypto/heimdal/lib/gssapi/export_sec_context.c b/crypto/heimdal/lib/gssapi/export_sec_context.c
new file mode 100644
index 0000000..30c5a11
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/export_sec_context.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: export_sec_context.c,v 1.4 2001/02/18 03:39:09 assar Exp $");
+
+OM_uint32
+gss_export_sec_context (
+    OM_uint32 * minor_status,
+    gss_ctx_id_t * context_handle,
+    gss_buffer_t interprocess_token
+    )
+{
+    krb5_storage *sp;
+    krb5_auth_context ac;
+    OM_uint32 ret = GSS_S_COMPLETE;
+    krb5_data data;
+    gss_buffer_desc buffer;
+    int flags;
+    OM_uint32 minor;
+    krb5_error_code kret;
+
+    gssapi_krb5_init ();
+    if (!((*context_handle)->flags & GSS_C_TRANS_FLAG))
+	return GSS_S_UNAVAILABLE;
+
+    sp = krb5_storage_emem ();
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    ac = (*context_handle)->auth_context;
+
+    /* flagging included fields */
+
+    flags = 0;
+    if (ac->local_address)
+	flags |= SC_LOCAL_ADDRESS;
+    if (ac->remote_address)
+	flags |= SC_REMOTE_ADDRESS;
+    if (ac->keyblock)
+	flags |= SC_KEYBLOCK;
+    if (ac->local_subkey)
+	flags |= SC_LOCAL_SUBKEY;
+    if (ac->remote_subkey)
+	flags |= SC_REMOTE_SUBKEY;
+
+    kret = krb5_store_int32 (sp, flags);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    /* marshall auth context */
+
+    kret = krb5_store_int32 (sp, ac->flags);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    if (ac->local_address) {
+	kret = krb5_store_address (sp, *ac->local_address);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+    if (ac->remote_address) {
+	kret = krb5_store_address (sp, *ac->remote_address);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+    kret = krb5_store_int16 (sp, ac->local_port);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    kret = krb5_store_int16 (sp, ac->remote_port);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    if (ac->keyblock) {
+	kret = krb5_store_keyblock (sp, *ac->keyblock);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+    if (ac->local_subkey) {
+	kret = krb5_store_keyblock (sp, *ac->local_subkey);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+    if (ac->remote_subkey) {
+	kret = krb5_store_keyblock (sp, *ac->remote_subkey);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+    kret = krb5_store_int32 (sp, ac->local_seqnumber);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    kret = krb5_store_int32 (sp, ac->remote_seqnumber);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+
+#if 0
+    {
+	size_t sz;
+	unsigned char auth_buf[1024];
+
+	ret = encode_Authenticator (auth_buf, sizeof(auth_buf),
+				    ac->authenticator, &sz);
+	if (ret) {
+	    krb5_storage_free (sp);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+	data.data   = auth_buf;
+	data.length = sz;
+	kret = krb5_store_data (sp, data);
+	if (kret) {
+	    *minor_status = kret;
+	    goto failure;
+	}
+    }
+#endif
+    kret = krb5_store_int32 (sp, ac->keytype);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    kret = krb5_store_int32 (sp, ac->cksumtype);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    /* names */
+
+    ret = gss_export_name (minor_status, (*context_handle)->source, &buffer);
+    if (ret)
+	goto failure;
+    data.data   = buffer.value;
+    data.length = buffer.length;
+    kret = krb5_store_data (sp, data);
+    gss_release_buffer (&minor, &buffer);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    ret = gss_export_name (minor_status, (*context_handle)->target, &buffer);
+    if (ret)
+	goto failure;
+    data.data   = buffer.value;
+    data.length = buffer.length;
+    kret = krb5_store_data (sp, data);
+    gss_release_buffer (&minor, &buffer);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    kret = krb5_store_int32 (sp, (*context_handle)->flags);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+    kret = krb5_store_int32 (sp, (*context_handle)->more_flags);
+    if (kret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    kret = krb5_storage_to_data (sp, &data);
+    krb5_storage_free (sp);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+    interprocess_token->length = data.length;
+    interprocess_token->value  = data.data;
+    ret = gss_delete_sec_context (minor_status, context_handle,
+				  GSS_C_NO_BUFFER);
+    if (ret != GSS_S_COMPLETE)
+	gss_release_buffer (NULL, interprocess_token);
+    return ret;
+ failure:
+    krb5_storage_free (sp);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/external.c b/crypto/heimdal/lib/gssapi/external.c
new file mode 100644
index 0000000..dca35ea
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/external.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: external.c,v 1.5 2000/07/22 03:45:28 assar Exp $");
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x01"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_user_name_oid_desc =
+{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ "\x01\x02\x01\x01"};
+
+gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc =
+{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ "\x01\x02\x01\x02"};
+
+gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x03"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_string_uid_name_oid_desc =
+{10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ "\x01\x02\x01\x03"};
+
+gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)).  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc.  This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
+ */
+
+static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc =
+{6, (void *)"\x2b\x06\x01\x05\x06\x02"};
+
+gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x04"}, corresponding to an
+ * object-identifier value of {iso(1) member-body(2)
+ * Unites States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}.  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+ * to point to that gss_OID_desc.
+ */
+static gss_OID_desc gss_c_nt_hostbased_service_oid_desc =
+{10, (void *)"\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04"};
+
+gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+ * corresponding to an object identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+ * and GSS_C_NT_ANONYMOUS should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_anonymous_oid_desc =
+{6, (void *)"\x2b\x06\01\x05\x06\x03"};
+
+gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+ * GSS_C_NT_EXPORT_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+static gss_OID_desc gss_c_nt_export_name_oid_desc =
+{6, (void *)"\x2b\x06\x01\x05\x06\x04"};
+
+gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
+ *   is "GSS_KRB5_NT_PRINCIPAL_NAME".
+ */
+
+static gss_OID_desc gss_krb5_nt_principal_name_oid_desc =
+{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"};
+
+gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   generic(1) user_name(1)}.  The recommended symbolic name for this
+ *   type is "GSS_KRB5_NT_USER_NAME".
+ */
+
+gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   generic(1) machine_uid_name(2)}.  The recommended symbolic name for
+ *   this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
+ */
+
+gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
+
+/*
+ *   This name form shall be represented by the Object Identifier {iso(1)
+ *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ *   generic(1) string_uid_name(3)}.  The recommended symbolic name for
+ *   this type is "GSS_KRB5_NT_STRING_UID_NAME".
+ */
+
+gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
+
+/*
+ *   To support ongoing experimentation, testing, and evolution of the
+ *   specification, the Kerberos V5 GSS-API mechanism as defined in this
+ *   and any successor memos will be identified with the following Object
+ *   Identifier, as defined in RFC-1510, until the specification is
+ *   advanced to the level of Proposed Standard RFC:
+ *
+ *   {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)}
+ *
+ *   Upon advancement to the level of Proposed Standard RFC, the Kerberos
+ *   V5 GSS-API mechanism will be identified by an Object Identifier
+ *   having the value:
+ *
+ *   {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
+ *   gssapi(2) krb5(2)}
+ */
+
+#if 0 /* This is the old OID */
+
+static gss_OID_desc gss_krb5_mechanism_oid_desc =
+{5, (void *)"\x2b\x05\x01\x05\x02"};
+
+#endif
+
+static gss_OID_desc gss_krb5_mechanism_oid_desc =
+{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+
+gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
+
+/*
+ * Context for krb5 calls.
+ */
+
+krb5_context gssapi_krb5_context;
diff --git a/crypto/heimdal/lib/gssapi/get_mic.c b/crypto/heimdal/lib/gssapi/get_mic.c
new file mode 100644
index 0000000..751f56c
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/get_mic.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: get_mic.c,v 1.17 2001/05/11 09:16:46 assar Exp $");
+
+static OM_uint32
+mic_des
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  MD5_CTX md5;
+  u_char hash[16];
+  des_key_schedule schedule;
+  des_cblock deskey;
+  des_cblock zero;
+  int32_t seq_number;
+  size_t len, total_len;
+
+  gssapi_krb5_encap_length (22, &len, &total_len);
+
+  message_token->length = total_len;
+  message_token->value  = malloc (total_len);
+  if (message_token->value == NULL) {
+    *minor_status = ENOMEM;
+    return GSS_S_FAILURE;
+  }
+
+  p = gssapi_krb5_make_header(message_token->value,
+			      len,
+			      "\x01\x01"); /* TOK_ID */
+
+  memcpy (p, "\x00\x00", 2);	/* SGN_ALG = DES MAC MD5 */
+  p += 2;
+
+  memcpy (p, "\xff\xff\xff\xff", 4); /* Filler */
+  p += 4;
+
+  /* Fill in later (SND-SEQ) */
+  memset (p, 0, 16);
+  p += 16;
+
+  /* checksum */
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, message_buffer->value, message_buffer->length);
+  MD5_Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+  des_set_key (&deskey, schedule);
+  des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
+		 schedule, &zero);
+  memcpy (p - 8, hash, 8);	/* SGN_CKSUM */
+
+  /* sequence number */
+  krb5_auth_getlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       &seq_number);
+
+  p -= 16;			/* SND_SEQ */
+  p[0] = (seq_number >> 0)  & 0xFF;
+  p[1] = (seq_number >> 8)  & 0xFF;
+  p[2] = (seq_number >> 16) & 0xFF;
+  p[3] = (seq_number >> 24) & 0xFF;
+  memset (p + 4,
+	  (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+  des_set_key (&deskey, schedule);
+  des_cbc_encrypt ((void *)p, (void *)p, 8,
+		   schedule, (des_cblock *)(p + 8), DES_ENCRYPT);
+
+  krb5_auth_setlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       ++seq_number);
+  
+  memset (deskey, 0, sizeof(deskey));
+  memset (schedule, 0, sizeof(schedule));
+  
+  return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+mic_des3
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  Checksum cksum;
+  u_char seq[8];
+
+  int32_t seq_number;
+  size_t len, total_len;
+
+  krb5_crypto crypto;
+  krb5_error_code kret;
+  krb5_data encdata;
+  char *tmp;
+
+  gssapi_krb5_encap_length (36, &len, &total_len);
+
+  message_token->length = total_len;
+  message_token->value  = malloc (total_len);
+  if (message_token->value == NULL) {
+      *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+  }
+
+  p = gssapi_krb5_make_header(message_token->value,
+			      len,
+			      "\x01\x01"); /* TOK-ID */
+
+  memcpy (p, "\x04\x00", 2);	/* SGN_ALG = HMAC SHA1 DES3-KD */
+  p += 2;
+
+  memcpy (p, "\xff\xff\xff\xff", 4); /* filler */
+  p += 4;
+
+  /* this should be done in parts */
+
+  tmp = malloc (message_buffer->length + 8);
+  if (tmp == NULL) {
+      free (message_token->value);
+      *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+  }
+  memcpy (tmp, p - 8, 8);
+  memcpy (tmp + 8, message_buffer->value, message_buffer->length);
+
+  kret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
+  if (kret) {
+      free (message_token->value);
+      free (tmp);
+      gssapi_krb5_set_error_string ();
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+
+  kret = krb5_create_checksum (gssapi_krb5_context,
+			       crypto,
+			       KRB5_KU_USAGE_SIGN,
+			       0,
+			       tmp,
+			       message_buffer->length + 8,
+			       &cksum);
+  free (tmp);
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (kret) {
+      free (message_token->value);
+      gssapi_krb5_set_error_string ();
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+
+  memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
+
+  /* sequence number */
+  krb5_auth_getlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       &seq_number);
+
+  seq[0] = (seq_number >> 0)  & 0xFF;
+  seq[1] = (seq_number >> 8)  & 0xFF;
+  seq[2] = (seq_number >> 16) & 0xFF;
+  seq[3] = (seq_number >> 24) & 0xFF;
+  memset (seq + 4,
+	  (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+  kret = krb5_crypto_init(gssapi_krb5_context, key,
+			  ETYPE_DES3_CBC_NONE, &crypto);
+  if (kret) {
+      free (message_token->value);
+      gssapi_krb5_set_error_string ();
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+
+  kret = krb5_encrypt (gssapi_krb5_context,
+		       crypto,
+		       KRB5_KU_USAGE_SEQ,
+		       seq, 8, &encdata);
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (kret) {
+      free (message_token->value);
+      gssapi_krb5_set_error_string ();
+      *minor_status = kret;
+      return GSS_S_FAILURE;
+  }
+  
+  assert (encdata.length == 8);
+
+  memcpy (p, encdata.data, encdata.length);
+  krb5_data_free (&encdata);
+
+  p += 8 + cksum.checksum.length;
+
+  memcpy (p, message_buffer->value, message_buffer->length);
+
+  krb5_auth_setlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       ++seq_number);
+  
+  free_Checksum (&cksum);
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32 gss_get_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           )
+{
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+
+  ret = gss_krb5_getsomekey(context_handle, &key);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = mic_des (minor_status, context_handle, qop_req,
+		     message_buffer, message_token, key);
+      break;
+  case KEYTYPE_DES3 :
+      ret = mic_des3 (minor_status, context_handle, qop_req,
+		      message_buffer, message_token, key);
+      break;
+  default :
+      *minor_status = KRB5_PROG_ETYPE_NOSUPP;
+      ret = GSS_S_FAILURE;
+      break;
+  }
+  krb5_free_keyblock (gssapi_krb5_context, key);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/gssapi.h b/crypto/heimdal/lib/gssapi/gssapi.h
new file mode 100644
index 0000000..82d4056
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gssapi.h
@@ -0,0 +1,773 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gssapi.h,v 1.21 2001/05/04 13:52:02 assar Exp $ */
+
+#ifndef GSSAPI_H_
+#define GSSAPI_H_
+
+/*
+ * First, include stddef.h to get size_t defined.
+ */
+#include <stddef.h>
+
+#include <krb5-types.h>
+
+/*
+ * Now define the three implementation-dependent types.
+ */
+
+typedef u_int32_t OM_uint32;
+
+typedef u_int32_t gss_uint32;
+
+/*
+ * This is to avoid having to include <krb5.h>
+ */
+
+struct krb5_auth_context_data;
+
+struct Principal;
+
+/* typedef void *gss_name_t; */
+
+typedef struct Principal *gss_name_t;
+
+typedef struct gss_ctx_id_t_desc_struct {
+  struct krb5_auth_context_data *auth_context;
+  gss_name_t source, target;
+  OM_uint32 flags;
+  enum { LOCAL = 1, OPEN = 2} more_flags;
+  struct krb5_ticket *ticket;
+} gss_ctx_id_t_desc;
+
+typedef gss_ctx_id_t_desc *gss_ctx_id_t;
+
+typedef struct gss_OID_desc_struct {
+      OM_uint32 length;
+      void      *elements;
+} gss_OID_desc, *gss_OID;
+
+typedef struct gss_OID_set_desc_struct  {
+      size_t     count;
+      gss_OID    elements;
+} gss_OID_set_desc, *gss_OID_set;
+
+struct krb5_keytab_data;
+
+struct krb5_ccache_data;
+
+typedef int gss_cred_usage_t;
+
+typedef struct gss_cred_id_t_desc_struct {
+  gss_name_t principal;
+  struct krb5_keytab_data *keytab;
+  OM_uint32 lifetime;
+  gss_cred_usage_t usage;
+  gss_OID_set mechanisms;
+  struct krb5_ccache_data *ccache;
+} gss_cred_id_t_desc;
+
+typedef gss_cred_id_t_desc *gss_cred_id_t;
+
+typedef struct gss_buffer_desc_struct {
+      size_t length;
+      void *value;
+} gss_buffer_desc, *gss_buffer_t;
+
+typedef struct gss_channel_bindings_struct {
+      OM_uint32 initiator_addrtype;
+      gss_buffer_desc initiator_address;
+      OM_uint32 acceptor_addrtype;
+      gss_buffer_desc acceptor_address;
+      gss_buffer_desc application_data;
+} *gss_channel_bindings_t;
+
+/*
+ * For now, define a QOP-type as an OM_uint32
+ */
+typedef OM_uint32 gss_qop_t;
+
+/*
+ * Flag bits for context-level services.
+ */
+#define GSS_C_DELEG_FLAG 1
+#define GSS_C_MUTUAL_FLAG 2
+#define GSS_C_REPLAY_FLAG 4
+#define GSS_C_SEQUENCE_FLAG 8
+#define GSS_C_CONF_FLAG 16
+#define GSS_C_INTEG_FLAG 32
+#define GSS_C_ANON_FLAG 64
+#define GSS_C_PROT_READY_FLAG 128
+#define GSS_C_TRANS_FLAG 256
+
+/*
+ * Credential usage options
+ */
+#define GSS_C_BOTH 0
+#define GSS_C_INITIATE 1
+#define GSS_C_ACCEPT 2
+
+/*
+ * Status code types for gss_display_status
+ */
+#define GSS_C_GSS_CODE 1
+#define GSS_C_MECH_CODE 2
+
+/*
+ * The constant definitions for channel-bindings address families
+ */
+#define GSS_C_AF_UNSPEC     0
+#define GSS_C_AF_LOCAL      1
+#define GSS_C_AF_INET       2
+#define GSS_C_AF_IMPLINK    3
+#define GSS_C_AF_PUP        4
+#define GSS_C_AF_CHAOS      5
+#define GSS_C_AF_NS         6
+#define GSS_C_AF_NBS        7
+#define GSS_C_AF_ECMA       8
+#define GSS_C_AF_DATAKIT    9
+#define GSS_C_AF_CCITT      10
+#define GSS_C_AF_SNA        11
+#define GSS_C_AF_DECnet     12
+#define GSS_C_AF_DLI        13
+#define GSS_C_AF_LAT        14
+#define GSS_C_AF_HYLINK     15
+#define GSS_C_AF_APPLETALK  16
+#define GSS_C_AF_BSC        17
+#define GSS_C_AF_DSS        18
+#define GSS_C_AF_OSI        19
+#define GSS_C_AF_X25        21
+#define GSS_C_AF_INET6	    24
+
+#define GSS_C_AF_NULLADDR   255
+
+/*
+ * Various Null values
+ */
+#define GSS_C_NO_NAME ((gss_name_t) 0)
+#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
+#define GSS_C_NO_OID ((gss_OID) 0)
+#define GSS_C_NO_OID_SET ((gss_OID_set) 0)
+#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
+#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
+#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
+#define GSS_C_EMPTY_BUFFER {0, NULL}
+
+/*
+ * Some alternate names for a couple of the above
+ * values.  These are defined for V1 compatibility.
+ */
+#define GSS_C_NULL_OID GSS_C_NO_OID
+#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
+
+/*
+ * Define the default Quality of Protection for per-message
+ * services.  Note that an implementation that offers multiple
+ * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
+ * (as done here) to mean "default protection", or to a specific
+ * explicit QOP value.  However, a value of 0 should always be
+ * interpreted by a GSSAPI implementation as a request for the
+ * default protection level.
+ */
+#define GSS_C_QOP_DEFAULT 0
+
+#define GSS_KRB5_CONF_C_QOP_DES		0x0100
+#define GSS_KRB5_CONF_C_QOP_DES3_KD	0x0200
+
+/*
+ * Expiration time of 2^32-1 seconds means infinite lifetime for a
+ * credential or security context
+ */
+#define GSS_C_INDEFINITE 0xfffffffful
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x01"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) user_name(1)}.  The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_USER_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x03"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ *  infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_STRING_UID_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)).  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc.  This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
+ */
+extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ *              "\x01\x02\x01\x04"}, corresponding to an
+ * object-identifier value of {iso(1) member-body(2)
+ * Unites States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}.  The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+ * to point to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+ * corresponding to an object identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name)}.  The constant
+ * and GSS_C_NT_ANONYMOUS should be initialized to point
+ * to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_ANONYMOUS;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 4(gss-api-exported-name)}.  The constant
+ * GSS_C_NT_EXPORT_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+extern gss_OID GSS_C_NT_EXPORT_NAME;
+
+/*
+ * This if for kerberos5 names.
+ */
+
+extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
+extern gss_OID GSS_KRB5_NT_USER_NAME;
+extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
+extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
+
+extern gss_OID GSS_KRB5_MECHANISM;
+
+/* for compatibility with MIT api */
+
+#define gss_mech_krb5 GSS_KRB5_MECHANISM
+
+/* Major status codes */
+
+#define GSS_S_COMPLETE 0
+
+/*
+ * Some "helper" definitions to make the status code macros obvious.
+ */
+#define GSS_C_CALLING_ERROR_OFFSET 24
+#define GSS_C_ROUTINE_ERROR_OFFSET 16
+#define GSS_C_SUPPLEMENTARY_OFFSET 0
+#define GSS_C_CALLING_ERROR_MASK 0377ul
+#define GSS_C_ROUTINE_ERROR_MASK 0377ul
+#define GSS_C_SUPPLEMENTARY_MASK 0177777ul
+
+/*
+ * The macros that test status codes for error conditions.
+ * Note that the GSS_ERROR() macro has changed slightly from
+ * the V1 GSSAPI so that it now evaluates its argument
+ * only once.
+ */
+#define GSS_CALLING_ERROR(x) \
+  (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
+#define GSS_ROUTINE_ERROR(x) \
+  (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
+#define GSS_SUPPLEMENTARY_INFO(x) \
+  (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
+#define GSS_ERROR(x) \
+  (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
+        (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
+
+/*
+ * Now the actual status code definitions
+ */
+
+/*
+ * Calling errors:
+ */
+#define GSS_S_CALL_INACCESSIBLE_READ \
+                             (1ul << GSS_C_CALLING_ERROR_OFFSET)
+#define GSS_S_CALL_INACCESSIBLE_WRITE \
+                             (2ul << GSS_C_CALLING_ERROR_OFFSET)
+#define GSS_S_CALL_BAD_STRUCTURE \
+                             (3ul << GSS_C_CALLING_ERROR_OFFSET)
+
+/*
+ * Routine errors:
+ */
+#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_MIC GSS_S_BAD_SIG
+#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+/*
+ * Supplementary info bits:
+ */
+#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
+
+/*
+ * From RFC1964:
+ *
+ * 4.1.1. Non-Kerberos-specific codes
+ */
+
+#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1
+           /* "No @ in SERVICE-NAME name string" */
+#define GSS_KRB5_S_G_BAD_STRING_UID 2
+           /* "STRING-UID-NAME contains nondigits" */
+#define GSS_KRB5_S_G_NOUSER 3
+           /* "UID does not resolve to username" */
+#define GSS_KRB5_S_G_VALIDATE_FAILED 4
+           /* "Validation error" */
+#define GSS_KRB5_S_G_BUFFER_ALLOC 5
+           /* "Couldn't allocate gss_buffer_t data" */
+#define GSS_KRB5_S_G_BAD_MSG_CTX 6
+           /* "Message context invalid" */
+#define GSS_KRB5_S_G_WRONG_SIZE 7
+           /* "Buffer is the wrong size" */
+#define GSS_KRB5_S_G_BAD_USAGE 8
+           /* "Credential usage type is unknown" */
+#define GSS_KRB5_S_G_UNKNOWN_QOP 9
+           /* "Unknown quality of protection specified" */
+
+  /*
+   * 4.1.2. Kerberos-specific-codes
+   */
+
+#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10
+           /* "Principal in credential cache does not match desired name" */
+#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11
+           /* "No principal in keytab matches desired name" */
+#define GSS_KRB5_S_KG_TGT_MISSING 12
+           /* "Credential cache has no TGT" */
+#define GSS_KRB5_S_KG_NO_SUBKEY 13
+           /* "Authenticator has no subkey" */
+#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14
+           /* "Context is already fully established" */
+#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15
+           /* "Unknown signature type in token" */
+#define GSS_KRB5_S_KG_BAD_LENGTH 16
+           /* "Invalid field length in token" */
+#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17
+           /* "Attempt to use incomplete security context" */
+
+/*
+ * Finally, function prototypes for the GSS-API routines.
+ */
+
+OM_uint32 gss_acquire_cred
+           (OM_uint32 * minor_status,
+            const gss_name_t desired_name,
+            OM_uint32 time_req,
+            const gss_OID_set desired_mechs,
+            gss_cred_usage_t cred_usage,
+            gss_cred_id_t * output_cred_handle,
+            gss_OID_set * actual_mechs,
+            OM_uint32 * time_rec
+           );
+
+OM_uint32 gss_release_cred
+           (OM_uint32 * minor_status,
+            gss_cred_id_t * cred_handle
+           );
+
+OM_uint32 gss_init_sec_context
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t initiator_cred_handle,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+           );
+
+OM_uint32 gss_accept_sec_context
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            const gss_cred_id_t acceptor_cred_handle,
+            const gss_buffer_t input_token_buffer,
+            const gss_channel_bindings_t input_chan_bindings,
+            gss_name_t * src_name,
+            gss_OID * mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec,
+            gss_cred_id_t * delegated_cred_handle
+           );
+
+OM_uint32 gss_process_context_token
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t token_buffer
+           );
+
+OM_uint32 gss_delete_sec_context
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            gss_buffer_t output_token
+           );
+
+OM_uint32 gss_context_time
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            OM_uint32 * time_rec
+           );
+
+OM_uint32 gss_get_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_qop_t qop_req,
+            const gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           );
+
+OM_uint32 gss_verify_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state
+           );
+
+OM_uint32 gss_wrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           );
+
+OM_uint32 gss_unwrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state
+           );
+
+OM_uint32 gss_display_status
+           (OM_uint32 * minor_status,
+            OM_uint32 status_value,
+            int status_type,
+            const gss_OID mech_type,
+            OM_uint32 * message_context,
+            gss_buffer_t status_string
+           );
+
+OM_uint32 gss_indicate_mechs
+           (OM_uint32 * minor_status,
+            gss_OID_set * mech_set
+           );
+
+OM_uint32 gss_compare_name
+           (OM_uint32 * minor_status,
+            const gss_name_t name1,
+            const gss_name_t name2,
+            int * name_equal
+           );
+
+OM_uint32 gss_display_name
+           (OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t output_name_buffer,
+            gss_OID * output_name_type
+           );
+
+OM_uint32 gss_import_name
+           (OM_uint32 * minor_status,
+            const gss_buffer_t input_name_buffer,
+            const gss_OID input_name_type,
+            gss_name_t * output_name
+           );
+
+OM_uint32 gss_export_name
+           (OM_uint32  * minor_status,
+            const gss_name_t input_name,
+            gss_buffer_t exported_name
+           );
+
+OM_uint32 gss_release_name
+           (OM_uint32 * minor_status,
+            gss_name_t * input_name
+           );
+
+OM_uint32 gss_release_buffer
+           (OM_uint32 * minor_status,
+            gss_buffer_t buffer
+           );
+
+OM_uint32 gss_release_oid_set
+           (OM_uint32 * minor_status,
+            gss_OID_set * set
+           );
+
+OM_uint32 gss_inquire_cred
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            gss_name_t * name,
+            OM_uint32 * lifetime,
+            gss_cred_usage_t * cred_usage,
+            gss_OID_set * mechanisms
+           );
+
+OM_uint32 gss_inquire_context (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_name_t * src_name,
+            gss_name_t * targ_name,
+            OM_uint32 * lifetime_rec,
+            gss_OID * mech_type,
+            OM_uint32 * ctx_flags,
+            int * locally_initiated,
+            int * open
+           );
+
+OM_uint32 gss_wrap_size_limit (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            OM_uint32 req_output_size,
+            OM_uint32 * max_input_size
+           );
+
+OM_uint32 gss_add_cred (
+            OM_uint32 * minor_status,
+            const gss_cred_id_t input_cred_handle,
+            const gss_name_t desired_name,
+            const gss_OID desired_mech,
+            gss_cred_usage_t cred_usage,
+            OM_uint32 initiator_time_req,
+            OM_uint32 acceptor_time_req,
+            gss_cred_id_t * output_cred_handle,
+            gss_OID_set * actual_mechs,
+            OM_uint32 * initiator_time_rec,
+            OM_uint32 * acceptor_time_rec
+           );
+
+OM_uint32 gss_inquire_cred_by_mech (
+            OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            const gss_OID mech_type,
+            gss_name_t * name,
+            OM_uint32 * initiator_lifetime,
+            OM_uint32 * acceptor_lifetime,
+            gss_cred_usage_t * cred_usage
+           );
+
+OM_uint32 gss_export_sec_context (
+            OM_uint32 * minor_status,
+            gss_ctx_id_t * context_handle,
+            gss_buffer_t interprocess_token
+           );
+
+OM_uint32 gss_import_sec_context (
+            OM_uint32 * minor_status,
+            const gss_buffer_t interprocess_token,
+            gss_ctx_id_t * context_handle
+           );
+
+OM_uint32 gss_create_empty_oid_set (
+            OM_uint32 * minor_status,
+            gss_OID_set * oid_set
+           );
+
+OM_uint32 gss_add_oid_set_member (
+            OM_uint32 * minor_status,
+            const gss_OID member_oid,
+            gss_OID_set * oid_set
+           );
+
+OM_uint32 gss_test_oid_set_member (
+            OM_uint32 * minor_status,
+            const gss_OID member,
+            const gss_OID_set set,
+            int * present
+           );
+
+OM_uint32 gss_inquire_names_for_mech (
+            OM_uint32 * minor_status,
+            const gss_OID mechanism,
+            gss_OID_set * name_types
+           );
+
+OM_uint32 gss_inquire_mechs_for_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            gss_OID_set * mech_types
+           );
+
+OM_uint32 gss_canonicalize_name (
+            OM_uint32 * minor_status,
+            const gss_name_t input_name,
+            const gss_OID mech_type,
+            gss_name_t * output_name
+           );
+
+OM_uint32 gss_duplicate_name (
+            OM_uint32 * minor_status,
+            const gss_name_t src_name,
+            gss_name_t * dest_name
+           );
+
+/*
+ * The following routines are obsolete variants of gss_get_mic,
+ * gss_verify_mic, gss_wrap and gss_unwrap.  They should be
+ * provided by GSSAPI V2 implementations for backwards
+ * compatibility with V1 applications.  Distinct entrypoints
+ * (as opposed to #defines) should be provided, both to allow
+ * GSSAPI V1 applications to link against GSSAPI V2 implementations,
+ * and to retain the slight parameter type differences between the
+ * obsolete versions of these routines and their current forms.
+ */
+
+OM_uint32 gss_sign
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int qop_req,
+            gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           );
+
+OM_uint32 gss_verify
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t message_buffer,
+            gss_buffer_t token_buffer,
+            int * qop_state
+           );
+
+OM_uint32 gss_seal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            int qop_req,
+            gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           );
+
+OM_uint32 gss_unseal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            int * qop_state
+           );
+
+/*
+ * kerberos mechanism specific functions
+ */
+
+OM_uint32 gsskrb5_register_acceptor_identity
+        (char *identity);
+
+OM_uint32 gss_krb5_copy_ccache
+	(OM_uint32 *minor,
+	 gss_cred_id_t cred,
+	 struct krb5_ccache_data *out);
+
+#endif /* GSSAPI_H_ */
diff --git a/crypto/heimdal/lib/gssapi/gssapi_locl.h b/crypto/heimdal/lib/gssapi/gssapi_locl.h
new file mode 100644
index 0000000..e7450d4
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/gssapi_locl.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: gssapi_locl.h,v 1.16 2001/05/11 09:16:46 assar Exp $ */
+
+#ifndef GSSAPI_LOCL_H
+#define GSSAPI_LOCL_H
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <krb5_locl.h>
+#include <gssapi.h>
+#include <assert.h>
+
+extern krb5_context gssapi_krb5_context;
+
+void gssapi_krb5_init (void);
+
+krb5_error_code
+gssapi_krb5_create_8003_checksum (
+		      const gss_channel_bindings_t input_chan_bindings,
+		      OM_uint32 flags,
+                      krb5_data *fwd_data,
+		      Checksum *result);
+
+krb5_error_code
+gssapi_krb5_verify_8003_checksum (
+		      const gss_channel_bindings_t input_chan_bindings,
+		      Checksum *cksum,
+		      OM_uint32 *flags,
+                      krb5_data *fwd_data);
+
+OM_uint32
+gssapi_krb5_encapsulate(
+			const krb5_data *in_data,
+			gss_buffer_t output_token,
+			u_char *type);
+
+OM_uint32
+gssapi_krb5_decapsulate(
+			gss_buffer_t input_token_buffer,
+			krb5_data *out_data,
+			char *type);
+
+void
+gssapi_krb5_encap_length (size_t data_len,
+			  size_t *len,
+			  size_t *total_len);
+
+u_char *
+gssapi_krb5_make_header (u_char *p,
+			 size_t len,
+			 u_char *type);
+
+OM_uint32
+gssapi_krb5_verify_header(u_char **str,
+			  size_t total_len,
+			  char *type);
+
+OM_uint32
+gss_krb5_getsomekey(const gss_ctx_id_t context_handle,
+		    krb5_keyblock **key);
+
+krb5_error_code
+gss_address_to_krb5addr(OM_uint32 gss_addr_type,
+                        gss_buffer_desc *gss_addr,
+                        int16_t port,
+                        krb5_address *address);
+
+/* sec_context flags */
+
+#define SC_LOCAL_ADDRESS  0x01
+#define SC_REMOTE_ADDRESS 0x02
+#define SC_KEYBLOCK	  0x04
+#define SC_LOCAL_SUBKEY	  0x08
+#define SC_REMOTE_SUBKEY  0x10
+
+void
+gssapi_krb5_set_error_string (void);
+
+char *
+gssapi_krb5_get_error_string (void);
+
+#endif
diff --git a/crypto/heimdal/lib/gssapi/import_name.c b/crypto/heimdal/lib/gssapi/import_name.c
new file mode 100644
index 0000000..8ed55f1
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/import_name.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: import_name.c,v 1.10 2001/05/11 09:16:46 assar Exp $");
+
+static OM_uint32
+import_krb5_name (OM_uint32 *minor_status,
+		  const gss_buffer_t input_name_buffer,
+		  gss_name_t *output_name)
+{
+    krb5_error_code kerr;
+    char *tmp;
+
+    tmp = malloc (input_name_buffer->length + 1);
+    if (tmp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    memcpy (tmp,
+	    input_name_buffer->value,
+	    input_name_buffer->length);
+    tmp[input_name_buffer->length] = '\0';
+
+    kerr = krb5_parse_name (gssapi_krb5_context,
+			    tmp,
+			    output_name);
+    free (tmp);
+    if (kerr == 0)
+	return GSS_S_COMPLETE;
+    else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kerr;
+	return GSS_S_BAD_NAME;
+    } else {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kerr;
+	return GSS_S_FAILURE;
+    }
+}
+
+static OM_uint32
+import_hostbased_name (OM_uint32 *minor_status,
+		       const gss_buffer_t input_name_buffer,
+		       gss_name_t *output_name)
+{
+    krb5_error_code kerr;
+    char *tmp;
+    char *p;
+    char *host;
+    char local_hostname[MAXHOSTNAMELEN];
+
+    tmp = malloc (input_name_buffer->length + 1);
+    if (tmp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    memcpy (tmp,
+	    input_name_buffer->value,
+	    input_name_buffer->length);
+    tmp[input_name_buffer->length] = '\0';
+
+    p = strchr (tmp, '@');
+    if (p != NULL) {
+	*p = '\0';
+	host = p + 1;
+    } else {
+	if (gethostname(local_hostname, sizeof(local_hostname)) < 0) {
+	    *minor_status = errno;
+	    free (tmp);
+	    return GSS_S_FAILURE;
+	}
+	host = local_hostname;
+    }
+
+    kerr = krb5_sname_to_principal (gssapi_krb5_context,
+				    host,
+				    tmp,
+				    KRB5_NT_SRV_HST,
+				    output_name);
+    free (tmp);
+    *minor_status = kerr;
+    if (kerr == 0)
+	return GSS_S_COMPLETE;
+    else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kerr;
+	return GSS_S_BAD_NAME;
+    } else {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kerr;
+	return GSS_S_FAILURE;
+    }
+}
+
+OM_uint32 gss_import_name
+           (OM_uint32 * minor_status,
+            const gss_buffer_t input_name_buffer,
+            const gss_OID input_name_type,
+            gss_name_t * output_name
+           )
+{
+    gssapi_krb5_init ();
+
+    if (input_name_type == GSS_C_NT_HOSTBASED_SERVICE)
+	return import_hostbased_name (minor_status,
+				      input_name_buffer,
+				      output_name);
+    else if (input_name_type == GSS_C_NO_OID
+	     || input_name_type == GSS_C_NT_USER_NAME
+	     || input_name_type == GSS_KRB5_NT_PRINCIPAL_NAME)
+ 	/* default printable syntax */
+	return import_krb5_name (minor_status,
+				 input_name_buffer,
+				 output_name);
+    else {
+	*minor_status = 0;
+	return GSS_S_BAD_NAMETYPE;
+    }
+}
diff --git a/crypto/heimdal/lib/gssapi/import_sec_context.c b/crypto/heimdal/lib/gssapi/import_sec_context.c
new file mode 100644
index 0000000..c84f3b6
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/import_sec_context.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: import_sec_context.c,v 1.5 2001/05/11 09:16:46 assar Exp $");
+
+OM_uint32
+gss_import_sec_context (
+    OM_uint32 * minor_status,
+    const gss_buffer_t interprocess_token,
+    gss_ctx_id_t * context_handle
+    )
+{
+    OM_uint32 ret = GSS_S_FAILURE;
+    krb5_error_code kret;
+    krb5_storage *sp;
+    krb5_auth_context ac;
+    krb5_address local, remote;
+    krb5_address *localp, *remotep;
+    krb5_data data;
+    gss_buffer_desc buffer;
+    krb5_keyblock keyblock;
+    int32_t tmp;
+    int32_t flags;
+    OM_uint32 minor;
+
+    gssapi_krb5_init ();
+
+    sp = krb5_storage_from_mem (interprocess_token->value,
+				interprocess_token->length);
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    *context_handle = malloc(sizeof(**context_handle));
+    if (*context_handle == NULL) {
+	*minor_status = ENOMEM;
+	krb5_storage_free (sp);
+	return GSS_S_FAILURE;
+    }
+    memset (*context_handle, 0, sizeof(**context_handle));
+
+    kret = krb5_auth_con_init (gssapi_krb5_context,
+			       &(*context_handle)->auth_context);
+    if (kret) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    /* flags */
+
+    krb5_ret_int32 (sp, &flags);
+
+    /* retrieve the auth context */
+
+    ac = (*context_handle)->auth_context;
+    krb5_ret_int32 (sp, &ac->flags);
+    if (flags & SC_LOCAL_ADDRESS)
+	krb5_ret_address (sp, localp = &local);
+    else
+	localp = NULL;
+    if (flags & SC_REMOTE_ADDRESS)
+	krb5_ret_address (sp, remotep  = &remote);
+    else
+	remotep = NULL;
+    krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep);
+    if (localp)
+	krb5_free_address (gssapi_krb5_context, localp);
+    if (remotep)
+	krb5_free_address (gssapi_krb5_context, remotep);
+    krb5_ret_int16 (sp, &ac->local_port);
+    krb5_ret_int16 (sp, &ac->remote_port);
+    if (flags & SC_KEYBLOCK) {
+	krb5_ret_keyblock (sp, &keyblock);
+	krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock);
+	krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
+    }
+    if (flags & SC_LOCAL_SUBKEY) {
+	krb5_ret_keyblock (sp, &keyblock);
+	krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock);
+	krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
+    }
+    if (flags & SC_REMOTE_SUBKEY) {
+	krb5_ret_keyblock (sp, &keyblock);
+	krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock);
+	krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
+    }
+    krb5_ret_int32 (sp, &ac->local_seqnumber);
+    krb5_ret_int32 (sp, &ac->remote_seqnumber);
+
+#if 0
+    {
+	    size_t sz;
+
+	    krb5_ret_data (sp, &data);
+	    ac->authenticator = malloc (sizeof (*ac->authenticator));
+	    if (ac->authenticator == NULL) {
+		*minor_status = ENOMEM;
+		ret = GSS_S_FAILURE;
+		goto failure;
+	    }
+
+	    kret = decode_Authenticator (data.data, data.length,
+					 ac->authenticator, &sz);
+	    krb5_data_free (&data);
+	    if (kret) {
+		*minor_status = kret;
+		ret = GSS_S_FAILURE;
+		goto failure;
+	    }
+    }
+#endif
+
+    krb5_ret_int32 (sp, &tmp);
+    ac->keytype = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    ac->cksumtype = tmp;
+
+    /* names */
+
+    krb5_ret_data (sp, &data);
+    buffer.value  = data.data;
+    buffer.length = data.length;
+
+    ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
+			   &(*context_handle)->source);
+    krb5_data_free (&data);
+    if (ret)
+	goto failure;
+
+    krb5_ret_data (sp, &data);
+    buffer.value  = data.data;
+    buffer.length = data.length;
+
+    ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
+			   &(*context_handle)->target);
+    krb5_data_free (&data);
+    if (ret)
+	goto failure;
+
+    krb5_ret_int32 (sp, &tmp);
+    (*context_handle)->flags = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    (*context_handle)->more_flags = tmp;
+
+    return GSS_S_COMPLETE;
+
+failure:
+    krb5_auth_con_free (gssapi_krb5_context,
+			(*context_handle)->auth_context);
+    if ((*context_handle)->source != NULL)
+	gss_release_name(&minor, &(*context_handle)->source);
+    if ((*context_handle)->target != NULL)
+	gss_release_name(&minor, &(*context_handle)->target);
+    free (*context_handle);
+    *context_handle = GSS_C_NO_CONTEXT;
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/indicate_mechs.c b/crypto/heimdal/lib/gssapi/indicate_mechs.c
new file mode 100644
index 0000000..c77d177
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/indicate_mechs.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: indicate_mechs.c,v 1.4 2001/02/18 03:39:09 assar Exp $");
+
+OM_uint32 gss_indicate_mechs
+           (OM_uint32 * minor_status,
+            gss_OID_set * mech_set
+           )
+{
+  *mech_set = malloc(sizeof(**mech_set));
+  if (*mech_set == NULL) {
+    *minor_status = ENOMEM;
+    return GSS_S_FAILURE;
+  }
+  (*mech_set)->count = 1;
+  (*mech_set)->elements = malloc((*mech_set)->count * sizeof(gss_OID_desc));
+  if ((*mech_set)->elements == NULL) {
+    free (*mech_set);
+    *minor_status = ENOMEM;
+    return GSS_S_FAILURE;
+  }
+  (*mech_set)->elements[0] = *GSS_KRB5_MECHANISM;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/init.c b/crypto/heimdal/lib/gssapi/init.c
new file mode 100644
index 0000000..6b19c46
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/init.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: init.c,v 1.5 2000/12/31 07:58:37 assar Exp $");
+
+void
+gssapi_krb5_init (void)
+{
+    krb5_error_code ret;
+
+    if(gssapi_krb5_context == NULL) {
+	ret = krb5_init_context (&gssapi_krb5_context);
+	/* and what do we do when that failed? */
+    }
+}
diff --git a/crypto/heimdal/lib/gssapi/init_sec_context.c b/crypto/heimdal/lib/gssapi/init_sec_context.c
new file mode 100644
index 0000000..3928143
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/init_sec_context.c
@@ -0,0 +1,531 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: init_sec_context.c,v 1.27 2001/05/11 09:16:46 assar Exp $");
+
+/*
+ * copy the addresses from `input_chan_bindings' (if any) to
+ * the auth context `ac'
+ */
+
+static OM_uint32
+set_addresses (krb5_auth_context ac,
+	       const gss_channel_bindings_t input_chan_bindings)	       
+{
+    /* Port numbers are expected to be in application_data.value, 
+     * initator's port first */ 
+
+    krb5_address initiator_addr, acceptor_addr;
+    krb5_error_code kret;
+       
+    if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS
+	|| input_chan_bindings->application_data.length !=
+	2 * sizeof(ac->local_port))
+	return 0;
+
+    memset(&initiator_addr, 0, sizeof(initiator_addr));
+    memset(&acceptor_addr, 0, sizeof(acceptor_addr));
+       
+    ac->local_port =
+	*(int16_t *) input_chan_bindings->application_data.value;
+       
+    ac->remote_port =
+	*((int16_t *) input_chan_bindings->application_data.value + 1);
+       
+    kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
+				   &input_chan_bindings->acceptor_address,
+				   ac->remote_port,
+				   &acceptor_addr);
+    if (kret)
+	return kret;
+           
+    kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
+				   &input_chan_bindings->initiator_address,
+				   ac->local_port,
+				   &initiator_addr);
+    if (kret) {
+	krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+	return kret;
+    }
+       
+    kret = krb5_auth_con_setaddrs(gssapi_krb5_context,
+				  ac,
+				  &initiator_addr,  /* local address */
+				  &acceptor_addr);  /* remote address */
+       
+    krb5_free_address (gssapi_krb5_context, &initiator_addr);
+    krb5_free_address (gssapi_krb5_context, &acceptor_addr);
+       
+#if 0
+    free(input_chan_bindings->application_data.value);
+    input_chan_bindings->application_data.value = NULL;
+    input_chan_bindings->application_data.length = 0;
+#endif
+
+    return kret;
+}
+
+/*
+ * handle delegated creds in init-sec-context
+ */
+
+static void
+do_delegation (krb5_auth_context ac,
+	       krb5_ccache ccache,
+	       krb5_creds *cred,
+	       const gss_name_t target_name,
+	       krb5_data *fwd_data,
+	       int *flags)
+{
+    krb5_creds creds;
+    krb5_kdc_flags fwd_flags;
+    krb5_keyblock *subkey;
+    krb5_error_code kret;
+       
+    memset (&creds, 0, sizeof(creds));
+    krb5_data_zero (fwd_data);
+       
+    kret = krb5_generate_subkey (gssapi_krb5_context, &cred->session, &subkey);
+    if (kret)
+	goto out;
+       
+    kret = krb5_auth_con_setlocalsubkey(gssapi_krb5_context, ac, subkey);
+    krb5_free_keyblock (gssapi_krb5_context, subkey);
+    if (kret)
+	goto out;
+       
+    kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &creds.client);
+    if (kret) 
+	goto out;
+       
+    kret = krb5_build_principal(gssapi_krb5_context,
+				&creds.server,
+				strlen(creds.client->realm),
+				creds.client->realm,
+				KRB5_TGS_NAME,
+				creds.client->realm,
+				NULL);
+    if (kret)
+	goto out; 
+       
+    creds.times.endtime = 0;
+       
+    fwd_flags.i = 0;
+    fwd_flags.b.forwarded = 1;
+    fwd_flags.b.forwardable = 1;
+       
+    if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/
+	target_name->name.name_string.len < 2) 
+	goto out;
+       
+    kret = krb5_get_forwarded_creds(gssapi_krb5_context,
+				    ac,
+				    ccache,
+				    fwd_flags.i,
+				    target_name->name.name_string.val[1],
+				    &creds,
+				    fwd_data);
+       
+ out:
+    if (kret)
+	*flags &= ~GSS_C_DELEG_FLAG;
+    else
+	*flags |= GSS_C_DELEG_FLAG;
+       
+    if (creds.client)
+	krb5_free_principal(gssapi_krb5_context, creds.client);
+    if (creds.server)
+	krb5_free_principal(gssapi_krb5_context, creds.server);
+}
+
+/*
+ * first stage of init-sec-context
+ */
+
+static OM_uint32
+init_auth
+(OM_uint32 * minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t * context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+    )
+{
+    OM_uint32 ret = GSS_S_FAILURE;
+    krb5_error_code kret;
+    krb5_flags ap_options;
+    krb5_creds this_cred, *cred;
+    krb5_data outbuf;
+    krb5_ccache ccache;
+    u_int32_t flags;
+    Authenticator *auth;
+    krb5_data authenticator;
+    Checksum cksum;
+    krb5_enctype enctype;
+    krb5_data fwd_data;
+
+    output_token->length = 0;
+    output_token->value  = NULL;
+
+    krb5_data_zero(&outbuf);
+    krb5_data_zero(&fwd_data);
+
+    *minor_status = 0;
+
+    *context_handle = malloc(sizeof(**context_handle));
+    if (*context_handle == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    (*context_handle)->auth_context = NULL;
+    (*context_handle)->source       = NULL;
+    (*context_handle)->target       = NULL;
+    (*context_handle)->flags        = 0;
+    (*context_handle)->more_flags   = 0;
+    (*context_handle)->ticket       = NULL;
+
+    kret = krb5_auth_con_init (gssapi_krb5_context,
+			       &(*context_handle)->auth_context);
+    if (kret) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    kret = set_addresses ((*context_handle)->auth_context,
+			  input_chan_bindings);
+    if (kret) {
+	*minor_status = kret;
+	ret = GSS_S_BAD_BINDINGS;
+	goto failure;
+    }
+       
+    {
+	int32_t tmp;
+
+	krb5_auth_con_getflags(gssapi_krb5_context,
+			       (*context_handle)->auth_context,
+			       &tmp);
+	tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE;
+	krb5_auth_con_setflags(gssapi_krb5_context,
+			       (*context_handle)->auth_context,
+			       tmp);
+    }
+
+    if (actual_mech_type)
+	*actual_mech_type = GSS_KRB5_MECHANISM;
+
+    if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
+	kret = krb5_cc_default (gssapi_krb5_context, &ccache);
+	if (kret) {
+	    gssapi_krb5_set_error_string ();
+	    *minor_status = kret;
+	    ret = GSS_S_FAILURE;
+	    goto failure;
+	}
+    } else
+	ccache = initiator_cred_handle->ccache;
+
+    kret = krb5_cc_get_principal (gssapi_krb5_context,
+				  ccache,
+				  &(*context_handle)->source);
+    if (kret) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    kret = krb5_copy_principal (gssapi_krb5_context,
+				target_name,
+				&(*context_handle)->target);
+    if (kret) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    memset(&this_cred, 0, sizeof(this_cred));
+    this_cred.client          = (*context_handle)->source;
+    this_cred.server          = (*context_handle)->target;
+    if (time_req) {
+	krb5_timestamp ts;
+
+	krb5_timeofday (gssapi_krb5_context, &ts);
+	this_cred.times.endtime = ts + time_req;
+    } else
+	this_cred.times.endtime   = 0;
+    this_cred.session.keytype = 0;
+  
+    kret = krb5_get_credentials (gssapi_krb5_context,
+				 KRB5_TC_MATCH_KEYTYPE,
+				 ccache,
+				 &this_cred,
+				 &cred);
+
+    if (kret) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    krb5_auth_con_setkey(gssapi_krb5_context, 
+			 (*context_handle)->auth_context, 
+			 &cred->session);
+  
+    flags = 0;
+    ap_options = 0;
+    if (req_flags & GSS_C_DELEG_FLAG)
+	do_delegation ((*context_handle)->auth_context,
+		       ccache, cred, target_name, &fwd_data, &flags);
+       
+    if (req_flags & GSS_C_MUTUAL_FLAG) {
+	flags |= GSS_C_MUTUAL_FLAG;
+	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
+    }
+    
+    if (req_flags & GSS_C_REPLAY_FLAG)
+	;                               /* XXX */
+    if (req_flags & GSS_C_SEQUENCE_FLAG)
+	;                               /* XXX */
+    if (req_flags & GSS_C_ANON_FLAG)
+	;                               /* XXX */
+    flags |= GSS_C_CONF_FLAG;
+    flags |= GSS_C_INTEG_FLAG;
+    flags |= GSS_C_SEQUENCE_FLAG;
+    flags |= GSS_C_TRANS_FLAG;
+    
+    if (ret_flags)
+	*ret_flags = flags;
+    (*context_handle)->flags = flags;
+    (*context_handle)->more_flags = LOCAL;
+    
+    kret = gssapi_krb5_create_8003_checksum (input_chan_bindings,
+					     flags,
+					     &fwd_data,
+					     &cksum);
+    krb5_data_free (&fwd_data);
+    if (kret) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+#if 1
+    enctype = (*context_handle)->auth_context->keyblock->keytype;
+#else
+    if ((*context_handle)->auth_context->enctype)
+	enctype = (*context_handle)->auth_context->enctype;
+    else {
+	kret = krb5_keytype_to_enctype(gssapi_krb5_context,
+				       (*context_handle)->auth_context->keyblock->keytype,
+				       &enctype);
+	if (kret)
+	    return kret;
+    }
+#endif
+
+    kret = krb5_build_authenticator (gssapi_krb5_context,
+				     (*context_handle)->auth_context,
+				     enctype,
+				     cred,
+				     &cksum,
+				     &auth,
+				     &authenticator,
+				     KRB5_KU_AP_REQ_AUTH);
+
+    if (kret) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    kret = krb5_build_ap_req (gssapi_krb5_context,
+			      enctype,
+			      cred,
+			      ap_options,
+			      authenticator,
+			      &outbuf);
+
+    if (kret) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kret;
+	ret = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    ret = gssapi_krb5_encapsulate (&outbuf, output_token, "\x01\x00");
+    if (ret) {
+	*minor_status = kret;
+	goto failure;
+    }
+
+    krb5_data_free (&outbuf);
+
+    if (flags & GSS_C_MUTUAL_FLAG) {
+	return GSS_S_CONTINUE_NEEDED;
+    } else {
+	(*context_handle)->more_flags |= OPEN;
+	return GSS_S_COMPLETE;
+    }
+
+ failure:
+    krb5_auth_con_free (gssapi_krb5_context,
+			(*context_handle)->auth_context);
+    if((*context_handle)->source)
+	krb5_free_principal (gssapi_krb5_context,
+			     (*context_handle)->source);
+    if((*context_handle)->target)
+	krb5_free_principal (gssapi_krb5_context,
+			     (*context_handle)->target);
+    free (*context_handle);
+    krb5_data_free (&outbuf);
+    *context_handle = GSS_C_NO_CONTEXT;
+    return ret;
+}
+
+static OM_uint32
+repl_mutual
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t initiator_cred_handle,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+           )
+{
+    OM_uint32 ret;
+    krb5_error_code kret;
+    krb5_data indata;
+    krb5_ap_rep_enc_part *repl;
+
+    ret = gssapi_krb5_decapsulate (input_token, &indata, "\x02\x00");
+    if (ret) {
+				/* XXX - Handle AP_ERROR */
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+
+    kret = krb5_rd_rep (gssapi_krb5_context,
+			(*context_handle)->auth_context,
+			&indata,
+			&repl);
+    if (kret) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+    krb5_free_ap_rep_enc_part (gssapi_krb5_context,
+			       repl);
+
+    output_token->length = 0;
+
+    (*context_handle)->more_flags |= OPEN;
+
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * gss_init_sec_context
+ */
+
+OM_uint32 gss_init_sec_context
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t initiator_cred_handle,
+            gss_ctx_id_t * context_handle,
+            const gss_name_t target_name,
+            const gss_OID mech_type,
+            OM_uint32 req_flags,
+            OM_uint32 time_req,
+            const gss_channel_bindings_t input_chan_bindings,
+            const gss_buffer_t input_token,
+            gss_OID * actual_mech_type,
+            gss_buffer_t output_token,
+            OM_uint32 * ret_flags,
+            OM_uint32 * time_rec
+           )
+{
+    gssapi_krb5_init ();
+
+    if (input_token == GSS_C_NO_BUFFER || input_token->length == 0)
+	return init_auth (minor_status,
+			  initiator_cred_handle,
+			  context_handle,
+			  target_name,
+			  mech_type,
+			  req_flags,
+			  time_req,
+			  input_chan_bindings,
+			  input_token,
+			  actual_mech_type,
+			  output_token,
+			  ret_flags,
+			  time_rec);
+    else
+	return repl_mutual(minor_status,
+			   initiator_cred_handle,
+			   context_handle,
+			   target_name,
+			   mech_type,
+			   req_flags,
+			   time_req,
+			   input_chan_bindings,
+			   input_token,
+			   actual_mech_type,
+			   output_token,
+			   ret_flags,
+			   time_rec);
+}
diff --git a/crypto/heimdal/lib/gssapi/inquire_context.c b/crypto/heimdal/lib/gssapi/inquire_context.c
new file mode 100644
index 0000000..6463253
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/inquire_context.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: inquire_context.c,v 1.3 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_inquire_context (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            gss_name_t * src_name,
+            gss_name_t * targ_name,
+            OM_uint32 * lifetime_rec,
+            gss_OID * mech_type,
+            OM_uint32 * ctx_flags,
+            int * locally_initiated,
+            int * open
+           )
+{
+  OM_uint32 ret;
+
+  if (src_name) {
+    ret = gss_duplicate_name (minor_status,
+			      context_handle->source,
+			      src_name);
+    if (ret)
+      return ret;
+  }
+
+  if (targ_name) {
+    ret = gss_duplicate_name (minor_status,
+			      context_handle->target,
+			      targ_name);
+    if (ret)
+      return ret;
+  }
+
+  if (lifetime_rec)
+    *lifetime_rec = GSS_C_INDEFINITE;
+
+  if (mech_type)
+    *mech_type = GSS_KRB5_MECHANISM;
+
+  if (ctx_flags)
+    *ctx_flags = context_handle->flags;
+
+  if (locally_initiated)
+    *locally_initiated = context_handle->more_flags & LOCAL;
+
+  if (open)
+    *open = context_handle->more_flags & OPEN;
+
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/inquire_cred.c b/crypto/heimdal/lib/gssapi/inquire_cred.c
new file mode 100644
index 0000000..9e181f3
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/inquire_cred.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: inquire_cred.c,v 1.2 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_inquire_cred
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            gss_name_t * name,
+            OM_uint32 * lifetime,
+            gss_cred_usage_t * cred_usage,
+            gss_OID_set * mechanisms
+           )
+{
+    OM_uint32 ret;
+
+    if (cred_handle == GSS_C_NO_CREDENTIAL) {
+        return GSS_S_FAILURE;
+    }
+
+    if (name != NULL) {
+        ret = gss_duplicate_name(minor_status, cred_handle->principal, name);
+        if (ret) {
+        	return ret;
+        }
+    }
+    if (lifetime != NULL) {
+        *lifetime = cred_handle->lifetime;
+    }
+    if (cred_usage != NULL) {
+        *cred_usage = cred_handle->usage;
+    }
+    if (mechanisms != NULL) {
+        ret = gss_create_empty_oid_set(minor_status, mechanisms);
+        if (ret) {
+            return ret;
+        }
+        ret = gss_add_oid_set_member(minor_status,
+				     &cred_handle->mechanisms->elements[0],
+				     mechanisms);
+        if (ret) {
+            return ret;
+        }
+    }
+    return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/release_buffer.c b/crypto/heimdal/lib/gssapi/release_buffer.c
new file mode 100644
index 0000000..f399a18
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/release_buffer.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: release_buffer.c,v 1.4 2000/04/12 09:47:23 assar Exp $");
+
+OM_uint32 gss_release_buffer
+           (OM_uint32 * minor_status,
+            gss_buffer_t buffer
+           )
+{
+  free (buffer->value);
+  buffer->value  = NULL;
+  buffer->length = 0;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/release_cred.c b/crypto/heimdal/lib/gssapi/release_cred.c
new file mode 100644
index 0000000..87ad512
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/release_cred.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: release_cred.c,v 1.5 2001/01/30 00:49:05 assar Exp $");
+
+OM_uint32 gss_release_cred
+           (OM_uint32 * minor_status,
+            gss_cred_id_t * cred_handle
+           )
+{
+    if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+        return GSS_S_COMPLETE;
+    }
+
+    gssapi_krb5_init ();
+
+    krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
+    if ((*cred_handle)->keytab != NULL)
+	krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
+    if ((*cred_handle)->ccache != NULL)
+	krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
+    gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
+    free(*cred_handle);
+    *cred_handle = GSS_C_NO_CREDENTIAL;
+    return GSS_S_COMPLETE;
+}
+
diff --git a/crypto/heimdal/lib/gssapi/release_name.c b/crypto/heimdal/lib/gssapi/release_name.c
new file mode 100644
index 0000000..ce18a91
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/release_name.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: release_name.c,v 1.5 2000/04/12 09:48:27 assar Exp $");
+
+OM_uint32 gss_release_name
+           (OM_uint32 * minor_status,
+            gss_name_t * input_name
+           )
+{
+  gssapi_krb5_init ();
+  krb5_free_principal(gssapi_krb5_context,
+		      *input_name);
+  *input_name = GSS_C_NO_NAME;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/release_oid_set.c b/crypto/heimdal/lib/gssapi/release_oid_set.c
new file mode 100644
index 0000000..4225788
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/release_oid_set.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: release_oid_set.c,v 1.4 2000/04/19 13:06:13 assar Exp $");
+
+OM_uint32 gss_release_oid_set
+           (OM_uint32 * minor_status,
+            gss_OID_set * set
+           )
+{
+  free ((*set)->elements);
+  free (*set);
+  *set = GSS_C_NO_OID_SET;
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/test_oid_set_member.c b/crypto/heimdal/lib/gssapi/test_oid_set_member.c
new file mode 100644
index 0000000..47e9fa7
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/test_oid_set_member.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: test_oid_set_member.c,v 1.4 1999/12/02 17:05:04 joda Exp $");
+
+OM_uint32 gss_test_oid_set_member (
+            OM_uint32 * minor_status,
+            const gss_OID member,
+            const gss_OID_set set,
+            int * present
+           )
+{
+  size_t i;
+
+  *present = 0;
+  for (i = 0; i < set->count; ++i)
+    if (member->length == set->elements[i].length
+	&& memcmp (member->elements,
+		   set->elements[i].elements,
+		   member->length) == 0) {
+      *present = 1;
+      break;
+    }
+  return GSS_S_COMPLETE;
+}
diff --git a/crypto/heimdal/lib/gssapi/unwrap.c b/crypto/heimdal/lib/gssapi/unwrap.c
new file mode 100644
index 0000000..95f8e21
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/unwrap.c
@@ -0,0 +1,415 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: unwrap.c,v 1.17 2001/05/11 09:16:47 assar Exp $");
+
+OM_uint32
+gss_krb5_getsomekey(const gss_ctx_id_t context_handle,
+		    krb5_keyblock **key)
+{
+    /* XXX this is ugly, and probably incorrect... */
+    krb5_keyblock *skey;
+    krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
+				 context_handle->auth_context, 
+				 &skey);
+    if(skey == NULL)
+	krb5_auth_con_getremotesubkey(gssapi_krb5_context,
+				      context_handle->auth_context, 
+				      &skey);
+    if(skey == NULL)
+	krb5_auth_con_getkey(gssapi_krb5_context,
+			     context_handle->auth_context, 
+			     &skey);
+    if(skey == NULL)
+	return GSS_S_FAILURE;
+    *key = skey;
+    return 0;
+}
+
+static OM_uint32
+unwrap_des
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p, *pad;
+  size_t len;
+  MD5_CTX md5;
+  u_char hash[16], seq_data[8];
+  des_key_schedule schedule;
+  des_cblock deskey;
+  des_cblock zero;
+  int i;
+  int32_t seq_number;
+  size_t padlength;
+  OM_uint32 ret;
+  int cstate;
+
+  p = input_message_buffer->value;
+  ret = gssapi_krb5_verify_header (&p,
+				   input_message_buffer->length,
+				   "\x02\x01");
+  if (ret) {
+      *minor_status = 0;
+      return ret;
+  }
+
+  if (memcmp (p, "\x00\x00", 2) != 0)
+    return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\x00\x00", 2) == 0) {
+      cstate = 1;
+  } else if (memcmp (p, "\xFF\xFF", 2) == 0) {
+      cstate = 0;
+  } else
+      return GSS_S_BAD_MIC;
+  p += 2;
+  if(conf_state != NULL)
+      *conf_state = cstate;
+  if (memcmp (p, "\xff\xff", 2) != 0)
+    return GSS_S_DEFECTIVE_TOKEN;
+  p += 2;
+  p += 16;
+
+  len = p - (u_char *)input_message_buffer->value;
+
+  if(cstate) {
+      /* decrypt data */
+      memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+
+      for (i = 0; i < sizeof(deskey); ++i)
+	  deskey[i] ^= 0xf0;
+      des_set_key (&deskey, schedule);
+      memset (&zero, 0, sizeof(zero));
+      des_cbc_encrypt ((void *)p,
+		       (void *)p,
+		       input_message_buffer->length - len,
+		       schedule,
+		       &zero,
+		       DES_DECRYPT);
+      
+      memset (deskey, 0, sizeof(deskey));
+      memset (schedule, 0, sizeof(schedule));
+  }
+  /* check pad */
+
+  pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1;
+  padlength = *pad;
+
+  for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
+    ;
+  if (i != 0)
+    return GSS_S_BAD_MIC;
+
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, p, input_message_buffer->length - len);
+  MD5_Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+  des_set_key (&deskey, schedule);
+  des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
+		 schedule, &zero);
+  if (memcmp (p - 8, hash, 8) != 0)
+    return GSS_S_BAD_MIC;
+
+  /* verify sequence number */
+  
+  krb5_auth_getremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				&seq_number);
+  seq_data[0] = (seq_number >> 0)  & 0xFF;
+  seq_data[1] = (seq_number >> 8)  & 0xFF;
+  seq_data[2] = (seq_number >> 16) & 0xFF;
+  seq_data[3] = (seq_number >> 24) & 0xFF;
+  memset (seq_data + 4,
+	  (context_handle->more_flags & LOCAL) ? 0xFF : 0,
+	  4);
+
+  p -= 16;
+  des_set_key (&deskey, schedule);
+  des_cbc_encrypt ((void *)p, (void *)p, 8,
+		   schedule, (des_cblock *)hash, DES_DECRYPT);
+
+  memset (deskey, 0, sizeof(deskey));
+  memset (schedule, 0, sizeof(schedule));
+
+  if (memcmp (p, seq_data, 8) != 0) {
+    return GSS_S_BAD_MIC;
+  }
+
+  krb5_auth_setremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				++seq_number);
+
+  /* copy out data */
+
+  output_message_buffer->length = input_message_buffer->length
+    - len - padlength - 8;
+  output_message_buffer->value  = malloc(output_message_buffer->length);
+  if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+      return GSS_S_FAILURE;
+  memcpy (output_message_buffer->value,
+	  p + 24,
+	  output_message_buffer->length);
+  return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+unwrap_des3
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p, *pad;
+  size_t len;
+  u_char seq[8];
+  krb5_data seq_data;
+  u_char cksum[20];
+  int i;
+  int32_t seq_number;
+  size_t padlength;
+  OM_uint32 ret;
+  int cstate;
+  krb5_crypto crypto;
+  Checksum csum;
+  int cmp;
+
+  p = input_message_buffer->value;
+  ret = gssapi_krb5_verify_header (&p,
+				   input_message_buffer->length,
+				   "\x02\x01");
+  if (ret)
+      return ret;
+
+  if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+    return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\x02\x00", 2) == 0) {
+    cstate = 1;
+  } else if (memcmp (p, "\xff\xff", 2) == 0) {
+    cstate = 0;
+  } else
+    return GSS_S_BAD_MIC;
+  p += 2;
+  if(conf_state != NULL)
+    *conf_state = cstate;
+  if (memcmp (p, "\xff\xff", 2) != 0)
+    return GSS_S_DEFECTIVE_TOKEN;
+  p += 2;
+  p += 28;
+
+  len = p - (u_char *)input_message_buffer->value;
+
+  if(cstate) {
+      /* decrypt data */
+      krb5_data tmp;
+
+      ret = krb5_crypto_init(gssapi_krb5_context, key,
+			     ETYPE_DES3_CBC_NONE, &crypto);
+      if (ret) {
+	  gssapi_krb5_set_error_string ();
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL,
+			 p, input_message_buffer->length - len, &tmp);
+      krb5_crypto_destroy(gssapi_krb5_context, crypto);
+      if (ret) {
+	  gssapi_krb5_set_error_string ();
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      assert (tmp.length == input_message_buffer->length - len);
+
+      memcpy (p, tmp.data, tmp.length);
+      krb5_data_free(&tmp);
+  }
+  /* check pad */
+
+  pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1;
+  padlength = *pad;
+
+  for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
+    ;
+  if (i != 0)
+    return GSS_S_BAD_MIC;
+
+  /* verify sequence number */
+  
+  krb5_auth_getremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				&seq_number);
+  seq[0] = (seq_number >> 0)  & 0xFF;
+  seq[1] = (seq_number >> 8)  & 0xFF;
+  seq[2] = (seq_number >> 16) & 0xFF;
+  seq[3] = (seq_number >> 24) & 0xFF;
+  memset (seq + 4,
+	  (context_handle->more_flags & LOCAL) ? 0xFF : 0,
+	  4);
+
+  p -= 28;
+
+  ret = krb5_crypto_init(gssapi_krb5_context, key,
+			 ETYPE_DES3_CBC_NONE_IVEC, &crypto);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  {
+      des_cblock ivec;
+
+      memcpy(&ivec, p + 8, 8);
+      ret = krb5_decrypt_ivec (gssapi_krb5_context,
+			       crypto,
+			       KRB5_KU_USAGE_SEQ,
+			       p, 8, &seq_data,
+			       &ivec);
+  }
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  if (seq_data.length != 8) {
+      krb5_data_free (&seq_data);
+      return GSS_S_BAD_MIC;
+  }
+
+  cmp = memcmp (seq, seq_data.data, seq_data.length);
+  krb5_data_free (&seq_data);
+  if (cmp != 0) {
+      return GSS_S_BAD_MIC;
+  }
+
+  krb5_auth_setremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				++seq_number);
+
+  /* verify checksum */
+
+  memcpy (cksum, p + 8, 20);
+
+  memcpy (p + 20, p - 8, 8);
+
+  csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
+  csum.checksum.length = 20;
+  csum.checksum.data   = cksum;
+
+  ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  ret = krb5_verify_checksum (gssapi_krb5_context, crypto,
+			      KRB5_KU_USAGE_SIGN,
+			      p + 20,
+			      input_message_buffer->length - len + 8,
+			      &csum);
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  /* copy out data */
+
+  output_message_buffer->length = input_message_buffer->length
+    - len - padlength - 8;
+  output_message_buffer->value  = malloc(output_message_buffer->length);
+  if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+      return GSS_S_FAILURE;
+  memcpy (output_message_buffer->value,
+	  p + 36,
+	  output_message_buffer->length);
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32 gss_unwrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            gss_qop_t * qop_state
+           )
+{
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+
+  ret = gss_krb5_getsomekey(context_handle, &key);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = unwrap_des (minor_status, context_handle,
+			input_message_buffer, output_message_buffer,
+			conf_state, qop_state, key);
+      break;
+  case KEYTYPE_DES3 :
+      ret = unwrap_des3 (minor_status, context_handle,
+			 input_message_buffer, output_message_buffer,
+			 conf_state, qop_state, key);
+      break;
+  default :
+      *minor_status = KRB5_PROG_ETYPE_NOSUPP;
+      ret = GSS_S_FAILURE;
+      break;
+  }
+  krb5_free_keyblock (gssapi_krb5_context, key);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/v1.c b/crypto/heimdal/lib/gssapi/v1.c
new file mode 100644
index 0000000..34091ea
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/v1.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: v1.c,v 1.2 1999/12/02 17:05:04 joda Exp $");
+
+/* These functions are for V1 compatibility */
+
+OM_uint32 gss_sign
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int qop_req,
+            gss_buffer_t message_buffer,
+            gss_buffer_t message_token
+           )
+{
+  return gss_get_mic(minor_status,
+	context_handle,
+	(gss_qop_t)qop_req,
+	message_buffer,
+	message_token);
+}
+
+OM_uint32 gss_verify
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t message_buffer,
+            gss_buffer_t token_buffer,
+            int * qop_state
+           )
+{
+  return gss_verify_mic(minor_status,
+	context_handle,
+	message_buffer,
+	token_buffer,
+	(gss_qop_t *)qop_state);
+}
+
+OM_uint32 gss_seal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            int qop_req,
+            gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           )
+{
+  return gss_wrap(minor_status,
+	context_handle,
+	conf_req_flag,
+	(gss_qop_t)qop_req,
+	input_message_buffer,
+	conf_state,
+	output_message_buffer);
+}
+
+OM_uint32 gss_unseal
+           (OM_uint32 * minor_status,
+            gss_ctx_id_t context_handle,
+            gss_buffer_t input_message_buffer,
+            gss_buffer_t output_message_buffer,
+            int * conf_state,
+            int * qop_state
+           )
+{
+  return gss_unwrap(minor_status,
+	context_handle,
+	input_message_buffer,
+	output_message_buffer,
+	conf_state,
+	(gss_qop_t *)qop_state);
+}
diff --git a/crypto/heimdal/lib/gssapi/verify_mic.c b/crypto/heimdal/lib/gssapi/verify_mic.c
new file mode 100644
index 0000000..b39ae73
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/verify_mic.c
@@ -0,0 +1,275 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: verify_mic.c,v 1.13 2001/05/11 09:16:47 assar Exp $");
+
+static OM_uint32
+verify_mic_des
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key
+	    )
+{
+  u_char *p;
+  MD5_CTX md5;
+  u_char hash[16], seq_data[8];
+  des_key_schedule schedule;
+  des_cblock zero;
+  des_cblock deskey;
+  int32_t seq_number;
+  OM_uint32 ret;
+
+  p = token_buffer->value;
+  ret = gssapi_krb5_verify_header (&p,
+				   token_buffer->length,
+				   "\x01\x01");
+  if (ret)
+      return ret;
+
+  if (memcmp(p, "\x00\x00", 2) != 0)
+      return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
+    return GSS_S_BAD_MIC;
+  p += 4;
+  p += 16;
+
+  /* verify checksum */
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, message_buffer->value,
+	     message_buffer->length);
+  MD5_Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+
+  des_set_key (&deskey, schedule);
+  des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
+		 schedule, &zero);
+  if (memcmp (p - 8, hash, 8) != 0) {
+    memset (deskey, 0, sizeof(deskey));
+    memset (schedule, 0, sizeof(schedule));
+    return GSS_S_BAD_MIC;
+  }
+
+  /* verify sequence number */
+  
+  krb5_auth_getremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				&seq_number);
+  seq_data[0] = (seq_number >> 0)  & 0xFF;
+  seq_data[1] = (seq_number >> 8)  & 0xFF;
+  seq_data[2] = (seq_number >> 16) & 0xFF;
+  seq_data[3] = (seq_number >> 24) & 0xFF;
+  memset (seq_data + 4,
+	  (context_handle->more_flags & LOCAL) ? 0xFF : 0,
+	  4);
+
+  p -= 16;
+  des_set_key (&deskey, schedule);
+  des_cbc_encrypt ((void *)p, (void *)p, 8,
+		   schedule, (des_cblock *)hash, DES_DECRYPT);
+
+  memset (deskey, 0, sizeof(deskey));
+  memset (schedule, 0, sizeof(schedule));
+
+  if (memcmp (p, seq_data, 8) != 0) {
+    return GSS_S_BAD_MIC;
+  }
+
+  krb5_auth_setremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				++seq_number);
+
+  return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+verify_mic_des3
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state,
+	    krb5_keyblock *key
+	    )
+{
+  u_char *p;
+  u_char seq[8];
+  int32_t seq_number;
+  OM_uint32 ret;
+  krb5_crypto crypto;
+  krb5_data seq_data;
+  int cmp;
+  Checksum csum;
+  char *tmp;
+  
+  p = token_buffer->value;
+  ret = gssapi_krb5_verify_header (&p,
+				   token_buffer->length,
+				   "\x01\x01");
+  if (ret)
+      return ret;
+
+  if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */
+      return GSS_S_BAD_SIG;
+  p += 2;
+  if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
+    return GSS_S_BAD_MIC;
+  p += 4;
+
+  ret = krb5_crypto_init(gssapi_krb5_context, key,
+			 ETYPE_DES3_CBC_NONE, &crypto);
+  if (ret){
+      gssapi_krb5_set_error_string ();
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  /* verify sequence number */
+
+  ret = krb5_decrypt (gssapi_krb5_context,
+		      crypto,
+		      KRB5_KU_USAGE_SEQ,
+		      p, 8, &seq_data);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      krb5_crypto_destroy (gssapi_krb5_context, crypto);
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  if (seq_data.length != 8) {
+      krb5_crypto_destroy (gssapi_krb5_context, crypto);
+      krb5_data_free (&seq_data);
+      return GSS_S_BAD_MIC;
+  }
+
+  krb5_auth_getremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				&seq_number);
+  seq[0] = (seq_number >> 0)  & 0xFF;
+  seq[1] = (seq_number >> 8)  & 0xFF;
+  seq[2] = (seq_number >> 16) & 0xFF;
+  seq[3] = (seq_number >> 24) & 0xFF;
+  memset (seq + 4,
+	  (context_handle->more_flags & LOCAL) ? 0xFF : 0,
+	  4);
+  cmp = memcmp (seq, seq_data.data, seq_data.length);
+  krb5_data_free (&seq_data);
+  if (cmp != 0) {
+      krb5_crypto_destroy (gssapi_krb5_context, crypto);
+      return GSS_S_BAD_MIC;
+  }
+
+  /* verify checksum */
+
+  tmp = malloc (message_buffer->length + 8);
+  if (tmp == NULL) {
+      krb5_crypto_destroy (gssapi_krb5_context, crypto);
+      *minor_status = ENOMEM;
+      return GSS_S_FAILURE;
+  }
+
+  memcpy (tmp, p - 8, 8);
+  memcpy (tmp + 8, message_buffer->value, message_buffer->length);
+
+  csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3;
+  csum.checksum.length = 20;
+  csum.checksum.data   = p + 8;
+
+  ret = krb5_verify_checksum (gssapi_krb5_context, crypto,
+			      KRB5_KU_USAGE_SIGN,
+			      tmp, message_buffer->length + 8,
+			      &csum);
+  free (tmp);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      krb5_crypto_destroy (gssapi_krb5_context, crypto);
+      *minor_status = ret;
+      return GSS_S_BAD_MIC;
+  }
+
+  krb5_auth_setremoteseqnumber (gssapi_krb5_context,
+				context_handle->auth_context,
+				++seq_number);
+
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gss_verify_mic
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            const gss_buffer_t message_buffer,
+            const gss_buffer_t token_buffer,
+            gss_qop_t * qop_state
+	    )
+{
+    krb5_keyblock *key;
+    OM_uint32 ret;
+    krb5_keytype keytype;
+
+    ret = krb5_auth_con_getremotesubkey (gssapi_krb5_context,
+					 context_handle->auth_context,
+					 &key);
+    if (ret) {
+	gssapi_krb5_set_error_string ();
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+    krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+    switch (keytype) {
+    case KEYTYPE_DES :
+	ret = verify_mic_des (minor_status, context_handle,
+			      message_buffer, token_buffer, qop_state, key);
+	break;
+    case KEYTYPE_DES3 :
+	ret = verify_mic_des3 (minor_status, context_handle,
+			       message_buffer, token_buffer, qop_state, key);
+	break;
+    default :
+	*minor_status = KRB5_PROG_ETYPE_NOSUPP;
+	ret = GSS_S_FAILURE;
+	break;
+    }
+    krb5_free_keyblock (gssapi_krb5_context, key);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/gssapi/wrap.c b/crypto/heimdal/lib/gssapi/wrap.c
new file mode 100644
index 0000000..3d282fd
--- /dev/null
+++ b/crypto/heimdal/lib/gssapi/wrap.c
@@ -0,0 +1,418 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "gssapi_locl.h"
+
+RCSID("$Id: wrap.c,v 1.18 2001/05/11 09:16:47 assar Exp $");
+
+static OM_uint32
+sub_wrap_size (
+            OM_uint32 req_output_size,
+            OM_uint32 * max_input_size,
+	    int blocksize,
+	    int extrasize
+           )
+{
+  size_t len, total_len, padlength;
+  padlength = blocksize - (req_output_size % blocksize);
+  len = req_output_size + 8 + padlength + extrasize;
+  gssapi_krb5_encap_length(len, &len, &total_len);
+  *max_input_size = (OM_uint32)total_len;
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gss_wrap_size_limit (
+            OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            OM_uint32 req_output_size,
+            OM_uint32 * max_input_size
+           )
+{
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+
+  ret = gss_krb5_getsomekey(context_handle, &key);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = sub_wrap_size(req_output_size, max_input_size, 8, 22);
+      break;
+  case KEYTYPE_DES3 :
+      ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
+      break;
+  default :
+      *minor_status = KRB5_PROG_ETYPE_NOSUPP;
+      ret = GSS_S_FAILURE;
+      break;
+  }
+  krb5_free_keyblock (gssapi_krb5_context, key);
+  return ret;
+}
+
+static OM_uint32
+wrap_des
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  MD5_CTX md5;
+  u_char hash[16];
+  des_key_schedule schedule;
+  des_cblock deskey;
+  des_cblock zero;
+  int i;
+  int32_t seq_number;
+  size_t len, total_len, padlength, datalen;
+
+  padlength = 8 - (input_message_buffer->length % 8);
+  datalen = input_message_buffer->length + padlength + 8;
+  len = datalen + 22;
+  gssapi_krb5_encap_length (len, &len, &total_len);
+
+  output_message_buffer->length = total_len;
+  output_message_buffer->value  = malloc (total_len);
+  if (output_message_buffer->value == NULL)
+    return GSS_S_FAILURE;
+
+  p = gssapi_krb5_make_header(output_message_buffer->value,
+			      len,
+			      "\x02\x01"); /* TOK_ID */
+
+  /* SGN_ALG */
+  memcpy (p, "\x00\x00", 2);
+  p += 2;
+  /* SEAL_ALG */
+  if(conf_req_flag)
+      memcpy (p, "\x00\x00", 2);
+  else
+      memcpy (p, "\xff\xff", 2);
+  p += 2;
+  /* Filler */
+  memcpy (p, "\xff\xff", 2);
+  p += 2;
+
+  /* fill in later */
+  memset (p, 0, 16);
+  p += 16;
+
+  /* confounder + data + pad */
+  krb5_generate_random_block(p, 8);
+  memcpy (p + 8, input_message_buffer->value,
+	  input_message_buffer->length);
+  memset (p + 8 + input_message_buffer->length, padlength, padlength);
+
+  /* checksum */
+  MD5_Init (&md5);
+  MD5_Update (&md5, p - 24, 8);
+  MD5_Update (&md5, p, datalen);
+  MD5_Final (hash, &md5);
+
+  memset (&zero, 0, sizeof(zero));
+  memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+  des_set_key (&deskey, schedule);
+  des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
+		 schedule, &zero);
+  memcpy (p - 8, hash, 8);
+
+  /* sequence number */
+  krb5_auth_getlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       &seq_number);
+
+  p -= 16;
+  p[0] = (seq_number >> 0)  & 0xFF;
+  p[1] = (seq_number >> 8)  & 0xFF;
+  p[2] = (seq_number >> 16) & 0xFF;
+  p[3] = (seq_number >> 24) & 0xFF;
+  memset (p + 4,
+	  (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+  des_set_key (&deskey, schedule);
+  des_cbc_encrypt ((void *)p, (void *)p, 8,
+		   schedule, (des_cblock *)(p + 8), DES_ENCRYPT);
+
+  krb5_auth_setlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       ++seq_number);
+
+  /* encrypt the data */
+  p += 16;
+
+  if(conf_req_flag) {
+      memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+
+      for (i = 0; i < sizeof(deskey); ++i)
+	  deskey[i] ^= 0xf0;
+      des_set_key (&deskey, schedule);
+      memset (&zero, 0, sizeof(zero));
+      des_cbc_encrypt ((void *)p,
+		       (void *)p,
+		       datalen,
+		       schedule,
+		       &zero,
+		       DES_ENCRYPT);
+      
+      memset (deskey, 0, sizeof(deskey));
+      memset (schedule, 0, sizeof(schedule));
+  }
+  if(conf_state != NULL)
+      *conf_state = conf_req_flag;
+  return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+wrap_des3
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer,
+	    krb5_keyblock *key
+           )
+{
+  u_char *p;
+  u_char seq[8];
+  int32_t seq_number;
+  size_t len, total_len, padlength, datalen;
+  u_int32_t ret;
+  krb5_crypto crypto;
+  Checksum cksum;
+  krb5_data encdata;
+
+  padlength = 8 - (input_message_buffer->length % 8);
+  datalen = input_message_buffer->length + padlength + 8;
+  len = datalen + 34;
+  gssapi_krb5_encap_length (len, &len, &total_len);
+
+  output_message_buffer->length = total_len;
+  output_message_buffer->value  = malloc (total_len);
+  if (output_message_buffer->value == NULL)
+    return GSS_S_FAILURE;
+
+  p = gssapi_krb5_make_header(output_message_buffer->value,
+			      len,
+			      "\x02\x01"); /* TOK_ID */
+
+  /* SGN_ALG */
+  memcpy (p, "\x04\x00", 2);	/* HMAC SHA1 DES3-KD */
+  p += 2;
+  /* SEAL_ALG */
+  if(conf_req_flag)
+      memcpy (p, "\x02\x00", 2); /* DES3-KD */
+  else
+      memcpy (p, "\xff\xff", 2);
+  p += 2;
+  /* Filler */
+  memcpy (p, "\xff\xff", 2);
+  p += 2;
+
+  /* calculate checksum (the above + confounder + data + pad) */
+
+  memcpy (p + 20, p - 8, 8);
+  krb5_generate_random_block(p + 28, 8);
+  memcpy (p + 28 + 8, input_message_buffer->value,
+	  input_message_buffer->length);
+  memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength);
+
+  ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      free (output_message_buffer->value);
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  ret = krb5_create_checksum (gssapi_krb5_context,
+			      crypto,
+			      KRB5_KU_USAGE_SIGN,
+			      0,
+			      p + 20,
+			      datalen + 8,
+			      &cksum);
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      free (output_message_buffer->value);
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  /* zero out SND_SEQ + SGN_CKSUM in case */
+  memset (p, 0, 28);
+
+  memcpy (p + 8, cksum.checksum.data, cksum.checksum.length);
+  free_Checksum (&cksum);
+
+  /* sequence number */
+  krb5_auth_getlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       &seq_number);
+
+  seq[0] = (seq_number >> 0)  & 0xFF;
+  seq[1] = (seq_number >> 8)  & 0xFF;
+  seq[2] = (seq_number >> 16) & 0xFF;
+  seq[3] = (seq_number >> 24) & 0xFF;
+  memset (seq + 4,
+	  (context_handle->more_flags & LOCAL) ? 0 : 0xFF,
+	  4);
+
+
+  ret = krb5_crypto_init(gssapi_krb5_context, key, ETYPE_DES3_CBC_NONE_IVEC,
+			 &crypto);
+  if (ret) {
+      free (output_message_buffer->value);
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+
+  {
+      des_cblock ivec;
+
+      memcpy (&ivec, p + 8, 8);
+      ret = krb5_encrypt_ivec (gssapi_krb5_context,
+			       crypto,
+			       KRB5_KU_USAGE_SEQ,
+			       seq, 8, &encdata,
+			       &ivec);
+  }
+  krb5_crypto_destroy (gssapi_krb5_context, crypto);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      free (output_message_buffer->value);
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  
+  assert (encdata.length == 8);
+
+  memcpy (p, encdata.data, encdata.length);
+  krb5_data_free (&encdata);
+
+  krb5_auth_setlocalseqnumber (gssapi_krb5_context,
+			       context_handle->auth_context,
+			       ++seq_number);
+
+  /* encrypt the data */
+  p += 28;
+
+  if(conf_req_flag) {
+      krb5_data tmp;
+
+      ret = krb5_crypto_init(gssapi_krb5_context, key,
+			     ETYPE_DES3_CBC_NONE, &crypto);
+      if (ret) {
+	  gssapi_krb5_set_error_string ();
+	  free (output_message_buffer->value);
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      ret = krb5_encrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL,
+			 p, datalen, &tmp);
+      krb5_crypto_destroy(gssapi_krb5_context, crypto);
+      if (ret) {
+	  gssapi_krb5_set_error_string ();
+	  free (output_message_buffer->value);
+	  *minor_status = ret;
+	  return GSS_S_FAILURE;
+      }
+      assert (tmp.length == datalen);
+
+      memcpy (p, tmp.data, datalen);
+      krb5_data_free(&tmp);
+  }
+  if(conf_state != NULL)
+      *conf_state = conf_req_flag;
+  return GSS_S_COMPLETE;
+}
+
+OM_uint32 gss_wrap
+           (OM_uint32 * minor_status,
+            const gss_ctx_id_t context_handle,
+            int conf_req_flag,
+            gss_qop_t qop_req,
+            const gss_buffer_t input_message_buffer,
+            int * conf_state,
+            gss_buffer_t output_message_buffer
+           )
+{
+  krb5_keyblock *key;
+  OM_uint32 ret;
+  krb5_keytype keytype;
+
+  ret = gss_krb5_getsomekey(context_handle, &key);
+  if (ret) {
+      gssapi_krb5_set_error_string ();
+      *minor_status = ret;
+      return GSS_S_FAILURE;
+  }
+  krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
+
+  switch (keytype) {
+  case KEYTYPE_DES :
+      ret = wrap_des (minor_status, context_handle, conf_req_flag,
+		      qop_req, input_message_buffer, conf_state,
+		      output_message_buffer, key);
+      break;
+  case KEYTYPE_DES3 :
+      ret = wrap_des3 (minor_status, context_handle, conf_req_flag,
+		       qop_req, input_message_buffer, conf_state,
+		       output_message_buffer, key);
+      break;
+  default :
+      *minor_status = KRB5_PROG_ETYPE_NOSUPP;
+      ret = GSS_S_FAILURE;
+      break;
+  }
+  krb5_free_keyblock (gssapi_krb5_context, key);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/hdb/Makefile.am b/crypto/heimdal/lib/hdb/Makefile.am
new file mode 100644
index 0000000..b860260
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/Makefile.am
@@ -0,0 +1,63 @@
+# $Id: Makefile.am,v 1.44 2001/05/16 23:50:57 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I../asn1 -I$(srcdir)/../asn1
+
+BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c \
+	asn1_Salt.c hdb_err.c hdb_err.h
+
+foo = asn1_Key.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x
+
+CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files
+
+noinst_PROGRAMS = convert_db
+LDADD = libhdb.la \
+	$(LIB_openldap) \
+	../krb5/libkrb5.la \
+	../asn1/libasn1.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
+
+lib_LTLIBRARIES = libhdb.la
+libhdb_la_LDFLAGS = -version-info 7:1:0
+
+libhdb_la_SOURCES =				\
+	common.c				\
+	db.c					\
+	db3.c					\
+	hdb-ldap.c				\
+	hdb.c					\
+	keytab.c				\
+	mkey.c					\
+	ndbm.c					\
+	print.c					\
+	$(BUILT_SOURCES)
+
+INCLUDES += $(INCLUDE_openldap)
+
+include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h
+
+libhdb_la_LIBADD = $(LIB_openldap)
+
+$(libhdb_la_OBJECTS): $(srcdir)/hdb-protos.h $(srcdir)/hdb-private.h
+
+$(srcdir)/hdb-protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o hdb-protos.h $(libhdb_la_SOURCES) || rm -f hdb-protos.h
+
+$(srcdir)/hdb-private.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -p hdb-private.h $(libhdb_la_SOURCES) || rm -f hdb-private.h
+
+$(foo) hdb_asn1.h: asn1_files
+
+asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1
+	../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 hdb_asn1
+
+$(libhdb_la_OBJECTS): hdb_asn1.h hdb_err.h
+
+$(convert_db_OBJECTS): hdb_asn1.h hdb_err.h
+
+# to help stupid solaris make
+
+hdb_err.h: hdb_err.et
diff --git a/crypto/heimdal/lib/hdb/Makefile.in b/crypto/heimdal/lib/hdb/Makefile.in
new file mode 100644
index 0000000..4fbaf27
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/Makefile.in
@@ -0,0 +1,669 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.44 2001/05/16 23:50:57 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -I../asn1 -I$(srcdir)/../asn1 $(INCLUDE_openldap)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+BUILT_SOURCES = asn1_Key.c asn1_Event.c asn1_HDBFlags.c asn1_hdb_entry.c \
+	asn1_Salt.c hdb_err.c hdb_err.h
+
+
+foo = asn1_Key.x asn1_Event.x asn1_HDBFlags.x asn1_hdb_entry.x asn1_Salt.x
+
+CLEANFILES = $(BUILT_SOURCES) $(foo) hdb_asn1.h asn1_files
+
+noinst_PROGRAMS = convert_db
+LDADD = libhdb.la \
+	$(LIB_openldap) \
+	../krb5/libkrb5.la \
+	../asn1/libasn1.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
+
+
+lib_LTLIBRARIES = libhdb.la
+libhdb_la_LDFLAGS = -version-info 7:1:0
+
+libhdb_la_SOURCES = \
+	common.c				\
+	db.c					\
+	db3.c					\
+	hdb-ldap.c				\
+	hdb.c					\
+	keytab.c				\
+	mkey.c					\
+	ndbm.c					\
+	print.c					\
+	$(BUILT_SOURCES)
+
+
+include_HEADERS = hdb.h hdb_err.h hdb_asn1.h hdb-protos.h hdb-private.h
+
+libhdb_la_LIBADD = $(LIB_openldap)
+subdir = lib/hdb
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libhdb_la_DEPENDENCIES = 
+am_libhdb_la_OBJECTS =  common.lo db.lo db3.lo hdb-ldap.lo hdb.lo \
+keytab.lo mkey.lo ndbm.lo print.lo asn1_Key.lo asn1_Event.lo \
+asn1_HDBFlags.lo asn1_hdb_entry.lo asn1_Salt.lo hdb_err.lo
+libhdb_la_OBJECTS =  $(am_libhdb_la_OBJECTS)
+noinst_PROGRAMS =  convert_db$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+convert_db_SOURCES = convert_db.c
+convert_db_OBJECTS =  convert_db.$(OBJEXT)
+convert_db_LDADD = $(LDADD)
+convert_db_DEPENDENCIES =  libhdb.la ../krb5/libkrb5.la \
+../asn1/libasn1.la
+convert_db_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libhdb_la_SOURCES) convert_db.c
+HEADERS =  $(include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libhdb_la_SOURCES) convert_db.c
+OBJECTS = $(am_libhdb_la_OBJECTS) convert_db.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/hdb/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libhdb.la: $(libhdb_la_OBJECTS) $(libhdb_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libhdb_la_LDFLAGS) $(libhdb_la_OBJECTS) $(libhdb_la_LIBADD) $(LIBS)
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+convert_db$(EXEEXT): $(convert_db_OBJECTS) $(convert_db_DEPENDENCIES)
+	@rm -f convert_db$(EXEEXT)
+	$(LINK) $(convert_db_LDFLAGS) $(convert_db_OBJECTS) $(convert_db_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+all-recursive-am: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) all-recursive
+
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-noinstPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-noinstPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-noinstPROGRAMS \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
+install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck all-recursive-am install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(libhdb_la_OBJECTS): $(srcdir)/hdb-protos.h $(srcdir)/hdb-private.h
+
+$(srcdir)/hdb-protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o hdb-protos.h $(libhdb_la_SOURCES) || rm -f hdb-protos.h
+
+$(srcdir)/hdb-private.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -p hdb-private.h $(libhdb_la_SOURCES) || rm -f hdb-private.h
+
+$(foo) hdb_asn1.h: asn1_files
+
+asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1
+	../asn1/asn1_compile$(EXEEXT) $(srcdir)/hdb.asn1 hdb_asn1
+
+$(libhdb_la_OBJECTS): hdb_asn1.h hdb_err.h
+
+$(convert_db_OBJECTS): hdb_asn1.h hdb_err.h
+
+# to help stupid solaris make
+
+hdb_err.h: hdb_err.et
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/hdb/common.c b/crypto/heimdal/lib/hdb/common.c
new file mode 100644
index 0000000..befde78
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/common.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: common.c,v 1.8 2001/01/30 01:22:17 assar Exp $");
+
+int
+hdb_principal2key(krb5_context context, krb5_principal p, krb5_data *key)
+{
+    Principal new;
+    size_t len;
+    unsigned char *buf;
+    int ret;
+
+    ret = copy_Principal(p, &new);
+    if(ret)
+	goto out;
+    new.name.name_type = 0;
+    len = length_Principal(&new);
+    buf  = malloc(len);
+    if(buf == NULL){
+	ret = ENOMEM;
+	goto out;
+    }
+    ret = encode_Principal(buf + len - 1, len, &new, &len);
+    if(ret){
+	free(buf);
+	goto out;
+    }
+    key->data = buf;
+    key->length = len;
+out:
+    free_Principal(&new);
+    return ret;
+}
+
+int
+hdb_key2principal(krb5_context context, krb5_data *key, krb5_principal p)
+{
+    return decode_Principal(key->data, key->length, p, NULL);
+}
+
+int
+hdb_entry2value(krb5_context context, hdb_entry *ent, krb5_data *value)
+{
+    unsigned char *buf;
+    size_t len;
+    int ret;
+
+    len = length_hdb_entry(ent);
+    buf = malloc(len);
+    if(buf == NULL)
+	return ENOMEM;
+    ret = encode_hdb_entry(buf + len - 1, len, ent, &len);
+    if(ret){
+	free(buf);
+	return ret;
+    }
+    value->data = buf;
+    value->length = len;
+    return 0;
+}
+
+int
+hdb_value2entry(krb5_context context, krb5_data *value, hdb_entry *ent)
+{
+    return decode_hdb_entry(value->data, value->length, ent, NULL);
+}
+
+krb5_error_code
+_hdb_fetch(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    krb5_data key, value;
+    int code = 0;
+
+    hdb_principal2key(context, entry->principal, &key);
+    code = db->_get(context, db, key, &value);
+    krb5_data_free(&key);
+    if(code)
+	return code;
+    hdb_value2entry(context, &value, entry);
+    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	code = hdb_unseal_keys (context, db, entry);
+	if (code)
+	    hdb_free_entry(context, entry);
+    }
+    krb5_data_free(&value);
+    return code;
+}
+
+krb5_error_code
+_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    krb5_data key, value;
+    int code;
+
+    hdb_principal2key(context, entry->principal, &key);
+    code = hdb_seal_keys(context, db, entry);
+    if (code) {
+	krb5_data_free(&key);
+	return code;
+    }
+    hdb_entry2value(context, entry, &value);
+    code = db->_put(context, db, flags & HDB_F_REPLACE, key, value);
+    krb5_data_free(&value);
+    krb5_data_free(&key);
+    return code;
+}
+
+krb5_error_code
+_hdb_remove(krb5_context context, HDB *db, hdb_entry *entry)
+{
+    krb5_data key;
+    int code;
+
+    hdb_principal2key(context, entry->principal, &key);
+    code = db->_del(context, db, key);
+    krb5_data_free(&key);
+    return code;
+}
+
diff --git a/crypto/heimdal/lib/hdb/convert_db.c b/crypto/heimdal/lib/hdb/convert_db.c
new file mode 100644
index 0000000..0b300a5
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/convert_db.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+/* Converts a database from version 0.0* to 0.1. This is done by
+ * making three copies of each DES key (DES-CBC-CRC, DES-CBC-MD4, and
+ * DES-CBC-MD5).
+ *
+ * Use with care. 
+ */
+
+#include "hdb_locl.h"
+#include <getarg.h>
+#include <err.h>
+
+RCSID("$Id: convert_db.c,v 1.12 2001/02/20 01:44:53 assar Exp $");
+
+static krb5_error_code
+update_keytypes(krb5_context context, HDB *db, hdb_entry *entry, void *data)
+{
+    int i;
+    int n = 0;
+    Key *k;
+    int save_len;
+    Key *save_val;
+    HDB *new = data;
+    krb5_error_code ret;
+
+    for(i = 0; i < entry->keys.len; i++) 
+	if(entry->keys.val[i].key.keytype == KEYTYPE_DES)
+	    n += 2;
+	else if(entry->keys.val[i].key.keytype == KEYTYPE_DES3)
+	    n += 1;
+    k = malloc(sizeof(*k) * (entry->keys.len + n));
+    n = 0;
+    for(i = 0; i < entry->keys.len; i++) {
+	copy_Key(&entry->keys.val[i], &k[n]);
+	if(entry->keys.val[i].key.keytype == KEYTYPE_DES) {
+	    copy_Key(&entry->keys.val[i], &k[n+1]);
+	    k[n+1].key.keytype = ETYPE_DES_CBC_MD4;
+	    copy_Key(&entry->keys.val[i], &k[n+2]);
+	    k[n+2].key.keytype = ETYPE_DES_CBC_MD5;
+	    n += 2;
+	}
+	else if(entry->keys.val[i].key.keytype == KEYTYPE_DES3) {
+	    copy_Key(&entry->keys.val[i], &k[n+1]);
+	    k[n+1].key.keytype = ETYPE_DES3_CBC_MD5;
+	    n += 1;
+	}
+	n++;
+    }
+    save_len = entry->keys.len;
+    save_val = entry->keys.val;
+    entry->keys.len = n;
+    entry->keys.val = k;
+    ret = new->store(context, new, HDB_F_REPLACE, entry);
+    entry->keys.len = save_len;
+    entry->keys.val = save_val;
+    for(i = 0; i < n; i++) 
+	free_Key(&k[i]);
+    free(k);
+    return 0;
+}
+
+static krb5_error_code
+update_version2(krb5_context context, HDB *db, hdb_entry *entry, void *data)
+{
+    HDB *new = data;
+    if(!db->master_key_set) {
+	int i;
+	for(i = 0; i < entry->keys.len; i++) {
+	    free(entry->keys.val[i].mkvno);
+	    entry->keys.val[i].mkvno = NULL;
+	}
+    }
+    new->store(context, new, HDB_F_REPLACE, entry);
+    return 0;
+}
+
+char *old_database = HDB_DEFAULT_DB;
+char *new_database = HDB_DEFAULT_DB ".new";
+char *mkeyfile;
+int update_version;
+int help_flag;
+int version_flag;
+
+struct getargs args[] = {
+    { "old-database",	0,	arg_string, &old_database,
+      "name of database to convert", "file" },
+    { "new-database",	0,	arg_string, &new_database,
+      "name of converted database", "file" },
+    { "master-key",	0,	arg_string, &mkeyfile, 
+      "v5 master key file", "file" },
+    { "update-version", 0, 	arg_flag, &update_version,
+      "update the database to the current version" },
+    { "help",		'h',	arg_flag,   &help_flag },
+    { "version",	0,	arg_flag,   &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    HDB *db, *new;
+    int optind = 0;
+    int master_key_set = 0;
+    
+    setprogname(argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optind))
+	krb5_std_usage(1, args, num_args);
+
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    ret = krb5_init_context(&context);
+    if(ret != 0)
+	errx(1, "krb5_init_context failed: %d", ret);
+    
+    ret = hdb_create(context, &db, old_database);
+    if(ret != 0)
+	krb5_err(context, 1, ret, "hdb_create");
+
+    ret = hdb_set_master_keyfile(context, db, mkeyfile);
+    if (ret)
+	krb5_err(context, 1, ret, "hdb_set_master_keyfile");
+    master_key_set = 1;
+    ret = hdb_create(context, &new, new_database);
+    if(ret != 0)
+	krb5_err(context, 1, ret, "hdb_create");
+    if (master_key_set) {
+	ret = hdb_set_master_keyfile(context, new, mkeyfile);
+	if (ret)
+	    krb5_err(context, 1, ret, "hdb_set_master_keyfile");
+    }
+    ret = db->open(context, db, O_RDONLY, 0);
+    if(ret == HDB_ERR_BADVERSION) {
+	krb5_data tag;
+	krb5_data version;
+	int foo;
+	unsigned ver;
+	tag.data = HDB_DB_FORMAT_ENTRY;
+	tag.length = strlen(tag.data);
+	ret = (*db->_get)(context, db, tag, &version);
+	if(ret)
+	    krb5_errx(context, 1, "database is wrong version, "
+		      "but couldn't find version key (%s)", 
+		      HDB_DB_FORMAT_ENTRY);
+	foo = sscanf(version.data, "%u", &ver);
+	krb5_data_free (&version);
+	if(foo != 1)
+	    krb5_errx(context, 1, "database version is not a number");
+	if(ver == 1 && HDB_DB_FORMAT == 2) {
+	    krb5_warnx(context, "will upgrade database from version %d to %d", 
+		       ver, HDB_DB_FORMAT);
+	    krb5_warnx(context, "rerun to do other conversions");
+	    update_version = 1;
+	} else
+	    krb5_errx(context, 1, 
+		      "don't know how to upgrade from version %d to %d", 
+		      ver, HDB_DB_FORMAT);
+    } else if(ret)
+	krb5_err(context, 1, ret, "%s", old_database);
+    ret = new->open(context, new, O_CREAT|O_EXCL|O_RDWR, 0600);
+    if(ret)
+	krb5_err(context, 1, ret, "%s", new_database);
+    if(update_version)
+	ret = hdb_foreach(context, db, 0, update_version2, new);
+    else
+	ret = hdb_foreach(context, db, 0, update_keytypes, new);
+    if(ret != 0)
+	krb5_err(context, 1, ret, "hdb_foreach");
+    db->close(context, db);
+    new->close(context, new);
+    krb5_warnx(context, "wrote converted database to `%s'", new_database);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hdb/db.c b/crypto/heimdal/lib/hdb/db.c
new file mode 100644
index 0000000..6f9c688
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/db.c
@@ -0,0 +1,276 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: db.c,v 1.28 2001/01/30 01:24:00 assar Exp $");
+
+#if defined(HAVE_DB_H) && DB_VERSION_MAJOR < 3
+
+static krb5_error_code
+DB_close(krb5_context context, HDB *db)
+{
+    DB *d = (DB*)db->db;
+    d->close(d);
+    return 0;
+}
+
+static krb5_error_code
+DB_destroy(krb5_context context, HDB *db)
+{
+    krb5_error_code ret;
+
+    ret = hdb_clear_master_key (context, db);
+    free(db->name);
+    free(db);
+    return ret;
+}
+
+static krb5_error_code
+DB_lock(krb5_context context, HDB *db, int operation)
+{
+    DB *d = (DB*)db->db;
+    int fd = (*d->fd)(d);
+    if(fd < 0)
+	return HDB_ERR_CANT_LOCK_DB;
+    return hdb_lock(fd, operation);
+}
+
+static krb5_error_code
+DB_unlock(krb5_context context, HDB *db)
+{
+    DB *d = (DB*)db->db;
+    int fd = (*d->fd)(d);
+    if(fd < 0)
+	return HDB_ERR_CANT_LOCK_DB;
+    return hdb_unlock(fd);
+}
+
+
+static krb5_error_code
+DB_seq(krb5_context context, HDB *db,
+       unsigned flags, hdb_entry *entry, int flag)
+{
+    DB *d = (DB*)db->db;
+    DBT key, value;
+    krb5_data key_data, data;
+    int code;
+
+    code = db->lock(context, db, HDB_RLOCK);
+    if(code == -1)
+	return HDB_ERR_DB_INUSE;
+    code = d->seq(d, &key, &value, flag);
+    db->unlock(context, db); /* XXX check value */
+    if(code == -1)
+	return errno;
+    if(code == 1)
+	return HDB_ERR_NOENTRY;
+
+    key_data.data = key.data;
+    key_data.length = key.size;
+    data.data = value.data;
+    data.length = value.size;
+    if (hdb_value2entry(context, &data, entry))
+	return DB_seq(context, db, flags, entry, R_NEXT);
+    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	code = hdb_unseal_keys (context, db, entry);
+	if (code)
+	    hdb_free_entry (context, entry);
+    }
+    if (code == 0 && entry->principal == NULL) {
+	entry->principal = malloc(sizeof(*entry->principal));
+	if (entry->principal == NULL) {
+	    code = ENOMEM;
+	    hdb_free_entry (context, entry);
+	} else {
+	    hdb_key2principal(context, &key_data, entry->principal);
+	}
+    }
+    return code;
+}
+
+
+static krb5_error_code
+DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return DB_seq(context, db, flags, entry, R_FIRST);
+}
+
+
+static krb5_error_code
+DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return DB_seq(context, db, flags, entry, R_NEXT);
+}
+
+static krb5_error_code
+DB_rename(krb5_context context, HDB *db, const char *new_name)
+{
+    int ret;
+    char *old, *new;
+
+    asprintf(&old, "%s.db", db->name);
+    asprintf(&new, "%s.db", new_name);
+    ret = rename(old, new);
+    free(old);
+    free(new);
+    if(ret)
+	return errno;
+    
+    free(db->name);
+    db->name = strdup(new_name);
+    return 0;
+}
+
+static krb5_error_code
+DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
+{
+    DB *d = (DB*)db->db;
+    DBT k, v;
+    int code;
+
+    k.data = key.data;
+    k.size = key.length;
+    code = db->lock(context, db, HDB_RLOCK);
+    if(code)
+	return code;
+    code = d->get(d, &k, &v, 0);
+    db->unlock(context, db);
+    if(code < 0)
+	return errno;
+    if(code == 1)
+	return HDB_ERR_NOENTRY;
+    
+    krb5_data_copy(reply, v.data, v.size);
+    return 0;
+}
+
+static krb5_error_code
+DB__put(krb5_context context, HDB *db, int replace, 
+	krb5_data key, krb5_data value)
+{
+    DB *d = (DB*)db->db;
+    DBT k, v;
+    int code;
+
+    k.data = key.data;
+    k.size = key.length;
+    v.data = value.data;
+    v.size = value.length;
+    code = db->lock(context, db, HDB_WLOCK);
+    if(code)
+	return code;
+    code = d->put(d, &k, &v, replace ? 0 : R_NOOVERWRITE);
+    db->unlock(context, db);
+    if(code < 0)
+	return errno;
+    if(code == 1)
+	return HDB_ERR_EXISTS;
+    return 0;
+}
+
+static krb5_error_code
+DB__del(krb5_context context, HDB *db, krb5_data key)
+{
+    DB *d = (DB*)db->db;
+    DBT k;
+    krb5_error_code code;
+    k.data = key.data;
+    k.size = key.length;
+    code = db->lock(context, db, HDB_WLOCK);
+    if(code)
+	return code;
+    code = d->del(d, &k, 0);
+    db->unlock(context, db);
+    if(code == 1)
+	return HDB_ERR_NOENTRY;
+    if(code < 0)
+	return errno;
+    return 0;
+}
+
+static krb5_error_code
+DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
+{
+    char *fn;
+    krb5_error_code ret;
+
+    asprintf(&fn, "%s.db", db->name);
+    if (fn == NULL)
+	return ENOMEM;
+    db->db = dbopen(fn, flags, mode, DB_BTREE, NULL);
+    free(fn);
+    /* try to open without .db extension */
+    if(db->db == NULL && errno == ENOENT)
+	db->db = dbopen(db->name, flags, mode, DB_BTREE, NULL);
+    if(db->db == NULL)
+	return errno;
+    if((flags & O_ACCMODE) == O_RDONLY)
+	ret = hdb_check_db_format(context, db);
+    else
+	ret = hdb_init_db(context, db);
+    if(ret == HDB_ERR_NOENTRY)
+	return 0;
+    return ret;
+}
+
+krb5_error_code
+hdb_db_create(krb5_context context, HDB **db, 
+	      const char *filename)
+{
+    *db = malloc(sizeof(**db));
+    if (*db == NULL)
+	return ENOMEM;
+
+    (*db)->db = NULL;
+    (*db)->name = strdup(filename);
+    (*db)->master_key_set = 0;
+    (*db)->openp = 0;
+    (*db)->open  = DB_open;
+    (*db)->close = DB_close;
+    (*db)->fetch = _hdb_fetch;
+    (*db)->store = _hdb_store;
+    (*db)->remove = _hdb_remove;
+    (*db)->firstkey = DB_firstkey;
+    (*db)->nextkey= DB_nextkey;
+    (*db)->lock = DB_lock;
+    (*db)->unlock = DB_unlock;
+    (*db)->rename = DB_rename;
+    (*db)->_get = DB__get;
+    (*db)->_put = DB__put;
+    (*db)->_del = DB__del;
+    (*db)->destroy = DB_destroy;
+    return 0;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/hdb/db3.c b/crypto/heimdal/lib/hdb/db3.c
new file mode 100644
index 0000000..a682071
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/db3.c
@@ -0,0 +1,310 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: db3.c,v 1.6 2001/01/30 01:24:00 assar Exp $");
+
+#if defined(HAVE_DB_H) && DB_VERSION_MAJOR == 3
+static krb5_error_code
+DB_close(krb5_context context, HDB *db)
+{
+    DB *d = (DB*)db->db;
+    DBC *dbcp = (DBC*)db->dbc;
+
+    dbcp->c_close(dbcp);
+    db->dbc = 0;
+    d->close(d, 0);
+    return 0;
+}
+
+static krb5_error_code
+DB_destroy(krb5_context context, HDB *db)
+{
+    krb5_error_code ret;
+
+    ret = hdb_clear_master_key (context, db);
+    free(db->name);
+    free(db);
+    return ret;
+}
+
+static krb5_error_code
+DB_lock(krb5_context context, HDB *db, int operation)
+{
+    DB *d = (DB*)db->db;
+    int fd;
+    if ((*d->fd)(d, &fd))
+	return HDB_ERR_CANT_LOCK_DB;
+    return hdb_lock(fd, operation);
+}
+
+static krb5_error_code
+DB_unlock(krb5_context context, HDB *db)
+{
+    DB *d = (DB*)db->db;
+    int fd;
+    if ((*d->fd)(d, &fd))
+	return HDB_ERR_CANT_LOCK_DB;
+    return hdb_unlock(fd);
+}
+
+
+static krb5_error_code
+DB_seq(krb5_context context, HDB *db,
+       unsigned flags, hdb_entry *entry, int flag)
+{
+    DB *d = (DB*)db->db;
+    DBT key, value;
+    DBC *dbcp = db->dbc;
+    krb5_data key_data, data;
+    int code;
+
+    memset(&key, 0, sizeof(DBT));
+    memset(&value, 0, sizeof(DBT));
+    if (db->lock(context, db, HDB_RLOCK))
+	return HDB_ERR_DB_INUSE;
+    code = dbcp->c_get(dbcp, &key, &value, flag);
+    db->unlock(context, db); /* XXX check value */
+    if (code == DB_NOTFOUND)
+	return HDB_ERR_NOENTRY;
+    if (code)
+	return code;
+
+    key_data.data = key.data;
+    key_data.length = key.size;
+    data.data = value.data;
+    data.length = value.size;
+    if (hdb_value2entry(context, &data, entry))
+	return DB_seq(context, db, flags, entry, DB_NEXT);
+    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	code = hdb_unseal_keys (context, db, entry);
+	if (code)
+	    hdb_free_entry (context, entry);
+    }
+    if (entry->principal == NULL) {
+	entry->principal = malloc(sizeof(*entry->principal));
+	if (entry->principal == NULL) {
+	    code = ENOMEM;
+	    hdb_free_entry (context, entry);
+	} else {
+	    hdb_key2principal(context, &key_data, entry->principal);
+	}
+    }
+    return 0;
+}
+
+
+static krb5_error_code
+DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return DB_seq(context, db, flags, entry, DB_FIRST);
+}
+
+
+static krb5_error_code
+DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return DB_seq(context, db, flags, entry, DB_NEXT);
+}
+
+static krb5_error_code
+DB_rename(krb5_context context, HDB *db, const char *new_name)
+{
+    int ret;
+    char *old, *new;
+
+    asprintf(&old, "%s.db", db->name);
+    asprintf(&new, "%s.db", new_name);
+    ret = rename(old, new);
+    free(old);
+    free(new);
+    if(ret)
+	return errno;
+    
+    free(db->name);
+    db->name = strdup(new_name);
+    return 0;
+}
+
+static krb5_error_code
+DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
+{
+    DB *d = (DB*)db->db;
+    DBT k, v;
+    int code;
+
+    memset(&k, 0, sizeof(DBT));
+    memset(&v, 0, sizeof(DBT));
+    k.data = key.data;
+    k.size = key.length;
+    k.flags = 0;
+    if ((code = db->lock(context, db, HDB_RLOCK)))
+	return code;
+    code = d->get(d, NULL, &k, &v, 0);
+    db->unlock(context, db);
+    if(code == DB_NOTFOUND)
+	return HDB_ERR_NOENTRY;
+    if(code)
+	return code;
+
+    krb5_data_copy(reply, v.data, v.size);
+    return 0;
+}
+
+static krb5_error_code
+DB__put(krb5_context context, HDB *db, int replace, 
+	krb5_data key, krb5_data value)
+{
+    DB *d = (DB*)db->db;
+    DBT k, v;
+    int code;
+
+    memset(&k, 0, sizeof(DBT));
+    memset(&v, 0, sizeof(DBT));
+    k.data = key.data;
+    k.size = key.length;
+    k.flags = 0;
+    v.data = value.data;
+    v.size = value.length;
+    v.flags = 0;
+    if ((code = db->lock(context, db, HDB_WLOCK)))
+	return code;
+    code = d->put(d, NULL, &k, &v, replace ? 0 : DB_NOOVERWRITE);
+    db->unlock(context, db);
+    if(code == DB_KEYEXIST)
+	return HDB_ERR_EXISTS;
+    if(code)
+	return errno;
+    return 0;
+}
+
+static krb5_error_code
+DB__del(krb5_context context, HDB *db, krb5_data key)
+{
+    DB *d = (DB*)db->db;
+    DBT k;
+    krb5_error_code code;
+    memset(&k, 0, sizeof(DBT));
+    k.data = key.data;
+    k.size = key.length;
+    k.flags = 0;
+    code = db->lock(context, db, HDB_WLOCK);
+    if(code)
+	return code;
+    code = d->del(d, NULL, &k, 0);
+    db->unlock(context, db);
+    if(code == DB_NOTFOUND)
+	return HDB_ERR_NOENTRY;
+    if(code)
+	return code;
+    return 0;
+}
+
+static krb5_error_code
+DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
+{
+    char *fn;
+    krb5_error_code ret;
+    DB *d;
+    int myflags = 0;
+
+    if (flags & O_CREAT)
+      myflags |= DB_CREATE;
+
+    if (flags & O_EXCL)
+      myflags |= DB_EXCL;
+
+    if (flags & O_RDONLY)
+      myflags |= DB_RDONLY;
+
+    if (flags & O_TRUNC)
+      myflags |= DB_TRUNCATE;
+
+    asprintf(&fn, "%s.db", db->name);
+    if (fn == NULL)
+	return ENOMEM;
+    db_create(&d, NULL, 0);
+    db->db = d;
+    if ((ret = d->open(db->db, fn, NULL, DB_BTREE, myflags, mode))) {
+      if(ret == ENOENT)
+	/* try to open without .db extension */
+	if (d->open(db->db, db->name, NULL, DB_BTREE, myflags, mode)) {
+	  free(fn);
+	  return ret;
+	}
+    }
+    free(fn);
+
+    ret = d->cursor(d, NULL, (DBC **)&db->dbc, 0);
+    if (ret)
+        return ret;
+
+    if((flags & O_ACCMODE) == O_RDONLY)
+	ret = hdb_check_db_format(context, db);
+    else
+	ret = hdb_init_db(context, db);
+    if(ret == HDB_ERR_NOENTRY)
+	return 0;
+    return ret;
+}
+
+krb5_error_code
+hdb_db_create(krb5_context context, HDB **db, 
+	      const char *filename)
+{
+    *db = malloc(sizeof(**db));
+    if (*db == NULL)
+	return ENOMEM;
+
+    (*db)->db = NULL;
+    (*db)->name = strdup(filename);
+    (*db)->master_key_set = 0;
+    (*db)->openp = 0;
+    (*db)->open  = DB_open;
+    (*db)->close = DB_close;
+    (*db)->fetch = _hdb_fetch;
+    (*db)->store = _hdb_store;
+    (*db)->remove = _hdb_remove;
+    (*db)->firstkey = DB_firstkey;
+    (*db)->nextkey= DB_nextkey;
+    (*db)->lock = DB_lock;
+    (*db)->unlock = DB_unlock;
+    (*db)->rename = DB_rename;
+    (*db)->_get = DB__get;
+    (*db)->_put = DB__put;
+    (*db)->_del = DB__del;
+    (*db)->destroy = DB_destroy;
+    return 0;
+}
+#endif
diff --git a/crypto/heimdal/lib/hdb/hdb-ldap.c b/crypto/heimdal/lib/hdb/hdb-ldap.c
new file mode 100644
index 0000000..db321cb
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb-ldap.c
@@ -0,0 +1,1344 @@
+/*
+ * Copyright (c) 1999 - 2001, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software  nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: hdb-ldap.c,v 1.8 2001/03/26 00:59:37 assar Exp $");
+
+#ifdef OPENLDAP
+
+#include <lber.h>
+#include <ldap.h>
+#include <ctype.h>
+#include <sys/un.h>
+
+static krb5_error_code LDAP__connect(krb5_context context, HDB * db);
+
+static krb5_error_code
+LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
+		   hdb_entry * ent);
+
+static char *krb5kdcentry_attrs[] =
+    { "krb5PrincipalName", "cn", "krb5PrincipalRealm",
+    "krb5KeyVersionNumber", "krb5Key",
+    "krb5ValidStart", "krb5ValidEnd", "krb5PasswordEnd",
+    "krb5MaxLife", "krb5MaxRenew", "krb5KDCFlags", "krb5EncryptionType",
+    "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp",
+    NULL
+};
+
+static char *krb5principal_attrs[] =
+    { "krb5PrincipalName", "cn", "krb5PrincipalRealm",
+    "modifiersName", "modifyTimestamp", "creatorsName", "createTimestamp",
+    NULL
+};
+
+/* based on samba: source/passdb/ldap.c */
+static krb5_error_code
+LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute,
+		unsigned char *value, size_t len)
+{
+    LDAPMod **mods = *modlist;
+    int i, j;
+
+    if (mods == NULL) {
+	mods = (LDAPMod **) calloc(1, sizeof(LDAPMod *));
+	if (mods == NULL) {
+	    return ENOMEM;
+	}
+	mods[0] = NULL;
+    }
+
+    for (i = 0; mods[i] != NULL; ++i) {
+	if ((mods[i]->mod_op & (~LDAP_MOD_BVALUES)) == modop
+	    && (!strcasecmp(mods[i]->mod_type, attribute))) {
+	    break;
+	}
+    }
+
+    if (mods[i] == NULL) {
+	mods = (LDAPMod **) realloc(mods, (i + 2) * sizeof(LDAPMod *));
+	if (mods == NULL) {
+	    return ENOMEM;
+	}
+	mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
+	if (mods[i] == NULL) {
+	    return ENOMEM;
+	}
+	mods[i]->mod_op = modop | LDAP_MOD_BVALUES;
+	mods[i]->mod_bvalues = NULL;
+	mods[i]->mod_type = strdup(attribute);
+	if (mods[i]->mod_type == NULL) {
+	    return ENOMEM;
+	}
+	mods[i + 1] = NULL;
+    }
+
+    if (value != NULL) {
+	j = 0;
+	if (mods[i]->mod_bvalues != NULL) {
+	    for (; mods[i]->mod_bvalues[j] != NULL; j++);
+	}
+	mods[i]->mod_bvalues =
+	    (struct berval **) realloc(mods[i]->mod_bvalues,
+				       (j + 2) * sizeof(struct berval *));
+	if (mods[i]->mod_bvalues == NULL) {
+	    return ENOMEM;
+	}
+	/* Caller allocates memory on our behalf, unlike LDAP_addmod. */
+	mods[i]->mod_bvalues[j] =
+	    (struct berval *) malloc(sizeof(struct berval));
+	if (mods[i]->mod_bvalues[j] == NULL) {
+	    return ENOMEM;
+	}
+	mods[i]->mod_bvalues[j]->bv_val = value;
+	mods[i]->mod_bvalues[j]->bv_len = len;
+	mods[i]->mod_bvalues[j + 1] = NULL;
+    }
+    *modlist = mods;
+    return 0;
+}
+
+static krb5_error_code
+LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute,
+	    const char *value)
+{
+    LDAPMod **mods = *modlist;
+    int i, j;
+
+    if (mods == NULL) {
+	mods = (LDAPMod **) calloc(1, sizeof(LDAPMod *));
+	if (mods == NULL) {
+	    return ENOMEM;
+	}
+	mods[0] = NULL;
+    }
+
+    for (i = 0; mods[i] != NULL; ++i) {
+	if (mods[i]->mod_op == modop
+	    && (!strcasecmp(mods[i]->mod_type, attribute))) {
+	    break;
+	}
+    }
+
+    if (mods[i] == NULL) {
+	mods = (LDAPMod **) realloc(mods, (i + 2) * sizeof(LDAPMod *));
+	if (mods == NULL) {
+	    return ENOMEM;
+	}
+	mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
+	if (mods[i] == NULL) {
+	    return ENOMEM;
+	}
+	mods[i]->mod_op = modop;
+	mods[i]->mod_values = NULL;
+	mods[i]->mod_type = strdup(attribute);
+	if (mods[i]->mod_type == NULL) {
+	    return ENOMEM;
+	}
+	mods[i + 1] = NULL;
+    }
+
+    if (value != NULL) {
+	j = 0;
+	if (mods[i]->mod_values != NULL) {
+	    for (; mods[i]->mod_values[j] != NULL; j++);
+	}
+	mods[i]->mod_values = (char **) realloc(mods[i]->mod_values,
+						(j + 2) * sizeof(char *));
+	if (mods[i]->mod_values == NULL) {
+	    return ENOMEM;
+	}
+	mods[i]->mod_values[j] = strdup(value);
+	if (mods[i]->mod_values[j] == NULL) {
+	    return ENOMEM;
+	}
+	mods[i]->mod_values[j + 1] = NULL;
+    }
+    *modlist = mods;
+    return 0;
+}
+
+static krb5_error_code
+LDAP_addmod_generalized_time(LDAPMod *** mods, int modop,
+			     const char *attribute, KerberosTime * time)
+{
+    char buf[22];
+    struct tm *tm;
+
+    /* XXX not threadsafe */
+    tm = gmtime(time);
+    strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", tm);
+
+    return LDAP_addmod(mods, modop, attribute, buf);
+}
+
+static krb5_error_code
+LDAP_get_string_value(HDB * db, LDAPMessage * entry,
+		      const char *attribute, char **ptr)
+{
+    char **vals;
+    int ret;
+
+    vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute);
+    if (vals == NULL) {
+	return HDB_ERR_NOENTRY;
+    }
+    *ptr = strdup(vals[0]);
+    if (*ptr == NULL) {
+	ret = ENOMEM;
+    } else {
+	ret = 0;
+    }
+
+    ldap_value_free(vals);
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_get_integer_value(HDB * db, LDAPMessage * entry,
+		       const char *attribute, int *ptr)
+{
+    char **vals;
+
+    vals = ldap_get_values((LDAP *) db->db, entry, (char *) attribute);
+    if (vals == NULL) {
+	return HDB_ERR_NOENTRY;
+    }
+    *ptr = atoi(vals[0]);
+    ldap_value_free(vals);
+    return 0;
+}
+
+static krb5_error_code
+LDAP_get_generalized_time_value(HDB * db, LDAPMessage * entry,
+				const char *attribute, KerberosTime * kt)
+{
+    char *tmp, *gentime;
+    struct tm tm;
+    int ret;
+
+    *kt = 0;
+
+    ret = LDAP_get_string_value(db, entry, attribute, &gentime);
+    if (ret != 0) {
+	return ret;
+    }
+
+    tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
+    if (tmp == NULL) {
+	free(gentime);
+	return HDB_ERR_NOENTRY;
+    }
+
+    free(gentime);
+
+    *kt = timegm(&tm);
+
+    return 0;
+}
+
+static krb5_error_code
+LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent,
+		LDAPMessage * msg, LDAPMod *** pmods)
+{
+    krb5_error_code ret;
+    krb5_boolean is_new_entry;
+    int rc, i;
+    char *tmp = NULL;
+    LDAPMod **mods = NULL;
+    hdb_entry orig;
+    unsigned long oflags, nflags;
+
+    if (msg != NULL) {
+	ret = LDAP_message2entry(context, db, msg, &orig);
+	if (ret != 0) {
+	    goto out;
+	}
+	is_new_entry = FALSE;
+    } else {
+	/* to make it perfectly obvious we're depending on
+	 * orig being intiialized to zero */
+	memset(&orig, 0, sizeof(orig));
+	is_new_entry = TRUE;
+    }
+
+    if (is_new_entry) {
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "top");
+	if (ret != 0) {
+	    goto out;
+	}
+	/* person is the structural object class */
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass", "person");
+	if (ret != 0) {
+	    goto out;
+	}
+	ret =
+	    LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
+			"krb5Principal");
+	if (ret != 0) {
+	    goto out;
+	}
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "objectClass",
+			  "krb5KDCEntry");
+	if (ret != 0) {
+	    goto out;
+	}
+    }
+
+    if (is_new_entry ||
+	krb5_principal_compare(context, ent->principal, orig.principal) ==
+	FALSE) {
+	ret = krb5_unparse_name(context, ent->principal, &tmp);
+	if (ret != 0) {
+	    goto out;
+	}
+	ret =
+	    LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5PrincipalName", tmp);
+	if (ret != 0) {
+	    free(tmp);
+	    goto out;
+	}
+	free(tmp);
+    }
+
+    if (ent->kvno != orig.kvno) {
+	rc = asprintf(&tmp, "%d", ent->kvno);
+	if (rc < 0) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ret =
+	    LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KeyVersionNumber",
+			tmp);
+	free(tmp);
+	if (ret != 0) {
+	    goto out;
+	}
+    }
+
+    if (ent->valid_start) {
+	if (orig.valid_end == NULL
+	    || (*(ent->valid_start) != *(orig.valid_start))) {
+	    ret =
+		LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+					     "krb5ValidStart",
+					     ent->valid_start);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    if (ent->valid_end) {
+	if (orig.valid_end == NULL
+	    || (*(ent->valid_end) != *(orig.valid_end))) {
+	    ret =
+		LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+					     "krb5ValidEnd",
+					     ent->valid_end);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    if (ent->pw_end) {
+	if (orig.pw_end == NULL || (*(ent->pw_end) != *(orig.pw_end))) {
+	    ret =
+		LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
+					     "krb5PasswordEnd",
+					     ent->pw_end);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    if (ent->max_life) {
+	if (orig.max_life == NULL
+	    || (*(ent->max_life) != *(orig.max_life))) {
+	    rc = asprintf(&tmp, "%d", *(ent->max_life));
+	    if (rc < 0) {
+		ret = ENOMEM;
+		goto out;
+	    }
+	    ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxLife", tmp);
+	    free(tmp);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    if (ent->max_renew) {
+	if (orig.max_renew == NULL
+	    || (*(ent->max_renew) != *(orig.max_renew))) {
+	    rc = asprintf(&tmp, "%d", *(ent->max_renew));
+	    if (rc < 0) {
+		ret = ENOMEM;
+		goto out;
+	    }
+	    ret =
+		LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5MaxRenew", tmp);
+	    free(tmp);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    memset(&oflags, 0, sizeof(oflags));
+    memcpy(&oflags, &orig.flags, sizeof(HDBFlags));
+    memset(&nflags, 0, sizeof(nflags));
+    memcpy(&nflags, &ent->flags, sizeof(HDBFlags));
+
+    if (memcmp(&oflags, &nflags, sizeof(HDBFlags))) {
+	rc = asprintf(&tmp, "%lu", nflags);
+	if (rc < 0) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "krb5KDCFlags", tmp);
+	free(tmp);
+	if (ret != 0) {
+	    goto out;
+	}
+    }
+
+    if (is_new_entry == FALSE && orig.keys.len > 0) {
+	/* for the moment, clobber and replace keys. */
+	ret = LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5Key", NULL);
+	if (ret != 0) {
+	    goto out;
+	}
+    }
+
+    for (i = 0; i < ent->keys.len; i++) {
+	unsigned char *buf;
+	size_t len;
+	Key new;
+
+	ret = copy_Key(&ent->keys.val[i], &new);
+	if (ret != 0) {
+	    goto out;
+	}
+
+	len = length_Key(&new);
+	buf = malloc(len);
+	if (buf == NULL) {
+	    ret = ENOMEM;
+	    free_Key(&new);
+	    goto out;
+	}
+
+	ret = encode_Key(buf + len - 1, len, &new, &len);
+	if (ret != 0) {
+	    free(buf);
+	    free_Key(&new);
+	    goto out;
+	}
+	free_Key(&new);
+
+	/* addmod_len _owns_ the key, doesn't need to copy it */
+	ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
+	if (ret != 0) {
+	    goto out;
+	}
+    }
+
+    if (ent->etypes) {
+	/* clobber and replace encryption types. */
+	if (is_new_entry == FALSE) {
+	    ret =
+		LDAP_addmod(&mods, LDAP_MOD_DELETE, "krb5EncryptionType",
+			    NULL);
+	}
+	for (i = 0; i < ent->etypes->len; i++) {
+	    rc = asprintf(&tmp, "%d", ent->etypes->val[i]);
+	    if (rc < 0) {
+		ret = ENOMEM;
+		goto out;
+	    }
+	    free(tmp);
+	    ret =
+		LDAP_addmod(&mods, LDAP_MOD_ADD, "krb5EncryptionType",
+			    tmp);
+	    if (ret != 0) {
+		goto out;
+	    }
+	}
+    }
+
+    /* for clarity */
+    ret = 0;
+
+  out:
+
+    if (ret == 0) {
+	*pmods = mods;
+    } else if (mods != NULL) {
+	ldap_mods_free(mods, 1);
+	*pmods = NULL;
+    }
+
+    if (msg != NULL) {
+	hdb_free_entry(context, &orig);
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_dn2principal(krb5_context context, HDB * db, const char *dn,
+		  krb5_principal * principal)
+{
+    krb5_error_code ret;
+    int rc;
+    char **values;
+    LDAPMessage *res = NULL, *e;
+
+    rc = 1;
+    (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, &rc);
+    rc = ldap_search_s((LDAP *) db->db, db->name, LDAP_SCOPE_BASE,
+		       "(objectclass=krb5Principal)", krb5principal_attrs,
+		       0, &res);
+
+    if (rc != LDAP_SUCCESS) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    e = ldap_first_entry((LDAP *) db->db, res);
+    if (e == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    values = ldap_get_values((LDAP *) db->db, e, "krb5PrincipalName");
+    if (values == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    ret = krb5_parse_name(context, values[0], principal);
+    ldap_value_free(values);
+
+  out:
+    if (res != NULL) {
+	ldap_msgfree(res);
+    }
+    return ret;
+}
+
+static krb5_error_code
+LDAP__lookup_princ(krb5_context context, HDB * db, const char *princname,
+		   LDAPMessage ** msg)
+{
+    krb5_error_code ret;
+    int rc;
+    char *filter = NULL;
+
+    (void) LDAP__connect(context, db);
+
+    rc =
+	asprintf(&filter,
+		 "(&(objectclass=krb5KDCEntry)(krb5PrincipalName=%s))",
+		 princname);
+    if (rc < 0) {
+	ret = ENOMEM;
+	goto out;
+    }
+
+    rc = 1;
+    (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, (void *) &rc);
+
+    rc = ldap_search_s((LDAP *) db->db, db->name, LDAP_SCOPE_ONELEVEL, filter, 
+		       krb5kdcentry_attrs, 0, msg);
+    if (rc != LDAP_SUCCESS) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    ret = 0;
+
+  out:
+    if (filter != NULL) {
+	free(filter);
+    }
+    return ret;
+}
+
+static krb5_error_code
+LDAP_principal2message(krb5_context context, HDB * db,
+		       krb5_principal princ, LDAPMessage ** msg)
+{
+    char *princname = NULL;
+    krb5_error_code ret;
+
+    ret = krb5_unparse_name(context, princ, &princname);
+    if (ret != 0) {
+	return ret;
+    }
+
+    ret = LDAP__lookup_princ(context, db, princname, msg);
+    free(princname);
+
+    return ret;
+}
+
+/*
+ * Construct an hdb_entry from a directory entry.
+ */
+static krb5_error_code
+LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
+		   hdb_entry * ent)
+{
+    char *unparsed_name = NULL, *dn = NULL;
+    int ret;
+    unsigned long tmp;
+    struct berval **keys;
+    char **values;
+
+    memset(ent, 0, sizeof(*ent));
+    memset(&ent->flags, 0, sizeof(HDBFlags));
+
+    ret =
+	LDAP_get_string_value(db, msg, "krb5PrincipalName",
+			      &unparsed_name);
+    if (ret != 0) {
+	return ret;
+    }
+
+    ret = krb5_parse_name(context, unparsed_name, &ent->principal);
+    if (ret != 0) {
+	goto out;
+    }
+
+    ret =
+	LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
+			       &ent->kvno);
+    if (ret != 0) {
+	ent->kvno = 0;
+    }
+
+    keys = ldap_get_values_len((LDAP *) db->db, msg, "krb5Key");
+    if (keys != NULL) {
+	int i;
+	size_t l;
+
+	ent->keys.len = ldap_count_values_len(keys);
+	ent->keys.val = (Key *) calloc(ent->keys.len, sizeof(Key));
+	for (i = 0; i < ent->keys.len; i++) {
+	    decode_Key((unsigned char *) keys[i]->bv_val,
+		       (size_t) keys[i]->bv_len, &ent->keys.val[i], &l);
+	}
+	ber_bvecfree(keys);
+    } else {
+#if 1
+	/*
+	 * This violates the ASN1 but it allows a principal to
+	 * be related to a general directory entry without creating
+	 * the keys. Hopefully it's OK.
+	 */
+	ent->keys.len = 0;
+	ent->keys.val = NULL;
+#else
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+#endif
+    }
+
+    ret =
+	LDAP_get_generalized_time_value(db, msg, "createTimestamp",
+					&ent->created_by.time);
+    if (ret != 0) {
+	ent->created_by.time = time(NULL);
+    }
+
+    ent->created_by.principal = NULL;
+
+    ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
+    if (ret == 0) {
+	if (LDAP_dn2principal(context, db, dn, &ent->created_by.principal)
+	    != 0) {
+	    ent->created_by.principal = NULL;
+	}
+	free(dn);
+    }
+
+    ent->modified_by = (Event *) malloc(sizeof(Event));
+    if (ent->modified_by == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    ret =
+	LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
+					&ent->modified_by->time);
+    if (ret == 0) {
+	ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
+	if (LDAP_dn2principal
+	    (context, db, dn, &ent->modified_by->principal) != 0) {
+	    ent->modified_by->principal = NULL;
+	}
+	free(dn);
+    } else {
+	free(ent->modified_by);
+	ent->modified_by = NULL;
+    }
+
+    if ((ent->valid_start = (KerberosTime *) malloc(sizeof(KerberosTime)))
+	== NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    ret =
+	LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
+					ent->valid_start);
+    if (ret != 0) {
+	/* OPTIONAL */
+	free(ent->valid_start);
+	ent->valid_start = NULL;
+    }
+
+    if ((ent->valid_end = (KerberosTime *) malloc(sizeof(KerberosTime))) ==
+	NULL) {ret = ENOMEM;
+	goto out;
+    }
+    ret =
+	LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
+					ent->valid_end);
+    if (ret != 0) {
+	/* OPTIONAL */
+	free(ent->valid_end);
+	ent->valid_end = NULL;
+    }
+
+    if ((ent->pw_end = (KerberosTime *) malloc(sizeof(KerberosTime))) ==
+	NULL) {ret = ENOMEM;
+	goto out;
+    }
+    ret =
+	LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
+					ent->pw_end);
+    if (ret != 0) {
+	/* OPTIONAL */
+	free(ent->pw_end);
+	ent->pw_end = NULL;
+    }
+
+    ent->max_life = (int *) malloc(sizeof(int));
+    if (ent->max_life == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", ent->max_life);
+    if (ret != 0) {
+	free(ent->max_life);
+	ent->max_life = NULL;
+    }
+
+    ent->max_renew = (int *) malloc(sizeof(int));
+    if (ent->max_renew == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+    ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", ent->max_renew);
+    if (ret != 0) {
+	free(ent->max_renew);
+	ent->max_renew = NULL;
+    }
+
+    values = ldap_get_values((LDAP *) db->db, msg, "krb5KDCFlags");
+    if (values != NULL) {
+	tmp = strtoul(values[0], (char **) NULL, 10);
+	if (tmp == ULONG_MAX && errno == ERANGE) {
+	    ret = ERANGE;
+	    goto out;
+	}
+    } else {
+	tmp = 0;
+    }
+    memcpy(&ent->flags, &tmp, sizeof(HDBFlags));
+
+    values = ldap_get_values((LDAP *) db->db, msg, "krb5EncryptionType");
+    if (values != NULL) {
+	int i;
+
+	ent->etypes = malloc(sizeof(*(ent->etypes)));
+	if (ent->etypes == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	ent->etypes->len = ldap_count_values(values);
+	ent->etypes->val = calloc(ent->etypes->len, sizeof(int));
+	for (i = 0; i < ent->etypes->len; i++) {
+	    ent->etypes->val[i] = atoi(values[i]);
+	}
+	ldap_value_free(values);
+    }
+
+    ret = 0;
+
+  out:
+    if (unparsed_name != NULL) {
+	free(unparsed_name);
+    }
+
+    if (ret != 0) {
+	/* I don't think this frees ent itself. */
+	hdb_free_entry(context, ent);
+    }
+
+    return ret;
+}
+
+static krb5_error_code LDAP_close(krb5_context context, HDB * db)
+{
+    LDAP *ld = (LDAP *) db->db;
+
+    ldap_unbind(ld);
+    db->db = NULL;
+    return 0;
+}
+
+static krb5_error_code
+LDAP_lock(krb5_context context, HDB * db, int operation)
+{
+    return 0;
+}
+
+static krb5_error_code LDAP_unlock(krb5_context context, HDB * db)
+{
+    return 0;
+}
+
+static krb5_error_code
+LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
+{
+    int msgid, rc, parserc;
+    krb5_error_code ret;
+    LDAPMessage *e;
+
+    msgid = db->openp;		/* BOGUS OVERLOADING */
+    if (msgid < 0) {
+	return HDB_ERR_NOENTRY;
+    }
+
+    do {
+	rc = ldap_result((LDAP *) db->db, msgid, LDAP_MSG_ONE, NULL, &e);
+	switch (rc) {
+	case LDAP_RES_SEARCH_ENTRY:
+	    /* We have an entry. Parse it. */
+	    ret = LDAP_message2entry(context, db, e, entry);
+	    ldap_msgfree(e);
+	    break;
+	case LDAP_RES_SEARCH_RESULT:
+	    /* We're probably at the end of the results. If not, abandon. */
+	    parserc =
+		ldap_parse_result((LDAP *) db->db, e, NULL, NULL, NULL,
+				  NULL, NULL, 1);
+	    if (parserc != LDAP_SUCCESS
+		&& parserc != LDAP_MORE_RESULTS_TO_RETURN) {
+		ldap_abandon((LDAP *) db->db, msgid);
+	    }
+	    ret = HDB_ERR_NOENTRY;
+	    db->openp = -1;
+	    break;
+	case 0:
+	case -1:
+	default:
+	    /* Some unspecified error (timeout?). Abandon. */
+	    ldap_msgfree(e);
+	    ldap_abandon((LDAP *) db->db, msgid);
+	    ret = HDB_ERR_NOENTRY;
+	    db->openp = -1;
+	    break;
+	}
+    } while (rc == LDAP_RES_SEARCH_REFERENCE);
+
+    if (ret == 0) {
+	if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	    ret = hdb_unseal_keys(context, db, entry);
+	    if (ret)
+		hdb_free_entry(context,entry);
+	}
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_firstkey(krb5_context context, HDB * db, unsigned flags,
+	      hdb_entry * entry)
+{
+    int msgid;
+
+    (void) LDAP__connect(context, db);
+
+    msgid = LDAP_NO_LIMIT;
+    (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, &msgid);
+
+    msgid = ldap_search((LDAP *) db->db, db->name,
+			LDAP_SCOPE_ONELEVEL, "(objectclass=krb5KDCEntry)",
+			krb5kdcentry_attrs, 0);
+    if (msgid < 0) {
+	return HDB_ERR_NOENTRY;
+    }
+
+    db->openp = msgid;
+
+    return LDAP_seq(context, db, flags, entry);
+}
+
+static krb5_error_code
+LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
+	     hdb_entry * entry)
+{
+    return LDAP_seq(context, db, flags, entry);
+}
+
+static krb5_error_code
+LDAP_rename(krb5_context context, HDB * db, const char *new_name)
+{
+    return HDB_ERR_DB_INUSE;
+}
+
+static krb5_boolean LDAP__is_user_namingcontext(const char *ctx,
+						char *const *subschema)
+{
+    char *const *p;
+
+    if (!strcasecmp(ctx, "CN=MONITOR")
+	|| !strcasecmp(ctx, "CN=CONFIG")) {
+	return FALSE;
+    }
+
+    if (subschema != NULL) {
+	for (p = subschema; *p != NULL; p++) {
+	    if (!strcasecmp(ctx, *p)) {
+		return FALSE;
+	    }
+	}
+    }
+
+    return TRUE;
+}
+
+static krb5_error_code LDAP__connect(krb5_context context, HDB * db)
+{
+    int rc;
+    krb5_error_code ret;
+    char *attrs[] = { "namingContexts", "subschemaSubentry", NULL };
+    LDAPMessage *res = NULL, *e;
+
+    if (db->db != NULL) {
+	/* connection has been opened. ping server. */
+	struct sockaddr_un addr;
+	socklen_t len;
+	int sd;
+
+	if (ldap_get_option((LDAP *) db->db, LDAP_OPT_DESC, &sd) == 0 &&
+	    getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
+	    /* the other end has died. reopen. */
+	    LDAP_close(context, db);
+	}
+    }
+
+    if (db->db != NULL) {
+	/* server is UP */
+	return 0;
+    }
+
+    rc = ldap_initialize((LDAP **) & db->db, "ldapi:///");
+    if (rc != LDAP_SUCCESS) {
+	return HDB_ERR_NOENTRY;
+    }
+
+    rc = LDAP_VERSION3;
+    (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_PROTOCOL_VERSION, &rc);
+
+    /* XXX set db->name to the search base */
+    rc = ldap_search_s((LDAP *) db->db, "", LDAP_SCOPE_BASE,
+		       "(objectclass=*)", attrs, 0, &res);
+    if (rc != LDAP_SUCCESS) {
+	ret = HDB_ERR_BADVERSION;
+	goto out;
+    }
+
+    e = ldap_first_entry((LDAP *) db->db, res);
+    if (e == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    if (db->name == NULL) {
+	char **contexts = NULL, **schema_contexts, **p;
+
+	contexts = ldap_get_values((LDAP *) db->db, e, "namingContexts");
+	if (contexts == NULL) {
+	    ret = HDB_ERR_NOENTRY;
+	    goto out;
+	}
+
+	schema_contexts =
+	    ldap_get_values((LDAP *) db->db, e, "subschemaSubentry");
+
+	if (db->name != NULL) {
+	    free(db->name);
+	    db->name = NULL;
+	}
+
+	for (p = contexts; *p != NULL; p++) {
+	    if (LDAP__is_user_namingcontext(*p, schema_contexts)) {
+		break;
+	    }
+	}
+
+	db->name = strdup(*p);
+	if (db->name == NULL) {
+	    ldap_value_free(contexts);
+	    ret = ENOMEM;
+	    goto out;
+	}
+
+	ldap_value_free(contexts);
+	if (schema_contexts != NULL) {
+	    ldap_value_free(schema_contexts);
+	}
+    }
+
+    ret = 0;
+
+  out:
+
+    if (res != NULL) {
+	ldap_msgfree(res);
+    }
+
+    if (ret != 0) {
+	if (db->db != NULL) {
+	    ldap_unbind((LDAP *) db->db);
+	    db->db = NULL;
+	}
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
+{
+    krb5_error_code ret;
+
+    /* Not the right place for this. */
+#ifdef HAVE_SIGACTION
+    {
+	struct sigaction sa;
+
+	sa.sa_flags = 0;
+	sa.sa_handler = SIG_IGN;
+	sigemptyset(&sa.sa_mask);
+
+	sigaction(SIGPIPE, &sa, NULL);
+    }
+#else
+    signal(SIGPIPE, SIG_IGN);
+#endif
+
+    if (db->name != NULL) {
+	free(db->name);
+	db->name = NULL;
+    }
+
+    ret = LDAP__connect(context, db);
+    if (ret != 0) {
+	return ret;
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_fetch(krb5_context context, HDB * db, unsigned flags,
+	   hdb_entry * entry)
+{
+    LDAPMessage *msg, *e;
+    krb5_error_code ret;
+
+    ret = LDAP_principal2message(context, db, entry->principal, &msg);
+    if (ret != 0) {
+	return ret;
+    }
+
+    e = ldap_first_entry((LDAP *) db->db, msg);
+    if (e == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    ret = LDAP_message2entry(context, db, e, entry);
+    if (ret == 0) {
+	if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	    ret = hdb_unseal_keys(context, db, entry);
+	    if (ret)
+		hdb_free_entry(context,entry);
+	}
+    }
+
+  out:
+    ldap_msgfree(msg);
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_store(krb5_context context, HDB * db, unsigned flags,
+	   hdb_entry * entry)
+{
+    LDAPMod **mods = NULL;
+    krb5_error_code ret;
+    LDAPMessage *msg = NULL, *e = NULL;
+    char *dn = NULL, *name = NULL;
+
+    ret = krb5_unparse_name(context, entry->principal, &name);
+    if (ret != 0) {
+	goto out;
+    }
+
+    ret = LDAP__lookup_princ(context, db, name, &msg);
+    if (ret == 0) {
+	e = ldap_first_entry((LDAP *) db->db, msg);
+    }
+
+    ret = hdb_seal_keys(context, db, entry);
+    if (ret)
+	goto out;
+
+    /* turn new entry into LDAPMod array */
+    ret = LDAP_entry2mods(context, db, entry, e, &mods);
+    if (ret != 0) {
+	goto out;
+    }
+
+    if (e == NULL) {
+	/* Doesn't exist yet. */
+	char *p;
+
+	e = NULL;
+
+	/* normalize the naming attribute */
+	for (p = name; *p != '\0'; p++) {
+	    *p = (char) tolower((int) *p);
+	}
+
+	/*
+	 * We could do getpwnam() on the local component of
+	 * the principal to find cn/sn but that's probably
+	 * bad thing to do from inside a KDC. Better leave
+	 * it to management tools.
+	 */
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "cn", name);
+	if (ret < 0) {
+	    goto out;
+	}
+
+	ret = LDAP_addmod(&mods, LDAP_MOD_ADD, "sn", name);
+	if (ret < 0) {
+	    goto out;
+	}
+
+	ret = asprintf(&dn, "cn=%s,%s", name, db->name);
+	if (ret < 0) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+    } else if (flags & HDB_F_REPLACE) {
+	/* Entry exists, and we're allowed to replace it. */
+	dn = ldap_get_dn((LDAP *) db->db, e);
+    } else {
+	/* Entry exists, but we're not allowed to replace it. Bail. */
+	ret = HDB_ERR_EXISTS;
+	goto out;
+    }
+
+    /* write entry into directory */
+    if (e == NULL) {
+	/* didn't exist before */
+	ret = ldap_add_s((LDAP *) db->db, dn, mods);
+    } else {
+	/* already existed, send deltas only */
+	ret = ldap_modify_s((LDAP *) db->db, dn, mods);
+    }
+
+    if (ret == LDAP_SUCCESS) {
+	ret = 0;
+    } else {
+	ret = HDB_ERR_CANT_LOCK_DB;
+    }
+
+  out:
+    /* free stuff */
+    if (dn != NULL) {
+	free(dn);
+    }
+
+    if (msg != NULL) {
+	ldap_msgfree(msg);
+    }
+
+    if (mods != NULL) {
+	ldap_mods_free(mods, 1);
+    }
+
+    if (name != NULL) {
+	free(name);
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP_remove(krb5_context context, HDB * db, hdb_entry * entry)
+{
+    krb5_error_code ret;
+    LDAPMessage *msg, *e;
+    char *dn = NULL;
+
+    ret = LDAP_principal2message(context, db, entry->principal, &msg);
+    if (ret != 0) {
+	goto out;
+    }
+
+    e = ldap_first_entry((LDAP *) db->db, msg);
+    if (e == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    dn = ldap_get_dn((LDAP *) db->db, e);
+    if (dn == NULL) {
+	ret = HDB_ERR_NOENTRY;
+	goto out;
+    }
+
+    ret = LDAP_NO_LIMIT;
+    (void) ldap_set_option((LDAP *) db->db, LDAP_OPT_SIZELIMIT, &ret);
+
+    ret = ldap_delete_s((LDAP *) db->db, dn);
+    if (ret == LDAP_SUCCESS) {
+	ret = 0;
+    } else {
+	ret = HDB_ERR_CANT_LOCK_DB;
+    }
+
+  out:
+    if (dn != NULL) {
+	free(dn);
+    }
+
+    if (msg != NULL) {
+	ldap_msgfree(msg);
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+LDAP__get(krb5_context context, HDB * db, krb5_data key, krb5_data * reply)
+{
+    fprintf(stderr, "LDAP__get not implemented\n");
+    abort();
+    return 0;
+}
+
+static krb5_error_code
+LDAP__put(krb5_context context, HDB * db, int replace,
+	  krb5_data key, krb5_data value)
+{
+    fprintf(stderr, "LDAP__put not implemented\n");
+    abort();
+    return 0;
+}
+
+static krb5_error_code
+LDAP__del(krb5_context context, HDB * db, krb5_data key)
+{
+    fprintf(stderr, "LDAP__del not implemented\n");
+    abort();
+    return 0;
+}
+
+static krb5_error_code LDAP_destroy(krb5_context context, HDB * db)
+{
+    krb5_error_code ret;
+
+    ret = hdb_clear_master_key(context, db);
+    free(db->name);
+    free(db);
+
+    return ret;
+}
+
+krb5_error_code
+hdb_ldap_create(krb5_context context, HDB ** db, const char *filename)
+{
+    *db = malloc(sizeof(**db));
+    if (*db == NULL)
+	return ENOMEM;
+
+    (*db)->db = NULL;
+/*    (*db)->name = strdup(filename); */
+    (*db)->name = NULL;
+    (*db)->master_key_set = 0;
+    (*db)->openp = 0;
+    (*db)->open = LDAP_open;
+    (*db)->close = LDAP_close;
+    (*db)->fetch = LDAP_fetch;
+    (*db)->store = LDAP_store;
+    (*db)->remove = LDAP_remove;
+    (*db)->firstkey = LDAP_firstkey;
+    (*db)->nextkey = LDAP_nextkey;
+    (*db)->lock = LDAP_lock;
+    (*db)->unlock = LDAP_unlock;
+    (*db)->rename = LDAP_rename;
+    /* can we ditch these? */
+    (*db)->_get = LDAP__get;
+    (*db)->_put = LDAP__put;
+    (*db)->_del = LDAP__del;
+    (*db)->destroy = LDAP_destroy;
+
+    return 0;
+}
+
+#endif				/* OPENLDAP */
diff --git a/crypto/heimdal/lib/hdb/hdb-private.h b/crypto/heimdal/lib/hdb/hdb-private.h
new file mode 100644
index 0000000..7563d36
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb-private.h
@@ -0,0 +1,36 @@
+/* This is a generated file */
+#ifndef __hdb_private_h__
+#define __hdb_private_h__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+krb5_error_code
+_hdb_fetch __P((
+	krb5_context context,
+	HDB *db,
+	unsigned flags,
+	hdb_entry *entry));
+
+krb5_error_code
+_hdb_remove __P((
+	krb5_context context,
+	HDB *db,
+	hdb_entry *entry));
+
+krb5_error_code
+_hdb_store __P((
+	krb5_context context,
+	HDB *db,
+	unsigned flags,
+	hdb_entry *entry));
+
+#endif /* __hdb_private_h__ */
diff --git a/crypto/heimdal/lib/hdb/hdb-protos.h b/crypto/heimdal/lib/hdb/hdb-protos.h
new file mode 100644
index 0000000..dbb00a5
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb-protos.h
@@ -0,0 +1,197 @@
+/* This is a generated file */
+#ifndef __hdb_protos_h__
+#define __hdb_protos_h__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+krb5_error_code
+hdb_add_master_key __P((
+	krb5_context context,
+	krb5_keyblock *key,
+	hdb_master_key *inout));
+
+krb5_error_code
+hdb_check_db_format __P((
+	krb5_context context,
+	HDB *db));
+
+krb5_error_code
+hdb_clear_master_key __P((
+	krb5_context context,
+	HDB *db));
+
+krb5_error_code
+hdb_create __P((
+	krb5_context context,
+	HDB **db,
+	const char *filename));
+
+krb5_error_code
+hdb_db_create __P((
+	krb5_context context,
+	HDB **db,
+	const char *filename));
+
+krb5_error_code
+hdb_enctype2key __P((
+	krb5_context context,
+	hdb_entry *e,
+	krb5_enctype enctype,
+	Key **key));
+
+krb5_error_code
+hdb_entry2string __P((
+	krb5_context context,
+	hdb_entry *ent,
+	char **str));
+
+int
+hdb_entry2value __P((
+	krb5_context context,
+	hdb_entry *ent,
+	krb5_data *value));
+
+krb5_error_code
+hdb_foreach __P((
+	krb5_context context,
+	HDB *db,
+	unsigned flags,
+	hdb_foreach_func_t func,
+	void *data));
+
+void
+hdb_free_entry __P((
+	krb5_context context,
+	hdb_entry *ent));
+
+void
+hdb_free_key __P((Key *key));
+
+void
+hdb_free_master_key __P((
+	krb5_context context,
+	hdb_master_key mkey));
+
+krb5_error_code
+hdb_init_db __P((
+	krb5_context context,
+	HDB *db));
+
+int
+hdb_key2principal __P((
+	krb5_context context,
+	krb5_data *key,
+	krb5_principal p));
+
+krb5_error_code
+hdb_ldap_create __P((
+	krb5_context context,
+	HDB ** db,
+	const char *filename));
+
+krb5_error_code
+hdb_lock __P((
+	int fd,
+	int operation));
+
+krb5_error_code
+hdb_ndbm_create __P((
+	krb5_context context,
+	HDB **db,
+	const char *filename));
+
+krb5_error_code
+hdb_next_enctype2key __P((
+	krb5_context context,
+	const hdb_entry *e,
+	krb5_enctype enctype,
+	Key **key));
+
+int
+hdb_principal2key __P((
+	krb5_context context,
+	krb5_principal p,
+	krb5_data *key));
+
+krb5_error_code
+hdb_print_entry __P((
+	krb5_context context,
+	HDB *db,
+	hdb_entry *entry,
+	void *data));
+
+krb5_error_code
+hdb_process_master_key __P((
+	krb5_context context,
+	int kvno,
+	krb5_keyblock *key,
+	krb5_enctype etype,
+	hdb_master_key *mkey));
+
+krb5_error_code
+hdb_read_master_key __P((
+	krb5_context context,
+	const char *filename,
+	hdb_master_key *mkey));
+
+krb5_error_code
+hdb_seal_keys __P((
+	krb5_context context,
+	HDB *db,
+	hdb_entry *ent));
+
+krb5_error_code
+hdb_seal_keys_mkey __P((
+	krb5_context context,
+	hdb_entry *ent,
+	hdb_master_key mkey));
+
+krb5_error_code
+hdb_set_master_key __P((
+	krb5_context context,
+	HDB *db,
+	krb5_keyblock *key));
+
+krb5_error_code
+hdb_set_master_keyfile __P((
+	krb5_context context,
+	HDB *db,
+	const char *keyfile));
+
+krb5_error_code
+hdb_unlock __P((int fd));
+
+krb5_error_code
+hdb_unseal_keys __P((
+	krb5_context context,
+	HDB *db,
+	hdb_entry *ent));
+
+krb5_error_code
+hdb_unseal_keys_mkey __P((
+	krb5_context context,
+	hdb_entry *ent,
+	hdb_master_key mkey));
+
+int
+hdb_value2entry __P((
+	krb5_context context,
+	krb5_data *value,
+	hdb_entry *ent));
+
+krb5_error_code
+hdb_write_master_key __P((
+	krb5_context context,
+	const char *filename,
+	hdb_master_key mkey));
+
+#endif /* __hdb_protos_h__ */
diff --git a/crypto/heimdal/lib/hdb/hdb.asn1 b/crypto/heimdal/lib/hdb/hdb.asn1
new file mode 100644
index 0000000..2a20cd1
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb.asn1
@@ -0,0 +1,63 @@
+-- $Id: hdb.asn1,v 1.8 2000/06/19 15:22:22 joda Exp $
+HDB DEFINITIONS ::=
+BEGIN
+
+IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
+
+HDB_DB_FORMAT INTEGER ::= 2	-- format of database, 
+				-- update when making changes
+
+-- these should have the same value as the pa-* counterparts
+hdb-pw-salt	INTEGER	::= 3
+hdb-afs3-salt	INTEGER	::= 10
+
+Salt ::= SEQUENCE {
+	type[0]		INTEGER,
+	salt[1]		OCTET STRING
+}
+
+Key ::= SEQUENCE {
+	mkvno[0]	INTEGER OPTIONAL,	-- master key version number
+	key[1]		EncryptionKey,
+	salt[2]		Salt OPTIONAL
+}
+
+Event ::= SEQUENCE {
+	time[0]		KerberosTime,
+	principal[1]	Principal OPTIONAL
+}
+
+HDBFlags ::= BIT STRING {
+	initial(0),		-- require as-req
+	forwardable(1),		-- may issue forwardable
+	proxiable(2),		-- may issue proxiable
+	renewable(3),		-- may issue renewable
+	postdate(4),		-- may issue postdatable
+	server(5),		-- may be server
+	client(6),		-- may be client
+	invalid(7),		-- entry is invalid
+	require-preauth(8),	-- must use preauth
+	change-pw(9),		-- change password service
+	require-hwauth(10),	-- must use hwauth
+	ok-as-delegate(11),	-- as in TicketFlags
+	user-to-user(12),	-- may use user-to-user auth
+	immutable(13)		-- may not be deleted
+}
+
+hdb_entry ::= SEQUENCE {
+	principal[0]	Principal  OPTIONAL, -- this is optional only 
+					     -- for compatibility with libkrb5
+	kvno[1]		INTEGER,
+	keys[2]		SEQUENCE OF Key,
+	created-by[3]	Event,
+	modified-by[4]	Event OPTIONAL,
+	valid-start[5]	KerberosTime OPTIONAL,
+	valid-end[6]	KerberosTime OPTIONAL,
+	pw-end[7]	KerberosTime OPTIONAL,
+	max-life[8]	INTEGER OPTIONAL,
+	max-renew[9]	INTEGER OPTIONAL,
+	flags[10]	HDBFlags,
+	etypes[11]	SEQUENCE OF INTEGER OPTIONAL
+}
+
+END
diff --git a/crypto/heimdal/lib/hdb/hdb.c b/crypto/heimdal/lib/hdb/hdb.c
new file mode 100644
index 0000000..1565f03
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb.c
@@ -0,0 +1,240 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: hdb.c,v 1.42 2000/11/15 23:12:15 assar Exp $");
+
+struct hdb_method {
+    const char *prefix;
+    krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
+};
+
+static struct hdb_method methods[] = {
+#ifdef HAVE_DB_H
+    {"db:",	hdb_db_create},
+#endif
+#if defined(HAVE_NDBM_H) || defined(HAVE_GDBM_NDBM_H)
+    {"ndbm:",	hdb_ndbm_create},
+#endif
+#ifdef OPENLDAP
+    {"ldap:",	hdb_ldap_create},
+#endif
+#ifdef HAVE_DB_H
+    {"",	hdb_db_create},
+#elif defined(HAVE_NDBM_H)
+    {"",	hdb_ndbm_create},
+#elif defined(OPENLDAP)
+    {"",	hdb_ldap_create},
+#endif
+    {NULL,	NULL}
+};
+
+krb5_error_code
+hdb_next_enctype2key(krb5_context context,
+		     const hdb_entry *e,
+		     krb5_enctype enctype,
+		     Key **key)
+{
+    Key *k;
+    
+    for (k = *key ? (*key) + 1 : e->keys.val;
+	 k < e->keys.val + e->keys.len; 
+	 k++)
+	if(k->key.keytype == enctype){
+	    *key = k;
+	    return 0;
+	}
+    return KRB5_PROG_ETYPE_NOSUPP; /* XXX */
+}
+
+krb5_error_code
+hdb_enctype2key(krb5_context context, 
+		hdb_entry *e, 
+		krb5_enctype enctype, 
+		Key **key)
+{
+    *key = NULL;
+    return hdb_next_enctype2key(context, e, enctype, key);
+}
+
+void
+hdb_free_key(Key *key)
+{
+    memset(key->key.keyvalue.data, 
+	   0,
+	   key->key.keyvalue.length);
+    free_Key(key);
+    free(key);
+}
+
+
+krb5_error_code
+hdb_lock(int fd, int operation)
+{
+    int i, code = 0;
+
+    for(i = 0; i < 3; i++){
+	code = flock(fd, (operation == HDB_RLOCK ? LOCK_SH : LOCK_EX) | LOCK_NB);
+	if(code == 0 || errno != EWOULDBLOCK)
+	    break;
+	sleep(1);
+    }
+    if(code == 0)
+	return 0;
+    if(errno == EWOULDBLOCK)
+	return HDB_ERR_DB_INUSE;
+    return HDB_ERR_CANT_LOCK_DB;
+}
+
+krb5_error_code
+hdb_unlock(int fd)
+{
+    int code;
+    code = flock(fd, LOCK_UN);
+    if(code)
+	return 4711 /* XXX */;
+    return 0;
+}
+
+void
+hdb_free_entry(krb5_context context, hdb_entry *ent)
+{
+    int i;
+
+    for(i = 0; i < ent->keys.len; ++i) {
+	Key *k = &ent->keys.val[i];
+
+	memset (k->key.keyvalue.data, 0, k->key.keyvalue.length);
+    }
+    free_hdb_entry(ent);
+}
+
+krb5_error_code
+hdb_foreach(krb5_context context,
+	    HDB *db,
+	    unsigned flags,
+	    hdb_foreach_func_t func,
+	    void *data)
+{
+    krb5_error_code ret;
+    hdb_entry entry;
+    ret = db->firstkey(context, db, flags, &entry);
+    while(ret == 0){
+	ret = (*func)(context, db, &entry, data);
+	hdb_free_entry(context, &entry);
+	if(ret == 0)
+	    ret = db->nextkey(context, db, flags, &entry);
+    }
+    if(ret == HDB_ERR_NOENTRY)
+	ret = 0;
+    return ret;
+}
+
+krb5_error_code
+hdb_check_db_format(krb5_context context, HDB *db)
+{
+    krb5_data tag;
+    krb5_data version;
+    krb5_error_code ret;
+    unsigned ver;
+    int foo;
+
+    tag.data = HDB_DB_FORMAT_ENTRY;
+    tag.length = strlen(tag.data);
+    ret = (*db->_get)(context, db, tag, &version);
+    if(ret)
+	return ret;
+    foo = sscanf(version.data, "%u", &ver);
+    krb5_data_free (&version);
+    if (foo != 1)
+	return HDB_ERR_BADVERSION;
+    if(ver != HDB_DB_FORMAT)
+	return HDB_ERR_BADVERSION;
+    return 0;
+}
+
+krb5_error_code
+hdb_init_db(krb5_context context, HDB *db)
+{
+    krb5_error_code ret;
+    krb5_data tag;
+    krb5_data version;
+    char ver[32];
+    
+    ret = hdb_check_db_format(context, db);
+    if(ret != HDB_ERR_NOENTRY)
+	return ret;
+    
+    tag.data = HDB_DB_FORMAT_ENTRY;
+    tag.length = strlen(tag.data);
+    snprintf(ver, sizeof(ver), "%u", HDB_DB_FORMAT);
+    version.data = ver;
+    version.length = strlen(version.data) + 1; /* zero terminated */
+    ret = (*db->_put)(context, db, 0, tag, version);
+    return ret;
+}
+
+/*
+ * find the relevant method for `filename', returning a pointer to the
+ * rest in `rest'.
+ * return NULL if there's no such method.
+ */
+
+static const struct hdb_method *
+find_method (const char *filename, const char **rest)
+{
+    const struct hdb_method *h;
+
+    for (h = methods; h->prefix != NULL; ++h)
+	if (strncmp (filename, h->prefix, strlen(h->prefix)) == 0) {
+	    *rest = filename + strlen(h->prefix);
+	    return h;
+	}
+    return NULL;
+}
+
+krb5_error_code
+hdb_create(krb5_context context, HDB **db, const char *filename)
+{
+    const struct hdb_method *h;
+    const char *residual;
+
+    if(filename == NULL)
+	filename = HDB_DEFAULT_DB;
+    initialize_hdb_error_table_r(&context->et_list);
+    h = find_method (filename, &residual);
+    if (h == NULL)
+	krb5_errx(context, 1, "No database support! (hdb_create)");
+    return (*h->create)(context, db, residual);
+}
diff --git a/crypto/heimdal/lib/hdb/hdb.h b/crypto/heimdal/lib/hdb/hdb.h
new file mode 100644
index 0000000..21d739b
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb.h
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: hdb.h,v 1.31 2000/07/08 16:03:37 joda Exp $ */
+
+#ifndef __HDB_H__
+#define __HDB_H__
+
+#include <hdb_err.h>
+
+#include <hdb_asn1.h>
+
+enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
+
+/* flags for various functions */
+#define HDB_F_DECRYPT	1 /* decrypt keys */
+#define HDB_F_REPLACE	2 /* replace entry */
+
+/* key usage for master key */
+#define HDB_KU_MKEY	0x484442
+
+typedef struct hdb_master_key_data *hdb_master_key;
+
+typedef struct HDB{
+    void *db;
+    void *dbc;
+    char *name;
+    int master_key_set;
+    hdb_master_key master_key;
+    int openp;
+
+    krb5_error_code (*open)(krb5_context, struct HDB*, int, mode_t);
+    krb5_error_code (*close)(krb5_context, struct HDB*);
+    krb5_error_code (*fetch)(krb5_context, struct HDB*, unsigned, hdb_entry*);
+    krb5_error_code (*store)(krb5_context, struct HDB*, unsigned, hdb_entry*);
+    krb5_error_code (*remove)(krb5_context, struct HDB*, hdb_entry*);
+    krb5_error_code (*firstkey)(krb5_context, struct HDB*, 
+				unsigned, hdb_entry*);
+    krb5_error_code (*nextkey)(krb5_context, struct HDB*, 
+			       unsigned, hdb_entry*);
+    krb5_error_code (*lock)(krb5_context, struct HDB*, int operation);
+    krb5_error_code (*unlock)(krb5_context, struct HDB*);
+    krb5_error_code (*rename)(krb5_context, struct HDB*, const char*);
+    krb5_error_code (*_get)(krb5_context, struct HDB*, krb5_data, krb5_data*);
+    krb5_error_code (*_put)(krb5_context, struct HDB*, int, 
+			    krb5_data, krb5_data);
+    krb5_error_code (*_del)(krb5_context, struct HDB*, krb5_data);
+    krb5_error_code (*destroy)(krb5_context, struct HDB*);
+}HDB;
+
+#define HDB_DB_DIR "/var/heimdal"
+#define HDB_DEFAULT_DB HDB_DB_DIR "/heimdal"
+#define HDB_DB_FORMAT_ENTRY "hdb/db-format"
+
+typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*,
+					      hdb_entry*, void*);
+extern krb5_kt_ops hdb_kt_ops;
+
+#include <hdb-protos.h>
+
+#endif /* __HDB_H__ */
diff --git a/crypto/heimdal/lib/hdb/hdb_err.et b/crypto/heimdal/lib/hdb/hdb_err.et
new file mode 100644
index 0000000..9929a56
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb_err.et
@@ -0,0 +1,27 @@
+#
+# Error messages for the hdb library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: hdb_err.et,v 1.5 2001/01/28 23:05:52 assar Exp $"
+
+error_table hdb
+
+prefix HDB_ERR
+
+index 1
+#error_code INUSE,		"Entry already exists in database"
+error_code UK_SERROR,		"Database store error"
+error_code UK_RERROR,		"Database read error"
+error_code NOENTRY,		"No such entry in the database"
+error_code DB_INUSE,		"Database is locked or in use--try again later"
+error_code DB_CHANGED,		"Database was modified during read"
+error_code RECURSIVELOCK,	"Attempt to lock database twice"
+error_code NOTLOCKED,		"Attempt to unlock database when not locked"
+error_code BADLOCKMODE,		"Invalid kdb lock mode"
+error_code CANT_LOCK_DB,	"Insufficient access to lock database"
+error_code EXISTS,		"Entry already exists in database"
+error_code BADVERSION,		"Wrong database version"
+error_code NO_MKEY,		"No correct master key"
+
+end
diff --git a/crypto/heimdal/lib/hdb/hdb_locl.h b/crypto/heimdal/lib/hdb/hdb_locl.h
new file mode 100644
index 0000000..e5a6362
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/hdb_locl.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: hdb_locl.h,v 1.15 2001/02/15 04:20:54 assar Exp $ */
+/* $FreeBSD$ */
+
+#ifndef __HDB_LOCL_H__
+#define __HDB_LOCL_H__
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#include <roken.h>
+
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+#include <krb5.h>
+#include <hdb.h>
+#include <hdb-private.h>
+
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+
+#if defined(HAVE_NDBM_H)
+#include <ndbm.h>
+#elif defined(HAVE_GDBM_NDBM_H)
+#include <gdbm/ndbm.h>
+#endif
+
+#endif /* __HDB_LOCL_H__ */
diff --git a/crypto/heimdal/lib/hdb/keytab.c b/crypto/heimdal/lib/hdb/keytab.c
new file mode 100644
index 0000000..5de3cc5
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/keytab.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+/* keytab backend for HDB databases */
+
+RCSID("$Id: keytab.c,v 1.3 2000/08/27 04:31:42 assar Exp $");
+
+struct hdb_data {
+    char *dbname;
+    char *mkey;
+};
+
+/*
+ * the format for HDB keytabs is:
+ * HDB:[database:mkey]
+ */
+
+static krb5_error_code
+hdb_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    struct hdb_data *d;
+    const char *db, *mkey;
+
+    d = malloc(sizeof(*d));
+    if(d == NULL)
+	return ENOMEM;
+    db = name;
+    mkey = strchr(name, ':');
+    if(mkey == NULL || mkey[1] == '\0') {
+	if(*name == '\0')
+	    d->dbname = NULL;
+	else {
+	    d->dbname = strdup(name);
+	    if(d->dbname == NULL) {
+		free(d);
+		return ENOMEM;
+	    }
+	}
+	d->mkey = NULL;
+    } else {
+	if((mkey - db) == 0) {
+	    d->dbname = NULL;
+	} else {
+	    d->dbname = malloc(mkey - db);
+	    if(d->dbname == NULL) {
+		free(d);
+		return ENOMEM;
+	    }
+	    memmove(d->dbname, db, mkey - db);
+	    d->dbname[mkey - db] = '\0';
+	}
+	d->mkey = strdup(mkey + 1);
+	if(d->mkey == NULL) {
+	    free(d->dbname);
+	    free(d);
+	    return ENOMEM;
+	}
+    }
+    id->data = d;
+    return 0;
+}
+
+static krb5_error_code
+hdb_close(krb5_context context, krb5_keytab id)
+{
+    struct hdb_data *d = id->data;
+
+    free(d->dbname);
+    free(d->mkey);
+    free(d);
+    return 0;
+}
+
+static krb5_error_code 
+hdb_get_name(krb5_context context, 
+	     krb5_keytab id, 
+	     char *name, 
+	     size_t namesize)
+{
+    struct hdb_data *d = id->data;
+
+    snprintf(name, namesize, "%s%s%s", 
+	     d->dbname ? d->dbname : "",
+	     (d->dbname || d->mkey) ? ":" : "",
+	     d->mkey ? d->mkey : "");
+    return 0;
+}
+
+static void
+set_config (krb5_context context,
+	    krb5_config_binding *binding,
+	    const char **dbname,
+	    const char **mkey)
+{
+    *dbname = krb5_config_get_string(context, binding, "dbname", NULL);
+    *mkey   = krb5_config_get_string(context, binding, "mkey_file", NULL);
+}
+
+/*
+ * try to figure out the database (`dbname') and master-key (`mkey')
+ * that should be used for `principal'.
+ */
+
+static void
+find_db (krb5_context context,
+	 const char **dbname,
+	 const char **mkey,
+	 krb5_const_principal principal)
+{
+    krb5_config_binding *top_bind = NULL;
+    krb5_config_binding *default_binding = NULL;
+    krb5_config_binding *db;
+    krb5_realm *prealm = krb5_princ_realm(context, (krb5_principal)principal);
+
+    *dbname = *mkey = NULL;
+
+    while ((db = (krb5_config_binding *)
+	    krb5_config_get_next(context,
+				 NULL,
+				 &top_bind,
+				 krb5_config_list,
+				 "kdc",
+				 "database",
+				 NULL)) != NULL) {
+	const char *p;
+	
+	p = krb5_config_get_string (context, db, "realm", NULL);
+	if (p == NULL) {
+	    if(default_binding) {
+		krb5_warnx(context, "WARNING: more than one realm-less "
+			   "database specification");
+		krb5_warnx(context, "WARNING: using the first encountered");
+	    } else
+		default_binding = db;
+	} else if (strcmp (*prealm, p) == 0) {
+	    set_config (context, db, dbname, mkey);
+	    break;
+	}
+    }
+    if (*dbname == NULL && default_binding != NULL)
+	set_config (context, default_binding, dbname, mkey);
+    if (*dbname == NULL)
+	*dbname = HDB_DEFAULT_DB;
+}
+
+/*
+ * find the keytab entry in `id' for `principal, kvno, enctype' and return
+ * it in `entry'.  return 0 or an error code
+ */
+
+static krb5_error_code
+hdb_get_entry(krb5_context context,
+	      krb5_keytab id,
+	      krb5_const_principal principal,
+	      krb5_kvno kvno,
+	      krb5_enctype enctype,
+	      krb5_keytab_entry *entry)
+{
+    hdb_entry ent;
+    krb5_error_code ret;
+    struct hdb_data *d = id->data;
+    int i;
+    HDB *db;
+    const char *dbname = d->dbname;
+    const char *mkey   = d->mkey;
+
+    if (dbname == NULL)
+	find_db (context, &dbname, &mkey, principal);
+
+    ret = hdb_create (context, &db, dbname);
+    if (ret)
+	return ret;
+    ret = hdb_set_master_keyfile (context, db, mkey);
+    if (ret) {
+	(*db->destroy)(context, db);
+	return ret;
+    }
+	
+    ret = (*db->open)(context, db, O_RDONLY, 0);
+    if (ret) {
+	(*db->destroy)(context, db);
+	return ret;
+    }
+    ent.principal = (krb5_principal)principal;
+    ret = (*db->fetch)(context, db, HDB_F_DECRYPT, &ent);
+    (*db->close)(context, db);
+    (*db->destroy)(context, db);
+
+    if(ret == HDB_ERR_NOENTRY)
+	return KRB5_KT_NOTFOUND;
+    else if(ret)
+	return ret;
+    if(kvno && ent.kvno != kvno) {
+	hdb_free_entry(context, &ent);
+ 	return KRB5_KT_NOTFOUND;
+    }
+    if(enctype == 0)
+	if(ent.keys.len > 0)
+	    enctype = ent.keys.val[0].key.keytype;
+    ret = KRB5_KT_NOTFOUND;
+    for(i = 0; i < ent.keys.len; i++) {
+	if(ent.keys.val[i].key.keytype == enctype) {
+	    krb5_copy_principal(context, principal, &entry->principal);
+	    entry->vno = ent.kvno;
+	    krb5_copy_keyblock_contents(context, 
+					&ent.keys.val[i].key, 
+					&entry->keyblock);
+	    ret = 0;
+	    break;
+	}
+    }
+    hdb_free_entry(context, &ent);
+    return ret;
+}
+
+krb5_kt_ops hdb_kt_ops = {
+    "HDB",
+    hdb_resolve,
+    hdb_get_name,
+    hdb_close,
+    hdb_get_entry,
+    NULL,		/* start_seq_get */
+    NULL,		/* next_entry */
+    NULL,		/* end_seq_get */
+    NULL,		/* add */
+    NULL		/* remove */
+};
diff --git a/crypto/heimdal/lib/hdb/libasn1.h b/crypto/heimdal/lib/hdb/libasn1.h
new file mode 100644
index 0000000..ef02d7c
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/libasn1.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1997, 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: libasn1.h,v 1.5 2001/04/18 16:21:33 joda Exp $ */
+
+#ifndef __LIBASN1_H__
+#define __LIBASN1_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <errno.h>
+#include <krb5_asn1.h>
+#include <der.h>
+#include "hdb_asn1.h"
+#include <asn1_err.h>
+#include <parse_units.h>
+
+#endif /* __LIBASN1_H__ */
diff --git a/crypto/heimdal/lib/hdb/mkey.c b/crypto/heimdal/lib/hdb/mkey.c
new file mode 100644
index 0000000..2c85333
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/mkey.c
@@ -0,0 +1,475 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+RCSID("$Id: mkey.c,v 1.8 2001/01/30 01:20:57 assar Exp $");
+
+struct hdb_master_key_data {
+    krb5_keytab_entry keytab;
+    krb5_crypto crypto;
+    struct hdb_master_key_data *next;
+};
+
+void
+hdb_free_master_key(krb5_context context, hdb_master_key mkey)
+{
+    struct hdb_master_key_data *ptr;
+    while(mkey) {
+	krb5_kt_free_entry(context, &mkey->keytab);
+	krb5_crypto_destroy(context, mkey->crypto);
+	ptr = mkey;
+	mkey = mkey->next;
+	free(ptr);
+    }
+}
+
+krb5_error_code
+hdb_process_master_key(krb5_context context,
+		       int kvno, krb5_keyblock *key, krb5_enctype etype,
+		       hdb_master_key *mkey)
+{
+    krb5_error_code ret;
+    *mkey = calloc(1, sizeof(**mkey));
+    if(*mkey == NULL)
+	return ENOMEM;
+    (*mkey)->keytab.vno = kvno;
+    ret = krb5_parse_name(context, "K/M", &(*mkey)->keytab.principal);
+    ret = krb5_copy_keyblock_contents(context, key, &(*mkey)->keytab.keyblock);
+    if(ret) {
+	free(*mkey);
+	*mkey = NULL;
+	return ret;
+    }
+    if(etype != 0)
+	(*mkey)->keytab.keyblock.keytype = etype;
+    (*mkey)->keytab.timestamp = time(NULL);
+    ret = krb5_crypto_init(context, key, etype, &(*mkey)->crypto);
+    if(ret) {
+	krb5_free_keyblock_contents(context, &(*mkey)->keytab.keyblock);
+	free(*mkey);
+	*mkey = NULL;
+    }
+    return ret;
+}
+
+krb5_error_code
+hdb_add_master_key(krb5_context context, krb5_keyblock *key,
+		   hdb_master_key *inout)
+{
+    int vno = 0;
+    hdb_master_key p;
+    krb5_error_code ret;
+
+    for(p = *inout; p; p = p->next)
+	vno = max(vno, p->keytab.vno);
+    vno++;
+    ret = hdb_process_master_key(context, vno, key, 0, &p);
+    if(ret)
+	return ret;
+    p->next = *inout;
+    *inout = p;
+    return 0;
+}
+
+static krb5_error_code
+read_master_keytab(krb5_context context, const char *filename, 
+		   hdb_master_key *mkey)
+{
+    krb5_error_code ret;
+    krb5_keytab id;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    hdb_master_key p;
+    
+    ret = krb5_kt_resolve(context, filename, &id);
+    if(ret)
+	return ret;
+
+    ret = krb5_kt_start_seq_get(context, id, &cursor);
+    if(ret)
+	goto out;
+    *mkey = NULL;
+    while(krb5_kt_next_entry(context, id, &entry, &cursor) == 0) {
+	p = calloc(1, sizeof(*p));
+	p->keytab = entry;
+	ret = krb5_crypto_init(context, &p->keytab.keyblock, 0, &p->crypto);
+	p->next = *mkey;
+	*mkey = p;
+    }
+    krb5_kt_end_seq_get(context, id, &cursor);
+  out:
+    krb5_kt_close(context, id);
+    return ret;
+}
+
+/* read a MIT master keyfile */
+static krb5_error_code
+read_master_mit(krb5_context context, const char *filename, 
+		hdb_master_key *mkey)
+{
+    int fd;
+    krb5_error_code ret;
+    krb5_storage *sp;
+    u_int16_t enctype;
+    krb5_keyblock key;
+	       
+    fd = open(filename, O_RDONLY | O_BINARY);
+    if(fd < 0)
+	return errno;
+    sp = krb5_storage_from_fd(fd);
+    if(sp == NULL) {
+	close(fd);
+	return errno;
+    }
+    krb5_storage_set_flags(sp, KRB5_STORAGE_HOST_BYTEORDER);
+#if 0
+    /* could possibly use ret_keyblock here, but do it with more
+       checks for now */
+    ret = krb5_ret_keyblock(sp, &key);
+#else
+    ret = krb5_ret_int16(sp, &enctype);
+    if((htons(enctype) & 0xff00) == 0x3000) {
+	ret = HEIM_ERR_BAD_MKEY;
+	goto out;
+    }
+    key.keytype = enctype;
+    ret = krb5_ret_data(sp, &key.keyvalue);
+    if(ret)
+	goto out;
+#endif
+    ret = hdb_process_master_key(context, 0, &key, 0, mkey);
+    krb5_free_keyblock_contents(context, &key);
+  out:
+    krb5_storage_free(sp);
+    close(fd);
+    return ret;
+}
+
+/* read an old master key file */
+static krb5_error_code
+read_master_encryptionkey(krb5_context context, const char *filename, 
+			  hdb_master_key *mkey)
+{
+    int fd;
+    krb5_keyblock key;
+    krb5_error_code ret;
+    unsigned char buf[256];
+    ssize_t len;
+	       
+    fd = open(filename, O_RDONLY | O_BINARY);
+    if(fd < 0)
+	return errno;
+    
+    len = read(fd, buf, sizeof(buf));
+    close(fd);
+    if(len < 0)
+	return errno;
+
+    ret = decode_EncryptionKey(buf, len, &key, &len);
+    memset(buf, 0, sizeof(buf));
+    if(ret)
+	return ret;
+
+    /* Originally, the keytype was just that, and later it got changed
+       to des-cbc-md5, but we always used des in cfb64 mode. This
+       should cover all cases, but will break if someone has hacked
+       this code to really use des-cbc-md5 -- but then that's not my
+       problem. */
+    if(key.keytype == KEYTYPE_DES || key.keytype == ETYPE_DES_CBC_MD5)
+	key.keytype = ETYPE_DES_CFB64_NONE;
+    
+    ret = hdb_process_master_key(context, 0, &key, 0, mkey);
+    krb5_free_keyblock_contents(context, &key);
+    return ret;
+}
+
+/* read a krb4 /.k style file */
+static krb5_error_code
+read_master_krb4(krb5_context context, const char *filename, 
+		 hdb_master_key *mkey)
+{
+    int fd;
+    krb5_keyblock key;
+    krb5_error_code ret;
+    unsigned char buf[256];
+    ssize_t len;
+	       
+    fd = open(filename, O_RDONLY | O_BINARY);
+    if(fd < 0)
+	return errno;
+    
+    len = read(fd, buf, sizeof(buf));
+    close(fd);
+    if(len < 0)
+	return errno;
+
+    memset(&key, 0, sizeof(key));
+    key.keytype = ETYPE_DES_PCBC_NONE;
+    ret = krb5_data_copy(&key.keyvalue, buf, len);
+    memset(buf, 0, sizeof(buf));
+    if(ret) 
+	return ret;
+
+    ret = hdb_process_master_key(context, 0, &key, 0, mkey);
+    krb5_free_keyblock_contents(context, &key);
+    return ret;
+}
+
+krb5_error_code
+hdb_read_master_key(krb5_context context, const char *filename, 
+		    hdb_master_key *mkey)
+{
+    FILE *f;
+    unsigned char buf[16];
+    krb5_error_code ret;
+
+    off_t len;
+
+    *mkey = NULL;
+
+    if(filename == NULL)
+	filename = HDB_DB_DIR "/m-key";
+
+    f = fopen(filename, "r");
+    if(f == NULL)
+	return errno;
+    
+    if(fread(buf, 1, 2, f) != 2) {
+	fclose(f);
+	return HEIM_ERR_EOF;
+    }
+    
+    fseek(f, 0, SEEK_END);
+    len = ftell(f);
+
+    if(fclose(f) != 0)
+	return errno;
+    
+    if(len < 0)
+	return errno;
+    
+    if(len == 8) {
+	ret = read_master_krb4(context, filename, mkey);
+    } else if(buf[0] == 0x30 && len <= 127 && buf[1] == len - 2) {
+	ret = read_master_encryptionkey(context, filename, mkey);
+    } else if(buf[0] == 5 && buf[1] >= 1 && buf[1] <= 2) {
+	ret = read_master_keytab(context, filename, mkey);
+    } else {
+	ret = read_master_mit(context, filename, mkey);
+    }
+    return ret;
+}
+
+krb5_error_code
+hdb_write_master_key(krb5_context context, const char *filename, 
+		     hdb_master_key mkey)
+{
+    krb5_error_code ret;
+    hdb_master_key p;
+    krb5_keytab kt;
+
+    if(filename == NULL)
+	filename = HDB_DB_DIR "/m-key";
+
+    ret = krb5_kt_resolve(context, filename, &kt);
+    if(ret)
+	return ret;
+
+    for(p = mkey; p; p = p->next) {
+	ret = krb5_kt_add_entry(context, kt, &p->keytab);
+    }
+
+    krb5_kt_close(context, kt);
+
+    return ret;
+}
+
+static hdb_master_key
+find_master_key(Key *key, hdb_master_key mkey)
+{
+    hdb_master_key ret = NULL;
+    while(mkey) {
+	if(ret == NULL && mkey->keytab.vno == 0)
+	    ret = mkey;
+	if(key->mkvno == NULL) {
+	    if(ret == NULL || mkey->keytab.vno > ret->keytab.vno)
+		ret = mkey;
+	} else if(mkey->keytab.vno == *key->mkvno)
+	    return mkey;
+	mkey = mkey->next;
+    }
+    return ret;
+}
+
+krb5_error_code
+hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
+{
+    int i;
+    krb5_error_code ret;
+    krb5_data res;
+    Key *k;
+
+    for(i = 0; i < ent->keys.len; i++){
+	hdb_master_key key;
+
+	k = &ent->keys.val[i];
+	if(k->mkvno == NULL)
+	    continue;
+
+	key = find_master_key(&ent->keys.val[i], mkey);
+
+	if (key == NULL)
+	    return HDB_ERR_NO_MKEY;
+
+	ret = krb5_decrypt(context, key->crypto, HDB_KU_MKEY,
+			   k->key.keyvalue.data,
+			   k->key.keyvalue.length,
+			   &res);
+	if (ret)
+	    return ret;
+
+	memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
+	free(k->key.keyvalue.data);
+	k->key.keyvalue = res;
+	free(k->mkvno);
+	k->mkvno = NULL;
+    }
+    return 0;
+}
+
+krb5_error_code
+hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent)
+{
+    if (db->master_key_set == 0)
+	return 0;
+    return hdb_unseal_keys_mkey(context, ent, db->master_key);
+}
+
+krb5_error_code
+hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
+{
+    int i;
+    krb5_error_code ret;
+    krb5_data res;
+    for(i = 0; i < ent->keys.len; i++){
+	Key *k = &ent->keys.val[i];
+	hdb_master_key key;
+
+	if(k->mkvno != NULL)
+	    continue;
+
+	key = find_master_key(k, mkey);
+
+	if (key == NULL)
+	    return HDB_ERR_NO_MKEY;
+
+	ret = krb5_encrypt(context, key->crypto, HDB_KU_MKEY,
+			   k->key.keyvalue.data,
+			   k->key.keyvalue.length,
+			   &res);
+	if (ret)
+	    return ret;
+
+	memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);
+	free(k->key.keyvalue.data);
+	k->key.keyvalue = res;
+
+	k->mkvno = malloc(sizeof(*k->mkvno));
+	if (k->mkvno == NULL)
+	    return ENOMEM;
+	*k->mkvno = key->keytab.vno;
+    }
+    return 0;
+}
+
+krb5_error_code
+hdb_seal_keys(krb5_context context, HDB *db, hdb_entry *ent)
+{
+    if (db->master_key_set == 0)
+	return 0;
+    
+    return hdb_seal_keys_mkey(context, ent, db->master_key);
+}
+
+krb5_error_code
+hdb_set_master_key (krb5_context context,
+		    HDB *db,
+		    krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    hdb_master_key mkey;
+
+    ret = hdb_process_master_key(context, 0, key, 0, &mkey);
+    if (ret)
+	return ret;
+    db->master_key = mkey;
+#if 0 /* XXX - why? */
+    des_set_random_generator_seed(key.keyvalue.data);
+#endif
+    db->master_key_set = 1;
+    return 0;
+}
+
+krb5_error_code
+hdb_set_master_keyfile (krb5_context context,
+			HDB *db,
+			const char *keyfile)
+{
+    hdb_master_key key;
+    krb5_error_code ret;
+
+    ret = hdb_read_master_key(context, keyfile, &key);
+    if (ret) {
+	if (ret != ENOENT)
+	    return ret;
+	return 0;
+    }
+    db->master_key = key;
+    db->master_key_set = 1;
+    return ret;
+}
+
+krb5_error_code
+hdb_clear_master_key (krb5_context context,
+		      HDB *db)
+{
+    if (db->master_key_set) {
+	hdb_free_master_key(context, db->master_key);
+	db->master_key_set = 0;
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/hdb/ndbm.c b/crypto/heimdal/lib/hdb/ndbm.c
new file mode 100644
index 0000000..b4335f9
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/ndbm.c
@@ -0,0 +1,323 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "hdb_locl.h"
+
+RCSID("$Id: ndbm.c,v 1.30 2001/01/30 01:24:00 assar Exp $");
+
+#if defined(HAVE_NDBM_H) || defined(HAVE_GDBM_NDBM_H)
+
+struct ndbm_db {
+    DBM *db;
+    int lock_fd;
+};
+
+static krb5_error_code
+NDBM_destroy(krb5_context context, HDB *db)
+{
+    krb5_error_code ret;
+
+    ret = hdb_clear_master_key (context, db);
+    free(db->name);
+    free(db);
+    return 0;
+}
+
+static krb5_error_code
+NDBM_lock(krb5_context context, HDB *db, int operation)
+{
+    struct ndbm_db *d = db->db;
+    return hdb_lock(d->lock_fd, operation);
+}
+
+static krb5_error_code
+NDBM_unlock(krb5_context context, HDB *db)
+{
+    struct ndbm_db *d = db->db;
+    return hdb_unlock(d->lock_fd);
+}
+
+static krb5_error_code
+NDBM_seq(krb5_context context, HDB *db, 
+	 unsigned flags, hdb_entry *entry, int first)
+
+{
+    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    datum key, value;
+    krb5_data key_data, data;
+    krb5_error_code ret = 0;
+
+    if(first)
+	key = dbm_firstkey(d->db);
+    else
+	key = dbm_nextkey(d->db);
+    if(key.dptr == NULL)
+	return HDB_ERR_NOENTRY;
+    key_data.data = key.dptr;
+    key_data.length = key.dsize;
+    ret = db->lock(context, db, HDB_RLOCK);
+    if(ret) return ret;
+    value = dbm_fetch(d->db, key);
+    db->unlock(context, db);
+    data.data = value.dptr;
+    data.length = value.dsize;
+    if(hdb_value2entry(context, &data, entry))
+	return NDBM_seq(context, db, flags, entry, 0);
+    if (db->master_key_set && (flags & HDB_F_DECRYPT)) {
+	ret = hdb_unseal_keys (context, db, entry);
+	if (ret)
+	    hdb_free_entry (context, entry);
+    }
+    if (entry->principal == NULL) {
+	entry->principal = malloc (sizeof(*entry->principal));
+	if (entry->principal == NULL) {
+	    ret = ENOMEM;
+	    hdb_free_entry (context, entry);
+	} else {
+	    hdb_key2principal (context, &key_data, entry->principal);
+	}
+    }
+    return ret;
+}
+
+
+static krb5_error_code
+NDBM_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return NDBM_seq(context, db, flags, entry, 1);
+}
+
+
+static krb5_error_code
+NDBM_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
+{
+    return NDBM_seq(context, db, flags, entry, 0);
+}
+
+static krb5_error_code
+NDBM_rename(krb5_context context, HDB *db, const char *new_name)
+{
+    /* XXX this function will break */
+    struct ndbm_db *d = db->db;
+
+    int ret;
+    char *old_dir, *old_pag, *new_dir, *new_pag;
+    char *new_lock;
+    int lock_fd;
+
+    /* lock old and new databases */
+    ret = db->lock(context, db, HDB_WLOCK);
+    if(ret) return ret;
+    asprintf(&new_lock, "%s.lock", new_name);
+    lock_fd = open(new_lock, O_RDWR | O_CREAT, 0600);
+    free(new_lock);
+    if(lock_fd < 0) {
+	ret = errno;
+	db->unlock(context, db);
+	return ret;
+    }
+    ret = hdb_lock(lock_fd, HDB_WLOCK);
+    if(ret) {
+	db->unlock(context, db);
+	close(lock_fd);
+	return ret;
+    }
+
+    asprintf(&old_dir, "%s.dir", db->name);
+    asprintf(&old_pag, "%s.pag", db->name);
+    asprintf(&new_dir, "%s.dir", new_name);
+    asprintf(&new_pag, "%s.pag", new_name);
+
+    ret = rename(old_dir, new_dir) || rename(old_pag, new_pag);
+    free(old_dir);
+    free(old_pag);
+    free(new_dir);
+    free(new_pag);
+    hdb_unlock(lock_fd);
+    db->unlock(context, db);
+
+    if(ret) {
+	close(lock_fd);
+	return errno;
+    }
+
+    close(d->lock_fd);
+    d->lock_fd = lock_fd;
+    
+    free(db->name);
+    db->name = strdup(new_name);
+    return 0;
+}
+
+static krb5_error_code
+NDBM__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply)
+{
+    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    datum k, v;
+    int code;
+
+    k.dptr  = key.data;
+    k.dsize = key.length;
+    code = db->lock(context, db, HDB_RLOCK);
+    if(code)
+	return code;
+    v = dbm_fetch(d->db, k);
+    db->unlock(context, db);
+    if(v.dptr == NULL)
+	return HDB_ERR_NOENTRY;
+
+    krb5_data_copy(reply, v.dptr, v.dsize);
+    return 0;
+}
+
+static krb5_error_code
+NDBM__put(krb5_context context, HDB *db, int replace, 
+	krb5_data key, krb5_data value)
+{
+    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    datum k, v;
+    int code;
+
+    k.dptr  = key.data;
+    k.dsize = key.length;
+    v.dptr  = value.data;
+    v.dsize = value.length;
+
+    code = db->lock(context, db, HDB_WLOCK);
+    if(code)
+	return code;
+    code = dbm_store(d->db, k, v, replace ? DBM_REPLACE : DBM_INSERT);
+    db->unlock(context, db);
+    if(code == 1)
+	return HDB_ERR_EXISTS;
+    if (code < 0)
+	return code;
+    return 0;
+}
+
+static krb5_error_code
+NDBM__del(krb5_context context, HDB *db, krb5_data key)
+{
+    struct ndbm_db *d = (struct ndbm_db *)db->db;
+    datum k;
+    int code;
+    krb5_error_code ret;
+
+    k.dptr = key.data;
+    k.dsize = key.length;
+    ret = db->lock(context, db, HDB_WLOCK);
+    if(ret) return ret;
+    code = dbm_delete(d->db, k);
+    db->unlock(context, db);
+    if(code < 0)
+	return errno;
+    return 0;
+}
+
+static krb5_error_code
+NDBM_open(krb5_context context, HDB *db, int flags, mode_t mode)
+{
+    krb5_error_code ret;
+    struct ndbm_db *d = malloc(sizeof(*d));
+    char *lock_file;
+
+    if(d == NULL)
+	return ENOMEM;
+    asprintf(&lock_file, "%s.lock", (char*)db->name);
+    if(lock_file == NULL) {
+	free(d);
+	return ENOMEM;
+    }
+    d->db = dbm_open((char*)db->name, flags, mode);
+    if(d->db == NULL){
+	free(d);
+	free(lock_file);
+	return errno;
+    }
+    d->lock_fd = open(lock_file, O_RDWR | O_CREAT, 0600);
+    free(lock_file);
+    if(d->lock_fd < 0){
+	dbm_close(d->db);
+	free(d);
+	return errno;
+    }
+    db->db = d;
+    if((flags & O_ACCMODE) == O_RDONLY)
+	ret = hdb_check_db_format(context, db);
+    else
+	ret = hdb_init_db(context, db);
+    if(ret == HDB_ERR_NOENTRY)
+	return 0;
+    return ret;
+}
+
+static krb5_error_code
+NDBM_close(krb5_context context, HDB *db)
+{
+    struct ndbm_db *d = db->db;
+    dbm_close(d->db);
+    close(d->lock_fd);
+    free(d);
+    return 0;
+}
+
+krb5_error_code
+hdb_ndbm_create(krb5_context context, HDB **db, 
+		const char *filename)
+{
+    *db = malloc(sizeof(**db));
+    if (*db == NULL)
+	return ENOMEM;
+
+    (*db)->db = NULL;
+    (*db)->name = strdup(filename);
+    (*db)->master_key_set = 0;
+    (*db)->openp = 0;
+    (*db)->open = NDBM_open;
+    (*db)->close = NDBM_close;
+    (*db)->fetch = _hdb_fetch;
+    (*db)->store = _hdb_store;
+    (*db)->remove = _hdb_remove;
+    (*db)->firstkey = NDBM_firstkey;
+    (*db)->nextkey= NDBM_nextkey;
+    (*db)->lock = NDBM_lock;
+    (*db)->unlock = NDBM_unlock;
+    (*db)->rename = NDBM_rename;
+    (*db)->_get = NDBM__get;
+    (*db)->_put = NDBM__put;
+    (*db)->_del = NDBM__del;
+    (*db)->destroy = NDBM_destroy;
+    return 0;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/hdb/print.c b/crypto/heimdal/lib/hdb/print.c
new file mode 100644
index 0000000..903e78b
--- /dev/null
+++ b/crypto/heimdal/lib/hdb/print.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 1999-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "hdb_locl.h"
+#include <ctype.h>
+
+RCSID("$Id: print.c,v 1.5 2001/01/26 15:08:36 joda Exp $");
+
+/* 
+   This is the present contents of a dump line. This might change at
+   any time. Fields are separated by white space.
+
+  principal
+  keyblock
+  	kvno
+	keys...
+		mkvno
+		enctype
+		keyvalue
+		salt (- means use normal salt)
+  creation date and principal
+  modification date and principal
+  principal valid from date (not used)
+  principal valid end date (not used)
+  principal key expires (not used)
+  max ticket life
+  max renewable life
+  flags
+  */
+
+static void
+append_hex(char *str, krb5_data *data)
+{
+    int i, s = 1;
+    char *p;
+
+    p = data->data;
+    for(i = 0; i < data->length; i++)
+	if(!isalnum((unsigned char)p[i]) && p[i] != '.'){
+	    s = 0;
+	    break;
+	}
+    if(s){
+	p = calloc(1, data->length + 2 + 1);
+	p[0] = '\"';
+	p[data->length + 1] = '\"';
+	memcpy(p + 1, data->data, data->length);
+    }else{
+	const char *xchars = "0123456789abcdef";
+	char *q = p = malloc(data->length * 2 + 1);
+	for(i = 0; i < data->length; i++) {
+	    unsigned char c = ((u_char*)data->data)[i];
+	    *q++ = xchars[(c & 0xf0) >> 4];
+	    *q++ = xchars[(c & 0xf)];
+	}
+	*q = '\0';
+    }
+    strcat(str, p);
+    free(p);
+}
+
+static char *
+time2str(time_t t)
+{
+    static char buf[128];
+    strftime(buf, sizeof(buf), "%Y%m%d%H%M%S", gmtime(&t));
+    return buf;
+}
+
+static krb5_error_code
+event2string(krb5_context context, Event *ev, char **str)
+{
+    char *p;
+    char *pr;
+    krb5_error_code ret;
+    if(ev == NULL){
+	*str = strdup("-");
+	return (*str == NULL) ? ENOMEM : 0;
+    }
+    if (ev->principal == NULL) {
+       pr = strdup("UNKNOWN");
+       if (pr == NULL)
+	   return ENOMEM;
+    } else {
+       ret = krb5_unparse_name(context, ev->principal, &pr);
+       if(ret)
+           return ret;
+    }
+    ret = asprintf(&p, "%s:%s", time2str(ev->time), pr);
+    free(pr);
+    if(ret < 0)
+	return ENOMEM;
+    *str = p;
+    return 0;
+}
+
+krb5_error_code
+hdb_entry2string(krb5_context context, hdb_entry *ent, char **str)
+{
+    char *p;
+    char buf[1024] = "";
+    char tmp[32];
+    int i;
+    krb5_error_code ret;
+
+    /* --- principal */
+    ret = krb5_unparse_name(context, ent->principal, &p);
+    if(ret)
+	return ret;
+    strlcat(buf, p, sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+    free(p);
+    /* --- kvno */
+    snprintf(tmp, sizeof(tmp), "%d", ent->kvno);
+    strlcat(buf, tmp, sizeof(buf));
+    /* --- keys */
+    for(i = 0; i < ent->keys.len; i++){
+	/* --- mkvno, keytype */
+	if(ent->keys.val[i].mkvno)
+	    snprintf(tmp, sizeof(tmp), ":%d:%d:", 
+		     *ent->keys.val[i].mkvno, 
+		     ent->keys.val[i].key.keytype);
+	else
+	    snprintf(tmp, sizeof(tmp), "::%d:", 
+		     ent->keys.val[i].key.keytype);
+	strlcat(buf, tmp, sizeof(buf));
+	/* --- keydata */
+	append_hex(buf, &ent->keys.val[i].key.keyvalue);
+	strlcat(buf, ":", sizeof(buf));
+	/* --- salt */
+	if(ent->keys.val[i].salt){
+	    snprintf(tmp, sizeof(tmp), "%u/", ent->keys.val[i].salt->type);
+	    strlcat(buf, tmp, sizeof(buf));
+	    append_hex(buf, &ent->keys.val[i].salt->salt);
+	}else
+	    strlcat(buf, "-", sizeof(buf));
+    }
+    strlcat(buf, " ", sizeof(buf));
+    /* --- created by */
+    event2string(context, &ent->created_by, &p);
+    strlcat(buf, p, sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+    free(p);
+    /* --- modified by */
+    event2string(context, ent->modified_by, &p);
+    strlcat(buf, p, sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+    free(p);
+
+    /* --- valid start */
+    if(ent->valid_start)
+	strlcat(buf, time2str(*ent->valid_start), sizeof(buf));
+    else
+	strlcat(buf, "-", sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+
+    /* --- valid end */
+    if(ent->valid_end)
+	strlcat(buf, time2str(*ent->valid_end), sizeof(buf));
+    else
+	strlcat(buf, "-", sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+    
+    /* --- password ends */
+    if(ent->pw_end)
+	strlcat(buf, time2str(*ent->pw_end), sizeof(buf));
+    else
+	strlcat(buf, "-", sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+
+    /* --- max life */
+    if(ent->max_life){
+	snprintf(tmp, sizeof(tmp), "%d", *ent->max_life);
+	strlcat(buf, tmp, sizeof(buf));
+    }else
+	strlcat(buf, "-", sizeof(buf));
+    strlcat(buf, " ", sizeof(buf));
+
+    /* --- max renewable life */
+    if(ent->max_renew){
+	snprintf(tmp, sizeof(tmp), "%d", *ent->max_renew);
+	strlcat(buf, tmp, sizeof(buf));
+    }else
+	strlcat(buf, "-", sizeof(buf));
+    
+    strlcat(buf, " ", sizeof(buf));
+
+    /* --- flags */
+    snprintf(tmp, sizeof(tmp), "%d", HDBFlags2int(ent->flags));
+    strlcat(buf, tmp, sizeof(buf));
+    
+    *str = strdup(buf);
+    
+    return 0;
+}
+
+/* print a hdb_entry to (FILE*)data; suitable for hdb_foreach */
+
+krb5_error_code
+hdb_print_entry(krb5_context context, HDB *db, hdb_entry *entry, void *data)
+{
+    char *p;
+    hdb_entry2string(context, entry, &p);
+    fprintf((FILE*)data, "%s\n", p);
+    free(p);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/ChangeLog b/crypto/heimdal/lib/kadm5/ChangeLog
new file mode 100644
index 0000000..605a970
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/ChangeLog
@@ -0,0 +1,526 @@
+2001-02-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* replay_log.c: add --{start-end}-version flags to replay just
+	part of the log
+
+2001-02-15  Assar Westerlund  <assar@sics.se>
+
+	* ipropd_master.c (main): fix select-loop to decrement ret
+	correctly.  from "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
+
+2001-01-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump versions
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* init_s.c (*): handle krb5_init_context failure consistently
+	* init_c.c (init_context): handle krb5_init_context failure
+	consistently
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5srv_la_LDFLAGS): bump version to 7:2:0
+
+2000-11-16  Assar Westerlund  <assar@sics.se>
+
+	* set_keys.c (make_keys): clean-up salting loop and try not to
+	leak memory
+
+	* ipropd_master.c (main): check for fd's being too large to select
+	on
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5srv_la_LDFLAGS): bump version to 7:1:0
+
+2000-08-10  Assar Westerlund  <assar@sics.se>
+
+	* acl.c (fetch_acl): fix wrong cases, use krb5_principal_match
+
+2000-08-07  Assar Westerlund  <assar@sics.se>
+
+	* ipropd_master.c (main): ignore SIGPIPE
+
+2000-08-06  Assar Westerlund  <assar@sics.se>
+
+	* ipropd_slave.c (receive_everything): make `fd' an int instead of
+	a pointer.  From Derrick J Brashear <shadow@dementia.org>
+
+2000-08-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* admin.h: change void** to void*
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump versions to 7:0:0 and 6:0:2
+
+2000-07-24  Assar Westerlund  <assar@sics.se>
+
+	* log.c (kadm5_log_get_version): rename kadm5_log_get_version_fd
+	and make a new that takes a context
+	(kadm5_log_nop): add logging of missing lengths
+	(kadm5_log_truncate): new function
+
+	* dump_log.c (print_entry): update and correct
+	* randkey_s.c: call _kadm5_bump_pw_expire
+	* truncate_log.c: new program for truncating the log
+	* Makefile.am (sbin_PROGRAMS): add truncate_log
+	(C_SOURCES): add bump_pw_expire.c
+	* bump_pw_expire.c: new function for extending password expiration
+
+2000-07-22  Assar Westerlund  <assar@sics.se>
+
+	* keys.c: new file with _kadm5_free_keys, _kadm5_init_keys
+
+	* set_keys.c (free_keys, init_keys): elevate to internal kadm5
+	functions
+
+	* chpass_s.c (kadm5_s_chpass_principal_cond): new function
+	* Makefile.am (C_SOURCES): add keys.c
+	* init_c.c: remove unused variable and handle some parameters
+	being NULL
+
+2000-07-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ipropd_slave.c: use krb5_read_priv_message
+
+	* ipropd_master.c: use krb5_{read,write}_priv_message
+
+	* init_c.c: use krb5_write_priv_message
+
+2000-07-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ipropd_slave.c: no need to call gethostname, since
+	sname_to_principal will
+
+	* send_recv.c: assert that we have a connected socket
+
+	* get_princs_c.c: call _kadm5_connect
+
+	* rename_c.c: call _kadm5_connect
+
+	* randkey_c.c: call _kadm5_connect
+
+	* privs_c.c: call _kadm5_connect
+
+	* modify_c.c: call _kadm5_connect
+
+	* get_c.c: call _kadm5_connect
+
+	* delete_c.c: call _kadm5_connect
+
+	* create_c.c: call _kadm5_connect
+
+	* chpass_c.c: call _kadm5_connect
+
+	* private.h: add more fields to client context; remove prototypes
+
+	* admin.h: remove prototypes
+
+	* kadm5-protos.h: move public prototypes here
+
+	* kadm5-private.h: move private prototypes here
+
+	* init_c.c: break out connection code to separate function, and
+	defer calling it until we actually do something
+
+2000-07-07  Assar Westerlund  <assar@sics.se>
+
+	* set_keys.c (make_keys): also support `[kadmin]use_v4_salt' for
+	backwards compatability
+
+2000-06-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* set_keys.c (_kadm5_set_keys): rewrite this to be more easily
+	adaptable to different salts
+	
+2000-06-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* get_s.c: pa_* -> KRB5_PADATA_*
+
+2000-06-16  Assar Westerlund  <assar@sics.se>
+
+	* ipropd_slave.c: change default keytab to default keytab (as in
+	typically FILE:/etc/krb5.keytab)
+
+2000-06-08  Assar Westerlund  <assar@sics.se>
+
+	* ipropd_slave.c: bug fixes, for actually writing the full dump to
+	the database.  based on a patch from Love <lha@stacken.kth.se>
+
+2000-06-07  Assar Westerlund  <assar@sics.se>
+
+	* acl.c: add support for patterns of principals
+	* log.c (kadm5_log_replay_create): handle more NULL pointers
+	(should they really happen?)
+	* log.c (kadm5_log_replay_modify): handle max_life == NULL and
+	max_renew == NULL
+
+	* ipropd_master.c: use syslog.  be less verbose
+	* ipropd_slave.c: use syslog
+
+2000-06-05  Assar Westerlund  <assar@sics.se>
+
+	* private.h (kadm_ops): add kadm_nop more prototypes
+	* log.c (kadm5_log_set_version, kadm5_log_reinit, kadm5_log_nop,
+	kadm5_log_replay_nop): add
+	* ipropd_slave.c: and some more improvements
+	* ipropd_master.c: lots of improvements
+	* iprop.h (IPROP_PORT, IPROP_SERVICE): add
+	(iprop_cmd): add new commands
+
+	* dump_log.c: add nop
+
+2000-05-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5clnt_la_LDFLAGS): set version to 5:1:1
+
+2000-05-12  Assar Westerlund  <assar@sics.se>
+
+	* get_s.c (kadm5_s_get_principal): set life, rlife to INT_MAX as a
+	fallback.  handle not having any creator.
+	* destroy_s.c (kadm5_s_destroy): free all allocated memory
+	* context_s.c (set_field): free variable if it's already set
+	(find_db_spec): malloc space for all strings
+
+2000-04-05  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (LDADD): add LIB_openldap
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5srv_la_LDFLAGS): set version to 6:0:1
+	(libkadm5clnt_la_LDFLAGS): set version to 5:0:1
+
+2000-03-24  Assar Westerlund  <assar@sics.se>
+
+	* set_keys.c (_kadm5_set_keys2): rewrite
+	(_kadm5_set_keys3): add
+
+	* private.h (struct kadm_func): add chpass_principal_with_key
+	* init_c.c (set_funcs): add chpass_principal_with_key
+
+2000-03-23  Assar Westerlund  <assar@sics.se>
+
+	* context_s.c (set_funcs): add chpass_principal_with_key
+	* common_glue.c (kadm5_chpass_principal_with_key): add
+	* chpass_s.c: comment-ize and change calling convention for
+	_kadm5_set_keys*
+	* chpass_c.c (kadm5_c_chpass_principal_with_key): add
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5clnt_la_LDFLAGS): set version to 4:2:0
+
+2000-01-28  Assar Westerlund  <assar@sics.se>
+
+	* init_c.c (get_new_cache): make sure to request non-forwardable,
+	non-proxiable
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5srv.la): bump version to 5:1:0
+
+	* context_s.c (_kadm5_s_init_context): handle params == NULL
+
+1999-12-26  Assar Westerlund  <assar@sics.se>
+
+	* get_s.c (kadm5_s_get_principal): handle modified_by->principal
+ 	== NULL
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkadm5clnt_la_LDFLAGS): bump version to 4:1:0
+
+	* init_c.c (_kadm5_c_init_context): handle getting back port
+ 	number from admin host
+	(kadm5_c_init_with_context): remove `proto/' part before doing
+	getaddrinfo()
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 5:0:0 and 4:0:0
+
+	* init_c.c (kadm5_c_init_with_context): don't use unitialized
+ 	stuff
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* replay_log.c: adapt to changed kadm5_log_foreach
+
+	* log.c (kadm5_log_foreach): change to take a
+ 	`kadm5_server_context'
+
+	* init_c.c: use krb5_warn{,x}
+
+	* dump_log.c: adapt to changed kadm5_log_foreach
+
+	* init_c.c: re-write to use getaddrinfo
+	* Makefile.am (install-build-headers): add dependency
+	
+1999-12-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* log.c (kadm5_log_foreach): pass context
+
+	* dump_log.c: print more interesting things
+
+1999-12-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ipropd_master.c (process_msg): check for short reads
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* modify_s.c (kadm5_s_modify_principal): support key_data
+	(kadm5_s_modify_principal_with_key): remove
+
+	* admin.h (kadm5_s_modify_principal_with_key): remove
+
+1999-11-20  Assar Westerlund  <assar@sics.se>
+
+	* context_s.c (find_db_spec): ugly cast work-around.
+
+1999-11-14  Assar Westerlund  <assar@sics.se>
+
+	* context_s.c (_kadm5_s_init_context): call krb5_add_et_list so
+ 	that we aren't dependent on the layout of krb5_context_data
+	* init_c.c (_kadm5_c_init_context): call krb5_add_et_list so that
+ 	we aren't dependent on the layout of krb5_context_data
+
+1999-11-13  Assar Westerlund  <assar@sics.se>
+
+	* password_quality.c (kadm5_setup_passwd_quality_check): use
+	correct types for function pointers
+	
+1999-11-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* randkey_s.c: always bail out if the fetch fails
+
+	* admin.h (kadm5_config_params): remove fields we're not using
+
+	* ipropd_slave.c: allow passing a realm
+
+	* ipropd_master.c: allow passing a realm
+
+	* dump_log.c: allow passing a realm
+
+	* acl.c: correctly get acl file
+
+	* private.h (kadm5_server_context): add config_params struct and
+	remove acl_file; bump protocol version number
+
+	* marshall.c: marshalling of config parameters
+
+	* init_c.c (kadm5_c_init_with_context): try to cope with old
+	servers
+
+	* init_s.c (kadm5_s_init_with_context): actually use some passed
+	values
+
+	* context_s.c (_kadm5_s_init_context): get dbname, acl_file, and
+	stash_file from the config parameters, try to figure out these if
+	they're not provided
+
+1999-11-05  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (install-build-headers): use `cp' instead of
+ 	INSTALL_DATA
+
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 4:0:0 and 3:0:0 (they access fields
+ 	directly in libkrb5's context - bad functions)
+
+	* set_keys.c (_kadm5_set_keys_randomly): set enctypes correctly in
+ 	the copied keys
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version of kadm5srv to 3:0:2 (new password
+ 	quality functions).
+ 	set version of kdam5clnt to 2:1:1 (no interface changes)
+
+	* Makefile.am (LDADD): add $(LIB_dlopen)
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* randkey_s.c (kadm5_s_randkey_principal): use
+ 	_kadm5_set_keys_randomly
+
+	* set_keys.c (free_keys): free more memory
+	(_kadm5_set_keys): a little bit more generic
+	(_kadm5_set_keys_randomly): new function for setting random keys.
+
+1999-10-14  Assar Westerlund  <assar@sics.se>
+
+	* set_keys.c (_kadm5_set_keys): ignore old keys when setting new
+ 	ones and always add 3 DES keys and one 3DES key
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* init_c.c (_kadm5_c_init_context): use `krb5_get_krb_admin_hst'.
+  	check return value from strdup
+
+1999-09-26  Assar Westerlund  <assar@sics.se>
+
+	* acl.c (_kadm5_privs_to_string): forgot one strcpy_truncate ->
+ 	strlcpy
+
+1999-09-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* dump_log.c: remove unused `optind'
+
+	* replay_log.c: remove unused `optind'
+
+1999-09-13  Assar Westerlund  <assar@sics.se>
+
+	* chpass_c.c (kadm5_c_chpass_principal): new _kadm5_client_recv
+
+	* send_recv.c (_kadm5_client_recv): return result in a `krb5_data'
+ 	so that we avoid copying it and don't need to dimension in
+ 	advance.  change all callers.
+
+1999-09-10  Assar Westerlund  <assar@sics.se>
+
+	* password_quality.c: new file
+
+	* admin.h
+ 	(kadm5_setup_passwd_quality_check,kadm5_check_password_quality):
+ 	add prototypes
+
+	* Makefile.am (S_SOURCES): add password_quality.c
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: update versions to 2:0:1
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* ent_setup.c (_kadm5_setup_entry): make princ_expire_time == 0
+ 	and pw_expiration == 0 mean never
+
+1999-07-22  Assar Westerlund  <assar@sics.se>
+
+	* log.c (kadm5_log_flush): extra cast
+
+1999-07-07  Assar Westerlund  <assar@sics.se>
+
+	* marshall.c (store_principal_ent): encoding princ_expire_time and
+ 	pw_expiration in correct order
+
+1999-06-28  Assar Westerlund  <assar@sics.se>
+
+	* randkey_s.c (kadm5_s_randkey_principal): nuke old mkvno,
+ 	otherwise hdb will think that the new random keys are already
+ 	encrypted which will cause lots of confusion later.
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* ent_setup.c (_kadm5_setup_entry): handle 0 == unlimited
+ 	correctly.  From Michal Vocu <michal@karlin.mff.cuni.cz>
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* init_c.c (get_cred_cache): use get_default_username
+
+1999-05-23  Assar Westerlund  <assar@sics.se>
+
+	* create_s.c (create_principal): if there's no default entry the
+	mask should be zero.
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* init_c.c (get_cred_cache): use $USERNAME
+
+1999-05-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* init_c.c (get_cred_cache): figure out principal
+
+1999-05-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* send_recv.c: cleanup _kadm5_client_{send,recv}
+
+1999-05-04  Assar Westerlund  <assar@sics.se>
+
+	* set_keys.c (_kadm5_set_keys2): don't check the recently created
+ 	memory for NULL pointers
+
+	* private.h (_kadm5_setup_entry): change prototype
+
+	* modify_s.c: call new _kadm5_setup_entry
+
+	* ent_setup.c (_kadm5_setup_entry): change so that it takes three
+ 	masks, one for what bits to set and one for each of principal and
+ 	def containing the bits that are set there.
+
+	* create_s.c: call new _kadm5_setup_entry
+
+	* create_s.c (get_default): check return value
+	(create_principal): send wider mask to _kadm5_setup_entry
+
+1999-05-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* send_recv.c (_kadm5_client_recv): handle arbitrarily sized
+	packets, check for errors
+
+	* get_c.c: check for failure from _kadm5_client_{send,recv}
+
+1999-05-04  Assar Westerlund  <assar@sics.se>
+
+	* init_c.c (get_new_cache): don't abort when interrupted from
+ 	password prompt
+	
+	* destroy_c.c (kadm5_c_destroy): check if we should destroy the
+ 	auth context
+
+1999-05-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* chpass_s.c: fix arguments to _kadm5_set_keys2
+
+	* private.h: proto
+
+	* set_keys.c: clear mkvno
+
+	* rename_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* randkey_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* modify_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* log.c: add flags to fetch and store; seal keys before logging
+
+	* get_s.c: add flags to fetch and store; seal keys before logging
+
+	* get_princs_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* delete_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* create_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* chpass_s.c: add flags to fetch and store; seal keys before
+	logging
+
+	* Makefile.am: remove server.c
+
+	* admin.h: add prototypes
+
+	* ent_setup.c (_kadm5_setup_entry): set key_data
+
+	* set_keys.c: add _kadm5_set_keys2 to sey keys from key_data
+
+	* modify_s.c: add kadm5_s_modify_principal_with_key
+
+	* create_s.c: add kadm5_s_create_principal_with_key
+
+	* chpass_s.c: add kadm5_s_chpass_principal_with_key
+
+	* kadm5_locl.h: move stuff to private.h
+
+	* private.h: move stuff from kadm5_locl.h
+	
\ No newline at end of file
diff --git a/crypto/heimdal/lib/kadm5/Makefile.am b/crypto/heimdal/lib/kadm5/Makefile.am
new file mode 100644
index 0000000..d554b18
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/Makefile.am
@@ -0,0 +1,116 @@
+# $Id: Makefile.am,v 1.44 2001/01/30 01:56:00 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la
+libkadm5srv_la_LDFLAGS = -version-info 7:3:0
+libkadm5clnt_la_LDFLAGS = -version-info 6:1:2
+sbin_PROGRAMS = dump_log replay_log truncate_log
+
+libexec_PROGRAMS = ipropd-master ipropd-slave
+
+kadm5includedir = $(includedir)/kadm5
+buildkadm5include = $(buildinclude)/kadm5
+
+kadm5include_HEADERS = kadm5_err.h admin.h private.h \
+	kadm5-protos.h kadm5-private.h
+
+install-build-headers:: $(kadm5include_HEADERS)
+	@foo='$(kadm5include_HEADERS)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildkadm5include)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo "cp $$file $(buildkadm5include)/$$f";\
+			cp $$file $(buildkadm5include)/$$f; \
+		fi ; \
+	done
+
+C_SOURCES =					\
+	admin.h					\
+	chpass_c.c				\
+	common_glue.c				\
+	create_c.c				\
+	delete_c.c				\
+	destroy_c.c				\
+	flush_c.c				\
+	free.c					\
+	get_c.c					\
+	get_princs_c.c				\
+	init_c.c				\
+	kadm5_err.c				\
+	kadm5_locl.h				\
+	marshall.c				\
+	modify_c.c				\
+	private.h				\
+	privs_c.c				\
+	randkey_c.c				\
+	rename_c.c				\
+	send_recv.c
+
+S_SOURCES =					\
+	acl.c					\
+	admin.h					\
+	bump_pw_expire.c			\
+	chpass_s.c				\
+	common_glue.c				\
+	context_s.c				\
+	create_s.c				\
+	delete_s.c				\
+	destroy_s.c				\
+	ent_setup.c				\
+	error.c					\
+	flush_s.c				\
+	free.c					\
+	get_princs_s.c				\
+	get_s.c					\
+	init_s.c				\
+	kadm5_err.c				\
+	kadm5_locl.h				\
+	keys.c					\
+	log.c					\
+	marshall.c				\
+	modify_s.c				\
+	private.h				\
+	privs_s.c				\
+	randkey_s.c				\
+	rename_s.c				\
+	set_keys.c				\
+	set_modifier.c				\
+	password_quality.c
+
+libkadm5srv_la_SOURCES = $(S_SOURCES) server_glue.c
+libkadm5clnt_la_SOURCES = $(C_SOURCES) client_glue.c
+
+dump_log_SOURCES = dump_log.c kadm5_locl.h
+
+replay_log_SOURCES = replay_log.c kadm5_locl.h
+
+ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h
+
+ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h
+
+truncate_log_SOURCES = truncate_log.c
+
+LDADD = \
+	libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB) \
+	$(LIB_dlopen)
+
+CLEANFILES = kadm5_err.c kadm5_err.h
+
+$(libkadm5srv_la_OBJECTS): kadm5_err.h
+
+client_glue.lo server_glue.lo: $(srcdir)/common_glue.c
+
+# to help stupid solaris make
+
+kadm5_err.h: kadm5_err.et
diff --git a/crypto/heimdal/lib/kadm5/Makefile.in b/crypto/heimdal/lib/kadm5/Makefile.in
new file mode 100644
index 0000000..16f82a3
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/Makefile.in
@@ -0,0 +1,840 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.44 2001/01/30 01:56:00 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la
+libkadm5srv_la_LDFLAGS = -version-info 7:3:0
+libkadm5clnt_la_LDFLAGS = -version-info 6:1:2
+sbin_PROGRAMS = dump_log replay_log truncate_log
+
+libexec_PROGRAMS = ipropd-master ipropd-slave
+
+kadm5includedir = $(includedir)/kadm5
+buildkadm5include = $(buildinclude)/kadm5
+
+kadm5include_HEADERS = kadm5_err.h admin.h private.h \
+	kadm5-protos.h kadm5-private.h
+
+
+C_SOURCES = \
+	admin.h					\
+	chpass_c.c				\
+	common_glue.c				\
+	create_c.c				\
+	delete_c.c				\
+	destroy_c.c				\
+	flush_c.c				\
+	free.c					\
+	get_c.c					\
+	get_princs_c.c				\
+	init_c.c				\
+	kadm5_err.c				\
+	kadm5_locl.h				\
+	marshall.c				\
+	modify_c.c				\
+	private.h				\
+	privs_c.c				\
+	randkey_c.c				\
+	rename_c.c				\
+	send_recv.c
+
+
+S_SOURCES = \
+	acl.c					\
+	admin.h					\
+	bump_pw_expire.c			\
+	chpass_s.c				\
+	common_glue.c				\
+	context_s.c				\
+	create_s.c				\
+	delete_s.c				\
+	destroy_s.c				\
+	ent_setup.c				\
+	error.c					\
+	flush_s.c				\
+	free.c					\
+	get_princs_s.c				\
+	get_s.c					\
+	init_s.c				\
+	kadm5_err.c				\
+	kadm5_locl.h				\
+	keys.c					\
+	log.c					\
+	marshall.c				\
+	modify_s.c				\
+	private.h				\
+	privs_s.c				\
+	randkey_s.c				\
+	rename_s.c				\
+	set_keys.c				\
+	set_modifier.c				\
+	password_quality.c
+
+
+libkadm5srv_la_SOURCES = $(S_SOURCES) server_glue.c
+libkadm5clnt_la_SOURCES = $(C_SOURCES) client_glue.c
+
+dump_log_SOURCES = dump_log.c kadm5_locl.h
+
+replay_log_SOURCES = replay_log.c kadm5_locl.h
+
+ipropd_master_SOURCES = ipropd_master.c iprop.h kadm5_locl.h
+
+ipropd_slave_SOURCES = ipropd_slave.c iprop.h kadm5_locl.h
+
+truncate_log_SOURCES = truncate_log.c
+
+LDADD = \
+	libkadm5srv.la \
+	$(top_builddir)/lib/hdb/libhdb.la \
+	$(LIB_openldap) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB) \
+	$(LIB_dlopen)
+
+
+CLEANFILES = kadm5_err.c kadm5_err.h
+subdir = lib/kadm5
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libkadm5clnt_la_LIBADD = 
+am_libkadm5clnt_la_OBJECTS =  chpass_c.lo common_glue.lo create_c.lo \
+delete_c.lo destroy_c.lo flush_c.lo free.lo get_c.lo get_princs_c.lo \
+init_c.lo kadm5_err.lo marshall.lo modify_c.lo privs_c.lo randkey_c.lo \
+rename_c.lo send_recv.lo client_glue.lo
+libkadm5clnt_la_OBJECTS =  $(am_libkadm5clnt_la_OBJECTS)
+libkadm5srv_la_LIBADD = 
+am_libkadm5srv_la_OBJECTS =  acl.lo bump_pw_expire.lo chpass_s.lo \
+common_glue.lo context_s.lo create_s.lo delete_s.lo destroy_s.lo \
+ent_setup.lo error.lo flush_s.lo free.lo get_princs_s.lo get_s.lo \
+init_s.lo kadm5_err.lo keys.lo log.lo marshall.lo modify_s.lo \
+privs_s.lo randkey_s.lo rename_s.lo set_keys.lo set_modifier.lo \
+password_quality.lo server_glue.lo
+libkadm5srv_la_OBJECTS =  $(am_libkadm5srv_la_OBJECTS)
+libexec_PROGRAMS =  ipropd-master$(EXEEXT) ipropd-slave$(EXEEXT)
+sbin_PROGRAMS =  dump_log$(EXEEXT) replay_log$(EXEEXT) \
+truncate_log$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS) $(sbin_PROGRAMS)
+
+am_dump_log_OBJECTS =  dump_log.$(OBJEXT)
+dump_log_OBJECTS =  $(am_dump_log_OBJECTS)
+dump_log_LDADD = $(LDADD)
+dump_log_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+dump_log_LDFLAGS = 
+am_ipropd_master_OBJECTS =  ipropd_master.$(OBJEXT)
+ipropd_master_OBJECTS =  $(am_ipropd_master_OBJECTS)
+ipropd_master_LDADD = $(LDADD)
+ipropd_master_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+ipropd_master_LDFLAGS = 
+am_ipropd_slave_OBJECTS =  ipropd_slave.$(OBJEXT)
+ipropd_slave_OBJECTS =  $(am_ipropd_slave_OBJECTS)
+ipropd_slave_LDADD = $(LDADD)
+ipropd_slave_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+ipropd_slave_LDFLAGS = 
+am_replay_log_OBJECTS =  replay_log.$(OBJEXT)
+replay_log_OBJECTS =  $(am_replay_log_OBJECTS)
+replay_log_LDADD = $(LDADD)
+replay_log_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+replay_log_LDFLAGS = 
+am_truncate_log_OBJECTS =  truncate_log.$(OBJEXT)
+truncate_log_OBJECTS =  $(am_truncate_log_OBJECTS)
+truncate_log_LDADD = $(LDADD)
+truncate_log_DEPENDENCIES =  libkadm5srv.la \
+$(top_builddir)/lib/hdb/libhdb.la $(top_builddir)/lib/krb5/libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+truncate_log_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) \
+$(dump_log_SOURCES) $(ipropd_master_SOURCES) $(ipropd_slave_SOURCES) \
+$(replay_log_SOURCES) $(truncate_log_SOURCES)
+HEADERS =  $(kadm5include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(kadm5include_HEADERS) ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libkadm5clnt_la_SOURCES) $(libkadm5srv_la_SOURCES) $(dump_log_SOURCES) $(ipropd_master_SOURCES) $(ipropd_slave_SOURCES) $(replay_log_SOURCES) $(truncate_log_SOURCES)
+OBJECTS = $(am_libkadm5clnt_la_OBJECTS) $(am_libkadm5srv_la_OBJECTS) $(am_dump_log_OBJECTS) $(am_ipropd_master_OBJECTS) $(am_ipropd_slave_OBJECTS) $(am_replay_log_OBJECTS) $(am_truncate_log_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/kadm5/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libkadm5clnt.la: $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libkadm5clnt_la_LDFLAGS) $(libkadm5clnt_la_OBJECTS) $(libkadm5clnt_la_LIBADD) $(LIBS)
+
+libkadm5srv.la: $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libkadm5srv_la_LDFLAGS) $(libkadm5srv_la_OBJECTS) $(libkadm5srv_la_LIBADD) $(LIBS)
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-sbinPROGRAMS:
+
+clean-sbinPROGRAMS:
+	-test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS)
+
+distclean-sbinPROGRAMS:
+
+maintainer-clean-sbinPROGRAMS:
+
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(sbindir)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(sbindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-sbinPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(sbin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \
+	  rm -f $(DESTDIR)$(sbindir)/$$f; \
+	done
+
+dump_log$(EXEEXT): $(dump_log_OBJECTS) $(dump_log_DEPENDENCIES)
+	@rm -f dump_log$(EXEEXT)
+	$(LINK) $(dump_log_LDFLAGS) $(dump_log_OBJECTS) $(dump_log_LDADD) $(LIBS)
+
+ipropd-master$(EXEEXT): $(ipropd_master_OBJECTS) $(ipropd_master_DEPENDENCIES)
+	@rm -f ipropd-master$(EXEEXT)
+	$(LINK) $(ipropd_master_LDFLAGS) $(ipropd_master_OBJECTS) $(ipropd_master_LDADD) $(LIBS)
+
+ipropd-slave$(EXEEXT): $(ipropd_slave_OBJECTS) $(ipropd_slave_DEPENDENCIES)
+	@rm -f ipropd-slave$(EXEEXT)
+	$(LINK) $(ipropd_slave_LDFLAGS) $(ipropd_slave_OBJECTS) $(ipropd_slave_LDADD) $(LIBS)
+
+replay_log$(EXEEXT): $(replay_log_OBJECTS) $(replay_log_DEPENDENCIES)
+	@rm -f replay_log$(EXEEXT)
+	$(LINK) $(replay_log_LDFLAGS) $(replay_log_OBJECTS) $(replay_log_LDADD) $(LIBS)
+
+truncate_log$(EXEEXT): $(truncate_log_OBJECTS) $(truncate_log_DEPENDENCIES)
+	@rm -f truncate_log$(EXEEXT)
+	$(LINK) $(truncate_log_LDFLAGS) $(truncate_log_OBJECTS) $(truncate_log_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-kadm5includeHEADERS: $(kadm5include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(kadm5includedir)
+	@list='$(kadm5include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(kadm5includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(kadm5includedir)/$$f; \
+	done
+
+uninstall-kadm5includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(kadm5include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(kadm5includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(kadm5includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES install-libexecPROGRAMS \
+		install-sbinPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-kadm5includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-libexecPROGRAMS \
+		uninstall-sbinPROGRAMS uninstall-kadm5includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(sbindir) $(DESTDIR)$(kadm5includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-libexecPROGRAMS \
+		mostlyclean-sbinPROGRAMS mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-libexecPROGRAMS clean-sbinPROGRAMS clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-libexecPROGRAMS \
+		distclean-sbinPROGRAMS distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-sbinPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-libexecPROGRAMS \
+distclean-libexecPROGRAMS clean-libexecPROGRAMS \
+maintainer-clean-libexecPROGRAMS uninstall-libexecPROGRAMS \
+install-libexecPROGRAMS mostlyclean-sbinPROGRAMS distclean-sbinPROGRAMS \
+clean-sbinPROGRAMS maintainer-clean-sbinPROGRAMS uninstall-sbinPROGRAMS \
+install-sbinPROGRAMS uninstall-kadm5includeHEADERS \
+install-kadm5includeHEADERS tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+install-build-headers:: $(kadm5include_HEADERS)
+	@foo='$(kadm5include_HEADERS)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildkadm5include)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo "cp $$file $(buildkadm5include)/$$f";\
+			cp $$file $(buildkadm5include)/$$f; \
+		fi ; \
+	done
+
+$(libkadm5srv_la_OBJECTS): kadm5_err.h
+
+client_glue.lo server_glue.lo: $(srcdir)/common_glue.c
+
+# to help stupid solaris make
+
+kadm5_err.h: kadm5_err.et
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/kadm5/acl.c b/crypto/heimdal/lib/kadm5/acl.c
new file mode 100644
index 0000000..c963171
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/acl.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: acl.c,v 1.12 2000/08/10 19:24:08 assar Exp $");
+
+static struct units acl_units[] = {
+    { "all",		KADM5_PRIV_ALL },
+    { "change-password",KADM5_PRIV_CPW },
+    { "cpw",		KADM5_PRIV_CPW },
+    { "list",		KADM5_PRIV_LIST },
+    { "delete",		KADM5_PRIV_DELETE },
+    { "modify",		KADM5_PRIV_MODIFY },
+    { "add",		KADM5_PRIV_ADD },
+    { "get", 		KADM5_PRIV_GET },
+    { NULL }
+};
+
+kadm5_ret_t
+_kadm5_string_to_privs(const char *s, u_int32_t* privs)
+{
+    int flags;
+    flags = parse_flags(s, acl_units, 0);
+    if(flags < 0)
+	return KADM5_FAILURE;
+    *privs = flags;
+    return 0;
+}
+
+kadm5_ret_t
+_kadm5_privs_to_string(u_int32_t privs, char *string, size_t len)
+{
+    if(privs == 0)
+	strlcpy(string, "none", len);
+    else
+	unparse_flags(privs, acl_units + 1, string, len);
+    return 0;
+}
+
+/*
+ * retrieve the right for the current caller on `princ' (NULL means all)
+ * and store them in `ret_flags'
+ * return 0 or an error.
+ */
+
+static kadm5_ret_t
+fetch_acl (kadm5_server_context *context,
+	   krb5_const_principal princ,
+	   unsigned *ret_flags)
+{
+    unsigned flags = -1;
+    FILE *f = fopen(context->config.acl_file, "r");
+    krb5_error_code ret = 0;
+
+    if(f != NULL) {
+	char buf[256];
+
+	while(fgets(buf, sizeof(buf), f) != NULL){
+	    char *foo = NULL, *p;
+	    krb5_principal this_princ;
+
+	    flags = -1;
+	    p = strtok_r(buf, " \t\n", &foo);
+	    if(p == NULL)
+		continue;
+	    ret = krb5_parse_name(context->context, p, &this_princ);
+	    if(ret)
+		continue;
+	    if(!krb5_principal_compare(context->context, 
+				       context->caller, this_princ)) {
+		krb5_free_principal(context->context, this_princ);
+		continue;
+	    }
+	    krb5_free_principal(context->context, this_princ);
+	    p = strtok_r(NULL, " \t\n", &foo);
+	    if(p == NULL)
+		continue;
+	    ret = _kadm5_string_to_privs(p, &flags);
+	    if (ret)
+		break;
+	    p = strtok_r(NULL, "\n", &foo);
+	    if (p == NULL) {
+		ret = 0;
+		break;
+	    }
+	    if (princ != NULL) {
+		krb5_principal pattern_princ;
+		krb5_boolean tmp;
+
+		ret = krb5_parse_name (context->context, p, &pattern_princ);
+		if (ret)
+		    break;
+		tmp = krb5_principal_match (context->context,
+					    princ, pattern_princ);
+		krb5_free_principal (context->context, pattern_princ);
+		if (tmp) {
+		    ret = 0;
+		    break;
+		}
+	    }
+	}
+	fclose(f);
+    }
+    if(flags == -1)
+	flags = 0;
+    if (ret == 0)
+	*ret_flags = flags;
+    return ret;
+}
+
+/*
+ * set global acl flags in `context' for the current caller.
+ * return 0 on success or an error
+ */
+
+kadm5_ret_t
+_kadm5_acl_init(kadm5_server_context *context)
+{
+    krb5_principal princ;
+    krb5_error_code ret;
+    
+    ret = krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ);
+    if (ret)
+	return ret;
+    ret = krb5_principal_compare(context->context, context->caller, princ);
+    krb5_free_principal(context->context, princ);
+    if(ret != 0) {
+	context->acl_flags = KADM5_PRIV_ALL;
+	return 0;
+    }
+
+    return fetch_acl (context, NULL, &context->acl_flags);
+}
+
+/*
+ * check if `flags' allows `op'
+ * return 0 if OK or an error
+ */
+
+static kadm5_ret_t
+check_flags (unsigned op,
+	     unsigned flags)
+{
+    unsigned res = ~flags & op;
+
+    if(res & KADM5_PRIV_GET)
+	return KADM5_AUTH_GET;
+    if(res & KADM5_PRIV_ADD)
+	return KADM5_AUTH_ADD;
+    if(res & KADM5_PRIV_MODIFY)
+	return KADM5_AUTH_MODIFY;
+    if(res & KADM5_PRIV_DELETE)
+	return KADM5_AUTH_DELETE;
+    if(res & KADM5_PRIV_CPW)
+	return KADM5_AUTH_CHANGEPW;
+    if(res & KADM5_PRIV_LIST)
+	return KADM5_AUTH_LIST;
+    if(res)
+	return KADM5_AUTH_INSUFFICIENT;
+    return 0;
+}
+
+/*
+ * return 0 if the current caller in `context' is allowed to perform
+ * `op' on `princ' and otherwise an error
+ * princ == NULL if it's not relevant.
+ */
+
+kadm5_ret_t
+_kadm5_acl_check_permission(kadm5_server_context *context,
+			    unsigned op,
+			    krb5_const_principal princ)
+{
+    kadm5_ret_t ret;
+    unsigned princ_flags;
+
+    ret = check_flags (op, context->acl_flags);
+    if (ret == 0)
+	return ret;
+    ret = fetch_acl (context, princ, &princ_flags);
+    if (ret)
+	return ret;
+    return check_flags (op, princ_flags);
+}
diff --git a/crypto/heimdal/lib/kadm5/admin.h b/crypto/heimdal/lib/kadm5/admin.h
new file mode 100644
index 0000000..d9bd85f
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/admin.h
@@ -0,0 +1,243 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: admin.h,v 1.18 2000/08/04 11:26:21 joda Exp $ */
+
+#ifndef __KADM5_ADMIN_H__
+#define __KADM5_ADMIN_H__
+
+#define KADM5_API_VERSION_1 1
+#define KADM5_API_VERSION_2 2
+
+#ifndef USE_KADM5_API_VERSION
+#define USE_KADM5_API_VERSION KADM5_API_VERSION_2
+#endif
+
+#if USE_KADM5_API_VERSION != KADM5_API_VERSION_2
+#error No support for API versions other than 2
+#endif
+
+#define KADM5_STRUCT_VERSION 0
+
+#include <krb5.h>
+
+#define KRB5_KDB_DISALLOW_POSTDATED	0x00000001
+#define KRB5_KDB_DISALLOW_FORWARDABLE	0x00000002
+#define KRB5_KDB_DISALLOW_TGT_BASED	0x00000004
+#define KRB5_KDB_DISALLOW_RENEWABLE	0x00000008
+#define KRB5_KDB_DISALLOW_PROXIABLE	0x00000010
+#define KRB5_KDB_DISALLOW_DUP_SKEY	0x00000020
+#define KRB5_KDB_DISALLOW_ALL_TIX	0x00000040
+#define KRB5_KDB_REQUIRES_PRE_AUTH	0x00000080
+#define KRB5_KDB_REQUIRES_HW_AUTH	0x00000100
+#define KRB5_KDB_REQUIRES_PWCHANGE	0x00000200
+#define KRB5_KDB_DISALLOW_SVR		0x00001000
+#define KRB5_KDB_PWCHANGE_SERVICE	0x00002000
+#define KRB5_KDB_SUPPORT_DESMD5		0x00004000
+#define KRB5_KDB_NEW_PRINC		0x00008000
+
+#define KADM5_PRINCIPAL		0x000001
+#define KADM5_PRINC_EXPIRE_TIME	0x000002
+#define KADM5_PW_EXPIRATION	0x000004
+#define KADM5_LAST_PWD_CHANGE	0x000008
+#define KADM5_ATTRIBUTES	0x000010
+#define KADM5_MAX_LIFE		0x000020
+#define KADM5_MOD_TIME		0x000040
+#define KADM5_MOD_NAME		0x000080
+#define KADM5_KVNO		0x000100
+#define KADM5_MKVNO		0x000200
+#define KADM5_AUX_ATTRIBUTES	0x000400
+#define KADM5_POLICY		0x000800
+#define KADM5_POLICY_CLR	0x001000
+#define KADM5_MAX_RLIFE		0x002000
+#define KADM5_LAST_SUCCESS	0x004000
+#define KADM5_LAST_FAILED	0x008000
+#define KADM5_FAIL_AUTH_COUNT	0x010000
+#define KADM5_KEY_DATA		0x020000
+#define KADM5_TL_DATA		0x040000
+
+#define KADM5_PRINCIPAL_NORMAL_MASK (~(KADM5_KEY_DATA | KADM5_TL_DATA))
+
+#define KADM5_PW_MAX_LIFE 	0x004000
+#define KADM5_PW_MIN_LIFE	0x008000
+#define KADM5_PW_MIN_LENGTH 	0x010000
+#define KADM5_PW_MIN_CLASSES	0x020000
+#define KADM5_PW_HISTORY_NUM	0x040000
+#define KADM5_REF_COUNT		0x080000
+
+#define KADM5_POLICY_NORMAL_MASK (~0)
+
+#define KADM5_ADMIN_SERVICE	"kadmin/admin"
+#define KADM5_HIST_PRINCIPAL	"kadmin/history"
+#define KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
+
+typedef struct _krb5_key_data {
+    int16_t key_data_ver;	/* Version */
+    int16_t key_data_kvno;	/* Key Version */
+    int16_t key_data_type[2];	/* Array of types */
+    int16_t key_data_length[2];	/* Array of lengths */
+    void*   key_data_contents[2];/* Array of pointers */
+} krb5_key_data;
+
+typedef struct _krb5_tl_data {
+    struct _krb5_tl_data* tl_data_next;
+    int16_t tl_data_type;         
+    int16_t tl_data_length;       
+    void*   tl_data_contents;     
+} krb5_tl_data;
+
+typedef struct _kadm5_principal_ent_t {
+    krb5_principal principal;
+
+    krb5_timestamp princ_expire_time;
+    krb5_timestamp last_pwd_change;
+    krb5_timestamp pw_expiration;
+    krb5_deltat max_life;
+    krb5_principal mod_name;
+    krb5_timestamp mod_date;
+    krb5_flags attributes;
+    krb5_kvno kvno;
+    krb5_kvno mkvno;
+
+    char * policy;
+    u_int32_t aux_attributes;
+
+    krb5_deltat max_renewable_life;
+    krb5_timestamp last_success;
+    krb5_timestamp last_failed;
+    krb5_kvno fail_auth_count;
+    int16_t n_key_data;
+    int16_t n_tl_data;
+    krb5_tl_data *tl_data;
+    krb5_key_data *key_data;
+} kadm5_principal_ent_rec, *kadm5_principal_ent_t;
+
+typedef struct _kadm5_policy_ent_t {
+    char *policy;
+
+    u_int32_t pw_min_life;
+    u_int32_t pw_max_life;
+    u_int32_t pw_min_length;
+    u_int32_t pw_min_classes;
+    u_int32_t pw_history_num;
+    u_int32_t policy_refcnt;
+} kadm5_policy_ent_rec, *kadm5_policy_ent_t;
+
+#define KADM5_CONFIG_REALM			(1 << 0)
+#define KADM5_CONFIG_PROFILE			(1 << 1)
+#define KADM5_CONFIG_KADMIND_PORT		(1 << 2)
+#define KADM5_CONFIG_ADMIN_SERVER		(1 << 3)
+#define KADM5_CONFIG_DBNAME			(1 << 4)
+#define KADM5_CONFIG_ADBNAME			(1 << 5)
+#define KADM5_CONFIG_ADB_LOCKFILE		(1 << 6)
+#define KADM5_CONFIG_ACL_FILE			(1 << 7)
+#define KADM5_CONFIG_DICT_FILE			(1 << 8)
+#define KADM5_CONFIG_ADMIN_KEYTAB		(1 << 9)
+#define KADM5_CONFIG_MKEY_FROM_KEYBOARD		(1 << 10)
+#define KADM5_CONFIG_STASH_FILE			(1 << 11)
+#define KADM5_CONFIG_MKEY_NAME			(1 << 12)
+#define KADM5_CONFIG_ENCTYPE			(1 << 13)
+#define KADM5_CONFIG_MAX_LIFE			(1 << 14)
+#define KADM5_CONFIG_MAX_RLIFE			(1 << 15)
+#define KADM5_CONFIG_EXPIRATION			(1 << 16)
+#define KADM5_CONFIG_FLAGS			(1 << 17)
+#define KADM5_CONFIG_ENCTYPES			(1 << 18)
+
+#define KADM5_PRIV_GET		(1 << 0)
+#define KADM5_PRIV_ADD 		(1 << 1)
+#define KADM5_PRIV_MODIFY	(1 << 2)
+#define KADM5_PRIV_DELETE	(1 << 3)
+#define KADM5_PRIV_LIST		(1 << 4)
+#define KADM5_PRIV_CPW		(1 << 5)
+#define KADM5_PRIV_ALL		(KADM5_PRIV_GET | KADM5_PRIV_ADD | KADM5_PRIV_MODIFY | KADM5_PRIV_DELETE | KADM5_PRIV_LIST | KADM5_PRIV_CPW)
+
+typedef struct {
+    int XXX;
+}krb5_key_salt_tuple;
+
+typedef struct _kadm5_config_params {
+    u_int32_t mask;
+
+    /* Client and server fields */
+    char *realm;
+    int kadmind_port;
+
+    /* client fields */
+    char *admin_server;
+
+    /* server fields */
+    char *dbname;
+    char *acl_file;
+
+    /* server library (database) fields */
+    char *stash_file;
+} kadm5_config_params;
+
+typedef krb5_error_code kadm5_ret_t;
+
+#include "kadm5-protos.h"
+
+#if 0
+/* unimplemented functions */
+kadm5_ret_t 
+kadm5_decrypt_key(void *server_handle,
+		  kadm5_principal_ent_t entry, int32_t
+		  ktype, int32_t stype, int32_t
+		  kvno, krb5_keyblock *keyblock,
+		  krb5_keysalt *keysalt, int *kvnop);
+
+kadm5_ret_t
+kadm5_create_policy(void *server_handle,
+		    kadm5_policy_ent_t policy, u_int32_t mask); 
+
+kadm5_ret_t
+kadm5_delete_policy(void *server_handle, char *policy);
+
+
+kadm5_ret_t
+kadm5_modify_policy(void *server_handle,
+		    kadm5_policy_ent_t policy, 
+		    u_int32_t mask);
+
+kadm5_ret_t
+kadm5_get_policy(void *server_handle, char *policy, kadm5_policy_ent_t ent); 
+
+kadm5_ret_t
+kadm5_get_policies(void *server_handle, char *exp,
+		   char ***pols, int *count);
+
+void 
+kadm5_free_policy_ent(kadm5_policy_ent_t policy);
+
+#endif
+
+#endif /* __KADM5_ADMIN_H__ */
diff --git a/crypto/heimdal/lib/kadm5/bump_pw_expire.c b/crypto/heimdal/lib/kadm5/bump_pw_expire.c
new file mode 100644
index 0000000..a185c20
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/bump_pw_expire.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: bump_pw_expire.c,v 1.1 2000/07/24 03:47:54 assar Exp $");
+
+/*
+ * extend password_expiration if it's defined
+ */
+
+kadm5_ret_t
+_kadm5_bump_pw_expire(kadm5_server_context *context,
+		      hdb_entry *ent)
+{
+    if (ent->pw_end != NULL) {
+	time_t life;
+
+	life = krb5_config_get_time_default(context->context,
+					    NULL,
+					    365 * 24 * 60 * 60,
+					    "kadmin",
+					    "password_lifetime",
+					    NULL);
+
+	*(ent->pw_end) = time(NULL) + life;
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/chpass_c.c b/crypto/heimdal/lib/kadm5/chpass_c.c
new file mode 100644
index 0000000..b06b8cd
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/chpass_c.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: chpass_c.c,v 1.5 2000/07/11 15:59:14 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_chpass_principal(void *server_handle, 
+			 krb5_principal princ,
+			 char *password)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_chpass);
+    krb5_store_principal(sp, princ);
+    krb5_store_string(sp, password);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return tmp;
+}
+
+kadm5_ret_t
+kadm5_c_chpass_principal_with_key(void *server_handle, 
+				  krb5_principal princ,
+				  int n_key_data,
+				  krb5_key_data *key_data)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+    int i;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_chpass_with_key);
+    krb5_store_principal(sp, princ);
+    krb5_store_int32(sp, n_key_data);
+    for (i = 0; i < n_key_data; ++i)
+	kadm5_store_key_data (sp, &key_data[i]);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/kadm5/chpass_s.c b/crypto/heimdal/lib/kadm5/chpass_s.c
new file mode 100644
index 0000000..2133469
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/chpass_s.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: chpass_s.c,v 1.13 2001/01/30 01:24:28 assar Exp $");
+
+static kadm5_ret_t
+change(void *server_handle, 
+       krb5_principal princ,
+       char *password,
+       int cond)
+{
+    kadm5_server_context *context = server_handle;
+    hdb_entry ent;
+    kadm5_ret_t ret;
+    Key *keys;
+    size_t num_keys;
+    int cmp = 1;
+
+    ent.principal = princ;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 
+			     0, &ent);
+    if(ret == HDB_ERR_NOENTRY)
+	goto out;
+
+    num_keys = ent.keys.len;
+    keys     = ent.keys.val;
+
+    ent.keys.len = 0;
+    ent.keys.val = NULL;
+
+    ret = _kadm5_set_keys(context, &ent, password);
+    if(ret) {
+	_kadm5_free_keys (server_handle, num_keys, keys);
+	goto out2;
+    }
+    if (cond)
+	cmp = _kadm5_cmp_keys (ent.keys.val, ent.keys.len,
+			       keys, num_keys);
+    _kadm5_free_keys (server_handle, num_keys, keys);
+
+    if (cmp == 0)
+	goto out2;
+
+    ret = _kadm5_set_modifier(context, &ent);
+    if(ret)
+	goto out2;
+
+    ret = _kadm5_bump_pw_expire(context, &ent);
+    if (ret)
+	goto out2;
+
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out2;
+
+    kadm5_log_modify (context,
+		      &ent,
+		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
+		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION);
+    
+    ret = context->db->store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
+out2:
+    hdb_free_entry(context->context, &ent);
+out:
+    context->db->close(context->context, context->db);
+    return _kadm5_error_code(ret);
+}
+
+
+
+/*
+ * change the password of `princ' to `password' if it's not already that.
+ */
+
+kadm5_ret_t
+kadm5_s_chpass_principal_cond(void *server_handle, 
+			      krb5_principal princ,
+			      char *password)
+{
+    return change (server_handle, princ, password, 1);
+}
+
+/*
+ * change the password of `princ' to `password'
+ */
+
+kadm5_ret_t
+kadm5_s_chpass_principal(void *server_handle, 
+			 krb5_principal princ,
+			 char *password)
+{
+    return change (server_handle, princ, password, 0);
+}
+
+/*
+ * change keys for `princ' to `keys'
+ */
+
+kadm5_ret_t
+kadm5_s_chpass_principal_with_key(void *server_handle, 
+				  krb5_principal princ,
+				  int n_key_data,
+				  krb5_key_data *key_data)
+{
+    kadm5_server_context *context = server_handle;
+    hdb_entry ent;
+    kadm5_ret_t ret;
+    ent.principal = princ;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    if(ret == HDB_ERR_NOENTRY)
+	goto out;
+    ret = _kadm5_set_keys2(context, &ent, n_key_data, key_data);
+    if(ret)
+	goto out2;
+    ret = _kadm5_set_modifier(context, &ent);
+    if(ret)
+	goto out2;
+    ret = _kadm5_bump_pw_expire(context, &ent);
+    if (ret)
+	goto out2;
+
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out2;
+
+    kadm5_log_modify (context,
+		      &ent,
+		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
+		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION);
+    
+    ret = context->db->store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
+out2:
+    hdb_free_entry(context->context, &ent);
+out:
+    context->db->close(context->context, context->db);
+    return _kadm5_error_code(ret);
+}
diff --git a/crypto/heimdal/lib/kadm5/client_glue.c b/crypto/heimdal/lib/kadm5/client_glue.c
new file mode 100644
index 0000000..395577d
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/client_glue.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: client_glue.c,v 1.5 1999/12/02 17:05:05 joda Exp $");
+
+kadm5_ret_t
+kadm5_init_with_password(const char *client_name,
+			 const char *password,
+			 const char *service_name,
+			 kadm5_config_params *realm_params,
+			 unsigned long struct_version,
+			 unsigned long api_version,
+			 void **server_handle)
+{
+    return kadm5_c_init_with_password(client_name,
+				      password,
+				      service_name,
+				      realm_params,
+				      struct_version,
+				      api_version,
+				      server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_password_ctx(krb5_context context,
+			     const char *client_name,
+			     const char *password,
+			     const char *service_name,
+			     kadm5_config_params *realm_params,
+			     unsigned long struct_version,
+			     unsigned long api_version,
+			     void **server_handle)
+{
+    return kadm5_c_init_with_password_ctx(context,
+					  client_name,
+					  password,
+					  service_name,
+					  realm_params,
+					  struct_version,
+					  api_version,
+					  server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_skey(const char *client_name,
+		     const char *keytab,
+		     const char *service_name,
+		     kadm5_config_params *realm_params,
+		     unsigned long struct_version,
+		     unsigned long api_version,
+		     void **server_handle)
+{
+    return kadm5_c_init_with_skey(client_name,
+				  keytab,
+				  service_name,
+				  realm_params,
+				  struct_version,
+				  api_version,
+				  server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_skey_ctx(krb5_context context,
+			 const char *client_name,
+			 const char *keytab,
+			 const char *service_name,
+			 kadm5_config_params *realm_params,
+			 unsigned long struct_version,
+			 unsigned long api_version,
+			 void **server_handle)
+{
+    return kadm5_c_init_with_skey_ctx(context,
+				      client_name,
+				      keytab,
+				      service_name,
+				      realm_params,
+				      struct_version,
+				      api_version,
+				      server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_creds(const char *client_name,
+		      krb5_ccache ccache,
+		      const char *service_name,
+		      kadm5_config_params *realm_params,
+		      unsigned long struct_version,
+		      unsigned long api_version,
+		      void **server_handle)
+{
+    return kadm5_c_init_with_creds(client_name,
+				   ccache,
+				   service_name,
+				   realm_params,
+				   struct_version,
+				   api_version,
+				   server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_creds_ctx(krb5_context context,
+			  const char *client_name,
+			  krb5_ccache ccache,
+			  const char *service_name,
+			  kadm5_config_params *realm_params,
+			  unsigned long struct_version,
+			  unsigned long api_version,
+			  void **server_handle)
+{
+    return kadm5_c_init_with_creds_ctx(context,
+				       client_name,
+				       ccache,
+				       service_name,
+				       realm_params,
+				       struct_version,
+				       api_version,
+				       server_handle);
+}
diff --git a/crypto/heimdal/lib/kadm5/common_glue.c b/crypto/heimdal/lib/kadm5/common_glue.c
new file mode 100644
index 0000000..b508282
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/common_glue.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: common_glue.c,v 1.5 2000/03/23 22:58:26 assar Exp $");
+
+#define __CALL(F, P) (*((kadm5_common_context*)server_handle)->funcs.F)P;
+
+kadm5_ret_t
+kadm5_chpass_principal(void *server_handle,
+		       krb5_principal princ,
+		       char *password)
+{
+    return __CALL(chpass_principal, (server_handle, princ, password));
+}
+
+kadm5_ret_t
+kadm5_chpass_principal_with_key(void *server_handle,
+				krb5_principal princ,
+				int n_key_data,
+				krb5_key_data *key_data)
+{
+    return __CALL(chpass_principal_with_key,
+		  (server_handle, princ, n_key_data, key_data));
+}
+
+kadm5_ret_t
+kadm5_create_principal(void *server_handle,
+		       kadm5_principal_ent_t princ,
+		       u_int32_t mask,
+		       char *password)
+{
+    return __CALL(create_principal, (server_handle, princ, mask, password));
+}
+
+kadm5_ret_t
+kadm5_delete_principal(void *server_handle,
+		       krb5_principal princ)
+{
+    return __CALL(delete_principal, (server_handle, princ));
+}
+
+kadm5_ret_t
+kadm5_destroy (void *server_handle)
+{
+    return __CALL(destroy, (server_handle));
+}
+
+kadm5_ret_t
+kadm5_flush (void *server_handle)
+{
+    return __CALL(flush, (server_handle));
+}
+
+kadm5_ret_t
+kadm5_get_principal(void *server_handle,
+		    krb5_principal princ,
+		    kadm5_principal_ent_t out,
+		    u_int32_t mask)
+{
+    return __CALL(get_principal, (server_handle, princ, out, mask));
+}
+
+kadm5_ret_t
+kadm5_modify_principal(void *server_handle,
+		       kadm5_principal_ent_t princ,
+		       u_int32_t mask)
+{
+    return __CALL(modify_principal, (server_handle, princ, mask));
+}
+
+kadm5_ret_t
+kadm5_randkey_principal(void *server_handle,
+			krb5_principal princ,
+			krb5_keyblock **new_keys,
+			int *n_keys)
+{
+    return __CALL(randkey_principal, (server_handle, princ, new_keys, n_keys));
+}
+
+kadm5_ret_t
+kadm5_rename_principal(void *server_handle,
+		       krb5_principal source,
+		       krb5_principal target)
+{
+    return __CALL(rename_principal, (server_handle, source, target));
+}
+
+kadm5_ret_t
+kadm5_get_principals(void *server_handle,
+		     const char *exp,
+		     char ***princs,
+		     int *count)
+{
+    return __CALL(get_principals, (server_handle, exp, princs, count));
+}
+
+kadm5_ret_t
+kadm5_get_privs(void *server_handle,
+		u_int32_t *privs)
+{
+    return __CALL(get_privs, (server_handle, privs));
+}
diff --git a/crypto/heimdal/lib/kadm5/context_s.c b/crypto/heimdal/lib/kadm5/context_s.c
new file mode 100644
index 0000000..805f4f0
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/context_s.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: context_s.c,v 1.15 2000/05/12 15:22:33 assar Exp $");
+
+static void
+set_funcs(kadm5_server_context *c)
+{
+#define SET(C, F) (C)->funcs.F = kadm5_s_ ## F
+    SET(c, chpass_principal);
+    SET(c, chpass_principal_with_key);
+    SET(c, create_principal);
+    SET(c, delete_principal);
+    SET(c, destroy);
+    SET(c, flush);
+    SET(c, get_principal);
+    SET(c, get_principals);
+    SET(c, get_privs);
+    SET(c, modify_principal);
+    SET(c, randkey_principal);
+    SET(c, rename_principal);
+}
+
+struct database_spec {
+    char *dbpath;
+    char *logfile;
+    char *mkeyfile;
+    char *aclfile;
+};
+
+static void
+set_field(krb5_context context, krb5_config_binding *binding, 
+	  const char *dbname, const char *name, const char *ext, 
+	  char **variable)
+{
+    const char *p;
+
+    if (*variable != NULL)
+	free (*variable);
+
+    p = krb5_config_get_string(context, binding, name, NULL);
+    if(p)
+	*variable = strdup(p);
+    else {
+	p = strrchr(dbname, '.');
+	if(p == NULL)
+	    asprintf(variable, "%s.%s", dbname, ext);
+	else
+	    asprintf(variable, "%.*s.%s", (int)(p - dbname), dbname, ext);
+    }
+}
+
+static void
+set_socket_name(const char *dbname, struct sockaddr_un *un)
+{
+    const char *p;
+    memset(un, 0, sizeof(*un));
+    un->sun_family = AF_UNIX;
+    p = strrchr(dbname, '.');
+    if(p == NULL)
+	snprintf(un->sun_path, sizeof(un->sun_path), "%s.signal", 
+		 dbname);
+    else
+	snprintf(un->sun_path, sizeof(un->sun_path), "%.*s.signal", 
+		 (int)(p - dbname), dbname);
+}
+
+static void
+set_config(kadm5_server_context *ctx,
+	   krb5_config_binding *binding)
+{
+    const char *p;
+    if(ctx->config.dbname == NULL) {
+	p = krb5_config_get_string(ctx->context, binding, "dbname", NULL);
+	if(p)
+	    ctx->config.dbname = strdup(p);
+	else
+	    ctx->config.dbname = strdup(HDB_DEFAULT_DB);
+    }
+    if(ctx->log_context.log_file == NULL)
+	set_field(ctx->context, binding, ctx->config.dbname, 
+		  "log_file", "log", &ctx->log_context.log_file);
+    set_socket_name(ctx->config.dbname, &ctx->log_context.socket_name);
+    if(ctx->config.acl_file == NULL)
+	set_field(ctx->context, binding, ctx->config.dbname, 
+		  "acl_file", "acl", &ctx->config.acl_file);
+    /* XXX calling a file a `stash file' isn't very clever */
+    if(ctx->config.stash_file == NULL)
+	set_field(ctx->context, binding, ctx->config.dbname, 
+		  "mkey_file", "mkey", &ctx->config.stash_file);
+}
+
+static kadm5_ret_t
+find_db_spec(kadm5_server_context *ctx)
+{
+    krb5_config_binding *top_binding = NULL;
+    krb5_config_binding *db_binding;
+    krb5_config_binding *default_binding = NULL;
+    krb5_context context = ctx->context;
+
+    while((db_binding = (krb5_config_binding *)
+	   krb5_config_get_next(context,
+				NULL, &top_binding, 
+				krb5_config_list, 
+				"kdc", 
+				"database",
+				NULL))) {
+	const char *p;
+	p = krb5_config_get_string(context, db_binding, "realm", NULL);
+	if(p == NULL) {
+	    if(default_binding) {
+		krb5_warnx(context, "WARNING: more than one realm-less "
+			   "database specification");
+		krb5_warnx(context, "WARNING: using the first encountered");
+	    } else
+		default_binding = db_binding;
+	    continue;
+	}
+	if(strcmp(ctx->config.realm, p) != 0)
+	    continue;
+	
+	set_config(ctx, db_binding);
+	return 0;
+    }
+    if(default_binding)
+	set_config(ctx, default_binding);
+    else {
+	ctx->config.dbname        = strdup(HDB_DEFAULT_DB);
+	ctx->config.acl_file      = strdup(HDB_DB_DIR "/kadmind.acl");
+	ctx->config.stash_file    = strdup(HDB_DB_DIR "/m-key");
+	ctx->log_context.log_file = strdup(HDB_DB_DIR "/log");
+	memset(&ctx->log_context.socket_name, 0, 
+	       sizeof(ctx->log_context.socket_name));
+	ctx->log_context.socket_name.sun_family = AF_UNIX;
+	strlcpy(ctx->log_context.socket_name.sun_path, 
+		KADM5_LOG_SIGNAL, 
+		sizeof(ctx->log_context.socket_name.sun_path));
+    }
+    return 0;
+}
+
+kadm5_ret_t
+_kadm5_s_init_context(kadm5_server_context **ctx, 
+		      kadm5_config_params *params,
+		      krb5_context context)
+{
+    *ctx = malloc(sizeof(**ctx));
+    if(*ctx == NULL)
+	return ENOMEM;
+    memset(*ctx, 0, sizeof(**ctx));
+    set_funcs(*ctx);
+    (*ctx)->context = context;
+    krb5_add_et_list (context, initialize_kadm5_error_table_r);
+#define is_set(M) (params && params->mask & KADM5_CONFIG_ ## M)
+    if(is_set(REALM))
+	(*ctx)->config.realm = strdup(params->realm);
+    else
+	krb5_get_default_realm(context, &(*ctx)->config.realm);
+    if(is_set(DBNAME))
+	(*ctx)->config.dbname = strdup(params->dbname);
+    if(is_set(ACL_FILE))
+	(*ctx)->config.acl_file = strdup(params->acl_file);
+    if(is_set(STASH_FILE))
+	(*ctx)->config.stash_file = strdup(params->stash_file);
+    
+    find_db_spec(*ctx);
+    
+    /* PROFILE can't be specified for now */
+    /* KADMIND_PORT is supposed to be used on the server also, 
+       but this doesn't make sense */
+    /* ADMIN_SERVER is client only */
+    /* ADNAME is not used at all (as far as I can tell) */
+    /* ADB_LOCKFILE ditto */
+    /* DICT_FILE */
+    /* ADMIN_KEYTAB */
+    /* MKEY_FROM_KEYBOARD is not supported */
+    /* MKEY_NAME neither */
+    /* ENCTYPE */
+    /* MAX_LIFE */
+    /* MAX_RLIFE */
+    /* EXPIRATION */
+    /* FLAGS */
+    /* ENCTYPES */
+
+    return 0;
+}
+
+HDB *
+_kadm5_s_get_db(void *server_handle)
+{
+    kadm5_server_context *context = server_handle;
+    return context->db;
+}
diff --git a/crypto/heimdal/lib/kadm5/create_c.c b/crypto/heimdal/lib/kadm5/create_c.c
new file mode 100644
index 0000000..8d81cb3
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/create_c.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: create_c.c,v 1.4 2000/07/11 15:59:21 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_create_principal(void *server_handle,
+			 kadm5_principal_ent_t princ, 
+			 u_int32_t mask,
+			 char *password)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_create);
+    kadm5_store_principal_ent(sp, princ);
+    krb5_store_int32(sp, mask);
+    krb5_store_string(sp, password);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return tmp;
+}
+
diff --git a/crypto/heimdal/lib/kadm5/create_s.c b/crypto/heimdal/lib/kadm5/create_s.c
new file mode 100644
index 0000000..287211b
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/create_s.c
@@ -0,0 +1,198 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: create_s.c,v 1.19 2001/01/30 01:24:28 assar Exp $");
+
+static kadm5_ret_t
+get_default(kadm5_server_context *context, krb5_principal princ, 
+	    kadm5_principal_ent_t def)
+{
+    kadm5_ret_t ret;
+    krb5_principal def_principal;
+    krb5_realm *realm = krb5_princ_realm(context->context, princ);
+
+    ret = krb5_make_principal(context->context, &def_principal, 
+			      *realm, "default", NULL);
+    if (ret)
+	return ret;
+    ret = kadm5_s_get_principal(context, def_principal, def, 
+				KADM5_PRINCIPAL_NORMAL_MASK);
+    krb5_free_principal (context->context, def_principal);
+    return ret;
+}
+
+static kadm5_ret_t
+create_principal(kadm5_server_context *context,
+		 kadm5_principal_ent_t princ,
+		 u_int32_t mask,
+		 hdb_entry *ent,
+		 u_int32_t required_mask,
+		 u_int32_t forbidden_mask)
+{
+    kadm5_ret_t ret;
+    kadm5_principal_ent_rec defrec, *defent;
+    u_int32_t def_mask;
+    
+    if((mask & required_mask) != required_mask)
+	return KADM5_BAD_MASK;
+    if((mask & forbidden_mask))
+	return KADM5_BAD_MASK;
+    if((mask & KADM5_POLICY) && strcmp(princ->policy, "default"))
+	/* XXX no real policies for now */
+	return KADM5_UNK_POLICY;
+    memset(ent, 0, sizeof(*ent));
+    ret  = krb5_copy_principal(context->context, princ->principal, 
+			       &ent->principal);
+    if(ret)
+	return ret;
+    
+    defent = &defrec;
+    ret = get_default(context, princ->principal, defent);
+    if(ret) {
+	defent   = NULL;
+	def_mask = 0;
+    } else {
+	def_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE;
+    }
+
+    ret = _kadm5_setup_entry(context,
+			     ent, mask | def_mask,
+			     princ, mask,
+			     defent, def_mask);
+    if(defent)
+	kadm5_free_principal_ent(context, defent);
+    
+    ent->created_by.time = time(NULL);
+    ret = krb5_copy_principal(context->context, context->caller, 
+			      &ent->created_by.principal);
+
+    return ret;
+}
+
+kadm5_ret_t
+kadm5_s_create_principal_with_key(void *server_handle,
+				  kadm5_principal_ent_t princ,
+				  u_int32_t mask)
+{
+    kadm5_ret_t ret;
+    hdb_entry ent;
+    kadm5_server_context *context = server_handle;
+
+    ret = create_principal(context, princ, mask, &ent,
+			   KADM5_PRINCIPAL | KADM5_KEY_DATA,
+			   KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME 
+			   | KADM5_MOD_NAME | KADM5_MKVNO 
+			   | KADM5_AUX_ATTRIBUTES 
+			   | KADM5_POLICY_CLR | KADM5_LAST_SUCCESS 
+			   | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT);
+    if(ret)
+	goto out;
+
+    ret = _kadm5_set_keys2(context, &ent, princ->n_key_data, princ->key_data);
+    if(ret)
+	goto out;
+    
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out;
+    
+    kadm5_log_create (context, &ent);
+
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	goto out;
+    ret = context->db->store(context->context, context->db, 0, &ent);
+    context->db->close(context->context, context->db);
+out:
+    hdb_free_entry(context->context, &ent);
+    return _kadm5_error_code(ret);
+}
+				  
+
+kadm5_ret_t
+kadm5_s_create_principal(void *server_handle,
+			 kadm5_principal_ent_t princ, 
+			 u_int32_t mask,
+			 char *password)
+{
+    kadm5_ret_t ret;
+    hdb_entry ent;
+    kadm5_server_context *context = server_handle;
+
+    ret = create_principal(context, princ, mask, &ent,
+			   KADM5_PRINCIPAL,
+			   KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME 
+			   | KADM5_MOD_NAME | KADM5_MKVNO 
+			   | KADM5_AUX_ATTRIBUTES | KADM5_KEY_DATA
+			   | KADM5_POLICY_CLR | KADM5_LAST_SUCCESS 
+			   | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT);
+    if(ret)
+	goto out;
+
+    /* XXX this should be fixed */
+    ent.keys.len = 4;
+    ent.keys.val = calloc(ent.keys.len, sizeof(*ent.keys.val));
+    ent.keys.val[0].key.keytype = ETYPE_DES_CBC_CRC;
+    /* flag as version 4 compatible salt; ignored by _kadm5_set_keys
+       if we don't want to be compatible */
+    ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt));
+    ent.keys.val[0].salt->type = hdb_pw_salt;
+    ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
+    ent.keys.val[1].salt = calloc(1, sizeof(*ent.keys.val[1].salt));
+    ent.keys.val[1].salt->type = hdb_pw_salt;
+    ent.keys.val[2].key.keytype = ETYPE_DES_CBC_MD5;
+    ent.keys.val[2].salt = calloc(1, sizeof(*ent.keys.val[2].salt));
+    ent.keys.val[2].salt->type = hdb_pw_salt;
+    ent.keys.val[3].key.keytype = ETYPE_DES3_CBC_SHA1;
+    ret = _kadm5_set_keys(context, &ent, password);
+    if (ret)
+	goto out;
+
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out;
+    
+    kadm5_log_create (context, &ent);
+
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	goto out;
+    ret = context->db->store(context->context, context->db, 0, &ent);
+    context->db->close(context->context, context->db);
+out:
+    hdb_free_entry(context->context, &ent);
+    return _kadm5_error_code(ret);
+}
+
diff --git a/crypto/heimdal/lib/kadm5/delete_c.c b/crypto/heimdal/lib/kadm5/delete_c.c
new file mode 100644
index 0000000..7575c5e
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/delete_c.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: delete_c.c,v 1.4 2000/07/11 15:59:29 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_delete_principal(void *server_handle, krb5_principal princ)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_delete);
+    krb5_store_principal(sp, princ);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if (ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if (ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if(sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/kadm5/delete_s.c b/crypto/heimdal/lib/kadm5/delete_s.c
new file mode 100644
index 0000000..2f2bf88
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/delete_s.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: delete_s.c,v 1.9 2001/01/30 01:24:28 assar Exp $");
+
+kadm5_ret_t
+kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
+{
+    kadm5_server_context *context = server_handle;
+    kadm5_ret_t ret;
+    hdb_entry ent;
+
+    ent.principal = princ;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret) {
+	krb5_warn(context->context, ret, "opening database");
+	return ret;
+    }
+    ret = context->db->fetch(context->context, context->db, 
+			     HDB_F_DECRYPT, &ent);
+    if(ret == HDB_ERR_NOENTRY)
+	goto out2;
+    if(ent.flags.immutable) {
+	ret = KADM5_PROTECT_PRINCIPAL;
+	goto out;
+    }
+    
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out;
+
+    kadm5_log_delete (context, princ);
+    
+    ret = context->db->remove(context->context, context->db, &ent);
+out:
+    hdb_free_entry(context->context, &ent);
+out2:
+    context->db->close(context->context, context->db);
+    return _kadm5_error_code(ret);
+}
diff --git a/crypto/heimdal/lib/kadm5/destroy_c.c b/crypto/heimdal/lib/kadm5/destroy_c.c
new file mode 100644
index 0000000..b42c84c
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/destroy_c.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: destroy_c.c,v 1.3 1999/12/02 17:05:05 joda Exp $");
+
+kadm5_ret_t 
+kadm5_c_destroy(void *server_handle)
+{
+    kadm5_client_context *context = server_handle;
+
+    free(context->realm);
+    free(context->admin_server);
+    close(context->sock);
+    if (context->ac != NULL)
+	krb5_auth_con_free(context->context, context->ac);
+    if(context->my_context)
+	krb5_free_context(context->context);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/destroy_s.c b/crypto/heimdal/lib/kadm5/destroy_s.c
new file mode 100644
index 0000000..a8ad328
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/destroy_s.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: destroy_s.c,v 1.6 2000/05/12 15:23:13 assar Exp $");
+
+/*
+ * dealloc a `kadm5_config_params'
+ */
+
+static void
+destroy_config (kadm5_config_params *c)
+{
+    free (c->realm);
+    free (c->dbname);
+    free (c->acl_file);
+    free (c->stash_file);
+}
+
+/*
+ * dealloc a kadm5_log_context
+ */
+
+static void
+destroy_kadm5_log_context (kadm5_log_context *c)
+{
+    free (c->log_file);
+    close (c->socket_fd);
+}
+
+/*
+ * destroy a kadm5 handle
+ */
+
+kadm5_ret_t 
+kadm5_s_destroy(void *server_handle)
+{
+    kadm5_ret_t ret;
+    kadm5_server_context *context = server_handle;
+    krb5_context kcontext = context->context;
+
+    ret = context->db->destroy(kcontext, context->db);
+    destroy_kadm5_log_context (&context->log_context);
+    destroy_config (&context->config);
+    krb5_free_principal (kcontext, context->caller);
+    if(context->my_context)
+	krb5_free_context(kcontext);
+    free (context);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/dump_log.c b/crypto/heimdal/lib/kadm5/dump_log.c
new file mode 100644
index 0000000..691f2d3
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/dump_log.c
@@ -0,0 +1,267 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+#include "parse_time.h"
+
+RCSID("$Id: dump_log.c,v 1.11 2000/07/24 04:30:11 assar Exp $");
+
+static char *op_names[] = {
+    "get",
+    "delete",
+    "create",
+    "rename",
+    "chpass",
+    "modify",
+    "randkey",
+    "get_privs",
+    "get_princs",
+    "chpass_with_key",
+    "nop"
+};
+
+static void
+print_entry(kadm5_server_context *server_context,
+	    u_int32_t ver,
+	    time_t timestamp,
+	    enum kadm_ops op,
+	    u_int32_t len,
+	    krb5_storage *sp)
+{
+    char t[256];
+    u_int32_t mask;
+    hdb_entry ent;
+    krb5_principal source;
+    char *name1, *name2;
+    krb5_data data;
+    krb5_context context = server_context->context;
+
+    off_t end = sp->seek(sp, 0, SEEK_CUR) + len;
+    
+    krb5_error_code ret;
+
+    strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", localtime(&timestamp));
+
+    if(op < kadm_get || op > kadm_nop) {
+	printf("unknown op: %d\n", op);
+	sp->seek(sp, end, SEEK_SET);
+	return;
+    }
+
+    printf ("%s: ver = %u, timestamp = %s, len = %u\n",
+	    op_names[op], ver, t, len);
+    switch(op) {
+    case kadm_delete:
+	krb5_ret_principal(sp, &source);
+	krb5_unparse_name(context, source, &name1);
+	printf("    %s\n", name1);
+	free(name1);
+	krb5_free_principal(context, source);
+	break;
+    case kadm_rename:
+	krb5_data_alloc(&data, len);
+	krb5_ret_principal(sp, &source);
+	sp->fetch(sp, data.data, data.length);
+	hdb_value2entry(context, &data, &ent);
+	krb5_unparse_name(context, source, &name1);
+	krb5_unparse_name(context, ent.principal, &name2);
+	printf("    %s -> %s\n", name1, name2);
+	free(name1);
+	free(name2);
+	krb5_free_principal(context, source);
+	hdb_free_entry(context, &ent);
+	break;
+    case kadm_create:
+	krb5_data_alloc(&data, len);
+	sp->fetch(sp, data.data, data.length);
+	ret = hdb_value2entry(context, &data, &ent);
+	if(ret)
+	    abort();
+	mask = ~0;
+	goto foo;
+    case kadm_modify:
+	krb5_data_alloc(&data, len);
+	krb5_ret_int32(sp, &mask);
+	sp->fetch(sp, data.data, data.length);
+	ret = hdb_value2entry(context, &data, &ent);
+	if(ret)
+	    abort();
+    foo:
+	if(ent.principal /* mask & KADM5_PRINCIPAL */) {
+	    krb5_unparse_name(context, ent.principal, &name1);
+	    printf("    principal = %s\n", name1);
+	    free(name1);
+	}
+	if(mask & KADM5_PRINC_EXPIRE_TIME) {
+	    if(ent.valid_end == NULL) {
+		strcpy(t, "never");
+	    } else {
+		strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", 
+			 localtime(ent.valid_end));
+	    }
+	    printf("    expires = %s\n", t);
+	}
+	if(mask & KADM5_PW_EXPIRATION) {
+	    if(ent.pw_end == NULL) {
+		strcpy(t, "never");
+	    } else {
+		strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", 
+			 localtime(ent.pw_end));
+	    }
+	    printf("    password exp = %s\n", t);
+	}
+	if(mask & KADM5_LAST_PWD_CHANGE) {
+	}
+	if(mask & KADM5_ATTRIBUTES) {
+	    unparse_flags(HDBFlags2int(ent.flags), 
+			  HDBFlags_units, t, sizeof(t));
+	    printf("    attributes = %s\n", t);
+	}
+	if(mask & KADM5_MAX_LIFE) {
+	    if(ent.max_life == NULL)
+		strcpy(t, "for ever");
+	    else
+		unparse_time(*ent.max_life, t, sizeof(t));
+	    printf("    max life = %s\n", t);
+	}
+	if(mask & KADM5_MAX_RLIFE) {
+	    if(ent.max_renew == NULL)
+		strcpy(t, "for ever");
+	    else
+		unparse_time(*ent.max_renew, t, sizeof(t));
+	    printf("    max rlife = %s\n", t);
+	}
+	if(mask & KADM5_MOD_TIME) {
+	    printf("    mod time\n");
+	}
+	if(mask & KADM5_MOD_NAME) {
+	    printf("    mod name\n");
+	}
+	if(mask & KADM5_KVNO) {
+	    printf("    kvno = %d\n", ent.kvno);
+	}
+	if(mask & KADM5_MKVNO) {
+	    printf("    mkvno\n");
+	}
+	if(mask & KADM5_AUX_ATTRIBUTES) {
+	    printf("    aux attributes\n");
+	}
+	if(mask & KADM5_POLICY) {
+	    printf("    policy\n");
+	}
+	if(mask & KADM5_POLICY_CLR) {
+	    printf("    mod time\n");
+	}
+	if(mask & KADM5_LAST_SUCCESS) {
+	    printf("    last success\n");
+	}
+	if(mask & KADM5_LAST_FAILED) {
+	    printf("    last failed\n");
+	}
+	if(mask & KADM5_FAIL_AUTH_COUNT) {
+	    printf("    fail auth count\n");
+	}
+	if(mask & KADM5_KEY_DATA) {
+	    printf("    key data\n");
+	}
+	if(mask & KADM5_TL_DATA) {
+	    printf("    tl data\n");
+	}
+	hdb_free_entry(context, &ent);
+	break;
+    case kadm_nop :
+	break;
+    default:
+	abort();
+    }
+    sp->seek(sp, end, SEEK_SET);
+}
+
+static char *realm;
+static int version_flag;
+static int help_flag;
+
+static struct getargs args[] = {
+    { "realm", 'r', arg_string, &realm },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    void *kadm_handle;
+    kadm5_server_context *server_context;
+    kadm5_config_params conf;
+
+    krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	conf.mask |= KADM5_CONFIG_REALM;
+	conf.realm = realm;
+    }
+    ret = kadm5_init_with_password_ctx (context,
+					KADM5_ADMIN_SERVICE,
+					NULL,
+					KADM5_ADMIN_SERVICE,
+					&conf, 0, 0, 
+					&kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    server_context = (kadm5_server_context *)kadm_handle;
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_init");
+
+    ret = kadm5_log_foreach (server_context, print_entry);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_log_foreach");
+
+    ret = kadm5_log_end (server_context);
+    if (ret)
+	krb5_warn(context, ret, "kadm5_log_end");
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/ent_setup.c b/crypto/heimdal/lib/kadm5/ent_setup.c
new file mode 100644
index 0000000..29fab74
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/ent_setup.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: ent_setup.c,v 1.12 2000/03/23 23:02:35 assar Exp $");
+
+#define set_value(X, V) do { if((X) == NULL) (X) = malloc(sizeof(*(X))); *(X) = V; } while(0)
+#define set_null(X)     do { if((X) != NULL) free((X)); (X) = NULL; } while (0)
+
+static void
+attr_to_flags(unsigned attr, HDBFlags *flags)
+{
+    flags->postdate =		!(attr & KRB5_KDB_DISALLOW_POSTDATED);
+    flags->forwardable =	!(attr & KRB5_KDB_DISALLOW_FORWARDABLE);
+    flags->initial =	       !!(attr & KRB5_KDB_DISALLOW_TGT_BASED);
+    flags->renewable =		!(attr & KRB5_KDB_DISALLOW_RENEWABLE);
+    flags->proxiable =		!(attr & KRB5_KDB_DISALLOW_PROXIABLE);
+    /* DUP_SKEY */
+    flags->invalid =	       !!(attr & KRB5_KDB_DISALLOW_ALL_TIX);
+    flags->require_preauth =   !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH);
+    /* HW_AUTH */
+    flags->server =		!(attr & KRB5_KDB_DISALLOW_SVR);
+    flags->change_pw = 	       !!(attr & KRB5_KDB_PWCHANGE_SERVICE);
+    flags->client =	        1; /* XXX */
+}
+
+/*
+ * Create the hdb entry `ent' based on data from `princ' with
+ * `princ_mask' specifying what fields to be gotten from there and
+ * `mask' specifying what fields we want filled in.
+ */
+
+kadm5_ret_t
+_kadm5_setup_entry(kadm5_server_context *context,
+		   hdb_entry *ent,
+		   u_int32_t mask,
+		   kadm5_principal_ent_t princ, 
+		   u_int32_t princ_mask,
+		   kadm5_principal_ent_t def,
+		   u_int32_t def_mask)
+{
+    if(mask & KADM5_PRINC_EXPIRE_TIME
+       && princ_mask & KADM5_PRINC_EXPIRE_TIME) {
+	if (princ->princ_expire_time)
+	    set_value(ent->valid_end, princ->princ_expire_time);
+	else
+	    set_null(ent->valid_end);
+    }
+    if(mask & KADM5_PW_EXPIRATION
+       && princ_mask & KADM5_PW_EXPIRATION) {
+	if (princ->pw_expiration)
+	    set_value(ent->pw_end, princ->pw_expiration);
+	else
+	    set_null(ent->pw_end);
+    }
+    if(mask & KADM5_ATTRIBUTES) {
+	if (princ_mask & KADM5_ATTRIBUTES) {
+	    attr_to_flags(princ->attributes, &ent->flags);
+	} else if(def_mask & KADM5_ATTRIBUTES) {
+	    attr_to_flags(def->attributes, &ent->flags);
+	    ent->flags.invalid = 0;
+	} else {
+	    ent->flags.client      = 1;
+	    ent->flags.server      = 1;
+	    ent->flags.forwardable = 1;
+	    ent->flags.proxiable   = 1;
+	    ent->flags.renewable   = 1;
+	    ent->flags.postdate    = 1;
+	}
+    }
+    if(mask & KADM5_MAX_LIFE) {
+	if(princ_mask & KADM5_MAX_LIFE) {
+	    if(princ->max_life)
+	      set_value(ent->max_life, princ->max_life);
+	    else
+	      set_null(ent->max_life);
+	} else if(def_mask & KADM5_MAX_LIFE) {
+	    if(def->max_life)
+	      set_value(ent->max_life, def->max_life);
+	    else
+	      set_null(ent->max_life);
+	}
+    }
+    if(mask & KADM5_KVNO
+       && princ_mask & KADM5_KVNO)
+	ent->kvno = princ->kvno;
+    if(mask & KADM5_MAX_RLIFE) {
+	if(princ_mask & KADM5_MAX_RLIFE) {
+	  if(princ->max_renewable_life)
+	    set_value(ent->max_renew, princ->max_renewable_life);
+	  else
+	    set_null(ent->max_renew);
+	} else if(def_mask & KADM5_MAX_RLIFE) {
+	  if(def->max_renewable_life)
+	    set_value(ent->max_renew, def->max_renewable_life);
+	  else
+	    set_null(ent->max_renew);
+	}
+    }
+    if(mask & KADM5_KEY_DATA
+       && princ_mask & KADM5_KEY_DATA) {
+	_kadm5_set_keys2(context, ent, princ->n_key_data, princ->key_data);
+    }
+    if(mask & KADM5_TL_DATA) {
+	/* XXX */
+    }
+    if(mask & KADM5_FAIL_AUTH_COUNT) {
+	/* XXX */
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/error.c b/crypto/heimdal/lib/kadm5/error.c
new file mode 100644
index 0000000..11b1ded
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/error.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: error.c,v 1.3 1999/12/02 17:05:06 joda Exp $");
+
+kadm5_ret_t
+_kadm5_error_code(kadm5_ret_t code)
+{
+    switch(code){
+    case HDB_ERR_EXISTS:
+	return KADM5_DUP;
+    case HDB_ERR_NOENTRY:
+	return KADM5_UNK_PRINC;
+    }
+    return code;
+}
diff --git a/crypto/heimdal/lib/kadm5/flush.c b/crypto/heimdal/lib/kadm5/flush.c
new file mode 100644
index 0000000..4808259
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/flush.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: flush.c,v 1.2 1999/12/02 17:05:06 joda Exp $");
+
+kadm5_ret_t 
+kadm5_s_flush(void *server_handle)
+{
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_c_flush(void *server_handle)
+{
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/flush_c.c b/crypto/heimdal/lib/kadm5/flush_c.c
new file mode 100644
index 0000000..01cdcf7
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/flush_c.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: flush_c.c,v 1.1 1999/03/23 18:23:36 joda Exp $");
+
+kadm5_ret_t 
+kadm5_c_flush(void *server_handle)
+{
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/flush_s.c b/crypto/heimdal/lib/kadm5/flush_s.c
new file mode 100644
index 0000000..dffbe2f
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/flush_s.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: flush_s.c,v 1.1 1999/03/23 18:23:37 joda Exp $");
+
+kadm5_ret_t 
+kadm5_s_flush(void *server_handle)
+{
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/free.c b/crypto/heimdal/lib/kadm5/free.c
new file mode 100644
index 0000000..fcc1e70
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/free.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: free.c,v 1.4 1999/12/02 17:05:06 joda Exp $");
+
+void 
+kadm5_free_key_data(void *server_handle,
+		    int16_t *n_key_data, 
+		    krb5_key_data *key_data)
+{
+    int i;
+    for(i = 0; i < *n_key_data; i++){
+	if(key_data[i].key_data_contents[0]){
+	    memset(key_data[i].key_data_contents[0], 
+		   0,
+		   key_data[i].key_data_length[0]);
+	    free(key_data[i].key_data_contents[0]);
+	}
+	if(key_data[i].key_data_contents[1])
+	    free(key_data[i].key_data_contents[1]);
+    }
+    *n_key_data = 0;
+}
+
+
+void 
+kadm5_free_principal_ent(void *server_handle,
+			 kadm5_principal_ent_t princ)
+{
+    kadm5_server_context *context = server_handle;
+    if(princ->principal)
+	krb5_free_principal(context->context, princ->principal);
+    if(princ->mod_name)
+	krb5_free_principal(context->context, princ->mod_name);
+    kadm5_free_key_data(server_handle, &princ->n_key_data, princ->key_data);
+    while(princ->n_tl_data && princ->tl_data) {
+	krb5_tl_data *tp;
+	tp = princ->tl_data;
+	princ->tl_data = tp->tl_data_next;
+	princ->n_tl_data--;
+	memset(tp->tl_data_contents, 0, tp->tl_data_length);
+	free(tp->tl_data_contents);
+	free(tp);
+    }
+    if (princ->key_data != NULL)
+	free (princ->key_data);
+}
+
+void 
+kadm5_free_name_list(void *server_handle,
+		     char **names, 
+		     int *count)
+{
+    int i;
+    for(i = 0; i < *count; i++)
+	free(names[i]);
+    free(names);
+    *count = 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/get_c.c b/crypto/heimdal/lib/kadm5/get_c.c
new file mode 100644
index 0000000..279a77a
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/get_c.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: get_c.c,v 1.6 2000/07/11 15:59:36 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_get_principal(void *server_handle, 
+		      krb5_principal princ, 
+		      kadm5_principal_ent_t out, 
+		      u_int32_t mask)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_get);
+    krb5_store_principal(sp, princ);
+    krb5_store_int32(sp, mask);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if(ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if (ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0)
+	kadm5_ret_principal_ent(sp, out);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/get_princs_c.c b/crypto/heimdal/lib/kadm5/get_princs_c.c
new file mode 100644
index 0000000..3536cdf
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/get_princs_c.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: get_princs_c.c,v 1.4 2000/07/11 16:00:19 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_get_principals(void *server_handle, 
+		       const char *exp,
+		       char ***princs, 
+		       int *count)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_get_princs);
+    krb5_store_int32(sp, exp != NULL);
+    if(exp)
+	krb5_store_string(sp, exp);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0) {
+	int i;
+	krb5_ret_int32(sp, &tmp);
+	*princs = calloc(tmp + 1, sizeof(**princs));
+	if (*princs == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	for(i = 0; i < tmp; i++)
+	    krb5_ret_string(sp, &(*princs)[i]);
+	*count = tmp;
+    }
+out:
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/get_princs_s.c b/crypto/heimdal/lib/kadm5/get_princs_s.c
new file mode 100644
index 0000000..2702bae
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/get_princs_s.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: get_princs_s.c,v 1.5 1999/12/02 17:05:06 joda Exp $");
+
+struct foreach_data {
+    const char *exp;
+    char *exp2;
+    char **princs;
+    int count;
+};
+
+static krb5_error_code
+add_princ(struct foreach_data *d, char *princ)
+{
+    char **tmp;
+    tmp = realloc(d->princs, (d->count + 1) * sizeof(*tmp));
+    if(tmp == NULL)
+	return ENOMEM;
+    d->princs = tmp;
+    d->princs[d->count++] = princ;
+    return 0;
+}
+
+static krb5_error_code
+foreach(krb5_context context, HDB *db, hdb_entry *ent, void *data)
+{
+    struct foreach_data *d = data;
+    char *princ;
+    krb5_error_code ret;
+    ret = krb5_unparse_name(context, ent->principal, &princ);
+    if(ret)
+	return ret;
+    if(d->exp){
+	if(fnmatch(d->exp, princ, 0) == 0 || fnmatch(d->exp2, princ, 0) == 0)
+	    ret = add_princ(d, princ);
+	else
+	    free(princ);
+    }else{
+	ret = add_princ(d, princ);
+    }
+    if(ret)
+	free(princ);
+    return ret;
+}
+
+kadm5_ret_t
+kadm5_s_get_principals(void *server_handle, 
+		       const char *exp,
+		       char ***princs, 
+		       int *count)
+{
+    struct foreach_data d;
+    kadm5_server_context *context = server_handle;
+    kadm5_ret_t ret;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret) {
+	krb5_warn(context->context, ret, "opening database");
+	return ret;
+    }
+    d.exp = exp;
+    {
+	krb5_realm r;
+	krb5_get_default_realm(context->context, &r);
+	asprintf(&d.exp2, "%s@%s", exp, r);
+	free(r);
+    }
+    d.princs = NULL;
+    d.count = 0;
+    ret = hdb_foreach(context->context, context->db, 0, foreach, &d);
+    context->db->close(context->context, context->db);
+    if(ret == 0)
+	ret = add_princ(&d, NULL);
+    if(ret == 0){
+	*princs = d.princs;
+	*count = d.count - 1;
+    }else
+	kadm5_free_name_list(context, d.princs, &d.count);
+    free(d.exp2);
+    return _kadm5_error_code(ret);
+}
diff --git a/crypto/heimdal/lib/kadm5/get_s.c b/crypto/heimdal/lib/kadm5/get_s.c
new file mode 100644
index 0000000..0851900
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/get_s.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: get_s.c,v 1.13 2000/06/19 16:11:31 joda Exp $");
+
+kadm5_ret_t
+kadm5_s_get_principal(void *server_handle, 
+		      krb5_principal princ, 
+		      kadm5_principal_ent_t out, 
+		      u_int32_t mask)
+{
+    kadm5_server_context *context = server_handle;
+    kadm5_ret_t ret;
+    hdb_entry ent;
+    
+    ent.principal = princ;
+    ret = context->db->open(context->context, context->db, O_RDONLY, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 
+			     HDB_F_DECRYPT, &ent);
+    context->db->close(context->context, context->db);
+    if(ret)
+	return _kadm5_error_code(ret);
+
+    memset(out, 0, sizeof(*out));
+    if(mask & KADM5_PRINCIPAL)
+	ret  = krb5_copy_principal(context->context, ent.principal, 
+				   &out->principal);
+    if(ret)
+	goto out;
+    if(mask & KADM5_PRINC_EXPIRE_TIME && ent.valid_end)
+	out->princ_expire_time = *ent.valid_end;
+    if(mask & KADM5_PW_EXPIRATION && ent.pw_end)
+	out->pw_expiration = *ent.pw_end;
+    if(mask & KADM5_LAST_PWD_CHANGE)
+	/* XXX implement */;
+    if(mask & KADM5_ATTRIBUTES){
+	out->attributes |= ent.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED;
+	out->attributes |= ent.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE;
+	out->attributes |= ent.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0;
+	out->attributes |= ent.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE;
+	out->attributes |= ent.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE;
+	out->attributes |= ent.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
+	out->attributes |= ent.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
+	out->attributes |= ent.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
+	out->attributes |= ent.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
+    }
+    if(mask & KADM5_MAX_LIFE) {
+	if(ent.max_life)
+	    out->max_life = *ent.max_life;
+	else
+	    out->max_life = INT_MAX;
+    }
+    if(mask & KADM5_MOD_TIME) {
+	if(ent.modified_by)
+	    out->mod_date = ent.modified_by->time;
+	else
+	    out->mod_date = ent.created_by.time;
+    }
+    if(mask & KADM5_MOD_NAME) {
+	if(ent.modified_by) {
+	    if (ent.modified_by->principal != NULL)
+		ret = krb5_copy_principal(context->context, 
+					  ent.modified_by->principal,
+					  &out->mod_name);
+	} else if(ent.created_by.principal != NULL)
+	    ret = krb5_copy_principal(context->context, 
+				      ent.created_by.principal,
+				      &out->mod_name);
+	else
+	    out->mod_name = NULL;
+    }
+    if(ret)
+	goto out;
+
+    if(mask & KADM5_KVNO)
+	out->kvno = ent.kvno;
+    if(mask & KADM5_MKVNO) {
+	int n;
+	out->mkvno = 0; /* XXX */
+	for(n = 0; n < ent.keys.len; n++)
+	    if(ent.keys.val[n].mkvno) {
+		out->mkvno = *ent.keys.val[n].mkvno; /* XXX this isn't right */
+		break;
+	    }
+    }
+    if(mask & KADM5_AUX_ATTRIBUTES)
+	/* XXX implement */;
+    if(mask & KADM5_POLICY)
+	out->policy = NULL;
+    if(mask & KADM5_MAX_RLIFE) {
+	if(ent.max_renew)
+	    out->max_renewable_life = *ent.max_renew;
+	else
+	    out->max_renewable_life = INT_MAX;
+    }
+    if(mask & KADM5_LAST_SUCCESS)
+	/* XXX implement */;
+    if(mask & KADM5_LAST_FAILED)
+	/* XXX implement */;
+    if(mask & KADM5_FAIL_AUTH_COUNT)
+	/* XXX implement */;
+    if(mask & KADM5_KEY_DATA){
+	int i;
+	Key *key;
+	krb5_key_data *kd;
+	krb5_salt salt;
+	krb5_data *sp;
+	krb5_get_pw_salt(context->context, ent.principal, &salt);
+	out->key_data = malloc(ent.keys.len * sizeof(*out->key_data));
+	for(i = 0; i < ent.keys.len; i++){
+	    key = &ent.keys.val[i];
+	    kd = &out->key_data[i];
+	    kd->key_data_ver = 2;
+	    kd->key_data_kvno = ent.kvno;
+	    kd->key_data_type[0] = key->key.keytype;
+	    if(key->salt)
+		kd->key_data_type[1] = key->salt->type;
+	    else
+		kd->key_data_type[1] = KRB5_PADATA_PW_SALT;
+	    /* setup key */
+	    kd->key_data_length[0] = key->key.keyvalue.length;
+	    kd->key_data_contents[0] = malloc(kd->key_data_length[0]);
+	    if(kd->key_data_contents[0] == NULL){
+		ret = ENOMEM;
+		break;
+	    }
+	    memcpy(kd->key_data_contents[0], key->key.keyvalue.data, 
+		   kd->key_data_length[0]);
+	    /* setup salt */
+	    if(key->salt)
+		sp = &key->salt->salt;
+	    else
+		sp = &salt.saltvalue;
+	    kd->key_data_length[1] = sp->length;
+	    kd->key_data_contents[1] = malloc(kd->key_data_length[1]);
+	    if(kd->key_data_length[1] != 0
+	       && kd->key_data_contents[1] == NULL) {
+		memset(kd->key_data_contents[0], 0, kd->key_data_length[0]);
+		ret = ENOMEM;
+		break;
+	    }
+	    memcpy(kd->key_data_contents[1], sp->data, kd->key_data_length[1]);
+	    out->n_key_data = i + 1;
+	}
+	krb5_free_salt(context->context, salt);
+    }
+    if(ret){
+	kadm5_free_principal_ent(context, out);
+	goto out;
+    }
+    if(mask & KADM5_TL_DATA)
+	/* XXX implement */;
+out:
+    hdb_free_entry(context->context, &ent);
+
+    return _kadm5_error_code(ret);
+}
diff --git a/crypto/heimdal/lib/kadm5/init_c.c b/crypto/heimdal/lib/kadm5/init_c.c
new file mode 100644
index 0000000..e4df034
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/init_c.c
@@ -0,0 +1,648 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+RCSID("$Id: init_c.c,v 1.40 2000/12/31 08:00:23 assar Exp $");
+
+static void
+set_funcs(kadm5_client_context *c)
+{
+#define SET(C, F) (C)->funcs.F = kadm5 ## _c_ ## F
+    SET(c, chpass_principal);
+    SET(c, chpass_principal_with_key);
+    SET(c, create_principal);
+    SET(c, delete_principal);
+    SET(c, destroy);
+    SET(c, flush);
+    SET(c, get_principal);
+    SET(c, get_principals);
+    SET(c, get_privs);
+    SET(c, modify_principal);
+    SET(c, randkey_principal);
+    SET(c, rename_principal);
+}
+
+kadm5_ret_t
+_kadm5_c_init_context(kadm5_client_context **ctx, 
+		      kadm5_config_params *params,
+		      krb5_context context)
+{
+    krb5_error_code ret;
+    char *colon;
+
+    *ctx = malloc(sizeof(**ctx));
+    if(*ctx == NULL)
+	return ENOMEM;
+    memset(*ctx, 0, sizeof(**ctx));
+    krb5_add_et_list (context, initialize_kadm5_error_table_r);
+    set_funcs(*ctx);
+    (*ctx)->context = context;
+    if(params->mask & KADM5_CONFIG_REALM)
+	(*ctx)->realm = strdup(params->realm);
+    else
+	krb5_get_default_realm((*ctx)->context, &(*ctx)->realm);
+    if(params->mask & KADM5_CONFIG_ADMIN_SERVER)
+	(*ctx)->admin_server = strdup(params->admin_server);
+    else {
+	char **hostlist;
+
+	ret = krb5_get_krb_admin_hst (context, &(*ctx)->realm, &hostlist);
+	if (ret)
+	    return ret;
+	(*ctx)->admin_server = strdup(*hostlist);
+	krb5_free_krbhst (context, hostlist);
+    }
+
+    if ((*ctx)->admin_server == NULL)
+	return ENOMEM;
+    colon = strchr ((*ctx)->admin_server, ':');
+    if (colon != NULL)
+	*colon++ = '\0';
+
+    (*ctx)->kadmind_port = 0;
+
+    if(params->mask & KADM5_CONFIG_KADMIND_PORT)
+	(*ctx)->kadmind_port = params->kadmind_port;
+    else if (colon != NULL) {
+	char *end;
+
+	(*ctx)->kadmind_port = htons(strtol (colon, &end, 0));
+    }
+    if ((*ctx)->kadmind_port == 0)
+	(*ctx)->kadmind_port = krb5_getportbyname (context, "kerberos-adm", 
+						   "tcp", 749);
+    return 0;
+}
+
+static krb5_error_code
+get_kadm_ticket(krb5_context context,
+		krb5_ccache id,
+		krb5_principal client,
+		const char *server_name)
+{
+    krb5_error_code ret;
+    krb5_creds in, *out;
+    
+    memset(&in, 0, sizeof(in));
+    in.client = client;
+    ret = krb5_parse_name(context, server_name, &in.server);
+    if(ret) 
+	return ret;
+    ret = krb5_get_credentials(context, 0, id, &in, &out);
+    if(ret == 0)
+	krb5_free_creds(context, out);
+    krb5_free_principal(context, in.server);
+    return ret;
+}
+
+static krb5_error_code
+get_new_cache(krb5_context context,
+	      krb5_principal client,
+	      const char *password,
+	      krb5_prompter_fct prompter,
+	      const char *keytab,
+	      const char *server_name,
+	      krb5_ccache *ret_cache)
+{
+    krb5_error_code ret;
+    krb5_creds cred;
+    krb5_get_init_creds_opt opt;
+    krb5_ccache id;
+    
+    krb5_get_init_creds_opt_init (&opt);
+    krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
+    krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
+
+    if(password == NULL && prompter == NULL) {
+	krb5_keytab kt;
+	if(keytab == NULL)
+	    ret = krb5_kt_default(context, &kt);
+	else
+	    ret = krb5_kt_resolve(context, keytab, &kt);
+	if(ret) 
+	    return ret;
+	ret = krb5_get_init_creds_keytab (context,
+					  &cred,
+					  client,
+					  kt,
+					  0,
+					  server_name,
+					  &opt);
+	krb5_kt_close(context, kt);
+    } else {
+	ret = krb5_get_init_creds_password (context,
+					    &cred,
+					    client,
+					    password,
+					    prompter,
+					    NULL,
+					    0,
+					    server_name,
+					    &opt);
+    }
+    switch(ret){
+    case 0:
+	break;
+    case KRB5_LIBOS_PWDINTR:	/* don't print anything if it was just C-c:ed */
+    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+    case KRB5KRB_AP_ERR_MODIFIED:
+	return KADM5_BAD_PASSWORD;
+    default:
+	return ret;
+    }
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+    if(ret)
+	return ret;
+    ret = krb5_cc_initialize (context, id, cred.client);
+    if (ret)
+	return ret;
+    ret = krb5_cc_store_cred (context, id, &cred);
+    if (ret)
+	return ret;
+    krb5_free_creds_contents (context, &cred);
+    *ret_cache = id;
+    return 0;
+}
+
+static krb5_error_code
+get_cred_cache(krb5_context context,
+	       const char *client_name,
+	       const char *server_name,
+	       const char *password,
+	       krb5_prompter_fct prompter,
+	       const char *keytab,
+	       krb5_ccache ccache,
+	       krb5_ccache *ret_cache)
+{
+    krb5_error_code ret;
+    krb5_ccache id = NULL;
+    krb5_principal default_client = NULL, client = NULL;
+    
+    /* treat empty password as NULL */
+    if(password && *password == '\0')
+	password = NULL;
+    if(server_name == NULL)
+	server_name = KADM5_ADMIN_SERVICE;
+    
+    if(client_name != NULL) {
+	ret = krb5_parse_name(context, client_name, &client);
+	if(ret) 
+	    return ret;
+    }
+
+    if(password != NULL || prompter != NULL) {
+	/* get principal from default cache, ok if this doesn't work */
+	ret = krb5_cc_default(context, &id);
+	if(ret == 0) {
+	    ret = krb5_cc_get_principal(context, id, &default_client);
+	    if(ret) {
+		krb5_cc_close(context, id);
+		id = NULL;
+	    }
+	}
+	
+	if(client == NULL)
+	    client = default_client;
+	if(client == NULL) {
+	    const char *user;
+
+	    user = get_default_username ();
+
+	    if(user == NULL)
+		return KADM5_FAILURE;
+	    ret = krb5_make_principal(context, &client, 
+				      NULL, user, "admin", NULL);
+	    if(ret)
+		return ret;
+	}
+	if(client != default_client) {
+	    krb5_free_principal(context, default_client);
+	    default_client = NULL;
+	    if (id != NULL) {
+		krb5_cc_close(context, id);
+		id = NULL;
+	    }
+	}
+    } else if(ccache != NULL)
+	id = ccache;
+    
+
+    if(id && (default_client == NULL || 
+	      krb5_principal_compare(context, client, default_client))) {
+	ret = get_kadm_ticket(context, id, client, server_name);
+	if(ret == 0) {
+	    *ret_cache = id;
+	    krb5_free_principal(context, default_client);
+	    if (default_client != client)
+		krb5_free_principal(context, client);
+	    return 0;
+	}
+	if(ccache != NULL)
+	    /* couldn't get ticket from cache */
+	    return -1;
+    }
+    /* get creds via AS request */
+    if(id)
+	krb5_cc_close(context, id);
+    if (client != default_client)
+	krb5_free_principal(context, default_client);
+
+    ret = get_new_cache(context, client, password, prompter, keytab, 
+			server_name, ret_cache);
+    krb5_free_principal(context, client);
+    return ret;
+}
+
+static kadm5_ret_t
+kadm_connect(kadm5_client_context *ctx)
+{
+    kadm5_ret_t ret;
+    krb5_principal server;
+    krb5_ccache cc;
+    int s;
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+    char *hostname, *slash;
+    krb5_context context = ctx->context;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+    
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(ctx->kadmind_port));
+
+    hostname = ctx->admin_server;
+    slash = strchr (hostname, '/');
+    if (slash != NULL)
+	hostname = slash + 1;
+
+    error = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (error) 
+	return KADM5_BAD_SERVER_NAME;
+    
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    krb5_warn (context, errno, "connect(%s)", hostname);
+	    close (s);
+	    continue;
+	}
+	break;
+    }
+    if (a == NULL) {
+	freeaddrinfo (ai);
+	krb5_warnx (context, "failed to contact %s", hostname);
+	return KADM5_FAILURE;
+    }
+    ret = get_cred_cache(context, ctx->client_name, ctx->service_name, 
+			 NULL, ctx->prompter, ctx->keytab, 
+			 ctx->ccache, &cc);
+    
+    if(ret) {
+	freeaddrinfo (ai);
+	close(s);
+	return ret;
+    }
+    ret = krb5_parse_name(context, KADM5_ADMIN_SERVICE, &server);
+    if(ret) {
+	freeaddrinfo (ai);
+	if(ctx->ccache == NULL)
+	    krb5_cc_close(context, cc);
+	close(s);
+	return ret;
+    }
+    ctx->ac = NULL;
+
+    ret = krb5_sendauth(context, &ctx->ac, &s, 
+			KADMIN_APPL_VERSION, NULL, 
+			server, AP_OPTS_MUTUAL_REQUIRED, 
+			NULL, NULL, cc, NULL, NULL, NULL);
+    if(ret == 0) {
+	krb5_data params;
+	ret = _kadm5_marshal_params(context, ctx->realm_params, &params);
+	
+	ret = krb5_write_priv_message(context, ctx->ac, &s, &params);
+	krb5_data_free(&params);
+	if(ret) {
+	    freeaddrinfo (ai);
+	    close(s);
+	    if(ctx->ccache == NULL)
+		krb5_cc_close(context, cc);
+	    return ret;
+	}
+    } else if(ret == KRB5_SENDAUTH_BADAPPLVERS) {
+	close(s);
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0) {
+	    freeaddrinfo (ai);
+	    return errno;
+	}
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    close (s);
+	    freeaddrinfo (ai);
+	    return errno;
+	}
+	ret = krb5_sendauth(context, &ctx->ac, &s, 
+			    KADMIN_OLD_APPL_VERSION, NULL, 
+			    server, AP_OPTS_MUTUAL_REQUIRED, 
+			    NULL, NULL, cc, NULL, NULL, NULL);
+    }
+    freeaddrinfo (ai);
+    if(ret) {
+	close(s);
+	return ret;
+    }
+    
+    krb5_free_principal(context, server);
+    if(ctx->ccache == NULL)
+	krb5_cc_close(context, cc);
+    if(ret) {
+	close(s);
+	return ret;
+    }
+    ctx->sock = s;
+    
+    return 0;
+}
+
+kadm5_ret_t
+_kadm5_connect(void *handle)
+{
+    kadm5_client_context *ctx = handle;
+    if(ctx->sock == -1)
+	return kadm_connect(ctx);
+    return 0;
+}
+
+static kadm5_ret_t 
+kadm5_c_init_with_context(krb5_context context,
+			  const char *client_name, 
+			  const char *password,
+			  krb5_prompter_fct prompter,
+			  const char *keytab,
+			  krb5_ccache ccache,
+			  const char *service_name,
+			  kadm5_config_params *realm_params,
+			  unsigned long struct_version,
+			  unsigned long api_version,
+			  void **server_handle)
+{
+    kadm5_ret_t ret;
+    kadm5_client_context *ctx;
+    krb5_ccache cc;
+
+    ret = _kadm5_c_init_context(&ctx, realm_params, context);
+    if(ret)
+	return ret;
+
+    if(password != NULL && *password != '\0') {
+	ret = get_cred_cache(context, client_name, service_name, 
+			     password, prompter, keytab, ccache, &cc);
+	if(ret)
+	    return ret; /* XXX */
+	ccache = cc;
+    }
+    
+
+    if (client_name != NULL)
+	ctx->client_name = strdup(client_name);
+    else
+	ctx->client_name = NULL;
+    if (service_name != NULL)
+	ctx->service_name = strdup(service_name);
+    else
+	ctx->service_name = NULL;
+    ctx->prompter = prompter;
+    ctx->keytab = keytab;
+    ctx->ccache = ccache;
+    ctx->realm_params = realm_params;
+    ctx->sock = -1;
+    
+    *server_handle = ctx;
+    return 0;
+}
+
+static kadm5_ret_t 
+init_context(const char *client_name, 
+	     const char *password,
+	     krb5_prompter_fct prompter,
+	     const char *keytab,
+	     krb5_ccache ccache,
+	     const char *service_name,
+	     kadm5_config_params *realm_params,
+	     unsigned long struct_version,
+	     unsigned long api_version,
+	     void **server_handle)
+{
+    krb5_context context;
+    kadm5_ret_t ret;
+    kadm5_server_context *ctx;
+    
+    ret = krb5_init_context(&context);
+    if (ret)
+	return ret;
+    ret = kadm5_c_init_with_context(context,
+				    client_name,
+				    password,
+				    prompter,
+				    keytab,
+				    ccache,
+				    service_name,
+				    realm_params,
+				    struct_version,
+				    api_version,
+				    server_handle);
+    if(ret){
+	krb5_free_context(context);
+	return ret;
+    }
+    ctx = *server_handle;
+    ctx->my_context = 1;
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_c_init_with_password_ctx(krb5_context context,
+			       const char *client_name, 
+			       const char *password,
+			       const char *service_name,
+			       kadm5_config_params *realm_params,
+			       unsigned long struct_version,
+			       unsigned long api_version,
+			       void **server_handle)
+{
+    return kadm5_c_init_with_context(context,
+				     client_name,
+				     password,
+				     krb5_prompter_posix,
+				     NULL,
+				     NULL,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+kadm5_ret_t 
+kadm5_c_init_with_password(const char *client_name, 
+			   const char *password,
+			   const char *service_name,
+			   kadm5_config_params *realm_params,
+			   unsigned long struct_version,
+			   unsigned long api_version,
+			   void **server_handle)
+{
+    return init_context(client_name, 
+			password, 
+			krb5_prompter_posix,
+			NULL,
+			NULL,
+			service_name, 
+			realm_params, 
+			struct_version, 
+			api_version, 
+			server_handle);
+}
+
+kadm5_ret_t 
+kadm5_c_init_with_skey_ctx(krb5_context context,
+			   const char *client_name, 
+			   const char *keytab,
+			   const char *service_name,
+			   kadm5_config_params *realm_params,
+			   unsigned long struct_version,
+			   unsigned long api_version,
+			   void **server_handle)
+{
+    return kadm5_c_init_with_context(context,
+				     client_name,
+				     NULL,
+				     NULL,
+				     keytab,
+				     NULL,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+
+kadm5_ret_t 
+kadm5_c_init_with_skey(const char *client_name, 
+		     const char *keytab,
+		     const char *service_name,
+		     kadm5_config_params *realm_params,
+		     unsigned long struct_version,
+		     unsigned long api_version,
+		     void **server_handle)
+{
+    return init_context(client_name, 
+			NULL,
+			NULL,
+			keytab,
+			NULL,
+			service_name, 
+			realm_params, 
+			struct_version, 
+			api_version, 
+			server_handle);
+}
+
+kadm5_ret_t 
+kadm5_c_init_with_creds_ctx(krb5_context context,
+			    const char *client_name,
+			    krb5_ccache ccache,
+			    const char *service_name,
+			    kadm5_config_params *realm_params,
+			    unsigned long struct_version,
+			    unsigned long api_version,
+			    void **server_handle)
+{
+    return kadm5_c_init_with_context(context,
+				     client_name,
+				     NULL,
+				     NULL,
+				     NULL,
+				     ccache,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+kadm5_ret_t 
+kadm5_c_init_with_creds(const char *client_name,
+			krb5_ccache ccache,
+			const char *service_name,
+			kadm5_config_params *realm_params,
+			unsigned long struct_version,
+			unsigned long api_version,
+			void **server_handle)
+{
+    return init_context(client_name, 
+			NULL,
+			NULL,
+			NULL,
+			ccache,
+			service_name, 
+			realm_params, 
+			struct_version, 
+			api_version, 
+			server_handle);
+}
+
+#if 0
+kadm5_ret_t 
+kadm5_init(char *client_name, char *pass,
+	   char *service_name,
+	   kadm5_config_params *realm_params,
+	   unsigned long struct_version,
+	   unsigned long api_version,
+	   void **server_handle)
+{
+}
+#endif
+
diff --git a/crypto/heimdal/lib/kadm5/init_s.c b/crypto/heimdal/lib/kadm5/init_s.c
new file mode 100644
index 0000000..bf5d036
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/init_s.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: init_s.c,v 1.10 2000/12/31 08:01:16 assar Exp $");
+
+
+static kadm5_ret_t 
+kadm5_s_init_with_context(krb5_context context,
+			  const char *client_name, 
+			  const char *service_name,
+			  kadm5_config_params *realm_params,
+			  unsigned long struct_version,
+			  unsigned long api_version,
+			  void **server_handle)
+{
+    kadm5_ret_t ret;
+    kadm5_server_context *ctx;
+    ret = _kadm5_s_init_context(&ctx, realm_params, context);
+    if(ret)
+	return ret;
+
+    assert(ctx->config.dbname != NULL);
+    assert(ctx->config.stash_file != NULL);
+    assert(ctx->config.acl_file != NULL);
+    assert(ctx->log_context.log_file != NULL);
+    assert(ctx->log_context.socket_name.sun_path[0] != '\0');
+
+    ret = hdb_create(ctx->context, &ctx->db, ctx->config.dbname);
+    if(ret)
+	return ret;
+    ret = hdb_set_master_keyfile (ctx->context, 
+				  ctx->db, ctx->config.stash_file);
+    if(ret)
+	return ret;
+
+    ctx->log_context.log_fd   = -1;
+
+    ctx->log_context.socket_fd = socket (AF_UNIX, SOCK_DGRAM, 0);
+
+    ret = krb5_parse_name(ctx->context, client_name, &ctx->caller);
+    if(ret)
+	return ret;
+
+    ret = _kadm5_acl_init(ctx);
+    if(ret)
+	return ret;
+    
+    *server_handle = ctx;
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_password_ctx(krb5_context context,
+			       const char *client_name, 
+			       const char *password,
+			       const char *service_name,
+			       kadm5_config_params *realm_params,
+			       unsigned long struct_version,
+			       unsigned long api_version,
+			       void **server_handle)
+{
+    return kadm5_s_init_with_context(context,
+				     client_name,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_password(const char *client_name, 
+			   const char *password,
+			   const char *service_name,
+			   kadm5_config_params *realm_params,
+			   unsigned long struct_version,
+			   unsigned long api_version,
+			   void **server_handle)
+{
+    krb5_context context;
+    kadm5_ret_t ret;
+    kadm5_server_context *ctx;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	return ret;
+    ret = kadm5_s_init_with_password_ctx(context, 
+					 client_name, 
+					 password, 
+					 service_name, 
+					 realm_params, 
+					 struct_version, 
+					 api_version, 
+					 server_handle);
+    if(ret){
+	krb5_free_context(context);
+	return ret;
+    }
+    ctx = *server_handle;
+    ctx->my_context = 1;
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_skey_ctx(krb5_context context,
+			   const char *client_name, 
+			   const char *keytab,
+			   const char *service_name,
+			   kadm5_config_params *realm_params,
+			   unsigned long struct_version,
+			   unsigned long api_version,
+			   void **server_handle)
+{
+    return kadm5_s_init_with_context(context,
+				     client_name,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_skey(const char *client_name,
+		       const char *keytab,
+		       const char *service_name,
+		       kadm5_config_params *realm_params,
+		       unsigned long struct_version,
+		       unsigned long api_version,
+		       void **server_handle)
+{
+    krb5_context context;
+    kadm5_ret_t ret;
+    kadm5_server_context *ctx;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	return ret;
+    ret = kadm5_s_init_with_skey_ctx(context, 
+				     client_name, 
+				     keytab, 
+				     service_name, 
+				     realm_params, 
+				     struct_version, 
+				     api_version, 
+				     server_handle);
+    if(ret){
+	krb5_free_context(context);
+	return ret;
+    }
+    ctx = *server_handle;
+    ctx->my_context = 1;
+    return 0;
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_creds_ctx(krb5_context context,
+			    const char *client_name,
+			    krb5_ccache ccache,
+			    const char *service_name,
+			    kadm5_config_params *realm_params,
+			    unsigned long struct_version,
+			    unsigned long api_version,
+			    void **server_handle)
+{
+    return kadm5_s_init_with_context(context,
+				     client_name,
+				     service_name,
+				     realm_params,
+				     struct_version,
+				     api_version,
+				     server_handle);
+}
+
+kadm5_ret_t 
+kadm5_s_init_with_creds(const char *client_name,
+			krb5_ccache ccache,
+			const char *service_name,
+			kadm5_config_params *realm_params,
+			unsigned long struct_version,
+			unsigned long api_version,
+			void **server_handle)
+{
+    krb5_context context;
+    kadm5_ret_t ret;
+    kadm5_server_context *ctx;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	return ret;
+    ret = kadm5_s_init_with_creds_ctx(context, 
+				      client_name, 
+				      ccache, 
+				      service_name, 
+				      realm_params, 
+				      struct_version, 
+				      api_version, 
+				      server_handle);
+    if(ret){
+	krb5_free_context(context);
+	return ret;
+    }
+    ctx = *server_handle;
+    ctx->my_context = 1;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/iprop.h b/crypto/heimdal/lib/kadm5/iprop.h
new file mode 100644
index 0000000..a8f2b7f
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/iprop.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1998-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: iprop.h,v 1.5 2000/06/05 17:02:43 assar Exp $ */
+
+#ifndef __IPROP_H__
+#define __IPROP_H__
+
+#include "kadm5_locl.h"
+#include <getarg.h>
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+#define IPROP_VERSION "iprop-0.0"
+
+#define KADM5_SLAVE_ACL HDB_DB_DIR "/slaves"
+
+#define IPROP_NAME "iprop"
+
+#define IPROP_SERVICE "iprop"
+
+#define IPROP_PORT 2121
+
+enum iprop_cmd { I_HAVE = 1,
+		 FOR_YOU = 2,
+		 TELL_YOU_EVERYTHING = 3,
+		 ONE_PRINC = 4,
+		 NOW_YOU_HAVE = 5
+};
+
+#endif /* __IPROP_H__ */
diff --git a/crypto/heimdal/lib/kadm5/ipropd_master.c b/crypto/heimdal/lib/kadm5/ipropd_master.c
new file mode 100644
index 0000000..0eadf0b
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/ipropd_master.c
@@ -0,0 +1,490 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+
+RCSID("$Id: ipropd_master.c,v 1.22 2001/02/14 23:00:16 assar Exp $");
+
+static krb5_log_facility *log_facility;
+
+static int
+make_signal_socket (krb5_context context)
+{
+    struct sockaddr_un addr;
+    int fd;
+
+    fd = socket (AF_UNIX, SOCK_DGRAM, 0);
+    if (fd < 0)
+	krb5_err (context, 1, errno, "socket AF_UNIX");
+    memset (&addr, 0, sizeof(addr));
+    addr.sun_family = AF_UNIX;
+    strlcpy (addr.sun_path, KADM5_LOG_SIGNAL, sizeof(addr.sun_path));
+    unlink (addr.sun_path);
+    if (bind (fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	krb5_err (context, 1, errno, "bind %s", addr.sun_path);
+    return fd;
+}
+
+static int
+make_listen_socket (krb5_context context)
+{
+    int fd;
+    int one = 1;
+    struct sockaddr_in addr;
+
+    fd = socket (AF_INET, SOCK_STREAM, 0);
+    if (fd < 0)
+	krb5_err (context, 1, errno, "socket AF_INET");
+    setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
+    memset (&addr, 0, sizeof(addr));
+    addr.sin_family = AF_INET;
+    addr.sin_port   = krb5_getportbyname (context,
+					  IPROP_SERVICE, "tcp", IPROP_PORT);
+    if(bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	krb5_err (context, 1, errno, "bind");
+    if (listen(fd, SOMAXCONN) < 0)
+	krb5_err (context, 1, errno, "listen");
+    return fd;
+}
+
+struct slave {
+    int fd;
+    struct sockaddr_in addr;
+    char *name;
+    krb5_auth_context ac;
+    u_int32_t version;
+    struct slave *next;
+};
+
+typedef struct slave slave;
+
+static int
+check_acl (krb5_context context, const char *name)
+{
+    FILE *fp;
+    char buf[256];
+    int ret = 1;
+
+    fp = fopen (KADM5_SLAVE_ACL, "r");
+    if (fp == NULL)
+	return 1;
+    while (fgets(buf, sizeof(buf), fp) != NULL) {
+	if (buf[strlen(buf) - 1 ] == '\n')
+	    buf[strlen(buf) - 1 ] = '\0';
+	if (strcmp (buf, name) == 0) {
+	    ret = 0;
+	    break;
+	}
+    }
+    fclose (fp);
+    return ret;
+}
+
+static void
+add_slave (krb5_context context, krb5_keytab keytab, slave **root, int fd)
+{
+    krb5_principal server;
+    krb5_error_code ret;
+    slave *s;
+    socklen_t addr_len;
+    krb5_ticket *ticket = NULL;
+    char hostname[128];
+
+    s = malloc(sizeof(*s));
+    if (s == NULL) {
+	krb5_warnx (context, "add_slave: no memory");
+	return;
+    }
+    s->name = NULL;
+    s->ac = NULL;
+
+    addr_len = sizeof(s->addr);
+    s->fd = accept (fd, (struct sockaddr *)&s->addr, &addr_len);
+    if (s->fd < 0) {
+	krb5_warn (context, errno, "accept");
+	goto error;
+    }
+    gethostname(hostname, sizeof(hostname));
+    ret = krb5_sname_to_principal (context, hostname, IPROP_NAME,
+				   KRB5_NT_SRV_HST, &server);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_sname_to_principal");
+	goto error;
+    }
+
+    ret = krb5_recvauth (context, &s->ac, &s->fd,
+			 IPROP_VERSION, server, 0, keytab, &ticket);
+    krb5_free_principal (context, server);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_recvauth");
+	goto error;
+    }
+    ret = krb5_unparse_name (context, ticket->client, &s->name);
+    if (ret) {
+	krb5_warn (context, ret, "krb5_unparse_name");
+	goto error;
+    }
+    if (check_acl (context, s->name)) {
+	krb5_warnx (context, "%s not in acl", s->name);
+	goto error;
+    }
+    krb5_free_ticket (context, ticket);
+    krb5_warnx (context, "connection from %s", s->name);
+
+    s->version = 0;
+    s->next = *root;
+    *root = s;
+    return;
+error:
+    if (s->name)
+	free (s->name);
+    if (s->ac)
+	krb5_auth_con_free(context, s->ac);
+    if (ticket)
+    krb5_free_ticket (context, ticket);
+    close (s->fd);
+    free(s);
+}
+
+static void
+remove_slave (krb5_context context, slave *s, slave **root)
+{
+    slave **p;
+
+    close (s->fd);
+    free (s->name);
+    krb5_auth_con_free (context, s->ac);
+
+    for (p = root; *p; p = &(*p)->next)
+	if (*p == s) {
+	    *p = s->next;
+	    break;
+	}
+    free (s);
+}
+
+struct prop_context {
+    krb5_auth_context auth_context;
+    int fd;
+};
+
+static int
+prop_one (krb5_context context, HDB *db, hdb_entry *entry, void *v)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    struct slave *slave = (struct slave *)v;
+
+    ret = hdb_entry2value (context, entry, &data);
+    if (ret)
+	return ret;
+    ret = krb5_data_realloc (&data, data.length + 4);
+    if (ret) {
+	krb5_data_free (&data);
+	return ret;
+    }
+    memmove ((char *)data.data + 4, data.data, data.length - 4);
+    _krb5_put_int (data.data, ONE_PRINC, 4);
+
+    ret = krb5_write_priv_message (context, slave->ac, &slave->fd, &data);
+    krb5_data_free (&data);
+    return ret;
+}
+
+static int
+send_complete (krb5_context context, slave *s,
+	       const char *database, u_int32_t current_version)
+{
+    krb5_error_code ret;
+    HDB *db;
+    krb5_data data;
+    char buf[8];
+
+    ret = hdb_create (context, &db, database);
+    if (ret)
+	krb5_err (context, 1, ret, "hdb_create: %s", database);
+    ret = db->open (context, db, O_RDONLY, 0);
+    if (ret)
+	krb5_err (context, 1, ret, "db->open");
+
+    _krb5_put_int(buf, TELL_YOU_EVERYTHING, 4);
+
+    data.data   = buf;
+    data.length = 4;
+
+    ret = krb5_write_priv_message(context, s->ac, &s->fd, &data);
+
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_write_priv_message");
+
+    ret = hdb_foreach (context, db, 0, prop_one, s);
+    if (ret)
+	krb5_err (context, 1, ret, "hdb_foreach");
+
+    _krb5_put_int (buf, NOW_YOU_HAVE, 4);
+    _krb5_put_int (buf + 4, current_version, 4);
+    data.length = 8;
+
+    ret = krb5_write_priv_message(context, s->ac, &s->fd, &data);
+
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_write_priv_message");
+
+    return 0;
+}
+
+static int
+send_diffs (krb5_context context, slave *s, int log_fd,
+	    const char *database, u_int32_t current_version)
+{
+    krb5_storage *sp;
+    u_int32_t ver;
+    time_t timestamp;
+    enum kadm_ops op;
+    u_int32_t len;
+    off_t right, left;
+    krb5_data data;
+    int ret = 0;
+
+    if (s->version == current_version)
+	return 0;
+
+    sp = kadm5_log_goto_end (log_fd);
+    right = sp->seek(sp, 0, SEEK_CUR);
+    for (;;) {
+	if (kadm5_log_previous (sp, &ver, &timestamp, &op, &len))
+	    abort ();
+	left = sp->seek(sp, -16, SEEK_CUR);
+	if (ver == s->version)
+	    return 0;
+	if (ver == s->version + 1)
+	    break;
+	if (left == 0)
+	    return send_complete (context, s, database, current_version);
+    }
+    krb5_data_alloc (&data, right - left + 4);
+    sp->fetch (sp, (char *)data.data + 4, data.length - 4);
+    krb5_storage_free(sp);
+
+    _krb5_put_int(data.data, FOR_YOU, 4);
+
+    ret = krb5_write_priv_message(context, s->ac, &s->fd, &data);
+
+    if (ret) {
+	krb5_warn (context, ret, "krb5_write_priv_message");
+	return 1;
+    }
+    return 0;
+}
+
+static int
+process_msg (krb5_context context, slave *s, int log_fd,
+	     const char *database, u_int32_t current_version)
+{
+    int ret = 0;
+    krb5_data out;
+    krb5_storage *sp;
+    int32_t tmp;
+
+    ret = krb5_read_priv_message(context, s->ac, &s->fd, &out);
+    if(ret) {
+	krb5_warn (context, ret, "error reading message from %s", s->name);
+	return 1;
+    }
+
+    sp = krb5_storage_from_mem (out.data, out.length);
+    krb5_ret_int32 (sp, &tmp);
+    switch (tmp) {
+    case I_HAVE :
+	krb5_ret_int32 (sp, &tmp);
+	s->version = tmp;
+	ret = send_diffs (context, s, log_fd, database, current_version);
+	break;
+    case FOR_YOU :
+    default :
+	krb5_warnx (context, "Ignoring command %d", tmp);
+	break;
+    }
+
+    krb5_data_free (&out);
+    return ret;
+}
+
+static char *realm;
+static int version_flag;
+static int help_flag;
+static char *keytab_str = "HDB:";
+static char *database;
+
+static struct getargs args[] = {
+    { "realm", 'r', arg_string, &realm },
+    { "keytab", 'k', arg_string, &keytab_str,
+      "keytab to get authentication from", "kspec" },
+    { "database", 'd', arg_string, &database, "database", "file"},
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    void *kadm_handle;
+    kadm5_server_context *server_context;
+    kadm5_config_params conf;
+    int signal_fd, listen_fd;
+    int log_fd;
+    slave *slaves = NULL;
+    u_int32_t current_version, old_version = 0;
+    krb5_keytab keytab;
+    int optind;
+    
+    optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    krb5_openlog (context, "ipropd-master", &log_facility);
+    krb5_set_warn_dest(context, log_facility);
+
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_register");
+
+    ret = krb5_kt_resolve(context, keytab_str, &keytab);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_resolve: %s", keytab_str);
+    
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	conf.mask |= KADM5_CONFIG_REALM;
+	conf.realm = realm;
+    }
+    ret = kadm5_init_with_skey_ctx (context,
+				    KADM5_ADMIN_SERVICE,
+				    NULL,
+				    KADM5_ADMIN_SERVICE,
+				    &conf, 0, 0, 
+				    &kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    server_context = (kadm5_server_context *)kadm_handle;
+
+    log_fd = open (server_context->log_context.log_file, O_RDONLY, 0);
+    if (log_fd < 0)
+	krb5_err (context, 1, errno, "open %s",
+		  server_context->log_context.log_file);
+
+    signal_fd = make_signal_socket (context);
+    listen_fd = make_listen_socket (context);
+
+    signal (SIGPIPE, SIG_IGN);
+
+    for (;;) {
+	slave *p;
+	fd_set readset;
+	int max_fd = 0;
+	struct timeval to = {30, 0};
+	u_int32_t vers;
+
+	if (signal_fd >= FD_SETSIZE || listen_fd >= FD_SETSIZE)
+	    krb5_errx (context, 1, "fd too large");
+
+	FD_ZERO(&readset);
+	FD_SET(signal_fd, &readset);
+	max_fd = max(max_fd, signal_fd);
+	FD_SET(listen_fd, &readset);
+	max_fd = max(max_fd, listen_fd);
+
+	for (p = slaves; p != NULL; p = p->next) {
+	    FD_SET(p->fd, &readset);
+	    max_fd = max(max_fd, p->fd);
+	}
+
+	ret = select (max_fd + 1,
+		      &readset, NULL, NULL, &to);
+	if (ret < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		krb5_err (context, 1, errno, "select");
+	}
+
+	if (ret == 0) {
+	    old_version = current_version;
+	    kadm5_log_get_version_fd (log_fd, &current_version);
+
+	    if (current_version > old_version)
+		for (p = slaves; p != NULL; p = p->next)
+		    send_diffs (context, p, log_fd, database, current_version);
+	}
+
+	if (ret && FD_ISSET(signal_fd, &readset)) {
+	    struct sockaddr_un peer_addr;
+	    socklen_t peer_len = sizeof(peer_addr);
+
+	    if(recvfrom(signal_fd, &vers, sizeof(vers), 0,
+			(struct sockaddr *)&peer_addr, &peer_len) < 0) {
+		krb5_warn (context, errno, "recvfrom");
+		continue;
+	    }
+	    --ret;
+	    old_version = current_version;
+	    kadm5_log_get_version_fd (log_fd, &current_version);
+	    for (p = slaves; p != NULL; p = p->next)
+		send_diffs (context, p, log_fd, database, current_version);
+	}
+
+	for(p = slaves; p != NULL; p = p->next)
+	    if (FD_ISSET(p->fd, &readset)) {
+		--ret;
+		if(process_msg (context, p, log_fd, database, current_version))
+		    remove_slave (context, p, &slaves);
+	    }
+
+	if (ret && FD_ISSET(listen_fd, &readset)) {
+	    add_slave (context, keytab, &slaves, listen_fd);
+	    --ret;
+	}
+
+    }
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/ipropd_slave.c b/crypto/heimdal/lib/kadm5/ipropd_slave.c
new file mode 100644
index 0000000..8d8bf25
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/ipropd_slave.c
@@ -0,0 +1,433 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+
+RCSID("$Id: ipropd_slave.c,v 1.21 2000/08/06 02:06:19 assar Exp $");
+
+static krb5_log_facility *log_facility;
+
+static int
+connect_to_master (krb5_context context, const char *master)
+{
+    int fd;
+    struct sockaddr_in addr;
+    struct hostent *he;
+
+    fd = socket (AF_INET, SOCK_STREAM, 0);
+    if (fd < 0)
+	krb5_err (context, 1, errno, "socket AF_INET");
+    memset (&addr, 0, sizeof(addr));
+    addr.sin_family = AF_INET;
+    addr.sin_port   = krb5_getportbyname (context,
+					  IPROP_SERVICE, "tcp", IPROP_PORT);
+    he = roken_gethostbyname (master);
+    if (he == NULL)
+	krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno));
+    memcpy (&addr.sin_addr, he->h_addr, sizeof(addr.sin_addr));
+    if(connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	krb5_err (context, 1, errno, "connect");
+    return fd;
+}
+
+static void
+get_creds(krb5_context context, const char *keytab_str,
+	  krb5_ccache *cache, const char *host)
+{
+    krb5_keytab keytab;
+    krb5_principal client;
+    krb5_error_code ret;
+    krb5_get_init_creds_opt init_opts;
+    krb5_creds creds;
+    char *server;
+    char keytab_buf[256];
+    
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_register");
+
+    if (keytab_str == NULL) {
+	ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_kt_default_name");
+	keytab_str = keytab_buf;
+    }
+
+    ret = krb5_kt_resolve(context, keytab_str, &keytab);
+    if(ret)
+	krb5_err(context, 1, ret, "%s", keytab_str);
+    
+    ret = krb5_sname_to_principal (context, NULL, IPROP_NAME,
+				   KRB5_NT_SRV_HST, &client);
+    if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal");
+
+    krb5_get_init_creds_opt_init(&init_opts);
+
+    asprintf (&server, "%s/%s", IPROP_NAME, host);
+    if (server == NULL)
+	krb5_errx (context, 1, "malloc: no memory");
+
+    ret = krb5_get_init_creds_keytab(context, &creds, client, keytab,
+				     0, server, &init_opts);
+    free (server);
+    if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
+    
+    ret = krb5_kt_close(context, keytab);
+    if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
+    
+    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new");
+
+    ret = krb5_cc_initialize(context, *cache, client);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+    ret = krb5_cc_store_cred(context, *cache, &creds);
+    if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
+}
+
+static void
+ihave (krb5_context context, krb5_auth_context auth_context,
+       int fd, u_int32_t version)
+{
+    int ret;
+    u_char buf[8];
+    krb5_storage *sp;
+    krb5_data data, priv_data;
+
+    sp = krb5_storage_from_mem (buf, 8);
+    krb5_store_int32 (sp, I_HAVE);
+    krb5_store_int32 (sp, version);
+    krb5_storage_free (sp);
+    data.length = 8;
+    data.data   = buf;
+    
+    ret = krb5_mk_priv (context, auth_context, &data, &priv_data, NULL);
+    if (ret)
+	krb5_err (context, 1, ret, "krb_mk_priv");
+
+    ret = krb5_write_message (context, &fd, &priv_data);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_write_message");
+
+    krb5_data_free (&priv_data);
+}
+
+static void
+receive_loop (krb5_context context,
+	      krb5_storage *sp,
+	      kadm5_server_context *server_context)
+{
+    int ret;
+    off_t left, right;
+    void *buf;
+    int32_t vers;
+
+    do {
+	int32_t len, timestamp, tmp;
+	enum kadm_ops op;
+
+	if(krb5_ret_int32 (sp, &vers) != 0)
+	    return;
+	krb5_ret_int32 (sp, &timestamp);
+	krb5_ret_int32 (sp, &tmp);
+	op = tmp;
+	krb5_ret_int32 (sp, &len);
+	if (vers <= server_context->log_context.version)
+	    sp->seek(sp, len, SEEK_CUR);
+    } while(vers <= server_context->log_context.version);
+
+    left  = sp->seek (sp, -16, SEEK_CUR);
+    right = sp->seek (sp, 0, SEEK_END);
+    buf = malloc (right - left);
+    if (buf == NULL && (right - left) != 0) {
+	krb5_warnx (context, "malloc: no memory");
+	return;
+    }
+    sp->seek (sp, left, SEEK_SET);
+    sp->fetch (sp, buf, right - left);
+    write (server_context->log_context.log_fd, buf, right-left);
+    fsync (server_context->log_context.log_fd);
+    free (buf);
+
+    sp->seek (sp, left, SEEK_SET);
+
+    for(;;) {
+	int32_t len, timestamp, tmp;
+	enum kadm_ops op;
+
+	if(krb5_ret_int32 (sp, &vers) != 0)
+	    break;
+	krb5_ret_int32 (sp, &timestamp);
+	krb5_ret_int32 (sp, &tmp);
+	op = tmp;
+	krb5_ret_int32 (sp, &len);
+
+	ret = kadm5_log_replay (server_context,
+				op, vers, len, sp);
+	if (ret)
+	    krb5_warn (context, ret, "kadm5_log_replay");
+	else
+	    server_context->log_context.version = vers;
+	sp->seek (sp, 8, SEEK_CUR);
+    }
+}
+
+static void
+receive (krb5_context context,
+	 krb5_storage *sp,
+	 kadm5_server_context *server_context)
+{
+    int ret;
+
+    ret = server_context->db->open(context,
+				   server_context->db,
+				   O_RDWR | O_CREAT, 0600);
+    if (ret)
+	krb5_err (context, 1, ret, "db->open");
+
+    receive_loop (context, sp, server_context);
+
+    ret = server_context->db->close (context, server_context->db);
+    if (ret)
+	krb5_err (context, 1, ret, "db->close");
+}
+
+static void
+receive_everything (krb5_context context, int fd,
+		    kadm5_server_context *server_context,
+		    krb5_auth_context auth_context)
+{
+    int ret;
+    krb5_data data;
+    int32_t vno;
+    int32_t opcode;
+
+    ret = server_context->db->open(context,
+				   server_context->db,
+				   O_RDWR | O_CREAT | O_TRUNC, 0600);
+    if (ret)
+	krb5_err (context, 1, ret, "db->open");
+
+    do {
+	krb5_storage *sp;
+
+	ret = krb5_read_priv_message(context, auth_context, &fd, &data);
+
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_read_priv_message");
+
+	sp = krb5_storage_from_data (&data);
+	krb5_ret_int32 (sp, &opcode);
+	if (opcode == ONE_PRINC) {
+	    krb5_data fake_data;
+	    hdb_entry entry;
+
+	    fake_data.data   = (char *)data.data + 4;
+	    fake_data.length = data.length - 4;
+
+	    ret = hdb_value2entry (context, &fake_data, &entry);
+	    if (ret)
+		krb5_err (context, 1, ret, "hdb_value2entry");
+	    ret = server_context->db->store(server_context->context,
+					    server_context->db,
+					    0, &entry);
+	    if (ret)
+		krb5_err (context, 1, ret, "hdb_store");
+
+	    hdb_free_entry (context, &entry);
+	    krb5_data_free (&data);
+	}
+    } while (opcode == ONE_PRINC);
+
+    if (opcode != NOW_YOU_HAVE)
+	krb5_errx (context, 1, "receive_everything: strange %d", opcode);
+
+    _krb5_get_int ((char *)data.data + 4, &vno, 4);
+
+    ret = kadm5_log_reinit (server_context);
+    if (ret)
+	krb5_err(context, 1, ret, "kadm5_log_reinit");
+
+    ret = kadm5_log_set_version (server_context, vno - 1);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_set_version");
+
+    ret = kadm5_log_nop (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_nop");
+
+    krb5_data_free (&data);
+
+    ret = server_context->db->close (context, server_context->db);
+    if (ret)
+	krb5_err (context, 1, ret, "db->close");
+}
+
+static char *realm;
+static int version_flag;
+static int help_flag;
+static char *keytab_str;
+
+static struct getargs args[] = {
+    { "realm", 'r', arg_string, &realm },
+    { "keytab", 'k', arg_string, &keytab_str,
+      "keytab to get authentication from", "kspec" },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage (int code, struct getargs *args, int num_args)
+{
+    arg_printusage (args, num_args, NULL, "master");
+    exit (code);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_auth_context auth_context;
+    void *kadm_handle;
+    kadm5_server_context *server_context;
+    kadm5_config_params conf;
+    int master_fd;
+    krb5_ccache ccache;
+    krb5_principal server;
+
+    int optind;
+    const char *master;
+    
+    optind = krb5_program_setup(&context, argc, argv, args, num_args, usage);
+    
+    if(help_flag)
+	usage (0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 1)
+	usage (1, args, num_args);
+
+    master = argv[0];
+
+    krb5_openlog (context, "ipropd-master", &log_facility);
+    krb5_set_warn_dest(context, log_facility);
+
+    ret = krb5_kt_register(context, &hdb_kt_ops);
+    if(ret)
+	krb5_err(context, 1, ret, "krb5_kt_register");
+
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	conf.mask |= KADM5_CONFIG_REALM;
+	conf.realm = realm;
+    }
+    ret = kadm5_init_with_password_ctx (context,
+					KADM5_ADMIN_SERVICE,
+					NULL,
+					KADM5_ADMIN_SERVICE,
+					&conf, 0, 0, 
+					&kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    server_context = (kadm5_server_context *)kadm_handle;
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_init");
+
+    get_creds(context, keytab_str, &ccache, master);
+
+    master_fd = connect_to_master (context, master);
+
+    ret = krb5_sname_to_principal (context, master, IPROP_NAME,
+				   KRB5_NT_SRV_HST, &server);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_sname_to_principal");
+
+    auth_context = NULL;
+    ret = krb5_sendauth (context, &auth_context, &master_fd,
+			 IPROP_VERSION, NULL, server,
+			 AP_OPTS_MUTUAL_REQUIRED, NULL, NULL,
+			 ccache, NULL, NULL, NULL);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_sendauth");
+
+    ihave (context, auth_context, master_fd,
+	   server_context->log_context.version);
+
+    for (;;) {
+	int ret;
+	krb5_data out;
+	krb5_storage *sp;
+	int32_t tmp;
+
+	ret = krb5_read_priv_message(context, auth_context, &master_fd, &out);
+
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_read_priv_message");
+
+	sp = krb5_storage_from_mem (out.data, out.length);
+	krb5_ret_int32 (sp, &tmp);
+	switch (tmp) {
+	case FOR_YOU :
+	    receive (context, sp, server_context);
+	    ihave (context, auth_context, master_fd,
+		   server_context->log_context.version);
+	    break;
+	case TELL_YOU_EVERYTHING :
+	    receive_everything (context, master_fd, server_context,
+				auth_context);
+	    break;
+	case NOW_YOU_HAVE :
+	case I_HAVE :
+	case ONE_PRINC :
+	default :
+	    krb5_warnx (context, "Ignoring command %d", tmp);
+	    break;
+	}
+	krb5_storage_free (sp);
+	krb5_data_free (&out);
+    }
+    
+    return 0;
+    }
diff --git a/crypto/heimdal/lib/kadm5/kadm5-private.h b/crypto/heimdal/lib/kadm5/kadm5-private.h
new file mode 100644
index 0000000..4e74a2b
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/kadm5-private.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kadm5-private.h,v 1.3 2000/07/24 04:31:17 assar Exp $ */
+
+#ifndef __kadm5_privatex_h__
+#define __kadm5_privatex_h__
+
+kadm5_ret_t _kadm5_privs_to_string (u_int32_t, char*, size_t);
+
+kadm5_ret_t _kadm5_string_to_privs (const char*, u_int32_t*);
+
+HDB *_kadm5_s_get_db (void *);
+
+kadm5_ret_t
+_kadm5_acl_check_permission __P((
+	kadm5_server_context *context,
+	unsigned op,
+	krb5_const_principal princ));
+
+kadm5_ret_t
+_kadm5_acl_init __P((kadm5_server_context *context));
+
+kadm5_ret_t
+_kadm5_c_init_context __P((
+	kadm5_client_context **ctx,
+	kadm5_config_params *params,
+	krb5_context context));
+
+kadm5_ret_t
+_kadm5_client_recv __P((
+	kadm5_client_context *context,
+	krb5_data *reply));
+
+kadm5_ret_t
+_kadm5_client_send __P((
+	kadm5_client_context *context,
+	krb5_storage *sp));
+
+kadm5_ret_t
+_kadm5_connect __P((void*));
+
+kadm5_ret_t
+_kadm5_error_code __P((kadm5_ret_t code));
+
+kadm5_ret_t
+_kadm5_s_init_context __P((
+	kadm5_server_context **ctx,
+	kadm5_config_params *params,
+	krb5_context context));
+
+kadm5_ret_t
+_kadm5_set_keys __P((
+	kadm5_server_context *context,
+	hdb_entry *ent,
+	const char *password));
+
+kadm5_ret_t
+_kadm5_set_keys2 __P((
+	kadm5_server_context *context,
+	hdb_entry *ent, 
+	int16_t n_key_data, 
+	krb5_key_data *key_data));
+
+kadm5_ret_t
+_kadm5_set_keys3 __P((
+	kadm5_server_context *context,
+	hdb_entry *ent, 
+	int n_keys,
+	krb5_keyblock *keyblocks));
+
+kadm5_ret_t
+_kadm5_set_keys_randomly __P((kadm5_server_context *context,
+			      hdb_entry *ent,
+			      krb5_keyblock **new_keys,
+			      int *n_keys));
+
+kadm5_ret_t
+_kadm5_set_modifier __P((
+	kadm5_server_context *context,
+	hdb_entry *ent));
+
+kadm5_ret_t
+_kadm5_bump_pw_expire __P((kadm5_server_context *context,
+			   hdb_entry *ent));
+
+kadm5_ret_t
+_kadm5_setup_entry __P((
+	kadm5_server_context *context,
+	hdb_entry *ent,
+	u_int32_t mask,
+	kadm5_principal_ent_t princ,
+	u_int32_t princ_mask,
+	kadm5_principal_ent_t def,
+	u_int32_t def_mask));
+
+kadm5_ret_t
+kadm5_log_get_version_fd (int fd, u_int32_t *ver);
+
+kadm5_ret_t
+kadm5_log_get_version (kadm5_server_context *context, u_int32_t *ver);
+
+kadm5_ret_t
+kadm5_log_set_version (kadm5_server_context *context, u_int32_t vno);
+
+kadm5_ret_t
+kadm5_log_init (kadm5_server_context *context);
+
+kadm5_ret_t
+kadm5_log_reinit (kadm5_server_context *context);
+
+kadm5_ret_t
+kadm5_log_create (kadm5_server_context *context,
+		  hdb_entry *ent);
+
+kadm5_ret_t
+kadm5_log_delete (kadm5_server_context *context,
+		  krb5_principal princ);
+
+kadm5_ret_t
+kadm5_log_rename (kadm5_server_context *context,
+		  krb5_principal source,
+		  hdb_entry *ent);
+
+kadm5_ret_t
+kadm5_log_modify (kadm5_server_context *context,
+		  hdb_entry *ent,
+		  u_int32_t mask);
+
+kadm5_ret_t
+kadm5_log_nop (kadm5_server_context *context);
+
+kadm5_ret_t
+kadm5_log_end (kadm5_server_context *context);
+
+kadm5_ret_t
+kadm5_log_foreach (kadm5_server_context *context,
+		   void (*func)(kadm5_server_context *server_context,
+				u_int32_t ver,
+				time_t timestamp,
+				enum kadm_ops op,
+				u_int32_t len,
+				krb5_storage *sp));
+
+kadm5_ret_t
+kadm5_log_replay_create (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_delete (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_rename (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_modify (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay_nop (kadm5_server_context *context,
+		      u_int32_t ver,
+		      u_int32_t len,
+		      krb5_storage *sp);
+
+kadm5_ret_t
+kadm5_log_replay (kadm5_server_context *context,
+		  enum kadm_ops op,
+		  u_int32_t ver,
+		  u_int32_t len,
+		  krb5_storage *sp);
+
+krb5_storage *
+kadm5_log_goto_end (int fd);
+
+kadm5_ret_t
+kadm5_log_previous (krb5_storage *sp,
+		    u_int32_t *ver,
+		    time_t *timestamp,
+		    enum kadm_ops *op,
+		    u_int32_t *len);
+
+kadm5_ret_t
+kadm5_log_truncate (kadm5_server_context *server_context);
+
+kadm5_ret_t
+_kadm5_marshal_params __P((krb5_context context, 
+			   kadm5_config_params *params, 
+			   krb5_data *out));
+
+kadm5_ret_t
+_kadm5_unmarshal_params __P((krb5_context context,
+			     krb5_data *in,
+			     kadm5_config_params *params));
+
+void
+_kadm5_free_keys (kadm5_server_context *context,
+		  int len, Key *keys);
+
+void
+_kadm5_init_keys (Key *keys, int len);
+
+int
+_kadm5_cmp_keys(Key *keys1, int len1, Key *keys2, int len2);
+
+#endif /* __kadm5_privatex_h__ */
diff --git a/crypto/heimdal/lib/kadm5/kadm5-protos.h b/crypto/heimdal/lib/kadm5/kadm5-protos.h
new file mode 100644
index 0000000..070492b
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/kadm5-protos.h
@@ -0,0 +1,516 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kadm5-protos.h,v 1.2 2000/07/22 05:52:01 assar Exp $ */
+
+#ifndef __kadm5_protos_h__
+#define __kadm5_protos_h__
+
+kadm5_ret_t
+kadm5_c_chpass_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_c_chpass_principal_with_key __P((
+	void *server_handle,
+	krb5_principal princ,
+	int n_key_data,
+	krb5_key_data *key_data));
+
+kadm5_ret_t
+kadm5_c_create_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask,
+	char *password));
+
+kadm5_ret_t
+kadm5_c_delete_principal __P((
+	void *server_handle,
+	krb5_principal princ));
+
+kadm5_ret_t
+kadm5_c_destroy __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_c_flush __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_c_get_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	kadm5_principal_ent_t out,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_c_get_principals __P((
+	void *server_handle,
+	const char *exp,
+	char ***princs,
+	int *count));
+
+kadm5_ret_t
+kadm5_c_get_privs __P((
+	void *server_handle,
+	u_int32_t *privs));
+
+kadm5_ret_t
+kadm5_c_init_with_creds __P((
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_creds_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_password __P((
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_password_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_skey __P((
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_init_with_skey_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_c_modify_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_c_randkey_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	krb5_keyblock **new_keys,
+	int *n_keys));
+
+kadm5_ret_t
+kadm5_c_rename_principal __P((
+	void *server_handle,
+	krb5_principal source,
+	krb5_principal target));
+
+kadm5_ret_t
+kadm5_chpass_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_chpass_principal_with_key __P((
+	void *server_handle,
+	krb5_principal princ,
+	int n_key_data,
+	krb5_key_data *key_data));
+
+kadm5_ret_t
+kadm5_create_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask,
+	char *password));
+
+kadm5_ret_t
+kadm5_delete_principal __P((
+	void *server_handle,
+	krb5_principal princ));
+
+kadm5_ret_t
+kadm5_destroy __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_flush __P((void *server_handle));
+
+void
+kadm5_free_key_data __P((
+	void *server_handle,
+	int16_t *n_key_data,
+	krb5_key_data *key_data));
+
+void
+kadm5_free_name_list __P((
+	void *server_handle,
+	char **names,
+	int *count));
+
+void
+kadm5_free_principal_ent __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ));
+
+kadm5_ret_t
+kadm5_get_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	kadm5_principal_ent_t out,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_get_principals __P((
+	void *server_handle,
+	const char *exp,
+	char ***princs,
+	int *count));
+
+kadm5_ret_t
+kadm5_get_privs __P((
+	void *server_handle,
+	u_int32_t *privs));
+
+kadm5_ret_t
+kadm5_init_with_creds __P((
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_creds_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_password __P((
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_password_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_skey __P((
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_init_with_skey_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_modify_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_randkey_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	krb5_keyblock **new_keys,
+	int *n_keys));
+
+kadm5_ret_t
+kadm5_rename_principal __P((
+	void *server_handle,
+	krb5_principal source,
+	krb5_principal target));
+
+kadm5_ret_t
+kadm5_ret_key_data __P((
+	krb5_storage *sp,
+	krb5_key_data *key));
+
+kadm5_ret_t
+kadm5_ret_principal_ent __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ));
+
+kadm5_ret_t
+kadm5_ret_principal_ent_mask __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ,
+	u_int32_t *mask));
+
+kadm5_ret_t
+kadm5_ret_tl_data __P((
+	krb5_storage *sp,
+	krb5_tl_data *tl));
+
+kadm5_ret_t
+kadm5_s_chpass_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_s_chpass_principal_cond __P((
+	void *server_handle,
+	krb5_principal princ,
+	char *password));
+
+kadm5_ret_t
+kadm5_s_chpass_principal_with_key __P((
+	void *server_handle,
+	krb5_principal princ,
+	int n_key_data,
+	krb5_key_data *key_data));
+
+kadm5_ret_t
+kadm5_s_create_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask,
+	char *password));
+
+kadm5_ret_t
+kadm5_s_create_principal_with_key __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_s_delete_principal __P((
+	void *server_handle,
+	krb5_principal princ));
+
+kadm5_ret_t
+kadm5_s_destroy __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_s_flush __P((void *server_handle));
+
+kadm5_ret_t
+kadm5_s_get_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	kadm5_principal_ent_t out,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_s_get_principals __P((
+	void *server_handle,
+	const char *exp,
+	char ***princs,
+	int *count));
+
+kadm5_ret_t
+kadm5_s_get_privs __P((
+	void *server_handle,
+	u_int32_t *privs));
+
+kadm5_ret_t
+kadm5_s_init_with_creds __P((
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_creds_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	krb5_ccache ccache,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_password __P((
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_password_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *password,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_skey __P((
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_init_with_skey_ctx __P((
+	krb5_context context,
+	const char *client_name,
+	const char *keytab,
+	const char *service_name,
+	kadm5_config_params *realm_params,
+	unsigned long struct_version,
+	unsigned long api_version,
+	void **server_handle));
+
+kadm5_ret_t
+kadm5_s_modify_principal __P((
+	void *server_handle,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_s_randkey_principal __P((
+	void *server_handle,
+	krb5_principal princ,
+	krb5_keyblock **new_keys,
+	int *n_keys));
+
+kadm5_ret_t
+kadm5_s_rename_principal __P((
+	void *server_handle,
+	krb5_principal source,
+	krb5_principal target));
+
+kadm5_ret_t
+kadm5_store_key_data __P((
+	krb5_storage *sp,
+	krb5_key_data *key));
+
+kadm5_ret_t
+kadm5_store_principal_ent __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ));
+
+kadm5_ret_t
+kadm5_store_principal_ent_mask __P((
+	krb5_storage *sp,
+	kadm5_principal_ent_t princ,
+	u_int32_t mask));
+
+kadm5_ret_t
+kadm5_store_tl_data __P((
+	krb5_storage *sp,
+	krb5_tl_data *tl));
+
+void
+kadm5_setup_passwd_quality_check(krb5_context context,
+				 const char *check_library,
+				 const char *check_function);
+
+const char *
+kadm5_check_password_quality (krb5_context context,
+			      krb5_principal principal,
+			      krb5_data *pwd_data);
+
+#endif /* __kadm5_protos_h__ */
diff --git a/crypto/heimdal/lib/kadm5/kadm5_err.et b/crypto/heimdal/lib/kadm5/kadm5_err.et
new file mode 100644
index 0000000..506a554
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/kadm5_err.et
@@ -0,0 +1,59 @@
+#
+# Error messages for the kadm5 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: kadm5_err.et,v 1.4 1998/02/16 16:37:17 joda Exp $"
+
+error_table ovk kadm5
+
+prefix KADM5
+error_code FAILURE,		"Operation failed for unspecified reason"
+error_code AUTH_GET,		"Operation requires `get' privilege"
+error_code AUTH_ADD,		"Operation requires `add' privilege"
+error_code AUTH_MODIFY,		"Operation requires `modify' privilege"
+error_code AUTH_DELETE,		"Operation requires `delete' privilege"
+error_code AUTH_INSUFFICIENT,	"Insufficient authorization for operation"
+error_code BAD_DB,		"Database inconsistency detected"
+error_code DUP,			"Principal or policy already exists"
+error_code RPC_ERROR,		"Communication failure with server"
+error_code NO_SRV,		"No administration server found for realm"
+error_code BAD_HIST_KEY,	"Password history principal key version mismatch"
+error_code NOT_INIT,		"Connection to server not initialized"
+error_code UNK_PRINC,		"Principal does not exist"
+error_code UNK_POLICY,		"Policy does not exist"
+error_code BAD_MASK,		"Invalid field mask for operation"
+error_code BAD_CLASS,		"Invalid number of character classes"
+error_code BAD_LENGTH,		"Invalid password length"
+error_code BAD_POLICY,		"Invalid policy name"
+error_code BAD_PRINCIPAL,	"Invalid principal name."
+error_code BAD_AUX_ATTR,	"Invalid auxillary attributes"
+error_code BAD_HISTORY,		"Invalid password history count"
+error_code BAD_MIN_PASS_LIFE,	"Password minimum life is greater then password maximum life"
+error_code PASS_Q_TOOSHORT,	"Password is too short"
+error_code PASS_Q_CLASS,	"Password does not contain enough character classes"
+error_code PASS_Q_DICT,		"Password is in the password dictionary"
+error_code PASS_REUSE,		"Can't resuse password"
+error_code PASS_TOOSOON,	"Current password's minimum life has not expired"
+error_code POLICY_REF,		"Policy is in use"
+error_code INIT,		"Connection to server already initialized"
+error_code BAD_PASSWORD,	"Incorrect password"
+error_code PROTECT_PRINCIPAL,	"Can't change protected principal"
+error_code BAD_SERVER_HANDLE,	"Programmer error!  Bad Admin server handle"
+error_code BAD_STRUCT_VERSION,	"Programmer error!  Bad API structure version"
+error_code OLD_STRUCT_VERSION,	"API structure version specified by application is no longer supported"
+error_code NEW_STRUCT_VERSION,	"API structure version specified by application is unknown to libraries"
+error_code BAD_API_VERSION,	"Programmer error!  Bad API version"
+error_code OLD_LIB_API_VERSION,	"API version specified by application is no longer supported by libraries"
+error_code OLD_SERVER_API_VERSION,"API version specified by application is no longer supported by server"
+error_code NEW_LIB_API_VERSION,	"API version specified by application is unknown to libraries"
+error_code NEW_SERVER_API_VERSION,"API version specified by application is unknown to server"
+error_code SECURE_PRINC_MISSING,"Database error! Required principal missing"
+error_code NO_RENAME_SALT,	"The salt type of the specified principal does not support renaming"
+error_code BAD_CLIENT_PARAMS,	"Invalid configuration parameter for remote KADM5 client"
+error_code BAD_SERVER_PARAMS,	"Invalid configuration parameter for local KADM5 client."
+error_code AUTH_LIST,		"Operation requires `list' privilege"
+error_code AUTH_CHANGEPW,	"Operation requires `change-password' privilege"
+error_code BAD_TL_TYPE,		"Programmer error!  Invalid tagged data list element type"
+error_code MISSING_CONF_PARAMS,	"Required parameters in kdc.conf missing"
+error_code BAD_SERVER_NAME,	"Bad krb5 admin server hostname"
diff --git a/crypto/heimdal/lib/kadm5/kadm5_locl.h b/crypto/heimdal/lib/kadm5/kadm5_locl.h
new file mode 100644
index 0000000..6f634ed
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/kadm5_locl.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: kadm5_locl.h,v 1.23 2000/07/08 11:57:40 assar Exp $ */
+
+#ifndef __KADM5_LOCL_H__
+#define __KADM5_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+#include <limits.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#include <fnmatch.h>
+#include "admin.h"
+#include "kadm5_err.h"
+#include <hdb.h>
+#include <der.h>
+#include <roken.h>
+#include <parse_units.h>
+#include "private.h"
+
+#endif /* __KADM5_LOCL_H__ */
diff --git a/crypto/heimdal/lib/kadm5/keys.c b/crypto/heimdal/lib/kadm5/keys.c
new file mode 100644
index 0000000..3ae21ab
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/keys.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: keys.c,v 1.1 2000/07/22 05:53:02 assar Exp $");
+
+/*
+ * free all the memory used by (len, keys)
+ */
+
+void
+_kadm5_free_keys (kadm5_server_context *context,
+		  int len, Key *keys)
+{
+    int i;
+
+    for (i = 0; i < len; ++i) {
+	free (keys[i].mkvno);
+	keys[i].mkvno = NULL;
+	if (keys[i].salt != NULL) {
+	    free_Salt(keys[i].salt);
+	    free(keys[i].salt);
+	    keys[i].salt = NULL;
+	}
+	krb5_free_keyblock_contents(context->context, &keys[i].key);
+    }
+    free (keys);
+}
+
+/*
+ * null-ify `len', `keys'
+ */
+
+void
+_kadm5_init_keys (Key *keys, int len)
+{
+    int i;
+
+    for (i = 0; i < len; ++i) {
+	keys[i].mkvno               = NULL;
+	keys[i].salt                = NULL;
+	keys[i].key.keyvalue.length = 0;
+	keys[i].key.keyvalue.data   = NULL;
+    }
+}
+
+/*
+ * return 0 iff `keys1, len1' and `keys2, len2' are identical
+ */
+
+int
+_kadm5_cmp_keys(Key *keys1, int len1, Key *keys2, int len2)
+{
+    int i;
+
+    if (len1 != len2)
+	return 1;
+
+    for (i = 0; i < len1; ++i) {
+	if ((keys1[i].salt != NULL && keys2[i].salt == NULL)
+	    || (keys1[i].salt == NULL && keys2[i].salt != NULL))
+	    return 1;
+	if (keys1[i].salt != NULL) {
+	    if (keys1[i].salt->type != keys2[i].salt->type)
+		return 1;
+	    if (keys1[i].salt->salt.length != keys2[i].salt->salt.length)
+		return 1;
+	    if (memcmp (keys1[i].salt->salt.data, keys2[i].salt->salt.data,
+			keys1[i].salt->salt.length) != 0)
+		return 1;
+	}
+	if (keys1[i].key.keytype != keys2[i].key.keytype)
+	    return 1;
+	if (keys1[i].key.keyvalue.length != keys2[i].key.keyvalue.length)
+	    return 1;
+	if (memcmp (keys1[i].key.keyvalue.data, keys2[i].key.keyvalue.data,
+		    keys1[i].key.keyvalue.length) != 0)
+	    return 1;
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/log.c b/crypto/heimdal/lib/kadm5/log.c
new file mode 100644
index 0000000..875f749
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/log.c
@@ -0,0 +1,805 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: log.c,v 1.18 2000/07/24 04:32:17 assar Exp $");
+
+/*
+ * A log record consists of:
+ *
+ * version number		4 bytes
+ * time in seconds		4 bytes
+ * operation (enum kadm_ops)	4 bytes
+ * length of record		4 bytes
+ * data...			n bytes
+ * length of record		4 bytes
+ * version number		4 bytes
+ *
+ */
+
+kadm5_ret_t
+kadm5_log_get_version_fd (int fd,
+			  u_int32_t *ver)
+{
+    int ret;
+    krb5_storage *sp;
+    int32_t old_version;
+
+    ret = lseek (fd, 0, SEEK_END);
+    if(ret < 0)
+	return errno;
+    if(ret == 0) {
+	*ver = 0;
+	return 0;
+    }
+    sp = krb5_storage_from_fd (fd);
+    sp->seek(sp, -4, SEEK_CUR);
+    krb5_ret_int32 (sp, &old_version);
+    *ver = old_version;
+    krb5_storage_free(sp);
+    lseek (fd, 0, SEEK_END);
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_log_get_version (kadm5_server_context *context, u_int32_t *ver)
+{
+    return kadm5_log_get_version_fd (context->log_context.log_fd, ver);
+}
+
+kadm5_ret_t
+kadm5_log_set_version (kadm5_server_context *context, u_int32_t vno)
+{
+    kadm5_log_context *log_context = &context->log_context;
+
+    log_context->version = vno;
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_log_init (kadm5_server_context *context)
+{
+    int fd;
+    kadm5_ret_t ret;
+    kadm5_log_context *log_context = &context->log_context;
+
+    if (log_context->log_fd != -1)
+	return 0;
+    fd = open (log_context->log_file, O_RDWR | O_CREAT, 0600);
+    if (fd < 0)
+	return errno;
+    if (flock (fd, LOCK_EX) < 0) {
+	close (fd);
+	return errno;
+    }
+
+    ret = kadm5_log_get_version_fd (fd, &log_context->version);
+    if (ret)
+	return ret;
+
+    log_context->log_fd  = fd;
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_log_reinit (kadm5_server_context *context)
+{
+    int fd;
+    kadm5_log_context *log_context = &context->log_context;
+
+    if (log_context->log_fd != -1) {
+	close (log_context->log_fd);
+	log_context->log_fd = -1;
+    }
+    fd = open (log_context->log_file, O_RDWR | O_CREAT | O_TRUNC, 0600);
+    if (fd < 0)
+	return errno;
+    if (flock (fd, LOCK_EX) < 0) {
+	close (fd);
+	return errno;
+    }
+
+    log_context->version = 0;
+    log_context->log_fd  = fd;
+    return 0;
+}
+
+
+kadm5_ret_t
+kadm5_log_end (kadm5_server_context *context)
+{
+    kadm5_log_context *log_context = &context->log_context;
+    int fd = log_context->log_fd;
+
+    flock (fd, LOCK_UN);
+    close(fd);
+    log_context->log_fd = -1;
+    return 0;
+}
+
+static kadm5_ret_t
+kadm5_log_preamble (kadm5_server_context *context,
+		    krb5_storage *sp,
+		    enum kadm_ops op)
+{
+    kadm5_log_context *log_context = &context->log_context;
+    kadm5_ret_t kadm_ret;
+
+    kadm_ret = kadm5_log_init (context);
+    if (kadm_ret)
+	return kadm_ret;
+
+    krb5_store_int32 (sp, ++log_context->version);
+    krb5_store_int32 (sp, time(NULL));
+    krb5_store_int32 (sp, op);
+    return 0;
+}
+
+static kadm5_ret_t
+kadm5_log_postamble (kadm5_log_context *context,
+		     krb5_storage *sp)
+{
+    krb5_store_int32 (sp, context->version);
+    return 0;
+}
+
+/*
+ * flush the log record in `sp'.
+ */
+
+static kadm5_ret_t
+kadm5_log_flush (kadm5_log_context *log_context,
+		 krb5_storage *sp)
+{
+    krb5_data data;
+    size_t len;
+    int ret;
+
+    krb5_storage_to_data(sp, &data);
+    len = data.length;
+    ret = write (log_context->log_fd, data.data, len);
+    if (ret != len) {
+	krb5_data_free(&data);
+	return errno;
+    }
+    if (fsync (log_context->log_fd) < 0) {
+	krb5_data_free(&data);
+	return errno;
+    }
+    /*
+     * Try to send a signal to any running `ipropd-master'
+     */
+    sendto (log_context->socket_fd,
+	    (void *)&log_context->version,
+	    sizeof(log_context->version),
+	    0,
+	    (struct sockaddr *)&log_context->socket_name,
+	    sizeof(log_context->socket_name));
+
+    krb5_data_free(&data);
+    return 0;
+}
+
+/*
+ * Add a `create' operation to the log.
+ */
+
+kadm5_ret_t
+kadm5_log_create (kadm5_server_context *context,
+		  hdb_entry *ent)
+{
+    krb5_storage *sp;
+    kadm5_ret_t ret;
+    krb5_data value;
+    kadm5_log_context *log_context = &context->log_context;
+
+    sp = krb5_storage_emem();
+    ret = hdb_entry2value (context->context, ent, &value);
+    if (ret) {
+	krb5_storage_free(sp);
+	return ret;
+    }
+    ret = kadm5_log_preamble (context, sp, kadm_create);
+    if (ret) {
+	krb5_data_free (&value);
+	krb5_storage_free(sp);
+	return ret;
+    }
+    krb5_store_int32 (sp, value.length);
+    sp->store(sp, value.data, value.length);
+    krb5_store_int32 (sp, value.length);
+    krb5_data_free (&value);
+    ret = kadm5_log_postamble (log_context, sp);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_flush (log_context, sp);
+    krb5_storage_free (sp);
+    if (ret)
+	return ret;
+    ret = kadm5_log_end (context);
+    return ret;
+}
+
+/*
+ * Read the data of a create log record from `sp' and change the
+ * database.
+ */
+
+kadm5_ret_t
+kadm5_log_replay_create (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    hdb_entry ent;
+
+    krb5_data_alloc (&data, len);
+    sp->fetch (sp, data.data, len);
+    ret = hdb_value2entry (context->context, &data, &ent);
+    krb5_data_free(&data);
+    if (ret)
+	return ret;
+    ret = context->db->store(context->context, context->db, 0, &ent);
+    hdb_free_entry (context->context, &ent);
+    return ret;
+}
+
+/*
+ * Add a `delete' operation to the log.
+ */
+
+kadm5_ret_t
+kadm5_log_delete (kadm5_server_context *context,
+		  krb5_principal princ)
+{
+    krb5_storage *sp;
+    kadm5_ret_t ret;
+    off_t off;
+    off_t len;
+    kadm5_log_context *log_context = &context->log_context;
+
+    sp = krb5_storage_emem();
+    ret = kadm5_log_preamble (context, sp, kadm_delete);
+    if (ret) {
+	krb5_storage_free(sp);
+	return ret;
+    }
+    krb5_store_int32 (sp, 0);
+    off = sp->seek (sp, 0, SEEK_CUR);
+    krb5_store_principal (sp, princ);
+    len = sp->seek (sp, 0, SEEK_CUR) - off;
+    sp->seek(sp, -(len + 4), SEEK_CUR);
+    krb5_store_int32 (sp, len);
+    sp->seek(sp, len, SEEK_CUR);
+    krb5_store_int32 (sp, len);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_postamble (log_context, sp);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_flush (log_context, sp);
+    krb5_storage_free (sp);
+    if (ret)
+	return ret;
+    ret = kadm5_log_end (context);
+    return ret;
+}
+
+/*
+ * Read a `delete' log operation from `sp' and apply it.
+ */
+
+kadm5_ret_t
+kadm5_log_replay_delete (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp)
+{
+    krb5_error_code ret;
+    hdb_entry ent;
+
+    krb5_ret_principal (sp, &ent.principal);
+
+    ret = context->db->remove(context->context, context->db, &ent);
+    krb5_free_principal (context->context, ent.principal);
+    return ret;
+}
+
+/*
+ * Add a `rename' operation to the log.
+ */
+
+kadm5_ret_t
+kadm5_log_rename (kadm5_server_context *context,
+		  krb5_principal source,
+		  hdb_entry *ent)
+{
+    krb5_storage *sp;
+    kadm5_ret_t ret;
+    off_t off;
+    off_t len;
+    krb5_data value;
+    kadm5_log_context *log_context = &context->log_context;
+
+    sp = krb5_storage_emem();
+    ret = hdb_entry2value (context->context, ent, &value);
+    if (ret) {
+	krb5_storage_free(sp);
+	return ret;
+    }
+    ret = kadm5_log_preamble (context, sp, kadm_rename);
+    if (ret) {
+	krb5_storage_free(sp);
+	krb5_data_free (&value);
+	return ret;
+    }
+    krb5_store_int32 (sp, 0);
+    off = sp->seek (sp, 0, SEEK_CUR);
+    krb5_store_principal (sp, source);
+    sp->store(sp, value.data, value.length);
+    krb5_data_free (&value);
+    len = sp->seek (sp, 0, SEEK_CUR) - off;
+
+    sp->seek(sp, -(len + 4), SEEK_CUR);
+    krb5_store_int32 (sp, len);
+    sp->seek(sp, len, SEEK_CUR);
+    krb5_store_int32 (sp, len);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_postamble (log_context, sp);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_flush (log_context, sp);
+    krb5_storage_free (sp);
+    if (ret)
+	return ret;
+    ret = kadm5_log_end (context);
+    return ret;
+}
+
+/*
+ * Read a `rename' log operation from `sp' and apply it.
+ */
+
+kadm5_ret_t
+kadm5_log_replay_rename (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp)
+{
+    krb5_error_code ret;
+    krb5_principal source;
+    hdb_entry source_ent, target_ent;
+    krb5_data value;
+    off_t off;
+    size_t princ_len, data_len;
+
+    off = sp->seek(sp, 0, SEEK_CUR);
+    krb5_ret_principal (sp, &source);
+    princ_len = sp->seek(sp, 0, SEEK_CUR) - off;
+    data_len = len - princ_len;
+    krb5_data_alloc (&value, data_len);
+    sp->fetch (sp, value.data, data_len);
+    ret = hdb_value2entry (context->context, &value, &target_ent);
+    krb5_data_free(&value);
+    if (ret) {
+	krb5_free_principal (context->context, source);
+	return ret;
+    }
+    ret = context->db->store (context->context, context->db, 0, &target_ent);
+    hdb_free_entry (context->context, &target_ent);
+    if (ret) {
+	krb5_free_principal (context->context, source);
+	return ret;
+    }
+    source_ent.principal = source;
+    ret = context->db->remove (context->context, context->db, &source_ent);
+    krb5_free_principal (context->context, source);
+    return ret;
+}
+
+
+/*
+ * Add a `modify' operation to the log.
+ */
+
+kadm5_ret_t
+kadm5_log_modify (kadm5_server_context *context,
+		  hdb_entry *ent,
+		  u_int32_t mask)
+{
+    krb5_storage *sp;
+    kadm5_ret_t ret;
+    krb5_data value;
+    u_int32_t len;
+    kadm5_log_context *log_context = &context->log_context;
+
+    sp = krb5_storage_emem();
+    ret = hdb_entry2value (context->context, ent, &value);
+    if (ret) {
+	krb5_storage_free(sp);
+	return ret;
+    }
+    ret = kadm5_log_preamble (context, sp, kadm_modify);
+    if (ret) {
+	krb5_data_free (&value);
+	krb5_storage_free(sp);
+	return ret;
+    }
+    len = value.length + 4;
+    krb5_store_int32 (sp, len);
+    krb5_store_int32 (sp, mask);
+    sp->store(sp, value.data, value.length);
+    krb5_data_free (&value);
+    krb5_store_int32 (sp, len);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_postamble (log_context, sp);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_flush (log_context, sp);
+    krb5_storage_free (sp);
+    if (ret)
+	return ret;
+    ret = kadm5_log_end (context);
+    return ret;
+}
+
+/*
+ * Read a `modify' log operation from `sp' and apply it.
+ */
+
+kadm5_ret_t
+kadm5_log_replay_modify (kadm5_server_context *context,
+			 u_int32_t ver,
+			 u_int32_t len,
+			 krb5_storage *sp)
+{
+    krb5_error_code ret;
+    int32_t mask;
+    krb5_data value;
+    hdb_entry ent, log_ent;
+
+    krb5_ret_int32 (sp, &mask);
+    len -= 4;
+    krb5_data_alloc (&value, len);
+    sp->fetch (sp, value.data, len);
+    ret = hdb_value2entry (context->context, &value, &log_ent);
+    krb5_data_free(&value);
+    if (ret)
+	return ret;
+    ent.principal = log_ent.principal;
+    log_ent.principal = NULL;
+    ret = context->db->fetch(context->context, context->db, 
+			     HDB_F_DECRYPT, &ent);
+    if (ret)
+	return ret;
+    if (mask & KADM5_PRINC_EXPIRE_TIME) {
+	if (log_ent.valid_end == NULL) {
+	    ent.valid_end = NULL;
+	} else {
+	    if (ent.valid_end == NULL)
+		ent.valid_end = malloc(sizeof(*ent.valid_end));
+	    *ent.valid_end = *log_ent.valid_end;
+	}
+    }
+    if (mask & KADM5_PW_EXPIRATION) {
+	if (log_ent.pw_end == NULL) {
+	    ent.pw_end = NULL;
+	} else {
+	    if (ent.pw_end == NULL)
+		ent.pw_end = malloc(sizeof(*ent.pw_end));
+	    *ent.pw_end = *log_ent.pw_end;
+	}
+    }
+    if (mask & KADM5_LAST_PWD_CHANGE) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_ATTRIBUTES) {
+	ent.flags = log_ent.flags;
+    }
+    if (mask & KADM5_MAX_LIFE) {
+	if (log_ent.max_life == NULL) {
+	    ent.max_life = NULL;
+	} else {
+	    if (ent.max_life == NULL)
+		ent.max_life = malloc (sizeof(*ent.max_life));
+	    *ent.max_life = *log_ent.max_life;
+	}
+    }
+    if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) {
+	if (ent.modified_by == NULL) {
+	    ent.modified_by = malloc(sizeof(*ent.modified_by));
+	} else
+	    free_Event(ent.modified_by);
+	copy_Event(log_ent.modified_by, ent.modified_by);
+    }
+    if (mask & KADM5_KVNO) {
+	ent.kvno = log_ent.kvno;
+    }
+    if (mask & KADM5_MKVNO) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_AUX_ATTRIBUTES) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_POLICY) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_POLICY_CLR) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_MAX_RLIFE) {
+	if (log_ent.max_renew == NULL) {
+	    ent.max_renew = NULL;
+	} else {
+	    if (ent.max_renew == NULL)
+		ent.max_renew = malloc (sizeof(*ent.max_renew));
+	    *ent.max_renew = *log_ent.max_renew;
+	}
+    }
+    if (mask & KADM5_LAST_SUCCESS) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_LAST_FAILED) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_FAIL_AUTH_COUNT) {
+	abort ();		/* XXX */
+    }
+    if (mask & KADM5_KEY_DATA) {
+	size_t len;
+	int i;
+
+	for (i = 0; i < ent.keys.len; ++i)
+	    free_Key(&ent.keys.val[i]);
+	free (ent.keys.val);
+
+	len = log_ent.keys.len;
+
+	ent.keys.len = len;
+	ent.keys.val = malloc(len * sizeof(*ent.keys.val));
+	for (i = 0; i < ent.keys.len; ++i)
+	    copy_Key(&log_ent.keys.val[i],
+		     &ent.keys.val[i]);
+    }
+    ret = context->db->store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
+    hdb_free_entry (context->context, &ent);
+    hdb_free_entry (context->context, &log_ent);
+    return ret;
+}
+
+/*
+ * Add a `nop' operation to the log.
+ */
+
+kadm5_ret_t
+kadm5_log_nop (kadm5_server_context *context)
+{
+    krb5_storage *sp;
+    kadm5_ret_t ret;
+    kadm5_log_context *log_context = &context->log_context;
+
+    sp = krb5_storage_emem();
+    ret = kadm5_log_preamble (context, sp, kadm_nop);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    krb5_store_int32 (sp, 0);
+    krb5_store_int32 (sp, 0);
+    ret = kadm5_log_postamble (log_context, sp);
+    if (ret) {
+	krb5_storage_free (sp);
+	return ret;
+    }
+    ret = kadm5_log_flush (log_context, sp);
+    krb5_storage_free (sp);
+    if (ret)
+	return ret;
+    ret = kadm5_log_end (context);
+    return ret;
+}
+
+/*
+ * Read a `nop' log operation from `sp' and apply it.
+ */
+
+kadm5_ret_t
+kadm5_log_replay_nop (kadm5_server_context *context,
+		      u_int32_t ver,
+		      u_int32_t len,
+		      krb5_storage *sp)
+{
+    return 0;
+}
+
+/*
+ * Call `func' for each log record in the log in `context'
+ */
+
+kadm5_ret_t
+kadm5_log_foreach (kadm5_server_context *context,
+		   void (*func)(kadm5_server_context *server_context,
+				u_int32_t ver,
+				time_t timestamp,
+				enum kadm_ops op,
+				u_int32_t len,
+				krb5_storage *sp))
+{
+    int fd = context->log_context.log_fd;
+    krb5_storage *sp;
+
+    lseek (fd, 0, SEEK_SET);
+    sp = krb5_storage_from_fd (fd);
+    for (;;) {
+	int32_t ver, timestamp, op, len;
+
+	if(krb5_ret_int32 (sp, &ver) != 0)
+	    break;
+	krb5_ret_int32 (sp, &timestamp);
+	krb5_ret_int32 (sp, &op);
+	krb5_ret_int32 (sp, &len);
+	(*func)(context, ver, timestamp, op, len, sp);
+	sp->seek(sp, 8, SEEK_CUR);
+    }
+    return 0;
+}
+
+/*
+ * Go to end of log.
+ */
+
+krb5_storage *
+kadm5_log_goto_end (int fd)
+{
+    krb5_storage *sp;
+
+    sp = krb5_storage_from_fd (fd);
+    sp->seek(sp, 0, SEEK_END);
+    return sp;
+}
+
+/*
+ * Return previous log entry.
+ */
+
+kadm5_ret_t
+kadm5_log_previous (krb5_storage *sp,
+		    u_int32_t *ver,
+		    time_t *timestamp,
+		    enum kadm_ops *op,
+		    u_int32_t *len)
+{
+    off_t off;
+    int32_t tmp;
+
+    sp->seek(sp, -8, SEEK_CUR);
+    krb5_ret_int32 (sp, &tmp);
+    *len = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    *ver = tmp;
+    off = 24 + *len;
+    sp->seek(sp, -off, SEEK_CUR);
+    krb5_ret_int32 (sp, &tmp);
+    assert(tmp == *ver);
+    krb5_ret_int32 (sp, &tmp);
+    *timestamp = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    *op = tmp;
+    krb5_ret_int32 (sp, &tmp);
+    assert(tmp == *len);
+    return 0;
+}
+
+/*
+ * Replay a record from the log
+ */
+
+kadm5_ret_t
+kadm5_log_replay (kadm5_server_context *context,
+		  enum kadm_ops op,
+		  u_int32_t ver,
+		  u_int32_t len,
+		  krb5_storage *sp)
+{
+    switch (op) {
+    case kadm_create :
+	return kadm5_log_replay_create (context, ver, len, sp);
+    case kadm_delete :
+	return kadm5_log_replay_delete (context, ver, len, sp);
+    case kadm_rename :
+	return kadm5_log_replay_rename (context, ver, len, sp);
+    case kadm_modify :
+	return kadm5_log_replay_modify (context, ver, len, sp);
+    case kadm_nop :
+	return kadm5_log_replay_nop (context, ver, len, sp);
+    default :
+	return KADM5_FAILURE;
+    }
+}
+
+/*
+ * truncate the log - i.e. create an empty file with just (nop vno + 2)
+ */
+
+kadm5_ret_t
+kadm5_log_truncate (kadm5_server_context *server_context)
+{
+    kadm5_ret_t ret;
+    u_int32_t vno;
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	return ret;
+
+    ret = kadm5_log_get_version (server_context, &vno);
+    if (ret)
+	return ret;
+
+    ret = kadm5_log_reinit (server_context);
+    if (ret)
+	return ret;
+
+    ret = kadm5_log_set_version (server_context, vno + 1);
+    if (ret)
+	return ret;
+
+    ret = kadm5_log_nop (server_context);
+    if (ret)
+	return ret;
+
+    ret = kadm5_log_end (server_context);
+    if (ret)
+	return ret;
+    return 0;
+
+}
diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c
new file mode 100644
index 0000000..9828837
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -0,0 +1,330 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: marshall.c,v 1.6 1999/12/02 17:05:06 joda Exp $");
+
+kadm5_ret_t
+kadm5_store_key_data(krb5_storage *sp,
+		     krb5_key_data *key)
+{
+    krb5_data c;
+    krb5_store_int32(sp, key->key_data_ver);
+    krb5_store_int32(sp, key->key_data_kvno);
+    krb5_store_int32(sp, key->key_data_type[0]);
+    c.length = key->key_data_length[0];
+    c.data = key->key_data_contents[0];
+    krb5_store_data(sp, c);
+    krb5_store_int32(sp, key->key_data_type[1]);
+    c.length = key->key_data_length[1];
+    c.data = key->key_data_contents[1];
+    krb5_store_data(sp, c);
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_ret_key_data(krb5_storage *sp,
+		   krb5_key_data *key)
+{
+    krb5_data c;
+    int32_t tmp;
+    krb5_ret_int32(sp, &tmp);
+    key->key_data_ver = tmp;
+    krb5_ret_int32(sp, &tmp);
+    key->key_data_kvno = tmp;
+    krb5_ret_int32(sp, &tmp);
+    key->key_data_type[0] = tmp;
+    krb5_ret_data(sp, &c);
+    key->key_data_length[0] = c.length;
+    key->key_data_contents[0] = c.data;
+    krb5_ret_int32(sp, &tmp);
+    key->key_data_type[1] = tmp;
+    krb5_ret_data(sp, &c);
+    key->key_data_length[1] = c.length;
+    key->key_data_contents[1] = c.data;
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_store_tl_data(krb5_storage *sp,
+		    krb5_tl_data *tl)
+{
+    krb5_data c;
+    krb5_store_int32(sp, tl->tl_data_type);
+    c.length = tl->tl_data_length;
+    c.data = tl->tl_data_contents;
+    krb5_store_data(sp, c);
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_ret_tl_data(krb5_storage *sp,
+		  krb5_tl_data *tl)
+{
+    krb5_data c;
+    int32_t tmp;
+    krb5_ret_int32(sp, &tmp);
+    tl->tl_data_type = tmp;
+    krb5_ret_data(sp, &c);
+    tl->tl_data_length = c.length;
+    tl->tl_data_contents = c.data;
+    return 0;
+}
+
+static kadm5_ret_t
+store_principal_ent(krb5_storage *sp,
+		    kadm5_principal_ent_t princ,
+		    u_int32_t mask)
+{
+    int i;
+
+    if (mask & KADM5_PRINCIPAL)
+	krb5_store_principal(sp, princ->principal);
+    if (mask & KADM5_PRINC_EXPIRE_TIME)
+	krb5_store_int32(sp, princ->princ_expire_time);
+    if (mask & KADM5_PW_EXPIRATION)
+	krb5_store_int32(sp, princ->pw_expiration);
+    if (mask & KADM5_LAST_PWD_CHANGE)
+	krb5_store_int32(sp, princ->last_pwd_change);
+    if (mask & KADM5_MAX_LIFE)
+	krb5_store_int32(sp, princ->max_life);
+    if (mask & KADM5_MOD_NAME) {
+	krb5_store_int32(sp, princ->mod_name != NULL);
+	if(princ->mod_name)
+	    krb5_store_principal(sp, princ->mod_name);
+    }
+    if (mask & KADM5_MOD_TIME)
+	krb5_store_int32(sp, princ->mod_date);
+    if (mask & KADM5_ATTRIBUTES)
+	krb5_store_int32(sp, princ->attributes);
+    if (mask & KADM5_KVNO)
+	krb5_store_int32(sp, princ->kvno);
+    if (mask & KADM5_MKVNO)
+	krb5_store_int32(sp, princ->mkvno);
+    if (mask & KADM5_POLICY) {
+	krb5_store_int32(sp, princ->policy != NULL);
+	if(princ->policy)
+	    krb5_store_string(sp, princ->policy);
+    }
+    if (mask & KADM5_AUX_ATTRIBUTES)
+	krb5_store_int32(sp, princ->aux_attributes);
+    if (mask & KADM5_MAX_RLIFE)
+	krb5_store_int32(sp, princ->max_renewable_life);
+    if (mask & KADM5_LAST_SUCCESS)
+	krb5_store_int32(sp, princ->last_success);
+    if (mask & KADM5_LAST_FAILED)
+	krb5_store_int32(sp, princ->last_failed);
+    if (mask & KADM5_FAIL_AUTH_COUNT)
+	krb5_store_int32(sp, princ->fail_auth_count);
+    if (mask & KADM5_KEY_DATA) {
+	krb5_store_int32(sp, princ->n_key_data);
+	for(i = 0; i < princ->n_key_data; i++)
+	    kadm5_store_key_data(sp, &princ->key_data[i]);
+    }
+    if (mask & KADM5_TL_DATA) {
+	krb5_tl_data *tp;
+
+	krb5_store_int32(sp, princ->n_tl_data);
+	for(tp = princ->tl_data; tp; tp = tp->tl_data_next)
+	    kadm5_store_tl_data(sp, tp);
+    }
+    return 0;
+}
+
+
+kadm5_ret_t
+kadm5_store_principal_ent(krb5_storage *sp,
+			  kadm5_principal_ent_t princ)
+{
+    return store_principal_ent (sp, princ, ~0);
+}
+
+kadm5_ret_t
+kadm5_store_principal_ent_mask(krb5_storage *sp,
+			       kadm5_principal_ent_t princ,
+			       u_int32_t mask)
+{
+    krb5_store_int32(sp, mask);
+    return store_principal_ent (sp, princ, mask);
+}
+
+static kadm5_ret_t
+ret_principal_ent(krb5_storage *sp,
+		  kadm5_principal_ent_t princ,
+		  u_int32_t mask)
+{
+    int i;
+    int32_t tmp;
+
+    if (mask & KADM5_PRINCIPAL)
+	krb5_ret_principal(sp, &princ->principal);
+    
+    if (mask & KADM5_PRINC_EXPIRE_TIME) {
+	krb5_ret_int32(sp, &tmp);
+	princ->princ_expire_time = tmp;
+    }
+    if (mask & KADM5_PW_EXPIRATION) {
+	krb5_ret_int32(sp, &tmp);
+	princ->pw_expiration = tmp;
+    }
+    if (mask & KADM5_LAST_PWD_CHANGE) {
+	krb5_ret_int32(sp, &tmp);
+	princ->last_pwd_change = tmp;
+    }
+    if (mask & KADM5_MAX_LIFE) {
+	krb5_ret_int32(sp, &tmp);
+	princ->max_life = tmp;
+    }
+    if (mask & KADM5_MOD_NAME) {
+	krb5_ret_int32(sp, &tmp);
+	if(tmp)
+	    krb5_ret_principal(sp, &princ->mod_name);
+	else
+	    princ->mod_name = NULL;
+    }
+    if (mask & KADM5_MOD_TIME) {
+	krb5_ret_int32(sp, &tmp);
+	princ->mod_date = tmp;
+    }
+    if (mask & KADM5_ATTRIBUTES) {
+	krb5_ret_int32(sp, &tmp);
+	princ->attributes = tmp;
+    }
+    if (mask & KADM5_KVNO) {
+	krb5_ret_int32(sp, &tmp);
+	princ->kvno = tmp;
+    }
+    if (mask & KADM5_MKVNO) {
+	krb5_ret_int32(sp, &tmp);
+	princ->mkvno = tmp;
+    }
+    if (mask & KADM5_POLICY) {
+	krb5_ret_int32(sp, &tmp);
+	if(tmp)
+	    krb5_ret_string(sp, &princ->policy);
+	else
+	    princ->policy = NULL;
+    }
+    if (mask & KADM5_AUX_ATTRIBUTES) {
+	krb5_ret_int32(sp, &tmp);
+	princ->aux_attributes = tmp;
+    }
+    if (mask & KADM5_MAX_RLIFE) {
+	krb5_ret_int32(sp, &tmp);
+	princ->max_renewable_life = tmp;
+    }
+    if (mask & KADM5_LAST_SUCCESS) {
+	krb5_ret_int32(sp, &tmp);
+	princ->last_success = tmp;
+    }
+    if (mask & KADM5_LAST_FAILED) {
+	krb5_ret_int32(sp, &tmp);
+	princ->last_failed = tmp;
+    }
+    if (mask & KADM5_FAIL_AUTH_COUNT) {
+	krb5_ret_int32(sp, &tmp);
+	princ->fail_auth_count = tmp;
+    }
+    if (mask & KADM5_KEY_DATA) {
+	krb5_ret_int32(sp, &tmp);
+	princ->n_key_data = tmp;
+	princ->key_data = malloc(princ->n_key_data * sizeof(*princ->key_data));
+	for(i = 0; i < princ->n_key_data; i++)
+	    kadm5_ret_key_data(sp, &princ->key_data[i]);
+    }
+    if (mask & KADM5_TL_DATA) {
+	krb5_ret_int32(sp, &tmp);
+	princ->n_tl_data = tmp;
+	princ->tl_data = NULL;
+	for(i = 0; i < princ->n_tl_data; i++){
+	    krb5_tl_data *tp = malloc(sizeof(*tp));
+	    kadm5_ret_tl_data(sp, tp);
+	    tp->tl_data_next = princ->tl_data;
+	    princ->tl_data = tp;
+	}
+    }
+    return 0;
+}
+
+kadm5_ret_t
+kadm5_ret_principal_ent(krb5_storage *sp,
+			kadm5_principal_ent_t princ)
+{
+    return ret_principal_ent (sp, princ, ~0);
+}
+
+kadm5_ret_t
+kadm5_ret_principal_ent_mask(krb5_storage *sp,
+			     kadm5_principal_ent_t princ,
+			     u_int32_t *mask)
+{
+    int32_t tmp;
+
+    krb5_ret_int32 (sp, &tmp);
+    *mask = tmp;
+    return ret_principal_ent (sp, princ, *mask);
+}
+
+kadm5_ret_t
+_kadm5_marshal_params(krb5_context context, 
+		      kadm5_config_params *params, 
+		      krb5_data *out)
+{
+    krb5_storage *sp = krb5_storage_emem();
+    
+    krb5_store_int32(sp, params->mask & (KADM5_CONFIG_REALM));
+	
+    if(params->mask & KADM5_CONFIG_REALM)
+	krb5_store_string(sp, params->realm);
+    krb5_storage_to_data(sp, out);
+    krb5_storage_free(sp);
+
+    return 0;
+}
+
+kadm5_ret_t
+_kadm5_unmarshal_params(krb5_context context,
+			krb5_data *in,
+			kadm5_config_params *params)
+{
+    krb5_storage *sp = krb5_storage_from_data(in);
+    
+    krb5_ret_int32(sp, &params->mask);
+	
+    if(params->mask & KADM5_CONFIG_REALM)
+	krb5_ret_string(sp, &params->realm);
+    krb5_storage_free(sp);
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/modify_c.c b/crypto/heimdal/lib/kadm5/modify_c.c
new file mode 100644
index 0000000..8d8ca56
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/modify_c.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: modify_c.c,v 1.4 2000/07/11 15:59:46 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_modify_principal(void *server_handle,
+			 kadm5_principal_ent_t princ, 
+			 u_int32_t mask)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_modify);
+    kadm5_store_principal_ent(sp, princ);
+    krb5_store_int32(sp, mask);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if(ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return tmp;
+}
+
diff --git a/crypto/heimdal/lib/kadm5/modify_s.c b/crypto/heimdal/lib/kadm5/modify_s.c
new file mode 100644
index 0000000..8c595a9
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/modify_s.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: modify_s.c,v 1.12 2001/01/30 01:24:28 assar Exp $");
+
+static kadm5_ret_t
+modify_principal(void *server_handle,
+		 kadm5_principal_ent_t princ, 
+		 u_int32_t mask,
+		 u_int32_t forbidden_mask)
+{
+    kadm5_server_context *context = server_handle;
+    hdb_entry ent;
+    kadm5_ret_t ret;
+    if((mask & forbidden_mask))
+	return KADM5_BAD_MASK;
+    if((mask & KADM5_POLICY) && strcmp(princ->policy, "default"))
+	return KADM5_UNK_POLICY;
+    
+    ent.principal = princ->principal;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    if(ret)
+	goto out;
+    ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0);
+    if(ret)
+	goto out2;
+    ret = _kadm5_set_modifier(context, &ent);
+    if(ret)
+	goto out2;
+
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out2;
+
+    kadm5_log_modify (context,
+		      &ent,
+		      mask | KADM5_MOD_NAME | KADM5_MOD_TIME);
+		      
+    ret = context->db->store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
+out2:
+    hdb_free_entry(context->context, &ent);
+out:
+    context->db->close(context->context, context->db);
+    return _kadm5_error_code(ret);
+}
+
+
+kadm5_ret_t
+kadm5_s_modify_principal(void *server_handle,
+			 kadm5_principal_ent_t princ, 
+			 u_int32_t mask)
+{
+    return modify_principal(server_handle, princ, mask, 
+			    KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME 
+			    | KADM5_MOD_NAME | KADM5_MKVNO 
+			    | KADM5_AUX_ATTRIBUTES | KADM5_LAST_SUCCESS
+			    | KADM5_LAST_FAILED);
+}
diff --git a/crypto/heimdal/lib/kadm5/password_quality.c b/crypto/heimdal/lib/kadm5/password_quality.c
new file mode 100644
index 0000000..bc1463f
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/password_quality.c
@@ -0,0 +1,145 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: password_quality.c,v 1.4 2000/07/05 13:14:45 joda Exp $");
+
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+static const char *
+simple_passwd_quality (krb5_context context,
+		       krb5_principal principal,
+		       krb5_data *pwd)
+{
+    if (pwd->length < 6)
+	return "Password too short";
+    else
+	return NULL;
+}
+
+typedef const char* (*passwd_quality_check_func)(krb5_context, 
+						 krb5_principal, 
+						 krb5_data*);
+
+static passwd_quality_check_func passwd_quality_check = simple_passwd_quality;
+
+#ifdef HAVE_DLOPEN
+
+#define PASSWD_VERSION 0
+
+#endif
+
+/*
+ * setup the password quality hook
+ */
+
+void
+kadm5_setup_passwd_quality_check(krb5_context context,
+				 const char *check_library,
+				 const char *check_function)
+{
+#ifdef HAVE_DLOPEN
+    void *handle;
+    void *sym;
+    int *version;
+    int flags;
+    const char *tmp;
+
+#ifdef RTLD_NOW
+    flags = RTLD_NOW;
+#else
+    flags = 0;
+#endif
+
+    if(check_library == NULL) {
+	tmp = krb5_config_get_string(context, NULL, 
+				     "password_quality", 
+				     "check_library", 
+				     NULL);
+	if(tmp != NULL)
+	    check_library = tmp;
+    }
+    if(check_function == NULL) {
+	tmp = krb5_config_get_string(context, NULL, 
+				     "password_quality", 
+				     "check_function", 
+				     NULL);
+	if(tmp != NULL)
+	    check_function = tmp;
+    }
+    if(check_library != NULL && check_function == NULL)
+	check_function = "passwd_check";
+
+    if(check_library == NULL)
+	return;
+    handle = dlopen(check_library, flags);
+    if(handle == NULL) {
+	krb5_warnx(context, "failed to open `%s'", check_library);
+	return;
+    }
+    version = dlsym(handle, "version");
+    if(version == NULL) {
+	krb5_warnx(context,
+		   "didn't find `version' symbol in `%s'", check_library);
+	dlclose(handle);
+	return;
+    }
+    if(*version != PASSWD_VERSION) {
+	krb5_warnx(context,
+		   "version of loaded library is %d (expected %d)",
+		   *version, PASSWD_VERSION);
+	dlclose(handle);
+	return;
+    }
+    sym = dlsym(handle, check_function);
+    if(sym == NULL) {
+	krb5_warnx(context, 
+		   "didn't find `%s' symbol in `%s'", 
+		   check_function, check_library);
+	dlclose(handle);
+	return;
+    }
+    passwd_quality_check = (passwd_quality_check_func) sym;
+#endif /* HAVE_DLOPEN */
+}
+
+const char *
+kadm5_check_password_quality (krb5_context context,
+			      krb5_principal principal,
+			      krb5_data *pwd_data)
+{
+    return (*passwd_quality_check) (context, principal, pwd_data);
+}
diff --git a/crypto/heimdal/lib/kadm5/private.h b/crypto/heimdal/lib/kadm5/private.h
new file mode 100644
index 0000000..bcdf363
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/private.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: private.h,v 1.14 2000/07/11 15:58:57 joda Exp $ */
+
+#ifndef __kadm5_private_h__
+#define __kadm5_private_h__
+
+struct kadm_func {
+    kadm5_ret_t (*chpass_principal) (void *, krb5_principal, char*);
+    kadm5_ret_t (*create_principal) (void*, kadm5_principal_ent_t, 
+				     u_int32_t, char*);
+    kadm5_ret_t (*delete_principal) (void*, krb5_principal);
+    kadm5_ret_t (*destroy) (void*);
+    kadm5_ret_t (*flush) (void*);
+    kadm5_ret_t (*get_principal) (void*, krb5_principal, 
+				  kadm5_principal_ent_t, u_int32_t);
+    kadm5_ret_t (*get_principals) (void*, const char*, char***, int*);
+    kadm5_ret_t (*get_privs) (void*, u_int32_t*);
+    kadm5_ret_t (*modify_principal) (void*, kadm5_principal_ent_t, u_int32_t);
+    kadm5_ret_t (*randkey_principal) (void*, krb5_principal, 
+				      krb5_keyblock**, int*);
+    kadm5_ret_t (*rename_principal) (void*, krb5_principal, krb5_principal);
+    kadm5_ret_t (*chpass_principal_with_key) (void *, krb5_principal,
+					      int, krb5_key_data *);
+};
+
+/* XXX should be integrated */
+typedef struct kadm5_common_context {
+    krb5_context context;
+    krb5_boolean my_context;
+    struct kadm_func funcs;
+    void *data;
+}kadm5_common_context;
+
+typedef struct kadm5_log_peer {
+    int fd;
+    char *name;
+    krb5_auth_context ac;
+    struct kadm5_log_peer *next;
+} kadm5_log_peer;
+
+typedef struct kadm5_log_context {
+    char *log_file;
+    int log_fd;
+    u_int32_t version;
+    struct sockaddr_un socket_name;
+    int socket_fd;
+} kadm5_log_context;
+
+typedef struct kadm5_server_context {
+    krb5_context context;
+    krb5_boolean my_context;
+    struct kadm_func funcs;
+    /* */
+    kadm5_config_params config;
+    HDB *db;
+    krb5_principal caller;
+    unsigned acl_flags;
+    kadm5_log_context log_context;
+} kadm5_server_context;
+
+typedef struct kadm5_client_context {
+    krb5_context context;
+    krb5_boolean my_context;
+    struct kadm_func funcs;
+    /* */
+    krb5_auth_context ac;
+    char *realm;
+    char *admin_server;
+    int kadmind_port;
+    int sock;
+    char *client_name;
+    char *service_name;
+    krb5_prompter_fct prompter;
+    const char *keytab;
+    krb5_ccache ccache;
+    kadm5_config_params *realm_params;
+}kadm5_client_context;
+
+enum kadm_ops {
+    kadm_get,
+    kadm_delete,
+    kadm_create,
+    kadm_rename,
+    kadm_chpass,
+    kadm_modify,
+    kadm_randkey,
+    kadm_get_privs,
+    kadm_get_princs,
+    kadm_chpass_with_key,
+    kadm_nop
+};
+
+#define KADMIN_APPL_VERSION "KADM0.1"
+#define KADMIN_OLD_APPL_VERSION "KADM0.0"
+
+#define KADM5_LOG_SIGNAL HDB_DB_DIR "/signal"
+
+#include "kadm5-private.h"
+
+#endif /* __kadm5_private_h__ */
diff --git a/crypto/heimdal/lib/kadm5/privs_c.c b/crypto/heimdal/lib/kadm5/privs_c.c
new file mode 100644
index 0000000..83d293c
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/privs_c.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: privs_c.c,v 1.4 2000/07/11 15:59:54 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_get_privs(void *server_handle, u_int32_t *privs)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_get_privs);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if(ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if (ret)
+	return ret;
+    sp = krb5_storage_from_data(&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0){
+	krb5_ret_int32(sp, &tmp);
+	*privs = tmp;
+    }
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/privs_s.c b/crypto/heimdal/lib/kadm5/privs_s.c
new file mode 100644
index 0000000..85cd5d5
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/privs_s.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: privs_s.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t
+kadm5_s_get_privs(void *server_handle, u_int32_t *privs)
+{
+    kadm5_server_context *context = server_handle;
+    *privs = context->acl_flags;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/randkey_c.c b/crypto/heimdal/lib/kadm5/randkey_c.c
new file mode 100644
index 0000000..eedf697
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/randkey_c.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: randkey_c.c,v 1.4 2000/07/11 16:00:02 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_randkey_principal(void *server_handle, 
+			  krb5_principal princ,
+			  krb5_keyblock **new_keys, 
+			  int *n_keys)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_randkey);
+    krb5_store_principal(sp, princ);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if (ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data(&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0){
+	krb5_keyblock *k;
+	int i;
+
+	krb5_ret_int32(sp, &tmp);
+	k = malloc(tmp * sizeof(*k));
+	if (k == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	for(i = 0; i < tmp; i++)
+	    krb5_ret_keyblock(sp, &k[i]);
+	*n_keys = tmp;
+	*new_keys = k;
+    }
+out:
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/randkey_s.c b/crypto/heimdal/lib/kadm5/randkey_s.c
new file mode 100644
index 0000000..9780b11
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/randkey_s.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: randkey_s.c,v 1.13 2001/01/30 01:24:28 assar Exp $");
+
+/*
+ * Set the keys of `princ' to random values, returning the random keys
+ * in `new_keys', `n_keys'.
+ */
+
+kadm5_ret_t
+kadm5_s_randkey_principal(void *server_handle, 
+			  krb5_principal princ,
+			  krb5_keyblock **new_keys, 
+			  int *n_keys)
+{
+    kadm5_server_context *context = server_handle;
+    hdb_entry ent;
+    kadm5_ret_t ret;
+
+    ent.principal = princ;
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    if(ret)
+	goto out;
+
+    ret = _kadm5_set_keys_randomly (context,
+				    &ent,
+				    new_keys,
+				    n_keys);
+    if (ret)
+	goto out2;
+
+    ret = _kadm5_set_modifier(context, &ent);
+    if(ret)
+	goto out3;
+    ret = _kadm5_bump_pw_expire(context, &ent);
+    if (ret)
+	goto out2;
+
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret)
+	goto out2;
+
+    kadm5_log_modify (context,
+		      &ent,
+		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
+		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION);
+
+    ret = context->db->store(context->context, context->db, 
+			     HDB_F_REPLACE, &ent);
+out3:
+    if (ret) {
+	int i;
+
+	for (i = 0; i < *n_keys; ++i)
+	    krb5_free_keyblock_contents (context->context, &(*new_keys)[i]);
+	free (*new_keys);
+	*new_keys = NULL;
+	*n_keys = 0;
+    }
+out2:
+    hdb_free_entry(context->context, &ent);
+out:
+    context->db->close(context->context, context->db);
+    return _kadm5_error_code(ret);
+}
diff --git a/crypto/heimdal/lib/kadm5/rename_c.c b/crypto/heimdal/lib/kadm5/rename_c.c
new file mode 100644
index 0000000..95ccf25
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/rename_c.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: rename_c.c,v 1.4 2000/07/11 16:00:08 joda Exp $");
+
+kadm5_ret_t
+kadm5_c_rename_principal(void *server_handle, 
+			 krb5_principal source,
+			 krb5_principal target)
+{
+    kadm5_client_context *context = server_handle;
+    kadm5_ret_t ret;
+    krb5_storage *sp;
+    unsigned char buf[1024];
+    int32_t tmp;
+    krb5_data reply;
+
+    ret = _kadm5_connect(server_handle);
+    if(ret)
+	return ret;
+
+    sp = krb5_storage_from_mem(buf, sizeof(buf));
+    if (sp == NULL)
+	return ENOMEM;
+    krb5_store_int32(sp, kadm_rename);
+    krb5_store_principal(sp, source);
+    krb5_store_principal(sp, target);
+    ret = _kadm5_client_send(context, sp);
+    krb5_storage_free(sp);
+    if (ret)
+	return ret;
+    ret = _kadm5_client_recv(context, &reply);
+    if(ret)
+	return ret;
+    sp = krb5_storage_from_data (&reply);
+    if (sp == NULL) {
+	krb5_data_free (&reply);
+	return ENOMEM;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    krb5_storage_free(sp);
+    krb5_data_free (&reply);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/rename_s.c b/crypto/heimdal/lib/kadm5/rename_s.c
new file mode 100644
index 0000000..a478e0a
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/rename_s.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: rename_s.c,v 1.11 2001/01/30 01:24:29 assar Exp $");
+
+kadm5_ret_t
+kadm5_s_rename_principal(void *server_handle, 
+			 krb5_principal source,
+			 krb5_principal target)
+{
+    kadm5_server_context *context = server_handle;
+    kadm5_ret_t ret;
+    hdb_entry ent, ent2;
+    ent.principal = source;
+    if(krb5_principal_compare(context->context, source, target))
+	return KADM5_DUP; /* XXX is this right? */
+    if(!krb5_realm_compare(context->context, source, target))
+	return KADM5_FAILURE; /* XXX better code */
+    ret = context->db->open(context->context, context->db, O_RDWR, 0);
+    if(ret)
+	return ret;
+    ret = context->db->fetch(context->context, context->db, 0, &ent);
+    if(ret){
+	context->db->close(context->context, context->db);
+	goto out;
+    }
+    ret = _kadm5_set_modifier(context, &ent);
+    if(ret)
+	goto out2;
+    {
+	/* fix salt */
+	int i;
+	Salt salt;
+	krb5_salt salt2;
+	krb5_get_pw_salt(context->context, source, &salt2);
+	salt.type = hdb_pw_salt;
+	salt.salt = salt2.saltvalue;
+	for(i = 0; i < ent.keys.len; i++){
+	    if(ent.keys.val[i].salt == NULL){
+		ent.keys.val[i].salt = malloc(sizeof(*ent.keys.val[i].salt));
+		ret = copy_Salt(&salt, ent.keys.val[i].salt);
+		if(ret)
+		    break;
+	    }
+	}
+	krb5_free_salt(context->context, salt2);
+    }
+    if(ret)
+	goto out2;
+    ent2.principal = ent.principal;
+    ent.principal = target;
+
+    ret = hdb_seal_keys(context->context, context->db, &ent);
+    if (ret) {
+	ent.principal = ent2.principal;
+	goto out2;
+    }
+
+    kadm5_log_rename (context,
+		      source,
+		      &ent);
+
+    ret = context->db->store(context->context, context->db, 0, &ent);
+    if(ret){
+	ent.principal = ent2.principal;
+	goto out2;
+    }
+    ret = context->db->remove(context->context, context->db, &ent2);
+    ent.principal = ent2.principal;
+out2:
+    context->db->close(context->context, context->db);
+    hdb_free_entry(context->context, &ent);
+out:
+    return _kadm5_error_code(ret);
+}
+
diff --git a/crypto/heimdal/lib/kadm5/replay_log.c b/crypto/heimdal/lib/kadm5/replay_log.c
new file mode 100644
index 0000000..8e5c31d
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/replay_log.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 1997, 1998, 1999, 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+
+RCSID("$Id: replay_log.c,v 1.8 2001/02/19 18:10:43 joda Exp $");
+
+int start_version = -1;
+int end_version = -1;
+
+static void
+apply_entry(kadm5_server_context *server_context,
+	    u_int32_t ver,
+	    time_t timestamp,
+	    enum kadm_ops op,
+	    u_int32_t len,
+	    krb5_storage *sp)
+{
+    krb5_error_code ret;
+
+    if((start_version != -1 && ver < start_version) ||
+       (end_version != -1 && ver > end_version)) {
+	/* XXX skip this entry */
+	(*sp->seek)(sp, len, SEEK_CUR);
+	return;
+    }
+    printf ("ver %u... ", ver);
+    fflush (stdout);
+
+    ret = kadm5_log_replay (server_context,
+			    op, ver, len, sp);
+    if (ret)
+	krb5_warn (server_context->context, ret, "kadm5_log_replay");
+
+    
+    printf ("done\n");
+}
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "start-version", 0, arg_integer, &start_version, "start replay with this version" },
+    { "end-version", 0, arg_integer, &end_version, "end replay with this version" },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    void *kadm_handle;
+    kadm5_config_params conf;
+    kadm5_server_context *server_context;
+
+    krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    memset(&conf, 0, sizeof(conf));
+    ret = kadm5_init_with_password_ctx (context,
+					KADM5_ADMIN_SERVICE,
+					NULL,
+					KADM5_ADMIN_SERVICE,
+					&conf, 0, 0, 
+					&kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    server_context = (kadm5_server_context *)kadm_handle;
+
+    ret = server_context->db->open(context,
+				   server_context->db,
+				   O_RDWR | O_CREAT, 0);
+    if (ret)
+	krb5_err (context, 1, ret, "db->open");
+
+    ret = kadm5_log_init (server_context);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_log_init");
+
+    ret = kadm5_log_foreach (server_context, apply_entry);
+    if(ret)
+	krb5_warn(context, ret, "kadm5_log_foreach");
+    ret = kadm5_log_end (server_context);
+    if (ret)
+	krb5_warn(context, ret, "kadm5_log_end");
+    ret = server_context->db->close (context, server_context->db);
+    if (ret)
+	krb5_err (context, 1, ret, "db->close");
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kadm5/sample_passwd_check.c b/crypto/heimdal/lib/kadm5/sample_passwd_check.c
new file mode 100644
index 0000000..4ff5122
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/sample_passwd_check.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+/* $Id: sample_passwd_check.c,v 1.1 1999/09/10 10:11:03 assar Exp $ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <krb5.h>
+
+/* specify the api-version this library conforms to */
+
+int version = 0;
+
+/* just check the length of the password, this is what the default
+   check does, but this lets you specify the minimum length in
+   krb5.conf */
+const char*
+check_length(krb5_context context,
+             krb5_principal prinipal,
+             krb5_data *password)
+{
+    int min_length = krb5_config_get_int_default(context, NULL, 6,
+						 "password_quality",
+						 "min_length",
+						 NULL);
+    if(password->length < min_length)
+	return "Password too short";
+    return NULL;
+}
+
+#ifdef DICTPATH
+
+/* use cracklib to check password quality; this requires a patch for
+   cracklib that can be found at
+   ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch */
+
+const char*
+check_cracklib(krb5_context context,
+	       krb5_principal principal,
+	       krb5_data *password)
+{
+    char *s = malloc(password->length + 1);
+    char *msg;
+    char *strings[2];
+    if(s == NULL)
+	return NULL; /* XXX */
+    strings[0] = principal->name.name_string.val[0]; /* XXX */
+    strings[1] = NULL;
+    memcpy(s, password->data, password->length);
+    s[password->length] = '\0';
+    msg = FascistCheck(s, DICTPATH, strings);
+    memset(s, 0, password->length);
+    free(s);
+    return msg;
+}
+#endif
diff --git a/crypto/heimdal/lib/kadm5/send_recv.c b/crypto/heimdal/lib/kadm5/send_recv.c
new file mode 100644
index 0000000..796cd05
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/send_recv.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: send_recv.c,v 1.8 2000/07/11 16:00:58 joda Exp $");
+
+kadm5_ret_t 
+_kadm5_client_send(kadm5_client_context *context, krb5_storage *sp)
+{
+    krb5_data msg, out;
+    krb5_error_code ret;
+    size_t len;
+    krb5_storage *sock;
+
+    assert(context->sock != -1);
+
+    len = sp->seek(sp, 0, SEEK_CUR);
+    ret = krb5_data_alloc(&msg, len);
+    sp->seek(sp, 0, SEEK_SET);
+    sp->fetch(sp, msg.data, msg.length);
+    
+    ret = krb5_mk_priv(context->context, context->ac, &msg, &out, NULL);
+    krb5_data_free(&msg);
+    if(ret)
+	return ret;
+    
+    sock = krb5_storage_from_fd(context->sock);
+    if(sock == NULL) {
+	krb5_data_free(&out);
+	return ENOMEM;
+    }
+    
+    ret = krb5_store_data(sock, out);
+    krb5_storage_free(sock);
+    krb5_data_free(&out);
+    return ret;
+}
+
+kadm5_ret_t
+_kadm5_client_recv(kadm5_client_context *context, krb5_data *reply)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    krb5_storage *sock;
+
+    sock = krb5_storage_from_fd(context->sock);
+    if(sock == NULL)
+	return ENOMEM;
+    ret = krb5_ret_data(sock, &data);
+    krb5_storage_free(sock);
+    if(ret == KRB5_CC_END)
+	return KADM5_RPC_ERROR;
+    else if(ret)
+	return ret;
+
+    ret = krb5_rd_priv(context->context, context->ac, &data, reply, NULL);
+    krb5_data_free(&data);
+    return ret;
+}
+
diff --git a/crypto/heimdal/lib/kadm5/server_glue.c b/crypto/heimdal/lib/kadm5/server_glue.c
new file mode 100644
index 0000000..21b6077
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/server_glue.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: server_glue.c,v 1.6 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t
+kadm5_init_with_password(const char *client_name,
+			 const char *password,
+			 const char *service_name,
+			 kadm5_config_params *realm_params,
+			 unsigned long struct_version,
+			 unsigned long api_version,
+			 void **server_handle)
+{
+    return kadm5_s_init_with_password(client_name,
+				      password,
+				      service_name,
+				      realm_params,
+				      struct_version,
+				      api_version,
+				      server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_password_ctx(krb5_context context,
+			     const char *client_name,
+			     const char *password,
+			     const char *service_name,
+			     kadm5_config_params *realm_params,
+			     unsigned long struct_version,
+			     unsigned long api_version,
+			     void **server_handle)
+{
+    return kadm5_s_init_with_password_ctx(context,
+					  client_name,
+					  password,
+					  service_name,
+					  realm_params,
+					  struct_version,
+					  api_version,
+					  server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_skey(const char *client_name,
+		     const char *keytab,
+		     const char *service_name,
+		     kadm5_config_params *realm_params,
+		     unsigned long struct_version,
+		     unsigned long api_version,
+		     void **server_handle)
+{
+    return kadm5_s_init_with_skey(client_name,
+				  keytab,
+				  service_name,
+				  realm_params,
+				  struct_version,
+				  api_version,
+				  server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_skey_ctx(krb5_context context,
+			 const char *client_name,
+			 const char *keytab,
+			 const char *service_name,
+			 kadm5_config_params *realm_params,
+			 unsigned long struct_version,
+			 unsigned long api_version,
+			 void **server_handle)
+{
+    return kadm5_s_init_with_skey_ctx(context,
+				      client_name,
+				      keytab,
+				      service_name,
+				      realm_params,
+				      struct_version,
+				      api_version,
+				      server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_creds(const char *client_name,
+		      krb5_ccache ccache,
+		      const char *service_name,
+		      kadm5_config_params *realm_params,
+		      unsigned long struct_version,
+		      unsigned long api_version,
+		      void **server_handle)
+{
+    return kadm5_s_init_with_creds(client_name,
+				   ccache,
+				   service_name,
+				   realm_params,
+				   struct_version,
+				   api_version,
+				   server_handle);
+}
+
+kadm5_ret_t
+kadm5_init_with_creds_ctx(krb5_context context,
+			  const char *client_name,
+			  krb5_ccache ccache,
+			  const char *service_name,
+			  kadm5_config_params *realm_params,
+			  unsigned long struct_version,
+			  unsigned long api_version,
+			  void **server_handle)
+{
+    return kadm5_s_init_with_creds_ctx(context,
+				       client_name,
+				       ccache,
+				       service_name,
+				       realm_params,
+				       struct_version,
+				       api_version,
+				       server_handle);
+}
diff --git a/crypto/heimdal/lib/kadm5/set_keys.c b/crypto/heimdal/lib/kadm5/set_keys.c
new file mode 100644
index 0000000..f3f4e36
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/set_keys.c
@@ -0,0 +1,466 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: set_keys.c,v 1.23 2000/11/15 23:13:30 assar Exp $");
+
+/*
+ * the known and used DES enctypes
+ */
+
+static krb5_enctype des_types[] = { ETYPE_DES_CBC_CRC,
+ 				    ETYPE_DES_CBC_MD4,
+ 				    ETYPE_DES_CBC_MD5 };
+static unsigned n_des_types = sizeof(des_types) / sizeof(des_types[0]);
+
+static krb5_error_code
+make_keys(krb5_context context, krb5_principal principal, const char *password,
+	  Key **keys_ret, size_t *num_keys_ret)
+{
+    krb5_enctype all_etypes[] = { ETYPE_DES3_CBC_SHA1,
+				  ETYPE_DES_CBC_MD5,
+				  ETYPE_DES_CBC_MD4,
+				  ETYPE_DES_CBC_CRC };
+
+
+    krb5_enctype e;
+
+    krb5_error_code ret = 0;
+    char **ktypes, **kp;
+
+    Key *keys = NULL, *tmp;
+    int num_keys = 0;
+    Key key;
+
+    int i;
+    char *v4_ktypes[] = {"des3:pw-salt", "v4", NULL};
+
+    ktypes = krb5_config_get_strings(context, NULL, "kadmin", 
+				     "default_keys", NULL);
+
+    /* for each entry in `default_keys' try to parse it as a sequence
+       of etype:salttype:salt, syntax of this if something like:
+       [(des|des3|etype):](pw|afs3)[:string], if etype is omitted it
+       means everything, and if string is omitted is means the default
+       string (for that principal). Additional special values:
+       v5 == pw-salt, and
+       v4 == pw-salt:
+    */
+
+    if (ktypes == NULL
+	&& krb5_config_get_bool (context, NULL, "kadmin",
+				 "use_v4_salt", NULL))
+	ktypes = v4_ktypes;
+
+    for(kp = ktypes; kp && *kp; kp++) {
+	krb5_enctype *etypes;
+	int num_etypes;
+	krb5_salt salt;
+	krb5_boolean salt_set;
+
+	const char *p;
+	char buf[3][256];
+	int num_buf = 0;
+
+	p = *kp;
+	if(strcmp(p, "v5") == 0)
+	    p = "pw-salt";
+	else if(strcmp(p, "v4") == 0)
+	    p = "des:pw-salt:";
+	
+	/* split p in a list of :-separated strings */
+	for(num_buf = 0; num_buf < 3; num_buf++)
+	    if(strsep_copy(&p, ":", buf[num_buf], sizeof(buf[num_buf])) == -1)
+		break;
+
+	etypes = NULL;
+	num_etypes = 0;
+	memset(&salt, 0, sizeof(salt));
+	salt_set = FALSE;
+
+	for(i = 0; i < num_buf; i++) {
+	    if(etypes == NULL) {
+		/* this might be a etype specifier */
+		/* XXX there should be a string_to_etypes handling
+                   special cases like `des' and `all' */
+		if(strcmp(buf[i], "des") == 0) {
+		    etypes = all_etypes + 1;
+		    num_etypes = 3;
+		    continue;
+		} else if(strcmp(buf[i], "des3") == 0) {
+		    e = ETYPE_DES3_CBC_SHA1;
+		    etypes = &e;
+		    num_etypes = 1;
+		    continue;
+		} else {
+		    ret = krb5_string_to_enctype(context, buf[i], &e);
+		    if(ret == 0) {
+			etypes = &e;
+			num_etypes = 1;
+			continue;
+		    }
+		}
+	    }
+	    if(salt.salttype == 0) {
+		/* interpret string as a salt specifier, if no etype
+                   is set, this sets default values */
+		/* XXX should perhaps use string_to_salttype, but that
+                   interface sucks */
+		if(strcmp(buf[i], "pw-salt") == 0) {
+		    if(etypes == NULL) {
+			etypes = all_etypes;
+			num_etypes = 4;
+		    }
+		    salt.salttype = KRB5_PW_SALT;
+		} else if(strcmp(buf[i], "afs3-salt") == 0) {
+		    if(etypes == NULL) {
+			etypes = all_etypes + 1;
+			num_etypes = 3;
+		    }
+		    salt.salttype = KRB5_AFS3_SALT;
+		}
+	    } else {
+		/* if there is a final string, use it as the string to
+                   salt with, this is mostly useful with null salt for
+                   v4 compat, and a cell name for afs compat */
+		salt.saltvalue.data = buf[i];
+		salt.saltvalue.length = strlen(buf[i]);
+		salt_set = TRUE;
+	    }
+	}
+
+	if(etypes == NULL || salt.salttype == 0) {	    
+	    krb5_warnx(context, "bad value for default_keys `%s'", *kp);
+	    continue;
+	}
+
+	if(!salt_set && salt.salttype == KRB5_PW_SALT)
+	    /* make up default salt */
+	    ret = krb5_get_pw_salt(context, principal, &salt);
+	memset(&key, 0, sizeof(key));
+	for(i = 0; i < num_etypes; i++) {
+	    ret = krb5_string_to_key_salt (context,
+					   etypes[i],
+					   password,
+					   salt,
+					   &key.key);
+
+	    if(ret)
+		goto out;
+
+	    if (salt.salttype != KRB5_PW_SALT || salt_set) {
+		key.salt = malloc (sizeof(*key.salt));
+		if (key.salt == NULL) {
+		    free_Key(&key);
+		    ret = ENOMEM;
+		    goto out;
+		}
+		key.salt->type = salt.salttype;
+		krb5_data_zero (&key.salt->salt);
+
+		/* is the salt has not been set explicitly, it will be
+		   the default salt, so there's no need to explicitly
+		   copy it */
+		if (salt_set) {
+		    ret = krb5_data_copy(&key.salt->salt, 
+					 salt.saltvalue.data, 
+					 salt.saltvalue.length);
+		    if (ret) {
+			free_Key(&key);
+			goto out;
+		    }
+		}
+	    }
+	    tmp = realloc(keys, (num_keys + 1) * sizeof(*keys));
+	    if(tmp == NULL) {
+		free_Key(&key);
+		ret = ENOMEM;
+		goto out;
+	    }
+	    keys = tmp;
+	    keys[num_keys++] = key;
+	}
+    }
+
+    if(num_keys == 0) {
+	/* if we didn't manage to find a single valid key, create a
+           default set */
+	/* XXX only do this is there is no `default_keys'? */
+	krb5_salt v5_salt;
+	tmp = realloc(keys, (num_keys + 4) * sizeof(*keys));
+	if(tmp == NULL) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	keys = tmp;
+	ret = krb5_get_pw_salt(context, principal, &v5_salt);
+	if(ret)
+	    goto out;
+	for(i = 0; i < 4; i++) {
+	    memset(&key, 0, sizeof(key));
+	    ret = krb5_string_to_key_salt(context, all_etypes[i], password, 
+					  v5_salt, &key.key);
+	    if(ret) {
+		krb5_free_salt(context, v5_salt);
+		goto out;
+	    }
+	    keys[num_keys++] = key;
+	}
+	krb5_free_salt(context, v5_salt);
+    }
+
+  out:
+    if(ret == 0) {
+	*keys_ret = keys;
+	*num_keys_ret = num_keys;
+    } else {
+	for(i = 0; i < num_keys; i++) {
+	    free_Key(&keys[i]);
+	}
+	free(keys);
+    }
+    return ret;
+}
+
+/*
+ * Set the keys of `ent' to the string-to-key of `password'
+ */
+
+kadm5_ret_t
+_kadm5_set_keys(kadm5_server_context *context,
+		hdb_entry *ent, 
+		const char *password)
+{
+    kadm5_ret_t ret;
+    Key *keys;
+    size_t num_keys;
+
+    ret = make_keys(context->context, ent->principal, password, 
+		    &keys, &num_keys);
+
+    if(ret)
+	return ret;
+    
+    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
+    ent->keys.val = keys;
+    ent->keys.len = num_keys;
+    ent->kvno++;
+    return 0;
+}
+
+/*
+ * Set the keys of `ent' to (`n_key_data', `key_data')
+ */
+
+kadm5_ret_t
+_kadm5_set_keys2(kadm5_server_context *context,
+		 hdb_entry *ent, 
+		 int16_t n_key_data, 
+		 krb5_key_data *key_data)
+{
+    krb5_error_code ret;
+    int i;
+    unsigned len;
+    Key *keys;
+
+    len  = n_key_data;
+    keys = malloc (len * sizeof(*keys));
+    if (keys == NULL)
+	return ENOMEM;
+
+    _kadm5_init_keys (keys, len);
+
+    for(i = 0; i < n_key_data; i++) {
+	keys[i].mkvno = NULL;
+	keys[i].key.keytype = key_data[i].key_data_type[0];
+	ret = krb5_data_copy(&keys[i].key.keyvalue,
+			     key_data[i].key_data_contents[0],
+			     key_data[i].key_data_length[0]);
+	if(ret)
+	    goto out;
+	if(key_data[i].key_data_ver == 2) {
+	    Salt *salt;
+
+	    salt = malloc(sizeof(*salt));
+	    if(salt == NULL) {
+		ret = ENOMEM;
+		goto out;
+	    }
+	    keys[i].salt = salt;
+	    salt->type = key_data[i].key_data_type[1];
+	    krb5_data_copy(&salt->salt, 
+			   key_data[i].key_data_contents[1],
+			   key_data[i].key_data_length[1]);
+	} else
+	    keys[i].salt = NULL;
+    }
+    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
+    ent->keys.len = len;
+    ent->keys.val = keys;
+    ent->kvno++;
+    return 0;
+ out:
+    _kadm5_free_keys (context, len, keys);
+    return ret;
+}
+
+/*
+ * Set the keys of `ent' to `n_keys, keys'
+ */
+
+kadm5_ret_t
+_kadm5_set_keys3(kadm5_server_context *context,
+		 hdb_entry *ent,
+		 int n_keys,
+		 krb5_keyblock *keyblocks)
+{
+    krb5_error_code ret;
+    int i;
+    unsigned len;
+    Key *keys;
+
+    len  = n_keys;
+    keys = malloc (len * sizeof(*keys));
+    if (keys == NULL)
+	return ENOMEM;
+
+    _kadm5_init_keys (keys, len);
+
+    for(i = 0; i < n_keys; i++) {
+	keys[i].mkvno = NULL;
+	ret = krb5_copy_keyblock_contents (context->context,
+					   &keyblocks[i],
+					   &keys[i].key);
+	if(ret)
+	    goto out;
+	keys[i].salt = NULL;
+    }
+    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
+    ent->keys.len = len;
+    ent->keys.val = keys;
+    ent->kvno++;
+    return 0;
+ out:
+    _kadm5_free_keys (context, len, keys);
+    return ret;
+}
+
+/*
+ * Set the keys of `ent' to random keys and return them in `n_keys'
+ * and `new_keys'.
+ */
+
+kadm5_ret_t
+_kadm5_set_keys_randomly (kadm5_server_context *context,
+			  hdb_entry *ent,
+			  krb5_keyblock **new_keys,
+			  int *n_keys)
+{
+    kadm5_ret_t ret = 0;
+    int i;
+    unsigned len;
+    krb5_keyblock *keys;
+    Key *hkeys;
+
+    len  = n_des_types + 1;
+    keys = malloc (len * sizeof(*keys));
+    if (keys == NULL)
+	return ENOMEM;
+
+    for (i = 0; i < len; ++i) {
+	keys[i].keyvalue.length = 0;
+	keys[i].keyvalue.data   = NULL;
+    }
+
+    hkeys = malloc (len * sizeof(*hkeys));
+    if (hkeys == NULL) {
+	free (keys);
+	return ENOMEM;
+    }
+
+    _kadm5_init_keys (hkeys, len);
+
+    ret = krb5_generate_random_keyblock (context->context,
+					 des_types[0],
+					 &keys[0]);
+    if (ret)
+	goto out;
+
+    ret = krb5_copy_keyblock_contents (context->context,
+				       &keys[0],
+				       &hkeys[0].key);
+    if (ret)
+	goto out;
+
+    for (i = 1; i < n_des_types; ++i) {
+	ret = krb5_copy_keyblock_contents (context->context,
+					   &keys[0],
+					   &keys[i]);
+	if (ret)
+	    goto out;
+	keys[i].keytype = des_types[i];
+	ret = krb5_copy_keyblock_contents (context->context,
+					   &keys[0],
+					   &hkeys[i].key);
+	if (ret)
+	    goto out;
+	hkeys[i].key.keytype = des_types[i];
+    }
+
+    ret = krb5_generate_random_keyblock (context->context,
+					 ETYPE_DES3_CBC_SHA1,
+					 &keys[n_des_types]);
+    if (ret)
+	goto out;
+
+    ret = krb5_copy_keyblock_contents (context->context,
+				       &keys[n_des_types],
+				       &hkeys[n_des_types].key);
+    if (ret)
+	goto out;
+
+    _kadm5_free_keys (context, ent->keys.len, ent->keys.val);
+    ent->keys.len = len;
+    ent->keys.val = hkeys;
+    ent->kvno++;
+    *new_keys     = keys;
+    *n_keys       = len;
+    return ret;
+out:
+    for (i = 0; i < len; ++i)
+	krb5_free_keyblock_contents (context->context, &keys[i]);
+    free (keys);
+    _kadm5_free_keys (context, len, hkeys);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kadm5/set_modifier.c b/crypto/heimdal/lib/kadm5/set_modifier.c
new file mode 100644
index 0000000..2b09745
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/set_modifier.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm5_locl.h"
+
+RCSID("$Id: set_modifier.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
+
+kadm5_ret_t
+_kadm5_set_modifier(kadm5_server_context *context,
+		    hdb_entry *ent)
+{
+    kadm5_ret_t ret;
+    if(ent->modified_by == NULL){
+	ent->modified_by = malloc(sizeof(*ent->modified_by));
+	if(ent->modified_by == NULL)
+	    return ENOMEM;
+    } else
+	free_Event(ent->modified_by);
+    ent->modified_by->time = time(NULL);
+    ret = krb5_copy_principal(context->context, context->caller, 
+			      &ent->modified_by->principal);
+    return ret;
+}
+
diff --git a/crypto/heimdal/lib/kadm5/truncate_log.c b/crypto/heimdal/lib/kadm5/truncate_log.c
new file mode 100644
index 0000000..215fdd7
--- /dev/null
+++ b/crypto/heimdal/lib/kadm5/truncate_log.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "iprop.h"
+
+RCSID("$Id: truncate_log.c,v 1.1 2000/07/24 04:27:06 assar Exp $");
+
+static char *realm;
+static int version_flag;
+static int help_flag;
+
+static struct getargs args[] = {
+    { "realm", 'r', arg_string, &realm },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    void *kadm_handle;
+    kadm5_server_context *server_context;
+    kadm5_config_params conf;
+
+    krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+    
+    if(help_flag)
+	krb5_std_usage(0, args, num_args);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    memset(&conf, 0, sizeof(conf));
+    if(realm) {
+	conf.mask |= KADM5_CONFIG_REALM;
+	conf.realm = realm;
+    }
+
+    ret = kadm5_init_with_password_ctx (context,
+					KADM5_ADMIN_SERVICE,
+					NULL,
+					KADM5_ADMIN_SERVICE,
+					&conf, 0, 0, 
+					&kadm_handle);
+    if (ret)
+	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+
+    server_context = (kadm5_server_context *)kadm_handle;
+
+    ret = kadm5_log_truncate (server_context);
+	krb5_err (context, 1, ret, "kadm5_log_truncate");
+    return 0;
+}
diff --git a/crypto/heimdal/lib/kafs/ChangeLog b/crypto/heimdal/lib/kafs/ChangeLog
new file mode 100644
index 0000000..32b7728
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/ChangeLog
@@ -0,0 +1,221 @@
+2001-05-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: only build resolve.c if doing renaming
+
+2001-02-12  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am, roken_rename.h: add rename of dns functions
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkafs_la_LDFLAGS): set version to 2:3:2
+
+2000-11-17  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: solaris 8 apperently uses 65
+
+2000-09-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libkafs_la_LDFLAGS): bump version to 2:2:2
+
+2000-09-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* dlfcn.c: correct arguments to some snprintf:s
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump version to 2:1:2
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 2:0:2
+
+2000-03-20  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: make versions later than 5.7 of solaris also use
+	73
+
+2000-03-16  Assar Westerlund  <assar@sics.se>
+
+	* afskrb.c (afslog_uid_int): use krb_get_tf_fullname instead of
+	krb_get_default_principal
+
+2000-03-15  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c (map_syscall_name_to_number): ignore # at
+	beginning-of-line
+
+2000-03-13  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: add 230 for MacOS X per information from
+	<warner.c@apple.com>
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:2:1
+
+1999-11-22  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (afslog_uid_int): handle d->realm == NULL
+	
+1999-11-17  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (afslog_uid_int): don't look at the local realm at
+ 	all.  just use the realm from the ticket file.
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:1:1
+
+	* afskrb5.c (get_cred): always request a DES key
+
+Mon Oct 18 17:40:21 1999  Bjoern Groenvall  <bg@mummel.sics.se>
+
+	* common.c (find_cells): Trim trailing whitespace from
+ 	cellname. Lines starting with # are regarded as comments.
+
+Fri Oct  8 18:17:22 1999  Bjoern Groenvall  <bg@mummel.sics.se>
+
+	* afskrb.c, common.c : Change code to make a clear distinction
+ 	between hinted realm and ticket realm.
+
+	* kafs_locl.h: Added argument realm_hint.
+
+	* common.c (_kafs_get_cred): Change code to acquire the ``best''
+ 	possible ticket. Use cross-cell authentication only as method of
+ 	last resort.
+
+	* afskrb.c (afslog_uid_int): Add realm_hint argument and extract
+ 	realm from ticket file.
+
+	* afskrb5.c (afslog_uid_int): Added argument realm_hint.
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (get_cred): update to new krb524_convert_creds_kdc
+
+1999-08-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: ignore the comlicated aix construct if !krb4
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:0:1
+
+1999-07-22  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: define AFS_SYSCALL to 73 for Solaris 2.7
+
+1999-07-07  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (krb5_realm_of_cell): new function
+
+	* afskrb.c (krb_realm_of_cell): new function
+	(afslog_uid_int): call krb_get_lrealm correctly
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* common.c (realm_of_cell): rename to _kafs_realm_of_cell and
+ 	un-staticize
+
+Fri Mar 19 14:52:29 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add version-info
+
+Thu Mar 18 11:24:02 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Sat Feb 27 19:46:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: remove EXTRA_DATA (as of autoconf 2.13/automake
+ 	1.4)
+
+Thu Feb 11 22:57:37 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: set AIX_SRC also if !AIX
+
+Tue Dec  1 14:45:15 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: fix AIX linkage
+
+Sun Nov 22 10:40:44 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Sat Nov 21 16:55:19 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* afskrb5.c: add homedir support
+
+Sun Sep  6 20:16:27 1998  Assar Westerlund  <assar@sics.se>
+
+	* add new functionality for specifying the homedir to krb_afslog
+ 	et al
+
+Thu Jul 16 01:27:19 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c: reorganize order of definitions.
+	(try_one, try_two): conditionalize
+
+Thu Jul  9 18:31:52 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* common.c (realm_of_cell): make the dns fallback work
+
+Wed Jul  8 01:39:44 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c (map_syscall_name_to_number): new function for finding
+ 	the number of a syscall given the name on solaris
+	(k_hasafs): try using map_syscall_name_to_number
+
+Tue Jun 30 17:19:00 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c: rewrite and add support for environment variable
+ 	AFS_SYSCALL
+
+	* Makefile.in (distclean): don't remove roken_rename.h
+
+Fri May 29 19:03:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (roken_rename.h): remove dependency
+
+Mon May 25 05:25:54 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+Sun Apr 19 09:58:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sat Apr  4 15:08:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* kafs.h: add arla paths
+
+	* common.c (_kafs_afslog_all_local_cells): Try _PATH_ARLA_*
+	(_realm_of_cell): Try _PATH_ARLA_CELLSERVDB
+
+Thu Feb 19 14:50:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* common.c: Don't store expired tokens (this broke when using
+ 	pag-less rsh-sessions, and `non-standard' ticket files).
+
+Thu Feb 12 11:20:15 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.in: Install/uninstall one library at a time.
+
+Thu Feb 12 05:38:58 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (install): one library at a time.
+
+Mon Feb  9 23:40:32 1998  Assar Westerlund  <assar@sics.se>
+
+	* common.c (find_cells): ignore empty lines
+
+Tue Jan  6 04:25:58 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h (AFS_SYSCALL): add FreeBSD
+
+Fri Jan  2 17:08:24 1998  Assar Westerlund  <assar@sics.se>
+
+	* kafs.h: new VICEIOCTL's.  From <rb@stacken.kth.se>
+
+	* afssysdefs.h: Add OpenBSD
diff --git a/crypto/heimdal/lib/kafs/Makefile.am b/crypto/heimdal/lib/kafs/Makefile.am
new file mode 100644
index 0000000..5eda566
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/Makefile.am
@@ -0,0 +1,87 @@
+# $Id: Makefile.am,v 1.25 2001/05/18 16:11:39 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) $(AFS_EXTRA_DEFS)
+
+if KRB4
+AFSLIBS = libkafs.la
+
+if AIX
+AFSL_EXP = $(srcdir)/afsl.exp
+
+if AIX4
+AFS_EXTRA_LD = -bnoentry
+else
+AFS_EXTRA_LD = -e _nostart
+endif
+
+if AIX_DYNAMIC_AFS
+if HAVE_DLOPEN
+AIX_SRC = 
+else
+AIX_SRC = dlfcn.c
+endif
+AFS_EXTRA_LIBS = afslib.so
+AFS_EXTRA_DEFS =
+else
+AIX_SRC = afslib.c
+AFS_EXTRA_LIBS = 
+AFS_EXTRA_DEFS = -DSTATIC_AFS
+endif
+
+else
+AFSL_EXP =
+AIX_SRC =
+endif # AIX
+
+else
+AFSLIBS = 
+endif # KRB4
+
+
+lib_LTLIBRARIES = $(AFSLIBS)
+libkafs_la_LDFLAGS = -version-info 2:3:2
+foodir = $(libdir)
+foo_DATA = $(AFS_EXTRA_LIBS)
+# EXTRA_DATA = afslib.so
+
+CLEANFILES= $(AFS_EXTRA_LIBS) $(ROKEN_SRCS)
+
+include_HEADERS = kafs.h
+
+if KRB5
+afskrb5_c = afskrb5.c
+endif
+
+if do_roken_rename
+ROKEN_SRCS = resolve.c
+endif
+
+libkafs_la_SOURCES =				\
+	afssys.c				\
+	afskrb.c				\
+	$(afskrb5_c)				\
+	common.c				\
+	$(AIX_SRC)				\
+	kafs_locl.h				\
+	afssysdefs.h				\
+	$(ROKEN_SRCS)
+
+#afslib_so_SOURCES = afslib.c
+
+EXTRA_libkafs_la_SOURCES = afskrb5.c dlfcn.c afslib.c dlfcn.h
+
+EXTRA_DIST = README.dlfcn afsl.exp afslib.exp
+
+man_MANS = kafs.3
+
+# AIX: this almost works with gcc, but somehow it fails to use the
+# correct ld, use ld instead
+afslib.so: afslib.o
+	ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp $(AFS_EXTRA_LD) afslib.o -lc
+
+$(OBJECTS): ../../include/config.h
+
+resolve.c:
+	$(LN_S) $(srcdir)/../roken/resolve.c .
diff --git a/crypto/heimdal/lib/kafs/Makefile.in b/crypto/heimdal/lib/kafs/Makefile.in
new file mode 100644
index 0000000..be72b73
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/Makefile.in
@@ -0,0 +1,1036 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.25 2001/05/18 16:11:39 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(AFS_EXTRA_DEFS)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+@KRB4_TRUE@AFSLIBS = @KRB4_TRUE@libkafs.la
+@KRB4_FALSE@AFSLIBS = 
+
+@KRB4_TRUE@@AIX_TRUE@AFSL_EXP = @KRB4_TRUE@@AIX_TRUE@$(srcdir)/afsl.exp
+@KRB4_TRUE@@AIX_FALSE@AFSL_EXP = 
+@KRB4_TRUE@@AIX_TRUE@@AIX4_TRUE@AFS_EXTRA_LD = @KRB4_TRUE@@AIX_TRUE@@AIX4_TRUE@-bnoentry
+@KRB4_TRUE@@AIX_TRUE@@AIX4_FALSE@AFS_EXTRA_LD = @KRB4_TRUE@@AIX_TRUE@@AIX4_FALSE@-e _nostart
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@@HAVE_DLOPEN_TRUE@AIX_SRC = 
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@@HAVE_DLOPEN_FALSE@AIX_SRC = @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@@HAVE_DLOPEN_FALSE@dlfcn.c
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AIX_SRC = @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@afslib.c
+@KRB4_TRUE@@AIX_FALSE@AIX_SRC = 
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@AFS_EXTRA_LIBS = @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@afslib.so
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AFS_EXTRA_LIBS = 
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_TRUE@AFS_EXTRA_DEFS = 
+@KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@AFS_EXTRA_DEFS = @KRB4_TRUE@@AIX_TRUE@@AIX_DYNAMIC_AFS_FALSE@-DSTATIC_AFS
+
+lib_LTLIBRARIES = $(AFSLIBS)
+libkafs_la_LDFLAGS = -version-info 2:3:2
+foodir = $(libdir)
+foo_DATA = $(AFS_EXTRA_LIBS)
+# EXTRA_DATA = afslib.so
+
+CLEANFILES = $(AFS_EXTRA_LIBS) $(ROKEN_SRCS)
+
+include_HEADERS = kafs.h
+
+@KRB5_TRUE@afskrb5_c = @KRB5_TRUE@afskrb5.c
+
+@do_roken_rename_TRUE@ROKEN_SRCS = @do_roken_rename_TRUE@resolve.c
+
+libkafs_la_SOURCES = \
+	afssys.c				\
+	afskrb.c				\
+	$(afskrb5_c)				\
+	common.c				\
+	$(AIX_SRC)				\
+	kafs_locl.h				\
+	afssysdefs.h				\
+	$(ROKEN_SRCS)
+
+
+#afslib_so_SOURCES = afslib.c
+
+EXTRA_libkafs_la_SOURCES = afskrb5.c dlfcn.c afslib.c dlfcn.h
+
+EXTRA_DIST = README.dlfcn afsl.exp afslib.exp
+
+man_MANS = kafs.3
+subdir = lib/kafs
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libkafs_la_LIBADD = 
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afslib.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afslib.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afslib.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afslib.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afslib.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afslib.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afslib.lo
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afslib.lo \
+@AIX_DYNAMIC_AFS_FALSE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_FALSE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@dlfcn.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@dlfcn.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@dlfcn.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@dlfcn.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_FALSE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_FALSE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_FALSE@@do_roken_rename_TRUE@resolve.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_FALSE@common.lo
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@am_libkafs_la_OBJECTS =  \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afssys.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@afskrb5.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@common.lo \
+@AIX_DYNAMIC_AFS_TRUE@@AIX_TRUE@@HAVE_DLOPEN_TRUE@@KRB4_TRUE@@KRB5_TRUE@@do_roken_rename_TRUE@resolve.lo
+libkafs_la_OBJECTS =  $(am_libkafs_la_OBJECTS)
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES)
+man3dir = $(mandir)/man3
+MANS = $(man_MANS)
+DATA =  $(foo_DATA)
+
+HEADERS =  $(include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libkafs_la_SOURCES) $(EXTRA_libkafs_la_SOURCES)
+OBJECTS = $(am_libkafs_la_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/kafs/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libkafs.la: $(libkafs_la_OBJECTS) $(libkafs_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libkafs_la_LDFLAGS) $(libkafs_la_OBJECTS) $(libkafs_la_LIBADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man3:
+	$(mkinstalldirs) $(DESTDIR)$(man3dir)
+	@list='$(man3_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \
+	done
+
+uninstall-man3:
+	@list='$(man3_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man3dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man3
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man3
+
+install-fooDATA: $(foo_DATA)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(foodir)
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(foodir)/$$f; \
+	done
+
+uninstall-fooDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(foo_DATA)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(foodir)/$$f"; \
+	  rm -f $(DESTDIR)$(foodir)/$$f; \
+	done
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-fooDATA install-includeHEADERS \
+		install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-man uninstall-fooDATA \
+		uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(mandir)/man3 \
+		$(DESTDIR)$(foodir) $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool install-man3 uninstall-man3 install-man \
+uninstall-man uninstall-fooDATA install-fooDATA \
+uninstall-includeHEADERS install-includeHEADERS tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# AIX: this almost works with gcc, but somehow it fails to use the
+# correct ld, use ld instead
+afslib.so: afslib.o
+	ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp $(AFS_EXTRA_LD) afslib.o -lc
+
+$(OBJECTS): ../../include/config.h
+
+resolve.c:
+	$(LN_S) $(srcdir)/../roken/resolve.c .
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/kafs/README.dlfcn b/crypto/heimdal/lib/kafs/README.dlfcn
new file mode 100644
index 0000000..cee1b75
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/README.dlfcn
@@ -0,0 +1,246 @@
+Copyright (c) 1992,1993,1995,1996, Jens-Uwe Mager, Helios Software GmbH
+Not derived from licensed software.
+
+Permission is granted to freely use, copy, modify, and redistribute
+this software, provided that the author is not construed to be liable
+for any results of using the software, alterations are clearly marked
+as such, and this notice is not modified.
+
+libdl.a
+-------
+
+This is an emulation library to emulate the SunOS/System V.4 functions
+to access the runtime linker. The functions are emulated by using the
+AIX load() function and by reading the .loader section of the loaded
+module to find the exports. The to be loaded module should be linked as
+follows (if using AIX 3):
+
+	cc -o module.so -bM:SRE -bE:module.exp -e _nostart $(OBJS)
+
+For AIX 4:
+
+	cc -o module.so -bM:SRE -bE:module.exp -bnoentry $(OBJS)
+
+If you want to reference symbols from the main part of the program in a
+loaded module, you will have to link against the export file of the
+main part:
+
+	cc -o main -bE:main.exp $(MAIN_OBJS)
+	cc -o module.so -bM:SRE -bI:main.exp -bE:module.exp -bnoentry $(OBJS)
+
+Note that you explicitely have to specify what functions are supposed
+to be accessible from your loaded modules, this is different from
+SunOS/System V.4 where any global is automatically exported. If you
+want to export all globals, the following script might be of help:
+
+#!/bin/sh
+/usr/ucb/nm -g $* | awk '$2 == "B" || $2 == "D" { print $3 }'
+
+The module export file contains the symbols to be exported. Because
+this library uses the loader section, the final module.so file can be
+stripped. C++ users should build their shared objects using the script
+makeC++SharedLib (part of the IBM C++ compiler), this will make sure
+that constructors and destructors for static and global objects will be
+called upon loading and unloading the module. GNU C++ users should use
+the -shared option to g++ to link the shared object:
+
+	g++ -o module.so -shared $(OBJS)
+
+If the shared object does have permissions for anybody, the shared
+object will be loaded into the shared library segment and it will stay
+there even if the main application terminates. If you rebuild your
+shared object after a bugfix and you want to make sure that you really
+get the newest version you will have to use the "slibclean" command
+before starting the application again to garbage collect the shared
+library segment. If the performance utilities (bosperf) are installed
+you can use the following command to see what shared objects are
+loaded:
+
+/usr/lpp/bosperf/genkld | sort | uniq
+
+For easier debugging you can avoid loading the shared object into the
+shared library segment alltogether by removing permissions for others
+from the module.so file:
+
+chmod o-rwx module.so
+
+This will ensure you get a fresh copy of the shared object for every
+dlopen() call which is loaded into the application's data segment.
+
+Usage
+-----
+
+void *dlopen(const char *path, int mode);
+
+This routine loads the module pointed to by path and reads its export
+table. If the path does not contain a '/' character, dlopen will search
+for the module using the LIBPATH environment variable. It returns an
+opaque handle to the module or NULL on error. The mode parameter can be
+either RTLD_LAZY (for lazy function binding) or RTLD_NOW for immediate
+function binding. The AIX implementation currently does treat RTLD_NOW
+the same as RTLD_LAZY. The flag RTLD_GLOBAL might be or'ed into the
+mode parameter to allow loaded modules to bind to global variables or
+functions in other loaded modules loaded by dlopen(). If RTLD_GLOBAL is
+not specified, only globals from the main part of the executable or
+shared libraries are used to look for undefined symbols in loaded
+modules.
+
+
+void *dlsym(void *handle, const char *symbol);
+
+This routine searches for the symbol in the module referred to by
+handle and returns its address. If the symbol could not be found, the
+function returns NULL. The return value must be casted to a proper
+function pointer before it can be used. SunOS/System V.4 allows handle
+to be a NULL pointer to refer to the module the call is made from, this
+is not implemented.
+
+int dlclose(void *handle);
+
+This routine unloads the module referred to by the handle and disposes
+of any local storage. this function returns -1 on failure. Any function
+pointers obtained through dlsym() should be considered invalid after
+closing a module.
+
+As AIX caches shared objects in the shared library segment, function
+pointers obtained through dlsym() might still work even though the
+module has been unloaded. This can introduce subtle bugs that will
+segment fault later if AIX garbage collects or immediatly on
+SunOS/System V.4 as the text segment is unmapped.
+
+char *dlerror(void);
+
+This routine can be used to retrieve a text message describing the most
+recent error that occured on on of the above routines. This function
+returns NULL if there is no error information.
+
+Initialization and termination handlers
+---------------------------------------
+
+The emulation provides for an initialization and a termination
+handler.  The dlfcn.h file contains a structure declaration named
+dl_info with following members:
+
+	void (*init)(void);
+	void (*fini)(void);
+
+The init function is called upon first referencing the library. The
+fini function is called at dlclose() time or when the process exits.
+The module should declare a variable named dl_info that contains this
+structure which must be exported.  These functions correspond to the
+documented _init() and _fini() functions of SunOS 4.x, but these are
+appearently not implemented in SunOS.  When using SunOS 5.0, these
+correspond to #pragma init and #pragma fini respectively. At the same
+time any static or global C++ object's constructors or destructors will
+be called.
+
+BUGS
+----
+
+Please note that there is currently a problem with implicitely loaded
+shared C++ libaries: if you refer to a shared C++ library from a loaded
+module that is not yet used by the main program, the dlopen() emulator
+does not notice this and does not call the static constructors for the
+implicitely loaded library. This can be easily demonstrated by
+referencing the C++ standard streams from a loaded module if the main
+program is a plain C program.
+
+Jens-Uwe Mager
+
+HELIOS Software GmbH
+Lavesstr. 80
+30159 Hannover
+Germany
+
+Phone:		+49 511 36482-0
+FAX:		+49 511 36482-69
+AppleLink:	helios.de/jum
+Internet:	jum@helios.de
+
+Revison History
+---------------
+
+SCCS/s.dlfcn.h:
+
+D 1.4 95/04/25 09:36:52 jum 4 3	00018/00004/00028
+MRs:
+COMMENTS:
+added RTLD_GLOBAL, include and C++ guards
+
+D 1.3 92/12/27 20:58:32 jum 3 2	00001/00001/00031
+MRs:
+COMMENTS:
+we always have prototypes on RS/6000
+
+D 1.2 92/08/16 17:45:11 jum 2 1	00009/00000/00023
+MRs:
+COMMENTS:
+added dl_info structure to implement initialize and terminate functions
+
+D 1.1 92/08/02 18:08:45 jum 1 0	00023/00000/00000
+MRs:
+COMMENTS:
+Erstellungsdatum und -uhrzeit 92/08/02 18:08:45 von jum
+
+SCCS/s.dlfcn.c:
+
+D 1.11 96/04/10 20:12:51 jum 13 12	00037/00000/00533
+MRs:
+COMMENTS:
+Integrated the changes from John W. Eaton <jwe@bevo.che.wisc.edu> to initialize
+g++ generated shared objects.
+
+D 1.10 96/02/15 17:42:44 jum 12 10	00012/00007/00521
+MRs:
+COMMENTS:
+the C++ constructor and destructor chains are now called properly for either
+xlC 2 or xlC 3 (CSet++).
+
+D 1.9 95/09/22 11:09:38 markus 10 9	00001/00008/00527
+MRs:
+COMMENTS:
+Fix version number
+
+D 1.8 95/09/22 10:14:34 markus 9 8	00008/00001/00527
+MRs:
+COMMENTS:
+Added version number for dl lib
+
+D 1.7 95/08/14 19:08:38 jum 8 6	00026/00004/00502
+MRs:
+COMMENTS:
+Integrated the fixes from Kirk Benell (kirk@rsinc.com) to allow loading of
+shared objects generated under AIX 4. Fixed bug that symbols with exactly
+8 characters would use garbage characters from the following symbol value.
+
+D 1.6 95/04/25 09:38:03 jum 6 5	00046/00006/00460
+MRs:
+COMMENTS:
+added handling of C++ static constructors and destructors, added RTLD_GLOBAL to bind against other loaded modules
+
+D 1.5 93/02/14 20:14:17 jum 5 4	00002/00000/00464
+MRs:
+COMMENTS:
+added path to dlopen error message to make clear where there error occured.
+
+D 1.4 93/01/03 19:13:56 jum 4 3	00061/00005/00403
+MRs:
+COMMENTS:
+to allow calling symbols in the main module call load with L_NOAUTODEFER and 
+do a loadbind later with the main module.
+
+D 1.3 92/12/27 20:59:55 jum 3 2	00066/00008/00342
+MRs:
+COMMENTS:
+added search by L_GETINFO if module got loaded by LIBPATH
+
+D 1.2 92/08/16 17:45:43 jum 2 1	00074/00006/00276
+MRs:
+COMMENTS:
+implemented initialize and terminate functions, added reference counting to avoid multiple loads of the same library
+
+D 1.1 92/08/02 18:08:45 jum 1 0	00282/00000/00000
+MRs:
+COMMENTS:
+Erstellungsdatum und -uhrzeit 92/08/02 18:08:45 von jum
+
diff --git a/crypto/heimdal/lib/kafs/afskrb.c b/crypto/heimdal/lib/kafs/afskrb.c
new file mode 100644
index 0000000..ea7ca53
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afskrb.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afskrb.c,v 1.14 2000/03/16 05:35:56 assar Exp $");
+
+struct krb_kafs_data {
+    const char *realm;
+};
+
+static int
+get_cred(kafs_data *data, const char *name, const char *inst, 
+	 const char *realm, CREDENTIALS *c)
+{
+    KTEXT_ST tkt;
+    int ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, c);
+    
+    if (ret) {
+	ret = krb_mk_req(&tkt, (char*)name, (char*)inst, (char*)realm, 0);
+	if (ret == KSUCCESS)
+	    ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, c);
+    }
+    return ret;
+}
+
+static int
+afslog_uid_int(kafs_data *data,
+	       const char *cell,
+	       const char *realm_hint,
+	       uid_t uid,
+	       const char *homedir)
+{
+    int ret;
+    CREDENTIALS c;
+    char realm[REALM_SZ];
+    
+    if (cell == 0 || cell[0] == 0)
+	return _kafs_afslog_all_local_cells (data, uid, homedir);
+
+    /* Extract realm from ticket file. */
+    ret = krb_get_tf_fullname(tkt_string(), NULL, NULL, realm);
+    if (ret != KSUCCESS)
+	return ret;
+
+    ret = _kafs_get_cred(data, cell, realm_hint, realm, &c);
+    
+    if (ret == 0)
+	ret = kafs_settoken(cell, uid, &c);
+    return ret;
+}
+
+static char *
+get_realm(kafs_data *data, const char *host)
+{
+    char *r = krb_realmofhost(host);
+    if(r != NULL)
+	return strdup(r);
+    else
+	return NULL;
+}
+
+int
+krb_afslog_uid_home(const char *cell, const char *realm_hint, uid_t uid,
+		    const char *homedir)
+{
+    kafs_data kd;
+
+    kd.afslog_uid = afslog_uid_int;
+    kd.get_cred = get_cred;
+    kd.get_realm = get_realm;
+    kd.data = 0;
+    return afslog_uid_int(&kd, cell, realm_hint, uid, homedir);
+}
+
+int
+krb_afslog_uid(const char *cell, const char *realm_hint, uid_t uid)
+{
+    return krb_afslog_uid_home(cell, realm_hint, uid, NULL);
+}
+
+int
+krb_afslog(const char *cell, const char *realm_hint)
+{
+    return krb_afslog_uid(cell, realm_hint, getuid());
+}
+
+int
+krb_afslog_home(const char *cell, const char *realm_hint, const char *homedir)
+{
+    return krb_afslog_uid_home(cell, realm_hint, getuid(), homedir);
+}
+
+/*
+ *
+ */
+
+int
+krb_realm_of_cell(const char *cell, char **realm)
+{
+    kafs_data kd;
+
+    kd.get_realm = get_realm;
+    return _kafs_realm_of_cell(&kd, cell, realm);
+}
diff --git a/crypto/heimdal/lib/kafs/afskrb5.c b/crypto/heimdal/lib/kafs/afskrb5.c
new file mode 100644
index 0000000..4c35ea7
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afskrb5.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afskrb5.c,v 1.13 1999/12/02 16:58:39 joda Exp $");
+
+struct krb5_kafs_data {
+    krb5_context context;
+    krb5_ccache id;
+    krb5_const_realm realm;
+};
+
+static int
+get_cred(kafs_data *data, const char *name, const char *inst, 
+	 const char *realm, CREDENTIALS *c)
+{
+    krb5_error_code ret;
+    krb5_creds in_creds, *out_creds;
+    struct krb5_kafs_data *d = data->data;
+
+    memset(&in_creds, 0, sizeof(in_creds));
+    ret = krb5_425_conv_principal(d->context, name, inst, realm, 
+				  &in_creds.server);
+    if(ret)
+	return ret;
+    ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client);
+    if(ret){
+	krb5_free_principal(d->context, in_creds.server);
+	return ret;
+    }
+    in_creds.session.keytype = KEYTYPE_DES;
+    ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
+    krb5_free_principal(d->context, in_creds.server);
+    krb5_free_principal(d->context, in_creds.client);
+    if(ret)
+	return ret;
+    ret = krb524_convert_creds_kdc(d->context, d->id, out_creds, c);
+    krb5_free_creds(d->context, out_creds);
+    return ret;
+}
+
+static krb5_error_code
+afslog_uid_int(kafs_data *data, const char *cell, const char *rh, uid_t uid,
+	       const char *homedir)
+{
+    krb5_error_code ret;
+    CREDENTIALS c;
+    krb5_principal princ;
+    krb5_realm *trealm; /* ticket realm */
+    struct krb5_kafs_data *d = data->data;
+    
+    if (cell == 0 || cell[0] == 0)
+	return _kafs_afslog_all_local_cells (data, uid, homedir);
+
+    ret = krb5_cc_get_principal (d->context, d->id, &princ);
+    if (ret)
+	return ret;
+
+    trealm = krb5_princ_realm (d->context, princ);
+
+    if (d->realm != NULL && strcmp (d->realm, *trealm) == 0) {
+	trealm = NULL;
+	krb5_free_principal (d->context, princ);
+    }
+
+    ret = _kafs_get_cred(data, cell, d->realm, *trealm, &c);
+    if(trealm)
+	krb5_free_principal (d->context, princ);
+    
+    if(ret == 0)
+	ret = kafs_settoken(cell, uid, &c);
+    return ret;
+}
+
+static char *
+get_realm(kafs_data *data, const char *host)
+{
+    struct krb5_kafs_data *d = data->data;
+    krb5_realm *realms;
+    char *r;
+    if(krb5_get_host_realm(d->context, host, &realms))
+	return NULL;
+    r = strdup(realms[0]);
+    krb5_free_host_realm(d->context, realms);
+    return r;
+}
+
+krb5_error_code
+krb5_afslog_uid_home(krb5_context context,
+		     krb5_ccache id,
+		     const char *cell,
+		     krb5_const_realm realm,
+		     uid_t uid,
+		     const char *homedir)
+{
+    kafs_data kd;
+    struct krb5_kafs_data d;
+    kd.afslog_uid = afslog_uid_int;
+    kd.get_cred = get_cred;
+    kd.get_realm = get_realm;
+    kd.data = &d;
+    d.context = context;
+    d.id = id;
+    d.realm = realm;
+    return afslog_uid_int(&kd, cell, 0, uid, homedir);
+}
+
+krb5_error_code
+krb5_afslog_uid(krb5_context context,
+		krb5_ccache id,
+		const char *cell,
+		krb5_const_realm realm,
+		uid_t uid)
+{
+    return krb5_afslog_uid_home (context, id, cell, realm, uid, NULL);
+}
+
+krb5_error_code
+krb5_afslog(krb5_context context,
+	    krb5_ccache id, 
+	    const char *cell,
+	    krb5_const_realm realm)
+{
+    return krb5_afslog_uid (context, id, cell, realm, getuid());
+}
+
+krb5_error_code
+krb5_afslog_home(krb5_context context,
+		 krb5_ccache id, 
+		 const char *cell,
+		 krb5_const_realm realm,
+		 const char *homedir)
+{
+    return krb5_afslog_uid_home (context, id, cell, realm, getuid(), homedir);
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_realm_of_cell(const char *cell, char **realm)
+{
+    kafs_data kd;
+
+    kd.get_realm = get_realm;
+    return _kafs_realm_of_cell(&kd, cell, realm);
+}
diff --git a/crypto/heimdal/lib/kafs/afsl.exp b/crypto/heimdal/lib/kafs/afsl.exp
new file mode 100644
index 0000000..4d2b00e
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afsl.exp
@@ -0,0 +1,6 @@
+#!/unix
+
+* This mumbo jumbo creates entry points to syscalls in _AIX
+
+lpioctl	syscall
+lsetpag	syscall
diff --git a/crypto/heimdal/lib/kafs/afslib.c b/crypto/heimdal/lib/kafs/afslib.c
new file mode 100644
index 0000000..ae3b5a5
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afslib.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* 
+ * This file is only used with AIX 
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afslib.c,v 1.6 1999/12/02 16:58:40 joda Exp $");
+
+int
+aix_pioctl(char *a_path,
+	   int o_opcode,
+	   struct ViceIoctl *a_paramsP,
+	   int a_followSymlinks)
+{
+    return lpioctl(a_path, o_opcode, a_paramsP, a_followSymlinks);
+}
+
+int
+aix_setpag(void)
+{
+    return lsetpag();
+}
diff --git a/crypto/heimdal/lib/kafs/afslib.exp b/crypto/heimdal/lib/kafs/afslib.exp
new file mode 100644
index 0000000..f288717
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afslib.exp
@@ -0,0 +1,3 @@
+#!
+aix_pioctl
+aix_setpag
diff --git a/crypto/heimdal/lib/kafs/afssys.c b/crypto/heimdal/lib/kafs/afssys.c
new file mode 100644
index 0000000..c64b382
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afssys.c
@@ -0,0 +1,398 @@
+/*
+ * Copyright (c) 1995 - 200 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afssys.c,v 1.67 2000/07/08 12:06:03 assar Exp $");
+
+int _kafs_debug; /* this should be done in a better way */
+
+#define NO_ENTRY_POINT		0
+#define SINGLE_ENTRY_POINT	1
+#define MULTIPLE_ENTRY_POINT	2
+#define SINGLE_ENTRY_POINT2	3
+#define SINGLE_ENTRY_POINT3	4
+#define AIX_ENTRY_POINTS	5
+#define UNKNOWN_ENTRY_POINT	6
+static int afs_entry_point = UNKNOWN_ENTRY_POINT;
+static int afs_syscalls[2];
+
+/* Magic to get AIX syscalls to work */
+#ifdef _AIX
+
+static int (*Pioctl)(char*, int, struct ViceIoctl*, int);
+static int (*Setpag)(void);
+
+#include "dlfcn.h"
+
+/*
+ *
+ */
+
+static int
+try_aix(void)
+{
+#ifdef STATIC_AFS_SYSCALLS
+    Pioctl = aix_pioctl;
+    Setpag = aix_setpag;
+#else
+    void *ptr;
+    char path[MaxPathLen], *p;
+    /*
+     * If we are root or running setuid don't trust AFSLIBPATH!
+     */
+    if (getuid() != 0 && !issuid() && (p = getenv("AFSLIBPATH")) != NULL)
+	strlcpy(path, p, sizeof(path));
+    else
+	snprintf(path, sizeof(path), "%s/afslib.so", LIBDIR);
+	
+    ptr = dlopen(path, RTLD_NOW);
+    if(ptr == NULL) {
+	if(_kafs_debug) {
+	    if(errno == ENOEXEC && (p = dlerror()) != NULL)
+		fprintf(stderr, "dlopen(%s): %s\n", path, p);
+	    else if (errno != ENOENT)
+		fprintf(stderr, "dlopen(%s): %s\n", path, strerror(errno));
+	}
+	return 1;
+    }
+    Setpag = (int (*)(void))dlsym(ptr, "aix_setpag");
+    Pioctl = (int (*)(char*, int, 
+		      struct ViceIoctl*, int))dlsym(ptr, "aix_pioctl");
+#endif
+    afs_entry_point = AIX_ENTRY_POINTS;
+    return 0;
+}
+#endif /* _AIX */
+
+/* 
+ * This probably only works under Solaris and could get confused if
+ * there's a /etc/name_to_sysnum file.  
+ */
+
+#define _PATH_ETC_NAME_TO_SYSNUM "/etc/name_to_sysnum"
+
+static int
+map_syscall_name_to_number (const char *str, int *res)
+{
+    FILE *f;
+    char buf[256];
+    size_t str_len = strlen (str);
+
+    f = fopen (_PATH_ETC_NAME_TO_SYSNUM, "r");
+    if (f == NULL)
+	return -1;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if (buf[0] == '#')
+	    continue;
+
+	if (strncmp (str, buf, str_len) == 0) {
+	    char *begptr = buf + str_len;
+	    char *endptr;
+	    long val = strtol (begptr, &endptr, 0);
+
+	    if (val != 0 && endptr != begptr) {
+		fclose (f);
+		*res = val;
+		return 0;
+	    }
+	}
+    }
+    fclose (f);
+    return -1;
+}
+
+int
+k_pioctl(char *a_path,
+	 int o_opcode,
+	 struct ViceIoctl *a_paramsP,
+	 int a_followSymlinks)
+{
+#ifndef NO_AFS
+    switch(afs_entry_point){
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+    case SINGLE_ENTRY_POINT:
+    case SINGLE_ENTRY_POINT2:
+    case SINGLE_ENTRY_POINT3:
+	return syscall(afs_syscalls[0], AFSCALL_PIOCTL,
+		       a_path, o_opcode, a_paramsP, a_followSymlinks);
+#endif
+#if defined(AFS_PIOCTL)
+    case MULTIPLE_ENTRY_POINT:
+	return syscall(afs_syscalls[0],
+		       a_path, o_opcode, a_paramsP, a_followSymlinks);
+#endif
+#ifdef _AIX
+    case AIX_ENTRY_POINTS:
+	return Pioctl(a_path, o_opcode, a_paramsP, a_followSymlinks);
+#endif
+    }
+    
+    errno = ENOSYS;
+#ifdef SIGSYS
+    kill(getpid(), SIGSYS);	/* You loose! */
+#endif
+#endif /* NO_AFS */
+    return -1;
+}
+
+int
+k_afs_cell_of_file(const char *path, char *cell, int len)
+{
+    struct ViceIoctl parms;
+    parms.in = NULL;
+    parms.in_size = 0;
+    parms.out = cell;
+    parms.out_size = len;
+    return k_pioctl((char*)path, VIOC_FILE_CELL_NAME, &parms, 1);
+}
+
+int
+k_unlog(void)
+{
+    struct ViceIoctl parms;
+    memset(&parms, 0, sizeof(parms));
+    return k_pioctl(0, VIOCUNLOG, &parms, 0);
+}
+
+int
+k_setpag(void)
+{
+#ifndef NO_AFS
+    switch(afs_entry_point){
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+    case SINGLE_ENTRY_POINT:
+    case SINGLE_ENTRY_POINT2:
+    case SINGLE_ENTRY_POINT3:
+	return syscall(afs_syscalls[0], AFSCALL_SETPAG);
+#endif
+#if defined(AFS_PIOCTL)
+    case MULTIPLE_ENTRY_POINT:
+	return syscall(afs_syscalls[1]);
+#endif
+#ifdef _AIX
+    case AIX_ENTRY_POINTS:
+	return Setpag();
+#endif
+    }
+    
+    errno = ENOSYS;
+#ifdef SIGSYS
+    kill(getpid(), SIGSYS);	/* You loose! */
+#endif
+#endif /* NO_AFS */
+    return -1;
+}
+
+static jmp_buf catch_SIGSYS;
+
+#ifdef SIGSYS
+
+static RETSIGTYPE
+SIGSYS_handler(int sig)
+{
+    errno = 0;
+    signal(SIGSYS, SIGSYS_handler); /* Need to reinstall handler on SYSV */
+    longjmp(catch_SIGSYS, 1);
+}
+
+#endif
+
+/*
+ * Try to see if `syscall' is a pioctl.  Return 0 iff succesful.
+ */
+
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+static int
+try_one (int syscall_num)
+{
+    struct ViceIoctl parms;
+    memset(&parms, 0, sizeof(parms));
+
+    if (setjmp(catch_SIGSYS) == 0) {
+	syscall(syscall_num, AFSCALL_PIOCTL,
+		0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+	if (errno == EINVAL) {
+	    afs_entry_point = SINGLE_ENTRY_POINT;
+	    afs_syscalls[0] = syscall_num;
+	    return 0;
+	}
+    }
+    return 1;
+}
+#endif
+
+/*
+ * Try to see if `syscall_pioctl' is a pioctl syscall.  Return 0 iff
+ * succesful.
+ *
+ */
+
+#ifdef AFS_PIOCTL
+static int
+try_two (int syscall_pioctl, int syscall_setpag)
+{
+    struct ViceIoctl parms;
+    memset(&parms, 0, sizeof(parms));
+
+    if (setjmp(catch_SIGSYS) == 0) {
+	syscall(syscall_pioctl,
+		0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+	if (errno == EINVAL) {
+	    afs_entry_point = MULTIPLE_ENTRY_POINT;
+	    afs_syscalls[0] = syscall_pioctl;
+	    afs_syscalls[1] = syscall_setpag;
+	    return 0;
+	}
+    }
+    return 1;
+}
+#endif
+
+int
+k_hasafs(void)
+{
+#if !defined(NO_AFS) && defined(SIGSYS)
+    RETSIGTYPE (*saved_func)(int);
+#endif
+    int saved_errno;
+    char *env = getenv ("AFS_SYSCALL");
+  
+    /*
+     * Already checked presence of AFS syscalls?
+     */
+    if (afs_entry_point != UNKNOWN_ENTRY_POINT)
+	return afs_entry_point != NO_ENTRY_POINT;
+
+    /*
+     * Probe kernel for AFS specific syscalls,
+     * they (currently) come in two flavors.
+     * If the syscall is absent we recive a SIGSYS.
+     */
+    afs_entry_point = NO_ENTRY_POINT;
+  
+    saved_errno = errno;
+#ifndef NO_AFS
+#ifdef SIGSYS
+    saved_func = signal(SIGSYS, SIGSYS_handler);
+#endif
+
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+    {
+	int tmp;
+
+	if (env != NULL) {
+	    if (sscanf (env, "%d", &tmp) == 1) {
+		if (try_one (tmp) == 0)
+		    goto done;
+	    } else {
+		char *end = NULL;
+		char *p;
+		char *s = strdup (env);
+
+		if (s != NULL) {
+		    for (p = strtok_r (s, ",", &end);
+			 p != NULL;
+			 p = strtok_r (NULL, ",", &end)) {
+			if (map_syscall_name_to_number (p, &tmp) == 0)
+			    if (try_one (tmp) == 0) {
+				free (s);
+				goto done;
+			    }
+		    }
+		    free (s);
+		}
+	    }
+	}
+    }
+#endif /* AFS_SYSCALL || AFS_SYSCALL2 || AFS_SYSCALL3 */
+
+#ifdef AFS_SYSCALL
+    if (try_one (AFS_SYSCALL) == 0)
+	goto done;
+#endif /* AFS_SYSCALL */
+
+#ifdef AFS_PIOCTL
+    {
+	int tmp[2];
+
+	if (env != NULL && sscanf (env, "%d%d", &tmp[0], &tmp[1]) == 2)
+	    if (try_two (tmp[0], tmp[1]) == 2)
+		goto done;
+    }
+#endif /* AFS_PIOCTL */
+
+#ifdef AFS_PIOCTL
+    if (try_two (AFS_PIOCTL, AFS_SETPAG) == 0)
+	goto done;
+#endif /* AFS_PIOCTL */
+
+#ifdef AFS_SYSCALL2
+    if (try_one (AFS_SYSCALL2) == 0)
+	goto done;
+#endif /* AFS_SYSCALL2 */
+
+#ifdef AFS_SYSCALL3
+    if (try_one (AFS_SYSCALL3) == 0)
+	goto done;
+#endif /* AFS_SYSCALL3 */
+
+#ifdef _AIX
+#if 0
+    if (env != NULL) {
+	char *pos = NULL;
+	char *pioctl_name;
+	char *setpag_name;
+
+	pioctl_name = strtok_r (env, ", \t", &pos);
+	if (pioctl_name != NULL) {
+	    setpag_name = strtok_r (NULL, ", \t", &pos);
+	    if (setpag_name != NULL)
+		if (try_aix (pioctl_name, setpag_name) == 0)
+		    goto done;
+	}
+    }
+#endif
+
+    if(try_aix() == 0)
+	goto done;
+#endif
+
+done:
+#ifdef SIGSYS
+    signal(SIGSYS, saved_func);
+#endif
+#endif /* NO_AFS */
+    errno = saved_errno;
+    return afs_entry_point != NO_ENTRY_POINT;
+}
diff --git a/crypto/heimdal/lib/kafs/afssysdefs.h b/crypto/heimdal/lib/kafs/afssysdefs.h
new file mode 100644
index 0000000..800921f
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/afssysdefs.h
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: afssysdefs.h,v 1.24 2000/11/17 01:07:47 assar Exp $ */
+
+/*
+ * This section is for machines using single entry point AFS syscalls!
+ * and/or
+ * This section is for machines using multiple entry point AFS syscalls!
+ *
+ * SunOS 4 is an example of single entry point and sgi of multiple
+ * entry point syscalls.
+ */
+
+#if SunOS == 40
+#define AFS_SYSCALL	31
+#endif
+
+#if SunOS >= 50 && SunOS < 57
+#define AFS_SYSCALL	105
+#endif
+
+#if SunOS == 57
+#define AFS_SYSCALL	73
+#endif
+
+#if SunOS >= 58
+#define AFS_SYSCALL	65
+#endif
+
+#if defined(__hpux)
+#define AFS_SYSCALL	50
+#define AFS_SYSCALL2	49
+#define AFS_SYSCALL3	48
+#endif
+
+#if defined(_AIX)
+/* _AIX is too weird */
+#endif
+
+#if defined(__sgi)
+#define AFS_PIOCTL      (64+1000)
+#define AFS_SETPAG      (65+1000)
+#endif
+
+#if defined(__osf__)
+#define AFS_SYSCALL	232
+#define AFS_SYSCALL2	258
+#endif
+
+#if defined(__ultrix)
+#define AFS_SYSCALL	31
+#endif
+
+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
+#define AFS_SYSCALL 210
+#endif
+
+#ifdef __APPLE__		/* MacOS X */
+#define AFS_SYSCALL 230
+#endif
+
+#ifdef SYS_afs_syscall
+#define AFS_SYSCALL3	SYS_afs_syscall
+#endif
diff --git a/crypto/heimdal/lib/kafs/common.c b/crypto/heimdal/lib/kafs/common.c
new file mode 100644
index 0000000..207b9b6
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/common.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: common.c,v 1.19 1999/12/02 16:58:40 joda Exp $");
+
+#define AUTH_SUPERUSER "afs"
+
+/*
+ * Here only ASCII characters are relevant.
+ */
+
+#define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z')
+
+#define ToAsciiUpper(c) ((c) - 'a' + 'A')
+
+static void
+foldup(char *a, const char *b)
+{
+  for (; *b; a++, b++)
+    if (IsAsciiLower(*b))
+      *a = ToAsciiUpper(*b);
+    else
+      *a = *b;
+  *a = '\0';
+}
+
+int
+kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c)
+{
+    struct ViceIoctl parms;
+    struct ClearToken ct;
+    int32_t sizeof_x;
+    char buf[2048], *t;
+    int ret;
+    
+    /*
+     * Build a struct ClearToken
+     */
+    ct.AuthHandle = c->kvno;
+    memcpy (ct.HandShakeKey, c->session, sizeof(c->session));
+    ct.ViceId = uid;
+    ct.BeginTimestamp = c->issue_date;
+    ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime);
+    if(ct.EndTimestamp < time(NULL))
+	return 0; /* don't store tokens that has expired (and possibly
+		     overwriting valid tokens)*/
+
+#define ODD(x) ((x) & 1)
+    /* According to Transarc conventions ViceId is valid iff
+     * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime
+     * the transformations:
+     *
+     * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life)
+     * preserves the original values.
+     */
+    if (uid != 0)		/* valid ViceId */
+      {
+	if (!ODD(ct.EndTimestamp - ct.BeginTimestamp))
+	  ct.EndTimestamp--;
+      }
+    else			/* not valid ViceId */
+      {
+	if (ODD(ct.EndTimestamp - ct.BeginTimestamp))
+	  ct.EndTimestamp--;
+      }
+
+    t = buf;
+    /*
+     * length of secret token followed by secret token
+     */
+    sizeof_x = c->ticket_st.length;
+    memcpy(t, &sizeof_x, sizeof(sizeof_x));
+    t += sizeof(sizeof_x);
+    memcpy(t, c->ticket_st.dat, sizeof_x);
+    t += sizeof_x;
+    /*
+     * length of clear token followed by clear token
+     */
+    sizeof_x = sizeof(ct);
+    memcpy(t, &sizeof_x, sizeof(sizeof_x));
+    t += sizeof(sizeof_x);
+    memcpy(t, &ct, sizeof_x);
+    t += sizeof_x;
+
+    /*
+     * do *not* mark as primary cell
+     */
+    sizeof_x = 0;
+    memcpy(t, &sizeof_x, sizeof(sizeof_x));
+    t += sizeof(sizeof_x);
+    /*
+     * follow with cell name
+     */
+    sizeof_x = strlen(cell) + 1;
+    memcpy(t, cell, sizeof_x);
+    t += sizeof_x;
+
+    /*
+     * Build argument block
+     */
+    parms.in = buf;
+    parms.in_size = t - buf;
+    parms.out = 0;
+    parms.out_size = 0;
+    ret = k_pioctl(0, VIOCSETTOK, &parms, 0);
+    return ret;
+}
+
+/* Try to get a db-server for an AFS cell from a AFSDB record */
+
+static int
+dns_find_cell(const char *cell, char *dbserver, size_t len)
+{
+    struct dns_reply *r;
+    int ok = -1;
+    r = dns_lookup(cell, "afsdb");
+    if(r){
+	struct resource_record *rr = r->head;
+	while(rr){
+	    if(rr->type == T_AFSDB && rr->u.afsdb->preference == 1){
+		strlcpy(dbserver,
+				rr->u.afsdb->domain,
+				len);
+		ok = 0;
+		break;
+	    }
+	    rr = rr->next;
+	}
+	dns_free_data(r);
+    }
+    return ok;
+}
+
+
+/*
+ * Try to find the cells we should try to klog to in "file".
+ */
+static void
+find_cells(char *file, char ***cells, int *index)
+{
+    FILE *f;
+    char cell[64];
+    int i;
+    int ind = *index;
+
+    f = fopen(file, "r");
+    if (f == NULL)
+	return;
+    while (fgets(cell, sizeof(cell), f)) {
+	char *t;
+	t = cell + strlen(cell);
+	for (; t >= cell; t--)
+	  if (*t == '\n' || *t == '\t' || *t == ' ')
+	    *t = 0;
+	if (cell[0] == '\0' || cell[0] == '#')
+	    continue;
+	for(i = 0; i < ind; i++)
+	    if(strcmp((*cells)[i], cell) == 0)
+		break;
+	if(i == ind){
+	    char **tmp;
+
+	    tmp = realloc(*cells, (ind + 1) * sizeof(**cells));
+	    if (tmp == NULL)
+		break;
+	    *cells = tmp;
+	    (*cells)[ind] = strdup(cell);
+	    if ((*cells)[ind] == NULL)
+		break;
+	    ++ind;
+	}
+    }
+    fclose(f);
+    *index = ind;
+}
+
+/*
+ * Get tokens for all cells[]
+ */
+static int
+afslog_cells(kafs_data *data, char **cells, int max, uid_t uid,
+	     const char *homedir)
+{
+    int ret = 0;
+    int i;
+    for (i = 0; i < max; i++) {
+        int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir);
+	if (er)
+	    ret = er;
+    }
+    return ret;
+}
+
+int
+_kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir)
+{
+    int ret;
+    char **cells = NULL;
+    int index = 0;
+
+    if (homedir == NULL)
+	homedir = getenv("HOME");
+    if (homedir != NULL) {
+	char home[MaxPathLen];
+	snprintf(home, sizeof(home), "%s/.TheseCells", homedir);
+	find_cells(home, &cells, &index);
+    }
+    find_cells(_PATH_THESECELLS, &cells, &index);
+    find_cells(_PATH_THISCELL, &cells, &index);
+    find_cells(_PATH_ARLA_THESECELLS, &cells, &index);
+    find_cells(_PATH_ARLA_THISCELL, &cells, &index);
+    
+    ret = afslog_cells(data, cells, index, uid, homedir);
+    while(index > 0)
+	free(cells[--index]);
+    free(cells);
+    return ret;
+}
+
+
+/* Find the realm associated with cell. Do this by opening
+   /usr/vice/etc/CellServDB and getting the realm-of-host for the
+   first VL-server for the cell.
+
+   This does not work when the VL-server is living in one realm, but
+   the cell it is serving is living in another realm.
+
+   Return 0 on success, -1 otherwise.
+   */
+
+int
+_kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm)
+{
+    FILE *F;
+    char buf[1024];
+    char *p;
+    int ret = -1;
+
+    if ((F = fopen(_PATH_CELLSERVDB, "r"))
+	|| (F = fopen(_PATH_ARLA_CELLSERVDB, "r"))) {
+	while (fgets(buf, sizeof(buf), F)) {
+	    if (buf[0] != '>')
+		continue; /* Not a cell name line, try next line */
+	    if (strncmp(buf + 1, cell, strlen(cell)) == 0) {
+		/*
+		 * We found the cell name we're looking for.
+		 * Read next line on the form ip-address '#' hostname
+		 */
+		if (fgets(buf, sizeof(buf), F) == NULL)
+		    break;	/* Read failed, give up */
+		p = strchr(buf, '#');
+		if (p == NULL)
+		    break;	/* No '#', give up */
+		p++;
+		if (buf[strlen(buf) - 1] == '\n')
+		    buf[strlen(buf) - 1] = '\0';
+		*realm = (*data->get_realm)(data, p);
+		if (*realm && **realm != '\0')
+		    ret = 0;
+		break;		/* Won't try any more */
+	    }
+	}
+	fclose(F);
+    }
+    if (*realm == NULL && dns_find_cell(cell, buf, sizeof(buf)) == 0) {
+	*realm = strdup(krb_realmofhost(buf));
+	if(*realm != NULL)
+	    ret = 0;
+    }
+    return ret;
+}
+
+int
+_kafs_get_cred(kafs_data *data,
+	      const char *cell, 
+	      const char *realm_hint,
+	      const char *realm,
+	      CREDENTIALS *c)
+{
+    int ret = -1;
+    char *vl_realm;
+    char CELL[64];
+
+    /* We're about to find the the realm that holds the key for afs in
+     * the specified cell. The problem is that null-instance
+     * afs-principals are common and that hitting the wrong realm might
+     * yield the wrong afs key. The following assumptions were made.
+     *
+     * Any realm passed to us is preferred.
+     *
+     * If there is a realm with the same name as the cell, it is most
+     * likely the correct realm to talk to.
+     *
+     * In most (maybe even all) cases the database servers of the cell
+     * will live in the realm we are looking for.
+     *
+     * Try the local realm, but if the previous cases fail, this is
+     * really a long shot.
+     *
+     */
+  
+    /* comments on the ordering of these tests */
+
+    /* If the user passes a realm, she probably knows something we don't
+     * know and we should try afs@realm_hint (otherwise we're talking with a
+     * blondino and she might as well have it.)
+     */
+  
+    if (realm_hint) {
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm_hint, c);
+	if (ret == 0) return 0;
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm_hint, c);
+	if (ret == 0) return 0;
+    }
+
+    foldup(CELL, cell);
+
+    /*
+     * If cell == realm we don't need no cross-cell authentication.
+     * Try afs@REALM.
+     */
+    if (strcmp(CELL, realm) == 0) {
+        ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm, c);
+	if (ret == 0) return 0;
+	/* Try afs.cell@REALM below. */
+    }
+
+    /*
+     * If the AFS servers have a file /usr/afs/etc/krb.conf containing
+     * REALM we still don't have to resort to cross-cell authentication.
+     * Try afs.cell@REALM.
+     */
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm, c);
+    if (ret == 0) return 0;
+
+    /*
+     * We failed to get ``first class tickets'' for afs,
+     * fall back to cross-cell authentication.
+     * Try afs@CELL.
+     * Try afs.cell@CELL.
+     */
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c);
+    if (ret == 0) return 0;
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c);
+    if (ret == 0) return 0;
+
+    /*
+     * Perhaps the cell doesn't correspond to any realm?
+     * Use realm of first volume location DB server.
+     * Try afs.cell@VL_REALM.
+     * Try afs@VL_REALM???
+     */
+    if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0
+	&& strcmp(vl_realm, realm) != 0
+	&& strcmp(vl_realm, CELL) != 0) {
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c);
+	if (ret)
+	    ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c);
+	free(vl_realm);
+	if (ret == 0) return 0;
+    }
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/kafs/dlfcn.c b/crypto/heimdal/lib/kafs/dlfcn.c
new file mode 100644
index 0000000..728cf5c
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/dlfcn.c
@@ -0,0 +1,581 @@
+/*
+ * @(#)dlfcn.c	1.11 revision of 96/04/10  20:12:51
+ * This is an unpublished work copyright (c) 1992 HELIOS Software GmbH
+ * 30159 Hannover, Germany
+ */
+
+/*
+ * Changes marked with `--jwe' were made on April 7 1996 by John W. Eaton
+ * <jwe@bevo.che.wisc.edu> to support g++ and/or use with Octave.
+ */
+
+/*
+ * This makes my life easier with Octave.  --jwe
+ */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/ldr.h>
+#include <a.out.h>
+#include <ldfcn.h>
+#include "dlfcn.h"
+
+/*
+ * We simulate dlopen() et al. through a call to load. Because AIX has
+ * no call to find an exported symbol we read the loader section of the
+ * loaded module and build a list of exported symbols and their virtual
+ * address.
+ */
+
+typedef struct {
+	char		*name;		/* the symbols's name */
+	void		*addr;		/* its relocated virtual address */
+} Export, *ExportPtr;
+
+/*
+ * xlC uses the following structure to list its constructors and
+ * destructors. This is gleaned from the output of munch.
+ */
+typedef struct {
+	void (*init)(void);		/* call static constructors */
+	void (*term)(void);		/* call static destructors */
+} Cdtor, *CdtorPtr;
+
+typedef void (*GccCDtorPtr)(void);
+
+/*
+ * The void * handle returned from dlopen is actually a ModulePtr.
+ */
+typedef struct Module {
+	struct Module	*next;
+	char		*name;		/* module name for refcounting */
+	int		refCnt;		/* the number of references */
+	void		*entry;		/* entry point from load */
+	struct dl_info	*info;		/* optional init/terminate functions */
+	CdtorPtr	cdtors;		/* optional C++ constructors */
+	GccCDtorPtr	gcc_ctor;	/* g++ constructors  --jwe */
+	GccCDtorPtr	gcc_dtor;	/* g++ destructors  --jwe */
+	int		nExports;	/* the number of exports found */
+	ExportPtr	exports;	/* the array of exports */
+} Module, *ModulePtr;
+
+/*
+ * We keep a list of all loaded modules to be able to call the fini
+ * handlers and destructors at atexit() time.
+ */
+static ModulePtr modList;
+
+/*
+ * The last error from one of the dl* routines is kept in static
+ * variables here. Each error is returned only once to the caller.
+ */
+static char errbuf[BUFSIZ];
+static int errvalid;
+
+/*
+ * The `fixed' gcc header files on AIX 3.2.5 provide a prototype for
+ * strdup().  --jwe
+ */
+#ifndef HAVE_STRDUP
+extern char *strdup(const char *);
+#endif
+static void caterr(char *);
+static int readExports(ModulePtr);
+static void terminate(void);
+static void *findMain(void);
+
+void *dlopen(const char *path, int mode)
+{
+	ModulePtr mp;
+	static void *mainModule;
+
+	/*
+	 * Upon the first call register a terminate handler that will
+	 * close all libraries. Also get a reference to the main module
+	 * for use with loadbind.
+	 */
+	if (!mainModule) {
+		if ((mainModule = findMain()) == NULL)
+			return NULL;
+		atexit(terminate);
+	}
+	/*
+	 * Scan the list of modules if we have the module already loaded.
+	 */
+	for (mp = modList; mp; mp = mp->next)
+		if (strcmp(mp->name, path) == 0) {
+			mp->refCnt++;
+			return mp;
+		}
+	if ((mp = (ModulePtr)calloc(1, sizeof(*mp))) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf), "calloc: %s", strerror(errno));
+		return NULL;
+	}
+	if ((mp->name = strdup(path)) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf), "strdup: %s", strerror(errno));
+		free(mp);
+		return NULL;
+	}
+	/*
+	 * load should be declared load(const char *...). Thus we
+	 * cast the path to a normal char *. Ugly.
+	 */
+	if ((mp->entry = (void *)load((char *)path, L_NOAUTODEFER, NULL)) == NULL) {
+		free(mp->name);
+		free(mp);
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "dlopen: %s: ", path);
+		/*
+		 * If AIX says the file is not executable, the error
+		 * can be further described by querying the loader about
+		 * the last error.
+		 */
+		if (errno == ENOEXEC) {
+			char *tmp[BUFSIZ/sizeof(char *)];
+			if (loadquery(L_GETMESSAGES, tmp, sizeof(tmp)) == -1)
+				strlcpy(errbuf,
+						strerror(errno),
+						sizeof(errbuf));
+			else {
+				char **p;
+				for (p = tmp; *p; p++)
+					caterr(*p);
+			}
+		} else
+			strlcat(errbuf,
+					strerror(errno),
+					sizeof(errbuf));
+		return NULL;
+	}
+	mp->refCnt = 1;
+	mp->next = modList;
+	modList = mp;
+	if (loadbind(0, mainModule, mp->entry) == -1) {
+		dlclose(mp);
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "loadbind: %s", strerror(errno));
+		return NULL;
+	}
+	/*
+	 * If the user wants global binding, loadbind against all other
+	 * loaded modules.
+	 */
+	if (mode & RTLD_GLOBAL) {
+		ModulePtr mp1;
+		for (mp1 = mp->next; mp1; mp1 = mp1->next)
+			if (loadbind(0, mp1->entry, mp->entry) == -1) {
+				dlclose(mp);
+				errvalid++;
+				snprintf (errbuf, sizeof(errbuf),
+					  "loadbind: %s",
+					  strerror(errno));
+				return NULL;
+			}
+	}
+	if (readExports(mp) == -1) {
+		dlclose(mp);
+		return NULL;
+	}
+	/*
+	 * If there is a dl_info structure, call the init function.
+	 */
+	if (mp->info = (struct dl_info *)dlsym(mp, "dl_info")) {
+		if (mp->info->init)
+			(*mp->info->init)();
+	} else
+		errvalid = 0;
+	/*
+	 * If the shared object was compiled using xlC we will need
+	 * to call static constructors (and later on dlclose destructors).
+	 */
+	if (mp->cdtors = (CdtorPtr)dlsym(mp, "__cdtors")) {
+		CdtorPtr cp = mp->cdtors;
+		while (cp->init || cp->term) {
+			if (cp->init && cp->init != (void (*)(void))0xffffffff)
+				(*cp->init)();
+			cp++;
+		}
+	/*
+	 * If the shared object was compiled using g++, we will need
+	 * to call global constructors using the _GLOBAL__DI function,
+	 * and later, global destructors using the _GLOBAL_DD
+	 * funciton.  --jwe
+	 */
+	} else if (mp->gcc_ctor = (GccCDtorPtr)dlsym(mp, "_GLOBAL__DI")) {
+		(*mp->gcc_ctor)();
+		mp->gcc_dtor = (GccCDtorPtr)dlsym(mp, "_GLOBAL__DD"); 
+	} else
+		errvalid = 0;
+	return mp;
+}
+
+/*
+ * Attempt to decipher an AIX loader error message and append it
+ * to our static error message buffer.
+ */
+static void caterr(char *s)
+{
+	char *p = s;
+
+	while (*p >= '0' && *p <= '9')
+		p++;
+	switch(atoi(s)) {
+	case L_ERROR_TOOMANY:
+		strlcat(errbuf, "to many errors", sizeof(errbuf));
+		break;
+	case L_ERROR_NOLIB:
+		strlcat(errbuf, "can't load library", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_UNDEF:
+		strlcat(errbuf, "can't find symbol", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_RLDBAD:
+		strlcat(errbuf, "bad RLD", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_FORMAT:
+		strlcat(errbuf, "bad exec format in", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_ERRNO:
+		strlcat(errbuf, strerror(atoi(++p)), sizeof(errbuf));
+		break;
+	default:
+		strlcat(errbuf, s, sizeof(errbuf));
+		break;
+	}
+}
+
+void *dlsym(void *handle, const char *symbol)
+{
+	ModulePtr mp = (ModulePtr)handle;
+	ExportPtr ep;
+	int i;
+
+	/*
+	 * Could speed up the search, but I assume that one assigns
+	 * the result to function pointers anyways.
+	 */
+	for (ep = mp->exports, i = mp->nExports; i; i--, ep++)
+		if (strcmp(ep->name, symbol) == 0)
+			return ep->addr;
+	errvalid++;
+	snprintf (errbuf, sizeof(errbuf),
+		  "dlsym: undefined symbol %s", symbol);		  
+	return NULL;
+}
+
+char *dlerror(void)
+{
+	if (errvalid) {
+		errvalid = 0;
+		return errbuf;
+	}
+	return NULL;
+}
+
+int dlclose(void *handle)
+{
+	ModulePtr mp = (ModulePtr)handle;
+	int result;
+	ModulePtr mp1;
+
+	if (--mp->refCnt > 0)
+		return 0;
+	if (mp->info && mp->info->fini)
+		(*mp->info->fini)();
+	if (mp->cdtors) {
+		CdtorPtr cp = mp->cdtors;
+		while (cp->init || cp->term) {
+			if (cp->term && cp->init != (void (*)(void))0xffffffff)
+				(*cp->term)();
+			cp++;
+		}
+	/*
+	 * If the function to handle global destructors for g++
+	 * exists, call it.  --jwe
+	 */
+	} else if (mp->gcc_dtor) {
+	        (*mp->gcc_dtor)();
+	}
+	result = unload(mp->entry);
+	if (result == -1) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "%s", strerror(errno));
+	}
+	if (mp->exports) {
+		ExportPtr ep;
+		int i;
+		for (ep = mp->exports, i = mp->nExports; i; i--, ep++)
+			if (ep->name)
+				free(ep->name);
+		free(mp->exports);
+	}
+	if (mp == modList)
+		modList = mp->next;
+	else {
+		for (mp1 = modList; mp1; mp1 = mp1->next)
+			if (mp1->next == mp) {
+				mp1->next = mp->next;
+				break;
+			}
+	}
+	free(mp->name);
+	free(mp);
+	return result;
+}
+
+static void terminate(void)
+{
+	while (modList)
+		dlclose(modList);
+}
+
+/*
+ * Build the export table from the XCOFF .loader section.
+ */
+static int readExports(ModulePtr mp)
+{
+	LDFILE *ldp = NULL;
+	SCNHDR sh, shdata;
+	LDHDR *lhp;
+	char *ldbuf;
+	LDSYM *ls;
+	int i;
+	ExportPtr ep;
+
+	if ((ldp = ldopen(mp->name, ldp)) == NULL) {
+		struct ld_info *lp;
+		char *buf;
+		int size = 4*1024;
+		if (errno != ENOENT) {
+			errvalid++;
+			snprintf(errbuf, sizeof(errbuf),
+				 "readExports: %s",
+				 strerror(errno));
+			return -1;
+		}
+		/*
+		 * The module might be loaded due to the LIBPATH
+		 * environment variable. Search for the loaded
+		 * module using L_GETINFO.
+		 */
+		if ((buf = malloc(size)) == NULL) {
+			errvalid++;
+			snprintf(errbuf, sizeof(errbuf),
+				 "readExports: %s",
+				 strerror(errno));
+			return -1;
+		}
+		while ((i = loadquery(L_GETINFO, buf, size)) == -1 && errno == ENOMEM) {
+			free(buf);
+			size += 4*1024;
+			if ((buf = malloc(size)) == NULL) {
+				errvalid++;
+				snprintf(errbuf, sizeof(errbuf),
+					 "readExports: %s",
+					 strerror(errno));
+				return -1;
+			}
+		}
+		if (i == -1) {
+			errvalid++;
+			snprintf(errbuf, sizeof(errbuf),
+				 "readExports: %s",
+				 strerror(errno));
+			free(buf);
+			return -1;
+		}
+		/*
+		 * Traverse the list of loaded modules. The entry point
+		 * returned by load() does actually point to the data
+		 * segment origin.
+		 */
+		lp = (struct ld_info *)buf;
+		while (lp) {
+			if (lp->ldinfo_dataorg == mp->entry) {
+				ldp = ldopen(lp->ldinfo_filename, ldp);
+				break;
+			}
+			if (lp->ldinfo_next == 0)
+				lp = NULL;
+			else
+				lp = (struct ld_info *)((char *)lp + lp->ldinfo_next);
+		}
+		free(buf);
+		if (!ldp) {
+			errvalid++;
+			snprintf (errbuf, sizeof(errbuf),
+				  "readExports: %s", strerror(errno));
+			return -1;
+		}
+	}
+	if (TYPE(ldp) != U802TOCMAGIC) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf), "readExports: bad magic");
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	/*
+	 * Get the padding for the data section. This is needed for
+	 * AIX 4.1 compilers. This is used when building the final
+	 * function pointer to the exported symbol.
+	 */
+	if (ldnshread(ldp, _DATA, &shdata) != SUCCESS) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot read data section header");
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	if (ldnshread(ldp, _LOADER, &sh) != SUCCESS) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot read loader section header");
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	/*
+	 * We read the complete loader section in one chunk, this makes
+	 * finding long symbol names residing in the string table easier.
+	 */
+	if ((ldbuf = (char *)malloc(sh.s_size)) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "readExports: %s", strerror(errno));
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	if (FSEEK(ldp, sh.s_scnptr, BEGINNING) != OKFSEEK) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot seek to loader section");
+		free(ldbuf);
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	if (FREAD(ldbuf, sh.s_size, 1, ldp) != 1) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot read loader section");
+		free(ldbuf);
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	lhp = (LDHDR *)ldbuf;
+	ls = (LDSYM *)(ldbuf+LDHDRSZ);
+	/*
+	 * Count the number of exports to include in our export table.
+	 */
+	for (i = lhp->l_nsyms; i; i--, ls++) {
+		if (!LDR_EXPORT(*ls))
+			continue;
+		mp->nExports++;
+	}
+	if ((mp->exports = (ExportPtr)calloc(mp->nExports, sizeof(*mp->exports))) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "readExports: %s", strerror(errno));
+		free(ldbuf);
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	/*
+	 * Fill in the export table. All entries are relative to
+	 * the entry point we got from load.
+	 */
+	ep = mp->exports;
+	ls = (LDSYM *)(ldbuf+LDHDRSZ);
+	for (i = lhp->l_nsyms; i; i--, ls++) {
+		char *symname;
+		char tmpsym[SYMNMLEN+1];
+		if (!LDR_EXPORT(*ls))
+			continue;
+		if (ls->l_zeroes == 0)
+			symname = ls->l_offset+lhp->l_stoff+ldbuf;
+		else {
+			/*
+			 * The l_name member is not zero terminated, we
+			 * must copy the first SYMNMLEN chars and make
+			 * sure we have a zero byte at the end.
+			 */
+		        strlcpy (tmpsym, ls->l_name,
+					 SYMNMLEN + 1);
+			symname = tmpsym;
+		}
+		ep->name = strdup(symname);
+		ep->addr = (void *)((unsigned long)mp->entry +
+					ls->l_value - shdata.s_vaddr);
+		ep++;
+	}
+	free(ldbuf);
+	while(ldclose(ldp) == FAILURE)
+		;
+	return 0;
+}
+
+/*
+ * Find the main modules entry point. This is used as export pointer
+ * for loadbind() to be able to resolve references to the main part.
+ */
+static void * findMain(void)
+{
+	struct ld_info *lp;
+	char *buf;
+	int size = 4*1024;
+	int i;
+	void *ret;
+
+	if ((buf = malloc(size)) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "findMail: %s", strerror(errno));
+		return NULL;
+	}
+	while ((i = loadquery(L_GETINFO, buf, size)) == -1 && errno == ENOMEM) {
+		free(buf);
+		size += 4*1024;
+		if ((buf = malloc(size)) == NULL) {
+			errvalid++;
+			snprintf (errbuf, sizeof(errbuf),
+				  "findMail: %s", strerror(errno));
+			return NULL;
+		}
+	}
+	if (i == -1) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "findMail: %s", strerror(errno));
+		free(buf);
+		return NULL;
+	}
+	/*
+	 * The first entry is the main module. The entry point
+	 * returned by load() does actually point to the data
+	 * segment origin.
+	 */
+	lp = (struct ld_info *)buf;
+	ret = lp->ldinfo_dataorg;
+	free(buf);
+	return ret;
+}
diff --git a/crypto/heimdal/lib/kafs/dlfcn.h b/crypto/heimdal/lib/kafs/dlfcn.h
new file mode 100644
index 0000000..5671e9c
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/dlfcn.h
@@ -0,0 +1,46 @@
+/*
+ * @(#)dlfcn.h	1.4 revision of 95/04/25  09:36:52
+ * This is an unpublished work copyright (c) 1992 HELIOS Software GmbH
+ * 30159 Hannover, Germany
+ */
+
+#ifndef __dlfcn_h__
+#define __dlfcn_h__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Mode flags for the dlopen routine.
+ */
+#define RTLD_LAZY	1	/* lazy function call binding */
+#define RTLD_NOW	2	/* immediate function call binding */
+#define RTLD_GLOBAL	0x100	/* allow symbols to be global */
+
+/*
+ * To be able to intialize, a library may provide a dl_info structure
+ * that contains functions to be called to initialize and terminate.
+ */
+struct dl_info {
+	void (*init)(void);
+	void (*fini)(void);
+};
+
+#if __STDC__ || defined(_IBMR2)
+void *dlopen(const char *path, int mode);
+void *dlsym(void *handle, const char *symbol);
+char *dlerror(void);
+int dlclose(void *handle);
+#else
+void *dlopen();
+void *dlsym();
+char *dlerror();
+int dlclose();
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __dlfcn_h__ */
diff --git a/crypto/heimdal/lib/kafs/kafs.3 b/crypto/heimdal/lib/kafs/kafs.3
new file mode 100644
index 0000000..0b6b050
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/kafs.3
@@ -0,0 +1,157 @@
+.\"	$Id: kafs.3,v 1.4 2001/01/11 16:16:29 assar Exp $
+.\"
+.Dd May 7, 1997
+.Os KTH-KRB
+.Dt KAFS 3
+.Sh NAME
+.Nm k_hasafs ,
+.Nm k_pioctl ,
+.Nm k_unlog ,
+.Nm k_setpag ,
+.Nm k_afs_cell_of_file ,
+.Nm krb_afslog ,
+.Nm krb_afslog_uid
+.\" .Nm krb5_afslog ,
+.\" .Nm krb5_afslog_uid
+.Nd AFS library
+.Sh SYNOPSIS
+.Fd #include <kafs.h>
+.Ft int
+.Fn k_afs_cell_of_file "const char *path" "char *cell" "int len"
+.Ft int
+.Fn k_hasafs
+.Ft int
+.Fn k_pioctl "char *a_path" "int o_opcode" "struct ViceIoctl *a_paramsP" "int a_followSymlinks"
+.Ft int
+.Fn k_setpag
+.Ft int
+.Fn k_unlog
+.Ft int
+.Fn krb_afslog "char *cell" "char *realm"
+.Ft int
+.Fn krb_afslog_uid "char *cell" "char *realm" "uid_t uid"
+.\" .Ft krb5_error_code
+.\" .Fn krb5_afslog_uid "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" "uid_t uid"
+.\" .Ft krb5_error_code
+.\" .Fn krb5_afslog "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm"
+.Sh DESCRIPTION
+.Fn k_hasafs
+initializes some library internal structures, and tests for the
+presense of AFS in the kernel, none of the other functions should be
+called before 
+.Fn k_hasafs
+is called, or if it fails.
+.Pp
+.Fn krb_afslog ,
+and
+.Fn krb_afslog_uid
+obtains new tokens (and possibly tickets) for the specified
+.Fa cell
+and
+.Fa realm .
+If 
+.Fa cell
+is 
+.Dv NULL ,
+the local cell is used. If 
+.Fa realm 
+is
+.Dv NULL ,
+the function tries to guess what realm to use. Unless you  have some good knowledge of what cell or realm to use, you should pass
+.Dv NULL . 
+.Fn krb_afslog 
+will use the real user-id for the
+.Dv ViceId
+field in the token, 
+.Fn krb_afslog_uid
+will use
+.Fa uid .
+.Pp
+.\" .Fn krb5_afslog ,
+.\" and 
+.\" .Fn krb5_afslog_uid
+.\" are the Kerberos 5 equivalents of
+.\" .Fn krb_afslog ,
+.\" and
+.\" .Fn krb_afslog_uid .
+.\" The extra arguments are the ubiquitous context, and the cache id where
+.\" to store any obtained tickets. Since AFS servers normally can't handle
+.\" Kerberos 5 tickets directly, these functions will first obtain version
+.\" 5 tickets for the requested cells, and then convert them to version 4
+.\" tickets, that can be stashed in the kernel. To convert tickets the
+.\" .Fn krb524_convert_creds_kdc
+.\" function will be used.
+.\" .Pp
+.Fn k_afs_cell_of_file
+will in 
+.Fa cell
+return the cell of a specified file, no more than
+.Fa len
+characters is put in 
+.Fa cell .
+.Pp
+.Fn k_pioctl
+does a 
+.Fn pioctl
+syscall with the specified arguments. This function is equivalent to
+.Fn lpioctl .
+.Pp
+.Fn k_setpag
+initializes a new PAG.
+.Pp
+.Fn k_unlog
+removes destroys all tokens in the current PAG.
+.Sh ENVIRONMENT
+The following environment variable affect the mode of operation of
+.Nm kafs :
+.Bl -tag -width AFS_SYSCALL
+.It Ev AFS_SYSCALL
+Normally,
+.Nm kafs
+will try to figure out the correct system call(s) that are used by AFS
+by itself.  If it does not manage to do that, or does it incorrectly,
+you can set this variable to the system call number or list of system
+call numbers that should be used.
+.El
+.Sh RETURN VALUES
+.Fn k_hasafs
+returns 1 if AFS is present in the kernel, 0 otherwise.
+.Fn krb_afslog
+and
+.Fn krb_afslog_uid
+returns 0 on success, or a kerberos error number on failure.
+.Fn k_afs_cell_of_file ,
+.Fn k_pioctl , 
+.Fn k_setpag ,
+and
+.Fn k_unlog
+all return the value of the underlaying system call, 0 on success.
+.Sh EXAMPLES
+The following code from
+.Nm login 
+will obtain a new PAG and tokens for the local cell and the cell of
+the users home directory.
+.Bd -literal
+if (k_hasafs()) {
+	char cell[64];
+	k_setpag();
+	if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0)
+		krb_afslog(cell, NULL);
+	krb_afslog(NULL, NULL);
+}
+.Ed
+.Sh ERRORS
+If any of these functions (appart from 
+.Fn k_hasafs )
+is called without AFS beeing present in the kernel, the process will
+usually (depending on the operating system) receive a SIGSYS signal.
+.Sh SEE ALSO
+.Rs
+.%A Transarc Corporation
+.%J AFS-3 Programmer's Reference
+.%T File Server/Cache Manager Interface
+.%D 1991
+.Re
+.Sh BUGS
+.Ev AFS_SYSCALL
+has no effect under AIX.
diff --git a/crypto/heimdal/lib/kafs/kafs.cat3 b/crypto/heimdal/lib/kafs/kafs.cat3
new file mode 100644
index 0000000..78f5bd5
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/kafs.cat3
@@ -0,0 +1,95 @@
+
+KAFS(3)                    UNIX Programmer's Manual                    KAFS(3)
+
+NNAAMMEE
+     kk__hhaassaaffss, kk__ppiiooccttll, kk__uunnlloogg, kk__sseettppaagg, kk__aaffss__cceellll__ooff__ffiillee, kkrrbb__aaffsslloogg,
+     kkrrbb__aaffsslloogg__uuiidd - AFS library
+
+SSYYNNOOPPSSIISS
+     ##iinncclluuddee <<kkaaffss..hh>>
+
+     _i_n_t
+     kk__aaffss__cceellll__ooff__ffiillee(_c_o_n_s_t _c_h_a_r _*_p_a_t_h, _c_h_a_r _*_c_e_l_l, _i_n_t _l_e_n)
+
+     _i_n_t
+     kk__hhaassaaffss()
+
+     _i_n_t
+     kk__ppiiooccttll(_c_h_a_r _*_a___p_a_t_h, _i_n_t _o___o_p_c_o_d_e, _s_t_r_u_c_t _V_i_c_e_I_o_c_t_l _*_a___p_a_r_a_m_s_P,
+             _i_n_t _a___f_o_l_l_o_w_S_y_m_l_i_n_k_s)
+
+     _i_n_t
+     kk__sseettppaagg()
+
+     _i_n_t
+     kk__uunnlloogg()
+
+     _i_n_t
+     kkrrbb__aaffsslloogg(_c_h_a_r _*_c_e_l_l, _c_h_a_r _*_r_e_a_l_m)
+
+     _i_n_t
+     kkrrbb__aaffsslloogg__uuiidd(_c_h_a_r _*_c_e_l_l, _c_h_a_r _*_r_e_a_l_m, _u_i_d___t _u_i_d)
+
+DDEESSCCRRIIPPTTIIOONN
+     kk__hhaassaaffss() initializes some library internal structures, and tests for
+     the presense of AFS in the kernel, none of the other functions should be
+     called before kk__hhaassaaffss() is called, or if it fails.
+
+     kkrrbb__aaffsslloogg(), and kkrrbb__aaffsslloogg__uuiidd() obtains new tokens (and possibly tick-
+     ets) for the specified _c_e_l_l and _r_e_a_l_m. If _c_e_l_l is NULL, the local cell is
+     used. If _r_e_a_l_m is NULL, the function tries to guess what realm to use.
+     Unless you  have some good knowledge of what cell or realm to use, you
+     should pass NULL. kkrrbb__aaffsslloogg() will use the real user-id for the ViceId
+     field in the token, kkrrbb__aaffsslloogg__uuiidd() will use _u_i_d.
+
+     kk__aaffss__cceellll__ooff__ffiillee() will in _c_e_l_l return the cell of a specified file, no
+     more than _l_e_n characters is put in _c_e_l_l.
+
+     kk__ppiiooccttll() does a ppiiooccttll() syscall with the specified arguments. This
+     function is equivalent to llppiiooccttll().
+
+     kk__sseettppaagg() initializes a new PAG.
+
+     kk__uunnlloogg() removes destroys all tokens in the current PAG.
+
+EENNVVIIRROONNMMEENNTT
+     The following environment variable affect the mode of operation of kkaaffss:
+
+     AFS_SYSCALL  Normally, kkaaffss will try to figure out the correct system
+                  call(s) that are used by AFS by itself.  If it does not man-
+                  age to do that, or does it incorrectly, you can set this
+                  variable to the system call number or list of system call
+                  numbers that should be used.
+
+RREETTUURRNN VVAALLUUEESS
+     kk__hhaassaaffss() returns 1 if AFS is present in the kernel, 0 otherwise.
+     kkrrbb__aaffsslloogg() and kkrrbb__aaffsslloogg__uuiidd() returns 0 on success, or a kerberos er-
+     ror number on failure.  kk__aaffss__cceellll__ooff__ffiillee(), kk__ppiiooccttll(), kk__sseettppaagg(), and
+     kk__uunnlloogg() all return the value of the underlaying system call, 0 on suc-
+     cess.
+
+EEXXAAMMPPLLEESS
+     The following code from llooggiinn will obtain a new PAG and tokens for the
+     local cell and the cell of the users home directory.
+
+     if (k_hasafs()) {
+             char cell[64];
+             k_setpag();
+             if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0)
+                     krb_afslog(cell, NULL);
+             krb_afslog(NULL, NULL);
+     }
+
+EERRRROORRSS
+     If any of these functions (appart from kk__hhaassaaffss()) is called without AFS
+     beeing present in the kernel, the process will usually (depending on the
+     operating system) receive a SIGSYS signal.
+
+SSEEEE AALLSSOO
+     Transarc Corporation, "File Server/Cache Manager Interface", _A_F_S_-_3
+     _P_r_o_g_r_a_m_m_e_r_'_s _R_e_f_e_r_e_n_c_e, 1991.
+
+BBUUGGSS
+     AFS_SYSCALL has no effect under AIX.
+
+ KTH-KRB                          May 7, 1997                                2
diff --git a/crypto/heimdal/lib/kafs/kafs.h b/crypto/heimdal/lib/kafs/kafs.h
new file mode 100644
index 0000000..0fb969e
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/kafs.h
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kafs.h,v 1.32 1999/12/02 16:58:40 joda Exp $ */
+
+#ifndef __KAFS_H
+#define __KAFS_H
+
+/* XXX must include krb5.h or krb.h */
+
+/* sys/ioctl.h must be included manually before kafs.h */
+
+/*
+ */
+#define AFSCALL_PIOCTL 20
+#define AFSCALL_SETPAG 21
+
+#ifndef _VICEIOCTL
+#define _VICEIOCTL(id)  ((unsigned int ) _IOW('V', id, struct ViceIoctl))
+#endif /* _VICEIOCTL */
+
+#define VIOCSETAL		_VICEIOCTL(1)
+#define VIOCGETAL		_VICEIOCTL(2)
+#define VIOCSETTOK		_VICEIOCTL(3)
+#define VIOCGETVOLSTAT		_VICEIOCTL(4)
+#define VIOCSETVOLSTAT		_VICEIOCTL(5)
+#define VIOCFLUSH		_VICEIOCTL(6)
+#define VIOCGETTOK		_VICEIOCTL(8)
+#define VIOCUNLOG		_VICEIOCTL(9)
+#define VIOCCKSERV		_VICEIOCTL(10)
+#define VIOCCKBACK		_VICEIOCTL(11)
+#define VIOCCKCONN		_VICEIOCTL(12)
+#define VIOCWHEREIS		_VICEIOCTL(14)
+#define VIOCACCESS		_VICEIOCTL(20)
+#define VIOCUNPAG		_VICEIOCTL(21)
+#define VIOCGETFID		_VICEIOCTL(22)
+#define VIOCSETCACHESIZE	_VICEIOCTL(24)
+#define VIOCFLUSHCB		_VICEIOCTL(25)
+#define VIOCNEWCELL		_VICEIOCTL(26)
+#define VIOCGETCELL		_VICEIOCTL(27)
+#define VIOC_AFS_DELETE_MT_PT	_VICEIOCTL(28)
+#define VIOC_AFS_STAT_MT_PT	_VICEIOCTL(29)
+#define VIOC_FILE_CELL_NAME	_VICEIOCTL(30)
+#define VIOC_GET_WS_CELL	_VICEIOCTL(31)
+#define VIOC_AFS_MARINER_HOST	_VICEIOCTL(32)
+#define VIOC_GET_PRIMARY_CELL	_VICEIOCTL(33)
+#define VIOC_VENUSLOG		_VICEIOCTL(34)
+#define VIOC_GETCELLSTATUS	_VICEIOCTL(35)
+#define VIOC_SETCELLSTATUS	_VICEIOCTL(36)
+#define VIOC_FLUSHVOLUME	_VICEIOCTL(37)
+#define VIOC_AFS_SYSNAME	_VICEIOCTL(38)
+#define VIOC_EXPORTAFS		_VICEIOCTL(39)
+#define VIOCGETCACHEPARAMS	_VICEIOCTL(40)
+#define VIOC_GCPAGS		_VICEIOCTL(48) 
+
+struct ViceIoctl {
+  caddr_t in, out;
+  short in_size;
+  short out_size;
+};
+
+struct ClearToken {
+  int32_t AuthHandle;
+  char HandShakeKey[8];
+  int32_t ViceId;
+  int32_t BeginTimestamp;
+  int32_t EndTimestamp;
+};
+
+#ifdef __STDC__
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+/* Use k_hasafs() to probe if the machine supports AFS syscalls.
+   The other functions will generate a SIGSYS if AFS is not supported */
+
+int k_hasafs __P((void));
+
+int krb_afslog __P((const char *cell, const char *realm));
+int krb_afslog_uid __P((const char *cell, const char *realm, uid_t uid));
+int krb_afslog_home __P((const char *cell, const char *realm,
+			 const char *homedir));
+int krb_afslog_uid_home __P((const char *cell, const char *realm, uid_t uid,
+			     const char *homedir));
+
+int krb_realm_of_cell __P((const char *cell, char **realm));
+
+/* compat */
+#define k_afsklog krb_afslog
+#define k_afsklog_uid krb_afslog_uid
+
+int k_pioctl __P((char *a_path,
+		  int o_opcode,
+		  struct ViceIoctl *a_paramsP,
+		  int a_followSymlinks));
+int k_unlog __P((void));
+int k_setpag __P((void));
+int k_afs_cell_of_file __P((const char *path, char *cell, int len));
+
+
+
+/* XXX */
+#ifdef KFAILURE
+#define KRB_H_INCLUDED
+#endif
+
+#ifdef KRB5_RECVAUTH_IGNORE_VERSION
+#define KRB5_H_INCLUDED
+#endif
+
+#ifdef KRB_H_INCLUDED
+int kafs_settoken __P((const char*, uid_t, CREDENTIALS*));
+#endif
+
+#ifdef KRB5_H_INCLUDED
+krb5_error_code krb5_afslog_uid __P((krb5_context context,
+				     krb5_ccache id,
+				     const char *cell,
+				     krb5_const_realm realm,
+				     uid_t uid));
+krb5_error_code krb5_afslog __P((krb5_context context,
+				 krb5_ccache id, 
+				 const char *cell,
+				 krb5_const_realm realm));
+krb5_error_code krb5_afslog_uid_home __P((krb5_context context,
+					  krb5_ccache id,
+					  const char *cell,
+					  krb5_const_realm realm,
+					  uid_t uid,
+					  const char *homedir));
+
+krb5_error_code krb5_afslog_home __P((krb5_context context,
+				      krb5_ccache id,
+				      const char *cell,
+				      krb5_const_realm realm,
+				      const char *homedir));
+
+krb5_error_code krb5_realm_of_cell __P((const char *cell, char **realm));
+
+#endif
+
+
+#define _PATH_VICE		"/usr/vice/etc/"
+#define _PATH_THISCELL 		_PATH_VICE "ThisCell"
+#define _PATH_CELLSERVDB 	_PATH_VICE "CellServDB"
+#define _PATH_THESECELLS	_PATH_VICE "TheseCells"
+
+#define _PATH_ARLA_VICE		"/usr/arla/etc/"
+#define _PATH_ARLA_THISCELL	_PATH_ARLA_VICE "ThisCell"
+#define _PATH_ARLA_CELLSERVDB 	_PATH_ARLA_VICE "CellServDB"
+#define _PATH_ARLA_THESECELLS	_PATH_ARLA_VICE "TheseCells"
+
+extern int _kafs_debug;
+
+#endif /* __KAFS_H */
diff --git a/crypto/heimdal/lib/kafs/kafs_locl.h b/crypto/heimdal/lib/kafs/kafs_locl.h
new file mode 100644
index 0000000..ac1c2f6
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/kafs_locl.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kafs_locl.h,v 1.15 1999/12/02 16:58:40 joda Exp $ */
+
+#ifndef __KAFS_LOCL_H__
+#define __KAFS_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <errno.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+
+#ifdef HAVE_SYS_SYSCALL_H
+#include <sys/syscall.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+#include <roken.h>
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#endif
+#include <kafs.h>
+
+#include <resolve.h>
+
+#include "afssysdefs.h"
+
+struct kafs_data;
+typedef int (*afslog_uid_func_t)(struct kafs_data *,
+				 const char *cell,
+				 const char *realm_hint,
+				 uid_t,
+				 const char *homedir);
+
+typedef int (*get_cred_func_t)(struct kafs_data*, const char*, const char*, 
+				    const char*, CREDENTIALS*);
+
+typedef char* (*get_realm_func_t)(struct kafs_data*, const char*);
+
+typedef struct kafs_data {
+    afslog_uid_func_t afslog_uid;
+    get_cred_func_t get_cred;
+    get_realm_func_t get_realm;
+    void *data;
+} kafs_data;
+
+int _kafs_afslog_all_local_cells(kafs_data*, uid_t, const char*);
+
+int _kafs_get_cred(kafs_data*, const char*, const char*, const char *, 
+		  CREDENTIALS*);
+
+int
+_kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm);
+
+#ifdef _AIX
+int aix_pioctl(char*, int, struct ViceIoctl*, int);
+int aix_setpag(void);
+#endif
+
+#endif /* __KAFS_LOCL_H__ */
diff --git a/crypto/heimdal/lib/kafs/roken_rename.h b/crypto/heimdal/lib/kafs/roken_rename.h
new file mode 100644
index 0000000..4a7fb1d
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/roken_rename.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.1 2001/02/12 22:01:27 assar Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+/*
+ * Libroken routines that are added libkafs
+ */
+
+#define _resolve_debug _roken_resolve_debug
+
+#define dns_free_data _kafs_dns_free_data
+#define dns_lookup _kafs_dns_lookup
+#define dns_string_to_type _kafs_dns_string_to_type
+#define dns_type_to_string _kafs_dns_type_to_string
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/krb5/Makefile.am b/crypto/heimdal/lib/krb5/Makefile.am
new file mode 100644
index 0000000..bc3dd6e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/Makefile.am
@@ -0,0 +1,165 @@
+# $Id: Makefile.am,v 1.125 2001/05/16 23:51:50 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = verify_krb5_conf
+
+noinst_PROGRAMS = dump_config test_get_addrs
+
+check_PROGRAMS = n-fold-test string-to-key-test derived-key-test store-test
+TESTS = n-fold-test string-to-key-test derived-key-test store-test
+
+LDADD = libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+libkrb5_la_LIBADD = \
+	../com_err/error.lo ../com_err/com_err.lo \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+lib_LTLIBRARIES = libkrb5.la
+
+ERR_FILES = krb5_err.c heim_err.c
+
+libkrb5_la_SOURCES =				\
+	acl.c					\
+	add_et_list.c				\
+	addr_families.c				\
+	address.c				\
+	aname_to_localname.c			\
+	appdefault.c				\
+	asn1_glue.c				\
+	auth_context.c				\
+	build_ap_req.c				\
+	build_auth.c				\
+	cache.c					\
+	changepw.c				\
+	codec.c					\
+	config_file.c				\
+	config_file_netinfo.c			\
+	convert_creds.c				\
+	constants.c				\
+	context.c				\
+	copy_host_realm.c			\
+	crc.c					\
+	creds.c					\
+	crypto.c				\
+	data.c					\
+	eai_to_heim_errno.c			\
+	error_string.c				\
+	expand_hostname.c			\
+	fcache.c				\
+	free.c					\
+	free_host_realm.c			\
+	generate_seq_number.c			\
+	generate_subkey.c			\
+	get_addrs.c				\
+	get_cred.c				\
+	get_default_principal.c			\
+	get_default_realm.c			\
+	get_for_creds.c				\
+	get_host_realm.c			\
+	get_in_tkt.c				\
+	get_in_tkt_pw.c				\
+	get_in_tkt_with_keytab.c		\
+	get_in_tkt_with_skey.c			\
+	get_port.c				\
+	init_creds.c				\
+	init_creds_pw.c				\
+	keyblock.c				\
+	keytab.c				\
+	keytab_any.c				\
+	keytab_file.c				\
+	keytab_memory.c				\
+	keytab_keyfile.c			\
+	keytab_krb4.c				\
+	krbhst.c				\
+	kuserok.c				\
+	log.c					\
+	mcache.c				\
+	misc.c					\
+	mk_error.c				\
+	mk_priv.c				\
+	mk_rep.c				\
+	mk_req.c				\
+	mk_req_ext.c				\
+	mk_safe.c				\
+	net_read.c				\
+	net_write.c				\
+	n-fold.c				\
+	padata.c				\
+	principal.c				\
+	prog_setup.c				\
+	prompter_posix.c			\
+	rd_cred.c				\
+	rd_error.c				\
+	rd_priv.c				\
+	rd_rep.c				\
+	rd_req.c				\
+	rd_safe.c				\
+	read_message.c				\
+	recvauth.c				\
+	replay.c				\
+	send_to_kdc.c				\
+	sendauth.c				\
+	set_default_realm.c			\
+	sock_principal.c			\
+	store.c					\
+	store_emem.c				\
+	store_fd.c				\
+	store_mem.c				\
+	ticket.c				\
+	time.c					\
+	transited.c				\
+	verify_init.c				\
+	verify_user.c				\
+	version.c				\
+	warn.c					\
+	write_message.c				\
+	$(ERR_FILES)
+
+libkrb5_la_LDFLAGS = -version-info 16:0:0
+
+$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
+
+$(srcdir)/krb5-protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o krb5-protos.h $(libkrb5_la_SOURCES) || rm -f krb5-protos.h
+
+$(srcdir)/krb5-private.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h
+
+#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo
+
+man_MANS =					\
+	kerberos.8				\
+	krb5.conf.5				\
+	krb5_425_conv_principal.3		\
+	krb5_appdefault.3			\
+	krb5_build_principal.3			\
+	krb5_config.3				\
+	krb5_free_principal.3			\
+	krb5_openlog.3				\
+	krb5_parse_name.3			\
+	krb5_sname_to_principal.3		\
+	krb5_unparse_name.3			\
+	krb5_warn.3				\
+	verify_krb5_conf.8			\
+	krb5_auth_context.3			\
+	krb5_context.3				\
+	krb5_init_context.3			\
+	krb5_keytab.3
+
+include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h
+
+CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h
+
+$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h
+
+# to help stupid solaris make
+
+krb5_err.h: krb5_err.et
+
+heim_err.h: heim_err.et
diff --git a/crypto/heimdal/lib/krb5/Makefile.in b/crypto/heimdal/lib/krb5/Makefile.in
new file mode 100644
index 0000000..52925bb
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/Makefile.in
@@ -0,0 +1,1078 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.125 2001/05/16 23:51:50 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = verify_krb5_conf
+
+noinst_PROGRAMS = dump_config test_get_addrs
+
+check_PROGRAMS = n-fold-test string-to-key-test derived-key-test store-test
+TESTS = n-fold-test string-to-key-test derived-key-test store-test
+
+LDADD = libkrb5.la \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+
+libkrb5_la_LIBADD = \
+	../com_err/error.lo ../com_err/com_err.lo \
+	$(LIB_des) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_roken)
+
+
+lib_LTLIBRARIES = libkrb5.la
+
+ERR_FILES = krb5_err.c heim_err.c
+
+libkrb5_la_SOURCES = \
+	acl.c					\
+	add_et_list.c				\
+	addr_families.c				\
+	address.c				\
+	aname_to_localname.c			\
+	appdefault.c				\
+	asn1_glue.c				\
+	auth_context.c				\
+	build_ap_req.c				\
+	build_auth.c				\
+	cache.c					\
+	changepw.c				\
+	codec.c					\
+	config_file.c				\
+	config_file_netinfo.c			\
+	convert_creds.c				\
+	constants.c				\
+	context.c				\
+	copy_host_realm.c			\
+	crc.c					\
+	creds.c					\
+	crypto.c				\
+	data.c					\
+	eai_to_heim_errno.c			\
+	error_string.c				\
+	expand_hostname.c			\
+	fcache.c				\
+	free.c					\
+	free_host_realm.c			\
+	generate_seq_number.c			\
+	generate_subkey.c			\
+	get_addrs.c				\
+	get_cred.c				\
+	get_default_principal.c			\
+	get_default_realm.c			\
+	get_for_creds.c				\
+	get_host_realm.c			\
+	get_in_tkt.c				\
+	get_in_tkt_pw.c				\
+	get_in_tkt_with_keytab.c		\
+	get_in_tkt_with_skey.c			\
+	get_port.c				\
+	init_creds.c				\
+	init_creds_pw.c				\
+	keyblock.c				\
+	keytab.c				\
+	keytab_any.c				\
+	keytab_file.c				\
+	keytab_memory.c				\
+	keytab_keyfile.c			\
+	keytab_krb4.c				\
+	krbhst.c				\
+	kuserok.c				\
+	log.c					\
+	mcache.c				\
+	misc.c					\
+	mk_error.c				\
+	mk_priv.c				\
+	mk_rep.c				\
+	mk_req.c				\
+	mk_req_ext.c				\
+	mk_safe.c				\
+	net_read.c				\
+	net_write.c				\
+	n-fold.c				\
+	padata.c				\
+	principal.c				\
+	prog_setup.c				\
+	prompter_posix.c			\
+	rd_cred.c				\
+	rd_error.c				\
+	rd_priv.c				\
+	rd_rep.c				\
+	rd_req.c				\
+	rd_safe.c				\
+	read_message.c				\
+	recvauth.c				\
+	replay.c				\
+	send_to_kdc.c				\
+	sendauth.c				\
+	set_default_realm.c			\
+	sock_principal.c			\
+	store.c					\
+	store_emem.c				\
+	store_fd.c				\
+	store_mem.c				\
+	ticket.c				\
+	time.c					\
+	transited.c				\
+	verify_init.c				\
+	verify_user.c				\
+	version.c				\
+	warn.c					\
+	write_message.c				\
+	$(ERR_FILES)
+
+
+libkrb5_la_LDFLAGS = -version-info 16:0:0
+
+#libkrb5_la_LIBADD = ../com_err/error.lo ../com_err/com_err.lo
+
+man_MANS = \
+	kerberos.8				\
+	krb5.conf.5				\
+	krb5_425_conv_principal.3		\
+	krb5_appdefault.3			\
+	krb5_build_principal.3			\
+	krb5_config.3				\
+	krb5_free_principal.3			\
+	krb5_openlog.3				\
+	krb5_parse_name.3			\
+	krb5_sname_to_principal.3		\
+	krb5_unparse_name.3			\
+	krb5_warn.3				\
+	verify_krb5_conf.8			\
+	krb5_auth_context.3			\
+	krb5_context.3				\
+	krb5_init_context.3			\
+	krb5_keytab.3
+
+
+include_HEADERS = krb5.h krb5-protos.h krb5-private.h krb5_err.h heim_err.h
+
+CLEANFILES = krb5_err.c krb5_err.h heim_err.c heim_err.h
+subdir = lib/krb5
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libkrb5_la_DEPENDENCIES =  ../com_err/error.lo ../com_err/com_err.lo \
+$(top_builddir)/lib/asn1/libasn1.la
+am_libkrb5_la_OBJECTS =  acl.lo add_et_list.lo addr_families.lo \
+address.lo aname_to_localname.lo appdefault.lo asn1_glue.lo \
+auth_context.lo build_ap_req.lo build_auth.lo cache.lo changepw.lo \
+codec.lo config_file.lo config_file_netinfo.lo convert_creds.lo \
+constants.lo context.lo copy_host_realm.lo crc.lo creds.lo crypto.lo \
+data.lo eai_to_heim_errno.lo error_string.lo expand_hostname.lo \
+fcache.lo free.lo free_host_realm.lo generate_seq_number.lo \
+generate_subkey.lo get_addrs.lo get_cred.lo get_default_principal.lo \
+get_default_realm.lo get_for_creds.lo get_host_realm.lo get_in_tkt.lo \
+get_in_tkt_pw.lo get_in_tkt_with_keytab.lo get_in_tkt_with_skey.lo \
+get_port.lo init_creds.lo init_creds_pw.lo keyblock.lo keytab.lo \
+keytab_any.lo keytab_file.lo keytab_memory.lo keytab_keyfile.lo \
+keytab_krb4.lo krbhst.lo kuserok.lo log.lo mcache.lo misc.lo \
+mk_error.lo mk_priv.lo mk_rep.lo mk_req.lo mk_req_ext.lo mk_safe.lo \
+net_read.lo net_write.lo n-fold.lo padata.lo principal.lo prog_setup.lo \
+prompter_posix.lo rd_cred.lo rd_error.lo rd_priv.lo rd_rep.lo rd_req.lo \
+rd_safe.lo read_message.lo recvauth.lo replay.lo send_to_kdc.lo \
+sendauth.lo set_default_realm.lo sock_principal.lo store.lo \
+store_emem.lo store_fd.lo store_mem.lo ticket.lo time.lo transited.lo \
+verify_init.lo verify_user.lo version.lo warn.lo write_message.lo \
+krb5_err.lo heim_err.lo
+libkrb5_la_OBJECTS =  $(am_libkrb5_la_OBJECTS)
+bin_PROGRAMS =  verify_krb5_conf$(EXEEXT)
+check_PROGRAMS =  n-fold-test$(EXEEXT) string-to-key-test$(EXEEXT) \
+derived-key-test$(EXEEXT) store-test$(EXEEXT)
+noinst_PROGRAMS =  dump_config$(EXEEXT) test_get_addrs$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS) $(noinst_PROGRAMS)
+
+derived_key_test_SOURCES = derived-key-test.c
+derived_key_test_OBJECTS =  derived-key-test.$(OBJEXT)
+derived_key_test_LDADD = $(LDADD)
+derived_key_test_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+derived_key_test_LDFLAGS = 
+dump_config_SOURCES = dump_config.c
+dump_config_OBJECTS =  dump_config.$(OBJEXT)
+dump_config_LDADD = $(LDADD)
+dump_config_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+dump_config_LDFLAGS = 
+n_fold_test_SOURCES = n-fold-test.c
+n_fold_test_OBJECTS =  n-fold-test.$(OBJEXT)
+n_fold_test_LDADD = $(LDADD)
+n_fold_test_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+n_fold_test_LDFLAGS = 
+store_test_SOURCES = store-test.c
+store_test_OBJECTS =  store-test.$(OBJEXT)
+store_test_LDADD = $(LDADD)
+store_test_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+store_test_LDFLAGS = 
+string_to_key_test_SOURCES = string-to-key-test.c
+string_to_key_test_OBJECTS =  string-to-key-test.$(OBJEXT)
+string_to_key_test_LDADD = $(LDADD)
+string_to_key_test_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+string_to_key_test_LDFLAGS = 
+test_get_addrs_SOURCES = test_get_addrs.c
+test_get_addrs_OBJECTS =  test_get_addrs.$(OBJEXT)
+test_get_addrs_LDADD = $(LDADD)
+test_get_addrs_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+test_get_addrs_LDFLAGS = 
+verify_krb5_conf_SOURCES = verify_krb5_conf.c
+verify_krb5_conf_OBJECTS =  verify_krb5_conf.$(OBJEXT)
+verify_krb5_conf_LDADD = $(LDADD)
+verify_krb5_conf_DEPENDENCIES =  libkrb5.la \
+$(top_builddir)/lib/asn1/libasn1.la
+verify_krb5_conf_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libkrb5_la_SOURCES) derived-key-test.c dump_config.c \
+n-fold-test.c store-test.c string-to-key-test.c test_get_addrs.c \
+verify_krb5_conf.c
+man3dir = $(mandir)/man3
+man5dir = $(mandir)/man5
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+HEADERS =  $(include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libkrb5_la_SOURCES) derived-key-test.c dump_config.c n-fold-test.c store-test.c string-to-key-test.c test_get_addrs.c verify_krb5_conf.c
+OBJECTS = $(am_libkrb5_la_OBJECTS) derived-key-test.$(OBJEXT) dump_config.$(OBJEXT) n-fold-test.$(OBJEXT) store-test.$(OBJEXT) string-to-key-test.$(OBJEXT) test_get_addrs.$(OBJEXT) verify_krb5_conf.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/krb5/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libkrb5_la_LDFLAGS) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS)
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-checkPROGRAMS:
+
+clean-checkPROGRAMS:
+	-test -z "$(check_PROGRAMS)" || rm -f $(check_PROGRAMS)
+
+distclean-checkPROGRAMS:
+
+maintainer-clean-checkPROGRAMS:
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+derived-key-test$(EXEEXT): $(derived_key_test_OBJECTS) $(derived_key_test_DEPENDENCIES)
+	@rm -f derived-key-test$(EXEEXT)
+	$(LINK) $(derived_key_test_LDFLAGS) $(derived_key_test_OBJECTS) $(derived_key_test_LDADD) $(LIBS)
+
+dump_config$(EXEEXT): $(dump_config_OBJECTS) $(dump_config_DEPENDENCIES)
+	@rm -f dump_config$(EXEEXT)
+	$(LINK) $(dump_config_LDFLAGS) $(dump_config_OBJECTS) $(dump_config_LDADD) $(LIBS)
+
+n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES)
+	@rm -f n-fold-test$(EXEEXT)
+	$(LINK) $(n_fold_test_LDFLAGS) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS)
+
+store-test$(EXEEXT): $(store_test_OBJECTS) $(store_test_DEPENDENCIES)
+	@rm -f store-test$(EXEEXT)
+	$(LINK) $(store_test_LDFLAGS) $(store_test_OBJECTS) $(store_test_LDADD) $(LIBS)
+
+string-to-key-test$(EXEEXT): $(string_to_key_test_OBJECTS) $(string_to_key_test_DEPENDENCIES)
+	@rm -f string-to-key-test$(EXEEXT)
+	$(LINK) $(string_to_key_test_LDFLAGS) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS)
+
+test_get_addrs$(EXEEXT): $(test_get_addrs_OBJECTS) $(test_get_addrs_DEPENDENCIES)
+	@rm -f test_get_addrs$(EXEEXT)
+	$(LINK) $(test_get_addrs_LDFLAGS) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS)
+
+verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES)
+	@rm -f verify_krb5_conf$(EXEEXT)
+	$(LINK) $(verify_krb5_conf_LDFLAGS) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man3:
+	$(mkinstalldirs) $(DESTDIR)$(man3dir)
+	@list='$(man3_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man3dir)/$$inst; \
+	done
+
+uninstall-man3:
+	@list='$(man3_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.3*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man3dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man3dir)/$$inst; \
+	done
+
+install-man5:
+	$(mkinstalldirs) $(DESTDIR)$(man5dir)
+	@list='$(man5_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man5dir)/$$inst; \
+	done
+
+uninstall-man5:
+	@list='$(man5_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.5*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man5dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man5dir)/$$inst; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man3 install-man5 install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man3 uninstall-man5 uninstall-man8
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list='$(TESTS)'; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xpass=`expr $$xpass + 1`; \
+	        failed=`expr $$failed + 1`; \
+	        echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+	        echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xfail=`expr $$xfail + 1`; \
+	        echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+	        failed=`expr $$failed + 1`; \
+	        echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-binPROGRAMS: install-libLTLIBRARIES
+
+install-exec-am: install-libLTLIBRARIES install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-binPROGRAMS \
+		uninstall-man uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) \
+		$(DESTDIR)$(mandir)/man3 $(DESTDIR)$(mandir)/man5 \
+		$(DESTDIR)$(mandir)/man8 $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-binPROGRAMS \
+		mostlyclean-checkPROGRAMS mostlyclean-noinstPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-binPROGRAMS clean-checkPROGRAMS \
+		clean-noinstPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-binPROGRAMS \
+		distclean-checkPROGRAMS distclean-noinstPROGRAMS \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-binPROGRAMS \
+		maintainer-clean-checkPROGRAMS \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-binPROGRAMS distclean-binPROGRAMS \
+clean-binPROGRAMS maintainer-clean-binPROGRAMS uninstall-binPROGRAMS \
+install-binPROGRAMS mostlyclean-checkPROGRAMS distclean-checkPROGRAMS \
+clean-checkPROGRAMS maintainer-clean-checkPROGRAMS \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS install-man3 \
+uninstall-man3 install-man5 uninstall-man5 install-man8 uninstall-man8 \
+install-man uninstall-man uninstall-includeHEADERS \
+install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags check-TESTS distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
+
+$(srcdir)/krb5-protos.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -o krb5-protos.h $(libkrb5_la_SOURCES) || rm -f krb5-protos.h
+
+$(srcdir)/krb5-private.h:
+	cd $(srcdir); perl ../../cf/make-proto.pl -p krb5-private.h $(libkrb5_la_SOURCES) || rm -f krb5-private.h
+
+$(libkrb5_la_OBJECTS): krb5_err.h heim_err.h
+
+# to help stupid solaris make
+
+krb5_err.h: krb5_err.et
+
+heim_err.h: heim_err.et
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/krb5/acl.c b/crypto/heimdal/lib/krb5/acl.c
new file mode 100644
index 0000000..fb22fbb
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/acl.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+#include <fnmatch.h>
+
+RCSID("$Id: acl.c,v 1.2 2001/05/14 06:14:43 assar Exp $");
+
+struct acl_field {
+    enum { acl_string, acl_fnmatch, acl_retval } type;
+    union {
+	const char *cstr;
+	char **retv;
+    } u;
+    struct acl_field *next, **last;
+};
+
+static void
+acl_free_list(struct acl_field *acl)
+{
+    struct acl_field *next;
+    while(acl != NULL) {
+	next = acl->next;
+	free(acl);
+	acl = next;
+    }
+}
+
+static krb5_error_code
+acl_parse_format(krb5_context context,
+		 struct acl_field **acl_ret,
+		 const char *format,
+		 va_list ap)
+{
+    const char *p;
+    struct acl_field *acl = NULL, *tmp;
+
+    for(p = format; *p != '\0'; p++) {
+	tmp = malloc(sizeof(*tmp));
+	if(tmp == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    acl_free_list(acl);
+	    return ENOMEM;
+	}
+	if(*p == 's') {
+	    tmp->type = acl_string;
+	    tmp->u.cstr = va_arg(ap, const char*);
+	} else if(*p == 'f') {
+	    tmp->type = acl_fnmatch;
+	    tmp->u.cstr = va_arg(ap, const char*);
+	} else if(*p == 'r') {
+	    tmp->type = acl_retval;
+	    tmp->u.retv = va_arg(ap, char **);
+	}
+	tmp->next = NULL;
+	if(acl == NULL)
+	    acl = tmp;
+	else
+	    *acl->last = tmp;
+	acl->last = &tmp->next;
+    }
+    *acl_ret = acl;
+    return 0;
+}
+
+static krb5_boolean
+acl_match_field(krb5_context context,
+		const char *string,
+		struct acl_field *field)
+{
+    if(field->type == acl_string) {
+	return !strcmp(string, field->u.cstr);
+    } else if(field->type == acl_fnmatch) {
+	return !fnmatch(string, field->u.cstr, 0);
+    } else if(field->type == acl_retval) {
+	*field->u.retv = strdup(string);
+	return TRUE;
+    }
+    return FALSE;
+}
+
+static krb5_boolean
+acl_match_acl(krb5_context context,
+	      struct acl_field *acl,
+	      const char *string)
+{
+    char buf[256];
+    for(;strsep_copy(&string, " \t", buf, sizeof(buf)) != -1; 
+	acl = acl->next) {
+	if(buf[0] == '\0')
+	    continue; /* skip ws */
+	if(!acl_match_field(context, buf, acl)) {
+	    return FALSE;
+	}
+    }
+    return TRUE;
+}
+
+
+krb5_error_code
+krb5_acl_match_string(krb5_context context,
+		      const char *acl_string,
+		      const char *format,
+		      ...)
+{
+    krb5_error_code ret;
+    krb5_boolean found;
+    struct acl_field *acl;
+
+    va_list ap;
+    va_start(ap, format);
+    ret = acl_parse_format(context, &acl, format, ap);
+    va_end(ap);
+    if(ret)
+	return ret;
+
+    found = acl_match_acl(context, acl, acl_string);
+    acl_free_list(acl);
+    if (found) {
+	return 0;
+    } else {
+	krb5_set_error_string(context, "ACL did not match");
+	return EACCES;
+    }
+}
+	       
+krb5_error_code
+krb5_acl_match_file(krb5_context context,
+		    const char *file,
+		    const char *format,
+		    ...)
+{
+    krb5_error_code ret;
+    struct acl_field *acl;
+    char buf[256];
+    va_list ap;
+    FILE *f;
+    krb5_boolean found;
+
+    f = fopen(file, "r");
+    if(f == NULL) {
+	int save_errno = errno;
+
+	krb5_set_error_string(context, "open(%s): %s", file,
+			      strerror(save_errno));
+	return save_errno;
+    }
+
+    va_start(ap, format);
+    ret = acl_parse_format(context, &acl, format, ap);
+    va_end(ap);
+    if(ret) {
+	fclose(f);
+	return ret;
+    }
+
+    found = FALSE;
+    while(fgets(buf, sizeof(buf), f)) {
+	if(buf[0] == '#')
+	    continue;
+	if(acl_match_acl(context, acl, buf)) {
+	    found = TRUE;
+	    break;
+	}
+    }
+
+    fclose(f);
+    acl_free_list(acl);
+    if (found) {
+	return 0;
+    } else {
+	krb5_set_error_string(context, "ACL did not match");
+	return EACCES;
+    }
+}
diff --git a/crypto/heimdal/lib/krb5/add_et_list.c b/crypto/heimdal/lib/krb5/add_et_list.c
new file mode 100644
index 0000000..cfc42f4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/add_et_list.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: add_et_list.c,v 1.2 1999/12/02 17:05:07 joda Exp $");
+
+/*
+ * Add a specified list of error messages to the et list in context.
+ * Call func (probably a comerr-generated function) with a pointer to
+ * the current et_list.
+ */
+
+krb5_error_code
+krb5_add_et_list (krb5_context context,
+		  void (*func)(struct et_list **))
+{
+    (*func)(&context->et_list);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/addr_families.c b/crypto/heimdal/lib/krb5/addr_families.c
new file mode 100644
index 0000000..430fd1e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/addr_families.c
@@ -0,0 +1,564 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: addr_families.c,v 1.26 2001/05/14 22:49:55 assar Exp $");
+
+struct addr_operations {
+    int af;
+    krb5_address_type atype;
+    size_t max_sockaddr_size;
+    krb5_error_code (*sockaddr2addr)(const struct sockaddr *, krb5_address *);
+    krb5_error_code (*sockaddr2port)(const struct sockaddr *, int16_t *);
+    void (*addr2sockaddr)(const krb5_address *, struct sockaddr *,
+			  int *sa_size, int port);
+    void (*h_addr2sockaddr)(const char *, struct sockaddr *, int *, int);
+    krb5_error_code (*h_addr2addr)(const char *, krb5_address *);
+    krb5_boolean (*uninteresting)(const struct sockaddr *);
+    void (*anyaddr)(struct sockaddr *, int *, int);
+    int (*print_addr)(const krb5_address *, char *, size_t);
+    int (*parse_addr)(const char*, krb5_address *);
+};
+
+/*
+ * AF_INET - aka IPv4 implementation
+ */
+
+static krb5_error_code
+ipv4_sockaddr2addr (const struct sockaddr *sa, krb5_address *a)
+{
+    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+    unsigned char buf[4];
+
+    a->addr_type = KRB5_ADDRESS_INET;
+    memcpy (buf, &sin->sin_addr, 4);
+    return krb5_data_copy(&a->address, buf, 4);
+}
+
+static krb5_error_code
+ipv4_sockaddr2port (const struct sockaddr *sa, int16_t *port)
+{
+    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+
+    *port = sin->sin_port;
+    return 0;
+}
+
+static void
+ipv4_addr2sockaddr (const krb5_address *a,
+		    struct sockaddr *sa,
+		    int *sa_size,
+		    int port)
+{
+    struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+    memset (sin, 0, sizeof(*sin));
+    sin->sin_family = AF_INET;
+    memcpy (&sin->sin_addr, a->address.data, 4);
+    sin->sin_port = port;
+    *sa_size = sizeof(*sin);
+}
+
+static void
+ipv4_h_addr2sockaddr(const char *addr,
+		     struct sockaddr *sa, int *sa_size, int port)
+{
+    struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+    memset (sin, 0, sizeof(*sin));
+    *sa_size = sizeof(*sin);
+    sin->sin_family = AF_INET;
+    sin->sin_port   = port;
+    sin->sin_addr   = *((const struct in_addr *)addr);
+}
+
+static krb5_error_code
+ipv4_h_addr2addr (const char *addr,
+		  krb5_address *a)
+{
+    unsigned char buf[4];
+
+    a->addr_type = KRB5_ADDRESS_INET;
+    memcpy(buf, addr, 4);
+    return krb5_data_copy(&a->address, buf, 4);
+}
+
+/*
+ * Are there any addresses that should be considered `uninteresting'?
+ */
+
+static krb5_boolean
+ipv4_uninteresting (const struct sockaddr *sa)
+{
+    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+
+    if (sin->sin_addr.s_addr == INADDR_ANY)
+	return TRUE;
+
+    return FALSE;
+}
+
+static void
+ipv4_anyaddr (struct sockaddr *sa, int *sa_size, int port)
+{
+    struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+    memset (sin, 0, sizeof(*sin));
+    *sa_size = sizeof(*sin);
+    sin->sin_family = AF_INET;
+    sin->sin_port   = port;
+    sin->sin_addr.s_addr = INADDR_ANY;
+}
+
+static int
+ipv4_print_addr (const krb5_address *addr, char *str, size_t len)
+{
+    struct in_addr ia;
+
+    memcpy (&ia, addr->address.data, 4);
+
+    return snprintf (str, len, "IPv4:%s", inet_ntoa(ia));
+}
+
+static int
+ipv4_parse_addr (const char *address, krb5_address *addr)
+{
+    const char *p;
+    struct in_addr a;
+
+    p = strchr(address, ':');
+    if(p) {
+	p++;
+	if(strncasecmp(address, "ip:", p - address) != 0 &&
+	   strncasecmp(address, "ip4:", p - address) != 0 &&
+	   strncasecmp(address, "ipv4:", p - address) != 0 &&
+	   strncasecmp(address, "inet:", p - address) != 0)
+	    return -1;
+    } else
+	p = address;
+#ifdef HAVE_INET_ATON
+    if(inet_aton(p, &a) == 0)
+	return -1;
+#elif defined(HAVE_INET_ADDR)
+    a.s_addr = inet_addr(p);
+    if(a.s_addr == INADDR_NONE)
+	return -1;
+#else
+    return -1;
+#endif
+    addr->addr_type = KRB5_ADDRESS_INET;
+    if(krb5_data_alloc(&addr->address, 4) != 0)
+	return -1;
+    _krb5_put_int(addr->address.data, ntohl(a.s_addr), addr->address.length);
+    return 0;
+}
+
+/*
+ * AF_INET6 - aka IPv6 implementation
+ */
+
+#ifdef HAVE_IPV6
+
+static krb5_error_code
+ipv6_sockaddr2addr (const struct sockaddr *sa, krb5_address *a)
+{
+    const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+
+    if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
+	unsigned char buf[4];
+
+	a->addr_type      = KRB5_ADDRESS_INET;
+#ifndef IN6_ADDR_V6_TO_V4
+#ifdef IN6_EXTRACT_V4ADDR
+#define IN6_ADDR_V6_TO_V4(x) (&IN6_EXTRACT_V4ADDR(x))
+#else
+#define IN6_ADDR_V6_TO_V4(x) ((const struct in_addr *)&(x)->s6_addr[12])
+#endif
+#endif
+	memcpy (buf, IN6_ADDR_V6_TO_V4(&sin6->sin6_addr), 4);
+	return krb5_data_copy(&a->address, buf, 4);
+    } else {
+	a->addr_type = KRB5_ADDRESS_INET6;
+	return krb5_data_copy(&a->address,
+			      &sin6->sin6_addr,
+			      sizeof(sin6->sin6_addr));
+    }
+}
+
+static krb5_error_code
+ipv6_sockaddr2port (const struct sockaddr *sa, int16_t *port)
+{
+    const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+
+    *port = sin6->sin6_port;
+    return 0;
+}
+
+static void
+ipv6_addr2sockaddr (const krb5_address *a,
+		    struct sockaddr *sa,
+		    int *sa_size,
+		    int port)
+{
+    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+    memset (sin6, 0, sizeof(*sin6));
+    sin6->sin6_family = AF_INET6;
+    memcpy (&sin6->sin6_addr, a->address.data, sizeof(sin6->sin6_addr));
+    sin6->sin6_port = port;
+    *sa_size = sizeof(*sin6);
+}
+
+static void
+ipv6_h_addr2sockaddr(const char *addr,
+		     struct sockaddr *sa,
+		     int *sa_size,
+		     int port)
+{
+    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+    memset (sin6, 0, sizeof(*sin6));
+    *sa_size = sizeof(*sin6);
+    sin6->sin6_family = AF_INET6;
+    sin6->sin6_port   = port;
+    sin6->sin6_addr   = *((const struct in6_addr *)addr);
+}
+
+static krb5_error_code
+ipv6_h_addr2addr (const char *addr,
+		  krb5_address *a)
+{
+    a->addr_type = KRB5_ADDRESS_INET6;
+    return krb5_data_copy(&a->address, addr, sizeof(struct in6_addr));
+}
+
+/*
+ * 
+ */
+
+static krb5_boolean
+ipv6_uninteresting (const struct sockaddr *sa)
+{
+    const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+    const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr;
+    
+    return
+	IN6_IS_ADDR_LINKLOCAL(in6)
+	|| IN6_IS_ADDR_V4COMPAT(in6);
+}
+
+static void
+ipv6_anyaddr (struct sockaddr *sa, int *sa_size, int port)
+{
+    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+    memset (sin6, 0, sizeof(*sin6));
+    *sa_size = sizeof(*sin6);
+    sin6->sin6_family = AF_INET6;
+    sin6->sin6_port   = port;
+    sin6->sin6_addr   = in6addr_any;
+}
+
+static int
+ipv6_print_addr (const krb5_address *addr, char *str, size_t len)
+{
+    char buf[128], buf2[3];
+#ifdef HAVE_INET_NTOP
+    if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL)
+#endif
+	{
+	    /* XXX this is pretty ugly, but better than abort() */
+	    int i;
+	    unsigned char *p = addr->address.data;
+	    buf[0] = '\0';
+	    for(i = 0; i < addr->address.length; i++) {
+		snprintf(buf2, sizeof(buf2), "%02x", p[i]);
+		if(i > 0 && (i & 1) == 0)
+		    strlcat(buf, ":", sizeof(buf));
+		strlcat(buf, buf2, sizeof(buf));
+	    }
+	}
+    return snprintf(str, len, "IPv6:%s", buf);
+}
+
+static int
+ipv6_parse_addr (const char *address, krb5_address *addr)
+{
+    int ret;
+    struct in6_addr in6;
+
+    ret = inet_pton(AF_INET6, address, &in6.s6_addr);
+    if(ret == 1) {
+	addr->addr_type = KRB5_ADDRESS_INET6;
+	ret = krb5_data_alloc(&addr->address, sizeof(in6.s6_addr));
+	if (ret)
+	    return -1;
+	memcpy(addr->address.data, in6.s6_addr, sizeof(in6.s6_addr));
+	return 0;
+    }
+    return -1;
+}
+
+#endif /* IPv6 */
+
+/*
+ * table
+ */
+
+static struct addr_operations at[] = {
+    {AF_INET,	KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
+     ipv4_sockaddr2addr, 
+     ipv4_sockaddr2port,
+     ipv4_addr2sockaddr,
+     ipv4_h_addr2sockaddr,
+     ipv4_h_addr2addr,
+     ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr},
+#ifdef HAVE_IPV6
+    {AF_INET6,	KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
+     ipv6_sockaddr2addr, 
+     ipv6_sockaddr2port,
+     ipv6_addr2sockaddr,
+     ipv6_h_addr2sockaddr,
+     ipv6_h_addr2addr,
+     ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr}
+#endif
+};
+
+static int num_addrs = sizeof(at) / sizeof(at[0]);
+
+static size_t max_sockaddr_size = 0;
+
+/*
+ * generic functions
+ */
+
+static struct addr_operations *
+find_af(int af)
+{
+    struct addr_operations *a;
+
+    for (a = at; a < at + num_addrs; ++a)
+	if (af == a->af)
+	    return a;
+    return NULL;
+}
+
+static struct addr_operations *
+find_atype(int atype)
+{
+    struct addr_operations *a;
+
+    for (a = at; a < at + num_addrs; ++a)
+	if (atype == a->atype)
+	    return a;
+    return NULL;
+}
+
+krb5_error_code
+krb5_sockaddr2address (krb5_context context,
+		       const struct sockaddr *sa, krb5_address *addr)
+{
+    struct addr_operations *a = find_af(sa->sa_family);
+    if (a == NULL) {
+	krb5_set_error_string (context, "Address family %d not supported",
+			       sa->sa_family);
+	return KRB5_PROG_ATYPE_NOSUPP;
+    }
+    return (*a->sockaddr2addr)(sa, addr);
+}
+
+krb5_error_code
+krb5_sockaddr2port (krb5_context context,
+		    const struct sockaddr *sa, int16_t *port)
+{
+    struct addr_operations *a = find_af(sa->sa_family);
+    if (a == NULL) {
+	krb5_set_error_string (context, "Address family %d not supported",
+			       sa->sa_family);
+	return KRB5_PROG_ATYPE_NOSUPP;
+    }
+    return (*a->sockaddr2port)(sa, port);
+}
+
+krb5_error_code
+krb5_addr2sockaddr (krb5_context context,
+		    const krb5_address *addr,
+		    struct sockaddr *sa,
+		    int *sa_size,
+		    int port)
+{
+    struct addr_operations *a = find_atype(addr->addr_type);
+
+    if (a == NULL) {
+	krb5_set_error_string (context, "Address type %d not supported",
+			       addr->addr_type);
+	return KRB5_PROG_ATYPE_NOSUPP;
+    }
+    (*a->addr2sockaddr)(addr, sa, sa_size, port);
+    return 0;
+}
+
+size_t
+krb5_max_sockaddr_size (void)
+{
+    if (max_sockaddr_size == 0) {
+	struct addr_operations *a;
+
+	for(a = at; a < at + num_addrs; ++a)
+	    max_sockaddr_size = max(max_sockaddr_size, a->max_sockaddr_size);
+    }
+    return max_sockaddr_size;
+}
+
+krb5_boolean
+krb5_sockaddr_uninteresting(const struct sockaddr *sa)
+{
+    struct addr_operations *a = find_af(sa->sa_family);
+    if (a == NULL)
+	return TRUE;
+    return (*a->uninteresting)(sa);
+}
+
+krb5_error_code
+krb5_h_addr2sockaddr (krb5_context context,
+		      int af,
+		      const char *addr, struct sockaddr *sa, int *sa_size,
+		      int port)
+{
+    struct addr_operations *a = find_af(af);
+    if (a == NULL) {
+	krb5_set_error_string (context, "Address family %d not supported", af);
+	return KRB5_PROG_ATYPE_NOSUPP;
+    }
+    (*a->h_addr2sockaddr)(addr, sa, sa_size, port);
+    return 0;
+}
+
+krb5_error_code
+krb5_h_addr2addr (krb5_context context,
+		  int af,
+		  const char *haddr, krb5_address *addr)
+{
+    struct addr_operations *a = find_af(af);
+    if (a == NULL) {
+	krb5_set_error_string (context, "Address family %d not supported", af);
+	return KRB5_PROG_ATYPE_NOSUPP;
+    }
+    return (*a->h_addr2addr)(haddr, addr);
+}
+
+krb5_error_code
+krb5_anyaddr (krb5_context context,
+	      int af,
+	      struct sockaddr *sa,
+	      int *sa_size,
+	      int port)
+{
+    struct addr_operations *a = find_af (af);
+
+    if (a == NULL) {
+	krb5_set_error_string (context, "Address family %d not supported", af);
+	return KRB5_PROG_ATYPE_NOSUPP;
+    }
+
+    (*a->anyaddr)(sa, sa_size, port);
+    return 0;
+}
+
+krb5_error_code
+krb5_print_address (const krb5_address *addr, 
+		    char *str, size_t len, size_t *ret_len)
+{
+    struct addr_operations *a = find_atype(addr->addr_type);
+
+    if (a == NULL) {
+	char *s;
+	size_t l;
+	int i;
+	s = str;
+	l = snprintf(s, len, "TYPE_%d:", addr->addr_type);
+	s += l;
+	len -= len;
+	for(i = 0; i < addr->address.length; i++) {
+	    l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]);
+	    len -= l;
+	    s += l;
+	}
+	*ret_len = s - str;
+	return 0;
+    }
+    *ret_len = (*a->print_addr)(addr, str, len);
+    return 0;
+}
+
+krb5_error_code
+krb5_parse_address(krb5_context context,
+		   const char *string,
+		   krb5_addresses *addresses)
+{
+    int i, n;
+    struct addrinfo *ai, *a;
+    int error;
+    int save_errno;
+
+    for(i = 0; i < num_addrs; i++) {
+	if(at[i].parse_addr) {
+	    krb5_address a;
+	    if((*at[i].parse_addr)(string, &a) == 0) {
+		ALLOC_SEQ(addresses, 1);
+		addresses->val[0] = a;
+		return 0;
+	    }
+	}
+    }
+
+    error = getaddrinfo (string, NULL, NULL, &ai);
+    if (error) {
+	save_errno = errno;
+	krb5_set_error_string (context, "%s: %s", string, gai_strerror(error));
+	return krb5_eai_to_heim_errno(error, save_errno);
+    }
+    
+    n = 0;
+    for (a = ai; a != NULL; a = a->ai_next)
+	++n;
+
+    ALLOC_SEQ(addresses, n);
+
+    for (a = ai, i = 0; a != NULL; a = a->ai_next, ++i) {
+	krb5_sockaddr2address (context, ai->ai_addr, &addresses->val[i]);
+    }
+    freeaddrinfo (ai);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/address.c b/crypto/heimdal/lib/krb5/address.c
new file mode 100644
index 0000000..5dc756a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/address.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: address.c,v 1.15 2001/05/14 06:14:44 assar Exp $");
+
+#if 0
+/* This is the supposedly MIT-api version */
+
+krb5_boolean
+krb5_address_search(krb5_context context,
+		    const krb5_address *addr,
+		    krb5_address *const *addrlist)
+{
+  krb5_address *a;
+
+  while((a = *addrlist++))
+    if (krb5_address_compare (context, addr, a))
+      return TRUE;
+  return FALSE;
+}
+#endif
+
+krb5_boolean
+krb5_address_search(krb5_context context,
+		    const krb5_address *addr,
+		    const krb5_addresses *addrlist)
+{
+    int i;
+
+    for (i = 0; i < addrlist->len; ++i)
+	if (krb5_address_compare (context, addr, &addrlist->val[i]))
+	    return TRUE;
+    return FALSE;
+}
+
+int
+krb5_address_order(krb5_context context,
+		   const krb5_address *addr1,
+		   const krb5_address *addr2)
+{
+    return (addr1->addr_type - addr2->addr_type)
+	|| memcmp (addr1->address.data,
+		   addr2->address.data,
+		   addr1->address.length);
+}
+
+krb5_boolean
+krb5_address_compare(krb5_context context,
+		     const krb5_address *addr1,
+		     const krb5_address *addr2)
+{
+    return krb5_address_order (context, addr1, addr2) == 0;
+}
+
+krb5_error_code
+krb5_copy_address(krb5_context context,
+		  const krb5_address *inaddr,
+		  krb5_address *outaddr)
+{
+    copy_HostAddress(inaddr, outaddr);
+    return 0;
+}
+
+krb5_error_code
+krb5_copy_addresses(krb5_context context,
+		    const krb5_addresses *inaddr,
+		    krb5_addresses *outaddr)
+{
+    copy_HostAddresses(inaddr, outaddr);
+    return 0;
+}
+
+krb5_error_code
+krb5_free_address(krb5_context context,
+		  krb5_address *address)
+{
+    krb5_data_free (&address->address);
+    return 0;
+}
+
+krb5_error_code
+krb5_free_addresses(krb5_context context,
+		    krb5_addresses *addresses)
+{
+    free_HostAddresses(addresses);
+    return 0;
+}
+
+krb5_error_code
+krb5_append_addresses(krb5_context context,
+		      krb5_addresses *dest,
+		      const krb5_addresses *source)
+{
+    krb5_address *tmp;
+    krb5_error_code ret;
+    int i;
+    if(source->len > 0) {
+	tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp));
+	if(tmp == NULL) {
+	    krb5_set_error_string(context, "realloc: out of memory");
+	    return ENOMEM;
+	}
+	dest->val = tmp;
+	for(i = 0; i < source->len; i++) {
+	    /* skip duplicates */
+	    if(krb5_address_search(context, &source->val[i], dest))
+		continue;
+	    ret = krb5_copy_address(context, 
+				    &source->val[i], 
+				    &dest->val[dest->len]);
+	    if(ret)
+		return ret;
+	    dest->len++;
+	}
+    }
+    return 0;
+}
+
+/*
+ * Create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port)
+ */
+
+krb5_error_code
+krb5_make_addrport (krb5_context context,
+		    krb5_address **res, const krb5_address *addr, int16_t port)
+{
+    krb5_error_code ret;
+    size_t len = addr->address.length + 2 + 4 * 4;
+    u_char *p;
+
+    *res = malloc (sizeof(**res));
+    if (*res == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    (*res)->addr_type = KRB5_ADDRESS_ADDRPORT;
+    ret = krb5_data_alloc (&(*res)->address, len);
+    if (ret) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	free (*res);
+	return ret;
+    }
+    p = (*res)->address.data;
+    *p++ = 0;
+    *p++ = 0;
+    *p++ = (addr->addr_type     ) & 0xFF;
+    *p++ = (addr->addr_type >> 8) & 0xFF;
+
+    *p++ = (addr->address.length      ) & 0xFF;
+    *p++ = (addr->address.length >>  8) & 0xFF;
+    *p++ = (addr->address.length >> 16) & 0xFF;
+    *p++ = (addr->address.length >> 24) & 0xFF;
+
+    memcpy (p, addr->address.data, addr->address.length);
+    p += addr->address.length;
+
+    *p++ = 0;
+    *p++ = 0;
+    *p++ = (KRB5_ADDRESS_IPPORT     ) & 0xFF;
+    *p++ = (KRB5_ADDRESS_IPPORT >> 8) & 0xFF;
+
+    *p++ = (2      ) & 0xFF;
+    *p++ = (2 >>  8) & 0xFF;
+    *p++ = (2 >> 16) & 0xFF;
+    *p++ = (2 >> 24) & 0xFF;
+
+    memcpy (p, &port, 2);
+    p += 2;
+
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/aname_to_localname.c b/crypto/heimdal/lib/krb5/aname_to_localname.c
new file mode 100644
index 0000000..c125580
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/aname_to_localname.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: aname_to_localname.c,v 1.3 1999/12/02 17:05:07 joda Exp $");
+
+krb5_error_code
+krb5_aname_to_localname (krb5_context context,
+			 krb5_const_principal aname,
+			 size_t lnsize,
+			 char *lname)
+{
+    krb5_error_code ret;
+    krb5_realm *lrealms, *r;
+    int foo = 1;
+    size_t len;
+    char *res;
+
+    ret = krb5_get_default_realms (context, &lrealms);
+    if (ret)
+	return ret;
+
+    for (r = lrealms; *r != NULL; ++r) {
+	foo = strcmp (*r, aname->realm);
+	if (foo == 0)
+	    break;
+    }
+    krb5_free_host_realm (context, lrealms);
+    if (foo != 0)
+	return KRB5_NO_LOCALNAME;
+
+    if (aname->name.name_string.len == 1)
+	res = aname->name.name_string.val[0];
+    else if (aname->name.name_string.len == 2
+	     && strcmp (aname->name.name_string.val[1], "root") == 0)
+	res = "root";
+    else
+	return KRB5_NO_LOCALNAME;
+
+    len = strlen (res);
+    if (len >= lnsize)
+	return ERANGE;
+    strcpy (lname, res);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/appdefault.c b/crypto/heimdal/lib/krb5/appdefault.c
new file mode 100644
index 0000000..12de150
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/appdefault.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: appdefault.c,v 1.5 2001/05/14 06:14:44 assar Exp $");
+
+void
+krb5_appdefault_boolean(krb5_context context, const char *appname, 
+			krb5_realm realm, const char *option,
+			krb5_boolean def_val, krb5_boolean *ret_val)
+{
+    
+    if(appname == NULL)
+	appname = getprogname();
+    def_val = krb5_config_get_bool_default(context, NULL, def_val, 
+					   "appdefaults", 
+					   option, 
+					   NULL);
+    if(realm != NULL)
+	def_val = krb5_config_get_bool_default(context, NULL, def_val,
+					       "appdefaults", 
+					       realm, 
+					       option, 
+					       NULL);
+    if(appname != NULL) {
+	def_val = krb5_config_get_bool_default(context, NULL, def_val, 
+					       "appdefaults", 
+					       appname, 
+					       option, 
+					       NULL);
+	if(realm != NULL)
+	    def_val = krb5_config_get_bool_default(context, NULL, def_val,
+						   "appdefaults", 
+						   appname, 
+						   realm, 
+						   option, 
+						   NULL);
+    }
+    *ret_val = def_val;
+}
+
+void
+krb5_appdefault_string(krb5_context context, const char *appname, 
+		       krb5_realm realm, const char *option,
+		       const char *def_val, char **ret_val)
+{
+    if(appname == NULL)
+	appname = getprogname();
+    def_val = krb5_config_get_string_default(context, NULL, def_val, 
+					     "appdefaults", 
+					     option, 
+					     NULL);
+    if(realm != NULL)
+	def_val = krb5_config_get_string_default(context, NULL, def_val,
+						 "appdefaults", 
+						 realm, 
+						 option, 
+						 NULL);
+    if(appname != NULL) {
+	def_val = krb5_config_get_string_default(context, NULL, def_val, 
+						 "appdefaults", 
+						 appname, 
+						 option, 
+						 NULL);
+	if(realm != NULL)
+	    def_val = krb5_config_get_string_default(context, NULL, def_val,
+						     "appdefaults", 
+						     appname, 
+						     realm, 
+						     option, 
+						     NULL);
+    }
+    if(def_val != NULL)
+	*ret_val = strdup(def_val);
+    else
+	*ret_val = NULL;
+}
+
+void
+krb5_appdefault_time(krb5_context context, const char *appname,
+		     krb5_realm realm, const char *option,
+		     time_t def_val, time_t *ret_val)
+{
+    time_t t;
+    char tstr[32];
+    char *val;
+    snprintf(tstr, sizeof(tstr), "%ld", (long)def_val);
+    krb5_appdefault_string(context, appname, realm, option, tstr, &val);
+    t = parse_time (val, NULL);
+    free(val);
+    *ret_val = t;
+}
diff --git a/crypto/heimdal/lib/krb5/asn1_glue.c b/crypto/heimdal/lib/krb5/asn1_glue.c
new file mode 100644
index 0000000..ac83ff7
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/asn1_glue.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ *
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: asn1_glue.c,v 1.7 1999/12/02 17:05:07 joda Exp $");
+
+krb5_error_code
+krb5_principal2principalname (PrincipalName *p,
+			      const krb5_principal from)
+{
+    return copy_PrincipalName(&from->name, p);
+}
+
+krb5_error_code
+principalname2krb5_principal (krb5_principal *principal,
+			      const PrincipalName from,
+			      const Realm realm)
+{
+    krb5_principal p = malloc(sizeof(*p));
+    copy_PrincipalName(&from, &p->name);
+    p->realm = strdup(realm);
+    *principal = p;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/auth_context.c b/crypto/heimdal/lib/krb5/auth_context.c
new file mode 100644
index 0000000..eca2e87
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/auth_context.c
@@ -0,0 +1,472 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: auth_context.c,v 1.56 2001/05/14 06:14:44 assar Exp $");
+
+krb5_error_code
+krb5_auth_con_init(krb5_context context,
+		   krb5_auth_context *auth_context)
+{
+    krb5_auth_context p;
+
+    ALLOC(p, 1);
+    if(!p) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memset(p, 0, sizeof(*p));
+    ALLOC(p->authenticator, 1);
+    if (!p->authenticator) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	free(p);
+	return ENOMEM;
+    }
+    memset (p->authenticator, 0, sizeof(*p->authenticator));
+    p->flags = KRB5_AUTH_CONTEXT_DO_TIME;
+
+    p->local_address  = NULL;
+    p->remote_address = NULL;
+    p->local_port     = 0;
+    p->remote_port    = 0;
+    p->keytype        = KEYTYPE_NULL;
+    p->cksumtype      = CKSUMTYPE_NONE;
+    *auth_context     = p;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_con_free(krb5_context context,
+		   krb5_auth_context auth_context)
+{
+    if (auth_context != NULL) {
+	krb5_free_authenticator(context, &auth_context->authenticator);
+	if(auth_context->local_address){
+	    free_HostAddress(auth_context->local_address);
+	    free(auth_context->local_address);
+	}
+	if(auth_context->remote_address){
+	    free_HostAddress(auth_context->remote_address);
+	    free(auth_context->remote_address);
+	}
+	krb5_free_keyblock(context, auth_context->keyblock);
+	krb5_free_keyblock(context, auth_context->remote_subkey);
+	krb5_free_keyblock(context, auth_context->local_subkey);
+	free (auth_context);
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_con_setflags(krb5_context context,
+		       krb5_auth_context auth_context,
+		       int32_t flags)
+{
+    auth_context->flags = flags;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_auth_con_getflags(krb5_context context,
+		       krb5_auth_context auth_context,
+		       int32_t *flags)
+{
+    *flags = auth_context->flags;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_auth_con_setaddrs(krb5_context context,
+		       krb5_auth_context auth_context,
+		       krb5_address *local_addr,
+		       krb5_address *remote_addr)
+{
+    if (local_addr) {
+	if (auth_context->local_address)
+	    krb5_free_address (context, auth_context->local_address);
+	else
+	    auth_context->local_address = malloc(sizeof(krb5_address));
+	krb5_copy_address(context, local_addr, auth_context->local_address);
+    }
+    if (remote_addr) {
+	if (auth_context->remote_address)
+	    krb5_free_address (context, auth_context->remote_address);
+	else
+	    auth_context->remote_address = malloc(sizeof(krb5_address));
+	krb5_copy_address(context, remote_addr, auth_context->remote_address);
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_con_genaddrs(krb5_context context, 
+		       krb5_auth_context auth_context, 
+		       int fd, int flags)
+{
+    krb5_error_code ret;
+    krb5_address local_k_address, remote_k_address;
+    krb5_address *lptr = NULL, *rptr = NULL;
+    struct sockaddr_storage ss_local, ss_remote;
+    struct sockaddr *local  = (struct sockaddr *)&ss_local;
+    struct sockaddr *remote = (struct sockaddr *)&ss_remote;
+    socklen_t len;
+
+    if(flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR) {
+	if (auth_context->local_address == NULL) {
+	    len = sizeof(ss_local);
+	    if(getsockname(fd, local, &len) < 0) {
+		ret = errno;
+		krb5_set_error_string (context, "getsockname: %s",
+				       strerror(ret));
+		goto out;
+	    }
+	    krb5_sockaddr2address (context, local, &local_k_address);
+	    if(flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR) {
+		krb5_sockaddr2port (context, local, &auth_context->local_port);
+	    } else
+		auth_context->local_port = 0;
+	    lptr = &local_k_address;
+	}
+    }
+    if(flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR) {
+	len = sizeof(ss_remote);
+	if(getpeername(fd, remote, &len) < 0) {
+	    ret = errno;
+	    krb5_set_error_string (context, "getpeername: %s", strerror(ret));
+	    goto out;
+	}
+	krb5_sockaddr2address (context, remote, &remote_k_address);
+	if(flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR) {
+	    krb5_sockaddr2port (context, remote, &auth_context->remote_port);
+	} else
+	    auth_context->remote_port = 0;
+	rptr = &remote_k_address;
+    }
+    ret = krb5_auth_con_setaddrs (context,
+				  auth_context,
+				  lptr,
+				  rptr);
+  out:
+    if (lptr)
+	krb5_free_address (context, lptr);
+    if (rptr)
+	krb5_free_address (context, rptr);
+    return ret;
+
+}
+
+krb5_error_code
+krb5_auth_con_setaddrs_from_fd (krb5_context context,
+				krb5_auth_context auth_context,
+				void *p_fd)
+{
+    int fd = *(int*)p_fd;
+    int flags = 0;
+    if(auth_context->local_address == NULL)
+	flags |= KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR;
+    if(auth_context->remote_address == NULL)
+	flags |= KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR;
+    return krb5_auth_con_genaddrs(context, auth_context, fd, flags);
+}
+
+krb5_error_code
+krb5_auth_con_getaddrs(krb5_context context,
+		       krb5_auth_context auth_context,
+		       krb5_address **local_addr,
+		       krb5_address **remote_addr)
+{
+    if(*local_addr)
+	krb5_free_address (context, *local_addr);
+    *local_addr = malloc (sizeof(**local_addr));
+    if (*local_addr == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    krb5_copy_address(context,
+		      auth_context->local_address,
+		      *local_addr);
+
+    if(*remote_addr)
+	krb5_free_address (context, *remote_addr);
+    *remote_addr = malloc (sizeof(**remote_addr));
+    if (*remote_addr == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	krb5_free_address (context, *local_addr);
+	*local_addr = NULL;
+	return ENOMEM;
+    }
+    krb5_copy_address(context,
+		      auth_context->remote_address,
+		      *remote_addr);
+    return 0;
+}
+
+static krb5_error_code
+copy_key(krb5_context context,
+	 krb5_keyblock *in,
+	 krb5_keyblock **out)
+{
+    if(in)
+	return krb5_copy_keyblock(context, in, out);
+    *out = NULL; /* is this right? */
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_con_getkey(krb5_context context,
+		     krb5_auth_context auth_context,
+		     krb5_keyblock **keyblock)
+{
+    return copy_key(context, auth_context->keyblock, keyblock);
+}
+
+krb5_error_code
+krb5_auth_con_getlocalsubkey(krb5_context context,
+			     krb5_auth_context auth_context,
+			     krb5_keyblock **keyblock)
+{
+    return copy_key(context, auth_context->local_subkey, keyblock);
+}
+
+krb5_error_code
+krb5_auth_con_getremotesubkey(krb5_context context,
+			      krb5_auth_context auth_context,
+			      krb5_keyblock **keyblock)
+{
+    return copy_key(context, auth_context->remote_subkey, keyblock);
+}
+
+krb5_error_code
+krb5_auth_con_setkey(krb5_context context,
+		     krb5_auth_context auth_context,
+		     krb5_keyblock *keyblock)
+{
+    if(auth_context->keyblock)
+	krb5_free_keyblock(context, auth_context->keyblock);
+    return copy_key(context, keyblock, &auth_context->keyblock);
+}
+
+krb5_error_code
+krb5_auth_con_setlocalsubkey(krb5_context context,
+			     krb5_auth_context auth_context,
+			     krb5_keyblock *keyblock)
+{
+    if(auth_context->local_subkey)
+	krb5_free_keyblock(context, auth_context->local_subkey);
+    return copy_key(context, keyblock, &auth_context->local_subkey);
+}
+
+krb5_error_code
+krb5_auth_con_setremotesubkey(krb5_context context,
+			      krb5_auth_context auth_context,
+			      krb5_keyblock *keyblock)
+{
+    if(auth_context->remote_subkey)
+	krb5_free_keyblock(context, auth_context->remote_subkey);
+    return copy_key(context, keyblock, &auth_context->remote_subkey);
+}
+
+krb5_error_code
+krb5_auth_setcksumtype(krb5_context context,
+		       krb5_auth_context auth_context,
+		       krb5_cksumtype cksumtype)
+{
+    auth_context->cksumtype = cksumtype;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_getcksumtype(krb5_context context,
+		       krb5_auth_context auth_context,
+		       krb5_cksumtype *cksumtype)
+{
+    *cksumtype = auth_context->cksumtype;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_setkeytype (krb5_context context,
+		      krb5_auth_context auth_context,
+		      krb5_keytype keytype)
+{
+    auth_context->keytype = keytype;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_getkeytype (krb5_context context,
+		      krb5_auth_context auth_context,
+		      krb5_keytype *keytype)
+{
+    *keytype = auth_context->keytype;
+    return 0;
+}
+
+#if 0
+krb5_error_code
+krb5_auth_setenctype(krb5_context context,
+		     krb5_auth_context auth_context,
+		     krb5_enctype etype)
+{
+    if(auth_context->keyblock)
+	krb5_free_keyblock(context, auth_context->keyblock);
+    ALLOC(auth_context->keyblock, 1);
+    if(auth_context->keyblock == NULL)
+	return ENOMEM;
+    auth_context->keyblock->keytype = etype;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_getenctype(krb5_context context,
+		     krb5_auth_context auth_context,
+		     krb5_enctype *etype)
+{
+    krb5_abortx(context, "unimplemented krb5_auth_getenctype called");
+}
+#endif
+
+krb5_error_code
+krb5_auth_getlocalseqnumber(krb5_context context,
+			    krb5_auth_context auth_context,
+			    int32_t *seqnumber)
+{
+  *seqnumber = auth_context->local_seqnumber;
+  return 0;
+}
+
+krb5_error_code
+krb5_auth_setlocalseqnumber (krb5_context context,
+			     krb5_auth_context auth_context,
+			     int32_t seqnumber)
+{
+  auth_context->local_seqnumber = seqnumber;
+  return 0;
+}
+
+krb5_error_code
+krb5_auth_getremoteseqnumber(krb5_context context,
+			     krb5_auth_context auth_context,
+			     int32_t *seqnumber)
+{
+  *seqnumber = auth_context->remote_seqnumber;
+  return 0;
+}
+
+krb5_error_code
+krb5_auth_setremoteseqnumber (krb5_context context,
+			      krb5_auth_context auth_context,
+			      int32_t seqnumber)
+{
+  auth_context->remote_seqnumber = seqnumber;
+  return 0;
+}
+
+
+krb5_error_code
+krb5_auth_getauthenticator(krb5_context context,
+			   krb5_auth_context auth_context,
+			   krb5_authenticator *authenticator)
+{
+    *authenticator = malloc(sizeof(**authenticator));
+    if (*authenticator == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    copy_Authenticator(auth_context->authenticator,
+		       *authenticator);
+    return 0;
+}
+
+
+void
+krb5_free_authenticator(krb5_context context,
+			krb5_authenticator *authenticator)
+{
+    free_Authenticator (*authenticator);
+    free (*authenticator);
+    *authenticator = NULL;
+}
+
+
+krb5_error_code
+krb5_auth_con_setuserkey(krb5_context context,
+			 krb5_auth_context auth_context,
+			 krb5_keyblock *keyblock)
+{
+    if(auth_context->keyblock)
+	krb5_free_keyblock(context, auth_context->keyblock);
+    return krb5_copy_keyblock(context, keyblock, &auth_context->keyblock);
+}
+
+krb5_error_code
+krb5_auth_con_getrcache(krb5_context context,
+			krb5_auth_context auth_context,
+			krb5_rcache *rcache)
+{
+    *rcache = auth_context->rcache;
+    return 0;
+}
+
+krb5_error_code
+krb5_auth_con_setrcache(krb5_context context,
+			krb5_auth_context auth_context,
+			krb5_rcache rcache)
+{
+    auth_context->rcache = rcache;
+    return 0;
+}
+
+#if 0 /* not implemented */
+
+krb5_error_code
+krb5_auth_con_initivector(krb5_context context,
+			  krb5_auth_context auth_context)
+{
+    krb5_abortx(context, "unimplemented krb5_auth_con_initivector called");
+}
+
+
+krb5_error_code
+krb5_auth_con_setivector(krb5_context context,
+			 krb5_auth_context auth_context,
+			 krb5_pointer ivector)
+{
+    krb5_abortx(context, "unimplemented krb5_auth_con_setivector called");
+}
+
+#endif /* not implemented */
diff --git a/crypto/heimdal/lib/krb5/build_ap_req.c b/crypto/heimdal/lib/krb5/build_ap_req.c
new file mode 100644
index 0000000..e4f7d4e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/build_ap_req.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: build_ap_req.c,v 1.17 2001/05/14 06:14:44 assar Exp $");
+
+krb5_error_code
+krb5_build_ap_req (krb5_context context,
+		   krb5_enctype enctype,
+		   krb5_creds *cred,
+		   krb5_flags ap_options,
+		   krb5_data authenticator,
+		   krb5_data *retdata)
+{
+  krb5_error_code ret = 0;
+  AP_REQ ap;
+  Ticket t;
+  size_t len;
+  
+  ap.pvno = 5;
+  ap.msg_type = krb_ap_req;
+  memset(&ap.ap_options, 0, sizeof(ap.ap_options));
+  ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0;
+  ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0;
+  
+  ap.ticket.tkt_vno = 5;
+  copy_Realm(&cred->server->realm, &ap.ticket.realm);
+  copy_PrincipalName(&cred->server->name, &ap.ticket.sname);
+
+  decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
+  copy_EncryptedData(&t.enc_part, &ap.ticket.enc_part);
+  free_Ticket(&t);
+
+  ap.authenticator.etype = enctype;
+  ap.authenticator.kvno  = NULL;
+  ap.authenticator.cipher = authenticator;
+
+  retdata->length = length_AP_REQ(&ap);
+  retdata->data   = malloc(retdata->length);
+  if(retdata->data == NULL) {
+      krb5_set_error_string(context, "malloc: out of memory");
+      ret = ENOMEM;
+  } else
+      encode_AP_REQ((unsigned char *)retdata->data + retdata->length - 1,
+		    retdata->length, &ap, &len);
+  free_AP_REQ(&ap);
+  
+  return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/build_auth.c b/crypto/heimdal/lib/krb5/build_auth.c
new file mode 100644
index 0000000..b1650fd
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/build_auth.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: build_auth.c,v 1.35 2001/05/14 06:14:44 assar Exp $");
+
+krb5_error_code
+krb5_build_authenticator (krb5_context context,
+			  krb5_auth_context auth_context,
+			  krb5_enctype enctype,
+			  krb5_creds *cred,
+			  Checksum *cksum,
+			  Authenticator **auth_result,
+			  krb5_data *result,
+			  krb5_key_usage usage)
+{
+  Authenticator *auth;
+  u_char *buf = NULL;
+  size_t buf_size;
+  size_t len;
+  krb5_error_code ret;
+  krb5_crypto crypto;
+
+  auth = malloc(sizeof(*auth));
+  if (auth == NULL) {
+      krb5_set_error_string(context, "malloc: out of memory");
+      return ENOMEM;
+  }
+
+  memset (auth, 0, sizeof(*auth));
+  auth->authenticator_vno = 5;
+  copy_Realm(&cred->client->realm, &auth->crealm);
+  copy_PrincipalName(&cred->client->name, &auth->cname);
+
+  {
+      int32_t sec, usec;
+
+      krb5_us_timeofday (context, &sec, &usec);
+      auth->ctime = sec;
+      auth->cusec = usec;
+  }
+  ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey);
+  if(ret)
+      goto fail;
+
+  if(auth->subkey == NULL) {
+      krb5_generate_subkey (context, &cred->session, &auth->subkey);
+      ret = krb5_auth_con_setlocalsubkey(context, auth_context, auth->subkey);
+      if(ret)
+	  goto fail;
+  }
+
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    krb5_generate_seq_number (context,
+			      &cred->session, 
+			      &auth_context->local_seqnumber);
+    ALLOC(auth->seq_number, 1);
+    *auth->seq_number = auth_context->local_seqnumber;
+  } else
+    auth->seq_number = NULL;
+  auth->authorization_data = NULL;
+  auth->cksum = cksum;
+
+  /* XXX - Copy more to auth_context? */
+
+  if (auth_context) {
+    auth_context->authenticator->ctime = auth->ctime;
+    auth_context->authenticator->cusec = auth->cusec;
+  }
+
+  buf_size = 1024;
+  buf = malloc (buf_size);
+  if (buf == NULL) {
+      krb5_set_error_string(context, "malloc: out of memory");
+      ret = ENOMEM;
+      goto fail;
+  }
+
+  do {
+      ret = krb5_encode_Authenticator (context,
+				       buf + buf_size - 1,
+				       buf_size,
+				       auth, &len);
+      if (ret) {
+	  if (ret == ASN1_OVERFLOW) {
+	      u_char *tmp;
+
+	      buf_size *= 2;
+	      tmp = realloc (buf, buf_size);
+	      if (tmp == NULL) {
+		  krb5_set_error_string(context, "malloc: out of memory");
+		  ret = ENOMEM;
+		  goto fail;
+	      }
+	      buf = tmp;
+	  } else {
+	      goto fail;
+	  }
+      }
+  } while(ret == ASN1_OVERFLOW);
+
+  ret = krb5_crypto_init(context, &cred->session, enctype, &crypto);
+  if (ret)
+      goto fail;
+  ret = krb5_encrypt (context,
+		      crypto,
+		      usage /* KRB5_KU_AP_REQ_AUTH */,
+		      buf + buf_size - len, 
+		      len,
+		      result);
+  krb5_crypto_destroy(context, crypto);
+
+  if (ret)
+      goto fail;
+
+  free (buf);
+
+  if (auth_result)
+    *auth_result = auth;
+  else {
+    /* Don't free the `cksum', it's allocated by the caller */
+    auth->cksum = NULL;
+    free_Authenticator (auth);
+    free (auth);
+  }
+  return ret;
+fail:
+  free_Authenticator (auth);
+  free (auth);
+  free (buf);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/cache.c b/crypto/heimdal/lib/krb5/cache.c
new file mode 100644
index 0000000..141eb61
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/cache.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: cache.c,v 1.47 2001/05/14 06:14:45 assar Exp $");
+
+/*
+ * Add a new ccache type with operations `ops', overwriting any
+ * existing one if `override'.
+ * Return an error code or 0.
+ */
+
+krb5_error_code
+krb5_cc_register(krb5_context context, 
+		 const krb5_cc_ops *ops, 
+		 krb5_boolean override)
+{
+    char *prefix_copy;
+    int i;
+
+    for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
+	if(strcmp(context->cc_ops[i].prefix, ops->prefix) == 0) {
+	    if(override)
+		free(context->cc_ops[i].prefix);
+	    else {
+		krb5_set_error_string(context,
+				      "ccache type %s already exists",
+				      ops->prefix);
+		return KRB5_CC_TYPE_EXISTS;
+	    }
+	}
+    }
+    prefix_copy = strdup(ops->prefix);
+    if (prefix_copy == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+    if(i == context->num_cc_ops) {
+	krb5_cc_ops *o = realloc(context->cc_ops,
+				 (context->num_cc_ops + 1) *
+				 sizeof(*context->cc_ops));
+	if(o == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    free(prefix_copy);
+	    return KRB5_CC_NOMEM;
+	}
+	context->num_cc_ops++;
+	context->cc_ops = o;
+	memset(context->cc_ops + i, 0, 
+	       (context->num_cc_ops - i) * sizeof(*context->cc_ops));
+    }
+    memcpy(&context->cc_ops[i], ops, sizeof(context->cc_ops[i]));
+    context->cc_ops[i].prefix = prefix_copy;
+    return 0;
+}
+
+/*
+ * Allocate memory for a new ccache in `id' with operations `ops'
+ * and name `residual'.
+ * Return 0 or an error code.
+ */
+
+static krb5_error_code
+allocate_ccache (krb5_context context,
+		 const krb5_cc_ops *ops,
+		 const char *residual,
+		 krb5_ccache *id)
+{
+    krb5_error_code ret;
+    krb5_ccache p;
+
+    p = malloc(sizeof(*p));
+    if(p == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+    p->ops = ops;
+    *id = p;
+    ret = p->ops->resolve(context, id, residual);
+    if(ret)
+	free(p);
+    return ret;
+}
+
+/*
+ * Find and allocate a ccache in `id' from the specification in `residual'.
+ * If the ccache name doesn't contain any colon, interpret it as a file name.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_resolve(krb5_context context,
+		const char *name,
+		krb5_ccache *id)
+{
+    int i;
+
+    for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
+	size_t prefix_len = strlen(context->cc_ops[i].prefix);
+
+	if(strncmp(context->cc_ops[i].prefix, name, prefix_len) == 0
+	   && name[prefix_len] == ':') {
+	    return allocate_ccache (context, &context->cc_ops[i],
+				    name + prefix_len + 1,
+				    id);
+	}
+    }
+    if (strchr (name, ':') == NULL)
+	return allocate_ccache (context, &krb5_fcc_ops, name, id);
+    else {
+	krb5_set_error_string(context, "unknown ccache type %s", name);
+	return KRB5_CC_UNKNOWN_TYPE;
+    }
+}
+
+/*
+ * Generate a new ccache of type `ops' in `id'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_gen_new(krb5_context context,
+		const krb5_cc_ops *ops,
+		krb5_ccache *id)
+{
+    krb5_ccache p;
+
+    p = malloc (sizeof(*p));
+    if (p == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+    p->ops = ops;
+    *id = p;
+    return p->ops->gen_new(context, id);
+}
+
+/*
+ * Return the name of the ccache `id'
+ */
+
+const char*
+krb5_cc_get_name(krb5_context context,
+		 krb5_ccache id)
+{
+    return id->ops->get_name(context, id);
+}
+
+/*
+ * Return the type of the ccache `id'.
+ */
+
+const char*
+krb5_cc_get_type(krb5_context context,
+		 krb5_ccache id)
+{
+    return id->ops->prefix;
+}
+
+/*
+ * Return a pointer to a static string containing the default ccache name.
+ */
+
+const char*
+krb5_cc_default_name(krb5_context context)
+{
+    static char name[1024];
+    char *p;
+
+    p = getenv("KRB5CCNAME");
+    if(p)
+	strlcpy (name, p, sizeof(name));
+    else
+	snprintf(name,
+		 sizeof(name),
+		 "FILE:/tmp/krb5cc_%u",
+		 (unsigned)getuid());
+    return name;
+}
+
+/*
+ * Open the default ccache in `id'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_default(krb5_context context,
+		krb5_ccache *id)
+{
+    return krb5_cc_resolve(context, 
+			   krb5_cc_default_name(context), 
+			   id);
+}
+
+/*
+ * Create a new ccache in `id' for `primary_principal'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_initialize(krb5_context context,
+		   krb5_ccache id,
+		   krb5_principal primary_principal)
+{
+    return id->ops->init(context, id, primary_principal);
+}
+
+
+/*
+ * Remove the ccache `id'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_destroy(krb5_context context,
+		krb5_ccache id)
+{
+    krb5_error_code ret;
+
+    ret = id->ops->destroy(context, id);
+    krb5_cc_close (context, id);
+    return ret;
+}
+
+/*
+ * Stop using the ccache `id' and free the related resources.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_close(krb5_context context,
+	      krb5_ccache id)
+{
+    krb5_error_code ret;
+    ret = id->ops->close(context, id);
+    free(id);
+    return ret;
+}
+
+/*
+ * Store `creds' in the ccache `id'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_store_cred(krb5_context context,
+		   krb5_ccache id,
+		   krb5_creds *creds)
+{
+    return id->ops->store(context, id, creds);
+}
+
+/*
+ * Retrieve the credential identified by `mcreds' (and `whichfields')
+ * from `id' in `creds'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_retrieve_cred(krb5_context context,
+		      krb5_ccache id,
+		      krb5_flags whichfields,
+		      const krb5_creds *mcreds,
+		      krb5_creds *creds)
+{
+    krb5_error_code ret;
+    krb5_cc_cursor cursor;
+    krb5_cc_start_seq_get(context, id, &cursor);
+    while((ret = krb5_cc_next_cred(context, id, &cursor, creds)) == 0){
+	if(krb5_compare_creds(context, whichfields, mcreds, creds)){
+	    ret = 0;
+	    break;
+	}
+	krb5_free_creds_contents (context, creds);
+    }
+    krb5_cc_end_seq_get(context, id, &cursor);
+    return ret;
+}
+
+/*
+ * Return the principal of `id' in `principal'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_get_principal(krb5_context context,
+		      krb5_ccache id,
+		      krb5_principal *principal)
+{
+    return id->ops->get_princ(context, id, principal);
+}
+
+/*
+ * Start iterating over `id', `cursor' is initialized to the
+ * beginning.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_start_seq_get (krb5_context context,
+		       const krb5_ccache id,
+		       krb5_cc_cursor *cursor)
+{
+    return id->ops->get_first(context, id, cursor);
+}
+
+/*
+ * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
+ * and advance `cursor'.
+ * Return 0 or an error code.
+ */
+
+krb5_error_code
+krb5_cc_next_cred (krb5_context context,
+		   const krb5_ccache id,
+		   krb5_cc_cursor *cursor,
+		   krb5_creds *creds)
+{
+    return id->ops->get_next(context, id, cursor, creds);
+}
+
+/*
+ * Destroy the cursor `cursor'.
+ */
+
+krb5_error_code
+krb5_cc_end_seq_get (krb5_context context,
+		     const krb5_ccache id,
+		     krb5_cc_cursor *cursor)
+{
+    return id->ops->end_get(context, id, cursor);
+}
+
+/*
+ * Remove the credential identified by `cred', `which' from `id'.
+ */
+
+krb5_error_code
+krb5_cc_remove_cred(krb5_context context,
+		    krb5_ccache id,
+		    krb5_flags which,
+		    krb5_creds *cred)
+{
+    if(id->ops->remove_cred == NULL) {
+	krb5_set_error_string(context,
+			      "ccache %s does not support remove_cred",
+			      id->ops->prefix);
+	return EACCES; /* XXX */
+    }
+    return (*id->ops->remove_cred)(context, id, which, cred);
+}
+
+/*
+ * Set the flags of `id' to `flags'.
+ */
+
+krb5_error_code
+krb5_cc_set_flags(krb5_context context,
+		  krb5_ccache id,
+		  krb5_flags flags)
+{
+    return id->ops->set_flags(context, id, flags);
+}
+		    
+/*
+ * Copy the contents of `from' to `to'.
+ */
+
+krb5_error_code
+krb5_cc_copy_cache(krb5_context context,
+		   const krb5_ccache from,
+		   krb5_ccache to)
+{
+    krb5_error_code ret;
+    krb5_cc_cursor cursor;
+    krb5_creds cred;
+    krb5_principal princ;
+
+    ret = krb5_cc_get_principal(context, from, &princ);
+    if(ret)
+	return ret;
+    ret = krb5_cc_initialize(context, to, princ);
+    if(ret){
+	krb5_free_principal(context, princ);
+	return ret;
+    }
+    ret = krb5_cc_start_seq_get(context, from, &cursor);
+    if(ret){
+	krb5_free_principal(context, princ);
+	return ret;
+    }
+    while(ret == 0 && krb5_cc_next_cred(context, from, &cursor, &cred) == 0){
+	ret = krb5_cc_store_cred(context, to, &cred);
+	krb5_free_creds_contents (context, &cred);
+    }
+    krb5_cc_end_seq_get(context, from, &cursor);
+    krb5_free_principal(context, princ);
+    return ret;
+}
+
+/*
+ * Return the version of `id'.
+ */
+
+krb5_error_code
+krb5_cc_get_version(krb5_context context,
+		    const krb5_ccache id)
+{
+    if(id->ops->get_version)
+	return id->ops->get_version(context, id);
+    else
+	return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/changepw.c b/crypto/heimdal/lib/krb5/changepw.c
new file mode 100644
index 0000000..309e972
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/changepw.c
@@ -0,0 +1,389 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: changepw.c,v 1.32 2001/05/14 22:49:55 assar Exp $");
+
+static krb5_error_code
+get_kdc_address (krb5_context context,
+		 krb5_realm realm,
+		 struct addrinfo **ai,
+		 char **ret_host)
+{
+    krb5_error_code ret;
+    char **hostlist;
+    int port = 0;
+    int error;
+    char *host;
+    int save_errno;
+
+    ret = krb5_get_krb_changepw_hst (context,
+				     &realm,
+				     &hostlist);
+    if (ret)
+	return ret;
+
+    host = strdup(*hostlist);
+    krb5_free_krbhst(context, hostlist);
+    if (host == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    port = ntohs(krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT));
+    error = roken_getaddrinfo_hostspec2(host, SOCK_DGRAM, port, ai);
+
+    if(error) {
+	save_errno = errno;
+	krb5_set_error_string(context, "resolving %s: %s",
+			      host, gai_strerror(error));
+	return krb5_eai_to_heim_errno(error, save_errno);
+    }
+    *ret_host = host;
+    return 0;
+}
+
+static krb5_error_code
+send_request (krb5_context context,
+	      krb5_auth_context *auth_context,
+	      krb5_creds *creds,
+	      int sock,
+	      struct sockaddr *sa,
+	      int sa_size,
+	      char *passwd,
+	      const char *host)
+{
+    krb5_error_code ret;
+    krb5_data ap_req_data;
+    krb5_data krb_priv_data;
+    krb5_data passwd_data;
+    size_t len;
+    u_char header[6];
+    u_char *p;
+    struct iovec iov[3];
+    struct msghdr msghdr;
+
+    krb5_data_zero (&ap_req_data);
+
+    ret = krb5_mk_req_extended (context,
+				auth_context,
+				AP_OPTS_MUTUAL_REQUIRED,
+				NULL, /* in_data */
+				creds,
+				&ap_req_data);
+    if (ret)
+	return ret;
+
+    passwd_data.data   = passwd;
+    passwd_data.length = strlen(passwd);
+
+    krb5_data_zero (&krb_priv_data);
+
+    ret = krb5_mk_priv (context,
+			*auth_context,
+			&passwd_data,
+			&krb_priv_data,
+			NULL);
+    if (ret)
+	goto out2;
+
+    len = 6 + ap_req_data.length + krb_priv_data.length;
+    p = header;
+    *p++ = (len >> 8) & 0xFF;
+    *p++ = (len >> 0) & 0xFF;
+    *p++ = 0;
+    *p++ = 1;
+    *p++ = (ap_req_data.length >> 8) & 0xFF;
+    *p++ = (ap_req_data.length >> 0) & 0xFF;
+
+    memset(&msghdr, 0, sizeof(msghdr));
+    msghdr.msg_name       = (void *)sa;
+    msghdr.msg_namelen    = sa_size;
+    msghdr.msg_iov        = iov;
+    msghdr.msg_iovlen     = sizeof(iov)/sizeof(*iov);
+#if 0
+    msghdr.msg_control    = NULL;
+    msghdr.msg_controllen = 0;
+#endif
+
+    iov[0].iov_base    = (void*)header;
+    iov[0].iov_len     = 6;
+    iov[1].iov_base    = ap_req_data.data;
+    iov[1].iov_len     = ap_req_data.length;
+    iov[2].iov_base    = krb_priv_data.data;
+    iov[2].iov_len     = krb_priv_data.length;
+
+    if (sendmsg (sock, &msghdr, 0) < 0) {
+	ret = errno;
+	krb5_set_error_string(context, "sendmsg %s: %s", host, strerror(ret));
+    }
+
+    krb5_data_free (&krb_priv_data);
+out2:
+    krb5_data_free (&ap_req_data);
+    return ret;
+}
+
+static void
+str2data (krb5_data *d,
+	  const char *fmt,
+	  ...) __attribute__ ((format (printf, 2, 3)));
+
+static void
+str2data (krb5_data *d,
+	  const char *fmt,
+	  ...)
+{
+    va_list args;
+
+    va_start(args, fmt);
+    d->length = vasprintf ((char **)&d->data, fmt, args);
+    va_end(args);
+}
+
+static krb5_error_code
+process_reply (krb5_context context,
+	       krb5_auth_context auth_context,
+	       int sock,
+	       int *result_code,
+	       krb5_data *result_code_string,
+	       krb5_data *result_string,
+	       const char *host)
+{
+    krb5_error_code ret;
+    u_char reply[BUFSIZ];
+    size_t len;
+    u_int16_t pkt_len, pkt_ver;
+    krb5_data ap_rep_data;
+    int save_errno;
+
+    ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
+    if (ret < 0) {
+	save_errno = errno;
+	krb5_set_error_string(context, "recvfrom %s: %s",
+			      host, strerror(save_errno));
+	return save_errno;
+    }
+
+    len = ret;
+    pkt_len = (reply[0] << 8) | (reply[1]);
+    pkt_ver = (reply[2] << 8) | (reply[3]);
+
+    if (pkt_len != len) {
+	str2data (result_string, "client: wrong len in reply");
+	*result_code = KRB5_KPASSWD_MALFORMED;
+	return 0;
+    }
+    if (pkt_ver != 0x0001) {
+	str2data (result_string,
+		  "client: wrong version number (%d)", pkt_ver);
+	*result_code = KRB5_KPASSWD_MALFORMED;
+	return 0;
+    }
+
+    ap_rep_data.data = reply + 6;
+    ap_rep_data.length  = (reply[4] << 8) | (reply[5]);
+  
+    if (ap_rep_data.length) {
+	krb5_ap_rep_enc_part *ap_rep;
+	krb5_data priv_data;
+	u_char *p;
+
+	ret = krb5_rd_rep (context,
+			   auth_context,
+			   &ap_rep_data,
+			   &ap_rep);
+	if (ret)
+	    return ret;
+
+	krb5_free_ap_rep_enc_part (context, ap_rep);
+
+	priv_data.data   = (u_char*)ap_rep_data.data + ap_rep_data.length;
+	priv_data.length = len - ap_rep_data.length - 6;
+
+	ret = krb5_rd_priv (context,
+			    auth_context,
+			    &priv_data,
+			    result_code_string,
+			    NULL);
+	if (ret) {
+	    krb5_data_free (result_code_string);
+	    return ret;
+	}
+
+	if (result_code_string->length < 2) {
+	    *result_code = KRB5_KPASSWD_MALFORMED;
+	    str2data (result_string,
+		      "client: bad length in result");
+	    return 0;
+	}
+	p = result_code_string->data;
+      
+	*result_code = (p[0] << 8) | p[1];
+	krb5_data_copy (result_string,
+			(unsigned char*)result_code_string->data + 2,
+			result_code_string->length - 2);
+	return 0;
+    } else {
+	KRB_ERROR error;
+	size_t size;
+	u_char *p;
+      
+	ret = decode_KRB_ERROR(reply + 6, len - 6, &error, &size);
+	if (ret) {
+	    return ret;
+	}
+	if (error.e_data->length < 2) {
+	    krb5_warnx (context, "too short e_data to print anything usable");
+	    return 1;		/* XXX */
+	}
+
+	p = error.e_data->data;
+	*result_code = (p[0] << 8) | p[1];
+	krb5_data_copy (result_string,
+			p + 2,
+			error.e_data->length - 2);
+	return 0;
+    }
+}
+
+/*
+ * change the password using the credentials in `creds' (for the
+ * principal indicated in them) to `newpw', storing the result of
+ * the operation in `result_*' and an error code or 0.
+ */
+
+krb5_error_code
+krb5_change_password (krb5_context	context,
+		      krb5_creds	*creds,
+		      char		*newpw,
+		      int		*result_code,
+		      krb5_data		*result_code_string,
+		      krb5_data		*result_string)
+{
+    krb5_error_code ret;
+    krb5_auth_context auth_context = NULL;
+    int sock;
+    int i;
+    struct addrinfo *ai, *a;
+    int done = 0;
+    char *host = NULL;
+
+    ret = krb5_auth_con_init (context, &auth_context);
+    if (ret)
+	return ret;
+
+    ret = get_kdc_address (context, creds->client->realm, &ai, &host);
+    if (ret)
+	goto out;
+
+    for (a = ai; !done && a != NULL; a = a->ai_next) {
+	int replied = 0;
+
+	sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (sock < 0)
+	    continue;
+
+	for (i = 0; !done && i < 5; ++i) {
+	    fd_set fdset;
+	    struct timeval tv;
+
+	    if (!replied) {
+		replied = 0;
+		ret = send_request (context,
+				    &auth_context,
+				    creds,
+				    sock,
+				    a->ai_addr,
+				    a->ai_addrlen,
+				    newpw,
+				    host);
+		if (ret) {
+		    close(sock);
+		    goto out;
+		}
+	    }
+	    
+	    if (sock >= FD_SETSIZE) {
+		krb5_set_error_string(context, "fd %d too large", sock);
+		ret = ERANGE;
+		close (sock);
+		goto out;
+	    }
+
+	    FD_ZERO(&fdset);
+	    FD_SET(sock, &fdset);
+	    tv.tv_usec = 0;
+	    tv.tv_sec  = 1 + (1 << i);
+
+	    ret = select (sock + 1, &fdset, NULL, NULL, &tv);
+	    if (ret < 0 && errno != EINTR) {
+		close(sock);
+		goto out;
+	    }
+	    if (ret == 1) {
+		ret = process_reply (context,
+				     auth_context,
+				     sock,
+				     result_code,
+				     result_code_string,
+				     result_string,
+				     host);
+		if (ret == 0)
+		    done = 1;
+		else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL)
+		    replied = 1;
+	    } else {
+		ret = KRB5_KDC_UNREACH;
+	    }
+	}
+	close (sock);
+    }
+    freeaddrinfo (ai);
+
+out:
+    krb5_auth_con_free (context, auth_context);
+    free (host);
+    if (done)
+	return 0;
+    else {
+	if (ret == KRB5_KDC_UNREACH)
+	    krb5_set_error_string(context,
+				  "failed to reach kpasswd server %s "
+				  "in realm %s",
+				  host, creds->client->realm);
+
+	return ret;
+    }
+}
diff --git a/crypto/heimdal/lib/krb5/codec.c b/crypto/heimdal/lib/krb5/codec.c
new file mode 100644
index 0000000..6a49e68
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/codec.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: codec.c,v 1.7 2001/05/16 22:08:08 assar Exp $");
+
+krb5_error_code
+krb5_decode_EncTicketPart (krb5_context context,
+			   const void *data,
+			   size_t length,
+			   EncTicketPart *t,
+			   size_t *len)
+{
+    return decode_EncTicketPart(data, length, t, len);
+}
+
+krb5_error_code
+krb5_encode_EncTicketPart (krb5_context context,
+			   void *data,
+			   size_t length,
+			   EncTicketPart *t,
+			   size_t *len)
+{
+    return encode_EncTicketPart(data, length, t, len);
+}
+
+krb5_error_code
+krb5_decode_EncASRepPart (krb5_context context,
+			  const void *data,
+			  size_t length,
+			  EncASRepPart *t,
+			  size_t *len)
+{
+    return decode_EncASRepPart(data, length, t, len);
+}
+
+krb5_error_code
+krb5_encode_EncASRepPart (krb5_context context,
+			  void *data,
+			  size_t length,
+			  EncASRepPart *t,
+			  size_t *len)
+{
+    return encode_EncASRepPart(data, length, t, len);
+}
+
+krb5_error_code
+krb5_decode_EncTGSRepPart (krb5_context context,
+			   const void *data,
+			   size_t length,
+			   EncTGSRepPart *t,
+			   size_t *len)
+{
+    return decode_EncTGSRepPart(data, length, t, len);
+}
+
+krb5_error_code
+krb5_encode_EncTGSRepPart (krb5_context context,
+			   void *data,
+			   size_t length,
+			   EncTGSRepPart *t,
+			   size_t *len)
+{
+    return encode_EncTGSRepPart(data, length, t, len);
+}
+
+krb5_error_code
+krb5_decode_EncAPRepPart (krb5_context context,
+			  const void *data,
+			  size_t length,
+			  EncAPRepPart *t,
+			  size_t *len)
+{
+    return decode_EncAPRepPart(data, length, t, len);
+}
+
+krb5_error_code
+krb5_encode_EncAPRepPart (krb5_context context,
+			  void *data,
+			  size_t length,
+			  EncAPRepPart *t,
+			  size_t *len)
+{
+    return encode_EncAPRepPart(data, length, t, len);
+}
+
+krb5_error_code
+krb5_decode_Authenticator (krb5_context context,
+			   const void *data,
+			   size_t length,
+			   Authenticator *t,
+			   size_t *len)
+{
+    return decode_Authenticator(data, length, t, len);
+}
+
+krb5_error_code
+krb5_encode_Authenticator (krb5_context context,
+			   void *data,
+			   size_t length,
+			   Authenticator *t,
+			   size_t *len)
+{
+    return encode_Authenticator(data, length, t, len);
+}
+
+krb5_error_code
+krb5_decode_EncKrbCredPart (krb5_context context,
+			    const void *data,
+			    size_t length,
+			    EncKrbCredPart *t,
+			    size_t *len)
+{
+    return decode_EncKrbCredPart(data, length, t, len);
+}
+
+krb5_error_code
+krb5_encode_EncKrbCredPart (krb5_context context,
+			    void *data,
+			    size_t length,
+			    EncKrbCredPart *t,
+			    size_t *len)
+{
+    return encode_EncKrbCredPart (data, length, t, len);
+}
+
+krb5_error_code
+krb5_decode_ETYPE_INFO (krb5_context context,
+			const void *data,
+			size_t length,
+			ETYPE_INFO *t,
+			size_t *len)
+{
+    return decode_ETYPE_INFO(data, length, t, len);
+}
+
+krb5_error_code
+krb5_encode_ETYPE_INFO (krb5_context context,
+			void *data,
+			size_t length,
+			ETYPE_INFO *t,
+			size_t *len)
+{
+    return encode_ETYPE_INFO (data, length, t, len);
+}
diff --git a/crypto/heimdal/lib/krb5/config_file.c b/crypto/heimdal/lib/krb5/config_file.c
new file mode 100644
index 0000000..b53b69c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/config_file.c
@@ -0,0 +1,791 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: config_file.c,v 1.42 2001/05/14 06:14:45 assar Exp $");
+
+#ifndef HAVE_NETINFO
+
+static krb5_error_code parse_section(char *p, krb5_config_section **s,
+				     krb5_config_section **res,
+				     char **error_message);
+static krb5_error_code parse_binding(FILE *f, unsigned *lineno, char *p,
+				     krb5_config_binding **b,
+				     krb5_config_binding **parent,
+				     char **error_message);
+static krb5_error_code parse_list(FILE *f, unsigned *lineno,
+				  krb5_config_binding **parent,
+				  char **error_message);
+
+/*
+ * Parse a section:
+ *
+ * [section]
+ *	foo = bar
+ *	b = {
+ *		a
+ *	    }
+ * ...
+ * 
+ * starting at the line in `p', storing the resulting structure in
+ * `s' and hooking it into `parent'.
+ * Store the error message in `error_message'.
+ */
+
+static krb5_error_code
+parse_section(char *p, krb5_config_section **s, krb5_config_section **parent,
+	      char **error_message)
+{
+    char *p1;
+    krb5_config_section *tmp;
+
+    p1 = strchr (p + 1, ']');
+    if (p1 == NULL) {
+	*error_message = "missing ]";
+	return KRB5_CONFIG_BADFORMAT;
+    }
+    *p1 = '\0';
+    tmp = malloc(sizeof(*tmp));
+    if (tmp == NULL) {
+	*error_message = "out of memory";
+	return KRB5_CONFIG_BADFORMAT;
+    }
+    tmp->name = strdup(p+1);
+    if (tmp->name == NULL) {
+	*error_message = "out of memory";
+	return KRB5_CONFIG_BADFORMAT;
+    }
+    tmp->type = krb5_config_list;
+    tmp->u.list = NULL;
+    tmp->next = NULL;
+    if (*s)
+	(*s)->next = tmp;
+    else
+	*parent = tmp;
+    *s = tmp;
+    return 0;
+}
+
+/*
+ * Parse a brace-enclosed list from `f', hooking in the structure at
+ * `parent'.
+ * Store the error message in `error_message'.
+ */
+
+static int
+parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent,
+	   char **error_message)
+{
+    char buf[BUFSIZ];
+    int ret;
+    krb5_config_binding *b = NULL;
+    unsigned beg_lineno = *lineno;
+
+    while(fgets(buf, sizeof(buf), f) != NULL) {
+	char *p;
+
+	++*lineno;
+	if (buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+	p = buf;
+	while(isspace((unsigned char)*p))
+	    ++p;
+	if (*p == '#' || *p == ';' || *p == '\0')
+	    continue;
+	while(isspace((unsigned char)*p))
+	    ++p;
+	if (*p == '}')
+	    return 0;
+	if (*p == '\0')
+	    continue;
+	ret = parse_binding (f, lineno, p, &b, parent, error_message);
+	if (ret)
+	    return ret;
+    }
+    *lineno = beg_lineno;
+    *error_message = "unclosed {";
+    return KRB5_CONFIG_BADFORMAT;
+}
+
+/*
+ *
+ */
+
+static int
+parse_binding(FILE *f, unsigned *lineno, char *p,
+	      krb5_config_binding **b, krb5_config_binding **parent,
+	      char **error_message)
+{
+    krb5_config_binding *tmp;
+    char *p1, *p2;
+    int ret = 0;
+
+    p1 = p;
+    while (*p && *p != '=' && !isspace((unsigned char)*p))
+	++p;
+    if (*p == '\0') {
+	*error_message = "no =";
+	return KRB5_CONFIG_BADFORMAT;
+    }
+    p2 = p;
+    while (isspace((unsigned char)*p))
+	++p;
+    if (*p != '=') {
+	*error_message = "no =";
+	return KRB5_CONFIG_BADFORMAT;
+    }
+    ++p;
+    while(isspace((unsigned char)*p))
+	++p;
+    tmp = malloc(sizeof(*tmp));
+    if (tmp == NULL) {
+	*error_message = "out of memory";
+	return KRB5_CONFIG_BADFORMAT;
+    }
+    *p2 = '\0';
+    tmp->name = strdup(p1);
+    tmp->next = NULL;
+    if (*p == '{') {
+	tmp->type = krb5_config_list;
+	tmp->u.list = NULL;
+	ret = parse_list (f, lineno, &tmp->u.list, error_message);
+    } else {
+	p1 = p;
+	p = p1 + strlen(p1);
+	while(p > p1 && isspace((unsigned char)*(p-1)))
+	    --p;
+	*p = '\0';
+	tmp->type = krb5_config_string;
+	tmp->u.string = strdup(p1);
+    }
+    if (*b)
+	(*b)->next = tmp;
+    else
+	*parent = tmp;
+    *b = tmp;
+    return ret;
+}
+
+/*
+ * Parse the config file `fname', generating the structures into `res'
+ * returning error messages in `error_message'
+ */
+
+static krb5_error_code
+krb5_config_parse_file_debug (const char *fname,
+			      krb5_config_section **res,
+			      unsigned *lineno,
+			      char **error_message)
+{
+    FILE *f;
+    krb5_config_section *s;
+    krb5_config_binding *b;
+    char buf[BUFSIZ];
+    krb5_error_code ret = 0;
+
+    s = NULL;
+    b = NULL;
+    *lineno = 0;
+    f = fopen (fname, "r");
+    if (f == NULL) {
+	*error_message = "cannot open file";
+	return ENOENT;
+    }
+    *res = NULL;
+    while (fgets(buf, sizeof(buf), f) != NULL) {
+	char *p;
+
+	++*lineno;
+	if(buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+	p = buf;
+	while(isspace((unsigned char)*p))
+	    ++p;
+	if (*p == '#' || *p == ';')
+	    continue;
+	if (*p == '[') {
+	    ret = parse_section(p, &s, res, error_message);
+	    if (ret) {
+		goto out;
+	    }
+	    b = NULL;
+	} else if (*p == '}') {
+	    *error_message = "unmatched }";
+	    ret = EINVAL;	/* XXX */
+	    goto out;
+	} else if(*p != '\0') {
+	    ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message);
+	    if (ret)
+		goto out;
+	}
+    }
+out:
+    fclose (f);
+    return ret;
+}
+
+krb5_error_code
+krb5_config_parse_file (krb5_context context,
+			const char *fname,
+			krb5_config_section **res)
+{
+    char *str;
+    unsigned lineno;
+    krb5_error_code ret;
+
+    ret = krb5_config_parse_file_debug (fname, res, &lineno, &str);
+    if (ret) {
+	krb5_set_error_string (context, "%s:%u: %s", fname, lineno, str);
+	return ret;
+    }
+    return 0;
+}
+
+#endif /* !HAVE_NETINFO */
+
+static void
+free_binding (krb5_context context, krb5_config_binding *b)
+{
+    krb5_config_binding *next_b;
+
+    while (b) {
+	free (b->name);
+	if (b->type == krb5_config_string)
+	    free (b->u.string);
+	else if (b->type == krb5_config_list)
+	    free_binding (context, b->u.list);
+	else
+	    krb5_abortx(context, "unknown binding type (%d) in free_binding", 
+			b->type);
+	next_b = b->next;
+	free (b);
+	b = next_b;
+    }
+}
+
+krb5_error_code
+krb5_config_file_free (krb5_context context, krb5_config_section *s)
+{
+    free_binding (context, s);
+    return 0;
+}
+
+const void *
+krb5_config_get_next (krb5_context context,
+		      krb5_config_section *c,
+		      krb5_config_binding **pointer,
+		      int type,
+		      ...)
+{
+    const char *ret;
+    va_list args;
+
+    va_start(args, type);
+    ret = krb5_config_vget_next (context, c, pointer, type, args);
+    va_end(args);
+    return ret;
+}
+
+const void *
+krb5_config_vget_next (krb5_context context,
+		       krb5_config_section *c,
+		       krb5_config_binding **pointer,
+		       int type,
+		       va_list args)
+{
+    krb5_config_binding *b;
+    const char *p;
+
+    if(c == NULL)
+	c = context->cf;
+
+    if (c == NULL)
+	return NULL;
+
+    if (*pointer == NULL) {
+	b = (c != NULL) ? c : context->cf;
+	p = va_arg(args, const char *);
+	if (p == NULL)
+	    return NULL;
+    } else {
+	b = *pointer;
+	p = b->name;
+	b = b->next;
+    }
+
+    while (b) {
+	if (strcmp (b->name, p) == 0) {
+	    if (*pointer == NULL)
+		p = va_arg(args, const char *);
+	    else
+		p = NULL;
+	    if (type == b->type && p == NULL) {
+		*pointer = b;
+		return b->u.generic;
+	    } else if(b->type == krb5_config_list && p != NULL) {
+		b = b->u.list;
+	    } else {
+		return NULL;
+	    }
+	} else {
+	    b = b->next;
+	}
+    }
+    return NULL;
+}
+
+const void *
+krb5_config_get (krb5_context context,
+		 krb5_config_section *c,
+		 int type,
+		 ...)
+{
+    const void *ret;
+    va_list args;
+
+    va_start(args, type);
+    ret = krb5_config_vget (context, c, type, args);
+    va_end(args);
+    return ret;
+}
+
+const void *
+krb5_config_vget (krb5_context context,
+		  krb5_config_section *c,
+		  int type,
+		  va_list args)
+{
+    krb5_config_binding *foo = NULL;
+
+    return krb5_config_vget_next (context, c, &foo, type, args);
+}
+
+const krb5_config_binding *
+krb5_config_get_list (krb5_context context,
+		      krb5_config_section *c,
+		      ...)
+{
+    const krb5_config_binding *ret;
+    va_list args;
+
+    va_start(args, c);
+    ret = krb5_config_vget_list (context, c, args);
+    va_end(args);
+    return ret;
+}
+
+const krb5_config_binding *
+krb5_config_vget_list (krb5_context context,
+		       krb5_config_section *c,
+		       va_list args)
+{
+    return krb5_config_vget (context, c, krb5_config_list, args);
+}
+
+const char *
+krb5_config_get_string (krb5_context context,
+			krb5_config_section *c,
+			...)
+{
+    const char *ret;
+    va_list args;
+
+    va_start(args, c);
+    ret = krb5_config_vget_string (context, c, args);
+    va_end(args);
+    return ret;
+}
+
+const char *
+krb5_config_vget_string (krb5_context context,
+			 krb5_config_section *c,
+			 va_list args)
+{
+    return krb5_config_vget (context, c, krb5_config_string, args);
+}
+
+const char *
+krb5_config_vget_string_default (krb5_context context,
+				 krb5_config_section *c,
+				 const char *def_value,
+				 va_list args)
+{
+    const char *ret;
+
+    ret = krb5_config_vget_string (context, c, args);
+    if (ret == NULL)
+	ret = def_value;
+    return ret;
+}
+
+const char *
+krb5_config_get_string_default (krb5_context context,
+				krb5_config_section *c,
+				const char *def_value,
+				...)
+{
+    const char *ret;
+    va_list args;
+
+    va_start(args, def_value);
+    ret = krb5_config_vget_string_default (context, c, def_value, args);
+    va_end(args);
+    return ret;
+}
+
+char **
+krb5_config_vget_strings(krb5_context context,
+			 krb5_config_section *c,
+			 va_list args)
+{
+    char **strings = NULL;
+    int nstr = 0;
+    krb5_config_binding *b = NULL;
+    const char *p;
+
+    while((p = krb5_config_vget_next(context, c, &b, 
+				     krb5_config_string, args))) {
+	char *tmp = strdup(p);
+	char *pos = NULL;
+	char *s;
+	if(tmp == NULL)
+	    goto cleanup;
+	s = strtok_r(tmp, " \t", &pos);
+	while(s){
+	    char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings));
+	    if(tmp == NULL)
+		goto cleanup;
+	    strings = tmp;
+	    strings[nstr] = strdup(s);
+	    nstr++;
+	    if(strings[nstr-1] == NULL)
+		goto cleanup;
+	    s = strtok_r(NULL, " \t", &pos);
+	}
+	free(tmp);
+    }
+    if(nstr){
+	char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings));
+	if(strings == NULL)
+	    goto cleanup;
+	strings = tmp;
+	strings[nstr] = NULL;
+    }
+    return strings;
+cleanup:
+    while(nstr--)
+	free(strings[nstr]);
+    free(strings);
+    return NULL;
+
+}
+
+char**
+krb5_config_get_strings(krb5_context context,
+			krb5_config_section *c,
+			...)
+{
+    va_list ap;
+    char **ret;
+    va_start(ap, c);
+    ret = krb5_config_vget_strings(context, c, ap);
+    va_end(ap);
+    return ret;
+}
+
+void
+krb5_config_free_strings(char **strings)
+{
+    char **s = strings;
+    while(s && *s){
+	free(*s);
+	s++;
+    }
+    free(strings);
+}
+
+krb5_boolean
+krb5_config_vget_bool_default (krb5_context context,
+			       krb5_config_section *c,
+			       krb5_boolean def_value,
+			       va_list args)
+{
+    const char *str;
+    str = krb5_config_vget_string (context, c, args);
+    if(str == NULL)
+	return def_value;
+    if(strcasecmp(str, "yes") == 0 ||
+       strcasecmp(str, "true") == 0 ||
+       atoi(str)) return TRUE;
+    return FALSE;
+}
+
+krb5_boolean
+krb5_config_vget_bool  (krb5_context context,
+			krb5_config_section *c,
+			va_list args)
+{
+    return krb5_config_vget_bool_default (context, c, FALSE, args);
+}
+
+krb5_boolean
+krb5_config_get_bool_default (krb5_context context,
+			      krb5_config_section *c,
+			      krb5_boolean def_value,
+			      ...)
+{
+    va_list ap;
+    krb5_boolean ret;
+    va_start(ap, def_value);
+    ret = krb5_config_vget_bool_default(context, c, def_value, ap);
+    va_end(ap);
+    return ret;
+}
+
+krb5_boolean
+krb5_config_get_bool (krb5_context context,
+		      krb5_config_section *c,
+		      ...)
+{
+    va_list ap;
+    krb5_boolean ret;
+    va_start(ap, c);
+    ret = krb5_config_vget_bool (context, c, ap);
+    va_end(ap);
+    return ret;
+}
+
+int
+krb5_config_vget_time_default (krb5_context context,
+			       krb5_config_section *c,
+			       int def_value,
+			       va_list args)
+{
+    const char *str;
+    str = krb5_config_vget_string (context, c, args);
+    if(str == NULL)
+	return def_value;
+    return parse_time (str, NULL);
+}
+
+int
+krb5_config_vget_time  (krb5_context context,
+			krb5_config_section *c,
+			va_list args)
+{
+    return krb5_config_vget_time_default (context, c, -1, args);
+}
+
+int
+krb5_config_get_time_default (krb5_context context,
+			      krb5_config_section *c,
+			      int def_value,
+			      ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, def_value);
+    ret = krb5_config_vget_time_default(context, c, def_value, ap);
+    va_end(ap);
+    return ret;
+}
+
+int
+krb5_config_get_time (krb5_context context,
+		      krb5_config_section *c,
+		      ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, c);
+    ret = krb5_config_vget_time (context, c, ap);
+    va_end(ap);
+    return ret;
+}
+
+
+int
+krb5_config_vget_int_default (krb5_context context,
+			      krb5_config_section *c,
+			      int def_value,
+			      va_list args)
+{
+    const char *str;
+    str = krb5_config_vget_string (context, c, args);
+    if(str == NULL)
+	return def_value;
+    else { 
+	char *endptr; 
+	long l; 
+	l = strtol(str, &endptr, 0); 
+	if (endptr == str) 
+	    return def_value; 
+	else 
+	    return l;
+    }
+}
+
+int
+krb5_config_vget_int  (krb5_context context,
+		       krb5_config_section *c,
+		       va_list args)
+{
+    return krb5_config_vget_int_default (context, c, -1, args);
+}
+
+int
+krb5_config_get_int_default (krb5_context context,
+			     krb5_config_section *c,
+			     int def_value,
+			     ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, def_value);
+    ret = krb5_config_vget_int_default(context, c, def_value, ap);
+    va_end(ap);
+    return ret;
+}
+
+int
+krb5_config_get_int (krb5_context context,
+		     krb5_config_section *c,
+		     ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, c);
+    ret = krb5_config_vget_int (context, c, ap);
+    va_end(ap);
+    return ret;
+}
+
+#ifdef TEST
+
+static int print_list (krb5_context context, FILE *f, 
+		       krb5_config_binding *l, unsigned level);
+static int print_binding (krb5_context context, FILE *f, 
+			  krb5_config_binding *b, unsigned level);
+static int print_section (krb5_context context, FILE *f, 
+			  krb5_config_section *s, unsigned level);
+static int print_config (krb5_context context, FILE *f, 
+			 krb5_config_section *c);
+
+static void
+tab (FILE *f, unsigned count)
+{
+    while(count--)
+	fprintf (f, "\t");
+}
+
+static int
+print_list (krb5_context context, 
+	    FILE *f, 
+	    krb5_config_binding *l, 
+	    unsigned level)
+{
+    while(l) {
+	print_binding (context, f, l, level);
+	l = l->next;
+    }
+    return 0;
+}
+
+static int
+print_binding (krb5_context context, 
+	       FILE *f, 
+	       krb5_config_binding *b, 
+	       unsigned level)
+{
+    tab (f, level);
+    fprintf (f, "%s = ", b->name);
+    if (b->type == krb5_config_string)
+	fprintf (f, "%s\n", b->u.string);
+    else if (b->type == krb5_config_list) {
+	fprintf (f, "{\n");
+	print_list (f, b->u.list, level + 1);
+	tab (f, level);
+	fprintf (f, "}\n");
+    } else
+	krb5_abortx(context, "unknown binding type (%d) in print_binding", 
+		    b->type);
+    return 0;
+}
+
+static int
+print_section (FILE *f, krb5_config_section *s, unsigned level)
+{
+    fprintf (f, "[%s]\n", s->name);
+    print_list (f, s->u.list, level + 1);
+    return 0;
+}
+
+static int
+print_config (FILE *f, krb5_config_section *c)
+{
+    while (c) {
+	print_section (f, c, 0);
+	c = c->next;
+    }
+    return 0;
+}
+
+
+int
+main(void)
+{
+    krb5_config_section *c;
+
+    printf ("%d\n", krb5_config_parse_file ("/etc/krb5.conf", &c));
+    print_config (stdout, c);
+    printf ("[libdefaults]ticket_lifetime = %s\n",
+	    krb5_config_get_string (context, c,
+			       "libdefaults",
+			       "ticket_lifetime",
+			       NULL));
+    printf ("[realms]foo = %s\n",
+	    krb5_config_get_string (context, c,
+			       "realms",
+			       "foo",
+			       NULL));
+    printf ("[realms]ATHENA.MIT.EDU/v4_instance_convert/lithium = %s\n",
+	    krb5_config_get_string (context, c,
+			       "realms",
+			       "ATHENA.MIT.EDU",
+			       "v4_instance_convert",
+			       "lithium",
+			       NULL));
+    return 0;
+}
+
+#endif /* TEST */
diff --git a/crypto/heimdal/lib/krb5/config_file_netinfo.c b/crypto/heimdal/lib/krb5/config_file_netinfo.c
new file mode 100644
index 0000000..a035e88
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/config_file_netinfo.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: config_file_netinfo.c,v 1.3 2001/05/14 06:14:45 assar Exp $");
+
+/*
+ * Netinfo implementation from Luke Howard <lukeh@xedoc.com.au>
+ */
+
+#ifdef HAVE_NETINFO
+#include <netinfo/ni.h>
+static ni_status
+ni_proplist2binding(ni_proplist *pl, krb5_config_section **ret)
+{
+    int i, j;
+    krb5_config_section **next = NULL;
+
+    for (i = 0; i < pl->ni_proplist_len; i++) {
+	if (!strcmp(pl->nipl_val[i].nip_name, "name"))
+	    continue;
+
+	for (j = 0; j < pl->nipl_val[i].nip_val.ni_namelist_len; j++) {
+	    krb5_config_binding *b;
+
+	    b = malloc(sizeof(*b));
+	    if (b == NULL)
+		return NI_FAILED;
+	
+	    b->next = NULL;
+	    b->type = krb5_config_string;
+	    b->name = ni_name_dup(pl->nipl_val[i].nip_name);
+	    b->u.string = ni_name_dup(pl->nipl_val[i].nip_val.ninl_val[j]);
+
+	    if (next == NULL) {
+		*ret = b;
+	    } else {
+		*next = b;
+	    }
+	    next = &b->next;
+	}
+    }
+    return NI_OK;
+}
+
+static ni_status
+ni_idlist2binding(void *ni, ni_idlist *idlist, krb5_config_section **ret)
+{
+    int i;
+    ni_status nis;
+    krb5_config_section **next;
+
+    for (i = 0; i < idlist->ni_idlist_len; i++) {
+	ni_proplist pl;
+        ni_id nid;
+	ni_idlist children;
+	krb5_config_binding *b;
+	ni_index index;
+
+	nid.nii_instance = 0;
+	nid.nii_object = idlist->ni_idlist_val[i];
+
+	nis = ni_read(ni, &nid, &pl);
+
+	if (nis != NI_OK) {
+	     return nis;
+	}
+	index = ni_proplist_match(pl, "name", NULL);
+	b = malloc(sizeof(*b));
+	if (b == NULL) return NI_FAILED;
+
+	if (i == 0) {
+	    *ret = b;
+	} else {
+	    *next = b;
+	}
+
+	b->type = krb5_config_list;
+	b->name = ni_name_dup(pl.nipl_val[index].nip_val.ninl_val[0]);
+	b->next = NULL;
+	b->u.list = NULL;
+
+	/* get the child directories */
+	nis = ni_children(ni, &nid, &children);
+	if (nis == NI_OK) {
+	    nis = ni_idlist2binding(ni, &children, &b->u.list);
+	    if (nis != NI_OK) {
+		return nis;
+	    }
+	}
+
+	nis = ni_proplist2binding(&pl, b->u.list == NULL ? &b->u.list : &b->u.list->next);
+	ni_proplist_free(&pl);
+	if (nis != NI_OK) {
+	    return nis;
+	}
+	next = &b->next;
+    }
+    ni_idlist_free(idlist);
+    return NI_OK;
+}
+
+krb5_error_code
+krb5_config_parse_file (krb5_context context,
+			const char *fname,
+			krb5_config_section **res)
+{
+    void *ni = NULL, *lastni = NULL;
+    int i;
+    ni_status nis;
+    ni_id nid;
+    ni_idlist children;
+
+    krb5_config_section *s;
+    int ret;
+
+    s = NULL;
+
+    for (i = 0; i < 256; i++) {
+	if (i == 0) {
+	    nis = ni_open(NULL, ".", &ni);
+	} else {
+	    if (lastni != NULL) ni_free(lastni);
+	    lastni = ni;
+	    nis = ni_open(lastni, "..", &ni);
+	}
+	if (nis != NI_OK)
+	    break;
+	nis = ni_pathsearch(ni, &nid, "/locations/kerberos");
+	if (nis == NI_OK) {
+	    nis = ni_children(ni, &nid, &children);
+	    if (nis != NI_OK)
+		break;
+	    nis = ni_idlist2binding(ni, &children, &s);
+	    break;
+	}
+    }
+
+    if (ni != NULL) ni_free(ni);
+    if (ni != lastni && lastni != NULL) ni_free(lastni);
+
+    ret = (nis == NI_OK) ? 0 : -1;
+    if (ret == 0) {
+	*res = s;
+    } else {
+	*res = NULL;
+    }
+    return ret;
+}
+#endif /* HAVE_NETINFO */
diff --git a/crypto/heimdal/lib/krb5/constants.c b/crypto/heimdal/lib/krb5/constants.c
new file mode 100644
index 0000000..946fd4d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/constants.c
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: constants.c,v 1.5 2000/07/14 21:53:01 joda Exp $");
+
+const char krb5_config_file[] = "/etc/krb5.conf";
+const char krb5_defkeyname[] = KEYTAB_DEFAULT;
diff --git a/crypto/heimdal/lib/krb5/context.c b/crypto/heimdal/lib/krb5/context.c
new file mode 100644
index 0000000..2ba194b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/context.c
@@ -0,0 +1,376 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: context.c,v 1.64 2001/05/16 22:24:42 assar Exp $");
+
+#define INIT_FIELD(C, T, E, D, F)					\
+    (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), 	\
+						"libdefaults", F, NULL)
+
+/*
+ * Set the list of etypes `ret_etypes' from the configuration variable
+ * `name'
+ */
+
+static krb5_error_code
+set_etypes (krb5_context context,
+	    const char *name,
+	    krb5_enctype **ret_enctypes)
+{
+    char **etypes_str;
+    krb5_enctype *etypes;
+
+    etypes_str = krb5_config_get_strings(context, NULL, "libdefaults", 
+					 name, NULL);
+    if(etypes_str){
+	int i, j, k;
+	for(i = 0; etypes_str[i]; i++);
+	etypes = malloc((i+1) * sizeof(*etypes));
+	if (etypes == NULL) {
+	    krb5_config_free_strings (etypes_str);
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	for(j = 0, k = 0; j < i; j++) {
+	    if(krb5_string_to_enctype(context, etypes_str[j], &etypes[k]) == 0)
+		k++;
+	}
+	etypes[k] = ETYPE_NULL;
+	krb5_config_free_strings(etypes_str);
+	*ret_enctypes = etypes;
+    }
+    return 0;
+}
+
+/*
+ * read variables from the configuration file and set in `context'
+ */
+
+static krb5_error_code
+init_context_from_config_file(krb5_context context)
+{
+    const char * tmp;
+    INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
+    INIT_FIELD(context, time, kdc_timeout, 3, "kdc_timeout");
+    INIT_FIELD(context, int, max_retries, 3, "max_retries");
+
+    INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
+
+    set_etypes (context, "default_etypes", &context->etypes);
+    set_etypes (context, "default_etypes_des", &context->etypes_des);
+
+    /* default keytab name */
+    INIT_FIELD(context, string, default_keytab, 
+	       KEYTAB_DEFAULT, "default_keytab_name");
+
+    INIT_FIELD(context, string, default_keytab_modify, 
+	       KEYTAB_DEFAULT_MODIFY, "default_keytab_modify_name");
+
+    INIT_FIELD(context, string, time_fmt, 
+	       "%Y-%m-%dT%H:%M:%S", "time_format");
+
+    INIT_FIELD(context, string, date_fmt, 
+	       "%Y-%m-%d", "date_format");
+
+    INIT_FIELD(context, bool, log_utc, 
+	       FALSE, "log_utc");
+
+
+    
+    /* init dns-proxy slime */
+    tmp = krb5_config_get_string(context, NULL, "libdefaults", 
+				 "dns_proxy", NULL);
+    if(tmp) 
+	roken_gethostby_setup(context->http_proxy, tmp);
+    context->default_realms = NULL;
+
+    {
+	krb5_addresses addresses;
+	char **adr, **a;
+	adr = krb5_config_get_strings(context, NULL, 
+				      "libdefaults", 
+				      "extra_addresses", 
+				      NULL);
+	memset(&addresses, 0, sizeof(addresses));
+	for(a = adr; a && *a; a++) {
+	    krb5_parse_address(context, *a, &addresses);
+	    krb5_add_extra_addresses(context, &addresses);
+	    krb5_free_addresses(context, &addresses);
+	}
+	krb5_config_free_strings(adr);
+    }
+    
+    INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
+    INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
+    INIT_FIELD(context, bool, srv_try_txt, FALSE, "srv_try_txt");
+    INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
+
+    context->cc_ops       = NULL;
+    context->num_cc_ops	  = 0;
+    krb5_cc_register(context, &krb5_fcc_ops, TRUE);
+    krb5_cc_register(context, &krb5_mcc_ops, TRUE);
+
+    context->num_kt_types = 0;
+    context->kt_types     = NULL;
+    krb5_kt_register (context, &krb5_fkt_ops);
+    krb5_kt_register (context, &krb5_mkt_ops);
+    krb5_kt_register (context, &krb5_akf_ops);
+    krb5_kt_register (context, &krb4_fkt_ops);
+    krb5_kt_register (context, &krb5_srvtab_fkt_ops);
+    krb5_kt_register (context, &krb5_any_ops);
+    return 0;
+}
+
+krb5_error_code
+krb5_init_context(krb5_context *context)
+{
+    krb5_context p;
+    const char *config_file = NULL;
+    krb5_config_section *tmp_cf;
+    krb5_error_code ret;
+
+    ALLOC(p, 1);
+    if(!p)
+	return ENOMEM;
+    memset(p, 0, sizeof(krb5_context_data));
+
+    /* init error tables */
+    krb5_init_ets(p);
+
+    if(!issuid())
+	config_file = getenv("KRB5_CONFIG");
+    if (config_file == NULL)
+	config_file = krb5_config_file;
+
+    ret = krb5_config_parse_file (p, config_file, &tmp_cf);
+
+    if (ret == 0)
+	p->cf = tmp_cf;
+#if 0
+    else
+	krb5_warnx (p, "Unable to parse config file %s.  Ignoring.",
+		    config_file); /* XXX */
+#endif
+
+    ret = init_context_from_config_file(p);
+    if(ret) {
+	krb5_free_context(p);
+	return ret;
+    }
+
+    *context = p;
+    return 0;
+}
+
+void
+krb5_free_context(krb5_context context)
+{
+  int i;
+
+  free(context->etypes);
+  free(context->etypes_des);
+  krb5_free_host_realm (context, context->default_realms);
+  krb5_config_file_free (context, context->cf);
+  free_error_table (context->et_list);
+  for(i = 0; i < context->num_cc_ops; ++i)
+    free(context->cc_ops[i].prefix);
+  free(context->cc_ops);
+  free(context->kt_types);
+  free(context);
+}
+
+/*
+ * set `etype' to a malloced list of the default enctypes
+ */
+
+static krb5_error_code
+default_etypes(krb5_context context, krb5_enctype **etype)
+{
+    krb5_enctype p[] = {
+	ETYPE_DES3_CBC_SHA1,
+	ETYPE_DES3_CBC_MD5,
+	ETYPE_ARCFOUR_HMAC_MD5,
+	ETYPE_DES_CBC_MD5,
+	ETYPE_DES_CBC_MD4,
+	ETYPE_DES_CBC_CRC,
+	ETYPE_NULL
+    };
+
+    *etype = malloc(sizeof(p));
+    if(*etype == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memcpy(*etype, p, sizeof(p));
+    return 0;
+}
+
+krb5_error_code
+krb5_set_default_in_tkt_etypes(krb5_context context, 
+			       const krb5_enctype *etypes)
+{
+    int i;
+    krb5_enctype *p = NULL;
+
+    if(etypes) {
+	for (i = 0; etypes[i]; ++i)
+	    if(!krb5_enctype_valid(context, etypes[i])) {
+		krb5_set_error_string(context, "enctype %d not supported",
+				      etypes[i]);
+		return KRB5_PROG_ETYPE_NOSUPP;
+	    }
+	++i;
+	ALLOC(p, i);
+	if(!p) {
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	memmove(p, etypes, i * sizeof(krb5_enctype));
+    }
+    if(context->etypes)
+	free(context->etypes);
+    context->etypes = p;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_get_default_in_tkt_etypes(krb5_context context,
+			       krb5_enctype **etypes)
+{
+  krb5_enctype *p;
+  int i;
+  krb5_error_code ret;
+
+  if(context->etypes) {
+    for(i = 0; context->etypes[i]; i++);
+    ++i;
+    ALLOC(p, i);
+    if(!p) {
+      krb5_set_error_string (context, "malloc: out of memory");
+      return ENOMEM;
+    }
+    memmove(p, context->etypes, i * sizeof(krb5_enctype));
+  } else {
+    ret = default_etypes(context, &p);
+    if (ret)
+      return ret;
+  }
+  *etypes = p;
+  return 0;
+}
+
+const char *
+krb5_get_err_text(krb5_context context, krb5_error_code code)
+{
+    const char *p = com_right(context->et_list, code);
+    if(p == NULL)
+	p = strerror(code);
+    return p;
+}
+
+void
+krb5_init_ets(krb5_context context)
+{
+    if(context->et_list == NULL){
+	krb5_add_et_list(context, initialize_krb5_error_table_r);
+	krb5_add_et_list(context, initialize_asn1_error_table_r);
+	krb5_add_et_list(context, initialize_heim_error_table_r);
+    }
+}
+
+void
+krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
+{
+    context->use_admin_kdc = flag;
+}
+
+krb5_boolean
+krb5_get_use_admin_kdc (krb5_context context)
+{
+    return context->use_admin_kdc;
+}
+
+krb5_error_code
+krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
+{
+
+    if(context->extra_addresses)
+	return krb5_append_addresses(context, 
+				     context->extra_addresses, addresses);
+    else
+	return krb5_set_extra_addresses(context, addresses);
+}
+
+krb5_error_code
+krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
+{
+    if(context->extra_addresses) {
+	krb5_free_addresses(context, context->extra_addresses);
+	free(context->extra_addresses);
+    }
+    if(context->extra_addresses == NULL) {
+	context->extra_addresses = malloc(sizeof(*context->extra_addresses));
+	if(context->extra_addresses == NULL) {
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+    }
+    return krb5_copy_addresses(context, addresses, context->extra_addresses);
+}
+
+krb5_error_code
+krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
+{
+    if(context->extra_addresses == NULL) {
+	memset(addresses, 0, sizeof(*addresses));
+	return 0;
+    }
+    return copy_HostAddresses(context->extra_addresses, addresses);
+}
+
+krb5_error_code
+krb5_set_fcache_version(krb5_context context, int version)
+{
+    context->fcache_vno = version;
+    return 0;
+}
+
+krb5_error_code
+krb5_get_fcache_version(krb5_context context, int *version)
+{
+    *version = context->fcache_vno;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/convert_creds.c b/crypto/heimdal/lib/krb5/convert_creds.c
new file mode 100644
index 0000000..f248cd0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/convert_creds.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: convert_creds.c,v 1.17 2001/05/14 06:14:45 assar Exp $");
+
+static krb5_error_code
+check_ticket_flags(TicketFlags f)
+{
+    return 0; /* maybe add some more tests here? */
+}
+
+/* include this here, to avoid dependencies on libkrb */
+
+#define		MAX_KTXT_LEN	1250
+
+#define 	ANAME_SZ	40
+#define		REALM_SZ	40
+#define		SNAME_SZ	40
+#define		INST_SZ		40
+
+struct ktext {
+    unsigned int length;		/* Length of the text */
+    unsigned char dat[MAX_KTXT_LEN];	/* The data itself */
+    u_int32_t mbz;		/* zero to catch runaway strings */
+};
+
+struct credentials {
+    char    service[ANAME_SZ];	/* Service name */
+    char    instance[INST_SZ];	/* Instance */
+    char    realm[REALM_SZ];	/* Auth domain */
+    des_cblock session;		/* Session key */
+    int     lifetime;		/* Lifetime */
+    int     kvno;		/* Key version number */
+    struct ktext ticket_st;	/* The ticket itself */
+    int32_t    issue_date;	/* The issue time */
+    char    pname[ANAME_SZ];	/* Principal's name */
+    char    pinst[INST_SZ];	/* Principal's instance */
+};
+
+
+#define TKTLIFENUMFIXED 64
+#define TKTLIFEMINFIXED 0x80
+#define TKTLIFEMAXFIXED 0xBF
+#define TKTLIFENOEXPIRE 0xFF
+#define MAXTKTLIFETIME	(30*24*3600)	/* 30 days */
+#ifndef NEVERDATE
+#define NEVERDATE ((time_t)0x7fffffffL)
+#endif
+
+static const int _tkt_lifetimes[TKTLIFENUMFIXED] = {
+   38400,   41055,   43894,   46929,   50174,   53643,   57352,   61318,
+   65558,   70091,   74937,   80119,   85658,   91581,   97914,  104684,
+  111922,  119661,  127935,  136781,  146239,  156350,  167161,  178720,
+  191077,  204289,  218415,  233517,  249664,  266926,  285383,  305116,
+  326213,  348769,  372885,  398668,  426234,  455705,  487215,  520904,
+  556921,  595430,  636601,  680618,  727680,  777995,  831789,  889303,
+  950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247,
+ 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000
+};
+
+static int
+_krb_time_to_life(time_t start, time_t end)
+{
+    int i;
+    time_t life = end - start;
+
+    if (life > MAXTKTLIFETIME || life <= 0) 
+	return 0;
+#if 0    
+    if (krb_no_long_lifetimes) 
+	return (life + 5*60 - 1)/(5*60);
+#endif
+    
+    if (end >= NEVERDATE)
+	return TKTLIFENOEXPIRE;
+    if (life < _tkt_lifetimes[0]) 
+	return (life + 5*60 - 1)/(5*60);
+    for (i=0; i<TKTLIFENUMFIXED; i++)
+	if (life <= _tkt_lifetimes[i])
+	    return i + TKTLIFEMINFIXED;
+    return 0;
+    
+}
+
+/* Convert the v5 credentials in `in_cred' to v4-dito in `v4creds'.
+ * This is done by sending them to the 524 function in the KDC.  If
+ * `in_cred' doesn't contain a DES session key, then a new one is
+ * gotten from the KDC and stored in the cred cache `ccache'.
+ */
+
+krb5_error_code
+krb524_convert_creds_kdc(krb5_context context, 
+			 krb5_ccache ccache,
+			 krb5_creds *in_cred,
+			 struct credentials *v4creds)
+{
+    krb5_error_code ret;
+    krb5_data reply;
+    krb5_storage *sp;
+    int32_t tmp;
+    krb5_data ticket;
+    char realm[REALM_SZ];
+    krb5_creds *v5_creds = in_cred;
+    krb5_keytype keytype;
+
+    keytype = v5_creds->session.keytype;
+
+    if (keytype != ENCTYPE_DES_CBC_CRC) {
+	/* MIT krb524d doesn't like nothing but des-cbc-crc tickets,
+           so go get one */
+	krb5_creds template;
+
+	memset (&template, 0, sizeof(template));
+	template.session.keytype = ENCTYPE_DES_CBC_CRC;
+	ret = krb5_copy_principal (context, in_cred->client, &template.client);
+	if (ret) {
+	    krb5_free_creds_contents (context, &template);
+	    return ret;
+	}
+	ret = krb5_copy_principal (context, in_cred->server, &template.server);
+	if (ret) {
+	    krb5_free_creds_contents (context, &template);
+	    return ret;
+	}
+
+	ret = krb5_get_credentials (context, 0, ccache,
+				    &template, &v5_creds);
+	krb5_free_creds_contents (context, &template);
+	if (ret)
+	    return ret;
+    }
+
+    ret = check_ticket_flags(v5_creds->flags.b);
+    if(ret)
+	goto out2;
+
+    {
+	char **hostlist;
+	int port;
+	port = krb5_getportbyname (context, "krb524", "udp", 4444);
+	
+	ret = krb5_get_krbhst (context, krb5_princ_realm(context, 
+							 v5_creds->server), 
+			       &hostlist);
+	if(ret)
+	    goto out2;
+	
+	ret = krb5_sendto (context,
+			   &v5_creds->ticket,
+			   hostlist,
+			   port,
+			   &reply);
+	if(ret == KRB5_KDC_UNREACH) {
+	    port = krb5_getportbyname (context, "kerberos", "udp", 88);
+	    ret = krb5_sendto (context,
+			       &v5_creds->ticket,
+			       hostlist,
+			       port,
+			       &reply);
+	}
+	krb5_free_krbhst (context, hostlist);
+    }
+    if (ret)
+	goto out2;
+    sp = krb5_storage_from_mem(reply.data, reply.length);
+    if(sp == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string (context, "malloc: out of memory");
+	goto out2;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0) {
+	memset(v4creds, 0, sizeof(*v4creds));
+	ret = krb5_ret_int32(sp, &tmp);
+	if(ret)
+	    goto out;
+	v4creds->kvno = tmp;
+	ret = krb5_ret_data(sp, &ticket);
+	if(ret)
+	    goto out;
+	v4creds->ticket_st.length = ticket.length;
+	memcpy(v4creds->ticket_st.dat, ticket.data, ticket.length);
+	krb5_data_free(&ticket);
+	ret = krb5_524_conv_principal(context, 
+				      v5_creds->server, 
+				      v4creds->service, 
+				      v4creds->instance, 
+				      v4creds->realm);
+	if(ret)
+	    goto out;
+	v4creds->issue_date = v5_creds->times.authtime;
+	v4creds->lifetime = _krb_time_to_life(v4creds->issue_date,
+					      v5_creds->times.endtime);
+	ret = krb5_524_conv_principal(context, v5_creds->client, 
+				      v4creds->pname, 
+				      v4creds->pinst, 
+				      realm);
+	if(ret)
+	    goto out;
+	memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8);
+    }
+out:
+    krb5_storage_free(sp);
+    krb5_data_free(&reply);
+out2:
+    if (v5_creds != in_cred)
+	krb5_free_creds (context, v5_creds);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/copy_host_realm.c b/crypto/heimdal/lib/krb5/copy_host_realm.c
new file mode 100644
index 0000000..38fdfa8
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/copy_host_realm.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: copy_host_realm.c,v 1.4 2001/05/14 06:14:45 assar Exp $");
+
+/*
+ * Copy the list of realms from `from' to `to'.
+ */
+
+krb5_error_code
+krb5_copy_host_realm(krb5_context context,
+		     const krb5_realm *from,
+		     krb5_realm **to)
+{
+    int n, i;
+    const krb5_realm *p;
+
+    for (n = 0, p = from; *p != NULL; ++p)
+	++n;
+    ++n;
+    *to = malloc (n * sizeof(**to));
+    if (*to == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    for (i = 0; i < n; ++i)
+	(*to)[i] = NULL;
+    for (i = 0, p = from; *p != NULL; ++p, ++i) {
+	(*to)[i] = strdup(*p);
+	if ((*to)[i] == NULL) {
+	    krb5_free_host_realm (context, *to);
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/crc.c b/crypto/heimdal/lib/krb5/crc.c
new file mode 100644
index 0000000..c7cedd8
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crc.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $");
+
+static u_long table[256];
+
+#define CRC_GEN 0xEDB88320L
+
+void
+_krb5_crc_init_table(void)
+{
+    static int flag = 0;
+    unsigned long crc, poly;
+    int     i, j;
+    
+    if(flag) return;
+    poly = CRC_GEN;
+    for (i = 0; i < 256; i++) {
+	crc = i;
+	for (j = 8; j > 0; j--) {
+	    if (crc & 1) {
+		crc = (crc >> 1) ^ poly;
+	    } else {
+		crc >>= 1;
+	    }
+	}
+	table[i] = crc;
+    }
+    flag = 1;
+}
+
+u_int32_t
+_krb5_crc_update (const char *p, size_t len, u_int32_t res)
+{
+    while (len--)
+	res = table[(res ^ *p++) & 0xFF] ^ (res >> 8);
+    return res & 0xFFFFFFFF;
+}
diff --git a/crypto/heimdal/lib/krb5/creds.c b/crypto/heimdal/lib/krb5/creds.c
new file mode 100644
index 0000000..01c1c30
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/creds.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: creds.c,v 1.15 2001/05/14 06:14:45 assar Exp $");
+
+krb5_error_code
+krb5_free_cred_contents (krb5_context context, krb5_creds *c)
+{
+    return krb5_free_creds_contents (context, c);
+}    
+
+krb5_error_code
+krb5_free_creds_contents (krb5_context context, krb5_creds *c)
+{
+    krb5_free_principal (context, c->client);
+    c->client = NULL;
+    krb5_free_principal (context, c->server);
+    c->server = NULL;
+    krb5_free_keyblock_contents (context, &c->session);
+    krb5_data_free (&c->ticket);
+    krb5_data_free (&c->second_ticket);
+    free_AuthorizationData (&c->authdata);
+    krb5_free_addresses (context, &c->addresses);
+    return 0;
+}
+
+krb5_error_code
+krb5_copy_creds_contents (krb5_context context,
+			  const krb5_creds *incred,
+			  krb5_creds *c)
+{
+    krb5_error_code ret;
+
+    memset(c, 0, sizeof(*c));
+    ret = krb5_copy_principal (context, incred->client, &c->client);
+    if (ret)
+	goto fail;
+    ret = krb5_copy_principal (context, incred->server, &c->server);
+    if (ret)
+	goto fail;
+    ret = krb5_copy_keyblock_contents (context, &incred->session, &c->session);
+    if (ret)
+	goto fail;
+    c->times = incred->times;
+    ret = krb5_data_copy (&c->ticket,
+			  incred->ticket.data,
+			  incred->ticket.length);
+    if (ret)
+	goto fail;
+    ret = krb5_data_copy (&c->second_ticket,
+			  incred->second_ticket.data,
+			  incred->second_ticket.length);
+    if (ret)
+	goto fail;
+    ret = copy_AuthorizationData(&incred->authdata, &c->authdata);
+    if (ret)
+	goto fail;
+    ret = krb5_copy_addresses (context,
+			       &incred->addresses,
+			       &c->addresses);
+    if (ret)
+	goto fail;
+    c->flags = incred->flags;
+    return 0;
+
+fail:
+    krb5_free_creds_contents (context, c);
+    return ret;
+}
+
+krb5_error_code
+krb5_copy_creds (krb5_context context,
+		 const krb5_creds *incred,
+		 krb5_creds **outcred)
+{
+    krb5_creds *c;
+
+    c = malloc (sizeof (*c));
+    if (c == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memset (c, 0, sizeof(*c));
+    *outcred = c;
+    return krb5_copy_creds_contents (context, incred, c);
+}
+
+krb5_error_code
+krb5_free_creds (krb5_context context, krb5_creds *c)
+{
+    krb5_free_creds_contents (context, c);
+    free (c);
+    return 0;
+}
+
+/*
+ * Return TRUE if `mcreds' and `creds' are equal (`whichfields'
+ * determines what equal means).
+ */
+
+krb5_boolean
+krb5_compare_creds(krb5_context context, krb5_flags whichfields, 
+		   const krb5_creds *mcreds, const krb5_creds *creds)
+{
+    krb5_boolean match;
+
+    if(whichfields & KRB5_TC_DONT_MATCH_REALM)
+	match = krb5_principal_compare_any_realm(context, 
+						 mcreds->server, 
+						 creds->server);
+    else
+	match = krb5_principal_compare(context, mcreds->server, creds->server);
+    if(match && (whichfields & KRB5_TC_MATCH_KEYTYPE) &&
+       !krb5_enctypes_compatible_keys (context,
+				       mcreds->session.keytype,
+				       creds->session.keytype))
+	match = FALSE;
+    return match;
+}
diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c
new file mode 100644
index 0000000..9077c34
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/crypto.c
@@ -0,0 +1,3173 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+RCSID("$Id: crypto.c,v 1.50 2001/05/14 06:14:45 assar Exp $");
+/* RCSID("$FreeBSD$"); */
+
+#undef CRYPTO_DEBUG
+#ifdef CRYPTO_DEBUG
+static void krb5_crypto_debug(krb5_context, int, size_t, krb5_keyblock*);
+#endif
+
+
+struct key_data {
+    krb5_keyblock *key;
+    krb5_data *schedule;
+};
+
+struct key_usage {
+    unsigned usage;
+    struct key_data key;
+};
+
+struct krb5_crypto_data {
+    struct encryption_type *et;
+    struct key_data key;
+    int num_key_usage;
+    struct key_usage *key_usage;
+};
+
+#define CRYPTO_ETYPE(C) ((C)->et->type)
+
+/* bits for `flags' below */
+#define F_KEYED		 1	/* checksum is keyed */
+#define F_CPROOF	 2	/* checksum is collision proof */
+#define F_DERIVED	 4	/* uses derived keys */
+#define F_VARIANT	 8	/* uses `variant' keys (6.4.3) */
+#define F_PSEUDO	16	/* not a real protocol type */
+#define F_SPECIAL	32	/* backwards */
+
+struct salt_type {
+    krb5_salttype type;
+    const char *name;
+    krb5_error_code (*string_to_key)(krb5_context, krb5_enctype, krb5_data, 
+				     krb5_salt, krb5_keyblock*);
+};
+
+struct key_type {
+    krb5_keytype type; /* XXX */
+    const char *name;
+    size_t bits;
+    size_t size;
+    size_t schedule_size;
+#if 0
+    krb5_enctype best_etype;
+#endif
+    void (*random_key)(krb5_context, krb5_keyblock*);
+    void (*schedule)(krb5_context, struct key_data *);
+    struct salt_type *string_to_key;
+};
+
+struct checksum_type {
+    krb5_cksumtype type;
+    const char *name;
+    size_t blocksize;
+    size_t checksumsize;
+    unsigned flags;
+    void (*checksum)(krb5_context context,
+		     struct key_data *key,
+		     const void *buf, size_t len,
+		     unsigned usage,
+		     Checksum *csum);
+    krb5_error_code (*verify)(krb5_context context,
+			      struct key_data *key,
+			      const void *buf, size_t len,
+			      unsigned usage,
+			      Checksum *csum);
+};
+
+struct encryption_type {
+    krb5_enctype type;
+    const char *name;
+    size_t blocksize;
+    size_t confoundersize;
+    struct key_type *keytype;
+    struct checksum_type *checksum;
+    struct checksum_type *keyed_checksum;
+    unsigned flags;
+    krb5_error_code (*encrypt)(krb5_context context,
+			       struct key_data *key,
+			       void *data, size_t len,
+			       krb5_boolean encrypt,
+			       int usage,
+			       void *ivec);
+};
+
+#define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA)
+#define INTEGRITY_USAGE(U) (((U) << 8) | 0x55)
+#define CHECKSUM_USAGE(U) (((U) << 8) | 0x99)
+
+static struct checksum_type *_find_checksum(krb5_cksumtype type);
+static struct encryption_type *_find_enctype(krb5_enctype type);
+static struct key_type *_find_keytype(krb5_keytype type);
+static krb5_error_code _get_derived_key(krb5_context, krb5_crypto, 
+					unsigned, struct key_data**);
+static struct key_data *_new_derived_key(krb5_crypto crypto, unsigned usage);
+
+/************************************************************
+ *                                                          *
+ ************************************************************/
+
+static void
+DES_random_key(krb5_context context,
+	       krb5_keyblock *key)
+{
+    des_cblock *k = key->keyvalue.data;
+    do {
+	krb5_generate_random_block(k, sizeof(des_cblock));
+	des_set_odd_parity(k);
+    } while(des_is_weak_key(k));
+}
+
+static void
+DES_schedule(krb5_context context,
+	     struct key_data *key)
+{
+    des_set_key(key->key->keyvalue.data, key->schedule->data);
+}
+
+static krb5_error_code
+DES_string_to_key(krb5_context context,
+		  krb5_enctype enctype,
+		  krb5_data password,
+		  krb5_salt salt,
+		  krb5_keyblock *key)
+{
+    char *s;
+    size_t len;
+    des_cblock tmp;
+
+    len = password.length + salt.saltvalue.length + 1;
+    s = malloc(len);
+    if(s == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memcpy(s, password.data, password.length);
+    memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    s[len - 1] = '\0';
+    des_string_to_key(s, &tmp);
+    key->keytype = enctype;
+    krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
+    memset(&tmp, 0, sizeof(tmp));
+    memset(s, 0, len);
+    free(s);
+    return 0;
+}
+
+/* This defines the Andrew string_to_key function.  It accepts a password
+ * string as input and converts its via a one-way encryption algorithm to a DES
+ * encryption key.  It is compatible with the original Andrew authentication
+ * service password database.
+ */
+
+/*
+ * Short passwords, i.e 8 characters or less.
+ */
+static void
+DES_AFS3_CMU_string_to_key (krb5_data pw,
+			    krb5_data cell,
+			    des_cblock *key)
+{
+    char  password[8+1];	/* crypt is limited to 8 chars anyway */
+    int   i;
+    
+    for(i = 0; i < 8; i++) {
+	char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
+		 ((i < cell.length) ?
+		  tolower(((unsigned char*)cell.data)[i]) : 0);
+	password[i] = c ? c : 'X';
+    }
+    password[8] = '\0';
+
+    memcpy(key, crypt(password, "#~") + 2, sizeof(des_cblock));
+
+    /* parity is inserted into the LSB so left shift each byte up one
+       bit. This allows ascii characters with a zero MSB to retain as
+       much significance as possible. */
+    for (i = 0; i < sizeof(des_cblock); i++)
+	((unsigned char*)key)[i] <<= 1;
+    des_set_odd_parity (key);
+}
+
+/*
+ * Long passwords, i.e 9 characters or more.
+ */
+static void
+DES_AFS3_Transarc_string_to_key (krb5_data pw,
+				 krb5_data cell,
+				 des_cblock *key)
+{
+    des_key_schedule schedule;
+    des_cblock temp_key;
+    des_cblock ivec;
+    char password[512];
+    size_t passlen;
+
+    memcpy(password, pw.data, min(pw.length, sizeof(password)));
+    if(pw.length < sizeof(password)) {
+	int len = min(cell.length, sizeof(password) - pw.length);
+	int i;
+
+	memcpy(password + pw.length, cell.data, len);
+	for (i = pw.length; i < pw.length + len; ++i)
+	    password[i] = tolower((unsigned char)password[i]);
+    }
+    passlen = min(sizeof(password), pw.length + cell.length);
+    memcpy(&ivec, "kerberos", 8);
+    memcpy(&temp_key, "kerberos", 8);
+    des_set_odd_parity (&temp_key);
+    des_set_key (&temp_key, schedule);
+    des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec);
+
+    memcpy(&temp_key, &ivec, 8);
+    des_set_odd_parity (&temp_key);
+    des_set_key (&temp_key, schedule);
+    des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec);
+    memset(&schedule, 0, sizeof(schedule));
+    memset(&temp_key, 0, sizeof(temp_key));
+    memset(&ivec, 0, sizeof(ivec));
+    memset(password, 0, sizeof(password));
+
+    des_set_odd_parity (key);
+}
+
+static krb5_error_code
+DES_AFS3_string_to_key(krb5_context context,
+		       krb5_enctype enctype,
+		       krb5_data password,
+		       krb5_salt salt,
+		       krb5_keyblock *key)
+{
+    des_cblock tmp;
+    if(password.length > 8)
+	DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp);
+    else
+	DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp);
+    key->keytype = enctype;
+    krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
+    memset(&key, 0, sizeof(key));
+    return 0;
+}
+
+static void
+DES3_random_key(krb5_context context,
+		krb5_keyblock *key)
+{
+    des_cblock *k = key->keyvalue.data;
+    do {
+	krb5_generate_random_block(k, 3 * sizeof(des_cblock));
+	des_set_odd_parity(&k[0]);
+	des_set_odd_parity(&k[1]);
+	des_set_odd_parity(&k[2]);
+    } while(des_is_weak_key(&k[0]) ||
+	    des_is_weak_key(&k[1]) ||
+	    des_is_weak_key(&k[2]));
+}
+
+static void
+DES3_schedule(krb5_context context,
+	      struct key_data *key)
+{
+    des_cblock *k = key->key->keyvalue.data;
+    des_key_schedule *s = key->schedule->data;
+    des_set_key(&k[0], s[0]);
+    des_set_key(&k[1], s[1]);
+    des_set_key(&k[2], s[2]);
+}
+
+/*
+ * A = A xor B. A & B are 8 bytes.
+ */
+
+static void
+xor (des_cblock *key, const unsigned char *b)
+{
+    unsigned char *a = (unsigned char*)key;
+    a[0] ^= b[0];
+    a[1] ^= b[1];
+    a[2] ^= b[2];
+    a[3] ^= b[3];
+    a[4] ^= b[4];
+    a[5] ^= b[5];
+    a[6] ^= b[6];
+    a[7] ^= b[7];
+}
+
+static krb5_error_code
+DES3_string_to_key(krb5_context context,
+		   krb5_enctype enctype,
+		   krb5_data password,
+		   krb5_salt salt,
+		   krb5_keyblock *key)
+{
+    char *str;
+    size_t len;
+    unsigned char tmp[24];
+    des_cblock keys[3];
+    
+    len = password.length + salt.saltvalue.length;
+    str = malloc(len);
+    if(len != 0 && str == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memcpy(str, password.data, password.length);
+    memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    {
+	des_cblock ivec;
+	des_key_schedule s[3];
+	int i;
+	
+	_krb5_n_fold(str, len, tmp, 24);
+	
+	for(i = 0; i < 3; i++){
+	    memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
+	    des_set_odd_parity(keys + i);
+	    if(des_is_weak_key(keys + i))
+		xor(keys + i, (unsigned char*)"\0\0\0\0\0\0\0\xf0");
+	    des_set_key(keys + i, s[i]);
+	}
+	memset(&ivec, 0, sizeof(ivec));
+	des_ede3_cbc_encrypt((des_cblock *)tmp,
+			     (des_cblock *)tmp, sizeof(tmp), 
+			     s[0], s[1], s[2], &ivec, DES_ENCRYPT);
+	memset(s, 0, sizeof(s));
+	memset(&ivec, 0, sizeof(ivec));
+	for(i = 0; i < 3; i++){
+	    memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
+	    des_set_odd_parity(keys + i);
+	    if(des_is_weak_key(keys + i))
+		xor(keys + i, (unsigned char*)"\0\0\0\0\0\0\0\xf0");
+	}
+	memset(tmp, 0, sizeof(tmp));
+    }
+    key->keytype = enctype;
+    krb5_data_copy(&key->keyvalue, keys, sizeof(keys));
+    memset(keys, 0, sizeof(keys));
+    memset(str, 0, len);
+    free(str);
+    return 0;
+}
+
+static krb5_error_code
+DES3_string_to_key_derived(krb5_context context,
+			   krb5_enctype enctype,
+			   krb5_data password,
+			   krb5_salt salt,
+			   krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    size_t len = password.length + salt.saltvalue.length;
+    char *s;
+
+    s = malloc(len);
+    if(len != 0 && s == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memcpy(s, password.data, password.length);
+    memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    ret = krb5_string_to_key_derived(context,
+				     s,
+				     len,
+				     enctype,
+				     key);
+    memset(s, 0, len);
+    free(s);
+    return ret;
+}
+
+/*
+ * ARCFOUR
+ */
+
+static void
+ARCFOUR_random_key(krb5_context context, krb5_keyblock *key)
+{
+    krb5_generate_random_block (key->keyvalue.data,
+				key->keyvalue.length);
+}
+
+static void
+ARCFOUR_schedule(krb5_context context, struct key_data *kd)
+{
+    RC4_set_key (kd->schedule->data,
+		 kd->key->keyvalue.length, kd->key->keyvalue.data);
+}
+
+static krb5_error_code
+ARCFOUR_string_to_key(krb5_context context,
+		  krb5_enctype enctype,
+		  krb5_data password,
+		  krb5_salt salt,
+		  krb5_keyblock *key)
+{
+    char *s, *p;
+    size_t len;
+    int i;
+    MD4_CTX m;
+
+    len = 2 * password.length;
+    s = malloc (len);
+    if (len != 0 && s == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    for (p = s, i = 0; i < password.length; ++i) {
+	*p++ = ((char *)password.data)[i];
+	*p++ = 0;
+    }
+    MD4_Init (&m);
+    MD4_Update (&m, s, len);
+    key->keytype = enctype;
+    krb5_data_alloc (&key->keyvalue, 16);
+    MD4_Final (key->keyvalue.data, &m);
+    memset (s, 0, len);
+    free (s);
+    return 0;
+}
+
+extern struct salt_type des_salt[], 
+    des3_salt[], des3_salt_derived[], arcfour_salt[];
+
+struct key_type keytype_null = {
+    KEYTYPE_NULL,
+    "null",
+    0,
+    0,
+    0,
+    NULL,
+    NULL,
+    NULL
+};
+
+struct key_type keytype_des = {
+    KEYTYPE_DES,
+    "des",
+    56,
+    sizeof(des_cblock),
+    sizeof(des_key_schedule),
+    DES_random_key,
+    DES_schedule,
+    des_salt
+};
+
+struct key_type keytype_des3 = {
+    KEYTYPE_DES3,
+    "des3",
+    168,
+    3 * sizeof(des_cblock), 
+    3 * sizeof(des_key_schedule), 
+    DES3_random_key,
+    DES3_schedule,
+    des3_salt
+};
+
+struct key_type keytype_des3_derived = {
+    KEYTYPE_DES3,
+    "des3",
+    168,
+    3 * sizeof(des_cblock),
+    3 * sizeof(des_key_schedule), 
+    DES3_random_key,
+    DES3_schedule,
+    des3_salt_derived
+};
+
+struct key_type keytype_arcfour = {
+    KEYTYPE_ARCFOUR,
+    "arcfour",
+    128,
+    16,
+    sizeof(RC4_KEY),
+    ARCFOUR_random_key,
+    ARCFOUR_schedule,
+    arcfour_salt
+};
+
+struct key_type *keytypes[] = {
+    &keytype_null,
+    &keytype_des,
+    &keytype_des3_derived,
+    &keytype_des3,
+    &keytype_arcfour
+};
+
+static int num_keytypes = sizeof(keytypes) / sizeof(keytypes[0]);
+
+static struct key_type *
+_find_keytype(krb5_keytype type)
+{
+    int i;
+    for(i = 0; i < num_keytypes; i++)
+	if(keytypes[i]->type == type)
+	    return keytypes[i];
+    return NULL;
+}
+
+
+struct salt_type des_salt[] = {
+    {
+	KRB5_PW_SALT,
+	"pw-salt",
+	DES_string_to_key
+    },
+    {
+	KRB5_AFS3_SALT,
+	"afs3-salt",
+	DES_AFS3_string_to_key
+    },
+    { 0 }
+};
+
+struct salt_type des3_salt[] = {
+    {
+	KRB5_PW_SALT,
+	"pw-salt",
+	DES3_string_to_key
+    },
+    { 0 }
+};
+
+struct salt_type des3_salt_derived[] = {
+    {
+	KRB5_PW_SALT,
+	"pw-salt",
+	DES3_string_to_key_derived
+    },
+    { 0 }
+};
+
+struct salt_type arcfour_salt[] = {
+    {
+	KRB5_PW_SALT,
+	"pw-salt",
+	ARCFOUR_string_to_key
+    },
+    { 0 }
+};
+
+krb5_error_code
+krb5_salttype_to_string (krb5_context context,
+			 krb5_enctype etype,
+			 krb5_salttype stype,
+			 char **string)
+{
+    struct encryption_type *e;
+    struct salt_type *st;
+
+    e = _find_enctype (etype);
+    if (e == NULL) {
+	krb5_set_error_string(context, "encryption type %d not supported",
+			      etype);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    for (st = e->keytype->string_to_key; st && st->type; st++) {
+	if (st->type == stype) {
+	    *string = strdup (st->name);
+	    if (*string == NULL) {
+		krb5_set_error_string(context, "malloc: out of memory");
+		return ENOMEM;
+	    }
+	    return 0;
+	}
+    }
+    krb5_set_error_string(context, "salttype %d not supported", stype);
+    return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+
+krb5_error_code
+krb5_string_to_salttype (krb5_context context,
+			 krb5_enctype etype,
+			 const char *string,
+			 krb5_salttype *salttype)
+{
+    struct encryption_type *e;
+    struct salt_type *st;
+
+    e = _find_enctype (etype);
+    if (e == NULL) {
+	krb5_set_error_string(context, "encryption type %d not supported",
+			      etype);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    for (st = e->keytype->string_to_key; st && st->type; st++) {
+	if (strcasecmp (st->name, string) == 0) {
+	    *salttype = st->type;
+	    return 0;
+	}
+    }
+    krb5_set_error_string(context, "salttype %s not supported", string);
+    return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+
+krb5_error_code
+krb5_get_pw_salt(krb5_context context,
+		 krb5_const_principal principal,
+		 krb5_salt *salt)
+{
+    size_t len;
+    int i;
+    krb5_error_code ret;
+    char *p;
+     
+    salt->salttype = KRB5_PW_SALT;
+    len = strlen(principal->realm);
+    for (i = 0; i < principal->name.name_string.len; ++i)
+	len += strlen(principal->name.name_string.val[i]);
+    ret = krb5_data_alloc (&salt->saltvalue, len);
+    if (ret)
+	return ret;
+    p = salt->saltvalue.data;
+    memcpy (p, principal->realm, strlen(principal->realm));
+    p += strlen(principal->realm);
+    for (i = 0; i < principal->name.name_string.len; ++i) {
+	memcpy (p,
+		principal->name.name_string.val[i],
+		strlen(principal->name.name_string.val[i]));
+	p += strlen(principal->name.name_string.val[i]);
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_free_salt(krb5_context context, 
+	       krb5_salt salt)
+{
+    krb5_data_free(&salt.saltvalue);
+    return 0;
+}
+
+krb5_error_code
+krb5_string_to_key_data (krb5_context context,
+			 krb5_enctype enctype,
+			 krb5_data password,
+			 krb5_principal principal,
+			 krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    krb5_salt salt;
+
+    ret = krb5_get_pw_salt(context, principal, &salt);
+    if(ret)
+	return ret;
+    ret = krb5_string_to_key_data_salt(context, enctype, password, salt, key);
+    krb5_free_salt(context, salt);
+    return ret;
+}
+
+krb5_error_code
+krb5_string_to_key (krb5_context context,
+		    krb5_enctype enctype,
+		    const char *password,
+		    krb5_principal principal,
+		    krb5_keyblock *key)
+{
+    krb5_data pw;
+    pw.data = (void*)password;
+    pw.length = strlen(password);
+    return krb5_string_to_key_data(context, enctype, pw, principal, key);
+}
+
+/*
+ * Do a string -> key for encryption type `enctype' operation on
+ * `password' (with salt `salt'), returning the resulting key in `key'
+ */
+
+krb5_error_code
+krb5_string_to_key_data_salt (krb5_context context,
+			      krb5_enctype enctype,
+			      krb5_data password,
+			      krb5_salt salt,
+			      krb5_keyblock *key)
+{
+    struct encryption_type *et =_find_enctype(enctype);
+    struct salt_type *st;
+    if(et == NULL) {
+	krb5_set_error_string(context, "encryption type %d not supported",
+			      enctype);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    for(st = et->keytype->string_to_key; st && st->type; st++) 
+	if(st->type == salt.salttype)
+	    return (*st->string_to_key)(context, enctype, password, salt, key);
+    krb5_set_error_string(context, "salt type %d not supported",
+			  salt.salttype);
+    return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+
+/*
+ * Do a string -> key for encryption type `enctype' operation on the
+ * string `password' (with salt `salt'), returning the resulting key
+ * in `key'
+ */
+
+krb5_error_code
+krb5_string_to_key_salt (krb5_context context,
+			 krb5_enctype enctype,
+			 const char *password,
+			 krb5_salt salt,
+			 krb5_keyblock *key)
+{
+    krb5_data pw;
+    pw.data = (void*)password;
+    pw.length = strlen(password);
+    return krb5_string_to_key_data_salt(context, enctype, pw, salt, key);
+}
+
+krb5_error_code
+krb5_keytype_to_string(krb5_context context,
+		       krb5_keytype keytype,
+		       char **string)
+{
+    struct key_type *kt = _find_keytype(keytype);
+    if(kt == NULL) {
+	krb5_set_error_string(context, "key type %d not supported", keytype);
+	return KRB5_PROG_KEYTYPE_NOSUPP;
+    }
+    *string = strdup(kt->name);
+    if(*string == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_string_to_keytype(krb5_context context,
+		       const char *string,
+		       krb5_keytype *keytype)
+{
+    int i;
+    for(i = 0; i < num_keytypes; i++)
+	if(strcasecmp(keytypes[i]->name, string) == 0){
+	    *keytype = keytypes[i]->type;
+	    return 0;
+	}
+    krb5_set_error_string(context, "key type %s not supported", string);
+    return KRB5_PROG_KEYTYPE_NOSUPP;
+}
+
+krb5_error_code
+krb5_generate_random_keyblock(krb5_context context,
+			      krb5_enctype type,
+			      krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    struct encryption_type *et = _find_enctype(type);
+    if(et == NULL) {
+	krb5_set_error_string(context, "encryption type %d not supported",
+			      type);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
+    if(ret) 
+	return ret;
+    key->keytype = type;
+    if(et->keytype->random_key)
+	(*et->keytype->random_key)(context, key);
+    else
+	krb5_generate_random_block(key->keyvalue.data, 
+				   key->keyvalue.length);
+    return 0;
+}
+
+static krb5_error_code
+_key_schedule(krb5_context context,
+	      struct key_data *key)
+{
+    krb5_error_code ret;
+    struct encryption_type *et = _find_enctype(key->key->keytype);
+    struct key_type *kt = et->keytype;
+
+    if(kt->schedule == NULL)
+	return 0;
+    if (key->schedule != NULL)
+	return 0;
+    ALLOC(key->schedule, 1);
+    if(key->schedule == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    ret = krb5_data_alloc(key->schedule, kt->schedule_size);
+    if(ret) {
+	free(key->schedule);
+	key->schedule = NULL;
+	return ret;
+    }
+    (*kt->schedule)(context, key);
+    return 0;
+}
+
+/************************************************************
+ *                                                          *
+ ************************************************************/
+
+static void
+NONE_checksum(krb5_context context,
+	      struct key_data *key,
+	      const void *data,
+	      size_t len,
+	      unsigned usage,
+	      Checksum *C)
+{
+}
+
+static void
+CRC32_checksum(krb5_context context,
+	       struct key_data *key,
+	       const void *data,
+	       size_t len,
+	       unsigned usage,
+	       Checksum *C)
+{
+    u_int32_t crc;
+    unsigned char *r = C->checksum.data;
+    _krb5_crc_init_table ();
+    crc = _krb5_crc_update (data, len, 0);
+    r[0] = crc & 0xff;
+    r[1] = (crc >> 8)  & 0xff;
+    r[2] = (crc >> 16) & 0xff;
+    r[3] = (crc >> 24) & 0xff;
+}
+
+static void
+RSA_MD4_checksum(krb5_context context,
+		 struct key_data *key,
+		 const void *data,
+		 size_t len,
+		 unsigned usage,
+		 Checksum *C)
+{
+    MD4_CTX m;
+
+    MD4_Init (&m);
+    MD4_Update (&m, data, len);
+    MD4_Final (C->checksum.data, &m);
+}
+
+static void
+RSA_MD4_DES_checksum(krb5_context context, 
+		     struct key_data *key,
+		     const void *data, 
+		     size_t len, 
+		     unsigned usage,
+		     Checksum *cksum)
+{
+    MD4_CTX md4;
+    des_cblock ivec;
+    unsigned char *p = cksum->checksum.data;
+    
+    krb5_generate_random_block(p, 8);
+    MD4_Init (&md4);
+    MD4_Update (&md4, p, 8);
+    MD4_Update (&md4, data, len);
+    MD4_Final (p + 8, &md4);
+    memset (&ivec, 0, sizeof(ivec));
+    des_cbc_encrypt((des_cblock*)p, 
+		    (des_cblock*)p, 
+		    24, 
+		    key->schedule->data, 
+		    &ivec, 
+		    DES_ENCRYPT);
+}
+
+static krb5_error_code
+RSA_MD4_DES_verify(krb5_context context,
+		   struct key_data *key,
+		   const void *data,
+		   size_t len,
+		   unsigned usage,
+		   Checksum *C)
+{
+    MD4_CTX md4;
+    unsigned char tmp[24];
+    unsigned char res[16];
+    des_cblock ivec;
+    krb5_error_code ret = 0;
+
+    memset(&ivec, 0, sizeof(ivec));
+    des_cbc_encrypt(C->checksum.data,
+		    (void*)tmp, 
+		    C->checksum.length, 
+		    key->schedule->data,
+		    &ivec,
+		    DES_DECRYPT);
+    MD4_Init (&md4);
+    MD4_Update (&md4, tmp, 8); /* confounder */
+    MD4_Update (&md4, data, len);
+    MD4_Final (res, &md4);
+    if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    }
+    memset(tmp, 0, sizeof(tmp));
+    memset(res, 0, sizeof(res));
+    return ret;
+}
+
+static void
+RSA_MD5_checksum(krb5_context context,
+		 struct key_data *key,
+		 const void *data,
+		 size_t len,
+		 unsigned usage,
+		 Checksum *C)
+{
+    MD5_CTX m;
+
+    MD5_Init  (&m);
+    MD5_Update(&m, data, len);
+    MD5_Final (C->checksum.data, &m);
+}
+
+static void
+RSA_MD5_DES_checksum(krb5_context context,
+		     struct key_data *key,
+		     const void *data,
+		     size_t len,
+		     unsigned usage,
+		     Checksum *C)
+{
+    MD5_CTX md5;
+    des_cblock ivec;
+    unsigned char *p = C->checksum.data;
+    
+    krb5_generate_random_block(p, 8);
+    MD5_Init (&md5);
+    MD5_Update (&md5, p, 8);
+    MD5_Update (&md5, data, len);
+    MD5_Final (p + 8, &md5);
+    memset (&ivec, 0, sizeof(ivec));
+    des_cbc_encrypt((des_cblock*)p, 
+		    (des_cblock*)p, 
+		    24, 
+		    key->schedule->data, 
+		    &ivec, 
+		    DES_ENCRYPT);
+}
+
+static krb5_error_code
+RSA_MD5_DES_verify(krb5_context context,
+		   struct key_data *key,
+		   const void *data,
+		   size_t len,
+		   unsigned usage,
+		   Checksum *C)
+{
+    MD5_CTX md5;
+    unsigned char tmp[24];
+    unsigned char res[16];
+    des_cblock ivec;
+    des_key_schedule *sched = key->schedule->data;
+    krb5_error_code ret = 0;
+
+    memset(&ivec, 0, sizeof(ivec));
+    des_cbc_encrypt(C->checksum.data, 
+		    (void*)tmp, 
+		    C->checksum.length, 
+		    sched[0],
+		    &ivec,
+		    DES_DECRYPT);
+    MD5_Init (&md5);
+    MD5_Update (&md5, tmp, 8); /* confounder */
+    MD5_Update (&md5, data, len);
+    MD5_Final (res, &md5);
+    if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    }
+    memset(tmp, 0, sizeof(tmp));
+    memset(res, 0, sizeof(res));
+    return ret;
+}
+
+static void
+RSA_MD5_DES3_checksum(krb5_context context,
+		      struct key_data *key,
+		      const void *data,
+		      size_t len,
+		      unsigned usage,
+		      Checksum *C)
+{
+    MD5_CTX md5;
+    des_cblock ivec;
+    unsigned char *p = C->checksum.data;
+    des_key_schedule *sched = key->schedule->data;
+    
+    krb5_generate_random_block(p, 8);
+    MD5_Init (&md5);
+    MD5_Update (&md5, p, 8);
+    MD5_Update (&md5, data, len);
+    MD5_Final (p + 8, &md5);
+    memset (&ivec, 0, sizeof(ivec));
+    des_ede3_cbc_encrypt((des_cblock*)p, 
+			 (des_cblock*)p, 
+			 24, 
+			 sched[0], sched[1], sched[2],
+			 &ivec, 
+			 DES_ENCRYPT);
+}
+
+static krb5_error_code
+RSA_MD5_DES3_verify(krb5_context context,
+		    struct key_data *key,
+		    const void *data,
+		    size_t len,
+		    unsigned usage,
+		    Checksum *C)
+{
+    MD5_CTX md5;
+    unsigned char tmp[24];
+    unsigned char res[16];
+    des_cblock ivec;
+    des_key_schedule *sched = key->schedule->data;
+    krb5_error_code ret = 0;
+
+    memset(&ivec, 0, sizeof(ivec));
+    des_ede3_cbc_encrypt(C->checksum.data, 
+			 (void*)tmp, 
+			 C->checksum.length, 
+			 sched[0], sched[1], sched[2],
+			 &ivec,
+			 DES_DECRYPT);
+    MD5_Init (&md5);
+    MD5_Update (&md5, tmp, 8); /* confounder */
+    MD5_Update (&md5, data, len);
+    MD5_Final (res, &md5);
+    if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    }
+    memset(tmp, 0, sizeof(tmp));
+    memset(res, 0, sizeof(res));
+    return ret;
+}
+
+static void
+SHA1_checksum(krb5_context context,
+	      struct key_data *key,
+	      const void *data,
+	      size_t len,
+	      unsigned usage,
+	      Checksum *C)
+{
+    SHA_CTX m;
+
+    SHA1_Init(&m);
+    SHA1_Update(&m, data, len);
+    SHA1_Final(C->checksum.data, &m);
+}
+
+/* HMAC according to RFC2104 */
+static void
+hmac(krb5_context context,
+     struct checksum_type *cm, 
+     const void *data, 
+     size_t len, 
+     unsigned usage,
+     struct key_data *keyblock,
+     Checksum *result)
+{
+    unsigned char *ipad, *opad;
+    unsigned char *key;
+    size_t key_len;
+    int i;
+    
+    if(keyblock->key->keyvalue.length > cm->blocksize){
+	(*cm->checksum)(context, 
+			keyblock, 
+			keyblock->key->keyvalue.data, 
+			keyblock->key->keyvalue.length, 
+			usage,
+			result);
+	key = result->checksum.data;
+	key_len = result->checksum.length;
+    } else {
+	key = keyblock->key->keyvalue.data;
+	key_len = keyblock->key->keyvalue.length;
+    }
+    ipad = malloc(cm->blocksize + len);
+    opad = malloc(cm->blocksize + cm->checksumsize);
+    memset(ipad, 0x36, cm->blocksize);
+    memset(opad, 0x5c, cm->blocksize);
+    for(i = 0; i < key_len; i++){
+	ipad[i] ^= key[i];
+	opad[i] ^= key[i];
+    }
+    memcpy(ipad + cm->blocksize, data, len);
+    (*cm->checksum)(context, keyblock, ipad, cm->blocksize + len,
+		    usage, result);
+    memcpy(opad + cm->blocksize, result->checksum.data, 
+	   result->checksum.length);
+    (*cm->checksum)(context, keyblock, opad, 
+		    cm->blocksize + cm->checksumsize, usage, result);
+    memset(ipad, 0, cm->blocksize + len);
+    free(ipad);
+    memset(opad, 0, cm->blocksize + cm->checksumsize);
+    free(opad);
+}
+
+static void
+HMAC_SHA1_DES3_checksum(krb5_context context,
+			struct key_data *key, 
+			const void *data, 
+			size_t len, 
+			unsigned usage,
+			Checksum *result)
+{
+    struct checksum_type *c = _find_checksum(CKSUMTYPE_SHA1);
+
+    hmac(context, c, data, len, usage, key, result);
+}
+
+/*
+ * checksum according to section 5. of draft-brezak-win2k-krb-rc4-hmac-03.txt
+ */
+
+static void
+HMAC_MD5_checksum(krb5_context context,
+		  struct key_data *key,
+		  const void *data,
+		  size_t len,
+		  unsigned usage,
+		  Checksum *result)
+{
+    MD5_CTX md5;
+    struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
+    const char signature[] = "signaturekey";
+    Checksum ksign_c;
+    struct key_data ksign;
+    krb5_keyblock kb;
+    unsigned char t[4];
+    unsigned char tmp[16];
+    unsigned char ksign_c_data[16];
+
+    ksign_c.checksum.length = sizeof(ksign_c_data);
+    ksign_c.checksum.data   = ksign_c_data;
+    hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c);
+    ksign.key = &kb;
+    kb.keyvalue = ksign_c.checksum;
+    MD5_Init (&md5);
+    t[0] = (usage >>  0) & 0xFF;
+    t[1] = (usage >>  8) & 0xFF;
+    t[2] = (usage >> 16) & 0xFF;
+    t[3] = (usage >> 24) & 0xFF;
+    MD5_Update (&md5, t, 4);
+    MD5_Update (&md5, data, len);
+    MD5_Final (tmp, &md5);
+    hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
+}
+
+/*
+ * same as previous but being used while encrypting.
+ */
+
+static void
+HMAC_MD5_checksum_enc(krb5_context context,
+		      struct key_data *key,
+		      const void *data,
+		      size_t len,
+		      unsigned usage,
+		      Checksum *result)
+{
+    struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
+    Checksum ksign_c;
+    struct key_data ksign;
+    krb5_keyblock kb;
+    unsigned char t[4];
+    unsigned char ksign_c_data[16];
+
+    t[0] = (usage >>  0) & 0xFF;
+    t[1] = (usage >>  8) & 0xFF;
+    t[2] = (usage >> 16) & 0xFF;
+    t[3] = (usage >> 24) & 0xFF;
+
+    ksign_c.checksum.length = sizeof(ksign_c_data);
+    ksign_c.checksum.data   = ksign_c_data;
+    hmac(context, c, t, sizeof(t), 0, key, &ksign_c);
+    ksign.key = &kb;
+    kb.keyvalue = ksign_c.checksum;
+    hmac(context, c, data, len, 0, &ksign, result);
+}
+
+struct checksum_type checksum_none = {
+    CKSUMTYPE_NONE, 
+    "none", 
+    1, 
+    0, 
+    0, 
+    NONE_checksum, 
+    NULL
+};
+struct checksum_type checksum_crc32 = {
+    CKSUMTYPE_CRC32,
+    "crc32",
+    1,
+    4,
+    0,
+    CRC32_checksum,
+    NULL
+};
+struct checksum_type checksum_rsa_md4 = {
+    CKSUMTYPE_RSA_MD4,
+    "rsa-md4",
+    64,
+    16,
+    F_CPROOF,
+    RSA_MD4_checksum,
+    NULL
+};
+struct checksum_type checksum_rsa_md4_des = {
+    CKSUMTYPE_RSA_MD4_DES,
+    "rsa-md4-des",
+    64,
+    24,
+    F_KEYED | F_CPROOF | F_VARIANT,
+    RSA_MD4_DES_checksum,
+    RSA_MD4_DES_verify
+};
+#if 0
+struct checksum_type checksum_des_mac = { 
+    CKSUMTYPE_DES_MAC,
+    "des-mac",
+    0,
+    0,
+    0,
+    DES_MAC_checksum
+};
+struct checksum_type checksum_des_mac_k = {
+    CKSUMTYPE_DES_MAC_K,
+    "des-mac-k",
+    0,
+    0,
+    0,
+    DES_MAC_K_checksum
+};
+struct checksum_type checksum_rsa_md4_des_k = {
+    CKSUMTYPE_RSA_MD4_DES_K, 
+    "rsa-md4-des-k", 
+    0, 
+    0, 
+    0, 
+    RSA_MD4_DES_K_checksum,
+    RSA_MD4_DES_K_verify
+};
+#endif
+struct checksum_type checksum_rsa_md5 = {
+    CKSUMTYPE_RSA_MD5,
+    "rsa-md5",
+    64,
+    16,
+    F_CPROOF,
+    RSA_MD5_checksum,
+    NULL
+};
+struct checksum_type checksum_rsa_md5_des = {
+    CKSUMTYPE_RSA_MD5_DES,
+    "rsa-md5-des",
+    64,
+    24,
+    F_KEYED | F_CPROOF | F_VARIANT,
+    RSA_MD5_DES_checksum,
+    RSA_MD5_DES_verify
+};
+struct checksum_type checksum_rsa_md5_des3 = {
+    CKSUMTYPE_RSA_MD5_DES3,
+    "rsa-md5-des3",
+    64,
+    24,
+    F_KEYED | F_CPROOF | F_VARIANT,
+    RSA_MD5_DES3_checksum,
+    RSA_MD5_DES3_verify
+};
+struct checksum_type checksum_sha1 = {
+    CKSUMTYPE_SHA1,
+    "sha1",
+    64,
+    20,
+    F_CPROOF,
+    SHA1_checksum,
+    NULL
+};
+struct checksum_type checksum_hmac_sha1_des3 = {
+    CKSUMTYPE_HMAC_SHA1_DES3,
+    "hmac-sha1-des3",
+    64,
+    20,
+    F_KEYED | F_CPROOF | F_DERIVED,
+    HMAC_SHA1_DES3_checksum,
+    NULL
+};
+
+struct checksum_type checksum_hmac_md5 = {
+    CKSUMTYPE_HMAC_MD5,
+    "hmac-md5",
+    64,
+    16,
+    F_KEYED | F_CPROOF,
+    HMAC_MD5_checksum,
+    NULL
+};
+
+struct checksum_type checksum_hmac_md5_enc = {
+    CKSUMTYPE_HMAC_MD5_ENC,
+    "hmac-md5-enc",
+    64,
+    16,
+    F_KEYED | F_CPROOF | F_PSEUDO,
+    HMAC_MD5_checksum_enc,
+    NULL
+};
+
+struct checksum_type *checksum_types[] = {
+    &checksum_none,
+    &checksum_crc32,
+    &checksum_rsa_md4,
+    &checksum_rsa_md4_des,
+#if 0
+    &checksum_des_mac, 
+    &checksum_des_mac_k,
+    &checksum_rsa_md4_des_k,
+#endif
+    &checksum_rsa_md5,
+    &checksum_rsa_md5_des,
+    &checksum_rsa_md5_des3,
+    &checksum_sha1,
+    &checksum_hmac_sha1_des3,
+    &checksum_hmac_md5,
+    &checksum_hmac_md5_enc
+};
+
+static int num_checksums = sizeof(checksum_types) / sizeof(checksum_types[0]);
+
+static struct checksum_type *
+_find_checksum(krb5_cksumtype type)
+{
+    int i;
+    for(i = 0; i < num_checksums; i++)
+	if(checksum_types[i]->type == type)
+	    return checksum_types[i];
+    return NULL;
+}
+
+static krb5_error_code
+get_checksum_key(krb5_context context, 
+		 krb5_crypto crypto,
+		 unsigned usage,  /* not krb5_key_usage */
+		 struct checksum_type *ct, 
+		 struct key_data **key)
+{
+    krb5_error_code ret = 0;
+
+    if(ct->flags & F_DERIVED)
+	ret = _get_derived_key(context, crypto, usage, key);
+    else if(ct->flags & F_VARIANT) {
+	int i;
+
+	*key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */);
+	if(*key == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	ret = krb5_copy_keyblock(context, crypto->key.key, &(*key)->key);
+	if(ret) 
+	    return ret;
+	for(i = 0; i < (*key)->key->keyvalue.length; i++)
+	    ((unsigned char*)(*key)->key->keyvalue.data)[i] ^= 0xF0;
+    } else {
+	*key = &crypto->key; 
+    }
+    if(ret == 0)
+	ret = _key_schedule(context, *key);
+    return ret;
+}
+
+static krb5_error_code
+do_checksum (krb5_context context,
+	     struct checksum_type *ct,
+	     krb5_crypto crypto,
+	     unsigned usage,
+	     void *data,
+	     size_t len,
+	     Checksum *result)
+{
+    krb5_error_code ret;
+    struct key_data *dkey;
+    int keyed_checksum;
+
+    keyed_checksum = (ct->flags & F_KEYED) != 0;
+    if(keyed_checksum && crypto == NULL) {
+	krb5_clear_error_string (context);
+	return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
+    }
+    if(keyed_checksum) {
+	ret = get_checksum_key(context, crypto, usage, ct, &dkey);
+	if (ret)
+	    return ret;
+    } else
+	dkey = NULL;
+    result->cksumtype = ct->type;
+    krb5_data_alloc(&result->checksum, ct->checksumsize);
+    (*ct->checksum)(context, dkey, data, len, usage, result);
+    return 0;
+}
+
+static krb5_error_code
+create_checksum(krb5_context context,
+		krb5_crypto crypto,
+		krb5_key_usage usage, /* not krb5_key_usage */
+		krb5_cksumtype type, /* 0 -> pick from crypto */
+		void *data,
+		size_t len,
+		Checksum *result)
+{
+    struct checksum_type *ct = NULL;
+
+    if (type) {
+	ct = _find_checksum(type);
+    } else if (crypto) {
+	ct = crypto->et->keyed_checksum;
+	if (ct == NULL)
+	    ct = crypto->et->checksum;
+    }
+
+    if(ct == NULL) {
+	krb5_set_error_string (context, "checksum type %d not supported",
+			       type);
+	return KRB5_PROG_SUMTYPE_NOSUPP;
+    }
+    return do_checksum (context, ct, crypto, usage, data, len, result);
+}
+
+krb5_error_code
+krb5_create_checksum(krb5_context context,
+		     krb5_crypto crypto,
+		     krb5_key_usage usage,
+		     int type,
+		     void *data,
+		     size_t len,
+		     Checksum *result)
+{
+    return create_checksum(context, crypto, 
+			   CHECKSUM_USAGE(usage), 
+			   type, data, len, result);
+}
+
+static krb5_error_code
+verify_checksum(krb5_context context,
+		krb5_crypto crypto,
+		unsigned usage, /* not krb5_key_usage */
+		void *data,
+		size_t len,
+		Checksum *cksum)
+{
+    krb5_error_code ret;
+    struct key_data *dkey;
+    int keyed_checksum;
+    Checksum c;
+    struct checksum_type *ct;
+
+    ct = _find_checksum(cksum->cksumtype);
+    if(ct == NULL) {
+	krb5_set_error_string (context, "checksum type %d not supported",
+			       cksum->cksumtype);
+	return KRB5_PROG_SUMTYPE_NOSUPP;
+    }
+    if(ct->checksumsize != cksum->checksum.length) {
+	krb5_clear_error_string (context);
+	return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
+    }
+    keyed_checksum = (ct->flags & F_KEYED) != 0;
+    if(keyed_checksum && crypto == NULL) {
+	krb5_clear_error_string (context);
+	return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
+    }
+    if(keyed_checksum)
+	ret = get_checksum_key(context, crypto, usage, ct, &dkey);
+    else
+	dkey = NULL;
+    if(ct->verify)
+	return (*ct->verify)(context, dkey, data, len, usage, cksum);
+
+    ret = krb5_data_alloc (&c.checksum, ct->checksumsize);
+    if (ret)
+	return ret;
+
+    (*ct->checksum)(context, dkey, data, len, usage, &c);
+
+    if(c.checksum.length != cksum->checksum.length || 
+       memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    } else {
+	ret = 0;
+    }
+    krb5_data_free (&c.checksum);
+    return ret;
+}
+
+krb5_error_code
+krb5_verify_checksum(krb5_context context,
+		     krb5_crypto crypto,
+		     krb5_key_usage usage, 
+		     void *data,
+		     size_t len,
+		     Checksum *cksum)
+{
+    return verify_checksum(context, crypto, 
+			   CHECKSUM_USAGE(usage), data, len, cksum);
+}
+
+krb5_error_code
+krb5_checksumsize(krb5_context context,
+		  krb5_cksumtype type,
+		  size_t *size)
+{
+    struct checksum_type *ct = _find_checksum(type);
+    if(ct == NULL) {
+	krb5_set_error_string (context, "checksum type %d not supported",
+			       type);
+	return KRB5_PROG_SUMTYPE_NOSUPP;
+    }
+    *size = ct->checksumsize;
+    return 0;
+}
+
+krb5_boolean
+krb5_checksum_is_keyed(krb5_context context,
+		       krb5_cksumtype type)
+{
+    struct checksum_type *ct = _find_checksum(type);
+    if(ct == NULL) {
+	krb5_set_error_string (context, "checksum type %d not supported",
+			       type);
+	return KRB5_PROG_SUMTYPE_NOSUPP;
+    }
+    return ct->flags & F_KEYED;
+}
+
+krb5_boolean
+krb5_checksum_is_collision_proof(krb5_context context,
+				 krb5_cksumtype type)
+{
+    struct checksum_type *ct = _find_checksum(type);
+    if(ct == NULL) {
+	krb5_set_error_string (context, "checksum type %d not supported",
+			       type);
+	return KRB5_PROG_SUMTYPE_NOSUPP;
+    }
+    return ct->flags & F_CPROOF;
+}
+
+/************************************************************
+ *                                                          *
+ ************************************************************/
+
+static krb5_error_code
+NULL_encrypt(krb5_context context,
+	     struct key_data *key, 
+	     void *data, 
+	     size_t len, 
+	     krb5_boolean encrypt,
+	     int usage,
+	     void *ivec)
+{
+    return 0;
+}
+
+static krb5_error_code
+DES_CBC_encrypt_null_ivec(krb5_context context,
+			  struct key_data *key, 
+			  void *data, 
+			  size_t len, 
+			  krb5_boolean encrypt,
+			  int usage,
+			  void *ignore_ivec)
+{
+    des_cblock ivec;
+    des_key_schedule *s = key->schedule->data;
+    memset(&ivec, 0, sizeof(ivec));
+    des_cbc_encrypt(data, data, len, *s, &ivec, encrypt);
+    return 0;
+}
+
+static krb5_error_code
+DES_CBC_encrypt_key_ivec(krb5_context context,
+			 struct key_data *key, 
+			 void *data, 
+			 size_t len, 
+			 krb5_boolean encrypt,
+			 int usage,
+			 void *ignore_ivec)
+{
+    des_cblock ivec;
+    des_key_schedule *s = key->schedule->data;
+    memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
+    des_cbc_encrypt(data, data, len, *s, &ivec, encrypt);
+    return 0;
+}
+
+static krb5_error_code
+DES3_CBC_encrypt(krb5_context context,
+		 struct key_data *key, 
+		 void *data, 
+		 size_t len, 
+		 krb5_boolean encrypt,
+		 int usage,
+		 void *ignore_ivec)
+{
+    des_cblock ivec;
+    des_key_schedule *s = key->schedule->data;
+    memset(&ivec, 0, sizeof(ivec));
+    des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], &ivec, encrypt);
+    return 0;
+}
+
+static krb5_error_code
+DES3_CBC_encrypt_ivec(krb5_context context,
+		      struct key_data *key, 
+		      void *data, 
+		      size_t len, 
+		      krb5_boolean encrypt,
+		      int usage,
+		      void *ivec)
+{
+    des_key_schedule *s = key->schedule->data;
+
+    des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], ivec, encrypt);
+    return 0;
+}
+
+static krb5_error_code
+DES_CFB64_encrypt_null_ivec(krb5_context context,
+			    struct key_data *key, 
+			    void *data, 
+			    size_t len, 
+			    krb5_boolean encrypt,
+			    int usage,
+			    void *ignore_ivec)
+{
+    des_cblock ivec;
+    int num = 0;
+    des_key_schedule *s = key->schedule->data;
+    memset(&ivec, 0, sizeof(ivec));
+
+    des_cfb64_encrypt(data, data, len, *s, &ivec, &num, encrypt);
+    return 0;
+}
+
+static krb5_error_code
+DES_PCBC_encrypt_key_ivec(krb5_context context,
+			  struct key_data *key, 
+			  void *data, 
+			  size_t len, 
+			  krb5_boolean encrypt,
+			  int usage,
+			  void *ignore_ivec)
+{
+    des_cblock ivec;
+    des_key_schedule *s = key->schedule->data;
+    memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
+
+    des_pcbc_encrypt(data, data, len, *s, &ivec, encrypt);
+    return 0;
+}
+
+/*
+ * section 6 of draft-brezak-win2k-krb-rc4-hmac-03
+ *
+ * warning: not for small children
+ */
+
+static krb5_error_code
+ARCFOUR_subencrypt(krb5_context context,
+		   struct key_data *key,
+		   void *data,
+		   size_t len,
+		   int usage,
+		   void *ivec)
+{
+    struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
+    Checksum k1_c, k2_c, k3_c, cksum;
+    struct key_data ke;
+    krb5_keyblock kb;
+    unsigned char t[4];
+    RC4_KEY rc4_key;
+    char *cdata = (char *)data;
+    unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
+
+    t[0] = (usage >>  0) & 0xFF;
+    t[1] = (usage >>  8) & 0xFF;
+    t[2] = (usage >> 16) & 0xFF;
+    t[3] = (usage >> 24) & 0xFF;
+
+    k1_c.checksum.length = sizeof(k1_c_data);
+    k1_c.checksum.data   = k1_c_data;
+
+    hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
+
+    memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
+
+    k2_c.checksum.length = sizeof(k2_c_data);
+    k2_c.checksum.data   = k2_c_data;
+
+    ke.key = &kb;
+    kb.keyvalue = k2_c.checksum;
+
+    cksum.checksum.length = 16;
+    cksum.checksum.data   = data;
+
+    hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
+
+    ke.key = &kb;
+    kb.keyvalue = k1_c.checksum;
+
+    k3_c.checksum.length = sizeof(k3_c_data);
+    k3_c.checksum.data   = k3_c_data;
+
+    hmac(NULL, c, data, 16, 0, &ke, &k3_c);
+
+    RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
+    RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
+    memset (k1_c_data, 0, sizeof(k1_c_data));
+    memset (k2_c_data, 0, sizeof(k2_c_data));
+    memset (k3_c_data, 0, sizeof(k3_c_data));
+    return 0;
+}
+
+static krb5_error_code
+ARCFOUR_subdecrypt(krb5_context context,
+		   struct key_data *key,
+		   void *data,
+		   size_t len,
+		   int usage,
+		   void *ivec)
+{
+    struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
+    Checksum k1_c, k2_c, k3_c, cksum;
+    struct key_data ke;
+    krb5_keyblock kb;
+    unsigned char t[4];
+    RC4_KEY rc4_key;
+    char *cdata = (char *)data;
+    unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
+    unsigned char cksum_data[16];
+
+    t[0] = (usage >>  0) & 0xFF;
+    t[1] = (usage >>  8) & 0xFF;
+    t[2] = (usage >> 16) & 0xFF;
+    t[3] = (usage >> 24) & 0xFF;
+
+    k1_c.checksum.length = sizeof(k1_c_data);
+    k1_c.checksum.data   = k1_c_data;
+
+    hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
+
+    memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
+
+    k2_c.checksum.length = sizeof(k2_c_data);
+    k2_c.checksum.data   = k2_c_data;
+
+    ke.key = &kb;
+    kb.keyvalue = k1_c.checksum;
+
+    k3_c.checksum.length = sizeof(k3_c_data);
+    k3_c.checksum.data   = k3_c_data;
+
+    hmac(NULL, c, cdata, 16, 0, &ke, &k3_c);
+
+    RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
+    RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
+
+    ke.key = &kb;
+    kb.keyvalue = k2_c.checksum;
+
+    cksum.checksum.length = 16;
+    cksum.checksum.data   = cksum_data;
+
+    hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
+
+    memset (k1_c_data, 0, sizeof(k1_c_data));
+    memset (k2_c_data, 0, sizeof(k2_c_data));
+    memset (k3_c_data, 0, sizeof(k3_c_data));
+
+    if (memcmp (cksum.checksum.data, data, 16) != 0) {
+	krb5_clear_error_string (context);
+	return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    } else {
+	return 0;
+    }
+}
+
+/*
+ * convert the usage numbers used in
+ * draft-ietf-cat-kerb-key-derivation-00.txt to the ones in
+ * draft-brezak-win2k-krb-rc4-hmac-03.txt
+ */
+
+static int
+usage2arcfour (int usage)
+{
+    switch (usage) {
+    case KRB5_KU_PA_ENC_TIMESTAMP :
+	return 1;
+    case KRB5_KU_TICKET :
+	return 8;
+    case KRB5_KU_AS_REP_ENC_PART :
+	return 8;
+    case KRB5_KU_TGS_REQ_AUTH_DAT_SESSION :
+    case KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY :
+    case KRB5_KU_TGS_REQ_AUTH_CKSUM :
+    case KRB5_KU_TGS_REQ_AUTH :
+	return 7;
+    case KRB5_KU_TGS_REP_ENC_PART_SESSION :
+    case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY :
+	return 8;
+    case KRB5_KU_AP_REQ_AUTH_CKSUM :
+    case KRB5_KU_AP_REQ_AUTH :
+    case KRB5_KU_AP_REQ_ENC_PART :
+	return 11;
+    case KRB5_KU_KRB_PRIV :
+	return 0;
+    case KRB5_KU_KRB_CRED :
+    case KRB5_KU_KRB_SAFE_CKSUM :
+    case KRB5_KU_OTHER_ENCRYPTED :
+    case KRB5_KU_OTHER_CKSUM :
+    case KRB5_KU_KRB_ERROR :
+    case KRB5_KU_AD_KDC_ISSUED :
+    case KRB5_KU_MANDATORY_TICKET_EXTENSION :
+    case KRB5_KU_AUTH_DATA_TICKET_EXTENSION :
+    case KRB5_KU_USAGE_SEAL :
+    case KRB5_KU_USAGE_SIGN :
+    case KRB5_KU_USAGE_SEQ :
+    default :
+	abort ();
+    }
+}
+
+static krb5_error_code
+ARCFOUR_encrypt(krb5_context context,
+		struct key_data *key,
+		void *data,
+		size_t len,
+		krb5_boolean encrypt,
+		int usage,
+		void *ivec)
+{
+    usage = usage2arcfour (usage);
+
+    if (encrypt)
+	return ARCFOUR_subencrypt (context, key, data, len, usage, ivec);
+    else
+	return ARCFOUR_subdecrypt (context, key, data, len, usage, ivec);
+}
+
+
+/*
+ * these should currently be in reverse preference order.
+ * (only relevant for !F_PSEUDO) */
+
+static struct encryption_type enctype_null = {
+    ETYPE_NULL,
+    "null",
+    1,
+    0,
+    &keytype_null,
+    &checksum_none,
+    NULL,
+    0,
+    NULL_encrypt,
+};
+static struct encryption_type enctype_des_cbc_crc = {
+    ETYPE_DES_CBC_CRC,
+    "des-cbc-crc",
+    8,
+    8,
+    &keytype_des,
+    &checksum_crc32,
+    NULL,
+    0,
+    DES_CBC_encrypt_key_ivec,
+};
+static struct encryption_type enctype_des_cbc_md4 = {
+    ETYPE_DES_CBC_MD4,
+    "des-cbc-md4",
+    8,
+    8,
+    &keytype_des,
+    &checksum_rsa_md4,
+    &checksum_rsa_md4_des,
+    0,
+    DES_CBC_encrypt_null_ivec,
+};
+static struct encryption_type enctype_des_cbc_md5 = {
+    ETYPE_DES_CBC_MD5,
+    "des-cbc-md5",
+    8,
+    8,
+    &keytype_des,
+    &checksum_rsa_md5,
+    &checksum_rsa_md5_des,
+    0,
+    DES_CBC_encrypt_null_ivec,
+};
+static struct encryption_type enctype_arcfour_hmac_md5 = {
+    ETYPE_ARCFOUR_HMAC_MD5,
+    "arcfour-hmac-md5",
+    1,
+    8,
+    &keytype_arcfour,
+    &checksum_hmac_md5_enc,
+    &checksum_hmac_md5_enc,
+    F_SPECIAL,
+    ARCFOUR_encrypt
+};
+static struct encryption_type enctype_des3_cbc_md5 = { 
+    ETYPE_DES3_CBC_MD5,
+    "des3-cbc-md5",
+    8,
+    8,
+    &keytype_des3,
+    &checksum_rsa_md5,
+    &checksum_rsa_md5_des3,
+    0,
+    DES3_CBC_encrypt,
+};
+static struct encryption_type enctype_des3_cbc_sha1 = {
+    ETYPE_DES3_CBC_SHA1,
+    "des3-cbc-sha1",
+    8,
+    8,
+    &keytype_des3_derived,
+    &checksum_sha1,
+    &checksum_hmac_sha1_des3,
+    F_DERIVED,
+    DES3_CBC_encrypt,
+};
+static struct encryption_type enctype_old_des3_cbc_sha1 = {
+    ETYPE_OLD_DES3_CBC_SHA1,
+    "old-des3-cbc-sha1",
+    8,
+    8,
+    &keytype_des3,
+    &checksum_sha1,
+    &checksum_hmac_sha1_des3,
+    0,
+    DES3_CBC_encrypt,
+};
+static struct encryption_type enctype_des_cbc_none = {
+    ETYPE_DES_CBC_NONE,
+    "des-cbc-none",
+    8,
+    0,
+    &keytype_des,
+    &checksum_none,
+    NULL,
+    F_PSEUDO,
+    DES_CBC_encrypt_null_ivec,
+};
+static struct encryption_type enctype_des_cfb64_none = {
+    ETYPE_DES_CFB64_NONE,
+    "des-cfb64-none",
+    1,
+    0,
+    &keytype_des,
+    &checksum_none,
+    NULL,
+    F_PSEUDO,
+    DES_CFB64_encrypt_null_ivec,
+};
+static struct encryption_type enctype_des_pcbc_none = {
+    ETYPE_DES_PCBC_NONE,
+    "des-pcbc-none",
+    8,
+    0,
+    &keytype_des,
+    &checksum_none,
+    NULL,
+    F_PSEUDO,
+    DES_PCBC_encrypt_key_ivec,
+};
+static struct encryption_type enctype_des3_cbc_none = {
+    ETYPE_DES3_CBC_NONE,
+    "des3-cbc-none",
+    8,
+    0,
+    &keytype_des3_derived,
+    &checksum_none,
+    NULL,
+    F_PSEUDO,
+    DES3_CBC_encrypt,
+};
+static struct encryption_type enctype_des3_cbc_none_ivec = {
+    ETYPE_DES3_CBC_NONE_IVEC,
+    "des3-cbc-none-ivec",
+    8,
+    0,
+    &keytype_des3_derived,
+    &checksum_none,
+    NULL,
+    F_PSEUDO,
+    DES3_CBC_encrypt_ivec,
+};
+
+static struct encryption_type *etypes[] = {
+    &enctype_null,
+    &enctype_des_cbc_crc,
+    &enctype_des_cbc_md4,
+    &enctype_des_cbc_md5,
+    &enctype_arcfour_hmac_md5,
+    &enctype_des3_cbc_md5, 
+    &enctype_des3_cbc_sha1,
+    &enctype_old_des3_cbc_sha1,
+    &enctype_des_cbc_none,
+    &enctype_des_cfb64_none,
+    &enctype_des_pcbc_none,
+    &enctype_des3_cbc_none,
+    &enctype_des3_cbc_none_ivec
+};
+
+static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]);
+
+
+static struct encryption_type *
+_find_enctype(krb5_enctype type)
+{
+    int i;
+    for(i = 0; i < num_etypes; i++)
+	if(etypes[i]->type == type)
+	    return etypes[i];
+    return NULL;
+}
+
+
+krb5_error_code
+krb5_enctype_to_string(krb5_context context,
+		       krb5_enctype etype,
+		       char **string)
+{
+    struct encryption_type *e;
+    e = _find_enctype(etype);
+    if(e == NULL) {
+	krb5_set_error_string (context, "encryption type %d not supported",
+			       etype);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    *string = strdup(e->name);
+    if(*string == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_string_to_enctype(krb5_context context,
+		       const char *string,
+		       krb5_enctype *etype)
+{
+    int i;
+    for(i = 0; i < num_etypes; i++)
+	if(strcasecmp(etypes[i]->name, string) == 0){
+	    *etype = etypes[i]->type;
+	    return 0;
+	}
+    krb5_set_error_string (context, "encryption type %s not supported",
+			   string);
+    return KRB5_PROG_ETYPE_NOSUPP;
+}
+
+krb5_error_code
+krb5_enctype_to_keytype(krb5_context context,
+			krb5_enctype etype,
+			krb5_keytype *keytype)
+{
+    struct encryption_type *e = _find_enctype(etype);
+    if(e == NULL) {
+	krb5_set_error_string (context, "encryption type %d not supported",
+			       etype);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    *keytype = e->keytype->type; /* XXX */
+    return 0;
+}
+
+#if 0
+krb5_error_code
+krb5_keytype_to_enctype(krb5_context context,
+			krb5_keytype keytype,
+			krb5_enctype *etype)
+{
+    struct key_type *kt = _find_keytype(keytype);
+    krb5_warnx(context, "krb5_keytype_to_enctype(%u)", keytype);
+    if(kt == NULL)
+	return KRB5_PROG_KEYTYPE_NOSUPP;
+    *etype = kt->best_etype;
+    return 0;
+}
+#endif
+    
+krb5_error_code
+krb5_keytype_to_enctypes (krb5_context context,
+			  krb5_keytype keytype,
+			  unsigned *len,
+			  int **val)
+{
+    int i;
+    unsigned n = 0;
+    int *ret;
+
+    for (i = num_etypes - 1; i >= 0; --i) {
+	if (etypes[i]->keytype->type == keytype
+	    && !(etypes[i]->flags & F_PSEUDO))
+	    ++n;
+    }
+    ret = malloc(n * sizeof(int));
+    if (ret == NULL && n != 0) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    n = 0;
+    for (i = num_etypes - 1; i >= 0; --i) {
+	if (etypes[i]->keytype->type == keytype
+	    && !(etypes[i]->flags & F_PSEUDO))
+	    ret[n++] = etypes[i]->type;
+    }
+    *len = n;
+    *val = ret;
+    return 0;
+}
+
+/*
+ * First take the configured list of etypes for `keytype' if available,
+ * else, do `krb5_keytype_to_enctypes'.
+ */
+
+krb5_error_code
+krb5_keytype_to_enctypes_default (krb5_context context,
+				  krb5_keytype keytype,
+				  unsigned *len,
+				  int **val)
+{
+    int i, n;
+    int *ret;
+
+    if (keytype != KEYTYPE_DES || context->etypes_des == NULL)
+	return krb5_keytype_to_enctypes (context, keytype, len, val);
+
+    for (n = 0; context->etypes_des[n]; ++n)
+	;
+    ret = malloc (n * sizeof(*ret));
+    if (ret == NULL && n != 0) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    for (i = 0; i < n; ++i)
+	ret[i] = context->etypes_des[i];
+    *len = n;
+    *val = ret;
+    return 0;
+}
+
+krb5_error_code
+krb5_enctype_valid(krb5_context context, 
+		 krb5_enctype etype)
+{
+    return _find_enctype(etype) != NULL;
+}
+
+/* if two enctypes have compatible keys */
+krb5_boolean
+krb5_enctypes_compatible_keys(krb5_context context,
+			      krb5_enctype etype1,
+			      krb5_enctype etype2)
+{
+    struct encryption_type *e1 = _find_enctype(etype1);
+    struct encryption_type *e2 = _find_enctype(etype2);
+    return e1 != NULL && e2 != NULL && e1->keytype == e2->keytype;
+}
+
+static krb5_boolean
+derived_crypto(krb5_context context,
+	       krb5_crypto crypto)
+{
+    return (crypto->et->flags & F_DERIVED) != 0;
+}
+
+static krb5_boolean
+special_crypto(krb5_context context,
+	       krb5_crypto crypto)
+{
+    return (crypto->et->flags & F_SPECIAL) != 0;
+}
+
+#define CHECKSUMSIZE(C) ((C)->checksumsize)
+#define CHECKSUMTYPE(C) ((C)->type)
+
+static krb5_error_code
+encrypt_internal_derived(krb5_context context,
+			 krb5_crypto crypto,
+			 unsigned usage,
+			 void *data,
+			 size_t len,
+			 krb5_data *result,
+			 void *ivec)
+{
+    size_t sz, block_sz, checksum_sz;
+    Checksum cksum;
+    unsigned char *p, *q;
+    krb5_error_code ret;
+    struct key_data *dkey;
+    struct encryption_type *et = crypto->et;
+    
+    checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
+
+    sz = et->confoundersize + /* 4 - length */ len;
+    block_sz = (sz + et->blocksize - 1) &~ (et->blocksize - 1); /* pad */
+    p = calloc(1, block_sz + checksum_sz);
+    if(p == NULL)
+	return ENOMEM;
+    
+    q = p;
+    krb5_generate_random_block(q, et->confoundersize); /* XXX */
+    q += et->confoundersize;
+    memcpy(q, data, len);
+    
+    ret = create_checksum(context, 
+			  crypto, 
+			  INTEGRITY_USAGE(usage),
+			  et->keyed_checksum->type,
+			  p, 
+			  block_sz,
+			  &cksum);
+    if(ret == 0 && cksum.checksum.length != checksum_sz) {
+	free_Checksum (&cksum);
+	krb5_clear_error_string (context);
+	ret = KRB5_CRYPTO_INTERNAL;
+    }
+    if(ret) {
+	memset(p, 0, block_sz + checksum_sz);
+	free(p);
+	return ret;
+    }
+    memcpy(p + block_sz, cksum.checksum.data, cksum.checksum.length);
+    free_Checksum (&cksum);
+    ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
+    if(ret) {
+	memset(p, 0, block_sz + checksum_sz);
+	free(p);
+	return ret;
+    }
+    ret = _key_schedule(context, dkey);
+    if(ret) {
+	memset(p, 0, block_sz);
+	free(p);
+	return ret;
+    }
+#ifdef CRYPTO_DEBUG
+    krb5_crypto_debug(context, 1, block_sz, dkey->key);
+#endif
+    (*et->encrypt)(context, dkey, p, block_sz, 1, usage, ivec);
+    result->data = p;
+    result->length = block_sz + checksum_sz;
+    return 0;
+}
+
+static krb5_error_code
+encrypt_internal(krb5_context context,
+		 krb5_crypto crypto,
+		 void *data,
+		 size_t len,
+		 krb5_data *result,
+		 void *ivec)
+{
+    size_t sz, block_sz, checksum_sz;
+    Checksum cksum;
+    unsigned char *p, *q;
+    krb5_error_code ret;
+    struct encryption_type *et = crypto->et;
+    
+    checksum_sz = CHECKSUMSIZE(et->checksum);
+    
+    sz = et->confoundersize + checksum_sz + len;
+    block_sz = (sz + et->blocksize - 1) &~ (et->blocksize - 1); /* pad */
+    p = calloc(1, block_sz);
+    if(p == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    
+    q = p;
+    krb5_generate_random_block(q, et->confoundersize); /* XXX */
+    q += et->confoundersize;
+    memset(q, 0, checksum_sz);
+    q += checksum_sz;
+    memcpy(q, data, len);
+
+    ret = create_checksum(context, 
+			  crypto,
+			  0,
+			  et->checksum->type,
+			  p, 
+			  block_sz,
+			  &cksum);
+    if(ret == 0 && cksum.checksum.length != checksum_sz) {
+	krb5_clear_error_string (context);
+	ret = KRB5_CRYPTO_INTERNAL;
+    }
+    if(ret) {
+	memset(p, 0, block_sz);
+	free(p);
+	free_Checksum(&cksum);
+	return ret;
+    }
+    memcpy(p + et->confoundersize, cksum.checksum.data, cksum.checksum.length);
+    free_Checksum(&cksum);
+    ret = _key_schedule(context, &crypto->key);
+    if(ret) {
+	memset(p, 0, block_sz);
+	free(p);
+	return ret;
+    }
+#ifdef CRYPTO_DEBUG
+    krb5_crypto_debug(context, 1, block_sz, crypto->key.key);
+#endif
+    (*et->encrypt)(context, &crypto->key, p, block_sz, 1, 0, ivec);
+    result->data = p;
+    result->length = block_sz;
+    return 0;
+}
+
+static krb5_error_code
+encrypt_internal_special(krb5_context context,
+			 krb5_crypto crypto,
+			 int usage,
+			 void *data,
+			 size_t len,
+			 krb5_data *result,
+			 void *ivec)
+{
+    struct encryption_type *et = crypto->et;
+    size_t cksum_sz = CHECKSUMSIZE(et->checksum);
+    size_t sz = len + cksum_sz + et->confoundersize;
+    char *tmp, *p;
+
+    tmp = malloc (sz);
+    if (tmp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    p = tmp;
+    memset (p, 0, cksum_sz);
+    p += cksum_sz;
+    krb5_generate_random_block(p, et->confoundersize);
+    p += et->confoundersize;
+    memcpy (p, data, len);
+    (*et->encrypt)(context, &crypto->key, tmp, sz, TRUE, usage, ivec);
+    result->data   = tmp;
+    result->length = sz;
+    return 0;
+}
+
+static krb5_error_code
+decrypt_internal_derived(krb5_context context,
+			 krb5_crypto crypto,
+			 unsigned usage,
+			 void *data,
+			 size_t len,
+			 krb5_data *result,
+			 void *ivec)
+{
+    size_t checksum_sz;
+    Checksum cksum;
+    unsigned char *p;
+    krb5_error_code ret;
+    struct key_data *dkey;
+    struct encryption_type *et = crypto->et;
+    unsigned long l;
+    
+    checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
+    if (len < checksum_sz) {
+	krb5_clear_error_string (context);
+	return EINVAL;		/* XXX - better error code? */
+    }
+
+    p = malloc(len);
+    if(len != 0 && p == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memcpy(p, data, len);
+
+    len -= checksum_sz;
+
+    ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+    ret = _key_schedule(context, dkey);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+#ifdef CRYPTO_DEBUG
+    krb5_crypto_debug(context, 0, len, dkey->key);
+#endif
+    (*et->encrypt)(context, dkey, p, len, 0, usage, ivec);
+
+    cksum.checksum.data   = p + len;
+    cksum.checksum.length = checksum_sz;
+    cksum.cksumtype       = CHECKSUMTYPE(et->keyed_checksum);
+
+    ret = verify_checksum(context,
+			  crypto,
+			  INTEGRITY_USAGE(usage),
+			  p,
+			  len,
+			  &cksum);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+    l = len - et->confoundersize;
+    memmove(p, p + et->confoundersize, l);
+    result->data = realloc(p, l);
+    if(result->data == NULL) {
+	free(p);
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    result->length = l;
+    return 0;
+}
+
+static krb5_error_code
+decrypt_internal(krb5_context context,
+		 krb5_crypto crypto,
+		 void *data,
+		 size_t len,
+		 krb5_data *result,
+		 void *ivec)
+{
+    krb5_error_code ret;
+    unsigned char *p;
+    Checksum cksum;
+    size_t checksum_sz, l;
+    struct encryption_type *et = crypto->et;
+    
+    checksum_sz = CHECKSUMSIZE(et->checksum);
+    p = malloc(len);
+    if(len != 0 && p == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memcpy(p, data, len);
+    
+    ret = _key_schedule(context, &crypto->key);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+#ifdef CRYPTO_DEBUG
+    krb5_crypto_debug(context, 0, len, crypto->key.key);
+#endif
+    (*et->encrypt)(context, &crypto->key, p, len, 0, 0, ivec);
+    ret = krb5_data_copy(&cksum.checksum, p + et->confoundersize, checksum_sz);
+    if(ret) {
+ 	free(p);
+ 	return ret;
+    }
+    memset(p + et->confoundersize, 0, checksum_sz);
+    cksum.cksumtype = CHECKSUMTYPE(et->checksum);
+    ret = verify_checksum(context, NULL, 0, p, len, &cksum);
+    free_Checksum(&cksum);
+    if(ret) {
+	free(p);
+	return ret;
+    }
+    l = len - et->confoundersize - checksum_sz;
+    memmove(p, p + et->confoundersize + checksum_sz, l);
+    result->data = realloc(p, l);
+    if(result->data == NULL) {
+	free(p);
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    result->length = l;
+    return 0;
+}
+
+static krb5_error_code
+decrypt_internal_special(krb5_context context,
+			 krb5_crypto crypto,
+			 int usage,
+			 void *data,
+			 size_t len,
+			 krb5_data *result,
+			 void *ivec)
+{
+    struct encryption_type *et = crypto->et;
+    size_t cksum_sz = CHECKSUMSIZE(et->checksum);
+    size_t sz = len - cksum_sz - et->confoundersize;
+    char *cdata = (char *)data;
+    char *tmp;
+
+    tmp = malloc (sz);
+    if (tmp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    
+    (*et->encrypt)(context, &crypto->key, data, len, FALSE, usage, ivec);
+
+    memcpy (tmp, cdata + cksum_sz + et->confoundersize, sz);
+
+    result->data   = tmp;
+    result->length = sz;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_encrypt_ivec(krb5_context context,
+		  krb5_crypto crypto,
+		  unsigned usage,
+		  void *data,
+		  size_t len,
+		  krb5_data *result,
+		  void *ivec)
+{
+    if(derived_crypto(context, crypto))
+	return encrypt_internal_derived(context, crypto, usage, 
+					data, len, result, ivec);
+    else if (special_crypto(context, crypto))
+	return encrypt_internal_special (context, crypto, usage,
+					 data, len, result, ivec);
+    else
+	return encrypt_internal(context, crypto, data, len, result, ivec);
+}
+
+krb5_error_code
+krb5_encrypt(krb5_context context,
+	     krb5_crypto crypto,
+	     unsigned usage,
+	     void *data,
+	     size_t len,
+	     krb5_data *result)
+{
+    return krb5_encrypt_ivec(context, crypto, usage, data, len, result, NULL);
+}
+
+krb5_error_code
+krb5_encrypt_EncryptedData(krb5_context context,
+			   krb5_crypto crypto,
+			   unsigned usage,
+			   void *data,
+			   size_t len,
+			   int kvno,
+			   EncryptedData *result)
+{
+    result->etype = CRYPTO_ETYPE(crypto);
+    if(kvno){
+	ALLOC(result->kvno, 1);
+	*result->kvno = kvno;
+    }else
+	result->kvno = NULL;
+    return krb5_encrypt(context, crypto, usage, data, len, &result->cipher);
+}
+
+krb5_error_code
+krb5_decrypt_ivec(krb5_context context,
+		  krb5_crypto crypto,
+		  unsigned usage,
+		  void *data,
+		  size_t len,
+		  krb5_data *result,
+		  void *ivec)
+{
+    if(derived_crypto(context, crypto))
+	return decrypt_internal_derived(context, crypto, usage, 
+					data, len, result, ivec);
+    else if (special_crypto (context, crypto))
+	return decrypt_internal_special(context, crypto, usage,
+					data, len, result, ivec);
+    else
+	return decrypt_internal(context, crypto, data, len, result, ivec);
+}
+
+krb5_error_code
+krb5_decrypt(krb5_context context,
+	     krb5_crypto crypto,
+	     unsigned usage,
+	     void *data,
+	     size_t len,
+	     krb5_data *result)
+{
+    return krb5_decrypt_ivec (context, crypto, usage, data, len, result,
+			      NULL);
+}
+
+krb5_error_code
+krb5_decrypt_EncryptedData(krb5_context context,
+			   krb5_crypto crypto,
+			   unsigned usage,
+			   const EncryptedData *e,
+			   krb5_data *result)
+{
+    return krb5_decrypt(context, crypto, usage, 
+			e->cipher.data, e->cipher.length, result);
+}
+
+/************************************************************
+ *                                                          *
+ ************************************************************/
+
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/rand.h>
+
+/* From openssl/crypto/rand/rand_lcl.h */
+#define ENTROPY_NEEDED 20
+static int
+seed_something(void)
+{
+    int fd = -1;
+    size_t len;
+    char buf[1024], seedfile[256];
+
+    /* If there is a seed file, load it. But such a file cannot be trusted,
+       so use 0 for the entropy estimate */
+    if (RAND_file_name(seedfile, sizeof(seedfile))) {
+	fd = open(seedfile, O_RDONLY);
+	if (fd >= 0) {
+	    read(fd, buf, sizeof(buf));
+	    /* Use the full buffer anyway */
+	    RAND_add(buf, sizeof(buf), 0.0);
+	} else
+	    seedfile[0] = '\0';
+    } else
+	seedfile[0] = '\0';
+
+    /* Calling RAND_status() will try to use /dev/urandom if it exists so
+       we do not have to deal with it. */
+    if (RAND_status() != 1) {
+	krb5_context context;
+	char *p;
+
+	/* Try using egd */
+	if (!krb5_init_context(&context)) {
+	    p = krb5_config_get_string(context, NULL, "libdefaults",
+		"egd_socket", NULL);
+	    if (p != NULL)
+		RAND_egd_bytes(p, ENTROPY_NEEDED);
+	    krb5_free_context(context);
+	}
+    }
+    
+    if (RAND_status() == 1)	{
+	/* Update the seed file */
+	if (seedfile[0])
+	    RAND_write_file(seedfile);
+
+	return 0;
+    } else
+	return -1;
+}
+
+void
+krb5_generate_random_block(void *buf, size_t len)
+{
+    static int rng_initialized = 0;
+    
+    if (!rng_initialized) {
+	if (seed_something())
+	    krb5_abortx(NULL, "Fatal: could not seed the random number generator");
+	
+	rng_initialized = 1;
+    }
+    RAND_bytes(buf, len);
+}
+
+#else
+
+void
+krb5_generate_random_block(void *buf, size_t len)
+{
+    des_cblock key, out;
+    static des_cblock counter;
+    static des_key_schedule schedule;
+    int i;
+    static int initialized = 0;
+
+    if(!initialized) {
+	des_new_random_key(&key);
+	des_set_key(&key, schedule);
+	memset(&key, 0, sizeof(key));
+	des_new_random_key(&counter);
+    }
+    while(len > 0) {
+	des_ecb_encrypt(&counter, &out, schedule, DES_ENCRYPT);
+	for(i = 7; i >=0; i--)
+	    if(counter[i]++)
+		break;
+	memcpy(buf, out, min(len, sizeof(out)));
+	len -= min(len, sizeof(out));
+	buf = (char*)buf + sizeof(out);
+    }
+}
+#endif
+
+static void
+DES3_postproc(krb5_context context,
+	      unsigned char *k, size_t len, struct key_data *key)
+{
+    unsigned char x[24];
+    int i, j;
+
+    memset(x, 0, sizeof(x));
+    for (i = 0; i < 3; ++i) {
+	unsigned char foo;
+
+	for (j = 0; j < 7; ++j) {
+	    unsigned char b = k[7 * i + j];
+
+	    x[8 * i + j] = b;
+	}
+	foo = 0;
+	for (j = 6; j >= 0; --j) {
+	    foo |= k[7 * i + j] & 1;
+	    foo <<= 1;
+	}
+	x[8 * i + 7] = foo;
+    }
+    k = key->key->keyvalue.data;
+    memcpy(k, x, 24);
+    memset(x, 0, sizeof(x));
+    if (key->schedule) {
+	krb5_free_data(context, key->schedule);
+	key->schedule = NULL;
+    }
+    des_set_odd_parity((des_cblock*)k);
+    des_set_odd_parity((des_cblock*)(k + 8));
+    des_set_odd_parity((des_cblock*)(k + 16));
+}
+
+static krb5_error_code
+derive_key(krb5_context context,
+	   struct encryption_type *et,
+	   struct key_data *key,
+	   const void *constant,
+	   size_t len)
+{
+    unsigned char *k;
+    unsigned int nblocks = 0, i;
+    krb5_error_code ret = 0;
+    
+    struct key_type *kt = et->keytype;
+    ret = _key_schedule(context, key);
+    if(ret)
+	return ret;
+    if(et->blocksize * 8 < kt->bits || 
+       len != et->blocksize) {
+	nblocks = (kt->bits + et->blocksize * 8 - 1) / (et->blocksize * 8);
+	k = malloc(nblocks * et->blocksize);
+	if(k == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	_krb5_n_fold(constant, len, k, et->blocksize);
+	for(i = 0; i < nblocks; i++) {
+	    if(i > 0)
+		memcpy(k + i * et->blocksize, 
+		       k + (i - 1) * et->blocksize,
+		       et->blocksize);
+	    (*et->encrypt)(context, key, k + i * et->blocksize, et->blocksize,
+			   1, 0, NULL);
+	}
+    } else {
+	/* this case is probably broken, but won't be run anyway */
+	void *c = malloc(len);
+	size_t res_len = (kt->bits + 7) / 8;
+
+	if(len != 0 && c == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	memcpy(c, constant, len);
+	(*et->encrypt)(context, key, c, len, 1, 0, NULL);
+	k = malloc(res_len);
+	if(res_len != 0 && k == NULL) {
+	    free(c);
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	_krb5_n_fold(c, len, k, res_len);
+	free(c);
+    }
+    
+    /* XXX keytype dependent post-processing */
+    switch(kt->type) {
+    case KEYTYPE_DES3:
+	DES3_postproc(context, k, nblocks * et->blocksize, key);
+	break;
+    default:
+	krb5_set_error_string(context,
+			      "derive_key() called with unknown keytype (%u)", 
+			      kt->type);
+	ret = KRB5_CRYPTO_INTERNAL;
+	break;
+    }
+    memset(k, 0, nblocks * et->blocksize);
+    free(k);
+    return ret;
+}
+
+static struct key_data *
+_new_derived_key(krb5_crypto crypto, unsigned usage)
+{
+    struct key_usage *d = crypto->key_usage;
+    d = realloc(d, (crypto->num_key_usage + 1) * sizeof(*d));
+    if(d == NULL)
+	return NULL;
+    crypto->key_usage = d;
+    d += crypto->num_key_usage++;
+    memset(d, 0, sizeof(*d));
+    d->usage = usage;
+    return &d->key;
+}
+
+krb5_error_code
+krb5_derive_key(krb5_context context,
+		const krb5_keyblock *key,
+		krb5_enctype etype,
+		const void *constant,
+		size_t constant_len,
+		krb5_keyblock **derived_key)
+{
+    krb5_error_code ret;
+    struct encryption_type *et;
+    struct key_data d;
+
+    et = _find_enctype (etype);
+    if (et == NULL) {
+	krb5_set_error_string(context, "encryption type %d not supported",
+			      etype);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+
+    ret = krb5_copy_keyblock(context, key, derived_key);
+    if (ret)
+	return ret;
+
+    d.key = *derived_key;
+    d.schedule = NULL;
+    ret = derive_key(context, et, &d, constant, constant_len);
+    if (ret)
+	return ret;
+    ret = krb5_copy_keyblock(context, d.key, derived_key);
+    return ret;
+}
+
+static krb5_error_code
+_get_derived_key(krb5_context context, 
+		 krb5_crypto crypto, 
+		 unsigned usage, 
+		 struct key_data **key)
+{
+    int i;
+    struct key_data *d;
+    unsigned char constant[5];
+
+    for(i = 0; i < crypto->num_key_usage; i++)
+	if(crypto->key_usage[i].usage == usage) {
+	    *key = &crypto->key_usage[i].key;
+	    return 0;
+	}
+    d = _new_derived_key(crypto, usage);
+    if(d == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    krb5_copy_keyblock(context, crypto->key.key, &d->key);
+    _krb5_put_int(constant, usage, 5);
+    derive_key(context, crypto->et, d, constant, sizeof(constant));
+    *key = d;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_crypto_init(krb5_context context,
+		 const krb5_keyblock *key,
+		 krb5_enctype etype,
+		 krb5_crypto *crypto)
+{
+    krb5_error_code ret;
+    ALLOC(*crypto, 1);
+    if(*crypto == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    if(etype == ETYPE_NULL)
+	etype = key->keytype;
+    (*crypto)->et = _find_enctype(etype);
+    if((*crypto)->et == NULL) {
+	free(*crypto);
+	krb5_set_error_string (context, "encryption type %d not supported",
+			       etype);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key);
+    if(ret) {
+	free(*crypto);
+	return ret;
+    }
+    (*crypto)->key.schedule = NULL;
+    (*crypto)->num_key_usage = 0;
+    (*crypto)->key_usage = NULL;
+    return 0;
+}
+
+static void
+free_key_data(krb5_context context, struct key_data *key)
+{
+    krb5_free_keyblock(context, key->key);
+    if(key->schedule) {
+	memset(key->schedule->data, 0, key->schedule->length);
+	krb5_free_data(context, key->schedule);
+    }
+}
+
+static void
+free_key_usage(krb5_context context, struct key_usage *ku)
+{
+    free_key_data(context, &ku->key);
+}
+
+krb5_error_code
+krb5_crypto_destroy(krb5_context context,
+		    krb5_crypto crypto)
+{
+    int i;
+    
+    for(i = 0; i < crypto->num_key_usage; i++)
+	free_key_usage(context, &crypto->key_usage[i]);
+    free(crypto->key_usage);
+    free_key_data(context, &crypto->key);
+    free (crypto);
+    return 0;
+}
+
+krb5_error_code
+krb5_string_to_key_derived(krb5_context context,
+			   const void *str,
+			   size_t len,
+			   krb5_enctype etype,
+			   krb5_keyblock *key)
+{
+    struct encryption_type *et = _find_enctype(etype);
+    krb5_error_code ret;
+    struct key_data kd;
+    u_char *tmp;
+
+    if(et == NULL) {
+	krb5_set_error_string (context, "encryption type %d not supported",
+			       etype);
+	return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    ALLOC(kd.key, 1);
+    kd.key->keytype = etype;
+    tmp = malloc (et->keytype->bits / 8);
+    _krb5_n_fold(str, len, tmp, et->keytype->bits / 8);
+    krb5_data_alloc(&kd.key->keyvalue, et->keytype->size);
+    kd.schedule = NULL;
+    DES3_postproc (context, tmp, et->keytype->bits / 8, &kd); /* XXX */
+    ret = derive_key(context,
+		     et,
+		     &kd,
+		     "kerberos", /* XXX well known constant */
+		     strlen("kerberos"));
+    ret = krb5_copy_keyblock_contents(context, kd.key, key);
+    free_key_data(context, &kd);
+    return ret;
+}
+
+static size_t
+wrapped_length (krb5_context context,
+		krb5_crypto  crypto,
+		size_t       data_len)
+{
+    struct encryption_type *et = crypto->et;
+    size_t blocksize = et->blocksize;
+    size_t res;
+
+    res =  et->confoundersize + et->checksum->checksumsize + data_len;
+    res =  (res + blocksize - 1) / blocksize * blocksize;
+    return res;
+}
+
+static size_t
+wrapped_length_dervied (krb5_context context,
+			krb5_crypto  crypto,
+			size_t       data_len)
+{
+    struct encryption_type *et = crypto->et;
+    size_t blocksize = et->blocksize;
+    size_t res;
+
+    res =  et->confoundersize + data_len;
+    res =  (res + blocksize - 1) / blocksize * blocksize;
+    res += et->checksum->checksumsize;
+    return res;
+}
+
+/*
+ * Return the size of an encrypted packet of length `data_len'
+ */
+
+size_t
+krb5_get_wrapped_length (krb5_context context,
+			 krb5_crypto  crypto,
+			 size_t       data_len)
+{
+    if (derived_crypto (context, crypto))
+	return wrapped_length_dervied (context, crypto, data_len);
+    else
+	return wrapped_length (context, crypto, data_len);
+}
+
+#ifdef CRYPTO_DEBUG
+
+static krb5_error_code
+krb5_get_keyid(krb5_context context,
+	       krb5_keyblock *key,
+	       u_int32_t *keyid)
+{
+    MD5_CTX md5;
+    unsigned char tmp[16];
+
+    MD5_Init (&md5);
+    MD5_Update (&md5, key->keyvalue.data, key->keyvalue.length);
+    MD5_Final (tmp, &md5);
+    *keyid = (tmp[12] << 24) | (tmp[13] << 16) | (tmp[14] << 8) | tmp[15];
+    return 0;
+}
+
+static void
+krb5_crypto_debug(krb5_context context,
+		  int encrypt,
+		  size_t len,
+		  krb5_keyblock *key)
+{
+    u_int32_t keyid;
+    char *kt;
+    krb5_get_keyid(context, key, &keyid);
+    krb5_enctype_to_string(context, key->keytype, &kt);
+    krb5_warnx(context, "%s %lu bytes with key-id %#x (%s)", 
+	       encrypt ? "encrypting" : "decrypting",
+	       (unsigned long)len,
+	       keyid,
+	       kt);
+    free(kt);
+}
+
+#endif /* CRYPTO_DEBUG */
+
+#if 0
+int
+main()
+{
+#if 0
+    int i;
+    krb5_context context;
+    krb5_crypto crypto;
+    struct key_data *d;
+    krb5_keyblock key;
+    char constant[4];
+    unsigned usage = ENCRYPTION_USAGE(3);
+    krb5_error_code ret;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    key.keytype = ETYPE_NEW_DES3_CBC_SHA1;
+    key.keyvalue.data = "\xb3\x85\x58\x94\xd9\xdc\x7c\xc8"
+	"\x25\xe9\x85\xab\x3e\xb5\xfb\x0e"
+	"\xc8\xdf\xab\x26\x86\x64\x15\x25";
+    key.keyvalue.length = 24;
+
+    krb5_crypto_init(context, &key, 0, &crypto);
+
+    d = _new_derived_key(crypto, usage);
+    if(d == NULL)
+	return ENOMEM;
+    krb5_copy_keyblock(context, crypto->key.key, &d->key);
+    _krb5_put_int(constant, usage, 4);
+    derive_key(context, crypto->et, d, constant, sizeof(constant));
+    return 0;
+#else
+    int i;
+    krb5_context context;
+    krb5_crypto crypto;
+    struct key_data *d;
+    krb5_keyblock key;
+    krb5_error_code ret;
+    Checksum res;
+
+    char *data = "what do ya want for nothing?";
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    key.keytype = ETYPE_NEW_DES3_CBC_SHA1;
+    key.keyvalue.data = "Jefe";
+    /* "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"; */
+    key.keyvalue.length = 4;
+
+    d = calloc(1, sizeof(*d));
+
+    d->key = &key;
+    res.checksum.length = 20;
+    res.checksum.data = malloc(res.checksum.length);
+    HMAC_SHA1_DES3_checksum(context, d, data, 28, &res);
+
+    return 0;
+#endif
+}
+#endif
diff --git a/crypto/heimdal/lib/krb5/data.c b/crypto/heimdal/lib/krb5/data.c
new file mode 100644
index 0000000..c6a5d75
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/data.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: data.c,v 1.16 2001/05/14 06:14:46 assar Exp $");
+
+void
+krb5_data_zero(krb5_data *p)
+{
+    p->length = 0;
+    p->data   = NULL;
+}
+
+void
+krb5_data_free(krb5_data *p)
+{
+    if(p->data != NULL)
+	free(p->data);
+    p->length = 0;
+}
+
+void
+krb5_free_data(krb5_context context,
+	       krb5_data *p)
+{
+    krb5_data_free(p);
+    free(p);
+}
+
+krb5_error_code
+krb5_data_alloc(krb5_data *p, int len)
+{
+    p->data = malloc(len);
+    if(len && p->data == NULL)
+	return ENOMEM;
+    p->length = len;
+    return 0;
+}
+
+krb5_error_code
+krb5_data_realloc(krb5_data *p, int len)
+{
+    void *tmp;
+    tmp = realloc(p->data, len);
+    if(len && !tmp)
+	return ENOMEM;
+    p->data = tmp;
+    p->length = len;
+    return 0;
+}
+
+krb5_error_code
+krb5_data_copy(krb5_data *p, const void *data, size_t len)
+{
+    if (len) {
+	if(krb5_data_alloc(p, len))
+	    return ENOMEM;
+	memmove(p->data, data, len);
+    } else
+	p->data = NULL;
+    p->length = len;
+    return 0;
+}
+
+krb5_error_code
+krb5_copy_data(krb5_context context, 
+	       const krb5_data *indata, 
+	       krb5_data **outdata)
+{
+    krb5_error_code ret;
+    ALLOC(*outdata, 1);
+    if(*outdata == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    ret = copy_octet_string(indata, *outdata);
+    if(ret) {
+	krb5_clear_error_string (context);
+	free(*outdata);
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/derived-key-test.c b/crypto/heimdal/lib/krb5/derived-key-test.c
new file mode 100644
index 0000000..0a47dd3
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/derived-key-test.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: derived-key-test.c,v 1.1 2001/03/12 07:44:52 assar Exp $");
+
+enum { MAXSIZE = 24 };
+
+static struct testcase {
+    krb5_enctype enctype;
+    unsigned char constant[MAXSIZE];
+    size_t constant_len;
+    unsigned char key[MAXSIZE];
+    unsigned char res[MAXSIZE];
+} tests[] = {
+    {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
+    {0xdc, 0xe0, 0x6b, 0x1f, 0x64, 0xc8, 0x57, 0xa1, 0x1c, 0x3d, 0xb5, 0x7c, 0x51, 0x89, 0x9b, 0x2c, 0xc1, 0x79, 0x10, 0x08, 0xce, 0x97, 0x3b, 0x92},
+    {0x92, 0x51, 0x79, 0xd0, 0x45, 0x91, 0xa7, 0x9b, 0x5d, 0x31, 0x92, 0xc4, 0xa7, 0xe9, 0xc2, 0x89, 0xb0, 0x49, 0xc7, 0x1f, 0x6e, 0xe6, 0x04, 0xcd}},
+    {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
+     {0x5e, 0x13, 0xd3, 0x1c, 0x70, 0xef, 0x76, 0x57, 0x46, 0x57, 0x85, 0x31, 0xcb, 0x51, 0xc1, 0x5b, 0xf1, 0x1c, 0xa8, 0x2c, 0x97, 0xce, 0xe9, 0xf2},
+     {0x9e, 0x58, 0xe5, 0xa1, 0x46, 0xd9, 0x94, 0x2a, 0x10, 0x1c, 0x46, 0x98, 0x45, 0xd6, 0x7a, 0x20, 0xe3, 0xc4, 0x25, 0x9e, 0xd9, 0x13, 0xf2, 0x07}},
+    {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
+     {0x98, 0xe6, 0xfd, 0x8a, 0x04, 0xa4, 0xb6, 0x85, 0x9b, 0x75, 0xa1, 0x76, 0x54, 0x0b, 0x97, 0x52, 0xba, 0xd3, 0xec, 0xd6, 0x10, 0xa2, 0x52, 0xbc},
+     {0x13, 0xfe, 0xf8, 0x0d, 0x76, 0x3e, 0x94, 0xec, 0x6d, 0x13, 0xfd, 0x2c, 0xa1, 0xd0, 0x85, 0x07, 0x02, 0x49, 0xda, 0xd3, 0x98, 0x08, 0xea, 0xbf}},
+    {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
+     {0x62, 0x2a, 0xec, 0x25, 0xa2, 0xfe, 0x2c, 0xad, 0x70, 0x94, 0x68, 0x0b, 0x7c, 0x64, 0x94, 0x02, 0x80, 0x08, 0x4c, 0x1a, 0x7c, 0xec, 0x92, 0xb5},
+     {0xf8, 0xdf, 0xbf, 0x04, 0xb0, 0x97, 0xe6, 0xd9, 0xdc, 0x07, 0x02, 0x68, 0x6b, 0xcb, 0x34, 0x89, 0xd9, 0x1f, 0xd9, 0xa4, 0x51, 0x6b, 0x70, 0x3e}},
+    {ETYPE_DES3_CBC_SHA1, {0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73}, 8,
+     {0xd3, 0xf8, 0x29, 0x8c, 0xcb, 0x16, 0x64, 0x38, 0xdc, 0xb9, 0xb9, 0x3e, 0xe5, 0xa7, 0x62, 0x92, 0x86, 0xa4, 0x91, 0xf8, 0x38, 0xf8, 0x02, 0xfb},
+     {0x23, 0x70, 0xda, 0x57, 0x5d, 0x2a, 0x3d, 0xa8, 0x64, 0xce, 0xbf, 0xdc, 0x52, 0x04, 0xd5, 0x6d, 0xf7, 0x79, 0xa7, 0xdf, 0x43, 0xd9, 0xda, 0x43}},
+    {ETYPE_DES3_CBC_SHA1, {0x63, 0x6f, 0x6d, 0x62, 0x69, 0x6e, 0x65}, 7,
+     {0xb5, 0x5e, 0x98, 0x34, 0x67, 0xe5, 0x51, 0xb3, 0xe5, 0xd0, 0xe5, 0xb6, 0xc8, 0x0d, 0x45, 0x76, 0x94, 0x23, 0xa8, 0x73, 0xdc, 0x62, 0xb3, 0x0e},
+     {0x01, 0x26, 0x38, 0x8a, 0xad, 0xc8, 0x1a, 0x1f, 0x2a, 0x62, 0xbc, 0x45, 0xf8, 0xd5, 0xc1, 0x91, 0x51, 0xba, 0xcd, 0xd5, 0xcb, 0x79, 0x8a, 0x3e}},
+    {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
+     {0xc1, 0x08, 0x16, 0x49, 0xad, 0xa7, 0x43, 0x62, 0xe6, 0xa1, 0x45, 0x9d, 0x01, 0xdf, 0xd3, 0x0d, 0x67, 0xc2, 0x23, 0x4c, 0x94, 0x07, 0x04, 0xda},
+     {0x34, 0x80, 0x57, 0xec, 0x98, 0xfd, 0xc4, 0x80, 0x16, 0x16, 0x1c, 0x2a, 0x4c, 0x7a, 0x94, 0x3e, 0x92, 0xae, 0x49, 0x2c, 0x98, 0x91, 0x75, 0xf7}},
+    {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
+     {0x5d, 0x15, 0x4a, 0xf2, 0x38, 0xf4, 0x67, 0x13, 0x15, 0x57, 0x19, 0xd5, 0x5e, 0x2f, 0x1f, 0x79, 0x0d, 0xd6, 0x61, 0xf2, 0x79, 0xa7, 0x91, 0x7c},
+     {0xa8, 0x80, 0x8a, 0xc2, 0x67, 0xda, 0xda, 0x3d, 0xcb, 0xe9, 0xa7, 0xc8, 0x46, 0x26, 0xfb, 0xc7, 0x61, 0xc2, 0x94, 0xb0, 0x13, 0x15, 0xe5, 0xc1}},
+    {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0x55}, 5,
+     {0x79, 0x85, 0x62, 0xe0, 0x49, 0x85, 0x2f, 0x57, 0xdc, 0x8c, 0x34, 0x3b, 0xa1, 0x7f, 0x2c, 0xa1, 0xd9, 0x73, 0x94, 0xef, 0xc8, 0xad, 0xc4, 0x43},
+     {0xc8, 0x13, 0xf8, 0x8a, 0x3b, 0xe3, 0xb3, 0x34, 0xf7, 0x54, 0x25, 0xce, 0x91, 0x75, 0xfb, 0xe3, 0xc8, 0x49, 0x3b, 0x89, 0xc8, 0x70, 0x3b, 0x49}},
+    {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
+     {0x26, 0xdc, 0xe3, 0x34, 0xb5, 0x45, 0x29, 0x2f, 0x2f, 0xea, 0xb9, 0xa8, 0x70, 0x1a, 0x89, 0xa4, 0xb9, 0x9e, 0xb9, 0x94, 0x2c, 0xec, 0xd0, 0x16},
+     {0xf4, 0x8f, 0xfd, 0x6e, 0x83, 0xf8, 0x3e, 0x73, 0x54, 0xe6, 0x94, 0xfd, 0x25, 0x2c, 0xf8, 0x3b, 0xfe, 0x58, 0xf7, 0xd5, 0xba, 0x37, 0xec, 0x5d}},
+    {0}
+};
+
+int
+main(int argc, char **argv)
+{
+    struct testcase *t;
+    krb5_context context;
+    krb5_error_code ret;
+    int val = 0;
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    for (t = tests; t->enctype != 0; ++t) {
+	krb5_keyblock key;
+	krb5_keyblock *dkey;
+
+	key.keytype = KEYTYPE_DES3;
+	key.keyvalue.length = MAXSIZE;
+	key.keyvalue.data   = t->key;
+
+	ret = krb5_derive_key(context, &key, t->enctype, t->constant,
+			      t->constant_len, &dkey);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_derive_key");
+	if (memcmp (dkey->keyvalue.data, t->res, dkey->keyvalue.length) != 0) {
+	    const unsigned char *p = dkey->keyvalue.data;
+	    int i;
+
+	    printf ("derive_key failed\n");
+	    printf ("should be: ");
+	    for (i = 0; i < dkey->keyvalue.length; ++i)
+		printf ("%02x", t->res[i]);
+	    printf ("\nresult was: ");
+	    for (i = 0; i < dkey->keyvalue.length; ++i)
+		printf ("%02x", p[i]);
+	    printf ("\n");
+	    val = 1;
+	}
+    }
+    return val;
+}
diff --git a/crypto/heimdal/lib/krb5/dump_config.c b/crypto/heimdal/lib/krb5/dump_config.c
new file mode 100644
index 0000000..074595e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/dump_config.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: dump_config.c,v 1.2 1999/10/28 23:22:41 assar Exp $");
+
+/* print contents of krb5.conf */
+
+static void
+print_tree(struct krb5_config_binding *b, int level)
+{
+    if (b == NULL)
+	return;
+
+    printf("%*s%s%s%s", level * 4, "", 
+	   (level == 0) ? "[" : "", b->name, (level == 0) ? "]" : "");
+    if(b->type == krb5_config_list) {
+	if(level > 0)
+	    printf(" = {");
+	printf("\n");
+	print_tree(b->u.list, level + 1);
+	if(level > 0)
+	    printf("%*s}\n", level * 4, "");
+    } else if(b->type == krb5_config_string) {
+	printf(" = %s\n", b->u.string);
+    }
+    if(b->next)
+	print_tree(b->next, level);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret = krb5_init_context(&context);
+    if(ret == 0) {
+	print_tree(context->cf, 0);
+	return 0;
+    }
+    return 1;
+}
diff --git a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
new file mode 100644
index 0000000..924be7c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: eai_to_heim_errno.c,v 1.3 2001/05/14 22:48:33 assar Exp $");
+
+/*
+ * convert the getaddrinfo error code in `eai_errno' into a
+ * krb5_error_code. `system_error' should have the value of the errno
+ * after the failed call.
+ */
+
+krb5_error_code
+krb5_eai_to_heim_errno(int eai_errno, int system_error)
+{
+    switch(eai_errno) {
+    case EAI_NOERROR:
+	return 0;
+    case EAI_ADDRFAMILY:
+	return HEIM_EAI_ADDRFAMILY;
+    case EAI_AGAIN:
+	return HEIM_EAI_AGAIN;
+    case EAI_BADFLAGS:
+	return HEIM_EAI_BADFLAGS;
+    case EAI_FAIL:
+	return HEIM_EAI_FAIL;
+    case EAI_FAMILY:
+	return HEIM_EAI_FAMILY;
+    case EAI_MEMORY:
+	return HEIM_EAI_MEMORY;
+    case EAI_NODATA:
+	return HEIM_EAI_NODATA;
+    case EAI_NONAME:
+	return HEIM_EAI_NONAME;
+    case EAI_SERVICE:
+	return HEIM_EAI_SERVICE;
+    case EAI_SOCKTYPE:
+	return HEIM_EAI_SOCKTYPE;
+    case EAI_SYSTEM:
+	return system_error;
+    default:
+	return HEIM_EAI_UNKNOWN; /* XXX */
+    }
+}
+
+krb5_error_code
+krb5_h_errno_to_heim_errno(int eai_errno)
+{
+    switch(eai_errno) {
+    case 0:
+	return 0;
+    case HOST_NOT_FOUND:
+	return HEIM_EAI_NONAME;
+    case TRY_AGAIN:
+	return HEIM_EAI_AGAIN;
+    case NO_RECOVERY:
+	return HEIM_EAI_FAIL;
+    case NO_DATA:
+	return HEIM_EAI_NONAME;
+    default:
+	return HEIM_EAI_UNKNOWN; /* XXX */
+    }
+}
diff --git a/crypto/heimdal/lib/krb5/error_string.c b/crypto/heimdal/lib/krb5/error_string.c
new file mode 100644
index 0000000..bf73448
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/error_string.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: error_string.c,v 1.1 2001/05/06 23:07:22 assar Exp $");
+
+#undef __attribute__
+#define __attribute__(X)
+
+void
+krb5_free_error_string(krb5_context context, char *str)
+{
+    if (str != context->error_buf)
+	free(str);
+}
+
+void
+krb5_clear_error_string(krb5_context context)
+{
+    if (context->error_string != NULL
+	&& context->error_string != context->error_buf)
+	free(context->error_string);
+    context->error_string = NULL;
+}
+
+krb5_error_code
+krb5_set_error_string(krb5_context context, const char *fmt, ...)
+    __attribute__((format (printf, 2, 3)))
+{
+    krb5_error_code ret;
+    va_list ap;
+
+    va_start(ap, fmt);
+    ret = krb5_vset_error_string (context, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+krb5_error_code
+krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
+    __attribute__ ((format (printf, 2, 0)))
+{
+    krb5_clear_error_string(context);
+    vasprintf(&context->error_string, fmt, args);
+    if(context->error_string == NULL) {
+	vsnprintf (context->error_buf, sizeof(context->error_buf), fmt, args);
+	context->error_string = context->error_buf;
+    }
+    return 0;
+}
+
+char*
+krb5_get_error_string(krb5_context context)
+{
+    char *ret = context->error_string;
+    context->error_string = NULL;
+    return ret;
+}
+
+krb5_boolean
+krb5_have_error_string(krb5_context context)
+{
+    return context->error_string != NULL;
+}
diff --git a/crypto/heimdal/lib/krb5/expand_hostname.c b/crypto/heimdal/lib/krb5/expand_hostname.c
new file mode 100644
index 0000000..848c8ab
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/expand_hostname.c
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: expand_hostname.c,v 1.10 2001/05/14 06:14:46 assar Exp $");
+
+static krb5_error_code
+copy_hostname(krb5_context context,
+	      const char *orig_hostname,
+	      char **new_hostname)
+{
+    *new_hostname = strdup (orig_hostname);
+    if (*new_hostname == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    strlwr (*new_hostname);
+    return 0;
+}
+
+/*
+ * Try to make `orig_hostname' into a more canonical one in the newly
+ * allocated space returned in `new_hostname'.
+ */
+
+krb5_error_code
+krb5_expand_hostname (krb5_context context,
+		      const char *orig_hostname,
+		      char **new_hostname)
+{
+    struct addrinfo *ai, *a, hints;
+    int error;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags = AI_CANONNAME;
+
+    error = getaddrinfo (orig_hostname, NULL, &hints, &ai);
+    if (error)
+	return copy_hostname (context, orig_hostname, new_hostname);
+    for (a = ai; a != NULL; a = a->ai_next) {
+	if (a->ai_canonname != NULL) {
+	    *new_hostname = strdup (a->ai_canonname);
+	    freeaddrinfo (ai);
+	    if (*new_hostname == NULL) {
+		krb5_set_error_string(context, "malloc: out of memory");
+		return ENOMEM;
+	    } else {
+		return 0;
+	    }
+	}
+    }
+    freeaddrinfo (ai);
+    return copy_hostname (context, orig_hostname, new_hostname);
+}
+
+/*
+ * handle the case of the hostname being unresolvable and thus identical
+ */
+
+static krb5_error_code
+vanilla_hostname (krb5_context context,
+		  const char *orig_hostname,
+		  char **new_hostname,
+		  char ***realms)
+{
+    krb5_error_code ret;
+
+    ret = copy_hostname (context, orig_hostname, new_hostname);
+    if (ret)
+	return ret;
+    strlwr (*new_hostname);
+
+    ret = krb5_get_host_realm (context, *new_hostname, realms);
+    if (ret) {
+	free (*new_hostname);
+	return ret;
+    }
+    return 0;
+}
+
+/*
+ * expand `hostname' to a name we believe to be a hostname in newly
+ * allocated space in `host' and return realms in `realms'.
+ */
+
+krb5_error_code
+krb5_expand_hostname_realms (krb5_context context,
+			     const char *orig_hostname,
+			     char **new_hostname,
+			     char ***realms)
+{
+    struct addrinfo *ai, *a, hints;
+    int error;
+    krb5_error_code ret = 0;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags = AI_CANONNAME;
+
+    error = getaddrinfo (orig_hostname, NULL, &hints, &ai);
+    if (error)
+	return vanilla_hostname (context, orig_hostname, new_hostname,
+				 realms);
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	if (a->ai_canonname != NULL) {
+	    ret = copy_hostname (context, a->ai_canonname, new_hostname);
+	    if (ret) {
+		freeaddrinfo (ai);
+		return ret;
+	    }
+	    strlwr (*new_hostname);
+	    ret = krb5_get_host_realm (context, *new_hostname, realms);
+	    if (ret == 0) {
+		freeaddrinfo (ai);
+		return 0;
+	    }
+	    free (*new_hostname);
+	}
+    }
+    return vanilla_hostname (context, orig_hostname, new_hostname, realms);
+}
diff --git a/crypto/heimdal/lib/krb5/fcache.c b/crypto/heimdal/lib/krb5/fcache.c
new file mode 100644
index 0000000..317f702
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/fcache.c
@@ -0,0 +1,524 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: fcache.c,v 1.33 2001/05/14 06:14:46 assar Exp $");
+
+typedef struct krb5_fcache{
+    char *filename;
+    int version;
+}krb5_fcache;
+
+struct fcc_cursor {
+    int fd;
+    krb5_storage *sp;
+};
+
+#define KRB5_FCC_FVNO_1 1
+#define KRB5_FCC_FVNO_2 2
+#define KRB5_FCC_FVNO_3 3
+#define KRB5_FCC_FVNO_4 4
+
+#define FCC_TAG_DELTATIME 1
+
+#define FCACHE(X) ((krb5_fcache*)(X)->data.data)
+
+#define FILENAME(X) (FCACHE(X)->filename)
+
+#define FCC_CURSOR(C) ((struct fcc_cursor*)(C))
+
+static char*
+fcc_get_name(krb5_context context,
+	     krb5_ccache id)
+{
+    return FILENAME(id);
+}
+
+static krb5_error_code
+fcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
+    krb5_fcache *f;
+    f = malloc(sizeof(*f));
+    if(f == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+    f->filename = strdup(res);
+    if(f->filename == NULL){
+	free(f);
+	krb5_set_error_string(context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+    f->version = 0;
+    (*id)->data.data = f;
+    (*id)->data.length = sizeof(*f);
+    return 0;
+}
+
+/*
+ * Try to scrub the contents of `filename' safely.
+ */
+
+static int
+scrub_file (int fd)
+{
+    off_t pos;
+    char buf[128];
+
+    pos = lseek(fd, 0, SEEK_END);
+    if (pos < 0)
+        return errno;
+    if (lseek(fd, 0, SEEK_SET) < 0)
+        return errno;
+    memset(buf, 0, sizeof(buf));
+    while(pos > 0) {
+        ssize_t tmp = write(fd, buf, min(sizeof(buf), pos));
+
+	if (tmp < 0)
+	    return errno;
+	pos -= tmp;
+    }
+    fsync (fd);
+    return 0;
+}
+
+/*
+ * Erase `filename' if it exists, trying to remove the contents if
+ * it's `safe'.  We always try to remove the file, it it exists.  It's
+ * only overwritten if it's a regular file (not a symlink and not a
+ * hardlink)
+ */
+
+static krb5_error_code
+erase_file(const char *filename)
+{
+    int fd;
+    struct stat sb1, sb2;
+    int ret;
+
+    ret = lstat (filename, &sb1);
+    if (ret < 0)
+	return errno;
+
+    fd = open(filename, O_RDWR | O_BINARY);
+    if(fd < 0) {
+	if(errno == ENOENT)
+	    return 0;
+	else
+	    return errno;
+    }
+    if (unlink(filename) < 0) {
+        close (fd);
+        return errno;
+    }
+
+    ret = fstat (fd, &sb2);
+    if (ret < 0) {
+	close (fd);
+	return errno;
+    }
+
+    /* check if someone was playing with symlinks */
+
+    if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
+	close (fd);
+	return EPERM;
+    }
+
+    /* there are still hard links to this file */
+
+    if (sb2.st_nlink != 0) {
+        close (fd);
+        return 0;
+    }
+
+    ret = scrub_file (fd);
+    close (fd);
+    return ret;
+}
+
+static krb5_error_code
+fcc_gen_new(krb5_context context, krb5_ccache *id)
+{
+    krb5_fcache *f;
+    int fd;
+    char *file;
+
+    f = malloc(sizeof(*f));
+    if(f == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+    asprintf (&file, "%sXXXXXX", KRB5_DEFAULT_CCFILE_ROOT);
+    if(file == NULL) {
+	free(f);
+	krb5_set_error_string(context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+    fd = mkstemp(file);
+    if(fd < 0) {
+	free(f);
+	free(file);
+	krb5_set_error_string(context, "mkstemp %s", file);
+	return errno;
+    }
+    close(fd);
+    f->filename = file;
+    f->version = 0;
+    (*id)->data.data = f;
+    (*id)->data.length = sizeof(*f);
+    return 0;
+}
+
+static void
+storage_set_flags(krb5_context context, krb5_storage *sp, int vno)
+{
+    int flags = 0;
+    switch(vno) {
+    case KRB5_FCC_FVNO_1:
+	flags |= KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS;
+	flags |= KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE;
+	flags |= KRB5_STORAGE_HOST_BYTEORDER;
+	break;
+    case KRB5_FCC_FVNO_2:
+	flags |= KRB5_STORAGE_HOST_BYTEORDER;
+	break;
+    case KRB5_FCC_FVNO_3:
+	flags |= KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE;
+	break;
+    case KRB5_FCC_FVNO_4:
+	break;
+    default:
+	krb5_abortx(context, 
+		    "storage_set_flags called with bad vno (%x)", vno);
+    }
+    krb5_storage_set_flags(sp, flags);
+}
+
+static krb5_error_code
+fcc_initialize(krb5_context context,
+	       krb5_ccache id,
+	       krb5_principal primary_principal)
+{
+    krb5_fcache *f = FCACHE(id);
+    int ret = 0;
+    int fd;
+    char *filename = f->filename;
+
+    unlink (filename);
+  
+    fd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
+    if(fd == -1) {
+	ret = errno;
+	krb5_set_error_string(context, "open(%s): %s", filename,
+			      strerror(ret));
+	return ret;
+    }
+    {
+	krb5_storage *sp;    
+	sp = krb5_storage_from_fd(fd);
+	if(context->fcache_vno != 0)
+	    f->version = context->fcache_vno;
+	else
+	    f->version = KRB5_FCC_FVNO_4;
+	ret |= krb5_store_int8(sp, 5);
+	ret |= krb5_store_int8(sp, f->version);
+	storage_set_flags(context, sp, f->version);
+	if(f->version == KRB5_FCC_FVNO_4 && ret == 0) {
+	    /* V4 stuff */
+	    if (context->kdc_sec_offset) {
+		ret |= krb5_store_int16 (sp, 12); /* length */
+		ret |= krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */
+		ret |= krb5_store_int16 (sp, 8); /* length of data */
+		ret |= krb5_store_int32 (sp, context->kdc_sec_offset);
+		ret |= krb5_store_int32 (sp, context->kdc_usec_offset);
+	    } else {
+		ret |= krb5_store_int16 (sp, 0);
+	    }
+	}
+	ret |= krb5_store_principal(sp, primary_principal);
+	krb5_storage_free(sp);
+    }
+    if(close(fd) < 0)
+	if (ret == 0) {
+	    ret = errno;
+	    krb5_set_error_string (context, "close %s: %s", filename,
+				   strerror(ret));
+	}
+	
+    return ret;
+}
+
+static krb5_error_code
+fcc_close(krb5_context context,
+	  krb5_ccache id)
+{
+    free (FILENAME(id));
+    krb5_data_free(&id->data);
+    return 0;
+}
+
+static krb5_error_code
+fcc_destroy(krb5_context context,
+	    krb5_ccache id)
+{
+    char *f;
+    f = FILENAME(id);
+
+    erase_file(f);
+  
+    return 0;
+}
+
+static krb5_error_code
+fcc_store_cred(krb5_context context,
+	       krb5_ccache id,
+	       krb5_creds *creds)
+{
+    int ret;
+    int fd;
+    char *f;
+
+    f = FILENAME(id);
+
+    fd = open(f, O_WRONLY | O_APPEND | O_BINARY);
+    if(fd < 0) {
+	ret = errno;
+	krb5_set_error_string (context, "open(%s): %s", f, strerror(ret));
+	return ret;
+    }
+    {
+	krb5_storage *sp;
+	sp = krb5_storage_from_fd(fd);
+	storage_set_flags(context, sp, FCACHE(id)->version);
+	ret = krb5_store_creds(sp, creds);
+	krb5_storage_free(sp);
+    }
+    if (close(fd) < 0)
+	if (ret == 0) {
+	    ret = errno;
+	    krb5_set_error_string (context, "close %s: %s", f, strerror(ret));
+	}
+    return ret;
+}
+
+static krb5_error_code
+fcc_read_cred (krb5_context context,
+	       krb5_fcache *fc,
+	       krb5_storage *sp,
+	       krb5_creds *creds)
+{
+    krb5_error_code ret;
+
+    storage_set_flags(context, sp, fc->version);
+    
+    ret = krb5_ret_creds(sp, creds);
+    return ret;
+}
+
+static krb5_error_code
+init_fcc (krb5_context context,
+	  krb5_fcache *fcache,
+	  krb5_storage **ret_sp,
+	  int *ret_fd)
+{
+    int fd;
+    int8_t pvno, tag;
+    krb5_storage *sp;
+    krb5_error_code ret;
+
+    fd = open(fcache->filename, O_RDONLY | O_BINARY);
+    if(fd < 0) {
+	ret = errno;
+	krb5_set_error_string(context, "open(%s): %s", fcache->filename,
+			      strerror(ret));
+	return ret;
+    }
+    sp = krb5_storage_from_fd(fd);
+    ret = krb5_ret_int8(sp, &pvno);
+    if(ret == KRB5_CC_END) {
+
+	return ENOENT;
+    }
+    if(ret)
+	return ret;
+    if(pvno != 5) {
+	krb5_storage_free(sp);
+	close(fd);
+	return KRB5_CCACHE_BADVNO;
+    }
+    krb5_ret_int8(sp, &tag); /* should not be host byte order */
+    fcache->version = tag;
+    storage_set_flags(context, sp, fcache->version);
+    switch (tag) {
+    case KRB5_FCC_FVNO_4: {
+	int16_t length;
+
+	krb5_ret_int16 (sp, &length);
+	while(length > 0) {
+	    int16_t tag, data_len;
+	    int i;
+	    int8_t dummy;
+
+	    krb5_ret_int16 (sp, &tag);
+	    krb5_ret_int16 (sp, &data_len);
+	    switch (tag) {
+	    case FCC_TAG_DELTATIME :
+		krb5_ret_int32 (sp, &context->kdc_sec_offset);
+		krb5_ret_int32 (sp, &context->kdc_usec_offset);
+		break;
+	    default :
+		for (i = 0; i < data_len; ++i)
+		    krb5_ret_int8 (sp, &dummy);
+		break;
+	    }
+	    length -= 4 + data_len;
+	}
+	break;
+    }
+    case KRB5_FCC_FVNO_3:
+    case KRB5_FCC_FVNO_2:
+    case KRB5_FCC_FVNO_1:
+	break;
+    default :
+	krb5_storage_free (sp);
+	close (fd);
+	return KRB5_CCACHE_BADVNO;
+    }
+    *ret_sp = sp;
+    *ret_fd = fd;
+    return 0;
+}
+
+static krb5_error_code
+fcc_get_principal(krb5_context context,
+		  krb5_ccache id,
+		  krb5_principal *principal)
+{
+    krb5_error_code ret;
+    krb5_fcache *f = FCACHE(id);
+    int fd;
+    krb5_storage *sp;
+
+    ret = init_fcc (context, f, &sp, &fd);
+    if (ret)
+	return ret;
+    ret = krb5_ret_principal(sp, principal);
+    krb5_storage_free(sp);
+    close(fd);
+    return ret;
+}
+
+static krb5_error_code
+fcc_get_first (krb5_context context,
+	       krb5_ccache id,
+	       krb5_cc_cursor *cursor)
+{
+    krb5_error_code ret;
+    krb5_principal principal;
+    krb5_fcache *f = FCACHE(id);
+
+    *cursor = malloc(sizeof(struct fcc_cursor));
+
+    ret = init_fcc (context, f, &FCC_CURSOR(*cursor)->sp, 
+		    &FCC_CURSOR(*cursor)->fd);
+    if (ret)
+	return ret;
+    krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal);
+    krb5_free_principal (context, principal);
+    return 0;
+}
+
+static krb5_error_code
+fcc_get_next (krb5_context context,
+	      krb5_ccache id,
+	      krb5_cc_cursor *cursor,
+	      krb5_creds *creds)
+{
+    return fcc_read_cred (context, FCACHE(id), FCC_CURSOR(*cursor)->sp, creds);
+}
+
+static krb5_error_code
+fcc_end_get (krb5_context context,
+	     krb5_ccache id,
+	     krb5_cc_cursor *cursor)
+{
+    krb5_storage_free(FCC_CURSOR(*cursor)->sp);
+    close (FCC_CURSOR(*cursor)->fd);
+    free(*cursor);
+    return 0;
+}
+
+static krb5_error_code
+fcc_remove_cred(krb5_context context,
+		 krb5_ccache id,
+		 krb5_flags which,
+		 krb5_creds *cred)
+{
+    return 0; /* XXX */
+}
+
+static krb5_error_code
+fcc_set_flags(krb5_context context,
+	      krb5_ccache id,
+	      krb5_flags flags)
+{
+    return 0; /* XXX */
+}
+
+static krb5_error_code
+fcc_get_version(krb5_context context,
+		krb5_ccache id)
+{
+    return FCACHE(id)->version;
+}
+		    
+const krb5_cc_ops krb5_fcc_ops = {
+    "FILE",
+    fcc_get_name,
+    fcc_resolve,
+    fcc_gen_new,
+    fcc_initialize,
+    fcc_destroy,
+    fcc_close,
+    fcc_store_cred,
+    NULL, /* fcc_retrieve */
+    fcc_get_principal,
+    fcc_get_first,
+    fcc_get_next,
+    fcc_end_get,
+    fcc_remove_cred,
+    fcc_set_flags,
+    fcc_get_version
+};
diff --git a/crypto/heimdal/lib/krb5/free.c b/crypto/heimdal/lib/krb5/free.c
new file mode 100644
index 0000000..251ec32
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/free.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: free.c,v 1.5 1999/12/02 17:05:09 joda Exp $");
+
+krb5_error_code
+krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep)
+{
+    free_KDC_REP(&rep->kdc_rep);
+    free_EncTGSRepPart(&rep->enc_part);
+    free_KRB_ERROR(&rep->error);
+    return 0;
+}
+
+krb5_error_code
+krb5_xfree (void *ptr)
+{
+    free (ptr);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/free_host_realm.c b/crypto/heimdal/lib/krb5/free_host_realm.c
new file mode 100644
index 0000000..a69f29b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/free_host_realm.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: free_host_realm.c,v 1.4 1999/12/02 17:05:09 joda Exp $");
+
+/*
+ * Free all memory allocated by `realmlist'
+ */
+
+krb5_error_code
+krb5_free_host_realm(krb5_context context,
+		     krb5_realm *realmlist)
+{
+    krb5_realm *p;
+
+    if(realmlist == NULL)
+	return 0;
+    for (p = realmlist; *p; ++p)
+	free (*p);
+    free (realmlist);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/generate_seq_number.c b/crypto/heimdal/lib/krb5/generate_seq_number.c
new file mode 100644
index 0000000..795c3f3
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/generate_seq_number.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: generate_seq_number.c,v 1.8 2001/05/08 14:05:37 assar Exp $");
+
+krb5_error_code
+krb5_generate_seq_number(krb5_context context,
+			 const krb5_keyblock *key,
+			 u_int32_t *seqno)
+{
+    krb5_error_code ret;
+    krb5_keyblock *subkey;
+    u_int32_t q;
+    u_char *p;
+    int i;
+
+    ret = krb5_generate_subkey (context, key, &subkey);
+    if (ret)
+	return ret;
+
+    q = 0;
+    for (p = (u_char *)subkey->keyvalue.data, i = 0;
+	 i < subkey->keyvalue.length;
+	 ++i, ++p)
+	q = (q << 8) | *p;
+    q &= 0xffffffff;
+    *seqno = q;
+    krb5_free_keyblock (context, subkey);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/generate_subkey.c b/crypto/heimdal/lib/krb5/generate_subkey.c
new file mode 100644
index 0000000..3fb22f9
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/generate_subkey.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: generate_subkey.c,v 1.8 2001/05/14 06:14:46 assar Exp $");
+
+krb5_error_code
+krb5_generate_subkey(krb5_context context,
+		     const krb5_keyblock *key,
+		     krb5_keyblock **subkey)
+{
+    krb5_error_code ret;
+
+    ALLOC(*subkey, 1);
+    if (*subkey == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    ret = krb5_generate_random_keyblock(context, key->keytype, *subkey);
+    if(ret)
+	free(*subkey);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/get_addrs.c b/crypto/heimdal/lib/krb5/get_addrs.c
new file mode 100644
index 0000000..c05569f
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_addrs.c
@@ -0,0 +1,254 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_addrs.c,v 1.41 2001/05/14 06:14:46 assar Exp $");
+
+#ifdef __osf__
+/* hate */
+struct rtentry;
+struct mbuf;
+#endif
+#ifdef HAVE_NET_IF_H
+#include <net/if.h>
+#endif
+#include <ifaddrs.h>
+
+static krb5_error_code
+gethostname_fallback (krb5_context context, krb5_addresses *res)
+{
+    krb5_error_code ret;
+    char hostname[MAXHOSTNAMELEN];
+    struct hostent *hostent;
+
+    if (gethostname (hostname, sizeof(hostname))) {
+	ret = errno;
+	krb5_set_error_string (context, "gethostname: %s", strerror(ret));
+	return ret;
+    }
+    hostent = roken_gethostbyname (hostname);
+    if (hostent == NULL) {
+	ret = errno;
+	krb5_set_error_string (context, "gethostbyname %s: %s",
+			       hostname, strerror(ret));
+	return ret;
+    }
+    res->len = 1;
+    res->val = malloc (sizeof(*res->val));
+    if (res->val == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    res->val[0].addr_type = hostent->h_addrtype;
+    res->val[0].address.data = NULL;
+    res->val[0].address.length = 0;
+    ret = krb5_data_copy (&res->val[0].address,
+			  hostent->h_addr,
+			  hostent->h_length);
+    if (ret) {
+	free (res->val);
+	return ret;
+    }
+    return 0;
+}
+
+enum {
+    LOOP            = 1,	/* do include loopback interfaces */
+    LOOP_IF_NONE    = 2,	/* include loopback if no other if's */
+    EXTRA_ADDRESSES = 4,	/* include extra addresses */
+    SCAN_INTERFACES = 8		/* scan interfaces for addresses */
+};
+
+/*
+ * Try to figure out the addresses of all configured interfaces with a
+ * lot of magic ioctls.
+ */
+
+static krb5_error_code
+find_all_addresses (krb5_context context, krb5_addresses *res, int flags)
+{
+    struct sockaddr sa_zero;
+    struct ifaddrs *ifa0, *ifa;
+    krb5_error_code ret = ENXIO; 
+    int num, idx;
+
+    res->val = NULL;
+
+    if (getifaddrs(&ifa0) == -1) {
+	ret = errno;
+	krb5_set_error_string(context, "getifaddrs: %s", strerror(ret));
+	return (ret);
+    }
+
+    memset(&sa_zero, 0, sizeof(sa_zero));
+
+    /* First, count all the ifaddrs. */
+    for (ifa = ifa0, num = 0; ifa != NULL; ifa = ifa->ifa_next, num++)
+	/* nothing */;
+
+    if (num == 0) {
+	freeifaddrs(ifa0);
+	krb5_set_error_string(context, "no addresses found");
+	return (ENXIO);
+    }
+
+    /* Allocate storage for them. */
+    res->val = calloc(num, sizeof(*res->val));
+    if (res->val == NULL) {
+	freeifaddrs(ifa0);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return (ENOMEM);
+    }
+
+    /* Now traverse the list. */
+    for (ifa = ifa0, idx = 0; ifa != NULL; ifa = ifa->ifa_next) {
+	if ((ifa->ifa_flags & IFF_UP) == 0)
+	    continue;
+	if (memcmp(ifa->ifa_addr, &sa_zero, sizeof(sa_zero)) == 0)
+	    continue;
+	if (krb5_sockaddr_uninteresting(ifa->ifa_addr))
+	    continue;
+
+	if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
+	    /* We'll deal with the LOOP_IF_NONE case later. */
+	    if ((flags & LOOP) == 0)
+		continue;
+	}
+
+	ret = krb5_sockaddr2address(context, ifa->ifa_addr, &res->val[idx]);
+	if (ret) {
+	    /*
+	     * The most likely error here is going to be "Program
+	     * lacks support for address type".  This is no big
+	     * deal -- just continue, and we'll listen on the
+	     * addresses who's type we *do* support.
+	     */
+	    continue;
+	}
+	idx++;
+    }
+
+    /*
+     * If no addresses were found, and LOOP_IF_NONE is set, then find
+     * the loopback addresses and add them to our list.
+     */
+    if ((flags & LOOP_IF_NONE) != 0 && idx == 0) {
+	for (ifa = ifa0; ifa != NULL; ifa = ifa->ifa_next) {
+	    if ((ifa->ifa_flags & IFF_UP) == 0)
+		continue;
+	    if (memcmp(ifa->ifa_addr, &sa_zero, sizeof(sa_zero)) == 0)
+		continue;
+	    if (krb5_sockaddr_uninteresting(ifa->ifa_addr))
+		continue;
+
+	    if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
+		ret = krb5_sockaddr2address(context,
+					    ifa->ifa_addr, &res->val[idx]);
+		if (ret) {
+		    /*
+		     * See comment above.
+		     */
+		    continue;
+		}
+		idx++;
+	    }
+	}
+    }
+
+    freeifaddrs(ifa0);
+    if (ret)
+	free(res->val);
+    else
+	res->len = idx;        /* Now a count. */
+    return (ret);
+}
+
+static krb5_error_code
+get_addrs_int (krb5_context context, krb5_addresses *res, int flags)
+{
+    krb5_error_code ret = -1;
+
+    if (flags & SCAN_INTERFACES) {
+	ret = find_all_addresses (context, res, flags);
+	if(ret || res->len == 0)
+	    ret = gethostname_fallback (context, res);
+    } else
+	ret = 0;
+
+    if(ret == 0 && (flags & EXTRA_ADDRESSES)) {
+	/* append user specified addresses */
+	krb5_addresses a;
+	ret = krb5_get_extra_addresses(context, &a);
+	if(ret) {
+	    krb5_free_addresses(context, res);
+	    return ret;
+	}
+	ret = krb5_append_addresses(context, res, &a);
+	if(ret) {
+	    krb5_free_addresses(context, res);
+	    return ret;
+	}
+	krb5_free_addresses(context, &a);
+    }
+    return ret;
+}
+
+/*
+ * Try to get all addresses, but return the one corresponding to
+ * `hostname' if we fail.
+ *
+ * Only include loopback address if there are no other.
+ */
+
+krb5_error_code
+krb5_get_all_client_addrs (krb5_context context, krb5_addresses *res)
+{
+    int flags = LOOP_IF_NONE | EXTRA_ADDRESSES;
+
+    if (context->scan_interfaces)
+	flags |= SCAN_INTERFACES;
+
+    return get_addrs_int (context, res, flags);
+}
+
+/*
+ * Try to get all local addresses that a server should listen to.
+ * If that fails, we return the address corresponding to `hostname'.
+ */
+
+krb5_error_code
+krb5_get_all_server_addrs (krb5_context context, krb5_addresses *res)
+{
+    return get_addrs_int (context, res, LOOP | SCAN_INTERFACES);
+}
diff --git a/crypto/heimdal/lib/krb5/get_cred.c b/crypto/heimdal/lib/krb5/get_cred.c
new file mode 100644
index 0000000..2af940c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_cred.c
@@ -0,0 +1,871 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: get_cred.c,v 1.85 2001/05/14 06:14:46 assar Exp $");
+
+/*
+ * Take the `body' and encode it into `padata' using the credentials
+ * in `creds'.
+ */
+
+static krb5_error_code
+make_pa_tgs_req(krb5_context context, 
+		krb5_auth_context ac,
+		KDC_REQ_BODY *body,
+		PA_DATA *padata,
+		krb5_creds *creds,
+		krb5_key_usage usage)
+{
+    u_char *buf;
+    size_t buf_size;
+    size_t len;
+    krb5_data in_data;
+    krb5_error_code ret;
+
+    buf_size = 1024;
+    buf = malloc (buf_size);
+    if (buf == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    do {
+	ret = encode_KDC_REQ_BODY(buf + buf_size - 1, buf_size,
+				  body, &len);
+	if (ret){
+	    if (ret == ASN1_OVERFLOW) {
+		u_char *tmp;
+
+		buf_size *= 2;
+		tmp = realloc (buf, buf_size);
+		if (tmp == NULL) {
+		    krb5_set_error_string(context, "malloc: out of memory");
+		    ret = ENOMEM;
+		    goto out;
+		}
+		buf = tmp;
+	    } else {
+		goto out;
+	    }
+	}
+    } while (ret == ASN1_OVERFLOW);
+
+    in_data.length = len;
+    in_data.data   = buf + buf_size - len;
+    ret = krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
+			       &padata->padata_value,
+			       KRB5_KU_TGS_REQ_AUTH_CKSUM,
+			       usage
+			       /* KRB5_KU_TGS_REQ_AUTH */);
+out:
+    free (buf);
+    if(ret)
+	return ret;
+    padata->padata_type = KRB5_PADATA_TGS_REQ;
+    return 0;
+}
+
+/*
+ * Set the `enc-authorization-data' in `req_body' based on `authdata'
+ */
+
+static krb5_error_code
+set_auth_data (krb5_context context,
+	       KDC_REQ_BODY *req_body,
+	       krb5_authdata *authdata,
+	       krb5_keyblock *key)
+{
+    if(authdata->len) {
+	size_t len;
+	unsigned char *buf;
+	krb5_crypto crypto;
+	krb5_error_code ret;
+
+	len = length_AuthorizationData(authdata);
+	buf = malloc(len);
+	if (buf == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	ret = encode_AuthorizationData(buf + len - 1,
+				       len, authdata, &len);
+	if (ret) {
+	    free (buf);
+	    return ret;
+	}
+
+	ALLOC(req_body->enc_authorization_data, 1);
+	if (req_body->enc_authorization_data == NULL) {
+	    free (buf);
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	ret = krb5_crypto_init(context, key, 0, &crypto);
+	if (ret) {
+	    free (buf);
+	    free (req_body->enc_authorization_data);
+	    return ret;
+	}
+	krb5_encrypt_EncryptedData(context, 
+				   crypto,
+				   KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY, 
+				   /* KRB5_KU_TGS_REQ_AUTH_DAT_SESSION? */
+				   buf,
+				   len,
+				   0,
+				   req_body->enc_authorization_data);
+	free (buf);
+	krb5_crypto_destroy(context, crypto);
+    } else {
+	req_body->enc_authorization_data = NULL;
+    }
+    return 0;
+}    
+
+/*
+ * Create a tgs-req in `t' with `addresses', `flags', `second_ticket'
+ * (if not-NULL), `in_creds', `krbtgt', and returning the generated
+ * subkey in `subkey'.
+ */
+
+static krb5_error_code
+init_tgs_req (krb5_context context,
+	      krb5_ccache ccache,
+	      krb5_addresses *addresses,
+	      krb5_kdc_flags flags,
+	      Ticket *second_ticket,
+	      krb5_creds *in_creds,
+	      krb5_creds *krbtgt,
+	      unsigned nonce,
+	      krb5_keyblock **subkey,
+	      TGS_REQ *t,
+	      krb5_key_usage usage)
+{
+    krb5_error_code ret;
+
+    memset(t, 0, sizeof(*t));
+    t->pvno = 5;
+    t->msg_type = krb_tgs_req;
+    if (in_creds->session.keytype) {
+	ret = krb5_keytype_to_enctypes_default (context,
+						in_creds->session.keytype,
+						&t->req_body.etype.len,
+						&t->req_body.etype.val);
+    } else {
+	ret = krb5_init_etype(context, 
+			      &t->req_body.etype.len, 
+			      &t->req_body.etype.val, 
+			      NULL);
+    }
+    if (ret)
+	goto fail;
+    t->req_body.addresses = addresses;
+    t->req_body.kdc_options = flags.b;
+    ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
+    if (ret)
+	goto fail;
+    ALLOC(t->req_body.sname, 1);
+    if (t->req_body.sname == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto fail;
+    }
+
+    /* some versions of some code might require that the client be
+       present in TGS-REQs, but this is clearly against the spec */
+
+    ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname);
+    if (ret)
+	goto fail;
+
+    /* req_body.till should be NULL if there is no endtime specified,
+       but old MIT code (like DCE secd) doesn't like that */
+    ALLOC(t->req_body.till, 1);
+    if(t->req_body.till == NULL){
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto fail;
+    }
+    *t->req_body.till = in_creds->times.endtime;
+    
+    t->req_body.nonce = nonce;
+    if(second_ticket){
+	ALLOC(t->req_body.additional_tickets, 1);
+	if (t->req_body.additional_tickets == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    goto fail;
+	}
+	ALLOC_SEQ(t->req_body.additional_tickets, 1);
+	if (t->req_body.additional_tickets->val == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    goto fail;
+	}
+	ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val); 
+	if (ret)
+	    goto fail;
+    }
+    ALLOC(t->padata, 1);
+    if (t->padata == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto fail;
+    }
+    ALLOC_SEQ(t->padata, 1);
+    if (t->padata->val == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto fail;
+    }
+
+    {
+	krb5_auth_context ac;
+	krb5_keyblock *key;
+
+	ret = krb5_auth_con_init(context, &ac);
+	if(ret)
+	    goto fail;
+	ret = krb5_generate_subkey (context, &krbtgt->session, &key);
+	if (ret) {
+	    krb5_auth_con_free (context, ac);
+	    goto fail;
+	}
+	ret = krb5_auth_con_setlocalsubkey(context, ac, key);
+	if (ret) {
+	    krb5_free_keyblock (context, key);
+	    krb5_auth_con_free (context, ac);
+	    goto fail;
+	}
+
+	ret = set_auth_data (context, &t->req_body, &in_creds->authdata, key);
+	if (ret) {
+	    krb5_free_keyblock (context, key);
+	    krb5_auth_con_free (context, ac);
+	    goto fail;
+	}
+
+	ret = make_pa_tgs_req(context,
+			      ac,
+			      &t->req_body, 
+			      t->padata->val,
+			      krbtgt,
+			      usage);
+	if(ret) {
+	    krb5_free_keyblock (context, key);
+	    krb5_auth_con_free(context, ac);
+	    goto fail;
+	}
+	*subkey = key;
+	
+	krb5_auth_con_free(context, ac);
+    }
+fail:
+    if (ret)
+	/* XXX - don't free addresses? */
+	free_TGS_REQ (t);
+    return ret;
+}
+
+static krb5_error_code
+get_krbtgt(krb5_context context,
+	   krb5_ccache  id,
+	   krb5_realm realm,
+	   krb5_creds **cred)
+{
+    krb5_error_code ret;
+    krb5_creds tmp_cred;
+
+    memset(&tmp_cred, 0, sizeof(tmp_cred));
+
+    ret = krb5_make_principal(context, 
+			      &tmp_cred.server,
+			      realm,
+			      KRB5_TGS_NAME,
+			      realm,
+			      NULL);
+    if(ret)
+	return ret;
+    ret = krb5_get_credentials(context,
+			       KRB5_GC_CACHED,
+			       id,
+			       &tmp_cred,
+			       cred);
+    krb5_free_principal(context, tmp_cred.server);
+    if(ret)
+	return ret;
+    return 0;
+}
+
+/* DCE compatible decrypt proc */
+static krb5_error_code
+decrypt_tkt_with_subkey (krb5_context context,
+			 krb5_keyblock *key,
+			 krb5_key_usage usage,
+			 krb5_const_pointer subkey,
+			 krb5_kdc_rep *dec_rep)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    size_t size;
+    krb5_crypto crypto;
+    
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      usage,
+				      &dec_rep->kdc_rep.enc_part,
+				      &data);
+    krb5_crypto_destroy(context, crypto);
+    if(ret && subkey){
+	/* DCE compat -- try to decrypt with subkey */
+	ret = krb5_crypto_init(context, (krb5_keyblock*)subkey, 0, &crypto);
+	if (ret)
+	    return ret;
+	ret = krb5_decrypt_EncryptedData (context,
+					  crypto,
+					  KRB5_KU_TGS_REP_ENC_PART_SUB_KEY,
+					  &dec_rep->kdc_rep.enc_part,
+					  &data);
+	krb5_crypto_destroy(context, crypto);
+    }
+    if (ret)
+	return ret;
+    
+    ret = krb5_decode_EncASRepPart(context,
+				   data.data,
+				   data.length,
+				   &dec_rep->enc_part, 
+				   &size);
+    if (ret)
+	ret = krb5_decode_EncTGSRepPart(context,
+					data.data,
+					data.length,
+					&dec_rep->enc_part, 
+					&size);
+    krb5_data_free (&data);
+    return ret;
+}
+
+static krb5_error_code
+get_cred_kdc_usage(krb5_context context, 
+		   krb5_ccache id, 
+		   krb5_kdc_flags flags,
+		   krb5_addresses *addresses, 
+		   krb5_creds *in_creds, 
+		   krb5_creds *krbtgt,
+		   krb5_creds *out_creds,
+		   krb5_key_usage usage)
+{
+    TGS_REQ req;
+    krb5_data enc;
+    krb5_data resp;
+    krb5_kdc_rep rep;
+    KRB_ERROR error;
+    krb5_error_code ret;
+    unsigned nonce;
+    krb5_keyblock *subkey = NULL;
+    u_char *buf = NULL;
+    size_t buf_size;
+    size_t len;
+    Ticket second_ticket;
+    
+    krb5_generate_random_block(&nonce, sizeof(nonce));
+    nonce &= 0xffffffff;
+    
+    if(flags.b.enc_tkt_in_skey){
+	ret = decode_Ticket(in_creds->second_ticket.data, 
+			    in_creds->second_ticket.length, 
+			    &second_ticket, &len);
+	if(ret)
+	    return ret;
+    }
+
+    ret = init_tgs_req (context,
+			id,
+			addresses,
+			flags,
+			flags.b.enc_tkt_in_skey ? &second_ticket : NULL,
+			in_creds,
+			krbtgt,
+			nonce,
+			&subkey, 
+			&req,
+			usage);
+    if(flags.b.enc_tkt_in_skey)
+	free_Ticket(&second_ticket);
+    if (ret)
+	goto out;
+
+    buf_size = 1024;
+    buf = malloc (buf_size);
+    if (buf == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+
+    do {
+	ret = encode_TGS_REQ  (buf + buf_size - 1, buf_size,
+			       &req, &enc.length);
+	if (ret) {
+	    if (ret == ASN1_OVERFLOW) {
+		u_char *tmp;
+
+		buf_size *= 2;
+		tmp = realloc (buf, buf_size);
+		if (tmp == NULL) {
+		    krb5_set_error_string(context, "malloc: out of memory");
+		    ret = ENOMEM;
+		    goto out;
+		}
+		buf = tmp;
+	    } else {
+		goto out;
+	    }
+	}
+    } while (ret == ASN1_OVERFLOW);
+
+    /* don't free addresses */
+    req.req_body.addresses = NULL;
+    free_TGS_REQ(&req);
+
+    enc.data = buf + buf_size - enc.length;
+    if (ret)
+	goto out;
+    
+    /*
+     * Send and receive
+     */
+
+    ret = krb5_sendto_kdc (context, &enc, 
+			   &krbtgt->server->name.name_string.val[1], &resp);
+    if(ret)
+	goto out;
+
+    memset(&rep, 0, sizeof(rep));
+    if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0){
+	ret = krb5_copy_principal(context, 
+				  in_creds->client, 
+				  &out_creds->client);
+	if(ret)
+	    goto out;
+	ret = krb5_copy_principal(context, 
+				  in_creds->server, 
+				  &out_creds->server);
+	if(ret)
+	    goto out;
+	/* this should go someplace else */
+	out_creds->times.endtime = in_creds->times.endtime;
+
+	ret = _krb5_extract_ticket(context,
+				   &rep,
+				   out_creds,
+				   &krbtgt->session,
+				   NULL,
+				   KRB5_KU_TGS_REP_ENC_PART_SESSION,
+				   &krbtgt->addresses,
+				   nonce,
+				   TRUE,
+				   flags.b.request_anonymous,
+				   decrypt_tkt_with_subkey,
+				   subkey);
+	krb5_free_kdc_rep(context, &rep);
+	if (ret)
+	    goto out;
+    } else if(krb5_rd_error(context, &resp, &error) == 0) {
+	ret = krb5_error_from_rd_error(context, &error, in_creds);
+	krb5_free_error_contents(context, &error);
+    } else if(resp.data && ((char*)resp.data)[0] == 4) {
+	ret = KRB5KRB_AP_ERR_V4_REPLY;
+	krb5_clear_error_string(context);
+    } else {
+	ret = KRB5KRB_AP_ERR_MSG_TYPE;
+	krb5_clear_error_string(context);
+    }
+    krb5_data_free(&resp);
+out:
+    if(subkey){
+	krb5_free_keyblock_contents(context, subkey);
+	free(subkey);
+    }
+    if (buf)
+	free (buf);
+    return ret;
+    
+}
+
+static krb5_error_code
+get_cred_kdc(krb5_context context, 
+	     krb5_ccache id, 
+	     krb5_kdc_flags flags,
+	     krb5_addresses *addresses, 
+	     krb5_creds *in_creds, 
+	     krb5_creds *krbtgt,
+	     krb5_creds *out_creds)
+{
+    krb5_error_code ret;
+
+    ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds,
+			     krbtgt, out_creds, KRB5_KU_TGS_REQ_AUTH);
+    if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+	krb5_clear_error_string (context);
+	ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds,
+				 krbtgt, out_creds, KRB5_KU_AP_REQ_AUTH);
+    }
+    return ret;
+}
+
+/* same as above, just get local addresses first */
+
+static krb5_error_code
+get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, 
+		krb5_creds *in_creds, krb5_creds *krbtgt, 
+		krb5_creds *out_creds)
+{
+    krb5_error_code ret;
+    krb5_addresses addresses;
+    
+    krb5_get_all_client_addrs(context, &addresses);
+    ret = get_cred_kdc(context, id, flags, &addresses, 
+		       in_creds, krbtgt, out_creds);
+    krb5_free_addresses(context, &addresses);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_kdc_cred(krb5_context context,
+		  krb5_ccache id,
+		  krb5_kdc_flags flags,
+		  krb5_addresses *addresses,
+		  Ticket  *second_ticket,
+		  krb5_creds *in_creds,
+		  krb5_creds **out_creds
+		  )
+{
+    krb5_error_code ret;
+    krb5_creds *krbtgt;
+
+    *out_creds = calloc(1, sizeof(**out_creds));
+    if(*out_creds == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    ret = get_krbtgt (context,
+		      id,
+		      in_creds->server->realm,
+		      &krbtgt);
+    if(ret) {
+	free(*out_creds);
+	return ret;
+    }
+    ret = get_cred_kdc(context, id, flags, addresses, 
+		       in_creds, krbtgt, *out_creds);
+    krb5_free_creds (context, krbtgt);
+    if(ret)
+	free(*out_creds);
+    return ret;
+}
+
+
+static krb5_error_code
+find_cred(krb5_context context,
+	  krb5_ccache id,
+	  krb5_principal server,
+	  krb5_creds **tgts,
+	  krb5_creds *out_creds)
+{
+    krb5_error_code ret;
+    krb5_creds mcreds;
+    mcreds.server = server;
+    ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM, 
+				&mcreds, out_creds);
+    if(ret == 0)
+	return 0;
+    while(tgts && *tgts){
+	if(krb5_compare_creds(context, KRB5_TC_DONT_MATCH_REALM, 
+			      &mcreds, *tgts)){
+	    ret = krb5_copy_creds_contents(context, *tgts, out_creds);
+	    return ret;
+	}
+	tgts++;
+    }
+    krb5_clear_error_string(context);
+    return KRB5_CC_NOTFOUND;
+}
+
+static krb5_error_code
+add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
+{
+    int i;
+    krb5_error_code ret;
+    krb5_creds **tmp = *tgts;
+
+    for(i = 0; tmp && tmp[i]; i++); /* XXX */
+    tmp = realloc(tmp, (i+2)*sizeof(*tmp));
+    if(tmp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    *tgts = tmp;
+    ret = krb5_copy_creds(context, tkt, &tmp[i]);
+    tmp[i+1] = NULL;
+    return ret;
+}
+
+/*
+get_cred(server)
+	creds = cc_get_cred(server)
+	if(creds) return creds
+	tgt = cc_get_cred(krbtgt/server_realm@any_realm)
+	if(tgt)
+		return get_cred_tgt(server, tgt)
+	if(client_realm == server_realm)
+		return NULL
+	tgt = get_cred(krbtgt/server_realm@client_realm)
+	while(tgt_inst != server_realm)
+		tgt = get_cred(krbtgt/server_realm@tgt_inst)
+	return get_cred_tgt(server, tgt)
+	*/
+
+static krb5_error_code
+get_cred_from_kdc_flags(krb5_context context,
+			krb5_kdc_flags flags,
+			krb5_ccache ccache,
+			krb5_creds *in_creds,
+			krb5_creds **out_creds,
+			krb5_creds ***ret_tgts)
+{
+    krb5_error_code ret;
+    krb5_creds *tgt, tmp_creds;
+    krb5_const_realm client_realm, server_realm, try_realm;
+
+    *out_creds = NULL;
+
+    client_realm = *krb5_princ_realm(context, in_creds->client);
+    server_realm = *krb5_princ_realm(context, in_creds->server);
+    memset(&tmp_creds, 0, sizeof(tmp_creds));
+    ret = krb5_copy_principal(context, in_creds->client, &tmp_creds.client);
+    if(ret)
+	return ret;
+
+    try_realm = krb5_config_get_string(context, NULL, "libdefaults",
+				       "capath", server_realm, NULL);
+    if (try_realm == NULL)
+	try_realm = client_realm;
+
+    ret = krb5_make_principal(context,
+			      &tmp_creds.server,
+			      try_realm,
+			      KRB5_TGS_NAME,
+			      server_realm,
+			      NULL);
+    if(ret){
+	krb5_free_principal(context, tmp_creds.client);
+	return ret;
+    }
+    {
+	krb5_creds tgts;
+	/* XXX try krb5_cc_retrieve_cred first? */
+	ret = find_cred(context, ccache, tmp_creds.server, 
+			*ret_tgts, &tgts);
+	if(ret == 0){
+	    *out_creds = calloc(1, sizeof(**out_creds));
+	    if(*out_creds == NULL) {
+		krb5_set_error_string(context, "malloc: out of memory");
+		ret = ENOMEM;
+	    } else {
+		ret = get_cred_kdc_la(context, ccache, flags, 
+				      in_creds, &tgts, *out_creds);
+		if (ret) {
+		    free (*out_creds);
+		    *out_creds = NULL;
+		}
+	    }
+	    krb5_free_creds_contents(context, &tgts);
+	    krb5_free_principal(context, tmp_creds.server);
+	    krb5_free_principal(context, tmp_creds.client);
+	    return ret;
+	}
+    }
+    if(krb5_realm_compare(context, in_creds->client, in_creds->server)) {
+	krb5_clear_error_string (context);
+	return KRB5_CC_NOTFOUND;
+    }
+    /* XXX this can loop forever */
+    while(1){
+	general_string tgt_inst;
+
+	ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds, 
+				      &tgt, ret_tgts);
+	if(ret) {
+	    krb5_free_principal(context, tmp_creds.server);
+	    krb5_free_principal(context, tmp_creds.client);
+	    return ret;
+	}
+	ret = add_cred(context, ret_tgts, tgt);
+	if(ret) {
+	    krb5_free_principal(context, tmp_creds.server);
+	    krb5_free_principal(context, tmp_creds.client);
+	    return ret;
+	}
+	tgt_inst = tgt->server->name.name_string.val[1];
+	if(strcmp(tgt_inst, server_realm) == 0)
+	    break;
+	krb5_free_principal(context, tmp_creds.server);
+	ret = krb5_make_principal(context, &tmp_creds.server, 
+				  tgt_inst, KRB5_TGS_NAME, server_realm, NULL);
+	if(ret) {
+	    krb5_free_principal(context, tmp_creds.server);
+	    krb5_free_principal(context, tmp_creds.client);
+	    return ret;
+	}
+	ret = krb5_free_creds(context, tgt);
+	if(ret) {
+	    krb5_free_principal(context, tmp_creds.server);
+	    krb5_free_principal(context, tmp_creds.client);
+	    return ret;
+	}
+    }
+	
+    krb5_free_principal(context, tmp_creds.server);
+    krb5_free_principal(context, tmp_creds.client);
+    *out_creds = calloc(1, sizeof(**out_creds));
+    if(*out_creds == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	ret = ENOMEM;
+    } else {
+	ret = get_cred_kdc_la(context, ccache, flags, 
+				      in_creds, tgt, *out_creds);
+	if (ret) {
+	    free (*out_creds);
+	    *out_creds = NULL;
+	}
+    }
+    krb5_free_creds(context, tgt);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_cred_from_kdc_opt(krb5_context context,
+			   krb5_ccache ccache,
+			   krb5_creds *in_creds,
+			   krb5_creds **out_creds,
+			   krb5_creds ***ret_tgts,
+			   krb5_flags flags)
+{
+    krb5_kdc_flags f;
+    f.i = flags;
+    return get_cred_from_kdc_flags(context, f, ccache, 
+				   in_creds, out_creds, ret_tgts);
+}
+
+krb5_error_code
+krb5_get_cred_from_kdc(krb5_context context,
+		       krb5_ccache ccache,
+		       krb5_creds *in_creds,
+		       krb5_creds **out_creds,
+		       krb5_creds ***ret_tgts)
+{
+    return krb5_get_cred_from_kdc_opt(context, ccache, 
+				      in_creds, out_creds, ret_tgts, 0);
+}
+     
+
+krb5_error_code
+krb5_get_credentials_with_flags(krb5_context context,
+				krb5_flags options,
+				krb5_kdc_flags flags,
+				krb5_ccache ccache,
+				krb5_creds *in_creds,
+				krb5_creds **out_creds)
+{
+    krb5_error_code ret;
+    krb5_creds **tgts;
+    krb5_creds *res_creds;
+    int i;
+    
+    *out_creds = NULL;
+    res_creds = calloc(1, sizeof(*res_creds));
+    if (res_creds == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    ret = krb5_cc_retrieve_cred(context,
+				ccache,
+				in_creds->session.keytype ?
+				KRB5_TC_MATCH_KEYTYPE : 0,
+				in_creds, res_creds);
+    if(ret == 0) {
+	*out_creds = res_creds;
+	return 0;
+    }
+    free(res_creds);
+    if(ret != KRB5_CC_END)
+	return ret;
+    if(options & KRB5_GC_CACHED) {
+	krb5_clear_error_string (context);
+	return KRB5_CC_NOTFOUND;
+    }
+    if(options & KRB5_GC_USER_USER)
+	flags.b.enc_tkt_in_skey = 1;
+    tgts = NULL;
+    ret = get_cred_from_kdc_flags(context, flags, ccache, 
+				  in_creds, out_creds, &tgts);
+    for(i = 0; tgts && tgts[i]; i++) {
+	krb5_cc_store_cred(context, ccache, tgts[i]);
+	krb5_free_creds(context, tgts[i]);
+    }
+    free(tgts);
+    if(ret == 0 && flags.b.enc_tkt_in_skey == 0)
+	krb5_cc_store_cred(context, ccache, *out_creds);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_credentials(krb5_context context,
+		     krb5_flags options,
+		     krb5_ccache ccache,
+		     krb5_creds *in_creds,
+		     krb5_creds **out_creds)
+{
+    krb5_kdc_flags flags;
+    flags.i = 0;
+    return krb5_get_credentials_with_flags(context, options, flags,
+					   ccache, in_creds, out_creds);
+}
diff --git a/crypto/heimdal/lib/krb5/get_default_principal.c b/crypto/heimdal/lib/krb5/get_default_principal.c
new file mode 100644
index 0000000..f8ed48f
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_default_principal.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_default_principal.c,v 1.7 2001/05/14 06:14:46 assar Exp $");
+
+/*
+ * Try to find out what's a reasonable default principal.
+ */
+
+static const char*
+get_env_user(void)
+{
+    const char *user = getenv("USER");
+    if(user == NULL)
+	user = getenv("LOGNAME");
+    if(user == NULL)
+	user = getenv("USERNAME");
+    return user;
+}
+
+krb5_error_code
+krb5_get_default_principal (krb5_context context,
+			    krb5_principal *princ)
+{
+    krb5_error_code ret;
+    krb5_ccache id;
+    const char *user;
+    uid_t uid;
+
+    ret = krb5_cc_default (context, &id);
+    if (ret == 0) {
+	ret = krb5_cc_get_principal (context, id, princ);
+	krb5_cc_close (context, id);
+	if (ret == 0)
+	    return 0;
+    }
+
+
+    uid = getuid();    
+    if(uid == 0) {
+	user = getlogin();
+	if(user == NULL)
+	    user = get_env_user();
+	if(user != NULL && strcmp(user, "root") != 0)
+	    ret = krb5_make_principal(context, princ, NULL, user, "root", NULL);
+	else
+	    ret = krb5_make_principal(context, princ, NULL, "root", NULL);
+    } else {
+	struct passwd *pw = getpwuid(uid);	
+	if(pw != NULL)
+	    user = pw->pw_name;
+	else {
+	    user = get_env_user();
+	    if(user == NULL)
+		user = getlogin();
+	}
+	if(user == NULL) {
+	    krb5_set_error_string(context,
+				  "unable to figure out current principal");
+	    return ENOTTY; /* XXX */
+	}
+	ret = krb5_make_principal(context, princ, NULL, user, NULL);
+    }
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/get_default_realm.c b/crypto/heimdal/lib/krb5/get_default_realm.c
new file mode 100644
index 0000000..c090cea
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_default_realm.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_default_realm.c,v 1.9 2001/05/14 06:14:47 assar Exp $");
+
+/*
+ * Return a NULL-terminated list of default realms in `realms'.
+ * Free this memory with krb5_free_host_realm.
+ */
+
+krb5_error_code
+krb5_get_default_realms (krb5_context context,
+			 krb5_realm **realms)
+{
+    if (context->default_realms == NULL) {
+	krb5_error_code ret = krb5_set_default_realm (context, NULL);
+	if (ret)
+	    return KRB5_CONFIG_NODEFREALM;
+    }
+
+    return krb5_copy_host_realm (context,
+				 context->default_realms,
+				 realms);
+}
+
+/*
+ * Return the first default realm.  For compatability.
+ */
+
+krb5_error_code
+krb5_get_default_realm(krb5_context context,
+		       krb5_realm *realm)
+{
+    char *res;
+
+    if (context->default_realms == NULL
+	|| context->default_realms[0] == NULL) {
+	krb5_error_code ret = krb5_set_default_realm (context, NULL);
+	if (ret)
+	    return KRB5_CONFIG_NODEFREALM;
+    }
+
+    res = strdup (context->default_realms[0]);
+    if (res == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    *realm = res;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/get_for_creds.c b/crypto/heimdal/lib/krb5/get_for_creds.c
new file mode 100644
index 0000000..febd061
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_for_creds.c
@@ -0,0 +1,318 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: get_for_creds.c,v 1.29 2001/05/14 22:49:55 assar Exp $");
+
+static krb5_error_code
+add_addrs(krb5_context context,
+	  krb5_addresses *addr,
+	  struct addrinfo *ai)
+{
+    krb5_error_code ret;
+    unsigned n, i, j;
+    void *tmp;
+    struct addrinfo *a;
+
+    n = 0;
+    for (a = ai; a != NULL; a = a->ai_next)
+	++n;
+
+    i = addr->len;
+    addr->len += n;
+    tmp = realloc(addr->val, addr->len * sizeof(*addr->val));
+    if (tmp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	ret = ENOMEM;
+	goto fail;
+    }
+    addr->val = tmp;
+    for (j = i; j < addr->len; ++j) {
+	addr->val[i].addr_type = 0;
+	krb5_data_zero(&addr->val[i].address);
+    }
+    for (a = ai; a != NULL; a = a->ai_next) {
+	ret = krb5_sockaddr2address (context, a->ai_addr, &addr->val[i]);
+	if (ret == 0)
+	    ++i;
+	else if (ret == KRB5_PROG_ATYPE_NOSUPP)
+	    krb5_clear_error_string (context);
+	else
+	    goto fail;
+    }
+    addr->len = i;
+    return 0;
+fail:
+    krb5_free_addresses (context, addr);
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_fwd_tgt_creds (krb5_context	context,
+		    krb5_auth_context	auth_context,
+		    const char		*hostname,
+		    krb5_principal	client,
+		    krb5_principal	server,
+		    krb5_ccache		ccache,
+		    int			forwardable,
+		    krb5_data		*out_data)
+{
+    krb5_flags flags = 0;
+    krb5_creds creds;
+    krb5_error_code ret;
+
+    flags |= KDC_OPT_FORWARDED;
+
+    if (forwardable)
+	flags |= KDC_OPT_FORWARDABLE;
+
+    
+    memset (&creds, 0, sizeof(creds));
+    creds.client = client;
+    creds.server = server;
+
+    ret = krb5_get_forwarded_creds (context,
+				    auth_context,
+				    ccache,
+				    flags,
+				    hostname,
+				    &creds,
+				    out_data);
+    return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_get_forwarded_creds (krb5_context	    context,
+			  krb5_auth_context auth_context,
+			  krb5_ccache       ccache,
+			  krb5_flags        flags,
+			  const char        *hostname,
+			  krb5_creds        *in_creds,
+			  krb5_data         *out_data)
+{
+    krb5_error_code ret;
+    krb5_creds *out_creds;
+    krb5_addresses addrs;
+    KRB_CRED cred;
+    KrbCredInfo *krb_cred_info;
+    EncKrbCredPart enc_krb_cred_part;
+    size_t len;
+    u_char buf[1024];
+    int32_t sec, usec;
+    krb5_kdc_flags kdc_flags;
+    krb5_crypto crypto;
+    struct addrinfo *ai;
+    int save_errno;
+
+    addrs.len = 0;
+    addrs.val = NULL;
+
+    ret = getaddrinfo (hostname, NULL, NULL, &ai);
+    if (ret) {
+	save_errno = errno;
+	krb5_set_error_string(context, "resolving %s: %s",
+			      hostname, gai_strerror(ret));
+	return krb5_eai_to_heim_errno(ret, save_errno);
+    }
+
+    ret = add_addrs (context, &addrs, ai);
+    freeaddrinfo (ai);
+    if (ret)
+	return ret;
+
+    kdc_flags.i = flags;
+
+    ret = krb5_get_kdc_cred (context,
+			     ccache,
+			     kdc_flags,
+			     &addrs,
+			     NULL,
+			     in_creds,
+			     &out_creds);
+    krb5_free_addresses (context, &addrs);
+    if (ret) {
+	return ret;
+    }
+
+    memset (&cred, 0, sizeof(cred));
+    cred.pvno = 5;
+    cred.msg_type = krb_cred;
+    ALLOC_SEQ(&cred.tickets, 1);
+    if (cred.tickets.val == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto out2;
+    }
+    ret = decode_Ticket(out_creds->ticket.data,
+			out_creds->ticket.length,
+			cred.tickets.val, &len);
+    if (ret)
+	goto out3;
+
+    memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
+    ALLOC_SEQ(&enc_krb_cred_part.ticket_info, 1);
+    if (enc_krb_cred_part.ticket_info.val == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto out4;
+    }
+    
+    krb5_us_timeofday (context, &sec, &usec);
+
+    ALLOC(enc_krb_cred_part.timestamp, 1);
+    if (enc_krb_cred_part.timestamp == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto out4;
+    }
+    *enc_krb_cred_part.timestamp = sec;
+    ALLOC(enc_krb_cred_part.usec, 1);
+    if (enc_krb_cred_part.usec == NULL) {
+ 	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto out4;
+    }
+    *enc_krb_cred_part.usec      = usec;
+
+    if (auth_context->local_address && auth_context->local_port) {
+	ret = krb5_make_addrport (context,
+				  &enc_krb_cred_part.s_address,
+				  auth_context->local_address,
+				  auth_context->local_port);
+	if (ret)
+	    goto out4;
+    }
+
+    if (auth_context->remote_address) {
+	ALLOC(enc_krb_cred_part.r_address, 1);
+	if (enc_krb_cred_part.r_address == NULL) {
+	    ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	    goto out4;
+	}
+
+	ret = krb5_copy_address (context, auth_context->remote_address,
+				 enc_krb_cred_part.r_address);
+	if (ret)
+	    goto out4;
+    }
+
+    /* fill ticket_info.val[0] */
+
+    enc_krb_cred_part.ticket_info.len = 1;
+
+    krb_cred_info = enc_krb_cred_part.ticket_info.val;
+
+    copy_EncryptionKey (&out_creds->session, &krb_cred_info->key);
+    ALLOC(krb_cred_info->prealm, 1);
+    copy_Realm (&out_creds->client->realm, krb_cred_info->prealm);
+    ALLOC(krb_cred_info->pname, 1);
+    copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname);
+    ALLOC(krb_cred_info->flags, 1);
+    *krb_cred_info->flags          = out_creds->flags.b;
+    ALLOC(krb_cred_info->authtime, 1);
+    *krb_cred_info->authtime       = out_creds->times.authtime;
+    ALLOC(krb_cred_info->starttime, 1);
+    *krb_cred_info->starttime      = out_creds->times.starttime;
+    ALLOC(krb_cred_info->endtime, 1);
+    *krb_cred_info->endtime        = out_creds->times.endtime;
+    ALLOC(krb_cred_info->renew_till, 1);
+    *krb_cred_info->renew_till = out_creds->times.renew_till;
+    ALLOC(krb_cred_info->srealm, 1);
+    copy_Realm (&out_creds->server->realm, krb_cred_info->srealm);
+    ALLOC(krb_cred_info->sname, 1);
+    copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname);
+    ALLOC(krb_cred_info->caddr, 1);
+    copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr);
+
+    krb5_free_creds (context, out_creds);
+
+    /* encode EncKrbCredPart */
+
+    ret = krb5_encode_EncKrbCredPart (context,
+				      buf + sizeof(buf) - 1, sizeof(buf),
+				      &enc_krb_cred_part, &len);
+    free_EncKrbCredPart (&enc_krb_cred_part);
+    if (ret) {
+	free_KRB_CRED(&cred);
+	return ret;
+    }    
+
+    ret = krb5_crypto_init(context, auth_context->local_subkey, 0, &crypto);
+    if (ret) {
+	free_KRB_CRED(&cred);
+	return ret;
+    }
+    ret = krb5_encrypt_EncryptedData (context,
+				      crypto,
+				      KRB5_KU_KRB_CRED,
+				      buf + sizeof(buf) - len,
+				      len,
+				      0,
+				      &cred.enc_part);
+    krb5_crypto_destroy(context, crypto);
+    if (ret) {
+	free_KRB_CRED(&cred);
+	return ret;
+    }
+
+    ret = encode_KRB_CRED (buf + sizeof(buf) - 1, sizeof(buf),
+			   &cred, &len);
+    free_KRB_CRED (&cred);
+    if (ret)
+	return ret;
+    out_data->length = len;
+    out_data->data   = malloc(len);
+    if (out_data->data == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memcpy (out_data->data, buf + sizeof(buf) - len, len);
+    return 0;
+out4:
+    free_EncKrbCredPart(&enc_krb_cred_part);
+out3:
+    free_KRB_CRED(&cred);
+out2:
+    krb5_free_creds (context, out_creds);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/get_host_realm.c b/crypto/heimdal/lib/krb5/get_host_realm.c
new file mode 100644
index 0000000..266072e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_host_realm.c
@@ -0,0 +1,201 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <resolve.h>
+
+RCSID("$Id: get_host_realm.c,v 1.28 2001/05/14 06:14:47 assar Exp $");
+
+/* To automagically find the correct realm of a host (without
+ * [domain_realm] in krb5.conf) add a text record for your domain with
+ * the name of your realm, like this:
+ *
+ * krb5-realm	IN	TXT	FOO.SE
+ *
+ * The search is recursive, so you can add entries for specific
+ * hosts. To find the realm of host a.b.c, it first tries
+ * krb5-realm.a.b.c, then krb5-realm.b.c and so on.
+ *
+ * Also supported is _kerberos (following draft-ietf-cat-krb-dns-locate-01.txt)
+ *
+ */
+
+static int
+copy_txt_to_realms (struct resource_record *head,
+		    krb5_realm **realms)
+{
+    struct resource_record *rr;
+    int n, i;
+
+    for(n = 0, rr = head; rr; rr = rr->next)
+	if (rr->type == T_TXT)
+	    ++n;
+
+    if (n == 0)
+	return -1;
+
+    *realms = malloc ((n + 1) * sizeof(krb5_realm));
+    if (*realms == NULL)
+	return -1;
+
+    for (i = 0; i < n + 1; ++i)
+	(*realms)[i] = NULL;
+
+    for (i = 0, rr = head; rr; rr = rr->next) {
+	if (rr->type == T_TXT) {
+	    char *tmp;
+
+	    tmp = strdup(rr->u.txt);
+	    if (tmp == NULL) {
+		for (i = 0; i < n; ++i)
+		    free ((*realms)[i]);
+		free (*realms);
+		return -1;
+	    }
+	    (*realms)[i] = tmp;
+	    ++i;
+	}
+    }
+    return 0;
+}
+
+static int
+dns_find_realm(krb5_context context,
+	       const char *domain,
+	       const char *dom_string,
+	       krb5_realm **realms)
+{
+    char dom[MAXHOSTNAMELEN];
+    struct dns_reply *r;
+    int ret;
+    
+    if(*domain == '.')
+	domain++;
+    snprintf(dom, sizeof(dom), "%s.%s.", dom_string, domain);
+    r = dns_lookup(dom, "TXT");
+    if(r == NULL)
+	return -1;
+
+    ret = copy_txt_to_realms (r->head, realms);
+    dns_free_data(r);
+    return ret;
+}
+
+/*
+ * Try to figure out what realms host in `domain' belong to from the
+ * configuration file.
+ */
+
+static int
+config_find_realm(krb5_context context, 
+		  const char *domain, 
+		  krb5_realm **realms)
+{
+    char **tmp = krb5_config_get_strings (context, NULL,
+					  "domain_realm",
+					  domain,
+					  NULL);
+
+    if (tmp == NULL)
+	return -1;
+    *realms = tmp;
+    return 0;
+}
+
+/*
+ * This function assumes that `host' is a FQDN (and doesn't handle the
+ * special case of host == NULL either).
+ * Try to find mapping in the config file or DNS and it that fails,
+ * fall back to guessing
+ */
+
+krb5_error_code
+krb5_get_host_realm_int (krb5_context context,
+			 const char *host,
+			 krb5_boolean use_dns,
+			 krb5_realm **realms)
+{
+    const char *p;
+
+    for (p = host; p != NULL; p = strchr (p + 1, '.')) {
+	if(config_find_realm(context, p, realms) == 0)
+	    return 0;
+	else if(use_dns) {
+	    if(dns_find_realm(context, p, "krb5-realm", realms) == 0)
+		return 0;
+	    if(dns_find_realm(context, p, "_kerberos", realms) == 0)
+		return 0;
+	}
+    }
+    p = strchr(host, '.');
+    if(p != NULL) {
+	p++;
+	*realms = malloc(2 * sizeof(krb5_realm));
+	if (*realms == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+
+	(*realms)[0] = strdup(p);
+	if((*realms)[0] == NULL) {
+	    free(*realms);
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	strupr((*realms)[0]);
+	(*realms)[1] = NULL;
+	return 0;
+    }
+    krb5_set_error_string(context, "unable to find realm of host %s", host);
+    return KRB5_ERR_HOST_REALM_UNKNOWN;
+}
+
+/*
+ * Return the realm(s) of `host' as a NULL-terminated list in `realms'.
+ */
+
+krb5_error_code
+krb5_get_host_realm(krb5_context context,
+		    const char *host,
+		    krb5_realm **realms)
+{
+    char hostname[MAXHOSTNAMELEN];
+
+    if (host == NULL) {
+	if (gethostname (hostname, sizeof(hostname)))
+	    return errno;
+	host = hostname;
+    }
+
+    return krb5_get_host_realm_int (context, host, 1, realms);
+}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt.c b/crypto/heimdal/lib/krb5/get_in_tkt.c
new file mode 100644
index 0000000..bb023b1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_in_tkt.c
@@ -0,0 +1,832 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_in_tkt.c,v 1.100 2001/05/14 06:14:48 assar Exp $");
+
+krb5_error_code
+krb5_init_etype (krb5_context context,
+		 unsigned *len,
+		 int **val,
+		 const krb5_enctype *etypes)
+{
+    int i;
+    krb5_error_code ret;
+    krb5_enctype *tmp;
+
+    ret = 0;
+    if (etypes)
+	tmp = (krb5_enctype*)etypes;
+    else {
+	ret = krb5_get_default_in_tkt_etypes(context,
+					     &tmp);
+	if (ret)
+	    return ret;
+    }
+
+    for (i = 0; tmp[i]; ++i)
+	;
+    *len = i;
+    *val = malloc(i * sizeof(int));
+    if (i != 0 && *val == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto cleanup;
+    }
+    memmove (*val,
+	     tmp,
+	     i * sizeof(*tmp));
+cleanup:
+    if (etypes == NULL)
+	free (tmp);
+    return ret;
+}
+
+
+static krb5_error_code
+decrypt_tkt (krb5_context context,
+	     krb5_keyblock *key,
+	     krb5_key_usage usage,
+	     krb5_const_pointer decrypt_arg,
+	     krb5_kdc_rep *dec_rep)
+{
+    krb5_error_code ret;
+    krb5_data data;
+    size_t size;
+    krb5_crypto crypto;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
+
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      usage,
+				      &dec_rep->kdc_rep.enc_part,
+				      &data);
+    krb5_crypto_destroy(context, crypto);
+
+    if (ret)
+	return ret;
+
+    ret = krb5_decode_EncASRepPart(context,
+				   data.data,
+				   data.length,
+				   &dec_rep->enc_part, 
+				   &size);
+    if (ret)
+	ret = krb5_decode_EncTGSRepPart(context,
+					data.data,
+					data.length,
+					&dec_rep->enc_part, 
+					&size);
+    krb5_data_free (&data);
+    if (ret)
+	return ret;
+    return 0;
+}
+
+int
+_krb5_extract_ticket(krb5_context context, 
+		     krb5_kdc_rep *rep, 
+		     krb5_creds *creds,		
+		     krb5_keyblock *key,
+		     krb5_const_pointer keyseed,
+		     krb5_key_usage key_usage,
+		     krb5_addresses *addrs,
+		     unsigned nonce,
+		     krb5_boolean allow_server_mismatch,
+		     krb5_boolean ignore_cname,
+		     krb5_decrypt_proc decrypt_proc,
+		     krb5_const_pointer decryptarg)
+{
+    krb5_error_code ret;
+    krb5_principal tmp_principal;
+    int tmp;
+    time_t tmp_time;
+    krb5_timestamp sec_now;
+
+    ret = principalname2krb5_principal (&tmp_principal,
+					rep->kdc_rep.cname,
+					rep->kdc_rep.crealm);
+    if (ret)
+	goto out;
+
+    /* compare client */
+
+    if (!ignore_cname) {
+	tmp = krb5_principal_compare (context, tmp_principal, creds->client);
+	if (!tmp) {
+	    krb5_free_principal (context, tmp_principal);
+	    krb5_clear_error_string (context);
+	    ret = KRB5KRB_AP_ERR_MODIFIED;
+	    goto out;
+	}
+    }
+
+    krb5_free_principal (context, creds->client);
+    creds->client = tmp_principal;
+
+    /* extract ticket */
+    {
+	unsigned char *buf;
+	size_t len;
+	len = length_Ticket(&rep->kdc_rep.ticket);
+	buf = malloc(len);
+	if(buf == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    ret = ENOMEM;
+	    goto out;
+	}
+	encode_Ticket(buf + len - 1, len, &rep->kdc_rep.ticket, &len);
+	creds->ticket.data = buf;
+	creds->ticket.length = len;
+	creds->second_ticket.length = 0;
+	creds->second_ticket.data   = NULL;
+    }
+
+    /* compare server */
+
+    ret = principalname2krb5_principal (&tmp_principal,
+					rep->kdc_rep.ticket.sname,
+					rep->kdc_rep.ticket.realm);
+    if (ret)
+	goto out;
+    if(allow_server_mismatch){
+	krb5_free_principal(context, creds->server);
+	creds->server = tmp_principal;
+	tmp_principal = NULL;
+    }else{
+	tmp = krb5_principal_compare (context, tmp_principal, creds->server);
+	krb5_free_principal (context, tmp_principal);
+	if (!tmp) {
+	    ret = KRB5KRB_AP_ERR_MODIFIED;
+	    krb5_clear_error_string (context);
+	    goto out;
+	}
+    }
+    
+    /* decrypt */
+
+    if (decrypt_proc == NULL)
+	decrypt_proc = decrypt_tkt;
+    
+    ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
+    if (ret)
+	goto out;
+
+#if 0
+    /* XXX should this decode be here, or in the decrypt_proc? */
+    ret = krb5_decode_keyblock(context, &rep->enc_part.key, 1);
+    if(ret)
+	goto out;
+#endif
+
+    /* compare nonces */
+
+    if (nonce != rep->enc_part.nonce) {
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto out;
+    }
+
+    /* set kdc-offset */
+
+    krb5_timeofday (context, &sec_now);
+    if (context->kdc_sec_offset == 0
+	&& krb5_config_get_bool (context, NULL,
+				 "libdefaults",
+				 "kdc_timesync",
+				 NULL)) {
+	context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
+	krb5_timeofday (context, &sec_now);
+    }
+
+    /* check all times */
+
+    if (rep->enc_part.starttime) {
+	tmp_time = *rep->enc_part.starttime;
+    } else
+	tmp_time = rep->enc_part.authtime;
+
+    if (creds->times.starttime == 0
+	&& abs(tmp_time - sec_now) > context->max_skew) {
+	ret = KRB5KRB_AP_ERR_SKEW;
+	krb5_set_error_string (context,
+			       "time skew (%d) larger than max (%d)",
+			       abs(tmp_time - sec_now),
+			       (int)context->max_skew);
+	goto out;
+    }
+
+    if (creds->times.starttime != 0
+	&& tmp_time != creds->times.starttime) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	goto out;
+    }
+
+    creds->times.starttime = tmp_time;
+
+    if (rep->enc_part.renew_till) {
+	tmp_time = *rep->enc_part.renew_till;
+    } else
+	tmp_time = 0;
+
+    if (creds->times.renew_till != 0
+	&& tmp_time > creds->times.renew_till) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	goto out;
+    }
+
+    creds->times.renew_till = tmp_time;
+
+    creds->times.authtime = rep->enc_part.authtime;
+
+    if (creds->times.endtime != 0
+	&& rep->enc_part.endtime > creds->times.endtime) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_MODIFIED;
+	goto out;
+    }
+
+    creds->times.endtime  = rep->enc_part.endtime;
+
+    if(rep->enc_part.caddr)
+	krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses);
+    else if(addrs)
+	krb5_copy_addresses (context, addrs, &creds->addresses);
+    else {
+	creds->addresses.len = 0;
+	creds->addresses.val = NULL;
+    }
+    creds->flags.b = rep->enc_part.flags;
+	  
+    creds->authdata.len = 0;
+    creds->authdata.val = NULL;
+    creds->session.keyvalue.length = 0;
+    creds->session.keyvalue.data   = NULL;
+    creds->session.keytype = rep->enc_part.key.keytype;
+    ret = krb5_data_copy (&creds->session.keyvalue,
+			  rep->enc_part.key.keyvalue.data,
+			  rep->enc_part.key.keyvalue.length);
+
+out:
+    memset (rep->enc_part.key.keyvalue.data, 0,
+	    rep->enc_part.key.keyvalue.length);
+    return ret;
+}
+
+
+static krb5_error_code
+make_pa_enc_timestamp(krb5_context context, PA_DATA *pa, 
+		      krb5_enctype etype, krb5_keyblock *key)
+{
+    PA_ENC_TS_ENC p;
+    u_char buf[1024];
+    size_t len;
+    EncryptedData encdata;
+    krb5_error_code ret;
+    int32_t sec, usec;
+    int usec2;
+    krb5_crypto crypto;
+    
+    krb5_us_timeofday (context, &sec, &usec);
+    p.patimestamp = sec;
+    usec2         = usec;
+    p.pausec      = &usec2;
+
+    ret = encode_PA_ENC_TS_ENC(buf + sizeof(buf) - 1,
+			       sizeof(buf),
+			       &p,
+			       &len);
+    if (ret)
+	return ret;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
+    ret = krb5_encrypt_EncryptedData(context, 
+				     crypto,
+				     KRB5_KU_PA_ENC_TIMESTAMP,
+				     buf + sizeof(buf) - len,
+				     len,
+				     0,
+				     &encdata);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+	return ret;
+		    
+    ret = encode_EncryptedData(buf + sizeof(buf) - 1,
+			       sizeof(buf),
+			       &encdata, 
+			       &len);
+    free_EncryptedData(&encdata);
+    if (ret)
+	return ret;
+    pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP;
+    pa->padata_value.length = 0;
+    krb5_data_copy(&pa->padata_value,
+		   buf + sizeof(buf) - len,
+		   len);
+    return 0;
+}
+
+static krb5_error_code
+add_padata(krb5_context context,
+	   METHOD_DATA *md, 
+	   krb5_principal client,
+	   krb5_key_proc key_proc,
+	   krb5_const_pointer keyseed,
+	   int *enctypes, 
+	   unsigned netypes,
+	   krb5_salt *salt)
+{
+    krb5_error_code ret;
+    PA_DATA *pa2;
+    krb5_salt salt2;
+    int *ep;
+    int i;
+    
+    if(salt == NULL) {
+	/* default to standard salt */
+	ret = krb5_get_pw_salt (context, client, &salt2);
+	salt = &salt2;
+    }
+    if (!enctypes) {
+	enctypes = (int *)context->etypes; /* XXX */
+	netypes = 0;
+	for (ep = enctypes; *ep != ETYPE_NULL; ep++)
+	    netypes++;
+    }
+    pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val));
+    if (pa2 == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    md->val = pa2;
+
+    for (i = 0; i < netypes; ++i) {
+	krb5_keyblock *key;
+
+	ret = (*key_proc)(context, enctypes[i], *salt, keyseed, &key);
+	if (ret)
+	    continue;
+	ret = make_pa_enc_timestamp (context, &md->val[md->len],
+				     enctypes[i], key);
+	krb5_free_keyblock (context, key);
+	if (ret)
+	    return ret;
+	++md->len;
+    }
+    if(salt == &salt2)
+	krb5_free_salt(context, salt2);
+    return 0;
+}
+
+static krb5_error_code
+init_as_req (krb5_context context,
+	     krb5_kdc_flags opts,
+	     krb5_creds *creds,
+	     const krb5_addresses *addrs,
+	     const krb5_enctype *etypes,
+	     const krb5_preauthtype *ptypes,
+	     const krb5_preauthdata *preauth,
+	     krb5_key_proc key_proc,
+	     krb5_const_pointer keyseed,
+	     unsigned nonce,
+	     AS_REQ *a)
+{
+    krb5_error_code ret;
+    krb5_salt salt;
+
+    memset(a, 0, sizeof(*a));
+
+    a->pvno = 5;
+    a->msg_type = krb_as_req;
+    a->req_body.kdc_options = opts.b;
+    a->req_body.cname = malloc(sizeof(*a->req_body.cname));
+    if (a->req_body.cname == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto fail;
+    }
+    a->req_body.sname = malloc(sizeof(*a->req_body.sname));
+    if (a->req_body.sname == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string(context, "malloc: out of memory");
+	goto fail;
+    }
+    ret = krb5_principal2principalname (a->req_body.cname, creds->client);
+    if (ret)
+	goto fail;
+    ret = krb5_principal2principalname (a->req_body.sname, creds->server);
+    if (ret)
+	goto fail;
+    ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
+    if (ret)
+	goto fail;
+
+    if(creds->times.starttime) {
+	a->req_body.from = malloc(sizeof(*a->req_body.from));
+	if (a->req_body.from == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    goto fail;
+	}
+	*a->req_body.from = creds->times.starttime;
+    }
+    if(creds->times.endtime){
+	ALLOC(a->req_body.till, 1);
+	*a->req_body.till = creds->times.endtime;
+    }
+    if(creds->times.renew_till){
+	a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
+	if (a->req_body.rtime == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    goto fail;
+	}
+	*a->req_body.rtime = creds->times.renew_till;
+    }
+    a->req_body.nonce = nonce;
+    ret = krb5_init_etype (context,
+			   &a->req_body.etype.len,
+			   &a->req_body.etype.val,
+			   etypes);
+    if (ret)
+	goto fail;
+
+    /*
+     * This means no addresses
+     */
+
+    if (addrs && addrs->len == 0) {
+	a->req_body.addresses = NULL;
+    } else {
+	a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
+	if (a->req_body.addresses == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    goto fail;
+	}
+
+	if (addrs)
+	    ret = krb5_copy_addresses(context, addrs, a->req_body.addresses);
+	else
+	    ret = krb5_get_all_client_addrs (context, a->req_body.addresses);
+	if (ret)
+	    return ret;
+    }
+
+    a->req_body.enc_authorization_data = NULL;
+    a->req_body.additional_tickets = NULL;
+
+    if(preauth != NULL) {
+	int i;
+	ALLOC(a->padata, 1);
+	if(a->padata == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    goto fail;
+	}
+	for(i = 0; i < preauth->len; i++) {
+	    if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
+		int j;
+		PA_DATA *tmp = realloc(a->padata->val, 
+				       (a->padata->len + 
+					preauth->val[i].info.len) * 
+				       sizeof(*a->padata->val));
+		if(tmp == NULL) {
+		    ret = ENOMEM;
+		    krb5_set_error_string(context, "malloc: out of memory");
+		    goto fail;
+		}
+		a->padata->val = tmp;
+		for(j = 0; j < preauth->val[i].info.len; j++) {
+		    krb5_salt *sp = &salt;
+		    if(preauth->val[i].info.val[j].salttype)
+			salt.salttype = *preauth->val[i].info.val[j].salttype;
+		    else
+			salt.salttype = KRB5_PW_SALT;
+		    if(preauth->val[i].info.val[j].salt)
+			salt.saltvalue = *preauth->val[i].info.val[j].salt;
+		    else
+			if(salt.salttype == KRB5_PW_SALT)
+			    sp = NULL;
+			else
+			    krb5_data_zero(&salt.saltvalue);
+		    add_padata(context, a->padata, creds->client, 
+			       key_proc, keyseed, 
+			       &preauth->val[i].info.val[j].etype, 1,
+			       sp);
+		}
+	    }
+	}
+    } else 
+    /* not sure this is the way to use `ptypes' */
+    if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
+	a->padata = NULL;
+    else if (*ptypes ==  KRB5_PADATA_ENC_TIMESTAMP) {
+	ALLOC(a->padata, 1);
+	if (a->padata == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    goto fail;
+	}
+	a->padata->len = 0;
+	a->padata->val = NULL;
+
+	/* make a v5 salted pa-data */
+	add_padata(context, a->padata, creds->client, 
+		   key_proc, keyseed, a->req_body.etype.val,
+		   a->req_body.etype.len, NULL);
+	
+	/* make a v4 salted pa-data */
+	salt.salttype = KRB5_PW_SALT;
+	krb5_data_zero(&salt.saltvalue);
+	add_padata(context, a->padata, creds->client, 
+		   key_proc, keyseed, a->req_body.etype.val,
+		   a->req_body.etype.len, &salt);
+    } else {
+	krb5_set_error_string (context, "pre-auth type %d not supported",
+			       *ptypes);
+	ret = KRB5_PREAUTH_BAD_TYPE;
+	goto fail;
+    }
+    return 0;
+fail:
+    free_AS_REQ(a);
+    return ret;
+}
+
+static int
+set_ptypes(krb5_context context,
+	   KRB_ERROR *error, 
+	   krb5_preauthtype **ptypes,
+	   krb5_preauthdata **preauth)
+{
+    static krb5_preauthdata preauth2;
+    static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE };
+
+    if(error->e_data) {
+	METHOD_DATA md;
+	int i;
+	decode_METHOD_DATA(error->e_data->data, 
+			   error->e_data->length, 
+			   &md, 
+			   NULL);
+	for(i = 0; i < md.len; i++){
+	    switch(md.val[i].padata_type){
+	    case KRB5_PADATA_ENC_TIMESTAMP:
+		*ptypes = ptypes2;
+		break;
+	    case KRB5_PADATA_ETYPE_INFO:
+		*preauth = &preauth2;
+		ALLOC_SEQ(*preauth, 1);
+		(*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP;
+		krb5_decode_ETYPE_INFO(context,
+				       md.val[i].padata_value.data, 
+				       md.val[i].padata_value.length,
+				       &(*preauth)->val[0].info,
+				       NULL);
+		break;
+	    default:
+		break;
+	    }
+	}
+	free_METHOD_DATA(&md);
+    } else {
+	*ptypes = ptypes2;
+    }
+    return(1);
+}
+
+krb5_error_code
+krb5_get_in_cred(krb5_context context,
+		 krb5_flags options,
+		 const krb5_addresses *addrs,
+		 const krb5_enctype *etypes,
+		 const krb5_preauthtype *ptypes,
+		 const krb5_preauthdata *preauth,
+		 krb5_key_proc key_proc,
+		 krb5_const_pointer keyseed,
+		 krb5_decrypt_proc decrypt_proc,
+		 krb5_const_pointer decryptarg,
+		 krb5_creds *creds,
+		 krb5_kdc_rep *ret_as_reply)
+{
+    krb5_error_code ret;
+    AS_REQ a;
+    krb5_kdc_rep rep;
+    krb5_data req, resp;
+    char buf[BUFSIZ];
+    krb5_salt salt;
+    krb5_keyblock *key;
+    size_t size;
+    krb5_kdc_flags opts;
+    PA_DATA *pa;
+    krb5_enctype etype;
+    krb5_preauthdata *my_preauth = NULL;
+    unsigned nonce;
+    int done;
+
+    opts.i = options;
+
+    krb5_generate_random_block (&nonce, sizeof(nonce));
+    nonce &= 0xffffffff;
+
+    do {
+	done = 1;
+	ret = init_as_req (context,
+			   opts,
+			   creds,
+			   addrs,
+			   etypes,
+			   ptypes,
+			   preauth,
+			   key_proc,
+			   keyseed,
+			   nonce,
+			   &a);
+	if (my_preauth) {
+	    free_ETYPE_INFO(&my_preauth->val[0].info);
+	    free (my_preauth->val);
+	}
+	if (ret)
+	    return ret;
+
+	ret = encode_AS_REQ ((unsigned char*)buf + sizeof(buf) - 1,
+			     sizeof(buf),
+			     &a,
+			     &req.length);
+	free_AS_REQ(&a);
+	if (ret)
+	    return ret;
+
+	req.data = buf + sizeof(buf) - req.length;
+
+	ret = krb5_sendto_kdc (context, &req, &creds->client->realm, &resp);
+	if (ret)
+	    return ret;
+
+	memset (&rep, 0, sizeof(rep));
+	ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size);
+	if(ret) {
+	    /* let's try to parse it as a KRB-ERROR */
+	    KRB_ERROR error;
+	    int ret2;
+
+	    ret2 = krb5_rd_error(context, &resp, &error);
+	    if(ret2 && resp.data && ((char*)resp.data)[0] == 4)
+		ret = KRB5KRB_AP_ERR_V4_REPLY;
+	    krb5_data_free(&resp);
+	    if (ret2 == 0) {
+		ret = krb5_error_from_rd_error(context, &error, creds);
+		/* if no preauth was set and KDC requires it, give it
+                   one more try */
+		if (!ptypes && !preauth
+		    && ret == KRB5KDC_ERR_PREAUTH_REQUIRED
+#if 0
+			|| ret == KRB5KDC_ERR_BADOPTION
+#endif
+		    && set_ptypes(context, &error, &ptypes, &my_preauth)) {
+		    done = 0;
+		    preauth = my_preauth;
+		    krb5_free_error_contents(context, &error);
+		    continue;
+		}
+		if(ret_as_reply)
+		    ret_as_reply->error = error;
+		else
+		    free_KRB_ERROR (&error);
+		return ret;
+	    }
+	    return ret;
+	}
+	krb5_data_free(&resp);
+    } while(!done);
+    
+    pa = NULL;
+    etype = rep.kdc_rep.enc_part.etype;
+    if(rep.kdc_rep.padata){
+	int index = 0;
+	pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len, 
+			      KRB5_PADATA_PW_SALT, &index);
+	if(pa == NULL) {
+	    index = 0;
+	    pa = krb5_find_padata(rep.kdc_rep.padata->val, 
+				  rep.kdc_rep.padata->len, 
+				  KRB5_PADATA_AFS3_SALT, &index);
+	}
+    }
+    if(pa) {
+	salt.salttype = pa->padata_type;
+	salt.saltvalue = pa->padata_value;
+	
+	ret = (*key_proc)(context, etype, salt, keyseed, &key);
+    } else {
+	/* make a v5 salted pa-data */
+	ret = krb5_get_pw_salt (context, creds->client, &salt);
+	
+	if (ret)
+	    goto out;
+	ret = (*key_proc)(context, etype, salt, keyseed, &key);
+	krb5_free_salt(context, salt);
+    }
+    if (ret)
+	goto out;
+	
+    ret = _krb5_extract_ticket(context, 
+			       &rep, 
+			       creds, 
+			       key, 
+			       keyseed, 
+			       KRB5_KU_AS_REP_ENC_PART,
+			       NULL, 
+			       nonce, 
+			       FALSE, 
+			       opts.b.request_anonymous,
+			       decrypt_proc, 
+			       decryptarg);
+    memset (key->keyvalue.data, 0, key->keyvalue.length);
+    krb5_free_keyblock_contents (context, key);
+    free (key);
+
+out:
+    if (ret == 0 && ret_as_reply)
+	*ret_as_reply = rep;
+    else
+	krb5_free_kdc_rep (context, &rep);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_in_tkt(krb5_context context,
+		krb5_flags options,
+		const krb5_addresses *addrs,
+		const krb5_enctype *etypes,
+		const krb5_preauthtype *ptypes,
+		krb5_key_proc key_proc,
+		krb5_const_pointer keyseed,
+		krb5_decrypt_proc decrypt_proc,
+		krb5_const_pointer decryptarg,
+		krb5_creds *creds,
+		krb5_ccache ccache,
+		krb5_kdc_rep *ret_as_reply)
+{
+    krb5_error_code ret;
+    krb5_kdc_flags opts;
+    opts.i = 0;
+    opts.b = int2KDCOptions(options);
+    
+    ret = krb5_get_in_cred (context,
+			    opts.i,
+			    addrs,
+			    etypes,
+			    ptypes,
+			    NULL,
+			    key_proc,
+			    keyseed,
+			    decrypt_proc,
+			    decryptarg,
+			    creds,
+			    ret_as_reply);
+    if(ret) 
+	return ret;
+    ret = krb5_cc_store_cred (context, ccache, creds);
+    krb5_free_creds_contents (context, creds);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_pw.c b/crypto/heimdal/lib/krb5/get_in_tkt_pw.c
new file mode 100644
index 0000000..a4f5c80
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_in_tkt_pw.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_in_tkt_pw.c,v 1.16 2001/05/14 06:14:48 assar Exp $");
+
+krb5_error_code
+krb5_password_key_proc (krb5_context context,
+			krb5_enctype type,
+			krb5_salt salt,
+			krb5_const_pointer keyseed,
+			krb5_keyblock **key)
+{
+    krb5_error_code ret;
+    const char *password = (const char *)keyseed;
+    char buf[BUFSIZ];
+     
+    *key = malloc (sizeof (**key));
+    if (*key == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    if (password == NULL) {
+	if(des_read_pw_string (buf, sizeof(buf), "Password: ", 0)) {
+	    free (*key);
+	    krb5_clear_error_string(context);
+	    return KRB5_LIBOS_PWDINTR;
+	}
+	password = buf;
+    }
+    ret = krb5_string_to_key_salt (context, type, password, salt, *key);
+    memset (buf, 0, sizeof(buf));
+    return ret;
+}
+
+krb5_error_code
+krb5_get_in_tkt_with_password (krb5_context context,
+			       krb5_flags options,
+			       krb5_addresses *addrs,
+			       const krb5_enctype *etypes,
+			       const krb5_preauthtype *pre_auth_types,
+			       const char *password,
+			       krb5_ccache ccache,
+			       krb5_creds *creds,
+			       krb5_kdc_rep *ret_as_reply)
+{
+     return krb5_get_in_tkt (context,
+			     options,
+			     addrs,
+			     etypes,
+			     pre_auth_types,
+			     krb5_password_key_proc,
+			     password,
+			     NULL,
+			     NULL,
+			     creds,
+			     ccache,
+			     ret_as_reply);
+}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c b/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c
new file mode 100644
index 0000000..c5feee4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_in_tkt_with_keytab.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_in_tkt_with_keytab.c,v 1.6 2001/05/14 06:14:48 assar Exp $");
+
+krb5_error_code
+krb5_keytab_key_proc (krb5_context context,
+		      krb5_enctype enctype,
+		      krb5_salt salt,
+		      krb5_const_pointer keyseed,
+		      krb5_keyblock **key)
+{
+    krb5_keytab_key_proc_args *args  = (krb5_keytab_key_proc_args *)keyseed;
+    krb5_keytab keytab = args->keytab;
+    krb5_principal principal  = args->principal;
+    krb5_error_code ret;
+    krb5_keytab real_keytab;
+    krb5_keytab_entry entry;
+
+    if(keytab == NULL)
+	krb5_kt_default(context, &real_keytab);
+    else
+	real_keytab = keytab;
+
+    ret = krb5_kt_get_entry (context, real_keytab, principal,
+			     0, enctype, &entry);
+
+    if (keytab == NULL)
+	krb5_kt_close (context, real_keytab);
+
+    if (ret)
+	return ret;
+
+    ret = krb5_copy_keyblock (context, &entry.keyblock, key);
+    krb5_kt_free_entry(context, &entry);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_in_tkt_with_keytab (krb5_context context,
+			     krb5_flags options,
+			     krb5_addresses *addrs,
+			     const krb5_enctype *etypes,
+			     const krb5_preauthtype *pre_auth_types,
+			     krb5_keytab keytab,
+			     krb5_ccache ccache,
+			     krb5_creds *creds,
+			     krb5_kdc_rep *ret_as_reply)
+{
+    krb5_keytab_key_proc_args *a;
+
+    a = malloc(sizeof(*a));
+    if (a == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    a->principal = creds->client;
+    a->keytab    = keytab;
+
+    return krb5_get_in_tkt (context,
+			    options,
+			    addrs,
+			    etypes,
+			    pre_auth_types,
+			    krb5_keytab_key_proc,
+			    a,
+			    NULL,
+			    NULL,
+			    creds,
+			    ccache,
+			    ret_as_reply);
+}
diff --git a/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c b/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c
new file mode 100644
index 0000000..773d361
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_in_tkt_with_skey.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: get_in_tkt_with_skey.c,v 1.3 1999/12/02 17:05:10 joda Exp $");
+
+static krb5_error_code
+krb5_skey_key_proc (krb5_context context,
+		    krb5_enctype type,
+		    krb5_salt salt,
+		    krb5_const_pointer keyseed,
+		    krb5_keyblock **key)
+{
+    return krb5_copy_keyblock (context, keyseed, key);
+}
+
+krb5_error_code
+krb5_get_in_tkt_with_skey (krb5_context context,
+			   krb5_flags options,
+			   krb5_addresses *addrs,
+			   const krb5_enctype *etypes,
+			   const krb5_preauthtype *pre_auth_types,
+			   const krb5_keyblock *key,
+			   krb5_ccache ccache,
+			   krb5_creds *creds,
+			   krb5_kdc_rep *ret_as_reply)
+{
+    if(key == NULL)
+	return krb5_get_in_tkt_with_keytab (context,
+					    options,
+					    addrs,
+					    etypes,
+					    pre_auth_types,
+					    NULL,
+					    ccache,
+					    creds,
+					    ret_as_reply);
+    else
+	return krb5_get_in_tkt (context,
+				options,
+				addrs,
+				etypes,
+				pre_auth_types,
+				krb5_skey_key_proc,
+				key,
+				NULL,
+				NULL,
+				creds,
+				ccache,
+				ret_as_reply);
+}
diff --git a/crypto/heimdal/lib/krb5/get_port.c b/crypto/heimdal/lib/krb5/get_port.c
new file mode 100644
index 0000000..6c51741
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/get_port.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: get_port.c,v 1.8 2001/01/27 19:24:34 joda Exp $");
+
+int
+krb5_getportbyname (krb5_context context,
+		    const char *service,
+		    const char *proto,
+		    int default_port)
+{
+    struct servent *sp;
+
+    if ((sp = roken_getservbyname (service, proto)) == NULL) {
+#if 0
+	krb5_warnx(context, "%s/%s unknown service, using default port %d", 
+		   service, proto, default_port);
+#endif
+	return htons(default_port);
+    } else
+	return sp->s_port;
+}
diff --git a/crypto/heimdal/lib/krb5/heim_err.et b/crypto/heimdal/lib/krb5/heim_err.et
new file mode 100644
index 0000000..09145f2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/heim_err.et
@@ -0,0 +1,36 @@
+#
+# Error messages for the krb5 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: heim_err.et,v 1.10 2000/07/08 13:02:11 joda Exp $"
+
+error_table heim
+
+prefix HEIM_ERR
+
+error_code LOG_PARSE,		"Error parsing log destination"
+error_code V4_PRINC_NO_CONV,	"Failed to convert v4 principal"
+error_code SALTTYPE_NOSUPP,	"Salt type is not supported by enctype"
+error_code NOHOST,		"Host not found"
+error_code OPNOTSUPP,		"Operation not supported"
+error_code EOF,			"End of file"
+error_code BAD_MKEY,		"Failed to get the master key"
+
+index 128
+prefix HEIM_EAI
+#error_code NOERROR,		"no error"
+error_code UNKNOWN,		"unknown error from getaddrinfo"
+error_code ADDRFAMILY,		"address family for nodename not supported"
+error_code AGAIN,		"temporary failure in name resolution"
+error_code BADFLAGS,		"invalid value for ai_flags"
+error_code FAIL,		"non-recoverable failure in name resolution"
+error_code FAMILY,		"ai_family not supported"
+error_code MEMORY,		"memory allocation failure"
+error_code NODATA,		"no address associated with nodename"
+error_code NONAME,		"nodename nor servname provided, or not known"
+error_code SERVICE,		"servname not supported for ai_socktype"
+error_code SOCKTYPE,		"ai_socktype not supported"
+error_code SYSTEM,		"system error returned in errno"
+
+end
diff --git a/crypto/heimdal/lib/krb5/init_creds.c b/crypto/heimdal/lib/krb5/init_creds.c
new file mode 100644
index 0000000..f6c571a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/init_creds.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: init_creds.c,v 1.5 2001/01/05 16:27:39 joda Exp $");
+
+void
+krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
+{
+    memset (opt, 0, sizeof(*opt));
+    opt->flags = 0;
+}
+
+void
+krb5_get_init_creds_opt_set_default_flags(krb5_context context,
+					  const char *appname, 
+					  krb5_realm realm,
+					  krb5_get_init_creds_opt *opt)
+{
+    krb5_boolean b;
+    time_t t;
+
+    krb5_appdefault_boolean(context, appname, realm, "forwardable", FALSE, &b);
+    krb5_get_init_creds_opt_set_forwardable(opt, b);
+
+    krb5_appdefault_boolean(context, appname, realm, "proxiable", FALSE, &b);
+    krb5_get_init_creds_opt_set_proxiable (opt, b);
+
+    krb5_appdefault_time(context, appname, realm, "ticket_life", 0, &t);
+    if(t != 0)
+	krb5_get_init_creds_opt_set_tkt_life(opt, t);
+    
+    krb5_appdefault_time(context, appname, realm, "renewable_life", 0, &t);
+    if(t != 0)
+	krb5_get_init_creds_opt_set_renew_life(opt, t);
+
+#if 0
+    krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b);
+    krb5_get_init_creds_opt_set_anonymous (opt, b);
+
+    krb5_get_init_creds_opt_set_etype_list(opt, enctype, 
+					   etype_str.num_strings);
+
+    krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
+				     krb5_data *salt);
+
+    krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
+					     krb5_preauthtype *preauth_list,
+					     int preauth_list_length);
+    krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
+					     krb5_addresses *addresses);
+#endif
+}
+
+
+void
+krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
+				     krb5_deltat tkt_life)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE;
+    opt->tkt_life = tkt_life;
+}
+
+void
+krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
+				       krb5_deltat renew_life)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE;
+    opt->renew_life = renew_life;
+}
+
+void
+krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
+					int forwardable)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE;
+    opt->forwardable = forwardable;
+}
+
+void
+krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
+				      int proxiable)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE;
+    opt->proxiable = proxiable;
+}
+
+void
+krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
+				       krb5_enctype *etype_list,
+				       int etype_list_length)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST;
+    opt->etype_list = etype_list;
+    opt->etype_list_length = etype_list_length;
+}
+
+void
+krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
+					 krb5_addresses *addresses)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST;
+    opt->address_list = addresses;
+}
+
+void
+krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
+					 krb5_preauthtype *preauth_list,
+					 int preauth_list_length)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST;
+    opt->preauth_list_length = preauth_list_length;
+    opt->preauth_list = preauth_list;
+}
+
+void
+krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
+				 krb5_data *salt)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
+    opt->salt = salt;
+}
+
+void
+krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
+				      int anonymous)
+{
+    opt->flags |= KRB5_GET_INIT_CREDS_OPT_ANONYMOUS;
+    opt->anonymous = anonymous;
+}
diff --git a/crypto/heimdal/lib/krb5/init_creds_pw.c b/crypto/heimdal/lib/krb5/init_creds_pw.c
new file mode 100644
index 0000000..daa704f
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/init_creds_pw.c
@@ -0,0 +1,579 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: init_creds_pw.c,v 1.47 2001/05/14 06:14:48 assar Exp $");
+
+static int
+get_config_time (krb5_context context,
+		 char *realm,
+		 char *name,
+		 int def)
+{
+    int ret;
+
+    ret = krb5_config_get_time (context, NULL,
+				"realms",
+				realm,
+				name,
+				NULL);
+    if (ret >= 0)
+	return ret;
+    ret = krb5_config_get_time (context, NULL,
+				"libdefaults",
+				name,
+				NULL);
+    if (ret >= 0)
+	return ret;
+    return def;
+}
+
+static krb5_boolean
+get_config_bool (krb5_context context,
+		 char *realm,
+		 char *name)
+{
+    return krb5_config_get_bool (context,
+				 NULL,
+				 "realms",
+				 realm,
+				 name,
+				 NULL)
+	|| krb5_config_get_bool (context,
+				 NULL,
+				 "libdefaults",
+				 name,
+				 NULL);
+}
+
+static krb5_error_code
+init_cred (krb5_context context,
+	   krb5_creds *cred,
+	   krb5_principal client,
+	   krb5_deltat start_time,
+	   const char *in_tkt_service,
+	   krb5_get_init_creds_opt *options)
+{
+    krb5_error_code ret;
+    krb5_realm *client_realm;
+    int tmp;
+    krb5_timestamp now;
+
+    krb5_timeofday (context, &now);
+
+    memset (cred, 0, sizeof(*cred));
+    
+    if (client)
+	krb5_copy_principal(context, client, &cred->client);
+    else {
+	ret = krb5_get_default_principal (context,
+					  &cred->client);
+	if (ret)
+	    goto out;
+    }
+
+    client_realm = krb5_princ_realm (context, cred->client);
+
+    if (start_time)
+	cred->times.starttime  = now + start_time;
+
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)
+	tmp = options->tkt_life;
+    else
+	tmp = get_config_time (context,
+			       *client_realm,
+			       "ticket_lifetime",
+			       10 * 60 * 60);
+    cred->times.endtime = now + tmp;
+
+    tmp = 0;
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)
+	tmp = options->renew_life;
+    else
+	tmp = get_config_time (context,
+			       *client_realm,
+			       "renew_lifetime",
+			       0);
+    if (tmp)
+	cred->times.renew_till = now + tmp;
+
+    if (in_tkt_service) {
+	krb5_realm server_realm;
+
+	ret = krb5_parse_name (context, in_tkt_service, &cred->server);
+	if (ret)
+	    goto out;
+	server_realm = strdup (*client_realm);
+	free (cred->server->realm);
+	krb5_princ_set_realm (context, cred->server, &server_realm);
+    } else {
+	ret = krb5_make_principal(context, &cred->server, 
+				  *client_realm, KRB5_TGS_NAME, *client_realm,
+				  NULL);
+	if (ret)
+	    goto out;
+    }
+    return 0;
+
+out:
+    krb5_free_creds_contents (context, cred);
+    return ret;
+}
+
+/*
+ * Parse the last_req data and show it to the user if it's interesting
+ */
+
+static void
+print_expire (krb5_context context,
+	      krb5_realm *realm,
+	      krb5_kdc_rep *rep,
+	      krb5_prompter_fct prompter,
+	      krb5_data *data)
+{
+    int i;
+    LastReq *lr = &rep->enc_part.last_req;
+    krb5_timestamp sec;
+    time_t t;
+
+    krb5_timeofday (context, &sec);
+
+    t = sec + get_config_time (context,
+			       *realm,
+			       "warn_pwexpire",
+			       7 * 24 * 60 * 60);
+
+    for (i = 0; i < lr->len; ++i) {
+	if (abs(lr->val[i].lr_type) == LR_PW_EXPTIME
+	    && lr->val[i].lr_value <= t) {
+	    char *p;
+	    time_t tmp = lr->val[i].lr_value;
+	    
+	    asprintf (&p, "Your password will expire at %s", ctime(&tmp));
+	    (*prompter) (context, data, NULL, p, 0, NULL);
+	    free (p);
+	    return;
+	}
+    }
+
+    if (rep->enc_part.key_expiration
+	&& *rep->enc_part.key_expiration <= t) {
+	char *p;
+	time_t t = *rep->enc_part.key_expiration;
+
+	asprintf (&p, "Your password/account will expire at %s", ctime(&t));
+	(*prompter) (context, data, NULL, p, 0, NULL);
+	free (p);
+    }
+}
+
+static krb5_error_code
+get_init_creds_common(krb5_context context,
+		      krb5_creds *creds,
+		      krb5_principal client,
+		      krb5_deltat start_time,
+		      const char *in_tkt_service,
+		      krb5_get_init_creds_opt *options,
+		      krb5_addresses **addrs,
+		      krb5_enctype **etypes,
+		      krb5_creds *cred,
+		      krb5_preauthtype **pre_auth_types,
+		      krb5_kdc_flags *flags)
+{
+    krb5_error_code ret;
+    krb5_realm *client_realm;
+    krb5_get_init_creds_opt default_opt;
+
+    if (options == NULL) {
+	krb5_get_init_creds_opt_init (&default_opt);
+	options = &default_opt;
+    }
+
+    ret = init_cred (context, cred, client, start_time,
+		     in_tkt_service, options);
+    if (ret)
+	return ret;
+
+    client_realm = krb5_princ_realm (context, cred->client);
+
+    flags->i = 0;
+
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE)
+	flags->b.forwardable = options->forwardable;
+    else
+	flags->b.forwardable = get_config_bool (context,
+						*client_realm,
+						"forwardable");
+
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE)
+	flags->b.proxiable = options->proxiable;
+    else
+	flags->b.proxiable = get_config_bool (context,
+					      *client_realm,
+					      "proxiable");
+
+    if (start_time)
+	flags->b.postdated = 1;
+    if (cred->times.renew_till)
+	flags->b.renewable = 1;
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST)
+	*addrs = options->address_list;
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST) {
+	*etypes = malloc((options->etype_list_length + 1)
+			* sizeof(krb5_enctype));
+	if (*etypes == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	memcpy (*etypes, options->etype_list,
+		options->etype_list_length * sizeof(krb5_enctype));
+	(*etypes)[options->etype_list_length] = ETYPE_NULL;
+    }
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) {
+	*pre_auth_types = malloc((options->preauth_list_length + 1)
+				 * sizeof(krb5_preauthtype));
+	if (*pre_auth_types == NULL) {
+	    krb5_set_error_string(context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	memcpy (*pre_auth_types, options->preauth_list,
+		options->preauth_list_length * sizeof(krb5_preauthtype));
+	(*pre_auth_types)[options->preauth_list_length] = KRB5_PADATA_NONE;
+    }
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)
+	;			/* XXX */
+    if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS)
+	flags->b.request_anonymous = options->anonymous;
+    return 0;
+}
+
+static krb5_error_code
+change_password (krb5_context context,
+		 krb5_principal client,
+		 const char *password,
+		 char *newpw,
+		 size_t newpw_sz,
+		 krb5_prompter_fct prompter,
+		 void *data,
+		 krb5_get_init_creds_opt *old_options)
+{
+    krb5_prompt prompts[2];
+    krb5_error_code ret;
+    krb5_creds cpw_cred;
+    char buf1[BUFSIZ], buf2[BUFSIZ];
+    krb5_data password_data;
+    int result_code;
+    krb5_data result_code_string;
+    krb5_data result_string;
+    char *p;
+    krb5_get_init_creds_opt options;
+
+    memset (&cpw_cred, 0, sizeof(cpw_cred));
+
+    krb5_get_init_creds_opt_init (&options);
+    krb5_get_init_creds_opt_set_tkt_life (&options, 60);
+    krb5_get_init_creds_opt_set_forwardable (&options, FALSE);
+    krb5_get_init_creds_opt_set_proxiable (&options, FALSE);
+    if (old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)
+	krb5_get_init_creds_opt_set_preauth_list (&options,
+						  old_options->preauth_list,
+						  old_options->preauth_list_length);					      
+
+    krb5_data_zero (&result_code_string);
+    krb5_data_zero (&result_string);
+
+    ret = krb5_get_init_creds_password (context,
+					&cpw_cred,
+					client,
+					password,
+					prompter,
+					data,
+					0,
+					"kadmin/changepw",
+					&options);
+    if (ret)
+	goto out;
+
+    for(;;) {
+	password_data.data   = buf1;
+	password_data.length = sizeof(buf1);
+
+	prompts[0].hidden = 1;
+	prompts[0].prompt = "New password: ";
+	prompts[0].reply  = &password_data;
+	prompts[0].type   = KRB5_PROMPT_TYPE_NEW_PASSWORD;
+
+	password_data.data   = buf2;
+	password_data.length = sizeof(buf2);
+
+	prompts[1].hidden = 1;
+	prompts[1].prompt = "Repeat new password: ";
+	prompts[1].reply  = &password_data;
+	prompts[1].type   = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN;
+
+	ret = (*prompter) (context, data, NULL, "Changing password",
+			   2, prompts);
+	if (ret) {
+	    memset (buf1, 0, sizeof(buf1));
+	    memset (buf2, 0, sizeof(buf2));
+	    goto out;
+	}
+
+	if (strcmp (buf1, buf2) == 0)
+	    break;
+	memset (buf1, 0, sizeof(buf1));
+	memset (buf2, 0, sizeof(buf2));
+    }
+    
+    ret = krb5_change_password (context,
+				&cpw_cred,
+				buf1,
+				&result_code,
+				&result_code_string,
+				&result_string);
+    if (ret)
+	goto out;
+    asprintf (&p, "%s: %.*s\n",
+	      result_code ? "Error" : "Success",
+	      (int)result_string.length,
+	      (char*)result_string.data);
+
+    ret = (*prompter) (context, data, NULL, p, 0, NULL);
+    free (p);
+    if (result_code == 0) {
+	strlcpy (newpw, buf1, newpw_sz);
+	ret = 0;
+    } else {
+	krb5_set_error_string (context, "failed changing password");
+	ret = ENOTTY;
+    }
+
+out:
+    memset (buf1, 0, sizeof(buf1));
+    memset (buf2, 0, sizeof(buf2));
+    krb5_data_free (&result_string);
+    krb5_data_free (&result_code_string);
+    krb5_free_creds_contents (context, &cpw_cred);
+    return ret;
+}
+
+krb5_error_code
+krb5_get_init_creds_password(krb5_context context,
+			     krb5_creds *creds,
+			     krb5_principal client,
+			     const char *password,
+			     krb5_prompter_fct prompter,
+			     void *data,
+			     krb5_deltat start_time,
+			     const char *in_tkt_service,
+			     krb5_get_init_creds_opt *options)
+{
+    krb5_error_code ret;
+    krb5_kdc_flags flags;
+    krb5_addresses *addrs = NULL;
+    krb5_enctype *etypes = NULL;
+    krb5_preauthtype *pre_auth_types = NULL;
+    krb5_creds this_cred;
+    krb5_kdc_rep kdc_reply;
+    char buf[BUFSIZ];
+    krb5_data password_data;
+    int done;
+
+    ret = get_init_creds_common(context, creds, client, start_time,
+				in_tkt_service, options,
+				&addrs, &etypes, &this_cred, &pre_auth_types,
+				&flags);
+    if(ret)
+	goto out;
+
+    if (password == NULL) {
+	krb5_prompt prompt;
+	char *p;
+
+	krb5_unparse_name (context, this_cred.client, &p);
+	asprintf (&prompt.prompt, "%s's Password: ", p);
+	free (p);
+	password_data.data   = buf;
+	password_data.length = sizeof(buf);
+	prompt.hidden = 1;
+	prompt.reply  = &password_data;
+	prompt.type   = KRB5_PROMPT_TYPE_PASSWORD;
+
+	ret = (*prompter) (context, data, NULL, NULL, 1, &prompt);
+	free (prompt.prompt);
+	if (ret) {
+	    memset (buf, 0, sizeof(buf));
+	    ret = KRB5_LIBOS_PWDINTR;
+	    krb5_clear_error_string (context);
+	    goto out;
+	}
+	password = password_data.data;
+    }
+
+    done = 0;
+    while(!done) {
+	memset(&kdc_reply, 0, sizeof(kdc_reply));
+	ret = krb5_get_in_cred (context,
+				flags.i,
+				addrs,
+				etypes,
+				pre_auth_types,
+				NULL,
+				krb5_password_key_proc,
+				password,
+				NULL,
+				NULL,
+				&this_cred,
+				&kdc_reply);
+	switch (ret) {
+	case 0 :
+	    done = 1;
+	    break;
+	case KRB5KDC_ERR_KEY_EXPIRED :
+	    /* try to avoid recursion */
+
+	    krb5_clear_error_string (context);
+
+	    if (in_tkt_service != NULL
+		&& strcmp (in_tkt_service, "kadmin/changepw") == 0)
+		goto out;
+
+	    ret = change_password (context,
+				   client,
+				   password,
+				   buf,
+				   sizeof(buf),
+				   prompter,
+				   data,
+				   options);
+	    if (ret)
+		goto out;
+	    password = buf;
+	    break;
+	default:
+	    goto out;
+	}
+    }
+
+    if (prompter)
+	print_expire (context,
+		      krb5_princ_realm (context, this_cred.client),
+		      &kdc_reply,
+		      prompter,
+		      data);
+out:
+    memset (buf, 0, sizeof(buf));
+    if (ret == 0)
+	krb5_free_kdc_rep (context, &kdc_reply);
+
+    free (pre_auth_types);
+    free (etypes);
+    if (ret == 0 && creds)
+	*creds = this_cred;
+    else
+	krb5_free_creds_contents (context, &this_cred);
+    return ret;
+}
+
+krb5_error_code
+krb5_keyblock_key_proc (krb5_context context,
+			krb5_keytype type,
+			krb5_data *salt,
+			krb5_const_pointer keyseed,
+			krb5_keyblock **key)
+{
+    return krb5_copy_keyblock (context, keyseed, key);
+}
+
+krb5_error_code
+krb5_get_init_creds_keytab(krb5_context context,
+			   krb5_creds *creds,
+			   krb5_principal client,
+			   krb5_keytab keytab,
+			   krb5_deltat start_time,
+			   const char *in_tkt_service,
+			   krb5_get_init_creds_opt *options)
+{
+    krb5_error_code ret;
+    krb5_kdc_flags flags;
+    krb5_addresses *addrs = NULL;
+    krb5_enctype *etypes = NULL;
+    krb5_preauthtype *pre_auth_types = NULL;
+    krb5_creds this_cred;
+    krb5_keytab_key_proc_args *a;
+    
+    ret = get_init_creds_common(context, creds, client, start_time,
+				in_tkt_service, options,
+				&addrs, &etypes, &this_cred, &pre_auth_types,
+				&flags);
+    if(ret)
+	goto out;
+
+    a = malloc (sizeof(*a));
+    if (a == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+    a->principal = this_cred.client;
+    a->keytab    = keytab;
+
+    ret = krb5_get_in_cred (context,
+			    flags.i,
+			    addrs,
+			    etypes,
+			    pre_auth_types,
+			    NULL,
+			    krb5_keytab_key_proc,
+			    a,
+			    NULL,
+			    NULL,
+			    &this_cred,
+			    NULL);
+    if (ret)
+	goto out;
+    free (pre_auth_types);
+    free (etypes);
+    if (creds)
+	*creds = this_cred;
+    else
+	krb5_free_creds_contents (context, &this_cred);
+    return 0;
+
+out:
+    free (pre_auth_types);
+    free (etypes);
+    krb5_free_creds_contents (context, &this_cred);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/kerberos.8 b/crypto/heimdal/lib/krb5/kerberos.8
new file mode 100644
index 0000000..10f2dab
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/kerberos.8
@@ -0,0 +1,73 @@
+.\" $Id: kerberos.8,v 1.2 2001/05/02 08:59:23 assar Exp $
+.\"
+.Dd September 1, 2000
+.Dt KERBEROS 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kerberos
+.Nd introduction to the Kerberos system
+.Sh DESCRIPTION
+Kerberos is a network authentication system. It's purpose is to
+securely authenticate users and services in an insecure network
+environment. 
+.Pp
+This is done with a Kerberos server acting as a trusted third party,
+keeping a database with secret keys for all users and services
+(collectively called
+.Em principals ) .
+.Pp
+Each principal belongs to exactly one 
+.Em realm ,
+which is the administrative domain in Kerberos. A realm usually
+corresponds to an organisation, and the realm should normally be
+derived from that organisation's domain name. A realm is served by one
+or more Kerberos servers.
+.Pp
+The authentication process involves exchange of
+.Sq tickets
+and 
+.Sq authenticators 
+which together prove the principal's identity.
+.Pp
+When you login to the Kerberos system, either through the normal
+system login or with the
+.Xr kinit 1
+program, you acquire a 
+.Em ticket granting ticket
+which allows you to get new tickets for other services, such as
+.Ic telnet
+or
+.Ic ftp ,
+without giving your password.
+.Pp
+For more information on how Kerberos works, and other general Kerberos
+questions see the Kerberos FAQ at
+.Pa http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html .
+.Pp
+For setup instructions see the Heimdal Texinfo manual.
+.Sh SEE ALSO
+.Xr ftp 1
+.Xr kdestroy 1 ,
+.Xr kinit 1 ,
+.Xr klist 1 ,
+.Xr kpasswd 1 ,
+.Xr telnet 1
+.Sh HISTORY
+The Kerberos authentication system was developed in the late 1980's as
+part of the Athena Project at the Massachusetts Institute of
+Technology. Versions one through three never reached outside MIT, but
+version 4 was (and still is) quite popular, especially in the academic
+community, but is also used in commercial products like the AFS
+filesystem.
+.Pp
+The problems with version 4 are that it has many limitations, the code
+was not too well written (since it had been developed over a long
+time), and it has a number of known security problems. To resolve many
+of these issues work on version five started, and resulted in IETF
+RFC1510 in 1993. Since then much work has been put into the further
+development, and a new RFC will hopefully appear soon.
+.Pp
+This manual manual page is part of the
+.Nm Heimdal
+Kerberos 5 distribution, which has been in development at the Royal
+Institute of Technology in Stockholm, Sweden, since about 1997.
diff --git a/crypto/heimdal/lib/krb5/keyblock.c b/crypto/heimdal/lib/krb5/keyblock.c
new file mode 100644
index 0000000..7eb7067
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keyblock.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keyblock.c,v 1.12 2001/05/14 06:14:48 assar Exp $");
+
+void
+krb5_free_keyblock_contents(krb5_context context,
+			    krb5_keyblock *keyblock)
+{
+    if(keyblock) {
+	if (keyblock->keyvalue.data != NULL)
+	    memset(keyblock->keyvalue.data, 0, keyblock->keyvalue.length);
+	krb5_data_free (&keyblock->keyvalue);
+    }
+}
+
+void
+krb5_free_keyblock(krb5_context context,
+		   krb5_keyblock *keyblock)
+{
+    if(keyblock){
+	krb5_free_keyblock_contents(context, keyblock);
+	free(keyblock);
+    }
+}
+
+krb5_error_code
+krb5_copy_keyblock_contents (krb5_context context,
+			     const krb5_keyblock *inblock,
+			     krb5_keyblock *to)
+{
+    return copy_EncryptionKey(inblock, to);
+}
+
+krb5_error_code
+krb5_copy_keyblock (krb5_context context,
+		    const krb5_keyblock *inblock,
+		    krb5_keyblock **to)
+{
+    krb5_keyblock *k;
+
+    k = malloc (sizeof(*k));
+    if (k == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    *to = k;
+    return krb5_copy_keyblock_contents (context, inblock, k);
+}
diff --git a/crypto/heimdal/lib/krb5/keytab.c b/crypto/heimdal/lib/krb5/keytab.c
new file mode 100644
index 0000000..bde443a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab.c
@@ -0,0 +1,459 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab.c,v 1.50 2001/05/14 06:14:48 assar Exp $");
+
+/*
+ * Register a new keytab in `ops'
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_register(krb5_context context,
+		 const krb5_kt_ops *ops)
+{
+    struct krb5_keytab_data *tmp;
+
+    tmp = realloc(context->kt_types,
+		  (context->num_kt_types + 1) * sizeof(*context->kt_types));
+    if(tmp == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memcpy(&tmp[context->num_kt_types], ops,
+	   sizeof(tmp[context->num_kt_types]));
+    context->kt_types = tmp;
+    context->num_kt_types++;
+    return 0;
+}
+
+/*
+ * Resolve the keytab name (of the form `type:residual') in `name'
+ * into a keytab in `id'.
+ * Return 0 or an error
+ */
+
+krb5_error_code
+krb5_kt_resolve(krb5_context context,
+		const char *name,
+		krb5_keytab *id)
+{
+    krb5_keytab k;
+    int i;
+    const char *type, *residual;
+    size_t type_len;
+    krb5_error_code ret;
+
+    residual = strchr(name, ':');
+    if(residual == NULL) {
+	type = "FILE";
+	type_len = strlen(type);
+	residual = name;
+    } else {
+	type = name;
+	type_len = residual - name;
+	residual++;
+    }
+    
+    for(i = 0; i < context->num_kt_types; i++) {
+	if(strncmp(type, context->kt_types[i].prefix, type_len) == 0)
+	    break;
+    }
+    if(i == context->num_kt_types) {
+	krb5_set_error_string(context, "unknown keytab type %.*s", 
+			      (int)type_len, type);
+	return KRB5_KT_UNKNOWN_TYPE;
+    }
+    
+    k = malloc (sizeof(*k));
+    if (k == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memcpy(k, &context->kt_types[i], sizeof(*k));
+    k->data = NULL;
+    ret = (*k->resolve)(context, residual, k);
+    if(ret) {
+	free(k);
+	k = NULL;
+    }
+    *id = k;
+    return ret;
+}
+
+/*
+ * copy the name of the default keytab into `name'.
+ * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
+ */
+
+krb5_error_code
+krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
+{
+    if (strlcpy (name, context->default_keytab, namesize) >= namesize) {
+	krb5_clear_error_string (context);
+	return KRB5_CONFIG_NOTENUFSPACE;
+    }
+    return 0;
+}
+
+/*
+ * copy the name of the default modify keytab into `name'.
+ * Return 0 or KRB5_CONFIG_NOTENUFSPACE if `namesize' is too short.
+ */
+
+krb5_error_code
+krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
+{
+    if (strlcpy (name, context->default_keytab_modify, namesize) >= namesize) {
+	krb5_clear_error_string (context);
+	return KRB5_CONFIG_NOTENUFSPACE;
+    }
+    return 0;
+}
+
+/*
+ * Set `id' to the default keytab.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_default(krb5_context context, krb5_keytab *id)
+{
+    return krb5_kt_resolve (context, context->default_keytab, id);
+}
+
+/*
+ * Read the key identified by `(principal, vno, enctype)' from the
+ * keytab in `keyprocarg' (the default if == NULL) into `*key'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_read_service_key(krb5_context context,
+			 krb5_pointer keyprocarg,
+			 krb5_principal principal,
+			 krb5_kvno vno,
+			 krb5_enctype enctype,
+			 krb5_keyblock **key)
+{
+    krb5_keytab keytab;
+    krb5_keytab_entry entry;
+    krb5_error_code ret;
+
+    if (keyprocarg)
+	ret = krb5_kt_resolve (context, keyprocarg, &keytab);
+    else
+	ret = krb5_kt_default (context, &keytab);
+
+    if (ret)
+	return ret;
+
+    ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry);
+    krb5_kt_close (context, keytab);
+    if (ret)
+	return ret;
+    ret = krb5_copy_keyblock (context, &entry.keyblock, key);
+    krb5_kt_free_entry(context, &entry);
+    return ret;
+}
+
+/*
+ * Retrieve the name of the keytab `keytab' into `name', `namesize'
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_get_name(krb5_context context, 
+		 krb5_keytab keytab,
+		 char *name,
+		 size_t namesize)
+{
+    return (*keytab->get_name)(context, keytab, name, namesize);
+}
+
+/*
+ * Finish using the keytab in `id'.  All resources will be released.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_close(krb5_context context, 
+	      krb5_keytab id)
+{
+    krb5_error_code ret;
+
+    ret = (*id->close)(context, id);
+    if(ret == 0)
+	free(id);
+    return ret;
+}
+
+/*
+ * Compare `entry' against `principal, vno, enctype'.
+ * Any of `principal, vno, enctype' might be 0 which acts as a wildcard.
+ * Return TRUE if they compare the same, FALSE otherwise.
+ */
+
+krb5_boolean
+krb5_kt_compare(krb5_context context,
+		krb5_keytab_entry *entry, 
+		krb5_const_principal principal,
+		krb5_kvno vno,
+		krb5_enctype enctype)
+{
+    if(principal != NULL && 
+       !krb5_principal_compare(context, entry->principal, principal))
+	return FALSE;
+    if(vno && vno != entry->vno)
+	return FALSE;
+    if(enctype && enctype != entry->keyblock.keytype)
+	return FALSE;
+    return TRUE;
+}
+
+/*
+ * Retrieve the keytab entry for `principal, kvno, enctype' into `entry'
+ * from the keytab `id'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_get_entry(krb5_context context,
+		  krb5_keytab id,
+		  krb5_const_principal principal,
+		  krb5_kvno kvno,
+		  krb5_enctype enctype,
+		  krb5_keytab_entry *entry)
+{
+    krb5_keytab_entry tmp;
+    krb5_error_code ret;
+    krb5_kt_cursor cursor;
+
+    if(id->get)
+	return (*id->get)(context, id, principal, kvno, enctype, entry);
+
+    ret = krb5_kt_start_seq_get (context, id, &cursor);
+    if (ret)
+	return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */
+
+    entry->vno = 0;
+    while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) {
+	if (krb5_kt_compare(context, &tmp, principal, 0, enctype)) {
+	    if (kvno == tmp.vno) {
+		krb5_kt_copy_entry_contents (context, &tmp, entry);
+		krb5_kt_free_entry (context, &tmp);
+		krb5_kt_end_seq_get(context, id, &cursor);
+		return 0;
+	    } else if (kvno == 0 && tmp.vno > entry->vno) {
+		if (entry->vno)
+		    krb5_kt_free_entry (context, entry);
+		krb5_kt_copy_entry_contents (context, &tmp, entry);
+	    }
+	}
+	krb5_kt_free_entry(context, &tmp);
+    }
+    krb5_kt_end_seq_get (context, id, &cursor);
+    if (entry->vno) {
+	return 0;
+    } else {
+	char princ[256], kt_name[256];
+
+	krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
+	krb5_kt_get_name (context, id, kt_name, sizeof(kt_name));
+
+	krb5_set_error_string (context,
+ 			       "failed to find %s in keytab %s",
+			       princ, kt_name);
+	return KRB5_KT_NOTFOUND;
+    }
+}
+
+/*
+ * Copy the contents of `in' into `out'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_copy_entry_contents(krb5_context context,
+			    const krb5_keytab_entry *in,
+			    krb5_keytab_entry *out)
+{
+    krb5_error_code ret;
+
+    memset(out, 0, sizeof(*out));
+    out->vno = in->vno;
+
+    ret = krb5_copy_principal (context, in->principal, &out->principal);
+    if (ret)
+	goto fail;
+    ret = krb5_copy_keyblock_contents (context,
+				       &in->keyblock,
+				       &out->keyblock);
+    if (ret)
+	goto fail;
+    out->timestamp = in->timestamp;
+    return 0;
+fail:
+    krb5_kt_free_entry (context, out);
+    return ret;
+}
+
+/*
+ * Free the contents of `entry'.
+ */
+
+krb5_error_code
+krb5_kt_free_entry(krb5_context context,
+		   krb5_keytab_entry *entry)
+{
+  krb5_free_principal (context, entry->principal);
+  krb5_free_keyblock_contents (context, &entry->keyblock);
+  return 0;
+}
+
+#if 0
+static int
+xxxlock(int fd, int write)
+{
+    if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) {
+	sleep(1);
+	if(flock(fd, (write ? LOCK_EX : LOCK_SH) | LOCK_NB) < 0) 
+	    return -1;
+    }
+    return 0;
+}
+
+static void
+xxxunlock(int fd)
+{
+    flock(fd, LOCK_UN);
+}
+#endif
+
+/*
+ * Set `cursor' to point at the beginning of `id'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_start_seq_get(krb5_context context,
+		      krb5_keytab id,
+		      krb5_kt_cursor *cursor)
+{
+    if(id->start_seq_get == NULL) {
+	krb5_set_error_string(context,
+			      "start_seq_get is not supported in the %s "
+			      " keytab", id->prefix);
+	return HEIM_ERR_OPNOTSUPP;
+    }
+    return (*id->start_seq_get)(context, id, cursor);
+}
+
+/*
+ * Get the next entry from `id' pointed to by `cursor' and advance the
+ * `cursor'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_next_entry(krb5_context context,
+		   krb5_keytab id,
+		   krb5_keytab_entry *entry,
+		   krb5_kt_cursor *cursor)
+{
+    if(id->next_entry == NULL) {
+	krb5_set_error_string(context,
+			      "next_entry is not supported in the %s "
+			      " keytab", id->prefix);
+	return HEIM_ERR_OPNOTSUPP;
+    }
+    return (*id->next_entry)(context, id, entry, cursor);
+}
+
+/*
+ * Release all resources associated with `cursor'.
+ */
+
+krb5_error_code
+krb5_kt_end_seq_get(krb5_context context,
+		    krb5_keytab id,
+		    krb5_kt_cursor *cursor)
+{
+    if(id->end_seq_get == NULL) {
+	krb5_set_error_string(context,
+			      "end_seq_get is not supported in the %s "
+			      " keytab", id->prefix);
+	return HEIM_ERR_OPNOTSUPP;
+    }
+    return (*id->end_seq_get)(context, id, cursor);
+}
+
+/*
+ * Add the entry in `entry' to the keytab `id'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_add_entry(krb5_context context,
+		  krb5_keytab id,
+		  krb5_keytab_entry *entry)
+{
+    if(id->add == NULL) {
+	krb5_set_error_string(context, "Add is not supported in the %s keytab",
+			      id->prefix);
+	return KRB5_KT_NOWRITE;
+    }
+    entry->timestamp = time(NULL);
+    return (*id->add)(context, id,entry);
+}
+
+/*
+ * Remove the entry `entry' from the keytab `id'.
+ * Return 0 or an error.
+ */
+
+krb5_error_code
+krb5_kt_remove_entry(krb5_context context,
+		     krb5_keytab id,
+		     krb5_keytab_entry *entry)
+{
+    if(id->remove == NULL) {
+	krb5_set_error_string(context,
+			      "Remove is not supported in the %s keytab",
+			      id->prefix);
+	return KRB5_KT_NOWRITE;
+    }
+    return (*id->remove)(context, id, entry);
+}
diff --git a/crypto/heimdal/lib/krb5/keytab_any.c b/crypto/heimdal/lib/krb5/keytab_any.c
new file mode 100644
index 0000000..490a8f3
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab_any.c
@@ -0,0 +1,210 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab_any.c,v 1.2 2001/05/14 06:14:48 assar Exp $");
+
+struct any_data {
+    krb5_keytab kt;
+    char *name;
+    struct any_data *next;
+};
+
+static void
+free_list (struct any_data *a)
+{
+    struct any_data *next;
+
+    for (; a != NULL; a = next) {
+	next = a->next;
+	free (a->name);
+	free (a);
+    }
+}
+
+static krb5_error_code
+any_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    struct any_data *a, *a0 = NULL, *prev = NULL;
+    krb5_error_code ret;
+    char buf[256];
+
+    while (strsep_copy(&name, ",", buf, sizeof(buf)) != -1) {
+	a = malloc(sizeof(*a));
+	if (a == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	if (a0 == NULL) {
+	    a0 = a;
+	    a->name = strdup(name);
+	    if (a->name == NULL) {
+		krb5_set_error_string(context, "malloc: out of memory");
+		ret = ENOMEM;
+		goto fail;
+	    }
+	} else
+	    a->name = NULL;
+	if (prev != NULL)
+	    prev->next = a;
+	a->next = NULL;
+	ret = krb5_kt_resolve (context, buf, &a->kt);
+	if (ret)
+	    goto fail;
+	prev = a;
+    }
+    if (a0 == NULL) {
+	krb5_set_error_string(context, "empty ANY: keytab");
+	return ENOENT;
+    }
+    id->data = a0;
+    return 0;
+ fail:
+    free_list (a0);
+    return ret;
+}
+
+static krb5_error_code
+any_get_name (krb5_context context,
+	      krb5_keytab id,
+	      char *name,
+	      size_t namesize)
+{
+    struct any_data *a = id->data;
+    strlcpy(name, a->name, namesize);
+    return 0;
+}
+
+static krb5_error_code
+any_close (krb5_context context,
+	   krb5_keytab id)
+{
+    struct any_data *a = id->data;
+
+    free_list (a);
+    return 0;
+}
+
+struct any_cursor_extra_data {
+    struct any_data *a;
+    krb5_kt_cursor cursor;
+};
+
+static krb5_error_code
+any_start_seq_get(krb5_context context, 
+		  krb5_keytab id, 
+		  krb5_kt_cursor *c)
+{
+    struct any_data *a = id->data;
+    struct any_cursor_extra_data *ed;
+    krb5_error_code ret;
+
+    c->data = malloc (sizeof(struct any_cursor_extra_data));
+    if(c->data == NULL){
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    ed = (struct any_cursor_extra_data *)c->data;
+    ed->a = a;
+    ret = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
+    if (ret) {
+	free (ed);
+	free (c->data);
+	c->data = NULL;
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+static krb5_error_code
+any_next_entry (krb5_context context,
+		krb5_keytab id,
+		krb5_keytab_entry *entry,
+		krb5_kt_cursor *cursor)
+{
+    krb5_error_code ret, ret2;
+    struct any_cursor_extra_data *ed;
+
+    ed = (struct any_cursor_extra_data *)cursor->data;
+    do {
+	ret = krb5_kt_next_entry(context, ed->a->kt, entry, &ed->cursor);
+	if (ret == 0)
+	    return 0;
+	else if (ret == KRB5_CC_END) {
+	    ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor);
+	    if (ret2)
+		return ret2;
+	    ed->a = ed->a->next;
+	    if (ed->a == NULL) {
+		krb5_clear_error_string (context);
+		return KRB5_CC_END;
+	    }
+	    ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
+	    if (ret2)
+		return ret2;
+	} else
+	    return ret;
+    } while (ret == KRB5_CC_END);
+    return ret;
+}
+
+static krb5_error_code
+any_end_seq_get(krb5_context context,
+		krb5_keytab id,
+		krb5_kt_cursor *cursor)
+{
+    krb5_error_code ret = 0;
+    struct any_cursor_extra_data *ed;
+
+    ed = (struct any_cursor_extra_data *)cursor->data;
+    if (ed->a != NULL)
+	ret = krb5_kt_end_seq_get(context, ed->a->kt, &ed->cursor);
+    free (ed);
+    cursor->data = NULL;
+    return ret;
+}
+
+const krb5_kt_ops krb5_any_ops = {
+    "ANY",
+    any_resolve,
+    any_get_name,
+    any_close,
+    NULL, /* get */
+    any_start_seq_get,
+    any_next_entry,
+    any_end_seq_get,
+    NULL, /* add_entry */
+    NULL  /* remote_entry */
+};
diff --git a/crypto/heimdal/lib/krb5/keytab_file.c b/crypto/heimdal/lib/krb5/keytab_file.c
new file mode 100644
index 0000000..13b67c2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab_file.c
@@ -0,0 +1,574 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab_file.c,v 1.8 2001/05/14 06:14:48 assar Exp $");
+
+#define KRB5_KT_VNO_1 1
+#define KRB5_KT_VNO_2 2
+#define KRB5_KT_VNO   KRB5_KT_VNO_2
+
+/* file operations -------------------------------------------- */
+
+struct fkt_data {
+    char *filename;
+};
+
+static krb5_error_code
+krb5_kt_ret_data(krb5_context context,
+		 krb5_storage *sp,
+		 krb5_data *data)
+{
+    int ret;
+    int16_t size;
+    ret = krb5_ret_int16(sp, &size);
+    if(ret)
+	return ret;
+    data->length = size;
+    data->data = malloc(size);
+    if (data->data == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    ret = sp->fetch(sp, data->data, size);
+    if(ret != size)
+	return (ret < 0)? errno : KRB5_KT_END;
+    return 0;
+}
+
+static krb5_error_code
+krb5_kt_ret_string(krb5_context context,
+		   krb5_storage *sp,
+		   general_string *data)
+{
+    int ret;
+    int16_t size;
+    ret = krb5_ret_int16(sp, &size);
+    if(ret)
+	return ret;
+    *data = malloc(size + 1);
+    if (*data == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    ret = sp->fetch(sp, *data, size);
+    (*data)[size] = '\0';
+    if(ret != size)
+	return (ret < 0)? errno : KRB5_KT_END;
+    return 0;
+}
+
+static krb5_error_code
+krb5_kt_store_data(krb5_context context,
+		   krb5_storage *sp,
+		   krb5_data data)
+{
+    int ret;
+    ret = krb5_store_int16(sp, data.length);
+    if(ret < 0)
+	return ret;
+    ret = sp->store(sp, data.data, data.length);
+    if(ret != data.length){
+	if(ret < 0)
+	    return errno;
+	return KRB5_KT_END;
+    }
+    return 0;
+}
+
+static krb5_error_code
+krb5_kt_store_string(krb5_storage *sp,
+		     general_string data)
+{
+    int ret;
+    size_t len = strlen(data);
+    ret = krb5_store_int16(sp, len);
+    if(ret < 0)
+	return ret;
+    ret = sp->store(sp, data, len);
+    if(ret != len){
+	if(ret < 0)
+	    return errno;
+	return KRB5_KT_END;
+    }
+    return 0;
+}
+
+static krb5_error_code
+krb5_kt_ret_keyblock(krb5_context context, krb5_storage *sp, krb5_keyblock *p)
+{
+    int ret;
+    int16_t tmp;
+
+    ret = krb5_ret_int16(sp, &tmp); /* keytype + etype */
+    if(ret) return ret;
+    p->keytype = tmp;
+    ret = krb5_kt_ret_data(context, sp, &p->keyvalue);
+    return ret;
+}
+
+static krb5_error_code
+krb5_kt_store_keyblock(krb5_context context,
+		       krb5_storage *sp, 
+		       krb5_keyblock *p)
+{
+    int ret;
+
+    ret = krb5_store_int16(sp, p->keytype); /* keytype + etype */
+    if(ret) return ret;
+    ret = krb5_kt_store_data(context, sp, p->keyvalue);
+    return ret;
+}
+
+
+static krb5_error_code
+krb5_kt_ret_principal(krb5_context context,
+		      krb5_storage *sp,
+		      krb5_principal *princ)
+{
+    int i;
+    int ret;
+    krb5_principal p;
+    int16_t tmp;
+    
+    ALLOC(p, 1);
+    if(p == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    ret = krb5_ret_int16(sp, &tmp);
+    if(ret)
+	return ret;
+    if (sp->flags & KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)
+	tmp--;
+    p->name.name_string.len = tmp;
+    ret = krb5_kt_ret_string(context, sp, &p->realm);
+    if(ret)
+	return ret;
+    p->name.name_string.val = calloc(p->name.name_string.len, 
+				     sizeof(*p->name.name_string.val));
+    if(p->name.name_string.val == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    for(i = 0; i < p->name.name_string.len; i++){
+	ret = krb5_kt_ret_string(context, sp, p->name.name_string.val + i);
+	if(ret)
+	    return ret;
+    }
+    if (krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE))
+	p->name.name_type = KRB5_NT_UNKNOWN;
+    else {
+	int32_t tmp32;
+	ret = krb5_ret_int32(sp, &tmp32);
+	p->name.name_type = tmp32;
+	if (ret)
+	    return ret;
+    }
+    *princ = p;
+    return 0;
+}
+
+static krb5_error_code
+krb5_kt_store_principal(krb5_context context,
+			krb5_storage *sp,
+			krb5_principal p)
+{
+    int i;
+    int ret;
+    
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
+	ret = krb5_store_int16(sp, p->name.name_string.len + 1);
+    else
+	ret = krb5_store_int16(sp, p->name.name_string.len);
+    if(ret) return ret;
+    ret = krb5_kt_store_string(sp, p->realm);
+    if(ret) return ret;
+    for(i = 0; i < p->name.name_string.len; i++){
+	ret = krb5_kt_store_string(sp, p->name.name_string.val[i]);
+	if(ret)
+	    return ret;
+    }
+    if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
+	ret = krb5_store_int32(sp, p->name.name_type);
+	if(ret)
+	    return ret;
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+fkt_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    struct fkt_data *d;
+
+    d = malloc(sizeof(*d));
+    if(d == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    d->filename = strdup(name);
+    if(d->filename == NULL) {
+	free(d);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    id->data = d;
+    return 0;
+}
+
+static krb5_error_code
+fkt_close(krb5_context context, krb5_keytab id)
+{
+    struct fkt_data *d = id->data;
+    free(d->filename);
+    free(d);
+    return 0;
+}
+
+static krb5_error_code 
+fkt_get_name(krb5_context context, 
+	     krb5_keytab id, 
+	     char *name, 
+	     size_t namesize)
+{
+    /* This function is XXX */
+    struct fkt_data *d = id->data;
+    strlcpy(name, d->filename, namesize);
+    return 0;
+}
+
+static void
+storage_set_flags(krb5_context context, krb5_storage *sp, int vno)
+{
+    int flags = 0;
+    switch(vno) {
+    case KRB5_KT_VNO_1:
+	flags |= KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS;
+	flags |= KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE;
+	flags |= KRB5_STORAGE_HOST_BYTEORDER;
+	break;
+    case KRB5_KT_VNO_2:
+	break;
+    default:
+	krb5_abortx(context, 
+		    "storage_set_flags called with bad vno (%x)", vno);
+    }
+    krb5_storage_set_flags(sp, flags);
+}
+
+static krb5_error_code
+fkt_start_seq_get_int(krb5_context context, 
+		      krb5_keytab id, 
+		      int flags,
+		      krb5_kt_cursor *c)
+{
+    int8_t pvno, tag;
+    krb5_error_code ret;
+    struct fkt_data *d = id->data;
+    
+    c->fd = open (d->filename, flags);
+    if (c->fd < 0) {
+	ret = errno;
+	krb5_set_error_string(context, "open(%s): %s", d->filename,
+			      strerror(ret));
+	return ret;
+    }
+    c->sp = krb5_storage_from_fd(c->fd);
+    ret = krb5_ret_int8(c->sp, &pvno);
+    if(ret) {
+	krb5_storage_free(c->sp);
+	close(c->fd);
+	return ret;
+    }
+    if(pvno != 5) {
+	krb5_storage_free(c->sp);
+	close(c->fd);
+	krb5_clear_error_string (context);
+	return KRB5_KEYTAB_BADVNO;
+    }
+    ret = krb5_ret_int8(c->sp, &tag);
+    if (ret) {
+	krb5_storage_free(c->sp);
+	close(c->fd);
+	return ret;
+    }
+    id->version = tag;
+    storage_set_flags(context, c->sp, id->version);
+    return 0;
+}
+
+static krb5_error_code
+fkt_start_seq_get(krb5_context context, 
+		  krb5_keytab id, 
+		  krb5_kt_cursor *c)
+{
+    return fkt_start_seq_get_int(context, id, O_RDONLY | O_BINARY, c);
+}
+
+static krb5_error_code
+fkt_next_entry_int(krb5_context context, 
+		   krb5_keytab id, 
+		   krb5_keytab_entry *entry, 
+		   krb5_kt_cursor *cursor,
+		   off_t *start,
+		   off_t *end)
+{
+    int32_t len;
+    int ret;
+    int8_t tmp8;
+    int32_t tmp32;
+    off_t pos;
+
+    pos = cursor->sp->seek(cursor->sp, 0, SEEK_CUR);
+loop:
+    ret = krb5_ret_int32(cursor->sp, &len);
+    if (ret)
+	return ret;
+    if(len < 0) {
+	pos = cursor->sp->seek(cursor->sp, -len, SEEK_CUR);
+	goto loop;
+    }
+    ret = krb5_kt_ret_principal (context, cursor->sp, &entry->principal);
+    if (ret)
+	goto out;
+    ret = krb5_ret_int32(cursor->sp, &tmp32);
+    entry->timestamp = tmp32;
+    if (ret)
+	goto out;
+    ret = krb5_ret_int8(cursor->sp, &tmp8);
+    if (ret)
+	goto out;
+    entry->vno = tmp8;
+    ret = krb5_kt_ret_keyblock (context, cursor->sp, &entry->keyblock);
+    if (ret)
+	goto out;
+    if(start) *start = pos;
+    if(end) *end = *start + 4 + len;
+ out:
+    cursor->sp->seek(cursor->sp, pos + 4 + len, SEEK_SET);
+    return ret;
+}
+
+static krb5_error_code
+fkt_next_entry(krb5_context context, 
+	       krb5_keytab id, 
+	       krb5_keytab_entry *entry, 
+	       krb5_kt_cursor *cursor)
+{
+    return fkt_next_entry_int(context, id, entry, cursor, NULL, NULL);
+}
+
+static krb5_error_code
+fkt_end_seq_get(krb5_context context, 
+		krb5_keytab id,
+		krb5_kt_cursor *cursor)
+{
+    krb5_storage_free(cursor->sp);
+    close(cursor->fd);
+    return 0;
+}
+
+static krb5_error_code
+fkt_add_entry(krb5_context context,
+	      krb5_keytab id,
+	      krb5_keytab_entry *entry)
+{
+    int ret;
+    int fd;
+    krb5_storage *sp;
+    struct fkt_data *d = id->data;
+    krb5_data keytab;
+    int32_t len;
+    
+    fd = open (d->filename, O_RDWR | O_BINARY);
+    if (fd < 0) {
+	fd = open (d->filename, O_RDWR | O_CREAT | O_BINARY, 0600);
+	if (fd < 0) {
+	    ret = errno;
+	    krb5_set_error_string(context, "open(%s): %s", d->filename,
+				  strerror(ret));
+	    return ret;
+	}
+	sp = krb5_storage_from_fd(fd);
+	ret = krb5_store_int8(sp, 5);
+	if(ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+	if(id->version == 0)
+	    id->version = KRB5_KT_VNO;
+	ret = krb5_store_int8 (sp, id->version);
+	if (ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+	storage_set_flags(context, sp, id->version);
+    } else {
+	int8_t pvno, tag;
+	sp = krb5_storage_from_fd(fd);
+	ret = krb5_ret_int8(sp, &pvno);
+	if(ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+	if(pvno != 5) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    krb5_clear_error_string (context);
+	    return KRB5_KEYTAB_BADVNO;
+	}
+	ret = krb5_ret_int8 (sp, &tag);
+	if (ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+	id->version = tag;
+	storage_set_flags(context, sp, id->version);
+    }
+
+    {
+	krb5_storage *emem;
+	emem = krb5_storage_emem();
+	if(emem == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    goto out;
+	}
+	ret = krb5_kt_store_principal(context, emem, entry->principal);
+	if(ret) {
+	    krb5_storage_free(emem);
+	    goto out;
+	}
+	ret = krb5_store_int32 (emem, entry->timestamp);
+	if(ret) {
+	    krb5_storage_free(emem);
+	    goto out;
+	}
+	ret = krb5_store_int8 (emem, entry->vno);
+	if(ret) {
+	    krb5_storage_free(emem);
+	    goto out;
+	}
+	ret = krb5_kt_store_keyblock (context, emem, &entry->keyblock);
+	if(ret) {
+	    krb5_storage_free(emem);
+	    goto out;
+	}
+	ret = krb5_storage_to_data(emem, &keytab);
+	krb5_storage_free(emem);
+	if(ret)
+	    goto out;
+    }
+    
+    while(1) {
+	ret = krb5_ret_int32(sp, &len);
+	if(ret == KRB5_CC_END) {
+	    len = keytab.length;
+	    break;
+	}
+	if(len < 0) {
+	    len = -len;
+	    if(len >= keytab.length) {
+		sp->seek(sp, -4, SEEK_CUR);
+		break;
+	    }
+	}
+	sp->seek(sp, len, SEEK_CUR);
+    }
+    ret = krb5_store_int32(sp, len);
+    if(sp->store(sp, keytab.data, keytab.length) < 0)
+	ret = errno;
+    memset(keytab.data, 0, keytab.length);
+    krb5_data_free(&keytab);
+ out:
+    krb5_storage_free(sp);
+    close(fd);
+    return ret;
+}
+
+static krb5_error_code
+fkt_remove_entry(krb5_context context,
+		 krb5_keytab id,
+		 krb5_keytab_entry *entry)
+{
+    krb5_keytab_entry e;
+    krb5_kt_cursor cursor;
+    off_t pos_start, pos_end;
+    int found = 0;
+    
+    fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY, &cursor);
+    while(fkt_next_entry_int(context, id, &e, &cursor, 
+			     &pos_start, &pos_end) == 0) {
+	if(krb5_kt_compare(context, &e, entry->principal, 
+			   entry->vno, entry->keyblock.keytype)) {
+	    int32_t len;
+	    unsigned char buf[128];
+	    found = 1;
+	    cursor.sp->seek(cursor.sp, pos_start, SEEK_SET);
+	    len = pos_end - pos_start - 4;
+	    krb5_store_int32(cursor.sp, -len);
+	    memset(buf, 0, sizeof(buf));
+	    while(len > 0) {
+		cursor.sp->store(cursor.sp, buf, min(len, sizeof(buf)));
+		len -= min(len, sizeof(buf));
+	    }
+	}
+    }
+    krb5_kt_end_seq_get(context, id, &cursor);
+    if (!found) {
+	krb5_clear_error_string (context);
+	return KRB5_KT_NOTFOUND;
+    }
+    return 0;
+}
+
+const krb5_kt_ops krb5_fkt_ops = {
+    "FILE",
+    fkt_resolve,
+    fkt_get_name,
+    fkt_close,
+    NULL, /* get */
+    fkt_start_seq_get,
+    fkt_next_entry,
+    fkt_end_seq_get,
+    fkt_add_entry,
+    fkt_remove_entry
+};
diff --git a/crypto/heimdal/lib/krb5/keytab_keyfile.c b/crypto/heimdal/lib/krb5/keytab_keyfile.c
new file mode 100644
index 0000000..2403412
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab_keyfile.c
@@ -0,0 +1,391 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab_keyfile.c,v 1.11 2001/05/14 06:14:49 assar Exp $");
+
+/* afs keyfile operations --------------------------------------- */
+
+/*
+ * Minimum tools to handle the AFS KeyFile.
+ * 
+ * Format of the KeyFile is:
+ * <int32_t numkeys> {[<int32_t kvno> <char[8] deskey>] * numkeys}
+ *
+ * It just adds to the end of the keyfile, deleting isn't implemented.
+ * Use your favorite text/hex editor to delete keys.
+ *
+ */
+
+#define AFS_SERVERTHISCELL "/usr/afs/etc/ThisCell"
+#define AFS_SERVERMAGICKRBCONF "/usr/afs/etc/krb.conf"
+
+struct akf_data {
+    int num_entries;
+    char *filename;
+    char *cell;
+    char *realm;
+};
+
+/*
+ * set `d->cell' and `d->realm'
+ */
+
+static int
+get_cell_and_realm (krb5_context context,
+		    struct akf_data *d)
+{
+    FILE *f;
+    char buf[BUFSIZ], *cp;
+    int ret;
+
+    f = fopen (AFS_SERVERTHISCELL, "r");
+    if (f == NULL) {
+	ret = errno;
+	krb5_set_error_string (context, "open %s: %s", AFS_SERVERTHISCELL,
+			       strerror(ret));
+	return ret;
+    }
+    if (fgets (buf, sizeof(buf), f) == NULL) {
+	fclose (f);
+	krb5_set_error_string (context, "no cell in %s", AFS_SERVERTHISCELL);
+	return EINVAL;
+    }
+    if (buf[strlen(buf) - 1] == '\n')
+	buf[strlen(buf) - 1] = '\0';
+    fclose(f);
+
+    d->cell = strdup (buf);
+    if (d->cell == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    f = fopen (AFS_SERVERMAGICKRBCONF, "r");
+    if (f != NULL) {
+	if (fgets (buf, sizeof(buf), f) == NULL) {
+	    fclose (f);
+	    krb5_set_error_string (context, "no realm in %s",
+				   AFS_SERVERMAGICKRBCONF);
+	    return EINVAL;
+	}
+	if (buf[strlen(buf)-1] == '\n')
+	    buf[strlen(buf)-1] = '\0';
+	fclose(f);
+    }
+    /* uppercase */
+    for (cp = buf; *cp != '\0'; cp++)
+	*cp = toupper(*cp);
+    
+    d->realm = strdup (buf);
+    if (d->realm == NULL) {
+	free (d->cell);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+/*
+ * init and get filename
+ */
+
+static krb5_error_code
+akf_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    int ret;
+    struct akf_data *d = malloc(sizeof (struct akf_data));
+
+    if (d == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    
+    d->num_entries = 0;
+    ret = get_cell_and_realm (context, d);
+    if (ret) {
+	free (d);
+	return ret;
+    }
+    d->filename = strdup (name);
+    if (d->filename == NULL) {
+	free (d->cell);
+	free (d->realm);
+	free (d);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    id->data = d;
+    
+    return 0;
+}
+
+/*
+ * cleanup
+ */
+
+static krb5_error_code
+akf_close(krb5_context context, krb5_keytab id)
+{
+    struct akf_data *d = id->data;
+
+    free (d->filename);
+    free (d->cell);
+    free (d);
+    return 0;
+}
+
+/*
+ * Return filename
+ */
+
+static krb5_error_code 
+akf_get_name(krb5_context context, 
+	     krb5_keytab id, 
+	     char *name, 
+	     size_t name_sz)
+{
+    struct akf_data *d = id->data;
+
+    strlcpy (name, d->filename, name_sz);
+    return 0;
+}
+
+/*
+ * Init 
+ */
+
+static krb5_error_code
+akf_start_seq_get(krb5_context context, 
+		  krb5_keytab id, 
+		  krb5_kt_cursor *c)
+{
+    int32_t ret;
+    struct akf_data *d = id->data;
+
+    c->fd = open (d->filename, O_RDONLY|O_BINARY, 0600);
+    if (c->fd < 0) {
+	ret = errno;
+	krb5_set_error_string(context, "open(%s): %s", d->filename,
+			      strerror(ret));
+	return ret;
+    }
+
+    c->sp = krb5_storage_from_fd(c->fd);
+    ret = krb5_ret_int32(c->sp, &d->num_entries);
+    if(ret) {
+	krb5_storage_free(c->sp);
+	close(c->fd);
+	krb5_clear_error_string (context);
+	if(ret == KRB5_CC_END)
+	    return KRB5_KT_NOTFOUND;
+	return ret;
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+akf_next_entry(krb5_context context, 
+	       krb5_keytab id, 
+	       krb5_keytab_entry *entry, 
+	       krb5_kt_cursor *cursor)
+{
+    struct akf_data *d = id->data;
+    int32_t kvno;
+    off_t pos;
+    int ret;
+
+    pos = cursor->sp->seek(cursor->sp, 0, SEEK_CUR);
+
+    if ((pos - 4) / (4 + 8) >= d->num_entries)
+	return KRB5_KT_END;
+
+    ret = krb5_make_principal (context, &entry->principal,
+			       d->realm, "afs", d->cell, NULL);
+    if (ret)
+	goto out;
+
+    ret = krb5_ret_int32(cursor->sp, &kvno);
+    if (ret) {
+	krb5_free_principal (context, entry->principal);
+	goto out;
+    }
+
+    entry->vno = kvno;
+
+    entry->keyblock.keytype         = ETYPE_DES_CBC_MD5;
+    entry->keyblock.keyvalue.length = 8;
+    entry->keyblock.keyvalue.data   = malloc (8);
+    if (entry->keyblock.keyvalue.data == NULL) {
+	krb5_free_principal (context, entry->principal);
+	krb5_set_error_string (context, "malloc: out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+
+    ret = cursor->sp->fetch(cursor->sp, entry->keyblock.keyvalue.data, 8);
+    if(ret != 8)
+	ret = (ret < 0) ? errno : KRB5_KT_END;
+    else
+	ret = 0;
+
+    entry->timestamp = time(NULL);
+
+ out:
+    cursor->sp->seek(cursor->sp, pos + 4 + 8, SEEK_SET);
+    return ret;
+}
+
+static krb5_error_code
+akf_end_seq_get(krb5_context context, 
+		krb5_keytab id,
+		krb5_kt_cursor *cursor)
+{
+    krb5_storage_free(cursor->sp);
+    close(cursor->fd);
+    return 0;
+}
+
+static krb5_error_code
+akf_add_entry(krb5_context context,
+	      krb5_keytab id,
+	      krb5_keytab_entry *entry)
+{
+    struct akf_data *d = id->data;
+    int fd, created = 0;
+    krb5_error_code ret;
+
+    fd = open (d->filename, O_RDWR | O_BINARY);
+    if (fd < 0) {
+	fd = open (d->filename,
+		   O_RDWR | O_BINARY | O_CREAT, 0600);
+	if (fd < 0) {
+	    ret = errno;
+	    krb5_set_error_string(context, "open(%s): %s", d->filename,
+				  strerror(ret));
+	    return ret;
+	}
+	created = 1;
+    }
+
+    if (entry->keyblock.keyvalue.length == 8
+	&& entry->keyblock.keytype == ETYPE_DES_CBC_MD5) {
+
+	int32_t len;
+	krb5_storage *sp;
+
+	sp = krb5_storage_from_fd(fd);
+	if(sp == NULL) {
+	    close(fd);
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	if (created)
+	    len = 0;
+	else {
+	    if((*sp->seek)(sp, 0, SEEK_SET) < 0) {
+		ret = errno;
+		krb5_storage_free(sp);
+		close(fd);
+		krb5_set_error_string (context, "seek: %s", strerror(ret));
+		return ret;
+	    }
+	    
+	    ret = krb5_ret_int32(sp, &len);
+	    if(ret) {
+		krb5_storage_free(sp);
+		close(fd);
+		return ret;
+	    }
+	}
+	len++;
+	
+	if((*sp->seek)(sp, 0, SEEK_SET) < 0) {
+	    ret = errno;
+	    krb5_storage_free(sp);
+	    close(fd);
+	    krb5_set_error_string (context, "seek: %s", strerror(ret));
+	    return ret;
+	}
+	
+	ret = krb5_store_int32(sp, len);
+	if(ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+		
+
+	if((*sp->seek)(sp, (len - 1) * (8 + 4), SEEK_CUR) < 0) {
+	    ret = errno;
+	    krb5_storage_free(sp);
+	    close(fd);
+	    krb5_set_error_string (context, "seek: %s", strerror(ret));
+	    return ret;
+	}
+	
+	ret = krb5_store_int32(sp, entry->vno);
+	if(ret) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    return ret;
+	}
+	ret = sp->store(sp, entry->keyblock.keyvalue.data, 
+			entry->keyblock.keyvalue.length);
+	if(ret != entry->keyblock.keyvalue.length) {
+	    krb5_storage_free(sp);
+	    close(fd);
+	    if(ret < 0)
+		return errno;
+	    return ENOTTY;
+	}
+	krb5_storage_free(sp);
+    }
+    close (fd);
+    return 0;
+}
+
+const krb5_kt_ops krb5_akf_ops = {
+    "AFSKEYFILE",
+    akf_resolve,
+    akf_get_name,
+    akf_close,
+    NULL, /* get */
+    akf_start_seq_get,
+    akf_next_entry,
+    akf_end_seq_get,
+    akf_add_entry,
+    NULL /* remove */
+};
diff --git a/crypto/heimdal/lib/krb5/keytab_krb4.c b/crypto/heimdal/lib/krb5/keytab_krb4.c
new file mode 100644
index 0000000..6915cac
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab_krb4.c
@@ -0,0 +1,300 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab_krb4.c,v 1.8 2001/05/16 22:23:31 assar Exp $");
+
+struct krb4_kt_data {
+    char *filename;
+};
+
+static krb5_error_code
+krb4_kt_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    struct krb4_kt_data *d;
+
+    d = malloc (sizeof(*d));
+    if (d == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    d->filename = strdup (name);
+    if (d->filename == NULL) {
+	free(d);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    id->data = d;
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_get_name (krb5_context context,
+		  krb5_keytab id,
+		  char *name,
+		  size_t name_sz)
+{
+    struct krb4_kt_data *d = id->data;
+
+    strlcpy (name, d->filename, name_sz);
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_close (krb5_context context,
+	       krb5_keytab id)
+{
+    struct krb4_kt_data *d = id->data;
+
+    free (d->filename);
+    free (d);
+    return 0;
+}
+
+struct krb4_cursor_extra_data {
+    krb5_keytab_entry entry;
+    int num;
+};
+
+static krb5_error_code
+krb4_kt_start_seq_get_int (krb5_context context,
+			   krb5_keytab id,
+			   int flags,
+			   krb5_kt_cursor *c)
+{
+    struct krb4_kt_data *d = id->data;
+    struct krb4_cursor_extra_data *ed;
+    int ret;
+
+    ed = malloc (sizeof(*ed));
+    if (ed == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    ed->entry.principal = NULL;
+    ed->num = -1;
+    c->data = ed;
+    c->fd = open (d->filename, flags);
+    if (c->fd < 0) {
+	ret = errno;
+	free (ed);
+	krb5_set_error_string(context, "open(%s): %s", d->filename,
+			      strerror(ret));
+	return ret;
+    }
+    c->sp = krb5_storage_from_fd(c->fd);
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_start_seq_get (krb5_context context,
+		       krb5_keytab id,
+		       krb5_kt_cursor *c)
+{
+    return krb4_kt_start_seq_get_int (context, id, O_BINARY | O_RDONLY, c);
+}
+
+static krb5_error_code
+read_v4_entry (krb5_context context,
+	       struct krb4_kt_data *d,
+	       krb5_kt_cursor *c,
+	       struct krb4_cursor_extra_data *ed)
+{
+    krb5_error_code ret;
+    char *service, *instance, *realm;
+    int8_t kvno;
+    des_cblock key;
+
+    ret = krb5_ret_stringz(c->sp, &service);
+    if (ret)
+	return ret;
+    ret = krb5_ret_stringz(c->sp, &instance);
+    if (ret) {
+	free (service);
+	return ret;
+    }
+    ret = krb5_ret_stringz(c->sp, &realm);
+    if (ret) {
+	free (service);
+	free (instance);
+	return ret;
+    }
+    ret = krb5_425_conv_principal (context, service, instance, realm,
+				   &ed->entry.principal);
+    free (service);
+    free (instance);
+    free (realm);
+    if (ret)
+	return ret;
+    ret = krb5_ret_int8(c->sp, &kvno);
+    if (ret) {
+	krb5_free_principal (context, ed->entry.principal);
+	return ret;
+    }
+    ret = c->sp->fetch(c->sp, key, 8);
+    if (ret < 0) {
+	krb5_free_principal(context, ed->entry.principal);
+	return ret;
+    }
+    if (ret < 8) {
+	krb5_free_principal(context, ed->entry.principal);
+	return EINVAL;
+    }
+    ed->entry.vno = kvno;
+    ret = krb5_data_copy (&ed->entry.keyblock.keyvalue,
+			  key, 8);
+    if (ret)
+	return ret;
+    ed->entry.timestamp = time(NULL);
+    ed->num = 0;
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_next_entry (krb5_context context,
+		    krb5_keytab id,
+		    krb5_keytab_entry *entry,
+		    krb5_kt_cursor *c)
+{
+    krb5_error_code ret;
+    struct krb4_kt_data *d = id->data;
+    struct krb4_cursor_extra_data *ed = c->data;
+    const krb5_enctype keytypes[] = {ETYPE_DES_CBC_MD5,
+				     ETYPE_DES_CBC_MD4,
+				     ETYPE_DES_CBC_CRC};
+
+    if (ed->num == -1) {
+	ret = read_v4_entry (context, d, c, ed);
+	if (ret)
+	    return ret;
+    }
+    ret = krb5_kt_copy_entry_contents (context,
+				       &ed->entry,
+				       entry);
+    if (ret)
+	return ret;
+    entry->keyblock.keytype = keytypes[ed->num];
+    if (++ed->num == 3) {
+	krb5_kt_free_entry (context, &ed->entry);
+	ed->num = -1;
+    }
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_end_seq_get (krb5_context context,
+		     krb5_keytab id,
+		     krb5_kt_cursor *c)
+{
+    struct krb4_cursor_extra_data *ed = c->data;
+
+    krb5_storage_free (c->sp);
+    if (ed->num != -1)
+	krb5_kt_free_entry (context, &ed->entry);
+    free (c->data);
+    close (c->fd);
+    return 0;
+}
+
+static krb5_error_code
+krb4_kt_add_entry (krb5_context context,
+		   krb5_keytab id,
+		   krb5_keytab_entry *entry)
+{
+    struct krb4_kt_data *d = id->data;
+    krb5_error_code ret;
+    int fd;
+#define ANAME_SZ 40
+#define INST_SZ 40
+#define REALM_SZ 40
+    char service[ANAME_SZ];
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+    int8_t kvno;
+
+    fd = open (d->filename, O_WRONLY | O_APPEND | O_BINARY);
+    if (fd < 0) {
+	fd = open (d->filename,
+		   O_WRONLY | O_APPEND | O_BINARY | O_CREAT, 0600);
+	if (fd < 0) {
+	    ret = errno;
+	    krb5_set_error_string(context, "open(%s): %s", d->filename,
+				  strerror(ret));
+	    return ret;
+	}
+    }
+    ret = krb5_524_conv_principal (context, entry->principal,
+				   service, instance, realm);
+    if (ret) {
+	close (fd);
+	return ret;
+    }
+    if (entry->keyblock.keyvalue.length == 8
+	&& entry->keyblock.keytype == ETYPE_DES_CBC_MD5) {
+	write(fd, service, strlen(service)+1);
+	write(fd, instance, strlen(instance)+1);
+	write(fd, realm, strlen(realm)+1);
+	kvno = entry->vno;
+	write(fd, &kvno, sizeof(kvno));
+	write(fd, entry->keyblock.keyvalue.data, 8);
+    }
+    close (fd);
+    return 0;
+}
+
+const krb5_kt_ops krb4_fkt_ops = {
+    "krb4",
+    krb4_kt_resolve,
+    krb4_kt_get_name,
+    krb4_kt_close,
+    NULL,			/* get */
+    krb4_kt_start_seq_get,
+    krb4_kt_next_entry,
+    krb4_kt_end_seq_get,
+    krb4_kt_add_entry,		/* add_entry */
+    NULL			/* remove_entry */
+};
+
+const krb5_kt_ops krb5_srvtab_fkt_ops = {
+    "SRVTAB",
+    krb4_kt_resolve,
+    krb4_kt_get_name,
+    krb4_kt_close,
+    NULL,			/* get */
+    krb4_kt_start_seq_get,
+    krb4_kt_next_entry,
+    krb4_kt_end_seq_get,
+    krb4_kt_add_entry,		/* add_entry */
+    NULL			/* remove_entry */
+};
diff --git a/crypto/heimdal/lib/krb5/keytab_memory.c b/crypto/heimdal/lib/krb5/keytab_memory.c
new file mode 100644
index 0000000..cde8943
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab_memory.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab_memory.c,v 1.5 2001/05/14 06:14:49 assar Exp $");
+
+/* memory operations -------------------------------------------- */
+
+struct mkt_data {
+    krb5_keytab_entry *entries;
+    int num_entries;
+};
+
+static krb5_error_code
+mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    struct mkt_data *d;
+    d = malloc(sizeof(*d));
+    if(d == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    d->entries = NULL;
+    d->num_entries = 0;
+    id->data = d;
+    return 0;
+}
+
+static krb5_error_code
+mkt_close(krb5_context context, krb5_keytab id)
+{
+    struct mkt_data *d = id->data;
+    int i;
+    for(i = 0; i < d->num_entries; i++)
+	krb5_kt_free_entry(context, &d->entries[i]);
+    free(d->entries);
+    free(d);
+    return 0;
+}
+
+static krb5_error_code 
+mkt_get_name(krb5_context context, 
+	     krb5_keytab id, 
+	     char *name, 
+	     size_t namesize)
+{
+    strlcpy(name, "", namesize);
+    return 0;
+}
+
+static krb5_error_code
+mkt_start_seq_get(krb5_context context, 
+		  krb5_keytab id, 
+		  krb5_kt_cursor *c)
+{
+    /* XXX */
+    c->fd = 0;
+    return 0;
+}
+
+static krb5_error_code
+mkt_next_entry(krb5_context context, 
+	       krb5_keytab id, 
+	       krb5_keytab_entry *entry, 
+	       krb5_kt_cursor *c)
+{
+    struct mkt_data *d = id->data;
+    if(c->fd >= d->num_entries)
+	return KRB5_KT_END;
+    return krb5_kt_copy_entry_contents(context, &d->entries[c->fd++], entry);
+}
+
+static krb5_error_code
+mkt_end_seq_get(krb5_context context, 
+		krb5_keytab id,
+		krb5_kt_cursor *cursor)
+{
+    return 0;
+}
+
+static krb5_error_code
+mkt_add_entry(krb5_context context,
+	      krb5_keytab id,
+	      krb5_keytab_entry *entry)
+{
+    struct mkt_data *d = id->data;
+    krb5_keytab_entry *tmp;
+    tmp = realloc(d->entries, (d->num_entries + 1) * sizeof(*d->entries));
+    if(tmp == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    d->entries = tmp;
+    return krb5_kt_copy_entry_contents(context, entry, 
+				       &d->entries[d->num_entries++]);
+}
+
+static krb5_error_code
+mkt_remove_entry(krb5_context context,
+		 krb5_keytab id,
+		 krb5_keytab_entry *entry)
+{
+    struct mkt_data *d = id->data;
+    krb5_keytab_entry *e, *end;
+    
+    /* do this backwards to minimize copying */
+    for(end = d->entries + d->num_entries, e = end - 1; e >= d->entries; e--) {
+	if(krb5_kt_compare(context, e, entry->principal, 
+			   entry->vno, entry->keyblock.keytype)) {
+	    krb5_kt_free_entry(context, e);
+	    memmove(e, e + 1, (end - e - 1) * sizeof(*e));
+	    memset(end - 1, 0, sizeof(*end));
+	    d->num_entries--;
+	    end--;
+	}
+    }
+    e = realloc(d->entries, d->num_entries * sizeof(*d->entries));
+    if(e != NULL)
+	d->entries = e;
+    return 0;
+}
+
+const krb5_kt_ops krb5_mkt_ops = {
+    "MEMORY",
+    mkt_resolve,
+    mkt_get_name,
+    mkt_close,
+    NULL, /* get */
+    mkt_start_seq_get,
+    mkt_next_entry,
+    mkt_end_seq_get,
+    mkt_add_entry,
+    mkt_remove_entry
+};
diff --git a/crypto/heimdal/lib/krb5/krb5-private.h b/crypto/heimdal/lib/krb5/krb5-private.h
new file mode 100644
index 0000000..c653695
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5-private.h
@@ -0,0 +1,59 @@
+/* This is a generated file */
+#ifndef __krb5_private_h__
+#define __krb5_private_h__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+void
+_krb5_crc_init_table __P((void));
+
+u_int32_t
+_krb5_crc_update __P((
+	const char *p,
+	size_t len,
+	u_int32_t res));
+
+int
+_krb5_extract_ticket __P((
+	krb5_context context,
+	krb5_kdc_rep *rep,
+	krb5_creds *creds,
+	krb5_keyblock *key,
+	krb5_const_pointer keyseed,
+	krb5_key_usage key_usage,
+	krb5_addresses *addrs,
+	unsigned nonce,
+	krb5_boolean allow_server_mismatch,
+	krb5_boolean ignore_cname,
+	krb5_decrypt_proc decrypt_proc,
+	krb5_const_pointer decryptarg));
+
+ssize_t
+_krb5_get_int __P((
+	void *buffer,
+	unsigned long *value,
+	size_t size));
+
+void
+_krb5_n_fold __P((
+	const void *str,
+	size_t len,
+	void *key,
+	size_t size));
+
+ssize_t
+_krb5_put_int __P((
+	void *buffer,
+	unsigned long value,
+	size_t size));
+
+#endif /* __krb5_private_h__ */
diff --git a/crypto/heimdal/lib/krb5/krb5-protos.h b/crypto/heimdal/lib/krb5/krb5-protos.h
new file mode 100644
index 0000000..1f0fdf9
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5-protos.h
@@ -0,0 +1,2768 @@
+/* This is a generated file */
+#ifndef __krb5_protos_h__
+#define __krb5_protos_h__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+krb5_error_code
+krb524_convert_creds_kdc __P((
+	krb5_context context,
+	krb5_ccache ccache,
+	krb5_creds *in_cred,
+	struct credentials *v4creds));
+
+krb5_error_code
+krb5_425_conv_principal __P((
+	krb5_context context,
+	const char *name,
+	const char *instance,
+	const char *realm,
+	krb5_principal *princ));
+
+krb5_error_code
+krb5_425_conv_principal_ext __P((
+	krb5_context context,
+	const char *name,
+	const char *instance,
+	const char *realm,
+	krb5_boolean (*func)(krb5_context, krb5_principal),
+	krb5_boolean resolve,
+	krb5_principal *princ));
+
+krb5_error_code
+krb5_524_conv_principal __P((
+	krb5_context context,
+	const krb5_principal principal,
+	char *name,
+	char *instance,
+	char *realm));
+
+krb5_error_code
+krb5_abort __P((
+	krb5_context context,
+	krb5_error_code code,
+	const char *fmt,
+	...))
+    __attribute__ ((noreturn, format (printf, 3, 4)));
+
+krb5_error_code
+krb5_abortx __P((
+	krb5_context context,
+	const char *fmt,
+	...))
+    __attribute__ ((noreturn, format (printf, 2, 3)));
+
+krb5_error_code
+krb5_acl_match_file __P((
+	krb5_context context,
+	const char *file,
+	const char *format,
+	...));
+
+krb5_error_code
+krb5_acl_match_string __P((
+	krb5_context context,
+	const char *acl_string,
+	const char *format,
+	...));
+
+krb5_error_code
+krb5_add_et_list __P((
+	krb5_context context,
+	void (*func)(struct et_list **)));
+
+krb5_error_code
+krb5_add_extra_addresses __P((
+	krb5_context context,
+	krb5_addresses *addresses));
+
+krb5_error_code
+krb5_addlog_dest __P((
+	krb5_context context,
+	krb5_log_facility *f,
+	const char *orig));
+
+krb5_error_code
+krb5_addlog_func __P((
+	krb5_context context,
+	krb5_log_facility *fac,
+	int min,
+	int max,
+	krb5_log_log_func_t log,
+	krb5_log_close_func_t close,
+	void *data));
+
+krb5_error_code
+krb5_addr2sockaddr __P((
+	krb5_context context,
+	const krb5_address *addr,
+	struct sockaddr *sa,
+	int *sa_size,
+	int port));
+
+krb5_boolean
+krb5_address_compare __P((
+	krb5_context context,
+	const krb5_address *addr1,
+	const krb5_address *addr2));
+
+int
+krb5_address_order __P((
+	krb5_context context,
+	const krb5_address *addr1,
+	const krb5_address *addr2));
+
+krb5_boolean
+krb5_address_search __P((
+	krb5_context context,
+	const krb5_address *addr,
+	const krb5_addresses *addrlist));
+
+krb5_error_code
+krb5_aname_to_localname __P((
+	krb5_context context,
+	krb5_const_principal aname,
+	size_t lnsize,
+	char *lname));
+
+krb5_error_code
+krb5_anyaddr __P((
+	krb5_context context,
+	int af,
+	struct sockaddr *sa,
+	int *sa_size,
+	int port));
+
+void
+krb5_appdefault_boolean __P((
+	krb5_context context,
+	const char *appname,
+	krb5_realm realm,
+	const char *option,
+	krb5_boolean def_val,
+	krb5_boolean *ret_val));
+
+void
+krb5_appdefault_string __P((
+	krb5_context context,
+	const char *appname,
+	krb5_realm realm,
+	const char *option,
+	const char *def_val,
+	char **ret_val));
+
+void
+krb5_appdefault_time __P((
+	krb5_context context,
+	const char *appname,
+	krb5_realm realm,
+	const char *option,
+	time_t def_val,
+	time_t *ret_val));
+
+krb5_error_code
+krb5_append_addresses __P((
+	krb5_context context,
+	krb5_addresses *dest,
+	const krb5_addresses *source));
+
+krb5_error_code
+krb5_auth_con_free __P((
+	krb5_context context,
+	krb5_auth_context auth_context));
+
+krb5_error_code
+krb5_auth_con_genaddrs __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int fd,
+	int flags));
+
+krb5_error_code
+krb5_auth_con_getaddrs __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_address **local_addr,
+	krb5_address **remote_addr));
+
+krb5_error_code
+krb5_auth_con_getflags __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t *flags));
+
+krb5_error_code
+krb5_auth_con_getkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock **keyblock));
+
+krb5_error_code
+krb5_auth_con_getlocalsubkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock **keyblock));
+
+krb5_error_code
+krb5_auth_con_getrcache __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_rcache *rcache));
+
+krb5_error_code
+krb5_auth_con_getremotesubkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock **keyblock));
+
+krb5_error_code
+krb5_auth_con_init __P((
+	krb5_context context,
+	krb5_auth_context *auth_context));
+
+krb5_error_code
+krb5_auth_con_setaddrs __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_address *local_addr,
+	krb5_address *remote_addr));
+
+krb5_error_code
+krb5_auth_con_setaddrs_from_fd __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	void *p_fd));
+
+krb5_error_code
+krb5_auth_con_setflags __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t flags));
+
+krb5_error_code
+krb5_auth_con_setkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock *keyblock));
+
+krb5_error_code
+krb5_auth_con_setlocalsubkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock *keyblock));
+
+krb5_error_code
+krb5_auth_con_setrcache __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_rcache rcache));
+
+krb5_error_code
+krb5_auth_con_setremotesubkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock *keyblock));
+
+krb5_error_code
+krb5_auth_con_setuserkey __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keyblock *keyblock));
+
+krb5_error_code
+krb5_auth_getauthenticator __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_authenticator *authenticator));
+
+krb5_error_code
+krb5_auth_getcksumtype __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_cksumtype *cksumtype));
+
+krb5_error_code
+krb5_auth_getkeytype __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keytype *keytype));
+
+krb5_error_code
+krb5_auth_getlocalseqnumber __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t *seqnumber));
+
+krb5_error_code
+krb5_auth_getremoteseqnumber __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t *seqnumber));
+
+krb5_error_code
+krb5_auth_setcksumtype __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_cksumtype cksumtype));
+
+krb5_error_code
+krb5_auth_setkeytype __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_keytype keytype));
+
+krb5_error_code
+krb5_auth_setlocalseqnumber __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t seqnumber));
+
+krb5_error_code
+krb5_auth_setremoteseqnumber __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	int32_t seqnumber));
+
+krb5_error_code
+krb5_build_ap_req __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	krb5_creds *cred,
+	krb5_flags ap_options,
+	krb5_data authenticator,
+	krb5_data *retdata));
+
+krb5_error_code
+krb5_build_authenticator __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_enctype enctype,
+	krb5_creds *cred,
+	Checksum *cksum,
+	Authenticator **auth_result,
+	krb5_data *result,
+	krb5_key_usage usage));
+
+krb5_error_code
+krb5_build_principal __P((
+	krb5_context context,
+	krb5_principal *principal,
+	int rlen,
+	krb5_const_realm realm,
+	...));
+
+krb5_error_code
+krb5_build_principal_ext __P((
+	krb5_context context,
+	krb5_principal *principal,
+	int rlen,
+	krb5_const_realm realm,
+	...));
+
+krb5_error_code
+krb5_build_principal_va __P((
+	krb5_context context,
+	krb5_principal *principal,
+	int rlen,
+	krb5_const_realm realm,
+	va_list ap));
+
+krb5_error_code
+krb5_build_principal_va_ext __P((
+	krb5_context context,
+	krb5_principal *principal,
+	int rlen,
+	krb5_const_realm realm,
+	va_list ap));
+
+krb5_error_code
+krb5_cc_close __P((
+	krb5_context context,
+	krb5_ccache id));
+
+krb5_error_code
+krb5_cc_copy_cache __P((
+	krb5_context context,
+	const krb5_ccache from,
+	krb5_ccache to));
+
+krb5_error_code
+krb5_cc_default __P((
+	krb5_context context,
+	krb5_ccache *id));
+
+const char*
+krb5_cc_default_name __P((krb5_context context));
+
+krb5_error_code
+krb5_cc_destroy __P((
+	krb5_context context,
+	krb5_ccache id));
+
+krb5_error_code
+krb5_cc_end_seq_get __P((
+	krb5_context context,
+	const krb5_ccache id,
+	krb5_cc_cursor *cursor));
+
+krb5_error_code
+krb5_cc_gen_new __P((
+	krb5_context context,
+	const krb5_cc_ops *ops,
+	krb5_ccache *id));
+
+const char*
+krb5_cc_get_name __P((
+	krb5_context context,
+	krb5_ccache id));
+
+krb5_error_code
+krb5_cc_get_principal __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_principal *principal));
+
+const char*
+krb5_cc_get_type __P((
+	krb5_context context,
+	krb5_ccache id));
+
+krb5_error_code
+krb5_cc_get_version __P((
+	krb5_context context,
+	const krb5_ccache id));
+
+krb5_error_code
+krb5_cc_initialize __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_principal primary_principal));
+
+krb5_error_code
+krb5_cc_next_cred __P((
+	krb5_context context,
+	const krb5_ccache id,
+	krb5_cc_cursor *cursor,
+	krb5_creds *creds));
+
+krb5_error_code
+krb5_cc_register __P((
+	krb5_context context,
+	const krb5_cc_ops *ops,
+	krb5_boolean override));
+
+krb5_error_code
+krb5_cc_remove_cred __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_flags which,
+	krb5_creds *cred));
+
+krb5_error_code
+krb5_cc_resolve __P((
+	krb5_context context,
+	const char *name,
+	krb5_ccache *id));
+
+krb5_error_code
+krb5_cc_retrieve_cred __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_flags whichfields,
+	const krb5_creds *mcreds,
+	krb5_creds *creds));
+
+krb5_error_code
+krb5_cc_set_flags __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_flags flags));
+
+krb5_error_code
+krb5_cc_start_seq_get __P((
+	krb5_context context,
+	const krb5_ccache id,
+	krb5_cc_cursor *cursor));
+
+krb5_error_code
+krb5_cc_store_cred __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_creds *creds));
+
+krb5_error_code
+krb5_change_password __P((
+	krb5_context context,
+	krb5_creds *creds,
+	char *newpw,
+	int *result_code,
+	krb5_data *result_code_string,
+	krb5_data *result_string));
+
+krb5_error_code
+krb5_check_transited_realms __P((
+	krb5_context context,
+	const char *const *realms,
+	int num_realms,
+	int *bad_realm));
+
+krb5_boolean
+krb5_checksum_is_collision_proof __P((
+	krb5_context context,
+	krb5_cksumtype type));
+
+krb5_boolean
+krb5_checksum_is_keyed __P((
+	krb5_context context,
+	krb5_cksumtype type));
+
+krb5_error_code
+krb5_checksumsize __P((
+	krb5_context context,
+	krb5_cksumtype type,
+	size_t *size));
+
+void
+krb5_clear_error_string __P((krb5_context context));
+
+krb5_error_code
+krb5_closelog __P((
+	krb5_context context,
+	krb5_log_facility *fac));
+
+krb5_boolean
+krb5_compare_creds __P((
+	krb5_context context,
+	krb5_flags whichfields,
+	const krb5_creds *mcreds,
+	const krb5_creds *creds));
+
+krb5_error_code
+krb5_config_file_free __P((
+	krb5_context context,
+	krb5_config_section *s));
+
+void
+krb5_config_free_strings __P((char **strings));
+
+const void *
+krb5_config_get __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int type,
+	...));
+
+krb5_boolean
+krb5_config_get_bool __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+krb5_boolean
+krb5_config_get_bool_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	krb5_boolean def_value,
+	...));
+
+int
+krb5_config_get_int __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+int
+krb5_config_get_int_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int def_value,
+	...));
+
+const krb5_config_binding *
+krb5_config_get_list __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+const void *
+krb5_config_get_next __P((
+	krb5_context context,
+	krb5_config_section *c,
+	krb5_config_binding **pointer,
+	int type,
+	...));
+
+const char *
+krb5_config_get_string __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+const char *
+krb5_config_get_string_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	const char *def_value,
+	...));
+
+char**
+krb5_config_get_strings __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+int
+krb5_config_get_time __P((
+	krb5_context context,
+	krb5_config_section *c,
+	...));
+
+int
+krb5_config_get_time_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int def_value,
+	...));
+
+krb5_error_code
+krb5_config_parse_file __P((
+	krb5_context context,
+	const char *fname,
+	krb5_config_section **res));
+
+const void *
+krb5_config_vget __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int type,
+	va_list args));
+
+krb5_boolean
+krb5_config_vget_bool __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+krb5_boolean
+krb5_config_vget_bool_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	krb5_boolean def_value,
+	va_list args));
+
+int
+krb5_config_vget_int __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+int
+krb5_config_vget_int_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int def_value,
+	va_list args));
+
+const krb5_config_binding *
+krb5_config_vget_list __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+const void *
+krb5_config_vget_next __P((
+	krb5_context context,
+	krb5_config_section *c,
+	krb5_config_binding **pointer,
+	int type,
+	va_list args));
+
+const char *
+krb5_config_vget_string __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+const char *
+krb5_config_vget_string_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	const char *def_value,
+	va_list args));
+
+char **
+krb5_config_vget_strings __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+int
+krb5_config_vget_time __P((
+	krb5_context context,
+	krb5_config_section *c,
+	va_list args));
+
+int
+krb5_config_vget_time_default __P((
+	krb5_context context,
+	krb5_config_section *c,
+	int def_value,
+	va_list args));
+
+krb5_error_code
+krb5_copy_address __P((
+	krb5_context context,
+	const krb5_address *inaddr,
+	krb5_address *outaddr));
+
+krb5_error_code
+krb5_copy_addresses __P((
+	krb5_context context,
+	const krb5_addresses *inaddr,
+	krb5_addresses *outaddr));
+
+krb5_error_code
+krb5_copy_creds __P((
+	krb5_context context,
+	const krb5_creds *incred,
+	krb5_creds **outcred));
+
+krb5_error_code
+krb5_copy_creds_contents __P((
+	krb5_context context,
+	const krb5_creds *incred,
+	krb5_creds *c));
+
+krb5_error_code
+krb5_copy_data __P((
+	krb5_context context,
+	const krb5_data *indata,
+	krb5_data **outdata));
+
+krb5_error_code
+krb5_copy_host_realm __P((
+	krb5_context context,
+	const krb5_realm *from,
+	krb5_realm **to));
+
+krb5_error_code
+krb5_copy_keyblock __P((
+	krb5_context context,
+	const krb5_keyblock *inblock,
+	krb5_keyblock **to));
+
+krb5_error_code
+krb5_copy_keyblock_contents __P((
+	krb5_context context,
+	const krb5_keyblock *inblock,
+	krb5_keyblock *to));
+
+krb5_error_code
+krb5_copy_principal __P((
+	krb5_context context,
+	krb5_const_principal inprinc,
+	krb5_principal *outprinc));
+
+krb5_error_code
+krb5_copy_ticket __P((
+	krb5_context context,
+	const krb5_ticket *from,
+	krb5_ticket **to));
+
+krb5_error_code
+krb5_create_checksum __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	krb5_key_usage usage,
+	int type,
+	void *data,
+	size_t len,
+	Checksum *result));
+
+krb5_error_code
+krb5_crypto_destroy __P((
+	krb5_context context,
+	krb5_crypto crypto));
+
+krb5_error_code
+krb5_crypto_init __P((
+	krb5_context context,
+	const krb5_keyblock *key,
+	krb5_enctype etype,
+	krb5_crypto *crypto));
+
+krb5_error_code
+krb5_data_alloc __P((
+	krb5_data *p,
+	int len));
+
+krb5_error_code
+krb5_data_copy __P((
+	krb5_data *p,
+	const void *data,
+	size_t len));
+
+void
+krb5_data_free __P((krb5_data *p));
+
+krb5_error_code
+krb5_data_realloc __P((
+	krb5_data *p,
+	int len));
+
+void
+krb5_data_zero __P((krb5_data *p));
+
+krb5_error_code
+krb5_decode_Authenticator __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	Authenticator *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_ETYPE_INFO __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	ETYPE_INFO *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_EncAPRepPart __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	EncAPRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_EncASRepPart __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	EncASRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_EncKrbCredPart __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	EncKrbCredPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_EncTGSRepPart __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	EncTGSRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_EncTicketPart __P((
+	krb5_context context,
+	const void *data,
+	size_t length,
+	EncTicketPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_decode_ap_req __P((
+	krb5_context context,
+	const krb5_data *inbuf,
+	krb5_ap_req *ap_req));
+
+krb5_error_code
+krb5_decrypt __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	void *data,
+	size_t len,
+	krb5_data *result));
+
+krb5_error_code
+krb5_decrypt_EncryptedData __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	const EncryptedData *e,
+	krb5_data *result));
+
+krb5_error_code
+krb5_decrypt_ivec __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	void *data,
+	size_t len,
+	krb5_data *result,
+	void *ivec));
+
+krb5_error_code
+krb5_decrypt_ticket __P((
+	krb5_context context,
+	Ticket *ticket,
+	krb5_keyblock *key,
+	EncTicketPart *out,
+	krb5_flags flags));
+
+krb5_error_code
+krb5_derive_key __P((
+	krb5_context context,
+	const krb5_keyblock *key,
+	krb5_enctype etype,
+	const void *constant,
+	size_t constant_len,
+	krb5_keyblock **derived_key));
+
+krb5_error_code
+krb5_domain_x500_decode __P((
+	krb5_context context,
+	krb5_data tr,
+	char ***realms,
+	int *num_realms,
+	const char *client_realm,
+	const char *server_realm));
+
+krb5_error_code
+krb5_domain_x500_encode __P((
+	char **realms,
+	int num_realms,
+	krb5_data *encoding));
+
+krb5_error_code
+krb5_eai_to_heim_errno __P((
+	int eai_errno,
+	int system_error));
+
+krb5_error_code
+krb5_encode_Authenticator __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	Authenticator *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_ETYPE_INFO __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	ETYPE_INFO *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_EncAPRepPart __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	EncAPRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_EncASRepPart __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	EncASRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_EncKrbCredPart __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	EncKrbCredPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_EncTGSRepPart __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	EncTGSRepPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encode_EncTicketPart __P((
+	krb5_context context,
+	void *data,
+	size_t length,
+	EncTicketPart *t,
+	size_t *len));
+
+krb5_error_code
+krb5_encrypt __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	void *data,
+	size_t len,
+	krb5_data *result));
+
+krb5_error_code
+krb5_encrypt_EncryptedData __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	void *data,
+	size_t len,
+	int kvno,
+	EncryptedData *result));
+
+krb5_error_code
+krb5_encrypt_ivec __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	unsigned usage,
+	void *data,
+	size_t len,
+	krb5_data *result,
+	void *ivec));
+
+krb5_error_code
+krb5_enctype_to_keytype __P((
+	krb5_context context,
+	krb5_enctype etype,
+	krb5_keytype *keytype));
+
+krb5_error_code
+krb5_enctype_to_string __P((
+	krb5_context context,
+	krb5_enctype etype,
+	char **string));
+
+krb5_error_code
+krb5_enctype_valid __P((
+	krb5_context context,
+	krb5_enctype etype));
+
+krb5_boolean
+krb5_enctypes_compatible_keys __P((
+	krb5_context context,
+	krb5_enctype etype1,
+	krb5_enctype etype2));
+
+krb5_error_code
+krb5_err __P((
+	krb5_context context,
+	int eval,
+	krb5_error_code code,
+	const char *fmt,
+	...))
+    __attribute__ ((noreturn, format (printf, 4, 5)));
+
+krb5_error_code
+krb5_error_from_rd_error __P((
+	krb5_context context,
+	const krb5_error *error,
+	const krb5_creds *creds));
+
+krb5_error_code
+krb5_errx __P((
+	krb5_context context,
+	int eval,
+	const char *fmt,
+	...))
+    __attribute__ ((noreturn, format (printf, 3, 4)));
+
+krb5_error_code
+krb5_expand_hostname __P((
+	krb5_context context,
+	const char *orig_hostname,
+	char **new_hostname));
+
+krb5_error_code
+krb5_expand_hostname_realms __P((
+	krb5_context context,
+	const char *orig_hostname,
+	char **new_hostname,
+	char ***realms));
+
+PA_DATA *
+krb5_find_padata __P((
+	PA_DATA *val,
+	unsigned len,
+	int type,
+	int *index));
+
+krb5_error_code
+krb5_format_time __P((
+	krb5_context context,
+	time_t t,
+	char *s,
+	size_t len,
+	krb5_boolean include_time));
+
+krb5_error_code
+krb5_free_address __P((
+	krb5_context context,
+	krb5_address *address));
+
+krb5_error_code
+krb5_free_addresses __P((
+	krb5_context context,
+	krb5_addresses *addresses));
+
+void
+krb5_free_ap_rep_enc_part __P((
+	krb5_context context,
+	krb5_ap_rep_enc_part *val));
+
+void
+krb5_free_authenticator __P((
+	krb5_context context,
+	krb5_authenticator *authenticator));
+
+void
+krb5_free_context __P((krb5_context context));
+
+krb5_error_code
+krb5_free_cred_contents __P((
+	krb5_context context,
+	krb5_creds *c));
+
+krb5_error_code
+krb5_free_creds __P((
+	krb5_context context,
+	krb5_creds *c));
+
+krb5_error_code
+krb5_free_creds_contents __P((
+	krb5_context context,
+	krb5_creds *c));
+
+void
+krb5_free_data __P((
+	krb5_context context,
+	krb5_data *p));
+
+void
+krb5_free_error __P((
+	krb5_context context,
+	krb5_error *error));
+
+void
+krb5_free_error_contents __P((
+	krb5_context context,
+	krb5_error *error));
+
+void
+krb5_free_error_string __P((
+	krb5_context context,
+	char *str));
+
+krb5_error_code
+krb5_free_host_realm __P((
+	krb5_context context,
+	krb5_realm *realmlist));
+
+krb5_error_code
+krb5_free_kdc_rep __P((
+	krb5_context context,
+	krb5_kdc_rep *rep));
+
+void
+krb5_free_keyblock __P((
+	krb5_context context,
+	krb5_keyblock *keyblock));
+
+void
+krb5_free_keyblock_contents __P((
+	krb5_context context,
+	krb5_keyblock *keyblock));
+
+krb5_error_code
+krb5_free_krbhst __P((
+	krb5_context context,
+	char **hostlist));
+
+void
+krb5_free_principal __P((
+	krb5_context context,
+	krb5_principal p));
+
+krb5_error_code
+krb5_free_salt __P((
+	krb5_context context,
+	krb5_salt salt));
+
+krb5_error_code
+krb5_free_ticket __P((
+	krb5_context context,
+	krb5_ticket *ticket));
+
+krb5_error_code
+krb5_fwd_tgt_creds __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const char *hostname,
+	krb5_principal client,
+	krb5_principal server,
+	krb5_ccache ccache,
+	int forwardable,
+	krb5_data *out_data));
+
+void
+krb5_generate_random_block __P((
+	void *buf,
+	size_t len));
+
+krb5_error_code
+krb5_generate_random_keyblock __P((
+	krb5_context context,
+	krb5_enctype type,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_generate_seq_number __P((
+	krb5_context context,
+	const krb5_keyblock *key,
+	u_int32_t *seqno));
+
+krb5_error_code
+krb5_generate_subkey __P((
+	krb5_context context,
+	const krb5_keyblock *key,
+	krb5_keyblock **subkey));
+
+krb5_error_code
+krb5_get_all_client_addrs __P((
+	krb5_context context,
+	krb5_addresses *res));
+
+krb5_error_code
+krb5_get_all_server_addrs __P((
+	krb5_context context,
+	krb5_addresses *res));
+
+krb5_error_code
+krb5_get_cred_from_kdc __P((
+	krb5_context context,
+	krb5_ccache ccache,
+	krb5_creds *in_creds,
+	krb5_creds **out_creds,
+	krb5_creds ***ret_tgts));
+
+krb5_error_code
+krb5_get_cred_from_kdc_opt __P((
+	krb5_context context,
+	krb5_ccache ccache,
+	krb5_creds *in_creds,
+	krb5_creds **out_creds,
+	krb5_creds ***ret_tgts,
+	krb5_flags flags));
+
+krb5_error_code
+krb5_get_credentials __P((
+	krb5_context context,
+	krb5_flags options,
+	krb5_ccache ccache,
+	krb5_creds *in_creds,
+	krb5_creds **out_creds));
+
+krb5_error_code
+krb5_get_credentials_with_flags __P((
+	krb5_context context,
+	krb5_flags options,
+	krb5_kdc_flags flags,
+	krb5_ccache ccache,
+	krb5_creds *in_creds,
+	krb5_creds **out_creds));
+
+krb5_error_code
+krb5_get_default_in_tkt_etypes __P((
+	krb5_context context,
+	krb5_enctype **etypes));
+
+krb5_error_code
+krb5_get_default_principal __P((
+	krb5_context context,
+	krb5_principal *princ));
+
+krb5_error_code
+krb5_get_default_realm __P((
+	krb5_context context,
+	krb5_realm *realm));
+
+krb5_error_code
+krb5_get_default_realms __P((
+	krb5_context context,
+	krb5_realm **realms));
+
+const char *
+krb5_get_err_text __P((
+	krb5_context context,
+	krb5_error_code code));
+
+char*
+krb5_get_error_string __P((krb5_context context));
+
+krb5_error_code
+krb5_get_extra_addresses __P((
+	krb5_context context,
+	krb5_addresses *addresses));
+
+krb5_error_code
+krb5_get_fcache_version __P((
+	krb5_context context,
+	int *version));
+
+krb5_error_code
+krb5_get_forwarded_creds __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_ccache ccache,
+	krb5_flags flags,
+	const char *hostname,
+	krb5_creds *in_creds,
+	krb5_data *out_data));
+
+krb5_error_code
+krb5_get_host_realm __P((
+	krb5_context context,
+	const char *host,
+	krb5_realm **realms));
+
+krb5_error_code
+krb5_get_host_realm_int __P((
+	krb5_context context,
+	const char *host,
+	krb5_boolean use_dns,
+	krb5_realm **realms));
+
+krb5_error_code
+krb5_get_in_cred __P((
+	krb5_context context,
+	krb5_flags options,
+	const krb5_addresses *addrs,
+	const krb5_enctype *etypes,
+	const krb5_preauthtype *ptypes,
+	const krb5_preauthdata *preauth,
+	krb5_key_proc key_proc,
+	krb5_const_pointer keyseed,
+	krb5_decrypt_proc decrypt_proc,
+	krb5_const_pointer decryptarg,
+	krb5_creds *creds,
+	krb5_kdc_rep *ret_as_reply));
+
+krb5_error_code
+krb5_get_in_tkt __P((
+	krb5_context context,
+	krb5_flags options,
+	const krb5_addresses *addrs,
+	const krb5_enctype *etypes,
+	const krb5_preauthtype *ptypes,
+	krb5_key_proc key_proc,
+	krb5_const_pointer keyseed,
+	krb5_decrypt_proc decrypt_proc,
+	krb5_const_pointer decryptarg,
+	krb5_creds *creds,
+	krb5_ccache ccache,
+	krb5_kdc_rep *ret_as_reply));
+
+krb5_error_code
+krb5_get_in_tkt_with_keytab __P((
+	krb5_context context,
+	krb5_flags options,
+	krb5_addresses *addrs,
+	const krb5_enctype *etypes,
+	const krb5_preauthtype *pre_auth_types,
+	krb5_keytab keytab,
+	krb5_ccache ccache,
+	krb5_creds *creds,
+	krb5_kdc_rep *ret_as_reply));
+
+krb5_error_code
+krb5_get_in_tkt_with_password __P((
+	krb5_context context,
+	krb5_flags options,
+	krb5_addresses *addrs,
+	const krb5_enctype *etypes,
+	const krb5_preauthtype *pre_auth_types,
+	const char *password,
+	krb5_ccache ccache,
+	krb5_creds *creds,
+	krb5_kdc_rep *ret_as_reply));
+
+krb5_error_code
+krb5_get_in_tkt_with_skey __P((
+	krb5_context context,
+	krb5_flags options,
+	krb5_addresses *addrs,
+	const krb5_enctype *etypes,
+	const krb5_preauthtype *pre_auth_types,
+	const krb5_keyblock *key,
+	krb5_ccache ccache,
+	krb5_creds *creds,
+	krb5_kdc_rep *ret_as_reply));
+
+krb5_error_code
+krb5_get_init_creds_keytab __P((
+	krb5_context context,
+	krb5_creds *creds,
+	krb5_principal client,
+	krb5_keytab keytab,
+	krb5_deltat start_time,
+	const char *in_tkt_service,
+	krb5_get_init_creds_opt *options));
+
+void
+krb5_get_init_creds_opt_init __P((krb5_get_init_creds_opt *opt));
+
+void
+krb5_get_init_creds_opt_set_address_list __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_addresses *addresses));
+
+void
+krb5_get_init_creds_opt_set_anonymous __P((
+	krb5_get_init_creds_opt *opt,
+	int anonymous));
+
+void
+krb5_get_init_creds_opt_set_default_flags __P((
+	krb5_context context,
+	const char *appname,
+	krb5_realm realm,
+	krb5_get_init_creds_opt *opt));
+
+void
+krb5_get_init_creds_opt_set_etype_list __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_enctype *etype_list,
+	int etype_list_length));
+
+void
+krb5_get_init_creds_opt_set_forwardable __P((
+	krb5_get_init_creds_opt *opt,
+	int forwardable));
+
+void
+krb5_get_init_creds_opt_set_preauth_list __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_preauthtype *preauth_list,
+	int preauth_list_length));
+
+void
+krb5_get_init_creds_opt_set_proxiable __P((
+	krb5_get_init_creds_opt *opt,
+	int proxiable));
+
+void
+krb5_get_init_creds_opt_set_renew_life __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_deltat renew_life));
+
+void
+krb5_get_init_creds_opt_set_salt __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_data *salt));
+
+void
+krb5_get_init_creds_opt_set_tkt_life __P((
+	krb5_get_init_creds_opt *opt,
+	krb5_deltat tkt_life));
+
+krb5_error_code
+krb5_get_init_creds_password __P((
+	krb5_context context,
+	krb5_creds *creds,
+	krb5_principal client,
+	const char *password,
+	krb5_prompter_fct prompter,
+	void *data,
+	krb5_deltat start_time,
+	const char *in_tkt_service,
+	krb5_get_init_creds_opt *options));
+
+krb5_error_code
+krb5_get_kdc_cred __P((
+	krb5_context context,
+	krb5_ccache id,
+	krb5_kdc_flags flags,
+	krb5_addresses *addresses,
+	Ticket *second_ticket,
+	krb5_creds *in_creds,
+	krb5_creds **out_creds ));
+
+krb5_error_code
+krb5_get_krb_admin_hst __P((
+	krb5_context context,
+	const krb5_realm *realm,
+	char ***hostlist));
+
+krb5_error_code
+krb5_get_krb_changepw_hst __P((
+	krb5_context context,
+	const krb5_realm *realm,
+	char ***hostlist));
+
+krb5_error_code
+krb5_get_krbhst __P((
+	krb5_context context,
+	const krb5_realm *realm,
+	char ***hostlist));
+
+krb5_error_code
+krb5_get_pw_salt __P((
+	krb5_context context,
+	krb5_const_principal principal,
+	krb5_salt *salt));
+
+krb5_error_code
+krb5_get_server_rcache __P((
+	krb5_context context,
+	const krb5_data *piece,
+	krb5_rcache *id));
+
+krb5_boolean
+krb5_get_use_admin_kdc __P((krb5_context context));
+
+size_t
+krb5_get_wrapped_length __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	size_t data_len));
+
+int
+krb5_getportbyname __P((
+	krb5_context context,
+	const char *service,
+	const char *proto,
+	int default_port));
+
+krb5_error_code
+krb5_h_addr2addr __P((
+	krb5_context context,
+	int af,
+	const char *haddr,
+	krb5_address *addr));
+
+krb5_error_code
+krb5_h_addr2sockaddr __P((
+	krb5_context context,
+	int af,
+	const char *addr,
+	struct sockaddr *sa,
+	int *sa_size,
+	int port));
+
+krb5_error_code
+krb5_h_errno_to_heim_errno __P((int eai_errno));
+
+krb5_boolean
+krb5_have_error_string __P((krb5_context context));
+
+krb5_error_code
+krb5_init_context __P((krb5_context *context));
+
+void
+krb5_init_ets __P((krb5_context context));
+
+krb5_error_code
+krb5_init_etype __P((
+	krb5_context context,
+	unsigned *len,
+	int **val,
+	const krb5_enctype *etypes));
+
+krb5_error_code
+krb5_initlog __P((
+	krb5_context context,
+	const char *program,
+	krb5_log_facility **fac));
+
+krb5_error_code
+krb5_keyblock_key_proc __P((
+	krb5_context context,
+	krb5_keytype type,
+	krb5_data *salt,
+	krb5_const_pointer keyseed,
+	krb5_keyblock **key));
+
+krb5_error_code
+krb5_keytab_key_proc __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	krb5_salt salt,
+	krb5_const_pointer keyseed,
+	krb5_keyblock **key));
+
+krb5_error_code
+krb5_keytype_to_enctypes __P((
+	krb5_context context,
+	krb5_keytype keytype,
+	unsigned *len,
+	int **val));
+
+krb5_error_code
+krb5_keytype_to_enctypes_default __P((
+	krb5_context context,
+	krb5_keytype keytype,
+	unsigned *len,
+	int **val));
+
+krb5_error_code
+krb5_keytype_to_string __P((
+	krb5_context context,
+	krb5_keytype keytype,
+	char **string));
+
+krb5_error_code
+krb5_kt_add_entry __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_keytab_entry *entry));
+
+krb5_error_code
+krb5_kt_close __P((
+	krb5_context context,
+	krb5_keytab id));
+
+krb5_boolean
+krb5_kt_compare __P((
+	krb5_context context,
+	krb5_keytab_entry *entry,
+	krb5_const_principal principal,
+	krb5_kvno vno,
+	krb5_enctype enctype));
+
+krb5_error_code
+krb5_kt_copy_entry_contents __P((
+	krb5_context context,
+	const krb5_keytab_entry *in,
+	krb5_keytab_entry *out));
+
+krb5_error_code
+krb5_kt_default __P((
+	krb5_context context,
+	krb5_keytab *id));
+
+krb5_error_code
+krb5_kt_default_modify_name __P((
+	krb5_context context,
+	char *name,
+	size_t namesize));
+
+krb5_error_code
+krb5_kt_default_name __P((
+	krb5_context context,
+	char *name,
+	size_t namesize));
+
+krb5_error_code
+krb5_kt_end_seq_get __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_kt_cursor *cursor));
+
+krb5_error_code
+krb5_kt_free_entry __P((
+	krb5_context context,
+	krb5_keytab_entry *entry));
+
+krb5_error_code
+krb5_kt_get_entry __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_const_principal principal,
+	krb5_kvno kvno,
+	krb5_enctype enctype,
+	krb5_keytab_entry *entry));
+
+krb5_error_code
+krb5_kt_get_name __P((
+	krb5_context context,
+	krb5_keytab keytab,
+	char *name,
+	size_t namesize));
+
+krb5_error_code
+krb5_kt_next_entry __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_keytab_entry *entry,
+	krb5_kt_cursor *cursor));
+
+krb5_error_code
+krb5_kt_read_service_key __P((
+	krb5_context context,
+	krb5_pointer keyprocarg,
+	krb5_principal principal,
+	krb5_kvno vno,
+	krb5_enctype enctype,
+	krb5_keyblock **key));
+
+krb5_error_code
+krb5_kt_register __P((
+	krb5_context context,
+	const krb5_kt_ops *ops));
+
+krb5_error_code
+krb5_kt_remove_entry __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_keytab_entry *entry));
+
+krb5_error_code
+krb5_kt_resolve __P((
+	krb5_context context,
+	const char *name,
+	krb5_keytab *id));
+
+krb5_error_code
+krb5_kt_start_seq_get __P((
+	krb5_context context,
+	krb5_keytab id,
+	krb5_kt_cursor *cursor));
+
+krb5_boolean
+krb5_kuserok __P((
+	krb5_context context,
+	krb5_principal principal,
+	const char *luser));
+
+krb5_error_code
+krb5_log __P((
+	krb5_context context,
+	krb5_log_facility *fac,
+	int level,
+	const char *fmt,
+	...))
+    __attribute__((format (printf, 4, 5)));
+
+krb5_error_code
+krb5_log_msg __P((
+	krb5_context context,
+	krb5_log_facility *fac,
+	int level,
+	char **reply,
+	const char *fmt,
+	...))
+    __attribute__((format (printf, 5, 6)));
+
+krb5_error_code
+krb5_make_addrport __P((
+	krb5_context context,
+	krb5_address **res,
+	const krb5_address *addr,
+	int16_t port));
+
+krb5_error_code
+krb5_make_principal __P((
+	krb5_context context,
+	krb5_principal *principal,
+	krb5_const_realm realm,
+	...));
+
+size_t
+krb5_max_sockaddr_size __P((void));
+
+krb5_error_code
+krb5_mk_error __P((
+	krb5_context context,
+	krb5_error_code error_code,
+	const char *e_text,
+	const krb5_data *e_data,
+	const krb5_principal client,
+	const krb5_principal server,
+	time_t *ctime,
+	int *cusec,
+	krb5_data *reply));
+
+krb5_error_code
+krb5_mk_priv __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const krb5_data *userdata,
+	krb5_data *outbuf,
+	void *outdata));
+
+krb5_error_code
+krb5_mk_rep __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_data *outbuf));
+
+krb5_error_code
+krb5_mk_req __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_flags ap_req_options,
+	const char *service,
+	const char *hostname,
+	krb5_data *in_data,
+	krb5_ccache ccache,
+	krb5_data *outbuf));
+
+krb5_error_code
+krb5_mk_req_exact __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_flags ap_req_options,
+	const krb5_principal server,
+	krb5_data *in_data,
+	krb5_ccache ccache,
+	krb5_data *outbuf));
+
+krb5_error_code
+krb5_mk_req_extended __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_flags ap_req_options,
+	krb5_data *in_data,
+	krb5_creds *in_creds,
+	krb5_data *outbuf));
+
+krb5_error_code
+krb5_mk_req_internal __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_flags ap_req_options,
+	krb5_data *in_data,
+	krb5_creds *in_creds,
+	krb5_data *outbuf,
+	krb5_key_usage checksum_usage,
+	krb5_key_usage encrypt_usage));
+
+krb5_error_code
+krb5_mk_safe __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const krb5_data *userdata,
+	krb5_data *outbuf,
+	void *outdata));
+
+ssize_t
+krb5_net_read __P((
+	krb5_context context,
+	void *p_fd,
+	void *buf,
+	size_t len));
+
+ssize_t
+krb5_net_write __P((
+	krb5_context context,
+	void *p_fd,
+	const void *buf,
+	size_t len));
+
+krb5_error_code
+krb5_openlog __P((
+	krb5_context context,
+	const char *program,
+	krb5_log_facility **fac));
+
+krb5_error_code
+krb5_parse_address __P((
+	krb5_context context,
+	const char *string,
+	krb5_addresses *addresses));
+
+krb5_error_code
+krb5_parse_name __P((
+	krb5_context context,
+	const char *name,
+	krb5_principal *principal));
+
+krb5_error_code
+krb5_password_key_proc __P((
+	krb5_context context,
+	krb5_enctype type,
+	krb5_salt salt,
+	krb5_const_pointer keyseed,
+	krb5_keyblock **key));
+
+krb5_realm*
+krb5_princ_realm __P((
+	krb5_context context,
+	krb5_principal principal));
+
+void
+krb5_princ_set_realm __P((
+	krb5_context context,
+	krb5_principal principal,
+	krb5_realm *realm));
+
+krb5_error_code
+krb5_principal2principalname __P((
+	PrincipalName *p,
+	const krb5_principal from));
+
+krb5_boolean
+krb5_principal_compare __P((
+	krb5_context context,
+	krb5_const_principal princ1,
+	krb5_const_principal princ2));
+
+krb5_boolean
+krb5_principal_compare_any_realm __P((
+	krb5_context context,
+	krb5_const_principal princ1,
+	krb5_const_principal princ2));
+
+krb5_boolean
+krb5_principal_match __P((
+	krb5_context context,
+	krb5_const_principal princ,
+	krb5_const_principal pattern));
+
+krb5_error_code
+krb5_print_address __P((
+	const krb5_address *addr,
+	char *str,
+	size_t len,
+	size_t *ret_len));
+
+int
+krb5_program_setup __P((
+	krb5_context *context,
+	int argc,
+	char **argv,
+	struct getargs *args,
+	int num_args,
+	void (*usage)(int, struct getargs*, int)));
+
+int
+krb5_prompter_posix __P((
+	krb5_context context,
+	void *data,
+	const char *name,
+	const char *banner,
+	int num_prompts,
+	krb5_prompt prompts[]));
+
+krb5_error_code
+krb5_rc_close __P((
+	krb5_context context,
+	krb5_rcache id));
+
+krb5_error_code
+krb5_rc_default __P((
+	krb5_context context,
+	krb5_rcache *id));
+
+const char *
+krb5_rc_default_name __P((krb5_context context));
+
+const char *
+krb5_rc_default_type __P((krb5_context context));
+
+krb5_error_code
+krb5_rc_destroy __P((
+	krb5_context context,
+	krb5_rcache id));
+
+krb5_error_code
+krb5_rc_expunge __P((
+	krb5_context context,
+	krb5_rcache id));
+
+krb5_error_code
+krb5_rc_get_lifespan __P((
+	krb5_context context,
+	krb5_rcache id,
+	krb5_deltat *auth_lifespan));
+
+const char*
+krb5_rc_get_name __P((
+	krb5_context context,
+	krb5_rcache id));
+
+const char*
+krb5_rc_get_type __P((
+	krb5_context context,
+	krb5_rcache id));
+
+krb5_error_code
+krb5_rc_initialize __P((
+	krb5_context context,
+	krb5_rcache id,
+	krb5_deltat auth_lifespan));
+
+krb5_error_code
+krb5_rc_recover __P((
+	krb5_context context,
+	krb5_rcache id));
+
+krb5_error_code
+krb5_rc_resolve __P((
+	krb5_context context,
+	krb5_rcache id,
+	const char *name));
+
+krb5_error_code
+krb5_rc_resolve_full __P((
+	krb5_context context,
+	krb5_rcache *id,
+	const char *string_name));
+
+krb5_error_code
+krb5_rc_resolve_type __P((
+	krb5_context context,
+	krb5_rcache *id,
+	const char *type));
+
+krb5_error_code
+krb5_rc_store __P((
+	krb5_context context,
+	krb5_rcache id,
+	krb5_donot_replay *rep));
+
+krb5_error_code
+krb5_rd_cred __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_data *in_data,
+	krb5_creds ***ret_creds,
+	krb5_replay_data *out_data));
+
+krb5_error_code
+krb5_rd_cred2 __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	krb5_ccache ccache,
+	krb5_data *in_data));
+
+krb5_error_code
+krb5_rd_error __P((
+	krb5_context context,
+	krb5_data *msg,
+	KRB_ERROR *result));
+
+krb5_error_code
+krb5_rd_priv __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const krb5_data *inbuf,
+	krb5_data *outbuf,
+	void *outdata));
+
+krb5_error_code
+krb5_rd_rep __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const krb5_data *inbuf,
+	krb5_ap_rep_enc_part **repl));
+
+krb5_error_code
+krb5_rd_req __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_data *inbuf,
+	krb5_const_principal server,
+	krb5_keytab keytab,
+	krb5_flags *ap_req_options,
+	krb5_ticket **ticket));
+
+krb5_error_code
+krb5_rd_req_with_keyblock __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_data *inbuf,
+	krb5_const_principal server,
+	krb5_keyblock *keyblock,
+	krb5_flags *ap_req_options,
+	krb5_ticket **ticket));
+
+krb5_error_code
+krb5_rd_safe __P((
+	krb5_context context,
+	krb5_auth_context auth_context,
+	const krb5_data *inbuf,
+	krb5_data *outbuf,
+	void *outdata));
+
+krb5_error_code
+krb5_read_message __P((
+	krb5_context context,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_error_code
+krb5_read_priv_message __P((
+	krb5_context context,
+	krb5_auth_context ac,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_error_code
+krb5_read_safe_message __P((
+	krb5_context context,
+	krb5_auth_context ac,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_boolean
+krb5_realm_compare __P((
+	krb5_context context,
+	krb5_const_principal princ1,
+	krb5_const_principal princ2));
+
+krb5_error_code
+krb5_recvauth __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_pointer p_fd,
+	char *appl_version,
+	krb5_principal server,
+	int32_t flags,
+	krb5_keytab keytab,
+	krb5_ticket **ticket));
+
+krb5_error_code
+krb5_recvauth_match_version __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_pointer p_fd,
+	krb5_boolean (*match_appl_version)(void *, const char*),
+	void *match_data,
+	krb5_principal server,
+	int32_t flags,
+	krb5_keytab keytab,
+	krb5_ticket **ticket));
+
+krb5_error_code
+krb5_ret_address __P((
+	krb5_storage *sp,
+	krb5_address *adr));
+
+krb5_error_code
+krb5_ret_addrs __P((
+	krb5_storage *sp,
+	krb5_addresses *adr));
+
+krb5_error_code
+krb5_ret_authdata __P((
+	krb5_storage *sp,
+	krb5_authdata *auth));
+
+krb5_error_code
+krb5_ret_creds __P((
+	krb5_storage *sp,
+	krb5_creds *creds));
+
+krb5_error_code
+krb5_ret_data __P((
+	krb5_storage *sp,
+	krb5_data *data));
+
+krb5_error_code
+krb5_ret_int16 __P((
+	krb5_storage *sp,
+	int16_t *value));
+
+krb5_error_code
+krb5_ret_int32 __P((
+	krb5_storage *sp,
+	int32_t *value));
+
+krb5_error_code
+krb5_ret_int8 __P((
+	krb5_storage *sp,
+	int8_t *value));
+
+krb5_error_code
+krb5_ret_keyblock __P((
+	krb5_storage *sp,
+	krb5_keyblock *p));
+
+krb5_error_code
+krb5_ret_principal __P((
+	krb5_storage *sp,
+	krb5_principal *princ));
+
+krb5_error_code
+krb5_ret_string __P((
+	krb5_storage *sp,
+	char **string));
+
+krb5_error_code
+krb5_ret_stringz __P((
+	krb5_storage *sp,
+	char **string));
+
+krb5_error_code
+krb5_ret_times __P((
+	krb5_storage *sp,
+	krb5_times *times));
+
+krb5_error_code
+krb5_salttype_to_string __P((
+	krb5_context context,
+	krb5_enctype etype,
+	krb5_salttype stype,
+	char **string));
+
+krb5_error_code
+krb5_sendauth __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_pointer p_fd,
+	const char *appl_version,
+	krb5_principal client,
+	krb5_principal server,
+	krb5_flags ap_req_options,
+	krb5_data *in_data,
+	krb5_creds *in_creds,
+	krb5_ccache ccache,
+	krb5_error **ret_error,
+	krb5_ap_rep_enc_part **rep_result,
+	krb5_creds **out_creds));
+
+krb5_error_code
+krb5_sendto __P((
+	krb5_context context,
+	const krb5_data *send,
+	char **hostlist,
+	int port,
+	krb5_data *receive));
+
+krb5_error_code
+krb5_sendto_kdc __P((
+	krb5_context context,
+	const krb5_data *send,
+	const krb5_realm *realm,
+	krb5_data *receive));
+
+krb5_error_code
+krb5_sendto_kdc2 __P((
+	krb5_context context,
+	const krb5_data *send,
+	const krb5_realm *realm,
+	krb5_data *receive,
+	krb5_boolean master));
+
+krb5_error_code
+krb5_set_default_in_tkt_etypes __P((
+	krb5_context context,
+	const krb5_enctype *etypes));
+
+krb5_error_code
+krb5_set_default_realm __P((
+	krb5_context context,
+	char *realm));
+
+krb5_error_code
+krb5_set_error_string __P((
+	krb5_context context,
+	const char *fmt,
+	...))
+    __attribute__((format (printf, 2, 3)));
+
+krb5_error_code
+krb5_set_extra_addresses __P((
+	krb5_context context,
+	const krb5_addresses *addresses));
+
+krb5_error_code
+krb5_set_fcache_version __P((
+	krb5_context context,
+	int version));
+
+void
+krb5_set_use_admin_kdc __P((
+	krb5_context context,
+	krb5_boolean flag));
+
+krb5_error_code
+krb5_set_warn_dest __P((
+	krb5_context context,
+	krb5_log_facility *fac));
+
+krb5_error_code
+krb5_sname_to_principal __P((
+	krb5_context context,
+	const char *hostname,
+	const char *sname,
+	int32_t type,
+	krb5_principal *ret_princ));
+
+krb5_error_code
+krb5_sock_to_principal __P((
+	krb5_context context,
+	int sock,
+	const char *sname,
+	int32_t type,
+	krb5_principal *ret_princ));
+
+krb5_error_code
+krb5_sockaddr2address __P((
+	krb5_context context,
+	const struct sockaddr *sa,
+	krb5_address *addr));
+
+krb5_error_code
+krb5_sockaddr2port __P((
+	krb5_context context,
+	const struct sockaddr *sa,
+	int16_t *port));
+
+krb5_boolean
+krb5_sockaddr_uninteresting __P((const struct sockaddr *sa));
+
+void
+krb5_std_usage __P((
+	int code,
+	struct getargs *args,
+	int num_args));
+
+void
+krb5_storage_clear_flags __P((
+	krb5_storage *sp,
+	krb5_flags flags));
+
+krb5_storage *
+krb5_storage_emem __P((void));
+
+krb5_error_code
+krb5_storage_free __P((krb5_storage *sp));
+
+krb5_storage *
+krb5_storage_from_data __P((krb5_data *data));
+
+krb5_storage *
+krb5_storage_from_fd __P((int fd));
+
+krb5_storage *
+krb5_storage_from_mem __P((
+	void *buf,
+	size_t len));
+
+krb5_flags
+krb5_storage_get_byteorder __P((
+	krb5_storage *sp,
+	krb5_flags byteorder));
+
+krb5_boolean
+krb5_storage_is_flags __P((
+	krb5_storage *sp,
+	krb5_flags flags));
+
+void
+krb5_storage_set_byteorder __P((
+	krb5_storage *sp,
+	krb5_flags byteorder));
+
+void
+krb5_storage_set_flags __P((
+	krb5_storage *sp,
+	krb5_flags flags));
+
+krb5_error_code
+krb5_storage_to_data __P((
+	krb5_storage *sp,
+	krb5_data *data));
+
+krb5_error_code
+krb5_store_address __P((
+	krb5_storage *sp,
+	krb5_address p));
+
+krb5_error_code
+krb5_store_addrs __P((
+	krb5_storage *sp,
+	krb5_addresses p));
+
+krb5_error_code
+krb5_store_authdata __P((
+	krb5_storage *sp,
+	krb5_authdata auth));
+
+krb5_error_code
+krb5_store_creds __P((
+	krb5_storage *sp,
+	krb5_creds *creds));
+
+krb5_error_code
+krb5_store_data __P((
+	krb5_storage *sp,
+	krb5_data data));
+
+krb5_error_code
+krb5_store_int16 __P((
+	krb5_storage *sp,
+	int16_t value));
+
+krb5_error_code
+krb5_store_int32 __P((
+	krb5_storage *sp,
+	int32_t value));
+
+krb5_error_code
+krb5_store_int8 __P((
+	krb5_storage *sp,
+	int8_t value));
+
+krb5_error_code
+krb5_store_keyblock __P((
+	krb5_storage *sp,
+	krb5_keyblock p));
+
+krb5_error_code
+krb5_store_principal __P((
+	krb5_storage *sp,
+	krb5_principal p));
+
+krb5_error_code
+krb5_store_string __P((
+	krb5_storage *sp,
+	const char *s));
+
+krb5_error_code
+krb5_store_stringz __P((
+	krb5_storage *sp,
+	const char *s));
+
+krb5_error_code
+krb5_store_times __P((
+	krb5_storage *sp,
+	krb5_times times));
+
+krb5_error_code
+krb5_string_to_deltat __P((
+	const char *string,
+	krb5_deltat *deltat));
+
+krb5_error_code
+krb5_string_to_enctype __P((
+	krb5_context context,
+	const char *string,
+	krb5_enctype *etype));
+
+krb5_error_code
+krb5_string_to_key __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	const char *password,
+	krb5_principal principal,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_string_to_key_data __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	krb5_data password,
+	krb5_principal principal,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_string_to_key_data_salt __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	krb5_data password,
+	krb5_salt salt,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_string_to_key_derived __P((
+	krb5_context context,
+	const void *str,
+	size_t len,
+	krb5_enctype etype,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_string_to_key_salt __P((
+	krb5_context context,
+	krb5_enctype enctype,
+	const char *password,
+	krb5_salt salt,
+	krb5_keyblock *key));
+
+krb5_error_code
+krb5_string_to_keytype __P((
+	krb5_context context,
+	const char *string,
+	krb5_keytype *keytype));
+
+krb5_error_code
+krb5_string_to_salttype __P((
+	krb5_context context,
+	krb5_enctype etype,
+	const char *string,
+	krb5_salttype *salttype));
+
+krb5_error_code
+krb5_timeofday __P((
+	krb5_context context,
+	krb5_timestamp *timeret));
+
+krb5_error_code
+krb5_unparse_name __P((
+	krb5_context context,
+	krb5_const_principal principal,
+	char **name));
+
+krb5_error_code
+krb5_unparse_name_fixed __P((
+	krb5_context context,
+	krb5_const_principal principal,
+	char *name,
+	size_t len));
+
+krb5_error_code
+krb5_unparse_name_fixed_short __P((
+	krb5_context context,
+	krb5_const_principal principal,
+	char *name,
+	size_t len));
+
+krb5_error_code
+krb5_unparse_name_short __P((
+	krb5_context context,
+	krb5_const_principal principal,
+	char **name));
+
+krb5_error_code
+krb5_us_timeofday __P((
+	krb5_context context,
+	int32_t *sec,
+	int32_t *usec));
+
+krb5_error_code
+krb5_vabort __P((
+	krb5_context context,
+	krb5_error_code code,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((noreturn, format (printf, 3, 0)));
+
+krb5_error_code
+krb5_vabortx __P((
+	krb5_context context,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((noreturn, format (printf, 2, 0)));
+
+krb5_error_code
+krb5_verify_ap_req __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_ap_req *ap_req,
+	krb5_const_principal server,
+	krb5_keyblock *keyblock,
+	krb5_flags flags,
+	krb5_flags *ap_req_options,
+	krb5_ticket **ticket));
+
+krb5_error_code
+krb5_verify_ap_req2 __P((
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	krb5_ap_req *ap_req,
+	krb5_const_principal server,
+	krb5_keyblock *keyblock,
+	krb5_flags flags,
+	krb5_flags *ap_req_options,
+	krb5_ticket **ticket,
+	krb5_key_usage usage));
+
+krb5_error_code
+krb5_verify_authenticator_checksum __P((
+	krb5_context context,
+	krb5_auth_context ac,
+	void *data,
+	size_t len));
+
+krb5_error_code
+krb5_verify_checksum __P((
+	krb5_context context,
+	krb5_crypto crypto,
+	krb5_key_usage usage,
+	void *data,
+	size_t len,
+	Checksum *cksum));
+
+krb5_error_code
+krb5_verify_init_creds __P((
+	krb5_context context,
+	krb5_creds *creds,
+	krb5_principal ap_req_server,
+	krb5_keytab ap_req_keytab,
+	krb5_ccache *ccache,
+	krb5_verify_init_creds_opt *options));
+
+void
+krb5_verify_init_creds_opt_init __P((krb5_verify_init_creds_opt *options));
+
+void
+krb5_verify_init_creds_opt_set_ap_req_nofail __P((
+	krb5_verify_init_creds_opt *options,
+	int ap_req_nofail));
+
+void
+krb5_verify_opt_init __P((krb5_verify_opt *opt));
+
+void
+krb5_verify_opt_set_ccache __P((
+	krb5_verify_opt *opt,
+	krb5_ccache ccache));
+
+void
+krb5_verify_opt_set_flags __P((
+	krb5_verify_opt *opt,
+	unsigned int flags));
+
+void
+krb5_verify_opt_set_keytab __P((
+	krb5_verify_opt *opt,
+	krb5_keytab keytab));
+
+void
+krb5_verify_opt_set_secure __P((
+	krb5_verify_opt *opt,
+	krb5_boolean secure));
+
+void
+krb5_verify_opt_set_service __P((
+	krb5_verify_opt *opt,
+	const char *service));
+
+krb5_error_code
+krb5_verify_user __P((
+	krb5_context context,
+	krb5_principal principal,
+	krb5_ccache ccache,
+	const char *password,
+	krb5_boolean secure,
+	const char *service));
+
+krb5_error_code
+krb5_verify_user_lrealm __P((
+	krb5_context context,
+	krb5_principal principal,
+	krb5_ccache ccache,
+	const char *password,
+	krb5_boolean secure,
+	const char *service));
+
+krb5_error_code
+krb5_verify_user_opt __P((
+	krb5_context context,
+	krb5_principal principal,
+	const char *password,
+	krb5_verify_opt *opt));
+
+krb5_error_code
+krb5_verr __P((
+	krb5_context context,
+	int eval,
+	krb5_error_code code,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((noreturn, format (printf, 4, 0)));
+
+krb5_error_code
+krb5_verrx __P((
+	krb5_context context,
+	int eval,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((noreturn, format (printf, 3, 0)));
+
+krb5_error_code
+krb5_vlog __P((
+	krb5_context context,
+	krb5_log_facility *fac,
+	int level,
+	const char *fmt,
+	va_list ap))
+    __attribute__((format (printf, 4, 0)));
+
+krb5_error_code
+krb5_vlog_msg __P((
+	krb5_context context,
+	krb5_log_facility *fac,
+	char **reply,
+	int level,
+	const char *fmt,
+	va_list ap))
+    __attribute__((format (printf, 5, 0)));
+
+krb5_error_code
+krb5_vset_error_string __P((
+	krb5_context context,
+	const char *fmt,
+	va_list args))
+    __attribute__ ((format (printf, 2, 0)));
+
+krb5_error_code
+krb5_vwarn __P((
+	krb5_context context,
+	krb5_error_code code,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((format (printf, 3, 0)));
+
+krb5_error_code
+krb5_vwarnx __P((
+	krb5_context context,
+	const char *fmt,
+	va_list ap))
+    __attribute__ ((format (printf, 2, 0)));
+
+krb5_error_code
+krb5_warn __P((
+	krb5_context context,
+	krb5_error_code code,
+	const char *fmt,
+	...))
+    __attribute__ ((format (printf, 3, 4)));
+
+krb5_error_code
+krb5_warnx __P((
+	krb5_context context,
+	const char *fmt,
+	...))
+    __attribute__ ((format (printf, 2, 3)));
+
+krb5_error_code
+krb5_write_message __P((
+	krb5_context context,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_error_code
+krb5_write_priv_message __P((
+	krb5_context context,
+	krb5_auth_context ac,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_error_code
+krb5_write_safe_message __P((
+	krb5_context context,
+	krb5_auth_context ac,
+	krb5_boolean priv,
+	krb5_pointer p_fd,
+	krb5_data *data));
+
+krb5_error_code
+krb5_xfree __P((void *ptr));
+
+krb5_error_code
+principalname2krb5_principal __P((
+	krb5_principal *principal,
+	const PrincipalName from,
+	const Realm realm));
+
+#endif /* __krb5_protos_h__ */
diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5
new file mode 100644
index 0000000..ca2d1e59
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5.conf.5
@@ -0,0 +1,350 @@
+.\" $Id: krb5.conf.5,v 1.17 2001/05/31 13:58:34 assar Exp $
+.\"
+.Dd April 11, 1999
+.Dt KRB5.CONF 5
+.Os HEIMDAL
+.Sh NAME
+.Nm /etc/krb5.conf
+.Nd configuration file for Kerberos 5
+.Sh DESCRIPTION
+The 
+.Nm
+file specifies several configuration parameters for the Kerberos 5
+library, as well as for some programs.
+.Pp
+The file consists of one or more sections, containing a number of
+bindings. The value of each binding can be either a string or a list
+of other bindings. The grammar looks like:
+.Bd -literal -offset indent
+file:
+	/* empty */
+	sections
+
+sections:
+	section sections
+	section
+
+section:
+	'[' section_name ']' bindings
+
+section_name:
+	STRING
+
+bindings:
+	binding bindings
+	binding
+
+binding:
+	name '=' STRING
+	name '=' '{' bindings '}'
+
+name:
+	STRING
+
+.Ed
+.Li STRINGs
+consists of one or more non-white space characters.
+Currently recognised sections and bindings are:
+.Bl -tag -width "xxx" -offset indent
+.It Li [appdefaults]
+Specifies the default values to be used for Kerberos applications.
+You can specify defaults per application, realm, or a combination of
+these.  The preference order is:
+.Bl -enum -compact
+.It
+.Va application Va realm Va option
+.It
+.Va application Va option
+.It
+.Va realm Va option
+.It
+.Va option
+.El
+.Pp
+The supported options are:
+.Bl -tag -width "xxx" -offset indent
+.It Li forwardable = Va boolean
+When obtaining initial credentials, make the credentials forwardable.
+.It Li proxiable = Va boolean
+When obtaining initial credentials, make the credentials proxiable.
+.It Li no-addresses = Va boolean
+When obtaining initial credentials, request them for an empty set of
+addresses, making the tickets valid from any address.
+.It Li ticket_life = Va time
+Default ticket lifetime.
+.It Li renew_lifetime = Va time
+Default renewable ticket lifetime.
+.El
+.It Li [libdefaults]
+.Bl -tag -width "xxx" -offset indent
+.It Li default_realm = Va REALM
+Default realm to use, this is also known as your 
+.Dq local realm .
+The default is the result of
+.Fn krb5_get_host_realm "local hostname" .
+.It Li clockskew = Va time
+Maximum time differential (in seconds) allowed when comparing
+times. Default is 300 seconds (five minutes).
+.It Li kdc_timeout = Va time
+Maximum time to wait for a reply from the kdc, default is 3 seconds.
+.It v4_name_convert
+.It v4_instance_resolve
+These are decribed in the 
+.Xr krb5_425_conv_principal  3
+manual page.
+.It Li capath = {
+.Bl -tag -width "xxx" -offset indent
+.It Va destination-realm Li = Va next-hop-realm
+.It ...
+.El
+Normally, all requests to realms different from the one of the current
+client are sent to this KDC to get cross-realm tickets.
+If this KDC does not have a cross-realm key with the desired realm and
+the hierarchical path to that realm does not work, a path can be
+configured using this directive.
+The text shown above instructs the KDC to try to obtain a cross-realm
+ticket to
+.Va next-hop-realm
+when the desired realm is
+.Va destination-realm .
+This configuration should preferably be done on the KDC where it will
+help all its clients but can also be done on the client itself.
+.It Li }
+.It Li default_etypes = Va etypes...
+A list of default etypes to use.
+.It Li default_etypes_des = Va etypes...
+A list of default etypes to use when requesting a DES credential.
+.It Li default_keytab_name = Va keytab
+The keytab to use if none other is specified, default is
+.Dq FILE:/etc/krb5.keytab .
+.It Li kdc_timesync = Va boolean
+Try to keep track of the time differential between the local machine
+and the KDC, and then compensate for that when issuing requests.
+.It Li max_retries = Va number
+The max number of times to try to contact each KDC.
+.It Li ticket_lifetime = Va time
+Default ticket lifetime.
+.It Li renew_lifetime = Va time
+Default renewable ticket lifetime.
+.It Li forwardable = Va boolean
+When obtaining initial credentials, make the credentials forwardable.
+This option is also valid in the [realms] section.
+.It Li proxiable = Va boolean
+When obtaining initial credentials, make the credentials proxiable.
+This option is also valid in the [realms] section.
+.It Li verify_ap_req_nofail = Va boolean
+Enable to make a failure to verify obtained credentials
+non-fatal. This can be useful if there is no keytab on a host.
+.It Li warn_pwexpire = Va time
+How soon to warn for expiring password. Default is seven days.
+.It Li http_proxy = Va proxy-spec
+A HTTP-proxy to use when talking to the KDC via HTTP.
+.It Li dns_proxy = Va proxy-spec
+Enable using DNS via HTTP.
+.It Li extra_addresses = Va address...
+A list of addresses to get tickets for along with all local addresses.
+.It Li time_format = Va string
+How to print time strings in logs, this string is passed to
+.Xr strftime 3 .
+.It Li date_format = Va string
+How to print date strings in logs, this string is passed to
+.Xr strftime 3 .
+.It Li log_utc = Va boolean
+Write log-entries using UTC instead of your local time zone.
+.It Li srv_lookup = Va boolean
+Use DNS SRV records to lookup realm configuration information.
+.It Li srv_try_txt = Va boolean
+If a SRV lookup fails, try looking up the same info in a DNS TXT record.
+.It Li scan_interfaces = Va boolean
+Scan all network interfaces for addresses, as opposed to simply using
+the address associated with the system's host name.
+.It Li fcache_version = Va int
+Use file credential cache format version specified.
+.It Li krb4_get_tickets = Va boolean
+Also get Kerberos 4 tickets in
+.Nm kinit
+and other programs.
+This option is also valid in the [realms] section.
+.El
+.It Li [domain_realm]
+This is a list of mappings from DNS domain to Kerberos realm. Each
+binding in this section looks like:
+.Pp
+.Dl domain = realm
+.Pp
+The domain can be either a full name of a host or a trailing
+component, in the latter case the domain-string should start with a
+perid.
+.It Li [realms]
+.Bl -tag -width "xxx" -offset indent
+.It Va REALM Li = {
+.Bl -tag -width "xxx" -offset indent
+.It Li kdc = Va host[:port]
+Specifies a list of kdcs for this realm. If the optional port is absent, the
+default value for the
+.Dq kerberos/udp
+service will be used.
+The kdcs will be used in the order that they are specified.
+.It Li admin_server = Va host[:port]
+Specifies the admin server for this realm, where all the modifications
+to the database are perfomed.
+.It Li kpasswd_server = Va host[:port]
+Points to the server where all the password changes are perfomed.
+If there is no such entry, the kpasswd port on the admin_server host
+will be tried.
+.It Li v4_instance_convert
+.It Li v4_name_convert
+.It Li default_domain
+See
+.Xr krb5_425_conv_principal 3 .
+.El
+.It Li }
+.El
+.It Li [logging]
+.Bl -tag -width "xxx" -offset indent
+.It Va entity Li = Va destination
+Specifies that
+.Va entity
+should use the specified
+.Li destination
+for logging. See the
+.Xr krb5_openlog 3
+manual page for a list of defined destinations.
+.El
+.It Li [kdc]
+.Bl -tag -width "xxx" -offset indent
+.It database Li = {
+.Bl -tag -width "xxx" -offset indent
+.It dbname Li = Va DATABASENAME
+use this database for this realm.
+.It realm Li = Va REALM
+specifies the realm that will be stored in this database.
+.It mkey_file Li = Pa FILENAME
+use this keytab file for the master key of this database.
+If not specified
+.Va DATABASENAME Ns .mkey
+will be used.
+.It acl_file Li = PA FILENAME
+use this file for the ACL list of this database.
+.It log_file Li = Pa FILENAME
+use this file as the log of changes performed to the database.  This
+file is used by
+.Nm ipropd-master
+for propagating changes to slaves.
+.El
+.It Li }
+.It max-request = Va SIZE
+Maximum size of a kdc request.
+.It require-preauth = Va BOOL
+If set pre-authentication is required. Since krb4 requests are not
+pre-authenticated they will be rejected.
+.It ports = Va "list of ports"
+list of ports the kdc should listen to.
+.It addresses = Va "list of interfaces"
+list of addresses the kdc should bind to.
+.It enable-kerberos4 = Va BOOL
+turn on kerberos4 support.
+.It v4-realm = Va REALM
+to what realm v4 requests should be mapped.
+.It enable-524 = Va BOOL
+should the Kerberos 524 converting facility be turned on. Default is same as
+.Va enable-kerberos4 .
+.It enable-http = Va BOOL
+should the kdc answer kdc-requests over http.
+.It enable-kaserver = Va BOOL
+if this kdc should emulate the AFS kaserver.
+.It check-ticket-addresses = Va BOOL
+verify the addresses in the tickets used in tgs requests.
+.\" XXX
+.It allow-null-ticket-addresses = Va BOOL
+allow addresses-less tickets.
+.\" XXX 
+.It allow-anonymous = Va BOOL
+if the kdc is allowed to hand out anonymous tickets.
+.It encode_as_rep_as_tgs_rep = Va BOOL
+encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did.
+.\" XXX 
+.It kdc_warn_pwexpire = Va TIME
+the time before expiration that the user should be warned that her
+password is about to expire.
+.It logging = Va Logging
+What type of logging the kdc should use, see also [logging]/kdc.
+.El
+.It Li [kadmin]
+.Bl -tag -width "xxx" -offset indent
+.It require-preauth = Va BOOL
+If pre-authentication is required to talk to the kadmin server.
+.It default_keys = Va keytypes...
+for each entry in
+.Va default_keys
+try to parse it as a sequence of
+.Va etype:salttype:salt
+syntax of this if something like:
+.Pp
+[(des|des3|etype):](pw-salt|afs3-salt)[:string]
+.Pp
+if
+.Ar etype
+is omitted it means everything, and if string is omitted is means the default string (for that principal). Additional special values of keyttypes are:
+.Bl -tag -width "xxx" -offset indent
+.It v5 
+The kerberos 5 salt
+.Va pw-salt
+.It v4
+The kerberos 4 type
+.Va des:pw-salt:
+.El
+.It use_v4_salt = Va BOOL
+When true, this is the same as
+.Pp
+.Va default_keys = Va des3:pw-salt Va v4
+.Pp
+and is only left for backwards compatability.
+.El
+.El
+.Sh ENVIRONMENT
+.Ev KRB5_CONFIG
+points to the configuration file to read.
+.Sh EXAMPLE
+.Bd -literal -offset indent
+[libdefaults]
+	default_realm = FOO.SE
+[domain_realm]
+	.foo.se = FOO.SE
+	.bar.se = FOO.SE
+[realms]
+	FOO.SE = {
+		kdc = kerberos.foo.se
+		v4_name_convert = {
+			rcmd = host
+		}
+		v4_instance_convert = {
+			xyz = xyz.bar.se
+		}
+		default_domain = foo.se
+	}
+[logging]
+	kdc = FILE:/var/heimdal/kdc.log
+	kdc = SYSLOG:INFO
+	default = SYSLOG:INFO:USER
+.Ed
+.Sh DIAGNOSTICS
+Since
+.Nm
+is read and parsed by the krb5 library, there is not a lot of
+opportunities for programs to report parsing errors in any useful
+format.
+To help overcome this problem, there is a program
+.Nm verify_krb5_conf
+that reads
+.Nm
+and tries to emit useful diagnostics from parsing errors.  Note that
+this program does not have any way of knowing what options are
+actually used and thus cannot warn about unknown or misspelt ones.
+.Sh SEE ALSO
+.Xr verify_krb5_conf 8 ,
+.Xr krb5_openlog 3 ,
+.Xr krb5_425_conv_principal 3 ,
+.Xr strftime 3 ,
+.Xr kinit 1 ,
+.Xr Source tm
diff --git a/crypto/heimdal/lib/krb5/krb5.h b/crypto/heimdal/lib/krb5/krb5.h
new file mode 100644
index 0000000..32be069
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5.h
@@ -0,0 +1,650 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: krb5.h,v 1.190 2001/05/16 22:23:56 assar Exp $ */
+
+#ifndef __KRB5_H__
+#define __KRB5_H__
+
+#include <time.h>
+#include <krb5-types.h>
+
+#include <asn1_err.h>
+#include <krb5_err.h>
+#include <heim_err.h>
+
+#include <krb5_asn1.h>
+
+/* simple constants */
+
+#ifndef TRUE
+#define TRUE  1
+#define FALSE 0
+#endif
+
+typedef int krb5_boolean;
+
+typedef int32_t krb5_error_code;
+
+typedef int krb5_kvno;
+
+typedef u_int32_t krb5_flags;
+
+typedef void *krb5_pointer;
+typedef const void *krb5_const_pointer;
+
+typedef octet_string krb5_data;
+
+struct krb5_crypto_data;
+typedef struct krb5_crypto_data *krb5_crypto;
+
+typedef CKSUMTYPE krb5_cksumtype;
+
+typedef Checksum krb5_checksum;
+
+typedef ENCTYPE krb5_enctype;
+
+/* alternative names */
+enum {
+    ENCTYPE_NULL		= ETYPE_NULL,
+    ENCTYPE_DES_CBC_CRC		= ETYPE_DES_CBC_CRC,
+    ENCTYPE_DES_CBC_MD4		= ETYPE_DES_CBC_MD4,
+    ENCTYPE_DES_CBC_MD5		= ETYPE_DES_CBC_MD5,
+    ENCTYPE_DES3_CBC_MD5	= ETYPE_DES3_CBC_MD5,
+    ENCTYPE_OLD_DES3_CBC_SHA1	= ETYPE_OLD_DES3_CBC_SHA1,
+    ENCTYPE_SIGN_DSA_GENERATE	= ETYPE_SIGN_DSA_GENERATE,
+    ENCTYPE_ENCRYPT_RSA_PRIV	= ETYPE_ENCRYPT_RSA_PRIV,
+    ENCTYPE_ENCRYPT_RSA_PUB	= ETYPE_ENCRYPT_RSA_PUB,
+    ENCTYPE_DES3_CBC_SHA1	= ETYPE_DES3_CBC_SHA1,
+    ENCTYPE_ARCFOUR_HMAC_MD5	= ETYPE_ARCFOUR_HMAC_MD5,
+    ENCTYPE_ARCFOUR_HMAC_MD5_56	= ETYPE_ARCFOUR_HMAC_MD5_56,
+    ENCTYPE_ENCTYPE_PK_CROSS	= ETYPE_ENCTYPE_PK_CROSS,
+    ENCTYPE_DES_CBC_NONE	= ETYPE_DES_CBC_NONE,
+    ENCTYPE_DES3_CBC_NONE	= ETYPE_DES3_CBC_NONE,
+    ENCTYPE_DES_CFB64_NONE	= ETYPE_DES_CFB64_NONE,
+    ENCTYPE_DES_PCBC_NONE	= ETYPE_DES_PCBC_NONE,
+    ENCTYPE_DES3_CBC_NONE_IVEC	= ETYPE_DES3_CBC_NONE_IVEC
+};
+
+typedef PADATA_TYPE krb5_preauthtype;
+
+typedef enum krb5_key_usage {
+    KRB5_KU_PA_ENC_TIMESTAMP = 1,
+    /* AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
+       client key (section 5.4.1) */
+    KRB5_KU_TICKET = 2,
+    /* AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
+       application session key), encrypted with the service key
+       (section 5.4.2) */
+    KRB5_KU_AS_REP_ENC_PART = 3,
+    /* AS-REP encrypted part (includes tgs session key or application
+       session key), encrypted with the client key (section 5.4.2) */
+    KRB5_KU_TGS_REQ_AUTH_DAT_SESSION = 4,
+    /* TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+       session key (section 5.4.1) */
+    KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY = 5,
+    /* TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
+          authenticator subkey (section 5.4.1) */
+    KRB5_KU_TGS_REQ_AUTH_CKSUM = 6,
+    /* TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
+       with the tgs session key (sections 5.3.2, 5.4.1) */
+    KRB5_KU_TGS_REQ_AUTH = 7,
+    /* TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
+       authenticator subkey), encrypted with the tgs session key
+       (section 5.3.2) */
+    KRB5_KU_TGS_REP_ENC_PART_SESSION = 8,
+    /* TGS-REP encrypted part (includes application session key),
+       encrypted with the tgs session key (section 5.4.2) */
+    KRB5_KU_TGS_REP_ENC_PART_SUB_KEY = 9,
+    /* TGS-REP encrypted part (includes application session key),
+       encrypted with the tgs authenticator subkey (section 5.4.2) */
+    KRB5_KU_AP_REQ_AUTH_CKSUM = 10,
+    /* AP-REQ Authenticator cksum, keyed with the application session
+       key (section 5.3.2) */
+    KRB5_KU_AP_REQ_AUTH = 11,
+    /* AP-REQ Authenticator (includes application authenticator
+       subkey), encrypted with the application session key (section
+       5.3.2) */
+    KRB5_KU_AP_REQ_ENC_PART = 12,
+    /* AP-REP encrypted part (includes application session subkey),
+       encrypted with the application session key (section 5.5.2) */
+    KRB5_KU_KRB_PRIV = 13,
+    /* KRB-PRIV encrypted part, encrypted with a key chosen by the
+       application (section 5.7.1) */
+    KRB5_KU_KRB_CRED = 14,
+    /* KRB-CRED encrypted part, encrypted with a key chosen by the
+       application (section 5.8.1) */
+    KRB5_KU_KRB_SAFE_CKSUM = 15,
+    /* KRB-SAFE cksum, keyed with a key chosen by the application
+       (section 5.6.1) */
+    KRB5_KU_OTHER_ENCRYPTED = 16,
+    /* Data which is defined in some specification outside of
+       Kerberos to be encrypted using an RFC1510 encryption type. */
+    KRB5_KU_OTHER_CKSUM = 17,
+    /* Data which is defined in some specification outside of
+       Kerberos to be checksummed using an RFC1510 checksum type. */
+    KRB5_KU_KRB_ERROR = 18,
+    /* Krb-error checksum */
+    KRB5_KU_AD_KDC_ISSUED = 19,
+    /* AD-KDCIssued checksum */
+    KRB5_KU_MANDATORY_TICKET_EXTENSION = 20,
+    /* Checksum for Mandatory Ticket Extensions */
+    KRB5_KU_AUTH_DATA_TICKET_EXTENSION = 21,
+    /* Checksum in Authorization Data in Ticket Extensions */
+    KRB5_KU_USAGE_SEAL = 22,
+    /* seal in GSSAPI krb5 mechanism */
+    KRB5_KU_USAGE_SIGN = 23,
+    /* sign in GSSAPI krb5 mechanism */
+    KRB5_KU_USAGE_SEQ = 24
+    /* SEQ in GSSAPI krb5 mechanism */
+} krb5_key_usage;
+
+typedef krb5_key_usage krb5_keyusage;
+
+typedef enum krb5_salttype {
+    KRB5_PW_SALT = KRB5_PADATA_PW_SALT,
+    KRB5_AFS3_SALT = KRB5_PADATA_AFS3_SALT
+}krb5_salttype;
+
+typedef struct krb5_salt {
+    krb5_salttype salttype;
+    krb5_data saltvalue;
+} krb5_salt;
+
+typedef ETYPE_INFO krb5_preauthinfo;
+
+typedef struct {
+    krb5_preauthtype type;
+    krb5_preauthinfo info; /* list of preauthinfo for this type */
+} krb5_preauthdata_entry;
+
+typedef struct krb5_preauthdata {
+    unsigned len;
+    krb5_preauthdata_entry *val;
+}krb5_preauthdata;
+
+typedef enum krb5_address_type { 
+    KRB5_ADDRESS_INET     =   2,
+    KRB5_ADDRESS_INET6    =  24,
+    KRB5_ADDRESS_ADDRPORT = 256,
+    KRB5_ADDRESS_IPPORT   = 257
+} krb5_address_type;
+
+enum {
+  AP_OPTS_USE_SESSION_KEY = 1,
+  AP_OPTS_MUTUAL_REQUIRED = 2
+};
+
+typedef HostAddress krb5_address;
+
+typedef HostAddresses krb5_addresses;
+
+typedef enum krb5_keytype { 
+    KEYTYPE_NULL	= 0,
+    KEYTYPE_DES		= 1,
+    KEYTYPE_DES3	= 7,
+    KEYTYPE_ARCFOUR	= 23
+} krb5_keytype;
+
+typedef EncryptionKey krb5_keyblock;
+
+typedef AP_REQ krb5_ap_req;
+
+struct krb5_cc_ops;
+
+#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_"
+
+#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT
+
+#define KRB5_ACCEPT_NULL_ADDRESSES(C) 					 \
+    krb5_config_get_bool_default((C), NULL, TRUE, 			 \
+				 "libdefaults", "accept_null_addresses", \
+				 NULL)
+
+typedef void *krb5_cc_cursor;
+
+typedef struct krb5_ccache_data {
+    const struct krb5_cc_ops *ops;
+    krb5_data data;
+}krb5_ccache_data;
+
+typedef struct krb5_ccache_data *krb5_ccache;
+
+typedef struct krb5_context_data *krb5_context;
+
+typedef Realm krb5_realm;
+typedef const char *krb5_const_realm; /* stupid language */
+
+#define krb5_realm_length(r) strlen(r)
+#define krb5_realm_data(r) (r)
+
+typedef Principal krb5_principal_data;
+typedef struct Principal *krb5_principal;
+typedef const struct Principal *krb5_const_principal;
+
+typedef time_t krb5_deltat;
+typedef time_t krb5_timestamp;
+
+typedef struct krb5_times {
+  krb5_timestamp authtime;
+  krb5_timestamp starttime;
+  krb5_timestamp endtime;
+  krb5_timestamp renew_till;
+} krb5_times;
+
+typedef union {
+    TicketFlags b;
+    krb5_flags i;
+} krb5_ticket_flags;
+
+/* options for krb5_get_in_tkt() */
+#define KDC_OPT_FORWARDABLE		(1 << 1)
+#define KDC_OPT_FORWARDED		(1 << 2)
+#define KDC_OPT_PROXIABLE		(1 << 3)
+#define KDC_OPT_PROXY			(1 << 4)
+#define KDC_OPT_ALLOW_POSTDATE		(1 << 5)
+#define KDC_OPT_POSTDATED		(1 << 6)
+#define KDC_OPT_RENEWABLE		(1 << 8)
+#define KDC_OPT_REQUEST_ANONYMOUS	(1 << 14)
+#define KDC_OPT_DISABLE_TRANSITED_CHECK	(1 << 26)
+#define KDC_OPT_RENEWABLE_OK		(1 << 27)
+#define KDC_OPT_ENC_TKT_IN_SKEY		(1 << 28)
+#define KDC_OPT_RENEW			(1 << 30)
+#define KDC_OPT_VALIDATE		(1 << 31)
+
+typedef union {
+    KDCOptions b;
+    krb5_flags i;
+} krb5_kdc_flags;
+
+/* flags for krb5_verify_ap_req */
+
+#define KRB5_VERIFY_AP_REQ_IGNORE_INVALID	(1 << 0)
+
+#define KRB5_GC_CACHED		1
+#define KRB5_GC_USER_USER	2
+
+/* constants for compare_creds (and cc_retrieve_cred) */
+#define KRB5_TC_DONT_MATCH_REALM	(1U << 31)
+#define KRB5_TC_MATCH_KEYTYPE		(1U << 30)
+
+typedef AuthorizationData krb5_authdata;
+
+typedef KRB_ERROR krb5_error;
+
+typedef struct krb5_creds {
+    krb5_principal client;
+    krb5_principal server;
+    krb5_keyblock session;
+    krb5_times times;
+    krb5_data ticket;
+    krb5_data second_ticket;
+    krb5_authdata authdata;
+    krb5_addresses addresses;
+    krb5_ticket_flags flags;
+} krb5_creds;
+
+typedef struct krb5_cc_ops {
+    char *prefix;
+    char* (*get_name)(krb5_context, krb5_ccache);
+    krb5_error_code (*resolve)(krb5_context, krb5_ccache *, const char *);
+    krb5_error_code (*gen_new)(krb5_context, krb5_ccache *);
+    krb5_error_code (*init)(krb5_context, krb5_ccache, krb5_principal);
+    krb5_error_code (*destroy)(krb5_context, krb5_ccache);
+    krb5_error_code (*close)(krb5_context, krb5_ccache);
+    krb5_error_code (*store)(krb5_context, krb5_ccache, krb5_creds*);
+    krb5_error_code (*retrieve)(krb5_context, krb5_ccache, 
+				krb5_flags, krb5_creds*, krb5_creds);
+    krb5_error_code (*get_princ)(krb5_context, krb5_ccache, krb5_principal*);
+    krb5_error_code (*get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *);
+    krb5_error_code (*get_next)(krb5_context, krb5_ccache, 
+				krb5_cc_cursor*, krb5_creds*);
+    krb5_error_code (*end_get)(krb5_context, krb5_ccache, krb5_cc_cursor*);
+    krb5_error_code (*remove_cred)(krb5_context, krb5_ccache, 
+				   krb5_flags, krb5_creds*);
+    krb5_error_code (*set_flags)(krb5_context, krb5_ccache, krb5_flags);
+    int (*get_version)(krb5_context, krb5_ccache);
+} krb5_cc_ops;
+
+struct krb5_log_facility;
+
+struct krb5_config_binding {
+    enum { krb5_config_string, krb5_config_list } type;
+    char *name;
+    struct krb5_config_binding *next;
+    union {
+	char *string;
+	struct krb5_config_binding *list;
+	void *generic;
+    } u;
+};
+
+typedef struct krb5_config_binding krb5_config_binding;
+
+typedef krb5_config_binding krb5_config_section;
+
+typedef struct krb5_context_data {
+    krb5_enctype *etypes;
+    krb5_enctype *etypes_des;
+    char **default_realms;
+    time_t max_skew;
+    time_t kdc_timeout;
+    unsigned max_retries;
+    int32_t kdc_sec_offset;
+    int32_t kdc_usec_offset;
+    krb5_config_section *cf;
+    struct et_list *et_list;
+    struct krb5_log_facility *warn_dest;
+    krb5_cc_ops *cc_ops;
+    int num_cc_ops;
+    const char *http_proxy;
+    const char *time_fmt;
+    krb5_boolean log_utc;
+    const char *default_keytab;
+    const char *default_keytab_modify;
+    krb5_boolean use_admin_kdc;
+    krb5_addresses *extra_addresses;
+    krb5_boolean scan_interfaces;	/* `ifconfig -a' */
+    krb5_boolean srv_lookup;		/* do SRV lookups */
+    krb5_boolean srv_try_txt;		/* try TXT records also */
+    krb5_boolean srv_try_rfc2052;	/* try RFC2052 compatible records */
+    int32_t fcache_vno;			/* create cache files w/ this
+                                           version */
+    int num_kt_types;			/* # of registered keytab types */
+    struct krb5_keytab_data *kt_types;  /* registered keytab types */
+    const char *date_fmt;
+    char *error_string;
+    char error_buf[256];
+} krb5_context_data;
+
+typedef struct krb5_ticket {
+    EncTicketPart ticket;
+    krb5_principal client;
+    krb5_principal server;
+} krb5_ticket;
+
+typedef Authenticator krb5_authenticator_data;
+
+typedef krb5_authenticator_data *krb5_authenticator;
+
+struct krb5_rcache_data;
+typedef struct krb5_rcache_data *krb5_rcache;
+typedef Authenticator krb5_donot_replay;
+
+#define KRB5_STORAGE_HOST_BYTEORDER			0x01 /* old */
+#define KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS	0x02
+#define KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE		0x04
+#define KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE		0x08
+#define KRB5_STORAGE_BYTEORDER_MASK			0x60
+#define KRB5_STORAGE_BYTEORDER_BE			0x00 /* default */
+#define KRB5_STORAGE_BYTEORDER_LE			0x20
+#define KRB5_STORAGE_BYTEORDER_HOST			0x40
+
+typedef struct krb5_storage {
+    void *data;
+    ssize_t (*fetch)(struct krb5_storage*, void*, size_t);
+    ssize_t (*store)(struct krb5_storage*, const void*, size_t);
+    off_t (*seek)(struct krb5_storage*, off_t, int);
+    void (*free)(struct krb5_storage*);
+    krb5_flags flags;
+} krb5_storage;
+
+typedef struct krb5_keytab_entry {
+    krb5_principal principal;
+    krb5_kvno vno;
+    krb5_keyblock keyblock;
+    u_int32_t timestamp;
+} krb5_keytab_entry;
+
+typedef struct krb5_kt_cursor {
+    int fd;
+    krb5_storage *sp;
+    void *data;
+} krb5_kt_cursor;
+
+struct krb5_keytab_data;
+
+typedef struct krb5_keytab_data *krb5_keytab;
+
+struct krb5_keytab_data {
+    char *prefix;
+    krb5_error_code (*resolve)(krb5_context, const char*, krb5_keytab);
+    krb5_error_code (*get_name)(krb5_context, krb5_keytab, char*, size_t);
+    krb5_error_code (*close)(krb5_context, krb5_keytab);
+    krb5_error_code (*get)(krb5_context, krb5_keytab, krb5_const_principal, 
+			   krb5_kvno, krb5_enctype, krb5_keytab_entry*);
+    krb5_error_code (*start_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
+    krb5_error_code (*next_entry)(krb5_context, krb5_keytab, 
+				  krb5_keytab_entry*, krb5_kt_cursor*);
+    krb5_error_code (*end_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
+    krb5_error_code (*add)(krb5_context, krb5_keytab, krb5_keytab_entry*);
+    krb5_error_code (*remove)(krb5_context, krb5_keytab, krb5_keytab_entry*);
+    void *data;
+    int32_t version;
+};
+
+typedef struct krb5_keytab_data krb5_kt_ops;
+
+struct krb5_keytab_key_proc_args {
+    krb5_keytab keytab;
+    krb5_principal principal;
+};
+
+typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args;
+
+typedef struct krb5_replay_data {
+    krb5_timestamp timestamp;
+    u_int32_t usec;
+    u_int32_t seq;
+} krb5_replay_data;
+
+/* flags for krb5_auth_con_setflags */
+enum {
+    KRB5_AUTH_CONTEXT_DO_TIME      = 1,
+    KRB5_AUTH_CONTEXT_RET_TIME     = 2,
+    KRB5_AUTH_CONTEXT_DO_SEQUENCE  = 4,
+    KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8,
+    KRB5_AUTH_CONTEXT_PERMIT_ALL   = 16
+};
+
+/* flags for krb5_auth_con_genaddrs */
+enum {
+    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR       = 1,
+    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR  = 3,
+    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR      = 4,
+    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR = 12
+};
+
+typedef struct krb5_auth_context_data {
+    unsigned int flags;
+
+    krb5_address *local_address;
+    krb5_address *remote_address;
+    int16_t local_port;
+    int16_t remote_port;
+    krb5_keyblock *keyblock;
+    krb5_keyblock *local_subkey;
+    krb5_keyblock *remote_subkey;
+
+    u_int32_t local_seqnumber;
+    u_int32_t remote_seqnumber;
+
+    krb5_authenticator authenticator;
+  
+    krb5_pointer i_vector;
+  
+    krb5_rcache rcache;
+
+    krb5_keytype keytype;	/* ¿requested key type ? */
+    krb5_cksumtype cksumtype;	/* ¡requested checksum type! */
+  
+}krb5_auth_context_data, *krb5_auth_context;
+
+typedef struct {
+    KDC_REP kdc_rep;
+    EncKDCRepPart enc_part;
+    KRB_ERROR error;
+} krb5_kdc_rep;
+
+extern const char *heimdal_version, *heimdal_long_version;
+
+typedef void (*krb5_log_log_func_t)(const char*, const char*, void*);
+typedef void (*krb5_log_close_func_t)(void*);
+
+typedef struct krb5_log_facility {
+    const char *program;
+    int len;
+    struct facility *val;
+} krb5_log_facility;
+
+typedef EncAPRepPart krb5_ap_rep_enc_part;
+
+#define KRB5_RECVAUTH_IGNORE_VERSION 1
+
+#define KRB5_SENDAUTH_VERSION "KRB5_SENDAUTH_V1.0"
+
+#define KRB5_TGS_NAME_SIZE (6)
+#define KRB5_TGS_NAME ("krbtgt")
+
+/* variables */
+
+extern const char krb5_config_file[];
+extern const char krb5_defkeyname[];
+
+typedef enum {
+    KRB5_PROMPT_TYPE_PASSWORD		= 0x1,
+    KRB5_PROMPT_TYPE_NEW_PASSWORD	= 0x2,
+    KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN = 0x3,
+    KRB5_PROMPT_TYPE_PREAUTH		= 0x4
+} krb5_prompt_type;
+
+typedef struct _krb5_prompt {
+    char *prompt;
+    int hidden;
+    krb5_data *reply;
+    krb5_prompt_type type;
+} krb5_prompt;
+
+typedef int (*krb5_prompter_fct)(krb5_context context,
+				 void *data,
+				 const char *name,
+				 const char *banner,
+				 int num_prompts,
+				 krb5_prompt prompts[]);
+
+typedef krb5_error_code (*krb5_key_proc)(krb5_context context,
+					 krb5_enctype type,
+					 krb5_salt salt,
+					 krb5_const_pointer keyseed,
+					 krb5_keyblock **key);
+typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context context,
+					     krb5_keyblock *key,
+					     krb5_key_usage usage,
+					     krb5_const_pointer decrypt_arg,
+					     krb5_kdc_rep *dec_rep);
+
+
+typedef struct _krb5_get_init_creds_opt {
+    krb5_flags flags;
+    krb5_deltat tkt_life;
+    krb5_deltat renew_life;
+    int forwardable;
+    int proxiable;
+    int anonymous;
+    krb5_enctype *etype_list;
+    int etype_list_length;
+    krb5_addresses *address_list;
+#if 0 /* this is the MIT-way */
+    krb5_address **address_list;
+#endif
+    /* XXX the next three should not be used, as they may be
+       removed later */
+    krb5_preauthtype *preauth_list;
+    int preauth_list_length;
+    krb5_data *salt;
+} krb5_get_init_creds_opt;
+
+#define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE	0x0001
+#define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE	0x0002
+#define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE	0x0004
+#define KRB5_GET_INIT_CREDS_OPT_PROXIABLE	0x0008
+#define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST	0x0010
+#define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST	0x0020
+#define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST	0x0040
+#define KRB5_GET_INIT_CREDS_OPT_SALT		0x0080
+#define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS	0x0100
+
+typedef struct _krb5_verify_init_creds_opt {
+    krb5_flags flags;
+    int ap_req_nofail;
+} krb5_verify_init_creds_opt;
+
+#define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL	0x0001
+
+typedef struct krb5_verify_opt {
+    unsigned int flags;
+    krb5_ccache ccache;
+    krb5_keytab keytab;
+    krb5_boolean secure;
+    const char *service;
+} krb5_verify_opt;
+
+#define KRB5_VERIFY_LREALMS 1
+
+extern const krb5_cc_ops krb5_fcc_ops;
+extern const krb5_cc_ops krb5_mcc_ops;
+
+extern const krb5_kt_ops krb5_fkt_ops;
+extern const krb5_kt_ops krb5_mkt_ops;
+extern const krb5_kt_ops krb5_akf_ops;
+extern const krb5_kt_ops krb4_fkt_ops;
+extern const krb5_kt_ops krb5_srvtab_fkt_ops;
+extern const krb5_kt_ops krb5_any_ops;
+
+#define KRB5_KPASSWD_SUCCESS	0
+#define KRB5_KPASSWD_MALFORMED	0
+#define KRB5_KPASSWD_HARDERROR	0
+#define KRB5_KPASSWD_AUTHERROR	0
+#define KRB5_KPASSWD_SOFTERROR	0
+
+#define KPASSWD_PORT 464
+
+struct credentials; /* this is to keep the compiler happy */
+struct getargs;
+
+struct sockaddr;
+
+#include <krb5-protos.h>
+
+#endif /* __KRB5_H__ */
+
diff --git a/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3 b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
new file mode 100644
index 0000000..edd2f47
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_425_conv_principal.3
@@ -0,0 +1,189 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_425_conv_principal.3,v 1.5 2001/05/02 08:59:23 assar Exp $
+.Dd April 11, 1999
+.Dt KRB5_425_CONV_PRINCIPAL 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_425_conv_principal ,
+.Nm krb5_425_conv_principal_ext ,
+.Nm krb5_524_conv_principal
+.Nd converts to and from version 4 principals
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_425_conv_principal "krb5_context context" "const char *name" "const char *instance" "const char *realm" "krb5_principal *principal"
+.Ft krb5_error_code
+.Fn krb5_425_conv_principal_ext "krb5_context context" "const char *name" "const char *instance" "const char *realm" "krb5_boolean (*func)(krb5_context, krb5_principal)" "krb5_boolean resolve" "krb5_principal *principal"
+.Ft krb5_error_code
+.Fn krb5_524_conv_principal "krb5_context context" "const krb5_principal principal" "char *name" "char *instance" "char *realm"
+.Sh DESCRIPTION
+Converting between version 4 and version 5 principals can at best be
+described as a mess.
+.Pp
+A version 4 principal consists of a name, an instance, and a realm. A
+version 5 principal consists of one or more components, and a
+realm. In some cases also the first component/name will differ between
+version 4 and version 5.  Furthermore the second component of a host
+principal will be the fully qualified domain name of the host in
+question, while the instance of a version 4 principal will only
+contain the first component.  Because of these problems the conversion
+between principals will have to be site customized.
+.Pp
+.Fn krb5_425_conv_principal_ext
+will try to convert a version 4 principal, given by
+.Fa name ,
+.Fa instance ,
+and
+.Fa realm ,
+to a version 5 principal. This can result in several possible
+principals, and if
+.Fa func
+is non-NULL, it will be called for each candidate principal.
+.Fa func
+should return true if the principal was
+.Dq good .
+To accomplish this, 
+.Fn krb5_425_conv_principal_ext 
+will look up the name in
+.Pa krb5.conf .
+It first looks in the 
+.Li v4_name_convert/host
+subsection, which should contain a list of version 4 names whose
+instance should be treated as a hostname. This list can be specified
+for each realm (in the
+.Li realms
+section), or in the
+.Li libdefaults
+section.  If the name is found the resulting name of the principal
+will be the value of this binding. The instance is then first looked
+up in
+.Li v4_instance_convert 
+for the specified realm. If found the resulting value will be used as
+instance (this can be used for special cases), no further attempts
+will be made to find a conversion if this fails (with
+.Fa func ) .
+If the
+.Fa resolve
+parameter is true, the instance will be looked up with
+.Fn gethostbyname .
+This can be a time consuming, error prone, and unsafe operation.  Next
+a list of hostnames will be created from the instance and the
+.Li v4_domains
+variable, which should contain a list of possible domains for the
+specific realm.
+.Pp
+On the other hand, if the name is not found in a
+.Li host
+section, it is looked up in a 
+.Li v4_name_convert/plain
+binding. If found here the name will be converted, but the instance
+will be untouched.
+.Pp
+This list of default host-type conversions is compiled-in:
+.Bd -literal -offset indent
+v4_name_convert = {
+	host = {
+		ftp = ftp
+		hprop = hprop
+		pop = pop
+		rcmd = host
+	}
+}
+.Ed
+.Pp
+It will only be used if there isn't an entry for these names in the
+config file, so you can override these defaults.
+.Pp
+.Fn krb5_425_conv_principal
+will call
+.Fn krb5_425_conv_principal_ext
+with 
+.Dv NULL
+as 
+.Fa func ,
+and the value of
+.Li v4_instance_resolve
+(from the
+.Li libdefaults
+section) as
+.Fa resolve .
+.Pp
+.Fn krb5_524_conv_principal
+basically does the opposite of 
+.Fn krb5_425_conv_principal ,
+it just doesn't have to look up any names, but will instead truncate
+instances found to belong to a host principal. The
+.Fa name , 
+.Fa instance , 
+and 
+.Fa realm
+should be at least 40 characters long.
+.Sh EXAMPLES
+Since this is confusing an example is in place.
+.Pp
+Assume that we have the 
+.Dq foo.com , 
+and 
+.Dq bar.com  
+domains that have shared a single version 4 realm, FOO.COM. The version 4 
+.Pa krb.realms 
+file looked like:
+.Bd -literal -offset indent
+foo.com		FOO.COM
+\&.foo.com	FOO.COM
+\&.bar.com	FOO.COM
+.Ed
+.Pp
+A
+.Pa krb5.conf
+file that covers this case might look like:
+.Bd -literal -offset indent
+[libdefaults]
+	v4_instance_resolve = yes
+[realms]
+	FOO.COM = {
+		kdc = kerberos.foo.com
+		v4_instance_convert = {
+			foo = foo.com
+		}
+		v4_domains = foo.com
+	}
+.Ed
+.Pp
+With this setup and the following host table:
+.Bd -literal -offset indent
+foo.com
+a-host.foo.com
+b-host.bar.com
+.Ed
+the following conversions will be made:
+.Bd -literal -offset indent
+rcmd.a-host	\(-> host/a-host.foo.com
+ftp.b-host	\(-> ftp/b-host.bar.com
+pop.foo		\(-> pop/foo.com
+ftp.other	\(-> ftp/other.foo.com
+other.a-host	\(-> other/a-host
+.Ed
+.Pp
+The first three are what you expect. If you remove the 
+.Dq v4_domains ,
+the fourth entry will result in an error (since the host
+.Dq other
+can't be found). Even if 
+.Dq a-host 
+is a valid host name, the last entry will not be converted, since the
+.Dq other
+name is not known to represent a host-type principal.
+If you turn off
+.Dq v4_instance_resolve
+the second example will result in
+.Dq ftp/b-host.foo.com 
+(because of the default domain). And all of this is of course only
+valid if you have working name resolving.
+.Sh SEE ALSO
+.Xr krb5_build_principal 3 ,
+.Xr krb5_free_principal 3 ,
+.Xr krb5_parse_name 3 ,
+.Xr krb5_sname_to_principal 3 ,
+.Xr krb5_unparse_name 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_appdefault.3 b/crypto/heimdal/lib/krb5/krb5_appdefault.3
new file mode 100644
index 0000000..975cc27
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_appdefault.3
@@ -0,0 +1,52 @@
+.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
+.\" $Id: krb5_appdefault.3,v 1.4 2001/05/02 08:59:23 assar Exp $
+.Dd July 25, 2000
+.Dt KRB5_APPDEFAULT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_appdefault_boolean ,
+.Nm krb5_appdefault_string ,
+.Nm krb5_appdefault_time
+.Nd get application configuration value
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft void
+.Fn krb5_appdefault_boolean "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "krb5_boolean def_val" "krb5_boolean *ret_val"
+.Ft void
+.Fn krb5_appdefault_string "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "const char *def_val" "char **ret_val"
+.Ft void
+.Fn krb5_appdefault_time "krb5_context context" "const char *appname" "krb5_realm realm" "const char *option" "time_t def_val" "time_t *ret_val"
+.Sh DESCRIPTION
+These functions get application application defaults from the 
+.Dv appdefaults
+section of the
+.Xr krb5.conf 5 
+configuration file. These defaults can be specified per application,
+and/or per realm.
+.Pp
+These values will be looked for in 
+.Xr krb5.conf 5 ,
+in order of descending importance.
+.Bd -literal -offset indent
+[appdefaults]
+	appname = {
+		realm = {
+			option = value
+		}
+	}
+	appname = {
+		option = value
+	}
+	realm = {
+		option = value
+	}
+	option = value
+.Ed
+.Pp
+If the realm is omitted it will not be used for resolving values.  If
+no value can be found,
+.Fa def_val
+is returned instead.
+.Sh SEE ALSO
+.Xr krb5_config 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_auth_context.3 b/crypto/heimdal/lib/krb5/krb5_auth_context.3
new file mode 100644
index 0000000..92e25b0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_auth_context.3
@@ -0,0 +1,284 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_auth_context.3,v 1.2 2001/05/02 08:59:23 assar Exp $
+.Dd Jan 21, 2001
+.Dt KRB5_AUTH_CONTEXT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_auth_context ,
+.Nm krb5_auth_con_init ,
+.Nm krb5_auth_con_free ,
+.Nm krb5_auth_con_setflags ,
+.Nm krb5_auth_con_getflags ,
+.Nm krb5_auth_con_setaddrs ,
+.Nm krb5_auth_con_setaddrs_from_fd ,
+.Nm krb5_auth_con_getaddrs ,
+.Nm krb5_auth_con_genaddrs ,
+.Nm krb5_auth_con_getkey ,
+.Nm krb5_auth_con_setkey ,
+.Nm krb5_auth_con_getuserkey ,
+.Nm krb5_auth_con_setuserkey ,
+.Nm krb5_auth_con_getlocalsubkey ,
+.Nm krb5_auth_con_setlocalsubkey ,
+.Nm krb5_auth_con_getremotesubkey ,
+.Nm krb5_auth_con_setremotesubkey ,
+.Nm krb5_auth_setcksumtype ,
+.Nm krb5_auth_getcksumtype ,
+.Nm krb5_auth_setkeytype ,
+.Nm krb5_auth_getkeytype ,
+.Nm krb5_auth_getlocalseqnumber ,
+.Nm krb5_auth_setlocalseqnumber ,
+.Nm krb5_auth_getremoteseqnumber ,
+.Nm krb5_auth_setremoteseqnumber ,
+.Nm krb5_auth_getauthenticator ,
+.Nm krb5_auth_con_getrcache ,
+.Nm krb5_auth_con_setrcache ,
+.Nm krb5_auth_con_initivector ,
+.Nm krb5_auth_con_setivector
+.Nd manage authetication on connection level
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fo krb5_auth_con_init
+.Fa "krb5_context context"
+.Fa "krb5_auth_context *auth_context"
+.Fc
+.Ft void
+.Fo krb5_auth_con_free
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_setflags
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "int32_t flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_getflags
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "int32_t *flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_setaddrs
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_address *local_addr"
+.Fa "krb5_address *remote_addr"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_getaddrs
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_address **local_addr"
+.Fa "krb5_address **remote_addr"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_genaddrs
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "int fd"
+.Fa "int flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_setaddrs_from_fd
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "void *p_fd"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_getkey
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_keyblock **keyblock"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_getlocalsubkey
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_keyblock **keyblock"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_getremotesubkey
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "krb5_keyblock **keyblock"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_initivector
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_setivector
+.Fa "krb5_context context"
+.Fa "krb5_auth_context *auth_context"
+.Fa "krb5_pointer ivector"
+.Fc
+.Sh DESCRIPTION
+The
+.Nm krb5_auth_context
+structure holds all context related to an authenticated connection, in
+a similar way to 
+.Nm krb5_context
+that holds the context for the thread or process.  
+.Nm krb5_auth_context
+is used by various functions that are directly related to
+authentication between the server/client. Example of data that this
+structure contains are varius flags, addresses of client and server,
+port numbers, keyblocks (and subkeys), sequence numbers, replay cache,
+and checksum-type.
+.Pp
+.Fn krb5_auth_con_init
+allocates and initilizes the
+.Nm krb5_auth_context
+structure. Default values can be changed with
+.Fn krb5_auth_con_setcksumtype
+and
+.Fn krb5_auth_con_setflags .
+The
+.Nm auth_context
+structure must be freed by 
+.Fn krb5_auth_con_free .
+.Pp
+.Fn krb5_auth_con_getflags
+and
+.Fn krb5_auth_con_setflags
+gets and modifies the flags for a 
+.Nm krb5_auth_context
+structure. Possible flags to set are:
+.Bl -tag -width Ds
+.It Dv KRB5_AUTH_CONTEXT_DO_TIME
+check timestamp on incoming packets. 
+.\".It Dv KRB5_AUTH_CONTEXT_RET_TIME
+.It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE
+Generate and check sequence-number on each packet.
+.\".It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE
+.\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL
+.El
+.Pp
+.Fn krb5_auth_con_setaddrs ,
+.Fn krb5_auth_con_setaddrs_from_fd
+and
+.Fn krb5_auth_con_getaddrs
+gets and sets the addresses that are checked when a packet is received.
+It is mandatory to set an address for the remote
+host. If the local address is not set, it iss deduced from the underlaying
+operating system.
+.Fn krb5_auth_con_getaddrs
+will call
+.Fn krb5_free_address
+on any address that is passed in
+.Fa local_addr
+or
+.Fa remote_addr .
+.Fn krb5_auth_con_setaddr
+allows passing in a
+.Dv NULL
+pointer as
+.Fa local_addr
+and
+.Fa remote_addr ,
+in that case it will just not set that address.
+.Pp
+.Fn krb5_auth_con_setaddrs_from_fd
+fetches the addresses from a file descriptor.
+.Pp
+.Fn krb5_auth_con_genaddrs
+fetches the address information from the given file descriptor
+.Fa fd 
+depending on the bitmap argument
+.Fa flags .
+.Pp
+Possible values on
+.Fa flags
+are:
+.Bl -tag -width Ds
+.It Va KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
+fetches the local address from
+.Fa fd .
+.It Va KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
+fetches the remote address from
+.Fa fd .
+.El
+.Pp
+.Fn krb5_auth_con_setkey ,
+.Fn krb5_auth_con_setuserkey
+and
+.Fn krb5_auth_con_getkey
+gets and sets the key used for this auth context. The keyblock returned by
+.Fn krb5_auth_con_getkey
+should be freed with
+.Fn krb5_free_keyblock .
+The keyblock send into
+.Fn krb5_auth_con_setkey
+is copied into the
+.Nm krb5_auth_context ,
+and thus no special handling is needed.
+.Dv NULL
+is not a valid keyblock to
+.Fn krb5_auth_con_setkey .
+.Pp
+.Fn krb5_auth_con_setuserkey 
+is only useful when doing user to user authentication.
+.Fn krb5_auth_con_setkey
+is equivalent to
+.Fn krb5_auth_con_setuserkey .
+.Pp
+.Fn krb5_auth_con_getlocalsubkey ,
+.Fn krb5_auth_con_setlocalsubkey ,
+.Fn krb5_auth_con_getremotesubkey
+and
+.Fn krb5_auth_con_setremotesubkey
+gets and sets the keyblock for the local and remote subkey. The keyblock returned by 
+.Fn krb5_auth_con_getlocalsubkey
+and
+.Fn krb5_auth_con_getremotesubkey
+must be freed with
+.Fn krb5_free_keyblock .
+.Pp
+.Fn krb5_auth_setcksumtype
+and
+.Fn krb5_auth_getcksumtype
+sets and gets the checksum type that should be used for this
+connection.
+.Pp
+.Fn krb5_auth_getremoteseqnumber
+.Fn krb5_auth_setremoteseqnumber ,
+.Fn krb5_auth_getlocalseqnumber
+and
+.Fn krb5_auth_setlocalseqnumber
+gets and sets the sequence-number for the local and remote
+sequence-number counter.
+.Pp
+.Fn krb5_auth_setkeytype
+and
+.Fn krb5_auth_getkeytype
+gets and gets the keytype of the keyblock in
+.Nm krb5_auth_context .
+.Pp
+.Fn krb5_auth_getauthenticator
+Retrieves the authenticator that was used during mutual
+authentication. The 
+.Dv authenticator
+returned should be freed by calling
+.Fn krb5_free_authenticator .
+.Pp
+.Fn krb5_auth_con_getrcache
+and
+.Fn krb5_auth_con_setrcache
+gets and sets the replay-cache.
+.Pp
+.Fn krb5_auth_con_initivector
+allocates memory for and zeros the initial vector in the
+.Fa auth_context
+keyblock.
+.Pp
+.Fn krb5_auth_con_setivector
+sets the i_vector portion of 
+.Fa auth_context
+to
+.Fa ivector .
+.Sh SEE ALSO
+.Xr krb5_context 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_build_principal.3 b/crypto/heimdal/lib/krb5/krb5_build_principal.3
new file mode 100644
index 0000000..80ac5e1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_build_principal.3
@@ -0,0 +1,68 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_build_principal.3,v 1.3 2001/05/02 08:59:23 assar Exp $
+.Dd August 8, 1997
+.Dt KRB5_BUILD_PRINCIPAL 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_build_principal ,
+.Nm krb5_build_principal_ext ,
+.Nm krb5_build_principal_va ,
+.Nm krb5_build_principal_va_ext ,
+.Nm krb5_make_principal
+.Nd principal creation functions
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_build_principal "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..."
+.Ft krb5_error_code
+.Fn krb5_build_principal_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "..."
+.Ft krb5_error_code
+.Fn krb5_build_principal_va "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap"
+.Ft krb5_error_code
+.Fn krb5_build_principal_va_ext "krb5_context context" "krb5_principal *principal" "int realm_len" "krb5_const_realm realm" "va_list ap"
+.Ft krb5_error_code
+.Fn krb5_make_principal "krb5_context context" "krb5_principal *principal" "krb5_const_realm realm" "..."
+.Sh DESCRIPTION
+These functions create a Kerberos 5 principal from a realm and a list
+of components.
+All of these functions return an allocated principal in the 
+.Fa principal
+parameter, this should be freed with
+.Fn krb5_free_principal
+after use.
+.Pp
+The
+.Dq build
+functions take a
+.Fa realm
+and the length of the realm.  The
+.Fn krb5_build_principal 
+and
+.Fn krb5_build_principal_va
+also takes a list of components (zero-terminated strings), terminated
+with
+.Dv NULL .
+The
+.Fn krb5_build_principal_ext 
+and 
+.Fn krb5_build_principal_va_ext 
+takes a list of length-value pairs, the list is terminated with a zero
+length.
+.Pp
+The 
+.Fn krb5_make_principal
+is a wrapper around 
+.Fn krb5_build_principal .
+If the realm is
+.Dv NULL ,
+the default realm will be used.
+.Sh BUGS
+You can not have a NUL in a component. Until someone can give a good
+example of where it would be a good idea to have NUL's in a component,
+this will not be fixed.
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_free_principal 3 ,
+.Xr krb5_parse_name 3 ,
+.Xr krb5_sname_to_principal 3 ,
+.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal/lib/krb5/krb5_config.3 b/crypto/heimdal/lib/krb5/krb5_config.3
new file mode 100644
index 0000000..f847436
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_config.3
@@ -0,0 +1,63 @@
+.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
+.\" $Id: krb5_config.3,v 1.2 2001/05/02 08:59:23 assar Exp $
+.Dd July 25, 2000
+.Dt KRB5_CONFIG 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_config_get_bool_default ,
+.Nm krb5_config_get_int_default ,
+.Nm krb5_config_get_string_default ,
+.Nm krb5_config_get_time_default
+.Nd get configuration value
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_boolean
+.Fn krb5_config_get_bool_default "krb5_context context" "krb5_config_section *c" "krb5_boolean def_value" "..."
+.Ft int
+.Fn krb5_config_get_int_default "krb5_context context" "krb5_config_section *c" "int def_value" "..."
+.Ft const char*
+.Fn krb5_config_get_string_default "krb5_context context" "krb5_config_section *c" "const char *def_value" "..."
+.Ft int
+.Fn krb5_config_get_time_default "krb5_context context" "krb5_config_section *c" "int def_value" "..."
+.Sh DESCRIPTION
+These functions get values from the 
+.Xr krb5.conf 5 
+configuration file, or another configuration database specified by the
+.Fa c
+parameter.
+.Pp
+The variable arguments should be a list of strings naming each
+subsection to look for. For example:
+.Bd -literal -offset indent
+krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", "log_utc", NULL)
+.Ed
+.Pp
+gets the boolean value for the
+.Dv log_utc
+option, defaulting to
+.Dv FALSE .
+.Pp
+.Fn krb5_config_get_bool_default
+will convert the option value to a boolean value, where
+.Sq yes , 
+.Sq true ,
+and any non-zero number means
+.Dv TRUE ,
+and any other value 
+.Dv FALSE .
+.Pp
+.Fn krb5_config_get_int_default
+will convert the value to an integer.
+.Pp
+.Fn krb5_config_get_time_default
+will convert the value to a period of time (not a time stamp) in
+seconds, so the string
+.Sq 2 weeks
+will be converted to
+1209600 (2 * 7 * 24 * 60 * 60).
+.Sh BUGS
+Other than for the string case, there's no way to tell whether there
+was a value specified or not.
+.Sh SEE ALSO
+.Xr krb5_appdefault 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_context.3 b/crypto/heimdal/lib/krb5/krb5_context.3
new file mode 100644
index 0000000..83a768d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_context.3
@@ -0,0 +1,20 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_context.3,v 1.1 2001/01/28 21:39:29 assar Exp $
+.Dd Jan 21, 2001
+.Dt KRB5_CONTEXT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_context
+.Sh DESCRIPTION
+The
+.Nm
+structure is designed to hold all per thread state. All global
+variables that are context specific are stored in this struture,
+including default encryption types, credential-cache (ticket file), and
+default realms.
+.Pp
+The internals of the structure should never be accessed directly,
+functions exist for extracting information.
+.Sh SEE ALSO
+.Xr krb5_init_context 3 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_create_checksum.3 b/crypto/heimdal/lib/krb5/krb5_create_checksum.3
new file mode 100644
index 0000000..9472ed6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_create_checksum.3
@@ -0,0 +1,62 @@
+.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
+.\" $Id: krb5_create_checksum.3,v 1.2 2001/01/26 22:43:21 assar Exp $
+.Dd April  7, 1999
+.Dt NAME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_checksum_is_collision_proof , 
+.Nm krb5_checksum_is_keyed , 
+.Nm krb5_checksumsize , 
+.Nm krb5_create_checksum , 
+.Nm krb5_verify_checksum
+.Nd creates and verifies checksums
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_create_checksum "krb5_context context" "krb5_crypto crypto" "unsigned usage_or_type" "void *data" "size_t len" "Checksum *result"
+.Ft krb5_error_code
+.Fn krb5_verify_checksum "krb5_context context" "krb5_crypto crypto" "krb5_key_usage usage" "void *data" "size_t len" "Checksum *cksum"
+.Ft krb5_boolean
+.Fn krb5_checksum_is_collision_proof "krb5_context context" "krb5_cksumtype type"
+.Ft krb5_boolean
+.Fn krb5_checksum_is_keyed "krb5_context context" "krb5_cksumtype type"
+.Sh DESCRIPTION
+These functions are used to create and verify checksums.
+.Fn krb5_create_checksum 
+creates a checksum of the specified data, and puts it in
+.Fa result .
+If
+.Fa crypto
+is 
+.Dv NULL ,
+.Fa usage_or_type 
+specifies the checksum type to use; it must not be keyed. Otherwise 
+.Fa crypto
+is an encryption context created by
+.Fn krb5_crypto_init ,
+and
+.Fa usage_or_type
+specifies a key-usage.
+.Pp
+.Fn krb5_verify_checksum
+verifies the
+.Fa checksum ,
+against the provided data. 
+.Pp
+.Fn krb5_checksum_is_collision_proof
+returns true is the specified checksum is collision proof (that it's
+very unlikely that two strings has the same hash value, and that it's
+hard to find two strings that has the same hash). Examples of
+collision proof checksums are MD5, and SHA1, while CRC32 is not.
+.Pp
+.Fn krb5_checksum_is_keyed
+returns true if the specified checksum type is keyed (that the hash
+value is a function of both the data, and a separate key). Examples of
+keyed hash algorithms are HMAC-SHA1-DES3, and RSA-MD5-DES. The 
+.Dq plain
+hash functions MD5, and SHA1 are not keyed.
+.\" .Sh EXAMPLE
+.\" .Sh BUGS
+.Sh SEE ALSO
+.Xr krb5_crypto_init 3 ,
+.Xr krb5_encrypt 3
diff --git a/crypto/heimdal/lib/krb5/krb5_crypto_init.3 b/crypto/heimdal/lib/krb5/krb5_crypto_init.3
new file mode 100644
index 0000000..7d46567
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_crypto_init.3
@@ -0,0 +1,37 @@
+.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
+.\" $Id: krb5_crypto_init.3,v 1.2 2001/01/26 22:43:22 assar Exp $
+.Dd April  7, 1999
+.Dt NAME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_crypto_init , 
+.Nm krb5_crypto_destroy
+.Nd initialize encryption context
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_crypto_init "krb5_context context" "krb5_keyblock *key" "krb5_enctype enctype" "krb5_crypto *crypto"
+.Ft krb5_error_code
+.Fn krb5_crypto_destroy "krb5_context context" "krb5_crypto crypto"
+.Sh DESCRIPTION
+These functions are used to initialize an encryption context that can
+be used to encrypt or checksum data.
+.Pp
+The
+.Fn krb5_crypt_init
+initializes the encrytion context
+.Fa crypto .
+The
+.Fa key
+parameter is the key to use for encryption, and checksums. The
+encryption type to use is taken from the key, but can be overridden
+with the
+.Fa enctype parameter .
+.Pp
+.Fn krb5_crypto_destroy
+frees a previously allocated encrypion context.
+.\" .Sh EXAMPLE
+.\" .Sh BUGS
+.Sh SEE ALSO
+.Xr krb5_create_checksum 3 ,
+.Xr krb5_encrypt 3
diff --git a/crypto/heimdal/lib/krb5/krb5_encrypt.3 b/crypto/heimdal/lib/krb5/krb5_encrypt.3
new file mode 100644
index 0000000..291e503
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_encrypt.3
@@ -0,0 +1,54 @@
+.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
+.\" $Id: krb5_encrypt.3,v 1.2 2001/01/26 22:43:22 assar Exp $
+.Dd April  7, 1999
+.Dt KRB5_ENCRYPT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_decrypt , 
+.Nm krb5_decrypt_EncryptedData , 
+.Nm krb5_encrypt , 
+.Nm krb5_encrypt_EncryptedData
+.Nd encrypt and decrypt data
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_encrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result"
+.Ft krb5_error_code
+.Fn krb5_encrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "int kvno" "EncryptedData *result"
+.Ft krb5_error_code
+.Fn krb5_decrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result"
+.Ft krb5_error_code
+.Fn krb5_decrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "EncryptedData *e" "krb5_data *result"
+.Sh DESCRIPTION
+These functions are used to encrypt and decrypt data.
+.Pp
+.Fn krb5_encrypt
+puts the encrypted version of 
+.Fa data
+(of size
+.Fa len )
+in
+.Fa result .
+If the encryption type supports using derived keys, 
+.Fa usage
+should be the appropriate key-usage.
+.Fn krb5_encrypt_EncryptedData
+does the same as
+.Fn krb5_encrypt ,
+but it puts the encrypted data in a
+.Fa EncryptedData 
+structure instead. If 
+.Fa kvno 
+is not zero, it will be put in the 
+.Fa kvno field in the
+.Fa EncryptedData .
+.Pp
+.Fn krb5_decrypt ,
+and
+.Fn krb5_decrypt_EncryptedData
+works similarly.
+.\" .Sh EXAMPLE
+.\" .Sh BUGS
+.Sh SEE ALSO
+.Xr krb5_crypto_init 3 ,
+.Xr krb5_create_checksum 3
diff --git a/crypto/heimdal/lib/krb5/krb5_err.et b/crypto/heimdal/lib/krb5/krb5_err.et
new file mode 100644
index 0000000..3427923
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_err.et
@@ -0,0 +1,235 @@
+#
+# Error messages for the krb5 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $"
+
+error_table krb5
+
+prefix KRB5KDC_ERR
+error_code NONE,		"No error"
+error_code NAME_EXP,		"Client's entry in database has expired"
+error_code SERVICE_EXP,		"Server's entry in database has expired"
+error_code BAD_PVNO,		"Requested protocol version not supported"
+error_code C_OLD_MAST_KVNO,	"Client's key is encrypted in an old master key"
+error_code S_OLD_MAST_KVNO,	"Server's key is encrypted in an old master key"
+error_code C_PRINCIPAL_UNKNOWN,	"Client not found in Kerberos database"
+error_code S_PRINCIPAL_UNKNOWN,	"Server not found in Kerberos database"
+error_code PRINCIPAL_NOT_UNIQUE,"Principal has multiple entries in Kerberos database"
+error_code NULL_KEY,		"Client or server has a null key"
+error_code CANNOT_POSTDATE,	"Ticket is ineligible for postdating"
+error_code NEVER_VALID,		"Requested effective lifetime is negative or too short"
+error_code POLICY,		"KDC policy rejects request"
+error_code BADOPTION,		"KDC can't fulfill requested option"
+error_code ETYPE_NOSUPP,	"KDC has no support for encryption type"
+error_code SUMTYPE_NOSUPP,	"KDC has no support for checksum type"
+error_code PADATA_TYPE_NOSUPP,	"KDC has no support for padata type"
+error_code TRTYPE_NOSUPP,	"KDC has no support for transited type"
+error_code CLIENT_REVOKED,	"Clients credentials have been revoked"
+error_code SERVICE_REVOKED,	"Credentials for server have been revoked"
+error_code TGT_REVOKED,		"TGT has been revoked"
+error_code CLIENT_NOTYET,	"Client not yet valid - try again later"
+error_code SERVICE_NOTYET,	"Server not yet valid - try again later"
+error_code KEY_EXPIRED,		"Password has expired"
+error_code PREAUTH_FAILED,	"Preauthentication failed"
+error_code PREAUTH_REQUIRED,	"Additional pre-authentication required"
+error_code SERVER_NOMATCH,	"Requested server and ticket don't match"
+
+# 27-30 are reserved
+index 31
+prefix KRB5KRB_AP
+error_code ERR_BAD_INTEGRITY,	"Decrypt integrity check failed"
+error_code ERR_TKT_EXPIRED,	"Ticket expired"
+error_code ERR_TKT_NYV,		"Ticket not yet valid"
+error_code ERR_REPEAT,		"Request is a replay"
+error_code ERR_NOT_US,		"The ticket isn't for us"
+error_code ERR_BADMATCH,	"Ticket/authenticator don't match"
+error_code ERR_SKEW,		"Clock skew too great"
+error_code ERR_BADADDR,		"Incorrect net address"
+error_code ERR_BADVERSION,	"Protocol version mismatch"
+error_code ERR_MSG_TYPE,	"Invalid message type"
+error_code ERR_MODIFIED,	"Message stream modified"
+error_code ERR_BADORDER,	"Message out of order"
+error_code ERR_ILL_CR_TKT,	"Invalid cross-realm ticket"
+error_code ERR_BADKEYVER,	"Key version is not available"
+error_code ERR_NOKEY,		"Service key not available"
+error_code ERR_MUT_FAIL,	"Mutual authentication failed"
+error_code ERR_BADDIRECTION,	"Incorrect message direction"
+error_code ERR_METHOD,		"Alternative authentication method required"
+error_code ERR_BADSEQ,		"Incorrect sequence number in message"
+error_code ERR_INAPP_CKSUM,	"Inappropriate type of checksum in message"
+error_code PATH_NOT_ACCEPTED,	"Policy rejects transited path"
+
+prefix KRB5KRB_ERR
+error_code RESPONSE_TOO_BIG,	"Response too big for UDP, retry with TCP"
+# 53-59 are reserved
+index 60
+error_code GENERIC,		"Generic error (see e-text)"
+error_code FIELD_TOOLONG,	"Field is too long for this implementation"
+
+# pkinit
+index 62
+prefix KDC_ERROR
+error_code CLIENT_NOT_TRUSTED,	"Client not trusted"
+error_code KDC_NOT_TRUSTED,	"KDC not trusted"
+error_code INVALID_SIG,		"Invalid signature"
+error_code KEY_TOO_WEAK,	"Key too weak"
+error_code CERTIFICATE_MISMATCH, "Certificate mismatch"
+prefix KRB5_AP_ERR
+error_code USER_TO_USER_REQUIRED, "User to user required"
+prefix KDC_ERROR
+error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate"
+error_code INVALID_CERTIFICATE,	"Invalid certificate"
+error_code REVOKED_CERTIFICATE,	"Revoked certificate"
+error_code REVOCATION_STATUS_UNKNOWN,	"Revocation status unknown"
+error_code REVOCATION_STATUS_UNAVAILABLE,"Revocation status unavailable"
+error_code CLIENT_NAME_MISMATCH,	"Client name mismatch"
+error_code KDC_NAME_MISMATCH,	"KDC name mismatch"
+
+# 77-127 are reserved
+
+index 128
+prefix
+error_code KRB5_ERR_RCSID,	"$Id: krb5_err.et,v 1.9 2000/04/06 00:41:37 assar Exp $"
+
+error_code KRB5_LIBOS_BADLOCKFLAG,	"Invalid flag for file lock mode"
+error_code KRB5_LIBOS_CANTREADPWD,	"Cannot read password"
+error_code KRB5_LIBOS_BADPWDMATCH,	"Password mismatch"
+error_code KRB5_LIBOS_PWDINTR,		"Password read interrupted"
+
+error_code KRB5_PARSE_ILLCHAR,		"Invalid character in component name"
+error_code KRB5_PARSE_MALFORMED,	"Malformed representation of principal"
+
+error_code KRB5_CONFIG_CANTOPEN,	"Can't open/find configuration file"
+error_code KRB5_CONFIG_BADFORMAT,	"Improper format of configuration file"
+error_code KRB5_CONFIG_NOTENUFSPACE,	"Insufficient space to return complete information"
+
+error_code KRB5_BADMSGTYPE,		"Invalid message type specified for encoding"
+
+error_code KRB5_CC_BADNAME,		"Credential cache name malformed"
+error_code KRB5_CC_UNKNOWN_TYPE,	"Unknown credential cache type" 
+error_code KRB5_CC_NOTFOUND,		"Matching credential not found"
+error_code KRB5_CC_END,			"End of credential cache reached"
+
+error_code KRB5_NO_TKT_SUPPLIED,	"Request did not supply a ticket"
+
+error_code KRB5KRB_AP_WRONG_PRINC,		"Wrong principal in request"
+error_code KRB5KRB_AP_ERR_TKT_INVALID,	"Ticket has invalid flag set"
+
+error_code KRB5_PRINC_NOMATCH,		"Requested principal and ticket don't match"
+error_code KRB5_KDCREP_MODIFIED,	"KDC reply did not match expectations"
+error_code KRB5_KDCREP_SKEW,		"Clock skew too great in KDC reply"
+error_code KRB5_IN_TKT_REALM_MISMATCH,	"Client/server realm mismatch in initial ticket request"
+
+error_code KRB5_PROG_ETYPE_NOSUPP,	"Program lacks support for encryption type"
+error_code KRB5_PROG_KEYTYPE_NOSUPP,	"Program lacks support for key type"
+error_code KRB5_WRONG_ETYPE,		"Requested encryption type not used in message"
+error_code KRB5_PROG_SUMTYPE_NOSUPP,	"Program lacks support for checksum type"
+
+error_code KRB5_REALM_UNKNOWN,		"Cannot find KDC for requested realm"
+error_code KRB5_SERVICE_UNKNOWN,	"Kerberos service unknown"
+error_code KRB5_KDC_UNREACH,		"Cannot contact any KDC for requested realm"
+error_code KRB5_NO_LOCALNAME,		"No local name found for principal name"
+
+error_code KRB5_MUTUAL_FAILED,		"Mutual authentication failed"
+
+# some of these should be combined/supplanted by system codes
+
+error_code KRB5_RC_TYPE_EXISTS,		"Replay cache type is already registered"
+error_code KRB5_RC_MALLOC,		"No more memory to allocate (in replay cache code)"
+error_code KRB5_RC_TYPE_NOTFOUND,	"Replay cache type is unknown"
+error_code KRB5_RC_UNKNOWN,		"Generic unknown RC error"
+error_code KRB5_RC_REPLAY,		"Message is a replay"
+error_code KRB5_RC_IO,			"Replay I/O operation failed XXX"
+error_code KRB5_RC_NOIO,		"Replay cache type does not support non-volatile storage"
+error_code KRB5_RC_PARSE,		"Replay cache name parse/format error"
+
+error_code KRB5_RC_IO_EOF,		"End-of-file on replay cache I/O"
+error_code KRB5_RC_IO_MALLOC,		"No more memory to allocate (in replay cache I/O code)"
+error_code KRB5_RC_IO_PERM,		"Permission denied in replay cache code"
+error_code KRB5_RC_IO_IO,		"I/O error in replay cache i/o code"
+error_code KRB5_RC_IO_UNKNOWN,		"Generic unknown RC/IO error"
+error_code KRB5_RC_IO_SPACE,		"Insufficient system space to store replay information"
+
+error_code KRB5_TRANS_CANTOPEN,		"Can't open/find realm translation file"
+error_code KRB5_TRANS_BADFORMAT,	"Improper format of realm translation file"
+
+error_code KRB5_LNAME_CANTOPEN,		"Can't open/find lname translation database"
+error_code KRB5_LNAME_NOTRANS,		"No translation available for requested principal"
+error_code KRB5_LNAME_BADFORMAT,	"Improper format of translation database entry"
+
+error_code KRB5_CRYPTO_INTERNAL,	"Cryptosystem internal error"
+
+error_code KRB5_KT_BADNAME,		"Key table name malformed"
+error_code KRB5_KT_UNKNOWN_TYPE,	"Unknown Key table type" 
+error_code KRB5_KT_NOTFOUND,		"Key table entry not found"
+error_code KRB5_KT_END,			"End of key table reached"
+error_code KRB5_KT_NOWRITE,		"Cannot write to specified key table"
+error_code KRB5_KT_IOERR,		"Error writing to key table"
+
+error_code KRB5_NO_TKT_IN_RLM,		"Cannot find ticket for requested realm"
+error_code KRB5DES_BAD_KEYPAR,		"DES key has bad parity"
+error_code KRB5DES_WEAK_KEY,		"DES key is a weak key"
+
+error_code KRB5_BAD_ENCTYPE,		"Bad encryption type"
+error_code KRB5_BAD_KEYSIZE,		"Key size is incompatible with encryption type"
+error_code KRB5_BAD_MSIZE,		"Message size is incompatible with encryption type"
+
+error_code KRB5_CC_TYPE_EXISTS,		"Credentials cache type is already registered."
+error_code KRB5_KT_TYPE_EXISTS,		"Key table type is already registered."
+
+error_code KRB5_CC_IO,			"Credentials cache I/O operation failed XXX"
+error_code KRB5_FCC_PERM,		"Credentials cache file permissions incorrect"
+error_code KRB5_FCC_NOFILE,		"No credentials cache file found"
+error_code KRB5_FCC_INTERNAL,		"Internal file credentials cache error"
+error_code KRB5_CC_WRITE,		"Error writing to credentials cache file"
+error_code KRB5_CC_NOMEM,		"No more memory to allocate (in credentials cache code)"
+error_code KRB5_CC_FORMAT,		"Bad format in credentials cache"
+
+# errors for dual tgt library calls
+error_code KRB5_INVALID_FLAGS,		"Invalid KDC option combination (library internal error)"
+error_code KRB5_NO_2ND_TKT,		"Request missing second ticket"
+
+error_code KRB5_NOCREDS_SUPPLIED,	"No credentials supplied to library routine"
+
+# errors for sendauth (and recvauth)
+
+error_code KRB5_SENDAUTH_BADAUTHVERS,	"Bad sendauth version was sent"
+error_code KRB5_SENDAUTH_BADAPPLVERS,	"Bad application version was sent (via sendauth)"
+error_code KRB5_SENDAUTH_BADRESPONSE,	"Bad response (during sendauth exchange)"
+error_code KRB5_SENDAUTH_REJECTED,	"Server rejected authentication (during sendauth exchange)"
+
+# errors for preauthentication
+
+error_code KRB5_PREAUTH_BAD_TYPE,	"Unsupported preauthentication type"
+error_code KRB5_PREAUTH_NO_KEY,		"Required preauthentication key not supplied"
+error_code KRB5_PREAUTH_FAILED,		"Generic preauthentication failure"
+
+# version number errors
+
+error_code KRB5_RCACHE_BADVNO,	"Unsupported replay cache format version number"
+error_code KRB5_CCACHE_BADVNO,	"Unsupported credentials cache format version number"
+error_code KRB5_KEYTAB_BADVNO,	"Unsupported key table format version number"
+
+#
+#
+
+error_code KRB5_PROG_ATYPE_NOSUPP,	"Program lacks support for address type"
+error_code KRB5_RC_REQUIRED,	"Message replay detection requires rcache parameter"
+error_code KRB5_ERR_BAD_HOSTNAME,	"Hostname cannot be canonicalized"
+error_code KRB5_ERR_HOST_REALM_UNKNOWN,	"Cannot determine realm for host"
+error_code KRB5_SNAME_UNSUPP_NAMETYPE,	"Conversion to service principal undefined for name type"
+
+error_code KRB5KRB_AP_ERR_V4_REPLY, "Initial Ticket response appears to be Version 4"
+error_code KRB5_REALM_CANT_RESOLVE,	"Cannot resolve KDC for requested realm"
+error_code KRB5_TKT_NOT_FORWARDABLE,	"Requesting ticket can't get forwardable tickets"
+error_code KRB5_FWD_BAD_PRINCIPAL, "Bad principal name while trying to forward credentials"
+
+error_code KRB5_GET_IN_TKT_LOOP,  "Looping detected inside krb5_get_in_tkt"
+error_code KRB5_CONFIG_NODEFREALM,	"Configuration file does not specify default realm"
+
+error_code KRB5_SAM_UNSUPPORTED,  "Bad SAM flags in obtain_sam_padata"
+error_code KRB5_KT_NAME_TOOLONG,	"Keytab name too long"
+
+end
diff --git a/crypto/heimdal/lib/krb5/krb5_free_principal.3 b/crypto/heimdal/lib/krb5/krb5_free_principal.3
new file mode 100644
index 0000000..110c802
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_free_principal.3
@@ -0,0 +1,25 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_free_principal.3,v 1.3 2001/05/02 08:59:23 assar Exp $
+.Dd August 8, 1997
+.Dt KRB5_FREE_PRINCIPAL 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_free_principal
+.Nd principal free function
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft void
+.Fn krb5_free_principal "krb5_context context" "krb5_principal principal"
+.Sh DESCRIPTION
+The 
+.Fn krb5_free_principal
+will free a principal that has been created with
+.Fn krb5_build_principal ,
+.Fn krb5_parse_name ,
+or with some other function. 
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_build_principal 3 ,
+.Xr krb5_parse_name 3 ,
+.Xr krb5_sname_to_principal 3 ,
+.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal/lib/krb5/krb5_init_context.3 b/crypto/heimdal/lib/krb5/krb5_init_context.3
new file mode 100644
index 0000000..54690de
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_init_context.3
@@ -0,0 +1,38 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_init_context.3,v 1.2 2001/05/23 16:24:02 assar Exp $
+.Dd Jan 21, 2001
+.Dt KRB5_CONTEXT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_init_context ,
+.Nm krb5_free_context
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_init_context "krb5_context *context"
+.Ft void
+.Fn krb5_free_context "krb5_context context"
+.Sh DESCRIPTION
+The
+.Fn krb5_init_context
+function initializes the
+.Fa context
+structure and reads the configration file
+.Pa /etc/krb5.conf .
+.Pp
+The structure should be freed by calling
+.Fn krb5_free_context
+when it is no longer being used.
+.Sh RETURN VALUES
+.Fn krb5_init_context
+returns 0 to indicate success.
+Otherwise an errno code is returned.
+Failure means either that something bad happened during initialization
+(typically
+.Bq ENOMEM )
+or that Kerberos should not be used
+.Bq ENXIO .
+.Sh SEE ALSO
+.Xr krb5_context 3 ,
+.Xr errno 2 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_keytab.3 b/crypto/heimdal/lib/krb5/krb5_keytab.3
new file mode 100644
index 0000000..6dc524e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_keytab.3
@@ -0,0 +1,358 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_keytab.3,v 1.1 2001/02/05 18:17:46 assar Exp $
+.Dd Feb 5, 2001
+.Dt KRB5_KEYTAB 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_kt_ops,
+.Nm krb5_keytab_entry ,
+.Nm krb5_kt_cursor ,
+.Nm krb5_kt_add_entry ,
+.Nm krb5_kt_close ,
+.Nm krb5_kt_compare ,
+.Nm krb5_kt_copy_entry_contents ,
+.Nm krb5_kt_default ,
+.Nm krb5_kt_default_name ,
+.Nm krb5_kt_end_seq_get ,
+.Nm krb5_kt_free_entry ,
+.Nm krb5_kt_get_entry ,
+.Nm krb5_kt_get_name ,
+.Nm krb5_kt_next_entry ,
+.Nm krb5_kt_read_service_key ,
+.Nm krb5_kt_register ,
+.Nm krb5_kt_remove_entry ,
+.Nm krb5_kt_resolve ,
+.Nm krb5_kt_start_seq_get
+.Nd manage keytab (key storage) files
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Pp
+.Ft krb5_error_code
+.Fo krb5_kt_add_entry
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_keytab_entry *entry"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_close
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fc
+.Ft krb5_boolean
+.Fo krb5_kt_compare
+.Fa "krb5_context context"
+.Fa "krb5_keytab_entry *entry"
+.Fa "krb5_const_principal principal"
+.Fa "krb5_kvno vno"
+.Fa "krb5_enctype enctype"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_copy_entry_contents
+.Fa "krb5_context context"
+.Fa "const krb5_keytab_entry *in"
+.Fa "krb5_keytab_entry *out"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_default
+.Fa "krb5_context context"
+.Fa "krb5_keytab *id"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_default_name
+.Fa "krb5_context context"
+.Fa "char *name"
+.Fa "size_t namesize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_end_seq_get
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_kt_cursor *cursor"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_free_entry
+.Fa "krb5_context context"
+.Fa "krb5_keytab_entry *entry"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_get_entry
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_const_principal principal"
+.Fa "krb5_kvno kvno"
+.Fa "krb5_enctype enctype"
+.Fa "krb5_keytab_entry *entry"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_get_name
+.Fa "krb5_context context"
+.Fa "krb5_keytab keytab"
+.Fa "char *name"
+.Fa "size_t namesize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_next_entry
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_keytab_entry *entry"
+.Fa "krb5_kt_cursor *cursor"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_read_service_key
+.Fa "krb5_context context"
+.Fa "krb5_pointer keyprocarg"
+.Fa "krb5_principal principal"
+.Fa "krb5_kvno vno"
+.Fa "krb5_enctype enctype"
+.Fa "krb5_keyblock **key"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_register
+.Fa "krb5_context context"
+.Fa "const krb5_kt_ops *ops"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_remove_entry
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_keytab_entry *entry"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_resolve
+.Fa "krb5_context context"
+.Fa "const char *name"
+.Fa "krb5_keytab *id"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_start_seq_get
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_kt_cursor *cursor"
+.Fc
+.Sh DESCRIPTION
+A keytab name is on the form
+.Li type:residual .
+The
+.Li residual
+part is specific to each keytab-type.
+.Pp
+When a keytab-name is resolved, the type is matched with an interal
+list of keytab types. If there is no matching keytab type,
+the default keytab is used. The current default type is
+.Nm file .
+The default value can be changed in the configuration file
+.Pa /etc/krb5.conf
+by setting the variable 
+.Li [defaults]default_keytab_name .
+.Pp
+The keytab types that are implemented in Heimdal
+are:
+.Bl -tag -width Ds
+.It Nm file
+store the keytab in a file, the type's name is
+.Li KEYFILE .
+The residual part is a filename.
+.It Nm keyfile
+store the keytab in a
+.Li AFS 
+keyfile (usually
+.Pa /usr/afs/etc/KeyFile ) ,
+the type's name is
+.Li AFSKEYFILE .
+The residual part is a filename.
+.It Nm krb4
+the keytab is a Kerberos 4
+.Pa srvtab
+that is on-the-fly converted to a keytab. The type's name is
+.Li krb4 .
+The residual part is a filename.
+.It Nm memory
+The keytab is stored in a memory segment. This allows sensitive and/or
+temporary data not to be stored on disk. The type's name is
+.Li MEMORY .
+There are no residual part, the only pointer back to the keytab is the
+.Fa id
+returned by
+.Fn krb5_kt_resolve .
+.El
+.Pp
+.Nm krb5_keytab_entry
+holds all data for an entry in a keytab file, like principal name,
+key-type, key, key-version number, etc.
+.Nm krb5_kt_cursor
+holds the current position that is used when iterating through a
+keytab entry with
+.Fn krb5_kt_start_seq_get , 
+.Fn krb5_kt_next_entry ,
+and
+.Fn krb5_kt_end_seq_get .
+.Pp
+.Nm krb5_kt_ops
+contains the different operations that can be done to a keytab. This
+structure is normally only used when doing a new keytab-type
+implementation.
+.Pp
+.Fn krb5_kt_resolve
+is the equvalent of an
+.Xr open 2
+on keytab. Resolve the keytab name in 
+.Fa name
+into a keytab in 
+.Fa id .
+Returns 0 or an error. The opposite of
+.Fn krb5_kt_resolve 
+is 
+.Fn krb5_kt_close .
+.Fn krb5_kt_close
+frees all resources allocated to the keytab.
+.Pp
+.Fn krb5_kt_default
+sets the argument 
+.Fa id
+to the default keytab.
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_default_name
+copy the name of the default keytab into
+.Fa name .
+Return 0 or KRB5_CONFIG_NOTENUFSPACE if 
+.Fa namesize
+is too short.
+.Pp
+.Fn krb5_kt_add_entry
+Add a new
+.Fa entry
+to the keytab 
+.Fa id .
+.Li KRB5_KT_NOWRITE
+is returned if the keytab is a readonly keytab.
+.Pp
+.Fn krb5_kt_compare
+compares the passed in 
+.Fa entry
+against
+.Fa principal ,
+.Fa vno ,
+and
+.Fa enctype .
+Any of 
+.Fa principal ,
+.Fa vno
+or
+.Fa enctype
+might be 0 which acts as a wildcard. Return TRUE if they compare the
+same, FALSE otherwise.
+.Pp
+.Fn krb5_kt_copy_entry_contents
+copies the contents of 
+.Fa in
+into 
+.Fa out .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_get_name
+retrieves the name of the keytab 
+.Fa keytab
+into 
+.Fa name ,
+.Fa namesize .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_free_entry
+frees the contents of 
+.Fa entry .
+.Pp
+.Fn krb5_kt_start_seq_get
+sets
+.Fa cursor
+to point at the beginning of 
+.Fa id.
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_next_entry
+gets the next entry from 
+.Fa id
+pointed to by 
+.Fa cursor
+and advance the
+.Fa cursor .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_end_seq_get
+releases all resources associated with 
+.Fa cursor .
+.Pp
+.Fn krb5_kt_get_entry
+retrieves the keytab entry for 
+.Fa principal,
+.Fa kvno, 
+.Fa enctype
+into 
+.Fa entry
+from the keytab 
+.Fa id .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_read_service_key
+reads the key identified by
+.Ns ( Fa principal ,
+.Fa vno ,
+.Fa enctype )
+from the keytab in 
+.Fa keyprocarg
+(the default if == NULL) into 
+.Fa *key .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_remove_entry
+removes the entry 
+.Fa entry
+from the keytab 
+.Fa id .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_register
+registers a new keytab type
+.Fa ops .
+Returns 0 or an error.
+.Sh EXAMPLE
+This is a minimalistic version of
+.Nm ktutil .
+.Pp
+.Bd -literal
+int
+main (int argc, char **argv)
+{
+    krb5_context context;
+    krb5_keytab keytab;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    krb5_error_code ret;
+    char *principal;
+
+    if (krb5_init_context (&context) != 0)
+	errx(1, "krb5_context");
+    
+    ret = krb5_kt_default (context, &keytab);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_default");
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_start_seq_get");	
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+	krb5_unparse_name_short(context, entry.principal, &principal);
+	printf("principal: %s\\n", principal);
+	free(principal);
+	krb5_kt_free_entry(context, &entry);
+    }
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_end_seq_get");	
+    krb5_free_context(context);
+    return 0;
+}
+.Ed
+.Sh SEE ALSO
+.Xr kerberos 8 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_locl.h b/crypto/heimdal/lib/krb5/krb5_locl.h
new file mode 100644
index 0000000..1c5aa54
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_locl.h
@@ -0,0 +1,158 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: krb5_locl.h,v 1.66 2001/05/10 15:31:34 assar Exp $ */
+/* $FreeBSD$ */
+
+#ifndef __KRB5_LOCL_H__
+#define __KRB5_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <errno.h>
+#include <ctype.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include <time.h>
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef _AIX
+struct ether_addr;
+struct mbuf;
+struct sockaddr_dl;
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+#include <roken.h>
+#include <parse_time.h>
+#include <base64.h>
+
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+#ifdef HAVE_OPENSSL_MD4_H
+#include <openssl/md4.h>
+#else
+#include <md4.h>
+#endif
+#ifdef HAVE_OPENSSL_MD5_H
+#include <openssl/md5.h>
+#else
+#include <md5.h>
+#endif
+#ifdef HAVE_OPENSSL_SHA_H
+#include <openssl/sha.h>
+#else
+#include <sha.h>
+#endif
+#ifdef HAVE_OPENSSL_RC4_H
+#include <openssl/rc4.h>
+#else
+#include <rc4.h>
+#endif
+
+#include <krb5_asn1.h>
+#include <der.h>
+
+#include <krb5.h>
+#include <krb5_err.h>
+#include <asn1_err.h>
+#include <krb5-private.h>
+
+#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
+#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
+
+/* should this be public? */
+#define KEYTAB_DEFAULT "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab"
+#define KEYTAB_DEFAULT_MODIFY "FILE:/etc/krb5.keytab"
+
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+#endif /* __KRB5_LOCL_H__ */
diff --git a/crypto/heimdal/lib/krb5/krb5_openlog.3 b/crypto/heimdal/lib/krb5/krb5_openlog.3
new file mode 100644
index 0000000..5576475
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_openlog.3
@@ -0,0 +1,210 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_openlog.3,v 1.5 2001/01/26 22:43:22 assar Exp $
+.Dd August 6, 1997
+.Dt KRB5_OPENLOG 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_initlog ,
+.Nm krb5_openlog ,
+.Nm krb5_closelog ,
+.Nm krb5_addlog_dest ,
+.Nm krb5_addlog_func ,
+.Nm krb5_log ,
+.Nm krb5_vlog ,
+.Nm krb5_log_msg ,
+.Nm krb5_vlog_msg 
+.Nd Heimdal logging functions
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft "typedef void"
+.Fn "\*(lp*krb5_log_log_func_t\*(rp" "const char *time" "const char *message" "void *data" 
+.Ft "typedef void"
+.Fn "\*(lp*krb5_log_close_func_t\*(rp" "void *data" 
+.Ft krb5_error_code
+.Fn krb5_addlog_dest "krb5_context context" "krb5_log_facility *facility" "const char *destination"
+.Ft krb5_error_code
+.Fn krb5_addlog_func "krb5_context context" "krb5_log_facility *facility" "int min" "int max" "krb5_log_log_func_t log" "krb5_log_close_func_t close" "void *data"
+.Ft krb5_error_code
+.Fn krb5_closelog "krb5_context context" "krb5_log_facility *facility"
+.Ft krb5_error_code
+.Fn krb5_initlog "krb5_context context" "const char *program" "krb5_log_facility **facility"
+.Ft krb5_error_code
+.Fn krb5_log "krb5_context context" "krb5_log_facility *facility" "int level" "const char *format" "..."
+.Ft krb5_error_code
+.Fn krb5_log_msg "krb5_context context" "krb5_log_facility *facility" "char **reply" "int level" "const char *format" "..."
+.Ft krb5_error_code
+.Fn krb5_openlog "krb5_context context" "const char *program" "krb5_log_facility **facility"
+.Ft krb5_error_code
+.Fn krb5_vlog "krb5_context context" "krb5_log_facility *facility" "int level" "const char *format" "va_list arglist"
+.Ft krb5_error_code
+.Fn krb5_vlog_msg "krb5_context context" "krb5_log_facility *facility" "char **reply" "int level" "const char *format" "va_list arglist"
+.Sh DESCRIPTION
+These functions logs messages to one or more destinations.
+.Pp
+The
+.Fn krb5_openlog
+function creates a logging 
+.Fa facility ,
+that is used to log messages. A facility consists of one or more
+destinations (which can be files or syslog or some other device). The
+.Fa program
+parameter should be the generic name of the program that is doing the
+logging. This name is used to lookup which destinations to use. This
+information is contained in the
+.Li logging
+section of the
+.Pa krb5.conf
+configuration file.  If no entry is found for
+.Fa program ,
+the entry for
+.Li default
+is used, or if that is missing too,
+.Li SYSLOG 
+will be used as destination.
+.Pp
+To close a logging facility, use the
+.Fn krb5_closelog
+function.
+.Pp
+To log a message to a facility use one of the functions
+.Fn krb5_log ,
+.Fn krb5_log_msg ,
+.Fn krb5_vlog ,
+or
+.Fn krb5_vlog_msg .
+The functions ending in 
+.Li _msg
+return in
+.Fa reply
+a pointer to the message that just got logged. This string is allocated,
+and should be freed with
+.Fn free .
+The
+.Fa format
+is a standard 
+.Fn printf
+style format string (but see the BUGS section).
+.Pp
+If you want better control of where things gets logged, you can instead of using 
+.Fn krb5_openlog
+call 
+.Fn krb5_initlog ,
+which just initializes a facility, but doesn't define any actual logging
+destinations. You can then add destinations with the
+.Fn krb5_addlog_dest
+and
+.Fn krb5_addlog_func 
+functions.  The first of these takes a string specifying a logging
+destination, and adds this to the facility. If you want to do some
+non-standard logging you can use the
+.Fn krb5_addlog_func
+function, which takes a function to use when logging.
+The 
+.Fa log
+function is called for each message with
+.Fa time
+being a string specifying the current time, and
+.Fa message
+the message to log. 
+.Fa close
+is called when the facility is closed. You can pass application specific data in the 
+.Fa data 
+parameter. The
+.Fa min
+and 
+.Fa max
+parameter are the same as in a destination (defined below). To specify a
+max of infinity, pass -1.
+.Pp
+.Fn krb5_openlog
+calls 
+.Fn krb5_initlog
+and then calls 
+.Fn krb5_addlog_dest
+for each destination found.
+.Ss Destinations
+The defined destinations (as specified in
+.Pa krb5.conf )
+follows:
+.Bl -tag -width "xxx" -offset indent
+.It Li STDERR
+This logs to the program's stderr.
+.It Li FILE: Ns Pa /file
+.It Li FILE= Ns Pa /file
+Log to the specified file. The form using a colon appends to the file, the
+form with an equal truncates the file. The truncating form keeps the file
+open, while the appending form closes it after each log message (which
+makes it possible to rotate logs). The truncating form is mainly for
+compatibility with the MIT libkrb5.
+.It Li DEVICE= Ns Pa /device
+This logs to the specified device, at present this is the same as
+.Li FILE:/device .
+.It Li CONSOLE
+Log to the console, this is the same as
+.Li DEVICE=/dev/console .
+.It Li SYSLOG Ns Op :priority Ns Op :facility
+Send messages to the syslog system, using priority, and facility. To
+get the name for one of these, you take the name of the macro passed
+to
+.Xr syslog 3 ,
+and remove the leading
+.Li LOG_ 
+.No ( Li LOG_NOTICE
+becomes 
+.Li NOTICE ) .
+The default values (as well as the values used for unrecognised
+values), are
+.Li ERR ,
+and
+.Li AUTH ,
+respectively.  See
+.Xr syslog 3
+for a list of priorities and facilities.
+.El
+.Pp
+Each destination may optionally be prepended with a range of logging
+levels, specified as
+.Li min-max/ .
+If the
+.Fa level
+parameter to
+.Fn krb5_log
+is within this range (inclusive) the message gets logged to this
+destination, otherwise not. Either of the min and max valued may be
+omitted, in this case min is assumed to be zero, and max is assumed to be
+infinity.  If you don't include a dash, both min and max gets set to the
+specified value. If no range is specified, all messages gets logged.
+.Sh EXAMPLE
+.Bd -literal -offset indent
+[logging]
+	kdc = 0/FILE:/var/log/kdc.log
+	kdc = 1-/SYSLOG:INFO:USER
+	default = STDERR
+.Ed
+.Pp
+This will log all messages from the 
+.Nm kdc 
+program with level 0 to
+.Pa /var/log/kdc.log ,
+other messages will be logged to syslog with priority
+.Li LOG_INFO ,
+and facility
+.Li LOG_USER .
+All other programs will log all messages to their stderr.
+.Sh BUGS
+These functions use
+.Fn asprintf
+to format the message. If your operating system does not have a working
+.Fn asprintf ,
+a replacement will be used. At present this replacement does not handle
+some correct conversion specifications (like floating point numbers). Until
+this is fixed, the use of these conversions should be avoided.
+.Pp
+If logging is done to the syslog facility, these functions might not be
+thread-safe, depending on the implementation of
+.Fn openlog ,
+and
+.Fn syslog .
+.Sh SEE ALSO
+.Xr syslog 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krb5_parse_name.3 b/crypto/heimdal/lib/krb5/krb5_parse_name.3
new file mode 100644
index 0000000..c4f5acd
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_parse_name.3
@@ -0,0 +1,35 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_parse_name.3,v 1.3 2001/05/02 08:59:23 assar Exp $
+.Dd August 8, 1997
+.Dt KRB5_PARSE_NAME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_parse_name
+.Nd string to principal conversion
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_parse_name "krb5_context context" "const char *name" "krb5_principal *principal"
+.Sh DESCRIPTION
+.Fn krb5_parse_name
+converts a string representation of a princpal name to
+.Nm krb5_principal .
+The
+.Fa principal 
+will point to allocated data that should be freed with
+.Fn krb5_free_principal .
+.Pp
+The string should consist of one or more name components separated with slashes
+.Pq Dq / , 
+optionally followed with an
+.Dq @
+and a realm name. A slash or @ may be contained in a name component by
+quoting it with a back-slash
+.Pq Dq \ .
+A realm should not contain slashes or colons.
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_build_principal 3 ,
+.Xr krb5_free_principal 3 ,
+.Xr krb5_sname_to_principal 3 ,
+.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3 b/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3
new file mode 100644
index 0000000..1dee7de
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_sname_to_principal.3
@@ -0,0 +1,52 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_sname_to_principal.3,v 1.3 2001/05/02 08:59:23 assar Exp $
+.Dd August 8, 1997
+.Dt KRB5_PRINCIPAL 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_sname_to_principal ,
+.Nm krb5_sock_to_principal
+.Nd create a service principal
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_sname_to_principal "krb5_context context" "const char *hostname" "const char *sname" "int32_t type" "krb5_principal *principal"
+.Ft krb5_error_code
+.Fn krb5_sock_to_principal "krb5_context context" "int socket" "const char *sname" "int32_t type" "krb5_principal *principal"
+.Sh DESCRIPTION
+These functions create a 
+.Dq service
+principal that can, for instance, be used to lookup a key in a keytab. For both these function the
+.Fa sname 
+parameter will be used for the first component of the created principal. If 
+.Fa sname
+is
+.Dv NULL ,
+.Dq host
+will be used instead.
+.Fn krb5_sname_to_principal 
+will use the passed 
+.Fa hostname
+for the second component. If type 
+.Dv KRB5_NT_SRV_HST
+this name will be looked up with
+.Fn gethostbyname .
+If 
+.Fa hostname is
+.Dv NULL ,
+the local hostname will be used.
+.Pp
+.Fn krb5_sock_to_principal 
+will use the 
+.Dq sockname
+of the passed
+.Fa socket ,
+which should be a bound
+.Dv AF_INET
+socket.
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_build_principal 3 ,
+.Xr krb5_free_principal 3 ,
+.Xr krb5_parse_name 3 ,
+.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal/lib/krb5/krb5_unparse_name.3 b/crypto/heimdal/lib/krb5/krb5_unparse_name.3
new file mode 100644
index 0000000..08409ae
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_unparse_name.3
@@ -0,0 +1,28 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_unparse_name.3,v 1.3 2001/05/02 08:59:23 assar Exp $
+.Dd August 8, 1997
+.Dt KRB5_UNPARSE_NAME 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_unparse_name
+.\" .Nm krb5_unparse_name_ext
+.Nd principal to string conversion
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_unparse_name "krb5_context context" "krb5_principal principal" "char **name"
+.\" .Ft krb5_error_code
+.\" .Fn krb5_unparse_name_ext "krb5_context context" "krb5_const_principal principal" "char **name" "size_t *size"
+.Sh DESCRIPTION
+This function takes a
+.Fa principal ,
+and will convert in to a printable representation with the same syntax as decribed in
+.Xr krb5_parse_name 3 .
+.Fa *name 
+will point to allocated data and should be freed by the caller.
+.Sh SEE ALSO
+.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_build_principal 3 ,
+.Xr krb5_free_principal 3 ,
+.Xr krb5_parse_name 3 ,
+.Xr krb5_sname_to_principal 3
diff --git a/crypto/heimdal/lib/krb5/krb5_warn.3 b/crypto/heimdal/lib/krb5/krb5_warn.3
new file mode 100644
index 0000000..ae3a330
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_warn.3
@@ -0,0 +1,61 @@
+.\" Copyright (c) 1997 Kungliga Tekniska Högskolan
+.\" $Id: krb5_warn.3,v 1.3 2001/01/26 22:43:23 assar Exp $
+.Dd August 8, 1997
+.Dt KRB5_WARN 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_warn ,
+.Nm krb5_warnx ,
+.Nm krb5_vwarn ,
+.Nm krb5_vwarnx ,
+.Nm krb5_err ,
+.Nm krb5_errx ,
+.Nm krb5_verr ,
+.Nm krb5_verrx ,
+.Nm krb5_set_warn_dest
+.Nd Heimdal warning and error functions
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn krb5_err "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "..."
+.Ft krb5_error_code
+.Fn krb5_errx "krb5_context context" "int eval" "const char *format" "..."
+.Ft krb5_error_code
+.Fn krb5_verr "krb5_context context" "int eval" "krb5_error_code code" "const char *format" "va_list ap"
+.Ft krb5_error_code
+.Fn krb5_verrx "krb5_context context" "int eval" "const char *format" "va_list ap"
+.Ft krb5_error_code
+.Fn krb5_vwarn "krb5_context context" "krb5_error_code code" "const char *format" "va_list ap"
+.Ft krb5_error_code
+.Fn krb5_vwarnx "krb5_context context" "const char *format" "va_list ap"
+.Ft krb5_error_code
+.Fn krb5_warn "krb5_context context" "krb5_error_code code" "const char *format" "..."
+.Ft krb5_error_code
+.Fn krb5_warnx "krb5_context context" "const char *format" "..."
+.Ft krb5_error_code
+.Fn krb5_set_warn_dest "krb5_context context" "krb5_log_facility *facility"
+.Sh DESCRIPTION
+These functions prints a warning message to some destination.
+.Fa format
+is a printf style format specifying the message to print. The forms not ending in an
+.Dq x
+prints the error string associated with
+.Fa code 
+along with the message.
+The
+.Dq err
+functions exits with exit status
+.Fa eval
+after printing the message.
+.Pp
+The
+.Fn krb5_set_warn_func
+function sets the destination for warning messages to the specified 
+.Fa facility .
+Messages logged with the
+.Dq warn
+functions have a log level of 1, while the
+.Dq err
+functions logs with level 0.
+.Sh SEE ALSO
+.Xr krb5_openlog 3
diff --git a/crypto/heimdal/lib/krb5/krbhst.c b/crypto/heimdal/lib/krb5/krbhst.c
new file mode 100644
index 0000000..86d67f6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krbhst.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <resolve.h>
+
+RCSID("$Id: krbhst.c,v 1.26 2001/05/14 06:14:49 assar Exp $");
+
+/*
+ * assuming that `*res' contains `*count' strings, add a copy of `string'.
+ */
+
+static int
+add_string(krb5_context context, char ***res, int *count, const char *string)
+{
+    char **tmp = realloc(*res, (*count + 1) * sizeof(**res));
+
+    if(tmp == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    *res = tmp;
+    if(string) {
+	tmp[*count] = strdup(string);
+	if(tmp[*count] == NULL) {
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+    } else
+	tmp[*count] = NULL;
+    (*count)++;
+    return 0;
+}
+
+/*
+ * do a SRV lookup for `realm, proto, service' returning the result
+ * in `res, count'
+ */
+
+static krb5_error_code
+srv_find_realm(krb5_context context, char ***res, int *count, 
+	       const char *realm, const char *proto, const char *service)
+{
+    char domain[1024];
+    char alt_domain[1024];
+    krb5_error_code ret;
+    struct dns_reply *r;
+    struct resource_record *rr;
+
+    snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm);
+    
+    r = dns_lookup(domain, "srv");
+    if(r == NULL && context->srv_try_rfc2052) {
+	snprintf(alt_domain, sizeof(alt_domain), "%s.%s.%s.", 
+		 service, proto, realm);
+	r = dns_lookup(alt_domain, "srv");
+    }
+    if(r == NULL && context->srv_try_txt)
+	r = dns_lookup(domain, "txt");
+    if(r == NULL && context->srv_try_rfc2052 && context->srv_try_txt)
+	r = dns_lookup(alt_domain, "txt");
+    if(r == NULL)
+	return 0;
+
+    for(rr = r->head; rr; rr = rr->next){
+	if(rr->type == T_SRV){
+	    char buf[1024];
+	    char **tmp;
+
+	    tmp = realloc(*res, (*count + 1) * sizeof(**res));
+	    if (tmp == NULL) {
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
+	    *res = tmp;
+	    snprintf (buf, sizeof(buf),
+		      "%s/%s:%u",
+		      proto,
+		      rr->u.srv->target,
+		      rr->u.srv->port);
+	    ret = add_string(context, res, count, buf);
+	    if(ret)
+		return ret;
+	}else if(rr->type == T_TXT) {
+	    ret = add_string(context, res, count, rr->u.txt);
+	    if(ret)
+		return ret;
+	}
+    }
+    dns_free_data(r);
+    return 0;
+}
+
+/*
+ * lookup the servers for realm `realm', looking for the config string
+ * `conf_string' in krb5.conf or for `serv_string' in SRV records.
+ * return a malloc-ed list of servers in hostlist.
+ */
+
+static krb5_error_code
+get_krbhst (krb5_context context,
+	    const krb5_realm *realm,
+	    const char *conf_string,
+	    const char *serv_string,
+	    char ***hostlist)
+{
+    char **res, **r;
+    int count;
+    krb5_error_code ret;
+
+    res = krb5_config_get_strings(context, NULL, 
+				  "realms", *realm, conf_string, NULL);
+    for(r = res, count = 0; r && *r; r++, count++);
+
+    if(count == 0 && context->srv_lookup) {
+	char *s[] = { "udp", "tcp", "http" }, **q;
+	for(q = s; q < s + sizeof(s) / sizeof(s[0]); q++) {
+	    ret = srv_find_realm(context, &res, &count, *realm, *q,
+				 serv_string);
+	    if(ret) {
+		krb5_config_free_strings(res);
+		return ret;
+	    }
+	}
+    }
+
+    if(count == 0) {
+	char buf[1024];
+	snprintf(buf, sizeof(buf), "kerberos.%s", *realm);
+	ret = add_string(context, &res, &count, buf);
+	if(ret) {
+	    krb5_config_free_strings(res);
+	    return ret;
+	}
+    }
+    add_string(context, &res, &count, NULL);
+    *hostlist = res;
+    return 0;
+}
+
+/*
+ * set `hostlist' to a malloced list of kadmin servers.
+ */
+
+krb5_error_code
+krb5_get_krb_admin_hst (krb5_context context,
+			const krb5_realm *realm,
+			char ***hostlist)
+{
+    return get_krbhst (context, realm, "admin_server", "kerberos-adm",
+		       hostlist);
+}
+
+/*
+ * set `hostlist' to a malloced list of changepw servers.
+ */
+
+krb5_error_code
+krb5_get_krb_changepw_hst (krb5_context context,
+			   const krb5_realm *realm,
+			   char ***hostlist)
+{
+    krb5_error_code ret;
+
+    ret = get_krbhst (context, realm, "kpasswd_server", "kpasswd",
+		      hostlist);
+    if (ret)
+	return ret;
+    ret = get_krbhst (context, realm, "admin_server", "kpasswd",
+		      hostlist);
+    return ret;
+}
+
+/*
+ * set `hostlist' to a malloced list of kerberos servers.
+ */
+
+krb5_error_code
+krb5_get_krbhst (krb5_context context,
+		 const krb5_realm *realm,
+		 char ***hostlist)
+{
+    return get_krbhst (context, realm, "kdc", "kerberos", hostlist);
+}
+
+/*
+ * free all memory associated with `hostlist'
+ */
+
+krb5_error_code
+krb5_free_krbhst (krb5_context context,
+		  char **hostlist)
+{
+    char **p;
+
+    for (p = hostlist; *p; ++p)
+	free (*p);
+    free (hostlist);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/kuserok.c b/crypto/heimdal/lib/krb5/kuserok.c
new file mode 100644
index 0000000..ae8ddec
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/kuserok.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: kuserok.c,v 1.5 1999/12/02 17:05:11 joda Exp $");
+
+/*
+ * Return TRUE iff `principal' is allowed to login as `luser'.
+ */
+
+krb5_boolean
+krb5_kuserok (krb5_context context,
+	      krb5_principal principal,
+	      const char *luser)
+{
+    char buf[BUFSIZ];
+    struct passwd *pwd;
+    FILE *f;
+    krb5_realm *realms, *r;
+    krb5_error_code ret;
+    krb5_boolean b;
+
+    ret = krb5_get_default_realms (context, &realms);
+    if (ret)
+	return FALSE;
+
+    for (r = realms; *r != NULL; ++r) {
+	krb5_principal local_principal;
+
+	ret = krb5_build_principal (context,
+				    &local_principal,
+				    strlen(*r),
+				    *r,
+				    luser,
+				    NULL);
+	if (ret) {
+	    krb5_free_host_realm (context, realms);
+	    return FALSE;
+	}
+
+	b = krb5_principal_compare (context, principal, local_principal);
+	krb5_free_principal (context, local_principal);
+	if (b) {
+	    krb5_free_host_realm (context, realms);
+	    return TRUE;
+	}
+    }
+    krb5_free_host_realm (context, realms);
+
+    pwd = getpwnam (luser);	/* XXX - Should use k_getpwnam? */
+    if (pwd == NULL)
+	return FALSE;
+    snprintf (buf, sizeof(buf), "%s/.k5login", pwd->pw_dir);
+    f = fopen (buf, "r");
+    if (f == NULL)
+	return FALSE;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	krb5_principal tmp;
+
+	if(buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+
+	ret = krb5_parse_name (context, buf, &tmp);
+	if (ret) {
+	    fclose (f);
+	    return FALSE;
+	}
+	b = krb5_principal_compare (context, principal, tmp);
+	krb5_free_principal (context, tmp);
+	if (b) {
+	    fclose (f);
+	    return TRUE;
+	}
+    }
+    fclose (f);
+    return FALSE;
+}
diff --git a/crypto/heimdal/lib/krb5/log.c b/crypto/heimdal/lib/krb5/log.c
new file mode 100644
index 0000000..1a6d6b2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/log.c
@@ -0,0 +1,454 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: log.c,v 1.26 2001/05/14 06:14:49 assar Exp $");
+
+struct facility {
+    int min;
+    int max;
+    krb5_log_log_func_t log;
+    krb5_log_close_func_t close;
+    void *data;
+};
+
+static struct facility*
+log_realloc(krb5_log_facility *f)
+{
+    struct facility *fp;
+    f->len++;
+    fp = realloc(f->val, f->len * sizeof(*f->val));
+    if(fp == NULL)
+	return NULL;
+    f->val = fp;
+    fp += f->len - 1;
+    return fp;
+}
+
+struct s2i {
+    char *s;
+    int val;
+};
+
+#define L(X) { #X, LOG_ ## X }
+
+static struct s2i syslogvals[] = {
+    L(EMERG),
+    L(ALERT),
+    L(CRIT),
+    L(ERR),
+    L(WARNING),
+    L(NOTICE),
+    L(INFO),
+    L(DEBUG),
+
+    L(AUTH),
+#ifdef LOG_AUTHPRIV
+    L(AUTHPRIV),
+#endif
+#ifdef LOG_CRON
+    L(CRON),
+#endif
+    L(DAEMON),
+#ifdef LOG_FTP
+    L(FTP),
+#endif
+    L(KERN),
+    L(LPR),
+    L(MAIL),
+#ifdef LOG_NEWS
+    L(NEWS),
+#endif
+    L(SYSLOG),
+    L(USER),
+#ifdef LOG_UUCP
+    L(UUCP),
+#endif
+    L(LOCAL0),
+    L(LOCAL1),
+    L(LOCAL2),
+    L(LOCAL3),
+    L(LOCAL4),
+    L(LOCAL5),
+    L(LOCAL6),
+    L(LOCAL7),
+    { NULL, -1 }
+};
+
+static int
+find_value(const char *s, struct s2i *table)
+{
+    while(table->s && strcasecmp(table->s, s))
+	table++;
+    return table->val;
+}
+
+krb5_error_code
+krb5_initlog(krb5_context context,
+	     const char *program,
+	     krb5_log_facility **fac)
+{
+    krb5_log_facility *f = calloc(1, sizeof(*f));
+    if(f == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    f->program = strdup(program);
+    if(f->program == NULL){
+	free(f);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    *fac = f;
+    return 0;
+}
+
+krb5_error_code
+krb5_addlog_func(krb5_context context,
+		 krb5_log_facility *fac,
+		 int min,
+		 int max,
+		 krb5_log_log_func_t log,
+		 krb5_log_close_func_t close,
+		 void *data)
+{
+    struct facility *fp = log_realloc(fac);
+    if(fp == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    fp->min = min;
+    fp->max = max;
+    fp->log = log;
+    fp->close = close;
+    fp->data = data;
+    return 0;
+}
+
+
+struct syslog_data{
+    int priority;
+};
+
+static void
+log_syslog(const char *time,
+	   const char *msg,
+	   void *data)
+     
+{
+    struct syslog_data *s = data;
+    syslog(s->priority, "%s", msg);
+}
+
+static void
+close_syslog(void *data)
+{
+    free(data);
+    closelog();
+}
+
+static krb5_error_code
+open_syslog(krb5_context context,
+	    krb5_log_facility *facility, int min, int max,
+	    const char *sev, const char *fac)
+{
+    struct syslog_data *sd = malloc(sizeof(*sd));
+    int i;
+
+    if(sd == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    i = find_value(sev, syslogvals);
+    if(i == -1)
+	i = LOG_ERR;
+    sd->priority = i;
+    i = find_value(fac, syslogvals);
+    if(i == -1)
+	i = LOG_AUTH;
+    sd->priority |= i;
+    roken_openlog(facility->program, LOG_PID | LOG_NDELAY, i);
+    return krb5_addlog_func(context, facility, min, max,
+			    log_syslog, close_syslog, sd);
+}
+
+struct file_data{
+    char *filename;
+    char *mode;
+    FILE *fd;
+    int keep_open;
+};
+
+static void
+log_file(const char *time,
+	 const char *msg,
+	 void *data)
+{
+    struct file_data *f = data;
+    if(f->keep_open == 0)
+	f->fd = fopen(f->filename, f->mode);
+    if(f->fd == NULL)
+	return;
+    fprintf(f->fd, "%s %s\n", time, msg);
+    if(f->keep_open == 0)
+	fclose(f->fd);
+}
+
+static void
+close_file(void *data)
+{
+    struct file_data *f = data;
+    if(f->keep_open && f->filename)
+	fclose(f->fd);
+    free(data);
+}
+
+static krb5_error_code
+open_file(krb5_context context, krb5_log_facility *fac, int min, int max,
+	  char *filename, char *mode, FILE *f, int keep_open)
+{
+    struct file_data *fd = malloc(sizeof(*fd));
+    if(fd == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    fd->filename = filename;
+    fd->mode = mode;
+    fd->fd = f;
+    fd->keep_open = keep_open;
+
+    return krb5_addlog_func(context, fac, min, max, log_file, close_file, fd);
+}
+
+
+
+krb5_error_code
+krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
+{
+    krb5_error_code ret = 0;
+    int min = 0, max = -1, n;
+    char c;
+    const char *p = orig;
+
+    n = sscanf(p, "%d%c%d/", &min, &c, &max);
+    if(n == 2){
+	if(c == '/') {
+	    if(min < 0){
+		max = -min;
+		min = 0;
+	    }else{
+		max = min;
+	    }
+	}
+    }
+    if(n){
+	p = strchr(p, '/');
+	if(p == NULL) {
+	    krb5_set_error_string (context, "failed to parse \"%s\"", orig);
+	    return HEIM_ERR_LOG_PARSE;
+	}
+	p++;
+    }
+    if(strcmp(p, "STDERR") == 0){
+	ret = open_file(context, f, min, max, NULL, NULL, stderr, 1);
+    }else if(strcmp(p, "CONSOLE") == 0){
+	ret = open_file(context, f, min, max, "/dev/console", "w", NULL, 0);
+    }else if(strncmp(p, "FILE:", 4) == 0 && (p[4] == ':' || p[4] == '=')){
+	char *fn;
+	FILE *file = NULL;
+	int keep_open = 0;
+	fn = strdup(p + 5);
+	if(fn == NULL) {
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    return ENOMEM;
+	}
+	if(p[4] == '='){
+	    int i = open(fn, O_WRONLY | O_CREAT | 
+			 O_TRUNC | O_APPEND, 0666);
+	    if(i < 0) {
+		ret = errno;
+		krb5_set_error_string (context, "open(%s): %s", fn,
+				       strerror(ret));
+		return ret;
+	    }
+	    file = fdopen(i, "a");
+	    if(file == NULL){
+		ret = errno;
+		close(i);
+		krb5_set_error_string (context, "fdopen(%s): %s", fn,
+				       strerror(ret));
+		return ret;
+	    }
+	    keep_open = 1;
+	}
+	ret = open_file(context, f, min, max, fn, "a", file, keep_open);
+    }else if(strncmp(p, "DEVICE=", 6) == 0){
+	ret = open_file(context, f, min, max, strdup(p + 7), "w", NULL, 0);
+    }else if(strncmp(p, "SYSLOG", 6) == 0){
+	char *severity;
+	char *facility;
+	severity = strchr(p, ':');
+	if(severity == NULL)
+	    severity = "ERR";
+	facility = strchr(severity, ':');
+	if(facility == NULL)
+	    facility = "AUTH";
+	ret = open_syslog(context, f, min, max, severity, facility);
+    }else{
+	krb5_set_error_string (context, "unknown log type: %s", p);
+	ret = HEIM_ERR_LOG_PARSE; /* XXX */
+    }
+    return ret;
+}
+
+
+krb5_error_code
+krb5_openlog(krb5_context context,
+	     const char *program,
+	     krb5_log_facility **fac)
+{
+    krb5_error_code ret;
+    char **p, **q;
+
+    ret = krb5_initlog(context, program, fac);
+    if(ret)
+	return ret;
+
+    p = krb5_config_get_strings(context, NULL, "logging", program, NULL);
+    if(p == NULL)
+	p = krb5_config_get_strings(context, NULL, "logging", "default", NULL);
+    if(p){
+	for(q = p; *q; q++)
+	    ret = krb5_addlog_dest(context, *fac, *q);
+	krb5_config_free_strings(p);
+    }else
+	ret = krb5_addlog_dest(context, *fac, "SYSLOG");
+    return 0;
+}
+
+krb5_error_code
+krb5_closelog(krb5_context context,
+	      krb5_log_facility *fac)
+{
+    int i;
+    for(i = 0; i < fac->len; i++)
+	(*fac->val[i].close)(&fac->val[i].data);
+    return 0;
+}
+
+#undef __attribute__
+#define __attribute__(X)
+
+krb5_error_code
+krb5_vlog_msg(krb5_context context,
+	      krb5_log_facility *fac,
+	      char **reply,
+	      int level,
+	      const char *fmt,
+	      va_list ap)
+     __attribute__((format (printf, 5, 0)))
+{
+    char *msg;
+    const char *actual;
+    char buf[64];
+    time_t t;
+    int i;
+
+    vasprintf(&msg, fmt, ap);
+    if (msg != NULL)
+	actual = msg;
+    else
+	actual = fmt;
+    t = time(NULL);
+    krb5_format_time(context, t, buf, sizeof(buf), TRUE);
+    for(i = 0; i < fac->len; i++)
+	if(fac->val[i].min <= level && 
+	   (fac->val[i].max < 0 || fac->val[i].max >= level))
+	    (*fac->val[i].log)(buf, actual, fac->val[i].data);
+    *reply = msg;
+    return 0;
+}
+
+krb5_error_code
+krb5_vlog(krb5_context context,
+	  krb5_log_facility *fac,
+	  int level,
+	  const char *fmt,
+	  va_list ap)
+     __attribute__((format (printf, 4, 0)))
+{
+    char *msg;
+    krb5_error_code ret;
+
+    ret = krb5_vlog_msg(context, fac, &msg, level, fmt, ap);
+    free(msg);
+    return ret;
+}
+
+krb5_error_code
+krb5_log_msg(krb5_context context,
+	     krb5_log_facility *fac,
+	     int level,
+	     char **reply,
+	     const char *fmt,
+	     ...)
+     __attribute__((format (printf, 5, 6)))
+{
+    va_list ap;
+    krb5_error_code ret;
+
+    va_start(ap, fmt);
+    ret = krb5_vlog_msg(context, fac, reply, level, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+
+krb5_error_code
+krb5_log(krb5_context context,
+	 krb5_log_facility *fac,
+	 int level,
+	 const char *fmt,
+	 ...)
+     __attribute__((format (printf, 4, 5)))
+{
+    va_list ap;
+    krb5_error_code ret;
+
+    va_start(ap, fmt);
+    ret = krb5_vlog(context, fac, level, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
diff --git a/crypto/heimdal/lib/krb5/mcache.c b/crypto/heimdal/lib/krb5/mcache.c
new file mode 100644
index 0000000..8c44b6e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mcache.c
@@ -0,0 +1,329 @@
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: mcache.c,v 1.13 2001/05/14 06:14:49 assar Exp $");
+
+typedef struct krb5_mcache {
+    char *name;
+    unsigned int refcnt;
+    krb5_principal primary_principal;
+    struct link {
+	krb5_creds cred;
+	struct link *next;
+    } *creds;
+    struct krb5_mcache *next;
+} krb5_mcache;
+
+static struct krb5_mcache *mcc_head;
+
+#define	MCACHE(X)	((krb5_mcache *)(X)->data.data)
+
+#define MISDEAD(X)	((X)->primary_principal == NULL)
+
+#define MCC_CURSOR(C) ((struct link*)(C))
+
+static char*
+mcc_get_name(krb5_context context,
+	     krb5_ccache id)
+{
+    return MCACHE(id)->name;
+}
+
+static krb5_mcache *
+mcc_alloc(const char *name)
+{
+    krb5_mcache *m;
+
+    ALLOC(m, 1);
+    if(m == NULL)
+	return NULL;
+    if(name == NULL)
+	asprintf(&m->name, "%p", m);
+    else
+	m->name = strdup(name);
+    if(m->name == NULL) {
+	free(m);
+	return NULL;
+    }
+    m->refcnt = 1;
+    m->primary_principal = NULL;
+    m->creds = NULL;
+    m->next = mcc_head;
+    mcc_head = m;
+    return m;
+}
+
+static krb5_error_code
+mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
+    krb5_mcache *m;
+
+    for (m = mcc_head; m != NULL; m = m->next)
+	if (strcmp(m->name, res) == 0)
+	    break;
+
+    if (m != NULL) {
+	m->refcnt++;
+	(*id)->data.data = m;
+	(*id)->data.length = sizeof(*m);
+	return 0;
+    }
+
+    m = mcc_alloc(res);
+    if (m == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+    
+    (*id)->data.data = m;
+    (*id)->data.length = sizeof(*m);
+
+    return 0;
+}
+
+
+static krb5_error_code
+mcc_gen_new(krb5_context context, krb5_ccache *id)
+{
+    krb5_mcache *m;
+
+    m = mcc_alloc(NULL);
+
+    if (m == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+
+    (*id)->data.data = m;
+    (*id)->data.length = sizeof(*m);
+
+    return 0;
+}
+
+static krb5_error_code
+mcc_initialize(krb5_context context,
+	       krb5_ccache id,
+	       krb5_principal primary_principal)
+{
+    return krb5_copy_principal (context,
+				primary_principal,
+				&MCACHE(id)->primary_principal);
+}
+
+static krb5_error_code
+mcc_close(krb5_context context,
+	  krb5_ccache id)
+{
+    krb5_mcache *m = MCACHE(id);
+
+    if (--m->refcnt != 0)
+	return 0;
+
+    if (MISDEAD(m)) {
+	free (m->name);
+	krb5_data_free(&id->data);
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+mcc_destroy(krb5_context context,
+	    krb5_ccache id)
+{
+    krb5_mcache **n, *m = MCACHE(id);
+    struct link *l;
+
+    if (m->refcnt == 0)
+	krb5_abortx(context, "mcc_destroy: refcnt already 0");
+
+    if (!MISDEAD(m)) {
+	/* if this is an active mcache, remove it from the linked
+           list, and free all data */
+	for(n = &mcc_head; n && *n; n = &(*n)->next) {
+	    if(m == *n) {
+		*n = m->next;
+		break;
+	    }
+	}
+	krb5_free_principal (context, m->primary_principal);
+	m->primary_principal = NULL;
+	
+	l = m->creds;
+	while (l != NULL) {
+	    struct link *old;
+	    
+	    krb5_free_creds_contents (context, &l->cred);
+	    old = l;
+	    l = l->next;
+	    free (old);
+	}
+	m->creds = NULL;
+    }
+    return 0;
+}
+
+static krb5_error_code
+mcc_store_cred(krb5_context context,
+	       krb5_ccache id,
+	       krb5_creds *creds)
+{
+    krb5_mcache *m = MCACHE(id);
+    krb5_error_code ret;
+    struct link *l;
+
+    if (MISDEAD(m))
+	return ENOENT;
+
+    l = malloc (sizeof(*l));
+    if (l == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return KRB5_CC_NOMEM;
+    }
+    l->next = m->creds;
+    m->creds = l;
+    memset (&l->cred, 0, sizeof(l->cred));
+    ret = krb5_copy_creds_contents (context, creds, &l->cred);
+    if (ret) {
+	m->creds = l->next;
+	free (l);
+	return ret;
+    }
+    return 0;
+}
+
+static krb5_error_code
+mcc_get_principal(krb5_context context,
+		  krb5_ccache id,
+		  krb5_principal *principal)
+{
+    krb5_mcache *m = MCACHE(id);
+
+    if (MISDEAD(m))
+	return ENOENT;
+
+    return krb5_copy_principal (context,
+				m->primary_principal,
+				principal);
+}
+
+static krb5_error_code
+mcc_get_first (krb5_context context,
+	       krb5_ccache id,
+	       krb5_cc_cursor *cursor)
+{
+    krb5_mcache *m = MCACHE(id);
+
+    if (MISDEAD(m))
+	return ENOENT;
+
+    *cursor = m->creds;
+    return 0;
+}
+
+static krb5_error_code
+mcc_get_next (krb5_context context,
+	      krb5_ccache id,
+	      krb5_cc_cursor *cursor,
+	      krb5_creds *creds)
+{
+    krb5_mcache *m = MCACHE(id);
+    struct link *l;
+
+    if (MISDEAD(m))
+	return ENOENT;
+
+    l = *cursor;
+    if (l != NULL) {
+	*cursor = l->next;
+	return krb5_copy_creds_contents (context,
+					 &l->cred,
+					 creds);
+    } else
+	return KRB5_CC_END;
+}
+
+static krb5_error_code
+mcc_end_get (krb5_context context,
+	     krb5_ccache id,
+	     krb5_cc_cursor *cursor)
+{
+    return 0;
+}
+
+static krb5_error_code
+mcc_remove_cred(krb5_context context,
+		 krb5_ccache id,
+		 krb5_flags which,
+		 krb5_creds *mcreds)
+{
+    krb5_mcache *m = MCACHE(id);
+    struct link **q, *p;
+    for(q = &m->creds, p = *q; p; p = *q) {
+	if(krb5_compare_creds(context, which, mcreds, &p->cred)) {
+	    *q = p->next;
+	    krb5_free_cred_contents(context, &p->cred);
+	    free(p);
+	} else
+	    q = &p->next;
+    }
+    return 0;
+}
+
+static krb5_error_code
+mcc_set_flags(krb5_context context,
+	      krb5_ccache id,
+	      krb5_flags flags)
+{
+    return 0; /* XXX */
+}
+		    
+const krb5_cc_ops krb5_mcc_ops = {
+    "MEMORY",
+    mcc_get_name,
+    mcc_resolve,
+    mcc_gen_new,
+    mcc_initialize,
+    mcc_destroy,
+    mcc_close,
+    mcc_store_cred,
+    NULL, /* mcc_retrieve */
+    mcc_get_principal,
+    mcc_get_first,
+    mcc_get_next,
+    mcc_end_get,
+    mcc_remove_cred,
+    mcc_set_flags
+};
diff --git a/crypto/heimdal/lib/krb5/misc.c b/crypto/heimdal/lib/krb5/misc.c
new file mode 100644
index 0000000..baf63f6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/misc.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: misc.c,v 1.5 1999/12/02 17:05:11 joda Exp $");
diff --git a/crypto/heimdal/lib/krb5/mk_error.c b/crypto/heimdal/lib/krb5/mk_error.c
new file mode 100644
index 0000000..0015f45
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_error.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: mk_error.c,v 1.16 2001/05/14 06:14:49 assar Exp $");
+
+krb5_error_code
+krb5_mk_error(krb5_context context,
+	      krb5_error_code error_code,
+	      const char *e_text,
+	      const krb5_data *e_data,
+	      const krb5_principal client,
+	      const krb5_principal server,
+	      time_t *ctime,
+	      int *cusec,
+	      krb5_data *reply)
+{
+    KRB_ERROR msg;
+    u_char *buf;
+    size_t buf_size;
+    int32_t sec, usec;
+    size_t len;
+    krb5_error_code ret = 0;
+
+    krb5_us_timeofday (context, &sec, &usec);
+
+    memset(&msg, 0, sizeof(msg));
+    msg.pvno     = 5;
+    msg.msg_type = krb_error;
+    msg.stime    = sec;
+    msg.susec    = usec;
+    msg.ctime    = ctime;
+    msg.cusec    = cusec;
+    /* Make sure we only send `protocol' error codes */
+    if(error_code < KRB5KDC_ERR_NONE || error_code >= KRB5_ERR_RCSID) {
+	if(e_text == NULL)
+	    e_text = krb5_get_err_text(context, error_code);
+	error_code = KRB5KRB_ERR_GENERIC;
+    }
+    msg.error_code = error_code - KRB5KDC_ERR_NONE;
+    if (e_text)
+	msg.e_text = (general_string*)&e_text;
+    if (e_data)
+	msg.e_data = (octet_string*)e_data;
+    if(server){
+	msg.realm = server->realm;
+	msg.sname = server->name;
+    }else{
+	msg.realm = "<unspecified realm>";
+    }
+    if(client){
+	msg.crealm = &client->realm;
+	msg.cname = &client->name;
+    }
+
+    buf_size = 1024;
+    buf = malloc (buf_size);
+    if (buf == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    do {
+	ret = encode_KRB_ERROR(buf + buf_size - 1,
+			       buf_size,
+			       &msg,
+			       &len);
+	if (ret) {
+	    if (ret == ASN1_OVERFLOW) {
+		u_char *tmp;
+
+		buf_size *= 2;
+		tmp = realloc (buf, buf_size);
+		if (tmp == NULL) {
+		    krb5_set_error_string (context, "malloc: out of memory");
+		    ret = ENOMEM;
+		    goto out;
+		}
+		buf = tmp;
+	    } else {
+		goto out;
+	    }
+	}
+    } while (ret == ASN1_OVERFLOW);
+
+    reply->length = len;
+    reply->data = malloc(len);
+    if (reply->data == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	ret = ENOMEM;
+	goto out;
+    }
+    memcpy (reply->data, buf + buf_size - len, len);
+out:
+    free (buf);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/mk_priv.c b/crypto/heimdal/lib/krb5/mk_priv.c
new file mode 100644
index 0000000..1de4a5c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_priv.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: mk_priv.c,v 1.29 2001/05/14 06:14:49 assar Exp $");
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_mk_priv(krb5_context context,
+	     krb5_auth_context auth_context,
+	     const krb5_data *userdata,
+	     krb5_data *outbuf,
+	     /*krb5_replay_data*/ void *outdata)
+{
+  krb5_error_code ret;
+  KRB_PRIV s;
+  EncKrbPrivPart part;
+  u_char *buf;
+  size_t buf_size;
+  size_t len;
+  u_int32_t tmp_seq;
+  krb5_keyblock *key;
+  int32_t sec, usec;
+  KerberosTime sec2;
+  int usec2;
+  krb5_crypto crypto;
+
+  /* XXX - Is this right? */
+
+  if (auth_context->local_subkey)
+      key = auth_context->local_subkey;
+  else if (auth_context->remote_subkey)
+      key = auth_context->remote_subkey;
+  else
+      key = auth_context->keyblock;
+
+  krb5_us_timeofday (context, &sec, &usec);
+
+  part.user_data = *userdata;
+  sec2           = sec;
+  part.timestamp = &sec2;
+  usec2          = usec;
+  part.usec      = &usec2;
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    tmp_seq = auth_context->local_seqnumber;
+    part.seq_number = &tmp_seq;
+  } else {
+    part.seq_number = NULL;
+  }
+
+  part.s_address = auth_context->local_address;
+  part.r_address = auth_context->remote_address;
+
+  buf_size = 1024;
+  buf = malloc (buf_size);
+  if (buf == NULL) {
+      krb5_set_error_string (context, "malloc: out of memory");
+      return ENOMEM;
+  }
+
+  krb5_data_zero (&s.enc_part.cipher);
+
+  do {
+      ret = encode_EncKrbPrivPart (buf + buf_size - 1, buf_size,
+				   &part, &len);
+      if (ret) {
+	  if (ret == ASN1_OVERFLOW) {
+	      u_char *tmp;
+
+	      buf_size *= 2;
+	      tmp = realloc (buf, buf_size);
+	      if (tmp == NULL) {
+		  krb5_set_error_string (context, "malloc: out of memory");
+		  ret = ENOMEM;
+		  goto fail;
+	      }
+	      buf = tmp;
+	  } else {
+	      goto fail;
+	  }
+      }
+  } while(ret == ASN1_OVERFLOW);
+
+  s.pvno = 5;
+  s.msg_type = krb_priv;
+  s.enc_part.etype = key->keytype;
+  s.enc_part.kvno = NULL;
+
+  ret = krb5_crypto_init(context, key, 0, &crypto);
+  if (ret) {
+      free (buf);
+      return ret;
+  }
+  ret = krb5_encrypt (context, 
+		      crypto,
+		      KRB5_KU_KRB_PRIV,
+		      buf + buf_size - len, 
+		      len,
+		      &s.enc_part.cipher);
+  krb5_crypto_destroy(context, crypto);
+  if (ret) {
+      free(buf);
+      return ret;
+  }
+
+  do {
+      ret = encode_KRB_PRIV (buf + buf_size - 1, buf_size, &s, &len);
+
+      if (ret){
+	  if (ret == ASN1_OVERFLOW) {
+	      u_char *tmp;
+
+	      buf_size *= 2;
+	      tmp = realloc (buf, buf_size);
+	      if (tmp == NULL) {
+		  krb5_set_error_string (context, "malloc: out of memory");
+		  ret = ENOMEM;
+		  goto fail;
+	      }
+	      buf = tmp;
+	  } else {
+	      goto fail;
+	  }
+      }
+  } while(ret == ASN1_OVERFLOW);
+  krb5_data_free (&s.enc_part.cipher);
+
+  outbuf->length = len;
+  outbuf->data   = malloc (len);
+  if (outbuf->data == NULL) {
+      krb5_set_error_string (context, "malloc: out of memory");
+      free(buf);
+      return ENOMEM;
+  }
+  memcpy (outbuf->data, buf + buf_size - len, len);
+  free (buf);
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
+      auth_context->local_seqnumber =
+	  (auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
+  return 0;
+
+fail:
+  free (buf);
+  krb5_data_free (&s.enc_part.cipher);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/mk_rep.c b/crypto/heimdal/lib/krb5/mk_rep.c
new file mode 100644
index 0000000..fc6b4f2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_rep.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: mk_rep.c,v 1.19 2001/05/14 06:14:49 assar Exp $");
+
+krb5_error_code
+krb5_mk_rep(krb5_context context,
+	    krb5_auth_context auth_context,
+	    krb5_data *outbuf)
+{
+  krb5_error_code ret;
+  AP_REP ap;
+  EncAPRepPart body;
+  u_char *buf = NULL;
+  size_t buf_size;
+  size_t len;
+  krb5_crypto crypto;
+
+  ap.pvno = 5;
+  ap.msg_type = krb_ap_rep;
+
+  memset (&body, 0, sizeof(body));
+
+  body.ctime = auth_context->authenticator->ctime;
+  body.cusec = auth_context->authenticator->cusec;
+  body.subkey = NULL;
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    krb5_generate_seq_number (context,
+			      auth_context->keyblock,
+			      &auth_context->local_seqnumber);
+    body.seq_number = malloc (sizeof(*body.seq_number));
+    if (body.seq_number == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    *(body.seq_number) = auth_context->local_seqnumber;
+  } else
+    body.seq_number = NULL;
+
+  ap.enc_part.etype = auth_context->keyblock->keytype;
+  ap.enc_part.kvno  = NULL;
+
+  buf_size = length_EncAPRepPart(&body);
+  buf = malloc (buf_size);
+  if (buf == NULL) {
+      free_EncAPRepPart (&body);
+      krb5_set_error_string (context, "malloc: out of memory");
+      return ENOMEM;
+  }
+
+  ret = krb5_encode_EncAPRepPart (context, 
+				  buf + buf_size - 1,
+				  buf_size,
+				  &body, 
+				  &len);
+
+  free_EncAPRepPart (&body);
+  ret = krb5_crypto_init(context, auth_context->keyblock, 
+			 0 /* ap.enc_part.etype */, &crypto);
+  if (ret) {
+      free (buf);
+      return ret;
+  }
+  ret = krb5_encrypt (context,
+		      crypto,
+		      KRB5_KU_AP_REQ_ENC_PART,
+		      buf + buf_size - len, 
+		      len,
+		      &ap.enc_part.cipher);
+  krb5_crypto_destroy(context, crypto);
+  if (ret) {
+      free(buf);
+      return ret;
+  }
+
+  buf_size = length_AP_REP(&ap);
+  buf = realloc(buf, buf_size);
+  if(buf == NULL) {
+      free_AP_REP (&ap);
+      krb5_set_error_string (context, "malloc: out of memory");
+      return ENOMEM;
+  }
+  ret = encode_AP_REP (buf + buf_size - 1, buf_size, &ap, &len);
+  
+  free_AP_REP (&ap);
+
+  if(len != buf_size)
+      krb5_abortx(context, "krb5_mk_rep: encoded length != calculated length");
+  outbuf->data = buf;
+  outbuf->length = len;
+  return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/mk_req.c b/crypto/heimdal/lib/krb5/mk_req.c
new file mode 100644
index 0000000..dbe7f3d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_req.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: mk_req.c,v 1.23 2001/05/14 06:14:49 assar Exp $");
+
+krb5_error_code
+krb5_mk_req_exact(krb5_context context,
+		  krb5_auth_context *auth_context,
+		  const krb5_flags ap_req_options,
+		  const krb5_principal server,
+		  krb5_data *in_data,
+		  krb5_ccache ccache,
+		  krb5_data *outbuf)
+{
+    krb5_error_code ret;
+    krb5_creds this_cred, *cred;
+
+    memset(&this_cred, 0, sizeof(this_cred));
+
+    ret = krb5_cc_get_principal(context, ccache, &this_cred.client);
+  
+    if(ret)
+	return ret;
+
+    ret = krb5_copy_principal (context, server, &this_cred.server);
+    if (ret) {
+	krb5_free_creds_contents (context, &this_cred);
+	return ret;
+    }
+
+    this_cred.times.endtime = 0;
+    if (auth_context && *auth_context && (*auth_context)->keytype)
+	this_cred.session.keytype = (*auth_context)->keytype;
+
+    ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred);
+    krb5_free_creds_contents(context, &this_cred);
+    if (ret)
+	return ret;
+
+    return krb5_mk_req_extended (context,
+				 auth_context,
+				 ap_req_options,
+				 in_data,
+				 cred,
+				 outbuf);
+}
+
+krb5_error_code
+krb5_mk_req(krb5_context context,
+	    krb5_auth_context *auth_context,
+	    const krb5_flags ap_req_options,
+	    const char *service,
+	    const char *hostname,
+	    krb5_data *in_data,
+	    krb5_ccache ccache,
+	    krb5_data *outbuf)
+{
+    krb5_error_code ret;
+    char **realms;
+    char *real_hostname;
+    krb5_principal server;
+
+    ret = krb5_expand_hostname_realms (context, hostname,
+				       &real_hostname, &realms);
+    if (ret)
+	return ret;
+
+    ret = krb5_build_principal (context, &server,
+				strlen(*realms),
+				*realms,
+				service,
+				real_hostname,
+				NULL);
+    free (real_hostname);
+    krb5_free_host_realm (context, realms);
+    if (ret)
+	return ret;
+    ret = krb5_mk_req_exact (context, auth_context, ap_req_options,
+			     server, in_data, ccache, outbuf);
+    krb5_free_principal (context, server);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/mk_req_ext.c b/crypto/heimdal/lib/krb5/mk_req_ext.c
new file mode 100644
index 0000000..5ab7a1c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_req_ext.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: mk_req_ext.c,v 1.25 2001/05/09 07:15:00 assar Exp $");
+
+krb5_error_code
+krb5_mk_req_internal(krb5_context context,
+		     krb5_auth_context *auth_context,
+		     const krb5_flags ap_req_options,
+		     krb5_data *in_data,
+		     krb5_creds *in_creds,
+		     krb5_data *outbuf,
+		     krb5_key_usage checksum_usage,
+		     krb5_key_usage encrypt_usage)
+{
+  krb5_error_code ret;
+  krb5_data authenticator;
+  Checksum c;
+  Checksum *c_opt;
+  krb5_auth_context ac;
+
+  if(auth_context) {
+      if(*auth_context == NULL)
+	  ret = krb5_auth_con_init(context, auth_context);
+      else
+	  ret = 0;
+      ac = *auth_context;
+  } else
+      ret = krb5_auth_con_init(context, &ac);
+  if(ret)
+      return ret;
+      
+#if 0
+  {
+      /* This is somewhat bogus since we're possibly overwriting a
+         value specified by the user, but it's the easiest way to make
+         the code use a compatible enctype */
+      Ticket ticket;
+      krb5_keytype ticket_keytype;
+
+      ret = decode_Ticket(in_creds->ticket.data, 
+			  in_creds->ticket.length, 
+			  &ticket, 
+			  NULL);
+      krb5_enctype_to_keytype (context,
+			       ticket.enc_part.etype,
+			       &ticket_keytype);
+
+      if (ticket_keytype == in_creds->session.keytype)
+	  krb5_auth_setenctype(context, 
+			       ac,
+			       ticket.enc_part.etype);
+      free_Ticket(&ticket);
+  }
+#endif
+
+  krb5_free_keyblock(context, ac->keyblock);
+  krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
+  
+  /* it's unclear what type of checksum we can use.  try the best one, except:
+   * a) if it's configured differently for the current realm, or
+   * b) if the session key is des-cbc-crc
+   */
+
+  if (in_data) {
+      if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
+	  /* this is to make DCE secd (and older MIT kdcs?) happy */
+	  ret = krb5_create_checksum(context, 
+				     NULL,
+				     0,
+				     CKSUMTYPE_RSA_MD4,
+				     in_data->data,
+				     in_data->length,
+				     &c);
+      } else {
+	  krb5_crypto crypto;
+
+	  ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
+	  if (ret)
+	      return ret;
+	  ret = krb5_create_checksum(context, 
+				     crypto,
+				     checksum_usage,
+				     0,
+				     in_data->data,
+				     in_data->length,
+				     &c);
+      
+	  krb5_crypto_destroy(context, crypto);
+      }
+      c_opt = &c;
+  } else {
+      c_opt = NULL;
+  }
+  
+  ret = krb5_build_authenticator (context,
+				  ac,
+				  ac->keyblock->keytype,
+				  in_creds,
+				  c_opt,
+				  NULL,
+				  &authenticator,
+				  encrypt_usage);
+  if (c_opt)
+      free_Checksum (c_opt);
+  if (ret)
+    return ret;
+
+  ret = krb5_build_ap_req (context, ac->keyblock->keytype, 
+			   in_creds, ap_req_options, authenticator, outbuf);
+  if(auth_context == NULL)
+      krb5_auth_con_free(context, ac);
+  return ret;
+}
+
+krb5_error_code
+krb5_mk_req_extended(krb5_context context,
+		     krb5_auth_context *auth_context,
+		     const krb5_flags ap_req_options,
+		     krb5_data *in_data,
+		     krb5_creds *in_creds,
+		     krb5_data *outbuf)
+{
+    return krb5_mk_req_internal (context,
+				 auth_context,
+				 ap_req_options,
+				 in_data,
+				 in_creds,
+				 outbuf,
+				 KRB5_KU_AP_REQ_AUTH_CKSUM,
+				 KRB5_KU_AP_REQ_AUTH);
+}
diff --git a/crypto/heimdal/lib/krb5/mk_safe.c b/crypto/heimdal/lib/krb5/mk_safe.c
new file mode 100644
index 0000000..085ebaf
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/mk_safe.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: mk_safe.c,v 1.26 2001/05/14 06:14:50 assar Exp $");
+
+krb5_error_code
+krb5_mk_safe(krb5_context context,
+	     krb5_auth_context auth_context,
+	     const krb5_data *userdata,
+	     krb5_data *outbuf,
+	     /*krb5_replay_data*/ void *outdata)
+{
+  krb5_error_code ret;
+  KRB_SAFE s;
+  int32_t sec, usec;
+  KerberosTime sec2;
+  int usec2;
+  u_char *buf = NULL;
+  void *tmp;
+  size_t buf_size;
+  size_t len;
+  u_int32_t tmp_seq;
+  krb5_crypto crypto;
+
+  s.pvno = 5;
+  s.msg_type = krb_safe;
+
+  s.safe_body.user_data = *userdata;
+  krb5_us_timeofday (context, &sec, &usec);
+
+  sec2                   = sec;
+  s.safe_body.timestamp  = &sec2;
+  usec2                  = usec2;
+  s.safe_body.usec       = &usec2;
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+      tmp_seq = auth_context->local_seqnumber;
+      s.safe_body.seq_number = &tmp_seq;
+  } else 
+      s.safe_body.seq_number = NULL;
+
+  s.safe_body.s_address = auth_context->local_address;
+  s.safe_body.r_address = auth_context->remote_address;
+
+  s.cksum.cksumtype       = 0;
+  s.cksum.checksum.data   = NULL;
+  s.cksum.checksum.length = 0;
+
+  buf_size = length_KRB_SAFE(&s);
+  buf = malloc(buf_size + 128); /* add some for checksum */
+  if(buf == NULL) {
+      krb5_set_error_string (context, "malloc: out of memory");
+      return ENOMEM;
+  }
+  ret = encode_KRB_SAFE (buf + buf_size - 1, buf_size, &s, &len);
+  if (ret) {
+      free (buf);
+      return ret;
+  }
+  ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+  if (ret) {
+      free (buf);
+      return ret;
+  }
+  ret = krb5_create_checksum(context, 
+			     crypto,
+			     KRB5_KU_KRB_SAFE_CKSUM,
+			     0,
+			     buf + buf_size - len,
+			     len,
+			     &s.cksum);
+  krb5_crypto_destroy(context, crypto);
+  if (ret) {
+      free (buf);
+      return ret;
+  }
+
+  buf_size = length_KRB_SAFE(&s);
+  tmp = realloc(buf, buf_size);
+  if(tmp == NULL) {
+      free(buf);
+      krb5_set_error_string (context, "malloc: out of memory");
+      return ENOMEM;
+  }
+  buf = tmp;
+  
+  ret = encode_KRB_SAFE (buf + buf_size - 1, buf_size, &s, &len);
+  free_Checksum (&s.cksum);
+
+  outbuf->length = len;
+  outbuf->data   = malloc (len);
+  if (outbuf->data == NULL) {
+      free (buf);
+      krb5_set_error_string (context, "malloc: out of memory");
+      return ENOMEM;
+  }
+  memcpy (outbuf->data, buf + buf_size - len, len);
+  free (buf);
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
+      auth_context->local_seqnumber =
+	  (auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
+  return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/n-fold-test.c b/crypto/heimdal/lib/krb5/n-fold-test.c
new file mode 100644
index 0000000..7cf4905
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/n-fold-test.c
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: n-fold-test.c,v 1.4 2001/03/12 07:42:30 assar Exp $");
+
+enum { MAXSIZE = 24 };
+
+static struct testcase {
+    const char *str;
+    unsigned n;
+    unsigned char res[MAXSIZE];
+} tests[] = {
+    {"012345",		8,
+     {0xbe, 0x07, 0x26, 0x31, 0x27, 0x6b, 0x19, 0x55}
+    },
+    {"basch",		24,
+     {0x1a, 0xab, 0x6b, 0x42, 0x96, 0x4b, 0x98, 0xb2, 0x1f, 0x8c, 0xde,
+      0x2d, 0x24, 0x48, 0xba, 0x34, 0x55, 0xd7, 0x86, 0x2c, 0x97, 0x31,
+      0x64, 0x3f}
+    },
+    {"eichin",		24,
+     {0x65, 0x69, 0x63, 0x68, 0x69, 0x6e, 0x4b, 0x73, 0x2b, 0x4b,
+      0x1b, 0x43, 0xda, 0x1a, 0x5b, 0x99, 0x5a, 0x58, 0xd2, 0xc6, 0xd0,
+      0xd2, 0xdc, 0xca}
+    },
+    {"sommerfeld",	24,
+     {0x2f, 0x7a, 0x98, 0x55, 0x7c, 0x6e, 0xe4, 0xab, 0xad, 0xf4,
+      0xe7, 0x11, 0x92, 0xdd, 0x44, 0x2b, 0xd4, 0xff, 0x53, 0x25, 0xa5,
+      0xde, 0xf7, 0x5c}
+    },
+    {"MASSACHVSETTS INSTITVTE OF TECHNOLOGY", 24,
+     {0xdb, 0x3b, 0x0d, 0x8f, 0x0b, 0x06, 0x1e, 0x60, 0x32, 0x82,
+      0xb3, 0x08, 0xa5, 0x08, 0x41, 0x22, 0x9a, 0xd7, 0x98, 0xfa, 0xb9,
+      0x54, 0x0c, 0x1b}
+    },
+    {"assar@NADA.KTH.SE", 24,
+     {0x5c, 0x06, 0xc3, 0x4d, 0x2c, 0x89, 0x05, 0xbe, 0x7a, 0x51,
+      0x83, 0x6c, 0xd6, 0xf8, 0x1c, 0x4b, 0x7a, 0x93, 0x49, 0x16, 0x5a,
+      0xb3, 0xfa, 0xa9}
+    },
+    {"testKRBTEST.MIT.EDUtestkey", 24,
+     {0x50, 0x2c, 0xf8, 0x29, 0x78, 0xe5, 0xfb, 0x1a, 0x29, 0x06,
+      0xbd, 0x22, 0x28, 0x91, 0x56, 0xc0, 0x06, 0xa0, 0xdc, 0xf5, 0xb6,
+      0xc2, 0xda, 0x6c}
+    },
+    {"password", 7,
+     {0x78, 0xa0, 0x7b, 0x6c, 0xaf, 0x85, 0xfa}
+    },
+    {"Rough Consensus, and Running Code", 8,
+     {0xbb, 0x6e, 0xd3, 0x08, 0x70, 0xb7, 0xf0, 0xe0},
+    },
+    {"password", 21,
+     {0x59, 0xe4, 0xa8, 0xca, 0x7c, 0x03, 0x85, 0xc3, 0xc3, 0x7b, 0x3f,
+      0x6d, 0x20, 0x00, 0x24, 0x7c, 0xb6, 0xe6, 0xbd, 0x5b, 0x3e},
+    },
+    {"MASSACHVSETTS INSTITVTE OF TECHNOLOGY", 24,
+     {0xdb, 0x3b, 0x0d, 0x8f, 0x0b, 0x06, 0x1e, 0x60, 0x32, 0x82, 0xb3,
+      0x08, 0xa5, 0x08, 0x41, 0x22, 0x9a, 0xd7, 0x98, 0xfa, 0xb9, 0x54,
+      0x0c, 0x1b}
+    },
+    {NULL, 0}
+};
+
+int
+main(int argc, char **argv)
+{
+    unsigned char data[MAXSIZE];
+    struct testcase *t;
+    int ret = 0;
+
+    for (t = tests; t->str; ++t) {
+	int i;
+
+	_krb5_n_fold (t->str, strlen(t->str), data, t->n);
+	if (memcmp (data, t->res, t->n) != 0) {
+	    printf ("n-fold(\"%s\", %d) failed\n", t->str, t->n);
+	    printf ("should be: ");
+	    for (i = 0; i < t->n; ++i)
+		printf ("%02x", t->res[i]);
+	    printf ("\nresult was: ");
+	    for (i = 0; i < t->n; ++i)
+		printf ("%02x", data[i]);
+	    printf ("\n");
+	    ret = 1;
+	}
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/n-fold.c b/crypto/heimdal/lib/krb5/n-fold.c
new file mode 100644
index 0000000..d0db5e8
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/n-fold.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: n-fold.c,v 1.6 1999/08/27 09:03:41 joda Exp $");
+
+static void
+rr13(unsigned char *buf, size_t len)
+{
+    unsigned char *tmp;
+    int bytes = (len + 7) / 8;
+    int i;
+    if(len == 0)
+	return;
+    {
+	const int bits = 13 % len;
+	const int lbit = len % 8;
+    
+	tmp = malloc(bytes);
+	memcpy(tmp, buf, bytes);
+	if(lbit) {
+	    /* pad final byte with inital bits */
+	    tmp[bytes - 1] &= 0xff << (8 - lbit);
+	    for(i = lbit; i < 8; i += len)
+		tmp[bytes - 1] |= buf[0] >> i;
+	}
+	for(i = 0; i < bytes; i++) {
+	    int bb;
+	    int b1, s1, b2, s2;
+	    /* calculate first bit position of this byte */
+	    bb = 8 * i - bits;
+	    while(bb < 0)
+		bb += len;
+	    /* byte offset and shift count */
+	    b1 = bb / 8;
+	    s1 = bb % 8;
+	
+	    if(bb + 8 > bytes * 8) 
+		/* watch for wraparound */
+		s2 = (len + 8 - s1) % 8;
+	    else 
+		s2 = 8 - s1;
+	    b2 = (b1 + 1) % bytes;
+	    buf[i] = (tmp[b1] << s1) | (tmp[b2] >> s2);
+	}
+	free(tmp);
+    }
+}
+
+/* Add `b' to `a', both beeing one's complement numbers. */
+static void
+add1(unsigned char *a, unsigned char *b, size_t len)
+{
+    int i;
+    int carry = 0;
+    for(i = len - 1; i >= 0; i--){
+	int x = a[i] + b[i] + carry;
+	carry = x > 0xff;
+	a[i] = x & 0xff;
+    }
+    for(i = len - 1; carry && i >= 0; i--){
+	int x = a[i] + carry;
+	carry = x > 0xff;
+	a[i] = x & 0xff;
+    }
+}
+
+void
+_krb5_n_fold(const void *str, size_t len, void *key, size_t size)
+{
+    /* if len < size we need at most N * len bytes, ie < 2 * size;
+       if len > size we need at most 2 * len */
+    size_t maxlen = 2 * max(size, len);
+    size_t l = 0;
+    unsigned char *tmp = malloc(maxlen);
+    unsigned char *buf = malloc(len);
+    
+    memcpy(buf, str, len);
+    memset(key, 0, size);
+    do {
+	memcpy(tmp + l, buf, len);
+	l += len;
+	rr13(buf, len * 8);
+	while(l >= size) {
+	    add1(key, tmp, size);
+	    l -= size;
+	    if(l == 0)
+		break;
+	    memmove(tmp, tmp + size, l);
+	}
+    } while(l != 0);
+    memset(buf, 0, len);
+    free(buf);
+    memset(tmp, 0, maxlen);
+    free(tmp);
+}
diff --git a/crypto/heimdal/lib/krb5/net_read.c b/crypto/heimdal/lib/krb5/net_read.c
new file mode 100644
index 0000000..8cb1dc4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/net_read.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: net_read.c,v 1.5 1999/12/02 17:05:11 joda Exp $");
+
+ssize_t
+krb5_net_read (krb5_context context,
+	       void *p_fd,
+	       void *buf,
+	       size_t len)
+{
+  int fd = *((int *)p_fd);
+
+  return net_read (fd, buf, len);
+}
diff --git a/crypto/heimdal/lib/krb5/net_write.c b/crypto/heimdal/lib/krb5/net_write.c
new file mode 100644
index 0000000..5cc719b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/net_write.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: net_write.c,v 1.6 1999/12/02 17:05:11 joda Exp $");
+
+ssize_t
+krb5_net_write (krb5_context context,
+		void *p_fd,
+		const void *buf,
+		size_t len)
+{
+  int fd = *((int *)p_fd);
+
+  return net_write (fd, buf, len);
+}
diff --git a/crypto/heimdal/lib/krb5/padata.c b/crypto/heimdal/lib/krb5/padata.c
new file mode 100644
index 0000000..bcf7952
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/padata.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: padata.c,v 1.2 1999/12/02 17:05:11 joda Exp $");
+
+PA_DATA *
+krb5_find_padata(PA_DATA *val, unsigned len, int type, int *index)
+{
+    for(; *index < len; (*index)++)
+	if(val[*index].padata_type == type)
+	    return val + *index;
+    return NULL;    
+}
diff --git a/crypto/heimdal/lib/krb5/principal.c b/crypto/heimdal/lib/krb5/principal.c
new file mode 100644
index 0000000..0bffef4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/principal.c
@@ -0,0 +1,1012 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#ifdef HAVE_RES_SEARCH
+#define USE_RESOLVER
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#include <fnmatch.h>
+#include "resolve.h"
+
+RCSID("$Id: principal.c,v 1.74 2001/05/14 06:14:50 assar Exp $");
+
+#define princ_num_comp(P) ((P)->name.name_string.len)
+#define princ_type(P) ((P)->name.name_type)
+#define princ_comp(P) ((P)->name.name_string.val)
+#define princ_ncomp(P, N) ((P)->name.name_string.val[(N)])
+#define princ_realm(P) ((P)->realm)
+
+void
+krb5_free_principal(krb5_context context,
+		    krb5_principal p)
+{
+    if(p){
+	free_Principal(p);
+	free(p);
+    }
+}
+
+krb5_error_code
+krb5_parse_name(krb5_context context,
+		const char *name,
+		krb5_principal *principal)
+{
+    krb5_error_code ret;
+    general_string *comp;
+    general_string realm;
+    int ncomp;
+
+    char *p;
+    char *q;
+    char *s;
+    char *start;
+
+    int n;
+    char c;
+    int got_realm = 0;
+  
+    /* count number of component */
+    ncomp = 1;
+    for(p = (char*)name; *p; p++){
+	if(*p=='\\'){
+	    if(!p[1]) {
+		krb5_set_error_string (context,
+				       "trailing \\ in principal name");
+		return KRB5_PARSE_MALFORMED;
+	    }
+	    p++;
+	} else if(*p == '/')
+	    ncomp++;
+    }
+    comp = calloc(ncomp, sizeof(*comp));
+    if (comp == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+  
+    n = 0;
+    start = q = p = s = strdup(name);
+    if (start == NULL) {
+	free (comp);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    while(*p){
+	c = *p++;
+	if(c == '\\'){
+	    c = *p++;
+	    if(c == 'n')
+		c = '\n';
+	    else if(c == 't')
+		c = '\t';
+	    else if(c == 'b')
+		c = '\b';
+	    else if(c == '0')
+		c = '\0';
+	}else if(c == '/' || c == '@'){
+	    if(got_realm){
+		krb5_set_error_string (context,
+				       "part after realm in principal name");
+		ret = KRB5_PARSE_MALFORMED;
+		goto exit;
+	    }else{
+		comp[n] = malloc(q - start + 1);
+		if (comp[n] == NULL) {
+		    krb5_set_error_string (context, "malloc: out of memory");
+		    ret = ENOMEM;
+		    goto exit;
+		}
+		memcpy(comp[n], start, q - start);
+		comp[n][q - start] = 0;
+		n++;
+	    }
+	    if(c == '@')
+		got_realm = 1;
+	    start = q;
+	    continue;
+	}
+	if(got_realm && (c == ':' || c == '/' || c == '\0')) {
+	    krb5_set_error_string (context,
+				   "part after realm in principal name");
+	    ret = KRB5_PARSE_MALFORMED;
+	    goto exit;
+	}
+	*q++ = c;
+    }
+    if(got_realm){
+	realm = malloc(q - start + 1);
+	if (realm == NULL) {
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    ret = ENOMEM;
+	    goto exit;
+	}
+	memcpy(realm, start, q - start);
+	realm[q - start] = 0;
+    }else{
+	ret = krb5_get_default_realm (context, &realm);
+	if (ret)
+	    goto exit;
+
+	comp[n] = malloc(q - start + 1);
+	if (comp[n] == NULL) {
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    ret = ENOMEM;
+	    goto exit;
+	}
+	memcpy(comp[n], start, q - start);
+	comp[n][q - start] = 0;
+	n++;
+    }
+    *principal = malloc(sizeof(**principal));
+    if (*principal == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	ret = ENOMEM;
+	goto exit;
+    }
+    (*principal)->name.name_type = KRB5_NT_PRINCIPAL;
+    (*principal)->name.name_string.val = comp;
+    princ_num_comp(*principal) = n;
+    (*principal)->realm = realm;
+    free(s);
+    return 0;
+exit:
+    while(n>0){
+	free(comp[--n]);
+    }
+    free(comp);
+    free(s);
+    return ret;
+}
+
+static const char quotable_chars[] = " \n\t\b\\/@";
+static const char replace_chars[] = " ntb\\/@";
+
+#define add_char(BASE, INDEX, LEN, C) do { if((INDEX) < (LEN)) (BASE)[(INDEX)++] = (C); }while(0);
+
+static size_t
+quote_string(const char *s, char *out, size_t index, size_t len)
+{
+    const char *p, *q;
+    for(p = s; *p && index < len; p++){
+	if((q = strchr(quotable_chars, *p))){
+	    add_char(out, index, len, '\\');
+	    add_char(out, index, len, replace_chars[q - quotable_chars]);
+	}else
+	    add_char(out, index, len, *p);
+    }
+    if(index < len)
+	out[index] = '\0';
+    return index;
+}
+
+
+static krb5_error_code
+unparse_name_fixed(krb5_context context,
+		   krb5_const_principal principal,
+		   char *name,
+		   size_t len,
+		   krb5_boolean short_form)
+{
+    size_t index = 0;
+    int i;
+    for(i = 0; i < princ_num_comp(principal); i++){
+	if(i)
+	    add_char(name, index, len, '/');
+	index = quote_string(princ_ncomp(principal, i), name, index, len);
+	if(index == len)
+	    return ERANGE;
+    } 
+    /* add realm if different from default realm */
+    if(short_form) {
+	krb5_realm r;
+	krb5_error_code ret;
+	ret = krb5_get_default_realm(context, &r);
+	if(ret)
+	    return ret;
+	if(strcmp(princ_realm(principal), r) != 0)
+	    short_form = 0;
+	free(r);
+    }
+    if(!short_form) {
+	add_char(name, index, len, '@');
+	index = quote_string(princ_realm(principal), name, index, len);
+	if(index == len)
+	    return ERANGE;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_unparse_name_fixed(krb5_context context,
+			krb5_const_principal principal,
+			char *name,
+			size_t len)
+{
+    return unparse_name_fixed(context, principal, name, len, FALSE);
+}
+
+krb5_error_code
+krb5_unparse_name_fixed_short(krb5_context context,
+			      krb5_const_principal principal,
+			      char *name,
+			      size_t len)
+{
+    return unparse_name_fixed(context, principal, name, len, TRUE);
+}
+
+static krb5_error_code
+unparse_name(krb5_context context,
+	     krb5_const_principal principal,
+	     char **name,
+	     krb5_boolean short_flag)
+{
+    size_t len = 0, plen;
+    int i;
+    krb5_error_code ret;
+    /* count length */
+    plen = strlen(princ_realm(principal));
+    if(strcspn(princ_realm(principal), quotable_chars) == plen)
+	len += plen;
+    else
+	len += 2*plen;
+    len++;
+    for(i = 0; i < princ_num_comp(principal); i++){
+	plen = strlen(princ_ncomp(principal, i));
+	if(strcspn(princ_ncomp(principal, i), quotable_chars) == plen)
+	    len += plen;
+	else
+	    len += 2*plen;
+	len++;
+    }
+    *name = malloc(len);
+    if(len != 0 && *name == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    ret = unparse_name_fixed(context, principal, *name, len, short_flag);
+    if(ret)
+	free(*name);
+    return ret;
+}
+
+krb5_error_code
+krb5_unparse_name(krb5_context context,
+		  krb5_const_principal principal,
+		  char **name)
+{
+    return unparse_name(context, principal, name, FALSE);
+}
+
+krb5_error_code
+krb5_unparse_name_short(krb5_context context,
+			krb5_const_principal principal,
+			char **name)
+{
+    return unparse_name(context, principal, name, TRUE);
+}
+
+#if 0 /* not implemented */
+
+krb5_error_code
+krb5_unparse_name_ext(krb5_context context,
+		      krb5_const_principal principal,
+		      char **name,
+		      size_t *size)
+{
+    krb5_abortx(context, "unimplemented krb5_unparse_name_ext called");
+}
+
+#endif
+
+krb5_realm*
+krb5_princ_realm(krb5_context context,
+		 krb5_principal principal)
+{
+    return &princ_realm(principal);
+}
+
+
+void
+krb5_princ_set_realm(krb5_context context,
+		     krb5_principal principal,
+		     krb5_realm *realm)
+{
+    princ_realm(principal) = *realm;
+}
+
+
+krb5_error_code
+krb5_build_principal(krb5_context context,
+		     krb5_principal *principal,
+		     int rlen,
+		     krb5_const_realm realm,
+		     ...)
+{
+    krb5_error_code ret;
+    va_list ap;
+    va_start(ap, realm);
+    ret = krb5_build_principal_va(context, principal, rlen, realm, ap);
+    va_end(ap);
+    return ret;
+}
+
+static krb5_error_code
+append_component(krb5_context context, krb5_principal p, 
+		 const char *comp,
+		 size_t comp_len)
+{
+    general_string *tmp;
+    size_t len = princ_num_comp(p);
+
+    tmp = realloc(princ_comp(p), (len + 1) * sizeof(*tmp));
+    if(tmp == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    princ_comp(p) = tmp;
+    princ_ncomp(p, len) = malloc(comp_len + 1);
+    if (princ_ncomp(p, len) == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    memcpy (princ_ncomp(p, len), comp, comp_len);
+    princ_ncomp(p, len)[comp_len] = '\0';
+    princ_num_comp(p)++;
+    return 0;
+}
+
+static void
+va_ext_princ(krb5_context context, krb5_principal p, va_list ap)
+{
+    while(1){
+	const char *s;
+	int len;
+	len = va_arg(ap, int);
+	if(len == 0)
+	    break;
+	s = va_arg(ap, const char*);
+	append_component(context, p, s, len);
+    }
+}
+
+static void
+va_princ(krb5_context context, krb5_principal p, va_list ap)
+{
+    while(1){
+	const char *s;
+	s = va_arg(ap, const char*);
+	if(s == NULL)
+	    break;
+	append_component(context, p, s, strlen(s));
+    }
+}
+
+
+static krb5_error_code
+build_principal(krb5_context context,
+		krb5_principal *principal,
+		int rlen,
+		krb5_const_realm realm,
+		void (*func)(krb5_context, krb5_principal, va_list),
+		va_list ap)
+{
+    krb5_principal p;
+  
+    p = calloc(1, sizeof(*p));
+    if (p == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    princ_type(p) = KRB5_NT_PRINCIPAL;
+
+    princ_realm(p) = strdup(realm);
+    if(p->realm == NULL){
+	free(p);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+  
+    (*func)(context, p, ap);
+    *principal = p;
+    return 0;
+}
+
+krb5_error_code
+krb5_make_principal(krb5_context context,
+		    krb5_principal *principal,
+		    krb5_const_realm realm,
+		    ...)
+{
+    krb5_error_code ret;
+    krb5_realm r = NULL;
+    va_list ap;
+    if(realm == NULL) {
+	ret = krb5_get_default_realm(context, &r);
+	if(ret)
+	    return ret;
+	realm = r;
+    }
+    va_start(ap, realm);
+    ret = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
+    va_end(ap);
+    if(r)
+	free(r);
+    return ret;
+}
+
+krb5_error_code
+krb5_build_principal_va(krb5_context context, 
+			krb5_principal *principal, 
+			int rlen,
+			krb5_const_realm realm,
+			va_list ap)
+{
+    return build_principal(context, principal, rlen, realm, va_princ, ap);
+}
+
+krb5_error_code
+krb5_build_principal_va_ext(krb5_context context, 
+			    krb5_principal *principal, 
+			    int rlen,
+			    krb5_const_realm realm,
+			    va_list ap)
+{
+    return build_principal(context, principal, rlen, realm, va_ext_princ, ap);
+}
+
+
+krb5_error_code
+krb5_build_principal_ext(krb5_context context,
+			 krb5_principal *principal,
+			 int rlen,
+			 krb5_const_realm realm,
+			 ...)
+{
+    krb5_error_code ret;
+    va_list ap;
+    va_start(ap, realm);
+    ret = krb5_build_principal_va_ext(context, principal, rlen, realm, ap);
+    va_end(ap);
+    return ret;
+}
+
+
+krb5_error_code
+krb5_copy_principal(krb5_context context,
+		    krb5_const_principal inprinc,
+		    krb5_principal *outprinc)
+{
+    krb5_principal p = malloc(sizeof(*p));
+    if (p == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    if(copy_Principal(inprinc, p)) {
+	free(p);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    *outprinc = p;
+    return 0;
+}
+
+/*
+ * return TRUE iff princ1 == princ2 (without considering the realm)
+ */
+
+krb5_boolean
+krb5_principal_compare_any_realm(krb5_context context,
+				 krb5_const_principal princ1,
+				 krb5_const_principal princ2)
+{
+    int i;
+    if(princ_num_comp(princ1) != princ_num_comp(princ2))
+	return FALSE;
+    for(i = 0; i < princ_num_comp(princ1); i++){
+	if(strcmp(princ_ncomp(princ1, i), princ_ncomp(princ2, i)) != 0)
+	    return FALSE;
+    }
+    return TRUE;
+}
+
+/*
+ * return TRUE iff princ1 == princ2
+ */
+
+krb5_boolean
+krb5_principal_compare(krb5_context context,
+		       krb5_const_principal princ1,
+		       krb5_const_principal princ2)
+{
+    if(!krb5_realm_compare(context, princ1, princ2))
+	return FALSE;
+    return krb5_principal_compare_any_realm(context, princ1, princ2);
+}
+
+/*
+ * return TRUE iff realm(princ1) == realm(princ2)
+ */
+
+krb5_boolean
+krb5_realm_compare(krb5_context context,
+		   krb5_const_principal princ1,
+		   krb5_const_principal princ2)
+{
+    return strcmp(princ_realm(princ1), princ_realm(princ2)) == 0;
+}
+
+/*
+ * return TRUE iff princ matches pattern
+ */
+
+krb5_boolean
+krb5_principal_match(krb5_context context,
+		     krb5_const_principal princ,
+		     krb5_const_principal pattern)
+{
+    int i;
+    if(princ_num_comp(princ) != princ_num_comp(pattern))
+	return FALSE;
+    if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0)
+	return FALSE;
+    for(i = 0; i < princ_num_comp(princ); i++){
+	if(fnmatch(princ_ncomp(pattern, i), princ_ncomp(princ, i), 0) != 0)
+	    return FALSE;
+    }
+    return TRUE;
+}
+
+
+struct v4_name_convert {
+    const char *from;
+    const char *to; 
+} default_v4_name_convert[] = {
+    { "ftp",	"ftp" },
+    { "hprop",	"hprop" },
+    { "pop",	"pop" },
+    { "imap",	"imap" },
+    { "rcmd",	"host" },
+    { NULL, NULL }
+};
+
+/*
+ * return the converted instance name of `name' in `realm'.
+ * look in the configuration file and then in the default set above.
+ * return NULL if no conversion is appropriate.
+ */
+
+static const char*
+get_name_conversion(krb5_context context, const char *realm, const char *name)
+{
+    struct v4_name_convert *q;
+    const char *p;
+
+    p = krb5_config_get_string(context, NULL, "realms", realm,
+			       "v4_name_convert", "host", name, NULL);
+    if(p == NULL)
+	p = krb5_config_get_string(context, NULL, "libdefaults", 
+				   "v4_name_convert", "host", name, NULL);
+    if(p)
+	return p;
+
+    /* XXX should be possible to override default list */
+    p = krb5_config_get_string(context, NULL,
+			       "realms",
+			       realm,
+			       "v4_name_convert",
+			       "plain",
+			       name,
+			       NULL);
+    if(p)
+	return NULL;
+    p = krb5_config_get_string(context, NULL,
+			       "libdefaults",
+			       "v4_name_convert",
+			       "plain",
+			       name,
+			       NULL);
+    if(p)
+	return NULL;
+    for(q = default_v4_name_convert; q->from; q++)
+	if(strcmp(q->from, name) == 0)
+	    return q->to;
+    return NULL;
+}
+
+/*
+ * convert the v4 principal `name.instance@realm' to a v5 principal in `princ'.
+ * if `resolve', use DNS.
+ * if `func', use that function for validating the conversion
+ */
+
+krb5_error_code
+krb5_425_conv_principal_ext(krb5_context context,
+			    const char *name,
+			    const char *instance,
+			    const char *realm,
+			    krb5_boolean (*func)(krb5_context, krb5_principal),
+			    krb5_boolean resolve,
+			    krb5_principal *princ)
+{
+    const char *p;
+    krb5_error_code ret;
+    krb5_principal pr;
+    char host[MAXHOSTNAMELEN];
+
+    /* do the following: if the name is found in the
+       `v4_name_convert:host' part, is is assumed to be a `host' type
+       principal, and the instance is looked up in the
+       `v4_instance_convert' part. if not found there the name is
+       (optionally) looked up as a hostname, and if that doesn't yield
+       anything, the `default_domain' is appended to the instance
+       */
+
+    if(instance == NULL)
+	goto no_host;
+    if(instance[0] == 0){
+	instance = NULL;
+	goto no_host;
+    }
+    p = get_name_conversion(context, realm, name);
+    if(p == NULL)
+	goto no_host;
+    name = p;
+    p = krb5_config_get_string(context, NULL, "realms", realm, 
+			       "v4_instance_convert", instance, NULL);
+    if(p){
+	instance = p;
+	ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
+	if(func == NULL || (*func)(context, pr)){
+	    *princ = pr;
+	    return 0;
+	}
+	krb5_free_principal(context, pr);
+	*princ = NULL;
+	krb5_clear_error_string (context);
+	return HEIM_ERR_V4_PRINC_NO_CONV;
+    }
+    if(resolve){
+	const char *inst = NULL;
+#ifdef USE_RESOLVER
+	struct dns_reply *r;
+	r = dns_lookup(instance, "a");
+	if(r && r->head && r->head->type == T_A)
+	    inst = r->head->domain;
+#else
+	struct hostent *hp = roken_gethostbyname(instance);
+	if(hp)
+	    inst = hp->h_name;
+#endif
+	if(inst) {
+	    char *low_inst = strdup(inst);
+
+	    if (low_inst == NULL) {
+#ifdef USE_RESOLVER
+		dns_free_data(r);
+#endif
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
+	    ret = krb5_make_principal(context, &pr, realm, name, low_inst,
+				      NULL);
+	    free (low_inst);
+	    if(ret == 0) {
+		if(func == NULL || (*func)(context, pr)){
+		    *princ = pr;
+#ifdef USE_RESOLVER
+		    dns_free_data(r);
+#endif
+		    return 0;
+		}
+		krb5_free_principal(context, pr);
+	    }
+	}
+#ifdef USE_RESOLVER
+	if(r) 
+	    dns_free_data(r);
+#endif
+    }
+    {
+	char **domains, **d;
+	domains = krb5_config_get_strings(context, NULL, "realms", realm,
+					  "v4_domains", NULL);
+	for(d = domains; d && *d; d++){
+	    snprintf(host, sizeof(host), "%s.%s", instance, *d);
+	    ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
+	    if(func == NULL || (*func)(context, pr)){
+		*princ = pr;
+		krb5_config_free_strings(domains);
+		return 0;
+	    }
+	    krb5_free_principal(context, pr);
+	}
+	krb5_config_free_strings(domains);
+    }
+    
+    
+    p = krb5_config_get_string(context, NULL, "realms", realm, 
+			       "default_domain", NULL);
+    if(p == NULL){
+	/* this should be an error, just faking a name is not good */
+	krb5_clear_error_string (context);
+	return HEIM_ERR_V4_PRINC_NO_CONV;
+    }
+	
+    if (*p == '.')
+	++p;
+    snprintf(host, sizeof(host), "%s.%s", instance, p);
+    ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
+    if(func == NULL || (*func)(context, pr)){
+	*princ = pr;
+	return 0;
+    }
+    krb5_free_principal(context, pr);
+    krb5_clear_error_string (context);
+    return HEIM_ERR_V4_PRINC_NO_CONV;
+no_host:
+    p = krb5_config_get_string(context, NULL,
+			       "realms",
+			       realm,
+			       "v4_name_convert",
+			       "plain",
+			       name,
+			       NULL);
+    if(p == NULL)
+	p = krb5_config_get_string(context, NULL,
+				   "libdefaults",
+				   "v4_name_convert",
+				   "plain",
+				   name,
+				   NULL);
+    if(p)
+	name = p;
+    
+    ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
+    if(func == NULL || (*func)(context, pr)){
+	*princ = pr;
+	return 0;
+    }
+    krb5_free_principal(context, pr);
+    krb5_clear_error_string (context);
+    return HEIM_ERR_V4_PRINC_NO_CONV;
+}
+
+krb5_error_code
+krb5_425_conv_principal(krb5_context context,
+			const char *name,
+			const char *instance,
+			const char *realm,
+			krb5_principal *princ)
+{
+    krb5_boolean resolve = krb5_config_get_bool(context,
+						NULL,
+						"libdefaults", 
+						"v4_instance_resolve", 
+						NULL);
+
+    return krb5_425_conv_principal_ext(context, name, instance, realm, 
+				       NULL, resolve, princ);
+}
+
+
+static int
+check_list(const krb5_config_binding *l, const char *name, const char **out)
+{
+    while(l){
+	if (l->type != krb5_config_string)
+	    continue;
+	if(strcmp(name, l->u.string) == 0) {
+	    *out = l->name;
+	    return 1;
+	}
+	l = l->next;
+    }
+    return 0;
+}
+
+static int
+name_convert(krb5_context context, const char *name, const char *realm, 
+	     const char **out)
+{
+    const krb5_config_binding *l;
+    l = krb5_config_get_list (context,
+			      NULL,
+			      "realms",
+			      realm,
+			      "v4_name_convert",
+			      "host",
+			      NULL);
+    if(l && check_list(l, name, out))
+	return KRB5_NT_SRV_HST;
+    l = krb5_config_get_list (context,
+			      NULL,
+			      "libdefaults",
+			      "v4_name_convert",
+			      "host",
+			      NULL);
+    if(l && check_list(l, name, out))
+	return KRB5_NT_SRV_HST;
+    l = krb5_config_get_list (context,
+			      NULL,
+			      "realms",
+			      realm,
+			      "v4_name_convert",
+			      "plain",
+			      NULL);
+    if(l && check_list(l, name, out))
+	return KRB5_NT_UNKNOWN;
+    l = krb5_config_get_list (context,
+			      NULL,
+			      "libdefaults",
+			      "v4_name_convert",
+			      "host",
+			      NULL);
+    if(l && check_list(l, name, out))
+	return KRB5_NT_UNKNOWN;
+    
+    /* didn't find it in config file, try built-in list */
+    {
+	struct v4_name_convert *q;
+	for(q = default_v4_name_convert; q->from; q++) {
+	    if(strcmp(name, q->to) == 0) {
+		*out = q->from;
+		return KRB5_NT_SRV_HST;
+	    }
+	}
+    }
+    return -1;
+}
+
+/*
+ * convert the v5 principal in `principal' into a v4 corresponding one
+ * in `name, instance, realm'
+ * this is limited interface since there's no length given for these
+ * three parameters.  They have to be 40 bytes each (ANAME_SZ).
+ */
+
+krb5_error_code
+krb5_524_conv_principal(krb5_context context,
+			const krb5_principal principal,
+			char *name, 
+			char *instance,
+			char *realm)
+{
+    const char *n, *i, *r;
+    char tmpinst[40];
+    int type = princ_type(principal);
+    const int aname_sz = 40;
+
+    r = principal->realm;
+
+    switch(principal->name.name_string.len){
+    case 1:
+	n = principal->name.name_string.val[0];
+	i = "";
+	break;
+    case 2:
+	n = principal->name.name_string.val[0];
+	i = principal->name.name_string.val[1];
+	break;
+    default:
+	krb5_set_error_string (context,
+			       "cannot convert a %d component principal",
+			       principal->name.name_string.len);
+	return KRB5_PARSE_MALFORMED;
+    }
+
+    {
+	const char *tmp;
+	int t = name_convert(context, n, r, &tmp);
+	if(t >= 0) {
+	    type = t;
+	    n = tmp;
+	}
+    }
+
+    if(type == KRB5_NT_SRV_HST){
+	char *p;
+
+	strlcpy (tmpinst, i, sizeof(tmpinst));
+	p = strchr(tmpinst, '.');
+	if(p)
+	    *p = 0;
+	i = tmpinst;
+    }
+    
+    if (strlcpy (name, n, aname_sz) >= aname_sz) {
+	krb5_set_error_string (context,
+			       "too long name component to convert");
+	return KRB5_PARSE_MALFORMED;
+    }
+    if (strlcpy (instance, i, aname_sz) >= aname_sz) {
+	krb5_set_error_string (context,
+			       "too long instance component to convert");
+	return KRB5_PARSE_MALFORMED;
+    }
+    if (strlcpy (realm, r, aname_sz) >= aname_sz) {
+	krb5_set_error_string (context,
+			       "too long realm component to convert");
+	return KRB5_PARSE_MALFORMED;
+    }
+    return 0;
+}
+
+/*
+ * Create a principal in `ret_princ' for the service `sname' running
+ * on host `hostname'.  */
+			
+krb5_error_code
+krb5_sname_to_principal (krb5_context context,
+			 const char *hostname,
+			 const char *sname,
+			 int32_t type,
+			 krb5_principal *ret_princ)
+{
+    krb5_error_code ret;
+    char localhost[MAXHOSTNAMELEN];
+    char **realms, *host = NULL;
+	
+    if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) {
+	krb5_set_error_string (context, "unsupported name type %d",
+			       type);
+	return KRB5_SNAME_UNSUPP_NAMETYPE;
+    }
+    if(hostname == NULL) {
+	gethostname(localhost, sizeof(localhost));
+	hostname = localhost;
+    }
+    if(sname == NULL)
+	sname = "host";
+    if(type == KRB5_NT_SRV_HST) {
+	ret = krb5_expand_hostname_realms (context, hostname,
+					   &host, &realms);
+	if (ret)
+	    return ret;
+	strlwr(host);
+	hostname = host;
+    } else {
+	ret = krb5_get_host_realm(context, hostname, &realms);
+	if(ret)
+	    return ret;
+    }
+
+    ret = krb5_make_principal(context, ret_princ, realms[0], sname,
+			      hostname, NULL);
+    if(host)
+	free(host);
+    krb5_free_host_realm(context, realms);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/prog_setup.c b/crypto/heimdal/lib/krb5/prog_setup.c
new file mode 100644
index 0000000..3f5efb6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/prog_setup.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <getarg.h>
+#include <err.h>
+
+RCSID("$Id: prog_setup.c,v 1.9 2001/02/20 01:44:54 assar Exp $");
+
+void
+krb5_std_usage(int code, struct getargs *args, int num_args)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit(code);
+}
+
+int
+krb5_program_setup(krb5_context *context, int argc, char **argv,
+		   struct getargs *args, int num_args, 
+		   void (*usage)(int, struct getargs*, int))
+{
+    krb5_error_code ret;
+    int optind = 0;
+
+    if(usage == NULL)
+	usage = krb5_std_usage;
+
+    setprogname(argv[0]);
+    ret = krb5_init_context(context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+    
+    if(getarg(args, num_args, argc, argv, &optind))
+	(*usage)(1, args, num_args);
+    return optind;
+}
diff --git a/crypto/heimdal/lib/krb5/prompter_posix.c b/crypto/heimdal/lib/krb5/prompter_posix.c
new file mode 100644
index 0000000..4b9c573
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/prompter_posix.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: prompter_posix.c,v 1.6 2001/05/11 20:26:49 assar Exp $");
+
+int
+krb5_prompter_posix (krb5_context context,
+		     void *data,
+		     const char *name,
+		     const char *banner,
+		     int num_prompts,
+		     krb5_prompt prompts[])
+{
+    int i;
+
+    if (name)
+	fprintf (stderr, "%s\n", name);
+    if (banner)
+	fprintf (stderr, "%s\n", banner);
+    for (i = 0; i < num_prompts; ++i) {
+	if (prompts[i].hidden) {
+	    if(des_read_pw_string(prompts[i].reply->data,
+				  prompts[i].reply->length,
+				  prompts[i].prompt,
+				  0))
+	       return 1;
+	} else {
+	    char *s = prompts[i].reply->data;
+
+	    fputs (prompts[i].prompt, stdout);
+	    fflush (stdout);
+	    if(fgets(prompts[i].reply->data,
+		     prompts[i].reply->length,
+		     stdin) == NULL)
+		return 1;
+	    if(s[strlen(s) - 1] == '\n')
+		s[strlen(s) - 1] = '\0';
+	}
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/rd_cred.c b/crypto/heimdal/lib/krb5/rd_cred.c
new file mode 100644
index 0000000..c7729b1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_cred.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: rd_cred.c,v 1.14 2001/05/14 06:14:50 assar Exp $");
+
+krb5_error_code
+krb5_rd_cred(krb5_context context,
+	     krb5_auth_context auth_context,
+	     krb5_data *in_data,
+	     krb5_creds ***ret_creds,
+	     krb5_replay_data *out_data)
+{
+    krb5_error_code ret;
+    size_t len;
+    KRB_CRED cred;
+    EncKrbCredPart enc_krb_cred_part;
+    krb5_data enc_krb_cred_part_data;
+    krb5_crypto crypto;
+    int i;
+
+    *ret_creds = NULL;
+
+    ret = decode_KRB_CRED(in_data->data, in_data->length, 
+			  &cred, &len);
+    if(ret)
+	return ret;
+
+    if (cred.pvno != 5) {
+	ret = KRB5KRB_AP_ERR_BADVERSION;
+	krb5_clear_error_string (context);
+	goto out;
+    }
+
+    if (cred.msg_type != krb_cred) {
+	ret = KRB5KRB_AP_ERR_MSG_TYPE;
+	krb5_clear_error_string (context);
+	goto out;
+    }
+
+    if (cred.enc_part.etype == ETYPE_NULL) {  
+       /* DK: MIT GSS-API Compatibility */
+       enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
+       enc_krb_cred_part_data.data   = cred.enc_part.cipher.data;
+    } else {
+	if (auth_context->remote_subkey)
+	    ret = krb5_crypto_init(context, auth_context->remote_subkey,
+				   0, &crypto);
+	else
+	    ret = krb5_crypto_init(context, auth_context->keyblock,
+				   0, &crypto);
+          /* DK: MIT rsh */
+
+	if (ret)
+	    goto out;
+       
+	ret = krb5_decrypt_EncryptedData(context,
+					 crypto,
+					 KRB5_KU_KRB_CRED,
+					 &cred.enc_part,
+					 &enc_krb_cred_part_data);
+       
+	krb5_crypto_destroy(context, crypto);
+	if (ret)
+	    goto out;
+    }
+
+    ret = krb5_decode_EncKrbCredPart (context,
+				      enc_krb_cred_part_data.data,
+				      enc_krb_cred_part_data.length,
+				      &enc_krb_cred_part,
+				      &len);
+    if (ret)
+	goto out;
+
+    /* check sender address */
+
+    if (enc_krb_cred_part.s_address
+	&& auth_context->remote_address
+	&& auth_context->remote_port) {
+	krb5_address *a;
+	int cmp;
+
+	ret = krb5_make_addrport (context, &a,
+				  auth_context->remote_address,
+				  auth_context->remote_port);
+	if (ret)
+	    goto out;
+
+
+	cmp = krb5_address_compare (context,
+				    a,
+				    enc_krb_cred_part.s_address);
+
+	krb5_free_address (context, a);
+	free (a);
+
+	if (cmp == 0) {
+	    krb5_clear_error_string (context);
+	    ret = KRB5KRB_AP_ERR_BADADDR;
+	    goto out;
+	}
+    }
+
+    /* check receiver address */
+
+    if (enc_krb_cred_part.r_address
+	&& auth_context->local_address
+	&& !krb5_address_compare (context,
+				  auth_context->local_address,
+				  enc_krb_cred_part.r_address)) {
+	krb5_clear_error_string (context);
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	goto out;
+    }
+
+    /* check timestamp */
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+	krb5_timestamp sec;
+
+	krb5_timeofday (context, &sec);
+
+	if (enc_krb_cred_part.timestamp == NULL ||
+	    enc_krb_cred_part.usec      == NULL ||
+	    abs(*enc_krb_cred_part.timestamp - sec)
+	    > context->max_skew) {
+	    krb5_clear_error_string (context);
+	    ret = KRB5KRB_AP_ERR_SKEW;
+	    goto out;
+	}
+    }
+
+    if(out_data != NULL) {
+	if(enc_krb_cred_part.timestamp)
+	    out_data->timestamp = *enc_krb_cred_part.timestamp;
+	else 
+	    out_data->timestamp = 0;
+	if(enc_krb_cred_part.usec)
+	    out_data->usec = *enc_krb_cred_part.usec;
+	else 
+	    out_data->usec = 0;
+	if(enc_krb_cred_part.nonce)
+	    out_data->seq = *enc_krb_cred_part.nonce;
+	else 
+	    out_data->seq = 0;
+    }
+    
+    /* Convert to NULL terminated list of creds */
+
+    *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1, 
+		       sizeof(**ret_creds));
+
+    for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) {
+	KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i];
+	krb5_creds *creds;
+	u_char buf[1024];
+	size_t len;
+
+	creds = calloc(1, sizeof(*creds));
+	if(creds == NULL) {
+	    ret = ENOMEM;
+	    krb5_set_error_string (context, "malloc: out of memory");
+	    goto out;
+	}
+
+	ret = encode_Ticket (buf + sizeof(buf) - 1, sizeof(buf),
+			     &cred.tickets.val[i],
+			     &len);
+	if (ret)
+	    goto out;
+	krb5_data_copy (&creds->ticket, buf + sizeof(buf) - len, len);
+	copy_EncryptionKey (&kci->key, &creds->session);
+	if (kci->prealm && kci->pname)
+	    principalname2krb5_principal (&creds->client,
+					  *kci->pname,
+					  *kci->prealm);
+	if (kci->flags)
+	    creds->flags.b = *kci->flags;
+	if (kci->authtime)
+	    creds->times.authtime = *kci->authtime;
+	if (kci->starttime)
+	    creds->times.starttime = *kci->starttime;
+	if (kci->endtime)
+	    creds->times.endtime = *kci->endtime;
+	if (kci->renew_till)
+	    creds->times.renew_till = *kci->renew_till;
+	if (kci->srealm && kci->sname)
+	    principalname2krb5_principal (&creds->server,
+					  *kci->sname,
+					  *kci->srealm);
+	if (kci->caddr)
+	    krb5_copy_addresses (context,
+				 kci->caddr,
+				 &creds->addresses);
+	
+	(*ret_creds)[i] = creds;
+	
+    }
+    (*ret_creds)[i] = NULL;
+    return 0;
+
+out:
+    free_KRB_CRED (&cred);
+    if(*ret_creds) {
+	for(i = 0; (*ret_creds)[i]; i++)
+	    krb5_free_creds(context, (*ret_creds)[i]);
+	free(*ret_creds);
+    }
+    return ret;
+}
+
+krb5_error_code
+krb5_rd_cred2 (krb5_context      context,
+	       krb5_auth_context auth_context,
+	       krb5_ccache       ccache,
+	       krb5_data         *in_data)
+{
+    krb5_error_code ret;
+    krb5_creds **creds;
+    int i;
+
+    ret = krb5_rd_cred(context, auth_context, in_data, &creds, NULL);
+    if(ret)
+	return ret;
+
+    /* Store the creds in the ccache */
+
+    for(i = 0; creds && creds[i]; i++) {
+	krb5_cc_store_cred(context, ccache, creds[i]);
+	krb5_free_creds(context, creds[i]);
+    }
+    free(creds);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/rd_error.c b/crypto/heimdal/lib/krb5/rd_error.c
new file mode 100644
index 0000000..ca02f3d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_error.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: rd_error.c,v 1.6 2001/05/15 06:35:10 assar Exp $");
+
+krb5_error_code
+krb5_rd_error(krb5_context context,
+	      krb5_data *msg,
+	      KRB_ERROR *result)
+{
+    
+    size_t len;
+    krb5_error_code ret;
+
+    ret = decode_KRB_ERROR(msg->data, msg->length, result, &len);
+    if(ret)
+	return ret;
+    result->error_code += KRB5KDC_ERR_NONE;
+    return 0;
+}
+
+void
+krb5_free_error_contents (krb5_context context,
+			  krb5_error *error)
+{
+    free_KRB_ERROR(error);
+}
+
+void
+krb5_free_error (krb5_context context,
+		 krb5_error *error)
+{
+    krb5_free_error_contents (context, error);
+    free (error);
+}
+
+krb5_error_code
+krb5_error_from_rd_error(krb5_context context,
+			 const krb5_error *error,
+			 const krb5_creds *creds)
+{
+    krb5_error_code ret;
+
+    ret = error->error_code;
+    if (error->e_text != NULL) {
+	krb5_set_error_string(context, "%s", *error->e_text);
+    } else {
+	char clientname[256], servername[256];
+
+	if (creds != NULL) {
+	    krb5_unparse_name_fixed(context, creds->client,
+				    clientname, sizeof(clientname));
+	    krb5_unparse_name_fixed(context, creds->server,
+				    servername, sizeof(servername));
+	}
+
+	switch (ret) {
+	case KRB5KDC_ERR_NAME_EXP :
+	    krb5_set_error_string(context, "Client %s%s%s expired",
+				  creds ? "(" : "",
+				  creds ? clientname : "",
+				  creds ? ")" : "");
+	    break;
+	case KRB5KDC_ERR_SERVICE_EXP :
+	    krb5_set_error_string(context, "Server %s%s%s expired",
+				  creds ? "(" : "",
+				  creds ? servername : "",
+				  creds ? ")" : "");
+	    break;
+	case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN :
+	    krb5_set_error_string(context, "Client %s%s%s unknown",
+				  creds ? "(" : "",
+				  creds ? clientname : "",
+				  creds ? ")" : "");
+	    break;
+	case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN :
+	    krb5_set_error_string(context, "Server %s%s%s unknown",
+				  creds ? "(" : "",
+				  creds ? servername : "",
+				  creds ? ")" : "");
+	    break;
+	default :
+	    krb5_clear_error_string(context);
+	    break;
+	}
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/rd_priv.c b/crypto/heimdal/lib/krb5/rd_priv.c
new file mode 100644
index 0000000..1447c14
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_priv.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: rd_priv.c,v 1.28 2001/05/14 06:14:50 assar Exp $");
+
+krb5_error_code
+krb5_rd_priv(krb5_context context,
+	     krb5_auth_context auth_context,
+	     const krb5_data *inbuf,
+	     krb5_data *outbuf,
+	     /*krb5_replay_data*/ void *outdata)
+{
+  krb5_error_code ret;
+  KRB_PRIV priv;
+  EncKrbPrivPart part;
+  size_t len;
+  krb5_data plain;
+  krb5_keyblock *key;
+  krb5_crypto crypto;
+
+  memset(&priv, 0, sizeof(priv));
+  ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
+  if (ret) 
+      goto failure;
+  if (priv.pvno != 5) {
+      krb5_clear_error_string (context);
+      ret = KRB5KRB_AP_ERR_BADVERSION;
+      goto failure;
+  }
+  if (priv.msg_type != krb_priv) {
+      krb5_clear_error_string (context);
+      ret = KRB5KRB_AP_ERR_MSG_TYPE;
+      goto failure;
+  }
+
+  /* XXX - Is this right? */
+
+  if (auth_context->local_subkey)
+      key = auth_context->local_subkey;
+  else if (auth_context->remote_subkey)
+      key = auth_context->remote_subkey;
+  else
+      key = auth_context->keyblock;
+
+  ret = krb5_crypto_init(context, key, 0, &crypto);
+  if (ret)
+      goto failure;
+  ret = krb5_decrypt_EncryptedData(context,
+				   crypto,
+				   KRB5_KU_KRB_PRIV,
+				   &priv.enc_part,
+				   &plain);
+  krb5_crypto_destroy(context, crypto);
+  if (ret) 
+      goto failure;
+
+  ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len);
+  krb5_data_free (&plain);
+  if (ret) 
+      goto failure;
+  
+  /* check sender address */
+
+  if (part.s_address
+      && auth_context->remote_address
+      && !krb5_address_compare (context,
+				auth_context->remote_address,
+				part.s_address)) {
+      krb5_clear_error_string (context);
+      ret = KRB5KRB_AP_ERR_BADADDR;
+      goto failure_part;
+  }
+
+  /* check receiver address */
+
+  if (part.r_address
+      && auth_context->local_address
+      && !krb5_address_compare (context,
+				auth_context->local_address,
+				part.r_address)) {
+      krb5_clear_error_string (context);
+      ret = KRB5KRB_AP_ERR_BADADDR;
+      goto failure_part;
+  }
+
+  /* check timestamp */
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+      krb5_timestamp sec;
+
+      krb5_timeofday (context, &sec);
+      if (part.timestamp == NULL ||
+	  part.usec      == NULL ||
+	  abs(*part.timestamp - sec) > context->max_skew) {
+	  krb5_clear_error_string (context);
+	  ret = KRB5KRB_AP_ERR_SKEW;
+	  goto failure_part;
+      }
+  }
+
+  /* XXX - check replay cache */
+
+  /* check sequence number. since MIT krb5 cannot generate a sequence
+     number of zero but instead generates no sequence number, we accept that
+  */
+
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+      if ((part.seq_number == NULL
+	   && auth_context->remote_seqnumber != 0)
+	  || (part.seq_number != NULL
+	      && *part.seq_number != auth_context->remote_seqnumber)) {
+	  krb5_clear_error_string (context);
+	  ret = KRB5KRB_AP_ERR_BADORDER;
+	  goto failure_part;
+      }
+      auth_context->remote_seqnumber++;
+  }
+
+  ret = krb5_data_copy (outbuf, part.user_data.data, part.user_data.length);
+  if (ret)
+      goto failure_part;
+
+  free_EncKrbPrivPart (&part);
+  free_KRB_PRIV (&priv);
+  return 0;
+
+failure_part:
+  free_EncKrbPrivPart (&part);
+
+failure:
+  free_KRB_PRIV (&priv);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/rd_rep.c b/crypto/heimdal/lib/krb5/rd_rep.c
new file mode 100644
index 0000000..7462b3d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_rep.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: rd_rep.c,v 1.21 2001/05/14 06:14:50 assar Exp $");
+
+krb5_error_code
+krb5_rd_rep(krb5_context context,
+	    krb5_auth_context auth_context,
+	    const krb5_data *inbuf,
+	    krb5_ap_rep_enc_part **repl)
+{
+  krb5_error_code ret;
+  AP_REP ap_rep;
+  size_t len;
+  krb5_data data;
+  krb5_crypto crypto;
+
+  krb5_data_zero (&data);
+  ret = 0;
+
+  ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len);
+  if (ret)
+      return ret;
+  if (ap_rep.pvno != 5) {
+    ret = KRB5KRB_AP_ERR_BADVERSION;
+    krb5_clear_error_string (context);
+    goto out;
+  }
+  if (ap_rep.msg_type != krb_ap_rep) {
+    ret = KRB5KRB_AP_ERR_MSG_TYPE;
+    krb5_clear_error_string (context);
+    goto out;
+  }
+
+  ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+  if (ret)
+      goto out;
+  ret = krb5_decrypt_EncryptedData (context, 
+				    crypto,	
+				    KRB5_KU_AP_REQ_ENC_PART,
+				    &ap_rep.enc_part,
+				    &data);
+  krb5_crypto_destroy(context, crypto);
+  if (ret)
+      goto out;
+
+  *repl = malloc(sizeof(**repl));
+  if (*repl == NULL) {
+    ret = ENOMEM;
+    krb5_set_error_string (context, "malloc: out of memory");
+    goto out;
+  }
+  ret = krb5_decode_EncAPRepPart(context,
+				 data.data,
+				 data.length,
+				 *repl, 
+				 &len);
+  if (ret)
+      return ret;
+  
+  if ((*repl)->ctime != auth_context->authenticator->ctime ||
+      (*repl)->cusec != auth_context->authenticator->cusec) {
+    ret = KRB5KRB_AP_ERR_MUT_FAIL;
+    krb5_clear_error_string (context);
+    goto out;
+  }
+  if ((*repl)->seq_number)
+    auth_context->remote_seqnumber = *((*repl)->seq_number);
+  
+out:
+  krb5_data_free (&data);
+  free_AP_REP (&ap_rep);
+  return ret;
+}
+
+void
+krb5_free_ap_rep_enc_part (krb5_context context,
+			   krb5_ap_rep_enc_part *val)
+{
+    free_EncAPRepPart (val);
+    free (val);
+}
diff --git a/crypto/heimdal/lib/krb5/rd_req.c b/crypto/heimdal/lib/krb5/rd_req.c
new file mode 100644
index 0000000..b7059e1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_req.c
@@ -0,0 +1,523 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: rd_req.c,v 1.45 2001/05/14 06:14:50 assar Exp $");
+
+static krb5_error_code
+decrypt_tkt_enc_part (krb5_context context,
+		      krb5_keyblock *key,
+		      EncryptedData *enc_part,
+		      EncTicketPart *decr_part)
+{
+    krb5_error_code ret;
+    krb5_data plain;
+    size_t len;
+    krb5_crypto crypto;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      KRB5_KU_TICKET,
+				      enc_part,
+				      &plain);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+	return ret;
+
+    ret = krb5_decode_EncTicketPart(context, plain.data, plain.length, 
+				    decr_part, &len);
+    krb5_data_free (&plain);
+    return ret;
+}
+
+static krb5_error_code
+decrypt_authenticator (krb5_context context,
+		       EncryptionKey *key,
+		       EncryptedData *enc_part,
+		       Authenticator *authenticator,
+		       krb5_key_usage usage)
+{
+    krb5_error_code ret;
+    krb5_data plain;
+    size_t len;
+    krb5_crypto crypto;
+
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+	return ret;
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      usage /* KRB5_KU_AP_REQ_AUTH */,
+				      enc_part,
+				      &plain);
+    /* for backwards compatibility, also try the old usage */
+    if (ret && usage == KRB5_KU_TGS_REQ_AUTH)
+	ret = krb5_decrypt_EncryptedData (context,
+					  crypto,
+					  KRB5_KU_AP_REQ_AUTH,
+					  enc_part,
+					  &plain);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+	return ret;
+
+    ret = krb5_decode_Authenticator(context, plain.data, plain.length, 
+				    authenticator, &len);
+    krb5_data_free (&plain);
+    return ret;
+}
+
+krb5_error_code
+krb5_decode_ap_req(krb5_context context,
+		   const krb5_data *inbuf,
+		   krb5_ap_req *ap_req)
+{
+    krb5_error_code ret;
+    size_t len;
+    ret = decode_AP_REQ(inbuf->data, inbuf->length, ap_req, &len);
+    if (ret)
+	return ret;
+    if (ap_req->pvno != 5){
+	free_AP_REQ(ap_req);
+	krb5_clear_error_string (context);
+	return KRB5KRB_AP_ERR_BADVERSION;
+    }
+    if (ap_req->msg_type != krb_ap_req){
+	free_AP_REQ(ap_req);
+	krb5_clear_error_string (context);
+	return KRB5KRB_AP_ERR_MSG_TYPE;
+    }
+    if (ap_req->ticket.tkt_vno != 5){
+	free_AP_REQ(ap_req);
+	krb5_clear_error_string (context);
+	return KRB5KRB_AP_ERR_BADVERSION;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_decrypt_ticket(krb5_context context,
+		    Ticket *ticket,
+		    krb5_keyblock *key,
+		    EncTicketPart *out,
+		    krb5_flags flags)
+{
+    EncTicketPart t;
+    krb5_error_code ret;
+    ret = decrypt_tkt_enc_part (context, key, &ticket->enc_part, &t);
+    if (ret)
+	return ret;
+    
+    {
+	krb5_timestamp now;
+	time_t start = t.authtime;
+
+	krb5_timeofday (context, &now);
+	if(t.starttime)
+	    start = *t.starttime;
+	if(start - now > context->max_skew
+	   || (t.flags.invalid
+	       && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))) {
+	    free_EncTicketPart(&t);
+	    krb5_clear_error_string (context);
+	    return KRB5KRB_AP_ERR_TKT_NYV;
+	}
+	if(now - t.endtime > context->max_skew) {
+	    free_EncTicketPart(&t);
+	    krb5_clear_error_string (context);
+	    return KRB5KRB_AP_ERR_TKT_EXPIRED;
+	}
+    }
+    
+    if(out)
+	*out = t;
+    else
+	free_EncTicketPart(&t);
+    return 0;
+}
+
+krb5_error_code
+krb5_verify_authenticator_checksum(krb5_context context,
+				   krb5_auth_context ac,
+				   void *data,
+				   size_t len)
+{
+    krb5_error_code ret;
+    krb5_keyblock *key;
+    krb5_authenticator authenticator;
+    krb5_crypto crypto;
+    
+    ret = krb5_auth_getauthenticator (context,
+				      ac,
+				      &authenticator);
+    if(ret)
+	return ret;
+    if(authenticator->cksum == NULL)
+	return -17;
+    ret = krb5_auth_con_getkey(context, ac, &key);
+    if(ret) {
+	krb5_free_authenticator(context, &authenticator);
+	return ret;
+    }
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if(ret)
+	goto out;
+    ret = krb5_verify_checksum (context,
+				crypto,
+				KRB5_KU_AP_REQ_AUTH_CKSUM,
+				data,
+				len,
+				authenticator->cksum);
+    krb5_crypto_destroy(context, crypto);
+out:
+    krb5_free_authenticator(context, &authenticator);
+    krb5_free_keyblock(context, key);
+    return ret;
+}
+
+#if 0
+static krb5_error_code
+check_transited(krb5_context context,
+		krb5_ticket *ticket)
+{
+    char **realms;
+    int num_realms;
+    krb5_error_code ret;
+
+    if(ticket->ticket.transited.tr_type != DOMAIN_X500_COMPRESS)
+	return KRB5KDC_ERR_TRTYPE_NOSUPP;
+
+    ret = krb5_domain_x500_decode(ticket->ticket.transited.contents, 
+				  &realms, &num_realms, 
+				  ticket->client->realm,
+				  ticket->server->realm);
+    if(ret)
+	return ret;
+    ret = krb5_check_transited_realms(context, realms, num_realms, NULL);
+    free(realms);
+    return ret;
+}
+#endif
+
+krb5_error_code
+krb5_verify_ap_req(krb5_context context,
+		   krb5_auth_context *auth_context,
+		   krb5_ap_req *ap_req,
+		   krb5_const_principal server,
+		   krb5_keyblock *keyblock,
+		   krb5_flags flags,
+		   krb5_flags *ap_req_options,
+		   krb5_ticket **ticket)
+{
+    return krb5_verify_ap_req2 (context,
+				auth_context,
+				ap_req,
+				server,
+				keyblock,
+				flags,
+				ap_req_options,
+				ticket,
+				KRB5_KU_AP_REQ_AUTH);
+}
+
+krb5_error_code
+krb5_verify_ap_req2(krb5_context context,
+		    krb5_auth_context *auth_context,
+		    krb5_ap_req *ap_req,
+		    krb5_const_principal server,
+		    krb5_keyblock *keyblock,
+		    krb5_flags flags,
+		    krb5_flags *ap_req_options,
+		    krb5_ticket **ticket,
+		    krb5_key_usage usage)
+{
+    krb5_ticket t;
+    krb5_auth_context ac;
+    krb5_error_code ret;
+    
+    if (auth_context && *auth_context) {
+	ac = *auth_context;
+    } else {
+	ret = krb5_auth_con_init (context, &ac);
+	if (ret)
+	    return ret;
+    }
+
+    if (ap_req->ap_options.use_session_key && ac->keyblock){
+	ret = krb5_decrypt_ticket(context, &ap_req->ticket, 
+				  ac->keyblock, 
+				  &t.ticket,
+				  flags);
+	krb5_free_keyblock(context, ac->keyblock);
+	ac->keyblock = NULL;
+    }else
+	ret = krb5_decrypt_ticket(context, &ap_req->ticket, 
+				  keyblock, 
+				  &t.ticket,
+				  flags);
+    
+    if(ret)
+	goto out;
+
+    principalname2krb5_principal(&t.server, ap_req->ticket.sname, 
+				 ap_req->ticket.realm);
+    principalname2krb5_principal(&t.client, t.ticket.cname, 
+				 t.ticket.crealm);
+
+    /* save key */
+
+    krb5_copy_keyblock(context, &t.ticket.key, &ac->keyblock);
+
+    ret = decrypt_authenticator (context,
+				 &t.ticket.key,
+				 &ap_req->authenticator,
+				 ac->authenticator,
+				 usage);
+    if (ret)
+	goto out2;
+
+    {
+	krb5_principal p1, p2;
+	krb5_boolean res;
+	
+	principalname2krb5_principal(&p1,
+				     ac->authenticator->cname,
+				     ac->authenticator->crealm);
+	principalname2krb5_principal(&p2, 
+				     t.ticket.cname,
+				     t.ticket.crealm);
+	res = krb5_principal_compare (context, p1, p2);
+	krb5_free_principal (context, p1);
+	krb5_free_principal (context, p2);
+	if (!res) {
+	    ret = KRB5KRB_AP_ERR_BADMATCH;
+	    krb5_clear_error_string (context);
+	    goto out2;
+	}
+    }
+
+    /* check addresses */
+
+    if (t.ticket.caddr
+	&& ac->remote_address
+	&& !krb5_address_search (context,
+				 ac->remote_address,
+				 t.ticket.caddr)) {
+	ret = KRB5KRB_AP_ERR_BADADDR;
+	krb5_clear_error_string (context);
+	goto out2;
+    }
+
+    if (ac->authenticator->seq_number)
+	ac->remote_seqnumber = *ac->authenticator->seq_number;
+
+    /* XXX - Xor sequence numbers */
+
+    /* XXX - subkeys? */
+    /* And where should it be stored? */
+
+    if (ac->authenticator->subkey) {
+	krb5_copy_keyblock(context, 
+			   ac->authenticator->subkey,
+			   &ac->remote_subkey);
+    }
+
+    if (ap_req_options) {
+	*ap_req_options = 0;
+	if (ap_req->ap_options.use_session_key)
+	    *ap_req_options |= AP_OPTS_USE_SESSION_KEY;
+	if (ap_req->ap_options.mutual_required)
+	    *ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
+    }
+
+    if(ticket){
+	*ticket = malloc(sizeof(**ticket));
+	**ticket = t;
+    } else
+	krb5_free_ticket (context, &t);
+    if (auth_context) {
+	if (*auth_context == NULL)
+	    *auth_context = ac;
+    } else
+	krb5_auth_con_free (context, ac);
+    return 0;
+ out2:
+    krb5_free_ticket (context, &t);
+ out:
+    if (auth_context == NULL || *auth_context == NULL)
+	krb5_auth_con_free (context, ac);
+    return ret;
+}
+		   
+
+krb5_error_code
+krb5_rd_req_with_keyblock(krb5_context context,
+			  krb5_auth_context *auth_context,
+			  const krb5_data *inbuf,
+			  krb5_const_principal server,
+			  krb5_keyblock *keyblock,
+			  krb5_flags *ap_req_options,
+			  krb5_ticket **ticket)
+{
+    krb5_error_code ret;
+    krb5_ap_req ap_req;
+
+    if (*auth_context == NULL) {
+	ret = krb5_auth_con_init(context, auth_context);
+	if (ret)
+	    return ret;
+    }
+
+    ret = krb5_decode_ap_req(context, inbuf, &ap_req);
+    if(ret)
+	return ret;
+
+    ret = krb5_verify_ap_req(context,
+			     auth_context,
+			     &ap_req,
+			     server,
+			     keyblock,
+			     0,
+			     ap_req_options,
+			     ticket);
+
+    free_AP_REQ(&ap_req);
+    return ret;
+}
+
+static krb5_error_code
+get_key_from_keytab(krb5_context context,
+		    krb5_auth_context *auth_context,
+		    krb5_ap_req *ap_req,
+		    krb5_const_principal server,
+		    krb5_keytab keytab,
+		    krb5_keyblock **out_key)
+{
+    krb5_keytab_entry entry;
+    krb5_error_code ret;
+    int kvno;
+    krb5_keytab real_keytab;
+
+    if(keytab == NULL)
+	krb5_kt_default(context, &real_keytab);
+    else
+	real_keytab = keytab;
+    
+    if (ap_req->ticket.enc_part.kvno)
+	kvno = *ap_req->ticket.enc_part.kvno;
+    else
+	kvno = 0;
+
+    ret = krb5_kt_get_entry (context,
+			     real_keytab,
+			     server,
+			     kvno,
+			     ap_req->ticket.enc_part.etype,
+			     &entry);
+    if(ret)
+	goto out;
+    ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
+    krb5_kt_free_entry (context, &entry);
+out:    
+    if(keytab == NULL)
+	krb5_kt_close(context, real_keytab);
+    
+    return ret;
+}
+
+krb5_error_code
+krb5_rd_req(krb5_context context,
+	    krb5_auth_context *auth_context,
+	    const krb5_data *inbuf,
+	    krb5_const_principal server,
+	    krb5_keytab keytab,
+	    krb5_flags *ap_req_options,
+	    krb5_ticket **ticket)
+{
+    krb5_error_code ret;
+    krb5_ap_req ap_req;
+    krb5_keyblock *keyblock = NULL;
+    krb5_principal service = NULL;
+
+    if (*auth_context == NULL) {
+	ret = krb5_auth_con_init(context, auth_context);
+	if (ret)
+	    return ret;
+    }
+
+    ret = krb5_decode_ap_req(context, inbuf, &ap_req);
+    if(ret)
+	return ret;
+
+    if(server == NULL){
+	principalname2krb5_principal(&service,
+				     ap_req.ticket.sname,
+				     ap_req.ticket.realm);
+	server = service;
+    }
+
+    if(ap_req.ap_options.use_session_key == 0 || 
+       (*auth_context)->keyblock == NULL){
+	ret = get_key_from_keytab(context, 
+				  auth_context, 
+				  &ap_req,
+				  server,
+				  keytab,
+				  &keyblock);
+	if(ret)
+	    goto out;
+    }
+	
+
+    ret = krb5_verify_ap_req(context,
+			     auth_context,
+			     &ap_req,
+			     server,
+			     keyblock,
+			     0,
+			     ap_req_options,
+			     ticket);
+
+    if(keyblock != NULL)
+	krb5_free_keyblock(context, keyblock);
+
+out:
+    free_AP_REQ(&ap_req);
+    if(service)
+	krb5_free_principal(context, service);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/rd_safe.c b/crypto/heimdal/lib/krb5/rd_safe.c
new file mode 100644
index 0000000..62d3646
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/rd_safe.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <krb5_locl.h>
+
+RCSID("$Id: rd_safe.c,v 1.24 2001/05/14 06:14:51 assar Exp $");
+
+static krb5_error_code
+verify_checksum(krb5_context context,
+		krb5_auth_context auth_context,
+		KRB_SAFE *safe)
+{
+    krb5_error_code ret;
+    u_char *buf;
+    size_t buf_size;
+    size_t len;
+    Checksum c;
+    krb5_crypto crypto;
+
+    c = safe->cksum;
+    safe->cksum.cksumtype       = 0;
+    safe->cksum.checksum.data   = NULL;
+    safe->cksum.checksum.length = 0;
+
+
+    buf_size = length_KRB_SAFE(safe);
+    buf = malloc(buf_size);
+
+    if (buf == NULL) {
+	ret = ENOMEM;
+	krb5_set_error_string (context, "malloc: out of memory");
+	goto out;
+    }
+
+    ret = encode_KRB_SAFE (buf + buf_size - 1,
+			   buf_size,
+			   safe,
+			   &len);
+    ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+    if (ret)
+	goto out;
+    ret = krb5_verify_checksum (context,
+				crypto,
+				KRB5_KU_KRB_SAFE_CKSUM,
+				buf + buf_size - len,
+				len,
+				&c);
+    krb5_crypto_destroy(context, crypto);
+out:
+    safe->cksum = c;
+    free (buf);
+    return ret;
+}
+
+krb5_error_code
+krb5_rd_safe(krb5_context context,
+	     krb5_auth_context auth_context,
+	     const krb5_data *inbuf,
+	     krb5_data *outbuf,
+	     /*krb5_replay_data*/ void *outdata)
+{
+  krb5_error_code ret;
+  KRB_SAFE safe;
+  size_t len;
+
+  ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len);
+  if (ret) 
+      return ret;
+  if (safe.pvno != 5) {
+      ret = KRB5KRB_AP_ERR_BADVERSION;
+      krb5_clear_error_string (context);
+      goto failure;
+  }
+  if (safe.msg_type != krb_safe) {
+      ret = KRB5KRB_AP_ERR_MSG_TYPE;
+      krb5_clear_error_string (context);
+      goto failure;
+  }
+  if (!krb5_checksum_is_keyed(context, safe.cksum.cksumtype)
+      || !krb5_checksum_is_collision_proof(context, safe.cksum.cksumtype)) {
+      ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+      krb5_clear_error_string (context);
+      goto failure;
+  }
+
+  /* check sender address */
+
+  if (safe.safe_body.s_address
+      && auth_context->remote_address
+      && !krb5_address_compare (context,
+				auth_context->remote_address,
+				safe.safe_body.s_address)) {
+      ret = KRB5KRB_AP_ERR_BADADDR;
+      krb5_clear_error_string (context);
+      goto failure;
+  }
+
+  /* check receiver address */
+
+  if (safe.safe_body.r_address
+      && auth_context->local_address
+      && !krb5_address_compare (context,
+				auth_context->local_address,
+				safe.safe_body.r_address)) {
+      ret = KRB5KRB_AP_ERR_BADADDR;
+      krb5_clear_error_string (context);
+      goto failure;
+  }
+
+  /* check timestamp */
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+      krb5_timestamp sec;
+
+      krb5_timeofday (context, &sec);
+
+      if (safe.safe_body.timestamp == NULL ||
+	  safe.safe_body.usec      == NULL ||
+	  abs(*safe.safe_body.timestamp - sec) > context->max_skew) {
+	  ret = KRB5KRB_AP_ERR_SKEW;
+	  krb5_clear_error_string (context);
+	  goto failure;
+      }
+  }
+  /* XXX - check replay cache */
+
+  /* check sequence number. since MIT krb5 cannot generate a sequence
+     number of zero but instead generates no sequence number, we accept that
+  */
+
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+      if ((safe.safe_body.seq_number == NULL
+	   && auth_context->remote_seqnumber != 0)
+	  || (safe.safe_body.seq_number != NULL
+	      && *safe.safe_body.seq_number !=
+	      auth_context->remote_seqnumber)) {
+	  ret = KRB5KRB_AP_ERR_BADORDER;
+	  krb5_clear_error_string (context);
+	  goto failure;
+      }
+      auth_context->remote_seqnumber++;
+  }
+
+  ret = verify_checksum (context, auth_context, &safe);
+  if (ret)
+      goto failure;
+  
+  outbuf->length = safe.safe_body.user_data.length;
+  outbuf->data   = malloc(outbuf->length);
+  if (outbuf->data == NULL) {
+      ret = ENOMEM;
+      krb5_set_error_string (context, "malloc: out of memory");
+      goto failure;
+  }
+  memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length);
+  free_KRB_SAFE (&safe);
+  return 0;
+failure:
+  free_KRB_SAFE (&safe);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/read_message.c b/crypto/heimdal/lib/krb5/read_message.c
new file mode 100644
index 0000000..124499a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/read_message.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: read_message.c,v 1.8 2001/05/14 06:14:51 assar Exp $");
+
+krb5_error_code
+krb5_read_message (krb5_context context,
+		   krb5_pointer p_fd,
+		   krb5_data *data)
+{
+    krb5_error_code ret;
+    u_int32_t len;
+    u_int8_t buf[4];
+
+    ret = krb5_net_read (context, p_fd, buf, 4);
+    if(ret == -1) {
+	ret = errno;
+	krb5_clear_error_string (context);
+	return ret;
+    }
+    if(ret < 4) {
+	data->length = 0;
+	return HEIM_ERR_EOF;
+    }
+    len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
+    ret = krb5_data_alloc (data, len);
+    if (ret)
+	return ret;
+    if (krb5_net_read (context, p_fd, data->data, len) != len) {
+	ret = errno;
+	krb5_data_free (data);
+	krb5_clear_error_string (context);
+	return ret;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_read_priv_message(krb5_context context,
+		       krb5_auth_context ac,
+		       krb5_pointer p_fd,
+		       krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_data packet;
+
+    ret = krb5_read_message(context, p_fd, &packet);
+    if(ret)
+	return ret;
+    ret = krb5_rd_priv (context, ac, &packet, data, NULL);
+    krb5_data_free(&packet);
+    return ret;
+}
+
+krb5_error_code
+krb5_read_safe_message(krb5_context context,
+		       krb5_auth_context ac,
+		       krb5_pointer p_fd,
+		       krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_data packet;
+
+    ret = krb5_read_message(context, p_fd, &packet);
+    if(ret)
+	return ret;
+    ret = krb5_rd_safe (context, ac, &packet, data, NULL);
+    krb5_data_free(&packet);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/recvauth.c b/crypto/heimdal/lib/krb5/recvauth.c
new file mode 100644
index 0000000..806a765
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/recvauth.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: recvauth.c,v 1.15 2001/05/14 06:14:51 assar Exp $");
+
+/*
+ * See `sendauth.c' for the format.
+ */
+
+static krb5_boolean
+match_exact(void *data, const char *appl_version)
+{
+    return strcmp(data, appl_version) == 0;
+}
+
+krb5_error_code
+krb5_recvauth(krb5_context context,
+	      krb5_auth_context *auth_context,
+	      krb5_pointer p_fd,
+	      char *appl_version,
+	      krb5_principal server,
+	      int32_t flags,
+	      krb5_keytab keytab,
+	      krb5_ticket **ticket)
+{
+    return krb5_recvauth_match_version(context, auth_context, p_fd,
+				       match_exact, appl_version,
+				       server, flags,
+				       keytab, ticket);
+}
+
+krb5_error_code
+krb5_recvauth_match_version(krb5_context context,
+			    krb5_auth_context *auth_context,
+			    krb5_pointer p_fd,
+			    krb5_boolean (*match_appl_version)(void *, 
+							       const char*),
+			    void *match_data,
+			    krb5_principal server,
+			    int32_t flags,
+			    krb5_keytab keytab,
+			    krb5_ticket **ticket)
+{
+  krb5_error_code ret;
+  const char *version = KRB5_SENDAUTH_VERSION;
+  char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
+  char *her_appl_version;
+  u_int32_t len;
+  u_char repl;
+  krb5_data data;
+  krb5_flags ap_options;
+  ssize_t n;
+
+  /*
+   * If there are no addresses in auth_context, get them from `fd'.
+   */
+
+  if (*auth_context == NULL) {
+      ret = krb5_auth_con_init (context, auth_context);
+      if (ret)
+	  return ret;
+  }
+
+  ret = krb5_auth_con_setaddrs_from_fd (context,
+					*auth_context,
+					p_fd);
+  if (ret)
+      return ret;
+
+  if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) {
+    n = krb5_net_read (context, p_fd, &len, 4);
+    if (n < 0) {
+	ret = errno;
+	krb5_set_error_string (context, "read: %s", strerror(errno));
+	return ret;
+    }
+    if (n == 0) {
+	krb5_clear_error_string (context);
+	return KRB5_SENDAUTH_BADAUTHVERS;
+    }
+    len = ntohl(len);
+    if (len != sizeof(her_version)
+	|| krb5_net_read (context, p_fd, her_version, len) != len
+	|| strncmp (version, her_version, len)) {
+      repl = 1;
+      krb5_net_write (context, p_fd, &repl, 1);
+	krb5_clear_error_string (context);
+      return KRB5_SENDAUTH_BADAUTHVERS;
+    }
+  }
+
+  n = krb5_net_read (context, p_fd, &len, 4);
+  if (n < 0) {
+      ret = errno;
+      krb5_set_error_string (context, "read: %s", strerror(errno));
+      return ret;
+  }
+  if (n == 0) {
+      krb5_clear_error_string (context);
+      return KRB5_SENDAUTH_BADAPPLVERS;
+  }
+  len = ntohl(len);
+  her_appl_version = malloc (len);
+  if (her_appl_version == NULL) {
+      repl = 2;
+      krb5_net_write (context, p_fd, &repl, 1);
+      krb5_set_error_string (context, "malloc: out of memory");
+      return ENOMEM;
+  }
+  if (krb5_net_read (context, p_fd, her_appl_version, len) != len
+      || !(*match_appl_version)(match_data, her_appl_version)) {
+    repl = 2;
+    krb5_net_write (context, p_fd, &repl, 1);
+    krb5_set_error_string (context, "wrong sendauth version (%s)",
+			   her_appl_version);
+    free (her_appl_version);
+    return KRB5_SENDAUTH_BADAPPLVERS;
+  }
+  free (her_appl_version);
+
+  repl = 0;
+  if (krb5_net_write (context, p_fd, &repl, 1) != 1) {
+    ret = errno;
+    krb5_set_error_string (context, "write: %s", strerror(errno));
+    return ret;
+  }
+
+  krb5_data_zero (&data);
+  ret = krb5_read_message (context, p_fd, &data);
+  if (ret)
+      return ret;
+
+  ret = krb5_rd_req (context,
+		     auth_context,
+		     &data,
+		     server,
+		     keytab,
+		     &ap_options,
+		     ticket);
+  krb5_data_free (&data);
+  if (ret) {
+      krb5_data error_data;
+      krb5_error_code ret2;
+
+      ret2 = krb5_mk_error (context,
+			    ret,
+			    NULL,
+			    NULL,
+			    NULL,
+			    server,
+			    NULL,
+			    NULL,
+			    &error_data);
+      if (ret2 == 0) {
+	  krb5_write_message (context, p_fd, &error_data);
+	  krb5_data_free (&error_data);
+      }
+      return ret;
+  }      
+
+  len = 0;
+  if (krb5_net_write (context, p_fd, &len, 4) != 4) {
+      ret = errno;
+      krb5_set_error_string (context, "write: %s", strerror(errno));
+      return ret;
+  }
+
+  if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
+    ret = krb5_mk_rep (context, *auth_context, &data);
+    if (ret)
+      return ret;
+
+    ret = krb5_write_message (context, p_fd, &data);
+    if (ret)
+	return ret;
+    krb5_data_free (&data);
+  }
+  return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/replay.c b/crypto/heimdal/lib/krb5/replay.c
new file mode 100644
index 0000000..d4f5569
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/replay.c
@@ -0,0 +1,304 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <vis.h>
+
+RCSID("$Id: replay.c,v 1.8 2001/05/14 06:14:51 assar Exp $");
+
+struct krb5_rcache_data {
+    char *name;
+};
+
+krb5_error_code
+krb5_rc_resolve(krb5_context context,
+		krb5_rcache id,
+		const char *name)
+{
+    id->name = strdup(name);
+    if(id->name == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return KRB5_RC_MALLOC;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_resolve_type(krb5_context context,
+		     krb5_rcache *id,
+		     const char *type)
+{
+    if(strcmp(type, "FILE")) {
+	krb5_set_error_string (context, "replay cache type %s not supported",
+			       type);
+	return KRB5_RC_TYPE_NOTFOUND;
+    }
+    *id = calloc(1, sizeof(**id));
+    if(*id == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return KRB5_RC_MALLOC;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_resolve_full(krb5_context context,
+		     krb5_rcache *id,
+		     const char *string_name)
+{
+    krb5_error_code ret;
+    if(strncmp(string_name, "FILE:", 5)) {
+	krb5_set_error_string (context, "replay cache type %s not supported",
+			       string_name);
+	return KRB5_RC_TYPE_NOTFOUND;
+    }
+    ret = krb5_rc_resolve_type(context, id, "FILE");
+    if(ret)
+	return ret;
+    ret = krb5_rc_resolve(context, *id, string_name + 5);
+    return ret;
+}
+
+const char *
+krb5_rc_default_name(krb5_context context)
+{
+    return "FILE:/var/run/default_rcache";
+}
+
+const char *
+krb5_rc_default_type(krb5_context context)
+{
+    return "FILE";
+}
+
+krb5_error_code
+krb5_rc_default(krb5_context context,
+		krb5_rcache *id)
+{
+    return krb5_rc_resolve_full(context, id, krb5_rc_default_name(context));
+}
+
+struct rc_entry{
+    time_t stamp;
+    unsigned char data[16];
+};
+
+krb5_error_code
+krb5_rc_initialize(krb5_context context,
+		   krb5_rcache id,
+		   krb5_deltat auth_lifespan)
+{
+    FILE *f = fopen(id->name, "w");
+    struct rc_entry tmp;
+    int ret;
+
+    if(f == NULL) {
+	ret = errno;
+	krb5_set_error_string (context, "open(%s): %s", id->name,
+			       strerror(ret));
+	return ret;
+    }
+    tmp.stamp = auth_lifespan;
+    fwrite(&tmp, 1, sizeof(tmp), f);
+    fclose(f);
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_recover(krb5_context context,
+		krb5_rcache id)
+{
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_destroy(krb5_context context,
+		krb5_rcache id)
+{
+    int ret;
+
+    if(remove(id->name) < 0) {
+	ret = errno;
+	krb5_set_error_string (context, "remove(%s): %s", id->name,
+			       strerror(ret));
+	return ret;
+    }
+    return krb5_rc_close(context, id);
+}
+
+krb5_error_code
+krb5_rc_close(krb5_context context,
+	      krb5_rcache id)
+{
+    free(id->name);
+    free(id);
+    return 0;
+}
+
+static void
+checksum_authenticator(Authenticator *auth, void *data)
+{
+    MD5_CTX md5;
+    int i;
+
+    MD5_Init (&md5);
+    MD5_Update (&md5, auth->crealm, strlen(auth->crealm));
+    for(i = 0; i < auth->cname.name_string.len; i++)
+	MD5_Update(&md5, auth->cname.name_string.val[i], 
+		   strlen(auth->cname.name_string.val[i]));
+    MD5_Update (&md5, &auth->ctime, sizeof(auth->ctime));
+    MD5_Update (&md5, &auth->cusec, sizeof(auth->cusec));
+    MD5_Final (data, &md5);
+}
+
+krb5_error_code
+krb5_rc_store(krb5_context context,
+	      krb5_rcache id,
+	      krb5_donot_replay *rep)
+{
+    struct rc_entry ent, tmp;
+    time_t t;
+    FILE *f;
+    int ret;
+
+    ent.stamp = time(NULL);
+    checksum_authenticator(rep, ent.data);
+    f = fopen(id->name, "r");
+    if(f == NULL) {
+	ret = errno;
+	krb5_set_error_string (context, "open(%s): %s", id->name,
+			       strerror(ret));
+	return ret;
+    }
+    fread(&tmp, sizeof(ent), 1, f);
+    t = ent.stamp - tmp.stamp;
+    while(fread(&tmp, sizeof(ent), 1, f)){
+	if(tmp.stamp < t)
+	    continue;
+	if(memcmp(tmp.data, ent.data, sizeof(ent.data)) == 0){
+	    fclose(f);
+	    krb5_clear_error_string (context);
+	    return KRB5_RC_REPLAY;
+	}
+    }
+    if(ferror(f)){
+	ret = errno;
+	fclose(f);
+	krb5_set_error_string (context, "%s: %s", id->name, strerror(ret));
+	return ret;
+    }
+    fclose(f);
+    f = fopen(id->name, "a");
+    if(f == NULL) {
+	krb5_set_error_string (context, "open(%s): %s", id->name,
+			       strerror(errno));
+	return KRB5_RC_IO_UNKNOWN;
+    }
+    fwrite(&ent, 1, sizeof(ent), f);
+    fclose(f);
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_expunge(krb5_context context,
+		krb5_rcache id)
+{
+    return 0;
+}
+
+krb5_error_code
+krb5_rc_get_lifespan(krb5_context context,
+		     krb5_rcache id,
+		     krb5_deltat *auth_lifespan)
+{
+    FILE *f = fopen(id->name, "r");
+    int r;
+    struct rc_entry ent;
+    r = fread(&ent, sizeof(ent), 1, f);
+    fclose(f);
+    if(r){
+	*auth_lifespan = ent.stamp;
+	return 0;
+    }
+    krb5_clear_error_string (context);
+    return KRB5_RC_IO_UNKNOWN;
+}
+
+const char*
+krb5_rc_get_name(krb5_context context,
+		 krb5_rcache id)
+{
+    return id->name;
+}
+		 
+const char*
+krb5_rc_get_type(krb5_context context,
+		 krb5_rcache id)
+{
+    return "FILE";
+}
+		 
+krb5_error_code
+krb5_get_server_rcache(krb5_context context, 
+		       const krb5_data *piece, 
+		       krb5_rcache *id)
+{
+    krb5_rcache rcache;
+    krb5_error_code ret;
+
+    char *tmp = malloc(4 * piece->length + 1);
+    char *name;
+
+    if(tmp == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    strvisx(tmp, piece->data, piece->length, VIS_WHITE | VIS_OCTAL);
+#ifdef HAVE_GETEUID
+    asprintf(&name, "FILE:rc_%s_%u", tmp, geteuid());
+#else
+    asprintf(&name, "FILE:rc_%s", tmp);
+#endif
+    free(tmp);
+    if(name == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    ret = krb5_rc_resolve_full(context, &rcache, name);
+    free(name);
+    if(ret)
+	return ret;
+    *id = rcache;
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/send_to_kdc.c b/crypto/heimdal/lib/krb5/send_to_kdc.c
new file mode 100644
index 0000000..5a66f02
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/send_to_kdc.c
@@ -0,0 +1,429 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: send_to_kdc.c,v 1.44 2001/05/14 22:49:56 assar Exp $");
+
+/*
+ * send the data in `req' on the socket `fd' (which is datagram iff udp)
+ * waiting `tmout' for a reply and returning the reply in `rep'.
+ * iff limit read up to this many bytes
+ * returns 0 and data in `rep' if succesful, otherwise -1
+ */
+
+static int
+recv_loop (int fd,
+	   time_t tmout,
+	   int udp,
+	   size_t limit,
+	   krb5_data *rep)
+{
+     fd_set fdset;
+     struct timeval timeout;
+     int ret;
+     int nbytes;
+
+     if (fd >= FD_SETSIZE) {
+	 return -1;
+     }
+
+     krb5_data_zero(rep);
+     do {
+	 FD_ZERO(&fdset);
+	 FD_SET(fd, &fdset);
+	 timeout.tv_sec  = tmout;
+	 timeout.tv_usec = 0;
+	 ret = select (fd + 1, &fdset, NULL, NULL, &timeout);
+	 if (ret < 0) {
+	     if (errno == EINTR)
+		 continue;
+	     return -1;
+	 } else if (ret == 0) {
+	     return 0;
+	 } else {
+	     void *tmp;
+
+	     if (ioctl (fd, FIONREAD, &nbytes) < 0) {
+		 krb5_data_free (rep);
+		 return -1;
+	     }
+	     if(nbytes == 0)
+		 return 0;
+
+	     if (limit)
+		 nbytes = min(nbytes, limit - rep->length);
+
+	     tmp = realloc (rep->data, rep->length + nbytes);
+	     if (tmp == NULL) {
+		 krb5_data_free (rep);
+		 return -1;
+	     }
+	     rep->data = tmp;
+	     ret = recv (fd, (char*)tmp + rep->length, nbytes, 0);
+	     if (ret < 0) {
+		 krb5_data_free (rep);
+		 return -1;
+	     }
+	     rep->length += ret;
+	 }
+     } while(!udp && (limit == 0 || rep->length < limit));
+     return 0;
+}
+
+/*
+ * Send kerberos requests and receive a reply on a udp or any other kind
+ * of a datagram socket.  See `recv_loop'.
+ */
+
+static int
+send_and_recv_udp(int fd, 
+		  time_t tmout,
+		  const krb5_data *req,
+		  krb5_data *rep)
+{
+    if (send (fd, req->data, req->length, 0) < 0)
+	return -1;
+
+    return recv_loop(fd, tmout, 1, 0, rep);
+}
+
+/*
+ * `send_and_recv' for a TCP (or any other stream) socket.
+ * Since there are no record limits on a stream socket the protocol here
+ * is to prepend the request with 4 bytes of its length and the reply
+ * is similarly encoded.
+ */
+
+static int
+send_and_recv_tcp(int fd, 
+		  time_t tmout,
+		  const krb5_data *req,
+		  krb5_data *rep)
+{
+    unsigned char len[4];
+    unsigned long rep_len;
+    krb5_data len_data;
+
+    _krb5_put_int(len, req->length, 4);
+    if(net_write(fd, len, sizeof(len)) < 0)
+	return -1;
+    if(net_write(fd, req->data, req->length) < 0)
+	return -1;
+    if (recv_loop (fd, tmout, 0, 4, &len_data) < 0)
+	return -1;
+    if (len_data.length != 4) {
+	krb5_data_free (&len_data);
+	return -1;
+    }
+    _krb5_get_int(len_data.data, &rep_len, 4);
+    krb5_data_free (&len_data);
+    if (recv_loop (fd, tmout, 0, rep_len, rep) < 0)
+	return -1;
+    if(rep->length != rep_len) {
+	krb5_data_free (rep);
+	return -1;
+    }
+    return 0;
+}
+
+/*
+ * `send_and_recv' tailored for the HTTP protocol.
+ */
+
+static int
+send_and_recv_http(int fd, 
+		   time_t tmout,
+		   const char *prefix,
+		   const krb5_data *req,
+		   krb5_data *rep)
+{
+    char *request;
+    char *str;
+    int ret;
+    int len = base64_encode(req->data, req->length, &str);
+
+    if(len < 0)
+	return -1;
+    asprintf(&request, "GET %s%s HTTP/1.0\r\n\r\n", prefix, str);
+    free(str);
+    if (request == NULL)
+	return -1;
+    ret = net_write (fd, request, strlen(request));
+    free (request);
+    if (ret < 0)
+	return ret;
+    ret = recv_loop(fd, tmout, 0, 0, rep);
+    if(ret)
+	return ret;
+    {
+	unsigned long rep_len;
+	char *s, *p;
+
+	s = realloc(rep->data, rep->length + 1);
+	if (s == NULL) {
+	    krb5_data_free (rep);
+	    return -1;
+	}
+	s[rep->length] = 0;
+	p = strstr(s, "\r\n\r\n");
+	if(p == NULL) {
+	    free(s);
+	    return -1;
+	}
+	p += 4;
+	rep->data = s;
+	rep->length -= p - s;
+	if(rep->length < 4) { /* remove length */
+	    free(s);
+	    return -1;
+	}
+	rep->length -= 4;
+	_krb5_get_int(p, &rep_len, 4);
+	if (rep_len != rep->length) {
+	    free(s);
+	    return -1;
+	}
+	memmove(rep->data, p + 4, rep->length);
+    }
+    return 0;
+}
+
+static int
+init_port(const char *s, int fallback)
+{
+    if (s) {
+	int tmp;
+
+	sscanf (s, "%d", &tmp);
+	return htons(tmp);
+    } else
+	return fallback;
+}
+
+/*
+ * Return 0 if succesful, otherwise 1
+ */
+
+static int
+send_via_proxy (krb5_context context,
+		const char *hostname,
+		const krb5_data *send,
+		krb5_data *receive)
+{
+    char *proxy2 = strdup(context->http_proxy);
+    char *proxy  = proxy2;
+    char *prefix;
+    char *colon;
+    struct addrinfo hints;
+    struct addrinfo *ai, *a;
+    int ret;
+    int s;
+    char portstr[NI_MAXSERV];
+		 
+    if (proxy == NULL)
+	return ENOMEM;
+    if (strncmp (proxy, "http://", 7) == 0)
+	proxy += 7;
+
+    colon = strchr(proxy, ':');
+    if(colon != NULL)
+	*colon++ = '\0';
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_family   = PF_UNSPEC;
+    hints.ai_socktype = SOCK_STREAM;
+    snprintf (portstr, sizeof(portstr), "%d",
+	      ntohs(init_port (colon, htons(80))));
+    ret = getaddrinfo (proxy, portstr, &hints, &ai);
+    free (proxy2);
+    if (ret)
+	return krb5_eai_to_heim_errno(ret, errno);
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    close (s);
+	    continue;
+	}
+	break;
+    }
+    if (a == NULL) {
+	freeaddrinfo (ai);
+	return 1;
+    }
+    freeaddrinfo (ai);
+
+    asprintf(&prefix, "http://%s/", hostname);
+    if(prefix == NULL) {
+	close(s);
+	return 1;
+    }
+    ret = send_and_recv_http(s, context->kdc_timeout,
+			     prefix, send, receive);
+    close (s);
+    free(prefix);
+    if(ret == 0 && receive->length != 0)
+	return 0;
+    return 1;
+}
+
+/*
+ * Send the data `send' to one hots in `hostlist' and get back the reply
+ * in `receive'.
+ */
+
+krb5_error_code
+krb5_sendto (krb5_context context,
+	     const krb5_data *send,
+	     char **hostlist,
+	     int port,
+	     krb5_data *receive)
+{
+     krb5_error_code ret = 0;
+     char **hp, *p;
+     int fd;
+     int i;
+
+     for (i = 0; i < context->max_retries; ++i) {
+	 for (hp = hostlist; (p = *hp); ++hp) {
+	     char *colon;
+	     int http_flag = 0;
+	     int tcp_flag = 0;
+	     struct addrinfo *ai, *a;
+	     struct addrinfo hints;
+	     char portstr[NI_MAXSERV];
+
+	     if(strncmp(p, "http://", 7) == 0){
+		 p += 7;
+		 http_flag = 1;
+		 port = htons(80);
+	     } else if(strncmp(p, "http/", 5) == 0) {
+		 p += 5;
+		 http_flag = 1;
+		 port = htons(80);
+	     }else if(strncmp(p, "tcp/", 4) == 0){
+		 p += 4;
+		 tcp_flag = 1;
+	     } else if(strncmp(p, "udp/", 4) == 0) {
+		 p += 4;
+	     }
+	     if(http_flag && context->http_proxy) {
+		 if (send_via_proxy (context, p, send, receive))
+		     continue;
+		 else
+		     goto out;
+	     }
+	     colon = strchr (p, ':');
+	     if (colon)
+		 *colon++ = '\0';
+
+	     memset (&hints, 0, sizeof(hints));
+	     hints.ai_family = PF_UNSPEC;
+	     if (tcp_flag || http_flag)
+		 hints.ai_socktype = SOCK_STREAM;
+	     else
+		 hints.ai_socktype = SOCK_DGRAM;
+	     snprintf (portstr, sizeof(portstr), "%d",
+		       ntohs(init_port (colon, port)));
+	     ret = getaddrinfo (p, portstr, &hints, &ai);
+	     if (ret)
+		 continue;
+	     for (a = ai; a != NULL; a = a->ai_next) {
+		 fd = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+		 if (fd < 0)
+		     continue;
+		 if (connect (fd, a->ai_addr, a->ai_addrlen) < 0) {
+		     close (fd);
+		     continue;
+		 }
+		 if(http_flag)
+		     ret = send_and_recv_http(fd, context->kdc_timeout,
+					      "", send, receive);
+		 else if(tcp_flag)
+		     ret = send_and_recv_tcp (fd, context->kdc_timeout,
+					      send, receive);
+		 else
+		     ret = send_and_recv_udp (fd, context->kdc_timeout,
+					      send, receive);
+		 close (fd);
+		 if(ret == 0 && receive->length != 0) {
+		     freeaddrinfo(ai);
+		     goto out;
+		 }
+	     }
+	     freeaddrinfo(ai);
+	 }
+     }
+     krb5_clear_error_string (context);
+     ret = KRB5_KDC_UNREACH;
+out:
+     return ret;
+}
+
+krb5_error_code
+krb5_sendto_kdc2(krb5_context context,
+		 const krb5_data *send,
+		 const krb5_realm *realm,
+		 krb5_data *receive,
+		 krb5_boolean master)
+{
+    krb5_error_code ret;
+    char **hostlist;
+    int port;
+    
+    port = krb5_getportbyname (context, "kerberos", "udp", 88);
+    
+    if (master || context->use_admin_kdc)
+	ret = krb5_get_krb_admin_hst (context, realm, &hostlist);
+    else
+	ret = krb5_get_krbhst (context, realm, &hostlist);
+    if (ret)
+	return ret;
+    ret = krb5_sendto(context, send, hostlist, port, receive);
+    krb5_free_krbhst (context, hostlist);
+    if (ret == KRB5_KDC_UNREACH)
+	krb5_set_error_string(context,
+			      "unable to reach any KDC in realm %s", *realm);
+    return ret;
+}
+
+krb5_error_code
+krb5_sendto_kdc(krb5_context context,
+		const krb5_data *send,
+		const krb5_realm *realm,
+		krb5_data *receive)
+{
+    return krb5_sendto_kdc2(context, send, realm, receive, FALSE);
+}
diff --git a/crypto/heimdal/lib/krb5/sendauth.c b/crypto/heimdal/lib/krb5/sendauth.c
new file mode 100644
index 0000000..8f2c544
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/sendauth.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: sendauth.c,v 1.18 2001/05/14 06:14:51 assar Exp $");
+
+/*
+ * The format seems to be:
+ * client -> server
+ *
+ * 4 bytes - length
+ * KRB5_SENDAUTH_V1.0 (including zero)
+ * 4 bytes - length
+ * protocol string (with terminating zero)
+ *
+ * server -> client
+ * 1 byte - (0 = OK, else some kind of error)
+ *
+ * client -> server
+ * 4 bytes - length
+ * AP-REQ
+ *
+ * server -> client
+ * 4 bytes - length (0 = OK, else length of error)
+ * (error)
+ *
+ * if(mutual) {
+ * server -> client
+ * 4 bytes - length
+ * AP-REP
+ * }
+ */
+
+krb5_error_code
+krb5_sendauth(krb5_context context,
+	      krb5_auth_context *auth_context,
+	      krb5_pointer p_fd,
+	      const char *appl_version,
+	      krb5_principal client,
+	      krb5_principal server,
+	      krb5_flags ap_req_options,
+	      krb5_data *in_data,
+	      krb5_creds *in_creds,
+	      krb5_ccache ccache,
+	      krb5_error **ret_error,
+	      krb5_ap_rep_enc_part **rep_result,
+	      krb5_creds **out_creds)
+{
+    krb5_error_code ret;
+    u_int32_t len, net_len;
+    const char *version = KRB5_SENDAUTH_VERSION;
+    u_char repl;
+    krb5_data ap_req, error_data;
+    krb5_creds this_cred;
+    krb5_principal this_client = NULL;
+    krb5_creds *creds;
+    ssize_t sret;
+
+    len = strlen(version) + 1;
+    net_len = htonl(len);
+    if (krb5_net_write (context, p_fd, &net_len, 4) != 4
+	|| krb5_net_write (context, p_fd, version, len) != len) {
+	ret = errno;
+	krb5_set_error_string (context, "write: %s", strerror(ret));
+	return ret;
+    }
+
+    len = strlen(appl_version) + 1;
+    net_len = htonl(len);
+    if (krb5_net_write (context, p_fd, &net_len, 4) != 4
+	|| krb5_net_write (context, p_fd, appl_version, len) != len) {
+	ret = errno;
+	krb5_set_error_string (context, "write: %s", strerror(ret));
+	return ret;
+    }
+
+    sret = krb5_net_read (context, p_fd, &repl, sizeof(repl));
+    if (sret < 0) {
+	ret = errno;
+	krb5_set_error_string (context, "read: %s", strerror(ret));
+	return ret;
+    } else if (sret != sizeof(repl)) {
+	krb5_clear_error_string (context);
+	return KRB5_SENDAUTH_BADRESPONSE;
+    }
+
+    if (repl != 0) {
+	krb5_clear_error_string (context);
+	return KRB5_SENDAUTH_REJECTED;
+    }
+
+    if (in_creds == NULL) {
+	if (ccache == NULL) {
+	    ret = krb5_cc_default (context, &ccache);
+	    if (ret)
+		return ret;
+	}
+
+	if (client == NULL) {
+	    ret = krb5_cc_get_principal (context, ccache, &this_client);
+	    if (ret)
+		return ret;
+	    client = this_client;
+	}
+	memset(&this_cred, 0, sizeof(this_cred));
+	this_cred.client = client;
+	this_cred.server = server;
+	this_cred.times.endtime = 0;
+	this_cred.ticket.length = 0;
+	in_creds = &this_cred;
+    }
+    if (in_creds->ticket.length == 0) {
+	ret = krb5_get_credentials (context, 0, ccache, in_creds, &creds);
+	if (ret)
+	    return ret;
+    } else {
+	creds = in_creds;
+    }
+    ret = krb5_mk_req_extended (context,
+				auth_context,
+				ap_req_options,
+				in_data,
+				creds,
+				&ap_req);
+
+    if (out_creds)
+	*out_creds = creds;
+    else
+	krb5_free_creds(context, creds);
+    if(this_client)
+	krb5_free_principal(context, this_client);
+
+    if (ret)
+	return ret;
+
+    ret = krb5_write_message (context,
+			      p_fd,
+			      &ap_req);
+    if (ret)
+	return ret;
+
+    krb5_data_free (&ap_req);
+
+    ret = krb5_read_message (context, p_fd, &error_data);
+    if (ret)
+	return ret;
+
+    if (error_data.length != 0) {
+	KRB_ERROR error;
+
+	ret = krb5_rd_error (context, &error_data, &error);
+	krb5_data_free (&error_data);
+	if (ret == 0) {
+	    ret = krb5_error_from_rd_error(context, &error, NULL);
+	    if (ret_error != NULL) {
+		*ret_error = malloc (sizeof(krb5_error));
+		if (*ret_error == NULL) {
+		    krb5_free_error_contents (context, &error);
+		} else {
+		    **ret_error = error;
+		}
+	    } else {
+		krb5_free_error_contents (context, &error);
+	    }
+	    return ret;
+	} else {
+	    krb5_clear_error_string(context);
+	    return ret;
+	}
+    }
+
+    if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
+	krb5_data ap_rep;
+	krb5_ap_rep_enc_part *ignore;
+
+	krb5_data_zero (&ap_rep);
+	ret = krb5_read_message (context,
+				 p_fd,
+				 &ap_rep);
+	if (ret)
+	    return ret;
+
+	ret = krb5_rd_rep (context, *auth_context, &ap_rep,
+			   rep_result ? rep_result : &ignore);
+	if (ret)
+	    return ret;
+	if (rep_result == NULL)
+	    krb5_free_ap_rep_enc_part (context, ignore);
+	krb5_data_free (&ap_rep);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/set_default_realm.c b/crypto/heimdal/lib/krb5/set_default_realm.c
new file mode 100644
index 0000000..9cb49c3
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/set_default_realm.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: set_default_realm.c,v 1.12 2001/05/14 06:14:51 assar Exp $");
+
+/*
+ * Convert the simple string `s' into a NULL-terminated and freshly allocated 
+ * list in `list'.  Return an error code.
+ */
+
+static krb5_error_code
+string_to_list (krb5_context context, const char *s, krb5_realm **list)
+{
+
+    *list = malloc (2 * sizeof(**list));
+    if (*list == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    (*list)[0] = strdup (s);
+    if ((*list)[0] == NULL) {
+	free (*list);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    (*list)[1] = NULL;
+    return 0;
+}
+
+/*
+ * Set the knowledge of the default realm(s) in `context'.
+ * If realm != NULL, that's the new default realm.
+ * Otherwise, the realm(s) are figured out from configuration or DNS.  
+ */
+
+krb5_error_code
+krb5_set_default_realm(krb5_context context,
+		       char *realm)
+{
+    krb5_error_code ret = 0;
+    krb5_realm *realms = NULL;
+
+    if (realm == NULL) {
+	realms = krb5_config_get_strings (context, NULL,
+					  "libdefaults",
+					  "default_realm",
+					  NULL);
+	if (realms == NULL)
+	    ret = krb5_get_host_realm(context, NULL, &realms);
+    } else {
+	ret = string_to_list (context, realm, &realms);
+    }
+    if (ret)
+	return ret;
+    krb5_free_host_realm (context, context->default_realms);
+    context->default_realms = realms;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/sock_principal.c b/crypto/heimdal/lib/krb5/sock_principal.c
new file mode 100644
index 0000000..d7a77a4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/sock_principal.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: sock_principal.c,v 1.13 2001/05/14 06:14:51 assar Exp $");
+			
+krb5_error_code
+krb5_sock_to_principal (krb5_context context,
+			int sock,
+			const char *sname,
+			int32_t type,
+			krb5_principal *ret_princ)
+{
+    krb5_error_code ret;
+    krb5_address address;
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+    socklen_t len = sizeof(__ss);
+    struct hostent *hostent;
+    int family;
+    char *hname = NULL;
+
+    if (getsockname (sock, sa, &len) < 0) {
+	ret = errno;
+	krb5_set_error_string (context, "getsockname: %s", strerror(ret));
+	return ret;
+    }
+    family = sa->sa_family;
+    
+    ret = krb5_sockaddr2address (context, sa, &address);
+    if (ret)
+	return ret;
+
+    hostent = roken_gethostbyaddr (address.address.data,
+				   address.address.length,
+				   family);
+
+    if (hostent == NULL) {
+	krb5_set_error_string (context, "gethostbyaddr: %s",
+			       hstrerror(h_errno));
+	return krb5_h_errno_to_heim_errno(h_errno);
+    }
+    hname = hostent->h_name;
+    if (strchr(hname, '.') == NULL) {
+	char **a;
+
+	for (a = hostent->h_aliases; a != NULL && *a != NULL; ++a)
+	    if (strchr(*a, '.') != NULL) {
+		hname = *a;
+		break;
+	    }
+    }
+
+    return krb5_sname_to_principal (context,
+				    hname,
+				    sname,
+				    type,
+				    ret_princ);
+}
diff --git a/crypto/heimdal/lib/krb5/store-test.c b/crypto/heimdal/lib/krb5/store-test.c
new file mode 100644
index 0000000..512d2a5
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/store-test.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: store-test.c,v 1.1 2001/05/11 16:06:25 joda Exp $");
+
+static void
+print_data(unsigned char *data, size_t len)
+{
+    int i;
+    for(i = 0; i < len; i++) {
+	if(i > 0 && (i % 16) == 0)
+	    printf("\n            ");
+	printf("%02x ", data[i]);
+    }
+    printf("\n");
+}
+
+static int
+compare(const char *name, krb5_storage *sp, void *expected, size_t len)
+{
+    int ret = 0;
+    krb5_data data;
+    krb5_storage_to_data(sp, &data);
+    krb5_storage_free(sp);
+    if(data.length != len || memcmp(data.data, expected, len) != 0) {
+	printf("%s mismatch\n", name);
+	printf("  Expected: ");
+	print_data(expected, len);
+	printf("  Actual:   ");
+	print_data(data.data, data.length);
+	ret++;
+    }
+    krb5_data_free(&data);
+    return ret;
+}
+
+int
+main(int argc, char **argv)
+{
+    int nerr = 0;
+    krb5_storage *sp;
+    krb5_context context;
+    krb5_principal principal;
+	
+
+    krb5_init_context(&context);
+
+    sp = krb5_storage_emem();
+    krb5_store_int32(sp, 0x01020304);
+    nerr += compare("Integer", sp, "\x1\x2\x3\x4", 4);
+
+    sp = krb5_storage_emem();
+    krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE);
+    krb5_store_int32(sp, 0x01020304);
+    nerr += compare("Integer (LE)", sp, "\x4\x3\x2\x1", 4);
+
+    sp = krb5_storage_emem();
+    krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+    krb5_store_int32(sp, 0x01020304);
+    nerr += compare("Integer (BE)", sp, "\x1\x2\x3\x4", 4);
+
+    sp = krb5_storage_emem();
+    krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_HOST);
+    krb5_store_int32(sp, 0x01020304);
+    {
+	int test = 1;
+	void *data;
+	if(*(char*)&test) 
+	    data = "\x4\x3\x2\x1";
+	else 
+	    data = "\x1\x2\x3\x4";
+	nerr += compare("Integer (host)", sp, data, 4);
+    }
+
+    sp = krb5_storage_emem();
+    krb5_make_principal(context, &principal, "TEST", "foobar", NULL);
+    krb5_store_principal(sp, principal);
+    nerr += compare("Principal", sp, "\x0\x0\x0\x1"
+		    "\x0\x0\x0\x1"
+		    "\x0\x0\x0\x4TEST"
+		    "\x0\x0\x0\x6""foobar", 26);
+    
+    return nerr ? 1 : 0;
+}
diff --git a/crypto/heimdal/lib/krb5/store.c b/crypto/heimdal/lib/krb5/store.c
new file mode 100644
index 0000000..4dd96a8
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/store.c
@@ -0,0 +1,664 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: store.c,v 1.35 2001/05/11 13:01:43 joda Exp $");
+
+#define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V))
+#define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE)
+#define BYTEORDER_IS_BE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_BE)
+#define BYTEORDER_IS_HOST(SP) (BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_HOST) || \
+			       krb5_storage_is_flags((SP), KRB5_STORAGE_HOST_BYTEORDER))
+
+void
+krb5_storage_set_flags(krb5_storage *sp, krb5_flags flags)
+{
+    sp->flags |= flags;
+}
+
+void
+krb5_storage_clear_flags(krb5_storage *sp, krb5_flags flags)
+{
+    sp->flags &= ~flags;
+}
+
+krb5_boolean
+krb5_storage_is_flags(krb5_storage *sp, krb5_flags flags)
+{
+    return (sp->flags & flags) == flags;
+}
+
+void
+krb5_storage_set_byteorder(krb5_storage *sp, krb5_flags byteorder)
+{
+    sp->flags &= ~KRB5_STORAGE_BYTEORDER_MASK;
+    sp->flags |= byteorder;
+}
+
+krb5_flags
+krb5_storage_get_byteorder(krb5_storage *sp, krb5_flags byteorder)
+{
+    return sp->flags & KRB5_STORAGE_BYTEORDER_MASK;
+}
+
+
+ssize_t
+_krb5_put_int(void *buffer, unsigned long value, size_t size)
+{
+    unsigned char *p = buffer;
+    int i;
+    for (i = size - 1; i >= 0; i--) {
+	p[i] = value & 0xff;
+	value >>= 8;
+    }
+    return size;
+}
+
+ssize_t
+_krb5_get_int(void *buffer, unsigned long *value, size_t size)
+{
+    unsigned char *p = buffer;
+    unsigned long v = 0;
+    int i;
+    for (i = 0; i < size; i++)
+	v = (v << 8) + p[i];
+    *value = v;
+    return size;
+}
+
+krb5_error_code
+krb5_storage_free(krb5_storage *sp)
+{
+    if(sp->free)
+	(*sp->free)(sp);
+    free(sp->data);
+    free(sp);
+    return 0;
+}
+
+krb5_error_code
+krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
+{
+    off_t pos;
+    size_t size;
+    krb5_error_code ret;
+
+    pos = sp->seek(sp, 0, SEEK_CUR);
+    size = (size_t)sp->seek(sp, 0, SEEK_END);
+    ret = krb5_data_alloc (data, size);
+    if (ret) {
+	sp->seek(sp, pos, SEEK_SET);
+	return ret;
+    }
+    if (size) {
+	sp->seek(sp, 0, SEEK_SET);
+	sp->fetch(sp, data->data, data->length);
+	sp->seek(sp, pos, SEEK_SET);
+    }
+    return 0;
+}
+
+static krb5_error_code
+krb5_store_int(krb5_storage *sp,
+	       int32_t value,
+	       size_t len)
+{
+    int ret;
+    unsigned char v[16];
+
+    if(len > sizeof(v))
+	return EINVAL;
+    _krb5_put_int(v, value, len);
+    ret = sp->store(sp, v, len);
+    if (ret != len)
+	return (ret<0)?errno:KRB5_CC_END;
+    return 0;
+}
+
+krb5_error_code
+krb5_store_int32(krb5_storage *sp,
+		 int32_t value)
+{
+    if(BYTEORDER_IS_HOST(sp))
+	value = htonl(value);
+    else if(BYTEORDER_IS_LE(sp))
+	value = bswap32(value);
+    return krb5_store_int(sp, value, 4);
+}
+
+static krb5_error_code
+krb5_ret_int(krb5_storage *sp,
+	     int32_t *value,
+	     size_t len)
+{
+    int ret;
+    unsigned char v[4];
+    unsigned long w;
+    ret = sp->fetch(sp, v, len);
+    if(ret != len)
+	return (ret<0)?errno:KRB5_CC_END;
+    _krb5_get_int(v, &w, len);
+    *value = w;
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_int32(krb5_storage *sp,
+	       int32_t *value)
+{
+    krb5_error_code ret = krb5_ret_int(sp, value, 4);
+    if(ret)
+	return ret;
+    if(BYTEORDER_IS_HOST(sp))
+	*value = htonl(*value);
+    else if(BYTEORDER_IS_LE(sp))
+	*value = bswap32(*value);
+    return 0;
+}
+
+krb5_error_code
+krb5_store_int16(krb5_storage *sp,
+		 int16_t value)
+{
+    if(BYTEORDER_IS_HOST(sp))
+	value = htons(value);
+    else if(BYTEORDER_IS_LE(sp))
+	value = bswap16(value);
+    return krb5_store_int(sp, value, 2);
+}
+
+krb5_error_code
+krb5_ret_int16(krb5_storage *sp,
+	       int16_t *value)
+{
+    int32_t v;
+    int ret;
+    ret = krb5_ret_int(sp, &v, 2);
+    if(ret)
+	return ret;
+    *value = v;
+    if(BYTEORDER_IS_HOST(sp))
+	*value = htons(*value);
+    else if(BYTEORDER_IS_LE(sp))
+	*value = bswap16(*value);
+    return 0;
+}
+
+krb5_error_code
+krb5_store_int8(krb5_storage *sp,
+		int8_t value)
+{
+    int ret;
+
+    ret = sp->store(sp, &value, sizeof(value));
+    if (ret != sizeof(value))
+	return (ret<0)?errno:KRB5_CC_END;
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_int8(krb5_storage *sp,
+	      int8_t *value)
+{
+    int ret;
+
+    ret = sp->fetch(sp, value, sizeof(*value));
+    if (ret != sizeof(*value))
+	return (ret<0)?errno:KRB5_CC_END;
+    return 0;
+}
+
+krb5_error_code
+krb5_store_data(krb5_storage *sp,
+		krb5_data data)
+{
+    int ret;
+    ret = krb5_store_int32(sp, data.length);
+    if(ret < 0)
+	return ret;
+    ret = sp->store(sp, data.data, data.length);
+    if(ret != data.length){
+	if(ret < 0)
+	    return errno;
+	return KRB5_CC_END;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_data(krb5_storage *sp,
+	      krb5_data *data)
+{
+    int ret;
+    int32_t size;
+
+    ret = krb5_ret_int32(sp, &size);
+    if(ret)
+	return ret;
+    ret = krb5_data_alloc (data, size);
+    if (ret)
+	return ret;
+    if (size) {
+	ret = sp->fetch(sp, data->data, size);
+	if(ret != size)
+	    return (ret < 0)? errno : KRB5_CC_END;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_store_string(krb5_storage *sp, const char *s)
+{
+    krb5_data data;
+    data.length = strlen(s);
+    data.data = (void*)s;
+    return krb5_store_data(sp, data);
+}
+
+krb5_error_code
+krb5_ret_string(krb5_storage *sp,
+		char **string)
+{
+    int ret;
+    krb5_data data;
+    ret = krb5_ret_data(sp, &data);
+    if(ret)
+	return ret;
+    *string = realloc(data.data, data.length + 1);
+    if(*string == NULL){
+	free(data.data);
+	return ENOMEM;
+    }
+    (*string)[data.length] = 0;
+    return 0;
+}
+
+krb5_error_code
+krb5_store_stringz(krb5_storage *sp, const char *s)
+{
+    size_t len = strlen(s) + 1;
+    ssize_t ret;
+
+    ret = sp->store(sp, s, len);
+    if(ret != len) {
+	if(ret < 0)
+	    return ret;
+	else
+	    return KRB5_CC_END;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_stringz(krb5_storage *sp,
+		char **string)
+{
+    char c;
+    char *s = NULL;
+    size_t len = 0;
+    ssize_t ret;
+
+    while((ret = sp->fetch(sp, &c, 1)) == 1){
+	char *tmp;
+
+	len++;
+	tmp = realloc (s, len);
+	if (tmp == NULL) {
+	    free (s);
+	    return ENOMEM;
+	}
+	s = tmp;
+	s[len - 1] = c;
+	if(c == 0)
+	    break;
+    }
+    if(ret != 1){
+	free(s);
+	if(ret == 0)
+	    return KRB5_CC_END;
+	return ret;
+    }
+    *string = s;
+    return 0;
+}
+
+
+krb5_error_code
+krb5_store_principal(krb5_storage *sp,
+		     krb5_principal p)
+{
+    int i;
+    int ret;
+
+    if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
+    ret = krb5_store_int32(sp, p->name.name_type);
+    if(ret) return ret;
+    }
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
+	ret = krb5_store_int32(sp, p->name.name_string.len + 1);
+    else
+    ret = krb5_store_int32(sp, p->name.name_string.len);
+    
+    if(ret) return ret;
+    ret = krb5_store_string(sp, p->realm);
+    if(ret) return ret;
+    for(i = 0; i < p->name.name_string.len; i++){
+	ret = krb5_store_string(sp, p->name.name_string.val[i]);
+	if(ret) return ret;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_principal(krb5_storage *sp,
+		   krb5_principal *princ)
+{
+    int i;
+    int ret;
+    krb5_principal p;
+    int32_t type;
+    int32_t ncomp;
+    
+    p = calloc(1, sizeof(*p));
+    if(p == NULL)
+	return ENOMEM;
+
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE))
+	type = KRB5_NT_UNKNOWN;
+    else 	if((ret = krb5_ret_int32(sp, &type))){
+	free(p);
+	return ret;
+    }
+    if((ret = krb5_ret_int32(sp, &ncomp))){
+	free(p);
+	return ret;
+    }
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
+	ncomp--;
+    p->name.name_type = type;
+    p->name.name_string.len = ncomp;
+    ret = krb5_ret_string(sp, &p->realm);
+    if(ret) return ret;
+    p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val));
+    if(p->name.name_string.val == NULL){
+	free(p->realm);
+	return ENOMEM;
+    }
+    for(i = 0; i < ncomp; i++){
+	ret = krb5_ret_string(sp, &p->name.name_string.val[i]);
+	if(ret) return ret; /* XXX */
+    }
+    *princ = p;
+    return 0;
+}
+
+krb5_error_code
+krb5_store_keyblock(krb5_storage *sp, krb5_keyblock p)
+{
+    int ret;
+    ret = krb5_store_int16(sp, p.keytype);
+    if(ret) return ret;
+
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE)){
+	/* this should really be enctype, but it is the same as
+           keytype nowadays */
+    ret = krb5_store_int16(sp, p.keytype);
+    if(ret) return ret;
+    }
+
+    ret = krb5_store_data(sp, p.keyvalue);
+    return ret;
+}
+
+krb5_error_code
+krb5_ret_keyblock(krb5_storage *sp, krb5_keyblock *p)
+{
+    int ret;
+    int16_t tmp;
+
+    ret = krb5_ret_int16(sp, &tmp);
+    if(ret) return ret;
+    p->keytype = tmp;
+
+    if(krb5_storage_is_flags(sp, KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE)){
+    ret = krb5_ret_int16(sp, &tmp);
+    if(ret) return ret;
+    }
+
+    ret = krb5_ret_data(sp, &p->keyvalue);
+    return ret;
+}
+
+krb5_error_code
+krb5_store_times(krb5_storage *sp, krb5_times times)
+{
+    int ret;
+    ret = krb5_store_int32(sp, times.authtime);
+    if(ret) return ret;
+    ret = krb5_store_int32(sp, times.starttime);
+    if(ret) return ret;
+    ret = krb5_store_int32(sp, times.endtime);
+    if(ret) return ret;
+    ret = krb5_store_int32(sp, times.renew_till);
+    return ret;
+}
+
+krb5_error_code
+krb5_ret_times(krb5_storage *sp, krb5_times *times)
+{
+    int ret;
+    int32_t tmp;
+    ret = krb5_ret_int32(sp, &tmp);
+    times->authtime = tmp;
+    if(ret) return ret;
+    ret = krb5_ret_int32(sp, &tmp);
+    times->starttime = tmp;
+    if(ret) return ret;
+    ret = krb5_ret_int32(sp, &tmp);
+    times->endtime = tmp;
+    if(ret) return ret;
+    ret = krb5_ret_int32(sp, &tmp);
+    times->renew_till = tmp;
+    return ret;
+}
+
+krb5_error_code
+krb5_store_address(krb5_storage *sp, krb5_address p)
+{
+    int ret;
+    ret = krb5_store_int16(sp, p.addr_type);
+    if(ret) return ret;
+    ret = krb5_store_data(sp, p.address);
+    return ret;
+}
+
+krb5_error_code
+krb5_ret_address(krb5_storage *sp, krb5_address *adr)
+{
+    int16_t t;
+    int ret;
+    ret = krb5_ret_int16(sp, &t);
+    if(ret) return ret;
+    adr->addr_type = t;
+    ret = krb5_ret_data(sp, &adr->address);
+    return ret;
+}
+
+krb5_error_code
+krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
+{
+    int i;
+    int ret;
+    ret = krb5_store_int32(sp, p.len);
+    if(ret) return ret;
+    for(i = 0; i<p.len; i++){
+	ret = krb5_store_address(sp, p.val[i]);
+	if(ret) break;
+    }
+    return ret;
+}
+
+krb5_error_code
+krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
+{
+    int i;
+    int ret;
+    int32_t tmp;
+
+    ret = krb5_ret_int32(sp, &tmp);
+    if(ret) return ret;
+    adr->len = tmp;
+    ALLOC(adr->val, adr->len);
+    for(i = 0; i < adr->len; i++){
+	ret = krb5_ret_address(sp, &adr->val[i]);
+	if(ret) break;
+    }
+    return ret;
+}
+
+krb5_error_code
+krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
+{
+    krb5_error_code ret;
+    int i;
+    ret = krb5_store_int32(sp, auth.len);
+    if(ret) return ret;
+    for(i = 0; i < auth.len; i++){
+	ret = krb5_store_int16(sp, auth.val[i].ad_type);
+	if(ret) break;
+	ret = krb5_store_data(sp, auth.val[i].ad_data);
+	if(ret) break;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
+{
+    krb5_error_code ret;
+    int32_t tmp;
+    int16_t tmp2;
+    int i;
+    ret = krb5_ret_int32(sp, &tmp);
+    if(ret) return ret;
+    ALLOC_SEQ(auth, tmp);
+    for(i = 0; i < tmp; i++){
+	ret = krb5_ret_int16(sp, &tmp2);
+	if(ret) break;
+	auth->val[i].ad_type = tmp2;
+	ret = krb5_ret_data(sp, &auth->val[i].ad_data);
+	if(ret) break;
+    }
+    return ret;
+}
+
+/*
+ * store `creds' on `sp' returning error or zero
+ */
+
+krb5_error_code
+krb5_store_creds(krb5_storage *sp, krb5_creds *creds)
+{
+    int ret;
+
+    ret = krb5_store_principal(sp, creds->client);
+    if (ret)
+	return ret;
+    ret = krb5_store_principal(sp, creds->server);
+    if (ret)
+	return ret;
+    ret = krb5_store_keyblock(sp, creds->session);
+    if (ret)
+	return ret;
+    ret = krb5_store_times(sp, creds->times);
+    if (ret)
+	return ret;
+    ret = krb5_store_int8(sp, 0);  /* this is probably the
+				enc-tkt-in-skey bit from KDCOptions */
+    if (ret)
+	return ret;
+    ret = krb5_store_int32(sp, creds->flags.i);
+    if (ret)
+	return ret;
+    ret = krb5_store_addrs(sp, creds->addresses);
+    if (ret)
+	return ret;
+    ret = krb5_store_authdata(sp, creds->authdata);
+    if (ret)
+	return ret;
+    ret = krb5_store_data(sp, creds->ticket);
+    if (ret)
+	return ret;
+    ret = krb5_store_data(sp, creds->second_ticket);
+    if (ret)
+	return ret;
+    return 0;
+}
+
+krb5_error_code
+krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
+{
+    krb5_error_code ret;
+    int8_t dummy8;
+    int32_t dummy32;
+
+    memset(creds, 0, sizeof(*creds));
+    ret = krb5_ret_principal (sp,  &creds->client);
+    if(ret) goto cleanup;
+    ret = krb5_ret_principal (sp,  &creds->server);
+    if(ret) goto cleanup;
+    ret = krb5_ret_keyblock (sp,  &creds->session);
+    if(ret) goto cleanup;
+    ret = krb5_ret_times (sp,  &creds->times);
+    if(ret) goto cleanup;
+    ret = krb5_ret_int8 (sp,  &dummy8);
+    if(ret) goto cleanup;
+    ret = krb5_ret_int32 (sp,  &dummy32);
+    if(ret) goto cleanup;
+    creds->flags.i = dummy32;
+    ret = krb5_ret_addrs (sp,  &creds->addresses);
+    if(ret) goto cleanup;
+    ret = krb5_ret_authdata (sp,  &creds->authdata);
+    if(ret) goto cleanup;
+    ret = krb5_ret_data (sp,  &creds->ticket);
+    if(ret) goto cleanup;
+    ret = krb5_ret_data (sp,  &creds->second_ticket);
+cleanup:
+    if(ret)
+#if 0	
+	krb5_free_creds_contents(context, creds) /* XXX */
+#endif
+	    ;
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/store_emem.c b/crypto/heimdal/lib/krb5/store_emem.c
new file mode 100644
index 0000000..4d531c6
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/store_emem.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 1997 - 200 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: store_emem.c,v 1.10 2000/05/19 14:39:49 assar Exp $");
+
+typedef struct emem_storage{
+    unsigned char *base;
+    size_t size;
+    size_t len;
+    unsigned char *ptr;
+}emem_storage;
+
+static ssize_t
+emem_fetch(krb5_storage *sp, void *data, size_t size)
+{
+    emem_storage *s = (emem_storage*)sp->data;
+    if(s->base + s->len - s->ptr < size)
+	size = s->base + s->len - s->ptr;
+    memmove(data, s->ptr, size);
+    sp->seek(sp, size, SEEK_CUR);
+    return size;
+}
+
+static ssize_t
+emem_store(krb5_storage *sp, const void *data, size_t size)
+{
+    emem_storage *s = (emem_storage*)sp->data;
+    if(size > s->base + s->size - s->ptr){
+	void *base;
+	size_t sz, off;
+	sz = 2 * (size + (s->ptr - s->base)); /* XXX */
+	off = s->ptr - s->base;
+	base = realloc(s->base, sz);
+	if(base == NULL)
+	    return 0;
+	s->size = sz;
+	s->base = base;
+	s->ptr = (unsigned char*)base + off;
+    }
+    memmove(s->ptr, data, size);
+    sp->seek(sp, size, SEEK_CUR);
+    return size;
+}
+
+static off_t
+emem_seek(krb5_storage *sp, off_t offset, int whence)
+{
+    emem_storage *s = (emem_storage*)sp->data;
+    switch(whence){
+    case SEEK_SET:
+	if(offset > s->size)
+	    offset = s->size;
+	if(offset < 0)
+	    offset = 0;
+	s->ptr = s->base + offset;
+	if(offset > s->len)
+	    s->len = offset;
+	break;
+    case SEEK_CUR:
+	sp->seek(sp,s->ptr - s->base + offset, SEEK_SET);
+	break;
+    case SEEK_END:
+	sp->seek(sp, s->len + offset, SEEK_SET);
+	break;
+    default:
+	errno = EINVAL;
+	return -1;
+    }
+    return s->ptr - s->base;
+}
+
+static void
+emem_free(krb5_storage *sp)
+{
+    free(((emem_storage*)sp->data)->base);
+}
+
+krb5_storage *
+krb5_storage_emem(void)
+{
+    krb5_storage *sp = malloc(sizeof(krb5_storage));
+    emem_storage *s = malloc(sizeof(*s));
+    sp->data = s;
+    sp->flags = 0;
+    s->size = 1024;
+    s->base = malloc(s->size);
+    s->len = 0;
+    s->ptr = s->base;
+    sp->fetch = emem_fetch;
+    sp->store = emem_store;
+    sp->seek = emem_seek;
+    sp->free = emem_free;
+    return sp;
+}
diff --git a/crypto/heimdal/lib/krb5/store_fd.c b/crypto/heimdal/lib/krb5/store_fd.c
new file mode 100644
index 0000000..2c795bd
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/store_fd.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: store_fd.c,v 1.8 2001/01/29 02:32:35 assar Exp $");
+
+typedef struct fd_storage{
+    int fd;
+}fd_storage;
+
+#define FD(S) (((fd_storage*)(S)->data)->fd)
+
+static ssize_t
+fd_fetch(krb5_storage *sp, void *data, size_t size)
+{
+    return net_read(FD(sp), data, size);
+}
+
+static ssize_t
+fd_store(krb5_storage *sp, const void *data, size_t size)
+{
+    return net_write(FD(sp), data, size);
+}
+
+static off_t
+fd_seek(krb5_storage *sp, off_t offset, int whence)
+{
+    return lseek(FD(sp), offset, whence);
+}
+
+krb5_storage *
+krb5_storage_from_fd(int fd)
+{
+    krb5_storage *sp = malloc(sizeof(krb5_storage));
+    sp->data = malloc(sizeof(fd_storage));
+    sp->flags = 0;
+    FD(sp) = fd;
+    sp->fetch = fd_fetch;
+    sp->store = fd_store;
+    sp->seek = fd_seek;
+    sp->free = NULL;
+    return sp;
+}
diff --git a/crypto/heimdal/lib/krb5/store_mem.c b/crypto/heimdal/lib/krb5/store_mem.c
new file mode 100644
index 0000000..e6c277a
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/store_mem.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: store_mem.c,v 1.10 2000/05/19 14:39:02 assar Exp $");
+
+typedef struct mem_storage{
+    unsigned char *base;
+    size_t size;
+    unsigned char *ptr;
+}mem_storage;
+
+static ssize_t
+mem_fetch(krb5_storage *sp, void *data, size_t size)
+{
+    mem_storage *s = (mem_storage*)sp->data;
+    if(size > s->base + s->size - s->ptr)
+	size = s->base + s->size - s->ptr;
+    memmove(data, s->ptr, size);
+    sp->seek(sp, size, SEEK_CUR);
+    return size;
+}
+
+static ssize_t
+mem_store(krb5_storage *sp, const void *data, size_t size)
+{
+    mem_storage *s = (mem_storage*)sp->data;
+    if(size > s->base + s->size - s->ptr)
+	size = s->base + s->size - s->ptr;
+    memmove(s->ptr, data, size);
+    sp->seek(sp, size, SEEK_CUR);
+    return size;
+}
+
+static off_t
+mem_seek(krb5_storage *sp, off_t offset, int whence)
+{
+    mem_storage *s = (mem_storage*)sp->data;
+    switch(whence){
+    case SEEK_SET:
+	if(offset > s->size)
+	    offset = s->size;
+	if(offset < 0)
+	    offset = 0;
+	s->ptr = s->base + offset;
+	break;
+    case SEEK_CUR:
+	return sp->seek(sp, s->ptr - s->base + offset, SEEK_SET);
+    case SEEK_END:
+	return sp->seek(sp, s->size + offset, SEEK_SET);
+    default:
+	errno = EINVAL;
+	return -1;
+    }
+    return s->ptr - s->base;
+}
+
+krb5_storage *
+krb5_storage_from_mem(void *buf, size_t len)
+{
+    krb5_storage *sp = malloc(sizeof(krb5_storage));
+    mem_storage *s;
+    if(sp == NULL)
+	return NULL;
+    s = malloc(sizeof(*s));
+    if(s == NULL) {
+	free(sp);
+	return NULL;
+    }
+    sp->data = s;
+    sp->flags = 0;
+    s->base = buf;
+    s->size = len;
+    s->ptr = buf;
+    sp->fetch = mem_fetch;
+    sp->store = mem_store;
+    sp->seek = mem_seek;
+    sp->free = NULL;
+    return sp;
+}
+
+krb5_storage *
+krb5_storage_from_data(krb5_data *data)
+{
+	return krb5_storage_from_mem(data->data, data->length);
+}
diff --git a/crypto/heimdal/lib/krb5/string-to-key-test.c b/crypto/heimdal/lib/krb5/string-to-key-test.c
new file mode 100644
index 0000000..0ea5cd1
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/string-to-key-test.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: string-to-key-test.c,v 1.7 2001/05/11 16:15:27 joda Exp $");
+
+enum { MAXSIZE = 24 };
+
+static struct testcase {
+    const char *principal_name;
+    const char *password;
+    krb5_enctype enctype;
+    unsigned char res[MAXSIZE];
+} tests[] = {
+    {"@", "", ETYPE_DES_CBC_MD5,
+     {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0xf1}},
+    {"nisse@FOO.SE", "hej", ETYPE_DES_CBC_MD5,
+     {0xfe, 0x67, 0xbf, 0x9e, 0x57, 0x6b, 0xfe, 0x52}},
+    {"assar/liten@FOO.SE", "hemligt", ETYPE_DES_CBC_MD5,
+     {0x5b, 0x9b, 0xcb, 0xf2, 0x97, 0x43, 0xc8, 0x40}},
+    {"@", "", ETYPE_DES3_CBC_SHA1,
+     {0xce, 0xa2, 0x2f, 0x9b, 0x52, 0x2c, 0xb0, 0x15, 0x6e, 0x6b, 0x64,
+      0x73, 0x62, 0x64, 0x73, 0x4f, 0x6e, 0x73, 0xce, 0xa2, 0x2f, 0x9b,
+      0x52, 0x57}},
+    {"nisse@FOO.SE", "hej", ETYPE_DES3_CBC_SHA1,
+     {0x0e, 0xbc, 0x23, 0x9d, 0x68, 0x46, 0xf2, 0xd5, 0x51, 0x98, 0x5b,
+      0x57, 0xc1, 0x57, 0x01, 0x79, 0x04, 0xc4, 0xe9, 0xfe, 0xc1, 0x0e,
+      0x13, 0xd0}},
+    {"assar/liten@FOO.SE", "hemligt", ETYPE_DES3_CBC_SHA1,
+     {0x7f, 0x40, 0x67, 0xb9, 0xbc, 0xc4, 0x40, 0xfb, 0x43, 0x73, 0xd9,
+      0xd3, 0xcd, 0x7c, 0xc7, 0x67, 0xe6, 0x79, 0x94, 0xd0, 0xa8, 0x34,
+      0xdf, 0x62}},
+    {"does/not@MATTER", "foo", ETYPE_ARCFOUR_HMAC_MD5,
+     {0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe,
+      0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc}},
+    {"raeburn@ATHENA.MIT.EDU", "password", ETYPE_DES_CBC_MD5,
+     {0xcb, 0xc2, 0x2f, 0xae, 0x23, 0x52, 0x98, 0xe3}},
+    {"danny@WHITEHOUSE.GOV", "potatoe", ETYPE_DES_CBC_MD5,
+     {0xdf, 0x3d, 0x32, 0xa7, 0x4f, 0xd9, 0x2a, 0x01}},
+    {"buckaroo@EXAMPLE.COM", "penny", ETYPE_DES_CBC_MD5,
+     {0x94, 0x43, 0xa2, 0xe5, 0x32, 0xfd, 0xc4, 0xf1}},
+    {"Juri\xc5\xa1i\xc4\x87@ATHENA.MIT.EDU", "\xc3\x9f", ETYPE_DES_CBC_MD5,
+     {0x62, 0xc8, 0x1a, 0x52, 0x32, 0xb5, 0xe6, 0x9d}},
+    {"AAAAAAAA", "11119999", ETYPE_DES_CBC_MD5,
+     {0x98, 0x40, 0x54, 0xd0, 0xf1, 0xa7, 0x3e, 0x31}},
+    {"FFFFAAAA", "NNNN6666", ETYPE_DES_CBC_MD5,
+     {0xc4, 0xbf, 0x6b, 0x25, 0xad, 0xf7, 0xa4, 0xf8}},
+    {"raeburn@ATHENA.MIT.EDU", "password", ETYPE_DES3_CBC_SHA1,
+     {0x85, 0x0b, 0xb5, 0x13, 0x58, 0x54, 0x8c, 0xd0, 0x5e, 0x86, 0x76, 0x8c, 0x31, 0x3e, 0x3b, 0xfe, 0xf7, 0x51, 0x19, 0x37, 0xdc, 0xf7, 0x2c, 0x3e}},
+    {"danny@WHITEHOUSE.GOV", "potatoe", ETYPE_DES3_CBC_SHA1,
+     {0xdf, 0xcd, 0x23, 0x3d, 0xd0, 0xa4, 0x32, 0x04, 0xea, 0x6d, 0xc4, 0x37, 0xfb, 0x15, 0xe0, 0x61, 0xb0, 0x29, 0x79, 0xc1, 0xf7, 0x4f, 0x37, 0x7a}},
+    {"buckaroo@EXAMPLE.COM", "penny", ETYPE_DES3_CBC_SHA1,
+     {0x6d, 0x2f, 0xcd, 0xf2, 0xd6, 0xfb, 0xbc, 0x3d, 0xdc, 0xad, 0xb5, 0xda, 0x57, 0x10, 0xa2, 0x34, 0x89, 0xb0, 0xd3, 0xb6, 0x9d, 0x5d, 0x9d, 0x4a}},
+    {"Juri\xc5\xa1i\xc4\x87@ATHENA.MIT.EDU", "\xc3\x9f", ETYPE_DES3_CBC_SHA1,
+     {0x16, 0xd5, 0xa4, 0x0e, 0x1c, 0xe3, 0xba, 0xcb, 0x61, 0xb9, 0xdc, 0xe0, 0x04, 0x70, 0x32, 0x4c, 0x83, 0x19, 0x73, 0xa7, 0xb9, 0x52, 0xfe, 0xb0}},
+    {NULL}
+};
+
+int
+main(int argc, char **argv)
+{
+    struct testcase *t;
+    krb5_context context;
+    krb5_error_code ret;
+    int val = 0;
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    /* to enable realm-less principal name above */
+
+    krb5_set_default_realm(context, "");
+
+    for (t = tests; t->principal_name; ++t) {
+	krb5_keyblock key;
+	krb5_principal principal;
+	int i;
+
+	ret = krb5_parse_name (context, t->principal_name, &principal);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_parse_name %s",
+		      t->principal_name);
+	ret = krb5_string_to_key (context, t->enctype, t->password,
+				  principal, &key);
+	if (ret)
+	    krb5_err (context, 1, ret, "krb5_string_to_key");
+	krb5_free_principal (context, principal);
+	if (memcmp (key.keyvalue.data, t->res, key.keyvalue.length) != 0) {
+	    const unsigned char *p = key.keyvalue.data;
+
+	    printf ("string_to_key(%s, %s) failed\n",
+		    t->principal_name, t->password);
+	    printf ("should be: ");
+	    for (i = 0; i < key.keyvalue.length; ++i)
+		printf ("%02x", t->res[i]);
+	    printf ("\nresult was: ");
+	    for (i = 0; i < key.keyvalue.length; ++i)
+		printf ("%02x", p[i]);
+	    printf ("\n");
+	    val = 1;
+	}
+    }
+    return val;
+}
diff --git a/crypto/heimdal/lib/krb5/test_get_addrs.c b/crypto/heimdal/lib/krb5/test_get_addrs.c
new file mode 100644
index 0000000..96a8f89
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/test_get_addrs.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: test_get_addrs.c,v 1.3 2001/01/25 12:45:15 assar Exp $");
+
+/* print all addresses that we find */
+
+static void
+print_addresses (krb5_context context, const krb5_addresses *addrs)
+{
+    int i;
+    char buf[256];
+    size_t len;
+    
+    for (i = 0; i < addrs->len; ++i) {
+	krb5_print_address (&addrs->val[i], buf, sizeof(buf), &len);
+	printf ("%s\n", buf);
+    }
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_addresses addrs;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+
+    ret = krb5_get_all_client_addrs (context, &addrs);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_all_client_addrs");
+    printf ("client addresses\n");
+    print_addresses (context, &addrs);
+    krb5_free_addresses (context, &addrs);
+
+    ret = krb5_get_all_server_addrs (context, &addrs);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+    printf ("server addresses\n");
+    print_addresses (context, &addrs);
+    krb5_free_addresses (context, &addrs);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/ticket.c b/crypto/heimdal/lib/krb5/ticket.c
new file mode 100644
index 0000000..8d2397b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/ticket.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: ticket.c,v 1.5 2001/05/14 06:14:51 assar Exp $");
+
+krb5_error_code
+krb5_free_ticket(krb5_context context,
+		 krb5_ticket *ticket)
+{
+    free_EncTicketPart(&ticket->ticket);
+    krb5_free_principal(context, ticket->client);
+    krb5_free_principal(context, ticket->server);
+    return 0;
+}
+
+krb5_error_code
+krb5_copy_ticket(krb5_context context,
+		 const krb5_ticket *from,
+		 krb5_ticket **to)
+{
+    krb5_error_code ret;
+    krb5_ticket *tmp = malloc(sizeof(*tmp));
+    if(tmp == NULL) {
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    if((ret = copy_EncTicketPart(&from->ticket, &tmp->ticket))){
+	free(tmp);
+	return ret;
+    }
+    ret = krb5_copy_principal(context, from->client, &tmp->client);
+    if(ret){
+	free_EncTicketPart(&tmp->ticket);
+	return ret;
+    }
+    ret = krb5_copy_principal(context, from->server, &(*to)->server);
+    if(ret){
+	krb5_free_principal(context, tmp->client);
+	free_EncTicketPart(&tmp->ticket);
+	return ret;
+    }
+    *to = tmp;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/time.c b/crypto/heimdal/lib/krb5/time.c
new file mode 100644
index 0000000..9346546
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/time.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: time.c,v 1.5 2001/05/02 10:06:11 joda Exp $");
+
+/*
+ * return ``corrected'' time in `timeret'.
+ */
+
+krb5_error_code
+krb5_timeofday (krb5_context context,
+		krb5_timestamp *timeret)
+{
+    *timeret = time(NULL) + context->kdc_sec_offset;
+    return 0;
+}
+
+/*
+ * like gettimeofday but with time correction to the KDC
+ */
+
+krb5_error_code
+krb5_us_timeofday (krb5_context context,
+		   int32_t *sec,
+		   int32_t *usec)
+{
+    struct timeval tv;
+
+    gettimeofday (&tv, NULL);
+
+    *sec  = tv.tv_sec + context->kdc_sec_offset;
+    *usec = tv.tv_usec;		/* XXX */
+    return 0;
+}
+
+krb5_error_code
+krb5_format_time(krb5_context context, time_t t, 
+		 char *s, size_t len, krb5_boolean include_time)
+{
+    struct tm *tm;
+    if(context->log_utc)
+	tm = gmtime (&t);
+    else
+	tm = localtime(&t);
+    strftime(s, len, include_time ? context->time_fmt : context->date_fmt, tm);
+    return 0;
+}
+
+krb5_error_code
+krb5_string_to_deltat(const char *string, krb5_deltat *deltat)
+{
+    if((*deltat = parse_time(string, "s")) == -1)
+	return EINVAL;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/transited.c b/crypto/heimdal/lib/krb5/transited.c
new file mode 100644
index 0000000..dbe6c80
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/transited.c
@@ -0,0 +1,429 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: transited.c,v 1.8 2001/05/14 06:14:52 assar Exp $");
+
+/* this is an attempt at one of the most horrible `compression'
+   schemes that has ever been invented; it's so amazingly brain-dead
+   that words can not describe it, and all this just to save a few
+   silly bytes */
+
+struct tr_realm {
+    char *realm;
+    unsigned leading_space:1;
+    unsigned leading_slash:1;
+    unsigned trailing_dot:1;
+    struct tr_realm *next;
+};
+
+static void
+free_realms(struct tr_realm *r)
+{
+    struct tr_realm *p;
+    while(r){
+	p = r;
+	r = r->next;
+	free(p->realm);
+	free(p);
+    }	
+}
+
+static int
+make_path(krb5_context context, struct tr_realm *r,
+	  const char *from, const char *to)
+{
+    const char *p;
+    struct tr_realm *path = r->next;
+    struct tr_realm *tmp;
+
+    if(strlen(from) < strlen(to)){
+	const char *tmp;
+	tmp = from;
+	from = to;
+	to = tmp;
+    }
+	
+    if(strcmp(from + strlen(from) - strlen(to), to) == 0){
+	p = from;
+	while(1){
+	    p = strchr(p, '.');
+	    if(p == NULL) {
+		krb5_clear_error_string (context);
+		return KRB5KDC_ERR_POLICY;
+	    }
+	    p++;
+	    if(strcmp(p, to) == 0)
+		break;
+	    tmp = calloc(1, sizeof(*tmp));
+	    tmp->next = path;
+	    path = tmp;
+	    path->realm = strdup(p);
+	    if(path->realm == NULL){
+		r->next = path; /* XXX */
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;;
+	    }
+	}
+    }else if(strncmp(from, to, strlen(to)) == 0){
+	p = from + strlen(from);
+	while(1){
+	    while(p >= from && *p != '/') p--;
+	    if(p == from)
+		return KRB5KDC_ERR_POLICY;
+	    if(strncmp(to, from, p - from) == 0)
+		break;
+	    tmp = calloc(1, sizeof(*tmp));
+	    tmp->next = path;
+	    path = tmp;
+	    path->realm = malloc(p - from + 1);
+	    if(path->realm == NULL){
+		r->next = path; /* XXX */
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
+	    memcpy(path->realm, from, p - from);
+	    path->realm[p - from] = '\0';
+	    p--;
+	}
+    } else {
+	krb5_clear_error_string (context);
+	return KRB5KDC_ERR_POLICY;
+    }
+    r->next = path;
+    
+    return 0;
+}
+
+static int
+make_paths(krb5_context context,
+	   struct tr_realm *realms, const char *client_realm, 
+	   const char *server_realm)
+{
+    struct tr_realm *r;
+    int ret;
+    const char *prev_realm = client_realm;
+    const char *next_realm = NULL;
+    for(r = realms; r; r = r->next){
+	/* it *might* be that you can have more than one empty
+	   component in a row, at least that's how I interpret the
+	   "," exception in 1510 */
+	if(r->realm[0] == '\0'){
+	    while(r->next && r->next->realm[0] == '\0')
+		r = r->next;
+	    if(r->next)
+		next_realm = r->next->realm;
+	    else
+		next_realm = server_realm;
+	    ret = make_path(context, r, prev_realm, next_realm);
+	    if(ret){
+		free_realms(realms);
+		return ret;
+	    }
+	}
+	prev_realm = r->realm;
+    }
+    return 0;
+}
+
+static int
+expand_realms(krb5_context context,
+	      struct tr_realm *realms, const char *client_realm)
+{
+    struct tr_realm *r;
+    const char *prev_realm = NULL;
+    for(r = realms; r; r = r->next){
+	if(r->trailing_dot){
+	    char *tmp;
+	    if(prev_realm == NULL)
+		prev_realm = client_realm;
+	    tmp = realloc(r->realm, strlen(r->realm) + strlen(prev_realm) + 1);
+	    if(tmp == NULL){
+		free_realms(realms);
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
+	    r->realm = tmp;
+	    strcat(r->realm, prev_realm);
+	}else if(r->leading_slash && !r->leading_space && prev_realm){
+	    /* yet another exception: if you use x500-names, the
+               leading realm doesn't have to be "quoted" with a space */
+	    char *tmp;
+	    tmp = malloc(strlen(r->realm) + strlen(prev_realm) + 1);
+	    if(tmp == NULL){
+		free_realms(realms);
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
+	    strcpy(tmp, prev_realm);
+	    strcat(tmp, r->realm);
+	    free(r->realm);
+	    r->realm = tmp;
+	}
+	prev_realm = r->realm;
+    }
+    return 0;
+}
+
+static struct tr_realm *
+make_realm(char *realm)
+{
+    struct tr_realm *r;
+    char *p, *q;
+    int quote = 0;
+    r = calloc(1, sizeof(*r));
+    if(r == NULL){
+	free(realm);
+	return NULL;
+    }
+    r->realm = realm;
+    for(p = q = r->realm; *p; p++){
+	if(p == r->realm && *p == ' '){
+	    r->leading_space = 1;
+	    continue;
+	}
+	if(q == r->realm && *p == '/')
+	    r->leading_slash = 1;
+	if(quote){
+	    *q++ = *p;
+	    quote = 0;
+	    continue;
+	}
+	if(*p == '\\'){
+	    quote = 1;
+	    continue;
+	}
+	if(p[0] == '.' && p[1] == '\0')
+	    r->trailing_dot = 1;
+	*q++ = *p;
+    }
+    *q = '\0';
+    return r;
+}
+
+static struct tr_realm*
+append_realm(struct tr_realm *head, struct tr_realm *r)
+{
+    struct tr_realm *p;
+    if(head == NULL){
+	r->next = NULL;
+	return r;
+    }
+    p = head;
+    while(p->next) p = p->next;
+    p->next = r;
+    return head;
+}
+
+static int
+decode_realms(krb5_context context,
+	      const char *tr, int length, struct tr_realm **realms)
+{
+    struct tr_realm *r = NULL;
+
+    char *tmp;
+    int quote = 0;
+    const char *start = tr;
+    int i;
+
+    for(i = 0; i < length; i++){
+	if(quote){
+	    quote = 0;
+	    continue;
+	}
+	if(tr[i] == '\\'){
+	    quote = 1;
+	    continue;
+	}
+	if(tr[i] == ','){
+	    tmp = malloc(tr + i - start + 1);
+	    memcpy(tmp, start, tr + i - start);
+	    tmp[tr + i - start] = '\0';
+	    r = make_realm(tmp);
+	    if(r == NULL){
+		free_realms(*realms);
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
+	    *realms = append_realm(*realms, r);
+	    start = tr + i + 1;
+	}
+    }
+    tmp = malloc(tr + i - start + 1);
+    memcpy(tmp, start, tr + i - start);
+    tmp[tr + i - start] = '\0';
+    r = make_realm(tmp);
+    if(r == NULL){
+	free_realms(*realms);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    *realms = append_realm(*realms, r);
+    
+    return 0;
+}
+
+
+krb5_error_code
+krb5_domain_x500_decode(krb5_context context,
+			krb5_data tr, char ***realms, int *num_realms, 
+			const char *client_realm, const char *server_realm)
+{
+    struct tr_realm *r = NULL;
+    struct tr_realm *p, **q;
+    int ret;
+    
+    /* split string in components */
+    ret = decode_realms(context, tr.data, tr.length, &r);
+    if(ret)
+	return ret;
+    
+    /* apply prefix rule */
+    ret = expand_realms(context, r, client_realm);
+    if(ret)
+	return ret;
+    
+    ret = make_paths(context, r, client_realm, server_realm);
+    if(ret)
+	return ret;
+    
+    /* remove empty components */
+    q = &r;
+    for(p = r; p; ){
+	if(p->realm[0] == '\0'){
+	    free(p->realm);
+	    *q = p->next;
+	    free(p);
+	    p = *q;
+	}else{
+	    q = &p->next;
+	    p = p->next;
+	}
+    }
+    {
+	char **R;
+	*realms = NULL;
+	*num_realms = 0;
+	while(r){
+	    R = realloc(*realms, (*num_realms + 1) * sizeof(**realms));
+	    if(R == NULL) {
+		free(*realms);
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
+	    R[*num_realms] = r->realm;
+	    (*num_realms)++;
+	    *realms = R;
+	    p = r->next;
+	    free(r);
+	    r = p;
+	}
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding)
+{
+    char *s = NULL;
+    int len = 0;
+    int i;
+    for(i = 0; i < num_realms; i++){
+	len += strlen(realms[i]);
+	if(realms[i][0] == '/')
+	    len++;
+    }
+    len += num_realms - 1;
+    s = malloc(len + 1);
+    *s = '\0';
+    for(i = 0; i < num_realms; i++){
+	if(i && i < num_realms - 1)
+	    strcat(s, ",");
+	if(realms[i][0] == '/')
+	    strcat(s, " ");
+	strcat(s, realms[i]);
+    }
+    encoding->data = s;
+    encoding->length = strlen(s);
+    return 0;
+}
+
+krb5_error_code
+krb5_check_transited_realms(krb5_context context,
+			    const char *const *realms, 
+			    int num_realms, 
+			    int *bad_realm)
+{
+    int i;
+    int ret = 0;
+    char **bad_realms = krb5_config_get_strings(context, NULL, 
+						"libdefaults", 
+						"transited_realms_reject", 
+						NULL);
+    if(bad_realms == NULL)
+	return 0;
+
+    for(i = 0; i < num_realms; i++) {
+	char **p;
+	for(p = bad_realms; *p; p++)
+	    if(strcmp(*p, realms[i]) == 0) {
+		krb5_set_error_string (context, "no transit through realm %s",
+				       *p);
+		ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+		if(bad_realm)
+		    *bad_realm = i;
+		break;
+	    }
+    }
+    krb5_config_free_strings(bad_realms);
+    return ret;
+}
+
+#if 0
+int
+main(int argc, char **argv)
+{
+    krb5_data x;
+    char **r;
+    int num, i;
+    x.data = argv[1];
+    x.length = strlen(x.data);
+    if(domain_expand(x, &r, &num, argv[2], argv[3]))
+	exit(1);
+    for(i = 0; i < num; i++)
+	printf("%s\n", r[i]);
+    return 0;
+}
+#endif
+
diff --git a/crypto/heimdal/lib/krb5/verify_init.c b/crypto/heimdal/lib/krb5/verify_init.c
new file mode 100644
index 0000000..7e4618e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/verify_init.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: verify_init.c,v 1.14 2001/05/14 06:14:52 assar Exp $");
+
+void
+krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options)
+{
+    memset (options, 0, sizeof(*options));
+}
+
+void
+krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options,
+					     int ap_req_nofail)
+{
+    options->flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+    options->ap_req_nofail = ap_req_nofail;
+}
+
+/*
+ *
+ */
+
+static krb5_boolean
+fail_verify_is_ok (krb5_context context,
+		   krb5_verify_init_creds_opt *options)
+{
+    if ((options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL
+	&& options->ap_req_nofail == 1)
+	|| krb5_config_get_bool (context,
+				 NULL,
+				 "libdefaults",
+				 "verify_ap_req_nofail",
+				 NULL))
+	return FALSE;
+    else
+	return TRUE;
+}
+
+krb5_error_code
+krb5_verify_init_creds(krb5_context context,
+		       krb5_creds *creds,
+		       krb5_principal ap_req_server,
+		       krb5_keytab ap_req_keytab,
+		       krb5_ccache *ccache,
+		       krb5_verify_init_creds_opt *options)
+{
+    krb5_error_code ret;
+    krb5_data req;
+    krb5_ccache local_ccache = NULL;
+    krb5_keytab_entry entry;
+    krb5_creds *new_creds = NULL;
+    krb5_auth_context auth_context = NULL;
+    krb5_principal server = NULL;
+    krb5_keytab keytab = NULL;
+
+    krb5_data_zero (&req);
+    memset (&entry, 0, sizeof(entry));
+
+    if (ap_req_server == NULL) {
+	char local_hostname[MAXHOSTNAMELEN];
+
+	if (gethostname (local_hostname, sizeof(local_hostname)) < 0) {
+	    ret = errno;
+	    krb5_set_error_string (context, "getsockname: %s",
+				   strerror(ret));
+	    return ret;
+	}
+
+	ret = krb5_sname_to_principal (context,
+				       local_hostname,
+				       "host",
+				       KRB5_NT_SRV_HST,
+				       &server);
+	if (ret)
+	    goto cleanup;
+    } else
+	server = ap_req_server;
+
+    if (ap_req_keytab == NULL) {
+	ret = krb5_kt_default (context, &keytab);
+	if (ret)
+	    goto cleanup;
+    } else
+	keytab = ap_req_keytab;
+
+    if (ccache && *ccache)
+	local_ccache = *ccache;
+    else {
+	ret = krb5_cc_gen_new (context, &krb5_mcc_ops, &local_ccache);
+	if (ret)
+	    goto cleanup;
+	ret = krb5_cc_initialize (context,
+				  local_ccache,
+				  creds->client);
+	if (ret)
+	    goto cleanup;
+	ret = krb5_cc_store_cred (context,
+				  local_ccache,
+				  creds);
+	if (ret)
+	    goto cleanup;
+    }
+
+    if (!krb5_principal_compare (context, server, creds->server)) {
+	krb5_creds match_cred;
+
+	memset (&match_cred, 0, sizeof(match_cred));
+
+	match_cred.client = creds->client;
+	match_cred.server = server;
+
+	ret = krb5_get_credentials (context,
+				    0,
+				    local_ccache,
+				    &match_cred,
+				    &new_creds);
+	if (ret) {
+	    if (fail_verify_is_ok (context, options))
+		ret = 0;
+	    goto cleanup;
+	}
+	creds = new_creds;
+    }
+
+    ret = krb5_mk_req_extended (context,
+				&auth_context,
+				0,
+				NULL,
+				creds,
+				&req);
+    
+    krb5_auth_con_free (context, auth_context);
+    auth_context = NULL;
+
+    if (ret)
+	goto cleanup;
+
+    ret = krb5_rd_req (context,
+		       &auth_context,
+		       &req,
+		       server,
+		       keytab,
+		       0,
+		       NULL);
+
+    if (ret == KRB5_KT_NOTFOUND && fail_verify_is_ok (context, options))
+	ret = 0;
+cleanup:
+    if (auth_context)
+	krb5_auth_con_free (context, auth_context);
+    krb5_data_free (&req);
+    krb5_kt_free_entry (context, &entry);
+    if (new_creds != NULL)
+	krb5_free_creds (context, new_creds);
+    if (ap_req_server == NULL && server)
+	krb5_free_principal (context, server);
+    if (ap_req_keytab == NULL && keytab)
+	krb5_kt_close (context, keytab);
+    if (local_ccache != NULL
+	&&
+	(ccache == NULL
+	 || (ret != 0 && *ccache == NULL)))
+	krb5_cc_destroy (context, local_ccache);
+
+    if (ret == 0 && ccache != NULL && *ccache == NULL)
+	*ccache = local_ccache;
+
+    return ret;
+}
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.8 b/crypto/heimdal/lib/krb5/verify_krb5_conf.8
new file mode 100644
index 0000000..5aba5d8
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.8
@@ -0,0 +1,32 @@
+.\" $Id: verify_krb5_conf.8,v 1.3 2001/05/02 08:59:23 assar Exp $
+.\"
+.Dd March  4, 2000
+.Dt VERIFY_KRB5_CONF 8
+.Os HEIMDAL
+.Sh NAME
+.Nm verify_krb5_conf
+.Nd does a crude test that
+.Pa krb5.conf
+does not contain any obvious syntax error
+.Sh SYNOPSIS
+.Nm
+.Ar [config-file]
+.Sh DESCRIPTION
+.Nm
+reads the configuration file
+.Pa krb5.conf ,
+or the file given on the command line,
+and parses it, thereby verifying that the syntax is not correctly wrong.
+Since that file is read by almost all Kerberos programs but most of
+them have no way of notifying the user that it could not be parsed,
+this program is useful.
+.Sh ENVIRONMENT
+.Ev KRB5_CONFIG
+points to the configuration file to read.
+.Sh FILES
+.Xr krb5.conf 5
+.Sh SEE ALSO
+.Xr krb5.conf 5
+.Sh BUGS
+It should know about what variables are actually used and warn about
+unknown ones.
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.c b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
new file mode 100644
index 0000000..e480324
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <getarg.h>
+RCSID("$Id: verify_krb5_conf.c,v 1.5 2001/05/14 06:14:52 assar Exp $");
+
+/* verify krb5.conf */
+
+static int version_flag = 0;
+static int help_flag	= 0;
+
+static struct getargs args[] = {
+    {"version",	0,	arg_flag,	&version_flag,
+     "print version", NULL },
+    {"help",	0,	arg_flag,	&help_flag,
+     NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args)/sizeof(*args),
+		    NULL,
+		    "[config-file]");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb5_context context;
+    const char *config_file = NULL;
+    krb5_error_code ret;
+    krb5_config_section *tmp_cf;
+    int optind = 0;
+
+    setprogname (argv[0]);
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	errx (1, "krb5_init_context failed");
+
+    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+	usage(1);
+    
+    if (help_flag)
+	usage (0);
+
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc == 0) {
+	config_file = getenv("KRB5_CONFIG");
+	if (config_file == NULL)
+	    config_file = krb5_config_file;
+    } else if (argc == 1) {
+	config_file = argv[0];
+    } else {
+	usage (1);
+    }
+    
+    ret = krb5_config_parse_file (context, config_file, &tmp_cf);
+    if (ret == 0)
+	return 0;
+    krb5_warn (context, ret, "krb5_config_parse_file");
+    return 1;
+}
diff --git a/crypto/heimdal/lib/krb5/verify_user.c b/crypto/heimdal/lib/krb5/verify_user.c
new file mode 100644
index 0000000..25cd77b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/verify_user.c
@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: verify_user.c,v 1.14 2001/05/14 09:06:53 joda Exp $");
+
+static krb5_error_code
+verify_common (krb5_context context,
+	       krb5_principal principal,
+	       krb5_ccache ccache,
+	       krb5_keytab keytab,
+	       krb5_boolean secure,
+	       const char *service,
+	       krb5_creds cred)
+{
+    krb5_error_code ret;
+    krb5_principal server;
+    krb5_verify_init_creds_opt vopt;
+    krb5_ccache id;
+
+    ret = krb5_sname_to_principal (context, NULL, service, KRB5_NT_SRV_HST,
+				   &server);
+    if(ret)
+	return ret;
+
+    krb5_verify_init_creds_opt_init(&vopt);
+    krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure);
+
+    ret = krb5_verify_init_creds(context,
+				 &cred,
+				 server,
+				 keytab,
+				 NULL,
+				 &vopt);
+    krb5_free_principal(context, server);
+    if(ret)
+	return ret;
+    if(ccache == NULL)
+	ret = krb5_cc_default (context, &id);
+    else
+	id = ccache;
+    if(ret == 0){
+	ret = krb5_cc_initialize(context, id, principal);
+	if(ret == 0){
+	    ret = krb5_cc_store_cred(context, id, &cred);
+	}
+	if(ccache == NULL)
+	    krb5_cc_close(context, id);
+    }
+    krb5_free_creds_contents(context, &cred);
+    return ret;
+}
+
+/*
+ * Verify user `principal' with `password'.
+ *
+ * If `secure', also verify against local service key for `service'.
+ *
+ * As a side effect, fresh tickets are obtained and stored in `ccache'.
+ */
+
+void
+krb5_verify_opt_init(krb5_verify_opt *opt)
+{
+    memset(opt, 0, sizeof(*opt));
+    opt->secure = TRUE;
+    opt->service = "host";
+}
+
+void
+krb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache)
+{
+    opt->ccache = ccache;
+}
+
+void
+krb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab)
+{
+    opt->keytab = keytab;
+}
+
+void
+krb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure)
+{
+    opt->secure = secure;
+}
+
+void
+krb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service)
+{
+    opt->service = service;
+}
+
+void
+krb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags)
+{
+    opt->flags |= flags;
+}
+
+static krb5_error_code
+verify_user_opt_int(krb5_context context,
+		    krb5_principal principal,
+		    const char *password,
+		    krb5_verify_opt *vopt)
+
+{
+    krb5_error_code ret;
+    krb5_get_init_creds_opt opt;
+    krb5_creds cred;
+
+    krb5_get_init_creds_opt_init (&opt);
+    krb5_get_init_creds_opt_set_default_flags(context, NULL, 
+					      *krb5_princ_realm(context, principal), 
+					      &opt);
+    ret = krb5_get_init_creds_password (context,
+					&cred,
+					principal,
+					(char*)password,
+					krb5_prompter_posix,
+					NULL,
+					0,
+					NULL,
+					&opt);
+    if(ret)
+	return ret;
+#define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D))
+    return verify_common (context, principal, OPT(ccache, NULL), 
+			  OPT(keytab, NULL), vopt ? vopt->secure : TRUE, 
+			  OPT(service, "host"), cred);
+#undef OPT
+}
+
+krb5_error_code
+krb5_verify_user_opt(krb5_context context,
+		     krb5_principal principal,
+		     const char *password,
+		     krb5_verify_opt *opt)
+{
+    krb5_error_code ret;
+
+    if(opt && (opt->flags & KRB5_VERIFY_LREALMS)) {
+	krb5_realm *realms, *r;
+	ret = krb5_get_default_realms (context, &realms);
+	if (ret)
+	    return ret;
+	ret = KRB5_CONFIG_NODEFREALM;
+	
+	for (r = realms; *r != NULL && ret != 0; ++r) {
+	    char *tmp = strdup (*r);
+	    
+	    if (tmp == NULL) {
+		krb5_free_host_realm (context, realms);
+		krb5_set_error_string (context, "malloc: out of memory");
+		return ENOMEM;
+	    }
+	    free (*krb5_princ_realm (context, principal));
+	    krb5_princ_set_realm (context, principal, &tmp);
+	    
+	    ret = verify_user_opt_int(context, principal, password, opt);
+	}
+	krb5_free_host_realm (context, realms);
+	if(ret)
+	    return ret;
+    } else
+	ret = verify_user_opt_int(context, principal, password, opt);
+    return ret;
+}
+
+/* compat function that calls above */
+
+krb5_error_code
+krb5_verify_user(krb5_context context, 
+		 krb5_principal principal,
+		 krb5_ccache ccache,
+		 const char *password,
+		 krb5_boolean secure,
+		 const char *service)
+{
+    krb5_verify_opt opt;
+    
+    krb5_verify_opt_init(&opt);
+    
+    krb5_verify_opt_set_ccache(&opt, ccache);
+    krb5_verify_opt_set_secure(&opt, secure);
+    krb5_verify_opt_set_service(&opt, service);
+    
+    return krb5_verify_user_opt(context, principal, password, &opt);
+}
+
+/*
+ * A variant of `krb5_verify_user'.  The realm of `principal' is
+ * ignored and all the local realms are tried.
+ */
+
+krb5_error_code
+krb5_verify_user_lrealm(krb5_context context, 
+			krb5_principal principal,
+			krb5_ccache ccache,
+			const char *password,
+			krb5_boolean secure,
+			const char *service)
+{
+    krb5_verify_opt opt;
+    
+    krb5_verify_opt_init(&opt);
+    
+    krb5_verify_opt_set_ccache(&opt, ccache);
+    krb5_verify_opt_set_secure(&opt, secure);
+    krb5_verify_opt_set_service(&opt, service);
+    krb5_verify_opt_set_flags(&opt, KRB5_VERIFY_LREALMS);
+    
+    return krb5_verify_user_opt(context, principal, password, &opt);
+}
diff --git a/crypto/heimdal/lib/krb5/version.c b/crypto/heimdal/lib/krb5/version.c
new file mode 100644
index 0000000..5f0fd66
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/version.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: version.c,v 1.3 1999/12/02 17:05:13 joda Exp $");
+
+/* this is just to get a version stamp in the library file */
+
+#define heimdal_version __heimdal_version
+#define heimdal_long_version __heimdal_long_version
+#include "version.h"
+
diff --git a/crypto/heimdal/lib/krb5/warn.c b/crypto/heimdal/lib/krb5/warn.c
new file mode 100644
index 0000000..ec009b2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/warn.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+#include <err.h>
+
+RCSID("$Id: warn.c,v 1.13 2001/05/07 21:04:34 assar Exp $");
+
+static krb5_error_code _warnerr(krb5_context context, int do_errtext, 
+	 krb5_error_code code, int level, const char *fmt, va_list ap)
+	__attribute__((__format__(__printf__, 5, 0)));
+	
+static krb5_error_code
+_warnerr(krb5_context context, int do_errtext, 
+	 krb5_error_code code, int level, const char *fmt, va_list ap)
+{
+    char xfmt[7] = "";
+    const char *args[2], **arg;
+    char *msg = NULL;
+    char *err_str = NULL;
+    
+    args[0] = args[1] = NULL;
+    arg = args;
+    if(fmt){
+	strcat(xfmt, "%s");
+	if(do_errtext)
+	    strcat(xfmt, ": ");
+	vasprintf(&msg, fmt, ap);
+	if(msg == NULL)
+	    return ENOMEM;
+	*arg++ = msg;
+    }
+    if(context && do_errtext){
+	const char *err_msg;
+
+	strcat(xfmt, "%s");
+
+	err_str = krb5_get_error_string(context);
+	if (err_str != NULL) {
+	    *arg++ = err_str;
+	} else {
+	    err_msg = krb5_get_err_text(context, code);
+	    if (err_msg)
+		*arg++ = err_msg;
+	    else
+		*arg++ = "<unknown error>";
+	}
+    }
+	
+    if(context && context->warn_dest)
+	krb5_log(context, context->warn_dest, level, xfmt, args[0], args[1]);
+    else
+	warnx(xfmt, args[0], args[1]);
+    free(msg);
+    free(err_str);
+    return 0;
+}
+
+#define FUNC(ETEXT, CODE, LEVEL)					\
+    krb5_error_code ret;						\
+    va_list ap;								\
+    va_start(ap, fmt);							\
+    ret = _warnerr(context, ETEXT, CODE, LEVEL, fmt, ap); 		\
+    va_end(ap);
+
+#undef __attribute__
+#define __attribute__(X)
+
+krb5_error_code
+krb5_vwarn(krb5_context context, krb5_error_code code, 
+	   const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 3, 0)))
+{
+    return _warnerr(context, 1, code, 1, fmt, ap);
+}
+
+
+krb5_error_code
+krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...)
+     __attribute__ ((format (printf, 3, 4)))
+{
+    FUNC(1, code, 1);
+    return ret;
+}
+
+krb5_error_code
+krb5_vwarnx(krb5_context context, const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 2, 0)))
+{
+    return _warnerr(context, 0, 0, 1, fmt, ap);
+}
+
+krb5_error_code
+krb5_warnx(krb5_context context, const char *fmt, ...)
+     __attribute__ ((format (printf, 2, 3)))
+{
+    FUNC(0, 0, 1);
+    return ret;
+}
+
+krb5_error_code
+krb5_verr(krb5_context context, int eval, krb5_error_code code, 
+	  const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 4, 0)))
+{
+    _warnerr(context, 1, code, 0, fmt, ap);
+    exit(eval);
+}
+
+
+krb5_error_code
+krb5_err(krb5_context context, int eval, krb5_error_code code, 
+	 const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 4, 5)))
+{
+    FUNC(1, code, 0);
+    exit(eval);
+}
+
+krb5_error_code
+krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 3, 0)))
+{
+    _warnerr(context, 0, 0, 0, fmt, ap);
+    exit(eval);
+}
+
+krb5_error_code
+krb5_errx(krb5_context context, int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 3, 4)))
+{
+    FUNC(0, 0, 0);
+    exit(eval);
+}
+
+krb5_error_code
+krb5_vabort(krb5_context context, krb5_error_code code, 
+	    const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 3, 0)))
+{
+    _warnerr(context, 1, code, 0, fmt, ap);
+    abort();
+}
+
+
+krb5_error_code
+krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 3, 4)))
+{
+    FUNC(1, code, 0);
+    abort();
+}
+
+krb5_error_code
+krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)))
+{
+    _warnerr(context, 0, 0, 0, fmt, ap);
+    abort();
+}
+
+krb5_error_code
+krb5_abortx(krb5_context context, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)))
+{
+    FUNC(0, 0, 0);
+    abort();
+}
+
+krb5_error_code
+krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac)
+{
+    context->warn_dest = fac;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/krb5/write_message.c b/crypto/heimdal/lib/krb5/write_message.c
new file mode 100644
index 0000000..16a40f0
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/write_message.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: write_message.c,v 1.7 2001/05/14 06:14:52 assar Exp $");
+
+krb5_error_code
+krb5_write_message (krb5_context context,
+		    krb5_pointer p_fd,
+		    krb5_data *data)
+{
+    u_int32_t len;
+    u_int8_t buf[4];
+    int ret;
+
+    len = data->length;
+    _krb5_put_int(buf, len, 4);
+    if (krb5_net_write (context, p_fd, buf, 4) != 4
+	|| krb5_net_write (context, p_fd, data->data, len) != len) {
+	ret = errno;
+	krb5_set_error_string (context, "write: %s", strerror(ret));
+	return ret;
+    }
+    return 0;
+}
+
+krb5_error_code
+krb5_write_priv_message(krb5_context context,
+			krb5_auth_context ac,
+			krb5_pointer p_fd,
+			krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_data packet;
+
+    ret = krb5_mk_priv (context, ac, data, &packet, NULL);
+    if(ret)
+	return ret;
+    ret = krb5_write_message(context, p_fd, &packet);
+    krb5_data_free(&packet);
+    return ret;
+}
+
+krb5_error_code
+krb5_write_safe_message(krb5_context context,
+			krb5_auth_context ac,
+			krb5_boolean priv,
+			krb5_pointer p_fd,
+			krb5_data *data)
+{
+    krb5_error_code ret;
+    krb5_data packet;
+    ret = krb5_mk_safe (context, ac, data, &packet, NULL);
+    if(ret)
+	return ret;
+    ret = krb5_write_message(context, p_fd, &packet);
+    krb5_data_free(&packet);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/otp/ChangeLog b/crypto/heimdal/lib/otp/ChangeLog
new file mode 100644
index 0000000..064d9b9
--- /dev/null
+++ b/crypto/heimdal/lib/otp/ChangeLog
@@ -0,0 +1,71 @@
+2001-01-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libotp_la_LDFLAGS): bump version to 1:2:1
+
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* otp_md.c: update to new md4/md5/sha API
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (INCLUDES): add krb4 includes here, which are
+	somewhat bogusly used when linking against libdes supplied by krb4
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump version to 1:1:1
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	*  const-ify
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: update version to 1:0:1
+
+2000-01-26  Assar Westerlund  <assar@sics.se>
+
+	* otp_md.c: update to pseudo-standard APIs for md4,md5,sha.
+	* otp_md.c: start using the pseudo-standard APIs for the hash
+	functions
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 0:1:0
+
+Fri Mar 19 14:52:48 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add version-info
+
+Thu Mar 18 11:24:19 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Sat Mar 13 22:27:10 1999  Assar Westerlund  <assar@sics.se>
+
+	* otp_parse.c: unsigned-ify
+
+Sun Nov 22 10:44:16 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Mon May 25 05:27:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+Sat May 23 20:54:28 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: link with DBLIB
+
+Sun Apr 19 09:59:46 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sat Feb  7 07:27:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* otp_db.c (otp_put): make sure we don't overrun `buf'
+
+Sun Nov  9 07:14:59 1997  Assar Westerlund  <assar@sics.se>
+
+	* otp_locl.h: use xdbm.h
+
diff --git a/crypto/heimdal/lib/otp/Makefile.am b/crypto/heimdal/lib/otp/Makefile.am
new file mode 100644
index 0000000..b2bbed4
--- /dev/null
+++ b/crypto/heimdal/lib/otp/Makefile.am
@@ -0,0 +1,29 @@
+# $Id: Makefile.am,v 1.16 2001/01/30 01:54:48 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+noinst_PROGRAMS = otptest
+
+otptest_LDADD = libotp.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
+
+include_HEADERS = otp.h
+
+lib_LTLIBRARIES = libotp.la
+libotp_la_LDFLAGS = -version-info 1:2:1
+
+libotp_la_SOURCES = \
+	otp.c \
+	otp_challenge.c \
+	otp_db.c \
+	otp_md.c \
+	otp_parse.c \
+	otp_print.c \
+	otp_verify.c \
+	otp_locl.h \
+	otp_md.h \
+	roken_rename.h
diff --git a/crypto/heimdal/lib/otp/Makefile.in b/crypto/heimdal/lib/otp/Makefile.in
new file mode 100644
index 0000000..221fbd2
--- /dev/null
+++ b/crypto/heimdal/lib/otp/Makefile.in
@@ -0,0 +1,627 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.16 2001/01/30 01:54:48 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_PROGRAMS = otptest
+
+otptest_LDADD = libotp.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
+
+
+include_HEADERS = otp.h
+
+lib_LTLIBRARIES = libotp.la
+libotp_la_LDFLAGS = -version-info 1:2:1
+
+libotp_la_SOURCES = \
+	otp.c \
+	otp_challenge.c \
+	otp_db.c \
+	otp_md.c \
+	otp_parse.c \
+	otp_print.c \
+	otp_verify.c \
+	otp_locl.h \
+	otp_md.h \
+	roken_rename.h
+
+subdir = lib/otp
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libotp_la_LIBADD = 
+am_libotp_la_OBJECTS =  otp.lo otp_challenge.lo otp_db.lo otp_md.lo \
+otp_parse.lo otp_print.lo otp_verify.lo
+libotp_la_OBJECTS =  $(am_libotp_la_OBJECTS)
+noinst_PROGRAMS =  otptest$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+otptest_SOURCES = otptest.c
+otptest_OBJECTS =  otptest.$(OBJEXT)
+otptest_DEPENDENCIES =  libotp.la
+otptest_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libotp_la_SOURCES) otptest.c
+HEADERS =  $(include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libotp_la_SOURCES) otptest.c
+OBJECTS = $(am_libotp_la_OBJECTS) otptest.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/otp/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libotp.la: $(libotp_la_OBJECTS) $(libotp_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libotp_la_LDFLAGS) $(libotp_la_OBJECTS) $(libotp_la_LIBADD) $(LIBS)
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+otptest$(EXEEXT): $(otptest_OBJECTS) $(otptest_DEPENDENCIES)
+	@rm -f otptest$(EXEEXT)
+	$(LINK) $(otptest_LDFLAGS) $(otptest_OBJECTS) $(otptest_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libLTLIBRARIES
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-noinstPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-noinstPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-noinstPROGRAMS \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
+install-includeHEADERS tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/otp/otp.c b/crypto/heimdal/lib/otp/otp.c
new file mode 100644
index 0000000..746f3cb
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otp.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+RCSID("$Id: otp.c,v 1.8 2000/07/12 00:26:43 assar Exp $");
+#endif
+
+#include "otp_locl.h"
+#include "otp_md.h"
+
+static OtpAlgorithm algorithms[] = {
+  {OTP_ALG_MD4, "md4", 16, otp_md4_hash, otp_md4_init, otp_md4_next},
+  {OTP_ALG_MD5, "md5", 16, otp_md5_hash, otp_md5_init, otp_md5_next},
+  {OTP_ALG_SHA, "sha", 20, otp_sha_hash, otp_sha_init, otp_sha_next}
+};
+
+OtpAlgorithm *
+otp_find_alg (char *name)
+{
+  int i;
+
+  for (i = 0; i < sizeof(algorithms)/sizeof(*algorithms); ++i)
+    if (strcmp (name, algorithms[i].name) == 0)
+      return &algorithms[i];
+  return NULL;
+}
+
+char *
+otp_error (OtpContext *o)
+{
+  return o->err;
+}
diff --git a/crypto/heimdal/lib/otp/otp.h b/crypto/heimdal/lib/otp/otp.h
new file mode 100644
index 0000000..e813458
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otp.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: otp.h,v 1.19 2000/07/12 00:26:43 assar Exp $ */
+
+#ifndef _OTP_H
+#define _OTP_H
+
+#include <stdlib.h>
+#include <time.h>
+
+enum {OTPKEYSIZE = 8};
+
+typedef unsigned char OtpKey[OTPKEYSIZE];
+
+#define OTP_MIN_PASSPHRASE 10
+#define OTP_MAX_PASSPHRASE 63
+
+#define OTP_USER_TIMEOUT   120
+#define OTP_DB_TIMEOUT      60
+
+#define OTP_HEXPREFIX "hex:"
+#define OTP_WORDPREFIX "word:"
+
+typedef enum { OTP_ALG_MD4, OTP_ALG_MD5, OTP_ALG_SHA } OtpAlgID;
+
+#define OTP_ALG_DEFAULT "md5"
+
+typedef struct {
+  OtpAlgID id;
+  char *name;
+  int hashsize;
+  int (*hash)(const char *s, size_t len, unsigned char *res);
+  int (*init)(OtpKey key, const char *pwd, const char *seed);
+  int (*next)(OtpKey key);
+} OtpAlgorithm;
+
+typedef struct {
+  char *user;
+  OtpAlgorithm *alg;
+  unsigned n;
+  char seed[17];
+  OtpKey key;
+  int challengep;
+  time_t lock_time;
+  char *err;
+} OtpContext;
+
+OtpAlgorithm *otp_find_alg (char *name);
+void otp_print_stddict (OtpKey key, char *str, size_t sz);
+void otp_print_hex (OtpKey key, char *str, size_t sz);
+void otp_print_stddict_extended (OtpKey key, char *str, size_t sz);
+void otp_print_hex_extended (OtpKey key, char *str, size_t sz);
+unsigned otp_checksum (OtpKey key);
+int otp_parse_hex (OtpKey key, const char *);
+int otp_parse_stddict (OtpKey key, const char *);
+int otp_parse_altdict (OtpKey key, const char *, OtpAlgorithm *);
+int otp_parse (OtpKey key, const char *, OtpAlgorithm *);
+int otp_challenge (OtpContext *ctx, char *user, char *str, size_t len);
+int otp_verify_user (OtpContext *ctx, const char *passwd);
+int otp_verify_user_1 (OtpContext *ctx, const char *passwd);
+char *otp_error (OtpContext *ctx);
+
+void *otp_db_open (void);
+void otp_db_close (void *);
+int otp_put (void *, OtpContext *ctx);
+int otp_get (void *, OtpContext *ctx);
+int otp_simple_get (void *, OtpContext *ctx);
+int otp_delete (void *, OtpContext *ctx);
+
+#endif /* _OTP_H */
diff --git a/crypto/heimdal/lib/otp/otp_challenge.c b/crypto/heimdal/lib/otp/otp_challenge.c
new file mode 100644
index 0000000..3507c4f
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otp_challenge.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+RCSID("$Id: otp_challenge.c,v 1.10 1999/12/02 16:58:44 joda Exp $");
+#endif
+
+#include "otp_locl.h"
+
+int
+otp_challenge (OtpContext *ctx, char *user, char *str, size_t len)
+{
+  void *dbm;
+  int ret;
+
+  ctx->challengep = 0;
+  ctx->err = NULL;
+  ctx->user = malloc(strlen(user) + 1);
+  if (ctx->user == NULL) {
+    ctx->err = "Out of memory";
+    return -1;
+  }
+  strcpy(ctx->user, user);
+  dbm = otp_db_open ();
+  if (dbm == NULL) {
+    ctx->err = "Cannot open database";
+    return -1;
+  }
+  ret = otp_get (dbm, ctx);
+  otp_db_close (dbm);
+  if (ret)
+    return ret;
+  snprintf (str, len,
+	    "[ otp-%s %u %s ]",
+	    ctx->alg->name, ctx->n-1, ctx->seed);
+  ctx->challengep = 1;
+  return 0;
+}
diff --git a/crypto/heimdal/lib/otp/otp_db.c b/crypto/heimdal/lib/otp/otp_db.c
new file mode 100644
index 0000000..3cc5d849
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otp_db.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+RCSID("$Id: otp_db.c,v 1.17 1999/12/02 16:58:44 joda Exp $");
+#endif
+
+#include "otp_locl.h"
+
+#define RETRIES 5
+
+void *
+otp_db_open (void)
+{
+  int lock;
+  int i;
+  void *ret;
+
+  for(i = 0; i < RETRIES; ++i) {
+    struct stat statbuf;
+
+    lock = open (OTP_DB_LOCK, O_WRONLY | O_CREAT | O_EXCL, 0666);
+    if (lock >= 0) {
+      close(lock);
+      break;
+    }
+    if (stat (OTP_DB_LOCK, &statbuf) == 0) {
+      if (time(NULL) - statbuf.st_mtime > OTP_DB_TIMEOUT)
+	unlink (OTP_DB_LOCK);
+      else
+	sleep (1);
+    }
+  }
+  if (i == RETRIES)
+    return NULL;
+  ret = dbm_open (OTP_DB, O_RDWR | O_CREAT, 0600);
+  if (ret == NULL)
+    unlink (OTP_DB_LOCK);
+  return ret;
+}
+
+void
+otp_db_close (void *dbm)
+{
+  dbm_close ((DBM *)dbm);
+  unlink (OTP_DB_LOCK);
+}
+
+/*
+ * Remove this entry from the database.
+ * return 0 if ok.
+ */
+
+int 
+otp_delete (void *v, OtpContext *ctx)
+{
+  DBM *dbm = (DBM *)v;
+  datum key;
+
+  key.dsize = strlen(ctx->user);
+  key.dptr  = ctx->user;
+ 
+  return dbm_delete(dbm, key);
+}
+
+/*
+ * Read this entry from the database and lock it if lockp.
+ */
+
+static int
+otp_get_internal (void *v, OtpContext *ctx, int lockp)
+{
+  DBM *dbm = (DBM *)v;
+  datum dat, key;
+  char *p;
+  time_t now, then;
+
+  key.dsize = strlen(ctx->user);
+  key.dptr  = ctx->user;
+
+  dat = dbm_fetch (dbm, key);
+  if (dat.dptr == NULL) {
+    ctx->err = "Entry not found";
+    return -1;
+  }
+  p = dat.dptr;
+
+  memcpy (&then, p, sizeof(then));
+  ctx->lock_time = then;
+  if (lockp) {
+    time(&now);
+    if (then && now - then < OTP_USER_TIMEOUT) {
+      ctx->err = "Entry locked";
+      return -1;
+    }
+    memcpy (p, &now, sizeof(now));
+  }
+  p += sizeof(now);
+  ctx->alg = otp_find_alg (p);
+  if (ctx->alg == NULL) {
+    ctx->err = "Bad algorithm";
+    return -1;
+  }
+  p += strlen(p) + 1;
+  {
+    unsigned char *up = (unsigned char *)p;
+    ctx->n = (up[0] << 24) | (up[1] << 16) | (up[2] << 8) | up[3];
+  }
+  p += 4;
+  memcpy (ctx->key, p, OTPKEYSIZE);
+  p += OTPKEYSIZE;
+  strlcpy (ctx->seed, p, sizeof(ctx->seed));
+  if (lockp)
+    return dbm_store (dbm, key, dat, DBM_REPLACE);
+  else
+    return 0;
+}
+
+/*
+ * Get and lock.
+ */
+
+int
+otp_get (void *v, OtpContext *ctx)
+{
+  return otp_get_internal (v, ctx, 1);
+}
+
+/*
+ * Get and don't lock.
+ */
+
+int
+otp_simple_get (void *v, OtpContext *ctx)
+{
+  return otp_get_internal (v, ctx, 0);
+}
+
+/*
+ * Write this entry to the database.
+ */
+
+int
+otp_put (void *v, OtpContext *ctx)
+{
+  DBM *dbm = (DBM *)v;
+  datum dat, key;
+  char buf[1024], *p;
+  time_t zero = 0;
+  size_t len, rem;
+
+  key.dsize = strlen(ctx->user);
+  key.dptr  = ctx->user;
+
+  p = buf;
+  rem = sizeof(buf);
+
+  if (rem < sizeof(zero))
+      return -1;
+  memcpy (p, &zero, sizeof(zero));
+  p += sizeof(zero);
+  rem -= sizeof(zero);
+  len = strlen(ctx->alg->name) + 1;
+
+  if (rem < len)
+      return -1;
+  strcpy (p, ctx->alg->name);
+  p += len;
+  rem -= len;
+
+  if (rem < 4)
+      return -1;
+  {
+    unsigned char *up = (unsigned char *)p;
+    *up++ = (ctx->n >> 24) & 0xFF;
+    *up++ = (ctx->n >> 16) & 0xFF;
+    *up++ = (ctx->n >>  8) & 0xFF;
+    *up++ = (ctx->n >>  0) & 0xFF;
+  }
+  p += 4;
+  rem -= 4;
+
+  if (rem < OTPKEYSIZE)
+      return -1;
+  memcpy (p, ctx->key, OTPKEYSIZE);
+  p += OTPKEYSIZE;
+  rem -= OTPKEYSIZE;
+
+  len = strlen(ctx->seed) + 1;
+  if (rem < len)
+      return -1;
+  strcpy (p, ctx->seed);
+  p += len;
+  rem -= len;
+  dat.dptr  = buf;
+  dat.dsize = p - buf;
+  return dbm_store (dbm, key, dat, DBM_REPLACE);
+}
diff --git a/crypto/heimdal/lib/otp/otp_locl.h b/crypto/heimdal/lib/otp/otp_locl.h
new file mode 100644
index 0000000..391d04e
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otp_locl.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: otp_locl.h,v 1.11 1999/12/02 16:58:44 joda Exp $ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <time.h>
+#include <errno.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_IO_H
+#include <io.h>
+#endif
+
+#include <roken.h>
+
+#include <otp.h>
+
+#include <xdbm.h>
+
+#define OTPKEYS "/.otpkeys"
+
+#define OTP_DB "/etc/otp"
+#define OTP_DB_LOCK "/etc/otp-lock"
diff --git a/crypto/heimdal/lib/otp/otp_md.c b/crypto/heimdal/lib/otp/otp_md.c
new file mode 100644
index 0000000..d408fcd
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otp_md.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+RCSID("$Id: otp_md.c,v 1.14 2001/01/29 05:55:18 assar Exp $");
+#endif
+#include "otp_locl.h"
+
+#include "otp_md.h"
+#ifdef HAVE_OPENSSL_MD4_H
+#include <openssl/md4.h>
+#else
+#include <md4.h>
+#endif
+#ifdef HAVE_OPENSSL_MD5_H
+#include <openssl/md5.h>
+#else
+#include <md5.h>
+#endif
+#ifdef HAVE_OPENSSL_SHA_H
+#include <openssl/sha.h>
+#else
+#include <sha.h>
+#endif
+
+/*
+ * Compress len bytes from md into key
+ */
+
+static void
+compressmd (OtpKey key, unsigned char *md, size_t len)
+{
+  u_char *p = key;
+
+  memset (p, 0, OTPKEYSIZE);
+  while(len) {
+    *p++ ^= *md++;
+    *p++ ^= *md++;
+    *p++ ^= *md++;
+    *p++ ^= *md++;
+    len -= 4;
+    if (p == key + OTPKEYSIZE)
+      p = key;
+  }
+}
+
+static int
+otp_md_init (OtpKey key,
+	     const char *pwd,
+	     const char *seed,
+	     void (*init)(void *),
+	     void (*update)(void *, const void *, size_t),
+	     void (*final)(void *, void *),
+	     void *arg,
+	     unsigned char *res,
+	     size_t ressz)
+{
+  char *p;
+  int len;
+
+  len = strlen(pwd) + strlen(seed);
+  p = malloc (len + 1);
+  if (p == NULL)
+    return -1;
+  strcpy (p, seed);
+  strlwr (p);
+  strcat (p, pwd);
+  (*init)(arg);
+  (*update)(arg, p, len);
+  (*final)(res, arg);
+  free (p);
+  compressmd (key, res, ressz);
+  return 0;
+}
+
+static int
+otp_md_next (OtpKey key,
+	     void (*init)(void *),
+	     void (*update)(void *, const void *, size_t),
+	     void (*final)(void *, void *),
+	     void *arg,
+	     unsigned char *res,
+	     size_t ressz)
+{
+  (*init)(arg);
+  (*update)(arg, key, OTPKEYSIZE);
+  (*final)(res, arg);
+  compressmd (key, res, ressz);
+  return 0;
+}
+
+static int
+otp_md_hash (const char *data,
+	     size_t len,
+	     void (*init)(void *),
+	     void (*update)(void *, const void *, size_t),
+	     void (*final)(void *, void *),
+	     void *arg,
+	     unsigned char *res,
+	     size_t ressz)
+{
+  (*init)(arg);
+  (*update)(arg, data, len);
+  (*final)(res, arg);
+  return 0;
+}
+
+int
+otp_md4_init (OtpKey key, const char *pwd, const char *seed)
+{
+  unsigned char res[16];
+  MD4_CTX md4;
+
+  return otp_md_init (key, pwd, seed,
+		      (void (*)(void *))MD4_Init,
+		      (void (*)(void *, const void *, size_t))MD4_Update, 
+		      (void (*)(void *, void *))MD4_Final,
+		      &md4, res, sizeof(res));
+}
+
+int
+otp_md4_hash (const char *data,
+	      size_t len,
+	      unsigned char *res)
+{
+  MD4_CTX md4;
+
+  return otp_md_hash (data, len,
+		      (void (*)(void *))MD4_Init,
+		      (void (*)(void *, const void *, size_t))MD4_Update, 
+		      (void (*)(void *, void *))MD4_Final,
+		      &md4, res, 16);
+}
+
+int
+otp_md4_next (OtpKey key)
+{
+  unsigned char res[16];
+  MD4_CTX md4;
+
+  return otp_md_next (key, 
+		      (void (*)(void *))MD4_Init, 
+		      (void (*)(void *, const void *, size_t))MD4_Update, 
+		      (void (*)(void *, void *))MD4_Final,
+		      &md4, res, sizeof(res));
+}
+
+
+int
+otp_md5_init (OtpKey key, const char *pwd, const char *seed)
+{
+  unsigned char res[16];
+  MD5_CTX md5;
+
+  return otp_md_init (key, pwd, seed, 
+		      (void (*)(void *))MD5_Init, 
+		      (void (*)(void *, const void *, size_t))MD5_Update, 
+		      (void (*)(void *, void *))MD5_Final,
+		      &md5, res, sizeof(res));
+}
+
+int
+otp_md5_hash (const char *data,
+	      size_t len,
+	      unsigned char *res)
+{
+  MD5_CTX md5;
+
+  return otp_md_hash (data, len,
+		      (void (*)(void *))MD5_Init,
+		      (void (*)(void *, const void *, size_t))MD5_Update, 
+		      (void (*)(void *, void *))MD5_Final,
+		      &md5, res, 16);
+}
+
+int
+otp_md5_next (OtpKey key)
+{
+  unsigned char res[16];
+  MD5_CTX md5;
+
+  return otp_md_next (key, 
+		      (void (*)(void *))MD5_Init, 
+		      (void (*)(void *, const void *, size_t))MD5_Update, 
+		      (void (*)(void *, void *))MD5_Final,
+		      &md5, res, sizeof(res));
+}
+
+/* 
+ * For histerical reasons, in the OTP definition it's said that the
+ * result from SHA must be stored in little-endian order.  See
+ * draft-ietf-otp-01.txt.
+ */
+
+static void
+SHA1_Final_little_endian (void *res, SHA_CTX *m)
+{
+  unsigned char tmp[20];
+  unsigned char *p = res;
+  int j;
+
+  SHA1_Final (tmp, m);
+  for (j = 0; j < 20; j += 4) {
+    p[j]   = tmp[j+3];
+    p[j+1] = tmp[j+2];
+    p[j+2] = tmp[j+1];
+    p[j+3] = tmp[j];
+  }
+}
+
+int
+otp_sha_init (OtpKey key, const char *pwd, const char *seed)
+{
+  unsigned char res[20];
+  SHA_CTX sha1;
+
+  return otp_md_init (key, pwd, seed, 
+		      (void (*)(void *))SHA1_Init, 
+		      (void (*)(void *, const void *, size_t))SHA1_Update, 
+		      (void (*)(void *, void *))SHA1_Final_little_endian,
+		      &sha1, res, sizeof(res));
+}
+
+int
+otp_sha_hash (const char *data,
+	      size_t len,
+	      unsigned char *res)
+{
+  SHA_CTX sha1;
+
+  return otp_md_hash (data, len,
+		      (void (*)(void *))SHA1_Init,
+		      (void (*)(void *, const void *, size_t))SHA1_Update, 
+		      (void (*)(void *, void *))SHA1_Final_little_endian,
+		      &sha1, res, 20);
+}
+
+int
+otp_sha_next (OtpKey key)
+{
+  unsigned char res[20];
+  SHA_CTX sha1;
+
+  return otp_md_next (key, 
+		      (void (*)(void *))SHA1_Init,
+		      (void (*)(void *, const void *, size_t))SHA1_Update,
+		      (void (*)(void *, void *))SHA1_Final_little_endian,
+		      &sha1, res, sizeof(res));
+}
diff --git a/crypto/heimdal/lib/otp/otp_md.h b/crypto/heimdal/lib/otp/otp_md.h
new file mode 100644
index 0000000..5732606
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otp_md.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: otp_md.h,v 1.7 2000/07/12 00:26:44 assar Exp $ */
+
+int otp_md4_init (OtpKey key, const char *pwd, const char *seed);
+int otp_md4_hash (const char *, size_t, unsigned char *res);
+int otp_md4_next (OtpKey key);
+
+int otp_md5_init (OtpKey key, const char *pwd, const char *seed);
+int otp_md5_hash (const char *, size_t, unsigned char *res);
+int otp_md5_next (OtpKey key);
+
+int otp_sha_init (OtpKey key, const char *pwd, const char *seed);
+int otp_sha_hash (const char *, size_t, unsigned char *res);
+int otp_sha_next (OtpKey key);
diff --git a/crypto/heimdal/lib/otp/otp_parse.c b/crypto/heimdal/lib/otp/otp_parse.c
new file mode 100644
index 0000000..cc69de5
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otp_parse.c
@@ -0,0 +1,2515 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+RCSID("$Id: otp_parse.c,v 1.20 2000/07/01 13:58:38 assar Exp $");
+#endif
+
+#include "otp_locl.h"
+
+struct e {
+  char *s;
+  unsigned n;
+};
+
+extern const struct e inv_std_dict[2048];
+
+static int
+cmp(const void *a, const void *b)
+{
+  struct e *e1, *e2;
+  
+  e1 = (struct e *)a;
+  e2 = (struct e *)b;
+  return strcasecmp (e1->s, e2->s);
+}
+
+static int
+get_stdword (const char *s, void *v)
+{
+  struct e e, *r;
+
+  e.s = (char *)s;
+  e.n = -1;
+  r = (struct e *) bsearch (&e, inv_std_dict,
+			    sizeof(inv_std_dict)/sizeof(*inv_std_dict),
+			    sizeof(*inv_std_dict), cmp);
+  if (r)
+    return r->n;
+  else
+    return -1;
+}
+
+static void
+compress (OtpKey key, unsigned wn[])
+{
+  key[0] = wn[0] >> 3;
+  key[1] = ((wn[0] & 0x07) << 5) | (wn[1] >> 6);
+  key[2] = ((wn[1] & 0x3F) << 2) | (wn[2] >> 9);
+  key[3] = ((wn[2] >> 1) & 0xFF);
+  key[4] = ((wn[2] & 0x01) << 7) | (wn[3] >> 4);
+  key[5] = ((wn[3] & 0x0F) << 4) | (wn[4] >> 7);
+  key[6] = ((wn[4] & 0x7F) << 1) | (wn[5] >> 10);
+  key[7] = ((wn[5] >> 2) & 0xFF);
+}
+
+static int
+get_altword (const char *s, void *a)
+{
+  OtpAlgorithm *alg = (OtpAlgorithm *)a;
+  int ret;
+  unsigned char *res = malloc(alg->hashsize);
+
+  if (res == NULL)
+    return -1;
+  alg->hash (s, strlen(s), res);
+  ret = (unsigned)(res[alg->hashsize - 1]) | 
+      ((res[alg->hashsize - 2] & 0x03) << 8);
+  free (res);
+  return ret;
+}
+
+static int
+parse_words(unsigned wn[],
+	    const char *str,
+	    int (*convert)(const char *, void *),
+	    void *arg)
+{
+  unsigned char *w, *wend, c;
+  int i;
+  int tmp;
+
+  w = (unsigned char *)str;
+  for (i = 0; i < 6; ++i) {
+    while (isspace(*w))
+      ++w;
+    wend = w;
+    while (isalpha (*wend))
+      ++wend;
+    c = *wend;
+    *wend = '\0';
+    tmp = (*convert)((char *)w, arg);
+    *wend = c;
+    w = wend;
+    if (tmp < 0)
+      return -1;
+    wn[i] = tmp;
+  }
+  return 0;
+}
+
+static int
+otp_parse_internal (OtpKey key, const char *str,
+		    OtpAlgorithm *alg,
+		    int (*convert)(const char *, void *))
+{
+  unsigned wn[6];
+
+  if (parse_words (wn, str, convert, alg))
+    return -1;
+  compress (key, wn);
+  if (otp_checksum (key) != (wn[5] & 0x03))
+    return -1;
+  return 0;
+}
+
+int
+otp_parse_stddict (OtpKey key, const char *str)
+{
+  return otp_parse_internal (key, str, NULL, get_stdword);
+}
+
+int
+otp_parse_altdict (OtpKey key, const char *str, OtpAlgorithm *alg)
+{
+  return otp_parse_internal (key, str, alg, get_altword);
+}
+
+int
+otp_parse_hex (OtpKey key, const char *s)
+{
+  char buf[17], *b;
+  int is[8];
+  int i;
+
+  b = buf;
+  while (*s) {
+    if (strchr ("0123456789ABCDEFabcdef", *s)) {
+      if (b - buf >= 16)
+	return -1;
+      else
+	*b++ = tolower(*s);
+    }
+    s++;
+  }
+  *b = '\0';
+  if (sscanf (buf, "%2x%2x%2x%2x%2x%2x%2x%2x",
+	      &is[0], &is[1], &is[2], &is[3], &is[4],
+	      &is[5], &is[6], &is[7]) != 8)
+    return -1;
+  for (i = 0; i < OTPKEYSIZE; ++i)
+    key[i] = is[i];
+  return 0;
+}
+
+int
+otp_parse (OtpKey key, const char *s, OtpAlgorithm *alg)
+{
+  int ret;
+  int dohex = 1;
+
+  if (strncmp (s, OTP_HEXPREFIX, strlen(OTP_HEXPREFIX)) == 0)
+    return otp_parse_hex (key, s + strlen(OTP_HEXPREFIX));
+  if (strncmp (s, OTP_WORDPREFIX, strlen(OTP_WORDPREFIX)) == 0) {
+    s += strlen(OTP_WORDPREFIX);
+    dohex = 0;
+  }
+
+  ret = otp_parse_stddict (key, s);
+  if (ret)
+    ret = otp_parse_altdict (key, s, alg);
+  if (ret && dohex)
+    ret = otp_parse_hex (key, s);
+  return ret;
+}
+
+const char *const std_dict[2048] =
+{        "A",    "ABE",   "ACE",   "ACT",   "AD",    "ADA",   "ADD",
+"AGO",   "AID",  "AIM",   "AIR",   "ALL",   "ALP",   "AM",    "AMY",
+"AN",    "ANA",  "AND",   "ANN",   "ANT",   "ANY",   "APE",   "APS",
+"APT",   "ARC",  "ARE",   "ARK",   "ARM",   "ART",   "AS",    "ASH",
+"ASK",   "AT",   "ATE",   "AUG",   "AUK",   "AVE",   "AWE",   "AWK",
+"AWL",   "AWN",  "AX",    "AYE",   "BAD",   "BAG",   "BAH",   "BAM",
+"BAN",   "BAR",  "BAT",   "BAY",   "BE",    "BED",   "BEE",   "BEG",
+"BEN",   "BET",  "BEY",   "BIB",   "BID",   "BIG",   "BIN",   "BIT",
+"BOB",   "BOG",  "BON",   "BOO",   "BOP",   "BOW",   "BOY",   "BUB",
+"BUD",   "BUG",  "BUM",   "BUN",   "BUS",   "BUT",   "BUY",   "BY",
+"BYE",   "CAB",  "CAL",   "CAM",   "CAN",   "CAP",   "CAR",   "CAT",
+"CAW",   "COD",  "COG",   "COL",   "CON",   "COO",   "COP",   "COT",
+"COW",   "COY",  "CRY",   "CUB",   "CUE",   "CUP",   "CUR",   "CUT",
+"DAB",   "DAD",  "DAM",   "DAN",   "DAR",   "DAY",   "DEE",   "DEL",
+"DEN",   "DES",  "DEW",   "DID",   "DIE",   "DIG",   "DIN",   "DIP",
+"DO",    "DOE",  "DOG",   "DON",   "DOT",   "DOW",   "DRY",   "DUB",
+"DUD",   "DUE",  "DUG",   "DUN",   "EAR",   "EAT",   "ED",    "EEL",
+"EGG",   "EGO",  "ELI",   "ELK",   "ELM",   "ELY",   "EM",    "END",
+"EST",   "ETC",  "EVA",   "EVE",   "EWE",   "EYE",   "FAD",   "FAN",
+"FAR",   "FAT",  "FAY",   "FED",   "FEE",   "FEW",   "FIB",   "FIG",
+"FIN",   "FIR",  "FIT",   "FLO",   "FLY",   "FOE",   "FOG",   "FOR",
+"FRY",   "FUM",  "FUN",   "FUR",   "GAB",   "GAD",   "GAG",   "GAL",
+"GAM",   "GAP",  "GAS",   "GAY",   "GEE",   "GEL",   "GEM",   "GET",
+"GIG",   "GIL",  "GIN",   "GO",    "GOT",   "GUM",   "GUN",   "GUS",
+"GUT",   "GUY",  "GYM",   "GYP",   "HA",    "HAD",   "HAL",   "HAM",
+"HAN",   "HAP",  "HAS",   "HAT",   "HAW",   "HAY",   "HE",    "HEM",
+"HEN",   "HER",  "HEW",   "HEY",   "HI",    "HID",   "HIM",   "HIP",
+"HIS",   "HIT",  "HO",    "HOB",   "HOC",   "HOE",   "HOG",   "HOP",
+"HOT",   "HOW",  "HUB",   "HUE",   "HUG",   "HUH",   "HUM",   "HUT",
+"I",     "ICY",  "IDA",   "IF",    "IKE",   "ILL",   "INK",   "INN",
+"IO",    "ION",  "IQ",    "IRA",   "IRE",   "IRK",   "IS",    "IT",
+"ITS",   "IVY",  "JAB",   "JAG",   "JAM",   "JAN",   "JAR",   "JAW",
+"JAY",   "JET",  "JIG",   "JIM",   "JO",    "JOB",   "JOE",   "JOG",
+"JOT",   "JOY",  "JUG",   "JUT",   "KAY",   "KEG",   "KEN",   "KEY",
+"KID",   "KIM",  "KIN",   "KIT",   "LA",    "LAB",   "LAC",   "LAD",
+"LAG",   "LAM",  "LAP",   "LAW",   "LAY",   "LEA",   "LED",   "LEE",
+"LEG",   "LEN",  "LEO",   "LET",   "LEW",   "LID",   "LIE",   "LIN",
+"LIP",   "LIT",  "LO",    "LOB",   "LOG",   "LOP",   "LOS",   "LOT",
+"LOU",   "LOW",  "LOY",   "LUG",   "LYE",   "MA",    "MAC",   "MAD",
+"MAE",   "MAN",  "MAO",   "MAP",   "MAT",   "MAW",   "MAY",   "ME",
+"MEG",   "MEL",  "MEN",   "MET",   "MEW",   "MID",   "MIN",   "MIT",
+"MOB",   "MOD",  "MOE",   "MOO",   "MOP",   "MOS",   "MOT",   "MOW",
+"MUD",   "MUG",  "MUM",   "MY",    "NAB",   "NAG",   "NAN",   "NAP",
+"NAT",   "NAY",  "NE",    "NED",   "NEE",   "NET",   "NEW",   "NIB",
+"NIIL",  "NIP",  "NIT",   "NO",    "NOB",   "NOD",   "NON",   "NOR",
+"NOT",   "NOV",  "NOW",   "NU",    "NUN",   "NUT",   "O",     "OAF",
+"OAK",   "OAR",  "OAT",   "ODD",   "ODE",   "OF",    "OFF",   "OFT",
+"OH",    "OIL",  "OK",    "OLD",   "ON",    "ONE",   "OR",    "ORB",
+"ORE",   "ORR",  "OS",    "OTT",   "OUR",   "OUT",   "OVA",   "OW",
+"OWE",   "OWL",  "OWN",   "OX",    "PA",    "PAD",   "PAL",   "PAM",
+"PAN",   "PAP",  "PAR",   "PAT",   "PAW",   "PAY",   "PEA",   "PEG",
+"PEN",   "PEP",  "PER",   "PET",   "PEW",   "PHI",   "PI",    "PIE",
+"PIN",   "PIT",  "PLY",   "PO",    "POD",   "POE",   "POP",   "POT",
+"POW",   "PRO",  "PRY",   "PUB",   "PUG",   "PUN",   "PUP",   "PUT",
+"QUO",   "RAG",  "RAM",   "RAN",   "RAP",   "RAT",   "RAW",   "RAY",
+"REB",   "RED",  "REP",   "RET",   "RIB",   "RID",   "RIG",   "RIM",
+"RIO",   "RIP",  "ROB",   "ROD",   "ROE",   "RON",   "ROT",   "ROW",
+"ROY",   "RUB",  "RUE",   "RUG",   "RUM",   "RUN",   "RYE",   "SAC",
+"SAD",   "SAG",  "SAL",   "SAM",   "SAN",   "SAP",   "SAT",   "SAW",
+"SAY",   "SEA",  "SEC",   "SEE",   "SEN",   "SET",   "SEW",   "SHE",
+"SHY",   "SIN",  "SIP",   "SIR",   "SIS",   "SIT",   "SKI",   "SKY",
+"SLY",   "SO",   "SOB",   "SOD",   "SON",   "SOP",   "SOW",   "SOY",
+"SPA",   "SPY",  "SUB",   "SUD",   "SUE",   "SUM",   "SUN",   "SUP",
+"TAB",   "TAD",  "TAG",   "TAN",   "TAP",   "TAR",   "TEA",   "TED",
+"TEE",   "TEN",  "THE",   "THY",   "TIC",   "TIE",   "TIM",   "TIN",
+"TIP",   "TO",   "TOE",   "TOG",   "TOM",   "TON",   "TOO",   "TOP",
+"TOW",   "TOY",  "TRY",   "TUB",   "TUG",   "TUM",   "TUN",   "TWO",
+"UN",    "UP",   "US",    "USE",   "VAN",   "VAT",   "VET",   "VIE",
+"WAD",   "WAG",  "WAR",   "WAS",   "WAY",   "WE",    "WEB",   "WED",
+"WEE",   "WET",  "WHO",   "WHY",   "WIN",   "WIT",   "WOK",   "WON",
+"WOO",   "WOW",  "WRY",   "WU",    "YAM",   "YAP",   "YAW",   "YE",
+"YEA",   "YES",  "YET",   "YOU",   "ABED",  "ABEL",  "ABET",  "ABLE",
+"ABUT",  "ACHE",  "ACID", "ACME",  "ACRE",  "ACTA",  "ACTS",  "ADAM",
+"ADDS",  "ADEN",  "AFAR", "AFRO",  "AGEE",  "AHEM",  "AHOY",  "AIDA",
+"AIDE",  "AIDS",  "AIRY", "AJAR",  "AKIN",  "ALAN",  "ALEC",  "ALGA",
+"ALIA",  "ALLY",  "ALMA", "ALOE",  "ALSO",  "ALTO",  "ALUM",  "ALVA",
+"AMEN",  "AMES",  "AMID", "AMMO",  "AMOK",  "AMOS",  "AMRA",  "ANDY",
+"ANEW",  "ANNA",  "ANNE", "ANTE",  "ANTI",  "AQUA",  "ARAB",  "ARCH",
+"AREA",  "ARGO",  "ARID", "ARMY",  "ARTS",  "ARTY",  "ASIA",  "ASKS",
+"ATOM",  "AUNT",  "AURA", "AUTO",  "AVER",  "AVID",  "AVIS",  "AVON",
+"AVOW",  "AWAY",  "AWRY", "BABE",  "BABY",  "BACH",  "BACK",  "BADE",
+"BAIL",  "BAIT",  "BAKE", "BALD",  "BALE",  "BALI",  "BALK",  "BALL",
+"BALM",  "BAND",  "BANE", "BANG",  "BANK",  "BARB",  "BARD",  "BARE",
+"BARK",  "BARN",  "BARR", "BASE",  "BASH",  "BASK",  "BASS",  "BATE",
+"BATH",  "BAWD",  "BAWL", "BEAD",  "BEAK",  "BEAM",  "BEAN",  "BEAR",
+"BEAT",  "BEAU",  "BECK", "BEEF",  "BEEN",  "BEER",  "BEET",  "BELA",
+"BELL",  "BELT",  "BEND", "BENT",  "BERG",  "BERN",  "BERT",  "BESS",
+"BEST",  "BETA",  "BETH", "BHOY",  "BIAS",  "BIDE",  "BIEN",  "BILE",
+"BILK",  "BILL",  "BIND", "BING",  "BIRD",  "BITE",  "BITS",  "BLAB",
+"BLAT",  "BLED",  "BLEW", "BLOB",  "BLOC",  "BLOT",  "BLOW",  "BLUE",
+"BLUM",  "BLUR",  "BOAR", "BOAT",  "BOCA",  "BOCK",  "BODE",  "BODY",
+"BOGY",  "BOHR",  "BOIL", "BOLD",  "BOLO",  "BOLT",  "BOMB",  "BONA",
+"BOND",  "BONE",  "BONG", "BONN",  "BONY",  "BOOK",  "BOOM",  "BOON",
+"BOOT",  "BORE",  "BORG", "BORN",  "BOSE",  "BOSS",  "BOTH",  "BOUT",
+"BOWL",  "BOYD",  "BRAD", "BRAE",  "BRAG",  "BRAN",  "BRAY",  "BRED",
+"BREW",  "BRIG",  "BRIM", "BROW",  "BUCK",  "BUDD",  "BUFF",  "BULB",
+"BULK",  "BULL",  "BUNK", "BUNT",  "BUOY",  "BURG",  "BURL",  "BURN",
+"BURR",  "BURT",  "BURY", "BUSH",  "BUSS",  "BUST",  "BUSY",  "BYTE",
+"CADY",  "CAFE",  "CAGE", "CAIN",  "CAKE",  "CALF",  "CALL",  "CALM",
+"CAME",  "CANE",  "CANT", "CARD",  "CARE",  "CARL",  "CARR",  "CART",
+"CASE",  "CASH",  "CASK", "CAST",  "CAVE",  "CEIL",  "CELL",  "CENT",
+"CERN",  "CHAD",  "CHAR", "CHAT",  "CHAW",  "CHEF",  "CHEN",  "CHEW",
+"CHIC",  "CHIN",  "CHOU", "CHOW",  "CHUB",  "CHUG",  "CHUM",  "CITE",
+"CITY",  "CLAD",  "CLAM", "CLAN",  "CLAW",  "CLAY",  "CLOD",  "CLOG",
+"CLOT",  "CLUB",  "CLUE", "COAL",  "COAT",  "COCA",  "COCK",  "COCO",
+"CODA",  "CODE",  "CODY", "COED",  "COIL",  "COIN",  "COKE",  "COLA",
+"COLD",  "COLT",  "COMA", "COMB",  "COME",  "COOK",  "COOL",  "COON",
+"COOT",  "CORD",  "CORE", "CORK",  "CORN",  "COST",  "COVE",  "COWL",
+"CRAB",  "CRAG",  "CRAM", "CRAY",  "CREW",  "CRIB",  "CROW",  "CRUD",
+"CUBA",  "CUBE",  "CUFF", "CULL",  "CULT",  "CUNY",  "CURB",  "CURD",
+"CURE",  "CURL",  "CURT", "CUTS",  "DADE",  "DALE",  "DAME",  "DANA",
+"DANE",  "DANG",  "DANK", "DARE",  "DARK",  "DARN",  "DART",  "DASH",
+"DATA",  "DATE",  "DAVE", "DAVY",  "DAWN",  "DAYS",  "DEAD",  "DEAF",
+"DEAL",  "DEAN",  "DEAR", "DEBT",  "DECK",  "DEED",  "DEEM",  "DEER",
+"DEFT",  "DEFY",  "DELL", "DENT",  "DENY",  "DESK",  "DIAL",  "DICE",
+"DIED",  "DIET",  "DIME", "DINE",  "DING",  "DINT",  "DIRE",  "DIRT",
+"DISC",  "DISH",  "DISK", "DIVE",  "DOCK",  "DOES",  "DOLE",  "DOLL",
+"DOLT",  "DOME",  "DONE", "DOOM",  "DOOR",  "DORA",  "DOSE",  "DOTE",
+"DOUG",  "DOUR",  "DOVE", "DOWN",  "DRAB",  "DRAG",  "DRAM",  "DRAW",
+"DREW",  "DRUB",  "DRUG", "DRUM",  "DUAL",  "DUCK",  "DUCT",  "DUEL",
+"DUET",  "DUKE",  "DULL", "DUMB",  "DUNE",  "DUNK",  "DUSK",  "DUST",
+"DUTY",  "EACH",  "EARL", "EARN",  "EASE",  "EAST",  "EASY",  "EBEN",
+"ECHO",  "EDDY",  "EDEN", "EDGE",  "EDGY",  "EDIT",  "EDNA",  "EGAN",
+"ELAN",  "ELBA",  "ELLA", "ELSE",  "EMIL",  "EMIT",  "EMMA",  "ENDS",
+"ERIC",  "EROS",  "EVEN", "EVER",  "EVIL",  "EYED",  "FACE",  "FACT",
+"FADE",  "FAIL",  "FAIN", "FAIR",  "FAKE",  "FALL",  "FAME",  "FANG",
+"FARM",  "FAST",  "FATE", "FAWN",  "FEAR",  "FEAT",  "FEED",  "FEEL",
+"FEET",  "FELL",  "FELT", "FEND",  "FERN",  "FEST",  "FEUD",  "FIEF",
+"FIGS",  "FILE",  "FILL", "FILM",  "FIND",  "FINE",  "FINK",  "FIRE",
+"FIRM",  "FISH",  "FISK", "FIST",  "FITS",  "FIVE",  "FLAG",  "FLAK",
+"FLAM",  "FLAT",  "FLAW", "FLEA",  "FLED",  "FLEW",  "FLIT",  "FLOC",
+"FLOG",  "FLOW",  "FLUB", "FLUE",  "FOAL",  "FOAM",  "FOGY",  "FOIL",
+"FOLD",  "FOLK",  "FOND", "FONT",  "FOOD",  "FOOL",  "FOOT",  "FORD",
+"FORE",  "FORK",  "FORM", "FORT",  "FOSS",  "FOUL",  "FOUR",  "FOWL",
+"FRAU",  "FRAY",  "FRED", "FREE",  "FRET",  "FREY",  "FROG",  "FROM",
+"FUEL",  "FULL",  "FUME", "FUND",  "FUNK",  "FURY",  "FUSE",  "FUSS",
+"GAFF",  "GAGE",  "GAIL", "GAIN",  "GAIT",  "GALA",  "GALE",  "GALL",
+"GALT",  "GAME",  "GANG", "GARB",  "GARY",  "GASH",  "GATE",  "GAUL",
+"GAUR",  "GAVE",  "GAWK", "GEAR",  "GELD",  "GENE",  "GENT",  "GERM",
+"GETS",  "GIBE",  "GIFT", "GILD",  "GILL",  "GILT",  "GINA",  "GIRD",
+"GIRL",  "GIST",  "GIVE", "GLAD",  "GLEE",  "GLEN",  "GLIB",  "GLOB",
+"GLOM",  "GLOW",  "GLUE", "GLUM",  "GLUT",  "GOAD",  "GOAL",  "GOAT",
+"GOER",  "GOES",  "GOLD", "GOLF",  "GONE",  "GONG",  "GOOD",  "GOOF",
+"GORE",  "GORY",  "GOSH", "GOUT",  "GOWN",  "GRAB",  "GRAD",  "GRAY",
+"GREG",  "GREW",  "GREY", "GRID",  "GRIM",  "GRIN",  "GRIT",  "GROW",
+"GRUB",  "GULF",  "GULL", "GUNK",  "GURU",  "GUSH",  "GUST",  "GWEN",
+"GWYN",  "HAAG",  "HAAS", "HACK",  "HAIL",  "HAIR",  "HALE",  "HALF",
+"HALL",  "HALO",  "HALT", "HAND",  "HANG",  "HANK",  "HANS",  "HARD",
+"HARK",  "HARM",  "HART", "HASH",  "HAST",  "HATE",  "HATH",  "HAUL",
+"HAVE",  "HAWK",  "HAYS", "HEAD",  "HEAL",  "HEAR",  "HEAT",  "HEBE",
+"HECK",  "HEED",  "HEEL", "HEFT",  "HELD",  "HELL",  "HELM",  "HERB",
+"HERD",  "HERE",  "HERO", "HERS",  "HESS",  "HEWN",  "HICK",  "HIDE",
+"HIGH",  "HIKE",  "HILL", "HILT",  "HIND",  "HINT",  "HIRE",  "HISS",
+"HIVE",  "HOBO",  "HOCK", "HOFF",  "HOLD",  "HOLE",  "HOLM",  "HOLT",
+"HOME",  "HONE",  "HONK", "HOOD",  "HOOF",  "HOOK",  "HOOT",  "HORN",
+"HOSE",  "HOST",  "HOUR", "HOVE",  "HOWE",  "HOWL",  "HOYT",  "HUCK",
+"HUED",  "HUFF",  "HUGE", "HUGH",  "HUGO",  "HULK",  "HULL",  "HUNK",
+"HUNT",  "HURD",  "HURL", "HURT",  "HUSH",  "HYDE",  "HYMN",  "IBIS",
+"ICON",  "IDEA",  "IDLE", "IFFY",  "INCA",  "INCH",  "INTO",  "IONS",
+"IOTA",  "IOWA",  "IRIS", "IRMA",  "IRON",  "ISLE",  "ITCH",  "ITEM",
+"IVAN",  "JACK",  "JADE", "JAIL",  "JAKE",  "JANE",  "JAVA",  "JEAN",
+"JEFF",  "JERK",  "JESS", "JEST",  "JIBE",  "JILL",  "JILT",  "JIVE",
+"JOAN",  "JOBS",  "JOCK", "JOEL",  "JOEY",  "JOHN",  "JOIN",  "JOKE",
+"JOLT",  "JOVE",  "JUDD", "JUDE",  "JUDO",  "JUDY",  "JUJU",  "JUKE",
+"JULY",  "JUNE",  "JUNK", "JUNO",  "JURY",  "JUST",  "JUTE",  "KAHN",
+"KALE",  "KANE",  "KANT", "KARL",  "KATE",  "KEEL",  "KEEN",  "KENO",
+"KENT",  "KERN",  "KERR", "KEYS",  "KICK",  "KILL",  "KIND",  "KING",
+"KIRK",  "KISS",  "KITE", "KLAN",  "KNEE",  "KNEW",  "KNIT",  "KNOB",
+"KNOT",  "KNOW",  "KOCH", "KONG",  "KUDO",  "KURD",  "KURT",  "KYLE",
+"LACE",  "LACK",  "LACY", "LADY",  "LAID",  "LAIN",  "LAIR",  "LAKE",
+"LAMB",  "LAME",  "LAND", "LANE",  "LANG",  "LARD",  "LARK",  "LASS",
+"LAST",  "LATE",  "LAUD", "LAVA",  "LAWN",  "LAWS",  "LAYS",  "LEAD",
+"LEAF",  "LEAK",  "LEAN", "LEAR",  "LEEK",  "LEER",  "LEFT",  "LEND",
+"LENS",  "LENT",  "LEON", "LESK",  "LESS",  "LEST",  "LETS",  "LIAR",
+"LICE",  "LICK",  "LIED", "LIEN",  "LIES",  "LIEU",  "LIFE",  "LIFT",
+"LIKE",  "LILA",  "LILT", "LILY",  "LIMA",  "LIMB",  "LIME",  "LIND",
+"LINE",  "LINK",  "LINT", "LION",  "LISA",  "LIST",  "LIVE",  "LOAD",
+"LOAF",  "LOAM",  "LOAN", "LOCK",  "LOFT",  "LOGE",  "LOIS",  "LOLA",
+"LONE",  "LONG",  "LOOK", "LOON",  "LOOT",  "LORD",  "LORE",  "LOSE",
+"LOSS",  "LOST",  "LOUD", "LOVE",  "LOWE",  "LUCK",  "LUCY",  "LUGE",
+"LUKE",  "LULU",  "LUND", "LUNG",  "LURA",  "LURE",  "LURK",  "LUSH",
+"LUST",  "LYLE",  "LYNN", "LYON",  "LYRA",  "MACE",  "MADE",  "MAGI",
+"MAID",  "MAIL",  "MAIN", "MAKE",  "MALE",  "MALI",  "MALL",  "MALT",
+"MANA",  "MANN",  "MANY", "MARC",  "MARE",  "MARK",  "MARS",  "MART",
+"MARY",  "MASH",  "MASK", "MASS",  "MAST",  "MATE",  "MATH",  "MAUL",
+"MAYO",  "MEAD",  "MEAL", "MEAN",  "MEAT",  "MEEK",  "MEET",  "MELD",
+"MELT",  "MEMO",  "MEND", "MENU",  "MERT",  "MESH",  "MESS",  "MICE",
+"MIKE",  "MILD",  "MILE", "MILK",  "MILL",  "MILT",  "MIMI",  "MIND",
+"MINE",  "MINI",  "MINK", "MINT",  "MIRE",  "MISS",  "MIST",  "MITE",
+"MITT",  "MOAN",  "MOAT", "MOCK",  "MODE",  "MOLD",  "MOLE",  "MOLL",
+"MOLT",  "MONA",  "MONK", "MONT",  "MOOD",  "MOON",  "MOOR",  "MOOT",
+"MORE",  "MORN",  "MORT", "MOSS",  "MOST",  "MOTH",  "MOVE",  "MUCH",
+"MUCK",  "MUDD",  "MUFF", "MULE",  "MULL",  "MURK",  "MUSH",  "MUST",
+"MUTE",  "MUTT",  "MYRA", "MYTH",  "NAGY",  "NAIL",  "NAIR",  "NAME",
+"NARY",  "NASH",  "NAVE", "NAVY",  "NEAL",  "NEAR",  "NEAT",  "NECK",
+"NEED",  "NEIL",  "NELL", "NEON",  "NERO",  "NESS",  "NEST",  "NEWS",
+"NEWT",  "NIBS",  "NICE", "NICK",  "NILE",  "NINA",  "NINE",  "NOAH",
+"NODE",  "NOEL",  "NOLL", "NONE",  "NOOK",  "NOON",  "NORM",  "NOSE",
+"NOTE",  "NOUN",  "NOVA", "NUDE",  "NULL",  "NUMB",  "OATH",  "OBEY",
+"OBOE",  "ODIN",  "OHIO", "OILY",  "OINT",  "OKAY",  "OLAF",  "OLDY",
+"OLGA",  "OLIN",  "OMAN", "OMEN",  "OMIT",  "ONCE",  "ONES",  "ONLY",
+"ONTO",  "ONUS",  "ORAL", "ORGY",  "OSLO",  "OTIS",  "OTTO",  "OUCH",
+"OUST",  "OUTS",  "OVAL", "OVEN",  "OVER",  "OWLY",  "OWNS",  "QUAD",
+"QUIT",  "QUOD",  "RACE", "RACK",  "RACY",  "RAFT",  "RAGE",  "RAID",
+"RAIL",  "RAIN",  "RAKE", "RANK",  "RANT",  "RARE",  "RASH",  "RATE",
+"RAVE",  "RAYS",  "READ", "REAL",  "REAM",  "REAR",  "RECK",  "REED",
+"REEF",  "REEK",  "REEL", "REID",  "REIN",  "RENA",  "REND",  "RENT",
+"REST",  "RICE",  "RICH", "RICK",  "RIDE",  "RIFT",  "RILL",  "RIME",
+"RING",  "RINK",  "RISE", "RISK",  "RITE",  "ROAD",  "ROAM",  "ROAR",
+"ROBE",  "ROCK",  "RODE", "ROIL",  "ROLL",  "ROME",  "ROOD",  "ROOF",
+"ROOK",  "ROOM",  "ROOT", "ROSA",  "ROSE",  "ROSS",  "ROSY",  "ROTH",
+"ROUT",  "ROVE",  "ROWE", "ROWS",  "RUBE",  "RUBY",  "RUDE",  "RUDY",
+"RUIN",  "RULE",  "RUNG", "RUNS",  "RUNT",  "RUSE",  "RUSH",  "RUSK",
+"RUSS",  "RUST",  "RUTH", "SACK",  "SAFE",  "SAGE",  "SAID",  "SAIL",
+"SALE",  "SALK",  "SALT", "SAME",  "SAND",  "SANE",  "SANG",  "SANK",
+"SARA",  "SAUL",  "SAVE", "SAYS",  "SCAN",  "SCAR",  "SCAT",  "SCOT",
+"SEAL",  "SEAM",  "SEAR", "SEAT",  "SEED",  "SEEK",  "SEEM",  "SEEN",
+"SEES",  "SELF",  "SELL", "SEND",  "SENT",  "SETS",  "SEWN",  "SHAG",
+"SHAM",  "SHAW",  "SHAY", "SHED",  "SHIM",  "SHIN",  "SHOD",  "SHOE",
+"SHOT",  "SHOW",  "SHUN", "SHUT",  "SICK",  "SIDE",  "SIFT",  "SIGH",
+"SIGN",  "SILK",  "SILL", "SILO",  "SILT",  "SINE",  "SING",  "SINK",
+"SIRE",  "SITE",  "SITS", "SITU",  "SKAT",  "SKEW",  "SKID",  "SKIM",
+"SKIN",  "SKIT",  "SLAB", "SLAM",  "SLAT",  "SLAY",  "SLED",  "SLEW",
+"SLID",  "SLIM",  "SLIT", "SLOB",  "SLOG",  "SLOT",  "SLOW",  "SLUG",
+"SLUM",  "SLUR",  "SMOG", "SMUG",  "SNAG",  "SNOB",  "SNOW",  "SNUB",
+"SNUG",  "SOAK",  "SOAR", "SOCK",  "SODA",  "SOFA",  "SOFT",  "SOIL",
+"SOLD",  "SOME",  "SONG", "SOON",  "SOOT",  "SORE",  "SORT",  "SOUL",
+"SOUR",  "SOWN",  "STAB", "STAG",  "STAN",  "STAR",  "STAY",  "STEM",
+"STEW",  "STIR",  "STOW", "STUB",  "STUN",  "SUCH",  "SUDS",  "SUIT",
+"SULK",  "SUMS",  "SUNG", "SUNK",  "SURE",  "SURF",  "SWAB",  "SWAG",
+"SWAM",  "SWAN",  "SWAT", "SWAY",  "SWIM",  "SWUM",  "TACK",  "TACT",
+"TAIL",  "TAKE",  "TALE", "TALK",  "TALL",  "TANK",  "TASK",  "TATE",
+"TAUT",  "TEAL",  "TEAM", "TEAR",  "TECH",  "TEEM",  "TEEN",  "TEET",
+"TELL",  "TEND",  "TENT", "TERM",  "TERN",  "TESS",  "TEST",  "THAN",
+"THAT",  "THEE",  "THEM", "THEN",  "THEY",  "THIN",  "THIS",  "THUD",
+"THUG",  "TICK",  "TIDE", "TIDY",  "TIED",  "TIER",  "TILE",  "TILL",
+"TILT",  "TIME",  "TINA", "TINE",  "TINT",  "TINY",  "TIRE",  "TOAD",
+"TOGO",  "TOIL",  "TOLD", "TOLL",  "TONE",  "TONG",  "TONY",  "TOOK",
+"TOOL",  "TOOT",  "TORE", "TORN",  "TOTE",  "TOUR",  "TOUT",  "TOWN",
+"TRAG",  "TRAM",  "TRAY", "TREE",  "TREK",  "TRIG",  "TRIM",  "TRIO",
+"TROD",  "TROT",  "TROY", "TRUE",  "TUBA",  "TUBE",  "TUCK",  "TUFT",
+"TUNA",  "TUNE",  "TUNG", "TURF",  "TURN",  "TUSK",  "TWIG",  "TWIN",
+"TWIT",  "ULAN",  "UNIT", "URGE",  "USED",  "USER",  "USES",  "UTAH",
+"VAIL",  "VAIN",  "VALE", "VARY",  "VASE",  "VAST",  "VEAL",  "VEDA",
+"VEIL",  "VEIN",  "VEND", "VENT",  "VERB",  "VERY",  "VETO",  "VICE",
+"VIEW",  "VINE",  "VISE", "VOID",  "VOLT",  "VOTE",  "WACK",  "WADE",
+"WAGE",  "WAIL",  "WAIT", "WAKE",  "WALE",  "WALK",  "WALL",  "WALT",
+"WAND",  "WANE",  "WANG", "WANT",  "WARD",  "WARM",  "WARN",  "WART",
+"WASH",  "WAST",  "WATS", "WATT",  "WAVE",  "WAVY",  "WAYS",  "WEAK",
+"WEAL",  "WEAN",  "WEAR", "WEED",  "WEEK",  "WEIR",  "WELD",  "WELL",
+"WELT",  "WENT",  "WERE", "WERT",  "WEST",  "WHAM",  "WHAT",  "WHEE",
+"WHEN",  "WHET",  "WHOA", "WHOM",  "WICK",  "WIFE",  "WILD",  "WILL",
+"WIND",  "WINE",  "WING", "WINK",  "WINO",  "WIRE",  "WISE",  "WISH",
+"WITH",  "WOLF",  "WONT", "WOOD",  "WOOL",  "WORD",  "WORE",  "WORK",
+"WORM",  "WORN",  "WOVE", "WRIT",  "WYNN",  "YALE",  "YANG",  "YANK",
+"YARD",  "YARN",  "YAWL", "YAWN",  "YEAH",  "YEAR",  "YELL",  "YOGA",
+"YOKE"                         };
+
+const struct e inv_std_dict[2048] = {
+{"A", 0},
+{"ABE", 1},
+{"ABED", 571},
+{"ABEL", 572},
+{"ABET", 573},
+{"ABLE", 574},
+{"ABUT", 575},
+{"ACE", 2},
+{"ACHE", 576},
+{"ACID", 577},
+{"ACME", 578},
+{"ACRE", 579},
+{"ACT", 3},
+{"ACTA", 580},
+{"ACTS", 581},
+{"AD", 4},
+{"ADA", 5},
+{"ADAM", 582},
+{"ADD", 6},
+{"ADDS", 583},
+{"ADEN", 584},
+{"AFAR", 585},
+{"AFRO", 586},
+{"AGEE", 587},
+{"AGO", 7},
+{"AHEM", 588},
+{"AHOY", 589},
+{"AID", 8},
+{"AIDA", 590},
+{"AIDE", 591},
+{"AIDS", 592},
+{"AIM", 9},
+{"AIR", 10},
+{"AIRY", 593},
+{"AJAR", 594},
+{"AKIN", 595},
+{"ALAN", 596},
+{"ALEC", 597},
+{"ALGA", 598},
+{"ALIA", 599},
+{"ALL", 11},
+{"ALLY", 600},
+{"ALMA", 601},
+{"ALOE", 602},
+{"ALP", 12},
+{"ALSO", 603},
+{"ALTO", 604},
+{"ALUM", 605},
+{"ALVA", 606},
+{"AM", 13},
+{"AMEN", 607},
+{"AMES", 608},
+{"AMID", 609},
+{"AMMO", 610},
+{"AMOK", 611},
+{"AMOS", 612},
+{"AMRA", 613},
+{"AMY", 14},
+{"AN", 15},
+{"ANA", 16},
+{"AND", 17},
+{"ANDY", 614},
+{"ANEW", 615},
+{"ANN", 18},
+{"ANNA", 616},
+{"ANNE", 617},
+{"ANT", 19},
+{"ANTE", 618},
+{"ANTI", 619},
+{"ANY", 20},
+{"APE", 21},
+{"APS", 22},
+{"APT", 23},
+{"AQUA", 620},
+{"ARAB", 621},
+{"ARC", 24},
+{"ARCH", 622},
+{"ARE", 25},
+{"AREA", 623},
+{"ARGO", 624},
+{"ARID", 625},
+{"ARK", 26},
+{"ARM", 27},
+{"ARMY", 626},
+{"ART", 28},
+{"ARTS", 627},
+{"ARTY", 628},
+{"AS", 29},
+{"ASH", 30},
+{"ASIA", 629},
+{"ASK", 31},
+{"ASKS", 630},
+{"AT", 32},
+{"ATE", 33},
+{"ATOM", 631},
+{"AUG", 34},
+{"AUK", 35},
+{"AUNT", 632},
+{"AURA", 633},
+{"AUTO", 634},
+{"AVE", 36},
+{"AVER", 635},
+{"AVID", 636},
+{"AVIS", 637},
+{"AVON", 638},
+{"AVOW", 639},
+{"AWAY", 640},
+{"AWE", 37},
+{"AWK", 38},
+{"AWL", 39},
+{"AWN", 40},
+{"AWRY", 641},
+{"AX", 41},
+{"AYE", 42},
+{"BABE", 642},
+{"BABY", 643},
+{"BACH", 644},
+{"BACK", 645},
+{"BAD", 43},
+{"BADE", 646},
+{"BAG", 44},
+{"BAH", 45},
+{"BAIL", 647},
+{"BAIT", 648},
+{"BAKE", 649},
+{"BALD", 650},
+{"BALE", 651},
+{"BALI", 652},
+{"BALK", 653},
+{"BALL", 654},
+{"BALM", 655},
+{"BAM", 46},
+{"BAN", 47},
+{"BAND", 656},
+{"BANE", 657},
+{"BANG", 658},
+{"BANK", 659},
+{"BAR", 48},
+{"BARB", 660},
+{"BARD", 661},
+{"BARE", 662},
+{"BARK", 663},
+{"BARN", 664},
+{"BARR", 665},
+{"BASE", 666},
+{"BASH", 667},
+{"BASK", 668},
+{"BASS", 669},
+{"BAT", 49},
+{"BATE", 670},
+{"BATH", 671},
+{"BAWD", 672},
+{"BAWL", 673},
+{"BAY", 50},
+{"BE", 51},
+{"BEAD", 674},
+{"BEAK", 675},
+{"BEAM", 676},
+{"BEAN", 677},
+{"BEAR", 678},
+{"BEAT", 679},
+{"BEAU", 680},
+{"BECK", 681},
+{"BED", 52},
+{"BEE", 53},
+{"BEEF", 682},
+{"BEEN", 683},
+{"BEER", 684},
+{"BEET", 685},
+{"BEG", 54},
+{"BELA", 686},
+{"BELL", 687},
+{"BELT", 688},
+{"BEN", 55},
+{"BEND", 689},
+{"BENT", 690},
+{"BERG", 691},
+{"BERN", 692},
+{"BERT", 693},
+{"BESS", 694},
+{"BEST", 695},
+{"BET", 56},
+{"BETA", 696},
+{"BETH", 697},
+{"BEY", 57},
+{"BHOY", 698},
+{"BIAS", 699},
+{"BIB", 58},
+{"BID", 59},
+{"BIDE", 700},
+{"BIEN", 701},
+{"BIG", 60},
+{"BILE", 702},
+{"BILK", 703},
+{"BILL", 704},
+{"BIN", 61},
+{"BIND", 705},
+{"BING", 706},
+{"BIRD", 707},
+{"BIT", 62},
+{"BITE", 708},
+{"BITS", 709},
+{"BLAB", 710},
+{"BLAT", 711},
+{"BLED", 712},
+{"BLEW", 713},
+{"BLOB", 714},
+{"BLOC", 715},
+{"BLOT", 716},
+{"BLOW", 717},
+{"BLUE", 718},
+{"BLUM", 719},
+{"BLUR", 720},
+{"BOAR", 721},
+{"BOAT", 722},
+{"BOB", 63},
+{"BOCA", 723},
+{"BOCK", 724},
+{"BODE", 725},
+{"BODY", 726},
+{"BOG", 64},
+{"BOGY", 727},
+{"BOHR", 728},
+{"BOIL", 729},
+{"BOLD", 730},
+{"BOLO", 731},
+{"BOLT", 732},
+{"BOMB", 733},
+{"BON", 65},
+{"BONA", 734},
+{"BOND", 735},
+{"BONE", 736},
+{"BONG", 737},
+{"BONN", 738},
+{"BONY", 739},
+{"BOO", 66},
+{"BOOK", 740},
+{"BOOM", 741},
+{"BOON", 742},
+{"BOOT", 743},
+{"BOP", 67},
+{"BORE", 744},
+{"BORG", 745},
+{"BORN", 746},
+{"BOSE", 747},
+{"BOSS", 748},
+{"BOTH", 749},
+{"BOUT", 750},
+{"BOW", 68},
+{"BOWL", 751},
+{"BOY", 69},
+{"BOYD", 752},
+{"BRAD", 753},
+{"BRAE", 754},
+{"BRAG", 755},
+{"BRAN", 756},
+{"BRAY", 757},
+{"BRED", 758},
+{"BREW", 759},
+{"BRIG", 760},
+{"BRIM", 761},
+{"BROW", 762},
+{"BUB", 70},
+{"BUCK", 763},
+{"BUD", 71},
+{"BUDD", 764},
+{"BUFF", 765},
+{"BUG", 72},
+{"BULB", 766},
+{"BULK", 767},
+{"BULL", 768},
+{"BUM", 73},
+{"BUN", 74},
+{"BUNK", 769},
+{"BUNT", 770},
+{"BUOY", 771},
+{"BURG", 772},
+{"BURL", 773},
+{"BURN", 774},
+{"BURR", 775},
+{"BURT", 776},
+{"BURY", 777},
+{"BUS", 75},
+{"BUSH", 778},
+{"BUSS", 779},
+{"BUST", 780},
+{"BUSY", 781},
+{"BUT", 76},
+{"BUY", 77},
+{"BY", 78},
+{"BYE", 79},
+{"BYTE", 782},
+{"CAB", 80},
+{"CADY", 783},
+{"CAFE", 784},
+{"CAGE", 785},
+{"CAIN", 786},
+{"CAKE", 787},
+{"CAL", 81},
+{"CALF", 788},
+{"CALL", 789},
+{"CALM", 790},
+{"CAM", 82},
+{"CAME", 791},
+{"CAN", 83},
+{"CANE", 792},
+{"CANT", 793},
+{"CAP", 84},
+{"CAR", 85},
+{"CARD", 794},
+{"CARE", 795},
+{"CARL", 796},
+{"CARR", 797},
+{"CART", 798},
+{"CASE", 799},
+{"CASH", 800},
+{"CASK", 801},
+{"CAST", 802},
+{"CAT", 86},
+{"CAVE", 803},
+{"CAW", 87},
+{"CEIL", 804},
+{"CELL", 805},
+{"CENT", 806},
+{"CERN", 807},
+{"CHAD", 808},
+{"CHAR", 809},
+{"CHAT", 810},
+{"CHAW", 811},
+{"CHEF", 812},
+{"CHEN", 813},
+{"CHEW", 814},
+{"CHIC", 815},
+{"CHIN", 816},
+{"CHOU", 817},
+{"CHOW", 818},
+{"CHUB", 819},
+{"CHUG", 820},
+{"CHUM", 821},
+{"CITE", 822},
+{"CITY", 823},
+{"CLAD", 824},
+{"CLAM", 825},
+{"CLAN", 826},
+{"CLAW", 827},
+{"CLAY", 828},
+{"CLOD", 829},
+{"CLOG", 830},
+{"CLOT", 831},
+{"CLUB", 832},
+{"CLUE", 833},
+{"COAL", 834},
+{"COAT", 835},
+{"COCA", 836},
+{"COCK", 837},
+{"COCO", 838},
+{"COD", 88},
+{"CODA", 839},
+{"CODE", 840},
+{"CODY", 841},
+{"COED", 842},
+{"COG", 89},
+{"COIL", 843},
+{"COIN", 844},
+{"COKE", 845},
+{"COL", 90},
+{"COLA", 846},
+{"COLD", 847},
+{"COLT", 848},
+{"COMA", 849},
+{"COMB", 850},
+{"COME", 851},
+{"CON", 91},
+{"COO", 92},
+{"COOK", 852},
+{"COOL", 853},
+{"COON", 854},
+{"COOT", 855},
+{"COP", 93},
+{"CORD", 856},
+{"CORE", 857},
+{"CORK", 858},
+{"CORN", 859},
+{"COST", 860},
+{"COT", 94},
+{"COVE", 861},
+{"COW", 95},
+{"COWL", 862},
+{"COY", 96},
+{"CRAB", 863},
+{"CRAG", 864},
+{"CRAM", 865},
+{"CRAY", 866},
+{"CREW", 867},
+{"CRIB", 868},
+{"CROW", 869},
+{"CRUD", 870},
+{"CRY", 97},
+{"CUB", 98},
+{"CUBA", 871},
+{"CUBE", 872},
+{"CUE", 99},
+{"CUFF", 873},
+{"CULL", 874},
+{"CULT", 875},
+{"CUNY", 876},
+{"CUP", 100},
+{"CUR", 101},
+{"CURB", 877},
+{"CURD", 878},
+{"CURE", 879},
+{"CURL", 880},
+{"CURT", 881},
+{"CUT", 102},
+{"CUTS", 882},
+{"DAB", 103},
+{"DAD", 104},
+{"DADE", 883},
+{"DALE", 884},
+{"DAM", 105},
+{"DAME", 885},
+{"DAN", 106},
+{"DANA", 886},
+{"DANE", 887},
+{"DANG", 888},
+{"DANK", 889},
+{"DAR", 107},
+{"DARE", 890},
+{"DARK", 891},
+{"DARN", 892},
+{"DART", 893},
+{"DASH", 894},
+{"DATA", 895},
+{"DATE", 896},
+{"DAVE", 897},
+{"DAVY", 898},
+{"DAWN", 899},
+{"DAY", 108},
+{"DAYS", 900},
+{"DEAD", 901},
+{"DEAF", 902},
+{"DEAL", 903},
+{"DEAN", 904},
+{"DEAR", 905},
+{"DEBT", 906},
+{"DECK", 907},
+{"DEE", 109},
+{"DEED", 908},
+{"DEEM", 909},
+{"DEER", 910},
+{"DEFT", 911},
+{"DEFY", 912},
+{"DEL", 110},
+{"DELL", 913},
+{"DEN", 111},
+{"DENT", 914},
+{"DENY", 915},
+{"DES", 112},
+{"DESK", 916},
+{"DEW", 113},
+{"DIAL", 917},
+{"DICE", 918},
+{"DID", 114},
+{"DIE", 115},
+{"DIED", 919},
+{"DIET", 920},
+{"DIG", 116},
+{"DIME", 921},
+{"DIN", 117},
+{"DINE", 922},
+{"DING", 923},
+{"DINT", 924},
+{"DIP", 118},
+{"DIRE", 925},
+{"DIRT", 926},
+{"DISC", 927},
+{"DISH", 928},
+{"DISK", 929},
+{"DIVE", 930},
+{"DO", 119},
+{"DOCK", 931},
+{"DOE", 120},
+{"DOES", 932},
+{"DOG", 121},
+{"DOLE", 933},
+{"DOLL", 934},
+{"DOLT", 935},
+{"DOME", 936},
+{"DON", 122},
+{"DONE", 937},
+{"DOOM", 938},
+{"DOOR", 939},
+{"DORA", 940},
+{"DOSE", 941},
+{"DOT", 123},
+{"DOTE", 942},
+{"DOUG", 943},
+{"DOUR", 944},
+{"DOVE", 945},
+{"DOW", 124},
+{"DOWN", 946},
+{"DRAB", 947},
+{"DRAG", 948},
+{"DRAM", 949},
+{"DRAW", 950},
+{"DREW", 951},
+{"DRUB", 952},
+{"DRUG", 953},
+{"DRUM", 954},
+{"DRY", 125},
+{"DUAL", 955},
+{"DUB", 126},
+{"DUCK", 956},
+{"DUCT", 957},
+{"DUD", 127},
+{"DUE", 128},
+{"DUEL", 958},
+{"DUET", 959},
+{"DUG", 129},
+{"DUKE", 960},
+{"DULL", 961},
+{"DUMB", 962},
+{"DUN", 130},
+{"DUNE", 963},
+{"DUNK", 964},
+{"DUSK", 965},
+{"DUST", 966},
+{"DUTY", 967},
+{"EACH", 968},
+{"EAR", 131},
+{"EARL", 969},
+{"EARN", 970},
+{"EASE", 971},
+{"EAST", 972},
+{"EASY", 973},
+{"EAT", 132},
+{"EBEN", 974},
+{"ECHO", 975},
+{"ED", 133},
+{"EDDY", 976},
+{"EDEN", 977},
+{"EDGE", 978},
+{"EDGY", 979},
+{"EDIT", 980},
+{"EDNA", 981},
+{"EEL", 134},
+{"EGAN", 982},
+{"EGG", 135},
+{"EGO", 136},
+{"ELAN", 983},
+{"ELBA", 984},
+{"ELI", 137},
+{"ELK", 138},
+{"ELLA", 985},
+{"ELM", 139},
+{"ELSE", 986},
+{"ELY", 140},
+{"EM", 141},
+{"EMIL", 987},
+{"EMIT", 988},
+{"EMMA", 989},
+{"END", 142},
+{"ENDS", 990},
+{"ERIC", 991},
+{"EROS", 992},
+{"EST", 143},
+{"ETC", 144},
+{"EVA", 145},
+{"EVE", 146},
+{"EVEN", 993},
+{"EVER", 994},
+{"EVIL", 995},
+{"EWE", 147},
+{"EYE", 148},
+{"EYED", 996},
+{"FACE", 997},
+{"FACT", 998},
+{"FAD", 149},
+{"FADE", 999},
+{"FAIL", 1000},
+{"FAIN", 1001},
+{"FAIR", 1002},
+{"FAKE", 1003},
+{"FALL", 1004},
+{"FAME", 1005},
+{"FAN", 150},
+{"FANG", 1006},
+{"FAR", 151},
+{"FARM", 1007},
+{"FAST", 1008},
+{"FAT", 152},
+{"FATE", 1009},
+{"FAWN", 1010},
+{"FAY", 153},
+{"FEAR", 1011},
+{"FEAT", 1012},
+{"FED", 154},
+{"FEE", 155},
+{"FEED", 1013},
+{"FEEL", 1014},
+{"FEET", 1015},
+{"FELL", 1016},
+{"FELT", 1017},
+{"FEND", 1018},
+{"FERN", 1019},
+{"FEST", 1020},
+{"FEUD", 1021},
+{"FEW", 156},
+{"FIB", 157},
+{"FIEF", 1022},
+{"FIG", 158},
+{"FIGS", 1023},
+{"FILE", 1024},
+{"FILL", 1025},
+{"FILM", 1026},
+{"FIN", 159},
+{"FIND", 1027},
+{"FINE", 1028},
+{"FINK", 1029},
+{"FIR", 160},
+{"FIRE", 1030},
+{"FIRM", 1031},
+{"FISH", 1032},
+{"FISK", 1033},
+{"FIST", 1034},
+{"FIT", 161},
+{"FITS", 1035},
+{"FIVE", 1036},
+{"FLAG", 1037},
+{"FLAK", 1038},
+{"FLAM", 1039},
+{"FLAT", 1040},
+{"FLAW", 1041},
+{"FLEA", 1042},
+{"FLED", 1043},
+{"FLEW", 1044},
+{"FLIT", 1045},
+{"FLO", 162},
+{"FLOC", 1046},
+{"FLOG", 1047},
+{"FLOW", 1048},
+{"FLUB", 1049},
+{"FLUE", 1050},
+{"FLY", 163},
+{"FOAL", 1051},
+{"FOAM", 1052},
+{"FOE", 164},
+{"FOG", 165},
+{"FOGY", 1053},
+{"FOIL", 1054},
+{"FOLD", 1055},
+{"FOLK", 1056},
+{"FOND", 1057},
+{"FONT", 1058},
+{"FOOD", 1059},
+{"FOOL", 1060},
+{"FOOT", 1061},
+{"FOR", 166},
+{"FORD", 1062},
+{"FORE", 1063},
+{"FORK", 1064},
+{"FORM", 1065},
+{"FORT", 1066},
+{"FOSS", 1067},
+{"FOUL", 1068},
+{"FOUR", 1069},
+{"FOWL", 1070},
+{"FRAU", 1071},
+{"FRAY", 1072},
+{"FRED", 1073},
+{"FREE", 1074},
+{"FRET", 1075},
+{"FREY", 1076},
+{"FROG", 1077},
+{"FROM", 1078},
+{"FRY", 167},
+{"FUEL", 1079},
+{"FULL", 1080},
+{"FUM", 168},
+{"FUME", 1081},
+{"FUN", 169},
+{"FUND", 1082},
+{"FUNK", 1083},
+{"FUR", 170},
+{"FURY", 1084},
+{"FUSE", 1085},
+{"FUSS", 1086},
+{"GAB", 171},
+{"GAD", 172},
+{"GAFF", 1087},
+{"GAG", 173},
+{"GAGE", 1088},
+{"GAIL", 1089},
+{"GAIN", 1090},
+{"GAIT", 1091},
+{"GAL", 174},
+{"GALA", 1092},
+{"GALE", 1093},
+{"GALL", 1094},
+{"GALT", 1095},
+{"GAM", 175},
+{"GAME", 1096},
+{"GANG", 1097},
+{"GAP", 176},
+{"GARB", 1098},
+{"GARY", 1099},
+{"GAS", 177},
+{"GASH", 1100},
+{"GATE", 1101},
+{"GAUL", 1102},
+{"GAUR", 1103},
+{"GAVE", 1104},
+{"GAWK", 1105},
+{"GAY", 178},
+{"GEAR", 1106},
+{"GEE", 179},
+{"GEL", 180},
+{"GELD", 1107},
+{"GEM", 181},
+{"GENE", 1108},
+{"GENT", 1109},
+{"GERM", 1110},
+{"GET", 182},
+{"GETS", 1111},
+{"GIBE", 1112},
+{"GIFT", 1113},
+{"GIG", 183},
+{"GIL", 184},
+{"GILD", 1114},
+{"GILL", 1115},
+{"GILT", 1116},
+{"GIN", 185},
+{"GINA", 1117},
+{"GIRD", 1118},
+{"GIRL", 1119},
+{"GIST", 1120},
+{"GIVE", 1121},
+{"GLAD", 1122},
+{"GLEE", 1123},
+{"GLEN", 1124},
+{"GLIB", 1125},
+{"GLOB", 1126},
+{"GLOM", 1127},
+{"GLOW", 1128},
+{"GLUE", 1129},
+{"GLUM", 1130},
+{"GLUT", 1131},
+{"GO", 186},
+{"GOAD", 1132},
+{"GOAL", 1133},
+{"GOAT", 1134},
+{"GOER", 1135},
+{"GOES", 1136},
+{"GOLD", 1137},
+{"GOLF", 1138},
+{"GONE", 1139},
+{"GONG", 1140},
+{"GOOD", 1141},
+{"GOOF", 1142},
+{"GORE", 1143},
+{"GORY", 1144},
+{"GOSH", 1145},
+{"GOT", 187},
+{"GOUT", 1146},
+{"GOWN", 1147},
+{"GRAB", 1148},
+{"GRAD", 1149},
+{"GRAY", 1150},
+{"GREG", 1151},
+{"GREW", 1152},
+{"GREY", 1153},
+{"GRID", 1154},
+{"GRIM", 1155},
+{"GRIN", 1156},
+{"GRIT", 1157},
+{"GROW", 1158},
+{"GRUB", 1159},
+{"GULF", 1160},
+{"GULL", 1161},
+{"GUM", 188},
+{"GUN", 189},
+{"GUNK", 1162},
+{"GURU", 1163},
+{"GUS", 190},
+{"GUSH", 1164},
+{"GUST", 1165},
+{"GUT", 191},
+{"GUY", 192},
+{"GWEN", 1166},
+{"GWYN", 1167},
+{"GYM", 193},
+{"GYP", 194},
+{"HA", 195},
+{"HAAG", 1168},
+{"HAAS", 1169},
+{"HACK", 1170},
+{"HAD", 196},
+{"HAIL", 1171},
+{"HAIR", 1172},
+{"HAL", 197},
+{"HALE", 1173},
+{"HALF", 1174},
+{"HALL", 1175},
+{"HALO", 1176},
+{"HALT", 1177},
+{"HAM", 198},
+{"HAN", 199},
+{"HAND", 1178},
+{"HANG", 1179},
+{"HANK", 1180},
+{"HANS", 1181},
+{"HAP", 200},
+{"HARD", 1182},
+{"HARK", 1183},
+{"HARM", 1184},
+{"HART", 1185},
+{"HAS", 201},
+{"HASH", 1186},
+{"HAST", 1187},
+{"HAT", 202},
+{"HATE", 1188},
+{"HATH", 1189},
+{"HAUL", 1190},
+{"HAVE", 1191},
+{"HAW", 203},
+{"HAWK", 1192},
+{"HAY", 204},
+{"HAYS", 1193},
+{"HE", 205},
+{"HEAD", 1194},
+{"HEAL", 1195},
+{"HEAR", 1196},
+{"HEAT", 1197},
+{"HEBE", 1198},
+{"HECK", 1199},
+{"HEED", 1200},
+{"HEEL", 1201},
+{"HEFT", 1202},
+{"HELD", 1203},
+{"HELL", 1204},
+{"HELM", 1205},
+{"HEM", 206},
+{"HEN", 207},
+{"HER", 208},
+{"HERB", 1206},
+{"HERD", 1207},
+{"HERE", 1208},
+{"HERO", 1209},
+{"HERS", 1210},
+{"HESS", 1211},
+{"HEW", 209},
+{"HEWN", 1212},
+{"HEY", 210},
+{"HI", 211},
+{"HICK", 1213},
+{"HID", 212},
+{"HIDE", 1214},
+{"HIGH", 1215},
+{"HIKE", 1216},
+{"HILL", 1217},
+{"HILT", 1218},
+{"HIM", 213},
+{"HIND", 1219},
+{"HINT", 1220},
+{"HIP", 214},
+{"HIRE", 1221},
+{"HIS", 215},
+{"HISS", 1222},
+{"HIT", 216},
+{"HIVE", 1223},
+{"HO", 217},
+{"HOB", 218},
+{"HOBO", 1224},
+{"HOC", 219},
+{"HOCK", 1225},
+{"HOE", 220},
+{"HOFF", 1226},
+{"HOG", 221},
+{"HOLD", 1227},
+{"HOLE", 1228},
+{"HOLM", 1229},
+{"HOLT", 1230},
+{"HOME", 1231},
+{"HONE", 1232},
+{"HONK", 1233},
+{"HOOD", 1234},
+{"HOOF", 1235},
+{"HOOK", 1236},
+{"HOOT", 1237},
+{"HOP", 222},
+{"HORN", 1238},
+{"HOSE", 1239},
+{"HOST", 1240},
+{"HOT", 223},
+{"HOUR", 1241},
+{"HOVE", 1242},
+{"HOW", 224},
+{"HOWE", 1243},
+{"HOWL", 1244},
+{"HOYT", 1245},
+{"HUB", 225},
+{"HUCK", 1246},
+{"HUE", 226},
+{"HUED", 1247},
+{"HUFF", 1248},
+{"HUG", 227},
+{"HUGE", 1249},
+{"HUGH", 1250},
+{"HUGO", 1251},
+{"HUH", 228},
+{"HULK", 1252},
+{"HULL", 1253},
+{"HUM", 229},
+{"HUNK", 1254},
+{"HUNT", 1255},
+{"HURD", 1256},
+{"HURL", 1257},
+{"HURT", 1258},
+{"HUSH", 1259},
+{"HUT", 230},
+{"HYDE", 1260},
+{"HYMN", 1261},
+{"I", 231},
+{"IBIS", 1262},
+{"ICON", 1263},
+{"ICY", 232},
+{"IDA", 233},
+{"IDEA", 1264},
+{"IDLE", 1265},
+{"IF", 234},
+{"IFFY", 1266},
+{"IKE", 235},
+{"ILL", 236},
+{"INCA", 1267},
+{"INCH", 1268},
+{"INK", 237},
+{"INN", 238},
+{"INTO", 1269},
+{"IO", 239},
+{"ION", 240},
+{"IONS", 1270},
+{"IOTA", 1271},
+{"IOWA", 1272},
+{"IQ", 241},
+{"IRA", 242},
+{"IRE", 243},
+{"IRIS", 1273},
+{"IRK", 244},
+{"IRMA", 1274},
+{"IRON", 1275},
+{"IS", 245},
+{"ISLE", 1276},
+{"IT", 246},
+{"ITCH", 1277},
+{"ITEM", 1278},
+{"ITS", 247},
+{"IVAN", 1279},
+{"IVY", 248},
+{"JAB", 249},
+{"JACK", 1280},
+{"JADE", 1281},
+{"JAG", 250},
+{"JAIL", 1282},
+{"JAKE", 1283},
+{"JAM", 251},
+{"JAN", 252},
+{"JANE", 1284},
+{"JAR", 253},
+{"JAVA", 1285},
+{"JAW", 254},
+{"JAY", 255},
+{"JEAN", 1286},
+{"JEFF", 1287},
+{"JERK", 1288},
+{"JESS", 1289},
+{"JEST", 1290},
+{"JET", 256},
+{"JIBE", 1291},
+{"JIG", 257},
+{"JILL", 1292},
+{"JILT", 1293},
+{"JIM", 258},
+{"JIVE", 1294},
+{"JO", 259},
+{"JOAN", 1295},
+{"JOB", 260},
+{"JOBS", 1296},
+{"JOCK", 1297},
+{"JOE", 261},
+{"JOEL", 1298},
+{"JOEY", 1299},
+{"JOG", 262},
+{"JOHN", 1300},
+{"JOIN", 1301},
+{"JOKE", 1302},
+{"JOLT", 1303},
+{"JOT", 263},
+{"JOVE", 1304},
+{"JOY", 264},
+{"JUDD", 1305},
+{"JUDE", 1306},
+{"JUDO", 1307},
+{"JUDY", 1308},
+{"JUG", 265},
+{"JUJU", 1309},
+{"JUKE", 1310},
+{"JULY", 1311},
+{"JUNE", 1312},
+{"JUNK", 1313},
+{"JUNO", 1314},
+{"JURY", 1315},
+{"JUST", 1316},
+{"JUT", 266},
+{"JUTE", 1317},
+{"KAHN", 1318},
+{"KALE", 1319},
+{"KANE", 1320},
+{"KANT", 1321},
+{"KARL", 1322},
+{"KATE", 1323},
+{"KAY", 267},
+{"KEEL", 1324},
+{"KEEN", 1325},
+{"KEG", 268},
+{"KEN", 269},
+{"KENO", 1326},
+{"KENT", 1327},
+{"KERN", 1328},
+{"KERR", 1329},
+{"KEY", 270},
+{"KEYS", 1330},
+{"KICK", 1331},
+{"KID", 271},
+{"KILL", 1332},
+{"KIM", 272},
+{"KIN", 273},
+{"KIND", 1333},
+{"KING", 1334},
+{"KIRK", 1335},
+{"KISS", 1336},
+{"KIT", 274},
+{"KITE", 1337},
+{"KLAN", 1338},
+{"KNEE", 1339},
+{"KNEW", 1340},
+{"KNIT", 1341},
+{"KNOB", 1342},
+{"KNOT", 1343},
+{"KNOW", 1344},
+{"KOCH", 1345},
+{"KONG", 1346},
+{"KUDO", 1347},
+{"KURD", 1348},
+{"KURT", 1349},
+{"KYLE", 1350},
+{"LA", 275},
+{"LAB", 276},
+{"LAC", 277},
+{"LACE", 1351},
+{"LACK", 1352},
+{"LACY", 1353},
+{"LAD", 278},
+{"LADY", 1354},
+{"LAG", 279},
+{"LAID", 1355},
+{"LAIN", 1356},
+{"LAIR", 1357},
+{"LAKE", 1358},
+{"LAM", 280},
+{"LAMB", 1359},
+{"LAME", 1360},
+{"LAND", 1361},
+{"LANE", 1362},
+{"LANG", 1363},
+{"LAP", 281},
+{"LARD", 1364},
+{"LARK", 1365},
+{"LASS", 1366},
+{"LAST", 1367},
+{"LATE", 1368},
+{"LAUD", 1369},
+{"LAVA", 1370},
+{"LAW", 282},
+{"LAWN", 1371},
+{"LAWS", 1372},
+{"LAY", 283},
+{"LAYS", 1373},
+{"LEA", 284},
+{"LEAD", 1374},
+{"LEAF", 1375},
+{"LEAK", 1376},
+{"LEAN", 1377},
+{"LEAR", 1378},
+{"LED", 285},
+{"LEE", 286},
+{"LEEK", 1379},
+{"LEER", 1380},
+{"LEFT", 1381},
+{"LEG", 287},
+{"LEN", 288},
+{"LEND", 1382},
+{"LENS", 1383},
+{"LENT", 1384},
+{"LEO", 289},
+{"LEON", 1385},
+{"LESK", 1386},
+{"LESS", 1387},
+{"LEST", 1388},
+{"LET", 290},
+{"LETS", 1389},
+{"LEW", 291},
+{"LIAR", 1390},
+{"LICE", 1391},
+{"LICK", 1392},
+{"LID", 292},
+{"LIE", 293},
+{"LIED", 1393},
+{"LIEN", 1394},
+{"LIES", 1395},
+{"LIEU", 1396},
+{"LIFE", 1397},
+{"LIFT", 1398},
+{"LIKE", 1399},
+{"LILA", 1400},
+{"LILT", 1401},
+{"LILY", 1402},
+{"LIMA", 1403},
+{"LIMB", 1404},
+{"LIME", 1405},
+{"LIN", 294},
+{"LIND", 1406},
+{"LINE", 1407},
+{"LINK", 1408},
+{"LINT", 1409},
+{"LION", 1410},
+{"LIP", 295},
+{"LISA", 1411},
+{"LIST", 1412},
+{"LIT", 296},
+{"LIVE", 1413},
+{"LO", 297},
+{"LOAD", 1414},
+{"LOAF", 1415},
+{"LOAM", 1416},
+{"LOAN", 1417},
+{"LOB", 298},
+{"LOCK", 1418},
+{"LOFT", 1419},
+{"LOG", 299},
+{"LOGE", 1420},
+{"LOIS", 1421},
+{"LOLA", 1422},
+{"LONE", 1423},
+{"LONG", 1424},
+{"LOOK", 1425},
+{"LOON", 1426},
+{"LOOT", 1427},
+{"LOP", 300},
+{"LORD", 1428},
+{"LORE", 1429},
+{"LOS", 301},
+{"LOSE", 1430},
+{"LOSS", 1431},
+{"LOST", 1432},
+{"LOT", 302},
+{"LOU", 303},
+{"LOUD", 1433},
+{"LOVE", 1434},
+{"LOW", 304},
+{"LOWE", 1435},
+{"LOY", 305},
+{"LUCK", 1436},
+{"LUCY", 1437},
+{"LUG", 306},
+{"LUGE", 1438},
+{"LUKE", 1439},
+{"LULU", 1440},
+{"LUND", 1441},
+{"LUNG", 1442},
+{"LURA", 1443},
+{"LURE", 1444},
+{"LURK", 1445},
+{"LUSH", 1446},
+{"LUST", 1447},
+{"LYE", 307},
+{"LYLE", 1448},
+{"LYNN", 1449},
+{"LYON", 1450},
+{"LYRA", 1451},
+{"MA", 308},
+{"MAC", 309},
+{"MACE", 1452},
+{"MAD", 310},
+{"MADE", 1453},
+{"MAE", 311},
+{"MAGI", 1454},
+{"MAID", 1455},
+{"MAIL", 1456},
+{"MAIN", 1457},
+{"MAKE", 1458},
+{"MALE", 1459},
+{"MALI", 1460},
+{"MALL", 1461},
+{"MALT", 1462},
+{"MAN", 312},
+{"MANA", 1463},
+{"MANN", 1464},
+{"MANY", 1465},
+{"MAO", 313},
+{"MAP", 314},
+{"MARC", 1466},
+{"MARE", 1467},
+{"MARK", 1468},
+{"MARS", 1469},
+{"MART", 1470},
+{"MARY", 1471},
+{"MASH", 1472},
+{"MASK", 1473},
+{"MASS", 1474},
+{"MAST", 1475},
+{"MAT", 315},
+{"MATE", 1476},
+{"MATH", 1477},
+{"MAUL", 1478},
+{"MAW", 316},
+{"MAY", 317},
+{"MAYO", 1479},
+{"ME", 318},
+{"MEAD", 1480},
+{"MEAL", 1481},
+{"MEAN", 1482},
+{"MEAT", 1483},
+{"MEEK", 1484},
+{"MEET", 1485},
+{"MEG", 319},
+{"MEL", 320},
+{"MELD", 1486},
+{"MELT", 1487},
+{"MEMO", 1488},
+{"MEN", 321},
+{"MEND", 1489},
+{"MENU", 1490},
+{"MERT", 1491},
+{"MESH", 1492},
+{"MESS", 1493},
+{"MET", 322},
+{"MEW", 323},
+{"MICE", 1494},
+{"MID", 324},
+{"MIKE", 1495},
+{"MILD", 1496},
+{"MILE", 1497},
+{"MILK", 1498},
+{"MILL", 1499},
+{"MILT", 1500},
+{"MIMI", 1501},
+{"MIN", 325},
+{"MIND", 1502},
+{"MINE", 1503},
+{"MINI", 1504},
+{"MINK", 1505},
+{"MINT", 1506},
+{"MIRE", 1507},
+{"MISS", 1508},
+{"MIST", 1509},
+{"MIT", 326},
+{"MITE", 1510},
+{"MITT", 1511},
+{"MOAN", 1512},
+{"MOAT", 1513},
+{"MOB", 327},
+{"MOCK", 1514},
+{"MOD", 328},
+{"MODE", 1515},
+{"MOE", 329},
+{"MOLD", 1516},
+{"MOLE", 1517},
+{"MOLL", 1518},
+{"MOLT", 1519},
+{"MONA", 1520},
+{"MONK", 1521},
+{"MONT", 1522},
+{"MOO", 330},
+{"MOOD", 1523},
+{"MOON", 1524},
+{"MOOR", 1525},
+{"MOOT", 1526},
+{"MOP", 331},
+{"MORE", 1527},
+{"MORN", 1528},
+{"MORT", 1529},
+{"MOS", 332},
+{"MOSS", 1530},
+{"MOST", 1531},
+{"MOT", 333},
+{"MOTH", 1532},
+{"MOVE", 1533},
+{"MOW", 334},
+{"MUCH", 1534},
+{"MUCK", 1535},
+{"MUD", 335},
+{"MUDD", 1536},
+{"MUFF", 1537},
+{"MUG", 336},
+{"MULE", 1538},
+{"MULL", 1539},
+{"MUM", 337},
+{"MURK", 1540},
+{"MUSH", 1541},
+{"MUST", 1542},
+{"MUTE", 1543},
+{"MUTT", 1544},
+{"MY", 338},
+{"MYRA", 1545},
+{"MYTH", 1546},
+{"NAB", 339},
+{"NAG", 340},
+{"NAGY", 1547},
+{"NAIL", 1548},
+{"NAIR", 1549},
+{"NAME", 1550},
+{"NAN", 341},
+{"NAP", 342},
+{"NARY", 1551},
+{"NASH", 1552},
+{"NAT", 343},
+{"NAVE", 1553},
+{"NAVY", 1554},
+{"NAY", 344},
+{"NE", 345},
+{"NEAL", 1555},
+{"NEAR", 1556},
+{"NEAT", 1557},
+{"NECK", 1558},
+{"NED", 346},
+{"NEE", 347},
+{"NEED", 1559},
+{"NEIL", 1560},
+{"NELL", 1561},
+{"NEON", 1562},
+{"NERO", 1563},
+{"NESS", 1564},
+{"NEST", 1565},
+{"NET", 348},
+{"NEW", 349},
+{"NEWS", 1566},
+{"NEWT", 1567},
+{"NIB", 350},
+{"NIBS", 1568},
+{"NICE", 1569},
+{"NICK", 1570},
+{"NIIL", 351},
+{"NILE", 1571},
+{"NINA", 1572},
+{"NINE", 1573},
+{"NIP", 352},
+{"NIT", 353},
+{"NO", 354},
+{"NOAH", 1574},
+{"NOB", 355},
+{"NOD", 356},
+{"NODE", 1575},
+{"NOEL", 1576},
+{"NOLL", 1577},
+{"NON", 357},
+{"NONE", 1578},
+{"NOOK", 1579},
+{"NOON", 1580},
+{"NOR", 358},
+{"NORM", 1581},
+{"NOSE", 1582},
+{"NOT", 359},
+{"NOTE", 1583},
+{"NOUN", 1584},
+{"NOV", 360},
+{"NOVA", 1585},
+{"NOW", 361},
+{"NU", 362},
+{"NUDE", 1586},
+{"NULL", 1587},
+{"NUMB", 1588},
+{"NUN", 363},
+{"NUT", 364},
+{"O", 365},
+{"OAF", 366},
+{"OAK", 367},
+{"OAR", 368},
+{"OAT", 369},
+{"OATH", 1589},
+{"OBEY", 1590},
+{"OBOE", 1591},
+{"ODD", 370},
+{"ODE", 371},
+{"ODIN", 1592},
+{"OF", 372},
+{"OFF", 373},
+{"OFT", 374},
+{"OH", 375},
+{"OHIO", 1593},
+{"OIL", 376},
+{"OILY", 1594},
+{"OINT", 1595},
+{"OK", 377},
+{"OKAY", 1596},
+{"OLAF", 1597},
+{"OLD", 378},
+{"OLDY", 1598},
+{"OLGA", 1599},
+{"OLIN", 1600},
+{"OMAN", 1601},
+{"OMEN", 1602},
+{"OMIT", 1603},
+{"ON", 379},
+{"ONCE", 1604},
+{"ONE", 380},
+{"ONES", 1605},
+{"ONLY", 1606},
+{"ONTO", 1607},
+{"ONUS", 1608},
+{"OR", 381},
+{"ORAL", 1609},
+{"ORB", 382},
+{"ORE", 383},
+{"ORGY", 1610},
+{"ORR", 384},
+{"OS", 385},
+{"OSLO", 1611},
+{"OTIS", 1612},
+{"OTT", 386},
+{"OTTO", 1613},
+{"OUCH", 1614},
+{"OUR", 387},
+{"OUST", 1615},
+{"OUT", 388},
+{"OUTS", 1616},
+{"OVA", 389},
+{"OVAL", 1617},
+{"OVEN", 1618},
+{"OVER", 1619},
+{"OW", 390},
+{"OWE", 391},
+{"OWL", 392},
+{"OWLY", 1620},
+{"OWN", 393},
+{"OWNS", 1621},
+{"OX", 394},
+{"PA", 395},
+{"PAD", 396},
+{"PAL", 397},
+{"PAM", 398},
+{"PAN", 399},
+{"PAP", 400},
+{"PAR", 401},
+{"PAT", 402},
+{"PAW", 403},
+{"PAY", 404},
+{"PEA", 405},
+{"PEG", 406},
+{"PEN", 407},
+{"PEP", 408},
+{"PER", 409},
+{"PET", 410},
+{"PEW", 411},
+{"PHI", 412},
+{"PI", 413},
+{"PIE", 414},
+{"PIN", 415},
+{"PIT", 416},
+{"PLY", 417},
+{"PO", 418},
+{"POD", 419},
+{"POE", 420},
+{"POP", 421},
+{"POT", 422},
+{"POW", 423},
+{"PRO", 424},
+{"PRY", 425},
+{"PUB", 426},
+{"PUG", 427},
+{"PUN", 428},
+{"PUP", 429},
+{"PUT", 430},
+{"QUAD", 1622},
+{"QUIT", 1623},
+{"QUO", 431},
+{"QUOD", 1624},
+{"RACE", 1625},
+{"RACK", 1626},
+{"RACY", 1627},
+{"RAFT", 1628},
+{"RAG", 432},
+{"RAGE", 1629},
+{"RAID", 1630},
+{"RAIL", 1631},
+{"RAIN", 1632},
+{"RAKE", 1633},
+{"RAM", 433},
+{"RAN", 434},
+{"RANK", 1634},
+{"RANT", 1635},
+{"RAP", 435},
+{"RARE", 1636},
+{"RASH", 1637},
+{"RAT", 436},
+{"RATE", 1638},
+{"RAVE", 1639},
+{"RAW", 437},
+{"RAY", 438},
+{"RAYS", 1640},
+{"READ", 1641},
+{"REAL", 1642},
+{"REAM", 1643},
+{"REAR", 1644},
+{"REB", 439},
+{"RECK", 1645},
+{"RED", 440},
+{"REED", 1646},
+{"REEF", 1647},
+{"REEK", 1648},
+{"REEL", 1649},
+{"REID", 1650},
+{"REIN", 1651},
+{"RENA", 1652},
+{"REND", 1653},
+{"RENT", 1654},
+{"REP", 441},
+{"REST", 1655},
+{"RET", 442},
+{"RIB", 443},
+{"RICE", 1656},
+{"RICH", 1657},
+{"RICK", 1658},
+{"RID", 444},
+{"RIDE", 1659},
+{"RIFT", 1660},
+{"RIG", 445},
+{"RILL", 1661},
+{"RIM", 446},
+{"RIME", 1662},
+{"RING", 1663},
+{"RINK", 1664},
+{"RIO", 447},
+{"RIP", 448},
+{"RISE", 1665},
+{"RISK", 1666},
+{"RITE", 1667},
+{"ROAD", 1668},
+{"ROAM", 1669},
+{"ROAR", 1670},
+{"ROB", 449},
+{"ROBE", 1671},
+{"ROCK", 1672},
+{"ROD", 450},
+{"RODE", 1673},
+{"ROE", 451},
+{"ROIL", 1674},
+{"ROLL", 1675},
+{"ROME", 1676},
+{"RON", 452},
+{"ROOD", 1677},
+{"ROOF", 1678},
+{"ROOK", 1679},
+{"ROOM", 1680},
+{"ROOT", 1681},
+{"ROSA", 1682},
+{"ROSE", 1683},
+{"ROSS", 1684},
+{"ROSY", 1685},
+{"ROT", 453},
+{"ROTH", 1686},
+{"ROUT", 1687},
+{"ROVE", 1688},
+{"ROW", 454},
+{"ROWE", 1689},
+{"ROWS", 1690},
+{"ROY", 455},
+{"RUB", 456},
+{"RUBE", 1691},
+{"RUBY", 1692},
+{"RUDE", 1693},
+{"RUDY", 1694},
+{"RUE", 457},
+{"RUG", 458},
+{"RUIN", 1695},
+{"RULE", 1696},
+{"RUM", 459},
+{"RUN", 460},
+{"RUNG", 1697},
+{"RUNS", 1698},
+{"RUNT", 1699},
+{"RUSE", 1700},
+{"RUSH", 1701},
+{"RUSK", 1702},
+{"RUSS", 1703},
+{"RUST", 1704},
+{"RUTH", 1705},
+{"RYE", 461},
+{"SAC", 462},
+{"SACK", 1706},
+{"SAD", 463},
+{"SAFE", 1707},
+{"SAG", 464},
+{"SAGE", 1708},
+{"SAID", 1709},
+{"SAIL", 1710},
+{"SAL", 465},
+{"SALE", 1711},
+{"SALK", 1712},
+{"SALT", 1713},
+{"SAM", 466},
+{"SAME", 1714},
+{"SAN", 467},
+{"SAND", 1715},
+{"SANE", 1716},
+{"SANG", 1717},
+{"SANK", 1718},
+{"SAP", 468},
+{"SARA", 1719},
+{"SAT", 469},
+{"SAUL", 1720},
+{"SAVE", 1721},
+{"SAW", 470},
+{"SAY", 471},
+{"SAYS", 1722},
+{"SCAN", 1723},
+{"SCAR", 1724},
+{"SCAT", 1725},
+{"SCOT", 1726},
+{"SEA", 472},
+{"SEAL", 1727},
+{"SEAM", 1728},
+{"SEAR", 1729},
+{"SEAT", 1730},
+{"SEC", 473},
+{"SEE", 474},
+{"SEED", 1731},
+{"SEEK", 1732},
+{"SEEM", 1733},
+{"SEEN", 1734},
+{"SEES", 1735},
+{"SELF", 1736},
+{"SELL", 1737},
+{"SEN", 475},
+{"SEND", 1738},
+{"SENT", 1739},
+{"SET", 476},
+{"SETS", 1740},
+{"SEW", 477},
+{"SEWN", 1741},
+{"SHAG", 1742},
+{"SHAM", 1743},
+{"SHAW", 1744},
+{"SHAY", 1745},
+{"SHE", 478},
+{"SHED", 1746},
+{"SHIM", 1747},
+{"SHIN", 1748},
+{"SHOD", 1749},
+{"SHOE", 1750},
+{"SHOT", 1751},
+{"SHOW", 1752},
+{"SHUN", 1753},
+{"SHUT", 1754},
+{"SHY", 479},
+{"SICK", 1755},
+{"SIDE", 1756},
+{"SIFT", 1757},
+{"SIGH", 1758},
+{"SIGN", 1759},
+{"SILK", 1760},
+{"SILL", 1761},
+{"SILO", 1762},
+{"SILT", 1763},
+{"SIN", 480},
+{"SINE", 1764},
+{"SING", 1765},
+{"SINK", 1766},
+{"SIP", 481},
+{"SIR", 482},
+{"SIRE", 1767},
+{"SIS", 483},
+{"SIT", 484},
+{"SITE", 1768},
+{"SITS", 1769},
+{"SITU", 1770},
+{"SKAT", 1771},
+{"SKEW", 1772},
+{"SKI", 485},
+{"SKID", 1773},
+{"SKIM", 1774},
+{"SKIN", 1775},
+{"SKIT", 1776},
+{"SKY", 486},
+{"SLAB", 1777},
+{"SLAM", 1778},
+{"SLAT", 1779},
+{"SLAY", 1780},
+{"SLED", 1781},
+{"SLEW", 1782},
+{"SLID", 1783},
+{"SLIM", 1784},
+{"SLIT", 1785},
+{"SLOB", 1786},
+{"SLOG", 1787},
+{"SLOT", 1788},
+{"SLOW", 1789},
+{"SLUG", 1790},
+{"SLUM", 1791},
+{"SLUR", 1792},
+{"SLY", 487},
+{"SMOG", 1793},
+{"SMUG", 1794},
+{"SNAG", 1795},
+{"SNOB", 1796},
+{"SNOW", 1797},
+{"SNUB", 1798},
+{"SNUG", 1799},
+{"SO", 488},
+{"SOAK", 1800},
+{"SOAR", 1801},
+{"SOB", 489},
+{"SOCK", 1802},
+{"SOD", 490},
+{"SODA", 1803},
+{"SOFA", 1804},
+{"SOFT", 1805},
+{"SOIL", 1806},
+{"SOLD", 1807},
+{"SOME", 1808},
+{"SON", 491},
+{"SONG", 1809},
+{"SOON", 1810},
+{"SOOT", 1811},
+{"SOP", 492},
+{"SORE", 1812},
+{"SORT", 1813},
+{"SOUL", 1814},
+{"SOUR", 1815},
+{"SOW", 493},
+{"SOWN", 1816},
+{"SOY", 494},
+{"SPA", 495},
+{"SPY", 496},
+{"STAB", 1817},
+{"STAG", 1818},
+{"STAN", 1819},
+{"STAR", 1820},
+{"STAY", 1821},
+{"STEM", 1822},
+{"STEW", 1823},
+{"STIR", 1824},
+{"STOW", 1825},
+{"STUB", 1826},
+{"STUN", 1827},
+{"SUB", 497},
+{"SUCH", 1828},
+{"SUD", 498},
+{"SUDS", 1829},
+{"SUE", 499},
+{"SUIT", 1830},
+{"SULK", 1831},
+{"SUM", 500},
+{"SUMS", 1832},
+{"SUN", 501},
+{"SUNG", 1833},
+{"SUNK", 1834},
+{"SUP", 502},
+{"SURE", 1835},
+{"SURF", 1836},
+{"SWAB", 1837},
+{"SWAG", 1838},
+{"SWAM", 1839},
+{"SWAN", 1840},
+{"SWAT", 1841},
+{"SWAY", 1842},
+{"SWIM", 1843},
+{"SWUM", 1844},
+{"TAB", 503},
+{"TACK", 1845},
+{"TACT", 1846},
+{"TAD", 504},
+{"TAG", 505},
+{"TAIL", 1847},
+{"TAKE", 1848},
+{"TALE", 1849},
+{"TALK", 1850},
+{"TALL", 1851},
+{"TAN", 506},
+{"TANK", 1852},
+{"TAP", 507},
+{"TAR", 508},
+{"TASK", 1853},
+{"TATE", 1854},
+{"TAUT", 1855},
+{"TEA", 509},
+{"TEAL", 1856},
+{"TEAM", 1857},
+{"TEAR", 1858},
+{"TECH", 1859},
+{"TED", 510},
+{"TEE", 511},
+{"TEEM", 1860},
+{"TEEN", 1861},
+{"TEET", 1862},
+{"TELL", 1863},
+{"TEN", 512},
+{"TEND", 1864},
+{"TENT", 1865},
+{"TERM", 1866},
+{"TERN", 1867},
+{"TESS", 1868},
+{"TEST", 1869},
+{"THAN", 1870},
+{"THAT", 1871},
+{"THE", 513},
+{"THEE", 1872},
+{"THEM", 1873},
+{"THEN", 1874},
+{"THEY", 1875},
+{"THIN", 1876},
+{"THIS", 1877},
+{"THUD", 1878},
+{"THUG", 1879},
+{"THY", 514},
+{"TIC", 515},
+{"TICK", 1880},
+{"TIDE", 1881},
+{"TIDY", 1882},
+{"TIE", 516},
+{"TIED", 1883},
+{"TIER", 1884},
+{"TILE", 1885},
+{"TILL", 1886},
+{"TILT", 1887},
+{"TIM", 517},
+{"TIME", 1888},
+{"TIN", 518},
+{"TINA", 1889},
+{"TINE", 1890},
+{"TINT", 1891},
+{"TINY", 1892},
+{"TIP", 519},
+{"TIRE", 1893},
+{"TO", 520},
+{"TOAD", 1894},
+{"TOE", 521},
+{"TOG", 522},
+{"TOGO", 1895},
+{"TOIL", 1896},
+{"TOLD", 1897},
+{"TOLL", 1898},
+{"TOM", 523},
+{"TON", 524},
+{"TONE", 1899},
+{"TONG", 1900},
+{"TONY", 1901},
+{"TOO", 525},
+{"TOOK", 1902},
+{"TOOL", 1903},
+{"TOOT", 1904},
+{"TOP", 526},
+{"TORE", 1905},
+{"TORN", 1906},
+{"TOTE", 1907},
+{"TOUR", 1908},
+{"TOUT", 1909},
+{"TOW", 527},
+{"TOWN", 1910},
+{"TOY", 528},
+{"TRAG", 1911},
+{"TRAM", 1912},
+{"TRAY", 1913},
+{"TREE", 1914},
+{"TREK", 1915},
+{"TRIG", 1916},
+{"TRIM", 1917},
+{"TRIO", 1918},
+{"TROD", 1919},
+{"TROT", 1920},
+{"TROY", 1921},
+{"TRUE", 1922},
+{"TRY", 529},
+{"TUB", 530},
+{"TUBA", 1923},
+{"TUBE", 1924},
+{"TUCK", 1925},
+{"TUFT", 1926},
+{"TUG", 531},
+{"TUM", 532},
+{"TUN", 533},
+{"TUNA", 1927},
+{"TUNE", 1928},
+{"TUNG", 1929},
+{"TURF", 1930},
+{"TURN", 1931},
+{"TUSK", 1932},
+{"TWIG", 1933},
+{"TWIN", 1934},
+{"TWIT", 1935},
+{"TWO", 534},
+{"ULAN", 1936},
+{"UN", 535},
+{"UNIT", 1937},
+{"UP", 536},
+{"URGE", 1938},
+{"US", 537},
+{"USE", 538},
+{"USED", 1939},
+{"USER", 1940},
+{"USES", 1941},
+{"UTAH", 1942},
+{"VAIL", 1943},
+{"VAIN", 1944},
+{"VALE", 1945},
+{"VAN", 539},
+{"VARY", 1946},
+{"VASE", 1947},
+{"VAST", 1948},
+{"VAT", 540},
+{"VEAL", 1949},
+{"VEDA", 1950},
+{"VEIL", 1951},
+{"VEIN", 1952},
+{"VEND", 1953},
+{"VENT", 1954},
+{"VERB", 1955},
+{"VERY", 1956},
+{"VET", 541},
+{"VETO", 1957},
+{"VICE", 1958},
+{"VIE", 542},
+{"VIEW", 1959},
+{"VINE", 1960},
+{"VISE", 1961},
+{"VOID", 1962},
+{"VOLT", 1963},
+{"VOTE", 1964},
+{"WACK", 1965},
+{"WAD", 543},
+{"WADE", 1966},
+{"WAG", 544},
+{"WAGE", 1967},
+{"WAIL", 1968},
+{"WAIT", 1969},
+{"WAKE", 1970},
+{"WALE", 1971},
+{"WALK", 1972},
+{"WALL", 1973},
+{"WALT", 1974},
+{"WAND", 1975},
+{"WANE", 1976},
+{"WANG", 1977},
+{"WANT", 1978},
+{"WAR", 545},
+{"WARD", 1979},
+{"WARM", 1980},
+{"WARN", 1981},
+{"WART", 1982},
+{"WAS", 546},
+{"WASH", 1983},
+{"WAST", 1984},
+{"WATS", 1985},
+{"WATT", 1986},
+{"WAVE", 1987},
+{"WAVY", 1988},
+{"WAY", 547},
+{"WAYS", 1989},
+{"WE", 548},
+{"WEAK", 1990},
+{"WEAL", 1991},
+{"WEAN", 1992},
+{"WEAR", 1993},
+{"WEB", 549},
+{"WED", 550},
+{"WEE", 551},
+{"WEED", 1994},
+{"WEEK", 1995},
+{"WEIR", 1996},
+{"WELD", 1997},
+{"WELL", 1998},
+{"WELT", 1999},
+{"WENT", 2000},
+{"WERE", 2001},
+{"WERT", 2002},
+{"WEST", 2003},
+{"WET", 552},
+{"WHAM", 2004},
+{"WHAT", 2005},
+{"WHEE", 2006},
+{"WHEN", 2007},
+{"WHET", 2008},
+{"WHO", 553},
+{"WHOA", 2009},
+{"WHOM", 2010},
+{"WHY", 554},
+{"WICK", 2011},
+{"WIFE", 2012},
+{"WILD", 2013},
+{"WILL", 2014},
+{"WIN", 555},
+{"WIND", 2015},
+{"WINE", 2016},
+{"WING", 2017},
+{"WINK", 2018},
+{"WINO", 2019},
+{"WIRE", 2020},
+{"WISE", 2021},
+{"WISH", 2022},
+{"WIT", 556},
+{"WITH", 2023},
+{"WOK", 557},
+{"WOLF", 2024},
+{"WON", 558},
+{"WONT", 2025},
+{"WOO", 559},
+{"WOOD", 2026},
+{"WOOL", 2027},
+{"WORD", 2028},
+{"WORE", 2029},
+{"WORK", 2030},
+{"WORM", 2031},
+{"WORN", 2032},
+{"WOVE", 2033},
+{"WOW", 560},
+{"WRIT", 2034},
+{"WRY", 561},
+{"WU", 562},
+{"WYNN", 2035},
+{"YALE", 2036},
+{"YAM", 563},
+{"YANG", 2037},
+{"YANK", 2038},
+{"YAP", 564},
+{"YARD", 2039},
+{"YARN", 2040},
+{"YAW", 565},
+{"YAWL", 2041},
+{"YAWN", 2042},
+{"YE", 566},
+{"YEA", 567},
+{"YEAH", 2043},
+{"YEAR", 2044},
+{"YELL", 2045},
+{"YES", 568},
+{"YET", 569},
+{"YOGA", 2046},
+{"YOKE", 2047},
+{"YOU", 570}
+};
diff --git a/crypto/heimdal/lib/otp/otp_print.c b/crypto/heimdal/lib/otp/otp_print.c
new file mode 100644
index 0000000..701a74c
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otp_print.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+RCSID("$Id: otp_print.c,v 1.14 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "otp_locl.h"
+
+extern const char *const std_dict[];
+
+unsigned
+otp_checksum (OtpKey key)
+{
+  int i;
+  unsigned sum = 0;
+
+  for (i = 0; i < OTPKEYSIZE; ++i)
+    sum += ((key[i] >> 0) & 0x03)
+      + ((key[i] >> 2) & 0x03) 
+      + ((key[i] >> 4) & 0x03)
+      + ((key[i] >> 6) & 0x03);
+  sum &= 0x03;
+  return sum;
+}
+
+void
+otp_print_stddict (OtpKey key, char *str, size_t sz)
+{
+  unsigned sum;
+
+  sum = otp_checksum (key);
+  snprintf (str, sz,
+	    "%s %s %s %s %s %s",
+	    std_dict[(key[0] << 3) | (key[1] >> 5)],
+	    std_dict[((key[1] & 0x1F) << 6) | (key[2] >> 2)],
+	    std_dict[((key[2] & 0x03) << 9) | (key[3] << 1) | (key[4] >> 7)],
+	    std_dict[((key[4] & 0x7F) << 4) | (key[5] >> 4)],
+	    std_dict[((key[5] & 0x0F) << 7) | (key[6] >> 1)],
+	    std_dict[((key[6] & 0x01) << 10) | (key[7] << 2) | sum]);
+}
+
+void
+otp_print_hex (OtpKey key, char *str, size_t sz)
+{
+  snprintf (str, sz,
+	    "%02x%02x%02x%02x%02x%02x%02x%02x",
+	    key[0], key[1], key[2], key[3], 
+	    key[4], key[5], key[6], key[7]);
+}
+
+void
+otp_print_hex_extended (OtpKey key, char *str, size_t sz)
+{
+  strlcpy (str, OTP_HEXPREFIX, sz);
+  otp_print_hex (key,
+		 str + strlen(OTP_HEXPREFIX),
+		 sz - strlen(OTP_HEXPREFIX));
+}
+
+void
+otp_print_stddict_extended (OtpKey key, char *str, size_t sz)
+{
+  strlcpy (str, OTP_WORDPREFIX, sz);
+  otp_print_stddict (key,
+		     str + strlen(OTP_WORDPREFIX),
+		     sz - strlen(OTP_WORDPREFIX));
+}
diff --git a/crypto/heimdal/lib/otp/otp_verify.c b/crypto/heimdal/lib/otp/otp_verify.c
new file mode 100644
index 0000000..5fec82e
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otp_verify.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+RCSID("$Id: otp_verify.c,v 1.7 2000/07/01 13:58:38 assar Exp $");
+#endif
+
+#include "otp_locl.h"
+
+int
+otp_verify_user_1 (OtpContext *ctx, const char *passwd)
+{
+  OtpKey key1, key2;
+
+  if (otp_parse (key1, passwd, ctx->alg)) {
+    ctx->err = "Syntax error in reply";
+    return -1;
+  }
+  memcpy (key2, key1, sizeof(key1));
+  ctx->alg->next (key2);
+  if (memcmp (ctx->key, key2, sizeof(key2)) == 0) {
+    --ctx->n;
+    memcpy (ctx->key, key1, sizeof(key1));
+    return 0;
+  } else
+    return -1;
+}
+
+int
+otp_verify_user (OtpContext *ctx, const char *passwd)
+{
+  void *dbm;
+  int ret;
+
+  if (!ctx->challengep)
+    return -1;
+  ret = otp_verify_user_1 (ctx, passwd);
+  dbm = otp_db_open ();
+  if (dbm == NULL) {
+    free(ctx->user);
+    return -1;
+  }
+  otp_put (dbm, ctx);
+  free(ctx->user);
+  otp_db_close (dbm);
+  return ret;
+}
diff --git a/crypto/heimdal/lib/otp/otptest.c b/crypto/heimdal/lib/otp/otptest.c
new file mode 100644
index 0000000..4eb342c
--- /dev/null
+++ b/crypto/heimdal/lib/otp/otptest.c
@@ -0,0 +1,145 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+RCSID("$Id: otptest.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <otp.h>
+
+static int
+test_one(OtpKey key1, char *name, char *val,
+	 void (*print)(OtpKey,char*, size_t),
+	 OtpAlgorithm *alg)
+{
+  char buf[256];
+  OtpKey key2;
+
+  (*print)(key1, buf, sizeof(buf));
+  printf ("%s: %s, ", name, buf);
+  if (strcmp (buf, val) != 0) {
+    printf ("failed(*%s* != *%s*)\n", buf, val);
+    return 1;
+  }
+  if (otp_parse (key2, buf, alg)) {
+    printf ("parse of %s failed\n", name);
+    return 1;
+  }
+  if (memcmp (key1, key2, OTPKEYSIZE) != 0) {
+    printf ("key1 != key2, ");
+  }
+  printf ("success\n");
+  return 0;
+}
+
+static int
+test (void)
+{
+  struct test {
+    char *alg;
+    char *passphrase;
+    char *seed;
+    int count;
+    char *hex;
+    char *word;
+  } tests[] = {
+
+    /* md4 */
+    {"md4", "This is a test.", "TeSt", 0, "d1854218ebbb0b51", "ROME MUG FRED SCAN LIVE LACE"},
+    {"md4", "This is a test.", "TeSt", 1, "63473ef01cd0b444", "CARD SAD MINI RYE COL KIN"},
+    {"md4", "This is a test.", "TeSt", 99, "c5e612776e6c237a", "NOTE OUT IBIS SINK NAVE MODE"},
+    {"md4", "AbCdEfGhIjK", "alpha1", 0, "50076f47eb1ade4e", "AWAY SEN ROOK SALT LICE MAP"},
+    {"md4", "AbCdEfGhIjK", "alpha1", 1, "65d20d1949b5f7ab", "CHEW GRIM WU HANG BUCK SAID"},
+    {"md4", "AbCdEfGhIjK", "alpha1", 99, "d150c82cce6f62d1", "ROIL FREE COG HUNK WAIT COCA"},
+    {"md4", "OTP's are good", "correct", 0, "849c79d4f6f55388", "FOOL STEM DONE TOOL BECK NILE"},
+    {"md4", "OTP's are good", "correct", 1, "8c0992fb250847b1", "GIST AMOS MOOT AIDS FOOD SEEM"},
+    {"md4", "OTP's are good", "correct",99, "3f3bf4b4145fd74b", "TAG SLOW NOV MIN WOOL KENO"},
+
+
+    /* md5 */
+    {"md5", "This is a test.", "TeSt", 0, "9e876134d90499dd", "INCH SEA ANNE LONG AHEM TOUR"},
+    {"md5", "This is a test.", "TeSt", 1, "7965e05436f5029f", "EASE OIL FUM CURE AWRY AVIS"},
+    {"md5", "This is a test.", "TeSt", 99, "50fe1962c4965880", "BAIL TUFT BITS GANG CHEF THY"},
+    {"md5", "AbCdEfGhIjK", "alpha1",  0, "87066dd9644bf206", "FULL PEW DOWN ONCE MORT ARC"},
+    {"md5", "AbCdEfGhIjK", "alpha1",   1, "7cd34c1040add14b", "FACT HOOF AT FIST SITE KENT"},
+    {"md5", "AbCdEfGhIjK", "alpha1",  99, "5aa37a81f212146c", "BODE HOP JAKE STOW JUT RAP"},
+    {"md5", "OTP's are good", "correct", 0,  "f205753943de4cf9", "ULAN NEW ARMY FUSE SUIT EYED"},
+    {"md5", "OTP's are good", "correct", 1, "ddcdac956f234937", "SKIM CULT LOB SLAM POE HOWL"},
+    {"md5", "OTP's are good", "correct",99, "b203e28fa525be47", "LONG IVY JULY AJAR BOND LEE"},
+
+    /* sha */
+    {"sha", "This is a test.", "TeSt", 0, "bb9e6ae1979d8ff4", "MILT VARY MAST OK SEES WENT"},
+    {"sha", "This is a test.", "TeSt", 1, "63d936639734385b", "CART OTTO HIVE ODE VAT NUT"},
+    {"sha", "This is a test.", "TeSt", 99, "87fec7768b73ccf9", "GAFF WAIT SKID GIG SKY EYED"},
+    {"sha", "AbCdEfGhIjK", "alpha1", 0, "ad85f658ebe383c9", "LEST OR HEEL SCOT ROB SUIT"},
+    {"sha", "AbCdEfGhIjK", "alpha1", 1, "d07ce229b5cf119b", "RITE TAKE GELD COST TUNE RECK"},
+    {"sha", "AbCdEfGhIjK", "alpha1", 99, "27bc71035aaf3dc6", "MAY STAR TIN LYON VEDA STAN"},
+    {"sha", "OTP's are good", "correct", 0, "d51f3e99bf8e6f0b", "RUST WELT KICK FELL TAIL FRAU"},
+    {"sha", "OTP's are good", "correct", 1, "82aeb52d943774e4", "FLIT DOSE ALSO MEW DRUM DEFY"},
+    {"sha", "OTP's are good", "correct", 99, "4f296a74fe1567ec", "AURA ALOE HURL WING BERG WAIT"},
+    {NULL}
+  };
+
+  struct test *t;
+  int sum = 0;
+
+  for(t = tests; t->alg; ++t) {
+    int i;
+    OtpAlgorithm *alg = otp_find_alg (t->alg);
+    OtpKey key;
+
+    if (alg == NULL) {
+      printf ("Could not find alg %s\n", t->alg);
+      return 1;
+    }
+    if(alg->init (key, t->passphrase, t->seed))
+      return 1;
+    for (i = 0; i < t->count; ++i) {
+      if (alg->next (key))
+	return 1;
+    }
+    sum += test_one (key, "hexadecimal", t->hex, otp_print_hex,
+		     alg) +
+      test_one (key, "standard_word", t->word, otp_print_stddict, alg);
+  }
+  return sum;
+}
+
+int
+main (void)
+{
+  return test ();
+}
diff --git a/crypto/heimdal/lib/otp/roken_rename.h b/crypto/heimdal/lib/otp/roken_rename.h
new file mode 100644
index 0000000..202b9a6
--- /dev/null
+++ b/crypto/heimdal/lib/otp/roken_rename.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.2 1999/12/02 16:58:45 joda Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+#ifndef HAVE_SNPRINTF
+#define snprintf _otp_snprintf
+#endif
+#ifndef HAVE_ASPRINTF
+#define asprintf _otp_asprintf
+#endif
+#ifndef HAVE_ASNPRINTF
+#define asnprintf _otp_asnprintf
+#endif
+#ifndef HAVE_VASPRINTF
+#define vasprintf _otp_vasprintf
+#endif
+#ifndef HAVE_VASNPRINTF
+#define vasnprintf _otp_vasnprintf
+#endif
+#ifndef HAVE_VSNPRINTF
+#define vsnprintf _otp_vsnprintf
+#endif
+#ifndef HAVE_STRCASECMP
+#define strcasecmp _otp_strcasecmp
+#endif
+#ifndef HAVE_STRNCASECMP
+#define strncasecmp _otp_strncasecmp
+#endif
+#ifndef HAVE_STRLWR
+#define strlwr _otp_strlwr
+#endif
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/roken/ChangeLog b/crypto/heimdal/lib/roken/ChangeLog
new file mode 100644
index 0000000..cbc7393
--- /dev/null
+++ b/crypto/heimdal/lib/roken/ChangeLog
@@ -0,0 +1,1099 @@
+2001-05-17  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 12:0:3
+	* roken.h.in: re-add set_progname and get_progname for backwards
+	compatability
+	* warnerr.c: re-add set_progname and get_progname for backwards
+	compatability
+
+2001-05-12  Assar Westerlund  <assar@sics.se>
+
+	* glob.c: add limits.h, from <shadow@dementia.org>
+
+2001-05-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bswap.c
+	
+	* bswap.c: bswap{16,32}
+	
+2001-05-08  Assar Westerlund  <assar@sics.se>
+
+	* freeaddrinfo.c (freeaddrinfo): also free every `struct
+	addrinfo'.  from <tmartin@mirapoint.com>
+
+2001-04-25  Assar Westerlund  <assar@sics.se>
+
+	* getarg.h (free_getarg_strings): add prototype
+	* getarg.c (free_getarg_strings): add function
+
+2001-04-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getarg.c: pack short flag options togther, to shorten the usage
+	string
+
+2001-04-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getifaddrs.c (getifaddrs2): close socket when done
+
+2001-03-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken.awk: END has to be last with Sun's awk
+
+2001-03-26  Assar Westerlund  <assar@sics.se>
+
+	* parse_units.c (parse_something): do not check the return value
+	from strtod, it might return != 0.0 when the string has no digits.
+	just testing if it consumed any characters is enough and more
+	resilient
+	* glob.c: add GLOB_LIMIT (from NetBSD)
+
+2001-02-20  Assar Westerlund  <assar@sics.se>
+
+	* warnerr.c (warnerr): do not use __progname
+	* roken.h.in (setprogname, getprogname): add prototypes
+	* warnerr.c (setprogname, getprogname): rename to. change all
+	callers
+	
+2001-02-12  Assar Westerlund  <assar@sics.se>
+
+	* getnameinfo_verified.c (getnameinfo_verified): do the first
+	getnameinfo with NI_NUMERICSERV to avoid the error that bind 8.2.3
+	reports on not finding the service
+	(ENI_NOSERVNAME).  reported by Ake Sandgren <ake@cs.umu.se>
+
+2001-02-09  Assar Westerlund  <assar@sics.se>
+
+	* getnameinfo.c (doit): call inet_ntop with correct af, noted by
+	Ake Sandgren <ake@cs.umu.se>
+
+2001-02-08  Assar Westerlund  <assar@sics.se>
+
+	* getnameinfo_verified.c (getnameinfo_verified): always capture
+	the service from getnameinfo so it can be sent back to getaddrinfo
+	and set socktype to avoid getaddrinfo not returning any addresses
+
+2001-01-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_LDFLAGS): bump version to 11:1:2
+	* print_version.c (print_version): add 2001
+
+2001-01-29  Assar Westerlund  <assar@sics.se>
+
+	* getifaddrs.c (getifaddrs2): copy the entire sockaddr
+
+	* roken-common.h (_PATH_BSHELL): add
+
+2001-01-27  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: move __attribute__ to roken-common.h
+
+	* esetenv.c (esetenv): cast to handle a setenv that takes a `char
+ 	* which is the case on Unicos
+
+2000-12-29  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (EXTRA_libroken_la_SOURCES): ifaddrs.h ->
+	ifaddrs.hin
+
+2000-12-25  Assar Westerlund  <assar@sics.se>
+
+	* getarg.c (print_arg): add a case for arg_strings
+
+2000-12-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* snprintf.c (append_string): handle NULL strings by printing
+	`(null)'
+
+2000-12-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken-common.h: add c++ externs
+
+	* roken.h.in: fix last commit differently
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* err.hin (warnerr): remove, it's not part of the err.h interface
+	* roken-common.h (warnerr): moved here from err.hin
+	* Makefile.am (libroken_la_LDFLAGS): set version to 11:0:2
+	* vis.c: s/u_int32_t/unsigned/ for systems that do not define
+	u_int32_t
+
+2000-12-10  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: rename some headers to avoid conflict with possible
+	system headers
+
+2000-12-06  Johan Danielsson  <joda@pdc.kth.se>
+
+	* vis.c: make sure _DIAGASSERT is defined
+
+	* unvis.c: make sure _DIAGASSERT is defined
+
+	* Makefile.am: unvis.c, and vis.h
+
+	* vis.h: vis.h from NetBSD
+
+	* unvis.c: unvis from NetBSD
+
+	* roken.h.in: cleanup previous
+
+	* roken-common.h: make `extern "C"' into a macro, this make emacs
+	much happier
+
+	* vis.c: strvis implementation from NetBSD
+
+	* roken.h.in: add prototypes for strvis*
+
+2000-12-05  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ifaddrs.h: fix freeifaddrs prototype, and add ifa_broadaddr
+	macro
+
+	* getifaddrs.c: free some memory
+
+2000-12-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ifaddrs.h: getifaddrs implementation using SIOCGIFCONFIG etc
+
+	* getifaddrs.c: getifaddrs implementation using SIOCGIFCONFIG etc
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (mini_inetd): check that fds are not too large to
+	select on
+
+2000-09-24  Assar Westerlund  <assar@sics.se>
+
+	*  esetenv.c: new file/function
+
+2000-08-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 10:0:1
+
+2000-08-10  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (accept_it): type-correctness on parameters to
+	accept
+
+2000-08-07  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken.h.in: add proto compat for getsockname
+
+2000-08-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* write_pid.c: conditionalise pidfile
+
+	* write_pid.c: add pidfile function
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump version to 9:0:0
+
+	* warnerr.c: add get_progname
+
+2000-07-24  Assar Westerlund  <assar@sics.se>
+
+	* getaddrinfo.c (add_hostent): if there's no fqdn in `he' try
+	reverse resolving to see if there's a fuller name there.  don't
+	use just-freed memory
+
+2000-07-22  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: do not define ndbm functions in terms of dbm functions
+	if we're using db
+
+2000-07-20  Assar Westerlund  <assar@sics.se>
+
+	* rtbl.c (rtbl_format): avoid printing an empty row at the end
+
+2000-07-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: make this compatible with `make dist'
+
+	* Makefile.am: revert version number for now
+
+2000-07-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* configure.in: AM_PROG_LIBTOOL -> AC_PROG_LIBTOOL
+
+2000-07-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: set ACLOCAL_AMFLAGS
+
+2000-07-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getaddrinfo_hostspec.c: add new function that takes socktype
+	hint as parameter
+
+2000-07-09  Assar Westerlund  <assar@sics.se>
+
+	* rtbl.c (rtbl_add_column): initialize `col' completely
+
+	* configure.in: bring headers and functions more in-line with
+	what's actually being used
+
+2000-07-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken.h.in: declare ether_addr and sockaddr_dl for AIX
+
+	* rtbl.{c,h}: simple table functions
+
+2000-07-08  Assar Westerlund  <assar@sics.se>
+
+	* configure.in (AM_INIT_AUTOMAKE): bump version to 10
+	* configure.in (AC_BROKEN): add strsep_copy
+	* Makefile.am (ACLOCAL): fetch files from cf
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h (pid_file_*): fix protos
+
+2000-06-28  Assar Westerlund  <assar@sics.se>
+
+	* getnameinfo_verified.c (getnameinfo_verified): free memory
+	returned from getaddrinfo
+
+2000-06-27  Assar Westerlund  <assar@sics.se>
+
+	* resolve.c: export string_to_type and type_to_string
+	* resolve.c: add key,sig,cert update test-program
+	* resolve.h: add key,sig,cert
+
+2000-06-21  Assar Westerlund  <assar@sics.se>
+
+	* resolve.h: add T_SIG, T_KEY
+	* resolve.c: add SIG and KEY
+	* Makefile.am (libroken_la_SOURCES): add environment.c and
+	write_pid.c
+
+	* write_pid.c: new file for writing a pid file.
+
+	* environment.c: new file with functionality for reading
+	/etc/environment.  From Ake Sandgren <ake@cs.umu.se>
+
+2000-06-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* strsep_copy.c: strsep, but with const stringp so returns string
+	in separate buffer
+
+2000-05-23  Assar Westerlund  <assar@sics.se>
+
+	* vsyslog.c (vsyslog): calculate length of new format string
+	correctly
+
+2000-05-22  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getusershell.c: implment the AIX version use
+	/etc/security/login.cfg
+
+2000-05-21  Assar Westerlund  <assar@sics.se>
+
+	* vsyslog.c (vsyslog): actually handle `%m'
+
+2000-05-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_LDFLAGS): set version to 8:1:3
+
+	* roken-common.h: moved __attribute__ to roken.h.in
+
+2000-04-14  Assar Westerlund  <assar@sics.se>
+
+	* getaddrinfo_hostspec.c (roken_getaddrinfo_hostspec): copy the
+	correct length from `hostspec'.  based on a patch from Love
+	<lha@s3.kth.se>
+
+2000-04-09  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: only include one of db.h and the dbm-series
+
+2000-04-05  Assar Westerlund  <assar@sics.se>
+
+	* resolve.c (_resolve_debug): explicitly set to zero.  this moves
+	the variable from bss to data and the dynamic linker on MacOS
+	X/Darwin seems unhappy with stuff in the bss segment.
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 8:0:3
+
+2000-03-11  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (_SS_PAD1SIZE): try to write an inpenetrable
+	expression that also works on Crays
+
+2000-03-09  Assar Westerlund  <assar@sics.se>
+
+	* getarg.c (arg_match_short): backup optind when there's a missing
+	argument so that the error can point at the flag and not the
+	non-existant argument
+
+2000-03-03  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add timeval.c
+	* Makefile.am (libroken_la_SOURCES): add timeval.c
+	* timeval.c: new file
+
+2000-02-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 7:1:2
+	
+2000-02-16  Assar Westerlund  <assar@sics.se>
+
+	* snprintf.c (PARSE_INT_FORMAT): note that shorts are actually
+	transmitted as ints
+	(according to the integer protomotion rules) in variable arguments
+	lists.  Therefore, we should not call va_arg with short but rather
+	with int.  See <http://www.debian.org/Bugs/db/57/57919.html> for
+	original bug report
+
+2000-02-13  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 7:0:2
+
+	* getarg.c (mandoc_template): also fix no- prefix in .Sh OPTIONS
+	* getarg.c (mandoc_template): better man-stuff for negative
+	options
+
+2000-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 6:0:1
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: hopefully catch a few more declarations by including
+	<ndbm.h> even if <db.h> was found
+
+2000-01-26  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (mini_inetd): separate number of allocated sockets
+	and number of actual ones
+	* mini_inetd.c (mini_inetd): count sockets properly.  and fail if
+	we cannot bind any
+	* mini_inetd.c (mini_inetd): make failing to create a socket
+	non-fatal
+
+2000-01-09  Assar Westerlund  <assar@sics.se>
+
+ 	* Makefile.am(libroken_la_SOURCES): add strcollect.c
+	* Makefile.in: add strcollect.[co]
+	* simple_exec.c: use vstrcollect
+	* roken-common.h (_PATH_DEV): add
+	(strcollect, vstrcollect): add prototypes
+	* strcollect.c: new file.  functions for collapsing an `va_list'
+	into an `char **'
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 5:0:0
+
+1999-12-30  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (strpftime_test_SOURCES): correct source file name
+
+	* roken.h.in (sockaddr_storage): change padding so that we have
+ 	one char[] of pad and then an unsigned long[] (for alignment and
+ 	padding).  this works much better in practice.
+
+1999-12-22  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (sockaddr_storage): drop leading underscore on
+ 	`public' fields.  this was the consensus on the ipng mailing list
+
+1999-12-21  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (strpftime-test): define sources to avoid having
+ 	'.o'
+	* Makefile.am (print_version.h): use $(EXEEXT)
+	* Makefile.am (roken.h): add $(EXEEXT) to make this work on cygwin
+ 	et al
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_LDFLAGS): bump version to 4:3:0
+
+	* getaddrinfo.c (get_nodes): use getipnodebyname instead of
+	gethostbyname(2)
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_LDFLAGS): bump version to 4:2:0
+
+	* roken.h.in (struct sockaddr_storage): redefine with the example
+ 	code from rfc2553
+
+	* getaddrinfo.c (get_null): set loopback with correct endianess
+	for v4.  dunno about v6.
+
+1999-12-13  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: add prototypes for str[pf]time
+
+	* signal.c: macosx = rhapsody ~= nextstep also can't handle
+ 	various definitions of the same symbol.
+
+1999-12-12  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 4:1:0
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 4:0:0
+
+1999-12-05  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: replace inaddr2str with getnameinfo_verified
+
+	* roken-common.h (INADDR_LOOPBACK): add fallback definition
+
+	* roken-common.h: move getnameinfo_verified to roken.h.in
+	* roken.h.in (inaddr2str): remove
+	* Makefile.am (libroken_la_SOURCES); removed inaddr2str
+	* roken-common.h (getnameinfo_verified): add prototype
+	* getnameinfo_verified.c: new file
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h: add constants for getaddrinfo, getnameinfo
+	* roken.h.in (socklen_t): make independent of sockaddr_storage
+	(AI_*, NI_*, EAI_*): move to roken-common.h
+
+1999-12-03  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (mini_inted): rewrite to use `getaddrinfo'
+	* getaddrinfo.c (const_v*): no sizeof(sizeof())
+	* getaddrinfo.c (add_hostent): search for the canonical name among
+	all aliases
+	(getaddrinfo): handle AI_NUMERICHOST correctly
+	* Makefile.am (EXTRA_libroken_la_SOURCES): add freeaddinfo,
+	getaddrinfo, getnameinfo, gai_strerror
+	(getaddrinfo_test): add
+	* Makefile.in (SOURCES): add freeaddinfo, getaddrinfo,
+	getnameinfo, gai_strerror
+	(getaddrinfo_test): add
+	* roken.h.in: arpa/inet.h: include
+	(socklen_t): add
+	(struct addrinfo): add
+	(EAI_*): add
+	(NI_*): add
+	(AI_*): add
+	(getaddrinfo, getnameinfo, freeaddrinfo, gai_strerror): add
+	* getnameinfo.c: new file
+	* getaddrinfo-test.c: new file
+	* gai_strerror.c: new file
+	* getaddrinfo.c: new file
+	* freeaddrinfo.c: new file
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* getopt.c (getopt): return -1 instead of EOF.  From
+	<art@stacken.kth.se>
+
+1999-11-13  Assar Westerlund  <assar@sics.se>
+
+	* strftime.c (strftime): handle `%z' and `%Z' in a tm_gmtoff-less
+	world
+
+	* getcap.c: make sure to use db only if we have both the library
+	and the header file
+	
+1999-11-12  Assar Westerlund  <assar@sics.se>
+
+	* getarg.h: add arg_counter
+	* getarg.c: add a new type of argument: `arg_counter' re-organize
+	the code somewhat
+	
+	* Makefile.am: add strptime and strpftime-test
+	
+	* snprintf.c (xyzprintf): try to do the right thing with an % at
+	the end of the format string
+	
+	* strptime.c (strptime): implement '%U', '%V', '%W'
+	* strftime.c (strftime): implement '%U', '%V', '%W', '%z'
+	
+	* strftime.c (strftime): correct %E and %O handling.  do something
+ 	reasonable with "...%"
+
+	* strftime.c: replace the BSD implementation by one of our own
+	coding
+
+	* strptime.c : new file
+	* strpftime-test.c: new file
+
+1999-11-07  Assar Westerlund  <assar@sics.se>
+
+	* parse_bytes-test.c: new file
+
+	* Makefile.am: add parse_bytes-test
+
+	* parse_units.c (parse_something): try to handle the case of no
+ 	value specified a little bit better
+
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 3:2:0
+
+1999-10-30  Assar Westerlund  <assar@sics.se>
+
+	* snprintf.c (PARSE_INT_FORMAT): add redundant casts to work
+ 	around a gcc-bug that manifests itself on Linux-PPC.  From Tom
+ 	Rini <trini@kernel.crashing.org>
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 3:1:0
+
+	* roken.h.in: use `unsigned char' instead of `u_int8_t' to avoid
+ 	having to have that definition.  this is the easy way out instead
+ 	of getting the definition here where it's needed.  flame me.
+
+Fri Oct 22 15:39:31 1999  Bjoern Groenvall  <bg@sics.se>
+
+	* k_getpwuid.c (k_getpwuid): getspuid() does not exist (even
+ 	though it should), use getspnam().
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 3:0:0
+
+1999-10-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getarg.3: document arg_collect
+
+	* getarg.c: change the way arg_collect works; it's still quite
+	horrible though
+
+	* getarg.h: change type of the collect function
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: undo last commit
+
+	* xdbm.h: reorder db includes
+
+1999-10-10  Assar Westerlund  <assar@sics.se>
+
+	* socket.c: const-ize and comment
+
+	* net_write.c: const-ize
+
+	* base64.c: const-ize
+
+1999-10-06  Assar Westerlund  <assar@sics.se>
+
+	* getarg.c (getarg): also set optind when returning error
+
+1999-09-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add parse_bytes.[ch]
+
+1999-09-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getarg.3: getarg manpage
+
+	* getarg.{c,h}: add a callback type to do more complicated processing
+
+	* getarg.{c,h}: add floating point support
+
+1999-09-16  Assar Westerlund  <assar@sics.se>
+
+	* strlcat.c (strlcat): call strlcpy
+
+	* strlcpy.c: update name and prototype
+
+	* strlcat.c: update name and prototype
+
+	* roken.h.in: rename strc{py,at}_truncate to strlc{py,at}
+
+	* Makefile.am: rename strc{py,at}_truncate -> strlc{py,at}
+
+	* Makefile.in: rename strc{py,at}_truncate -> strlc{py,at}
+
+ 	* strcpy_truncate.c (strcpy_truncate): change return value to be
+ 	the length of `src'
+
+1999-08-16  Assar Westerlund  <assar@sics.se>
+
+	* getcap.c: try to make this work on systems with DB
+
+1999-08-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getcap.c: protect from db-less systems
+
+1999-08-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* simple_exec.c: add simple_exec{ve,le}
+
+	* getcap.c: getcap from NetBSD
+
+1999-08-06  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (sockaddr_storage): cater for those that have
+ 	v6-support also
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* inet_ntop.c (inet_ntop_v4): remember to call ntohl
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h: add shutdown constants
+
+	* mini_inetd.c (listen_v4, listen_v6): handle the case of the
+ 	protocol not being supported
+
+1999-08-01  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (socket_set_reuseaddr): remove duplicate
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (mini_inetd): fix my stupid bugs
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h: add socket* functions
+
+	* Makefile.am (libroken_la_SOURCES): add socket.c
+
+	* socket.c: new file, originally from appl/ftp/common
+
+	* Makefile.am: set version to 2:0:2
+
+	* roken.h.in (inet_pton): add prototype
+
+	* Makefile.am (EXTRA_libroken_la_SOURCES): add inet_pton
+
+	* inet_pton.c: new file
+
+	* getipnodebyname.c (getipnodebyname): try gethostbyname2 if we
+ 	have it
+
+1999-07-27  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c: support IPv6
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:0:1
+
+	* roken.h.in (inet_ntop): add prototype
+
+ 	* roken-common.h: (INET{,6}_ADDRSTRLEN): add
+
+	* inet_ntop.c: new file
+
+	* Makefile.am (EXTRA_libroken_la_SOURCES): add inet_ntop.c
+
+	* Makefile.am: move some files from libroken_la_SOURCES to
+ 	EXTRA_libroken_la_SOURCES
+
+	* snprintf.c: some signed vs unsigned casts
+	
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (struct sockaddr_storage): define it needed
+
+1999-07-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_SOURCES): add copyhostent.c,
+ 	freehostent.c, getipnodebyname.c, getipnodebyaddr.c
+	
+	* roken.h.in: <netdb.h>: include
+	(copyhostent, freehostent, getipnodebyname, getipnodebyaddr): add
+	prototypes
+
+	* roken-common.h: new constants for getipnodeby*
+
+	* Makefile.in (SOURCES): add freehostent, copyhostent,
+ 	getipnodebyname, getipnodebyaddr
+
+	* freehostent.c: new file
+
+	* copyhostent.c: new file
+
+	* getipnodebyaddr.c: new file
+
+	* getipnodebyname.c: new file
+
+1999-07-13  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (k_getpwnam): update prototype
+
+	* k_getpwnam.c (k_getpwnam): const-ize
+
+	* get_default_username.c (get_default_username): a better way of
+ 	guessing when the user has su:ed
+
+1999-07-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken.awk: use puts, as suggested by Jeffrey Hutzelman
+	<jhutz+@cmu.edu>
+
+1999-07-06  Assar Westerlund  <assar@sics.se>
+
+	* readv.c (readv): typo
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* writev.c (writev): error check malloc properly
+
+	* sendmsg.c (sendmsg): error check malloc properly
+
+	* resolve.c (parse_reply): error check malloc properly
+
+	* recvmsg.c (recvmsg): error check malloc properly
+
+	* readv.c (readv): error check malloc properly
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* parse_units.c (acc_units): move the special case of 0 -> 1 to
+ 	parse_something to avoid having it happen at the end of the string
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add get_default_username
+
+	* get_default_username.c: new file
+
+	* roken.h.in (get_default_username): add prototype
+
+	* Makefile.am: add get_default_username
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: also try <db.h> with DB_DBM_HSEARCH == 1
+
+	* strnlen.c (strnlen): update prototype
+
+	* Makefile.am: strndup.c: add
+
+	* Makefile.in: strndup.c: add
+
+	* roken.h.in (strndup): add
+	(strnlen): update prototype
+
+	* strndup.c: new file
+
+Fri Apr 16 17:59:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: include strsep prototype if needed
+
+Thu Apr 15 14:04:03 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: make make-print-version.o depend on version.h
+
+Wed Apr  7 14:11:00 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: make it compile w/o krb4
+
+Sat Mar 27 17:33:03 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* snprintf.c (vasnprintf): correct check if realloc returns NULL
+
+Sat Mar 27 12:37:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: link print_version with -ldes to avoid unresolved
+ 	references if -lkrb is shared
+
+Sat Mar 20 03:42:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h (eread, ewrite): add
+
+	* simple_exec.c: add <roken.h>
+
+Fri Mar 19 21:29:58 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add eread, ewrite
+
+	* eread.c, ewrite.c: new files
+
+	* Makefile.am (libroken_la_SOURCES): add eread and ewrite
+
+Fri Mar 19 14:52:57 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add version-info
+
+Thu Mar 18 12:53:32 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: remove include_dir hack
+
+	* Makefile.am: parse_units.h
+
+	* Makefile.am: include Makefile.am.common
+
+Sat Mar 13 23:31:35 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add glob.c
+
+Thu Mar 11 15:02:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* iruserok.c: move innetgr() to separate file
+
+	* innetgr.c: move innetgr() to separate file
+
+	* hstrerror.c (hstrerror): add const to return type
+
+	* erealloc.c: fix types in format string
+
+	* emalloc.c: fix types in format string
+
+Wed Mar 10 16:36:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* resolve.c: ugly fix for crays
+
+Mon Mar  8 11:52:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* roken.h.in: protos for {un,}setenv
+
+1999-02-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add fnmatch
+
+	* roken-common.h (abs): add
+
+Sat Feb 13 17:12:53 1999  Assar Westerlund  <assar@sics.se>
+
+	* emalloc.c, erealloc.c, estrup.c: new files
+
+	* roken.h.in (mkstemp, gethostname): also includes prototypes if
+ 	they are needed.
+
+1998-12-23  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: mkstemp: add prototype
+
+1998-12-20  Assar Westerlund  <assar@sics.se>
+
+	* snprintf.c, iruserok.c, parse-units.c: unsigned char-correctness
+
+	* roken.h.in (inet_aton): also chedk NEED_INET_ATON_PROTO
+
+	* roken-common.h: __attribute__: check for autoconf'd
+	HAVE___ATTRIBUTE__ instead of GNUC
+
+Sun Dec  6 19:53:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse_units.c (parse_something): func is called with val == 0 if
+ 	no unit was given
+	(acc_flags, acc_units): update to new standard
+
+Fri Nov 27 03:09:42 1998  Assar Westerlund  <assar@sics.se>
+
+	* resolve.c (stot): constify
+	(type_to_string): always declare
+	(dns_lookup_int): correct debug output
+
+Thu Nov 26 23:43:55 1998  Assar Westerlund  <assar@sics.se>
+
+	* resolve.c (dns_lookup_int): send rr_class to res_search
+
+Thu Nov 26 17:09:47 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* resolve.c: some cleanup
+
+	* resolve.h: add T_NAPTR
+
+Sun Nov 22 10:23:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+	* k_getpwnam.c (k_getpwnam): check for `struct spwd'
+
+	* k_getpwuid.c (k_getpwuid): check for `struct spwd'
+
+Tue Sep  8 05:18:31 1998  Assar Westerlund  <assar@sics.se>
+
+	* recvmsg.c (recvmsg): patch from bpreece@unity.ncsu.edu
+
+Fri Sep  4 16:29:27 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* vsyslog.c: asprintf -> vasprintf
+
+Tue Aug 18 22:25:52 1998  Assar Westerlund  <assar@sics.se>
+
+	* getarg.h (arg_printusage): new signature
+
+	* getarg.c (arg_printusage): new parameter `progname'.  NULL means
+ 	__progname.
+
+Sun Aug  9 14:53:44 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.am: net_{read,write}.c
+
+Fri Jul 24 21:56:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* simple_exec.c (simple_execvp): loop around waitpid when errno ==
+ 	EINTR
+
+Thu Jul 23 20:24:35 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.am: net_{read,write}.c
+
+Wed Jul 22 21:38:35 1998  Assar Westerlund  <assar@sics.se>
+
+	* simple_exec.c (simple_execlp): initialize `argv'
+
+Mon Jul 13 23:01:22 1998  Assar Westerlund  <assar@sics.se>
+
+	* inaddr2str.c (inaddr2str): don't advance hostent->h_addr_list,
+ 	use a copy instead
+
+Fri Jul 10 01:20:08 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (net_write, net_read): add prototypes
+
+	* Makefile.in: net_{read,write}.c: add
+
+	* net_{read,write}.c: new files
+
+Tue Jun 30 17:29:09 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (issuid): add
+
+	* get_window_size.c: fix misspelling of TIOCGWINSZ and bad use of
+ 	fields
+
+Sun May 31 03:24:34 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (mandoc_template): Put short and long options in
+ 	SYNOPSIS within the same [ ] pair.
+
+Sat May 30 00:13:01 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (arg_printusage): try to keep options shorter than
+ 	column width
+
+	* get_window_size.c (get_window_size): check COLUMNS and LINES
+
+Fri May 29 00:05:04 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (mandoc_template): Put short and long options in
+ 	DESCRIPTION on the same line.
+
+	* getarg.c (arg_match_long): make sure you only get an exact match
+ 	if the strings are the same length
+
+Thu May 14 02:23:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.awk: stupid cray awk wants \#
+
+Fri May  1 01:29:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* print_version.c (print_version): according to ISO/ANSI C the
+ 	elements of `arg' are not constant and therefore not settable at
+ 	compile-time.  Set the at run-time instead.
+
+Sun Apr 19 10:00:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: include paths.h
+
+Sun Apr  5 12:30:49 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add roken_gethostby.c to make solaris
+ 	make happy
+
+Thu Mar 19 20:41:25 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* simple_exec.c: Simple fork+exec system() replacement.
+
+Fri Mar  6 00:21:53 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* roken_gethostby.c: Make `roken_gethostby_setup' take url-like
+ 	specification instead of split up versions. Makes it easier for
+ 	calling applications.
+
+	* roken_gethostby.c: Another miracle of the 20th century:
+ 	gethostby* over HTTP.
+
+Sat Feb 21 15:18:36 1998  assar westerlund  <assar@sics.se>
+
+	* parse_time.c (unparse_time_approx): new function that calls
+ 	`unparse_units_approx'
+
+	* parse_units.c (unparse_units_approx): new function that will
+ 	only print the first unit.
+
+	* Makefile.in: include parse_{time,units}
+
+Thu Feb 12 03:30:08 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse_time.c (print_time_table): don't return a void value.
+
+Tue Feb  3 11:06:24 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (mandoc_template): Change date format to full month
+ 	name, and day of month without leading zero.
+
+Thu Jan 22 21:23:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c: Fix long form of negative flags.
+
+Mon Dec 29 23:31:10 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* roken.h.in: Include <err.h>, to get linux __progname.
+
+Sun Dec 21 09:45:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* parse_time.c (print_time_table): new function
+
+	* parse_units.c (print_flags_table, print_units_table): new
+ 	functions.
+
+Thu Dec  4 02:51:46 1997  Assar Westerlund  <assar@sics.se>
+
+	* iruserok.c: moved here.
+
+	* snprintf.c (sn_append_char): don't write any terminating zero.
+	(as_reserve): don't loop.  better heuristic for how much space to
+ 	realloc.
+	(vasnprintf): simplify initializing to one.
+
+Sun Nov 30 14:56:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c: Add mandoc help back-end to getarg.
+
+Wed Nov 12 01:09:17 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* verr.c, verrx.c: Fix warnings by moving exit from.
+
+Tue Nov 11 21:12:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* parse_units.c: Change the list of separating characters (between
+ 	units) to comma, space, and tab, removing digits. Having digits in
+ 	this list makes a flag like `T42 generate a parse error. This
+ 	change makes `17m3s' an invalid time-spec (you need a space).
+
+Tue Nov 11 02:38:44 1997  Assar Westerlund  <assar@sics.se>
+
+	* roken.h: add <sys/socket.h>
+
+Sun Nov  9 04:48:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* fnmatch.c: Add fnmatch from NetBSD
+
+Sun Nov  9 02:00:08 1997  Assar Westerlund  <assar@sics.se>
+
+	* parse_units.c (parse_something): ignore white-space and ','
+
+Mon Nov  3 22:38:32 1997  Assar Westerlund  <assar@sics.se>
+	
+	* roken.h: fclose prototype
+
+	* roken.h: add prototype for vsyslog
+
+	* Makefile.in: add some more source files to make soriasis make
+ 	happy
+
+Sat Nov  1 00:19:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* roken.h: include <sys/uio.h> and <errno.h>.
+	prototypes for readv and writev
+
+	* readv.c, writev.c: new files
+
+Wed Oct 29 02:21:38 1997  Assar Westerlund  <assar@sics.se>
+
+	* roken.h: Add ugly macros for openlog, gethostbyname,
+ 	gethostbyaddr, and getservbyname for the benefit of Crays.  Add
+ 	default definition of MAXPATHLEN
diff --git a/crypto/heimdal/lib/roken/Makefile.am b/crypto/heimdal/lib/roken/Makefile.am
new file mode 100644
index 0000000..ce874b0
--- /dev/null
+++ b/crypto/heimdal/lib/roken/Makefile.am
@@ -0,0 +1,218 @@
+# $Id: Makefile.am,v 1.96 2001/05/16 23:57:10 assar Exp $
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+AM_CFLAGS += $(WFLAGS)
+
+## ACLOCAL = @ACLOCAL@ -I cf
+ACLOCAL_AMFLAGS = -I ../../cf
+
+CLEANFILES = roken.h make-roken.c $(XHEADERS)
+
+lib_LTLIBRARIES = libroken.la
+libroken_la_LDFLAGS = -version-info 12:0:3
+
+noinst_PROGRAMS = make-roken
+
+nodist_make_roken_SOURCES = make-roken.c
+
+check_PROGRAMS = parse_bytes-test \
+		strpftime-test \
+		getaddrinfo-test
+
+TESTS = $(check_PROGRAMS)
+
+LIB_crypt = @LIB_crypt@
+
+common_LDADD = libroken.la $(LIB_crypt)
+
+strpftime_test_SOURCES = strpftime-test.c strftime.c strptime.c snprintf.c
+##snprintf_test_SOURCES  = snprintf-test.c snprintf.c
+##snprintf_test_LDADD    = $(common_LDADD) -lm
+getaddrinfo_test_LDADD = $(common_LDADD)
+parse_bytes_test_LDADD = $(common_LDADD)
+
+libroken_la_SOURCES =		\
+	base64.c		\
+	bswap.c			\
+	concat.c		\
+	emalloc.c		\
+	environment.c		\
+	eread.c			\
+	erealloc.c		\
+	esetenv.c		\
+	estrdup.c		\
+	ewrite.c		\
+	getaddrinfo_hostspec.c	\
+	get_default_username.c	\
+	get_window_size.c	\
+	getarg.c		\
+	getnameinfo_verified.c	\
+	issuid.c		\
+	k_getpwnam.c		\
+	k_getpwuid.c		\
+	mini_inetd.c		\
+	net_read.c		\
+	net_write.c		\
+	parse_bytes.c		\
+	parse_time.c		\
+	parse_units.c		\
+	resolve.c		\
+	roken_gethostby.c	\
+	rtbl.c			\
+	rtbl.h			\
+	signal.c		\
+	simple_exec.c		\
+	snprintf.c		\
+	socket.c		\
+	strcollect.c		\
+	timeval.c		\
+	tm2time.c		\
+	unvis.c			\
+	verify.c		\
+	vis.c			\
+	vis.h			\
+	warnerr.c		\
+	write_pid.c		\
+	xdbm.h
+
+EXTRA_libroken_la_SOURCES =	\
+	chown.c			\
+	copyhostent.c		\
+	daemon.c		\
+	err.c			\
+	err.hin			\
+	errx.c			\
+	fchown.c		\
+	flock.c			\
+	fnmatch.c		\
+	fnmatch.hin		\
+	freeaddrinfo.c		\
+	freehostent.c		\
+	gai_strerror.c		\
+	getaddrinfo.c		\
+	getdtablesize.c		\
+	getegid.c		\
+	geteuid.c		\
+	getgid.c		\
+	gethostname.c		\
+	getifaddrs.c		\
+	getipnodebyaddr.c	\
+	getipnodebyname.c	\
+	getopt.c		\
+	gettimeofday.c		\
+	getuid.c		\
+	getusershell.c		\
+	glob.hin		\
+	hstrerror.c		\
+	ifaddrs.hin		\
+	inet_aton.c		\
+	inet_ntop.c		\
+	inet_pton.c		\
+	initgroups.c		\
+	innetgr.c		\
+	iruserok.c		\
+	lstat.c			\
+	memmove.c		\
+	mkstemp.c		\
+	putenv.c		\
+	rcmd.c			\
+	readv.c			\
+	recvmsg.c		\
+	sendmsg.c		\
+	setegid.c		\
+	setenv.c		\
+	seteuid.c		\
+	strcasecmp.c		\
+	strdup.c		\
+	strerror.c		\
+	strftime.c		\
+	strlcat.c		\
+	strlcpy.c		\
+	strlwr.c		\
+	strncasecmp.c		\
+	strndup.c		\
+	strnlen.c		\
+	strptime.c		\
+	strsep.c		\
+	strsep_copy.c		\
+	strtok_r.c		\
+	strupr.c		\
+	swab.c			\
+	unsetenv.c		\
+	verr.c			\
+	verrx.c			\
+	vsyslog.c		\
+	vwarn.c			\
+	vwarnx.c		\
+	warn.c			\
+	warnx.c			\
+	writev.c
+
+EXTRA_DIST = roken.awk roken.h.in
+
+libroken_la_LIBADD = @LTLIBOBJS@
+
+$(LTLIBOBJS) $(libroken_la_OBJECTS): $(include_HEADERS) roken.h
+
+BUILT_SOURCES = make-roken.c roken.h
+
+if have_err_h
+err_h =
+else
+err_h = err.h
+endif
+
+if have_fnmatch_h
+fnmatch_h =
+else
+fnmatch_h = fnmatch.h
+endif
+
+if have_glob_h
+glob_h =
+else
+glob_h = glob.h
+endif
+
+if have_ifaddrs_h
+ifaddrs_h =
+else
+ifaddrs_h = ifaddrs.h
+endif
+
+if have_vis_h
+vis_h = 
+else
+vis_h = vis.h
+endif
+
+## these are controlled by configure
+XHEADERS = $(err_h) $(fnmatch_h) $(glob_h) $(ifaddrs_h) $(vis_h)
+
+include_HEADERS = 				\
+	base64.h				\
+	getarg.h				\
+	parse_bytes.h 				\
+	parse_time.h 				\
+	parse_units.h				\
+	resolve.h 				\
+	roken-common.h 				\
+	rtbl.h 					\
+	xdbm.h					\
+	$(XHEADERS) 
+
+nodist_include_HEADERS = roken.h
+
+
+SUFFIXES += .hin
+.hin.h:
+	cp $< $@
+
+roken.h: make-roken$(EXEEXT)
+	@./make-roken$(EXEEXT) > tmp.h ;\
+	if [ -f roken.h ] && cmp -s tmp.h roken.h ; then rm -f tmp.h ; \
+	else rm -f roken.h; mv tmp.h roken.h; fi
+
+make-roken.c: roken.h.in roken.awk
+	$(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c
diff --git a/crypto/heimdal/lib/roken/Makefile.in b/crypto/heimdal/lib/roken/Makefile.in
new file mode 100644
index 0000000..b72df46
--- /dev/null
+++ b/crypto/heimdal/lib/roken/Makefile.in
@@ -0,0 +1,727 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.96 2001/05/16 23:57:10 assar Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+AM_CFLAGS =  $(WFLAGS)
+
+ACLOCAL_AMFLAGS = -I ../../cf
+
+CLEANFILES = roken.h make-roken.c $(XHEADERS)
+
+lib_LTLIBRARIES = libroken.la
+libroken_la_LDFLAGS = -version-info 12:0:3
+
+noinst_PROGRAMS = make-roken
+
+nodist_make_roken_SOURCES = make-roken.c
+
+check_PROGRAMS = parse_bytes-test \
+		strpftime-test \
+		getaddrinfo-test
+
+
+TESTS = $(check_PROGRAMS)
+
+LIB_crypt = @LIB_crypt@
+
+common_LDADD = libroken.la $(LIB_crypt)
+
+strpftime_test_SOURCES = strpftime-test.c strftime.c strptime.c snprintf.c
+getaddrinfo_test_LDADD = $(common_LDADD)
+parse_bytes_test_LDADD = $(common_LDADD)
+
+libroken_la_SOURCES = \
+	base64.c		\
+	bswap.c			\
+	concat.c		\
+	emalloc.c		\
+	environment.c		\
+	eread.c			\
+	erealloc.c		\
+	esetenv.c		\
+	estrdup.c		\
+	ewrite.c		\
+	getaddrinfo_hostspec.c	\
+	get_default_username.c	\
+	get_window_size.c	\
+	getarg.c		\
+	getnameinfo_verified.c	\
+	issuid.c		\
+	k_getpwnam.c		\
+	k_getpwuid.c		\
+	mini_inetd.c		\
+	net_read.c		\
+	net_write.c		\
+	parse_bytes.c		\
+	parse_time.c		\
+	parse_units.c		\
+	resolve.c		\
+	roken_gethostby.c	\
+	rtbl.c			\
+	rtbl.h			\
+	signal.c		\
+	simple_exec.c		\
+	snprintf.c		\
+	socket.c		\
+	strcollect.c		\
+	timeval.c		\
+	tm2time.c		\
+	unvis.c			\
+	verify.c		\
+	vis.c			\
+	vis.h			\
+	warnerr.c		\
+	write_pid.c		\
+	xdbm.h
+
+
+EXTRA_libroken_la_SOURCES = \
+	chown.c			\
+	copyhostent.c		\
+	daemon.c		\
+	err.c			\
+	err.hin			\
+	errx.c			\
+	fchown.c		\
+	flock.c			\
+	fnmatch.c		\
+	fnmatch.hin		\
+	freeaddrinfo.c		\
+	freehostent.c		\
+	gai_strerror.c		\
+	getaddrinfo.c		\
+	getdtablesize.c		\
+	getegid.c		\
+	geteuid.c		\
+	getgid.c		\
+	gethostname.c		\
+	getifaddrs.c		\
+	getipnodebyaddr.c	\
+	getipnodebyname.c	\
+	getopt.c		\
+	gettimeofday.c		\
+	getuid.c		\
+	getusershell.c		\
+	glob.hin		\
+	hstrerror.c		\
+	ifaddrs.hin		\
+	inet_aton.c		\
+	inet_ntop.c		\
+	inet_pton.c		\
+	initgroups.c		\
+	innetgr.c		\
+	iruserok.c		\
+	lstat.c			\
+	memmove.c		\
+	mkstemp.c		\
+	putenv.c		\
+	rcmd.c			\
+	readv.c			\
+	recvmsg.c		\
+	sendmsg.c		\
+	setegid.c		\
+	setenv.c		\
+	seteuid.c		\
+	strcasecmp.c		\
+	strdup.c		\
+	strerror.c		\
+	strftime.c		\
+	strlcat.c		\
+	strlcpy.c		\
+	strlwr.c		\
+	strncasecmp.c		\
+	strndup.c		\
+	strnlen.c		\
+	strptime.c		\
+	strsep.c		\
+	strsep_copy.c		\
+	strtok_r.c		\
+	strupr.c		\
+	swab.c			\
+	unsetenv.c		\
+	verr.c			\
+	verrx.c			\
+	vsyslog.c		\
+	vwarn.c			\
+	vwarnx.c		\
+	warn.c			\
+	warnx.c			\
+	writev.c
+
+
+EXTRA_DIST = roken.awk roken.h.in
+
+libroken_la_LIBADD = @LTLIBOBJS@
+
+BUILT_SOURCES = make-roken.c roken.h
+@have_err_h_TRUE@err_h = 
+@have_err_h_FALSE@err_h = @have_err_h_FALSE@err.h
+@have_fnmatch_h_TRUE@fnmatch_h = 
+@have_fnmatch_h_FALSE@fnmatch_h = @have_fnmatch_h_FALSE@fnmatch.h
+@have_glob_h_TRUE@glob_h = 
+@have_glob_h_FALSE@glob_h = @have_glob_h_FALSE@glob.h
+@have_ifaddrs_h_TRUE@ifaddrs_h = 
+@have_ifaddrs_h_FALSE@ifaddrs_h = @have_ifaddrs_h_FALSE@ifaddrs.h
+@have_vis_h_TRUE@vis_h = 
+@have_vis_h_FALSE@vis_h = @have_vis_h_FALSE@vis.h
+
+XHEADERS = $(err_h) $(fnmatch_h) $(glob_h) $(ifaddrs_h) $(vis_h)
+
+include_HEADERS = \
+	base64.h				\
+	getarg.h				\
+	parse_bytes.h 				\
+	parse_time.h 				\
+	parse_units.h				\
+	resolve.h 				\
+	roken-common.h 				\
+	rtbl.h 					\
+	xdbm.h					\
+	$(XHEADERS) 
+
+
+nodist_include_HEADERS = roken.h
+
+SUFFIXES =  .hin
+subdir = lib/roken
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libroken_la_DEPENDENCIES =  @LTLIBOBJS@
+am_libroken_la_OBJECTS =  base64.lo bswap.lo concat.lo emalloc.lo \
+environment.lo eread.lo erealloc.lo esetenv.lo estrdup.lo ewrite.lo \
+getaddrinfo_hostspec.lo get_default_username.lo get_window_size.lo \
+getarg.lo getnameinfo_verified.lo issuid.lo k_getpwnam.lo k_getpwuid.lo \
+mini_inetd.lo net_read.lo net_write.lo parse_bytes.lo parse_time.lo \
+parse_units.lo resolve.lo roken_gethostby.lo rtbl.lo signal.lo \
+simple_exec.lo snprintf.lo socket.lo strcollect.lo timeval.lo \
+tm2time.lo unvis.lo verify.lo vis.lo warnerr.lo write_pid.lo
+libroken_la_OBJECTS =  $(am_libroken_la_OBJECTS)
+check_PROGRAMS =  parse_bytes-test$(EXEEXT) strpftime-test$(EXEEXT) \
+getaddrinfo-test$(EXEEXT)
+noinst_PROGRAMS =  make-roken$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+getaddrinfo_test_SOURCES = getaddrinfo-test.c
+getaddrinfo_test_OBJECTS =  getaddrinfo-test.$(OBJEXT)
+getaddrinfo_test_DEPENDENCIES =  libroken.la
+getaddrinfo_test_LDFLAGS = 
+nodist_make_roken_OBJECTS =  make-roken.$(OBJEXT)
+make_roken_OBJECTS =  $(nodist_make_roken_OBJECTS)
+make_roken_LDADD = $(LDADD)
+make_roken_DEPENDENCIES = 
+make_roken_LDFLAGS = 
+parse_bytes_test_SOURCES = parse_bytes-test.c
+parse_bytes_test_OBJECTS =  parse_bytes-test.$(OBJEXT)
+parse_bytes_test_DEPENDENCIES =  libroken.la
+parse_bytes_test_LDFLAGS = 
+am_strpftime_test_OBJECTS =  strpftime-test.$(OBJEXT) strftime.$(OBJEXT) \
+strptime.$(OBJEXT) snprintf.$(OBJEXT)
+strpftime_test_OBJECTS =  $(am_strpftime_test_OBJECTS)
+strpftime_test_LDADD = $(LDADD)
+strpftime_test_DEPENDENCIES = 
+strpftime_test_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) \
+getaddrinfo-test.c parse_bytes-test.c $(strpftime_test_SOURCES)
+HEADERS =  $(include_HEADERS) $(nodist_include_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) ChangeLog Makefile.am Makefile.in \
+acinclude.m4 getcap.c getnameinfo.c glob.c install-sh \
+make-print-version.c missing mkinstalldirs
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libroken_la_SOURCES) $(EXTRA_libroken_la_SOURCES) getaddrinfo-test.c $(nodist_make_roken_SOURCES) parse_bytes-test.c $(strpftime_test_SOURCES)
+OBJECTS = $(am_libroken_la_OBJECTS) getaddrinfo-test.$(OBJEXT) $(nodist_make_roken_OBJECTS) parse_bytes-test.$(OBJEXT) $(am_strpftime_test_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .hin .c .h .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) 
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/roken/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libroken.la: $(libroken_la_OBJECTS) $(libroken_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libroken_la_LDFLAGS) $(libroken_la_OBJECTS) $(libroken_la_LIBADD) $(LIBS)
+
+mostlyclean-checkPROGRAMS:
+
+clean-checkPROGRAMS:
+	-test -z "$(check_PROGRAMS)" || rm -f $(check_PROGRAMS)
+
+distclean-checkPROGRAMS:
+
+maintainer-clean-checkPROGRAMS:
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+getaddrinfo-test$(EXEEXT): $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_DEPENDENCIES)
+	@rm -f getaddrinfo-test$(EXEEXT)
+	$(LINK) $(getaddrinfo_test_LDFLAGS) $(getaddrinfo_test_OBJECTS) $(getaddrinfo_test_LDADD) $(LIBS)
+
+make-roken$(EXEEXT): $(make_roken_OBJECTS) $(make_roken_DEPENDENCIES)
+	@rm -f make-roken$(EXEEXT)
+	$(LINK) $(make_roken_LDFLAGS) $(make_roken_OBJECTS) $(make_roken_LDADD) $(LIBS)
+
+parse_bytes-test$(EXEEXT): $(parse_bytes_test_OBJECTS) $(parse_bytes_test_DEPENDENCIES)
+	@rm -f parse_bytes-test$(EXEEXT)
+	$(LINK) $(parse_bytes_test_LDFLAGS) $(parse_bytes_test_OBJECTS) $(parse_bytes_test_LDADD) $(LIBS)
+
+strpftime-test$(EXEEXT): $(strpftime_test_OBJECTS) $(strpftime_test_DEPENDENCIES)
+	@rm -f strpftime-test$(EXEEXT)
+	$(LINK) $(strpftime_test_LDFLAGS) $(strpftime_test_OBJECTS) $(strpftime_test_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+install-nodist_includeHEADERS: $(nodist_include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-nodist_includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(nodist_include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list='$(TESTS)'; \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xpass=`expr $$xpass + 1`; \
+	        failed=`expr $$failed + 1`; \
+	        echo "XPASS: $$tst"; \
+	      ;; \
+	      *) \
+	        echo "PASS: $$tst"; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *" $$tst "*) \
+	        xfail=`expr $$xfail + 1`; \
+	        echo "XFAIL: $$tst"; \
+	      ;; \
+	      *) \
+	        failed=`expr $$failed + 1`; \
+	        echo "FAIL: $$tst"; \
+	      ;; \
+	      esac; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="All $$all tests passed"; \
+	    else \
+	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all tests failed"; \
+	    else \
+	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	    fi; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+all-recursive-am: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) all-recursive
+
+install-exec-am: install-libLTLIBRARIES
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-nodist_includeHEADERS
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-includeHEADERS \
+		uninstall-nodist_includeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS)
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(includedir) \
+		$(DESTDIR)$(nodist_includedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-checkPROGRAMS \
+		mostlyclean-noinstPROGRAMS mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-checkPROGRAMS clean-noinstPROGRAMS clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-checkPROGRAMS \
+		distclean-noinstPROGRAMS distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-checkPROGRAMS \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-checkPROGRAMS \
+distclean-checkPROGRAMS clean-checkPROGRAMS \
+maintainer-clean-checkPROGRAMS mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS uninstall-includeHEADERS \
+install-includeHEADERS uninstall-nodist_includeHEADERS \
+install-nodist_includeHEADERS tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags check-TESTS distdir info-am info \
+dvi-am dvi check check-am installcheck-am installcheck all-recursive-am \
+install-exec-am install-exec install-data-am install-data install-am \
+install uninstall-am uninstall all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+$(LTLIBOBJS) $(libroken_la_OBJECTS): $(include_HEADERS) roken.h
+.hin.h:
+	cp $< $@
+
+roken.h: make-roken$(EXEEXT)
+	@./make-roken$(EXEEXT) > tmp.h ;\
+	if [ -f roken.h ] && cmp -s tmp.h roken.h ; then rm -f tmp.h ; \
+	else rm -f roken.h; mv tmp.h roken.h; fi
+
+make-roken.c: roken.h.in roken.awk
+	$(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/roken/acconfig.h b/crypto/heimdal/lib/roken/acconfig.h
new file mode 100644
index 0000000..5fbe685
--- /dev/null
+++ b/crypto/heimdal/lib/roken/acconfig.h
@@ -0,0 +1,36 @@
+@BOTTOM@
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg }
+
+#undef PROTOTYPES
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+/*
+ * Define NDBM if you are using the 4.3 ndbm library (which is part of
+ * libc).  If not defined, 4.2 dbm will be assumed.
+ */
+#if defined(HAVE_DBM_FIRSTKEY)
+#define NDBM
+#endif
+
+/*
+ * Defining this enables lots of useful (and used) extensions on
+ * glibc-based systems such as Linux
+ */
+
+#define _GNU_SOURCE
diff --git a/crypto/heimdal/lib/roken/acinclude.m4 b/crypto/heimdal/lib/roken/acinclude.m4
new file mode 100644
index 0000000..1d0197c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/acinclude.m4
@@ -0,0 +1,9 @@
+dnl $Id$
+dnl
+dnl Only put things that for some reason can't live in the `cf'
+dnl directory in this file.
+dnl
+
+dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl
+define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
diff --git a/crypto/heimdal/lib/roken/base64.c b/crypto/heimdal/lib/roken/base64.c
new file mode 100644
index 0000000..daed869
--- /dev/null
+++ b/crypto/heimdal/lib/roken/base64.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: base64.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include "base64.h"
+
+static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+static int pos(char c)
+{
+  char *p;
+  for(p = base64; *p; p++)
+    if(*p == c)
+      return p - base64;
+  return -1;
+}
+
+int base64_encode(const void *data, int size, char **str)
+{
+  char *s, *p;
+  int i;
+  int c;
+  const unsigned char *q;
+
+  p = s = (char*)malloc(size*4/3+4);
+  if (p == NULL)
+      return -1;
+  q = (const unsigned char*)data;
+  i=0;
+  for(i = 0; i < size;){
+    c=q[i++];
+    c*=256;
+    if(i < size)
+      c+=q[i];
+    i++;
+    c*=256;
+    if(i < size)
+      c+=q[i];
+    i++;
+    p[0]=base64[(c&0x00fc0000) >> 18];
+    p[1]=base64[(c&0x0003f000) >> 12];
+    p[2]=base64[(c&0x00000fc0) >> 6];
+    p[3]=base64[(c&0x0000003f) >> 0];
+    if(i > size)
+      p[3]='=';
+    if(i > size+1)
+      p[2]='=';
+    p+=4;
+  }
+  *p=0;
+  *str = s;
+  return strlen(s);
+}
+
+int base64_decode(const char *str, void *data)
+{
+  const char *p;
+  unsigned char *q;
+  int c;
+  int x;
+  int done = 0;
+  q=(unsigned char*)data;
+  for(p=str; *p && !done; p+=4){
+    x = pos(p[0]);
+    if(x >= 0)
+      c = x;
+    else{
+      done = 3;
+      break;
+    }
+    c*=64;
+    
+    x = pos(p[1]);
+    if(x >= 0)
+      c += x;
+    else
+      return -1;
+    c*=64;
+    
+    if(p[2] == '=')
+      done++;
+    else{
+      x = pos(p[2]);
+      if(x >= 0)
+	c += x;
+      else
+	return -1;
+    }
+    c*=64;
+    
+    if(p[3] == '=')
+      done++;
+    else{
+      if(done)
+	return -1;
+      x = pos(p[3]);
+      if(x >= 0)
+	c += x;
+      else
+	return -1;
+    }
+    if(done < 3)
+      *q++=(c&0x00ff0000)>>16;
+      
+    if(done < 2)
+      *q++=(c&0x0000ff00)>>8;
+    if(done < 1)
+      *q++=(c&0x000000ff)>>0;
+  }
+  return q - (unsigned char*)data;
+}
diff --git a/crypto/heimdal/lib/roken/base64.h b/crypto/heimdal/lib/roken/base64.h
new file mode 100644
index 0000000..5ad1e3b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/base64.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: base64.h,v 1.2 1999/12/02 16:58:45 joda Exp $ */
+
+#ifndef _BASE64_H_
+#define _BASE64_H_
+
+int base64_encode(const void *data, int size, char **str);
+int base64_decode(const char *str, void *data);
+
+#endif
diff --git a/crypto/heimdal/lib/roken/bswap.c b/crypto/heimdal/lib/roken/bswap.c
new file mode 100644
index 0000000..c57dc6f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/bswap.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: bswap.c,v 1.3 2001/05/18 15:32:11 joda Exp $");
+
+#ifndef HAVE_BSWAP32
+
+unsigned int
+bswap32 (unsigned int val)
+{
+    return (val & 0xff) << 24 |
+	(val & 0xff00) << 8 |
+	(val & 0xff0000) >> 8 |
+	(val & 0xff000000) >> 24;
+}
+#endif
+
+#ifndef HAVE_BSWAP16
+
+unsigned short
+bswap16 (unsigned short val)
+{
+    return (val & 0xff) << 8 |
+	(val & 0xff00) >> 8;
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/chown.c b/crypto/heimdal/lib/roken/chown.c
new file mode 100644
index 0000000..f3d34e3
--- /dev/null
+++ b/crypto/heimdal/lib/roken/chown.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: chown.c,v 1.3 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+chown(const char *path, uid_t owner, gid_t group)
+{
+  return 0;
+}
diff --git a/crypto/heimdal/lib/roken/concat.c b/crypto/heimdal/lib/roken/concat.c
new file mode 100644
index 0000000..ca295c0
--- /dev/null
+++ b/crypto/heimdal/lib/roken/concat.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: concat.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+#include "roken.h"
+
+int
+roken_concat (char *s, size_t len, ...)
+{
+    int ret;
+    va_list args;
+
+    va_start(args, len);
+    ret = roken_vconcat (s, len, args);
+    va_end(args);
+    return ret;
+}
+
+int
+roken_vconcat (char *s, size_t len, va_list args)
+{
+    const char *a;
+
+    while ((a = va_arg(args, const char*))) {
+	size_t n = strlen (a);
+
+	if (n >= len)
+	    return -1;
+	memcpy (s, a, n);
+	s += n;
+	len -= n;
+    }
+    *s = '\0';
+    return 0;
+}
+
+size_t
+roken_vmconcat (char **s, size_t max_len, va_list args)
+{
+    const char *a;
+    char *p, *q;
+    size_t len = 0;
+    *s = NULL;
+    p = malloc(1);
+    if(p == NULL)
+	return 0;
+    len = 1;
+    while ((a = va_arg(args, const char*))) {
+	size_t n = strlen (a);
+	
+	if(max_len && len + n > max_len){
+	    free(p);
+	    return 0;
+	}
+	q = realloc(p, len + n);
+	if(q == NULL){
+	    free(p);
+	    return 0;
+	}
+	p = q;
+	memcpy (p + len - 1, a, n);
+	len += n;
+    }
+    p[len - 1] = '\0';
+    *s = p;
+    return len;
+}
+
+size_t
+roken_mconcat (char **s, size_t max_len, ...)
+{
+    int ret;
+    va_list args;
+
+    va_start(args, max_len);
+    ret = roken_vmconcat (s, max_len, args);
+    va_end(args);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/config.h.in b/crypto/heimdal/lib/roken/config.h.in
new file mode 100644
index 0000000..b3df989
--- /dev/null
+++ b/crypto/heimdal/lib/roken/config.h.in
@@ -0,0 +1 @@
+/*autoheader*/
diff --git a/crypto/heimdal/lib/roken/copyhostent.c b/crypto/heimdal/lib/roken/copyhostent.c
new file mode 100644
index 0000000..a3be6db
--- /dev/null
+++ b/crypto/heimdal/lib/roken/copyhostent.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: copyhostent.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * return a malloced copy of `h'
+ */
+
+struct hostent *
+copyhostent (const struct hostent *h)
+{
+    struct hostent *res;
+    char **p;
+    int i, n;
+
+    res = malloc (sizeof (*res));
+    if (res == NULL)
+	return NULL;
+    res->h_name      = NULL;
+    res->h_aliases   = NULL;
+    res->h_addrtype  = h->h_addrtype;
+    res->h_length    = h->h_length;
+    res->h_addr_list = NULL;
+    res->h_name = strdup (h->h_name);
+    if (res->h_name == NULL) {
+	freehostent (res);
+	return NULL;
+    }
+    for (n = 0, p = h->h_aliases; *p != NULL; ++p)
+	++n;
+    res->h_aliases = malloc ((n + 1) * sizeof(*res->h_aliases));
+    if (res->h_aliases == NULL) {
+	freehostent (res);
+	return NULL;
+    }
+    for (i = 0; i < n + 1; ++i)
+	res->h_aliases[i] = NULL;
+    for (i = 0; i < n; ++i) {
+	res->h_aliases[i] = strdup (h->h_aliases[i]);
+	if (res->h_aliases[i] == NULL) {
+	    freehostent (res);
+	    return NULL;
+	}
+    }
+
+    for (n = 0, p = h->h_addr_list; *p != NULL; ++p)
+	++n;
+    res->h_addr_list = malloc ((n + 1) * sizeof(*res->h_addr_list));
+    if (res->h_addr_list == NULL) {
+	freehostent (res);
+	return NULL;
+    }
+    for (i = 0; i < n + 1; ++i) {
+	res->h_addr_list[i] = NULL;
+    }
+    for (i = 0; i < n; ++i) {
+	res->h_addr_list[i] = malloc (h->h_length);
+	if (res->h_addr_list[i] == NULL) {
+	    freehostent (res);
+	    return NULL;
+	}
+	memcpy (res->h_addr_list[i], h->h_addr_list[i], h->h_length);
+    }
+    return res;
+}
+
diff --git a/crypto/heimdal/lib/roken/daemon.c b/crypto/heimdal/lib/roken/daemon.c
new file mode 100644
index 0000000..758856c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/daemon.c
@@ -0,0 +1,88 @@
+/*-
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)daemon.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: daemon.c,v 1.3 1997/10/04 21:55:48 joda Exp $");
+
+#ifndef HAVE_DAEMON
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "roken.h"
+
+int
+daemon(int nochdir, int noclose)
+{
+    int fd;
+
+    switch (fork()) {
+    case -1:
+	return (-1);
+    case 0:
+	break;
+    default:
+	_exit(0);
+    }
+
+    if (setsid() == -1)
+	return (-1);
+
+    if (!nochdir)
+	chdir("/");
+
+    if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
+	dup2(fd, STDIN_FILENO);
+	dup2(fd, STDOUT_FILENO);
+	dup2(fd, STDERR_FILENO);
+	if (fd > 2)
+	    close (fd);
+    }
+    return (0);
+}
+
+#endif /* HAVE_DAEMON */
diff --git a/crypto/heimdal/lib/roken/emalloc.c b/crypto/heimdal/lib/roken/emalloc.c
new file mode 100644
index 0000000..bbea1e0
--- /dev/null
+++ b/crypto/heimdal/lib/roken/emalloc.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: emalloc.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like malloc but never fails.
+ */
+
+void *
+emalloc (size_t sz)
+{
+    void *tmp = malloc (sz);
+
+    if (tmp == NULL && sz != 0)
+	err (1, "malloc %lu", (unsigned long)sz);
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/environment.c b/crypto/heimdal/lib/roken/environment.c
new file mode 100644
index 0000000..62c732c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/environment.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: environment.c,v 1.1 2000/06/21 02:05:03 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include "roken.h"
+
+/*
+ * return count of environment assignments from `file' and 
+ * list of malloced strings in `env'
+ */
+
+int
+read_environment(const char *file, char ***env)
+{
+    int i, k;
+    FILE *F;
+    char **l;
+    char buf[BUFSIZ], *p, *r;
+
+    if ((F = fopen(file, "r")) == NULL) {
+	return 0;
+    }
+
+    i = 0;
+    if (*env) {
+	l = *env;
+	while (*l != NULL) {
+	    i++;
+	    l++;
+	}
+    }
+    l = *env;
+    /* This is somewhat more relaxed on what it accepts then
+     * Wietses sysv_environ from K4 was...
+     */
+    while (fgets(buf, BUFSIZ, F) != NULL) {
+	if (buf[0] == '#')
+	    continue;
+
+	p = strchr(buf, '#');
+	if (p != NULL)
+	    *p = '\0';
+
+	p = buf;
+	while (*p == ' ' || *p == '\t' || *p == '\n') p++;
+	if (*p == '\0')
+	    continue;
+
+	k = strlen(p);
+	if (p[k-1] == '\n')
+	    p[k-1] = '\0';
+
+	/* Here one should check that is is a 'valid' env string... */
+	r = strchr(p, '=');
+	if (r == NULL)
+	    continue;
+
+	l = realloc(l, (i+1) * sizeof (char *));
+	l[i++] = strdup(p);
+    }
+    fclose(F);
+    l = realloc(l, (i+1) * sizeof (char *));
+    l[i] = NULL;
+    *env = l;
+    return i;
+}
diff --git a/crypto/heimdal/lib/roken/eread.c b/crypto/heimdal/lib/roken/eread.c
new file mode 100644
index 0000000..9a1b24b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/eread.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: eread.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <unistd.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like read but never fails (and never returns partial data).
+ */
+
+ssize_t
+eread (int fd, void *buf, size_t nbytes)
+{
+    ssize_t ret;
+
+    ret = net_read (fd, buf, nbytes);
+    if (ret < 0)
+	err (1, "read");
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/erealloc.c b/crypto/heimdal/lib/roken/erealloc.c
new file mode 100644
index 0000000..8afa8f3
--- /dev/null
+++ b/crypto/heimdal/lib/roken/erealloc.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: erealloc.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like realloc but never fails.
+ */
+
+void *
+erealloc (void *ptr, size_t sz)
+{
+    void *tmp = realloc (ptr, sz);
+
+    if (tmp == NULL && sz != 0)
+	err (1, "realloc %lu", (unsigned long)sz);
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/err.c b/crypto/heimdal/lib/roken/err.c
new file mode 100644
index 0000000..29b1f7b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/err.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: err.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+err(int eval, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  verr(eval, fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/heimdal/lib/roken/err.h b/crypto/heimdal/lib/roken/err.h
new file mode 100644
index 0000000..b0b649f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/err.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: err.h,v 1.15 1999/12/02 16:58:45 joda Exp $ */
+
+#ifndef __ERR_H__
+#define __ERR_H__
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+extern const char *__progname;
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+void warnerr(int doerrno, const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 2, 0)));
+
+void verr(int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)));
+void err(int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)));
+void verrx(int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)));
+void errx(int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)));
+void vwarn(const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 1, 0)));
+void warn(const char *fmt, ...)
+     __attribute__ ((format (printf, 1, 2)));
+void vwarnx(const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 1, 0)));
+void warnx(const char *fmt, ...)
+     __attribute__ ((format (printf, 1, 2)));
+
+#endif /* __ERR_H__ */
diff --git a/crypto/heimdal/lib/roken/err.hin b/crypto/heimdal/lib/roken/err.hin
new file mode 100644
index 0000000..1fa7774
--- /dev/null
+++ b/crypto/heimdal/lib/roken/err.hin
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: err.hin,v 1.16 2000/12/11 04:40:59 assar Exp $ */
+
+#ifndef __ERR_H__
+#define __ERR_H__
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+extern const char *__progname;
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+void verr(int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)));
+void err(int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)));
+void verrx(int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)));
+void errx(int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)));
+void vwarn(const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 1, 0)));
+void warn(const char *fmt, ...)
+     __attribute__ ((format (printf, 1, 2)));
+void vwarnx(const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 1, 0)));
+void warnx(const char *fmt, ...)
+     __attribute__ ((format (printf, 1, 2)));
+
+#endif /* __ERR_H__ */
diff --git a/crypto/heimdal/lib/roken/errx.c b/crypto/heimdal/lib/roken/errx.c
new file mode 100644
index 0000000..2f8ec18
--- /dev/null
+++ b/crypto/heimdal/lib/roken/errx.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: errx.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+errx(int eval, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  verrx(eval, fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/heimdal/lib/roken/esetenv.c b/crypto/heimdal/lib/roken/esetenv.c
new file mode 100644
index 0000000..cb35752
--- /dev/null
+++ b/crypto/heimdal/lib/roken/esetenv.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2000, 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: esetenv.c,v 1.3 2001/01/27 05:28:38 assar Exp $");
+#endif
+
+#include "roken.h"
+
+#include <err.h>
+
+void
+esetenv(const char *var, const char *val, int rewrite)
+{
+    if (setenv ((char *)var, (char *)val, rewrite))
+	errx (1, "failed setting environment variable %s", var);
+}
diff --git a/crypto/heimdal/lib/roken/estrdup.c b/crypto/heimdal/lib/roken/estrdup.c
new file mode 100644
index 0000000..8c0d9a7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/estrdup.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: estrdup.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like strdup but never fails.
+ */
+
+char *
+estrdup (const char *str)
+{
+    char *tmp = strdup (str);
+
+    if (tmp == NULL)
+	err (1, "strdup");
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/ewrite.c b/crypto/heimdal/lib/roken/ewrite.c
new file mode 100644
index 0000000..b2c43de
--- /dev/null
+++ b/crypto/heimdal/lib/roken/ewrite.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: ewrite.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <unistd.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like write but never fails (and never returns partial data).
+ */
+
+ssize_t
+ewrite (int fd, const void *buf, size_t nbytes)
+{
+    ssize_t ret;
+
+    ret = net_write (fd, buf, nbytes);
+    if (ret < 0)
+	err (1, "write");
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/fchown.c b/crypto/heimdal/lib/roken/fchown.c
new file mode 100644
index 0000000..61e8546
--- /dev/null
+++ b/crypto/heimdal/lib/roken/fchown.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: fchown.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+fchown(int fd, uid_t owner, gid_t group)
+{
+  return 0;
+}
diff --git a/crypto/heimdal/lib/roken/flock.c b/crypto/heimdal/lib/roken/flock.c
new file mode 100644
index 0000000..13da4f4
--- /dev/null
+++ b/crypto/heimdal/lib/roken/flock.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifndef HAVE_FLOCK
+RCSID("$Id: flock.c,v 1.4 1999/12/02 16:58:46 joda Exp $");
+
+#include "roken.h"
+
+
+#define OP_MASK (LOCK_SH | LOCK_EX | LOCK_UN)
+
+int
+flock(int fd, int operation)
+{
+#if defined(HAVE_FCNTL) && defined(F_SETLK)
+  struct flock arg;
+  int code, cmd;
+  
+  arg.l_whence = SEEK_SET;
+  arg.l_start = 0;
+  arg.l_len = 0;		/* means to EOF */
+
+  if (operation & LOCK_NB)
+    cmd = F_SETLK;
+  else
+    cmd = F_SETLKW;		/* Blocking */
+
+  switch (operation & OP_MASK) {
+  case LOCK_UN:
+    arg.l_type = F_UNLCK;
+    code = fcntl(fd, F_SETLK, &arg);
+    break;
+  case LOCK_SH:
+    arg.l_type = F_RDLCK;
+    code = fcntl(fd, cmd, &arg);
+    break;
+  case LOCK_EX:
+    arg.l_type = F_WRLCK;
+    code = fcntl(fd, cmd, &arg);
+    break;
+  default:
+    errno = EINVAL;
+    code = -1;
+    break;
+  }
+  return code;
+#else
+  return -1;
+#endif
+}
+
+#endif
+
diff --git a/crypto/heimdal/lib/roken/fnmatch.c b/crypto/heimdal/lib/roken/fnmatch.c
new file mode 100644
index 0000000..dc01d6e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/fnmatch.c
@@ -0,0 +1,173 @@
+/*	$NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $	*/
+
+/*
+ * Copyright (c) 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+#if 0
+static char sccsid[] = "@(#)fnmatch.c	8.2 (Berkeley) 4/16/94";
+#else
+static char rcsid[] = "$NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $";
+#endif
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Function fnmatch() as specified in POSIX 1003.2-1992, section B.6.
+ * Compares a filename or pathname to a pattern.
+ */
+
+#include <fnmatch.h>
+#include <string.h>
+
+#define	EOS	'\0'
+
+static const char *rangematch (const char *, int, int);
+
+int
+fnmatch(const char *pattern, const char *string, int flags)
+{
+	const char *stringstart;
+	char c, test;
+
+	for (stringstart = string;;)
+		switch (c = *pattern++) {
+		case EOS:
+			return (*string == EOS ? 0 : FNM_NOMATCH);
+		case '?':
+			if (*string == EOS)
+				return (FNM_NOMATCH);
+			if (*string == '/' && (flags & FNM_PATHNAME))
+				return (FNM_NOMATCH);
+			if (*string == '.' && (flags & FNM_PERIOD) &&
+			    (string == stringstart ||
+			    ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
+				return (FNM_NOMATCH);
+			++string;
+			break;
+		case '*':
+			c = *pattern;
+			/* Collapse multiple stars. */
+			while (c == '*')
+				c = *++pattern;
+
+			if (*string == '.' && (flags & FNM_PERIOD) &&
+			    (string == stringstart ||
+			    ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
+				return (FNM_NOMATCH);
+
+			/* Optimize for pattern with * at end or before /. */
+			if (c == EOS)
+				if (flags & FNM_PATHNAME)
+					return (strchr(string, '/') == NULL ?
+					    0 : FNM_NOMATCH);
+				else
+					return (0);
+			else if (c == '/' && flags & FNM_PATHNAME) {
+				if ((string = strchr(string, '/')) == NULL)
+					return (FNM_NOMATCH);
+				break;
+			}
+
+			/* General case, use recursion. */
+			while ((test = *string) != EOS) {
+				if (!fnmatch(pattern, string, flags & ~FNM_PERIOD))
+					return (0);
+				if (test == '/' && flags & FNM_PATHNAME)
+					break;
+				++string;
+			}
+			return (FNM_NOMATCH);
+		case '[':
+			if (*string == EOS)
+				return (FNM_NOMATCH);
+			if (*string == '/' && flags & FNM_PATHNAME)
+				return (FNM_NOMATCH);
+			if ((pattern =
+			    rangematch(pattern, *string, flags)) == NULL)
+				return (FNM_NOMATCH);
+			++string;
+			break;
+		case '\\':
+			if (!(flags & FNM_NOESCAPE)) {
+				if ((c = *pattern++) == EOS) {
+					c = '\\';
+					--pattern;
+				}
+			}
+			/* FALLTHROUGH */
+		default:
+			if (c != *string++)
+				return (FNM_NOMATCH);
+			break;
+		}
+	/* NOTREACHED */
+}
+
+static const char *
+rangematch(const char *pattern, int test, int flags)
+{
+	int negate, ok;
+	char c, c2;
+
+	/*
+	 * A bracket expression starting with an unquoted circumflex
+	 * character produces unspecified results (IEEE 1003.2-1992,
+	 * 3.13.2).  This implementation treats it like '!', for
+	 * consistency with the regular expression syntax.
+	 * J.T. Conklin (conklin@ngai.kaleida.com)
+	 */
+	if (negate = (*pattern == '!' || *pattern == '^'))
+		++pattern;
+	
+	for (ok = 0; (c = *pattern++) != ']';) {
+		if (c == '\\' && !(flags & FNM_NOESCAPE))
+			c = *pattern++;
+		if (c == EOS)
+			return (NULL);
+		if (*pattern == '-' 
+		    && (c2 = *(pattern+1)) != EOS && c2 != ']') {
+			pattern += 2;
+			if (c2 == '\\' && !(flags & FNM_NOESCAPE))
+				c2 = *pattern++;
+			if (c2 == EOS)
+				return (NULL);
+			if (c <= test && test <= c2)
+				ok = 1;
+		} else if (c == test)
+			ok = 1;
+	}
+	return (ok == negate ? NULL : pattern);
+}
diff --git a/crypto/heimdal/lib/roken/fnmatch.h b/crypto/heimdal/lib/roken/fnmatch.h
new file mode 100644
index 0000000..95c91d6
--- /dev/null
+++ b/crypto/heimdal/lib/roken/fnmatch.h
@@ -0,0 +1,49 @@
+/*	$NetBSD: fnmatch.h,v 1.5 1994/10/26 00:55:53 cgd Exp $	*/
+
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)fnmatch.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef	_FNMATCH_H_
+#define	_FNMATCH_H_
+
+#define	FNM_NOMATCH	1	/* Match failed. */
+
+#define	FNM_NOESCAPE	0x01	/* Disable backslash escaping. */
+#define	FNM_PATHNAME	0x02	/* Slash must be matched by slash. */
+#define	FNM_PERIOD	0x04	/* Period must be matched by period. */
+
+int	 fnmatch (const char *, const char *, int);
+
+#endif /* !_FNMATCH_H_ */
diff --git a/crypto/heimdal/lib/roken/fnmatch.hin b/crypto/heimdal/lib/roken/fnmatch.hin
new file mode 100644
index 0000000..95c91d6
--- /dev/null
+++ b/crypto/heimdal/lib/roken/fnmatch.hin
@@ -0,0 +1,49 @@
+/*	$NetBSD: fnmatch.h,v 1.5 1994/10/26 00:55:53 cgd Exp $	*/
+
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)fnmatch.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef	_FNMATCH_H_
+#define	_FNMATCH_H_
+
+#define	FNM_NOMATCH	1	/* Match failed. */
+
+#define	FNM_NOESCAPE	0x01	/* Disable backslash escaping. */
+#define	FNM_PATHNAME	0x02	/* Slash must be matched by slash. */
+#define	FNM_PERIOD	0x04	/* Period must be matched by period. */
+
+int	 fnmatch (const char *, const char *, int);
+
+#endif /* !_FNMATCH_H_ */
diff --git a/crypto/heimdal/lib/roken/freeaddrinfo.c b/crypto/heimdal/lib/roken/freeaddrinfo.c
new file mode 100644
index 0000000..56124e5
--- /dev/null
+++ b/crypto/heimdal/lib/roken/freeaddrinfo.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: freeaddrinfo.c,v 1.4 2001/05/11 09:10:32 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * free the list of `struct addrinfo' starting at `ai'
+ */
+
+void
+freeaddrinfo(struct addrinfo *ai)
+{
+    struct addrinfo *tofree;
+
+    while(ai != NULL) {
+	free (ai->ai_canonname);
+	free (ai->ai_addr);
+	tofree = ai;
+	ai = ai->ai_next;
+	free (tofree);
+    }
+}
diff --git a/crypto/heimdal/lib/roken/freehostent.c b/crypto/heimdal/lib/roken/freehostent.c
new file mode 100644
index 0000000..0cd92cd
--- /dev/null
+++ b/crypto/heimdal/lib/roken/freehostent.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: freehostent.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * free a malloced hostent
+ */
+
+void
+freehostent (struct hostent *h)
+{
+    char **p;
+
+    free (h->h_name);
+    if (h->h_aliases != NULL) {
+	for (p = h->h_aliases; *p != NULL; ++p)
+	    free (*p);
+	free (h->h_aliases);
+    }
+    if (h->h_addr_list != NULL) {
+	for (p = h->h_addr_list; *p != NULL; ++p)
+	    free (*p);
+	free (h->h_addr_list);
+    }
+    free (h);
+}
diff --git a/crypto/heimdal/lib/roken/gai_strerror.c b/crypto/heimdal/lib/roken/gai_strerror.c
new file mode 100644
index 0000000..07f7c39
--- /dev/null
+++ b/crypto/heimdal/lib/roken/gai_strerror.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: gai_strerror.c,v 1.2 1999/12/03 04:10:06 assar Exp $");
+#endif
+
+#include "roken.h"
+
+static struct gai_error {
+    int code;
+    char *str;
+} errors[] = {
+{EAI_NOERROR,		"no error"},
+{EAI_ADDRFAMILY,	"address family for nodename not supported"},
+{EAI_AGAIN,		"temporary failure in name resolution"},
+{EAI_BADFLAGS,		"invalid value for ai_flags"},
+{EAI_FAIL,		"non-recoverable failure in name resolution"},
+{EAI_FAMILY,		"ai_family not supported"},
+{EAI_MEMORY,		"memory allocation failure"},
+{EAI_NODATA,		"no address associated with nodename"},
+{EAI_NONAME,		"nodename nor servname provided, or not known"},
+{EAI_SERVICE,		"servname not supported for ai_socktype"},
+{EAI_SOCKTYPE,		"ai_socktype not supported"},
+{EAI_SYSTEM,		"system error returned in errno"},
+{0,			NULL},
+};
+
+/*
+ *
+ */
+
+char *
+gai_strerror(int ecode)
+{
+    struct gai_error *g;
+
+    for (g = errors; g->str != NULL; ++g)
+	if (g->code == ecode)
+	    return g->str;
+    return "unknown error code in gai_strerror";
+}
diff --git a/crypto/heimdal/lib/roken/get_default_username.c b/crypto/heimdal/lib/roken/get_default_username.c
new file mode 100644
index 0000000..10b0863
--- /dev/null
+++ b/crypto/heimdal/lib/roken/get_default_username.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: get_default_username.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+#endif /* HAVE_CONFIG_H */
+
+#include "roken.h"
+
+/*
+ * Try to return what should be considered the default username or
+ * NULL if we can't guess at all.
+ */
+
+const char *
+get_default_username (void)
+{
+    const char *user;
+
+    user = getenv ("USER");
+    if (user == NULL)
+	user = getenv ("LOGNAME");
+    if (user == NULL)
+	user = getenv ("USERNAME");
+
+#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
+    if (user == NULL) {
+	user = (const char *)getlogin ();
+	if (user != NULL)
+	    return user;
+    }
+#endif
+#ifdef HAVE_PWD_H
+    {
+	uid_t uid = getuid ();
+	struct passwd *pwd;
+
+	if (user != NULL) {
+	    pwd = k_getpwnam (user);
+	    if (pwd != NULL && pwd->pw_uid == uid)
+		return user;
+	}
+	pwd = k_getpwuid (uid);
+	if (pwd != NULL)
+	    return pwd->pw_name;
+    }
+#endif
+    return user;
+}
diff --git a/crypto/heimdal/lib/roken/get_window_size.c b/crypto/heimdal/lib/roken/get_window_size.c
new file mode 100644
index 0000000..4eff8d2
--- /dev/null
+++ b/crypto/heimdal/lib/roken/get_window_size.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: get_window_size.c,v 1.9 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#if 0 /* Where were those needed? /confused */
+#ifdef HAVE_SYS_PROC_H
+#include <sys/proc.h>
+#endif
+
+#ifdef HAVE_SYS_TTY_H
+#include <sys/tty.h>
+#endif
+#endif
+
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+
+#include <roken.h>
+
+int
+get_window_size(int fd, struct winsize *wp)
+{
+    int ret = -1;
+    
+    memset(wp, 0, sizeof(*wp));
+
+#if defined(TIOCGWINSZ)
+    ret = ioctl(fd, TIOCGWINSZ, wp);
+#elif defined(TIOCGSIZE)
+    {
+	struct ttysize ts;
+	
+	ret = ioctl(fd, TIOCGSIZE, &ts);
+	if(ret == 0) {
+	    wp->ws_row = ts.ts_lines;
+	    wp->ws_col = ts.ts_cols;
+	}
+    }
+#elif defined(HAVE__SCRSIZE)
+    {
+	int dst[2];
+	
+	_scrsize(dst);
+	wp->ws_row = dst[1];
+	wp->ws_col = dst[0];
+	ret = 0;
+    }
+#endif
+    if (ret != 0) {
+        char *s;
+        if((s = getenv("COLUMNS")))
+	    wp->ws_col = atoi(s);
+	if((s = getenv("LINES")))
+	    wp->ws_row = atoi(s);
+	if(wp->ws_col > 0 && wp->ws_row > 0)
+	    ret = 0;
+    }
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/getaddrinfo-test.c b/crypto/heimdal/lib/roken/getaddrinfo-test.c
new file mode 100644
index 0000000..4274081
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getaddrinfo-test.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getaddrinfo-test.c,v 1.4 2001/02/20 01:44:54 assar Exp $");
+#endif
+
+#include "roken.h"
+#include "getarg.h"
+
+static int flags;
+static int family;
+static int socktype;
+
+static int version_flag;
+static int help_flag;
+
+static struct getargs args[] = {
+    {"flags",	0,	arg_integer,	&flags,		"flags",	NULL},
+    {"family",	0,	arg_integer,	&family,	"family",	NULL},
+    {"socktype",0,	arg_integer,	&socktype,	"socktype",	NULL},
+    {"version",	0,	arg_flag,	&version_flag,	"print version",NULL},
+    {"help",	0,	arg_flag,	&help_flag,	NULL,		NULL}
+};
+
+static void
+usage(int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "[nodename servname...]");
+    exit (ret);
+}
+
+static void
+doit (const char *nodename, const char *servname)
+{
+    struct addrinfo hints;
+    struct addrinfo *res, *r;
+    int ret;
+
+    printf ("(%s,%s)... ", nodename ? nodename : "null", servname);
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags    = flags;
+    hints.ai_family   = family;
+    hints.ai_socktype = socktype;
+
+    ret = getaddrinfo (nodename, servname, &hints, &res);
+    if (ret) {
+	printf ("error: %s\n", gai_strerror(ret));
+	return;
+    }
+    printf ("\n");
+
+    for (r = res; r != NULL; r = r->ai_next) {
+	char addrstr[256];
+
+	if (inet_ntop (r->ai_family, 
+		       socket_get_address (r->ai_addr),
+		       addrstr, sizeof(addrstr)) == NULL) {
+	    printf ("\tbad address?\n");
+	    continue;
+	} 
+	printf ("\t(family = %d, socktype = %d, protocol = %d, "
+		"address = \"%s\", port = %d",
+		r->ai_family, r->ai_socktype, r->ai_protocol,
+		addrstr,
+		ntohs(socket_get_port (r->ai_addr)));
+	if (r->ai_canonname)
+	    printf (", canonname = \"%s\"", r->ai_canonname);
+	printf ("\n");
+    }
+    freeaddrinfo (res);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    int i;
+
+    setprogname (argv[0]);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	fprintf (stderr, "%s from %s-%s)\n", getprogname(), PACKAGE, VERSION);
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc % 2 != 0)
+	usage (1);
+
+    for (i = 0; i < argc; i += 2) {
+	const char *nodename = argv[i];
+
+	if (strcmp (nodename, "null") == 0)
+	    nodename = NULL;
+
+	doit (nodename, argv[i+1]);
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/getaddrinfo.c b/crypto/heimdal/lib/roken/getaddrinfo.c
new file mode 100644
index 0000000..4b94d3d
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getaddrinfo.c
@@ -0,0 +1,429 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getaddrinfo.c,v 1.9 2000/07/24 02:34:20 assar Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * uses hints->ai_socktype and hints->ai_protocol
+ */
+
+static int
+get_port_protocol_socktype (const char *servname,
+			    const struct addrinfo *hints,
+			    int *port,
+			    int *protocol,
+			    int *socktype)
+{
+    struct servent *se;
+    const char *proto_str = NULL;
+
+    *socktype = 0;
+
+    if (hints != NULL && hints->ai_protocol != 0) {
+	struct protoent *protoent = getprotobynumber (hints->ai_protocol);
+
+	if (protoent == NULL)
+	    return EAI_SOCKTYPE; /* XXX */
+
+	proto_str = protoent->p_name;
+	*protocol = protoent->p_proto;
+    }
+
+    if (hints != NULL)
+	*socktype = hints->ai_socktype;
+
+    if (*socktype == SOCK_STREAM) {
+	se = getservbyname (servname, proto_str ? proto_str : "tcp");
+	if (proto_str == NULL)
+	    *protocol = IPPROTO_TCP;
+    } else if (*socktype == SOCK_DGRAM) {
+	se = getservbyname (servname, proto_str ? proto_str : "udp");
+	if (proto_str == NULL)
+	    *protocol = IPPROTO_UDP;
+    } else if (*socktype == 0) {
+	if (proto_str != NULL) {
+	    se = getservbyname (servname, proto_str);
+	} else {
+	    se = getservbyname (servname, "tcp");
+	    *protocol = IPPROTO_TCP;
+	    *socktype = SOCK_STREAM;
+	    if (se == NULL) {
+		se = getservbyname (servname, "udp");
+		*protocol = IPPROTO_UDP;
+		*socktype = SOCK_DGRAM;
+	    }
+	}
+    } else
+	return EAI_SOCKTYPE;
+
+    if (se == NULL) {
+	char *endstr;
+
+	*port = htons(strtol (servname, &endstr, 10));
+	if (servname == endstr)
+	    return EAI_NONAME;
+    } else {
+	*port = se->s_port;
+    }
+    return 0;
+}
+
+static int
+add_one (int port, int protocol, int socktype,
+	 struct addrinfo ***ptr,
+	 int (*func)(struct addrinfo *, void *data, int port),
+	 void *data,
+	 char *canonname)
+{
+    struct addrinfo *a;
+    int ret;
+
+    a = malloc (sizeof (*a));
+    if (a == NULL)
+	return EAI_MEMORY;
+    memset (a, 0, sizeof(*a));
+    a->ai_flags     = 0;
+    a->ai_next      = NULL;
+    a->ai_protocol  = protocol;
+    a->ai_socktype  = socktype;
+    a->ai_canonname = canonname;
+    ret = (*func)(a, data, port);
+    if (ret) {
+	free (a);
+	return ret;
+    }
+    **ptr = a;
+    *ptr = &a->ai_next;
+    return 0;
+}
+
+static int
+const_v4 (struct addrinfo *a, void *data, int port)
+{
+    struct sockaddr_in *sin;
+    struct in_addr *addr = (struct in_addr *)data;
+
+    a->ai_family  = PF_INET;
+    a->ai_addrlen = sizeof(*sin);
+    a->ai_addr    = malloc (sizeof(*sin));
+    if (a->ai_addr == NULL)
+	return EAI_MEMORY;
+    sin = (struct sockaddr_in *)a->ai_addr;
+    memset (sin, 0, sizeof(*sin));
+    sin->sin_family = AF_INET;
+    sin->sin_port   = port;
+    sin->sin_addr   = *addr;
+    return 0;
+}
+
+#ifdef HAVE_IPV6
+static int
+const_v6 (struct addrinfo *a, void *data, int port)
+{
+    struct sockaddr_in6 *sin6;
+    struct in6_addr *addr = (struct in6_addr *)data;
+
+    a->ai_family  = PF_INET6;
+    a->ai_addrlen = sizeof(*sin6);
+    a->ai_addr    = malloc (sizeof(*sin6));
+    if (a->ai_addr == NULL)
+	return EAI_MEMORY;
+    sin6 = (struct sockaddr_in6 *)a->ai_addr;
+    memset (sin6, 0, sizeof(*sin6));
+    sin6->sin6_family = AF_INET6;
+    sin6->sin6_port   = port;
+    sin6->sin6_addr   = *addr;
+    return 0;
+}
+#endif
+
+static int
+get_null (const struct addrinfo *hints,
+	  int port, int protocol, int socktype,
+	  struct addrinfo **res)
+{
+    struct in_addr v4_addr;
+#ifdef HAVE_IPV6
+    struct in6_addr v6_addr;
+#endif
+    struct addrinfo *first = NULL;
+    struct addrinfo **current = &first;
+    int family = PF_UNSPEC;
+    int ret;
+
+    if (hints != NULL)
+	family = hints->ai_family;
+
+    if (hints && hints->ai_flags & AI_PASSIVE) {
+	v4_addr.s_addr = INADDR_ANY;
+#ifdef HAVE_IPV6
+	v6_addr        = in6addr_any;
+#endif
+    } else {
+	v4_addr.s_addr = htonl(INADDR_LOOPBACK);
+#ifdef HAVE_IPV6
+	v6_addr        = in6addr_loopback;
+#endif
+    }
+
+#ifdef HAVE_IPV6
+    if (family == PF_INET6 || family == PF_UNSPEC) {
+	ret = add_one (port, protocol, socktype,
+		       &current, const_v6, &v6_addr, NULL);
+    }
+#endif
+    if (family == PF_INET || family == PF_UNSPEC) {
+	ret = add_one (port, protocol, socktype,
+		       &current, const_v4, &v4_addr, NULL);
+    }
+    *res = first;
+    return 0;
+}
+
+/*
+ * Try to find a fqdn (with `.') in he if possible, else return h_name
+ */
+
+static char *
+find_fqdn (const struct hostent *he)
+{
+    char *ret = he->h_name;
+    char **h;
+
+    if (strchr (ret, '.') == NULL)
+	for (h = he->h_aliases; *h; ++h) {
+	    if (strchr (*h, '.') != NULL) {
+		ret = *h;
+		break;
+	    }
+	}
+    return ret;
+}
+
+static int
+add_hostent (int port, int protocol, int socktype,
+	     struct addrinfo ***current,
+	     int (*func)(struct addrinfo *, void *data, int port),
+	     struct hostent *he, int *flags)
+{
+    int ret;
+    char *canonname = NULL;
+    char **h;
+
+    if (*flags & AI_CANONNAME) {
+	struct hostent *he2 = NULL;
+
+	canonname = find_fqdn (he);
+	if (strchr (canonname, '.') == NULL) {
+	    int error;
+
+	    he2 = getipnodebyaddr (he->h_addr_list[0], he->h_length,
+				   he->h_addrtype, &error);
+	    if (he2 != NULL) {
+		char *tmp = find_fqdn (he2);
+
+		if (strchr (tmp, '.') != NULL)
+		    canonname = tmp;
+	    }
+	}
+
+	canonname = strdup (canonname);
+	if (he2 != NULL)
+	    freehostent (he2);
+	if (canonname == NULL)
+	    return EAI_MEMORY;
+    }
+
+    for (h = he->h_addr_list; *h != NULL; ++h) {
+	ret = add_one (port, protocol, socktype,
+		       current, func, *h, canonname);
+	if (ret)
+	    return ret;
+	if (*flags & AI_CANONNAME) {
+	    *flags &= ~AI_CANONNAME;
+	    canonname = NULL;
+	}
+    }
+    return 0;
+}
+
+static int
+get_number (const char *nodename,
+	    const struct addrinfo *hints,
+	    int port, int protocol, int socktype,
+	    struct addrinfo **res)
+{
+    struct addrinfo *first = NULL;
+    struct addrinfo **current = &first;
+    int family = PF_UNSPEC;
+    int ret;
+
+    if (hints != NULL) {
+	family = hints->ai_family;
+    }
+
+#ifdef HAVE_IPV6
+    if (family == PF_INET6 || family == PF_UNSPEC) {
+	struct in6_addr v6_addr;
+
+	if (inet_pton (PF_INET6, nodename, &v6_addr) == 1) {
+	    ret = add_one (port, protocol, socktype,
+			   &current, const_v6, &v6_addr, NULL);
+	    *res = first;
+	    return ret;
+	}
+    }
+#endif
+    if (family == PF_INET || family == PF_UNSPEC) {
+	struct in_addr v4_addr;
+
+	if (inet_pton (PF_INET, nodename, &v4_addr) == 1) {
+	    ret = add_one (port, protocol, socktype,
+			   &current, const_v4, &v4_addr, NULL);
+	    *res = first;
+	    return ret;
+	}
+    }
+    return EAI_NONAME;
+}
+
+static int
+get_nodes (const char *nodename,
+	   const struct addrinfo *hints,
+	   int port, int protocol, int socktype,
+	   struct addrinfo **res)
+{
+    struct addrinfo *first = NULL;
+    struct addrinfo **current = &first;
+    int family = PF_UNSPEC;
+    int flags  = 0;
+    int ret = EAI_NONAME;
+    int error;
+
+    if (hints != NULL) {
+	family = hints->ai_family;
+	flags  = hints->ai_flags;
+    }
+
+#ifdef HAVE_IPV6
+    if (family == PF_INET6 || family == PF_UNSPEC) {
+	struct hostent *he;
+
+	he = getipnodebyname (nodename, PF_INET6, 0, &error);
+
+	if (he != NULL) {
+	    ret = add_hostent (port, protocol, socktype,
+			       &current, const_v6, he, &flags);
+	    freehostent (he);
+	}
+    }
+#endif
+    if (family == PF_INET || family == PF_UNSPEC) {
+	struct hostent *he;
+
+	he = getipnodebyname (nodename, PF_INET, 0, &error);
+
+	if (he != NULL) {
+	    ret = add_hostent (port, protocol, socktype,
+			       &current, const_v4, he, &flags);
+	    freehostent (he);
+	}
+    }
+    *res = first;
+    return ret;
+}
+
+/*
+ * hints:
+ *
+ * struct addrinfo {
+ *     int    ai_flags;
+ *     int    ai_family;
+ *     int    ai_socktype;
+ *     int    ai_protocol;
+ * ...
+ * };
+ */
+
+int
+getaddrinfo(const char *nodename,
+	    const char *servname,
+	    const struct addrinfo *hints,
+	    struct addrinfo **res)
+{
+    int ret;
+    int port     = 0;
+    int protocol = 0;
+    int socktype = 0;
+
+    *res = NULL;
+
+    if (servname == NULL && nodename == NULL)
+	return EAI_NONAME;
+
+    if (hints != NULL
+	&& hints->ai_family != PF_UNSPEC
+	&& hints->ai_family != PF_INET
+#ifdef HAVE_IPV6
+	&& hints->ai_family != PF_INET6
+#endif
+	)
+	return EAI_FAMILY;
+
+    if (servname != NULL) {
+	ret = get_port_protocol_socktype (servname, hints,
+					  &port, &protocol, &socktype);
+	if (ret)
+	    return ret;
+    }
+    if (nodename != NULL) {
+	ret = get_number (nodename, hints, port, protocol, socktype, res);
+	if (ret) {
+	    if(hints && hints->ai_flags & AI_NUMERICHOST)
+		ret = EAI_NONAME;
+	    else
+		ret = get_nodes (nodename, hints, port, protocol, socktype,
+				 res);
+	}
+    } else {
+	ret = get_null (hints, port, protocol, socktype, res);
+    }
+    if (ret)
+	freeaddrinfo (*res);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c b/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c
new file mode 100644
index 0000000..7f6b0d1
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getaddrinfo_hostspec.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getaddrinfo_hostspec.c,v 1.3 2000/07/15 12:50:32 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/* getaddrinfo via string specifying host and port */
+
+int
+roken_getaddrinfo_hostspec2(const char *hostspec, 
+			    int socktype,
+			    int port,
+			    struct addrinfo **ai)
+{
+    const char *p;
+    char portstr[NI_MAXSERV];
+    char host[MAXHOSTNAMELEN];
+    struct addrinfo hints;
+    int hostspec_len;
+
+    struct hst {
+	const char *prefix;
+	int socktype;
+	int protocol;
+	int port;
+    } *hstp, hst[] = {
+	{ "http://", SOCK_STREAM, IPPROTO_TCP, 80 },
+	{ "http/", SOCK_STREAM, IPPROTO_TCP, 80 },
+	{ "tcp/", SOCK_STREAM, IPPROTO_TCP },
+	{ "udp/", SOCK_DGRAM, IPPROTO_UDP },
+	{ NULL }
+    };
+
+    memset(&hints, 0, sizeof(hints));
+
+    hints.ai_socktype = socktype;
+	
+    for(hstp = hst; hstp->prefix; hstp++) {
+	if(strncmp(hostspec, hstp->prefix, strlen(hstp->prefix)) == 0) {
+	    hints.ai_socktype = hstp->socktype;
+	    hints.ai_protocol = hstp->protocol;
+	    if(port == 0)
+		port = hstp->port;
+	    hostspec += strlen(hstp->prefix);
+	    break;
+	}
+    }
+    
+    p = strchr (hostspec, ':');
+    if (p != NULL) {
+	char *end;
+
+	port = strtol (p + 1, &end, 0);
+	hostspec_len = p - hostspec;
+    } else {
+	hostspec_len = strlen(hostspec);
+    }
+    snprintf (portstr, sizeof(portstr), "%u", port);
+    
+    snprintf (host, sizeof(host), "%.*s", hostspec_len, hostspec);
+    return getaddrinfo (host, portstr, &hints, ai);
+}
+
+int
+roken_getaddrinfo_hostspec(const char *hostspec, 
+			   int port,
+			   struct addrinfo **ai)
+{
+    return roken_getaddrinfo_hostspec2(hostspec, 0, port, ai);
+}
diff --git a/crypto/heimdal/lib/roken/getarg.3 b/crypto/heimdal/lib/roken/getarg.3
new file mode 100644
index 0000000..e3b5c9f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getarg.3
@@ -0,0 +1,311 @@
+.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
+.\" $Id: getarg.3,v 1.3 2001/01/11 16:16:30 assar Exp $
+.Dd September 24, 1999
+.Dt GETARG 3
+.Os ROKEN
+.Sh NAME
+.Nm getarg , 
+.Nm arg_printusage
+.Nd collect command line options
+.Sh SYNOPSIS
+.Fd #include <getarg.h>
+.Ft int
+.Fn getarg "struct getargs *args" "size_t num_args" "int argc" "char **argv" "int *optind"
+.Ft void
+.Fn arg_printusage "struct getargs *args" "size_t num_args" "const char *progname" "const char *extra_string"
+.Sh DESCRIPTION
+.Fn getarg
+collects any command line options given to a program in an easily used way. 
+.Fn arg_printusage 
+pretty-prints the available options, with a short help text.
+.Pp
+.Fa args
+is the option specification to use, and it's an array of 
+.Fa struct getargs
+elements.
+.Fa num_args
+is the size of
+.Fa args
+(in elements).
+.Fa argc
+and
+.Fa argv
+are the argument count and argument vector to extract option from.
+.Fa optind
+is a pointer to an integer where the index to the last processed
+argument is stored, it must be initialised to the first index (minus
+one) to process (normally 0) before the first call.
+.Pp
+.Fa arg_printusage
+take the same
+.Fa args
+and
+.Fa num_args
+as getarg;
+.Fa progname
+is the name of the program (to be used in the help text), and 
+.Fa extra_string
+is a string to print after the actual options to indicate more
+arguments. The usefulness of this function is realised only be people
+who has used programs that has help strings that doesn't match what
+the code does.
+.Pp
+The
+.Fa getargs
+struct has the following elements.
+.Bd -literal
+struct getargs{
+    const char *long_name;
+    char short_name;
+    enum { arg_integer, 
+	   arg_string, 
+	   arg_flag, 
+	   arg_negative_flag, 
+	   arg_strings,
+	   arg_double,
+           arg_collect
+    } type;
+    void *value;
+    const char *help;
+    const char *arg_help;
+};
+.Ed
+.Pp
+.Fa long_name
+is the long name of the option, it can be 
+.Dv NULL ,
+if you don't want a long name.
+.Fa short_name 
+is the characted to use as short option, it can be zero. If the option
+has a value the
+.Fa value
+field gets filled in with that value interpreted as specified by the 
+.Fa type
+field.
+.Fa help
+is a longer help string for the option as a whole, if it's
+.Dv NULL
+the help text for the option is omitted (but it's still displayed in
+the synopsis).
+.Fa arg_help
+is a description of the argument, if
+.Dv NULL
+a default value will be used, depending on the type of the option:
+.Pp
+.Bl -hang -width arg_negative_flag
+.It arg_integer
+the argument is a signed integer, and
+.Fa value
+should point to an
+.Fa int .
+.It Fa arg_string
+the argument is a string, and
+.Fa value
+should point to a
+.Fa char* .
+.It Fa arg_flag
+the argument is a flag, and
+.Fa value
+should point to a
+.Fa int . 
+It gets filled in with either zero or one, depending on how the option
+is given, the normal case beeing one. Note that if the option isn't
+given, the value isn't altered, so it should be initialised to some
+useful default.
+.It Fa arg_negative_flag
+this is the same as 
+.Fa arg_flag
+but it reverses the meaning of the flag (a given short option clears
+the flag), and the synopsis of a long option is negated.
+.It Fa arg_strings
+the argument can be given multiple times, and the values are collected
+in an array;
+.Fa value
+should be a pointer to a 
+.Fa struct getarg_strings
+structure, which holds a length and a string pointer.
+.It Fa arg_double
+argument is a double precision floating point value, and
+.Fa value
+should point to a
+.Fa double .
+.It Fa arg_collect
+allows more fine-grained control of the option parsing process.
+.Fa value
+should be a pointer to a 
+.Fa getarg_collect_info
+structure:
+.Bd -literal
+typedef int (*getarg_collect_func)(int short_opt,
+				   int argc,
+				   char **argv,
+				   int *optind,
+				   int *optarg,
+				   void *data);
+
+typedef struct getarg_collect_info {
+    getarg_collect_func func;
+    void *data;
+} getarg_collect_info;
+.Ed
+.Pp
+With the
+.Fa func
+member set to a function to call, and 
+.Fa data
+to some application specific data. The parameters to the collect function are:
+.Bl -inset
+.It Fa short_flag
+non-zero if this call is via a short option flag, zero otherwise
+.It Fa argc , argv
+the whole argument list
+.It Fa optind
+pointer to the index in argv where the flag is
+.It Fa optarg
+pointer to the index in argv[*optind] where the flag name starts
+.It Fa data
+application specific data
+.El
+.Pp
+You can modify
+.Fa *optind ,
+and 
+.Fa *optarg ,
+but to do this correct you (more or less) have to know about the inner
+workings of getarg.
+.Pp 
+You can skip parts of arguments by increasing
+.Fa *optarg
+(you could
+implement the 
+.Fl z Ns Ar 3
+set of flags from
+.Nm gzip
+with this), or whole argument strings by increasing
+.Fa *optind
+(let's say you want a flag 
+.Fl c Ar x y z
+to specify a coordinate); if you also have to set
+.Fa *optarg
+to a sane value.
+.Pp
+The collect function should return one of 
+.Dv ARG_ERR_NO_MATCH , ARG_ERR_BAD_ARG , ARG_ERR_NO_ARG
+on error, zero otherwise.
+.Pp
+For your convenience there is a function,
+.Fn getarg_optarg ,
+that returns the traditional argument string, and you pass it all
+arguments, sans data, that where given to the collection function.
+.Pp
+Don't use this more this unless you absolutely have to.
+.El
+.Pp
+Option parsing is similar to what 
+.Xr getopt
+uses. Short options without arguments can be compressed
+.Pf ( Fl xyz
+is the same as
+.Fl x y z ) ,
+and short
+options with arguments take these as either the rest of the
+argv-string or as the next option
+.Pf ( Fl o Ns Ar foo ,
+or
+.Fl o Ar foo ) .
+.Pp
+Long option names are prefixed with -- (double dash), and the value
+with a = (equal),
+.Fl -foo= Ns Ar bar .
+Long option flags can either be specified as they are 
+.Pf ( Fl -help ) ,
+or with an (boolean parsable) option
+.Pf ( Fl -help= Ns Ar yes ,
+.Fl -help= Ns Ar true ,
+or similar), or they can also be negated 
+.Pf ( Fl -no-help
+is the same as 
+.Fl -help= Ns no ) ,
+and if you're really confused you can do it multiple times
+.Pf ( Fl -no-no-help= Ns Ar false ,
+or even 
+.Fl -no-no-help= Ns Ar maybe ) .
+.Sh EXAMPLE
+.Bd -literal
+#include <stdio.h>
+#include <string.h>
+#include <getarg.h>
+
+char *source = "Ouagadougou";
+char *destination;
+int weight;
+int include_catalog = 1;
+int help_flag;
+
+struct getargs args[] = {
+    { "source",      's', arg_string,  &source, 
+      "source of shippment", "city" },
+    { "destination", 'd', arg_string,  &destination, 
+      "destination of shippment", "city" },
+    { "weight",      'w', arg_integer, &weight, 
+      "weight of shippment", "tons" },
+    { "catalog",     'c', arg_negative_flag, &include_catalog, 
+      "include product catalog" },
+    { "help",        'h', arg_flag, &help_flag }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]); /* number of elements in args */
+
+const char *progname = "ship++";
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    if (getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, progname, "stuff...");
+	exit (1);
+    }
+    if (help_flag) {
+	arg_printusage(args, num_args, progname, "stuff...");
+	exit (0);
+    }
+    if (destination == NULL) {
+	fprintf(stderr, "%s: must specify destination\en", progname);
+	exit(1);
+    }
+    if (strcmp(source, destination) == 0) {
+	fprintf(stderr, "%s: destination must be different from source\en");
+	exit(1);
+    }
+    /* include more stuff here ... */
+    exit(2);
+}
+.Ed
+.Pp
+The output help output from this program looks like this:
+.Bd -literal
+$ ship++ --help                                            
+Usage: ship++ [--source=city] [-s city] [--destination=city] [-d city]
+   [--weight=tons] [-w tons] [--no-catalog] [-c] [--help] [-h] stuff...
+-s city, --source=city      source of shippment
+-d city, --destination=city destination of shippment
+-w tons, --weight=tons      weight of shippment
+-c, --no-catalog            include product catalog
+.Ed
+.Sh BUGS
+It should be more flexible, so it would be possible to use other more
+complicated option syntaxes, such as what
+.Xr ps 1 ,
+and 
+.Xr tar 1 ,
+uses, or the AFS model where you can skip the flag names as long as
+the options come in the correct order.
+.Pp
+Options with multiple arguments should be handled better.
+.Pp
+Should be integreated with SL.
+.Pp
+It's very confusing that the struct you pass in is called getargS.
+.Sh SEE ALSO
+.Xr getopt 3
diff --git a/crypto/heimdal/lib/roken/getarg.c b/crypto/heimdal/lib/roken/getarg.c
new file mode 100644
index 0000000..dc2df50
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getarg.c
@@ -0,0 +1,581 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getarg.c,v 1.40 2001/04/25 12:06:10 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#include "getarg.h"
+
+#define ISFLAG(X) ((X).type == arg_flag || (X).type == arg_negative_flag)
+
+static size_t
+print_arg (char *string, size_t len, int mdoc, int longp, struct getargs *arg)
+{
+    const char *s;
+
+    *string = '\0';
+
+    if (ISFLAG(*arg) || (!longp && arg->type == arg_counter))
+	return 0;
+
+    if(mdoc){
+	if(longp)
+	    strlcat(string, "= Ns", len);
+	strlcat(string, " Ar ", len);
+    } else {
+	if (longp)
+	    strlcat (string, "=", len);
+	else
+	    strlcat (string, " ", len);
+    }
+
+    if (arg->arg_help)
+	s = arg->arg_help;
+    else if (arg->type == arg_integer || arg->type == arg_counter)
+	s = "integer";
+    else if (arg->type == arg_string)
+	s = "string";
+    else if (arg->type == arg_strings)
+	s = "strings";
+    else if (arg->type == arg_double)
+	s = "float";
+    else
+	s = "<undefined>";
+
+    strlcat(string, s, len);
+    return 1 + strlen(s);
+}
+
+static void
+mandoc_template(struct getargs *args,
+		size_t num_args,
+		const char *progname,
+		const char *extra_string)
+{
+    int i;
+    char timestr[64], cmd[64];
+    char buf[128];
+    const char *p;
+    time_t t;
+
+    printf(".\\\" Things to fix:\n");
+    printf(".\\\"   * correct section, and operating system\n");
+    printf(".\\\"   * remove Op from mandatory flags\n");
+    printf(".\\\"   * use better macros for arguments (like .Pa for files)\n");
+    printf(".\\\"\n");
+    t = time(NULL);
+    strftime(timestr, sizeof(timestr), "%B %e, %Y", localtime(&t));
+    printf(".Dd %s\n", timestr);
+    p = strrchr(progname, '/');
+    if(p) p++; else p = progname;
+    strlcpy(cmd, p, sizeof(cmd));
+    strupr(cmd);
+       
+    printf(".Dt %s SECTION\n", cmd);
+    printf(".Os OPERATING_SYSTEM\n");
+    printf(".Sh NAME\n");
+    printf(".Nm %s\n", p);
+    printf(".Nd\n");
+    printf("in search of a description\n");
+    printf(".Sh SYNOPSIS\n");
+    printf(".Nm\n");
+    for(i = 0; i < num_args; i++){
+	/* we seem to hit a limit on number of arguments if doing
+           short and long flags with arguments -- split on two lines */
+	if(ISFLAG(args[i]) || 
+	   args[i].short_name == 0 || args[i].long_name == NULL) {
+	    printf(".Op ");
+
+	    if(args[i].short_name) {
+		print_arg(buf, sizeof(buf), 1, 0, args + i);
+		printf("Fl %c%s", args[i].short_name, buf);
+		if(args[i].long_name)
+		    printf(" | ");
+	    }
+	    if(args[i].long_name) {
+		print_arg(buf, sizeof(buf), 1, 1, args + i);
+		printf("Fl -%s%s%s",
+		       args[i].type == arg_negative_flag ? "no-" : "",
+		       args[i].long_name, buf);
+	    }
+	    printf("\n");
+	} else {
+	    print_arg(buf, sizeof(buf), 1, 0, args + i);
+	    printf(".Oo Fl %c%s \\*(Ba Xo\n", args[i].short_name, buf);
+	    print_arg(buf, sizeof(buf), 1, 1, args + i);
+	    printf(".Fl -%s%s Oc\n.Xc\n", args[i].long_name, buf);
+	}
+    /*
+	    if(args[i].type == arg_strings)
+		fprintf (stderr, "...");
+		*/
+    }
+    if (extra_string && *extra_string)
+	printf (".Ar %s\n", extra_string);
+    printf(".Sh DESCRIPTION\n");
+    printf("Supported options:\n");
+    printf(".Bl -tag -width Ds\n");
+    for(i = 0; i < num_args; i++){
+	printf(".It Xo\n");
+	if(args[i].short_name){
+	    printf(".Fl %c", args[i].short_name);
+	    print_arg(buf, sizeof(buf), 1, 0, args + i);
+	    printf("%s", buf);
+	    if(args[i].long_name)
+		printf(" Ns ,");
+	    printf("\n");
+	}
+	if(args[i].long_name){
+	    printf(".Fl -%s%s",
+		   args[i].type == arg_negative_flag ? "no-" : "",
+		   args[i].long_name);
+	    print_arg(buf, sizeof(buf), 1, 1, args + i);
+	    printf("%s\n", buf);
+	}
+	printf(".Xc\n");
+	if(args[i].help)
+	    printf("%s\n", args[i].help);
+    /*
+	    if(args[i].type == arg_strings)
+		fprintf (stderr, "...");
+		*/
+    }
+    printf(".El\n");
+    printf(".\\\".Sh ENVIRONMENT\n");
+    printf(".\\\".Sh FILES\n");
+    printf(".\\\".Sh EXAMPLES\n");
+    printf(".\\\".Sh DIAGNOSTICS\n");
+    printf(".\\\".Sh SEE ALSO\n");
+    printf(".\\\".Sh STANDARDS\n");
+    printf(".\\\".Sh HISTORY\n");
+    printf(".\\\".Sh AUTHORS\n");
+    printf(".\\\".Sh BUGS\n");
+}
+
+static int
+check_column(FILE *f, int col, int len, int columns)
+{
+    if(col + len > columns) {
+	fprintf(f, "\n");
+	col = fprintf(f, "  ");
+    }
+    return col;
+}
+
+void
+arg_printusage (struct getargs *args,
+		size_t num_args,
+		const char *progname,
+		const char *extra_string)
+{
+    int i;
+    size_t max_len = 0;
+    char buf[128];
+    int col = 0, columns;
+    struct winsize ws;
+
+    if (progname == NULL)
+	progname = getprogname();
+
+    if(getenv("GETARGMANDOC")){
+	mandoc_template(args, num_args, progname, extra_string);
+	return;
+    }
+    if(get_window_size(2, &ws) == 0)
+	columns = ws.ws_col;
+    else
+	columns = 80;
+    col = 0;
+    col += fprintf (stderr, "Usage: %s", progname);
+    buf[0] = '\0';
+    for (i = 0; i < num_args; ++i) {
+	if(args[i].short_name && ISFLAG(args[i])) {
+	    char s[2];
+	    if(buf[0] == '\0')
+		strlcpy(buf, "[-", sizeof(buf));
+	    s[0] = args[i].short_name;
+	    s[1] = '\0';
+	    strlcat(buf, s, sizeof(buf));
+	}
+    }
+    if(buf[0] != '\0') {
+	strlcat(buf, "]", sizeof(buf));
+	col = check_column(stderr, col, strlen(buf) + 1, columns);
+	col += fprintf(stderr, " %s", buf);
+    }
+
+    for (i = 0; i < num_args; ++i) {
+	size_t len = 0;
+
+	if (args[i].long_name) {
+	    buf[0] = '\0';
+	    strlcat(buf, "[--", sizeof(buf));
+	    len += 2;
+	    if(args[i].type == arg_negative_flag) {
+		strlcat(buf, "no-", sizeof(buf));
+		len += 3;
+	    }
+	    strlcat(buf, args[i].long_name, sizeof(buf));
+	    len += strlen(args[i].long_name);
+	    len += print_arg(buf + strlen(buf), sizeof(buf) - strlen(buf), 
+			     0, 1, &args[i]);
+	    strlcat(buf, "]", sizeof(buf));
+	    if(args[i].type == arg_strings)
+		strlcat(buf, "...", sizeof(buf));
+	    col = check_column(stderr, col, strlen(buf) + 1, columns);
+	    col += fprintf(stderr, " %s", buf);
+	}
+	if (args[i].short_name && !ISFLAG(args[i])) {
+	    snprintf(buf, sizeof(buf), "[-%c", args[i].short_name);
+	    len += 2;
+	    len += print_arg(buf + strlen(buf), sizeof(buf) - strlen(buf), 
+			     0, 0, &args[i]);
+	    strlcat(buf, "]", sizeof(buf));
+	    if(args[i].type == arg_strings)
+		strlcat(buf, "...", sizeof(buf));
+	    col = check_column(stderr, col, strlen(buf) + 1, columns);
+	    col += fprintf(stderr, " %s", buf);
+	}
+	if (args[i].long_name && args[i].short_name)
+	    len += 2; /* ", " */
+	max_len = max(max_len, len);
+    }
+    if (extra_string) {
+	col = check_column(stderr, col, strlen(extra_string) + 1, columns);
+	fprintf (stderr, " %s\n", extra_string);
+    } else
+	fprintf (stderr, "\n");
+    for (i = 0; i < num_args; ++i) {
+	if (args[i].help) {
+	    size_t count = 0;
+
+	    if (args[i].short_name) {
+		count += fprintf (stderr, "-%c", args[i].short_name);
+		print_arg (buf, sizeof(buf), 0, 0, &args[i]);
+		count += fprintf(stderr, "%s", buf);
+	    }
+	    if (args[i].short_name && args[i].long_name)
+		count += fprintf (stderr, ", ");
+	    if (args[i].long_name) {
+		count += fprintf (stderr, "--");
+		if (args[i].type == arg_negative_flag)
+		    count += fprintf (stderr, "no-");
+		count += fprintf (stderr, "%s", args[i].long_name);
+		print_arg (buf, sizeof(buf), 0, 1, &args[i]);
+		count += fprintf(stderr, "%s", buf);
+	    }
+	    while(count++ <= max_len)
+		putc (' ', stderr);
+	    fprintf (stderr, "%s\n", args[i].help);
+	}
+    }
+}
+
+static void
+add_string(getarg_strings *s, char *value)
+{
+    s->strings = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings));
+    s->strings[s->num_strings] = value;
+    s->num_strings++;
+}
+
+static int
+arg_match_long(struct getargs *args, size_t num_args,
+	       char *argv, int argc, char **rargv, int *optind)
+{
+    int i;
+    char *optarg = NULL;
+    int negate = 0;
+    int partial_match = 0;
+    struct getargs *partial = NULL;
+    struct getargs *current = NULL;
+    int argv_len;
+    char *p;
+
+    argv_len = strlen(argv);
+    p = strchr (argv, '=');
+    if (p != NULL)
+	argv_len = p - argv;
+
+    for (i = 0; i < num_args; ++i) {
+	if(args[i].long_name) {
+	    int len = strlen(args[i].long_name);
+	    char *p = argv;
+	    int p_len = argv_len;
+	    negate = 0;
+
+	    for (;;) {
+		if (strncmp (args[i].long_name, p, p_len) == 0) {
+		    if(p_len == len)
+			current = &args[i];
+		    else {
+			++partial_match;
+			partial = &args[i];
+		    }
+		    optarg  = p + p_len;
+		} else if (ISFLAG(args[i]) && strncmp (p, "no-", 3) == 0) {
+		    negate = !negate;
+		    p += 3;
+		    p_len -= 3;
+		    continue;
+		}
+		break;
+	    }
+	    if (current)
+		break;
+	}
+    }
+    if (current == NULL) {
+	if (partial_match == 1)
+	    current = partial;
+	else
+	    return ARG_ERR_NO_MATCH;
+    }
+    
+    if(*optarg == '\0'
+       && !ISFLAG(*current)
+       && current->type != arg_collect
+       && current->type != arg_counter)
+	return ARG_ERR_NO_MATCH;
+    switch(current->type){
+    case arg_integer:
+    {
+	int tmp;
+	if(sscanf(optarg + 1, "%d", &tmp) != 1)
+	    return ARG_ERR_BAD_ARG;
+	*(int*)current->value = tmp;
+	return 0;
+    }
+    case arg_string:
+    {
+	*(char**)current->value = optarg + 1;
+	return 0;
+    }
+    case arg_strings:
+    {
+	add_string((getarg_strings*)current->value, optarg + 1);
+	return 0;
+    }
+    case arg_flag:
+    case arg_negative_flag:
+    {
+	int *flag = current->value;
+	if(*optarg == '\0' ||
+	   strcmp(optarg + 1, "yes") == 0 || 
+	   strcmp(optarg + 1, "true") == 0){
+	    *flag = !negate;
+	    return 0;
+	} else if (*optarg && strcmp(optarg + 1, "maybe") == 0) {
+	    *flag = rand() & 1;
+	} else {
+	    *flag = negate;
+	    return 0;
+	}
+	return ARG_ERR_BAD_ARG;
+    }
+    case arg_counter :
+    {
+	int val;
+
+	if (*optarg == '\0')
+	    val = 1;
+	else {
+	    char *endstr;
+
+	    val = strtol (optarg, &endstr, 0);
+	    if (endstr == optarg)
+		return ARG_ERR_BAD_ARG;
+	}
+	*(int *)current->value += val;
+	return 0;
+    }
+    case arg_double:
+    {
+	double tmp;
+	if(sscanf(optarg + 1, "%lf", &tmp) != 1)
+	    return ARG_ERR_BAD_ARG;
+	*(double*)current->value = tmp;
+	return 0;
+    }
+    case arg_collect:{
+	struct getarg_collect_info *c = current->value;
+	int o = argv - rargv[*optind];
+	return (*c->func)(FALSE, argc, rargv, optind, &o, c->data);
+    }
+
+    default:
+	abort ();
+    }
+}
+
+static int
+arg_match_short (struct getargs *args, size_t num_args,
+		 char *argv, int argc, char **rargv, int *optind)
+{
+    int j, k;
+
+    for(j = 1; j > 0 && j < strlen(rargv[*optind]); j++) {
+	for(k = 0; k < num_args; k++) {
+	    char *optarg;
+
+	    if(args[k].short_name == 0)
+		continue;
+	    if(argv[j] == args[k].short_name) {
+		if(args[k].type == arg_flag) {
+		    *(int*)args[k].value = 1;
+		    break;
+		}
+		if(args[k].type == arg_negative_flag) {
+		    *(int*)args[k].value = 0;
+		    break;
+		} 
+		if(args[k].type == arg_counter) {
+		    ++*(int *)args[k].value;
+		    break;
+		}
+		if(args[k].type == arg_collect) {
+		    struct getarg_collect_info *c = args[k].value;
+
+		    if((*c->func)(TRUE, argc, rargv, optind, &j, c->data))
+			return ARG_ERR_BAD_ARG;
+		    break;
+		}
+
+		if(argv[j + 1])
+		    optarg = &argv[j + 1];
+		else {
+		    ++*optind;
+		    optarg = rargv[*optind];
+		}
+		if(optarg == NULL) {
+		    --*optind;
+		    return ARG_ERR_NO_ARG;
+		}
+		if(args[k].type == arg_integer) {
+		    int tmp;
+		    if(sscanf(optarg, "%d", &tmp) != 1)
+			return ARG_ERR_BAD_ARG;
+		    *(int*)args[k].value = tmp;
+		    return 0;
+		} else if(args[k].type == arg_string) {
+		    *(char**)args[k].value = optarg;
+		    return 0;
+		} else if(args[k].type == arg_strings) {
+		    add_string((getarg_strings*)args[k].value, optarg);
+		    return 0;
+		} else if(args[k].type == arg_double) {
+		    double tmp;
+		    if(sscanf(optarg, "%lf", &tmp) != 1)
+			return ARG_ERR_BAD_ARG;
+		    *(double*)args[k].value = tmp;
+		    return 0;
+		}
+		return ARG_ERR_BAD_ARG;
+	    }
+	}
+	if (k == num_args)
+	    return ARG_ERR_NO_MATCH;
+    }
+    return 0;
+}
+
+int
+getarg(struct getargs *args, size_t num_args, 
+       int argc, char **argv, int *optind)
+{
+    int i;
+    int ret = 0;
+
+    srand (time(NULL));
+    (*optind)++;
+    for(i = *optind; i < argc; i++) {
+	if(argv[i][0] != '-')
+	    break;
+	if(argv[i][1] == '-'){
+	    if(argv[i][2] == 0){
+		i++;
+		break;
+	    }
+	    ret = arg_match_long (args, num_args, argv[i] + 2, 
+				  argc, argv, &i);
+	} else {
+	    ret = arg_match_short (args, num_args, argv[i],
+				   argc, argv, &i);
+	}
+	if(ret)
+	    break;
+    }
+    *optind = i;
+    return ret;
+}
+
+void
+free_getarg_strings (getarg_strings *s)
+{
+    free (s->strings);
+}
+
+#if TEST
+int foo_flag = 2;
+int flag1 = 0;
+int flag2 = 0;
+int bar_int;
+char *baz_string;
+
+struct getargs args[] = {
+    { NULL, '1', arg_flag, &flag1, "one", NULL },
+    { NULL, '2', arg_flag, &flag2, "two", NULL },
+    { "foo", 'f', arg_negative_flag, &foo_flag, "foo", NULL },
+    { "bar", 'b', arg_integer, &bar_int, "bar", "seconds"},
+    { "baz", 'x', arg_string, &baz_string, "baz", "name" },
+};
+
+int main(int argc, char **argv)
+{
+    int optind = 0;
+    while(getarg(args, 5, argc, argv, &optind))
+	printf("Bad arg: %s\n", argv[optind]);
+    printf("flag1 = %d\n", flag1);  
+    printf("flag2 = %d\n", flag2);  
+    printf("foo_flag = %d\n", foo_flag);  
+    printf("bar_int = %d\n", bar_int);
+    printf("baz_flag = %s\n", baz_string);
+    arg_printusage (args, 5, argv[0], "nothing here");
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/getarg.h b/crypto/heimdal/lib/roken/getarg.h
new file mode 100644
index 0000000..3892eb4
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getarg.h
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: getarg.h,v 1.11 2001/04/25 12:06:37 assar Exp $ */
+
+#ifndef __GETARG_H__
+#define __GETARG_H__
+
+#include <stddef.h>
+
+struct getargs{
+    const char *long_name;
+    char short_name;
+    enum { arg_integer, 
+	   arg_string, 
+	   arg_flag, 
+	   arg_negative_flag, 
+	   arg_strings,
+	   arg_double,
+	   arg_collect,
+	   arg_counter
+    } type;
+    void *value;
+    const char *help;
+    const char *arg_help;
+};
+
+enum {
+    ARG_ERR_NO_MATCH  = 1,
+    ARG_ERR_BAD_ARG,
+    ARG_ERR_NO_ARG
+};
+
+typedef struct getarg_strings {
+    int num_strings;
+    char **strings;
+} getarg_strings;
+
+typedef int (*getarg_collect_func)(int short_opt,
+				   int argc,
+				   char **argv,
+				   int *optind,
+				   int *optarg,
+				   void *data);
+
+typedef struct getarg_collect_info {
+    getarg_collect_func func;
+    void *data;
+} getarg_collect_info;
+
+int getarg(struct getargs *args, size_t num_args, 
+	   int argc, char **argv, int *optind);
+
+void arg_printusage (struct getargs *args,
+		     size_t num_args,
+		     const char *progname,
+		     const char *extra_string);
+
+void free_getarg_strings (getarg_strings *);
+
+#endif /* __GETARG_H__ */
diff --git a/crypto/heimdal/lib/roken/getcap.c b/crypto/heimdal/lib/roken/getcap.c
new file mode 100644
index 0000000..997fabf
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getcap.c
@@ -0,0 +1,1118 @@
+/*	$NetBSD: getcap.c,v 1.29 1999/03/29 09:27:29 abs Exp $	*/
+
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Casey Leedom of Lawrence Livermore National Laboratory.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+RCSID("$Id: getcap.c,v 1.7 1999/11/17 21:11:58 assar Exp $");
+
+#include <sys/types.h>
+#include <ctype.h>
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+#include <errno.h>	
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define	BFRAG		1024
+#if 0
+#define	BSIZE		1024
+#endif
+#define	ESC		('[' & 037)	/* ASCII ESC */
+#define	MAX_RECURSION	32		/* maximum getent recursion */
+#define	SFRAG		100		/* cgetstr mallocs in SFRAG chunks */
+
+#define RECOK	(char)0
+#define TCERR	(char)1
+#define	SHADOW	(char)2
+
+static size_t	 topreclen;	/* toprec length */
+static char	*toprec;	/* Additional record specified by cgetset() */
+static int	 gottoprec;	/* Flag indicating retrieval of toprecord */
+
+#if defined(HAVE_DBOPEN) && defined(HAVE_DB_H)
+#define USE_DB
+#endif
+
+#ifdef USE_DB
+static int	cdbget (DB *, char **, const char *);
+#endif
+static int 	getent (char **, size_t *, char **, int, const char *, int, char *);
+static int	nfcmp (char *, char *);
+
+
+int cgetset(const char *ent);
+char *cgetcap(char *buf, const char *cap, int type);
+int cgetent(char **buf, char **db_array, const char *name);
+int cgetmatch(const char *buf, const char *name);
+int cgetclose(void);
+#if 0
+int cgetfirst(char **buf, char **db_array);
+int cgetnext(char **bp, char **db_array);
+#endif
+int cgetstr(char *buf, const char *cap, char **str);
+int cgetustr(char *buf, const char *cap, char **str);
+int cgetnum(char *buf, const char *cap, long *num);
+/*
+ * Cgetset() allows the addition of a user specified buffer to be added
+ * to the database array, in effect "pushing" the buffer on top of the
+ * virtual database. 0 is returned on success, -1 on failure.
+ */
+int
+cgetset(const char *ent)
+{
+    const char *source, *check;
+    char *dest;
+
+    if (ent == NULL) {
+	if (toprec)
+	    free(toprec);
+	toprec = NULL;
+	topreclen = 0;
+	return (0);
+    }
+    topreclen = strlen(ent);
+    if ((toprec = malloc (topreclen + 1)) == NULL) {
+	errno = ENOMEM;
+	return (-1);
+    }
+    gottoprec = 0;
+
+    source=ent;
+    dest=toprec;
+    while (*source) { /* Strip whitespace */
+	*dest++ = *source++; /* Do not check first field */
+	while (*source == ':') {
+	    check=source+1;
+	    while (*check && (isspace((unsigned char)*check) ||
+			      (*check=='\\' && isspace((unsigned char)check[1]))))
+		++check;
+	    if( *check == ':' )
+		source=check;
+	    else
+		break;
+
+	}
+    }
+    *dest=0;
+
+    return (0);
+}
+
+/*
+ * Cgetcap searches the capability record buf for the capability cap with
+ * type `type'.  A pointer to the value of cap is returned on success, NULL
+ * if the requested capability couldn't be found.
+ *
+ * Specifying a type of ':' means that nothing should follow cap (:cap:).
+ * In this case a pointer to the terminating ':' or NUL will be returned if
+ * cap is found.
+ *
+ * If (cap, '@') or (cap, terminator, '@') is found before (cap, terminator)
+ * return NULL.
+ */
+char *
+cgetcap(char *buf, const char *cap, int type)
+{
+    char *bp;
+    const char *cp;
+
+    bp = buf;
+    for (;;) {
+	/*
+	 * Skip past the current capability field - it's either the
+	 * name field if this is the first time through the loop, or
+	 * the remainder of a field whose name failed to match cap.
+	 */
+	for (;;)
+	    if (*bp == '\0')
+		return (NULL);
+	    else
+		if (*bp++ == ':')
+		    break;
+
+	/*
+	 * Try to match (cap, type) in buf.
+	 */
+	for (cp = cap; *cp == *bp && *bp != '\0'; cp++, bp++)
+	    continue;
+	if (*cp != '\0')
+	    continue;
+	if (*bp == '@')
+	    return (NULL);
+	if (type == ':') {
+	    if (*bp != '\0' && *bp != ':')
+		continue;
+	    return(bp);
+	}
+	if (*bp != type)
+	    continue;
+	bp++;
+	return (*bp == '@' ? NULL : bp);
+    }
+    /* NOTREACHED */
+}
+
+/*
+ * Cgetent extracts the capability record name from the NULL terminated file
+ * array db_array and returns a pointer to a malloc'd copy of it in buf.
+ * Buf must be retained through all subsequent calls to cgetcap, cgetnum,
+ * cgetflag, and cgetstr, but may then be free'd.  0 is returned on success,
+ * -1 if the requested record couldn't be found, -2 if a system error was
+ * encountered (couldn't open/read a file, etc.), and -3 if a potential
+ * reference loop is detected.
+ */
+int
+cgetent(char **buf, char **db_array, const char *name)
+{
+    size_t dummy;
+
+    return (getent(buf, &dummy, db_array, -1, name, 0, NULL));
+}
+
+/*
+ * Getent implements the functions of cgetent.  If fd is non-negative,
+ * *db_array has already been opened and fd is the open file descriptor.  We
+ * do this to save time and avoid using up file descriptors for tc=
+ * recursions.
+ *
+ * Getent returns the same success/failure codes as cgetent.  On success, a
+ * pointer to a malloc'ed capability record with all tc= capabilities fully
+ * expanded and its length (not including trailing ASCII NUL) are left in
+ * *cap and *len.
+ *
+ * Basic algorithm:
+ *	+ Allocate memory incrementally as needed in chunks of size BFRAG
+ *	  for capability buffer.
+ *	+ Recurse for each tc=name and interpolate result.  Stop when all
+ *	  names interpolated, a name can't be found, or depth exceeds
+ *	  MAX_RECURSION.
+ */
+static int
+getent(char **cap, size_t *len, char **db_array, int fd, 
+       const char *name, int depth, char *nfield)
+{
+    char *r_end, *rp = NULL, **db_p;	/* pacify gcc */
+    int myfd = 0, eof, foundit;
+    char *record;
+    int tc_not_resolved;
+	
+    /*
+     * Return with ``loop detected'' error if we've recursed more than
+     * MAX_RECURSION times.
+     */
+    if (depth > MAX_RECURSION)
+	return (-3);
+
+    /*
+     * Check if we have a top record from cgetset().
+     */
+    if (depth == 0 && toprec != NULL && cgetmatch(toprec, name) == 0) {
+	if ((record = malloc (topreclen + BFRAG)) == NULL) {
+	    errno = ENOMEM;
+	    return (-2);
+	}
+	(void)strcpy(record, toprec);	/* XXX: strcpy is safe */
+	db_p = db_array;
+	rp = record + topreclen + 1;
+	r_end = rp + BFRAG;
+	goto tc_exp;
+    }
+    /*
+     * Allocate first chunk of memory.
+     */
+    if ((record = malloc(BFRAG)) == NULL) {
+	errno = ENOMEM;
+	return (-2);
+    }
+    r_end = record + BFRAG;
+    foundit = 0;
+    /*
+     * Loop through database array until finding the record.
+     */
+
+    for (db_p = db_array; *db_p != NULL; db_p++) {
+	eof = 0;
+
+	/*
+	 * Open database if not already open.
+	 */
+
+	if (fd >= 0) {
+	    (void)lseek(fd, (off_t)0, SEEK_SET);
+	} else {
+#ifdef USE_DB
+	    char pbuf[_POSIX_PATH_MAX];
+	    char *cbuf;
+	    size_t clen;
+	    int retval;
+	    DB *capdbp;
+
+	    (void)snprintf(pbuf, sizeof(pbuf), "%s.db", *db_p);
+	    if ((capdbp = dbopen(pbuf, O_RDONLY, 0, DB_HASH, 0))
+		!= NULL) {
+		free(record);
+		retval = cdbget(capdbp, &record, name);
+		if (retval < 0) {
+		    /* no record available */
+		    (void)capdbp->close(capdbp);
+		    return (retval);
+		}
+				/* save the data; close frees it */
+		clen = strlen(record);
+		cbuf = malloc(clen + 1);
+		memmove(cbuf, record, clen + 1);
+		if (capdbp->close(capdbp) < 0) {
+		    free(cbuf);
+		    return (-2);
+		}
+		*len = clen;
+		*cap = cbuf;
+		return (retval);
+	    } else
+#endif
+	    {
+		fd = open(*db_p, O_RDONLY, 0);
+		if (fd < 0) {
+		    /* No error on unfound file. */
+		    continue;
+		}
+		myfd = 1;
+	    }
+	}
+	/*
+	 * Find the requested capability record ...
+	 */
+	{
+	    char buf[BUFSIZ];
+	    char *b_end, *bp, *cp;
+	    int c, slash;
+
+	    /*
+	     * Loop invariants:
+	     *	There is always room for one more character in record.
+	     *	R_end always points just past end of record.
+	     *	Rp always points just past last character in record.
+	     *	B_end always points just past last character in buf.
+	     *	Bp always points at next character in buf.
+	     *	Cp remembers where the last colon was.
+	     */
+	    b_end = buf;
+	    bp = buf;
+	    cp = 0;
+	    slash = 0;
+	    for (;;) {
+
+		/*
+		 * Read in a line implementing (\, newline)
+		 * line continuation.
+		 */
+		rp = record;
+		for (;;) {
+		    if (bp >= b_end) {
+			int n;
+		
+			n = read(fd, buf, sizeof(buf));
+			if (n <= 0) {
+			    if (myfd)
+				(void)close(fd);
+			    if (n < 0) {
+				free(record);
+				return (-2);
+			    } else {
+				fd = -1;
+				eof = 1;
+				break;
+			    }
+			}
+			b_end = buf+n;
+			bp = buf;
+		    }
+	
+		    c = *bp++;
+		    if (c == '\n') {
+			if (slash) {
+			    slash = 0;
+			    rp--;
+			    continue;
+			} else
+			    break;
+		    }
+		    if (slash) {
+			slash = 0;
+			cp = 0;
+		    }
+		    if (c == ':') {
+			/*
+			 * If the field was `empty' (i.e.
+			 * contained only white space), back up
+			 * to the colon (eliminating the
+			 * field).
+			 */
+			if (cp)
+			    rp = cp;
+			else
+			    cp = rp;
+		    } else if (c == '\\') {
+			slash = 1;
+		    } else if (c != ' ' && c != '\t') {
+			/*
+			 * Forget where the colon was, as this
+			 * is not an empty field.
+			 */
+			cp = 0;
+		    }
+		    *rp++ = c;
+
+				/*
+				 * Enforce loop invariant: if no room 
+				 * left in record buffer, try to get
+				 * some more.
+				 */
+		    if (rp >= r_end) {
+			u_int pos;
+			size_t newsize;
+
+			pos = rp - record;
+			newsize = r_end - record + BFRAG;
+			record = realloc(record, newsize);
+			if (record == NULL) {
+			    errno = ENOMEM;
+			    if (myfd)
+				(void)close(fd);
+			    return (-2);
+			}
+			r_end = record + newsize;
+			rp = record + pos;
+		    }
+		}
+		/* Eliminate any white space after the last colon. */
+		if (cp)
+		    rp = cp + 1;
+		/* Loop invariant lets us do this. */
+		*rp++ = '\0';
+
+		/*
+		 * If encountered eof check next file.
+		 */
+		if (eof)
+		    break;
+				
+		/*
+		 * Toss blank lines and comments.
+		 */
+		if (*record == '\0' || *record == '#')
+		    continue;
+	
+		/*
+		 * See if this is the record we want ...
+		 */
+		if (cgetmatch(record, name) == 0) {
+		    if (nfield == NULL || !nfcmp(nfield, record)) {
+			foundit = 1;
+			break;	/* found it! */
+		    }
+		}
+	    }
+	}
+	if (foundit)
+	    break;
+    }
+
+    if (!foundit)
+	return (-1);
+
+    /*
+     * Got the capability record, but now we have to expand all tc=name
+     * references in it ...
+     */
+ tc_exp:	{
+	char *newicap, *s;
+	size_t ilen, newilen;
+	int diff, iret, tclen;
+	char *icap, *scan, *tc, *tcstart, *tcend;
+
+	/*
+	 * Loop invariants:
+	 *	There is room for one more character in record.
+	 *	R_end points just past end of record.
+	 *	Rp points just past last character in record.
+	 *	Scan points at remainder of record that needs to be
+	 *	scanned for tc=name constructs.
+	 */
+	scan = record;
+	tc_not_resolved = 0;
+	for (;;) {
+	    if ((tc = cgetcap(scan, "tc", '=')) == NULL)
+		break;
+
+	    /*
+	     * Find end of tc=name and stomp on the trailing `:'
+	     * (if present) so we can use it to call ourselves.
+	     */
+	    s = tc;
+	    for (;;)
+		if (*s == '\0')
+		    break;
+		else
+		    if (*s++ == ':') {
+			*(s - 1) = '\0';
+			break;
+		    }
+	    tcstart = tc - 3;
+	    tclen = s - tcstart;
+	    tcend = s;
+
+	    iret = getent(&icap, &ilen, db_p, fd, tc, depth+1, 
+			  NULL);
+	    newicap = icap;		/* Put into a register. */
+	    newilen = ilen;
+	    if (iret != 0) {
+				/* an error */
+		if (iret < -1) {
+		    if (myfd)
+			(void)close(fd);
+		    free(record);
+		    return (iret);
+		}
+		if (iret == 1)
+		    tc_not_resolved = 1;
+				/* couldn't resolve tc */
+		if (iret == -1) {
+		    *(s - 1) = ':';			
+		    scan = s - 1;
+		    tc_not_resolved = 1;
+		    continue;
+					
+		}
+	    }
+	    /* not interested in name field of tc'ed record */
+	    s = newicap;
+	    for (;;)
+		if (*s == '\0')
+		    break;
+		else
+		    if (*s++ == ':')
+			break;
+	    newilen -= s - newicap;
+	    newicap = s;
+
+	    /* make sure interpolated record is `:'-terminated */
+	    s += newilen;
+	    if (*(s-1) != ':') {
+		*s = ':';	/* overwrite NUL with : */
+		newilen++;
+	    }
+
+	    /*
+	     * Make sure there's enough room to insert the
+	     * new record.
+	     */
+	    diff = newilen - tclen;
+	    if (diff >= r_end - rp) {
+		u_int pos, tcpos, tcposend;
+		size_t newsize;
+
+		pos = rp - record;
+		newsize = r_end - record + diff + BFRAG;
+		tcpos = tcstart - record;
+		tcposend = tcend - record;
+		record = realloc(record, newsize);
+		if (record == NULL) {
+		    errno = ENOMEM;
+		    if (myfd)
+			(void)close(fd);
+		    free(icap);
+		    return (-2);
+		}
+		r_end = record + newsize;
+		rp = record + pos;
+		tcstart = record + tcpos;
+		tcend = record + tcposend;
+	    }
+
+	    /*
+	     * Insert tc'ed record into our record.
+	     */
+	    s = tcstart + newilen;
+	    memmove(s, tcend,  (size_t)(rp - tcend));
+	    memmove(tcstart, newicap, newilen);
+	    rp += diff;
+	    free(icap);
+
+	    /*
+	     * Start scan on `:' so next cgetcap works properly
+	     * (cgetcap always skips first field).
+	     */
+	    scan = s-1;
+	}
+	
+    }
+    /*
+     * Close file (if we opened it), give back any extra memory, and
+     * return capability, length and success.
+     */
+    if (myfd)
+	(void)close(fd);
+    *len = rp - record - 1;	/* don't count NUL */
+    if (r_end > rp)
+	if ((record = 
+	     realloc(record, (size_t)(rp - record))) == NULL) {
+	    errno = ENOMEM;
+	    return (-2);
+	}
+		
+    *cap = record;
+    if (tc_not_resolved)
+	return (1);
+    return (0);
+}	
+
+#ifdef USE_DB
+static int
+cdbget(DB *capdbp, char **bp, const char *name)
+{
+	DBT key;
+	DBT data;
+
+	/* LINTED key is not modified */
+	key.data = (char *)name;
+	key.size = strlen(name);
+
+	for (;;) {
+		/* Get the reference. */
+		switch(capdbp->get(capdbp, &key, &data, 0)) {
+		case -1:
+			return (-2);
+		case 1:
+			return (-1);
+		}
+
+		/* If not an index to another record, leave. */
+		if (((char *)data.data)[0] != SHADOW)
+			break;
+
+		key.data = (char *)data.data + 1;
+		key.size = data.size - 1;
+	}
+	
+	*bp = (char *)data.data + 1;
+	return (((char *)(data.data))[0] == TCERR ? 1 : 0);
+}
+#endif /* USE_DB */
+
+/*
+ * Cgetmatch will return 0 if name is one of the names of the capability
+ * record buf, -1 if not.
+ */
+int
+cgetmatch(const char *buf, const char *name)
+{
+    const char *np, *bp;
+
+    /*
+     * Start search at beginning of record.
+     */
+    bp = buf;
+    for (;;) {
+	/*
+	 * Try to match a record name.
+	 */
+	np = name;
+	for (;;)
+	    if (*np == '\0') {
+		if (*bp == '|' || *bp == ':' || *bp == '\0')
+		    return (0);
+		else
+		    break;
+	    } else
+		if (*bp++ != *np++)
+		    break;
+
+	/*
+	 * Match failed, skip to next name in record.
+	 */
+	bp--;	/* a '|' or ':' may have stopped the match */
+	for (;;)
+	    if (*bp == '\0' || *bp == ':')
+		return (-1);	/* match failed totally */
+	    else
+		if (*bp++ == '|')
+		    break;	/* found next name */
+    }
+}
+
+#if 0
+int
+cgetfirst(char **buf, char **db_array)
+{
+    (void)cgetclose();
+    return (cgetnext(buf, db_array));
+}
+#endif
+
+static FILE *pfp;
+static int slash;
+static char **dbp;
+
+int
+cgetclose(void)
+{
+    if (pfp != NULL) {
+	(void)fclose(pfp);
+	pfp = NULL;
+    }
+    dbp = NULL;
+    gottoprec = 0;
+    slash = 0;
+    return(0);
+}
+
+#if 0
+/*
+ * Cgetnext() gets either the first or next entry in the logical database 
+ * specified by db_array.  It returns 0 upon completion of the database, 1
+ * upon returning an entry with more remaining, and -1 if an error occurs.
+ */
+int
+cgetnext(char **bp, char **db_array)
+{
+    size_t len;
+    int status, done;
+    char *cp, *line, *rp, *np, buf[BSIZE], nbuf[BSIZE];
+    size_t dummy;
+
+    if (dbp == NULL)
+	dbp = db_array;
+
+    if (pfp == NULL && (pfp = fopen(*dbp, "r")) == NULL) {
+	(void)cgetclose();
+	return (-1);
+    }
+    for(;;) {
+	if (toprec && !gottoprec) {
+	    gottoprec = 1;
+	    line = toprec;
+	} else {
+	    line = fgetln(pfp, &len);
+	    if (line == NULL && pfp) {
+		if (ferror(pfp)) {
+		    (void)cgetclose();
+		    return (-1);
+		} else {
+		    (void)fclose(pfp);
+		    pfp = NULL;
+		    if (*++dbp == NULL) {
+			(void)cgetclose();
+			return (0);
+		    } else if ((pfp =
+				fopen(*dbp, "r")) == NULL) {
+			(void)cgetclose();
+			return (-1);
+		    } else
+			continue;
+		}
+	    } else
+		line[len - 1] = '\0';
+	    if (len == 1) {
+		slash = 0;
+		continue;
+	    }
+	    if (isspace((unsigned char)*line) ||
+		*line == ':' || *line == '#' || slash) {
+		if (line[len - 2] == '\\')
+		    slash = 1;
+		else
+		    slash = 0;
+		continue;
+	    }
+	    if (line[len - 2] == '\\')
+		slash = 1;
+	    else
+		slash = 0;
+	}			
+
+
+	/* 
+	 * Line points to a name line.
+	 */
+	done = 0;
+	np = nbuf;
+	for (;;) {
+	    for (cp = line; *cp != '\0'; cp++) {
+		if (*cp == ':') {
+		    *np++ = ':';
+		    done = 1;
+		    break;
+		}
+		if (*cp == '\\')
+		    break;
+		*np++ = *cp;
+	    }
+	    if (done) {
+		*np = '\0';
+		break;
+	    } else { /* name field extends beyond the line */
+		line = fgetln(pfp, &len);
+		if (line == NULL && pfp) {
+		    if (ferror(pfp)) {
+			(void)cgetclose();
+			return (-1);
+		    }
+		    (void)fclose(pfp);
+		    pfp = NULL;
+		    *np = '\0';
+		    break;
+		} else
+		    line[len - 1] = '\0';
+	    }
+	}
+	rp = buf;
+	for(cp = nbuf; *cp != '\0'; cp++)
+	    if (*cp == '|' || *cp == ':')
+		break;
+	    else
+		*rp++ = *cp;
+
+	*rp = '\0';
+	/* 
+	 * XXX 
+	 * Last argument of getent here should be nbuf if we want true
+	 * sequential access in the case of duplicates.  
+	 * With NULL, getent will return the first entry found
+	 * rather than the duplicate entry record.  This is a 
+	 * matter of semantics that should be resolved.
+	 */
+	status = getent(bp, &dummy, db_array, -1, buf, 0, NULL);
+	if (status == -2 || status == -3)
+	    (void)cgetclose();
+
+	return (status + 1);
+    }
+    /* NOTREACHED */
+}
+#endif
+
+/*
+ * Cgetstr retrieves the value of the string capability cap from the
+ * capability record pointed to by buf.  A pointer to a decoded, NUL
+ * terminated, malloc'd copy of the string is returned in the char *
+ * pointed to by str.  The length of the string not including the trailing
+ * NUL is returned on success, -1 if the requested string capability
+ * couldn't be found, -2 if a system error was encountered (storage
+ * allocation failure).
+ */
+int
+cgetstr(char *buf, const char *cap, char **str)
+{
+    u_int m_room;
+    const char *bp;
+    char *mp;
+    int len;
+    char *mem;
+
+    /*
+     * Find string capability cap
+     */
+    bp = cgetcap(buf, cap, '=');
+    if (bp == NULL)
+	return (-1);
+
+    /*
+     * Conversion / storage allocation loop ...  Allocate memory in
+     * chunks SFRAG in size.
+     */
+    if ((mem = malloc(SFRAG)) == NULL) {
+	errno = ENOMEM;
+	return (-2);	/* couldn't even allocate the first fragment */
+    }
+    m_room = SFRAG;
+    mp = mem;
+
+    while (*bp != ':' && *bp != '\0') {
+	/*
+	 * Loop invariants:
+	 *	There is always room for one more character in mem.
+	 *	Mp always points just past last character in mem.
+	 *	Bp always points at next character in buf.
+	 */
+	if (*bp == '^') {
+	    bp++;
+	    if (*bp == ':' || *bp == '\0')
+		break;	/* drop unfinished escape */
+	    *mp++ = *bp++ & 037;
+	} else if (*bp == '\\') {
+	    bp++;
+	    if (*bp == ':' || *bp == '\0')
+		break;	/* drop unfinished escape */
+	    if ('0' <= *bp && *bp <= '7') {
+		int n, i;
+
+		n = 0;
+		i = 3;	/* maximum of three octal digits */
+		do {
+		    n = n * 8 + (*bp++ - '0');
+		} while (--i && '0' <= *bp && *bp <= '7');
+		*mp++ = n;
+	    }
+	    else switch (*bp++) {
+	    case 'b': case 'B':
+		*mp++ = '\b';
+		break;
+	    case 't': case 'T':
+		*mp++ = '\t';
+		break;
+	    case 'n': case 'N':
+		*mp++ = '\n';
+		break;
+	    case 'f': case 'F':
+		*mp++ = '\f';
+		break;
+	    case 'r': case 'R':
+		*mp++ = '\r';
+		break;
+	    case 'e': case 'E':
+		*mp++ = ESC;
+		break;
+	    case 'c': case 'C':
+		*mp++ = ':';
+		break;
+	    default:
+		/*
+		 * Catches '\', '^', and
+		 *  everything else.
+		 */
+		*mp++ = *(bp-1);
+		break;
+	    }
+	} else
+	    *mp++ = *bp++;
+	m_room--;
+
+	/*
+	 * Enforce loop invariant: if no room left in current
+	 * buffer, try to get some more.
+	 */
+	if (m_room == 0) {
+	    size_t size = mp - mem;
+
+	    if ((mem = realloc(mem, size + SFRAG)) == NULL)
+		return (-2);
+	    m_room = SFRAG;
+	    mp = mem + size;
+	}
+    }
+    *mp++ = '\0';	/* loop invariant let's us do this */
+    m_room--;
+    len = mp - mem - 1;
+
+    /*
+     * Give back any extra memory and return value and success.
+     */
+    if (m_room != 0)
+	if ((mem = realloc(mem, (size_t)(mp - mem))) == NULL)
+	    return (-2);
+    *str = mem;
+    return (len);
+}
+
+/*
+ * Cgetustr retrieves the value of the string capability cap from the
+ * capability record pointed to by buf.  The difference between cgetustr()
+ * and cgetstr() is that cgetustr does not decode escapes but rather treats
+ * all characters literally.  A pointer to a  NUL terminated malloc'd 
+ * copy of the string is returned in the char pointed to by str.  The 
+ * length of the string not including the trailing NUL is returned on success,
+ * -1 if the requested string capability couldn't be found, -2 if a system 
+ * error was encountered (storage allocation failure).
+ */
+int
+cgetustr(char *buf, const char *cap, char **str)
+{
+    u_int m_room;
+    const char *bp;
+    char *mp;
+    int len;
+    char *mem;
+
+    /*
+     * Find string capability cap
+     */
+    if ((bp = cgetcap(buf, cap, '=')) == NULL)
+	return (-1);
+
+    /*
+     * Conversion / storage allocation loop ...  Allocate memory in
+     * chunks SFRAG in size.
+     */
+    if ((mem = malloc(SFRAG)) == NULL) {
+	errno = ENOMEM;
+	return (-2);	/* couldn't even allocate the first fragment */
+    }
+    m_room = SFRAG;
+    mp = mem;
+
+    while (*bp != ':' && *bp != '\0') {
+	/*
+	 * Loop invariants:
+	 *	There is always room for one more character in mem.
+	 *	Mp always points just past last character in mem.
+	 *	Bp always points at next character in buf.
+	 */
+	*mp++ = *bp++;
+	m_room--;
+
+	/*
+	 * Enforce loop invariant: if no room left in current
+	 * buffer, try to get some more.
+	 */
+	if (m_room == 0) {
+	    size_t size = mp - mem;
+
+	    if ((mem = realloc(mem, size + SFRAG)) == NULL)
+		return (-2);
+	    m_room = SFRAG;
+	    mp = mem + size;
+	}
+    }
+    *mp++ = '\0';	/* loop invariant let's us do this */
+    m_room--;
+    len = mp - mem - 1;
+
+    /*
+     * Give back any extra memory and return value and success.
+     */
+    if (m_room != 0)
+	if ((mem = realloc(mem, (size_t)(mp - mem))) == NULL)
+	    return (-2);
+    *str = mem;
+    return (len);
+}
+
+/*
+ * Cgetnum retrieves the value of the numeric capability cap from the
+ * capability record pointed to by buf.  The numeric value is returned in
+ * the long pointed to by num.  0 is returned on success, -1 if the requested
+ * numeric capability couldn't be found.
+ */
+int
+cgetnum(char *buf, const char *cap, long *num)
+{
+    long n;
+    int base, digit;
+    const char *bp;
+
+    /*
+     * Find numeric capability cap
+     */
+    bp = cgetcap(buf, cap, '#');
+    if (bp == NULL)
+	return (-1);
+
+    /*
+     * Look at value and determine numeric base:
+     *	0x... or 0X...	hexadecimal,
+     * else	0...		octal,
+     * else			decimal.
+     */
+    if (*bp == '0') {
+	bp++;
+	if (*bp == 'x' || *bp == 'X') {
+	    bp++;
+	    base = 16;
+	} else
+	    base = 8;
+    } else
+	base = 10;
+
+    /*
+     * Conversion loop ...
+     */
+    n = 0;
+    for (;;) {
+	if ('0' <= *bp && *bp <= '9')
+	    digit = *bp - '0';
+	else if ('a' <= *bp && *bp <= 'f')
+	    digit = 10 + *bp - 'a';
+	else if ('A' <= *bp && *bp <= 'F')
+	    digit = 10 + *bp - 'A';
+	else
+	    break;
+
+	if (digit >= base)
+	    break;
+
+	n = n * base + digit;
+	bp++;
+    }
+
+    /*
+     * Return value and success.
+     */
+    *num = n;
+    return (0);
+}
+
+
+/*
+ * Compare name field of record.
+ */
+static int
+nfcmp(char *nf, char *rec)
+{
+    char *cp, tmp;
+    int ret;
+	
+    for (cp = rec; *cp != ':'; cp++)
+	;
+	
+    tmp = *(cp + 1);
+    *(cp + 1) = '\0';
+    ret = strcmp(nf, rec);
+    *(cp + 1) = tmp;
+
+    return (ret);
+}
diff --git a/crypto/heimdal/lib/roken/getcwd.c b/crypto/heimdal/lib/roken/getcwd.c
new file mode 100644
index 0000000..c1f2610
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getcwd.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getcwd.c,v 1.12 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#include "roken.h"
+
+char*
+getcwd(char *path, size_t size)
+{
+    char xxx[MaxPathLen];
+    char *ret;
+    ret = getwd(xxx);
+    if(ret)
+	strlcpy(path, xxx, size);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/getdtablesize.c b/crypto/heimdal/lib/roken/getdtablesize.c
new file mode 100644
index 0000000..9f9c74b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getdtablesize.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getdtablesize.c,v 1.10 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+
+#ifdef HAVE_SYS_SYSCTL_H
+#include <sys/sysctl.h>
+#endif
+
+int getdtablesize(void)
+{
+  int files = -1;
+#if defined(HAVE_SYSCONF) && defined(_SC_OPEN_MAX)
+  files = sysconf(_SC_OPEN_MAX);
+#else /* !defined(HAVE_SYSCONF) */
+#if defined(HAVE_GETRLIMIT) && defined(RLIMIT_NOFILE)
+  struct rlimit res;
+  if (getrlimit(RLIMIT_NOFILE, &res) == 0)
+    files = res.rlim_cur;
+#else /* !definded(HAVE_GETRLIMIT) */
+#if defined(HAVE_SYSCTL) && defined(CTL_KERN) && defined(KERN_MAXFILES)
+  int mib[2];
+  size_t len;
+    
+  mib[0] = CTL_KERN;
+  mib[1] = KERN_MAXFILES;
+  len = sizeof(files);
+  sysctl(&mib, 2, &files, sizeof(nfil), NULL, 0);
+#endif /* defined(HAVE_SYSCTL) */
+#endif /* !definded(HAVE_GETRLIMIT) */
+#endif /* !defined(HAVE_SYSCONF) */
+
+#ifdef OPEN_MAX
+  if (files < 0)
+    files = OPEN_MAX;
+#endif
+
+#ifdef NOFILE
+  if (files < 0)
+    files = NOFILE;
+#endif    
+    
+  return files;
+}
diff --git a/crypto/heimdal/lib/roken/getegid.c b/crypto/heimdal/lib/roken/getegid.c
new file mode 100644
index 0000000..b6eab85
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getegid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETEGID
+
+RCSID("$Id: getegid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+
+int getegid(void)
+{
+    return getgid();
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/geteuid.c b/crypto/heimdal/lib/roken/geteuid.c
new file mode 100644
index 0000000..4bdf531
--- /dev/null
+++ b/crypto/heimdal/lib/roken/geteuid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETEUID
+
+RCSID("$Id: geteuid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+
+int geteuid(void)
+{
+    return getuid();
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/getgid.c b/crypto/heimdal/lib/roken/getgid.c
new file mode 100644
index 0000000..f2ca01a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getgid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETGID
+
+RCSID("$Id: getgid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+
+int getgid(void)
+{
+    return 17;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/gethostname.c b/crypto/heimdal/lib/roken/gethostname.c
new file mode 100644
index 0000000..753ba9f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/gethostname.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETHOSTNAME
+
+#ifdef HAVE_SYS_UTSNAME_H
+#include <sys/utsname.h>
+#endif
+
+/*
+ * Return the local host's name in "name", up to "namelen" characters.
+ * "name" will be null-terminated if "namelen" is big enough.
+ * The return code is 0 on success, -1 on failure.  (The calling
+ * interface is identical to gethostname(2).)
+ */
+
+int
+gethostname(char *name, int namelen)
+{
+#if defined(HAVE_UNAME)
+    {
+	struct utsname utsname;
+	int ret;
+
+	ret = uname (&utsname);
+	if (ret < 0)
+	    return ret;
+	strlcpy (name, utsname.nodename, namelen);
+	return 0;
+    }
+#else
+    strlcpy (name, "some.random.host", namelen);
+    return 0;
+#endif
+}
+
+#endif /* GETHOSTNAME */
diff --git a/crypto/heimdal/lib/roken/getifaddrs.c b/crypto/heimdal/lib/roken/getifaddrs.c
new file mode 100644
index 0000000..04935ed
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getifaddrs.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getifaddrs.c,v 1.5 2001/04/17 08:27:47 joda Exp $");
+#endif
+#include "roken.h"
+
+#ifdef __osf__
+/* hate */
+struct rtentry;
+struct mbuf;
+#endif
+#ifdef HAVE_NET_IF_H
+#include <net/if.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif /* HAVE_SYS_SOCKIO_H */
+
+#ifdef HAVE_NETINET_IN6_VAR_H
+#include <netinet/in6_var.h>
+#endif /* HAVE_NETINET_IN6_VAR_H */
+
+#include <ifaddrs.h>
+
+static int
+getifaddrs2(struct ifaddrs **ifap, 
+	    int af, int siocgifconf, int siocgifflags,
+	    size_t ifreq_sz)
+{
+    int ret;
+    int fd;
+    size_t buf_size;
+    char *buf;
+    struct ifconf ifconf;
+    int num, j = 0;
+    char *p;
+    size_t sz;
+    struct sockaddr sa_zero;
+    struct ifreq *ifr;
+
+    struct ifaddrs *start,  **end = &start;
+
+    buf = NULL;
+
+    memset (&sa_zero, 0, sizeof(sa_zero));
+    fd = socket(af, SOCK_DGRAM, 0);
+    if (fd < 0)
+	return -1;
+
+    buf_size = 8192;
+    for (;;) {
+	buf = calloc(1, buf_size);
+	if (buf == NULL) {
+	    ret = ENOMEM;
+	    goto error_out;
+	}
+	ifconf.ifc_len = buf_size;
+	ifconf.ifc_buf = buf;
+
+	/*
+	 * Solaris returns EINVAL when the buffer is too small.
+	 */
+	if (ioctl (fd, siocgifconf, &ifconf) < 0 && errno != EINVAL) {
+	    ret = errno;
+	    goto error_out;
+	}
+	/*
+	 * Can the difference between a full and a overfull buf
+	 * be determined?
+	 */
+
+	if (ifconf.ifc_len < buf_size)
+	    break;
+	free (buf);
+	buf_size *= 2;
+    }
+
+    num = ifconf.ifc_len / ifreq_sz;
+    j = 0;
+    for (p = ifconf.ifc_buf;
+	 p < ifconf.ifc_buf + ifconf.ifc_len;
+	 p += sz) {
+	struct ifreq ifreq;
+	struct sockaddr *sa;
+	size_t salen;
+
+	ifr = (struct ifreq *)p;
+	sa  = &ifr->ifr_addr;
+
+	sz = ifreq_sz;
+	salen = sizeof(struct sockaddr);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	salen = sa->sa_len;
+	sz = max(sz, sizeof(ifr->ifr_name) + sa->sa_len);
+#endif
+#ifdef SA_LEN
+	salen = SA_LEN(sa);
+	sz = max(sz, sizeof(ifr->ifr_name) + SA_LEN(sa));
+#endif
+	memset (&ifreq, 0, sizeof(ifreq));
+	memcpy (ifreq.ifr_name, ifr->ifr_name, sizeof(ifr->ifr_name));
+
+	if (ioctl(fd, siocgifflags, &ifreq) < 0) {
+	    ret = errno;
+	    goto error_out;
+	}
+
+	*end = malloc(sizeof(**end));
+
+	(*end)->ifa_next = NULL;
+	(*end)->ifa_name = strdup(ifr->ifr_name);
+	(*end)->ifa_flags = ifreq.ifr_flags;
+	(*end)->ifa_addr = malloc(salen);
+	memcpy((*end)->ifa_addr, sa, salen);
+	(*end)->ifa_netmask = NULL;
+
+#if 0
+	/* fix these when we actually need them */
+	if(ifreq.ifr_flags & IFF_BROADCAST) {
+	    (*end)->ifa_broadaddr = malloc(sizeof(ifr->ifr_broadaddr));
+	    memcpy((*end)->ifa_broadaddr, &ifr->ifr_broadaddr, 
+		   sizeof(ifr->ifr_broadaddr));
+	} else if(ifreq.ifr_flags & IFF_POINTOPOINT) {
+	    (*end)->ifa_dstaddr = malloc(sizeof(ifr->ifr_dstaddr));
+	    memcpy((*end)->ifa_dstaddr, &ifr->ifr_dstaddr, 
+		   sizeof(ifr->ifr_dstaddr));
+	} else
+	    (*end)->ifa_dstaddr = NULL;
+#else
+	    (*end)->ifa_dstaddr = NULL;
+#endif
+
+	(*end)->ifa_data = NULL;
+
+	end = &(*end)->ifa_next;
+	
+    }
+    *ifap = start;
+    close(fd);
+    free(buf);
+    return 0;
+  error_out:
+    close(fd);
+    free(buf);
+    errno = ret;
+    return -1;
+}
+
+int
+getifaddrs(struct ifaddrs **ifap) 
+{
+    int ret = -1;
+    errno = ENXIO;
+#if defined(AF_INET6) && defined(SIOCGIF6CONF) && defined(SIOCGIF6FLAGS)
+    if (ret)
+	ret = getifaddrs2 (ifap, AF_INET6, SIOCGIF6CONF, SIOCGIF6FLAGS,
+			   sizeof(struct in6_ifreq));
+#endif
+#if defined(HAVE_IPV6) && defined(SIOCGIFCONF)
+    if (ret)
+	ret = getifaddrs2 (ifap, AF_INET6, SIOCGIFCONF, SIOCGIFFLAGS,
+			   sizeof(struct ifreq));
+#endif
+#if defined(AF_INET) && defined(SIOCGIFCONF) && defined(SIOCGIFFLAGS)
+    if (ret)
+	ret = getifaddrs2 (ifap, AF_INET, SIOCGIFCONF, SIOCGIFFLAGS,
+			   sizeof(struct ifreq));
+#endif
+    return ret;
+}
+
+void
+freeifaddrs(struct ifaddrs *ifp)
+{
+    struct ifaddrs *p, *q;
+    
+    for(p = ifp; p; ) {
+	free(p->ifa_name);
+	if(p->ifa_addr)
+	    free(p->ifa_addr);
+	if(p->ifa_dstaddr) 
+	    free(p->ifa_dstaddr);
+	if(p->ifa_netmask) 
+	    free(p->ifa_netmask);
+	if(p->ifa_data)
+	    free(p->ifa_data);
+	q = p;
+	p = p->ifa_next;
+	free(q);
+    }
+}
+
+#ifdef TEST
+
+void
+print_addr(const char *s, struct sockaddr *sa)
+{
+    int i;
+    printf("  %s=%d/", s, sa->sa_family);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+    for(i = 0; i < sa->sa_len - ((long)sa->sa_data - (long)&sa->sa_family); i++)
+	printf("%02x", ((unsigned char*)sa->sa_data)[i]);
+#else
+    for(i = 0; i < sizeof(sa->sa_data); i++) 
+	printf("%02x", ((unsigned char*)sa->sa_data)[i]);
+#endif
+    printf("\n");
+}
+
+void 
+print_ifaddrs(struct ifaddrs *x)
+{
+    struct ifaddrs *p;
+    
+    for(p = x; p; p = p->ifa_next) {
+	printf("%s\n", p->ifa_name);
+	printf("  flags=%x\n", p->ifa_flags);
+	if(p->ifa_addr)
+	    print_addr("addr", p->ifa_addr);
+	if(p->ifa_dstaddr) 
+	    print_addr("dstaddr", p->ifa_dstaddr);
+	if(p->ifa_netmask) 
+	    print_addr("netmask", p->ifa_netmask);
+	printf("  %p\n", p->ifa_data);
+    }
+}
+
+int
+main()
+{
+    struct ifaddrs *a = NULL, *b;
+    getifaddrs2(&a, AF_INET, SIOCGIFCONF, SIOCGIFFLAGS, sizeof(struct ifreq));
+    print_ifaddrs(a);
+    printf("---\n");
+    getifaddrs(&b);
+    print_ifaddrs(b);
+    return 0;
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/getipnodebyaddr.c b/crypto/heimdal/lib/roken/getipnodebyaddr.c
new file mode 100644
index 0000000..f22aad7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getipnodebyaddr.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getipnodebyaddr.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * lookup `src, len' (address family `af') in DNS and return a pointer
+ * to a malloced struct hostent or NULL.
+ */
+
+struct hostent *
+getipnodebyaddr (const void *src, size_t len, int af, int *error_num)
+{
+    struct hostent *tmp;
+
+    tmp = gethostbyaddr (src, len, af);
+    if (tmp == NULL) {
+	switch (h_errno) {
+	case HOST_NOT_FOUND :
+	case TRY_AGAIN :
+	case NO_RECOVERY :
+	    *error_num = h_errno;
+	    break;
+	case NO_DATA :
+	    *error_num = NO_ADDRESS;
+	    break;
+	default :
+	    *error_num = NO_RECOVERY;
+	    break;
+	}
+	return NULL;
+    }
+    tmp = copyhostent (tmp);
+    if (tmp == NULL) {
+	*error_num = TRY_AGAIN;
+	return NULL;
+    }
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/getipnodebyname.c b/crypto/heimdal/lib/roken/getipnodebyname.c
new file mode 100644
index 0000000..576feef
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getipnodebyname.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getipnodebyname.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+#ifndef HAVE_H_ERRNO
+static int h_errno = NO_RECOVERY;
+#endif
+
+/*
+ * lookup `name' (address family `af') in DNS and return a pointer
+ * to a malloced struct hostent or NULL.
+ */
+
+struct hostent *
+getipnodebyname (const char *name, int af, int flags, int *error_num)
+{
+    struct hostent *tmp;
+
+#ifdef HAVE_GETHOSTBYNAME2
+    tmp = gethostbyname2 (name, af);
+#else
+    if (af != AF_INET) {
+	*error_num = NO_ADDRESS;
+	return NULL;
+    }
+    tmp = gethostbyname (name);
+#endif
+    if (tmp == NULL) {
+	switch (h_errno) {
+	case HOST_NOT_FOUND :
+	case TRY_AGAIN :
+	case NO_RECOVERY :
+	    *error_num = h_errno;
+	    break;
+	case NO_DATA :
+	    *error_num = NO_ADDRESS;
+	    break;
+	default :
+	    *error_num = NO_RECOVERY;
+	    break;
+	}
+	return NULL;
+    }
+    tmp = copyhostent (tmp);
+    if (tmp == NULL) {
+	*error_num = TRY_AGAIN;
+	return NULL;
+    }
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/getnameinfo.c b/crypto/heimdal/lib/roken/getnameinfo.c
new file mode 100644
index 0000000..0f0cbd1
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getnameinfo.c
@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getnameinfo.c,v 1.3 2001/02/09 14:45:30 assar Exp $");
+#endif
+
+#include "roken.h"
+
+static int
+doit (int af,
+      const void *addr,
+      size_t addrlen,
+      int port,
+      char *host, size_t hostlen,
+      char *serv, size_t servlen,
+      int flags)
+{
+    if (host != NULL) {
+	if (flags & NI_NUMERICHOST) {
+	    if (inet_ntop (af, addr, host, hostlen) == NULL)
+		return EAI_SYSTEM;
+	} else {
+	    struct hostent *he = gethostbyaddr (addr,
+						addrlen,
+						af);
+	    if (he != NULL) {
+		strlcpy (host, he->h_name, hostlen);
+		if (flags & NI_NOFQDN) {
+		    char *dot = strchr (host, '.');
+		    if (dot != NULL)
+			*dot = '\0';
+		}
+	    } else if (flags & NI_NAMEREQD) {
+		return EAI_NONAME;
+	    } else if (inet_ntop (af, addr, host, hostlen) == NULL)
+		return EAI_SYSTEM;
+	}
+    }
+
+    if (serv != NULL) {
+	if (flags & NI_NUMERICSERV) {
+	    snprintf (serv, servlen, "%u", ntohs(port));
+	} else {
+	    const char *proto = "tcp";
+	    struct servent *se;
+
+	    if (flags & NI_DGRAM)
+		proto = "udp";
+
+	    se = getservbyport (port, proto);
+	    if (se == NULL) {
+		snprintf (serv, servlen, "%u", ntohs(port));
+	    } else {
+		strlcpy (serv, se->s_name, servlen);
+	    }
+	}
+    }
+    return 0;
+}
+
+/*
+ *
+ */
+
+int
+getnameinfo(const struct sockaddr *sa, socklen_t salen,
+	    char *host, size_t hostlen,
+	    char *serv, size_t servlen,
+	    int flags)
+{
+    switch (sa->sa_family) {
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+
+	return doit (AF_INET6, &sin6->sin6_addr, sizeof(sin6->sin6_addr),
+		     sin6->sin6_port,
+		     host, hostlen,
+		     serv, servlen,
+		     flags);
+    }
+#endif
+    case AF_INET : {
+	const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+
+	return doit (AF_INET, &sin->sin_addr, sizeof(sin->sin_addr),
+		     sin->sin_port,
+		     host, hostlen,
+		     serv, servlen,
+		     flags);
+    }
+    default :
+	return EAI_FAMILY;
+    }
+}
diff --git a/crypto/heimdal/lib/roken/getnameinfo_verified.c b/crypto/heimdal/lib/roken/getnameinfo_verified.c
new file mode 100644
index 0000000..de3c8bf
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getnameinfo_verified.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getnameinfo_verified.c,v 1.5 2001/02/12 13:55:07 assar Exp $");
+#endif
+
+#include "roken.h"
+
+int
+getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,
+		     char *host, size_t hostlen,
+		     char *serv, size_t servlen,
+		     int flags)
+{
+    int ret;
+    struct addrinfo *ai, *a;
+    char servbuf[NI_MAXSERV];
+    struct addrinfo hints;
+
+    if (host == NULL)
+	return EAI_NONAME;
+
+    if (serv == NULL) {
+	serv = servbuf;
+	servlen = sizeof(servbuf);
+    }
+
+    ret = getnameinfo (sa, salen, host, hostlen, serv, servlen,
+		       flags | NI_NUMERICSERV);
+    if (ret)
+	return ret;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    ret = getaddrinfo (host, serv, &hints, &ai);
+    if (ret)
+	return ret;
+    for (a = ai; a != NULL; a = a->ai_next) {
+	if (a->ai_addrlen == salen
+	    && memcmp (a->ai_addr, sa, salen) == 0) {
+	    freeaddrinfo (ai);
+	    return 0;
+	}
+    }
+    freeaddrinfo (ai);
+    if (flags & NI_NAMEREQD)
+	return EAI_NONAME;
+    ret = getnameinfo (sa, salen, host, hostlen, serv, servlen,
+		       flags | NI_NUMERICSERV | NI_NUMERICHOST);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/getopt.c b/crypto/heimdal/lib/roken/getopt.c
new file mode 100644
index 0000000..45fc350
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getopt.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 1987, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)getopt.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#ifndef __STDC__
+#define const
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/*
+ * get option letter from argument vector
+ */
+int	opterr = 1,		/* if error message should be printed */
+	optind = 1,		/* index into parent argv vector */
+	optopt,			/* character checked for validity */
+	optreset;		/* reset getopt */
+char	*optarg;		/* argument associated with option */
+
+#define	BADCH	(int)'?'
+#define	BADARG	(int)':'
+#define	EMSG	""
+
+int
+getopt(nargc, nargv, ostr)
+	int nargc;
+	char * const *nargv;
+	const char *ostr;
+{
+	static char *place = EMSG;		/* option letter processing */
+	char *oli;			/* option letter list index */
+	char *p;
+
+	if (optreset || !*place) {		/* update scanning pointer */
+		optreset = 0;
+		if (optind >= nargc || *(place = nargv[optind]) != '-') {
+			place = EMSG;
+			return(-1);
+		}
+		if (place[1] && *++place == '-') {	/* found "--" */
+			++optind;
+			place = EMSG;
+			return(-1);
+		}
+	}					/* option letter okay? */
+	if ((optopt = (int)*place++) == (int)':' ||
+	    !(oli = strchr(ostr, optopt))) {
+		/*
+		 * if the user didn't specify '-' as an option,
+		 * assume it means -1 (EOF).
+		 */
+		if (optopt == (int)'-')
+			return(-1);
+		if (!*place)
+			++optind;
+		if (opterr && *ostr != ':') {
+			if (!(p = strrchr(*nargv, '/')))
+				p = *nargv;
+			else
+				++p;
+			fprintf(stderr, "%s: illegal option -- %c\n",
+			    p, optopt);
+		}
+		return(BADCH);
+	}
+	if (*++oli != ':') {			/* don't need argument */
+		optarg = NULL;
+		if (!*place)
+			++optind;
+	}
+	else {					/* need an argument */
+		if (*place)			/* no white space */
+			optarg = place;
+		else if (nargc <= ++optind) {	/* no arg */
+			place = EMSG;
+			if (!(p = strrchr(*nargv, '/')))
+				p = *nargv;
+			else
+				++p;
+			if (*ostr == ':')
+				return(BADARG);
+			if (opterr)
+				fprintf(stderr,
+				    "%s: option requires an argument -- %c\n",
+				    p, optopt);
+			return(BADCH);
+		}
+	 	else				/* white space */
+			optarg = nargv[optind];
+		place = EMSG;
+		++optind;
+	}
+	return(optopt);				/* dump back option letter */
+}
diff --git a/crypto/heimdal/lib/roken/gettimeofday.c b/crypto/heimdal/lib/roken/gettimeofday.c
new file mode 100644
index 0000000..ec8b62f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/gettimeofday.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+#ifndef HAVE_GETTIMEOFDAY
+
+RCSID("$Id: gettimeofday.c,v 1.8 1999/12/02 16:58:46 joda Exp $");
+
+/*
+ * Simple gettimeofday that only returns seconds.
+ */
+int
+gettimeofday (struct timeval *tp, void *ignore)
+{
+     time_t t;
+
+     t = time(NULL);
+     tp->tv_sec  = t;
+     tp->tv_usec = 0;
+     return 0;
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/getuid.c b/crypto/heimdal/lib/roken/getuid.c
new file mode 100644
index 0000000..6ebce0a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getuid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETUID
+
+RCSID("$Id: getuid.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+
+int getuid(void)
+{
+    return 17;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/getusershell.c b/crypto/heimdal/lib/roken/getusershell.c
new file mode 100644
index 0000000..eb990f3
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getusershell.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 1985, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: getusershell.c,v 1.10 2000/05/22 09:11:59 joda Exp $");
+
+#ifndef HAVE_GETUSERSHELL
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_USERSEC_H
+struct aud_rec;
+#include <usersec.h>
+#endif
+#ifdef HAVE_USERCONF_H
+#include <userconf.h>
+#endif
+
+#ifndef _PATH_SHELLS
+#define _PATH_SHELLS "/etc/shells"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
+#ifndef _PATH_CSHELL
+#define _PATH_CSHELL "/bin/csh"
+#endif
+
+/*
+ * Local shells should NOT be added here.  They should be added in
+ * /etc/shells.
+ */
+
+static char *okshells[] = { _PATH_BSHELL, _PATH_CSHELL, NULL };
+static char **curshell, **shells, *strings;
+static char **initshells (void);
+
+/*
+ * Get a list of shells from _PATH_SHELLS, if it exists.
+ */
+char *
+getusershell()
+{
+    char *ret;
+
+    if (curshell == NULL)
+	curshell = initshells();
+    ret = *curshell;
+    if (ret != NULL)
+	curshell++;
+    return (ret);
+}
+
+void
+endusershell()
+{
+    if (shells != NULL)
+	free(shells);
+    shells = NULL;
+    if (strings != NULL)
+	free(strings);
+    strings = NULL;
+    curshell = NULL;
+}
+
+void
+setusershell()
+{
+    curshell = initshells();
+}
+
+static char **
+initshells()
+{
+    char **sp, *cp;
+#ifdef HAVE_GETCONFATTR
+    char *tmp;
+    int nsh;
+#else
+    FILE *fp;
+#endif
+    struct stat statb;
+
+    free(shells);
+    shells = NULL;
+    free(strings);
+    strings = NULL;
+#ifdef HAVE_GETCONFATTR
+    if(getconfattr(SC_SYS_LOGIN, SC_SHELLS, &tmp, SEC_LIST) != 0)
+	return okshells;
+
+    for(cp = tmp, nsh = 0; *cp; cp += strlen(cp) + 1, nsh++);
+
+    shells = calloc(nsh + 1, sizeof(*shells));
+    if(shells == NULL)
+	return okshells;
+
+    strings = malloc(cp - tmp);
+    if(strings == NULL) {
+	free(shells);
+	shells = NULL;
+	return okshells;
+    }
+    memcpy(strings, tmp, cp - tmp);
+    for(sp = shells, cp = strings; *cp; cp += strlen(cp) + 1, sp++)
+	*sp = cp;
+#else
+    if ((fp = fopen(_PATH_SHELLS, "r")) == NULL)
+	return (okshells);
+    if (fstat(fileno(fp), &statb) == -1) {
+	fclose(fp);
+	return (okshells);
+    }
+    if ((strings = malloc((u_int)statb.st_size)) == NULL) {
+	fclose(fp);
+	return (okshells);
+    }
+    shells = calloc((unsigned)statb.st_size / 3, sizeof (char *));
+    if (shells == NULL) {
+	fclose(fp);
+	free(strings);
+	strings = NULL;
+	return (okshells);
+    }
+    sp = shells;
+    cp = strings;
+    while (fgets(cp, MaxPathLen + 1, fp) != NULL) {
+	while (*cp != '#' && *cp != '/' && *cp != '\0')
+	    cp++;
+	if (*cp == '#' || *cp == '\0')
+	    continue;
+	*sp++ = cp;
+	while (!isspace(*cp) && *cp != '#' && *cp != '\0')
+	    cp++;
+	*cp++ = '\0';
+    }
+    fclose(fp);
+#endif
+    *sp = NULL;
+    return (shells);
+}
+#endif /* HAVE_GETUSERSHELL */
diff --git a/crypto/heimdal/lib/roken/glob.c b/crypto/heimdal/lib/roken/glob.c
new file mode 100644
index 0000000..e4bc0dc
--- /dev/null
+++ b/crypto/heimdal/lib/roken/glob.c
@@ -0,0 +1,850 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * glob(3) -- a superset of the one defined in POSIX 1003.2.
+ *
+ * The [!...] convention to negate a range is supported (SysV, Posix, ksh).
+ *
+ * Optional extra services, controlled by flags not defined by POSIX:
+ *
+ * GLOB_QUOTE:
+ *	Escaping convention: \ inhibits any special meaning the following
+ *	character might have (except \ at end of string is retained).
+ * GLOB_MAGCHAR:
+ *	Set in gl_flags if pattern contained a globbing character.
+ * GLOB_NOMAGIC:
+ *	Same as GLOB_NOCHECK, but it will only append pattern if it did
+ *	not contain any magic characters.  [Used in csh style globbing]
+ * GLOB_ALTDIRFUNC:
+ *	Use alternately specified directory access functions.
+ * GLOB_TILDE:
+ *	expand ~user/foo to the /home/dir/of/user/foo
+ * GLOB_BRACE:
+ *	expand {1,2}{a,b} to 1a 1b 2a 2b 
+ * gl_matchc:
+ *	Number of matches in the current invocation of glob.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+#include <ctype.h>
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+#include <errno.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+
+#include "glob.h"
+#include "roken.h"
+
+#define	CHAR_DOLLAR		'$'
+#define	CHAR_DOT		'.'
+#define	CHAR_EOS		'\0'
+#define	CHAR_LBRACKET		'['
+#define	CHAR_NOT		'!'
+#define	CHAR_QUESTION		'?'
+#define	CHAR_QUOTE		'\\'
+#define	CHAR_RANGE		'-'
+#define	CHAR_RBRACKET		']'
+#define	CHAR_SEP		'/'
+#define	CHAR_STAR		'*'
+#define	CHAR_TILDE		'~'
+#define	CHAR_UNDERSCORE		'_'
+#define	CHAR_LBRACE		'{'
+#define	CHAR_RBRACE		'}'
+#define	CHAR_SLASH		'/'
+#define	CHAR_COMMA		','
+
+#ifndef DEBUG
+
+#define	M_QUOTE		0x8000
+#define	M_PROTECT	0x4000
+#define	M_MASK		0xffff
+#define	M_ASCII		0x00ff
+
+typedef u_short Char;
+
+#else
+
+#define	M_QUOTE		0x80
+#define	M_PROTECT	0x40
+#define	M_MASK		0xff
+#define	M_ASCII		0x7f
+
+typedef char Char;
+
+#endif
+
+
+#define	CHAR(c)		((Char)((c)&M_ASCII))
+#define	META(c)		((Char)((c)|M_QUOTE))
+#define	M_ALL		META('*')
+#define	M_END		META(']')
+#define	M_NOT		META('!')
+#define	M_ONE		META('?')
+#define	M_RNG		META('-')
+#define	M_SET		META('[')
+#define	ismeta(c)	(((c)&M_QUOTE) != 0)
+
+
+static int	 compare (const void *, const void *);
+static void	 g_Ctoc (const Char *, char *);
+static int	 g_lstat (Char *, struct stat *, glob_t *);
+static DIR	*g_opendir (Char *, glob_t *);
+static Char	*g_strchr (const Char *, int);
+#ifdef notdef
+static Char	*g_strcat (Char *, const Char *);
+#endif
+static int	 g_stat (Char *, struct stat *, glob_t *);
+static int	 glob0 (const Char *, glob_t *);
+static int	 glob1 (Char *, glob_t *, size_t *);
+static int	 glob2 (Char *, Char *, Char *, glob_t *, size_t *);
+static int	 glob3 (Char *, Char *, Char *, Char *, glob_t *, size_t *);
+static int	 globextend (const Char *, glob_t *, size_t *);
+static const Char *	 globtilde (const Char *, Char *, glob_t *);
+static int	 globexp1 (const Char *, glob_t *);
+static int	 globexp2 (const Char *, const Char *, glob_t *, int *);
+static int	 match (Char *, Char *, Char *);
+#ifdef DEBUG
+static void	 qprintf (const char *, Char *);
+#endif
+
+int
+glob(const char *pattern, 
+     int flags, 
+     int (*errfunc)(const char *, int), 
+     glob_t *pglob)
+{
+	const u_char *patnext;
+	int c;
+	Char *bufnext, *bufend, patbuf[MaxPathLen+1];
+
+	patnext = (const u_char *) pattern;
+	if (!(flags & GLOB_APPEND)) {
+		pglob->gl_pathc = 0;
+		pglob->gl_pathv = NULL;
+		if (!(flags & GLOB_DOOFFS))
+			pglob->gl_offs = 0;
+	}
+	pglob->gl_flags = flags & ~GLOB_MAGCHAR;
+	pglob->gl_errfunc = errfunc;
+	pglob->gl_matchc = 0;
+
+	bufnext = patbuf;
+	bufend = bufnext + MaxPathLen;
+	if (flags & GLOB_QUOTE) {
+		/* Protect the quoted characters. */
+		while (bufnext < bufend && (c = *patnext++) != CHAR_EOS) 
+			if (c == CHAR_QUOTE) {
+				if ((c = *patnext++) == CHAR_EOS) {
+					c = CHAR_QUOTE;
+					--patnext;
+				}
+				*bufnext++ = c | M_PROTECT;
+			}
+			else
+				*bufnext++ = c;
+	}
+	else 
+	    while (bufnext < bufend && (c = *patnext++) != CHAR_EOS) 
+		    *bufnext++ = c;
+	*bufnext = CHAR_EOS;
+
+	if (flags & GLOB_BRACE)
+	    return globexp1(patbuf, pglob);
+	else
+	    return glob0(patbuf, pglob);
+}
+
+/*
+ * Expand recursively a glob {} pattern. When there is no more expansion
+ * invoke the standard globbing routine to glob the rest of the magic
+ * characters
+ */
+static int globexp1(const Char *pattern, glob_t *pglob)
+{
+	const Char* ptr = pattern;
+	int rv;
+
+	/* Protect a single {}, for find(1), like csh */
+	if (pattern[0] == CHAR_LBRACE && pattern[1] == CHAR_RBRACE && pattern[2] == CHAR_EOS)
+		return glob0(pattern, pglob);
+
+	while ((ptr = (const Char *) g_strchr(ptr, CHAR_LBRACE)) != NULL)
+		if (!globexp2(ptr, pattern, pglob, &rv))
+			return rv;
+
+	return glob0(pattern, pglob);
+}
+
+
+/*
+ * Recursive brace globbing helper. Tries to expand a single brace.
+ * If it succeeds then it invokes globexp1 with the new pattern.
+ * If it fails then it tries to glob the rest of the pattern and returns.
+ */
+static int globexp2(const Char *ptr, const Char *pattern, 
+		    glob_t *pglob, int *rv)
+{
+	int     i;
+	Char   *lm, *ls;
+	const Char *pe, *pm, *pl;
+	Char    patbuf[MaxPathLen + 1];
+
+	/* copy part up to the brace */
+	for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++)
+		continue;
+	ls = lm;
+
+	/* Find the balanced brace */
+	for (i = 0, pe = ++ptr; *pe; pe++)
+		if (*pe == CHAR_LBRACKET) {
+			/* Ignore everything between [] */
+			for (pm = pe++; *pe != CHAR_RBRACKET && *pe != CHAR_EOS; pe++)
+				continue;
+			if (*pe == CHAR_EOS) {
+				/* 
+				 * We could not find a matching CHAR_RBRACKET.
+				 * Ignore and just look for CHAR_RBRACE
+				 */
+				pe = pm;
+			}
+		}
+		else if (*pe == CHAR_LBRACE)
+			i++;
+		else if (*pe == CHAR_RBRACE) {
+			if (i == 0)
+				break;
+			i--;
+		}
+
+	/* Non matching braces; just glob the pattern */
+	if (i != 0 || *pe == CHAR_EOS) {
+		*rv = glob0(patbuf, pglob);
+		return 0;
+	}
+
+	for (i = 0, pl = pm = ptr; pm <= pe; pm++)
+		switch (*pm) {
+		case CHAR_LBRACKET:
+			/* Ignore everything between [] */
+			for (pl = pm++; *pm != CHAR_RBRACKET && *pm != CHAR_EOS; pm++)
+				continue;
+			if (*pm == CHAR_EOS) {
+				/* 
+				 * We could not find a matching CHAR_RBRACKET.
+				 * Ignore and just look for CHAR_RBRACE
+				 */
+				pm = pl;
+			}
+			break;
+
+		case CHAR_LBRACE:
+			i++;
+			break;
+
+		case CHAR_RBRACE:
+			if (i) {
+			    i--;
+			    break;
+			}
+			/* FALLTHROUGH */
+		case CHAR_COMMA:
+			if (i && *pm == CHAR_COMMA)
+				break;
+			else {
+				/* Append the current string */
+				for (lm = ls; (pl < pm); *lm++ = *pl++)
+					continue;
+				/* 
+				 * Append the rest of the pattern after the
+				 * closing brace
+				 */
+				for (pl = pe + 1; (*lm++ = *pl++) != CHAR_EOS;)
+					continue;
+
+				/* Expand the current pattern */
+#ifdef DEBUG
+				qprintf("globexp2:", patbuf);
+#endif
+				*rv = globexp1(patbuf, pglob);
+
+				/* move after the comma, to the next string */
+				pl = pm + 1;
+			}
+			break;
+
+		default:
+			break;
+		}
+	*rv = 0;
+	return 0;
+}
+
+
+
+/*
+ * expand tilde from the passwd file.
+ */
+static const Char *
+globtilde(const Char *pattern, Char *patbuf, glob_t *pglob)
+{
+	struct passwd *pwd;
+	char *h;
+	const Char *p;
+	Char *b;
+
+	if (*pattern != CHAR_TILDE || !(pglob->gl_flags & GLOB_TILDE))
+		return pattern;
+
+	/* Copy up to the end of the string or / */
+	for (p = pattern + 1, h = (char *) patbuf; *p && *p != CHAR_SLASH; 
+	     *h++ = *p++)
+		continue;
+
+	*h = CHAR_EOS;
+
+	if (((char *) patbuf)[0] == CHAR_EOS) {
+		/* 
+		 * handle a plain ~ or ~/ by expanding $HOME 
+		 * first and then trying the password file
+		 */
+		if ((h = getenv("HOME")) == NULL) {
+			if ((pwd = k_getpwuid(getuid())) == NULL)
+				return pattern;
+			else
+				h = pwd->pw_dir;
+		}
+	}
+	else {
+		/*
+		 * Expand a ~user
+		 */
+		if ((pwd = k_getpwnam((char*) patbuf)) == NULL)
+			return pattern;
+		else
+			h = pwd->pw_dir;
+	}
+
+	/* Copy the home directory */
+	for (b = patbuf; *h; *b++ = *h++)
+		continue;
+	
+	/* Append the rest of the pattern */
+	while ((*b++ = *p++) != CHAR_EOS)
+		continue;
+
+	return patbuf;
+}
+	
+
+/*
+ * The main glob() routine: compiles the pattern (optionally processing
+ * quotes), calls glob1() to do the real pattern matching, and finally
+ * sorts the list (unless unsorted operation is requested).  Returns 0
+ * if things went well, nonzero if errors occurred.  It is not an error
+ * to find no matches.
+ */
+static int
+glob0(const Char *pattern, glob_t *pglob)
+{
+	const Char *qpatnext;
+	int c, err, oldpathc;
+	Char *bufnext, patbuf[MaxPathLen+1];
+	size_t limit = 0;
+
+	qpatnext = globtilde(pattern, patbuf, pglob);
+	oldpathc = pglob->gl_pathc;
+	bufnext = patbuf;
+
+	/* We don't need to check for buffer overflow any more. */
+	while ((c = *qpatnext++) != CHAR_EOS) {
+		switch (c) {
+		case CHAR_LBRACKET:
+			c = *qpatnext;
+			if (c == CHAR_NOT)
+				++qpatnext;
+			if (*qpatnext == CHAR_EOS ||
+			    g_strchr(qpatnext+1, CHAR_RBRACKET) == NULL) {
+				*bufnext++ = CHAR_LBRACKET;
+				if (c == CHAR_NOT)
+					--qpatnext;
+				break;
+			}
+			*bufnext++ = M_SET;
+			if (c == CHAR_NOT)
+				*bufnext++ = M_NOT;
+			c = *qpatnext++;
+			do {
+				*bufnext++ = CHAR(c);
+				if (*qpatnext == CHAR_RANGE &&
+				    (c = qpatnext[1]) != CHAR_RBRACKET) {
+					*bufnext++ = M_RNG;
+					*bufnext++ = CHAR(c);
+					qpatnext += 2;
+				}
+			} while ((c = *qpatnext++) != CHAR_RBRACKET);
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			*bufnext++ = M_END;
+			break;
+		case CHAR_QUESTION:
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			*bufnext++ = M_ONE;
+			break;
+		case CHAR_STAR:
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			/* collapse adjacent stars to one, 
+			 * to avoid exponential behavior
+			 */
+			if (bufnext == patbuf || bufnext[-1] != M_ALL)
+			    *bufnext++ = M_ALL;
+			break;
+		default:
+			*bufnext++ = CHAR(c);
+			break;
+		}
+	}
+	*bufnext = CHAR_EOS;
+#ifdef DEBUG
+	qprintf("glob0:", patbuf);
+#endif
+
+	if ((err = glob1(patbuf, pglob, &limit)) != 0)
+		return(err);
+
+	/*
+	 * If there was no match we are going to append the pattern 
+	 * if GLOB_NOCHECK was specified or if GLOB_NOMAGIC was specified
+	 * and the pattern did not contain any magic characters
+	 * GLOB_NOMAGIC is there just for compatibility with csh.
+	 */
+	if (pglob->gl_pathc == oldpathc && 
+	    ((pglob->gl_flags & GLOB_NOCHECK) || 
+	      ((pglob->gl_flags & GLOB_NOMAGIC) &&
+	       !(pglob->gl_flags & GLOB_MAGCHAR))))
+		return(globextend(pattern, pglob, &limit));
+	else if (!(pglob->gl_flags & GLOB_NOSORT)) 
+		qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc,
+		    pglob->gl_pathc - oldpathc, sizeof(char *), compare);
+	return(0);
+}
+
+static int
+compare(const void *p, const void *q)
+{
+	return(strcmp(*(char **)p, *(char **)q));
+}
+
+static int
+glob1(Char *pattern, glob_t *pglob, size_t *limit)
+{
+	Char pathbuf[MaxPathLen+1];
+
+	/* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */
+	if (*pattern == CHAR_EOS)
+		return(0);
+	return(glob2(pathbuf, pathbuf, pattern, pglob, limit));
+}
+
+/*
+ * The functions glob2 and glob3 are mutually recursive; there is one level
+ * of recursion for each segment in the pattern that contains one or more
+ * meta characters.
+ */
+
+#ifndef S_ISLNK
+#if defined(S_IFLNK) && defined(S_IFMT)
+#define S_ISLNK(mode) (((mode) & S_IFMT) == S_IFLNK)
+#else
+#define S_ISLNK(mode) 0
+#endif
+#endif
+
+static int
+glob2(Char *pathbuf, Char *pathend, Char *pattern, glob_t *pglob,
+      size_t *limit)
+{
+	struct stat sb;
+	Char *p, *q;
+	int anymeta;
+
+	/*
+	 * Loop over pattern segments until end of pattern or until
+	 * segment with meta character found.
+	 */
+	for (anymeta = 0;;) {
+		if (*pattern == CHAR_EOS) {		/* End of pattern? */
+			*pathend = CHAR_EOS;
+			if (g_lstat(pathbuf, &sb, pglob))
+				return(0);
+		
+			if (((pglob->gl_flags & GLOB_MARK) &&
+			    pathend[-1] != CHAR_SEP) && (S_ISDIR(sb.st_mode)
+			    || (S_ISLNK(sb.st_mode) &&
+			    (g_stat(pathbuf, &sb, pglob) == 0) &&
+			    S_ISDIR(sb.st_mode)))) {
+				*pathend++ = CHAR_SEP;
+				*pathend = CHAR_EOS;
+			}
+			++pglob->gl_matchc;
+			return(globextend(pathbuf, pglob, limit));
+		}
+
+		/* Find end of next segment, copy tentatively to pathend. */
+		q = pathend;
+		p = pattern;
+		while (*p != CHAR_EOS && *p != CHAR_SEP) {
+			if (ismeta(*p))
+				anymeta = 1;
+			*q++ = *p++;
+		}
+
+		if (!anymeta) {		/* No expansion, do next segment. */
+			pathend = q;
+			pattern = p;
+			while (*pattern == CHAR_SEP)
+				*pathend++ = *pattern++;
+		} else			/* Need expansion, recurse. */
+			return(glob3(pathbuf, pathend, pattern, p, pglob,
+			    limit));
+	}
+	/* NOTREACHED */
+}
+
+static int
+glob3(Char *pathbuf, Char *pathend, Char *pattern, Char *restpattern, 
+      glob_t *pglob, size_t *limit)
+{
+	struct dirent *dp;
+	DIR *dirp;
+	int err;
+	char buf[MaxPathLen];
+
+	/*
+	 * The readdirfunc declaration can't be prototyped, because it is
+	 * assigned, below, to two functions which are prototyped in glob.h
+	 * and dirent.h as taking pointers to differently typed opaque
+	 * structures.
+	 */
+	struct dirent *(*readdirfunc)(void *);
+
+	*pathend = CHAR_EOS;
+	errno = 0;
+	    
+	if ((dirp = g_opendir(pathbuf, pglob)) == NULL) {
+		/* TODO: don't call for ENOENT or ENOTDIR? */
+		if (pglob->gl_errfunc) {
+			g_Ctoc(pathbuf, buf);
+			if (pglob->gl_errfunc(buf, errno) ||
+			    pglob->gl_flags & GLOB_ERR)
+				return (GLOB_ABEND);
+		}
+		return(0);
+	}
+
+	err = 0;
+
+	/* Search directory for matching names. */
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		readdirfunc = pglob->gl_readdir;
+	else
+		readdirfunc = (struct dirent *(*)(void *))readdir;
+	while ((dp = (*readdirfunc)(dirp))) {
+		u_char *sc;
+		Char *dc;
+
+		/* Initial CHAR_DOT must be matched literally. */
+		if (dp->d_name[0] == CHAR_DOT && *pattern != CHAR_DOT)
+			continue;
+		for (sc = (u_char *) dp->d_name, dc = pathend; 
+		     (*dc++ = *sc++) != CHAR_EOS;)
+			continue;
+		if (!match(pathend, pattern, restpattern)) {
+			*pathend = CHAR_EOS;
+			continue;
+		}
+		err = glob2(pathbuf, --dc, restpattern, pglob, limit);
+		if (err)
+			break;
+	}
+
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		(*pglob->gl_closedir)(dirp);
+	else
+		closedir(dirp);
+	return(err);
+}
+
+
+/*
+ * Extend the gl_pathv member of a glob_t structure to accomodate a new item,
+ * add the new item, and update gl_pathc.
+ *
+ * This assumes the BSD realloc, which only copies the block when its size
+ * crosses a power-of-two boundary; for v7 realloc, this would cause quadratic
+ * behavior.
+ *
+ * Return 0 if new item added, error code if memory couldn't be allocated.
+ *
+ * Invariant of the glob_t structure:
+ *	Either gl_pathc is zero and gl_pathv is NULL; or gl_pathc > 0 and
+ *	gl_pathv points to (gl_offs + gl_pathc + 1) items.
+ */
+static int
+globextend(const Char *path, glob_t *pglob, size_t *limit)
+{
+	char **pathv;
+	int i;
+	size_t newsize, len;
+	char *copy;
+	const Char *p;
+
+	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
+	pathv = pglob->gl_pathv ? 
+		    realloc(pglob->gl_pathv, newsize) :
+		    malloc(newsize);
+	if (pathv == NULL)
+		return(GLOB_NOSPACE);
+
+	if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) {
+		/* first time around -- clear initial gl_offs items */
+		pathv += pglob->gl_offs;
+		for (i = pglob->gl_offs; --i >= 0; )
+			*--pathv = NULL;
+	}
+	pglob->gl_pathv = pathv;
+
+	for (p = path; *p++;)
+		continue;
+	len = (size_t)(p - path);
+	*limit += len;
+	if ((copy = malloc(len)) != NULL) {
+		g_Ctoc(path, copy);
+		pathv[pglob->gl_offs + pglob->gl_pathc++] = copy;
+	}
+	pathv[pglob->gl_offs + pglob->gl_pathc] = NULL;
+
+	if ((pglob->gl_flags & GLOB_LIMIT) && (newsize + *limit) >= ARG_MAX) {
+		errno = 0;
+		return(GLOB_NOSPACE);
+	}
+
+	return(copy == NULL ? GLOB_NOSPACE : 0);
+}
+
+
+/*
+ * pattern matching function for filenames.  Each occurrence of the *
+ * pattern causes a recursion level.
+ */
+static int
+match(Char *name, Char *pat, Char *patend)
+{
+	int ok, negate_range;
+	Char c, k;
+
+	while (pat < patend) {
+		c = *pat++;
+		switch (c & M_MASK) {
+		case M_ALL:
+			if (pat == patend)
+				return(1);
+			do 
+			    if (match(name, pat, patend))
+				    return(1);
+			while (*name++ != CHAR_EOS);
+			return(0);
+		case M_ONE:
+			if (*name++ == CHAR_EOS)
+				return(0);
+			break;
+		case M_SET:
+			ok = 0;
+			if ((k = *name++) == CHAR_EOS)
+				return(0);
+			if ((negate_range = ((*pat & M_MASK) == M_NOT)) != CHAR_EOS)
+				++pat;
+			while (((c = *pat++) & M_MASK) != M_END)
+				if ((*pat & M_MASK) == M_RNG) {
+					if (c <= k && k <= pat[1])
+						ok = 1;
+					pat += 2;
+				} else if (c == k)
+					ok = 1;
+			if (ok == negate_range)
+				return(0);
+			break;
+		default:
+			if (*name++ != c)
+				return(0);
+			break;
+		}
+	}
+	return(*name == CHAR_EOS);
+}
+
+/* Free allocated data belonging to a glob_t structure. */
+void
+globfree(glob_t *pglob)
+{
+	int i;
+	char **pp;
+
+	if (pglob->gl_pathv != NULL) {
+		pp = pglob->gl_pathv + pglob->gl_offs;
+		for (i = pglob->gl_pathc; i--; ++pp)
+			if (*pp)
+				free(*pp);
+		free(pglob->gl_pathv);
+		pglob->gl_pathv = NULL;
+	}
+}
+
+static DIR *
+g_opendir(Char *str, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	if (!*str)
+		strlcpy(buf, ".", sizeof(buf));
+	else
+		g_Ctoc(str, buf);
+
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_opendir)(buf));
+
+	return(opendir(buf));
+}
+
+static int
+g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	g_Ctoc(fn, buf);
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_lstat)(buf, sb));
+	return(lstat(buf, sb));
+}
+
+static int
+g_stat(Char *fn, struct stat *sb, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	g_Ctoc(fn, buf);
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_stat)(buf, sb));
+	return(stat(buf, sb));
+}
+
+static Char *
+g_strchr(const Char *str, int ch)
+{
+	do {
+		if (*str == ch)
+			return (Char *)str;
+	} while (*str++);
+	return (NULL);
+}
+
+#ifdef notdef
+static Char *
+g_strcat(Char *dst, const Char *src)
+{
+	Char *sdst = dst;
+
+	while (*dst++)
+		continue;
+	--dst;
+	while((*dst++ = *src++) != CHAR_EOS)
+	    continue;
+
+	return (sdst);
+}
+#endif
+
+static void
+g_Ctoc(const Char *str, char *buf)
+{
+	char *dc;
+
+	for (dc = buf; (*dc++ = *str++) != CHAR_EOS;)
+		continue;
+}
+
+#ifdef DEBUG
+static void 
+qprintf(const Char *str, Char *s)
+{
+	Char *p;
+
+	printf("%s:\n", str);
+	for (p = s; *p; p++)
+		printf("%c", CHAR(*p));
+	printf("\n");
+	for (p = s; *p; p++)
+		printf("%c", *p & M_PROTECT ? '"' : ' ');
+	printf("\n");
+	for (p = s; *p; p++)
+		printf("%c", ismeta(*p) ? '_' : ' ');
+	printf("\n");
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/glob.h b/crypto/heimdal/lib/roken/glob.h
new file mode 100644
index 0000000..bece48a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/glob.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)glob.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef _GLOB_H_
+#define	_GLOB_H_
+
+struct stat;
+typedef struct {
+	int gl_pathc;		/* Count of total paths so far. */
+	int gl_matchc;		/* Count of paths matching pattern. */
+	int gl_offs;		/* Reserved at beginning of gl_pathv. */
+	int gl_flags;		/* Copy of flags parameter to glob. */
+	char **gl_pathv;	/* List of paths matching pattern. */
+				/* Copy of errfunc parameter to glob. */
+	int (*gl_errfunc) (const char *, int);
+
+	/*
+	 * Alternate filesystem access methods for glob; replacement
+	 * versions of closedir(3), readdir(3), opendir(3), stat(2)
+	 * and lstat(2).
+	 */
+	void (*gl_closedir) (void *);
+	struct dirent *(*gl_readdir) (void *);	
+	void *(*gl_opendir) (const char *);
+	int (*gl_lstat) (const char *, struct stat *);
+	int (*gl_stat) (const char *, struct stat *);
+} glob_t;
+
+#define	GLOB_APPEND	0x0001	/* Append to output from previous call. */
+#define	GLOB_DOOFFS	0x0002	/* Use gl_offs. */
+#define	GLOB_ERR	0x0004	/* Return on error. */
+#define	GLOB_MARK	0x0008	/* Append / to matching directories. */
+#define	GLOB_NOCHECK	0x0010	/* Return pattern itself if nothing matches. */
+#define	GLOB_NOSORT	0x0020	/* Don't sort. */
+
+#define	GLOB_ALTDIRFUNC	0x0040	/* Use alternately specified directory funcs. */
+#define	GLOB_BRACE	0x0080	/* Expand braces ala csh. */
+#define	GLOB_MAGCHAR	0x0100	/* Pattern had globbing characters. */
+#define	GLOB_NOMAGIC	0x0200	/* GLOB_NOCHECK without magic chars (csh). */
+#define	GLOB_QUOTE	0x0400	/* Quote special chars with \. */
+#define	GLOB_TILDE	0x0800	/* Expand tilde names from the passwd file. */
+
+#define	GLOB_NOSPACE	(-1)	/* Malloc call failed. */
+#define	GLOB_ABEND	(-2)	/* Unignored error. */
+
+int	glob (const char *, int, int (*)(const char *, int), glob_t *);
+void	globfree (glob_t *);
+
+#endif /* !_GLOB_H_ */
diff --git a/crypto/heimdal/lib/roken/glob.hin b/crypto/heimdal/lib/roken/glob.hin
new file mode 100644
index 0000000..98d8796
--- /dev/null
+++ b/crypto/heimdal/lib/roken/glob.hin
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)glob.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef _GLOB_H_
+#define	_GLOB_H_
+
+struct stat;
+typedef struct {
+	int gl_pathc;		/* Count of total paths so far. */
+	int gl_matchc;		/* Count of paths matching pattern. */
+	int gl_offs;		/* Reserved at beginning of gl_pathv. */
+	int gl_flags;		/* Copy of flags parameter to glob. */
+	char **gl_pathv;	/* List of paths matching pattern. */
+				/* Copy of errfunc parameter to glob. */
+	int (*gl_errfunc) (const char *, int);
+
+	/*
+	 * Alternate filesystem access methods for glob; replacement
+	 * versions of closedir(3), readdir(3), opendir(3), stat(2)
+	 * and lstat(2).
+	 */
+	void (*gl_closedir) (void *);
+	struct dirent *(*gl_readdir) (void *);	
+	void *(*gl_opendir) (const char *);
+	int (*gl_lstat) (const char *, struct stat *);
+	int (*gl_stat) (const char *, struct stat *);
+} glob_t;
+
+#define	GLOB_APPEND	0x0001	/* Append to output from previous call. */
+#define	GLOB_DOOFFS	0x0002	/* Use gl_offs. */
+#define	GLOB_ERR	0x0004	/* Return on error. */
+#define	GLOB_MARK	0x0008	/* Append / to matching directories. */
+#define	GLOB_NOCHECK	0x0010	/* Return pattern itself if nothing matches. */
+#define	GLOB_NOSORT	0x0020	/* Don't sort. */
+
+#define	GLOB_ALTDIRFUNC	0x0040	/* Use alternately specified directory funcs. */
+#define	GLOB_BRACE	0x0080	/* Expand braces ala csh. */
+#define	GLOB_MAGCHAR	0x0100	/* Pattern had globbing characters. */
+#define	GLOB_NOMAGIC	0x0200	/* GLOB_NOCHECK without magic chars (csh). */
+#define	GLOB_QUOTE	0x0400	/* Quote special chars with \. */
+#define	GLOB_TILDE	0x0800	/* Expand tilde names from the passwd file. */
+#define GLOB_LIMIT	0x1000	/* Limit memory used by matches to ARG_MAX */
+
+#define	GLOB_NOSPACE	(-1)	/* Malloc call failed. */
+#define	GLOB_ABEND	(-2)	/* Unignored error. */
+
+int	glob (const char *, int, int (*)(const char *, int), glob_t *);
+void	globfree (glob_t *);
+
+#endif /* !_GLOB_H_ */
diff --git a/crypto/heimdal/lib/roken/hstrerror.c b/crypto/heimdal/lib/roken/hstrerror.c
new file mode 100644
index 0000000..11b6a03
--- /dev/null
+++ b/crypto/heimdal/lib/roken/hstrerror.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: hstrerror.c,v 1.23 1999/12/05 13:18:55 assar Exp $");
+#endif
+
+#ifndef HAVE_HSTRERROR
+
+#if (defined(SunOS) && (SunOS >= 50))
+#define hstrerror broken_proto
+#endif
+#include "roken.h"
+#if (defined(SunOS) && (SunOS >= 50))
+#undef hstrerror
+#endif
+
+#ifndef HAVE_H_ERRNO
+int h_errno = -17; /* Some magic number */
+#endif
+
+#if !(defined(HAVE_H_ERRLIST) && defined(HAVE_H_NERR))
+static const char *const h_errlist[] = {
+    "Resolver Error 0 (no error)",
+    "Unknown host",		/* 1 HOST_NOT_FOUND */
+    "Host name lookup failure",	/* 2 TRY_AGAIN */
+    "Unknown server error",	/* 3 NO_RECOVERY */
+    "No address associated with name", /* 4 NO_ADDRESS */
+};
+
+static
+const
+int h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
+#else
+
+#ifndef HAVE_H_ERRLIST_DECLARATION
+extern const char *h_errlist[];
+extern int h_nerr;
+#endif
+
+#endif
+
+const char *
+hstrerror(int herr)
+{
+    if (0 <= herr && herr < h_nerr)
+	return h_errlist[herr];
+    else if(herr == -17)
+	return "unknown error";
+    else
+	return "Error number out of range (hstrerror)";
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/ifaddrs.hin b/crypto/heimdal/lib/roken/ifaddrs.hin
new file mode 100644
index 0000000..d2b9be8
--- /dev/null
+++ b/crypto/heimdal/lib/roken/ifaddrs.hin
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: ifaddrs.hin,v 1.3 2000/12/11 00:01:13 assar Exp $ */
+
+#ifndef __ifaddrs_h__
+#define __ifaddrs_h__
+
+/*
+ * the interface is defined in terms of the fields below, and this is
+ * sometimes #define'd, so there seems to be no simple way of solving
+ * this and this seemed the best. */
+
+#undef ifa_dstaddr
+
+struct ifaddrs {
+    struct ifaddrs *ifa_next;
+    char *ifa_name;
+    unsigned int ifa_flags;
+    struct sockaddr *ifa_addr;
+    struct sockaddr *ifa_netmask;
+    struct sockaddr *ifa_dstaddr;
+    void *ifa_data;
+};
+
+#ifndef ifa_broadaddr
+#define ifa_broadaddr ifa_dstaddr
+#endif
+
+int getifaddrs(struct ifaddrs**);
+
+void freeifaddrs(struct ifaddrs*);
+
+#endif /* __ifaddrs_h__ */
diff --git a/crypto/heimdal/lib/roken/inet_aton.c b/crypto/heimdal/lib/roken/inet_aton.c
new file mode 100644
index 0000000..cdc6bdd
--- /dev/null
+++ b/crypto/heimdal/lib/roken/inet_aton.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: inet_aton.c,v 1.13 1999/12/05 13:26:20 assar Exp $");
+#endif
+
+#include "roken.h"
+
+/* Minimal implementation of inet_aton.
+ * Cannot distinguish between failure and a local broadcast address. */
+
+int
+inet_aton(const char *cp, struct in_addr *addr)
+{
+  addr->s_addr = inet_addr(cp);
+  return (addr->s_addr == INADDR_NONE) ? 0 : 1;
+}
diff --git a/crypto/heimdal/lib/roken/inet_ntop.c b/crypto/heimdal/lib/roken/inet_ntop.c
new file mode 100644
index 0000000..63c99a5
--- /dev/null
+++ b/crypto/heimdal/lib/roken/inet_ntop.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: inet_ntop.c,v 1.5 2001/04/04 23:58:01 assar Exp $");
+#endif
+
+#include <roken.h>
+
+/*
+ *
+ */
+
+static const char *
+inet_ntop_v4 (const void *src, char *dst, size_t size)
+{
+    const char digits[] = "0123456789";
+    int i;
+    struct in_addr *addr = (struct in_addr *)src;
+    u_long a = ntohl(addr->s_addr);
+    const char *orig_dst = dst;
+
+    if (size < INET_ADDRSTRLEN) {
+	errno = ENOSPC;
+	return NULL;
+    }
+    for (i = 0; i < 4; ++i) {
+	int n = (a >> (24 - i * 8)) & 0xFF;
+	int non_zerop = 0;
+
+	if (non_zerop || n / 100 > 0) {
+	    *dst++ = digits[n / 100];
+	    n %= 100;
+	    non_zerop = 1;
+	}
+	if (non_zerop || n / 10 > 0) {
+	    *dst++ = digits[n / 10];
+	    n %= 10;
+	    non_zerop = 1;
+	}
+	*dst++ = digits[n];
+	if (i != 3)
+	    *dst++ = '.';
+    }
+    *dst++ = '\0';
+    return orig_dst;
+}
+
+#ifdef HAVE_IPV6
+static const char *
+inet_ntop_v6 (const void *src, char *dst, size_t size)
+{
+    const char xdigits[] = "0123456789abcdef";
+    int i;
+    const struct in6_addr *addr = (struct in6_addr *)src;
+    const u_char *ptr = addr->s6_addr;
+    const char *orig_dst = dst;
+
+    if (size < INET6_ADDRSTRLEN) {
+	errno = ENOSPC;
+	return NULL;
+    }
+    for (i = 0; i < 8; ++i) {
+	int non_zerop = 0;
+
+	if (non_zerop || (ptr[0] >> 4)) {
+	    *dst++ = xdigits[ptr[0] >> 4];
+	    non_zerop = 1;
+	}
+	if (non_zerop || (ptr[0] & 0x0F)) {
+	    *dst++ = xdigits[ptr[0] & 0x0F];
+	    non_zerop = 1;
+	}
+	if (non_zerop || (ptr[1] >> 4)) {
+	    *dst++ = xdigits[ptr[1] >> 4];
+	    non_zerop = 1;
+	}
+	*dst++ = xdigits[ptr[1] & 0x0F];
+	if (i != 7)
+	    *dst++ = ':';
+	ptr += 2;
+    }
+    *dst++ = '\0';
+    return orig_dst;
+}
+#endif /* HAVE_IPV6 */
+
+const char *
+inet_ntop(int af, const void *src, char *dst, size_t size)
+{
+    switch (af) {
+    case AF_INET :
+	return inet_ntop_v4 (src, dst, size);
+#ifdef HAVE_IPV6
+    case AF_INET6 :
+	return inet_ntop_v6 (src, dst, size);
+#endif
+    default :
+	errno = EAFNOSUPPORT;
+	return NULL;
+    }
+}
diff --git a/crypto/heimdal/lib/roken/inet_pton.c b/crypto/heimdal/lib/roken/inet_pton.c
new file mode 100644
index 0000000..d9c976c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/inet_pton.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: inet_pton.c,v 1.3 2000/07/27 04:56:13 assar Exp $");
+#endif
+
+#include <roken.h>
+
+int
+inet_pton(int af, const char *src, void *dst)
+{
+    if (af != AF_INET) {
+	errno = EAFNOSUPPORT;
+	return -1;
+    }
+    return inet_aton (src, dst);
+}
diff --git a/crypto/heimdal/lib/roken/initgroups.c b/crypto/heimdal/lib/roken/initgroups.c
new file mode 100644
index 0000000..dcf1d08
--- /dev/null
+++ b/crypto/heimdal/lib/roken/initgroups.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: initgroups.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+initgroups(const char *name, gid_t basegid)
+{
+  return 0;
+}
diff --git a/crypto/heimdal/lib/roken/innetgr.c b/crypto/heimdal/lib/roken/innetgr.c
new file mode 100644
index 0000000..4bc57f9
--- /dev/null
+++ b/crypto/heimdal/lib/roken/innetgr.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_INNETGR
+
+RCSID("$Id: innetgr.c,v 1.1 1999/03/11 14:04:01 joda Exp $");
+
+int
+innetgr(const char *netgroup, const char *machine, 
+	const char *user, const char *domain)
+{
+    return 0;
+}
+#endif
+
diff --git a/crypto/heimdal/lib/roken/install-sh b/crypto/heimdal/lib/roken/install-sh
new file mode 100755
index 0000000..e9de238
--- /dev/null
+++ b/crypto/heimdal/lib/roken/install-sh
@@ -0,0 +1,251 @@
+#!/bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5 (mit/util/scripts/install.sh).
+#
+# Copyright 1991 by the Massachusetts Institute of Technology
+#
+# Permission to use, copy, modify, distribute, and sell this software and its
+# documentation for any purpose is hereby granted without fee, provided that
+# the above copyright notice appear in all copies and that both that
+# copyright notice and this permission notice appear in supporting
+# documentation, and that the name of M.I.T. not be used in advertising or
+# publicity pertaining to distribution of the software without specific,
+# written prior permission.  M.I.T. makes no representations about the
+# suitability of this software for any purpose.  It is provided "as is"
+# without express or implied warranty.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.  It can only install one file at a time, a restriction
+# shared with many OS's install programs.
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+		chmodcmd=""
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/crypto/heimdal/lib/roken/iruserok.c b/crypto/heimdal/lib/roken/iruserok.c
new file mode 100644
index 0000000..3b3880b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/iruserok.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (c) 1983, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: iruserok.c,v 1.23 1999/12/05 13:27:05 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_RPCSVC_YPCLNT_H
+#include <rpcsvc/ypclnt.h>
+#endif
+
+#include "roken.h"
+
+int     __check_rhosts_file = 1;
+char    *__rcmd_errstr = 0;
+
+/*
+ * Returns "true" if match, 0 if no match.
+ */
+static
+int
+__icheckhost(unsigned raddr, const char *lhost)
+{
+	struct hostent *hp;
+	u_long laddr;
+	char **pp;
+
+	/* Try for raw ip address first. */
+	if (isdigit((unsigned char)*lhost)
+	    && (long)(laddr = inet_addr(lhost)) != -1)
+		return (raddr == laddr);
+
+	/* Better be a hostname. */
+	if ((hp = gethostbyname(lhost)) == NULL)
+		return (0);
+
+	/* Spin through ip addresses. */
+	for (pp = hp->h_addr_list; *pp; ++pp)
+	        if (memcmp(&raddr, *pp, sizeof(u_long)) == 0)
+			return (1);
+
+	/* No match. */
+	return (0);
+}
+
+/*
+ * Returns 0 if ok, -1 if not ok.
+ */
+static
+int
+__ivaliduser(FILE *hostf, unsigned raddr, const char *luser,
+	     const char *ruser)
+{
+	char *user, *p;
+	int ch;
+	char buf[MaxHostNameLen + 128];		/* host + login */
+	char hname[MaxHostNameLen];
+	struct hostent *hp;
+	/* Presumed guilty until proven innocent. */
+	int userok = 0, hostok = 0;
+#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
+	char *ypdomain;
+
+	if (yp_get_default_domain(&ypdomain))
+		ypdomain = NULL;
+#else
+#define	ypdomain NULL
+#endif
+	/* We need to get the damn hostname back for netgroup matching. */
+	if ((hp = gethostbyaddr((char *)&raddr,
+				sizeof(u_long),
+				AF_INET)) == NULL)
+		return (-1);
+	strlcpy(hname, hp->h_name, sizeof(hname));
+
+	while (fgets(buf, sizeof(buf), hostf)) {
+		p = buf;
+		/* Skip lines that are too long. */
+		if (strchr(p, '\n') == NULL) {
+			while ((ch = getc(hostf)) != '\n' && ch != EOF);
+			continue;
+		}
+		if (*p == '\n' || *p == '#') {
+			/* comment... */
+			continue;
+		}
+		while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') {
+		        if (isupper((unsigned char)*p))
+			    *p = tolower((unsigned char)*p);
+			p++;
+		}
+		if (*p == ' ' || *p == '\t') {
+			*p++ = '\0';
+			while (*p == ' ' || *p == '\t')
+				p++;
+			user = p;
+			while (*p != '\n' && *p != ' ' &&
+			    *p != '\t' && *p != '\0')
+				p++;
+		} else
+			user = p;
+		*p = '\0';
+		/*
+		 * Do +/- and +@/-@ checking. This looks really nasty,
+		 * but it matches SunOS's behavior so far as I can tell.
+		 */
+		switch(buf[0]) {
+		case '+':
+			if (!buf[1]) {     /* '+' matches all hosts */
+				hostok = 1;
+				break;
+			}
+			if (buf[1] == '@')  /* match a host by netgroup */
+				hostok = innetgr((char *)&buf[2],
+					(char *)&hname, NULL, ypdomain);
+			else		/* match a host by addr */
+				hostok = __icheckhost(raddr,(char *)&buf[1]);
+			break;
+		case '-':     /* reject '-' hosts and all their users */
+			if (buf[1] == '@') {
+				if (innetgr((char *)&buf[2],
+					      (char *)&hname, NULL, ypdomain))
+					return(-1);
+			} else {
+				if (__icheckhost(raddr,(char *)&buf[1]))
+					return(-1);
+			}
+			break;
+		default:  /* if no '+' or '-', do a simple match */
+			hostok = __icheckhost(raddr, buf);
+			break;
+		}
+		switch(*user) {
+		case '+':
+			if (!*(user+1)) {      /* '+' matches all users */
+				userok = 1;
+				break;
+			}
+			if (*(user+1) == '@')  /* match a user by netgroup */
+				userok = innetgr(user+2, NULL, (char *)ruser,
+						 ypdomain);
+			else	   /* match a user by direct specification */
+				userok = !(strcmp(ruser, user+1));
+			break;
+		case '-': 		/* if we matched a hostname, */
+			if (hostok) {   /* check for user field rejections */
+				if (!*(user+1))
+					return(-1);
+				if (*(user+1) == '@') {
+					if (innetgr(user+2, NULL,
+						    (char *)ruser, ypdomain))
+						return(-1);
+				} else {
+					if (!strcmp(ruser, user+1))
+						return(-1);
+				}
+			}
+			break;
+		default:	/* no rejections: try to match the user */
+			if (hostok)
+				userok = !(strcmp(ruser,*user ? user : luser));
+			break;
+		}
+		if (hostok && userok)
+			return(0);
+	}
+	return (-1);
+}
+
+/*
+ * New .rhosts strategy: We are passed an ip address. We spin through
+ * hosts.equiv and .rhosts looking for a match. When the .rhosts only
+ * has ip addresses, we don't have to trust a nameserver.  When it
+ * contains hostnames, we spin through the list of addresses the nameserver
+ * gives us and look for a match.
+ *
+ * Returns 0 if ok, -1 if not ok.
+ */
+int
+iruserok(unsigned raddr, int superuser, const char *ruser, const char *luser)
+{
+	char *cp;
+	struct stat sbuf;
+	struct passwd *pwd;
+	FILE *hostf;
+	uid_t uid;
+	int first;
+	char pbuf[MaxPathLen];
+
+	first = 1;
+	hostf = superuser ? NULL : fopen(_PATH_HEQUIV, "r");
+again:
+	if (hostf) {
+		if (__ivaliduser(hostf, raddr, luser, ruser) == 0) {
+			fclose(hostf);
+			return (0);
+		}
+		fclose(hostf);
+	}
+	if (first == 1 && (__check_rhosts_file || superuser)) {
+		first = 0;
+		if ((pwd = k_getpwnam((char*)luser)) == NULL)
+			return (-1);
+		snprintf (pbuf, sizeof(pbuf), "%s/.rhosts", pwd->pw_dir);
+
+		/*
+		 * Change effective uid while opening .rhosts.  If root and
+		 * reading an NFS mounted file system, can't read files that
+		 * are protected read/write owner only.
+		 */
+		uid = geteuid();
+		seteuid(pwd->pw_uid);
+		hostf = fopen(pbuf, "r");
+		seteuid(uid);
+
+		if (hostf == NULL)
+			return (-1);
+		/*
+		 * If not a regular file, or is owned by someone other than
+		 * user or root or if writeable by anyone but the owner, quit.
+		 */
+		cp = NULL;
+		if (lstat(pbuf, &sbuf) < 0)
+			cp = ".rhosts lstat failed";
+		else if (!S_ISREG(sbuf.st_mode))
+			cp = ".rhosts not regular file";
+		else if (fstat(fileno(hostf), &sbuf) < 0)
+			cp = ".rhosts fstat failed";
+		else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid)
+			cp = "bad .rhosts owner";
+		else if (sbuf.st_mode & (S_IWGRP|S_IWOTH))
+			cp = ".rhosts writeable by other than owner";
+		/* If there were any problems, quit. */
+		if (cp) {
+			__rcmd_errstr = cp;
+			fclose(hostf);
+			return (-1);
+		}
+		goto again;
+	}
+	return (-1);
+}
diff --git a/crypto/heimdal/lib/roken/issuid.c b/crypto/heimdal/lib/roken/issuid.c
new file mode 100644
index 0000000..af2aae5
--- /dev/null
+++ b/crypto/heimdal/lib/roken/issuid.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: issuid.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+issuid(void)
+{
+#if defined(HAVE_GETUID) && defined(HAVE_GETEUID)
+    if(getuid() != geteuid())
+	return 1;
+#endif
+#if defined(HAVE_GETGID) && defined(HAVE_GETEGID)
+    if(getgid() != getegid())
+	return 2;
+#endif
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/k_getpwnam.c b/crypto/heimdal/lib/roken/k_getpwnam.c
new file mode 100644
index 0000000..40681cd
--- /dev/null
+++ b/crypto/heimdal/lib/roken/k_getpwnam.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: k_getpwnam.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
+#endif /* HAVE_CONFIG_H */
+
+#include "roken.h"
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+
+struct passwd *
+k_getpwnam (const char *user)
+{
+     struct passwd *p;
+
+     p = getpwnam (user);
+#if defined(HAVE_GETSPNAM) && defined(HAVE_STRUCT_SPWD)
+     if(p)
+     {
+	  struct spwd *spwd;
+
+	  spwd = getspnam (user);
+	  if (spwd)
+	       p->pw_passwd = spwd->sp_pwdp;
+	  endspent ();
+     }
+#else
+     endpwent ();
+#endif
+     return p;
+}
diff --git a/crypto/heimdal/lib/roken/k_getpwuid.c b/crypto/heimdal/lib/roken/k_getpwuid.c
new file mode 100644
index 0000000..1e2ca54
--- /dev/null
+++ b/crypto/heimdal/lib/roken/k_getpwuid.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: k_getpwuid.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
+#endif /* HAVE_CONFIG_H */
+
+#include "roken.h"
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+
+struct passwd *
+k_getpwuid (uid_t uid)
+{
+     struct passwd *p;
+
+     p = getpwuid (uid);
+#if defined(HAVE_GETSPNAM) && defined(HAVE_STRUCT_SPWD)
+     if (p)
+     {
+	  struct spwd *spwd;
+
+	  spwd = getspnam (p->pw_name);
+	  if (spwd)
+	       p->pw_passwd = spwd->sp_pwdp;
+	  endspent ();
+     }
+#else
+     endpwent ();
+#endif
+     return p;
+}
diff --git a/crypto/heimdal/lib/roken/lstat.c b/crypto/heimdal/lib/roken/lstat.c
new file mode 100644
index 0000000..2f03e19
--- /dev/null
+++ b/crypto/heimdal/lib/roken/lstat.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: lstat.c,v 1.4 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+lstat(const char *path, struct stat *buf)
+{
+  return stat(path, buf);
+}
diff --git a/crypto/heimdal/lib/roken/make-print-version.c b/crypto/heimdal/lib/roken/make-print-version.c
new file mode 100644
index 0000000..d7c8cf9
--- /dev/null
+++ b/crypto/heimdal/lib/roken/make-print-version.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ *
+ * $FreeBSD$
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: make-print-version.c,v 1.3 2000/08/16 11:30:04 assar Exp $");
+#endif
+
+#include <stdio.h>
+
+#ifdef KRB5
+extern const char *heimdal_version;
+#endif
+#ifdef KRB4
+extern const char *krb4_version;
+#endif
+#include <version.h>
+
+int
+main(int argc, char **argv)
+{
+    FILE *f;
+    if(argc != 2)
+	return 1;
+    f = fopen(argv[1], "w");
+    if(f == NULL)
+	return 1;
+    fprintf(f, "#define VERSIONLIST { ");
+#ifdef KRB5
+    fprintf(f, "\"%s\", ", heimdal_version);
+#endif
+#ifdef KRB4
+    fprintf(f, "\"%s\", ", krb4_version);
+#endif
+    fprintf(f, "}\n");
+    fclose(f);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/memmove.c b/crypto/heimdal/lib/roken/memmove.c
new file mode 100644
index 0000000..b77d56a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/memmove.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: memmove.c,v 1.7 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+/* 
+ * memmove for systems that doesn't have it 
+ */
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+void* memmove(void *s1, const void *s2, size_t n)
+{
+  char *s=(char*)s2, *d=(char*)s1;
+
+  if(d > s){
+    s+=n-1;
+    d+=n-1;
+    while(n){
+      *d--=*s--;
+      n--;
+    }
+  }else if(d < s)
+    while(n){
+      *d++=*s++;
+      n--;
+    }
+  return s1;
+}
diff --git a/crypto/heimdal/lib/roken/mini_inetd.c b/crypto/heimdal/lib/roken/mini_inetd.c
new file mode 100644
index 0000000..bb31962
--- /dev/null
+++ b/crypto/heimdal/lib/roken/mini_inetd.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: mini_inetd.c,v 1.28 2000/10/08 13:38:47 assar Exp $");
+#endif
+
+#include <err.h>
+#include "roken.h"
+
+/*
+ * accept a connection on `s' and pretend it's served by inetd.
+ */
+
+static void
+accept_it (int s)
+{
+    int s2;
+
+    s2 = accept(s, NULL, NULL);
+    if(s2 < 0)
+	err (1, "accept");
+    close(s);
+    dup2(s2, STDIN_FILENO);
+    dup2(s2, STDOUT_FILENO);
+    /* dup2(s2, STDERR_FILENO); */
+    close(s2);
+}
+
+/*
+ * Listen on `port' emulating inetd.
+ */
+
+void
+mini_inetd (int port)
+{
+    int error, ret;
+    struct addrinfo *ai, *a, hints;
+    char portstr[NI_MAXSERV];
+    int n, nalloc, i;
+    int *fds;
+    fd_set orig_read_set, read_set;
+    int max_fd = -1;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags    = AI_PASSIVE;
+    hints.ai_socktype = SOCK_STREAM;
+
+    snprintf (portstr, sizeof(portstr), "%d", ntohs(port));
+
+    error = getaddrinfo (NULL, portstr, &hints, &ai);
+    if (error)
+	errx (1, "getaddrinfo: %s", gai_strerror (error));
+
+    for (nalloc = 0, a = ai; a != NULL; a = a->ai_next)
+	++nalloc;
+
+    fds = malloc (nalloc * sizeof(*fds));
+    if (fds == NULL)
+	errx (1, "mini_inetd: out of memory");
+
+    FD_ZERO(&orig_read_set);
+
+    for (i = 0, a = ai; a != NULL; a = a->ai_next) {
+	fds[i] = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (fds[i] < 0) {
+	    warn ("socket");
+	    continue;
+	}
+	socket_set_reuseaddr (fds[i], 1);
+	if (bind (fds[i], a->ai_addr, a->ai_addrlen) < 0)
+	    err (1, "bind");
+	if (listen (fds[i], SOMAXCONN) < 0)
+	    err (1, "listen");
+	if (fds[i] >= FD_SETSIZE)
+	    errx (1, "fd too large");
+	FD_SET(fds[i], &orig_read_set);
+	max_fd = max(max_fd, fds[i]);
+	++i;
+    }
+    freeaddrinfo (ai);
+    if (i == 0)
+	errx (1, "no sockets");
+    n = i;
+
+    do {
+	read_set = orig_read_set;
+
+	ret = select (max_fd + 1, &read_set, NULL, NULL, NULL);
+	if (ret < 0 && errno != EINTR)
+	    err (1, "select");
+    } while (ret <= 0);
+
+    for (i = 0; i < n; ++i)
+	if (FD_ISSET (fds[i], &read_set)) {
+	    accept_it (fds[i]);
+	    return;
+	}
+    abort ();
+}
diff --git a/crypto/heimdal/lib/roken/missing b/crypto/heimdal/lib/roken/missing
new file mode 100755
index 0000000..7789652
--- /dev/null
+++ b/crypto/heimdal/lib/roken/missing
@@ -0,0 +1,190 @@
+#! /bin/sh
+# Common stub for a few missing GNU programs while installing.
+# Copyright (C) 1996, 1997 Free Software Foundation, Inc.
+# Franc,ois Pinard <pinard@iro.umontreal.ca>, 1996.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+
+if test $# -eq 0; then
+  echo 1>&2 "Try \`$0 --help' for more information"
+  exit 1
+fi
+
+case "$1" in
+
+  -h|--h|--he|--hel|--help)
+    echo "\
+$0 [OPTION]... PROGRAM [ARGUMENT]...
+
+Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
+error status if there is no known handling for PROGRAM.
+
+Options:
+  -h, --help      display this help and exit
+  -v, --version   output version information and exit
+
+Supported PROGRAM values:
+  aclocal      touch file \`aclocal.m4'
+  autoconf     touch file \`configure'
+  autoheader   touch file \`config.h.in'
+  automake     touch all \`Makefile.in' files
+  bison        create \`y.tab.[ch]', if possible, from existing .[ch]
+  flex         create \`lex.yy.c', if possible, from existing .c
+  lex          create \`lex.yy.c', if possible, from existing .c
+  makeinfo     touch the output file
+  yacc         create \`y.tab.[ch]', if possible, from existing .[ch]"
+    ;;
+
+  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
+    echo "missing - GNU libit 0.0"
+    ;;
+
+  -*)
+    echo 1>&2 "$0: Unknown \`$1' option"
+    echo 1>&2 "Try \`$0 --help' for more information"
+    exit 1
+    ;;
+
+  aclocal)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`acinclude.m4' or \`configure.in'.  You might want
+         to install the \`Automake' and \`Perl' packages.  Grab them from
+         any GNU archive site."
+    touch aclocal.m4
+    ;;
+
+  autoconf)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`configure.in'.  You might want to install the
+         \`Autoconf' and \`GNU m4' packages.  Grab them from any GNU
+         archive site."
+    touch configure
+    ;;
+
+  autoheader)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`acconfig.h' or \`configure.in'.  You might want
+         to install the \`Autoconf' and \`GNU m4' packages.  Grab them
+         from any GNU archive site."
+    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' configure.in`
+    test -z "$files" && files="config.h"
+    touch_files=
+    for f in $files; do
+      case "$f" in
+      *:*) touch_files="$touch_files "`echo "$f" |
+				       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
+      *) touch_files="$touch_files $f.in";;
+      esac
+    done
+    touch $touch_files
+    ;;
+
+  automake)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`Makefile.am', \`acinclude.m4' or \`configure.in'.
+         You might want to install the \`Automake' and \`Perl' packages.
+         Grab them from any GNU archive site."
+    find . -type f -name Makefile.am -print |
+	   sed 's/\.am$/.in/' |
+	   while read f; do touch "$f"; done
+    ;;
+
+  bison|yacc)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.y' file.  You may need the \`Bison' package
+         in order for those modifications to take effect.  You can get
+         \`Bison' from any GNU archive site."
+    rm -f y.tab.c y.tab.h
+    if [ $# -ne 1 ]; then
+        eval LASTARG="\${$#}"
+	case "$LASTARG" in
+	*.y)
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" y.tab.c
+	    fi
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" y.tab.h
+	    fi
+	  ;;
+	esac
+    fi
+    if [ ! -f y.tab.h ]; then
+	echo >y.tab.h
+    fi
+    if [ ! -f y.tab.c ]; then
+	echo 'main() { return 0; }' >y.tab.c
+    fi
+    ;;
+
+  lex|flex)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.l' file.  You may need the \`Flex' package
+         in order for those modifications to take effect.  You can get
+         \`Flex' from any GNU archive site."
+    rm -f lex.yy.c
+    if [ $# -ne 1 ]; then
+        eval LASTARG="\${$#}"
+	case "$LASTARG" in
+	*.l)
+	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" lex.yy.c
+	    fi
+	  ;;
+	esac
+    fi
+    if [ ! -f lex.yy.c ]; then
+	echo 'main() { return 0; }' >lex.yy.c
+    fi
+    ;;
+
+  makeinfo)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.texi' or \`.texinfo' file, or any other file
+         indirectly affecting the aspect of the manual.  The spurious
+         call might also be the consequence of using a buggy \`make' (AIX,
+         DU, IRIX).  You might want to install the \`Texinfo' package or
+         the \`GNU make' package.  Grab either from any GNU archive site."
+    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+    if test -z "$file"; then
+      file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
+      file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file`
+    fi
+    touch $file
+    ;;
+
+  *)
+    echo 1>&2 "\
+WARNING: \`$1' is needed, and you do not seem to have it handy on your
+         system.  You might have modified some files without having the
+         proper tools for further handling them.  Check the \`README' file,
+         it often tells you about the needed prerequirements for installing
+         this package.  You may also peek at any GNU archive site, in case
+         some other package would contain this missing \`$1' program."
+    exit 1
+    ;;
+esac
+
+exit 0
diff --git a/crypto/heimdal/lib/roken/mkinstalldirs b/crypto/heimdal/lib/roken/mkinstalldirs
new file mode 100755
index 0000000..6b3b5fc
--- /dev/null
+++ b/crypto/heimdal/lib/roken/mkinstalldirs
@@ -0,0 +1,40 @@
+#! /bin/sh
+# mkinstalldirs --- make directory hierarchy
+# Author: Noah Friedman <friedman@prep.ai.mit.edu>
+# Created: 1993-05-16
+# Public domain
+
+# $Id$
+
+errstatus=0
+
+for file
+do
+   set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
+   shift
+
+   pathcomp=
+   for d
+   do
+     pathcomp="$pathcomp$d"
+     case "$pathcomp" in
+       -* ) pathcomp=./$pathcomp ;;
+     esac
+
+     if test ! -d "$pathcomp"; then
+        echo "mkdir $pathcomp"
+
+        mkdir "$pathcomp" || lasterr=$?
+
+        if test ! -d "$pathcomp"; then
+  	  errstatus=$lasterr
+        fi
+     fi
+
+     pathcomp="$pathcomp/"
+   done
+done
+
+exit $errstatus
+
+# mkinstalldirs ends here
diff --git a/crypto/heimdal/lib/roken/mkstemp.c b/crypto/heimdal/lib/roken/mkstemp.c
new file mode 100644
index 0000000..350f4cb
--- /dev/null
+++ b/crypto/heimdal/lib/roken/mkstemp.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <errno.h>
+
+RCSID("$Id: mkstemp.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+
+#ifndef HAVE_MKSTEMP
+
+int
+mkstemp(char *template)
+{
+    int start, i;
+    pid_t val;
+    val = getpid();
+    start = strlen(template) - 1;
+    while(template[start] == 'X') {
+	template[start] = '0' + val % 10;
+	val /= 10;
+	start--;
+    }
+    
+    do{
+	int fd;
+	fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600);
+	if(fd >= 0 || errno != EEXIST)
+	    return fd;
+	i = start + 1;
+	do{
+	    if(template[i] == 0)
+		return -1;
+	    template[i]++;
+	    if(template[i] == '9' + 1)
+		template[i] = 'a';
+	    if(template[i] <= 'z')
+		break;
+	    template[i] = 'a';
+	    i++;
+	}while(1);
+    }while(1);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/net_read.c b/crypto/heimdal/lib/roken/net_read.c
new file mode 100644
index 0000000..6d45bfa
--- /dev/null
+++ b/crypto/heimdal/lib/roken/net_read.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: net_read.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <roken.h>
+
+/*
+ * Like read but never return partial data.
+ */
+
+ssize_t
+net_read (int fd, void *buf, size_t nbytes)
+{
+    char *cbuf = (char *)buf;
+    ssize_t count;
+    size_t rem = nbytes;
+
+    while (rem > 0) {
+#ifdef WIN32
+	count = recv (fd, cbuf, rem, 0);
+#else
+	count = read (fd, cbuf, rem);
+#endif
+	if (count < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		return count;
+	} else if (count == 0) {
+	    return count;
+	}
+	cbuf += count;
+	rem -= count;
+    }
+    return nbytes;
+}
diff --git a/crypto/heimdal/lib/roken/net_write.c b/crypto/heimdal/lib/roken/net_write.c
new file mode 100644
index 0000000..2f63dbe
--- /dev/null
+++ b/crypto/heimdal/lib/roken/net_write.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: net_write.c,v 1.4 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <roken.h>
+
+/*
+ * Like write but never return partial data.
+ */
+
+ssize_t
+net_write (int fd, const void *buf, size_t nbytes)
+{
+    const char *cbuf = (const char *)buf;
+    ssize_t count;
+    size_t rem = nbytes;
+
+    while (rem > 0) {
+#ifdef WIN32
+	count = send (fd, cbuf, rem, 0);
+#else
+	count = write (fd, cbuf, rem);
+#endif
+	if (count < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		return count;
+	}
+	cbuf += count;
+	rem -= count;
+    }
+    return nbytes;
+}
diff --git a/crypto/heimdal/lib/roken/parse_bytes-test.c b/crypto/heimdal/lib/roken/parse_bytes-test.c
new file mode 100644
index 0000000..499d942
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_bytes-test.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_bytes-test.c,v 1.2 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include "roken.h"
+#include "parse_bytes.h"
+
+static struct testcase {
+    int canonicalp;
+    int val;
+    const char *def_unit;
+    const char *str;
+} tests[] = {
+    {0, 0, NULL, "0 bytes"},
+    {1, 0, NULL, "0"},
+    {0, 1, NULL, "1"},
+    {1, 1, NULL, "1 byte"},
+    {0, 0, "kilobyte", "0"},
+    {0, 1024, "kilobyte", "1"},
+    {1, 1024, "kilobyte", "1 kilobyte"},
+    {1, 1024 * 1024, NULL, "1 megabyte"},
+    {0, 1025, NULL, "1 kilobyte 1"},
+    {1, 1025, NULL, "1 kilobyte 1 byte"},
+};
+
+int
+main(int argc, char **argv)
+{
+    int i;
+    int ret = 0;
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) {
+	char buf[256];
+	int val = parse_bytes (tests[i].str, tests[i].def_unit);
+	size_t len;
+
+	if (val != tests[i].val) {
+	    printf ("parse_bytes (%s, %s) = %d != %d\n",
+		    tests[i].str,
+		    tests[i].def_unit ? tests[i].def_unit : "none",
+		    val, tests[i].val);
+	    ++ret;
+	}
+	if (tests[i].canonicalp) {
+	    len = unparse_bytes (tests[i].val, buf, sizeof(buf));
+	    if (strcmp (tests[i].str, buf) != 0) {
+		printf ("unparse_bytes (%d) = \"%s\" != \"%s\"\n",
+			tests[i].val, buf, tests[i].str);
+		++ret;
+	    }
+	}    
+    }
+    if (ret) {
+	printf ("%d errors\n", ret);
+	return 1;
+    } else
+	return 0;
+}
diff --git a/crypto/heimdal/lib/roken/parse_bytes.c b/crypto/heimdal/lib/roken/parse_bytes.c
new file mode 100644
index 0000000..f3c514f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_bytes.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_bytes.c,v 1.2 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <parse_units.h>
+#include "parse_bytes.h"
+
+static units bytes_units[] = {
+    { "gigabyte", 1024 * 1024 * 1024 },
+    { "gbyte", 1024 * 1024 * 1024 },
+    { "GB", 1024 * 1024 * 1024 },
+    { "megabyte", 1024 * 1024 },
+    { "mbyte", 1024 * 1024 },
+    { "MB", 1024 * 1024 },
+    { "kilobyte", 1024 },
+    { "KB", 1024 },
+    { "byte", 1 },
+    { NULL, 0 }
+};
+
+static units bytes_short_units[] = {
+    { "GB", 1024 * 1024 * 1024 },
+    { "MB", 1024 * 1024 },
+    { "KB", 1024 },
+    { NULL, 0 }
+};
+
+int
+parse_bytes (const char *s, const char *def_unit)
+{
+    return parse_units (s, bytes_units, def_unit);
+}
+
+size_t
+unparse_bytes (int t, char *s, size_t len)
+{
+    return unparse_units (t, bytes_units, s, len);
+}
+
+size_t
+unparse_bytes_short (int t, char *s, size_t len)
+{
+    return unparse_units_approx (t, bytes_short_units, s, len);
+}
diff --git a/crypto/heimdal/lib/roken/parse_bytes.h b/crypto/heimdal/lib/roken/parse_bytes.h
new file mode 100644
index 0000000..8116c1c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_bytes.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse_bytes.h,v 1.2 1999/12/02 16:58:51 joda Exp $ */
+
+#ifndef __PARSE_BYTES_H__
+#define __PARSE_BYTES_H__
+
+int
+parse_bytes (const char *s, const char *def_unit);
+
+size_t
+unparse_bytes (int t, char *s, size_t len);
+
+size_t
+unparse_bytes_short (int t, char *s, size_t len);
+
+#endif /* __PARSE_BYTES_H__ */
diff --git a/crypto/heimdal/lib/roken/parse_time.c b/crypto/heimdal/lib/roken/parse_time.c
new file mode 100644
index 0000000..a09ded7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_time.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_time.c,v 1.5 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <parse_units.h>
+#include "parse_time.h"
+
+static units time_units[] = {
+    {"year",	365 * 24 * 60 * 60},
+    {"month",	30 * 24 * 60 * 60},
+    {"week",	7 * 24 * 60 * 60},
+    {"day",	24 * 60 * 60},
+    {"hour",	60 * 60},
+    {"h",	60 * 60},
+    {"minute",	60},
+    {"m",	60},
+    {"second",	1},
+    {"s",	1},
+    {NULL, 0},
+};
+
+int
+parse_time (const char *s, const char *def_unit)
+{
+    return parse_units (s, time_units, def_unit);
+}
+
+size_t
+unparse_time (int t, char *s, size_t len)
+{
+    return unparse_units (t, time_units, s, len);
+}
+
+size_t
+unparse_time_approx (int t, char *s, size_t len)
+{
+    return unparse_units_approx (t, time_units, s, len);
+}
+
+void
+print_time_table (FILE *f)
+{
+    print_units_table (time_units, f);
+}
diff --git a/crypto/heimdal/lib/roken/parse_time.h b/crypto/heimdal/lib/roken/parse_time.h
new file mode 100644
index 0000000..55de505
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_time.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse_time.h,v 1.4 1999/12/02 16:58:51 joda Exp $ */
+
+#ifndef __PARSE_TIME_H__
+#define __PARSE_TIME_H__
+
+int
+parse_time (const char *s, const char *def_unit);
+
+size_t
+unparse_time (int t, char *s, size_t len);
+
+size_t
+unparse_time_approx (int t, char *s, size_t len);
+
+void
+print_time_table (FILE *f);
+
+#endif /* __PARSE_TIME_H__ */
diff --git a/crypto/heimdal/lib/roken/parse_units.c b/crypto/heimdal/lib/roken/parse_units.c
new file mode 100644
index 0000000..2b32ad6
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_units.c
@@ -0,0 +1,325 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_units.c,v 1.13 2001/03/26 00:47:06 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <ctype.h>
+#include <string.h>
+#include <roken.h>
+#include "parse_units.h"
+
+/*
+ * Parse string in `s' according to `units' and return value.
+ * def_unit defines the default unit.
+ */
+
+static int
+parse_something (const char *s, const struct units *units,
+		 const char *def_unit,
+		 int (*func)(int res, int val, unsigned mult),
+		 int init,
+		 int accept_no_val_p)
+{
+    const char *p;
+    int res = init;
+    unsigned def_mult = 1;
+
+    if (def_unit != NULL) {
+	const struct units *u;
+
+	for (u = units; u->name; ++u) {
+	    if (strcasecmp (u->name, def_unit) == 0) {
+		def_mult = u->mult;
+		break;
+	    }
+	}
+	if (u->name == NULL)
+	    return -1;
+    }
+
+    p = s;
+    while (*p) {
+	double val;
+	char *next;
+	const struct units *u, *partial_unit;
+	size_t u_len;
+	unsigned partial;
+	int no_val_p = 0;
+
+	while(isspace((unsigned char)*p) || *p == ',')
+	    ++p;
+
+	val = strtod (p, &next); /* strtol(p, &next, 0); */
+	if (p == next) {
+	    val = 0;
+	    if(!accept_no_val_p)
+		return -1;
+	    no_val_p = 1;
+	}
+	p = next;
+	while (isspace((unsigned char)*p))
+	    ++p;
+	if (*p == '\0') {
+	    res = (*func)(res, val, def_mult);
+	    if (res < 0)
+		return res;
+	    break;
+	} else if (*p == '+') {
+	    ++p;
+	    val = 1;
+	} else if (*p == '-') {
+	    ++p;
+	    val = -1;
+	}
+	if (no_val_p && val == 0)
+	    val = 1;
+	u_len = strcspn (p, ", \t");
+	partial = 0;
+	partial_unit = NULL;
+	if (u_len > 1 && p[u_len - 1] == 's')
+	    --u_len;
+	for (u = units; u->name; ++u) {
+	    if (strncasecmp (p, u->name, u_len) == 0) {
+		if (u_len == strlen (u->name)) {
+		    p += u_len;
+		    res = (*func)(res, val, u->mult);
+		    if (res < 0)
+			return res;
+		    break;
+		} else {
+		    ++partial;
+		    partial_unit = u;
+		}
+	    }
+	}
+	if (u->name == NULL) {
+	    if (partial == 1) {
+		p += u_len;
+		res = (*func)(res, val, partial_unit->mult);
+		if (res < 0)
+		    return res;
+	    } else {
+		return -1;
+	    }
+	}
+	if (*p == 's')
+	    ++p;
+    }
+    return res;
+}
+
+/*
+ * The string consists of a sequence of `n unit'
+ */
+
+static int
+acc_units(int res, int val, unsigned mult)
+{
+    return res + val * mult;
+}
+
+int
+parse_units (const char *s, const struct units *units,
+	     const char *def_unit)
+{
+    return parse_something (s, units, def_unit, acc_units, 0, 0);
+}
+
+/*
+ * The string consists of a sequence of `[+-]flag'.  `orig' consists
+ * the original set of flags, those are then modified and returned as
+ * the function value.
+ */
+
+static int
+acc_flags(int res, int val, unsigned mult)
+{
+    if(val == 1)
+	return res | mult;
+    else if(val == -1)
+	return res & ~mult;
+    else if (val == 0)
+	return mult;
+    else
+	return -1;
+}
+
+int
+parse_flags (const char *s, const struct units *units,
+	     int orig)
+{
+    return parse_something (s, units, NULL, acc_flags, orig, 1);
+}
+
+/*
+ * Return a string representation according to `units' of `num' in `s'
+ * with maximum length `len'.  The actual length is the function value.
+ */
+
+static size_t
+unparse_something (int num, const struct units *units, char *s, size_t len,
+		   int (*print) (char *s, size_t len, int div,
+				const char *name, int rem),
+		   int (*update) (int in, unsigned mult),
+		   const char *zero_string)
+{
+    const struct units *u;
+    size_t ret = 0, tmp;
+
+    if (num == 0)
+	return snprintf (s, len, "%s", zero_string);
+
+    for (u = units; num > 0 && u->name; ++u) {
+	int div;
+
+	div = num / u->mult;
+	if (div) {
+	    num = (*update) (num, u->mult);
+	    tmp = (*print) (s, len, div, u->name, num);
+
+	    len -= tmp;
+	    s += tmp;
+	    ret += tmp;
+	}
+    }
+    return ret;
+}
+
+static int
+print_unit (char *s, size_t len, int div, const char *name, int rem)
+{
+    return snprintf (s, len, "%u %s%s%s",
+		     div, name,
+		     div == 1 ? "" : "s",
+		     rem > 0 ? " " : "");
+}
+
+static int
+update_unit (int in, unsigned mult)
+{
+    return in % mult;
+}
+
+static int
+update_unit_approx (int in, unsigned mult)
+{
+    if (in / mult > 0)
+	return 0;
+    else
+	return update_unit (in, mult);
+}
+
+size_t
+unparse_units (int num, const struct units *units, char *s, size_t len)
+{
+    return unparse_something (num, units, s, len,
+			      print_unit,
+			      update_unit,
+			      "0");
+}
+
+size_t
+unparse_units_approx (int num, const struct units *units, char *s, size_t len)
+{
+    return unparse_something (num, units, s, len,
+			      print_unit,
+			      update_unit_approx,
+			      "0");
+}
+
+void
+print_units_table (const struct units *units, FILE *f)
+{
+    const struct units *u, *u2;
+    unsigned max_sz = 0;
+
+    for (u = units; u->name; ++u) {
+	max_sz = max(max_sz, strlen(u->name));
+    }
+
+    for (u = units; u->name;) {
+	char buf[1024];
+	const struct units *next;
+
+	for (next = u + 1; next->name && next->mult == u->mult; ++next)
+	    ;
+
+	if (next->name) {
+	    for (u2 = next;
+		 u2->name && u->mult % u2->mult != 0;
+		 ++u2)
+		;
+	    if (u2->name == NULL)
+		--u2;
+	    unparse_units (u->mult, u2, buf, sizeof(buf));
+	    fprintf (f, "1 %*s = %s\n", max_sz, u->name, buf);
+	} else {
+	    fprintf (f, "1 %s\n", u->name);
+	}
+	u = next;
+    }
+}
+
+static int
+print_flag (char *s, size_t len, int div, const char *name, int rem)
+{
+    return snprintf (s, len, "%s%s", name, rem > 0 ? ", " : "");
+}
+
+static int
+update_flag (int in, unsigned mult)
+{
+    return in - mult;
+}
+
+size_t
+unparse_flags (int num, const struct units *units, char *s, size_t len)
+{
+    return unparse_something (num, units, s, len,
+			      print_flag,
+			      update_flag,
+			      "");
+}
+
+void
+print_flags_table (const struct units *units, FILE *f)
+{
+    const struct units *u;
+
+    for(u = units; u->name; ++u)
+	fprintf(f, "%s%s", u->name, (u+1)->name ? ", " : "\n");
+}
diff --git a/crypto/heimdal/lib/roken/parse_units.h b/crypto/heimdal/lib/roken/parse_units.h
new file mode 100644
index 0000000..f159d30
--- /dev/null
+++ b/crypto/heimdal/lib/roken/parse_units.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse_units.h,v 1.6 1999/12/02 16:58:51 joda Exp $ */
+
+#ifndef __PARSE_UNITS_H__
+#define __PARSE_UNITS_H__
+
+#include <stdio.h>
+#include <stddef.h>
+
+struct units {
+    const char *name;
+    unsigned mult;
+};
+
+typedef struct units units;
+
+int
+parse_units (const char *s, const struct units *units,
+	     const char *def_unit);
+
+void
+print_units_table (const struct units *units, FILE *f);
+
+int
+parse_flags (const char *s, const struct units *units,
+	     int orig);
+
+size_t
+unparse_units (int num, const struct units *units, char *s, size_t len);
+
+size_t
+unparse_units_approx (int num, const struct units *units, char *s,
+		      size_t len);
+
+size_t
+unparse_flags (int num, const struct units *units, char *s, size_t len);
+
+void
+print_flags_table (const struct units *units, FILE *f);
+
+#endif /* __PARSE_UNITS_H__ */
diff --git a/crypto/heimdal/lib/roken/print_version.c b/crypto/heimdal/lib/roken/print_version.c
new file mode 100644
index 0000000..b5ce816
--- /dev/null
+++ b/crypto/heimdal/lib/roken/print_version.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: print_version.c,v 1.8 2001/02/20 01:44:55 assar Exp $");
+#endif
+#include "roken.h"
+
+#include "print_version.h"
+
+void
+print_version(const char *progname)
+{
+    const char *arg[] = VERSIONLIST;
+    const int num_args = sizeof(arg) / sizeof(arg[0]);
+    char *msg;
+    size_t len = 0;
+    int i;
+    
+    if(progname == NULL)
+	progname = getprogname();
+    
+    if(num_args == 0)
+	msg = "no version information";
+    else {
+	for(i = 0; i < num_args; i++) {
+	    if(i > 0)
+		len += 2;
+	    len += strlen(arg[i]);
+	}
+	msg = malloc(len + 1);
+	if(msg == NULL) {
+	    fprintf(stderr, "%s: out of memory\n", progname);
+	    return;
+	}
+	msg[0] = '\0';
+	for(i = 0; i < num_args; i++) {
+	    if(i > 0)
+		strcat(msg, ", ");
+	    strcat(msg, arg[i]);
+	}
+    }
+    fprintf(stderr, "%s (%s)\n", progname, msg);
+    fprintf(stderr, "Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan\n");
+    if(num_args != 0)
+	free(msg);
+}
diff --git a/crypto/heimdal/lib/roken/putenv.c b/crypto/heimdal/lib/roken/putenv.c
new file mode 100644
index 0000000..a6bdf60
--- /dev/null
+++ b/crypto/heimdal/lib/roken/putenv.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: putenv.c,v 1.7 2000/03/26 23:08:24 assar Exp $");
+#endif
+
+#include <stdlib.h>
+
+extern char **environ;
+
+/*
+ * putenv --
+ *	String points to a string of the form name=value.
+ *
+ *      Makes the value of the environment variable name equal to
+ *      value by altering an existing variable or creating a new one.
+ */
+
+int
+putenv(const char *string)
+{
+    int i;
+    const char *eq = (const char *)strchr(string, '=');
+    int len;
+    
+    if (eq == NULL)
+	return 1;
+    len = eq - string;
+
+    if(environ == NULL) {
+	environ = malloc(sizeof(char*));
+	if(environ == NULL)
+	    return 1;
+	environ[0] = NULL;
+    }
+
+    for(i = 0; environ[i] != NULL; i++)
+	if(strncmp(string, environ[i], len) == 0) {
+	    environ[i] = string;
+	    return 0;
+	}
+    environ = realloc(environ, sizeof(char*) * (i + 2));
+    if(environ == NULL)
+	return 1;
+    environ[i]   = string;
+    environ[i+1] = NULL;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/rcmd.c b/crypto/heimdal/lib/roken/rcmd.c
new file mode 100644
index 0000000..4117948
--- /dev/null
+++ b/crypto/heimdal/lib/roken/rcmd.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: rcmd.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include "roken.h"
+#include <stdio.h>
+
+int
+rcmd(char **ahost,
+     unsigned short inport,
+     const char *locuser,
+     const char *remuser,
+     const char *cmd,
+     int *fd2p)
+{
+  fprintf(stderr, "Only kerberized services are implemented\n");
+  return -1;
+}
diff --git a/crypto/heimdal/lib/roken/readv.c b/crypto/heimdal/lib/roken/readv.c
new file mode 100644
index 0000000..de2f9ea
--- /dev/null
+++ b/crypto/heimdal/lib/roken/readv.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: readv.c,v 1.5 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+readv(int d, const struct iovec *iov, int iovcnt)
+{
+    ssize_t ret, nb;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+
+    for(i = 0; i < iovcnt; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    nb = ret = read (d, buf, tot);
+    p = buf;
+    while (nb > 0) {
+	ssize_t cnt = min(nb, iov->iov_len);
+
+	memcpy (iov->iov_base, p, cnt);
+	p += cnt;
+	nb -= cnt;
+    }
+    free(buf);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/recvmsg.c b/crypto/heimdal/lib/roken/recvmsg.c
new file mode 100644
index 0000000..e94ad68
--- /dev/null
+++ b/crypto/heimdal/lib/roken/recvmsg.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: recvmsg.c,v 1.5 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+recvmsg(int s, struct msghdr *msg, int flags)
+{
+    ssize_t ret, nb;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+    struct iovec *iov = msg->msg_iov;
+
+    for(i = 0; i < msg->msg_iovlen; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    nb = ret = recvfrom (s, buf, tot, flags, msg->msg_name, &msg->msg_namelen);
+    p = buf;
+    while (nb > 0) {
+	ssize_t cnt = min(nb, iov->iov_len);
+
+	memcpy (iov->iov_base, p, cnt);
+	p += cnt;
+	nb -= cnt;
+	++iov;
+    }
+    free(buf);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/resolve.c b/crypto/heimdal/lib/roken/resolve.c
new file mode 100644
index 0000000..76df287
--- /dev/null
+++ b/crypto/heimdal/lib/roken/resolve.c
@@ -0,0 +1,441 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+#include "resolve.h"
+
+RCSID("$Id: resolve.c,v 1.26 2000/06/27 01:15:53 assar Exp $");
+
+#if defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND)
+
+#define DECL(X) {#X, T_##X}
+
+static struct stot{
+    const char *name;
+    int type;
+}stot[] = {
+    DECL(A),
+    DECL(NS),
+    DECL(CNAME),
+    DECL(SOA),
+    DECL(PTR),
+    DECL(MX),
+    DECL(TXT),
+    DECL(AFSDB),
+    DECL(SIG),
+    DECL(KEY),
+    DECL(SRV),
+    DECL(NAPTR),
+    {NULL, 	0}
+};
+
+int _resolve_debug = 0;
+
+int
+dns_string_to_type(const char *name)
+{
+    struct stot *p = stot;
+    for(p = stot; p->name; p++)
+	if(strcasecmp(name, p->name) == 0)
+	    return p->type;
+    return -1;
+}
+
+const char *
+dns_type_to_string(int type)
+{
+    struct stot *p = stot;
+    for(p = stot; p->name; p++)
+	if(type == p->type)
+	    return p->name;
+    return NULL;
+}
+
+void
+dns_free_data(struct dns_reply *r)
+{
+    struct resource_record *rr;
+    if(r->q.domain)
+	free(r->q.domain);
+    for(rr = r->head; rr;){
+	struct resource_record *tmp = rr;
+	if(rr->domain)
+	    free(rr->domain);
+	if(rr->u.data)
+	    free(rr->u.data);
+	rr = rr->next;
+	free(tmp);
+    }
+    free (r);
+}
+
+static struct dns_reply*
+parse_reply(unsigned char *data, int len)
+{
+    unsigned char *p;
+    char host[128];
+    int status;
+    
+    struct dns_reply *r;
+    struct resource_record **rr;
+    
+    r = calloc(1, sizeof(*r));
+    if (r == NULL)
+	return NULL;
+
+    p = data;
+#if 0
+    /* doesn't work on Crays */
+    memcpy(&r->h, p, sizeof(HEADER));
+    p += sizeof(HEADER);
+#else
+    memcpy(&r->h, p, 12); /* XXX this will probably be mostly garbage */
+    p += 12;
+#endif
+    status = dn_expand(data, data + len, p, host, sizeof(host));
+    if(status < 0){
+	dns_free_data(r);
+	return NULL;
+    }
+    r->q.domain = strdup(host);
+    if(r->q.domain == NULL) {
+	dns_free_data(r);
+	return NULL;
+    }
+    p += status;
+    r->q.type = (p[0] << 8 | p[1]);
+    p += 2;
+    r->q.class = (p[0] << 8 | p[1]);
+    p += 2;
+    rr = &r->head;
+    while(p < data + len){
+	int type, class, ttl, size;
+	status = dn_expand(data, data + len, p, host, sizeof(host));
+	if(status < 0){
+	    dns_free_data(r);
+	    return NULL;
+	}
+	p += status;
+	type = (p[0] << 8) | p[1];
+	p += 2;
+	class = (p[0] << 8) | p[1];
+	p += 2;
+	ttl = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+	p += 4;
+	size = (p[0] << 8) | p[1];
+	p += 2;
+	*rr = (struct resource_record*)calloc(1, 
+					      sizeof(struct resource_record));
+	if(*rr == NULL) {
+	    dns_free_data(r);
+	    return NULL;
+	}
+	(*rr)->domain = strdup(host);
+	if((*rr)->domain == NULL) {
+	    dns_free_data(r);
+	    return NULL;
+	}
+	(*rr)->type = type;
+	(*rr)->class = class;
+	(*rr)->ttl = ttl;
+	(*rr)->size = size;
+	switch(type){
+	case T_NS:
+	case T_CNAME:
+	case T_PTR:
+	    status = dn_expand(data, data + len, p, host, sizeof(host));
+	    if(status < 0){
+		dns_free_data(r);
+		return NULL;
+	    }
+	    (*rr)->u.txt = strdup(host);
+	    if((*rr)->u.txt == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
+	    break;
+	case T_MX:
+	case T_AFSDB:{
+	    status = dn_expand(data, data + len, p + 2, host, sizeof(host));
+	    if(status < 0){
+		dns_free_data(r);
+		return NULL;
+	    }
+	    (*rr)->u.mx = (struct mx_record*)malloc(sizeof(struct mx_record) + 
+						    strlen(host));
+	    if((*rr)->u.mx == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
+	    (*rr)->u.mx->preference = (p[0] << 8) | p[1];
+	    strcpy((*rr)->u.mx->domain, host);
+	    break;
+	}
+	case T_SRV:{
+	    status = dn_expand(data, data + len, p + 6, host, sizeof(host));
+	    if(status < 0){
+		dns_free_data(r);
+		return NULL;
+	    }
+	    (*rr)->u.srv = 
+		(struct srv_record*)malloc(sizeof(struct srv_record) + 
+					   strlen(host));
+	    if((*rr)->u.srv == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
+	    (*rr)->u.srv->priority = (p[0] << 8) | p[1];
+	    (*rr)->u.srv->weight = (p[2] << 8) | p[3];
+	    (*rr)->u.srv->port = (p[4] << 8) | p[5];
+	    strcpy((*rr)->u.srv->target, host);
+	    break;
+	}
+	case T_TXT:{
+	    (*rr)->u.txt = (char*)malloc(size + 1);
+	    if((*rr)->u.txt == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
+	    strncpy((*rr)->u.txt, (char*)p + 1, *p);
+	    (*rr)->u.txt[*p] = 0;
+	    break;
+	}
+	case T_KEY : {
+	    size_t key_len;
+
+	    key_len = size - 4;
+	    (*rr)->u.key = malloc (sizeof(*(*rr)->u.key) + key_len - 1);
+	    if ((*rr)->u.key == NULL) {
+		dns_free_data (r);
+		return NULL;
+	    }
+
+	    (*rr)->u.key->flags     = (p[0] << 8) | p[1];
+	    (*rr)->u.key->protocol  = p[2];
+	    (*rr)->u.key->algorithm = p[3];
+	    (*rr)->u.key->key_len   = key_len;
+	    memcpy ((*rr)->u.key->key_data, p + 4, key_len);
+	    break;
+	}
+	case T_SIG : {
+	    size_t sig_len;
+
+	    status = dn_expand (data, data + len, p + 18, host, sizeof(host));
+	    if (status < 0) {
+		dns_free_data (r);
+		return NULL;
+	    }
+	    sig_len = len - 18 - status;
+	    (*rr)->u.sig = malloc(sizeof(*(*rr)->u.sig)
+				  + strlen(host) + sig_len);
+	    if ((*rr)->u.sig == NULL) {
+		dns_free_data (r);
+		return NULL;
+	    }
+	    (*rr)->u.sig->type           = (p[0] << 8) | p[1];
+	    (*rr)->u.sig->algorithm      = p[2];
+	    (*rr)->u.sig->labels         = p[3];
+	    (*rr)->u.sig->orig_ttl       = (p[4] << 24) | (p[5] << 16)
+		| (p[6] << 8) | p[7];
+	    (*rr)->u.sig->sig_expiration = (p[8] << 24) | (p[9] << 16)
+		| (p[10] << 8) | p[11];
+	    (*rr)->u.sig->sig_inception  = (p[12] << 24) | (p[13] << 16)
+		| (p[14] << 8) | p[15];
+	    (*rr)->u.sig->key_tag        = (p[16] << 8) | p[17];
+	    (*rr)->u.sig->sig_len        = sig_len;
+	    memcpy ((*rr)->u.sig->sig_data, p + 18 + status, sig_len);
+	    (*rr)->u.sig->signer         = &(*rr)->u.sig->sig_data[sig_len];
+	    strcpy((*rr)->u.sig->signer, host);
+	    break;
+	}
+
+	case T_CERT : {
+	    size_t cert_len;
+
+	    cert_len = size - 5;
+	    (*rr)->u.cert = malloc (sizeof(*(*rr)->u.cert) + cert_len - 1);
+	    if ((*rr)->u.cert == NULL) {
+		dns_free_data (r);
+		return NULL;
+	    }
+
+	    (*rr)->u.cert->type      = (p[0] << 8) | p[1];
+	    (*rr)->u.cert->tag       = (p[2] << 8) | p[3];
+	    (*rr)->u.cert->algorithm = p[4];
+	    (*rr)->u.cert->cert_len  = cert_len;
+	    memcpy ((*rr)->u.cert->cert_data, p + 5, cert_len);
+	    break;
+	}
+	default:
+	    (*rr)->u.data = (unsigned char*)malloc(size);
+	    if(size != 0 && (*rr)->u.data == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
+	    memcpy((*rr)->u.data, p, size);
+	}
+	p += size;
+	rr = &(*rr)->next;
+    }
+    *rr = NULL;
+    return r;
+}
+
+static struct dns_reply *
+dns_lookup_int(const char *domain, int rr_class, int rr_type)
+{
+    unsigned char reply[1024];
+    int len;
+    struct dns_reply *r = NULL;
+    u_long old_options = 0;
+    
+    if (_resolve_debug) {
+        old_options = _res.options;
+	_res.options |= RES_DEBUG;
+	fprintf(stderr, "dns_lookup(%s, %d, %s)\n", domain,
+		rr_class, dns_type_to_string(rr_type));
+    }
+    len = res_search(domain, rr_class, rr_type, reply, sizeof(reply));
+    if (_resolve_debug) {
+        _res.options = old_options;
+	fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n",
+		domain, rr_class, dns_type_to_string(rr_type), len);
+    }
+    if (len >= 0)
+	r = parse_reply(reply, len);
+    return r;
+}
+
+struct dns_reply *
+dns_lookup(const char *domain, const char *type_name)
+{
+    int type;
+    
+    type = dns_string_to_type(type_name);
+    if(type == -1) {
+	if(_resolve_debug)
+	    fprintf(stderr, "dns_lookup: unknown resource type: `%s'\n", 
+		    type_name);
+	return NULL;
+    }
+    return dns_lookup_int(domain, C_IN, type);
+}
+
+#else /* NOT defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND) */
+
+struct dns_reply *
+dns_lookup(const char *domain, const char *type_name)
+{
+    return NULL;
+}
+
+void
+dns_free_data(struct dns_reply *r)
+{
+}
+
+#endif
+
+#ifdef TEST
+int 
+main(int argc, char **argv)
+{
+    struct dns_reply *r;
+    struct resource_record *rr;
+    r = dns_lookup(argv[1], argv[2]);
+    if(r == NULL){
+	printf("No reply.\n");
+	return 1;
+    }
+    for(rr = r->head; rr;rr=rr->next){
+	printf("%s %s %d ", rr->domain, dns_type_to_string(rr->type), rr->ttl);
+	switch(rr->type){
+	case T_NS:
+	case T_CNAME:
+	case T_PTR:
+	    printf("%s\n", (char*)rr->u.data);
+	    break;
+	case T_A:
+	    printf("%s\n", inet_ntoa(*rr->u.a));
+	    break;
+	case T_MX:
+	case T_AFSDB:{
+	    printf("%d %s\n", rr->u.mx->preference, rr->u.mx->domain);
+	    break;
+	}
+	case T_SRV:{
+	    struct srv_record *srv = rr->u.srv;
+	    printf("%d %d %d %s\n", srv->priority, srv->weight, 
+		   srv->port, srv->target);
+	    break;
+	}
+	case T_TXT: {
+	    printf("%s\n", rr->u.txt);
+	    break;
+	}
+	case T_SIG : {
+	    struct sig_record *sig = rr->u.sig;
+	    const char *type_string = dns_type_to_string (sig->type);
+
+	    printf ("type %u (%s), algorithm %u, labels %u, orig_ttl %u, sig_expiration %u, sig_inception %u, key_tag %u, signer %s\n",
+		    sig->type, type_string ? type_string : "",
+		    sig->algorithm, sig->labels, sig->orig_ttl,
+		    sig->sig_expiration, sig->sig_inception, sig->key_tag,
+		    sig->signer);
+	    break;
+	}
+	case T_KEY : {
+	    struct key_record *key = rr->u.key;
+
+	    printf ("flags %u, protocol %u, algorithm %u\n",
+		    key->flags, key->protocol, key->algorithm);
+	    break;
+	}
+	default:
+	    printf("\n");
+	    break;
+	}
+    }
+    
+    return 0;
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/resolve.h b/crypto/heimdal/lib/roken/resolve.h
new file mode 100644
index 0000000..1c2e9a7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/resolve.h
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: resolve.h,v 1.12 2000/10/15 21:28:56 assar Exp $ */
+
+#ifndef __RESOLVE_H__
+#define __RESOLVE_H__
+
+/* We use these, but they are not always present in <arpa/nameser.h> */
+
+#ifndef T_TXT
+#define T_TXT		16
+#endif
+#ifndef T_AFSDB
+#define T_AFSDB		18
+#endif
+#ifndef T_SIG
+#define T_SIG		24
+#endif
+#ifndef T_KEY
+#define T_KEY		25
+#endif
+#ifndef T_SRV
+#define T_SRV		33
+#endif
+#ifndef T_NAPTR
+#define T_NAPTR		35
+#endif
+#ifndef T_CERT
+#define T_CERT		37
+#endif
+
+struct dns_query{
+    char *domain;
+    unsigned type;
+    unsigned class;
+};
+
+struct mx_record{
+    unsigned  preference;
+    char domain[1];
+};
+
+struct srv_record{
+    unsigned priority;
+    unsigned weight;
+    unsigned port;
+    char target[1];
+};
+
+struct key_record {
+    unsigned flags;
+    unsigned protocol;
+    unsigned algorithm;
+    size_t   key_len;
+    u_char   key_data[1];
+};
+
+struct sig_record {
+    unsigned type;
+    unsigned algorithm;
+    unsigned labels;
+    unsigned orig_ttl;
+    unsigned sig_expiration;
+    unsigned sig_inception;
+    unsigned key_tag;
+    char     *signer;
+    unsigned sig_len;
+    char     sig_data[1];	/* also includes signer */
+};
+
+struct cert_record {
+    unsigned type;
+    unsigned tag;
+    unsigned algorithm;
+    size_t   cert_len;
+    u_char   cert_data[1];
+};
+
+struct resource_record{
+    char *domain;
+    unsigned type;
+    unsigned class;
+    unsigned ttl;
+    unsigned size;
+    union {
+	void *data;
+	struct mx_record *mx;
+	struct mx_record *afsdb; /* mx and afsdb are identical */
+	struct srv_record *srv;
+	struct in_addr *a;
+	char *txt;
+	struct key_record *key;
+	struct cert_record *cert;
+	struct sig_record *sig;
+    }u;
+    struct resource_record *next;
+};
+
+#ifndef T_A /* XXX if <arpa/nameser.h> isn't included */
+typedef int HEADER; /* will never be used */
+#endif
+
+struct dns_reply{
+    HEADER h;
+    struct dns_query q;
+    struct resource_record *head;
+};
+
+
+struct dns_reply* dns_lookup(const char *, const char *);
+void dns_free_data(struct dns_reply *);
+int dns_string_to_type(const char *name);
+const char *dns_type_to_string(int type);
+
+#endif /* __RESOLVE_H__ */
diff --git a/crypto/heimdal/lib/roken/resource.h b/crypto/heimdal/lib/roken/resource.h
new file mode 100644
index 0000000..01cd01d
--- /dev/null
+++ b/crypto/heimdal/lib/roken/resource.h
@@ -0,0 +1,15 @@
+//{{NO_DEPENDENCIES}}

+// Microsoft Developer Studio generated include file.

+// Used by roken.rc

+//

+

+// Next default values for new objects

+// 

+#ifdef APSTUDIO_INVOKED

+#ifndef APSTUDIO_READONLY_SYMBOLS

+#define _APS_NEXT_RESOURCE_VALUE        101

+#define _APS_NEXT_COMMAND_VALUE         40001

+#define _APS_NEXT_CONTROL_VALUE         1000

+#define _APS_NEXT_SYMED_VALUE           101

+#endif

+#endif

diff --git a/crypto/heimdal/lib/roken/roken-common.h b/crypto/heimdal/lib/roken/roken-common.h
new file mode 100644
index 0000000..2227336
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken-common.h
@@ -0,0 +1,330 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: roken-common.h,v 1.42 2001/01/29 02:09:09 assar Exp $ */
+
+#ifndef __ROKEN_COMMON_H__
+#define __ROKEN_COMMON_H__
+
+#ifdef __cplusplus
+#define ROKEN_CPP_START	extern "C" {
+#define ROKEN_CPP_END	}
+#else
+#define ROKEN_CPP_START
+#define ROKEN_CPP_END
+#endif
+
+#ifndef INADDR_NONE
+#define INADDR_NONE 0xffffffff
+#endif
+
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK 0x7f000001
+#endif
+
+#ifndef SOMAXCONN
+#define SOMAXCONN 5
+#endif
+
+#ifndef STDIN_FILENO
+#define STDIN_FILENO 0
+#endif
+
+#ifndef STDOUT_FILENO
+#define STDOUT_FILENO 1
+#endif
+
+#ifndef STDERR_FILENO
+#define STDERR_FILENO 2
+#endif
+
+#ifndef max
+#define max(a,b) (((a)>(b))?(a):(b))
+#endif
+
+#ifndef min
+#define min(a,b) (((a)<(b))?(a):(b))
+#endif
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+#ifndef LOG_DAEMON
+#define openlog(id,option,facility) openlog((id),(option))
+#define	LOG_DAEMON	0
+#endif
+#ifndef LOG_ODELAY
+#define LOG_ODELAY 0
+#endif
+#ifndef LOG_NDELAY
+#define LOG_NDELAY 0x08
+#endif
+#ifndef LOG_CONS
+#define LOG_CONS 0
+#endif
+#ifndef LOG_AUTH
+#define LOG_AUTH 0
+#endif
+#ifndef LOG_AUTHPRIV
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+
+#ifndef F_OK
+#define F_OK 0
+#endif
+
+#ifndef O_ACCMODE
+#define O_ACCMODE	003
+#endif
+
+#ifndef _PATH_DEV
+#define _PATH_DEV "/dev/"
+#endif
+
+#ifndef _PATH_DEVNULL
+#define _PATH_DEVNULL "/dev/null"
+#endif
+
+#ifndef _PATH_HEQUIV
+#define _PATH_HEQUIV "/etc/hosts.equiv"
+#endif
+
+#ifndef _PATH_VARRUN
+#define _PATH_VARRUN "/var/run/"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
+#ifndef MAXPATHLEN
+#define MAXPATHLEN (1024+4)
+#endif
+
+#ifndef SIG_ERR
+#define SIG_ERR ((RETSIGTYPE (*)(int))-1)
+#endif
+
+/*
+ * error code for getipnodeby{name,addr}
+ */
+
+#ifndef HOST_NOT_FOUND
+#define HOST_NOT_FOUND 1
+#endif
+
+#ifndef TRY_AGAIN
+#define TRY_AGAIN 2
+#endif
+
+#ifndef NO_RECOVERY
+#define NO_RECOVERY 3
+#endif
+
+#ifndef NO_DATA
+#define NO_DATA 4
+#endif
+
+#ifndef NO_ADDRESS
+#define NO_ADDRESS NO_DATA
+#endif
+
+/*
+ * error code for getaddrinfo
+ */
+
+#ifndef EAI_NOERROR
+#define EAI_NOERROR	0	/* no error */
+#endif
+
+#ifndef EAI_ADDRFAMILY
+
+#define EAI_ADDRFAMILY	1	/* address family for nodename not supported */
+#define EAI_AGAIN	2	/* temporary failure in name resolution */
+#define EAI_BADFLAGS	3	/* invalid value for ai_flags */
+#define EAI_FAIL	4	/* non-recoverable failure in name resolution */
+#define EAI_FAMILY	5	/* ai_family not supported */
+#define EAI_MEMORY	6	/* memory allocation failure */
+#define EAI_NODATA	7	/* no address associated with nodename */
+#define EAI_NONAME	8	/* nodename nor servname provided, or not known */
+#define EAI_SERVICE	9	/* servname not supported for ai_socktype */
+#define EAI_SOCKTYPE   10	/* ai_socktype not supported */
+#define EAI_SYSTEM     11	/* system error returned in errno */
+
+#endif /* EAI_ADDRFAMILY */
+
+/* flags for getaddrinfo() */
+
+#ifndef AI_PASSIVE
+
+#define AI_PASSIVE	0x01
+#define AI_CANONNAME	0x02
+#define AI_NUMERICHOST	0x04
+
+#endif /* AI_PASSIVE */
+
+/* flags for getnameinfo() */
+
+#ifndef NI_DGRAM
+#define NI_DGRAM	0x01
+#define NI_NAMEREQD	0x02
+#define NI_NOFQDN	0x04
+#define NI_NUMERICHOST	0x08
+#define NI_NUMERICSERV	0x10
+#endif
+
+/*
+ * constants for getnameinfo
+ */
+
+#ifndef NI_MAXHOST
+#define NI_MAXHOST  1025
+#define NI_MAXSERV    32
+#endif
+
+/*
+ * constants for inet_ntop
+ */
+
+#ifndef INET_ADDRSTRLEN
+#define INET_ADDRSTRLEN    16
+#endif
+
+#ifndef INET6_ADDRSTRLEN
+#define INET6_ADDRSTRLEN   46
+#endif
+
+/*
+ * for shutdown(2)
+ */
+
+#ifndef SHUT_RD
+#define SHUT_RD 0
+#endif
+
+#ifndef SHUT_WR
+#define SHUT_WR 1
+#endif
+
+#ifndef SHUT_RDWR
+#define SHUT_RDWR 2
+#endif
+
+#ifndef HAVE___ATTRIBUTE__
+#define __attribute__(x)
+#endif
+
+ROKEN_CPP_START
+
+#if IRIX != 4 /* fix for compiler bug */
+#ifdef RETSIGTYPE
+typedef RETSIGTYPE (*SigAction)(int);
+SigAction signal(int iSig, SigAction pAction); /* BSD compatible */
+#endif
+#endif
+
+int ROKEN_LIB_FUNCTION simple_execve(const char*, char*const[], char*const[]);
+int ROKEN_LIB_FUNCTION simple_execvp(const char*, char *const[]);
+int ROKEN_LIB_FUNCTION simple_execlp(const char*, ...);
+int ROKEN_LIB_FUNCTION simple_execle(const char*, ...);
+int ROKEN_LIB_FUNCTION simple_execl(const char *file, ...);
+
+void ROKEN_LIB_FUNCTION print_version(const char *);
+
+void *ROKEN_LIB_FUNCTION emalloc (size_t);
+void *ROKEN_LIB_FUNCTION erealloc (void *, size_t);
+char *ROKEN_LIB_FUNCTION estrdup (const char *);
+
+ssize_t ROKEN_LIB_FUNCTION eread (int fd, void *buf, size_t nbytes);
+ssize_t ROKEN_LIB_FUNCTION ewrite (int fd, const void *buf, size_t nbytes);
+
+void
+esetenv(const char *var, const char *val, int rewrite);
+
+void
+socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port);
+
+size_t
+socket_addr_size (const struct sockaddr *sa);
+
+void
+socket_set_any (struct sockaddr *sa, int af);
+
+size_t
+socket_sockaddr_size (const struct sockaddr *sa);
+
+void *
+socket_get_address (struct sockaddr *sa);
+
+int
+socket_get_port (const struct sockaddr *sa);
+
+void
+socket_set_port (struct sockaddr *sa, int port);
+
+void
+socket_set_debug (int sock);
+
+void
+socket_set_tos (int sock, int tos);
+
+void
+socket_set_reuseaddr (int sock, int val);
+
+char **
+vstrcollect(va_list *ap);
+
+char **
+strcollect(char *first, ...);
+
+void timevalfix(struct timeval *t1);
+void timevaladd(struct timeval *t1, const struct timeval *t2);
+void timevalsub(struct timeval *t1, const struct timeval *t2);
+
+char *pid_file_write (const char *progname);
+void pid_file_delete (char **);
+
+int
+read_environment(const char *file, char ***env);
+
+void warnerr(int doerrno, const char *fmt, va_list ap)
+    __attribute__ ((format (printf, 2, 0)));
+
+ROKEN_CPP_END
+
+#endif /* __ROKEN_COMMON_H__ */
diff --git a/crypto/heimdal/lib/roken/roken.awk b/crypto/heimdal/lib/roken/roken.awk
new file mode 100644
index 0000000..057b4fd
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.awk
@@ -0,0 +1,40 @@
+# $Id: roken.awk,v 1.7 2001/03/26 09:26:35 joda Exp $
+
+BEGIN {
+	print "#include <stdio.h>"
+	print "#ifdef HAVE_CONFIG_H"
+	print "#include <config.h>"
+	print "#endif"
+	print ""
+	print "int main()"
+	print "{"
+	    print "puts(\"/* This is an OS dependent, generated file */\");"
+	print "puts(\"\\n\");"
+	print "puts(\"#ifndef __ROKEN_H__\");"
+	print "puts(\"#define __ROKEN_H__\");"
+	print "puts(\"\");"
+}
+
+$1 == "\#ifdef" || $1 == "\#ifndef" || $1 == "\#if" || $1 == "\#else" || $1 == "\#elif" || $1 == "\#endif" || $1 == "#ifdef" || $1 == "#ifndef" || $1 == "#if" || $1 == "#else" || $1 == "#elif" || $1 == "#endif" {
+	print $0;
+	next
+}
+
+{
+	s = ""
+	for(i = 1; i <= length; i++){
+		x = substr($0, i, 1)
+		if(x == "\"" || x == "\\")
+			s = s "\\";
+		s = s x;
+	}
+	print "puts(\"" s "\");"
+}
+
+END {
+	print "puts(\"#define ROKEN_VERSION \" VERSION );"
+	print "puts(\"\");"
+	print "puts(\"#endif /* __ROKEN_H__ */\");"
+	print "return 0;"
+	print "}"
+}
diff --git a/crypto/heimdal/lib/roken/roken.def b/crypto/heimdal/lib/roken/roken.def
new file mode 100644
index 0000000..f9b0369
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.def
@@ -0,0 +1,17 @@
+LIBRARY roken BASE=0x68f0000
+EXPORTS
+	gettimeofday
+	strcasecmp
+	strtok_r
+	snprintf
+	asprintf
+	vsnprintf
+	base64_decode
+	base64_encode
+	roken_concat
+	roken_vconcat
+	roken_vmconcat
+	roken_mconcat
+	getuid
+	dns_free_data
+	dns_lookup
diff --git a/crypto/heimdal/lib/roken/roken.dsp b/crypto/heimdal/lib/roken/roken.dsp
new file mode 100644
index 0000000..d84854e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.dsp
@@ -0,0 +1,156 @@
+# Microsoft Developer Studio Project File - Name="roken" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 5.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=roken - Win32 Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "roken.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "roken.mak" CFG="roken - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "roken - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "roken - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "roken - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir ".\Release"
+# PROP BASE Intermediate_Dir ".\Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir ".\Release"
+# PROP Intermediate_Dir ".\Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MT /GX /O2 /I "..\krb" /I "..\des" /I "..\..\include" /I "..\..\include\win32" /I "." /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c
+# ADD BASE MTL /nologo /D "NDEBUG" /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /base:"0x68e7780" /subsystem:windows /dll /machine:I386
+
+!ELSEIF  "$(CFG)" == "roken - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir ".\Debug"
+# PROP BASE Intermediate_Dir ".\Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir ".\Debug"
+# PROP Intermediate_Dir ".\Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MDd /Gm /GX /Zi /Od /I "..\krb" /I "..\des" /I "..\..\include" /I "..\..\include\win32" /I "." /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c
+# ADD BASE MTL /nologo /D "_DEBUG" /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /subsystem:windows /dll /debug /machine:I386 /def:".\roken.def"
+# SUBTRACT LINK32 /pdb:none
+
+!ENDIF 
+
+# Begin Target
+
+# Name "roken - Win32 Release"
+# Name "roken - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;hpj;bat;for;f90"
+# Begin Source File
+
+SOURCE=.\base64.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\concat.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\gettimeofday.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\getuid.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\resolve.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\roken.def
+
+!IF  "$(CFG)" == "roken - Win32 Release"
+
+!ELSEIF  "$(CFG)" == "roken - Win32 Debug"
+
+# PROP Exclude_From_Build 1
+
+!ENDIF 
+
+# End Source File
+# Begin Source File
+
+SOURCE=.\snprintf.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\strcasecmp.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\strtok_r.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl;fi;fd"
+# Begin Source File
+
+SOURCE=.\resolve.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;cnt;rtf;gif;jpg;jpeg;jpe"
+# Begin Source File
+
+SOURCE=.\roken.rc
+# End Source File
+# End Group
+# End Target
+# End Project
diff --git a/crypto/heimdal/lib/roken/roken.h.in b/crypto/heimdal/lib/roken/roken.h.in
new file mode 100644
index 0000000..538a530
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.h.in
@@ -0,0 +1,621 @@
+/* -*- C -*- */
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: roken.h.in,v 1.157 2001/05/18 18:00:12 assar Exp $ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <signal.h>
+
+#ifdef _AIX
+struct ether_addr;
+struct sockaddr_dl;
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#ifdef HAVE_WINSOCK_H
+#include <winsock.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
+#ifdef HAVE_ERR_H
+#include <err.h>
+#endif
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+
+#ifndef ROKEN_LIB_FUNCTION
+#if defined(__BORLANDC__)
+#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet */
+#elif defined(_MSC_VER)
+#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet2 */
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+#include <roken-common.h>
+
+ROKEN_CPP_START
+
+#if !defined(HAVE_SETSID) && defined(HAVE__SETSID)
+#define setsid _setsid
+#endif
+
+#ifndef HAVE_PUTENV
+int putenv(const char *string);
+#endif
+
+#if !defined(HAVE_SETENV) || defined(NEED_SETENV_PROTO)
+int setenv(const char *var, const char *val, int rewrite);
+#endif
+
+#if !defined(HAVE_UNSETENV) || defined(NEED_UNSETENV_PROTO)
+void unsetenv(const char *name);
+#endif
+
+#if !defined(HAVE_GETUSERSHELL) || defined(NEED_GETUSERSHELL_PROTO)
+char *getusershell(void);
+void endusershell(void);
+#endif
+
+#if !defined(HAVE_SNPRINTF) || defined(NEED_SNPRINTF_PROTO)
+int snprintf (char *str, size_t sz, const char *format, ...)
+     __attribute__ ((format (printf, 3, 4)));
+#endif
+
+#if !defined(HAVE_VSNPRINTF) || defined(NEED_VSNPRINTF_PROTO)
+int vsnprintf (char *str, size_t sz, const char *format, va_list ap)
+     __attribute__((format (printf, 3, 0)));
+#endif
+
+#if !defined(HAVE_ASPRINTF) || defined(NEED_ASPRINTF_PROTO)
+int asprintf (char **ret, const char *format, ...)
+     __attribute__ ((format (printf, 2, 3)));
+#endif
+
+#if !defined(HAVE_VASPRINTF) || defined(NEED_VASPRINTF_PROTO)
+int vasprintf (char **ret, const char *format, va_list ap)
+     __attribute__((format (printf, 2, 0)));
+#endif
+
+#if !defined(HAVE_ASNPRINTF) || defined(NEED_ASNPRINTF_PROTO)
+int asnprintf (char **ret, size_t max_sz, const char *format, ...)
+     __attribute__ ((format (printf, 3, 4)));
+#endif
+
+#if !defined(HAVE_VASNPRINTF) || defined(NEED_VASNPRINTF_PROTO)
+int vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap)
+     __attribute__((format (printf, 3, 0)));
+#endif
+
+#ifndef HAVE_STRDUP
+char * strdup(const char *old);
+#endif
+
+#ifndef HAVE_STRNDUP
+char * strndup(const char *old, size_t sz);
+#endif
+
+#ifndef HAVE_STRLWR
+char * strlwr(char *);
+#endif
+
+#ifndef HAVE_STRNLEN
+size_t strnlen(const char*, size_t);
+#endif
+
+#if !defined(HAVE_STRSEP) || defined(NEED_STRSEP_PROTO)
+char *strsep(char**, const char*);
+#endif
+
+#if !defined(HAVE_STRSEP_COPY) || defined(NEED_STRSEP_COPY_PROTO)
+ssize_t strsep_copy(const char**, const char*, char*, size_t);
+#endif
+
+#ifndef HAVE_STRCASECMP
+int strcasecmp(const char *s1, const char *s2);
+#endif
+
+#ifdef NEED_FCLOSE_PROTO
+int fclose(FILE *);
+#endif
+
+#ifdef NEED_STRTOK_R_PROTO
+char *strtok_r(char *s1, const char *s2, char **lasts);
+#endif
+
+#ifndef HAVE_STRUPR
+char * strupr(char *);
+#endif
+
+#ifndef HAVE_STRLCPY
+size_t strlcpy (char *dst, const char *src, size_t dst_sz);
+#endif
+
+#ifndef HAVE_STRLCAT
+size_t strlcat (char *dst, const char *src, size_t dst_sz);
+#endif
+
+#ifndef HAVE_GETDTABLESIZE
+int getdtablesize(void);
+#endif
+
+#if !defined(HAVE_STRERROR) && !defined(strerror)
+char *strerror(int eno);
+#endif
+
+#if !defined(HAVE_HSTRERROR) || defined(NEED_HSTRERROR_PROTO)
+/* This causes a fatal error under Psoriasis */
+#if !(defined(SunOS) && (SunOS >= 50))
+const char *hstrerror(int herr);
+#endif
+#endif
+
+#ifndef HAVE_H_ERRNO_DECLARATION
+extern int h_errno;
+#endif
+
+#if !defined(HAVE_INET_ATON) || defined(NEED_INET_ATON_PROTO)
+int inet_aton(const char *cp, struct in_addr *adr);
+#endif
+
+#ifndef HAVE_INET_NTOP
+const char *
+inet_ntop(int af, const void *src, char *dst, size_t size);
+#endif
+
+#ifndef HAVE_INET_PTON
+int
+inet_pton(int af, const char *src, void *dst);
+#endif
+
+#if !defined(HAVE_GETCWD)
+char* getcwd(char *path, size_t size);
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+struct passwd *k_getpwnam (const char *user);
+struct passwd *k_getpwuid (uid_t uid);
+#endif
+
+const char *get_default_username (void);
+
+#ifndef HAVE_SETEUID
+int seteuid(uid_t euid);
+#endif
+
+#ifndef HAVE_SETEGID
+int setegid(gid_t egid);
+#endif
+
+#ifndef HAVE_LSTAT
+int lstat(const char *path, struct stat *buf);
+#endif
+
+#if !defined(HAVE_MKSTEMP) || defined(NEED_MKSTEMP_PROTO)
+int mkstemp(char *);
+#endif
+
+#ifndef HAVE_CGETENT
+int cgetent(char **buf, char **db_array, const char *name);
+int cgetstr(char *buf, const char *cap, char **str);
+#endif
+
+#ifndef HAVE_INITGROUPS
+int initgroups(const char *name, gid_t basegid);
+#endif
+
+#ifndef HAVE_FCHOWN
+int fchown(int fd, uid_t owner, gid_t group);
+#endif
+
+#ifndef HAVE_DAEMON
+int daemon(int nochdir, int noclose);
+#endif
+
+#ifndef HAVE_INNETGR
+int innetgr(const char *netgroup, const char *machine, 
+	    const char *user, const char *domain);
+#endif
+
+#ifndef HAVE_CHOWN
+int chown(const char *path, uid_t owner, gid_t group);
+#endif
+
+#ifndef HAVE_RCMD
+int rcmd(char **ahost, unsigned short inport, const char *locuser,
+	 const char *remuser, const char *cmd, int *fd2p);
+#endif
+
+#if !defined(HAVE_INNETGR) || defined(NEED_INNETGR_PROTO)
+int innetgr(const char*, const char*, const char*, const char*);
+#endif
+
+#ifndef HAVE_IRUSEROK
+int iruserok(unsigned raddr, int superuser, const char *ruser,
+	     const char *luser);
+#endif
+
+#if !defined(HAVE_GETHOSTNAME) || defined(NEED_GETHOSTNAME_PROTO)
+int gethostname(char *name, int namelen);
+#endif
+
+#ifndef HAVE_WRITEV
+ssize_t
+writev(int d, const struct iovec *iov, int iovcnt);
+#endif
+
+#ifndef HAVE_READV
+ssize_t
+readv(int d, const struct iovec *iov, int iovcnt);
+#endif
+
+#ifndef HAVE_MKSTEMP
+int
+mkstemp(char *template);
+#endif
+
+#ifndef HAVE_PIDFILE
+void pidfile (const char*);
+#endif
+
+#ifndef HAVE_BSWAP32
+unsigned int bswap32(unsigned int);
+#endif
+
+#ifndef HAVE_BSWAP16
+unsigned short bswap16(unsigned short);
+#endif
+
+#ifndef HAVE_FLOCK
+#ifndef LOCK_SH
+#define LOCK_SH   1		/* Shared lock */
+#endif
+#ifndef	LOCK_EX
+#define LOCK_EX   2		/* Exclusive lock */
+#endif
+#ifndef LOCK_NB
+#define LOCK_NB   4		/* Don't block when locking */
+#endif
+#ifndef LOCK_UN
+#define LOCK_UN   8		/* Unlock */
+#endif
+
+int flock(int fd, int operation);
+#endif /* HAVE_FLOCK */
+
+time_t tm2time (struct tm tm, int local);
+
+int unix_verify_user(char *user, char *password);
+
+void mini_inetd (int port);
+
+int roken_concat (char *s, size_t len, ...);
+
+size_t roken_mconcat (char **s, size_t max_len, ...);
+
+int roken_vconcat (char *s, size_t len, va_list args);
+
+size_t roken_vmconcat (char **s, size_t max_len, va_list args);
+
+ssize_t net_write (int fd, const void *buf, size_t nbytes);
+
+ssize_t net_read (int fd, void *buf, size_t nbytes);
+
+int issuid(void);
+
+#ifndef HAVE_STRUCT_WINSIZE
+struct winsize {
+	unsigned short ws_row, ws_col;
+	unsigned short ws_xpixel, ws_ypixel;
+};
+#endif
+
+int get_window_size(int fd, struct winsize *);
+
+#ifndef HAVE_VSYSLOG
+void vsyslog(int pri, const char *fmt, va_list ap);
+#endif
+
+#ifndef HAVE_OPTARG_DECLARATION
+extern char *optarg;
+#endif
+#ifndef HAVE_OPTIND_DECLARATION
+extern int optind;
+#endif
+#ifndef HAVE_OPTERR_DECLARATION
+extern int opterr;
+#endif
+
+#ifndef HAVE___PROGNAME_DECLARATION
+extern const char *__progname;
+#endif
+
+#ifndef HAVE_ENVIRON_DECLARATION
+extern char **environ;
+#endif
+
+#ifndef HAVE_GETIPNODEBYNAME
+struct hostent *
+getipnodebyname (const char *name, int af, int flags, int *error_num);
+#endif
+
+#ifndef HAVE_GETIPNODEBYADDR
+struct hostent *
+getipnodebyaddr (const void *src, size_t len, int af, int *error_num);
+#endif
+
+#ifndef HAVE_FREEHOSTENT
+void
+freehostent (struct hostent *h);
+#endif
+
+#ifndef HAVE_COPYHOSTENT
+struct hostent *
+copyhostent (const struct hostent *h);
+#endif
+
+#ifndef HAVE_SOCKLEN_T
+typedef int socklen_t;
+#endif
+
+#ifndef HAVE_STRUCT_SOCKADDR_STORAGE
+
+#ifndef HAVE_SA_FAMILY_T
+typedef unsigned short sa_family_t;
+#endif
+
+#ifdef HAVE_IPV6
+#define _SS_MAXSIZE sizeof(struct sockaddr_in6)
+#else
+#define _SS_MAXSIZE sizeof(struct sockaddr_in)
+#endif
+
+#define _SS_ALIGNSIZE	sizeof(unsigned long)
+
+#if HAVE_STRUCT_SOCKADDR_SA_LEN
+
+typedef unsigned char roken_sa_family_t;
+
+#define _SS_PAD1SIZE   ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t) - sizeof(unsigned char)) % _SS_ALIGNSIZE)
+#define _SS_PAD2SIZE   (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + sizeof(unsigned char) + _SS_PAD1SIZE + _SS_ALIGNSIZE))
+
+struct sockaddr_storage {
+    unsigned char	ss_len;
+    roken_sa_family_t	ss_family;
+    char		__ss_pad1[_SS_PAD1SIZE];
+    unsigned long	__ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1];
+};
+
+#else /* !HAVE_STRUCT_SOCKADDR_SA_LEN */
+
+typedef unsigned short roken_sa_family_t;
+
+#define _SS_PAD1SIZE   ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t)) % _SS_ALIGNSIZE)
+#define _SS_PAD2SIZE   (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + _SS_PAD1SIZE + _SS_ALIGNSIZE))
+
+struct sockaddr_storage {
+    roken_sa_family_t	ss_family;
+    char		__ss_pad1[_SS_PAD1SIZE];
+    unsigned long	__ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1];
+};
+
+#endif /* HAVE_STRUCT_SOCKADDR_SA_LEN */
+
+#endif /* HAVE_STRUCT_SOCKADDR_STORAGE */
+
+#ifndef HAVE_STRUCT_ADDRINFO
+struct addrinfo {
+    int    ai_flags;
+    int    ai_family;
+    int    ai_socktype;
+    int    ai_protocol;
+    size_t ai_addrlen;
+    char  *ai_canonname;
+    struct sockaddr *ai_addr;
+    struct addrinfo *ai_next;
+};
+#endif
+
+#ifndef HAVE_GETADDRINFO
+int
+getaddrinfo(const char *nodename,
+	    const char *servname,
+	    const struct addrinfo *hints,
+	    struct addrinfo **res);
+#endif
+
+#ifndef HAVE_GETNAMEINFO
+int getnameinfo(const struct sockaddr *sa, socklen_t salen,
+		char *host, size_t hostlen,
+		char *serv, size_t servlen,
+		int flags);
+#endif
+
+#ifndef HAVE_FREEADDRINFO
+void
+freeaddrinfo(struct addrinfo *ai);
+#endif
+
+#ifndef HAVE_GAI_STRERROR
+char *
+gai_strerror(int ecode);
+#endif
+
+int
+getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,
+		     char *host, size_t hostlen,
+		     char *serv, size_t servlen,
+		     int flags);
+
+int roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **); 
+int roken_getaddrinfo_hostspec2(const char *, int, int, struct addrinfo **);
+
+#ifndef HAVE_STRFTIME
+size_t
+strftime (char *buf, size_t maxsize, const char *format,
+	  const struct tm *tm);
+#endif
+
+#ifndef HAVE_STRPTIME
+char *
+strptime (const char *buf, const char *format, struct tm *timeptr);
+#endif
+
+/*
+ * kludges and such
+ */
+
+#if 1
+int roken_gethostby_setup(const char*, const char*);
+struct hostent* roken_gethostbyname(const char*);
+struct hostent* roken_gethostbyaddr(const void*, size_t, int);
+#else
+#ifdef GETHOSTBYNAME_PROTO_COMPATIBLE
+#define roken_gethostbyname(x) gethostbyname(x)
+#else
+#define roken_gethostbyname(x) gethostbyname((char *)x)
+#endif
+
+#ifdef GETHOSTBYADDR_PROTO_COMPATIBLE
+#define roken_gethostbyaddr(a, l, t) gethostbyaddr(a, l, t)
+#else
+#define roken_gethostbyaddr(a, l, t) gethostbyaddr((char *)a, l, t)
+#endif
+#endif
+
+#ifdef GETSERVBYNAME_PROTO_COMPATIBLE
+#define roken_getservbyname(x,y) getservbyname(x,y)
+#else
+#define roken_getservbyname(x,y) getservbyname((char *)x, (char *)y)
+#endif
+
+#ifdef OPENLOG_PROTO_COMPATIBLE
+#define roken_openlog(a,b,c) openlog(a,b,c)
+#else
+#define roken_openlog(a,b,c) openlog((char *)a,b,c)
+#endif
+
+#ifdef GETSOCKNAME_PROTO_COMPATIBLE
+#define roken_getsockname(a,b,c) getsockname(a,b,c)
+#else
+#define roken_getsockname(a,b,c) getsockname(a, b, (void*)c)
+#endif
+
+#ifndef HAVE_SETPROGNAME
+void setprogname(const char *argv0);
+#endif
+
+#ifndef HAVE_GETPROGNAME
+const char *getprogname(void);
+#endif
+
+void set_progname(char *argv0);
+const char *get_progname(void);
+
+ROKEN_CPP_END
diff --git a/crypto/heimdal/lib/roken/roken.mak b/crypto/heimdal/lib/roken/roken.mak
new file mode 100644
index 0000000..da9a834
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.mak
@@ -0,0 +1,316 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on roken.dsp
+!IF "$(CFG)" == ""
+CFG=roken - Win32 Release
+!MESSAGE No configuration specified. Defaulting to roken - Win32 Release.
+!ENDIF 
+
+!IF "$(CFG)" != "roken - Win32 Release" && "$(CFG)" != "roken - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line.  For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "roken.mak" CFG="roken - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "roken - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "roken - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "roken - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+# Begin Custom Macros
+OutDir=.\.\Release
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ELSE 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ENDIF 
+
+CLEAN : 
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\concat.obj"
+	-@erase "$(INTDIR)\gettimeofday.obj"
+	-@erase "$(INTDIR)\getuid.obj"
+	-@erase "$(INTDIR)\resolve.obj"
+	-@erase "$(INTDIR)\roken.res"
+	-@erase "$(INTDIR)\snprintf.obj"
+	-@erase "$(INTDIR)\strcasecmp.obj"
+	-@erase "$(INTDIR)\strtok_r.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(OUTDIR)\roken.dll"
+	-@erase "$(OUTDIR)\roken.exp"
+	-@erase "$(OUTDIR)\roken.lib"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /GX /O2 /I "..\krb" /I "..\des" /I "..\..\include" /I\
+ "..\..\include\win32" /I "." /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D\
+ "HAVE_CONFIG_H" /Fp"$(INTDIR)\roken.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\"\
+ /FD /c 
+CPP_OBJS=.\Release/
+CPP_SBRS=.
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\roken.res" /d "NDEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\roken.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib\
+ advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo\
+ /base:"0x68e7780" /subsystem:windows /dll /incremental:no\
+ /pdb:"$(OUTDIR)\roken.pdb" /machine:I386 /def:".\roken.def"\
+ /out:"$(OUTDIR)\roken.dll" /implib:"$(OUTDIR)\roken.lib" 
+DEF_FILE= \
+	".\roken.def"
+LINK32_OBJS= \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\concat.obj" \
+	"$(INTDIR)\gettimeofday.obj" \
+	"$(INTDIR)\getuid.obj" \
+	"$(INTDIR)\resolve.obj" \
+	"$(INTDIR)\roken.res" \
+	"$(INTDIR)\snprintf.obj" \
+	"$(INTDIR)\strcasecmp.obj" \
+	"$(INTDIR)\strtok_r.obj"
+
+"$(OUTDIR)\roken.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "roken - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ELSE 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ENDIF 
+
+CLEAN : 
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\concat.obj"
+	-@erase "$(INTDIR)\gettimeofday.obj"
+	-@erase "$(INTDIR)\getuid.obj"
+	-@erase "$(INTDIR)\resolve.obj"
+	-@erase "$(INTDIR)\roken.res"
+	-@erase "$(INTDIR)\snprintf.obj"
+	-@erase "$(INTDIR)\strcasecmp.obj"
+	-@erase "$(INTDIR)\strtok_r.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(INTDIR)\vc50.pdb"
+	-@erase "$(OUTDIR)\roken.dll"
+	-@erase "$(OUTDIR)\roken.exp"
+	-@erase "$(OUTDIR)\roken.ilk"
+	-@erase "$(OUTDIR)\roken.lib"
+	-@erase "$(OUTDIR)\roken.pdb"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /Gm /GX /Zi /Od /I "..\krb" /I "..\des" /I\
+ "..\..\include" /I "..\..\include\win32" /I "." /D "_DEBUG" /D "WIN32" /D\
+ "_WINDOWS" /D "HAVE_CONFIG_H" /Fp"$(INTDIR)\roken.pch" /YX /Fo"$(INTDIR)\\"\
+ /Fd"$(INTDIR)\\" /FD /c 
+CPP_OBJS=.\Debug/
+CPP_SBRS=.
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\roken.res" /d "_DEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\roken.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib\
+ advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo\
+ /subsystem:windows /dll /incremental:yes /pdb:"$(OUTDIR)\roken.pdb" /debug\
+ /machine:I386 /def:".\roken.def" /out:"$(OUTDIR)\roken.dll"\
+ /implib:"$(OUTDIR)\roken.lib" 
+LINK32_OBJS= \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\concat.obj" \
+	"$(INTDIR)\gettimeofday.obj" \
+	"$(INTDIR)\getuid.obj" \
+	"$(INTDIR)\resolve.obj" \
+	"$(INTDIR)\roken.res" \
+	"$(INTDIR)\snprintf.obj" \
+	"$(INTDIR)\strcasecmp.obj" \
+	"$(INTDIR)\strtok_r.obj"
+
+"$(OUTDIR)\roken.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(CFG)" == "roken - Win32 Release" || "$(CFG)" == "roken - Win32 Debug"
+SOURCE=.\base64.c
+DEP_CPP_BASE6=\
+	"..\..\include\win32\config.h"\
+	".\base64.h"\
+
+
+"$(INTDIR)\base64.obj" : $(SOURCE) $(DEP_CPP_BASE6) "$(INTDIR)"
+
+
+SOURCE=.\concat.c
+DEP_CPP_CONCA=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\concat.obj" : $(SOURCE) $(DEP_CPP_CONCA) "$(INTDIR)"
+
+
+SOURCE=.\gettimeofday.c
+DEP_CPP_GETTI=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\gettimeofday.obj" : $(SOURCE) $(DEP_CPP_GETTI) "$(INTDIR)"
+
+
+SOURCE=.\getuid.c
+DEP_CPP_GETUI=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\getuid.obj" : $(SOURCE) $(DEP_CPP_GETUI) "$(INTDIR)"
+
+
+SOURCE=.\resolve.c
+DEP_CPP_RESOL=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\resolve.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\resolve.obj" : $(SOURCE) $(DEP_CPP_RESOL) "$(INTDIR)"
+
+
+SOURCE=.\snprintf.c
+DEP_CPP_SNPRI=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\snprintf.obj" : $(SOURCE) $(DEP_CPP_SNPRI) "$(INTDIR)"
+
+
+SOURCE=.\strcasecmp.c
+DEP_CPP_STRCA=\
+	"..\..\include\win32\config.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\strcasecmp.obj" : $(SOURCE) $(DEP_CPP_STRCA) "$(INTDIR)"
+
+
+SOURCE=.\strtok_r.c
+DEP_CPP_STRTO=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\strtok_r.obj" : $(SOURCE) $(DEP_CPP_STRTO) "$(INTDIR)"
+
+
+SOURCE=.\roken.rc
+
+"$(INTDIR)\roken.res" : $(SOURCE) "$(INTDIR)"
+	$(RSC) $(RSC_PROJ) $(SOURCE)
+	
+
+
+!ENDIF 
+
diff --git a/crypto/heimdal/lib/roken/roken.rc b/crypto/heimdal/lib/roken/roken.rc
new file mode 100644
index 0000000..e7e2f3e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken.rc
@@ -0,0 +1,105 @@
+//Microsoft Developer Studio generated resource script.
+//
+#include "resource.h"
+
+#define APSTUDIO_READONLY_SYMBOLS
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 2 resource.
+//
+#include "afxres.h"
+
+/////////////////////////////////////////////////////////////////////////////
+#undef APSTUDIO_READONLY_SYMBOLS
+
+/////////////////////////////////////////////////////////////////////////////
+// Swedish resources
+
+#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_SVE)
+#ifdef _WIN32
+LANGUAGE LANG_SWEDISH, SUBLANG_DEFAULT
+#pragma code_page(1252)
+#endif //_WIN32
+
+#ifdef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// TEXTINCLUDE
+//
+
+1 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "resource.h\0"
+END
+
+2 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "#include ""afxres.h""\r\n"
+    "\0"
+END
+
+3 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "\r\n"
+    "\0"
+END
+
+#endif    // APSTUDIO_INVOKED
+
+
+#ifndef _MAC
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION 1,0,0,1
+ PRODUCTVERSION 1,0,0,1
+ FILEFLAGSMASK 0x3fL
+#ifdef _DEBUG
+ FILEFLAGS 0x1L
+#else
+ FILEFLAGS 0x0L
+#endif
+ FILEOS 0x40004L
+ FILETYPE 0x2L
+ FILESUBTYPE 0x0L
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904b0"
+        BEGIN
+            VALUE "CompanyName", "Royal Institute of Technology (KTH)\0"
+            VALUE "FileDescription", "roken\0"
+            VALUE "FileVersion", "4, 0, 9, 9\0"
+            VALUE "InternalName", "roken\0"
+            VALUE "LegalCopyright", "Copyright © 1996 - 1998  Royal Institute of Technology (KTH)\0"
+            VALUE "OriginalFilename", "roken.dll\0"
+            VALUE "ProductName", "KTH Kerberos\0"
+            VALUE "ProductVersion", "4,0,9,9\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
+
+#endif    // !_MAC
+
+#endif    // Swedish resources
+/////////////////////////////////////////////////////////////////////////////
+
+
+
+#ifndef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 3 resource.
+//
+
+
+/////////////////////////////////////////////////////////////////////////////
+#endif    // not APSTUDIO_INVOKED
+
diff --git a/crypto/heimdal/lib/roken/roken_gethostby.c b/crypto/heimdal/lib/roken/roken_gethostby.c
new file mode 100644
index 0000000..6df6c57
--- /dev/null
+++ b/crypto/heimdal/lib/roken/roken_gethostby.c
@@ -0,0 +1,274 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: roken_gethostby.c,v 1.5 1999/12/05 13:16:44 assar Exp $");
+#endif
+
+#include <roken.h>
+
+#undef roken_gethostbyname
+#undef roken_gethostbyaddr
+
+static struct sockaddr_in dns_addr;
+static char *dns_req;
+
+static int
+make_address(const char *address, struct in_addr *ip)
+{
+    if(inet_aton(address, ip) == 0){
+	/* try to resolve as hostname, it might work if the address we
+           are trying to lookup is local, for instance a web proxy */
+	struct hostent *he = gethostbyname(address);
+	if(he) {
+	    unsigned char *p = (unsigned char*)he->h_addr;
+	    ip->s_addr = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+	} else {
+	    return -1;
+	}
+    }
+    return 0;
+}
+
+static int
+setup_int(const char *proxy_host, short proxy_port,
+	  const char *dns_host, short dns_port,
+	  const char *dns_path)
+{
+    memset(&dns_addr, 0, sizeof(dns_addr));
+    if(dns_req)
+	free(dns_req);
+    if(proxy_host) {
+	if(make_address(proxy_host, &dns_addr.sin_addr) != 0)
+	    return -1;
+	dns_addr.sin_port = htons(proxy_port);
+	asprintf(&dns_req, "http://%s:%d%s", dns_host, dns_port, dns_path);
+    } else {
+	if(make_address(dns_host, &dns_addr.sin_addr) != 0)
+	    return -1;
+	dns_addr.sin_port = htons(dns_port);
+	asprintf(&dns_req, "%s", dns_path);
+    }
+    dns_addr.sin_family = AF_INET;
+    return 0;
+}
+
+static void
+split_spec(const char *spec, char **host, int *port, char **path, int def_port)
+{
+    char *p;
+    *host = strdup(spec);
+    p = strchr(*host, ':');
+    if(p) {
+	*p++ = '\0';
+	if(sscanf(p, "%d", port) != 1)
+	    *port = def_port;
+    } else
+	*port = def_port;
+    p = strchr(p ? p : *host, '/');
+    if(p) {
+	if(path) 
+	    *path = strdup(p);
+	*p = '\0';
+    }else
+	if(path) 
+	    *path = NULL;
+}
+
+
+int
+roken_gethostby_setup(const char *proxy_spec, const char *dns_spec)
+{
+    char *proxy_host = NULL;
+    int proxy_port;
+    char *dns_host, *dns_path;
+    int dns_port;
+    
+    int ret = -1;
+    
+    split_spec(dns_spec, &dns_host, &dns_port, &dns_path, 80);
+    if(dns_path == NULL)
+	goto out;
+    if(proxy_spec)
+	split_spec(proxy_spec, &proxy_host, &proxy_port, NULL, 80);
+    ret = setup_int(proxy_host, proxy_port, dns_host, dns_port, dns_path);
+out:
+    free(proxy_host);
+    free(dns_host);
+    free(dns_path);
+    return ret;
+}
+    
+
+/* Try to lookup a name or an ip-address using http as transport
+   mechanism. See the end of this file for an example program. */
+static struct hostent*
+roken_gethostby(const char *hostname)
+{
+    int s;
+    struct sockaddr_in sin;
+    char *request;
+    char buf[1024];
+    int offset = 0;
+    int n;
+    char *p, *foo;
+    
+    if(dns_addr.sin_family == 0)
+	return NULL; /* no configured host */
+    sin = dns_addr;
+    asprintf(&request, "GET %s?%s HTTP/1.0\r\n\r\n", dns_req, hostname);
+    if(request == NULL)
+	return NULL;
+    s  = socket(AF_INET, SOCK_STREAM, 0);
+    if(s < 0) {
+	free(request);
+	return NULL;
+    }
+    if(connect(s, (struct sockaddr*)&sin, sizeof(sin)) < 0) {
+	close(s);
+	free(request);
+	return NULL;
+    }
+    if(write(s, request, strlen(request)) != strlen(request)) {
+	close(s);
+	free(request);
+	return NULL;
+    }
+    free(request);
+    while(1) {
+	n = read(s, buf + offset, sizeof(buf) - offset);
+	if(n <= 0)
+	    break;
+	offset += n;
+    }
+    buf[offset] = '\0';
+    close(s);
+    p = strstr(buf, "\r\n\r\n"); /* find end of header */
+    if(p) p += 4;
+    else return NULL;
+    foo = NULL;
+    p = strtok_r(p, " \t\r\n", &foo);
+    if(p == NULL)
+	return NULL;
+    {
+	/* make a hostent to return */
+#define MAX_ADDRS 16
+	static struct hostent he;
+	static char addrs[4 * MAX_ADDRS];
+	static char *addr_list[MAX_ADDRS];
+	int num_addrs = 0;
+	
+	he.h_name = p;
+	he.h_aliases = NULL;
+	he.h_addrtype = AF_INET;
+	he.h_length = 4;
+	
+	while((p = strtok_r(NULL, " \t\r\n", &foo)) && num_addrs < MAX_ADDRS) {
+	    struct in_addr ip;
+	    inet_aton(p, &ip);
+	    ip.s_addr = ntohl(ip.s_addr);
+	    addr_list[num_addrs] = &addrs[num_addrs * 4];
+	    addrs[num_addrs * 4 + 0] = (ip.s_addr >> 24) & 0xff;
+	    addrs[num_addrs * 4 + 1] = (ip.s_addr >> 16) & 0xff;
+	    addrs[num_addrs * 4 + 2] = (ip.s_addr >> 8) & 0xff;
+	    addrs[num_addrs * 4 + 3] = (ip.s_addr >> 0) & 0xff;
+	    addr_list[++num_addrs] = NULL;
+	}
+	he.h_addr_list = addr_list;
+	return &he;
+    }
+}
+
+struct hostent*
+roken_gethostbyname(const char *hostname)
+{
+    struct hostent *he;
+    he = gethostbyname(hostname);
+    if(he)
+	return he;
+    return roken_gethostby(hostname);
+}
+
+struct hostent*
+roken_gethostbyaddr(const void *addr, size_t len, int type)
+{
+    struct in_addr a;
+    const char *p;
+    struct hostent *he;
+    he = gethostbyaddr(addr, len, type);
+    if(he)
+	return he;
+    if(type != AF_INET || len != 4)
+	return NULL;
+    p = addr;
+    a.s_addr = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+    return roken_gethostby(inet_ntoa(a));
+}
+
+#if 0
+
+/* this program can be used as a cgi `script' to lookup names and
+   ip-addresses */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <sys/param.h>
+
+int
+main(int argc, char **argv)
+{
+    char *query = getenv("QUERY_STRING");
+    char host[MAXHOSTNAMELEN];
+    int i;
+    struct hostent *he;
+    
+    printf("Content-type: text/plain\n\n");
+    if(query == NULL)
+	exit(0);
+    he = gethostbyname(query);
+    strncpy(host, he->h_name, sizeof(host));
+    host[sizeof(host) - 1] = '\0';
+    he = gethostbyaddr(he->h_addr, he->h_length, AF_INET);
+    printf("%s\n", he->h_name);
+    for(i = 0; he->h_addr_list[i]; i++) {
+	struct in_addr ip;
+	unsigned char *p = (unsigned char*)he->h_addr_list[i];
+	ip.s_addr = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+	printf("%s\n", inet_ntoa(ip));
+    }
+    exit(0);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/rtbl.c b/crypto/heimdal/lib/roken/rtbl.c
new file mode 100644
index 0000000..098b601
--- /dev/null
+++ b/crypto/heimdal/lib/roken/rtbl.c
@@ -0,0 +1,278 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID ("$Id: rtbl.c,v 1.3 2000/07/20 14:42:31 assar Exp $");
+#endif
+#include "roken.h"
+#include "rtbl.h"
+
+struct column_entry {
+    char *data;
+};
+
+struct column_data {
+    char *header;
+    char *prefix;
+    int width;
+    unsigned flags;
+    size_t num_rows;
+    struct column_entry *rows;
+};
+
+struct rtbl_data {
+    char *column_prefix;
+    size_t num_columns;
+    struct column_data **columns;
+};
+
+rtbl_t
+rtbl_create (void)
+{
+    return calloc (1, sizeof (struct rtbl_data));
+}
+
+static struct column_data *
+rtbl_get_column (rtbl_t table, const char *column)
+{
+    int i;
+    for(i = 0; i < table->num_columns; i++)
+	if(strcmp(table->columns[i]->header, column) == 0)
+	    return table->columns[i];
+    return NULL;
+}
+
+void
+rtbl_destroy (rtbl_t table)
+{
+    int i, j;
+
+    for (i = 0; i < table->num_columns; i++) {
+	struct column_data *c = table->columns[i];
+
+	for (j = 0; j < c->num_rows; j++)
+	    free (c->rows[j].data);
+	free (c->header);
+	free (c->prefix);
+	free (c);
+    }
+    free (table->column_prefix);
+    free (table->columns);
+}
+
+int
+rtbl_add_column (rtbl_t table, const char *header, unsigned int flags)
+{
+    struct column_data *col, **tmp;
+
+    tmp = realloc (table->columns, (table->num_columns + 1) * sizeof (*tmp));
+    if (tmp == NULL)
+	return ENOMEM;
+    table->columns = tmp;
+    col = malloc (sizeof (*col));
+    if (col == NULL)
+	return ENOMEM;
+    col->header = strdup (header);
+    if (col->header == NULL) {
+	free (col);
+	return ENOMEM;
+    }
+    col->prefix   = NULL;
+    col->width    = 0;
+    col->flags    = flags;
+    col->num_rows = 0;
+    col->rows     = NULL;
+    table->columns[table->num_columns++] = col;
+    return 0;
+}
+
+static void
+column_compute_width (struct column_data *column)
+{
+    int i;
+
+    column->width = strlen (column->header);
+    for (i = 0; i < column->num_rows; i++)
+	column->width = max (column->width, strlen (column->rows[i].data));
+}
+
+int
+rtbl_set_prefix (rtbl_t table, const char *prefix)
+{
+    if (table->column_prefix)
+	free (table->column_prefix);
+    table->column_prefix = strdup (prefix);
+    if (table->column_prefix == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+int
+rtbl_set_column_prefix (rtbl_t table, const char *column,
+			const char *prefix)
+{
+    struct column_data *c = rtbl_get_column (table, column);
+
+    if (c == NULL)
+	return -1;
+    if (c->prefix)
+	free (c->prefix);
+    c->prefix = strdup (prefix);
+    if (c->prefix == NULL)
+	return ENOMEM;
+    return 0;
+}
+
+
+static const char *
+get_column_prefix (rtbl_t table, struct column_data *c)
+{
+    if (c == NULL)
+	return "";
+    if (c->prefix)
+	return c->prefix;
+    if (table->column_prefix)
+	return table->column_prefix;
+    return "";
+}
+
+int
+rtbl_add_column_entry (rtbl_t table, const char *column, const char *data)
+{
+    struct column_entry row, *tmp;
+
+    struct column_data *c = rtbl_get_column (table, column);
+
+    if (c == NULL)
+	return -1;
+
+    row.data = strdup (data);
+    if (row.data == NULL)
+	return ENOMEM;
+    tmp = realloc (c->rows, (c->num_rows + 1) * sizeof (*tmp));
+    if (tmp == NULL) {
+	free (row.data);
+	return ENOMEM;
+    }
+    c->rows = tmp;
+    c->rows[c->num_rows++] = row;
+    return 0;
+}
+
+int
+rtbl_format (rtbl_t table, FILE * f)
+{
+    int i, j;
+
+    for (i = 0; i < table->num_columns; i++)
+	column_compute_width (table->columns[i]);
+    for (i = 0; i < table->num_columns; i++) {
+	struct column_data *c = table->columns[i];
+
+	fprintf (f, "%s", get_column_prefix (table, c));
+	fprintf (f, "%-*s", (int)c->width, c->header);
+    }
+    fprintf (f, "\n");
+
+    for (j = 0;; j++) {
+	int flag = 0;
+
+	for (i = 0; flag == 0 && i < table->num_columns; ++i) {
+	    struct column_data *c = table->columns[i];
+
+	    if (c->num_rows > j) {
+		++flag;
+		break;
+	    }
+	}
+	if (flag == 0)
+	    break;
+
+	for (i = 0; i < table->num_columns; i++) {
+	    int w;
+	    struct column_data *c = table->columns[i];
+
+	    w = c->width;
+
+	    if ((c->flags & RTBL_ALIGN_RIGHT) == 0)
+		w = -w;
+	    fprintf (f, "%s", get_column_prefix (table, c));
+	    if (c->num_rows <= j)
+		fprintf (f, "%*s", w, "");
+	    else
+		fprintf (f, "%*s", w, c->rows[j].data);
+	}
+	fprintf (f, "\n");
+    }
+    return 0;
+}
+
+#ifdef TEST
+int
+main (int argc, char **argv)
+{
+    rtbl_t table;
+    unsigned int a, b, c, d;
+
+    table = rtbl_create ();
+    rtbl_add_column (table, "Issued", 0, &a);
+    rtbl_add_column (table, "Expires", 0, &b);
+    rtbl_add_column (table, "Foo", RTBL_ALIGN_RIGHT, &d);
+    rtbl_add_column (table, "Principal", 0, &c);
+
+    rtbl_add_column_entry (table, a, "Jul  7 21:19:29");
+    rtbl_add_column_entry (table, b, "Jul  8 07:19:29");
+    rtbl_add_column_entry (table, d, "73");
+    rtbl_add_column_entry (table, d, "0");
+    rtbl_add_column_entry (table, d, "-2000");
+    rtbl_add_column_entry (table, c, "krbtgt/NADA.KTH.SE@NADA.KTH.SE");
+
+    rtbl_add_column_entry (table, a, "Jul  7 21:19:29");
+    rtbl_add_column_entry (table, b, "Jul  8 07:19:29");
+    rtbl_add_column_entry (table, c, "afs/pdc.kth.se@NADA.KTH.SE");
+
+    rtbl_add_column_entry (table, a, "Jul  7 21:19:29");
+    rtbl_add_column_entry (table, b, "Jul  8 07:19:29");
+    rtbl_add_column_entry (table, c, "afs@NADA.KTH.SE");
+
+    rtbl_set_prefix (table, "  ");
+    rtbl_set_column_prefix (table, a, "");
+
+    rtbl_format (table, stdout);
+
+    rtbl_destroy (table);
+
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/rtbl.h b/crypto/heimdal/lib/roken/rtbl.h
new file mode 100644
index 0000000..16496a7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/rtbl.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef __rtbl_h__
+#define __rtbl_h__
+
+struct rtbl_data;
+typedef struct rtbl_data *rtbl_t;
+
+#define RTBL_ALIGN_LEFT		0
+#define RTBL_ALIGN_RIGHT	1
+
+rtbl_t rtbl_create (void);
+
+void rtbl_destroy (rtbl_t);
+
+int rtbl_set_prefix (rtbl_t, const char*);
+
+int rtbl_set_column_prefix (rtbl_t, const char*, const char*);
+
+int rtbl_add_column (rtbl_t, const char*, unsigned int);
+
+int rtbl_add_column_entry (rtbl_t, const char*, const char*);
+
+int rtbl_format (rtbl_t, FILE*);
+
+#endif /* __rtbl_h__ */
diff --git a/crypto/heimdal/lib/roken/sendmsg.c b/crypto/heimdal/lib/roken/sendmsg.c
new file mode 100644
index 0000000..7075bf2
--- /dev/null
+++ b/crypto/heimdal/lib/roken/sendmsg.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: sendmsg.c,v 1.4 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+sendmsg(int s, const struct msghdr *msg, int flags)
+{
+    ssize_t ret;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+    struct iovec *iov = msg->msg_iov;
+
+    for(i = 0; i < msg->msg_iovlen; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    p = buf;
+    for (i = 0; i < msg->msg_iovlen; ++i) {
+	memcpy (p, iov[i].iov_base, iov[i].iov_len);
+	p += iov[i].iov_len;
+    }
+    ret = sendto (s, buf, tot, flags, msg->msg_name, msg->msg_namelen);
+    free (buf);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/setegid.c b/crypto/heimdal/lib/roken/setegid.c
new file mode 100644
index 0000000..2f46fe4
--- /dev/null
+++ b/crypto/heimdal/lib/roken/setegid.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: setegid.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "roken.h"
+
+int
+setegid(gid_t egid)
+{
+#ifdef HAVE_SETREGID
+    return setregid(-1, egid);
+#endif
+
+#ifdef HAVE_SETRESGID
+    return setresgid(-1, egid, -1);
+#endif
+
+    return -1;
+}
diff --git a/crypto/heimdal/lib/roken/setenv.c b/crypto/heimdal/lib/roken/setenv.c
new file mode 100644
index 0000000..15b5811
--- /dev/null
+++ b/crypto/heimdal/lib/roken/setenv.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: setenv.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+/*
+ * This is the easy way out, use putenv to implement setenv. We might
+ * leak some memory but that is ok since we are usally about to exec
+ * anyway.
+ */
+
+int
+setenv(const char *var, const char *val, int rewrite)
+{
+    char *t;
+
+    if (!rewrite && getenv(var) != 0)
+	return 0;
+  
+    asprintf (&t, "%s=%s", var, val);
+    if (t == NULL)
+	return -1;
+
+    if (putenv(t) == 0)
+	return 0;
+    else
+	return -1;
+}
diff --git a/crypto/heimdal/lib/roken/seteuid.c b/crypto/heimdal/lib/roken/seteuid.c
new file mode 100644
index 0000000..ee68ba7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/seteuid.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: seteuid.c,v 1.10 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "roken.h"
+
+int
+seteuid(uid_t euid)
+{
+#ifdef HAVE_SETREUID
+    return setreuid(-1, euid);
+#endif
+
+#ifdef HAVE_SETRESUID
+    return setresuid(-1, euid, -1);
+#endif
+
+    return -1;
+}
diff --git a/crypto/heimdal/lib/roken/signal.c b/crypto/heimdal/lib/roken/signal.c
new file mode 100644
index 0000000..1d482a0
--- /dev/null
+++ b/crypto/heimdal/lib/roken/signal.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: signal.c,v 1.12 2000/07/08 12:39:06 assar Exp $");
+#endif
+
+#include <signal.h>
+#include "roken.h"
+
+/*
+ * We would like to always use this signal but there is a link error
+ * on NEXTSTEP
+ */
+#if !defined(NeXT) && !defined(__APPLE__)
+/*
+ * Bugs:
+ *
+ * Do we need any extra hacks for SIGCLD and/or SIGCHLD?
+ */
+
+SigAction
+signal(int iSig, SigAction pAction)
+{
+    struct sigaction saNew, saOld;
+
+    saNew.sa_handler = pAction;
+    sigemptyset(&saNew.sa_mask);
+    saNew.sa_flags = 0;
+
+    if (iSig == SIGALRM)
+	{
+#ifdef SA_INTERRUPT
+	    saNew.sa_flags |= SA_INTERRUPT;
+#endif
+	}
+    else
+	{
+#ifdef SA_RESTART
+	    saNew.sa_flags |= SA_RESTART;
+#endif
+	}
+
+    if (sigaction(iSig, &saNew, &saOld) < 0)
+	return(SIG_ERR);
+
+    return(saOld.sa_handler);
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/simple_exec.c b/crypto/heimdal/lib/roken/simple_exec.c
new file mode 100644
index 0000000..c7e22d9
--- /dev/null
+++ b/crypto/heimdal/lib/roken/simple_exec.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: simple_exec.c,v 1.8 2000/11/05 16:41:06 joda Exp $");
+#endif
+
+#include <stdarg.h>
+#include <stdlib.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include <errno.h>
+
+#include <roken.h>
+
+#define EX_NOEXEC	126
+#define EX_NOTFOUND	127
+
+/* return values:
+   -1   on `unspecified' system errors
+   -2   on fork failures
+   -3   on waitpid errors
+   0-   is return value from subprocess
+   126  if the program couldn't be executed
+   127  if the program couldn't be found
+   128- is 128 + signal that killed subprocess
+   */
+
+static int
+check_status(pid_t pid)
+{
+    while(1) {
+	int status;
+
+	while(waitpid(pid, &status, 0) < 0)
+	    if (errno != EINTR)
+		return -3;
+	if(WIFSTOPPED(status))
+	    continue;
+	if(WIFEXITED(status))
+	    return WEXITSTATUS(status);
+	if(WIFSIGNALED(status))
+	    return WTERMSIG(status) + 128;
+    }
+}
+
+int
+simple_execvp(const char *file, char *const args[])
+{
+    pid_t pid = fork();
+    switch(pid){
+    case -1:
+	return -2;
+    case 0:
+	execvp(file, args);
+	exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
+    default: 
+	return check_status(pid);
+    }
+}
+
+/* gee, I'd like a execvpe */
+int
+simple_execve(const char *file, char *const args[], char *const envp[])
+{
+    pid_t pid = fork();
+    switch(pid){
+    case -1:
+	return -2;
+    case 0:
+	execve(file, args, envp);
+	exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
+    default: 
+	return check_status(pid);
+    }
+}
+
+int
+simple_execlp(const char *file, ...)
+{
+    va_list ap;
+    char **argv;
+    int ret;
+
+    va_start(ap, file);
+    argv = vstrcollect(&ap);
+    va_end(ap);
+    if(argv == NULL)
+	return -1;
+    ret = simple_execvp(file, argv);
+    free(argv);
+    return ret;
+}
+
+int
+simple_execle(const char *file, ... /* ,char *const envp[] */)
+{
+    va_list ap;
+    char **argv;
+    char *const* envp;
+    int ret;
+
+    va_start(ap, file);
+    argv = vstrcollect(&ap);
+    envp = va_arg(ap, char **);
+    va_end(ap);
+    if(argv == NULL)
+	return -1;
+    ret = simple_execve(file, argv, envp);
+    free(argv);
+    return ret;
+}
+
+int
+simple_execl(const char *file, ...) 
+{
+    va_list ap;
+    char **argv;
+    int ret;
+
+    va_start(ap, file);
+    argv = vstrcollect(&ap);
+    va_end(ap);
+    if(argv == NULL)
+	return -1;
+    ret = simple_execve(file, argv, environ);
+    free(argv);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/snprintf.c b/crypto/heimdal/lib/roken/snprintf.c
new file mode 100644
index 0000000..205dc58
--- /dev/null
+++ b/crypto/heimdal/lib/roken/snprintf.c
@@ -0,0 +1,622 @@
+/*
+ * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: snprintf.c,v 1.28 2000/12/15 14:04:42 joda Exp $");
+#endif
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <roken.h>
+
+enum format_flags {
+    minus_flag     =  1,
+    plus_flag      =  2,
+    space_flag     =  4,
+    alternate_flag =  8,
+    zero_flag      = 16
+};
+
+/*
+ * Common state
+ */
+
+struct state {
+  unsigned char *str;
+  unsigned char *s;
+  unsigned char *theend;
+  size_t sz;
+  size_t max_sz;
+  int (*append_char)(struct state *, unsigned char);
+  int (*reserve)(struct state *, size_t);
+  /* XXX - methods */
+};
+
+#ifndef HAVE_VSNPRINTF
+static int
+sn_reserve (struct state *state, size_t n)
+{
+  return state->s + n > state->theend;
+}
+
+static int
+sn_append_char (struct state *state, unsigned char c)
+{
+  if (sn_reserve (state, 1)) {
+    return 1;
+  } else {
+    *state->s++ = c;
+    return 0;
+  }
+}
+#endif
+
+static int
+as_reserve (struct state *state, size_t n)
+{
+  if (state->s + n > state->theend) {
+    int off = state->s - state->str;
+    unsigned char *tmp;
+
+    if (state->max_sz && state->sz >= state->max_sz)
+      return 1;
+
+    state->sz = max(state->sz * 2, state->sz + n);
+    if (state->max_sz)
+      state->sz = min(state->sz, state->max_sz);
+    tmp = realloc (state->str, state->sz);
+    if (tmp == NULL)
+      return 1;
+    state->str = tmp;
+    state->s = state->str + off;
+    state->theend = state->str + state->sz - 1;
+  }
+  return 0;
+}
+
+static int
+as_append_char (struct state *state, unsigned char c)
+{
+  if(as_reserve (state, 1))
+    return 1;
+  else {
+    *state->s++ = c;
+    return 0;
+  }
+}
+
+static int
+append_number(struct state *state,
+	      unsigned long num, unsigned base, char *rep,
+	      int width, int prec, int flags, int minusp)
+{
+  int len = 0;
+  int i;
+
+  /* given precision, ignore zero flag */
+  if(prec != -1)
+    flags &= ~zero_flag;
+  else
+    prec = 1;
+  /* zero value with zero precision -> "" */
+  if(prec == 0 && num == 0)
+    return 0;
+  do{
+    if((*state->append_char)(state, rep[num % base]))
+      return 1;
+    len++;
+    num /= base;
+  }while(num);
+  prec -= len;
+  /* pad with prec zeros */
+  while(prec-- > 0){
+    if((*state->append_char)(state, '0'))
+      return 1;
+    len++;
+  }
+  /* add length of alternate prefix (added later) to len */
+  if(flags & alternate_flag && (base == 16 || base == 8))
+    len += base / 8;
+  /* pad with zeros */
+  if(flags & zero_flag){
+    width -= len;
+    if(minusp || (flags & space_flag) || (flags & plus_flag))
+      width--;
+    while(width-- > 0){
+      if((*state->append_char)(state, '0'))
+	return 1;
+      len++;
+    }
+  }
+  /* add alternate prefix */
+  if(flags & alternate_flag && (base == 16 || base == 8)){
+    if(base == 16)
+      if((*state->append_char)(state, rep[10] + 23)) /* XXX */
+	return 1;
+    if((*state->append_char)(state, '0'))
+      return 1;
+  }
+  /* add sign */
+  if(minusp){
+    if((*state->append_char)(state, '-'))
+      return 1;
+    len++;
+  } else if(flags & plus_flag) {
+    if((*state->append_char)(state, '+'))
+      return 1;
+    len++;
+  } else if(flags & space_flag) {
+    if((*state->append_char)(state, ' '))
+      return 1;
+    len++;
+  }
+  if(flags & minus_flag)
+    /* swap before padding with spaces */
+    for(i = 0; i < len / 2; i++){
+      char c = state->s[-i-1];
+      state->s[-i-1] = state->s[-len+i];
+      state->s[-len+i] = c;
+    }
+  width -= len;
+  while(width-- > 0){
+    if((*state->append_char)(state,  ' '))
+      return 1;
+    len++;
+  }
+  if(!(flags & minus_flag))
+    /* swap after padding with spaces */
+    for(i = 0; i < len / 2; i++){
+      char c = state->s[-i-1];
+      state->s[-i-1] = state->s[-len+i];
+      state->s[-len+i] = c;
+    }
+    
+  return 0;
+}
+
+static int
+append_string (struct state *state,
+	       unsigned char *arg,
+	       int width,
+	       int prec,
+	       int flags)
+{
+    if(arg == NULL)
+	arg = (unsigned char*)"(null)";
+
+    if(prec != -1)
+	width -= prec;
+    else
+	width -= strlen((char *)arg);
+    if(!(flags & minus_flag))
+	while(width-- > 0)
+	    if((*state->append_char) (state, ' '))
+		return 1;
+    if (prec != -1) {
+	while (*arg && prec--)
+	    if ((*state->append_char) (state, *arg++))
+		return 1;
+    } else {
+	while (*arg)
+	    if ((*state->append_char) (state, *arg++))
+		return 1;
+    }
+    if(flags & minus_flag)
+	while(width-- > 0)
+	    if((*state->append_char) (state, ' '))
+		return 1;
+    return 0;
+}
+
+static int
+append_char(struct state *state,
+	    unsigned char arg,
+	    int width,
+	    int flags)
+{
+  while(!(flags & minus_flag) && --width > 0)
+    if((*state->append_char) (state, ' '))
+      return 1;
+    
+  if((*state->append_char) (state, arg))
+    return 1;
+  while((flags & minus_flag) && --width > 0)
+    if((*state->append_char) (state, ' '))
+      return 1;
+    
+  return 0;
+}
+
+/*
+ * This can't be made into a function...
+ */
+
+#define PARSE_INT_FORMAT(res, arg, unsig) \
+if (long_flag) \
+     res = (unsig long)va_arg(arg, unsig long); \
+else if (short_flag) \
+     res = (unsig short)va_arg(arg, unsig int); \
+else \
+     res = (unsig int)va_arg(arg, unsig int)
+
+/*
+ * zyxprintf - return 0 or -1
+ */
+
+static int
+xyzprintf (struct state *state, const char *char_format, va_list ap)
+{
+  const unsigned char *format = (const unsigned char *)char_format;
+  unsigned char c;
+
+  while((c = *format++)) {
+    if (c == '%') {
+      int flags      = 0;
+      int width      = 0;
+      int prec       = -1;
+      int long_flag  = 0;
+      int short_flag = 0;
+
+      /* flags */
+      while((c = *format++)){
+	if(c == '-')
+	  flags |= minus_flag;
+	else if(c == '+')
+	  flags |= plus_flag;
+	else if(c == ' ')
+	  flags |= space_flag;
+	else if(c == '#')
+	  flags |= alternate_flag;
+	else if(c == '0')
+	  flags |= zero_flag;
+	else
+	  break;
+      }
+      
+      if((flags & space_flag) && (flags & plus_flag))
+	flags ^= space_flag;
+
+      if((flags & minus_flag) && (flags & zero_flag))
+	flags ^= zero_flag;
+
+      /* width */
+      if (isdigit(c))
+	do {
+	  width = width * 10 + c - '0';
+	  c = *format++;
+	} while(isdigit(c));
+      else if(c == '*') {
+	width = va_arg(ap, int);
+	c = *format++;
+      }
+
+      /* precision */
+      if (c == '.') {
+	prec = 0;
+	c = *format++;
+	if (isdigit(c))
+	  do {
+	    prec = prec * 10 + c - '0';
+	    c = *format++;
+	  } while(isdigit(c));
+	else if (c == '*') {
+	  prec = va_arg(ap, int);
+	  c = *format++;
+	}
+      }
+
+      /* size */
+
+      if (c == 'h') {
+	short_flag = 1;
+	c = *format++;
+      } else if (c == 'l') {
+	long_flag = 1;
+	c = *format++;
+      }
+
+      switch (c) {
+      case 'c' :
+	if(append_char(state, va_arg(ap, int), width, flags))
+	  return -1;
+	break;
+      case 's' :
+	if (append_string(state,
+			  va_arg(ap, unsigned char*),
+			  width,
+			  prec, 
+			  flags))
+	  return -1;
+	break;
+      case 'd' :
+      case 'i' : {
+	long arg;
+	unsigned long num;
+	int minusp = 0;
+
+	PARSE_INT_FORMAT(arg, ap, signed);
+
+	if (arg < 0) {
+	  minusp = 1;
+	  num = -arg;
+	} else
+	  num = arg;
+
+	if (append_number (state, num, 10, "0123456789",
+			   width, prec, flags, minusp))
+	  return -1;
+	break;
+      }
+      case 'u' : {
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 10, "0123456789",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'o' : {
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 010, "01234567",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'x' : {
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 0x10, "0123456789abcdef",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'X' :{
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 0x10, "0123456789ABCDEF",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'p' : {
+	unsigned long arg = (unsigned long)va_arg(ap, void*);
+
+	if (append_number (state, arg, 0x10, "0123456789ABCDEF",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'n' : {
+	int *arg = va_arg(ap, int*);
+	*arg = state->s - state->str;
+	break;
+      }
+      case '\0' :
+	  --format;
+	  /* FALLTHROUGH */
+      case '%' :
+	if ((*state->append_char)(state, c))
+	  return -1;
+	break;
+      default :
+	if (   (*state->append_char)(state, '%')
+	    || (*state->append_char)(state, c))
+	  return -1;
+	break;
+      }
+    } else
+      if ((*state->append_char) (state, c))
+	return -1;
+  }
+  return 0;
+}
+
+#ifndef HAVE_SNPRINTF
+int
+snprintf (char *str, size_t sz, const char *format, ...)
+{
+  va_list args;
+  int ret;
+
+  va_start(args, format);
+  ret = vsnprintf (str, sz, format, args);
+
+#ifdef PARANOIA
+  {
+    int ret2;
+    char *tmp;
+
+    tmp = malloc (sz);
+    if (tmp == NULL)
+      abort ();
+
+    ret2 = vsprintf (tmp, format, args);
+    if (ret != ret2 || strcmp(str, tmp))
+      abort ();
+    free (tmp);
+  }
+#endif
+
+  va_end(args);
+  return ret;
+}
+#endif
+
+#ifndef HAVE_ASPRINTF
+int
+asprintf (char **ret, const char *format, ...)
+{
+  va_list args;
+  int val;
+
+  va_start(args, format);
+  val = vasprintf (ret, format, args);
+
+#ifdef PARANOIA
+  {
+    int ret2;
+    char *tmp;
+    tmp = malloc (val + 1);
+    if (tmp == NULL)
+      abort ();
+
+    ret2 = vsprintf (tmp, format, args);
+    if (val != ret2 || strcmp(*ret, tmp))
+      abort ();
+    free (tmp);
+  }
+#endif
+
+  va_end(args);
+  return val;
+}
+#endif
+
+#ifndef HAVE_ASNPRINTF
+int
+asnprintf (char **ret, size_t max_sz, const char *format, ...)
+{
+  va_list args;
+  int val;
+
+  va_start(args, format);
+  val = vasnprintf (ret, max_sz, format, args);
+
+#ifdef PARANOIA
+  {
+    int ret2;
+    char *tmp;
+    tmp = malloc (val + 1);
+    if (tmp == NULL)
+      abort ();
+
+    ret2 = vsprintf (tmp, format, args);
+    if (val != ret2 || strcmp(*ret, tmp))
+      abort ();
+    free (tmp);
+  }
+#endif
+
+  va_end(args);
+  return val;
+}
+#endif
+
+#ifndef HAVE_VASPRINTF
+int
+vasprintf (char **ret, const char *format, va_list args)
+{
+  return vasnprintf (ret, 0, format, args);
+}
+#endif
+
+
+#ifndef HAVE_VASNPRINTF
+int
+vasnprintf (char **ret, size_t max_sz, const char *format, va_list args)
+{
+  int st;
+  size_t len;
+  struct state state;
+
+  state.max_sz = max_sz;
+  state.sz     = 1;
+  state.str    = malloc(state.sz);
+  if (state.str == NULL) {
+    *ret = NULL;
+    return -1;
+  }
+  state.s = state.str;
+  state.theend = state.s + state.sz - 1;
+  state.append_char = as_append_char;
+  state.reserve     = as_reserve;
+
+  st = xyzprintf (&state, format, args);
+  if (st) {
+    free (state.str);
+    *ret = NULL;
+    return -1;
+  } else {
+    char *tmp;
+
+    *state.s = '\0';
+    len = state.s - state.str;
+    tmp = realloc (state.str, len+1);
+    if (tmp == NULL) {
+      free (state.str);
+      *ret = NULL;
+      return -1;
+    }
+    *ret = tmp;
+    return len;
+  }
+}
+#endif
+
+#ifndef HAVE_VSNPRINTF
+int
+vsnprintf (char *str, size_t sz, const char *format, va_list args)
+{
+  struct state state;
+  int ret;
+  unsigned char *ustr = (unsigned char *)str;
+
+  state.max_sz = 0;
+  state.sz     = sz;
+  state.str    = ustr;
+  state.s      = ustr;
+  state.theend = ustr + sz - 1;
+  state.append_char = sn_append_char;
+  state.reserve     = sn_reserve;
+
+  ret = xyzprintf (&state, format, args);
+  *state.s = '\0';
+  if (ret)
+    return sz;
+  else
+    return state.s - state.str;
+}
+#endif
+
diff --git a/crypto/heimdal/lib/roken/socket.c b/crypto/heimdal/lib/roken/socket.c
new file mode 100644
index 0000000..d8463d5
--- /dev/null
+++ b/crypto/heimdal/lib/roken/socket.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: socket.c,v 1.5 2000/07/27 04:41:06 assar Exp $");
+#endif
+
+#include <roken.h>
+#include <err.h>
+
+/*
+ * Set `sa' to the unitialized address of address family `af'
+ */
+
+void
+socket_set_any (struct sockaddr *sa, int af)
+{
+    switch (af) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+	memset (sin, 0, sizeof(*sin));
+	sin->sin_family = AF_INET;
+	sin->sin_port   = 0;
+	sin->sin_addr.s_addr = INADDR_ANY;
+	break;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+	memset (sin6, 0, sizeof(*sin6));
+	sin6->sin6_family = AF_INET6;
+	sin6->sin6_port   = 0;
+	sin6->sin6_addr   = in6addr_any;
+	break;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * set `sa' to (`ptr', `port')
+ */
+
+void
+socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+	memset (sin, 0, sizeof(*sin));
+	sin->sin_family = AF_INET;
+	sin->sin_port   = port;
+	memcpy (&sin->sin_addr, ptr, sizeof(struct in_addr));
+	break;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+	memset (sin6, 0, sizeof(*sin6));
+	sin6->sin6_family = AF_INET6;
+	sin6->sin6_port   = port;
+	memcpy (&sin6->sin6_addr, ptr, sizeof(struct in6_addr));
+	break;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the size of an address of the type in `sa'
+ */
+
+size_t
+socket_addr_size (const struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET :
+	return sizeof(struct in_addr);
+#ifdef HAVE_IPV6
+    case AF_INET6 :
+	return sizeof(struct in6_addr);
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the size of a `struct sockaddr' in `sa'.
+ */
+
+size_t
+socket_sockaddr_size (const struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET :
+	return sizeof(struct sockaddr_in);
+#ifdef HAVE_IPV6
+    case AF_INET6 :
+	return sizeof(struct sockaddr_in6);
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the binary address of `sa'.
+ */
+
+void *
+socket_get_address (struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+	return &sin->sin_addr;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+	return &sin6->sin6_addr;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the port number from `sa'.
+ */
+
+int
+socket_get_port (const struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+	return sin->sin_port;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+	return sin6->sin6_port;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Set the port in `sa' to `port'.
+ */
+
+void
+socket_set_port (struct sockaddr *sa, int port)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+	sin->sin_port = port;
+	break;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+	sin6->sin6_port = port;
+	break;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Enable debug on `sock'.
+ */
+
+void
+socket_set_debug (int sock)
+{
+#if defined(SO_DEBUG) && defined(HAVE_SETSOCKOPT)
+    int on = 1;
+
+    if (setsockopt (sock, SOL_SOCKET, SO_DEBUG, (void *) &on, sizeof (on)) < 0)
+	warn ("setsockopt SO_DEBUG (ignored)");
+#endif
+}
+
+/*
+ * Set the type-of-service of `sock' to `tos'.
+ */
+
+void
+socket_set_tos (int sock, int tos)
+{
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+    if (setsockopt (sock, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof (int)) < 0)
+	warn ("setsockopt TOS (ignored)");
+#endif
+}
+
+/*
+ * set the reuse of addresses on `sock' to `val'.
+ */
+
+void
+socket_set_reuseaddr (int sock, int val)
+{
+#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT)
+    if(setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&val,
+		  sizeof(val)) < 0)
+	err (1, "setsockopt SO_REUSEADDR");
+#endif
+}
diff --git a/crypto/heimdal/lib/roken/strcasecmp.c b/crypto/heimdal/lib/roken/strcasecmp.c
new file mode 100644
index 0000000..b5e20e7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strcasecmp.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strcasecmp.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include <string.h>
+#include <ctype.h>
+#include <stddef.h>
+#include "roken.h"
+
+#ifndef HAVE_STRCASECMP
+
+int
+strcasecmp(const char *s1, const char *s2)
+{
+    while(toupper(*s1) == toupper(*s2)) {
+	if(*s1 == '\0')
+	    return 0;
+	s1++;
+	s2++;
+    }
+    return toupper(*s1) - toupper(*s2);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/strcollect.c b/crypto/heimdal/lib/roken/strcollect.c
new file mode 100644
index 0000000..1e82ad0
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strcollect.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strcollect.c,v 1.1 2000/01/09 10:57:43 assar Exp $");
+#endif
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <roken.h>
+
+enum { initial = 10, increment = 5 };
+
+static char **
+sub (char **argv, int i, int argc, va_list *ap)
+{
+    do {
+	if(i == argc) {
+	    /* realloc argv */
+	    char **tmp = realloc(argv, (argc + increment) * sizeof(*argv));
+	    if(tmp == NULL) {
+		free(argv);
+		errno = ENOMEM;
+		return NULL;
+	    }
+	    argv  = tmp;
+	    argc += increment;
+	}
+	argv[i++] = va_arg(*ap, char*);
+    } while(argv[i - 1] != NULL);
+    return argv;
+}
+
+/*
+ * return a malloced vector of pointers to the strings in `ap'
+ * terminated by NULL.
+ */
+
+char **
+vstrcollect(va_list *ap)
+{
+    return sub (NULL, 0, 0, ap);
+}
+
+/*
+ *
+ */
+
+char **
+strcollect(char *first, ...)
+{
+    va_list ap;
+    char **ret = malloc (initial * sizeof(char *));
+
+    if (ret == NULL)
+	return ret;
+
+    ret[0] = first;
+    va_start(ap, first);
+    ret = sub (ret, 1, initial, &ap);
+    va_end(ap);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/strdup.c b/crypto/heimdal/lib/roken/strdup.c
new file mode 100644
index 0000000..87fb43e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strdup.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strdup.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#ifndef HAVE_STRDUP
+char *
+strdup(const char *old)
+{
+	char *t = malloc(strlen(old)+1);
+	if (t != 0)
+		strcpy(t, old);
+	return t;
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/strerror.c b/crypto/heimdal/lib/roken/strerror.c
new file mode 100644
index 0000000..21936d7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strerror.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strerror.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+extern int sys_nerr;
+extern char *sys_errlist[];
+
+char*
+strerror(int eno)
+{
+    static char emsg[1024];
+
+    if(eno < 0 || eno >= sys_nerr)
+	snprintf(emsg, sizeof(emsg), "Error %d occurred.", eno);
+    else
+	snprintf(emsg, sizeof(emsg), "%s", sys_errlist[eno]);
+
+    return emsg;
+}
diff --git a/crypto/heimdal/lib/roken/strftime.c b/crypto/heimdal/lib/roken/strftime.c
new file mode 100644
index 0000000..6056073
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strftime.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strftime.c,v 1.11 2000/07/08 14:22:12 assar Exp $");
+
+static const char *abb_weekdays[] = {
+    "Sun",
+    "Mon",
+    "Tue",
+    "Wed",
+    "Thu",
+    "Fri",
+    "Sat",
+};
+
+static const char *full_weekdays[] = {
+    "Sunday",
+    "Monday",
+    "Tuesday",
+    "Wednesday",
+    "Thursday",
+    "Friday",
+    "Saturday",
+};
+
+static const char *abb_month[] = {
+    "Jan",
+    "Feb",
+    "Mar",
+    "Apr",
+    "May",
+    "Jun",
+    "Jul",
+    "Aug",
+    "Sep",
+    "Oct",
+    "Nov",
+    "Dec"
+};
+
+static const char *full_month[] = {
+    "January",
+    "February",
+    "Mars",
+    "April",
+    "May",
+    "June",
+    "July",
+    "August",
+    "September",
+    "October",
+    "November",
+    "December"
+};
+
+static const char *ampm[] = {
+    "AM",
+    "PM"
+};
+
+/*
+ * Convert hour in [0, 24] to [12 1 - 11 12 1 - 11 12]
+ */
+
+static int
+hour_24to12 (int hour)
+{
+    int ret = hour % 12;
+
+    if (ret == 0)
+	ret = 12;
+    return ret;
+}
+
+/*
+ * Return AM or PM for `hour'
+ */
+
+static const char *
+hour_to_ampm (int hour)
+{
+    return ampm[hour / 12];
+}
+
+/*
+ * Return the week number of `tm' (Sunday being the first day of the week)
+ * as [0, 53]
+ */
+
+static int
+week_number_sun (const struct tm *tm)
+{
+    return (tm->tm_yday + 7 - (tm->tm_yday % 7 - tm->tm_wday + 7) % 7) / 7;
+}
+
+/*
+ * Return the week number of `tm' (Monday being the first day of the week)
+ * as [0, 53]
+ */
+
+static int
+week_number_mon (const struct tm *tm)
+{
+    int wday = (tm->tm_wday + 6) % 7;
+
+    return (tm->tm_yday + 7 - (tm->tm_yday % 7 - wday + 7) % 7) / 7;
+}
+
+/*
+ * Return the week number of `tm' (Monday being the first day of the
+ * week) as [01, 53].  Week number one is the one that has four or more
+ * days in that year.
+ */
+
+static int
+week_number_mon4 (const struct tm *tm)
+{
+    int wday  = (tm->tm_wday + 6) % 7;
+    int w1day = (wday - tm->tm_yday % 7 + 7) % 7;
+    int ret;
+    
+    ret = (tm->tm_yday + w1day) / 7;
+    if (w1day >= 4)
+	--ret;
+    if (ret == -1)
+	ret = 53;
+    else
+	++ret;
+    return ret;
+}
+
+/*
+ *
+ */
+
+size_t
+strftime (char *buf, size_t maxsize, const char *format,
+	  const struct tm *tm)
+{
+    size_t n = 0;
+    size_t ret;
+
+    while (*format != '\0' && n < maxsize) {
+	if (*format == '%') {
+	    ++format;
+	    if(*format == 'E' || *format == 'O')
+		++format;
+	    switch (*format) {
+	    case 'a' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", abb_weekdays[tm->tm_wday]);
+		break;
+	    case 'A' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", full_weekdays[tm->tm_wday]);
+		break;
+	    case 'h' :
+	    case 'b' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", abb_month[tm->tm_mon]);
+		break;
+	    case 'B' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", full_month[tm->tm_mon]);
+		break;
+	    case 'c' :
+		ret = snprintf (buf, maxsize - n,
+				"%d:%02d:%02d %02d:%02d:%02d",
+				tm->tm_year,
+				tm->tm_mon + 1,
+				tm->tm_mday,
+				tm->tm_hour,
+				tm->tm_min,
+				tm->tm_sec);
+		break;
+	    case 'C' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", (tm->tm_year + 1900) / 100);
+		break;
+	    case 'd' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_mday);
+		break;
+	    case 'D' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d/%02d/%02d",
+				tm->tm_mon + 1,
+				tm->tm_mday,
+				(tm->tm_year + 1900) % 100);
+		break;
+	    case 'e' :
+		ret = snprintf (buf, maxsize - n,
+				"%2d", tm->tm_mday);
+		break;
+	    case 'F':
+		ret = snprintf (buf, maxsize - n,
+				"%04d-%02d-%02d", tm->tm_year + 1900,
+				tm->tm_mon + 1, tm->tm_mday);
+		break;
+	    case 'g':
+		/* last two digits of week-based year */
+		abort();
+	    case 'G':
+		/* week-based year */
+		abort();
+	    case 'H' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_hour);
+		break;
+	    case 'I' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d",
+				hour_24to12 (tm->tm_hour));
+		break;
+	    case 'j' :
+		ret = snprintf (buf, maxsize - n,
+				"%03d", tm->tm_yday + 1);
+		break;
+	    case 'k' :
+		ret = snprintf (buf, maxsize - n,
+				"%2d", tm->tm_hour);
+		break;
+	    case 'l' :
+		ret = snprintf (buf, maxsize - n,
+				"%2d",
+				hour_24to12 (tm->tm_hour));
+		break;
+	    case 'm' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_mon + 1);
+		break;
+	    case 'M' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_min);
+		break;
+	    case 'n' :
+		ret = snprintf (buf, maxsize - n, "\n");
+		break;
+	    case 'p' :
+		ret = snprintf (buf, maxsize - n, "%s",
+				hour_to_ampm (tm->tm_hour));
+		break;
+	    case 'r' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d:%02d:%02d %s",
+				hour_24to12 (tm->tm_hour),
+				tm->tm_min,
+				tm->tm_sec,
+				hour_to_ampm (tm->tm_hour));
+		break;
+	    case 'R' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d:%02d",
+				tm->tm_hour,
+				tm->tm_min);
+		    
+	    case 's' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", (int)mktime((struct tm *)tm));
+		break;
+	    case 'S' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_sec);
+		break;
+	    case 't' :
+		ret = snprintf (buf, maxsize - n, "\t");
+		break;
+	    case 'T' :
+	    case 'X' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d:%02d:%02d",
+				tm->tm_hour,
+				tm->tm_min,
+				tm->tm_sec);
+		break;
+	    case 'u' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", (tm->tm_wday == 0) ? 7 : tm->tm_wday);
+		break;
+	    case 'U' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", week_number_sun (tm));
+		break;
+	    case 'V' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", week_number_mon4 (tm));
+		break;
+	    case 'w' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", tm->tm_wday);
+		break;
+	    case 'W' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", week_number_mon (tm));
+		break;
+	    case 'x' :
+		ret = snprintf (buf, maxsize - n,
+				"%d:%02d:%02d",
+				tm->tm_year,
+				tm->tm_mon + 1,
+				tm->tm_mday);
+		break;
+	    case 'y' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", (tm->tm_year + 1900) % 100);
+		break;
+	    case 'Y' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", tm->tm_year + 1900);
+		break;
+	    case 'z':
+		ret = snprintf (buf, maxsize - n,
+				"%ld",
+#if defined(HAVE_STRUCT_TM_TM_GMTOFF)
+				(long)tm->tm_gmtoff
+#elif defined(HAVE_TIMEZONE)
+				tm->tm_isdst ?
+				(long)altzone :
+				(long)timezone
+#else
+#error Where in timezone chaos are you?
+#endif    
+				);
+		break;
+	    case 'Z' :
+		ret = snprintf (buf, maxsize - n,
+				"%s",
+
+#if defined(HAVE_STRUCT_TM_TM_ZONE)
+				tm->tm_zone
+#elif defined(HAVE_TIMEZONE)
+				tzname[tm->tm_isdst]
+#else
+#error what?
+#endif
+		    );
+		break;
+	    case '\0' :
+		--format;
+		/* FALLTHROUGH */
+	    case '%' :
+		ret = snprintf (buf, maxsize - n,
+				"%%");
+		break;
+	    default :
+		ret = snprintf (buf, maxsize - n,
+				"%%%c", *format);
+		break;
+	    }
+	    if (ret >= maxsize - n)
+		return 0;
+	    n   += ret;
+	    buf += ret;
+	    ++format;
+	} else {
+	    *buf++ = *format++;
+	    ++n;
+	}
+    }
+    *buf++ = '\0';
+    return n;
+}
diff --git a/crypto/heimdal/lib/roken/strlcat.c b/crypto/heimdal/lib/roken/strlcat.c
new file mode 100644
index 0000000..d3c8baa
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strlcat.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strlcat.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
+
+#ifndef HAVE_STRLCAT
+
+size_t
+strlcat (char *dst, const char *src, size_t dst_sz)
+{
+    size_t len = strlen(dst);
+
+    return len + strlcpy (dst + len, src, dst_sz - len);
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/strlcpy.c b/crypto/heimdal/lib/roken/strlcpy.c
new file mode 100644
index 0000000..33cd9cb
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strlcpy.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strlcpy.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
+
+#ifndef HAVE_STRLCPY
+
+size_t
+strlcpy (char *dst, const char *src, size_t dst_sz)
+{
+    size_t n;
+    char *p;
+
+    for (p = dst, n = 0;
+	 n + 1 < dst_sz && *src != '\0';
+	 ++p, ++src, ++n)
+	*p = *src;
+    *p = '\0';
+    if (*src == '\0')
+	return n;
+    else
+	return n + strlen (src);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/strlwr.c b/crypto/heimdal/lib/roken/strlwr.c
new file mode 100644
index 0000000..cb36789
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strlwr.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strlwr.c,v 1.4 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <string.h>
+#include <ctype.h>
+
+#include <roken.h>
+
+#ifndef HAVE_STRLWR
+char *
+strlwr(char *str)
+{
+  char *s;
+
+  for(s = str; *s; s++)
+    *s = tolower(*s);
+  return str;
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/strncasecmp.c b/crypto/heimdal/lib/roken/strncasecmp.c
new file mode 100644
index 0000000..7c6474f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strncasecmp.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strncasecmp.c,v 1.2 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <string.h>
+#include <ctype.h>
+#include <stddef.h>
+
+#ifndef HAVE_STRNCASECMP
+
+int
+strncasecmp(const char *s1, const char *s2, size_t n)
+{
+    while(n > 0 && toupper(*s1) == toupper(*s2)) {
+	if(*s1 == '\0')
+	    return 0;
+	s1++;
+	s2++;
+	n--;
+    }
+    if(n == 0)
+	return 0;
+    return toupper(*s1) - toupper(*s2);
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/strndup.c b/crypto/heimdal/lib/roken/strndup.c
new file mode 100644
index 0000000..31e7e9f
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strndup.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strndup.c,v 1.2 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include <roken.h>
+
+#ifndef HAVE_STRNDUP
+char *
+strndup(const char *old, size_t sz)
+{
+    size_t len = strnlen (old, sz);
+    char *t    = malloc(len + 1);
+
+    if (t != NULL) {
+	memcpy (t, old, len);
+	t[len] = '\0';
+    }
+    return t;
+}
+#endif /* HAVE_STRNDUP */
diff --git a/crypto/heimdal/lib/roken/strnlen.c b/crypto/heimdal/lib/roken/strnlen.c
new file mode 100644
index 0000000..fffb3b7
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strnlen.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strnlen.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include "roken.h"
+
+size_t
+strnlen(const char *s, size_t len)
+{
+    size_t i;
+
+    for(i = 0; i < len && s[i]; i++)
+	;
+    return i;
+}
diff --git a/crypto/heimdal/lib/roken/strpftime-test.c b/crypto/heimdal/lib/roken/strpftime-test.c
new file mode 100644
index 0000000..7eb8fb8
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strpftime-test.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strpftime-test.c,v 1.2 1999/11/12 15:29:55 assar Exp $");
+
+enum { MAXSIZE = 26 };
+
+static struct testcase {
+    time_t t;
+    struct {
+	const char *format;
+	const char *result;
+    } vals[MAXSIZE];
+} tests[] = {
+    {0,
+     {
+	 {"%A", "Thursday"},
+	 {"%a", "Thu"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "01"},
+	 {"%e", " 1"},
+	 {"%H", "00"},
+	 {"%I", "12"},
+	 {"%j", "001"},
+	 {"%k", " 0"},
+	 {"%l", "12"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "4"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}}
+    },
+    {90000,
+     {
+	 {"%A", "Friday"},
+	 {"%a", "Fri"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "02"},
+	 {"%e", " 2"},
+	 {"%H", "01"},
+	 {"%I", "01"},
+	 {"%j", "002"},
+	 {"%k", " 1"},
+	 {"%l", " 1"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "5"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    },
+    {216306,
+     {
+	 {"%A", "Saturday"},
+	 {"%a", "Sat"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "03"},
+	 {"%e", " 3"},
+	 {"%H", "12"},
+	 {"%I", "12"},
+	 {"%j", "003"},
+	 {"%k", "12"},
+	 {"%l", "12"},
+	 {"%M", "05"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "PM"},
+	 {"%S", "06"},
+	 {"%t", "\t"},
+	 {"%w", "6"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    },
+    {259200,
+     {
+	 {"%A", "Sunday"},
+	 {"%a", "Sun"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "04"},
+	 {"%e", " 4"},
+	 {"%H", "00"},
+	 {"%I", "12"},
+	 {"%j", "004"},
+	 {"%k", " 0"},
+	 {"%l", "12"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "0"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "01"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    },
+    {915148800,
+     {
+	 {"%A", "Friday"},
+	 {"%a", "Fri"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "01"},
+	 {"%e", " 1"},
+	 {"%H", "00"},
+	 {"%I", "12"},
+	 {"%j", "001"},
+	 {"%k", " 0"},
+	 {"%l", "12"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "5"},
+	 {"%Y", "1999"},
+	 {"%y", "99"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "53"},
+	 {"%%", "%"},
+	 {NULL, NULL}}
+    },
+    {942161105,
+     {
+
+	 {"%A", "Tuesday"},
+	 {"%a", "Tue"},
+	 {"%B", "November"},
+	 {"%b", "Nov"},
+	 {"%C", "19"},
+	 {"%d", "09"},
+	 {"%e", " 9"},
+	 {"%H", "15"},
+	 {"%I", "03"},
+	 {"%j", "313"},
+	 {"%k", "15"},
+	 {"%l", " 3"},
+	 {"%M", "25"},
+	 {"%m", "11"},
+	 {"%n", "\n"},
+	 {"%p", "PM"},
+	 {"%S", "05"},
+	 {"%t", "\t"},
+	 {"%w", "2"},
+	 {"%Y", "1999"},
+	 {"%y", "99"},
+	 {"%U", "45"},
+	 {"%W", "45"},
+	 {"%V", "45"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    }
+};
+
+int
+main(int argc, char **argv)
+{
+    int i, j;
+    int ret = 0;
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) {
+	struct tm *tm;
+
+	tm = gmtime (&tests[i].t);
+
+	for (j = 0; tests[i].vals[j].format != NULL; ++j) {
+	    char buf[128];
+	    size_t len;
+	    struct tm tm2;
+	    char *ptr;
+
+	    len = strftime (buf, sizeof(buf), tests[i].vals[j].format, tm);
+	    if (len != strlen (buf)) {
+		printf ("length of strftime(\"%s\") = %d (\"%s\")\n",
+			tests[i].vals[j].format, len,
+			buf);
+		++ret;
+		continue;
+	    }
+	    if (strcmp (buf, tests[i].vals[j].result) != 0) {
+		printf ("result of strftime(\"%s\") = \"%s\" != \"%s\"\n",
+			tests[i].vals[j].format, buf,
+			tests[i].vals[j].result);
+		++ret;
+		continue;
+	    }
+	    memset (&tm2, 0, sizeof(tm2));
+	    ptr = strptime (tests[i].vals[j].result,
+			    tests[i].vals[j].format,
+			    &tm2);
+	    if (ptr == NULL || *ptr != '\0') {
+		printf ("bad return value from strptime("
+			"\"%s\", \"%s\")\n",
+			tests[i].vals[j].result,
+			tests[i].vals[j].format);
+		++ret;
+	    }
+	    strftime (buf, sizeof(buf), tests[i].vals[j].format, &tm2);
+	    if (strcmp (buf, tests[i].vals[j].result) != 0) {
+		printf ("reverse of \"%s\" failed: \"%s\" vs \"%s\"\n",
+			tests[i].vals[j].format,
+			buf, tests[i].vals[j].result);
+		++ret;
+	    }
+	}
+    }
+    if (ret) {
+	printf ("%d errors\n", ret);
+	return 1;
+    } else
+	return 0;
+}
diff --git a/crypto/heimdal/lib/roken/strptime.c b/crypto/heimdal/lib/roken/strptime.c
new file mode 100644
index 0000000..36f0822
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strptime.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <ctype.h>
+#include "roken.h"
+
+RCSID("$Id: strptime.c,v 1.2 1999/11/12 15:29:55 assar Exp $");
+
+static const char *abb_weekdays[] = {
+    "Sun",
+    "Mon",
+    "Tue",
+    "Wed",
+    "Thu",
+    "Fri",
+    "Sat",
+    NULL
+};
+
+static const char *full_weekdays[] = {
+    "Sunday",
+    "Monday",
+    "Tuesday",
+    "Wednesday",
+    "Thursday",
+    "Friday",
+    "Saturday",
+    NULL
+};
+
+static const char *abb_month[] = {
+    "Jan",
+    "Feb",
+    "Mar",
+    "Apr",
+    "May",
+    "Jun",
+    "Jul",
+    "Aug",
+    "Sep",
+    "Oct",
+    "Nov",
+    "Dec",
+    NULL
+};
+
+static const char *full_month[] = {
+    "January",
+    "February",
+    "Mars",
+    "April",
+    "May",
+    "June",
+    "July",
+    "August",
+    "September",
+    "October",
+    "November",
+    "December",
+    NULL,
+};
+
+static const char *ampm[] = {
+    "am",
+    "pm",
+    NULL
+};
+
+/*
+ * Try to match `*buf' to one of the strings in `strs'.  Return the
+ * index of the matching string (or -1 if none).  Also advance buf.
+ */
+
+static int
+match_string (const char **buf, const char **strs)
+{
+    int i = 0;
+
+    for (i = 0; strs[i] != NULL; ++i) {
+	int len = strlen (strs[i]);
+
+	if (strncasecmp (*buf, strs[i], len) == 0) {
+	    *buf += len;
+	    return i;
+	}
+    }
+    return -1;
+}
+
+/*
+ * tm_year is relative this year */
+
+const int tm_year_base = 1900;
+
+/*
+ * Return TRUE iff `year' was a leap year.
+ */
+
+static int
+is_leap_year (int year)
+{
+    return (year % 4) == 0 && ((year % 100) != 0 || (year % 400) == 0);
+}
+
+/*
+ * Return the weekday [0,6] (0 = Sunday) of the first day of `year'
+ */
+
+static int
+first_day (int year)
+{
+    int ret = 4;
+
+    for (; year > 1970; --year)
+	ret = (ret + 365 + is_leap_year (year) ? 1 : 0) % 7;
+    return ret;
+}
+
+/*
+ * Set `timeptr' given `wnum' (week number [0, 53])
+ */
+
+static void
+set_week_number_sun (struct tm *timeptr, int wnum)
+{
+    int fday = first_day (timeptr->tm_year + tm_year_base);
+
+    timeptr->tm_yday = wnum * 7 + timeptr->tm_wday - fday;
+    if (timeptr->tm_yday < 0) {
+	timeptr->tm_wday = fday;
+	timeptr->tm_yday = 0;
+    }
+}
+
+/*
+ * Set `timeptr' given `wnum' (week number [0, 53])
+ */
+
+static void
+set_week_number_mon (struct tm *timeptr, int wnum)
+{
+    int fday = (first_day (timeptr->tm_year + tm_year_base) + 6) % 7;
+
+    timeptr->tm_yday = wnum * 7 + (timeptr->tm_wday + 6) % 7 - fday;
+    if (timeptr->tm_yday < 0) {
+	timeptr->tm_wday = (fday + 1) % 7;
+	timeptr->tm_yday = 0;
+    }
+}
+
+/*
+ * Set `timeptr' given `wnum' (week number [0, 53])
+ */
+
+static void
+set_week_number_mon4 (struct tm *timeptr, int wnum)
+{
+    int fday = (first_day (timeptr->tm_year + tm_year_base) + 6) % 7;
+    int offset = 0;
+
+    if (fday < 4)
+	offset += 7;
+
+    timeptr->tm_yday = offset + (wnum - 1) * 7 + timeptr->tm_wday - fday;
+    if (timeptr->tm_yday < 0) {
+	timeptr->tm_wday = fday;
+	timeptr->tm_yday = 0;
+    }
+}
+
+/*
+ *
+ */
+
+char *
+strptime (const char *buf, const char *format, struct tm *timeptr)
+{
+    char c;
+
+    for (; (c = *format) != '\0'; ++format) {
+	char *s;
+	int ret;
+
+	if (isspace (c)) {
+	    while (isspace (*buf))
+		++buf;
+	} else if (c == '%' && format[1] != '\0') {
+	    c = *++format;
+	    if (c == 'E' || c == 'O')
+		c = *++format;
+	    switch (c) {
+	    case 'A' :
+		ret = match_string (&buf, full_weekdays);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_wday = ret;
+		break;
+	    case 'a' :
+		ret = match_string (&buf, abb_weekdays);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_wday = ret;
+		break;
+	    case 'B' :
+		ret = match_string (&buf, full_month);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_mon = ret;
+		break;
+	    case 'b' :
+	    case 'h' :
+		ret = match_string (&buf, abb_month);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_mon = ret;
+		break;
+	    case 'C' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_year = (ret * 100) - tm_year_base;
+		buf = s;
+		break;
+	    case 'c' :
+		abort ();
+	    case 'D' :		/* %m/%d/%y */
+		s = strptime (buf, "%m/%d/%y", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'd' :
+	    case 'e' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_mday = ret;
+		buf = s;
+		break;
+	    case 'H' :
+	    case 'k' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_hour = ret;
+		buf = s;
+		break;
+	    case 'I' :
+	    case 'l' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		if (ret == 12)
+		    timeptr->tm_hour = 0;
+		else
+		    timeptr->tm_hour = ret;
+		buf = s;
+		break;
+	    case 'j' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_yday = ret - 1;
+		buf = s;
+		break;
+	    case 'm' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_mon = ret - 1;
+		buf = s;
+		break;
+	    case 'M' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_min = ret;
+		buf = s;
+		break;
+	    case 'n' :
+		if (*buf == '\n')
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    case 'p' :
+		ret = match_string (&buf, ampm);
+		if (ret < 0)
+		    return NULL;
+		if (timeptr->tm_hour == 0) {
+		    if (ret == 1)
+			timeptr->tm_hour = 12;
+		} else
+		    timeptr->tm_hour += 12;
+		break;
+	    case 'r' :		/* %I:%M:%S %p */
+		s = strptime (buf, "%I:%M:%S %p", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'R' :		/* %H:%M */
+		s = strptime (buf, "%H:%M", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'S' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_sec = ret;
+		buf = s;
+		break;
+	    case 't' :
+		if (*buf == '\t')
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    case 'T' :		/* %H:%M:%S */
+	    case 'X' :
+		s = strptime (buf, "%H:%M:%S", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'u' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_wday = ret - 1;
+		buf = s;
+		break;
+	    case 'w' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_wday = ret;
+		buf = s;
+		break;
+	    case 'U' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		set_week_number_sun (timeptr, ret);
+		buf = s;
+		break;
+	    case 'V' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		set_week_number_mon4 (timeptr, ret);
+		buf = s;
+		break;
+	    case 'W' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		set_week_number_mon (timeptr, ret);
+		buf = s;
+		break;
+	    case 'x' :
+		s = strptime (buf, "%Y:%m:%d", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'y' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		if (ret < 70)
+		    timeptr->tm_year = 100 + ret;
+		else
+		    timeptr->tm_year = ret;
+		buf = s;
+		break;
+	    case 'Y' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_year = ret - tm_year_base;
+		buf = s;
+		break;
+	    case 'Z' :
+		abort ();
+	    case '\0' :
+		--format;
+		/* FALLTHROUGH */
+	    case '%' :
+		if (*buf == '%')
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    default :
+		if (*buf == '%' || *++buf == c)
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    }
+	} else {
+	    if (*buf == c)
+		++buf;
+	    else
+		return NULL;
+	}
+    }
+    return (char *)buf;
+}
diff --git a/crypto/heimdal/lib/roken/strsep.c b/crypto/heimdal/lib/roken/strsep.c
new file mode 100644
index 0000000..efc714a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strsep.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strsep.c,v 1.3 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <string.h>
+
+#include "roken.h"
+
+#ifndef HAVE_STRSEP
+
+char *
+strsep(char **str, const char *delim)
+{
+    char *save = *str;
+    if(*str == NULL)
+	return NULL;
+    *str = *str + strcspn(*str, delim);
+    if(**str == 0)
+	*str = NULL;
+    else{
+	**str = 0;
+	(*str)++;
+    }
+    return save;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/strsep_copy.c b/crypto/heimdal/lib/roken/strsep_copy.c
new file mode 100644
index 0000000..f097022
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strsep_copy.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strsep_copy.c,v 1.3 2000/06/29 03:13:36 assar Exp $");
+#endif
+
+#include <string.h>
+
+#include "roken.h"
+
+#ifndef HAVE_STRSEP_COPY
+
+/* strsep, but with const stringp, so return string in buf */
+
+ssize_t
+strsep_copy(const char **stringp, const char *delim, char *buf, size_t len)
+{
+    const char *save = *stringp;
+    size_t l;
+    if(save == NULL)
+	return -1;
+    *stringp = *stringp + strcspn(*stringp, delim);
+    l = min(len, *stringp - save);
+    memcpy(buf, save, l);
+    buf[l] = '\0';
+
+    l = *stringp - save;
+    if(**stringp == '\0')
+	*stringp = NULL;
+    else
+	(*stringp)++;
+    return l;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/strtok_r.c b/crypto/heimdal/lib/roken/strtok_r.c
new file mode 100644
index 0000000..45b036a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strtok_r.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strtok_r.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <string.h>
+
+#include "roken.h"
+
+#ifndef HAVE_STRTOK_R
+
+char *
+strtok_r(char *s1, const char *s2, char **lasts)
+{
+  char *ret;
+
+  if (s1 == NULL)
+    s1 = *lasts;
+  while(*s1 && strchr(s2, *s1))
+    ++s1;
+  if(*s1 == '\0')
+    return NULL;
+  ret = s1;
+  while(*s1 && !strchr(s2, *s1))
+    ++s1;
+  if(*s1)
+    *s1++ = '\0';
+  *lasts = s1;
+  return ret;
+}
+
+#endif /* HAVE_STRTOK_R */
diff --git a/crypto/heimdal/lib/roken/strupr.c b/crypto/heimdal/lib/roken/strupr.c
new file mode 100644
index 0000000..96dd042
--- /dev/null
+++ b/crypto/heimdal/lib/roken/strupr.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strupr.c,v 1.4 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <string.h>
+#include <ctype.h>
+
+#include <roken.h>
+
+#ifndef HAVE_STRUPR
+char *
+strupr(char *str)
+{
+  char *s;
+
+  for(s = str; *s; s++)
+    *s = toupper(*s);
+  return str;
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/swab.c b/crypto/heimdal/lib/roken/swab.c
new file mode 100644
index 0000000..c623bd0
--- /dev/null
+++ b/crypto/heimdal/lib/roken/swab.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_SWAB
+
+RCSID("$Id: swab.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+
+void
+swab (char *from, char *to, int nbytes)
+{
+     while(nbytes >= 2) {
+	  *(to + 1) = *from;
+	  *to = *(from + 1);
+	  to += 2;
+	  from += 2;
+	  nbytes -= 2;
+     }
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/timeval.c b/crypto/heimdal/lib/roken/timeval.c
new file mode 100644
index 0000000..ea4dee8
--- /dev/null
+++ b/crypto/heimdal/lib/roken/timeval.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Timeval stuff
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: timeval.c,v 1.1 2000/03/03 09:02:42 assar Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * Make `t1' consistent.
+ */
+
+void
+timevalfix(struct timeval *t1)
+{
+    if (t1->tv_usec < 0) {
+        t1->tv_sec--;
+        t1->tv_usec += 1000000;
+    }
+    if (t1->tv_usec >= 1000000) {
+        t1->tv_sec++;
+        t1->tv_usec -= 1000000;
+    }
+}
+ 
+/*
+ * t1 += t2
+ */
+
+void
+timevaladd(struct timeval *t1, const struct timeval *t2)
+{
+    t1->tv_sec  += t2->tv_sec;
+    t1->tv_usec += t2->tv_usec;
+    timevalfix(t1);
+}
+ 
+/*
+ * t1 -= t2
+ */
+
+void
+timevalsub(struct timeval *t1, const struct timeval *t2)
+{
+    t1->tv_sec  -= t2->tv_sec;
+    t1->tv_usec -= t2->tv_usec;
+    timevalfix(t1);
+}
diff --git a/crypto/heimdal/lib/roken/tm2time.c b/crypto/heimdal/lib/roken/tm2time.c
new file mode 100644
index 0000000..b912e32
--- /dev/null
+++ b/crypto/heimdal/lib/roken/tm2time.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: tm2time.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#include "roken.h"
+
+time_t
+tm2time (struct tm tm, int local)
+{
+     time_t t;
+
+     tm.tm_isdst = -1;
+
+     t = mktime (&tm);
+
+     if (!local)
+       t += t - mktime (gmtime (&t));
+     return t;
+}
diff --git a/crypto/heimdal/lib/roken/unsetenv.c b/crypto/heimdal/lib/roken/unsetenv.c
new file mode 100644
index 0000000..6d95a51
--- /dev/null
+++ b/crypto/heimdal/lib/roken/unsetenv.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: unsetenv.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "roken.h"
+
+extern char **environ;
+
+/*
+ * unsetenv --
+ */
+void
+unsetenv(const char *name)
+{
+  int len;
+  const char *np;
+  char **p;
+
+  if (name == 0 || environ == 0)
+    return;
+
+  for (np = name; *np && *np != '='; np++)
+    /* nop */;
+  len = np - name;
+  
+  for (p = environ; *p != 0; p++)
+    if (strncmp(*p, name, len) == 0 && (*p)[len] == '=')
+      break;
+
+  for (; *p != 0; p++)
+    *p = *(p + 1);
+}
+
diff --git a/crypto/heimdal/lib/roken/unvis.c b/crypto/heimdal/lib/roken/unvis.c
new file mode 100644
index 0000000..363564c
--- /dev/null
+++ b/crypto/heimdal/lib/roken/unvis.c
@@ -0,0 +1,288 @@
+/*	$NetBSD: unvis.c,v 1.19 2000/01/22 22:19:13 mycroft Exp $	*/
+
+/*-
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if 1
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: unvis.c,v 1.2 2000/12/06 21:41:46 joda Exp $");
+#endif
+#include <roken.h>
+#ifndef _DIAGASSERT
+#define _DIAGASSERT(X)
+#endif
+#else
+#include <sys/cdefs.h>
+#if defined(LIBC_SCCS) && !defined(lint)
+#if 0
+static char sccsid[] = "@(#)unvis.c	8.1 (Berkeley) 6/4/93";
+#else
+__RCSID("$NetBSD: unvis.c,v 1.19 2000/01/22 22:19:13 mycroft Exp $");
+#endif
+#endif /* LIBC_SCCS and not lint */
+
+#define __LIBC12_SOURCE__
+
+#include "namespace.h"
+#endif
+#include <sys/types.h>
+
+#include <assert.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <vis.h>
+
+#if 0
+#ifdef __weak_alias
+__weak_alias(strunvis,_strunvis)
+__weak_alias(unvis,_unvis)
+#endif
+
+__warn_references(unvis,
+    "warning: reference to compatibility unvis(); include <vis.h> for correct reference")
+#endif
+
+/*
+ * decode driven by state machine
+ */
+#define	S_GROUND	0	/* haven't seen escape char */
+#define	S_START		1	/* start decoding special sequence */
+#define	S_META		2	/* metachar started (M) */
+#define	S_META1		3	/* metachar more, regular char (-) */
+#define	S_CTRL		4	/* control char started (^) */
+#define	S_OCTAL2	5	/* octal digit 2 */
+#define	S_OCTAL3	6	/* octal digit 3 */
+
+#define	isoctal(c)	(((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
+
+/*
+ * unvis - decode characters previously encoded by vis
+ */
+#ifndef HAVE_UNVIS
+int
+unvis(char *cp, int c, int *astate, int flag)
+{
+
+	_DIAGASSERT(cp != NULL);
+	_DIAGASSERT(astate != NULL);
+
+	if (flag & UNVIS_END) {
+		if (*astate == S_OCTAL2 || *astate == S_OCTAL3) {
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		} 
+		return (*astate == S_GROUND ? UNVIS_NOCHAR : UNVIS_SYNBAD);
+	}
+
+	switch (*astate) {
+
+	case S_GROUND:
+		*cp = 0;
+		if (c == '\\') {
+			*astate = S_START;
+			return (0);
+		} 
+		*cp = c;
+		return (UNVIS_VALID);
+
+	case S_START:
+		switch(c) {
+		case '\\':
+			*cp = c;
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case '0': case '1': case '2': case '3':
+		case '4': case '5': case '6': case '7':
+			*cp = (c - '0');
+			*astate = S_OCTAL2;
+			return (0);
+		case 'M':
+			*cp = (char)0200;
+			*astate = S_META;
+			return (0);
+		case '^':
+			*astate = S_CTRL;
+			return (0);
+		case 'n':
+			*cp = '\n';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'r':
+			*cp = '\r';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'b':
+			*cp = '\b';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'a':
+			*cp = '\007';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'v':
+			*cp = '\v';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 't':
+			*cp = '\t';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'f':
+			*cp = '\f';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 's':
+			*cp = ' ';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case 'E':
+			*cp = '\033';
+			*astate = S_GROUND;
+			return (UNVIS_VALID);
+		case '\n':
+			/*
+			 * hidden newline
+			 */
+			*astate = S_GROUND;
+			return (UNVIS_NOCHAR);
+		case '$':
+			/*
+			 * hidden marker
+			 */
+			*astate = S_GROUND;
+			return (UNVIS_NOCHAR);
+		}
+		*astate = S_GROUND;
+		return (UNVIS_SYNBAD);
+		 
+	case S_META:
+		if (c == '-')
+			*astate = S_META1;
+		else if (c == '^')
+			*astate = S_CTRL;
+		else {
+			*astate = S_GROUND;
+			return (UNVIS_SYNBAD);
+		}
+		return (0);
+		 
+	case S_META1:
+		*astate = S_GROUND;
+		*cp |= c;
+		return (UNVIS_VALID);
+		 
+	case S_CTRL:
+		if (c == '?')
+			*cp |= 0177;
+		else
+			*cp |= c & 037;
+		*astate = S_GROUND;
+		return (UNVIS_VALID);
+
+	case S_OCTAL2:	/* second possible octal digit */
+		if (isoctal(c)) {
+			/* 
+			 * yes - and maybe a third 
+			 */
+			*cp = (*cp << 3) + (c - '0');
+			*astate = S_OCTAL3;	
+			return (0);
+		} 
+		/* 
+		 * no - done with current sequence, push back passed char 
+		 */
+		*astate = S_GROUND;
+		return (UNVIS_VALIDPUSH);
+
+	case S_OCTAL3:	/* third possible octal digit */
+		*astate = S_GROUND;
+		if (isoctal(c)) {
+			*cp = (*cp << 3) + (c - '0');
+			return (UNVIS_VALID);
+		}
+		/*
+		 * we were done, push back passed char
+		 */
+		return (UNVIS_VALIDPUSH);
+			
+	default:	
+		/* 
+		 * decoder in unknown state - (probably uninitialized) 
+		 */
+		*astate = S_GROUND;
+		return (UNVIS_SYNBAD);
+	}
+}
+#endif
+
+/*
+ * strunvis - decode src into dst 
+ *
+ *	Number of chars decoded into dst is returned, -1 on error.
+ *	Dst is null terminated.
+ */
+
+#ifndef HAVE_STRUNVIS
+int
+strunvis(char *dst, const char *src)
+{
+	char c;
+	char *start = dst;
+	int state = 0;
+
+	_DIAGASSERT(src != NULL);
+	_DIAGASSERT(dst != NULL);
+
+	while ((c = *src++) != '\0') {
+	again:
+		switch (unvis(dst, c, &state, 0)) {
+		case UNVIS_VALID:
+			dst++;
+			break;
+		case UNVIS_VALIDPUSH:
+			dst++;
+			goto again;
+		case 0:
+		case UNVIS_NOCHAR:
+			break;
+		default:
+			return (-1);
+		}
+	}
+	if (unvis(dst, c, &state, UNVIS_END) == UNVIS_VALID)
+		dst++;
+	*dst = '\0';
+	return (dst - start);
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/verify.c b/crypto/heimdal/lib/roken/verify.c
new file mode 100644
index 0000000..842fa9a
--- /dev/null
+++ b/crypto/heimdal/lib/roken/verify.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verify.c,v 1.13 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <stdio.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#include "roken.h"
+
+int
+unix_verify_user(char *user, char *password)
+{
+    struct passwd *pw;
+    
+    pw = k_getpwnam(user);
+    if(pw == NULL)
+	return -1;
+    if(strlen(pw->pw_passwd) == 0 && strlen(password) == 0)
+	return 0;
+    if(strcmp(crypt(password, pw->pw_passwd), pw->pw_passwd) == 0)
+        return 0;
+    return -1;
+}
+
diff --git a/crypto/heimdal/lib/roken/verr.c b/crypto/heimdal/lib/roken/verr.c
new file mode 100644
index 0000000..67b4512
--- /dev/null
+++ b/crypto/heimdal/lib/roken/verr.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verr.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
+#endif
+
+#include "roken.h"
+#include <err.h>
+
+void
+verr(int eval, const char *fmt, va_list ap)
+{
+    warnerr(1, fmt, ap);
+    exit(eval);
+}
diff --git a/crypto/heimdal/lib/roken/verrx.c b/crypto/heimdal/lib/roken/verrx.c
new file mode 100644
index 0000000..5df5c8d
--- /dev/null
+++ b/crypto/heimdal/lib/roken/verrx.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verrx.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
+#endif
+
+#include "roken.h"
+#include <err.h>
+
+void
+verrx(int eval, const char *fmt, va_list ap)
+{
+    warnerr(0, fmt, ap);
+    exit(eval);
+}
diff --git a/crypto/heimdal/lib/roken/vis.c b/crypto/heimdal/lib/roken/vis.c
new file mode 100644
index 0000000..82a6ba5
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vis.c
@@ -0,0 +1,301 @@
+/*	$NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $	*/
+
+/*-
+ * Copyright (c) 1999 The NetBSD Foundation, Inc.
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+
+#if 1
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vis.c,v 1.3 2000/12/10 23:10:48 assar Exp $");
+#endif
+#include <roken.h>
+#ifndef _DIAGASSERT
+#define _DIAGASSERT(X)
+#endif
+#else
+#include <sys/cdefs.h>
+#if !defined(lint)
+__RCSID("$NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $");
+#endif /* not lint */
+#endif
+
+#if 0
+#include "namespace.h"
+#endif
+#include <sys/types.h>
+
+#include <assert.h>
+#include <ctype.h>
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <vis.h>
+
+#if 0
+#ifdef __weak_alias
+__weak_alias(strsvis,_strsvis)
+__weak_alias(strsvisx,_strsvisx)
+__weak_alias(strvis,_strvis)
+__weak_alias(strvisx,_strvisx)
+__weak_alias(svis,_svis)
+__weak_alias(vis,_vis)
+#endif
+#endif
+
+#undef BELL
+#if defined(__STDC__)
+#define BELL '\a'
+#else
+#define BELL '\007'
+#endif
+
+#define isoctal(c)	(((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
+#define iswhite(c)	(c == ' ' || c == '\t' || c == '\n')
+#define issafe(c)	(c == '\b' || c == BELL || c == '\r')
+
+#define MAXEXTRAS       5
+
+
+#define MAKEEXTRALIST(flag, extra)					      \
+do {									      \
+	char *pextra = extra;						      \
+	if (flag & VIS_SP) *pextra++ = ' ';				      \
+	if (flag & VIS_TAB) *pextra++ = '\t';				      \
+	if (flag & VIS_NL) *pextra++ = '\n';				      \
+	if ((flag & VIS_NOSLASH) == 0) *pextra++ = '\\';		      \
+	*pextra = '\0';							      \
+} while (/*CONSTCOND*/0)
+
+/*
+ * This is SVIS, the central macro of vis.
+ * dst:	      Pointer to the destination buffer
+ * c:	      Character to encode
+ * flag:      Flag word
+ * nextc:     The character following 'c'
+ * extra:     Pointer to the list of extra characters to be
+ *	      backslash-protected.
+ */
+#define SVIS(dst, c, flag, nextc, extra)				      \
+do {									      \
+	int isextra, isc;						      \
+	isextra = strchr(extra, c) != NULL;				      \
+	if (!isextra && isascii(c) && (isgraph(c) || iswhite(c) ||	      \
+	    ((flag & VIS_SAFE) && issafe(c)))) {			      \
+		*dst++ = c;						      \
+		break;							      \
+	}								      \
+	isc = 0;							      \
+	if (flag & VIS_CSTYLE) {					      \
+		switch (c) {						      \
+		case '\n':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'n';		      \
+			break;						      \
+		case '\r':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'r';		      \
+			break;						      \
+		case '\b':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'b';		      \
+			break;						      \
+		case BELL:						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'a';		      \
+			break;						      \
+		case '\v':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'v';		      \
+			break;						      \
+		case '\t':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 't';		      \
+			break;						      \
+		case '\f':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 'f';		      \
+			break;						      \
+		case ' ':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = 's';		      \
+			break;						      \
+		case '\0':						      \
+			isc = 1; *dst++ = '\\'; *dst++ = '0';		      \
+			if (isoctal(nextc)) {				      \
+				*dst++ = '0';				      \
+				*dst++ = '0';				      \
+			}						      \
+		}							      \
+	}								      \
+	if (isc) break;							      \
+	if (isextra || ((c & 0177) == ' ') || (flag & VIS_OCTAL)) {	      \
+		*dst++ = '\\';						      \
+		*dst++ = (u_char)(((unsigned)(u_char)c >> 6) & 03) + '0';     \
+		*dst++ = (u_char)(((unsigned)(u_char)c >> 3) & 07) + '0';     \
+		*dst++ =			     (c	      & 07) + '0';    \
+	} else {							      \
+		if ((flag & VIS_NOSLASH) == 0) *dst++ = '\\';		      \
+		if (c & 0200) {						      \
+			c &= 0177; *dst++ = 'M';			      \
+		}							      \
+		if (iscntrl(c)) {					      \
+			*dst++ = '^';					      \
+			if (c == 0177)					      \
+				*dst++ = '?';				      \
+			else						      \
+				*dst++ = c + '@';			      \
+		} else {						      \
+			*dst++ = '-'; *dst++ = c;			      \
+		}							      \
+	}								      \
+} while (/*CONSTCOND*/0)
+
+
+/*
+ * svis - visually encode characters, also encoding the characters
+ * 	  pointed to by `extra'
+ */
+#ifndef HAVE_SVIS
+char *
+svis(char *dst, int c, int flag, int nextc, const char *extra)
+{
+	_DIAGASSERT(dst != NULL);
+	_DIAGASSERT(extra != NULL);
+
+	SVIS(dst, c, flag, nextc, extra);
+	*dst = '\0';
+	return(dst);
+}
+#endif
+
+
+/*
+ * strsvis, strsvisx - visually encode characters from src into dst
+ *
+ *	Extra is a pointer to a \0-terminated list of characters to
+ *	be encoded, too. These functions are useful e. g. to
+ *	encode strings in such a way so that they are not interpreted
+ *	by a shell.
+ *	
+ *	Dst must be 4 times the size of src to account for possible
+ *	expansion.  The length of dst, not including the trailing NULL,
+ *	is returned. 
+ *
+ *	Strsvisx encodes exactly len bytes from src into dst.
+ *	This is useful for encoding a block of data.
+ */
+#ifndef HAVE_STRSVIS
+int
+strsvis(char *dst, const char *src, int flag, const char *extra)
+{
+	char c;
+	char *start;
+
+	_DIAGASSERT(dst != NULL);
+	_DIAGASSERT(src != NULL);
+	_DIAGASSERT(extra != NULL);
+
+	for (start = dst; (c = *src++) != '\0'; /* empty */)
+	    SVIS(dst, c, flag, *src, extra);
+	*dst = '\0';
+	return (dst - start);
+}
+#endif
+
+
+#ifndef HAVE_STRVISX
+int
+strsvisx(char *dst, const char *src, size_t len, int flag, const char *extra)
+{
+	char c;
+	char *start;
+
+	_DIAGASSERT(dst != NULL);
+	_DIAGASSERT(src != NULL);
+	_DIAGASSERT(extra != NULL);
+
+	for (start = dst; len > 0; len--) {
+		c = *src++;
+		SVIS(dst, c, flag, len ? *src : '\0', extra);
+	}
+	*dst = '\0';
+	return (dst - start);
+}
+#endif
+
+
+/*
+ * vis - visually encode characters
+ */
+#ifndef HAVE_VIS
+char *
+vis(char *dst, int c, int flag, int nextc)
+{
+	char extra[MAXEXTRAS];
+
+	_DIAGASSERT(dst != NULL);
+
+	MAKEEXTRALIST(flag, extra);
+	SVIS(dst, c, flag, nextc, extra);
+	*dst = '\0';
+	return (dst);
+}
+#endif
+
+
+/*
+ * strvis, strvisx - visually encode characters from src into dst
+ *	
+ *	Dst must be 4 times the size of src to account for possible
+ *	expansion.  The length of dst, not including the trailing NULL,
+ *	is returned. 
+ *
+ *	Strvisx encodes exactly len bytes from src into dst.
+ *	This is useful for encoding a block of data.
+ */
+#ifndef HAVE_STRVIS
+int
+strvis(char *dst, const char *src, int flag)
+{
+	char extra[MAXEXTRAS];
+
+	MAKEEXTRALIST(flag, extra);
+	return (strsvis(dst, src, flag, extra));
+}
+#endif
+
+
+#ifndef HAVE_STRVISX
+int
+strvisx(char *dst, const char *src, size_t len, int flag)
+{
+	char extra[MAXEXTRAS];
+
+	MAKEEXTRALIST(flag, extra);
+	return (strsvisx(dst, src, len, flag, extra));
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/vis.hin b/crypto/heimdal/lib/roken/vis.hin
new file mode 100644
index 0000000..a9d09da9
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vis.hin
@@ -0,0 +1,86 @@
+/*	$NetBSD: vis.h,v 1.11 1999/11/25 16:55:50 wennmach Exp $	*/
+/*	$Id: vis.hin,v 1.1 2000/12/06 21:35:47 joda Exp $	*/
+
+/*-
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)vis.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef _VIS_H_
+#define	_VIS_H_
+
+/*
+ * to select alternate encoding format
+ */
+#define	VIS_OCTAL	0x01	/* use octal \ddd format */
+#define	VIS_CSTYLE	0x02	/* use \[nrft0..] where appropiate */
+
+/*
+ * to alter set of characters encoded (default is to encode all
+ * non-graphic except space, tab, and newline).
+ */
+#define	VIS_SP		0x04	/* also encode space */
+#define	VIS_TAB		0x08	/* also encode tab */
+#define	VIS_NL		0x10	/* also encode newline */
+#define	VIS_WHITE	(VIS_SP | VIS_TAB | VIS_NL)
+#define	VIS_SAFE	0x20	/* only encode "unsafe" characters */
+
+/*
+ * other
+ */
+#define	VIS_NOSLASH	0x40	/* inhibit printing '\' */
+
+/*
+ * unvis return codes
+ */
+#define	UNVIS_VALID	 1	/* character valid */
+#define	UNVIS_VALIDPUSH	 2	/* character valid, push back passed char */
+#define	UNVIS_NOCHAR	 3	/* valid sequence, no character produced */
+#define	UNVIS_SYNBAD	-1	/* unrecognized escape sequence */
+#define	UNVIS_ERROR	-2	/* decoder in unknown state (unrecoverable) */
+
+/*
+ * unvis flags
+ */
+#define	UNVIS_END	1	/* no more characters */
+
+char	*vis (char *, int, int, int);
+char	*svis (char *, int, int, int, const char *);
+int	strvis (char *, const char *, int);
+int	strsvis (char *, const char *, int, const char *);
+int	strvisx (char *, const char *, size_t, int);
+int	strsvisx (char *, const char *, size_t, int, const char *);
+int	strunvis (char *, const char *);
+int	unvis (char *, int, int *, int);
+
+#endif /* !_VIS_H_ */
diff --git a/crypto/heimdal/lib/roken/vsyslog.c b/crypto/heimdal/lib/roken/vsyslog.c
new file mode 100644
index 0000000..c72cf33
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vsyslog.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vsyslog.c,v 1.6 2000/05/22 22:09:25 assar Exp $");
+#endif
+
+#ifndef HAVE_VSYSLOG
+
+#include <stdio.h>
+#include <syslog.h>
+#include <stdarg.h>
+
+#include "roken.h"
+
+/*
+ * the theory behind this is that we might be trying to call vsyslog
+ * when there's no memory left, and we should try to be as useful as
+ * possible.  And the format string should say something about what's
+ * failing.
+ */
+
+static void
+simple_vsyslog(int pri, const char *fmt, va_list ap)
+{
+    syslog (pri, "%s", fmt);
+}
+
+/*
+ * do like syslog but with a `va_list'
+ */
+
+void
+vsyslog(int pri, const char *fmt, va_list ap)
+{
+    char *fmt2;
+    const char *p;
+    char *p2;
+    int saved_errno = errno;
+    int fmt_len  = strlen (fmt);
+    int fmt2_len = fmt_len;
+    char *buf;
+
+    fmt2 = malloc (fmt_len + 1);
+    if (fmt2 == NULL) {
+	simple_vsyslog (pri, fmt, ap);
+	return;
+    }
+
+    for (p = fmt, p2 = fmt2; *p != '\0'; ++p) {
+	if (p[0] == '%' && p[1] == 'm') {
+	    const char *e = strerror (saved_errno);
+	    int e_len = strlen (e);
+	    char *tmp;
+	    int pos;
+
+	    pos = p2 - fmt2;
+	    fmt2_len += e_len - 2;
+	    tmp = realloc (fmt2, fmt2_len + 1);
+	    if (tmp == NULL) {
+		free (fmt2);
+		simple_vsyslog (pri, fmt, ap);
+		return;
+	    }
+	    fmt2 = tmp;
+	    p2   = fmt2 + pos;
+	    memmove (p2, e, e_len);
+	    p2 += e_len;
+	    ++p;
+	} else
+	    *p2++ = *p;
+    }
+    *p2 = '\0';
+
+    vasprintf (&buf, fmt2, ap);
+    free (fmt2);
+    if (buf == NULL) {
+	simple_vsyslog (pri, fmt, ap);
+	return;
+    }
+    syslog (pri, "%s", buf);
+    free (buf);
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/vwarn.c b/crypto/heimdal/lib/roken/vwarn.c
new file mode 100644
index 0000000..4034b1b
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vwarn.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vwarn.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
+#endif
+
+#include "roken.h"
+#include <err.h>
+
+void
+vwarn(const char *fmt, va_list ap)
+{
+    warnerr(1, fmt, ap);
+}
diff --git a/crypto/heimdal/lib/roken/vwarnx.c b/crypto/heimdal/lib/roken/vwarnx.c
new file mode 100644
index 0000000..7449a75
--- /dev/null
+++ b/crypto/heimdal/lib/roken/vwarnx.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vwarnx.c,v 1.10 2001/01/25 12:41:39 assar Exp $");
+#endif
+
+#include "roken.h"
+#include <err.h>
+
+void
+vwarnx(const char *fmt, va_list ap)
+{
+    warnerr(0, fmt, ap);
+}
+
diff --git a/crypto/heimdal/lib/roken/warn.c b/crypto/heimdal/lib/roken/warn.c
new file mode 100644
index 0000000..d8ee335
--- /dev/null
+++ b/crypto/heimdal/lib/roken/warn.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: warn.c,v 1.6 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+warn(const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  vwarn(fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/heimdal/lib/roken/warnerr.c b/crypto/heimdal/lib/roken/warnerr.c
new file mode 100644
index 0000000..0ebae25
--- /dev/null
+++ b/crypto/heimdal/lib/roken/warnerr.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: warnerr.c,v 1.13 2001/05/16 23:54:19 assar Exp $");
+#endif
+
+#include "roken.h"
+#include "err.h"
+
+#ifndef HAVE___PROGNAME
+const char *__progname;
+#endif
+
+#ifndef HAVE_GETPROGNAME
+const char *
+getprogname(void)
+{
+    return __progname;
+}
+#endif
+
+#ifndef HAVE_SETPROGNAME
+void
+setprogname(const char *argv0)
+{
+#ifndef HAVE___PROGNAME
+    char *p;
+    if(argv0 == NULL)
+	return;
+    p = strrchr(argv0, '/');
+    if(p == NULL)
+	p = argv0;
+    else
+	p++;
+    __progname = p;
+#endif
+}
+#endif /* HAVE_SETPROGNAME */
+
+void
+set_progname(char *argv0)
+{
+    setprogname ((const char *)argv0);
+}
+
+const char *
+get_progname (void)
+{
+    return getprogname ();
+}
+
+void
+warnerr(int doerrno, const char *fmt, va_list ap)
+{
+    int sverrno = errno;
+    const char *progname = getprogname();
+
+    if(progname != NULL){
+	fprintf(stderr, "%s", progname);
+	if(fmt != NULL || doerrno)
+	    fprintf(stderr, ": ");
+    }
+    if (fmt != NULL){
+	vfprintf(stderr, fmt, ap);
+	if(doerrno)
+	    fprintf(stderr, ": ");
+    }
+    if(doerrno)
+	fprintf(stderr, "%s", strerror(sverrno));
+    fprintf(stderr, "\n");
+}
diff --git a/crypto/heimdal/lib/roken/warnx.c b/crypto/heimdal/lib/roken/warnx.c
new file mode 100644
index 0000000..c991176
--- /dev/null
+++ b/crypto/heimdal/lib/roken/warnx.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: warnx.c,v 1.6 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+warnx(const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  vwarnx(fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/heimdal/lib/roken/write_pid.c b/crypto/heimdal/lib/roken/write_pid.c
new file mode 100644
index 0000000..ce02506
--- /dev/null
+++ b/crypto/heimdal/lib/roken/write_pid.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: write_pid.c,v 1.5 2001/02/20 01:44:55 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <roken.h>
+
+#include "roken.h"
+
+char *
+pid_file_write (const char *progname)
+{
+    FILE *fp;
+    char *ret;
+
+    asprintf (&ret, "%s%s.pid", _PATH_VARRUN, progname);
+    if (ret == NULL)
+	return NULL;
+    fp = fopen (ret, "w");
+    if (fp == NULL) {
+	free (ret);
+	return NULL;
+    }
+    fprintf (fp, "%u", (unsigned)getpid());
+    fclose (fp);
+    return ret;
+}
+
+void
+pid_file_delete (char **filename)
+{
+    if (*filename != NULL) {
+	unlink (*filename);
+	free (*filename);
+	*filename = NULL;
+    }
+}
+
+#ifndef HAVE_PIDFILE
+static char *pidfile_path;
+
+static void
+pidfile_cleanup(void)
+{
+    if(pidfile_path != NULL)
+	pid_file_delete(&pidfile_path);
+}
+
+void
+pidfile(const char *basename)
+{
+    if(pidfile_path != NULL)
+	return;
+    if(basename == NULL)
+	basename = getprogname();
+    pidfile_path = pid_file_write(basename);
+    atexit(pidfile_cleanup);
+}
+#endif
diff --git a/crypto/heimdal/lib/roken/writev.c b/crypto/heimdal/lib/roken/writev.c
new file mode 100644
index 0000000..e3859bf
--- /dev/null
+++ b/crypto/heimdal/lib/roken/writev.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: writev.c,v 1.3 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+writev(int d, const struct iovec *iov, int iovcnt)
+{
+    ssize_t ret;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+
+    for(i = 0; i < iovcnt; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    p = buf;
+    for (i = 0; i < iovcnt; ++i) {
+	memcpy (p, iov[i].iov_base, iov[i].iov_len);
+	p += iov[i].iov_len;
+    }
+    ret = write (d, buf, tot);
+    free (buf);
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/xdbm.h b/crypto/heimdal/lib/roken/xdbm.h
new file mode 100644
index 0000000..429c3d1
--- /dev/null
+++ b/crypto/heimdal/lib/roken/xdbm.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: xdbm.h,v 1.12 2000/08/16 03:57:21 assar Exp $ */
+
+/* Generic *dbm include file */
+
+#ifndef __XDBM_H__
+#define __XDBM_H__
+
+#if defined(HAVE_DB_H)
+#define DB_DBM_HSEARCH 1
+#include <db.h>
+#endif
+
+#ifndef DBM_INSERT
+#if defined(HAVE_NDBM_H)
+#include <ndbm.h>
+#elif defined(HAVE_GDBM_NDBM_H)
+#include <gdbm/ndbm.h>
+#elif defined(HAVE_DBM_H)
+#include <dbm.h>
+#elif defined(HAVE_RPCSVC_DBM_H)
+#include <rpcsvc/dbm.h>
+#endif
+#endif
+
+/* Macros to convert ndbm names to dbm names.
+ * Note that dbm_nextkey() cannot be simply converted using a macro, since
+ * it is invoked giving the database, and nextkey() needs the previous key.
+ *
+ * Instead, all routines call "dbm_next" instead.
+ */
+
+#if !defined(NDBM) && !defined(HAVE_DB_H)
+typedef char DBM;
+
+#define dbm_open(file, flags, mode) ((dbminit(file) == 0)?"":((char *)0))
+#define dbm_fetch(db, key) fetch(key)
+#define dbm_store(db, key, content, flag) store(key, content)
+#define dbm_delete(db, key) delete(key)
+#define dbm_firstkey(db) firstkey()
+#define dbm_next(db,key) nextkey(key)
+#define dbm_close(db) dbmclose()
+#else
+#define dbm_next(db,key) dbm_nextkey(db)
+#endif
+
+#endif /* __XDBM_H__ */
diff --git a/crypto/heimdal/lib/sl/ChangeLog b/crypto/heimdal/lib/sl/ChangeLog
new file mode 100644
index 0000000..249ac09
--- /dev/null
+++ b/crypto/heimdal/lib/sl/ChangeLog
@@ -0,0 +1,182 @@
+2001-05-17  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump versions to 1:2:1 and 1:4:1
+
+2001-05-06  Assar Westerlund  <assar@sics.se>
+
+	* roken_rename.h (strdup): add
+
+2001-03-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: re do the roken-renaming properly
+
+2001-02-13  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add more functions to rename
+
+2001-01-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* sl.h: proto
+
+	* sl.c (sl_command_loop): try to handle user pressing C-c
+
+2000-12-11  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libss_la_LDFLAGS): bump version to 1:2:1
+
+2000-08-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add dependencies for libss/libsl shared libraries
+
+2000-07-25  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: bump ss version to 1:1:1
+
+2000-06-27  Assar Westerlund  <assar@sics.se>
+
+	* parse.y (yyerror): static-ize
+	* make_cmds.h (error_message, yylex): add prototypes
+	* lex.l: fix prototypes and kill warnings
+
+2000-05-24  Assar Westerlund  <assar@sics.se>
+
+	* ss.h (SS_ET_COMMAND_NOT_FOUND): add
+	* ss.c: check allocation and return some other error codes too
+
+2000-04-29  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add LIB_tgetent.  From Derrick J Brashear
+	<shadow@dementia.org>
+
+2000-04-03  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:0:1
+
+2000-03-07  Assar Westerlund  <assar@sics.se>
+
+	* sl.h (SL_BADCOMMAND): define
+	(sl_apropos): add prototype
+
+	* sl.c: mandoc-generation
+	(sl_apropos): stolen from arla
+
+2000-01-06  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump both versions to 0:1:0
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* parse.y (name2number): not used here.  remove.
+
+Thu Apr  1 17:03:59 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* make_cmds.c: use getarg
+
+Tue Mar 23 14:36:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: don't rename
+
+Sun Mar 21 14:13:29 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: don't roken-rename
+
+Sat Mar 20 03:43:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: replace return with YYACCEPT
+
+Fri Mar 19 14:53:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add libss; add version-info
+
+Thu Mar 18 15:07:06 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: clean lex.c parse.c parse.h
+
+	* Makefile.am: install ss.h
+
+	* Makefile.am: include Makefile.am.common
+
+Thu Mar 11 15:01:01 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* parse.y: prototype for error_message
+
+Tue Feb  9 23:45:37 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.in: add snprintf.o to make_cmds
+
+Sun Nov 22 10:46:23 1998  Assar Westerlund  <assar@sics.se>
+
+	* sl.c (sl_command_loop): remove unused variable
+
+	* ss.c (ss_error): remove unused variable
+
+	* make_cmds.c: include err.h
+	(main): remove unused variable
+
+	* Makefile.in (WFLAGS): set
+
+Sun Sep 27 01:28:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* make_cmds.c: clean-up and simplification
+
+Mon May 25 02:54:13 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+	* Makefile.in: make symlink magic work
+
+Sun Apr 19 10:00:26 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sun Apr  5 09:21:43 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: define alloca to malloc in case we're using bison but
+ 	don't have alloca
+
+Sat Mar 28 11:39:00 1998  Assar Westerlund  <assar@sics.se>
+
+	* sl.c (sl_loop): s/2/1
+
+Sat Mar 21 00:46:51 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* sl.c (sl_loop): check that there is at least one argument before
+ 	calling sl_command
+
+Sun Mar  1 05:14:37 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* sl.c (sl_loop): Fix general broken-ness.
+
+	* sl.c: Cleanup printing of help strings.
+
+Thu Feb 26 02:22:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: @LEXLIB@
+
+Sat Feb 21 15:18:21 1998  assar westerlund  <assar@sics.se>
+
+	* Makefile.in: set YACC and LEX
+
+Mon Feb 16 16:08:25 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.am: Some fixes for ss/mk_cmds.
+
+Sun Feb 15 05:12:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.in: Install libsl under the `libss' name too. Install
+ 	mk_cmds, and ss.h.
+
+	* make_cmds.c: A mk_cmds clone that creates SL structures.
+
+	* ss.c: SS compatibility functions.
+
+	* sl.c: Move command line split to function `sl_make_argv'.
+
+Tue Feb  3 16:45:44 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* sl.c: Add sl_command_loop, that is the loop body of sl_loop.
+
+Mon Oct 20 01:13:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* sl.c (sl_help): actually use the `help' field of `SL_cmd'
+
diff --git a/crypto/heimdal/lib/sl/Makefile.am b/crypto/heimdal/lib/sl/Makefile.am
new file mode 100644
index 0000000..07faf4e
--- /dev/null
+++ b/crypto/heimdal/lib/sl/Makefile.am
@@ -0,0 +1,50 @@
+# $Id: Makefile.am,v 1.24 2001/05/16 23:58:12 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+if do_roken_rename
+IS = -DROKEN_RENAME
+ES = strtok_r.c snprintf.c strdup.c strupr.c
+endif
+
+INCLUDES += $(IS)
+
+YFLAGS = -d
+
+include_HEADERS = sl.h
+
+lib_LTLIBRARIES = libsl.la libss.la
+libsl_la_LDFLAGS = -version-info 1:2:1
+libss_la_LDFLAGS = -version-info 1:4:1
+
+libsl_la_LIBADD = @LIB_readline@
+libss_la_LIBADD = @LIB_readline@
+
+libsl_la_SOURCES = sl_locl.h sl.c $(ES)
+libss_la_SOURCES = $(libsl_la_SOURCES) ss.c ss.h
+
+# install these?
+
+bin_PROGRAMS = mk_cmds
+
+mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l $(ES)
+
+ssincludedir = $(includedir)/ss
+ssinclude_HEADERS = ss.h
+
+CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c strdup.c strupr.c
+
+$(mk_cmds_OBJECTS): parse.h
+
+LDADD =						\
+	$(LIB_roken)				\
+	$(LEXLIB)
+
+strtok_r.c:
+	$(LN_S) $(srcdir)/../roken/strtok_r.c .
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
+strdup.c:
+	$(LN_S) $(srcdir)/../roken/strdup.c .
+strupr.c:
+	$(LN_S) $(srcdir)/../roken/strupr.c .
diff --git a/crypto/heimdal/lib/sl/Makefile.in b/crypto/heimdal/lib/sl/Makefile.in
new file mode 100644
index 0000000..0f59a37
--- /dev/null
+++ b/crypto/heimdal/lib/sl/Makefile.in
@@ -0,0 +1,717 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.24 2001/05/16 23:58:12 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(IS)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+@do_roken_rename_TRUE@IS = @do_roken_rename_TRUE@-DROKEN_RENAME
+@do_roken_rename_TRUE@ES = @do_roken_rename_TRUE@strtok_r.c snprintf.c strdup.c strupr.c
+
+YFLAGS = -d
+
+include_HEADERS = sl.h
+
+lib_LTLIBRARIES = libsl.la libss.la
+libsl_la_LDFLAGS = -version-info 1:2:1
+libss_la_LDFLAGS = -version-info 1:4:1
+
+libsl_la_LIBADD = @LIB_readline@
+libss_la_LIBADD = @LIB_readline@
+
+libsl_la_SOURCES = sl_locl.h sl.c $(ES)
+libss_la_SOURCES = $(libsl_la_SOURCES) ss.c ss.h
+
+# install these?
+
+bin_PROGRAMS = mk_cmds
+
+mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l $(ES)
+
+ssincludedir = $(includedir)/ss
+ssinclude_HEADERS = ss.h
+
+CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c strdup.c strupr.c
+
+LDADD = \
+	$(LIB_roken)				\
+	$(LEXLIB)
+
+subdir = lib/sl
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(lib_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libsl_la_DEPENDENCIES = 
+@do_roken_rename_FALSE@am_libsl_la_OBJECTS =  sl.lo
+@do_roken_rename_TRUE@am_libsl_la_OBJECTS =  sl.lo strtok_r.lo \
+@do_roken_rename_TRUE@snprintf.lo strdup.lo strupr.lo
+libsl_la_OBJECTS =  $(am_libsl_la_OBJECTS)
+libss_la_DEPENDENCIES = 
+@do_roken_rename_FALSE@am_libss_la_OBJECTS =  sl.lo ss.lo
+@do_roken_rename_TRUE@am_libss_la_OBJECTS =  sl.lo strtok_r.lo \
+@do_roken_rename_TRUE@snprintf.lo strdup.lo strupr.lo ss.lo
+libss_la_OBJECTS =  $(am_libss_la_OBJECTS)
+bin_PROGRAMS =  mk_cmds$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+@do_roken_rename_FALSE@am_mk_cmds_OBJECTS =  make_cmds.$(OBJEXT) \
+@do_roken_rename_FALSE@parse.$(OBJEXT) lex.$(OBJEXT)
+@do_roken_rename_TRUE@am_mk_cmds_OBJECTS =  make_cmds.$(OBJEXT) \
+@do_roken_rename_TRUE@parse.$(OBJEXT) lex.$(OBJEXT) strtok_r.$(OBJEXT) \
+@do_roken_rename_TRUE@snprintf.$(OBJEXT) strdup.$(OBJEXT) \
+@do_roken_rename_TRUE@strupr.$(OBJEXT)
+mk_cmds_OBJECTS =  $(am_mk_cmds_OBJECTS)
+mk_cmds_LDADD = $(LDADD)
+mk_cmds_DEPENDENCIES = 
+mk_cmds_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libsl_la_SOURCES) $(libss_la_SOURCES) \
+$(mk_cmds_SOURCES)
+HEADERS =  $(include_HEADERS) $(ssinclude_HEADERS)
+
+depcomp = 
+DIST_COMMON =  $(include_HEADERS) $(ssinclude_HEADERS) ChangeLog \
+Makefile.am Makefile.in lex.c parse.c parse.h
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libsl_la_SOURCES) $(libss_la_SOURCES) $(mk_cmds_SOURCES)
+OBJECTS = $(am_libsl_la_OBJECTS) $(am_libss_la_OBJECTS) $(am_mk_cmds_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .l .lo .o .obj .y
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/sl/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libLTLIBRARIES:
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+
+distclean-libLTLIBRARIES:
+
+maintainer-clean-libLTLIBRARIES:
+
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libdir)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libdir)/$$p; \
+	  else :; fi; \
+	done
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	  echo " $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p"; \
+	  $(LIBTOOL)  --mode=uninstall rm -f $(DESTDIR)$(libdir)/$$p; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libsl.la: $(libsl_la_OBJECTS) $(libsl_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libsl_la_LDFLAGS) $(libsl_la_OBJECTS) $(libsl_la_LIBADD) $(LIBS)
+
+libss.la: $(libss_la_OBJECTS) $(libss_la_DEPENDENCIES)
+	$(LINK) -rpath $(libdir) $(libss_la_LDFLAGS) $(libss_la_OBJECTS) $(libss_la_LIBADD) $(LIBS)
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mk_cmds$(EXEEXT): $(mk_cmds_OBJECTS) $(mk_cmds_DEPENDENCIES)
+	@rm -f mk_cmds$(EXEEXT)
+	$(LINK) $(mk_cmds_LDFLAGS) $(mk_cmds_OBJECTS) $(mk_cmds_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+.l.c:
+	$(LEX) $(AM_LFLAGS) $(LFLAGS) $< && mv $(LEX_OUTPUT_ROOT).c $@
+.y.c:
+	$(YACC) $(AM_YFLAGS) $(YFLAGS) $< && mv y.tab.c $*.c
+	if test -f y.tab.h; then \
+	if cmp -s y.tab.h $*.h; then rm -f y.tab.h; else mv y.tab.h $*.h; fi; \
+	else :; fi
+parse.h: parse.c
+
+
+install-includeHEADERS: $(include_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(includedir)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(includedir)/$$f; \
+	done
+
+uninstall-includeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(include_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(includedir)/$$f"; \
+	  rm -f $(DESTDIR)$(includedir)/$$f; \
+	done
+
+install-ssincludeHEADERS: $(ssinclude_HEADERS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(ssincludedir)
+	@list='$(ssinclude_HEADERS)'; for p in $$list; do \
+	  if test -f "$$p"; then d= ; else d="$(srcdir)/"; fi; \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " $(INSTALL_DATA) $$d$$p $(DESTDIR)$(ssincludedir)/$$f"; \
+	  $(INSTALL_DATA) $$d$$p $(DESTDIR)$(ssincludedir)/$$f; \
+	done
+
+uninstall-ssincludeHEADERS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ssinclude_HEADERS)'; for p in $$list; do \
+	  f="`echo $$p | sed -e 's|^.*/||'`"; \
+	  echo " rm -f $(DESTDIR)$(ssincludedir)/$$f"; \
+	  rm -f $(DESTDIR)$(ssincludedir)/$$f; \
+	done
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-binPROGRAMS: install-libLTLIBRARIES
+
+install-exec-am: install-libLTLIBRARIES install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-includeHEADERS install-ssincludeHEADERS \
+		install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libLTLIBRARIES uninstall-binPROGRAMS \
+		uninstall-includeHEADERS uninstall-ssincludeHEADERS
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(HEADERS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) \
+		$(DESTDIR)$(includedir) $(DESTDIR)$(ssincludedir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+	-test -z "lex.cparse.hparse.c" || rm -f lex.c parse.h parse.c
+mostlyclean-am:  mostlyclean-libLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-binPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libLTLIBRARIES clean-compile clean-libtool \
+		clean-binPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-binPROGRAMS distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-binPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libLTLIBRARIES distclean-libLTLIBRARIES \
+clean-libLTLIBRARIES maintainer-clean-libLTLIBRARIES \
+uninstall-libLTLIBRARIES install-libLTLIBRARIES mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool mostlyclean-binPROGRAMS distclean-binPROGRAMS \
+clean-binPROGRAMS maintainer-clean-binPROGRAMS uninstall-binPROGRAMS \
+install-binPROGRAMS uninstall-includeHEADERS install-includeHEADERS \
+uninstall-ssincludeHEADERS install-ssincludeHEADERS tags \
+mostlyclean-tags distclean-tags clean-tags maintainer-clean-tags \
+distdir info-am info dvi-am dvi check-local check check-am \
+installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+$(mk_cmds_OBJECTS): parse.h
+
+strtok_r.c:
+	$(LN_S) $(srcdir)/../roken/strtok_r.c .
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
+strdup.c:
+	$(LN_S) $(srcdir)/../roken/strdup.c .
+strupr.c:
+	$(LN_S) $(srcdir)/../roken/strupr.c .
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/sl/lex.l b/crypto/heimdal/lib/sl/lex.l
new file mode 100644
index 0000000..c83e5d1
--- /dev/null
+++ b/crypto/heimdal/lib/sl/lex.l
@@ -0,0 +1,117 @@
+%{
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#undef ECHO
+
+#include "make_cmds.h"
+#include "parse.h"
+
+RCSID("$Id: lex.l,v 1.5 2000/12/05 09:21:46 joda Exp $");
+
+static unsigned lineno = 1;
+static int getstring(void);
+
+#define YY_NO_UNPUT
+
+%}
+
+
+%%
+command_table		{ return TABLE; }
+request			{ return REQUEST; }
+unknown			{ return UNKNOWN; }
+unimplemented		{ return UNIMPLEMENTED; }
+end			{ return END; }
+#[^\n]*			;
+[ \t]			;
+\n			{ lineno++; }
+\"			{ return getstring(); }
+[a-zA-Z0-9_]+		{ yylval.string = strdup(yytext); return STRING; }
+.			{ return *yytext; }
+%%
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+static int
+getstring(void)
+{
+    char x[128];
+    int i = 0;
+    int c;
+    int backslash = 0;
+    while((c = input()) != EOF){
+	if(backslash) {
+	    if(c == 'n')
+		c = '\n';
+	    else if(c == 't')
+		c = '\t';
+	    x[i++] = c;
+	    backslash = 0;
+	    continue;
+	}
+	if(c == '\n'){
+	    error_message("unterminated string");
+	    lineno++;
+	    break;
+	}
+	if(c == '\\'){
+	    backslash++;
+	    continue;
+	}
+	if(c == '\"')
+	    break;
+	x[i++] = c;
+    }
+    x[i] = '\0';
+    yylval.string = strdup(x);
+    return STRING;
+}
+
+void
+error_message (const char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d: ", filename, lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+     numerror++;
+}
diff --git a/crypto/heimdal/lib/sl/make_cmds.c b/crypto/heimdal/lib/sl/make_cmds.c
new file mode 100644
index 0000000..723dfdc
--- /dev/null
+++ b/crypto/heimdal/lib/sl/make_cmds.c
@@ -0,0 +1,240 @@
+/*
+ * Copyright (c) 1998-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "make_cmds.h"
+#include <getarg.h>
+
+RCSID("$Id: make_cmds.c,v 1.7 2001/02/20 01:44:55 assar Exp $");
+
+#include <roken.h>
+#include <err.h>
+#include "parse.h"
+
+int numerror;
+extern FILE *yyin;
+FILE *c_file;
+
+extern void yyparse(void);
+
+#ifdef YYDEBUG
+extern int yydebug = 1;
+#endif
+
+char *filename;
+char *table_name;
+
+static struct command_list *commands;
+
+void
+add_command(char *function, 
+	    char *help, 
+	    struct string_list *aliases, 
+	    unsigned flags)
+{
+    struct command_list *cl = malloc(sizeof(*cl));
+
+    if (cl == NULL)
+	err (1, "malloc");
+    cl->function = function;
+    cl->help = help;
+    cl->aliases = aliases;
+    cl->flags = flags;
+    cl->next = NULL;
+    if(commands) {
+	*commands->tail = cl;
+	commands->tail = &cl->next;
+	return;
+    }
+    cl->tail = &cl->next;
+    commands = cl;
+}
+
+static char *
+quote(const char *str)
+{
+    char buf[1024]; /* XXX */
+    const char *p;
+    char *q;
+    q = buf;
+    
+    *q++ = '\"';
+    for(p = str; *p != '\0'; p++) {
+	if(*p == '\n') {
+	    *q++ = '\\';
+	    *q++ = 'n';
+	    continue;
+	}
+	if(*p == '\t') {
+	    *q++ = '\\';
+	    *q++ = 't';
+	    continue;
+	}
+	if(*p == '\"' || *p == '\\')
+	    *q++ = '\\';
+	*q++ = *p;
+    }
+    *q++ = '\"';
+    *q++ = '\0';
+    return strdup(buf);
+}
+
+static void
+generate_commands(void)
+{
+    char *base;
+    char *cfn;
+    char *p;
+
+    p = strrchr(table_name, '/');
+    if(p == NULL)
+	p = table_name;
+    else
+	p++;
+
+    base = strdup (p);
+    if (base == NULL)
+	err (1, "strdup");
+
+    p = strrchr(base, '.');
+    if(p)
+	*p = '\0';
+    
+    asprintf(&cfn, "%s.c", base);
+    if (cfn == NULL)
+	err (1, "asprintf");
+
+    c_file = fopen(cfn, "w");
+    if (c_file == NULL)
+	err (1, "cannot fopen %s", cfn);
+    
+    fprintf(c_file, "/* Generated from %s */\n", filename);
+    fprintf(c_file, "\n");
+    fprintf(c_file, "#include <stddef.h>\n");
+    fprintf(c_file, "#include <sl.h>\n");
+    fprintf(c_file, "\n");
+
+    {
+	struct command_list *cl, *xl;
+	char *p, *q;
+
+	for(cl = commands; cl; cl = cl->next) {
+	    for(xl = commands; xl != cl; xl = xl->next)
+		if(strcmp(cl->function, xl->function) == 0)
+		    break;
+	    if(xl != cl)
+		continue;
+	    /* XXX hack for ss_quit */
+	    if(strcmp(cl->function, "ss_quit") == 0) {
+		fprintf(c_file, "int %s (int, char**);\n", cl->function);
+		fprintf(c_file, "#define _ss_quit_wrap ss_quit\n\n"); 
+		continue;
+	    }
+	    fprintf(c_file, "void %s (int, char**);\n", cl->function);
+	    fprintf(c_file, "static int _%s_wrap (int argc, char **argv)\n", 
+		    cl->function);
+	    fprintf(c_file, "{\n");
+	    fprintf(c_file, "  %s (argc, argv);\n", cl->function);
+	    fprintf(c_file, "  return 0;\n");
+	    fprintf(c_file, "}\n\n");
+	}
+
+	fprintf(c_file, "SL_cmd %s[] = {\n", table_name);
+	for(cl = commands; cl; cl = cl->next) {
+	    struct string_list *sl;
+	    sl = cl->aliases;
+	    p = quote(sl->string);
+	    q = quote(cl->help);
+	    fprintf(c_file, "  { %s, _%s_wrap, %s },\n", p, cl->function, q);
+	    free(p);
+	    free(q);
+    
+	    for(sl = sl->next; sl; sl = sl->next) {
+		p = quote(sl->string);
+		fprintf(c_file, "  { %s },\n", p);
+		free(p);
+	    }
+	}
+	fprintf(c_file, "  { NULL },\n");
+	fprintf(c_file, "};\n");
+	fprintf(c_file, "\n");
+    }
+    fclose(c_file);
+    free(base);
+    free(cfn);
+}
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "command-table");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+
+    setprogname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(argc == optind)
+	usage(1);
+    filename = argv[optind];
+    yyin = fopen(filename, "r");
+    if(yyin == NULL)
+	err(1, "%s", filename);
+    
+    yyparse();
+    
+    generate_commands();
+
+    if(numerror)
+	return 1;
+    return 0;
+}
diff --git a/crypto/heimdal/lib/sl/make_cmds.h b/crypto/heimdal/lib/sl/make_cmds.h
new file mode 100644
index 0000000..6d64d97
--- /dev/null
+++ b/crypto/heimdal/lib/sl/make_cmds.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: make_cmds.h,v 1.3 2000/06/27 02:36:56 assar Exp $ */
+
+#ifndef __MAKE_CMDS_H__
+#define __MAKE_CMDS_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <roken.h>
+
+extern char *filename;
+extern char *table_name;
+extern int numerror;
+
+struct command_list {
+    char *function;
+    char *help;
+    struct string_list *aliases;
+    unsigned flags;
+    struct command_list *next;
+    struct command_list **tail;
+};
+
+struct string_list {
+    char *string;
+    struct string_list *next;
+    struct string_list **tail;
+};
+
+void add_command(char*, char*, struct string_list*, unsigned);
+
+void error_message(const char *, ...)
+    __attribute__ ((format (printf, 1,2)));
+
+int yylex (void);
+
+#endif /* __MAKE_CMDS_H__ */
diff --git a/crypto/heimdal/lib/sl/parse.y b/crypto/heimdal/lib/sl/parse.y
new file mode 100644
index 0000000..deff933
--- /dev/null
+++ b/crypto/heimdal/lib/sl/parse.y
@@ -0,0 +1,167 @@
+%{
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "make_cmds.h"
+RCSID("$Id: parse.y,v 1.7 2000/06/27 02:37:18 assar Exp $");
+
+static void yyerror (char *s);
+
+struct string_list* append_string(struct string_list*, char*);
+void free_string_list(struct string_list *list);
+unsigned string_to_flag(const char *);
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+%}
+
+%union {
+  char *string;
+  unsigned number;
+  struct string_list *list;
+}
+
+%token TABLE REQUEST UNKNOWN UNIMPLEMENTED END
+%token <string> STRING
+%type <number> flag flags
+%type <list> aliases
+
+%%
+
+file		: /* */ 
+		| statements
+		;
+
+statements	: statement
+		| statements statement
+		;
+
+statement	: TABLE STRING ';'
+		{
+		    table_name = $2;
+		}
+		| REQUEST STRING ',' STRING ',' aliases ',' '(' flags ')' ';'
+		{
+		    add_command($2, $4, $6, $9);
+		}
+		| REQUEST STRING ',' STRING ',' aliases ';'
+		{
+		    add_command($2, $4, $6, 0);
+		}
+		| UNIMPLEMENTED STRING ',' STRING ',' aliases ';'
+		{
+		    free($2);
+		    free($4);
+		    free_string_list($6);
+		}
+		| UNKNOWN aliases ';'
+		{
+		    free_string_list($2);
+		}
+		| END ';'
+		{
+		    YYACCEPT;
+		}
+		;
+
+aliases		: STRING
+		{
+		    $$ = append_string(NULL, $1);
+		}
+		| aliases ',' STRING
+		{
+		    $$ = append_string($1, $3);
+		}
+		;
+
+flags		: flag
+		{
+		    $$ = $1;
+		}
+		| flags ',' flag
+		{
+		    $$ = $1 | $3;
+		}
+		;
+flag		: STRING
+		{
+		    $$ = string_to_flag($1);
+		    free($1);
+		}
+		;
+
+
+
+%%
+
+static void
+yyerror (char *s)
+{
+    error_message ("%s\n", s);
+}
+
+struct string_list*
+append_string(struct string_list *list, char *str)
+{
+    struct string_list *sl = malloc(sizeof(*sl));
+    sl->string = str;
+    sl->next = NULL;
+    if(list) {
+	*list->tail = sl;
+	list->tail = &sl->next;
+	return list;
+    }
+    sl->tail = &sl->next;
+    return sl;
+}
+
+void
+free_string_list(struct string_list *list)
+{
+    while(list) {
+	struct string_list *sl = list->next;
+	free(list->string);
+	free(list);
+	list = sl;
+    }
+}
+
+unsigned
+string_to_flag(const char *string)
+{
+    return 0;
+}
diff --git a/crypto/heimdal/lib/sl/roken_rename.h b/crypto/heimdal/lib/sl/roken_rename.h
new file mode 100644
index 0000000..17837fb
--- /dev/null
+++ b/crypto/heimdal/lib/sl/roken_rename.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.5 2001/05/06 21:47:54 assar Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+#ifndef HAVE_STRTOK_R
+#define strtok_r _sl_strtok_r
+#endif
+#ifndef HAVE_SNPRINTF
+#define snprintf _sl_snprintf
+#endif
+#ifndef HAVE_ASPRINTF
+#define asprintf _sl_asprintf
+#endif
+#ifndef HAVE_ASNPRINTF
+#define asnprintf _sl_asnprintf
+#endif
+#ifndef HAVE_VASPRINTF
+#define vasprintf _sl_vasprintf
+#endif
+#ifndef HAVE_VASNPRINTF
+#define vasnprintf _sl_vasnprintf
+#endif
+#ifndef HAVE_VSNPRINTF
+#define vsnprintf _sl_vsnprintf
+#endif
+#ifndef HAVE_STRUPR
+#define strupr _sl_strupr
+#endif
+#ifndef HAVE_STRDUP
+#define strdup _sl_strdup
+#endif
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/sl/sl.c b/crypto/heimdal/lib/sl/sl.c
new file mode 100644
index 0000000..98b101c
--- /dev/null
+++ b/crypto/heimdal/lib/sl/sl.c
@@ -0,0 +1,346 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: sl.c,v 1.29 2001/02/20 01:44:55 assar Exp $");
+#endif
+
+#include "sl_locl.h"
+#include <setjmp.h>
+
+static size_t
+print_sl (FILE *stream, int mdoc, int longp, SL_cmd *c)
+    __attribute__ ((unused));
+
+static size_t
+print_sl (FILE *stream, int mdoc, int longp, SL_cmd *c)
+{
+    if(mdoc){
+	if(longp)
+	    fprintf(stream, "= Ns");
+	fprintf(stream, " Ar ");
+    }else
+	if (longp)
+	    putc ('=', stream);
+	else
+	    putc (' ', stream);
+
+    return 1;
+}
+
+static void
+mandoc_template(SL_cmd *cmds,
+		const char *extra_string)
+{
+    SL_cmd *c, *prev;
+    char timestr[64], cmd[64];
+    const char *p;
+    time_t t;
+
+    printf(".\\\" Things to fix:\n");
+    printf(".\\\"   * correct section, and operating system\n");
+    printf(".\\\"   * remove Op from mandatory flags\n");
+    printf(".\\\"   * use better macros for arguments (like .Pa for files)\n");
+    printf(".\\\"\n");
+    t = time(NULL);
+    strftime(timestr, sizeof(timestr), "%b %d, %Y", localtime(&t));
+    printf(".Dd %s\n", timestr);
+    p = strrchr(getprogname(), '/');
+    if(p) p++; else p = getprogname();
+    strncpy(cmd, p, sizeof(cmd));
+    cmd[sizeof(cmd)-1] = '\0';
+    strupr(cmd);
+       
+    printf(".Dt %s SECTION\n", cmd);
+    printf(".Os OPERATING_SYSTEM\n");
+    printf(".Sh NAME\n");
+    printf(".Nm %s\n", p);
+    printf(".Nd\n");
+    printf("in search of a description\n");
+    printf(".Sh SYNOPSIS\n");
+    printf(".Nm\n");
+    for(c = cmds; c->name; ++c) {
+/*	if (c->func == NULL)
+	    continue; */
+	printf(".Op Fl %s", c->name);
+/*	print_sl(stdout, 1, 0, c);*/
+	printf("\n");
+	
+    }
+    if (extra_string && *extra_string)
+	printf (".Ar %s\n", extra_string);
+    printf(".Sh DESCRIPTION\n");
+    printf("Supported options:\n");
+    printf(".Bl -tag -width Ds\n");
+    prev = NULL;
+    for(c = cmds; c->name; ++c) {
+	if (c->func) {
+	    if (prev)
+		printf ("\n%s\n", prev->usage);
+
+	    printf (".It Fl %s", c->name);
+	    prev = c;
+	} else
+	    printf (", %s\n", c->name);
+    }
+    if (prev)
+	printf ("\n%s\n", prev->usage);
+
+    printf(".El\n");
+    printf(".\\\".Sh ENVIRONMENT\n");
+    printf(".\\\".Sh FILES\n");
+    printf(".\\\".Sh EXAMPLES\n");
+    printf(".\\\".Sh DIAGNOSTICS\n");
+    printf(".\\\".Sh SEE ALSO\n");
+    printf(".\\\".Sh STANDARDS\n");
+    printf(".\\\".Sh HISTORY\n");
+    printf(".\\\".Sh AUTHORS\n");
+    printf(".\\\".Sh BUGS\n");
+}
+
+static SL_cmd *
+sl_match (SL_cmd *cmds, char *cmd, int exactp)
+{
+    SL_cmd *c, *current = NULL, *partial_cmd = NULL;
+    int partial_match = 0;
+
+    for (c = cmds; c->name; ++c) {
+	if (c->func)
+	    current = c;
+	if (strcmp (cmd, c->name) == 0)
+	    return current;
+	else if (strncmp (cmd, c->name, strlen(cmd)) == 0 &&
+		 partial_cmd != current) {
+	    ++partial_match;
+	    partial_cmd = current;
+	}
+    }
+    if (partial_match == 1 && !exactp)
+	return partial_cmd;
+    else
+	return NULL;
+}
+
+void
+sl_help (SL_cmd *cmds, int argc, char **argv)
+{
+    SL_cmd *c, *prev_c;
+
+    if (getenv("SLMANDOC")) {
+	mandoc_template(cmds, NULL);
+	return;
+    }
+
+    if (argc == 1) {
+	prev_c = NULL;
+	for (c = cmds; c->name; ++c) {
+	    if (c->func) {
+		if(prev_c)
+		    printf ("\n\t%s%s", prev_c->usage ? prev_c->usage : "",
+			    prev_c->usage ? "\n" : "");
+		prev_c = c;
+		printf ("%s", c->name);
+	    } else
+		printf (", %s", c->name);
+	}
+	if(prev_c)
+	    printf ("\n\t%s%s", prev_c->usage ? prev_c->usage : "",
+		    prev_c->usage ? "\n" : "");
+    } else { 
+	c = sl_match (cmds, argv[1], 0);
+	if (c == NULL)
+	    printf ("No such command: %s. "
+		    "Try \"help\" for a list of all commands\n",
+		    argv[1]);
+	else {
+	    printf ("%s\t%s\n", c->name, c->usage);
+	    if(c->help && *c->help)
+		printf ("%s\n", c->help);
+	    if((++c)->name && c->func == NULL) {
+		printf ("Synonyms:");
+		while (c->name && c->func == NULL)
+		    printf ("\t%s", (c++)->name);
+		printf ("\n");
+	    }
+	}
+    }
+}
+
+#ifdef HAVE_READLINE
+
+char *readline(char *prompt);
+void add_history(char *p);
+
+#else
+
+static char *
+readline(char *prompt)
+{
+    char buf[BUFSIZ];
+    printf ("%s", prompt);
+    fflush (stdout);
+    if(fgets(buf, sizeof(buf), stdin) == NULL)
+	return NULL;
+    if (buf[strlen(buf) - 1] == '\n')
+	buf[strlen(buf) - 1] = '\0';
+    return strdup(buf);
+}
+
+static void
+add_history(char *p)
+{
+}
+
+#endif
+
+int
+sl_command(SL_cmd *cmds, int argc, char **argv)
+{
+    SL_cmd *c;
+    c = sl_match (cmds, argv[0], 0);
+    if (c == NULL)
+	return -1;
+    return (*c->func)(argc, argv);
+}
+
+struct sl_data {
+    int max_count;
+    char **ptr;
+};
+
+int
+sl_make_argv(char *line, int *ret_argc, char ***ret_argv)
+{
+    char *foo = NULL;
+    char *p;
+    int argc, nargv;
+    char **argv;
+    
+    nargv = 10;
+    argv = malloc(nargv * sizeof(*argv));
+    if(argv == NULL)
+	return ENOMEM;
+    argc = 0;
+
+    for(p = strtok_r (line, " \t", &foo);
+	p;
+	p = strtok_r (NULL, " \t", &foo)) {
+	if(argc == nargv - 1) {
+	    char **tmp;
+	    nargv *= 2;
+	    tmp = realloc (argv, nargv * sizeof(*argv));
+	    if (tmp == NULL) {
+		free(argv);
+		return ENOMEM;
+	    }
+	    argv = tmp;
+	}
+	argv[argc++] = p;
+    }
+    argv[argc] = NULL;
+    *ret_argc = argc;
+    *ret_argv = argv;
+    return 0;
+}
+
+static jmp_buf sl_jmp;
+
+static void sl_sigint(int sig)
+{
+    longjmp(sl_jmp, 1);
+}
+
+static char *sl_readline(const char *prompt)
+{
+    char *s;
+    void (*old)(int);
+    old = signal(SIGINT, sl_sigint);
+    if(setjmp(sl_jmp))
+	printf("\n");
+    s = readline((char*)prompt);
+    signal(SIGINT, old);
+    return s;
+}
+
+/* return values: 0 on success, -1 on fatal error, or return value of command */
+int
+sl_command_loop(SL_cmd *cmds, const char *prompt, void **data)
+{
+    int ret = 0;
+    char *buf;
+    int argc;
+    char **argv;
+	
+    ret = 0;
+    buf = sl_readline(prompt);
+    if(buf == NULL)
+	return 1;
+
+    if(*buf)
+	add_history(buf);
+    ret = sl_make_argv(buf, &argc, &argv);
+    if(ret) {
+	fprintf(stderr, "sl_loop: out of memory\n");
+	free(buf);
+	return -1;
+    }
+    if (argc >= 1) {
+	ret = sl_command(cmds, argc, argv);
+	if(ret == -1) {
+	    printf ("Unrecognized command: %s\n", argv[0]);
+	    ret = 0;
+	}
+    }
+    free(buf);
+    free(argv);
+    return ret;
+}
+
+int 
+sl_loop(SL_cmd *cmds, const char *prompt)
+{
+    void *data = NULL;
+    int ret;
+    while((ret = sl_command_loop(cmds, prompt, &data)) == 0)
+	;
+    return ret;
+}
+
+void
+sl_apropos (SL_cmd *cmd, const char *topic)
+{
+    for (; cmd->name != NULL; ++cmd)
+        if (cmd->usage != NULL && strstr(cmd->usage, topic) != NULL)
+	    printf ("%-20s%s\n", cmd->name, cmd->usage);
+}
diff --git a/crypto/heimdal/lib/sl/sl.h b/crypto/heimdal/lib/sl/sl.h
new file mode 100644
index 0000000..5b3e4b7
--- /dev/null
+++ b/crypto/heimdal/lib/sl/sl.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: sl.h,v 1.9 2001/01/26 14:58:41 joda Exp $ */
+
+#ifndef _SL_H
+#define _SL_H
+
+#define SL_BADCOMMAND -1
+
+typedef int (*cmd_func)(int, char **);
+
+struct sl_cmd {
+  char *name;
+  cmd_func func;
+  char *usage;
+  char *help;
+};
+
+typedef struct sl_cmd SL_cmd;
+
+void sl_help (SL_cmd *, int argc, char **argv);
+int  sl_loop (SL_cmd *, const char *prompt);
+int  sl_command_loop (SL_cmd *cmds, const char *prompt, void **data);
+int  sl_command (SL_cmd *cmds, int argc, char **argv);
+int sl_make_argv(char*, int*, char***);
+void sl_apropos (SL_cmd *cmd, const char *topic);
+
+
+#endif /* _SL_H */
diff --git a/crypto/heimdal/lib/sl/sl_locl.h b/crypto/heimdal/lib/sl/sl_locl.h
new file mode 100644
index 0000000..4bd9660
--- /dev/null
+++ b/crypto/heimdal/lib/sl/sl_locl.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: sl_locl.h,v 1.6 1999/12/02 16:58:55 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+#include <roken.h>
+
+#include <sl.h>
diff --git a/crypto/heimdal/lib/sl/ss.c b/crypto/heimdal/lib/sl/ss.c
new file mode 100644
index 0000000..7655a9e
--- /dev/null
+++ b/crypto/heimdal/lib/sl/ss.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "sl_locl.h"
+#include <com_err.h>
+#include "ss.h"
+
+RCSID("$Id: ss.c,v 1.6 2000/05/25 00:14:58 assar Exp $");
+
+struct ss_subst {
+    char *name;
+    char *version;
+    char *info;
+    ss_request_table *table;
+};
+
+static struct ss_subst subsystems[2];
+static int num_subsystems;
+
+int
+ss_create_invocation(const char *subsystem, 
+		     const char *version, 
+		     const char *info, 
+		     ss_request_table *table, 
+		     int *code)
+{
+    struct ss_subst *ss;
+
+    if(num_subsystems >= sizeof(subsystems) / sizeof(subsystems[0])) {
+	*code = 17;
+	return 0;
+    }
+    ss = &subsystems[num_subsystems];
+    ss->name = ss->version = ss->info = NULL;
+    if (subsystem != NULL) {
+	ss->name = strdup (subsystem);
+	if (ss->name == NULL) {
+	    *code = ENOMEM;
+	    return 0;
+	}
+    }
+    if (version != NULL) {
+	ss->version = strdup (version);
+	if (ss->version == NULL) {
+	    *code = ENOMEM;
+	    return 0;
+	}
+    }
+    if (info != NULL) {
+	ss->info = strdup (info);
+	if (ss->info == NULL) {
+	    *code = ENOMEM;
+	    return 0;
+	}
+    }
+    ss->table = table;
+    *code = 0;
+    return num_subsystems++;
+}
+
+void
+ss_error (int index, long code, const char *fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    com_err_va (subsystems[index].name, code, fmt, ap);
+    va_end(ap);
+}
+
+void
+ss_perror (int index, long code, const char *msg)
+{
+    ss_error(index, code, "%s", msg);
+}
+
+int
+ss_execute_command(int index, char **argv)
+{
+    int argc = 0;
+    int ret;
+
+    while(argv[argc++]);
+    ret = sl_command(subsystems[index].table, argc, argv);
+    if (ret == SL_BADCOMMAND)
+	return SS_ET_COMMAND_NOT_FOUND;
+    return 0;
+}
+
+int
+ss_execute_line (int index, const char *line)
+{
+    char *buf = strdup(line);
+    int argc;
+    char **argv;
+    int ret;
+    
+    if (buf == NULL)
+	return ENOMEM;
+    sl_make_argv(buf, &argc, &argv);
+    ret = sl_command(subsystems[index].table, argc, argv);
+    free(buf);
+    if (ret == SL_BADCOMMAND)
+	return SS_ET_COMMAND_NOT_FOUND;
+    return 0;
+}
+
+int
+ss_listen (int index)
+{
+    char *prompt = malloc(strlen(subsystems[index].name) + 3);
+    if (prompt == NULL)
+	return ENOMEM;
+
+    strcpy(prompt, subsystems[index].name);
+    strcat(prompt, ": ");
+    sl_loop(subsystems[index].table, prompt);
+    free(prompt);
+    return 0;
+}
+
+int
+ss_list_requests(int argc, char **argv /* , int index, void *info */)
+{
+    sl_help(subsystems[0 /* index */].table, argc, argv);
+    return 0;
+}
+
+int
+ss_quit(int argc, char **argv)
+{
+    return 1;
+}
diff --git a/crypto/heimdal/lib/sl/ss.h b/crypto/heimdal/lib/sl/ss.h
new file mode 100644
index 0000000..0149fa1
--- /dev/null
+++ b/crypto/heimdal/lib/sl/ss.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: ss.h,v 1.3 2000/05/25 00:15:21 assar Exp $ */
+
+/* SS compatibility for SL */
+
+#ifndef __ss_h__
+#define __ss_h__
+
+#include <sl.h>
+
+typedef SL_cmd ss_request_table;
+
+int ss_create_invocation (const char *, const char *, const char*, 
+			  ss_request_table*, int*);
+
+void ss_error (int, long, const char*, ...);
+int ss_execute_command (int, char**);
+int ss_execute_line (int, const char*);
+int ss_list_requests (int argc, char**);
+int ss_listen (int);
+void ss_perror (int, long, const char*);
+int ss_quit (int argc, char**);
+
+#define SS_ET_COMMAND_NOT_FOUND (-1)
+
+#endif /* __ss_h__ */
diff --git a/crypto/heimdal/lib/vers/ChangeLog b/crypto/heimdal/lib/vers/ChangeLog
new file mode 100644
index 0000000..0de5d15
--- /dev/null
+++ b/crypto/heimdal/lib/vers/ChangeLog
@@ -0,0 +1,17 @@
+2001-04-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* print_version.c: 2001
+
+2001-01-31  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: remove -static turning this into a convenience
+	library
+
+2000-11-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: make the library static and don't install it
+
+2000-07-08  Assar Westerlund  <assar@sics.se>
+
+	* make-print-version.c (heimdal_version, krb4_version): const-ize,
+	based on thorpej@netbsd.org's change to NetBSD
diff --git a/crypto/heimdal/lib/vers/Makefile.am b/crypto/heimdal/lib/vers/Makefile.am
new file mode 100644
index 0000000..87ef246
--- /dev/null
+++ b/crypto/heimdal/lib/vers/Makefile.am
@@ -0,0 +1,28 @@
+# $Id: Makefile.am,v 1.3 2001/01/31 03:50:48 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+CLEANFILES		= print_version.h
+
+noinst_LTLIBRARIES	= libvers.la
+
+build_HEADERZ		= vers.h
+
+noinst_PROGRAMS		= make-print-version
+
+if KRB4
+if KRB5
+## need to link with des here; otherwise, if krb4 is shared the link
+## will fail with unresolved references
+make_print_version_LDADD += $(LIB_krb4) -ldes
+endif
+endif
+
+libvers_la_SOURCES	= print_version.c
+
+print_version.lo: print_version.h
+
+print_version.h: make-print-version$(EXEEXT)
+	./make-print-version$(EXEEXT) print_version.h
+
+make-print-version.o: $(top_builddir)/include/version.h
diff --git a/crypto/heimdal/lib/vers/Makefile.in b/crypto/heimdal/lib/vers/Makefile.in
new file mode 100644
index 0000000..1dffc80
--- /dev/null
+++ b/crypto/heimdal/lib/vers/Makefile.in
@@ -0,0 +1,582 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.3 2001/01/31 03:50:48 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+CLEANFILES = print_version.h
+
+noinst_LTLIBRARIES = libvers.la
+
+build_HEADERZ = vers.h
+
+noinst_PROGRAMS = make-print-version
+
+@KRB4_TRUE@@KRB5_TRUE@make_print_version_LDADD = @KRB4_TRUE@@KRB5_TRUE@ $(LIB_krb4) -ldes
+
+libvers_la_SOURCES = print_version.c
+subdir = lib/vers
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+LTLIBRARIES =  $(noinst_LTLIBRARIES)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+libvers_la_LDFLAGS = 
+libvers_la_LIBADD = 
+am_libvers_la_OBJECTS =  print_version.lo
+libvers_la_OBJECTS =  $(am_libvers_la_OBJECTS)
+noinst_PROGRAMS =  make-print-version$(EXEEXT)
+PROGRAMS =  $(noinst_PROGRAMS)
+
+make_print_version_SOURCES = make-print-version.c
+make_print_version_OBJECTS =  make-print-version.$(OBJEXT)
+@KRB4_TRUE@@KRB5_TRUE@make_print_version_DEPENDENCIES = 
+make_print_version_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(libvers_la_SOURCES) make-print-version.c
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(libvers_la_SOURCES) make-print-version.c
+OBJECTS = $(am_libvers_la_OBJECTS) make-print-version.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/vers/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-noinstLTLIBRARIES:
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+
+distclean-noinstLTLIBRARIES:
+
+maintainer-clean-noinstLTLIBRARIES:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+libvers.la: $(libvers_la_OBJECTS) $(libvers_la_DEPENDENCIES)
+	$(LINK)  $(libvers_la_LDFLAGS) $(libvers_la_OBJECTS) $(libvers_la_LIBADD) $(LIBS)
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+make-print-version$(EXEEXT): $(make_print_version_OBJECTS) $(make_print_version_DEPENDENCIES)
+	@rm -f make-print-version$(EXEEXT)
+	$(LINK) $(make_print_version_LDFLAGS) $(make_print_version_OBJECTS) $(make_print_version_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am:
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am:
+uninstall: uninstall-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-noinstLTLIBRARIES mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-noinstPROGRAMS \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-noinstLTLIBRARIES clean-compile clean-libtool \
+		clean-noinstPROGRAMS clean-tags clean-generic \
+		mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-noinstLTLIBRARIES distclean-compile \
+		distclean-libtool distclean-noinstPROGRAMS \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-noinstLTLIBRARIES \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-noinstPROGRAMS maintainer-clean-tags \
+		maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-noinstLTLIBRARIES distclean-noinstLTLIBRARIES \
+clean-noinstLTLIBRARIES maintainer-clean-noinstLTLIBRARIES \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool mostlyclean-noinstPROGRAMS \
+distclean-noinstPROGRAMS clean-noinstPROGRAMS \
+maintainer-clean-noinstPROGRAMS tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+print_version.lo: print_version.h
+
+print_version.h: make-print-version$(EXEEXT)
+	./make-print-version$(EXEEXT) print_version.h
+
+make-print-version.o: $(top_builddir)/include/version.h
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/lib/vers/make-print-version.c b/crypto/heimdal/lib/vers/make-print-version.c
new file mode 100644
index 0000000..6102e75
--- /dev/null
+++ b/crypto/heimdal/lib/vers/make-print-version.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: make-print-version.c,v 1.2 2000/07/08 10:46:36 assar Exp $");
+#endif
+
+#include <stdio.h>
+
+#ifdef KRB5
+extern const char *heimdal_version;
+#endif
+#ifdef KRB4
+extern const char *krb4_version;
+#endif
+#include <version.h>
+
+int
+main(int argc, char **argv)
+{
+    FILE *f;
+    if(argc != 2)
+	return 1;
+    f = fopen(argv[1], "w");
+    if(f == NULL)
+	return 1;
+    fprintf(f, "#define VERSIONLIST { ");
+#ifdef KRB5
+    fprintf(f, "\"%s\", ", heimdal_version);
+#endif
+#ifdef KRB4
+    fprintf(f, "\"%s\", ", krb4_version);
+#endif
+    fprintf(f, "}\n");
+    fclose(f);
+    return 0;
+}
diff --git a/crypto/heimdal/lib/vers/print_version.c b/crypto/heimdal/lib/vers/print_version.c
new file mode 100644
index 0000000..8ece96b
--- /dev/null
+++ b/crypto/heimdal/lib/vers/print_version.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: print_version.c,v 1.3 2001/04/21 16:05:48 joda Exp $");
+#endif
+#include "roken.h"
+
+#include "print_version.h"
+
+void
+print_version(const char *progname)
+{
+    const char *arg[] = VERSIONLIST;
+    const int num_args = sizeof(arg) / sizeof(arg[0]);
+    char *msg;
+    size_t len = 0;
+    int i;
+    
+    if(progname == NULL)
+	progname = getprogname();
+    
+    if(num_args == 0)
+	msg = "no version information";
+    else {
+	for(i = 0; i < num_args; i++) {
+	    if(i > 0)
+		len += 2;
+	    len += strlen(arg[i]);
+	}
+	msg = malloc(len + 1);
+	if(msg == NULL) {
+	    fprintf(stderr, "%s: out of memory\n", progname);
+	    return;
+	}
+	msg[0] = '\0';
+	for(i = 0; i < num_args; i++) {
+	    if(i > 0)
+		strcat(msg, ", ");
+	    strcat(msg, arg[i]);
+	}
+    }
+    fprintf(stderr, "%s (%s)\n", progname, msg);
+    fprintf(stderr, "Copyright (c) 1999-2001 Kungliga Tekniska Högskolan\n");
+    if(num_args != 0)
+	free(msg);
+}
diff --git a/crypto/heimdal/lib/vers/vers.h b/crypto/heimdal/lib/vers/vers.h
new file mode 100644
index 0000000..cc70355
--- /dev/null
+++ b/crypto/heimdal/lib/vers/vers.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: vers.h,v 1.1 2000/07/01 19:47:36 assar Exp $ */
+
+#ifndef __VERS_H__
+#define __VERS_H__
+
+void print_version(const char *);
+
+#endif /*  __VERS_H__ */
diff --git a/crypto/heimdal/ltconfig b/crypto/heimdal/ltconfig
new file mode 100755
index 0000000..335271c
--- /dev/null
+++ b/crypto/heimdal/ltconfig
@@ -0,0 +1,3139 @@
+#! /bin/sh
+
+# ltconfig - Create a system-specific libtool.
+# Copyright (C) 1996-2000 Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# A lot of this script is taken from autoconf-2.10.
+
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+echo=echo
+if test "X$1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
+  shift
+elif test "X$1" = X--fallback-echo; then
+  # Avoid inline document here, it may be left over
+  :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
+  # Yippee, $echo works!
+  :
+else
+  # Restart under the correct shell.
+  exec "$SHELL" "$0" --no-reexec ${1+"$@"}
+fi
+
+if test "X$1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+$*
+EOF
+  exit 0
+fi
+
+# Find the correct PATH separator.  Usually this is `:', but
+# DJGPP uses `;' like DOS.
+if test "X${PATH_SEPARATOR+set}" != Xset; then
+  UNAME=${UNAME-`uname 2>/dev/null`}
+  case X$UNAME in
+    *-DOS) PATH_SEPARATOR=';' ;;
+    *)     PATH_SEPARATOR=':' ;;
+  esac
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+
+if test "X${echo_test_string+set}" != Xset; then
+  # find a string as large as possible, as long as the shell can cope with it
+  for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
+    # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+    if (echo_test_string="`eval $cmd`") 2>/dev/null &&
+       echo_test_string="`eval $cmd`" &&
+       (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null; then
+      break
+    fi
+  done
+fi
+
+if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+   echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+   test "X$echo_testing_string" = "X$echo_test_string"; then
+  :
+else
+  # The Solaris, AIX, and Digital Unix default echo programs unquote
+  # backslashes.  This makes it impossible to quote backslashes using
+  #   echo "$something" | sed 's/\\/\\\\/g'
+  #
+  # So, first we look for a working echo in the user's PATH.
+
+  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR}"
+  for dir in $PATH /usr/ucb; do
+    if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+       test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+       echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+       test "X$echo_testing_string" = "X$echo_test_string"; then
+      echo="$dir/echo"
+      break
+    fi
+  done
+  IFS="$save_ifs"
+
+  if test "X$echo" = Xecho; then
+    # We didn't find a better echo, so look for alternatives.
+    if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
+       echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
+       test "X$echo_testing_string" = "X$echo_test_string"; then
+      # This shell has a builtin print -r that does the trick.
+      echo='print -r'
+    elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
+	 test "X$CONFIG_SHELL" != X/bin/ksh; then
+      # If we have ksh, try running ltconfig again with it.
+      ORIGINAL_CONFIG_SHELL="${CONFIG_SHELL-/bin/sh}"
+      export ORIGINAL_CONFIG_SHELL
+      CONFIG_SHELL=/bin/ksh
+      export CONFIG_SHELL
+      exec "$CONFIG_SHELL" "$0" --no-reexec ${1+"$@"}
+    else
+      # Try using printf.
+      echo='printf %s\n'
+      if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+	 echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+	 test "X$echo_testing_string" = "X$echo_test_string"; then
+	# Cool, printf works
+	:
+      elif echo_testing_string=`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null` &&
+	   test "X$echo_testing_string" = 'X\t' &&
+	   echo_testing_string=`("$ORIGINAL_CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	CONFIG_SHELL="$ORIGINAL_CONFIG_SHELL"
+	export CONFIG_SHELL
+	SHELL="$CONFIG_SHELL"
+	export SHELL
+	echo="$CONFIG_SHELL $0 --fallback-echo"
+      elif echo_testing_string=`("$CONFIG_SHELL" "$0" --fallback-echo '\t') 2>/dev/null` &&
+	   test "X$echo_testing_string" = 'X\t' &&
+	   echo_testing_string=`("$CONFIG_SHELL" "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+	   test "X$echo_testing_string" = "X$echo_test_string"; then
+	echo="$CONFIG_SHELL $0 --fallback-echo"
+      else
+	# maybe with a smaller string...
+	prev=:
+
+	for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
+	  if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null; then
+	    break
+	  fi
+	  prev="$cmd"
+	done
+
+	if test "$prev" != 'sed 50q "$0"'; then
+	  echo_test_string=`eval $prev`
+	  export echo_test_string
+	  exec "${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}}" "$0" ${1+"$@"}
+	else
+	  # Oops.  We lost completely, so just stick with echo.
+	  echo=echo
+	fi
+      fi
+    fi
+  fi
+fi
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e s/^X//'
+sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# The name of this program.
+progname=`$echo "X$0" | $Xsed -e 's%^.*/%%'`
+
+# Constants:
+PROGRAM=ltconfig
+PACKAGE=libtool
+VERSION=1.3c
+TIMESTAMP=" (1.731 2000/07/10 09:42:21)"
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+rm="rm -f"
+
+help="Try \`$progname --help' for more information."
+
+# Global variables:
+default_ofile=libtool
+can_build_shared=yes
+enable_shared=yes
+# All known linkers require a `.a' archive for static linking (except M$VC,
+# which needs '.lib').
+enable_static=yes
+enable_fast_install=yes
+enable_dlopen=unknown
+enable_win32_dll=no
+pic_mode=default
+ltmain=
+silent=
+srcdir=
+ac_config_guess=
+ac_config_sub=
+host=
+build=NONE
+nonopt=NONE
+ofile="$default_ofile"
+verify_host=yes
+with_gcc=no
+with_gnu_ld=no
+need_locks=yes
+ac_ext=c
+libext=a
+cache_file=
+
+old_AR="$AR"
+old_AR_FLAGS="$AR_FLAGS"
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+old_CPPFLAGS="$CPPFLAGS"
+old_LDFLAGS="$LDFLAGS"
+old_LIBS="$LIBS"
+old_MAGIC="$MAGIC"
+old_LD="$LD"
+old_LN_S="$LN_S"
+old_NM="$NM"
+old_RANLIB="$RANLIB"
+old_STRIP="$STRIP"
+old_AS="$AS"
+old_DLLTOOL="$DLLTOOL"
+old_OBJDUMP="$OBJDUMP"
+old_OBJEXT="$OBJEXT"
+old_EXEEXT="$EXEEXT"
+old_reload_Flag="$reload_flag"
+old_deplibs_check_method="$deplibs_check_method"
+old_file_magic_cmd="$file_magic_cmd"
+
+# Parse the command line options.
+args=
+prev=
+for option
+do
+  case "$option" in
+  -*=*) optarg=`echo "$option" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  # If the previous option needs an argument, assign it.
+  if test -n "$prev"; then
+    eval "$prev=\$option"
+    prev=
+    continue
+  fi
+
+  case "$option" in
+  --help) cat <<EOM
+Usage: $progname [OPTION]... LTMAIN [HOST]
+
+Generate a system-specific libtool script.
+
+    --build                configure for building on BUILD [BUILD=HOST]
+    --debug                enable verbose shell tracing
+    --disable-shared       do not build shared libraries
+    --disable-static       do not build static libraries
+    --disable-fast-install do not optimize for fast installation
+    --enable-dlopen        enable dlopen support
+    --enable-win32-dll     enable building dlls on win32 hosts
+    --help                 display this help and exit
+    --no-verify            do not verify that HOST is a valid host type
+-o, --output=FILE          specify the output file [default=$default_ofile]
+    --quiet                same as \`--silent'
+    --silent               do not print informational messages
+    --srcdir=DIR           find \`config.guess' in DIR
+    --version              output version information and exit
+    --with-gcc             assume that the GNU C compiler will be used
+    --with-gnu-ld          assume that the C compiler uses the GNU linker
+    --prefer-pic           try to use only PIC objects
+    --prefer-non-pic       try to use only non-PIC objects
+    --disable-lock         disable file locking
+    --cache-file=FILE      configure cache file
+
+LTMAIN is the \`ltmain.sh' shell script fragment or \`ltmain.c' program
+that provides basic libtool functionality.
+
+HOST is the canonical host system name [default=guessed].
+EOM
+  exit 0
+  ;;
+
+  --build) prev=build ;;
+  --build=*) build="$optarg" ;;
+
+  --debug)
+    echo "$progname: enabling shell trace mode"
+    set -x
+    ;;
+
+  --disable-shared) enable_shared=no ;;
+
+  --disable-static) enable_static=no ;;
+
+  --disable-fast-install) enable_fast_install=no ;;
+
+  --enable-dlopen) enable_dlopen=yes ;;
+
+  --enable-win32-dll) enable_win32_dll=yes ;;
+
+  --quiet | --silent) silent=yes ;;
+
+  --srcdir) prev=srcdir ;;
+  --srcdir=*) srcdir="$optarg" ;;
+
+  --no-verify) verify_host=no ;;
+
+  --output | -o) prev=ofile ;;
+  --output=*) ofile="$optarg" ;;
+
+  --version) echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"; exit 0 ;;
+
+  --with-gcc) with_gcc=yes ;;
+  --with-gnu-ld) with_gnu_ld=yes ;;
+
+  --prefer-pic) pic_mode=yes ;;
+  --prefer-non-pic) pic_mode=no ;;
+
+  --disable-lock) need_locks=no ;;
+
+  --cache-file=*) cache_file="$optarg" ;;
+
+  -*)
+    echo "$progname: unrecognized option \`$option'" 1>&2
+    echo "$help" 1>&2
+    exit 1
+    ;;
+
+  *)
+    if test -z "$ltmain"; then
+      ltmain="$option"
+    elif test -z "$host"; then
+# This generates an unnecessary warning for sparc-sun-solaris4.1.3_U1
+#      if test -n "`echo $option| sed 's/[-a-z0-9.]//g'`"; then
+#        echo "$progname: warning \`$option' is not a valid host type" 1>&2
+#      fi
+      host="$option"
+    else
+      echo "$progname: too many arguments" 1>&2
+      echo "$help" 1>&2
+      exit 1
+    fi ;;
+  esac
+done
+
+if test -z "$ltmain"; then
+  echo "$progname: you must specify a LTMAIN file" 1>&2
+  echo "$help" 1>&2
+  exit 1
+fi
+
+if test ! -f "$ltmain"; then
+  echo "$progname: \`$ltmain' does not exist" 1>&2
+  echo "$help" 1>&2
+  exit 1
+fi
+
+# Quote any args containing shell metacharacters.
+ltconfig_args=
+for arg
+do
+  case "$arg" in
+  *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*)
+  ltconfig_args="$ltconfig_args '$arg'" ;;
+  *) ltconfig_args="$ltconfig_args $arg" ;;
+  esac
+done
+
+# A relevant subset of AC_INIT.
+
+# File descriptor usage:
+# 0 standard input
+# 1 file creation
+# 2 errors and warnings
+# 3 some systems may open it to /dev/tty
+# 4 used on the Kubota Titan
+# 5 compiler messages saved in config.log
+# 6 checking for... messages and results
+if test "$silent" = yes; then
+  exec 6>/dev/null
+else
+  exec 6>&1
+fi
+exec 5>>./config.log
+
+# NLS nuisances.
+# Only set LANG and LC_ALL to C if already set.
+# These must not be set unconditionally because not all systems understand
+# e.g. LANG=C (notably SCO).
+if test "X${LC_ALL+set}" = Xset; then LC_ALL=C; export LC_ALL; fi
+if test "X${LANG+set}"   = Xset; then LANG=C;   export LANG;   fi
+
+if test -n "$cache_file" && test -r "$cache_file" && test -f "$cache_file"; then
+  echo "loading cache $cache_file within ltconfig"
+  . $cache_file
+fi
+
+if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
+  # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu.
+  if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
+    ac_n= ac_c='
+' ac_t='	'
+  else
+    ac_n=-n ac_c= ac_t=
+  fi
+else
+  ac_n= ac_c='\c' ac_t=
+fi
+
+if test -z "$srcdir"; then
+  # Assume the source directory is the same one as the path to LTMAIN.
+  srcdir=`$echo "X$ltmain" | $Xsed -e 's%/[^/]*$%%'`
+  test "$srcdir" = "$ltmain" && srcdir=.
+fi
+
+trap "$rm conftest*; exit 1" 1 2 15
+if test "$verify_host" = yes; then
+  # Check for config.guess and config.sub.
+  ac_aux_dir=
+  for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
+    if test -f $ac_dir/config.guess; then
+      ac_aux_dir=$ac_dir
+      break
+    fi
+  done
+  if test -z "$ac_aux_dir"; then
+    echo "$progname: cannot find config.guess in $srcdir $srcdir/.. $srcdir/../.." 1>&2
+    echo "$help" 1>&2
+    exit 1
+  fi
+  ac_config_guess=$ac_aux_dir/config.guess
+  ac_config_sub=$ac_aux_dir/config.sub
+
+  # Make sure we can run config.sub.
+  if $SHELL $ac_config_sub sun4 >/dev/null 2>&1; then :
+  else
+    echo "$progname: cannot run $ac_config_sub" 1>&2
+    echo "$help" 1>&2
+    exit 1
+  fi
+
+  echo $ac_n "checking host system type""... $ac_c" 1>&6
+
+  host_alias=$host
+  case "$host_alias" in
+  "")
+    if host_alias=`$SHELL $ac_config_guess`; then :
+    else
+      echo "$progname: cannot guess host type; you must specify one" 1>&2
+      echo "$help" 1>&2
+      exit 1
+    fi ;;
+  esac
+  host=`$SHELL $ac_config_sub $host_alias`
+  echo "$ac_t$host" 1>&6
+
+  # Make sure the host verified.
+  test -z "$host" && exit 1
+
+  # Check for the build system type
+  echo $ac_n "checking build system type... $ac_c" 1>&6
+
+  build_alias=$build
+  case "$build_alias" in
+  NONE)
+    case $nonopt in
+    NONE) build_alias=$host_alias ;;
+    *) build_alias=$nonopt ;;
+    esac ;;
+  esac
+
+  build=`$SHELL $ac_config_sub $build_alias`
+  build_cpu=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+  build_vendor=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+  build_os=`echo $build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+  echo "$ac_t""$build" 1>&6
+
+elif test -z "$host"; then
+  echo "$progname: you must specify a host type if you use \`--no-verify'" 1>&2
+  echo "$help" 1>&2
+  exit 1
+else
+  host_alias=$host
+  build_alias=$host_alias
+  build=$host
+fi
+
+if test x"$host" != x"$build"; then
+  ac_tool_prefix=${host_alias}-
+else
+  ac_tool_prefix=
+fi
+
+host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+
+# Transform linux* to *-*-linux-gnu*, to support old configure scripts.
+case "$host_os" in
+linux-gnu*) ;;
+linux*) host=`echo $host | sed 's/^\(.*-.*-linux\)\(.*\)$/\1-gnu\2/'`
+esac
+
+case "$host_os" in
+aix3*)
+  # AIX sometimes has problems with the GCC collect2 program.  For some
+  # reason, if we set the COLLECT_NAMES environment variable, the problems
+  # vanish in a puff of smoke.
+  if test "X${COLLECT_NAMES+set}" != Xset; then
+    COLLECT_NAMES=
+    export COLLECT_NAMES
+  fi
+  ;;
+esac
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
+fi
+
+# Set sane defaults for various variables
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+test -z "$AS" && AS=as
+test -z "$CC" && CC=cc
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$MAGIC" && MAGIC=file
+test -z "$LD" && LD=ld
+test -z "$LN_S" && LN_S="ln -s"
+test -z "$NM" && NM=nm
+test -z "$OBJDUMP" && OBJDUMP=objdump
+test -z "$RANLIB" && RANLIB=:
+test -z "$STRIP" && STRIP=:
+test -z "$objext" && objext=o
+
+echo $ac_n "checking for objdir... $ac_c" 1>&6
+rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+  objdir=.libs
+else
+  # MS-DOS does not allow filenames that begin with a dot.
+  objdir=_libs
+fi
+rmdir .libs 2>/dev/null
+echo "$ac_t$objdir" 1>&6
+
+# Allow CC to be a program name with arguments.
+set dummy $CC
+compiler="$2"
+
+# We assume here that the value for ac_cv_prog_cc_pic will not be cached
+# in isolation, and that seeing it set (from the cache) indicates that
+# the associated values are set (in the cache) correctly too.
+echo $ac_n "checking for $compiler option to produce PIC... $ac_c" 1>&6
+echo "$progname:565:checking for $compiler option to produce PIC" 1>&5
+if test "X${ac_cv_prog_cc_pic+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_cv_prog_cc_pic=
+  ac_cv_prog_cc_shlib=
+  ac_cv_prog_cc_wl=
+  ac_cv_prog_cc_static=
+  ac_cv_prog_cc_no_builtin=
+  ac_cv_prog_cc_can_build_shared=$can_build_shared
+
+  if test "$with_gcc" = yes; then
+    ac_cv_prog_cc_wl='-Wl,'
+    ac_cv_prog_cc_static='-static'
+
+    case "$host_os" in
+    beos* | irix5* | irix6* | osf3* | osf4* | osf5*)
+      # PIC is the default for these OSes.
+      ;;
+    aix*)
+      # Below there is a dirty hack to force normal static linking with -ldl
+      # The problem is because libdl dynamically linked with both libc and
+      # libC (AIX C++ library), which obviously doesn't included in libraries
+      # list by gcc. This cause undefined symbols with -static flags.
+      # This hack allows C programs to be linked with "-static -ldl", but
+      # we not sure about C++ programs.
+      ac_cv_prog_cc_static="$ac_cv_prog_cc_static ${ac_cv_prog_cc_wl}-lC"
+      ;;
+    cygwin* | mingw* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      ac_cv_prog_cc_pic='-DDLL_EXPORT'
+      ;;
+    amigaos*)
+      # FIXME: we need at least 68020 code to build shared libraries, but
+      # adding the `-m68020' flag to GCC prevents building anything better,
+      # like `-m68040'.
+      ac_cv_prog_cc_pic='-m68020 -resident32 -malways-restore-a4'
+      ;;
+    sysv4*MP*)
+      if test -d /usr/nec; then
+	 ac_cv_prog_cc_pic=-Kconform_pic
+      fi
+      ;;
+    *)
+      ac_cv_prog_cc_pic='-fPIC'
+      ;;
+    esac
+  else
+    # PORTME Check for PIC flags for the system compiler.
+    case "$host_os" in
+    aix3* | aix4*)
+     # All AIX code is PIC.
+      ac_cv_prog_cc_static='-bnso -bI:/lib/syscalls.exp'
+      ;;
+
+    hpux9* | hpux10* | hpux11*)
+      # Is there a better ac_cv_prog_cc_static that works with the bundled CC?
+      ac_cv_prog_cc_wl='-Wl,'
+      ac_cv_prog_cc_static="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+      ac_cv_prog_cc_pic='+Z'
+      ;;
+
+    irix5* | irix6*)
+      ac_cv_prog_cc_wl='-Wl,'
+      ac_cv_prog_cc_static='-non_shared'
+      # PIC (with -KPIC) is the default.
+      ;;
+
+    cygwin* | mingw* | os2*)
+      # This hack is so that the source file can tell whether it is being
+      # built for inclusion in a dll (and should export symbols for example).
+      ac_cv_prog_cc_pic='-DDLL_EXPORT'
+      ;;
+
+    osf3* | osf4* | osf5*)
+      # All OSF/1 code is PIC.
+      ac_cv_prog_cc_wl='-Wl,'
+      ac_cv_prog_cc_static='-non_shared'
+      ;;
+
+    sco3.2v5*)
+      ac_cv_prog_cc_pic='-Kpic'
+      ac_cv_prog_cc_static='-dn'
+      ac_cv_prog_cc_shlib='-belf'
+      ;;
+
+    solaris*)
+      ac_cv_prog_cc_pic='-KPIC'
+      ac_cv_prog_cc_static='-Bstatic'
+      ac_cv_prog_cc_wl='-Wl,'
+      ;;
+
+    sunos4*)
+      ac_cv_prog_cc_pic='-PIC'
+      ac_cv_prog_cc_static='-Bstatic'
+      ac_cv_prog_cc_wl='-Qoption ld '
+      ;;
+
+    sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+      ac_cv_prog_cc_pic='-KPIC'
+      ac_cv_prog_cc_static='-Bstatic'
+      ac_cv_prog_cc_wl='-Wl,'
+      ;;
+
+    uts4*)
+      ac_cv_prog_cc_pic='-pic'
+      ac_cv_prog_cc_static='-Bstatic'
+      ;;
+
+    sysv4*MP*)
+      if test -d /usr/nec ;then
+	ac_cv_prog_cc_pic='-Kconform_pic'
+	ac_cv_prog_cc_static='-Bstatic'
+      fi
+      ;;
+
+    *)
+      ac_cv_prog_cc_can_build_shared=no
+      ;;
+    esac
+  fi
+fi
+if test -z "$ac_cv_prog_cc_pic"; then
+  echo "$ac_t"none 1>&6
+else
+  echo "$ac_t""$ac_cv_prog_cc_pic" 1>&6
+
+  # Check to make sure the pic_flag actually works.
+  echo $ac_n "checking if $compiler PIC flag $ac_cv_prog_cc_pic works... $ac_c" 1>&6
+  echo "$progname:695:checking that $compiler PIC flag $ac_cv_prog_cc_pic works." 1>&5
+  if test "X${ac_cv_prog_cc_pic_works+set}" = Xset; then
+    echo $ac_n "(cached) $ac_c" 1>&6
+  else
+    ac_cv_prog_cc_pic_works=yes
+    $rm conftest*
+    echo "int some_variable = 0;" > conftest.c
+    save_CFLAGS="$CFLAGS"
+    CFLAGS="$CFLAGS $ac_cv_prog_cc_pic -DPIC"
+    if { (eval echo $progname:704: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then
+      # Append any warnings to the config.log.
+      cat conftest.err 1>&5
+
+      case "$host_os" in
+      hpux9* | hpux10* | hpux11*)
+	# On HP-UX, both CC and GCC only warn that PIC is supported... then
+	# they create non-PIC objects.  So, if there were any warnings, we
+	# assume that PIC is not supported.
+	if test -s conftest.err; then
+	  ac_cv_prog_cc_pic_works=no
+	  ac_cv_prog_cc_can_build_shared=no
+	  ac_cv_prog_cc_pic=
+	else
+	  ac_cv_prog_cc_pic_works=yes
+	  ac_cv_prog_cc_pic=" $ac_cv_prog_cc_pic"
+	fi
+	;;
+      *)
+	ac_cv_prog_cc_pic_works=yes
+	ac_cv_prog_cc_pic=" $ac_cv_prog_cc_pic"
+	;;
+      esac
+    else
+      # Append any errors to the config.log.
+      cat conftest.err 1>&5
+      ac_cv_prog_cc_pic_works=no
+      ac_cv_prog_cc_can_build_shared=no
+      ac_cv_prog_cc_pic=
+    fi
+    CFLAGS="$save_CFLAGS"
+    $rm conftest*
+  fi
+  # Belt *and* braces to stop my trousers falling down:
+  if test "X$ac_cv_prog_cc_pic_works" = Xno; then
+    ac_cv_prog_cc_pic=
+    ac_cv_prog_cc_can_build_shared=no
+  fi
+  echo "$ac_t""$ac_cv_prog_cc_pic_works" 1>&6
+fi
+
+# Check for any special shared library compilation flags.
+if test -n "$ac_cv_prog_cc_shlib"; then
+  echo "$progname: warning: \`$CC' requires \`$ac_cv_prog_cc_shlib' to build shared libraries" 1>&2
+  if echo "$old_CC $old_CFLAGS " | egrep -e "[ 	]$ac_cv_prog_cc_shlib[ 	]" >/dev/null; then :
+  else
+    echo "$progname: add \`$ac_cv_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" 1>&2
+    ac_cv_prog_cc_can_build_shared=no
+  fi
+fi
+
+echo $ac_n "checking if $compiler static flag $ac_cv_prog_cc_static works... $ac_c" 1>&6
+echo "$progname:756: checking if $compiler static flag $ac_cv_prog_cc_static works" >&5
+if test "X${ac_cv_prog_cc_static_works+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  $rm conftest*
+  echo 'main(){return(0);}' > conftest.c
+  save_LDFLAGS="$LDFLAGS"
+  LDFLAGS="$LDFLAGS $ac_cv_prog_cc_static"
+  if { (eval echo $progname:764: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+    ac_cv_prog_cc_static_works=yes
+  else
+    ac_cv_prog_cc_static_works=no
+    ac_cv_prog_cc_static=
+  fi
+  LDFLAGS="$save_LDFLAGS"
+  $rm conftest*
+fi
+# Belt *and* braces to stop my trousers falling down:
+if test "X$ac_cv_prog_cc_static_works" = Xno; then
+  ac_cv_prog_cc_static=
+fi
+echo "$ac_t""$ac_cv_prog_cc_static_works" 1>&6
+pic_flag="$ac_cv_prog_cc_pic"
+special_shlib_compile_flags="$ac_cv_prog_cc_shlib"
+wl="$ac_cv_prog_cc_wl"
+link_static_flag="$ac_cv_prog_cc_static"
+no_builtin_flag="$ac_cv_prog_cc_no_builtin"
+can_build_shared="$ac_cv_prog_cc_can_build_shared"
+
+# Check to see if options -o and -c are simultaneously supported by compiler
+echo $ac_n "checking if $compiler supports -c -o file.o... $ac_c" 1>&6
+$rm -r conftest 2>/dev/null
+mkdir conftest
+cd conftest
+$rm conftest*
+echo "int some_variable = 0;" > conftest.c
+mkdir out
+# According to Tom Tromey, Ian Lance Taylor reported there are C compilers
+# that will create temporary files in the current directory regardless of
+# the output directory.  Thus, making CWD read-only will cause this test
+# to fail, enabling locking or at least warning the user not to do parallel
+# builds.
+chmod -w .
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS -o out/conftest2.o"
+echo "$progname:801: checking if $compiler supports -c -o file.o" >&5
+if { (eval echo $progname:802: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.o; then
+
+  # The compiler can only warn and ignore the option if not recognized
+  # So say no if there are warnings
+    if test -s out/conftest.err; then
+      echo "$ac_t"no 1>&6
+      compiler_c_o=no
+    else
+      echo "$ac_t"yes 1>&6
+      compiler_c_o=yes
+    fi
+else
+  # Append any errors to the config.log.
+  cat out/conftest.err 1>&5
+  compiler_c_o=no
+  echo "$ac_t"no 1>&6
+fi
+CFLAGS="$save_CFLAGS"
+chmod u+w .
+$rm conftest* out/*
+rmdir out
+cd ..
+rmdir conftest
+$rm -r conftest 2>/dev/null
+
+if test x"$compiler_c_o" = x"yes"; then
+  # Check to see if we can write to a .lo
+  echo $ac_n "checking if $compiler supports -c -o file.lo... $ac_c" 1>&6
+  $rm conftest*
+  echo "int some_variable = 0;" > conftest.c
+  save_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -c -o conftest.lo"
+  echo "$progname:834: checking if $compiler supports -c -o file.lo" >&5
+if { (eval echo $progname:835: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.lo; then
+
+    # The compiler can only warn and ignore the option if not recognized
+    # So say no if there are warnings
+      if test -s conftest.err; then
+	echo "$ac_t"no 1>&6
+	compiler_o_lo=no
+      else
+	echo "$ac_t"yes 1>&6
+	compiler_o_lo=yes
+      fi
+  else
+    # Append any errors to the config.log.
+    cat conftest.err 1>&5
+    compiler_o_lo=no
+    echo "$ac_t"no 1>&6
+  fi
+  CFLAGS="$save_CFLAGS"
+  $rm conftest*
+else
+  compiler_o_lo=no
+fi
+
+# Check to see if we can do hard links to lock some files if needed
+hard_links="nottested"
+if test "$compiler_c_o" = no && test "$need_locks" != no; then
+  # do not overwrite the value of need_locks provided by the user
+  echo $ac_n "checking if we can lock with hard links... $ac_c" 1>&6
+  hard_links=yes
+  $rm conftest*
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  touch conftest.a
+  ln conftest.a conftest.b 2>&5 || hard_links=no
+  ln conftest.a conftest.b 2>/dev/null && hard_links=no
+  echo "$ac_t$hard_links" 1>&6
+  $rm conftest*
+  if test "$hard_links" = no; then
+    echo "*** WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2
+    need_locks=warn
+  fi
+else
+  need_locks=no
+fi
+
+if test "$with_gcc" = yes; then
+  # Check to see if options -fno-rtti -fno-exceptions are supported by compiler
+  echo $ac_n "checking if $compiler supports -fno-rtti -fno-exceptions ... $ac_c" 1>&6
+  $rm conftest*
+  echo "int some_variable = 0;" > conftest.c
+  save_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -fno-rtti -fno-exceptions -c conftest.c"
+  echo "$progname:886: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+  if { (eval echo $progname:887: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.o; then
+
+    # The compiler can only warn and ignore the option if not recognized
+    # So say no if there are warnings
+      if test -s conftest.err; then
+	echo "$ac_t"no 1>&6
+	compiler_rtti_exceptions=no
+      else
+	echo "$ac_t"yes 1>&6
+	compiler_rtti_exceptions=yes
+      fi
+  else
+    # Append any errors to the config.log.
+    cat conftest.err 1>&5
+    compiler_rtti_exceptions=no
+    echo "$ac_t"no 1>&6
+  fi
+  CFLAGS="$save_CFLAGS"
+  $rm conftest*
+
+  if test "$compiler_rtti_exceptions" = "yes"; then
+    no_builtin_flag=' -fno-builtin -fno-rtti -fno-exceptions'
+  else
+    no_builtin_flag=' -fno-builtin'
+  fi
+
+fi
+
+# See if the linker supports building shared libraries.
+echo $ac_n "checking whether the linker ($LD) supports shared libraries... $ac_c" 1>&6
+
+allow_undefined_flag=
+no_undefined_flag=
+need_lib_prefix=unknown
+need_version=unknown
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+archive_cmds=
+archive_expsym_cmds=
+old_archive_from_new_cmds=
+old_archive_from_expsyms_cmds=
+striplib=
+old_striplib=
+export_dynamic_flag_spec=
+whole_archive_flag_spec=
+thread_safe_flag_spec=
+hardcode_into_libs=no
+hardcode_libdir_flag_spec=
+hardcode_libdir_separator=
+hardcode_direct=no
+hardcode_minus_L=no
+hardcode_shlibpath_var=unsupported
+runpath_var=
+link_all_deplibs=unknown
+always_export_symbols=no
+export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | sed '\''s/.* //'\'' | sort | uniq > $export_symbols'
+# include_expsyms should be a list of space-separated symbols to be *always*
+# included in the symbol list
+include_expsyms=
+# exclude_expsyms can be an egrep regular expression of symbols to exclude
+# it will be wrapped by ` (' and `)$', so one must not match beginning or
+# end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+# as well as any symbol that contains `d'.
+exclude_expsyms="_GLOBAL_OFFSET_TABLE_"
+# Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+# platforms (ab)use it in PIC code, but their linkers get confused if
+# the symbol is explicitly referenced.  Since portable code cannot
+# rely on this symbol name, it's probably fine to never include it in
+# preloaded symbol tables.
+extract_expsyms_cmds=
+
+case "$host_os" in
+cygwin* | mingw*)
+  # FIXME: the MSVC++ port hasn't been tested in a loooong time
+  # When not using gcc, we currently assume that we are using
+  # Microsoft Visual C++.
+  if test "$with_gcc" != yes; then
+    with_gnu_ld=no
+  fi
+  ;;
+
+esac
+
+ld_shlibs=yes
+if test "$with_gnu_ld" = yes; then
+  # If archive_cmds runs LD, not CC, wlarc should be empty
+  wlarc='${wl}'
+
+  # See if GNU ld supports shared libraries.
+  case "$host_os" in
+  aix3* | aix4*)
+    # On AIX, the GNU linker is very broken
+    ld_shlibs=no
+    cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support.  If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+    ;;
+
+  amigaos*)
+    archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_minus_L=yes
+
+    # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+    # that the semantics of dynamic libraries on AmigaOS, at least up
+    # to version 4, is to share data among multiple programs linked
+    # with the same dynamic library.  Since this doesn't match the
+    # behavior of shared libraries on other platforms, we can use
+    # them.
+    ld_shlibs=no
+    ;;
+
+  beos*)
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+      allow_undefined_flag=unsupported
+      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+      # support --undefined.  This deserves some investigation.  FIXME
+      archive_cmds='$CC -nostart $libobjs $deplibs $linker_flags ${wl}-soname $wl$soname -o $lib'
+    else
+      ld_shlibs=no
+    fi
+    ;;
+
+  cygwin* | mingw*)
+    # hardcode_libdir_flag_spec is actually meaningless, as there is
+    # no search path for DLLs.
+    hardcode_libdir_flag_spec='-L$libdir'
+    allow_undefined_flag=unsupported
+    always_export_symbols=yes
+
+    extract_expsyms_cmds='test -f $output_objdir/impgen.c || \
+      sed -e "/^# \/\* impgen\.c starts here \*\//,/^# \/\* impgen.c ends here \*\// { s/^# //; p; }" -e d < $0 > $output_objdir/impgen.c~
+      test -f $output_objdir/impgen.exe || (cd $output_objdir && \
+      if test "x$HOST_CC" != "x" ; then $HOST_CC -o impgen impgen.c ; \
+      else $CC -o impgen impgen.c ; fi)~
+      $output_objdir/impgen $dir/$soname > $output_objdir/$soname-def'
+
+    old_archive_from_expsyms_cmds='$DLLTOOL --as=$AS --dllname $soname --def $output_objdir/$soname-def --output-lib $output_objdir/$newlib'
+
+    # cygwin and mingw dlls have different entry points and sets of symbols
+    # to exclude.
+    # FIXME: what about values for MSVC?
+    dll_entry=__cygwin_dll_entry@12
+    dll_exclude_symbols=DllMain@12,_cygwin_dll_entry@12,_cygwin_noncygwin_dll_entry@12~
+    case "$host_os" in
+    mingw*)
+      # mingw values
+      dll_entry=_DllMainCRTStartup@12
+      dll_exclude_symbols=DllMain@12,DllMainCRTStartup@12,DllEntryPoint@12~
+      ;;
+    esac
+
+    # mingw and cygwin differ, and it's simplest to just exclude the union
+    # of the two symbol sets.
+    dll_exclude_symbols=DllMain@12,_cygwin_dll_entry@12,_cygwin_noncygwin_dll_entry@12,DllMainCRTStartup@12,DllEntryPoint@12
+
+    # recent cygwin and mingw systems supply a stub DllMain which the user
+    # can override, but on older systems we have to supply one (in ltdll.c)
+    if test "x$lt_cv_need_dllmain" = "xyes"; then
+      ltdll_obj='$output_objdir/$soname-ltdll.'"$objext "
+      ltdll_cmds='test -f $output_objdir/$soname-ltdll.c || sed -e "/^# \/\* ltdll\.c starts here \*\//,/^# \/\* ltdll.c ends here \*\// { s/^# //; p; }" -e d < $0 > $output_objdir/$soname-ltdll.c~
+	test -f $output_objdir/$soname-ltdll.$objext || (cd $output_objdir && $CC -c $soname-ltdll.c)~'
+    else
+      ltdll_obj=
+      ltdll_cmds=
+    fi
+
+    # Extract the symbol export list from an `--export-all' def file,
+    # then regenerate the def file from the symbol export list, so that
+    # the compiled dll only exports the symbol export list.
+    # Be careful not to strip the DATA tag left be newer dlltools.
+    export_symbols_cmds="$ltdll_cmds"'
+      $DLLTOOL --export-all --exclude-symbols '$dll_exclude_symbols' --output-def $output_objdir/$soname-def '$ltdll_obj'$libobjs $convenience~
+      sed -e "1,/EXPORTS/d" -e "s/ @ [0-9]*//" -e "s/ *;.*$//" < $output_objdir/$soname-def > $export_symbols'
+
+    # If DATA tags from a recent dlltool are present, honour them!
+    archive_expsym_cmds='echo EXPORTS > $output_objdir/$soname-def~
+      _lt_hint=1;
+      cat $export_symbols | while read symbol; do
+	set dummy \$symbol;
+	case \$# in
+	  2) echo "	\$2 @ \$_lt_hint ; " >> $output_objdir/$soname-def;;
+	  *) echo "     \$2 @ \$_lt_hint \$3 ; " >> $output_objdir/$soname-def;;
+	esac;
+	_lt_hint=`expr 1 + \$_lt_hint`;
+      done~
+      '"$ltdll_cmds"'
+      $CC -Wl,--base-file,$output_objdir/$soname-base '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $lib '$ltdll_obj'$libobjs $deplibs $compiler_flags~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbols '$dll_exclude_symbols' --def $output_objdir/$soname-def --base-file $output_objdir/$soname-base --output-exp $output_objdir/$soname-exp~
+      $CC -Wl,--base-file,$output_objdir/$soname-base $output_objdir/$soname-exp '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $lib '$ltdll_obj'$libobjs $deplibs $compiler_flags~
+      $DLLTOOL --as=$AS --dllname $soname --exclude-symbols '$dll_exclude_symbols' --def $output_objdir/$soname-def --base-file $output_objdir/$soname-base --output-exp $output_objdir/$soname-exp~
+      $CC $output_objdir/$soname-exp '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $lib '$ltdll_obj'$libobjs $deplibs $compiler_flags'
+    ;;
+
+  netbsd*)
+    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+      archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+      wlarc=
+    else
+      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+    fi
+    ;;
+
+  solaris* | sysv5*)
+    if $LD -v 2>&1 | egrep 'BFD 2\.8' > /dev/null; then
+      ld_shlibs=no
+      cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+    elif $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+      archive_cmds='$CC -shared $libobjs $deplibs $linker_flags ${wl}-soname $wl$soname -o $lib'
+      archive_expsym_cmds='$CC -shared $libobjs $deplibs $linker_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+    else
+      ld_shlibs=no
+    fi
+    ;;
+
+  sunos4*)
+    archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+    wlarc=
+    hardcode_direct=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  *)
+    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+      archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+    else
+      ld_shlibs=no
+    fi
+    ;;
+  esac
+
+  if test "$ld_shlibs" = yes; then
+    runpath_var=LD_RUN_PATH
+    hardcode_libdir_flag_spec="$wlarc"'--rpath '"$wlarc"'$libdir'
+    export_dynamic_flag_spec="$wlarc"'--export-dynamic'
+    case $host_os in
+    cygwin* | mingw*)
+      # dlltool doesn't understand --whole-archive et. al.
+      whole_archive_flag_spec=
+      ;;
+    *)
+      # ancient GNU ld didn't support --whole-archive et. al.
+      if $LD --help 2>&1 | egrep 'no-whole-archive' > /dev/null; then
+	whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+	whole_archive_flag_spec=
+      fi
+      ;;
+    esac
+  fi
+else
+  # PORTME fill in a description of your system's linker (not GNU ld)
+  case "$host_os" in
+  aix3*)
+    allow_undefined_flag=unsupported
+    always_export_symbols=yes
+    archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+    # Note: this linker hardcodes the directories in LIBPATH if there
+    # are no directories specified by -L.
+    hardcode_minus_L=yes
+    if test "$with_gcc" = yes && test -z "$link_static_flag"; then
+      # Neither direct hardcoding nor static linking is supported with a
+      # broken collect2.
+      hardcode_direct=unsupported
+    fi
+    ;;
+
+  aix4*)
+    hardcode_libdir_flag_spec='${wl}-b ${wl}nolibpath ${wl}-b ${wl}libpath:$libdir:/usr/lib:/lib'
+    hardcode_libdir_separator=':'
+    if test "$with_gcc" = yes; then
+      collect2name=`${CC} -print-prog-name=collect2`
+      if test -f "$collect2name" && \
+	 strings "$collect2name" | grep resolve_lib_name >/dev/null
+      then
+	# We have reworked collect2
+	hardcode_direct=yes
+      else
+	# We have old collect2
+	hardcode_direct=unsupported
+	# It fails to find uninstalled libraries when the uninstalled
+	# path is not listed in the libpath.  Setting hardcode_minus_L
+	# to unsupported forces relinking
+	hardcode_minus_L=yes
+	hardcode_libdir_flag_spec='-L$libdir'
+	hardcode_libdir_separator=
+      fi
+      shared_flag='-shared'
+    else
+      shared_flag='${wl}-bM:SRE'
+      hardcode_direct=yes
+    fi
+    allow_undefined_flag=' ${wl}-berok'
+    archive_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bexpall ${wl}-bnoentry${allow_undefined_flag}'
+    archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}'
+    case "$host_os" in aix4.[01]|aix4.[01].*)
+      # According to Greg Wooledge, -bexpall is only supported from AIX 4.2 on
+      always_export_symbols=yes ;;
+    esac
+   ;;
+
+  amigaos*)
+    archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_minus_L=yes
+    # see comment about different semantics on the GNU ld section
+    ld_shlibs=no
+    ;;
+
+  cygwin* | mingw*)
+    # When not using gcc, we currently assume that we are using
+    # Microsoft Visual C++.
+    # hardcode_libdir_flag_spec is actually meaningless, as there is
+    # no search path for DLLs.
+    hardcode_libdir_flag_spec=' '
+    allow_undefined_flag=unsupported
+    # Tell ltmain to make .lib files, not .a files.
+    libext=lib
+    # FIXME: Setting linknames here is a bad hack.
+    archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | sed -e '\''s/ -lc$//'\''` -link -dll~linknames='
+    # The linker will automatically build a .lib file if we build a DLL.
+    old_archive_from_new_cmds='true'
+    # FIXME: Should let the user specify the lib program.
+    old_archive_cmds='lib /OUT:$oldlib$oldobjs$old_deplibs'
+    fix_srcfile_path='`cygpath -w $srcfile`'
+    ;;
+
+  freebsd1*)
+    ld_shlibs=no
+    ;;
+
+  # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+  # support.  Future versions do this automatically, but an explicit c++rt0.o
+  # does not break anything, and helps significantly (at the cost of a little
+  # extra space).
+  freebsd2.2*)
+    archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+    hardcode_libdir_flag_spec='-R$libdir'
+    hardcode_direct=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+  freebsd2*)
+    archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+    hardcode_direct=yes
+    hardcode_minus_L=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+  freebsd*)
+    archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+    hardcode_libdir_flag_spec='-R$libdir'
+    hardcode_direct=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  hpux9* | hpux10* | hpux11*)
+    case "$host_os" in
+    hpux9*) archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' ;;
+    *) archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' ;;
+    esac
+    hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+    hardcode_libdir_separator=:
+    hardcode_direct=yes
+    hardcode_minus_L=yes # Not in the search PATH, but as the default
+			 # location of the library.
+    export_dynamic_flag_spec='${wl}-E'
+    ;;
+
+  irix5* | irix6*)
+    if test "$with_gcc" = yes; then
+      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+    else
+      archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+    fi
+    hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+    hardcode_libdir_separator=:
+    link_all_deplibs=yes
+    ;;
+
+  netbsd*)
+    if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+      archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
+    else
+      archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags'      # ELF
+    fi
+    hardcode_libdir_flag_spec='${wl}-R$libdir'
+    hardcode_direct=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  openbsd*)
+    archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+    hardcode_libdir_flag_spec='-R$libdir'
+    hardcode_direct=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  os2*)
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_minus_L=yes
+    allow_undefined_flag=unsupported
+    archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+    old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+    ;;
+
+  osf3*)
+    if test "$with_gcc" = yes; then
+      allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+      archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+    else
+      allow_undefined_flag=' -expect_unresolved \*'
+      archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+    fi
+    hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+    hardcode_libdir_separator=:
+    ;;
+
+  osf4* | osf5*)	# as osf3* with the addition of -msym flag
+    if test "$with_gcc" = yes; then
+      allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+      archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+    else
+      allow_undefined_flag=' -expect_unresolved \*'
+      archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+    fi
+    hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+    hardcode_libdir_separator=:
+    ;;
+  rhapsody*)
+    archive_cmds='$CC -bundle -undefined suppress -o $lib $libobjs $deplibs $linkopts'
+    hardcode_libdir_flags_spec='-L$libdir'
+    hardcode_direct=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  sco3.2v5*)
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    hardcode_shlibpath_var=no
+    runpath_var=LD_RUN_PATH
+    hardcode_runpath_var=yes
+    ;;
+
+  solaris*)
+    no_undefined_flag=' -z text'
+    # $CC -shared without GNU ld will not create a library from C++
+    # object files and a static libstdc++, better avoid it by now
+    archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+		$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+    hardcode_libdir_flag_spec='-R$libdir'
+    hardcode_shlibpath_var=no
+    case "$host_os" in
+    solaris2.[0-5] | solaris2.[0-5].*) ;;
+    *) # Supported since Solaris 2.6 (maybe 2.5.1?)
+      whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;;
+    esac
+    link_all_deplibs=yes
+    ;;
+
+  sunos4*)
+    if test "x$host_vendor" = xsequent; then
+      # Use $CC to link under sequent, because it throws in some extra .o 
+      # files that make .init and .fini sections work.
+      archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $linkopts'
+    else
+      archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+    fi
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_direct=yes
+    hardcode_minus_L=yes
+    hardcode_shlibpath_var=no
+    ;;
+
+  sysv4)
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    runpath_var='LD_RUN_PATH'
+    hardcode_shlibpath_var=no
+    hardcode_direct=no #Motorola manual says yes, but my tests say they lie
+    ;;
+
+  sysv4.3*)
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    hardcode_shlibpath_var=no
+    export_dynamic_flag_spec='-Bexport'
+    ;;
+
+  sysv5*)
+    no_undefined_flag=' -z text'
+    # $CC -shared without GNU ld will not create a library from C++
+    # object files and a static libstdc++, better avoid it by now
+    archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+		$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+    hardcode_libdir_flag_spec=
+    hardcode_shlibpath_var=no
+    runpath_var='LD_RUN_PATH'
+    ;;
+
+  uts4*)
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_shlibpath_var=no
+    ;;
+
+  dgux*)
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    hardcode_libdir_flag_spec='-L$libdir'
+    hardcode_shlibpath_var=no
+    ;;
+
+  sysv4*MP*)
+    if test -d /usr/nec; then
+      archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+      hardcode_shlibpath_var=no
+      runpath_var=LD_RUN_PATH
+      hardcode_runpath_var=yes
+      ld_shlibs=yes
+    fi
+    ;;
+
+  sysv4.2uw2*)
+    archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+    hardcode_direct=yes
+    hardcode_minus_L=no
+    hardcode_shlibpath_var=no
+    hardcode_runpath_var=yes
+    runpath_var=LD_RUN_PATH
+    ;;
+
+  unixware7*)
+    archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+    runpath_var='LD_RUN_PATH'
+    hardcode_shlibpath_var=no
+    ;;
+
+  *)
+    ld_shlibs=no
+    ;;
+  esac
+fi
+echo "$ac_t$ld_shlibs" 1>&6
+test "$ld_shlibs" = no && can_build_shared=no
+
+# Check hardcoding attributes.
+echo $ac_n "checking how to hardcode library paths into programs... $ac_c" 1>&6
+hardcode_action=
+if test -n "$hardcode_libdir_flag_spec" || \
+   test -n "$runpath_var"; then
+
+  # We can hardcode non-existant directories.
+  if test "$hardcode_direct" != no &&
+     # If the only mechanism to avoid hardcoding is shlibpath_var, we
+     # have to relink, otherwise we might link with an installed library
+     # when we should be linking with a yet-to-be-installed one
+     ## test "$hardcode_shlibpath_var" != no &&
+     test "$hardcode_minus_L" != no; then
+    # Linking always hardcodes the temporary library directory.
+    hardcode_action=relink
+  else
+    # We can link without hardcoding, and we can hardcode nonexisting dirs.
+    hardcode_action=immediate
+  fi
+else
+  # We cannot hardcode anything, or else we can only hardcode existing
+  # directories.
+  hardcode_action=unsupported
+fi
+echo "$ac_t$hardcode_action" 1>&6
+
+echo $ac_n "checking whether stripping libraries is possible... $ac_c" 1>&6
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+  test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+  test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+  echo "${ac_t}yes" 1>&6
+else
+  echo "${ac_t}no" 1>&6
+fi
+
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+
+# PORTME Fill in your ld.so characteristics
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+
+echo $ac_n "checking dynamic linker characteristics... $ac_c" 1>&6
+case "$host_os" in
+aix3*)
+  version_type=linux
+  library_names_spec='${libname}${release}.so$versuffix $libname.a'
+  shlibpath_var=LIBPATH
+
+  # AIX has no versioning support, so we append a major version to the name.
+  soname_spec='${libname}${release}.so$major'
+  ;;
+
+aix4*)
+  version_type=linux
+  # AIX has no versioning support, so currently we can not hardcode correct
+  # soname into executable. Probably we can add versioning support to
+  # collect2, so additional links can be useful in future.
+  # We preserve .a as extension for shared libraries though AIX4.2
+  # and later linker supports .so
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.a'
+  shlibpath_var=LIBPATH
+  ;;
+
+amigaos*)
+  library_names_spec='$libname.ixlibrary $libname.a'
+  # Create ${libname}_ixlibrary.a entries in /sys/libs.
+  finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "(cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a)"; (cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a) || exit 1; done'
+  ;;
+
+beos*)
+  library_names_spec='${libname}.so'
+  dynamic_linker="$host_os ld.so"
+  shlibpath_var=LIBRARY_PATH
+  lt_cv_dlopen="load_add_on"
+  lt_cv_dlopen_libs=
+  lt_cv_dlopen_self=yes
+  ;;
+
+bsdi4*)
+  version_type=linux
+  need_version=no
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+  sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+  export_dynamic_flag_spec=-rdynamic
+  # the default ld.so.conf also contains /usr/contrib/lib and
+  # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+  # libtool to hard-code these into programs
+  ;;
+
+cygwin* | mingw*)
+  version_type=windows
+  need_version=no
+  need_lib_prefix=no
+  if test "$with_gcc" = yes; then
+    library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll'
+  else
+    library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll $libname.lib'
+  fi
+  dynamic_linker='Win32 ld.exe'
+  # FIXME: first we should search . and the directory the executable is in
+  shlibpath_var=PATH
+  lt_cv_dlopen="LoadLibrary"
+  lt_cv_dlopen_libs=
+  ;;
+
+freebsd1*)
+  dynamic_linker=no
+  ;;
+
+freebsd*)
+  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+  version_type=freebsd-$objformat
+  case "$version_type" in
+    freebsd-elf*)
+      library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so $libname.so'
+      need_version=no
+      need_lib_prefix=no
+      ;;
+    freebsd-*)
+      library_names_spec='${libname}${release}.so$versuffix $libname.so$versuffix'
+      need_version=yes
+      ;;
+  esac
+  shlibpath_var=LD_LIBRARY_PATH
+  case "$host_os" in
+  freebsd2*)
+    shlibpath_overrides_runpath=yes
+    ;;
+  freebsd3.[01]* | freebsdelf3.[01]*)
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
+  *) # from 3.2 on
+    shlibpath_overrides_runpath=no
+    hardcode_into_libs=yes
+    ;;
+  esac
+  ;;
+
+gnu*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so${major} ${libname}.so'
+  soname_spec='${libname}${release}.so$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  ;;
+
+hpux9* | hpux10* | hpux11*)
+  # Give a soname corresponding to the major version so that dld.sl refuses to
+  # link against other versions.
+  dynamic_linker="$host_os dld.sl"
+  version_type=sunos
+  need_lib_prefix=no
+  need_version=no
+  shlibpath_var=SHLIB_PATH
+  shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+  library_names_spec='${libname}${release}.sl$versuffix ${libname}${release}.sl$major $libname.sl'
+  soname_spec='${libname}${release}.sl$major'
+  # HP-UX runs *really* slowly unless shared libraries are mode 555.
+  postinstall_cmds='chmod 555 $lib'
+  ;;
+
+irix5* | irix6*)
+  version_type=irix
+  need_lib_prefix=no
+  need_version=no
+  soname_spec='${libname}${release}.so.$major'
+  library_names_spec='${libname}${release}.so.$versuffix ${libname}${release}.so.$major ${libname}${release}.so $libname.so'
+  case "$host_os" in
+  irix5*)
+    libsuff= shlibsuff=
+    ;;
+  *)
+    case "$LD" in # libtool.m4 will add one of these switches to LD
+    *-32|*"-32 ") libsuff= shlibsuff= libmagic=32-bit;;
+    *-n32|*"-n32 ") libsuff=32 shlibsuff=N32 libmagic=N32;;
+    *-64|*"-64 ") libsuff=64 shlibsuff=64 libmagic=64-bit;;
+    *) libsuff= shlibsuff= libmagic=never-match;;
+    esac
+    ;;
+  esac
+  shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+  shlibpath_overrides_runpath=no
+  sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+  sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+  ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux-gnuoldld* | linux-gnuaout* | linux-gnucoff*)
+  dynamic_linker=no
+  ;;
+
+# This must be Linux ELF.
+linux-gnu*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  # This implies no fast_install, which is unacceptable.
+  # Some rework will be needed to allow for fast_install
+  # before this can be enabled.
+  hardcode_into_libs=yes
+
+  # We used to test for /lib/ld.so.1 and disable shared libraries on
+  # powerpc, because MkLinux only supported shared libraries with the
+  # GNU dynamic linker.  Since this was broken with cross compilers,
+  # most powerpc-linux boxes support dynamic linking these days and
+  # people can always --disable-shared, the test was removed, and we
+  # assume the GNU/Linux dynamic linker is in use.
+  dynamic_linker='GNU/Linux ld.so'
+  ;;
+
+netbsd*)
+  version_type=sunos
+  if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+    library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix'
+    finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+    dynamic_linker='NetBSD (a.out) ld.so'
+  else
+    library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major ${libname}${release}.so ${libname}.so'
+    soname_spec='${libname}${release}.so$major'
+    dynamic_linker='NetBSD ld.elf_so'
+  fi
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+openbsd*)
+  version_type=sunos
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+    need_version=no
+  fi
+  library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix'
+  finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+os2*)
+  libname_spec='$name'
+  need_lib_prefix=no
+  library_names_spec='$libname.dll $libname.a'
+  dynamic_linker='OS/2 ld.exe'
+  shlibpath_var=LIBPATH
+  ;;
+
+osf3* | osf4* | osf5*)
+  version_type=osf
+  need_version=no
+  soname_spec='${libname}${release}.so'
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so $libname.so'
+  shlibpath_var=LD_LIBRARY_PATH
+  sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+  sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+  ;;
+
+rhapsody*)
+  version_type=sunos
+  library_names_spec='${libname}.so'
+  soname_spec='${libname}.so'
+  shlibpath_var=DYLD_LIBRARY_PATH
+  deplibs_check_method=pass_all
+  ;;
+
+sco3.2v5*)
+  version_type=osf
+  soname_spec='${libname}${release}.so$major'
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+solaris*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  hardcode_into_libs=yes
+  # ldd complains unless libraries are executable
+  postinstall_cmds='chmod +x $lib'
+  ;;
+
+sunos4*)
+  version_type=sunos
+  library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix'
+  finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=yes
+  if test "$with_gnu_ld" = yes; then
+    need_lib_prefix=no
+  fi
+  need_version=yes
+  ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+  version_type=linux
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  case "$host_vendor" in
+    sequent)
+      file_magic_cmd='/bin/file'
+      deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )'
+      ;;
+    motorola)
+      need_lib_prefix=no
+      need_version=no
+      shlibpath_overrides_runpath=no
+      sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+      ;;
+  esac
+  ;;
+
+uts4*)
+  version_type=linux
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+dgux*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+  soname_spec='${libname}${release}.so$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  ;;
+
+sysv4*MP*)
+  if test -d /usr/nec ;then
+    version_type=linux
+    library_names_spec='$libname.so.$versuffix $libname.so.$major $libname.so'
+    soname_spec='$libname.so.$major'
+    shlibpath_var=LD_LIBRARY_PATH
+  fi
+  ;;
+
+*)
+  dynamic_linker=no
+  ;;
+esac
+echo "$ac_t$dynamic_linker" 1>&6
+test "$dynamic_linker" = no && can_build_shared=no
+
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+echo $ac_n "checking command to parse $NM output... $ac_c" 1>&6
+
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix.  What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[BCDEGRST]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
+
+# Transform the above into a raw symbol and a C symbol.
+symxfrm='\1 \2\3 \3'
+
+# Transform an extracted symbol line into a proper C declaration
+global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern char \1;/p'"
+
+# Define system-specific variables.
+case "$host_os" in
+aix*)
+  symcode='[BCDT]'
+  ;;
+cygwin* | mingw*)
+  symcode='[ABCDGISTW]'
+  ;;
+hpux*) # Its linker distinguishes data from code symbols
+  global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern char \1();/p' -e 's/^. .* \(.*\)$/extern char \1;/p'"
+  ;;
+irix*)
+  symcode='[BCDEGRST]'
+  ;;
+solaris* | sysv5*)
+  symcode='[BDT]'
+  ;;
+sysv4)
+  symcode='[DFNSTU]'
+  ;;
+esac
+
+# Handle CRLF in mingw too chain
+opt_cr=
+case "$host_os" in
+mingw*)
+  opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+  ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+if $NM -V 2>&1 | egrep '(GNU|with BFD)' > /dev/null; then
+  symcode='[ABCDGISTW]'
+fi
+
+# Try without a prefix undercore, then with it.
+for ac_symprfx in "" "_"; do
+
+  # Write the raw and C identifiers.
+global_symbol_pipe="sed -n -e 's/^.*[ 	]\($symcode\)[ 	][ 	]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
+
+  # Check to see that the pipe works correctly.
+  pipe_works=no
+  $rm conftest*
+  cat > conftest.c <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+  echo "$progname:1892: checking if global_symbol_pipe works" >&5
+  if { (eval echo $progname:1893: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; } && test -s conftest.$objext; then
+    # Now try to grab the symbols.
+    nlist=conftest.nm
+    if { echo "$progname:1896: eval \"$NM conftest.$objext | $global_symbol_pipe > $nlist\"" >&5; eval "$NM conftest.$objext | $global_symbol_pipe > $nlist 2>&5"; } && test -s "$nlist"; then
+
+      # Try sorting and uniquifying the output.
+      if sort "$nlist" | uniq > "$nlist"T; then
+	mv -f "$nlist"T "$nlist"
+      else
+	rm -f "$nlist"T
+      fi
+
+      # Make sure that we snagged all the symbols we need.
+      if egrep ' nm_test_var$' "$nlist" >/dev/null; then
+	if egrep ' nm_test_func$' "$nlist" >/dev/null; then
+	  cat <<EOF > conftest.c
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+	  # Now generate the symbol file.
+	  eval "$global_symbol_to_cdecl"' < "$nlist" >> conftest.c'
+
+	  cat <<EOF >> conftest.c
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+  const char *name;
+  lt_ptr_t address;
+}
+lt_preloaded_symbols[] =
+{
+EOF
+	  sed 's/^. \(.*\) \(.*\)$/  {"\2", (lt_ptr_t) \&\2},/' < "$nlist" >> conftest.c
+	  cat <<\EOF >> conftest.c
+  {0, (lt_ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+	  # Now try linking the two files.
+	  mv conftest.$objext conftstm.$objext
+	  save_LIBS="$LIBS"
+	  save_CFLAGS="$CFLAGS"
+	  LIBS="conftstm.$objext"
+	  CFLAGS="$CFLAGS$no_builtin_flag"
+	  if { (eval echo $progname:1948: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+	    pipe_works=yes
+	  else
+	    echo "$progname: failed program was:" >&5
+	    cat conftest.c >&5
+	  fi
+	  LIBS="$save_LIBS"
+	else
+	  echo "cannot find nm_test_func in $nlist" >&5
+	fi
+      else
+	echo "cannot find nm_test_var in $nlist" >&5
+      fi
+    else
+      echo "cannot run $global_symbol_pipe" >&5
+    fi
+  else
+    echo "$progname: failed program was:" >&5
+    cat conftest.c >&5
+  fi
+  $rm conftest* conftst*
+
+  # Do not use the global_symbol_pipe unless it works.
+  if test "$pipe_works" = yes; then
+    break
+  else
+    global_symbol_pipe=
+  fi
+done
+if test "$pipe_works" = yes; then
+  echo "${ac_t}ok" 1>&6
+else
+  echo "${ac_t}failed" 1>&6
+fi
+
+if test -z "$global_symbol_pipe"; then
+  global_symbol_to_cdecl=
+fi
+
+# Report the final consequences.
+echo "checking if libtool supports shared libraries... $can_build_shared" 1>&6
+
+# Only try to build win32 dlls if AC_LIBTOOL_WIN32_DLL was used in
+# configure.in, otherwise build static only libraries.
+case "$host_os" in
+cygwin* | mingw* | os2*)
+  if test x$can_build_shared = xyes; then
+    test x$enable_win32_dll = xno && can_build_shared=no
+    echo "checking if package supports dlls... $can_build_shared" 1>&6
+  fi
+;;
+esac
+
+echo $ac_n "checking whether to build shared libraries... $ac_c" 1>&6
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case "$host_os" in
+aix3*)
+  test "$enable_shared" = yes && enable_static=no
+  if test -n "$RANLIB"; then
+    archive_cmds="$archive_cmds~\$RANLIB \$lib"
+    postinstall_cmds='$RANLIB $lib'
+  fi
+  ;;
+
+aix4*)
+  test "$enable_shared" = yes && enable_static=no
+  ;;
+esac
+
+echo "$ac_t$enable_shared" 1>&6
+
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+
+echo "checking whether to build static libraries... $enable_static" 1>&6
+
+if test "$hardcode_action" = relink || test "$hardcode_into_libs" = all; then
+  # Fast installation is not supported
+  enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+     test "$enable_shared" = no; then
+  # Fast installation is not necessary
+  enable_fast_install=needless
+fi
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$with_gcc" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+# Check whether we must set pic_mode to default
+test -z "$pic_flag" && pic_mode=default
+
+if test "x$enable_dlopen" != xyes; then
+  enable_dlopen=unknown
+  enable_dlopen_self=unknown
+  enable_dlopen_self_static=unknown
+else
+if test "X${lt_cv_dlopen+set}" != Xset; then
+  lt_cv_dlopen=no lt_cv_dlopen_libs=
+echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6
+echo "$progname:2052: checking for dlopen in -ldl" >&5
+if test "X${ac_cv_lib_dl_dlopen+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldl  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2059 "ltconfig"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen();
+
+int main() {
+dlopen()
+; return 0; }
+EOF
+if { (eval echo $progname:2072: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_lib_dl_dlopen=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_lib_dl_dlopen=no
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if test "X$ac_cv_lib_dl_dlopen" = Xyes; then
+  echo "$ac_t""yes" 1>&6
+  lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+  echo "$ac_t""no" 1>&6
+echo $ac_n "checking for dlopen""... $ac_c" 1>&6
+echo "$progname:2091: checking for dlopen" >&5
+if test "X${ac_cv_func_dlopen+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2096 "ltconfig"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char dlopen(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_dlopen) || defined (__stub___dlopen)
+choke me
+#else
+dlopen();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo $progname:2121: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_func_dlopen=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_dlopen=no
+fi
+rm -f conftest*
+fi
+if test "X$ac_cv_func_dlopen" = Xyes; then
+  echo "$ac_t""yes" 1>&6
+  lt_cv_dlopen="dlopen"
+else
+  echo "$ac_t""no" 1>&6
+echo $ac_n "checking for dld_link in -ldld""... $ac_c" 1>&6
+echo "$progname:2138: checking for dld_link in -ldld" >&5
+if test "X${ac_cv_lib_dld_dld_link+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldld  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2145 "ltconfig"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dld_link();
+
+int main() {
+dld_link()
+; return 0; }
+EOF
+if { (eval echo $progname:2158: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_lib_dld_dld_link=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_lib_dld_dld_link=no
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if test "X$ac_cv_lib_dld_dld_link" = Xyes; then
+  echo "$ac_t""yes" 1>&6
+  lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
+else
+  echo "$ac_t""no" 1>&6
+echo $ac_n "checking for shl_load""... $ac_c" 1>&6
+echo "$progname:2177: checking for shl_load" >&5
+if test "X${ac_cv_func_shl_load+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2182 "ltconfig"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char shl_load(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_shl_load) || defined (__stub___shl_load)
+choke me
+#else
+shl_load();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo $progname:2207: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_func_shl_load=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_shl_load=no
+fi
+rm -f conftest*
+fi
+
+if test "X$ac_cv_func_shl_load" = Xyes; then
+  echo "$ac_t""yes" 1>&6
+  lt_cv_dlopen="shl_load"
+else
+  echo "$ac_t""no" 1>&6
+echo $ac_n "checking for shl_load in -ldld""... $ac_c" 1>&6
+echo "$progname:2225: checking for shl_load in -ldld" >&5
+if test "X${ac_cv_lib_dld_shl_load+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldld  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2232 "ltconfig"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load();
+
+int main() {
+shl_load()
+; return 0; }
+EOF
+if { (eval echo $progname:2246: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_lib_dld_shl_load=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_lib_dld_shl_load=no
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if test "X$ac_cv_lib_dld_shl_load" = Xyes; then
+  echo "$ac_t""yes" 1>&6
+  lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+fi
+
+  if test "x$lt_cv_dlopen" != xno; then
+    enable_dlopen=yes
+  fi
+
+  case "$lt_cv_dlopen" in
+  dlopen)
+for ac_hdr in dlfcn.h; do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "$progname:2289: checking for $ac_hdr" >&5
+if eval "test \"`echo 'X$''{'ac_cv_header_$ac_safe'+set}'`\" = Xset"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2294 "ltconfig"
+#include <$ac_hdr>
+int fnord = 0;
+int main () { return (0); }
+EOF
+ac_try="$ac_compile >/dev/null 2>conftest.out"
+{ (eval echo $progname:2300: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+    if test "x$ac_cv_header_dlfcn_h" = xyes; then
+      CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+    fi
+    eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+    LIBS="$lt_cv_dlopen_libs $LIBS"
+
+  echo $ac_n "checking whether a program can dlopen itself""... $ac_c" 1>&6
+echo "$progname:2328: checking whether a program can dlopen itself" >&5
+if test "X${lt_cv_dlopen_self+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test "$cross_compiling" = yes; then
+    lt_cv_dlopen_self=cross
+  else
+    cat > conftest.c <<EOF
+#line 2336 "ltconfig"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LTDL_GLOBAL	RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+#  define LTDL_GLOBAL	DL_GLOBAL
+# else
+#  define LTDL_GLOBAL	0
+# endif
+#endif
+
+/* We may have to define LTDL_LAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LTDL_LAZY_OR_NOW
+# ifdef RTLD_LAZY
+#  define LTDL_LAZY_OR_NOW	RTLD_LAZY
+# else
+#  ifdef DL_LAZY
+#   define LTDL_LAZY_OR_NOW	DL_LAZY
+#  else
+#   ifdef RTLD_NOW
+#    define LTDL_LAZY_OR_NOW	RTLD_NOW
+#   else
+#    ifdef DL_NOW
+#     define LTDL_LAZY_OR_NOW	DL_NOW
+#    else
+#     define LTDL_LAZY_OR_NOW	0
+#    endif
+#   endif
+#  endif
+# endif
+#endif
+
+fnord() { int i=42;}
+main() { void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW);
+    if(self) { ptr1=dlsym(self,"fnord"); ptr2=dlsym(self,"_fnord");
+	       if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); }
+
+EOF
+if { (eval echo $progname:2382: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null
+then
+  lt_cv_dlopen_self=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  lt_cv_dlopen_self=no
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$lt_cv_dlopen_self" 1>&6
+
+  if test "$lt_cv_dlopen_self" = yes; then
+    LDFLAGS="$LDFLAGS $link_static_flag"
+  echo $ac_n "checking whether a statically linked program can dlopen itself""... $ac_c" 1>&6
+echo "$progname:2401: checking whether a statically linked program can dlopen itself" >&5
+if test "X${lt_cv_dlopen_self_static+set}" = Xset; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test "$cross_compiling" = yes; then
+    lt_cv_dlopen_self_static=cross
+  else
+    cat > conftest.c <<EOF
+#line 2409 "ltconfig"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LTDL_GLOBAL	RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+#  define LTDL_GLOBAL	DL_GLOBAL
+# else
+#  define LTDL_GLOBAL	0
+# endif
+#endif
+
+/* We may have to define LTDL_LAZY_OR_NOW in the command line if we
+   find out it does not work in some platform. */
+#ifndef LTDL_LAZY_OR_NOW
+# ifdef RTLD_LAZY
+#  define LTDL_LAZY_OR_NOW	RTLD_LAZY
+# else
+#  ifdef DL_LAZY
+#   define LTDL_LAZY_OR_NOW	DL_LAZY
+#  else
+#   ifdef RTLD_NOW
+#    define LTDL_LAZY_OR_NOW	RTLD_NOW
+#   else
+#    ifdef DL_NOW
+#     define LTDL_LAZY_OR_NOW	DL_NOW
+#    else
+#     define LTDL_LAZY_OR_NOW	0
+#    endif
+#   endif
+#  endif
+# endif
+#endif
+
+fnord() { int i=42;}
+main() { void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW);
+    if(self) { ptr1=dlsym(self,"fnord"); ptr2=dlsym(self,"_fnord");
+    if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); }
+
+EOF
+if { (eval echo $progname:2455: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null
+then
+  lt_cv_dlopen_self_static=yes
+else
+  echo "$progname: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  lt_cv_dlopen_self_static=no
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$lt_cv_dlopen_self_static" 1>&6
+fi
+    ;;
+  esac
+
+  case "$lt_cv_dlopen_self" in
+  yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+  *) enable_dlopen_self=unknown ;;
+  esac
+
+  case "$lt_cv_dlopen_self_static" in
+  yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+  *) enable_dlopen_self_static=unknown ;;
+  esac
+fi
+
+# Copy echo and quote the copy, instead of the original, because it is
+# used later.
+ltecho="$echo"
+if test "X$ltecho" = "X$CONFIG_SHELL $0 --fallback-echo"; then
+   ltecho="$CONFIG_SHELL \$0 --fallback-echo"
+fi
+LTSHELL="$SHELL"
+
+LTCONFIG_VERSION="$VERSION"
+
+# Only quote variables if we're using ltmain.sh.
+case "$ltmain" in
+*.sh)
+  # Now quote all the things that may contain metacharacters.
+  for var in ltecho old_AR old_ARFLAGS old_CC old_CFLAGS old_CPPFLAGS \
+    old_MAGIC old_LD old_LDFLAGS old_LIBS \
+    old_LN_S old_NM old_RANLIB old_STRIP \
+    old_AS old_DLLTOOL old_OBJDUMP \
+    old_OBJEXT old_EXEEXT old_reload_flag \
+    old_deplibs_check_method old_file_magic_cmd \
+    AR AR_FLAGS CC LD LN_S NM LTSHELL LTCONFIG_VERSION \
+    reload_flag reload_cmds wl \
+    pic_flag link_static_flag no_builtin_flag export_dynamic_flag_spec \
+    thread_safe_flag_spec whole_archive_flag_spec libname_spec \
+    library_names_spec soname_spec \
+    RANLIB old_archive_cmds old_archive_from_new_cmds old_postinstall_cmds \
+    old_postuninstall_cmds archive_cmds archive_expsym_cmds postinstall_cmds \
+    postuninstall_cmds extract_expsyms_cmds old_archive_from_expsyms_cmds \
+    old_striplib striplib file_magic_cmd export_symbols_cmds \
+    deplibs_check_method allow_undefined_flag no_undefined_flag \
+    finish_cmds finish_eval global_symbol_pipe global_symbol_to_cdecl \
+    hardcode_libdir_flag_spec hardcode_libdir_separator  \
+    sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+    compiler_c_o compiler_o_lo need_locks exclude_expsyms include_expsyms; do
+
+    case "$var" in
+    reload_cmds | old_archive_cmds | old_archive_from_new_cmds | \
+    old_postinstall_cmds | old_postuninstall_cmds | \
+    export_symbols_cmds | archive_cmds | archive_expsym_cmds | \
+    extract_expsyms_cmds | old_archive_from_expsyms_cmds | \
+    postinstall_cmds | postuninstall_cmds | \
+    finish_cmds | sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+      # Double-quote double-evaled strings.
+      eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\"" ### testsuite: skip nested quoting test
+      ;;
+    *)
+      eval "$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\"" ### testsuite: skip nested quoting test
+      ;;
+    esac
+  done
+
+  case "$ltecho" in
+  *'\$0 --fallback-echo"')
+    ltecho=`$echo "X$ltecho" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+    ;;
+  esac
+
+  trap "$rm \"$ofile\"; exit 1" 1 2 15
+  echo "creating $ofile"
+  $rm "$ofile"
+  cat <<EOF > "$ofile"
+#! $SHELL
+
+# `$echo "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
+# NOTE: Changes made to this file will be lost: look at ltconfig or ltmain.sh.
+#
+# Copyright (C) 1996-2000 Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="sed -e s/^X//"
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+
+### BEGIN LIBTOOL CONFIG
+EOF
+  cfgfile="$ofile"
+  ;;
+
+*)
+  # Double-quote the variables that need it (for aesthetics).
+  for var in old_AR old_AR_FLAGS old_CC old_CFLAGS old_CPPFLAGS \
+    old_MAGIC old_LD old_LDFLAGS old_LIBS \
+    old_LN_S old_NM old_RANLIB old_STRIP \
+    old_AS old_DLLTOOL old_OBJDUMP \
+    old_OBJEXT old_EXEEXT old_reload_flag \
+    old_deplibs_check_method old_file_magic_cmd; do
+    eval "$var=\\\"\$var\\\""
+  done
+
+  # Just create a config file.
+  cfgfile="$ofile.cfg"
+  trap "$rm \"$cfgfile\"; exit 1" 1 2 15
+  echo "creating $cfgfile"
+  $rm "$cfgfile"
+  cat <<EOF > "$cfgfile"
+# `$echo "$cfgfile" | sed 's%^.*/%%'` - Libtool configuration file.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
+EOF
+  ;;
+esac
+
+cat <<EOF >> "$cfgfile"
+# Libtool was configured as follows, on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+#
+# AR=$old_AR AR_FLAGS=$old_AR_FLAGS CC=$old_CC CFLAGS=$old_CFLAGS \\
+# CPPFLAGS=$old_CPPFLAGS MAGIC=$old_MAGIC LD=$old_LD LDFLAGS=$old_LDFLAGS \\
+# LIBS=$old_LIBS LN_S=$old_LN_S NM=$old_NM RANLIB=$old_RANLIB \\
+# STRIP=$old_STRIP AS=$old_AS DLLTOOL=$old_DLLTOOL OBJDUMP=$old_OBJDUMP \\
+# objext=$old_OBJEXT exeext=$old_EXEEXT reload_flag=$old_reload_flag \\
+# deplibs_check_method=$old_deplibs_check_method file_magic_cmd=$old_file_magic_cmd \\
+#   $0$ltconfig_args
+#
+# Compiler and other test output produced by $progname, useful for
+# debugging $progname, is in ./config.log if it exists.
+# The version of $progname that generated this script.
+LTCONFIG_VERSION=$LTCONFIG_VERSION
+
+# Shell to use when invoking shell scripts.
+SHELL=$LTSHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+
+# An echo program that does not interpret backslashes.
+echo=$ltecho
+
+# The archiver.
+AR=$AR
+AR_FLAGS=$AR_FLAGS
+
+# The default C compiler.
+CC=$CC
+
+# The linker used to build libraries.
+LD=$LD
+
+# Whether we need hard or soft links.
+LN_S=$LN_S
+
+# A BSD-compatible nm program.
+NM=$NM
+
+# A symbol stripping program
+STRIP=$STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC=$MAGIC
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$reload_flag
+reload_cmds=$reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$wl
+
+# Object file suffix (normally "o").
+objext="$objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$pic_flag
+pic_mode=$pic_mode
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$compiler_c_o
+
+# Can we write directly to a .lo ?
+compiler_o_lo=$compiler_o_lo
+
+# Must we lock files when doing compilation ?
+need_locks=$need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$link_static_flag
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$no_builtin_flag
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$export_dynamic_flag_spec
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$whole_archive_flag_spec
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$thread_safe_flag_spec
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$libname_spec
+
+# List of archive names.  First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$RANLIB
+old_archive_cmds=$old_archive_cmds
+old_postinstall_cmds=$old_postinstall_cmds
+old_postuninstall_cmds=$old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$old_archive_from_new_cmds
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$old_archive_from_expsyms_cmds
+
+# Commands used to build and install a shared archive.
+archive_cmds=$archive_cmds
+archive_expsym_cmds=$archive_expsym_cmds
+postinstall_cmds=$postinstall_cmds
+postuninstall_cmds=$postuninstall_cmds
+
+# Commands to strip libraries.
+old_striplib=$old_striplib
+striplib=$striplib
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$allow_undefined_flag
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$no_undefined_flag
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$global_symbol_to_cdecl
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$hardcode_libdir_flag_spec
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$hardcode_libdir_separator
+
+# Set to yes if using DIR/libNAME.so during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols
+
+# The commands to list exported symbols.
+export_symbols_cmds=$export_symbols_cmds
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$exclude_expsyms
+
+# Symbols that must always be exported.
+include_expsyms=$include_expsyms
+
+EOF
+
+case "$ltmain" in
+*.sh)
+  echo '### END LIBTOOL CONFIG' >> "$ofile"
+  echo >> "$ofile"
+  case "$host_os" in
+  aix3*)
+    cat <<\EOF >> "$ofile"
+
+# AIX sometimes has problems with the GCC collect2 program.  For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+  COLLECT_NAMES=
+  export COLLECT_NAMES
+fi
+EOF
+    ;;
+  esac
+  case "$host" in
+  *-*-cygwin* | *-*-mingw* | *-*-os2*)
+    cat <<'EOF' >> "$ofile"
+      # This is a source program that is used to create dlls on Windows
+      # Don't remove nor modify the starting and closing comments
+# /* ltdll.c starts here */
+# #define WIN32_LEAN_AND_MEAN
+# #include <windows.h>
+# #undef WIN32_LEAN_AND_MEAN
+# #include <stdio.h>
+#
+# #ifndef __CYGWIN__
+# #  ifdef __CYGWIN32__
+# #    define __CYGWIN__ __CYGWIN32__
+# #  endif
+# #endif
+#
+# #ifdef __cplusplus
+# extern "C" {
+# #endif
+# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
+# #ifdef __cplusplus
+# }
+# #endif
+#
+# #ifdef __CYGWIN__
+# #include <cygwin/cygwin_dll.h>
+# DECLARE_CYGWIN_DLL( DllMain );
+# #endif
+# HINSTANCE __hDllInstance_base;
+#
+# BOOL APIENTRY
+# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
+# {
+#   __hDllInstance_base = hInst;
+#   return TRUE;
+# }
+# /* ltdll.c ends here */
+      # This is a source program that is used to create import libraries
+      # on Windows for dlls which lack them. Don't remove nor modify the
+      # starting and closing comments
+# /* impgen.c starts here */
+# /*   Copyright (C) 1999-2000 Free Software Foundation, Inc.
+#
+#  This file is part of GNU libtool.
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#  */
+#
+#  #include <stdio.h>		/* for printf() */
+#  #include <unistd.h>		/* for open(), lseek(), read() */
+#  #include <fcntl.h>		/* for O_RDONLY, O_BINARY */
+#  #include <string.h>		/* for strdup() */
+#
+#  /* O_BINARY isn't required (or even defined sometimes) under Unix */
+#  #ifndef O_BINARY
+#  #define O_BINARY 0
+#  #endif
+#
+#  static unsigned int
+#  pe_get16 (fd, offset)
+#       int fd;
+#       int offset;
+#  {
+#    unsigned char b[2];
+#    lseek (fd, offset, SEEK_SET);
+#    read (fd, b, 2);
+#    return b[0] + (b[1]<<8);
+#  }
+#
+#  static unsigned int
+#  pe_get32 (fd, offset)
+#      int fd;
+#      int offset;
+#  {
+#    unsigned char b[4];
+#    lseek (fd, offset, SEEK_SET);
+#    read (fd, b, 4);
+#    return b[0] + (b[1]<<8) + (b[2]<<16) + (b[3]<<24);
+#  }
+#
+#  static unsigned int
+#  pe_as32 (ptr)
+#       void *ptr;
+#  {
+#    unsigned char *b = ptr;
+#    return b[0] + (b[1]<<8) + (b[2]<<16) + (b[3]<<24);
+#  }
+#
+#  int
+#  main (argc, argv)
+#      int argc;
+#      char *argv[];
+#  {
+#      int dll;
+#      unsigned long pe_header_offset, opthdr_ofs, num_entries, i;
+#      unsigned long export_rva, export_size, nsections, secptr, expptr;
+#      unsigned long name_rvas, nexp;
+#      unsigned char *expdata, *erva;
+#      char *filename, *dll_name;
+#
+#      filename = argv[1];
+#
+#      dll = open(filename, O_RDONLY|O_BINARY);
+#      if (!dll)
+#  	return 1;
+#
+#      dll_name = filename;
+#
+#      for (i=0; filename[i]; i++)
+#  	if (filename[i] == '/' || filename[i] == '\\'  || filename[i] == ':')
+#  	    dll_name = filename + i +1;
+#
+#      pe_header_offset = pe_get32 (dll, 0x3c);
+#      opthdr_ofs = pe_header_offset + 4 + 20;
+#      num_entries = pe_get32 (dll, opthdr_ofs + 92);
+#
+#      if (num_entries < 1) /* no exports */
+#  	return 1;
+#
+#      export_rva = pe_get32 (dll, opthdr_ofs + 96);
+#      export_size = pe_get32 (dll, opthdr_ofs + 100);
+#      nsections = pe_get16 (dll, pe_header_offset + 4 +2);
+#      secptr = (pe_header_offset + 4 + 20 +
+#  	      pe_get16 (dll, pe_header_offset + 4 + 16));
+#
+#      expptr = 0;
+#      for (i = 0; i < nsections; i++)
+#      {
+#  	char sname[8];
+#  	unsigned long secptr1 = secptr + 40 * i;
+#  	unsigned long vaddr = pe_get32 (dll, secptr1 + 12);
+#  	unsigned long vsize = pe_get32 (dll, secptr1 + 16);
+#  	unsigned long fptr = pe_get32 (dll, secptr1 + 20);
+#  	lseek(dll, secptr1, SEEK_SET);
+#  	read(dll, sname, 8);
+#  	if (vaddr <= export_rva && vaddr+vsize > export_rva)
+#  	{
+#  	    expptr = fptr + (export_rva - vaddr);
+#  	    if (export_rva + export_size > vaddr + vsize)
+#  		export_size = vsize - (export_rva - vaddr);
+#  	    break;
+#  	}
+#      }
+#
+#      expdata = (unsigned char*)malloc(export_size);
+#      lseek (dll, expptr, SEEK_SET);
+#      read (dll, expdata, export_size);
+#      erva = expdata - export_rva;
+#
+#      nexp = pe_as32 (expdata+24);
+#      name_rvas = pe_as32 (expdata+32);
+#
+#      printf ("EXPORTS\n");
+#      for (i = 0; i<nexp; i++)
+#      {
+#  	unsigned long name_rva = pe_as32 (erva+name_rvas+i*4);
+#  	printf ("\t%s @ %ld ;\n", erva+name_rva, 1+ i);
+#      }
+#
+#      return 0;
+#  }
+# /* impgen.c ends here */
+
+EOF
+    ;;
+  esac
+
+
+  # Append the ltmain.sh script.
+  sed '$q' "$ltmain" >> "$ofile" || (rm -f "$ofile"; exit 1)
+  # We use sed instead of cat because bash on DJGPP gets confused if
+  # if finds mixed CR/LF and LF-only lines.  Since sed operates in
+  # text mode, it properly converts lines to CR/LF.  This bash problem
+  # is reportedly fixed, but why not run on old versions too?
+
+  chmod +x "$ofile"
+  ;;
+
+*)
+  # Compile the libtool program.
+  echo "FIXME: would compile $ltmain"
+  ;;
+esac
+
+test -n "$cache_file" || exit 0
+
+# AC_CACHE_SAVE
+trap '' 1 2 15
+cat > confcache <<\EOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs.  It is not useful on other systems.
+# If it contains results you don't want to keep, you may remove or edit it.
+#
+# By default, configure uses ./config.cache as the cache file,
+# creating it if it does not exist already.  You can give configure
+# the --cache-file=FILE option to use a different cache file; that is
+# what configure does when it calls configure scripts in
+# subdirectories, so they share the cache.
+# Giving --cache-file=/dev/null disables caching, for debugging configure.
+# config.status only pays attention to the cache file if you give it the
+# --recheck option to rerun configure.
+#
+EOF
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(set) 2>&1 |
+  case `(ac_space=' '; set | grep ac_space) 2>&1` in
+  *ac_space=\ *)
+    # `set' does not quote correctly, so add quotes (double-quote substitution
+    # turns \\\\ into \\, and sed turns \\ into \).
+    sed -n \
+      -e "s/'/'\\\\''/g" \
+      -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p"
+    ;;
+  *)
+    # `set' quotes correctly as required by POSIX, so do not add quotes.
+    sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p'
+    ;;
+  esac >> confcache
+if cmp -s $cache_file confcache; then
+  :
+else
+  if test -w $cache_file; then
+    echo "updating cache $cache_file"
+    cat confcache > $cache_file
+  else
+    echo "not updating unwritable cache $cache_file"
+  fi
+fi
+rm -f confcache
+
+exit 0
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
diff --git a/crypto/heimdal/ltmain.sh b/crypto/heimdal/ltmain.sh
new file mode 100644
index 0000000..19a0e7d
--- /dev/null
+++ b/crypto/heimdal/ltmain.sh
@@ -0,0 +1,4771 @@
+# ltmain.sh - Provide generalized library-building support services.
+# NOTE: Changing this file will not affect anything until you rerun ltconfig.
+#
+# Copyright (C) 1996-2000 Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Check that we have a working $echo.
+if test "X$1" = X--no-reexec; then
+  # Discard the --no-reexec flag, and continue.
+  shift
+elif test "X$1" = X--fallback-echo; then
+  # Avoid inline document here, it may be left over
+  :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
+  # Yippee, $echo works!
+  :
+else
+  # Restart under the correct shell, and then maybe $echo will work.
+  exec $SHELL "$0" --no-reexec ${1+"$@"}
+fi
+
+if test "X$1" = X--fallback-echo; then
+  # used as fallback echo
+  shift
+  cat <<EOF
+$*
+EOF
+  exit 0
+fi
+
+# The name of this program.
+progname=`$echo "$0" | sed 's%^.*/%%'`
+modename="$progname"
+
+# Constants.
+PROGRAM=ltmain.sh
+PACKAGE=libtool
+VERSION=1.3c
+TIMESTAMP=" (1.731 2000/07/10 09:42:21)"
+
+default_mode=
+help="Try \`$progname --help' for more information."
+magic="%%%MAGIC variable%%%"
+mkdir="mkdir"
+mv="mv -f"
+rm="rm -f"
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e 1s/^X//'
+sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
+SP2NL='tr \040 \012'
+NL2SP='tr \015\012 \040\040'
+
+# NLS nuisances.
+# Only set LANG and LC_ALL to C if already set.
+# These must not be set unconditionally because not all systems understand
+# e.g. LANG=C (notably SCO).
+# We save the old values to restore during execute mode.
+if test "${LC_ALL+set}" = set; then
+  save_LC_ALL="$LC_ALL"; LC_ALL=C; export LC_ALL
+fi
+if test "${LANG+set}" = set; then
+  save_LANG="$LANG"; LANG=C; export LANG
+fi
+
+if test "$LTCONFIG_VERSION" != "$VERSION"; then
+  echo "$modename: ltconfig version \`$LTCONFIG_VERSION' does not match $PROGRAM version \`$VERSION'" 1>&2
+  echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+  exit 1
+fi
+
+if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+  echo "$modename: not configured to build any kind of library" 1>&2
+  echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+  exit 1
+fi
+
+# Global variables.
+mode=$default_mode
+nonopt=
+prev=
+prevopt=
+run=
+show="$echo"
+show_help=
+execute_dlfiles=
+lo2o="s/\\.lo\$/.${objext}/"
+o2lo="s/\\.${objext}\$/.lo/"
+
+# Parse our command line options once, thoroughly.
+while test $# -gt 0
+do
+  arg="$1"
+  shift
+
+  case "$arg" in
+  -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  # If the previous option needs an argument, assign it.
+  if test -n "$prev"; then
+    case "$prev" in
+    execute_dlfiles)
+      eval "$prev=\"\$$prev \$arg\""
+      ;;
+    *)
+      eval "$prev=\$arg"
+      ;;
+    esac
+
+    prev=
+    prevopt=
+    continue
+  fi
+
+  # Have we seen a non-optional argument yet?
+  case "$arg" in
+  --help)
+    show_help=yes
+    ;;
+
+  --version)
+    echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"
+    exit 0
+    ;;
+
+  --config)
+    sed -e '1,/^### BEGIN LIBTOOL CONFIG/d' -e '/^### END LIBTOOL CONFIG/,$d' $0
+    exit 0
+    ;;
+
+  --debug)
+    echo "$progname: enabling shell trace mode"
+    set -x
+    ;;
+
+  --dry-run | -n)
+    run=:
+    ;;
+
+  --features)
+    echo "host: $host"
+    if test "$build_libtool_libs" = yes; then
+      echo "enable shared libraries"
+    else
+      echo "disable shared libraries"
+    fi
+    if test "$build_old_libs" = yes; then
+      echo "enable static libraries"
+    else
+      echo "disable static libraries"
+    fi
+    exit 0
+    ;;
+
+  --finish) mode="finish" ;;
+
+  --mode) prevopt="--mode" prev=mode ;;
+  --mode=*) mode="$optarg" ;;
+
+  --quiet | --silent)
+    show=:
+    ;;
+
+  -dlopen)
+    prevopt="-dlopen"
+    prev=execute_dlfiles
+    ;;
+
+  -*)
+    $echo "$modename: unrecognized option \`$arg'" 1>&2
+    $echo "$help" 1>&2
+    exit 1
+    ;;
+
+  *)
+    nonopt="$arg"
+    break
+    ;;
+  esac
+done
+
+if test -n "$prevopt"; then
+  $echo "$modename: option \`$prevopt' requires an argument" 1>&2
+  $echo "$help" 1>&2
+  exit 1
+fi
+
+if test -z "$show_help"; then
+
+  # Infer the operation mode.
+  if test -z "$mode"; then
+    case "$nonopt" in
+    *cc | *++ | gcc* | *-gcc*)
+      mode=link
+      for arg
+      do
+	case "$arg" in
+	-c)
+	   mode=compile
+	   break
+	   ;;
+	esac
+      done
+      ;;
+    *db | *dbx | *strace | *truss)
+      mode=execute
+      ;;
+    *install*|cp|mv)
+      mode=install
+      ;;
+    *rm)
+      mode=uninstall
+      ;;
+    *)
+      # If we have no mode, but dlfiles were specified, then do execute mode.
+      test -n "$execute_dlfiles" && mode=execute
+
+      # Just use the default operation mode.
+      if test -z "$mode"; then
+	if test -n "$nonopt"; then
+	  $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
+	else
+	  $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
+	fi
+      fi
+      ;;
+    esac
+  fi
+
+  # Only execute mode is allowed to have -dlopen flags.
+  if test -n "$execute_dlfiles" && test "$mode" != execute; then
+    $echo "$modename: unrecognized option \`-dlopen'" 1>&2
+    $echo "$help" 1>&2
+    exit 1
+  fi
+
+  # Change the help message to a mode-specific one.
+  generic_help="$help"
+  help="Try \`$modename --help --mode=$mode' for more information."
+
+  # These modes are in order of execution frequency so that they run quickly.
+  case "$mode" in
+  # libtool compile mode
+  compile)
+    modename="$modename: compile"
+    # Get the compilation command and the source file.
+    base_compile=
+    prev=
+    lastarg=
+    srcfile="$nonopt"
+    suppress_output=
+
+    user_target=no
+    for arg
+    do
+      case "$prev" in
+      "") ;;
+      xcompiler)
+	# Aesthetically quote the previous argument.
+	prev=
+	lastarg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+
+	case "$arg" in
+	# Double-quote args containing other shell metacharacters.
+	# Many Bourne shells cannot handle close brackets correctly
+	# in scan sets, so we specify it separately.
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+
+	# Add the previous argument to base_compile.
+	if test -z "$base_compile"; then
+	  base_compile="$lastarg"
+	else
+	  base_compile="$base_compile $lastarg"
+	fi
+	continue
+	;;
+      esac
+
+      # Accept any command-line options.
+      case "$arg" in
+      -o)
+	if test "$user_target" != "no"; then
+	  $echo "$modename: you cannot specify \`-o' more than once" 1>&2
+	  exit 1
+	fi
+	user_target=next
+	;;
+
+      -static)
+	build_old_libs=yes
+	continue
+	;;
+
+      -prefer-pic)
+	pic_mode=yes
+	continue
+	;;
+
+      -prefer-non-pic)
+	pic_mode=no
+	continue
+	;;
+
+      -Xcompiler)
+	prev=xcompiler
+	continue
+	;;
+
+      -Wc,*)
+	args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
+	lastarg=
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=','
+	for arg in $args; do
+	  IFS="$save_ifs"
+
+	  # Double-quote args containing other shell metacharacters.
+	  # Many Bourne shells cannot handle close brackets correctly
+	  # in scan sets, so we specify it separately.
+	  case "$arg" in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    arg="\"$arg\""
+	    ;;
+	  esac
+	  lastarg="$lastarg $arg"
+	done
+	IFS="$save_ifs"
+	lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"`
+
+	# Add the arguments to base_compile.
+	if test -z "$base_compile"; then
+	  base_compile="$lastarg"
+	else
+	  base_compile="$base_compile $lastarg"
+	fi
+	continue
+	;;
+      esac
+
+      case "$user_target" in
+      next)
+	# The next one is the -o target name
+	user_target=yes
+	continue
+	;;
+      yes)
+	# We got the output file
+	user_target=set
+	libobj="$arg"
+	continue
+	;;
+      esac
+
+      # Accept the current argument as the source file.
+      lastarg="$srcfile"
+      srcfile="$arg"
+
+      # Aesthetically quote the previous argument.
+
+      # Backslashify any backslashes, double quotes, and dollar signs.
+      # These are the only characters that are still specially
+      # interpreted inside of double-quoted scrings.
+      lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
+
+      # Double-quote args containing other shell metacharacters.
+      # Many Bourne shells cannot handle close brackets correctly
+      # in scan sets, so we specify it separately.
+      case "$lastarg" in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	lastarg="\"$lastarg\""
+	;;
+      esac
+
+      # Add the previous argument to base_compile.
+      if test -z "$base_compile"; then
+	base_compile="$lastarg"
+      else
+	base_compile="$base_compile $lastarg"
+      fi
+    done
+
+    case "$user_target" in
+    set)
+      ;;
+    no)
+      # Get the name of the library object.
+      libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'`
+      ;;
+    *)
+      $echo "$modename: you must specify a target with \`-o'" 1>&2
+      exit 1
+      ;;
+    esac
+
+    # Recognize several different file suffixes.
+    # If the user specifies -o file.o, it is replaced with file.lo
+    xform='[cCFSfmso]'
+    case "$libobj" in
+    *.ada) xform=ada ;;
+    *.adb) xform=adb ;;
+    *.ads) xform=ads ;;
+    *.asm) xform=asm ;;
+    *.c++) xform=c++ ;;
+    *.cc) xform=cc ;;
+    *.cpp) xform=cpp ;;
+    *.cxx) xform=cxx ;;
+    *.f90) xform=f90 ;;
+    *.for) xform=for ;;
+    esac
+
+    libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
+
+    case "$libobj" in
+    *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
+    *)
+      $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
+      exit 1
+      ;;
+    esac
+
+    if test -z "$base_compile"; then
+      $echo "$modename: you must specify a compilation command" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    # Delete any leftover library objects.
+    if test "$build_old_libs" = yes; then
+      removelist="$obj $libobj"
+    else
+      removelist="$libobj"
+    fi
+
+    $run $rm $removelist
+    trap "$run $rm $removelist; exit 1" 1 2 15
+
+    # On Cygwin there's no "real" PIC flag so we must build both object types
+    case "$host_os" in
+    cygwin* | mingw* | os2*)
+      pic_mode=default
+      ;;
+    esac
+    if test $pic_mode = no && test "$deplibs_check_method" != pass_all; then
+      # non-PIC code in shared libraries is not supported
+      pic_mode=default
+    fi
+
+    # Calculate the filename of the output object if compiler does
+    # not support -o with -c
+    if test "$compiler_c_o" = no; then
+      output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\..*$%%'`.${objext}
+      lockfile="$output_obj.lock"
+      removelist="$removelist $output_obj $lockfile"
+      trap "$run $rm $removelist; exit 1" 1 2 15
+    else
+      need_locks=no
+      lockfile=
+    fi
+
+    # Lock this critical section if it is needed
+    # We use this script file to make the link, it avoids creating a new file
+    if test "$need_locks" = yes; then
+      until ln "$0" "$lockfile" 2>/dev/null; do
+	$show "Waiting for $lockfile to be removed"
+	sleep 2
+      done
+    elif test "$need_locks" = warn; then
+      if test -f "$lockfile"; then
+	echo "\
+*** ERROR, $lockfile exists and contains:
+`cat $lockfile 2>/dev/null`
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit 1
+      fi
+      echo $srcfile > "$lockfile"
+    fi
+
+    if test -n "$fix_srcfile_path"; then
+      eval srcfile=\"$fix_srcfile_path\"
+    fi
+
+    # Only build a PIC object if we are building libtool libraries.
+    if test "$build_libtool_libs" = yes; then
+      # Without this assignment, base_compile gets emptied.
+      fbsd_hideous_sh_bug=$base_compile
+
+      if test "$pic_mode" != no; then
+	# All platforms use -DPIC, to notify preprocessed assembler code.
+	command="$base_compile $srcfile $pic_flag -DPIC"
+      else
+	# Don't build PIC code
+	command="$base_compile $srcfile"
+      fi
+      if test "$build_old_libs" = yes; then
+	lo_libobj="$libobj"
+	dir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'`
+	if test "X$dir" = "X$libobj"; then
+	  dir="$objdir"
+	else
+	  dir="$dir/$objdir"
+	fi
+	libobj="$dir/"`$echo "X$libobj" | $Xsed -e 's%^.*/%%'`
+
+	if test -d "$dir"; then
+	  $show "$rm $libobj"
+	  $run $rm $libobj
+	else
+	  $show "$mkdir $dir"
+	  $run $mkdir $dir
+	  status=$?
+	  if test $status -ne 0 && test ! -d $dir; then
+	    exit $status
+	  fi
+	fi
+      fi
+      if test "$compiler_o_lo" = yes; then
+	output_obj="$libobj"
+	command="$command -o $output_obj"
+      elif test "$compiler_c_o" = yes; then
+	output_obj="$obj"
+	command="$command -o $output_obj"
+      fi
+
+      $run $rm "$output_obj"
+      $show "$command"
+      if $run eval "$command"; then :
+      else
+	test -n "$output_obj" && $run $rm $removelist
+	exit 1
+      fi
+
+      if test "$need_locks" = warn &&
+	 test x"`cat $lockfile 2>/dev/null`" != x"$srcfile"; then
+	echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit 1
+      fi
+
+      # Just move the object if needed, then go on to compile the next one
+      if test x"$output_obj" != x"$libobj"; then
+	$show "$mv $output_obj $libobj"
+	if $run $mv $output_obj $libobj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # If we have no pic_flag, then copy the object into place and finish.
+      if (test -z "$pic_flag" || test "$pic_mode" != default) &&
+	 test "$build_old_libs" = yes; then
+	# Rename the .lo from within objdir to obj
+	if test -f $obj; then
+	  $show $rm $obj
+	  $run $rm $obj
+	fi
+
+	$show "$mv $libobj $obj"
+	if $run $mv $libobj $obj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+
+	xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+	if test "X$xdir" = "X$obj"; then
+	  xdir="."
+	else
+	  xdir="$xdir"
+	fi
+	baseobj=`$echo "X$obj" | $Xsed -e "s%.*/%%"`
+	libobj=`$echo "X$baseobj" | $Xsed -e "$o2lo"`
+	# Now arrange that obj and lo_libobj become the same file
+	$show "(cd $xdir && $LN_S $baseobj $libobj)"
+	if $run eval '(cd $xdir && $LN_S $baseobj $libobj)'; then
+	  exit 0
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # Allow error messages only from the first compilation.
+      suppress_output=' >/dev/null 2>&1'
+    fi
+
+    # Only build a position-dependent object if we build old libraries.
+    if test "$build_old_libs" = yes; then
+      if test "$pic_mode" != yes; then
+	# Don't build PIC code
+	command="$base_compile $srcfile"
+      else
+	# All platforms use -DPIC, to notify preprocessed assembler code.
+	command="$base_compile $srcfile $pic_flag -DPIC"
+      fi
+      if test "$compiler_c_o" = yes; then
+	command="$command -o $obj"
+	output_obj="$obj"
+      fi
+
+      # Suppress compiler output if we already did a PIC compilation.
+      command="$command$suppress_output"
+      $run $rm "$output_obj"
+      $show "$command"
+      if $run eval "$command"; then :
+      else
+	$run $rm $removelist
+	exit 1
+      fi
+
+      if test "$need_locks" = warn &&
+	 test x"`cat $lockfile 2>/dev/null`" != x"$srcfile"; then
+	echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together.  If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+	$run $rm $removelist
+	exit 1
+      fi
+
+      # Just move the object if needed
+      if test x"$output_obj" != x"$obj"; then
+	$show "$mv $output_obj $obj"
+	if $run $mv $output_obj $obj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+
+      # Create an invalid libtool object if no PIC, so that we do not
+      # accidentally link it into a program.
+      if test "$build_libtool_libs" != yes; then
+	$show "echo timestamp > $libobj"
+	$run eval "echo timestamp > \$libobj" || exit $?
+      else
+	# Move the .lo from within objdir
+	$show "$mv $libobj $lo_libobj"
+	if $run $mv $libobj $lo_libobj; then :
+	else
+	  error=$?
+	  $run $rm $removelist
+	  exit $error
+	fi
+      fi
+    fi
+
+    # Unlock the critical section if it was locked
+    if test "$need_locks" != no; then
+      $rm "$lockfile"
+    fi
+
+    exit 0
+    ;;
+
+  # libtool link mode
+  link | relink)
+    modename="$modename: link"
+    case "$host" in
+    *-*-cygwin* | *-*-mingw* | *-*-os2*)
+      # It is impossible to link a dll without this setting, and
+      # we shouldn't force the makefile maintainer to figure out
+      # which system we are compiling for in order to pass an extra
+      # flag for every libtool invokation.
+      # allow_undefined=no
+
+      # FIXME: Unfortunately, there are problems with the above when trying
+      # to make a dll which has undefined symbols, in which case not
+      # even a static library is built.  For now, we need to specify
+      # -no-undefined on the libtool link line when we can be certain
+      # that all symbols are satisfied, otherwise we get a static library.
+      allow_undefined=yes
+      ;;
+    *)
+      allow_undefined=yes
+      ;;
+    esac
+    libtool_args="$nonopt"
+    compile_command="$nonopt"
+    finalize_command="$nonopt"
+
+    compile_rpath=
+    finalize_rpath=
+    compile_shlibpath=
+    finalize_shlibpath=
+    convenience=
+    old_convenience=
+    deplibs=
+    old_deplibs=
+    compiler_flags=
+    linker_flags=
+    dllsearchpath=
+    lib_search_path=`pwd`
+
+    avoid_version=no
+    dlfiles=
+    dlprefiles=
+    dlself=no
+    export_dynamic=no
+    export_symbols=
+    export_symbols_regex=
+    generated=
+    libobjs=
+    ltlibs=
+    module=no
+    no_install=no
+    objs=
+    prefer_static_libs=no
+    preload=no
+    prev=
+    prevarg=
+    release=
+    rpath=
+    xrpath=
+    perm_rpath=
+    temp_rpath=
+    thread_safe=no
+    vinfo=
+
+    # We need to know -static, to get the right output filenames.
+    for arg
+    do
+      case "$arg" in
+      -all-static | -static)
+	if test "X$arg" = "X-all-static"; then
+	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
+	    $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
+	  fi
+	  if test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	else
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	fi
+	build_libtool_libs=no
+	build_old_libs=yes
+	prefer_static_libs=yes
+	break
+	;;
+      esac
+    done
+
+    # See if our shared archives depend on static archives.
+    test -n "$old_archive_from_new_cmds" && build_old_libs=yes
+
+    # Go through the arguments, transforming them on the way.
+    while test $# -gt 0; do
+      arg="$1"
+      shift
+      case "$arg" in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test
+	;;
+      *) qarg=$arg ;;
+      esac
+      libtool_args="$libtool_args $qarg"
+
+      # If the previous option needs an argument, assign it.
+      if test -n "$prev"; then
+	case "$prev" in
+	output)
+	  compile_command="$compile_command @OUTPUT@"
+	  finalize_command="$finalize_command @OUTPUT@"
+	  ;;
+	esac
+
+	case "$prev" in
+	dlfiles|dlprefiles)
+	  if test "$preload" = no; then
+	    # Add the symbol object into the linking commands.
+	    compile_command="$compile_command @SYMFILE@"
+	    finalize_command="$finalize_command @SYMFILE@"
+	    preload=yes
+	  fi
+	  case "$arg" in
+	  *.la | *.lo) ;;  # We handle these cases below.
+	  force)
+	    if test "$dlself" = no; then
+	      dlself=needless
+	      export_dynamic=yes
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  self)
+	    if test "$prev" = dlprefiles; then
+	      dlself=yes
+	    elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
+	      dlself=yes
+	    else
+	      dlself=needless
+	      export_dynamic=yes
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  *)
+	    if test "$prev" = dlfiles; then
+	      dlfiles="$dlfiles $arg"
+	    else
+	      dlprefiles="$dlprefiles $arg"
+	    fi
+	    prev=
+	    continue
+	    ;;
+	  esac
+	  ;;
+	expsyms)
+	  export_symbols="$arg"
+	  if test ! -f "$arg"; then
+	    $echo "$modename: symbol file \`$arg' does not exist"
+	    exit 1
+	  fi
+	  prev=
+	  continue
+	  ;;
+	expsyms_regex)
+	  export_symbols_regex="$arg"
+	  prev=
+	  continue
+	  ;;
+	release)
+	  release="-$arg"
+	  prev=
+	  continue
+	  ;;
+	rpath | xrpath)
+	  # We need an absolute path.
+	  case "$arg" in
+	  [\\/]* | [A-Za-z]:[\\/]*) ;;
+	  *)
+	    $echo "$modename: only absolute run-paths are allowed" 1>&2
+	    exit 1
+	    ;;
+	  esac
+	  if test "$prev" = rpath; then
+	    case "$rpath " in
+	    *" $arg "*) ;;
+	    *) rpath="$rpath $arg" ;;
+	    esac
+	  else
+	    case "$xrpath " in
+	    *" $arg "*) ;;
+	    *) xrpath="$xrpath $arg" ;;
+	    esac
+	  fi
+	  prev=
+	  continue
+	  ;;
+	xcompiler)
+	  compiler_flags="$compiler_flags $qarg"
+	  prev=
+	  compile_command="$compile_command $qarg"
+	  finalize_command="$finalize_command $qarg"
+	  continue
+	  ;;
+	xlinker)
+	  linker_flags="$linker_flags $qarg"
+	  compiler_flags="$compiler_flags $wl$qarg"
+	  prev=
+	  compile_command="$compile_command $wl$qarg"
+	  finalize_command="$finalize_command $wl$qarg"
+	  continue
+	  ;;
+	*)
+	  eval "$prev=\"\$arg\""
+	  prev=
+	  continue
+	  ;;
+	esac
+      fi
+
+      prevarg="$arg"
+
+      case "$arg" in
+      -all-static)
+	if test -n "$link_static_flag"; then
+	  compile_command="$compile_command $link_static_flag"
+	  finalize_command="$finalize_command $link_static_flag"
+	fi
+	continue
+	;;
+
+      -allow-undefined)
+	# FIXME: remove this flag sometime in the future.
+	$echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
+	continue
+	;;
+
+      -avoid-version)
+	avoid_version=yes
+	continue
+	;;
+
+      -dlopen)
+	prev=dlfiles
+	continue
+	;;
+
+      -dlpreopen)
+	prev=dlprefiles
+	continue
+	;;
+
+      -export-dynamic)
+	export_dynamic=yes
+	continue
+	;;
+
+      -export-symbols | -export-symbols-regex)
+	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+	  $echo "$modename: not more than one -exported-symbols argument allowed"
+	  exit 1
+	fi
+	if test "X$arg" = "X-export-symbols"; then
+	  prev=expsyms
+	else
+	  prev=expsyms_regex
+	fi
+	continue
+	;;
+
+      -L*)
+	dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
+	# We need an absolute path.
+	case "$dir" in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	*)
+	  absdir=`cd "$dir" && pwd`
+	  if test -z "$absdir"; then
+	    $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
+	    exit 1
+	  fi
+	  dir="$absdir"
+	  ;;
+	esac
+	case "$deplibs " in
+	*" -L$dir "*) ;;
+	*)
+	  deplibs="$deplibs -L$dir"
+	  lib_search_path="$lib_search_path $dir"
+	  ;;
+	esac
+	case "$host" in
+	*-*-cygwin* | *-*-mingw* | *-*-os2*)
+	  case ":$dllsearchpath:" in
+	  *":$dir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$dir";;
+	  esac
+	  ;;
+	esac
+	continue
+	;;
+
+      -l*)
+	if test "$arg" = "-lc"; then
+	  case "$host" in
+	  *-*-cygwin* | *-*-mingw* | *-*-os2* | *-*-beos*)
+	    # These systems don't actually have c library (as such)
+	    continue
+	    ;;
+	  esac
+	elif test "$arg" = "-lm"; then
+	  case "$host" in
+	  *-*-cygwin* | *-*-beos*)
+	    # These systems don't actually have math library (as such)
+	    continue
+	    ;;
+	  esac
+	fi
+	deplibs="$deplibs $arg"
+	continue
+	;;
+
+      -module)
+	module=yes
+	continue
+	;;
+
+      -no-fast-install)
+	fast_install=no
+	continue
+	;;
+
+      -no-install)
+	case "$host" in
+	*-*-cygwin* | *-*-mingw* | *-*-os2*)
+	  # The PATH hackery in wrapper scripts is required on Windows
+	  # in order for the loader to find any dlls it needs.
+	  $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
+	  $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
+	  fast_install=no
+	  ;;
+        *-*-rhapsody*)
+	  # rhapsody is a little odd...
+	  deplibs="$deplibs -framework System"
+	  ;;
+	*)
+	  no_install=yes
+	  ;;
+	esac
+	continue
+	;;
+
+      -no-undefined)
+	allow_undefined=no
+	continue
+	;;
+
+      -o) prev=output ;;
+
+      -release)
+	prev=release
+	continue
+	;;
+
+      -rpath)
+	prev=rpath
+	continue
+	;;
+
+      -R)
+	prev=xrpath
+	continue
+	;;
+
+      -R*)
+	dir=`$echo "X$arg" | $Xsed -e 's/^-R//'`
+	# We need an absolute path.
+	case "$dir" in
+	[\\/]* | [A-Za-z]:[\\/]*) ;;
+	*)
+	  $echo "$modename: only absolute run-paths are allowed" 1>&2
+	  exit 1
+	  ;;
+	esac
+	case "$xrpath " in
+	*" $dir "*) ;;
+	*) xrpath="$xrpath $dir" ;;
+	esac
+	continue
+	;;
+
+      -static)
+	# If we have no pic_flag, then this is the same as -all-static.
+	if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	  compile_command="$compile_command $link_static_flag"
+	  finalize_command="$finalize_command $link_static_flag"
+	fi
+	continue
+	;;
+
+      -thread-safe)
+	thread_safe=yes
+	continue
+	;;
+
+      -version-info)
+	prev=vinfo
+	continue
+	;;
+
+      -Wc,*)
+	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'`
+	arg=
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=','
+	for flag in $args; do
+	  IFS="$save_ifs"
+	  case "$flag" in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    flag="\"$flag\""
+	    ;;
+	  esac
+	  arg="$arg $wl$flag"
+	  compiler_flags="$compiler_flags $flag"
+	done
+	IFS="$save_ifs"
+	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+	;;
+
+      -Wl,*)
+	args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'`
+	arg=
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=','
+	for flag in $args; do
+	  IFS="$save_ifs"
+	  case "$flag" in
+	    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	    flag="\"$flag\""
+	    ;;
+	  esac
+	  arg="$arg $wl$flag"
+	  compiler_flags="$compiler_flags $wl$flag"
+	  linker_flags="$linker_flags $flag"
+	done
+	IFS="$save_ifs"
+	arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+	;;
+
+      -Xcompiler)
+	prev=xcompiler
+	continue
+	;;
+
+      -Xlinker)
+	prev=xlinker
+	continue
+	;;
+
+      # Some other compiler flag.
+      -* | +*)
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+	case "$arg" in
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+	;;
+
+      *.$objext)
+	# A standard object.
+	objs="$objs $arg"
+	;;
+
+      *.lo)
+	# A library object.
+	if test "$prev" = dlfiles; then
+	  # This file was specified with -dlopen.
+	  if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+	    dlfiles="$dlfiles $arg"
+	    prev=
+	    continue
+	  else
+	    # If libtool objects are unsupported, then we need to preload.
+	    prev=dlprefiles
+	  fi
+	fi
+
+	if test "$prev" = dlprefiles; then
+	  # Preload the old-style object.
+	  dlprefiles="$dlprefiles "`$echo "X$arg" | $Xsed -e "$lo2o"`
+	  prev=
+	else
+	  libobjs="$libobjs $arg"
+	fi
+	;;
+
+      *.$libext)
+	# An archive.
+	deplibs="$deplibs $arg"
+	old_deplibs="$old_deplibs $arg"
+	continue
+	;;
+
+      *.la)
+	# A libtool-controlled library.
+
+	if test "$prev" = dlfiles; then
+	  # This library was specified with -dlopen.
+	  dlfiles="$dlfiles $arg"
+	  prev=
+	elif test "$prev" = dlprefiles; then
+	  # The library was specified with -dlpreopen.
+	  dlprefiles="$dlprefiles $arg"
+	  prev=
+	else
+	  deplibs="$deplibs $arg"
+	fi
+	continue
+	;;
+
+      # Some other compiler argument.
+      *)
+	# Unknown arguments in both finalize_command and compile_command need
+	# to be aesthetically quoted because they are evaled later.
+	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+	case "$arg" in
+	*[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	  arg="\"$arg\""
+	  ;;
+	esac
+	;;
+      esac
+
+      # Now actually substitute the argument into the commands.
+      if test -n "$arg"; then
+	compile_command="$compile_command $arg"
+	finalize_command="$finalize_command $arg"
+      fi
+    done
+
+    if test -n "$prev"; then
+      $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
+      eval arg=\"$export_dynamic_flag_spec\"
+      compile_command="$compile_command $arg"
+      finalize_command="$finalize_command $arg"
+    fi
+
+    oldlibs=
+    # calculate the name of the file, without its directory
+    outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
+    libobjs_save="$libobjs"
+
+    if test -n "$shlibpath_var"; then
+      # get the directories listed in $shlibpath_var
+      eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+    else
+      shlib_search_path=
+    fi
+    eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
+    eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
+
+    output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
+    if test "X$output_objdir" = "X$output"; then
+      output_objdir="$objdir"
+    else
+      output_objdir="$output_objdir/$objdir"
+    fi
+    # Create the object directory.
+    if test ! -d $output_objdir; then
+      $show "$mkdir $output_objdir"
+      $run $mkdir $output_objdir
+      status=$?
+      if test $status -ne 0 && test ! -d $output_objdir; then
+	exit $status
+      fi
+    fi
+
+    # Determine the type of output
+    case "$output" in
+    "")
+      $echo "$modename: you must specify an output file" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+      ;;
+    *.$libext) linkmode=oldlib ;;
+    *.lo | *.$objext) linkmode=obj ;;
+    *.la) linkmode=lib ;;
+    *) linkmode=prog ;; # Anything else should be a program.
+    esac
+
+    specialdeplibs=
+    libs=
+    # Find all interdependent deplibs by searching for libraries
+    # that are linked more than once (e.g. -la -lb -la)
+    for deplib in $deplibs; do
+      case "$libs " in
+      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+      esac
+      libs="$libs $deplib"
+    done
+    deplibs=
+    newdependency_libs=
+    newlib_search_path=
+    need_relink=no # whether we're linking any uninstalled libtool libraries
+    uninst_deplibs= # uninstalled libtool libraries
+    uninst_path= # paths that contain uninstalled libtool libraries
+    case $linkmode in
+    lib)
+	passes="conv link"
+	for file in $dlfiles $dlprefiles; do
+	  case "$file" in
+	  *.la) ;;
+	  *)
+	    $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
+	    exit 1
+	    ;;
+	  esac
+	done
+	;;
+    prog)
+	compile_deplibs=
+	finalize_deplibs=
+	alldeplibs=no
+	newdlfiles=
+	newdlprefiles=
+	passes="conv scan dlopen dlpreopen link"
+	;;
+    *)	passes="conv"
+	;;
+    esac
+    for pass in $passes; do
+      if test "$linkmode,$pass" = "lib,link" ||
+	 test "$linkmode,$pass" = "prog,scan"; then
+	libs="$deplibs"
+	deplibs=
+      fi
+      if test $linkmode = prog; then
+	case $pass in
+	dlopen) libs="$dlfiles" ;;
+	dlpreopen) libs="$dlprefiles" ;;
+	link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
+	esac
+      fi
+      if test $pass = dlopen; then
+	# Collect dlpreopened libraries
+	save_deplibs="$deplibs"
+	deplibs=
+      fi
+      for deplib in $libs; do
+	lib=
+	found=no
+	case "$deplib" in
+	-l*)
+	  if test $linkmode != lib && test $linkmode != prog; then
+	    $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2
+	    continue
+	  fi
+	  if test $pass = conv; then
+	    deplibs="$deplib $deplibs"
+	    continue
+	  fi
+	  name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
+	  for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do
+	    # Search the libtool library
+	    lib="$searchdir/lib${name}.la"
+	    if test -f "$lib"; then
+	      found=yes
+	      break
+	    fi
+	  done
+	  if test "$found" != yes; then
+	    if test "$linkmode,$pass" = "prog,link"; then
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      deplibs="$deplib $deplibs"
+	      test $linkmode = lib && newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    continue
+	  fi
+	  ;;
+	-L*)
+	  case $linkmode in
+	  lib)
+	    deplibs="$deplib $deplibs"
+	    test $pass = conv && continue
+	    newdependency_libs="$deplib $newdependency_libs"
+	    newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+	    ;;
+	  prog)
+	    if test $pass = conv; then
+	      deplibs="$deplib $deplibs"
+	      continue
+	    fi
+	    if test $pass = scan; then
+	      deplibs="$deplib $deplibs"
+	      newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    ;;
+	  *)
+	    $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2
+	    ;;
+	  esac
+	  continue
+	  ;;
+	-R*)
+	  if test $pass = link; then
+	    dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'`
+	    # Make sure the xrpath contains only unique directories.
+	    case "$xrpath " in
+	    *" $dir "*) ;;
+	    *) xrpath="$xrpath $dir" ;;
+	    esac
+	  fi
+	  deplibs="$deplib $deplibs"
+	  continue
+	  ;;
+	*.la) lib="$deplib" ;;
+	*.$libext)
+	  if test $pass = conv; then
+	    deplibs="$deplib $deplibs"
+	    continue
+	  fi
+	  case $linkmode in
+	  lib)
+	    if test "$deplibs_check_method" != pass_all; then
+	      echo
+	      echo "*** Warning: This library needs some functionality provided by $deplib."
+	      echo "*** I have the capability to make that library automatically link in when"
+	      echo "*** you link to this library.  But I can only do this if you have a"
+	      echo "*** shared version of the library, which you do not appear to have."
+	    else
+	      echo
+	      echo "*** Warning: Linking the shared library $output against the"
+	      echo "*** static library $deplib is not portable!"
+	      deplibs="$deplib $deplibs"
+	    fi
+	    continue
+	    ;;
+	  prog)
+	    if test $pass != link; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    continue
+	    ;;
+	  esac
+	  ;;
+	*.lo | *.$objext)
+	  if test $pass = conv; then
+	    deplibs="$deplib $deplibs"
+	  elif test $linkmode = prog; then
+	    if test $pass = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+	      # If there is no dlopen support or we're linking statically,
+	      # we need to preload.
+	      newdlprefiles="$newdlprefiles $deplib"
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      newdlfiles="$newdlfiles $deplib"
+	    fi
+	  fi
+	  continue
+	  ;;
+	%DEPLIBS%)
+	  alldeplibs=yes
+	  continue
+	  ;;
+	esac
+	if test $found = yes || test -f "$lib"; then :
+	else
+	  $echo "$modename: cannot find the library \`$lib'" 1>&2
+	  exit 1
+	fi
+
+	# Check to see that this really is a libtool archive.
+	if (sed -e '2q' $lib | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+	  exit 1
+	fi
+
+	ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$ladir" = "X$lib" && ladir="."
+
+	dlname=
+	dlopen=
+	dlpreopen=
+	libdir=
+	library_names=
+	old_library=
+	# If the library was installed with an old release of libtool,
+	# it will not redefine variable installed.
+	installed=yes
+
+	# Read the .la file
+	case "$lib" in
+	*/* | *\\*) . $lib ;;
+	*) . ./$lib ;;
+	esac
+
+	if test "$linkmode,$pass" = "lib,link" ||
+	   test "$linkmode,$pass" = "prog,scan" ||
+	   { test $linkmode != prog && test $linkmode != lib; }; then
+	  test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
+	  test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+	fi
+
+	if test $pass = conv; then
+	  # only check for convenience libraries
+	  deplibs="$lib $deplibs"
+	  if test -z "$libdir"; then
+	    if test -z "$old_library"; then
+	      $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+	      exit 1
+	    fi
+	    # It is a libtool convenience library, so add in its objects.
+	    convenience="$convenience $ladir/$objdir/$old_library"
+	    old_convenience="$old_convenience $ladir/$objdir/$old_library"
+	    tmp_libs=
+	    for deplib in $dependency_libs; do
+	      deplibs="$deplib $deplibs"
+	      case "$tmp_libs " in
+	      *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	      esac
+	      tmp_libs="$tmp_libs $deplib"
+	    done
+	  elif test $linkmode != prog && test $linkmode != lib; then
+	    $echo "$modename: \`$lib' is not a convenience library" 1>&2
+	    exit 1
+	  fi
+	  continue
+	fi
+
+	# Get the name of the library we link against.
+	linklib=
+	for l in $old_library $library_names; do
+	  linklib="$l"
+	done
+	if test -z "$linklib"; then
+	  $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+	  exit 1
+	fi
+
+	# This library was specified with -dlopen.
+	if test $pass = dlopen; then
+	  if test -z "$libdir"; then
+	    $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
+	    exit 1
+	  fi
+	  if test -z "$dlname" || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+	    # If there is no dlname, no dlopen support or we're linking statically,
+	    # we need to preload.
+	    dlprefiles="$dlprefiles $lib"
+	  else
+	    newdlfiles="$newdlfiles $lib"
+	  fi
+	  continue
+	fi
+
+	# We need an absolute path.
+	case "$ladir" in
+	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
+	*)
+	  abs_ladir=`cd "$ladir" && pwd`
+	  if test -z "$abs_ladir"; then
+	    $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
+	    $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
+	    abs_ladir="$ladir"
+	  fi
+	  ;;
+	esac
+	laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+
+	# Find the relevant object directory and library name.
+	if test "X$installed" = Xyes; then
+	  if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+	    $echo "$modename: warning: library \`$lib' was moved." 1>&2
+	    dir="$ladir"
+	    absdir="$abs_ladir"
+	    libdir="$abs_ladir"
+	  else
+	    dir="$libdir"
+	    absdir="$libdir"
+	  fi
+	else
+	  dir="$ladir/$objdir"
+	  absdir="$abs_ladir/$objdir"
+	  # Remove this search path later
+	  uninst_path="$uninst_path $abs_ladir"
+	fi
+	name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+
+	# This library was specified with -dlpreopen.
+	if test $pass = dlpreopen; then
+	  if test -z "$libdir"; then
+	    $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
+	    exit 1
+	  fi
+	  # Prefer using a static library (so that no silly _DYNAMIC symbols
+	  # are required to link).
+	  if test -n "$old_library"; then
+	    newdlprefiles="$newdlprefiles $dir/$old_library"
+	  else
+	    newdlprefiles="$newdlprefiles $dir/$linklib"
+	  fi
+	fi
+
+	if test -z "$libdir"; then
+	  # link the convenience library
+	  if test $linkmode = lib; then
+	    deplibs="$dir/$old_library $deplibs"
+	  elif test "$linkmode,$pass" = "prog,link"; then
+	    compile_deplibs="$dir/$old_library $compile_deplibs"
+	    finalize_deplibs="$dir/$old_library $finalize_deplibs"
+	  else
+	    deplibs="$lib $deplibs" # used for prog,scan pass
+	  fi
+	  continue
+	fi
+
+	if test $linkmode = prog && test $pass != link; then
+	  newlib_search_path="$newlib_search_path $ladir"
+	  deplibs="$lib $deplibs"
+
+	  linkalldeplibs=no
+	  if test "$link_all_deplibs" != no || test -z "$library_names" ||
+	     test "$build_libtool_libs" = no; then
+	    linkalldeplibs=yes
+	  fi
+
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    case "$deplib" in
+	    -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test
+	    esac
+	    # Need to link against all dependency_libs?
+	    if test $linkalldeplibs = yes; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      # Need to hardcode shared library paths
+	      # or/and link against static libraries
+	      newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    case "$tmp_libs " in
+	    *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	    esac
+	    tmp_libs="$tmp_libs $deplib"
+	  done
+	  continue
+	fi
+
+	if test "$linkmode,$pass" = "prog,link"; then
+	  if test -n "$library_names" &&
+	     { test "$hardcode_into_libs" != all || test "$alldeplibs" != yes; } &&
+	     { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+	    # We need to hardcode the library path
+	    if test -n "$shlibpath_var"; then
+	      # Make sure the rpath contains only unique directories.
+	      case "$temp_rpath " in
+	      *" $dir "*) ;;
+	      *" $absdir "*) ;;
+	      *) temp_rpath="$temp_rpath $dir" ;;
+	      esac
+	    fi
+
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) compile_rpath="$compile_rpath $absdir"
+	      esac
+	      ;;
+	    esac
+
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) finalize_rpath="$finalize_rpath $libdir"
+	      esac
+	      ;;
+	    esac
+	  fi
+
+	  if test "$alldeplibs" = yes &&
+	     { test "$deplibs_check_method" = pass_all ||
+	       { test "$build_libtool_libs" = yes &&
+		 test -n "$library_names"; }; }; then
+	    # We only need to search for static libraries
+	    continue
+	  fi
+	fi
+
+	link_static=no # Whether the deplib will be linked statically
+	if test -n "$library_names" &&
+	   { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+	  if test "$installed" = no; then
+	    uninst_deplibs="$uninst_deplibs $lib"
+	    need_relink=yes
+	  fi
+	  # This is a shared library
+	  if test $linkmode = lib && test "$hardcode_into_libs" = all; then
+	    # Hardcode the library path.
+	    # Skip directories that are in the system default run-time
+	    # search path.
+	    case " $sys_lib_dlsearch_path " in
+	    *" $absdir "*) ;;
+	    *)
+	      case "$compile_rpath " in
+	      *" $absdir "*) ;;
+	      *) compile_rpath="$compile_rpath $absdir"
+	      esac
+	      ;;
+	    esac
+	    case " $sys_lib_dlsearch_path " in
+	    *" $libdir "*) ;;
+	    *)
+	      case "$finalize_rpath " in
+	      *" $libdir "*) ;;
+	      *) finalize_rpath="$finalize_rpath $libdir"
+	      esac
+	      ;;
+	    esac
+	  fi
+
+	  if test -n "$old_archive_from_expsyms_cmds"; then
+	    # figure out the soname
+	    set dummy $library_names
+	    realname="$2"
+	    shift; shift
+	    libname=`eval \\$echo \"$libname_spec\"`
+	    if test -n "$soname_spec"; then
+	      eval soname=\"$soname_spec\"
+	    else
+	      soname="$realname"
+	    fi
+
+	    # Make a new name for the extract_expsyms_cmds to use
+	    newlib="libimp-`echo $soname | sed 's/^lib//;s/\.dll$//'`.a"
+
+	    # If the library has no export list, then create one now
+	    if test -f "$output_objdir/$soname-def"; then :
+	    else
+	      $show "extracting exported symbol list from \`$soname'"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      eval cmds=\"$extract_expsyms_cmds\"
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd" || exit $?
+	      done
+	      IFS="$save_ifs"
+	    fi
+
+	    # Create $newlib
+	    if test -f "$output_objdir/$newlib"; then :; else
+	      $show "generating import library for \`$soname'"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      eval cmds=\"$old_archive_from_expsyms_cmds\"
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd" || exit $?
+	      done
+	      IFS="$save_ifs"
+	    fi
+	    # make sure the library variables are pointing to the new library
+	    dir=$output_objdir
+	    linklib=$newlib
+	  fi
+
+	  if test $linkmode = prog || test "$mode" != relink; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    lib_linked=yes
+	    case "$hardcode_action" in
+	    immediate | unsupported)
+	      if test "$hardcode_direct" = no; then
+		add="$dir/$linklib"
+	      elif test "$hardcode_minus_L" = no; then
+		case "$host" in
+		*-*-sunos*) add_shlibpath="$dir" ;;
+		esac
+		add_dir="-L$dir"
+		add="-l$name"
+	      elif test "$hardcode_shlibpath_var" = no; then
+		add_shlibpath="$dir"
+		add="-l$name"
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    relink)
+	      if test "$hardcode_direct" = yes; then
+		add="$dir/$linklib"
+	      elif test "$hardcode_minus_L" = yes; then
+		add_dir="-L$dir"
+		add="-l$name"
+	      elif test "$hardcode_shlibpath_var" = yes; then
+		add_shlibpath="$dir"
+		add="-l$name"
+	      else
+		lib_linked=no
+	      fi
+	      ;;
+	    *) lib_linked=no ;;
+	    esac
+
+	    if test "$lib_linked" != yes; then
+	      $echo "$modename: configuration error: unsupported hardcode properties"
+	      exit 1
+	    fi
+
+	    if test -n "$add_shlibpath"; then
+	      case ":$compile_shlibpath:" in
+	      *":$add_shlibpath:"*) ;;
+	      *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+	      esac
+	    fi
+	    if test $linkmode = prog; then
+	      test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
+	      test -n "$add" && compile_deplibs="$add $compile_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add $deplibs"
+	      if test "$hardcode_direct" != yes && \
+		 test "$hardcode_minus_L" != yes && \
+		 test "$hardcode_shlibpath_var" = yes; then
+		case ":$finalize_shlibpath:" in
+		*":$libdir:"*) ;;
+		*) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+		esac
+	      fi
+	    fi
+	  fi
+
+	  if test $linkmode = prog || test "$mode" = relink; then
+	    add_shlibpath=
+	    add_dir=
+	    add=
+	    # Finalize command for both is simple: just hardcode it.
+	    if test "$hardcode_direct" = yes; then
+	      add="$libdir/$linklib"
+	    elif test "$hardcode_minus_L" = yes; then
+	      add_dir="-L$libdir"
+	      add="-l$name"
+	    elif test "$hardcode_shlibpath_var" = yes; then
+	      case ":$finalize_shlibpath:" in
+	      *":$libdir:"*) ;;
+	      *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+	      esac
+	      add="-l$name"
+	    else
+	      # We cannot seem to hardcode it, guess we'll fake it.
+	      add_dir="-L$libdir"
+	      add="-l$name"
+	    fi
+
+	    if test $linkmode = prog; then
+	      test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
+	      test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
+	    else
+	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
+	      test -n "$add" && deplibs="$add deplibs"
+	    fi
+	  fi
+	elif test $linkmode = prog; then
+	  # Here we assume that one of hardcode_direct or hardcode_minus_L
+	  # is not unsupported.  This is valid on all known static and
+	  # shared platforms.
+	  if test "$hardcode_direct" != unsupported; then
+	    test -n "$old_library" && linklib="$old_library"
+	    compile_deplibs="$dir/$linklib $compile_deplibs"
+	    finalize_deplibs="$dir/$linklib $finalize_deplibs"
+	  else
+	    compile_deplibs="-l$name -L$dir $compile_deplibs"
+	    finalize_deplibs="-l$name -L$dir $finalize_deplibs"
+	  fi
+	elif test "$build_libtool_libs" = yes; then
+	  # Not a shared library
+	  if test "$deplibs_check_method" != pass_all; then
+	    # We're trying link a shared library against a static one
+	    # but the system doesn't support it.
+	    # Just print a warning and add the library to dependency_libs so
+	    # that the program can be linked against the static library.
+	    echo
+	    echo "*** Warning: This library needs some functionality provided by $lib."
+	    echo "*** I have the capability to make that library automatically link in when"
+	    echo "*** you link to this library.  But I can only do this if you have a"
+	    echo "*** shared version of the library, which you do not appear to have."
+	  else
+	    convenience="$convenience $dir/$old_library"
+	    old_convenience="$old_convenience $dir/$old_library"
+	    deplibs="$dir/$old_library $deplibs"
+	    link_static=yes
+	  fi
+	fi
+
+	if test $linkmode = lib; then
+	  if test -n "$dependency_libs" &&
+	     { test "$hardcode_into_libs" = no || test $build_old_libs = yes ||
+	       test $link_static = yes; }; then
+	    # Extract -R from dependency_libs
+	    temp_deplibs=
+	    for libdir in $dependency_libs; do
+	      case "$libdir" in
+	      -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'`
+		   case " $xrpath " in
+		   *" $temp_xrpath "*) ;;
+		   *) xrpath="$xrpath $temp_xrpath";;
+		   esac;;
+	      *) temp_deplibs="$temp_deplibs $libdir";;
+	      esac
+	    done
+	    dependency_libs="$temp_deplibs"
+	  fi
+
+	  newlib_search_path="$newlib_search_path $absdir"
+	  # Link against this library
+	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
+	  # ... and its dependency_libs
+	  tmp_libs=
+	  for deplib in $dependency_libs; do
+	    newdependency_libs="$deplib $newdependency_libs"
+	    case "$tmp_libs " in
+	    *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+	    esac
+	    tmp_libs="$tmp_libs $deplib"
+	  done
+
+	  if test $link_all_deplibs != no; then
+	    # Add the search paths of all dependency libraries
+	    for deplib in $dependency_libs; do
+	      case "$deplib" in
+	      -L*) path="$deplib" ;;
+	      *.la)
+		dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'`
+		test "X$dir" = "X$deplib" && dir="."
+		# We need an absolute path.
+		case "$dir" in
+		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
+		*)
+		  absdir=`cd "$dir" && pwd`
+		  if test -z "$absdir"; then
+		    $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2
+		    absdir="$dir"
+		  fi
+		  ;;
+		esac
+		if grep "^installed=no" $deplib > /dev/null; then
+		  path="-L$absdir/$objdir"
+		else
+		  eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		  if test -z "$libdir"; then
+		    $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+		    exit 1
+		  fi
+		  if test "$absdir" != "$libdir"; then
+		    $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
+		  fi
+		  path="-L$absdir"
+		fi
+		;;
+	      *) continue ;;
+	      esac
+	      case " $deplibs " in
+	      *" $path "*) ;;
+	      *) deplibs="$deplibs $path" ;;
+	      esac
+	    done
+	  fi
+	fi
+      done
+      dependency_libs="$newdependency_libs"
+      if test $pass = dlpreopen; then
+	# Link the dlpreopened libraries before other libraries
+	for deplib in $save_deplibs; do
+	  deplibs="$deplib $deplibs"
+	done
+      fi
+      if test $pass != dlopen; then
+	if test $pass != conv; then
+	  # Make sure lib_search_path contains only unique directories.
+	  lib_search_path=
+	  for dir in $newlib_search_path; do
+	    case "$lib_search_path " in
+	    *" $dir "*) ;;
+	    *) lib_search_path="$lib_search_path $dir" ;;
+	    esac
+	  done
+	  newlib_search_path=
+	fi
+
+	if test "$linkmode,$pass" != "prog,link"; then
+	  vars="deplibs"
+	else
+	  vars="compile_deplibs finalize_deplibs"
+	fi
+	for var in $vars dependency_libs; do
+	  # Make sure that $var contains only unique libraries
+	  # and add them in reverse order
+	  eval tmp_libs=\"\$$var\"
+	  new_libs=
+	  for deplib in $tmp_libs; do
+	    case "$deplib" in
+	    -L*) new_libs="$deplib $new_libs" ;;
+	    *)
+	      case " $specialdeplibs " in
+	      *" $deplib "*) new_libs="$deplib $new_libs" ;;
+	      *)
+		case " $new_libs " in
+		*" $deplib "*) ;;
+		*) new_libs="$deplib $new_libs" ;;
+		esac
+		;;
+	      esac
+	      ;;
+	    esac
+	  done
+	  tmp_libs=
+	  for deplib in $new_libs; do
+	    case "$deplib" in
+	    -L*)
+	      case " $tmp_libs " in
+	      *" $deplib "*) ;;
+	      *) tmp_libs="$tmp_libs $deplib" ;;
+	      esac
+	      ;;
+	    *) tmp_libs="$tmp_libs $deplib" ;;
+	    esac
+	  done
+	  eval $var=\"$tmp_libs\"
+	done
+      fi
+    done
+    if test $linkmode = prog; then
+      dlfiles="$newdlfiles"
+      dlprefiles="$newdlprefiles"
+    fi
+
+    case $linkmode in
+    oldlib)
+      if test -n "$deplibs"; then
+	$echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2
+      fi
+
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$rpath"; then
+	$echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$xrpath"; then
+	$echo "$modename: warning: \`-R' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$vinfo"; then
+	$echo "$modename: warning: \`-version-info' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$release"; then
+	$echo "$modename: warning: \`-release' is ignored for archives" 1>&2
+      fi
+
+      if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+	$echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
+      fi
+
+      # Now set the variables for building old libraries.
+      build_libtool_libs=no
+      oldlibs="$output"
+      objs="$objs$old_deplibs"
+      ;;
+
+    lib)
+      # Make sure we only generate libraries of the form `libNAME.la'.
+      case "$outputname" in
+      lib*)
+	name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+	eval libname=\"$libname_spec\"
+	;;
+      *)
+	if test "$module" = no; then
+	  $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+	if test "$need_lib_prefix" != no; then
+	  # Add the "lib" prefix for modules if required
+	  name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+	  eval libname=\"$libname_spec\"
+	else
+	  libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+	fi
+	;;
+      esac
+
+      if test -n "$objs"; then
+	if test "$deplibs_check_method" != pass_all; then
+	  $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
+	  exit 1
+	else
+	  echo
+	  echo "*** Warning: Linking the shared library $output against the non-libtool"
+	  echo "*** objects $objs is not portable!"
+	  libobjs="$libobjs $objs"
+	fi
+      fi
+
+      if test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2
+      fi
+
+      set dummy $rpath
+      if test $# -gt 2; then
+	$echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2
+      fi
+      install_libdir="$2"
+
+      oldlibs=
+      if test -z "$rpath"; then
+	if test "$build_libtool_libs" = yes; then
+	  # Building a libtool convenience library.
+	  libext=al
+	  oldlibs="$output_objdir/$libname.$libext $oldlibs"
+	  build_libtool_libs=convenience
+	  build_old_libs=yes
+	fi
+
+	if test -n "$vinfo"; then
+	  $echo "$modename: warning: \`-version-info' is ignored for convenience libraries" 1>&2
+	fi
+
+	if test -n "$release"; then
+	  $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2
+	fi
+      else
+
+	# Parse the version information argument.
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS=':'
+	set dummy $vinfo 0 0 0
+	IFS="$save_ifs"
+
+	if test -n "$8"; then
+	  $echo "$modename: too many parameters to \`-version-info'" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+
+	current="$2"
+	revision="$3"
+	age="$4"
+
+	# Check that each of the things are valid numbers.
+	case "$current" in
+	0 | [1-9] | [1-9][0-9]*) ;;
+	*)
+	  $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	case "$revision" in
+	0 | [1-9] | [1-9][0-9]*) ;;
+	*)
+	  $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	case "$age" in
+	0 | [1-9] | [1-9][0-9]*) ;;
+	*)
+	  $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	if test $age -gt $current; then
+	  $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
+	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+	  exit 1
+	fi
+
+	# Calculate the version variables.
+	major=
+	versuffix=
+	verstring=
+	case "$version_type" in
+	none) ;;
+
+	irix)
+	  major=`expr $current - $age + 1`
+	  versuffix="$major.$revision"
+	  verstring="sgi$major.$revision"
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$revision
+	  while test $loop != 0; do
+	    iface=`expr $revision - $loop`
+	    loop=`expr $loop - 1`
+	    verstring="sgi$major.$iface:$verstring"
+	  done
+	  ;;
+
+	linux)
+	  major=.`expr $current - $age`
+	  versuffix="$major.$age.$revision"
+	  ;;
+
+	osf)
+	  major=`expr $current - $age`
+	  versuffix=".$current.$age.$revision"
+	  verstring="$current.$age.$revision"
+
+	  # Add in all the interfaces that we are compatible with.
+	  loop=$age
+	  while test $loop != 0; do
+	    iface=`expr $current - $loop`
+	    loop=`expr $loop - 1`
+	    verstring="$verstring:${iface}.0"
+	  done
+
+	  # Make executables depend on our current version.
+	  verstring="$verstring:${current}.0"
+	  ;;
+
+	sunos)
+	  major=".$current"
+	  versuffix=".$current.$revision"
+	  ;;
+
+	freebsd-aout)
+	  major=".$current"
+	  versuffix=".$current.$revision";
+	  ;;
+
+	freebsd-elf)
+	  major=".$current"
+	  versuffix=".$current";
+	  ;;
+
+	windows)
+	  # Like Linux, but with '-' rather than '.', since we only
+	  # want one extension on Windows 95.
+	  major=`expr $current - $age`
+	  versuffix="-$major-$age-$revision"
+	  ;;
+
+	*)
+	  $echo "$modename: unknown library version type \`$version_type'" 1>&2
+	  echo "Fatal configuration error.  See the $PACKAGE docs for more information." 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	# Clear the version info if we defaulted, and they specified a release.
+	if test -z "$vinfo" && test -n "$release"; then
+	  major=
+	  verstring="0.0"
+	  if test "$need_version" = no; then
+	    versuffix=
+	  else
+	    versuffix=".0.0"
+	  fi
+	fi
+
+	# Remove version info from name if versioning should be avoided
+	if test "$avoid_version" = yes && test "$need_version" = no; then
+	  major=
+	  versuffix=
+	  verstring=""
+	fi
+
+	# Check to see if the archive will have undefined symbols.
+	if test "$allow_undefined" = yes; then
+	  if test "$allow_undefined_flag" = unsupported; then
+	    $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2
+	    build_libtool_libs=no
+	    build_old_libs=yes
+	  fi
+	else
+	  # Don't allow undefined symbols.
+	  allow_undefined_flag="$no_undefined_flag"
+	fi
+      fi
+
+      if test "$mode" != relink; then
+	# Remove our outputs.
+	$show "${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*"
+	$run ${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*
+      fi
+
+      # Now set the variables for building old libraries.
+      if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
+	oldlibs="$oldlibs $output_objdir/$libname.$libext"
+
+	# Transform .lo files to .o files.
+	oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
+      fi
+
+      # Eliminate all temporary directories.
+      for path in $uninst_path; do
+	lib_search_path=`echo "$lib_search_path " | sed -e 's% $path % %g'`
+	deplibs=`echo "$deplibs " | sed -e 's% -L$path % %g'`
+	dependency_libs=`echo "$dependency_libs " | sed -e 's% -L$path % %g'`
+      done
+
+      if test -n "$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	temp_xrpath=
+	for libdir in $xrpath; do
+	  temp_xrpath="$temp_xrpath -R$libdir"
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  esac
+	done
+	if test "$hardcode_into_libs" = no || test $build_old_libs = yes; then
+	  dependency_libs="$temp_xrpath $dependency_libs"
+	fi
+      fi
+
+      # Make sure dlfiles contains only unique files that won't be dlpreopened
+      old_dlfiles="$dlfiles"
+      dlfiles=
+      for lib in $old_dlfiles; do
+	case " $dlprefiles $dlfiles " in
+	*" $lib "*) ;;
+	*) dlfiles="$dlfiles $lib" ;;
+	esac
+      done
+
+      # Make sure dlprefiles contains only unique files
+      old_dlprefiles="$dlprefiles"
+      dlprefiles=
+      for lib in $old_dlprefiles; do
+	case "$dlprefiles " in
+	*" $lib "*) ;;
+	*) dlprefiles="$dlprefiles $lib" ;;
+	esac
+      done
+
+      if test "$build_libtool_libs" = yes; then
+	if test -n "$rpath"; then
+	  case "$host" in
+	  *-*-cygwin* | *-*-mingw* | *-*-os2* | *-*-beos*)
+	    # these systems don't actually have a c library (as such)!
+	    ;;
+	  *)
+	    # Add libc to deplibs on all other systems.
+	    deplibs="$deplibs -lc"
+	    ;;
+	  esac
+	fi
+
+	# Transform deplibs into only deplibs that can be linked in shared.
+	name_save=$name
+	libname_save=$libname
+	release_save=$release
+	versuffix_save=$versuffix
+	major_save=$major
+	# I'm not sure if I'm treating the release correctly.  I think
+	# release should show up in the -l (ie -lgmp5) so we don't want to
+	# add it in twice.  Is that correct?
+	release=""
+	versuffix=""
+	major=""
+	newdeplibs=
+	droppeddeps=no
+	case "$deplibs_check_method" in
+	pass_all)
+	  # Don't check for shared/static.  Everything works.
+	  # This might be a little naive.  We might want to check
+	  # whether the library exists or not.  But this is on
+	  # osf3 & osf4 and I'm not really sure... Just
+	  # implementing what was already the behaviour.
+	  newdeplibs=$deplibs
+	  ;;
+	test_compile)
+	  # This code stresses the "libraries are programs" paradigm to its
+	  # limits. Maybe even breaks it.  We compile a program, linking it
+	  # against the deplibs as a proxy for the library.  Then we can check
+	  # whether they linked in statically or dynamically with ldd.
+	  $rm conftest.c
+	  cat > conftest.c <<EOF
+	  int main() { return 0; }
+EOF
+	  $rm conftest
+	  $CC -o conftest conftest.c $deplibs
+	  if test $? -eq 0 ; then
+	    ldd_output=`ldd conftest`
+	    for i in $deplibs; do
+	      name="`expr $i : '-l\(.*\)'`"
+	      # If $name is empty we are operating on a -L argument.
+	      if test "$name" != "" ; then
+		libname=`eval \\$echo \"$libname_spec\"`
+		deplib_matches=`eval \\$echo \"$library_names_spec\"`
+		set dummy $deplib_matches
+		deplib_match=$2
+		if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		  newdeplibs="$newdeplibs $i"
+		else
+		  droppeddeps=yes
+		  echo
+		  echo "*** Warning: This library needs some functionality provided by $i."
+		  echo "*** I have the capability to make that library automatically link in when"
+		  echo "*** you link to this library.  But I can only do this if you have a"
+		  echo "*** shared version of the library, which you do not appear to have."
+		fi
+	      else
+		newdeplibs="$newdeplibs $i"
+	      fi
+	    done
+	  else
+	    # Error occured in the first compile.  Let's try to salvage the situation:
+	    # Compile a seperate program for each library.
+	    for i in $deplibs; do
+	      name="`expr $i : '-l\(.*\)'`"
+	     # If $name is empty we are operating on a -L argument.
+	      if test "$name" != "" ; then
+		$rm conftest
+		$CC -o conftest conftest.c $i
+		# Did it work?
+		if test $? -eq 0 ; then
+		  ldd_output=`ldd conftest`
+		  libname=`eval \\$echo \"$libname_spec\"`
+		  deplib_matches=`eval \\$echo \"$library_names_spec\"`
+		  set dummy $deplib_matches
+		  deplib_match=$2
+		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		    newdeplibs="$newdeplibs $i"
+		  else
+		    droppeddeps=yes
+		    echo
+		    echo "*** Warning: This library needs some functionality provided by $i."
+		    echo "*** I have the capability to make that library automatically link in when"
+		    echo "*** you link to this library.  But I can only do this if you have a"
+		    echo "*** shared version of the library, which you do not appear to have."
+		  fi
+		else
+		  droppeddeps=yes
+		  echo
+		  echo "*** Warning!  Library $i is needed by this library but I was not able to"
+		  echo "***  make it link in!  You will probably need to install it or some"
+		  echo "*** library that it depends on before this library will be fully"
+		  echo "*** functional.  Installing it before continuing would be even better."
+		fi
+	      else
+		newdeplibs="$newdeplibs $i"
+	      fi
+	    done
+	  fi
+	  ;;
+	file_magic*)
+	  set dummy $deplibs_check_method
+	  file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+	  for a_deplib in $deplibs; do
+	    name="`expr $a_deplib : '-l\(.*\)'`"
+	    # If $name is empty we are operating on a -L argument.
+	    if test "$name" != "" ; then
+	      libname=`eval \\$echo \"$libname_spec\"`
+	      for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+		    potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+		    for potent_lib in $potential_libs; do
+		      # Follow soft links.
+		      if ls -lLd "$potent_lib" 2>/dev/null \
+			 | grep " -> " >/dev/null; then
+			continue
+		      fi
+		      # The statement above tries to avoid entering an
+		      # endless loop below, in case of cyclic links.
+		      # We might still enter an endless loop, since a link
+		      # loop can be closed while we follow links,
+		      # but so what?
+		      potlib="$potent_lib"
+		      while test -h "$potlib" 2>/dev/null; do
+			potliblink=`ls -ld $potlib | sed 's/.* -> //'`
+			case "$potliblink" in
+			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
+			*) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+			esac
+		      done
+		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
+			 | sed 10q \
+			 | egrep "$file_magic_regex" > /dev/null; then
+			newdeplibs="$newdeplibs $a_deplib"
+			a_deplib=""
+			break 2
+		      fi
+		    done
+	      done
+	      if test -n "$a_deplib" ; then
+		droppeddeps=yes
+		echo
+		echo "*** Warning: This library needs some functionality provided by $a_deplib."
+		echo "*** I have the capability to make that library automatically link in when"
+		echo "*** you link to this library.  But I can only do this if you have a"
+		echo "*** shared version of the library, which you do not appear to have."
+	      fi
+	    else
+	      # Add a -L argument.
+	      newdeplibs="$newdeplibs $a_deplib"
+	    fi
+	  done # Gone through all deplibs.
+	  ;;
+	none | unknown | *)
+	  newdeplibs=""
+	  if $echo "X $deplibs" | $Xsed -e 's/ -lc$//' \
+	       -e 's/ -[LR][^ ]*//g' -e 's/[ 	]//g' |
+	     grep . >/dev/null; then
+	    echo
+	    if test "X$deplibs_check_method" = "Xnone"; then
+	      echo "*** Warning: inter-library dependencies are not supported in this platform."
+	    else
+	      echo "*** Warning: inter-library dependencies are not known to be supported."
+	    fi
+	    echo "*** All declared inter-library dependencies are being dropped."
+	    droppeddeps=yes
+	  fi
+	  ;;
+	esac
+	versuffix=$versuffix_save
+	major=$major_save
+	release=$release_save
+	libname=$libname_save
+	name=$name_save
+
+	if test "$droppeddeps" = yes; then
+	  if test "$module" = yes; then
+	    echo
+	    echo "*** Warning: libtool could not satisfy all declared inter-library"
+	    echo "*** dependencies of module $libname.  Therefore, libtool will create"
+	    echo "*** a static module, that should work as long as the dlopening"
+	    echo "*** application is linked with the -dlopen flag."
+	    if test -z "$global_symbol_pipe"; then
+	      echo
+	      echo "*** However, this would only work if libtool was able to extract symbol"
+	      echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+	      echo "*** not find such a program.  So, this module is probably useless."
+	      echo "*** \`nm' from GNU binutils and a full rebuild may help."
+	    fi
+	    if test "$build_old_libs" = no; then
+	      oldlibs="$output_objdir/$libname.$libext"
+	      build_libtool_libs=module
+	      build_old_libs=yes
+	    else
+	      build_libtool_libs=no
+	    fi
+	  else
+	    echo "*** The inter-library dependencies that have been dropped here will be"
+	    echo "*** automatically added whenever a program is linked with this library"
+	    echo "*** or is declared to -dlopen it."
+	  fi
+	fi
+	# Done checking deplibs!
+	deplibs=$newdeplibs
+      fi
+
+      # All the library-specific variables (install_libdir is set above).
+      library_names=
+      old_library=
+      dlname=
+
+      # Test again, we may have decided not to build it any more
+      if test "$build_libtool_libs" = yes; then
+	if test "$hardcode_into_libs" != no; then
+	  # Hardcode the library paths
+	  hardcode_libdirs=
+	  dep_rpath=
+	  rpath="$finalize_rpath"
+	  test "$mode" != relink && rpath="$compile_rpath$rpath"
+	  for libdir in $rpath; do
+	    if test -n "$hardcode_libdir_flag_spec"; then
+	      if test -n "$hardcode_libdir_separator"; then
+		if test -z "$hardcode_libdirs"; then
+		  hardcode_libdirs="$libdir"
+		else
+		  # Just accumulate the unique libdirs.
+		  case "$hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator" in
+		  *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		    ;;
+		  *)
+		    hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		    ;;
+		  esac
+		fi
+	      else
+		eval flag=\"$hardcode_libdir_flag_spec\"
+		dep_rpath="$dep_rpath $flag"
+	      fi
+	    elif test -n "$runpath_var"; then
+	      case "$perm_rpath " in
+	      *" $libdir "*) ;;
+	      *) perm_rpath="$perm_rpath $libdir" ;;
+	      esac
+	    fi
+	  done
+	  # Substitute the hardcoded libdirs into the rpath.
+	  if test -n "$hardcode_libdir_separator" &&
+	     test -n "$hardcode_libdirs"; then
+	    libdir="$hardcode_libdirs"
+	    eval dep_rpath=\"$hardcode_libdir_flag_spec\"
+	  fi
+	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
+	    # We should set the runpath_var.
+	    rpath=
+	    for dir in $perm_rpath; do
+	      rpath="$rpath$dir:"
+	    done
+	    eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
+	  fi
+	  test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
+	fi
+
+	shlibpath="$finalize_shlibpath"
+	test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+	if test -n "$shlibpath"; then
+	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
+	fi
+
+	# Get the real and link names of the library.
+	eval library_names=\"$library_names_spec\"
+	set dummy $library_names
+	realname="$2"
+	shift; shift
+
+	if test -n "$soname_spec"; then
+	  eval soname=\"$soname_spec\"
+	else
+	  soname="$realname"
+	fi
+
+	lib="$output_objdir/$realname"
+	for link
+	do
+	  linknames="$linknames $link"
+	done
+
+	# Ensure that we have .o objects for linkers which dislike .lo
+	# (e.g. aix) in case we are running --disable-static
+	for obj in $libobjs; do
+	  xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+	  if test "X$xdir" = "X$obj"; then
+	    xdir="."
+	  else
+	    xdir="$xdir"
+	  fi
+	  baseobj=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+	  oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"`
+	  if test ! -f $xdir/$oldobj; then
+	    $show "(cd $xdir && ${LN_S} $baseobj $oldobj)"
+	    $run eval '(cd $xdir && ${LN_S} $baseobj $oldobj)' || exit $?
+	  fi
+	done
+
+	# Use standard objects if they are pic
+	test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+
+	# Prepare the list of exported symbols
+	if test -z "$export_symbols"; then
+	  if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
+	    $show "generating symbol list for \`$libname.la'"
+	    export_symbols="$output_objdir/$libname.exp"
+	    $run $rm $export_symbols
+	    eval cmds=\"$export_symbols_cmds\"
+	    IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	    for cmd in $cmds; do
+	      IFS="$save_ifs"
+	      $show "$cmd"
+	      $run eval "$cmd" || exit $?
+	    done
+	    IFS="$save_ifs"
+	    if test -n "$export_symbols_regex"; then
+	      $show "egrep -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\""
+	      $run eval 'egrep -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+	      $show "$mv \"${export_symbols}T\" \"$export_symbols\""
+	      $run eval '$mv "${export_symbols}T" "$export_symbols"'
+	    fi
+	  fi
+	fi
+
+	if test -n "$export_symbols" && test -n "$include_expsyms"; then
+	  $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"'
+	fi
+
+	if test -n "$convenience"; then
+	  if test -n "$whole_archive_flag_spec"; then
+	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+	  else
+	    gentop="$output_objdir/${outputname}x"
+	    $show "${rm}r $gentop"
+	    $run ${rm}r "$gentop"
+	    $show "mkdir $gentop"
+	    $run mkdir "$gentop"
+	    status=$?
+	    if test $status -ne 0 && test ! -d "$gentop"; then
+	      exit $status
+	    fi
+	    generated="$generated $gentop"
+
+	    for xlib in $convenience; do
+	      # Extract the objects.
+	      case "$xlib" in
+	      [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	      *) xabs=`pwd`"/$xlib" ;;
+	      esac
+	      xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	      xdir="$gentop/$xlib"
+
+	      $show "${rm}r $xdir"
+	      $run ${rm}r "$xdir"
+	      $show "mkdir $xdir"
+	      $run mkdir "$xdir"
+	      status=$?
+	      if test $status -ne 0 && test ! -d "$xdir"; then
+		exit $status
+	      fi
+	      $show "(cd $xdir && $AR x $xabs)"
+	      $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+	      libobjs="$libobjs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP`
+	    done
+	  fi
+	fi
+
+	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
+	  eval flag=\"$thread_safe_flag_spec\"
+	  linker_flags="$linker_flags $flag"
+	fi
+
+	# Make a backup of the uninstalled library when relinking
+	if test "$mode" = relink && test "$hardcode_into_libs" = all; then
+	  $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $?
+	fi
+
+	# Do each of the archive commands.
+	if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+	  eval cmds=\"$archive_expsym_cmds\"
+	else
+	  eval cmds=\"$archive_cmds\"
+	fi
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	for cmd in $cmds; do
+	  IFS="$save_ifs"
+	  $show "$cmd"
+	  $run eval "$cmd" || exit $?
+	done
+	IFS="$save_ifs"
+
+	# Restore the uninstalled library and exit
+	if test "$mode" = relink && test "$hardcode_into_libs" = all; then
+	  $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
+	  exit 0
+	fi
+
+	# Create links to the real library.
+	for linkname in $linknames; do
+	  if test "$realname" != "$linkname"; then
+	    $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)"
+	    $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $?
+	  fi
+	done
+
+	# If -module or -export-dynamic was specified, set the dlname.
+	if test "$module" = yes || test "$export_dynamic" = yes; then
+	  # On all known operating systems, these are identical.
+	  dlname="$soname"
+	fi
+      fi
+      ;;
+
+    obj)
+      if test -n "$deplibs"; then
+	$echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2
+      fi
+
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	$echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$rpath"; then
+	$echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$xrpath"; then
+	$echo "$modename: warning: \`-R' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$vinfo"; then
+	$echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
+      fi
+
+      if test -n "$release"; then
+	$echo "$modename: warning: \`-release' is ignored for objects" 1>&2
+      fi
+
+      case "$output" in
+      *.lo)
+	if test -n "$objs$old_deplibs"; then
+	  $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
+	  exit 1
+	fi
+	libobj="$output"
+	obj=`$echo "X$output" | $Xsed -e "$lo2o"`
+	;;
+      *)
+	libobj=
+	obj="$output"
+	;;
+      esac
+
+      # Delete the old objects.
+      $run $rm $obj $libobj
+
+      # Objects from convenience libraries.  This assumes
+      # single-version convenience libraries.  Whenever we create
+      # different ones for PIC/non-PIC, this we'll have to duplicate
+      # the extraction.
+      reload_conv_objs=
+      gentop=
+      # reload_cmds runs $LD directly, so let us get rid of
+      # -Wl from whole_archive_flag_spec
+      wl=
+
+      if test -n "$convenience"; then
+	if test -n "$whole_archive_flag_spec"; then
+	  eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
+	else
+	  gentop="$output_objdir/${obj}x"
+	  $show "${rm}r $gentop"
+	  $run ${rm}r "$gentop"
+	  $show "mkdir $gentop"
+	  $run mkdir "$gentop"
+	  status=$?
+	  if test $status -ne 0 && test ! -d "$gentop"; then
+	    exit $status
+	  fi
+	  generated="$generated $gentop"
+
+	  for xlib in $convenience; do
+	    # Extract the objects.
+	    case "$xlib" in
+	    [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	    *) xabs=`pwd`"/$xlib" ;;
+	    esac
+	    xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	    xdir="$gentop/$xlib"
+
+	    $show "${rm}r $xdir"
+	    $run ${rm}r "$xdir"
+	    $show "mkdir $xdir"
+	    $run mkdir "$xdir"
+	    status=$?
+	    if test $status -ne 0 && test ! -d "$xdir"; then
+	      exit $status
+	    fi
+	    $show "(cd $xdir && $AR x $xabs)"
+	    $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+	    reload_conv_objs="$reload_objs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP`
+	  done
+	fi
+      fi
+
+      # Create the old-style object.
+      reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+
+      output="$obj"
+      eval cmds=\"$reload_cmds\"
+      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+	IFS="$save_ifs"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+
+      # Exit if we aren't doing a library object file.
+      if test -z "$libobj"; then
+	if test -n "$gentop"; then
+	  $show "${rm}r $gentop"
+	  $run ${rm}r $gentop
+	fi
+
+	exit 0
+      fi
+
+      if test "$build_libtool_libs" != yes; then
+	if test -n "$gentop"; then
+	  $show "${rm}r $gentop"
+	  $run ${rm}r $gentop
+	fi
+
+	# Create an invalid libtool object if no PIC, so that we don't
+	# accidentally link it into a program.
+	$show "echo timestamp > $libobj"
+	$run eval "echo timestamp > $libobj" || exit $?
+	exit 0
+      fi
+
+      if test -n "$pic_flag" || test "$pic_mode" != default; then
+	# Only do commands if we really have different PIC objects.
+	reload_objs="$libobjs $reload_conv_objs"
+	output="$libobj"
+	eval cmds=\"$reload_cmds\"
+	IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	for cmd in $cmds; do
+	  IFS="$save_ifs"
+	  $show "$cmd"
+	  $run eval "$cmd" || exit $?
+	done
+	IFS="$save_ifs"
+      else
+	# Just create a symlink.
+	$show $rm $libobj
+	$run $rm $libobj
+	xdir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'`
+	if test "X$xdir" = "X$libobj"; then
+	  xdir="."
+	else
+	  xdir="$xdir"
+	fi
+	baseobj=`$echo "X$libobj" | $Xsed -e 's%^.*/%%'`
+	oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"`
+	$show "(cd $xdir && $LN_S $oldobj $baseobj)"
+	$run eval '(cd $xdir && $LN_S $oldobj $baseobj)' || exit $?
+      fi
+
+      if test -n "$gentop"; then
+	$show "${rm}r $gentop"
+	$run ${rm}r $gentop
+      fi
+
+      exit 0
+      ;;
+
+    prog)
+      if test -n "$vinfo"; then
+	$echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
+      fi
+
+      if test -n "$release"; then
+	$echo "$modename: warning: \`-release' is ignored for programs" 1>&2
+      fi
+
+      if test "$preload" = yes; then
+	if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown &&
+	   test "$dlopen_self_static" = unknown; then
+	  $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support."
+	fi
+      fi
+
+      compile_command="$compile_command $compile_deplibs"
+      finalize_command="$finalize_command $finalize_deplibs"
+
+      if test -n "$rpath$xrpath"; then
+	# If the user specified any rpath flags, then add them.
+	for libdir in $rpath $xrpath; do
+	  # This is the magic to use -rpath.
+	  case "$finalize_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_rpath="$finalize_rpath $libdir" ;;
+	  esac
+	done
+      fi
+
+      # Now hardcode the library paths
+      rpath=
+      hardcode_libdirs=
+      for libdir in $compile_rpath $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs="$libdir"
+	    else
+	      # Just accumulate the unique libdirs.
+	      case "$hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator" in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
+	  else
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    rpath="$rpath $flag"
+	  fi
+	elif test -n "$runpath_var"; then
+	  case "$perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) perm_rpath="$perm_rpath $libdir" ;;
+	  esac
+	fi
+	case "$host" in
+	*-*-cygwin* | *-*-mingw* | *-*-os2*)
+	  case ":$dllsearchpath:" in
+	  *":$libdir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$libdir";;
+	  esac
+	  ;;
+	esac
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir="$hardcode_libdirs"
+	eval rpath=\" $hardcode_libdir_flag_spec\"
+      fi
+      compile_rpath="$rpath"
+
+      rpath=
+      hardcode_libdirs=
+      for libdir in $finalize_rpath; do
+	if test -n "$hardcode_libdir_flag_spec"; then
+	  if test -n "$hardcode_libdir_separator"; then
+	    if test -z "$hardcode_libdirs"; then
+	      hardcode_libdirs="$libdir"
+	    else
+	      # Just accumulate the unique libdirs.
+	      case "$hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator" in
+	      *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+		;;
+	      *)
+		hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+		;;
+	      esac
+	    fi
+	  else
+	    eval flag=\"$hardcode_libdir_flag_spec\"
+	    rpath="$rpath $flag"
+	  fi
+	elif test -n "$runpath_var"; then
+	  case "$finalize_perm_rpath " in
+	  *" $libdir "*) ;;
+	  *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+	  esac
+	fi
+      done
+      # Substitute the hardcoded libdirs into the rpath.
+      if test -n "$hardcode_libdir_separator" &&
+	 test -n "$hardcode_libdirs"; then
+	libdir="$hardcode_libdirs"
+	eval rpath=\" $hardcode_libdir_flag_spec\"
+      fi
+      finalize_rpath="$rpath"
+
+      if test -n "$libobjs" && test "$build_old_libs" = yes; then
+	# Transform all the library objects into standard objects.
+	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+      fi
+
+      dlsyms=
+      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+	if test -n "$NM" && test -n "$global_symbol_pipe"; then
+	  dlsyms="${outputname}S.c"
+	else
+	  $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
+	fi
+      fi
+
+      if test -n "$dlsyms"; then
+	case "$dlsyms" in
+	"") ;;
+	*.c)
+	  # Discover the nlist of each of the dlfiles.
+	  nlist="$output_objdir/${outputname}.nm"
+
+	  $show "$rm $nlist ${nlist}S ${nlist}T"
+	  $run $rm "$nlist" "${nlist}S" "${nlist}T"
+
+	  # Parse the name list into a source file.
+	  $show "creating $output_objdir/$dlsyms"
+
+	  test -z "$run" && $echo > "$output_objdir/$dlsyms" "\
+/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
+/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */
+
+#ifdef __cplusplus
+extern \"C\" {
+#endif
+
+/* Prevent the only kind of declaration conflicts we can make. */
+#define lt_preloaded_symbols some_other_symbol
+
+/* External symbol declarations for the compiler. */\
+"
+
+	  if test "$dlself" = yes; then
+	    $show "generating symbol list for \`$output'"
+
+	    test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist"
+
+	    # Add our own program objects to the symbol list.
+	    progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+	    for arg in $progfiles; do
+	      $show "extracting global C symbols from \`$arg'"
+	      $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+	    done
+
+	    if test -n "$exclude_expsyms"; then
+	      $run eval 'egrep -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
+	      $run eval '$mv "$nlist"T "$nlist"'
+	    fi
+
+	    if test -n "$export_symbols_regex"; then
+	      $run eval 'egrep -e "$export_symbols_regex" "$nlist" > "$nlist"T'
+	      $run eval '$mv "$nlist"T "$nlist"'
+	    fi
+
+	    # Prepare the list of exported symbols
+	    if test -z "$export_symbols"; then
+	      export_symbols="$output_objdir/$output.exp"
+	      $run $rm $export_symbols
+	      $run eval "sed -n -e '/^: @PROGRAM@$/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+	    else
+	      $run eval "sed -e 's/\([][.*^$]\)/\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$output.exp"'
+	      $run eval 'grep -f "$output_objdir/$output.exp" < "$nlist" > "$nlist"T'
+	      $run eval 'mv "$nlist"T "$nlist"'
+	    fi
+	  fi
+
+	  for arg in $dlprefiles; do
+	    $show "extracting global C symbols from \`$arg'"
+	    name=`echo "$arg" | sed -e 's%^.*/%%'`
+	    $run eval 'echo ": $name " >> "$nlist"'
+	    $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+	  done
+
+	  if test -z "$run"; then
+	    # Make sure we have at least an empty file.
+	    test -f "$nlist" || : > "$nlist"
+
+	    if test -n "$exclude_expsyms"; then
+	      egrep -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
+	      $mv "$nlist"T "$nlist"
+	    fi
+
+	    # Try sorting and uniquifying the output.
+	    if grep -v "^: " < "$nlist" | sort +2 | uniq > "$nlist"S; then
+	      :
+	    else
+	      grep -v "^: " < "$nlist" > "$nlist"S
+	    fi
+
+	    if test -f "$nlist"S; then
+	      eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"'
+	    else
+	      echo '/* NONE */' >> "$output_objdir/$dlsyms"
+	    fi
+
+	    $echo >> "$output_objdir/$dlsyms" "\
+
+#undef lt_preloaded_symbols
+
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+  const char *name;
+  lt_ptr_t address;
+}
+lt_preloaded_symbols[] =
+{\
+"
+
+	    sed -n -e 's/^: \([^ ]*\) $/  {\"\1\", (lt_ptr_t) 0},/p' \
+		-e 's/^. \([^ ]*\) \([^ ]*\)$/  {"\2", (lt_ptr_t) \&\2},/p' \
+		  < "$nlist" >> "$output_objdir/$dlsyms"
+
+	    $echo >> "$output_objdir/$dlsyms" "\
+  {0, (lt_ptr_t) 0}
+};
+
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+  return lt_preloaded_symbols;
+}
+#endif
+
+#ifdef __cplusplus
+}
+#endif\
+"
+	  fi
+
+	  pic_flag_for_symtable=
+	  case "$host" in
+	  # compiling the symbol table file with pic_flag works around
+	  # a FreeBSD bug that causes programs to crash when -lm is
+	  # linked before any other PIC object.  But we must not use
+	  # pic_flag when linking with -static.  The problem exists in
+	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
+	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+	    case "$compile_command " in
+	    *" -static "*) ;;
+	    *) pic_flag_for_symtable=" $pic_flag -DPIC -DFREEBSD_WORKAROUND";;
+	    esac;;
+	  *-*-hpux*)
+	    case "$compile_command " in
+	    *" -static "*) ;;
+	    *) pic_flag_for_symtable=" $pic_flag -DPIC";;
+	    esac
+	  esac
+
+	  # Now compile the dynamic symbol file.
+	  $show "(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
+	  $run eval '(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
+
+	  # Clean up the generated files.
+	  $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
+	  $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
+
+	  # Transform the symbol file into the correct name.
+	  compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+	  finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+	  ;;
+	*)
+	  $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
+	  exit 1
+	  ;;
+	esac
+      else
+	# We keep going just in case the user didn't refer to
+	# lt_preloaded_symbols.  The linker will fail if global_symbol_pipe
+	# really was required.
+
+	# Nullify the symbol file.
+	compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
+	finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+      fi
+
+      if test $need_relink = no || test "$build_libtool_libs" != yes; then
+	# Replace the output file specification.
+	compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	link_command="$compile_command$compile_rpath"
+
+	# We have no uninstalled library dependencies, so finalize right now.
+	$show "$link_command"
+	$run eval "$link_command"
+	status=$?
+
+	# Delete the generated files.
+	if test -n "$dlsyms"; then
+	  $show "$rm $output_objdir/${outputname}S.${objext}"
+	  $run $rm "$output_objdir/${outputname}S.${objext}"
+	fi
+
+	exit $status
+      fi
+
+      if test -n "$shlibpath_var"; then
+	# We should set the shlibpath_var
+	rpath=
+	for dir in $temp_rpath; do
+	  case "$dir" in
+	  [\\/]* | [A-Za-z]:[\\/]*)
+	    # Absolute path.
+	    rpath="$rpath$dir:"
+	    ;;
+	  *)
+	    # Relative path: add a thisdir entry.
+	    rpath="$rpath\$thisdir/$dir:"
+	    ;;
+	  esac
+	done
+	temp_rpath="$rpath"
+      fi
+
+      if test -n "$compile_shlibpath$finalize_shlibpath"; then
+	compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
+      fi
+      if test -n "$finalize_shlibpath"; then
+	finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+      fi
+
+      compile_var=
+      finalize_var=
+      if test -n "$runpath_var"; then
+	if test -n "$perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $perm_rpath; do
+	    rpath="$rpath$dir:"
+	  done
+	  compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
+	fi
+	if test -n "$finalize_perm_rpath"; then
+	  # We should set the runpath_var.
+	  rpath=
+	  for dir in $finalize_perm_rpath; do
+	    rpath="$rpath$dir:"
+	  done
+	  finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
+	fi
+      fi
+
+      if test "$no_install" = yes; then
+	# We don't need to create a wrapper script.
+	link_command="$compile_var$compile_command$compile_rpath"
+	# Replace the output file specification.
+	link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	# Delete the old output file.
+	$run $rm $output
+	# Link the executable and exit
+	$show "$link_command"
+	$run eval "$link_command" || exit $?
+	exit 0
+      fi
+
+      if test "$hardcode_action" = relink || test "$hardcode_into_libs" = all; then
+	# Fast installation is not supported
+	link_command="$compile_var$compile_command$compile_rpath"
+	relink_command="$finalize_var$finalize_command$finalize_rpath"
+
+	$echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2
+	$echo "$modename: \`$output' will be relinked during installation" 1>&2
+      else
+	if test "$fast_install" != no; then
+	  link_command="$finalize_var$compile_command$finalize_rpath"
+	  if test "$fast_install" = yes; then
+	    relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+	  else
+	    # fast_install is set to needless
+	    relink_command=
+	  fi
+	else
+	  link_command="$compile_var$compile_command$compile_rpath"
+	  relink_command="$finalize_var$finalize_command$finalize_rpath"
+	fi
+      fi
+
+      # Replace the output file specification.
+      link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+
+      # Delete the old output files.
+      $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname
+
+      $show "$link_command"
+      $run eval "$link_command" || exit $?
+
+      # Now create the wrapper script.
+      $show "creating $output"
+
+      # Quote the relink command for shipping.
+      if test -n "$relink_command"; then
+	# Preserve any variables that may affect compiler behavior
+	for var in $variables_saved_for_relink; do
+	  eval var_value=\$$var
+	  var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+	  relink_command="$var=\"$var_value\"; export $var; $relink_command"
+	done
+	relink_command="cd `pwd`; $relink_command"
+	relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+      fi
+
+      # Quote $echo for shipping.
+      if test "X$echo" = "X$SHELL $0 --fallback-echo"; then
+	case "$0" in
+	[\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $0 --fallback-echo";;
+	*) qecho="$SHELL `pwd`/$0 --fallback-echo";;
+	esac
+	qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
+      else
+	qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
+      fi
+
+      # Only actually do things if our run command is non-null.
+      if test -z "$run"; then
+	# win32 will think the script is a binary if it has
+	# a .exe suffix, so we strip it off here.
+	case $output in
+	  *.exe) output=`echo $output|sed 's,.exe$,,'` ;;
+	esac
+	$rm $output
+	trap "$rm $output; exit 1" 1 2 15
+
+	$echo > $output "\
+#! $SHELL
+
+# $output - temporary wrapper script for $objdir/$outputname
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# The $output program cannot be directly executed until all the libtool
+# libraries that it depends on are installed.
+#
+# This wrapper script should never be moved out of the build directory.
+# If it is, it will not operate correctly.
+
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e 1s/^X//'
+sed_quote_subst='$sed_quote_subst'
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test \"\${CDPATH+set}\" = set; then CDPATH=:; export CDPATH; fi
+
+relink_command=\"$relink_command\"
+
+# This environment variable determines our operation mode.
+if test \"\$libtool_install_magic\" = \"$magic\"; then
+  # install mode needs the following variable:
+  uninst_deplibs='$uninst_deplibs'
+else
+  # When we are sourced in execute mode, \$file and \$echo are already set.
+  if test \"\$libtool_execute_magic\" != \"$magic\"; then
+    echo=\"$qecho\"
+    file=\"\$0\"
+    # Make sure echo works.
+    if test \"X\$1\" = X--no-reexec; then
+      # Discard the --no-reexec flag, and continue.
+      shift
+    elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then
+      # Yippee, \$echo works!
+      :
+    else
+      # Restart under the correct shell, and then maybe \$echo will work.
+      exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
+    fi
+  fi\
+"
+	$echo >> $output "\
+
+  # Find the directory that this script lives in.
+  thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+  test \"x\$thisdir\" = \"x\$file\" && thisdir=.
+
+  # Follow symbolic links until we get to the real thisdir.
+  file=\`ls -ld \"\$file\" | sed -n 's/.*-> //p'\`
+  while test -n \"\$file\"; do
+    destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+
+    # If there was a directory component, then change thisdir.
+    if test \"x\$destdir\" != \"x\$file\"; then
+      case \"\$destdir\" in
+      [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
+      *) thisdir=\"\$thisdir/\$destdir\" ;;
+      esac
+    fi
+
+    file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
+    file=\`ls -ld \"\$thisdir/\$file\" | sed -n 's/.*-> //p'\`
+  done
+
+  # Try to get the absolute directory name.
+  absdir=\`cd \"\$thisdir\" && pwd\`
+  test -n \"\$absdir\" && thisdir=\"\$absdir\"
+"
+
+	if test "$fast_install" = yes; then
+	  echo >> $output "\
+  program=lt-'$outputname'
+  progdir=\"\$thisdir/$objdir\"
+
+  if test ! -f \"\$progdir/\$program\" || \\
+     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | sed 1q\`; \\
+       test \"X\$file\" != \"X\$progdir/\$program\"; }; then
+
+    file=\"\$\$-\$program\"
+
+    if test ! -d \"\$progdir\"; then
+      $mkdir \"\$progdir\"
+    else
+      $rm \"\$progdir/\$file\"
+    fi"
+
+	  echo >> $output "\
+
+    # relink executable if necessary
+    if test -n \"\$relink_command\"; then
+      if (eval \$relink_command); then :
+      else
+	$rm \"\$progdir/\$file\"
+	exit 1
+      fi
+    fi
+
+    $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
+    { $rm \"\$progdir/\$program\";
+      $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; }
+    $rm \"\$progdir/\$file\"
+  fi"
+	else
+	  echo >> $output "\
+  program='$outputname'
+  progdir=\"\$thisdir/$objdir\"
+"
+	fi
+
+	echo >> $output "\
+
+  if test -f \"\$progdir/\$program\"; then"
+
+	# Export our shlibpath_var if we have one.
+	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+	  $echo >> $output "\
+    # Add our own library path to $shlibpath_var
+    $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
+
+    # Some systems cannot cope with colon-terminated $shlibpath_var
+    # The second colon is a workaround for a bug in BeOS R4 sed
+    $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
+
+    export $shlibpath_var
+"
+	fi
+
+	# fixup the dll searchpath if we need to.
+	if test -n "$dllsearchpath"; then
+	  $echo >> $output "\
+    # Add the dll search path components to the executable PATH
+    PATH=$dllsearchpath:\$PATH
+"
+	fi
+
+	$echo >> $output "\
+    if test \"\$libtool_execute_magic\" != \"$magic\"; then
+      # Run the actual program with our arguments.
+"
+	case $host in
+	# win32 systems need to use the prog path for dll
+	# lookup to work
+	*-*-cygwin*)
+	  $echo >> $output "\
+      exec \$progdir/\$program \${1+\"\$@\"}
+"
+	  ;;
+
+	# Backslashes separate directories on plain windows
+	*-*-mingw | *-*-os2*)
+	  $echo >> $output "\
+      exec \$progdir\\\\\$program \${1+\"\$@\"}
+"
+	  ;;
+
+	*)
+	  $echo >> $output "\
+      # Export the path to the program.
+      PATH=\"\$progdir:\$PATH\"
+      export PATH
+
+      exec \$program \${1+\"\$@\"}
+"
+	  ;;
+	esac
+	$echo >> $output "\
+      \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
+      exit 1
+    fi
+  else
+    # The program doesn't exist.
+    \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2
+    \$echo \"This script is just a wrapper for \$program.\" 1>&2
+    echo \"See the $PACKAGE documentation for more information.\" 1>&2
+    exit 1
+  fi
+fi\
+"
+	chmod +x $output
+      fi
+      exit 0
+      ;;
+    esac
+
+    # See if we need to build an old-fashioned archive.
+    for oldlib in $oldlibs; do
+
+      if test "$build_libtool_libs" = convenience; then
+	oldobjs="$libobjs_save"
+	addlibs="$convenience"
+	build_libtool_libs=no
+      else
+	if test "$build_libtool_libs" = module; then
+	  oldobjs="$libobjs_save"
+	  build_libtool_libs=no
+	else
+	  oldobjs="$objs$old_deplibs "`$echo "X$libobjs_save" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`
+	fi
+	addlibs="$old_convenience"
+      fi
+
+      if test -n "$addlibs"; then
+	gentop="$output_objdir/${outputname}x"
+	$show "${rm}r $gentop"
+	$run ${rm}r "$gentop"
+	$show "mkdir $gentop"
+	$run mkdir "$gentop"
+	status=$?
+	if test $status -ne 0 && test ! -d "$gentop"; then
+	  exit $status
+	fi
+	generated="$generated $gentop"
+
+	# Add in members from convenience archives.
+	for xlib in $addlibs; do
+	  # Extract the objects.
+	  case "$xlib" in
+	  [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+	  *) xabs=`pwd`"/$xlib" ;;
+	  esac
+	  xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+	  xdir="$gentop/$xlib"
+
+	  $show "${rm}r $xdir"
+	  $run ${rm}r "$xdir"
+	  $show "mkdir $xdir"
+	  $run mkdir "$xdir"
+	  status=$?
+	  if test $status -ne 0 && test ! -d "$xdir"; then
+	    exit $status
+	  fi
+	  $show "(cd $xdir && $AR x $xabs)"
+	  $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+	  oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print -o -name \*.lo -print | $NL2SP`
+	done
+      fi
+
+      # Do each command in the archive commands.
+      if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
+	eval cmds=\"$old_archive_from_new_cmds\"
+      else
+	# Ensure that we have .o objects in place in case we decided
+	# not to build a shared library, and have fallen back to building
+	# static libs even though --disable-static was passed!
+	for oldobj in $oldobjs; do
+	  if test ! -f $oldobj; then
+	    xdir=`$echo "X$oldobj" | $Xsed -e 's%/[^/]*$%%'`
+	    if test "X$xdir" = "X$oldobj"; then
+	      xdir="."
+	    else
+	      xdir="$xdir"
+	    fi
+	    baseobj=`$echo "X$oldobj" | $Xsed -e 's%^.*/%%'`
+	    obj=`$echo "X$baseobj" | $Xsed -e "$o2lo"`
+	    $show "(cd $xdir && ${LN_S} $obj $baseobj)"
+	    $run eval '(cd $xdir && ${LN_S} $obj $baseobj)' || exit $?
+	  fi
+	done
+
+	eval cmds=\"$old_archive_cmds\"
+      fi
+      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+	IFS="$save_ifs"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+    done
+
+    if test -n "$generated"; then
+      $show "${rm}r$generated"
+      $run ${rm}r$generated
+    fi
+
+    # Now create the libtool archive.
+    case "$output" in
+    *.la)
+      old_library=
+      test "$build_old_libs" = yes && old_library="$libname.$libext"
+      $show "creating $output"
+
+      # Preserve any variables that may affect compiler behavior
+      for var in $variables_saved_for_relink; do
+	eval var_value=\$$var
+	var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+	relink_command="$var=\"$var_value\"; export $var; $relink_command"
+      done
+      # Quote the link command for shipping.
+      relink_command="cd `pwd`; $SHELL $0 --mode=relink $libtool_args"
+      relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+
+      # Only create the output if not a dry run.
+      if test -z "$run"; then
+	for installed in no yes; do
+	  if test "$installed" = yes; then
+	    if test -z "$install_libdir"; then
+	      break
+	    fi
+	    output="$output_objdir/$outputname"i
+	    # Replace all uninstalled libtool libraries with the installed ones
+	    newdependency_libs=
+	    for deplib in $dependency_libs; do
+	      case "$deplib" in
+	      *.la)
+		name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'`
+		eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		if test -z "$libdir"; then
+		  $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+		  exit 1
+		fi
+		newdependency_libs="$newdependency_libs $libdir/$name"
+		;;
+	      *) newdependency_libs="$newdependency_libs $deplib" ;;
+	      esac
+	    done
+	    dependency_libs="$newdependency_libs"
+	    newdlfiles=
+	    for lib in $dlfiles; do
+	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+	      eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+	      if test -z "$libdir"; then
+		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+		exit 1
+	      fi
+	      newdlfiles="$newdlfiles $libdir/$name"
+	    done
+	    dlfiles="$newdlfiles"
+	    newdlprefiles=
+	    for lib in $dlprefiles; do
+	      name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+	      eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+	      if test -z "$libdir"; then
+		$echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+		exit 1
+	      fi
+	      newdlprefiles="$newdlprefiles $libdir/$name"
+	    done
+	    dlprefiles="$newdlprefiles"
+	  fi
+	  $rm $output
+	  $echo > $output "\
+# $outputname - a libtool library file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# The name that we can dlopen(3).
+dlname='$dlname'
+
+# Names of this library.
+library_names='$library_names'
+
+# The name of the static archive.
+old_library='$old_library'
+
+# Libraries that this one depends upon.
+dependency_libs='$dependency_libs'
+
+# Version information for $libname.
+current=$current
+age=$age
+revision=$revision
+
+# Is this an already installed library?
+installed=$installed
+
+# Files to dlopen/dlpreopen
+dlopen='$dlfiles'
+dlpreopen='$dlprefiles'
+
+# Directory that this library needs to be installed in:
+libdir='$install_libdir'"
+	  if test $hardcode_into_libs = all &&
+	     test "$installed" = no && test $need_relink = yes; then
+	    $echo >> $output "\
+relink_command=\"$relink_command\""
+	  fi
+	done
+      fi
+
+      # Do a symbolic link so that the libtool archive can be found in
+      # LD_LIBRARY_PATH before the program is installed.
+      $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)"
+      $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
+      ;;
+    esac
+    exit 0
+    ;;
+
+  # libtool install mode
+  install)
+    modename="$modename: install"
+
+    # There may be an optional sh(1) argument at the beginning of
+    # install_prog (especially on Windows NT).
+    if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh; then
+      # Aesthetically quote it.
+      arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
+      case "$arg" in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+	arg="\"$arg\""
+	;;
+      esac
+      install_prog="$arg "
+      arg="$1"
+      shift
+    else
+      install_prog=
+      arg="$nonopt"
+    fi
+
+    # The real first argument should be the name of the installation program.
+    # Aesthetically quote it.
+    arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+    case "$arg" in
+    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+      arg="\"$arg\""
+      ;;
+    esac
+    install_prog="$install_prog$arg"
+
+    # We need to accept at least all the BSD install flags.
+    dest=
+    files=
+    opts=
+    prev=
+    install_type=
+    isdir=no
+    stripme=
+    for arg
+    do
+      if test -n "$dest"; then
+	files="$files $dest"
+	dest="$arg"
+	continue
+      fi
+
+      case "$arg" in
+      -d) isdir=yes ;;
+      -f) prev="-f" ;;
+      -g) prev="-g" ;;
+      -m) prev="-m" ;;
+      -o) prev="-o" ;;
+      -s)
+	stripme=" -s"
+	continue
+	;;
+      -*) ;;
+
+      *)
+	# If the previous option needed an argument, then skip it.
+	if test -n "$prev"; then
+	  prev=
+	else
+	  dest="$arg"
+	  continue
+	fi
+	;;
+      esac
+
+      # Aesthetically quote the argument.
+      arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+      case "$arg" in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+	arg="\"$arg\""
+	;;
+      esac
+      install_prog="$install_prog $arg"
+    done
+
+    if test -z "$install_prog"; then
+      $echo "$modename: you must specify an install program" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    if test -n "$prev"; then
+      $echo "$modename: the \`$prev' option requires an argument" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    if test -z "$files"; then
+      if test -z "$dest"; then
+	$echo "$modename: no file or destination specified" 1>&2
+      else
+	$echo "$modename: you must specify a destination" 1>&2
+      fi
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    # Strip any trailing slash from the destination.
+    dest=`$echo "X$dest" | $Xsed -e 's%/$%%'`
+
+    # Check to see that the destination is a directory.
+    test -d "$dest" && isdir=yes
+    if test "$isdir" = yes; then
+      destdir="$dest"
+      destname=
+    else
+      destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'`
+      test "X$destdir" = "X$dest" && destdir=.
+      destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'`
+
+      # Not a directory, so check to see that there is only one file specified.
+      set dummy $files
+      if test $# -gt 2; then
+	$echo "$modename: \`$dest' is not a directory" 1>&2
+	$echo "$help" 1>&2
+	exit 1
+      fi
+    fi
+    case "$destdir" in
+    [\\/]* | [A-Za-z]:[\\/]*) ;;
+    *)
+      for file in $files; do
+	case "$file" in
+	*.lo) ;;
+	*)
+	  $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	  ;;
+	esac
+      done
+      ;;
+    esac
+
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic="$magic"
+
+    staticlibs=
+    future_libdirs=
+    current_libdirs=
+    for file in $files; do
+
+      # Do each installation.
+      case "$file" in
+      *.$libext)
+	# Do the static libraries later.
+	staticlibs="$staticlibs $file"
+	;;
+
+      *.la)
+	# Check to see that this really is a libtool archive.
+	if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+
+	library_names=
+	old_library=
+	relink_command=
+	# If there is no directory component, then add one.
+	case "$file" in
+	*/* | *\\*) . $file ;;
+	*) . ./$file ;;
+	esac
+
+	# Add the libdir to current_libdirs if it is the destination.
+	if test "X$destdir" = "X$libdir"; then
+	  case "$current_libdirs " in
+	  *" $libdir "*) ;;
+	  *) current_libdirs="$current_libdirs $libdir" ;;
+	  esac
+	else
+	  # Note the libdir as a future libdir.
+	  case "$future_libdirs " in
+	  *" $libdir "*) ;;
+	  *) future_libdirs="$future_libdirs $libdir" ;;
+	  esac
+	fi
+
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/
+	test "X$dir" = "X$file/" && dir=
+	dir="$dir$objdir"
+
+	if test "$hardcode_into_libs" = all && test -n "$relink_command"; then
+	  $echo "$modename: warning: relinking \`$file'" 1>&2
+	  $show "$relink_command"
+	  if $run eval "$relink_command"; then :
+	  else
+	    $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+	    continue
+	  fi
+	fi
+
+	# See the names of the shared library.
+	set dummy $library_names
+	if test -n "$2"; then
+	  realname="$2"
+	  shift
+	  shift
+
+	  srcname="$realname"
+	  test "$hardcode_into_libs" = all && test -n "$relink_command" && srcname="$realname"T
+
+	  # Install the shared library and build the symlinks.
+	  $show "$install_prog $dir/$srcname $destdir/$realname"
+	  $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $?
+	  if test -n "$stripme" && test -n "$striplib"; then
+	    $show "$striplib $destdir/$realname"
+	    $run eval "$striplib $destdir/$realname" || exit $?
+	  fi
+
+	  if test $# -gt 0; then
+	    # Delete the old symlinks, and create new ones.
+	    for linkname
+	    do
+	      if test "$linkname" != "$realname"; then
+		$show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+		$run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+	      fi
+	    done
+	  fi
+
+	  # Do each command in the postinstall commands.
+	  lib="$destdir/$realname"
+	  eval cmds=\"$postinstall_cmds\"
+	  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	  for cmd in $cmds; do
+	    IFS="$save_ifs"
+	    $show "$cmd"
+	    $run eval "$cmd" || exit $?
+	  done
+	  IFS="$save_ifs"
+	fi
+
+	# Install the pseudo-library for information purposes.
+	name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	instname="$dir/$name"i
+	$show "$install_prog $instname $destdir/$name"
+	$run eval "$install_prog $instname $destdir/$name" || exit $?
+
+	# Maybe install the static library, too.
+	test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+	;;
+
+      *.lo)
+	# Install (i.e. copy) a libtool object.
+
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile="$destdir/$destname"
+	else
+	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	  destfile="$destdir/$destfile"
+	fi
+
+	# Deduce the name of the destination old-style object file.
+	case "$destfile" in
+	*.lo)
+	  staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
+	  ;;
+	*.$objext)
+	  staticdest="$destfile"
+	  destfile=
+	  ;;
+	*)
+	  $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	  ;;
+	esac
+
+	# Install the libtool object if requested.
+	if test -n "$destfile"; then
+	  $show "$install_prog $file $destfile"
+	  $run eval "$install_prog $file $destfile" || exit $?
+	fi
+
+	# Install the old object if enabled.
+	if test "$build_old_libs" = yes; then
+	  # Deduce the name of the old-style object file.
+	  staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
+
+	  $show "$install_prog $staticobj $staticdest"
+	  $run eval "$install_prog \$staticobj \$staticdest" || exit $?
+	fi
+	exit 0
+	;;
+
+      *)
+	# Figure out destination file name, if it wasn't already specified.
+	if test -n "$destname"; then
+	  destfile="$destdir/$destname"
+	else
+	  destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	  destfile="$destdir/$destfile"
+	fi
+
+	# Do a test to see if this is really a libtool program.
+	if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  uninst_deplibs=
+	  relink_command=
+
+	  # If there is no directory component, then add one.
+	  case "$file" in
+	  */* | *\\*) . $file ;;
+	  *) . ./$file ;;
+	  esac
+
+	  # Check the variables that should have been set.
+	  if test -z "$uninst_deplibs"; then
+	    $echo "$modename: invalid libtool wrapper script \`$file'" 1>&2
+	    exit 1
+	  fi
+
+	  finalize=yes
+	  for lib in $uninst_deplibs; do
+	    # Check to see that each library is installed.
+	    libdir=
+	    if test -f "$lib"; then
+	      # If there is no directory component, then add one.
+	      case "$lib" in
+	      */* | *\\*) . $lib ;;
+	      *) . ./$lib ;;
+	      esac
+	    fi
+	    libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+	    if test -n "$libdir" && test ! -f "$libfile"; then
+	      $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
+	      finalize=no
+	    fi
+	  done
+
+	  relink_command=
+	  # If there is no directory component, then add one.
+	  case "$file" in
+	  */* | *\\*) . $file ;;
+	  *) . ./$file ;;
+	  esac
+
+	  outputname=
+	  if test "$fast_install" = no && test -n "$relink_command"; then
+	    if test "$finalize" = yes && test -z "$run"; then
+	      tmpdir="/tmp"
+	      test -n "$TMPDIR" && tmpdir="$TMPDIR"
+	      tmpdir="$tmpdir/libtool-$$"
+	      if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
+	      else
+		$echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
+		continue
+	      fi
+	      file=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+	      outputname="$tmpdir/$file"
+	      # Replace the output file specification.
+	      relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+
+	      $show "$relink_command"
+	      if $run eval "$relink_command"; then :
+	      else
+		$echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+		${rm}r "$tmpdir"
+		continue
+	      fi
+	      file="$outputname"
+	    else
+	      $echo "$modename: warning: cannot relink \`$file'" 1>&2
+	    fi
+	  else
+	    # Install the binary that we compiled earlier.
+	    file=`$echo "X$file" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+	  fi
+	fi
+
+	$show "$install_prog$stripme $file $destfile"
+	$run eval "$install_prog\$stripme \$file \$destfile" || exit $?
+	test -n "$outputname" && ${rm}r "$tmpdir"
+	;;
+      esac
+    done
+
+    for file in $staticlibs; do
+      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+
+      # Set up the ranlib parameters.
+      oldlib="$destdir/$name"
+
+      $show "$install_prog $file $oldlib"
+      $run eval "$install_prog \$file \$oldlib" || exit $?
+
+      if test -n "$stripme" && test -n "$striplib"; then
+	$show "$old_striplib $oldlib"
+	$run eval "$old_striplib $oldlib" || exit $?
+      fi
+
+      # Do each command in the postinstall commands.
+      eval cmds=\"$old_postinstall_cmds\"
+      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+      for cmd in $cmds; do
+	IFS="$save_ifs"
+	$show "$cmd"
+	$run eval "$cmd" || exit $?
+      done
+      IFS="$save_ifs"
+    done
+
+    if test -n "$future_libdirs"; then
+      $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2
+    fi
+
+    if test -n "$current_libdirs"; then
+      # Maybe just do a dry run.
+      test -n "$run" && current_libdirs=" -n$current_libdirs"
+      exec $SHELL $0 --finish$current_libdirs
+      exit 1
+    fi
+
+    exit 0
+    ;;
+
+  # libtool finish mode
+  finish)
+    modename="$modename: finish"
+    libdirs="$nonopt"
+    admincmds=
+
+    if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+      for dir
+      do
+	libdirs="$libdirs $dir"
+      done
+
+      for libdir in $libdirs; do
+	if test -n "$finish_cmds"; then
+	  # Do each command in the finish commands.
+	  eval cmds=\"$finish_cmds\"
+	  IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	  for cmd in $cmds; do
+	    IFS="$save_ifs"
+	    $show "$cmd"
+	    $run eval "$cmd" || admincmds="$admincmds
+       $cmd"
+	  done
+	  IFS="$save_ifs"
+	fi
+	if test -n "$finish_eval"; then
+	  # Do the single finish_eval.
+	  eval cmds=\"$finish_eval\"
+	  $run eval "$cmds" || admincmds="$admincmds
+       $cmds"
+	fi
+      done
+    fi
+
+    # Exit here if they wanted silent mode.
+    test "$show" = : && exit 0
+
+    echo "----------------------------------------------------------------------"
+    echo "Libraries have been installed in:"
+    for libdir in $libdirs; do
+      echo "   $libdir"
+    done
+    echo
+    echo "If you ever happen to want to link against installed libraries"
+    echo "in a given directory, LIBDIR, you must either use libtool, and"
+    echo "specify the full pathname of the library, or use \`-LLIBDIR'"
+    echo "flag during linking and do at least one of the following:"
+    if test -n "$shlibpath_var"; then
+      echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
+      echo "     during execution"
+    fi
+    if test -n "$runpath_var"; then
+      echo "   - add LIBDIR to the \`$runpath_var' environment variable"
+      echo "     during linking"
+    fi
+    if test -n "$hardcode_libdir_flag_spec"; then
+      libdir=LIBDIR
+      eval flag=\"$hardcode_libdir_flag_spec\"
+
+      echo "   - use the \`$flag' linker flag"
+    fi
+    if test -n "$admincmds"; then
+      echo "   - have your system administrator run these commands:$admincmds"
+    fi
+    if test -f /etc/ld.so.conf; then
+      echo "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+    fi
+    echo
+    echo "See any operating system documentation about shared libraries for"
+    echo "more information, such as the ld(1) and ld.so(8) manual pages."
+    echo "----------------------------------------------------------------------"
+    exit 0
+    ;;
+
+  # libtool execute mode
+  execute)
+    modename="$modename: execute"
+
+    # The first argument is the command name.
+    cmd="$nonopt"
+    if test -z "$cmd"; then
+      $echo "$modename: you must specify a COMMAND" 1>&2
+      $echo "$help"
+      exit 1
+    fi
+
+    # Handle -dlopen flags immediately.
+    for file in $execute_dlfiles; do
+      if test ! -f "$file"; then
+	$echo "$modename: \`$file' is not a file" 1>&2
+	$echo "$help" 1>&2
+	exit 1
+      fi
+
+      dir=
+      case "$file" in
+      *.la)
+	# Check to see that this really is a libtool archive.
+	if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+	else
+	  $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+	  $echo "$help" 1>&2
+	  exit 1
+	fi
+
+	# Read the libtool library.
+	dlname=
+	library_names=
+
+	# If there is no directory component, then add one.
+	case "$file" in
+	*/* | *\\*) . $file ;;
+	*) . ./$file ;;
+	esac
+
+	# Skip this library if it cannot be dlopened.
+	if test -z "$dlname"; then
+	  # Warn if it was a shared library.
+	  test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'"
+	  continue
+	fi
+
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$dir" = "X$file" && dir=.
+
+	if test -f "$dir/$objdir/$dlname"; then
+	  dir="$dir/$objdir"
+	else
+	  $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
+	  exit 1
+	fi
+	;;
+
+      *.lo)
+	# Just add the directory containing the .lo file.
+	dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+	test "X$dir" = "X$file" && dir=.
+	;;
+
+      *)
+	$echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
+	continue
+	;;
+      esac
+
+      # Get the absolute pathname.
+      absdir=`cd "$dir" && pwd`
+      test -n "$absdir" && dir="$absdir"
+
+      # Now add the directory to shlibpath_var.
+      if eval "test -z \"\$$shlibpath_var\""; then
+	eval "$shlibpath_var=\"\$dir\""
+      else
+	eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
+      fi
+    done
+
+    # This variable tells wrapper scripts just to set shlibpath_var
+    # rather than running their programs.
+    libtool_execute_magic="$magic"
+
+    # Check if any of the arguments is a wrapper script.
+    args=
+    for file
+    do
+      case "$file" in
+      -*) ;;
+      *)
+	# Do a test to see if this is really a libtool program.
+	if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  # If there is no directory component, then add one.
+	  case "$file" in
+	  */* | *\\*) . $file ;;
+	  *) . ./$file ;;
+	  esac
+
+	  # Transform arg to wrapped name.
+	  file="$progdir/$program"
+	fi
+	;;
+      esac
+      # Quote arguments (to preserve shell metacharacters).
+      file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
+      args="$args \"$file\""
+    done
+
+    if test -z "$run"; then
+      if test -n "$shlibpath_var"; then
+	# Export the shlibpath_var.
+	eval "export $shlibpath_var"
+      fi
+
+      # Restore saved enviroment variables
+      if test "${save_LC_ALL+set}" = set; then
+	LC_ALL="$save_LC_ALL"; export LC_ALL
+      fi
+      if test "${save_LANG+set}" = set; then
+	LANG="$save_LANG"; export LANG
+      fi
+
+      # Now actually exec the command.
+      eval "exec \$cmd$args"
+
+      $echo "$modename: cannot exec \$cmd$args"
+      exit 1
+    else
+      # Display what would be done.
+      if test -n "$shlibpath_var"; then
+	eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
+	$echo "export $shlibpath_var"
+      fi
+      $echo "$cmd$args"
+      exit 0
+    fi
+    ;;
+
+  # libtool clean and uninstall mode
+  clean | uninstall)
+    modename="$modename: $mode"
+    rm="$nonopt"
+    files=
+
+    # This variable tells wrapper scripts just to set variables rather
+    # than running their programs.
+    libtool_install_magic="$magic"
+
+    for arg
+    do
+      case "$arg" in
+      -*) rm="$rm $arg" ;;
+      *) files="$files $arg" ;;
+      esac
+    done
+
+    if test -z "$rm"; then
+      $echo "$modename: you must specify an RM program" 1>&2
+      $echo "$help" 1>&2
+      exit 1
+    fi
+
+    for file in $files; do
+      dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+      if test "X$dir" = "X$file"; then
+	dir=.
+	objdir="$objdir"
+      else
+	objdir="$dir/$objdir"
+      fi
+      name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+      test $mode = uninstall && objdir="$dir"
+
+      rmfiles="$file"
+
+      case "$name" in
+      *.la)
+	# Possibly a libtool archive, so verify it.
+	if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  . $dir/$name
+
+	  # Delete the libtool libraries and symlinks.
+	  for n in $library_names; do
+	    rmfiles="$rmfiles $objdir/$n"
+	  done
+	  test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
+	  test $mode = clean && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+
+	  if test $mode = uninstall; then
+	    if test -n "$library_names"; then
+	      # Do each command in the postuninstall commands.
+	      eval cmds=\"$postuninstall_cmds\"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd"
+	      done
+	      IFS="$save_ifs"
+	    fi
+
+	    if test -n "$old_library"; then
+	      # Do each command in the old_postuninstall commands.
+	      eval cmds=\"$old_postuninstall_cmds\"
+	      IFS="${IFS= 	}"; save_ifs="$IFS"; IFS='~'
+	      for cmd in $cmds; do
+		IFS="$save_ifs"
+		$show "$cmd"
+		$run eval "$cmd"
+	      done
+	      IFS="$save_ifs"
+	    fi
+	    # FIXME: should reinstall the best remaining shared library.
+	  fi
+	fi
+	;;
+
+      *.lo)
+	if test "$build_old_libs" = yes; then
+	  oldobj=`$echo "X$name" | $Xsed -e "$lo2o"`
+	  rmfiles="$rmfiles $dir/$oldobj"
+	fi
+	;;
+
+      *)
+	# Do a test to see if this is a libtool program.
+	if test $mode = clean &&
+	   (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+	  relink_command=
+	  . $dir/$file
+
+	  rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
+	  if test "$fast_install" = yes && test -n "$relink_command"; then
+	    rmfiles="$rmfiles $objdir/lt-$name"
+	  fi
+	fi
+	;;
+      esac
+      $show "$rm $rmfiles"
+      $run $rm $rmfiles
+    done
+    exit 0
+    ;;
+
+  "")
+    $echo "$modename: you must specify a MODE" 1>&2
+    $echo "$generic_help" 1>&2
+    exit 1
+    ;;
+  esac
+
+  $echo "$modename: invalid operation mode \`$mode'" 1>&2
+  $echo "$generic_help" 1>&2
+  exit 1
+fi # test -z "$show_help"
+
+# We need to display help for each of the modes.
+case "$mode" in
+"") $echo \
+"Usage: $modename [OPTION]... [MODE-ARG]...
+
+Provide generalized library-building support services.
+
+    --config          show all configuration variables
+    --debug           enable verbose shell tracing
+-n, --dry-run         display commands without modifying any files
+    --features        display basic configuration information and exit
+    --finish          same as \`--mode=finish'
+    --help            display this help message and exit
+    --mode=MODE       use operation mode MODE [default=inferred from MODE-ARGS]
+    --quiet           same as \`--silent'
+    --silent          don't print informational messages
+    --version         print version information
+
+MODE must be one of the following:
+
+      clean           remove files from the build directory
+      compile         compile a source file into a libtool object
+      execute         automatically set library path, then run a program
+      finish          complete the installation of libtool libraries
+      install         install libraries or executables
+      link            create a library or an executable
+      uninstall       remove libraries from an installed directory
+
+MODE-ARGS vary depending on the MODE.  Try \`$modename --help --mode=MODE' for
+a more detailed description of MODE."
+  exit 0
+  ;;
+
+clean)
+  $echo \
+"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
+
+Remove files from the build directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, object or program, all the files associated
+with it are deleted. Otherwise, only FILE itself is deleted using RM."
+  ;;
+
+compile)
+  $echo \
+"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
+
+Compile a source file into a libtool library object.
+
+This mode accepts the following additional options:
+
+  -o OUTPUT-FILE    set the output file name to OUTPUT-FILE
+  -static           always build a \`.o' file suitable for static linking
+
+COMPILE-COMMAND is a command to be used in creating a \`standard' object file
+from the given SOURCEFILE.
+
+The output file name is determined by removing the directory component from
+SOURCEFILE, then substituting the C source code suffix \`.c' with the
+library object suffix, \`.lo'."
+  ;;
+
+execute)
+  $echo \
+"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]...
+
+Automatically set library path, then run a program.
+
+This mode accepts the following additional options:
+
+  -dlopen FILE      add the directory containing FILE to the library path
+
+This mode sets the library path environment variable according to \`-dlopen'
+flags.
+
+If any of the ARGS are libtool executable wrappers, then they are translated
+into their corresponding uninstalled binary, and any of their required library
+directories are added to the library path.
+
+Then, COMMAND is executed, with ARGS as arguments."
+  ;;
+
+finish)
+  $echo \
+"Usage: $modename [OPTION]... --mode=finish [LIBDIR]...
+
+Complete the installation of libtool libraries.
+
+Each LIBDIR is a directory that contains libtool libraries.
+
+The commands that this mode executes may require superuser privileges.  Use
+the \`--dry-run' option if you just want to see what would be executed."
+  ;;
+
+install)
+  $echo \
+"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND...
+
+Install executables or libraries.
+
+INSTALL-COMMAND is the installation command.  The first component should be
+either the \`install' or \`cp' program.
+
+The rest of the components are interpreted as arguments to that command (only
+BSD-compatible install options are recognized)."
+  ;;
+
+link)
+  $echo \
+"Usage: $modename [OPTION]... --mode=link LINK-COMMAND...
+
+Link object files or libraries together to form another library, or to
+create an executable program.
+
+LINK-COMMAND is a command using the C compiler that you would use to create
+a program from several object files.
+
+The following components of LINK-COMMAND are treated specially:
+
+  -all-static       do not do any dynamic linking at all
+  -avoid-version    do not add a version suffix if possible
+  -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
+  -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
+  -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
+  -export-symbols SYMFILE
+		    try to export only the symbols listed in SYMFILE
+  -export-symbols-regex REGEX
+		    try to export only the symbols matching REGEX
+  -LLIBDIR          search LIBDIR for required installed libraries
+  -lNAME            OUTPUT-FILE requires the installed library libNAME
+  -module           build a library that can dlopened
+  -no-fast-install  disable the fast-install mode
+  -no-install       link a not-installable executable
+  -no-undefined     declare that a library does not refer to external symbols
+  -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
+  -release RELEASE  specify package release information
+  -rpath LIBDIR     the created library will eventually be installed in LIBDIR
+  -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
+  -static           do not do any dynamic linking of libtool libraries
+  -version-info CURRENT[:REVISION[:AGE]]
+		    specify library version info [each variable defaults to 0]
+
+All other options (arguments beginning with \`-') are ignored.
+
+Every other argument is treated as a filename.  Files ending in \`.la' are
+treated as uninstalled libtool libraries, other files are standard or library
+object files.
+
+If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
+only library objects (\`.lo' files) may be specified, and \`-rpath' is
+required, except when creating a convenience library.
+
+If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
+using \`ar' and \`ranlib', or on Windows using \`lib'.
+
+If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
+is created, otherwise an executable program is created."
+  ;;
+
+uninstall)
+  $echo \
+"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
+
+Remove libraries from an installation directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, all the files associated with it are deleted.
+Otherwise, only FILE itself is deleted using RM."
+  ;;
+
+*)
+  $echo "$modename: invalid operation mode \`$mode'" 1>&2
+  $echo "$help" 1>&2
+  exit 1
+  ;;
+esac
+
+echo
+$echo "Try \`$modename --help' for more information about other modes."
+
+exit 0
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
diff --git a/crypto/heimdal/missing b/crypto/heimdal/missing
new file mode 100644
index 0000000..1570c79
--- /dev/null
+++ b/crypto/heimdal/missing
@@ -0,0 +1,265 @@
+#! /bin/sh
+# Common stub for a few missing GNU programs while installing.
+# Copyright (C) 1996, 1997, 1999, 2000 Free Software Foundation, Inc.
+# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+
+if test $# -eq 0; then
+  echo 1>&2 "Try \`$0 --help' for more information"
+  exit 1
+fi
+
+run=:
+
+case "$1" in
+--run)
+  # Try to run requested program, and just exit if it succeeds.
+  run=
+  shift
+  "$@" && exit 0
+  ;;
+esac
+
+# If it does not exist, or fails to run (possibly an outdated version),
+# try to emulate it.
+case "$1" in
+
+  -h|--h|--he|--hel|--help)
+    echo "\
+$0 [OPTION]... PROGRAM [ARGUMENT]...
+
+Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
+error status if there is no known handling for PROGRAM.
+
+Options:
+  -h, --help      display this help and exit
+  -v, --version   output version information and exit
+  --run           try to run the given command, and emulate it if it fails
+
+Supported PROGRAM values:
+  aclocal      touch file \`aclocal.m4'
+  autoconf     touch file \`configure'
+  autoheader   touch file \`config.h.in'
+  automake     touch all \`Makefile.in' files
+  bison        create \`y.tab.[ch]', if possible, from existing .[ch]
+  flex         create \`lex.yy.c', if possible, from existing .c
+  help2man     touch the output file
+  lex          create \`lex.yy.c', if possible, from existing .c
+  makeinfo     touch the output file
+  tar          try tar, gnutar, gtar, then tar without non-portable flags
+  yacc         create \`y.tab.[ch]', if possible, from existing .[ch]"
+    ;;
+
+  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
+    echo "missing 0.3 - GNU automake"
+    ;;
+
+  -*)
+    echo 1>&2 "$0: Unknown \`$1' option"
+    echo 1>&2 "Try \`$0 --help' for more information"
+    exit 1
+    ;;
+
+  aclocal)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`acinclude.m4' or \`configure.in'.  You might want
+         to install the \`Automake' and \`Perl' packages.  Grab them from
+         any GNU archive site."
+    touch aclocal.m4
+    ;;
+
+  autoconf)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`configure.in'.  You might want to install the
+         \`Autoconf' and \`GNU m4' packages.  Grab them from any GNU
+         archive site."
+    touch configure
+    ;;
+
+  autoheader)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`acconfig.h' or \`configure.in'.  You might want
+         to install the \`Autoconf' and \`GNU m4' packages.  Grab them
+         from any GNU archive site."
+    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' configure.in`
+    test -z "$files" && files="config.h"
+    touch_files=
+    for f in $files; do
+      case "$f" in
+      *:*) touch_files="$touch_files "`echo "$f" |
+				       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
+      *) touch_files="$touch_files $f.in";;
+      esac
+    done
+    touch $touch_files
+    ;;
+
+  automake)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified \`Makefile.am', \`acinclude.m4' or \`configure.in'.
+         You might want to install the \`Automake' and \`Perl' packages.
+         Grab them from any GNU archive site."
+    find . -type f -name Makefile.am -print |
+	   sed 's/\.am$/.in/' |
+	   while read f; do touch "$f"; done
+    ;;
+
+  bison|yacc)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.y' file.  You may need the \`Bison' package
+         in order for those modifications to take effect.  You can get
+         \`Bison' from any GNU archive site."
+    rm -f y.tab.c y.tab.h
+    if [ $# -ne 1 ]; then
+        eval LASTARG="\${$#}"
+	case "$LASTARG" in
+	*.y)
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" y.tab.c
+	    fi
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" y.tab.h
+	    fi
+	  ;;
+	esac
+    fi
+    if [ ! -f y.tab.h ]; then
+	echo >y.tab.h
+    fi
+    if [ ! -f y.tab.c ]; then
+	echo 'main() { return 0; }' >y.tab.c
+    fi
+    ;;
+
+  lex|flex)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.l' file.  You may need the \`Flex' package
+         in order for those modifications to take effect.  You can get
+         \`Flex' from any GNU archive site."
+    rm -f lex.yy.c
+    if [ $# -ne 1 ]; then
+        eval LASTARG="\${$#}"
+	case "$LASTARG" in
+	*.l)
+	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" lex.yy.c
+	    fi
+	  ;;
+	esac
+    fi
+    if [ ! -f lex.yy.c ]; then
+	echo 'main() { return 0; }' >lex.yy.c
+    fi
+    ;;
+
+  help2man)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+	 you modified a dependency of a manual page.  You may need the
+	 \`Help2man' package in order for those modifications to take
+	 effect.  You can get \`Help2man' from any GNU archive site."
+
+    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+    if test -z "$file"; then
+	file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'`
+    fi
+    if [ -f "$file" ]; then
+	touch $file
+    else
+	test -z "$file" || exec >$file
+	echo ".ab help2man is required to generate this page"
+	exit 1
+    fi
+    ;;
+
+  makeinfo)
+    echo 1>&2 "\
+WARNING: \`$1' is missing on your system.  You should only need it if
+         you modified a \`.texi' or \`.texinfo' file, or any other file
+         indirectly affecting the aspect of the manual.  The spurious
+         call might also be the consequence of using a buggy \`make' (AIX,
+         DU, IRIX).  You might want to install the \`Texinfo' package or
+         the \`GNU make' package.  Grab either from any GNU archive site."
+    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+    if test -z "$file"; then
+      file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
+      file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file`
+    fi
+    touch $file
+    ;;
+
+  tar)
+    shift
+    if test -n "$run"; then
+      echo 1>&2 "ERROR: \`tar' requires --run"
+      exit 1
+    fi
+
+    # We have already tried tar in the generic part.
+    # Look for gnutar/gtar before invocation to avoid ugly error
+    # messages.
+    if (gnutar --version > /dev/null 2>&1); then
+       gnutar ${1+"$@"} && exit 0
+    fi
+    if (gtar --version > /dev/null 2>&1); then
+       gtar ${1+"$@"} && exit 0
+    fi
+    firstarg="$1"
+    if shift; then
+	case "$firstarg" in
+	*o*)
+	    firstarg=`echo "$firstarg" | sed s/o//`
+	    tar "$firstarg" ${1+"$@"} && exit 0
+	    ;;
+	esac
+	case "$firstarg" in
+	*h*)
+	    firstarg=`echo "$firstarg" | sed s/h//`
+	    tar "$firstarg" ${1+"$@"} && exit 0
+	    ;;
+	esac
+    fi
+
+    echo 1>&2 "\
+WARNING: I can't seem to be able to run \`tar' with the given arguments.
+         You may want to install GNU tar or Free paxutils, or check the
+         command line arguments."
+    exit 1
+    ;;
+
+  *)
+    echo 1>&2 "\
+WARNING: \`$1' is needed, and you do not seem to have it handy on your
+         system.  You might have modified some files without having the
+         proper tools for further handling them.  Check the \`README' file,
+         it often tells you about the needed prerequirements for installing
+         this package.  You may also peek at any GNU archive site, in case
+         some other package would contain this missing \`$1' program."
+    exit 1
+    ;;
+esac
+
+exit 0
diff --git a/crypto/heimdal/mkinstalldirs b/crypto/heimdal/mkinstalldirs
new file mode 100755
index 0000000..018b680
--- /dev/null
+++ b/crypto/heimdal/mkinstalldirs
@@ -0,0 +1,40 @@
+#! /bin/sh
+# mkinstalldirs --- make directory hierarchy
+# Author: Noah Friedman <friedman@prep.ai.mit.edu>
+# Created: 1993-05-16
+# Public domain
+
+# $Id: mkinstalldirs,v 1.1 1996/10/22 22:25:14 joda Exp $
+
+errstatus=0
+
+for file
+do
+   set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
+   shift
+
+   pathcomp=
+   for d
+   do
+     pathcomp="$pathcomp$d"
+     case "$pathcomp" in
+       -* ) pathcomp=./$pathcomp ;;
+     esac
+
+     if test ! -d "$pathcomp"; then
+        echo "mkdir $pathcomp" 1>&2
+
+        mkdir "$pathcomp" || lasterr=$?
+
+        if test ! -d "$pathcomp"; then
+  	  errstatus=$lasterr
+        fi
+     fi
+
+     pathcomp="$pathcomp/"
+   done
+done
+
+exit $errstatus
+
+# mkinstalldirs ends here
diff --git a/crypto/heimdal/tools/Makefile.am b/crypto/heimdal/tools/Makefile.am
new file mode 100644
index 0000000..4f02904
--- /dev/null
+++ b/crypto/heimdal/tools/Makefile.am
@@ -0,0 +1,25 @@
+# $Id: Makefile.am,v 1.5 2001/01/29 06:56:33 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+EXTRA_DIST = krb5-config.1
+
+CLEANFILES = krb5-config
+
+bin_SCRIPTS = krb5-config
+
+man_MANS = krb5-config.1
+
+krb5-config: krb5-config.in
+	sed	-e "s,@PACKAGE\@,$(PACKAGE),g" \
+		-e "s,@VERSION\@,$(VERSION),g" \
+		-e "s,@prefix\@,$(prefix),g" \
+		-e "s,@exec_prefix\@,$(exec_prefix),g" \
+		-e "s,@libdir\@,$(libdir),g" \
+		-e "s,@includedir\@,$(includedir),g" \
+		-e "s,@LIB_crypt\@,$(LIB_crypt),g" \
+		-e "s,@LIB_dbopen\@,$(LIB_dbopen),g" \
+		-e "s,@LIB_des_appl\@,$(LIB_des_appl),g" \
+		-e "s,@LIBS\@,$(LIBS),g" \
+		$(srcdir)/krb5-config.in > $@
+	chmod +x $@
diff --git a/crypto/heimdal/tools/Makefile.in b/crypto/heimdal/tools/Makefile.in
new file mode 100644
index 0000000..c189730
--- /dev/null
+++ b/crypto/heimdal/tools/Makefile.in
@@ -0,0 +1,527 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.5 2001/01/29 06:56:33 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+EXTRA_DIST = krb5-config.1
+
+CLEANFILES = krb5-config
+
+bin_SCRIPTS = krb5-config
+
+man_MANS = krb5-config.1
+subdir = tools
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../include/config.h
+CONFIG_CLEAN_FILES = 
+SCRIPTS =  $(bin_SCRIPTS)
+
+CFLAGS = @CFLAGS@
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES = 
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+install-binSCRIPTS: $(bin_SCRIPTS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  if test -f $$p; then \
+	    echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f; \
+	  elif test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binSCRIPTS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+tags: TAGS
+TAGS:
+
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binSCRIPTS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binSCRIPTS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(SCRIPTS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-generic distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: uninstall-binSCRIPTS install-binSCRIPTS install-man1 \
+uninstall-man1 install-man uninstall-man tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+krb5-config: krb5-config.in
+	sed	-e "s,@PACKAGE\@,$(PACKAGE),g" \
+		-e "s,@VERSION\@,$(VERSION),g" \
+		-e "s,@prefix\@,$(prefix),g" \
+		-e "s,@exec_prefix\@,$(exec_prefix),g" \
+		-e "s,@libdir\@,$(libdir),g" \
+		-e "s,@includedir\@,$(includedir),g" \
+		-e "s,@LIB_crypt\@,$(LIB_crypt),g" \
+		-e "s,@LIB_dbopen\@,$(LIB_dbopen),g" \
+		-e "s,@LIB_des_appl\@,$(LIB_des_appl),g" \
+		-e "s,@LIBS\@,$(LIBS),g" \
+		$(srcdir)/krb5-config.in > $@
+	chmod +x $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/tools/krb5-config.1 b/crypto/heimdal/tools/krb5-config.1
new file mode 100644
index 0000000..e87176c
--- /dev/null
+++ b/crypto/heimdal/tools/krb5-config.1
@@ -0,0 +1,59 @@
+.\" $Id: krb5-config.1,v 1.4 2001/05/02 08:59:23 assar Exp $
+.\"
+.Dd November 30, 2000
+.Dt KRB5-CONFIG 1
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5-config
+.Nd "give information on how to link code against Heimdal libraries"
+.Sh SYNOPSIS
+.Nm
+.Op Fl -prefix Ns Op = Ns Ar dir
+.Op Fl -exec-prefix Ns Op = Ns Ar dir
+.Op Fl -libs
+.Op Fl -cflags
+.Op Ar libraries
+.Sh DESCRIPTION
+.Nm
+tells the application programmer what special flags to use to compile
+and link programs against the libraries installed by Heimdal.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Fl -prefix Ns Op = Ns Ar dir
+Print the prefix if no
+.Ar dir
+is specified, otherwise set prefix to
+.Ar dir .
+.It Fl -exec-prefix Ns Op = Ns Ar dir
+Print the exec-prefix if no
+.Ar dir
+is specified, otherwise set exec-prefix to
+.Ar dir .
+.It Fl -libs
+Output the set of libraries that should be linked against.
+.It Fl -cflags
+Output the set of flags to give to the C compiler when using the
+Heimdal libraries.
+.El
+.Pp
+By default
+.Nm
+will output the set of flags and libraries to be used by a normal
+program using the krb5 API.  The user can also supply a library to be
+used, the supported ones are:
+.Bl -tag -width Ds
+.It krb5
+(the default)
+.It gssapi
+use the krb5 gssapi mechanism
+.It kadm-client
+use the client-side kadmin libraries
+.It kadm-server
+use the server-side kadmin libraries
+.El
+.Sh SEE ALSO
+.Xr cc 1
+.Sh HISTORY
+.Nm
+appeared in Heimdal 0.3d.
diff --git a/crypto/heimdal/tools/krb5-config.cat1 b/crypto/heimdal/tools/krb5-config.cat1
new file mode 100644
index 0000000..298f57b
--- /dev/null
+++ b/crypto/heimdal/tools/krb5-config.cat1
@@ -0,0 +1,52 @@
+
+KRB5-CONFIG(1)               UNIX Reference Manual              KRB5-CONFIG(1)
+
+NNAAMMEE
+     kkrrbb55--ccoonnffiigg - give information on how to link code against Heimdal li-
+     braries
+
+SSYYNNOOPPSSIISS
+     kkrrbb55--ccoonnffiigg [----pprreeffiixx[=_d_i_r]] [----eexxeecc--pprreeffiixx[=_d_i_r]] [----lliibbss] [----ccffllaaggss]
+     [_l_i_b_r_a_r_i_e_s]
+
+DDEESSCCRRIIPPTTIIOONN
+     kkrrbb55--ccoonnffiigg tells the application programmer what special flags to use to
+     compile and link programs against the libraries installed by Heimdal.
+
+     Options supported:
+
+     ----pprreeffiixx[=_d_i_r]
+             Print the prefix if no _d_i_r is specified, otherwise set prefix to
+             _d_i_r.
+
+     ----eexxeecc--pprreeffiixx[=_d_i_r]
+             Print the exec-prefix if no _d_i_r is specified, otherwise set exec-
+             prefix to _d_i_r.
+
+     ----lliibbss  Output the set of libraries that should be linked against.
+
+     ----ccffllaaggss
+             Output the set of flags to give to the C compiler when using the
+             Heimdal libraries.
+
+     By default kkrrbb55--ccoonnffiigg will output the set of flags and libraries to be
+     used by a normal program using the krb5 API.  The user can also supply a
+     library to be used, the supported ones are:
+
+     krb5    (the default)
+
+     gssapi  use the krb5 gssapi mechanism
+
+     kadm-client
+             use the client-side kadmin libraries
+
+     kadm-server
+             use the server-side kadmin libraries
+
+SSEEEE AALLSSOO
+     cc(1)
+
+HHIISSTTOORRYY
+     kkrrbb55--ccoonnffiigg appeared in Heimdal 0.3d.
+
+ HEIMDAL                       November 30, 2000                             1
diff --git a/crypto/heimdal/tools/krb5-config.in b/crypto/heimdal/tools/krb5-config.in
new file mode 100755
index 0000000..e1235ac
--- /dev/null
+++ b/crypto/heimdal/tools/krb5-config.in
@@ -0,0 +1,110 @@
+#!/bin/sh
+# $Id: krb5-config.in,v 1.8 2001/01/29 06:56:51 assar Exp $
+
+do_libs=no
+do_cflags=no
+do_usage=no
+print_prefix=no
+print_exec_prefix=no
+library=krb5
+
+if test $# -eq 0; then
+  do_usage=yes
+  usage_exit=1
+fi
+
+for i in $*; do
+  case $i in
+  --help)
+    do_usage=yes
+    usage_exit=0
+    ;;
+  --version)
+    echo "@PACKAGE@ @VERSION@"
+    echo '$Id: krb5-config.in,v 1.8 2001/01/29 06:56:51 assar Exp $'
+    exit 0
+    ;;
+  --prefix=*)
+    prefix=`echo $i | sed 's/^--prefix=//'`
+    ;;
+  --prefix)
+    print_prefix=yes
+    ;;
+  --exec-prefix=*)
+    exec_prefix=`echo $i | sed 's/^--exec-prefix=//'`
+    ;;
+  --exec-prefix)
+    print_exec_prefix=yes
+    ;;
+  --libs)
+    do_libs=yes
+    ;;
+  --cflags)
+    do_cflags=yes
+    ;;
+  krb5)
+    library=krb5
+    ;;
+  gssapi)
+    library=gssapi
+    ;;
+  kadm-client)
+    library=kadm-client
+    ;;
+  kadm-server)
+    library=kadm-server
+    ;;
+  *)
+    echo "unknown option: $i"
+    exit 1
+    ;;
+  esac
+done
+
+if test "$do_usage" = "yes"; then
+    echo "usage: $0 [options] [libraries]"
+    echo "options: [--prefix[=dir]] [--exec-prefix[=dir]] [--libs] [--cflags]"
+    echo "libraries: krb5 gssapi kadm-client kadm-server"
+    exit $usage_exit
+fi
+
+if test "$prefix" = ""; then
+  prefix=@prefix@
+fi
+if test "$exec_prefix" = ""; then
+  exec_prefix=@exec_prefix@
+fi
+
+libdir=@libdir@
+includedir=@includedir@
+
+if test "$print_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$print_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$do_libs" = "yes"; then
+    lib_flags="-L${libdir}"
+    case $library in
+    gssapi)
+	lib_flags="$lib_flags -lgssapi"
+	;;
+    kadm-client)
+	lib_flags="$lib_flags -lkadm5clnt"
+	;;
+    kadm-server)
+	lib_flags="$lib_flags -lkadm5srv"
+	;;
+    esac
+    lib_flags="$lib_flags -lkrb5 -lasn1 @LIB_des_appl@ -lroken"
+    lib_flags="$lib_flags @LIB_crypt@ @LIB_dbopen@ @LIBS@"
+    echo $lib_flags
+fi
+if test "$do_cflags" = "yes"; then
+    echo "-I${includedir}"
+fi
+
+exit 0
diff --git a/crypto/kerberosIV/COPYRIGHT b/crypto/kerberosIV/COPYRIGHT
new file mode 100644
index 0000000..4222459
--- /dev/null
+++ b/crypto/kerberosIV/COPYRIGHT
@@ -0,0 +1,161 @@
+Copyright (c) 1995-1999 Kungliga Tekniska Högskolan 
+(Royal Institute of Technology, Stockholm, Sweden).
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the Institute nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Copyright (C) 1995 Eric Young (eay@mincom.oz.au)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+   This product includes software developed by Eric Young (eay@mincom.oz.au)
+
+THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Copyright (c) 1983, 1990 The Regents of the University of California.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+     This product includes software developed by the University of
+     California, Berkeley and its contributors.
+
+4. Neither the name of the University nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+
+
+Copyright (C) 1990 by the Massachusetts Institute of Technology
+
+Export of this software from the United States of America is assumed
+to require a specific license from the United States Government.
+It is the responsibility of any person or organization contemplating
+export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+
+
+Copyright 1987, 1989 by the Student Information Processing Board
+	of the Massachusetts Institute of Technology
+
+Permission to use, copy, modify, and distribute this software
+and its documentation for any purpose and without fee is
+hereby granted, provided that the above copyright notice
+appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation,
+and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
+used in advertising or publicity pertaining to distribution
+of the software without specific, written prior permission.
+M.I.T. and the M.I.T. S.I.P.B. make no representations about
+the suitability of this software for any purpose.  It is
+provided "as is" without express or implied warranty.
+
+
+
+Copyright 1992 Simmule Turner and Rich Salz.  All rights reserved. 
+
+This software is not subject to any license of the American Telephone 
+and Telegraph Company or of the Regents of the University of California. 
+
+Permission is granted to anyone to use this software for any purpose on
+any computer system, and to alter it and redistribute it freely, subject
+to the following restrictions:
+
+1. The authors are not responsible for the consequences of use of this
+   software, no matter how awful, even if they arise from flaws in it.
+
+2. The origin of this software must not be misrepresented, either by
+   explicit claim or by omission.  Since few users ever read sources,
+   credits must appear in the documentation.
+
+3. Altered versions must be plainly marked as such, and must not be
+   misrepresented as being the original software.  Since few users
+   ever read sources, credits must appear in the documentation.
+
+4. This notice may not be removed or altered.
+
diff --git a/crypto/kerberosIV/ChangeLog b/crypto/kerberosIV/ChangeLog
new file mode 100644
index 0000000..d0300be
--- /dev/null
+++ b/crypto/kerberosIV/ChangeLog
@@ -0,0 +1,5519 @@
+2000-12-25
+
+	* configure.in (VERSION): bump to 1.0.5
+
+2000-10-19
+
+	* include/Makefile.in (HEADERS): add md4.h, md5.h, sha.h and rc4.h
+	* appl/kip/common.c (WCOREDUMP): add fallback definition
+
+2000-10-18
+
+	* lib/krb/dest_tkt.c (dest_tkt): only return valid error codes
+	back
+
+	* kadmin/admin_server.c: re-structure code to handle DoS attacks
+	better only allow a constant number of children (100 currently)
+	keep track of which children have gotten authentication
+	information and kill the non-authenticated children when there are
+	new connections
+
+2000-10-16
+
+	* server/kerberos.c: handle a fixed number (100) of TCP
+	connections and kill some randomly if all are busy to try to
+	mitigate the effects of DoS attacks
+
+2000-10-08
+
+	* lib/krb/send_to_kdc.c (send_recv): check that fds are not too
+	large to select on
+	* kadmin/admin_server.c (kadm_listen): check that fds are not too
+	large to select on
+	* appl/kip/common.c (*): check that fds are not too large to
+	select on
+	* appl/bsd/rshd.c (doit): check that fds are not too large to
+	select on
+	* appl/bsd/rsh.c (talk): check that fds are not too large to
+	select on
+	* appl/bsd/rlogin.c (reader): check that fds are not too large to
+	select on
+	* appl/bsd/kcmd.c (kcmd): check that fds are not too large to
+	select on
+
+2000-09-25
+
+	* config.guess: update to version 2000-09-05 (aka 1.156) from
+	subversions.gnu.org plus some minor tweaks
+	* config.sub: update to version 2000-09-11 (aka 1.181) from
+	subversions.gnu.org
+
+2000-09-09
+
+	* appl/kip/kipd.c: add back droped slash in kip-control
+
+2000-08-16
+
+	* configure.in (getmsg): re-do so it possibly works on redhat 7.0
+
+2000-08-09
+
+	* kuser/klist.c (display_srvtab): do not call warn with a variable
+	as format string
+
+	* appl/bsd/rshd.c (doit): do not call warnx with a variable as
+	format string
+
+2000-07-30
+
+	* doc/install.texi: say something about siacfg
+	
+2000-06-28
+
+	* lib/krb/dest_tkt.c (dest_tkt): rewrite to lstat and compare
+	numbers
+
+2000-06-10
+
+	* appl/bsd: work-around setuid and capabilities bug fixed in Linux
+	2.2.16
+
+2000-06-08
+
+	* configure.in: do not use streams ptys on HP-UX 11
+
+2000-05-15
+
+	* lib/krb/rw.c (krb_get_nir): add explicit lengths to the
+	parameters.  before this the function `knew'.  change callers.
+
+2000-05-14
+
+	* appl/afsutil/aklog.c: look not only in /usr/vice/etc but also in
+	/usr/arla/etc for configuration files
+
+2000-04-25
+
+	* lib/krb/tf_util.c (tf_create): just remove the over-writing of
+	the old ticket file.
+
+2000-04-09
+
+	* lib/krb/getaddrs.c (k_get_all_addrs): apperently solaris can
+	return EINVAL when the buffer is too small.  cope.
+	* appl/bsd/rshd.c (doit): exec the correct shell
+
+2000-03-26
+
+	* config.guess, config.sub: update to current version from
+	:pserver:anoncvs@subversions.gnu.org:/home/cvs
+
+	* appl/bsd/rlogind.c (rlogind_logout, logwtmp): make sure to
+	always call time and ctime with `time_t's.  there were some types
+	(like in lastlog) that we believed to always be time_t.  this has
+	proven wrong on Solaris 8 in 64-bit mode, where they are stored as
+	32-bit quantities but time_t has gone up to 64 bits
+	* appl/bsd/login.c: dito
+
+2000-03-20
+
+	* configure.in: add solaris2.8
+
+2000-03-15
+
+	* configure.in: on all versions of aix, add `-bnolibpath' to the
+	linker.  otherwise ld will interpret -L as run-time path for where
+	to find shared libraries and looking in ../../foo is a bad idea.
+	bug report from Niklas Edmundsson <nikke@ing.umu.se>
+
+2000-03-09
+
+	*  Release 1.0.1
+
+1999-11-29
+
+	*  Release 1.0
+
+	* lib/krb/krb-protos.h (tf_get_cred_addr): add prototype
+
+	* lib/krb/tf_util.c (tf_get_cred_addr): new function for fetching
+	the NAT addresses stored in the ticket file. From
+	<thn@stacken.kth.se>
+
+	* kuser/klist.c (display_tktfile): dump the IP address being used
+	when in NAT-mode.  From <thn@stacken.kth.se>
+
+1999-11-25
+
+	* appl/bsd/rlogind.c (main): getopt returns -1 and not EOF.  From
+	<art@stacken.kth.se>
+
+	* lib/krb/krb_ip_realm.c (krb_add_our_ip_for_realm): new function
+	for obtaining the IP address that the KDC sees us as coming from.
+	From <thn@stacken.kth.se>
+
+	* lib/krb/tf_util.c (tf_get_addr, tf_store_addr): new functions
+	for storing the NAT-ed address per realm
+	(tf_get_cred): make sure to ignore all magic credentials
+
+	* lib/krb/get_in_tkt.c (krb_get_pw_in_tkt2): if using NAT, store
+	the address the the KDC saw. (krb_add_our_ip_for_realm)
+
+	* lib/krb/send_to_kdc.c: rewrite some.  Make sure that we do not
+	do any hostname lookups when using http through a proxy (the proxy
+	is supposed to do that in the `real' name-space).
+
+1999-11-19
+
+	* appl/bsd/rcmd_util.c (conv): add EXTA and EXTB
+	
+Tue Nov 16 1999
+
+	* lib/krb/defaults.c (krb_get_default_keyfile): Get value of
+ 	KEYFILE from /etc/krb.extra.
+
+1999-11-13
+
+	* **/*.c (main): getopt returns -1 not EOF.  From
+	<art@stacken.kth.se>
+
+	* configure.in: check for fields in `struct tm' and variable
+	`timezone', used by strftime
+	* configure.in (AC_BROKEN): strptime is a new function in roken
+	opt*: more header files for the tests
+	
+Tue Nov 2 1999
+
+	* lib/krb/krb.h (TKT_ROOT): Change the definition of TKT_ROOT to a
+ 	function call. The returned value is settable in /etc/krb.extra
+ 	with the construct krb_default_tkt_root = /tmp/tkt_.
+
+1999-10-06
+
+	* lib/krb/verify_user.c: remove ERICSSON_COMPAT, it's apparently
+ 	no longer needed
+
+Mon Oct 4 1999
+
+	* appl/bsd/klogin.c (multiple_get_tkt): Must use appropiate realm
+ 	name when calling krb_get_pw_in_tkt or else you will receive an
+ 	inter-realm TGT.
+
+1999-10-03
+
+	* doc/problems.texi: add blurb about irix abi:s
+
+1999-09-27
+
+	* lib/krb/tf_util.c (tf_init): cygwin work-around
+
+1999-09-16
+
+	* configure.in: test for strlcpy, strlcat
+
+	* admin/kdb_util.c (main): support `-' as an alias for stdout.
+  	originally from Fredrik Ljungberg <flag@astrogator.se>
+
+1999-09-15
+
+	* include/Makefile.in: remove duplicate parse_time.h
+
+	* kadmin/ksrvutil_get.c (get_srvtab_ent): better error messages
+
+1999-09-12
+
+	* configure.in: revert back awk test, now worked around in
+ 	roken.awk
+
+1999-09-06
+
+	* doc/problems.texi: document a really working fix for the xlc
+	-qnolm bug
+
+1999-09-04
+
+	* doc/problems.texi: comment about xlc -E brokenness
+
+1999-09-01
+
+	* lib/krb/get_krbrlm.c (krb_get_lrealm_f): treat n = 0 the same as
+	if it were 1 (this should make it backwards compatible with apps
+	that pass 0 for n)
+
+1999-08-25
+
+	* appl/bsd/login.c: surround SGI capability stuff with
+	`defined(HAVE_CAP_SET_PROC)'
+
+1999-08-24
+
+	* kadmin/kadmin.c (add_new_key): add missing space when printing
+ 	generated passwords.  bug reported by Per Eriksson DMC
+ 	<perixon@dsv.su.se>
+	
+	* lib/krb/verify_user.c (krb_verify_user_srvtab): return last
+ 	error instead of KFAILURE when everything fails.
+
+	* appl/bsd/klogin.c (multiple_get_tkt): return last error instead
+ 	of KFAILURE when everything fails.
+
+1999-08-18
+
+	* doc/problems.texi: some y2k stuff
+
+	* doc/kth-krb.texi: update copyright, and menu
+
+	* doc/intro.texi: remove unix-system section, since it's
+	impossible to keep up to date
+
+1999-08-13
+
+	* configure.in: test for inet_pton include <sys/types.h> in all
+ 	utmp tests
+
+1999-07-27
+
+	* configure.in: test for struct sockaddr_storage and sa_family
+ 	brokenize inet_ntop
+
+1999-07-24
+
+	* kadmin/ksrvutil_get.c (get_srvtab_ent): try to print better
+ 	error messages
+
+	* configure.in (AC_PROG_AWK): disable. mawk seems to mishandle \#
+ 	in lib/roken/roken.awk
+
+1999-07-22
+
+	* acconfig.h (SunOS): remove definition
+
+	* configure.in: define SunOS to xy for SunOS x.y
+
+1999-07-19
+
+	* configure.in (AC_BROKEN): check for copyhostent, freehostent,
+ 	getipnodebyname, getipnodebyaddr
+
+1999-07-13
+
+	* configure.in: use AC_FUNC_GETLOGIN
+
+1999-07-07
+
+	* kadmin/admin_server.c (main): call krb_get_lrealm correctly
+
+	* appl/bsd/rlogind.c (lowtmp): fill in ut_id
+
+1999-07-06
+
+	* include/bits.c: move around __attribute__ to make it work with
+ 	old gcc
+
+	* appl/bsd/rcp.c (rsource): remove trailing slashes which
+ 	otherwise makes us fail
+
+1999-07-04
+
+	* appl/afsutil/aklog.c (epxand_cell_name): terminate on #
+
+	* lib/kadm/kadm_cli_wrap.c (kadm_cli_send): free the right memory
+ 	(none) when kadm_cli_out fails.  based on a patch by Buck Huppmann
+ 	<Charles-Huppmann@UIowa.edu>
+
+1999-06-24
+
+	* configure.in: check for sgi capability stuff
+
+	* appl/bsd/login.c: add some kind of sgi capability capability
+
+1999-06-23
+
+	* acconfig.h (HAVE_KRB_DISABLE_DEBUG): always define.  this makes
+ 	the telnet code easier when building heimdal with an older krb4
+
+	* lib/krb/kuserok.c (krb_kuserok): add support for multiple local
+ 	realms and de-support entries without realm in ~/.klogin
+
+1999-06-19
+
+	* lib/krb/send_to_kdc.c: and a new variable `timeout' in krb.extra
+ 	instead of always having a timeout of four seconds.  based on a
+ 	patch by Mattias Amnefelt <mattiasa@stacken.kth.se>
+
+1999-06-17
+
+	* appl/bsd/rshd.c: use DES_RW_MAXWRITE instead of BUFSIZ (for
+ 	consistency)
+
+	* appl/bsd/rsh.c: use DES_RW_MAXWRITE instead of BUFSIZ.
+  	Otherwise, des_enc_read might be buffering data to us and it can
+ 	get returned on a des_enc_read to another fd that the original one
+ 	:-(
+
+	* appl/bsd/bsd_locl.h: DES_RW_{MAXWRITE,BSIZE}
+
+	* appl/bsd/encrypt.c: move MAXWRITE and BSIZE to bsd_locl.h and
+ 	rename them to DES_RW_\1
+
+1999-06-16
+
+	* kuser/kdestroy.c: make unlog and tickets function correctly
+
+	* configure.in: correct variables used for socks includes and libs
+
+
+	* lib/krb/{debug_decl.c,krb-protos.h}: add krb_disable_debug
+
+1999-06-15
+
+	* kuser/klist.c (display_tokens): type correctness
+
+	* lib/krb/send_to_kdc.c (url_parse): always return the port in
+ 	network byte order (and be more careful when parsing the port
+ 	number)
+
+	* lib/krb/send_to_kdc.c (http_recv): handle both HTTP/1.0 and
+ 	HTTP/1.1 in reply
+
+1999-06-06
+
+	* configure.in: use KRB_CHECK_X
+	
+	* kuser/kdestroy.c: use print_version
+	
+Wed Jun 2 1999
+
+	* kadmin/kadmin.c: use print_version; (mod_entry): add command
+	line options
+	
+1999-05-21
+
+	* appl/bsd/login.c: limit more stuff for crays; fix call to
+	login_access
+
+1999-05-19
+
+	* man/Makefile.in (install, uninstall): handle relative paths (fix
+ 	editline)
+
+1999-05-18
+
+	* appl/bsd/bsd_locl.h: update prototype for login_access; declare
+	`struct aud_rec' to keep AIX xlc happy
+
+1999-05-14
+
+	* appl/bsd/login_access.c: merge in more recent code
+
+	* configure.in (CHECK_NETINET_IP_AND_TCP): use
+
+1999-05-10
+
+	* lib/krb/get_host.c (parse_address): remove trailing slash
+	
+	* lib/krb/send_to_kdc.c (prog): nuke
+	(send_to_kdc): restructure.  make sure we have used all of the
+	addresses from gethostbyname before calling send_recv
+	(send_recv): removed unused parameters
+	(url_parse): remove trailing slash
+	(http_recv): make sure the http transaction was succesful
+
+1999-05-08
+
+	* configure.in: use the correct include files for the utmp tests
+
+	* appl/movemail/pop.c: rename getline -> pop_getline removed
+ 	duplicate prototypes
+
+	* configure.in: db.h: test for
+	(getmsg): check for existence before checking if it works (otherwise
+	it fails with glibc2.1 that implements an always failing getmsg)
+
+	* acconfig.h (_GNU_SOURCE): define this to enable (used)
+ 	extensions on glibc-based systems such as linux
+
+	* configure.in: test for strndup
+
+1999-04-21
+
+	* configure.in: replace AC_TEST_PACKAGE with AC_TEST_PACKAGE_NEW
+ 	fix test for readline.h add test for four argument el_init
+ 	remember to link with $LIB_tgetent when trying linking with
+ 	readline
+
+1999-04-16
+
+	* configure.in: check for prototype of strsep
+
+Sat Apr 10 1999
+
+	* configure.in: fix readline logic
+
+Fri Apr 9 1999
+
+	* man/Makefile.in: add editline and push.  make install rules
+ 	handle paths
+
+Wed Apr 7 1999
+
+	* appl/movemail/Makefile.in: fix names of hesiod variables
+
+	* configure.in: fix readline flags
+
+Mon Mar 29 1999
+
+	* appl/bsd/utmpx_login.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+	* appl/bsd/utmp_login.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+	* appl/bsd/rlogind.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+	* configure.in: include <sys/types.h> in test for ut_*; use
+ 	AC_CHECK_XAU
+
+	* configure.in: utmp{,x} -> struct utmp{,x}
+
+Sat Mar 27 1999
+
+	* configure.in: AC_CHECK_OSFC2
+
+Fri Mar 19 1999
+
+	* configure.in: use AC_SHARED_LIBS
+
+	* configure.in: remove AIX install hack (fixed in autoconf 2.13)
+
+
+	* server/kerberos.c: fix some printf format strings
+
+Wed Mar 17 1999
+
+	* lib/krb/krb.h (KRB_VERIFY_NOT_SECURE): add for completeness
+
+	* lib/auth/sia/sia.c (common_auth): use KRB_VERIFY_SECURE instead
+ 	of 1
+
+	* lib/auth/pam/pam.c (doit): use KRB_VERIFY_SECURE instead of 1
+
+	* lib/auth/afskauthlib/verify.c (afs_verify): use
+ 	KRB_VERIFY_SECURE instead of 1
+
+Tue Mar 16 1999
+
+	* lib/krb/verify_user.c (krb_verify_user): handle multiple local
+ 	realms
+	(krb_verify_user_multiple): remove
+
+	* lib/krb/krb-protos.h (krb_verify_user_multiple): remove
+
+	* lib/auth/pam/pam.c: krb_verify_user_multiple -> krb_verify_user
+
+	* lib/auth/sia/sia.c: krb_verify_user_multiple -> krb_verify_user
+
+	* lib/auth/afskauthlib/verify.c: krb_verify_user_multiple ->
+ 	krb_verify_user
+
+
+	* lib/krb/getaddrs.c: SOCKADDR_HAS_SA_LEN ->
+ 	HAVE_STRUCT_SOCKADDR_SA_LEN
+
+Sat Mar 13 1999
+
+	* lib/kadm/check_password.c (kadm_check_pw): cast when calling is*
+ 	to get rid of a warning
+
+	* lib/acl/acl_files.c (nuke_whitespace): cast when calling is* to
+ 	get rid of a warning
+
+	* kadmin/ksrvutil.c (usage): update. improve error messages
+	
+	* appl/bsd/sysv_default.c (trim): cast when calling is* to get rid
+ 	of a warning
+
+	* appl/bsd/rshd.c (doit): more parenthesis to make gcc happy
+
+	* appl/bsd/rsh.c: add `-p'
+
+	* appl/bsd/rlogin.c (main): more paranoid parsing of `-p'
+
+	* appl/bsd/rcp.c (sink): cast when calling is* to get rid of a
+ 	warning
+
+	* appl/bsd/login_access.c (login_access): cast when calling
+ 	isspace to get rid of a warning
+
+	* include/bits.c (my_strupr): rename to strupr and ifdef
+	(try_signed, try_unsigned): add __attribute__ junk to get rid of two
+	warnings
+
+	* appl/bsd/Makefile.in (SOURCES): add osfc2.c
+
+	* admin/kdb_util.c (update_ok_file): add fallback utimes (some
+ 	systems seem to fail updating the timestamp with open(), close())
+
+	* server/kerberos.c (main): more paranoid parsing of `-a' and `-p'
+
+Thu Mar 11 1999
+
+	* configure.in: AC_BROKEN innetgr
+
+	* lib/krb/send_to_kdc.c: fix types in format string
+
+	* lib/krb/get_host.c: add some if-braces to keep gcc happy
+
+	* lib/kadm/kadm_supp.c: fix types in format string
+
+	* lib/auth/sia/Makefile.in: WFLAGS
+
+	* include/bits.c: fix types in format string
+
+	* appl/bsd/su.c: add some if-braces to keep gcc happy
+
+	* appl/bsd/rlogind.c: add some if-braces to keep gcc happy
+
+	* appl/bsd/rlogin.c: add some if-braces to keep gcc happy
+
+	* appl/bsd/login.c: add some if-braces to keep gcc happy
+
+	* appl/afsutil/pagsh.c: fix types in format string
+
+Wed Mar 10 1999
+
+	* server/kerberos.c: remove unused k_instance
+
+	* lib/krb/krb-protos.h (read_service_key): add some consts to
+ 	prototype
+
+	* lib/krb/read_service_key.c (read_service_key): add some consts
+ 	to prototype
+
+	* appl/sample/sample_server.c: openlog -> roken_openlog
+
+	* appl/kip/kipd.c: openlog -> roken_openlog
+
+	* configure.in: use AC_WFLAGS
+
+Mon Mar 1 1999
+
+	* acinclude.m4: add
+
+	* configure.in: typo
+
+	* Makefile.in: use aclocal
+
+	* Makefile.export: use aclocal
+
+	* configure.in: update to autoconf 2.13
+
+	* aclocal.m4.in: have-struct-field.m4, check-type-extra.m4
+
+	* acconfig.h: update to autoconf 2.13
+
+	* lib/auth/sia/sia.c: SIAENTITY_HAS_OUID -> HAVE_SIAENTITY_OUID
+
+Tue Feb 23 1999
+
+	* configure.in: don't include afsl.exp in libkafs.a if building
+ 	with dynamic afs support (breaks egcs 1.1.1)
+
+	* configure.in: don't build rxkad if not building afs-support
+
+Mon Feb 22 1999
+
+	* include/Makefile.in: clean up handling of missing system headers
+
+	* configure.in: clean up handling of missing system headers
+
+	* aclocal.m4.in: broken-snprintf.m4 broken-glob.m4
+
+	* acconfig.h: NEED_{SNPRINTF,GLOB}_PROTO
+
+Mon Feb 15 1999
+
+	* configure.in (gethostname, mkstemp): test for prototype
+
+	* configure.in: homogenize broken detection with heimdal
+
+Thu Feb 11 1999
+
+	* lib/krb/verify_user.c: If secure == KRB_VERIFY_SECURE_FAIL,
+ 	return ok if there isn't any service key (or if it can't be read).
+
+	* lib/krb/krb.h: KRB_VERIFY_SECURE, KRB_VERIFY_SECURE_FAIL
+
+Wed Jan 13 1999
+
+	* kadmin/kadmin.c (add_new_key): enable the `-p password' option
+ 	and add the missing code.
+
+	* appl/bsd/login_fbtab.c (login_protect): remove `/*' from string
+ 	before reading the directory.  From "Brandon S. Allbery"
+ 	<allbery@ece.cmu.edu>
+
+Fri Dec 18 1998
+
+	* man/kadmin.8 (-t): add a note about using `kinit -p'
+
+Mon Dec 14 1998
+
+	* lib/krb/name2name.c (krb_name_to_name): really verify we have an
+ 	alias before trying to use it as the primary name.
+
+Fri Nov 27 1998
+
+	* lib/krb/send_to_kdc.c (url_parse): use correct length when
+ 	copying the hostname
+
+Sun Nov 22 1998
+
+	* configure.in, acconfig.h: NEED_HSTRERROR_PROTO
+
+
+	* configure.in: use AC_KRB_STRUCT_SPWD
+
+	* slave/Makefile.in (WFLAGS): set
+
+	* server/Makefile.in (WFLAGS): set
+
+	* lib/krb/send_to_kdc.c (send_recv): add `int'
+
+	* lib/krb/decomp_ticket.c (decomp_ticket): if the realm is empty,
+ 	use the local realm.
+
+	* lib/krb/Makefile.in (WFLAGS): set
+
+	* lib/kdb/krb_lib.c (kerb_get_principal): correct test
+	(kerb_put_principal): remove unused variable
+
+	* lib/kdb/Makefile.in (WFLAGS): set
+
+	* lib/auth/pam/Makefile.in (WFLAGS): set
+
+	* lib/auth/afskauthlib/Makefile.in (WFLAGS): set
+
+	* lib/acl/Makefile.in (WFLAGS): set
+
+	* kuser/Makefile.in (WFLAGS): set
+
+	* kadmin/Makefile.in (WFLAGS): set
+
+	* include/Makefile.in (WFLAGS): set
+
+	* appl/sample/sample_client.c (main): remove unused variable
+
+	* appl/sample/Makefile.in (WFLAGS): set
+
+	* appl/movemail/Makefile.in (WFLAGS): set
+
+	* appl/kip/Makefile.in (WFLAGS): set
+
+	* appl/bsd/Makefile.in (WFLAGS): set
+
+	* appl/afsutil/pagsh.c (main): fall back to running /bin/sh if
+ 	execvp fails.
+
+	* appl/afsutil/Makefile.in (WFLAGS): set
+
+	* admin/kdb_edit.c (change_principal): remove unused variable
+
+	* admin/Makefile.in (WFLAGS): set
+
+	* configure.in: check for crypt, environ and struct spwd
+
+Thu Nov 19 1998
+
+	* appl/movemail/Makefile.in: link and include hesiod
+
+	* configure.in: test for hesiod
+
+Wed Nov 18 1998
+
+	* kadmin/kadm_locl.h: include <arpa/inet.h>
+
+	* configure.in (freebsd3): seems to like symbolic links for the
+ 	shared libraries
+
+1998-11-07
+
+	* Makefile.export (ChangeLOG): handle emacs20-style changelog
+	entries
+
+	* lib/kdb/krb_dbm.c (kerb_db_get_principal, kerb_db_iterate):
+	check return value from `dbm_open'
+
+Fri Oct 23 1998
+
+	* lib/kadm/kadm.h: enable new extended kadmin fields by default
+
+Thu Oct 22 1998
+
+	* lib/krb/get_host.c (read_file): add more kinds of whitespace
+
+	* lib/krb/lsb_addr_comp.c: fix(?) calculations regrding
+ 	`firewall_address'
+
+	* kadmin/kadmin.c: change timeout to 5 minutes, (sigarlm): only
+ 	print message if any tickets were actually destroyed, (main): less
+ 	noise, (add_new_key): some cleanup, (del_entry): allow more than
+ 	one principal on command line, (get_entry): set more flags
+
+	* lib/kadm/kadm.h: add code to get modification date, modifier and
+ 	key version number
+
+	* lib/kadm/kadm_supp.c: add code to get modification date,
+ 	modifier and key version number
+
+	* lib/kadm/kadm_stream.c: add code to get modification date,
+ 	modifier and key version number
+
+Tue Oct 13 1998
+
+	* lib/kadm/Makefile.in: ROKEN_RENAME
+
+	* lib/krb/roken_rename.h: add strnlen
+
+	* lib/krb/Makefile.in: add strnlen
+
+Sat Oct 3 1998
+
+	* doc/install.texi: add comment about afskauthlib being in the
+ 	correct object format
+
+Thu Oct 1 1998
+
+	* kadmin/kadmin.c (change_admin_password): add `alarm(0)' to
+ 	prevent it from timing out
+
+
+	* lib/krb/time.c (krb_kdctimeofday): set `tv'.  fix from Thomas
+ 	Nyström <thn@stacken.kth.se>
+
+Mon Sep 28 1998
+
+	* appl/bsd/osfc2.c: lots of C2 magic
+
+	* appl/bsd/{rshd,rcp_util,rcp}.c: do C2 stuff
+
+	* appl/bsd/login.c: move C2 stuff to osfc2.c
+
+	* appl/bsd/login.c: call `set_auth_parameters' if OSFC2
+
+Sun Sep 27 1998
+
+	* appl/bsd/login.c: add some code to call setluid
+
+Sat Sep 26 1998
+
+	* appl/sample/sample_client.c (main): correct test
+
+Sat Sep 12 1998
+
+	* configure.in (XauReadAuth): reverse test and check for -lX11
+ 	before -lXau, otherwise the test fails on Irix 6.5
+
+Sun Sep 6 1998
+
+	* lib/krb/krb-protos.h: fix prototypes for krb_net_{read,write}
+
+	* lib/krb/krb_net_{read,write}.c: new files
+
+	* lib/krb/Makefile.in: add krb_net_{read,write}
+
+Fri Sep 4 1998
+
+	* lib/auth/sia/sia.c (siad_ses_launch, siad_ses_reauthent): use
+ 	krb_afslog_home
+
+	* lib/auth/pam/pam.c (pam_sm_open_session): use krb_afslog_home
+
+	* lib/auth/afskauthlib/verify.c (afs_verify): use
+ 	krb_afslog_uid_home
+
+Sun Aug 30 1998
+
+	* lib/krb/get_host.c: patch from Derrick J Brashear
+ 	<shadow@dementia.org> for doing less DNS lookups
+
+Sun Aug 23 1998
+
+	* lib/krb/ticket_memory.c (tf_save_cred): use memcpy to copy the
+ 	session key.
+
+Tue Aug 18 1998
+
+	* kadmin/kadmin.c (change_password): add `--random'.  From Love
+ 	Hörnquist-Åstrand <lha@elixir.e.kth.se>
+
+Thu Aug 13 1998
+
+	* lib/kclient/KClient.c (KClientErrorText): copy the string.
+  	Patch from Daniel Staaf <d96-dst@nada.kth.se>
+
+Tue Jul 28 1998
+
+	* appl/bsd/rsh.c (main): make sure not to send `-K' before the
+ 	hostname when re-execing
+
+	* appl/bsd/su.c: openlog LOG_AUTH
+
+Fri Jul 24 1998
+
+	* lib/krb/create_ciph.c: typo: s/tmp/rem/
+
+Wed Jul 22 1998
+
+	* lib/krb/send_to_kdc.c (send_recv): return FALSE if recv failed
+ 	so that we try the next server
+
+	* configure.in (*-*-sunos): no lib_deps
+
+	* include/protos.H (utime): update prototype
+
+Thu Jul 16 1998
+
+	* acconfig.h (DBDIR, MATCH_SUBDOMAINS): added
+
+	* configure.in (--enable-match-subdomains): added
+	(--with-db-dir): added
+
+	* lib/krb/getrealm.c (file_find_realm): fix MATCH_SUBDOMAINS code.
+  	Patch originally from R Lindsay Todd <toddr@rpi.edu>
+
+	* lib/krb/dllmain.c: clean-up patch from <d96-dst@nada.kth.se>
+
+	* appl/krbmanager: patches from <d96-dst>
+
+Mon Jul 13 1998
+
+	* appl/sample/sample_client.c (main): don't advance
+ 	hostent->h_addr_list, use a copy instead
+
+	* appl/bsd/kcmd.c (kcmd): don't advance hostent->h_addr_list, use
+ 	a copy instead
+
+Fri Jul 10 1998
+
+	* lib/krb/net{read,write}.c: removed
+
+	* lib/krb/Makefile.in: grab net_{read,write}.c from roken
+
+	* lib/krb/roken_rename.h: add krb_net_{write,read}
+
+	* lib/krb/create_ciph.c (create_ciph): return KFAILURE instead of
+ 	NULL
+
+	* lib/kadm/kadm_cli_wrap.c (kadm_get): return KADM_NOMEM, not NULL
+
+Wed Jul 8 1998
+
+	* server/kerberos.c (make_sockets): strdup the port specification
+ 	before strtok_r:ing it
+
+	* lib/krb/extra.c (define_variable): return 0
+
+	* kuser/klist.c (display_tktfile): only print time diff and
+ 	newline if using the longform
+
+Tue Jun 30 1998
+
+	* lib/krb/send_to_kdc.c (send_to_kdc): be careful in not advancing
+ 	the h_addr_list pointer in the hostent structure
+
+	* lib/krb/time.c (krb_kdctimeofday): handle the case of `time_t'
+ 	and the type of `tv_sec' being different.  patch originally from
+ 	<art@stacken.kth.se>
+
+	* man/afslog.1: add refs to kafs and kauth
+
+	* man/kauth.1: add refs to kafs
+
+	* lib/krb/krb_get_in_tkt.c (krb_mk_as_req): remove old code laying
+ 	around.
+
+	* lib/krb/Makefile.in: add strcat_truncate.c
+
+	* lib/auth/sia/krb4+c2_matrix.conf: fix broken lines and typos
+
+	* kuser/klist.c (display_tokens): print expired for expired tokens
+
+Sat Jun 13 1998
+
+	* kadmin/kadm_ser_wrap.c (kadm_ser_init): new argument `addr'
+
+	* kadmin/admin_server.c: new argument `-i' for listening on a
+ 	single address
+
+Mon Jun 8 1998
+
+	*  Release 0.9.9
+
+Wed Jun 3 1998
+
+	* lib/krb/extra.c: implement read_extra_file() for Win32
+
+Fri May 29 1998
+
+	* configure.in: removed duplicate crypt
+
+	* lib/kdb/Makefile.in (roken_rename.h): remove dependency
+
+	* lib/acl/Makefile.in (roken_rename.h): remove dependency
+
+	* lib/krb/roken_rename.h: remove duplicate flock
+
+	* appl/afsutil/aklog.c (createuser): fclose the file
+
+Wed May 27 1998
+
+	* lib/krb/Makefile.in (extra.c): add
+
+	* slave/kpropd.c: k_flock -> flock
+
+	* slave/kprop.c: k_flock -> flock
+
+	* lib/krb/tf_util.c: k_flock -> flock
+
+	* lib/krb/roken_rename.h: add base64* and flock
+
+	* lib/krb/kntoln.c: k_flock -> flock
+
+	* lib/kdb/krb_dbm.c: k_flock -> flock
+
+	* lib/kdb/Makefile.in: use ROKEN_RENAME to get hold of renames
+ 	symbols
+
+Tue May 26 1998
+
+	* lib/krb/extra.c: add read flag, so we don't have to look for
+ 	non-existant files several times
+
+	* lib/krb/send_to_kdc.c: use krb_get_config_string()
+
+	* lib/krb/lsb_addr_comp.c: use krb_get_config_bool()
+
+	* lib/krb/krb_get_in_tkt.c: use krb_get_config_bool()
+
+	* lib/krb/extra.c: parse and use krb.extra file for special
+ 	configurations, to lessen the number of environment variables used
+
+	* lib/krb/getfile.c: cleanup and add `krb_get_krbextra'
+
+	* lib/krb/debug_decl.c: add krb_enable_debug
+
+	* lib/krb/lsb_addr_comp.c (lsb_time): if KRB_REVERSE_DIRECTION is
+ 	set, negate time (fix for some firewalls)
+
+Mon May 25 1998
+
+	* lib/krb/Makefile.in (clean): try to remove shared library debris
+	(LIBDES and LIB_DEPS): try to figure out dependencies
+
+	* lib/kdb/Makefile.in (clean): try to remove shared library debris
+
+	* lib/kadm/Makefile.in (clean): try to remove shared library
+ 	debris
+
+	* configure.in: make symlink magic work with libsl
+
+Mon May 18 1998
+
+	* appl/bsd/login.c: Hack for AIX 4.3.
+
+Thu May 14 1998
+
+	* configure.in: mips-api support.  From Derrick J Brashear
+ 	<shadow@dementia.org>
+
+	* configure.in: --enable-legacy-kdestroy: added.  From Derrick J
+ 	Brashear <shadow@dementia.org>
+
+	* kuser/kdestroy.c: LEGACY_KDESTROY: add
+
+Wed May 13 1998
+
+	* lib/krb/krb.h (const, signed): define when compiling with
+ 	non-ANSI comilers.  From Derrick J Brashear <shadow@dementia.org>
+
+Mon May 11 1998
+
+	* kadmin/admin_server.c: Fix reallocation bug.
+
+Fri May 1 1998
+
+	* configure.in: don't test for winsock.h
+
+	* slave/kprop.c: unifdef -DHAVE_H_ERRNO
+
+	* appl/sample/sample_client.c: unifdef -DHAVE_H_ERRNO
+
+	* appl/movemail/pop.c: unifdef -DHAVE_H_ERRNO
+
+	* appl/kip/kip.c: unifdef -DHAVE_H_ERRNO
+
+Mon Apr 27 1998
+
+	* appl/ftp/ftpd/krb4.c (krb4_adat): applied patch from Love
+ 	<lha@elixir.e.kth.se> for checking address in krb_rd_req
+
+Sun Apr 26 1998
+
+	* appl/Makefile.in (SUBDIRS): add push
+
+Sun Apr 19 1998
+
+	* configure.in: fix for the symlink magic. From Gregory S. Stark
+ 	<gsstark@mit.edu>
+
+	* doc/Makefile.in (install): ignore failures from install-info.
+
+	* lib/krb/Makefile.in (install): don't install include files with
+ 	x bit
+
+	* lib/kadm/Makefile.in (install): don't install include files with
+ 	x bit
+
+	* man/Makefile.in: don't install getusershell
+
+	* lib/krb/Makefile.in: add symlink magic for linux.
+	only link in com_err.o and error.o if building shared
+
+	* lib/kdb/Makefile.in: add symlink magic for linux
+
+	* lib/kadm/Makefile.in: add symlink magic for linux
+
+	* configure.in: add symlink magic for Linux
+
+	* appl/kx/common.c (connect_local_xsocket): update to try the list
+ 	of potential socket pathnames
+
+Tue Apr 7 1998
+
+	* lib/krb/getaddrs.c: Don't bail out if various ioctl's fail.
+
+
+	* doc/Makefile.in (kth-krb.info): use `--no-split'
+
+Mon Apr 6 1998
+
+	* configure.in: add --disable-cat-manpages
+
+	* configure.in: call the shared libraries so.0.9.9 on linux
+
+Sat Apr 4 1998
+
+	* lib/Makefile.in (SUBDIRS): changed order so that editline is
+ 	built before sl
+
+	* lib/*/Makefile.in: shared library dependency information
+
+	* doc/Makefile.in (clean): remove *.info*
+
+	* merge in win32 changes from <flag@astrogator.se> and
+ 	<jfa@pobox.se>
+
+	* Makefile.export: aux -> cf
+
+	* Makefile.in: aux -> cf
+
+	* appl/voodoo/TelnetEngine.cpp (TelnetEngine::Connect): check the
+ 	return from `gethostbyname'
+
+	* appl/bsd/bsd_locl.h: Check for <io.h> and conditionalize
+ 	prepare_utmp.  From <d96-mst@nada.kth.se>
+
+	* acconfig.h (__EMX__): define MAIL_USE_SYSTEM_LOCK.  From
+ 	<d96-mst@nada.kth.se>
+
+	* include/bits.c: renamed `strupr' to `my_strupr' not to conflict
+ 	with any exiting strupr.
+
+Sat Mar 28 1998
+
+	* Makefile.in (install): use DESTDIR
+
+	* include/Makefile.in (install): depend on all
+
+	* man/Makefile.in (install, uninstall): use transform correctly
+
+Fri Mar 27 1998
+
+	* configure.in: don't look for dbopen.  From Derrick J Brashear
+ 	<shadow@dementia.org>
+	(termcap.h): check for
+
+	* lib/krb/Makefile.in: fix for LD options on solaris.  From
+ 	Derrick J Brashear <shadow@dementia.org>
+
+Thu Mar 19 1998
+
+	* appl/kx/common.c: Trying binding sockets in the special
+	directories for some versions of Solaris and HP-UX
+
+
+	* lib/krb/kdc_reply.c: Check for error code of zero in error
+ 	packet from KDC.
+
+Wed Mar 18 1998
+
+	* appl/kx/common.c (get_xsockets): try getting sockets in lots of
+ 	places
+	
+	* appl/kauth/kauth.c: return error code from child (plus shell
+ 	magic)
+
+
+	* lib/krb/getrealm.c (krb_realmofhost), lib/krb/get_krbrlm.c
+ 	(krb_get_lrealm, krb_get_default_realm): When figuring out a
+ 	default local realm name avoid going into infinite loops.
+
+Sun Mar 15 1998
+
+	* configure.in: test for <term.h> and search for `tgetent' in
+	ncurses.  From Gregory S. Stark <gsstark@mit.edu>
+
+	* **/Makefile.in: add DESTDIR support and .PHONY
+
+Sat Mar 7 1998
+
+	* kadmin/ksrvutil.c: Remove kvno zero restriction.
+
+	* configure.in: Add option `--disable-dynamic-afs' do disable AIX
+ 	dynamic loading of afs syscall library. This should hopefully also
+ 	work with AIX 3.
+
+	* kadmin/ksrvutil.c: Add `delete' function (from Chris Chiappa
+ 	<griffon+@cmu.edu>).
+
+Thu Feb 26 1998
+
+	* kadmin/kadmin.c (do_init): fix check of return value from
+ 	krb_get_default_principal
+
+	* lib/kadm/kadm_stream.c (stv_string): use correct offset
+
+Sat Feb 21 1998
+
+	* include/Makefile.in: add parse_time.h
+
+	* lib/krb/solaris_compat.c: new file with alternative entry points
+	compatible with solaris's libkrb.
+
+Thu Feb 19 1998
+
+	* lib/krb/time.c: Various time related functions.
+
+Tue Feb 17 1998
+
+	* lib/krb/send_to_kdc.c: Add some more connection debug traces.
+
+Sun Feb 15 1998
+
+	* lib/krb/get_host.c (init_hosts): call k_getportbyname with proto
+ 	== "udp" instead of NULL.  NULL would be the right thing, but some
+ 	libraries are not happy with that.
+
+	* appl/bsd/rcp.c: renamed `{local,foreign}' to \1_addr to avoid
+ 	conflicts with system header files on mklinux.
+
+
+	* lib/kadm/Makefile.in: Fix rules for kadm_err.[ch].
+
+	* lib/krb/krb_err.et: Fix for changes to compile_et.
+
+	* lib/com_err/{error.c,com_err.h,com_right.h}: Rename error.h to
+ 	com_right.h.
+
+	* lib/com_err/{compile_et.c,compile_et.h,lex.l,parse.y}: Switch
+ 	back to a yacc-based compile_et.
+
+Tue Feb 10 1998
+
+	* appl/kx/kxd.c (doit): fix stupid mistake when marshalling
+
+	* lib/krb/Makefile.in: add strcpy_truncate
+
+Sun Feb 8 1998
+
+	* lib/krb/netwrite.c (krb_net_write): restart if errno == EINTR
+
+	* lib/krb/netread.c (krb_net_read): restart if errno == EINTR
+
+	* appl/kx/rxterm.in: redirect std{in,out,err} of xterm to make
+ 	sure rshd does not hang.
+
+Sat Feb 7 1998
+
+	* lib/acl/acl_files.c (acl_canonicalize_principal): use
+ 	krb_parse_name
+
+
+	* lib/krb/rw.c: add a parameter containting maximum size.  Change
+	all callers.
+
+	* lots-of-files: replace {REALM_SZ, *_SZ, MaxPathLen,
+ 	MaxHostNameLen} + 1 with \1
+
+	* appl/bsd/rlogind.c (cleanup): logout -> rlogind_logout
+
+	* lib/acl/acl_files.c (acl_canonicalize_principal): use
+ 	strcpy_truncate
+
+	* include/Makefile.in: fnmatch.h
+
+	* appl/ftp/ftpd/ftpd.c: <fnmatch.h>
+
+	* lib/kadm/kadm_stream.c (stv_string): don't use strncpy
+
+	* lib/auth/sia/sia.c (siad_ses_suauthent): do ugly magic to make
+ 	sure `entity->name' is long enough.
+
+	* appl/ftp/ftpd/ftpcmd.y: HASSETPROCTITLE -> HAVE_SETPROCTITLE
+
+	* appl/bsd/rlogind.c (logout): renamed to rlogind_logout to avoid
+ 	conflict with logout() in libutil.
+	(doit): use forkpty_truncate it there's one
+
+	* appl/afsutil/kstring2key.c (krb5_string_to_key): don't use
+ 	strcat
+
+	* configure.in: add lots of functions and headers that were used
+ 	in the code but not tested for.
+
+	* lib/krb/send_to_kdc.c (url_parse): re-structured
+
+	* kadmin/kadm_locl.h: add prototype for random_password and remove
+ 	__P
+
+	* appl/bsd/forkpty.c (forkpty_truncate): new function.
+	use strcpy_truncate instead of strcpy
+
+	* appl/bsd/bsd_locl.h: include <libutil.h>.
+	prototype for forkpty_truncate()
+
+	* configure.in: test for <libutil.h>
+
+Fri Feb 6 1998
+
+	* kadmin/random_password.c: Random password generation.
+
+	* kadmin/kadmin.c: Add some functionality to add_new_key, to make
+ 	it more useful with batch creation.
+
+Wed Feb 4 1998
+
+	* appl/bsd/login.c (find_in_etc_securetty): new function
+	(rootterm): call `find_in_etc_securetty'
+
+	* appl/bsd/pathnames.h (_PATH_ETC_SECURETTY): add
+
+Tue Feb 3 1998
+
+	* kadmin/kadmin.c: Fix `-t' flag. Centralize the calling of
+ 	alarm() to a modified sl_loop().
+
+	* kadmin/kadmin.c: Add support for `batch' processing, taking a
+ 	command from the command line. Remove the automatic destruction of
+ 	tickets, instead add a timeout (initially set to 1 minute), after
+ 	which any tickets will be destroyed. Option `-m' now sets this
+ 	timeout to 0 (disabling timeout). Options `-p' takes a full
+ 	principal, and `-u' takes a `username' that is used as the name of
+ 	the admin principal to use.
+
+Sat Jan 31 1998
+
+	* lib/auth/sia/sia.c: Chown ticket file when doing reauth.
+
+Thu Jan 29 1998
+
+	* lib/auth/sia/sia.c: Add support for reauthentication.
+
+Mon Jan 26 1998
+
+	* appl/kauth/kauth.c (main): Add debug switch -d to kauth to aid
+ 	in finding miss-configurations.
+
+Mon Jan 19 1998
+
+	* lib/krb/name2name.c: If inet_addr thinks host's a valid
+ 	ip-address, assume it is, and don't call gethostbyname().  This
+ 	should fix things like `rsh 1.2.3.4'.
+
+Sat Jan 17 1998
+
+	* lib/krb/get_host.c: Check for http-srv records.
+
+	* lib/krb/get_host.c: Don't use getprotobyname. Check for `http'
+ 	as well as `udp' and `tcp'.
+
+	* lib/auth/sia/sia.c: Add password changing support.
+
+	* kadmin/new_pwd.c: Use kadm_check_pw.
+
+	* lib/kadm/check_password.c: Password quality check, moved from
+ 	kpasswd.c.
+
+Fri Jan 16 1998
+
+	* kadmin/ksrvutil_get.c: Add `-u' flag to put each key in a
+ 	separate file.
+
+Mon Jan 12 1998
+
+	* kadmin/admin_server.c: Fix broken realloc of pidarray.
+
+Fri Jan 9 1998
+
+	* rename logwtmp -> ftpd_logwtmp not to conflict with libc.
+
+Sun Dec 21 1997
+
+	* lib/krb/verify_user.c (krb_verify_user): new argument `srvtab'.
+	Changed all callers.
+
+Sat Dec 13 1997
+
+	* lib/kdb/krb_dbm.c: check return value from dbm_store
+
+Thu Dec 11 1997
+
+	* lib/krb/k_flock.c (k_flock): Re-included an implementaion of
+ 	k_flock. Changed all library and core application source to use
+ 	k_flock.
+
+Tue Dec 9 1997
+
+	* appl/kx/kxd.c,common.c: more error testing from Love
+ 	Hörnquist-Åstrand <e96_lho@elixir.e.kth.se>
+	Use the correct number of X for mkstemp.
+
+
+	* Release 0.9.8
+
+	* Add `--disable-mmap' configure option, do disable all use of
+ 	mmap.
+
+	* Rename all k_afsklog to krb_afslog.
+
+Mon Dec 8 1997
+
+	* kuser/klist.c: Add a header for tokens.
+
+Fri Dec 5 1997
+
+	* lib/krb/krb.h: Moved prototypes to krb-protos.h, cruft to
+ 	krb-archaeology.h.
+
+Thu Dec 4 1997
+
+	* appl/kauth/kauth.c: Use krb_get_pw_in_tkt2.
+
+	* lib/krb/get_in_tkt.c: krb_get_pw_in_tkt2 that returns key.
+
+Sun Nov 30 1997
+
+	* configure.in: check for tgetent in libcurses
+
+Mon Nov 24 1997
+
+	* appl/krbmanager: incorporate patches from <d96-dst@nada.kth.se>
+	for making sure there's only one instance of krbmanager.
+
+Fri Nov 21 1997
+
+	* admin/ext_srvtab.c: use atexit() to stamp out secrets.
+
+Thu Nov 20 1997
+
+	* server/kerberos.c: Log funny HTTP requests.
+
+	* server/kerberos.c: Add comma to list of port separators for
+ 	`-P'.
+
+
+	* appl/voodoo/TelnetEngine.cpp (TelnetEngine::Connect): better
+ 	error message (from <d96-dst@nada.kth.se>)
+
+Wed Nov 12 1997
+
+	* kuser/klist.c (display_tokens): patch from <e96_lho@e.kth.se>
+
+Sun Nov 9 1997
+
+	* Release 0.9.7
+
+
+	* configure.in: test for ssize_t
+
+	* appl/bsd/rlogind.c: Fill in ut_type, and ut_exit if they exist.
+
+	* appl/kx/common.c (create_and_write_cookie): Create temp file
+ 	with mkstemp.
+
+
+	* appl/ftp/ftpd/ftpd.c: conditionalize otp
+
+	* appl/bsd/login.c: conditionalize otp
+
+	* configure.in: add --disable-otp.  update Makefile.in's
+
+	* configure.in: define CANONICAL_HOST
+	
+	* configure.in, aclocal.m4: remove <bind/bitypes.h>.  contains
+ 	bogus information on Crays.
+
+	* include/bits.c: stolen from Heimdal
+
+	* include/Makefile.in: replace ktypes.c with bits.c
+
+	* lib/krb/getaddrs.c (k_get_all_addrs): cray fix
+
+	* configure.in: updated header files
+
+
+	* slave/kpropd.c: Make sure it's the kprop service that tries to
+ 	send data.
+
+Fri Nov 7 1997
+
+	* configure.in: Added option --with-afsws=/usr/afsws.
+
+	* lib/Makefile.in: Build lib/rxkad if we have include file rx/rx.h
+
+Thu Nov 6 1997
+
+	* appl/ftp/ftp/ftp.c (sendrequest, recvrequest): do correct tests
+ 	for `-'
+
+	* appl/ftp/ftp/cmds.c (getit): removed stupid goto
+
+
+	* appl/kauth/kauth.c: Use krb_get_pw_in_tkt(), now that it is
+ 	fixed.
+
+	* appl/ftp/ftp/cmds.c: Don't retrieve files that start with `..'
+ 	or `/' without asking.  Reverse test in confirm() to check for `y'
+ 	rather than not `n'.  Use mkstemp.
+
+	* appl/ftp/ftp/ftp.c: Add extra parameter to recvrequest,
+ 	specifying if local filenames should be parsed as "-" and "|".
+
+Mon Nov 3 1997
+
+	* configure.in: updated broken list.  add fclose for proto check.
+
+	* kadmin/kadmin.c: updated functions to new style of sl
+
+	* appl/bsd/rcp.c, rlogin.c, rsh.c: setuid before doing kerberos
+ 	authentication.  if that fails, exec ourselves with -K
+
+	* appl/bsd/pathnames.h: add _PATH_RCP
+
+	* configure.in: test for readv, writev
+
+Fri Oct 24 1997
+
+	* lib/krb/tkt_string.c (krb_set_tkt_string): const-ized
+
+	* appl/ftp/ftp{,d}: new commands: kdestroy, krbtkfile and afslog.
+
+	* appl/afsutil/aklog.c (expand_cell_name): fix parsing of
+ 	CellServDB
+
+Sat Oct 11 1997
+
+	* appl/telnet/telnetd/sys_term.c (start_login): moved `user' so it
+ 	works even if !defined(HAVE_UTMPX_H)
+
+Fri Oct 10 1997
+
+	* lib/krb/send_to_kdc.c: Change send_recv* to use a lookup table
+ 	indexed by protocol.
+	
+	Implement http proxy use, enabled via `krb4_proxy' environment
+ 	variable.
+
+Thu Oct 9 1997
+
+	* lib/krb/getrealm.c: Don't lookup top-level domains. Try files
+ 	before doing DNS.
+
+Thu Oct 2 1997
+
+	* appl/krbmanager: Turned into a ticket management program.
+
+	* lib/krb/{dllmain,ticket_memory}.c: Add some KrbManager
+ 	interaction.
+
+Sat Sep 27 1997
+
+	* appl/voodoo: Major fixes of terminal emulation, and other
+	things.
+
+Fri Sep 26 1997
+
+	* server/kerberos.c: Cleanup socket-opening code. Add HTTP
+ 	support.
+
+	* lib/krb/send_to_kdc.c: Add Kerberos over HTTP.
+
+	* lib/krb/get_host.c: Parse URL-style host-specifications.
+
+
+	* include/win32: add `version.h' and `ktypes.h'
+
+	* lib/kclient/KClient.def: rename kclnt32 to make Eudora
+ 	happy. Add SendTicketForService
+
+	* lib/kclient/KClient.c: implement SendTicketForService.  Used by
+ 	Eudora.
+
+	* appl/voodoo/voodoo.mak: kclient renamed as kclnt32
+
+Thu Sep 25 1997
+
+	* Moved various base64 implementations to roken.
+
+Thu Sep 18 1997
+
+	* appl/telnet/telnetd/telnetd.c: Move the call to startslave()
+ 	into the telnet() loop. This way we'll maximise the chance that
+ 	the transmission is encrypted before starting login. This will
+ 	hopefully remove the irritating warning you would get with some
+ 	macintosh telnet clients.
+
+Wed Sep 17 1997
+
+	* appl/telnet/telnetd/sys_term.c: Fix for duplicate `-- user'.
+
+Tue Sep 9 1997
+
+	* server/kerberos.c: More detailed logging
+
+Fri Sep 5 1997
+
+	* lib/kafs/afssysdefs.h: HP-UX 10.20 seems to use 48
+
+Thu Sep 4 1997
+
+	* lib/des/Makefile.in: quote the test for $(CC) correctly
+
+Wed Sep 3 1997
+
+	* include/ktypes.c: Move __BIT_TYPES_DEFINED__ to after including
+ 	other stuff.
+
+
+	* lib/rxkad/rxk_locl.c (rxkad_calc_header_iv): Simplify header IV
+ 	calculation.
+
+	* lib/rxkad/osi_alloc.c (osi_Alloc): Memory allocation routines
+ 	for user space. There is no longer any need for conditional
+ 	compilation of user/kernel-space versions of librxkad.a.
+
+	* lib/rxkad/rxk_clnt.c (rxkad_NewClientSecurityObject): Use
+ 	Transarc FC-crypto to generate random numbers. We no longer need
+ 	to link a DES library into the kernel.
+
+Tue Sep 2 1997
+
+	* appl/ftp/ftpd/ftpd.c (pass): chown the ticket file is logging in
+ 	with clear-text passwords and using kerberos
+
+	* lib/krb/krb_log.h: new file
+
+	* lib/krb/krb.h: moved all logging functions to krb_log.h.
+  	Include krb_log.h in appropriate places.  From
+ 	<shadow@dementia.org>
+
+Mon Sep 1 1997
+
+	* appl/kx/kx.c: more intelligent check for passive mode new option
+ 	`-P' to force passive mode
+
+Sat Aug 23 1997
+
+	* lib/krb/krb_get_in_tkt.c: rename krb_as_req -> krb_mk_as_req
+
+Wed Aug 20 1997
+
+	* lib/rxkad/rxkad.h, rxk_serv.c (server_CheckResponse): Increase
+ 	limit of ticket lengths to 1024 at server end.
+
+	* lib/rxkad/rxk_clnt.c (rxkad_NewClientSecurityObject): Support
+ 	for almost arbitrary ticket lengths.
+
+Tue Aug 19 1997
+
+	* kadmin/ksrvutil_get.c: Make sure we're talking to the admin
+ 	server when getting ticket.
+
+	* lib/krb/send_to_kdc.c: Add flag to always use admin server.
+
+Sun Aug 17 1997
+
+	* appl/kx/rxtelnet.in: reverse the looking for xterm loops Use
+ 	`-n' and not `-name' to xterm
+	
+	* server/kerberos.c: implement `-i' for only listening on one
+ 	address
+
+	* lib/kadm/kadm_cli_wrap.c: Implement kadm_change_pw2 to be
+ 	compatible with CNS.  From <shadow@dementia.org>
+
+	* appl/ftp/ftpd/ftpd.c: removed bogus reset of `debug'
+
+	* appl/ftp/ftpd/extern.h: define NBBY if needed
+
+	* configure.in: os2 fixes: -Zcrtdll and check for chroot
+
+Wed Aug 13 1997
+
+	* lib/krb/get_in_tkt.c: Use new get_in_tkt functions, and
+ 	implement kerberos 5 salts.
+
+	* lib/krb/krb_get_in_tkt.c: Split krb_get_in_tkt in two functions
+ 	so it's possible to try several key-procs with just one request to
+ 	the KDC.
+
+Wed Jul 23 1997
+
+	* lib/rxkad/rxk_serv.c (decode_krb4_ticket): New functions
+ 	decode_xxx_ticket so that it is possible to also decode kerberos
+ 	version 5 tickets.
+
+Sat Jul 19 1997
+
+	* doc/Makefile.in: `test -f' is more portable than `test -e'
+
+Tue Jul 15 1997
+
+	* lib/kafs/kafs.h, lib/krb/krb.h: swap order of <sys/cdefs.h> and
+ 	<ktypes.h>.  Another fix form <shadow@dementia.org>
+
+Fri Jul 11 1997
+
+	* lib/krb/krb.h: non-ANSI fix from <shadow@dementia.org>
+
+Fri Jun 27 1997
+
+	* man/otp.1: `-o' option
+
+	* appl/otp/otp.c: List lock-time with `-l'.  New option `-o' to
+ 	open an locked entry.
+
+	* lib/otp/otp_db.c (otp_get_internal): Save lock_time in returned
+ 	struct.
+
+	* lib/otp/otp.h: New field `lock_time' in OtpContext
+
+Thu Jun 26 1997
+
+	* man/otp.1, man/otpprint.1: Update changed default to `md5'
+
+	* appl/bsd/rsh.c: Don't use a hard-coded constant in `select'
+
+	* configure.in, include/ktypes.c: Handle the case of there being
+ 	an old version of our `sys/bitypes.h'.
+
+Sun Jun 22 1997
+
+	* lib/des: Merge in changes from libdes 4.01. The optimizations
+ 	written in assembler are not used since they in general wont't
+ 	work with shared libraries.
+
+Fri Jun 20 1997
+
+	* lib/krb/netread.c, netwrite.c: Handle windows discrimation of
+	sockets.
+
+Sun Jun 15 1997
+
+	* appl/kpopper/pop_init.c: Use `STDIN_FILENO' and `STDOUT_FILENO'
+ 	instead of `sp'.  OSF's libc isn't quite prepared to have two
+ 	different FILEs refer to the same file descriptor.
+
+Thu Jun 12 1997
+
+	* doc/dir: Add dir template file.
+
+
+	* appl/kauth/kauth.c (main): AFS style positional argument for -n
+ 	option.
+
+	* appl/xnlock/xnlock.c (verify): New resource destroyTickets and
+ 	corresponding option -nodestroytickets. First try local
+ 	authentication and if it fails try kerberos.
+	
+Sun Jun 8 1997
+
+	* appl/ftp/ftpd/popen.c (ftpd_popen): Correct initialization of
+ 	`foo' before call to `strtok_r'
+
+Wed Jun 4 1997
+
+	* doc/*.texi: Use @url.
+
+	* doc/setup.texi: Added @ifinfo around @dircategory
+
+Tue Jun 3 1997
+
+	* Release 0.9.6
+
+	* appl/kx/rxtelnet.in, appl/kx/rxterm.in: new argument '-w
+ 	term_emulator' for specifiying which terminal emulator to use.
+  	Based on a patch from <arve@nada.kth.se>.
+
+Mon Jun 2 1997
+
+	* appl/xnlock/Makefile.in, appl/kx/Makefile.in,
+ 	lib/auth/Makefile.in: fix the Makefile to do the for loops the
+ 	automake way.
+
+Sun Jun 1 1997
+
+	* appl/xnlock/Makefile.in, appl/kx/Makefile.in: do install
+ 	correctly even if there are no programs to install
+
+	* configure.in: Check for `h_nerr'.
+
+	* lib/auth/pam/pam.c: Include <security/pam_appl.h> to make it
+ 	compile on Solaris 2.6
+
+	lib/sl/sl.c, lib/krb/realm_parse.c, appl/ftp/ftpd/popen.c,
+ 	appl/ftp/ftpd/ftpd.c, appl/bsd/login_fbtab.c,
+ 	appl/bsd/login_access.c: Initialize the `lasts' to NULL before
+ 	calling strtok_r the first time.  With our strtok_r it's not
+ 	necessary, but the man-page on SGIs says it should be done.
+
+Fri May 30 1997
+
+	* lib/krb/mk_req.c (krb_mk_req, get_ad_tkt): Support for
+ 	multi-realm ticket files by using the best matching TGT to define
+ 	the realm of the ticket holder.
+
+
+	* appl/bsd/utmpx_login.c (utmpx_update): Set `ut_id' if we're
+ 	using utmpx
+
+	* appl/telnet/telnetd/sys_term.c (start_login): Set `ut_id' if
+ 	we're using utmpx
+
+Wed May 28 1997
+
+	* lib/roken/daemon.c: New file.
+
+	* include/protos.H: <sys/types.h> needed on solaris 2.4
+
+Mon May 26 1997
+
+	* appl/bsd/su.c (kerberos): If kerberos password is zero length
+ 	immediately try next scheme.
+
+
+	* lib/kafs/afskrb.c (k_afsklog_uid): Token lifetime should be even
+ 	if we don't know the proper ViceId.
+
+
+	* Release 0.9.5
+
+	* man/Makefile.in: Install preformatted manual pages with correct
+ 	suffix on *BSD.
+
+Sun May 25 1997
+
+	* appl/kpopper/popper.h: Remove XTND, and XTND XMIT. Rename XTND
+ 	XOVER to XOVER.
+
+
+	* appl/telnet/telnetd/sys_term.c: Only include <utmp.h> and
+ 	<utmpx.h> once
+
+	* fix-export: Also create cat manpages.
+
+	* appl/ftp/ftpd/logwtmp.c: Check for `_PATH_WTMP'
+
+	* appl/telnet/telnetd/sys_term.c: Ditto.
+	Remove stupid macros.
+
+	* appl/ftp/ftp/cmds.c (setpeer): Check for `__unix'.  This is
+ 	(apparently) a standard with many representations.
+
+	* appl/ftp/ftpd/ftpcmd.y (SYST): Ditto.
+
+	* appl/ftp/ftpd/ftpd.c (retrieve): file must exist to apply a
+ 	command to it.
+
+	* appl/ftp/ftpd/ftpd.c (retrieve): Generalise list of commands and
+ 	basename argument.
+
+	* appl/ftp/ftpd/popen.c (ftpd_popen): Try standard binary if the
+ 	one in ~ftp fails.
+
+	* appl/telnet/telnetd/sys_term.c: Use `_getpty' if there's one
+
+	* appl/bsd/forkpty.c: Use `_getpty' if there's one
+
+	* configure.in: check for `_getpty'
+
+	* acconfig.h: correct test for IRIX
+
+	* lib/roken/snprintf.c: code for checking the correct functioning
+ 	of *nprintf is now #ifdef PARANOIA
+
+	* appl/bsd/rlogind.c: fix logging in wtmp and parsing of winsize
+
+	* appl/bsd/rlogin.c: New option `-p'.
+
+	* lib/des/fcrypt.c: removed `inline' from `des_set_key'
+
+Thu May 22 1997
+
+	* lib/des/md5.c (MD5Final): Made signature compliant with FreeBSD.
+	
+	* lib/des/md5.h: Remove digest from MD5_CTX, it is now an argument
+ 	to MD5Final instead.
+
+	* lib/des/fcrypt.c: Also support MD5 style crypt(2).
+
+Tue May 20 1997
+
+	* appl/telnet/telnetd/sys_term.c: utmp stuff now seems to be
+ 	compatible with login
+
+	* appl/ftp/ftpd/logwtmp.c: Add support for logging to wtmpx
+
+
+	* (*/)*/Makefile.in:s (install): Avoid redundant multiple
+ 	recursion in install targets.
+
+	* Made things compile with socks5-v1.0r1.
+
+
+	* appl/telnet/telnetd/sys_term.c: changed utmp-stuff not to use
+ 	ut_id at all
+
+	* appl/bsd/utmpx_login.c: handle case where there's no wtmpx (such
+ 	as HP-UX 10)
+
+	* appl/bsd/rlogind.c: Added support for utmpx
+
+Sun May 18 1997
+
+	* lib/roken: removed herror, strchr, and strrchr
+
+ 	* lib/krb/dest_tkt.c(dest_tkt): Only use `lstat' iff HAVE_LSTAT
+
+	* lib/krb: snprintf, strdup, strtok_r, and strcasecmp always live
+ 	in lib/roken and get linked here when needed.
+
+	* lib/roken: removed strchr, strrchr.
+
+	* appl/telnet/telnet/telnet.c: Always use our own `setupterm' for
+ 	compatibility reasons.
+
+	* appl/telnet/telnetd/telnetd.c: Removed <curses.h> and <term.h>.
+  	They doesn't seem to be used and breaks on fujitsu.
+
+	* appl/kx/kx.c: try to give a better error message (than a core
+ 	dump :-) when talking to an old kxd.
+
+	* appl/kx/kxd.c, appl/kip/kipd.c, appl/kauth/kauthd.c: corrected
+	fencepost error with KRB_SENDAUTH_VLEN.
+
+	* appl/ftp/common/buffer.c: new file.
+
+	* configure.in: cray hides their bitypes in <bind/bitypes.h>.
+  	Also check for this file.
+
+	* appl/telnet/telnet/telnet_locl.h: moved termios.h before
+ 	curses.h.  This was needed to compile on cray, but will probably
+ 	break on some other host.
+
+Thu May 15 1997
+
+	* server/kerberos.c: Implement changes to the tcp protocol, while
+ 	being compatible with the old protocol.
+
+	* lib/krb/send_to_kdc.c: The old method to signal end of
+ 	transmission by closing the sending side of the socket does not
+ 	work well through some firewalls. This is now changed so that the
+ 	client instead sends the length of the request as a four byte
+ 	integer (in network byte order) before sending the data.
+
+Wed May 14 1997
+
+	* appl/telnet/telnetd/sys_term.c: HAVE_UTMPX -> HAVE_UTMPX_H.  Fix
+ 	for OSF1.
+
+	* appl/bsd/utmp_login.c: UTMPX_DOES_UTMP_LOGGING -> HAVE_UTMPX_H
+
+	* appl/bsd/sysv_environ.c: Use k_concat rather than snprintf.
+
+Tue May 13 1997
+
+	* kuser/klist.c: updated usage string
+
+	* lib/otp/otp_print.c: make word table and reverse word table
+ 	constant
+
+Sun May 11 1997
+
+	* */*: Added some __attribute__ ((format (printf))) and fixes
+	where needed.
+
+	* appl/ftp/common/sockbuf.c: start probing at 4Mb
+
+	* appl/ftp/ftpd/ftpd.c: use MAP_FAILED
+
+	* appl/ftp/ftp/ftp.c: Use MAP_FAILED.
+	(alloc_buffer): new function for allocating a buffer of size
+ 	max(BUFSIZ, st.st_blksize) (Based on a patch from
+ 	<haba@pdc.kth.se>)
+
+	* appl/ftpd/ftpdcmd.y: hack for reget.
+
+	* appl/kx/kxd.c: Give a error message to old-version kx.
+
+	* replaced vsprintf with vsnprintf.
+	
+	* lib/roken/vsyslog.c: not used. removed.
+	
+	* Changed <sys/bitypes.h> -> <ktypes.h>
+
+	* include/Makefile.in: Added ktypes.h
+
+	* include/sys/Makefile.in: removed bitypes.h
+
+Wed May 7 1997
+
+	* appl/ftp/ftp/ftp.c: Open files in binary mode.
+
+	* appl/ftp/ftpd/ftpd.c (checkaccess): Changed to make absent file
+ 	mean `allow'. Added shell matching to names (if fnmatch is
+ 	available).
+
+
+	* appl/ftp/ftpd/kauth.c (kauth): Use `DEFAULT_TKT_LIFE'
+
+	* appl/ftp/ftpd/ftpcmd.y, appl/ftp/ftpd/ftpd.c: always cast to
+ 	(long) before printing out an `off_t'
+
+	* lib/kdb/print_princ.c (krb_print_principal),
+	  lib/kdb/krb_lib.c (kerb_put_principal),
+	  admin/kdb_edit.c (change_principal),
+	  admin/kdb_util.c (print_time) : gmtime should never return
+ 	tm_year > 1900
+
+	* appl/ftp/ftpd/ftpcmd.y: Year 2000 fix
+
+	* appl/telnet/telnetd/telnetd.c: removed code that used `getent'
+
+	* lib/roken/getent.c: removed
+
+Mon May 5 1997
+
+	* appl/ftp/ftpd/ftpd.c: fix for mmap and restart_point
+
+	* kadmin/ksrvutil_get.c (ksrvutil_get): get correct default realm
+
+Sun May 4 1997
+
+	* configure.in (REAL_PICFLAGS): Use `-fPIC' instead of `-fpic',
+ 	otherwise it's not possible to make libotp on hpux.
+
+	* configure.in: try sending picflags even when linking a shared
+ 	library with $CC
+
+	* lib/roken/getent.c: remove getstr
+
+	* configure.in: removed unneeded REAL_-variables working shared
+ 	libraries on *bsd*
+
+	* appl/kip/kip.h: Added <net/if_var.h>
+
+	* */Makefile.in: Use @LDSHARED@
+
+	* configure.in: Fix shared libraries on HP/UX.
+	check for curses.h
+ 	check for `getstr' and `cgetstr' in curses
+
+	* appl/telnet/telnet: clean-up
+
+	* lib/kafs/afssys.c: ifdef-out the code that is not used to avoid
+ 	referencing `syscall' on AIX.
+
+	* lib/krb/et_list.c: s/WEAK_PRAGMA/PRAGMA_WEAK/
+
+	* aclocal.m4 (AC_HAVE_PRAGMA_WEAK): redirect output
+
+	* lib/roken/snprintf.c: fix for the case of max_sz == 0
+
+	* doc/kth-krb.texi: Add @dircategory and @direntry to enable
+ 	`install-info' to install this entry in `dir'.
+
+	* appl/telnet/telnetd/Makefile.in: Don't link with getstr
+
+
+	* lib/auth/sia/krb4_matrix.conf: Fix entries for ses_release and
+ 	chk_user.
+
+Sat May 3 1997
+
+	* lib/auth/sia/sia.c: Some cleanup.
+
+Fri May 2 1997
+
+	* configure.in: only link the programs that need it with the
+ 	db/dbm library
+
+
+	* lib/auth/sia/sia.c: Merge code for for normal and su
+ 	authentication.
+
+
+	* Replaced sprintf with snprintf and asprintf all over the place.
+
+	* lib/roken/snprintf.c: Added asnprintf and vasnprintf
+
+	* lib/roken/snprintf.c: implemented asprintf, vasprintf
+
+	* lib/roken/snprintf.c: new file
+
+Thu May 1 1997
+
+	* lib/kafs/afskrb.c (k_afsklog_all_local_cells): Use `k_concat'
+
+Wed Apr 30 1997
+
+	* lib/krb/{get_host,get_krbrlm,getrealm,realm_parse}.c: Fix some
+ 	potential buffer overruns.
+
+	* lib/krb/k_concat.c: Safely concatenate two strings.
+
+Sat Apr 26 1997
+
+	* appl/telnet/libtelnet/kerberos.c: removed stupid #if 0
+
+	* appl/bsd/rlogind.c (send_oob): different default for `last_oob'
+ 	to avoid losing first OOB packet
+
+Fri Apr 25 1997
+
+	* appl/voodoo/AuthOption.cpp: provoke the telnetd in turning on
+ 	encryption
+
+Wed Apr 23 1997
+
+	* lib/kafs/afskrb.c (realm_of_cell): don't overflow buffer with
+ 	result from `gethostbyaddr'
+
+	* lib/krb/name2name.c (krb_name_to_name): new parameter
+ 	`phost_size' to disable buffer overflowing.  Changed all callers.
+
+	* lib/krb/k_getsockinst.c: New parameter `inst_size' to disable
+ 	buffer overflowing.  Changed all callers.
+
+	* appl/kpopper/Makefile.in: soriasis make stupidity
+
+	* appl/kx/Makefile.in: don't include encdata.c in SOURCES_COMMON,
+ 	otherwise DEC make gets upset.
+
+Tue Apr 22 1997
+
+	* lib/krb/k_getsockinst.c: Use same name as in krb_get_phost.
+
+
+	* acconfig.h: hp-ux 10 also has `pututxline' that writes both to
+ 	utmp and utmpx.
+
+Sun Apr 20 1997
+
+	* include/win32/config.h: adapted to win95/NT
+
+	* appl/voodoo: Merged in win32-telnet from <d93-jka@nada.kth.se>
+
+	* lib/krb/tkt_string.c: dummy `getuid' function.
+
+	* lib/krb/ticket_memory.c (tf_setup): implement
+
+	* lib/roken/roken.mak, roken.def: new files
+
+	* lib/des/des.def: Removed des_random_{seed,key}
+
+	* lib/krb/dllmain.c: Rewrote `msg'.
+	Better explanation when it fails to spawn `krbmanager'.
+
+	* lib/krb/tf_util.c: backwards `in_tkt' added.
+
+	* lib/krb/in_tkt.c: removed
+
+	* lib/kclient/KClient: Reformatted and fixed.
+
+Sat Apr 19 1997
+
+	* appl/ftp/ftpd/ftpd.c: Incorporate /etc/ftpusers changes from
+ 	NetBSD.
+
+	* appl/ftp/ftpd/ftpd.c: Handle oob-stuff better.
+
+Fri Apr 18 1997
+
+	* appl/kpopper/pop_{dropinfo,send,updt}.c: Fix 'From ' line
+ 	parsing bug.
+
+	* appl/kpopper/pop_dropinfo.c: Add support for xover.
+
+	* appl/kpopper/pop_xover.c: Add some kind of xover support.
+
+	* appl/kpopper/pop_debug.c: New tiny popper debugging program.
+
+Tue Apr 15 1997
+
+	* lib/krb/kdc_reply.c (kdc_reply_cred): fix sanity checks.
+
+	* appl/bsd/rshd.c: k_afsklog so that remote command gets a token.
+  	fix usage string.
+
+Sat Apr 12 1997
+
+	* appl/bsd/rcp.c (main): Rcp implements encrypted file transfer
+ 	without using the kshell service.
+
+
+	* lib/krb/mk_safe.c: Emit new checksum.
+
+	* lib/krb/rd_safe.c: New code to handle both new and old
+ 	checksums.
+
+	* lib/des/qud_cksm.c: Fix compatibility with mit deslib.
+
+Fri Apr 11 1997
+
+	* lib/sl/sl.c (sl_match): initialize `partial_cmd'
+
+Sun Apr 6 1997
+
+	* lib/kafs/kafs.h: Ugly addition of `_P'
+
+	* lib/kafs/afssys.c: <sys/socket.h> contains the definition of
+ 	`_IOW' on cygwin32.
+
+	* appl/telnet/telnet/utilities.c: <sys/socket.h> needed by
+ 	cygwin32
+
+	* doc/Makefile.in: always run $(MAKEINFO).
+	
+	* lib/otp/otp_md.c (sha_finito_little_endian): byte-swap
+ 	correctly.
+
+	* include/sys/bitypes.H: Added #ifndef for types
+
+	* configure.in: test for types
+
+	* aclocal.m4: Stolen AC_GROK_TYPES? from heimdal
+
+
+	* appl/ftp/ftp/ftp.c: Fix passive mode.
+
+Sat Apr 5 1997
+
+	* appl/kauth/ksrvtgt.in: New ksrvtgt script.
+
+Fri Apr 4 1997
+
+	* lib/krb/kdc_reply.c: Add some range checking.
+
+
+	* lib/otp/otptest.c: Updated tests from `draft-ietf-otp-01.txt'.
+	Passes verification examples from appendix C.
+
+	* admin/kdb_util.c: All usage strings are now consistent (and even
+ 	with the code)!
+
+Thu Apr 3 1997
+
+	* lib/kafs/afssys.c (k_pioctl): Separate syscall functionality and
+ 	kerberos convenience routines into afssys.c and afskrb.c. This to
+ 	make it possible to use k_pioctl() without linking in all
+ 	libraries in the world.
+
+Tue Apr 1 1997
+
+	* appl/telnet/telnet/commands.c: Rename suspend to telnetsuspend,
+ 	since Unicos has one of its own.
+
+Sun Mar 30 1997
+
+	* appl/bsd/{rsh,rlogin}.c: Don't look at argv[0].
+
+
+	* man/tenletxr.1: new file
+
+	* appl/kx/rxtelnet.in, appl/kx/rxterm.in, appl/kx/tenletxr.in:
+ 	Support `-k'
+
+	* appl/kx/tenletxr.in: new script for running kx in backwards
+ 	mode.
+
+	* appl/kx: New version of protocol.
+
+	* appl/kauth: Use err & c:o
+
+	* appl/kauth/encdata.c (read_encrypted): Give better return code
+ 	for EOF
+
+
+	* appl/ftp/ftp/krb4.c: Use stdout rather than stderr. Add newlines
+ 	to many strings.
+
+	* kuser/kdestroy.c: Use set_progname, make -q equal to -f, remove
+ 	bell.
+
+	* lib/roken/warnerr.c: New function set_progname.
+	* aclocal.m4: Invert test of AC_NEED_DECLARATION and rename it to
+ 	AC_CHECK_DECLARATION.  Add new function AC_CHECK_VAR, that looks
+ 	for a variable, including a declaration.
+
+	* lib/roken/roken.h: Add optional declaration for __progname.
+
+	* lib/roken/*{err,warn}.c: Restructure err and warn functions.
+
+Sat Mar 29 1997
+
+	* appl/telnet/telnet/sys_bsd.c: Maybe-fix for HP-UX 10: Ifdef
+ 	SO_OOBINLINE, don't even select for exceptional conditions.
+
+	* lib/otp/otp_md.c: always downcase the seed.
+	byte-swap the SHA result.
+
+Thu Mar 27 1997
+
+	* appl/otp/otp.c: removed bad free of global data
+
+Sun Mar 23 1997
+
+	* configure.in: moved version.h and config.h to include
+
+
+	* acconfig.h: Fix utmp/utmpx stuff on OSF/1.
+
+
+	* appl/bsd/rlogind.c (control): Rewritten to handle the case of
+ 	there being no `ws_xpixel' and `ws_ypixel'
+
+	* appl/bsd/rlogin.c (sendwindow): Rewritten to handle the case of
+ 	there being no `ws_xpixel' and `ws_ypixel'
+
+	* aclocal.m4 (AC_KRB_STRUCT_WINSIZE): Also test for `ws_xpixel'
+ 	and `ws_ypixel'
+
+	* lib/otp/otp.h: Change default global timeout
+
+	* lib/krb/tf_util.c (tf_setup): Also take `pname' and `pinst'
+
+	* appl/telnet/telnetd/sys_term.c, appl/bsd/utmpx_login.c: Do
+ 	gettimeofday and then copy the data for the sake of those systems
+ 	like SGI that can have different timevals in file and memory.
+
+	* configure.in: Allow `--with-readline'
+
+	* lib/editline/edit_compat.c (readline): strdup data before
+ 	returning it.
+
+
+	* appl/telnet/telnetd/state.c: Change size of subbuffer to 2k.
+
+Thu Mar 20 1997
+
+	* lib/krb/decomp_ticket.c: Add some range checking.
+
+	* appl/ftp/ftpd/krb4.c: Check return value from krb_net_write.
+
+	* appl/ftp/ftp/ftp.c: Fix hash mark printing.
+
+Wed Mar 19 1997
+
+	* appl/kauth/kauthd.c: more logging
+
+	* man/kx.1, man/kxd.8: Updated.
+
+	* appl/kx/kx.c, kxd.c: Hacked so that all TCP-connections are kx
+ 	-> kxd
+
+
+	* lib/editline/edit_compat.c: BSD libedit comatibility.
+
+Wed Mar 12 1997
+
+	* appl/ftp/ftpd/ftpd.c: Set `byte_count' even when using mmap.
+	Log foreign IP address together with hostname.
+
+Mon Mar 10 1997
+
+	* server/kerberos.c: Fix log file muddle.
+
+Sun Mar 9 1997
+
+	* appl/bsd/kcmd.c (kcmd): check malloc for failure.
+
+Tue Feb 25 1997
+
+	* man/ftpd.8: Documented the `-g' option.
+
+	* appl/ftp/ftpd/ftpd.c: New option `-g umask' for specifying the
+ 	umask for anonymous users.
+
+	* appl/ftp/ftpd/ftpd.c: conditionalize SIGURG
+
+	* appl/otp/otp.c: More fixes from Fabien COELHO
+ 	<coelho@cri.ensmp.fr>.  Check for current OTP before allowing the
+ 	update.
+
+Wed Feb 19 1997
+
+	* appl/otp/otp.c: updated help string
+
+	* appl/bsd/Makefile.in: Fixed installation of suid programs.
+
+	* appl/telnet/libtelnet/kerberos.c: fix some stuff to get
+ 	forwarding code to compile
+
+	* lib/otp/otp_db.c: fix for signed char overflow.
+
+
+	* lib/krb/resolve.c: Patch from Jörgen Wahlsten
+ 	<wahlsten@pathfinder.com>: Zero out resource record, and send
+ 	correct length to dn_expand.
+
+Mon Feb 17 1997
+
+	* lib/roken/roken.h: Check for `_setsid'
+
+	* appl/ftp/ftp/ftp.c: s/__CYGWIN32__/HAVE_H_ERRNO/
+
+	* include/Makefile.in: Generete krb_err.h and kadm_err.h before
+ 	linking/copying them
+
+	* aclocal.m4: AC_FIND_FUNC: Add the library at the beginning of
+ 	the list.
+
+	* configure.in: Use AC_PROG_RANLIB
+	Always use EMXOMF under OS/2
+	Check for sys/termio.h and _setsid
+
+
+	* configure.in: A preliminary fix for editline.
+
+	* appl/telnet/libtelnet/kerberos.c: Include ticket forwarding
+ 	stuff.
+
+	* lib/krb/krb_get_in_tkt.c: Use tf_setup.
+
+	* lib/krb/krb_get_in_tkt.c: New function tf_setup.
+
+Sat Feb 15 1997
+
+	* man/otp.1: updated
+
+	* appl/otp/otp.c: New options `-d' and `-r'.  From Fabien COELHO
+ 	<coelho@cri.ensmp.fr>
+
+	* lib/otp/otp.h: Changed default from md4 to md5
+	* lib/otp/otp_db.c (otp_get, otp_simple_get): New functions.
+
+Thu Feb 13 1997
+
+	* appl/kx/rxtelnet.in: allow specification of port number
+
+	* appl/otp/otp.c: Add `-u' option
+
+Sun Feb 9 1997
+
+	* appl/ftp/common/glob.c: Rename FOO -> CHAR_FOO to avoid
+ 	collision with symbol in sys/ioctl.h
+
+Fri Feb 7 1997
+
+	* man/kpropd.8: updated
+
+	* appl/bsd/rcmd_util.c: warning needs to know what program is
+ 	used.
+
+	* slave/kpropd.c: New explicit flag `-i' for interactive.  Don't
+ 	use AI to figure out if we have been started by inetd or not.
+
+Thu Feb 6 1997
+
+	* appl/kx/rxtelnet.in, appl/kx/rxterm.in: Patch for sending -l to
+ 	kx.  From <map@stacken.kth.se>
+
+	* kuser/klist.c: corrected alignment of `expired'
+
+	* appl/telnet/telnet/commands.c: replaced lots of \n by \r\n
+
+Mon Feb 3 1997
+
+	* configure.in (socket, gethostbyname, getsockopt, setsockopt):
+ 	Better tests.
+	(HAVE_H_ERRNO): New test
+
+	* lib/roken/herror.c (herror): Check HAVE_H_ERRNO
+	lots of other files as well.
+
+Sat Feb 1 1997
+
+	* appl/bsd/rcp.c: Work around the non-working getpw* in cygwin32
+
+	* lib/krb/logging.c: Init function for `std_log´
+
+	* appl/telnet/telnet/utilities.c: Remove `upcase´
+	Check HAVE_SETSOCKOPT
+
+	* appl/telnet/telnet/telnet.c: Use `strupr´ instead of `upcase´
+
+	* appl/telnet/telnet/commands.c, appl/movemail/pop.c,
+ 	appl/kauth/rkinit.c, appl/ftp/ftp/ftp.c,
+ 	appl/sample/sample_client.c: Ifdef around for the non-existence of
+ 	`h_errno' in cygwin32.
+
+	* lib/des/read_pwd.c: work-around for cygwin32
+
+	* appl/telnet/telnet/sys_bsd.c: work-around for cygwin32
+
+Fri Jan 31 1997
+
+	* lib/krb/tf_util.c: gnu-win32 needs to open files with O_BINARY.
+
+Sun Jan 26 1997
+
+	* configure.in: removed duplicate of initgroups and lstat
+	Use AC_KRB_STRUCT_WINSIZE
+
+	* aclocal.m4 (AC_KRB_STRUCT_WINSIZE): New test
+
+	* lib/krb/getaddrs.c: Check for SIOCGIFFLAGS and SIOCGIFADDR
+
+	* appl/bsd/rlogin.c: conditional on SIGWINCH
+
+	* appl/bsd/rcmd_util.c et al: conditional getsockopt
+
+	* configure.in (cygwin32): New target
+	(getsockopt, getsockopt): Test for
+	(herror, hstrerror): Better tests
+
+	* aclocal.m4 (AC_FIND_IF_NOT_BROKEN): Pass arguments to
+ 	AC_FIND_FUNC
+
+Thu Jan 23 1997
+
+	* configure.in: Add EXECSUFFIX
+
+	* appl/kx/rxterm.in: rsh -n
+
+	* lib/krb/unparse_name.c (krb_unparse_name_long_r): new function
+
+
+	* lib/auth/sia/sia.c: Fix a bug with ticket filename. Add afs
+ 	support.
+
+	* lib/krb/get_host.c: Use KRB_SERVICE.
+
+Wed Jan 22 1997
+
+	* lib/auth/sia/Makefile.in: Add linker magic fix for broken,
+ 	conflicting kerberos code in xdm.
+
+Tue Jan 21 1997
+
+	* appl/xnlock/xnlock.c (verify): Change the "LOGOUT" password to
+ 	be manageable as X-resource XNlock*logoutPasswd. The password is
+ 	stored in UNIX crypt format so that it can be stored in a global
+ 	resource file for sites that whish to keep it a secret.
+
+
+	* configure.in: Check for winsize in sys/ioctl.h also.
+
+Sat Jan 18 1997
+
+	* lib/krb/get_default_principal.c: Use principal from
+ 	KRB4PRINCIPAL before using uid.
+
+Wed Jan 15 1997
+
+	* appl/telnet/telnet/sys_bsd.c: Use `get_window_size'
+
+	* lib/roken/get_window_size.c: New file
+
+	* appl/bsd/rlogin.c: Use `get_window_size'
+
+	* appl/bsd/forkpty.c, appl/bsd/rlogind.c: conditionalize on
+ 	TIOCSWINSZ
+
+	* configure.in: Check for `_scrsize' and `struct winsize'
+
+Tue Jan 14 1997
+
+	* Makefile.in (install-strip, travelkit-strip): New targets.
+
+Thu Jan 9 1997
+
+	* */Makefile.in: Use @foo_prefix@ and @program_transform_name@
+ 	Add code to uninstall target
+
+Thu Dec 19 1996
+
+	* configure.in: Set LIBPREFIX
+
+	* config.sub: Add os2 as a system
+
+	* config.guess: Try to recognize i386-pc-os2_emx
+
+	* configure.in: case for *-*-os2_emx
+	NEED_PROTO for `strtok_r'
+	
+	* aclocal.m4: ranlib is apparently calld EMXOMF on OS/2
+	(AC_KRB_PROG_LN_S): New test that uses cp if ln fails
+
+Wed Dec 18 1996
+
+	* appl/bsd/login.c (main): First try to verify password using
+ 	standard UNIX method and if it fails try kerberos authentication.
+	
+Sat Dec 14 1996
+
+	* appl/bsd/rcp.c: consider case of no fchmod
+
+	* appl/kpopper/pop_init.c: Use k_getsockinst.
+
+	* lib/roken/{strupr,strlwr,strchr,strrchr,lstat,initgroups,chown,
+	fchown,rcmd}.c: new files
+
+	* appl/kpopper/pop_lower.c: Removed.
+
+	* Makefile.in (travelkit): New target.
+
+Tue Dec 10 1996
+
+	* lib/krb/parse_name.c (kname_parse): Only copy realm if it is
+ 	specified.
+
+	* lib/krb/get_host.c (krb_get_host): Treat no realm as local
+ 	realm.
+
+Mon Dec 9 1996
+
+	* appl/ftp/ftpd/ftpd.c: Get afs-tokens when logging in with
+ 	password.
+
+
+	* slave/kprop.c: flock with K_LOCK_SH
+
+Wed Dec 4 1996
+
+	* appl/telnet/telnet/commands.c: Also export XAUTHORITY
+
+Sun Dec 1 1996
+
+	* kadmin/ksrvutil.c: If realm is not specified, use the local one.
+
+Sat Nov 30 1996
+
+	* appl/kauth/kauthd.c: Use KAUTH_VERSION.  Try to give correct
+ 	error messages back to kauth.
+
+	* config.sub, config.guess: Merged in changes from autoconf 2.12
+
+	* appl/bsd/rsh.c: quick hack to make `-n' to the right thing.
+
+	* kadmin/kadm_locl.h: Add prototype for FascistCheck.
+
+Thu Nov 28 1996
+
+	* man/afslog.1: Documented `-createuser'
+
+	* appl/afsutil/aklog.c: removed `cell_of_file' Added option
+ 	`-createuser' to run pts to create a foreign principal.
+
+Tue Nov 26 1996
+
+	* lib/otp/otp_challenge.c: Initialize error string and check for
+ 	NULL from strdup.
+
+	* lib/roken/mini_inetd.c: Initialize `sin_family'
+
+	* appl/kpopper/pop_init.c: Add `-p' option and make `-a'
+ 	auth-style
+
+	* appl/bsd/rshd.c: Add `-p' option.
+
+	* appl/bsd/rlogind.c: Handle `-p' correctly.
+
+	* appl/bsd/login.c: Removed confusing initialization of
+ 	`login_timeout'
+
+	* appl/kpopper/pop_dropinfo.c: Remove white-space at the beginning
+ 	of UIDL-string.
+
+Sun Nov 24 1996
+
+	* Release 0.9.3
+
+Sat Nov 23 1996
+
+	* kadmin/ksrvutil_get.c: Use `krb_unparse_name_long' Better
+ 	defaults.
+
+	* lib/krb/krb.h: Added *_to_key
+
+	* lib/krb/get_svc_in_tkt.c (srvtab_to_key): Make public
+
+	* kadmin/kadmin.c (do_init): `-p' is a synonym for `-u'
+	(do_init): more logical defaults
+	(help): removed old code
+	better error messages
+
+	* lib/krb/get_in_tkt.c (passwd_to_key, passwd_to_afskey): Export
+ 	and remove functionality for reading passwords.
+
+	* lib/sl/sl.c: Nicer help output.
+
+	* lib/otp/otp_challenge.c: Initialize `challengep'
+
+	* lib/krb/Makefile.in: Removed get_pw_tkt.c
+
+Fri Nov 22 1996
+
+	* lib/auth/sia/sia.c: Now compiles under Digital UNIX 4.0.
+
+Wed Nov 20 1996
+
+	* lib/auth/pam/pam.c: Chown ticketfile to correct GID.
+
+Tue Nov 19 1996
+
+	* appl/kx/rxtelnet.in: Try to set the screen number as well.
+
+	* Be careful not to thrust `h_length' from gethostby{name,addr}
+
+	* appl/bsd/rcmd_util.c (ip_options_and_die): New function.
+
+	* configure.in: moved headers before functions.
+	call AC_PATH_XTRA_XTRA.
+	Add strchr, index, rindex, and strrchr to AC_CHECK_FUNCS.
+	remove strchr and strrchr, add strtok_r from/to AC_BROKEN.
+
+	* aclocal.m4 (AC_PATH_XTRA_XTRA): New macro.
+
+	* aclocal.m4 (AC_FIND_FUNC, AC_FIND_FUNC_NO_LIBS): Two new
+ 	arguments: includes and arguments)
+
+	* configure.in: Need to supply arguments and includes to test for
+ 	`res_search' and `dn_expand'
+
+	* lib/kafs/afssys.c (k_setpag): Handle AFS_SYSCALL3
+
+	* Use `k_getpw{nam,uid}' instead of getpw{nam,uid}.
+
+	* Replace lots of `strtok' with `strtok_r'.
+
+	* lib/sl/sl.c: Allow unlimited number of arguments.  Use
+ 	`strtok_r' to divide up string into arguments.
+
+	* lib/roken/roken.h: Added `strtok_r'
+
+	* configure.in: Test for `strtok_r'
+
+	* include/Makefile.in: Don't build in ss
+
+	* Makefile.export: Fixed ChangeLog-generation
+
+	* lib/sl/sl.c: Let `readline' to the \n-removal.  Handle empty
+ 	lines.  Don't store empty lines in the history.
+
+Mon Nov 18 1996
+
+	* lib/sl/sl.c: Use readline compatible i/o.
+
+
+	* lib/otp/otp_locl.h: Changed location of otp database to /etc
+
+	* appl/otp/Makefile.in: Install otp setuid root.
+
+	* util/Makefile.in: don't build SS
+
+	* lib/sl: New directory.
+
+	* kadmin/kadmin.c: Replaced SS by SL.
+
+Sun Nov 17 1996
+
+	* kadmin/kadm_funcs.c: Improved log messages.
+
+
+	* Use KRB_TICKET_GRANTING_TICKET.
+
+
+	* server/kerberos.c: Don't do any special logging when running as
+ 	slave.
+
+
+	* Lots of files: remove unnecessary `(void)'
+
+	* Lots of files: remove unnecessary `register' declaration.
+
+
+	* lib/krb/get_host.c: Only keep list of hosts from requested
+ 	realm.
+
+
+	* man/otpprint.1, otp.1: New files.
+
+	* appl/otp/otp.c: `-s' is now default.
+
+	* appl/otp/otp.c: removed count
+
+	* lib/des/destest.c: more general quad_cksum test.
+
+	* lib/otp/otp_print.c (otp_print_stddict_extended,
+ 	otp_print_hex_extended): New functions.
+
+	* lib/otp/otptest.c: New file.
+
+
+	* appl/ftp/ftpd/ftpd.c: Change default auth level to what was
+ 	formerly known as `user'.
+
+	* appl/ftp/ftpd/ftpd.c: Orthogonalize arguments to -a
+
+
+	* appl/kip/kip.c: Try all addresses we get back from the name
+ 	server.
+
+	* kadmin/kpasswd.c: updated to new functions.
+
+	* lib/otp/otp_db.c (otp_db_open): Do a few retries.  Unlock in
+ 	case this file cannot be opened.
+
+	* doc/kth-krb.texi: New chapter about OTPs.
+
+	* appl/otp/otpprint.c, appl/otp/otp.c: Use OTP_ALG_DEFAULT.
+  	Consistent language Check return value from des_read_pw_string.
+
+	* lib/otp/otp.h: Add OTP_ALG_DEFAULT
+
+
+	* lib/krb/parse_name.c: New function krb_parse_name
+
+Sat Nov 16 1996
+
+	* appl/bsd/login.c: removed S/Key.
+	Added OTP with option `-a otp'
+	Reorganized verification loop.
+
+	* appl/bsd/Makefile.in (login): Remove skey and add OTP
+
+	* configure.in: Test for `uid_t' and `off_t'
+
+	* appl/telnet/telnetd/telnetd.c: Removed `-s' for securID and
+ 	added `-a otp' for OTP.
+
+	* appl/kpopper: removed s/key and added OTP support.  Updated
+ 	man-page.
+
+	* lib/otp/otp.h: more fields in the struct and a new function.
+
+	* appl/ftp/ftpd/ftpd.c: Full OTP support.
+
+	* appl/kx/rxterm.in: Add options: -l username, -r args_to_rsh, and
+ 	-x args_to_xterm
+
+	* appl/kx/rxtelnet.in: Add options: -l username, -t
+ 	args_to_telnet, and -x args_to_xterm
+
+	* man/kx.cat1: regenerated
+
+	* man/kx.1: Added `-l' option.
+
+	* appl/kx/kxd.c: Accept username from `kx'
+
+	* appl/kx/kx.c: Introduced option `-l user' to be able to login as
+ 	some other user.
+
+Fri Nov 15 1996
+
+	* appl/kx/kx.c: Print out display and not display_nr
+
+	* lib/auth/Makefile.in: Fix the case with empty SUBDIRS.
+
+	* */Makefile.in: Use $(LN_S) instead of ln -s
+
+	* */Makefile.in: Add @SET_MAKE@
+
+	* doc/latin1.tex: New file.
+
+	* doc/kth-krb.texi: Use latin1.tex to be able to use one letter
+ 	that some bear seem to think is important.
+
+	* doc/kth-krb.texi: Added acknowledgements.
+
+	* lib/auth/Makefile.in: Only build relevant subdirectories.
+
+	* configure.in: Set @LIB_AUTH_SUBDIRS@ to the subdirectories of
+ 	lib/auth that should be built.
+
+
+	* lib/kafs/afssys.c: Only get tokens for each cell once.
+
+Thu Nov 14 1996
+
+	* man: Added man pages for movemail(1) and kerberos(8).
+
+
+	* kadmin/kadmin_cmds.ct: Add `add' for add_new_key and `passwd'
+ 	for change_password.
+
+
+	* lib/krb/logging.c: Now actually compiles!
+
+
+	* config.{guess,sub}: Merge changes from Autoconf
+
+
+	* lib/krb/{recv,send}auth.c: Don't return errno if there is a
+ 	system error.
+
+Wed Nov 13 1996
+
+	* util/ss/Makefile.in: Now even compiles with BSD make!
+
+	* appl/kx: Now send the complete display from `kxd' to `kx'.  This
+ 	should enable it to work better with Xlibraries that don't support
+ 	unix sockets.
+
+	* kuser/klist.c: conditionally include <sys/ioctl.h> and
+ 	<sys/ioccom.h> before <kafs.h>
+
+	* lib/krb/resolve.h: Add fallback for `T_TXT'.
+
+	* appl/otp/otp.c: removed print-functionality.
+
+	* appl/otp/otpprint.c: New file.
+
+	* appl/otp/Makefile.in: New program `otpprint'
+
+	* lots of Makefile.in: Now should be possible to build with makes
+ 	that have broken VPATH-handling.
+
+	* configure.in: Always replace REAL_SHARED & c:o so that some
+ 	libraries may be built as shared.
+	Removed unused AC_SUBST.
+	Only build afskauthlib on irix.
+
+	* lib/auth/afskauthlib/Makefile.in, lib/auth/sia/Makefile.in,
+ 	lib/auth/pam/Makefile.in: Always build as a shared library.
+
+	* appl/kx/rxtelnet.in, appl/kx/rxterm.in: export PATH (from
+ 	<jas@pdc.kth.se>).
+
+
+	* lib/krb/{pkt_cipher,fgetst}.c: Removed
+
+	* lib/krb/name2name.c: Renamed k_name_to_name to krb_name_to_name
+
+Mon Nov 11 1996
+
+	* appl/telnet/telnetd/sys_term.c: Really remove bad stuff from
+ 	environment.
+
+Fri Nov 8 1996
+
+	* appl/bsd/rlogind.c (main): `portnum' should be int.
+
+	* appl/bsd/sysv_environ.c: Use _PATH_ETC_ENVIRONMENT
+
+	* appl/bsd/pathnames.h: _PATH_ETC_ENVIRONMENT: new
+
+	* lib/krb/get_host.c (srv_find_realm): New parameter `service'
+
+
+	* lib/krb/unparse_name.c: New function.
+
+Tue Nov 5 1996
+
+	* lib/auth/pam/pam.c: Add PAM Kerberos module.
+
+Mon Nov 4 1996
+
+	* configure.in: configure in lib/auth/afskauthlib
+
+	* lib/kafs/afssys.c: New function `k_afsklog_uid'.
+
+	* lib/auth/afskauthlib: New library that works like
+	`afskauthlib.so' from Transarc.
+
+
+	*lib/krb/get_host.c, lib/krb/getrealm.c, lib/kafs/afssys.c: Use
+ 	dns_lookup().
+	
+	* lib/krb/resolve.c (dns_lookup): Replaced several different
+ 	resolver functions with one more generalized.
+
+Sun Nov 3 1996
+
+	* Add check target in lib/krb.
+	
+	* appl/bsd/login.c (main): Sleep 10 seconds before bailing out so
+ 	that there is a chance of reading the error message.
+
+	* appl/bsd/rsh.c (main): When invoked as rlogin equivalent change
+ 	to real uid before execing rlogin.
+
+Sat Nov 2 1996
+
+	* appl/bsd/utmp_login.c: Do the right thing on systems where
+ 	UTMPX_DOES_UTMP_LOGGING is defined.
+
+
+	* lib/krb/krb.h: names for `krb_kuserok' prototype
+
+	* lib/krb/get_host.c: Add tcp/kerberos.REALM as well.
+
+	* appl/bsd/su.c: Replace call to `kuserok' by `krb_kuserok'.
+
+	* lib/otp/otp_parse.c: Add support for parsing extended responses
+ 	(draft-ietf-otp-ext-01).
+
+	* lib/otp/otp.h: Define OTP_HEXPREFIX and OTP_WORDPREFIX.
+
+	* appl/otp/otp.c: Add option `-e' for printing responses in
+ 	extended mode (according to draft-ietf-otp-ext-01.txt).
+
+
+	* lib/krb/kuserok.c: Function krb_kuserok now takes name,
+ 	instance, realm rather than an AUTH_DAT.
+
+Fri Nov 1 1996
+
+	* lib/auth/sia: Add SIA Kerberos module.
+
+
+	* lib/roken/roken.h: Need to include signal.h prior to defining
+ 	SIG_ERR.
+
+	* appl/bsd/utmpx_login.c (utmpx_update): Minor restructuring for
+ 	simplified maintainability.
+
+	* appl/bsd/utmp_login.c (utmp_login): Even when there are utmpx
+ 	files on this system we should also log to the utmp files. If
+ 	there are no utmp files we of course don't have to log to them.
+
+
+	* Makefile.export: now generate PROBLEMS and COPYRIGHT as well.
+
+	* PROBLEMS, COPYRIGHT, doc/kth-krb.info: removed
+
+	* doc/kth-krb.texi: Put copyrights in marketing order.
+
+	* appl/kpopper/popper.h: client and ipaddr should be char [] so
+ 	that we can store the names there.
+
+	* appl/kpopper/pop_init.c: save copies of addresses that otherwise
+ 	get overwritten.
+
+Mon Oct 28 1996
+
+	* lib/krb/send_to_kdc.c (send_recv_it): Use `recv' not `recvfrom'
+ 	to make winsock happy.  Also don't care anymore about from which
+ 	address we got the answer since we do a `connect'.
+
+	* admin/adm_locl.h, lib/kdb/kdb_locl.h, kadmin/kadm_locl.h,
+ 	lib/krb/krb_locl.h, lib/roken/strftime.c, server/kerberos.c: Do
+ 	not use #if, use #ifdef.
+
+	* configure.in: Test for `rand' and `getuid'
+
+
+	* slave/kprop.c: Don't terminate on trivial errors in slaves-file.
+
+Sun Oct 27 1996
+
+	* doc/Makefile.in: Install from source directory if necessary.
+
+	* lib/krb/kuserok.c: Do not use `k_getpwnam' in libkrb.
+
+	* configure.in: You can't even use `unset', Ultrix sh does not
+ 	have it.
+
+
+	* several files: Check status from des_read_pw_string.
+
+
+	* server/kerberos.c: Make sure all data is recieved on a tcp
+ 	socket before trying to reply.
+
+
+	* lib/krb/krb.h: Add <time.h> for `struct tm'
+
+	* appl/kx/Makefile.in: Both kx and kxd requires @XauWriteAuth@
+
+	* configure.in: Fix test for `XauReadAuth'
+
+Fri Oct 25 1996
+
+	* lib/krb/get_host.c (init_hosts): Must ntohs(KRB_PORT) on
+ 	machines running backwards.
+
+	* More consistent use of CRLF in telnet and telnetd.
+
+	* Removed redundant -I$(srcsdir)/../../include from compiler args.
+	
+
+	* appl/ftp/ftpd/ftpd.c: New option `-a otp' to allow OTPs but no
+ 	ordinary passwords in cleartext.
+
+	* appl/ftp/ftpd/Makefile.in: Link `ftpd' with -lotp
+
+	* lib/Makefile.in: Add otp
+
+	* include/Makefile.in: Add otp.h
+
+	* configure.in: Test for ndbm.h
+	Generate Makefiles in lib/otp and appl/otp
+
+	* appl/otp: New program to set up and generate OTPs.
+	
+	* lib/otp: New library for one-time passwords (RFC1938).
+
+	* lib/krb/get_host.c (srv_find_realm): Added parameter `proto'
+
+	* lib/des/Makefile.in: Add md4 and sha.  run `mdtest' from check.
+
+	* lib/des/md4.h, lib/des/md4.c, lib/des/sha.c, lib/des/sha.h,
+ 	lib/des/mdtest.c: New files.
+
+	* appl/kauth/Makefile.in: Make $(libexedir) as well.
+
+Thu Oct 24 1996
+
+	* appl/bsd/rlogind.c (setup_term): Actually set the speed of the
+ 	terminal.
+
+	* appl/bsd/rlogin.c (main): Do a `speed_t2int' before putting the
+ 	speed in the TERM variable.
+
+	* appl/bsd/rcmd_util.c: New functions: `speed_t2int' and
+ 	`int2speed_t'.
+
+	* appl/bsd/bsd_locl.h: Added prototype of `speed_t2int' and
+ 	`int2speed_t'.
+
+Sun Oct 20 1996
+
+	* appl/bsd/login.c: Do `getspnam' before change the UID. Also call
+ 	`endspent'
+
+	* appl/krbmanager: New program used on PCs by kclient.
+
+	* lib/kclient: New library.
+
+	* lib/des, lib/krb: Added some PC-specific files.
+
+	* doc/kth-krb.info: Regenerated.
+
+	* doc/Makefile.in (kth-krb.info): Some stupid makes don't
+ 	understand $<
+	(kth-krb.html): New rule.
+
+	* doc/kth-krb.texi (Compiling from source): Added some references
+ 	about Socks.
+
+Sat Oct 19 1996
+
+	* doc/kth-krb.texi: Added text about ``--with-socks''.
+
+	* configure.in: Use `AC_TEST_PACKAGE' for skey and socks.
+
+	* aclocal.m4: Replaced `AC_TEST_SOCKS' and `AC_TEST_SKEY' with the
+ 	more general `AC_TEST_PACKAGE'.
+
+Fri Oct 18 1996
+
+	* configure.in: call AC_TEST_SOCKS
+
+	* acconfig.h: SOCKS
+
+	* aclocal.m4: Added AC_TEST_SOCKS
+
+	* lib/krb/send_to_kdc.c (send_to_kdc): Removed unused `f' and
+ 	close.
+
+Thu Oct 17 1996
+
+	* man/popper.8: Option `-i'
+
+	* appl/kpopper/pop_send.c: clean-up
+
+	* appl/kpopper/popper.h: Removed old garbage and added SKEY.
+
+	* appl/kpopper/pop_xmit.c: clean up
+
+	* appl/kpopper/pop_user.c: SKEY-support
+
+	* appl/kpopper/pop_pass.c: Added support for spaces in passwords
+ 	and S/Key.
+
+	* appl/kpopper/pop_init.c: Moved some variables into struct pop
+	(main): Added support for `-i'
+
+	* appl/kpopper/pop_get_command.c: New command "HELP".
+
+	* appl/kpopper/Makefile.in: Add SKEY-stuff.
+
+	* lib/krb/get_host.c: Use `k_getportbyname(KRB_SERVICE,...)' as a
+ 	default instead of KRB_PORT
+
+	* lib/krb/getaddrs.c (k_get_all_addrs): Add
+ 	gethostbyname(k_gethostname()) as a fallback.
+
+	* lib/krb/k_getport.c (k_getportbyname): proto can be NULL
+
+	* lib/krb/krb.h: Only include <sys/types.h> if HAVE_SYS_TYPES_H
+
+	* lib/krb/prot.h: KRB_SERVICE: Added
+
+
+	* server/kerberos.c: Replaced linked list with a vector.
+
+Wed Oct 16 1996
+
+	* server/kerberos.c: Add support for TCP connections.
+
+	* lib/krb/send_to_kdc.c: On stream sockets, use krb_net_read
+ 	rather than recvfrom.
+
+Mon Oct 14 1996
+	
+	* doc/kth-krb.texi: Only use `kdb_edit' to add the initial
+ 	`nisse.admin'.  Add all other users with `kadmin'.
+
+	* doc/kth-krb.info: new file.
+
+	* doc/kth-krb.texi: Added some text about kx and ftp.
+
+	* appl/ftp/ftpd/ftpcmd.y,
+	  util/ss/ct.y,
+	  util/et/error_table.y :
+ 	Added code for handling the case of using `bison' and having no
+ 	`alloca'.  Alloca is usually never called anyway, so we just use
+ 	`malloc'.
+
+	* appl/kx/kxd.c: All static variables are now global and in
+ 	common.c.
+	(doit_conn, doit): Turn on TCP_NODELAY.
+	(create_and_write_cookie, suspicious_address): Moved to common.c
+
+	* appl/kx/kx.c (connect_host): Try all addresses of `host'. Turn
+ 	on TCP_NODELAY.
+	(doit): prepare for TCP-only hosts.
+	(usage,main): add `-t'
+	(main): Passive mode is possible again.
+
+	* appl/kx/kx.h: More #ifdefs for include files.  Declarations for
+ 	global variables.
+
+	* appl/kx/common.c (get_xsockets): Try to chmod
+ 	dirname(`X_UNIX_PATH')
+	(get_xsockets): Turn on TCP_NODELAY on TCP connections.
+
+	* doc/Makefile.in: New file
+
+	* Makefile.in: Added `doc' to `SUBDIRS'
+
+	* configure.in: Generate `doc/Makefile'
+
+Sun Oct 13 1996
+
+	* appl/bsd/rcp.c (main): Made rcp AFS aware.
+
+	* lib/krb/kuserok.c (kuserok): Act as if luser@LOCALREALM is
+ 	always an entry of .klogin.
+
+Sat Oct 12 1996
+
+	* appl/kx/rxtelnet.in: Start the `xterm' process correctly.
+
+	* lib/des/rnd_keys.c (sumFile): consider the case that `res' is
+ 	not longword-aligned.
+
+	* lib/krb/get_host.c (parse_address): `getservbyname' should
+ 	really get proto = NULL
+
+	* lib/krb/send_to_kdc.c (krb_udp_port): removed
+	(send_to_kdc): removed `addrlist'
+
+	* lib/krb/send_to_kdc.c: Support not only UDP.
+
+	* lib/krb/get_host.c (krb_get_admhst): Really ask for a admin host
+ 	if that's what we want.
+
+Thu Oct 10 1996
+
+	* lib/krb/get_host.c: Simplified some code. Added stub-support for
+ 	SRV-records.
+
+Wed Oct 9 1996
+
+	* appl/kx/rxtelnet.in, appl/kx/rxterm.in: PDC are unable to give
+ 	correct instructions to their users and therefore we have to add
+ 	strange directories to the PATH.
+
+	* appl/kx/rxtelnet.in: Support sending arguments to telnet.
+
+	* appl/kx/rxterm.in: rsh can reside in path or %bindir% support
+ 	extra arguments to xterm (from <jas@pdc.kth.se>).
+
+	* appl/kx/rxtelnet.in: Try to find some kind of terminal emulator
+ 	for X.
+
+	* appl/kx/rxterm.in, appl/kx/rxtelnet.in: Look for kx in $PATH and
+ 	%bindir%.
+
+	* appl/kx/common.c (get_xsockets): `mkdir' the correct directory.
+  	From <jas@pdc.kth.se>
+
+
+	* lib/krb/send_to_kdc.c: Changes to allow other than udp port 750
+ 	connections.
+
+	* lib/krb/get_host.c: rewrite of krb_get_{adm,krb}hst.
+
+Sun Oct 6 1996
+
+	* appl/ftp/ftpd/ftpd.c (retrieve): Got rid of `sprintf'.
+
+	* configure.in: Fix order for x libs.  From <jas@pdc.kth.se>.
+  	Check for `fcntl', `alloca', `winsock.h', and `io.h'.
+
+	* lib/krb/krb_locl.h: Check for <io.h> and <winsock.h>
+
+	* lib/krb/krb.h: Check for winsock.h
+
+	* lib/krb/k_flock.c: Better test for `fcntl' with locking.
+
+	* lib/krb/et_list.c: Hopefully correct pragma this time.  From
+ 	<jas@pdc.kth.se>
+
+Thu Oct 3 1996
+
+	* lib/krb/klog.c (klog): Do not forget to print the text.
+
+	* lib/krb/log.c (krb_log): Print space after time in log.
+
+Wed Oct 2 1996
+
+	* appl/kpopper/popper.h: Add field msg_id to hold Message-Id for
+ 	UIDL command.
+
+	* appl/kpopper/pop_dropinfo.c (pop_dropinfo): Support for UIDL
+ 	command. Saves Message-Id to be used as unique id. Everything is
+ 	#ifdef:ed UIDL.
+
+	* appl/kpopper/pop_get_command.c: Recognize UIDL command.
+
+	* appl/kpopper/pop_uidl.c (pop_uidl): POP3 UIDL command
+ 	implementation.
+
+	* appl/kpopper/Makefile.in: New file pop_uidl.c.
+
+
+	* configure.in: Made some of the tests into macros defined in
+ 	aclocal.m4
+
+	* appl/telnet/libtelnet/kerberos.c: Given better error message
+ 	when user is not authorized to login.
+
+	* lib/roken/k_getpwuid.c, lib/roken/k_getpwnam.c: Call `endpwent'.
+  	If we are using a BSD-kind of system we should not leave the
+ 	shadow password database open.
+
+	* appl/xnlock/xnlock.c: Got rid of all `register' declarations.
+
+	* appl/kx/rxterm.in, appl/kx/rxtelnet.in: Use `set --'
+
+Mon Sep 30 1996
+
+	* lib/roken/k_getpwnam.c, lib/roken_k_getpwuid.c: Call `endspent'
+ 	to try to close the shadow password file.
+
+	* appl/ftp/ftpd/ftpd.c (retrieve): Cut the argument to the command
+ 	and the first character of the extension.
+
+	* lib/krb/send_to_kdc.c: Sun doesn't have any strerror so we can't
+ 	use that here.  We are only printing debug messages anyway, so
+ 	just print errno for now.
+
+	* appl/kx/rxtelnet.in: Now using SIGUSR2.
+
+	* appl/kx/kx.c: Now using SIGUSR1 to mean `exit when number of
+ 	children goes down to zero'.  SIGUSR2 is `exit when number of
+ 	children is equal to zero'.
+
+	* appl/xnlock/xnlock.c: More fixup of old code.
+
+	* appl/ftp/ftpd/ftpd.c: Only call `filename_check' for guest
+ 	users.
+
+	* configure.in: Added tests for more header files.  Also added
+	more ifdefs when actually including those files.
+
+	* appl/kx/Makefile.in: Do not build programs if we have no X11.
+	
+Sun Sep 29 1996
+
+	* appl/xnlock/xnlock.c (main): Support for shadow passwords.
+
+	* lib/roken/k_getpwuid.c: New file, better support for shadow
+ 	passwords.
+
+
+	* appl/telnet/Makefile.in: Use SET_MAKE
+
+
+	* appl/ftp/ftpd/ftpcmd.y: Remove access to several commands for
+ 	anonymous users.
+
+	* lib/krb/get_krbhst.c: Look for kerberos-#.realm.
+
+	* appl/ftp/ftpd/popen.c: Execute files from ~ftp if possible.
+
+	* appl/ftp/ftpd/ftpd.c: Add find site command.
+
+	* appl/ftp/ftpd/ftpd.c: Add special handling of nonexistant files
+ 	with extensions {,.tar}{,.gz,Z}.
+
+Sat Sep 28 1996
+
+	* configure.in: Check for sys/times.h, sys/param.h, and
+ 	sys/timeb.h
+
+	* lib/des: autoconfed a little to make it compile.
+
+	* lib/roken/roken.h: Add `max', `min', and definitions for broken
+ 	syslogs.
+
+	* appl/bsd/bsd_locl.h: Removed SYSLOG-garbage and max.
+
+	* appl/kx/kx.h: Remove prototype of childhandler.
+
+	* appl/kx/common.c: Remove childhandler.  Not common any more.
+
+	* appl/kx/rxterm.in: Send SIGUSR1 to kx before starting xterm.
+
+	* appl/kx/rxtelnet.in: Send USR1 to kx at appropriate moment.
+
+	* appl/kx/kx.c: Die after receiving SIGUSR1 and when number of
+ 	children goes to zero.
+
+	* lib/roken/roken.h: Add STDERR_FILENO
+
+	* lib/roken/mini_inetd.c (mini_inetd): Also dup onto stderr.
+
+	* lib/kafs/Makefile.in (afslib.so): Change argument so they work
+ 	with `ld' instead of `cc'
+
+	* appl/kx/kxd.c: writeauth.c as separate file.
+
+	* appl/kx/kx.c: `-d' option to disable forking.
+
+	* appl/kx/Makefile.in: Compile and link writeauth.c if necessary.
+  	For some stupid reason $< does not work correctly in BSD make.
+  	Use $(srcdir) instead.
+
+	* appl/ftp/ftp/ftp_locl.h: Only include <roken.h> once.
+
+	* configure.in: Use strange X flags when looking for XauReadAuth.
+  	Add XauWriteAuth if we need to include it.
+
+Fri Sep 27 1996
+
+	* appl/sample: Sample programs work again.
+
+
+	* appl/kx/kxd.c (main): use `mini_inetd'
+
+	* appl/kx/kx.c: Use KX_PORT
+
+	* appl/kx/kx.h: Remove SOMAXCONN and add KX_PORT
+
+	* appl/kauth/kauthd.c (main): use `mini_inetd'
+
+	* appl/ftp/ftpd/ftpd.c: Removed `conn_wait' and use `mini_inetd'
+ 	instead.
+
+	* appl/bsd/bsd_locl.h: Prototypes for `get_shell_port' and
+ 	`get_login_port'
+
+	* appl/bsd/rcmd_util.c: New file.
+
+	* appl/bsd/Makefile.in: Added rcmd_util.c
+
+	* appl/bsd/rcp.c: Moved `get_shell_port' to rcmd_util.c
+
+	* appl/bsd/rsh.c: Moved `get_shell_port' to rcmd_util.c
+
+	* appl/bsd/rlogind.c (main): Use `mini_inetd'
+
+	* appl/bsd/rshd.c (main): Add support for interactive mode with
+ 	`-i'.
+
+	* appl/telnet/telnetd/telnetd.c (main): use `mini_inetd'
+
+	* lib/roken/roken.h: Added prototype for `mini_inetd', and
+ 	fallback definitions for SOMAXCONN, STDIN_FILENO, and
+ 	STDOUT_FILENO.
+
+	* lib/roken/Makefile.in: Added mini_inetd.o
+
+	* lib/roken/mini_inetd.c: New file.
+
+Thu Sep 26 1996
+
+	* appl/kx/kxd.c (doit): read port number in ascii.
+
+	* appl/kx/kx.c (doit): write port number in ascii.
+
+	* appl/kauth/rkinit.c (doit_host): Check return value from
+ 	`read_encrypted'.
+
+	* appl/kauth/kauthd.c (doit): Removed unnecessary sprintf's before
+ 	syslog.
+
+	* lib/krb/krb_get_in_tkt.c (krb_get_in_tkt): Return error code
+ 	from `tf_create' and not always INTK_ERR.
+
+	* lib/krb/tf_util.c (tf_create): Correct check for return value
+ 	from `open'.
+
+	* lib/des/rnd_keys.c (des_rand_data): Try /dev/urandom as well.
+
+Wed Sep 25 1996
+
+	* appl/afsutil/pagsh.c (main): One-of error hopefully fixed this
+ 	time.
+
+	* configure.in: Add test for <sys/un.h>
+
+	* kadmin/Makefile.in: Add back $(CRACKLIB)
+
+Mon Sep 16 1996
+
+	* appl/kx/Makefile.in: Create rxterm and rxtelnet at compile time.
+
+	* kstring2key moved to appl/afsutil.
+
+Sun Sep 15 1996
+
+	* appl/kx/kx.c (main): For now always use passive mode.  That's
+ 	the only thing that has been tested and not a lot of people are
+ 	going to use non-passive anyways.
+
+	* appl/kx/kx.c (connect_host): write display_number in ascii.
+
+	* appl/kx/kxd.c (doit): read display_number in ascii.
+
+	* appl/kx/common.c (get_local_xsocket): Generate the
+ 	/tmp/.X11-unix directory with the sticky bit set.
+
+	* configure.in: Generate appl/kx/rxterm and appl/kx/rxtelnet.
+
+	* appl/kx/Makefile.in: Install rxterm and rxtelnet.
+
+	* appl/kx/rxterm.in, appl/kx/rxtelnet.in: New files.
+
+	* appl/kx/common.c (get_local_xsocket): try to bind the socket
+ 	instead of checking for existence with lstat.
+
+
+	* appl/kx/kxd.c: Detect remote termination and cleanup on exit.
+
+Sat Sep 14 1996
+
+	* lib/des/rnd_keys.c: Hack for systems that lack setitimer (like
+ 	crays).
+
+
+	* appl/kx/kxd.c (doit): Send over the display number and the
+ 	authority file actually used to kx.
+	
+	(create_and_write_cookie):  New function to generate and write into a
+	file a local cookie used between this pseudo-server and the
+ 	clients on this host.
+	
+	(start_session):  New function to check and remove the local cookie
+	before the data is sent over to `kx'.
+
+	* appl/kx/kx.c (display_num, xauthfile): New variables.  Now `kx'
+ 	prints out the values of those two variables and then goes to the
+ 	background to enable some script to set these on the other host.
+	
+	(start_session): New function that adds a local cookie before sending
+	the rest of the connection to the local X-server.
+	
+	(main): Also recognize "unix" as a local DISPLAY.
+
+	* appl/kx/kx.h: <X11/Xauth.h> used.
+	(get_local_xsocket): Changed parameter.
+
+	* appl/kx/common.c (get_local_xsocket): Now try to allocate the
+ 	first free socket in /tmp/.X11-unix.  Also `mkdir' this directory
+ 	first.  Return the number of the display opened.
+
+	* appl/kx/Makefile.in: Added X libraries.
+
+	* lib/des/des.h: Added prototype for `des_rand_data'.
+
+	* lib/des/rnd_keys.c: Made `des_rand_data' non-static.  This
+ 	function is useful and now even used.
+
+Wed Sep 11 1996
+
+	* appl/bsd/login.c: Use k_afs_cell_of_file() to get tokens for the
+ 	cell of the home catalog rather than the local cell.
+
+	* lib/kafs/afssys.c: Add k_afs_cell_of_file.
+
+Tue Sep 10 1996
+
+	* appl/telnet/telnetd/telnetd.c, appl/telnet/telnetd/sys_term.c:
+ 	Removed all convex code.
+
+Mon Sep 9 1996
+
+	* appl/telnet/telnetd/termstat.c: UNICOS5: removed
+
+	* appl/telnet/telnetd/telnetd.c, appl/telnet/telnetd/sys_term.c:
+ 	NEWINIT, UNICOS7x, UNICOS5: removed
+	
+	STREAMSPTY: added variable `really_stream' Now able to handle the
+ 	case where the OS supports stream ptys but we run out of them and
+ 	start using ordinary BSD ones.
+
+	* appl/telnet/telnetd/state.c: UNICOS5: removed
+
+	* appl/telnet/telnetd/pathnames.h: BFTPPATH: removed
+
+	* appl/telnet/telnetd/ext.h, appl/telnet/telnetd/global.c:
+	BFTPDAEMON: removed.
+	UNICOS5: removed.
+	
+	* appl/telnet/telnetd/ext.h: STREAMSPTY: added variable
+ 	`really_stream'.
+
+	* lib/krb/stime.c (krb_stime): argument should be `time_t'.
+	lib/krb/krb_locl.h: changed prototype.
+
+Sun Sep 8 1996
+
+	* configure.in: Also generate `appl/sample/Makefile'
+
+	* appl/Makefile.in: Use @SET_MAKE@.
+	Include sample
+
+	* lib/krb/Makefile.in: Add krb_stime, krb_mk_auth, and
+ 	krb_check_auth.
+
+	* util/et/compile_et.c (main): Include <foo.h> in foo.c
+
+	* slave/kprop.c: exit with return code == 1 to indicate failure.
+
+	* server/kerberos.c (usage): Fixed usage string.
+
+	* lib/krb/tkt_string.c (tkt_string): Removed bogus extern
+ 	declaration of `getuid'.
+
+	* lib/krb/tf_util.c (tf_save_cred): Removed bogus extern
+ 	declaration of `lseek'.
+
+	* lib/krb/stime.c (stime): Renamed to `krb_stime'
+
+	* lib/krb/sendauth.c (krb_sendauth): reimplemented using
+ 	`krb_mk_auth' and `krb_check_auth'.
+
+	* lib/krb/send_to_kdc.c (send_recv): Removed stupid cast.
+
+	* lib/krb/recvauth.c: Removed KRB_SENDAUTH_VERS
+
+	* lib/krb/prot.h: create_auth_reply: correct prototype.
+  	krb_create_death_packet: ditto.
+	KRB_SENDAUTH_VERS: moved here from sendauth.c and recvauth.c
+
+	* lib/krb/month_sname.c: Made `month_sname' const.
+
+	* lib/krb/mk_req.c: Remove stupid `register'
+
+	* lib/krb/log.c (krb_log): Use `krb_stime'
+
+	* lib/krb/kuserok.c (kuserok): Nightmare Filesystem might return
+ 	ESTALE.  Treat it the same way as ENOENT.
+
+	* lib/krb/krb_locl.h: Added prototype for `krb_stime'
+
+	* lib/krb/krb_check_auth.c: New file with `krb_check_auth',
+	implemented for compatibility with CNS.
+	lib/krb/krb_mk_auth.c: Ditto.
+
+	* lib/krb/krb.h: Removed duplicate declarations of `get_request'
+ 	and `krb_get_admhst'.
+	Added declarations for `krb_mk_auth' and `krb_check_auth'.
+
+	* lib/krb/kparse.h: removed prototype for `strsave'
+
+	* lib/krb/kparse.c (fGetParameterSet): Use `strdup' instead of
+ 	`strsave'.
+	(strsave): Removed.
+
+	* lib/krb/kname_parse.c: Removed stupid `register' declarations.
+
+	* lib/krb/klog.c (klog): Use `krb_stime'
+
+	* lib/krb/get_phost.c: Handle the case where the name has no dots
+ 	in it by just returning it as-is.
+
+	* lib/knet/Imakefile, lib/knet/getkdata.c, lib/knet/phost.c,
+	lib/knet/sendkdata.c: removed unused files.
+
+	* lib/kadm/kadm_cli_wrap.c (kadm_init_link): use `k_getportbyname'
+
+	* kadmin/ksrvutil_get.c (get_srvtab_ent): Erase the key if
+ 	something goes wrong.  Include realm in the message when writing a
+ 	key.
+	(parseinput): New function that removes quotes and backslashes
+ 	from input.
+	(ksrvutil_get): Use `parseinput' to read input.
+
+	* kadmin/ksrvutil.c (safe_read_stdin): Correct use of printf.
+  	Removed bogus casts and fflush of stdin.
+	(main): Use `return' instead of `exit'.
+
+	* kadmin/kpasswd.c (main): Use `return' instead of `exit'.
+
+	* kadmin/admin_server.c: exit with return code == 1 to indicate
+ 	failure.
+
+	* appl/sample/sample_server.c: Rewrote to use all new functions.
+
+	* appl/sample/sample_client.c: Rewrote to use all new functions.
+
+	* appl/sample/sample.h: new file.
+
+	* appl/sample/Makefile.in: new file.
+
+	* appl/movemail/pop.c (socket_connection): use `k_getportbyname'
+
+	* appl/kpopper/pop_init.c: exit with return code == 1 to indicate
+ 	failure.
+
+	* appl/kauth/kauth.c (doexec): new-style definition.  ret should
+ 	be a `pid_t'.
+	(main): new-style definition.  Use `prog' instead of `argv[0]'
+
+	* appl/ftp/ftp/extern.h: Removed unused `abortsend'
+
+	* appl/ftp/Makefile.in: Use @SET_MAKE@
+
+	* appl/bsd/rsh.c: get_shell_port: use `k_getportbyname'
+
+	* appl/bsd/rlogin.c: get_login_port: use `k_getportbyname'
+
+	* appl/bsd/kcmd.c: Removed bogus casts to `caddr_t'
+
+	* admin/kstash.c: Removed bogus flushing of stderr.  Replaced lots
+ 	of `exit(-1)' by `return 1'
+
+	* admin/kdb_util.c: Removed unused variable `aprinc'.
+	Removed bogus flushing of stderr.
+	Replaced lots of `exit(-1)' by `return 1'.
+
+	* admin/kdb_edit.c, admin/kdb_init.c: use `return' instead of
+ 	calling `exit' and use 1, not -1, for failure.
+
+	* Makefile.in: Use @SET_MAKE@
+
+	* aclocal.m4: AC_NEED_PROTO: need macro to determine if we need to
+ 	define a prototype for a function.
+
+	* configure.in: Reordered.  Removed unused stuff.  Start using
+ 	AC_NEED_PROTO.
+
+	* config.guess: merged in FSF version from 960908.
+
+Tue Sep 3 1996
+
+	* include/protos.H: Added optarg, opterr, optind, optopt and
+ 	(fclose under Sunos 4).  Removed these declarations from lots of
+	other files.
+
+	* acconfig.h: Add undefs for h_errno, h_errlist, optarg, optind,
+ 	opterr, and optopt.
+
+	* configure.in: Use `AC_NEED_DECLARATION' for h_errno, h_errlist,
+ 	optarg, optind, opterr, and optopt.
+
+	* aclocal.m4: New macro `AC_NEED_DECLARATION' to figure out if we
+ 	need to have an external declaration of a variable.
+
+Mon Sep 2 1996
+
+	* lib/krb/krb.h: Removed unused `req_act_vno' and `k_log'.
+  	Changed all callers.
+
+	* lib/krb/krb.h: Removed definition of `MAX_HSTNM'.
+
+	* lib/krb/send_to_kdc.c: Removed use of `MAX_HSTNM'.
+
+	* appl/afsutil/pagsh.c: Some reformatting and fixed the off-by-one
+ 	args bug.
+
+Sat Aug 31 1996
+
+	* lib/krb/{send_to_kdc.c, getrealm.c}, appl/xnlock/xnlock.c,
+ 	appl/kauthkauth.c, appl/bsd/{rshd.c,rlogind.c}: Removed '#if 0'-ed
+ 	code.
+
+	* lib/krb/get_in_tkt.c: Removed '#if 0'-ed code and now compiles
+ 	with NOENCRYPTION.
+
+	* kadmin/ksrvutil.c: Now compiles with NOENCRYPTION.
+
+	* appl/ftp/ftpd/ftpcmd.y: Throw away passwd after use.
+
+	* appl/ftp/ftpd/ftpd.c: Fixed old comment.
+
+	* slave/kpropd.c: s/sa_len/salen/ Irix has a #define for sa_len.
+	
+	* lib/kdb/krb_dbm.c: If key->dptr is not a `char *' we have to
+ 	cast it before adding to it.
+
+	* configure.in: Old test for `sa_len' in `struct sockaddr' fails
+ 	on IRIX 6.2.  Try to compile a program refering to that field
+ 	instead of grepping for it in <sys/socket.h>.
+
+	* appl/bsd/kcmd.c: Removed old and broken code.
+
+	* configure.in: Check for `gethostname', `uname', and
+ 	<sys/utsname.h>
+
+	* lib/krb/k_gethostname.c: Try to use `uname' if we have no
+ 	`gethostname'.
+
+	* appl/ftp/ftpd/klogin.c: Incorrect use of `gethostname' replaced
+ 	by correct use of `k_gethostname'.
+
+
+	* lib/roken/verify.c: Change name verify_unix_user ->
+ 	unix_verify_user in analogy with krb_verify_user.
+
+Fri Aug 30 1996
+
+	* appl/xnlock/Makefile.in: Install man-page.
+
+	* configure.in, */Makefile.in: Replace `-shared' with some other
+ 	option when not using gcc.
+
+	* lib/kafs/afssys.c: Do not start by checking if we have AFS in
+ 	`k_afsklog'.
+
+	* appl/bsd/rlogin.c: More kludges to make it work with rlogin on
+ 	linux: Do not select for an exceptional condition on `rem' after
+ 	having received EINVAL.
+	
+	Also rewrote ifndef NOENCRYPTION stuff.
+
+	* appl/bsd/rlogind.c: More kludges to make it work with rlogin on
+ 	linux: Only send oob data just after having sent normal data to
+ 	make sure we never send two consecutive bytes of oob data.
+
+	Also rewrote ifndef NOENCRYPTION stuff.
+
+Thu Aug 29 1996
+
+	* lib/kafs/Makefile.in: Use `ld' instead of `cc' for linking
+ 	afslib.so.  Not everybody has cc.
+
+Wed Aug 28 1996
+
+	* Release 0.9.2a
+
+Mon Aug 26 1996
+
+	* appl/bsd/login.c: Clean-up.  Made static a lot of functions and
+ 	variables.  Rewrote some function definitions to ANSI-style.
+
+	* appl/bsd/sysv_environ.c: KRB4_MAILDIR may and may not contain a
+ 	trailing slash.  We need to be very careful to make sure the
+ 	contents of $MAIL does not contain two, because RMAIL in emacs
+ 	uses it and emacs is no friend with double slashing.
+
+
+	* lib/kafs/afssys.c (k_afsklog_all_local_cells): Now should return
+ 	correct value.
+
+Sun Aug 25 1996
+
+	* Release 0.9.2.
+
+Sat Aug 24 1996
+
+	* lib/roken/hstrerror.c: Check for h_errlist prototype.
+
+Thu Aug 22 1996
+
+	* lib/krb/send_to_kdc.c, etc/services.append, server/kerberos.c:
+ 	Changed `kerberos' to `kerberos-iv' now that it has been
+ 	registered with IANA.
+
+	* man/rshd.8, man/rlogind.8: updated documentation of `-a'
+
+	* lib/roken/roken.h: Added declaration of `h_errno'
+
+	* kuser/Makefile.in: Link kdestroy with KRB_KAFS_LIB
+
+	* appl/kauth/kauth.h: Stupid declarations for syslog.
+
+	* appl/kauth/kauthd.c: syslog errors and success.
+
+	* include/protos.H: Removed `h_errno', now in roken.h Declare
+ 	`getusershell' under solaris.
+
+	* configure.in, acconfig.h: Figure out if we have to declare
+ 	`h_errno'.
+
+	* appl/ftp/ftp/kauth.c: Added support for afs_string_to_key.
+
+Wed Aug 21 1996
+
+	* lib/kafs/afssys.c: Look for AFS database servers in dns also.
+
+	* lib/kafs/afssys.c: Add support for a ~/.TheseCells-file.
+
+Sun Aug 18 1996
+
+	* appl/bsd/rlogind.c: Removed unused `check_all' variable.  Use
+ 	`inaddr2str'.
+
+	* appl/bsd/rshd.c: Use `inaddr2str'.
+	
+	* appl/bsd/iruserok.c: Removed potential buffer overrun after
+ 	`gethostbyaddr'.
+
+	* lib/roken/inet_aton.c: Some const-ness.
+
+	* lib/roken/Makefile.in: Add `inaddr2str.o'.
+
+	* appl/ftp/ftpd/ftpd.c: Use `inaddr2str'.
+
+	* lib/roken/inaddr2str.c, lib/roken/roken.h: New function
+ 	`inaddr2str' to convert an IP address into a verified hostname or
+ 	a string of the form x.y.z.a
+
+	* lib/krb/{krb_locl.h, krb.h, k_name_to_name.c, k_getsockinst.c,
+ 	getrealm.c}: Some const-ness.
+	
+	* appl/bsd/bsd_locl.h: Removed another prototype for `crypt'.
+
+	* appl/kpopper/popper.h: Some const-ness to get rid of a warning.
+
+	* appl/bsd/rshd.c: Always check reverse mapping.  Removed
+ 	`local_domain' and `top_domain'.  Added some const-ness.
+
+Sat Aug 17 1996
+
+	* include/Makefile.in: Removed VPATH.  With it this makefile does
+ 	not work correctly.
+
+	* lib/krb/rw.c, lib/krb/krb_locl.h: Changed parameters to
+ 	`krb_{get,put}'-functions to void *.
+
+	* include/protos.H: Add `getusershell' in solaris.
+
+	* appl/kauth/kauthd.c, appl/bsd/{rlogin.c,rlogind.c}: Less
+ 	warnings because of arguments to `setsockopt'.
+
+	* lib/roken/roken.h: Fixed prototype of `inet_aton'
+
+Wed Aug 14 1996
+
+	* lib/roken/verify.c: Use <crypt.h> if there is one.
+
+	* lib/kafs/Makefile.in: AFS_EXTRA_LIBS is always called
+ 	`afslib.so'.  Otherwise some makes get upset when there is no such
+ 	library to be made.
+
+	* appl/telnet/telnetd/telnetd.h: <protos.h> are needed to get
+ 	prototype for `ptsname'.
+
+	* appl/bsd/rlogind.c, appl/kpopper/pop_dropinfo.c,
+	appl/telnet/libtelnet/{auth.h,enc_des.c,kerberos.c},
+	appl/telnet/telnet/utilities.c, appl/telnet/telnetd/{sys_term.c,
+	telnetd.h, kadmin/admin_server.c, kuser/klist.c,
+	lib/kdb/{krb_cache.c, krb_dbm.c}, lib/krb/{fgetst.c, getst.c,
+	log.c, tf_util.c}: Include type `int' on all definitions and
+ 	remove unnecessary `register'.
+
+	* appl/bsd/login_access.c: Fix parameter declaration to
+ 	`netgroup_match'.
+
+	* appl/bsd/forkpty.c, include/protos.h: s/__sgi__/__sgi//g
+
+	* admin/kdb_util.c: Use `errno' for error message instead of
+ 	uninitialized variable.
+
+Tue Aug 13 1996
+
+	* appl/kauth/rkinit.c: Default port should be the same in kauth
+ 	and kauthd.
+
+Sun Aug 11 1996
+
+	* configure.in: Added `AC_REVISION'
+
+	* slave/kpropd.c: Cleaned up structure.  Now returns useful value.
+
+	* lib/roken/verify.c: Broken OSes need declartion of `crypt'.
+
+	* lib/roken/roken.h: Added prototype for `verify_unix_user'.
+
+	* lib/krb/lsb_addr_comp.h: Added prototype for `lsb_time'.
+
+	* lib/krb/{get_admhst.c, get_default_principal.c, get_krbhst.c,
+ 	get_krbrlm.c, getrealm.c, realm_parse.c} : Check for buffer
+ 	overwrite correctly.
+
+	* lib/krb/rw.c, lib/krb/krb_locl.h: Prepended `krb_' to `get_int',
+ 	`put_int', `get_address', `put_address', `put_string',
+ 	`get_string', `get_nir', and `put_nir'.  Changed all callers.
+
+	* lib/kdb/krb_db.h: Added prototype for `kerb_delete_principal'
+ 	and `kerb_db_delete_principal'.
+
+	* lib/kadm/kadm_cli_wrap.c: Removed unused variable.
+
+	* appl/telnet/telnetd/telnetd.c: Changed bogus `strncpy' to
+ 	`strcpy'.
+
+	* appl/bsd/su.c: Fixed error messages from execv.
+
+	* appl/bsd/rlogin.c: Fixed potential buffer overrun when reading
+ 	"TERM".
+
+Thu Aug 8 1996
+
+	* appl/telnet/telnet/commands.c, appl/kauth/rkinit.c: Replaced
+ 	`herror' by `hstrerror'.
+	
+	* appl/bsd/login.c: chmod the tty so that it is writable for group
+ 	tty.
+
+	* configure.in: Use AC_FIND_IF_NOT_BROKEN for herror and
+ 	hstrerror.
+
+	* aclocal.m4: New macro `AC_FIND_IF_NOT_BROKEN'
+
+	* config.guess: Add 686
+
+Tue Aug 6 1996
+
+	* lib/krb/getrealm.c: Fallback for `T_TXT'
+
+	* configure.in: Look for `res_search' and `dn_expand' in
+ 	libresolv.
+
+Mon Aug 5 1996
+
+	* */Makefile.in: Add Id to those missing it.
+
+	* configure.in: Small fix in comment.
+
+
+	* Release 0.9.1.
+
+
+	* appl/ftp/ftpd/ftpcmd.y: s/timeout/ftpd_timeout/
+
+	* appl/kstring2key/kstring2key.c: `usage' changed to void.
+
+	* lib/krb/mk_req.c: `build_request' changed to void.
+
+	* appl/ftp/ftp/ftp_locl.h: Changed order of includes.
+
+	* appl/bsd/login.c, appl/ftp/ftpd/*: s/timeout/login_timeout/
+
+	* lib/kafs/afssysdefs.h: undef AFS_SYSCALL if we are defining it.
+
+Sun Aug 4 1996
+
+	* lib/kafs/afssys.c: AIX systems will now correctly (I hope)
+ 	detect whether AFS is loaded or not. This is currently a bit
+ 	kludgy, and involves loading an external shared library,
+ 	afslib.so, which can be put in athena/lib or pointed to with
+ 	environment variable AFSLIBPATH.  This is only tested on AIX 4
+ 	(due to lack of an AIX 3 system).
+
+
+	* lib/krb/getrealm.c: Range-check the result from the DNS.
+
+	* lib/krb/get_krbrlm.c: Try to use the DNS to find out which realm
+ 	this host belongs to.
+
+	* kadmin/ksrvutil_get.c: Fixed error message.
+
+
+	* lib/kafs/*: Fix aix/afs brokenness.
+
+	* lib/kadm/kadm_stream.c (stv_string): Range check.
+
+Fri Jul 26 1996
+
+	* appl/ftp/common/{ftp,ruserpass}.c: Less bogus domain name
+ 	handling.
+
+Mon Jul 22 1996
+
+	* lib/krb/mk_req.c: Use encrypt_ktext()
+
+	* configure.in, lib/kafs/afssys.c: Add option to exclude AFS
+ 	support (this is useful only on AIX systems that doesn't have
+ 	AFS).
+
+	* configure.in: Removed configuration from subdirectories.
+
+Sat Jul 13 1996
+
+	* appl/ftp/ftp/extern.h, appl/ftp/ftp/ftp.c: Substitute `struct
+ 	fd_set' with `fd_set'.
+
+Mon Jul 8 1996
+
+	* Makefile.in: install should depend on all.
+
+Sun Jul 7 1996
+
+	* appl/bsd/su.c: Allow root to set the uid without entering a
+ 	password.
+
+Fri Jul 5 1996
+
+	* lib/krb/getrealm.c: Add automatic dns realm search.
+
+Thu Jul 4 1996
+
+	* lib/krb/log.c (krb_log): Renamed k_log(...) to krb_log(...) for
+ 	compatibility with CNS. There is still a #define k_log krb_log.
+
+	* util/et/et_list.c: Hack to resolve _et_list in shared libraries.
+
+Fri Jun 28 1996
+
+	* appl/bsd/rlogin.c (reader): If after a select rlogin fails to
+ 	read expected OOB data try to read ordinary data before	continuing.
+
+	* appl/bsd/rlogin.c (oob_real): SunOS5 tty race kludge.
+
+	* appl/bsd/rlogind.c: Cleanup oobdata stuff.
+
+Thu Jun 27 1996
+
+	* appl/bsd/login.c (main): Also check for complete tty name with
+ 	`rootterm'.
+
+	* lib/krb/check_time.c: New function `krb_check_tm'.
+
+	* lib/roken/tm2time.c: New function `tm2time', mktime generalized
+	to local timezone and UTC.
+
+	* kadmin, admin: Use `tm2time' and `krb_check_time' instead of
+ 	`maketime'.
+
+Tue Jun 25 1996
+
+	* lib/krb/mk_priv.c (krb_mk_priv): Send correct address.
+
+	* appl/kauth/kauthd.c: Set ticket file to some sane default, and
+ 	add -i debugging switch.
+
+Mon Jun 24 1996
+
+	* appl/xnlock, appl/kauth, appl/telnet/telnetd: Use BINDIR and not
+	`/usr/athena/bin'.
+
+Wed Jun 19 1996
+
+	* appl/bsd/rlogin.c: consistent usage of oob_real.
+
+	* appl/bsd/rlogind.c: Do not send oob garbage when running
+ 	solaris?  Seems that linux is unable to handle the duplicate
+ 	urgent data that is the result.
+	
+	* appl/bsd/rlogind.c: Fix usage.
+
+	* appl/bsd/kcmd.c: Don't F_SETOWN.
+
+Mon Jun 17 1996
+
+	* lib/krb/rw.c: Add get_address() and put_address().
+
+
+	* appl/telnet/telnetd/telnetd.c: updated usage
+
+	* appl/bsd/su.c: Replaced getpass by des_read_pw_string
+
+	* appl/bsd/forkpty.c (ptym_open): Removed unused `ptr2'.
+
+	* appl/bsd/rlogind.c: Removed unused functions and made others
+ 	static.
+
+Sun Jun 16 1996
+
+	* Release 0.9.
+	
+
+	* appl/ftp/ftpd/ftpd.c: Don't just send data in plain when doing
+ 	NLST.
+
+
+	* configure.in: test for setresgid.
+
+	* kadmin/ksrvutil_get.c: Fixed byte manipulations of keys.
+
+Sat Jun 15 1996
+
+	* lib/des/rnd_keys.c (des_rand_data): At least `srandom'.
+
+	* appl/ftp/ftp/cmds.c: Support longer passwords when retrying
+ 	login.
+
+	* kadmin/admin_server.c, man/kadmind.8, kth-krb.texi: Reading key
+ 	file from file is now the default.  Use `-m' to enter it manually.
+  	`-n' is currently a no-op.
+
+	* appl/ftp/ftpd/ftpd.c: Add S/Key support.
+
+	* appl/ftp/ftpd/Makefile.in: Link with S/Key.
+
+	* appl/ftp/configure.in: Test for S/key.
+	
+	* configure.in, aclocal.m4: Moved skey test
+	to aclocal.m4.
+
+	* appl/bsd/login.c: Correct argument to `skeyaccess'.
+
+Fri Jun 14 1996
+
+	* lib/krb/verify_user.c: New parameter to specify service key
+	instance, NULL means "rcmd".
+
+	* lots of files: All ticket filenames uses `TKT_ROOT'.
+
+	* appl/bsd/rlogind.c: Check for uid == 0 and user != "root".
+
+Tue Jun 11 1996
+
+	* appl/kpopper/pop_init.c(pop_init): Got rid of some old ifdef'ed
+	code.
+
+	* lib/kdb/krb_dbm.c: Add macro for `dbm_delete' for the people
+ 	that are ndbm challenged.
+
+Mon Jun 10 1996
+
+	* lib/krb/kname_parse.c: Got rid of duplicate defintions.
+
+	* appl/ftp/ftp/ruserpass.c: Get hostname even if user has no
+ 	'.netrc' file.
+
+
+	* lib/kadm, lib/kdb, kadmin: Add database delete operation.
+
+	* lib/krb/kname_parse.c: Allow dots in instances.
+
+
+	* appl/bsd/rlogind.c (logwtmp): Only define `logwtmp' if it does
+	not exist.  Log more garbage.
+
+Sun Jun 9 1996
+
+	* appl/telnet/configure.in: Check for `logwtmp'.
+
+	* appl/ftp/configure.in: Use `AC_FUNC_MMAP'
+
+
+	* appl/bsd/forkpty.c: Removed all ugly pty search stuff from
+ 	ptym_open().
+
+	* configure.in: Modified the creation of version.h, now actually
+ 	shows up with ident.It is now also slightly more keen on creating
+ 	a new version.h.
+
+Sat Jun 8 1996
+
+	* lib/roken/verify.c: <stdio.h> for NULL.
+
+	* appl/xnlock/xnlock.c (leave): Call XCloseDisplay, otherwise
+ 	screen saver changes are not updated before closing the X
+ 	connection.
+
+
+	* appl/bsd/utmp_login.c: Remove tty-prefix from ut_id; this field
+ 	is usually very short.
+
+Fri Jun 7 1996
+
+	* slave/kpropd.c: Add option -m to merge rather then load
+ 	database.
+
+Thu Jun 6 1996
+
+	* admin/kdb_util.c: Add a merge operation.  (One day it might be
+ 	used to propagate only patches to the database)
+
+Wed Jun 5 1996
+
+	* appl/kpopper: Support both POP3 and KPOP3.
+
+	* appl/xnlock/xnlock.c: Use `verify_unix_user'
+
+	* lib/roken/verify.c: verify_unix_user: New function from xnlock
+ 	for checking passwd in `/etc/passwd'.
+
+	* appl/telnet/telnetd/sys_term.c: gettimeofday buglet
+
+
+	* slave/kpropd.c: Rewrite of kpropd.
+
+	* admin/kdb_util.c: Sanity check on input to load_db.
+
+	* slave/kpropd.c: Use default value for fname.
+
+	* slave/kprop.c: Use some sane default values for data_file and
+ 	slaves_file.
+
+	* admin/kdb_util.c: If there isn't any database when loading,
+ 	create an empty one.
+
+Mon Jun 3 1996
+
+	* appl/telnet/telnetd/sys_term.c: Somewhat changed the way utmpx
+ 	entries are created. It should now work on both Solaris and IRIX,
+ 	without stale login information.
+
+Sat Jun 1 1996
+
+	* lib/krb/k_gethostname.c (k_gethostname): Fallback.
+
+	* lib/krb/send_to_kdc.c (send_to_kdc),
+	  kadmin/kadm_ser_wrap.c (kadm_ser_init),
+	  slave/kprop.c (prop_to_slaves),
+	  slave/kpropd.c (main): Use `k_getportbyname'.
+
+Fri May 31 1996
+
+	* Lots of files: more #includes ifdefad and cleaned up.
+
+Thu May 30 1996
+
+	* Lots of files: Replaced bcopy/bzero/bcmp with
+ 	memcpy/memset/memcmp.
+
+
+	* lib/krb/get_default_principal.c: Use getlogin() if it is the BSD
+ 	variant that actually gives some information.
+
+	* lib/krb/create_ticket.c: Write correct address byteorder.
+
+	* lib/kadm/kadm_stream.c,kadm_cli_wrap.c: Don't assume int32_t is
+ 	four bytes.
+
+	* kadmin/kpasswd.c: Allow principal without -n.
+
+	* kadmin/kadmin.c: Use krb_get_default_principal.
+
+	* appl/ftp/ftpd/ftpd.c: Fix bare newline bug.
+
+	* appl/bsd/rlogind.c: Add -i and -p options to start rlogind from
+ 	command line (for debugging).
+
+	* INSTALL: Rewritten.
+
+Wed May 29 1996
+
+	* appl/ftp/ftp/krb4.c: Handle different sizes of returned
+ 	checksum.
+
+
+	* appl/bsd/Makefile.in: Don't install login setuid.
+
+Fri May 24 1996
+
+	* appl/bsd/rsh.c: Don't run away yelling if someone calls you
+ 	`remsh'.
+
+Sun May 19 1996
+
+	* lib/krb/kdc_reply.c: Remove unused function decrypt_tkt. Sanity
+ 	check on decrypted ticket.
+
+Wed May 15 1996
+
+	* server/kerberos.c: Should work with the new libkrb
+
+	* appl/kip: Support more than one tunnel device.
+
+
+	* lib/krb/*.c: All functions that create or decode kerberos
+ 	packets have been rewritten.  Hopefully, everything still
+ 	works. This is to eliminate problems with wierd systems, like
+ 	Crays, that doesn't have any two or four byte integers. Some of
+ 	these changes could be a lot more pretty, and *many* assumptions
+ 	that sizeof(int32) == 4 still exist in the rest of the code,
+ 	though.
+
+	As a side effect, all packets sent are now in network byte order.
+
+Mon May 13 1996
+
+	* configure.in: Shared libraries for Irix
+
+
+	* Several fixes for UNICOS.
+
+	* appl/ftp/ftp/krb4.c: Allow default data protection level through
+ 	a "prot level" in .netrc. This really should be done in a more
+ 	useful manner.
+
+Sun May 12 1996
+
+	* appl/xnlock/xnlock.c: Cleaned up user verification code. Now
+ 	uses new function krb_verify_user.  Also fixed a few problems with
+ 	the password prompt box.
+
+	* lib/krb/verify_user.c: New function krb_verify_user to verify a
+ 	user with kerberos.
+
+
+	* appl/kip: New program for forwarding IP packets over kerberised
+	connections using tunnel devices.
+
+	* appl/kauth/kauth.c, kadmin/ksrvutil.c: Use
+ 	krb_get_default_principal
+
+	* appl/bsd/rlogind.c: Do not change portnumber to host order if
+ 	using kerberos.  This will cause the magic
+ 	`reverse-time-if-port-is-less-than' to fail.
+
+	* lib/des/GNUmakefile: Removed file.  This file causes problem
+	when building in the source directory and when using GNU make
+	which prefers this file to the generated Makefile.
+
+	* appl/bsd/login.c: More careful when handling returned value from
+ 	`getspnam'.
+
+Sat May 11 1996
+
+	* lib/krb/realm_parse.c: New function to expand a non-complete
+ 	realm to its official name, e.g nada -> NADA.KTH.SE.
+
+	* lib/krb/get_default_principal.c: New function to guess the
+ 	default principal to use. Looks at any existing ticket file first,
+ 	then at uid/logname etc.
+
+
+	* kadmin/kadmin.c: Use kname_parse and allow different instances
+ 	and realms.
+
+	* lib/roken/k_getpwnam.c: New function k_getpwnam that should work
+ 	with and without shadow passwords.
+
+	* Lots of files: s/getpwnam/k_&/g.
+
+Tue May 7 1996
+
+	* lib/des/des_locl.h: DES library updated to version 3.23,
+ 	des_locl.h now includes configure.h to get HAVE_TERMIOS etc.
+
+	* lib/des/des.h: On the alpha define DES_LONG to unsigned int.
+	
+
+	* kuser/kinit.c: Handle passwords longer than 16 characters.
+
+	* appl/xnlock/xnlock.c (GetPasswd): Handle longer passwords than
+	16 characters.
+
+Sun May 5 1996
+
+	* Release 0.8.
+
+
+	* appl/ftp/ftpd/kauth.c: Klist command.
+
+
+	* appl/ftp/ftpd: Removed `-g' from calls to ls.
+
+	* appl/ftp/ftp/cmds.c (setpeer): Fix so that opening a second
+	connection to a specified port works.
+
+	* appl/telnet/telnet: Default is binary.
+
+	* appl: Now build under Ultrix.
+
+	* appl/kx: Now even builds on AIX.
+
+Sat May 4 1996
+
+	* lib/des: Now merged in libdes 3.21 on main branch.
+
+
+	* appl/ftp/ftpd/logwtmp.c: Slightly different functionality. Works
+ 	on systems that has more fields in struct utmp such as OSF/1.
+  	Still some questions about Solaris.
+
+	* lib/krb/lsb_addr_comp.c: Now byteorder independent.
+
+
+	* appl/kx: Rewrote kx & kxd to share more code.  They are also now
+ 	able to talk both ways.
+
+	* lib/kdb/krb_dbm.c (kerb_db_rename): Now works properly when
+	using berkeley DB.
+
+Thu Apr 25 1996
+
+	* lib/krb/get_krbrlm.c (krb_get_default_realm): New function for
+ 	SunOS5 compat.
+
+	* When building shared libraries link libkrb with libdes to be
+ 	compatible with SunOS5.
+
+	* Move lib/krb/krb_err.et to lib/kadm since it is only used there,
+ 	no longer need to link libkrb against libcom_err.
+	
+Wed Apr 24 1996
+
+	* lib/krb/lsb_addr_comp.h: Renamed ugly lsb_addr_comp.
+
+	* Some porting to UNICOS.
+
+Tue Apr 23 1996
+
+	* Moved some junk from appl/bsd to libroken.
+	
+	* lib/roken/Makefile.in (LIBNAME): Added header file roken.h for
+ 	library libroken.a.
+
+
+	* Add kerberized ftp.
+
+	* Add libroken.
+
+Mon Apr 22 1996
+
+	* appl/kauth/kauth.c: When commands are given to kauth, a new
+ 	ticket file is used.
+
+Sat Apr 20 1996
+
+	* appl/xnlock/xnlock.c: Fixed a potential overwrite bug. Also
+ 	works with more than one screen, only fancy stuff on screen 0,
+ 	though.
+
+Fri Apr 19 1996
+
+	* appl/bsd/login.c, su.c, rshd.c, rlogind.c: Syslog and abort when
+ 	getpwnam returns uid == 0 but user is not root. This is usually
+ 	the result of an attack on NIS (former YP).
+
+Wed Apr 17 1996
+
+	* kadmin/ksrvutil.c (get_key_from_password): Support for
+ 	generating AFS keys.  From <flag@it.kth.se>
+
+Sun Apr 14 1996
+
+	* appl/kx: New program for forwarding a X connection.
+
+Mon Apr 8 1996
+
+	* appl/bsd/rsh.c (get_shell_port): Default port number for ekshell
+ 	changed from 2106 to 545.
+
+	* appl/bsd/login.c (doremotelogin): Remove terminal speed from the
+ 	value of $TERM in the case of an ancient rlogind being used.
+
+Thu Apr 4 1996
+
+	* lib/kafs/afssys.c (k_afsklog): Try to read from
+	/usr/vice/etc/TheseCells for list of cells we should try to obtain
+	tokens for.
+
+	* appl/kauth/kauth.c (renew): Use cell even when renewing.
+	
+	* appl/kauth/kauth.c, appl/xnlock/xnlock.c: Always call k_afsklog
+ 	with realm == NULL.
+
+
+	* lib/kafs/afssys.c: More thorough guessing of what realm a cell
+ 	belongs to.
+
+Wed Apr 3 1996
+
+	* appl/bsd/login.c: If setuid() failes and not logging in as root,
+ 	exit.
+
+Tue Apr 2 1996
+
+	* server/kerberos.c: Set name, inst, and realm to NULL in
+ 	APPL_REQUEST, error replies tend to look a bit funny otherwise.
+
+Thu Mar 28 1996
+
+	* appl/bsd/iruserok.c (iruserok): Imported iruserok() FreeBSD.
+
+Tue Mar 26 1996
+
+	* lib/des/Makefile.in: Removed enc_read.c enc_writ.c.
+	
+	* appl/bsd/Makefile.in: New file with the old functions from
+ 	libdes.
+
+
+	* appl/bsd/utmp_login.c: Fixed (hopefully) double utmp-entries in
+ 	Solaris. Only put entries in one of utmp/utmpx, since they both
+ 	get updated by putut*ent() anyway.
+
+Mon Mar 25 1996
+
+	* kuser/klist.c (main): Use verbose option (-v) to list key
+ 	version numbers.
+
+
+	* Release 0.7.
+
+Sun Mar 24 1996
+
+	* appl/bsd/rlogin.c (doit): Moved signal junk (as far as possible)
+        to doit().
+
+
+	* configure.in: Check for getmsg with AC_TRY_RUN instead.
+	Otherwise it fails under AIx 3.2.  Now rlogind works on this
+	so-called OS.  Also cache value of berkeley db check.
+
+
+	* lib/kdb/krb_kdb_utils.c: New experimental masterkey generation,
+ 	enabled with --enable-random-mkey. This makes kdb_init et al
+ 	generate random master keys, based on random input from the
+ 	user. This comes in a package with auto-kstash, and possibility to
+ 	enter lost master keys as base64.
+
+	Moved default master key file from /.k to
+ 	/var/kerberos/master-key, override with --with-mkey=file.
+
+
+	* kadmin/kadmin.c (do_init): Handle the `-t' option to kadmin,
+	meaning do not get a new ticket file.  (From CNS).
+
+Fri Mar 22 1996
+
+	* appl/xnlock/xnlock.c: Removed some dead code, and a few unused
+ 	header files.
+
+
+	* kadmin/pw_check.c (kadm_pw_check): If kadm_pw_check()
+ 	fails *pw_msg can't be 0! At the very least use the
+	empty string but a descriptive error-message is preferred.
+
+	* libtelnet: add nonbroken signal() function.
+
+Wed Mar 20 1996
+
+	* appl/kpopper/pop_pass.c (pop_pass): Use kuserok to determine if
+	user is allowed to fetch mail.
+
+	* appl/kpopper/*. Got rid of some ugly codes and some warnings.
+
+	* appl/bsd/Makefile.in: signal.o was not included in OBJECTS,
+	which made strange makes not doing what they should.
+
+	* configure.in, appl/kpopper/popper.h, appl/bsd/pathnames.h: Now
+ 	should work on systems that do not have mail spool files in
+ 	/var/spool/mail.  Looks for MAILDIR or _PATH_MAILDIR, usually from
+ 	<paths.h> or <maillock.h>.  Defaults to /var/spool/mail.
+
+Mon Mar 18 1996
+
+	* appl/bsd/bsd_locl.h: TIOCPKT for those systems missing it.
+
+Fri Mar 15 1996
+
+	* lib/kafs/kafs.h: Use <sys/ioctl.h> instead of <sys/ioccom.h>
+
+	* appl/bsd/rshd.c (doit): Don't set environ, send it as an
+ 	argument to execle instead.
+
+	* lib/kafs/kafs.h: Find definition of _IOW.
+
+	* configure.in: Check for random.
+
+	* appl/bsd/bsd_locl.h: Including <crypt.h> gives too many conflicts.
+
+	* appl/afsutil/pagsh.c: Check for random.
+
+Thu Mar 14 1996
+
+	* appl/bsd/bsd_locl.h, appl/telnet/telnetd/defs.h: Default values
+	of `TIOCPKT_FLUSHWRITE' & c:o.
+
+	* appl/telnet/telnet{,d}/Makefile.in (telnetd): Change order of
+	linking in libraries.
+
+	* configure.in: Check for interesting functions in libsocket and
+	libnsl and not strange soriasis inventions.
+
+Wed Mar 13 1996
+
+	* appl/bsd/bsd_locl.h (fatal): Only use prototype or iruserok if
+	the function does not exist.
+
+Mon Mar 11 1996
+
+	* lib/krb/krb_err_txt.c (krb_get_err_text): Changed name of
+ 	krb_err_msg to krb_get_err_text(int) to be compatible with the CNS
+ 	distribution. This function is used for instance by CVS-1.7.
+
+Sun Mar 10 1996
+
+	* configure.in, appl/Makefile.in: removed rkinit
+
+	* etc/inetd.conf.changes, etc/services.append: Added kauth.
+
+	* appl/kauth: Integrated rkinit into kauth.
+	
+	* appl/kauth/kauth.c (main): Only look for principal name if no -p
+	has been given.
+
+	* lots of files: prototypes and other small fixes.
+	
+	* appl/bsd/sysv_shadow.h: spwd multiple defined.
+
+	* appl/bsd/bsd_locl.h: include <crypt.h>
+
+	* configure.in: Added afsutil and rkinit.
+
+	* */Makefile.in: Do cd $$i && $(MAKE).  Otherwise, if cd fails you
+	end up with an infinite recursion.
+
+	* kuser/klist.c (display_tktfile): Another warning removed.
+
+Tue Mar 5 1996
+
+	* appl/bsd/forkpty.c (forkpty): Kludge for Ultrix, rlogind now
+ 	works properly also under this system.
+
+
+	* appl/afsutil: New aklog and pagsh
+
+
+	* lib/krb/krb_equiv.c (krb_equiv): Fix bugs with '\\'.
+
+	* lib/des/rnd_keys.c: Include <sys/time.h>.
+
+Mon Mar 4 1996
+
+	* appl/kauth/kauth.c (main): Handle name when given after options.
+
+Sun Mar 3 1996
+
+	* appl/rkinit/rkinit.c (getalladdrs): Check for herror.  Solaris
+	apparently does not have any.
+	(main): Use memset instead of bzero.
+
+	* appl/rkinit/rkinitd.c (decrypt_remote_tkt): bcopy -> memcpy.
+
+	* kuser/kinit.c (main): Corrected lifetime.
+
+	* lib/krb/krb_equiv.c (krb_equiv): Now handles longer lines,
+	continuation lines and addresses of the form 193.10.156.0/24.
+
+
+	* kuser/Makefile.in (kdestroy): Link kdestroy with libkafs.
+
+Wed Feb 28 1996
+
+	* Replaced all occurencies of krb_err_txt[] with new function
+ 	krb_err_msg(), that does some sanity checks before indexing
+ 	krb_err_txt.
+
+Mon Feb 26 1996
+
+	* appl/telnet/telnetd: Added flags -z to have telnetd log
+ 	unauthenticated logins, such as when using an old telnet
+ 	client. Unfortunately in most of these cases, the user name is not
+ 	known.
+	
+	There should also be a way to tell the difference between bad
+ 	authentication (such as with expired tickets) and no attempt to
+ 	provide authentication (such as with an old client).
+
+Sun Feb 25 1996
+
+	* kuser/kdestroy.c: Remove afs-tokens as well as tickets, -t flags
+ 	added to prevent this.
+
+Thu Feb 22 1996
+
+	* appl/rkinit/rkinitd.c (doit): Use k_getsockinst to make it work
+	correctly for multi-homed hosts.
+
+	* appl/rkinit: New program with rkinit functionality.
+
+	* lib/krb/k_getport.c: Function for finding port in /etc/services
+	with fallback.
+
+	* lib/krb/netread.c,netwrite.c (krb_net_{read,write}): Now correct
+	prototype with void * and size_t.
+
+Wed Feb 21 1996
+
+	* kadmin/new_pwd.c (get_pw_new_pwd): Moved get_pw_new_pwd to
+	seperate file.  Now called both from kadmin and kpasswd.
+
+	* kadmin/pw_check.c (kadm_pw_check): Handle the case of no
+	password provided.  This is really a policy decision.  The server
+	should be able to say `use a client that sends the password'.
+
+	* appl/bsd/rlogind.c (local_domain): MAXHOSTNAMELEN -> MaxHostNameLen.
+
+Sun Feb 18 1996
+
+	* appl/bsd/rcp.c (answer_auth): Made rcp multihome aware.
+
+	* appl/bsd/rlogind.c (do_krb_login): Made rlogind multihome aware.
+
+	* appl/bsd/rshd.c (doit): Made rshd multihome aware.
+
+	* lib/krb/k_getsockinst.c (k_getsockinst): New function to figure
+        out the instance name of interfaces on multihomed hosts. Use this
+        function when making daemons multihome aware.
+
+	* appl/telnet/libtelnet/kerberos.c (kerberos4_is): Made telnetd
+        multihome aware.
+
+Mon Feb 12 1996
+
+	* Release 0.6.
+
+Sun Feb 11 1996
+
+	* lots of files: hacks to make it all compile.
+
+	* configure.in, appl/telnet/configure.in: More broken AIX.
+
+
+	* appl/bsd/bsd_locl.h: Fix for old syslogs (as in Ultrix).
+
+
+	* appl/telnet/libtelnet/encrypt.c: encrypt_verbose by default.
+
+
+	* appl/telnet/libtelnet/kerberos.c: Show difference between
+ 	MUTUAL and ONE_WAY KERBEROS4.
+
+	* appl/telnet/libtelnet/encrypt.c:
+	Print message about not encrypting when receiving WONT or DONT encrypt.
+
+
+	* configure.in: Automatic check for HAVE_NEW_DB.
+
+
+	* lib/krb/getaddrs.c (k_get_all_addrs): Fixed for systems with
+        SOCKADDR_HAS_SA_LEN, aka 4.4BSD-based.
+
+	* appl/telnet/telnetd/global.c: Removed some multiple defined
+        variables.
+
+	* appl/bsd/rlogind.c (cleanup): ifndef HAVE_VHANGUP.
+
+	* appl/bsd/sysv_shadow.h: Add DAY and DAY_NOW ifndef.
+
+	* configure.in: Check if `struct sockaddr' has `sa_len'.
+
+Sat Feb 10 1996
+
+	* appl/telnet/telnetd/telnetd.c (recv_ayt): pty -> ourpty.
+
+	* appl/bsd/bsd_locl.h: More include-files: <sys/uio.h> and <userpw.h>
+
+	* appl/kpopper/popper.c (catchSIGHUP): Got rid of some warnings.
+
+	* lib/krb/log.c (new_log): Yet another year 2000.
+
+	* appl/bsd/sysv_environ.c (read_etc_environment): Support setting
+	environment variables from /etc/environment.
+
+	* appl/bsd/bsd_locl.h: <usersec.h>
+
+	* configure.in: check for setpcred, libs.a and <usersec.h>.
+
+	* appl/bsd/login.c (main): setpcred is used on AIX.
+
+	* appl/bsd/rshd.c (doit): Added setpcred for AIX.
+
+	* lib/krb/getaddrs.c: <sys/sockio.h> is sometimes needed.
+
+	* admin/kdb_init.c (main): Now verifies master key.
+
+	* lib/kdb/krb_kdb_utils.c (kdb_get_master_key): Added possibility
+	of asking for verfication.
+
+	* appl/bsd/bsd_locl.h: Try to include <sys/stream.h>
+
+	* appl/telnet/telnetd/utility.c (printsub): Mismatch arguments.
+
+	* lib/krb/send_to_kdc.c (send_to_kdc): Send to all A records and
+	accept an answer from anything we have sent to.
+
+	* appl/kauth/kauth.c (renew): Use strange return types for strange
+	OSes.
+	(doexec): Remove tokens.
+
+	* server/kerberos.c (main): Uses k_get_all_addrs and binds to each
+	of these addresses.
+
+	* kadmin/ksrvutil_get.c (ksrvutil_get): Added support for
+	specifying key to create on command line to get.
+
+Wed Feb 7 1996
+
+	* lib/krb/log.c (k_log): Now using YYYY for years.
+
+	* lib/krb/klog.c (klog): Preparing for the year 2000.
+
+	* kuser/kinit.c (main): Added option -p to get changepw-tickets.
+
+	* lib/krb/getaddrs.c: New file to get all the addresses of all the
+	interfaces on this machine.
+
+Tue Feb 6 1996
+
+	* configure.in: Support for S/Key in login.c. Use --with-skeylib
+        switch to configure. The code assumes that the skeylib.a comes
+        from logdaemon.
+
+	* General support for shadow password files if there is an
+        shadow.h.
+
+	* appl/bsd/su.c: Arrange so that it supports shadow passords.
+
+Sun Feb 4 1996
+
+	* appl/telnet/*: Hacks to make it work on strange OSes.
+
+	* appl/bsd/bsd_locl.h: Check for sys/ptyvar.h
+
+	* appl/telnet/configure.in (telnet_msg): sys/str_tty.h, sys/uio.h
+
+	* configure.in: test for crypt.h and sys/ptyvar.h
+
+	* appl/telnet/telnetd/*.c: pty -> ourpty.
+
+
+	* telnetd: Changes to make more systems work better, specifically
+ 	AIX 4. Hopefully this will work on both STREAM and BSD
+ 	systems. Not tested on some systems, like CRAY and Linux.
+
+
+	* util/ss/mk_cmds.c: Generating cleaner code.
+
+	* lib/krb/krb_err_txt.c (krb_err_txt): Clarification.
+
+	* kadmin/admin_server.c: Less varnings.
+
+	* appl/xnlock/xnlock.c: Changed some types and added some casts.
+
+	* appl/movemail/movemail.c: Not using syswait.h anymore.
+
+	* appl/xnlock/xnlock.c: God rid of some warnings.
+
+	* util/ss/*.[ch]: cleanup
+
+	* util/et/*.[ch]: cleanup
+
+	* appl/bsd/rcp.c: Less warnings.
+
+	* kadmin/admin_server.c (kadm_listen): Get rid of another warning.
+
+	* kadmin/pw_check.c (kadm_pw_check): Support for letting cracklib
+	check the quality of the password.
+
+	* kadmin/pw_check.h (kadm_pw_check): New argument to
+	kadm_pw_check: list of useful strings to check for.
+
+	* kadmin/kadm_server.c (kadm_ser_cpw): Send a few `useful' strings
+	to kadm_pw_check (name, instance, and realm).
+
+	* kadmin/Makefile.in (kadmind): Linking with -lcrack.
+
+	* configure.in: Support for --with-cracklib and --with-dictpath.
+
+	* kadmin/ksrvutil_get.c: Now seems to be working.
+
+	* kadmin/ksrvutil.h: Some new parameters.
+
+	* kadmin/ksrvutil.c: Some reorganisation and uses a working
+	ksrvutil_get.
+
+	* appl/movemail/movemail.c: Some more include-files.
+
+	* appl/bsd/rlogind.c: Testing for the existence of vhangup.
+
+Wed Jan 31 1996
+
+	* configure.in: Massaged the configure files so that we can build
+        under NEXTSTEP 3.3. Some kludges to prevent cpp bugs and link
+        errors where also neccessary.
+
+Tue Jan 30 1996
+
+        * appl/xnlock/xnlock.c (main): Improved user feedback on password
+        input.
+
+	* appl/xnlock/xnlock.c: Applied patch made by flag@it.kth.se that
+        enables C-u to erase the password field.
+
+	* lib/krb/lifetime.c: configure now creates a version string which
+        is referenced here. Use what and grep version to figure out where,
+        when and by whom binaries where created.
+
+	* appl/bsd/forkpty.c (ptys_open): Call revoke before pty slave is
+        opened. Add revoke using vhangup for those system lacking revoke.
+        Also call vhangup when rlogind exits.
+
+Mon Jan 29 1996
+
+	* lib/krb/send_to_kdc.c (send_to_kdc): Removed kludge for SunOS
+        3.2 and Ultrix 2.2 that prevented multihomed kerberos servers to
+        operate correctly.
+
+	* kadmin/kadmin.c (change_key): Add new subcommand change_key so
+        that it is possible to enter keys in the DB on binary form. Most
+        usefull for sites running AFS.
+
+Fri Jan 26 1996
+
+	* appl/bsd/su.c (koktologin): New option -i root-instance. If you
+        want a user.afs ticket in a root shell and user.afs is on root's
+        ACL then do a "su -i afs".
+
+	* Makefile.in: Rearrange the order of object files to make shared
+        libraries slightly more efficient.
+
+	* appl/kauth/kauth.c (main): Always up case realm. Better error
+        messages on failed exec.
+
+Mon Jan 22 1996
+
+	* appl/bsd/rshd.c (main): New option -P to prevent rshd from using
+        a new PAG. Expert use only!
+
+	* appl/bsd/rlogind.c (doit): Avoid race when setting tty size.
+
+	* appl/bsd/rlogin.c (reader): Use select rather than horrible
+        signal hacks to handle OOB data.
+
+	* appl/bsd/login.c (main) sysv_environ.c (sysv_newenv): Login does
+        now honor the -p switch when invoked by root. This is used by
+        telnetd to export environment variables.
+
+Fri Jan 5 1996
+
+	* appl/bsd/signal.c (signal): New BSD compatible signal
+        function. Most r* applications assume reliable signals.
+
+
+	* appl/bsd/login.c (main): Check HAVE_ULIMIT.
+
+	* appl/bsd/bsd_locl.h: Include sys/ioctl.h.
+
+	* configure.in: Check for ulimit.
+
+	* admin/kdb_edit.c: Flush stdout after printing prompts.
+
+	* appl/kpopper/pop_xmit.c: Remember to include config.h.
+
+Tue Jan 2 1996
+
+	* appl/bsd/login.c (main): New function stty_default to setup
+        default tty settings.
+
+Fri Dec 29 1995
+
+	* appl/kstring2key/kstring2key.c (main): New program that converts
+        passwords to DES keys, either using des_string_to_key or
+        afs_string_to_key.
+
+	* server/kerberos.c: Kerberos server now listen on 2 ports,
+        kerberos/udp and kerberos-sec/udp.
+
+Wed Dec 27 1995
+
+	* appl/bsd/rcp.c (main): Integrated -x option to rcp. This
+        required some real horrible hacks in lib/des/enc_{read,write}.c
+
+	* acconfig.h: Enabled MULTIHOMED_KADMIN in acconfig.h.
+
+	* Add RCSID stuff to telnet files.
+
+Fri Dec 22 1995
+
+	* appl/bsd/login.c (main): The login program does now by default
+	read /etc/default/login, even on non Psoriasis systems. Unifdef
+	SYSV4, this was essentially only for prompting.
+
+Mon Dec 18 1995
+
+	* appl/kpopper/popper.c (main): Integrate default timeout of 120
+        seconds from Qualcomm popper. Timeout is also set able with -T
+        seconds.
+
+
+	* lib/kadm/kadm_cli_wrap.c (kadm_change_pw_plain): If there's no
+	password, don't even send the empty string.
+
+Thu Dec 7 1995
+
+	* lots of files: all debug messages now printed to stderr (from
+ 	<lama@pdc.kth.se>)
+
+	* lib/krb/tf_util.c (tf_create): New method for creating a new
+ 	ticket file.  Remove the old old and then open with O_CREAT and
+ 	O_EXCL.
+
+	* server/kerberos.c, slave/kpropd.c: Some casts to get rid of warnings.
+
+	* configure.in: Added checks for unistd.h, memmove and const.
+
+	* appl/telnet/telnet/commands.c: Changed types of functions to
+	confirm with struct Command.
+
+	* appl/telnet/configure.in: Check for setpgid.
+
+	* appl/bsd/rlogin.c: Get rid of another warning.
+
+	* appl/bsd/bsd_locl.h, appl/telnet/acconfig.h: New synonym for
+ 	solaris.
+
+Wed Dec 6 1995
+
+	* (movemail): Now from emacs-19.30. If you have a newish emacs
+ 	there is no reason to use this movemail.
+
+	* (kadm): Added support for server side password checks. Hopefully
+ 	this is compatible with kerberos 4.10. Old kpasswd:s will give
+ 	funny error messages. For examples of checks, see
+ 	kadmin/pw_check.c. Since this is mostly political matters,
+ 	kadm_pw_check() should probably return KADM_SUCCESS by default.
+
+Mon Nov 27 1995
+
+	* appl/telnet/telnetd/telnetd.c (main): Kludge to fix encryption
+        problem with Mac NCSA telnet 2.6.
+
+
+	* lib/krb/stime.c: Now using YYYY for years.  (2000 is soon here).
+
+	* appl/bsd/rsh.c, rcp.c, rlogin.c: Fixed fallback for port number
+ 	(added missing ntohs).
+
+Sun Nov 12 1995
+
+	* (many files): More ANSI/ISO 9899-1990 to the people!  
+	Now actually builds (not including util) with DEC "cc -std1" and
+ 	Sun "acc -Xc".  There are still major prototype conflicts, but
+ 	there isn't much to do about this.
+
+Sat Oct 28 1995
+
+	* lib/kadm/kadm_cli_wrap.c: Fallback for kerberos and
+ 	kerberos_master services.
+
+Fri Oct 27 1995
+
+	* Released version 0.5
+
+
+	* lib/des/read_pwd.c: Redifine TIOCGETP and TIOCSETP so that the
+        same code is used both for posix termios and others.
+
+	* rsh, rlogin: Add environment variable RSTAR_NO_WARN which when
+	set to "yes" make warnings about "rlogin: warning, using standard
+	rlogin: remote host doesn't support Kerberos." go away.
+
+Tue Oct 24 1995
+
+	* admin/kdb_util.c (load_db) lib/kdb/krb_dbm.c (kerb_db_update):
+        Optimized so that it can handle large databases, previously a
+        10000 entry DB would take *many* minutes, this can now be done in
+        under a minute.
+
+Sat Oct 21 1995
+
+	* Changes in server/kerberos.c, kadmin/*.c slave/*.c to support 64
+        bit machines. Source should now be free of 64 bit assumptions.
+
+	* admin/copykey.c (copy_from_key): New functions for copying to
+        and from keys. Neccessary to solve som problems with longs on 64
+        bit machines in kdb_init, kdb_edit, kdb_util and ext_srvtab.
+
+	* lib/kdb/krb_kdb_utils.c (kdb_verify_master_key): More problems
+        with longs on 64 bit machines.
+
+Mon Oct 16 1995
+
+	* appl/bsd/login.c (main): Lots of stuff to support Psoriasis
+        login. Courtesy of gertz@lysator.liu.se.
+
+	* configure.in, all Makefile.in's: Support for Linux shared
+        libraries. Courtesy of svedja@lysator.liu.se.
+
+	* lib/krb/cr_err_reply.c server/kerberos.c: Moved int req_act_vno
+	= KRB_PROT_VERSION; from server kode to libkrb where it really
+	belongs.
+
+        * appl/bsd/forkpty.c (forkpty): New function that allocates master
+        and slave ptys in a portable way. Used by rlogind.
+
+	* appl/telnet/telnetd/sys_term.c (start_login): Under SunOS5 the
+	same utmpx slot got used by sevral sessions. Courtesy of
+	gertz@lysator.liu.se.
+
+Wed Oct 4 1995
+
+	* util/{ss, et}/Makefile.in (LEX): Use flex or lex. Courtesy of
+        svedja@lysator.liu.se.
+
+	* Fix the above Makefiles to work around bugs in Solaris and OSF/1
+        make rules that was triggered by VPATH functionality in the yacc
+        and lex rules.
+
+Mon Oct 2 1995
+
+	* appl/kpopper/pop_log.c (pop_log) appl/kpopper/pop_msg.c (pop_msg):
+	Use stdarg instead of varargs. The code is still broken though,
+	you'll realize	that on a machine with 64 bit pointers and 32 bit 
+	int:s and no vsprintf, let's hope there will be no such beasts ;-).
+
+	* appl/telnet/telnetd/sys_term.c (getptyslave): Not all systems
+	 have (or need) modules ttcompat and pckt so don't flag it as a
+	 fatal error if they don't exist.
+
+Mon Sep 25 1995
+
+	* kadmin/admin_server.c (kadm_listen) kadmind/kadm_ser_wrap.c
+	(kadm_listen): Add kludge for kadmind running on a multihomed
+	server. #ifdef:ed under MULTIHOMED_KADMIN. Change in acconfig.h
+	if you need this feature.
+
+	* appl/Makefile.in (SUBDIRS): Add applications movemail kpopper
+        and xnlock.
+
+Wed Sep 20 1995
+
+	* appl/bsd/rlogin.c (main): New rlogind.c, forkpty() is not
+        implemented yet though.
+
+Wed Sep 13 1995
+
+	* appl/xnlock/Makefile.in: Some stubs for X11 programs in
+        configure.in as well as a kerberized version of xnlock.
+
+	* appl/bsd/{rlogin.c, rsh.c, rcp.c}: Add code to support fallback
+        port numbers if they can not be found using getservbyname.
+
+Tue Sep 12 1995
+
+	* appl/bsd/klogin.c (klogin): Use differnet ticket files for each
+        login so that a malicous user won't be able to destroy our tickets
+        with a failed login attempt.
+
+	* lib/kafs/afssys.c (k_afsklog): First we try afs.cell@REALM, if
+	there is no such thing try afs@CELL instead. There is now two
+	arguments to k_afslog(char *cell, char *realm).
+
+Mon Sep 11 1995
+
+	* kadmin/admin_server.c (kadm_listen): If we are multihomed we
+        need to figure out which local address that is used this time
+        since it is used in "direction" comparison.
+
+Wed Sep 6 1995
+
+	* kadmin/kadm_ser_wrap.c (kadm_ser_init): Fallback to use default
+        port number.
+
+	* lib/krb/send_to_kdc.c (send_to_kdc): Default port number
+        (KRB_PORT) was not in network byte order.
+
+Tue Sep 5 1995
+
+	* lib/krb/send_to_kdc.c (send_recv): Linux clears timeout struct
+        when selecting.
+
+
+Mon Sep 4 1995
+
+	* appl/bsd/rcp.c, appl/bsd/rlogin.c, appl/bsd/rsh.c:
+	Now does fallback if there isn't any entries in /etc/services for
+	klogin/kshell. This also made the code a bit more pretty.
+
+
+	* appl/bsd/login.c: Added support for lots of more struct utmp fields.
+	If there is no ttyslot() use setutent and friends.
+
+	* appl/bsd/Makefile.in, appl/bsd/rlogind.c, appl/bsd/rshd.c:
+	Added extern iruserok().
+
+	* appl/bsd/iruserok.c: Initial revision
+
+	* appl/bsd/bsd_locl.h: Must include sys/filio.h on Psoriasis.
+
+	* appl/bsd/Makefile.in: New install
+
+	* appl/bsd/pathnames.h: Fix default path, rsh and rlogin.
+
+	* appl/bsd/rshd.c: Extend default PATH with bindir to find rcp.
+
+
+	* appl/bsd/login.c (login): If there is no ttyslot use setutent
+	and friends. Added support for lots of more struct utmp fields.
+
+	* server/kerberos.c (main) lib/kafs/afssys.c appl/bsd/bsd_locl.h:
+        Must include sys/filio.h on Psoriasis to find _IOW and FIO* macros.
+
+	* appl/bsd/rlogind.c (doit): Use _PATH_DEFPATH rather than
+        _PATH_DEF.
+
+	* appl/bsd/login.c, su.c (main): Use fallback to bourne shell if
+        running as root.
+
+	* appl/bsd/su.c (main): Update usage message to reflect that '-'
+	option must come after the ordinary options and before login-id.
+
+Sat Sep 2 1995
+
+	* appl/telnet/telnetd/telnetd.c (doit): If remote host name is to
+	long to fit into utmp try to remove domain part if it does match
+	our local domain.
+
+	(main): Add new option -L /bin/login so that it is possible to 
+	specify an alternate login program.
+
+	* appl/telnet/telnet/commands.c (env_init): When exporting
+	variable DISPLAY and if hostname is not the full name, try to get
+	the full name from DNS.
+
+	* appl/telnet/telnet/main.c (main): Option -k realm was broken due
+        to a bogous external declaration.
+
+Fri Sep 1 1995
+
+	* kadmin/kadmin.c (add_new_key): Kadmin now properly sets
+	lifetime, expiration date and attributes in add_new_key command.
+
+Wed Aug 30 1995
+
+	* appl/bsd/su.c (main): Don't handle '-' option with getopt.
+
+	* appl/telnet/telnet/externs.h: Removed protection for multiple
+	inclusions of termio(s).h since it broke definition of termio
+	macro on POSIX systems.
+
+Tue Aug 29 1995
+
+	* lib/krb/lifetime.c (krb_life_to_time): If you want to disable
+	AFS compatible long lifetimes set krb_no_long_lifetimes = 1.
+	
+	Please note that the long lifetimes are 100% compatible up to
+	10h so this should rarely be necessary.
+
+	* lib/krb/krb_equiv.c (krb_equiv): If you don't want to use
+	ipaddress protection of tickets set krb_ignore_ip_address. This
+	makes it possible for an intruder to steal a ticket and then use
+	it from som other machine anywhere on the net.
+
+Mon Aug 28 1995
+
+	* kadmin/kadm_ser_wrap.c (kadm_ser_init): Don't bind to only one
+        local address. Accept request on all interfaces.
+
+	* admin/kdb_edit.c (change_principal): Don't accept illegal
+        dates. Courtesy of gertz@lysator.liu.se.
+
+Sat Aug 26 1995
+
+	* configure.in: AIX specific libraries needed when using standard
+        libc routine getttyent, IBM should be ashamed!
+
+	* lib/krb/recvauth.c (krb_recvauth): Long that should be int32_t
+        problem.
+
+	* Added strdup for su and rlogin.
+
+	* Fix for old syslog macros in appl/bsd/bsd_locl.
+
+Fri Aug 25 1995
+
+	* lib/kdb/krb_dbm.c (kerb_db_rename) admin/kdb_destroy.c: New
+        ifdef HAVE_NEW_DB for new databases residing in one file only.
+
+	* appl/bsd/rlogin.c (oob): Add workaround for Linux.
+
+Mon Aug 21 1995
+
+	* appl/bsd/getpass.c: New routine that reads up to 127 char
+        passwords. Used in su.c and login.c.
+
+Tue Aug 15 1995
+
+	* appl/telnet/telnetd/sys_term.c (login_tty): Ioctl TIOCSCTTY
+        should not be used on HP-UX.
+
+Mon Aug 14 1995
+
+	* appl/bsd/rlogin.c (main): Added dummy rlogind that tells user to
+        rather use telnet.
+
+Thu Aug 10 1995
+
+	* lib/krb/ krb.h, decomp_ticket.c, getrealm.c, get_krbhst.c,
+	get_krbrlm.c, get_admhst.c: 
+
+	Use multiple configuration directories for krb.conf and
+	krb.realms, KRB_CONF and KRB_REALM_TRANS macros substituted with
+	KRB_CNF_FILES and KRB_RLM_FILES. Currently /etc and
+	/etc/kerberosIV are searched. Directory specified by envioronment
+	variable KRBCONFDIR is searched first if set. No hardcoded
+	realmname or kerberos server. Instead use domainname for deafult
+	realm and kerberos.domain as kerberos server if they are not
+	listed in krb.conf and/or krb.realms. In the normal case there
+	should be no need for configuration files if administrators add a
+	CNAME pointing to the kerberos server.
+
+	* appl/bsd/Makefile.in and friends: GNU make should no longer be
+        neccessary unless building with VPATH.
+
+Wed Aug 9 1995
+
+	* appl/bsd/klogin.c (klogin): Old ticket file need to be removed
+	before we call krb_get_pw_in_tkt or we might get a Kerberos intkt
+	error because the wrong user owns the file.
+
+Tue Aug 8 1995
+
+	* configure.in : Telnet.beta2 is now official and has been moved
+        to appl/telnet.
+
+	* appl/bsd/su.c (main): Reenable -K flag, won't work if not
+        PASSWD_FALLBACK is enabled. Cosmetics for Password prompt.
+
+Fri Aug 4 1995
+
+	* appl/bsd/su.c (kerberos): Don't allow su from possibly bogous
+        kerberos server. Controlled by #ifdef KLOGIN_PARANOID.
+
+	* lib/kafs/afssys.c (SIGSYS_handler): Need to reinstall handler on
+        SYSV.
+
+Mon Jul 24 1995
+
+	* lib/kafs/afssys.c (k_afsklog): Use default realm on null argument.
+
+	* appl/bsd/rlogin.c, login.c: New programs.
+
+Fri Jul 21 1995
+
+	* appl/bsd/kcmd.c rsh.c rlogin.c: Use POSIX signals.
+
+	* appl/telnet.95.05.31.NE/telnetd/sys_term.c, telnetd.c: Port to
+        IRIX.
+
+Tue Jul 11 1995
+
+	* admin/kdb_init.c (main): Use new random generator.  Dito in
+	admin/kdb_edit.c. Use master key to initialize random sequence.
+
+Mon Jul 10 1995
+
+	* kadmin/kadmin.c (get_password): Fix for random passwords.
+	Dito for admin/kdb_edit.c
+
+	* appl/kauth/kauth.c (main): Updated for krb distribution, now
+        uses new library libkafs.
+
+	* appl/telnet.beta/telnet/main.c (main): New telnet with
+        encryption hacks from ftp.funet.fi:/pub/unix/security/esrasrc-1.0.
+        Encryption does not currently work though.
+
+Tue Jun 20 1995
+
+	* New library to support AFS. Routines:
+
+	  int k_hasafs(void);
+	  int k_afsklog(...);
+	  int k_setpag(void);
+	  int k_unlog(void);
+	  int k_pioctl(char *, int, struct ViceIoctl *, int);
+
+	  Modified it to support more than one single entry point AFS
+	  syscalls (needed by HPUX and OSF/1 when running DFS). Don't rely
+	  on transarc headers or library code.
+
+	  This has not been tested and will most probably need some
+	  serious violence to get working under AIX. (AIX has since been
+	  fixed to. /bg)
+
+Fri Jun 16 1995
+
+	* lib/krb/krb_equiv.c (krb_equiv): Compare IP adresses using
+        krb_equiv() to allow for hosts with more than one address in files
+        rd_priv.c rd_req.c and rd_safe.c.
+
+	* slave/kpropd.c (main): Fix uninitialized variables and rewind
+        file in kprop.c.
+
+Thu Jun 15 1995
+
+	* appl/bsd/rcp.c (allocbuf): Fix various bugs.
+
+	* slave/kpropd.c (main): Responder uses
+        KPROP_SERVICE_NAME.`hostname' and requestor always uses
+        KPROP_SERVICE_NAME.KRB_MASTER, i.e rcmd.kerberos in kprop/kpropd
+        protocol.
+
+Wed Jun 14 1995
+
+	* appl/bsd/rshd.c (doit): Encryption should now work both ways.
+
+Tue Jun 13 1995
+
+	* appl/bsd/pathnames.h: Fixup paths.
+
+	* server/Makefile.in and friends (install): Install daemons in in
+	libexec and administrator programs in sbin.
+
+
+	* Makefile.in: Joda (d91-jda) added install target
+
+Wed Jun 7 1995
+
+	* lib/krb/k_strerror.c: New function k_strerror() to use instead
+        of the non portable sys_errlist[].
diff --git a/crypto/kerberosIV/Makefile.in b/crypto/kerberosIV/Makefile.in
new file mode 100644
index 0000000..b2e9864
--- /dev/null
+++ b/crypto/kerberosIV/Makefile.in
@@ -0,0 +1,73 @@
+# $Id: Makefile.in,v 1.36 1999/03/01 13:04:23 joda Exp $
+
+srcdir		= @srcdir@
+prefix		= @prefix@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+TRAVELKIT = appl/kauth/kauth kuser/klist appl/telnet/telnet/telnet \
+	    appl/ftp/ftp/ftp appl/kx/kx appl/kx/rxtelnet
+
+@SET_MAKE@
+
+SUBDIRS		= include lib kuser server slave admin kadmin appl man doc
+
+all:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) all); done
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+check:
+	cd lib && $(MAKE) $(MFLAGS) check
+
+install:
+	$(MKINSTALLDIRS) $(DESTDIR)$(prefix)
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) install); done
+
+install-strip:
+	$(MAKE) INSTALL_PROGRAM='$(INSTALL_PROGRAM) -s' install
+
+uninstall:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) uninstall); done
+
+travelkit:	all
+	$(MKINSTALLDIRS) tmp
+	for i in $(TRAVELKIT); \
+	do $(INSTALL_PROGRAM) $$i tmp; done
+	(cd tmp; tar cf ../travelkit.tar `for i in $(TRAVELKIT); do basename $$i; done`)
+	rm -rf tmp
+
+travelkit-strip:
+	$(MAKE) INSTALL_PROGRAM='$(INSTALL_PROGRAM) -s' travelkit
+
+TAGS:
+	find . -name '*.[chyl]' -print | etags -
+
+clean:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) clean); done
+
+mostlyclean:	clean
+
+distclean:
+	$(MAKE) clean
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) distclean); done
+	rm -f Makefile config.status config.cache config.log version.h newversion.h.in version.h.in *~
+
+realclean:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) realclean); done
+
+$(srcdir)/aclocal.m4:
+	cd $(srcdir) && aclocal -I cf
+
+.PHONY: all Wall check install install-strip uninstall travelkit travelkit-strip clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/NEWS b/crypto/kerberosIV/NEWS
new file mode 100644
index 0000000..ac51078
--- /dev/null
+++ b/crypto/kerberosIV/NEWS
@@ -0,0 +1,755 @@
+Changes in release 1.0.5:
+
+* Remember to update version string.
+
+* Build fixes
+
+* multiple local realm fix in krb_verify_user
+
+Changes in release 1.0.4:
+
+* Only allow a small list of environment variables in telnetd
+
+* Fix one buffer overflow in libkrb
+
+* Make su handle multiple local realms
+
+* Build pic-ed archives (to be used with the pam module)
+
+* do not handle environment variables, use krb.extra instead
+
+* Disable KRBCONFDIR environment variable for root
+
+* fix shared libraries building on solaris
+
+Changes in release 1.0.3:
+
+* Handle DoS attacks in the KDC and the admin server better.
+
+* updated config.guess and config.sub
+
+* better db/gdbm discovery
+
+* bug fixes
+
+Changes in release 1.0.2:
+
+* Fix syslog(LOG_FOO, bug) calls in kauthd, kipd
+
+* Fix bug with systems have a 64bit `time_t'
+
+* Port to Solaris 8 (aka SunOS 5.8), HP-UX 11
+
+* Add AIX fix for shared libraries
+
+* Make afslog work with Arla
+
+* Be more paranoid about setuid for the sake of Linux 2.2.15
+
+* Make rshd afslog to the cell of the home directory
+
+* Improved kip/kipd
+
+* syslog with correct level in popper
+
+* install libraries correctly in lib/sl
+
+* more paranoia when overwriting and removing ticket files
+
+Changes in release 1.0.1:
+
+* Fix bug in ftpd when accepting connections
+
+* Make `-d' in kauth not imply `-a'
+
+* Adapt sia to new TKT_ROOT
+
+* Define `sockaddr_storage' in a fashion that works on
+  alignment-restricted architectures
+
+* Rewrite PAM module to work better.
+
+* Make all files in libdes build with CFLAGS
+
+Changes in release 1.0:
+
+* A new configuration option `nat_in_use' in krb.extra to ease use
+  through Network Address Translators.
+
+* Support configuration value of KEYFILE and TKT_ROOT in krb.extra
+
+* Easier building on some platforms
+
+* built-in ls in ftpd.
+
+* Bug fixes.
+
+Changes in release 0.10:
+
+* Some support for Irix 6.5 capabilities
+
+* Improved kadmin interface; you can get more info via kadmin.
+
+* Some improved support for OSF C2.
+
+* General bug-fixes and improvements, including a large number of
+  potential buffer overrun fixes.  A large number of portability
+  improvements.
+
+* Support for multiple local realms.
+
+* Support batch kadmin operation.
+
+* Heimdal support in push.
+
+* Removed `--with-shared' configure option (use `--enable-shared'.)
+
+* Now uses Autoconf 2.13.
+
+Changes in release 0.9.9:
+
+* New configuration file /etc/krb.extra
+
+* New program `push' for popping mail.
+
+* Add (still little tested) support for maildir spool files in popper.
+
+* Added `delete' to ksrvutil.
+
+* Support the strange X11 sockets used on HP-UX and some versions of
+  Solaris.
+
+* Arla compatibility in libkafs.
+
+* More compatibility with the Solaris version of libkrb.
+
+* New configure option `--with-mips-abi'
+
+* Support `/etc/securetty' in login.
+
+* Bug fixes and improvements to the Win32 telnet.
+
+* Add support for installing with DESTDIR
+
+* SIA module with added support for password changing, and
+  reauthentication.
+
+* Add better support for MIT `compile_et' and `mk_cmds', this should
+  make it easier to build things like `zephyr'.
+
+* Bug fixes:
+  - Krb: fixed dangling references to flock in libkrb
+  - FTP: fixed `logwtmp' name conflict
+  - Telnet: fix a few literal IP-number bugs
+  - Telnet: hopefully fixed stair-stepping bug
+  - Kafs: don't store expired tokens in the kernel
+  - Kafs: fix broken installation of afslib.so in AIX
+
+Changes in release 0.9.8:
+
+* several bug fixes; some which deserve mentioning:
+  - fix non-working `kauth -h'
+  - the sia-module should work again
+  - don't leave tickets in popper
+
+Changes in release 0.9.7:
+
+* new configure option --disable-otp
+
+* new configure option --with-afsws
+
+* includes rxkad implementation
+
+* ftp client is more careful with suspicious filenames (|, .., /)
+
+* fixed setuid-vulnerability of rcp, rlogin, and rsh.
+
+* removed use of tgetent from telnetd (thereby eliminating buffer-overflow)
+
+* new commands in ftp and ftpd: kdestroy, krbtkfile, and afslog.
+
+* implement HTTP transport in libkrb and KDC.
+
+* win32 terminal program much improved.  also implemented ticket
+  management program.
+
+* introduce `-i' option to kerberos server for listening only on one
+  interface.
+
+* updated otp applications and man pages.
+
+* merged in libdes 4.01
+
+* popper is more resilient to badly formatted mails.
+
+* minor fixes for Cray support.
+
+* fix popen bug i ftpd.
+
+* lots of bug fixes and portability fixes.
+
+* better compatibility with Heimdal.
+
+Minor changes in release 0.9.6:
+
+* utmp(x) works correctly on systems with utmpx.
+
+* A security-related bug in ftpd fixed.
+
+* Compiles on solaris 2.4, 2.6 and on WinNT/95 with cygwin32 beta18.
+
+* New option `-w' to rxtelnet, rxterm.
+
+Major changes in release 0.9.5:
+
+* We made some changes to be compatible with the other kerberised ftp
+  implementations and this means that an old kerberised ftp client will
+  not be able to talk to a new ftp server.  So try to upgrade your ftp
+  clients and servers at the same time.  The reason for this change is
+  described in more detail below.
+
+* The interpretation of /etc/ftpusers has changed slightly, see
+  ftpusers(5). These changes come from NetBSD.
+
+* The function `des_quad_cksum', which is used by `krb_rd_safe', and
+  `krb_mk_safe', has never been compatible with MIT's DES
+  library. This has now been fixed.
+
+  This fix will however break some programs that used those functions,
+  for instance `ftp'. In this version `krb_rd_safe' is modified to
+  accept checksums of both the new and the old format; `krb_mk_safe'
+  will always emit checksums of the new type *unless* `krb_rd_safe'
+  has detected that the client is using the old checksum (this feature
+  may be removed in some future release).
+
+  If you have programs that use `krb_mk_safe' and `krb_rd_safe' you
+  should upgrade all clients before upgrading your servers. Client is
+  here defined as the program that first calls `krb_rd_safe'.
+
+  If you are using some protocol that talks to more than one client or
+  server in one session, the heuristics to detect which kind of
+  checksum to use might fail.
+
+  The problem with `des_quad_cksum' was just a byte-order problem, so
+  there are no security problems with using the old versions. Thanks
+  to Derrick J Brashear <shadow@DEMENTIA.ORG> for pointing in the
+  right general direction.
+
+* Rewrote kx to work always open TCP connections in the same
+  direction.  This was needed to make it work through NATs and is
+  generally a cleaner way of doing it.  Also added `tenletxr'.
+  Unfortunately the new protocol is not compatible with the old one.
+  The new kx and kxd programs try to figure out if they are talking to
+  old versions.
+
+* Quite a bit of new functionality in otp.  Changed default hash
+  function to `md5'.  Fixed implementation of SHA and added downcasing
+  of seed to conform with `draft-ietf-otp-01.txt'.  All verification
+  examples in the draft now work.
+
+* Fixed buffer overflows.
+
+* Add history/line editing in kadmin and ftp.
+
+* utmp/utmpx and wtmp/wtmpx might work better on strange machines.
+
+* Bug fixes for `rsh -n' and `rcp -x'.
+
+* reget now works in ftp and ftpd.  Passive mode works.  Other minor
+  bug fixes as well.
+
+* New option `-g umask' to ftpd for specifying the umask for anonymous users.
+
+* Fix for `-l' option in rxtelnet and rxterm.
+
+* XOVER support in popper.
+
+* Better support for building shared libraries.
+
+* Better support for talking to the KDC over TCP.  This could make it
+  easier to use brain-damaged firewalls.
+
+* Support FreeBSD-style MD5 /etc/passwd.
+
+* New option `-createuser' to afslog.
+
+* Upgraded to work with socks5-v1.0r1.
+
+* Almost compiles and works on OS/2 with EMX, and Win95/NT with gnu-win32.
+
+* Merged in win32-telnet, see README-WIN32 for more details.
+
+* Possibly fixed telnet bug on HP-UX 10.
+
+* Updated man-pages.
+
+* Support for NetBSD/OpenBSD manual page circus.
+
+* Bug fixes.
+
+Major changes in release 0.9.3:
+
+* kx has been rewritten and is now a lot easier to use.  Two new
+  scripts: rxtelnet and rxterm.  It also works on machines such as
+  Cray where the X-libraries cannot talk unix sockets.
+	
+* experimental OTP (RFC1938).  Included in login, ftpd, and popper.
+
+* authentication modules: PAM for linux, SIA for OSF/1, and
+  afskauthlib for Irix.
+
+* popper now has the UIDL command.
+
+* ftpd can now tar and compress files and directories on the fly, also
+  added a find site command.
+
+* updated documentation and man pages.
+
+* Change kuserok so that it acts as if luser@LOCALREALM is always an
+  entry of .klogin, even when it's not possible to verify that there
+  is no such file or the file is unreadable.
+
+* Support for SRV-records.
+
+* Socks v5 support.
+
+* rcp is AFS-aware.
+
+* allow for other transport mechanisms than udp (useful for firewall
+  tormented souls); as a side effect the format of krb.conf had to
+  become more flexible
+
+* sample programs included.
+
+* work arounds for Linux networking bugs in rlogind and rlogin.
+
+* more portable
+
+* quite a number of improvments/bugfixes
+
+* New platforms: HP-UX 10, Irix 6.2
+
+Major changes in release 0.9.2a:
+
+* fix annoying bug with kauth (et al) returning incorrect error
+
+Major changes in release 0.9.2:
+
+* service `kerberos-iv' and port 750 has been registered with IANA.
+
+* Bugfixes.
+
+  - Compiles with gcc on AIX.
+
+  - Compiles with really old resolvers.
+
+  - ftp works with afs string-to-key.
+
+  - shared libraries should work on Linux/ELF.
+
+  - some potential buffer overruns.
+
+  - general code clean-up.
+
+* Better Cray/UNICOS support.
+
+* New platforms: AIX 4.2, IRIX 6.1, and Linux 2.0
+
+Major changes in release 0.9.1:
+
+* Mostly bugfixes.
+
+  - No hardcoded references to /usr/athena
+
+  - Better Linux support with rlogin
+
+  - Fix for broken handling of NULL password in kadmind (such as with
+    `ksrvutil change')
+
+  - AFS-aware programs should work on AIX systems without AFS
+
+* New platforms: Digital UNIX 4.0 and Fujitsu UXP/V
+
+* New mechanism to determine realm from hostname based on DNS. To find
+  the realm of a.b.c.d it tries to find krb4-realm.a.b.c.d and then
+  krb4-realm.b.c.d and so on. The entry in DNS should be a TXT record
+  with the realm name.
+
+  krb4-realm.pdc.kth.se.  7200    TXT     "NADA.KTH.SE"
+
+Major changes in release 0.9:
+
+* Tested platforms:
+
+Dec Alpha	OSF/1 3.2	with cc -std1
+HP 9000/735	HP/UX 9.05	with gcc
+DEC Pmax	Ultrix 4.4	with gcc (cc does not work)
+IBM RS/6000	AIX 4.1		with xlc (gcc works, cc does not)
+SGI		IRIX 5.3	with cc
+Sun		SunOS 4.1.4	with gcc (cc is not ANSI and does not work)
+Sun		SunOS 5.5	with gcc
+Intel i386	NetBSD 1.2	with gcc
+Intel i386	Linux 1.3.95	with gcc
+Cray J90	Unicos 9	with cc
+
+* Mostly ported to Crays running Unicos 9.
+
+* S/Key-support in ftpd.
+
+* Delete operation supported in kerberos database.
+
+* Cleaner and more portable code.
+
+* Even less bugs than before.
+
+* kpopper now supports the old pop3 protocol and has been renamed to popper.
+
+* rsh can be renamed remsh.
+
+* Experimental program for forwarding IP over a kerberos tunnel.
+
+* Updated to libdes 3.23.
+
+Major changes in release 0.8:
+
+* New programs: ftp & ftpd.
+
+* New programs: kx & kxd.  These programs forward X connections over
+  kerberos-encrypted connections.
+
+* Incorporated version 3.21 of libdes.
+
+* login: No double utmp-entries on Solaris.
+
+* kafs
+
+  * Better guessing of what realm a cell belongs to.
+
+  * Support for authenticating to several cells.  Reads
+    /usr/vice/etc/TheseCells, if present.
+
+* ksrvutil: Support for generating AFS keys.
+
+* login, su, rshd, rlogind: tries to counter possible NIS-attack.
+
+* xnlock: several bug fixes and support for more than one screen.
+
+* Default port number for ekshell changed from 2106 to 545.  kauth
+  port changed from 4711 to 2120.
+
+* Rumored to work on Fujitsu UXP/V and Cray UNICOS.
+
+Major changes in release 0.7:
+
+* New experimental masterkey generation.   Enable with
+  --enable-random-mkey. Also the default place for the master key has
+  moved from /.k to /var/kerberos/master-key. This is customizable
+  with --with-mkey=file. If you don't want you master key to be on the
+  same backup medium as your database, remember to use this flag. All
+  relevant programs still checks for /.k.
+
+* `-t' option to kadmin.
+
+* Kpopper uses kuserok to verify if user is allowed to pop mail.
+
+* Kpopper tries to locate the mail spool directory: /var/mail or
+  /var/spool/mail.
+
+* kauth has ability to get ticket on a remove host with the `-h' option.
+
+* afslog (aklog clone) and pagsh included.
+
+* New format for /etc/krb.equiv.
+
+* Better multi-homed hosts support in kauth, rcp, rlogin, rlogind,
+  rshd, telnet, telnetd.
+
+* rlogind works on ultrix and aix 3.2.
+
+* lots of bug fixes.
+
+Major changes in release 0.6:
+
+* Tested platforms:
+
+DEC/Alpha	OSF3.2
+HP700		HPux 9.x
+Dec/Pmax	Ultrix 4.4	(rlogind not working)
+IBM RS/6000	AIX 3.2		(rlogind not working)
+IBM RS/6000	AIX 4.1
+SGI		Irix 5.3
+Sun		Sunos 4.1.x
+Sun		Sunos 5.4
+386		BSD/OS 2.0.1
+386		NetBSD 1.1
+386		Linux 1.2.13
+
+It is rumored to work to some extent on NextStep 3.3.
+
+* ksrvutil get to create new keys and put them in the database at the
+same time.
+
+* Support for S/Key in login.
+
+* kstring2key: new program to show string to key conversion.
+
+* Kerberos server should now listen on all available network
+interfaces and on both port 88 and 750.
+
+* Timeout in kpopper.
+
+* Support password quality checks in kadmind.  Use --with-crack-lib to
+link kadmind with cracklib.  The patches in cracklib.patch are needed.
+
+* Movemail from emacs 19.30.
+
+* Logging format uses four digits for years.
+
+* Fallback if port numbers are not listed in /etc/services.
+
+
+	* Relesed version 0.5
+
+	* lib/des/read_pwd.c: Redifine TIOCGETP and TIOCSETP so that the
+        same code is used both for posix termios and others.
+
+	* rsh, rlogin: Add environment variable RSTAR_NO_WARN which when
+	set to "yes" make warnings about "rlogin: warning, using standard
+	rlogin: remote host doesn't support Kerberos." go away.
+
+	* admin/kdb_util.c (load_db) lib/kdb/krb_dbm.c (kerb_db_update):
+        Optimized so that it can handle large databases, previously a
+        10000 entry DB would take *many* minutes, this can now be done in
+        under a minute.
+
+	* Changes in server/kerberos.c, kadmin/*.c slave/*.c to support 64
+        bit machines. Source should now be free of 64 bit assumptions.
+
+	* admin/copykey.c (copy_from_key): New functions for copying to
+        and from keys. Neccessary to solve som problems with longs on 64
+        bit machines in kdb_init, kdb_edit, kdb_util and ext_srvtab.
+
+	* lib/kdb/krb_kdb_utils.c (kdb_verify_master_key): More problems
+        with longs on 64 bit machines.
+
+	* appl/bsd/login.c (main): Lots of stuff to support Psoriasis
+        login. Courtesy of gertz@lysator.liu.se.
+
+	* configure.in, all Makefile.in's: Support for Linux shared
+        libraries. Courtesy of svedja@lysator.liu.se.
+
+	* lib/krb/cr_err_reply.c server/kerberos.c: Moved int req_act_vno
+	= KRB_PROT_VERSION; from server kode to libkrb where it really
+	belongs.
+
+        * appl/bsd/forkpty.c (forkpty): New function that allocates master
+        and slave ptys in a portable way. Used by rlogind.
+
+	* appl/telnet/telnetd/sys_term.c (start_login): Under SunOS5 the
+	same utmpx slot got used by sevral sessions. Courtesy of
+	gertz@lysator.liu.se.
+
+	* util/{ss, et}/Makefile.in (LEX): Use flex or lex. Courtesy of
+        svedja@lysator.liu.se.
+
+	* Fix the above Makefiles to work around bugs in Solaris and OSF/1
+        make rules that was triggered by VPATH functionality in the yacc
+        and lex rules.
+
+	* appl/kpopper/pop_log.c (pop_log) appl/kpopper/pop_msg.c (pop_msg):
+	Use stdarg instead of varargs. The code is still broken though,
+	you'll realize	that on a machine with 64 bit pointers and 32 bit 
+	int:s and no vsprintf, let's hope there will be no such beasts ;-).
+
+	* appl/telnet/telnetd/sys_term.c (getptyslave): Not all systems
+	 have (or need) modules ttcompat and pckt so don't flag it as a
+	 fatal error if they don't exist.
+
+	* kadmin/admin_server.c (kadm_listen) kadmind/kadm_ser_wrap.c
+	(kadm_listen): Add kludge for kadmind running on a multihomed
+	server. #ifdef:ed under MULTIHOMED_KADMIN. Change in acconfig.h
+	if you need this feature.
+
+	* appl/Makefile.in (SUBDIRS): Add applications movemail kpopper
+        and xnlock.
+
+	* appl/bsd/rlogin.c (main): New rlogind.c, forkpty() is not
+        implemented yet though.
+
+	* appl/xnlock/Makefile.in: Some stubs for X11 programs in
+        configure.in as well as a kerberized version of xnlock.
+
+	* appl/bsd/{rlogin.c, rsh.c, rcp.c}: Add code to support fallback
+        port numbers if they can not be found using getservbyname.
+
+	* appl/bsd/klogin.c (klogin): Use differnet ticket files for each
+        login so that a malicous user won't be able to destroy our tickets
+        with a failed login attempt.
+
+	* lib/kafs/afssys.c (k_afsklog): First we try afs.cell@REALM, if
+	there is no such thing try afs@CELL instead. There is now two
+	arguments to k_afslog(char *cell, char *realm).
+
+	* kadmin/admin_server.c (kadm_listen): If we are multihomed we
+        need to figure out which local address that is used this time
+        since it is used in "direction" comparison.
+
+	* kadmin/kadm_ser_wrap.c (kadm_ser_init): Fallback to use default
+        port number.
+
+	* lib/krb/send_to_kdc.c (send_to_kdc): Default port number
+        (KRB_PORT) was not in network byte order.
+
+	* lib/krb/send_to_kdc.c (send_recv): Linux clears timeout struct
+        when selecting.
+
+	* appl/bsd/rcp.c, appl/bsd/rlogin.c, appl/bsd/rsh.c:
+	Now does fallback if there isn't any entries in /etc/services for
+	klogin/kshell. This also made the code a bit more pretty.
+
+	* appl/bsd/login.c: Added support for lots of more struct utmp fields.
+	If there is no ttyslot() use setutent and friends.
+
+	* appl/bsd/Makefile.in, appl/bsd/rlogind.c, appl/bsd/rshd.c:
+	Added extern iruserok().
+
+	* appl/bsd/iruserok.c: Initial revision
+
+	* appl/bsd/bsd_locl.h: Must include sys/filio.h on Psoriasis.
+
+	* appl/bsd/Makefile.in: New install
+
+	* appl/bsd/pathnames.h: Fix default path, rsh and rlogin.
+
+	* appl/bsd/rshd.c: Extend default PATH with bindir to find rcp.
+
+	* appl/bsd/login.c (login): If there is no ttyslot use setutent
+	and friends. Added support for lots of more struct utmp fields.
+
+	* server/kerberos.c (main) lib/kafs/afssys.c appl/bsd/bsd_locl.h:
+        Must include sys/filio.h on Psoriasis to find _IOW and FIO* macros.
+
+	* appl/bsd/rlogind.c (doit): Use _PATH_DEFPATH rather than
+        _PATH_DEF.
+
+	* appl/bsd/login.c, su.c (main): Use fallback to bourne shell if
+        running as root.
+
+	* appl/bsd/su.c (main): Update usage message to reflect that '-'
+	option must come after the ordinary options and before login-id.
+
+	* appl/telnet/telnetd/telnetd.c (doit): If remote host name is to
+	long to fit into utmp try to remove domain part if it does match
+	our local domain.
+
+	(main): Add new option -L /bin/login so that it is possible to 
+	specify an alternate login program.
+
+	* appl/telnet/telnet/commands.c (env_init): When exporting
+	variable DISPLAY and if hostname is not the full name, try to get
+	the full name from DNS.
+
+	* appl/telnet/telnet/main.c (main): Option -k realm was broken due
+        to a bogous external declaration.
+
+	* kadmin/kadmin.c (add_new_key): Kadmin now properly sets
+	lifetime, expiration date and attributes in add_new_key command.
+
+	* appl/bsd/su.c (main): Don't handle '-' option with getopt.
+
+	* appl/telnet/telnet/externs.h: Removed protection for multiple
+	inclusions of termio(s).h since it broke definition of termio
+	macro on POSIX systems.
+
+	* lib/krb/lifetime.c (krb_life_to_time): If you want to disable
+	AFS compatible long lifetimes set krb_no_long_lifetimes = 1.
+	
+	Please note that the long lifetimes are 100% compatible up to
+	10h so this should rarely be necessary.
+
+	* lib/krb/krb_equiv.c (krb_equiv): If you don't want to use
+	ipaddress protection of tickets set krb_ignore_ip_address. This
+	makes it possible for an intruder to steal a ticket and then use
+	it from som other machine anywhere on the net.
+
+	* kadmin/kadm_ser_wrap.c (kadm_ser_init): Don't bind to only one
+        local address. Accept request on all interfaces.
+
+	* admin/kdb_edit.c (change_principal): Don't accept illegal
+        dates. Courtesy of gertz@lysator.liu.se.
+
+	* configure.in: AIX specific libraries needed when using standard
+        libc routine getttyent, IBM should be ashamed!
+
+	* lib/krb/recvauth.c (krb_recvauth): Long that should be int32_t
+        problem.
+
+	* Added strdup for su and rlogin.
+
+	* Fix for old syslog macros in appl/bsd/bsd_locl.
+
+	* lib/kdb/krb_dbm.c (kerb_db_rename) admin/kdb_destroy.c: New
+        ifdef HAVE_NEW_DB for new databases residing in one file only.
+
+	* appl/bsd/rlogin.c (oob): Add workaround for Linux.
+
+	* appl/bsd/getpass.c: New routine that reads up to 127 char
+        passwords. Used in su.c and login.c.
+
+	* appl/telnet/telnetd/sys_term.c (login_tty): Ioctl TIOCSCTTY
+        should not be used on HP-UX.
+
+==========================*** Released 0.2? ***=============================
+
+ksrvutil
+  If there is a dot in the about to be added principals name there is
+  no need to ask for instance name.
+
+kerberos & kadmind
+  Logfiles are created with small permissions (600).
+
+krb.conf and krb.realms
+ Use domain part as realm name if there is no match in krb.realms.
+ Use kerberos.REALMNAME if there is no match in krb.realms.
+
+rlogin
+  The rlogin client is supported both with and without encryption,
+  there is no rlogind yet though.
+
+login
+  There is login program that supports the -f option. Both kerberos
+  and /etc/passwd authentication is enabled.
+
+  Vendors login programs typically have no -f option (needed by
+  telnetd) and also does not know how to verify passwords againts
+  kerberos.
+
+appl/bsd/*
+  Now uses POSIX signals.
+
+kdb_edit, kadmin
+  Generate random passwords if administrator enters empty password.
+
+lib/kafs
+  New library to support AFS. Routines:
+  int k_hasafs(void);
+  int k_afsklog(...); or some other name
+  int k_setpag(void);
+  int k_unlog(void);
+  int k_pioctl(char *, int, struct ViceIoctl *, int);
+
+  Library supports more than one single entry point AFS syscalls
+  (needed be HP/UX and OSF/1 when running DFS). Doesn't rely on
+  transarc headers or library code. Same binaries can be used both on
+  machines running AFS and others.
+
+  This library is used in telnetd, login and the r* programs.
+
+telnet & telnetd
+  Based on telnet.95.05.31.NE but with the encryption hacks from
+  ftp.funet.fi:/pub/unix/security/esrasrc-1.0 added.  This encryption
+  stuff needed some more modifications (done by joda@nada.kth.se)
+  before it was usable. Telnet has also been modified to use GNU
+  autoconf.
+
+Numerous other changes that are long since forgotten.
diff --git a/crypto/kerberosIV/PROBLEMS b/crypto/kerberosIV/PROBLEMS
new file mode 100644
index 0000000..b72c521
--- /dev/null
+++ b/crypto/kerberosIV/PROBLEMS
@@ -0,0 +1,147 @@
+
+Problems compiling Kerberos
+===========================
+
+Many compilers require a switch to become ANSI compliant. Since krb4 is
+written in ANSI C it is necessary to specify the name of the compiler
+to be used and the required switch to make it ANSI compliant. This is
+most easily done when running configure using the `env' command. For
+instance to build under HP-UX using the native compiler do:
+
+     datan$ env CC="cc -Ae" ./configure
+
+In general `gcc' works. The following combinations have also been
+verified to successfully compile the distribution:
+
+`HP-UX'
+     `cc -Ae'
+
+`Digital UNIX'
+     `cc -std1'
+
+`AIX'
+     `xlc'
+
+`Solaris 2.x'
+     `cc' (unbundled one)
+
+`IRIX'
+     `cc'
+
+Linux problems
+--------------
+
+The libc functions gethostby*() under RedHat4.2 can sometimes cause
+core dumps. If you experience these problems make sure that the file
+`/etc/nsswitch.conf' contains a hosts entry no more complex than the
+line
+
+hosts: files dns
+
+Some systems have lost `/usr/include/ndbm.h' which is necessary to
+build krb4 correctly. There is a `ndbm.h.Linux' right next to the
+source distribution.
+
+There has been reports of non-working `libdb' on some Linux
+distributions.  If that happens, use the `--without-berkeley-db' when
+configuring.
+
+SunOS 5 (aka Solaris 2) problems
+--------------------------------
+
+When building shared libraries and using some combinations of GNU gcc/ld
+you better set the environment variable RUN_PATH to /usr/athena/lib
+(your target libdir). If you don't, then you will have to set
+LD_LIBRARY_PATH during runtime and the PAM module will not work.
+
+HP-UX problems
+--------------
+
+The shared library `/usr/lib/libndbm.sl' doesn't exist on all systems.
+To make problems even worse, there is never an archive version for
+static linking either. Therefore, when building "truly portable"
+binaries first install GNU gdbm or Berkeley DB, and make sure that you
+are linking against that library.
+
+Cray problems
+-------------
+
+`rlogind' won't work on Crays until `forkpty()' has been ported, in the
+mean time use `telnetd'.
+
+IRIX problems
+-------------
+
+IRIX has three different ABI:s (Application Binary Interface), there's
+an old 32 bit interface (known as O32, or just 32), a new 32 bit
+interface (N32), and a 64 bit interface (64). O32 and N32 are both 32
+bits, but they have different calling conventions, and alignment
+constraints, and similar. The N32 format is the default format from IRIX
+6.4.
+
+You select ABI at compile time, and you can do this with the
+`--with-mips-abi' configure option. The valid arguments are `o32',
+`n32', and `64', N32 is the default. Libraries for the three different
+ABI:s are normally installed installed in different directories (`lib',
+`lib32', and `lib64'). If you want more than one set of libraries you
+have to reconfigure and recompile for each ABI, but you should probably
+install only N32 binaries.
+
+GCC had had some known problems with the different ABI:s. Old GCC could
+only handle O32, newer GCC can handle N32, and 64, but not O32, but in
+some versions of GCC the structure alignment was broken in N32.
+
+This confusion with different ABI:s can cause some trouble. For
+instance, the `afskauthlib.so' library has to use the same ABI as
+`xdm', and `login'. The easiest way to check what ABI to use is to run
+`file' on `/usr/bin/X11/xdm'.
+
+Another problem that you might encounter if you run AFS is that Transarc
+apparently doesn't support the 64-bit ABI, and because of this you can't
+get tokens with a 64 bit application. If you really need to do this,
+there is a kernel module that provides this functionality at
+<ftp://ftp.pdc.kth.se/home/joda/irix-afs64.tar.gz>.
+
+AIX problems
+------------
+
+`gcc' version 2.7.2.* has a bug which makes it miscompile
+`appl/telnet/telnetd/sys_term.c' (and possibily `appl/bsd/forkpty.c'),
+if used with too much optimization.
+
+Some versions of the `xlc' preprocessor doesn't recognise the
+(undocumented) `-qnolm' option. If this option is passed to the
+preprocessor (like via the configuration file `/etc/ibmcxx.cfg',
+configure will fail.
+
+The solution is to remove this option from the configuration file,
+either globally, or for just the preprocessor:
+
+     $ cp /etc/ibmcxx.cfg /tmp
+     $ed /tmp/ibmcxx.cfg
+     8328
+     /nolm
+             options   = -D_AIX,-D_AIX32,-D_AIX41,-D_AIX43,-D_IBMR2,-D_POWER,-bpT:0x10000000,-bpD:0x20000000,-qnolm
+     s/,-qnolm//p
+             options   = -D_AIX,-D_AIX32,-D_AIX41,-D_AIX43,-D_IBMR2,-D_POWER,-bpT:0x10000000,-bpD:0x20000000
+     w
+     8321
+     q
+     $ env CC=xlc CPP="xlc -E -F/tmp/ibmcxx.cfg" configure
+
+There is a bug in AFS 3.4 version 5.38 for AIX 4.3 that causes the
+kernel to panic in some cases. There is a hack for this in `login', but
+other programs could be affected also. This seems to be fixed in
+version 5.55.
+
+C2 problems
+-----------
+
+The programs that checks passwords works with `passwd', OTP, and
+Kerberos paswords. This is problem if you use C2 security (or use some
+other password database), that normally keeps passwords in some obscure
+place. If you want to use Kerberos with C2 security you will have to
+think about what kind of changes are necessary. See also the discussion
+about Digital's SIA and C2 security, see *Note Digital SIA::.
+
+
diff --git a/crypto/kerberosIV/README b/crypto/kerberosIV/README
new file mode 100644
index 0000000..9c2f4a1
--- /dev/null
+++ b/crypto/kerberosIV/README
@@ -0,0 +1,47 @@
+
+*** PLEASE REPORT BUGS AND PROBLEMS TO kth-krb-bugs@nada.kth.se ***
+
+This is a severly hacked up version of Eric Young's eBones-p9 kerberos
+version. The DES library has been updated with his 3.23 version and
+numerous patches collected over the years have been applied to both
+the kerberos and DES sources, most notably the CMU patches for extended
+lifetimes that AFS uses. There is also support for AFS built into most
+programs. 
+
+The source has been changed to use ANSI C and POSIX to the largest
+possible extent. The code in util/et and appl/bsd have not been
+updated in this way though (they really need it).
+
+Telnet and telnetd are based on the telnet.95.10.23.NE.tar.Z. Kerberos
+authentication is the default and warnings are issued by telnetd if
+the telnet client does not turn on encryption.
+
+The r* programs in appl/bsd have been updated with newer sources from
+NetBSD and FreeBSD. NOTE: use of telnet is prefered to the use of
+rlogin which is a temporary hack and not an Internet standard (and has
+only been documented quite recently).  Telnet uses kerberos
+authentication to prevent the passing of cleartext passwords and is
+thus superior to rlogin.
+
+The distribution has been configured to primarily use kerberos
+authentication with a fallback to /etc/passwd passwords. This should
+make it easy to do a slow migration to kerberos.  OTP support is also
+included in login, popper, and ftpd.
+
+All programs in this distribution follow these conventions:
+
+/usr/athena/bin:	User programs
+/usr/athena/sbin:	Administrator programs
+/usr/athena/libexec:	Daemons
+/etc:			Configuration files
+/var/log:		Logfiles
+/var/kerberos:		Kerberos database and ACL files
+
+A W3-page is at http://www.pdc.kth.se/kth-krb/
+
+You can get some documentation from ftp://ftp.pdc.kth.se/pub/krb/doc.
+
+Please report bugs and problems to kth-krb-bugs@nada.kth.se
+
+There is a mailing list discussing kerberos at krb4@sics.se, send a
+message to majordomo@sics.se to subscribe.
diff --git a/crypto/kerberosIV/TODO b/crypto/kerberosIV/TODO
new file mode 100644
index 0000000..83c308e
--- /dev/null
+++ b/crypto/kerberosIV/TODO
@@ -0,0 +1,42 @@
+-*- indented-text -*-
+rlogind, rshd, popper, ftpd (telnetd uses nonce?)
+  Add a replay cache.
+
+rcp
+  figure out how it should really behave with -r
+
+telnet, rlogin, rsh, rcp
+  Some form of support for ticket forwarding, perhaps only for AFS tickets.
+
+telnet, telnetd
+  Add negotiation for keep-alives.
+
+rlogind
+  Fix utmp logging.
+
+documentation
+  Write more info on:
+  * how to use
+
+rshd
+  Read default environment from /etc/default/login and other files.
+  Encryption without secondary port is bugged, it currently does no
+  encryption. But, nobody uses it anyway.
+
+autoconf
+
+libraries
+  generate archive and shared libraries in some portable way.
+
+ftpd
+
+kx
+  Compress and recode X protocol?
+
+kip
+  Other kinds of encapsulations?
+  Tunnel device as loadable kernel module.
+  Speed?
+
+BUGS
+  Where?
diff --git a/crypto/kerberosIV/acconfig.h b/crypto/kerberosIV/acconfig.h
new file mode 100644
index 0000000..771207b
--- /dev/null
+++ b/crypto/kerberosIV/acconfig.h
@@ -0,0 +1,172 @@
+/* $Id: acconfig.h,v 1.105 1999/12/02 13:09:41 joda Exp $ */
+
+@BOTTOM@
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+
+/* This for compat with heimdal (or something) */
+#define KRB_PUT_INT(f, t, l, s) krb_put_int((f), (t), (l), (s))
+
+#define HAVE_KRB_ENABLE_DEBUG 1
+
+#define HAVE_KRB_DISABLE_DEBUG 1
+
+#define HAVE_KRB_GET_OUR_IP_FOR_REALM 1
+
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
+
+/*
+ * Set ORGANIZATION to be the desired organization string printed
+ * by the 'kinit' program.  It may have spaces.
+ */
+#define ORGANIZATION "eBones International"
+
+#if 0
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+#endif
+
+#if 0
+#define KRB_CNF_FILES	{ "/etc/krb.conf",   "/etc/kerberosIV/krb.conf", 0}
+#define KRB_RLM_FILES	{ "/etc/krb.realms", "/etc/kerberosIV/krb.realms", 0}
+#define KRB_EQUIV	"/etc/krb.equiv"
+
+#define KEYFILE		"/etc/srvtab"
+
+#define KRBDIR		"/var/kerberos"
+#define DBM_FILE	KRBDIR "/principal"
+#define DEFAULT_ACL_DIR	KRBDIR
+
+#define KRBLOG		"/var/log/kerberos.log"	/* master server  */
+#define KRBSLAVELOG	"/var/log/kerberos_slave.log" /* slave server  */
+#define KADM_SYSLOG	"/var/log/admin_server.syslog"
+#define K_LOGFIL	"/var/log/kpropd.log"
+#endif
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+/* ftp stuff -------------------------------------------------- */
+
+#define KERBEROS
+
+/* telnet stuff ----------------------------------------------- */
+
+/* define this for OTP support */
+#undef OTP
+
+/* define this if you have kerberos 4 */
+#undef KRB4
+
+/* define this if you want encryption */
+#undef ENCRYPTION
+
+/* define this if you want authentication */
+#undef AUTHENTICATION
+
+#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
+#define AUTHENTICATION 1
+#endif
+
+/* Set this if you want des encryption */
+#undef DES_ENCRYPTION
+
+/* Set this to the default system lead string for telnetd 
+ * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
+ * %v=os-version, %t=tty, %h=hostname, %d=date and time
+ */
+#undef USE_IM
+
+/* define this if you want diagnostics in telnetd */
+#undef DIAGNOSTICS
+
+/* define this if you want support for broken ENV_{VALUE,VAR} systems  */
+#undef ENV_HACK
+
+/*  */
+#undef OLD_ENVIRON
+
+/* Used with login -p */
+#undef LOGIN_ARGS
+
+/* set this to a sensible login */
+#ifndef LOGIN_PATH
+#define LOGIN_PATH BINDIR "/login"
+#endif
+
+
+/* ------------------------------------------------------------ */
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+/* Temporary fixes for krb_{rd,mk}_safe */
+#define DES_QUAD_GUESS 0
+#define DES_QUAD_NEW 1
+#define DES_QUAD_OLD 2
+
+/*
+ * All these are system-specific defines that I would rather not have at all.
+ */
+
+/*
+ * AIX braindamage!
+ */
+#if _AIX
+#define _ALL_SOURCE
+/* XXX this is gross, but kills about a gazillion warnings */
+struct ether_addr;
+struct sockaddr;
+struct sockaddr_dl;
+struct sockaddr_in;
+#endif
+
+#if defined(__sgi) || defined(sgi)
+#if defined(__SYSTYPE_SVR4) || defined(_SYSTYPE_SVR4)
+#define IRIX 5
+#else
+#define IRIX 4
+#endif
+#endif
+
+/* IRIX 4 braindamage */
+#if IRIX == 4 && !defined(__STDC__)
+#define __STDC__ 0
+#endif
+
+/*
+ * Defining this enables lots of useful (and used) extensions on
+ * glibc-based systems such as Linux
+ */
+
+#define _GNU_SOURCE
+
+/* some strange OS/2 stuff.  From <d96-mst@nada.kth.se> */
+
+#ifdef __EMX__
+#define _EMX_TCPIP
+#define MAIL_USE_SYSTEM_LOCK
+#endif
+
+#ifdef ROKEN_RENAME
+#include "roken_rename.h"
+#endif
diff --git a/crypto/kerberosIV/acinclude.m4 b/crypto/kerberosIV/acinclude.m4
new file mode 100644
index 0000000..7e7de6f
--- /dev/null
+++ b/crypto/kerberosIV/acinclude.m4
@@ -0,0 +1,9 @@
+dnl $Id: acinclude.m4,v 1.2 1999/03/01 13:06:21 joda Exp $
+dnl
+dnl Only put things that for some reason can't live in the `cf'
+dnl directory in this file.
+dnl
+
+dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl
+define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
diff --git a/crypto/kerberosIV/aclocal.m4 b/crypto/kerberosIV/aclocal.m4
new file mode 100644
index 0000000..0819f16
--- /dev/null
+++ b/crypto/kerberosIV/aclocal.m4
@@ -0,0 +1,1372 @@
+dnl aclocal.m4 generated automatically by aclocal 1.4
+
+dnl Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl This program is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+dnl even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+dnl PARTICULAR PURPOSE.
+
+dnl $Id: acinclude.m4,v 1.2 1999/03/01 13:06:21 joda Exp $
+dnl
+dnl Only put things that for some reason can't live in the `cf'
+dnl directory in this file.
+dnl
+
+dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl
+define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
+
+dnl $Id: krb-prog-ln-s.m4,v 1.1 1997/12/14 15:59:01 joda Exp $
+dnl
+dnl
+dnl Better test for ln -s, ln or cp
+dnl
+
+AC_DEFUN(AC_KRB_PROG_LN_S,
+[AC_MSG_CHECKING(for ln -s or something else)
+AC_CACHE_VAL(ac_cv_prog_LN_S,
+[rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  touch conftestdata1
+  if ln conftestdata1 conftestdata2; then
+    rm -f conftestdata*
+    ac_cv_prog_LN_S=ln
+  else
+    ac_cv_prog_LN_S=cp
+  fi
+fi])dnl
+LN_S="$ac_cv_prog_LN_S"
+AC_MSG_RESULT($ac_cv_prog_LN_S)
+AC_SUBST(LN_S)dnl
+])
+
+
+dnl $Id: krb-prog-yacc.m4,v 1.1 1997/12/14 15:59:02 joda Exp $
+dnl
+dnl
+dnl We prefer byacc or yacc because they do not use `alloca'
+dnl
+
+AC_DEFUN(AC_KRB_PROG_YACC,
+[AC_CHECK_PROGS(YACC, byacc yacc 'bison -y')])
+
+dnl $Id: test-package.m4,v 1.7 1999/04/19 13:33:05 assar Exp $
+dnl
+dnl AC_TEST_PACKAGE_NEW(package,headers,libraries,extra libs,default locations)
+
+AC_DEFUN(AC_TEST_PACKAGE,[AC_TEST_PACKAGE_NEW($1,[#include <$2>],$4,,$5)])
+
+AC_DEFUN(AC_TEST_PACKAGE_NEW,[
+AC_ARG_WITH($1,
+[  --with-$1=dir                use $1 in dir])
+AC_ARG_WITH($1-lib,
+[  --with-$1-lib=dir            use $1 libraries in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-lib])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+AC_ARG_WITH($1-include,
+[  --with-$1-include=dir        use $1 headers in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-include])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+
+AC_MSG_CHECKING(for $1)
+
+case "$with_$1" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_$1_include" = ""; then
+		with_$1_include="$with_$1/include"
+	fi
+	if test "$with_$1_lib" = ""; then
+		with_$1_lib="$with_$1/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d='$5'
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_$1_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_$1_include $header_dirs";;
+esac
+case "$with_$1_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_$1_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	AC_TRY_COMPILE([$2],,ires=$i;break)
+done
+for i in $lib_dirs; do
+	LIBS="-L$i $3 $4 $save_LIBS"
+	AC_TRY_LINK([$2],,lres=$i;break)
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
+	$1_includedir="$ires"
+	$1_libdir="$lres"
+	INCLUDE_$1="-I$$1_includedir"
+	LIB_$1="-L$$1_libdir $3"
+	AC_DEFINE_UNQUOTED(upcase($1),1,[Define if you have the $1 package.])
+	with_$1=yes
+	AC_MSG_RESULT([headers $ires, libraries $lres])
+else
+	INCLUDE_$1=
+	LIB_$1=
+	with_$1=no
+	AC_MSG_RESULT($with_$1)
+fi
+AC_SUBST(INCLUDE_$1)
+AC_SUBST(LIB_$1)
+])
+
+dnl $Id: osfc2.m4,v 1.2 1999/03/27 17:28:16 joda Exp $
+dnl
+dnl enable OSF C2 stuff
+
+AC_DEFUN(AC_CHECK_OSFC2,[
+AC_ARG_ENABLE(osfc2,
+[  --enable-osfc2          enable some OSF C2 support])
+LIB_security=
+if test "$enable_osfc2" = yes; then
+	AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.])
+	LIB_security=-lsecurity
+fi
+AC_SUBST(LIB_security)
+])
+
+dnl $Id: mips-abi.m4,v 1.4 1998/05/16 20:44:15 joda Exp $
+dnl
+dnl
+dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some
+dnl value.
+
+AC_DEFUN(AC_MIPS_ABI, [
+AC_ARG_WITH(mips_abi,
+[  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)])
+
+case "$host_os" in
+irix*)
+with_mips_abi="${with_mips_abi:-yes}"
+if test -n "$GCC"; then
+
+# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select
+# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs.
+#
+# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old
+# GCC and revert back to O32. The same goes if O32 is asked for - old
+# GCCs doesn't like the -mabi option, and new GCCs can't output O32.
+#
+# Don't you just love *all* the different SGI ABIs?
+
+case "${with_mips_abi}" in 
+        32|o32) abi='-mabi=32';  abilibdirext=''     ;;
+       n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
+        64) abi='-mabi=64';  abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_ERROR("Invalid ABI specified") ;;
+esac
+if test -n "$abi" ; then
+ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
+dnl
+dnl can't use AC_CACHE_CHECK here, since it doesn't quote CACHE-ID to
+dnl AC_MSG_RESULT
+dnl
+AC_MSG_CHECKING([if $CC supports the $abi option])
+AC_CACHE_VAL($ac_foo, [
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $abi"
+AC_TRY_COMPILE(,int x;, eval $ac_foo=yes, eval $ac_foo=no)
+CFLAGS="$save_CFLAGS"
+])
+ac_res=`eval echo \\\$$ac_foo`
+AC_MSG_RESULT($ac_res)
+if test $ac_res = no; then
+# Try to figure out why that failed...
+case $abi in
+	-mabi=32) 
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS -mabi=n32"
+	AC_TRY_COMPILE(,int x;, ac_res=yes, ac_res=no)
+	CLAGS="$save_CFLAGS"
+	if test $ac_res = yes; then
+		# New GCC
+		AC_ERROR([$CC does not support the $with_mips_abi ABI])
+	fi
+	# Old GCC
+	abi=''
+	abilibdirext=''
+	;;
+	-mabi=n32|-mabi=64)
+		if test $with_mips_abi = yes; then
+			# Old GCC, default to O32
+			abi=''
+			abilibdirext=''
+		else
+			# Some broken GCC
+			AC_ERROR([$CC does not support the $with_mips_abi ABI])
+		fi
+	;;
+esac
+fi #if test $ac_res = no; then
+fi #if test -n "$abi" ; then
+else
+case "${with_mips_abi}" in
+        32|o32) abi='-32'; abilibdirext=''     ;;
+       n32|yes) abi='-n32'; abilibdirext='32'  ;;
+        64) abi='-64'; abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_ERROR("Invalid ABI specified") ;;
+esac
+fi #if test -n "$GCC"; then
+;;
+esac
+])
+
+dnl
+dnl $Id: shared-libs.m4,v 1.4.14.3 2000/12/07 18:03:00 bg Exp $
+dnl
+dnl Shared library stuff has to be different everywhere
+dnl
+
+AC_DEFUN(AC_SHARED_LIBS, [
+
+dnl Check if we want to use shared libraries
+AC_ARG_ENABLE(shared,
+[  --enable-shared         create shared libraries for Kerberos])
+
+AC_SUBST(CFLAGS)dnl
+AC_SUBST(LDFLAGS)dnl
+
+case ${enable_shared} in
+  yes ) enable_shared=yes;;
+  no  ) enable_shared=no;;
+  *   ) enable_shared=no;;
+esac
+
+# NOTE: Building shared libraries may not work if you do not use gcc!
+#
+# OS		$SHLIBEXT
+# HP-UX		sl
+# Linux		so
+# NetBSD	so
+# FreeBSD	so
+# OSF		so
+# SunOS5	so
+# SunOS4	so.0.5
+# Irix		so
+#
+# LIBEXT is the extension we should build (.a or $SHLIBEXT)
+LINK='$(CC)'
+AC_SUBST(LINK)
+lib_deps=yes
+REAL_PICFLAGS="-fpic"
+LDSHARED='$(CC) $(PICFLAGS) -shared'
+LIBPREFIX=lib
+build_symlink_command=@true
+install_symlink_command=@true
+install_symlink_command2=@true
+REAL_SHLIBEXT=so
+changequote({,})dnl
+SHLIB_VERSION=`echo $VERSION | sed 's/\([0-9.]*\).*/\1/'`
+SHLIB_SONAME=`echo $VERSION | sed 's/\([0-9]*\).*/\1/'`
+changequote([,])dnl
+case "${host}" in
+*-*-hpux*)
+	REAL_SHLIBEXT=sl
+	REAL_LD_FLAGS='-Wl,+b$(libdir)'
+	if test -z "$GCC"; then
+		LDSHARED="ld -b"
+		REAL_PICFLAGS="+z"
+	fi
+	lib_deps=no
+	;;
+*-*-linux*)
+	LDSHARED='$(CC) -shared -Wl,-soname,$(LIBNAME).so.'"${SHLIB_SONAME}"
+	REAL_LD_FLAGS='-Wl,-rpath,$(libdir)'
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	build_symlink_command='$(LN_S) -f [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	;;
+changequote(,)dnl
+*-*-freebsd[345]* | *-*-freebsdelf[345]*)
+changequote([,])dnl
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	build_symlink_command='$(LN_S) -f [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	;;
+*-*-*bsd*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	LDSHARED='ld -Bshareable'
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	;;
+*-*-osf*)
+	REAL_LD_FLAGS='-Wl,-rpath,$(libdir)'
+	REAL_PICFLAGS=
+	LDSHARED='ld -shared -expect_unresolved \*'
+	;;
+*-*-solaris2*)
+	LDSHARED='$(CC) -shared -Wl,-h$(LIBNAME).so.'"${SHLIB_SONAME}"
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	build_symlink_command='$(LN_S) [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	if test -z "$GCC"; then
+		LDSHARED='$(CC) -G -h$(LIBNAME).so.'"${SHLIB_SONAME}"
+		REAL_PICFLAGS="-Kpic"
+	fi
+	;;
+*-fujitsu-uxpv*)
+	REAL_LD_FLAGS='' # really: LD_RUN_PATH=$(libdir) cc -o ...
+	REAL_LINK='LD_RUN_PATH=$(libdir) $(CC)'
+	LDSHARED='$(CC) -G'
+	REAL_PICFLAGS="-Kpic"
+	lib_deps=no # fails in mysterious ways
+	;;
+*-*-sunos*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	REAL_LD_FLAGS='-Wl,-L$(libdir)'
+	lib_deps=no
+	;;
+*-*-irix*)
+        libdir="${libdir}${abilibdirext}"
+        REAL_LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)"
+        LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)"
+	LDSHARED="\$(CC) -shared ${abi}"
+        REAL_PICFLAGS=
+        CFLAGS="${abi} ${CFLAGS}"
+	;;
+*-*-os2*)
+	LIBPREFIX=
+	EXECSUFFIX='.exe'
+	RANLIB=EMXOMF
+	LD_FLAGS=-Zcrtdll
+	REAL_SHLIBEXT=nobuild
+	;;
+*-*-cygwin32*)
+	EXECSUFFIX='.exe'
+	REAL_SHLIBEXT=nobuild
+	;;
+*)	REAL_SHLIBEXT=nobuild
+	REAL_PICFLAGS= 
+	;;
+esac
+
+if test "${enable_shared}" != "yes" ; then 
+ PICFLAGS=""
+ SHLIBEXT="nobuild"
+ LIBEXT="a"
+ build_symlink_command=@true
+ install_symlink_command=@true
+ install_symlink_command2=@true
+else
+ PICFLAGS="$REAL_PICFLAGS"
+ SHLIBEXT="$REAL_SHLIBEXT"
+ LIBEXT="$SHLIBEXT"
+ AC_MSG_CHECKING(whether to use -rpath)
+ case "$libdir" in
+   /lib | /usr/lib | /usr/local/lib)
+     AC_MSG_RESULT(no)
+     REAL_LD_FLAGS=
+     LD_FLAGS=
+     ;;
+   *)
+     LD_FLAGS="$REAL_LD_FLAGS"
+     test "$REAL_LINK" && LINK="$REAL_LINK"
+     AC_MSG_RESULT($LD_FLAGS)
+     ;;
+   esac
+fi
+
+if test "$lib_deps" = yes; then
+	lib_deps_yes=""
+	lib_deps_no="# "
+else
+	lib_deps_yes="# "
+	lib_deps_no=""
+fi
+AC_SUBST(lib_deps_yes)
+AC_SUBST(lib_deps_no)
+
+# use supplied ld-flags, or none if `no'
+if test "$with_ld_flags" = no; then
+	LD_FLAGS=
+elif test -n "$with_ld_flags"; then
+	LD_FLAGS="$with_ld_flags"
+fi
+
+AC_SUBST(REAL_PICFLAGS) dnl
+AC_SUBST(REAL_SHLIBEXT) dnl
+AC_SUBST(REAL_LD_FLAGS) dnl
+
+AC_SUBST(PICFLAGS) dnl
+AC_SUBST(SHLIBEXT) dnl
+AC_SUBST(LDSHARED) dnl
+AC_SUBST(LD_FLAGS) dnl
+AC_SUBST(LIBEXT) dnl
+AC_SUBST(LIBPREFIX) dnl
+AC_SUBST(EXECSUFFIX) dnl
+
+AC_SUBST(build_symlink_command)dnl
+AC_SUBST(install_symlink_command)dnl
+AC_SUBST(install_symlink_command2)dnl
+])
+
+dnl
+dnl $Id: c-attribute.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+
+dnl
+dnl Test for __attribute__
+dnl
+
+AC_DEFUN(AC_C___ATTRIBUTE__, [
+AC_MSG_CHECKING(for __attribute__)
+AC_CACHE_VAL(ac_cv___attribute__, [
+AC_TRY_COMPILE([
+#include <stdlib.h>
+],
+[
+static void foo(void) __attribute__ ((noreturn));
+
+static void
+foo(void)
+{
+  exit(1);
+}
+],
+ac_cv___attribute__=yes,
+ac_cv___attribute__=no)])
+if test "$ac_cv___attribute__" = "yes"; then
+  AC_DEFINE(HAVE___ATTRIBUTE__, 1, [define if your compiler has __attribute__])
+fi
+AC_MSG_RESULT($ac_cv___attribute__)
+])
+
+
+dnl $Id: krb-sys-nextstep.m4,v 1.2 1998/06/03 23:48:40 joda Exp $
+dnl
+dnl
+dnl NEXTSTEP is not posix compliant by default,
+dnl you need a switch -posix to the compiler
+dnl
+
+AC_DEFUN(AC_KRB_SYS_NEXTSTEP, [
+AC_MSG_CHECKING(for NEXTSTEP)
+AC_CACHE_VAL(krb_cv_sys_nextstep,
+AC_EGREP_CPP(yes, 
+[#if defined(NeXT) && !defined(__APPLE__)
+	yes
+#endif 
+], krb_cv_sys_nextstep=yes, krb_cv_sys_nextstep=no) )
+if test "$krb_cv_sys_nextstep" = "yes"; then
+  CFLAGS="$CFLAGS -posix"
+  LIBS="$LIBS -posix"
+fi
+AC_MSG_RESULT($krb_cv_sys_nextstep)
+])
+
+dnl $Id: krb-sys-aix.m4,v 1.1 1997/12/14 15:59:02 joda Exp $
+dnl
+dnl
+dnl AIX have a very different syscall convention
+dnl
+AC_DEFUN(AC_KRB_SYS_AIX, [
+AC_MSG_CHECKING(for AIX)
+AC_CACHE_VAL(krb_cv_sys_aix,
+AC_EGREP_CPP(yes, 
+[#ifdef _AIX
+	yes
+#endif 
+], krb_cv_sys_aix=yes, krb_cv_sys_aix=no) )
+AC_MSG_RESULT($krb_cv_sys_aix)
+])
+
+dnl $Id: find-func-no-libs.m4,v 1.5 1999/10/30 21:08:18 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS, [
+AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])])
+
+dnl $Id: find-func-no-libs2.m4,v 1.3 1999/10/30 21:09:53 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS2(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS2, [
+
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(ac_cv_funclib_$1,
+[
+if eval "test \"\$ac_cv_func_$1\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in $2; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$6 $ac_lib $5 $ac_save_LIBS"
+		AC_TRY_LINK([$3],[$1($4)],eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break)
+	done
+	eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}"
+	LIBS="$ac_save_LIBS"
+fi
+])
+
+eval "ac_res=\$ac_cv_funclib_$1"
+
+dnl autoheader tricks *sigh*
+: << END
+@@@funcs="$funcs $1"@@@
+@@@libs="$libs $2"@@@
+END
+
+# $1
+eval "ac_tr_func=HAVE_[]upcase($1)"
+eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')"
+eval "LIB_$1=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_$1=yes"
+	eval "LIB_$1="
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_MSG_RESULT([yes])
+	;;
+	no)
+	eval "ac_cv_func_$1=no"
+	eval "LIB_$1="
+	AC_MSG_RESULT([no])
+	;;
+	*)
+	eval "ac_cv_func_$1=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_DEFINE_UNQUOTED($ac_tr_lib)
+	AC_MSG_RESULT([yes, in $ac_res])
+	;;
+esac
+AC_SUBST(LIB_$1)
+])
+
+dnl
+dnl $Id: check-netinet-ip-and-tcp.m4,v 1.2 1999/05/14 13:15:40 assar Exp $
+dnl
+
+dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3
+dnl you have to include standards.h before including these files
+
+AC_DEFUN(CHECK_NETINET_IP_AND_TCP,
+[
+AC_CHECK_HEADERS(standards.h)
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+AC_MSG_CHECKING([for $i])
+AC_CACHE_VAL([ac_cv_header_$cv],
+[AC_TRY_CPP([\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+],
+eval "ac_cv_header_$cv=yes",
+eval "ac_cv_header_$cv=no")])
+AC_MSG_RESULT(`eval echo \\$ac_cv_header_$cv`)
+changequote(, )dnl
+if test `eval echo \\$ac_cv_header_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+changequote([, ])dnl
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+fi
+done
+dnl autoheader tricks *sigh*
+: << END
+@@@headers="$headers netinet/ip.h netinet/tcp.h"@@@
+END
+
+])
+
+dnl $Id: grok-type.m4,v 1.4 1999/11/29 11:16:48 joda Exp $
+dnl
+AC_DEFUN(AC_GROK_TYPE, [
+AC_CACHE_VAL(ac_cv_type_$1, 
+AC_TRY_COMPILE([
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+],
+$i x;
+,
+eval ac_cv_type_$1=yes,
+eval ac_cv_type_$1=no))])
+
+AC_DEFUN(AC_GROK_TYPES, [
+for i in $1; do
+	AC_MSG_CHECKING(for $i)
+	AC_GROK_TYPE($i)
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_[]upcase($i)
+		AC_DEFINE_UNQUOTED($type)
+	fi
+	AC_MSG_RESULT($ac_res)
+done
+])
+
+dnl $Id: find-func.m4,v 1.1 1997/12/14 15:58:58 joda Exp $
+dnl
+dnl AC_FIND_FUNC(func, libraries, includes, arguments)
+AC_DEFUN(AC_FIND_FUNC, [
+AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4])
+if test -n "$LIB_$1"; then
+	LIBS="$LIB_$1 $LIBS"
+fi
+])
+
+dnl 
+dnl See if there is any X11 present
+dnl
+dnl $Id: check-x.m4,v 1.2 1999/11/05 04:25:23 assar Exp $
+
+AC_DEFUN(KRB_CHECK_X,[
+AC_PATH_XTRA
+
+# try to figure out if we need any additional ld flags, like -R
+# and yes, the autoconf X test is utterly broken
+if test "$no_x" != yes; then
+	AC_CACHE_CHECK(for special X linker flags,krb_cv_sys_x_libs_rpath,[
+	ac_save_libs="$LIBS"
+	ac_save_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS $X_CFLAGS"
+	krb_cv_sys_x_libs_rpath=""
+	krb_cv_sys_x_libs=""
+	for rflag in "" "-R" "-R " "-rpath "; do
+		if test "$rflag" = ""; then
+			foo="$X_LIBS"
+		else
+			foo=""
+			for flag in $X_LIBS; do
+			case $flag in
+			-L*)
+				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
+				;;
+			*)
+				foo="$foo $flag"
+				;;
+			esac
+			done
+		fi
+		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
+		AC_TRY_RUN([
+		#include <X11/Xlib.h>
+		foo()
+		{
+		XOpenDisplay(NULL);
+		}
+		main()
+		{
+		return 0;
+		}
+		], krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:)
+	done
+	LIBS="$ac_save_libs"
+	CFLAGS="$ac_save_cflags"
+	])
+	X_LIBS="$krb_cv_sys_x_libs"
+fi
+])
+
+dnl $Id: check-xau.m4,v 1.3 1999/05/14 01:17:06 assar Exp $
+dnl
+dnl check for Xau{Read,Write}Auth and XauFileName
+dnl
+AC_DEFUN(AC_CHECK_XAU,[
+save_CFLAGS="$CFLAGS"
+CFLAGS="$X_CFLAGS $CFLAGS"
+save_LIBS="$LIBS"
+dnl LIBS="$X_LIBS $X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $X_LIBS"
+
+
+AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau)
+ac_xxx="$LIBS"
+LIBS="$LIB_XauWriteAuth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau)
+LIBS="$LIB_XauReadAauth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau)
+LIBS="$ac_xxx"
+
+case "$ac_cv_funclib_XauWriteAuth" in
+yes)	;;
+no)	;;
+*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	else
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	fi
+	;;
+esac
+
+if test "$AUTOMAKE" != ""; then
+	AM_CONDITIONAL(NEED_WRITEAUTH, test "$ac_cv_func_XauWriteAuth" != "yes")
+else
+	AC_SUBST(NEED_WRITEAUTH_TRUE)
+	AC_SUBST(NEED_WRITEAUTH_FALSE)
+	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+		NEED_WRITEAUTH_TRUE=
+		NEED_WRITEAUTH_FALSE='#'
+	else
+		NEED_WRITEAUTH_TRUE='#'
+		NEED_WRITEAUTH_FALSE=
+	fi
+fi
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+LDFLAGS=$save_LDFLAGS
+])
+
+# Define a conditional.
+
+AC_DEFUN(AM_CONDITIONAL,
+[AC_SUBST($1_TRUE)
+AC_SUBST($1_FALSE)
+if $2; then
+  $1_TRUE=
+  $1_FALSE='#'
+else
+  $1_TRUE='#'
+  $1_FALSE=
+fi])
+
+dnl $Id: krb-find-db.m4,v 1.5.16.1 2000/08/16 04:11:57 assar Exp $
+dnl
+dnl find a suitable database library
+dnl
+dnl AC_FIND_DB(libraries)
+AC_DEFUN(KRB_FIND_DB, [
+
+lib_dbm=no
+lib_db=no
+
+for i in $1; do
+
+	if test "$i"; then
+		m="lib$i"
+		l="-l$i"
+	else
+		m="libc"
+		l=""
+	fi	
+
+	AC_MSG_CHECKING(for dbm_open in $m)
+	AC_CACHE_VAL(ac_cv_krb_dbm_open_$m, [
+
+	save_LIBS="$LIBS"
+	LIBS="$l $LIBS"
+	AC_TRY_RUN([
+#include <unistd.h>
+#include <fcntl.h>
+#if defined(HAVE_NDBM_H)
+#include <ndbm.h>
+#elif defined(HAVE_GDBM_NDBM_H)
+#include <gdbm/ndbm.h>
+#elif defined(HAVE_DBM_H)
+#include <dbm.h>
+#elif defined(HAVE_RPCSVC_DBM_H)
+#include <rpcsvc/dbm.h>
+#elif defined(HAVE_DB_H)
+#define DB_DBM_HSEARCH 1
+#include <db.h>
+#endif
+int main()
+{
+  DBM *d;
+
+  d = dbm_open("conftest", O_RDWR | O_CREAT, 0666);
+  if(d == NULL)
+    return 1;
+  dbm_close(d);
+  return 0;
+}], [
+	if test -f conftest.db; then
+		ac_res=db
+	else
+		ac_res=dbm
+	fi], ac_res=no, ac_res=no)
+
+	LIBS="$save_LIBS"
+
+	eval ac_cv_krb_dbm_open_$m=$ac_res])
+	eval ac_res=\$ac_cv_krb_dbm_open_$m
+	AC_MSG_RESULT($ac_res)
+
+	if test "$lib_dbm" = no -a $ac_res = dbm; then
+		lib_dbm="$l"
+	elif test "$lib_db" = no -a $ac_res = db; then
+		lib_db="$l"
+		break
+	fi
+done
+
+AC_MSG_CHECKING(for NDBM library)
+ac_ndbm=no
+if test "$lib_db" != no; then
+	LIB_DBM="$lib_db"
+	ac_ndbm=yes
+	AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files ending in .db).])
+	if test "$LIB_DBM"; then
+		ac_res="yes, $LIB_DBM"
+	else
+		ac_res=yes
+	fi
+elif test "$lib_dbm" != no; then
+	LIB_DBM="$lib_dbm"
+	ac_ndbm=yes
+	if test "$LIB_DBM"; then
+		ac_res="yes, $LIB_DBM"
+	else
+		ac_res=yes
+	fi
+else
+	LIB_DBM=""
+	ac_res=no
+fi
+test "$ac_ndbm" = yes && AC_DEFINE(NDBM, 1, [Define if you have NDBM (and not DBM)])dnl
+AC_SUBST(LIB_DBM)
+DBLIB="$LIB_DBM"
+AC_SUBST(DBLIB)
+AC_MSG_RESULT($ac_res)
+
+])
+
+dnl $Id: broken-snprintf.m4,v 1.3 1999/03/01 09:52:22 joda Exp $
+dnl
+AC_DEFUN(AC_BROKEN_SNPRINTF, [
+AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working,
+ac_cv_func_snprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+changequote(`,')dnl
+	char foo[3];
+changequote([,])dnl
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}],:,ac_cv_func_snprintf_working=no,:))
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_SNPRINTF, 1, [define if you have a working snprintf])
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],snprintf)
+fi
+])
+
+AC_DEFUN(AC_BROKEN_VSNPRINTF,[
+AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working,
+ac_cv_func_vsnprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+int foo(int num, ...)
+{
+changequote(`,')dnl
+	char bar[3];
+changequote([,])dnl
+	va_list arg;
+	va_start(arg, num);
+	vsnprintf(bar, 2, "%s", arg);
+	va_end(arg);
+	return strcmp(bar, "1");
+}
+
+
+int main()
+{
+	return foo(0, "12");
+}],:,ac_cv_func_vsnprintf_working=no,:))
+
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_VSNPRINTF, 1, [define if you have a working vsnprintf])
+fi
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],vsnprintf)
+fi
+])
+
+dnl $Id: need-proto.m4,v 1.2 1999/03/01 09:52:24 joda Exp $
+dnl
+dnl
+dnl Check if we need the prototype for a function
+dnl
+
+dnl AC_NEED_PROTO(includes, function)
+
+AC_DEFUN(AC_NEED_PROTO, [
+if test "$ac_cv_func_$2+set" != set -o "$ac_cv_func_$2" = yes; then
+AC_CACHE_CHECK([if $2 needs a prototype], ac_cv_func_$2_noproto,
+AC_TRY_COMPILE([$1],
+[struct foo { int foo; } xx;
+extern int $2 (struct foo*);
+$2(&xx);
+],
+eval "ac_cv_func_$2_noproto=yes",
+eval "ac_cv_func_$2_noproto=no"))
+define([foo], [NEED_]translit($2, [a-z], [A-Z])[_PROTO])
+if test "$ac_cv_func_$2_noproto" = yes; then
+	AC_DEFINE(foo, 1, [define if the system is missing a prototype for $2()])
+fi
+undefine([foo])
+fi
+])
+
+dnl $Id: broken-glob.m4,v 1.2 1999/03/01 09:52:15 joda Exp $
+dnl
+dnl check for glob(3)
+dnl
+AC_DEFUN(AC_BROKEN_GLOB,[
+AC_CACHE_CHECK(for working glob, ac_cv_func_glob_working,
+ac_cv_func_glob_working=yes
+AC_TRY_LINK([
+#include <stdio.h>
+#include <glob.h>],[
+glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE, NULL, NULL);
+],:,ac_cv_func_glob_working=no,:))
+
+if test "$ac_cv_func_glob_working" = yes; then
+	AC_DEFINE(HAVE_GLOB, 1, [define if you have a glob() that groks 
+	GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, and GLOB_TILDE])
+fi
+if test "$ac_cv_func_glob_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>
+#include <glob.h>],glob)
+fi
+])
+
+dnl
+dnl $Id: capabilities.m4,v 1.2 1999/09/01 11:02:26 joda Exp $
+dnl
+
+dnl
+dnl Test SGI capabilities
+dnl
+
+AC_DEFUN(KRB_CAPABILITIES,[
+
+AC_CHECK_HEADERS(capability.h sys/capability.h)
+
+AC_CHECK_FUNCS(sgi_getcapabilitybyname cap_set_proc)
+])
+
+dnl $Id: check-getpwnam_r-posix.m4,v 1.2 1999/03/23 16:47:31 joda Exp $
+dnl
+dnl check for getpwnam_r, and if it's posix or not
+
+AC_DEFUN(AC_CHECK_GETPWNAM_R_POSIX,[
+AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r)
+if test "$ac_cv_func_getpwnam_r" = yes; then
+	AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix,
+	ac_libs="$LIBS"
+	LIBS="$LIBS $LIB_getpwnam_r"
+	AC_TRY_RUN([
+#include <pwd.h>
+int main()
+{
+	struct passwd pw, *pwd;
+	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
+}
+],ac_cv_func_getpwnam_r_posix=yes,ac_cv_func_getpwnam_r_posix=no,:)
+LIBS="$ac_libs")
+if test "$ac_cv_func_getpwnam_r_posix" = yes; then
+	AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.])
+fi
+fi
+])
+dnl
+dnl $Id: krb-func-getlogin.m4,v 1.1 1999/07/13 17:45:30 assar Exp $
+dnl
+dnl test for POSIX (broken) getlogin
+dnl
+
+
+AC_DEFUN(AC_FUNC_GETLOGIN, [
+AC_CHECK_FUNCS(getlogin setlogin)
+if test "$ac_cv_func_getlogin" = yes; then
+AC_CACHE_CHECK(if getlogin is posix, ac_cv_func_getlogin_posix, [
+if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
+	ac_cv_func_getlogin_posix=no
+else
+	ac_cv_func_getlogin_posix=yes
+fi
+])
+if test "$ac_cv_func_getlogin_posix" = yes; then
+	AC_DEFINE(POSIX_GETLOGIN, 1, [Define if getlogin has POSIX flavour (and not BSD).])
+fi
+fi
+])
+
+dnl $Id: find-if-not-broken.m4,v 1.2 1998/03/16 22:16:27 joda Exp $
+dnl
+dnl
+dnl Mix between AC_FIND_FUNC and AC_BROKEN
+dnl
+
+AC_DEFUN(AC_FIND_IF_NOT_BROKEN,
+[AC_FIND_FUNC([$1], [$2], [$3], [$4])
+if eval "test \"$ac_cv_func_$1\" != yes"; then
+LIBOBJS[]="$LIBOBJS $1.o"
+fi
+AC_SUBST(LIBOBJS)dnl
+])
+
+dnl $Id: broken.m4,v 1.3 1998/03/16 22:16:19 joda Exp $
+dnl
+dnl
+dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal
+dnl libraries 
+
+AC_DEFUN(AC_BROKEN,
+[for ac_func in $1
+do
+AC_CHECK_FUNC($ac_func, [
+ac_tr_func=HAVE_[]upcase($ac_func)
+AC_DEFINE_UNQUOTED($ac_tr_func)],[LIBOBJS[]="$LIBOBJS ${ac_func}.o"])
+dnl autoheader tricks *sigh*
+: << END
+@@@funcs="$funcs $1"@@@
+END
+done
+AC_SUBST(LIBOBJS)dnl
+])
+
+dnl $Id: krb-func-getcwd-broken.m4,v 1.2 1999/03/01 13:03:32 joda Exp $
+dnl
+dnl
+dnl test for broken getcwd in (SunOS braindamage)
+dnl
+
+AC_DEFUN(AC_KRB_FUNC_GETCWD_BROKEN, [
+if test "$ac_cv_func_getcwd" = yes; then
+AC_MSG_CHECKING(if getcwd is broken)
+AC_CACHE_VAL(ac_cv_func_getcwd_broken, [
+ac_cv_func_getcwd_broken=no
+
+AC_TRY_RUN([
+#include <errno.h>
+char *getcwd(char*, int);
+
+void *popen(char *cmd, char *mode)
+{
+	errno = ENOTTY;
+	return 0;
+}
+
+int main()
+{
+	char *ret;
+	ret = getcwd(0, 1024);
+	if(ret == 0 && errno == ENOTTY)
+		return 0;
+	return 1;
+}
+], ac_cv_func_getcwd_broken=yes,:,:)
+])
+if test "$ac_cv_func_getcwd_broken" = yes; then
+	AC_DEFINE(BROKEN_GETCWD, 1, [Define if getcwd is broken (like in SunOS 4).])dnl
+	LIBOBJS="$LIBOBJS getcwd.o"
+	AC_SUBST(LIBOBJS)dnl
+	AC_MSG_RESULT($ac_cv_func_getcwd_broken)
+else
+	AC_MSG_RESULT([seems ok])
+fi
+fi
+])
+
+dnl $Id: proto-compat.m4,v 1.3 1999/03/01 13:03:48 joda Exp $
+dnl
+dnl
+dnl Check if the prototype of a function is compatible with another one
+dnl
+
+dnl AC_PROTO_COMPAT(includes, function, prototype)
+
+AC_DEFUN(AC_PROTO_COMPAT, [
+AC_CACHE_CHECK([if $2 is compatible with system prototype],
+ac_cv_func_$2_proto_compat,
+AC_TRY_COMPILE([$1],
+[$3;],
+eval "ac_cv_func_$2_proto_compat=yes",
+eval "ac_cv_func_$2_proto_compat=no"))
+define([foo], translit($2, [a-z], [A-Z])[_PROTO_COMPATIBLE])
+if test "$ac_cv_func_$2_proto_compat" = yes; then
+	AC_DEFINE(foo, 1, [define if prototype of $2 is compatible with
+	$3])
+fi
+undefine([foo])
+])
+dnl $Id: check-var.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl AC_CHECK_VAR(includes, variable)
+AC_DEFUN(AC_CHECK_VAR, [
+AC_MSG_CHECKING(for $2)
+AC_CACHE_VAL(ac_cv_var_$2, [
+AC_TRY_LINK([extern int $2;
+int foo() { return $2; }],
+	    [foo()],
+	    ac_cv_var_$2=yes, ac_cv_var_$2=no)
+])
+define([foo], [HAVE_]translit($2, [a-z], [A-Z]))
+
+AC_MSG_RESULT(`eval echo \\$ac_cv_var_$2`)
+if test `eval echo \\$ac_cv_var_$2` = yes; then
+	AC_DEFINE_UNQUOTED(foo, 1, [define if you have $2])
+	AC_CHECK_DECLARATION([$1],[$2])
+fi
+undefine([foo])
+])
+
+dnl $Id: check-declaration.m4,v 1.3 1999/03/01 13:03:08 joda Exp $
+dnl
+dnl
+dnl Check if we need the declaration of a variable
+dnl
+
+dnl AC_HAVE_DECLARATION(includes, variable)
+AC_DEFUN(AC_CHECK_DECLARATION, [
+AC_MSG_CHECKING([if $2 is properly declared])
+AC_CACHE_VAL(ac_cv_var_$2_declaration, [
+AC_TRY_COMPILE([$1
+extern struct { int foo; } $2;],
+[$2.foo = 1;],
+eval "ac_cv_var_$2_declaration=no",
+eval "ac_cv_var_$2_declaration=yes")
+])
+
+define(foo, [HAVE_]translit($2, [a-z], [A-Z])[_DECLARATION])
+
+AC_MSG_RESULT($ac_cv_var_$2_declaration)
+if eval "test \"\$ac_cv_var_$2_declaration\" = yes"; then
+	AC_DEFINE(foo, 1, [define if your system declares $2])
+fi
+undefine([foo])
+])
+
+dnl $Id: have-struct-field.m4,v 1.6 1999/07/29 01:44:32 assar Exp $
+dnl
+dnl check for fields in a structure
+dnl
+dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
+
+AC_DEFUN(AC_HAVE_STRUCT_FIELD, [
+define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
+AC_CACHE_CHECK([for $2 in $1], cache_val,[
+AC_TRY_COMPILE([$3],[$1 x; x.$2;],
+cache_val=yes,
+cache_val=no)])
+if test "$cache_val" = yes; then
+	define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_]))
+	AC_DEFINE(foo, 1, [Define if $1 has field $2.])
+	undefine([foo])
+fi
+undefine([cache_val])
+])
+
+dnl $Id: have-type.m4,v 1.4 1999/07/24 19:23:01 assar Exp $
+dnl
+dnl check for existance of a type
+
+dnl AC_HAVE_TYPE(TYPE,INCLUDES)
+AC_DEFUN(AC_HAVE_TYPE, [
+cv=`echo "$1" | sed 'y%./+- %__p__%'`
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL([ac_cv_type_$cv],
+AC_TRY_COMPILE(
+[#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$2],
+[$1 foo;],
+eval "ac_cv_type_$cv=yes",
+eval "ac_cv_type_$cv=no"))dnl
+AC_MSG_RESULT(`eval echo \\$ac_cv_type_$cv`)
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+dnl autoheader tricks *sigh*
+define(foo,translit($1, [ ], [_]))
+: << END
+@@@funcs="$funcs foo"@@@
+END
+undefine([foo])
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+fi
+])
+
+dnl $Id: krb-struct-spwd.m4,v 1.3 1999/07/13 21:04:11 assar Exp $
+dnl
+dnl Test for `struct spwd'
+
+AC_DEFUN(AC_KRB_STRUCT_SPWD, [
+AC_MSG_CHECKING(for struct spwd)
+AC_CACHE_VAL(ac_cv_struct_spwd, [
+AC_TRY_COMPILE(
+[#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif],
+[struct spwd foo;],
+ac_cv_struct_spwd=yes,
+ac_cv_struct_spwd=no)
+])
+AC_MSG_RESULT($ac_cv_struct_spwd)
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_SPWD, 1, [define if you have struct spwd])
+fi
+])
+
+dnl $Id: krb-struct-winsize.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl
+dnl Search for struct winsize
+dnl
+
+AC_DEFUN(AC_KRB_STRUCT_WINSIZE, [
+AC_MSG_CHECKING(for struct winsize)
+AC_CACHE_VAL(ac_cv_struct_winsize, [
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+AC_EGREP_HEADER(
+changequote(, )dnl
+struct[ 	]*winsize,dnl
+changequote([,])dnl
+$i, ac_cv_struct_winsize=yes; break)dnl
+done
+])
+if test "$ac_cv_struct_winsize" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_WINSIZE, 1, [define if struct winsize is declared in sys/termios.h])
+fi
+AC_MSG_RESULT($ac_cv_struct_winsize)
+AC_EGREP_HEADER(ws_xpixel, termios.h, 
+	AC_DEFINE(HAVE_WS_XPIXEL, 1, [define if struct winsize has ws_xpixel]))
+AC_EGREP_HEADER(ws_ypixel, termios.h, 
+	AC_DEFINE(HAVE_WS_YPIXEL, 1, [define if struct winsize has ws_ypixel]))
+])
+
+dnl $Id: check-type-extra.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl ac_check_type + extra headers
+
+dnl AC_CHECK_TYPE_EXTRA(TYPE, DEFAULT, HEADERS)
+AC_DEFUN(AC_CHECK_TYPE_EXTRA,
+[AC_REQUIRE([AC_HEADER_STDC])dnl
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_type_$1,
+[AC_EGREP_CPP(dnl
+changequote(<<,>>)dnl
+<<$1[^a-zA-Z_0-9]>>dnl
+changequote([,]), [#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$3], ac_cv_type_$1=yes, ac_cv_type_$1=no)])dnl
+AC_MSG_RESULT($ac_cv_type_$1)
+if test $ac_cv_type_$1 = no; then
+  AC_DEFINE($1, $2, [Define this to what the type $1 should be.])
+fi
+])
+
+dnl $Id: krb-version.m4,v 1.1 1997/12/14 15:59:03 joda Exp $
+dnl
+dnl
+dnl output a C header-file with some version strings
+dnl
+AC_DEFUN(AC_KRB_VERSION,[
+dnl AC_OUTPUT_COMMANDS([
+cat > include/newversion.h.in <<FOOBAR
+char *${PACKAGE}_long_version = "@(#)\$Version: $PACKAGE-$VERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+char *${PACKAGE}_version = "$PACKAGE-$VERSION";
+FOOBAR
+
+if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+	echo "include/version.h is unchanged"
+	rm -f include/newversion.h.in
+else
+ 	echo "creating include/version.h"
+ 	User=${USER-${LOGNAME}}
+ 	Host=`(hostname || uname -n) 2>/dev/null | sed 1q`
+ 	Date=`date`
+	mv -f include/newversion.h.in include/version.h.in
+	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+fi
+dnl ],host=$host PACKAGE=$PACKAGE VERSION=$VERSION)
+])
+
diff --git a/crypto/kerberosIV/admin/Makefile.in b/crypto/kerberosIV/admin/Makefile.in
new file mode 100644
index 0000000..31de19d
--- /dev/null
+++ b/crypto/kerberosIV/admin/Makefile.in
@@ -0,0 +1,102 @@
+# $Id: Makefile.in,v 1.32 1999/03/10 19:01:10 joda Exp $
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+LIBS = @LIBS@
+LIB_DBM = @LIB_DBM@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+sbindir = @sbindir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+PROGS = ext_srvtab$(EXECSUFFIX) \
+	kdb_destroy$(EXECSUFFIX) \
+	kdb_edit$(EXECSUFFIX) \
+	kdb_init$(EXECSUFFIX) \
+	kdb_util$(EXECSUFFIX) \
+	kstash$(EXECSUFFIX)
+
+SOURCES = ext_srvtab.c kdb_destroy.c kdb_edit.c \
+          kdb_init.c kdb_util.c kstash.c
+
+OBJECTS = ext_srvtab.o kdb_destroy.o kdb_edit.o \
+          kdb_init.o kdb_util.o kstash.o
+
+all: $(PROGS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(sbindir)
+	for x in $(PROGS); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(sbindir)/`echo $$x|sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROGS); do \
+	  rm -f $(DESTDIR)$(sbindir)/`echo $$x|sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f *.a *.o $(PROGS)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+KLIB=-L../lib/kdb -lkdb -L../lib/krb -lkrb -L../lib/des -ldes
+LIBROKEN= -L../lib/roken -lroken
+
+ext_srvtab$(EXECSUFFIX): ext_srvtab.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ ext_srvtab.o $(KLIB) $(LIBROKEN) $(LIB_DBM) $(LIBS) $(LIBROKEN)
+
+kdb_destroy$(EXECSUFFIX): kdb_destroy.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kdb_destroy.o $(KLIB) $(LIBROKEN) $(LIB_DBM) $(LIBS) $(LIBROKEN)
+
+kdb_edit$(EXECSUFFIX): kdb_edit.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kdb_edit.o $(KLIB) $(LIBROKEN) $(LIB_DBM) $(LIBS) $(LIBROKEN)
+
+kdb_init$(EXECSUFFIX): kdb_init.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kdb_init.o $(KLIB) $(LIBROKEN) $(LIB_DBM) $(LIBS) $(LIBROKEN)
+
+kdb_util$(EXECSUFFIX): kdb_util.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kdb_util.o $(KLIB) $(LIBROKEN) $(LIB_DBM) $(LIBS) $(LIBROKEN)
+
+kstash$(EXECSUFFIX): kstash.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kstash.o $(KLIB) $(LIBROKEN) $(LIB_DBM) $(LIBS) $(LIBROKEN)
+
+$(OBJECTS): ../include/config.h
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/admin/adm_locl.h b/crypto/kerberosIV/admin/adm_locl.h
new file mode 100644
index 0000000..8004d0a
--- /dev/null
+++ b/crypto/kerberosIV/admin/adm_locl.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: adm_locl.h,v 1.17 1999/12/02 16:58:27 joda Exp $ */
+/* $FreeBSD$ */
+
+#ifndef __adm_locl_h
+#define __adm_locl_h
+
+#include "config.h"
+#include "protos.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <assert.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif /* !TIME_WITH_SYS_TIME */
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <signal.h>
+#include <errno.h>
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+#include <err.h>
+
+#include <roken.h>
+
+#include <openssl/des.h>
+#include <krb.h>
+#include <krb_db.h>
+#include <kdc.h>
+#include <kadm.h>
+
+#endif /*  __adm_locl_h */
diff --git a/crypto/kerberosIV/admin/ext_srvtab.c b/crypto/kerberosIV/admin/ext_srvtab.c
new file mode 100644
index 0000000..5cab583
--- /dev/null
+++ b/crypto/kerberosIV/admin/ext_srvtab.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology. 
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>. 
+ *
+ * Description 
+ */
+
+#include "adm_locl.h"
+
+RCSID("$Id: ext_srvtab.c,v 1.18 1999/09/16 20:37:20 assar Exp $");
+
+static des_cblock master_key;
+static des_cblock session_key;
+static des_key_schedule master_key_schedule;
+static char realm[REALM_SZ];
+
+static void
+StampOutSecrets(void)
+{
+    memset(master_key, 0, sizeof master_key);
+    memset(session_key, 0, sizeof session_key);
+    memset(master_key_schedule, 0, sizeof master_key_schedule);
+}
+
+static void
+usage(void)
+{
+    fprintf(stderr, 
+	    "Usage: %s [-n] [-r realm] instance [instance ...]\n",
+	    __progname);
+    StampOutSecrets();
+    exit(1);
+}
+
+static void
+FWrite(void *p, int size, int n, FILE *f)
+{
+    if (fwrite(p, size, n, f) != n) {
+        StampOutSecrets();
+	errx(1, "Error writing output file.  Terminating.\n");
+    }
+}
+
+int
+main(int argc, char **argv)
+{
+    FILE *fout;
+    char fname[1024];
+    int fopen_errs = 0;
+    int arg;
+    Principal princs[40];
+    int more; 
+    int prompt = KDB_GET_PROMPT;
+    int n, i;
+    
+    set_progname (argv[0]);
+    memset(realm, 0, sizeof(realm));
+    
+#ifdef HAVE_ATEXIT
+    atexit(StampOutSecrets);
+#endif
+
+    /* Parse commandline arguments */
+    if (argc < 2)
+	usage();
+    else {
+	for (i = 1; i < argc; i++) {
+	    if (strcmp(argv[i], "-n") == 0)
+		prompt = FALSE;
+	    else if (strcmp(argv[i], "-r") == 0) {
+		if (++i >= argc)
+		    usage();
+		else {
+		    strlcpy(realm, argv[i], REALM_SZ);
+		    /* 
+		     * This is to humor the broken way commandline
+		     * argument parsing is done.  Later, this
+		     * program ignores everything that starts with -.
+		     */
+		    argv[i][0] = '-';
+		}
+	    }
+	    else if (argv[i][0] == '-')
+		usage();
+	    else
+		if (!k_isinst(argv[i])) {
+		  warnx("bad instance name: %s", argv[i]);
+		  usage();
+	    }
+	}
+    }
+
+    if (kdb_get_master_key (prompt, &master_key, master_key_schedule) != 0)
+      errx (1, "Couldn't read master key.");
+
+    if (kdb_verify_master_key (&master_key, master_key_schedule, stderr) < 0) {
+      exit(1);
+    }
+
+    /* For each arg, search for instances of arg, and produce */
+    /* srvtab file */
+    if (!realm[0])
+      if (krb_get_lrealm(realm, 1) != KSUCCESS) {
+	  StampOutSecrets();
+	  errx (1, "couldn't get local realm");
+      }
+    umask(077);
+
+    for (arg = 1; arg < argc; arg++) {
+	if (argv[arg][0] == '-')
+	    continue;
+	snprintf(fname, sizeof(fname), "%s-new-srvtab", argv[arg]);
+	if ((fout = fopen(fname, "w")) == NULL) {
+	    warn("Couldn't create file '%s'.", fname);
+	    fopen_errs++;
+	    continue;
+	}
+	printf("Generating '%s'....\n", fname);
+	n = kerb_get_principal("*", argv[arg], &princs[0], 40, &more);
+	if (more)
+	    fprintf(stderr, "More than 40 found...\n");
+	for (i = 0; i < n; i++) {
+	    FWrite(princs[i].name, strlen(princs[i].name) + 1, 1, fout);
+	    FWrite(princs[i].instance, strlen(princs[i].instance) + 1,
+		   1, fout);
+	    FWrite(realm, strlen(realm) + 1, 1, fout);
+	    FWrite(&princs[i].key_version,
+		sizeof(princs[i].key_version), 1, fout);
+	    copy_to_key(&princs[i].key_low, &princs[i].key_high, session_key);
+	    kdb_encrypt_key (&session_key, &session_key, 
+			     &master_key, master_key_schedule, DES_DECRYPT);
+	    FWrite(session_key, sizeof session_key, 1, fout);
+	}
+	fclose(fout);
+    }
+    StampOutSecrets();
+    return fopen_errs;		/* 0 errors if successful */
+}
diff --git a/crypto/kerberosIV/admin/kdb_destroy.c b/crypto/kerberosIV/admin/kdb_destroy.c
new file mode 100644
index 0000000..ec4a5d00
--- /dev/null
+++ b/crypto/kerberosIV/admin/kdb_destroy.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Description.
+ */
+
+#include "adm_locl.h"
+
+RCSID("$Id: kdb_destroy.c,v 1.9 1998/06/09 19:24:13 joda Exp $");
+
+int
+main(int argc, char **argv)
+{
+    char    answer[10];		/* user input */
+#ifdef HAVE_NEW_DB
+    char   *file;               /* database file names */
+#else
+    char   *file1, *file2;	/* database file names */
+#endif
+
+    set_progname (argv[0]);
+
+#ifdef HAVE_NEW_DB
+    asprintf(&file, "%s.db", DBM_FILE);
+    if (file == NULL)
+	err (1, "malloc");
+#else
+    asprintf(&file1, "%s.dir", DBM_FILE);
+    asprintf(&file2, "%s.pag", DBM_FILE);
+    if (file1 == NULL || file2 == NULL)
+	err (1, "malloc");
+#endif
+
+    printf("You are about to destroy the Kerberos database ");
+    printf("on this machine.\n");
+    printf("Are you sure you want to do this (y/n)? ");
+    if (fgets(answer, sizeof(answer), stdin) != NULL
+	&& (answer[0] == 'y' || answer[0] == 'Y')) {
+#ifdef HAVE_NEW_DB
+      if (unlink(file) == 0)
+#else
+	if (unlink(file1) == 0 && unlink(file2) == 0)
+#endif
+	  {
+	    warnx ("Database deleted at %s", DBM_FILE);
+	    return 0;
+	  }
+	else
+	    warn ("Database cannot be deleted at %s", DBM_FILE);
+    } else
+        warnx ("Database not deleted at %s", DBM_FILE);
+    return 1;
+}
diff --git a/crypto/kerberosIV/admin/kdb_edit.c b/crypto/kerberosIV/admin/kdb_edit.c
new file mode 100644
index 0000000..1ba6aaf
--- /dev/null
+++ b/crypto/kerberosIV/admin/kdb_edit.c
@@ -0,0 +1,403 @@
+/*
+ * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * This routine changes the Kerberos encryption keys for principals,
+ * i.e., users or services. 
+ */
+
+/*
+ * exit returns 	 0 ==> success -1 ==> error 
+ */
+
+#include "adm_locl.h"
+
+RCSID("$Id: kdb_edit.c,v 1.28 1999/09/16 20:37:21 assar Exp $");
+
+#ifdef DEBUG
+extern  kerb_debug;
+#endif
+
+static int     nflag = 0;
+static int     debug;
+
+static des_cblock new_key;
+
+static int     i, j;
+static int     more;
+
+static char    input_name[ANAME_SZ];
+static char    input_instance[INST_SZ];
+
+#define	MAX_PRINCIPAL	10
+static Principal principal_data[MAX_PRINCIPAL];
+
+static Principal old_principal;
+static Principal default_princ;
+
+static des_cblock master_key;
+static des_cblock session_key;
+static des_key_schedule master_key_schedule;
+static char pw_str[255];
+static long master_key_version;
+
+static void
+Usage(void)
+{
+    fprintf(stderr, "Usage: %s [-n]\n", __progname);
+    exit(1);
+}
+
+static char *
+n_gets(char *buf, int size)
+{
+    char *p;
+    char *ret;
+    ret = fgets(buf, size, stdin);
+  
+    if (ret && (p = strchr(buf, '\n')))
+	*p = 0;
+    return ret;
+}
+
+
+static int
+change_principal(void)
+{
+    static char temp[255];
+    int     creating = 0;
+    int     editpw = 0;
+    int     changed = 0;
+    long    temp_long;		/* Don't change to int32_t, used by scanf */
+    struct tm 	edate;
+
+    fprintf(stdout, "\nPrincipal name: ");
+    fflush(stdout);
+    if (!n_gets(input_name, sizeof(input_name)) || *input_name == '\0')
+	return 0;
+    fprintf(stdout, "Instance: ");
+    fflush(stdout);
+    /* instance can be null */
+    n_gets(input_instance, sizeof(input_instance));
+    j = kerb_get_principal(input_name, input_instance, principal_data,
+			   MAX_PRINCIPAL, &more);
+    if (!j) {
+	fprintf(stdout, "\n\07\07<Not found>, Create [y] ? ");
+	fflush(stdout);
+	n_gets(temp, sizeof(temp));		/* Default case should work, it didn't */
+	if (temp[0] != 'y' && temp[0] != 'Y' && temp[0] != '\0')
+	    return -1;
+	/* make a new principal, fill in defaults */
+	j = 1;
+	creating = 1;
+	strlcpy(principal_data[0].name,
+			input_name,
+			ANAME_SZ);
+	strlcpy(principal_data[0].instance,
+			input_instance,
+			INST_SZ);
+	principal_data[0].old = NULL;
+	principal_data[0].exp_date = default_princ.exp_date;
+	if (strcmp(input_instance, "admin") == 0)
+	  principal_data[0].max_life = 1 + (CLOCK_SKEW/(5*60)); /*5+5 minutes*/
+	else if (strcmp(input_instance, "root") == 0)
+	  principal_data[0].max_life = 96; /* 8 hours */
+	else
+	  principal_data[0].max_life = default_princ.max_life;
+	principal_data[0].attributes = default_princ.attributes;
+	principal_data[0].kdc_key_ver = (unsigned char) master_key_version;
+	principal_data[0].key_version = 0; /* bumped up later */
+    }
+    *principal_data[0].exp_date_txt = '\0';
+    for (i = 0; i < j; i++) {
+	for (;;) {
+	    fprintf(stdout,
+		    "\nPrincipal: %s, Instance: %s, kdc_key_ver: %d",
+		    principal_data[i].name, principal_data[i].instance,
+		    principal_data[i].kdc_key_ver);
+	    fflush(stdout);
+	    editpw = 1;
+	    changed = 0;
+	    if (!creating) {
+		/*
+		 * copy the existing data so we can use the old values
+		 * for the qualifier clause of the replace 
+		 */
+		principal_data[i].old = (char *) &old_principal;
+		memcpy(&old_principal, &principal_data[i],
+		       sizeof(old_principal));
+		printf("\nChange password [n] ? ");
+		n_gets(temp, sizeof(temp));
+		if (strcmp("y", temp) && strcmp("Y", temp))
+		    editpw = 0;
+	    }
+	    /* password */
+	    if (editpw) {
+#ifdef NOENCRYPTION
+		placebo_read_pw_string(pw_str, sizeof pw_str,
+		    "\nNew Password: ", TRUE);
+#else
+                if(des_read_pw_string(pw_str, sizeof pw_str,
+			"\nNew Password: ", TRUE))
+		    continue;
+#endif
+		if (   strcmp(pw_str, "RANDOM") == 0
+		    || strcmp(pw_str, "") == 0) {
+		    printf("\nRandom password [y] ? ");
+		    n_gets(temp, sizeof(temp));
+		    if (!strcmp("n", temp) || !strcmp("N", temp)) {
+			/* no, use literal */
+#ifdef NOENCRYPTION
+			memset(new_key, 0, sizeof(des_cblock));
+			new_key[0] = 127;
+#else
+			des_string_to_key(pw_str, &new_key);
+#endif
+			memset(pw_str, 0, sizeof pw_str);	/* "RANDOM" */
+		    } else {
+#ifdef NOENCRYPTION
+			memset(new_key, 0, sizeof(des_cblock));
+			new_key[0] = 127;
+#else
+			des_new_random_key(&new_key);
+#endif
+			memset(pw_str, 0, sizeof pw_str);
+		    }
+		} else if (!strcmp(pw_str, "NULL")) {
+		    printf("\nNull Key [y] ? ");
+		    n_gets(temp, sizeof(temp));
+		    if (!strcmp("n", temp) || !strcmp("N", temp)) {
+			/* no, use literal */
+#ifdef NOENCRYPTION
+			memset(new_key, 0, sizeof(des_cblock));
+			new_key[0] = 127;
+#else
+			des_string_to_key(pw_str, &new_key);
+#endif
+			memset(pw_str, 0, sizeof pw_str);	/* "NULL" */
+		    } else {
+
+			principal_data[i].key_low = 0;
+			principal_data[i].key_high = 0;
+			goto null_key;
+		    }
+		} else {
+#ifdef NOENCRYPTION
+		    memset(new_key, 0, sizeof(des_cblock));
+		    new_key[0] = 127;
+#else
+		    des_string_to_key(pw_str, &new_key);
+#endif
+		    memset(pw_str, 0, sizeof pw_str);
+		}
+
+		/* seal it under the kerberos master key */
+		kdb_encrypt_key (&new_key, &new_key, 
+				 &master_key, master_key_schedule,
+				 DES_ENCRYPT);
+		copy_from_key(new_key,
+			      &principal_data[i].key_low,
+			      &principal_data[i].key_high);
+		memset(new_key, 0, sizeof(new_key));
+	null_key:
+		/* set master key version */
+		principal_data[i].kdc_key_ver =
+		    (unsigned char) master_key_version;
+		/* bump key version # */
+		principal_data[i].key_version++;
+		fprintf(stdout,
+			"\nPrincipal's new key version = %d\n",
+			principal_data[i].key_version);
+		fflush(stdout);
+		changed = 1;
+	    }
+	    /* expiration date */
+	    {
+		char d[DATE_SZ];
+		struct tm *tm;
+		tm = k_localtime(&principal_data[i].exp_date);
+		strftime(d, sizeof(d), "%Y-%m-%d", tm);
+		while(1) {
+		    printf("Expiration date (yyyy-mm-dd) [ %s ] ? ", d);
+		    fflush(stdout);
+		    if(n_gets(temp, sizeof(temp)) == NULL) {
+			printf("Invalid date.\n");
+			continue;
+		    }
+		    if (*temp) {
+			memset(&edate, 0, sizeof(edate));
+			if (sscanf(temp, "%d-%d-%d", &edate.tm_year,
+				   &edate.tm_mon, &edate.tm_mday) != 3) {
+			    printf("Invalid date.\n");
+			    continue;
+			}
+			edate.tm_mon--;     /* January is 0, not 1 */
+			edate.tm_hour = 23; /* at the end of the */
+			edate.tm_min = 59;  /* specified day */
+			if (krb_check_tm (edate)) {
+			    printf("Invalid date.\n");
+			    continue;
+			}
+			edate.tm_year -= 1900;
+			principal_data[i].exp_date = tm2time (edate, 1);
+			changed = 1;
+		    }
+		    break;
+		}
+	    }
+
+	    /* maximum lifetime */
+	    fprintf(stdout, "Max ticket lifetime (*5 minutes) [ %d ] ? ",
+		    principal_data[i].max_life);
+	    fflush(stdout);
+	    while (n_gets(temp, sizeof(temp)) && *temp) {
+		if (sscanf(temp, "%ld", &temp_long) != 1)
+		    goto bad_life;
+		if (temp_long > 255 || (temp_long < 0)) {
+		bad_life:
+		    fprintf(stdout, "\07\07Invalid, choose 0-255\n");
+		    fprintf(stdout,
+			    "Max ticket lifetime (*5 minutes) [ %d ] ? ",
+			    principal_data[i].max_life);
+		    fflush(stdout);
+		    continue;
+		}
+		changed = 1;
+		/* dont clobber */
+		principal_data[i].max_life = (unsigned short) temp_long;
+		break;
+	    }
+
+	    /* attributes */
+	    fprintf(stdout, "Attributes [ %d ] ? ",
+		    principal_data[i].attributes);
+	    fflush(stdout);
+	    while (n_gets(temp, sizeof(temp)) && *temp) {
+		if (sscanf(temp, "%ld", &temp_long) != 1)
+		    goto bad_att;
+		if (temp_long > 65535 || (temp_long < 0)) {
+		bad_att:
+		    fprintf(stdout, "Invalid, choose 0-65535\n");
+		    fprintf(stdout, "Attributes [ %d ] ? ",
+			    principal_data[i].attributes);
+		    fflush(stdout);
+		    continue;
+		}
+		changed = 1;
+		/* dont clobber */
+		principal_data[i].attributes =
+		    (unsigned short) temp_long;
+		break;
+	    }
+
+	    /*
+	     * remaining fields -- key versions and mod info, should
+	     * not be directly manipulated 
+	     */
+	    if (changed) {
+		if (kerb_put_principal(&principal_data[i], 1)) {
+		    fprintf(stdout,
+			"\nError updating Kerberos database");
+		} else {
+		    fprintf(stdout, "Edit O.K.");
+		}
+	    } else {
+		fprintf(stdout, "Unchanged");
+	    }
+
+
+	    memset(&principal_data[i].key_low, 0, 4);
+	    memset(&principal_data[i].key_high, 0, 4);
+	    fflush(stdout);
+	    break;
+	}
+    }
+    if (more) {
+	fprintf(stdout, "\nThere were more tuples found ");
+	fprintf(stdout, "than there were space for");
+      }
+    return 1;
+}
+
+static void
+cleanup(void)
+{
+
+    memset(master_key, 0, sizeof(master_key));
+    memset(session_key, 0, sizeof(session_key));
+    memset(master_key_schedule, 0, sizeof(master_key_schedule));
+    memset(principal_data, 0, sizeof(principal_data));
+    memset(new_key, 0, sizeof(new_key));
+    memset(pw_str, 0, sizeof(pw_str));
+}
+
+int
+main(int argc, char **argv)
+{
+    /* Local Declarations */
+
+    long    n;
+
+    set_progname (argv[0]);
+
+    while (--argc > 0 && (*++argv)[0] == '-')
+	for (i = 1; argv[0][i] != '\0'; i++) {
+	    switch (argv[0][i]) {
+
+		/* debug flag */
+	    case 'd':
+		debug = 1;
+		continue;
+
+		/* debug flag */
+#ifdef DEBUG
+	    case 'l':
+		kerb_debug |= 1;
+		continue;
+#endif
+	    case 'n':		/* read MKEYFILE for master key */
+		nflag = 1;
+		continue;
+
+	    default:
+		warnx ("illegal flag \"%c\"", argv[0][i]);
+		Usage();	/* Give message and die */
+	    }
+	}
+
+    fprintf(stdout, "Opening database...\n");
+    fflush(stdout);
+    kerb_init();
+    if (argc > 0)
+	if (kerb_db_set_name(*argv) != 0)
+	    errx (1, "Could not open altername database name");
+
+    if (kdb_get_master_key ((nflag == 0) ? KDB_GET_PROMPT : 0, 
+			    &master_key, master_key_schedule) != 0)
+	errx (1, "Couldn't read master key.");
+
+    if ((master_key_version = kdb_verify_master_key(&master_key,
+						    master_key_schedule,
+						    stdout)) < 0)
+      return 1;
+
+    /* Initialize non shared random sequence */
+    des_init_random_number_generator(&master_key);
+
+    /* lookup the default values */
+    n = kerb_get_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST,
+			   &default_princ, 1, &more);
+    if (n != 1)
+	errx (1, "Kerberos error on default value lookup, %ld found.", n);
+    fprintf(stdout, "Previous or default values are in [brackets] ,\n");
+    fprintf(stdout, "enter return to leave the same, or new value.\n");
+
+    while (change_principal()) {
+    }
+
+    cleanup();
+    return 0;
+}
diff --git a/crypto/kerberosIV/admin/kdb_init.c b/crypto/kerberosIV/admin/kdb_init.c
new file mode 100644
index 0000000..0116ea2
--- /dev/null
+++ b/crypto/kerberosIV/admin/kdb_init.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology. 
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>. 
+ *
+ * program to initialize the database,  reports error if database file
+ * already exists. 
+ */
+
+#include "adm_locl.h"
+
+RCSID("$Id: kdb_init.c,v 1.25 1999/09/16 20:37:21 assar Exp $");
+
+enum ap_op {
+    NULL_KEY,			/* setup null keys */
+    MASTER_KEY,                 /* use master key as new key */
+    RANDOM_KEY			/* choose a random key */
+};
+
+static des_cblock master_key;
+static des_key_schedule master_key_schedule;
+
+/* use a return code to indicate success or failure.  check the return */
+/* values of the routines called by this routine. */
+
+static int
+add_principal(char *name, char *instance, enum ap_op aap_op, int maxlife)
+{
+    Principal principal;
+    des_cblock new_key;
+
+    memset(&principal, 0, sizeof(principal));
+    strlcpy(principal.name, name, ANAME_SZ);
+    strlcpy(principal.instance, instance, INST_SZ);
+    switch (aap_op) {
+    case NULL_KEY:
+	principal.key_low = 0;
+	principal.key_high = 0;
+	break;
+    case RANDOM_KEY:
+#ifdef NOENCRYPTION
+        memset(new_key, 0, sizeof(des_cblock));
+	new_key[0] = 127;
+#else
+	des_new_random_key(&new_key);
+#endif
+	kdb_encrypt_key (&new_key, &new_key, &master_key, master_key_schedule,
+			 DES_ENCRYPT);
+	copy_from_key(new_key, &principal.key_low, &principal.key_high);
+	memset(new_key, 0, sizeof(new_key));
+	break;
+    case MASTER_KEY:
+	memcpy(new_key, master_key, sizeof (des_cblock));
+	kdb_encrypt_key (&new_key, &new_key, &master_key, master_key_schedule,
+			 DES_ENCRYPT);
+	copy_from_key(new_key, &principal.key_low, &principal.key_high);
+	break;
+    }
+    principal.mod_date = time(0);
+    *principal.mod_date_txt = '\0';
+    principal.exp_date = principal.mod_date + 5 * 365 * 24 * 60 * 60;
+    *principal.exp_date_txt = '\0';
+
+    principal.attributes = 0;
+    principal.max_life = maxlife;
+
+    principal.kdc_key_ver = 1;
+    principal.key_version = 1;
+
+    strlcpy(principal.mod_name, "db_creation", ANAME_SZ);
+    strlcpy(principal.mod_instance, "", INST_SZ);
+    principal.old = 0;
+
+    if (kerb_db_put_principal(&principal, 1) != 1)
+        return -1;		/* FAIL */
+    
+    /* let's play it safe */
+    memset(new_key, 0, sizeof (des_cblock));
+    memset(&principal.key_low, 0, 4);
+    memset(&principal.key_high, 0, 4);
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    char    realm[REALM_SZ];
+    char   *cp;
+    int code;
+    char *database;
+    
+    set_progname (argv[0]);
+
+    if (argc > 3) {
+	fprintf(stderr, "Usage: %s [realm-name] [database-name]\n", argv[0]);
+	return 1;
+    }
+    if (argc == 3) {
+	database = argv[2];
+	--argc;
+    } else
+	database = DBM_FILE;
+
+    /* Do this first, it'll fail if the database exists */
+    if ((code = kerb_db_create(database)) != 0)
+	err (1, "Couldn't create database %s", database);
+    kerb_db_set_name(database);
+
+    if (argc == 2)
+	strlcpy(realm, argv[1], REALM_SZ);
+    else {
+        if (krb_get_lrealm(realm, 1) != KSUCCESS)
+	    strlcpy(realm, KRB_REALM, REALM_SZ);
+	fprintf(stderr, "Realm name [default  %s ]: ", realm);
+	if (fgets(realm, sizeof(realm), stdin) == NULL)
+	    errx (1, "\nEOF reading realm");
+	if ((cp = strchr(realm, '\n')))
+	    *cp = '\0';
+	if (!*realm)			/* no realm given */
+		if (krb_get_lrealm(realm, 1) != KSUCCESS)
+		    strlcpy(realm, KRB_REALM, REALM_SZ);
+    }
+    if (!k_isrealm(realm))
+	errx (1, "Bad kerberos realm name \"%s\"", realm);
+#ifndef RANDOM_MKEY
+    printf("You will be prompted for the database Master Password.\n");
+    printf("It is important that you NOT FORGET this password.\n");
+#else
+    printf("To generate a master key, please enter some random data.\n");
+    printf("You do not have to remember this.\n");
+#endif
+    fflush(stdout);
+
+    if (kdb_get_master_key (KDB_GET_TWICE, &master_key,
+			    master_key_schedule) != 0)
+	errx (1, "Couldn't read master key.");
+
+#ifdef RANDOM_MKEY
+    if(kdb_kstash(&master_key, MKEYFILE) < 0)
+	err (1, "Error writing master key");
+    fprintf(stderr, "Wrote master key to %s\n", MKEYFILE);
+#endif
+
+    /* Initialize non shared random sequence */
+    des_init_random_number_generator(&master_key);
+
+    /* Maximum lifetime for changepw.kerberos (kadmin) tickets, 10 minutes */
+#define ADMLIFE (1 + (CLOCK_SKEW/(5*60)))
+
+    /* Maximum lifetime for ticket granting tickets, 4 days or 21.25h */
+#define TGTLIFE ((krb_life_to_time(0, 162) >= 24*60*60) ? 161 : 255)
+
+    /* This means that default lifetimes have not been initialized */
+#define DEFLIFE 255
+
+#define NOLIFE 0
+
+    if (
+	add_principal(KERB_M_NAME, KERB_M_INST, MASTER_KEY, NOLIFE) ||
+	add_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST, NULL_KEY,DEFLIFE)||
+	add_principal(KRB_TICKET_GRANTING_TICKET, realm, RANDOM_KEY, TGTLIFE)||
+	add_principal(PWSERV_NAME, KRB_MASTER, RANDOM_KEY, ADMLIFE) 
+	) {
+      putc ('\n', stderr);
+      errx (1, "couldn't initialize database.");
+    }
+
+    /* play it safe */
+    memset(master_key, 0, sizeof (des_cblock));
+    memset(master_key_schedule, 0, sizeof (des_key_schedule));
+    return 0;
+}
diff --git a/crypto/kerberosIV/admin/kdb_util.c b/crypto/kerberosIV/admin/kdb_util.c
new file mode 100644
index 0000000..1e3d190
--- /dev/null
+++ b/crypto/kerberosIV/admin/kdb_util.c
@@ -0,0 +1,522 @@
+/*
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
+ * 
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Kerberos database manipulation utility. This program allows you to
+ * dump a kerberos database to an ascii readable file and load this
+ * file into the database. Read locking of the database is done during a
+ * dump operation. NO LOCKING is done during a load operation. Loads
+ * should happen with other processes shutdown. 
+ *
+ * Written July 9, 1987 by Jeffrey I. Schiller
+ */
+
+#include "adm_locl.h"
+
+RCSID("$Id: kdb_util.c,v 1.42.2.1 2000/10/10 12:59:16 assar Exp $");
+
+static des_cblock master_key, new_master_key;
+static des_key_schedule master_key_schedule, new_master_key_schedule;
+
+/* cv_key is a procedure which takes a principle and changes its key, 
+   either for a new method of encrypting the keys, or a new master key.
+   if cv_key is null no transformation of key is done (other than net byte
+   order). */
+
+struct callback_args {
+    void (*cv_key)(Principal *);
+    FILE *output_file;
+};
+
+static void
+print_time(FILE *file, time_t timeval)
+{
+    struct tm *tm;
+    tm = gmtime(&timeval);
+    fprintf(file, " %04d%02d%02d%02d%02d",
+	    tm->tm_year + 1900,
+            tm->tm_mon + 1,
+            tm->tm_mday,
+            tm->tm_hour,
+            tm->tm_min);
+}
+
+static long
+time_explode(char *cp)
+{
+    char wbuf[5];
+    struct tm tp;
+    int local;
+
+    memset(&tp, 0, sizeof(tp));	/* clear out the struct */
+    
+    if (strlen(cp) > 10) {		/* new format */
+	strlcpy(wbuf, cp, sizeof(wbuf));
+	tp.tm_year = atoi(wbuf) - 1900;
+	cp += 4;			/* step over the year */
+	local = 0;			/* GMT */
+    } else {				/* old format: local time, 
+					   year is 2 digits, assuming 19xx */
+	wbuf[0] = *cp++;
+	wbuf[1] = *cp++;
+	wbuf[2] = 0;
+	tp.tm_year = atoi(wbuf);
+	local = 1;			/* local */
+    }
+
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    wbuf[2] = 0;
+    tp.tm_mon = atoi(wbuf)-1;
+
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    tp.tm_mday = atoi(wbuf);
+    
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    tp.tm_hour = atoi(wbuf);
+    
+    wbuf[0] = *cp++;
+    wbuf[1] = *cp++;
+    tp.tm_min = atoi(wbuf);
+
+    return(tm2time(tp, local));
+}
+
+static int
+dump_db_1(void *arg,
+	  Principal *principal)	/* replace null strings with "*" */
+{
+    struct callback_args *a = (struct callback_args *)arg;
+    
+    if (principal->instance[0] == '\0') {
+	principal->instance[0] = '*';
+	principal->instance[1] = '\0';
+    }
+    if (principal->mod_name[0] == '\0') {
+	principal->mod_name[0] = '*';
+	principal->mod_name[1] = '\0';
+    }
+    if (principal->mod_instance[0] == '\0') {
+	principal->mod_instance[0] = '*';
+	principal->mod_instance[1] = '\0';
+    }
+    if (a->cv_key != NULL) {
+	(*a->cv_key) (principal);
+    }
+    fprintf(a->output_file, "%s %s %d %d %d %d %x %x",
+	    principal->name,
+	    principal->instance,
+	    principal->max_life,
+	    principal->kdc_key_ver,
+	    principal->key_version,
+	    principal->attributes,
+	    (int)htonl (principal->key_low),
+	    (int)htonl (principal->key_high));
+    print_time(a->output_file, principal->exp_date);
+    print_time(a->output_file, principal->mod_date);
+    fprintf(a->output_file, " %s %s\n",
+	    principal->mod_name,
+	    principal->mod_instance);
+    return 0;
+}
+
+static int
+dump_db (char *db_file, FILE *output_file, void (*cv_key) (Principal *))
+{
+    struct callback_args a;
+
+    a.cv_key = cv_key;
+    a.output_file = output_file;
+    
+    kerb_db_iterate (dump_db_1, &a);
+    return fflush(output_file);
+}
+
+static int
+add_file(void *db, FILE *file)
+{
+    int ret;
+    int lineno = 0;
+    char line[1024];
+    unsigned long key[2]; /* yes, long */
+    Principal pr;
+    
+    char exp_date[64], mod_date[64];
+    
+    int life, kkvno, kvno;
+    
+    while(1){
+	memset(&pr, 0, sizeof(pr));
+	errno = 0;
+	if(fgets(line, sizeof(line), file) == NULL){
+	    if(errno != 0)
+	      err (1, "fgets");
+	    break;
+	}
+	lineno++;
+	ret = sscanf(line, "%s %s %d %d %d %hd %lx %lx %s %s %s %s",
+		     pr.name, pr.instance,
+		     &life, &kkvno, &kvno,
+		     &pr.attributes,
+		     &key[0], &key[1],
+		     exp_date, mod_date,
+		     pr.mod_name, pr.mod_instance);
+	if(ret != 12){
+	    warnx("Line %d malformed (ignored)", lineno);
+	    continue;
+	}
+	pr.key_low = ntohl (key[0]);
+	pr.key_high = ntohl (key[1]);
+	pr.max_life = life;
+	pr.kdc_key_ver = kkvno;
+	pr.key_version = kvno;
+	pr.exp_date = time_explode(exp_date);
+	pr.mod_date = time_explode(mod_date);
+	if (pr.instance[0] == '*')
+	    pr.instance[0] = 0;
+	if (pr.mod_name[0] == '*')
+	    pr.mod_name[0] = 0;
+	if (pr.mod_instance[0] == '*')
+	    pr.mod_instance[0] = 0;
+	if (kerb_db_update(db, &pr, 1) != 1) {
+	    warn ("store %s.%s aborted",
+		  pr.name, pr.instance);
+	    return 1;
+	}
+    }
+    return 0;
+}
+
+static void
+load_db (char *db_file, FILE *input_file)
+{
+    long *db;
+    int code;
+    char *temp_db_file;
+
+    asprintf (&temp_db_file, "%s~", db_file);
+    if(temp_db_file == NULL)
+	errx (1, "out of memory");
+
+    /* Create the database */
+    if ((code = kerb_db_create(temp_db_file)) != 0)
+	err (1, "creating temp database %s", temp_db_file);
+    kerb_db_set_name(temp_db_file);
+    db = kerb_db_begin_update();
+    if (db == NULL)
+	err (1, "opening temp database %s", temp_db_file);
+    
+    if(add_file(db, input_file))
+	errx (1, "Load aborted");
+
+    kerb_db_end_update(db);
+    if ((code = kerb_db_rename(temp_db_file, db_file)) != 0)
+        warn("database rename failed");
+    fclose(input_file);
+    free(temp_db_file);
+}
+
+static void
+merge_db(char *db_file, FILE *input_file)
+{
+    void *db;
+    
+    db = kerb_db_begin_update();
+    if(db == NULL)
+        err (1, "Couldn't open database");
+    if(add_file(db, input_file))
+        errx (1, "Merge aborted");
+    kerb_db_end_update(db);
+}
+
+static void
+update_ok_file (char *file_name)
+{
+    /* handle slave locking/failure stuff */
+    char *file_ok;
+    int fd;
+
+    asprintf (&file_ok, "%s.dump_ok", file_name);
+    if (file_ok == NULL)
+      errx (1, "out of memory");
+    if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0)
+        err (1, "Error creating %s", file_ok);
+    free(file_ok);
+    close(fd);
+    /*
+     * Some versions of BSD don't update the mtime in the above open so
+     * we call utimes just in case.
+     */
+    if (utime(file_name, NULL) < 0)
+	err (1, "utime %s", file_name);
+}
+
+static void
+convert_key_new_master (Principal *p)
+{
+  des_cblock key;
+
+  /* leave null keys alone */
+  if ((p->key_low == 0) && (p->key_high == 0)) return;
+
+  /* move current key to des_cblock for encryption, special case master key
+     since that's changing */
+  if ((strncmp (p->name, KERB_M_NAME, ANAME_SZ) == 0) &&
+      (strncmp (p->instance, KERB_M_INST, INST_SZ) == 0)) {
+    memcpy (key, new_master_key, sizeof(des_cblock));
+    (p->key_version)++;
+  } else {
+    copy_to_key(&p->key_low, &p->key_high, key);
+    kdb_encrypt_key (&key, &key, &master_key,
+		     master_key_schedule, DES_DECRYPT);
+  }
+
+  kdb_encrypt_key (&key, &key, &new_master_key,
+		   new_master_key_schedule, DES_ENCRYPT);
+
+  copy_from_key(key, &(p->key_low), &(p->key_high));
+  memset(key, 0, sizeof (key));  /* a little paranoia ... */
+
+  (p->kdc_key_ver)++;
+}
+
+static void
+clear_secrets (void)
+{
+  memset(master_key, 0, sizeof (des_cblock));
+  memset(master_key_schedule, 0, sizeof (des_key_schedule));
+  memset(new_master_key, 0, sizeof (des_cblock));
+  memset(new_master_key_schedule, 0, sizeof (des_key_schedule));
+}
+
+static void
+convert_new_master_key (char *db_file, FILE *out)
+{
+#ifdef RANDOM_MKEY
+  errx (1, "Sorry, this function is not available with "
+	"the new master key scheme.");
+#else
+  printf ("\n\nEnter the CURRENT master key.");
+  if (kdb_get_master_key (KDB_GET_PROMPT, &master_key,
+			  master_key_schedule) != 0) {
+    clear_secrets ();
+    errx (1, "Couldn't get master key.");
+  }
+
+  if (kdb_verify_master_key (&master_key, master_key_schedule, stderr) < 0) {
+    clear_secrets ();
+    exit (1);
+  }
+
+  printf ("\n\nNow enter the NEW master key.  Do not forget it!!");
+  if (kdb_get_master_key (KDB_GET_TWICE, &new_master_key,
+			  new_master_key_schedule) != 0) {
+    clear_secrets ();
+    errx (1, "Couldn't get new master key.");
+  }
+
+  dump_db (db_file, out, convert_key_new_master);
+  {
+    char *fname;
+
+    asprintf(&fname, "%s.new", MKEYFILE);
+    if(fname == NULL) {
+      clear_secrets();
+      errx(1, "malloc: failed");
+    }
+    kdb_kstash(&new_master_key, fname);
+    free(fname);
+  }
+#endif /* RANDOM_MKEY */
+}
+
+static void
+convert_key_old_db (Principal *p)
+{
+  des_cblock key;
+
+ /* leave null keys alone */
+  if ((p->key_low == 0) && (p->key_high == 0)) return;
+
+  copy_to_key(&p->key_low, &p->key_high, key);
+
+#ifndef NOENCRYPTION
+  des_pcbc_encrypt((des_cblock *)key,(des_cblock *)key,
+	(long)sizeof(des_cblock),master_key_schedule,
+	(des_cblock *)master_key_schedule, DES_DECRYPT);
+#endif
+
+  /* make new key, new style */
+  kdb_encrypt_key (&key, &key, &master_key, master_key_schedule, DES_ENCRYPT);
+
+  copy_from_key(key, &(p->key_low), &(p->key_high));
+  memset(key, 0, sizeof (key));  /* a little paranoia ... */
+}
+
+static void
+convert_old_format_db (char *db_file, FILE *out)
+{
+  des_cblock key_from_db;
+  Principal principal_data[1];
+  int n, more;
+
+  if (kdb_get_master_key (KDB_GET_PROMPT, &master_key,
+			  master_key_schedule) != 0L) {
+    clear_secrets();
+    errx (1, "Couldn't get master key.");
+  }
+
+  /* can't call kdb_verify_master_key because this is an old style db */
+  /* lookup the master key version */
+  n = kerb_get_principal(KERB_M_NAME, KERB_M_INST, principal_data,
+			 1 /* only one please */, &more);
+  if ((n != 1) || more)
+    errx (1, "verify_master_key: Kerberos error on master key lookup, %d found.\n", n);
+
+  /* set up the master key */
+  fprintf(stderr, "Current Kerberos master key version is %d.\n",
+	  principal_data[0].kdc_key_ver);
+
+  /*
+   * now use the master key to decrypt (old style) the key in the db, had better
+   * be the same! 
+   */
+  copy_to_key(&principal_data[0].key_low,
+	      &principal_data[0].key_high,
+	      key_from_db);
+#ifndef NOENCRYPTION
+  des_pcbc_encrypt(&key_from_db,&key_from_db,(long)sizeof(key_from_db),
+	master_key_schedule,(des_cblock *)master_key_schedule, DES_DECRYPT);
+#endif
+  /* the decrypted database key had better equal the master key */
+
+  n = memcmp(master_key, key_from_db, sizeof(master_key));
+  memset(key_from_db, 0, sizeof(key_from_db));
+
+  if (n) {
+    fprintf(stderr, "\n\07\07verify_master_key: Invalid master key, ");
+    fprintf(stderr, "does not match database.\n");
+    exit (1);
+  }
+    
+  fprintf(stderr, "Master key verified.\n");
+
+  dump_db (db_file, out, convert_key_old_db);
+}
+
+int
+main(int argc, char **argv)
+{
+    int ret;
+    FILE   *file;
+    enum {
+	OP_LOAD,
+	OP_MERGE,
+	OP_DUMP,
+	OP_SLAVE_DUMP,
+	OP_NEW_MASTER,
+	OP_CONVERT_OLD_DB
+    }       op;
+    char *file_name;
+    char *db_name;
+
+    set_progname (argv[0]);
+    
+    if (argc != 3 && argc != 4) {
+	fprintf(stderr, "Usage: %s operation file [database name].\n",
+		argv[0]);
+	fprintf(stderr, "Operation is one of: "
+		"load, merge, dump, slave_dump, new_master_key, "
+		"convert_old_db\n");
+	fprintf(stderr, "use file `-' for stdout\n");
+	exit(1);
+    }
+    if (argc == 3)
+	db_name = DBM_FILE;
+    else
+	db_name = argv[3];
+    
+    ret = kerb_db_set_name (db_name);
+    
+    /* this makes starting slave servers ~14.3 times easier */
+    if(ret && strcmp(argv[1], "load") == 0)
+       ret = kerb_db_create (db_name);
+
+    if(ret)
+      err (1, "Can't open database");
+
+    if (!strcmp(argv[1], "load"))
+	op = OP_LOAD;
+    else if (!strcmp(argv[1], "merge"))
+	op = OP_MERGE;
+    else if (!strcmp(argv[1], "dump"))
+	op = OP_DUMP;
+    else if (!strcmp(argv[1], "slave_dump"))
+        op = OP_SLAVE_DUMP;
+    else if (!strcmp(argv[1], "new_master_key"))
+        op = OP_NEW_MASTER;
+    else if (!strcmp(argv[1], "convert_old_db"))
+        op = OP_CONVERT_OLD_DB;
+    else {
+        warnx ("%s is an invalid operation.", argv[1]);
+	warnx ("Valid operations are \"load\", \"merge\", "
+	       "\"dump\", \"slave_dump\", \"new_master_key\", "
+	       "and \"convert_old_db\"");
+	return 1;
+    }
+
+    file_name = argv[2];
+    if (strcmp (file_name, "-") == 0
+	&& op != OP_LOAD
+	&& op != OP_MERGE)
+	file = stdout;
+    else {
+	char *mode;
+
+	if (op == OP_LOAD || op == OP_MERGE)
+	    mode = "r";
+	else
+	    mode = "w";
+
+	file = fopen (file_name, mode);
+    }
+    if (file == NULL)
+        err (1, "open %s", argv[2]);
+
+    switch (op) {
+    case OP_DUMP:
+      if ((dump_db(db_name, file, (void (*)(Principal *)) 0) == EOF)
+	  || (fflush(file) != 0)
+	  || (fsync(fileno(file)) != 0)
+	  || (fclose(file) == EOF))
+	err(1, "%s", file_name);
+      break;
+    case OP_SLAVE_DUMP:
+      if ((dump_db(db_name, file, (void (*)(Principal *)) 0) == EOF)
+	  || (fflush(file) != 0)
+	  || (fsync(fileno(file)) != 0)
+	  || (fclose(file) == EOF))
+	err(1, "%s", file_name);
+      update_ok_file(file_name);
+      break;
+    case OP_LOAD:
+      load_db (db_name, file);
+      break;
+    case OP_MERGE:
+      merge_db (db_name, file);
+      break;
+    case OP_NEW_MASTER:
+      convert_new_master_key (db_name, file);
+      printf("Don't forget to do a `kdb_util load %s' to reload the database!\n", file_name);
+      break;
+    case OP_CONVERT_OLD_DB:
+      convert_old_format_db (db_name, file);
+      printf("Don't forget to do a `kdb_util load %s' to reload the database!\n", file_name);      
+      break;
+    }
+    return 0;
+}
diff --git a/crypto/kerberosIV/admin/kstash.c b/crypto/kerberosIV/admin/kstash.c
new file mode 100644
index 0000000..4595de5
--- /dev/null
+++ b/crypto/kerberosIV/admin/kstash.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * of Technology 
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Description.
+ */
+
+#include "adm_locl.h"
+
+RCSID("$Id: kstash.c,v 1.10 1997/03/30 17:35:37 assar Exp $");
+
+/* change this later, but krblib_dbm needs it for now */
+
+static des_cblock master_key;
+static des_key_schedule master_key_schedule;
+
+static void 
+clear_secrets(void)
+{
+    memset(master_key_schedule, 0, sizeof(master_key_schedule));
+    memset(master_key, 0, sizeof(master_key));
+}
+
+int
+main(int argc, char **argv)
+{
+    long    n;
+    int ret = 0;
+    set_progname (argv[0]);
+
+    if ((n = kerb_init()))
+        errx(1, "Kerberos db and cache init failed = %ld\n", n);
+
+    if (kdb_get_master_key (KDB_GET_PROMPT, &master_key,
+			    master_key_schedule) != 0) {
+	clear_secrets();
+	errx(1, "Couldn't read master key.");
+    }
+
+    if (kdb_verify_master_key (&master_key, master_key_schedule, stderr) < 0) {
+	clear_secrets();
+	return 1;
+    }
+
+    ret = kdb_kstash(&master_key, MKEYFILE);
+    if(ret < 0)
+        warn("writing master key");
+    else
+	fprintf(stderr, "Wrote master key to %s\n", MKEYFILE);
+    
+    clear_secrets();
+    return ret;
+}
diff --git a/crypto/kerberosIV/appl/Makefile.in b/crypto/kerberosIV/appl/Makefile.in
new file mode 100644
index 0000000..74a3b9a
--- /dev/null
+++ b/crypto/kerberosIV/appl/Makefile.in
@@ -0,0 +1,43 @@
+# $Id: Makefile.in,v 1.31.6.1 2000/06/23 04:30:11 assar Exp $
+
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+@SET_MAKE@
+
+SUBDIRS		= sample kauth bsd movemail push afsutil \
+		  popper xnlock kx kip @OTP_dir@ ftp telnet
+
+all:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) all); done
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+install:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) install); done
+
+uninstall:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) uninstall); done
+
+clean:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) clean); done
+
+mostlyclean:	clean
+
+distclean:
+	for i in $(SUBDIRS);\
+	do (cd $$i && $(MAKE) $(MFLAGS) distclean); done
+	rm -f Makefile *~
+
+realclean:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) realclean); done
+
+.PHONY: all Wall install uninstall clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/appl/afsutil/Makefile.in b/crypto/kerberosIV/appl/afsutil/Makefile.in
new file mode 100644
index 0000000..86adb88
--- /dev/null
+++ b/crypto/kerberosIV/appl/afsutil/Makefile.in
@@ -0,0 +1,89 @@
+# $Id: Makefile.in,v 1.27 1999/03/10 19:01:10 joda Exp $
+
+SHELL	= /bin/sh
+
+srcdir	= @srcdir@
+VPATH	= @srcdir@
+
+top_builddir	= ../..
+
+CC	= @CC@
+LINK	= @LINK@
+AR	= ar
+RANLIB	= @RANLIB@
+DEFS	= @DEFS@
+CFLAGS	= @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS= @LD_FLAGS@
+INSTALL	= @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+LIBROKEN = -L../../lib/roken -lroken
+LIBS	= @KRB_KAFS_LIB@ -L../../lib/krb -lkrb -L../../lib/des -ldes $(LIBROKEN) @LIBS@ $(LIBROKEN)
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+libexecdir = @libexecdir@
+bindir = @bindir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+PROG_BIN	= pagsh$(EXECSUFFIX) \
+		  afslog$(EXECSUFFIX) \
+		  kstring2key$(EXECSUFFIX)
+PROG_LIBEXEC	= 
+PROGS = $(PROG_BIN) $(PROG_LIBEXEC)
+
+SOURCES = pagsh.c aklog.c kstring2key.c
+
+OBJECTS = pagsh.o aklog.o kstring2key.o
+
+all: $(PROGS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(bindir)
+	for x in $(PROG_BIN); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROG_BIN); do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f *.a *.o $(PROGS)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+pagsh$(EXECSUFFIX): pagsh.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ pagsh.o $(LIBS)
+
+afslog$(EXECSUFFIX): aklog.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ aklog.o $(LIBS)
+
+kstring2key$(EXECSUFFIX): kstring2key.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kstring2key.o $(LIBS)
+
+
+$(OBJECTS): ../../include/config.h
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/appl/afsutil/aklog.c b/crypto/kerberosIV/appl/afsutil/aklog.c
new file mode 100644
index 0000000..b3370da
--- /dev/null
+++ b/crypto/kerberosIV/appl/afsutil/aklog.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <ctype.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_IOCCOM_H
+#include <sys/ioccom.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <err.h>
+#include <krb.h>
+#include <kafs.h>
+
+#include <roken.h>
+
+RCSID("$Id: aklog.c,v 1.24.2.1 2000/06/23 02:31:15 assar Exp $");
+
+static int debug = 0;
+
+static void
+DEBUG(const char *, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
+
+static void
+DEBUG(const char *fmt, ...)
+{
+  va_list ap;
+  if (debug) {
+    va_start(ap, fmt);
+    vwarnx(fmt, ap);
+    va_end(ap);
+  }
+}
+
+static char *
+expand_1 (const char *cell, const char *filename)
+{
+  FILE *f;
+  static char buf[128];
+  char *p;
+
+  f = fopen(filename, "r");
+  if(f == NULL)
+    return NULL;
+  while(fgets(buf, sizeof(buf), f) != NULL) {
+    if(buf[0] == '>') {
+      for(p=buf; *p && !isspace(*p) && *p != '#'; p++)
+	  ;
+      *p = '\0';
+      if(strstr(buf, cell)){
+	fclose(f);
+	return buf + 1;
+      }
+    }
+    buf[0] = 0;
+  }
+  fclose(f);
+  return NULL;
+}
+
+static const char *
+expand_cell_name(const char *cell)
+{
+  char *ret;
+
+  ret = expand_1(cell, _PATH_CELLSERVDB);
+  if (ret != NULL)
+    return ret;
+  ret = expand_1(cell, _PATH_ARLA_CELLSERVDB);
+  if (ret != NULL)
+    return ret;
+  return cell;
+}
+
+static int
+createuser (const char *cell)
+{
+  char cellbuf[64];
+  char name[ANAME_SZ];
+  char instance[INST_SZ];
+  char realm[REALM_SZ];
+  char cmd[1024];
+
+  if (cell == NULL) {
+    FILE *f;
+    int len;
+
+    f = fopen (_PATH_THISCELL, "r");
+    if (f == NULL)
+      f = fopen (_PATH_ARLA_THISCELL, "r");
+    if (f == NULL)
+      err (1, "open(%s, %s)", _PATH_THISCELL, _PATH_ARLA_THISCELL);
+    if (fgets (cellbuf, sizeof(cellbuf), f) == NULL)
+      err (1, "read cellname from %s %s", _PATH_THISCELL, _PATH_ARLA_THISCELL);
+    fclose (f);
+    len = strlen(cellbuf);
+    if (cellbuf[len-1] == '\n')
+      cellbuf[len-1] = '\0';
+    cell = cellbuf;
+  }
+
+  if(krb_get_default_principal(name, instance, realm))
+    errx (1, "Could not even figure out who you are");
+
+  snprintf (cmd, sizeof(cmd),
+	    "pts createuser %s%s%s@%s -cell %s",
+	    name, *instance ? "." : "", instance, strlwr(realm),
+	    cell);
+  DEBUG("Executing %s", cmd);
+  return system(cmd);
+}
+
+int
+main(int argc, char **argv)
+{
+  int i;
+  int do_aklog = -1;
+  int do_createuser = -1;
+  const char *cell = NULL;
+  char *realm = NULL;
+  char cellbuf[64];
+  
+  set_progname (argv[0]);
+
+  if(!k_hasafs())
+    exit(1);
+
+  for(i = 1; i < argc; i++){
+    if(!strncmp(argv[i], "-createuser", 11)){
+      do_createuser = do_aklog = 1;
+
+    }else if(!strncmp(argv[i], "-c", 2) && i + 1 < argc){
+      cell = expand_cell_name(argv[++i]);
+      do_aklog = 1;
+
+    }else if(!strncmp(argv[i], "-k", 2) && i + 1 < argc){
+      realm = argv[++i];
+
+    }else if(!strncmp(argv[i], "-p", 2) && i + 1 < argc){
+      if(k_afs_cell_of_file(argv[++i], cellbuf, sizeof(cellbuf)))
+	errx (1, "No cell found for file \"%s\".", argv[i]);
+      else
+	cell = cellbuf;
+      do_aklog = 1;
+
+    }else if(!strncmp(argv[i], "-unlog", 6)){
+      exit(k_unlog());
+
+    }else if(!strncmp(argv[i], "-hosts", 6)){
+      warnx ("Argument -hosts is not implemented.");
+
+    }else if(!strncmp(argv[i], "-zsubs", 6)){
+      warnx("Argument -zsubs is not implemented.");
+
+    }else if(!strncmp(argv[i], "-noprdb", 6)){
+      warnx("Argument -noprdb is not implemented.");
+
+    }else if(!strncmp(argv[i], "-d", 6)){
+      debug = 1;
+
+    }else{
+      if(!strcmp(argv[i], ".") ||
+	 !strcmp(argv[i], "..") ||
+	 strchr(argv[i], '/')){
+	DEBUG("I guess that \"%s\" is a filename.", argv[i]);
+	if(k_afs_cell_of_file(argv[i], cellbuf, sizeof(cellbuf)))
+	  errx (1, "No cell found for file \"%s\".", argv[i]);
+	else {
+	  cell = cellbuf;
+	  DEBUG("The file \"%s\" lives in cell \"%s\".", argv[i], cell);
+	}
+      }else{
+	cell = expand_cell_name(argv[i]);
+	DEBUG("I guess that %s is cell %s.", argv[i], cell);
+      }
+      do_aklog = 1;
+    }
+    if(do_aklog == 1){
+      do_aklog = 0;
+      if(krb_afslog(cell, realm))
+	errx (1, "Failed getting tokens for cell %s in realm %s.", 
+	      cell?cell:"(local cell)", realm?realm:"(local realm)");
+    }
+    if(do_createuser == 1) {
+      do_createuser = 0;
+      if(createuser(cell))
+	errx (1, "Failed creating user in cell %s", cell?cell:"(local cell)");
+    }
+  }
+  if(do_aklog == -1 && do_createuser == -1 && krb_afslog(0, realm))
+    errx (1, "Failed getting tokens for cell %s in realm %s.", 
+	  cell?cell:"(local cell)", realm?realm:"(local realm)");
+  return 0;
+}
diff --git a/crypto/kerberosIV/appl/afsutil/kstring2key.c b/crypto/kerberosIV/appl/afsutil/kstring2key.c
new file mode 100644
index 0000000..70246f9
--- /dev/null
+++ b/crypto/kerberosIV/appl/afsutil/kstring2key.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+/* $FreeBSD$ */
+
+#include "config.h"
+
+RCSID("$Id: kstring2key.c,v 1.16 1999/12/02 16:58:28 joda Exp $");
+
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+#include <err.h>
+
+#include <roken.h>
+
+#include <openssl/des.h>
+#include <krb.h>
+
+#define VERIFY 0
+
+static void
+usage(void)
+{
+    fprintf(stderr,
+	    "Usage: %s [-c AFS cellname] [ -5 krb5salt ] [ password ]\n",
+	    __progname);
+    fprintf(stderr,
+	    "       krb5salt is realmname APPEND principal APPEND instance\n");
+    exit(1);
+}
+
+static
+void
+krb5_string_to_key(char *str,
+		   char *salt,
+		   des_cblock *key)
+{
+    char *foo;
+
+    asprintf(&foo, "%s%s", str, salt);
+    if (foo == NULL)
+	errx (1, "malloc: out of memory");
+    des_string_to_key(foo, key);
+    free (foo);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    des_cblock key;
+    char buf[1024];
+    char *cellname = 0, *salt = 0;
+
+    set_progname (argv[0]);
+
+    if (argc >= 3 && argv[1][0] == '-' && argv[1][1] == 'c')
+	{
+	    cellname = argv[2];
+	    argv += 2;
+	    argc -= 2;
+	}
+    else if (argc >= 3 && argv[1][0] == '-' && argv[1][1] == '5')
+	{
+	    salt = argv[2];
+	    argv += 2;
+	    argc -= 2;
+	}
+    if (argc >= 2 && argv[1][0] == '-')
+	usage();
+
+    switch (argc) {
+    case 1:
+	if (des_read_pw_string(buf, sizeof(buf)-1, "password: ", VERIFY))
+	    errx (1, "Error reading password.");
+	break;
+    case 2:
+	strlcpy(buf, argv[1], sizeof(buf));
+	break;
+    default:
+	usage();
+	break;
+    }
+
+    if (cellname != 0)
+	afs_string_to_key(buf, cellname, &key);
+    else if (salt != 0)
+        krb5_string_to_key(buf, salt, &key);
+    else
+	des_string_to_key(buf, &key);
+
+    {
+	int j;
+	unsigned char *tkey = (unsigned char *) &key;
+	printf("ascii = ");
+	for(j = 0; j < 8; j++)
+	    if(tkey[j] != '\\' && isalpha(tkey[j]) != 0)
+		printf("%c", tkey[j]);
+	    else
+		printf("\\%03o",(unsigned char)tkey[j]);
+	printf("\n");
+	printf("hex   = ");
+	for(j = 0; j < 8; j++)
+	    printf("%02x",(unsigned char)tkey[j]);
+	printf("\n");
+    }
+    exit(0);
+}
diff --git a/crypto/kerberosIV/appl/afsutil/pagsh.c b/crypto/kerberosIV/appl/afsutil/pagsh.c
new file mode 100644
index 0000000..c6704be
--- /dev/null
+++ b/crypto/kerberosIV/appl/afsutil/pagsh.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: pagsh.c,v 1.22 1999/12/02 16:58:28 joda Exp $");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <time.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#include <err.h>
+#include <roken.h>
+
+#include <krb.h>
+#include <kafs.h>
+
+int
+main(int argc, char **argv)
+{
+  int f;
+  char tf[1024];
+  char *p;
+
+  char *path;
+  char **args;
+  int i;
+
+  do {
+    snprintf(tf, sizeof(tf), "%s%u_%u", TKT_ROOT, (unsigned int)getuid(),
+	    (unsigned int)(getpid()*time(0)));
+    f = open(tf, O_CREAT|O_EXCL|O_RDWR);
+  } while(f < 0);
+  close(f);
+  unlink(tf);
+  setenv("KRBTKFILE", tf, 1);
+
+  i = 0;
+
+  args = (char **) malloc((argc + 10)*sizeof(char *));
+  if (args == NULL)
+      errx (1, "Out of memory allocating %lu bytes",
+	    (unsigned long)((argc + 10)*sizeof(char *)));
+  
+  argv++;
+
+  if(*argv == NULL) {
+    path = getenv("SHELL");
+    if(path == NULL){
+      struct passwd *pw = k_getpwuid(geteuid());
+      path = strdup(pw->pw_shell);
+    }
+  } else {
+    if(strcmp(*argv, "-c") ==  0) argv++;
+    path = strdup(*argv++);
+  }
+  if (path == NULL)
+      errx (1, "Out of memory copying path");
+  
+  p=strrchr(path, '/');
+  if(p)
+    args[i] = strdup(p+1);
+  else
+    args[i] = strdup(path);
+
+  if (args[i++] == NULL)
+      errx (1, "Out of memory copying arguments");
+  
+  while(*argv)
+    args[i++] = *argv++;
+
+  args[i++] = NULL;
+
+  if(k_hasafs())
+    k_setpag();
+
+  execvp(path, args);
+  if (errno == ENOENT) {
+      char **sh_args = malloc ((i + 2) * sizeof(char *));
+      int j;
+
+      if (sh_args == NULL)
+	  errx (1, "Out of memory copying sh arguments");
+      for (j = 1; j < i; ++j)
+	  sh_args[j + 2] = args[j];
+      sh_args[0] = "sh";
+      sh_args[1] = "-c";
+      sh_args[2] = path;
+      execv ("/bin/sh", sh_args);
+  }
+  perror("execvp");
+  exit(1);
+}
diff --git a/crypto/kerberosIV/appl/bsd/Makefile.in b/crypto/kerberosIV/appl/bsd/Makefile.in
new file mode 100644
index 0000000..fdda8c1
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/Makefile.in
@@ -0,0 +1,136 @@
+# $Id: Makefile.in,v 1.68 1999/03/27 17:05:34 joda Exp $
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+
+top_builddir = ../..
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@ -DBINDIR='"$(bindir)"'
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+LIBS = @LIBS@
+LIB_DBM = @LIB_DBM@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+libexecdir = @libexecdir@
+bindir = @bindir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+# Beware, these are all setuid root programs
+PROG_SUIDBIN	= rsh$(EXECSUFFIX) \
+		  rcp$(EXECSUFFIX) \
+		  rlogin$(EXECSUFFIX) \
+		  su$(EXECSUFFIX)
+PROG_BIN	= login$(EXECSUFFIX)
+PROG_LIBEXEC	= rshd$(EXECSUFFIX) \
+		  rlogind$(EXECSUFFIX)
+PROGS = $(PROG_SUIDBIN) $(PROG_BIN) $(PROG_LIBEXEC)
+
+SOURCES = rsh.c kcmd.c krcmd.c rlogin.c rcp.c rcp_util.c rshd.c \
+	login.c klogin.c login_access.c su.c rlogind.c \
+	login_fbtab.c forkpty.c sysv_default.c sysv_environ.c sysv_shadow.c \
+	utmp_login.c utmpx_login.c stty_default.c encrypt.c rcmd_util.c tty.c \
+	osfc2.c
+
+rsh_OBJS	= rsh.o kcmd.o krcmd.o encrypt.o rcmd_util.o
+rcp_OBJS	= rcp.o rcp_util.o kcmd.o krcmd.o encrypt.o rcmd_util.o osfc2.o
+rlogin_OBJS	= rlogin.o kcmd.o krcmd.o encrypt.o rcmd_util.o
+login_OBJS 	= login.o klogin.o login_fbtab.o login_access.o \
+		  sysv_default.o sysv_environ.o sysv_shadow.o \
+		  utmp_login.o utmpx_login.o stty_default.o tty.o osfc2.o
+su_OBJS		= su.o
+rshd_OBJS	= rshd.o encrypt.o rcmd_util.o osfc2.o
+rlogind_OBJS	= rlogind.o forkpty.o encrypt.o rcmd_util.o tty.o
+
+
+all: $(PROGS) 
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o: 
+	$(CC) -c $(DEFS) -I../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libexecdir)
+	for x in $(PROG_LIBEXEC); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(libexecdir)/`echo $$x| sed '$(transform)'`; \
+	done
+	$(MKINSTALLDIRS) $(DESTDIR)$(bindir)
+	for x in $(PROG_BIN); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(bindir)/`echo $$x| sed '$(transform)'`; \
+	done
+	-for x in $(PROG_SUIDBIN); do \
+	  $(INSTALL_PROGRAM) -o root -m 04555 $$x $(DESTDIR)$(bindir)/`echo $$x| sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROG_LIBEXEC); do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$x| sed '$(transform)'`; \
+	done
+	for x in $(PROG_BIN); do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$x| sed '$(transform)'`; \
+	done
+	for x in $(PROG_SUIDBIN); do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$x| sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f *.a *.o $(PROGS)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+KLIB=-L../../lib/krb -lkrb -L../../lib/des -ldes
+KLIB_AFS=@KRB_KAFS_LIB@ $(KLIB)
+OTPLIB=@LIB_otp@
+LIBROKEN=-L../../lib/roken -lroken
+
+LIB_security=@LIB_security@
+
+rcp$(EXECSUFFIX): $(rcp_OBJS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(rcp_OBJS) $(KLIB_AFS) $(LIBROKEN) $(LIBS) $(LIBROKEN) $(LIB_security)
+
+rsh$(EXECSUFFIX): $(rsh_OBJS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(rsh_OBJS) $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+rshd$(EXECSUFFIX): $(rshd_OBJS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(rshd_OBJS) $(KLIB_AFS) $(LIBROKEN) $(LIBS) $(LIBROKEN) $(LIB_security)
+
+rlogin$(EXECSUFFIX): $(rlogin_OBJS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@  $(rlogin_OBJS) $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+rlogind$(EXECSUFFIX): $(rlogind_OBJS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(rlogind_OBJS) $(KLIB_AFS) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+login$(EXECSUFFIX): $(login_OBJS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(login_OBJS) $(OTPLIB) $(KLIB_AFS) $(LIBROKEN) $(LIB_DBM) $(LIBS) $(LIBROKEN) $(LIB_security)
+
+su$(EXECSUFFIX): $(su_OBJS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(su_OBJS) $(KLIB_AFS) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/appl/bsd/README.login b/crypto/kerberosIV/appl/bsd/README.login
new file mode 100644
index 0000000..c072969
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/README.login
@@ -0,0 +1,20 @@
+This login has additional functionalities. They are all based on (part of)
+Wietse Venema's logdaemon package.
+
+
+The following defines can be used:
+1) LOGIN_ACCESS to allow access control on a per tty/user combination
+2) LOGALL to log all logins
+
+-Guido
+
+This login has some of Berkeley's paranoid/broken (depending on your point
+of view) Kerberos code conditionalized out, so that by default it works like
+klogin does at MIT-LCS.  You can define KLOGIN_PARANOID to re-enable this code.
+This define also controls whether a warning message is printed when logging
+into a system with no krb.conf file, which usually means that Kerberos is
+not configured.
+
+-GAWollman
+
+(removed S/Key,	/assar)
diff --git a/crypto/kerberosIV/appl/bsd/bsd_locl.h b/crypto/kerberosIV/appl/bsd/bsd_locl.h
new file mode 100644
index 0000000..565eb96
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/bsd_locl.h
@@ -0,0 +1,400 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: bsd_locl.h,v 1.111 1999/12/02 16:58:28 joda Exp $ */
+/* $FreeBSD$ */
+
+#define LOGALL
+#ifndef KERBEROS
+#define KERBEROS
+#endif
+#define KLOGIN_PARANOID
+#define LOGIN_ACCESS
+#define PASSWD_FALLBACK
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+/* Any better way to test NO_MOTD? */
+#if (SunOS >= 50) || defined(__hpux)
+#define NO_MOTD
+#endif
+
+#ifdef HAVE_SHADOW_H
+#define SYSV_SHADOW
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <setjmp.h>
+#include <limits.h>
+
+#include <stdarg.h>
+
+#include <errno.h>
+#ifdef HAVE_IO_H
+#include <io.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+#ifndef S_ISTXT
+#ifdef S_ISVTX
+#define S_ISTXT S_ISVTX
+#else
+#define S_ISTXT 0
+#endif
+#endif
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+#include <signal.h>
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifndef NCARGS
+#define NCARGS  0x100000 /* (absolute) max # characters in exec arglist */
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#ifdef HAVE_UTIME_H
+#include <utime.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_IOCCOM_H
+#include <sys/ioccom.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif
+
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+
+#ifdef HAVE_SYS_STREAM_H
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif /* HAVE_SYS_UIO_H */
+#include <sys/stream.h>
+#endif /* HAVE_SYS_STREAM_H */
+
+#ifdef HAVE_SYS_PTYVAR_H
+#ifdef HAVE_SYS_PROC_H
+#include <sys/proc.h>
+#endif
+#ifdef HAVE_SYS_TTY_H
+#include <sys/tty.h>
+#endif
+#ifdef HAVE_SYS_PTYIO_H
+#include <sys/ptyio.h>
+#endif
+#include <sys/ptyvar.h>
+#endif /* HAVE_SYS_PTYVAR_H */
+
+/* Cray stuff */
+#ifdef HAVE_UDB_H
+#include <udb.h>
+#endif
+#ifdef HAVE_SYS_CATEGORY_H
+#include <sys/category.h>
+#endif
+
+/* Strange ioctls that are not always defined */
+
+#ifndef TIOCPKT_FLUSHWRITE
+#define TIOCPKT_FLUSHWRITE      0x02
+#endif
+ 
+#ifndef TIOCPKT_NOSTOP
+#define TIOCPKT_NOSTOP  0x10
+#endif
+ 
+#ifndef TIOCPKT_DOSTOP
+#define TIOCPKT_DOSTOP  0x20
+#endif
+
+#ifndef TIOCPKT
+#define TIOCPKT		_IOW('t', 112, int)   /* pty: set/clear packet mode */
+#endif
+
+#ifdef HAVE_LASTLOG_H
+#include <lastlog.h>
+#endif
+
+#ifdef HAVE_LOGIN_H
+#include <login.h>
+#endif
+
+#ifdef HAVE_TTYENT_H
+#include <ttyent.h>
+#endif
+
+#ifdef HAVE_STROPTS_H
+#include <stropts.h>
+#endif
+
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#ifndef UT_NAMESIZE
+#define UT_NAMESIZE     sizeof(((struct utmp *)0)->ut_name)
+#endif
+#endif
+
+#ifdef HAVE_UTMPX_H
+#include <utmpx.h>
+#endif
+
+#ifdef HAVE_USERPW_H
+#include <userpw.h>
+#endif /* HAVE_USERPW_H */
+
+#ifdef HAVE_USERSEC_H
+struct aud_rec;
+#include <usersec.h>
+#endif /* HAVE_USERSEC_H */
+
+#ifdef HAVE_OSFC2
+#include "/usr/include/prot.h"
+#endif
+
+#ifndef PRIO_PROCESS
+#define PRIO_PROCESS 0
+#endif
+
+#include <err.h>
+
+#include <roken.h>
+
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#include <openssl/des.h>
+#include <krb.h>
+#include <kafs.h>
+
+int kcmd(int *sock, char **ahost, u_int16_t rport, char *locuser,
+	 char *remuser, char *cmd, int *fd2p, KTEXT ticket,
+	 char *service, char *realm, CREDENTIALS *cred,
+	 Key_schedule schedule, MSG_DAT *msg_data,
+	 struct sockaddr_in *laddr, struct sockaddr_in *faddr,
+	 int32_t authopts);
+
+int krcmd(char **ahost, u_int16_t rport, char *remuser, char *cmd,
+	  int *fd2p, char *realm);
+
+int krcmd_mutual(char **ahost, u_int16_t rport, char *remuser,
+		 char *cmd,int *fd2p, char *realm,
+		 CREDENTIALS *cred, Key_schedule sched);
+
+int klogin(struct passwd *pw, char *instance, char *localhost, char *password);
+
+#if 0
+typedef struct {
+        int cnt;
+        char *buf;
+} BUF;
+#endif
+
+char *colon(char *cp);
+int okname(char *cp0);
+int susystem(char *s, int userid);
+
+int forkpty(int *amaster, char *name,
+	    struct termios *termp, struct winsize *winp);
+
+int forkpty_truncate(int *amaster, char *name, size_t name_sz,
+		     struct termios *termp, struct winsize *winp);
+
+#ifndef MODEMASK
+#define	MODEMASK	(S_ISUID|S_ISGID|S_ISTXT|S_IRWXU|S_IRWXG|S_IRWXO)
+#endif
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_MAILLOCK_H
+#include <maillock.h>
+#endif
+#include "pathnames.h"
+
+void stty_default (void);
+
+int utmpx_login(char *line, char *user, char *host);
+
+extern char **environ;
+
+void sysv_newenv(int argc, char **argv, struct passwd *pwd,
+		 char *term, int pflag);
+
+int login_access(struct passwd *user, char *from);
+void fatal(int f, const char *msg, int syserr);
+
+extern int LEFT_JUSTIFIED;
+
+/* used in des_read and des_write */
+#define DES_RW_MAXWRITE	(1024*16)
+#define DES_RW_BSIZE	(DES_RW_MAXWRITE+4)
+
+void sysv_defaults(void);
+void utmp_login(char *tty, char *username, char *hostname);
+void sleepexit (int);
+
+#ifndef HAVE_SETPRIORITY
+#define setpriority(which, who, niceval) 0
+#endif
+
+#ifndef HAVE_GETPRIORITY
+#define getpriority(which, who) 0
+#endif
+
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+
+#ifndef _POSIX_VDISABLE
+#define _POSIX_VDISABLE 0
+#endif /* _POSIX_VDISABLE */
+#if SunOS == 40
+#include <sys/ttold.h>
+#endif
+
+#if defined(HAVE_SYS_TERMIO_H) && !defined(HAVE_TERMIOS_H)
+#include <sys/termio.h>
+#endif
+
+#ifndef CEOF
+#define CEOF 04
+#endif
+
+/* concession to Sun */
+#ifndef SIGUSR1
+#define	SIGUSR1	30
+#endif
+
+#ifndef TIOCPKT_WINDOW
+#define TIOCPKT_WINDOW 0x80
+#endif
+
+int get_shell_port(int kerberos, int encryption);
+int get_login_port(int kerberos, int encryption);
+int speed_t2int (speed_t);
+speed_t int2speed_t (int);
+void ip_options_and_die (int sock, struct sockaddr_in *);
+void warning(const char *fmt, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
+
+char *clean_ttyname (char *tty);
+char *make_id (char *tty);
+#ifdef HAVE_UTMP_H
+void prepare_utmp (struct utmp *utmp, char *tty, char *username,
+		   char *hostname);
+#endif
+
+int do_osfc2_magic(uid_t);
+
+void paranoid_setuid (uid_t uid);
diff --git a/crypto/kerberosIV/appl/bsd/encrypt.c b/crypto/kerberosIV/appl/bsd/encrypt.c
new file mode 100644
index 0000000..9f835c6
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/encrypt.c
@@ -0,0 +1,305 @@
+/* Copyright (C) 1995 Eric Young (eay@mincom.oz.au)
+ * All rights reserved.
+ * 
+ * This file is part of an SSL implementation written
+ * by Eric Young (eay@mincom.oz.au).
+ * The implementation was written so as to conform with Netscapes SSL
+ * specification.  This library and applications are
+ * FREE FOR COMMERCIAL AND NON-COMMERCIAL USE
+ * as long as the following conditions are aheared to.
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.  If this code is used in a product,
+ * Eric Young should be given attribution as the author of the parts used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    This product includes software developed by Eric Young (eay@mincom.oz.au)
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: encrypt.c,v 1.4 1999/06/17 18:47:26 assar Exp $");
+
+/* replacements for htonl and ntohl since I have no idea what to do
+ * when faced with machines with 8 byte longs. */
+#define HDRSIZE 4
+
+#define n2l(c,l)	(l =((u_int32_t)(*((c)++)))<<24, \
+			 l|=((u_int32_t)(*((c)++)))<<16, \
+			 l|=((u_int32_t)(*((c)++)))<< 8, \
+			 l|=((u_int32_t)(*((c)++))))
+
+#define l2n(l,c)	(*((c)++)=(unsigned char)(((l)>>24)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+			 *((c)++)=(unsigned char)(((l)    )&0xff))
+
+/* This has some uglies in it but it works - even over sockets. */
+extern int errno;
+int des_rw_mode=DES_PCBC_MODE;
+int LEFT_JUSTIFIED = 0;
+
+int
+des_enc_read(int fd, char *buf, int len, struct des_ks_struct *sched, des_cblock *iv)
+{
+  /* data to be unencrypted */
+  int net_num=0;
+  unsigned char net[DES_RW_BSIZE];
+  /* extra unencrypted data 
+   * for when a block of 100 comes in but is des_read one byte at
+   * a time. */
+  static char unnet[DES_RW_BSIZE];
+  static int unnet_start=0;
+  static int unnet_left=0;
+  int i;
+  long num=0,rnum;
+  unsigned char *p;
+
+  /* left over data from last decrypt */
+  if (unnet_left != 0)
+    {
+      if (unnet_left < len)
+	{
+	  /* we still still need more data but will return
+	   * with the number of bytes we have - should always
+	   * check the return value */
+	  memcpy(buf,&(unnet[unnet_start]),unnet_left);
+	  /* eay 26/08/92 I had the next 2 lines
+	   * reversed :-( */
+	  i=unnet_left;
+	  unnet_start=unnet_left=0;
+	}
+      else
+	{
+	  memcpy(buf,&(unnet[unnet_start]),len);
+	  unnet_start+=len;
+	  unnet_left-=len;
+	  i=len;
+	}
+      return(i);
+    }
+
+  /* We need to get more data. */
+  if (len > DES_RW_MAXWRITE) len=DES_RW_MAXWRITE;
+
+  /* first - get the length */
+  net_num=0;
+  while (net_num < HDRSIZE) 
+    {
+      i=read(fd,&(net[net_num]),(unsigned int)HDRSIZE-net_num);
+      if ((i == -1) && (errno == EINTR)) continue;
+      if (i <= 0) return(0);
+      net_num+=i;
+    }
+
+  /* we now have at net_num bytes in net */
+  p=net;
+  num=0;
+  n2l(p,num);
+  /* num should be rounded up to the next group of eight
+   * we make sure that we have read a multiple of 8 bytes from the net.
+   */
+  if ((num > DES_RW_MAXWRITE) || (num < 0)) /* error */
+    return(-1);
+  rnum=(num < 8)?8:((num+7)/8*8);
+
+  net_num=0;
+  while (net_num < rnum)
+    {
+      i=read(fd,&(net[net_num]),(unsigned int)rnum-net_num);
+      if ((i == -1) && (errno == EINTR)) continue;
+      if (i <= 0) return(0);
+      net_num+=i;
+    }
+
+  /* Check if there will be data left over. */
+  if (len < num)
+    {
+      if (des_rw_mode & DES_PCBC_MODE)
+	des_pcbc_encrypt((des_cblock *)net,(des_cblock *)unnet,
+		     num,sched,iv,DES_DECRYPT);
+      else
+	des_cbc_encrypt((des_cblock *)net,(des_cblock *)unnet,
+		    num,sched,iv,DES_DECRYPT);
+      memcpy(buf,unnet,len);
+      unnet_start=len;
+      unnet_left=num-len;
+
+      /* The following line is done because we return num
+       * as the number of bytes read. */
+      num=len;
+    }
+  else
+    {
+      /* >output is a multiple of 8 byes, if len < rnum
+       * >we must be careful.  The user must be aware that this
+       * >routine will write more bytes than he asked for.
+       * >The length of the buffer must be correct.
+       * FIXED - Should be ok now 18-9-90 - eay */
+      if (len < rnum)
+	{
+	  char tmpbuf[DES_RW_BSIZE];
+
+	  if (des_rw_mode & DES_PCBC_MODE)
+	    des_pcbc_encrypt((des_cblock *)net,
+			 (des_cblock *)tmpbuf,
+			 num,sched,iv,DES_DECRYPT);
+	  else
+	    des_cbc_encrypt((des_cblock *)net,
+			(des_cblock *)tmpbuf,
+			num,sched,iv,DES_DECRYPT);
+
+	  /* eay 26/08/92 fix a bug that returned more
+	   * bytes than you asked for (returned len bytes :-( */
+	  if (LEFT_JUSTIFIED || (len >= 8))
+	      memcpy(buf,tmpbuf,num);
+	  else
+	      memcpy(buf,tmpbuf+(8-num),num); /* Right justified */
+	}
+      else if (num >= 8)
+	{
+	  if (des_rw_mode & DES_PCBC_MODE)
+	    des_pcbc_encrypt((des_cblock *)net,
+			 (des_cblock *)buf,num,sched,iv,
+			 DES_DECRYPT);
+	  else
+	    des_cbc_encrypt((des_cblock *)net,
+			(des_cblock *)buf,num,sched,iv,
+			DES_DECRYPT);
+	}
+      else
+	{
+	  if (des_rw_mode & DES_PCBC_MODE)
+	    des_pcbc_encrypt((des_cblock *)net,
+			 (des_cblock *)buf,8,sched,iv,
+			 DES_DECRYPT);
+	  else
+	    des_cbc_encrypt((des_cblock *)net,
+			(des_cblock *)buf,8,sched,iv,
+			DES_DECRYPT);
+	  if (!LEFT_JUSTIFIED)
+	      memcpy(buf, buf+(8-num), num); /* Right justified */
+	}
+    }
+  return(num);
+}
+
+int
+des_enc_write(int fd, char *buf, int len, struct des_ks_struct *sched, des_cblock *iv)
+{
+  long rnum;
+  int i,j,k,outnum;
+  char outbuf[DES_RW_BSIZE+HDRSIZE];
+  char shortbuf[8];
+  char *p;
+  static int start=1;
+
+  /* If we are sending less than 8 bytes, the same char will look
+   * the same if we don't pad it out with random bytes */
+  if (start)
+    {
+      start=0;
+      srand(time(NULL));
+    }
+
+  /* lets recurse if we want to send the data in small chunks */
+  if (len > DES_RW_MAXWRITE)
+    {
+      j=0;
+      for (i=0; i<len; i+=k)
+	{
+	  k=des_enc_write(fd,&(buf[i]),
+			  ((len-i) > DES_RW_MAXWRITE)?DES_RW_MAXWRITE:(len-i),sched,iv);
+	  if (k < 0)
+	    return(k);
+	  else
+	    j+=k;
+	}
+      return(j);
+    }
+
+  /* write length first */
+  p=outbuf;
+  l2n(len,p);
+
+  /* pad short strings */
+  if (len < 8)
+    {
+	if (LEFT_JUSTIFIED)
+	    {
+		p=shortbuf;
+		memcpy(shortbuf,buf,(unsigned int)len);
+		for (i=len; i<8; i++)
+		    shortbuf[i]=rand();
+		rnum=8;
+	    }
+	else
+	    {
+		p=shortbuf;
+		for (i=0; i<8-len; i++)
+		    shortbuf[i]=rand();
+		memcpy(shortbuf + 8 - len, buf, len);
+		rnum=8;
+	    }
+    }
+  else
+    {
+      p=buf;
+      rnum=((len+7)/8*8);	/* round up to nearest eight */
+    }
+
+  if (des_rw_mode & DES_PCBC_MODE)
+    des_pcbc_encrypt((des_cblock *)p,(des_cblock *)&(outbuf[HDRSIZE]),
+		 (long)((len<8)?8:len),sched,iv,DES_ENCRYPT); 
+  else
+    des_cbc_encrypt((des_cblock *)p,(des_cblock *)&(outbuf[HDRSIZE]),
+		(long)((len<8)?8:len),sched,iv,DES_ENCRYPT); 
+
+  /* output */
+  outnum=rnum+HDRSIZE;
+
+  for (j=0; j<outnum; j+=i)
+    {
+      /* eay 26/08/92 I was not doing writing from where we
+       * got upto. */
+      i=write(fd,&(outbuf[j]),(unsigned int)(outnum-j));
+      if (i == -1)
+	{
+	  if (errno == EINTR)
+	    i=0;
+	  else			/* This is really a bad error - very bad
+				 * It will stuff-up both ends. */
+	    return(-1);
+	}
+    }
+
+  return(len);
+}
diff --git a/crypto/kerberosIV/appl/bsd/forkpty.c b/crypto/kerberosIV/appl/bsd/forkpty.c
new file mode 100644
index 0000000..891fb91
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/forkpty.c
@@ -0,0 +1,477 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+#ifndef HAVE_FORKPTY
+
+RCSID("$Id: forkpty.c,v 1.57 1999/12/02 16:58:28 joda Exp $");
+
+/* Only CRAY is known to have problems with forkpty(). */
+#if defined(CRAY)
+static int forkpty_ok = 0;
+#else
+static int forkpty_ok = 1;
+#endif
+
+#ifndef HAVE_PTSNAME
+static char *ptsname(int fd)
+{
+#ifdef HAVE_TTYNAME
+  return ttyname(fd);
+#else
+  return NULL;
+#endif
+}
+#endif
+
+#ifndef HAVE_GRANTPT
+#define grantpt(fdm) (0)
+#endif
+
+#ifndef HAVE_UNLOCKPT
+#define unlockpt(fdm) (0)
+#endif
+
+#ifndef HAVE_VHANGUP
+#define vhangup() (0)
+#endif
+
+#ifndef HAVE_REVOKE
+static
+void
+revoke(char *line)
+{
+    int slave;
+    RETSIGTYPE (*ofun)();
+
+    if ( (slave = open(line, O_RDWR)) < 0)
+	return;
+    
+    ofun = signal(SIGHUP, SIG_IGN);
+    vhangup();
+    signal(SIGHUP, ofun);
+    /*
+     * Some systems (atleast SunOS4) want to have the slave end open
+     * at all times to prevent a race in the child. Login will close
+     * it so it should really not be a problem. However for the
+     * paranoid we use the close on exec flag so it will only be open
+     * in the parent. Additionally since this will be the controlling
+     * tty of rlogind the final vhangup() in rlogind should hangup all
+     * processes. A working revoke would of course have been prefered
+     * though (sigh).
+     */
+    fcntl(slave, F_SETFD, 1);
+    /* close(slave); */
+}
+#endif
+
+
+static int pty_major, pty_minor;
+
+static void
+pty_scan_start(void)
+{
+    pty_major = -1;
+    pty_minor = 0;
+}
+
+static char *bsd_1 = "0123456789abcdefghijklmnopqrstuv";
+/* there are many more */
+static char *bsd_2 = "pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
+
+static int
+pty_scan_next(char *buf, size_t sz)
+{
+#ifdef CRAY
+    if(++pty_major >= sysconf(_SC_CRAY_NPTY))
+	return -1;
+    snprintf(buf, sz, "/dev/pty/%03d", pty_major);
+#else
+    if(++pty_major == strlen(bsd_1)){
+	pty_major = 0;
+	if(++pty_minor == strlen(bsd_2))
+	    return -1;
+    }
+#ifdef __hpux
+    snprintf(buf, sz, "/dev/ptym/pty%c%c", bsd_2[pty_major], bsd_1[pty_minor]);
+#else
+    snprintf(buf, sz, "/dev/pty%c%c", bsd_2[pty_major], bsd_1[pty_minor]);
+#endif /* __hpux */
+#endif /* CRAY */
+    return 0;
+}
+
+static void
+pty_scan_tty(char *buf, size_t sz)
+{
+#ifdef CRAY
+    snprintf(buf, sz, "/dev/ttyp%03d", pty_major);
+#elif defined(__hpux)
+    snprintf(buf, sz, "/dev/pty/tty%c%c", bsd_2[pty_major], bsd_1[pty_minor]);
+#else
+    snprintf(buf, sz, "/dev/tty%c%c", bsd_2[pty_major], bsd_1[pty_minor]);
+#endif
+}
+
+static int
+ptym_open_streams_flavor(char *pts_name,
+			 size_t pts_name_sz,
+			 int *streams_pty)
+{
+    /* Try clone device master ptys */
+    const char *const clone[] = { "/dev/ptc", "/dev/ptmx",
+				  "/dev/ptm", "/dev/ptym/clone", 0 };
+    int	fdm;
+    const char *const *q;
+    
+    for (q = clone; *q; q++) {
+	fdm = open(*q, O_RDWR);
+	if (fdm >= 0)
+	    break;
+    }
+    if (fdm >= 0) {
+	char *ptr1;
+	if ((ptr1 = ptsname(fdm)) != NULL) /* Get slave's name */
+	    /* Return name of slave */  
+	    strlcpy(pts_name, ptr1, pts_name_sz);
+	else {
+	    close(fdm);
+	    return(-4);
+	}
+	if (grantpt(fdm) < 0) {	/* Grant access to slave */
+	    close(fdm);
+	    return(-2);
+	}
+	if (unlockpt(fdm) < 0) {	/* Clear slave's lock flag */
+	    close(fdm);
+	    return(-3);
+	}
+	return(fdm);			/* return fd of master */
+    }
+    return -1;
+}
+
+static int
+ptym_open_bsd_flavor(char *pts_name, size_t pts_name_sz, int *streams_pty)
+{
+    int fdm;
+    char ptm[MaxPathLen];
+
+    pty_scan_start();
+
+    while (pty_scan_next(ptm, sizeof(ptm)) != -1) {
+	fdm = open(ptm, O_RDWR);
+	if (fdm < 0)
+	    continue;
+#if SunOS == 40
+	/* Avoid a bug in SunOS4 ttydriver */
+	if (fdm > 0) {
+	    int pgrp;
+	    if ((ioctl(fdm, TIOCGPGRP, &pgrp) == -1)
+		&& (errno == EIO))
+		/* All fine */;
+	    else {
+		close(fdm);
+		continue;
+	    }
+	}
+#endif
+	pty_scan_tty(pts_name, sizeof(ptm));
+#if CRAY
+	/* this is some magic from the telnet code */
+	{
+	    struct stat sb;
+	    if(stat(pts_name, &sb) < 0) {
+		close(fdm);
+		continue;
+	    }
+	    if(sb.st_uid || sb.st_gid || sb.st_mode != 0600) {
+		chown(pts_name, 0, 0);
+		chmod(pts_name, 0600);
+		close(fdm);
+		fdm = open(ptm, 2);
+		if (fdm < 0)
+		    continue;
+	    }
+	}
+	/*
+	 * Now it should be safe...check for accessability.
+	 */
+	if (access(pts_name, 6) != 0){
+	    /* no tty side to pty so skip it */
+	    close(fdm);
+	    continue;
+	}
+#endif
+	return fdm;	/* All done! */
+    }
+    
+    /* We failed to find BSD style pty */
+    errno = ENOENT;
+    return -1;
+}
+
+/*
+ *
+ * Open a master pty either using the STREAM flavor or the BSD flavor.
+ * Depending on if there are any free ptys in the different classes we
+ * need to try both. Normally try STREAMS first and then BSD.
+ *
+ * Kludge alert: Under HP-UX 10 and perhaps other systems STREAM ptys
+ * doesn't get initialized properly so we try them in different order
+ * until the problem has been resolved.
+ *
+ */
+static int
+ptym_open(char *pts_name, size_t pts_name_sz, int *streams_pty)
+{
+    int	fdm;
+
+#ifdef HAVE__GETPTY
+    {
+	char *p = _getpty(&fdm, O_RDWR, 0600, 1);
+	if (p) {
+	    *streams_pty = 1;
+	    strlcpy (pts_name, p, pts_name_sz);
+	    return fdm;
+	}
+    }
+#endif
+
+#ifdef STREAMSPTY
+    fdm = ptym_open_streams_flavor(pts_name, pts_name_sz, streams_pty);
+    if (fdm >= 0)
+      {
+	*streams_pty = 1;
+	return fdm;
+      }
+#endif
+    
+    fdm = ptym_open_bsd_flavor(pts_name, pts_name_sz, streams_pty);
+    if (fdm >= 0)
+      {
+	*streams_pty = 0;
+	return fdm;
+      }
+
+#ifndef STREAMSPTY
+    fdm = ptym_open_streams_flavor(pts_name, pts_name_sz, streams_pty);
+    if (fdm >= 0)
+      {
+	*streams_pty = 1;
+	return fdm;
+      }
+#endif
+    
+    return -1;
+}
+
+static int
+maybe_push_modules(int fd, char **modules)
+{
+#ifdef I_PUSH
+  char **p;
+  int err;
+
+  for(p=modules; *p; p++){
+    err=ioctl(fd, I_FIND, *p);
+    if(err == 1)
+      break;
+    if(err < 0 && errno != EINVAL)
+      return -17;
+    /* module not pushed or does not exist */
+  }
+  /* p points to null or to an already pushed module, now push all
+     modules before this one */
+
+  for(p--; p >= modules; p--){
+    err = ioctl(fd, I_PUSH, *p);
+    if(err < 0 && errno != EINVAL)
+      return -17;
+  }
+#endif
+  return 0;
+}
+
+static int
+ptys_open(int fdm, char *pts_name, int streams_pty)
+{
+    int fds;
+
+    if (streams_pty) {
+	/* Streams style slave ptys */
+	if ( (fds = open(pts_name, O_RDWR)) < 0) {
+	    close(fdm);
+	    return(-5);
+	}
+
+	{
+	  char *ttymodules[] = { "ttcompat", "ldterm", "ptem", NULL };
+	  char *ptymodules[] = { "pckt", NULL };
+	  
+	  if(maybe_push_modules(fds, ttymodules)<0){
+	    close(fdm);
+	    close(fds);
+	    return -6;
+	  }
+	  if(maybe_push_modules(fdm, ptymodules)<0){
+	    close(fdm);
+	    close(fds);
+	    return -7;
+	  }
+	}
+    } else {
+        /* BSD style slave ptys */
+	struct group *grptr;
+	int gid;
+	if ( (grptr = getgrnam("tty")) != NULL)
+	    gid = grptr->gr_gid;
+	else
+	    gid = -1;	/* group tty is not in the group file */
+
+	/* Grant access to slave */
+	if (chown(pts_name, getuid(), gid) < 0)
+	  fatal(0, "chown slave tty failed", 1);
+	if (chmod(pts_name, S_IRUSR | S_IWUSR | S_IWGRP) < 0)
+	  fatal(0, "chmod slave tty failed", 1);
+
+	if ( (fds = open(pts_name, O_RDWR)) < 0) {
+	    close(fdm);
+	    return(-1);
+	}
+    }
+    return(fds);
+}
+
+int
+forkpty_truncate(int *ptrfdm,
+		 char *slave_name,
+		 size_t slave_name_sz,
+		 struct termios *slave_termios,
+		 struct winsize *slave_winsize)
+{
+    int		fdm, fds, streams_pty;
+    pid_t	pid;
+    char	pts_name[20];
+
+    if (!forkpty_ok)
+        fatal(0, "Protocol not yet supported, use telnet", 0);
+
+    if ( (fdm = ptym_open(pts_name, sizeof(pts_name), &streams_pty)) < 0)
+	return -1;
+
+    if (slave_name != NULL)
+	/* Return name of slave */
+	strlcpy(slave_name, pts_name, slave_name_sz);
+
+    pid = fork();
+    if (pid < 0)
+	return(-1);
+    else if (pid == 0) {		/* Child */
+	if (setsid() < 0)
+	    fatal(0, "setsid() failure", errno);
+
+        revoke(slave_name);
+
+#if defined(NeXT) || defined(ultrix)
+	/* The NeXT is severely broken, this makes things slightly
+	 * better but we still doesn't get a working pty. If there
+	 * where a TIOCSCTTY we could perhaps fix things but... The
+	 * same problem also exists in xterm! */
+	if (setpgrp(0, 0) < 0)
+	    fatal(0, "NeXT kludge failed setpgrp", errno);
+#endif
+
+	/* SVR4 acquires controlling terminal on open() */
+	if ( (fds = ptys_open(fdm, pts_name, streams_pty)) < 0)
+	    return -1;
+	close(fdm);		/* All done with master in child */
+	
+#if	defined(TIOCSCTTY) && !defined(CIBAUD) && !defined(__hpux)
+	/* 44BSD way to acquire controlling terminal */
+	/* !CIBAUD to avoid doing this under SunOS */
+	if (ioctl(fds, TIOCSCTTY, (char *) 0) < 0)
+	    return -1;
+#endif
+#if defined(NeXT)
+	{
+	    int t = open("/dev/tty", O_RDWR);
+	    if (t < 0)
+	        fatal(0, "Failed to open /dev/tty", errno);
+	    close(fds);
+	    fds = t;
+	}
+#endif
+	/* Set slave's termios and window size */
+	if (slave_termios != NULL) {
+	    if (tcsetattr(fds, TCSANOW, slave_termios) < 0)
+		return -1;
+	}
+#ifdef TIOCSWINSZ
+	if (slave_winsize != NULL) {
+	    if (ioctl(fds, TIOCSWINSZ, slave_winsize) < 0)
+		return -1;
+	}
+#endif
+	/* slave becomes stdin/stdout/stderr of child */
+	if (dup2(fds, STDIN_FILENO) != STDIN_FILENO)
+	    return -1;
+	if (dup2(fds, STDOUT_FILENO) != STDOUT_FILENO)
+	    return -1;
+	if (dup2(fds, STDERR_FILENO) != STDERR_FILENO)
+	    return -1;
+	if (fds > STDERR_FILENO)
+	    close(fds);
+	return(0);		/* child returns 0 just like fork() */
+    }
+    else {			/* Parent */
+	*ptrfdm = fdm;	/* Return fd of master */
+	return(pid);	/* Parent returns pid of child */
+    }
+}
+
+int
+forkpty(int *ptrfdm,
+	char *slave_name,
+	struct termios *slave_termios,
+	struct winsize *slave_winsize)
+{
+    return forkpty_truncate (ptrfdm,
+			     slave_name,
+			     MaxPathLen,
+			     slave_termios,
+			     slave_winsize);
+}
+
+#endif /* HAVE_FORKPTY */
diff --git a/crypto/kerberosIV/appl/bsd/kcmd.c b/crypto/kerberosIV/appl/bsd/kcmd.c
new file mode 100644
index 0000000..93b2b70
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/kcmd.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (c) 1983, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: kcmd.c,v 1.20.4.1 2000/10/10 12:55:55 assar Exp $");
+
+#define	START_PORT	5120	 /* arbitrary */
+
+static int
+getport(int *alport)
+{
+	struct sockaddr_in sin;
+	int s;
+
+	sin.sin_family = AF_INET;
+	sin.sin_addr.s_addr = INADDR_ANY;
+	s = socket(AF_INET, SOCK_STREAM, 0);
+	if (s < 0)
+		return (-1);
+	for (;;) {
+		sin.sin_port = htons((u_short)*alport);
+		if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
+			return (s);
+		if (errno != EADDRINUSE) {
+			close(s);
+			return (-1);
+		}
+		(*alport)--;
+#ifdef ATHENA_COMPAT
+		if (*alport == IPPORT_RESERVED/2) {
+#else
+		if (*alport == IPPORT_RESERVED) {
+#endif
+			close(s);
+			errno = EAGAIN;		/* close */
+			return (-1);
+		}
+	}
+}
+
+int
+kcmd(int *sock,
+     char **ahost,
+     u_int16_t rport, 
+     char *locuser,
+     char *remuser,
+     char *cmd,
+     int *fd2p,
+     KTEXT ticket,
+     char *service,
+     char *realm,
+     CREDENTIALS *cred,
+     Key_schedule schedule,
+     MSG_DAT *msg_data,
+     struct sockaddr_in *laddr,
+     struct sockaddr_in *faddr,
+     int32_t authopts)
+{
+	int s, timo = 1;
+	pid_t pid;
+	struct sockaddr_in sin, from;
+	char c;
+#ifdef ATHENA_COMPAT
+	int lport = IPPORT_RESERVED - 1;
+#else
+	int lport = START_PORT;
+#endif
+	struct hostent *hp;
+	int rc;
+	char *host_save;
+	int status;
+	char **h_addr_list;
+
+	pid = getpid();
+	hp = gethostbyname(*ahost);
+	if (hp == NULL) {
+		/* fprintf(stderr, "%s: unknown host\n", *ahost); */
+		return (-1);
+	}
+
+	host_save = strdup(hp->h_name);
+	if (host_save == NULL)
+		return -1;
+	*ahost = host_save;
+	h_addr_list = hp->h_addr_list;
+
+	/* If realm is null, look up from table */
+	if (realm == NULL || realm[0] == '\0')
+		realm = krb_realmofhost(host_save);
+
+	for (;;) {
+		s = getport(&lport);
+		if (s < 0) {
+			if (errno == EAGAIN)
+				warnx("kcmd(socket): All ports in use\n");
+			else
+				warn("kcmd: socket");
+			return (-1);
+		}
+		sin.sin_family = hp->h_addrtype;
+		memcpy (&sin.sin_addr, h_addr_list[0], sizeof(sin.sin_addr));
+		sin.sin_port = rport;
+		if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
+			break;
+		close(s);
+		if (errno == EADDRINUSE) {
+			lport--;
+			continue;
+		}
+		/*
+		 * don't wait very long for Kerberos rcmd.
+		 */
+		if (errno == ECONNREFUSED && timo <= 4) {
+			/* sleep(timo); don't wait at all here */
+			timo *= 2;
+			continue;
+		}
+		if (h_addr_list[1] != NULL) {
+			warn ("kcmd: connect (%s)",
+			      inet_ntoa(sin.sin_addr));
+			h_addr_list++;
+			memcpy(&sin.sin_addr,
+			       *h_addr_list, 
+			       sizeof(sin.sin_addr));
+			fprintf(stderr, "Trying %s...\n",
+				inet_ntoa(sin.sin_addr));
+			continue;
+		}
+		if (errno != ECONNREFUSED)
+			warn ("connect(%s)", hp->h_name);
+		return (-1);
+	}
+	lport--;
+	if (fd2p == 0) {
+		write(s, "", 1);
+		lport = 0;
+	} else {
+		char num[8];
+		int s2 = getport(&lport), s3;
+		int len = sizeof(from);
+
+		if (s2 < 0) {
+			status = -1;
+			goto bad;
+		}
+		listen(s2, 1);
+		snprintf(num, sizeof(num), "%d", lport);
+		if (write(s, num, strlen(num) + 1) != strlen(num) + 1) {
+			warn("kcmd(write): setting up stderr");
+			close(s2);
+			status = -1;
+			goto bad;
+		}
+		{
+		    fd_set fds;
+		    FD_ZERO(&fds);
+		    if (s >= FD_SETSIZE || s2 >= FD_SETSIZE) {
+			warnx("file descriptor too large");
+			close(s);
+			close(s2);
+			status = -1;
+			goto bad;
+		    }
+
+		    FD_SET(s, &fds);
+		    FD_SET(s2, &fds);
+		    status = select(FD_SETSIZE, &fds, NULL, NULL, NULL);
+		    if(FD_ISSET(s, &fds)){
+			warnx("kcmd: connection unexpectedly closed.");
+			close(s2);
+			status = -1;
+			goto bad;
+		    }
+		}
+		s3 = accept(s2, (struct sockaddr *)&from, &len);
+		close(s2);
+		if (s3 < 0) {
+			warn ("kcmd: accept");
+			lport = 0;
+			status = -1;
+			goto bad;
+		}
+		
+		*fd2p = s3;
+		from.sin_port = ntohs((u_short)from.sin_port);
+		if (from.sin_family != AF_INET ||
+		    from.sin_port >= IPPORT_RESERVED) {
+			warnx("kcmd(socket): "
+			      "protocol failure in circuit setup.");
+			status = -1;
+			goto bad2;
+		}
+	}
+	/*
+	 * Kerberos-authenticated service.  Don't have to send locuser,
+	 * since its already in the ticket, and we'll extract it on
+	 * the other side.
+	 */
+	/* write(s, locuser, strlen(locuser)+1); */
+
+	/* set up the needed stuff for mutual auth, but only if necessary */
+	if (authopts & KOPT_DO_MUTUAL) {
+		int sin_len;
+		*faddr = sin;
+
+		sin_len = sizeof(struct sockaddr_in);
+		if (getsockname(s, (struct sockaddr *)laddr, &sin_len) < 0) {
+			warn("kcmd(getsockname)");
+			status = -1;
+			goto bad2;
+		}
+	}
+	if ((status = krb_sendauth(authopts, s, ticket, service, *ahost,
+			       realm, (unsigned long) getpid(), msg_data,
+			       cred, schedule,
+			       laddr,
+			       faddr,
+			       "KCMDV0.1")) != KSUCCESS)
+		goto bad2;
+
+	write(s, remuser, strlen(remuser)+1);
+	write(s, cmd, strlen(cmd)+1);
+
+	if ((rc = read(s, &c, 1)) != 1) {
+		if (rc == -1)
+			warn("read(%s)", *ahost);
+		else
+			warnx("kcmd: bad connection with remote host");
+		status = -1;
+		goto bad2;
+	}
+	if (c != '\0') {
+		while (read(s, &c, 1) == 1) {
+			write(2, &c, 1);
+			if (c == '\n')
+				break;
+		}
+		status = -1;
+		goto bad2;
+	}
+	*sock = s;
+	return (KSUCCESS);
+bad2:
+	if (lport)
+		close(*fd2p);
+bad:
+	close(s);
+	return (status);
+}
diff --git a/crypto/kerberosIV/appl/bsd/klogin.c b/crypto/kerberosIV/appl/bsd/klogin.c
new file mode 100644
index 0000000..df21dbf
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/klogin.c
@@ -0,0 +1,229 @@
+/*-
+ * Copyright (c) 1990, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: klogin.c,v 1.27 1999/10/04 16:11:48 bg Exp $");
+
+#ifdef KERBEROS
+
+#define	VERIFY_SERVICE	"rcmd"
+
+extern int notickets;
+extern char *krbtkfile_env;
+
+static char tkt_location[MaxPathLen];
+
+static int
+multiple_get_tkt(char *name,
+		 char *instance,
+		 char *realm,
+		 char *service,
+		 char *sinstance,
+		 int life,
+		 char *password)
+{
+  int ret;
+  int n;
+  char rlm[256];
+
+  /* First try to verify against the supplied realm. */
+  ret = krb_get_pw_in_tkt(name, instance, realm, service, realm, life,
+			  password);
+  if(ret == KSUCCESS)
+    return KSUCCESS;
+
+  /* Verify all local realms, except the supplied realm. */
+  for (n = 1; krb_get_lrealm(rlm, n) == KSUCCESS; n++)
+    if (strcmp(rlm, realm) != 0) {
+      ret = krb_get_pw_in_tkt(name, instance, rlm,service, rlm,life, password);
+      if (ret == KSUCCESS)
+	return KSUCCESS;
+    }
+
+  return ret;
+}
+
+/*
+ * Attempt to log the user in using Kerberos authentication
+ *
+ * return 0 on success (will be logged in)
+ *	  1 if Kerberos failed (try local password in login)
+ */
+int
+klogin(struct passwd *pw, char *instance, char *localhost, char *password)
+{
+    int kerror;
+    AUTH_DAT authdata;
+    KTEXT_ST ticket;
+    struct hostent *hp;
+    u_int32_t faddr;
+    char realm[REALM_SZ], savehost[MaxHostNameLen];
+    extern int noticketsdontcomplain;
+
+#ifdef KLOGIN_PARANOID
+    noticketsdontcomplain = 0; /* enable warning message */
+#endif
+    /*
+     * Root logins don't use Kerberos.
+     * If we have a realm, try getting a ticket-granting ticket
+     * and using it to authenticate.  Otherwise, return
+     * failure so that we can try the normal passwd file
+     * for a password.  If that's ok, log the user in
+     * without issuing any tickets.
+     */
+    if (strcmp(pw->pw_name, "root") == 0 ||
+	krb_get_lrealm(realm, 1) != KSUCCESS)
+	return (1);
+
+    noticketsdontcomplain = 0; /* enable warning message */
+
+    /*
+     * get TGT for local realm
+     * tickets are stored in a file named TKT_ROOT plus uid
+     * except for user.root tickets.
+     */
+
+    if (strcmp(instance, "root") != 0)
+	snprintf(tkt_location, sizeof(tkt_location),
+		 "%s%u_%u",
+		TKT_ROOT, (unsigned)pw->pw_uid, (unsigned)getpid());
+    else {
+	snprintf(tkt_location, sizeof(tkt_location),
+		 "%s_root_%d", TKT_ROOT,
+		(unsigned)pw->pw_uid);
+    }
+    krbtkfile_env = tkt_location;
+    krb_set_tkt_string(tkt_location);
+
+    /*
+     * Set real as well as effective ID to 0 for the moment,
+     * to make the kerberos library do the right thing.
+     */
+    if (setuid(0) < 0) {
+        warnx("setuid");
+	return (1);
+    }
+
+    /*
+     * Get ticket
+     */
+    kerror = multiple_get_tkt(pw->pw_name,
+			      instance,
+			      realm,
+			      KRB_TICKET_GRANTING_TICKET,
+			      realm,
+			      DEFAULT_TKT_LIFE,
+			      password);
+
+    /*
+     * If we got a TGT, get a local "rcmd" ticket and check it so as to
+     * ensure that we are not talking to a bogus Kerberos server.
+     *
+     * There are 2 cases where we still allow a login:
+     *	1: the VERIFY_SERVICE doesn't exist in the KDC
+     *	2: local host has no srvtab, as (hopefully) indicated by a
+     *	   return value of RD_AP_UNDEC from krb_rd_req().
+     */
+    if (kerror != INTK_OK) {
+	if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN) {
+	    syslog(LOG_ERR, "Kerberos intkt error: %s",
+		   krb_get_err_text(kerror));
+	    dest_tkt();
+	}
+	return (1);
+    }
+
+    if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0)
+	syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE);
+
+    strlcpy(savehost, krb_get_phost(localhost), sizeof(savehost));
+
+#ifdef KLOGIN_PARANOID
+    /*
+     * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
+     * don't allow kerberos login, also log the error condition.
+     */
+
+    kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm, 33);
+    if (kerror == KDC_PR_UNKNOWN) {
+	syslog(LOG_NOTICE,
+	       "warning: TGT not verified (%s); %s.%s not registered, or srvtab is wrong?",
+	       krb_get_err_text(kerror), VERIFY_SERVICE, savehost);
+	notickets = 0;
+	return (1);
+    }
+
+    if (kerror != KSUCCESS) {
+	warnx("unable to use TGT: (%s)", krb_get_err_text(kerror));
+	syslog(LOG_NOTICE, "unable to use TGT: (%s)",
+	       krb_get_err_text(kerror));
+	dest_tkt();
+	return (1);
+    }
+
+    if (!(hp = gethostbyname(localhost))) {
+	syslog(LOG_ERR, "couldn't get local host address");
+	dest_tkt();
+	return (1);
+    }
+
+    memcpy(&faddr, hp->h_addr, sizeof(faddr));
+
+    kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr,
+			&authdata, "");
+
+    if (kerror == KSUCCESS) {
+	notickets = 0;
+	return (0);
+    }
+
+    /* undecipherable: probably didn't have a srvtab on the local host */
+    if (kerror == RD_AP_UNDEC) {
+	syslog(LOG_NOTICE, "krb_rd_req: (%s)\n", krb_get_err_text(kerror));
+	dest_tkt();
+	return (1);
+    }
+    /* failed for some other reason */
+    warnx("unable to verify %s ticket: (%s)", VERIFY_SERVICE,
+	  krb_get_err_text(kerror));
+    syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE,
+	   krb_get_err_text(kerror));
+    dest_tkt();
+    return (1);
+#else
+    notickets = 0;
+    return (0);
+#endif
+}
+#endif
diff --git a/crypto/kerberosIV/appl/bsd/krcmd.c b/crypto/kerberosIV/appl/bsd/krcmd.c
new file mode 100644
index 0000000..8c3c6f3
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/krcmd.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: krcmd.c,v 1.10 1997/03/30 18:20:18 joda Exp $");
+
+#define	SERVICE_NAME	"rcmd"
+
+/*
+ * krcmd: simplified version of Athena's "kcmd"
+ *	returns a socket attached to the destination, -1 or krb error on error 
+ *	if fd2p is non-NULL, another socket is filled in for it
+ */
+
+int
+krcmd(char **ahost, u_short rport, char *remuser, char *cmd, int *fd2p, char *realm)
+{
+	int		sock = -1, err = 0;
+	KTEXT_ST	ticket;
+	long		authopts = 0L;
+
+	err = kcmd(
+		&sock,
+		ahost,
+		rport,
+		NULL,	/* locuser not used */
+		remuser,
+		cmd,
+		fd2p,
+		&ticket,
+		SERVICE_NAME,
+		realm,
+		(CREDENTIALS *)  NULL,		/* credentials not used */
+		0,				/* key schedule not used */
+		(MSG_DAT *) NULL,		/* MSG_DAT not used */
+		(struct sockaddr_in *) NULL,	/* local addr not used */
+		(struct sockaddr_in *) NULL,	/* foreign addr not used */
+		authopts
+	);
+
+	if (err > KSUCCESS && err < MAX_KRB_ERRORS) {
+	    warning("krcmd: %s", krb_get_err_text(err));
+	    return(-1);
+	}
+	if (err < 0)
+	    return(-1);
+	return(sock);
+}
+
+int
+krcmd_mutual(char **ahost, u_short rport, char *remuser, char *cmd, int *fd2p, char *realm, CREDENTIALS *cred, Key_schedule sched)
+{
+	int		sock, err;
+	KTEXT_ST	ticket;
+	MSG_DAT		msg_dat;
+	struct sockaddr_in	laddr, faddr;
+	long authopts = KOPT_DO_MUTUAL;
+
+	err = kcmd(
+		&sock,
+		ahost,
+		rport,
+		NULL,	/* locuser not used */
+		remuser,
+		cmd,
+		fd2p,
+		&ticket,
+		SERVICE_NAME,
+		realm,
+		cred,		/* filled in */
+		sched,		/* filled in */
+		&msg_dat,	/* filled in */
+		&laddr,		/* filled in */
+		&faddr,		/* filled in */
+		authopts
+	);
+
+	if (err > KSUCCESS && err < MAX_KRB_ERRORS) {
+	    warnx("krcmd_mutual: %s", krb_get_err_text(err));
+	    return(-1);
+	}
+	
+	if (err < 0)
+	    return (-1);
+	return(sock);
+}
diff --git a/crypto/kerberosIV/appl/bsd/login.c b/crypto/kerberosIV/appl/bsd/login.c
new file mode 100644
index 0000000..f2f0873
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/login.c
@@ -0,0 +1,1118 @@
+/*-
+ * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * login [ name ]
+ * login -h hostname	(for telnetd, etc.)
+ * login -f name	(for pre-authenticated login: datakit, xterm, etc.)
+ */
+
+#include "bsd_locl.h"
+#ifdef HAVE_CAPABILITY_H
+#include <capability.h>
+#endif
+#ifdef HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+#endif
+
+RCSID("$Id: login.c,v 1.125.2.2 2000/06/23 02:33:07 assar Exp $");
+
+#ifdef OTP
+#include <otp.h>
+#endif
+
+#include "sysv_default.h"
+#ifdef SYSV_SHADOW
+#include "sysv_shadow.h"
+#endif
+
+static	void	 badlogin (char *);
+static	void	 checknologin (void);
+static	void	 dolastlog (int);
+static	void	 getloginname (int);
+static	int	 rootterm (char *);
+static	char	*stypeof (char *);
+static	RETSIGTYPE	 timedout (int);
+static	int	 doremotelogin (char *);
+void	login_fbtab (char *, uid_t, gid_t);
+#ifdef KERBEROS
+int	klogin (struct passwd *, char *, char *, char *);
+#endif
+
+#define	TTYGRPNAME	"tty"		/* name of group to own ttys */
+
+/*
+ * This bounds the time given to login.  Change it in
+ * `/etc/default/login'.
+ */
+
+static	u_int	login_timeout;
+
+#ifdef KERBEROS
+int	notickets = 1;
+int	noticketsdontcomplain = 1;
+char	*instance;
+char	*krbtkfile_env;
+int	authok;
+#endif
+
+#ifdef HAVE_SHADOW_H
+static  struct spwd *spwd = NULL;
+#endif
+
+static	char    *ttyprompt;
+
+static	struct	passwd *pwd;
+static	int	failures;
+static	char	term[64], *hostname, *username, *tty;
+
+static  char rusername[100], lusername[100];
+
+static int
+change_passwd(struct passwd  *who)
+{
+    int status;
+    pid_t pid;
+ 
+    switch (pid = fork()) {
+    case -1:
+	warn("fork /bin/passwd");
+	sleepexit(1);
+    case 0:
+	execlp("/bin/passwd", "passwd", who->pw_name, (char *) 0);
+	_exit(1);
+    default:
+	waitpid(pid, &status, 0);
+	return (status);
+    }
+}
+
+#ifndef NO_MOTD /* message of the day stuff */
+
+jmp_buf motdinterrupt;
+
+static RETSIGTYPE
+sigint(int signo)
+{
+	longjmp(motdinterrupt, 1);
+}
+
+static void
+motd(void)
+{
+	int fd, nchars;
+	RETSIGTYPE (*oldint)();
+	char tbuf[8192];
+
+	if ((fd = open(_PATH_MOTDFILE, O_RDONLY, 0)) < 0)
+		return;
+	oldint = signal(SIGINT, sigint);
+	if (setjmp(motdinterrupt) == 0)
+		while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
+			write(fileno(stdout), tbuf, nchars);
+	signal(SIGINT, oldint);
+	close(fd);
+}
+
+#endif /* !NO_MOTD */
+
+#define AUTH_NONE 0
+#define AUTH_OTP  1
+
+/*
+ * getpwnam and try to detect the worst form of NIS attack.
+ */
+
+static struct passwd *
+paranoid_getpwnam (char *user)
+{
+	struct passwd *p;
+
+	p = k_getpwnam (user);
+	if (p == NULL)
+		return p;
+	if (p->pw_uid == 0 && strcmp (username, "root") != 0) {
+		syslog (LOG_ALERT,
+			"NIS attack, user %s has uid 0", username);
+		return NULL;
+	}
+	return p;
+}
+
+int
+main(int argc, char **argv)
+{
+	struct group *gr;
+	int ask, ch, cnt, fflag, hflag, pflag, quietlog, nomailcheck;
+	int rootlogin, rval;
+	int rflag;
+	int changepass = 0;
+	uid_t uid;
+	char *domain, *p, passwd[128], *ttyn;
+	char tbuf[MaxPathLen + 2], tname[sizeof(_PATH_TTY) + 10];
+	char localhost[MaxHostNameLen];
+	char full_hostname[MaxHostNameLen];
+	int auth_level = AUTH_NONE;
+#ifdef OTP
+	OtpContext otp_ctx;
+#endif
+	int mask = 022;		/* Default umask (set below) */
+	int maxtrys = 5;	/* Default number of allowed failed logins */
+
+	set_progname(argv[0]);
+
+	openlog("login", LOG_ODELAY, LOG_AUTH);
+
+        /* Read defaults file and set the login timeout period. */
+        sysv_defaults();
+        login_timeout = atoi(default_timeout);
+        maxtrys = atoi(default_maxtrys);
+        if (sscanf(default_umask, "%o", &mask) != 1 || (mask & ~0777))
+                syslog(LOG_WARNING, "bad umask default: %s", default_umask);
+        else
+                umask(mask);
+
+	signal(SIGALRM, timedout);
+	alarm(login_timeout);
+	signal(SIGQUIT, SIG_IGN);
+	signal(SIGINT, SIG_IGN);
+	setpriority(PRIO_PROCESS, 0, 0);
+
+	/*
+	 * -p is used by getty to tell login not to destroy the environment
+	 * -f is used to skip a second login authentication
+	 * -h is used by other servers to pass the name of the remote
+	 *    host to login so that it may be placed in utmp and wtmp
+	 * -r is used by old-style rlogind to execute the autologin protocol
+	 */
+
+	*full_hostname = '\0';
+	domain = NULL;
+	if (gethostname(localhost, sizeof(localhost)) < 0)
+		syslog(LOG_ERR, "couldn't get local hostname: %m");
+	else
+		domain = strchr(localhost, '.');
+
+	fflag = hflag = pflag = rflag = 0;
+	uid = getuid();
+	while ((ch = getopt(argc, argv, "a:d:fh:pr:")) != -1)
+	        switch (ch) {
+		case 'a':
+			if (strcmp (optarg, "none") == 0)
+				auth_level = AUTH_NONE;
+#ifdef OTP
+			else if (strcmp (optarg, "otp") == 0)
+				auth_level = AUTH_OTP;
+#endif
+			else
+				warnx ("bad value for -a: %s", optarg);
+			break;
+		case 'd':
+			break;
+		case 'f':
+			fflag = 1;
+			break;
+		case 'h':
+			if (rflag || hflag) {
+			    printf("Only one of -r and -h allowed\n");
+			    exit(1);
+                        }
+			if (uid)
+				errx(1, "-h option: %s", strerror(EPERM));
+			hflag = 1;
+			strlcpy(full_hostname,
+					optarg,
+					sizeof(full_hostname));
+			if (domain && (p = strchr(optarg, '.')) &&
+			    strcasecmp(p, domain) == 0)
+				*p = 0;
+			hostname = optarg;
+			break;
+		case 'p':
+			if (getuid()) {
+				warnx("-p for super-user only.");
+				exit(1);
+                        }
+			pflag = 1;
+			break;
+	        case 'r':
+			if (rflag || hflag) {
+				warnx("Only one of -r and -h allowed\n");
+				exit(1);
+                        }
+			if (getuid()) {
+				warnx("-r for super-user only.");
+				exit(1);
+                        }
+			rflag = 1;
+			strlcpy(full_hostname,
+					optarg,
+					sizeof(full_hostname));
+			if (domain && (p = strchr(optarg, '.')) &&
+			    strcasecmp(p, domain) == 0)
+				*p = 0;
+			hostname = optarg;
+			fflag = (doremotelogin(full_hostname) == 0);
+			break;
+		case '?':
+		default:
+			if (!uid)
+				syslog(LOG_ERR, "invalid flag %c", ch);
+			fprintf(stderr,
+				"usage: login [-fp]"
+#ifdef OTP
+				" [-a otp]"
+#endif
+				" [-h hostname | -r hostname] [username]\n");
+			exit(1);
+		}
+	argc -= optind;
+	argv += optind;
+
+	if (geteuid() != 0) {
+		warnx("only root may use login, use su");
+	        /* Or install login setuid root, which is not necessary */
+		sleep(10);
+		exit(1);
+	}
+        /*
+         * Figure out if we should ask for the username or not. The name
+         * may be given on the command line or via the environment, and
+         * it may even be in the terminal input queue.
+         */
+        if (rflag) {
+                username = lusername;
+                ask = 0;
+	      } else
+        if (*argv && strchr(*argv, '=')) {
+                ask = 1;
+	      } else
+        if (*argv && strcmp(*argv, "-") == 0) {
+                argc--;
+                argv++;
+                ask = 1;
+	      } else
+	if (*argv) {
+		username = *argv;
+		ask = 0;
+                argc--;
+                argv++;
+        } else if ((ttyprompt = getenv("TTYPROMPT")) && *ttyprompt) {
+                getloginname(0);
+                ask = 0;
+	} else
+		ask = 1;
+
+	/* Default tty settings. */
+	stty_default();
+
+	for (cnt = getdtablesize(); cnt > 2; cnt--)
+		close(cnt);
+
+        /*
+         * Determine the tty name. BSD takes the basename, SYSV4 takes
+         * whatever remains after stripping the "/dev/" prefix. The code
+         * below should produce sensible results in either environment.
+         */
+        ttyn = ttyname(STDIN_FILENO);
+        if (ttyn == NULL || *ttyn == '\0') {
+	        snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
+	        ttyn = tname;
+	}
+        if ((tty = strchr(ttyn + 1, '/')))
+	        ++tty;
+        else
+	        tty = ttyn;
+
+	for (cnt = 0;; ask = 1) {
+	        char prompt[128], ss[256];
+		if (ask) {
+			fflag = 0;
+			getloginname(1);
+		}
+		rootlogin = 0;
+		rval = 1;
+#ifdef	KERBEROS
+		if ((instance = strchr(username, '.')) != NULL) {
+		    if (strcmp(instance, ".root") == 0)
+			rootlogin = 1;
+		    *instance++ = '\0';
+		} else
+		    instance = "";
+#endif
+		if (strlen(username) > UT_NAMESIZE)
+			username[UT_NAMESIZE] = '\0';
+
+		/*
+		 * Note if trying multiple user names; log failures for
+		 * previous user name, but don't bother logging one failure
+		 * for nonexistent name (mistyped username).
+		 */
+		if (failures && strcmp(tbuf, username)) {
+			if (failures > (pwd ? 0 : 1))
+				badlogin(tbuf);
+			failures = 0;
+		}
+		strlcpy(tbuf, username, sizeof(tbuf));
+
+		pwd = paranoid_getpwnam (username);
+
+		/*
+		 * if we have a valid account name, and it doesn't have a
+		 * password, or the -f option was specified and the caller
+		 * is root or the caller isn't changing their uid, don't
+		 * authenticate.
+		 */
+		if (pwd) {
+			if (pwd->pw_uid == 0)
+				rootlogin = 1;
+
+			if (fflag && (uid == 0 || uid == pwd->pw_uid)) {
+				/* already authenticated */
+				break;
+			} else if (pwd->pw_passwd[0] == '\0') {
+				/* pretend password okay */
+				rval = 0;
+				goto ttycheck;
+			}
+		}
+
+		fflag = 0;
+
+		setpriority(PRIO_PROCESS, 0, -4);
+
+#ifdef OTP
+		if (otp_challenge (&otp_ctx, username,
+				   ss, sizeof(ss)) == 0)
+			snprintf (prompt, sizeof(prompt), "%s's %s Password: ",
+				  username, ss);
+		else
+#endif
+		{
+			if (auth_level == AUTH_NONE)
+				snprintf(prompt, sizeof(prompt), "%s's Password: ",
+					 username);
+			else {
+				char *s;
+
+				rval = 1;
+#ifdef OTP
+				s = otp_error(&otp_ctx);
+				if(s)
+					printf ("OTP: %s\n", s);
+#endif
+				continue;
+			}
+		}
+
+		if (des_read_pw_string (passwd, sizeof(passwd) - 1, prompt, 0))
+			continue;
+		passwd[sizeof(passwd) - 1] = '\0';
+
+		/* Verify it somehow */
+
+#ifdef OTP
+		if (otp_verify_user (&otp_ctx, passwd) == 0)
+			rval = 0;
+		else
+#endif
+		if (pwd == NULL)
+			;
+		else if (auth_level == AUTH_NONE) {
+			uid_t pwd_uid = pwd->pw_uid;
+
+			rval = unix_verify_user (username, passwd);
+
+			if (rval == 0)
+			  {
+			    if (rootlogin && pwd_uid != 0)
+			      rootlogin = 0;
+			  }
+			else
+			  {
+			    rval = klogin(pwd, instance, localhost, passwd);
+			    if (rval != 0 && rootlogin && pwd_uid != 0)
+			      rootlogin = 0;
+			    if (rval == 0)
+			      authok = 1;
+			  }
+		} else {
+			char *s;
+
+			rval = 1;
+#ifdef OTP
+			if ((s = otp_error(&otp_ctx)))
+				printf ("OTP: %s\n", s);
+#endif
+		}
+
+		memset (passwd, 0, sizeof(passwd));
+		setpriority (PRIO_PROCESS, 0, 0);
+
+		/*
+		 * Santa Claus, give me a portable and reentrant getpwnam.
+		 */
+		pwd = paranoid_getpwnam (username);
+
+	ttycheck:
+		/*
+		 * If trying to log in as root without Kerberos,
+		 * but with insecure terminal, refuse the login attempt.
+		 */
+#ifdef KERBEROS
+		if (authok == 0)
+#endif
+		if (pwd && !rval && rootlogin && !rootterm(tty)
+		    && !rootterm(ttyn)) {
+			warnx("%s login refused on this terminal.",
+			      pwd->pw_name);
+			if (hostname)
+				syslog(LOG_NOTICE,
+				       "LOGIN %s REFUSED FROM %s ON TTY %s",
+				       pwd->pw_name, hostname, tty);
+			else
+				syslog(LOG_NOTICE,
+				       "LOGIN %s REFUSED ON TTY %s",
+				       pwd->pw_name, tty);
+			continue;
+		}
+
+		if (rval == 0)
+			break;
+
+		printf("Login incorrect\n");
+		failures++;
+
+                /* max number of attemps and delays taken from defaults file */
+		/* we allow maxtrys tries, but after 2 we start backing off */
+		if (++cnt > 2) {
+			if (cnt >= maxtrys) {
+				badlogin(username);
+				sleepexit(1);
+			}
+			sleep((u_int)((cnt - 2) * atoi(default_sleep)));
+		}
+	}
+
+	/* committed to login -- turn off timeout */
+	alarm(0);
+
+	endpwent();
+
+#if defined(HAVE_GETUDBNAM) && defined(HAVE_SETLIM)
+	{
+	    struct udb *udb;
+	    long t;
+	    const long maxcpu = 46116860184; /* some random constant */
+	    
+	    if(setjob(pwd->pw_uid, 0) < 0) 
+		warn("setjob");
+
+	    udb = getudbnam(pwd->pw_name);
+	    if(udb == UDB_NULL)
+		errx(1, "Failed to get UDB entry.");
+
+	    /* per process cpu limit */
+	    t = udb->ue_pcpulim[UDBRC_INTER];
+	    if(t == 0 || t > maxcpu)
+		t = CPUUNLIM;
+	    else
+		t *= CLK_TCK;
+
+	    if(limit(C_PROC, 0, L_CPU, t) < 0)
+		warn("limit process cpu");
+
+	    /* per process memory limit */
+	    if(limit(C_PROC, 0, L_MEM, udb->ue_pmemlim[UDBRC_INTER]) < 0)
+		warn("limit process memory");
+
+	    /* per job cpu limit */
+	    t = udb->ue_jcpulim[UDBRC_INTER];
+	    if(t == 0 || t > maxcpu)
+		t = CPUUNLIM;
+	    else
+		t *= CLK_TCK;
+
+	    if(limit(C_JOB, 0, L_CPU, t) < 0)
+		warn("limit job cpu");
+	    
+	    /* per job processor limit */
+	    if(limit(C_JOB, 0, L_CPROC, udb->ue_jproclim[UDBRC_INTER]) < 0)
+		warn("limit job processors");
+
+	    /* per job memory limit */
+	    if(limit(C_JOB, 0, L_MEM, udb->ue_jmemlim[UDBRC_INTER]) < 0)
+		warn("limit job memory");
+
+	    nice(udb->ue_nice[UDBRC_INTER]);
+	}
+#endif
+	/* if user not super-user, check for disabled logins */
+	if (!rootlogin)
+		checknologin();
+
+	if (chdir(pwd->pw_dir) < 0) {
+		printf("No home directory %s!\n", pwd->pw_dir);
+		if (chdir("/"))
+			exit(0);
+		pwd->pw_dir = "/";
+		printf("Logging in with home = \"/\".\n");
+	}
+
+	quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0;
+	nomailcheck = access(_PATH_NOMAILCHECK, F_OK) == 0;
+
+#if defined(HAVE_PASSWD_CHANGE) && defined(HAVE_PASSWD_EXPIRE)
+	if (pwd->pw_change || pwd->pw_expire)
+		gettimeofday(&tp, (struct timezone *)NULL);
+
+	if (pwd->pw_change) {
+		time_t t;
+
+		if (tp.tv_sec >= pwd->pw_change) {
+			printf("Sorry -- your password has expired.\n");
+			changepass=1;
+		} else if (pwd->pw_change - tp.tv_sec <
+			   2 * DAYSPERWEEK * SECSPERDAY && !quietlog) {
+			t = pwd->pw_change;
+			printf("Warning: your password expires on %s",
+			       ctime(&t));
+		}
+	if (pwd->pw_expire)
+		if (tp.tv_sec >= pwd->pw_expire) {
+			printf("Sorry -- your account has expired.\n");
+			sleepexit(1);
+		} else if (pwd->pw_expire - tp.tv_sec <
+			   2 * DAYSPERWEEK * SECSPERDAY && !quietlog) {
+			t = pwd->pw_expire;
+			printf("Warning: your account expires on %s",
+			       ctime(&t));
+		}
+#endif /* defined(HAVE_PASSWD_CHANGE) && defined(HAVE_PASSWD_EXPIRE) */
+
+	/* Nothing else left to fail -- really log in. */
+
+        /*
+         * Update the utmp files, both BSD and SYSV style.
+         */
+        if (utmpx_login(tty, username, hostname ? hostname : "") != 0
+	    && !fflag) {
+                printf("No utmpx entry.  You must exec \"login\" from the lowest level \"sh\".\n");
+                sleepexit(0);
+        }
+	utmp_login(ttyn, username, hostname ? hostname : "");
+	dolastlog(quietlog);
+
+	/*
+	 * Set device protections, depending on what terminal the
+	 * user is logged in. This feature is used on Suns to give
+	 * console users better privacy.
+	 */
+	login_fbtab(tty, pwd->pw_uid, pwd->pw_gid);
+
+	if (chown(ttyn, pwd->pw_uid,
+	    (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid) < 0)
+	  err(1, "chown tty failed");
+	if (chmod(ttyn, S_IRUSR | S_IWUSR | S_IWGRP) < 0)
+	  err(1, "chmod tty failed");
+	setgid(pwd->pw_gid);
+
+	initgroups(username, pwd->pw_gid);
+
+	if (*pwd->pw_shell == '\0')
+		pwd->pw_shell = _PATH_BSHELL;
+
+        /*
+         * Set up a new environment. With SYSV, some variables are always
+         * preserved; some varables are never preserved, and some variables
+         * are always clobbered. With BSD, nothing is always preserved, and
+         * some variables are always clobbered. We add code to make sure
+         * that LD_* and IFS are never preserved.
+         */
+	if (term[0] == '\0')
+		strlcpy(term, stypeof(tty), sizeof(term));
+        /* set up a somewhat censored environment. */
+        sysv_newenv(argc, argv, pwd, term, pflag);
+#ifdef KERBEROS
+	if (krbtkfile_env)
+	    setenv("KRBTKFILE", krbtkfile_env, 1);
+#endif
+
+	if (tty[sizeof("tty")-1] == 'd')
+		syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);
+
+	/* If fflag is on, assume caller/authenticator has logged root login. */
+	if (rootlogin && fflag == 0) {
+		if (hostname)
+			syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s",
+			    username, tty, hostname);
+		else
+			syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty);
+	}
+
+#ifdef KERBEROS
+	if (!quietlog && notickets == 1 && !noticketsdontcomplain)
+		printf("Warning: no Kerberos tickets issued.\n");
+#endif
+
+#ifdef LOGALL
+	/*
+	 * Syslog each successful login, so we don't have to watch hundreds
+	 * of wtmp or lastlogin files.
+	 */
+	if (hostname) {
+		syslog(LOG_INFO, "login from %s as %s", hostname, pwd->pw_name);
+	} else {
+		syslog(LOG_INFO, "login on %s as %s", tty, pwd->pw_name);
+	}
+#endif
+
+#ifndef NO_MOTD
+        /*
+         * Optionally show the message of the day. System V login leaves
+         * motd and mail stuff up to the shell startup file.
+         */
+	if (!quietlog) {
+	        struct stat st;
+#if 0
+		printf("%s\n\t%s  %s\n\n",
+	    "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+		    "The Regents of the University of California. ",
+		    "All rights reserved.");
+#endif
+		motd();
+		if(!nomailcheck){
+		    snprintf(tbuf, sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pwd->pw_name);
+		    if (stat(tbuf, &st) == 0 && st.st_size != 0)
+			printf("You have %smail.\n",
+			       (st.st_mtime > st.st_atime) ? "new " : "");
+		}
+	}
+#endif /* NO_MOTD */
+
+#ifdef LOGIN_ACCESS
+	if (login_access(pwd, hostname ? full_hostname : tty) == 0) {
+		printf("Permission denied\n");
+		if (hostname)
+			syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s",
+				pwd->pw_name, hostname);
+		else
+			syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s",
+				pwd->pw_name, tty);
+		sleepexit(1);
+	}
+#endif
+
+	signal(SIGALRM, SIG_DFL);
+	signal(SIGQUIT, SIG_DFL);
+	signal(SIGINT, SIG_DFL);
+#ifdef SIGTSTP
+	signal(SIGTSTP, SIG_IGN);
+#endif
+
+	p = strrchr(pwd->pw_shell, '/');
+	snprintf (tbuf, sizeof(tbuf), "-%s", p ? p + 1 : pwd->pw_shell);
+
+#ifdef HAVE_SETLOGIN
+     	if (setlogin(pwd->pw_name) < 0)
+                syslog(LOG_ERR, "setlogin() failure: %m");
+#endif
+
+#ifdef HAVE_SETPCRED
+	if (setpcred (pwd->pw_name, NULL) == -1)
+		syslog(LOG_ERR, "setpcred() failure: %m");
+#endif /* HAVE_SETPCRED */
+
+#if defined(SYSV_SHADOW) && defined(HAVE_GETSPNAM)
+	spwd = getspnam (username);
+	endspent ();
+#endif
+	/* perhaps work some magic */
+	if(do_osfc2_magic(pwd->pw_uid))
+	    sleepexit(1);
+#if defined(HAVE_SGI_GETCAPABILITYBYNAME) && defined(HAVE_CAP_SET_PROC)
+	/* XXX SGI capability hack IRIX 6.x (x >= 0?) has something
+	   called capabilities, that allow you to give away
+	   permissions (such as chown) to specific processes. From 6.5
+	   this is default on, and the default capability set seems to
+	   not always be the empty set. The problem is that the
+	   runtime linker refuses to do just about anything if the
+	   process has *any* capabilities set, so we have to remove
+	   them here (unless otherwise instructed by /etc/capability).
+	   In IRIX < 6.5, these functions was called sgi_cap_setproc,
+	   etc, but we ignore this fact (it works anyway). */
+	{
+	    struct user_cap *ucap = sgi_getcapabilitybyname(pwd->pw_name);
+	    cap_t cap;
+	    if(ucap == NULL)
+		cap = cap_from_text("all=");
+	    else
+		cap = cap_from_text(ucap->ca_default);
+	    if(cap == NULL)
+		err(1, "cap_from_text");
+	    if(cap_set_proc(cap) < 0)
+		err(1, "cap_set_proc");
+	    cap_free(cap);
+	    free(ucap);
+	}
+#endif
+	/* Discard permissions last so can't get killed and drop core. */
+	{
+	    int uid = rootlogin ? 0 : pwd->pw_uid;
+	    if(setuid(uid) != 0){
+		    warn("setuid(%d)", uid);
+		    if(!rootlogin)
+			    exit(1);
+	    }
+	    if (uid != 0 && setuid(0) != -1) {
+	            syslog(LOG_ALERT | LOG_AUTH,
+			   "Failed to drop privileges for user %d", uid);
+		    errx(1, "Sorry");
+	    }
+	}
+		       
+
+	/*
+         * After dropping privileges and after cleaning up the environment,
+         * optionally run, as the user, /bin/passwd.
+         */
+ 
+        if (pwd->pw_passwd[0] == 0 &&
+	    strcasecmp(default_passreq, "YES") == 0) {
+                printf("You don't have a password.  Choose one.\n");
+                if (change_passwd(pwd))
+                        sleepexit(0);
+		changepass = 0;
+        }
+
+#ifdef SYSV_SHADOW
+        if (spwd && sysv_expire(spwd)) {
+                if (change_passwd(pwd))
+                        sleepexit(0);
+		changepass = 0;
+        }
+#endif /* SYSV_SHADOW */
+	if (changepass) {
+		int res;
+		if ((res=system(_PATH_CHPASS)))
+			sleepexit(1);
+	}
+
+	if (k_hasafs()) {
+	    char cell[64];
+#ifdef _AIX
+	    /* XXX this is a fix for a bug in AFS for AIX 4.3, w/o
+               this hack the kernel crashes on the following
+               pioctl... */
+	    char *pw_dir = strdup(pwd->pw_dir);
+#else
+	    char *pw_dir = pwd->pw_dir;
+#endif
+	    k_setpag();
+	    if(k_afs_cell_of_file(pw_dir, cell, sizeof(cell)) == 0)
+		krb_afslog(cell, 0);
+	    krb_afslog(0, 0);
+	}
+
+	execlp(pwd->pw_shell, tbuf, 0);
+	if (getuid() == 0) {
+		warnx("Can't exec %s, trying %s\n", 
+		      pwd->pw_shell, _PATH_BSHELL);
+		execlp(_PATH_BSHELL, tbuf, 0);
+		err(1, "%s", _PATH_BSHELL);
+	}
+	err(1, "%s", pwd->pw_shell);
+	return 1;
+}
+
+#ifdef	KERBEROS
+#define	NBUFSIZ		(UT_NAMESIZE + 1 + 5)	/* .root suffix */
+#else
+#define	NBUFSIZ		(UT_NAMESIZE + 1)
+#endif
+
+static void
+getloginname(int prompt)
+{
+    int ch;
+    char *p;
+    static char nbuf[NBUFSIZ];
+
+    for (;;) {
+	if (prompt) {
+	    if (ttyprompt && *ttyprompt)
+		printf("%s", ttyprompt);
+	    else
+		printf("login: ");
+	}
+	prompt = 1;
+	for (p = nbuf; (ch = getchar()) != '\n'; ) {
+	    if (ch == EOF) {
+		badlogin(username);
+		exit(0);
+	    }
+	    if (p < nbuf + (NBUFSIZ - 1))
+		*p++ = ch;
+	}
+	if (p > nbuf) {
+	    if (nbuf[0] == '-')
+		warnx("login names may not start with '-'.");
+	    else {
+		*p = '\0';
+		username = nbuf;
+		break;
+	    }
+	}
+    }
+}
+
+static int
+find_in_etc_securetty (char *ttyn)
+{
+    FILE *f;
+    char buf[128];
+    int ret = 0;
+
+    f = fopen (_PATH_ETC_SECURETTY, "r");
+    if (f == NULL)
+	return 0;
+    while (fgets(buf, sizeof(buf), f) != NULL) {
+	if(buf[strlen(buf) - 1] == '\n')
+	    buf[strlen(buf) - 1] = '\0';
+	if (strcmp (buf, ttyn) == 0) {
+	    ret = 1;
+	    break;
+	}
+    }
+    fclose(f);
+    return ret;
+}
+
+static int
+rootterm(char *ttyn)
+{
+#ifdef HAVE_TTYENT_H
+    {
+	struct ttyent *t;
+
+	t = getttynam (ttyn);
+	if (t && t->ty_status & TTY_SECURE)
+	    return 1;
+    }
+#endif
+    if (find_in_etc_securetty(ttyn))
+	return 1;
+    if (default_console == 0 || strcmp(default_console, ttyn) == 0)
+	return 1;
+    return 0;
+}
+
+static RETSIGTYPE
+timedout(int signo)
+{
+	fprintf(stderr, "Login timed out after %d seconds\n",
+		login_timeout);
+	exit(0);
+}
+
+static void
+checknologin(void)
+{
+	int fd, nchars;
+	char tbuf[8192];
+
+	if ((fd = open(_PATH_NOLOGIN, O_RDONLY, 0)) >= 0) {
+		while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
+			write(fileno(stdout), tbuf, nchars);
+		sleepexit(0);
+	}
+}
+
+static void
+dolastlog(int quiet)
+{
+#if defined(HAVE_LASTLOG_H) || defined(HAVE_LOGIN_H)
+	struct lastlog ll;
+	int fd;
+	time_t t;
+
+	if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
+		lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), SEEK_SET);
+#ifdef SYSV_SHADOW
+                if (read(fd, &ll, sizeof(ll)) == sizeof(ll) &&
+                    ll.ll_time != 0) {
+                        if (pwd->pw_uid && spwd && spwd->sp_inact > 0
+                            && ll.ll_time / (24 * 60 * 60)
+			    + spwd->sp_inact < time(0)) {
+                                printf("Your account has been inactive too long.\n");
+                                sleepexit(1);
+                        }
+                        if (!quiet) {
+				t = ll.ll_time;
+                                printf("Last login: %.*s ", 24-5, ctime(&t));
+                                if (*ll.ll_host != '\0') {
+                                        printf("from %.*s\n",
+                                            (int)sizeof(ll.ll_host),
+					       ll.ll_host);
+                                } else
+                                        printf("on %.*s\n",
+                                            (int)sizeof(ll.ll_line),
+					       ll.ll_line);
+                        }
+                }
+                lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), SEEK_SET);
+#else /* SYSV_SHADOW */
+		if (!quiet) {
+			if (read(fd, &ll, sizeof(ll)) == sizeof(ll) &&
+			    ll.ll_time != 0) {
+				t = ll.ll_time;
+				printf("Last login: %.*s ", 24-5, ctime(&t));
+				if (*ll.ll_host != '\0')
+					printf("from %.*s\n",
+					    (int)sizeof(ll.ll_host),
+					    ll.ll_host);
+				else
+					printf("on %.*s\n",
+					    (int)sizeof(ll.ll_line),
+					    ll.ll_line);
+			}
+			lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), SEEK_SET);
+		}
+#endif /* SYSV_SHADOW */
+		memset(&ll, 0, sizeof(ll));
+		ll.ll_time = time(NULL);
+		strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
+		if (hostname)
+			strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
+		write(fd, &ll, sizeof(ll));
+		close(fd);
+	}
+#endif /* DOLASTLOG */
+}
+
+static void
+badlogin(char *name)
+{
+
+	if (failures == 0)
+		return;
+	if (hostname) {
+		syslog(LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s",
+		    failures, failures > 1 ? "S" : "", hostname);
+		syslog(LOG_AUTHPRIV|LOG_NOTICE,
+		    "%d LOGIN FAILURE%s FROM %s, %s",
+		    failures, failures > 1 ? "S" : "", hostname, name);
+	} else {
+		syslog(LOG_NOTICE, "%d LOGIN FAILURE%s ON %s",
+		    failures, failures > 1 ? "S" : "", tty);
+		syslog(LOG_AUTHPRIV|LOG_NOTICE,
+		    "%d LOGIN FAILURE%s ON %s, %s",
+		    failures, failures > 1 ? "S" : "", tty, name);
+	}
+}
+
+#undef	UNKNOWN
+#define	UNKNOWN	"su"
+
+static char *
+stypeof(char *ttyid)
+{
+    /* TERM is probably a better guess than anything else. */
+    char *term = getenv("TERM");
+
+    if (term != 0 && term[0] != 0)
+	return term;
+
+    {
+#ifndef HAVE_TTYENT_H
+	return UNKNOWN;
+#else
+	struct ttyent *t;
+	return (ttyid && (t = getttynam(ttyid)) ? t->ty_type : UNKNOWN);
+#endif
+    }
+}
+
+static void
+xgetstr(char *buf, int cnt, char *err)
+{
+        char ch;
+ 
+        do {
+                if (read(0, &ch, sizeof(ch)) != sizeof(ch))
+                        exit(1);
+                if (--cnt < 0) {
+                        fprintf(stderr, "%s too long\r\n", err);
+                        sleepexit(1);
+                }
+                *buf++ = ch;
+        } while (ch);
+}
+
+/*
+ * Some old rlogind's unknowingly pass remuser, locuser and
+ * terminal_type/speed so we need to take care of that part of the
+ * protocol here. Also, we can't make a getpeername(2) on the socket
+ * so we have to trust that rlogind resolved the name correctly.
+ */
+
+static int
+doremotelogin(char *host)
+{
+        int code;
+        char *cp;
+
+        xgetstr(rusername, sizeof (rusername), "remuser");
+        xgetstr(lusername, sizeof (lusername), "locuser");
+        xgetstr(term, sizeof(term), "Terminal type");
+	cp = strchr(term, '/');
+	if (cp != 0)
+		*cp = 0;	/* For now ignore speed/bg */
+        pwd = k_getpwnam(lusername);
+        if (pwd == NULL)
+                return(-1);
+        code = ruserok(host, (pwd->pw_uid == 0), rusername, lusername);
+	if (code == 0)
+	  syslog(LOG_NOTICE,
+		 "Warning: An old rlogind accepted login probably from host %s",
+		 host);
+	return(code);
+}
+ 
+void
+sleepexit(int eval)
+{
+
+	sleep(5);
+	exit(eval);
+}
diff --git a/crypto/kerberosIV/appl/bsd/login_access.c b/crypto/kerberosIV/appl/bsd/login_access.c
new file mode 100644
index 0000000..7b79dc8
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/login_access.c
@@ -0,0 +1,264 @@
+ /*
+  * This module implements a simple but effective form of login access
+  * control based on login names and on host (or domain) names, internet
+  * addresses (or network numbers), or on terminal line names in case of
+  * non-networked logins. Diagnostics are reported through syslog(3).
+  *
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: login_access.c,v 1.19 1999/05/14 22:02:14 assar Exp $");
+
+#ifdef LOGIN_ACCESS
+
+ /* Delimiters for fields and for lists of users, ttys or hosts. */
+
+static char fs[] = ":";			/* field separator */
+static char sep[] = ", \t";		/* list-element separator */
+
+ /* Constants to be used in assignments only, not in comparisons... */
+
+#define YES             1
+#define NO              0
+
+ /*
+  * A structure to bundle up all login-related information to keep the
+  * functional interfaces as generic as possible.
+  */
+struct login_info {
+    struct passwd *user;
+    char   *from;
+};
+
+static int list_match(char *list, struct login_info *item,
+		      int (*match_fn)(char *, struct login_info *));
+static int user_match(char *tok, struct login_info *item);
+static int from_match(char *tok, struct login_info *item);
+static int string_match(char *tok, char *string);
+
+/* login_access - match username/group and host/tty with access control file */
+
+int login_access(struct passwd *user, char *from)
+{
+    struct login_info item;
+    FILE   *fp;
+    char    line[BUFSIZ];
+    char   *perm;			/* becomes permission field */
+    char   *users;			/* becomes list of login names */
+    char   *froms;			/* becomes list of terminals or hosts */
+    int     match = NO;
+    int     end;
+    int     lineno = 0;			/* for diagnostics */
+    char   *foo;
+
+    /*
+     * Bundle up the arguments to avoid unnecessary clumsiness lateron.
+     */
+    item.user = user;
+    item.from = from;
+
+    /*
+     * Process the table one line at a time and stop at the first match.
+     * Blank lines and lines that begin with a '#' character are ignored.
+     * Non-comment lines are broken at the ':' character. All fields are
+     * mandatory. The first field should be a "+" or "-" character. A
+     * non-existing table means no access control.
+     */
+
+    if ((fp = fopen(_PATH_LOGACCESS, "r")) != 0) {
+	while (!match && fgets(line, sizeof(line), fp)) {
+	    lineno++;
+	    if (line[end = strlen(line) - 1] != '\n') {
+		syslog(LOG_ERR, "%s: line %d: missing newline or line too long",
+		       _PATH_LOGACCESS, lineno);
+		continue;
+	    }
+	    if (line[0] == '#')
+		continue;			/* comment line */
+	    while (end > 0 && isspace((unsigned char)line[end - 1]))
+		end--;
+	    line[end] = 0;			/* strip trailing whitespace */
+	    if (line[0] == 0)			/* skip blank lines */
+		continue;
+	    foo = NULL;
+	    if (!(perm = strtok_r(line, fs, &foo))
+		|| !(users = strtok_r(NULL, fs, &foo))
+		|| !(froms = strtok_r(NULL, fs, &foo))
+		|| strtok_r(NULL, fs, &foo)) {
+		syslog(LOG_ERR, "%s: line %d: bad field count", 
+		       _PATH_LOGACCESS,
+		       lineno);
+		continue;
+	    }
+	    if (perm[0] != '+' && perm[0] != '-') {
+		syslog(LOG_ERR, "%s: line %d: bad first field", 
+		       _PATH_LOGACCESS,
+		       lineno);
+		continue;
+	    }
+	    match = (list_match(froms, &item, from_match)
+		     && list_match(users, &item, user_match));
+	}
+	fclose(fp);
+    } else if (errno != ENOENT) {
+	syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS);
+    }
+    return (match == 0 || (line[0] == '+'));
+}
+
+/* list_match - match an item against a list of tokens with exceptions */
+
+static int
+list_match(char *list,
+	   struct login_info *item,
+	   int (*match_fn)(char *, struct login_info *))
+{
+    char   *tok;
+    int     match = NO;
+    char   *foo = NULL;
+
+    /*
+     * Process tokens one at a time. We have exhausted all possible matches
+     * when we reach an "EXCEPT" token or the end of the list. If we do find
+     * a match, look for an "EXCEPT" list and recurse to determine whether
+     * the match is affected by any exceptions.
+     */
+
+    for (tok = strtok_r(list, sep, &foo);
+	 tok != NULL;
+	 tok = strtok_r(NULL, sep, &foo)) {
+	if (strcasecmp(tok, "EXCEPT") == 0)	/* EXCEPT: give up */
+	    break;
+	if ((match = (*match_fn) (tok, item)) != 0)	/* YES */
+	    break;
+    }
+    /* Process exceptions to matches. */
+
+    if (match != NO) {
+	while ((tok = strtok_r(NULL, sep, &foo)) && strcasecmp(tok, "EXCEPT"))
+	     /* VOID */ ;
+	if (tok == 0 || list_match(NULL, item, match_fn) == NO)
+	    return (match);
+    }
+    return (NO);
+}
+
+/* myhostname - figure out local machine name */
+
+static char *myhostname(void)
+{
+    static char name[MAXHOSTNAMELEN + 1] = "";
+
+    if (name[0] == 0) {
+	gethostname(name, sizeof(name));
+	name[MAXHOSTNAMELEN] = 0;
+    }
+    return (name);
+}
+
+/* netgroup_match - match group against machine or user */
+
+static int netgroup_match(char *group, char *machine, char *user)
+{
+#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
+    static char *mydomain = 0;
+
+    if (mydomain == 0)
+	yp_get_default_domain(&mydomain);
+    return (innetgr(group, machine, user, mydomain));
+#else
+    syslog(LOG_ERR, "NIS netgroup support not configured");
+    return 0;
+#endif
+}
+
+/* user_match - match a username against one token */
+
+static int user_match(char *tok, struct login_info *item)
+{
+    char   *string = item->user->pw_name;
+    struct login_info fake_item;
+    struct group *group;
+    int     i;
+    char   *at;
+
+    /*
+     * If a token has the magic value "ALL" the match always succeeds.
+     * Otherwise, return YES if the token fully matches the username, if the
+     * token is a group that contains the username, or if the token is the
+     * name of the user's primary group.
+     */
+
+    if ((at = strchr(tok + 1, '@')) != 0) {	/* split user@host pattern */
+	*at = 0;
+	fake_item.from = myhostname();
+	return (user_match(tok, item) && from_match(at + 1, &fake_item));
+    } else if (tok[0] == '@') {			/* netgroup */
+	return (netgroup_match(tok + 1, (char *) 0, string));
+    } else if (string_match(tok, string)) {	/* ALL or exact match */
+	return (YES);
+    } else if ((group = getgrnam(tok)) != 0) { /* try group membership */
+	if (item->user->pw_gid == group->gr_gid)
+	    return (YES);
+	for (i = 0; group->gr_mem[i]; i++)
+	    if (strcasecmp(string, group->gr_mem[i]) == 0)
+		return (YES);
+    }
+    return (NO);
+}
+
+/* from_match - match a host or tty against a list of tokens */
+
+static int from_match(char *tok, struct login_info *item)
+{
+    char   *string = item->from;
+    int     tok_len;
+    int     str_len;
+
+    /*
+     * If a token has the magic value "ALL" the match always succeeds. Return
+     * YES if the token fully matches the string. If the token is a domain
+     * name, return YES if it matches the last fields of the string. If the
+     * token has the magic value "LOCAL", return YES if the string does not
+     * contain a "." character. If the token is a network number, return YES
+     * if it matches the head of the string.
+     */
+
+    if (tok[0] == '@') {			/* netgroup */
+	return (netgroup_match(tok + 1, string, (char *) 0));
+    } else if (string_match(tok, string)) {	/* ALL or exact match */
+	return (YES);
+    } else if (tok[0] == '.') {			/* domain: match last fields */
+	if ((str_len = strlen(string)) > (tok_len = strlen(tok))
+	    && strcasecmp(tok, string + str_len - tok_len) == 0)
+	    return (YES);
+    } else if (strcasecmp(tok, "LOCAL") == 0) {	/* local: no dots */
+	if (strchr(string, '.') == 0)
+	    return (YES);
+    } else if (tok[(tok_len = strlen(tok)) - 1] == '.'	/* network */
+	       && strncmp(tok, string, tok_len) == 0) {
+	return (YES);
+    }
+    return (NO);
+}
+
+/* string_match - match a string against one token */
+
+static int string_match(char *tok, char *string)
+{
+
+    /*
+     * If the token has the magic value "ALL" the match always succeeds.
+     * Otherwise, return YES if the token fully matches the string.
+     */
+
+    if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
+	return (YES);
+    } else if (strcasecmp(tok, string) == 0) {	/* try exact match */
+	return (YES);
+    }
+    return (NO);
+}
+#endif /* LOGIN_ACCES */
diff --git a/crypto/kerberosIV/appl/bsd/login_fbtab.c b/crypto/kerberosIV/appl/bsd/login_fbtab.c
new file mode 100644
index 0000000..3aa5e4c
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/login_fbtab.c
@@ -0,0 +1,154 @@
+/************************************************************************
+* Copyright 1995 by Wietse Venema.  All rights reserved.
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this entire copyright notice is duplicated in all such
+* copies.
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
+/*
+    SYNOPSIS
+	void login_fbtab(tty, uid, gid)
+	char *tty;
+	uid_t uid;
+	gid_t gid;
+
+    DESCRIPTION
+	This module implements device security as described in the
+	SunOS 4.1.x fbtab(5) and SunOS 5.x logindevperm(4) manual
+	pages. The program first looks for /etc/fbtab. If that file
+	cannot be opened it attempts to process /etc/logindevperm.
+	We expect entries with the folowing format:
+
+	    Comments start with a # and extend to the end of the line.
+
+	    Blank lines or lines with only a comment are ignored.
+
+	    All other lines consist of three fields delimited by
+	    whitespace: a login device (/dev/console), an octal
+	    permission number (0600), and a ":"-delimited list of
+	    devices (/dev/kbd:/dev/mouse). All device names are
+	    absolute paths. A path that ends in "/*" refers to all
+	    directory entries except "." and "..".
+
+	    If the tty argument (relative path) matches a login device
+	    name (absolute path), the permissions of the devices in the
+	    ":"-delimited list are set as specified in the second
+	    field, and their ownership is changed to that of the uid
+	    and gid arguments.
+
+    DIAGNOSTICS
+	Problems are reported via the syslog daemon with severity
+	LOG_ERR.
+
+    BUGS
+
+    AUTHOR
+	Wietse Venema (wietse@wzv.win.tue.nl)
+	Eindhoven University of Technology
+	The Netherlands
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: login_fbtab.c,v 1.14 1999/09/16 20:37:24 assar Exp $");
+
+void	login_protect	(char *, char *, int, uid_t, gid_t);
+void	login_fbtab	(char *tty, uid_t uid, gid_t gid);
+
+#define	WSPACE		" \t\n"
+
+/* login_fbtab - apply protections specified in /etc/fbtab or logindevperm */
+
+void
+login_fbtab(char *tty, uid_t uid, gid_t gid)
+{
+    FILE   *fp;
+    char    buf[BUFSIZ];
+    char   *devname;
+    char   *cp;
+    int     prot;
+    char   *table;
+    char   *foo;
+
+    if ((fp = fopen(table = _PATH_FBTAB, "r")) == 0
+    && (fp = fopen(table = _PATH_LOGINDEVPERM, "r")) == 0)
+	return;
+
+    while (fgets(buf, sizeof(buf), fp)) {
+	if ((cp = strchr(buf, '#')) != 0)
+	    *cp = 0;				/* strip comment */
+	foo = NULL;
+	if ((cp = devname = strtok_r(buf, WSPACE, &foo)) == 0)
+	    continue;				/* empty or comment */
+	if (strncmp(devname, "/dev/", 5) != 0
+	       || (cp = strtok_r(NULL, WSPACE, &foo)) == 0
+	       || *cp != '0'
+	       || sscanf(cp, "%o", &prot) == 0
+	       || prot == 0
+	       || (prot & 0777) != prot
+	       || (cp = strtok_r(NULL, WSPACE, &foo)) == 0) {
+	    syslog(LOG_ERR, "%s: bad entry: %s", table, cp ? cp : "(null)");
+	    continue;
+	}
+	if (strcmp(devname + 5, tty) == 0) {
+	    foo = NULL;
+	    for (cp = strtok_r(cp, ":", &foo);
+		 cp;
+		 cp = strtok_r(NULL, ":", &foo)) {
+		login_protect(table, cp, prot, uid, gid);
+	    }
+	}
+    }
+    fclose(fp);
+}
+
+/* login_protect - protect one device entry */
+
+void
+login_protect(char *table, char *path, int mask, uid_t uid, gid_t gid)
+{
+    char    buf[BUFSIZ];
+    int     pathlen = strlen(path);
+    struct dirent *ent;
+    DIR    *dir;
+
+    if (strcmp("/*", path + pathlen - 2) != 0) {
+	if (chmod(path, mask) && errno != ENOENT)
+	    syslog(LOG_ERR, "%s: chmod(%s): %m", table, path);
+	if (chown(path, uid, gid) && errno != ENOENT)
+	    syslog(LOG_ERR, "%s: chown(%s): %m", table, path);
+    } else {
+	strlcpy (buf, path, sizeof(buf));
+	if (sizeof(buf) > pathlen)
+	    buf[pathlen - 2] = '\0';
+ 	/* Solaris evidently operates on the directory as well */
+ 	login_protect(table, buf, mask | ((mask & 0444) >> 2), uid, gid);
+	if ((dir = opendir(buf)) == 0) {
+	    syslog(LOG_ERR, "%s: opendir(%s): %m", table, path);
+	} else {
+	    if (sizeof(buf) > pathlen) {
+		buf[pathlen - 2] = '/';
+		buf[pathlen - 1] = '\0';
+	    }
+
+	    while ((ent = readdir(dir)) != 0) {
+		if (strcmp(ent->d_name, ".") != 0
+		    && strcmp(ent->d_name, "..") != 0) {
+		    strlcpy (buf + pathlen - 1,
+				     ent->d_name,
+				     sizeof(buf) - (pathlen + 1));
+		    login_protect(table, buf, mask, uid, gid);
+		}
+	    }
+	    closedir(dir);
+	}
+    }
+}
diff --git a/crypto/kerberosIV/appl/bsd/osfc2.c b/crypto/kerberosIV/appl/bsd/osfc2.c
new file mode 100644
index 0000000..fbfd742
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/osfc2.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "bsd_locl.h"
+RCSID("$Id: osfc2.c,v 1.2 1999/12/02 16:58:28 joda Exp $");
+
+int
+do_osfc2_magic(uid_t uid)
+{
+#ifdef HAVE_OSFC2
+    struct es_passwd *epw;
+    char *argv[2];
+    
+    /* fake */
+    argv[0] = (char*)__progname;
+    argv[1] = NULL;
+    set_auth_parameters(1, argv);
+    
+    epw = getespwuid(uid);
+    if(epw == NULL) {
+	syslog(LOG_AUTHPRIV|LOG_NOTICE, 
+	       "getespwuid failed for %d", uid);
+	printf("Sorry.\n");
+	return 1;
+    }
+    /* We don't check for auto-retired, foo-retired,
+       bar-retired, or any other kind of retired accounts
+       here; neither do we check for time-locked accounts, or
+       any other kind of serious C2 mumbo-jumbo. We do,
+       however, call setluid, since failing to do so it not
+       very good (take my word for it). */
+    
+    if(!epw->uflg->fg_uid) {
+	syslog(LOG_AUTHPRIV|LOG_NOTICE, 
+	       "attempted login by %s (has no uid)", epw->ufld->fd_name);
+	printf("Sorry.\n");
+	return 1;
+    }
+    setluid(epw->ufld->fd_uid);
+    if(getluid() != epw->ufld->fd_uid) {
+	syslog(LOG_AUTHPRIV|LOG_NOTICE, 
+	       "failed to set LUID for %s (%d)", 
+	       epw->ufld->fd_name, epw->ufld->fd_uid);
+	printf("Sorry.\n");
+	return 1;
+    }
+#endif /* HAVE_OSFC2 */
+    return 0;
+}
diff --git a/crypto/kerberosIV/appl/bsd/pathnames.h_ b/crypto/kerberosIV/appl/bsd/pathnames.h_
new file mode 100644
index 0000000..6db8f68
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/pathnames.h_
@@ -0,0 +1,201 @@
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	from: @(#)pathnames.h	5.2 (Berkeley) 4/9/90
+ *	$Id: pathnames.h,v 1.25 1998/02/03 23:29:30 assar Exp $
+ * $FreeBSD$
+ */
+
+/******* First fix default path, we stick to _PATH_DEFPATH everywhere */
+
+#if !defined(_PATH_DEFPATH) && defined(_PATH_USERPATH)
+#define _PATH_DEFPATH _PATH_USERPATH
+#endif
+
+#if defined(_PATH_DEFPATH) && !defined(_DEF_PATH)
+#define _DEF_PATH _PATH_DEFPATH
+#endif
+
+#if !defined(_PATH_DEFPATH) && defined(_DEF_PATH)
+#define _PATH_DEFPATH _DEF_PATH
+#endif
+
+#ifndef _PATH_DEFPATH
+#define _PATH_DEFPATH "/usr/ucb:/usr/bin:/bin"
+#define _DEF_PATH _PATH_DEFPATH
+#endif /* !_PATH_DEFPATH */
+
+#ifndef _PATH_DEFSUPATH
+#define _PATH_DEFSUPATH "/usr/sbin:"  _DEF_PATH
+#endif /* _PATH_DEFSUPATH */
+
+/******* Default PATH fixed! */
+
+#undef  _PATH_RLOGIN		/* Redifine rlogin */
+#define	_PATH_RLOGIN	BINDIR  "/rlogin"
+
+#undef _PATH_RSH		/* Redifine rsh */
+#define _PATH_RSH	BINDIR  "/rsh"
+
+#undef _PATH_RCP		/* Redifine rcp */
+#define _PATH_RCP	BINDIR  "/rcp"
+
+#undef _PATH_LOGIN
+#define _PATH_LOGIN	BINDIR "/login"
+
+/******* The rest is fallback defaults */
+
+#ifndef _PATH_DEV
+#define _PATH_DEV "/dev/"
+#endif
+
+#ifndef _PATH_CP
+#define _PATH_CP "/bin/cp"
+#endif /* _PATH_CP */
+
+#ifndef _PATH_SHELLS
+#define _PATH_SHELLS "/etc/shells"
+#endif /* _PATH_SHELLS */
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif /* _PATH_BSHELL */
+
+#ifndef _PATH_CSHELL
+#define _PATH_CSHELL "/bin/csh"
+#endif /* _PATH_CSHELL */
+
+#ifndef _PATH_NOLOGIN
+#define _PATH_NOLOGIN "/etc/nologin"
+#endif /* _PATH_NOLOGIN */
+
+#ifndef _PATH_TTY
+#define _PATH_TTY "/dev/tty"
+#endif /* _PATH_TTY */
+
+#ifndef _PATH_HUSHLOGIN
+#define _PATH_HUSHLOGIN ".hushlogin"
+#endif /* _PATH_HUSHLOGIN */
+
+#ifndef _PATH_NOMAILCHECK
+#define _PATH_NOMAILCHECK ".nomailcheck"
+#endif /* _PATH_NOMAILCHECK */
+
+#ifndef _PATH_MOTDFILE
+#define _PATH_MOTDFILE "/etc/motd"
+#endif /* _PATH_MOTDFILE */
+
+#ifndef _PATH_LOGACCESS
+#define _PATH_LOGACCESS "/etc/login.access"
+#endif /* _PATH_LOGACCESS */
+
+#ifndef _PATH_HEQUIV
+#define _PATH_HEQUIV "/etc/hosts.equiv"
+#endif
+
+#ifndef _PATH_FBTAB
+#define _PATH_FBTAB "/etc/fbtab"
+#endif /* _PATH_FBTAB */
+
+#ifndef _PATH_LOGINDEVPERM
+#define _PATH_LOGINDEVPERM "/etc/logindevperm"
+#endif /* _PATH_LOGINDEVPERM */
+
+#ifndef _PATH_CHPASS
+#define _PATH_CHPASS "/usr/bin/passwd"
+#endif /* _PATH_CHPASS */
+
+#if defined(__hpux)
+#define __FALLBACK_MAILDIR__ "/usr/mail"
+#else
+#define __FALLBACK_MAILDIR__ "/usr/spool/mail"
+#endif
+
+#ifndef KRB4_MAILDIR
+#ifndef _PATH_MAILDIR
+#ifdef MAILDIR
+#define _PATH_MAILDIR MAILDIR
+#else
+#define _PATH_MAILDIR __FALLBACK_MAILDIR__
+#endif
+#endif /* _PATH_MAILDIR */
+#define KRB4_MAILDIR _PATH_MAILDIR
+#endif
+
+#ifndef _PATH_LASTLOG
+#define _PATH_LASTLOG		"/var/adm/lastlog"
+#endif
+
+#if defined(UTMP_FILE) && !defined(_PATH_UTMP)
+#define _PATH_UTMP UTMP_FILE
+#endif
+
+#ifndef _PATH_UTMP
+#define _PATH_UTMP   "/etc/utmp"
+#endif
+
+#if defined(WTMP_FILE) && !defined(_PATH_WTMP)
+#define _PATH_WTMP WTMP_FILE
+#endif
+
+#ifndef _PATH_WTMP
+#define _PATH_WTMP   "/usr/adm/wtmp"
+#endif
+
+#ifndef _PATH_ETC_DEFAULT_LOGIN
+#define _PATH_ETC_DEFAULT_LOGIN	"/etc/default/login"
+#endif
+
+#ifndef _PATH_ETC_ENVIRONMENT
+#define _PATH_ETC_ENVIRONMENT "/etc/environment"
+#endif
+
+#ifndef _PATH_ETC_SECURETTY
+#define _PATH_ETC_SECURETTY "/etc/securetty"
+#endif
+
+/*
+ * NeXT KLUDGE ALERT!!!!!!!!!!!!!!!!!!
+ * Some sort of bug in the NEXTSTEP cpp.
+ */
+#ifdef NeXT
+#undef  _PATH_DEFSUPATH
+#define _PATH_DEFSUPATH "/usr/sbin:/usr/ucb:/usr/bin:/bin"
+#undef  _PATH_RLOGIN
+#define	_PATH_RLOGIN	"/usr/athena/bin/rlogin"
+#undef  _PATH_RSH
+#define _PATH_RSH	"/usr/athena/bin/rsh"
+#undef  _PATH_RCP
+#define _PATH_RCP	"/usr/athena/bin/rcp"
+#undef  _PATH_LOGIN
+#define _PATH_LOGIN	"/usr/athena/bin/login"
+#endif
diff --git a/crypto/kerberosIV/appl/bsd/rcmd_util.c b/crypto/kerberosIV/appl/bsd/rcmd_util.c
new file mode 100644
index 0000000..cd431e3
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/rcmd_util.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: rcmd_util.c,v 1.19.2.1 2000/06/23 02:34:48 assar Exp $");
+
+int
+get_login_port(int kerberos, int encryption)
+{
+  char *service="login";
+  int port=htons(513);
+
+  if(kerberos && encryption){
+    service="eklogin";
+    port=htons(2105);
+  }
+  
+  if(kerberos && !encryption){
+    service="klogin";
+    port=htons(543);
+  }
+  return k_getportbyname (service, "tcp", port);
+}
+
+int
+get_shell_port(int kerberos, int encryption)
+{
+  char *service="shell";
+  int port=htons(514);
+
+  if(kerberos && encryption){
+    service="ekshell";
+    port=htons(545);
+  }
+  
+  if(kerberos && !encryption){
+    service="kshell";
+    port=htons(544);
+  }
+
+  return k_getportbyname (service, "tcp", port);
+}
+
+/* 
+ * On reasonable systems, `cf[gs]et[io]speed' use values of bit/s
+ * directly, and the following functions are just identity functions.
+ * This is however a slower way of doing those
+ * should-be-but-are-not-always idenity functions.  
+ */
+
+static struct { int speed; int bps; } conv[] = {
+#ifdef B0
+    {B0, 0},
+#endif
+#ifdef B50
+    {B50, 50},
+#endif
+#ifdef B75
+    {B75, 75},
+#endif
+#ifdef B110
+    {B110, 110},
+#endif
+#ifdef B134
+    {B134, 134},
+#endif
+#ifdef B150
+    {B150, 150},
+#endif
+#ifdef B200
+    {B200, 200},
+#endif
+#ifdef B300
+    {B300, 300},
+#endif
+#ifdef B600
+    {B600, 600},
+#endif
+#ifdef B1200
+    {B1200, 1200},
+#endif
+#ifdef B1800
+    {B1800, 1800},
+#endif
+#ifdef B2400
+    {B2400, 2400},
+#endif
+#ifdef B4800
+    {B4800, 4800},
+#endif
+#ifdef B9600
+    {B9600, 9600},
+#endif
+#ifdef B19200
+    {B19200, 19200},
+#endif
+#ifdef EXTA
+    {EXTA, 19200},
+#endif
+#ifdef B38400
+    {B38400, 38400},
+#endif
+#ifdef EXTB
+    {EXTB, 38400},
+#endif
+#ifdef B57600
+    {B57600, 57600},
+#endif
+#ifdef B115200
+    {B115200, 115200},
+#endif
+#ifdef B153600
+    {B153600, 153600},
+#endif
+#ifdef B230400
+    {B230400, 230400},
+#endif
+#ifdef B307200
+    {B307200, 307200},
+#endif
+#ifdef B460800
+    {B460800, 460800},
+#endif
+};
+
+#define N (sizeof(conv)/sizeof(*conv))
+
+int
+speed_t2int (speed_t s)
+{
+  int l, r, m;
+
+  l = 0;
+  r = N - 1;
+  while(l <= r) {
+    m = (l + r) / 2;
+    if (conv[m].speed == s)
+      return conv[m].bps;
+    else if(conv[m].speed < s)
+      l = m + 1;
+    else
+      r = m - 1; 
+  }
+  return -1;
+}
+
+/*
+ *
+ */
+
+speed_t
+int2speed_t (int i)
+{
+  int l, r, m;
+
+  l = 0;
+  r = N - 1;
+  while(l <= r) {
+    m = (l + r) / 2;
+    if (conv[m].bps == i)
+      return conv[m].speed;
+    else if(conv[m].bps < i)
+      l = m + 1;
+    else
+      r = m - 1;
+  }
+  return -1;
+}
+
+/*
+ * If there are any IP options on `sock', die.
+ */
+
+void
+ip_options_and_die (int sock, struct sockaddr_in *fromp)
+{
+#if defined(IP_OPTIONS) && defined(HAVE_GETSOCKOPT)
+  u_char optbuf[BUFSIZ/3], *cp;
+  char lbuf[BUFSIZ], *lp;
+  int optsize = sizeof(optbuf), ipproto;
+  struct protoent *ip;
+
+  if ((ip = getprotobyname("ip")) != NULL)
+    ipproto = ip->p_proto;
+  else
+    ipproto = IPPROTO_IP;
+  if (getsockopt(sock, ipproto, IP_OPTIONS,
+		 (void *)optbuf, &optsize) == 0 &&
+      optsize != 0) {
+    lp = lbuf;
+    for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
+      snprintf(lp, sizeof(lbuf) - (lp - lbuf), " %2.2x", *cp);
+    syslog(LOG_NOTICE,
+	   "Connection received from %s using IP options (dead):%s",
+	   inet_ntoa(fromp->sin_addr), lbuf);
+    exit(1);
+  }
+#endif
+}
+
+void
+warning(const char *fmt, ...)
+{
+    char *rstar_no_warn = getenv("RSTAR_NO_WARN");
+    va_list args;
+
+    va_start(args, fmt);
+    if (rstar_no_warn == NULL)
+	rstar_no_warn = "";
+    if (strncmp(rstar_no_warn, "yes", 3) != 0) {
+	/* XXX */
+	fprintf(stderr, "%s: warning, using standard ", __progname);
+	vwarnx(fmt, args);
+    }
+    va_end(args);
+}
+
+/*
+ * setuid but work-around Linux 2.2.15 bug with setuid and capabilities
+ */
+
+void
+paranoid_setuid (uid_t uid)
+{
+    if (setuid (uid) < 0)
+	err (1, "setuid");
+    if (uid != 0 && setuid (0) == 0) {
+	syslog(LOG_ALERT | LOG_AUTH,
+	       "Failed to drop privileges for uid %u", (unsigned)uid);
+	err (1, "setuid");
+    }
+}
diff --git a/crypto/kerberosIV/appl/bsd/rcp.c b/crypto/kerberosIV/appl/bsd/rcp.c
new file mode 100644
index 0000000..660be91
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/rcp.c
@@ -0,0 +1,1047 @@
+/*
+ * Copyright (c) 1983, 1990, 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: rcp.c,v 1.52.2.1 2000/06/23 02:35:16 assar Exp $");
+
+/* Globals */
+static char	dst_realm_buf[REALM_SZ];
+static char	*dest_realm = NULL;
+static int	use_kerberos = 1;
+
+static int	doencrypt = 0;
+#define	OPTIONS	"dfKk:prtxl:"
+
+static char *user_name = NULL;	/* Given as -l option. */
+
+static int errs, rem;
+static struct passwd *pwd;
+static u_short	port;
+static uid_t	userid;
+static int pflag, iamremote, iamrecursive, targetshouldbedirectory;
+
+static int argc_copy;
+static char **argv_copy;
+
+#define	CMDNEEDS	64
+static char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
+
+void rsource(char *name, struct stat *statp);
+
+#define	SERVICE_NAME	"rcmd"
+
+CREDENTIALS cred;
+MSG_DAT msg_data;
+struct sockaddr_in foreign_addr, local_addr;
+Key_schedule schedule;
+
+KTEXT_ST ticket;
+AUTH_DAT kdata;
+
+static void
+send_auth(char *h, char *r)
+{
+    int lslen, fslen, status;
+    long opts;
+
+    lslen = sizeof(struct sockaddr_in);
+    if (getsockname(rem, (struct sockaddr *)&local_addr, &lslen) < 0)
+	err(1, "getsockname");
+    fslen = sizeof(struct sockaddr_in);
+    if (getpeername(rem, (struct sockaddr *)&foreign_addr, &fslen) < 0)
+	err(1, "getpeername");
+    if ((r == NULL) || (*r == '\0'))
+	r = krb_realmofhost(h);
+    opts = KOPT_DO_MUTUAL;
+    if ((status = krb_sendauth(opts, rem, &ticket, SERVICE_NAME, h, r, 
+			       (unsigned long)getpid(), &msg_data, &cred, 
+			       schedule, &local_addr, 
+			       &foreign_addr, "KCMDV0.1")) != KSUCCESS)
+	errx(1, "krb_sendauth failure: %s", krb_get_err_text(status));
+}
+
+static void
+answer_auth(void)
+{
+    int lslen, fslen, status;
+    long opts;
+    char inst[INST_SZ], v[9];
+
+    lslen = sizeof(struct sockaddr_in);
+    if (getsockname(rem, (struct sockaddr *)&local_addr, &lslen) < 0)
+	err(1, "getsockname");
+    fslen = sizeof(struct sockaddr_in);
+    if(getpeername(rem, (struct sockaddr *)&foreign_addr, &fslen) < 0)
+	    err(1, "getperrname");
+    k_getsockinst(rem, inst, sizeof(inst));
+    opts = KOPT_DO_MUTUAL;
+    if ((status = krb_recvauth(opts, rem, &ticket, SERVICE_NAME, inst,
+			       &foreign_addr, &local_addr, 
+			       &kdata, "", schedule, v)) != KSUCCESS)
+	errx(1, "krb_recvauth failure: %s", krb_get_err_text(status));
+}
+
+static int
+des_read(int fd, char *buf, int len)
+{
+    if (doencrypt)
+	return(des_enc_read(fd, buf, len, schedule, 
+			    (iamremote? &kdata.session : &cred.session)));
+    else
+	return(read(fd, buf, len));
+}
+
+static int
+des_write(int fd, char *buf, int len)
+{
+    if (doencrypt)
+	return(des_enc_write(fd, buf, len, schedule, 
+			     (iamremote? &kdata.session : &cred.session)));
+    else
+	return(write(fd, buf, len));
+}
+
+static void run_err(const char *fmt, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
+
+
+static void
+run_err(const char *fmt, ...)
+{
+	char errbuf[1024];
+
+	va_list args;
+	va_start(args, fmt);
+	++errs;
+#define RCPERR "\001rcp: "
+	strlcpy (errbuf, RCPERR, sizeof(errbuf));
+	vsnprintf (errbuf + strlen(errbuf),
+		   sizeof(errbuf) - strlen(errbuf),
+		   fmt, args);
+	strlcat (errbuf, "\n", sizeof(errbuf));
+	des_write (rem, errbuf, strlen(errbuf));
+	if (!iamremote)
+		vwarnx(fmt, args);
+	va_end(args);
+}
+
+static void
+verifydir(char *cp)
+{
+	struct stat stb;
+
+	if (!stat(cp, &stb)) {
+		if (S_ISDIR(stb.st_mode))
+			return;
+		errno = ENOTDIR;
+	}
+	run_err("%s: %s", cp, strerror(errno));
+	exit(1);
+}
+
+#define ROUNDUP(x, y)   ((((x)+((y)-1))/(y))*(y))
+
+static BUF *
+allocbuf(BUF *bp, int fd, int blksize)
+{
+	struct stat stb;
+	size_t size;
+
+	if (fstat(fd, &stb) < 0) {
+		run_err("fstat: %s", strerror(errno));
+		return (0);
+	}
+#ifdef HAVE_ST_BLKSIZE
+	size = ROUNDUP(stb.st_blksize, blksize);
+#else
+	size = blksize;
+#endif
+	if (size == 0)
+		size = blksize;
+	if (bp->cnt >= size)
+		return (bp);
+	if (bp->buf == NULL)
+		bp->buf = malloc(size);
+	else
+		bp->buf = realloc(bp->buf, size);
+	if (bp->buf == NULL) {
+		bp->cnt = 0;
+		run_err("%s", strerror(errno));
+		return (0);
+	}
+	bp->cnt = size;
+	return (bp);
+}
+
+static void
+usage(void)
+{
+	fprintf(stderr, "%s\n\t%s\n",
+	    "usage: rcp [-Kpx] [-k realm] f1 f2",
+	    "or: rcp [-Kprx] [-k realm] f1 ... fn directory");
+	exit(1);
+}
+
+static void
+oldw(const char *s)
+{
+    char *rstar_no_warn = getenv("RSTAR_NO_WARN");
+    if (rstar_no_warn == 0)
+	rstar_no_warn = "";
+    if (strncmp(rstar_no_warn, "yes", 3) != 0)
+	warnx("%s, using standard rcp", s);
+}
+
+static RETSIGTYPE
+lostconn(int signo)
+{
+	if (!iamremote)
+		warnx("lost connection");
+	exit(1);
+}
+
+static int
+response(void)
+{
+	char ch, *cp, resp, rbuf[BUFSIZ];
+
+	if (des_read(rem, &resp, sizeof(resp)) != sizeof(resp))
+		lostconn(0);
+
+	cp = rbuf;
+	switch(resp) {
+	case 0:				/* ok */
+		return (0);
+	default:
+		*cp++ = resp;
+		/* FALLTHROUGH */
+	case 1:				/* error, followed by error msg */
+	case 2:				/* fatal error, "" */
+		do {
+			if (des_read(rem, &ch, sizeof(ch)) != sizeof(ch))
+				lostconn(0);
+			*cp++ = ch;
+		} while (cp < &rbuf[BUFSIZ] && ch != '\n');
+
+		if (!iamremote)
+			write(STDERR_FILENO, rbuf, cp - rbuf);
+		++errs;
+		if (resp == 1)
+			return (-1);
+		exit(1);
+	}
+	/* NOTREACHED */
+}
+
+static void
+source(int argc, char **argv)
+{
+	struct stat stb;
+	static BUF buffer;
+	BUF *bp;
+	off_t i;
+	int amt, fd, haderr, indx, result;
+	char *last, *name, buf[BUFSIZ];
+
+	for (indx = 0; indx < argc; ++indx) {
+                name = argv[indx];
+		if ((fd = open(name, O_RDONLY, 0)) < 0)
+			goto syserr;
+		if (fstat(fd, &stb)) {
+syserr:			run_err("%s: %s", name, strerror(errno));
+			goto next;
+		}
+		switch (stb.st_mode & S_IFMT) {
+		case S_IFREG:
+			break;
+		case S_IFDIR:
+			if (iamrecursive) {
+				rsource(name, &stb);
+				goto next;
+			}
+			/* FALLTHROUGH */
+		default:
+			run_err("%s: not a regular file", name);
+			goto next;
+		}
+		if ((last = strrchr(name, '/')) == NULL)
+			last = name;
+		else
+			++last;
+		if (pflag) {
+			/*
+			 * Make it compatible with possible future
+			 * versions expecting microseconds.
+			 */
+			snprintf(buf, sizeof(buf), "T%ld 0 %ld 0\n",
+			    (long)stb.st_mtime, (long)stb.st_atime);
+			des_write(rem, buf, strlen(buf));
+			if (response() < 0)
+				goto next;
+		}
+		snprintf(buf, sizeof(buf), "C%04o %ld %s\n",
+		    (int)stb.st_mode & MODEMASK, (long) stb.st_size, last);
+		des_write(rem, buf, strlen(buf));
+		if (response() < 0)
+			goto next;
+		if ((bp = allocbuf(&buffer, fd, BUFSIZ)) == NULL) {
+next:			close(fd);
+			continue;
+		}
+
+		/* Keep writing after an error so that we stay sync'd up. */
+		for (haderr = i = 0; i < stb.st_size; i += bp->cnt) {
+			amt = bp->cnt;
+			if (i + amt > stb.st_size)
+				amt = stb.st_size - i;
+			if (!haderr) {
+				result = read(fd, bp->buf, amt);
+				if (result != amt)
+					haderr = result >= 0 ? EIO : errno;
+			}
+			if (haderr)
+				des_write(rem, bp->buf, amt);
+			else {
+				result = des_write(rem, bp->buf, amt);
+				if (result != amt)
+					haderr = result >= 0 ? EIO : errno;
+			}
+		}
+		if (close(fd) && !haderr)
+			haderr = errno;
+		if (!haderr)
+			des_write(rem, "", 1);
+		else
+			run_err("%s: %s", name, strerror(haderr));
+		response();
+	}
+}
+
+void
+rsource(char *name, struct stat *statp)
+{
+	DIR *dirp;
+	struct dirent *dp;
+	char *last, *vect[1], path[MaxPathLen];
+	char *p;
+
+	if (!(dirp = opendir(name))) {
+		run_err("%s: %s", name, strerror(errno));
+		return;
+	}
+	for (p = name + strlen(name) - 1; p >= name && *p == '/'; --p)
+	    *p = '\0';
+
+	last = strrchr(name, '/');
+	if (last == 0)
+		last = name;
+	else
+		last++;
+	if (pflag) {
+		snprintf(path, sizeof(path), "T%ld 0 %ld 0\n",
+		    (long)statp->st_mtime, (long)statp->st_atime);
+		des_write(rem, path, strlen(path));
+		if (response() < 0) {
+			closedir(dirp);
+			return;
+		}
+	}
+	snprintf(path, sizeof(path),
+		 "D%04o %d %s\n", (int)statp->st_mode & MODEMASK, 0, last);
+	des_write(rem, path, strlen(path));
+	if (response() < 0) {
+		closedir(dirp);
+		return;
+	}
+	while ((dp = readdir(dirp))) {
+		if (dp->d_ino == 0)
+			continue;
+		if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+			continue;
+		if (strlen(name) + 1 + strlen(dp->d_name) >= MaxPathLen - 1) {
+			run_err("%s/%s: name too long", name, dp->d_name);
+			continue;
+		}
+		if (snprintf(path, sizeof(path),
+			     "%s/%s", name, dp->d_name) >= sizeof(path)) {
+			run_err("%s/%s: name too long", name, dp->d_name);
+			continue;
+		}
+		vect[0] = path;
+		source(1, vect);
+	}
+	closedir(dirp);
+	des_write(rem, "E\n", 2);
+	response();
+}
+
+static int
+kerberos(char **host, char *bp, char *locuser, char *user)
+{
+        int sock = -1, err;
+
+	if (use_kerberos) {
+	        paranoid_setuid(getuid());
+		rem = KSUCCESS;
+		errno = 0;
+		if (dest_realm == NULL)
+			dest_realm = krb_realmofhost(*host);
+
+#if 0
+		rem = krcmd(host, port, user, bp, 0, dest_realm);
+#else
+		err = kcmd(
+		    &sock,
+		    host,
+		    port,
+		    NULL,	/* locuser not used */
+		    user,
+		    bp,
+		    0,
+		    &ticket,
+		    SERVICE_NAME,
+		    dest_realm,
+		    (CREDENTIALS *) NULL, /* credentials not used */
+		    0,		/* key schedule not used */
+		    (MSG_DAT *) NULL, /* MSG_DAT not used */
+		    (struct sockaddr_in *) NULL, /* local addr not used */
+		    (struct sockaddr_in *) NULL, /* foreign addr not used */
+		    0L);	/* authopts */
+		if (err > KSUCCESS && err < MAX_KRB_ERRORS) {
+		    warnx("kcmd: %s", krb_get_err_text(err));
+		    rem = -1;
+		} else if (err < 0)
+		    rem = -1;
+		else
+		    rem = sock;
+#endif
+		if (rem < 0) {
+			if (errno == ECONNREFUSED)
+			    oldw("remote host doesn't support Kerberos");
+			else if (errno == ENOENT)
+			    oldw("can't provide Kerberos authentication data");
+			execv(_PATH_RCP, argv_copy);
+		}
+	} else {
+		if (doencrypt)
+			errx(1,
+			   "the -x option requires Kerberos authentication");
+		if (geteuid() != 0) {
+		    errx(1, "not installed setuid root, "
+			 "only root may use non kerberized rcp");
+		}
+		rem = rcmd(host, port, locuser, user, bp, 0);
+	}
+	return (rem);
+}
+
+static void
+toremote(char *targ, int argc, char **argv)
+{
+	int i, len;
+#ifdef IP_TOS
+	int tos;
+#endif
+	char *bp, *host, *src, *suser, *thost, *tuser;
+
+	*targ++ = 0;
+	if (*targ == 0)
+		targ = ".";
+
+	if ((thost = strchr(argv[argc - 1], '@'))) {
+		/* user@host */
+		*thost++ = 0;
+		tuser = argv[argc - 1];
+		if (*tuser == '\0')
+			tuser = NULL;
+		else if (!okname(tuser))
+			exit(1);
+	} else {
+		thost = argv[argc - 1];
+		tuser = user_name;
+	}
+
+	for (i = 0; i < argc - 1; i++) {
+		src = colon(argv[i]);
+		if (src) {			/* remote to remote */
+			*src++ = 0;
+			if (*src == 0)
+				src = ".";
+			host = strchr(argv[i], '@');
+			if (host) {
+			    *host++ = 0;
+			    suser = argv[i];
+			    if (*suser == '\0')
+				suser = pwd->pw_name;
+			    else if (!okname(suser))
+				continue;
+			    asprintf(&bp, "%s %s -l %s -n %s %s '%s%s%s:%s'",
+				     _PATH_RSH, host, suser, cmd, src,
+				     tuser ? tuser : "", tuser ? "@" : "",
+				     thost, targ);
+			} else
+			    asprintf(&bp, "exec %s %s -n %s %s '%s%s%s:%s'",
+				     _PATH_RSH, argv[i], cmd, src,
+				     tuser ? tuser : "", tuser ? "@" : "",
+				     thost, targ);
+			if(bp == NULL)
+			    errx(1, "out of memory");
+			susystem(bp, userid);
+			free(bp);
+		} else {			/* local to remote */
+			if (rem == -1) {
+				len = strlen(targ) + CMDNEEDS + 20;
+				if (!(bp = malloc(len)))
+					err(1, " ");
+				snprintf(bp, len, "%s -t %s", cmd, targ);
+				host = thost;
+				if (use_kerberos)
+					rem = kerberos(&host, bp,
+#ifdef __CYGWIN32__
+						       tuser,
+#else
+					    pwd->pw_name,
+#endif
+					    tuser ? tuser : pwd->pw_name);
+				else
+					rem = rcmd(&host, port,
+#ifdef __CYGWIN32__
+						   tuser,
+#else
+						   pwd->pw_name,
+#endif
+					    tuser ? tuser : pwd->pw_name,
+					    bp, 0);
+				if (rem < 0)
+					exit(1);
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+				tos = IPTOS_THROUGHPUT;
+				if (setsockopt(rem, IPPROTO_IP, IP_TOS,
+				    (void *)&tos, sizeof(int)) < 0)
+					warn("TOS (ignored)");
+#endif /* IP_TOS */
+				if (doencrypt)
+				    send_auth(host, dest_realm);
+				if (response() < 0)
+					exit(1);
+				free(bp);
+				paranoid_setuid(userid);
+			}
+			source(1, argv+i);
+		}
+	}
+}
+
+static void
+sink(int argc, char **argv)
+{
+	static BUF buffer;
+	struct stat stb;
+	struct timeval tv[2];
+	enum { YES, NO, DISPLAYED } wrerr;
+	BUF *bp;
+	off_t i, j;
+	int amt, count, exists, first, mask, mode, ofd, omode;
+	int setimes, size, targisdir, wrerrno=0;
+	char ch, *cp, *np, *targ, *why, *vect[1], buf[BUFSIZ];
+
+#define	atime	tv[0]
+#define	mtime	tv[1]
+#define	SCREWUP(str)	{ why = str; goto screwup; }
+
+	setimes = targisdir = 0;
+	mask = umask(0);
+	if (!pflag)
+		umask(mask);
+	if (argc != 1) {
+		run_err("ambiguous target");
+		exit(1);
+	}
+	targ = *argv;
+	if (targetshouldbedirectory)
+		verifydir(targ);
+	des_write(rem, "", 1);
+	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+		targisdir = 1;
+	for (first = 1;; first = 0) {
+		cp = buf;
+		if (des_read(rem, cp, 1) <= 0)
+			return;
+		if (*cp++ == '\n')
+			SCREWUP("unexpected <newline>");
+		do {
+			if (des_read(rem, &ch, sizeof(ch)) != sizeof(ch))
+				SCREWUP("lost connection");
+			*cp++ = ch;
+		} while (cp < &buf[BUFSIZ - 1] && ch != '\n');
+		*cp = 0;
+
+		if (buf[0] == '\01' || buf[0] == '\02') {
+			if (iamremote == 0)
+				write(STDERR_FILENO,
+				    buf + 1, strlen(buf + 1));
+			if (buf[0] == '\02')
+				exit(1);
+			++errs;
+			continue;
+		}
+		if (buf[0] == 'E') {
+			des_write(rem, "", 1);
+			return;
+		}
+
+		if (ch == '\n')
+			*--cp = 0;
+
+#define getnum(t)					\
+		do {					\
+		    (t) = 0;				\
+		    while (isdigit((unsigned char)*cp))	\
+			(t) = (t) * 10 + (*cp++ - '0');	\
+		} while(0)
+
+		cp = buf;
+		if (*cp == 'T') {
+			setimes++;
+			cp++;
+			getnum(mtime.tv_sec);
+			if (*cp++ != ' ')
+				SCREWUP("mtime.sec not delimited");
+			getnum(mtime.tv_usec);
+			if (*cp++ != ' ')
+				SCREWUP("mtime.usec not delimited");
+			getnum(atime.tv_sec);
+			if (*cp++ != ' ')
+				SCREWUP("atime.sec not delimited");
+			getnum(atime.tv_usec);
+			if (*cp++ != '\0')
+				SCREWUP("atime.usec not delimited");
+			des_write(rem, "", 1);
+			continue;
+		}
+		if (*cp != 'C' && *cp != 'D') {
+			/*
+			 * Check for the case "rcp remote:foo\* local:bar".
+			 * In this case, the line "No match." can be returned
+			 * by the shell before the rcp command on the remote is
+			 * executed so the ^Aerror_message convention isn't
+			 * followed.
+			 */
+			if (first) {
+				run_err("%s", cp);
+				exit(1);
+			}
+			SCREWUP("expected control record");
+		}
+		mode = 0;
+		for (++cp; cp < buf + 5; cp++) {
+			if (*cp < '0' || *cp > '7')
+				SCREWUP("bad mode");
+			mode = (mode << 3) | (*cp - '0');
+		}
+		if (*cp++ != ' ')
+			SCREWUP("mode not delimited");
+
+		for (size = 0; isdigit((unsigned char)*cp);)
+			size = size * 10 + (*cp++ - '0');
+		if (*cp++ != ' ')
+			SCREWUP("size not delimited");
+		if (targisdir) {
+			static char *namebuf;
+			static int cursize;
+			size_t need;
+
+			need = strlen(targ) + strlen(cp) + 250;
+			if (need > cursize) {
+				if (!(namebuf = malloc(need)))
+					run_err("%s", strerror(errno));
+			}
+			snprintf(namebuf, need, "%s%s%s", targ,
+			    *targ ? "/" : "", cp);
+			np = namebuf;
+		} else
+			np = targ;
+		exists = stat(np, &stb) == 0;
+		if (buf[0] == 'D') {
+			int mod_flag = pflag;
+			if (exists) {
+				if (!S_ISDIR(stb.st_mode)) {
+					errno = ENOTDIR;
+					goto bad;
+				}
+				if (pflag)
+					chmod(np, mode);
+			} else {
+				/* Handle copying from a read-only directory */
+				mod_flag = 1;
+				if (mkdir(np, mode | S_IRWXU) < 0)
+					goto bad;
+			}
+			vect[0] = np;
+			sink(1, vect);
+			if (setimes) {
+			        struct utimbuf times;
+				times.actime = atime.tv_sec;
+				times.modtime = mtime.tv_sec;
+				setimes = 0;
+				if (utime(np, &times) < 0)
+				    run_err("%s: set times: %s",
+					    np, strerror(errno));
+			}
+			if (mod_flag)
+				chmod(np, mode);
+			continue;
+		}
+		omode = mode;
+		mode |= S_IWRITE;
+		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
+bad:			run_err("%s: %s", np, strerror(errno));
+			continue;
+		}
+		des_write(rem, "", 1);
+		if ((bp = allocbuf(&buffer, ofd, BUFSIZ)) == NULL) {
+			close(ofd);
+			continue;
+		}
+		cp = bp->buf;
+		wrerr = NO;
+		for (count = i = 0; i < size; i += BUFSIZ) {
+			amt = BUFSIZ;
+			if (i + amt > size)
+				amt = size - i;
+			count += amt;
+			do {
+				j = des_read(rem, cp, amt);
+				if (j <= 0) {
+					run_err("%s", j ? strerror(errno) :
+						"dropped connection");
+					exit(1);
+				}
+				amt -= j;
+				cp += j;
+			} while (amt > 0);
+			if (count == bp->cnt) {
+				/* Keep reading so we stay sync'd up. */
+				if (wrerr == NO) {
+					j = write(ofd, bp->buf, count);
+					if (j != count) {
+						wrerr = YES;
+						wrerrno = j >= 0 ? EIO : errno; 
+					}
+				}
+				count = 0;
+				cp = bp->buf;
+			}
+		}
+		if (count != 0 && wrerr == NO &&
+		    (j = write(ofd, bp->buf, count)) != count) {
+			wrerr = YES;
+			wrerrno = j >= 0 ? EIO : errno; 
+		}
+		if (ftruncate(ofd, size)) {
+			run_err("%s: truncate: %s", np, strerror(errno));
+			wrerr = DISPLAYED;
+		}
+		if (pflag) {
+			if (exists || omode != mode)
+#ifdef HAVE_FCHMOD
+				if (fchmod(ofd, omode))
+#else
+				if (chmod(np, omode))
+#endif
+					run_err("%s: set mode: %s",
+						np, strerror(errno));
+		} else {
+			if (!exists && omode != mode)
+#ifdef HAVE_FCHMOD
+				if (fchmod(ofd, omode & ~mask))
+#else
+				if (chmod(np, omode & ~mask))
+#endif
+					run_err("%s: set mode: %s",
+						np, strerror(errno));
+		}
+		close(ofd);
+		response();
+		if (setimes && wrerr == NO) {
+		        struct utimbuf times;
+			times.actime = atime.tv_sec;
+			times.modtime = mtime.tv_sec;
+			setimes = 0;
+			if (utime(np, &times) < 0) {
+				run_err("%s: set times: %s",
+					np, strerror(errno));
+				wrerr = DISPLAYED;
+			}
+		}
+		switch(wrerr) {
+		case YES:
+			run_err("%s: %s", np, strerror(wrerrno));
+			break;
+		case NO:
+			des_write(rem, "", 1);
+			break;
+		case DISPLAYED:
+			break;
+		}
+	}
+screwup:
+	run_err("protocol error: %s", why);
+	exit(1);
+}
+
+static void
+tolocal(int argc, char **argv)
+{
+	int i, len;
+#ifdef IP_TOS
+	int tos;
+#endif
+	char *bp, *host, *src, *suser;
+
+	for (i = 0; i < argc - 1; i++) {
+		if (!(src = colon(argv[i]))) {		/* Local to local. */
+			len = strlen(_PATH_CP) + strlen(argv[i]) +
+			    strlen(argv[argc - 1]) + 20;
+			if (!(bp = malloc(len)))
+				err(1, " ");
+			snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP,
+				 iamrecursive ? " -r" : "", pflag ? " -p" : "",
+				 argv[i], argv[argc - 1]);
+			if (susystem(bp, userid))
+				++errs;
+			free(bp);
+			continue;
+		}
+		*src++ = 0;
+		if (*src == 0)
+			src = ".";
+		if ((host = strchr(argv[i], '@')) == NULL) {
+#ifdef __CYGWIN32__
+			errx (1, "Sorry, you need to specify the username");
+#else
+			host = argv[i];
+			suser = pwd->pw_name;
+			if (user_name)
+			    suser = user_name;
+#endif
+		} else {
+			*host++ = 0;
+			suser = argv[i];
+			if (*suser == '\0')
+#ifdef __CYGWIN32__
+			errx (1, "Sorry, you need to specify the username");
+#else
+				suser = pwd->pw_name;
+#endif
+			else if (!okname(suser))
+				continue;
+		}
+		len = strlen(src) + CMDNEEDS + 20;
+		if ((bp = malloc(len)) == NULL)
+			err(1, " ");
+		snprintf(bp, len, "%s -f %s", cmd, src);
+		rem = 
+		    use_kerberos ? 
+			kerberos(&host, bp,
+#ifndef __CYGWIN32__
+				 pwd->pw_name,
+#else
+				 suser,
+#endif
+				 suser) : 
+			rcmd(&host, port,
+#ifndef __CYGWIN32__
+			     pwd->pw_name,
+#else
+			     suser,
+#endif
+			     suser, bp, 0);
+		free(bp);
+		if (rem < 0) {
+			++errs;
+			continue;
+		}
+		seteuid(userid);
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+		tos = IPTOS_THROUGHPUT;
+		if (setsockopt(rem, IPPROTO_IP, IP_TOS, (void *)&tos,
+			       sizeof(int)) < 0)
+			warn("TOS (ignored)");
+#endif /* IP_TOS */
+		if (doencrypt)
+			send_auth(host, dest_realm);
+		sink(1, argv + argc - 1);
+		seteuid(0);
+		close(rem);
+		rem = -1;
+	}
+}
+
+
+int
+main(int argc, char **argv)
+{
+	int ch, fflag, tflag;
+	char *targ;
+	int i;
+
+	set_progname(argv[0]);
+
+	/*
+	 * Prepare for execing ourselves.
+	 */
+
+	argc_copy = argc + 1;
+	argv_copy = malloc((argc_copy + 1) * sizeof(*argv_copy));
+	if (argv_copy == NULL)
+	    err(1, "malloc");
+	argv_copy[0] = argv[0];
+	argv_copy[1] = "-K";
+	for(i = 1; i < argc; ++i) {
+	    argv_copy[i + 1] = strdup(argv[i]);
+	    if (argv_copy[i + 1] == NULL)
+		errx(1, "strdup: out of memory");
+	}
+	argv_copy[argc + 1] = NULL;
+
+
+	fflag = tflag = 0;
+	while ((ch = getopt(argc, argv, OPTIONS)) != -1)
+		switch(ch) {			/* User-visible flags. */
+		case 'K':
+			use_kerberos = 0;
+			break;
+		case 'k':
+			dest_realm = dst_realm_buf;
+			strlcpy(dst_realm_buf, optarg, REALM_SZ);
+			break;
+		case 'x':
+			doencrypt = 1;
+			LEFT_JUSTIFIED = 1;
+			break;
+		case 'p':
+			pflag = 1;
+			break;
+		case 'r':
+			iamrecursive = 1;
+			break;
+						/* Server options. */
+		case 'd':
+			targetshouldbedirectory = 1;
+			break;
+		case 'f':			/* "from" */
+			iamremote = 1;
+			fflag = 1;
+			break;
+		case 't':			/* "to" */
+			iamremote = 1;
+			tflag = 1;
+			break;
+		case 'l':
+		        user_name = optarg;
+			break;
+		case '?':
+		default:
+			usage();
+		}
+	argc -= optind;
+	argv += optind;
+
+	/* Rcp implements encrypted file transfer without using the
+	 * kshell service, pass 0 for no encryption */
+	port = get_shell_port(use_kerberos, 0);
+
+	userid = getuid();
+
+#ifndef __CYGWIN32__
+	if ((pwd = k_getpwuid(userid)) == NULL)
+		errx(1, "unknown user %d", (int)userid);
+#endif
+
+	rem = STDIN_FILENO;		/* XXX */
+
+	if (fflag || tflag) {
+	    if (doencrypt)
+		answer_auth();
+	    if(fflag)
+		response();
+	    if(do_osfc2_magic(pwd->pw_uid))
+		exit(1);
+	    paranoid_setuid(userid);
+	    if (k_hasafs()) {
+		/* Sometimes we will need cell specific tokens
+		 * to be able to read and write files, thus,
+		 * the token stuff done in rshd might not
+		 * suffice.
+		 */
+		char cell[64];
+		if (k_afs_cell_of_file(pwd->pw_dir,
+				       cell, sizeof(cell)) == 0)
+		    krb_afslog(cell, 0);
+		krb_afslog(0, 0);
+	    }
+	    if(fflag)
+		source(argc, argv);
+	    else
+		sink(argc, argv);
+	    exit(errs);
+	}
+
+	if (argc < 2)
+		usage();
+	if (argc > 2)
+		targetshouldbedirectory = 1;
+
+	rem = -1;
+	/* Command to be executed on remote system using "rsh". */
+	snprintf(cmd, sizeof(cmd),
+		 "rcp%s%s%s%s", iamrecursive ? " -r" : "",
+		 (doencrypt && use_kerberos ? " -x" : ""),
+		 pflag ? " -p" : "", targetshouldbedirectory ? " -d" : "");
+
+	signal(SIGPIPE, lostconn);
+
+	if ((targ = colon(argv[argc - 1])))	/* Dest is remote host. */
+		toremote(targ, argc, argv);
+	else {
+		tolocal(argc, argv);		/* Dest is local host. */
+		if (targetshouldbedirectory)
+			verifydir(argv[argc - 1]);
+	}
+	exit(errs);
+}
diff --git a/crypto/kerberosIV/appl/bsd/rcp_util.c b/crypto/kerberosIV/appl/bsd/rcp_util.c
new file mode 100644
index 0000000..54233af
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/rcp_util.c
@@ -0,0 +1,99 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: rcp_util.c,v 1.8 1998/09/28 11:45:21 joda Exp $");
+
+char *
+colon(char *cp)
+{
+	if (*cp == ':')		/* Leading colon is part of file name. */
+		return (0);
+
+	for (; *cp; ++cp) {
+		if (*cp == ':')
+			return (cp);
+		if (*cp == '/')
+			return (0);
+	}
+	return (0);
+}
+
+int
+okname(char *cp0)
+{
+	int c;
+	char *cp;
+
+	cp = cp0;
+	do {
+		c = *cp;
+		if (c & 0200)
+			goto bad;
+		if (!isalpha(c) && !isdigit(c) && c != '_' && c != '-')
+			goto bad;
+	} while (*++cp);
+	return (1);
+
+bad:	warnx("%s: invalid user name", cp0);
+	return (0);
+}
+
+int
+susystem(char *s, int userid)
+{
+    RETSIGTYPE (*istat)(), (*qstat)();
+    int status;
+    pid_t pid;
+
+    pid = fork();
+    switch (pid) {
+    case -1:
+	return (127);
+	
+    case 0:
+	if(do_osfc2_magic(userid))
+	    exit(1);
+	setuid(userid);
+	execl(_PATH_BSHELL, "sh", "-c", s, NULL);
+	_exit(127);
+    }
+    istat = signal(SIGINT, SIG_IGN);
+    qstat = signal(SIGQUIT, SIG_IGN);
+    if (waitpid(pid, &status, 0) < 0)
+	status = -1;
+    signal(SIGINT, istat);
+    signal(SIGQUIT, qstat);
+    return (status);
+}
diff --git a/crypto/kerberosIV/appl/bsd/rlogin.c b/crypto/kerberosIV/appl/bsd/rlogin.c
new file mode 100644
index 0000000..60bed67
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/rlogin.c
@@ -0,0 +1,711 @@
+/*
+ * Copyright (c) 1983, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * rlogin - remote login
+ */
+#include "bsd_locl.h"
+
+RCSID("$Id: rlogin.c,v 1.67.2.2 2000/10/10 12:54:26 assar Exp $");
+
+CREDENTIALS cred;
+Key_schedule schedule;
+int use_kerberos = 1, doencrypt;
+char dst_realm_buf[REALM_SZ], *dest_realm = NULL;
+
+#ifndef CCEQ
+#define c2uc(x) ((unsigned char) x)
+#define CCEQ__(val, c)	(c == val ? val != c2uc(_POSIX_VDISABLE) : 0)
+#define CCEQ(val, c) CCEQ__(c2uc(val), c2uc(c))
+#endif
+
+int eight, rem;
+struct termios deftty;
+
+int noescape;
+char escapechar = '~';
+
+struct	winsize winsize;
+
+int parent, rcvcnt;
+char rcvbuf[8 * 1024];
+
+int child;
+
+static void
+echo(char c)
+{
+	char *p;
+	char buf[8];
+
+	p = buf;
+	c &= 0177;
+	*p++ = escapechar;
+	if (c < ' ') {
+		*p++ = '^';
+		*p++ = c + '@';
+	} else if (c == 0177) {
+		*p++ = '^';
+		*p++ = '?';
+	} else
+		*p++ = c;
+	*p++ = '\r';
+	*p++ = '\n';
+	write(STDOUT_FILENO, buf, p - buf);
+}
+
+static void
+mode(int f)
+{
+	struct termios tty;
+
+	switch (f) {
+	case 0:
+		tcsetattr(0, TCSANOW, &deftty);
+		break;
+	case 1:
+		tcgetattr(0, &deftty);
+		tty = deftty;
+		/* This is loosely derived from sys/compat/tty_compat.c. */
+		tty.c_lflag &= ~(ECHO|ICANON|ISIG|IEXTEN);
+		tty.c_iflag &= ~ICRNL;
+		tty.c_oflag &= ~OPOST;
+		tty.c_cc[VMIN] = 1;
+		tty.c_cc[VTIME] = 0;
+		if (eight) {
+			tty.c_iflag &= IXOFF;
+			tty.c_cflag &= ~(CSIZE|PARENB);
+			tty.c_cflag |= CS8;
+		}
+		tcsetattr(0, TCSANOW, &tty);
+		break;
+	default:
+		return;
+	}
+}
+
+static void
+done(int status)
+{
+	int w, wstatus;
+
+	mode(0);
+	if (child > 0) {
+		/* make sure catch_child does not snap it up */
+		signal(SIGCHLD, SIG_DFL);
+		if (kill(child, SIGKILL) >= 0)
+			while ((w = wait(&wstatus)) > 0 && w != child);
+	}
+	exit(status);
+}
+
+static
+RETSIGTYPE
+catch_child(int foo)
+{
+	int status;
+	int pid;
+
+	for (;;) {
+		pid = waitpid(-1, &status, WNOHANG|WUNTRACED);
+		if (pid == 0)
+			return;
+		/* if the child (reader) dies, just quit */
+		if (pid < 0 || (pid == child && !WIFSTOPPED(status)))
+			done(WTERMSIG(status) | WEXITSTATUS(status));
+	}
+	/* NOTREACHED */
+}
+
+/*
+ * There is a race in the SunOS5 rlogind. If the slave end has not yet
+ * been opened by the child when setting tty size the size is reset to
+ * zero when the child opens it. Therefore we send the window update
+ * twice.
+ */
+
+static int tty_kludge = 1;
+
+/* Return the number of OOB bytes processed. */
+static int
+oob_real(void)
+{
+	struct termios tty;
+	int atmark, n, out, rcvd;
+	char waste[BUFSIZ], mark;
+
+	out = O_RDWR;
+	rcvd = 0;
+	if (recv(rem, &mark, 1, MSG_OOB) < 0) {
+		return -1;
+	}
+	if (mark & TIOCPKT_WINDOW) {
+		/* Let server know about window size changes */
+		kill(parent, SIGUSR1);
+	} else if (tty_kludge) {
+		/* Let server know about window size changes */
+		kill(parent, SIGUSR1);
+		tty_kludge = 0;
+	}
+	if (!eight && (mark & TIOCPKT_NOSTOP)) {
+		tcgetattr(0, &tty);
+		tty.c_iflag &= ~IXON;
+		tcsetattr(0, TCSANOW, &tty);
+	}
+	if (!eight && (mark & TIOCPKT_DOSTOP)) {
+		tcgetattr(0, &tty);
+		tty.c_iflag |= (deftty.c_iflag & IXON);
+		tcsetattr(0, TCSANOW, &tty);
+	}
+	if (mark & TIOCPKT_FLUSHWRITE) {
+#ifdef TCOFLUSH
+		tcflush(1, TCOFLUSH);
+#else
+		ioctl(1, TIOCFLUSH, (char *)&out);
+#endif
+		for (;;) {
+			if (ioctl(rem, SIOCATMARK, &atmark) < 0) {
+			    warn("ioctl");
+			    break;
+			}
+			if (atmark)
+				break;
+			n = read(rem, waste, sizeof (waste));
+			if (n <= 0)
+				break;
+		}
+		/*
+		 * Don't want any pending data to be output, so clear the recv
+		 * buffer.  If we were hanging on a write when interrupted,
+		 * don't want it to restart.  If we were reading, restart
+		 * anyway.
+		 */
+		rcvcnt = 0;
+	}
+
+	/* oob does not do FLUSHREAD (alas!) */
+	return 1;
+}
+
+/* reader: read from remote: line -> 1 */
+static int
+reader(void)
+{
+	int n, remaining;
+	char *bufp;
+	int kludgep = 1;
+
+	bufp = rcvbuf;
+	for (;;) {
+	        fd_set readfds, exceptfds;
+		while ((remaining = rcvcnt - (bufp - rcvbuf)) > 0) {
+			n = write(STDOUT_FILENO, bufp, remaining);
+			if (n < 0) {
+				if (errno != EINTR)
+					return (-1);
+				continue;
+			}
+			bufp += n;
+		}
+		bufp = rcvbuf;
+		rcvcnt = 0;
+
+		FD_ZERO (&readfds);
+		if (rem >= FD_SETSIZE)
+		    errx (1, "fd too large");
+		FD_SET (rem, &readfds);
+		FD_ZERO (&exceptfds);
+		if (kludgep)
+		  FD_SET (rem, &exceptfds);
+		if (select(rem+1, &readfds, 0, &exceptfds, 0) == -1) {
+		    if (errno == EINTR)
+			continue; /* Got signal */
+		    else
+			errx(1, "select failed mysteriously");
+		}
+
+		if (!FD_ISSET(rem, &exceptfds) && !FD_ISSET(rem, &readfds)) {
+		    warnx("select: nothing to read?");
+		    continue;
+		  }
+
+		if (FD_ISSET(rem, &exceptfds)) {
+		  int foo = oob_real ();
+		  if (foo >= 1)
+		    continue;	/* First check if there is more OOB data. */
+		  else if (foo < 0)
+		    kludgep = 0;
+		}
+
+		if (!FD_ISSET(rem, &readfds))
+		    continue;	/* Nothing to read. */
+
+		kludgep = 1;
+#ifndef NOENCRYPTION
+		if (doencrypt)
+			rcvcnt = des_enc_read(rem, rcvbuf,
+					      sizeof(rcvbuf),
+					      schedule, &cred.session);
+		else
+#endif
+			rcvcnt = read(rem, rcvbuf, sizeof (rcvbuf));
+		if (rcvcnt == 0)
+			return (0);
+		if (rcvcnt < 0) {
+			if (errno == EINTR)
+				continue;
+			warn("read");
+			return (-1);
+		}
+	}
+}
+
+/*
+ * Send the window size to the server via the magic escape
+ */
+static void
+sendwindow(void)
+{
+	char obuf[4 + 4 * sizeof (u_int16_t)];
+	unsigned short *p;
+
+	p = (u_int16_t *)(obuf + 4);
+	obuf[0] = 0377;
+	obuf[1] = 0377;
+	obuf[2] = 's';
+	obuf[3] = 's';
+	*p++ = htons(winsize.ws_row);
+	*p++ = htons(winsize.ws_col);
+#ifdef HAVE_WS_XPIXEL
+	*p++ = htons(winsize.ws_xpixel);
+#else
+	*p++ = htons(0);
+#endif	
+#ifdef HAVE_WS_YPIXEL
+	*p++ = htons(winsize.ws_ypixel);
+#else
+	*p++ = htons(0);
+#endif	
+
+#ifndef NOENCRYPTION
+	if(doencrypt)
+		des_enc_write(rem, obuf, sizeof(obuf), schedule,
+			      &cred.session);
+	else
+#endif
+		write(rem, obuf, sizeof(obuf));
+}
+
+static
+RETSIGTYPE
+sigwinch(int foo)
+{
+	struct winsize ws;
+
+	if (get_window_size(0, &ws) == 0 &&
+	    memcmp(&ws, &winsize, sizeof(ws))) {
+		winsize = ws;
+		sendwindow();
+	}
+}
+
+static void
+stop(int all)
+{
+	mode(0);
+	signal(SIGCHLD, SIG_IGN);
+	kill(all ? 0 : getpid(), SIGTSTP);
+	signal(SIGCHLD, catch_child);
+	mode(1);
+#ifdef SIGWINCH
+	kill(SIGWINCH, getpid()); /* check for size changes, if caught */
+#endif
+}
+
+/*
+ * writer: write to remote: 0 -> line.
+ * ~.				terminate
+ * ~^Z				suspend rlogin process.
+ * ~<delayed-suspend char>	suspend rlogin process, but leave reader alone.
+ */
+static void
+writer(void)
+{
+	int bol, local, n;
+	char c;
+
+	bol = 1;			/* beginning of line */
+	local = 0;
+	for (;;) {
+		n = read(STDIN_FILENO, &c, 1);
+		if (n <= 0) {
+			if (n < 0 && errno == EINTR)
+				continue;
+			break;
+		}
+		/*
+		 * If we're at the beginning of the line and recognize a
+		 * command character, then we echo locally.  Otherwise,
+		 * characters are echo'd remotely.  If the command character
+		 * is doubled, this acts as a force and local echo is
+		 * suppressed.
+		 */
+		if (bol) {
+			bol = 0;
+			if (!noescape && c == escapechar) {
+				local = 1;
+				continue;
+			}
+		} else if (local) {
+			local = 0;
+			if (c == '.' || CCEQ(deftty.c_cc[VEOF], c)) {
+				echo(c);
+				break;
+			}
+			if (CCEQ(deftty.c_cc[VSUSP], c)) {
+				bol = 1;
+				echo(c);
+				stop(1);
+				continue;
+			}
+#ifdef VDSUSP
+			/* Is VDSUSP called something else on Linux?
+			 * Perhaps VDELAY is a better thing? */		
+			if (CCEQ(deftty.c_cc[VDSUSP], c)) {
+				bol = 1;
+				echo(c);
+				stop(0);
+				continue;
+			}
+#endif /* VDSUSP */
+			if (c != escapechar) {
+#ifndef NOENCRYPTION
+				if (doencrypt)
+					des_enc_write(rem, &escapechar,1, schedule, &cred.session);
+				else
+#endif
+					write(rem, &escapechar, 1);
+			}
+		}
+
+		if (doencrypt) {
+#ifdef NOENCRYPTION
+			if (write(rem, &c, 1) == 0) {
+#else
+			if (des_enc_write(rem, &c, 1, schedule, &cred.session) == 0) {
+#endif
+				warnx("line gone");
+				break;
+			}
+		} else
+			if (write(rem, &c, 1) == 0) {
+				warnx("line gone");
+				break;
+			}
+		bol = CCEQ(deftty.c_cc[VKILL], c) ||
+		    CCEQ(deftty.c_cc[VEOF], c) ||
+		    CCEQ(deftty.c_cc[VINTR], c) ||
+		    CCEQ(deftty.c_cc[VSUSP], c) ||
+		    c == '\r' || c == '\n';
+	}
+}
+
+static
+RETSIGTYPE
+lostpeer(int foo)
+{
+	signal(SIGPIPE, SIG_IGN);
+	warnx("\aconnection closed.\r");
+	done(1);
+}
+
+/*
+ * This is called in the parent when the reader process gets the
+ * out-of-band (urgent) request to turn on the window-changing
+ * protocol. It is signalled from the child(reader).
+ */
+static
+RETSIGTYPE
+sigusr1(int foo)
+{
+        /*
+	 * Now we now daemon supports winsize hack,
+	 */
+	sendwindow();
+#ifdef SIGWINCH
+	signal(SIGWINCH, sigwinch); /* so we start to support it */
+#endif
+	SIGRETURN(0);
+}
+
+static void
+doit(void)
+{
+	signal(SIGINT, SIG_IGN);
+	signal(SIGHUP, SIG_IGN);
+	signal(SIGQUIT, SIG_IGN);
+
+	signal(SIGCHLD, catch_child);
+
+	/*
+	 * Child sends parent this signal for window size hack.
+	 */
+	signal(SIGUSR1, sigusr1);
+
+	signal(SIGPIPE, lostpeer);
+
+	mode(1);
+	parent = getpid();
+	child = fork();
+	if (child == -1) {
+	    warn("fork");
+	    done(1);
+	}
+	if (child == 0) {
+	        signal(SIGCHLD, SIG_IGN);
+	        signal(SIGTTOU, SIG_IGN);
+		if (reader() == 0)
+		    errx(1, "connection closed.\r");
+		sleep(1);
+		errx(1, "\aconnection closed.\r");
+	}
+
+	writer();
+	warnx("closed connection.\r");
+	done(0);
+}
+
+static void
+usage(void)
+{
+    fprintf(stderr,
+	    "usage: rlogin [ -%s]%s[-e char] [ -l username ] host\n",
+	    "8DEKLdx", " [-k realm] ");
+    exit(1);
+}
+
+static u_int
+getescape(char *p)
+{
+	long val;
+	int len;
+
+	if ((len = strlen(p)) == 1)	/* use any single char, including '\' */
+		return ((u_int)*p);
+					/* otherwise, \nnn */
+	if (*p == '\\' && len >= 2 && len <= 4) {
+		val = strtol(++p, NULL, 8);
+		for (;;) {
+			if (!*++p)
+				return ((u_int)val);
+			if (*p < '0' || *p > '8')
+				break;
+		}
+	}
+	warnx("illegal option value -- e");
+	usage();
+	return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+	struct passwd *pw;
+	int sv_port, user_port = 0;
+	int argoff, ch, dflag, Dflag, one, uid;
+	char *host, *user, term[1024];
+
+	argoff = dflag = Dflag = 0;
+	one = 1;
+	host = user = NULL;
+
+	set_progname(argv[0]);
+
+	/* handle "rlogin host flags" */
+	if (argc > 2 && argv[1][0] != '-') {
+	    host = argv[1];
+	    argoff = 1;
+	}
+
+#define	OPTIONS	"8DEKLde:k:l:xp:"
+	while ((ch = getopt(argc - argoff, argv + argoff, OPTIONS)) != -1)
+		switch(ch) {
+		case '8':
+			eight = 1;
+			break;
+		case 'D':
+		        Dflag = 1;
+			break;
+		case 'E':
+			noescape = 1;
+			break;
+		case 'K':
+			use_kerberos = 0;
+			break;
+		case 'd':
+			dflag = 1;
+			break;
+		case 'e':
+			noescape = 0;
+			escapechar = getescape(optarg);
+			break;
+		case 'k':
+			dest_realm = dst_realm_buf;
+			strlcpy(dest_realm, optarg, REALM_SZ);
+			break;
+		case 'l':
+			user = optarg;
+			break;
+		case 'x':
+			doencrypt = 1;
+			break;
+		case 'p': {
+		    char *endptr;
+
+		    user_port = strtol (optarg, &endptr, 0);
+		    if (user_port == 0 && optarg == endptr)
+			errx (1, "Bad port `%s'", optarg);
+		    user_port = htons(user_port);
+		    break;
+		}
+		case '?':
+		default:
+			usage();
+		}
+	optind += argoff;
+
+	/* if haven't gotten a host yet, do so */
+	if (!host && !(host = argv[optind++]))
+		usage();
+
+	if (argv[optind])
+		usage();
+
+	if (!(pw = k_getpwuid(uid = getuid())))
+	    errx(1, "unknown user id.");
+	if (!user)
+	    user = pw->pw_name;
+
+	if (user_port)
+		sv_port = user_port;
+	else
+		sv_port = get_login_port(use_kerberos, doencrypt);
+
+	{
+	    char *p = getenv("TERM");
+	    struct termios tty;
+	    int i;
+
+	    if (p == NULL)
+		p = "network";
+
+	    if (tcgetattr(0, &tty) == 0
+		&& (i = speed_t2int (cfgetospeed(&tty))) > 0)
+		snprintf (term, sizeof(term),
+			  "%s/%d",
+			  p, i);
+	    else
+		snprintf (term, sizeof(term),
+			  "%s",
+			  p);
+	}
+
+	get_window_size(0, &winsize);
+
+	if (use_kerberos) {
+	        paranoid_setuid(getuid());
+		rem = KSUCCESS;
+		errno = 0;
+		if (dest_realm == NULL)
+		    dest_realm = krb_realmofhost(host);
+
+		if (doencrypt)
+		    rem = krcmd_mutual(&host, sv_port, user, term, 0,
+				       dest_realm, &cred, schedule);
+		else
+		    rem = krcmd(&host, sv_port, user, term, 0,
+				dest_realm);
+		if (rem < 0) {
+		    int i;
+		    char **newargv;
+
+		    if (errno == ECONNREFUSED)
+			warning("remote host doesn't support Kerberos");
+		    if (errno == ENOENT)
+			warning("can't provide Kerberos auth data");
+		    newargv = malloc((argc + 2) * sizeof(*newargv));
+		    if (newargv == NULL)
+			err(1, "malloc");
+		    newargv[0] = argv[0];
+		    newargv[1] = "-K";
+		    for(i = 1; i < argc; ++i)
+			newargv[i + 1] = argv[i];
+		    newargv[argc + 1] = NULL;
+		    execv(_PATH_RLOGIN, newargv);
+		}
+	} else {
+		if (doencrypt)
+		    errx(1, "the -x flag requires Kerberos authentication.");
+		if (geteuid() != 0)
+		    errx(1, "not installed setuid root, "
+			 "only root may use non kerberized rlogin");
+		rem = rcmd(&host, sv_port, pw->pw_name, user, term, 0);
+	}
+	
+	if (rem < 0)
+		exit(1);
+
+#ifdef HAVE_SETSOCKOPT
+#ifdef SO_DEBUG
+	if (dflag &&
+	    setsockopt(rem, SOL_SOCKET, SO_DEBUG, (void *)&one,
+		       sizeof(one)) < 0)
+	    warn("setsockopt");
+#endif
+#ifdef TCP_NODELAY
+	if (Dflag &&
+	    setsockopt(rem, IPPROTO_TCP, TCP_NODELAY, (void *)&one,
+		       sizeof(one)) < 0)
+	    warn("setsockopt(TCP_NODELAY)");
+#endif
+#ifdef IP_TOS
+	one = IPTOS_LOWDELAY;
+	if (setsockopt(rem, IPPROTO_IP, IP_TOS, (void *)&one, sizeof(int)) < 0)
+	    warn("setsockopt(IP_TOS)");
+#endif /* IP_TOS */
+#endif /* HAVE_SETSOCKOPT */
+
+	paranoid_setuid(uid);
+	doit();
+	return 0;
+}
diff --git a/crypto/kerberosIV/appl/bsd/rlogind.c b/crypto/kerberosIV/appl/bsd/rlogind.c
new file mode 100644
index 0000000..eae2dd6
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/rlogind.c
@@ -0,0 +1,970 @@
+/*-
+ * Copyright (c) 1983, 1988, 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * remote login server:
+ *	\0
+ *	remuser\0
+ *	locuser\0
+ *	terminal_type/speed\0
+ *	data
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: rlogind.c,v 1.109.2.2 2000/06/23 02:37:06 assar Exp $");
+
+extern int __check_rhosts_file;
+
+char *INSECURE_MESSAGE =
+"\r\n*** Connection not encrypted! Communication may be eavesdropped. ***"
+"\r\n*** Use telnet or rlogin -x instead! ***\r\n";
+
+#ifndef NOENCRYPTION
+char *SECURE_MESSAGE =
+"This rlogin session is using DES encryption for all transmissions.\r\n";
+#else
+#define	SECURE_MESSAGE INSECURE_MESSAGE
+#endif
+
+AUTH_DAT	*kdata;
+KTEXT		ticket;
+u_char		auth_buf[sizeof(AUTH_DAT)];
+u_char		tick_buf[sizeof(KTEXT_ST)];
+Key_schedule	schedule;
+int		doencrypt, retval, use_kerberos, vacuous;
+
+#define		ARGSTR			"Daip:lnkvxL:"
+
+char	*env[2];
+#define	NMAX 30
+char	lusername[NMAX+1], rusername[NMAX+1];
+static	char term[64] = "TERM=";
+#define	ENVSIZE	(sizeof("TERM=")-1)	/* skip null for concatenation */
+int	keepalive = 1;
+int	check_all = 0;
+int     no_delay = 0;
+
+struct	passwd *pwd;
+
+static const char *new_login = _PATH_LOGIN;
+
+static void	doit (int, struct sockaddr_in *);
+static int	control (int, char *, int);
+static void	protocol (int, int);
+static RETSIGTYPE cleanup (int);
+void	fatal (int, const char *, int);
+static int	do_rlogin (struct sockaddr_in *);
+static void	setup_term (int);
+static int	do_krb_login (struct sockaddr_in *);
+static void	usage (void);
+
+static int
+readstream(int p, char *ibuf, int bufsize)
+{
+#ifndef HAVE_GETMSG
+    return read(p, ibuf, bufsize);
+#else
+    static int flowison = -1;  /* current state of flow: -1 is unknown */
+    static struct strbuf strbufc, strbufd;
+    static unsigned char ctlbuf[BUFSIZ];
+    static int use_read = 1;
+
+    int flags = 0;
+    int ret;
+    struct termios tsp;
+
+    struct iocblk ip;
+    char vstop, vstart;
+    int ixon;
+    int newflow;
+
+    if (use_read)
+	{
+	    ret = read(p, ibuf, bufsize);
+	    if (ret < 0 && errno == EBADMSG)
+		use_read = 0;
+	    else
+		return ret;
+	}
+
+    strbufc.maxlen = BUFSIZ;
+    strbufc.buf = (char *)ctlbuf;
+    strbufd.maxlen = bufsize-1;
+    strbufd.len = 0;
+    strbufd.buf = ibuf+1;
+    ibuf[0] = 0;
+
+    ret = getmsg(p, &strbufc, &strbufd, &flags);
+    if (ret < 0)  /* error of some sort -- probably EAGAIN */
+	return(-1);
+
+    if (strbufc.len <= 0 || ctlbuf[0] == M_DATA) {
+	/* data message */
+	if (strbufd.len > 0) {			/* real data */
+	    return(strbufd.len + 1);	/* count header char */
+	} else {
+	    /* nothing there */
+	    errno = EAGAIN;
+	    return(-1);
+	}
+    }
+
+    /*
+     * It's a control message.  Return 1, to look at the flag we set
+     */
+
+    switch (ctlbuf[0]) {
+    case M_FLUSH:
+	if (ibuf[1] & FLUSHW)
+	    ibuf[0] = TIOCPKT_FLUSHWRITE;
+	return(1);
+
+    case M_IOCTL:
+	memcpy(&ip, (ibuf+1), sizeof(ip));
+
+	switch (ip.ioc_cmd) {
+#ifdef TCSETS
+	case TCSETS:
+	case TCSETSW:
+	case TCSETSF:
+	    memcpy(&tsp,
+		   (ibuf+1 + sizeof(struct iocblk)),
+		   sizeof(tsp));
+	    vstop = tsp.c_cc[VSTOP];
+	    vstart = tsp.c_cc[VSTART];
+	    ixon = tsp.c_iflag & IXON;
+	    break;
+#endif
+	default:
+	    errno = EAGAIN;
+	    return(-1);
+	}
+
+	newflow =  (ixon && (vstart == 021) && (vstop == 023)) ? 1 : 0;
+	if (newflow != flowison) {  /* it's a change */
+	    flowison = newflow;
+	    ibuf[0] = newflow ? TIOCPKT_DOSTOP : TIOCPKT_NOSTOP;
+	    return(1);
+	}
+    }
+
+    /* nothing worth doing anything about */
+    errno = EAGAIN;
+    return(-1);
+#endif
+}
+
+#ifdef HAVE_UTMPX_H
+static int
+rlogind_logout(const char *line)
+{
+    struct utmpx utmpx, *utxp;
+    int ret = 1;
+
+    setutxent ();
+    memset(&utmpx, 0, sizeof(utmpx));
+    utmpx.ut_type = USER_PROCESS;
+    strncpy(utmpx.ut_line, line, sizeof(utmpx.ut_line));
+    utxp = getutxline(&utmpx);
+    if (utxp) {
+	utxp->ut_user[0] = '\0';
+	utxp->ut_type = DEAD_PROCESS;
+#ifdef HAVE_STRUCT_UTMPX_UT_EXIT
+#ifdef _STRUCT___EXIT_STATUS
+	utxp->ut_exit.__e_termination = 0;
+	utxp->ut_exit.__e_exit = 0;
+#elif defined(__osf__) /* XXX */
+	utxp->ut_exit.ut_termination = 0;
+	utxp->ut_exit.ut_exit = 0;
+#else	
+	utxp->ut_exit.e_termination = 0;
+	utxp->ut_exit.e_exit = 0;
+#endif
+#endif
+	gettimeofday(&utxp->ut_tv, NULL);
+	pututxline(utxp);
+#ifdef WTMPX_FILE
+	updwtmpx(WTMPX_FILE, utxp);
+#else
+	ret = 0;
+#endif
+    }
+    endutxent();
+    return ret;
+}
+#else
+static int
+rlogind_logout(const char *line)
+{
+    FILE *fp;
+    struct utmp ut;
+    int rval;
+
+    if (!(fp = fopen(_PATH_UTMP, "r+")))
+	return(0);
+    rval = 1;
+    while (fread(&ut, sizeof(struct utmp), 1, fp) == 1) {
+	if (!ut.ut_name[0] ||
+	    strncmp(ut.ut_line, line, sizeof(ut.ut_line)))
+	    continue;
+	memset(ut.ut_name, 0, sizeof(ut.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+	memset(ut.ut_host, 0, sizeof(ut.ut_host));
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_TYPE
+	ut.ut_type = DEAD_PROCESS;
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_EXIT
+#ifdef _STRUCT___EXIT_STATUS
+	ut.ut_exit.__e_termination = 0;
+	ut.ut_exit.__e_exit = 0;
+#elif defined(__osf__) /* XXX */
+	ut.ut_exit.ut_termination = 0;
+	ut.ut_exit.ut_exit = 0;
+#else	
+	ut.ut_exit.e_termination = 0;
+	ut.ut_exit.e_exit = 0;
+#endif
+#endif
+	ut.ut_time = time(NULL);
+	fseek(fp, (long)-sizeof(struct utmp), SEEK_CUR);
+	fwrite(&ut, sizeof(struct utmp), 1, fp);
+	fseek(fp, (long)0, SEEK_CUR);
+	rval = 0;
+    }
+    fclose(fp);
+    return(rval);
+}
+#endif
+
+#ifndef HAVE_LOGWTMP
+static void
+logwtmp(const char *line, const char *name, const char *host)
+{
+    struct utmp ut;
+    struct stat buf;
+    int fd;
+
+    memset (&ut, 0, sizeof(ut));
+    if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) < 0)
+	return;
+    if (!fstat(fd, &buf)) {
+	strncpy(ut.ut_line, line, sizeof(ut.ut_line));
+	strncpy(ut.ut_name, name, sizeof(ut.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+	strncpy(ut.ut_id, make_id((char *)line), sizeof(ut.ut_id));
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+	strncpy(ut.ut_host, host, sizeof(ut.ut_host));
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_PID
+	ut.ut_pid = getpid();
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_TYPE
+	if(name[0])
+	    ut.ut_type = USER_PROCESS;
+	else
+	    ut.ut_type = DEAD_PROCESS;
+#endif
+	ut.ut_time = time(NULL);
+	if (write(fd, &ut, sizeof(struct utmp)) !=
+	    sizeof(struct utmp))
+	    ftruncate(fd, buf.st_size);
+    }
+    close(fd);
+}
+#endif
+
+int
+main(int argc, char **argv)
+{
+    struct sockaddr_in from;
+    int ch, fromlen, on;
+    int interactive = 0;
+    int portnum = 0;
+
+    set_progname(argv[0]);
+
+    openlog("rlogind", LOG_PID | LOG_CONS, LOG_AUTH);
+
+    opterr = 0;
+    while ((ch = getopt(argc, argv, ARGSTR)) != -1)
+	switch (ch) {
+	case 'D':
+	    no_delay = 1;
+	    break;
+	case 'a':
+	    break;
+	case 'i':
+	    interactive = 1;
+	    break;
+	case 'p':
+	    portnum = htons(atoi(optarg));
+	    break;
+	case 'l':
+	    __check_rhosts_file = 0;
+	    break;
+	case 'n':
+	    keepalive = 0;
+	    break;
+	case 'k':
+	    use_kerberos = 1;
+	    break;
+	case 'v':
+	    vacuous = 1;
+	    break;
+	case 'x':
+	    doencrypt = 1;
+	    break;
+	case 'L':
+	    new_login = optarg;
+	    break;
+	case '?':
+	default:
+	    usage();
+	    break;
+	}
+    argc -= optind;
+    argv += optind;
+
+    if (use_kerberos && vacuous) {
+	usage();
+	fatal(STDERR_FILENO, "only one of -k and -v allowed", 0);
+    }
+    if (interactive) {
+	if(portnum == 0)
+	    portnum = get_login_port (use_kerberos, doencrypt);
+	mini_inetd (portnum);
+    }
+
+    fromlen = sizeof (from);
+    if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) {
+	syslog(LOG_ERR,"Can't get peer name of remote host: %m");
+	fatal(STDERR_FILENO, "Can't get peer name of remote host", 1);
+    }
+    on = 1;
+#ifdef HAVE_SETSOCKOPT
+#ifdef SO_KEEPALIVE
+    if (keepalive &&
+	setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
+		   sizeof (on)) < 0)
+	syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
+#endif
+#ifdef TCP_NODELAY
+    if (no_delay &&
+	setsockopt(0, IPPROTO_TCP, TCP_NODELAY, (void *)&on,
+		   sizeof(on)) < 0)
+	syslog(LOG_WARNING, "setsockopt (TCP_NODELAY): %m");
+#endif
+
+#ifdef IP_TOS
+    on = IPTOS_LOWDELAY;
+    if (setsockopt(0, IPPROTO_IP, IP_TOS, (void *)&on, sizeof(int)) < 0)
+	syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+#endif
+#endif /* HAVE_SETSOCKOPT */
+    doit(0, &from);
+    return 0;
+}
+
+int	child;
+int	netf;
+char	line[MaxPathLen];
+int	confirmed;
+
+struct winsize win = { 0, 0, 0, 0 };
+
+
+static void
+doit(int f, struct sockaddr_in *fromp)
+{
+    int master, pid, on = 1;
+    int authenticated = 0;
+    char hostname[2 * MaxHostNameLen + 1];
+    char c;
+
+    alarm(60);
+    read(f, &c, 1);
+
+    if (c != 0)
+	exit(1);
+    if (vacuous)
+	fatal(f, "Remote host requires Kerberos authentication", 0);
+
+    alarm(0);
+    inaddr2str (fromp->sin_addr, hostname, sizeof(hostname));
+
+    if (use_kerberos) {
+	retval = do_krb_login(fromp);
+	if (retval == 0)
+	    authenticated++;
+	else if (retval > 0)
+	    fatal(f, krb_get_err_text(retval), 0);
+	write(f, &c, 1);
+	confirmed = 1;		/* we sent the null! */
+    } else {
+	fromp->sin_port = ntohs((u_short)fromp->sin_port);
+	if (fromp->sin_family != AF_INET ||
+	    fromp->sin_port >= IPPORT_RESERVED ||
+	    fromp->sin_port < IPPORT_RESERVED/2) {
+	    syslog(LOG_NOTICE, "Connection from %s on illegal port",
+		   inet_ntoa(fromp->sin_addr));
+	    fatal(f, "Permission denied", 0);
+	}
+	ip_options_and_die (0, fromp);
+	if (do_rlogin(fromp) == 0)
+	    authenticated++;
+    }
+    if (confirmed == 0) {
+	write(f, "", 1);
+	confirmed = 1;		/* we sent the null! */
+    }
+#ifndef NOENCRYPTION
+    if (doencrypt)
+	des_enc_write(f, SECURE_MESSAGE,
+		      strlen(SECURE_MESSAGE),
+		      schedule, &kdata->session);
+    else
+#endif
+	write(f, INSECURE_MESSAGE, strlen(INSECURE_MESSAGE));
+    netf = f;
+
+#ifdef HAVE_FORKPTY
+    pid = forkpty(&master, line, NULL, NULL);
+#else
+    pid = forkpty_truncate(&master, line, sizeof(line), NULL, NULL);
+#endif
+    if (pid < 0) {
+	if (errno == ENOENT)
+	    fatal(f, "Out of ptys", 0);
+	else
+	    fatal(f, "Forkpty", 1);
+    }
+    if (pid == 0) {
+	if (f > 2)	/* f should always be 0, but... */
+	    close(f);
+	setup_term(0);
+	if (lusername[0] == '-'){
+	    syslog(LOG_ERR, "tried to pass user \"%s\" to login",
+		   lusername);
+	    fatal(STDERR_FILENO, "invalid user", 0);
+	}
+	if (authenticated) {
+	    if (use_kerberos && (pwd->pw_uid == 0))
+		syslog(LOG_INFO|LOG_AUTH,
+		       "ROOT Kerberos login from %s on %s\n",
+		       krb_unparse_name_long(kdata->pname, 
+					     kdata->pinst, 
+					     kdata->prealm), 
+		       hostname);
+		    
+	    execl(new_login, "login", "-p",
+		  "-h", hostname, "-f", "--", lusername, 0);
+	} else if (use_kerberos) {
+	    fprintf(stderr, "User `%s' is not authorized to login as `%s'!\n",
+		    krb_unparse_name_long(kdata->pname, 
+					  kdata->pinst, 
+					  kdata->prealm),
+		    lusername);
+	    exit(1);
+	} else
+	    execl(new_login, "login", "-p",
+		  "-h", hostname, "--", lusername, 0);
+	fatal(STDERR_FILENO, new_login, 1);
+	/*NOTREACHED*/
+    }
+    /*
+     * If encrypted, don't turn on NBIO or the des read/write
+     * routines will croak.
+     */
+
+    if (!doencrypt)
+	ioctl(f, FIONBIO, &on);
+    ioctl(master, FIONBIO, &on);
+    ioctl(master, TIOCPKT, &on);
+#ifdef SIGTSTP
+    signal(SIGTSTP, SIG_IGN);
+#endif
+    signal(SIGCHLD, cleanup);
+    setsid();
+    protocol(f, master);
+    signal(SIGCHLD, SIG_IGN);
+    cleanup(0);
+}
+
+const char	magic[2] = { 0377, 0377 };
+
+/*
+ * Handle a "control" request (signaled by magic being present)
+ * in the data stream.  For now, we are only willing to handle
+ * window size changes.
+ */
+static int
+control(int master, char *cp, int n)
+{
+    struct winsize w;
+    char *p;
+    u_int32_t tmp;
+
+    if (n < 4 + 4 * sizeof (u_int16_t) || cp[2] != 's' || cp[3] != 's')
+	return (0);
+#ifdef TIOCSWINSZ
+    p = cp + 4;
+    p += krb_get_int(p, &tmp, 2, 0);
+    w.ws_row = tmp;
+    p += krb_get_int(p, &tmp, 2, 0);
+    w.ws_col = tmp;
+
+    p += krb_get_int(p, &tmp, 2, 0);
+#ifdef HAVE_WS_XPIXEL
+    w.ws_xpixel = tmp;
+#endif
+    p += krb_get_int(p, &tmp, 2, 0);
+#ifdef HAVE_WS_YPIXEL
+    w.ws_ypixel = tmp;
+#endif
+    ioctl(master, TIOCSWINSZ, &w);
+#endif
+    return p - cp;
+}
+
+static
+void
+send_oob(int fd, char c)
+{
+    static char last_oob = 0xFF;
+
+#if (SunOS >= 50) || defined(__hpux)
+    /*
+     * PSoriasis and HP-UX always send TIOCPKT_DOSTOP at startup so we
+     * can avoid sending OOB data and thus not break on Linux by merging
+     * TIOCPKT_DOSTOP into the first TIOCPKT_WINDOW.
+     */
+    static int oob_kludge = 2;
+    if (oob_kludge == 2)
+	{
+	    oob_kludge--;		/* First time send nothing */
+	    return;
+	}
+    else if (oob_kludge == 1)
+	{
+	    oob_kludge--;		/* Second time merge TIOCPKT_WINDOW */
+	    c |= TIOCPKT_WINDOW;
+	}
+#endif
+
+#define	pkcontrol(c) ((c)&(TIOCPKT_FLUSHWRITE|TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))
+    c = pkcontrol(c);
+    /* Multiple OOB data breaks on Linux, avoid it when possible. */
+    if (c != last_oob)
+	send(fd, &c, 1, MSG_OOB);
+    last_oob = c;
+}
+
+/*
+ * rlogin "protocol" machine.
+ */
+static void
+protocol(int f, int master)
+{
+    char pibuf[1024+1], fibuf[1024], *pbp, *fbp;
+    int pcc = 0, fcc = 0;
+    int cc, nfd, n;
+    char cntl;
+    unsigned char oob_queue = 0;
+
+#ifdef SIGTTOU
+    /*
+     * Must ignore SIGTTOU, otherwise we'll stop
+     * when we try and set slave pty's window shape
+     * (our controlling tty is the master pty).
+     */
+    signal(SIGTTOU, SIG_IGN);
+#endif
+
+    send_oob(f, TIOCPKT_WINDOW); /* indicate new rlogin */
+
+    if (f > master)
+	nfd = f + 1;
+    else
+	nfd = master + 1;
+    if (nfd > FD_SETSIZE) {
+	syslog(LOG_ERR, "select mask too small, increase FD_SETSIZE");
+	fatal(f, "internal error (select mask too small)", 0);
+    }
+    for (;;) {
+	fd_set ibits, obits, ebits, *omask;
+
+	FD_ZERO(&ebits);
+	FD_ZERO(&ibits);
+	FD_ZERO(&obits);
+	omask = (fd_set *)NULL;
+	if (fcc) {
+	    FD_SET(master, &obits);
+	    omask = &obits;
+	} else
+	    FD_SET(f, &ibits);
+	if (pcc >= 0) {
+	    if (pcc) {
+		FD_SET(f, &obits);
+		omask = &obits;
+	    } else
+		FD_SET(master, &ibits);
+	}
+	FD_SET(master, &ebits);
+	if ((n = select(nfd, &ibits, omask, &ebits, 0)) < 0) {
+	    if (errno == EINTR)
+		continue;
+	    fatal(f, "select", 1);
+	}
+	if (n == 0) {
+	    /* shouldn't happen... */
+	    sleep(5);
+	    continue;
+	}
+	if (FD_ISSET(master, &ebits)) {
+	    cc = readstream(master, &cntl, 1);
+	    if (cc == 1 && pkcontrol(cntl)) {
+#if 0				/* Kludge around */
+		send_oob(f, cntl);
+#endif
+		oob_queue = cntl;
+		if (cntl & TIOCPKT_FLUSHWRITE) {
+		    pcc = 0;
+		    FD_CLR(master, &ibits);
+		}
+	    }
+	}
+	if (FD_ISSET(f, &ibits)) {
+#ifndef NOENCRYPTION
+	    if (doencrypt)
+		fcc = des_enc_read(f, fibuf,
+				   sizeof(fibuf),
+				   schedule, &kdata->session);
+	    else
+#endif
+		fcc = read(f, fibuf, sizeof(fibuf));
+	    if (fcc < 0 && errno == EWOULDBLOCK)
+		fcc = 0;
+	    else {
+		char *cp;
+		int left, n;
+
+		if (fcc <= 0)
+		    break;
+		fbp = fibuf;
+
+	    top:
+		for (cp = fibuf; cp < fibuf+fcc-1; cp++)
+		    if (cp[0] == magic[0] &&
+			cp[1] == magic[1]) {
+			left = fcc - (cp-fibuf);
+			n = control(master, cp, left);
+			if (n) {
+			    left -= n;
+			    if (left > 0)
+				memmove(cp, cp+n, left);
+			    fcc -= n;
+			    goto top; /* n^2 */
+			}
+		    }
+		FD_SET(master, &obits);		/* try write */
+	    }
+	}
+
+	if (FD_ISSET(master, &obits) && fcc > 0) {
+	    cc = write(master, fbp, fcc);
+	    if (cc > 0) {
+		fcc -= cc;
+		fbp += cc;
+	    }
+	}
+
+	if (FD_ISSET(master, &ibits)) {
+	    pcc = readstream(master, pibuf, sizeof (pibuf));
+	    pbp = pibuf;
+	    if (pcc < 0 && errno == EWOULDBLOCK)
+		pcc = 0;
+	    else if (pcc <= 0)
+		break;
+	    else if (pibuf[0] == 0) {
+		pbp++, pcc--;
+		if (!doencrypt)
+		    FD_SET(f, &obits);	/* try write */
+	    } else {
+		if (pkcontrol(pibuf[0])) {
+		    oob_queue = pibuf[0];
+#if 0				/* Kludge around */
+		    send_oob(f, pibuf[0]);
+#endif
+		}
+		pcc = 0;
+	    }
+	}
+	if ((FD_ISSET(f, &obits)) && pcc > 0) {
+#ifndef NOENCRYPTION
+	    if (doencrypt)
+		cc = des_enc_write(f, pbp, pcc, schedule, &kdata->session);
+	    else
+#endif
+		cc = write(f, pbp, pcc);
+	    if (cc < 0 && errno == EWOULDBLOCK) {
+		/*
+		 * This happens when we try write after read
+		 * from p, but some old kernels balk at large
+		 * writes even when select returns true.
+		 */
+		if (!FD_ISSET(master, &ibits))
+		    sleep(5);
+		continue;
+	    }
+	    if (cc > 0) {
+		pcc -= cc;
+		pbp += cc;
+		/* Only send urg data when normal data
+		 * has just been sent.
+		 * Linux has deep problems with more
+		 * than one byte of OOB data.
+		 */
+		if (oob_queue) {
+		    send_oob (f, oob_queue);
+		    oob_queue = 0;
+		}
+	    }
+	}
+    }
+}
+
+static RETSIGTYPE
+cleanup(int signo)
+{
+    char *p = clean_ttyname (line);
+
+    if (rlogind_logout(p) == 0)
+	logwtmp(p, "", "");
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    *p = 'p';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    shutdown(netf, 2);
+    signal(SIGHUP, SIG_IGN);
+#ifdef HAVE_VHANGUP
+    vhangup();
+#endif /* HAVE_VHANGUP */
+    exit(1);
+}
+
+void
+fatal(int f, const char *msg, int syserr)
+{
+    int len;
+    char buf[BUFSIZ], *bp = buf;
+
+    /*
+     * Prepend binary one to message if we haven't sent
+     * the magic null as confirmation.
+     */
+    if (!confirmed)
+	*bp++ = '\01';		/* error indicator */
+    if (syserr)
+	snprintf(bp, sizeof(buf) - (bp - buf),
+		 "rlogind: %s: %s.\r\n",
+		 msg, strerror(errno));
+    else
+	snprintf(bp, sizeof(buf) - (bp - buf),
+		 "rlogind: %s.\r\n", msg);
+    len = strlen(bp);
+#ifndef NOENCRYPTION
+    if (doencrypt)
+	des_enc_write(f, buf, bp + len - buf, schedule, &kdata->session);
+    else
+#endif
+	write(f, buf, bp + len - buf);
+    exit(1);
+}
+
+static void
+xgetstr(char *buf, int cnt, char *errmsg)
+{
+    char c;
+
+    do {
+	if (read(0, &c, 1) != 1)
+	    exit(1);
+	if (--cnt < 0)
+	    fatal(STDOUT_FILENO, errmsg, 0);
+	*buf++ = c;
+    } while (c != 0);
+}
+
+static int
+do_rlogin(struct sockaddr_in *dest)
+{
+    xgetstr(rusername, sizeof(rusername), "remuser too long");
+    xgetstr(lusername, sizeof(lusername), "locuser too long");
+    xgetstr(term+ENVSIZE, sizeof(term)-ENVSIZE, "Terminal type too long");
+
+    pwd = k_getpwnam(lusername);
+    if (pwd == NULL)
+	return (-1);
+    if (pwd->pw_uid == 0 && strcmp("root", lusername) != 0)
+	{
+	    syslog(LOG_ALERT, "NIS attack, user %s has uid 0", lusername);
+	    return (-1);
+	}
+    return (iruserok(dest->sin_addr.s_addr,
+		     (pwd->pw_uid == 0),
+		     rusername,
+		     lusername));
+}
+
+static void 
+setup_term(int fd)
+{
+    char *cp = strchr(term+ENVSIZE, '/');
+    char *speed;
+    struct termios tt;
+
+    tcgetattr(fd, &tt);
+    if (cp) {
+	int s;
+
+	*cp++ = '\0';
+	speed = cp;
+	cp = strchr(speed, '/');
+	if (cp)
+	    *cp++ = '\0';
+	s = int2speed_t (atoi (speed));
+	if (s > 0) {
+	    cfsetospeed (&tt, s);
+	    cfsetispeed (&tt, s);
+	}
+    }
+
+    tt.c_iflag &= ~INPCK;
+    tt.c_iflag |= ICRNL|IXON;
+    tt.c_oflag |= OPOST|ONLCR;
+#ifdef TAB3
+    tt.c_oflag |= TAB3;
+#endif /* TAB3 */
+#ifdef ONLRET
+    tt.c_oflag &= ~ONLRET;
+#endif /* ONLRET */
+    tt.c_lflag |= (ECHO|ECHOE|ECHOK|ISIG|ICANON);
+    tt.c_cflag &= ~PARENB;
+    tt.c_cflag |= CS8;
+    tt.c_cc[VMIN] = 1;
+    tt.c_cc[VTIME] = 0;
+    tt.c_cc[VEOF] = CEOF;
+    tcsetattr(fd, TCSAFLUSH, &tt);
+
+    env[0] = term;
+    env[1] = 0;
+    environ = env;
+}
+
+#define	VERSION_SIZE	9
+
+/*
+ * Do the remote kerberos login to the named host with the
+ * given inet address
+ *
+ * Return 0 on valid authorization
+ * Return -1 on valid authentication, no authorization
+ * Return >0 for error conditions
+ */
+static int
+do_krb_login(struct sockaddr_in *dest)
+{
+    int rc;
+    char instance[INST_SZ], version[VERSION_SIZE];
+    long authopts = 0L;	/* !mutual */
+    struct sockaddr_in faddr;
+
+    kdata = (AUTH_DAT *) auth_buf;
+    ticket = (KTEXT) tick_buf;
+
+    k_getsockinst(0, instance, sizeof(instance));
+
+    if (doencrypt) {
+	rc = sizeof(faddr);
+	if (getsockname(0, (struct sockaddr *)&faddr, &rc))
+	    return (-1);
+	authopts = KOPT_DO_MUTUAL;
+	rc = krb_recvauth(
+			  authopts, 0,
+			  ticket, "rcmd",
+			  instance, dest, &faddr,
+			  kdata, "", schedule, version);
+	des_set_key(&kdata->session, schedule);
+
+    } else
+	rc = krb_recvauth(
+			  authopts, 0,
+			  ticket, "rcmd",
+			  instance, dest, (struct sockaddr_in *) 0,
+			  kdata, "", 0, version);
+
+    if (rc != KSUCCESS)
+	return (rc);
+
+    xgetstr(lusername, sizeof(lusername), "locuser");
+    /* get the "cmd" in the rcmd protocol */
+    xgetstr(term+ENVSIZE, sizeof(term)-ENVSIZE, "Terminal type");
+
+    pwd = k_getpwnam(lusername);
+    if (pwd == NULL)
+	return (-1);
+    if (pwd->pw_uid == 0 && strcmp("root", lusername) != 0)
+	{
+	    syslog(LOG_ALERT, "NIS attack, user %s has uid 0", lusername);
+	    return (-1);
+	}
+
+    /* returns nonzero for no access */
+    if (kuserok(kdata, lusername) != 0)
+	return (-1);
+
+    return (0);
+
+}
+
+static void
+usage(void)
+{
+    syslog(LOG_ERR,
+	   "usage: rlogind [-Dailn] [-p port] [-x] [-L login] [-k | -v]");
+    exit(1);
+}
diff --git a/crypto/kerberosIV/appl/bsd/rsh.c b/crypto/kerberosIV/appl/bsd/rsh.c
new file mode 100644
index 0000000..a18f775
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/rsh.c
@@ -0,0 +1,384 @@
+/*-
+ * Copyright (c) 1983, 1990 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: rsh.c,v 1.43.2.2 2000/10/10 12:53:50 assar Exp $");
+
+CREDENTIALS cred;
+Key_schedule schedule;
+int use_kerberos = 1, doencrypt;
+char dst_realm_buf[REALM_SZ], *dest_realm;
+
+/*
+ * rsh - remote shell
+ */
+int rfd2;
+
+static void
+usage(void)
+{
+    fprintf(stderr,
+	    "usage: rsh [-ndKx] [-k realm] [-p port] [-l login] host [command]\n");
+    exit(1);
+}
+
+static char *
+copyargs(char **argv)
+{
+    int cc;
+    char **ap, *p;
+    char *args;
+
+    cc = 0;
+    for (ap = argv; *ap; ++ap)
+	cc += strlen(*ap) + 1;
+    args = malloc(cc);
+    if (args == NULL)
+	errx(1, "Out of memory.");
+    for (p = args, ap = argv; *ap; ++ap) {
+	strcpy(p, *ap);
+	while(*p)
+	    ++p;
+	if (ap[1])
+	    *p++ = ' ';
+    }
+    return(args);
+}
+
+static RETSIGTYPE
+sendsig(int signo_)
+{
+    char signo = signo_;
+#ifndef NOENCRYPTION
+    if (doencrypt)
+	des_enc_write(rfd2, &signo, 1, schedule, &cred.session);
+    else
+#endif
+	write(rfd2, &signo, 1);
+}
+
+static void
+talk(int nflag, sigset_t omask, int pid, int rem)
+{
+    int cc, wc;
+    char *bp;
+    fd_set readfrom, ready, rembits;
+    char buf[DES_RW_MAXWRITE];
+
+    if (pid == 0) {
+	if (nflag)
+	    goto done;
+
+	close(rfd2);
+
+    reread:		errno = 0;
+    if ((cc = read(0, buf, sizeof buf)) <= 0)
+	goto done;
+    bp = buf;
+
+    rewrite:   
+    FD_ZERO(&rembits);
+    if (rem >= FD_SETSIZE)
+	errx(1, "fd too large");
+    FD_SET(rem, &rembits);
+    if (select(rem + 1, 0, &rembits, 0, 0) < 0) {
+	if (errno != EINTR) 
+	    err(1, "select");
+	goto rewrite;
+    }
+    if (!FD_ISSET(rem, &rembits))
+	goto rewrite;
+#ifndef NOENCRYPTION
+    if (doencrypt)
+	wc = des_enc_write(rem, bp, cc, schedule, &cred.session);
+    else
+#endif
+	wc = write(rem, bp, cc);
+    if (wc < 0) {
+	if (errno == EWOULDBLOCK)
+	    goto rewrite;
+	goto done;
+    }
+    bp += wc;
+    cc -= wc;
+    if (cc == 0)
+	goto reread;
+    goto rewrite;
+    done:
+    shutdown(rem, 1);
+    exit(0);
+    }
+
+    if (sigprocmask(SIG_SETMASK, &omask, 0) != 0)
+	warn("sigprocmask");
+    FD_ZERO(&readfrom);
+    if (rem >= FD_SETSIZE || rfd2 >= FD_SETSIZE)
+	errx(1, "fd too large");
+    FD_SET(rem, &readfrom);
+    FD_SET(rfd2, &readfrom);
+    do {
+	ready = readfrom;
+	if (select(max(rem,rfd2)+1, &ready, 0, 0, 0) < 0) {
+	    if (errno != EINTR)
+		err(1, "select");
+	    continue;
+	}
+	if (FD_ISSET(rfd2, &ready)) {
+	    errno = 0;
+#ifndef NOENCRYPTION
+	    if (doencrypt)
+		cc = des_enc_read(rfd2, buf, sizeof buf,
+				  schedule, &cred.session);
+	    else
+#endif
+		cc = read(rfd2, buf, sizeof buf);
+	    if (cc <= 0) {
+		if (errno != EWOULDBLOCK)
+		    FD_CLR(rfd2, &readfrom);
+	    } else
+		write(2, buf, cc);
+	}
+	if (FD_ISSET(rem, &ready)) {
+	    errno = 0;
+#ifndef NOENCRYPTION
+	    if (doencrypt)
+		cc = des_enc_read(rem, buf, sizeof buf,
+				  schedule, &cred.session);
+	    else
+#endif
+		cc = read(rem, buf, sizeof buf);
+	    if (cc <= 0) {
+		if (errno != EWOULDBLOCK)
+		    FD_CLR(rem, &readfrom);
+	    } else
+		write(1, buf, cc);
+	}
+    } while (FD_ISSET(rfd2, &readfrom) || FD_ISSET(rem, &readfrom));
+}
+
+int
+main(int argc, char **argv)
+{
+    struct passwd *pw;
+    int sv_port, user_port = 0;
+    sigset_t omask;
+    int argoff, ch, dflag, nflag, nfork, one, pid, rem, uid;
+    char *args, *host, *user, *local_user;
+
+    argoff = dflag = nflag = nfork = 0;
+    one = 1;
+    host = user = NULL;
+    pid = 1;
+
+    set_progname(argv[0]);
+
+    /* handle "rsh host flags" */
+    if (argc > 2 && argv[1][0] != '-') {
+	host = argv[1];
+	argoff = 1;
+    }
+
+#define	OPTIONS	"+8KLde:k:l:np:wx"
+    while ((ch = getopt(argc - argoff, argv + argoff, OPTIONS)) != -1)
+	switch(ch) {
+	case 'K':
+	    use_kerberos = 0;
+	    break;
+	case 'L':	/* -8Lew are ignored to allow rlogin aliases */
+	case 'e':
+	case 'w':
+	case '8':
+	    break;
+	case 'd':
+	    dflag = 1;
+	    break;
+	case 'l':
+	    user = optarg;
+	    break;
+	case 'k':
+	    dest_realm = dst_realm_buf;
+	    strlcpy(dest_realm, optarg, REALM_SZ);
+	    break;
+	case 'n':
+	    nflag = nfork = 1;
+	    break;
+	case 'x':
+	    doencrypt = 1;
+	    break;
+	case 'p': {
+	    char *endptr;
+
+	    user_port = strtol (optarg, &endptr, 0);
+	    if (user_port == 0 && optarg == endptr)
+		errx (1, "Bad port `%s'", optarg);
+	    user_port = htons(user_port);
+	    break;
+	}
+	case '?':
+	default:
+	    usage();
+	}
+    optind += argoff;
+
+    /* if haven't gotten a host yet, do so */
+    if (!host && !(host = argv[optind++]))
+	usage();
+
+    /* if no further arguments, must have been called as rlogin. */
+    if (!argv[optind]) {
+	*argv = "rlogin";
+	paranoid_setuid (getuid ());
+	execv(_PATH_RLOGIN, argv);
+	err(1, "can't exec %s", _PATH_RLOGIN);
+    }
+
+#ifndef __CYGWIN32__
+    if (!(pw = k_getpwuid(uid = getuid())))
+	errx(1, "unknown user id.");
+    local_user = pw->pw_name;
+    if (!user)
+	user = local_user;
+#else
+    if (!user)
+	errx(1, "Sorry, you need to specify the username (with -l)");
+    local_user = user;
+#endif
+
+    /* -n must still fork but does not turn of the -n functionality */
+    if (doencrypt)
+	nfork = 0;
+
+    args = copyargs(argv+optind);
+
+    if (user_port)
+	sv_port = user_port;
+    else
+	sv_port = get_shell_port(use_kerberos, doencrypt);
+
+    if (use_kerberos) {
+	paranoid_setuid(getuid());
+	rem = KSUCCESS;
+	errno = 0;
+	if (dest_realm == NULL)
+	    dest_realm = krb_realmofhost(host);
+
+	if (doencrypt)
+	    rem = krcmd_mutual(&host, sv_port, user, args,
+			       &rfd2, dest_realm, &cred, schedule);
+	else
+	    rem = krcmd(&host, sv_port, user, args, &rfd2,
+			dest_realm);
+	if (rem < 0) {
+	    int i = 0;
+	    char **newargv;
+
+	    if (errno == ECONNREFUSED)
+		warning("remote host doesn't support Kerberos");
+	    if (errno == ENOENT)
+		warning("can't provide Kerberos auth data");
+	    newargv = malloc((argc + 2) * sizeof(*newargv));
+	    if (newargv == NULL)
+		err(1, "malloc");
+	    newargv[i] = argv[i];
+	    ++i;
+	    if (argv[i][0] != '-') {
+		newargv[i] = argv[i];
+		++i;
+	    }
+	    newargv[i++] = "-K";
+	    for(; i <= argc; ++i)
+		newargv[i] = argv[i - 1];
+	    newargv[argc + 1] = NULL;
+	    execv(_PATH_RSH, newargv);
+	}
+    } else {
+	if (doencrypt)
+	    errx(1, "the -x flag requires Kerberos authentication.");
+	if (geteuid() != 0)
+	    errx(1, "not installed setuid root, "
+		 "only root may use non kerberized rsh");
+	rem = rcmd(&host, sv_port, local_user, user, args, &rfd2);
+    }
+
+    if (rem < 0)
+	exit(1);
+
+    if (rfd2 < 0)
+	errx(1, "can't establish stderr.");
+#if defined(SO_DEBUG) && defined(HAVE_SETSOCKOPT)
+    if (dflag) {
+	if (setsockopt(rem, SOL_SOCKET, SO_DEBUG, (void *)&one,
+		       sizeof(one)) < 0)
+	    warn("setsockopt");
+	if (setsockopt(rfd2, SOL_SOCKET, SO_DEBUG, (void *)&one,
+		       sizeof(one)) < 0)
+	    warn("setsockopt");
+    }
+#endif
+
+    paranoid_setuid(uid);
+    {
+	sigset_t sigmsk;
+	sigemptyset(&sigmsk);
+	sigaddset(&sigmsk, SIGINT);
+	sigaddset(&sigmsk, SIGQUIT);
+	sigaddset(&sigmsk, SIGTERM);
+	if (sigprocmask(SIG_BLOCK, &sigmsk, &omask) != 0)
+	    warn("sigprocmask");
+    }
+    if (signal(SIGINT, SIG_IGN) != SIG_IGN)
+	signal(SIGINT, sendsig);
+    if (signal(SIGQUIT, SIG_IGN) != SIG_IGN)
+	signal(SIGQUIT, sendsig);
+    if (signal(SIGTERM, SIG_IGN) != SIG_IGN)
+	signal(SIGTERM, sendsig);
+    signal(SIGPIPE, SIG_IGN);
+
+    if (!nfork) {
+	pid = fork();
+	if (pid < 0)
+	    err(1, "fork");
+    }
+
+    if (!doencrypt) {
+	ioctl(rfd2, FIONBIO, &one);
+	ioctl(rem, FIONBIO, &one);
+    }
+
+    talk(nflag, omask, pid, rem);
+    
+    if (!nflag)
+	kill(pid, SIGKILL);
+    exit(0);
+}
diff --git a/crypto/kerberosIV/appl/bsd/rshd.c b/crypto/kerberosIV/appl/bsd/rshd.c
new file mode 100644
index 0000000..496fa88
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/rshd.c
@@ -0,0 +1,652 @@
+/*-
+ * Copyright (c) 1988, 1989, 1992, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * remote shell server:
+ *	[port]\0
+ *	remuser\0
+ *	locuser\0
+ *	command\0
+ *	data
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: rshd.c,v 1.60.2.3 2000/10/18 20:39:12 assar Exp $");
+
+extern char *__rcmd_errstr; /* syslog hook from libc/net/rcmd.c. */
+extern int __check_rhosts_file;
+
+static int	keepalive = 1;
+static int	log_success;	/* If TRUE, log all successful accesses */
+static int	new_pag = 1;	/* Put process in new PAG by default */
+static int	no_inetd = 0;
+static int	sent_null;
+
+static void		 doit (struct sockaddr_in *);
+static void		 error (const char *, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
+static void		 usage (void);
+
+#define	VERSION_SIZE	9
+#define SECURE_MESSAGE  "This rsh session is using DES encryption for all transmissions.\r\n"
+#define	OPTIONS		"alnkvxLp:Pi"
+AUTH_DAT authbuf;
+KTEXT_ST tickbuf;
+int	doencrypt, use_kerberos, vacuous;
+Key_schedule	schedule;
+
+int
+main(int argc, char *argv[])
+{
+    struct linger linger;
+    int ch, on = 1, fromlen;
+    struct sockaddr_in from;
+    int portnum = 0;
+
+    set_progname(argv[0]);
+
+    openlog("rshd", LOG_PID | LOG_ODELAY, LOG_DAEMON);
+
+    opterr = 0;
+    while ((ch = getopt(argc, argv, OPTIONS)) != -1)
+	switch (ch) {
+	case 'a':
+	    break;
+	case 'l':
+	    __check_rhosts_file = 0;
+	    break;
+	case 'n':
+	    keepalive = 0;
+	    break;
+	case 'k':
+	    use_kerberos = 1;
+	    break;
+
+	case 'v':
+	    vacuous = 1;
+	    break;
+
+	case 'x':
+	    doencrypt = 1;
+	    break;
+	case 'L':
+	    log_success = 1;
+	    break;
+	case 'p':
+	    portnum = htons(atoi(optarg));
+	    break;
+	case 'P':
+	    new_pag = 0;
+	    break;
+	case 'i':
+	    no_inetd = 1;
+	    break;
+	case '?':
+	default:
+	    usage();
+	    break;
+	}
+
+    argc -= optind;
+    argv += optind;
+
+    if (use_kerberos && vacuous) {
+	syslog(LOG_ERR, "only one of -k and -v allowed");
+	exit(2);
+    }
+    if (doencrypt && !use_kerberos) {
+	syslog(LOG_ERR, "-k is required for -x");
+	exit(2);
+    }
+
+    if (no_inetd) {
+	if(portnum == 0)
+	    portnum = get_shell_port (use_kerberos, doencrypt);
+	mini_inetd (portnum);
+    }
+
+    fromlen = sizeof (from);
+    if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) {
+	syslog(LOG_ERR, "getpeername: %m");
+	_exit(1);
+    }
+#ifdef HAVE_SETSOCKOPT
+#ifdef SO_KEEPALIVE
+    if (keepalive &&
+	setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
+		   sizeof(on)) < 0)
+	syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
+#endif
+#ifdef SO_LINGER
+    linger.l_onoff = 1;
+    linger.l_linger = 60;			/* XXX */
+    if (setsockopt(0, SOL_SOCKET, SO_LINGER, (void *)&linger,
+		   sizeof (linger)) < 0)
+	syslog(LOG_WARNING, "setsockopt (SO_LINGER): %m");
+#endif
+#endif /* HAVE_SETSOCKOPT */
+    doit(&from);
+    /* NOTREACHED */
+    return 0;
+}
+
+char	username[20] = "USER=";
+char	homedir[64] = "HOME=";
+char	shell[64] = "SHELL=";
+char	path[100] = "PATH=";
+char	*envinit[] =
+{homedir, shell, path, username, 0};
+
+static void
+xgetstr(char *buf, int cnt, char *err)
+{
+    char c;
+
+    do {
+	if (read(STDIN_FILENO, &c, 1) != 1)
+	    exit(1);
+	*buf++ = c;
+	if (--cnt == 0) {
+	    error("%s too long\n", err);
+	    exit(1);
+	}
+    } while (c != 0);
+}
+
+static void
+doit(struct sockaddr_in *fromp)
+{
+    struct passwd *pwd;
+    u_short port;
+    fd_set ready, readfrom;
+    int cc, nfd, pv[2], pid, s;
+    int one = 1;
+    const char *errorhost = "";
+    char *errorstr;
+    char *cp, sig, buf[DES_RW_MAXWRITE];
+    char cmdbuf[NCARGS+1], locuser[16], remuser[16];
+    char remotehost[2 * MaxHostNameLen + 1];
+    uid_t uid;
+    char shell_path[MAXPATHLEN];
+
+    AUTH_DAT	*kdata;
+    KTEXT		ticket;
+    char		instance[INST_SZ], version[VERSION_SIZE];
+    struct		sockaddr_in	fromaddr;
+    int		rc;
+    long		authopts;
+    int		pv1[2], pv2[2];
+    fd_set		wready, writeto;
+
+    fromaddr = *fromp;
+
+    signal(SIGINT, SIG_DFL);
+    signal(SIGQUIT, SIG_DFL);
+    signal(SIGTERM, SIG_DFL);
+#ifdef DEBUG
+    { int t = open(_PATH_TTY, 2);
+    if (t >= 0) {
+	ioctl(t, TIOCNOTTY, (char *)0);
+	close(t);
+    }
+    }
+#endif
+    fromp->sin_port = ntohs((u_short)fromp->sin_port);
+    if (fromp->sin_family != AF_INET) {
+	syslog(LOG_ERR, "malformed \"from\" address (af %d)\n",
+	       fromp->sin_family);
+	exit(1);
+    }
+
+
+    if (!use_kerberos) {
+	ip_options_and_die (0, fromp);
+	if (fromp->sin_port >= IPPORT_RESERVED ||
+	    fromp->sin_port < IPPORT_RESERVED/2) {
+	    syslog(LOG_NOTICE|LOG_AUTH,
+		   "Connection from %s on illegal port %u",
+		   inet_ntoa(fromp->sin_addr),
+		   fromp->sin_port);
+	    exit(1);
+	}
+    }
+
+    alarm(60);
+    port = 0;
+    for (;;) {
+	char c;
+	if ((cc = read(STDIN_FILENO, &c, 1)) != 1) {
+	    if (cc < 0)
+		syslog(LOG_NOTICE, "read: %m");
+	    shutdown(0, 1+1);
+	    exit(1);
+	}
+	if (c== 0)
+	    break;
+	port = port * 10 + c - '0';
+    }
+
+    alarm(0);
+    if (port != 0) {
+	int lport = IPPORT_RESERVED - 1;
+	s = rresvport(&lport);
+	if (s < 0) {
+	    syslog(LOG_ERR, "can't get stderr port: %m");
+	    exit(1);
+	}
+	if (!use_kerberos)
+	    if (port >= IPPORT_RESERVED) {
+		syslog(LOG_ERR, "2nd port not reserved\n");
+		exit(1);
+	    }
+	fromp->sin_port = htons(port);
+	if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0) {
+	    syslog(LOG_INFO, "connect second port %d: %m", port);
+	    exit(1);
+	}
+    }
+
+    if (vacuous) {
+	error("rshd: Remote host requires Kerberos authentication.\n");
+	exit(1);
+    }
+
+    errorstr = NULL;
+    inaddr2str (fromp->sin_addr, remotehost, sizeof(remotehost));
+
+    if (use_kerberos) {
+	kdata = &authbuf;
+	ticket = &tickbuf;
+	authopts = 0L;
+	k_getsockinst(0, instance, sizeof(instance));
+	version[VERSION_SIZE - 1] = '\0';
+	if (doencrypt) {
+	    struct sockaddr_in local_addr;
+	    rc = sizeof(local_addr);
+	    if (getsockname(0, (struct sockaddr *)&local_addr,
+			    &rc) < 0) {
+		syslog(LOG_ERR, "getsockname: %m");
+		error("rshd: getsockname: %m");
+		exit(1);
+	    }
+	    authopts = KOPT_DO_MUTUAL;
+	    rc = krb_recvauth(authopts, 0, ticket,
+			      "rcmd", instance, &fromaddr,
+			      &local_addr, kdata, "", schedule,
+			      version);
+#ifndef NOENCRYPTION
+	    des_set_key(&kdata->session, schedule);
+#else
+	    memset(schedule, 0, sizeof(schedule));
+#endif
+	} else
+	    rc = krb_recvauth(authopts, 0, ticket, "rcmd",
+			      instance, &fromaddr,
+			      (struct sockaddr_in *) 0,
+			      kdata, "", 0, version);
+	if (rc != KSUCCESS) {
+	    error("Kerberos authentication failure: %s\n",
+		  krb_get_err_text(rc));
+	    exit(1);
+	}
+    } else
+	xgetstr(remuser, sizeof(remuser), "remuser");
+
+    xgetstr(locuser, sizeof(locuser), "locuser");
+    xgetstr(cmdbuf, sizeof(cmdbuf), "command");
+    setpwent();
+    pwd = k_getpwnam(locuser);
+    if (pwd == NULL) {
+	syslog(LOG_INFO|LOG_AUTH,
+	       "%s@%s as %s: unknown login. cmd='%.80s'",
+	       remuser, remotehost, locuser, cmdbuf);
+	if (errorstr == NULL)
+	    errorstr = "Login incorrect.\n";
+	goto fail;
+    }
+    if (pwd->pw_uid == 0 && strcmp("root", locuser) != 0)
+	{
+	    syslog(LOG_ALERT, "NIS attack, user %s has uid 0", locuser);
+	    if (errorstr == NULL)
+		errorstr = "Login incorrect.\n";
+	    goto fail;
+	}
+    if (chdir(pwd->pw_dir) < 0) {
+	chdir("/");
+#ifdef notdef
+	syslog(LOG_INFO|LOG_AUTH,
+	       "%s@%s as %s: no home directory. cmd='%.80s'",
+	       remuser, remotehost, locuser, cmdbuf);
+	error("No remote directory.\n");
+	exit(1);
+#endif
+    }
+
+    if (use_kerberos) {
+	if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0') {
+	    if (kuserok(kdata, locuser) != 0) {
+		syslog(LOG_INFO|LOG_AUTH,
+		       "Kerberos rsh denied to %s",
+		       krb_unparse_name_long(kdata->pname, 
+					     kdata->pinst, 
+					     kdata->prealm));
+		error("Permission denied.\n");
+		exit(1);
+	    }
+	}
+    } else
+
+	if (errorstr ||
+	    (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
+	    iruserok(fromp->sin_addr.s_addr, pwd->pw_uid == 0,
+		     remuser, locuser) < 0)) {
+	    if (__rcmd_errstr)
+		syslog(LOG_INFO|LOG_AUTH,
+		       "%s@%s as %s: permission denied (%s). cmd='%.80s'",
+		       remuser, remotehost, locuser,
+		       __rcmd_errstr, cmdbuf);
+	    else
+		syslog(LOG_INFO|LOG_AUTH,
+		       "%s@%s as %s: permission denied. cmd='%.80s'",
+		       remuser, remotehost, locuser, cmdbuf);
+		     fail:
+	    if (errorstr == NULL)
+		errorstr = "Permission denied.\n";
+	    error(errorstr, errorhost);
+	    exit(1);
+	}
+
+    if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) {
+	error("Logins currently disabled.\n");
+	exit(1);
+    }
+
+    write(STDERR_FILENO, "\0", 1);
+    sent_null = 1;
+
+    if (port) {
+	if (pipe(pv) < 0) {
+	    error("Can't make pipe.\n");
+	    exit(1);
+	}
+	if (doencrypt) {
+	    if (pipe(pv1) < 0) {
+		error("Can't make 2nd pipe.\n");
+		exit(1);
+	    }
+	    if (pipe(pv2) < 0) {
+		error("Can't make 3rd pipe.\n");
+		exit(1);
+	    }
+	}
+	pid = fork();
+	if (pid == -1)  {
+	    error("Can't fork; try again.\n");
+	    exit(1);
+	}
+	if (pid) {
+	    if (doencrypt) {
+		static char msg[] = SECURE_MESSAGE;
+		close(pv1[1]);
+		close(pv2[0]);
+#ifndef NOENCRYPTION
+		des_enc_write(s, msg, sizeof(msg) - 1, schedule, &kdata->session);
+#else
+		write(s, msg, sizeof(msg) - 1);
+#endif
+	    } else {
+		close(0);
+		close(1);
+	    }
+	    close(2);
+	    close(pv[1]);
+
+	    if (s >= FD_SETSIZE || pv[0] >= FD_SETSIZE) {
+		error ("fd too large\n");
+		exit (1);
+	    }
+
+	    FD_ZERO(&readfrom);
+	    FD_SET(s, &readfrom);
+	    FD_SET(pv[0], &readfrom);
+	    if (pv[0] > s)
+		nfd = pv[0];
+	    else
+		nfd = s;
+	    if (doencrypt) {
+		if (pv2[1] >= FD_SETSIZE || pv1[0] >= FD_SETSIZE) {
+		    error ("fd too large\n");
+		    exit (1);
+		}
+
+		FD_ZERO(&writeto);
+		FD_SET(pv2[1], &writeto);
+		FD_SET(pv1[0], &readfrom);
+		FD_SET(STDIN_FILENO, &readfrom);
+
+		nfd = max(nfd, pv2[1]);
+		nfd = max(nfd, pv1[0]);
+	    } else
+		ioctl(pv[0], FIONBIO, (char *)&one);
+
+	    /* should set s nbio! */
+	    nfd++;
+	    do {
+		ready = readfrom;
+		if (doencrypt) {
+		    wready = writeto;
+		    if (select(nfd, &ready,
+			       &wready, 0,
+			       (struct timeval *) 0) < 0)
+			break;
+		} else
+		    if (select(nfd, &ready, 0,
+			       0, (struct timeval *)0) < 0)
+			break;
+		if (FD_ISSET(s, &ready)) {
+		    int	ret;
+		    if (doencrypt)
+#ifndef NOENCRYPTION
+			ret = des_enc_read(s, &sig, 1, schedule, &kdata->session);
+#else
+		    ret = read(s, &sig, 1);
+#endif
+		    else
+			ret = read(s, &sig, 1);
+		    if (ret <= 0)
+			FD_CLR(s, &readfrom);
+		    else
+			kill(-pid, sig);
+		}
+		if (FD_ISSET(pv[0], &ready)) {
+		    errno = 0;
+		    cc = read(pv[0], buf, sizeof(buf));
+		    if (cc <= 0) {
+			shutdown(s, 1+1);
+			FD_CLR(pv[0], &readfrom);
+		    } else {
+			if (doencrypt)
+#ifndef NOENCRYPTION
+			    des_enc_write(s, buf, cc, schedule, &kdata->session);
+#else
+			write(s, buf, cc);
+#endif
+			else
+			    (void)
+				write(s, buf, cc);
+		    }
+		}
+		if (doencrypt && FD_ISSET(pv1[0], &ready)) {
+		    errno = 0;
+		    cc = read(pv1[0], buf, sizeof(buf));
+		    if (cc <= 0) {
+			shutdown(pv1[0], 1+1);
+			FD_CLR(pv1[0], &readfrom);
+		    } else
+#ifndef NOENCRYPTION
+			des_enc_write(STDOUT_FILENO, buf, cc, schedule, &kdata->session);
+#else
+		    write(STDOUT_FILENO, buf, cc);
+#endif
+		}
+
+		if (doencrypt
+		    && FD_ISSET(STDIN_FILENO, &ready)
+		    && FD_ISSET(pv2[1], &wready)) {
+		    errno = 0;
+#ifndef NOENCRYPTION
+		    cc = des_enc_read(STDIN_FILENO, buf, sizeof(buf), schedule, &kdata->session);
+#else
+		    cc = read(STDIN_FILENO, buf, sizeof(buf));
+#endif
+		    if (cc <= 0) {
+			shutdown(STDIN_FILENO, 0);
+			FD_CLR(STDIN_FILENO, &readfrom);
+			close(pv2[1]);
+			FD_CLR(pv2[1], &writeto);
+		    } else
+			write(pv2[1], buf, cc);
+		}
+
+	    } while (FD_ISSET(s, &readfrom) ||
+		     (doencrypt && FD_ISSET(pv1[0], &readfrom)) ||
+		     FD_ISSET(pv[0], &readfrom));
+	    exit(0);
+	}
+	setsid();
+	close(s);
+	close(pv[0]);
+	if (doencrypt) {
+	    close(pv1[0]);
+	    close(pv2[1]);
+	    dup2(pv1[1], 1);
+	    dup2(pv2[0], 0);
+	    close(pv1[1]);
+	    close(pv2[0]);
+	}
+	dup2(pv[1], 2);
+	close(pv[1]);
+    }
+    if (*pwd->pw_shell == '\0')
+	pwd->pw_shell = _PATH_BSHELL;
+#ifdef HAVE_SETLOGIN
+    if (setlogin(pwd->pw_name) < 0)
+	syslog(LOG_ERR, "setlogin() failed: %m");
+#endif
+
+#ifdef HAVE_SETPCRED
+    if (setpcred (pwd->pw_name, NULL) == -1)
+	syslog(LOG_ERR, "setpcred() failure: %m");
+#endif /* HAVE_SETPCRED */
+    if(do_osfc2_magic(pwd->pw_uid))
+	exit(1);
+    setgid((gid_t)pwd->pw_gid);
+    initgroups(pwd->pw_name, pwd->pw_gid);
+    setuid((uid_t)pwd->pw_uid);
+    strlcat(homedir, pwd->pw_dir, sizeof(homedir));
+
+    /* Need to prepend path with BINDIR (/usr/athena/bin) to find rcp */
+    snprintf(path, sizeof(path), "PATH=%s:%s", BINDIR, _PATH_DEFPATH);
+
+    strlcat(shell, pwd->pw_shell, sizeof(shell));
+    strlcpy(shell_path, pwd->pw_shell, sizeof(shell_path));
+    strlcat(username, pwd->pw_name, sizeof(username));
+    uid = pwd->pw_uid;
+    cp = strrchr(pwd->pw_shell, '/');
+    if (cp)
+	cp++;
+    else
+	cp = pwd->pw_shell;
+    endpwent();
+    if (log_success || uid == 0) {
+	if (use_kerberos)
+	    syslog(LOG_INFO|LOG_AUTH,
+		   "Kerberos shell from %s on %s as %s, cmd='%.80s'",
+		   krb_unparse_name_long(kdata->pname, 
+					 kdata->pinst, 
+					 kdata->prealm),
+		   remotehost, locuser, cmdbuf);
+	else
+	    syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'",
+		   remuser, remotehost, locuser, cmdbuf);
+    }
+    if (k_hasafs()) {
+	char cell[64];
+
+	if (new_pag)
+	    k_setpag();	/* Put users process in an new pag */
+	if (k_afs_cell_of_file (homedir, cell, sizeof(cell)) == 0)
+	    krb_afslog_uid_home (cell, NULL, uid, homedir);
+	krb_afslog_uid_home(NULL, NULL, uid, homedir);
+    }
+    execle(shell_path, cp, "-c", cmdbuf, 0, envinit);
+    err(1, "%s", shell_path);
+}
+
+/*
+ * Report error to client.  Note: can't be used until second socket has
+ * connected to client, or older clients will hang waiting for that
+ * connection first.
+ */
+
+static void
+error(const char *fmt, ...)
+{
+    va_list ap;
+    int len;
+    char *bp, buf[BUFSIZ];
+
+    va_start(ap, fmt);
+    bp = buf;
+    if (sent_null == 0) {
+	*bp++ = 1;
+	len = 1;
+    } else
+	len = 0;
+    len += vsnprintf(bp, sizeof(buf) - len, fmt, ap);
+    write(STDERR_FILENO, buf, len);
+    va_end(ap);
+}
+
+static void
+usage()
+{
+
+    syslog(LOG_ERR,
+	   "usage: rshd [-alnkvxLPi] [-p port]");
+    exit(2);
+}
diff --git a/crypto/kerberosIV/appl/bsd/stty_default.c b/crypto/kerberosIV/appl/bsd/stty_default.c
new file mode 100644
index 0000000..0135823
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/stty_default.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: stty_default.c,v 1.7 1999/12/02 16:58:28 joda Exp $");
+
+#include <termios.h>
+
+/* HP-UX 9.0 termios doesn't define these */
+#ifndef FLUSHO
+#define	FLUSHO	0
+#endif
+
+#ifndef XTABS
+#define	XTABS	0
+#endif
+
+#ifndef OXTABS
+#define OXTABS	XTABS
+#endif
+
+/* Ultrix... */
+#ifndef ECHOPRT
+#define ECHOPRT	0
+#endif
+
+#ifndef ECHOCTL
+#define ECHOCTL	0
+#endif
+
+#ifndef ECHOKE
+#define ECHOKE	0
+#endif
+
+#ifndef IMAXBEL
+#define IMAXBEL	0
+#endif
+
+#define Ctl(x) ((x) ^ 0100)
+
+void
+stty_default(void)
+{
+    struct	termios termios;
+
+    /*
+     * Finalize the terminal settings. Some systems default to 8 bits,
+     * others to 7, so we should leave that alone.
+     */
+    tcgetattr(0, &termios);
+
+    termios.c_iflag |= (BRKINT|IGNPAR|ICRNL|IXON|IMAXBEL);
+    termios.c_iflag &= ~IXANY;
+
+    termios.c_lflag |= (ISIG|IEXTEN|ICANON|ECHO|ECHOE|ECHOK|ECHOCTL|ECHOKE);
+    termios.c_lflag &= ~(ECHOPRT|TOSTOP|FLUSHO);
+
+    termios.c_oflag |= (OPOST|ONLCR);
+    termios.c_oflag &= ~OXTABS;
+
+    termios.c_cc[VINTR] = Ctl('C');
+    termios.c_cc[VERASE] = Ctl('H');
+    termios.c_cc[VKILL] = Ctl('U');
+    termios.c_cc[VEOF] = Ctl('D');
+
+    termios.c_cc[VSUSP] = Ctl('Z');
+    
+    tcsetattr(0, TCSANOW, &termios);
+}
diff --git a/crypto/kerberosIV/appl/bsd/su.c b/crypto/kerberosIV/appl/bsd/su.c
new file mode 100644
index 0000000..7fc63ee
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/su.c
@@ -0,0 +1,504 @@
+/*
+ * Copyright (c) 1988 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID ("$Id: su.c,v 1.70.2.2 2000/12/07 14:04:19 assar Exp $");
+
+#ifdef SYSV_SHADOW
+#include "sysv_shadow.h"
+#endif
+
+static int kerberos (char *username, char *user, char *realm, int uid);
+static int chshell (char *sh);
+static char *ontty (void);
+static int koktologin (char *name, char *realm, char *toname);
+static int chshell (char *sh);
+
+/* Handle '-' option after all the getopt options */
+#define	ARGSTR	"Kkflmti:r:"
+
+int destroy_tickets = 0;
+static int use_kerberos = 1;
+static char *root_inst = "root";
+
+int
+main (int argc, char **argv)
+{
+    struct passwd *pwd;
+    char *p, **g;
+    struct group *gr;
+    uid_t ruid;
+    int asme, ch, asthem, fastlogin, prio;
+    enum { UNSET, YES, NO } iscsh = UNSET;
+    char *user, *shell, *avshell, *username, **np;
+    char shellbuf[MaxPathLen], avshellbuf[MaxPathLen];
+    char *realm = NULL;
+
+    set_progname (argv[0]);
+
+    if (getuid() == 0)
+    	use_kerberos = 0;
+
+    asme = asthem = fastlogin = 0;
+    while ((ch = getopt (argc, argv, ARGSTR)) != -1)
+	switch ((char) ch) {
+	case 'K':
+	    use_kerberos = 0;
+	    break;
+	case 'k':
+	    use_kerberos = 1;
+	    break;
+	case 'f':
+	    fastlogin = 1;
+	    break;
+	case 'l':
+	    asme = 0;
+	    asthem = 1;
+	    break;
+	case 'm':
+	    asme = 1;
+	    asthem = 0;
+	    break;
+	case 't':
+	    destroy_tickets = 1;
+	    break;
+	case 'i':
+	    root_inst = optarg;
+	    break;
+	case 'r':
+	    realm = optarg;
+	    break;
+	case '?':
+	default:
+	    fprintf (stderr,
+		     "usage: su [-Kkflmt] [-i root-instance] [-r realm] [-] [login]\n");
+	    exit (1);
+	}
+    /* Don't handle '-' option with getopt */
+    if (optind < argc && strcmp (argv[optind], "-") == 0) {
+	asme = 0;
+	asthem = 1;
+	optind++;
+    }
+    argv += optind;
+
+    if (use_kerberos) {
+	int fd = open (KEYFILE, O_RDONLY);
+
+	if (fd >= 0)
+	    close (fd);
+	else
+	    use_kerberos = 0;
+    }
+    errno = 0;
+    prio = getpriority (PRIO_PROCESS, 0);
+    if (errno)
+	prio = 0;
+    setpriority (PRIO_PROCESS, 0, -2);
+    openlog ("su", LOG_CONS, LOG_AUTH);
+
+    /* get current login name and shell */
+    ruid = getuid ();
+    username = getlogin ();
+    if (username == NULL || (pwd = k_getpwnam (username)) == NULL ||
+	pwd->pw_uid != ruid)
+	pwd = k_getpwuid (ruid);
+    if (pwd == NULL)
+	errx (1, "who are you?");
+    username = strdup (pwd->pw_name);
+    if (username == NULL)
+	errx (1, "strdup: out of memory");
+    if (asme) {
+	if (pwd->pw_shell && *pwd->pw_shell) {
+	    strlcpy (shellbuf, pwd->pw_shell, sizeof(shellbuf));
+	    shell = shellbuf;
+	} else {
+	    shell = _PATH_BSHELL;
+	    iscsh = NO;
+	}
+    }
+
+    /* get target login information, default to root */
+    user = *argv ? *argv : "root";
+    np = *argv ? argv : argv - 1;
+
+    pwd = k_getpwnam (user);
+    if (pwd == NULL)
+	errx (1, "unknown login %s", user);
+    if (pwd->pw_uid == 0 && strcmp ("root", user) != 0) {
+	syslog (LOG_ALERT, "NIS attack, user %s has uid 0", user);
+	errx (1, "unknown login %s", user);
+    }
+    if (!use_kerberos || kerberos (username, user, realm, pwd->pw_uid)) {
+#ifndef PASSWD_FALLBACK
+	errx (1, "won't use /etc/passwd authentication");
+#endif
+	/* getpwnam() is not reentrant and kerberos might use it! */
+	pwd = k_getpwnam (user);
+	if (pwd == NULL)
+	    errx (1, "unknown login %s", user);
+	/* only allow those in group zero to su to root. */
+	if (pwd->pw_uid == 0 && (gr = getgrgid ((gid_t) 0)))
+	    for (g = gr->gr_mem;; ++g) {
+		if (!*g) {
+#if 1
+		    /* if group 0 is empty or only 
+		       contains root su is still ok. */
+		    if (gr->gr_mem[0] == 0)
+			break;	/* group 0 is empty */
+		    if (gr->gr_mem[1] == 0 &&
+			strcmp (gr->gr_mem[0], "root") == 0)
+			break;	/* only root in group 0 */
+#endif
+		    errx (1, "you are not in the correct group to su %s.",
+			  user);
+		}
+		if (!strcmp (username, *g))
+		    break;
+	    }
+	/* if target requires a password, verify it */
+	if (ruid && *pwd->pw_passwd) {
+	    char prompt[128];
+	    char passwd[256];
+
+	    snprintf (prompt, sizeof(prompt), "%s's Password: ", pwd->pw_name);
+	    if (des_read_pw_string (passwd, sizeof (passwd),
+				    prompt, 0)) {
+		memset (passwd, 0, sizeof (passwd));
+		exit (1);
+	    }
+	    if (strcmp (pwd->pw_passwd,
+			crypt (passwd, pwd->pw_passwd))) {
+		memset (passwd, 0, sizeof (passwd));
+		syslog (LOG_AUTH | LOG_WARNING,
+			"BAD SU %s to %s%s", username,
+			user, ontty ());
+		errx (1, "Sorry");
+	    }
+	    memset (passwd, 0, sizeof (passwd));
+	}
+    }
+    if (asme) {
+	/* if asme and non-standard target shell, must be root */
+	if (!chshell (pwd->pw_shell) && ruid)
+	    errx (1, "permission denied (shell '%s' not in /etc/shells).",
+		  pwd->pw_shell);
+    } else if (pwd->pw_shell && *pwd->pw_shell) {
+	shell = pwd->pw_shell;
+	iscsh = UNSET;
+    } else {
+	shell = _PATH_BSHELL;
+	iscsh = NO;
+    }
+
+    if ((p = strrchr (shell, '/')) != 0)
+	avshell = p + 1;
+    else
+	avshell = shell;
+
+    /* if we're forking a csh, we want to slightly muck the args */
+    if (iscsh == UNSET)
+	iscsh = strcmp (avshell, "csh") ? NO : YES;
+
+    /* set permissions */
+
+    if (setgid (pwd->pw_gid) < 0)
+	err (1, "setgid");
+    if (initgroups (user, pwd->pw_gid)) {
+        if (errno == E2BIG)    /* Member of too many groups! */
+	    warn("initgroups failed.");
+	else
+	    errx(1, "initgroups failed.");
+    }
+
+    if (setuid (pwd->pw_uid) < 0)
+	err (1, "setuid");
+
+    if (pwd->pw_uid != 0 && setuid(0) != -1) {
+      syslog(LOG_ALERT | LOG_AUTH,
+	     "Failed to drop privileges for user %s", pwd->pw_name);
+      errx(1, "Sorry");
+    }
+
+    if (!asme) {
+	if (asthem) {
+	    char *k = getenv ("KRBTKFILE");
+	    char *t = getenv ("TERM");
+
+	    environ = malloc (10 * sizeof (char *));
+	    if (environ == NULL)
+		err (1, "malloc");
+	    environ[0] = NULL;
+	    setenv ("PATH", _PATH_DEFPATH, 1);
+	    if (t)
+		setenv ("TERM", t, 1);
+	    if (k)
+		setenv ("KRBTKFILE", k, 1);
+	    if (chdir (pwd->pw_dir) < 0)
+		errx (1, "no directory");
+	}
+	if (asthem || pwd->pw_uid)
+	    setenv ("USER", pwd->pw_name, 1);
+	setenv ("HOME", pwd->pw_dir, 1);
+	setenv ("SHELL", shell, 1);
+    }
+    if (iscsh == YES) {
+	if (fastlogin)
+	    *np-- = "-f";
+	if (asme)
+	    *np-- = "-m";
+    }
+    if (asthem) {
+	snprintf (avshellbuf, sizeof(avshellbuf),
+		  "-%s", avshell);
+	avshell = avshellbuf;
+    } else if (iscsh == YES) {
+	/* csh strips the first character... */
+	snprintf (avshellbuf, sizeof(avshellbuf),
+		  "_%s", avshell);
+	avshell = avshellbuf;
+    }
+    *np = avshell;
+
+    if (ruid != 0)
+	syslog (LOG_NOTICE | LOG_AUTH, "%s to %s%s",
+		username, user, ontty ());
+
+    setpriority (PRIO_PROCESS, 0, prio);
+
+    if (k_hasafs ()) {
+	int code;
+
+	if (k_setpag () != 0)
+	    warn ("setpag");
+	code = krb_afslog (0, 0);
+	if (code != KSUCCESS && code != KDC_PR_UNKNOWN)
+	    warnx ("afsklog: %s", krb_get_err_text (code));
+    }
+    if (destroy_tickets)
+        dest_tkt ();
+    execv (shell, np);
+    warn ("execv(%s)", shell);
+    if (getuid () == 0) {
+	execv (_PATH_BSHELL, np);
+	warn ("execv(%s)", _PATH_BSHELL);
+    }
+    exit (1);
+}
+
+static int
+chshell (char *sh)
+{
+    char *cp;
+
+    while ((cp = getusershell ()) != NULL)
+	if (!strcmp (cp, sh))
+	    return (1);
+    return (0);
+}
+
+static char *
+ontty (void)
+{
+    char *p;
+    static char buf[MaxPathLen + 4];
+
+    buf[0] = 0;
+    if ((p = ttyname (STDERR_FILENO)) != 0)
+	snprintf (buf, sizeof(buf), " on %s", p);
+    return (buf);
+}
+
+static int
+kerberos (char *username, char *user, char *lrealm, int uid)
+{
+    KTEXT_ST ticket;
+    AUTH_DAT authdata;
+    struct hostent *hp;
+    int kerno;
+    u_long faddr;
+    char tmp_realm[REALM_SZ], krbtkfile[MaxPathLen];
+    char hostname[MaxHostNameLen], savehost[MaxHostNameLen];
+    int n;
+    int allowed = 0;
+
+    if (lrealm != NULL) {
+	allowed = koktologin (username, lrealm, user) == 0;
+    } else {
+	for (n = 1; !allowed && krb_get_lrealm (tmp_realm, n) == KSUCCESS; ++n)
+	    allowed = koktologin (username, tmp_realm, user) == 0;
+	lrealm = tmp_realm;
+    }
+    if (!allowed && !uid) {
+#ifndef PASSWD_FALLBACK
+	warnx ("not in %s's ACL.", user);
+#endif
+	return (1);
+    }
+    snprintf (krbtkfile, sizeof(krbtkfile),
+	      "%s_%s_to_%s_%u", TKT_ROOT, username, user,
+	     (unsigned) getpid ());
+
+    setenv ("KRBTKFILE", krbtkfile, 1);
+    krb_set_tkt_string (krbtkfile);
+    /*
+     * Set real as well as effective ID to 0 for the moment,
+     * to make the kerberos library do the right thing.
+     */
+    if (setuid(0) < 0) {
+        warn("setuid");
+	return (1);
+    }
+
+    /*
+     * Little trick here -- if we are su'ing to root, we need to get a ticket
+     * for "xxx.root", where xxx represents the name of the person su'ing.
+     * Otherwise (non-root case), we need to get a ticket for "yyy.", where
+     * yyy represents the name of the person being su'd to, and the instance
+     * is null 
+     *
+     * We should have a way to set the ticket lifetime, with a system default
+     * for root. 
+     */
+    {
+	char prompt[128];
+	char passw[256];
+
+	snprintf (prompt, sizeof(prompt),
+		  "%s's Password: ",
+		  krb_unparse_name_long ((uid == 0 ? username : user),
+					 (uid == 0 ? root_inst : ""),
+					 lrealm));
+	if (des_read_pw_string (passw, sizeof (passw), prompt, 0)) {
+	    memset (passw, 0, sizeof (passw));
+	    return (1);
+	}
+	if (strlen(passw) == 0)
+	    return (1);		/* Empty passwords is not allowed */
+	kerno = krb_get_pw_in_tkt ((uid == 0 ? username : user),
+				   (uid == 0 ? root_inst : ""), lrealm,
+				   KRB_TICKET_GRANTING_TICKET,
+				   lrealm,
+				   DEFAULT_TKT_LIFE,
+				   passw);
+	memset (passw, 0, strlen (passw));
+    }
+
+    if (kerno != KSUCCESS) {
+	if (kerno == KDC_PR_UNKNOWN) {
+	    warnx ("principal unknown: %s",
+		   krb_unparse_name_long ((uid == 0 ? username : user),
+					  (uid == 0 ? root_inst : ""),
+					  lrealm));
+	    return (1);
+	}
+	warnx ("unable to su: %s", krb_get_err_text (kerno));
+	syslog (LOG_NOTICE | LOG_AUTH,
+		"BAD SU: %s to %s%s: %s",
+		username, user, ontty (), krb_get_err_text (kerno));
+	return (1);
+    }
+    if (chown (krbtkfile, uid, -1) < 0) {
+	warn ("chown");
+	unlink (krbtkfile);
+	return (1);
+    }
+    setpriority (PRIO_PROCESS, 0, -2);
+
+    if (gethostname (hostname, sizeof (hostname)) == -1) {
+	warn ("gethostname");
+	dest_tkt ();
+	return (1);
+    }
+    strlcpy (savehost, krb_get_phost (hostname), sizeof (savehost));
+
+    for (n = 1; krb_get_lrealm (tmp_realm, n) == KSUCCESS; ++n) {
+	kerno = krb_mk_req (&ticket, "rcmd", savehost, tmp_realm, 33);
+	if (kerno == 0)
+	    break;
+    }
+
+    if (kerno == KDC_PR_UNKNOWN) {
+	warnx ("Warning: TGT not verified.");
+	syslog (LOG_NOTICE | LOG_AUTH,
+		"%s to %s%s, TGT not verified (%s); "
+		"%s.%s not registered?",
+		username, user, ontty (), krb_get_err_text (kerno),
+		"rcmd", savehost);
+#ifdef KLOGIN_PARANOID
+	/*
+	 * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host, *
+	 * don't allow kerberos login, also log the error condition. 
+	 */
+	warnx ("Trying local password!");
+	return (1);
+#endif
+    } else if (kerno != KSUCCESS) {
+	warnx ("Unable to use TGT: %s", krb_get_err_text (kerno));
+	syslog (LOG_NOTICE | LOG_AUTH, "failed su: %s to %s%s: %s",
+		username, user, ontty (), krb_get_err_text (kerno));
+	dest_tkt ();
+	return (1);
+    } else {
+	if (!(hp = gethostbyname (hostname))) {
+	    warnx ("can't get addr of %s", hostname);
+	    dest_tkt ();
+	    return (1);
+	}
+	memcpy (&faddr, hp->h_addr, sizeof (faddr));
+
+	if ((kerno = krb_rd_req (&ticket, "rcmd", savehost, faddr,
+				 &authdata, "")) != KSUCCESS) {
+	    warnx ("unable to verify rcmd ticket: %s",
+		   krb_get_err_text (kerno));
+	    syslog (LOG_NOTICE | LOG_AUTH,
+		    "failed su: %s to %s%s: %s", username,
+		    user, ontty (), krb_get_err_text (kerno));
+	    dest_tkt ();
+	    return (1);
+	}
+    }
+    if (!destroy_tickets)
+        fprintf (stderr, "Don't forget to kdestroy before exiting the shell.\n");
+    return (0);
+}
+
+static int
+koktologin (char *name, char *realm, char *toname)
+{
+    return krb_kuserok (name,
+			strcmp (toname, "root") == 0 ? root_inst : "",
+			realm,
+			toname);
+}
diff --git a/crypto/kerberosIV/appl/bsd/sysv_default.c b/crypto/kerberosIV/appl/bsd/sysv_default.c
new file mode 100644
index 0000000..e6b28a7
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/sysv_default.c
@@ -0,0 +1,95 @@
+/* Author: Wietse Venema <wietse@wzv.win.tue.nl> */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: sysv_default.c,v 1.11 1999/03/13 21:15:24 assar Exp $");
+
+#include "sysv_default.h"
+
+ /*
+  * Default values for stuff that can be read from the defaults file. The
+  * SunOS 5.1 documentation is incomplete and often disagrees with reality.
+  */
+
+static char default_umask_value[] = "022";
+
+char   *default_console	= 0;
+char   *default_altsh	= "YES";
+char   *default_passreq	= "NO";
+char   *default_timezone= 0;
+char   *default_hz	= 0;
+char   *default_path	= _PATH_DEFPATH;
+char   *default_supath	= _PATH_DEFSUPATH;
+char   *default_ulimit	= 0;
+char   *default_timeout	= "180";
+char   *default_umask	= default_umask_value;
+char   *default_sleep	= "4";
+char   *default_maxtrys	= "5";
+
+static struct sysv_default {
+    char  **valptr;
+    char   *prefix;
+    int     prefix_len;
+} defaults[] = {
+    {&default_console,	"CONSOLE=",	sizeof("CONSOLE=") -1},
+    {&default_altsh,	"ALTSHELL=",	sizeof("ALTSHELL=") -1},
+    {&default_passreq,	"PASSREQ=",	sizeof("PASSREQ=") -1},
+    {&default_timezone,	"TIMEZONE=",	sizeof("TIMEZONE=") -1},
+    {&default_hz,	"HZ=",		sizeof("HZ=") -1},
+    {&default_path,	"PATH=",	sizeof("PATH=") -1},
+    {&default_supath,	"SUPATH=",	sizeof("SUPATH=") -1},
+    {&default_ulimit,	"ULIMIT=",	sizeof("ULIMIT=") -1},
+    {&default_timeout,	"TIMEOUT=",	sizeof("TIMEOUT=") -1},
+    {&default_umask,	"UMASK=",	sizeof("UMASK=") -1},
+    {&default_sleep,	"SLEEPTIME=",	sizeof("SLEEPTIME=") -1},
+    {&default_maxtrys,	"MAXTRYS=",	sizeof("MAXTRYS=") -1},
+    {0},
+};
+
+#define trim(s) { \
+	char   *cp = s + strlen(s); \
+	while (cp > s && isspace((unsigned char)cp[-1])) \
+	    cp--; \
+	*cp = 0; \
+}
+
+/* sysv_defaults - read login defaults file */
+
+void
+sysv_defaults()
+{
+    struct sysv_default *dp;
+    FILE   *fp;
+    char    buf[BUFSIZ];
+
+    if ((fp = fopen(_PATH_ETC_DEFAULT_LOGIN, "r"))) {
+
+	/* Stupid quadratic algorithm. */
+
+	while (fgets(buf, sizeof(buf), fp)) {
+
+	    /* Skip comments and blank lines. */
+
+	    if (buf[0] == '#')
+		continue;
+	    trim(buf);
+	    if (buf[0] == 0)
+		continue;
+
+	    /* Assign defaults from file. */
+
+#define STREQN(x,y,l) (x[0] == y[0] && strncmp(x,y,l) == 0)
+
+	    for (dp = defaults; dp->valptr; dp++) {
+		if (STREQN(buf, dp->prefix, dp->prefix_len)) {
+		    if ((*(dp->valptr) = strdup(buf + dp->prefix_len)) == 0) {
+			warnx("Insufficient memory resources - try later.");
+			sleepexit(1);
+		    }
+		    break;
+		}
+	    }
+	}
+	fclose(fp);
+    }
+}
diff --git a/crypto/kerberosIV/appl/bsd/sysv_default.h b/crypto/kerberosIV/appl/bsd/sysv_default.h
new file mode 100644
index 0000000..0056059
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/sysv_default.h
@@ -0,0 +1,18 @@
+/* Author: Wietse Venema <wietse@wzv.win.tue.nl> */
+
+/* $Id: sysv_default.h,v 1.5 1996/10/27 23:51:14 assar Exp $ */
+
+extern char *default_console;
+extern char *default_altsh;
+extern char *default_passreq;
+extern char *default_timezone;
+extern char *default_hz;
+extern char *default_path;
+extern char *default_supath;
+extern char *default_ulimit;
+extern char *default_timeout;
+extern char *default_umask;
+extern char *default_sleep;
+extern char *default_maxtrys;
+
+void sysv_defaults(void);
diff --git a/crypto/kerberosIV/appl/bsd/sysv_environ.c b/crypto/kerberosIV/appl/bsd/sysv_environ.c
new file mode 100644
index 0000000..3df800e
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/sysv_environ.c
@@ -0,0 +1,193 @@
+/* Author: Wietse Venema <wietse@wzv.win.tue.nl> */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: sysv_environ.c,v 1.23 1997/12/14 23:50:44 assar Exp $");
+
+#ifdef HAVE_ULIMIT_H
+#include <ulimit.h>
+#endif
+
+#ifndef UL_SETFSIZE
+#define UL_SETFSIZE 2
+#endif
+
+#include "sysv_default.h"
+
+/*
+ * Set 
+ */
+
+static void
+read_etc_environment (void)
+{
+    FILE *f;
+    char buf[BUFSIZ];
+
+    f = fopen(_PATH_ETC_ENVIRONMENT, "r");
+    if (f) {
+	char *val;
+
+	while (fgets (buf, sizeof(buf), f) != NULL) {
+	    if (buf[0] == '\n' || buf[0] == '#')
+		continue;
+	    buf[strlen(buf) - 1] = '\0';
+	    val = strchr (buf, '=');
+	    if (val == NULL)
+		continue;
+	    *val = '\0';
+	    setenv(buf, val + 1, 1);
+	}
+	fclose (f);
+    }
+}
+
+ /*
+  * Environment variables that are preserved (but may still be overruled by
+  * other means). Only TERM and TZ appear to survive (SunOS 5.1). These are
+  * typically inherited from the ttymon process.
+  */
+
+static struct preserved {
+    char   *name;
+    char   *value;
+} preserved[] = {
+    {"TZ", 0},
+    {"TERM", 0},
+    {0},
+};
+
+ /*
+  * Environment variables that are not preserved and that cannot be specified
+  * via commandline or stdin. Except for the LD_xxx (runtime linker) stuff,
+  * the list applies to most SYSV systems. The manpage mentions only that
+  * SHELL and PATH are censored. HOME, LOGNAME and MAIL are always
+  * overwritten; they are in the list to make the censoring explicit.
+  */
+
+static struct censored {
+    char   *prefix;
+    int     length;
+} censored[] = {
+  {"SHELL=",	sizeof("SHELL=") - 1},
+     {"HOME=",	sizeof("HOME=") - 1},
+     {"LOGNAME=",	sizeof("LOGNAME=") - 1},
+     {"MAIL=",	sizeof("MAIL=") - 1},
+     {"CDPATH=",	sizeof("CDPATH=") - 1},
+     {"IFS=",	sizeof("IFS=") - 1},
+     {"PATH=",	sizeof("PATH=") - 1},
+    {"LD_",	sizeof("LD_") - 1},
+    {0},
+};
+
+/* sysv_newenv - set up final environment after logging in */
+
+void sysv_newenv(int argc, char **argv, struct passwd *pwd,
+		 char *term, int pflag)
+{
+    unsigned umask_val;
+    char    buf[BUFSIZ];
+    int     count = 0;
+    struct censored *cp;
+    struct preserved *pp;
+
+    /* Preserve a selection of the environment. */
+
+    for (pp = preserved; pp->name; pp++)
+	pp->value = getenv(pp->name);
+
+    /*
+     * Note: it is a bad idea to assign a static array to the global environ
+     * variable. Reason is that putenv() can run into problems when it tries
+     * to realloc() the environment table. Instead, we just clear environ[0]
+     * and let putenv() work things out.
+     */
+
+    if (!pflag && environ)
+	environ[0] = 0;
+
+    /* Restore preserved environment variables. */
+
+    for (pp = preserved; pp->name; pp++)
+	if (pp->value)
+	    setenv(pp->name, pp->value, 1);
+
+    /* The TERM definition from e.g. rlogind can override an existing one. */
+
+    if (term[0])
+	setenv("TERM", term, 1);
+
+    /*
+     * Environment definitions from the command line overrule existing ones,
+     * but can be overruled by definitions from stdin. Some variables are
+     * censored.
+     * 
+     * Omission: we do not support environment definitions from stdin.
+     */
+
+#define STREQN(x,y,l) (x[0] == y[0] && strncmp(x,y,l) == 0)
+
+    while (argc && *argv) {
+	if (strchr(*argv, '=') == 0) {
+	    snprintf(buf, sizeof(buf), "L%d", count++);
+	    setenv(buf, *argv, 1);
+	} else {
+	    for (cp = censored; cp->prefix; cp++)
+		if (STREQN(*argv, cp->prefix, cp->length))
+		    break;
+	    if (cp->prefix == 0)
+		putenv(*argv);
+	}
+	argc--, argv++;
+    }
+
+    /* PATH is always reset. */
+
+    setenv("PATH", pwd->pw_uid ? default_path : default_supath, 1);
+
+    /* Undocumented: HOME, MAIL and LOGNAME are always reset (SunOS 5.1). */
+
+    setenv("HOME", pwd->pw_dir, 1);
+    {
+	char *sep = "/";
+	if(KRB4_MAILDIR[strlen(KRB4_MAILDIR) - 1] == '/')
+	    sep = "";
+	roken_concat(buf, sizeof(buf), KRB4_MAILDIR, sep, pwd->pw_name, NULL);
+    }
+    setenv("MAIL", buf, 1);
+    setenv("LOGNAME", pwd->pw_name, 1);
+    setenv("USER", pwd->pw_name, 1);
+
+    /*
+     * Variables that may be set according to specifications in the defaults
+     * file. HZ and TZ are set only if they are still uninitialized.
+     * 
+     * Extension: when ALTSHELL=YES, we set the SHELL variable even if it is
+     * /bin/sh.
+     */
+
+    if (strcasecmp(default_altsh, "YES") == 0)
+	setenv("SHELL", pwd->pw_shell, 1);
+    if (default_hz)
+	setenv("HZ", default_hz, 0);
+    if (default_timezone)
+	setenv("TZ", default_timezone, 0);
+
+    /* Non-environment stuff. */
+
+    if (default_umask) {
+	if (sscanf(default_umask, "%o", &umask_val) == 1 && umask_val)
+	    umask(umask_val);
+    }
+#ifdef HAVE_ULIMIT
+    if (default_ulimit) {
+	long    limit_val;
+
+	if (sscanf(default_ulimit, "%ld", &limit_val) == 1 && limit_val)
+	    if (ulimit(UL_SETFSIZE, limit_val) < 0)
+	        warn ("ulimit(UL_SETFSIZE, %ld)", limit_val);
+    }
+#endif
+    read_etc_environment();
+}
+
diff --git a/crypto/kerberosIV/appl/bsd/sysv_shadow.c b/crypto/kerberosIV/appl/bsd/sysv_shadow.c
new file mode 100644
index 0000000..99794bd
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/sysv_shadow.c
@@ -0,0 +1,45 @@
+/* Author: Wietse Venema <wietse@wzv.win.tue.nl> */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: sysv_shadow.c,v 1.8 1997/12/29 19:56:07 bg Exp $");
+
+#ifdef SYSV_SHADOW
+
+#include <sysv_shadow.h>
+
+/* sysv_expire - check account and password expiration times */
+
+int
+sysv_expire(struct spwd *spwd)
+{
+    long    today;
+
+    tzset();
+    today = time(0)/(60*60*24);	/* In days since Jan. 1, 1970 */
+
+    if (spwd->sp_expire > 0) {
+	if (today > spwd->sp_expire) {
+	    printf("Your account has expired.\n");
+	    sleepexit(1);
+	} else if (spwd->sp_expire - today < 14) {
+	    printf("Your account will expire in %d days.\n",
+		   (int)(spwd->sp_expire - today));
+	    return (0);
+	}
+    }
+    if (spwd->sp_max > 0) {
+	if (today > (spwd->sp_lstchg + spwd->sp_max)) {
+	    printf("Your password has expired. Choose a new one.\n");
+	    return (1);
+	} else if (spwd->sp_warn > 0
+	    && (today > (spwd->sp_lstchg + spwd->sp_max - spwd->sp_warn))) {
+	    printf("Your password will expire in %d days.\n",
+		   (int)(spwd->sp_lstchg + spwd->sp_max - today));
+	    return (0);
+	}
+    }
+    return (0);
+}
+
+#endif /* SYSV_SHADOW */
diff --git a/crypto/kerberosIV/appl/bsd/sysv_shadow.h b/crypto/kerberosIV/appl/bsd/sysv_shadow.h
new file mode 100644
index 0000000..339035b
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/sysv_shadow.h
@@ -0,0 +1,5 @@
+/* $Id: sysv_shadow.h,v 1.7 1999/03/13 21:15:43 assar Exp $ */
+
+#include <shadow.h>
+
+int sysv_expire(struct spwd *);
diff --git a/crypto/kerberosIV/appl/bsd/tty.c b/crypto/kerberosIV/appl/bsd/tty.c
new file mode 100644
index 0000000..2a903db
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/tty.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: tty.c,v 1.3 1999/12/02 16:58:28 joda Exp $");
+
+/*
+ * Clean the tty name.  Return a pointer to the cleaned version.
+ */
+
+char *
+clean_ttyname (char *tty)
+{
+  char *res = tty;
+
+  if (strncmp (res, _PATH_DEV, strlen(_PATH_DEV)) == 0)
+    res += strlen(_PATH_DEV);
+  if (strncmp (res, "pty/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "ptym/", 5) == 0)
+    res += 5;
+  return res;
+}
+
+/*
+ * Generate a name usable as an `ut_id', typically without `tty'.
+ */
+
+char *
+make_id (char *tty)
+{
+  char *res = tty;
+  
+  if (strncmp (res, "pts/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "tty", 3) == 0)
+    res += 3;
+  return res;
+}
diff --git a/crypto/kerberosIV/appl/bsd/utmp_login.c b/crypto/kerberosIV/appl/bsd/utmp_login.c
new file mode 100644
index 0000000..d2879fe
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/utmp_login.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: utmp_login.c,v 1.16 1999/12/02 16:58:29 joda Exp $");
+
+#ifdef HAVE_UTMP_H
+void
+prepare_utmp (struct utmp *utmp, char *tty, char *username, char *hostname)
+{
+    char *ttyx = clean_ttyname (tty);
+
+    memset(utmp, 0, sizeof(*utmp));
+    utmp->ut_time = time(NULL);
+    strncpy(utmp->ut_line, ttyx, sizeof(utmp->ut_line));
+    strncpy(utmp->ut_name, username, sizeof(utmp->ut_name));
+
+# ifdef HAVE_STRUCT_UTMP_UT_USER
+    strncpy(utmp->ut_user, username, sizeof(utmp->ut_user));
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_ADDR
+    if (hostname[0]) {
+        struct hostent *he;
+	if ((he = gethostbyname(hostname)))
+	    memcpy(&utmp->ut_addr, he->h_addr_list[0],
+		   sizeof(utmp->ut_addr));
+    }
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_HOST
+    strncpy(utmp->ut_host, hostname, sizeof(utmp->ut_host));
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_TYPE
+    utmp->ut_type = USER_PROCESS;
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_PID
+    utmp->ut_pid = getpid();
+# endif
+
+# ifdef HAVE_STRUCT_UTMP_UT_ID
+    strncpy(utmp->ut_id, make_id(ttyx), sizeof(utmp->ut_id));
+# endif
+}
+#endif
+
+#ifdef HAVE_UTMPX_H
+void utmp_login(char *tty, char *username, char *hostname) { return; }
+#else
+
+/* update utmp and wtmp - the BSD way */
+
+void utmp_login(char *tty, char *username, char *hostname)
+{
+    struct utmp utmp;
+    int fd;
+
+    prepare_utmp (&utmp, tty, username, hostname);
+
+#ifdef HAVE_SETUTENT
+    utmpname(_PATH_UTMP);
+    setutent();
+    pututline(&utmp);
+    endutent();
+#else
+
+#ifdef HAVE_TTYSLOT
+    {
+      int ttyno;
+      ttyno = ttyslot();
+      if (ttyno > 0 && (fd = open(_PATH_UTMP, O_WRONLY, 0)) >= 0) {
+	lseek(fd, (long)(ttyno * sizeof(struct utmp)), SEEK_SET);
+	write(fd, &utmp, sizeof(struct utmp));
+	close(fd);
+      }
+    }
+#endif /* HAVE_TTYSLOT */
+#endif /* HAVE_SETUTENT */
+
+    if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
+	write(fd, &utmp, sizeof(struct utmp));
+	close(fd);
+    }
+}
+#endif /* !HAVE_UTMPX_H */
diff --git a/crypto/kerberosIV/appl/bsd/utmpx_login.c b/crypto/kerberosIV/appl/bsd/utmpx_login.c
new file mode 100644
index 0000000..acc6a154
--- /dev/null
+++ b/crypto/kerberosIV/appl/bsd/utmpx_login.c
@@ -0,0 +1,88 @@
+/* Author: Wietse Venema <wietse@wzv.win.tue.nl> */
+
+#include "bsd_locl.h"
+
+RCSID("$Id: utmpx_login.c,v 1.21 1999/03/29 17:57:31 joda Exp $");
+
+/* utmpx_login - update utmp and wtmp after login */
+
+#ifndef HAVE_UTMPX_H
+int utmpx_login(char *line, char *user, char *host) { return 0; }
+#else
+
+static void
+utmpx_update(struct utmpx *ut, char *line, char *user, char *host)
+{
+    struct timeval tmp;
+    char *clean_tty = clean_ttyname(line);
+
+    strncpy(ut->ut_line, clean_tty, sizeof(ut->ut_line));
+#ifdef HAVE_STRUCT_UTMPX_UT_ID
+    strncpy(ut->ut_id, make_id(clean_tty), sizeof(ut->ut_id));
+#endif
+    strncpy(ut->ut_user, user, sizeof(ut->ut_user));
+    strncpy(ut->ut_host, host, sizeof(ut->ut_host));
+#ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN
+    ut->ut_syslen = strlen(host) + 1;
+    if (ut->ut_syslen > sizeof(ut->ut_host))
+        ut->ut_syslen = sizeof(ut->ut_host);
+#endif
+    ut->ut_type = USER_PROCESS;
+    gettimeofday (&tmp, 0);
+    ut->ut_tv.tv_sec = tmp.tv_sec;
+    ut->ut_tv.tv_usec = tmp.tv_usec;
+    pututxline(ut);
+#ifdef WTMPX_FILE
+    updwtmpx(WTMPX_FILE, ut);
+#elif defined(WTMP_FILE)
+    {
+	struct utmp utmp;
+	int fd;
+
+	prepare_utmp (&utmp, line, user, host);
+	if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
+	    write(fd, &utmp, sizeof(struct utmp));
+	    close(fd);
+	}
+    }
+#endif
+}
+
+int
+utmpx_login(char *line, char *user, char *host)
+{
+    struct utmpx *ut;
+    pid_t   mypid = getpid();
+    int     ret = (-1);
+
+    /*
+     * SYSV4 ttymon and login use tty port names with the "/dev/" prefix
+     * stripped off. Rlogind and telnetd, on the other hand, make utmpx
+     * entries with device names like /dev/pts/nnn. We therefore cannot use
+     * getutxline(). Return nonzero if no utmp entry was found with our own
+     * process ID for a login or user process.
+     */
+
+    while ((ut = getutxent())) {
+        /* Try to find a reusable entry */
+	if (ut->ut_pid == mypid
+	    && (   ut->ut_type == INIT_PROCESS
+		|| ut->ut_type == LOGIN_PROCESS
+		|| ut->ut_type == USER_PROCESS)) {
+	    utmpx_update(ut, line, user, host);
+	    ret = 0;
+	    break;
+	}
+    }
+    if (ret == -1) {
+        /* Grow utmpx file by one record. */
+        struct utmpx newut;
+	memset(&newut, 0, sizeof(newut));
+	newut.ut_pid = mypid;
+        utmpx_update(&newut, line, user, host);
+	ret = 0;
+    }
+    endutxent();
+    return (ret);
+}
+#endif /* HAVE_UTMPX_H */
diff --git a/crypto/kerberosIV/appl/ftp/ChangeLog b/crypto/kerberosIV/appl/ftp/ChangeLog
new file mode 100644
index 0000000..0136a4b
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ChangeLog
@@ -0,0 +1,384 @@
+2000-03-26  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c, ftpd/ftpcmd.y, ftp/cmds.c: make sure to always call
+	time, ctime, and gmtime with `time_t's.  there were some types
+	(like in lastlog) that we believed to always be time_t.  this has
+	proven wrong on Solaris 8 in 64-bit mode, where they are stored as
+	32-bit quantities but time_t has gone up to 64 bits
+
+1999-11-30  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (getdatasock): make sure to keep the port-number of
+ 	the outgoing connections.  It has to be `ftp-data' or some people
+ 	might get upset.
+
+	* ftpd/ftpd.c (args): set correct variable when `-l' so that
+ 	logging actually works
+
+1999-11-29  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c (sec_login): check return value from realloc
+	(sec_end): set app_data to NULL
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* ftp/krb4.c (krb4_auth): obtain the `local' address when doing
+	NAT.  also turn on passive mode.  From <thn@stacken.kth.se>
+
+1999-11-20  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (make_fileinfo): cast to allow for non-const
+ 	prototypes of readlink
+
+1999-11-12  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (args): use arg_counter for `l'
+	
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (S_ISSOCK, S_ISLNK): fallback definitions for systems
+ 	that don't have them (such as ultrix)
+
+1999-10-29  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (make_fileinfo): cast uid's and gid's to unsigned in
+ 	printf, we don't know what types they might be.
+	(lstat_file): conditionalize the kafs part on KRB4
+
+	* ftpd/ftpd_locl.h: <sys/ioccom.h> is needed for kafs.h
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c (lstat_file): don't set st_mode, it should already be
+ 	correct
+
+	* ftpd/ls.c: don't use warnx to print errors
+
+	* ftpd/ls.c (builtin_ls): fix typo, 'd' shouldn't imply 'f'
+
+	* ftpd/ls.c (lstat_file): new function for avoiding stating AFS
+ 	mount points.  From Love <lha@s3.kth.se>
+	(list_files): use `lstat_file'
+
+	* ftpd/ftpd.c: some const-poisoning
+
+	* ftpd/ftpd.c (args): add `-B' as an alias for `--builtin-ls' to
+ 	allow for stupid inetds that only support two arguments.  From
+ 	Love <lha@s3.kth.se>
+
+1999-10-26  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y (help): it's unnecessary to interpret help strings
+ 	as printf commands
+
+	* ftpd/ftpd.c (show_issue): don't interpret contents of
+ 	/etc/issue* as printf commands.  From Brian A May
+ 	<bmay@dgs.monash.edu.au>
+
+1999-10-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/kauth.c (kauth): complain if protection level isn't
+	`private'
+
+	* ftp/krb4.c (krb4_decode): syslog failure reason
+
+	* ftp/kauth.c (kauth): set private level earlier
+
+	* ftp/security.c: get_command_prot; (sec_prot): partially match
+	`command' and `data'
+
+1999-10-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c: change `-l' flag to use arg_collect (this makes
+	`-ll' work again)
+
+	* ftpd/ftpd.c (list_file): pass filename to ls
+
+1999-10-04  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpcmd.y: FEAT
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ls.c: fall-back definitions for constans and casts for
+ 	printfs
+
+1999-10-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (main): make this use getarg; add `list_file'
+
+	* ftpd/ftpcmd.y (LIST): call list_file
+
+	* ftpd/ls.c: add simple built-in ls
+
+	* ftp/security.c: add `sec_vfprintf2' and `sec_fprintf2' that
+	prints to the data stream
+
+	* ftp/kauth.c (kauth): make sure we're using private protection
+	level
+
+	* ftp/security.c (set_command_prot): set command protection level
+
+	* ftp/security.c: make it possible to set the command protection
+	level with `prot'
+
+1999-09-30  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd_locl.h: add prototype for fclose to make sunos happy
+
+1999-08-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (do_login): show issue-file
+	(send_data): change handling of zero-byte files
+
+1999-08-18  Assar Westerlund  <assar@sics.se>
+
+	* ftp/cmds.c (getit): be more suspicious when parsing the result
+ 	of MDTM.  Do the comparison of timestamps correctly.
+
+1999-08-13  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (send_data): avoid calling mmap with `len == 0'.
+  	Some mmap:s rather dislike that (Solaris) and some munmap (Linux)
+ 	get grumpy later.
+
+	* ftp/ftp.c (copy_stream): avoid calling mmap with `len == 0'.
+  	Some mmap:s rather dislike that (Solaris) and some munmap (Linux)
+ 	get grumpy later.
+
+1999-08-03  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (active_mode): hide failure of EPRT by setting verbose
+
+	* ftp/gssapi.c (gss_auth): initialize application_data in bindings
+
+1999-08-02  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y: save file names when doing commands that might
+ 	get aborted (and longjmp:ed out of) to avoid overwriting them also
+ 	remove extra closing brace
+
+1999-08-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpcmd.y: change `site find' to `site locate' (to match
+	what it does, and other implementations) keep find as an alias
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* common/socket.c: moved to roken
+
+	* common/socket.c: new file with generic socket functions
+
+	* ftpd/ftpd.c: make it more AF-neutral and v6-capable
+
+	* ftpd/ftpcmd.y: add EPRT and EPSV
+
+	* ftpd/extern.h: update prototypes and variables
+
+	* ftp/krb4.c: update to new types of addresses
+
+	* ftp/gssapi.c: add support for both AF_INET and AF_INET6
+ 	addresses
+
+	* ftp/ftp.c: make it more AF-neutral and v6-capable
+
+	* ftp/extern.h (hookup): change prototype
+
+	* common/common.h: add prototypes for functions in socket.c
+
+	* common/Makefile.am (libcommon_a_SOURCES): add socket.c
+
+	* ftp/gssapi.c (gss_auth): check return value from
+ 	`gss_import_name' and print error messages if it fails
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* ftp/krb4.c (krb4_auth): type correctness
+
+1999-06-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftp/ftp.c (sendrequest): lmode != rmode
+	
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* ftp/extern.h (sendrequest): update prototype
+
+	* ftp/cmds.c: update calls to sendrequest and recvrequest to send
+ 	"b" when appropriate
+
+	* ftp/ftp.c (sendrequest): add argument for mode to open file in.
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y: rename getline -> ftpd_getline
+
+	* ftp/main.c (makeargv): fill in unused slots with NULL
+
+Thu Apr  8 15:06:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/ftpd.c: remove definition of KRB_VERIFY_USER (moved to
+ 	config.h)
+
+Wed Apr  7 16:15:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftp/gssapi.c (gss_auth): call gss_display_status to get a sane
+ 	error message; return AUTH_{CONTINUE,ERROR}, where appropriate
+
+	* ftp/krb4.c: return AUTH_{CONTINUE,ERROR}, where appropriate
+
+	* ftp/security.c (sec_login): if mechanism returns AUTH_CONTINUE,
+ 	just continue with the next mechanism, this fixes the case of
+ 	having GSSAPI fail because of non-existant of expired tickets
+
+	* ftp/security.h: add AUTH_{OK,CONTINUE,ERROR}
+
+Thu Apr  1 16:59:04 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/Makefile.am: don't run check-local
+
+	* ftp/Makefile.am: don't run check-local
+
+Mon Mar 22 22:15:18 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (pass): fall-back for KRB_VERIFY_SECURE
+
+	* ftpd/ftpd.c (pass): 1 -> KRB_VERIFY_SECURE
+
+Thu Mar 18 12:07:09 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/Makefile.am: clean ftpcmd.c
+
+	* ftpd/ftpd_locl.h: remove krb5.h (breaks in ftpcmd.y)
+
+	* ftpd/ftpd.c: move include of krb5.h here
+
+	* ftpd/Makefile.am: include Makefile.am.common
+
+	* Makefile.am: include Makefile.am.common
+
+	* ftp/Makefile.am: include Makefile.am.common
+
+	* common/Makefile.am: include Makefile.am.common
+
+Tue Mar 16 22:28:37 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd_locl.h: add krb5.h to get heimdal_version
+
+	* ftpd/ftpd.c: krb_verify_user_multiple -> krb_verify_user
+
+Thu Mar 11 14:54:59 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftp/Makefile.in: WFLAGS
+
+	* ftp/ruserpass.c: add some if-braces
+
+Wed Mar 10 20:02:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/ftpd_locl.h: remove ifdef HAVE_FNMATCH
+
+Mon Mar  8 21:29:24 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/ftpd.c: re-add version in greeting message
+
+Mon Mar  1 10:49:38 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/logwtmp.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+Mon Feb 22 19:20:51 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* common/Makefile.in: remove glob
+
+Sat Feb 13 17:19:35 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (match): remove #ifdef HAVE_FNMATCH.  We have a
+ 	fnmatch implementation in roken and therefore always have it.
+
+	* ftp/ftp.c (copy_stream): initialize `werr'
+
+Wed Jan 13 23:52:57 1999  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpcmd.y: moved all check_login and check_login_no_guest to
+ 	the end of the rules to ensure we don't generate several
+ 	(independent) error messages.  once again, having a yacc-grammar
+ 	for FTP with embedded actions doesn't strike me as the most
+ 	optimal way of doing it.
+
+Tue Dec  1 14:44:29 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* ftpd/Makefile.am: link with extra libs for aix
+
+Sun Nov 22 10:28:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c (retrying): support on-the-fly decompression
+
+	* ftpd/Makefile.in (WFLAGS): set
+
+	* ftp/ruserpass.c (guess_domain): new function
+	(ruserpass): use it
+
+	* common/Makefile.in (WFLAGS): set
+
+	* Makefile.in (WFLAGS): set
+
+Sat Nov 21 23:13:03 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c: some more type correctness.
+
+	* ftp/gssapi.c (gss_adat): more braces to shut up warnings
+
+Wed Nov 18 21:47:55 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/main.c (main): new option `-p' for enable passive mode.
+
+Mon Nov  2 01:57:49 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c (getreply): remove extra `break'
+
+	* ftp/gssapi.c (gss_auth): fixo typo(copyo?)
+
+	* ftp/security.c (sec_login): fix loop and return value
+
+Tue Sep  1 16:56:42 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/cmds.c (quote1): fix % quoting bug
+
+Fri Aug 14 17:10:06 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/krb4.c: krb_put_int -> KRB_PUT_INT
+
+Tue Jun 30 18:07:15 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c (auth): free `app_data'
+	(sec_end): only destroy if it was initialized
+
+Tue Jun  9 21:01:59 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/krb4.c: pass client address to krb_rd_req
+
+Sat May 16 00:02:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/Makefile.am: link with DBLIB
+
+Tue May 12 14:15:32 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/gssapi.c: Save client name for userok().
+
+	* ftpd/gss_userok.c: Userok for gssapi.
+
+Fri May  1 07:15:01 1998  Assar Westerlund  <assar@sics.se>
+
+	* ftp/ftp.c: unifdef -DHAVE_H_ERRNO
+
+Fri Mar 27 00:46:07 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Make compile w/o krb4.
+
+Thu Mar 26 03:49:12 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* ftp/*, ftpd/*: Changes for new framework.
+
+	* ftp/gssapi.c: GSS-API backend for the new security framework.
+
+	* ftp/krb4.c: Updated for new framework.
+
+	* ftp/security.{c,h}: New unified security framework.
diff --git a/crypto/kerberosIV/appl/ftp/Makefile.am b/crypto/kerberosIV/appl/ftp/Makefile.am
new file mode 100644
index 0000000..f8831a3
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/Makefile.am
@@ -0,0 +1,5 @@
+# $Id: Makefile.am,v 1.5 1999/03/20 13:58:14 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = common ftp ftpd
diff --git a/crypto/kerberosIV/appl/ftp/Makefile.in b/crypto/kerberosIV/appl/ftp/Makefile.in
new file mode 100644
index 0000000..68546ab
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/Makefile.in
@@ -0,0 +1,44 @@
+# $Id: Makefile.in,v 1.12 1999/03/10 19:01:11 joda Exp $
+
+srcdir		= @srcdir@
+top_srcdir	= @top_srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+@SET_MAKE@
+
+CC 	= @CC@
+RANLIB 	= @RANLIB@
+DEFS 	= @DEFS@
+CFLAGS 	= @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+
+INSTALL = @INSTALL@
+
+prefix 	= @prefix@
+
+SUBDIRS=common ftp ftpd
+
+all:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) all); done
+
+install: all
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) install); done
+
+uninstall:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) uninstall); done
+
+clean cleandir:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) clean); done
+
+distclean: 
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) distclean); done
+	rm -f Makefile *~
+
+.PHONY: all install uninstall clean cleandir distclean
diff --git a/crypto/kerberosIV/appl/ftp/common/Makefile.am b/crypto/kerberosIV/appl/ftp/common/Makefile.am
new file mode 100644
index 0000000..4fab07b
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/common/Makefile.am
@@ -0,0 +1,12 @@
+# $Id: Makefile.am,v 1.9 1999/07/28 21:15:06 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) 
+
+noinst_LIBRARIES = libcommon.a
+
+libcommon_a_SOURCES = \
+	sockbuf.c \
+	buffer.c \
+	common.h
diff --git a/crypto/kerberosIV/appl/ftp/common/Makefile.in b/crypto/kerberosIV/appl/ftp/common/Makefile.in
new file mode 100644
index 0000000..b00bd0a
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/common/Makefile.in
@@ -0,0 +1,55 @@
+# $Id: Makefile.in,v 1.23 1999/03/10 19:01:11 joda Exp $
+
+SHELL		= /bin/sh
+
+srcdir		= @srcdir@
+top_srcdir	= @top_srcdir@
+VPATH		= @srcdir@
+
+CC 	= @CC@
+AR	= ar
+RANLIB 	= @RANLIB@
+DEFS 	= @DEFS@
+CFLAGS 	= @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+
+INSTALL = @INSTALL@
+
+prefix 	= @prefix@
+
+SOURCES = sockbuf.c buffer.c
+OBJECTS = $(libcommon_OBJS)
+
+libcommon_OBJS = sockbuf.o buffer.o
+
+LIBNAME = $(LIBPREFIX)common
+LIBEXT = a
+LIBPREFIX = @LIBPREFIX@
+LIB = $(LIBNAME).$(LIBEXT)
+
+all: $(LIB)
+
+.c.o:
+	$(CC) -c -I$(srcdir) -I../../../include $(DEFS) $(CFLAGS) $(CPPFLAGS) $<
+
+$(LIB): $(libcommon_OBJS)
+	rm -f $@
+	ar cr $@ $(libcommon_OBJS)
+	-$(RANLIB) $@
+
+install:
+
+uninstall:
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+clean cleandir:
+	rm -f *~ *.o libcommon.a core \#*
+
+distclean: 
+	rm -f Makefile
+
+$(OBJECTS): ../../../include/config.h
+
+.PHONY: all install uninstall clean cleandir distclean
diff --git a/crypto/kerberosIV/appl/ftp/common/base64.c b/crypto/kerberosIV/appl/ftp/common/base64.c
new file mode 100644
index 0000000..648f32d
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/common/base64.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: base64.c,v 1.6 1997/05/30 17:24:06 assar Exp $");
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include "base64.h"
+
+static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+static int pos(char c)
+{
+  char *p;
+  for(p = base64; *p; p++)
+    if(*p == c)
+      return p - base64;
+  return -1;
+}
+
+int base64_encode(const void *data, int size, char **str)
+{
+  char *s, *p;
+  int i;
+  int c;
+  unsigned char *q;
+
+  p = s = (char*)malloc(size*4/3+4);
+  q = (unsigned char*)data;
+  i=0;
+  for(i = 0; i < size;){
+    c=q[i++];
+    c*=256;
+    if(i < size)
+      c+=q[i];
+    i++;
+    c*=256;
+    if(i < size)
+      c+=q[i];
+    i++;
+    p[0]=base64[(c&0x00fc0000) >> 18];
+    p[1]=base64[(c&0x0003f000) >> 12];
+    p[2]=base64[(c&0x00000fc0) >> 6];
+    p[3]=base64[(c&0x0000003f) >> 0];
+    if(i > size)
+      p[3]='=';
+    if(i > size+1)
+      p[2]='=';
+    p+=4;
+  }
+  *p=0;
+  *str = s;
+  return strlen(s);
+}
+
+int base64_decode(const char *str, void *data)
+{
+  const char *p;
+  unsigned char *q;
+  int c;
+  int x;
+  int done = 0;
+  q=(unsigned char*)data;
+  for(p=str; *p && !done; p+=4){
+    x = pos(p[0]);
+    if(x >= 0)
+      c = x;
+    else{
+      done = 3;
+      break;
+    }
+    c*=64;
+    
+    x = pos(p[1]);
+    if(x >= 0)
+      c += x;
+    else
+      return -1;
+    c*=64;
+    
+    if(p[2] == '=')
+      done++;
+    else{
+      x = pos(p[2]);
+      if(x >= 0)
+	c += x;
+      else
+	return -1;
+    }
+    c*=64;
+    
+    if(p[3] == '=')
+      done++;
+    else{
+      if(done)
+	return -1;
+      x = pos(p[3]);
+      if(x >= 0)
+	c += x;
+      else
+	return -1;
+    }
+    if(done < 3)
+      *q++=(c&0x00ff0000)>>16;
+      
+    if(done < 2)
+      *q++=(c&0x0000ff00)>>8;
+    if(done < 1)
+      *q++=(c&0x000000ff)>>0;
+  }
+  return q - (unsigned char*)data;
+}
diff --git a/crypto/kerberosIV/appl/ftp/common/base64.h b/crypto/kerberosIV/appl/ftp/common/base64.h
new file mode 100644
index 0000000..fe799a2
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/common/base64.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: base64.h,v 1.5 1997/04/01 08:17:19 joda Exp $ */
+
+#ifndef _BASE64_H_
+#define _BASE64_H_
+
+int base64_encode(const void *data, int size, char **str);
+int base64_decode(const char *str, void *data);
+
+#endif
diff --git a/crypto/kerberosIV/appl/ftp/common/buffer.c b/crypto/kerberosIV/appl/ftp/common/buffer.c
new file mode 100644
index 0000000..0385d49
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/common/buffer.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "common.h"
+#include <stdio.h>
+#include <err.h>
+#include "roken.h"
+
+RCSID("$Id: buffer.c,v 1.3 1999/12/02 16:58:29 joda Exp $");
+
+/*
+ * Allocate a buffer enough to handle st->st_blksize, if
+ * there is such a field, otherwise BUFSIZ.
+ */
+
+void *
+alloc_buffer (void *oldbuf, size_t *sz, struct stat *st)
+{
+    size_t new_sz;
+
+    new_sz = BUFSIZ;
+#ifdef HAVE_ST_BLKSIZE
+    if (st)
+	new_sz = max(BUFSIZ, st->st_blksize);
+#endif
+    if(new_sz > *sz) {
+	if (oldbuf)
+	    free (oldbuf);
+	oldbuf = malloc (new_sz);
+	if (oldbuf == NULL) {
+	    warn ("malloc");
+	    *sz = 0;
+	    return NULL;
+	}
+	*sz = new_sz;
+    }
+    return oldbuf;
+}
+
diff --git a/crypto/kerberosIV/appl/ftp/common/common.h b/crypto/kerberosIV/appl/ftp/common/common.h
new file mode 100644
index 0000000..5949b25
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/common/common.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: common.h,v 1.12 1999/12/02 16:58:29 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifndef __COMMON_H__
+#define __COMMON_H__
+
+#include "base64.h"
+
+void set_buffer_size(int, int);
+
+#include <stdlib.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+void *alloc_buffer (void *oldbuf, size_t *sz, struct stat *st);
+
+#endif /* __COMMON_H__ */
diff --git a/crypto/kerberosIV/appl/ftp/common/glob.c b/crypto/kerberosIV/appl/ftp/common/glob.c
new file mode 100644
index 0000000..8f19d7c
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/common/glob.c
@@ -0,0 +1,835 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * glob(3) -- a superset of the one defined in POSIX 1003.2.
+ *
+ * The [!...] convention to negate a range is supported (SysV, Posix, ksh).
+ *
+ * Optional extra services, controlled by flags not defined by POSIX:
+ *
+ * GLOB_QUOTE:
+ *	Escaping convention: \ inhibits any special meaning the following
+ *	character might have (except \ at end of string is retained).
+ * GLOB_MAGCHAR:
+ *	Set in gl_flags if pattern contained a globbing character.
+ * GLOB_NOMAGIC:
+ *	Same as GLOB_NOCHECK, but it will only append pattern if it did
+ *	not contain any magic characters.  [Used in csh style globbing]
+ * GLOB_ALTDIRFUNC:
+ *	Use alternately specified directory access functions.
+ * GLOB_TILDE:
+ *	expand ~user/foo to the /home/dir/of/user/foo
+ * GLOB_BRACE:
+ *	expand {1,2}{a,b} to 1a 1b 2a 2b 
+ * gl_matchc:
+ *	Number of matches in the current invocation of glob.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+#include <ctype.h>
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+#include <errno.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "glob.h"
+#include "roken.h"
+
+#define	CHAR_DOLLAR		'$'
+#define	CHAR_DOT		'.'
+#define	CHAR_EOS		'\0'
+#define	CHAR_LBRACKET		'['
+#define	CHAR_NOT		'!'
+#define	CHAR_QUESTION		'?'
+#define	CHAR_QUOTE		'\\'
+#define	CHAR_RANGE		'-'
+#define	CHAR_RBRACKET		']'
+#define	CHAR_SEP		'/'
+#define	CHAR_STAR		'*'
+#define	CHAR_TILDE		'~'
+#define	CHAR_UNDERSCORE		'_'
+#define	CHAR_LBRACE		'{'
+#define	CHAR_RBRACE		'}'
+#define	CHAR_SLASH		'/'
+#define	CHAR_COMMA		','
+
+#ifndef DEBUG
+
+#define	M_QUOTE		0x8000
+#define	M_PROTECT	0x4000
+#define	M_MASK		0xffff
+#define	M_ASCII		0x00ff
+
+typedef u_short Char;
+
+#else
+
+#define	M_QUOTE		0x80
+#define	M_PROTECT	0x40
+#define	M_MASK		0xff
+#define	M_ASCII		0x7f
+
+typedef char Char;
+
+#endif
+
+
+#define	CHAR(c)		((Char)((c)&M_ASCII))
+#define	META(c)		((Char)((c)|M_QUOTE))
+#define	M_ALL		META('*')
+#define	M_END		META(']')
+#define	M_NOT		META('!')
+#define	M_ONE		META('?')
+#define	M_RNG		META('-')
+#define	M_SET		META('[')
+#define	ismeta(c)	(((c)&M_QUOTE) != 0)
+
+
+static int	 compare (const void *, const void *);
+static void	 g_Ctoc (const Char *, char *);
+static int	 g_lstat (Char *, struct stat *, glob_t *);
+static DIR	*g_opendir (Char *, glob_t *);
+static Char	*g_strchr (Char *, int);
+#ifdef notdef
+static Char	*g_strcat (Char *, const Char *);
+#endif
+static int	 g_stat (Char *, struct stat *, glob_t *);
+static int	 glob0 (const Char *, glob_t *);
+static int	 glob1 (Char *, glob_t *);
+static int	 glob2 (Char *, Char *, Char *, glob_t *);
+static int	 glob3 (Char *, Char *, Char *, Char *, glob_t *);
+static int	 globextend (const Char *, glob_t *);
+static const Char *	 globtilde (const Char *, Char *, glob_t *);
+static int	 globexp1 (const Char *, glob_t *);
+static int	 globexp2 (const Char *, const Char *, glob_t *, int *);
+static int	 match (Char *, Char *, Char *);
+#ifdef DEBUG
+static void	 qprintf (const char *, Char *);
+#endif
+
+int
+glob(const char *pattern, 
+     int flags, 
+     int (*errfunc)(const char *, int), 
+     glob_t *pglob)
+{
+	const u_char *patnext;
+	int c;
+	Char *bufnext, *bufend, patbuf[MaxPathLen+1];
+
+	patnext = (u_char *) pattern;
+	if (!(flags & GLOB_APPEND)) {
+		pglob->gl_pathc = 0;
+		pglob->gl_pathv = NULL;
+		if (!(flags & GLOB_DOOFFS))
+			pglob->gl_offs = 0;
+	}
+	pglob->gl_flags = flags & ~GLOB_MAGCHAR;
+	pglob->gl_errfunc = errfunc;
+	pglob->gl_matchc = 0;
+
+	bufnext = patbuf;
+	bufend = bufnext + MaxPathLen;
+	if (flags & GLOB_QUOTE) {
+		/* Protect the quoted characters. */
+		while (bufnext < bufend && (c = *patnext++) != CHAR_EOS) 
+			if (c == CHAR_QUOTE) {
+				if ((c = *patnext++) == CHAR_EOS) {
+					c = CHAR_QUOTE;
+					--patnext;
+				}
+				*bufnext++ = c | M_PROTECT;
+			}
+			else
+				*bufnext++ = c;
+	}
+	else 
+	    while (bufnext < bufend && (c = *patnext++) != CHAR_EOS) 
+		    *bufnext++ = c;
+	*bufnext = CHAR_EOS;
+
+	if (flags & GLOB_BRACE)
+	    return globexp1(patbuf, pglob);
+	else
+	    return glob0(patbuf, pglob);
+}
+
+/*
+ * Expand recursively a glob {} pattern. When there is no more expansion
+ * invoke the standard globbing routine to glob the rest of the magic
+ * characters
+ */
+static int globexp1(const Char *pattern, glob_t *pglob)
+{
+	const Char* ptr = pattern;
+	int rv;
+
+	/* Protect a single {}, for find(1), like csh */
+	if (pattern[0] == CHAR_LBRACE && pattern[1] == CHAR_RBRACE && pattern[2] == CHAR_EOS)
+		return glob0(pattern, pglob);
+
+	while ((ptr = (const Char *) g_strchr((Char *) ptr, CHAR_LBRACE)) != NULL)
+		if (!globexp2(ptr, pattern, pglob, &rv))
+			return rv;
+
+	return glob0(pattern, pglob);
+}
+
+
+/*
+ * Recursive brace globbing helper. Tries to expand a single brace.
+ * If it succeeds then it invokes globexp1 with the new pattern.
+ * If it fails then it tries to glob the rest of the pattern and returns.
+ */
+static int globexp2(const Char *ptr, const Char *pattern, 
+		    glob_t *pglob, int *rv)
+{
+	int     i;
+	Char   *lm, *ls;
+	const Char *pe, *pm, *pl;
+	Char    patbuf[MaxPathLen + 1];
+
+	/* copy part up to the brace */
+	for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++)
+		continue;
+	ls = lm;
+
+	/* Find the balanced brace */
+	for (i = 0, pe = ++ptr; *pe; pe++)
+		if (*pe == CHAR_LBRACKET) {
+			/* Ignore everything between [] */
+			for (pm = pe++; *pe != CHAR_RBRACKET && *pe != CHAR_EOS; pe++)
+				continue;
+			if (*pe == CHAR_EOS) {
+				/* 
+				 * We could not find a matching CHAR_RBRACKET.
+				 * Ignore and just look for CHAR_RBRACE
+				 */
+				pe = pm;
+			}
+		}
+		else if (*pe == CHAR_LBRACE)
+			i++;
+		else if (*pe == CHAR_RBRACE) {
+			if (i == 0)
+				break;
+			i--;
+		}
+
+	/* Non matching braces; just glob the pattern */
+	if (i != 0 || *pe == CHAR_EOS) {
+		*rv = glob0(patbuf, pglob);
+		return 0;
+	}
+
+	for (i = 0, pl = pm = ptr; pm <= pe; pm++)
+		switch (*pm) {
+		case CHAR_LBRACKET:
+			/* Ignore everything between [] */
+			for (pl = pm++; *pm != CHAR_RBRACKET && *pm != CHAR_EOS; pm++)
+				continue;
+			if (*pm == CHAR_EOS) {
+				/* 
+				 * We could not find a matching CHAR_RBRACKET.
+				 * Ignore and just look for CHAR_RBRACE
+				 */
+				pm = pl;
+			}
+			break;
+
+		case CHAR_LBRACE:
+			i++;
+			break;
+
+		case CHAR_RBRACE:
+			if (i) {
+			    i--;
+			    break;
+			}
+			/* FALLTHROUGH */
+		case CHAR_COMMA:
+			if (i && *pm == CHAR_COMMA)
+				break;
+			else {
+				/* Append the current string */
+				for (lm = ls; (pl < pm); *lm++ = *pl++)
+					continue;
+				/* 
+				 * Append the rest of the pattern after the
+				 * closing brace
+				 */
+				for (pl = pe + 1; (*lm++ = *pl++) != CHAR_EOS;)
+					continue;
+
+				/* Expand the current pattern */
+#ifdef DEBUG
+				qprintf("globexp2:", patbuf);
+#endif
+				*rv = globexp1(patbuf, pglob);
+
+				/* move after the comma, to the next string */
+				pl = pm + 1;
+			}
+			break;
+
+		default:
+			break;
+		}
+	*rv = 0;
+	return 0;
+}
+
+
+
+/*
+ * expand tilde from the passwd file.
+ */
+static const Char *
+globtilde(const Char *pattern, Char *patbuf, glob_t *pglob)
+{
+	struct passwd *pwd;
+	char *h;
+	const Char *p;
+	Char *b;
+
+	if (*pattern != CHAR_TILDE || !(pglob->gl_flags & GLOB_TILDE))
+		return pattern;
+
+	/* Copy up to the end of the string or / */
+	for (p = pattern + 1, h = (char *) patbuf; *p && *p != CHAR_SLASH; 
+	     *h++ = *p++)
+		continue;
+
+	*h = CHAR_EOS;
+
+	if (((char *) patbuf)[0] == CHAR_EOS) {
+		/* 
+		 * handle a plain ~ or ~/ by expanding $HOME 
+		 * first and then trying the password file
+		 */
+		if ((h = getenv("HOME")) == NULL) {
+			if ((pwd = k_getpwuid(getuid())) == NULL)
+				return pattern;
+			else
+				h = pwd->pw_dir;
+		}
+	}
+	else {
+		/*
+		 * Expand a ~user
+		 */
+		if ((pwd = k_getpwnam((char*) patbuf)) == NULL)
+			return pattern;
+		else
+			h = pwd->pw_dir;
+	}
+
+	/* Copy the home directory */
+	for (b = patbuf; *h; *b++ = *h++)
+		continue;
+	
+	/* Append the rest of the pattern */
+	while ((*b++ = *p++) != CHAR_EOS)
+		continue;
+
+	return patbuf;
+}
+	
+
+/*
+ * The main glob() routine: compiles the pattern (optionally processing
+ * quotes), calls glob1() to do the real pattern matching, and finally
+ * sorts the list (unless unsorted operation is requested).  Returns 0
+ * if things went well, nonzero if errors occurred.  It is not an error
+ * to find no matches.
+ */
+static int
+glob0(const Char *pattern, glob_t *pglob)
+{
+	const Char *qpatnext;
+	int c, err, oldpathc;
+	Char *bufnext, patbuf[MaxPathLen+1];
+
+	qpatnext = globtilde(pattern, patbuf, pglob);
+	oldpathc = pglob->gl_pathc;
+	bufnext = patbuf;
+
+	/* We don't need to check for buffer overflow any more. */
+	while ((c = *qpatnext++) != CHAR_EOS) {
+		switch (c) {
+		case CHAR_LBRACKET:
+			c = *qpatnext;
+			if (c == CHAR_NOT)
+				++qpatnext;
+			if (*qpatnext == CHAR_EOS ||
+			    g_strchr((Char *) qpatnext+1, CHAR_RBRACKET) == NULL) {
+				*bufnext++ = CHAR_LBRACKET;
+				if (c == CHAR_NOT)
+					--qpatnext;
+				break;
+			}
+			*bufnext++ = M_SET;
+			if (c == CHAR_NOT)
+				*bufnext++ = M_NOT;
+			c = *qpatnext++;
+			do {
+				*bufnext++ = CHAR(c);
+				if (*qpatnext == CHAR_RANGE &&
+				    (c = qpatnext[1]) != CHAR_RBRACKET) {
+					*bufnext++ = M_RNG;
+					*bufnext++ = CHAR(c);
+					qpatnext += 2;
+				}
+			} while ((c = *qpatnext++) != CHAR_RBRACKET);
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			*bufnext++ = M_END;
+			break;
+		case CHAR_QUESTION:
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			*bufnext++ = M_ONE;
+			break;
+		case CHAR_STAR:
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			/* collapse adjacent stars to one, 
+			 * to avoid exponential behavior
+			 */
+			if (bufnext == patbuf || bufnext[-1] != M_ALL)
+			    *bufnext++ = M_ALL;
+			break;
+		default:
+			*bufnext++ = CHAR(c);
+			break;
+		}
+	}
+	*bufnext = CHAR_EOS;
+#ifdef DEBUG
+	qprintf("glob0:", patbuf);
+#endif
+
+	if ((err = glob1(patbuf, pglob)) != 0)
+		return(err);
+
+	/*
+	 * If there was no match we are going to append the pattern 
+	 * if GLOB_NOCHECK was specified or if GLOB_NOMAGIC was specified
+	 * and the pattern did not contain any magic characters
+	 * GLOB_NOMAGIC is there just for compatibility with csh.
+	 */
+	if (pglob->gl_pathc == oldpathc && 
+	    ((pglob->gl_flags & GLOB_NOCHECK) || 
+	      ((pglob->gl_flags & GLOB_NOMAGIC) &&
+	       !(pglob->gl_flags & GLOB_MAGCHAR))))
+		return(globextend(pattern, pglob));
+	else if (!(pglob->gl_flags & GLOB_NOSORT)) 
+		qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc,
+		    pglob->gl_pathc - oldpathc, sizeof(char *), compare);
+	return(0);
+}
+
+static int
+compare(const void *p, const void *q)
+{
+	return(strcmp(*(char **)p, *(char **)q));
+}
+
+static int
+glob1(Char *pattern, glob_t *pglob)
+{
+	Char pathbuf[MaxPathLen+1];
+
+	/* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */
+	if (*pattern == CHAR_EOS)
+		return(0);
+	return(glob2(pathbuf, pathbuf, pattern, pglob));
+}
+
+/*
+ * The functions glob2 and glob3 are mutually recursive; there is one level
+ * of recursion for each segment in the pattern that contains one or more
+ * meta characters.
+ */
+
+#ifndef S_ISLNK
+#if defined(S_IFLNK) && defined(S_IFMT)
+#define S_ISLNK(mode) (((mode) & S_IFMT) == S_IFLNK)
+#else
+#define S_ISLNK(mode) 0
+#endif
+#endif
+
+static int
+glob2(Char *pathbuf, Char *pathend, Char *pattern, glob_t *pglob)
+{
+	struct stat sb;
+	Char *p, *q;
+	int anymeta;
+
+	/*
+	 * Loop over pattern segments until end of pattern or until
+	 * segment with meta character found.
+	 */
+	for (anymeta = 0;;) {
+		if (*pattern == CHAR_EOS) {		/* End of pattern? */
+			*pathend = CHAR_EOS;
+			if (g_lstat(pathbuf, &sb, pglob))
+				return(0);
+		
+			if (((pglob->gl_flags & GLOB_MARK) &&
+			    pathend[-1] != CHAR_SEP) && (S_ISDIR(sb.st_mode)
+			    || (S_ISLNK(sb.st_mode) &&
+			    (g_stat(pathbuf, &sb, pglob) == 0) &&
+			    S_ISDIR(sb.st_mode)))) {
+				*pathend++ = CHAR_SEP;
+				*pathend = CHAR_EOS;
+			}
+			++pglob->gl_matchc;
+			return(globextend(pathbuf, pglob));
+		}
+
+		/* Find end of next segment, copy tentatively to pathend. */
+		q = pathend;
+		p = pattern;
+		while (*p != CHAR_EOS && *p != CHAR_SEP) {
+			if (ismeta(*p))
+				anymeta = 1;
+			*q++ = *p++;
+		}
+
+		if (!anymeta) {		/* No expansion, do next segment. */
+			pathend = q;
+			pattern = p;
+			while (*pattern == CHAR_SEP)
+				*pathend++ = *pattern++;
+		} else			/* Need expansion, recurse. */
+			return(glob3(pathbuf, pathend, pattern, p, pglob));
+	}
+	/* CHAR_NOTREACHED */
+}
+
+static int
+glob3(Char *pathbuf, Char *pathend, Char *pattern, Char *restpattern, 
+      glob_t *pglob)
+{
+	struct dirent *dp;
+	DIR *dirp;
+	int err;
+	char buf[MaxPathLen];
+
+	/*
+	 * The readdirfunc declaration can't be prototyped, because it is
+	 * assigned, below, to two functions which are prototyped in glob.h
+	 * and dirent.h as taking pointers to differently typed opaque
+	 * structures.
+	 */
+	struct dirent *(*readdirfunc)(void *);
+
+	*pathend = CHAR_EOS;
+	errno = 0;
+	    
+	if ((dirp = g_opendir(pathbuf, pglob)) == NULL) {
+		/* TODO: don't call for ENOENT or ENOTDIR? */
+		if (pglob->gl_errfunc) {
+			g_Ctoc(pathbuf, buf);
+			if (pglob->gl_errfunc(buf, errno) ||
+			    pglob->gl_flags & GLOB_ERR)
+				return (GLOB_ABEND);
+		}
+		return(0);
+	}
+
+	err = 0;
+
+	/* Search directory for matching names. */
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		readdirfunc = pglob->gl_readdir;
+	else
+		readdirfunc = (struct dirent *(*)(void *))readdir;
+	while ((dp = (*readdirfunc)(dirp))) {
+		u_char *sc;
+		Char *dc;
+
+		/* Initial CHAR_DOT must be matched literally. */
+		if (dp->d_name[0] == CHAR_DOT && *pattern != CHAR_DOT)
+			continue;
+		for (sc = (u_char *) dp->d_name, dc = pathend; 
+		     (*dc++ = *sc++) != CHAR_EOS;)
+			continue;
+		if (!match(pathend, pattern, restpattern)) {
+			*pathend = CHAR_EOS;
+			continue;
+		}
+		err = glob2(pathbuf, --dc, restpattern, pglob);
+		if (err)
+			break;
+	}
+
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		(*pglob->gl_closedir)(dirp);
+	else
+		closedir(dirp);
+	return(err);
+}
+
+
+/*
+ * Extend the gl_pathv member of a glob_t structure to accomodate a new item,
+ * add the new item, and update gl_pathc.
+ *
+ * This assumes the BSD realloc, which only copies the block when its size
+ * crosses a power-of-two boundary; for v7 realloc, this would cause quadratic
+ * behavior.
+ *
+ * Return 0 if new item added, error code if memory couldn't be allocated.
+ *
+ * Invariant of the glob_t structure:
+ *	Either gl_pathc is zero and gl_pathv is NULL; or gl_pathc > 0 and
+ *	gl_pathv points to (gl_offs + gl_pathc + 1) items.
+ */
+static int
+globextend(const Char *path, glob_t *pglob)
+{
+	char **pathv;
+	int i;
+	u_int newsize;
+	char *copy;
+	const Char *p;
+
+	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
+	pathv = pglob->gl_pathv ? 
+		    realloc(pglob->gl_pathv, newsize) :
+		    malloc(newsize);
+	if (pathv == NULL)
+		return(GLOB_NOSPACE);
+
+	if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) {
+		/* first time around -- clear initial gl_offs items */
+		pathv += pglob->gl_offs;
+		for (i = pglob->gl_offs; --i >= 0; )
+			*--pathv = NULL;
+	}
+	pglob->gl_pathv = pathv;
+
+	for (p = path; *p++;)
+		continue;
+	if ((copy = malloc(p - path)) != NULL) {
+		g_Ctoc(path, copy);
+		pathv[pglob->gl_offs + pglob->gl_pathc++] = copy;
+	}
+	pathv[pglob->gl_offs + pglob->gl_pathc] = NULL;
+	return(copy == NULL ? GLOB_NOSPACE : 0);
+}
+
+
+/*
+ * pattern matching function for filenames.  Each occurrence of the *
+ * pattern causes a recursion level.
+ */
+static int
+match(Char *name, Char *pat, Char *patend)
+{
+	int ok, negate_range;
+	Char c, k;
+
+	while (pat < patend) {
+		c = *pat++;
+		switch (c & M_MASK) {
+		case M_ALL:
+			if (pat == patend)
+				return(1);
+			do 
+			    if (match(name, pat, patend))
+				    return(1);
+			while (*name++ != CHAR_EOS);
+			return(0);
+		case M_ONE:
+			if (*name++ == CHAR_EOS)
+				return(0);
+			break;
+		case M_SET:
+			ok = 0;
+			if ((k = *name++) == CHAR_EOS)
+				return(0);
+			if ((negate_range = ((*pat & M_MASK) == M_NOT)) != CHAR_EOS)
+				++pat;
+			while (((c = *pat++) & M_MASK) != M_END)
+				if ((*pat & M_MASK) == M_RNG) {
+					if (c <= k && k <= pat[1])
+						ok = 1;
+					pat += 2;
+				} else if (c == k)
+					ok = 1;
+			if (ok == negate_range)
+				return(0);
+			break;
+		default:
+			if (*name++ != c)
+				return(0);
+			break;
+		}
+	}
+	return(*name == CHAR_EOS);
+}
+
+/* Free allocated data belonging to a glob_t structure. */
+void
+globfree(glob_t *pglob)
+{
+	int i;
+	char **pp;
+
+	if (pglob->gl_pathv != NULL) {
+		pp = pglob->gl_pathv + pglob->gl_offs;
+		for (i = pglob->gl_pathc; i--; ++pp)
+			if (*pp)
+				free(*pp);
+		free(pglob->gl_pathv);
+	}
+}
+
+static DIR *
+g_opendir(Char *str, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	if (!*str)
+		strcpy(buf, ".");
+	else
+		g_Ctoc(str, buf);
+
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_opendir)(buf));
+
+	return(opendir(buf));
+}
+
+static int
+g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	g_Ctoc(fn, buf);
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_lstat)(buf, sb));
+	return(lstat(buf, sb));
+}
+
+static int
+g_stat(Char *fn, struct stat *sb, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	g_Ctoc(fn, buf);
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_stat)(buf, sb));
+	return(stat(buf, sb));
+}
+
+static Char *
+g_strchr(Char *str, int ch)
+{
+	do {
+		if (*str == ch)
+			return (str);
+	} while (*str++);
+	return (NULL);
+}
+
+#ifdef notdef
+static Char *
+g_strcat(Char *dst, const Char *src)
+{
+	Char *sdst = dst;
+
+	while (*dst++)
+		continue;
+	--dst;
+	while((*dst++ = *src++) != CHAR_EOS)
+	    continue;
+
+	return (sdst);
+}
+#endif
+
+static void
+g_Ctoc(const Char *str, char *buf)
+{
+	char *dc;
+
+	for (dc = buf; (*dc++ = *str++) != CHAR_EOS;)
+		continue;
+}
+
+#ifdef DEBUG
+static void 
+qprintf(const Char *str, Char *s)
+{
+	Char *p;
+
+	printf("%s:\n", str);
+	for (p = s; *p; p++)
+		printf("%c", CHAR(*p));
+	printf("\n");
+	for (p = s; *p; p++)
+		printf("%c", *p & M_PROTECT ? '"' : ' ');
+	printf("\n");
+	for (p = s; *p; p++)
+		printf("%c", ismeta(*p) ? '_' : ' ');
+	printf("\n");
+}
+#endif
diff --git a/crypto/kerberosIV/appl/ftp/common/glob.h b/crypto/kerberosIV/appl/ftp/common/glob.h
new file mode 100644
index 0000000..bece48a
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/common/glob.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)glob.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef _GLOB_H_
+#define	_GLOB_H_
+
+struct stat;
+typedef struct {
+	int gl_pathc;		/* Count of total paths so far. */
+	int gl_matchc;		/* Count of paths matching pattern. */
+	int gl_offs;		/* Reserved at beginning of gl_pathv. */
+	int gl_flags;		/* Copy of flags parameter to glob. */
+	char **gl_pathv;	/* List of paths matching pattern. */
+				/* Copy of errfunc parameter to glob. */
+	int (*gl_errfunc) (const char *, int);
+
+	/*
+	 * Alternate filesystem access methods for glob; replacement
+	 * versions of closedir(3), readdir(3), opendir(3), stat(2)
+	 * and lstat(2).
+	 */
+	void (*gl_closedir) (void *);
+	struct dirent *(*gl_readdir) (void *);	
+	void *(*gl_opendir) (const char *);
+	int (*gl_lstat) (const char *, struct stat *);
+	int (*gl_stat) (const char *, struct stat *);
+} glob_t;
+
+#define	GLOB_APPEND	0x0001	/* Append to output from previous call. */
+#define	GLOB_DOOFFS	0x0002	/* Use gl_offs. */
+#define	GLOB_ERR	0x0004	/* Return on error. */
+#define	GLOB_MARK	0x0008	/* Append / to matching directories. */
+#define	GLOB_NOCHECK	0x0010	/* Return pattern itself if nothing matches. */
+#define	GLOB_NOSORT	0x0020	/* Don't sort. */
+
+#define	GLOB_ALTDIRFUNC	0x0040	/* Use alternately specified directory funcs. */
+#define	GLOB_BRACE	0x0080	/* Expand braces ala csh. */
+#define	GLOB_MAGCHAR	0x0100	/* Pattern had globbing characters. */
+#define	GLOB_NOMAGIC	0x0200	/* GLOB_NOCHECK without magic chars (csh). */
+#define	GLOB_QUOTE	0x0400	/* Quote special chars with \. */
+#define	GLOB_TILDE	0x0800	/* Expand tilde names from the passwd file. */
+
+#define	GLOB_NOSPACE	(-1)	/* Malloc call failed. */
+#define	GLOB_ABEND	(-2)	/* Unignored error. */
+
+int	glob (const char *, int, int (*)(const char *, int), glob_t *);
+void	globfree (glob_t *);
+
+#endif /* !_GLOB_H_ */
diff --git a/crypto/kerberosIV/appl/ftp/common/sockbuf.c b/crypto/kerberosIV/appl/ftp/common/sockbuf.c
new file mode 100644
index 0000000..460cc6f
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/common/sockbuf.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "common.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+RCSID("$Id: sockbuf.c,v 1.3 1999/12/02 16:58:29 joda Exp $");
+
+void
+set_buffer_size(int fd, int read)
+{
+#if defined(SO_RCVBUF) && defined(SO_SNDBUF) && defined(HAVE_SETSOCKOPT)
+    size_t size = 4194304;
+    while(size >= 131072 && 
+	  setsockopt(fd, SOL_SOCKET, read ? SO_RCVBUF : SO_SNDBUF, 
+		     (void *)&size, sizeof(size)) < 0)
+	size /= 2;
+#endif
+}
+
+
diff --git a/crypto/kerberosIV/appl/ftp/ftp/Makefile.am b/crypto/kerberosIV/appl/ftp/ftp/Makefile.am
new file mode 100644
index 0000000..081465a
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/Makefile.am
@@ -0,0 +1,44 @@
+# $Id: Makefile.am,v 1.12 1999/04/09 18:22:08 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_krb4)
+
+bin_PROGRAMS = ftp
+
+CHECK_LOCAL = 
+
+if KRB4
+krb4_sources = krb4.c kauth.c
+endif
+if KRB5
+krb5_sources = gssapi.c
+endif
+
+ftp_SOURCES = \
+	cmds.c \
+	cmdtab.c \
+	extern.h \
+	ftp.c \
+	ftp_locl.h \
+	ftp_var.h \
+	main.c \
+	pathnames.h \
+	ruserpass.c \
+	domacro.c \
+	globals.c \
+	security.c \
+	security.h \
+	$(krb4_sources) \
+	$(krb5_sources)
+
+EXTRA_ftp_SOURCES = krb4.c kauth.c gssapi.c
+
+LDADD = \
+	../common/libcommon.a \
+	$(LIB_gssapi) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_roken) \
+	$(LIB_readline)
diff --git a/crypto/kerberosIV/appl/ftp/ftp/Makefile.in b/crypto/kerberosIV/appl/ftp/ftp/Makefile.in
new file mode 100644
index 0000000..637d553
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/Makefile.in
@@ -0,0 +1,102 @@
+# 
+# $Id: Makefile.in,v 1.32 1999/03/11 13:58:09 joda Exp $
+#
+
+SHELL		= /bin/sh
+
+srcdir		= @srcdir@
+top_srcdir	= @top_srcdir@
+VPATH		= @srcdir@
+
+top_builddir		= ../../..
+
+CC 	= @CC@
+RANLIB 	= @RANLIB@
+DEFS 	= @DEFS@
+CFLAGS 	= @CFLAGS@ $(WFLAGS)
+WFLAGS	= @WFLAGS@
+CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include -I$(srcdir)/../common  @INCLUDE_readline@
+LD_FLAGS = @LD_FLAGS@
+LIB_tgetent = @LIB_tgetent@
+LIBS	 = @LIBS@ @LIB_readline@
+MKINSTALLDIRS = $(top_srcdir)/mkinstalldirs
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+
+prefix 	= @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+libdir = @libdir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+INCTOP = $(top_builddir)/include
+
+LIBTOP = $(top_builddir)/lib
+
+PROGS = ftp$(EXECSUFFIX)
+
+ftp_SOURCES =		\
+	cmds.c		\
+	cmdtab.c	\
+	domacro.c	\
+	ftp.c		\
+	globals.c	\
+	kauth.c		\
+	krb4.c		\
+	main.c		\
+	ruserpass.c	\
+	security.c
+
+ftp_OBJS =		\
+	cmds.o		\
+	cmdtab.o	\
+	domacro.o	\
+	ftp.o		\
+	globals.o	\
+	kauth.o		\
+	krb4.o		\
+	main.o		\
+	ruserpass.o	\
+	security.o
+
+OBJECTS = $(ftp_OBJS)
+SOURCES = $(ftp_SOURCES)
+
+all: $(PROGS)
+
+.c.o:
+	$(CC) -c -I$(srcdir) -I../../../include $(DEFS) $(CFLAGS) $(CPPFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(bindir)
+	for x in $(PROGS); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROGS); do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+ftp$(EXECSUFFIX): $(ftp_OBJS)
+	$(CC) $(LD_FLAGS) $(LDFLAGS) -o $@ $(ftp_OBJS) -L../common -lcommon -L$(LIBTOP)/krb -lkrb -L$(LIBTOP)/des -ldes -L$(LIBTOP)/roken -lroken $(LIBS) -L$(LIBTOP)/roken -lroken
+
+TAGS:	$(SOURCES)
+	etags $(SOURCES)
+
+clean:
+	rm -f *~ *.o core ftp$(EXECSUFFIX) \#*
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile
+
+realclean: distclean
+	rm -f TAGS
+
+$(OBJECTS): ../../../include/config.h
+
+.PHONY: all install uninstall clean cleandir distclean
diff --git a/crypto/kerberosIV/appl/ftp/ftp/cmds.c b/crypto/kerberosIV/appl/ftp/ftp/cmds.c
new file mode 100644
index 0000000..1b98932
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/cmds.c
@@ -0,0 +1,2117 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * FTP User Program -- Command Routines.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: cmds.c,v 1.36.2.2 2000/06/23 02:43:49 assar Exp $");
+
+typedef void (*sighand)(int);
+
+jmp_buf	jabort;
+char   *mname;
+char   *home = "/";
+
+/*
+ * `Another' gets another argument, and stores the new argc and argv.
+ * It reverts to the top level (via main.c's intr()) on EOF/error.
+ *
+ * Returns false if no new arguments have been added.
+ */
+int
+another(int *pargc, char ***pargv, char *prompt)
+{
+	int len = strlen(line), ret;
+
+	if (len >= sizeof(line) - 3) {
+		printf("sorry, arguments too long\n");
+		intr(0);
+	}
+	printf("(%s) ", prompt);
+	line[len++] = ' ';
+	if (fgets(&line[len], sizeof(line) - len, stdin) == NULL)
+		intr(0);
+	len += strlen(&line[len]);
+	if (len > 0 && line[len - 1] == '\n')
+		line[len - 1] = '\0';
+	makeargv();
+	ret = margc > *pargc;
+	*pargc = margc;
+	*pargv = margv;
+	return (ret);
+}
+
+/*
+ * Connect to peer server and
+ * auto-login, if possible.
+ */
+void
+setpeer(int argc, char **argv)
+{
+	char *host;
+	short port;
+	struct servent *sp;
+
+	if (connected) {
+		printf("Already connected to %s, use close first.\n",
+			hostname);
+		code = -1;
+		return;
+	}
+	if (argc < 2)
+		another(&argc, &argv, "to");
+	if (argc < 2 || argc > 3) {
+		printf("usage: %s host-name [port]\n", argv[0]);
+		code = -1;
+		return;
+	}
+	sp = getservbyname("ftp", "tcp");
+	if (sp == NULL)
+		errx(1, "You bastard. You removed ftp/tcp from services");
+	port = sp->s_port;
+	if (argc > 2) {
+		port = atoi(argv[2]);
+		if (port <= 0) {
+			printf("%s: bad port number-- %s\n", argv[1], argv[2]);
+			printf ("usage: %s host-name [port]\n", argv[0]);
+			code = -1;
+			return;
+		}
+		port = htons(port);
+	}
+	host = hookup(argv[1], port);
+	if (host) {
+		int overbose;
+
+		connected = 1;
+		/*
+		 * Set up defaults for FTP.
+		 */
+		strlcpy(typename, "ascii", sizeof(typename));
+		type = TYPE_A;
+		curtype = TYPE_A;
+		strlcpy(formname, "non-print", sizeof(formname));
+		form = FORM_N;
+		strlcpy(modename, "stream", sizeof(modename));
+		mode = MODE_S;
+		strlcpy(structname, "file", sizeof(structname));
+		stru = STRU_F;
+		strlcpy(bytename, "8", sizeof(bytename));
+		bytesize = 8;
+		if (autologin)
+			login(argv[1]);
+
+#if (defined(unix) || defined(__unix__) || defined(__unix) || defined(_AIX) || defined(_CRAY)) && NBBY == 8
+/*
+ * this ifdef is to keep someone form "porting" this to an incompatible
+ * system and not checking this out. This way they have to think about it.
+ */
+		overbose = verbose;
+		if (debug == 0)
+			verbose = -1;
+		if (command("SYST") == COMPLETE && overbose) {
+			char *cp, c;
+			cp = strchr(reply_string+4, ' ');
+			if (cp == NULL)
+				cp = strchr(reply_string+4, '\r');
+			if (cp) {
+				if (cp[-1] == '.')
+					cp--;
+				c = *cp;
+				*cp = '\0';
+			}
+
+			printf("Remote system type is %s.\n",
+				reply_string+4);
+			if (cp)
+				*cp = c;
+		}
+		if (!strncmp(reply_string, "215 UNIX Type: L8", 17)) {
+			if (proxy)
+				unix_proxy = 1;
+			else
+				unix_server = 1;
+			/*
+			 * Set type to 0 (not specified by user),
+			 * meaning binary by default, but don't bother
+			 * telling server.  We can use binary
+			 * for text files unless changed by the user.
+			 */
+			type = 0;
+			strlcpy(typename, "binary", sizeof(typename));
+			if (overbose)
+			    printf("Using %s mode to transfer files.\n",
+				typename);
+		} else {
+			if (proxy)
+				unix_proxy = 0;
+			else
+				unix_server = 0;
+			if (overbose && 
+			    !strncmp(reply_string, "215 TOPS20", 10))
+				printf(
+"Remember to set tenex mode when transfering binary files from this machine.\n");
+		}
+		verbose = overbose;
+#endif /* unix */
+	}
+}
+
+struct	types {
+	char	*t_name;
+	char	*t_mode;
+	int	t_type;
+	char	*t_arg;
+} types[] = {
+	{ "ascii",	"A",	TYPE_A,	0 },
+	{ "binary",	"I",	TYPE_I,	0 },
+	{ "image",	"I",	TYPE_I,	0 },
+	{ "ebcdic",	"E",	TYPE_E,	0 },
+	{ "tenex",	"L",	TYPE_L,	bytename },
+	{ NULL }
+};
+
+/*
+ * Set transfer type.
+ */
+void
+settype(int argc, char **argv)
+{
+	struct types *p;
+	int comret;
+
+	if (argc > 2) {
+		char *sep;
+
+		printf("usage: %s [", argv[0]);
+		sep = " ";
+		for (p = types; p->t_name; p++) {
+			printf("%s%s", sep, p->t_name);
+			sep = " | ";
+		}
+		printf(" ]\n");
+		code = -1;
+		return;
+	}
+	if (argc < 2) {
+		printf("Using %s mode to transfer files.\n", typename);
+		code = 0;
+		return;
+	}
+	for (p = types; p->t_name; p++)
+		if (strcmp(argv[1], p->t_name) == 0)
+			break;
+	if (p->t_name == 0) {
+		printf("%s: unknown mode\n", argv[1]);
+		code = -1;
+		return;
+	}
+	if ((p->t_arg != NULL) && (*(p->t_arg) != '\0'))
+		comret = command ("TYPE %s %s", p->t_mode, p->t_arg);
+	else
+		comret = command("TYPE %s", p->t_mode);
+	if (comret == COMPLETE) {
+		strlcpy(typename, p->t_name, sizeof(typename));
+		curtype = type = p->t_type;
+	}
+}
+
+/*
+ * Internal form of settype; changes current type in use with server
+ * without changing our notion of the type for data transfers.
+ * Used to change to and from ascii for listings.
+ */
+void
+changetype(int newtype, int show)
+{
+	struct types *p;
+	int comret, oldverbose = verbose;
+
+	if (newtype == 0)
+		newtype = TYPE_I;
+	if (newtype == curtype)
+		return;
+	if (debug == 0 && show == 0)
+		verbose = 0;
+	for (p = types; p->t_name; p++)
+		if (newtype == p->t_type)
+			break;
+	if (p->t_name == 0) {
+		printf("ftp: internal error: unknown type %d\n", newtype);
+		return;
+	}
+	if (newtype == TYPE_L && bytename[0] != '\0')
+		comret = command("TYPE %s %s", p->t_mode, bytename);
+	else
+		comret = command("TYPE %s", p->t_mode);
+	if (comret == COMPLETE)
+		curtype = newtype;
+	verbose = oldverbose;
+}
+
+char *stype[] = {
+	"type",
+	"",
+	0
+};
+
+/*
+ * Set binary transfer type.
+ */
+/*VARARGS*/
+void
+setbinary(int argc, char **argv)
+{
+
+	stype[1] = "binary";
+	settype(2, stype);
+}
+
+/*
+ * Set ascii transfer type.
+ */
+/*VARARGS*/
+void
+setascii(int argc, char **argv)
+{
+
+	stype[1] = "ascii";
+	settype(2, stype);
+}
+
+/*
+ * Set tenex transfer type.
+ */
+/*VARARGS*/
+void
+settenex(int argc, char **argv)
+{
+
+	stype[1] = "tenex";
+	settype(2, stype);
+}
+
+/*
+ * Set file transfer mode.
+ */
+/*ARGSUSED*/
+void
+setftmode(int argc, char **argv)
+{
+
+	printf("We only support %s mode, sorry.\n", modename);
+	code = -1;
+}
+
+/*
+ * Set file transfer format.
+ */
+/*ARGSUSED*/
+void
+setform(int argc, char **argv)
+{
+
+	printf("We only support %s format, sorry.\n", formname);
+	code = -1;
+}
+
+/*
+ * Set file transfer structure.
+ */
+/*ARGSUSED*/
+void
+setstruct(int argc, char **argv)
+{
+
+	printf("We only support %s structure, sorry.\n", structname);
+	code = -1;
+}
+
+/*
+ * Send a single file.
+ */
+void
+put(int argc, char **argv)
+{
+	char *cmd;
+	int loc = 0;
+	char *oldargv1, *oldargv2;
+
+	if (argc == 2) {
+		argc++;
+		argv[2] = argv[1];
+		loc++;
+	}
+	if (argc < 2 && !another(&argc, &argv, "local-file"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "remote-file")) {
+usage:
+		printf("usage: %s local-file remote-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	oldargv1 = argv[1];
+	oldargv2 = argv[2];
+	if (!globulize(&argv[1])) {
+		code = -1;
+		return;
+	}
+	/*
+	 * If "globulize" modifies argv[1], and argv[2] is a copy of
+	 * the old argv[1], make it a copy of the new argv[1].
+	 */
+	if (argv[1] != oldargv1 && argv[2] == oldargv1) {
+		argv[2] = argv[1];
+	}
+	cmd = (argv[0][0] == 'a') ? "APPE" : ((sunique) ? "STOU" : "STOR");
+	if (loc && ntflag) {
+		argv[2] = dotrans(argv[2]);
+	}
+	if (loc && mapflag) {
+		argv[2] = domap(argv[2]);
+	}
+	sendrequest(cmd, argv[1], argv[2],
+		    curtype == TYPE_I ? "rb" : "r",
+		    argv[1] != oldargv1 || argv[2] != oldargv2);
+}
+
+/* ARGSUSED */
+static RETSIGTYPE
+mabort(int signo)
+{
+	int ointer;
+
+	printf("\n");
+	fflush(stdout);
+	if (mflag && fromatty) {
+		ointer = interactive;
+		interactive = 1;
+		if (confirm("Continue with", mname)) {
+			interactive = ointer;
+			longjmp(jabort,0);
+		}
+		interactive = ointer;
+	}
+	mflag = 0;
+	longjmp(jabort,0);
+}
+
+/*
+ * Send multiple files.
+ */
+void
+mput(int argc, char **argv)
+{
+    int i;
+    RETSIGTYPE (*oldintr)();
+    int ointer;
+    char *tp;
+
+    if (argc < 2 && !another(&argc, &argv, "local-files")) {
+	printf("usage: %s local-files\n", argv[0]);
+	code = -1;
+	return;
+    }
+    mname = argv[0];
+    mflag = 1;
+    oldintr = signal(SIGINT, mabort);
+    setjmp(jabort);
+    if (proxy) {
+	char *cp, *tp2, tmpbuf[MaxPathLen];
+
+	while ((cp = remglob(argv,0)) != NULL) {
+	    if (*cp == 0) {
+		mflag = 0;
+		continue;
+	    }
+	    if (mflag && confirm(argv[0], cp)) {
+		tp = cp;
+		if (mcase) {
+		    while (*tp && !islower(*tp)) {
+			tp++;
+		    }
+		    if (!*tp) {
+			tp = cp;
+			tp2 = tmpbuf;
+			while ((*tp2 = *tp) != '\0') {
+			    if (isupper(*tp2)) {
+				*tp2 = 'a' + *tp2 - 'A';
+			    }
+			    tp++;
+			    tp2++;
+			}
+		    }
+		    tp = tmpbuf;
+		}
+		if (ntflag) {
+		    tp = dotrans(tp);
+		}
+		if (mapflag) {
+		    tp = domap(tp);
+		}
+		sendrequest((sunique) ? "STOU" : "STOR",
+			    cp, tp,
+			    curtype == TYPE_I ? "rb" : "r",
+			    cp != tp || !interactive);
+		if (!mflag && fromatty) {
+		    ointer = interactive;
+		    interactive = 1;
+		    if (confirm("Continue with","mput")) {
+			mflag++;
+		    }
+		    interactive = ointer;
+		}
+	    }
+	}
+	signal(SIGINT, oldintr);
+	mflag = 0;
+	return;
+    }
+    for (i = 1; i < argc; i++) {
+	char **cpp;
+	glob_t gl;
+	int flags;
+
+	if (!doglob) {
+	    if (mflag && confirm(argv[0], argv[i])) {
+		tp = (ntflag) ? dotrans(argv[i]) : argv[i];
+		tp = (mapflag) ? domap(tp) : tp;
+		sendrequest((sunique) ? "STOU" : "STOR",
+			    argv[i],
+			    curtype == TYPE_I ? "rb" : "r",
+			    tp, tp != argv[i] || !interactive);
+		if (!mflag && fromatty) {
+		    ointer = interactive;
+		    interactive = 1;
+		    if (confirm("Continue with","mput")) {
+			mflag++;
+		    }
+		    interactive = ointer;
+		}
+	    }
+	    continue;
+	}
+
+	memset(&gl, 0, sizeof(gl));
+	flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+	if (glob(argv[i], flags, NULL, &gl) || gl.gl_pathc == 0) {
+	    warnx("%s: not found", argv[i]);
+	    globfree(&gl);
+	    continue;
+	}
+	for (cpp = gl.gl_pathv; cpp && *cpp != NULL; cpp++) {
+	    if (mflag && confirm(argv[0], *cpp)) {
+		tp = (ntflag) ? dotrans(*cpp) : *cpp;
+		tp = (mapflag) ? domap(tp) : tp;
+		sendrequest((sunique) ? "STOU" : "STOR",
+			    *cpp, tp,
+			    curtype == TYPE_I ? "rb" : "r",
+			    *cpp != tp || !interactive);
+		if (!mflag && fromatty) {
+		    ointer = interactive;
+		    interactive = 1;
+		    if (confirm("Continue with","mput")) {
+			mflag++;
+		    }
+		    interactive = ointer;
+		}
+	    }
+	}
+	globfree(&gl);
+    }
+    signal(SIGINT, oldintr);
+    mflag = 0;
+}
+
+void
+reget(int argc, char **argv)
+{
+    getit(argc, argv, 1, curtype == TYPE_I ? "r+wb" : "r+w");
+}
+
+void
+get(int argc, char **argv)
+{
+    char *mode;
+
+    if (restart_point)
+	if (curtype == TYPE_I)
+	    mode = "r+wb";
+	else
+	    mode = "r+w";
+    else
+	if (curtype == TYPE_I)
+	    mode = "wb";
+	else
+	    mode = "w";
+
+    getit(argc, argv, 0, mode);
+}
+
+/*
+ * Receive one file.
+ */
+int
+getit(int argc, char **argv, int restartit, char *mode)
+{
+	int loc = 0;
+	int local_given = 1;
+	char *oldargv1, *oldargv2;
+
+	if (argc == 2) {
+		argc++;
+		local_given = 0;
+		argv[2] = argv[1];
+		loc++;
+	}
+	if ((argc < 2 && !another(&argc, &argv, "remote-file")) ||
+	    (argc < 3 && !another(&argc, &argv, "local-file"))) {
+		printf("usage: %s remote-file [ local-file ]\n", argv[0]);
+		code = -1;
+		return (0);
+	}
+	oldargv1 = argv[1];
+	oldargv2 = argv[2];
+	if (!globulize(&argv[2])) {
+		code = -1;
+		return (0);
+	}
+	if (loc && mcase) {
+		char *tp = argv[1], *tp2, tmpbuf[MaxPathLen];
+
+		while (*tp && !islower(*tp)) {
+			tp++;
+		}
+		if (!*tp) {
+			tp = argv[2];
+			tp2 = tmpbuf;
+			while ((*tp2 = *tp) != '\0') {
+				if (isupper(*tp2)) {
+					*tp2 = 'a' + *tp2 - 'A';
+				}
+				tp++;
+				tp2++;
+			}
+			argv[2] = tmpbuf;
+		}
+	}
+	if (loc && ntflag)
+		argv[2] = dotrans(argv[2]);
+	if (loc && mapflag)
+		argv[2] = domap(argv[2]);
+	if (restartit) {
+		struct stat stbuf;
+		int ret;
+
+		ret = stat(argv[2], &stbuf);
+		if (restartit == 1) {
+			if (ret < 0) {
+				warn("local: %s", argv[2]);
+				return (0);
+			}
+			restart_point = stbuf.st_size;
+		} else if (ret == 0) {
+			int overbose;
+			int cmdret;
+			int yy, mo, day, hour, min, sec;
+			struct tm *tm;
+			time_t mtime = stbuf.st_mtime;
+
+			overbose = verbose;
+			if (debug == 0)
+				verbose = -1;
+			cmdret = command("MDTM %s", argv[1]);
+			verbose = overbose;
+			if (cmdret != COMPLETE) {
+				printf("%s\n", reply_string);
+				return (0);
+			}
+			if (sscanf(reply_string,
+				   "%*s %04d%02d%02d%02d%02d%02d",
+				   &yy, &mo, &day, &hour, &min, &sec)
+			    != 6) {
+				printf ("bad MDTM result\n");
+				return (0);
+			}
+
+			tm = gmtime(&mtime);
+			tm->tm_mon++;
+			tm->tm_year += 1900;
+
+			if ((tm->tm_year > yy) ||
+			    (tm->tm_year == yy && 
+			     tm->tm_mon > mo) ||
+			    (tm->tm_mon == mo && 
+			     tm->tm_mday > day) ||
+			    (tm->tm_mday == day && 
+			     tm->tm_hour > hour) ||
+			    (tm->tm_hour == hour && 
+			     tm->tm_min > min) ||
+			    (tm->tm_min == min && 
+			     tm->tm_sec > sec))
+				return (1);
+		}
+	}
+
+	recvrequest("RETR", argv[2], argv[1], mode,
+		    argv[1] != oldargv1 || argv[2] != oldargv2, local_given);
+	restart_point = 0;
+	return (0);
+}
+
+static int
+suspicious_filename(const char *fn)
+{
+    return strstr(fn, "../") != NULL || *fn == '/';
+}
+
+/*
+ * Get multiple files.
+ */
+void
+mget(int argc, char **argv)
+{
+	sighand oldintr;
+	int ch, ointer;
+	char *cp, *tp, *tp2, tmpbuf[MaxPathLen];
+
+	if (argc < 2 && !another(&argc, &argv, "remote-files")) {
+		printf("usage: %s remote-files\n", argv[0]);
+		code = -1;
+		return;
+	}
+	mname = argv[0];
+	mflag = 1;
+	oldintr = signal(SIGINT, mabort);
+	setjmp(jabort);
+	while ((cp = remglob(argv,proxy)) != NULL) {
+		if (*cp == '\0') {
+			mflag = 0;
+			continue;
+		}
+		if (mflag && suspicious_filename(cp))
+		    printf("*** Suspicious filename: %s\n", cp);
+		if (mflag && confirm(argv[0], cp)) {
+			tp = cp;
+			if (mcase) {
+				for (tp2 = tmpbuf; (ch = *tp++);)
+					*tp2++ = isupper(ch) ? tolower(ch) : ch;
+				*tp2 = '\0';
+				tp = tmpbuf;
+			}
+			if (ntflag) {
+				tp = dotrans(tp);
+			}
+			if (mapflag) {
+				tp = domap(tp);
+			}
+			recvrequest("RETR", tp, cp,
+				    curtype == TYPE_I ? "wb" : "w",
+				    tp != cp || !interactive, 0);
+			if (!mflag && fromatty) {
+				ointer = interactive;
+				interactive = 1;
+				if (confirm("Continue with","mget")) {
+					mflag++;
+				}
+				interactive = ointer;
+			}
+		}
+	}
+	signal(SIGINT,oldintr);
+	mflag = 0;
+}
+
+char *
+remglob(char **argv, int doswitch)
+{
+    char temp[16];
+    static char buf[MaxPathLen];
+    static FILE *ftemp = NULL;
+    static char **args;
+    int oldverbose, oldhash;
+    char *cp, *mode;
+
+    if (!mflag) {
+	if (!doglob) {
+	    args = NULL;
+	}
+	else {
+	    if (ftemp) {
+		fclose(ftemp);
+		ftemp = NULL;
+	    }
+	}
+	return (NULL);
+    }
+    if (!doglob) {
+	if (args == NULL)
+	    args = argv;
+	if ((cp = *++args) == NULL)
+	    args = NULL;
+	return (cp);
+    }
+    if (ftemp == NULL) {
+	int fd;
+	strlcpy(temp, _PATH_TMP_XXX, sizeof(temp));
+	fd = mkstemp(temp);
+	if(fd < 0){
+	    warn("unable to create temporary file %s", temp);
+	    return NULL;
+	}
+	close(fd);
+	oldverbose = verbose, verbose = 0;
+	oldhash = hash, hash = 0;
+	if (doswitch) {
+	    pswitch(!proxy);
+	}
+	for (mode = "w"; *++argv != NULL; mode = "a")
+	    recvrequest ("NLST", temp, *argv, mode, 0, 0);
+	if (doswitch) {
+	    pswitch(!proxy);
+	}
+	verbose = oldverbose; hash = oldhash;
+	ftemp = fopen(temp, "r");
+	unlink(temp);
+	if (ftemp == NULL) {
+	    printf("can't find list of remote files, oops\n");
+	    return (NULL);
+	}
+    }
+    while(fgets(buf, sizeof (buf), ftemp)) {
+	if ((cp = strchr(buf, '\n')) != NULL)
+	    *cp = '\0';
+	if(!interactive && suspicious_filename(buf)){
+	    printf("Ignoring remote globbed file `%s'\n", buf);
+	    continue;
+	}
+	return buf;
+    }
+    fclose(ftemp);
+    ftemp = NULL;
+    return (NULL);
+}
+
+char *
+onoff(int bool)
+{
+
+	return (bool ? "on" : "off");
+}
+
+/*
+ * Show status.
+ */
+/*ARGSUSED*/
+void
+status(int argc, char **argv)
+{
+	int i;
+
+	if (connected)
+		printf("Connected to %s.\n", hostname);
+	else
+		printf("Not connected.\n");
+	if (!proxy) {
+		pswitch(1);
+		if (connected) {
+			printf("Connected for proxy commands to %s.\n", hostname);
+		}
+		else {
+			printf("No proxy connection.\n");
+		}
+		pswitch(0);
+	}
+	sec_status();
+	printf("Mode: %s; Type: %s; Form: %s; Structure: %s\n",
+		modename, typename, formname, structname);
+	printf("Verbose: %s; Bell: %s; Prompting: %s; Globbing: %s\n", 
+		onoff(verbose), onoff(bell), onoff(interactive),
+		onoff(doglob));
+	printf("Store unique: %s; Receive unique: %s\n", onoff(sunique),
+		onoff(runique));
+	printf("Case: %s; CR stripping: %s\n",onoff(mcase),onoff(crflag));
+	if (ntflag) {
+		printf("Ntrans: (in) %s (out) %s\n", ntin,ntout);
+	}
+	else {
+		printf("Ntrans: off\n");
+	}
+	if (mapflag) {
+		printf("Nmap: (in) %s (out) %s\n", mapin, mapout);
+	}
+	else {
+		printf("Nmap: off\n");
+	}
+	printf("Hash mark printing: %s; Use of PORT cmds: %s\n",
+		onoff(hash), onoff(sendport));
+	if (macnum > 0) {
+		printf("Macros:\n");
+		for (i=0; i<macnum; i++) {
+			printf("\t%s\n",macros[i].mac_name);
+		}
+	}
+	code = 0;
+}
+
+/*
+ * Set beep on cmd completed mode.
+ */
+/*VARARGS*/
+void
+setbell(int argc, char **argv)
+{
+
+	bell = !bell;
+	printf("Bell mode %s.\n", onoff(bell));
+	code = bell;
+}
+
+/*
+ * Turn on packet tracing.
+ */
+/*VARARGS*/
+void
+settrace(int argc, char **argv)
+{
+
+	trace = !trace;
+	printf("Packet tracing %s.\n", onoff(trace));
+	code = trace;
+}
+
+/*
+ * Toggle hash mark printing during transfers.
+ */
+/*VARARGS*/
+void
+sethash(int argc, char **argv)
+{
+
+	hash = !hash;
+	printf("Hash mark printing %s", onoff(hash));
+	code = hash;
+	if (hash)
+		printf(" (%d bytes/hash mark)", 1024);
+	printf(".\n");
+}
+
+/*
+ * Turn on printing of server echo's.
+ */
+/*VARARGS*/
+void
+setverbose(int argc, char **argv)
+{
+
+	verbose = !verbose;
+	printf("Verbose mode %s.\n", onoff(verbose));
+	code = verbose;
+}
+
+/*
+ * Toggle PORT cmd use before each data connection.
+ */
+/*VARARGS*/
+void
+setport(int argc, char **argv)
+{
+
+	sendport = !sendport;
+	printf("Use of PORT cmds %s.\n", onoff(sendport));
+	code = sendport;
+}
+
+/*
+ * Turn on interactive prompting
+ * during mget, mput, and mdelete.
+ */
+/*VARARGS*/
+void
+setprompt(int argc, char **argv)
+{
+
+	interactive = !interactive;
+	printf("Interactive mode %s.\n", onoff(interactive));
+	code = interactive;
+}
+
+/*
+ * Toggle metacharacter interpretation
+ * on local file names.
+ */
+/*VARARGS*/
+void
+setglob(int argc, char **argv)
+{
+	
+	doglob = !doglob;
+	printf("Globbing %s.\n", onoff(doglob));
+	code = doglob;
+}
+
+/*
+ * Set debugging mode on/off and/or
+ * set level of debugging.
+ */
+/*VARARGS*/
+void
+setdebug(int argc, char **argv)
+{
+	int val;
+
+	if (argc > 1) {
+		val = atoi(argv[1]);
+		if (val < 0) {
+			printf("%s: bad debugging value.\n", argv[1]);
+			code = -1;
+			return;
+		}
+	} else
+		val = !debug;
+	debug = val;
+	if (debug)
+		options |= SO_DEBUG;
+	else
+		options &= ~SO_DEBUG;
+	printf("Debugging %s (debug=%d).\n", onoff(debug), debug);
+	code = debug > 0;
+}
+
+/*
+ * Set current working directory
+ * on remote machine.
+ */
+void
+cd(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "remote-directory")) {
+		printf("usage: %s remote-directory\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("CWD %s", argv[1]) == ERROR && code == 500) {
+		if (verbose)
+			printf("CWD command not recognized, trying XCWD\n");
+		command("XCWD %s", argv[1]);
+	}
+}
+
+/*
+ * Set current working directory
+ * on local machine.
+ */
+void
+lcd(int argc, char **argv)
+{
+	char buf[MaxPathLen];
+
+	if (argc < 2)
+		argc++, argv[1] = home;
+	if (argc != 2) {
+		printf("usage: %s local-directory\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (!globulize(&argv[1])) {
+		code = -1;
+		return;
+	}
+	if (chdir(argv[1]) < 0) {
+		warn("local: %s", argv[1]);
+		code = -1;
+		return;
+	}
+	if (getcwd(buf, sizeof(buf)) != NULL)
+		printf("Local directory now %s\n", buf);
+	else
+		warnx("getwd: %s", buf);
+	code = 0;
+}
+
+/*
+ * Delete a single file.
+ */
+void
+delete(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "remote-file")) {
+		printf("usage: %s remote-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	command("DELE %s", argv[1]);
+}
+
+/*
+ * Delete multiple files.
+ */
+void
+mdelete(int argc, char **argv)
+{
+    sighand oldintr;
+    int ointer;
+    char *cp;
+
+    if (argc < 2 && !another(&argc, &argv, "remote-files")) {
+	printf("usage: %s remote-files\n", argv[0]);
+	code = -1;
+	return;
+    }
+    mname = argv[0];
+    mflag = 1;
+    oldintr = signal(SIGINT, mabort);
+    setjmp(jabort);
+    while ((cp = remglob(argv,0)) != NULL) {
+	if (*cp == '\0') {
+	    mflag = 0;
+	    continue;
+	}
+	if (mflag && confirm(argv[0], cp)) {
+	    command("DELE %s", cp);
+	    if (!mflag && fromatty) {
+		ointer = interactive;
+		interactive = 1;
+		if (confirm("Continue with", "mdelete")) {
+		    mflag++;
+		}
+		interactive = ointer;
+	    }
+	}
+    }
+    signal(SIGINT, oldintr);
+    mflag = 0;
+}
+
+/*
+ * Rename a remote file.
+ */
+void
+renamefile(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "from-name"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "to-name")) {
+usage:
+		printf("%s from-name to-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("RNFR %s", argv[1]) == CONTINUE)
+		command("RNTO %s", argv[2]);
+}
+
+/*
+ * Get a directory listing
+ * of remote files.
+ */
+void
+ls(int argc, char **argv)
+{
+	char *cmd;
+
+	if (argc < 2)
+		argc++, argv[1] = NULL;
+	if (argc < 3)
+		argc++, argv[2] = "-";
+	if (argc > 3) {
+		printf("usage: %s remote-directory local-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	cmd = argv[0][0] == 'n' ? "NLST" : "LIST";
+	if (strcmp(argv[2], "-") && !globulize(&argv[2])) {
+		code = -1;
+		return;
+	}
+	if (strcmp(argv[2], "-") && *argv[2] != '|')
+	    if (!globulize(&argv[2]) || !confirm("output to local-file:", 
+						 argv[2])) {
+		code = -1;
+		return;
+	    }
+	recvrequest(cmd, argv[2], argv[1], "w", 0, 1);
+}
+
+/*
+ * Get a directory listing
+ * of multiple remote files.
+ */
+void
+mls(int argc, char **argv)
+{
+	sighand oldintr;
+	int ointer, i;
+	char *cmd, mode[1], *dest;
+
+	if (argc < 2 && !another(&argc, &argv, "remote-files"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "local-file")) {
+usage:
+		printf("usage: %s remote-files local-file\n", argv[0]);
+		code = -1;
+		return;
+	}
+	dest = argv[argc - 1];
+	argv[argc - 1] = NULL;
+	if (strcmp(dest, "-") && *dest != '|')
+		if (!globulize(&dest) ||
+		    !confirm("output to local-file:", dest)) {
+			code = -1;
+			return;
+	}
+	cmd = argv[0][1] == 'l' ? "NLST" : "LIST";
+	mname = argv[0];
+	mflag = 1;
+	oldintr = signal(SIGINT, mabort);
+	setjmp(jabort);
+	for (i = 1; mflag && i < argc-1; ++i) {
+		*mode = (i == 1) ? 'w' : 'a';
+		recvrequest(cmd, dest, argv[i], mode, 0, 1);
+		if (!mflag && fromatty) {
+			ointer = interactive;
+			interactive = 1;
+			if (confirm("Continue with", argv[0])) {
+				mflag ++;
+			}
+			interactive = ointer;
+		}
+	}
+	signal(SIGINT, oldintr);
+	mflag = 0;
+}
+
+/*
+ * Do a shell escape
+ */
+/*ARGSUSED*/
+void
+shell(int argc, char **argv)
+{
+	pid_t pid;
+	RETSIGTYPE (*old1)(), (*old2)();
+	char shellnam[40], *shell, *namep; 
+	int status;
+
+	old1 = signal (SIGINT, SIG_IGN);
+	old2 = signal (SIGQUIT, SIG_IGN);
+	if ((pid = fork()) == 0) {
+		for (pid = 3; pid < 20; pid++)
+			close(pid);
+		signal(SIGINT, SIG_DFL);
+		signal(SIGQUIT, SIG_DFL);
+		shell = getenv("SHELL");
+		if (shell == NULL)
+			shell = _PATH_BSHELL;
+		namep = strrchr(shell,'/');
+		if (namep == NULL)
+			namep = shell;
+		snprintf (shellnam, sizeof(shellnam),
+			  "-%s", ++namep);
+		if (strcmp(namep, "sh") != 0)
+			shellnam[0] = '+';
+		if (debug) {
+			printf ("%s\n", shell);
+			fflush (stdout);
+		}
+		if (argc > 1) {
+			execl(shell,shellnam,"-c",altarg,(char *)0);
+		}
+		else {
+			execl(shell,shellnam,(char *)0);
+		}
+		warn("%s", shell);
+		code = -1;
+		exit(1);
+	}
+	if (pid > 0)
+		while (waitpid(-1, &status, 0) != pid)
+			;
+	signal(SIGINT, old1);
+	signal(SIGQUIT, old2);
+	if (pid == -1) {
+		warn("%s", "Try again later");
+		code = -1;
+	}
+	else {
+		code = 0;
+	}
+}
+
+/*
+ * Send new user information (re-login)
+ */
+void
+user(int argc, char **argv)
+{
+	char acct[80];
+	int n, aflag = 0;
+	char tmp[256];
+
+	if (argc < 2)
+		another(&argc, &argv, "username");
+	if (argc < 2 || argc > 4) {
+		printf("usage: %s username [password] [account]\n", argv[0]);
+		code = -1;
+		return;
+	}
+	n = command("USER %s", argv[1]);
+	if (n == CONTINUE) {
+	    if (argc < 3 ) {
+		des_read_pw_string (tmp,
+				    sizeof(tmp),
+				    "Password: ", 0);
+		argv[2] = tmp;
+		argc++;
+	    }
+	    n = command("PASS %s", argv[2]);
+	}
+	if (n == CONTINUE) {
+		if (argc < 4) {
+			printf("Account: "); fflush(stdout);
+			fgets(acct, sizeof(acct) - 1, stdin);
+			acct[strlen(acct) - 1] = '\0';
+			argv[3] = acct; argc++;
+		}
+		n = command("ACCT %s", argv[3]);
+		aflag++;
+	}
+	if (n != COMPLETE) {
+		fprintf(stdout, "Login failed.\n");
+		return;
+	}
+	if (!aflag && argc == 4) {
+		command("ACCT %s", argv[3]);
+	}
+}
+
+/*
+ * Print working directory.
+ */
+/*VARARGS*/
+void
+pwd(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	/*
+	 * If we aren't verbose, this doesn't do anything!
+	 */
+	verbose = 1;
+	if (command("PWD") == ERROR && code == 500) {
+		printf("PWD command not recognized, trying XPWD\n");
+		command("XPWD");
+	}
+	verbose = oldverbose;
+}
+
+/*
+ * Make a directory.
+ */
+void
+makedir(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "directory-name")) {
+		printf("usage: %s directory-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("MKD %s", argv[1]) == ERROR && code == 500) {
+		if (verbose)
+			printf("MKD command not recognized, trying XMKD\n");
+		command("XMKD %s", argv[1]);
+	}
+}
+
+/*
+ * Remove a directory.
+ */
+void
+removedir(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "directory-name")) {
+		printf("usage: %s directory-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	if (command("RMD %s", argv[1]) == ERROR && code == 500) {
+		if (verbose)
+			printf("RMD command not recognized, trying XRMD\n");
+		command("XRMD %s", argv[1]);
+	}
+}
+
+/*
+ * Send a line, verbatim, to the remote machine.
+ */
+void
+quote(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "command line to send")) {
+		printf("usage: %s line-to-send\n", argv[0]);
+		code = -1;
+		return;
+	}
+	quote1("", argc, argv);
+}
+
+/*
+ * Send a SITE command to the remote machine.  The line
+ * is sent verbatim to the remote machine, except that the
+ * word "SITE" is added at the front.
+ */
+void
+site(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "arguments to SITE command")) {
+		printf("usage: %s line-to-send\n", argv[0]);
+		code = -1;
+		return;
+	}
+	quote1("SITE ", argc, argv);
+}
+
+/*
+ * Turn argv[1..argc) into a space-separated string, then prepend initial text.
+ * Send the result as a one-line command and get response.
+ */
+void
+quote1(char *initial, int argc, char **argv)
+{
+    int i;
+    char buf[BUFSIZ];		/* must be >= sizeof(line) */
+
+    strlcpy(buf, initial, sizeof(buf));
+    for(i = 1; i < argc; i++) {
+	if(i > 1)
+	    strlcat(buf, " ", sizeof(buf));
+	strlcat(buf, argv[i], sizeof(buf));
+    }
+    if (command("%s", buf) == PRELIM) {
+	while (getreply(0) == PRELIM)
+	    continue;
+    }
+}
+
+void
+do_chmod(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "mode"))
+		goto usage;
+	if (argc < 3 && !another(&argc, &argv, "file-name")) {
+usage:
+		printf("usage: %s mode file-name\n", argv[0]);
+		code = -1;
+		return;
+	}
+	command("SITE CHMOD %s %s", argv[1], argv[2]);
+}
+
+void
+do_umask(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	verbose = 1;
+	command(argc == 1 ? "SITE UMASK" : "SITE UMASK %s", argv[1]);
+	verbose = oldverbose;
+}
+
+void
+ftp_idle(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	verbose = 1;
+	command(argc == 1 ? "SITE IDLE" : "SITE IDLE %s", argv[1]);
+	verbose = oldverbose;
+}
+
+/*
+ * Ask the other side for help.
+ */
+void
+rmthelp(int argc, char **argv)
+{
+	int oldverbose = verbose;
+
+	verbose = 1;
+	command(argc == 1 ? "HELP" : "HELP %s", argv[1]);
+	verbose = oldverbose;
+}
+
+/*
+ * Terminate session and exit.
+ */
+/*VARARGS*/
+void
+quit(int argc, char **argv)
+{
+
+	if (connected)
+		disconnect(0, 0);
+	pswitch(1);
+	if (connected) {
+		disconnect(0, 0);
+	}
+	exit(0);
+}
+
+/*
+ * Terminate session, but don't exit.
+ */
+void
+disconnect(int argc, char **argv)
+{
+
+	if (!connected)
+		return;
+	command("QUIT");
+	if (cout) {
+		fclose(cout);
+	}
+	cout = NULL;
+	connected = 0;
+	sec_end();
+	data = -1;
+	if (!proxy) {
+		macnum = 0;
+	}
+}
+
+int
+confirm(char *cmd, char *file)
+{
+	char line[BUFSIZ];
+
+	if (!interactive)
+		return (1);
+	printf("%s %s? ", cmd, file);
+	fflush(stdout);
+	if (fgets(line, sizeof line, stdin) == NULL)
+		return (0);
+	return (*line == 'y' || *line == 'Y');
+}
+
+void
+fatal(char *msg)
+{
+
+	errx(1, "%s", msg);
+}
+
+/*
+ * Glob a local file name specification with
+ * the expectation of a single return value.
+ * Can't control multiple values being expanded
+ * from the expression, we return only the first.
+ */
+int
+globulize(char **cpp)
+{
+	glob_t gl;
+	int flags;
+
+	if (!doglob)
+		return (1);
+
+	flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+	memset(&gl, 0, sizeof(gl));
+	if (glob(*cpp, flags, NULL, &gl) ||
+	    gl.gl_pathc == 0) {
+		warnx("%s: not found", *cpp);
+		globfree(&gl);
+		return (0);
+	}
+	*cpp = strdup(gl.gl_pathv[0]);	/* XXX - wasted memory */
+	globfree(&gl);
+	return (1);
+}
+
+void
+account(int argc, char **argv)
+{
+	char acct[50];
+
+	if (argc > 1) {
+		++argv;
+		--argc;
+		strlcpy (acct, *argv, sizeof(acct));
+		while (argc > 1) {
+			--argc;
+			++argv;
+			strlcat(acct, *argv, sizeof(acct));
+		}
+	}
+	else {
+	    des_read_pw_string(acct, sizeof(acct), "Account:", 0);
+	}
+	command("ACCT %s", acct);
+}
+
+jmp_buf abortprox;
+
+static RETSIGTYPE
+proxabort(int sig)
+{
+
+	if (!proxy) {
+		pswitch(1);
+	}
+	if (connected) {
+		proxflag = 1;
+	}
+	else {
+		proxflag = 0;
+	}
+	pswitch(0);
+	longjmp(abortprox,1);
+}
+
+void
+doproxy(int argc, char **argv)
+{
+	struct cmd *c;
+	RETSIGTYPE (*oldintr)();
+
+	if (argc < 2 && !another(&argc, &argv, "command")) {
+		printf("usage: %s command\n", argv[0]);
+		code = -1;
+		return;
+	}
+	c = getcmd(argv[1]);
+	if (c == (struct cmd *) -1) {
+		printf("?Ambiguous command\n");
+		fflush(stdout);
+		code = -1;
+		return;
+	}
+	if (c == 0) {
+		printf("?Invalid command\n");
+		fflush(stdout);
+		code = -1;
+		return;
+	}
+	if (!c->c_proxy) {
+		printf("?Invalid proxy command\n");
+		fflush(stdout);
+		code = -1;
+		return;
+	}
+	if (setjmp(abortprox)) {
+		code = -1;
+		return;
+	}
+	oldintr = signal(SIGINT, proxabort);
+	pswitch(1);
+	if (c->c_conn && !connected) {
+		printf("Not connected\n");
+		fflush(stdout);
+		pswitch(0);
+		signal(SIGINT, oldintr);
+		code = -1;
+		return;
+	}
+	(*c->c_handler)(argc-1, argv+1);
+	if (connected) {
+		proxflag = 1;
+	}
+	else {
+		proxflag = 0;
+	}
+	pswitch(0);
+	signal(SIGINT, oldintr);
+}
+
+void
+setcase(int argc, char **argv)
+{
+
+	mcase = !mcase;
+	printf("Case mapping %s.\n", onoff(mcase));
+	code = mcase;
+}
+
+void
+setcr(int argc, char **argv)
+{
+
+	crflag = !crflag;
+	printf("Carriage Return stripping %s.\n", onoff(crflag));
+	code = crflag;
+}
+
+void
+setntrans(int argc, char **argv)
+{
+	if (argc == 1) {
+		ntflag = 0;
+		printf("Ntrans off.\n");
+		code = ntflag;
+		return;
+	}
+	ntflag++;
+	code = ntflag;
+	strlcpy (ntin, argv[1], 17);
+	if (argc == 2) {
+		ntout[0] = '\0';
+		return;
+	}
+	strlcpy (ntout, argv[2], 17);
+}
+
+char *
+dotrans(char *name)
+{
+	static char new[MaxPathLen];
+	char *cp1, *cp2 = new;
+	int i, ostop, found;
+
+	for (ostop = 0; *(ntout + ostop) && ostop < 16; ostop++)
+		continue;
+	for (cp1 = name; *cp1; cp1++) {
+		found = 0;
+		for (i = 0; *(ntin + i) && i < 16; i++) {
+			if (*cp1 == *(ntin + i)) {
+				found++;
+				if (i < ostop) {
+					*cp2++ = *(ntout + i);
+				}
+				break;
+			}
+		}
+		if (!found) {
+			*cp2++ = *cp1;
+		}
+	}
+	*cp2 = '\0';
+	return (new);
+}
+
+void
+setnmap(int argc, char **argv)
+{
+	char *cp;
+
+	if (argc == 1) {
+		mapflag = 0;
+		printf("Nmap off.\n");
+		code = mapflag;
+		return;
+	}
+	if (argc < 3 && !another(&argc, &argv, "mapout")) {
+		printf("Usage: %s [mapin mapout]\n",argv[0]);
+		code = -1;
+		return;
+	}
+	mapflag = 1;
+	code = 1;
+	cp = strchr(altarg, ' ');
+	if (proxy) {
+		while(*++cp == ' ')
+			continue;
+		altarg = cp;
+		cp = strchr(altarg, ' ');
+	}
+	*cp = '\0';
+	strlcpy(mapin, altarg, MaxPathLen);
+	while (*++cp == ' ')
+		continue;
+	strlcpy(mapout, cp, MaxPathLen);
+}
+
+char *
+domap(char *name)
+{
+	static char new[MaxPathLen];
+	char *cp1 = name, *cp2 = mapin;
+	char *tp[9], *te[9];
+	int i, toks[9], toknum = 0, match = 1;
+
+	for (i=0; i < 9; ++i) {
+		toks[i] = 0;
+	}
+	while (match && *cp1 && *cp2) {
+		switch (*cp2) {
+			case '\\':
+				if (*++cp2 != *cp1) {
+					match = 0;
+				}
+				break;
+			case '$':
+				if (*(cp2+1) >= '1' && (*cp2+1) <= '9') {
+					if (*cp1 != *(++cp2+1)) {
+						toks[toknum = *cp2 - '1']++;
+						tp[toknum] = cp1;
+						while (*++cp1 && *(cp2+1)
+							!= *cp1);
+						te[toknum] = cp1;
+					}
+					cp2++;
+					break;
+				}
+				/* FALLTHROUGH */
+			default:
+				if (*cp2 != *cp1) {
+					match = 0;
+				}
+				break;
+		}
+		if (match && *cp1) {
+			cp1++;
+		}
+		if (match && *cp2) {
+			cp2++;
+		}
+	}
+	if (!match && *cp1) /* last token mismatch */
+	{
+		toks[toknum] = 0;
+	}
+	cp1 = new;
+	*cp1 = '\0';
+	cp2 = mapout;
+	while (*cp2) {
+		match = 0;
+		switch (*cp2) {
+			case '\\':
+				if (*(cp2 + 1)) {
+					*cp1++ = *++cp2;
+				}
+				break;
+			case '[':
+LOOP:
+				if (*++cp2 == '$' && isdigit(*(cp2+1))) { 
+					if (*++cp2 == '0') {
+						char *cp3 = name;
+
+						while (*cp3) {
+							*cp1++ = *cp3++;
+						}
+						match = 1;
+					}
+					else if (toks[toknum = *cp2 - '1']) {
+						char *cp3 = tp[toknum];
+
+						while (cp3 != te[toknum]) {
+							*cp1++ = *cp3++;
+						}
+						match = 1;
+					}
+				}
+				else {
+					while (*cp2 && *cp2 != ',' && 
+					    *cp2 != ']') {
+						if (*cp2 == '\\') {
+							cp2++;
+						}
+						else if (*cp2 == '$' &&
+   						        isdigit(*(cp2+1))) {
+							if (*++cp2 == '0') {
+							   char *cp3 = name;
+
+							   while (*cp3) {
+								*cp1++ = *cp3++;
+							   }
+							}
+							else if (toks[toknum =
+							    *cp2 - '1']) {
+							   char *cp3=tp[toknum];
+
+							   while (cp3 !=
+								  te[toknum]) {
+								*cp1++ = *cp3++;
+							   }
+							}
+						}
+						else if (*cp2) {
+							*cp1++ = *cp2++;
+						}
+					}
+					if (!*cp2) {
+						printf("nmap: unbalanced brackets\n");
+						return (name);
+					}
+					match = 1;
+					cp2--;
+				}
+				if (match) {
+					while (*++cp2 && *cp2 != ']') {
+					      if (*cp2 == '\\' && *(cp2 + 1)) {
+							cp2++;
+					      }
+					}
+					if (!*cp2) {
+						printf("nmap: unbalanced brackets\n");
+						return (name);
+					}
+					break;
+				}
+				switch (*++cp2) {
+					case ',':
+						goto LOOP;
+					case ']':
+						break;
+					default:
+						cp2--;
+						goto LOOP;
+				}
+				break;
+			case '$':
+				if (isdigit(*(cp2 + 1))) {
+					if (*++cp2 == '0') {
+						char *cp3 = name;
+
+						while (*cp3) {
+							*cp1++ = *cp3++;
+						}
+					}
+					else if (toks[toknum = *cp2 - '1']) {
+						char *cp3 = tp[toknum];
+
+						while (cp3 != te[toknum]) {
+							*cp1++ = *cp3++;
+						}
+					}
+					break;
+				}
+				/* intentional drop through */
+			default:
+				*cp1++ = *cp2;
+				break;
+		}
+		cp2++;
+	}
+	*cp1 = '\0';
+	if (!*new) {
+		return (name);
+	}
+	return (new);
+}
+
+void
+setpassive(int argc, char **argv)
+{
+
+	passivemode = !passivemode;
+	printf("Passive mode %s.\n", onoff(passivemode));
+	code = passivemode;
+}
+
+void
+setsunique(int argc, char **argv)
+{
+
+	sunique = !sunique;
+	printf("Store unique %s.\n", onoff(sunique));
+	code = sunique;
+}
+
+void
+setrunique(int argc, char **argv)
+{
+
+	runique = !runique;
+	printf("Receive unique %s.\n", onoff(runique));
+	code = runique;
+}
+
+/* change directory to perent directory */
+void
+cdup(int argc, char **argv)
+{
+
+	if (command("CDUP") == ERROR && code == 500) {
+		if (verbose)
+			printf("CDUP command not recognized, trying XCUP\n");
+		command("XCUP");
+	}
+}
+
+/* restart transfer at specific point */
+void
+restart(int argc, char **argv)
+{
+
+    if (argc != 2)
+	printf("restart: offset not specified\n");
+    else {
+	restart_point = atol(argv[1]);
+	printf("restarting at %ld. %s\n", (long)restart_point,
+	       "execute get, put or append to initiate transfer");
+    }
+}
+
+/* show remote system type */
+void
+syst(int argc, char **argv)
+{
+
+	command("SYST");
+}
+
+void
+macdef(int argc, char **argv)
+{
+	char *tmp;
+	int c;
+
+	if (macnum == 16) {
+		printf("Limit of 16 macros have already been defined\n");
+		code = -1;
+		return;
+	}
+	if (argc < 2 && !another(&argc, &argv, "macro name")) {
+		printf("Usage: %s macro_name\n",argv[0]);
+		code = -1;
+		return;
+	}
+	if (interactive) {
+		printf("Enter macro line by line, terminating it with a null line\n");
+	}
+	strlcpy(macros[macnum].mac_name,
+			argv[1],
+			sizeof(macros[macnum].mac_name));
+	if (macnum == 0) {
+		macros[macnum].mac_start = macbuf;
+	}
+	else {
+		macros[macnum].mac_start = macros[macnum - 1].mac_end + 1;
+	}
+	tmp = macros[macnum].mac_start;
+	while (tmp != macbuf+4096) {
+		if ((c = getchar()) == EOF) {
+			printf("macdef:end of file encountered\n");
+			code = -1;
+			return;
+		}
+		if ((*tmp = c) == '\n') {
+			if (tmp == macros[macnum].mac_start) {
+				macros[macnum++].mac_end = tmp;
+				code = 0;
+				return;
+			}
+			if (*(tmp-1) == '\0') {
+				macros[macnum++].mac_end = tmp - 1;
+				code = 0;
+				return;
+			}
+			*tmp = '\0';
+		}
+		tmp++;
+	}
+	while (1) {
+		while ((c = getchar()) != '\n' && c != EOF)
+			/* LOOP */;
+		if (c == EOF || getchar() == '\n') {
+			printf("Macro not defined - 4k buffer exceeded\n");
+			code = -1;
+			return;
+		}
+	}
+}
+
+/*
+ * get size of file on remote machine
+ */
+void
+sizecmd(int argc, char **argv)
+{
+
+	if (argc < 2 && !another(&argc, &argv, "filename")) {
+		printf("usage: %s filename\n", argv[0]);
+		code = -1;
+		return;
+	}
+	command("SIZE %s", argv[1]);
+}
+
+/*
+ * get last modification time of file on remote machine
+ */
+void
+modtime(int argc, char **argv)
+{
+	int overbose;
+
+	if (argc < 2 && !another(&argc, &argv, "filename")) {
+		printf("usage: %s filename\n", argv[0]);
+		code = -1;
+		return;
+	}
+	overbose = verbose;
+	if (debug == 0)
+		verbose = -1;
+	if (command("MDTM %s", argv[1]) == COMPLETE) {
+		int yy, mo, day, hour, min, sec;
+		sscanf(reply_string, "%*s %04d%02d%02d%02d%02d%02d", &yy, &mo,
+			&day, &hour, &min, &sec);
+		/* might want to print this in local time */
+		printf("%s\t%02d/%02d/%04d %02d:%02d:%02d GMT\n", argv[1],
+			mo, day, yy, hour, min, sec);
+	} else
+		printf("%s\n", reply_string);
+	verbose = overbose;
+}
+
+/*
+ * show status on reomte machine
+ */
+void
+rmtstatus(int argc, char **argv)
+{
+
+	command(argc > 1 ? "STAT %s" : "STAT" , argv[1]);
+}
+
+/*
+ * get file if modtime is more recent than current file
+ */
+void
+newer(int argc, char **argv)
+{
+
+	if (getit(argc, argv, -1, curtype == TYPE_I ? "wb" : "w"))
+		printf("Local file \"%s\" is newer than remote file \"%s\"\n",
+			argv[2], argv[1]);
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftp/cmdtab.c b/crypto/kerberosIV/appl/ftp/ftp/cmdtab.c
new file mode 100644
index 0000000..5dc96ef
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/cmdtab.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+
+/*
+ * User FTP -- Command Tables.
+ */
+
+char	accounthelp[] =	"send account command to remote server";
+char	appendhelp[] =	"append to a file";
+char	asciihelp[] =	"set ascii transfer type";
+char	beephelp[] =	"beep when command completed";
+char	binaryhelp[] =	"set binary transfer type";
+char	casehelp[] =	"toggle mget upper/lower case id mapping";
+char	cdhelp[] =	"change remote working directory";
+char	cduphelp[] = 	"change remote working directory to parent directory";
+char	chmodhelp[] =	"change file permissions of remote file";
+char	connecthelp[] =	"connect to remote tftp";
+char	crhelp[] =	"toggle carriage return stripping on ascii gets";
+char	deletehelp[] =	"delete remote file";
+char	debughelp[] =	"toggle/set debugging mode";
+char	dirhelp[] =	"list contents of remote directory";
+char	disconhelp[] =	"terminate ftp session";
+char	domachelp[] = 	"execute macro";
+char	formhelp[] =	"set file transfer format";
+char	globhelp[] =	"toggle metacharacter expansion of local file names";
+char	hashhelp[] =	"toggle printing `#' for each buffer transferred";
+char	helphelp[] =	"print local help information";
+char	idlehelp[] =	"get (set) idle timer on remote side";
+char	lcdhelp[] =	"change local working directory";
+char	lshelp[] =	"list contents of remote directory";
+char	macdefhelp[] =  "define a macro";
+char	mdeletehelp[] =	"delete multiple files";
+char	mdirhelp[] =	"list contents of multiple remote directories";
+char	mgethelp[] =	"get multiple files";
+char	mkdirhelp[] =	"make directory on the remote machine";
+char	mlshelp[] =	"list contents of multiple remote directories";
+char	modtimehelp[] = "show last modification time of remote file";
+char	modehelp[] =	"set file transfer mode";
+char	mputhelp[] =	"send multiple files";
+char	newerhelp[] =	"get file if remote file is newer than local file ";
+char	nlisthelp[] =	"nlist contents of remote directory";
+char	nmaphelp[] =	"set templates for default file name mapping";
+char	ntranshelp[] =	"set translation table for default file name mapping";
+char	porthelp[] =	"toggle use of PORT cmd for each data connection";
+char	prompthelp[] =	"force interactive prompting on multiple commands";
+char	proxyhelp[] =	"issue command on alternate connection";
+char	pwdhelp[] =	"print working directory on remote machine";
+char	quithelp[] =	"terminate ftp session and exit";
+char	quotehelp[] =	"send arbitrary ftp command";
+char	receivehelp[] =	"receive file";
+char	regethelp[] =	"get file restarting at end of local file";
+char	remotehelp[] =	"get help from remote server";
+char	renamehelp[] =	"rename file";
+char	restarthelp[]=	"restart file transfer at bytecount";
+char	rmdirhelp[] =	"remove directory on the remote machine";
+char	rmtstatushelp[]="show status of remote machine";
+char	runiquehelp[] = "toggle store unique for local files";
+char	resethelp[] =	"clear queued command replies";
+char	sendhelp[] =	"send one file";
+char	passivehelp[] =	"enter passive transfer mode";
+char	sitehelp[] =	"send site specific command to remote server\n\t\tTry \"rhelp site\" or \"site help\" for more information";
+char	shellhelp[] =	"escape to the shell";
+char	sizecmdhelp[] = "show size of remote file";
+char	statushelp[] =	"show current status";
+char	structhelp[] =	"set file transfer structure";
+char	suniquehelp[] = "toggle store unique on remote machine";
+char	systemhelp[] =  "show remote system type";
+char	tenexhelp[] =	"set tenex file transfer type";
+char	tracehelp[] =	"toggle packet tracing";
+char	typehelp[] =	"set file transfer type";
+char	umaskhelp[] =	"get (set) umask on remote side";
+char	userhelp[] =	"send new user information";
+char	verbosehelp[] =	"toggle verbose mode";
+
+char	prothelp[] = 	"set protection level";
+#ifdef KRB4
+char	kauthhelp[] = 	"get remote tokens";
+char	klisthelp[] =	"show remote tickets";
+char	kdestroyhelp[] = "destroy remote tickets";
+char	krbtkfilehelp[] = "set filename of remote tickets";
+char	afsloghelp[] = 	"obtain remote AFS tokens";
+#endif
+
+struct cmd cmdtab[] = {
+	{ "!",		shellhelp,	0,	0,	0,	shell },
+	{ "$",		domachelp,	1,	0,	0,	domacro },
+	{ "account",	accounthelp,	0,	1,	1,	account},
+	{ "append",	appendhelp,	1,	1,	1,	put },
+	{ "ascii",	asciihelp,	0,	1,	1,	setascii },
+	{ "bell",	beephelp,	0,	0,	0,	setbell },
+	{ "binary",	binaryhelp,	0,	1,	1,	setbinary },
+	{ "bye",	quithelp,	0,	0,	0,	quit },
+	{ "case",	casehelp,	0,	0,	1,	setcase },
+	{ "cd",		cdhelp,		0,	1,	1,	cd },
+	{ "cdup",	cduphelp,	0,	1,	1,	cdup },
+	{ "chmod",	chmodhelp,	0,	1,	1,	do_chmod },
+	{ "close",	disconhelp,	0,	1,	1,	disconnect },
+	{ "cr",		crhelp,		0,	0,	0,	setcr },
+	{ "delete",	deletehelp,	0,	1,	1,	delete },
+	{ "debug",	debughelp,	0,	0,	0,	setdebug },
+	{ "dir",	dirhelp,	1,	1,	1,	ls },
+	{ "disconnect",	disconhelp,	0,	1,	1,	disconnect },
+	{ "form",	formhelp,	0,	1,	1,	setform },
+	{ "get",	receivehelp,	1,	1,	1,	get },
+	{ "glob",	globhelp,	0,	0,	0,	setglob },
+	{ "hash",	hashhelp,	0,	0,	0,	sethash },
+	{ "help",	helphelp,	0,	0,	1,	help },
+	{ "idle",	idlehelp,	0,	1,	1,	ftp_idle },
+	{ "image",	binaryhelp,	0,	1,	1,	setbinary },
+	{ "lcd",	lcdhelp,	0,	0,	0,	lcd },
+	{ "ls",		lshelp,		1,	1,	1,	ls },
+	{ "macdef",	macdefhelp,	0,	0,	0,	macdef },
+	{ "mdelete",	mdeletehelp,	1,	1,	1,	mdelete },
+	{ "mdir",	mdirhelp,	1,	1,	1,	mls },
+	{ "mget",	mgethelp,	1,	1,	1,	mget },
+	{ "mkdir",	mkdirhelp,	0,	1,	1,	makedir },
+	{ "mls",	mlshelp,	1,	1,	1,	mls },
+	{ "mode",	modehelp,	0,	1,	1,	setftmode },
+	{ "modtime",	modtimehelp,	0,	1,	1,	modtime },
+	{ "mput",	mputhelp,	1,	1,	1,	mput },
+	{ "newer",	newerhelp,	1,	1,	1,	newer },
+	{ "nmap",	nmaphelp,	0,	0,	1,	setnmap },
+	{ "nlist",	nlisthelp,	1,	1,	1,	ls },
+	{ "ntrans",	ntranshelp,	0,	0,	1,	setntrans },
+	{ "open",	connecthelp,	0,	0,	1,	setpeer },
+	{ "passive",	passivehelp,	0,	0,	0,	setpassive },
+	{ "prompt",	prompthelp,	0,	0,	0,	setprompt },
+	{ "proxy",	proxyhelp,	0,	0,	1,	doproxy },
+	{ "sendport",	porthelp,	0,	0,	0,	setport },
+	{ "put",	sendhelp,	1,	1,	1,	put },
+	{ "pwd",	pwdhelp,	0,	1,	1,	pwd },
+	{ "quit",	quithelp,	0,	0,	0,	quit },
+	{ "quote",	quotehelp,	1,	1,	1,	quote },
+	{ "recv",	receivehelp,	1,	1,	1,	get },
+	{ "reget",	regethelp,	1,	1,	1,	reget },
+	{ "rstatus",	rmtstatushelp,	0,	1,	1,	rmtstatus },
+	{ "rhelp",	remotehelp,	0,	1,	1,	rmthelp },
+	{ "rename",	renamehelp,	0,	1,	1,	renamefile },
+	{ "reset",	resethelp,	0,	1,	1,	reset },
+	{ "restart",	restarthelp,	1,	1,	1,	restart },
+	{ "rmdir",	rmdirhelp,	0,	1,	1,	removedir },
+	{ "runique",	runiquehelp,	0,	0,	1,	setrunique },
+	{ "send",	sendhelp,	1,	1,	1,	put },
+	{ "site",	sitehelp,	0,	1,	1,	site },
+	{ "size",	sizecmdhelp,	1,	1,	1,	sizecmd },
+	{ "status",	statushelp,	0,	0,	1,	status },
+	{ "struct",	structhelp,	0,	1,	1,	setstruct },
+	{ "system",	systemhelp,	0,	1,	1,	syst },
+	{ "sunique",	suniquehelp,	0,	0,	1,	setsunique },
+	{ "tenex",	tenexhelp,	0,	1,	1,	settenex },
+	{ "trace",	tracehelp,	0,	0,	0,	settrace },
+	{ "type",	typehelp,	0,	1,	1,	settype },
+	{ "user",	userhelp,	0,	1,	1,	user },
+	{ "umask",	umaskhelp,	0,	1,	1,	do_umask },
+	{ "verbose",	verbosehelp,	0,	0,	0,	setverbose },
+	{ "?",		helphelp,	0,	0,	1,	help },
+
+	{ "prot", 	prothelp, 	0, 	1, 	0,	sec_prot },
+#ifdef KRB4
+	{ "kauth", 	kauthhelp, 	0, 	1, 	0,	kauth },
+	{ "klist", 	klisthelp, 	0, 	1, 	0,	klist },
+	{ "kdestroy",	kdestroyhelp,	0,	1,	0,	kdestroy },
+	{ "krbtkfile",	krbtkfilehelp,	0,	1,	0,	krbtkfile },
+	{ "afslog",	afsloghelp,	0,	1,	0,	afslog },
+#endif
+	
+	{ 0 },
+};
+
+int	NCMDS = (sizeof (cmdtab) / sizeof (cmdtab[0])) - 1;
diff --git a/crypto/kerberosIV/appl/ftp/ftp/domacro.c b/crypto/kerberosIV/appl/ftp/ftp/domacro.c
new file mode 100644
index 0000000..d91660d
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/domacro.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (c) 1985, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: domacro.c,v 1.7 1999/09/16 20:37:29 assar Exp $");
+
+void
+domacro(int argc, char **argv)
+{
+	int i, j, count = 2, loopflg = 0;
+	char *cp1, *cp2, line2[200];
+	struct cmd *c;
+
+	if (argc < 2 && !another(&argc, &argv, "macro name")) {
+		printf("Usage: %s macro_name.\n", argv[0]);
+		code = -1;
+		return;
+	}
+	for (i = 0; i < macnum; ++i) {
+		if (!strncmp(argv[1], macros[i].mac_name, 9)) {
+			break;
+		}
+	}
+	if (i == macnum) {
+		printf("'%s' macro not found.\n", argv[1]);
+		code = -1;
+		return;
+	}
+	strlcpy(line2, line, sizeof(line2));
+TOP:
+	cp1 = macros[i].mac_start;
+	while (cp1 != macros[i].mac_end) {
+		while (isspace(*cp1)) {
+			cp1++;
+		}
+		cp2 = line;
+		while (*cp1 != '\0') {
+		      switch(*cp1) {
+		   	    case '\\':
+				 *cp2++ = *++cp1;
+				 break;
+			    case '$':
+				 if (isdigit(*(cp1+1))) {
+				    j = 0;
+				    while (isdigit(*++cp1)) {
+					  j = 10*j +  *cp1 - '0';
+				    }
+				    cp1--;
+				    if (argc - 2 >= j) {
+					strcpy(cp2, argv[j+1]);
+					cp2 += strlen(argv[j+1]);
+				    }
+				    break;
+				 }
+				 if (*(cp1+1) == 'i') {
+					loopflg = 1;
+					cp1++;
+					if (count < argc) {
+					   strcpy(cp2, argv[count]);
+					   cp2 += strlen(argv[count]);
+					}
+					break;
+				}
+				/* intentional drop through */
+			    default:
+				*cp2++ = *cp1;
+				break;
+		      }
+		      if (*cp1 != '\0') {
+			 cp1++;
+		      }
+		}
+		*cp2 = '\0';
+		makeargv();
+		c = getcmd(margv[0]);
+		if (c == (struct cmd *)-1) {
+			printf("?Ambiguous command\n");
+			code = -1;
+		}
+		else if (c == 0) {
+			printf("?Invalid command\n");
+			code = -1;
+		}
+		else if (c->c_conn && !connected) {
+			printf("Not connected.\n");
+			code = -1;
+		}
+		else {
+			if (verbose) {
+				printf("%s\n",line);
+			}
+			(*c->c_handler)(margc, margv);
+			if (bell && c->c_bell) {
+				putchar('\007');
+			}
+			strcpy(line, line2);
+			makeargv();
+			argc = margc;
+			argv = margv;
+		}
+		if (cp1 != macros[i].mac_end) {
+			cp1++;
+		}
+	}
+	if (loopflg && ++count < argc) {
+		goto TOP;
+	}
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftp/extern.h b/crypto/kerberosIV/appl/ftp/ftp/extern.h
new file mode 100644
index 0000000..d488ecd
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/extern.h
@@ -0,0 +1,173 @@
+/*-
+ * Copyright (c) 1994 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)extern.h	8.3 (Berkeley) 10/9/94
+ */
+
+/* $Id: extern.h,v 1.18 1999/10/28 20:49:10 assar Exp $ */
+
+#include <setjmp.h>
+#include <stdlib.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+void    abort_remote (FILE *);
+void    abortpt (int);
+void    abortrecv (int);
+void	account (int, char **);
+int	another (int *, char ***, char *);
+void	blkfree (char **);
+void	cd (int, char **);
+void	cdup (int, char **);
+void	changetype (int, int);
+void	cmdabort (int);
+void	cmdscanner (int);
+int	command (char *fmt, ...);
+int	confirm (char *, char *);
+FILE   *dataconn (const char *);
+void	delete (int, char **);
+void	disconnect (int, char **);
+void	do_chmod (int, char **);
+void	do_umask (int, char **);
+void	domacro (int, char **);
+char   *domap (char *);
+void	doproxy (int, char **);
+char   *dotrans (char *);
+int     empty (fd_set *, int);
+void	fatal (char *);
+void	get (int, char **);
+struct cmd *getcmd (char *);
+int	getit (int, char **, int, char *);
+int	getreply (int);
+int	globulize (char **);
+char   *gunique (char *);
+void	help (int, char **);
+char   *hookup (const char *, int);
+void	ftp_idle (int, char **);
+int     initconn (void);
+void	intr (int);
+void	lcd (int, char **);
+int	login (char *);
+RETSIGTYPE	lostpeer (int);
+void	ls (int, char **);
+void	macdef (int, char **);
+void	makeargv (void);
+void	makedir (int, char **);
+void	mdelete (int, char **);
+void	mget (int, char **);
+void	mls (int, char **);
+void	modtime (int, char **);
+void	mput (int, char **);
+char   *onoff (int);
+void	newer (int, char **);
+void    proxtrans (char *, char *, char *);
+void    psabort (int);
+void    pswitch (int);
+void    ptransfer (char *, long, struct timeval *, struct timeval *);
+void	put (int, char **);
+void	pwd (int, char **);
+void	quit (int, char **);
+void	quote (int, char **);
+void	quote1 (char *, int, char **);
+void    recvrequest (char *, char *, char *, char *, int, int);
+void	reget (int, char **);
+char   *remglob (char **, int);
+void	removedir (int, char **);
+void	renamefile (int, char **);
+void    reset (int, char **);
+void	restart (int, char **);
+void	rmthelp (int, char **);
+void	rmtstatus (int, char **);
+int	ruserpass (char *, char **, char **, char **);
+void    sendrequest (char *, char *, char *, char *, int);
+void	setascii (int, char **);
+void	setbell (int, char **);
+void	setbinary (int, char **);
+void	setcase (int, char **);
+void	setcr (int, char **);
+void	setdebug (int, char **);
+void	setform (int, char **);
+void	setftmode (int, char **);
+void	setglob (int, char **);
+void	sethash (int, char **);
+void	setnmap (int, char **);
+void	setntrans (int, char **);
+void	setpassive (int, char **);
+void	setpeer (int, char **);
+void	setport (int, char **);
+void	setprompt (int, char **);
+void	setrunique (int, char **);
+void	setstruct (int, char **);
+void	setsunique (int, char **);
+void	settenex (int, char **);
+void	settrace (int, char **);
+void	settype (int, char **);
+void	setverbose (int, char **);
+void	shell (int, char **);
+void	site (int, char **);
+void	sizecmd (int, char **);
+char   *slurpstring (void);
+void	status (int, char **);
+void	syst (int, char **);
+void    tvsub (struct timeval *, struct timeval *, struct timeval *);
+void	user (int, char **);
+
+extern jmp_buf	abortprox;
+extern int	abrtflag;
+extern struct	cmd cmdtab[];
+extern FILE	*cout;
+extern int	data;
+extern char    *home;
+extern jmp_buf	jabort;
+extern int	proxy;
+extern char	reply_string[];
+extern off_t	restart_point;
+extern int	NCMDS;
+
+extern char 	username[32];
+extern char	myhostname[];
+extern char	*mydomain;
+
+void afslog (int, char **);
+void kauth (int, char **);
+void kdestroy (int, char **);
+void klist (int, char **);
+void krbtkfile (int, char **);
diff --git a/crypto/kerberosIV/appl/ftp/ftp/ftp.c b/crypto/kerberosIV/appl/ftp/ftp/ftp.c
new file mode 100644
index 0000000..848debd
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/ftp.c
@@ -0,0 +1,1752 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+RCSID ("$Id: ftp.c,v 1.60.2.1 2000/06/23 02:45:40 assar Exp $");
+
+struct sockaddr_storage hisctladdr_ss;
+struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss;
+struct sockaddr_storage data_addr_ss;
+struct sockaddr *data_addr  = (struct sockaddr *)&data_addr_ss;
+struct sockaddr_storage myctladdr_ss;
+struct sockaddr *myctladdr = (struct sockaddr *)&myctladdr_ss;
+int data = -1;
+int abrtflag = 0;
+jmp_buf ptabort;
+int ptabflg;
+int ptflag = 0;
+off_t restart_point = 0;
+
+
+FILE *cin, *cout;
+
+typedef void (*sighand) (int);
+
+char *
+hookup (const char *host, int port)
+{
+    struct hostent *hp = NULL;
+    int s, len;
+    static char hostnamebuf[MaxHostNameLen];
+    int error;
+    int af;
+    char **h;
+    int ret;
+
+#ifdef HAVE_IPV6
+    if (hp == NULL)
+	hp = getipnodebyname (host, AF_INET6, 0, &error);
+#endif
+    if (hp == NULL)
+	hp = getipnodebyname (host, AF_INET, 0, &error);
+
+    if (hp == NULL) {
+	warnx ("%s: %s", host, hstrerror(error));
+	code = -1;
+	return NULL;
+    }
+    strlcpy (hostnamebuf, hp->h_name, sizeof(hostnamebuf));
+    hostname = hostnamebuf;
+    af = hisctladdr->sa_family = hp->h_addrtype;
+
+    for (h = hp->h_addr_list;
+	 *h != NULL;
+	 ++h) {
+	
+	s = socket (af, SOCK_STREAM, 0);
+	if (s < 0) {
+	    warn ("socket");
+	    code = -1;
+	    freehostent (hp);
+	    return (0);
+	}
+
+	socket_set_address_and_port (hisctladdr, *h, port);
+
+	ret = connect (s, hisctladdr, socket_sockaddr_size(hisctladdr));
+	if (ret < 0) {
+	    char addr[256];
+
+	    if (inet_ntop (af, socket_get_address(hisctladdr),
+			   addr, sizeof(addr)) == NULL)
+		strlcpy (addr, "unknown address",
+				 sizeof(addr));
+	    warn ("connect %s", addr);
+	    close (s);
+	    continue;
+	}
+	break;
+    }
+    freehostent (hp);
+    if (ret < 0) {
+	code = -1;
+	close (s);
+	return NULL;
+    }
+
+    len = sizeof(myctladdr_ss);
+    if (getsockname (s, myctladdr, &len) < 0) {
+	warn ("getsockname");
+	code = -1;
+	close (s);
+	return NULL;
+    }
+#ifdef IPTOS_LOWDELAY
+    socket_set_tos (s, IPTOS_LOWDELAY);
+#endif
+    cin = fdopen (s, "r");
+    cout = fdopen (s, "w");
+    if (cin == NULL || cout == NULL) {
+	warnx ("fdopen failed.");
+	if (cin)
+	    fclose (cin);
+	if (cout)
+	    fclose (cout);
+	code = -1;
+	goto bad;
+    }
+    if (verbose)
+	printf ("Connected to %s.\n", hostname);
+    if (getreply (0) > 2) {	/* read startup message from server */
+	if (cin)
+	    fclose (cin);
+	if (cout)
+	    fclose (cout);
+	code = -1;
+	goto bad;
+    }
+#if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT)
+    {
+	int on = 1;
+
+	if (setsockopt (s, SOL_SOCKET, SO_OOBINLINE, (char *) &on, sizeof (on))
+	    < 0 && debug) {
+	    warn ("setsockopt");
+	}
+    }
+#endif				/* SO_OOBINLINE */
+
+    return (hostname);
+bad:
+    close (s);
+    return NULL;
+}
+
+int
+login (char *host)
+{
+    char tmp[80];
+    char defaultpass[128];
+    char *user, *pass, *acct;
+    int n, aflag = 0;
+
+    char *myname = NULL;
+    struct passwd *pw = k_getpwuid(getuid());
+
+    if (pw != NULL)
+	myname = pw->pw_name;
+
+    user = pass = acct = 0;
+
+    if(sec_login(host))
+	printf("\n*** Using plaintext user and password ***\n\n");
+    else{
+	printf("Authentication successful.\n\n");
+    }
+
+    if (ruserpass (host, &user, &pass, &acct) < 0) {
+	code = -1;
+	return (0);
+    }
+    while (user == NULL) {
+	if (myname)
+	    printf ("Name (%s:%s): ", host, myname);
+	else
+	    printf ("Name (%s): ", host);
+	*tmp = '\0';
+	if (fgets (tmp, sizeof (tmp) - 1, stdin) != NULL)
+	    tmp[strlen (tmp) - 1] = '\0';
+	if (*tmp == '\0')
+	    user = myname;
+	else
+	    user = tmp;
+    }
+    strlcpy(username, user, sizeof(username));
+    n = command("USER %s", user);
+    if (n == CONTINUE) {
+	if (pass == NULL) {
+	    char prompt[128];
+	    if(myname && 
+	       (!strcmp(user, "ftp") || !strcmp(user, "anonymous"))) {
+		snprintf(defaultpass, sizeof(defaultpass), 
+			 "%s@%s", myname, mydomain);
+		snprintf(prompt, sizeof(prompt), 
+			 "Password (%s): ", defaultpass);
+	    } else if (sec_complete) {
+		pass = myname;
+	    } else {
+		*defaultpass = '\0';
+		snprintf(prompt, sizeof(prompt), "Password: ");
+	    }
+	    if (pass == NULL) {
+		pass = defaultpass;
+		des_read_pw_string (tmp, sizeof (tmp), prompt, 0);
+		if (tmp[0])
+		    pass = tmp;
+	    }
+	}
+	n = command ("PASS %s", pass);
+    }
+    if (n == CONTINUE) {
+	aflag++;
+	acct = tmp;
+	des_read_pw_string (acct, 128, "Account:", 0);
+	n = command ("ACCT %s", acct);
+    }
+    if (n != COMPLETE) {
+	warnx ("Login failed.");
+	return (0);
+    }
+    if (!aflag && acct != NULL)
+	command ("ACCT %s", acct);
+    if (proxy)
+	return (1);
+    for (n = 0; n < macnum; ++n) {
+	if (!strcmp("init", macros[n].mac_name)) {
+	    strlcpy (line, "$init", sizeof (line));
+	    makeargv();
+	    domacro(margc, margv);
+	    break;
+	}
+    }
+    sec_set_protection_level ();
+    return (1);
+}
+
+void
+cmdabort (int sig)
+{
+
+    printf ("\n");
+    fflush (stdout);
+    abrtflag++;
+    if (ptflag)
+	longjmp (ptabort, 1);
+}
+
+int
+command (char *fmt,...)
+{
+    va_list ap;
+    int r;
+    sighand oldintr;
+
+    abrtflag = 0;
+    if (cout == NULL) {
+	warn ("No control connection for command");
+	code = -1;
+	return (0);
+    }
+    oldintr = signal(SIGINT, cmdabort);
+    va_start(ap, fmt);
+    if(debug){
+	printf("---> ");
+	if (strncmp("PASS ", fmt, 5) == 0)
+	    printf("PASS XXXX");
+	else 
+	    vfprintf(stdout, fmt, ap);
+	va_start(ap, fmt);
+    }
+    sec_vfprintf(cout, fmt, ap);
+    va_end(ap);
+    if(debug){
+	printf("\n");
+	fflush(stdout);
+    }
+    fprintf (cout, "\r\n");
+    fflush (cout);
+    cpend = 1;
+    r = getreply (!strcmp (fmt, "QUIT"));
+    if (abrtflag && oldintr != SIG_IGN)
+	(*oldintr) (SIGINT);
+    signal (SIGINT, oldintr);
+    return (r);
+}
+
+char reply_string[BUFSIZ];	/* last line of previous reply */
+
+int
+getreply (int expecteof)
+{
+    char *p;
+    char *lead_string;
+    int c;
+    struct sigaction sa, osa;
+    char buf[1024];
+
+    sigemptyset (&sa.sa_mask);
+    sa.sa_flags = 0;
+    sa.sa_handler = cmdabort;
+    sigaction (SIGINT, &sa, &osa);
+
+    p = buf;
+
+    while (1) {
+	c = getc (cin);
+	switch (c) {
+	case EOF:
+	    if (expecteof) {
+		sigaction (SIGINT, &osa, NULL);
+		code = 221;
+		return 0;
+	    }
+	    lostpeer (0);
+	    if (verbose) {
+		printf ("421 Service not available, "
+			"remote server has closed connection\n");
+		fflush (stdout);
+	    }
+	    code = 421;
+	    return (4);
+	case IAC:
+	    c = getc (cin);
+	    if (c == WILL || c == WONT)
+		fprintf (cout, "%c%c%c", IAC, DONT, getc (cin));
+	    if (c == DO || c == DONT)
+		fprintf (cout, "%c%c%c", IAC, WONT, getc (cin));
+	    continue;
+	case '\n':
+	    *p++ = '\0';
+	    if(isdigit(buf[0])){
+		sscanf(buf, "%d", &code);
+		if(code == 631){
+		    sec_read_msg(buf, prot_safe);
+		    sscanf(buf, "%d", &code);
+		    lead_string = "S:";
+		} else if(code == 632){
+		    sec_read_msg(buf, prot_private);
+		    sscanf(buf, "%d", &code);
+		    lead_string = "P:";
+		}else if(code == 633){
+		    sec_read_msg(buf, prot_confidential);
+		    sscanf(buf, "%d", &code);
+		    lead_string = "C:";
+		}else if(sec_complete)
+		    lead_string = "!!";
+		else
+		    lead_string = "";
+		if (verbose > 0 || (verbose > -1 && code > 499))
+		    fprintf (stdout, "%s%s\n", lead_string, buf);
+		if (buf[3] == ' ') {
+		    strcpy (reply_string, buf);
+		    if (code >= 200)
+			cpend = 0;
+		    sigaction (SIGINT, &osa, NULL);
+		    if (code == 421)
+			lostpeer (0);
+#if 1
+		    if (abrtflag &&
+			osa.sa_handler != cmdabort &&
+			osa.sa_handler != SIG_IGN)
+			osa.sa_handler (SIGINT);
+#endif
+		    if (code == 227 || code == 229) {
+			char *p, *q;
+
+			pasv[0] = 0;
+			p = strchr (reply_string, '(');
+			if (p) {
+			    p++;
+			    q = strchr(p, ')');
+			    if(q){
+				memcpy (pasv, p, q - p);
+				pasv[q - p] = 0;
+			    }
+			}
+		    }
+		    return code / 100;
+		}
+	    }else{
+		if(verbose > 0 || (verbose > -1 && code > 499)){
+		    if(sec_complete)
+			fprintf(stdout, "!!");
+		    fprintf(stdout, "%s\n", buf);
+		}
+	    }
+	    p = buf;
+	    continue;
+	default:
+	    *p++ = c;
+	}
+    }
+
+}
+
+
+#if 0
+int
+getreply (int expecteof)
+{
+    int c, n;
+    int dig;
+    int originalcode = 0, continuation = 0;
+    sighand oldintr;
+    int pflag = 0;
+    char *cp, *pt = pasv;
+
+    oldintr = signal (SIGINT, cmdabort);
+    for (;;) {
+	dig = n = code = 0;
+	cp = reply_string;
+	while ((c = getc (cin)) != '\n') {
+	    if (c == IAC) {	/* handle telnet commands */
+		switch (c = getc (cin)) {
+		case WILL:
+		case WONT:
+		    c = getc (cin);
+		    fprintf (cout, "%c%c%c", IAC, DONT, c);
+		    fflush (cout);
+		    break;
+		case DO:
+		case DONT:
+		    c = getc (cin);
+		    fprintf (cout, "%c%c%c", IAC, WONT, c);
+		    fflush (cout);
+		    break;
+		default:
+		    break;
+		}
+		continue;
+	    }
+	    dig++;
+	    if (c == EOF) {
+		if (expecteof) {
+		    signal (SIGINT, oldintr);
+		    code = 221;
+		    return (0);
+		}
+		lostpeer (0);
+		if (verbose) {
+		    printf ("421 Service not available, remote server has closed connection\n");
+		    fflush (stdout);
+		}
+		code = 421;
+		return (4);
+	    }
+	    if (c != '\r' && (verbose > 0 ||
+			      (verbose > -1 && n == '5' && dig > 4))) {
+		if (proxflag &&
+		    (dig == 1 || dig == 5 && verbose == 0))
+		    printf ("%s:", hostname);
+		putchar (c);
+	    }
+	    if (dig < 4 && isdigit (c))
+		code = code * 10 + (c - '0');
+	    if (!pflag && code == 227)
+		pflag = 1;
+	    if (dig > 4 && pflag == 1 && isdigit (c))
+		pflag = 2;
+	    if (pflag == 2) {
+		if (c != '\r' && c != ')')
+		    *pt++ = c;
+		else {
+		    *pt = '\0';
+		    pflag = 3;
+		}
+	    }
+	    if (dig == 4 && c == '-') {
+		if (continuation)
+		    code = 0;
+		continuation++;
+	    }
+	    if (n == 0)
+		n = c;
+	    if (cp < &reply_string[sizeof (reply_string) - 1])
+		*cp++ = c;
+	}
+	if (verbose > 0 || verbose > -1 && n == '5') {
+	    putchar (c);
+	    fflush (stdout);
+	}
+	if (continuation && code != originalcode) {
+	    if (originalcode == 0)
+		originalcode = code;
+	    continue;
+	}
+	*cp = '\0';
+	if(sec_complete){
+	    if(code == 631)
+		sec_read_msg(reply_string, prot_safe);
+	    else if(code == 632)
+		sec_read_msg(reply_string, prot_private);
+	    else if(code == 633)
+		sec_read_msg(reply_string, prot_confidential);
+	    n = code / 100 + '0';
+	}
+	if (n != '1')
+	    cpend = 0;
+	signal (SIGINT, oldintr);
+	if (code == 421 || originalcode == 421)
+	    lostpeer (0);
+	if (abrtflag && oldintr != cmdabort && oldintr != SIG_IGN)
+	    (*oldintr) (SIGINT);
+	return (n - '0');
+    }
+}
+
+#endif
+
+int
+empty (fd_set * mask, int sec)
+{
+    struct timeval t;
+
+    t.tv_sec = (long) sec;
+    t.tv_usec = 0;
+    return (select (32, mask, NULL, NULL, &t));
+}
+
+jmp_buf sendabort;
+
+static RETSIGTYPE
+abortsend (int sig)
+{
+
+    mflag = 0;
+    abrtflag = 0;
+    printf ("\nsend aborted\nwaiting for remote to finish abort\n");
+    fflush (stdout);
+    longjmp (sendabort, 1);
+}
+
+#define HASHBYTES 1024
+
+static int
+copy_stream (FILE * from, FILE * to)
+{
+    static size_t bufsize;
+    static char *buf;
+    int n;
+    int bytes = 0;
+    int werr = 0;
+    int hashbytes = HASHBYTES;
+    struct stat st;
+
+#if defined(HAVE_MMAP) && !defined(NO_MMAP)
+    void *chunk;
+
+#ifndef MAP_FAILED
+#define MAP_FAILED (-1)
+#endif
+
+    if (fstat (fileno (from), &st) == 0 && S_ISREG (st.st_mode)) {
+	/*
+	 * mmap zero bytes has potential of loosing, don't do it.
+	 */
+	if (st.st_size == 0)
+	    return 0;
+	chunk = mmap (0, st.st_size, PROT_READ, MAP_SHARED, fileno (from), 0);
+	if (chunk != (void *) MAP_FAILED) {
+	    int res;
+
+	    res = sec_write (fileno (to), chunk, st.st_size);
+	    if (munmap (chunk, st.st_size) < 0)
+		warn ("munmap");
+	    sec_fflush (to);
+	    return res;
+	}
+    }
+#endif
+
+    buf = alloc_buffer (buf, &bufsize,
+			fstat (fileno (from), &st) >= 0 ? &st : NULL);
+    if (buf == NULL)
+	return -1;
+
+    while ((n = read (fileno (from), buf, bufsize)) > 0) {
+	werr = sec_write (fileno (to), buf, n);
+	if (werr < 0)
+	    break;
+	bytes += werr;
+	while (hash && bytes > hashbytes) {
+	    putchar ('#');
+	    hashbytes += HASHBYTES;
+	}
+    }
+    sec_fflush (to);
+    if (n < 0)
+	warn ("local");
+
+    if (werr < 0) {
+	if (errno != EPIPE)
+	    warn ("netout");
+	bytes = -1;
+    }
+    return bytes;
+}
+
+void
+sendrequest (char *cmd, char *local, char *remote, char *lmode, int printnames)
+{
+    struct stat st;
+    struct timeval start, stop;
+    int c, d;
+    FILE *fin, *dout = 0;
+    int (*closefunc) (FILE *);
+    RETSIGTYPE (*oldintr)(), (*oldintp)();
+    long bytes = 0, hashbytes = HASHBYTES;
+    char *rmode = "w";
+
+    if (verbose && printnames) {
+	if (local && strcmp (local, "-") != 0)
+	    printf ("local: %s ", local);
+	if (remote)
+	    printf ("remote: %s\n", remote);
+    }
+    if (proxy) {
+	proxtrans (cmd, local, remote);
+	return;
+    }
+    if (curtype != type)
+	changetype (type, 0);
+    closefunc = NULL;
+    oldintr = NULL;
+    oldintp = NULL;
+
+    if (setjmp (sendabort)) {
+	while (cpend) {
+	    getreply (0);
+	}
+	if (data >= 0) {
+	    close (data);
+	    data = -1;
+	}
+	if (oldintr)
+	    signal (SIGINT, oldintr);
+	if (oldintp)
+	    signal (SIGPIPE, oldintp);
+	code = -1;
+	return;
+    }
+    oldintr = signal (SIGINT, abortsend);
+    if (strcmp (local, "-") == 0)
+	fin = stdin;
+    else if (*local == '|') {
+	oldintp = signal (SIGPIPE, SIG_IGN);
+	fin = popen (local + 1, lmode);
+	if (fin == NULL) {
+	    warn ("%s", local + 1);
+	    signal (SIGINT, oldintr);
+	    signal (SIGPIPE, oldintp);
+	    code = -1;
+	    return;
+	}
+	closefunc = pclose;
+    } else {
+	fin = fopen (local, lmode);
+	if (fin == NULL) {
+	    warn ("local: %s", local);
+	    signal (SIGINT, oldintr);
+	    code = -1;
+	    return;
+	}
+	closefunc = fclose;
+	if (fstat (fileno (fin), &st) < 0 ||
+	    (st.st_mode & S_IFMT) != S_IFREG) {
+	    fprintf (stdout, "%s: not a plain file.\n", local);
+	    signal (SIGINT, oldintr);
+	    fclose (fin);
+	    code = -1;
+	    return;
+	}
+    }
+    if (initconn ()) {
+	signal (SIGINT, oldintr);
+	if (oldintp)
+	    signal (SIGPIPE, oldintp);
+	code = -1;
+	if (closefunc != NULL)
+	    (*closefunc) (fin);
+	return;
+    }
+    if (setjmp (sendabort))
+	goto abort;
+
+    if (restart_point &&
+	(strcmp (cmd, "STOR") == 0 || strcmp (cmd, "APPE") == 0)) {
+	int rc;
+
+	switch (curtype) {
+	case TYPE_A:
+	    rc = fseek (fin, (long) restart_point, SEEK_SET);
+	    break;
+	case TYPE_I:
+	case TYPE_L:
+	    rc = lseek (fileno (fin), restart_point, SEEK_SET);
+	    break;
+	}
+	if (rc < 0) {
+	    warn ("local: %s", local);
+	    restart_point = 0;
+	    if (closefunc != NULL)
+		(*closefunc) (fin);
+	    return;
+	}
+	if (command ("REST %ld", (long) restart_point)
+	    != CONTINUE) {
+	    restart_point = 0;
+	    if (closefunc != NULL)
+		(*closefunc) (fin);
+	    return;
+	}
+	restart_point = 0;
+	rmode = "r+w";
+    }
+    if (remote) {
+	if (command ("%s %s", cmd, remote) != PRELIM) {
+	    signal (SIGINT, oldintr);
+	    if (oldintp)
+		signal (SIGPIPE, oldintp);
+	    if (closefunc != NULL)
+		(*closefunc) (fin);
+	    return;
+	}
+    } else if (command ("%s", cmd) != PRELIM) {
+	    signal(SIGINT, oldintr);
+	    if (oldintp)
+		signal(SIGPIPE, oldintp);
+	    if (closefunc != NULL)
+		(*closefunc)(fin);
+	    return;
+	}
+    dout = dataconn(rmode);
+    if (dout == NULL)
+	goto abort;
+    set_buffer_size (fileno (dout), 0);
+    gettimeofday (&start, (struct timezone *) 0);
+    oldintp = signal (SIGPIPE, SIG_IGN);
+    switch (curtype) {
+
+    case TYPE_I:
+    case TYPE_L:
+	errno = d = c = 0;
+	bytes = copy_stream (fin, dout);
+	break;
+
+    case TYPE_A:
+	while ((c = getc (fin)) != EOF) {
+	    if (c == '\n') {
+		while (hash && (bytes >= hashbytes)) {
+		    putchar ('#');
+		    fflush (stdout);
+		    hashbytes += HASHBYTES;
+		}
+		if (ferror (dout))
+		    break;
+		sec_putc ('\r', dout);
+		bytes++;
+	    }
+	    sec_putc (c, dout);
+	    bytes++;
+	}
+	sec_fflush (dout);
+	if (hash) {
+	    if (bytes < hashbytes)
+		putchar ('#');
+	    putchar ('\n');
+	    fflush (stdout);
+	}
+	if (ferror (fin))
+	    warn ("local: %s", local);
+	if (ferror (dout)) {
+	    if (errno != EPIPE)
+		warn ("netout");
+	    bytes = -1;
+	}
+	break;
+    }
+    if (closefunc != NULL)
+	(*closefunc) (fin);
+    fclose (dout);
+    gettimeofday (&stop, (struct timezone *) 0);
+    getreply (0);
+    signal (SIGINT, oldintr);
+    if (oldintp)
+	signal (SIGPIPE, oldintp);
+    if (bytes > 0)
+	ptransfer ("sent", bytes, &start, &stop);
+    return;
+abort:
+    signal (SIGINT, oldintr);
+    if (oldintp)
+	signal (SIGPIPE, oldintp);
+    if (!cpend) {
+	code = -1;
+	return;
+    }
+    if (data >= 0) {
+	close (data);
+	data = -1;
+    }
+    if (dout)
+	fclose (dout);
+    getreply (0);
+    code = -1;
+    if (closefunc != NULL && fin != NULL)
+	(*closefunc) (fin);
+    gettimeofday (&stop, (struct timezone *) 0);
+    if (bytes > 0)
+	ptransfer ("sent", bytes, &start, &stop);
+}
+
+jmp_buf recvabort;
+
+void
+abortrecv (int sig)
+{
+
+    mflag = 0;
+    abrtflag = 0;
+    printf ("\nreceive aborted\nwaiting for remote to finish abort\n");
+    fflush (stdout);
+    longjmp (recvabort, 1);
+}
+
+void
+recvrequest (char *cmd, char *local, char *remote,
+	     char *lmode, int printnames, int local_given)
+{
+    FILE *fout, *din = 0;
+    int (*closefunc) (FILE *);
+    sighand oldintr, oldintp;
+    int c, d, is_retr, tcrflag, bare_lfs = 0;
+    static size_t bufsize;
+    static char *buf;
+    long bytes = 0, hashbytes = HASHBYTES;
+    struct timeval start, stop;
+    struct stat st;
+
+    is_retr = strcmp (cmd, "RETR") == 0;
+    if (is_retr && verbose && printnames) {
+	if (local && strcmp (local, "-") != 0)
+	    printf ("local: %s ", local);
+	if (remote)
+	    printf ("remote: %s\n", remote);
+    }
+    if (proxy && is_retr) {
+	proxtrans (cmd, local, remote);
+	return;
+    }
+    closefunc = NULL;
+    oldintr = NULL;
+    oldintp = NULL;
+    tcrflag = !crflag && is_retr;
+    if (setjmp (recvabort)) {
+	while (cpend) {
+	    getreply (0);
+	}
+	if (data >= 0) {
+	    close (data);
+	    data = -1;
+	}
+	if (oldintr)
+	    signal (SIGINT, oldintr);
+	code = -1;
+	return;
+    }
+    oldintr = signal (SIGINT, abortrecv);
+    if (!local_given || (strcmp (local, "-") && *local != '|')) {
+	if (access (local, 2) < 0) {
+	    char *dir = strrchr (local, '/');
+
+	    if (errno != ENOENT && errno != EACCES) {
+		warn ("local: %s", local);
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	    if (dir != NULL)
+		*dir = 0;
+	    d = access (dir ? local : ".", 2);
+	    if (dir != NULL)
+		*dir = '/';
+	    if (d < 0) {
+		warn ("local: %s", local);
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	    if (!runique && errno == EACCES &&
+		chmod (local, 0600) < 0) {
+		warn ("local: %s", local);
+		signal (SIGINT, oldintr);
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	    if (runique && errno == EACCES &&
+		(local = gunique (local)) == NULL) {
+		signal (SIGINT, oldintr);
+		code = -1;
+		return;
+	    }
+	} else if (runique && (local = gunique (local)) == NULL) {
+	    signal(SIGINT, oldintr);
+	    code = -1;
+	    return;
+	}
+    }
+    if (!is_retr) {
+	if (curtype != TYPE_A)
+	    changetype (TYPE_A, 0);
+    } else if (curtype != type)
+	changetype (type, 0);
+    if (initconn ()) {
+	signal (SIGINT, oldintr);
+	code = -1;
+	return;
+    }
+    if (setjmp (recvabort))
+	goto abort;
+    if (is_retr && restart_point &&
+	command ("REST %ld", (long) restart_point) != CONTINUE)
+	return;
+    if (remote) {
+	if (command ("%s %s", cmd, remote) != PRELIM) {
+	    signal (SIGINT, oldintr);
+	    return;
+	}
+    } else {
+	if (command ("%s", cmd) != PRELIM) {
+	    signal (SIGINT, oldintr);
+	    return;
+	}
+    }
+    din = dataconn ("r");
+    if (din == NULL)
+	goto abort;
+    set_buffer_size (fileno (din), 1);
+    if (local_given && strcmp (local, "-") == 0)
+	fout = stdout;
+    else if (local_given && *local == '|') {
+	oldintp = signal (SIGPIPE, SIG_IGN);
+	fout = popen (local + 1, "w");
+	if (fout == NULL) {
+	    warn ("%s", local + 1);
+	    goto abort;
+	}
+	closefunc = pclose;
+    } else {
+	fout = fopen (local, lmode);
+	if (fout == NULL) {
+	    warn ("local: %s", local);
+	    goto abort;
+	}
+	closefunc = fclose;
+    }
+    buf = alloc_buffer (buf, &bufsize,
+			fstat (fileno (fout), &st) >= 0 ? &st : NULL);
+    if (buf == NULL)
+	goto abort;
+
+    gettimeofday (&start, (struct timezone *) 0);
+    switch (curtype) {
+
+    case TYPE_I:
+    case TYPE_L:
+	if (restart_point &&
+	    lseek (fileno (fout), restart_point, SEEK_SET) < 0) {
+	    warn ("local: %s", local);
+	    if (closefunc != NULL)
+		(*closefunc) (fout);
+	    return;
+	}
+	errno = d = 0;
+	while ((c = sec_read (fileno (din), buf, bufsize)) > 0) {
+	    if ((d = write (fileno (fout), buf, c)) != c)
+		break;
+	    bytes += c;
+	    if (hash) {
+		while (bytes >= hashbytes) {
+		    putchar ('#');
+		    hashbytes += HASHBYTES;
+		}
+		fflush (stdout);
+	    }
+	}
+	if (hash && bytes > 0) {
+	    if (bytes < HASHBYTES)
+		putchar ('#');
+	    putchar ('\n');
+	    fflush (stdout);
+	}
+	if (c < 0) {
+	    if (errno != EPIPE)
+		warn ("netin");
+	    bytes = -1;
+	}
+	if (d < c) {
+	    if (d < 0)
+		warn ("local: %s", local);
+	    else
+		warnx ("%s: short write", local);
+	}
+	break;
+
+    case TYPE_A:
+	if (restart_point) {
+	    int i, n, ch;
+
+	    if (fseek (fout, 0L, SEEK_SET) < 0)
+		goto done;
+	    n = restart_point;
+	    for (i = 0; i++ < n;) {
+		if ((ch = sec_getc (fout)) == EOF)
+		    goto done;
+		if (ch == '\n')
+		    i++;
+	    }
+	    if (fseek (fout, 0L, SEEK_CUR) < 0) {
+	done:
+		warn ("local: %s", local);
+		if (closefunc != NULL)
+		    (*closefunc) (fout);
+		return;
+	    }
+	}
+	while ((c = sec_getc(din)) != EOF) {
+	    if (c == '\n')
+		bare_lfs++;
+	    while (c == '\r') {
+		while (hash && (bytes >= hashbytes)) {
+		    putchar ('#');
+		    fflush (stdout);
+		    hashbytes += HASHBYTES;
+		}
+		bytes++;
+		if ((c = sec_getc (din)) != '\n' || tcrflag) {
+		    if (ferror (fout))
+			goto break2;
+		    putc ('\r', fout);
+		    if (c == '\0') {
+			bytes++;
+			goto contin2;
+		    }
+		    if (c == EOF)
+			goto contin2;
+		}
+	    }
+	    putc (c, fout);
+	    bytes++;
+    contin2:;
+	}
+break2:
+	if (bare_lfs) {
+	    printf ("WARNING! %d bare linefeeds received in ASCII mode\n",
+		    bare_lfs);
+	    printf ("File may not have transferred correctly.\n");
+	}
+	if (hash) {
+	    if (bytes < hashbytes)
+		putchar ('#');
+	    putchar ('\n');
+	    fflush (stdout);
+	}
+	if (ferror (din)) {
+	    if (errno != EPIPE)
+		warn ("netin");
+	    bytes = -1;
+	}
+	if (ferror (fout))
+	    warn ("local: %s", local);
+	break;
+    }
+    if (closefunc != NULL)
+	(*closefunc) (fout);
+    signal (SIGINT, oldintr);
+    if (oldintp)
+	signal (SIGPIPE, oldintp);
+    fclose (din);
+    gettimeofday (&stop, (struct timezone *) 0);
+    getreply (0);
+    if (bytes > 0 && is_retr)
+	ptransfer ("received", bytes, &start, &stop);
+    return;
+abort:
+
+    /* abort using RFC959 recommended IP,SYNC sequence  */
+
+    if (oldintp)
+	signal (SIGPIPE, oldintr);
+    signal (SIGINT, SIG_IGN);
+    if (!cpend) {
+	code = -1;
+	signal (SIGINT, oldintr);
+	return;
+    }
+    abort_remote(din);
+    code = -1;
+    if (data >= 0) {
+	close (data);
+	data = -1;
+    }
+    if (closefunc != NULL && fout != NULL)
+	(*closefunc) (fout);
+    if (din)
+	fclose (din);
+    gettimeofday (&stop, (struct timezone *) 0);
+    if (bytes > 0)
+	ptransfer ("received", bytes, &start, &stop);
+    signal (SIGINT, oldintr);
+}
+
+static int
+parse_epsv (const char *str)
+{
+    char sep;
+    char *end;
+    int port;
+
+    if (*str == '\0')
+	return -1;
+    sep = *str++;
+    if (sep != *str++)
+	return -1;
+    if (sep != *str++)
+	return -1;
+    port = strtol (str, &end, 0);
+    if (str == end)
+	return -1;
+    if (end[0] != sep || end[1] != '\0')
+	return -1;
+    return htons(port);
+}
+
+static int
+parse_pasv (struct sockaddr_in *sin, const char *str)
+{
+    int a0, a1, a2, a3, p0, p1;
+
+    /*
+     * What we've got at this point is a string of comma separated
+     * one-byte unsigned integer values. The first four are the an IP
+     * address. The fifth is the MSB of the port number, the sixth is the
+     * LSB. From that we'll prepare a sockaddr_in.
+     */
+
+    if (sscanf (str, "%d,%d,%d,%d,%d,%d",
+		&a0, &a1, &a2, &a3, &p0, &p1) != 6) {
+	printf ("Passive mode address scan failure. "
+		"Shouldn't happen!\n");
+	return -1;
+    }
+    if (a0 < 0 || a0 > 255 ||
+	a1 < 0 || a1 > 255 ||
+	a2 < 0 || a2 > 255 ||
+	a3 < 0 || a3 > 255 ||
+	p0 < 0 || p0 > 255 ||
+	p1 < 0 || p1 > 255) {
+	printf ("Can't parse passive mode string.\n");
+	return -1;
+    }
+    memset (sin, 0, sizeof(*sin));
+    sin->sin_family      = AF_INET;
+    sin->sin_addr.s_addr = htonl ((a0 << 24) | (a1 << 16) |
+				  (a2 << 8) | a3);
+    sin->sin_port = htons ((p0 << 8) | p1);
+    return 0;
+}
+
+static int
+passive_mode (void)
+{
+    int port;
+
+    data = socket (myctladdr->sa_family, SOCK_STREAM, 0);
+    if (data < 0) {
+	warn ("socket");
+	return (1);
+    }
+    if (options & SO_DEBUG)
+	socket_set_debug (data);
+    if (command ("EPSV") != COMPLETE) {
+	if (command ("PASV") != COMPLETE) {
+	    printf ("Passive mode refused.\n");
+	    goto bad;
+	}
+    }
+
+    /*
+     * Parse the reply to EPSV or PASV
+     */
+
+    port = parse_epsv (pasv);
+    if (port > 0) {
+	data_addr->sa_family = myctladdr->sa_family;
+	socket_set_address_and_port (data_addr,
+				     socket_get_address (hisctladdr),
+				     port);
+    } else {
+	if (parse_pasv ((struct sockaddr_in *)data_addr, pasv) < 0)
+	    goto bad;
+    }
+
+    if (connect (data, data_addr, socket_sockaddr_size (data_addr)) < 0) {
+	warn ("connect");
+	goto bad;
+    }
+#ifdef IPTOS_THROUGHPUT
+    socket_set_tos (data, IPTOS_THROUGHPUT);
+#endif
+    return (0);
+bad:
+    close (data);
+    data = -1;
+    sendport = 1;
+    return (1);
+}
+
+
+static int
+active_mode (void)
+{
+    int tmpno = 0;
+    int len;
+    int result;
+
+noport:
+    data_addr->sa_family = myctladdr->sa_family;
+    socket_set_address_and_port (data_addr, socket_get_address (myctladdr),
+				 sendport ? 0 : socket_get_port (myctladdr));
+
+    if (data != -1)
+	close (data);
+    data = socket (data_addr->sa_family, SOCK_STREAM, 0);
+    if (data < 0) {
+	warn ("socket");
+	if (tmpno)
+	    sendport = 1;
+	return (1);
+    }
+    if (!sendport)
+	socket_set_reuseaddr (data, 1);
+    if (bind (data, data_addr, socket_sockaddr_size (data_addr)) < 0) {
+	warn ("bind");
+	goto bad;
+    }
+    if (options & SO_DEBUG)
+	socket_set_debug (data);
+    len = sizeof (data_addr_ss);
+    if (getsockname (data, data_addr, &len) < 0) {
+	warn ("getsockname");
+	goto bad;
+    }
+    if (listen (data, 1) < 0)
+	warn ("listen");
+    if (sendport) {
+	char *cmd;
+	char addr_str[256];
+	int inet_af;
+	int overbose;
+
+	if (inet_ntop (data_addr->sa_family, socket_get_address (data_addr),
+		       addr_str, sizeof(addr_str)) == NULL)
+	    errx (1, "inet_ntop failed");
+	switch (data_addr->sa_family) {
+	case AF_INET :
+	    inet_af = 1;
+	    break;
+#ifdef HAVE_IPV6
+	case AF_INET6 :
+	    inet_af = 2;
+	    break;
+#endif
+	default :
+	    errx (1, "bad address family %d", data_addr->sa_family);
+	}
+
+	asprintf (&cmd, "EPRT |%d|%s|%d|",
+		  inet_af, addr_str, ntohs(socket_get_port (data_addr)));
+
+	overbose = verbose;
+	if (debug == 0)
+	    verbose  = -1;
+
+	result = command (cmd);
+
+	verbose = overbose;
+
+	if (result == ERROR) {
+	    struct sockaddr_in *sin = (struct sockaddr_in *)data_addr;
+
+	    unsigned int a = ntohl(sin->sin_addr.s_addr);
+	    unsigned int p = ntohs(sin->sin_port);
+
+	    if (data_addr->sa_family != AF_INET) {
+		warnx ("remote server doesn't support EPRT");
+		goto bad;
+	    }
+
+	    result = command("PORT %d,%d,%d,%d,%d,%d", 
+			     (a >> 24) & 0xff,
+			     (a >> 16) & 0xff,
+			     (a >> 8) & 0xff,
+			     a & 0xff,
+			     (p >> 8) & 0xff,
+			     p & 0xff);
+	    if (result == ERROR && sendport == -1) {
+		sendport = 0;
+		tmpno = 1;
+		goto noport;
+	    }
+	    return (result != COMPLETE);
+	}
+	return result != COMPLETE;
+    }
+    if (tmpno)
+	sendport = 1;
+
+
+#ifdef IPTOS_THROUGHPUT
+    socket_set_tos (data, IPTOS_THROUGHPUT);
+#endif
+    return (0);
+bad:
+    close (data);
+    data = -1;
+    if (tmpno)
+	sendport = 1;
+    return (1);
+}
+
+/*
+ * Need to start a listen on the data channel before we send the command,
+ * otherwise the server's connect may fail.
+ */
+int
+initconn (void)
+{
+    if (passivemode) 
+	return passive_mode ();
+    else
+	return active_mode ();
+}
+
+FILE *
+dataconn (const char *lmode)
+{
+    struct sockaddr_storage from_ss;
+    struct sockaddr *from = (struct sockaddr *)&from_ss;
+    int s, fromlen = sizeof (from_ss);
+
+    if (passivemode)
+	return (fdopen (data, lmode));
+
+    s = accept (data, from, &fromlen);
+    if (s < 0) {
+	warn ("accept");
+	close (data), data = -1;
+	return (NULL);
+    }
+    close (data);
+    data = s;
+#ifdef IPTOS_THROUGHPUT
+    socket_set_tos (s, IPTOS_THROUGHPUT);
+#endif
+    return (fdopen (data, lmode));
+}
+
+void
+ptransfer (char *direction, long int bytes,
+	   struct timeval * t0, struct timeval * t1)
+{
+    struct timeval td;
+    float s;
+    float bs;
+    int prec;
+    char *unit;
+
+    if (verbose) {
+	td.tv_sec = t1->tv_sec - t0->tv_sec;
+	td.tv_usec = t1->tv_usec - t0->tv_usec;
+	if (td.tv_usec < 0) {
+	    td.tv_sec--;
+	    td.tv_usec += 1000000;
+	}
+	s = td.tv_sec + (td.tv_usec / 1000000.);
+	bs = bytes / (s ? s : 1);
+	if (bs >= 1048576) {
+	    bs /= 1048576;
+	    unit = "M";
+	    prec = 2;
+	} else if (bs >= 1024) {
+	    bs /= 1024;
+	    unit = "k";
+	    prec = 1;
+	} else {
+	    unit = "";
+	    prec = 0;
+	}
+
+	printf ("%ld bytes %s in %.3g seconds (%.*f %sbyte/s)\n",
+		bytes, direction, s, prec, bs, unit);
+    }
+}
+
+void
+psabort (int sig)
+{
+
+    abrtflag++;
+}
+
+void
+pswitch (int flag)
+{
+    sighand oldintr;
+    static struct comvars {
+	int connect;
+	char name[MaxHostNameLen];
+	struct sockaddr_storage mctl;
+	struct sockaddr_storage hctl;
+	FILE *in;
+	FILE *out;
+	int tpe;
+	int curtpe;
+	int cpnd;
+	int sunqe;
+	int runqe;
+	int mcse;
+	int ntflg;
+	char nti[17];
+	char nto[17];
+	int mapflg;
+	char mi[MaxPathLen];
+	char mo[MaxPathLen];
+    } proxstruct, tmpstruct;
+    struct comvars *ip, *op;
+
+    abrtflag = 0;
+    oldintr = signal (SIGINT, psabort);
+    if (flag) {
+	if (proxy)
+	    return;
+	ip = &tmpstruct;
+	op = &proxstruct;
+	proxy++;
+    } else {
+	if (!proxy)
+	    return;
+	ip = &proxstruct;
+	op = &tmpstruct;
+	proxy = 0;
+    }
+    ip->connect = connected;
+    connected = op->connect;
+    if (hostname) {
+	strlcpy (ip->name, hostname, sizeof (ip->name));
+    } else
+	ip->name[0] = 0;
+    hostname = op->name;
+    ip->hctl = hisctladdr_ss;
+    hisctladdr_ss = op->hctl;
+    ip->mctl = myctladdr_ss;
+    myctladdr_ss = op->mctl;
+    ip->in = cin;
+    cin = op->in;
+    ip->out = cout;
+    cout = op->out;
+    ip->tpe = type;
+    type = op->tpe;
+    ip->curtpe = curtype;
+    curtype = op->curtpe;
+    ip->cpnd = cpend;
+    cpend = op->cpnd;
+    ip->sunqe = sunique;
+    sunique = op->sunqe;
+    ip->runqe = runique;
+    runique = op->runqe;
+    ip->mcse = mcase;
+    mcase = op->mcse;
+    ip->ntflg = ntflag;
+    ntflag = op->ntflg;
+    strlcpy (ip->nti, ntin, sizeof (ip->nti));
+    strlcpy (ntin, op->nti, 17);
+    strlcpy (ip->nto, ntout, sizeof (ip->nto));
+    strlcpy (ntout, op->nto, 17);
+    ip->mapflg = mapflag;
+    mapflag = op->mapflg;
+    strlcpy (ip->mi, mapin, MaxPathLen);
+    strlcpy (mapin, op->mi, MaxPathLen);
+    strlcpy (ip->mo, mapout, MaxPathLen);
+    strlcpy (mapout, op->mo, MaxPathLen);
+    signal(SIGINT, oldintr);
+    if (abrtflag) {
+	abrtflag = 0;
+	(*oldintr) (SIGINT);
+    }
+}
+
+void
+abortpt (int sig)
+{
+
+    printf ("\n");
+    fflush (stdout);
+    ptabflg++;
+    mflag = 0;
+    abrtflag = 0;
+    longjmp (ptabort, 1);
+}
+
+void
+proxtrans (char *cmd, char *local, char *remote)
+{
+    sighand oldintr;
+    int secndflag = 0, prox_type, nfnd;
+    char *cmd2;
+    fd_set mask;
+
+    if (strcmp (cmd, "RETR"))
+	cmd2 = "RETR";
+    else
+	cmd2 = runique ? "STOU" : "STOR";
+    if ((prox_type = type) == 0) {
+	if (unix_server && unix_proxy)
+	    prox_type = TYPE_I;
+	else
+	    prox_type = TYPE_A;
+    }
+    if (curtype != prox_type)
+	changetype (prox_type, 1);
+    if (command ("PASV") != COMPLETE) {
+	printf ("proxy server does not support third party transfers.\n");
+	return;
+    }
+    pswitch (0);
+    if (!connected) {
+	printf ("No primary connection\n");
+	pswitch (1);
+	code = -1;
+	return;
+    }
+    if (curtype != prox_type)
+	changetype (prox_type, 1);
+    if (command ("PORT %s", pasv) != COMPLETE) {
+	pswitch (1);
+	return;
+    }
+    if (setjmp (ptabort))
+	goto abort;
+    oldintr = signal (SIGINT, abortpt);
+    if (command ("%s %s", cmd, remote) != PRELIM) {
+	signal (SIGINT, oldintr);
+	pswitch (1);
+	return;
+    }
+    sleep (2);
+    pswitch (1);
+    secndflag++;
+    if (command ("%s %s", cmd2, local) != PRELIM)
+	goto abort;
+    ptflag++;
+    getreply (0);
+    pswitch (0);
+    getreply (0);
+    signal (SIGINT, oldintr);
+    pswitch (1);
+    ptflag = 0;
+    printf ("local: %s remote: %s\n", local, remote);
+    return;
+abort:
+    signal (SIGINT, SIG_IGN);
+    ptflag = 0;
+    if (strcmp (cmd, "RETR") && !proxy)
+	pswitch (1);
+    else if (!strcmp (cmd, "RETR") && proxy)
+	pswitch (0);
+    if (!cpend && !secndflag) {	/* only here if cmd = "STOR" (proxy=1) */
+	if (command ("%s %s", cmd2, local) != PRELIM) {
+	    pswitch (0);
+	    if (cpend)
+		abort_remote ((FILE *) NULL);
+	}
+	pswitch (1);
+	if (ptabflg)
+	    code = -1;
+	signal (SIGINT, oldintr);
+	return;
+    }
+    if (cpend)
+	abort_remote ((FILE *) NULL);
+    pswitch (!proxy);
+    if (!cpend && !secndflag) {	/* only if cmd = "RETR" (proxy=1) */
+	if (command ("%s %s", cmd2, local) != PRELIM) {
+	    pswitch (0);
+	    if (cpend)
+		abort_remote ((FILE *) NULL);
+	    pswitch (1);
+	    if (ptabflg)
+		code = -1;
+	    signal (SIGINT, oldintr);
+	    return;
+	}
+    }
+    if (cpend)
+	abort_remote ((FILE *) NULL);
+    pswitch (!proxy);
+    if (cpend) {
+	FD_ZERO (&mask);
+	FD_SET (fileno (cin), &mask);
+	if ((nfnd = empty (&mask, 10)) <= 0) {
+	    if (nfnd < 0) {
+		warn ("abort");
+	    }
+	    if (ptabflg)
+		code = -1;
+	    lostpeer (0);
+	}
+	getreply (0);
+	getreply (0);
+    }
+    if (proxy)
+	pswitch (0);
+    pswitch (1);
+    if (ptabflg)
+	code = -1;
+    signal (SIGINT, oldintr);
+}
+
+void
+reset (int argc, char **argv)
+{
+    fd_set mask;
+    int nfnd = 1;
+
+    FD_ZERO (&mask);
+    while (nfnd > 0) {
+	FD_SET (fileno (cin), &mask);
+	if ((nfnd = empty (&mask, 0)) < 0) {
+	    warn ("reset");
+	    code = -1;
+	    lostpeer(0);
+	} else if (nfnd) {
+	    getreply(0);
+	}
+    }
+}
+
+char *
+gunique (char *local)
+{
+    static char new[MaxPathLen];
+    char *cp = strrchr (local, '/');
+    int d, count = 0;
+    char ext = '1';
+
+    if (cp)
+	*cp = '\0';
+    d = access (cp ? local : ".", 2);
+    if (cp)
+	*cp = '/';
+    if (d < 0) {
+	warn ("local: %s", local);
+	return NULL;
+    }
+    strlcpy (new, local, sizeof(new));
+    cp = new + strlen(new);
+    *cp++ = '.';
+    while (!d) {
+	if (++count == 100) {
+	    printf ("runique: can't find unique file name.\n");
+	    return NULL;
+	}
+	*cp++ = ext;
+	*cp = '\0';
+	if (ext == '9')
+	    ext = '0';
+	else
+	    ext++;
+	if ((d = access (new, 0)) < 0)
+	    break;
+	if (ext != '0')
+	    cp--;
+	else if (*(cp - 2) == '.')
+	    *(cp - 1) = '1';
+	else {
+	    *(cp - 2) = *(cp - 2) + 1;
+	    cp--;
+	}
+    }
+    return (new);
+}
+
+void
+abort_remote (FILE * din)
+{
+    char buf[BUFSIZ];
+    int nfnd;
+    fd_set mask;
+
+    /*
+     * send IAC in urgent mode instead of DM because 4.3BSD places oob mark
+     * after urgent byte rather than before as is protocol now
+     */
+    snprintf (buf, sizeof (buf), "%c%c%c", IAC, IP, IAC);
+    if (send (fileno (cout), buf, 3, MSG_OOB) != 3)
+	warn ("abort");
+    fprintf (cout, "%cABOR\r\n", DM);
+    fflush (cout);
+    FD_ZERO (&mask);
+    FD_SET (fileno (cin), &mask);
+    if (din) {
+	FD_SET (fileno (din), &mask);
+    }
+    if ((nfnd = empty (&mask, 10)) <= 0) {
+	if (nfnd < 0) {
+	    warn ("abort");
+	}
+	if (ptabflg)
+	    code = -1;
+	lostpeer (0);
+    }
+    if (din && FD_ISSET (fileno (din), &mask)) {
+	while (read (fileno (din), buf, BUFSIZ) > 0)
+	     /* LOOP */ ;
+    }
+    if (getreply (0) == ERROR && code == 552) {
+	/* 552 needed for nic style abort */
+	getreply (0);
+    }
+    getreply (0);
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftp/ftp_locl.h b/crypto/kerberosIV/appl/ftp/ftp/ftp_locl.h
new file mode 100644
index 0000000..c0d6cae
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/ftp_locl.h
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: ftp_locl.h,v 1.34 1999/12/02 16:58:29 joda Exp $ */
+/* $FreeBSD$ */
+
+#ifndef __FTP_LOCL_H__
+#define __FTP_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+
+#ifdef HAVE_ARPA_FTP_H
+#include <arpa/ftp.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#include <errno.h>
+#include <ctype.h>
+#include <glob.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+#include <err.h>
+
+#ifdef SOCKS
+#include <socks.h>
+extern int LIBPREFIX(fclose)      (FILE *);
+
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+
+#endif
+
+#include "ftp_var.h"
+#include "extern.h"
+#include "common.h"
+#include "pathnames.h"
+
+#include "roken.h"
+#include "security.h"
+#include <openssl/des.h> /* for des_read_pw_string */
+
+#if defined(__sun__) && !defined(__svr4)
+int fclose(FILE*);
+int pclose(FILE*);
+#endif
+
+#endif /* __FTP_LOCL_H__ */
diff --git a/crypto/kerberosIV/appl/ftp/ftp/ftp_var.h b/crypto/kerberosIV/appl/ftp/ftp/ftp_var.h
new file mode 100644
index 0000000..ffac59a
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/ftp_var.h
@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ftp_var.h	8.4 (Berkeley) 10/9/94
+ */
+
+/*
+ * FTP global variables.
+ */
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include <setjmp.h>
+
+/*
+ * Options and other state info.
+ */
+extern int	trace;			/* trace packets exchanged */
+extern int	hash;			/* print # for each buffer transferred */
+extern int	sendport;		/* use PORT cmd for each data connection */
+extern int	verbose;		/* print messages coming back from server */
+extern int	connected;		/* connected to server */
+extern int	fromatty;		/* input is from a terminal */
+extern int	interactive;		/* interactively prompt on m* cmds */
+extern int	debug;			/* debugging level */
+extern int	bell;			/* ring bell on cmd completion */
+extern int	doglob;			/* glob local file names */
+extern int	autologin;		/* establish user account on connection */
+extern int	proxy;			/* proxy server connection active */
+extern int	proxflag;		/* proxy connection exists */
+extern int	sunique;		/* store files on server with unique name */
+extern int	runique;		/* store local files with unique name */
+extern int	mcase;			/* map upper to lower case for mget names */
+extern int	ntflag;			/* use ntin ntout tables for name translation */
+extern int	mapflag;		/* use mapin mapout templates on file names */
+extern int	code;			/* return/reply code for ftp command */
+extern int	crflag;			/* if 1, strip car. rets. on ascii gets */
+extern char	pasv[64];		/* passive port for proxy data connection */
+extern int	passivemode;		/* passive mode enabled */
+extern char	*altarg;		/* argv[1] with no shell-like preprocessing  */
+extern char	ntin[17];		/* input translation table */
+extern char	ntout[17];		/* output translation table */
+extern char	mapin[MaxPathLen];	/* input map template */
+extern char	mapout[MaxPathLen];	/* output map template */
+extern char	typename[32];		/* name of file transfer type */
+extern int	type;			/* requested file transfer type */
+extern int	curtype;		/* current file transfer type */
+extern char	structname[32];		/* name of file transfer structure */
+extern int	stru;			/* file transfer structure */
+extern char	formname[32];		/* name of file transfer format */
+extern int	form;			/* file transfer format */
+extern char	modename[32];		/* name of file transfer mode */
+extern int	mode;			/* file transfer mode */
+extern char	bytename[32];		/* local byte size in ascii */
+extern int	bytesize;		/* local byte size in binary */
+
+extern char	*hostname;		/* name of host connected to */
+extern int	unix_server;		/* server is unix, can use binary for ascii */
+extern int	unix_proxy;		/* proxy is unix, can use binary for ascii */
+
+extern jmp_buf	toplevel;		/* non-local goto stuff for cmd scanner */
+
+extern char	line[200];		/* input line buffer */
+extern char	*stringbase;		/* current scan point in line buffer */
+extern char	argbuf[200];		/* argument storage buffer */
+extern char	*argbase;		/* current storage point in arg buffer */
+extern int	margc;			/* count of arguments on input line */
+extern char	**margv;		/* args parsed from input line */
+extern int	margvlen;		/* how large margv is currently */
+extern int     cpend;                  /* flag: if != 0, then pending server reply */
+extern int	mflag;			/* flag: if != 0, then active multi command */
+
+extern int	options;		/* used during socket creation */
+
+/*
+ * Format of command table.
+ */
+struct cmd {
+	char	*c_name;	/* name of command */
+	char	*c_help;	/* help string */
+	char	c_bell;		/* give bell when command completes */
+	char	c_conn;		/* must be connected to use command */
+	char	c_proxy;	/* proxy server may execute */
+	void	(*c_handler) (int, char **); /* function to call */
+};
+
+struct macel {
+	char mac_name[9];	/* macro name */
+	char *mac_start;	/* start of macro in macbuf */
+	char *mac_end;		/* end of macro in macbuf */
+};
+
+extern int macnum;			/* number of defined macros */
+extern struct macel macros[16];
+extern char macbuf[4096];
+
+
diff --git a/crypto/kerberosIV/appl/ftp/ftp/globals.c b/crypto/kerberosIV/appl/ftp/ftp/globals.c
new file mode 100644
index 0000000..7199e65
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/globals.c
@@ -0,0 +1,76 @@
+#include "ftp_locl.h"
+RCSID("$Id: globals.c,v 1.6 1996/08/26 22:46:26 assar Exp $");
+
+/*
+ * Options and other state info.
+ */
+int	trace;			/* trace packets exchanged */
+int	hash;			/* print # for each buffer transferred */
+int	sendport;		/* use PORT cmd for each data connection */
+int	verbose;		/* print messages coming back from server */
+int	connected;		/* connected to server */
+int	fromatty;		/* input is from a terminal */
+int	interactive;		/* interactively prompt on m* cmds */
+int	debug;			/* debugging level */
+int	bell;			/* ring bell on cmd completion */
+int	doglob;			/* glob local file names */
+int	autologin;		/* establish user account on connection */
+int	proxy;			/* proxy server connection active */
+int	proxflag;		/* proxy connection exists */
+int	sunique;		/* store files on server with unique name */
+int	runique;		/* store local files with unique name */
+int	mcase;			/* map upper to lower case for mget names */
+int	ntflag;			/* use ntin ntout tables for name translation */
+int	mapflag;		/* use mapin mapout templates on file names */
+int	code;			/* return/reply code for ftp command */
+int	crflag;			/* if 1, strip car. rets. on ascii gets */
+char	pasv[64];		/* passive port for proxy data connection */
+int	passivemode;		/* passive mode enabled */
+char	*altarg;		/* argv[1] with no shell-like preprocessing  */
+char	ntin[17];		/* input translation table */
+char	ntout[17];		/* output translation table */
+char	mapin[MaxPathLen];	/* input map template */
+char	mapout[MaxPathLen];	/* output map template */
+char	typename[32];		/* name of file transfer type */
+int	type;			/* requested file transfer type */
+int	curtype;		/* current file transfer type */
+char	structname[32];		/* name of file transfer structure */
+int	stru;			/* file transfer structure */
+char	formname[32];		/* name of file transfer format */
+int	form;			/* file transfer format */
+char	modename[32];		/* name of file transfer mode */
+int	mode;			/* file transfer mode */
+char	bytename[32];		/* local byte size in ascii */
+int	bytesize;		/* local byte size in binary */
+
+char	*hostname;		/* name of host connected to */
+int	unix_server;		/* server is unix, can use binary for ascii */
+int	unix_proxy;		/* proxy is unix, can use binary for ascii */
+
+jmp_buf	toplevel;		/* non-local goto stuff for cmd scanner */
+
+char	line[200];		/* input line buffer */
+char	*stringbase;		/* current scan point in line buffer */
+char	argbuf[200];		/* argument storage buffer */
+char	*argbase;		/* current storage point in arg buffer */
+int	margc;			/* count of arguments on input line */
+char	**margv;		/* args parsed from input line */
+int	margvlen;		/* how large margv is currently */
+int     cpend;                  /* flag: if != 0, then pending server reply */
+int	mflag;			/* flag: if != 0, then active multi command */
+
+int	options;		/* used during socket creation */
+
+/*
+ * Format of command table.
+ */
+
+int macnum;			/* number of defined macros */
+struct macel macros[16];
+char macbuf[4096];
+
+char username[32];
+
+/* these are set in ruserpass */
+char myhostname[MaxHostNameLen];
+char *mydomain;
diff --git a/crypto/kerberosIV/appl/ftp/ftp/gssapi.c b/crypto/kerberosIV/appl/ftp/ftp/gssapi.c
new file mode 100644
index 0000000..d06b5d6
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/gssapi.c
@@ -0,0 +1,379 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+#include <gssapi.h>
+
+RCSID("$Id: gssapi.c,v 1.13 1999/12/02 16:58:29 joda Exp $");
+
+struct gss_data {
+    gss_ctx_id_t context_hdl;
+    char *client_name;
+};
+
+static int
+gss_init(void *app_data)
+{
+    struct gss_data *d = app_data;
+    d->context_hdl = GSS_C_NO_CONTEXT;
+    return 0;
+}
+
+static int
+gss_check_prot(void *app_data, int level)
+{
+    if(level == prot_confidential)
+	return -1;
+    return 0;
+}
+
+static int
+gss_decode(void *app_data, void *buf, int len, int level)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc input, output;
+    gss_qop_t qop_state;
+    int conf_state;
+    struct gss_data *d = app_data;
+
+    input.length = len;
+    input.value = buf;
+    maj_stat = gss_unwrap (&min_stat,
+			   d->context_hdl,
+			   &input,
+			   &output,
+			   &conf_state,
+			   &qop_state);
+    if(GSS_ERROR(maj_stat))
+	return -1;
+    memmove(buf, output.value, output.length);
+    return output.length;
+}
+
+static int
+gss_overhead(void *app_data, int level, int len)
+{
+    return 100; /* dunno? */
+}
+
+
+static int
+gss_encode(void *app_data, void *from, int length, int level, void **to)
+{
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc input, output;
+    int conf_state;
+    struct gss_data *d = app_data;
+
+    input.length = length;
+    input.value = from;
+    maj_stat = gss_wrap (&min_stat,
+			 d->context_hdl,
+			 level == prot_private,
+			 GSS_C_QOP_DEFAULT,
+			 &input,
+			 &conf_state,
+			 &output);
+    *to = output.value;
+    return output.length;
+}
+
+static void
+sockaddr_to_gss_address (const struct sockaddr *sa,
+			 OM_uint32 *addr_type,
+			 gss_buffer_desc *gss_addr)
+{
+    switch (sa->sa_family) {
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+	gss_addr->length = 16;
+	gss_addr->value  = &sin6->sin6_addr;
+	*addr_type       = GSS_C_AF_INET6;
+	break;
+    }
+#endif
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+	gss_addr->length = 4;
+	gss_addr->value  = &sin->sin_addr;
+	*addr_type       = GSS_C_AF_INET;
+	break;
+    }
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	
+    }
+}
+
+/* end common stuff */
+
+#ifdef FTP_SERVER
+
+static int
+gss_adat(void *app_data, void *buf, size_t len)
+{
+    char *p = NULL;
+    gss_buffer_desc input_token, output_token;
+    OM_uint32 maj_stat, min_stat;
+    gss_name_t client_name;
+    struct gss_data *d = app_data;
+
+    gss_channel_bindings_t bindings = malloc(sizeof(*bindings));
+    sockaddr_to_gss_address (his_addr,
+			     &bindings->initiator_addrtype,
+			     &bindings->initiator_address);
+    sockaddr_to_gss_address (ctrl_addr,
+			     &bindings->acceptor_addrtype,
+			     &bindings->acceptor_address);
+
+    bindings->application_data.length = 0;
+    bindings->application_data.value = NULL;
+
+    input_token.value = buf;
+    input_token.length = len;
+    
+    maj_stat = gss_accept_sec_context (&min_stat,
+				       &d->context_hdl,
+				       GSS_C_NO_CREDENTIAL,
+				       &input_token,
+				       bindings,
+				       &client_name,
+				       NULL,
+				       &output_token,
+				       NULL,
+				       NULL,
+				       NULL);
+
+    if(output_token.length) {
+	if(base64_encode(output_token.value, output_token.length, &p) < 0) {
+	    reply(535, "Out of memory base64-encoding.");
+	    return -1;
+	}
+    }
+    if(maj_stat == GSS_S_COMPLETE){
+	char *name;
+	gss_buffer_desc export_name;
+	maj_stat = gss_export_name(&min_stat, client_name, &export_name);
+	if(maj_stat != 0) {
+	    reply(500, "Error exporting name");
+	    goto out;
+	}
+	name = realloc(export_name.value, export_name.length + 1);
+	if(name == NULL) {
+	    reply(500, "Out of memory");
+	    free(export_name.value);
+	    goto out;
+	}
+	name[export_name.length] = '\0';
+	d->client_name = name;
+	if(p)
+	    reply(235, "ADAT=%s", p);
+	else
+	    reply(235, "ADAT Complete");
+	sec_complete = 1;
+
+    } else if(maj_stat == GSS_S_CONTINUE_NEEDED) {
+	if(p)
+	    reply(335, "ADAT=%s", p);
+	else
+	    reply(335, "OK, need more data");
+    } else
+	reply(535, "foo?");
+out:
+    free(p);
+    return 0;
+}
+
+int gss_userok(void*, char*);
+
+struct sec_server_mech gss_server_mech = {
+    "GSSAPI",
+    sizeof(struct gss_data),
+    gss_init, /* init */
+    NULL, /* end */
+    gss_check_prot,
+    gss_overhead,
+    gss_encode,
+    gss_decode,
+    /* */
+    NULL,
+    gss_adat,
+    NULL, /* pbsz */
+    NULL, /* ccc */
+    gss_userok
+};
+
+#else /* FTP_SERVER */
+
+extern struct sockaddr *hisctladdr, *myctladdr;
+
+static int
+gss_auth(void *app_data, char *host)
+{
+    
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc name;
+    gss_name_t target_name;
+    gss_buffer_desc input, output_token;
+    int context_established = 0;
+    char *p;
+    int n;
+    gss_channel_bindings_t bindings;
+    struct gss_data *d = app_data;
+	    
+    name.length = asprintf((char**)&name.value, "ftp@%s", host);
+    maj_stat = gss_import_name(&min_stat,
+			       &name,
+			       GSS_C_NT_HOSTBASED_SERVICE,
+			       &target_name);
+    if (GSS_ERROR(maj_stat)) {
+	OM_uint32 new_stat;
+	OM_uint32 msg_ctx = 0;
+	gss_buffer_desc status_string;
+	    
+	gss_display_status(&new_stat,
+			   min_stat,
+			   GSS_C_MECH_CODE,
+			   GSS_C_NO_OID,
+			   &msg_ctx,
+			   &status_string);
+	printf("Error importing name %s: %s\n", 
+	       (char *)name.value,
+	       (char *)status_string.value);
+	gss_release_buffer(&new_stat, &status_string);
+	return AUTH_ERROR;
+    }
+    free(name.value);
+    
+
+    input.length = 0;
+    input.value = NULL;
+
+    bindings = malloc(sizeof(*bindings));
+
+    sockaddr_to_gss_address (myctladdr,
+			     &bindings->initiator_addrtype,
+			     &bindings->initiator_address);
+    sockaddr_to_gss_address (hisctladdr,
+			     &bindings->acceptor_addrtype,
+			     &bindings->acceptor_address);
+
+    bindings->application_data.length = 0;
+    bindings->application_data.value = NULL;
+
+    while(!context_established) {
+	maj_stat = gss_init_sec_context(&min_stat,
+					GSS_C_NO_CREDENTIAL,
+					&d->context_hdl,
+					target_name,
+					GSS_C_NO_OID,
+					GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG,
+					0,
+					bindings,
+					&input,
+					NULL,
+					&output_token,
+					NULL,
+					NULL);
+	if (GSS_ERROR(maj_stat)) {
+	    OM_uint32 new_stat;
+	    OM_uint32 msg_ctx = 0;
+	    gss_buffer_desc status_string;
+	    
+	    gss_display_status(&new_stat,
+			       min_stat,
+			       GSS_C_MECH_CODE,
+			       GSS_C_NO_OID,
+			       &msg_ctx,
+			       &status_string);
+	    printf("Error initializing security context: %s\n", 
+		   (char*)status_string.value);
+	    gss_release_buffer(&new_stat, &status_string);
+	    return AUTH_CONTINUE;
+	}
+
+	gss_release_buffer(&min_stat, &input);
+	if (output_token.length != 0) {
+	    base64_encode(output_token.value, output_token.length, &p);
+	    gss_release_buffer(&min_stat, &output_token);
+	    n = command("ADAT %s", p);
+	    free(p);
+	}
+	if (GSS_ERROR(maj_stat)) {
+	    if (d->context_hdl != GSS_C_NO_CONTEXT)
+		gss_delete_sec_context (&min_stat,
+					&d->context_hdl,
+					GSS_C_NO_BUFFER);
+	    break;
+	}
+	if (maj_stat & GSS_S_CONTINUE_NEEDED) {
+	    p = strstr(reply_string, "ADAT=");
+	    if(p == NULL){
+		printf("Error: expected ADAT in reply.\n");
+		return AUTH_ERROR;
+	    } else {
+		p+=5;
+		input.value = malloc(strlen(p));
+		input.length = base64_decode(p, input.value);
+	    }
+	} else {
+	    if(code != 235) {
+		printf("Unrecognized response code: %d\n", code);
+		return AUTH_ERROR;
+	    }
+	    context_established = 1;
+	}
+    }
+    return AUTH_OK;
+}
+
+struct sec_client_mech gss_client_mech = {
+    "GSSAPI",
+    sizeof(struct gss_data),
+    gss_init,
+    gss_auth,
+    NULL, /* end */
+    gss_check_prot,
+    gss_overhead,
+    gss_encode,
+    gss_decode,
+};
+
+#endif /* FTP_SERVER */
diff --git a/crypto/kerberosIV/appl/ftp/ftp/kauth.c b/crypto/kerberosIV/appl/ftp/ftp/kauth.c
new file mode 100644
index 0000000..613593a
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/kauth.c
@@ -0,0 +1,198 @@
+/*
+ * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+#include <krb.h>
+RCSID("$Id: kauth.c,v 1.20 1999/12/02 16:58:29 joda Exp $");
+
+void
+kauth(int argc, char **argv)
+{
+    int ret;
+    char buf[1024];
+    des_cblock key;
+    des_key_schedule schedule;
+    KTEXT_ST tkt, tktcopy;
+    char *name;
+    char *p;
+    int overbose;
+    char passwd[100];
+    int tmp;
+	
+    int save;
+
+    if(argc > 2){
+	printf("usage: %s [principal]\n", argv[0]);
+	code = -1;
+	return;
+    }
+    if(argc == 2)
+	name = argv[1];
+    else
+	name = username;
+
+    overbose = verbose;
+    verbose = 0;
+
+    save = set_command_prot(prot_private);
+    ret = command("SITE KAUTH %s", name);
+    if(ret != CONTINUE){
+	verbose = overbose;
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    verbose = overbose;
+    p = strstr(reply_string, "T=");
+    if(!p){
+	printf("Bad reply from server.\n");
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    p += 2;
+    tmp = base64_decode(p, &tkt.dat);
+    if(tmp < 0){
+	printf("Failed to decode base64 in reply.\n");
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    tkt.length = tmp;
+    tktcopy.length = tkt.length;
+    
+    p = strstr(reply_string, "P=");
+    if(!p){
+	printf("Bad reply from server.\n");
+	verbose = overbose;
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    name = p + 2;
+    for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
+    *p = 0;
+    
+    snprintf(buf, sizeof(buf), "Password for %s:", name);
+    if (des_read_pw_string (passwd, sizeof(passwd)-1, buf, 0))
+        *passwd = '\0';
+    des_string_to_key (passwd, &key);
+
+    des_key_sched(&key, schedule);
+    
+    des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
+		     tkt.length,
+		     schedule, &key, DES_DECRYPT);
+    if (strcmp ((char*)tktcopy.dat + 8,
+		KRB_TICKET_GRANTING_TICKET) != 0) {
+        afs_string_to_key (passwd, krb_realmofhost(hostname), &key);
+	des_key_sched (&key, schedule);
+	des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
+			 tkt.length,
+			 schedule, &key, DES_DECRYPT);
+    }
+    memset(key, 0, sizeof(key));
+    memset(schedule, 0, sizeof(schedule));
+    memset(passwd, 0, sizeof(passwd));
+    if(base64_encode(tktcopy.dat, tktcopy.length, &p) < 0) {
+	printf("Out of memory base64-encoding.\n");
+	set_command_prot(save);
+	code = -1;
+	return;
+    }
+    memset (tktcopy.dat, 0, tktcopy.length);
+    ret = command("SITE KAUTH %s %s", name, p);
+    free(p);
+    set_command_prot(save);
+    if(ret != COMPLETE){
+	code = -1;
+	return;
+    }
+    code = 0;
+}
+
+void
+klist(int argc, char **argv)
+{
+    int ret;
+    if(argc != 1){
+	printf("usage: %s\n", argv[0]);
+	code = -1;
+	return;
+    }
+    
+    ret = command("SITE KLIST");
+    code = (ret == COMPLETE);
+}
+
+void
+kdestroy(int argc, char **argv)
+{
+    int ret;
+    if (argc != 1) {
+	printf("usage: %s\n", argv[0]);
+	code = -1;
+	return;
+    }
+    ret = command("SITE KDESTROY");
+    code = (ret == COMPLETE);
+}
+
+void
+krbtkfile(int argc, char **argv)
+{
+    int ret;
+    if(argc != 2) {
+	printf("usage: %s tktfile\n", argv[0]);
+	code = -1;
+	return;
+    }
+    ret = command("SITE KRBTKFILE %s", argv[1]);
+    code = (ret == COMPLETE);
+}
+
+void
+afslog(int argc, char **argv)
+{
+    int ret;
+    if(argc > 2) {
+	printf("usage: %s [cell]\n", argv[0]);
+	code = -1;
+	return;
+    }
+    if(argc == 2)
+	ret = command("SITE AFSLOG %s", argv[1]);
+    else
+	ret = command("SITE AFSLOG");
+    code = (ret == COMPLETE);
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftp/krb4.c b/crypto/kerberosIV/appl/ftp/ftp/krb4.c
new file mode 100644
index 0000000..aa30c1b
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/krb4.c
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+#include <krb.h>
+
+RCSID("$Id: krb4.c,v 1.36.2.1 1999/12/06 17:29:45 assar Exp $");
+
+#ifdef FTP_SERVER
+#define LOCAL_ADDR ctrl_addr
+#define REMOTE_ADDR his_addr
+#else
+#define LOCAL_ADDR myctladdr
+#define REMOTE_ADDR hisctladdr
+#endif
+
+extern struct sockaddr *LOCAL_ADDR, *REMOTE_ADDR;
+
+struct krb4_data {
+    des_cblock key;
+    des_key_schedule schedule;
+    char name[ANAME_SZ];
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+};
+
+static int
+krb4_check_prot(void *app_data, int level)
+{
+    if(level == prot_confidential)
+	return -1;
+    return 0;
+}
+
+static int
+krb4_decode(void *app_data, void *buf, int len, int level)
+{
+    MSG_DAT m;
+    int e;
+    struct krb4_data *d = app_data;
+    
+    if(level == prot_safe)
+	e = krb_rd_safe(buf, len, &d->key,
+			(struct sockaddr_in *)REMOTE_ADDR,
+			(struct sockaddr_in *)LOCAL_ADDR, &m);
+    else
+	e = krb_rd_priv(buf, len, d->schedule, &d->key, 
+			(struct sockaddr_in *)REMOTE_ADDR,
+			(struct sockaddr_in *)LOCAL_ADDR, &m);
+    if(e){
+	syslog(LOG_ERR, "krb4_decode: %s", krb_get_err_text(e));
+	return -1;
+    }
+    memmove(buf, m.app_data, m.app_length);
+    return m.app_length;
+}
+
+static int
+krb4_overhead(void *app_data, int level, int len)
+{
+    return 31;
+}
+
+static int
+krb4_encode(void *app_data, void *from, int length, int level, void **to)
+{
+    struct krb4_data *d = app_data;
+    *to = malloc(length + 31);
+    if(level == prot_safe)
+	return krb_mk_safe(from, *to, length, &d->key, 
+			   (struct sockaddr_in *)LOCAL_ADDR,
+			   (struct sockaddr_in *)REMOTE_ADDR);
+    else if(level == prot_private)
+	return krb_mk_priv(from, *to, length, d->schedule, &d->key, 
+			   (struct sockaddr_in *)LOCAL_ADDR,
+			   (struct sockaddr_in *)REMOTE_ADDR);
+    else
+	return -1;
+}
+
+#ifdef FTP_SERVER
+
+static int
+krb4_adat(void *app_data, void *buf, size_t len)
+{
+    KTEXT_ST tkt;
+    AUTH_DAT auth_dat;
+    char *p;
+    int kerror;
+    u_int32_t cs;
+    char msg[35]; /* size of encrypted block */
+    int tmp_len;
+    struct krb4_data *d = app_data;
+    char inst[INST_SZ];
+    struct sockaddr_in *his_addr_sin = (struct sockaddr_in *)his_addr;
+
+    memcpy(tkt.dat, buf, len);
+    tkt.length = len;
+
+    k_getsockinst(0, inst, sizeof(inst));
+    kerror = krb_rd_req(&tkt, "ftp", inst, 
+			his_addr_sin->sin_addr.s_addr, &auth_dat, "");
+    if(kerror == RD_AP_UNDEC){
+	k_getsockinst(0, inst, sizeof(inst));
+	kerror = krb_rd_req(&tkt, "rcmd", inst, 
+			    his_addr_sin->sin_addr.s_addr, &auth_dat, "");
+    }
+
+    if(kerror){
+	reply(535, "Error reading request: %s.", krb_get_err_text(kerror));
+	return -1;
+    }
+    
+    memcpy(d->key, auth_dat.session, sizeof(d->key));
+    des_set_key(&d->key, d->schedule);
+
+    strlcpy(d->name, auth_dat.pname, sizeof(d->name));
+    strlcpy(d->instance, auth_dat.pinst, sizeof(d->instance));
+    strlcpy(d->realm, auth_dat.prealm, sizeof(d->instance));
+
+    cs = auth_dat.checksum + 1;
+    {
+	unsigned char tmp[4];
+	KRB_PUT_INT(cs, tmp, 4, sizeof(tmp));
+	tmp_len = krb_mk_safe(tmp, msg, 4, &d->key,
+			      (struct sockaddr_in *)LOCAL_ADDR,
+			      (struct sockaddr_in *)REMOTE_ADDR);
+    }
+    if(tmp_len < 0){
+	reply(535, "Error creating reply: %s.", strerror(errno));
+	return -1;
+    }
+    len = tmp_len;
+    if(base64_encode(msg, len, &p) < 0) {
+	reply(535, "Out of memory base64-encoding.");
+	return -1;
+    }
+    reply(235, "ADAT=%s", p);
+    sec_complete = 1;
+    free(p);
+    return 0;
+}
+
+static int
+krb4_userok(void *app_data, char *user)
+{
+    struct krb4_data *d = app_data;
+    return krb_kuserok(d->name, d->instance, d->realm, user);
+}
+
+struct sec_server_mech krb4_server_mech = {
+    "KERBEROS_V4",
+    sizeof(struct krb4_data),
+    NULL, /* init */
+    NULL, /* end */
+    krb4_check_prot,
+    krb4_overhead,
+    krb4_encode,
+    krb4_decode,
+    /* */
+    NULL,
+    krb4_adat,
+    NULL, /* pbsz */
+    NULL, /* ccc */
+    krb4_userok
+};
+
+#else /* FTP_SERVER */
+
+static int
+mk_auth(struct krb4_data *d, KTEXT adat, 
+	char *service, char *host, int checksum)
+{
+    int ret;
+    CREDENTIALS cred;
+    char sname[SNAME_SZ], inst[INST_SZ], realm[REALM_SZ];
+
+    strlcpy(sname, service, sizeof(sname));
+    strlcpy(inst, krb_get_phost(host), sizeof(inst));
+    strlcpy(realm, krb_realmofhost(host), sizeof(realm));
+    ret = krb_mk_req(adat, sname, inst, realm, checksum);
+    if(ret)
+	return ret;
+    strlcpy(sname, service, sizeof(sname));
+    strlcpy(inst, krb_get_phost(host), sizeof(inst));
+    strlcpy(realm, krb_realmofhost(host), sizeof(realm));
+    ret = krb_get_cred(sname, inst, realm, &cred);
+    memmove(&d->key, &cred.session, sizeof(des_cblock));
+    des_key_sched(&d->key, d->schedule);
+    memset(&cred, 0, sizeof(cred));
+    return ret;
+}
+
+static int
+krb4_auth(void *app_data, char *host)
+{
+    int ret;
+    char *p;
+    int len;
+    KTEXT_ST adat;
+    MSG_DAT msg_data;
+    int checksum;
+    u_int32_t cs;
+    struct krb4_data *d = app_data;
+    struct sockaddr_in *localaddr  = (struct sockaddr_in *)LOCAL_ADDR;
+    struct sockaddr_in *remoteaddr = (struct sockaddr_in *)REMOTE_ADDR;
+
+    checksum = getpid();
+    ret = mk_auth(d, &adat, "ftp", host, checksum);
+    if(ret == KDC_PR_UNKNOWN)
+	ret = mk_auth(d, &adat, "rcmd", host, checksum);
+    if(ret){
+	printf("%s\n", krb_get_err_text(ret));
+	return AUTH_CONTINUE;
+    }
+
+#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
+    if (krb_get_config_bool("nat_in_use")) {
+      struct in_addr natAddr;
+
+      if (krb_get_our_ip_for_realm(krb_realmofhost(host),
+				   &natAddr) != KSUCCESS
+	  && krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
+	printf("Can't get address for realm %s\n",
+	       krb_realmofhost(host));
+      else {
+	if (natAddr.s_addr != localaddr->sin_addr.s_addr) {
+	  printf("Using NAT IP address (%s) for kerberos 4\n",
+		 inet_ntoa(natAddr));
+	  localaddr->sin_addr = natAddr;
+	  
+	  /*
+	   * This not the best place to do this, but it
+	   * is here we know that (probably) NAT is in
+	   * use!
+	   */
+
+	  passivemode = 1;
+	  printf("Setting: Passive mode on.\n");
+	}
+      }
+    }
+#endif
+
+    printf("Local address is %s\n", inet_ntoa(localaddr->sin_addr));
+    printf("Remote address is %s\n", inet_ntoa(remoteaddr->sin_addr));
+
+   if(base64_encode(adat.dat, adat.length, &p) < 0) {
+	printf("Out of memory base64-encoding.\n");
+	return AUTH_CONTINUE;
+    }
+    ret = command("ADAT %s", p);
+    free(p);
+
+    if(ret != COMPLETE){
+	printf("Server didn't accept auth data.\n");
+	return AUTH_ERROR;
+    }
+
+    p = strstr(reply_string, "ADAT=");
+    if(!p){
+	printf("Remote host didn't send adat reply.\n");
+	return AUTH_ERROR;
+    }
+    p += 5;
+    len = base64_decode(p, adat.dat);
+    if(len < 0){
+	printf("Failed to decode base64 from server.\n");
+	return AUTH_ERROR;
+    }
+    adat.length = len;
+    ret = krb_rd_safe(adat.dat, adat.length, &d->key, 
+		      (struct sockaddr_in *)hisctladdr, 
+		      (struct sockaddr_in *)myctladdr, &msg_data);
+    if(ret){
+	printf("Error reading reply from server: %s.\n", 
+	       krb_get_err_text(ret));
+	return AUTH_ERROR;
+    }
+    krb_get_int(msg_data.app_data, &cs, 4, 0);
+    if(cs - checksum != 1){
+	printf("Bad checksum returned from server.\n");
+	return AUTH_ERROR;
+    }
+    return AUTH_OK;
+}
+
+struct sec_client_mech krb4_client_mech = {
+    "KERBEROS_V4",
+    sizeof(struct krb4_data),
+    NULL, /* init */
+    krb4_auth,
+    NULL, /* end */
+    krb4_check_prot,
+    krb4_overhead,
+    krb4_encode,
+    krb4_decode
+};
+
+#endif /* FTP_SERVER */
diff --git a/crypto/kerberosIV/appl/ftp/ftp/krb4.h b/crypto/kerberosIV/appl/ftp/ftp/krb4.h
new file mode 100644
index 0000000..7cf8cec
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/krb4.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: krb4.h,v 1.10 1997/04/01 08:17:22 joda Exp $ */
+
+#ifndef __KRB4_H__
+#define __KRB4_H__
+
+#include <stdio.h>
+#include <stdarg.h>
+
+extern int auth_complete;
+
+void sec_status(void);
+
+enum { prot_clear, prot_safe, prot_confidential, prot_private };
+
+void sec_prot(int, char**);
+
+int sec_getc(FILE *F);
+int sec_putc(int c, FILE *F);
+int sec_fflush(FILE *F);
+int sec_read(int fd, void *data, int length);
+int sec_write(int fd, char *data, int length);
+
+int krb4_getc(FILE *F);
+int krb4_read(int fd, char *data, int length);
+
+
+
+void sec_set_protection_level(void);
+int sec_request_prot(char *level);
+
+void kauth(int, char **);
+void klist(int, char **);
+
+void krb4_quit(void);
+
+int krb4_write_enc(FILE *F, char *fmt, va_list ap);
+int krb4_read_msg(char *s, int priv);
+int krb4_read_mic(char *s);
+int krb4_read_enc(char *s);
+
+int do_klogin(char *host);
+
+#endif /* __KRB4_H__ */
diff --git a/crypto/kerberosIV/appl/ftp/ftp/main.c b/crypto/kerberosIV/appl/ftp/ftp/main.c
new file mode 100644
index 0000000..929acac
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/main.c
@@ -0,0 +1,551 @@
+/*
+ * Copyright (c) 1985, 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * FTP User Program -- Command Interface.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: main.c,v 1.27.2.1 2000/10/10 13:01:50 assar Exp $");
+
+int
+main(int argc, char **argv)
+{
+	int ch, top;
+	struct passwd *pw = NULL;
+	char homedir[MaxPathLen];
+	struct servent *sp;
+
+	set_progname(argv[0]);
+
+	sp = getservbyname("ftp", "tcp");
+	if (sp == 0)
+		errx(1, "ftp/tcp: unknown service");
+	doglob = 1;
+	interactive = 1;
+	autologin = 1;
+	passivemode = 0; /* passive mode not active */
+
+	while ((ch = getopt(argc, argv, "dginptv")) != -1) {
+		switch (ch) {
+		case 'd':
+			options |= SO_DEBUG;
+			debug++;
+			break;
+			
+		case 'g':
+			doglob = 0;
+			break;
+
+		case 'i':
+			interactive = 0;
+			break;
+
+		case 'n':
+			autologin = 0;
+			break;
+
+		case 'p':
+		        passivemode = 1;
+			break;
+		case 't':
+			trace++;
+			break;
+
+		case 'v':
+			verbose++;
+			break;
+
+		default:
+		    fprintf(stderr,
+			    "usage: ftp [-dginptv] [host [port]]\n");
+		    exit(1);
+		}
+	}
+	argc -= optind;
+	argv += optind;
+
+	fromatty = isatty(fileno(stdin));
+	if (fromatty)
+		verbose++;
+	cpend = 0;	/* no pending replies */
+	proxy = 0;	/* proxy not active */
+	crflag = 1;	/* strip c.r. on ascii gets */
+	sendport = -1;	/* not using ports */
+	/*
+	 * Set up the home directory in case we're globbing.
+	 */
+	pw = k_getpwuid(getuid());
+	if (pw != NULL) {
+		strlcpy(homedir, pw->pw_dir, sizeof(homedir));
+		home = homedir;
+	}
+	if (argc > 0) {
+	    char *xargv[5];
+	    
+	    if (setjmp(toplevel))
+		exit(0);
+	    signal(SIGINT, intr);
+	    signal(SIGPIPE, lostpeer);
+	    xargv[0] = (char*)__progname;
+	    xargv[1] = argv[0];
+	    xargv[2] = argv[1];
+	    xargv[3] = argv[2];
+	    xargv[4] = NULL;
+	    setpeer(argc+1, xargv);
+	}
+	if(setjmp(toplevel) == 0)
+	    top = 1;
+	else
+	    top = 0;
+	if (top) {
+	    signal(SIGINT, intr);
+	    signal(SIGPIPE, lostpeer);
+	}
+	for (;;) {
+	    cmdscanner(top);
+	    top = 1;
+	}
+}
+
+void
+intr(int sig)
+{
+
+	longjmp(toplevel, 1);
+}
+
+#ifndef SHUT_RDWR
+#define SHUT_RDWR 2
+#endif
+
+RETSIGTYPE
+lostpeer(int sig)
+{
+
+    if (connected) {
+	if (cout != NULL) {
+	    shutdown(fileno(cout), SHUT_RDWR);
+	    fclose(cout);
+	    cout = NULL;
+	}
+	if (data >= 0) {
+	    shutdown(data, SHUT_RDWR);
+	    close(data);
+	    data = -1;
+	}
+	connected = 0;
+    }
+    pswitch(1);
+    if (connected) {
+	if (cout != NULL) {
+	    shutdown(fileno(cout), SHUT_RDWR);
+	    fclose(cout);
+	    cout = NULL;
+	}
+	connected = 0;
+    }
+    proxflag = 0;
+    pswitch(0);
+    sec_end();
+    SIGRETURN(0);
+}
+
+/*
+char *
+tail(filename)
+	char *filename;
+{
+	char *s;
+	
+	while (*filename) {
+		s = strrchr(filename, '/');
+		if (s == NULL)
+			break;
+		if (s[1])
+			return (s + 1);
+		*s = '\0';
+	}
+	return (filename);
+}
+*/
+
+#ifndef HAVE_READLINE
+
+static char *
+readline(char *prompt)
+{
+    char buf[BUFSIZ];
+    printf ("%s", prompt);
+    fflush (stdout);
+    if(fgets(buf, sizeof(buf), stdin) == NULL)
+	return NULL;
+    if (buf[strlen(buf) - 1] == '\n')
+	buf[strlen(buf) - 1] = '\0';
+    return strdup(buf);
+}
+
+static void
+add_history(char *p)
+{
+}
+
+#else
+
+/* These should not really be here */
+
+char *readline(char *);
+void add_history(char *);
+
+#endif
+
+/*
+ * Command parser.
+ */
+void
+cmdscanner(int top)
+{
+    struct cmd *c;
+    int l;
+
+    if (!top)
+	putchar('\n');
+    for (;;) {
+	if (fromatty) {
+	    char *p;
+	    p = readline("ftp> ");
+	    if(p == NULL) {
+		printf("\n");
+		quit(0, 0);
+	    }
+	    strlcpy(line, p, sizeof(line));
+	    add_history(p);
+	    free(p);
+	} else{
+	    if (fgets(line, sizeof line, stdin) == NULL)
+		quit(0, 0);
+	}
+	/* XXX will break on long lines */
+	l = strlen(line);
+	if (l == 0)
+	    break;
+	if (line[--l] == '\n') {
+	    if (l == 0)
+		break;
+	    line[l] = '\0';
+	} else if (l == sizeof(line) - 2) {
+	    printf("sorry, input line too long\n");
+	    while ((l = getchar()) != '\n' && l != EOF)
+		/* void */;
+	    break;
+	} /* else it was a line without a newline */
+	makeargv();
+	if (margc == 0) {
+	    continue;
+	}
+	c = getcmd(margv[0]);
+	if (c == (struct cmd *)-1) {
+	    printf("?Ambiguous command\n");
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command\n");
+	    continue;
+	}
+	if (c->c_conn && !connected) {
+	    printf("Not connected.\n");
+	    continue;
+	}
+	(*c->c_handler)(margc, margv);
+	if (bell && c->c_bell)
+	    putchar('\007');
+	if (c->c_handler != help)
+	    break;
+    }
+    signal(SIGINT, intr);
+    signal(SIGPIPE, lostpeer);
+}
+
+struct cmd *
+getcmd(char *name)
+{
+	char *p, *q;
+	struct cmd *c, *found;
+	int nmatches, longest;
+
+	longest = 0;
+	nmatches = 0;
+	found = 0;
+	for (c = cmdtab; (p = c->c_name); c++) {
+		for (q = name; *q == *p++; q++)
+			if (*q == 0)		/* exact match? */
+				return (c);
+		if (!*q) {			/* the name was a prefix */
+			if (q - name > longest) {
+				longest = q - name;
+				nmatches = 1;
+				found = c;
+			} else if (q - name == longest)
+				nmatches++;
+		}
+	}
+	if (nmatches > 1)
+		return ((struct cmd *)-1);
+	return (found);
+}
+
+/*
+ * Slice a string up into argc/argv.
+ */
+
+int slrflag;
+
+void
+makeargv(void)
+{
+	char **argp;
+
+	argp = margv;
+	stringbase = line;		/* scan from first of buffer */
+	argbase = argbuf;		/* store from first of buffer */
+	slrflag = 0;
+	for (margc = 0; ; margc++) {
+		/* Expand array if necessary */
+		if (margc == margvlen) {
+			int i;
+
+			margv = (margvlen == 0)
+				? (char **)malloc(20 * sizeof(char *))
+				: (char **)realloc(margv,
+					(margvlen + 20)*sizeof(char *));
+			if (margv == NULL)
+				errx(1, "cannot realloc argv array");
+			for(i = margvlen; i < margvlen + 20; ++i)
+				margv[i] = NULL;
+			margvlen += 20;
+			argp = margv + margc;
+		}
+
+		if ((*argp++ = slurpstring()) == NULL)
+			break;
+	}
+
+}
+
+/*
+ * Parse string into argbuf;
+ * implemented with FSM to
+ * handle quoting and strings
+ */
+char *
+slurpstring(void)
+{
+	int got_one = 0;
+	char *sb = stringbase;
+	char *ap = argbase;
+	char *tmp = argbase;		/* will return this if token found */
+
+	if (*sb == '!' || *sb == '$') {	/* recognize ! as a token for shell */
+		switch (slrflag) {	/* and $ as token for macro invoke */
+			case 0:
+				slrflag++;
+				stringbase++;
+				return ((*sb == '!') ? "!" : "$");
+				/* NOTREACHED */
+			case 1:
+				slrflag++;
+				altarg = stringbase;
+				break;
+			default:
+				break;
+		}
+	}
+
+S0:
+	switch (*sb) {
+
+	case '\0':
+		goto OUT;
+
+	case ' ':
+	case '\t':
+		sb++; goto S0;
+
+	default:
+		switch (slrflag) {
+			case 0:
+				slrflag++;
+				break;
+			case 1:
+				slrflag++;
+				altarg = sb;
+				break;
+			default:
+				break;
+		}
+		goto S1;
+	}
+
+S1:
+	switch (*sb) {
+
+	case ' ':
+	case '\t':
+	case '\0':
+		goto OUT;	/* end of token */
+
+	case '\\':
+		sb++; goto S2;	/* slurp next character */
+
+	case '"':
+		sb++; goto S3;	/* slurp quoted string */
+
+	default:
+		*ap++ = *sb++;	/* add character to token */
+		got_one = 1;
+		goto S1;
+	}
+
+S2:
+	switch (*sb) {
+
+	case '\0':
+		goto OUT;
+
+	default:
+		*ap++ = *sb++;
+		got_one = 1;
+		goto S1;
+	}
+
+S3:
+	switch (*sb) {
+
+	case '\0':
+		goto OUT;
+
+	case '"':
+		sb++; goto S1;
+
+	default:
+		*ap++ = *sb++;
+		got_one = 1;
+		goto S3;
+	}
+
+OUT:
+	if (got_one)
+		*ap++ = '\0';
+	argbase = ap;			/* update storage pointer */
+	stringbase = sb;		/* update scan pointer */
+	if (got_one) {
+		return (tmp);
+	}
+	switch (slrflag) {
+		case 0:
+			slrflag++;
+			break;
+		case 1:
+			slrflag++;
+			altarg = (char *) 0;
+			break;
+		default:
+			break;
+	}
+	return NULL;
+}
+
+#define HELPINDENT ((int) sizeof ("directory"))
+
+/*
+ * Help command.
+ * Call each command handler with argc == 0 and argv[0] == name.
+ */
+void
+help(int argc, char **argv)
+{
+	struct cmd *c;
+
+	if (argc == 1) {
+		int i, j, w, k;
+		int columns, width = 0, lines;
+
+		printf("Commands may be abbreviated.  Commands are:\n\n");
+		for (c = cmdtab; c < &cmdtab[NCMDS]; c++) {
+			int len = strlen(c->c_name);
+
+			if (len > width)
+				width = len;
+		}
+		width = (width + 8) &~ 7;
+		columns = 80 / width;
+		if (columns == 0)
+			columns = 1;
+		lines = (NCMDS + columns - 1) / columns;
+		for (i = 0; i < lines; i++) {
+			for (j = 0; j < columns; j++) {
+				c = cmdtab + j * lines + i;
+				if (c->c_name && (!proxy || c->c_proxy)) {
+					printf("%s", c->c_name);
+				}
+				else if (c->c_name) {
+					for (k=0; k < strlen(c->c_name); k++) {
+						putchar(' ');
+					}
+				}
+				if (c + lines >= &cmdtab[NCMDS]) {
+					printf("\n");
+					break;
+				}
+				w = strlen(c->c_name);
+				while (w < width) {
+					w = (w + 8) &~ 7;
+					putchar('\t');
+				}
+			}
+		}
+		return;
+	}
+	while (--argc > 0) {
+		char *arg;
+		arg = *++argv;
+		c = getcmd(arg);
+		if (c == (struct cmd *)-1)
+			printf("?Ambiguous help command %s\n", arg);
+		else if (c == (struct cmd *)0)
+			printf("?Invalid help command %s\n", arg);
+		else
+			printf("%-*s\t%s\n", HELPINDENT,
+				c->c_name, c->c_help);
+	}
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftp/pathnames.h b/crypto/kerberosIV/appl/ftp/ftp/pathnames.h
new file mode 100644
index 0000000..f7c1fb3
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/pathnames.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)pathnames.h	8.1 (Berkeley) 6/6/93
+ */
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#define	_PATH_TMP_XXX	"/tmp/ftpXXXXXX"
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL	"/bin/sh"
+#endif
diff --git a/crypto/kerberosIV/appl/ftp/ftp/ruserpass.c b/crypto/kerberosIV/appl/ftp/ftp/ruserpass.c
new file mode 100644
index 0000000..c687a59
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/ruserpass.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (c) 1985, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftp_locl.h"
+RCSID("$Id: ruserpass.c,v 1.16 1999/09/16 20:37:31 assar Exp $");
+
+static	int token (void);
+static	FILE *cfile;
+
+#define	DEFAULT	1
+#define	LOGIN	2
+#define	PASSWD	3
+#define	ACCOUNT 4
+#define MACDEF  5
+#define PROT	6
+#define	ID	10
+#define	MACH	11
+
+static char tokval[100];
+
+static struct toktab {
+	char *tokstr;
+	int tval;
+} toktab[]= {
+	{ "default",	DEFAULT },
+	{ "login",	LOGIN },
+	{ "password",	PASSWD },
+	{ "passwd",	PASSWD },
+	{ "account",	ACCOUNT },
+	{ "machine",	MACH },
+	{ "macdef",	MACDEF },
+	{ "prot", 	PROT }, 
+	{ NULL,		0 }
+};
+
+/*
+ * Write a copy of the hostname into `hostname, sz' and return a guess
+ * as to the `domain' of that hostname.
+ */
+
+static char *
+guess_domain (char *hostname, size_t sz)
+{
+    struct hostent *he;
+    char *dot;
+    char *a;
+    char **aliases;
+
+    if (gethostname (hostname, sz) < 0) {
+	strlcpy (hostname, "", sz);
+	return "";
+    }
+    dot = strchr (hostname, '.');
+    if (dot != NULL)
+	return dot + 1;
+
+    he = gethostbyname (hostname);
+    if (he == NULL)
+	return hostname;
+
+    dot = strchr (he->h_name, '.');
+    if (dot != NULL) {
+	strlcpy (hostname, he->h_name, sz);
+	return dot + 1;
+    }
+    for (aliases = he->h_aliases; (a = *aliases) != NULL; ++aliases) {
+	dot = strchr (a, '.');
+	if (dot != NULL) {
+	    strlcpy (hostname, a, sz);
+	    return dot + 1;
+	}
+    }
+    return hostname;
+}
+
+int
+ruserpass(char *host, char **aname, char **apass, char **aacct)
+{
+    char *hdir, buf[BUFSIZ], *tmp;
+    int t, i, c, usedefault = 0;
+    struct stat stb;
+
+    mydomain = guess_domain (myhostname, MaxHostNameLen);
+
+    hdir = getenv("HOME");
+    if (hdir == NULL)
+	hdir = ".";
+    snprintf(buf, sizeof(buf), "%s/.netrc", hdir);
+    cfile = fopen(buf, "r");
+    if (cfile == NULL) {
+	if (errno != ENOENT)
+	    warn("%s", buf);
+	return (0);
+    }
+
+next:
+    while ((t = token())) switch(t) {
+
+    case DEFAULT:
+	usedefault = 1;
+	/* FALL THROUGH */
+
+    case MACH:
+	if (!usedefault) {
+	    if (token() != ID)
+		continue;
+	    /*
+	     * Allow match either for user's input host name
+	     * or official hostname.  Also allow match of 
+	     * incompletely-specified host in local domain.
+	     */
+	    if (strcasecmp(host, tokval) == 0)
+		goto match;
+	    if (strcasecmp(hostname, tokval) == 0)
+		goto match;
+	    if ((tmp = strchr(hostname, '.')) != NULL &&
+		tmp++ &&
+		strcasecmp(tmp, mydomain) == 0 &&
+		strncasecmp(hostname, tokval, tmp-hostname) == 0 &&
+		tokval[tmp - hostname] == '\0')
+		goto match;
+	    if ((tmp = strchr(host, '.')) != NULL &&
+		tmp++ &&
+		strcasecmp(tmp, mydomain) == 0 &&
+		strncasecmp(host, tokval, tmp - host) == 0 &&
+		tokval[tmp - host] == '\0')
+		goto match;
+	    continue;
+	}
+    match:
+	while ((t = token()) && t != MACH && t != DEFAULT) switch(t) {
+
+	case LOGIN:
+	    if (token()) {
+		if (*aname == 0) { 
+		    *aname = strdup(tokval);
+		} else {
+		    if (strcmp(*aname, tokval))
+			goto next;
+		}
+	    }
+	    break;
+	case PASSWD:
+	    if ((*aname == NULL || strcmp(*aname, "anonymous")) &&
+		fstat(fileno(cfile), &stb) >= 0 &&
+		(stb.st_mode & 077) != 0) {
+		warnx("Error: .netrc file is readable by others.");
+		warnx("Remove password or make file unreadable by others.");
+		goto bad;
+	    }
+	    if (token() && *apass == 0) {
+		*apass = strdup(tokval);
+	    }
+	    break;
+	case ACCOUNT:
+	    if (fstat(fileno(cfile), &stb) >= 0
+		&& (stb.st_mode & 077) != 0) {
+		warnx("Error: .netrc file is readable by others.");
+		warnx("Remove account or make file unreadable by others.");
+		goto bad;
+	    }
+	    if (token() && *aacct == 0) {
+		*aacct = strdup(tokval);
+	    }
+	    break;
+	case MACDEF:
+	    if (proxy) {
+		fclose(cfile);
+		return (0);
+	    }
+	    while ((c=getc(cfile)) != EOF && 
+		   (c == ' ' || c == '\t'));
+	    if (c == EOF || c == '\n') {
+		printf("Missing macdef name argument.\n");
+		goto bad;
+	    }
+	    if (macnum == 16) {
+		printf("Limit of 16 macros have already been defined\n");
+		goto bad;
+	    }
+	    tmp = macros[macnum].mac_name;
+	    *tmp++ = c;
+	    for (i=0; i < 8 && (c=getc(cfile)) != EOF &&
+		     !isspace(c); ++i) {
+		*tmp++ = c;
+	    }
+	    if (c == EOF) {
+		printf("Macro definition missing null line terminator.\n");
+		goto bad;
+	    }
+	    *tmp = '\0';
+	    if (c != '\n') {
+		while ((c=getc(cfile)) != EOF && c != '\n');
+	    }
+	    if (c == EOF) {
+		printf("Macro definition missing null line terminator.\n");
+		goto bad;
+	    }
+	    if (macnum == 0) {
+		macros[macnum].mac_start = macbuf;
+	    }
+	    else {
+		macros[macnum].mac_start = macros[macnum-1].mac_end + 1;
+	    }
+	    tmp = macros[macnum].mac_start;
+	    while (tmp != macbuf + 4096) {
+		if ((c=getc(cfile)) == EOF) {
+		    printf("Macro definition missing null line terminator.\n");
+		    goto bad;
+		}
+		*tmp = c;
+		if (*tmp == '\n') {
+		    if (*(tmp-1) == '\0') {
+			macros[macnum++].mac_end = tmp - 1;
+			break;
+		    }
+		    *tmp = '\0';
+		}
+		tmp++;
+	    }
+	    if (tmp == macbuf + 4096) {
+		printf("4K macro buffer exceeded\n");
+		goto bad;
+	    }
+	    break;
+	case PROT:
+	    token();
+	    if(sec_request_prot(tokval) < 0)
+		warnx("Unknown protection level \"%s\"", tokval);
+	    break;
+	default:
+	    warnx("Unknown .netrc keyword %s", tokval);
+	    break;
+	}
+	goto done;
+    }
+done:
+    fclose(cfile);
+    return (0);
+bad:
+    fclose(cfile);
+    return (-1);
+}
+
+static int
+token(void)
+{
+	char *cp;
+	int c;
+	struct toktab *t;
+
+	if (feof(cfile) || ferror(cfile))
+		return (0);
+	while ((c = getc(cfile)) != EOF &&
+	    (c == '\n' || c == '\t' || c == ' ' || c == ','))
+		continue;
+	if (c == EOF)
+		return (0);
+	cp = tokval;
+	if (c == '"') {
+		while ((c = getc(cfile)) != EOF && c != '"') {
+			if (c == '\\')
+				c = getc(cfile);
+			*cp++ = c;
+		}
+	} else {
+		*cp++ = c;
+		while ((c = getc(cfile)) != EOF
+		    && c != '\n' && c != '\t' && c != ' ' && c != ',') {
+			if (c == '\\')
+				c = getc(cfile);
+			*cp++ = c;
+		}
+	}
+	*cp = 0;
+	if (tokval[0] == 0)
+		return (0);
+	for (t = toktab; t->tokstr; t++)
+		if (!strcmp(t->tokstr, tokval))
+			return (t->tval);
+	return (ID);
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftp/security.c b/crypto/kerberosIV/appl/ftp/ftp/security.c
new file mode 100644
index 0000000..ca7eb00
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/security.c
@@ -0,0 +1,785 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef FTP_SERVER
+#include "ftpd_locl.h"
+#else
+#include "ftp_locl.h"
+#endif
+
+RCSID("$Id: security.c,v 1.15 1999/12/02 16:58:30 joda Exp $");
+
+static enum protection_level command_prot;
+static enum protection_level data_prot;
+static size_t buffer_size;
+
+struct buffer {
+    void *data;
+    size_t size;
+    size_t index;
+    int eof_flag;
+};
+
+static struct buffer in_buffer, out_buffer;
+int sec_complete;
+
+static struct {
+    enum protection_level level;
+    const char *name;
+} level_names[] = {
+    { prot_clear, "clear" },
+    { prot_safe, "safe" },
+    { prot_confidential, "confidential" },
+    { prot_private, "private" }
+};
+
+static const char *
+level_to_name(enum protection_level level)
+{
+    int i;
+    for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
+	if(level_names[i].level == level)
+	    return level_names[i].name;
+    return "unknown";
+}
+
+#ifndef FTP_SERVER /* not used in server */
+static enum protection_level 
+name_to_level(const char *name)
+{
+    int i;
+    for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
+	if(!strncasecmp(level_names[i].name, name, strlen(name)))
+	    return level_names[i].level;
+    return (enum protection_level)-1;
+}
+#endif
+
+#ifdef FTP_SERVER
+
+static struct sec_server_mech *mechs[] = {
+#ifdef KRB5
+    &gss_server_mech,
+#endif
+#ifdef KRB4
+    &krb4_server_mech,
+#endif
+    NULL
+};
+
+static struct sec_server_mech *mech;
+
+#else
+
+static struct sec_client_mech *mechs[] = {
+#ifdef KRB5
+    &gss_client_mech,
+#endif
+#ifdef KRB4
+    &krb4_client_mech,
+#endif
+    NULL
+};
+
+static struct sec_client_mech *mech;
+
+#endif
+
+static void *app_data;
+
+int
+sec_getc(FILE *F)
+{
+    if(sec_complete && data_prot) {
+	char c;
+	if(sec_read(fileno(F), &c, 1) <= 0)
+	    return EOF;
+	return c;
+    } else
+	return getc(F);
+}
+
+static int
+block_read(int fd, void *buf, size_t len)
+{
+    unsigned char *p = buf;
+    int b;
+    while(len) {
+	b = read(fd, p, len);
+	if (b == 0)
+	    return 0;
+	else if (b < 0)
+	    return -1;
+	len -= b;
+	p += b;
+    }
+    return p - (unsigned char*)buf;
+}
+
+static int
+block_write(int fd, void *buf, size_t len)
+{
+    unsigned char *p = buf;
+    int b;
+    while(len) {
+	b = write(fd, p, len);
+	if(b < 0)
+	    return -1;
+	len -= b;
+	p += b;
+    }
+    return p - (unsigned char*)buf;
+}
+
+static int
+sec_get_data(int fd, struct buffer *buf, int level)
+{
+    int len;
+    int b;
+
+    b = block_read(fd, &len, sizeof(len));
+    if (b == 0)
+	return 0;
+    else if (b < 0)
+	return -1;
+    len = ntohl(len);
+    buf->data = realloc(buf->data, len);
+    b = block_read(fd, buf->data, len);
+    if (b == 0)
+	return 0;
+    else if (b < 0)
+	return -1;
+    buf->size = (*mech->decode)(app_data, buf->data, len, data_prot);
+    buf->index = 0;
+    return 0;
+}
+
+static size_t
+buffer_read(struct buffer *buf, void *data, size_t len)
+{
+    len = min(len, buf->size - buf->index);
+    memcpy(data, (char*)buf->data + buf->index, len);
+    buf->index += len;
+    return len;
+}
+
+static size_t
+buffer_write(struct buffer *buf, void *data, size_t len)
+{
+    if(buf->index + len > buf->size) {
+	void *tmp;
+	if(buf->data == NULL)
+	    tmp = malloc(1024);
+	else
+	    tmp = realloc(buf->data, buf->index + len);
+	if(tmp == NULL)
+	    return -1;
+	buf->data = tmp;
+	buf->size = buf->index + len;
+    }
+    memcpy((char*)buf->data + buf->index, data, len);
+    buf->index += len;
+    return len;
+}
+
+int
+sec_read(int fd, void *data, int length)
+{
+    size_t len;
+    int rx = 0;
+
+    if(sec_complete == 0 || data_prot == 0)
+	return read(fd, data, length);
+
+    if(in_buffer.eof_flag){
+	in_buffer.eof_flag = 0;
+	return 0;
+    }
+    
+    len = buffer_read(&in_buffer, data, length);
+    length -= len;
+    rx += len;
+    data = (char*)data + len;
+    
+    while(length){
+	if(sec_get_data(fd, &in_buffer, data_prot) < 0)
+	    return -1;
+	if(in_buffer.size == 0) {
+	    if(rx)
+		in_buffer.eof_flag = 1;
+	    return rx;
+	}
+	len = buffer_read(&in_buffer, data, length);
+	length -= len;
+	rx += len;
+	data = (char*)data + len;
+    }
+    return rx;
+}
+
+static int
+sec_send(int fd, char *from, int length)
+{
+    int bytes;
+    void *buf;
+    bytes = (*mech->encode)(app_data, from, length, data_prot, &buf);
+    bytes = htonl(bytes);
+    block_write(fd, &bytes, sizeof(bytes));
+    block_write(fd, buf, ntohl(bytes));
+    free(buf);
+    return length;
+}
+
+int
+sec_fflush(FILE *F)
+{
+    if(data_prot != prot_clear) {
+	if(out_buffer.index > 0){
+	    sec_write(fileno(F), out_buffer.data, out_buffer.index);
+	    out_buffer.index = 0;
+	}
+	sec_send(fileno(F), NULL, 0);
+    }
+    fflush(F);
+    return 0;
+}
+
+int
+sec_write(int fd, char *data, int length)
+{
+    int len = buffer_size;
+    int tx = 0;
+      
+    if(data_prot == prot_clear)
+	return write(fd, data, length);
+
+    len -= (*mech->overhead)(app_data, data_prot, len);
+    while(length){
+	if(length < len)
+	    len = length;
+	sec_send(fd, data, len);
+	length -= len;
+	data += len;
+	tx += len;
+    }
+    return tx;
+}
+
+int
+sec_vfprintf2(FILE *f, const char *fmt, va_list ap)
+{
+    char *buf;
+    int ret;
+    if(data_prot == prot_clear)
+	return vfprintf(f, fmt, ap);
+    else {
+	vasprintf(&buf, fmt, ap);
+	ret = buffer_write(&out_buffer, buf, strlen(buf));
+	free(buf);
+	return ret;
+    }
+}
+
+int
+sec_fprintf2(FILE *f, const char *fmt, ...)
+{
+    int ret;
+    va_list ap;
+    va_start(ap, fmt);
+    ret = sec_vfprintf2(f, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+int
+sec_putc(int c, FILE *F)
+{
+    char ch = c;
+    if(data_prot == prot_clear)
+	return putc(c, F);
+    
+    buffer_write(&out_buffer, &ch, 1);
+    if(c == '\n' || out_buffer.index >= 1024 /* XXX */) {
+	sec_write(fileno(F), out_buffer.data, out_buffer.index);
+	out_buffer.index = 0;
+    }
+    return c;
+}
+
+int
+sec_read_msg(char *s, int level)
+{
+    int len;
+    char *buf;
+    int code;
+    
+    buf = malloc(strlen(s));
+    len = base64_decode(s + 4, buf); /* XXX */
+    
+    len = (*mech->decode)(app_data, buf, len, level);
+    if(len < 0)
+	return -1;
+    
+    buf[len] = '\0';
+
+    if(buf[3] == '-')
+	code = 0;
+    else
+	sscanf(buf, "%d", &code);
+    if(buf[len-1] == '\n')
+	buf[len-1] = '\0';
+    strcpy(s, buf);
+    free(buf);
+    return code;
+}
+
+int
+sec_vfprintf(FILE *f, const char *fmt, va_list ap)
+{
+    char *buf;
+    void *enc;
+    int len;
+    if(!sec_complete)
+	return vfprintf(f, fmt, ap);
+    
+    vasprintf(&buf, fmt, ap);
+    len = (*mech->encode)(app_data, buf, strlen(buf), command_prot, &enc);
+    free(buf);
+    if(len < 0) {
+	printf("Failed to encode command.\n");
+	return -1;
+    }
+    if(base64_encode(enc, len, &buf) < 0){
+	printf("Out of memory base64-encoding.\n");
+	return -1;
+    }
+#ifdef FTP_SERVER
+    if(command_prot == prot_safe)
+	fprintf(f, "631 %s\r\n", buf);
+    else if(command_prot == prot_private)
+	fprintf(f, "632 %s\r\n", buf);
+    else if(command_prot == prot_confidential)
+	fprintf(f, "633 %s\r\n", buf);
+#else
+    if(command_prot == prot_safe)
+	fprintf(f, "MIC %s", buf);
+    else if(command_prot == prot_private)
+	fprintf(f, "ENC %s", buf);
+    else if(command_prot == prot_confidential)
+	fprintf(f, "CONF %s", buf);
+#endif
+    free(buf);
+    return 0;
+}
+
+int
+sec_fprintf(FILE *f, const char *fmt, ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, fmt);
+    ret = sec_vfprintf(f, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+/* end common stuff */
+
+#ifdef FTP_SERVER
+
+void
+auth(char *auth_name)
+{
+    int i;
+    for(i = 0; (mech = mechs[i]) != NULL; i++){
+	if(!strcasecmp(auth_name, mech->name)){
+	    app_data = realloc(app_data, mech->size);
+	    if(mech->init && (*mech->init)(app_data) != 0) {
+		reply(431, "Unable to accept %s at this time", mech->name);
+		return;
+	    }
+	    if(mech->auth) {
+		(*mech->auth)(app_data);
+		return;
+	    }
+	    if(mech->adat)
+		reply(334, "Send authorization data.");
+	    else
+		reply(234, "Authorization complete.");
+	    return;
+	}
+    }
+    free (app_data);
+    reply(504, "%s is unknown to me", auth_name);
+}
+
+void
+adat(char *auth_data)
+{
+    if(mech && !sec_complete) {
+	void *buf = malloc(strlen(auth_data));
+	size_t len;
+	len = base64_decode(auth_data, buf);
+	(*mech->adat)(app_data, buf, len);
+	free(buf);
+    } else
+	reply(503, "You must %sissue an AUTH first.", mech ? "re-" : "");
+}
+
+void pbsz(int size)
+{
+    size_t new = size;
+    if(!sec_complete)
+	reply(503, "Incomplete security data exchange.");
+    if(mech->pbsz)
+	new = (*mech->pbsz)(app_data, size);
+    if(buffer_size != new){
+	buffer_size = size;
+    }
+    if(new != size)
+	reply(200, "PBSZ=%lu", (unsigned long)new);
+    else
+	reply(200, "OK");
+}
+
+void
+prot(char *pl)
+{
+    int p = -1;
+
+    if(buffer_size == 0){
+	reply(503, "No protection buffer size negotiated.");
+	return;
+    }
+
+    if(!strcasecmp(pl, "C"))
+	p = prot_clear;
+    else if(!strcasecmp(pl, "S"))
+	p = prot_safe;
+    else if(!strcasecmp(pl, "E"))
+	p = prot_confidential;
+    else if(!strcasecmp(pl, "P"))
+	p = prot_private;
+    else {
+	reply(504, "Unrecognized protection level.");
+	return;
+    }
+    
+    if(sec_complete){
+	if((*mech->check_prot)(app_data, p)){
+	    reply(536, "%s does not support %s protection.", 
+		  mech->name, level_to_name(p));
+	}else{
+	    data_prot = (enum protection_level)p;
+	    reply(200, "Data protection is %s.", level_to_name(p));
+	}
+    }else{
+	reply(503, "Incomplete security data exchange.");
+    }
+}
+
+void ccc(void)
+{
+    if(sec_complete){
+	if(mech->ccc && (*mech->ccc)(app_data) == 0)
+	    command_prot = data_prot = prot_clear;
+	else
+	    reply(534, "You must be joking.");
+    }else
+	reply(503, "Incomplete security data exchange.");
+}
+
+void mec(char *msg, enum protection_level level)
+{
+    void *buf;
+    size_t len;
+    if(!sec_complete) {
+	reply(503, "Incomplete security data exchange.");
+	return;
+    }
+    buf = malloc(strlen(msg) + 2); /* XXX go figure out where that 2
+				      comes from :-) */
+    len = base64_decode(msg, buf);
+    command_prot = level;
+    if(len == (size_t)-1) {
+	reply(501, "Failed to base64-decode command");
+	return;
+    }
+    len = (*mech->decode)(app_data, buf, len, level);
+    if(len == (size_t)-1) {
+	reply(535, "Failed to decode command");
+	return;
+    }
+    ((char*)buf)[len] = '\0';
+    if(strstr((char*)buf, "\r\n") == NULL)
+	strcat((char*)buf, "\r\n");
+    new_ftp_command(buf);
+}
+
+/* ------------------------------------------------------------ */
+
+int
+sec_userok(char *user)
+{
+    if(sec_complete)
+	return (*mech->userok)(app_data, user);
+    return 0;
+}
+
+char *ftp_command;
+
+void
+new_ftp_command(char *command)
+{
+    ftp_command = command;
+}
+
+void
+delete_ftp_command(void)
+{
+    free(ftp_command);
+    ftp_command = NULL;
+}
+
+int
+secure_command(void)
+{
+    return ftp_command != NULL;
+}
+
+enum protection_level
+get_command_prot(void)
+{
+    return command_prot;
+}
+
+#else /* FTP_SERVER */
+
+void
+sec_status(void)
+{
+    if(sec_complete){
+	printf("Using %s for authentication.\n", mech->name);
+	printf("Using %s command channel.\n", level_to_name(command_prot));
+	printf("Using %s data channel.\n", level_to_name(data_prot));
+	if(buffer_size > 0)
+	    printf("Protection buffer size: %lu.\n", 
+		   (unsigned long)buffer_size);
+    }else{
+	printf("Not using any security mechanism.\n");
+    }
+}
+
+static int
+sec_prot_internal(int level)
+{
+    int ret;
+    char *p;
+    unsigned int s = 1048576;
+
+    int old_verbose = verbose;
+    verbose = 0;
+
+    if(!sec_complete){
+	printf("No security data exchange has taken place.\n");
+	return -1;
+    }
+
+    if(level){
+	ret = command("PBSZ %u", s);
+	if(ret != COMPLETE){
+	    printf("Failed to set protection buffer size.\n");
+	    return -1;
+	}
+	buffer_size = s;
+	p = strstr(reply_string, "PBSZ=");
+	if(p)
+	    sscanf(p, "PBSZ=%u", &s);
+	if(s < buffer_size)
+	    buffer_size = s;
+    }
+    verbose = old_verbose;
+    ret = command("PROT %c", level["CSEP"]); /* XXX :-) */
+    if(ret != COMPLETE){
+	printf("Failed to set protection level.\n");
+	return -1;
+    }
+    
+    data_prot = (enum protection_level)level;
+    return 0;
+}
+
+enum protection_level
+set_command_prot(enum protection_level level)
+{
+    enum protection_level old = command_prot;
+    command_prot = level;
+    return old;
+}
+
+void
+sec_prot(int argc, char **argv)
+{
+    int level = -1;
+
+    if(argc < 2 || argc > 3)
+	goto usage;
+    if(!sec_complete) {
+	printf("No security data exchange has taken place.\n");
+	code = -1;
+	return;
+    }
+    level = name_to_level(argv[argc - 1]);
+    
+    if(level == -1)
+	goto usage;
+    
+    if((*mech->check_prot)(app_data, level)) {
+	printf("%s does not implement %s protection.\n", 
+	       mech->name, level_to_name(level));
+	code = -1;
+	return;
+    }
+    
+    if(argc == 2 || strncasecmp(argv[1], "data", strlen(argv[1])) == 0) {
+	if(sec_prot_internal(level) < 0){
+	    code = -1;
+	    return;
+	}
+    } else if(strncasecmp(argv[1], "command", strlen(argv[1])) == 0)
+	set_command_prot(level);
+    else
+	goto usage;
+    code = 0;
+    return;
+ usage:
+    printf("usage: %s [command|data] [clear|safe|confidential|private]\n",
+	   argv[0]);
+    code = -1;
+}
+
+static enum protection_level request_data_prot;
+
+void
+sec_set_protection_level(void)
+{
+    if(sec_complete && data_prot != request_data_prot)
+	sec_prot_internal(request_data_prot);
+}
+
+
+int
+sec_request_prot(char *level)
+{
+    int l = name_to_level(level);
+    if(l == -1)
+	return -1;
+    request_data_prot = (enum protection_level)l;
+    return 0;
+}
+
+int
+sec_login(char *host)
+{
+    int ret;
+    struct sec_client_mech **m;
+    int old_verbose = verbose;
+
+    verbose = -1; /* shut up all messages this will produce (they
+		     are usually not very user friendly) */
+    
+    for(m = mechs; *m && (*m)->name; m++) {
+	void *tmp;
+
+	tmp = realloc(app_data, (*m)->size);
+	if (tmp == NULL) {
+	    warnx ("realloc %u failed", (*m)->size);
+	    return -1;
+	}
+	app_data = tmp;
+	    
+	if((*m)->init && (*(*m)->init)(app_data) != 0) {
+	    printf("Skipping %s...\n", (*m)->name);
+	    continue;
+	}
+	printf("Trying %s...\n", (*m)->name);
+	ret = command("AUTH %s", (*m)->name);
+	if(ret != CONTINUE){
+	    if(code == 504){
+		printf("%s is not supported by the server.\n", (*m)->name);
+	    }else if(code == 534){
+		printf("%s rejected as security mechanism.\n", (*m)->name);
+	    }else if(ret == ERROR) {
+		printf("The server doesn't support the FTP "
+		       "security extensions.\n");
+		verbose = old_verbose;
+		return -1;
+	    }
+	    continue;
+	}
+
+	ret = (*(*m)->auth)(app_data, host);
+	
+	if(ret == AUTH_CONTINUE)
+	    continue;
+	else if(ret != AUTH_OK){
+	    /* mechanism is supposed to output error string */
+	    verbose = old_verbose;
+	    return -1;
+	}
+	mech = *m;
+	sec_complete = 1;
+	command_prot = prot_safe;
+	break;
+    }
+    
+    verbose = old_verbose;
+    return *m == NULL;
+}
+
+void
+sec_end(void)
+{
+    if (mech != NULL) {
+	if(mech->end)
+	    (*mech->end)(app_data);
+	memset(app_data, 0, mech->size);
+	free(app_data);
+	app_data = NULL;
+    }
+    sec_complete = 0;
+    data_prot = (enum protection_level)0;
+}
+
+#endif /* FTP_SERVER */
+
diff --git a/crypto/kerberosIV/appl/ftp/ftp/security.h b/crypto/kerberosIV/appl/ftp/ftp/security.h
new file mode 100644
index 0000000..6fe0694
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftp/security.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: security.h,v 1.7 1999/12/02 16:58:30 joda Exp $ */
+
+#ifndef __security_h__
+#define __security_h__
+
+enum protection_level { 
+    prot_clear, 
+    prot_safe, 
+    prot_confidential, 
+    prot_private 
+};
+
+struct sec_client_mech {
+    char *name;
+    size_t size;
+    int (*init)(void *);
+    int (*auth)(void *, char*);
+    void (*end)(void *);
+    int (*check_prot)(void *, int);
+    int (*overhead)(void *, int, int);
+    int (*encode)(void *, void*, int, int, void**);
+    int (*decode)(void *, void*, int, int);
+};
+
+struct sec_server_mech {
+    char *name;
+    size_t size;
+    int (*init)(void *);
+    void (*end)(void *);
+    int (*check_prot)(void *, int);
+    int (*overhead)(void *, int, int);
+    int (*encode)(void *, void*, int, int, void**);
+    int (*decode)(void *, void*, int, int);
+
+    int (*auth)(void *);
+    int (*adat)(void *, void*, size_t);
+    size_t (*pbsz)(void *, size_t);
+    int (*ccc)(void*);
+    int (*userok)(void*, char*);
+};
+
+#define AUTH_OK		0
+#define AUTH_CONTINUE	1
+#define AUTH_ERROR	2
+
+#ifdef FTP_SERVER
+extern struct sec_server_mech krb4_server_mech, gss_server_mech;
+#else
+extern struct sec_client_mech krb4_client_mech, gss_client_mech;
+#endif
+
+extern int sec_complete;
+
+#ifdef FTP_SERVER
+extern char *ftp_command;
+void new_ftp_command(char*);
+void delete_ftp_command(void);
+#endif
+
+/* ---- */
+
+
+int sec_fflush (FILE *);
+int sec_fprintf (FILE *, const char *, ...);
+int sec_getc (FILE *);
+int sec_putc (int, FILE *);
+int sec_read (int, void *, int);
+int sec_read_msg (char *, int);
+int sec_vfprintf (FILE *, const char *, va_list);
+int sec_fprintf2(FILE *f, const char *fmt, ...);
+int sec_vfprintf2(FILE *, const char *, va_list);
+int sec_write (int, char *, int);
+
+#ifdef FTP_SERVER
+void adat (char *);
+void auth (char *);
+void ccc (void);
+void mec (char *, enum protection_level);
+void pbsz (int);
+void prot (char *);
+void delete_ftp_command (void);
+void new_ftp_command (char *);
+int sec_userok (char *);
+int secure_command (void);
+enum protection_level get_command_prot(void);
+#else
+void sec_end (void);
+int sec_login (char *);
+void sec_prot (int, char **);
+int sec_request_prot (char *);
+void sec_set_protection_level (void);
+void sec_status (void);
+
+enum protection_level set_command_prot(enum protection_level);
+
+#endif
+
+#endif /* __security_h__ */  
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/Makefile.am b/crypto/kerberosIV/appl/ftp/ftpd/Makefile.am
new file mode 100644
index 0000000..282cb3a
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/Makefile.am
@@ -0,0 +1,54 @@
+# $Id: Makefile.am,v 1.20 1999/10/03 16:38:53 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/../common $(INCLUDE_krb4) -DFTP_SERVER
+
+libexec_PROGRAMS = ftpd
+
+CHECK_LOCAL = 
+
+if KRB4
+krb4_sources = krb4.c kauth.c
+endif
+if KRB5
+krb5_sources = gssapi.c gss_userok.c
+endif
+
+ftpd_SOURCES =		\
+	extern.h	\
+	ftpcmd.y	\
+	ftpd.c		\
+	ftpd_locl.h	\
+	logwtmp.c	\
+	ls.c		\
+	pathnames.h	\
+	popen.c		\
+	security.c	\
+	$(krb4_sources) \
+	$(krb5_sources)
+
+EXTRA_ftpd_SOURCES = krb4.c kauth.c gssapi.c gss_userok.c
+
+$(ftpd_OBJECTS): security.h
+
+security.c:
+	@test -f security.c || $(LN_S) $(srcdir)/../ftp/security.c .
+security.h:
+	@test -f security.h || $(LN_S) $(srcdir)/../ftp/security.h .
+krb4.c:
+	@test -f krb4.c || $(LN_S) $(srcdir)/../ftp/krb4.c .
+gssapi.c:
+	@test -f gssapi.c || $(LN_S) $(srcdir)/../ftp/gssapi.c .
+
+CLEANFILES = security.c security.h krb4.c gssapi.c ftpcmd.c
+
+LDADD = ../common/libcommon.a \
+	$(LIB_kafs) \
+	$(LIB_gssapi) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_otp) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_roken) \
+	$(DBLIB)
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/Makefile.in b/crypto/kerberosIV/appl/ftp/ftpd/Makefile.in
new file mode 100644
index 0000000..bc5c12e
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/Makefile.in
@@ -0,0 +1,102 @@
+# 
+# $Id: Makefile.in,v 1.41 1999/10/03 16:39:27 joda Exp $
+#
+
+srcdir		= @srcdir@
+top_srcdir	= @top_srcdir@
+VPATH		= @srcdir@
+
+top_builddir	= ../../..
+
+SHELL		= /bin/sh
+
+CC 	= @CC@
+YACC	= @YACC@
+RANLIB 	= @RANLIB@
+DEFS 	= @DEFS@
+WFLAGS = @WFLAGS@
+CFLAGS 	= @CFLAGS@ $(WFLAGS)
+LD_FLAGS = @LD_FLAGS@
+LIBS	= @LIBS@
+LIB_DBM = @LIB_DBM@
+MKINSTALLDIRS = $(top_srcdir)/mkinstalldirs
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+
+LN_S = @LN_S@
+
+prefix 	= @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+libexecdir = @libexecdir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+ATHENA = ../../..
+
+INCTOP = $(ATHENA)/include
+
+LIBTOP = $(ATHENA)/lib
+
+LIBKAFS = @KRB_KAFS_LIB@
+LIBKRB	= -L$(LIBTOP)/krb -lkrb
+LIBDES	= -L$(LIBTOP)/des -ldes
+LIBOTP  = @LIB_otp@
+LIBROKEN= -L$(LIBTOP)/roken -lroken
+
+PROGS = ftpd$(EXECSUFFIX)
+
+ftpd_SOURCES = ftpd.c ftpcmd.c logwtmp.c ls.c popen.c security.c krb4.c kauth.c
+ftpd_OBJS = ftpd.o ftpcmd.o logwtmp.o ls.o popen.o security.o krb4.o kauth.o
+
+SOURCES = $(ftpd_SOURCES)
+OBJECTS = $(ftpd_OBJS)
+
+all: $(PROGS)
+
+$(ftpd_OBJS): security.h
+
+security.c:
+	$(LN_S) $(srcdir)/../ftp/security.c .
+security.h:
+	$(LN_S) $(srcdir)/../ftp/security.h .
+krb4.c:
+	$(LN_S) $(srcdir)/../ftp/krb4.c .
+gssapi.c:
+	$(LN_S) $(srcdir)/../ftp/gssapi.c .
+
+.c.o:
+	$(CC) -c -DFTP_SERVER -I. -I$(srcdir) -I$(srcdir)/../common -I$(INCTOP) $(DEFS) $(CFLAGS) $(CPPFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libexecdir)
+	for x in $(PROGS); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROGS); do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+ftpd$(EXECSUFFIX): $(ftpd_OBJS)
+	$(CC) $(LD_FLAGS) $(LDFLAGS) -o $@ $(ftpd_OBJS) -L../common -lcommon $(LIBKAFS) $(LIBKRB) $(LIBOTP) $(LIBDES) $(LIBROKEN) $(LIB_DBM) $(LIBS) $(LIBROKEN)
+
+ftpcmd.c: ftpcmd.y
+	$(YACC) $(YFLAGS) $<
+	chmod a-w y.tab.c
+	mv -f y.tab.c ftpcmd.c
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+CLEANFILES = ftpd$(EXECSUFFIX) ftpcmd.c security.c security.h krb4.c gssapi.c
+
+clean cleandir:
+	rm -f *~ *.o core \#* $(CLEANFILES)
+
+distclean: 
+	rm -f Makefile
+
+.PHONY: all install uninstall clean cleandir distclean
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/auth.c b/crypto/kerberosIV/appl/ftp/ftpd/auth.c
new file mode 100644
index 0000000..862eb6d
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/auth.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: auth.c,v 1.11 1997/05/04 23:09:00 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 4
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "extern.h"
+#include "krb4.h"
+#include "auth.h"
+
+static struct at auth_types [] = {
+    { "KERBEROS_V4", krb4_auth, krb4_adat, krb4_pbsz, krb4_prot, krb4_ccc, 
+      krb4_mic, krb4_conf, krb4_enc, krb4_read, krb4_write, krb4_userok, 
+      krb4_vprintf },
+    { 0, 0, 0, 0, 0, 0, 0, 0, 0 }
+};
+
+struct at *ct;
+
+int data_protection;
+int buffer_size;
+unsigned char *data_buffer;
+int auth_complete;
+
+
+char *protection_names[] = {
+    "clear", "safe", 
+    "confidential", "private"
+};
+
+
+void auth_init(void)
+{
+}
+
+char *ftp_command;
+int prot_level;
+
+void new_ftp_command(char *command)
+{
+    ftp_command = command;
+}
+
+void delete_ftp_command(void)
+{
+    if(ftp_command){
+	free(ftp_command);
+	ftp_command = NULL;
+    }
+}
+
+int auth_ok(void)
+{
+    return ct && auth_complete;
+}
+
+void auth(char *auth)
+{
+    for(ct=auth_types; ct->name; ct++){
+	if(!strcasecmp(auth, ct->name)){
+	    ct->auth(auth);
+	    return;
+	}
+    }
+    reply(504, "%s is not a known security mechanism", auth);
+}
+
+void adat(char *auth)
+{
+    if(ct && !auth_complete)
+	ct->adat(auth);
+    else
+	reply(503, "You must (re)issue an AUTH first.");
+}
+
+void pbsz(int size)
+{
+    int old = buffer_size;
+    if(auth_ok())
+	ct->pbsz(size);
+    else
+	reply(503, "Incomplete security data exchange.");
+    if(buffer_size != old){
+	if(data_buffer)
+	    free(data_buffer);
+	data_buffer = malloc(buffer_size + 4);
+    }
+}
+
+void prot(char *pl)
+{
+    int p = -1;
+
+    if(buffer_size == 0){
+	reply(503, "No protection buffer size negotiated.");
+	return;
+    }
+
+    if(!strcasecmp(pl, "C"))
+	p = prot_clear;
+    
+    if(!strcasecmp(pl, "S"))
+	p = prot_safe;
+    
+    if(!strcasecmp(pl, "E"))
+	p = prot_confidential;
+    
+    if(!strcasecmp(pl, "P"))
+	p = prot_private;
+    
+    if(p == -1){
+	reply(504, "Unrecognized protection level.");
+	return;
+    }
+    
+    if(auth_ok()){
+	if(ct->prot(p)){
+	    reply(536, "%s does not support %s protection.", 
+		  ct->name, protection_names[p]);
+	}else{
+	    data_protection = p;
+	    reply(200, "Data protection is %s.", 
+		  protection_names[data_protection]);
+	}
+    }else{
+	reply(503, "Incomplete security data exchange.");
+    }
+}
+
+void ccc(void)
+{
+    if(auth_ok()){
+	if(!ct->ccc())
+	    prot_level = prot_clear;
+    }else
+	reply(503, "Incomplete security data exchange.");
+}
+
+void mic(char *msg)
+{
+    if(auth_ok()){
+	if(!ct->mic(msg))
+	    prot_level = prot_safe;
+    }else
+	reply(503, "Incomplete security data exchange.");
+}
+
+void conf(char *msg)
+{
+    if(auth_ok()){
+	if(!ct->conf(msg))
+	    prot_level = prot_confidential;
+    }else
+	reply(503, "Incomplete security data exchange.");
+}
+
+void enc(char *msg)
+{
+    if(auth_ok()){
+	if(!ct->enc(msg))
+	    prot_level = prot_private;
+    }else
+	reply(503, "Incomplete security data exchange.");
+}
+
+int auth_read(int fd, void *data, int length)
+{
+    if(auth_ok() && data_protection)
+	return ct->read(fd, data, length);
+    else
+	return read(fd, data, length);
+}
+
+int auth_write(int fd, void *data, int length)
+{
+    if(auth_ok() && data_protection)
+	return ct->write(fd, data, length);
+    else
+	return write(fd, data, length);
+}
+
+void auth_vprintf(const char *fmt, va_list ap)
+{
+    if(auth_ok() && prot_level){
+	ct->vprintf(fmt, ap);
+    }else
+	vprintf(fmt, ap);
+}
+
+void auth_printf(const char *fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    auth_vprintf(fmt, ap);
+    va_end(ap);
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/auth.h b/crypto/kerberosIV/appl/ftp/ftpd/auth.h
new file mode 100644
index 0000000..17d9a13
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/auth.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: auth.h,v 1.9 1997/05/11 11:04:28 assar Exp $ */
+
+#ifndef __AUTH_H__
+#define __AUTH_H__
+
+#include <stdarg.h>
+
+struct at {
+  char *name;
+  int (*auth)(char*);
+  int (*adat)(char*);
+  int (*pbsz)(int);
+  int (*prot)(int);
+  int (*ccc)(void);
+  int (*mic)(char*);
+  int (*conf)(char*);
+  int (*enc)(char*);
+  int (*read)(int, void*, int);
+  int (*write)(int, void*, int);
+  int (*userok)(char*);
+  int (*vprintf)(const char*, va_list);
+};
+
+extern struct at *ct;
+
+enum protection_levels {
+  prot_clear, prot_safe, prot_confidential, prot_private
+};
+
+extern char *protection_names[];
+
+extern char *ftp_command;
+extern int prot_level;
+
+void delete_ftp_command(void);
+
+extern int data_protection;
+extern int buffer_size;
+extern unsigned char *data_buffer;
+extern int auth_complete;
+
+void auth_init(void);
+
+int auth_ok(void);
+
+void auth(char*);
+void adat(char*);
+void pbsz(int);
+void prot(char*);
+void ccc(void);
+void mic(char*);
+void conf(char*);
+void enc(char*);
+
+int auth_read(int, void*, int);
+int auth_write(int, void*, int);
+
+void auth_vprintf(const char *fmt, va_list ap)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 0)))
+#endif
+;
+void auth_printf(const char *fmt, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
+
+void new_ftp_command(char *command);
+
+#endif /* __AUTH_H__ */
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/extern.h b/crypto/kerberosIV/appl/ftp/ftpd/extern.h
new file mode 100644
index 0000000..2e1e0d0
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/extern.h
@@ -0,0 +1,160 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)extern.h	8.2 (Berkeley) 4/4/94
+ */
+
+#ifndef _EXTERN_H_
+#define _EXTERN_H_
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <setjmp.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+
+#ifndef NBBY
+#define NBBY CHAR_BIT
+#endif
+
+void	abor(void);
+void	blkfree(char **);
+char  **copyblk(char **);
+void	cwd(char *);
+void	do_delete(char *);
+void	dologout(int);
+void	eprt(char *);
+void	epsv(char *);
+void	fatal(char *);
+int	filename_check(char *);
+int	ftpd_pclose(FILE *);
+FILE   *ftpd_popen(char *, char *, int, int);
+char   *ftpd_getline(char *, int);
+void	ftpd_logwtmp(char *, char *, char *);
+void	lreply(int, const char *, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 2, 3)))
+#endif
+;
+void	makedir(char *);
+void	nack(char *);
+void	nreply(const char *, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
+void	pass(char *);
+void	pasv(void);
+void	perror_reply(int, const char *);
+void	pwd(void);
+void	removedir(char *);
+void	renamecmd(char *, char *);
+char   *renamefrom(char *);
+void	reply(int, const char *, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 2, 3)))
+#endif
+;
+void	retrieve(const char *, char *);
+void	send_file_list(char *);
+void	setproctitle(const char *, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
+void	statcmd(void);
+void	statfilecmd(char *);
+void	do_store(char *, char *, int);
+void	upper(char *);
+void	user(char *);
+void	yyerror(char *);
+
+void	list_file(char*);
+
+void	kauth(char *, char*);
+void	klist(void);
+void	cond_kdestroy(void);
+void	kdestroy(void);
+void	krbtkfile(const char *tkfile);
+void	afslog(const char *cell);
+void	afsunlog(void);
+
+int	find(char *);
+
+void	builtin_ls(FILE*, const char*);
+
+int	do_login(int code, char *passwd);
+int	klogin(char *name, char *password);
+
+const char *ftp_rooted(const char *path);
+
+extern struct sockaddr *ctrl_addr, *his_addr;
+extern char hostname[];
+
+extern	struct sockaddr *data_dest;
+extern	int logged_in;
+extern	struct passwd *pw;
+extern	int guest;
+extern	int logging;
+extern	int type;
+extern	int oobflag;
+extern off_t file_size;
+extern off_t byte_count;
+extern jmp_buf urgcatch;
+
+extern	int form;
+extern	int debug;
+extern	int ftpd_timeout;
+extern	int maxtimeout;
+extern  int pdata;
+extern	char hostname[], remotehost[];
+extern	char proctitle[];
+extern	int usedefault;
+extern  int transflag;
+extern  char tmpline[];
+
+#endif /* _EXTERN_H_ */
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/ftpcmd.y b/crypto/kerberosIV/appl/ftp/ftpd/ftpcmd.y
new file mode 100644
index 0000000..c482029
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/ftpcmd.y
@@ -0,0 +1,1457 @@
+/*	$NetBSD: ftpcmd.y,v 1.6 1995/06/03 22:46:45 mycroft Exp $	*/
+
+/*
+ * Copyright (c) 1985, 1988, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ftpcmd.y	8.3 (Berkeley) 4/6/94
+ */
+
+/*
+ * Grammar for FTP commands.
+ * See RFC 959.
+ */
+
+%{
+
+#include "ftpd_locl.h"
+RCSID("$Id: ftpcmd.y,v 1.56.2.2 2000/06/23 02:48:19 assar Exp $");
+
+off_t	restart_point;
+
+static	int cmd_type;
+static	int cmd_form;
+static	int cmd_bytesz;
+char	cbuf[2048];
+char	*fromname;
+
+struct tab {
+	char	*name;
+	short	token;
+	short	state;
+	short	implemented;	/* 1 if command is implemented */
+	char	*help;
+};
+
+extern struct tab cmdtab[];
+extern struct tab sitetab[];
+
+static char		*copy (char *);
+static void		 help (struct tab *, char *);
+static struct tab *
+			 lookup (struct tab *, char *);
+static void		 sizecmd (char *);
+static RETSIGTYPE	 toolong (int);
+static int		 yylex (void);
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+%}
+
+%union {
+	int	i;
+	char   *s;
+}
+
+%token
+	A	B	C	E	F	I
+	L	N	P	R	S	T
+
+	SP	CRLF	COMMA
+
+	USER	PASS	ACCT	REIN	QUIT	PORT
+	PASV	TYPE	STRU	MODE	RETR	STOR
+	APPE	MLFL	MAIL	MSND	MSOM	MSAM
+	MRSQ	MRCP	ALLO	REST	RNFR	RNTO
+	ABOR	DELE	CWD	LIST	NLST	SITE
+	sTAT	HELP	NOOP	MKD	RMD	PWD
+	CDUP	STOU	SMNT	SYST	SIZE	MDTM
+	EPRT	EPSV
+
+	UMASK	IDLE	CHMOD
+
+	AUTH	ADAT	PROT	PBSZ	CCC	MIC
+	CONF	ENC
+
+	KAUTH	KLIST	KDESTROY KRBTKFILE AFSLOG
+	LOCATE	URL
+
+	FEAT	OPTS
+
+	LEXERR
+
+%token	<s> STRING
+%token	<i> NUMBER
+
+%type	<i> check_login check_login_no_guest check_secure octal_number byte_size
+%type	<i> struct_code mode_code type_code form_code
+%type	<s> pathstring pathname password username
+
+%start	cmd_list
+
+%%
+
+cmd_list
+	: /* empty */
+	| cmd_list cmd
+		{
+			fromname = (char *) 0;
+			restart_point = (off_t) 0;
+		}
+	| cmd_list rcmd
+	;
+
+cmd
+	: USER SP username CRLF
+		{
+			user($3);
+			free($3);
+		}
+	| PASS SP password CRLF
+		{
+			pass($3);
+			memset ($3, 0, strlen($3));
+			free($3);
+		}
+	| PORT SP host_port CRLF
+		{
+			usedefault = 0;
+			if (pdata >= 0) {
+				close(pdata);
+				pdata = -1;
+			}
+			reply(200, "PORT command successful.");
+		}
+	| EPRT SP STRING CRLF
+		{
+			eprt ($3);
+			free ($3);
+		}
+	| PASV CRLF
+		{
+			pasv ();
+		}
+	| EPSV CRLF
+		{
+			epsv (NULL);
+		}
+	| EPSV SP STRING CRLF
+		{
+			epsv ($3);
+			free ($3);
+		}
+	| TYPE SP type_code CRLF
+		{
+			switch (cmd_type) {
+
+			case TYPE_A:
+				if (cmd_form == FORM_N) {
+					reply(200, "Type set to A.");
+					type = cmd_type;
+					form = cmd_form;
+				} else
+					reply(504, "Form must be N.");
+				break;
+
+			case TYPE_E:
+				reply(504, "Type E not implemented.");
+				break;
+
+			case TYPE_I:
+				reply(200, "Type set to I.");
+				type = cmd_type;
+				break;
+
+			case TYPE_L:
+#if NBBY == 8
+				if (cmd_bytesz == 8) {
+					reply(200,
+					    "Type set to L (byte size 8).");
+					type = cmd_type;
+				} else
+					reply(504, "Byte size must be 8.");
+#else /* NBBY == 8 */
+				UNIMPLEMENTED for NBBY != 8
+#endif /* NBBY == 8 */
+			}
+		}
+	| STRU SP struct_code CRLF
+		{
+			switch ($3) {
+
+			case STRU_F:
+				reply(200, "STRU F ok.");
+				break;
+
+			default:
+				reply(504, "Unimplemented STRU type.");
+			}
+		}
+	| MODE SP mode_code CRLF
+		{
+			switch ($3) {
+
+			case MODE_S:
+				reply(200, "MODE S ok.");
+				break;
+
+			default:
+				reply(502, "Unimplemented MODE type.");
+			}
+		}
+	| ALLO SP NUMBER CRLF
+		{
+			reply(202, "ALLO command ignored.");
+		}
+	| ALLO SP NUMBER SP R SP NUMBER CRLF
+		{
+			reply(202, "ALLO command ignored.");
+		}
+	| RETR SP pathname CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				retrieve(0, name);
+			if (name != NULL)
+				free(name);
+		}
+	| STOR SP pathname CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				do_store(name, "w", 0);
+			if (name != NULL)
+				free(name);
+		}
+	| APPE SP pathname CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				do_store(name, "a", 0);
+			if (name != NULL)
+				free(name);
+		}
+	| NLST CRLF check_login
+		{
+			if ($3)
+				send_file_list(".");
+		}
+	| NLST SP STRING CRLF check_login
+		{
+			char *name = $3;
+
+			if ($5 && name != NULL)
+				send_file_list(name);
+			if (name != NULL)
+				free(name);
+		}
+	| LIST CRLF check_login
+		{
+		    if($3)
+			list_file(".");
+		}
+	| LIST SP pathname CRLF check_login
+		{
+		    if($5)
+			list_file($3);
+		    free($3);
+		}
+	| sTAT SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				statfilecmd($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| sTAT CRLF
+		{
+		    if(oobflag){
+			if (file_size != (off_t) -1)
+			    reply(213, "Status: %lu of %lu bytes transferred",
+				  (unsigned long)byte_count, 
+				  (unsigned long)file_size);
+			else
+			    reply(213, "Status: %lu bytes transferred", 
+				  (unsigned long)byte_count);
+		    }else
+			statcmd();
+	}
+	| DELE SP pathname CRLF check_login_no_guest
+		{
+			if ($5 && $3 != NULL)
+				do_delete($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| RNTO SP pathname CRLF check_login_no_guest
+		{
+			if($5){
+				if (fromname) {
+					renamecmd(fromname, $3);
+					free(fromname);
+					fromname = (char *) 0;
+				} else {
+					reply(503, "Bad sequence of commands.");
+				}
+			}
+			if ($3 != NULL)
+				free($3);
+		}
+	| ABOR CRLF
+		{
+			if(oobflag){
+				reply(426, "Transfer aborted. Data connection closed.");
+				reply(226, "Abort successful");
+				oobflag = 0;
+				longjmp(urgcatch, 1);
+			}else
+				reply(225, "ABOR command successful.");
+		}
+	| CWD CRLF check_login
+		{
+			if ($3)
+				cwd(pw->pw_dir);
+		}
+	| CWD SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				cwd($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| HELP CRLF
+		{
+			help(cmdtab, (char *) 0);
+		}
+	| HELP SP STRING CRLF
+		{
+			char *cp = $3;
+
+			if (strncasecmp(cp, "SITE", 4) == 0) {
+				cp = $3 + 4;
+				if (*cp == ' ')
+					cp++;
+				if (*cp)
+					help(sitetab, cp);
+				else
+					help(sitetab, (char *) 0);
+			} else
+				help(cmdtab, $3);
+		}
+	| NOOP CRLF
+		{
+			reply(200, "NOOP command successful.");
+		}
+	| MKD SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				makedir($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| RMD SP pathname CRLF check_login_no_guest
+		{
+			if ($5 && $3 != NULL)
+				removedir($3);
+			if ($3 != NULL)
+				free($3);
+		}
+	| PWD CRLF check_login
+		{
+			if ($3)
+				pwd();
+		}
+	| CDUP CRLF check_login
+		{
+			if ($3)
+				cwd("..");
+		}
+	| FEAT CRLF
+		{
+			lreply(211, "Supported features:");
+			lreply(0, " MDTM");
+			lreply(0, " REST STREAM");
+			lreply(0, " SIZE");
+			reply(211, "End");
+		}
+	| OPTS SP STRING CRLF
+		{
+			free ($3);
+			reply(501, "Bad options");
+		}
+
+	| SITE SP HELP CRLF
+		{
+			help(sitetab, (char *) 0);
+		}
+	| SITE SP HELP SP STRING CRLF
+		{
+			help(sitetab, $5);
+		}
+	| SITE SP UMASK CRLF check_login
+		{
+			if ($5) {
+				int oldmask = umask(0);
+				umask(oldmask);
+				reply(200, "Current UMASK is %03o", oldmask);
+			}
+		}
+	| SITE SP UMASK SP octal_number CRLF check_login_no_guest
+		{
+			if ($7) {
+				if (($5 == -1) || ($5 > 0777)) {
+					reply(501, "Bad UMASK value");
+				} else {
+					int oldmask = umask($5);
+					reply(200,
+					      "UMASK set to %03o (was %03o)",
+					      $5, oldmask);
+				}
+			}
+		}
+	| SITE SP CHMOD SP octal_number SP pathname CRLF check_login_no_guest
+		{
+			if ($9 && $7 != NULL) {
+				if ($5 > 0777)
+					reply(501,
+				"CHMOD: Mode value must be between 0 and 0777");
+				else if (chmod($7, $5) < 0)
+					perror_reply(550, $7);
+				else
+					reply(200, "CHMOD command successful.");
+			}
+			if ($7 != NULL)
+				free($7);
+		}
+	| SITE SP IDLE CRLF
+		{
+			reply(200,
+			    "Current IDLE time limit is %d seconds; max %d",
+				ftpd_timeout, maxtimeout);
+		}
+	| SITE SP IDLE SP NUMBER CRLF
+		{
+			if ($5 < 30 || $5 > maxtimeout) {
+				reply(501,
+			"Maximum IDLE time must be between 30 and %d seconds",
+				    maxtimeout);
+			} else {
+				ftpd_timeout = $5;
+				alarm((unsigned) ftpd_timeout);
+				reply(200,
+				    "Maximum IDLE time set to %d seconds",
+				    ftpd_timeout);
+			}
+		}
+
+	| SITE SP KAUTH SP STRING CRLF check_login
+		{
+#ifdef KRB4
+			char *p;
+			
+			if(guest)
+				reply(500, "Can't be done as guest.");
+			else{
+				if($7 && $5 != NULL){
+				    p = strpbrk($5, " \t");
+				    if(p){
+					*p++ = 0;
+					kauth($5, p + strspn(p, " \t"));
+				    }else
+					kauth($5, NULL);
+				}
+			}
+			if($5 != NULL)
+			    free($5);
+#else
+			reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP KLIST CRLF check_login
+		{
+#ifdef KRB4
+		    if($5)
+			klist();
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP KDESTROY CRLF check_login
+		{
+#ifdef KRB4
+		    if($5)
+			kdestroy();
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP KRBTKFILE SP STRING CRLF check_login
+		{
+#ifdef KRB4
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if($7 && $5)
+			krbtkfile($5);
+		    if($5)
+			free($5);
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP AFSLOG CRLF check_login
+		{
+#ifdef KRB4
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if($5)
+			afslog(NULL);
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP AFSLOG SP STRING CRLF check_login
+		{
+#ifdef KRB4
+		    if(guest)
+			reply(500, "Can't be done as guest.");
+		    else if($7)
+			afslog($5);
+		    if($5)
+			free($5);
+#else
+		    reply(500, "Command not implemented.");
+#endif
+		}
+	| SITE SP LOCATE SP STRING CRLF check_login
+		{
+		    if($7 && $5 != NULL)
+			find($5);
+		    if($5 != NULL)
+			free($5);
+		}
+	| SITE SP URL CRLF
+		{
+			reply(200, "http://www.pdc.kth.se/kth-krb/");
+		}
+	| STOU SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				do_store($3, "w", 1);
+			if ($3 != NULL)
+				free($3);
+		}
+	| SYST CRLF
+		{
+#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
+		    reply(215, "UNIX Type: L%d", NBBY);
+#else
+		    reply(215, "UNKNOWN Type: L%d", NBBY);
+#endif
+		}
+
+		/*
+		 * SIZE is not in RFC959, but Postel has blessed it and
+		 * it will be in the updated RFC.
+		 *
+		 * Return size of file in a format suitable for
+		 * using with RESTART (we just count bytes).
+		 */
+	| SIZE SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL)
+				sizecmd($3);
+			if ($3 != NULL)
+				free($3);
+		}
+
+		/*
+		 * MDTM is not in RFC959, but Postel has blessed it and
+		 * it will be in the updated RFC.
+		 *
+		 * Return modification time of file as an ISO 3307
+		 * style time. E.g. YYYYMMDDHHMMSS or YYYYMMDDHHMMSS.xxx
+		 * where xxx is the fractional second (of any precision,
+		 * not necessarily 3 digits)
+		 */
+	| MDTM SP pathname CRLF check_login
+		{
+			if ($5 && $3 != NULL) {
+				struct stat stbuf;
+				if (stat($3, &stbuf) < 0)
+					reply(550, "%s: %s",
+					    $3, strerror(errno));
+				else if (!S_ISREG(stbuf.st_mode)) {
+					reply(550,
+					      "%s: not a plain file.", $3);
+				} else {
+					struct tm *t;
+					time_t mtime = stbuf.st_mtime;
+
+					t = gmtime(&mtime);
+					reply(213,
+					      "%04d%02d%02d%02d%02d%02d",
+					      t->tm_year + 1900,
+					      t->tm_mon + 1,
+					      t->tm_mday,
+					      t->tm_hour,
+					      t->tm_min,
+					      t->tm_sec);
+				}
+			}
+			if ($3 != NULL)
+				free($3);
+		}
+	| QUIT CRLF
+		{
+			reply(221, "Goodbye.");
+			dologout(0);
+		}
+	| error CRLF
+		{
+			yyerrok;
+		}
+	;
+rcmd
+	: RNFR SP pathname CRLF check_login_no_guest
+		{
+			restart_point = (off_t) 0;
+			if ($5 && $3) {
+				fromname = renamefrom($3);
+				if (fromname == (char *) 0 && $3) {
+					free($3);
+				}
+			}
+		}
+	| REST SP byte_size CRLF
+		{
+			fromname = (char *) 0;
+			restart_point = $3;	/* XXX $3 is only "int" */
+			reply(350, "Restarting at %ld. %s",
+			      (long)restart_point,
+			      "Send STORE or RETRIEVE to initiate transfer.");
+		}
+	| AUTH SP STRING CRLF
+		{
+			auth($3);
+			free($3);
+		}
+	| ADAT SP STRING CRLF
+		{
+			adat($3);
+			free($3);
+		}
+	| PBSZ SP NUMBER CRLF
+		{
+			pbsz($3);
+		}
+	| PROT SP STRING CRLF
+		{
+			prot($3);
+		}
+	| CCC CRLF
+		{
+			ccc();
+		}
+	| MIC SP STRING CRLF
+		{
+			mec($3, prot_safe);
+			free($3);
+		}
+	| CONF SP STRING CRLF
+		{
+			mec($3, prot_confidential);
+			free($3);
+		}
+	| ENC SP STRING CRLF
+		{
+			mec($3, prot_private);
+			free($3);
+		}
+	;
+
+username
+	: STRING
+	;
+
+password
+	: /* empty */
+		{
+			$$ = (char *)calloc(1, sizeof(char));
+		}
+	| STRING
+	;
+
+byte_size
+	: NUMBER
+	;
+
+host_port
+	: NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER COMMA
+		NUMBER COMMA NUMBER
+		{
+			struct sockaddr_in *sin = (struct sockaddr_in *)data_dest;
+
+			sin->sin_family = AF_INET;
+			sin->sin_port = htons($9 * 256 + $11);
+			sin->sin_addr.s_addr = 
+			    htonl(($1 << 24) | ($3 << 16) | ($5 << 8) | $7);
+		}
+	;
+
+form_code
+	: N
+		{
+			$$ = FORM_N;
+		}
+	| T
+		{
+			$$ = FORM_T;
+		}
+	| C
+		{
+			$$ = FORM_C;
+		}
+	;
+
+type_code
+	: A
+		{
+			cmd_type = TYPE_A;
+			cmd_form = FORM_N;
+		}
+	| A SP form_code
+		{
+			cmd_type = TYPE_A;
+			cmd_form = $3;
+		}
+	| E
+		{
+			cmd_type = TYPE_E;
+			cmd_form = FORM_N;
+		}
+	| E SP form_code
+		{
+			cmd_type = TYPE_E;
+			cmd_form = $3;
+		}
+	| I
+		{
+			cmd_type = TYPE_I;
+		}
+	| L
+		{
+			cmd_type = TYPE_L;
+			cmd_bytesz = NBBY;
+		}
+	| L SP byte_size
+		{
+			cmd_type = TYPE_L;
+			cmd_bytesz = $3;
+		}
+		/* this is for a bug in the BBN ftp */
+	| L byte_size
+		{
+			cmd_type = TYPE_L;
+			cmd_bytesz = $2;
+		}
+	;
+
+struct_code
+	: F
+		{
+			$$ = STRU_F;
+		}
+	| R
+		{
+			$$ = STRU_R;
+		}
+	| P
+		{
+			$$ = STRU_P;
+		}
+	;
+
+mode_code
+	: S
+		{
+			$$ = MODE_S;
+		}
+	| B
+		{
+			$$ = MODE_B;
+		}
+	| C
+		{
+			$$ = MODE_C;
+		}
+	;
+
+pathname
+	: pathstring
+		{
+			/*
+			 * Problem: this production is used for all pathname
+			 * processing, but only gives a 550 error reply.
+			 * This is a valid reply in some cases but not in others.
+			 */
+			if (logged_in && $1 && *$1 == '~') {
+				glob_t gl;
+				int flags =
+				 GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+
+				memset(&gl, 0, sizeof(gl));
+				if (glob($1, flags, NULL, &gl) ||
+				    gl.gl_pathc == 0) {
+					reply(550, "not found");
+					$$ = NULL;
+				} else {
+					$$ = strdup(gl.gl_pathv[0]);
+				}
+				globfree(&gl);
+				free($1);
+			} else
+				$$ = $1;
+		}
+	;
+
+pathstring
+	: STRING
+	;
+
+octal_number
+	: NUMBER
+		{
+			int ret, dec, multby, digit;
+
+			/*
+			 * Convert a number that was read as decimal number
+			 * to what it would be if it had been read as octal.
+			 */
+			dec = $1;
+			multby = 1;
+			ret = 0;
+			while (dec) {
+				digit = dec%10;
+				if (digit > 7) {
+					ret = -1;
+					break;
+				}
+				ret += digit * multby;
+				multby *= 8;
+				dec /= 10;
+			}
+			$$ = ret;
+		}
+	;
+
+
+check_login_no_guest : check_login
+		{
+			$$ = $1 && !guest;
+			if($1 && !$$)
+				reply(550, "Permission denied");
+		}
+	;
+
+check_login : check_secure
+		{
+		    if($1) {
+			if(($$ = logged_in) == 0)
+			    reply(530, "Please login with USER and PASS.");
+		    } else
+			$$ = 0;
+		}
+	;
+
+check_secure : /* empty */
+		{
+		    $$ = 1;
+		    if(sec_complete && !secure_command()) {
+			$$ = 0;
+			reply(533, "Command protection level denied "
+			      "for paranoid reasons.");
+		    }
+		}
+	;
+
+%%
+
+extern jmp_buf errcatch;
+
+#define	CMD	0	/* beginning of command */
+#define	ARGS	1	/* expect miscellaneous arguments */
+#define	STR1	2	/* expect SP followed by STRING */
+#define	STR2	3	/* expect STRING */
+#define	OSTR	4	/* optional SP then STRING */
+#define	ZSTR1	5	/* SP then optional STRING */
+#define	ZSTR2	6	/* optional STRING after SP */
+#define	SITECMD	7	/* SITE command */
+#define	NSTR	8	/* Number followed by a string */
+
+struct tab cmdtab[] = {		/* In order defined in RFC 765 */
+	{ "USER", USER, STR1, 1,	"<sp> username" },
+	{ "PASS", PASS, ZSTR1, 1,	"<sp> password" },
+	{ "ACCT", ACCT, STR1, 0,	"(specify account)" },
+	{ "SMNT", SMNT, ARGS, 0,	"(structure mount)" },
+	{ "REIN", REIN, ARGS, 0,	"(reinitialize server state)" },
+	{ "QUIT", QUIT, ARGS, 1,	"(terminate service)", },
+	{ "PORT", PORT, ARGS, 1,	"<sp> b0, b1, b2, b3, b4" },
+	{ "EPRT", EPRT, STR1, 1,	"<sp> string" },
+	{ "PASV", PASV, ARGS, 1,	"(set server in passive mode)" },
+	{ "EPSV", EPSV, OSTR, 1,	"[<sp> foo]" },
+	{ "TYPE", TYPE, ARGS, 1,	"<sp> [ A | E | I | L ]" },
+	{ "STRU", STRU, ARGS, 1,	"(specify file structure)" },
+	{ "MODE", MODE, ARGS, 1,	"(specify transfer mode)" },
+	{ "RETR", RETR, STR1, 1,	"<sp> file-name" },
+	{ "STOR", STOR, STR1, 1,	"<sp> file-name" },
+	{ "APPE", APPE, STR1, 1,	"<sp> file-name" },
+	{ "MLFL", MLFL, OSTR, 0,	"(mail file)" },
+	{ "MAIL", MAIL, OSTR, 0,	"(mail to user)" },
+	{ "MSND", MSND, OSTR, 0,	"(mail send to terminal)" },
+	{ "MSOM", MSOM, OSTR, 0,	"(mail send to terminal or mailbox)" },
+	{ "MSAM", MSAM, OSTR, 0,	"(mail send to terminal and mailbox)" },
+	{ "MRSQ", MRSQ, OSTR, 0,	"(mail recipient scheme question)" },
+	{ "MRCP", MRCP, STR1, 0,	"(mail recipient)" },
+	{ "ALLO", ALLO, ARGS, 1,	"allocate storage (vacuously)" },
+	{ "REST", REST, ARGS, 1,	"<sp> offset (restart command)" },
+	{ "RNFR", RNFR, STR1, 1,	"<sp> file-name" },
+	{ "RNTO", RNTO, STR1, 1,	"<sp> file-name" },
+	{ "ABOR", ABOR, ARGS, 1,	"(abort operation)" },
+	{ "DELE", DELE, STR1, 1,	"<sp> file-name" },
+	{ "CWD",  CWD,  OSTR, 1,	"[ <sp> directory-name ]" },
+	{ "XCWD", CWD,	OSTR, 1,	"[ <sp> directory-name ]" },
+	{ "LIST", LIST, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "NLST", NLST, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "SITE", SITE, SITECMD, 1,	"site-cmd [ <sp> arguments ]" },
+	{ "SYST", SYST, ARGS, 1,	"(get type of operating system)" },
+	{ "STAT", sTAT, OSTR, 1,	"[ <sp> path-name ]" },
+	{ "HELP", HELP, OSTR, 1,	"[ <sp> <string> ]" },
+	{ "NOOP", NOOP, ARGS, 1,	"" },
+	{ "MKD",  MKD,  STR1, 1,	"<sp> path-name" },
+	{ "XMKD", MKD,  STR1, 1,	"<sp> path-name" },
+	{ "RMD",  RMD,  STR1, 1,	"<sp> path-name" },
+	{ "XRMD", RMD,  STR1, 1,	"<sp> path-name" },
+	{ "PWD",  PWD,  ARGS, 1,	"(return current directory)" },
+	{ "XPWD", PWD,  ARGS, 1,	"(return current directory)" },
+	{ "CDUP", CDUP, ARGS, 1,	"(change to parent directory)" },
+	{ "XCUP", CDUP, ARGS, 1,	"(change to parent directory)" },
+	{ "STOU", STOU, STR1, 1,	"<sp> file-name" },
+	{ "SIZE", SIZE, OSTR, 1,	"<sp> path-name" },
+	{ "MDTM", MDTM, OSTR, 1,	"<sp> path-name" },
+
+	/* extensions from RFC2228 */
+	{ "AUTH", AUTH,	STR1, 1,	"<sp> auth-type" },
+	{ "ADAT", ADAT,	STR1, 1,	"<sp> auth-data" },
+	{ "PBSZ", PBSZ,	ARGS, 1,	"<sp> buffer-size" },
+	{ "PROT", PROT,	STR1, 1,	"<sp> prot-level" },
+	{ "CCC",  CCC,	ARGS, 1,	"" },
+	{ "MIC",  MIC,	STR1, 1,	"<sp> integrity command" },
+	{ "CONF", CONF,	STR1, 1,	"<sp> confidentiality command" },
+	{ "ENC",  ENC,	STR1, 1,	"<sp> privacy command" },
+
+	/* RFC2389 */
+	{ "FEAT", FEAT, ARGS, 1,	"" },
+	{ "OPTS", OPTS, ARGS, 1,	"<sp> command [<sp> options]" },
+
+	{ NULL,   0,    0,    0,	0 }
+};
+
+struct tab sitetab[] = {
+	{ "UMASK", UMASK, ARGS, 1,	"[ <sp> umask ]" },
+	{ "IDLE", IDLE, ARGS, 1,	"[ <sp> maximum-idle-time ]" },
+	{ "CHMOD", CHMOD, NSTR, 1,	"<sp> mode <sp> file-name" },
+	{ "HELP", HELP, OSTR, 1,	"[ <sp> <string> ]" },
+
+	{ "KAUTH", KAUTH, STR1, 1,	"<sp> principal [ <sp> ticket ]" },
+	{ "KLIST", KLIST, ARGS, 1,	"(show ticket file)" },
+	{ "KDESTROY", KDESTROY, ARGS, 1, "(destroy tickets)" },
+	{ "KRBTKFILE", KRBTKFILE, STR1, 1, "<sp> ticket-file" },
+	{ "AFSLOG", AFSLOG, OSTR, 1,	"[<sp> cell]" },
+
+	{ "LOCATE", LOCATE, STR1, 1,	"<sp> globexpr" },
+	{ "FIND", LOCATE, STR1, 1,	"<sp> globexpr" },
+
+	{ "URL",  URL,  ARGS, 1,	"?" },
+	
+	{ NULL,   0,    0,    0,	0 }
+};
+
+static struct tab *
+lookup(struct tab *p, char *cmd)
+{
+
+	for (; p->name != NULL; p++)
+		if (strcmp(cmd, p->name) == 0)
+			return (p);
+	return (0);
+}
+
+/*
+ * ftpd_getline - a hacked up version of fgets to ignore TELNET escape codes.
+ */
+char *
+ftpd_getline(char *s, int n)
+{
+	int c;
+	char *cs;
+
+	cs = s;
+/* tmpline may contain saved command from urgent mode interruption */
+	if(ftp_command){
+	  strlcpy(s, ftp_command, n);
+	  if (debug)
+	    syslog(LOG_DEBUG, "command: %s", s);
+#ifdef XXX
+	  fprintf(stderr, "%s\n", s);
+#endif
+	  return s;
+	}
+	while ((c = getc(stdin)) != EOF) {
+		c &= 0377;
+		if (c == IAC) {
+		    if ((c = getc(stdin)) != EOF) {
+			c &= 0377;
+			switch (c) {
+			case WILL:
+			case WONT:
+				c = getc(stdin);
+				printf("%c%c%c", IAC, DONT, 0377&c);
+				fflush(stdout);
+				continue;
+			case DO:
+			case DONT:
+				c = getc(stdin);
+				printf("%c%c%c", IAC, WONT, 0377&c);
+				fflush(stdout);
+				continue;
+			case IAC:
+				break;
+			default:
+				continue;	/* ignore command */
+			}
+		    }
+		}
+		*cs++ = c;
+		if (--n <= 0 || c == '\n')
+			break;
+	}
+	if (c == EOF && cs == s)
+		return (NULL);
+	*cs++ = '\0';
+	if (debug) {
+		if (!guest && strncasecmp("pass ", s, 5) == 0) {
+			/* Don't syslog passwords */
+			syslog(LOG_DEBUG, "command: %.5s ???", s);
+		} else {
+			char *cp;
+			int len;
+
+			/* Don't syslog trailing CR-LF */
+			len = strlen(s);
+			cp = s + len - 1;
+			while (cp >= s && (*cp == '\n' || *cp == '\r')) {
+				--cp;
+				--len;
+			}
+			syslog(LOG_DEBUG, "command: %.*s", len, s);
+		}
+	}
+#ifdef XXX
+	fprintf(stderr, "%s\n", s);
+#endif
+	return (s);
+}
+
+static RETSIGTYPE
+toolong(int signo)
+{
+
+	reply(421,
+	    "Timeout (%d seconds): closing control connection.",
+	      ftpd_timeout);
+	if (logging)
+		syslog(LOG_INFO, "User %s timed out after %d seconds",
+		    (pw ? pw -> pw_name : "unknown"), ftpd_timeout);
+	dologout(1);
+	SIGRETURN(0);
+}
+
+static int
+yylex(void)
+{
+	static int cpos, state;
+	char *cp, *cp2;
+	struct tab *p;
+	int n;
+	char c;
+
+	for (;;) {
+		switch (state) {
+
+		case CMD:
+			signal(SIGALRM, toolong);
+			alarm((unsigned) ftpd_timeout);
+			if (ftpd_getline(cbuf, sizeof(cbuf)-1) == NULL) {
+				reply(221, "You could at least say goodbye.");
+				dologout(0);
+			}
+			alarm(0);
+#ifdef HAVE_SETPROCTITLE
+			if (strncasecmp(cbuf, "PASS", 4) != NULL)
+				setproctitle("%s: %s", proctitle, cbuf);
+#endif /* HAVE_SETPROCTITLE */
+			if ((cp = strchr(cbuf, '\r'))) {
+				*cp++ = '\n';
+				*cp = '\0';
+			}
+			if ((cp = strpbrk(cbuf, " \n")))
+				cpos = cp - cbuf;
+			if (cpos == 0)
+				cpos = 4;
+			c = cbuf[cpos];
+			cbuf[cpos] = '\0';
+			strupr(cbuf);
+			p = lookup(cmdtab, cbuf);
+			cbuf[cpos] = c;
+			if (p != 0) {
+				if (p->implemented == 0) {
+					nack(p->name);
+					longjmp(errcatch,0);
+					/* NOTREACHED */
+				}
+				state = p->state;
+				yylval.s = p->name;
+				return (p->token);
+			}
+			break;
+
+		case SITECMD:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				return (SP);
+			}
+			cp = &cbuf[cpos];
+			if ((cp2 = strpbrk(cp, " \n")))
+				cpos = cp2 - cbuf;
+			c = cbuf[cpos];
+			cbuf[cpos] = '\0';
+			strupr(cp);
+			p = lookup(sitetab, cp);
+			cbuf[cpos] = c;
+			if (p != 0) {
+				if (p->implemented == 0) {
+					state = CMD;
+					nack(p->name);
+					longjmp(errcatch,0);
+					/* NOTREACHED */
+				}
+				state = p->state;
+				yylval.s = p->name;
+				return (p->token);
+			}
+			state = CMD;
+			break;
+
+		case OSTR:
+			if (cbuf[cpos] == '\n') {
+				state = CMD;
+				return (CRLF);
+			}
+			/* FALLTHROUGH */
+
+		case STR1:
+		case ZSTR1:
+		dostr1:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				if(state == OSTR)
+				    state = STR2;
+				else
+				    state++;
+				return (SP);
+			}
+			break;
+
+		case ZSTR2:
+			if (cbuf[cpos] == '\n') {
+				state = CMD;
+				return (CRLF);
+			}
+			/* FALLTHROUGH */
+
+		case STR2:
+			cp = &cbuf[cpos];
+			n = strlen(cp);
+			cpos += n - 1;
+			/*
+			 * Make sure the string is nonempty and \n terminated.
+			 */
+			if (n > 1 && cbuf[cpos] == '\n') {
+				cbuf[cpos] = '\0';
+				yylval.s = copy(cp);
+				cbuf[cpos] = '\n';
+				state = ARGS;
+				return (STRING);
+			}
+			break;
+
+		case NSTR:
+			if (cbuf[cpos] == ' ') {
+				cpos++;
+				return (SP);
+			}
+			if (isdigit(cbuf[cpos])) {
+				cp = &cbuf[cpos];
+				while (isdigit(cbuf[++cpos]))
+					;
+				c = cbuf[cpos];
+				cbuf[cpos] = '\0';
+				yylval.i = atoi(cp);
+				cbuf[cpos] = c;
+				state = STR1;
+				return (NUMBER);
+			}
+			state = STR1;
+			goto dostr1;
+
+		case ARGS:
+			if (isdigit(cbuf[cpos])) {
+				cp = &cbuf[cpos];
+				while (isdigit(cbuf[++cpos]))
+					;
+				c = cbuf[cpos];
+				cbuf[cpos] = '\0';
+				yylval.i = atoi(cp);
+				cbuf[cpos] = c;
+				return (NUMBER);
+			}
+			switch (cbuf[cpos++]) {
+
+			case '\n':
+				state = CMD;
+				return (CRLF);
+
+			case ' ':
+				return (SP);
+
+			case ',':
+				return (COMMA);
+
+			case 'A':
+			case 'a':
+				return (A);
+
+			case 'B':
+			case 'b':
+				return (B);
+
+			case 'C':
+			case 'c':
+				return (C);
+
+			case 'E':
+			case 'e':
+				return (E);
+
+			case 'F':
+			case 'f':
+				return (F);
+
+			case 'I':
+			case 'i':
+				return (I);
+
+			case 'L':
+			case 'l':
+				return (L);
+
+			case 'N':
+			case 'n':
+				return (N);
+
+			case 'P':
+			case 'p':
+				return (P);
+
+			case 'R':
+			case 'r':
+				return (R);
+
+			case 'S':
+			case 's':
+				return (S);
+
+			case 'T':
+			case 't':
+				return (T);
+
+			}
+			break;
+
+		default:
+			fatal("Unknown state in scanner.");
+		}
+		yyerror((char *) 0);
+		state = CMD;
+		longjmp(errcatch,0);
+	}
+}
+
+static char *
+copy(char *s)
+{
+	char *p;
+
+	p = strdup(s);
+	if (p == NULL)
+		fatal("Ran out of memory.");
+	return p;
+}
+
+static void
+help(struct tab *ctab, char *s)
+{
+	struct tab *c;
+	int width, NCMDS;
+	char *type;
+	char buf[1024];
+
+	if (ctab == sitetab)
+		type = "SITE ";
+	else
+		type = "";
+	width = 0, NCMDS = 0;
+	for (c = ctab; c->name != NULL; c++) {
+		int len = strlen(c->name);
+
+		if (len > width)
+			width = len;
+		NCMDS++;
+	}
+	width = (width + 8) &~ 7;
+	if (s == 0) {
+		int i, j, w;
+		int columns, lines;
+
+		lreply(214, "The following %scommands are recognized %s.",
+		    type, "(* =>'s unimplemented)");
+		columns = 76 / width;
+		if (columns == 0)
+			columns = 1;
+		lines = (NCMDS + columns - 1) / columns;
+		for (i = 0; i < lines; i++) {
+		    strlcpy (buf, "   ", sizeof(buf));
+		    for (j = 0; j < columns; j++) {
+			c = ctab + j * lines + i;
+			snprintf (buf + strlen(buf),
+				  sizeof(buf) - strlen(buf),
+				  "%s%c",
+				  c->name,
+				  c->implemented ? ' ' : '*');
+			if (c + lines >= &ctab[NCMDS])
+			    break;
+			w = strlen(c->name) + 1;
+			while (w < width) {
+			    strlcat (buf,
+					     " ",
+					     sizeof(buf));
+			    w++;
+			}
+		    }
+		    lreply(214, "%s", buf);
+		}
+		reply(214, "Direct comments to kth-krb-bugs@pdc.kth.se");
+		return;
+	}
+	strupr(s);
+	c = lookup(ctab, s);
+	if (c == (struct tab *)0) {
+		reply(502, "Unknown command %s.", s);
+		return;
+	}
+	if (c->implemented)
+		reply(214, "Syntax: %s%s %s", type, c->name, c->help);
+	else
+		reply(214, "%s%-*s\t%s; unimplemented.", type, width,
+		    c->name, c->help);
+}
+
+static void
+sizecmd(char *filename)
+{
+	switch (type) {
+	case TYPE_L:
+	case TYPE_I: {
+		struct stat stbuf;
+		if (stat(filename, &stbuf) < 0 || !S_ISREG(stbuf.st_mode))
+			reply(550, "%s: not a plain file.", filename);
+		else
+			reply(213, "%lu", (unsigned long)stbuf.st_size);
+		break;
+	}
+	case TYPE_A: {
+		FILE *fin;
+		int c;
+		size_t count;
+		struct stat stbuf;
+		fin = fopen(filename, "r");
+		if (fin == NULL) {
+			perror_reply(550, filename);
+			return;
+		}
+		if (fstat(fileno(fin), &stbuf) < 0 || !S_ISREG(stbuf.st_mode)) {
+			reply(550, "%s: not a plain file.", filename);
+			fclose(fin);
+			return;
+		}
+
+		count = 0;
+		while((c=getc(fin)) != EOF) {
+			if (c == '\n')	/* will get expanded to \r\n */
+				count++;
+			count++;
+		}
+		fclose(fin);
+
+		reply(213, "%lu", (unsigned long)count);
+		break;
+	}
+	default:
+		reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]);
+	}
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/ftpd.c b/crypto/kerberosIV/appl/ftp/ftpd/ftpd.c
new file mode 100644
index 0000000..6d8a392
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/ftpd.c
@@ -0,0 +1,2250 @@
+/*
+ * Copyright (c) 1985, 1988, 1990, 1992, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#define	FTP_NAMES
+#include "ftpd_locl.h"
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#include "getarg.h"
+
+RCSID("$Id: ftpd.c,v 1.131.2.4 2000/09/26 09:30:26 assar Exp $");
+
+static char version[] = "Version 6.00";
+
+extern	off_t restart_point;
+extern	char cbuf[];
+
+struct  sockaddr_storage ctrl_addr_ss;
+struct  sockaddr *ctrl_addr = (struct sockaddr *)&ctrl_addr_ss;
+
+struct  sockaddr_storage data_source_ss;
+struct  sockaddr *data_source = (struct sockaddr *)&data_source_ss;
+
+struct  sockaddr_storage data_dest_ss;
+struct  sockaddr *data_dest = (struct sockaddr *)&data_dest_ss;
+
+struct  sockaddr_storage his_addr_ss;
+struct  sockaddr *his_addr = (struct sockaddr *)&his_addr_ss;
+
+struct  sockaddr_storage pasv_addr_ss;
+struct  sockaddr *pasv_addr = (struct sockaddr *)&pasv_addr_ss;
+
+int	data;
+jmp_buf	errcatch, urgcatch;
+int	oobflag;
+int	logged_in;
+struct	passwd *pw;
+int	debug = 0;
+int	ftpd_timeout = 900;    /* timeout after 15 minutes of inactivity */
+int	maxtimeout = 7200;/* don't allow idle time to be set beyond 2 hours */
+int	logging;
+int	guest;
+int	dochroot;
+int	type;
+int	form;
+int	stru;			/* avoid C keyword */
+int	mode;
+int	usedefault = 1;		/* for data transfers */
+int	pdata = -1;		/* for passive mode */
+int	transflag;
+off_t	file_size;
+off_t	byte_count;
+#if !defined(CMASK) || CMASK == 0
+#undef CMASK
+#define CMASK 027
+#endif
+int	defumask = CMASK;		/* default umask value */
+int	guest_umask = 0777;	/* Paranoia for anonymous users */
+char	tmpline[10240];
+char	hostname[MaxHostNameLen];
+char	remotehost[MaxHostNameLen];
+static char ttyline[20];
+
+#define AUTH_PLAIN	(1 << 0) /* allow sending passwords */
+#define AUTH_OTP	(1 << 1) /* passwords are one-time */
+#define AUTH_FTP	(1 << 2) /* allow anonymous login */
+
+static int auth_level = 0; /* Only allow kerberos login by default */
+
+/*
+ * Timeout intervals for retrying connections
+ * to hosts that don't accept PORT cmds.  This
+ * is a kludge, but given the problems with TCP...
+ */
+#define	SWAITMAX	90	/* wait at most 90 seconds */
+#define	SWAITINT	5	/* interval between retries */
+
+int	swaitmax = SWAITMAX;
+int	swaitint = SWAITINT;
+
+#ifdef HAVE_SETPROCTITLE
+char	proctitle[BUFSIZ];	/* initial part of title */
+#endif /* HAVE_SETPROCTITLE */
+
+#define LOGCMD(cmd, file) \
+	if (logging > 1) \
+	    syslog(LOG_INFO,"%s %s%s", cmd, \
+		*(file) == '/' ? "" : curdir(), file);
+#define LOGCMD2(cmd, file1, file2) \
+	 if (logging > 1) \
+	    syslog(LOG_INFO,"%s %s%s %s%s", cmd, \
+		*(file1) == '/' ? "" : curdir(), file1, \
+		*(file2) == '/' ? "" : curdir(), file2);
+#define LOGBYTES(cmd, file, cnt) \
+	if (logging > 1) { \
+		if (cnt == (off_t)-1) \
+		    syslog(LOG_INFO,"%s %s%s", cmd, \
+			*(file) == '/' ? "" : curdir(), file); \
+		else \
+		    syslog(LOG_INFO, "%s %s%s = %ld bytes", \
+			cmd, (*(file) == '/') ? "" : curdir(), file, (long)cnt); \
+	}
+
+static void	 ack (char *);
+static void	 myoob (int);
+static int	 checkuser (char *, char *);
+static int	 checkaccess (char *);
+static FILE	*dataconn (const char *, off_t, const char *);
+static void	 dolog (struct sockaddr *);
+static void	 end_login (void);
+static FILE	*getdatasock (const char *);
+static char	*gunique (char *);
+static RETSIGTYPE	 lostconn (int);
+static int	 receive_data (FILE *, FILE *);
+static void	 send_data (FILE *, FILE *);
+static struct passwd * sgetpwnam (char *);
+
+static char *
+curdir(void)
+{
+	static char path[MaxPathLen+1];	/* path + '/' + '\0' */
+
+	if (getcwd(path, sizeof(path)-1) == NULL)
+		return ("");
+	if (path[1] != '\0')		/* special case for root dir. */
+		strlcat(path, "/", sizeof(path));
+	/* For guest account, skip / since it's chrooted */
+	return (guest ? path+1 : path);
+}
+
+#ifndef LINE_MAX
+#define LINE_MAX 1024
+#endif
+
+static int
+parse_auth_level(char *str)
+{
+    char *p;
+    int ret = 0;
+    char *foo = NULL;
+
+    for(p = strtok_r(str, ",", &foo);
+	p;
+	p = strtok_r(NULL, ",", &foo)) {
+	if(strcmp(p, "user") == 0)
+	    ;
+#ifdef OTP
+	else if(strcmp(p, "otp") == 0)
+	    ret |= AUTH_PLAIN|AUTH_OTP;
+#endif
+	else if(strcmp(p, "ftp") == 0 ||
+		strcmp(p, "safe") == 0)
+	    ret |= AUTH_FTP;
+	else if(strcmp(p, "plain") == 0)
+	    ret |= AUTH_PLAIN;
+	else if(strcmp(p, "none") == 0)
+	    ret |= AUTH_PLAIN|AUTH_FTP;
+	else
+	    warnx("bad value for -a: `%s'", p);
+    }
+    return ret;	    
+}
+
+/*
+ * Print usage and die.
+ */
+
+static int interactive_flag;
+static char *guest_umask_string;
+static char *port_string;
+static char *umask_string;
+static char *auth_string;
+
+int use_builtin_ls = -1;
+
+static int help_flag;
+static int version_flag;
+
+struct getargs args[] = {
+    { NULL, 'a', arg_string, &auth_string, "required authentication" },
+    { NULL, 'i', arg_flag, &interactive_flag, "don't assume stdin is a socket" },
+    { NULL, 'p', arg_string, &port_string, "what port to listen to" },
+    { NULL, 'g', arg_string, &guest_umask_string, "umask for guest logins" },
+    { NULL, 'l', arg_counter, &logging, "log more stuff", "" },
+    { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout" },
+    { NULL, 'T', arg_integer, &maxtimeout, "max timeout" },
+    { NULL, 'u', arg_string, &umask_string, "umask for user logins" },
+    { NULL, 'd', arg_flag, &debug, "enable debugging" },
+    { NULL, 'v', arg_flag, &debug, "enable debugging" },
+    { "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files" },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 'h', arg_flag, &help_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage (int code)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit (code);
+}
+
+/* output contents of a file */
+static int
+show_file(const char *file, int code)
+{
+    FILE *f;
+    char buf[128];
+
+    f = fopen(file, "r");
+    if(f == NULL)
+	return -1;
+    while(fgets(buf, sizeof(buf), f)){
+	buf[strcspn(buf, "\r\n")] = '\0';
+	lreply(code, "%s", buf);
+    }
+    fclose(f);
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int addrlen, on = 1, tos;
+    char *cp, line[LINE_MAX];
+    FILE *fd;
+    int port;
+    struct servent *sp;
+
+    int optind = 0;
+
+#ifdef KRB4
+    /* detach from any tickets and tokens */
+    {
+	char tkfile[1024];
+	snprintf(tkfile, sizeof(tkfile),
+		 "/tmp/ftp_%u", (unsigned)getpid());
+	krb_set_tkt_string(tkfile);
+	if(k_hasafs())
+	    k_setpag();
+    }
+#endif
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+
+    if(help_flag)
+	usage(0);
+	
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(auth_string)
+	auth_level = parse_auth_level(auth_string);
+    {
+	char *p;
+	long val = 0;
+	    
+	if(guest_umask_string) {
+	    val = strtol(guest_umask_string, &p, 8);
+	    if (*p != '\0' || val < 0)
+		warnx("bad value for -g");
+	    else
+		guest_umask = val;
+	}
+	if(umask_string) {
+	    val = strtol(umask_string, &p, 8);
+	    if (*p != '\0' || val < 0)
+		warnx("bad value for -u");
+	    else
+		defumask = val;
+	}
+    }
+    if(port_string) {
+	sp = getservbyname(port_string, "tcp");
+	if(sp)
+	    port = sp->s_port;
+	else
+	    if(isdigit(port_string[0]))
+		port = htons(atoi(port_string));
+	    else
+		warnx("bad value for -p");
+    } else {
+	sp = getservbyname("ftp", "tcp");
+	if(sp)
+	    port = sp->s_port;
+	else
+	    port = htons(21);
+    }
+		    
+    if (maxtimeout < ftpd_timeout)
+	maxtimeout = ftpd_timeout;
+
+#if 0
+    if (ftpd_timeout > maxtimeout)
+	ftpd_timeout = maxtimeout;
+#endif
+
+
+    if(interactive_flag)
+	mini_inetd (port);
+
+    /*
+     * LOG_NDELAY sets up the logging connection immediately,
+     * necessary for anonymous ftp's that chroot and can't do it later.
+     */
+    openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
+    addrlen = sizeof(his_addr_ss);
+    if (getpeername(STDIN_FILENO, his_addr, &addrlen) < 0) {
+	syslog(LOG_ERR, "getpeername (%s): %m",argv[0]);
+	exit(1);
+    }
+    addrlen = sizeof(ctrl_addr_ss);
+    if (getsockname(STDIN_FILENO, ctrl_addr, &addrlen) < 0) {
+	syslog(LOG_ERR, "getsockname (%s): %m",argv[0]);
+	exit(1);
+    }
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+    tos = IPTOS_LOWDELAY;
+    if (setsockopt(STDIN_FILENO, IPPROTO_IP, IP_TOS,
+		   (void *)&tos, sizeof(int)) < 0)
+	syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+#endif
+    data_source->sa_family = ctrl_addr->sa_family;
+    socket_set_port (data_source,
+		     htons(ntohs(socket_get_port(ctrl_addr)) - 1));
+
+    /* set this here so it can be put in wtmp */
+    snprintf(ttyline, sizeof(ttyline), "ftp%u", (unsigned)getpid());
+
+
+    /*	freopen(_PATH_DEVNULL, "w", stderr); */
+    signal(SIGPIPE, lostconn);
+    signal(SIGCHLD, SIG_IGN);
+#ifdef SIGURG
+    if (signal(SIGURG, myoob) == SIG_ERR)
+	syslog(LOG_ERR, "signal: %m");
+#endif
+
+    /* Try to handle urgent data inline */
+#if defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT)
+    if (setsockopt(0, SOL_SOCKET, SO_OOBINLINE, (void *)&on,
+		   sizeof(on)) < 0)
+	syslog(LOG_ERR, "setsockopt: %m");
+#endif
+
+#ifdef	F_SETOWN
+    if (fcntl(fileno(stdin), F_SETOWN, getpid()) == -1)
+	syslog(LOG_ERR, "fcntl F_SETOWN: %m");
+#endif
+    dolog(his_addr);
+    /*
+     * Set up default state
+     */
+    data = -1;
+    type = TYPE_A;
+    form = FORM_N;
+    stru = STRU_F;
+    mode = MODE_S;
+    tmpline[0] = '\0';
+
+    /* If logins are disabled, print out the message. */
+    if(show_file(_PATH_NOLOGIN, 530) == 0) {
+	reply(530, "System not available.");
+	exit(0);
+    }
+    show_file(_PATH_FTPWELCOME, 220);
+    /* reply(220,) must follow */
+    gethostname(hostname, sizeof(hostname));
+	
+    reply(220, "%s FTP server (%s"
+#ifdef KRB5
+	  "+%s"
+#endif
+#ifdef KRB4
+	  "+%s"
+#endif
+	  ") ready.", hostname, version
+#ifdef KRB5
+	  ,heimdal_version
+#endif
+#ifdef KRB4
+	  ,krb4_version
+#endif
+	  );
+
+    setjmp(errcatch);
+    for (;;)
+	yyparse();
+    /* NOTREACHED */
+}
+
+static RETSIGTYPE
+lostconn(int signo)
+{
+
+	if (debug)
+		syslog(LOG_DEBUG, "lost connection");
+	dologout(-1);
+}
+
+/*
+ * Helper function for sgetpwnam().
+ */
+static char *
+sgetsave(char *s)
+{
+	char *new = strdup(s);
+
+	if (new == NULL) {
+		perror_reply(421, "Local resource failure: malloc");
+		dologout(1);
+		/* NOTREACHED */
+	}
+	return new;
+}
+
+/*
+ * Save the result of a getpwnam.  Used for USER command, since
+ * the data returned must not be clobbered by any other command
+ * (e.g., globbing).
+ */
+static struct passwd *
+sgetpwnam(char *name)
+{
+	static struct passwd save;
+	struct passwd *p;
+
+	if ((p = k_getpwnam(name)) == NULL)
+		return (p);
+	if (save.pw_name) {
+		free(save.pw_name);
+		free(save.pw_passwd);
+		free(save.pw_gecos);
+		free(save.pw_dir);
+		free(save.pw_shell);
+	}
+	save = *p;
+	save.pw_name = sgetsave(p->pw_name);
+	save.pw_passwd = sgetsave(p->pw_passwd);
+	save.pw_gecos = sgetsave(p->pw_gecos);
+	save.pw_dir = sgetsave(p->pw_dir);
+	save.pw_shell = sgetsave(p->pw_shell);
+	return (&save);
+}
+
+static int login_attempts;	/* number of failed login attempts */
+static int askpasswd;		/* had user command, ask for passwd */
+static char curname[10];	/* current USER name */
+#ifdef OTP
+OtpContext otp_ctx;
+#endif
+
+/*
+ * USER command.
+ * Sets global passwd pointer pw if named account exists and is acceptable;
+ * sets askpasswd if a PASS command is expected.  If logged in previously,
+ * need to reset state.  If name is "ftp" or "anonymous", the name is not in
+ * _PATH_FTPUSERS, and ftp account exists, set guest and pw, then just return.
+ * If account doesn't exist, ask for passwd anyway.  Otherwise, check user
+ * requesting login privileges.  Disallow anyone who does not have a standard
+ * shell as returned by getusershell().  Disallow anyone mentioned in the file
+ * _PATH_FTPUSERS to allow people such as root and uucp to be avoided.
+ */
+void
+user(char *name)
+{
+	char *cp, *shell;
+
+	if(auth_level == 0 && !sec_complete){
+	    reply(530, "No login allowed without authorization.");
+	    return;
+	}
+
+	if (logged_in) {
+		if (guest) {
+			reply(530, "Can't change user from guest login.");
+			return;
+		} else if (dochroot) {
+			reply(530, "Can't change user from chroot user.");
+			return;
+		}
+		end_login();
+	}
+
+	guest = 0;
+	if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) {
+	    if ((auth_level & AUTH_FTP) == 0 ||
+		checkaccess("ftp") || 
+		checkaccess("anonymous"))
+		reply(530, "User %s access denied.", name);
+	    else if ((pw = sgetpwnam("ftp")) != NULL) {
+		guest = 1;
+		defumask = guest_umask;	/* paranoia for incoming */
+		askpasswd = 1;
+		reply(331, "Guest login ok, type your name as password.");
+	    } else
+		reply(530, "User %s unknown.", name);
+	    if (!askpasswd && logging) {
+		char data_addr[256];
+
+		if (inet_ntop (his_addr->sa_family,
+			       socket_get_address(his_addr),
+			       data_addr, sizeof(data_addr)) == NULL)
+			strlcpy (data_addr, "unknown address",
+					 sizeof(data_addr));
+
+		syslog(LOG_NOTICE,
+		       "ANONYMOUS FTP LOGIN REFUSED FROM %s(%s)",
+		       remotehost, data_addr);
+	    }
+	    return;
+	}
+	if((auth_level & AUTH_PLAIN) == 0 && !sec_complete){
+	    reply(530, "Only authorized and anonymous login allowed.");
+	    return;
+	}
+	if ((pw = sgetpwnam(name))) {
+		if ((shell = pw->pw_shell) == NULL || *shell == 0)
+			shell = _PATH_BSHELL;
+		while ((cp = getusershell()) != NULL)
+			if (strcmp(cp, shell) == 0)
+				break;
+		endusershell();
+
+		if (cp == NULL || checkaccess(name)) {
+			reply(530, "User %s access denied.", name);
+			if (logging) {
+				char data_addr[256];
+
+				if (inet_ntop (his_addr->sa_family,
+					       socket_get_address(his_addr),
+					       data_addr,
+					       sizeof(data_addr)) == NULL)
+					strlcpy (data_addr,
+							 "unknown address",
+							 sizeof(data_addr));
+
+				syslog(LOG_NOTICE,
+				       "FTP LOGIN REFUSED FROM %s(%s), %s",
+				       remotehost,
+				       data_addr,
+				       name);
+			}
+			pw = (struct passwd *) NULL;
+			return;
+		}
+	}
+	if (logging)
+	    strlcpy(curname, name, sizeof(curname));
+	if(sec_complete) {
+	    if(sec_userok(name) == 0)
+		do_login(232, name);
+	    else
+		reply(530, "User %s access denied.", name);
+	} else {
+		char ss[256];
+
+#ifdef OTP
+		if (otp_challenge(&otp_ctx, name, ss, sizeof(ss)) == 0) {
+			reply(331, "Password %s for %s required.",
+			      ss, name);
+			askpasswd = 1;
+		} else
+#endif
+		if ((auth_level & AUTH_OTP) == 0) {
+		    reply(331, "Password required for %s.", name);
+		    askpasswd = 1;
+		} else {
+		    char *s;
+		    
+#ifdef OTP
+		    if ((s = otp_error (&otp_ctx)) != NULL)
+			lreply(530, "OTP: %s", s);
+#endif
+		    reply(530,
+			  "Only authorized, anonymous"
+#ifdef OTP
+			  " and OTP "
+#endif
+			  "login allowed.");
+		}
+
+	}
+	/*
+	 * Delay before reading passwd after first failed
+	 * attempt to slow down passwd-guessing programs.
+	 */
+	if (login_attempts)
+		sleep(login_attempts);
+}
+
+/*
+ * Check if a user is in the file "fname"
+ */
+static int
+checkuser(char *fname, char *name)
+{
+	FILE *fd;
+	int found = 0;
+	char *p, line[BUFSIZ];
+
+	if ((fd = fopen(fname, "r")) != NULL) {
+		while (fgets(line, sizeof(line), fd) != NULL)
+			if ((p = strchr(line, '\n')) != NULL) {
+				*p = '\0';
+				if (line[0] == '#')
+					continue;
+				if (strcmp(line, name) == 0) {
+					found = 1;
+					break;
+				}
+			}
+		fclose(fd);
+	}
+	return (found);
+}
+
+
+/*
+ * Determine whether a user has access, based on information in 
+ * _PATH_FTPUSERS. The users are listed one per line, with `allow'
+ * or `deny' after the username. If anything other than `allow', or
+ * just nothing, is given after the username, `deny' is assumed.
+ *
+ * If the user is not found in the file, but the pseudo-user `*' is,
+ * the permission is taken from that line.
+ *
+ * This preserves the old semantics where if a user was listed in the
+ * file he was denied, otherwise he was allowed.
+ *
+ * Return 1 if the user is denied, or 0 if he is allowed.  */
+
+static int
+match(const char *pattern, const char *string)
+{
+    return fnmatch(pattern, string, FNM_NOESCAPE);
+}
+
+static int
+checkaccess(char *name)
+{
+#define ALLOWED		0
+#define	NOT_ALLOWED	1
+    FILE *fd;
+    int allowed = ALLOWED;
+    char *user, *perm, line[BUFSIZ];
+    char *foo;
+    
+    fd = fopen(_PATH_FTPUSERS, "r");
+    
+    if(fd == NULL)
+	return allowed;
+
+    while (fgets(line, sizeof(line), fd) != NULL)  {
+	foo = NULL;
+	user = strtok_r(line, " \t\n", &foo);
+	if (user == NULL || user[0] == '#')
+	    continue;
+	perm = strtok_r(NULL, " \t\n", &foo);
+	if (match(user, name) == 0){
+	    if(perm && strcmp(perm, "allow") == 0)
+		allowed = ALLOWED;
+	    else
+		allowed = NOT_ALLOWED;
+	    break;
+	}
+    }
+    fclose(fd);
+    return allowed;
+}
+#undef	ALLOWED
+#undef	NOT_ALLOWED
+
+
+int do_login(int code, char *passwd)
+{
+    FILE *fd;
+    login_attempts = 0;		/* this time successful */
+    if (setegid((gid_t)pw->pw_gid) < 0) {
+	reply(550, "Can't set gid.");
+	return -1;
+    }
+    initgroups(pw->pw_name, pw->pw_gid);
+
+    /* open wtmp before chroot */
+    ftpd_logwtmp(ttyline, pw->pw_name, remotehost);
+    logged_in = 1;
+
+    dochroot = checkuser(_PATH_FTPCHROOT, pw->pw_name);
+    if (guest) {
+	/*
+	 * We MUST do a chdir() after the chroot. Otherwise
+	 * the old current directory will be accessible as "."
+	 * outside the new root!
+	 */
+	if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) {
+	    reply(550, "Can't set guest privileges.");
+	    return -1;
+	}
+    } else if (dochroot) {
+	if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) {
+	    reply(550, "Can't change root.");
+	    return -1;
+	}
+    } else if (chdir(pw->pw_dir) < 0) {
+	if (chdir("/") < 0) {
+	    reply(530, "User %s: can't change directory to %s.",
+		  pw->pw_name, pw->pw_dir);
+	    return -1;
+	} else
+	    lreply(code, "No directory! Logging in with home=/");
+    }
+    if (seteuid((uid_t)pw->pw_uid) < 0) {
+	reply(550, "Can't set uid.");
+	return -1;
+    }
+
+    if(use_builtin_ls == -1) {
+	struct stat st;
+	/* if /bin/ls exist and is a regular file, use it, otherwise
+           use built-in ls */
+	if(stat("/bin/ls", &st) == 0 &&
+	   S_ISREG(st.st_mode))
+	    use_builtin_ls = 0;
+	else
+	    use_builtin_ls = 1;
+    }
+
+    /*
+     * Display a login message, if it exists.
+     * N.B. reply(code,) must follow the message.
+     */
+    show_file(_PATH_FTPLOGINMESG, code);
+    if(show_file(_PATH_ISSUE_NET, code) != 0)
+	show_file(_PATH_ISSUE, code);
+    if (guest) {
+	reply(code, "Guest login ok, access restrictions apply.");
+#ifdef HAVE_SETPROCTITLE
+	snprintf (proctitle, sizeof(proctitle),
+		  "%s: anonymous/%s",
+		  remotehost,
+		  passwd);
+	setproctitle("%s", proctitle);
+#endif /* HAVE_SETPROCTITLE */
+	if (logging) {
+	    char data_addr[256];
+
+	    if (inet_ntop (his_addr->sa_family,
+			   socket_get_address(his_addr),
+			   data_addr, sizeof(data_addr)) == NULL)
+		strlcpy (data_addr, "unknown address",
+				 sizeof(data_addr));
+
+	    syslog(LOG_INFO, "ANONYMOUS FTP LOGIN FROM %s(%s), %s",
+		   remotehost, 
+		   data_addr,
+		   passwd);
+	}
+    } else {
+	reply(code, "User %s logged in.", pw->pw_name);
+#ifdef HAVE_SETPROCTITLE
+	snprintf(proctitle, sizeof(proctitle), "%s: %s", remotehost, pw->pw_name);
+	setproctitle("%s", proctitle);
+#endif /* HAVE_SETPROCTITLE */
+	if (logging) {
+	    char data_addr[256];
+
+	    if (inet_ntop (his_addr->sa_family,
+			   socket_get_address(his_addr),
+			   data_addr, sizeof(data_addr)) == NULL)
+		strlcpy (data_addr, "unknown address",
+				 sizeof(data_addr));
+
+	    syslog(LOG_INFO, "FTP LOGIN FROM %s(%s) as %s",
+		   remotehost,
+		   data_addr,
+		   pw->pw_name);
+	}
+    }
+    umask(defumask);
+    return 0;
+}
+
+/*
+ * Terminate login as previous user, if any, resetting state;
+ * used when USER command is given or login fails.
+ */
+static void
+end_login(void)
+{
+
+	seteuid((uid_t)0);
+	if (logged_in)
+		ftpd_logwtmp(ttyline, "", "");
+	pw = NULL;
+	logged_in = 0;
+	guest = 0;
+	dochroot = 0;
+}
+
+void
+pass(char *passwd)
+{
+	int rval;
+
+	/* some clients insists on sending a password */
+	if (logged_in && askpasswd == 0){
+	     reply(230, "Dumpucko!");
+	     return;
+	}
+
+	if (logged_in || askpasswd == 0) {
+		reply(503, "Login with USER first.");
+		return;
+	}
+	askpasswd = 0;
+	rval = 1;
+	if (!guest) {		/* "ftp" is only account allowed no password */
+		if (pw == NULL)
+			rval = 1;	/* failure below */
+#ifdef OTP
+		else if (otp_verify_user (&otp_ctx, passwd) == 0) {
+		    rval = 0;
+		}
+#endif
+		else if((auth_level & AUTH_OTP) == 0) {
+#ifdef KRB4
+		    char realm[REALM_SZ];
+		    if((rval = krb_get_lrealm(realm, 1)) == KSUCCESS)
+			rval = krb_verify_user(pw->pw_name,
+					       "", realm, 
+					       passwd, 
+					       KRB_VERIFY_SECURE, NULL);
+		    if (rval == KSUCCESS ) {
+			chown (tkt_string(), pw->pw_uid, pw->pw_gid);
+			if(k_hasafs())
+			    krb_afslog(0, 0);
+		    } else 
+#endif
+			rval = unix_verify_user(pw->pw_name, passwd);
+		} else {
+		    char *s;
+		    
+#ifdef OTP
+		    if ((s = otp_error(&otp_ctx)) != NULL)
+			lreply(530, "OTP: %s", s);
+#endif
+		}
+		memset (passwd, 0, strlen(passwd));
+
+		/*
+		 * If rval == 1, the user failed the authentication
+		 * check above.  If rval == 0, either Kerberos or
+		 * local authentication succeeded.
+		 */
+		if (rval) {
+			char data_addr[256];
+
+			if (inet_ntop (his_addr->sa_family,
+				       socket_get_address(his_addr),
+				       data_addr, sizeof(data_addr)) == NULL)
+				strlcpy (data_addr, "unknown address",
+						 sizeof(data_addr));
+
+			reply(530, "Login incorrect.");
+			if (logging)
+				syslog(LOG_NOTICE,
+				    "FTP LOGIN FAILED FROM %s(%s), %s",
+				       remotehost,
+				       data_addr,
+				       curname);
+			pw = NULL;
+			if (login_attempts++ >= 5) {
+				syslog(LOG_NOTICE,
+				       "repeated login failures from %s(%s)",
+				       remotehost,
+				       data_addr);
+				exit(0);
+			}
+			return;
+		}
+	}
+	if(!do_login(230, passwd))
+	  return;
+	
+	/* Forget all about it... */
+	end_login();
+}
+
+void
+retrieve(const char *cmd, char *name)
+{
+	FILE *fin = NULL, *dout;
+	struct stat st;
+	int (*closefunc) (FILE *);
+	char line[BUFSIZ];
+
+
+	if (cmd == 0) {
+		fin = fopen(name, "r");
+		closefunc = fclose;
+		st.st_size = 0;
+		if(fin == NULL){
+		    int save_errno = errno;
+		    struct cmds {
+			const char *ext;
+			const char *cmd;
+		        const char *rev_cmd;
+		    } cmds[] = {
+			{".tar", "/bin/gtar cPf - %s", NULL},
+			{".tar.gz", "/bin/gtar zcPf - %s", NULL},
+			{".tar.Z", "/bin/gtar ZcPf - %s", NULL},
+			{".gz", "/bin/gzip -c -- %s", "/bin/gzip -c -d -- %s"},
+			{".Z", "/bin/compress -c -- %s", "/bin/uncompress -c -- %s"},
+			{NULL, NULL}
+		    };
+		    struct cmds *p;
+		    for(p = cmds; p->ext; p++){
+			char *tail = name + strlen(name) - strlen(p->ext);
+			char c = *tail;
+			
+			if(strcmp(tail, p->ext) == 0 &&
+			   (*tail  = 0) == 0 &&
+			   access(name, R_OK) == 0){
+			    snprintf (line, sizeof(line), p->cmd, name);
+			    *tail  = c;
+			    break;
+			}
+			*tail = c;
+			if (p->rev_cmd != NULL) {
+			    char *ext;
+
+			    asprintf(&ext, "%s%s", name, p->ext);
+			    if (ext != NULL) { 
+  			        if (access(ext, R_OK) == 0) {
+				    snprintf (line, sizeof(line),
+					      p->rev_cmd, ext);
+				    free(ext);
+				    break;
+				}
+			        free(ext);
+			    }
+			}
+			
+		    }
+		    if(p->ext){
+			fin = ftpd_popen(line, "r", 0, 0);
+			closefunc = ftpd_pclose;
+			st.st_size = -1;
+			cmd = line;
+		    } else
+			errno = save_errno;
+		}
+	} else {
+		snprintf(line, sizeof(line), cmd, name);
+		name = line;
+		fin = ftpd_popen(line, "r", 1, 0);
+		closefunc = ftpd_pclose;
+		st.st_size = -1;
+	}
+	if (fin == NULL) {
+		if (errno != 0) {
+			perror_reply(550, name);
+			if (cmd == 0) {
+				LOGCMD("get", name);
+			}
+		}
+		return;
+	}
+	byte_count = -1;
+	if (cmd == 0){
+	    if(fstat(fileno(fin), &st) < 0 || !S_ISREG(st.st_mode)) {
+		reply(550, "%s: not a plain file.", name);
+		goto done;
+	    }
+	}
+	if (restart_point) {
+		if (type == TYPE_A) {
+			off_t i, n;
+			int c;
+
+			n = restart_point;
+			i = 0;
+			while (i++ < n) {
+				if ((c=getc(fin)) == EOF) {
+					perror_reply(550, name);
+					goto done;
+				}
+				if (c == '\n')
+					i++;
+			}
+		} else if (lseek(fileno(fin), restart_point, SEEK_SET) < 0) {
+			perror_reply(550, name);
+			goto done;
+		}
+	}
+	dout = dataconn(name, st.st_size, "w");
+	if (dout == NULL)
+		goto done;
+	set_buffer_size(fileno(dout), 0);
+	send_data(fin, dout);
+	fclose(dout);
+	data = -1;
+	pdata = -1;
+done:
+	if (cmd == 0)
+		LOGBYTES("get", name, byte_count);
+	(*closefunc)(fin);
+}
+
+/* filename sanity check */
+
+int 
+filename_check(char *filename)
+{
+  static const char good_chars[] = "+-=_,.";
+    char *p;
+
+    p = strrchr(filename, '/');
+    if(p)
+	filename = p + 1;
+
+    p = filename;
+
+    if(isalnum(*p)){
+	p++;
+	while(*p && (isalnum(*p) || strchr(good_chars, *p)))
+	    p++;
+	if(*p == '\0')
+	    return 0;
+    }
+    lreply(553, "\"%s\" is an illegal filename.", filename);
+    lreply(553, "The filename must start with an alphanumeric "
+	   "character and must only");
+    reply(553, "consist of alphanumeric characters or any of the following: %s", 
+	  good_chars);
+    return 1;
+}
+
+void
+do_store(char *name, char *mode, int unique)
+{
+	FILE *fout, *din;
+	struct stat st;
+	int (*closefunc) (FILE *);
+
+	if(guest && filename_check(name))
+	    return;
+	if (unique && stat(name, &st) == 0 &&
+	    (name = gunique(name)) == NULL) {
+		LOGCMD(*mode == 'w' ? "put" : "append", name);
+		return;
+	}
+
+	if (restart_point)
+		mode = "r+";
+	fout = fopen(name, mode);
+	closefunc = fclose;
+	if (fout == NULL) {
+		perror_reply(553, name);
+		LOGCMD(*mode == 'w' ? "put" : "append", name);
+		return;
+	}
+	byte_count = -1;
+	if (restart_point) {
+		if (type == TYPE_A) {
+			off_t i, n;
+			int c;
+
+			n = restart_point;
+			i = 0;
+			while (i++ < n) {
+				if ((c=getc(fout)) == EOF) {
+					perror_reply(550, name);
+					goto done;
+				}
+				if (c == '\n')
+					i++;
+			}
+			/*
+			 * We must do this seek to "current" position
+			 * because we are changing from reading to
+			 * writing.
+			 */
+			if (fseek(fout, 0L, SEEK_CUR) < 0) {
+				perror_reply(550, name);
+				goto done;
+			}
+		} else if (lseek(fileno(fout), restart_point, SEEK_SET) < 0) {
+			perror_reply(550, name);
+			goto done;
+		}
+	}
+	din = dataconn(name, (off_t)-1, "r");
+	if (din == NULL)
+		goto done;
+	set_buffer_size(fileno(din), 1);
+	if (receive_data(din, fout) == 0) {
+		if (unique)
+			reply(226, "Transfer complete (unique file name:%s).",
+			    name);
+		else
+			reply(226, "Transfer complete.");
+	}
+	fclose(din);
+	data = -1;
+	pdata = -1;
+done:
+	LOGBYTES(*mode == 'w' ? "put" : "append", name, byte_count);
+	(*closefunc)(fout);
+}
+
+static FILE *
+getdatasock(const char *mode)
+{
+	int s, t, tries;
+
+	if (data >= 0)
+		return (fdopen(data, mode));
+	seteuid(0);
+	s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+	if (s < 0)
+		goto bad;
+	socket_set_reuseaddr (s, 1);
+	/* anchor socket to avoid multi-homing problems */
+	socket_set_address_and_port (data_source,
+				     socket_get_address (ctrl_addr),
+				     socket_get_port (data_source));
+
+	for (tries = 1; ; tries++) {
+		if (bind(s, data_source,
+			 socket_sockaddr_size (data_source)) >= 0)
+			break;
+		if (errno != EADDRINUSE || tries > 10)
+			goto bad;
+		sleep(tries);
+	}
+	seteuid(pw->pw_uid);
+#ifdef IPTOS_THROUGHPUT
+	socket_set_tos (s, IPTOS_THROUGHPUT);
+#endif
+	return (fdopen(s, mode));
+bad:
+	/* Return the real value of errno (close may change it) */
+	t = errno;
+	seteuid((uid_t)pw->pw_uid);
+	close(s);
+	errno = t;
+	return (NULL);
+}
+
+static FILE *
+dataconn(const char *name, off_t size, const char *mode)
+{
+	char sizebuf[32];
+	FILE *file;
+	int retry = 0;
+
+	file_size = size;
+	byte_count = 0;
+	if (size >= 0)
+	    snprintf(sizebuf, sizeof(sizebuf), " (%ld bytes)", (long)size);
+	else
+	    *sizebuf = '\0';
+	if (pdata >= 0) {
+		struct sockaddr_storage from_ss;
+		struct sockaddr *from = (struct sockaddr *)&from_ss;
+		int s;
+		int fromlen = sizeof(from_ss);
+
+		s = accept(pdata, from, &fromlen);
+		if (s < 0) {
+			reply(425, "Can't open data connection.");
+			close(pdata);
+			pdata = -1;
+			return (NULL);
+		}
+		close(pdata);
+		pdata = s;
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+		{
+		    int tos = IPTOS_THROUGHPUT;
+		    
+		    setsockopt(s, IPPROTO_IP, IP_TOS, (void *)&tos,
+			       sizeof(tos));
+		}
+#endif
+		reply(150, "Opening %s mode data connection for '%s'%s.",
+		     type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);
+		return (fdopen(pdata, mode));
+	}
+	if (data >= 0) {
+		reply(125, "Using existing data connection for '%s'%s.",
+		    name, sizebuf);
+		usedefault = 1;
+		return (fdopen(data, mode));
+	}
+	if (usedefault)
+		data_dest = his_addr;
+	usedefault = 1;
+	file = getdatasock(mode);
+	if (file == NULL) {
+		char data_addr[256];
+
+		if (inet_ntop (data_source->sa_family,
+			       socket_get_address(data_source),
+			       data_addr, sizeof(data_addr)) == NULL)
+			strlcpy (data_addr, "unknown address",
+					 sizeof(data_addr));
+
+		reply(425, "Can't create data socket (%s,%d): %s.",
+		      data_addr,
+		      socket_get_port (data_source),
+		      strerror(errno));
+		return (NULL);
+	}
+	data = fileno(file);
+	while (connect(data, data_dest,
+		       socket_sockaddr_size(data_dest)) < 0) {
+		if (errno == EADDRINUSE && retry < swaitmax) {
+			sleep(swaitint);
+			retry += swaitint;
+			continue;
+		}
+		perror_reply(425, "Can't build data connection");
+		fclose(file);
+		data = -1;
+		return (NULL);
+	}
+	reply(150, "Opening %s mode data connection for '%s'%s.",
+	     type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);
+	return (file);
+}
+
+/*
+ * Tranfer the contents of "instr" to "outstr" peer using the appropriate
+ * encapsulation of the data subject * to Mode, Structure, and Type.
+ *
+ * NB: Form isn't handled.
+ */
+static void
+send_data(FILE *instr, FILE *outstr)
+{
+	int c, cnt, filefd, netfd;
+	static char *buf;
+	static size_t bufsize;
+
+	transflag++;
+	if (setjmp(urgcatch)) {
+		transflag = 0;
+		return;
+	}
+	switch (type) {
+
+	case TYPE_A:
+	    while ((c = getc(instr)) != EOF) {
+		byte_count++;
+		if(c == '\n')
+		    sec_putc('\r', outstr);
+		sec_putc(c, outstr);
+	    }
+	    sec_fflush(outstr);
+	    transflag = 0;
+	    if (ferror(instr))
+		goto file_err;
+	    if (ferror(outstr))
+		goto data_err;
+	    reply(226, "Transfer complete.");
+	    return;
+		
+	case TYPE_I:
+	case TYPE_L:
+#if defined(HAVE_MMAP) && !defined(NO_MMAP)
+#ifndef MAP_FAILED
+#define MAP_FAILED (-1)
+#endif
+	    {
+		struct stat st;
+		char *chunk;
+		int in = fileno(instr);
+		if(fstat(in, &st) == 0 && S_ISREG(st.st_mode) 
+		   && st.st_size > 0) {
+		    /*
+		     * mmap zero bytes has potential of loosing, don't do it.
+		     */
+		    chunk = mmap(0, st.st_size, PROT_READ,
+				 MAP_SHARED, in, 0);
+		    if((void *)chunk != (void *)MAP_FAILED) {
+			cnt = st.st_size - restart_point;
+			sec_write(fileno(outstr), chunk + restart_point, cnt);
+			if (munmap(chunk, st.st_size) < 0)
+			    warn ("munmap");
+			sec_fflush(outstr);
+			byte_count = cnt;
+			transflag = 0;
+		    }
+		}
+	    }
+#endif
+	if(transflag) {
+	    struct stat st;
+
+	    netfd = fileno(outstr);
+	    filefd = fileno(instr);
+	    buf = alloc_buffer (buf, &bufsize,
+				fstat(filefd, &st) >= 0 ? &st : NULL);
+	    if (buf == NULL) {
+		transflag = 0;
+		perror_reply(451, "Local resource failure: malloc");
+		return;
+	    }
+	    while ((cnt = read(filefd, buf, bufsize)) > 0 &&
+		   sec_write(netfd, buf, cnt) == cnt)
+		byte_count += cnt;
+	    sec_fflush(outstr); /* to end an encrypted stream */
+	    transflag = 0;
+	    if (cnt != 0) {
+		if (cnt < 0)
+		    goto file_err;
+		goto data_err;
+	    }
+	}
+	reply(226, "Transfer complete.");
+	return;
+	default:
+	    transflag = 0;
+	    reply(550, "Unimplemented TYPE %d in send_data", type);
+	    return;
+	}
+
+data_err:
+	transflag = 0;
+	perror_reply(426, "Data connection");
+	return;
+
+file_err:
+	transflag = 0;
+	perror_reply(551, "Error on input file");
+}
+
+/*
+ * Transfer data from peer to "outstr" using the appropriate encapulation of
+ * the data subject to Mode, Structure, and Type.
+ *
+ * N.B.: Form isn't handled.
+ */
+static int
+receive_data(FILE *instr, FILE *outstr)
+{
+    int cnt, bare_lfs = 0;
+    static char *buf;
+    static size_t bufsize;
+    struct stat st;
+
+    transflag++;
+    if (setjmp(urgcatch)) {
+	transflag = 0;
+	return (-1);
+    }
+
+    buf = alloc_buffer (buf, &bufsize,
+			fstat(fileno(outstr), &st) >= 0 ? &st : NULL);
+    if (buf == NULL) {
+	transflag = 0;
+	perror_reply(451, "Local resource failure: malloc");
+	return -1;
+    }
+    
+    switch (type) {
+
+    case TYPE_I:
+    case TYPE_L:
+	while ((cnt = sec_read(fileno(instr), buf, bufsize)) > 0) {
+	    if (write(fileno(outstr), buf, cnt) != cnt)
+		goto file_err;
+	    byte_count += cnt;
+	}
+	if (cnt < 0)
+	    goto data_err;
+	transflag = 0;
+	return (0);
+
+    case TYPE_E:
+	reply(553, "TYPE E not implemented.");
+	transflag = 0;
+	return (-1);
+
+    case TYPE_A:
+    {
+	char *p, *q;
+	int cr_flag = 0;
+	while ((cnt = sec_read(fileno(instr),
+				buf + cr_flag, 
+				bufsize - cr_flag)) > 0){
+	    byte_count += cnt;
+	    cnt += cr_flag;
+	    cr_flag = 0;
+	    for(p = buf, q = buf; p < buf + cnt;) {
+		if(*p == '\n')
+		    bare_lfs++;
+		if(*p == '\r') {
+		    if(p == buf + cnt - 1){
+			cr_flag = 1;
+			p++;
+			continue;
+		    }else if(p[1] == '\n'){
+			*q++ = '\n';
+			p += 2;
+			continue;
+		    }
+		}
+		*q++ = *p++;
+	    }
+	    fwrite(buf, q - buf, 1, outstr);
+	    if(cr_flag)
+		buf[0] = '\r';
+	}
+	if(cr_flag)
+	    putc('\r', outstr);
+	fflush(outstr);
+	if (ferror(instr))
+	    goto data_err;
+	if (ferror(outstr))
+	    goto file_err;
+	transflag = 0;
+	if (bare_lfs) {
+	    lreply(226, "WARNING! %d bare linefeeds received in ASCII mode\r\n"
+		   "    File may not have transferred correctly.\r\n",
+		   bare_lfs);
+	}
+	return (0);
+    }
+    default:
+	reply(550, "Unimplemented TYPE %d in receive_data", type);
+	transflag = 0;
+	return (-1);
+    }
+	
+data_err:
+    transflag = 0;
+    perror_reply(426, "Data Connection");
+    return (-1);
+	
+file_err:
+    transflag = 0;
+    perror_reply(452, "Error writing file");
+    return (-1);
+}
+
+void
+statfilecmd(char *filename)
+{
+	FILE *fin;
+	int c;
+	char line[LINE_MAX];
+
+	snprintf(line, sizeof(line), "/bin/ls -la -- %s", filename);
+	fin = ftpd_popen(line, "r", 1, 0);
+	lreply(211, "status of %s:", filename);
+	while ((c = getc(fin)) != EOF) {
+		if (c == '\n') {
+			if (ferror(stdout)){
+				perror_reply(421, "control connection");
+				ftpd_pclose(fin);
+				dologout(1);
+				/* NOTREACHED */
+			}
+			if (ferror(fin)) {
+				perror_reply(551, filename);
+				ftpd_pclose(fin);
+				return;
+			}
+			putc('\r', stdout);
+		}
+		putc(c, stdout);
+	}
+	ftpd_pclose(fin);
+	reply(211, "End of Status");
+}
+
+void
+statcmd(void)
+{
+#if 0
+	struct sockaddr_in *sin;
+	u_char *a, *p;
+
+	lreply(211, "%s FTP server (%s) status:", hostname, version);
+	printf("     %s\r\n", version);
+	printf("     Connected to %s", remotehost);
+	if (!isdigit(remotehost[0]))
+		printf(" (%s)", inet_ntoa(his_addr.sin_addr));
+	printf("\r\n");
+	if (logged_in) {
+		if (guest)
+			printf("     Logged in anonymously\r\n");
+		else
+			printf("     Logged in as %s\r\n", pw->pw_name);
+	} else if (askpasswd)
+		printf("     Waiting for password\r\n");
+	else
+		printf("     Waiting for user name\r\n");
+	printf("     TYPE: %s", typenames[type]);
+	if (type == TYPE_A || type == TYPE_E)
+		printf(", FORM: %s", formnames[form]);
+	if (type == TYPE_L)
+#if NBBY == 8
+		printf(" %d", NBBY);
+#else
+		printf(" %d", bytesize);	/* need definition! */
+#endif
+	printf("; STRUcture: %s; transfer MODE: %s\r\n",
+	    strunames[stru], modenames[mode]);
+	if (data != -1)
+		printf("     Data connection open\r\n");
+	else if (pdata != -1) {
+		printf("     in Passive mode");
+		sin = &pasv_addr;
+		goto printaddr;
+	} else if (usedefault == 0) {
+		printf("     PORT");
+		sin = &data_dest;
+printaddr:
+		a = (u_char *) &sin->sin_addr;
+		p = (u_char *) &sin->sin_port;
+#define UC(b) (((int) b) & 0xff)
+		printf(" (%d,%d,%d,%d,%d,%d)\r\n", UC(a[0]),
+			UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1]));
+#undef UC
+	} else
+		printf("     No data connection\r\n");
+#endif
+	reply(211, "End of status");
+}
+
+void
+fatal(char *s)
+{
+
+	reply(451, "Error in server: %s\n", s);
+	reply(221, "Closing connection due to server error.");
+	dologout(0);
+	/* NOTREACHED */
+}
+
+static void
+int_reply(int, char *, const char *, va_list)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 3, 0)))
+#endif
+;
+
+static void
+int_reply(int n, char *c, const char *fmt, va_list ap)
+{
+    char buf[10240];
+    char *p;
+    p=buf;
+    if(n){
+	snprintf(p, sizeof(buf), "%d%s", n, c);
+	p+=strlen(p);
+    }
+    vsnprintf(p, sizeof(buf) - strlen(p), fmt, ap);
+    p+=strlen(p);
+    snprintf(p, sizeof(buf) - strlen(p), "\r\n");
+    p+=strlen(p);
+    sec_fprintf(stdout, "%s", buf);
+    fflush(stdout);
+    if (debug)
+	syslog(LOG_DEBUG, "<--- %s- ", buf);
+}
+
+void
+reply(int n, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  int_reply(n, " ", fmt, ap);
+  delete_ftp_command();
+  va_end(ap);
+}
+
+void
+lreply(int n, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  int_reply(n, "-", fmt, ap);
+  va_end(ap);
+}
+
+void
+nreply(const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  int_reply(0, NULL, fmt, ap);
+  va_end(ap);
+}
+
+static void
+ack(char *s)
+{
+
+	reply(250, "%s command successful.", s);
+}
+
+void
+nack(char *s)
+{
+
+	reply(502, "%s command not implemented.", s);
+}
+
+/* ARGSUSED */
+void
+yyerror(char *s)
+{
+	char *cp;
+
+	if ((cp = strchr(cbuf,'\n')))
+		*cp = '\0';
+	reply(500, "'%s': command not understood.", cbuf);
+}
+
+void
+do_delete(char *name)
+{
+	struct stat st;
+
+	LOGCMD("delete", name);
+	if (stat(name, &st) < 0) {
+		perror_reply(550, name);
+		return;
+	}
+	if ((st.st_mode&S_IFMT) == S_IFDIR) {
+		if (rmdir(name) < 0) {
+			perror_reply(550, name);
+			return;
+		}
+		goto done;
+	}
+	if (unlink(name) < 0) {
+		perror_reply(550, name);
+		return;
+	}
+done:
+	ack("DELE");
+}
+
+void
+cwd(char *path)
+{
+
+	if (chdir(path) < 0)
+		perror_reply(550, path);
+	else
+		ack("CWD");
+}
+
+void
+makedir(char *name)
+{
+
+	LOGCMD("mkdir", name);
+	if(guest && filename_check(name))
+	    return;
+	if (mkdir(name, 0777) < 0)
+		perror_reply(550, name);
+	else{
+	    if(guest)
+		chmod(name, 0700); /* guest has umask 777 */
+	    reply(257, "MKD command successful.");
+	}
+}
+
+void
+removedir(char *name)
+{
+
+	LOGCMD("rmdir", name);
+	if (rmdir(name) < 0)
+		perror_reply(550, name);
+	else
+		ack("RMD");
+}
+
+void
+pwd(void)
+{
+    char path[MaxPathLen];
+    char *ret;
+
+    /* SunOS has a broken getcwd that does popen(pwd) (!!!), this
+     * failes miserably when running chroot 
+     */
+    ret = getcwd(path, sizeof(path));
+    if (ret == NULL)
+	reply(550, "%s.", strerror(errno));
+    else
+	reply(257, "\"%s\" is current directory.", path);
+}
+
+char *
+renamefrom(char *name)
+{
+	struct stat st;
+
+	if (stat(name, &st) < 0) {
+		perror_reply(550, name);
+		return NULL;
+	}
+	reply(350, "File exists, ready for destination name");
+	return (name);
+}
+
+void
+renamecmd(char *from, char *to)
+{
+
+	LOGCMD2("rename", from, to);
+	if(guest && filename_check(to))
+	    return;
+	if (rename(from, to) < 0)
+		perror_reply(550, "rename");
+	else
+		ack("RNTO");
+}
+
+static void
+dolog(struct sockaddr *sa)
+{
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+	inaddr2str (sin->sin_addr, remotehost, sizeof(remotehost));
+#ifdef HAVE_SETPROCTITLE
+	snprintf(proctitle, sizeof(proctitle), "%s: connected", remotehost);
+	setproctitle("%s", proctitle);
+#endif /* HAVE_SETPROCTITLE */
+
+	if (logging) {
+		char data_addr[256];
+
+		if (inet_ntop (his_addr->sa_family,
+			       socket_get_address(his_addr),
+			       data_addr, sizeof(data_addr)) == NULL)
+			strlcpy (data_addr, "unknown address",
+					 sizeof(data_addr));
+
+
+		syslog(LOG_INFO, "connection from %s(%s)",
+		       remotehost,
+		       data_addr);
+	}
+}
+
+/*
+ * Record logout in wtmp file
+ * and exit with supplied status.
+ */
+void
+dologout(int status)
+{
+    transflag = 0;
+    if (logged_in) {
+	seteuid((uid_t)0);
+	ftpd_logwtmp(ttyline, "", "");
+#ifdef KRB4
+	cond_kdestroy();
+#endif
+    }
+    /* beware of flushing buffers after a SIGPIPE */
+#ifdef XXX
+    exit(status);
+#else
+    _exit(status);
+#endif	
+}
+
+void abor(void)
+{
+}
+
+static void
+myoob(int signo)
+{
+#if 0
+	char *cp;
+#endif
+
+	/* only process if transfer occurring */
+	if (!transflag)
+		return;
+
+	/* This is all XXX */
+	oobflag = 1;
+	/* if the command resulted in a new command, 
+	   parse that as well */
+	do{
+	    yyparse();
+	} while(ftp_command);
+	oobflag = 0;
+
+#if 0 
+	cp = tmpline;
+	if (ftpd_getline(cp, 7) == NULL) {
+		reply(221, "You could at least say goodbye.");
+		dologout(0);
+	}
+	upper(cp);
+	if (strcmp(cp, "ABOR\r\n") == 0) {
+		tmpline[0] = '\0';
+		reply(426, "Transfer aborted. Data connection closed.");
+		reply(226, "Abort successful");
+		longjmp(urgcatch, 1);
+	}
+	if (strcmp(cp, "STAT\r\n") == 0) {
+		if (file_size != (off_t) -1)
+			reply(213, "Status: %ld of %ld bytes transferred",
+			      (long)byte_count,
+			      (long)file_size);
+		else
+			reply(213, "Status: %ld bytes transferred"
+			      (long)byte_count);
+	}
+#endif
+}
+
+/*
+ * Note: a response of 425 is not mentioned as a possible response to
+ *	the PASV command in RFC959. However, it has been blessed as
+ *	a legitimate response by Jon Postel in a telephone conversation
+ *	with Rick Adams on 25 Jan 89.
+ */
+void
+pasv(void)
+{
+	int len;
+	char *p, *a;
+	struct sockaddr_in *sin;
+
+	if (ctrl_addr->sa_family != AF_INET) {
+		reply(425,
+		      "You cannot do PASV with something that's not IPv4");
+		return;
+	}
+
+	pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+	if (pdata < 0) {
+		perror_reply(425, "Can't open passive connection");
+		return;
+	}
+	pasv_addr->sa_family = ctrl_addr->sa_family;
+	socket_set_address_and_port (pasv_addr,
+				     socket_get_address (ctrl_addr),
+				     0);
+	seteuid(0);
+	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+		seteuid(pw->pw_uid);
+		goto pasv_error;
+	}
+	seteuid(pw->pw_uid);
+	len = sizeof(pasv_addr_ss);
+	if (getsockname(pdata, pasv_addr, &len) < 0)
+		goto pasv_error;
+	if (listen(pdata, 1) < 0)
+		goto pasv_error;
+	sin = (struct sockaddr_in *)pasv_addr;
+	a = (char *) &sin->sin_addr;
+	p = (char *) &sin->sin_port;
+
+#define UC(b) (((int) b) & 0xff)
+
+	reply(227, "Entering Passive Mode (%d,%d,%d,%d,%d,%d)", UC(a[0]),
+		UC(a[1]), UC(a[2]), UC(a[3]), UC(p[0]), UC(p[1]));
+	return;
+
+pasv_error:
+	close(pdata);
+	pdata = -1;
+	perror_reply(425, "Can't open passive connection");
+	return;
+}
+
+void
+epsv(char *proto)
+{
+	int len;
+
+	pdata = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+	if (pdata < 0) {
+		perror_reply(425, "Can't open passive connection");
+		return;
+	}
+	pasv_addr->sa_family = ctrl_addr->sa_family;
+	socket_set_address_and_port (pasv_addr,
+				     socket_get_address (ctrl_addr),
+				     0);
+	seteuid(0);
+	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+		seteuid(pw->pw_uid);
+		goto pasv_error;
+	}
+	seteuid(pw->pw_uid);
+	len = sizeof(pasv_addr_ss);
+	if (getsockname(pdata, pasv_addr, &len) < 0)
+		goto pasv_error;
+	if (listen(pdata, 1) < 0)
+		goto pasv_error;
+
+	reply(229, "Entering Extended Passive Mode (|||%d|)",
+	      ntohs(socket_get_port (pasv_addr)));
+	return;
+
+pasv_error:
+	close(pdata);
+	pdata = -1;
+	perror_reply(425, "Can't open passive connection");
+	return;
+}
+
+void
+eprt(char *str)
+{
+	char *end;
+	char sep;
+	int af;
+	int ret;
+	int port;
+
+	usedefault = 0;
+	if (pdata >= 0) {
+	    close(pdata);
+	    pdata = -1;
+	}
+
+	sep = *str++;
+	if (sep == '\0') {
+		reply(500, "Bad syntax in EPRT");
+		return;
+	}
+	af = strtol (str, &end, 0);
+	if (af == 0 || *end != sep) {
+		reply(500, "Bad syntax in EPRT");
+		return;
+	}
+	str = end + 1;
+	switch (af) {
+#ifdef HAVE_IPV6
+	case 2 :
+	    data_dest->sa_family = AF_INET6;
+	    break;
+#endif		
+	case 1 :
+	    data_dest->sa_family = AF_INET;
+		break;
+	default :
+		reply(522, "Network protocol %d not supported, use (1"
+#ifdef HAVE_IPV6
+		      ",2"
+#endif
+		      ")", af);
+		return;
+	}
+	end = strchr (str, sep);
+	if (end == NULL) {
+		reply(500, "Bad syntax in EPRT");
+		return;
+	}
+	*end = '\0';
+	ret = inet_pton (data_dest->sa_family, str,
+			 socket_get_address (data_dest));
+
+	if (ret != 1) {
+		reply(500, "Bad address syntax in EPRT");
+		return;
+	}
+	str = end + 1;
+	port = strtol (str, &end, 0);
+	if (port == 0 || *end != sep) {
+		reply(500, "Bad port syntax in EPRT");
+		return;
+	}
+	socket_set_port (data_dest, htons(port));
+	reply(200, "EPRT command successful.");
+}
+
+/*
+ * Generate unique name for file with basename "local".
+ * The file named "local" is already known to exist.
+ * Generates failure reply on error.
+ */
+static char *
+gunique(char *local)
+{
+	static char new[MaxPathLen];
+	struct stat st;
+	int count;
+	char *cp;
+
+	cp = strrchr(local, '/');
+	if (cp)
+		*cp = '\0';
+	if (stat(cp ? local : ".", &st) < 0) {
+		perror_reply(553, cp ? local : ".");
+		return NULL;
+	}
+	if (cp)
+		*cp = '/';
+	for (count = 1; count < 100; count++) {
+		snprintf (new, sizeof(new), "%s.%d", local, count);
+		if (stat(new, &st) < 0)
+			return (new);
+	}
+	reply(452, "Unique file name cannot be created.");
+	return (NULL);
+}
+
+/*
+ * Format and send reply containing system error number.
+ */
+void
+perror_reply(int code, const char *string)
+{
+	reply(code, "%s: %s.", string, strerror(errno));
+}
+
+static char *onefile[] = {
+	"",
+	0
+};
+
+void
+list_file(char *file)
+{
+    if(use_builtin_ls) {
+	FILE *dout;
+	dout = dataconn(file, -1, "w");
+	if (dout == NULL)
+	    return;
+	set_buffer_size(fileno(dout), 0);
+	builtin_ls(dout, file);
+	reply(226, "Transfer complete.");
+	fclose(dout);
+	data = -1;
+	pdata = -1;
+    } else {
+#ifdef HAVE_LS_A
+	const char *cmd = "/bin/ls -lA -- %s";
+#else
+	const char *cmd = "/bin/ls -la -- %s";
+#endif
+	retrieve(cmd, file);
+    }
+}
+
+void
+send_file_list(char *whichf)
+{
+  struct stat st;
+  DIR *dirp = NULL;
+  struct dirent *dir;
+  FILE *dout = NULL;
+  char **dirlist, *dirname;
+  int simple = 0;
+  int freeglob = 0;
+  glob_t gl;
+  char buf[MaxPathLen];
+
+  if (strpbrk(whichf, "~{[*?") != NULL) {
+    int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+
+    memset(&gl, 0, sizeof(gl));
+    freeglob = 1;
+    if (glob(whichf, flags, 0, &gl)) {
+      reply(550, "not found");
+      goto out;
+    } else if (gl.gl_pathc == 0) {
+      errno = ENOENT;
+      perror_reply(550, whichf);
+      goto out;
+    }
+    dirlist = gl.gl_pathv;
+  } else {
+    onefile[0] = whichf;
+    dirlist = onefile;
+    simple = 1;
+  }
+
+  if (setjmp(urgcatch)) {
+    transflag = 0;
+    goto out;
+  }
+  while ((dirname = *dirlist++)) {
+    if (stat(dirname, &st) < 0) {
+      /*
+       * If user typed "ls -l", etc, and the client
+       * used NLST, do what the user meant.
+       */
+      if (dirname[0] == '-' && *dirlist == NULL &&
+	  transflag == 0) {
+	  list_file(dirname);
+	  goto out;
+      }
+      perror_reply(550, whichf);
+      if (dout != NULL) {
+	fclose(dout);
+	transflag = 0;
+	data = -1;
+	pdata = -1;
+      }
+      goto out;
+    }
+
+    if (S_ISREG(st.st_mode)) {
+      if (dout == NULL) {
+	dout = dataconn("file list", (off_t)-1, "w");
+	if (dout == NULL)
+	  goto out;
+	transflag++;
+      }
+      snprintf(buf, sizeof(buf), "%s%s\n", dirname,
+	      type == TYPE_A ? "\r" : "");
+      sec_write(fileno(dout), buf, strlen(buf));
+      byte_count += strlen(dirname) + 1;
+      continue;
+    } else if (!S_ISDIR(st.st_mode))
+      continue;
+
+    if ((dirp = opendir(dirname)) == NULL)
+      continue;
+
+    while ((dir = readdir(dirp)) != NULL) {
+      char nbuf[MaxPathLen];
+
+      if (!strcmp(dir->d_name, "."))
+	continue;
+      if (!strcmp(dir->d_name, ".."))
+	continue;
+
+      snprintf(nbuf, sizeof(nbuf), "%s/%s", dirname, dir->d_name);
+
+      /*
+       * We have to do a stat to insure it's
+       * not a directory or special file.
+       */
+      if (simple || (stat(nbuf, &st) == 0 &&
+		     S_ISREG(st.st_mode))) {
+	if (dout == NULL) {
+	  dout = dataconn("file list", (off_t)-1, "w");
+	  if (dout == NULL)
+	    goto out;
+	  transflag++;
+	}
+	if(strncmp(nbuf, "./", 2) == 0)
+	  snprintf(buf, sizeof(buf), "%s%s\n", nbuf +2,
+		   type == TYPE_A ? "\r" : "");
+	else
+	  snprintf(buf, sizeof(buf), "%s%s\n", nbuf,
+		   type == TYPE_A ? "\r" : "");
+	sec_write(fileno(dout), buf, strlen(buf));
+	byte_count += strlen(nbuf) + 1;
+      }
+    }
+    closedir(dirp);
+  }
+  if (dout == NULL)
+    reply(550, "No files found.");
+  else if (ferror(dout) != 0)
+    perror_reply(550, "Data connection");
+  else
+    reply(226, "Transfer complete.");
+
+  transflag = 0;
+  if (dout != NULL){
+    sec_write(fileno(dout), buf, 0); /* XXX flush */
+	    
+    fclose(dout);
+  }
+  data = -1;
+  pdata = -1;
+out:
+  if (freeglob) {
+    freeglob = 0;
+    globfree(&gl);
+  }
+}
+
+
+int
+find(char *pattern)
+{
+    char line[1024];
+    FILE *f;
+
+    snprintf(line, sizeof(line),
+	     "/bin/locate -d %s -- %s",
+	     ftp_rooted("/etc/locatedb"),
+	     pattern);
+    f = ftpd_popen(line, "r", 1, 1);
+    if(f == NULL){
+	perror_reply(550, "/bin/locate");
+	return 1;
+    }
+    lreply(200, "Output from find.");
+    while(fgets(line, sizeof(line), f)){
+	if(line[strlen(line)-1] == '\n')
+	    line[strlen(line)-1] = 0;
+	nreply("%s", line);
+    }
+    reply(200, "Done");
+    ftpd_pclose(f);
+    return 0;
+}
+
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/ftpd_locl.h b/crypto/kerberosIV/appl/ftp/ftpd/ftpd_locl.h
new file mode 100644
index 0000000..5cb4904
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/ftpd_locl.h
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: ftpd_locl.h,v 1.9 1999/12/02 16:58:30 joda Exp $ */
+
+#ifndef __ftpd_locl_h__
+#define __ftpd_locl_h__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+/*
+ * FTP server.
+ */
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_IOCCOM_H
+#include <sys/ioccom.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+#include <arpa/ftp.h>
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#include <ctype.h>
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+#include <errno.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <glob.h>
+#include <limits.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <setjmp.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#include <time.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#include <fnmatch.h>
+
+#ifdef HAVE_BSD_BSD_H
+#include <bsd/bsd.h>
+#endif
+
+#include <err.h>
+
+#include "pathnames.h"
+#include "extern.h"
+#include "common.h"
+
+#include "security.h"
+
+#include "roken.h"
+
+#ifdef KRB4
+#include <krb.h>
+#include <kafs.h>
+#endif
+
+#ifdef OTP
+#include <otp.h>
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+extern int LIBPREFIX(fclose)      (FILE *);
+#endif
+
+/* SunOS doesn't have any declaration of fclose */
+
+int fclose(FILE *stream);
+
+int yyparse();
+
+#ifndef LOG_FTP
+#define LOG_FTP LOG_DAEMON
+#endif
+
+#endif /* __ftpd_locl_h__ */
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/gss_userok.c b/crypto/kerberosIV/appl/ftp/ftpd/gss_userok.c
new file mode 100644
index 0000000..28e3596
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/gss_userok.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ftpd_locl.h"
+#include <gssapi.h>
+#include <krb5.h>
+
+RCSID("$Id: gss_userok.c,v 1.2 1999/12/02 16:58:31 joda Exp $");
+
+/* XXX a bit too much of krb5 dependency here... 
+   What is the correct way to do this? 
+   */
+
+extern krb5_context gssapi_krb5_context;
+
+/* XXX sync with gssapi.c */
+struct gss_data {
+    gss_ctx_id_t context_hdl;
+    char *client_name;
+};
+
+int gss_userok(void*, char*); /* to keep gcc happy */
+
+int
+gss_userok(void *app_data, char *username)
+{
+    struct gss_data *data = app_data;
+    if(gssapi_krb5_context) {
+	krb5_principal client;
+	krb5_error_code ret;
+	ret = krb5_parse_name(gssapi_krb5_context, data->client_name, &client);
+	if(ret)
+	    return 1;
+	ret = krb5_kuserok(gssapi_krb5_context, client, username);
+	krb5_free_principal(gssapi_krb5_context, client);
+	return !ret;
+    }
+    return 1;
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/kauth.c b/crypto/kerberosIV/appl/ftp/ftpd/kauth.c
new file mode 100644
index 0000000..dad4de5
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/kauth.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ftpd_locl.h"
+
+RCSID("$Id: kauth.c,v 1.25 1999/12/02 16:58:31 joda Exp $");
+
+static KTEXT_ST cip;
+static unsigned int lifetime;
+static time_t local_time;
+
+static krb_principal pr;
+
+static int do_destroy_tickets = 1;
+
+static int
+save_tkt(const char *user,
+	 const char *instance,
+	 const char *realm,
+	 const void *arg, 
+	 key_proc_t key_proc,
+	 KTEXT *cipp)
+{
+    local_time = time(0);
+    memmove(&cip, *cipp, sizeof(cip));
+    return -1;
+}
+
+static int
+store_ticket(KTEXT cip)
+{
+    char *ptr;
+    des_cblock session;
+    krb_principal sp;
+    unsigned char kvno;
+    KTEXT_ST tkt;
+    int left = cip->length;
+    int len;
+    int kerror;
+    
+    ptr = (char *) cip->dat;
+
+    /* extract session key */
+    memmove(session, ptr, 8);
+    ptr += 8;
+    left -= 8;
+
+    len = strnlen(ptr, left);
+    if (len == left)
+	return(INTK_BADPW);
+    
+    /* extract server's name */
+    strlcpy(sp.name, ptr, sizeof(sp.name));
+    ptr += len + 1;
+    left -= len + 1;
+
+    len = strnlen(ptr, left);
+    if (len == left)
+	return(INTK_BADPW);
+    
+    /* extract server's instance */
+    strlcpy(sp.instance, ptr, sizeof(sp.instance));
+    ptr += len + 1;
+    left -= len + 1;
+
+    len = strnlen(ptr, left);
+    if (len == left)
+	return(INTK_BADPW);
+    
+    /* extract server's realm */
+    strlcpy(sp.realm, ptr, sizeof(sp.realm));
+    ptr += len + 1;
+    left -= len + 1;
+
+    if(left < 3)
+	return INTK_BADPW;
+    /* extract ticket lifetime, server key version, ticket length */
+    /* be sure to avoid sign extension on lifetime! */
+    lifetime = (unsigned char) ptr[0];
+    kvno = (unsigned char) ptr[1];
+    tkt.length = (unsigned char) ptr[2];
+    ptr += 3;
+    left -= 3;
+    
+    if (tkt.length > left)
+	return(INTK_BADPW);
+
+    /* extract ticket itself */
+    memmove(tkt.dat, ptr, tkt.length);
+    ptr += tkt.length;
+    left -= tkt.length;
+
+    /* Here is where the time should be verified against the KDC.
+     * Unfortunately everything is sent in host byte order (receiver
+     * makes wrong) , and at this stage there is no way for us to know
+     * which byteorder the KDC has. So we simply ignore the time,
+     * there are no security risks with this, the only thing that can
+     * happen is that we might receive a replayed ticket, which could
+     * at most be useless.
+     */
+    
+#if 0
+    /* check KDC time stamp */
+    {
+	time_t kdc_time;
+
+	memmove(&kdc_time, ptr, sizeof(kdc_time));
+	if (swap_bytes) swap_u_long(kdc_time);
+
+	ptr += 4;
+    
+	if (abs((int)(local_time - kdc_time)) > CLOCK_SKEW) {
+	    return(RD_AP_TIME);		/* XXX should probably be better
+					   code */
+	}
+    }
+#endif
+
+    /* initialize ticket cache */
+
+    if (tf_create(TKT_FILE) != KSUCCESS)
+	return(INTK_ERR);
+
+    if (tf_put_pname(pr.name) != KSUCCESS ||
+	tf_put_pinst(pr.instance) != KSUCCESS) {
+	tf_close();
+	return(INTK_ERR);
+    }
+
+    
+    kerror = tf_save_cred(sp.name, sp.instance, sp.realm, session, 
+			  lifetime, kvno, &tkt, local_time);
+    tf_close();
+
+    return(kerror);
+}
+
+void
+kauth(char *principal, char *ticket)
+{
+    char *p;
+    int ret;
+  
+    if(get_command_prot() != prot_private) {
+	reply(500, "Request denied (bad protection level)");
+	return;
+    }
+    ret = krb_parse_name(principal, &pr);
+    if(ret){
+	reply(500, "Bad principal: %s.", krb_get_err_text(ret));
+	return;
+    }
+    if(pr.realm[0] == 0)
+	krb_get_lrealm(pr.realm, 1);
+
+    if(ticket){
+	cip.length = base64_decode(ticket, &cip.dat);
+	if(cip.length == -1){
+	    reply(500, "Failed to decode data.");
+	    return;
+	}
+	ret = store_ticket(&cip);
+	if(ret){
+	    reply(500, "Kerberos error: %s.", krb_get_err_text(ret));
+	    memset(&cip, 0, sizeof(cip));
+	    return;
+	}
+	do_destroy_tickets = 1;
+
+	if(k_hasafs())
+	    krb_afslog(0, 0);
+	reply(200, "Tickets will be destroyed on exit.");
+	return;
+    }
+    
+    ret = krb_get_in_tkt (pr.name,
+			  pr.instance,
+			  pr.realm,
+			  KRB_TICKET_GRANTING_TICKET,
+			  pr.realm,
+			  DEFAULT_TKT_LIFE,
+			  NULL, save_tkt, NULL);
+    if(ret != INTK_BADPW){
+	reply(500, "Kerberos error: %s.", krb_get_err_text(ret));
+	return;
+    }
+    if(base64_encode(cip.dat, cip.length, &p) < 0) {
+	reply(500, "Out of memory while base64-encoding.");
+	return;
+    }
+    reply(300, "P=%s T=%s", krb_unparse_name(&pr), p);
+    free(p);
+    memset(&cip, 0, sizeof(cip));
+}
+
+
+static char *
+short_date(int32_t dp)
+{
+    char *cp;
+    time_t t = (time_t)dp;
+
+    if (t == (time_t)(-1L)) return "***  Never  *** ";
+    cp = ctime(&t) + 4;
+    cp[15] = '\0';
+    return (cp);
+}
+
+void
+klist(void)
+{
+    int err;
+
+    char *file = tkt_string();
+
+    krb_principal pr;
+    
+    char buf1[128], buf2[128];
+    int header = 1;
+    CREDENTIALS c;
+
+    
+
+    err = tf_init(file, R_TKT_FIL);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+    tf_close();
+
+    /* 
+     * We must find the realm of the ticket file here before calling
+     * tf_init because since the realm of the ticket file is not
+     * really stored in the principal section of the file, the
+     * routine we use must itself call tf_init and tf_close.
+     */
+    err = krb_get_tf_realm(file, pr.realm);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+
+    err = tf_init(file, R_TKT_FIL);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+
+    err = tf_get_pname(pr.name);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+    err = tf_get_pinst(pr.instance);
+    if(err != KSUCCESS){
+	reply(500, "%s", krb_get_err_text(err));
+	return;
+    }
+
+    /* 
+     * You may think that this is the obvious place to get the
+     * realm of the ticket file, but it can't be done here as the
+     * routine to do this must open the ticket file.  This is why 
+     * it was done before tf_init.
+     */
+       
+    lreply(200, "Ticket file: %s", tkt_string());
+
+    lreply(200, "Principal: %s", krb_unparse_name(&pr));
+    while ((err = tf_get_cred(&c)) == KSUCCESS) {
+	if (header) {
+	    lreply(200, "%-15s  %-15s  %s",
+		   "  Issued", "  Expires", "  Principal (kvno)");
+	    header = 0;
+	}
+	strlcpy(buf1, short_date(c.issue_date), sizeof(buf1));
+	c.issue_date = krb_life_to_time(c.issue_date, c.lifetime);
+	if (time(0) < (unsigned long) c.issue_date)
+	    strlcpy(buf2, short_date(c.issue_date), sizeof(buf2));
+	else
+	    strlcpy(buf2, ">>> Expired <<< ", sizeof(buf2));
+	lreply(200, "%s  %s  %s (%d)", buf1, buf2,
+	       krb_unparse_name_long(c.service, c.instance, c.realm), c.kvno); 
+    }
+    if (header && err == EOF) {
+	lreply(200, "No tickets in file.");
+    }
+    reply(200, " ");
+}
+
+/*
+ * Only destroy if we created the tickets
+ */
+
+void
+cond_kdestroy(void)
+{
+    if (do_destroy_tickets)
+	dest_tkt();
+    afsunlog();
+}
+
+void
+kdestroy(void)
+{
+    dest_tkt();
+    afsunlog();
+    reply(200, "Tickets destroyed");
+}
+
+void
+krbtkfile(const char *tkfile)
+{
+    do_destroy_tickets = 0;
+    krb_set_tkt_string(tkfile);
+    reply(200, "Using ticket file %s", tkfile);
+}
+
+void
+afslog(const char *cell)
+{
+    if(k_hasafs()) {
+	krb_afslog(cell, 0);
+	reply(200, "afslog done");
+    } else {
+	reply(200, "no AFS present");
+    }
+}
+
+void
+afsunlog(void)
+{
+    if(k_hasafs())
+	k_unlog();
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/krb4.c b/crypto/kerberosIV/appl/ftp/ftpd/krb4.c
new file mode 100644
index 0000000..2457c61
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/krb4.c
@@ -0,0 +1,372 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: krb4.c,v 1.19 1997/05/11 09:00:07 assar Exp $");
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_NETINET_IN_h
+#include <netinet/in.h>
+#endif
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <krb.h>
+
+#include "base64.h"
+#include "extern.h"
+#include "auth.h"
+#include "krb4.h"
+
+#include <roken.h>
+
+static AUTH_DAT auth_dat;
+static des_key_schedule schedule;
+
+int krb4_auth(char *auth)
+{
+    auth_complete = 0;
+    reply(334, "Using authentication type %s; ADAT must follow", auth);
+    return 0;
+}
+
+int krb4_adat(char *auth)
+{
+    KTEXT_ST tkt;
+    char *p;
+    int kerror;
+    u_int32_t cs;
+    char msg[35]; /* size of encrypted block */
+    int len;
+
+    char inst[INST_SZ];
+
+    memset(&tkt, 0, sizeof(tkt));
+    len = base64_decode(auth, tkt.dat);
+
+    if(len < 0){
+	reply(501, "Failed to decode base64 data.");
+	return -1;
+    }
+    tkt.length = len;
+
+    k_getsockinst(0, inst, sizeof(inst));
+    kerror = krb_rd_req(&tkt, "ftp", inst, 0, &auth_dat, "");
+    if(kerror == RD_AP_UNDEC){
+	k_getsockinst(0, inst, sizeof(inst));
+	kerror = krb_rd_req(&tkt, "rcmd", inst, 0, &auth_dat, "");
+    }
+
+    if(kerror){
+	reply(535, "Error reading request: %s.", krb_get_err_text(kerror));
+	return -1;
+    }
+  
+    des_set_key(&auth_dat.session, schedule);
+
+    cs = auth_dat.checksum + 1;
+    {
+	unsigned char tmp[4];
+	tmp[0] = (cs >> 24) & 0xff;
+	tmp[1] = (cs >> 16) & 0xff;
+	tmp[2] = (cs >> 8) & 0xff;
+	tmp[3] = cs & 0xff;
+	len = krb_mk_safe(tmp, msg, 4, &auth_dat.session, 
+			  &ctrl_addr, &his_addr);
+    }
+    if(len < 0){
+	reply(535, "Error creating reply: %s.", strerror(errno));
+	return -1;
+    }
+    base64_encode(msg, len, &p);
+    reply(235, "ADAT=%s", p);
+    auth_complete = 1;
+    free(p);
+    return 0;
+}
+
+int krb4_pbsz(int size)
+{
+    if(size > 1048576) /* XXX arbitrary number */
+	size = 1048576;
+    buffer_size = size;
+    reply(200, "OK PBSZ=%d", buffer_size);
+    return 0;
+}
+
+int krb4_prot(int level)
+{
+    if(level == prot_confidential)
+	return -1;
+    return 0;
+}
+
+int krb4_ccc(void)
+{
+    reply(534, "Don't event think about it.");
+    return -1;
+}
+
+int krb4_mic(char *msg)
+{
+    int len;
+    int kerror;
+    MSG_DAT m_data;
+    char *tmp, *cmd;
+  
+    cmd = strdup(msg);
+    
+    len = base64_decode(msg, cmd);
+    if(len < 0){
+	reply(501, "Failed to decode base 64 data.");
+	free(cmd);
+	return -1;
+    }
+    kerror = krb_rd_safe(cmd, len, &auth_dat.session, 
+			 &his_addr, &ctrl_addr, &m_data);
+
+    if(kerror){
+	reply(535, "Error reading request: %s.", krb_get_err_text(kerror));
+	free(cmd);
+	return -1;
+    }
+    
+    tmp = malloc(strlen(msg) + 1);
+    snprintf(tmp, strlen(msg) + 1, "%.*s", (int)m_data.app_length, m_data.app_data);
+    if(!strstr(tmp, "\r\n"))
+	strcat(tmp, "\r\n");
+    new_ftp_command(tmp);
+    free(cmd);
+    return 0;
+}
+
+int krb4_conf(char *msg)
+{
+    prot_level = prot_safe;
+
+    reply(537, "Protection level not supported.");
+    return -1;
+}
+
+int krb4_enc(char *msg)
+{
+    int len;
+    int kerror;
+    MSG_DAT m_data;
+    char *tmp, *cmd;
+  
+    cmd = strdup(msg);
+    
+    len = base64_decode(msg, cmd);
+    if(len < 0){
+	reply(501, "Failed to decode base 64 data.");
+	free(cmd);
+	return -1;
+    }
+    kerror = krb_rd_priv(cmd, len, schedule, &auth_dat.session, 
+			 &his_addr, &ctrl_addr, &m_data);
+
+    if(kerror){
+	reply(535, "Error reading request: %s.", krb_get_err_text(kerror));
+	free(cmd);
+	return -1;
+    }
+    
+    tmp = strdup(msg);
+    snprintf(tmp, strlen(msg) + 1, "%.*s", (int)m_data.app_length, m_data.app_data);
+    if(!strstr(tmp, "\r\n"))
+	strcat(tmp, "\r\n");
+    new_ftp_command(tmp);
+    free(cmd);
+    return 0;
+}
+
+int krb4_read(int fd, void *data, int length)
+{
+    static int left;
+    static char *extra;
+    static int eof;
+    int len, bytes, tx = 0;
+    
+    MSG_DAT m_data;
+    int kerror;
+
+    if(eof){ /* if we haven't reported an end-of-file, do so */
+	eof = 0;
+	return 0;
+    }
+    
+    if(left){
+	if(length > left)
+	    bytes = left;
+	else
+	    bytes = length;
+	memmove(data, extra, bytes);
+	left -= bytes;
+	if(left)
+	    memmove(extra, extra + bytes, left);
+	else
+	    free(extra);
+	length -= bytes;
+	tx += bytes;
+    }
+
+    while(length){
+	unsigned char tmp[4];
+	if(krb_net_read(fd, tmp, 4) < 4){
+	    reply(400, "Unexpected end of file.\n");
+	    return -1;
+	}
+	len = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
+	krb_net_read(fd, data_buffer, len);
+	if(data_protection == prot_safe)
+	    kerror = krb_rd_safe(data_buffer, len, &auth_dat.session, 
+				 &his_addr, &ctrl_addr, &m_data);
+	else
+	    kerror = krb_rd_priv(data_buffer, len, schedule, &auth_dat.session,
+				 &his_addr, &ctrl_addr, &m_data);
+	
+	if(kerror){
+	    reply(400, "Failed to read data: %s.", krb_get_err_text(kerror));
+	    return -1;
+	}
+	
+	bytes = m_data.app_length;
+	if(bytes == 0){
+	    if(tx) eof = 1;
+	    return  tx;
+	}
+	if(bytes > length){
+	    left = bytes - length;
+	    bytes = length;
+	    extra = malloc(left);
+	    memmove(extra, m_data.app_data + bytes, left);
+	}
+	memmove((unsigned char*)data + tx, m_data.app_data, bytes);
+	tx += bytes;
+	length -= bytes;
+    }
+    return tx;
+}
+
+int krb4_write(int fd, void *data, int length)
+{
+    int len, bytes, tx = 0;
+
+    len = buffer_size;
+    if(data_protection == prot_safe)
+	len -= 31; /* always 31 bytes overhead */
+    else
+	len -= 26; /* at most 26 bytes */
+    
+    do{
+	if(length < len)
+	    len = length;
+	if(data_protection == prot_safe)
+	    bytes = krb_mk_safe(data, data_buffer+4, len, &auth_dat.session,
+				&ctrl_addr, &his_addr);
+	else
+	    bytes = krb_mk_priv(data, data_buffer+4, len, schedule, 
+				&auth_dat.session,
+				&ctrl_addr, &his_addr);
+	if(bytes == -1){
+	    reply(535, "Failed to make packet: %s.", strerror(errno));
+	    return -1;
+	}
+	data_buffer[0] = (bytes >> 24) & 0xff;
+	data_buffer[1] = (bytes >> 16) & 0xff;
+	data_buffer[2] = (bytes >> 8) & 0xff;
+	data_buffer[3] = bytes & 0xff;
+	if(krb_net_write(fd, data_buffer, bytes+4) < 0)
+	    return -1;
+	length -= len;
+	data = (unsigned char*)data + len;
+	tx += len;
+    }while(length);
+    return tx;
+}
+
+int krb4_userok(char *name)
+{
+    if(!kuserok(&auth_dat, name)){
+	do_login(232, name);
+    }else{
+	reply(530, "User %s access denied.", name);
+    }
+    return 0;
+}
+
+
+int
+krb4_vprintf(const char *fmt, va_list ap)
+{
+    char buf[10240];
+    char *p;
+    char *enc;
+    int code;
+    int len;
+  
+    vsnprintf (buf, sizeof(buf), fmt, ap);
+    enc = malloc(strlen(buf) + 31);
+    if(prot_level == prot_safe){
+	len = krb_mk_safe((u_char*)buf, (u_char*)enc, strlen(buf), &auth_dat.session, 
+			  &ctrl_addr, &his_addr); 
+	code = 631;
+    }else if(prot_level == prot_private){
+	len = krb_mk_priv((u_char*)buf, (u_char*)enc, strlen(buf), schedule, 
+			  &auth_dat.session, &ctrl_addr, &his_addr); 
+	code = 632;
+    }else{
+	len = 0; /* XXX */
+	code = 631;
+    }
+    base64_encode(enc, len, &p);
+    fprintf(stdout, "%d %s\r\n", code, p);
+    free(enc);
+    free(p);
+    return 0;
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/krb4.h b/crypto/kerberosIV/appl/ftp/ftpd/krb4.h
new file mode 100644
index 0000000..f777dbd
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/krb4.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: krb4.h,v 1.6 1997/04/01 08:17:29 joda Exp $ */
+
+#ifndef __KRB4_H__
+#define __KRB4_H__
+
+#include <stdarg.h>
+
+int krb4_auth(char *auth);
+int krb4_adat(char *auth);
+int krb4_pbsz(int size);
+int krb4_prot(int level);
+int krb4_ccc(void);
+int krb4_mic(char *msg);
+int krb4_conf(char *msg);
+int krb4_enc(char *msg);
+
+int krb4_read(int fd, void *data, int length);
+int krb4_write(int fd, void *data, int length);
+
+int krb4_userok(char *name);
+int krb4_vprintf(const char *fmt, va_list ap);
+
+#endif /* __KRB4_H__ */
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/logwtmp.c b/crypto/kerberosIV/appl/ftp/ftpd/logwtmp.c
new file mode 100644
index 0000000..019cc2d
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/logwtmp.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: logwtmp.c,v 1.14 1999/12/02 16:58:31 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#endif
+#ifdef HAVE_UTMPX_H
+#include <utmpx.h>
+#endif
+#include "extern.h"
+
+#ifndef WTMP_FILE
+#ifdef _PATH_WTMP
+#define WTMP_FILE _PATH_WTMP
+#else
+#define WTMP_FILE "/var/adm/wtmp"
+#endif
+#endif
+
+void
+ftpd_logwtmp(char *line, char *name, char *host)
+{
+    static int init = 0;
+    static int fd;
+#ifdef WTMPX_FILE
+    static int fdx;
+#endif
+    struct utmp ut;
+#ifdef WTMPX_FILE
+    struct utmpx utx;
+#endif
+
+    memset(&ut, 0, sizeof(struct utmp));
+#ifdef HAVE_STRUCT_UTMP_UT_TYPE
+    if(name[0])
+	ut.ut_type = USER_PROCESS;
+    else
+	ut.ut_type = DEAD_PROCESS;
+#endif
+    strncpy(ut.ut_line, line, sizeof(ut.ut_line));
+    strncpy(ut.ut_name, name, sizeof(ut.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_PID
+    ut.ut_pid = getpid();
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+    strncpy(ut.ut_host, host, sizeof(ut.ut_host));
+#endif
+    ut.ut_time = time(NULL);
+
+#ifdef WTMPX_FILE
+    strncpy(utx.ut_line, line, sizeof(utx.ut_line));
+    strncpy(utx.ut_user, name, sizeof(utx.ut_user));
+    strncpy(utx.ut_host, host, sizeof(utx.ut_host));
+#ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN
+    utx.ut_syslen = strlen(host) + 1;
+    if (utx.ut_syslen > sizeof(utx.ut_host))
+        utx.ut_syslen = sizeof(utx.ut_host);
+#endif
+    {
+	struct timeval tv;
+
+	gettimeofday (&tv, 0);
+	utx.ut_tv.tv_sec = tv.tv_sec;
+	utx.ut_tv.tv_usec = tv.tv_usec;
+    }
+
+    if(name[0])
+	utx.ut_type = USER_PROCESS;
+    else
+	utx.ut_type = DEAD_PROCESS;
+#endif
+
+    if(!init){
+	fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0);
+#ifdef WTMPX_FILE
+	fdx = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0);
+#endif
+	init = 1;
+    }
+    if(fd >= 0) {
+	write(fd, &ut, sizeof(struct utmp)); /* XXX */
+#ifdef WTMPX_FILE
+	write(fdx, &utx, sizeof(struct utmpx));
+#endif	
+    }
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/ls.c b/crypto/kerberosIV/appl/ftp/ftpd/ls.c
new file mode 100644
index 0000000..6e2c9a1
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/ls.c
@@ -0,0 +1,573 @@
+/*
+ * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "ftpd_locl.h"
+
+RCSID("$Id: ls.c,v 1.13.2.2 2000/06/23 02:51:09 assar Exp $");
+
+struct fileinfo {
+    struct stat st;
+    int inode;
+    int bsize;
+    char mode[11];
+    int n_link;
+    char *user;
+    char *group;
+    char *size;
+    char *major;
+    char *minor;
+    char *date;
+    char *filename;
+    char *link;
+};
+
+#define LS_DIRS		 1
+#define LS_IGNORE_DOT	 2
+#define LS_SORT_MODE	 12
+#define SORT_MODE(f) ((f) & LS_SORT_MODE)
+#define LS_SORT_NAME	 4
+#define LS_SORT_MTIME	 8
+#define LS_SORT_SIZE	12
+#define LS_SORT_REVERSE	16
+
+#define LS_SIZE		32
+#define LS_INODE	64
+
+#ifndef S_ISTXT
+#define S_ISTXT S_ISVTX
+#endif
+
+#ifndef S_ISSOCK
+#define S_ISSOCK(mode)  (((mode) & _S_IFMT) == S_IFSOCK)
+#endif
+
+#ifndef S_ISLNK
+#define S_ISLNK(mode)   (((mode) & _S_IFMT) == S_IFLNK)
+#endif
+
+static void
+make_fileinfo(const char *filename, struct fileinfo *file, int flags)
+{
+    char buf[128];
+    struct stat *st = &file->st;
+
+    file->inode = st->st_ino;
+#ifdef S_BLKSIZE
+    file->bsize = st->st_blocks * S_BLKSIZE / 1024;
+#else
+    file->bsize = st->st_blocks * 512 / 1024;
+#endif
+
+    if(S_ISDIR(st->st_mode))
+	file->mode[0] = 'd';
+    else if(S_ISCHR(st->st_mode))
+	file->mode[0] = 'c';
+    else if(S_ISBLK(st->st_mode))
+	file->mode[0] = 'b';
+    else if(S_ISREG(st->st_mode))
+	file->mode[0] = '-';
+    else if(S_ISFIFO(st->st_mode))
+	file->mode[0] = 'p';
+    else if(S_ISLNK(st->st_mode))
+	file->mode[0] = 'l';
+    else if(S_ISSOCK(st->st_mode))
+	file->mode[0] = 's';
+#ifdef S_ISWHT
+    else if(S_ISWHT(st->st_mode))
+	file->mode[0] = 'w';
+#endif
+    else 
+	file->mode[0] = '?';
+    {
+	char *x[] = { "---", "--x", "-w-", "-wx", 
+		      "r--", "r-x", "rw-", "rwx" };
+	strcpy(file->mode + 1, x[(st->st_mode & S_IRWXU) >> 6]);
+	strcpy(file->mode + 4, x[(st->st_mode & S_IRWXG) >> 3]);
+	strcpy(file->mode + 7, x[(st->st_mode & S_IRWXO) >> 0]);
+	if((st->st_mode & S_ISUID)) {
+	    if((st->st_mode & S_IXUSR))
+		file->mode[3] = 's';
+	    else
+		file->mode[3] = 'S';
+	}
+	if((st->st_mode & S_ISGID)) {
+	    if((st->st_mode & S_IXGRP))
+		file->mode[6] = 's';
+	    else
+		file->mode[6] = 'S';
+	}
+	if((st->st_mode & S_ISTXT)) {
+	    if((st->st_mode & S_IXOTH))
+		file->mode[9] = 't';
+	    else
+		file->mode[9] = 'T';
+	}
+    }
+    file->n_link = st->st_nlink;
+    {
+	struct passwd *pwd;
+	pwd = getpwuid(st->st_uid);
+	if(pwd == NULL)
+	    asprintf(&file->user, "%u", (unsigned)st->st_uid);
+	else
+	    file->user = strdup(pwd->pw_name);
+    }
+    {
+	struct group *grp;
+	grp = getgrgid(st->st_gid);
+	if(grp == NULL)
+	    asprintf(&file->group, "%u", (unsigned)st->st_gid);
+	else
+	    file->group = strdup(grp->gr_name);
+    }
+    
+    if(S_ISCHR(st->st_mode) || S_ISBLK(st->st_mode)) {
+#if defined(major) && defined(minor)
+	asprintf(&file->major, "%u", (unsigned)major(st->st_rdev));
+	asprintf(&file->minor, "%u", (unsigned)minor(st->st_rdev));
+#else
+	/* Don't want to use the DDI/DKI crap. */
+	asprintf(&file->major, "%u", (unsigned)st->st_rdev);
+	asprintf(&file->minor, "%u", 0);
+#endif
+    } else
+	asprintf(&file->size, "%lu", (unsigned long)st->st_size);
+
+    {
+	time_t t = time(NULL);
+	time_t mtime = st->st_mtime;
+	struct tm *tm = localtime(&mtime);
+	if((t - mtime > 6*30*24*60*60) ||
+	   (mtime - t > 6*30*24*60*60))
+	    strftime(buf, sizeof(buf), "%b %e  %Y", tm);
+	else
+	    strftime(buf, sizeof(buf), "%b %e %H:%M", tm);
+	file->date = strdup(buf);
+    }
+    {
+	const char *p = strrchr(filename, '/');
+	if(p)
+	    p++;
+	else
+	    p = filename;
+	file->filename = strdup(p);
+    }
+    if(S_ISLNK(st->st_mode)) {
+	int n;
+	n = readlink((char *)filename, buf, sizeof(buf));
+	if(n >= 0) {
+	    buf[n] = '\0';
+	    file->link = strdup(buf);
+	} else
+	    warn("%s: readlink", filename);
+    }
+}
+
+static void
+print_file(FILE *out,
+	   int flags,
+	   struct fileinfo *f,
+	   int max_inode,
+	   int max_bsize,
+	   int max_n_link,
+	   int max_user,
+	   int max_group,
+	   int max_size,
+	   int max_major,
+	   int max_minor,
+	   int max_date)
+{
+    if(f->filename == NULL)
+	return;
+
+    if(flags & LS_INODE) {
+	sec_fprintf2(out, "%*d", max_inode, f->inode);
+	sec_fprintf2(out, "  ");
+    }
+    if(flags & LS_SIZE) {
+	sec_fprintf2(out, "%*d", max_bsize, f->bsize);
+	sec_fprintf2(out, "  ");
+    }
+    sec_fprintf2(out, "%s", f->mode);
+    sec_fprintf2(out, "  ");
+    sec_fprintf2(out, "%*d", max_n_link, f->n_link);
+    sec_fprintf2(out, " ");
+    sec_fprintf2(out, "%-*s", max_user, f->user);
+    sec_fprintf2(out, "  ");
+    sec_fprintf2(out, "%-*s", max_group, f->group);
+    sec_fprintf2(out, "  ");
+    if(f->major != NULL && f->minor != NULL)
+	sec_fprintf2(out, "%*s, %*s", max_major, f->major, max_minor, f->minor);
+    else
+	sec_fprintf2(out, "%*s", max_size, f->size);
+    sec_fprintf2(out, " ");
+    sec_fprintf2(out, "%*s", max_date, f->date);
+    sec_fprintf2(out, " ");
+    sec_fprintf2(out, "%s", f->filename);
+    if(f->link)
+	sec_fprintf2(out, " -> %s", f->link);
+    sec_fprintf2(out, "\r\n");
+}
+
+static int
+compare_filename(struct fileinfo *a, struct fileinfo *b)
+{
+    if(a->filename == NULL)
+	return 1;
+    if(b->filename == NULL)
+	return -1;
+    return strcmp(a->filename, b->filename);
+}
+
+static int
+compare_mtime(struct fileinfo *a, struct fileinfo *b)
+{
+    if(a->filename == NULL)
+	return 1;
+    if(b->filename == NULL)
+	return -1;
+    return a->st.st_mtime - b->st.st_mtime;
+}
+
+static int
+compare_size(struct fileinfo *a, struct fileinfo *b)
+{
+    if(a->filename == NULL)
+	return 1;
+    if(b->filename == NULL)
+	return -1;
+    return a->st.st_size - b->st.st_size;
+}
+
+static void
+list_dir(FILE *out, const char *directory, int flags);
+
+static int
+log10(int num)
+{
+    int i = 1;
+    while(num > 10) {
+	i++;
+	num /= 10;
+    }
+    return i;
+}
+
+/*
+ * Operate as lstat but fake up entries for AFS mount points so we don't
+ * have to fetch them.
+ */
+
+static int
+lstat_file (const char *file, struct stat *sb)
+{
+#ifdef KRB4
+    if (k_hasafs() 
+	&& strcmp(file, ".")
+	&& strcmp(file, "..")) 
+    {
+	struct ViceIoctl    a_params;
+	char               *last;
+	char               *path_bkp;
+	static ino_t	   ino_counter = 0, ino_last = 0;
+	int		   ret;
+	const int	   maxsize = 2048;
+	
+	path_bkp = strdup (file);
+	if (path_bkp == NULL)
+	    return -1;
+	
+	a_params.out = malloc (maxsize);
+	if (a_params.out == NULL) { 
+	    free (path_bkp);
+	    return -1;
+	}
+	
+	/* If path contains more than the filename alone - split it */
+	
+	last = strrchr (path_bkp, '/');
+	if (last != NULL) {
+	    *last = '\0';
+	    a_params.in = last + 1;
+	} else
+	    a_params.in = (char *)file;
+	
+	a_params.in_size  = strlen (a_params.in) + 1;
+	a_params.out_size = maxsize;
+	
+	ret = k_pioctl (last ? path_bkp : "." ,
+			VIOC_AFS_STAT_MT_PT, &a_params, 0);
+	free (a_params.out);
+	if (ret < 0) {
+	    free (path_bkp);
+
+	    if (errno != EINVAL)
+		return ret;
+	    else
+		/* if we get EINVAL this is probably not a mountpoint */
+		return lstat (file, sb);
+	}
+
+	/* 
+	 * wow this was a mountpoint, lets cook the struct stat
+	 * use . as a prototype
+	 */
+
+	ret = lstat (path_bkp, sb);
+	free (path_bkp);
+	if (ret < 0)
+	    return ret;
+
+	if (ino_last == sb->st_ino)
+	    ino_counter++;
+	else {
+	    ino_last    = sb->st_ino;
+	    ino_counter = 0;
+	}
+	sb->st_ino += ino_counter;
+	sb->st_nlink = 3;
+
+	return 0;
+    }
+#endif /* KRB4 */
+    return lstat (file, sb);
+}
+
+static void
+list_files(FILE *out, char **files, int n_files, int flags)
+{
+    struct fileinfo *fi;
+    int i;
+
+    fi = calloc(n_files, sizeof(*fi));
+    if (fi == NULL) {
+	sec_fprintf2(out, "ouf of memory\r\n");
+	return;
+    }
+    for(i = 0; i < n_files; i++) {
+	if(lstat_file(files[i], &fi[i].st) < 0) {
+	    sec_fprintf2(out, "%s: %s\r\n", files[i], strerror(errno));
+	    fi[i].filename = NULL;
+	} else {
+	    if((flags & LS_DIRS) == 0 && S_ISDIR(fi[i].st.st_mode)) {
+		if(n_files > 1)
+		    sec_fprintf2(out, "%s:\r\n", files[i]);
+		list_dir(out, files[i], flags);
+	    } else {
+		make_fileinfo(files[i], &fi[i], flags);
+	    }
+	}
+    }
+    switch(SORT_MODE(flags)) {
+    case LS_SORT_NAME:
+	qsort(fi, n_files, sizeof(*fi), 
+	      (int (*)(const void*, const void*))compare_filename);
+	break;
+    case LS_SORT_MTIME:
+	qsort(fi, n_files, sizeof(*fi), 
+	      (int (*)(const void*, const void*))compare_mtime);
+	break;
+    case LS_SORT_SIZE:
+	qsort(fi, n_files, sizeof(*fi), 
+	      (int (*)(const void*, const void*))compare_size);
+	break;
+    }
+    {
+	int max_inode = 0;
+	int max_bsize = 0;
+	int max_n_link = 0;
+	int max_user = 0;
+	int max_group = 0;
+	int max_size = 0;
+	int max_major = 0;
+	int max_minor = 0;
+	int max_date = 0;
+	for(i = 0; i < n_files; i++) {
+	    if(fi[i].filename == NULL)
+		continue;
+	    if(fi[i].inode > max_inode)
+		max_inode = fi[i].inode;
+	    if(fi[i].bsize > max_bsize)
+		max_bsize = fi[i].bsize;
+	    if(fi[i].n_link > max_n_link)
+		max_n_link = fi[i].n_link;
+	    if(strlen(fi[i].user) > max_user)
+		max_user = strlen(fi[i].user);
+	    if(strlen(fi[i].group) > max_group)
+		max_group = strlen(fi[i].group);
+	    if(fi[i].major != NULL && strlen(fi[i].major) > max_major)
+		max_major = strlen(fi[i].major);
+	    if(fi[i].minor != NULL && strlen(fi[i].minor) > max_minor)
+		max_minor = strlen(fi[i].minor);
+	    if(fi[i].size != NULL && strlen(fi[i].size) > max_size)
+		max_size = strlen(fi[i].size);
+	    if(strlen(fi[i].date) > max_date)
+		max_date = strlen(fi[i].date);
+	}
+	if(max_size < max_major + max_minor + 2)
+	    max_size = max_major + max_minor + 2;
+	else if(max_size - max_minor - 2 > max_major)
+	    max_major = max_size - max_minor - 2;
+	max_inode = log10(max_inode);
+	max_bsize = log10(max_bsize);
+	max_n_link = log10(max_n_link);
+
+	if(flags & LS_SORT_REVERSE)
+	    for(i = n_files - 1; i >= 0; i--)
+		print_file(out,
+			   flags,
+			   &fi[i],
+			   max_inode,
+			   max_bsize,
+			   max_n_link,
+			   max_user,
+			   max_group,
+			   max_size,
+			   max_major,
+			   max_minor,
+			   max_date);
+	else
+	    for(i = 0; i < n_files; i++)
+		print_file(out,
+			   flags,
+			   &fi[i],
+			   max_inode,
+			   max_bsize,
+			   max_n_link,
+			   max_user,
+			   max_group,
+			   max_size,
+			   max_major,
+			   max_minor,
+			   max_date);
+    }
+}
+
+static void
+free_files (char **files, int n)
+{
+    int i;
+
+    for (i = 0; i < n; ++i)
+	free (files[i]);
+    free (files);
+}
+
+static void
+list_dir(FILE *out, const char *directory, int flags)
+{
+    DIR *d = opendir(directory);
+    struct dirent *ent;
+    char **files = NULL;
+    int n_files = 0;
+
+    if(d == NULL) {
+	sec_fprintf2(out, "%s: %s\r\n", directory, strerror(errno));
+	return;
+    }
+    while((ent = readdir(d)) != NULL) {
+	void *tmp;
+
+	if(ent->d_name[0] == '.') {
+	    if (flags & LS_IGNORE_DOT)
+	        continue;
+	    if (ent->d_name[1] == 0) /* Ignore . */
+	        continue;
+	    if (ent->d_name[1] == '.' && ent->d_name[2] == 0) /* Ignore .. */
+	        continue;
+	}
+	tmp = realloc(files, (n_files + 1) * sizeof(*files));
+	if (tmp == NULL) {
+	    sec_fprintf2(out, "%s: out of memory\r\n", directory);
+	    free_files (files, n_files);
+	    closedir (d);
+	    return;
+	}
+	files = tmp;
+	asprintf(&files[n_files], "%s/%s", directory, ent->d_name);
+	if (files[n_files] == NULL) {
+	    sec_fprintf2(out, "%s: out of memory\r\n", directory);
+	    free_files (files, n_files);
+	    closedir (d);
+	    return;
+	}
+	++n_files;
+    }
+    closedir(d);
+    list_files(out, files, n_files, flags | LS_DIRS);
+}
+
+void
+builtin_ls(FILE *out, const char *file)
+{
+    int flags = LS_SORT_NAME;
+
+    if(*file == '-') {
+	const char *p;
+	for(p = file + 1; *p; p++) {
+	    switch(*p) {
+	    case 'a':
+	    case 'A':
+		flags &= ~LS_IGNORE_DOT;
+		break;
+	    case 'C':
+		break;
+	    case 'd':
+		flags |= LS_DIRS;
+		break;
+	    case 'f':
+		flags = (flags & ~LS_SORT_MODE);
+		break;
+	    case 'i':
+		flags |= flags | LS_INODE;
+		break;
+	    case 'l':
+		break;
+	    case 't':
+		flags = (flags & ~LS_SORT_MODE) | LS_SORT_MTIME;
+		break;
+	    case 's':
+		flags |= LS_SIZE;
+		break;
+	    case 'S':
+		flags = (flags & ~LS_SORT_MODE) | LS_SORT_SIZE;
+		break;
+	    case 'r':
+		flags |= LS_SORT_REVERSE;
+		break;
+	    }
+	}
+	file = ".";
+    }
+    list_files(out, &file, 1, flags);
+    sec_fflush(out);
+}
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/pathnames.h b/crypto/kerberosIV/appl/ftp/ftpd/pathnames.h
new file mode 100644
index 0000000..ff2041b
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/pathnames.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)pathnames.h	8.1 (Berkeley) 6/4/93
+ */
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifndef _PATH_DEVNULL
+#define _PATH_DEVNULL "/dev/null"
+#endif
+
+#ifndef _PATH_NOLOGIN
+#define _PATH_NOLOGIN "/etc/nologin"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
+#define	_PATH_FTPUSERS		"/etc/ftpusers"
+#define	_PATH_FTPCHROOT		"/etc/ftpchroot"
+#define	_PATH_FTPWELCOME	"/etc/ftpwelcome"
+#define	_PATH_FTPLOGINMESG	"/etc/motd"
+
+#define _PATH_ISSUE		"/etc/issue"
+#define _PATH_ISSUE_NET		"/etc/issue.net"
diff --git a/crypto/kerberosIV/appl/ftp/ftpd/popen.c b/crypto/kerberosIV/appl/ftp/ftpd/popen.c
new file mode 100644
index 0000000..5f36813
--- /dev/null
+++ b/crypto/kerberosIV/appl/ftp/ftpd/popen.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 1988, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software written by Ken Arnold and
+ * published in UNIX Review, Vol. 6, No. 8.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: popen.c,v 1.19 1999/09/16 20:38:45 assar Exp $");
+#endif
+
+#include <sys/types.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#include <sys/wait.h>
+
+#include <errno.h>
+#include <glob.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "extern.h"
+
+#include <roken.h>
+
+/* 
+ * Special version of popen which avoids call to shell.  This ensures
+ * no one may create a pipe to a hidden program as a side effect of a
+ * list or dir command.
+ */
+static int *pids;
+static int fds;
+
+extern int dochroot;
+
+/* return path prepended with ~ftp if that file exists, otherwise
+ * return path unchanged
+ */
+
+const char *
+ftp_rooted(const char *path)
+{
+    static char home[MaxPathLen] = "";
+    static char newpath[MaxPathLen];
+    struct passwd *pwd;
+
+    if(!home[0])
+	if((pwd = k_getpwnam("ftp")))
+	    strlcpy(home, pwd->pw_dir, sizeof(home));
+    snprintf(newpath, sizeof(newpath), "%s/%s", home, path);
+    if(access(newpath, X_OK))
+	strlcpy(newpath, path, sizeof(newpath));
+    return newpath;
+}
+
+
+FILE *
+ftpd_popen(char *program, char *type, int do_stderr, int no_glob)
+{
+	char *cp;
+	FILE *iop;
+	int argc, gargc, pdes[2], pid;
+	char **pop, *argv[100], *gargv[1000];
+	char *foo;
+
+	if (strcmp(type, "r") && strcmp(type, "w"))
+		return (NULL);
+
+	if (!pids) {
+
+	    /* This function is ugly and should be rewritten, in
+	     * modern unices there is no such thing as a maximum
+	     * filedescriptor.
+	     */
+
+	    fds = getdtablesize();
+	    pids = (int*)calloc(fds, sizeof(int));
+	    if(!pids)
+		return NULL;
+	}
+	if (pipe(pdes) < 0)
+		return (NULL);
+
+	/* break up string into pieces */
+	foo = NULL;
+	for (argc = 0, cp = program;; cp = NULL) {
+		if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
+			break;
+	}
+
+	gargv[0] = (char*)ftp_rooted(argv[0]);
+	/* glob each piece */
+	for (gargc = argc = 1; argv[argc]; argc++) {
+		glob_t gl;
+		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+
+		memset(&gl, 0, sizeof(gl));
+		if (no_glob || glob(argv[argc], flags, NULL, &gl))
+			gargv[gargc++] = strdup(argv[argc]);
+		else
+			for (pop = gl.gl_pathv; *pop; pop++)
+				gargv[gargc++] = strdup(*pop);
+		globfree(&gl);
+	}
+	gargv[gargc] = NULL;
+
+	iop = NULL;
+	switch(pid = fork()) {
+	case -1:			/* error */
+		close(pdes[0]);
+		close(pdes[1]);
+		goto pfree;
+		/* NOTREACHED */
+	case 0:				/* child */
+		if (*type == 'r') {
+			if (pdes[1] != STDOUT_FILENO) {
+				dup2(pdes[1], STDOUT_FILENO);
+				close(pdes[1]);
+			}
+			if(do_stderr)
+			    dup2(STDOUT_FILENO, STDERR_FILENO);
+			close(pdes[0]);
+		} else {
+			if (pdes[0] != STDIN_FILENO) {
+				dup2(pdes[0], STDIN_FILENO);
+				close(pdes[0]);
+			}
+			close(pdes[1]);
+		}
+		execv(gargv[0], gargv);
+		gargv[0] = argv[0];
+		execv(gargv[0], gargv);
+		_exit(1);
+	}
+	/* parent; assume fdopen can't fail...  */
+	if (*type == 'r') {
+		iop = fdopen(pdes[0], type);
+		close(pdes[1]);
+	} else {
+		iop = fdopen(pdes[1], type);
+		close(pdes[0]);
+	}
+	pids[fileno(iop)] = pid;
+	
+pfree:	
+	for (argc = 1; gargv[argc] != NULL; argc++)
+	    free(gargv[argc]);
+
+
+	return (iop);
+}
+
+int
+ftpd_pclose(FILE *iop)
+{
+	int fdes, status;
+	pid_t pid;
+	sigset_t sigset, osigset;
+
+	/*
+	 * pclose returns -1 if stream is not associated with a
+	 * `popened' command, or, if already `pclosed'.
+	 */
+	if (pids == 0 || pids[fdes = fileno(iop)] == 0)
+		return (-1);
+	fclose(iop);
+	sigemptyset(&sigset);
+	sigaddset(&sigset, SIGINT);
+	sigaddset(&sigset, SIGQUIT);
+	sigaddset(&sigset, SIGHUP);
+	sigprocmask(SIG_BLOCK, &sigset, &osigset);
+	while ((pid = waitpid(pids[fdes], &status, 0)) < 0 && errno == EINTR)
+		continue;
+	sigprocmask(SIG_SETMASK, &osigset, NULL);
+	pids[fdes] = 0;
+	if (pid < 0)
+		return (pid);
+	if (WIFEXITED(status))
+		return (WEXITSTATUS(status));
+	return (1);
+}
diff --git a/crypto/kerberosIV/appl/kauth/ChangeLog b/crypto/kerberosIV/appl/kauth/ChangeLog
new file mode 100644
index 0000000..7ce281c
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/ChangeLog
@@ -0,0 +1,41 @@
+2000-02-28  Assar Westerlund  <assar@sics.se>
+
+	* kauth.c (main): don't enable aflag with `-d'.  this breaks with
+	kaservers that don't let you get a ticket for a user and besides,
+	adding debugging should not change the functionality
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* rkinit.c (doit_host): NAT work-around
+	* kauthd.c (doit): type correctness
+
+1999-08-31  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kauth.c: cleanup usage string; handle `kauth -h' gracefully
+	(print usage); add `-a' flag to get the ticket address (useful for
+	firewall configurations)
+
+Thu Apr 15 15:05:33 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kauth.c: add `-v'
+
+Thu Mar 18 11:17:14 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Sun Nov 22 10:30:47 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Tue May 26 17:41:47 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kauth.c: use krb_enable_debug
+
+Fri May  1 07:15:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* rkinit.c: unifdef -DHAVE_H_ERRNO
+
+Thu Mar 19 16:07:18 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kauth.c: Check for negative return value from krb_afslog().
+
diff --git a/crypto/kerberosIV/appl/kauth/Makefile.am b/crypto/kerberosIV/appl/kauth/Makefile.am
new file mode 100644
index 0000000..a5bf0fdaca
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/Makefile.am
@@ -0,0 +1,42 @@
+# $Id: Makefile.am,v 1.7 1999/04/09 18:22:45 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+bin_PROGRAMS = kauth
+bin_SCRIPTS = ksrvtgt
+libexec_PROGRAMS = kauthd
+
+EXTRA_DIST = zrefresh ksrvtgt.in
+
+kauth_SOURCES = \
+	kauth.c \
+	kauth.h \
+	rkinit.c \
+	marshall.c \
+	encdata.c
+
+kauthd_SOURCES = \
+	kauthd.c \
+	kauth.h \
+	marshall.c \
+	encdata.c
+
+ksrvtgt: ksrvtgt.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/ksrvtgt.in > $@
+	chmod +x $@
+
+install-exec-local:
+	if test -f $(bindir)/zrefresh -o -r  $(bindir)/zrefresh; then \
+	  true; \
+	else \
+	  $(INSTALL_PROGRAM) $(srcdir)/zrefresh $(bindir)/`echo zrefresh | sed '$(transform)'`; \
+	fi
+
+LDADD = \
+	$(LIB_kafs)				\
+	$(LIB_krb5)				\
+	$(LIB_krb4)				\
+	$(top_builddir)/lib/des/libdes.la	\
+	$(LIB_roken)
diff --git a/crypto/kerberosIV/appl/kauth/Makefile.in b/crypto/kerberosIV/appl/kauth/Makefile.in
new file mode 100644
index 0000000..1e8a4c1
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/Makefile.in
@@ -0,0 +1,115 @@
+# $Id: Makefile.in,v 1.40.16.1 2000/06/23 02:52:31 assar Exp $
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+top_builddir = ../..
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@ -DBINDIR='"$(bindir)"'
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT  = @INSTALL_SCRIPT@
+LIBS = @LIBS@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+libexecdir = @libexecdir@
+bindir = @bindir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+PROG_BIN	= kauth$(EXECSUFFIX)
+SCRIPT_BIN	= ksrvtgt
+PROG_LIBEXEC	= kauthd$(EXECSUFFIX)
+PROGS = $(PROG_BIN) $(SCRIPT_BIN) $(PROG_LIBEXEC)
+
+SOURCES_KAUTH  = kauth.c rkinit.c
+SOURCES_KAUTHD = kauthd.c
+SOURCES_COMMON = encdata.c marshall.c
+
+OBJECTS_KAUTH  = kauth.o rkinit.o
+OBJECTS_KAUTHD = kauthd.o
+OBJECTS_COMMON = marshall.o encdata.o
+
+OBJECTS = $(OBJECTS_KAUTH) $(OBJECTS_KAUTHD)
+SOURCES = $(SOURCES_KAUTH) $(SOURCES_KAUTHD) $(SOURCES_COMMON)
+
+KRB_KAFS_LIB = @KRB_KAFS_LIB@
+
+all: $(PROGS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir)
+	for x in $(PROG_BIN); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(bindir)/`echo $$x| sed '$(transform)'`; \
+	done
+	for x in $(SCRIPT_BIN); do \
+	  $(INSTALL_SCRIPT) $$x $(DESTDIR)$(bindir)/`echo $$x| sed '$(transform)'`; \
+	done
+	if test -f $(DESTDIR)$(bindir)/zrefresh -o -r  $(DESTDIR)$(bindir)/zrefresh; then \
+	  true; \
+	else \
+	  $(INSTALL_PROGRAM) $(srcdir)/zrefresh $(DESTDIR)$(bindir)/`echo zrefresh | sed '$(transform)'`; \
+	fi
+	for x in $(PROG_LIBEXEC); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(libexecdir)/`echo $$x| sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROG_BIN) $(SCRIPT_BIN); do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$x| sed '$(transform)'`; \
+	done
+	for x in $(PROG_LIBEXEC); do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$x| sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f *.a *.o $(PROGS)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+KLIB=-L../../lib/krb -lkrb -L../../lib/des -ldes
+LIBROKEN=-L../../lib/roken -lroken
+
+kauth$(EXECSUFFIX): $(OBJECTS_KAUTH) $(OBJECTS_COMMON)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(OBJECTS_KAUTH) $(OBJECTS_COMMON) $(KRB_KAFS_LIB) $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+kauthd$(EXECSUFFIX): $(OBJECTS_KAUTHD) $(OBJECTS_COMMON)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(OBJECTS_KAUTHD) $(OBJECTS_COMMON) $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+ksrvtgt: ksrvtgt.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/ksrvtgt.in > $@
+	chmod +x $@
+
+
+$(OBJECTS): ../../include/config.h
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/appl/kauth/encdata.c b/crypto/kerberosIV/appl/kauth/encdata.c
new file mode 100644
index 0000000..886f549
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/encdata.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: encdata.c,v 1.10 1999/12/02 16:58:31 joda Exp $");
+
+int
+write_encrypted (int fd, void *buf, size_t len, des_key_schedule schedule,
+		 des_cblock *session, struct sockaddr_in *me,
+		 struct sockaddr_in *him)
+{
+     void *outbuf;
+     int32_t outlen, l;
+     int i;
+     unsigned char tmp[4];
+
+     outbuf = malloc(len + 30);
+     if (outbuf == NULL)
+	  return -1;
+     outlen = krb_mk_priv (buf, outbuf, len, schedule, session, me, him);
+     if (outlen < 0) {
+	  free(outbuf);
+	  return -1;
+     }
+     l = outlen;
+     for(i = 3; i >= 0; i--, l = l >> 8)
+	 tmp[i] = l & 0xff;
+     if (krb_net_write (fd, tmp, 4) != 4 ||
+	 krb_net_write (fd, outbuf, outlen) != outlen) {
+	  free(outbuf);
+	  return -1;
+     }
+     
+     free(outbuf);
+     return 0;
+}
+
+
+int
+read_encrypted (int fd, void *buf, size_t len, void **ret,
+		des_key_schedule schedule, des_cblock *session,
+		struct sockaddr_in *him, struct sockaddr_in *me)
+{
+     int status;
+     int32_t l;
+     MSG_DAT msg;
+     unsigned char tmp[4];
+
+     l = krb_net_read (fd, tmp, 4);
+     if (l != 4)
+	 return l;
+     l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
+     if (l > len)
+	  return -1;
+     if (krb_net_read (fd, buf, l) != l)
+	  return -1;
+     status = krb_rd_priv (buf, l, schedule, session, him, me, &msg);
+     if (status != RD_AP_OK) {
+	  fprintf (stderr, "read_encrypted: %s\n",
+		   krb_get_err_text(status));
+	  return -1;
+     }
+     *ret  = msg.app_data;
+     return  msg.app_length;
+}
diff --git a/crypto/kerberosIV/appl/kauth/kauth.c b/crypto/kerberosIV/appl/kauth/kauth.c
new file mode 100644
index 0000000..3f6f0bc
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/kauth.c
@@ -0,0 +1,384 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Little program that reads an srvtab or password and
+ * creates a suitable ticketfile and associated AFS tokens.
+ *
+ * If an optional command is given the command is executed in a
+ * new PAG and when the command exits the tickets are destroyed.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: kauth.c,v 1.97.2.1 2000/02/28 03:42:51 assar Exp $");
+
+krb_principal princ;
+static char srvtab[MaxPathLen];
+static int lifetime = DEFAULT_TKT_LIFE;
+static char remote_tktfile[MaxPathLen];
+static char remoteuser[100];
+static char *cell = 0;
+
+static void
+usage(void)
+{
+    fprintf(stderr,
+	    "Usage:\n"
+	    "  %s [name]\n"
+	    "or\n"
+	    "  %s [-ad] [-n name] [-r remoteuser] [-t remote ticketfile]\n"
+	    "        [-l lifetime (in minutes) ] [-f srvtab ] [-c AFS cell name ]\n"
+	    "        [-h hosts... [--]] [command ... ]\n\n",
+	    __progname, __progname);
+    fprintf(stderr, 
+	    "A fully qualified name can be given: user[.instance][@realm]\n"
+	    "Realm is converted to uppercase!\n");
+    exit(1);
+}
+
+#define EX_NOEXEC	126
+#define EX_NOTFOUND	127
+
+static int
+doexec(int argc, char **argv)
+{
+    int ret = simple_execvp(argv[0], argv);
+    if(ret == -2)
+	warn ("fork");
+    if(ret == -3)
+	warn("waitpid");
+    if(ret < 0)
+	return EX_NOEXEC;
+    if(ret == EX_NOEXEC || ret == EX_NOTFOUND)
+	warnx("Can't exec program ``%s''", argv[0]);
+	
+    return ret;
+}
+
+static RETSIGTYPE
+renew(int sig)
+{
+    int code;
+
+    signal(SIGALRM, renew);
+
+    code = krb_get_svc_in_tkt(princ.name, princ.instance, princ.realm,
+			      KRB_TICKET_GRANTING_TICKET,
+			      princ.realm, lifetime, srvtab);
+    if (code)
+	warnx ("%s", krb_get_err_text(code));
+    else if (k_hasafs())
+	{
+	    if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) {
+		warnx ("%s", krb_get_err_text(code));
+	    }
+	}
+
+    alarm(krb_life_to_time(0, lifetime)/2 - 60);
+    SIGRETURN(0);
+}
+
+static int
+zrefresh(void)
+{
+    switch (fork()) {
+    case -1:
+	err (1, "Warning: Failed to fork zrefresh");
+	return -1;
+    case 0:
+	/* Child */
+	execlp("zrefresh", "zrefresh", 0);
+	execl(BINDIR "/zrefresh", "zrefresh", 0);
+	exit(1);
+    default:
+	/* Parent */
+	break;
+    }
+    return 0;
+}
+
+static int
+key_to_key(const char *user,
+	   char *instance,
+	   const char *realm,
+	   const void *arg,
+	   des_cblock *key)
+{
+    memcpy(key, arg, sizeof(des_cblock));
+    return 0;
+}
+
+static int
+get_ticket_address(krb_principal *princ, des_cblock *key)
+{
+    int code;
+    unsigned char flags;
+    krb_principal service;
+    u_int32_t addr;
+    struct in_addr addr2;
+    des_cblock session;
+    int life;
+    u_int32_t time_sec;
+    des_key_schedule schedule;
+    CREDENTIALS c;
+	
+    code = get_ad_tkt(princ->name, princ->instance, princ->realm, 0);
+    if(code) {
+	warnx("get_ad_tkt: %s\n", krb_get_err_text(code));
+	return code;
+    }
+    code = krb_get_cred(princ->name, princ->instance, princ->realm, &c);
+    if(code) {
+	warnx("krb_get_cred: %s\n", krb_get_err_text(code));
+	return code;
+    }
+
+    des_set_key(key, schedule);
+    code = decomp_ticket(&c.ticket_st, 
+			 &flags,
+			 princ->name,
+			 princ->instance,
+			 princ->realm,
+			 &addr,
+			 session,
+			 &life,
+			 &time_sec,
+			 service.name,
+			 service.instance,
+			 key,
+			 schedule);
+    if(code) {
+	warnx("decomp_ticket: %s\n", krb_get_err_text(code));
+	return code;
+    }
+    memset(&session, 0, sizeof(session));
+    memset(schedule, 0, sizeof(schedule));
+    addr2.s_addr = addr;
+    fprintf(stdout, "ticket address = %s\n", inet_ntoa(addr2));
+} 
+
+
+int
+main(int argc, char **argv)
+{
+    int code, more_args;
+    int ret;
+    int c;
+    char *file;
+    int pflag = 0;
+    int aflag = 0;
+    int version_flag = 0;
+    char passwd[100];
+    des_cblock key;
+    char **host;
+    int nhost;
+    char tf[MaxPathLen];
+
+    set_progname (argv[0]);
+
+    if ((file =  getenv("KRBTKFILE")) == 0)
+	file = TKT_FILE;  
+
+    memset(&princ, 0, sizeof(princ));
+    memset(srvtab, 0, sizeof(srvtab));
+    *remoteuser = '\0';
+    nhost = 0;
+    host = NULL;
+  
+    /* Look for kerberos name */
+    if (argc > 1 &&
+	argv[1][0] != '-' &&
+	krb_parse_name(argv[1], &princ) == 0)
+      {
+	argc--; argv++;
+	strupr(princ.realm);
+      }
+
+    while ((c = getopt(argc, argv, "ar:t:f:hdl:n:c:v")) != -1)
+	switch (c) {
+	case 'a':
+	    aflag++;
+	    break;
+	case 'd':
+	    krb_enable_debug();
+	    _kafs_debug = 1;
+	    break;
+	case 'f':
+	    strlcpy(srvtab, optarg, sizeof(srvtab));
+	    break;
+	case 't':
+	    strlcpy(remote_tktfile, optarg, sizeof(remote_tktfile));
+	    break;
+	case 'r':
+	    strlcpy(remoteuser, optarg, sizeof(remoteuser));
+	    break;
+	case 'l':
+	    lifetime = atoi(optarg);
+	    if (lifetime == -1)
+		lifetime = 255;
+	    else if (lifetime < 5)
+		lifetime = 1;
+	    else
+		lifetime = krb_time_to_life(0, lifetime*60);
+	    if (lifetime > 255)
+		lifetime = 255;
+	    break;
+	case 'n':
+	    if ((code = krb_parse_name(optarg, &princ)) != 0) {
+		warnx ("%s", krb_get_err_text(code));
+		usage();
+	    }
+	    strupr(princ.realm);
+	    pflag = 1;
+	    break;
+	case 'c':
+	    cell = optarg;
+	    break;
+	case 'h':
+	    host = argv + optind;
+	    for(nhost = 0; optind < argc && *argv[optind] != '-'; ++optind)
+		++nhost;
+	    if(nhost == 0)
+		usage();
+	    break;
+	case 'v':
+	    version_flag++;
+	    print_version(NULL);
+	    break;
+	case '?':
+	default:
+	    usage();
+	    break;
+	}
+  
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    if (princ.name[0] == '\0' && krb_get_default_principal (princ.name, 
+							    princ.instance, 
+							    princ.realm) < 0)
+	errx (1, "Could not get default principal");
+  
+    /* With root tickets assume remote user is root */
+    if (*remoteuser == '\0') {
+      if (strcmp(princ.instance, "root") == 0)
+	strlcpy(remoteuser, princ.instance, sizeof(remoteuser));
+      else
+	strlcpy(remoteuser, princ.name, sizeof(remoteuser));
+    }
+
+    more_args = argc - optind;
+  
+    if (princ.realm[0] == '\0')
+	if (krb_get_lrealm(princ.realm, 1) != KSUCCESS)
+	    strlcpy(princ.realm, KRB_REALM, REALM_SZ);
+  
+    if (more_args) {
+	int f;
+      
+	do{
+	    snprintf(tf, sizeof(tf), "%s%u_%u", TKT_ROOT, (unsigned)getuid(),
+		     (unsigned)(getpid()*time(0)));
+	    f = open(tf, O_CREAT|O_EXCL|O_RDWR);
+	}while(f < 0);
+	close(f);
+	unlink(tf);
+	setenv("KRBTKFILE", tf, 1);
+	krb_set_tkt_string (tf);
+    }
+    
+    if (srvtab[0])
+	{
+	    signal(SIGALRM, renew);
+
+	    code = read_service_key (princ.name, princ.instance, princ.realm, 0, 
+				     srvtab, (char *)&key);
+	    if (code == KSUCCESS)
+		code = krb_get_in_tkt(princ.name, princ.instance, princ.realm,
+				      KRB_TICKET_GRANTING_TICKET,
+				      princ.realm, lifetime,
+				      key_to_key, NULL, key);
+	    alarm(krb_life_to_time(0, lifetime)/2 - 60);
+	}
+    else {
+	char prompt[128];
+	  
+	snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&princ));
+	if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
+	    memset(passwd, 0, sizeof(passwd));
+	    exit(1);
+	}
+	code = krb_get_pw_in_tkt2(princ.name, princ.instance, princ.realm, 
+				  KRB_TICKET_GRANTING_TICKET, princ.realm, 
+				  lifetime, passwd, &key);
+	
+	memset(passwd, 0, sizeof(passwd));
+    }
+    if (code) {
+	memset (key, 0, sizeof(key));
+	errx (1, "%s", krb_get_err_text(code));
+    }
+
+    if(aflag)
+	get_ticket_address(&princ, &key);
+
+    if (k_hasafs()) {
+	if (more_args)
+	    k_setpag();
+	if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) {
+	    if(code > 0)
+		warnx ("%s", krb_get_err_text(code));
+	    else
+		warnx ("failed to store AFS token");
+	}
+    }
+
+    for(ret = 0; nhost-- > 0; host++)
+	ret += rkinit(&princ, lifetime, remoteuser, remote_tktfile, &key, *host);
+  
+    if (ret)
+	return ret;
+
+    if (more_args) {
+	ret = doexec(more_args, &argv[optind]);
+	dest_tkt();
+	if (k_hasafs())
+	    k_unlog();	 
+    }
+    else
+	zrefresh();
+  
+    return ret;
+}
diff --git a/crypto/kerberosIV/appl/kauth/kauth.h b/crypto/kerberosIV/appl/kauth/kauth.h
new file mode 100644
index 0000000..32243c7
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/kauth.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kauth.h,v 1.21 1999/12/02 16:58:31 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif /* HAVE_CONFIG_H */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <signal.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <errno.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#include <err.h>
+
+#include <krb.h>
+#include <kafs.h>
+
+#include <roken.h>
+
+#define KAUTH_PORT 2120
+
+#define KAUTH_VERSION "RKINIT.0"
+
+int rkinit (krb_principal*, int, char*, char*, des_cblock*, char*);
+
+int write_encrypted (int, void*, size_t, des_key_schedule,
+		     des_cblock*, struct sockaddr_in*, struct sockaddr_in*);
+
+int read_encrypted (int, void*, size_t, void **, des_key_schedule,
+		    des_cblock*, struct sockaddr_in*, struct sockaddr_in*);
+
+int pack_args (char *, size_t, krb_principal*, int, const char*, const char*);
+
+int unpack_args (const char*, krb_principal*, int*, char*, char*);
diff --git a/crypto/kerberosIV/appl/kauth/kauthd.c b/crypto/kerberosIV/appl/kauth/kauthd.c
new file mode 100644
index 0000000..d0b61ec
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/kauthd.c
@@ -0,0 +1,202 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: kauthd.c,v 1.25.2.1 2000/06/28 19:07:58 assar Exp $");
+
+krb_principal princ;
+static char locuser[SNAME_SZ];
+static int  lifetime;
+static char tktfile[MaxPathLen];
+
+struct remote_args {
+     int sock;
+     des_key_schedule *schedule;
+     des_cblock *session;
+     struct sockaddr_in *me, *her;
+};
+
+static int
+decrypt_remote_tkt (const char *user,
+		    const char *inst,
+		    const char *realm,
+		    const void *varg,
+		    key_proc_t key_proc,
+		    KTEXT *cipp)
+{
+     char buf[BUFSIZ];
+     void *ptr;
+     int len;
+     KTEXT cip  = *cipp;
+     struct remote_args *args = (struct remote_args *)varg;
+
+     write_encrypted (args->sock, cip->dat, cip->length,
+		      *args->schedule, args->session, args->me,
+		      args->her);
+     len = read_encrypted (args->sock, buf, sizeof(buf), &ptr, *args->schedule,
+			   args->session, args->her, args->me);
+     memcpy(cip->dat, ptr, cip->length);
+	  
+     return 0;
+}
+
+static int
+doit(int sock)
+{
+     int status;
+     KTEXT_ST ticket;
+     AUTH_DAT auth;
+     char instance[INST_SZ];
+     des_key_schedule schedule;
+     struct sockaddr_in thisaddr, thataddr;
+     int addrlen;
+     int len;
+     char buf[BUFSIZ];
+     void *data;
+     struct passwd *passwd;
+     char version[KRB_SENDAUTH_VLEN + 1];
+     char remotehost[MaxHostNameLen];
+
+     addrlen = sizeof(thisaddr);
+     if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thisaddr)) {
+	  return 1;
+     }
+     addrlen = sizeof(thataddr);
+     if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thataddr)) {
+	  return 1;
+     }
+
+     inaddr2str (thataddr.sin_addr, remotehost, sizeof(remotehost));
+
+     k_getsockinst (sock, instance, sizeof(instance));
+     status = krb_recvauth (KOPT_DO_MUTUAL, sock, &ticket, "rcmd", instance,
+			    &thataddr, &thisaddr, &auth, "", schedule,
+			    version);
+     if (status != KSUCCESS ||
+	 strncmp(version, KAUTH_VERSION, KRB_SENDAUTH_VLEN) != 0) {
+	  return 1;
+     }
+     len = read_encrypted (sock, buf, sizeof(buf), &data, schedule,
+			   &auth.session, &thataddr, &thisaddr);
+     if (len < 0) {
+	  write_encrypted (sock, "read_enc failed",
+			   sizeof("read_enc failed") - 1, schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+     if (unpack_args(data, &princ, &lifetime, locuser,
+		     tktfile)) {
+	  write_encrypted (sock, "unpack_args failed",
+			   sizeof("unpack_args failed") - 1, schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+
+     if( kuserok(&auth, locuser) != 0) {
+	 snprintf(buf, sizeof(buf), "%s cannot get tickets for %s",
+		  locuser, krb_unparse_name(&princ));
+	 syslog (LOG_ERR, "%s", buf);
+	 write_encrypted (sock, buf, strlen(buf), schedule,
+			  &auth.session, &thisaddr, &thataddr);
+	 return 1;
+     }
+     passwd = k_getpwnam (locuser);
+     if (passwd == NULL) {
+	  snprintf (buf, sizeof(buf), "No user '%s'", locuser);
+	  syslog (LOG_ERR, "%s", buf);
+	  write_encrypted (sock, buf, strlen(buf), schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+     if (setgid (passwd->pw_gid) ||
+	 initgroups(passwd->pw_name, passwd->pw_gid) ||
+	 setuid(passwd->pw_uid)) {
+	  snprintf (buf, sizeof(buf), "Could not change user");
+	  syslog (LOG_ERR, "%s", buf);
+	  write_encrypted (sock, buf, strlen(buf), schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+     write_encrypted (sock, "ok", sizeof("ok") - 1, schedule,
+		      &auth.session, &thisaddr, &thataddr);
+
+     if (*tktfile == 0)
+	 snprintf(tktfile, sizeof(tktfile), "%s%u", TKT_ROOT, (unsigned)getuid());
+     krb_set_tkt_string (tktfile);
+
+     {
+	  struct remote_args arg;
+
+	  arg.sock     = sock;
+	  arg.schedule = &schedule;
+	  arg.session  = &auth.session;
+	  arg.me       = &thisaddr;
+	  arg.her      = &thataddr;
+
+	  status = krb_get_in_tkt (princ.name, princ.instance, princ.realm,
+				   KRB_TICKET_GRANTING_TICKET,
+				   princ.realm,
+				   lifetime, NULL, decrypt_remote_tkt, &arg);
+     }
+     if (status == KSUCCESS) {
+	 syslog (LOG_INFO, "from %s(%s): %s -> %s",
+		 remotehost,
+		 inet_ntoa(thataddr.sin_addr),
+		 locuser,
+		 krb_unparse_name (&princ));
+	  write_encrypted (sock, "ok", sizeof("ok") - 1, schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 0;
+     } else {
+	  snprintf (buf, sizeof(buf), "TGT failed: %s", krb_get_err_text(status));
+	  syslog (LOG_NOTICE, "%s", buf);
+	  write_encrypted (sock, buf, strlen(buf), schedule,
+			   &auth.session, &thisaddr, &thataddr);
+	  return 1;
+     }
+}
+
+int
+main (int argc, char **argv)
+{
+    openlog ("kauthd", LOG_ODELAY, LOG_AUTH);
+
+    if(argc > 1 && strcmp(argv[1], "-i") == 0)
+	mini_inetd (k_getportbyname("kauth", "tcp", htons(KAUTH_PORT)));
+    return doit(STDIN_FILENO);
+}
diff --git a/crypto/kerberosIV/appl/kauth/ksrvtgt.in b/crypto/kerberosIV/appl/kauth/ksrvtgt.in
new file mode 100644
index 0000000..7a520fd
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/ksrvtgt.in
@@ -0,0 +1,15 @@
+#! /bin/sh
+# $Id: ksrvtgt.in,v 1.3 1997/09/13 03:39:03 joda Exp $
+# $FreeBSD$
+
+usage="Usage: `basename $0` name instance [[realm] srvtab]"
+
+if [ $# -lt 2 -o $# -gt 4 ]; then
+	echo "$usage"
+	exit 1
+fi
+
+srvtab="${4-${3-/etc/kerberosIV/srvtab}}"
+realm="${4+@$3}"
+
+%bindir%/kauth -n "$1.$2$realm" -l 5 -f "$srvtab"
diff --git a/crypto/kerberosIV/appl/kauth/marshall.c b/crypto/kerberosIV/appl/kauth/marshall.c
new file mode 100644
index 0000000..e37b8c9
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/marshall.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: marshall.c,v 1.10 1999/12/02 16:58:31 joda Exp $");
+
+int
+pack_args (char *buf,
+	   size_t sz,
+	   krb_principal *pr,
+	   int lifetime,
+	   const char *locuser,
+	   const char *tktfile)
+{
+    char *p = buf;
+    int len;
+
+    p = buf;
+
+    len = strlen(pr->name);
+    if (len >= sz)
+	return -1;
+    memcpy (p, pr->name, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    len = strlen(pr->instance);
+    if (len >= sz)
+	return -1;
+    memcpy (p, pr->instance, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    len = strlen(pr->realm);
+    if (len >= sz)
+	return -1;
+    memcpy(p, pr->realm, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    if (sz < 1)
+	return -1;
+    *p++ = (unsigned char)lifetime;
+
+    len = strlen(locuser);
+    if (len >= sz)
+	return -1;
+    memcpy (p, locuser, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    len = strlen(tktfile);
+    if (len >= sz)
+	return -1;
+    memcpy (p, tktfile, len + 1);
+    p += len + 1;
+    sz -= len + 1;
+
+    return p - buf;
+}
+
+int
+unpack_args (const char *buf, krb_principal *pr, int *lifetime,
+	     char *locuser, char *tktfile)
+{
+    int len;
+
+    len = strlen(buf);
+    if (len >= SNAME_SZ)
+	return -1;
+    strlcpy (pr->name, buf, ANAME_SZ);
+    buf += len + 1;
+    len = strlen (buf);
+    if (len >= INST_SZ)
+	return -1;
+    strlcpy (pr->instance, buf, INST_SZ);
+    buf += len + 1;
+    len = strlen (buf);
+    if (len >= REALM_SZ)
+	return -1;
+    strlcpy (pr->realm, buf, REALM_SZ);
+    buf += len + 1;
+    *lifetime = (unsigned char)*buf++;
+    len = strlen(buf);
+    if (len >= SNAME_SZ)
+	return -1;
+    strlcpy (locuser, buf, SNAME_SZ);
+    buf += len + 1;
+    len = strlen(buf);
+    if (len >= MaxPathLen)
+	return -1;
+    strlcpy (tktfile, buf, MaxPathLen);
+    buf += len + 1;
+    return 0;
+}
diff --git a/crypto/kerberosIV/appl/kauth/rkinit.c b/crypto/kerberosIV/appl/kauth/rkinit.c
new file mode 100644
index 0000000..cac62c9
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/rkinit.c
@@ -0,0 +1,226 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kauth.h"
+
+RCSID("$Id: rkinit.c,v 1.22.2.1 1999/12/06 17:27:56 assar Exp $");
+
+static struct in_addr *
+getalladdrs (char *hostname, unsigned *count)
+{
+    struct hostent *hostent;
+    struct in_addr **h;
+    struct in_addr *addr;
+    unsigned naddr;
+    unsigned maxaddr;
+
+    hostent = gethostbyname (hostname);
+    if (hostent == NULL) {
+	warnx ("gethostbyname '%s' failed: %s\n",
+	       hostname,
+	       hstrerror(h_errno));
+	return NULL;
+    }
+    maxaddr = 1;
+    naddr = 0;
+    addr = malloc(sizeof(*addr) * maxaddr);
+    if (addr == NULL) {
+	warnx ("out of memory");
+	return NULL;
+    }
+    for (h = (struct in_addr **)(hostent->h_addr_list);
+	 *h != NULL;
+	 h++) {
+	if (naddr >= maxaddr) {
+	    maxaddr *= 2;
+	    addr = realloc (addr, sizeof(*addr) * maxaddr);
+	    if (addr == NULL) {
+		warnx ("out of memory");
+		return NULL;
+	    }
+	}
+	addr[naddr++] = **h;
+    }
+    addr = realloc (addr, sizeof(*addr) * naddr);
+    if (addr == NULL) {
+	warnx ("out of memory");
+	return NULL;
+    }
+    *count = naddr;
+    return addr;
+}
+
+static int
+doit_host (krb_principal *princ, int lifetime, char *locuser, 
+	   char *tktfile, des_cblock *key, int s, char *hostname)
+{
+    char buf[BUFSIZ];
+    int inlen;
+    KTEXT_ST text;
+    CREDENTIALS cred;
+    MSG_DAT msg;
+    int status;
+    des_key_schedule schedule;
+    struct sockaddr_in thisaddr, thataddr;
+    int addrlen;
+    void *ret;
+
+    addrlen = sizeof(thisaddr);
+    if (getsockname (s, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+	addrlen != sizeof(thisaddr)) {
+	warn ("getsockname(%s)", hostname);
+	return 1;
+    }
+    addrlen = sizeof(thataddr);
+    if (getpeername (s, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
+	addrlen != sizeof(thataddr)) {
+	warn ("getpeername(%s)", hostname);
+	return 1;
+    }
+
+    if (krb_get_config_bool("nat_in_use")) {
+	struct in_addr natAddr;
+
+	if (krb_get_our_ip_for_realm(krb_realmofhost(hostname),
+				     &natAddr) == KSUCCESS
+	    || krb_get_our_ip_for_realm (NULL, &natAddr) == KSUCCESS)
+	    thisaddr.sin_addr = natAddr;
+    }
+
+    status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd",
+			   hostname, krb_realmofhost (hostname),
+			   getpid(), &msg, &cred, schedule,
+			   &thisaddr, &thataddr, KAUTH_VERSION);
+    if (status != KSUCCESS) {
+	warnx ("%s: %s\n", hostname, krb_get_err_text(status));
+	return 1;
+    }
+    inlen = pack_args (buf, sizeof(buf),
+		       princ, lifetime, locuser, tktfile);
+    if (inlen < 0) {
+	warn ("cannot marshall arguments to %s", hostname);
+	return 1;
+    }
+
+    if (write_encrypted(s, buf, inlen, schedule, &cred.session,
+			&thisaddr, &thataddr) < 0) {
+	warn ("write to %s", hostname);
+	return 1;
+    }
+
+    inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
+			    &cred.session, &thataddr, &thisaddr);
+    if (inlen < 0) {
+	warn ("read from %s failed", hostname);
+	return 1;
+    }
+
+    if (strncmp(ret, "ok", inlen) != 0) {
+	warnx ("error from %s: %.*s\n",
+	       hostname, inlen, (char *)ret);
+	return 1;
+    }
+
+    inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
+			    &cred.session, &thataddr, &thisaddr);
+    if (inlen < 0) {
+	warn ("read from %s", hostname);
+	return 1;
+    }
+     
+    {
+	des_key_schedule key_s;
+
+	des_key_sched(key, key_s);
+	des_pcbc_encrypt(ret, ret, inlen, key_s, key, DES_DECRYPT);
+	memset(key_s, 0, sizeof(key_s));
+    }
+    write_encrypted (s, ret, inlen, schedule, &cred.session,
+		     &thisaddr, &thataddr);
+
+    inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule,
+			    &cred.session, &thataddr, &thisaddr);
+    if (inlen < 0) {
+	warn ("read from %s", hostname);
+	return 1;
+    }
+
+    if (strncmp(ret, "ok", inlen) != 0) {
+	warnx ("error from %s: %.*s\n",
+	       hostname, inlen, (char *)ret);
+	return 1;
+    }
+    return 0;
+}
+
+int
+rkinit (krb_principal *princ, int lifetime, char *locuser, 
+	char *tktfile, des_cblock *key, char *hostname)
+{
+    struct in_addr *addr;
+    unsigned naddr;
+    unsigned i;
+    int port;
+    int success;
+
+    addr = getalladdrs (hostname, &naddr);
+    if (addr == NULL)
+	return 1;
+    port = k_getportbyname ("kauth", "tcp", htons(KAUTH_PORT));
+    success = 0;
+    for (i = 0; !success && i < naddr; ++i) {
+	struct sockaddr_in a;
+	int s;
+
+	memset(&a, 0, sizeof(a));
+	a.sin_family = AF_INET;
+	a.sin_port   = port;
+	a.sin_addr   = addr[i];
+
+	s = socket (AF_INET, SOCK_STREAM, 0);
+	if (s < 0) {
+	    warn("socket");
+	    return 1;
+	}
+	if (connect(s, (struct sockaddr *)&a, sizeof(a)) < 0) {
+	    warn("connect(%s)", hostname);
+	    continue;
+	}
+
+	success = success || !doit_host (princ, lifetime,
+					 locuser, tktfile, key,
+					 s, hostname);
+	close (s);
+    }
+    return !success;
+}
diff --git a/crypto/kerberosIV/appl/kauth/zrefresh b/crypto/kerberosIV/appl/kauth/zrefresh
new file mode 100644
index 0000000..8347a1b
--- /dev/null
+++ b/crypto/kerberosIV/appl/kauth/zrefresh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# 
+# @(#) $Id: zrefresh,v 1.3 1996/06/09 19:21:59 joda Exp $
+#
+# Substitute this script with a real zrefresh if running Zephyr. For
+# instance:
+#
+# if [ -f "$WGFILE" ] ; then
+#     zctl load
+# fi
+
+exit 0
diff --git a/crypto/kerberosIV/appl/kip/Makefile.in b/crypto/kerberosIV/appl/kip/Makefile.in
new file mode 100644
index 0000000..16ed049
--- /dev/null
+++ b/crypto/kerberosIV/appl/kip/Makefile.in
@@ -0,0 +1,110 @@
+# $Id: Makefile.in,v 1.18.4.1 2000/06/23 02:54:59 assar Exp $
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+DEFS = @DEFS@ -DLIBEXECDIR="\"$(libexecdir)\""
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+LIBS = @LIBS@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libexecdir = @libexecdir@
+libdir = @libdir@
+bindir = @bindir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+PROG_BIN	= kip$(EXECSUFFIX)
+PROG_LIBEXEC	= kipd$(EXECSUFFIX)
+SCRIPT_LIBEXEC	= kip-join-network kipd-control
+PROGS = $(PROG_BIN) $(PROG_LIBEXEC) $(SCRIPT_LIBEXEC)
+
+SOURCES_KIP     = kip.c
+SOURCES_KIPD    = kipd.c
+SOURCES_COMMON  = common.c
+
+OBJECTS_KIP     = kip.o common.o
+OBJECTS_KIPD    = kipd.o common.o
+
+OBJECTS = $(OBJECTS_KIP) $(OBJECTS_KIPD)
+SOURCES = $(SOURCES_KIP) $(SOURCES_KIPD) $(SOURCES_COMMON)
+
+all: $(PROGS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir)
+	for x in $(PROG_BIN); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+	for x in $(PROG_LIBEXEC); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+	for x in $(SCRIPT_LIBEXEC); do \
+	  $(INSTALL_SCRIPT) $$x $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROG_BIN); do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+	for x in $(PROG_LIBEXEC); do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+	for x in $(SCRIPT_LIBEXEC); do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f *.a *.o $(PROGS)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+KLIB=-L../../lib/krb -lkrb -L../../lib/des -ldes
+LIBROKEN=-L../../lib/roken -lroken
+
+kip$(EXECSUFFIX): $(OBJECTS_KIP)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(OBJECTS_KIP) $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+kipd$(EXECSUFFIX): $(OBJECTS_KIPD)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(OBJECTS_KIPD) $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+$(OBJECTS): ../../include/config.h
+
+kip-join-network: kip-join-network.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/kip-join-network.in > $@
+	chmod +x $@
+
+kipd-control: kipd-control.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/kipd-control.in > $@
+	chmod +x $@
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/appl/kip/common.c b/crypto/kerberosIV/appl/kip/common.c
new file mode 100644
index 0000000..4feb9c8
--- /dev/null
+++ b/crypto/kerberosIV/appl/kip/common.c
@@ -0,0 +1,302 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kip.h"
+
+RCSID("$Id: common.c,v 1.13.2.4 2000/10/18 23:31:51 assar Exp $");
+
+sig_atomic_t disconnect = 0;
+int isserver = 0;
+
+/*
+ * Copy packets from `tundev' to `netdev' or vice versa.
+ * Mode is used when reading from `tundev'
+ */
+
+int
+copy_packets (int tundev, int netdev, int mtu, des_cblock *iv,
+	      des_key_schedule schedule)
+{
+     des_cblock iv1, iv2;
+     int num1 = 0, num2 = 0;
+     u_char *buf;
+
+     buf = malloc (mtu + 2);
+     if (buf == NULL) {
+	 warnx("malloc(%d) failed", mtu);
+	 return 1;
+     }
+
+     memcpy (&iv1, iv, sizeof(iv1));
+     memcpy (&iv2, iv, sizeof(iv2));
+     while(!disconnect) {
+	  fd_set fdset;
+	  int ret, len;
+
+	  if (tundev >= FD_SETSIZE || netdev >= FD_SETSIZE) {
+	      warnx ("fd too large");
+	      return 1;
+	  }
+
+	  FD_ZERO(&fdset);
+	  FD_SET(tundev, &fdset);
+	  FD_SET(netdev, &fdset);
+
+	  ret = select (max(tundev, netdev)+1, &fdset, NULL, NULL, NULL);
+	  if (ret < 0) {
+	      if (errno == EINTR)
+		  continue;
+	      warn ("select");
+	      return 1;
+	  }
+	  if (FD_ISSET(tundev, &fdset)) {
+	       ret = read (tundev, buf + 2, mtu);
+	       if (ret == 0)
+		    return 0;
+	       if (ret < 0) {
+		    if (errno == EINTR)
+			 continue;
+		    else { 
+			warn("read");
+			return ret;
+		    }
+	       }
+	       buf[0] = ret >> 8;
+	       buf[1] = ret & 0xFF;
+	       ret += 2;
+	       des_cfb64_encrypt (buf, buf, ret, schedule,
+				  &iv1, &num1, DES_ENCRYPT);
+	       ret = krb_net_write (netdev, buf, ret);
+	       if (ret < 0) {
+		   warn("write");
+		   return ret;
+	       }
+	  }
+	  if (FD_ISSET(netdev, &fdset)) {
+	       ret = read (netdev, buf, 2);
+	       if (ret == 0)
+		    return 0;
+	       if (ret < 0) {
+		    if (errno == EINTR)
+			 continue;
+		    else { 
+			warn("read");
+			return ret;
+		    }
+	       }
+	       des_cfb64_encrypt (buf, buf, 2, schedule,
+				  &iv2, &num2, DES_DECRYPT);
+	       len = (buf[0] << 8 ) | buf[1];
+	       if (len > mtu) {
+		   fatal (-1, "buffer too large", schedule, &iv2);
+		   return -1;
+	       }
+
+	       if (len == 0) {
+		   len = read (netdev, buf, mtu);
+		   if (len < 1)
+		       len = 1;
+		   buf[len-1] = '\0';
+
+		   fatal (-1, buf, schedule, &iv2);
+		   return -1;
+	       }
+
+	       ret = krb_net_read (netdev, buf + 2, len);
+	       if (ret == 0)
+		    return 0;
+	       if (ret < 0) {
+		    if (errno == EINTR)
+			 continue;
+		    else { 
+			warn("read");
+			return ret;
+		    }
+	       }
+	       des_cfb64_encrypt (buf + 2, buf + 2, len, schedule,
+				  &iv2, &num2, DES_DECRYPT);
+	       ret = krb_net_write (tundev, buf + 2, len);
+	       if (ret < 0) {
+		   warn("write");
+		   return ret;
+	       }
+	  }
+     }
+     return 0;
+}
+
+/*
+ * Signal handler that justs waits for the children when they die.
+ */
+
+RETSIGTYPE
+childhandler (int sig)
+{
+     pid_t pid;
+     int status;
+
+     do { 
+	  pid = waitpid (-1, &status, WNOHANG|WUNTRACED);
+     } while(pid > 0);
+     signal (SIGCHLD, childhandler);
+     SIGRETURN(0);
+}
+
+/*
+ * Find a free tunnel device and open it.
+ * Return the interface name in `name, len'.
+ */
+
+int
+tunnel_open (char *name, size_t len)
+{
+     int fd;
+     int i;
+     char devname[256];
+
+     for (i = 0; i < 256; ++i) {
+	  snprintf (devname, len, "%s%s%d", _PATH_DEV, TUNDEV, i);
+	  fd = open (devname, O_RDWR, 0);
+	  if (fd >= 0)
+	       break;
+	  if (errno == ENOENT || errno == ENODEV) {
+	      warn("open %s", name);
+	      return fd;
+	  }
+     }
+     if (fd < 0)
+	 warn("open %s" ,name);
+     else
+	 snprintf (name, len, "%s%d", TUNDEV, i);
+     return fd;
+}
+
+/*
+ * run the command `cmd' with (...).  return 0 if succesful or error
+ * otherwise (and copy an error messages into `msg, len')
+ */
+
+int
+kip_exec (const char *cmd, char *msg, size_t len, ...)
+{
+    pid_t pid;
+    char **argv;
+    va_list ap;
+
+    va_start(ap, len);
+    argv = vstrcollect(&ap);
+    va_end(ap);
+
+    pid = fork();
+    switch (pid) {
+    case -1:
+	snprintf (msg, len, "fork: %s", strerror(errno));
+	return errno;
+    case 0: {
+	int fd = open (_PATH_DEVNULL, O_RDWR, 0600);
+	if (fd < 0) {
+	    snprintf (msg, len, "open " _PATH_DEVNULL ": %s", strerror(errno));
+	    return errno;
+	}
+
+	close (STDIN_FILENO);
+	close (STDOUT_FILENO);
+	close (STDERR_FILENO);
+	
+	dup2 (fd, STDIN_FILENO);
+	dup2 (fd, STDOUT_FILENO);
+	dup2 (fd, STDERR_FILENO);
+
+	execvp (cmd, argv);
+	snprintf (msg, len, "execvp %s: %s", cmd, strerror(errno));
+	return errno;
+    }
+    default: {
+	int status;
+
+	while (waitpid(pid, &status, 0) < 0)
+	    if (errno != EINTR) {
+		snprintf (msg, len, "waitpid: %s", strerror(errno));
+		return errno;
+	    }
+
+	if (WIFEXITED(status)) {
+	    if (WEXITSTATUS(status) == 0) {
+		return 0;
+	    } else {
+		snprintf (msg, len, "child returned with %d", 
+			  WEXITSTATUS(status));
+		return 1;
+	    }
+	} else if (WIFSIGNALED(status)) {
+#ifndef WCOREDUMP
+#define WCOREDUMP(X) 0
+#endif
+	    snprintf (msg, len, "terminated by signal num %d %s",
+		      WTERMSIG(status), 
+		      WCOREDUMP(status) ? " coredumped" : "");
+	    return 1;
+	} else if (WIFSTOPPED(status)) {
+	    snprintf (msg, len, "process stoped by signal %d",
+		      WSTOPSIG(status));
+	    return 1;
+	} else {
+	    snprintf (msg, len, "child died in mysterious circumstances");
+	    return 1;
+	}
+    }
+    }
+}
+
+/*
+ * fatal error `s' occured.
+ */
+
+void
+fatal (int fd, const char *s, des_key_schedule schedule, des_cblock *iv)
+{
+     int16_t err = 0;
+     int num = 0;
+
+     if (fd != -1) {
+	 des_cfb64_encrypt ((unsigned char*) &err, (unsigned char*) &err,
+			    sizeof(err), schedule, iv, &num, DES_ENCRYPT);
+
+	 write (fd, &err, sizeof(err));
+	 write (fd, s, strlen(s)+1);
+     }
+     if (isserver)
+	 syslog(LOG_ERR, "%s", s);
+     else
+	 warnx ("fatal error: %s", s);
+}
diff --git a/crypto/kerberosIV/appl/kip/kip-join-network.in b/crypto/kerberosIV/appl/kip/kip-join-network.in
new file mode 100644
index 0000000..c105fe6
--- /dev/null
+++ b/crypto/kerberosIV/appl/kip/kip-join-network.in
@@ -0,0 +1,53 @@
+#!/bin/sh
+# $Id$
+#
+# Join a network, see kipd-control from more comments.
+#
+
+PATH=/usr/sbin:/sbin:/usr/bin:/bin:%bindir%
+
+endpointhost=130.237.43.201
+thispointhost=130.237.43.17
+fakepoint=10.0.0.1
+dev=tun0
+
+case $# in
+    0)
+        modprobe tun
+	def=$(route -n | awk '$1 ~ /0.0.0.0/ && $3 ~ /0.0.0.0/ { print $2 }')
+
+	if test "X$def" = "X" ; then
+		echo "missing default route"
+		exit 1
+	fi
+
+	exec kip -c $0 -a $def $endpointhost
+	;;
+    *)
+	state=$1
+	dev=$2
+	host=$3
+	arg=$4
+	case $state in
+	up)
+		ifconfig $dev $thispointhost pointopoint $fakepoint
+		route delete default
+
+		route add -host $endpointhost gw $arg
+		route add default gw $fakepoint
+		;;
+	down)
+
+		echo $dev $arg > /tmp/kip-down
+
+		ifconfig $dev down
+
+		route delete default
+		route delete $endpointhost
+		route add default gw $arg
+		;;
+	*)
+		exit 17
+	;;
+	esac
+esac
diff --git a/crypto/kerberosIV/appl/kip/kip.c b/crypto/kerberosIV/appl/kip/kip.c
new file mode 100644
index 0000000..55b6032
--- /dev/null
+++ b/crypto/kerberosIV/appl/kip/kip.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kip.h"
+
+RCSID("$Id: kip.c,v 1.18.2.1 2000/06/23 02:55:01 assar Exp $");
+
+static char *cmd_str		= NULL;
+static char *arg_str		= NULL;
+static char *port_str		= NULL;
+static int version_flag		= 0;
+static int help_flag		= 0;
+
+struct getargs args[] = {
+    { "port",		'p',	arg_string,	&port_str,	"Use this port",
+      "port" },
+    { "cmd",		'c',	arg_string,	&cmd_str,
+      "command to run when starting", "cmd"},
+    { "arg",		'a',	arg_string,	&arg_str,
+      "argument to above command", "arg"},
+    { "version",	0, 	arg_flag,		&version_flag },
+    { "help",		0, 	arg_flag,		&help_flag }
+};
+
+
+static RETSIGTYPE
+disconnecthandler (int sig)
+{
+     disconnect = 1;
+     SIGRETURN(0);
+}
+
+/*
+ * Establish authenticated connection
+ */
+
+static int
+connect_host (char *host, int port,
+	      des_cblock *key, des_key_schedule schedule)
+{
+     CREDENTIALS cred;
+     KTEXT_ST text;
+     MSG_DAT msg;
+     int status;
+     struct sockaddr_in thisaddr, thataddr;
+     int addrlen;
+     struct hostent *hostent;
+     int s;
+     u_char b;
+     char **p;
+
+     hostent = gethostbyname (host);
+     if (hostent == NULL) {
+	 warnx ("gethostbyname '%s': %s", host,
+		hstrerror(h_errno));
+	  return -1;
+     }
+
+     memset (&thataddr, 0, sizeof(thataddr));
+     thataddr.sin_family = AF_INET;
+     thataddr.sin_port   = port;
+
+     for(p = hostent->h_addr_list; *p; ++p) {
+	 memcpy (&thataddr.sin_addr, *p, sizeof(thataddr.sin_addr));
+
+	 s = socket (AF_INET, SOCK_STREAM, 0);
+	 if (s < 0) {
+	     warn ("socket");
+	     return -1;
+	 }
+
+#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
+	 {
+	     int one = 1;
+
+	     setsockopt (s, IPPROTO_TCP, TCP_NODELAY,
+			 (void *)&one, sizeof(one));
+	 }
+#endif
+
+	 if (connect (s, (struct sockaddr *)&thataddr, sizeof(thataddr)) < 0) {
+	     warn ("connect(%s)", host);
+	     close (s);
+	     continue;
+	 } else {
+	     break;
+	 }
+     }
+     if (*p == NULL)
+	 return -1;
+
+     addrlen = sizeof(thisaddr);
+     if (getsockname (s, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thisaddr)) {
+	 warn ("getsockname(%s)", host);
+	 return -1;
+     }
+     status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd",
+			    host, krb_realmofhost (host),
+			    getpid(), &msg, &cred, schedule,
+			    &thisaddr, &thataddr, KIP_VERSION);
+     if (status != KSUCCESS) {
+	 warnx("%s: %s", host,
+	       krb_get_err_text(status));
+	 return -1;
+     }
+     if (read (s, &b, sizeof(b)) != sizeof(b)) {
+	 warn ("read");
+	 return -1;
+     }
+     if (b) {
+	  char buf[BUFSIZ];
+
+	  read (s, buf, sizeof(buf));
+	  buf[BUFSIZ - 1] = '\0';
+
+	  warnx ("%s: %s", host, buf);
+	  return -1;
+     }
+
+     memcpy(key, &cred.session, sizeof(des_cblock));
+     return s;
+}
+
+/*
+ * Connect to the given host.
+ */
+
+static int
+doit (char *host, int port)
+{
+     char tun_if_name[64];
+     des_key_schedule schedule;
+     des_cblock iv;
+     int other, this, ret;
+
+     other = connect_host (host, port, &iv, schedule);
+     if (other < 0)
+	  return 1;
+     this = tunnel_open (tun_if_name, sizeof(tun_if_name));
+     if (this < 0)
+	  return 1;
+
+     if (cmd_str) {
+	 char buf[1024];
+	 ret = kip_exec (cmd_str, buf, sizeof(buf),
+			 "kip-control", "up", tun_if_name, host, arg_str,
+			 NULL);
+	 if (ret)
+	     errx (1, "%s (up) failed: %s", cmd_str, buf);
+     }
+
+     ret = copy_packets (this, other, TUNMTU, &iv, schedule);
+
+     if (cmd_str) {
+	 char buf[1024];
+	 ret = kip_exec (cmd_str, buf, sizeof(buf),
+			 "kip-control", "down", tun_if_name, host, arg_str,
+			 NULL);
+	 if (ret)
+	     errx (1, "%s (down) failed: %s", cmd_str, buf);
+     }
+     return 0;
+}
+
+static void
+usage(int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "hostname");
+    exit (ret);
+}
+
+/*
+ * kip - forward IP packets over a kerberos-encrypted channel.
+ *
+ */
+
+int
+main(int argc, char **argv)
+{
+    int port;
+    int optind = 0;
+    char *hostname;
+
+    set_progname (argv[0]);
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+
+    argv += optind;
+    argc -= optind;
+
+    if (argc != 1)
+	usage (1);
+    
+    hostname = argv[0];
+
+    if(port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    } else {
+	port = k_getportbyname ("kip", "tcp", htons(KIPPORT));
+    }
+
+    signal (SIGCHLD, childhandler);
+    signal (SIGHUP,  disconnecthandler);
+    signal (SIGTERM, disconnecthandler);
+
+    return doit (hostname, port);
+}
diff --git a/crypto/kerberosIV/appl/kip/kip.h b/crypto/kerberosIV/appl/kip/kip.h
new file mode 100644
index 0000000..7bfc5f1
--- /dev/null
+++ b/crypto/kerberosIV/appl/kip/kip.h
@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kip.h,v 1.18.2.1 2000/06/23 02:55:01 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif /* HAVE_CONFIG_H */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <pwd.h>
+#include <signal.h>
+#include <fcntl.h>
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#include <sys/types.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+#include <netdb.h>
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif
+#include <net/if.h>
+#ifdef HAVE_NET_IF_VAR_H
+#include <net/if_var.h>
+#endif
+#ifdef HAVE_NET_IF_TUN_H
+#include <net/if_tun.h>
+#endif
+#include <err.h>
+
+#include <getarg.h>
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include <krb.h>
+
+#include <roken.h>
+
+#define TUNDEV "tun"
+
+#ifndef TUNMTU
+#define TUNMTU 1500		/* everything is ethernet :) */
+#endif
+
+#define KIPPORT 2112
+
+#define KIP_VERSION "KIPSRV.0"
+
+int
+copy_packets (int tundev, int netdev, int mtu, des_cblock *iv,
+	      des_key_schedule schedule);
+
+RETSIGTYPE childhandler (int);
+
+extern sig_atomic_t disconnect;
+extern int isserver;
+
+int
+tunnel_open (char *, size_t);
+
+void
+fatal (int fd, const char *s, des_key_schedule schedule, des_cblock *iv);
+
+int
+kip_exec (const char *cmd, char *msg, size_t len, ...);
diff --git a/crypto/kerberosIV/appl/kip/kipd-control.in b/crypto/kerberosIV/appl/kip/kipd-control.in
new file mode 100644
index 0000000..8fb0e9b
--- /dev/null
+++ b/crypto/kerberosIV/appl/kip/kipd-control.in
@@ -0,0 +1,54 @@
+#!/bin/sh
+#
+# $Id$
+#
+# Simple example how you can missuse kip to provide "mobile-ip".
+# This is since there is no way to tunnel ip over udp or any other
+# protocol. There is also problems to get thru firewalls and NATs
+# with mobile-ip since (today) they usully doesn't support IPIP or
+# GRE.
+#
+# All commands are for linux (redhat6.1) but it should be quite 
+# simple to fix it to support other OS.
+#
+
+PATH=/sbin:/usr/sbin:/usr/bin:/bin
+
+# arguments are: [up|down] dev remote-peer-addr user
+
+state=$1
+dev=$2
+remote=$3
+user=$4
+
+outdevice=eth0
+
+case "$state" in
+    up)
+        case "$user" in
+            lha.root@E.KTH.SE)
+                ifconfig $dev 10.0.0.1 pointopoint 130.237.43.17
+                route add -host 130.237.43.17 gw 10.0.0.1
+                arp -H ether -i $outdevice \
+                    -s 130.237.43.17 00:80:c8:82:83:61 pub
+            ;;
+        esac
+        ;;
+    down)
+        case "$user" in
+            lha.root@E.KTH.SE)
+                ifconfig $dev 0.0.0.0
+                ifconfig $dev down
+                arp -i $outdevice -d 130.237.43.17
+                arp -d 130.237.43.17
+                true
+            ;;
+        *)
+            ifconfig $dev down
+            ;;
+        esac
+        ;;
+    *)
+        exit 17
+        ;;
+esac
diff --git a/crypto/kerberosIV/appl/kip/kipd.c b/crypto/kerberosIV/appl/kip/kipd.c
new file mode 100644
index 0000000..0bbf06b
--- /dev/null
+++ b/crypto/kerberosIV/appl/kip/kipd.c
@@ -0,0 +1,204 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kip.h"
+
+RCSID("$Id: kipd.c,v 1.16.2.3 2000/10/18 20:46:45 assar Exp $");
+
+static int
+recv_conn (int sock, des_cblock *key, des_key_schedule schedule,
+	   struct sockaddr_in *retaddr, char *user, size_t len)
+{
+     int status;
+     KTEXT_ST ticket;
+     AUTH_DAT auth;
+     char instance[INST_SZ];
+     struct sockaddr_in thisaddr, thataddr;
+     int addrlen;
+     char version[KRB_SENDAUTH_VLEN + 1];
+     u_char ok = 0;
+     struct passwd *passwd;
+
+     addrlen = sizeof(thisaddr);
+     if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thisaddr)) {
+	  return 1;
+     }
+     addrlen = sizeof(thataddr);
+     if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thataddr)) {
+	  return 1;
+     }
+
+     k_getsockinst (sock, instance, sizeof(instance));
+     status = krb_recvauth (KOPT_DO_MUTUAL, sock, &ticket, "rcmd", instance,
+			    &thataddr, &thisaddr, &auth, "", schedule,
+			    version);
+     if (status != KSUCCESS ||
+	 strncmp(version, KIP_VERSION, KRB_SENDAUTH_VLEN) != 0) {
+	  return 1;
+     }
+     passwd = k_getpwnam ("root");
+     if (passwd == NULL) {
+	  fatal (sock, "Cannot find root", schedule, &auth.session);
+	  return 1;
+     }
+     if (kuserok(&auth, "root") != 0) {
+	  fatal (sock, "Permission denied", schedule, &auth.session);
+	  return 1;
+     }
+     if (write (sock, &ok, sizeof(ok)) != sizeof(ok))
+	  return 1;
+
+     snprintf (user, len, "%s%s%s@%s", auth.pname, 
+	       auth.pinst[0] != '\0' ? "." : "",
+	       auth.pinst, auth.prealm);
+
+     memcpy(key, &auth.session, sizeof(des_cblock));
+     *retaddr = thataddr;
+     return 0;
+}
+
+static int
+doit(int sock)
+{
+     char msg[1024];
+     char cmd[MAXPATHLEN];
+     char tun_if_name[64];
+     char user[MAX_K_NAME_SZ];
+     struct sockaddr_in thataddr;
+     des_key_schedule schedule;
+     des_cblock key;
+     int this, ret, ret2;
+
+     isserver = 1;
+
+     if (recv_conn (sock, &key, schedule, &thataddr, user, sizeof(user)))
+	  return 1;
+     this = tunnel_open (tun_if_name, sizeof(tun_if_name));
+     if (this < 0)
+	  fatal (sock, "Cannot open " _PATH_DEV TUNDEV, schedule, &key);
+
+     strlcpy(cmd, LIBEXECDIR "/kipd-control", sizeof(cmd));
+
+     ret = kip_exec (cmd, msg, sizeof(msg), "kipd-control",
+		     "up", tun_if_name, inet_ntoa(thataddr.sin_addr), user,
+		     NULL);
+     if (ret) {
+	 fatal (sock, msg, schedule, &key);
+	 return -1;
+     }
+
+     ret = copy_packets (this, sock, TUNMTU, &key, schedule);
+     
+     ret2 = kip_exec (cmd,  msg, sizeof(msg), "kipd-control",
+		      "down", tun_if_name, user, NULL);
+     if (ret2)
+	 syslog(LOG_ERR, "%s", msg);
+     return ret;
+}
+
+static char *port_str		= NULL;
+static int inetd_flag		= 1;
+static int version_flag		= 0;
+static int help_flag		= 0;
+
+struct getargs args[] = {
+    { "inetd",		'i',	arg_negative_flag,	&inetd_flag,
+      "Not started from inetd" },
+    { "port",		'p',	arg_string,	&port_str,	"Use this port",
+      "port" },
+    { "version",	0, 	arg_flag,		&version_flag },
+    { "help",		0, 	arg_flag,		&help_flag }
+};
+
+static void
+usage(int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "");
+    exit (ret);
+}
+
+/*
+ * kipd - receive forwarded IP
+ */
+
+int
+main (int argc, char **argv)
+{
+    int port;
+    int optind = 0;
+
+    set_progname (argv[0]);
+    roken_openlog(__progname, LOG_PID|LOG_CONS, LOG_DAEMON);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+
+    if(port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    } else {
+	port = k_getportbyname ("kip", "tcp", htons(KIPPORT));
+    }
+
+    if (!inetd_flag)
+	mini_inetd (port);
+
+    signal (SIGCHLD, childhandler);
+    return doit(STDIN_FILENO);
+}
diff --git a/crypto/kerberosIV/appl/sample/Makefile.in b/crypto/kerberosIV/appl/sample/Makefile.in
new file mode 100644
index 0000000..d88023a
--- /dev/null
+++ b/crypto/kerberosIV/appl/sample/Makefile.in
@@ -0,0 +1,83 @@
+# $Id: Makefile.in,v 1.18 1999/03/10 19:01:13 joda Exp $
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+top_builddir = ../..
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+INSTALL = @INSTALL@
+LIBS = @LIBS@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+libexecdir = @libexecdir@
+bindir = @bindir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+PROG_BIN	= sample_client$(EXECSUFFIX) \
+		  simple_client$(EXECSUFFIX)
+PROG_LIBEXEC	= sample_server$(EXECSUFFIX) \
+		  simple_server$(EXECSUFFIX)
+PROGS = $(PROG_BIN) $(PROG_LIBEXEC)
+
+OBJECTS = sample_client.o sample_server.o simple_client.o simple_server.o
+SOURCES = sample_client.c sample_server.c simple_client.c simple_server.c
+
+all: $(PROGS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $<
+
+install: all
+
+uninstall:
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f *.a *.o $(PROGS)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+KLIB=-L../../lib/krb -lkrb -L../../lib/des -ldes
+LIBROKEN=-L../../lib/roken -lroken
+
+sample_client$(EXECSUFFIX): sample_client.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ sample_client.o $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+simple_client$(EXECSUFFIX): simple_client.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ simple_client.o $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+sample_server$(EXECSUFFIX): sample_server.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ sample_server.o $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+simple_server$(EXECSUFFIX): simple_server.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ simple_server.o $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+$(OBJECTS): ../../include/config.h
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/appl/sample/sample.h b/crypto/kerberosIV/appl/sample/sample.h
new file mode 100644
index 0000000..d79d574
--- /dev/null
+++ b/crypto/kerberosIV/appl/sample/sample.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: sample.h,v 1.11 1999/12/02 16:58:33 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif /* HAVE_CONFIG_H */
+
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#include <errno.h>
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#include <err.h>
+#include <krb.h>
+
+#include <roken.h>
+
+#define SAMPLE_PORT 6354
+
+#define SAMPLE_SERVICE "sample"
+#define SAMPLE_VERSION "VERSION9"
diff --git a/crypto/kerberosIV/appl/sample/sample_client.c b/crypto/kerberosIV/appl/sample/sample_client.c
new file mode 100644
index 0000000..d0ec1c5
--- /dev/null
+++ b/crypto/kerberosIV/appl/sample/sample_client.c
@@ -0,0 +1,168 @@
+/*
+ *
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information,
+ * please see the file <mit-copyright.h>.
+ *
+ * sample_client:
+ * A sample Kerberos client, which connects to a server on a remote host,
+ * at port "sample" (be sure to define it in /etc/services)
+ * and authenticates itself to the server. The server then writes back
+ * (in ASCII) the authenticated name.
+ *
+ * Usage:
+ * sample_client <hostname> <checksum>
+ *
+ * <hostname> is the name of the foreign host to contact.
+ *
+ * <checksum> is an integer checksum to be used for the call to krb_mk_req()
+ *	and mutual authentication
+ *
+ */
+
+#include "sample.h"
+
+RCSID("$Id: sample_client.c,v 1.21 1999/11/13 06:27:01 assar Exp $");
+
+static void
+usage (void)
+{
+  fprintf (stderr, "Usage: %s [-s service] [-p port] hostname checksum\n",
+	   __progname);
+  exit (1);
+}
+
+int
+main(int argc, char **argv)
+{
+    struct hostent *hp;
+    struct sockaddr_in sin, lsin;
+    char *remote_host;
+    int status;
+    int namelen;
+    int sock = -1;
+    KTEXT_ST ticket;
+    char buf[512];
+    long authopts;
+    MSG_DAT msg_data;
+    CREDENTIALS cred;
+    des_key_schedule sched;
+    u_int32_t cksum;
+    int c;
+    char service[SNAME_SZ];
+    u_int16_t port;
+    struct servent *serv;
+    char **h_addr_list;
+
+    set_progname (argv[0]);
+    strlcpy (service, SAMPLE_SERVICE, sizeof(service));
+    port = 0;
+
+    while ((c = getopt(argc, argv, "s:p:")) != -1)
+	switch(c) {
+	case 's' :
+	    strlcpy (service, optarg, sizeof(service));
+	    break;
+	case 'p' :
+	    serv = getservbyname (optarg, "tcp");
+	    if (serv)
+		port = serv->s_port;
+	    else
+		port = htons(atoi(optarg));
+	    break;
+	case '?' :
+	default :
+	    usage();
+	}
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 2)
+	usage ();
+    
+    /* convert cksum to internal rep */
+    cksum = atoi(argv[1]);
+
+    printf("Setting checksum to %ld\n", (long)cksum);
+
+    /* clear out the structure first */
+    memset(&sin, 0, sizeof(sin));
+    sin.sin_family = AF_INET;
+    if (port)
+	sin.sin_port = port;
+    else
+	sin.sin_port = k_getportbyname (service, "tcp", htons(SAMPLE_PORT));
+
+    /* look up the server host */
+    hp = gethostbyname(argv[0]);
+    if (hp == NULL)
+	errx (1, "gethostbyname(%s): %s", argv[0],
+	      hstrerror(h_errno));
+
+    /* copy the hostname into non-volatile storage */
+    remote_host = strdup(hp->h_name);
+    if (remote_host == NULL)
+	errx (1, "strdup: out of memory");
+
+    /* set up the address of the foreign socket for connect() */
+    sin.sin_family = hp->h_addrtype;
+
+    for (h_addr_list = hp->h_addr_list;
+	 *h_addr_list;
+	 ++h_addr_list) {
+	memcpy(&sin.sin_addr, *h_addr_list, sizeof(sin.sin_addr));
+	fprintf (stderr, "Trying %s...\n", inet_ntoa(sin.sin_addr));
+
+	/* open a TCP socket */
+	sock = socket(PF_INET, SOCK_STREAM, 0);
+	if (sock < 0)
+	    err (1, "socket");
+
+	/* connect to the server */
+	if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
+	    break;
+	close (sock);
+    }
+
+    if (*h_addr_list == NULL)
+	err (1, "connect");
+
+    /* find out who I am, now that we are connected and therefore bound */
+    namelen = sizeof(lsin);
+    if (getsockname(sock, (struct sockaddr *) &lsin, &namelen) < 0) {
+	close (sock);
+	err (1, "getsockname");
+    }
+
+    /* call Kerberos library routine to obtain an authenticator,
+       pass it over the socket to the server, and obtain mutual
+       authentication. */
+
+    authopts = KOPT_DO_MUTUAL;
+    status = krb_sendauth(authopts, sock, &ticket,
+			  service, remote_host,
+			  NULL, cksum, &msg_data, &cred,
+			  sched, &lsin, &sin, SAMPLE_VERSION);
+    if (status != KSUCCESS)
+	errx (1, "cannot authenticate to server: %s",
+	      krb_get_err_text(status));
+
+    /* After we send the authenticator to the server, it will write
+       back the name we authenticated to. Read what it has to say. */
+    status = read(sock, buf, sizeof(buf));
+    if (status < 0)
+	errx(1, "read");
+
+    /* make sure it's null terminated before printing */
+    if (status < sizeof(buf))
+	buf[status] = '\0';
+    else
+	buf[sizeof(buf) - 1] = '\0';
+
+    printf("The server says:\n%s\n", buf);
+
+    close(sock);
+    return 0;
+}
diff --git a/crypto/kerberosIV/appl/sample/sample_server.c b/crypto/kerberosIV/appl/sample/sample_server.c
new file mode 100644
index 0000000..65b61ae
--- /dev/null
+++ b/crypto/kerberosIV/appl/sample/sample_server.c
@@ -0,0 +1,155 @@
+/* $FreeBSD$ */
+
+/*
+ *
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information,
+ * please see the file <mit-copyright.h>.
+ *
+ * sample_server:
+ * A sample Kerberos server, which reads a ticket from a TCP socket,
+ * decodes it, and writes back the results (in ASCII) to the client.
+ *
+ * Usage:
+ * sample_server
+ *
+ * file descriptor 0 (zero) should be a socket connected to the requesting
+ * client (this will be correct if this server is started by inetd).
+ */
+
+#include "sample.h"
+
+RCSID("$Id: sample_server.c,v 1.14.2.1 2000/06/28 19:08:00 assar Exp $");
+
+static void
+usage (void)
+{
+    fprintf (stderr, "Usage: %s [-i] [-s service] [-t srvtab]\n",
+	     __progname);
+    exit (1);
+}
+
+int
+main(int argc, char **argv)
+{
+    struct sockaddr_in peername, myname;
+    int namelen = sizeof(peername);
+    int status, count, len;
+    long authopts;
+    AUTH_DAT auth_data;
+    KTEXT_ST clt_ticket;
+    des_key_schedule sched;
+    char instance[INST_SZ];
+    char service[ANAME_SZ];
+    char version[KRB_SENDAUTH_VLEN+1];
+    char retbuf[512];
+    char lname[ANAME_SZ];
+    char srvtab[MaxPathLen];
+    int c;
+    int no_inetd = 0;
+
+    /* open a log connection */
+
+    set_progname (argv[0]);
+
+    roken_openlog(__progname, LOG_ODELAY, LOG_DAEMON);
+
+    strlcpy (service, SAMPLE_SERVICE, sizeof(service));
+    *srvtab = '\0';
+
+    while ((c = getopt (argc, argv, "s:t:i")) != -1)
+	switch (c) {
+	case 's' :
+	    strlcpy (service, optarg, sizeof(service));
+	    break;
+	case 't' :
+	    strlcpy (srvtab, optarg, sizeof(srvtab));
+	    break;
+	case 'i':
+	    no_inetd = 1;
+	    break;
+	case '?' :
+	default :
+	    usage ();
+	}
+
+    if (no_inetd)
+	mini_inetd (htons(SAMPLE_PORT));
+
+    /*
+     * To verify authenticity, we need to know the address of the
+     * client.
+     */
+    if (getpeername(STDIN_FILENO,
+		    (struct sockaddr *)&peername,
+		    &namelen) < 0) {
+	syslog(LOG_ERR, "getpeername: %m");
+	return 1;
+    }
+
+    /* for mutual authentication, we need to know our address */
+    namelen = sizeof(myname);
+    if (getsockname(STDIN_FILENO, (struct sockaddr *)&myname, &namelen) < 0) {
+	syslog(LOG_ERR, "getsocknamename: %m");
+	return 1;
+    }
+
+    /* read the authenticator and decode it.  Using `k_getsockinst' we
+     * always get the right instance on a multi-homed host.
+     */
+    k_getsockinst (STDIN_FILENO, instance, sizeof(instance));
+
+    /* we want mutual authentication */
+    authopts = KOPT_DO_MUTUAL;
+    status = krb_recvauth(authopts, STDIN_FILENO, &clt_ticket,
+			  service, instance, &peername, &myname,
+			  &auth_data, srvtab,
+			  sched, version);
+    if (status != KSUCCESS) {
+	snprintf(retbuf, sizeof(retbuf),
+		 "Kerberos error: %s\n",
+		 krb_get_err_text(status));
+	syslog(LOG_ERR, "%s", retbuf);
+    } else {
+	/* Check the version string (KRB_SENDAUTH_VLEN chars) */
+	if (strncmp(version, SAMPLE_VERSION, KRB_SENDAUTH_VLEN)) {
+	    /* didn't match the expected version */
+	    /* could do something different, but we just log an error
+	       and continue */
+	    version[8] = '\0';		/* make sure null term */
+	    syslog(LOG_ERR, "Version mismatch: '%s' isn't '%s'",
+		   version, SAMPLE_VERSION);
+	}
+	/* now that we have decoded the authenticator, translate
+	   the kerberos principal.instance@realm into a local name */
+	if (krb_kntoln(&auth_data, lname) != KSUCCESS)
+	    strlcpy(lname,
+			    "*No local name returned by krb_kntoln*",
+			    sizeof(lname));
+	/* compose the reply */
+	snprintf(retbuf, sizeof(retbuf),
+		"You are %s.%s@%s (local name %s),\n at address %s, version %s, cksum %ld\n",
+		auth_data.pname,
+		auth_data.pinst,
+		auth_data.prealm,
+		lname,
+		inet_ntoa(peername.sin_addr),
+		version,
+		(long)auth_data.checksum);
+    }
+
+    /* write back the response */
+    if ((count = write(0, retbuf, (len = strlen(retbuf) + 1))) < 0) {
+	syslog(LOG_ERR,"write: %m");
+	return 1;
+    } else if (count != len) {
+	syslog(LOG_ERR, "write count incorrect: %d != %d\n",
+		count, len);
+	return 1;
+    }
+
+    /* close up and exit */
+    close(0);
+    return 0;
+}
diff --git a/crypto/kerberosIV/appl/sample/simple.h b/crypto/kerberosIV/appl/sample/simple.h
new file mode 100644
index 0000000..17315b3
--- /dev/null
+++ b/crypto/kerberosIV/appl/sample/simple.h
@@ -0,0 +1,14 @@
+/*
+ * $Id: simple.h,v 1.3 1996/09/27 15:54:23 assar Exp $
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Common definitions for the simple UDP-based Kerberos-mediated
+ * server & client applications.
+ */
+
+#define SERVICE	"sample"
+#define	HOST	"bach"
diff --git a/crypto/kerberosIV/appl/sample/simple_client.c b/crypto/kerberosIV/appl/sample/simple_client.c
new file mode 100644
index 0000000..434150d
--- /dev/null
+++ b/crypto/kerberosIV/appl/sample/simple_client.c
@@ -0,0 +1,202 @@
+/*
+ *
+ * Copyright 1989 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Simple UDP-based sample client program.  For demonstration.
+ * This program performs no useful function.
+ */
+
+#include "sample.h"
+RCSID("$Id: simple_client.c,v 1.15 1999/11/13 06:29:01 assar Exp $");
+
+#define MSG "hi, Jennifer!"		/* message text */
+
+static int
+talkto(char *hostname, char *service, int port)
+{
+  int flags = 0;			/* flags for sendto() */
+  long len;
+  u_long cksum = 0L;		/* cksum not used */
+  char c_realm[REALM_SZ];		/* local Kerberos realm */
+  char *s_realm;			/* server's Kerberos realm */
+
+  KTEXT_ST k;			/* Kerberos data */
+  KTEXT ktxt = &k;
+
+  int sock, i;
+  struct hostent *host;
+  struct sockaddr_in s_sock;	/* server address */
+  char myhostname[MaxHostNameLen]; /* local hostname */
+
+  /* for krb_mk_safe/priv */
+  struct sockaddr_in c_sock;	/* client address */
+  CREDENTIALS c;			/* ticket & session key */
+  CREDENTIALS *cred = &c;
+
+  /* for krb_mk_priv */
+  des_key_schedule sched;		/* session key schedule */
+
+  /* Look up server host */
+  if ((host = gethostbyname(hostname)) == NULL) {
+    fprintf(stderr, "%s: unknown host \n", hostname);
+    return 1;
+  }
+
+  /* Set server's address */
+  memset(&s_sock, 0, sizeof(s_sock));
+  memcpy(&s_sock.sin_addr, host->h_addr, sizeof(s_sock.sin_addr));
+  s_sock.sin_family = AF_INET;
+  if (port)
+    s_sock.sin_port = port;
+  else
+    s_sock.sin_port = k_getportbyname (service, "tcp", htons(SAMPLE_PORT));
+
+  if (gethostname(myhostname, sizeof(myhostname)) < 0) {
+    warn("gethostname");
+    return 1;
+  }
+
+  if ((host = gethostbyname(myhostname)) == NULL) {
+    fprintf(stderr, "%s: unknown host\n", myhostname);
+    return 1;
+  }
+
+  /* Open a socket */
+  if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+    warn("socket SOCK_DGRAM");
+    return 1;
+  }
+
+  memset(&c_sock, 0, sizeof(c_sock));
+  memcpy(&c_sock.sin_addr, host->h_addr, sizeof(c_sock.sin_addr));
+  c_sock.sin_family = AF_INET;
+
+  /* Bind it to set the address; kernel will fill in port # */
+  if (bind(sock, (struct sockaddr *)&c_sock, sizeof(c_sock)) < 0) {
+    warn("bind");
+    return 1;
+  }
+	
+  /* Get local realm, not needed, just an example */
+  if ((i = krb_get_lrealm(c_realm, 1)) != KSUCCESS) {
+    fprintf(stderr, "can't find local Kerberos realm\n");
+    return 1;
+  }
+  printf("Local Kerberos realm is %s\n", c_realm);
+
+  /* Get Kerberos realm of host */
+  s_realm = krb_realmofhost(hostname);
+
+  /* PREPARE KRB_MK_REQ MESSAGE */
+
+  /* Get credentials for server, create krb_mk_req message */
+  if ((i = krb_mk_req(ktxt, service, hostname, s_realm, cksum))
+      != KSUCCESS) {
+    fprintf(stderr, "%s\n", krb_get_err_text(i));
+    return 1;
+  }
+  printf("Got credentials for %s.\n", service);
+
+  /* Send authentication info to server */
+  i = sendto(sock, (char *)ktxt->dat, ktxt->length, flags,
+	     (struct sockaddr *)&s_sock, sizeof(s_sock));
+  if (i < 0)
+    warn("sending datagram message");
+  printf("Sent authentication data: %d bytes\n", i);
+
+  /* PREPARE KRB_MK_SAFE MESSAGE */
+
+  /* Get my address */
+  memset(&c_sock, 0, sizeof(c_sock));
+  i = sizeof(c_sock);
+  if (getsockname(sock, (struct sockaddr *)&c_sock, &i) < 0) {
+    warn("getsockname");
+    return 1;
+  }
+
+  /* Get session key */
+  i = krb_get_cred(service, hostname, s_realm, cred);
+  if (i != KSUCCESS)
+    return 1;
+
+  /* Make the safe message */
+  len = krb_mk_safe(MSG, ktxt->dat, strlen(MSG)+1,
+		    &cred->session, &c_sock, &s_sock);
+
+  /* Send it */
+  i = sendto(sock, (char *)ktxt->dat, (int) len, flags,
+	     (struct sockaddr *)&s_sock, sizeof(s_sock));
+  if (i < 0)
+    warn("sending safe message");
+  printf("Sent checksummed message: %d bytes\n", i);
+
+  /* PREPARE KRB_MK_PRIV MESSAGE */
+
+#ifdef NOENCRYPTION
+  memset(sched, 0, sizeof(sched));
+#else
+  /* Get key schedule for session key */
+  des_key_sched(&cred->session, sched);
+#endif
+
+  /* Make the encrypted message */
+  len = krb_mk_priv(MSG, ktxt->dat, strlen(MSG)+1,
+		    sched, &cred->session, &c_sock, &s_sock);
+
+  /* Send it */
+  i = sendto(sock, (char *)ktxt->dat, (int) len, flags,
+	     (struct sockaddr *)&s_sock, sizeof(s_sock));
+  if (i < 0)
+    warn("sending encrypted message");
+  printf("Sent encrypted message: %d bytes\n", i);
+  return 0;
+}
+
+static void
+usage (void)
+{
+  fprintf (stderr, "Usage: %s [-s service] [-p port] hostname\n",
+	   __progname);
+  exit (1);
+}
+
+int
+main(int argc, char **argv)
+{
+  int ret = 0;
+  int port = 0;
+  char service[SNAME_SZ];
+  struct servent *serv;
+  int c;
+
+  set_progname (argv[0]);
+
+  strlcpy (service, SAMPLE_SERVICE, sizeof(service));
+
+  while ((c = getopt(argc, argv, "s:p:")) != -1)
+    switch(c) {
+    case 's' :
+      strlcpy (service, optarg, sizeof(service));
+      break;
+    case 'p' :
+      serv = getservbyname (optarg, "tcp");
+      if (serv)
+	port = serv->s_port;
+      else
+	port = htons(atoi(optarg));
+      break;
+    case '?' :
+    default :
+      usage();
+    }
+
+  argc -= optind;
+  argv += optind;
+
+  while (argc-- > 0)
+    ret &= talkto (*argv++, service, port);
+  return ret;
+}
diff --git a/crypto/kerberosIV/appl/sample/simple_server.c b/crypto/kerberosIV/appl/sample/simple_server.c
new file mode 100644
index 0000000..05baa4e
--- /dev/null
+++ b/crypto/kerberosIV/appl/sample/simple_server.c
@@ -0,0 +1,140 @@
+/*
+ *
+ * Copyright 1989 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Simple UDP-based server application.  For demonstration.
+ * This program performs no useful function.
+ */
+
+#include "sample.h"
+
+RCSID("$Id: simple_server.c,v 1.11 1999/11/13 06:29:24 assar Exp $");
+
+static void
+usage (void)
+{
+    fprintf (stderr, "Usage: %s [-p port] [-s service] [-t srvtab]\n",
+	     __progname);
+    exit (1);
+}
+
+int
+main(int argc, char **argv)
+{
+    char service[SNAME_SZ];
+    char instance[INST_SZ];
+    int port;
+    char srvtab[MaxPathLen];
+    struct sockaddr_in addr, otheraddr;
+    int c;
+    int sock;
+    int i;
+    int len;
+    KTEXT_ST k;
+    KTEXT ktxt = &k;
+    AUTH_DAT ad;
+    MSG_DAT msg_data;
+    des_key_schedule sched;
+
+    set_progname (argv[0]);
+    strlcpy (service, SAMPLE_SERVICE, sizeof(service));
+    strlcpy (instance, "*", sizeof(instance));
+    *srvtab = '\0';
+    port = 0;
+
+    while ((c = getopt (argc, argv, "p:s:t:")) != -1)
+	switch (c) {
+	case 'p' : {
+	    struct servent *sp;
+
+	    sp = getservbyname (optarg, "udp");
+	    if (sp)
+		port = sp->s_port;
+	    else
+		port = htons(atoi(optarg));
+	    break;
+	}
+	case 's' :
+	    strlcpy (service, optarg, sizeof(service));
+	    break;
+	case 't' :
+	    strlcpy (srvtab, optarg, sizeof(srvtab));
+	    break;
+	case '?' :
+	default :
+	    usage ();
+	}
+
+    if(port == 0)
+	port = k_getportbyname (SAMPLE_SERVICE, "udp", htons(SAMPLE_PORT));
+
+    memset (&addr, 0, sizeof(addr));
+    addr.sin_family = AF_INET;
+    addr.sin_port = port;
+
+    sock = socket (AF_INET, SOCK_DGRAM, 0);
+    if (sock < 0)
+	err (1, "socket");
+
+    if (bind (sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+	err (1, "bind");
+
+    /* GET KRB_MK_REQ MESSAGE */
+
+    i = read(sock, ktxt->dat, MAX_KTXT_LEN);
+    if (i < 0)
+	err (1, "read");
+
+    printf("Received %d bytes\n", i);
+    ktxt->length = i;
+
+    /* Check authentication info */
+    i = krb_rd_req(ktxt, service, instance, 0, &ad, "");
+    if (i != KSUCCESS)
+	errx (1, "krb_rd_req: %s", krb_get_err_text(i));
+    printf("Got authentication info from %s%s%s@%s\n", ad.pname,
+	   *ad.pinst ? "." : "", ad.pinst, ad.prealm);
+	
+    /* GET KRB_MK_SAFE MESSAGE */
+
+    /* use "recvfrom" so we know client's address */
+    len = sizeof(otheraddr);
+    i = recvfrom(sock, ktxt->dat, MAX_KTXT_LEN, 0,
+		 (struct sockaddr *)&otheraddr, &len);
+    if (i < 0)
+	err (1, "recvfrom");
+    printf("Received %d bytes\n", i);
+
+    /* Verify the checksummed message */
+    i = krb_rd_safe(ktxt->dat, i, &ad.session, &otheraddr,
+		    &addr, &msg_data);
+    if (i != KSUCCESS)
+	errx (1, "krb_rd_safe: %s", krb_get_err_text(i));
+    printf("Safe message is: %s\n", msg_data.app_data);
+	
+    /* NOW GET ENCRYPTED MESSAGE */
+
+#ifdef NOENCRYPTION
+    memset(sched, 0, sizeof(sched));
+#else
+    /* need key schedule for session key */
+    des_key_sched(&ad.session, sched);
+#endif
+
+    /* use "recvfrom" so we know client's address */
+    len = sizeof(otheraddr);
+    i = recvfrom(sock, ktxt->dat, MAX_KTXT_LEN, 0,
+		 (struct sockaddr *)&otheraddr, &len);
+    if (i < 0)
+	err (1, "recvfrom");
+    printf("Received %d bytes\n", i);
+    i = krb_rd_priv(ktxt->dat, i, sched, &ad.session, &otheraddr,
+		    &addr, &msg_data);
+    if (i != KSUCCESS)
+	errx (1, "krb_rd_priv: %s", krb_get_err_text(i));
+    printf("Decrypted message is: %s\n", msg_data.app_data);
+    return(0);
+}
diff --git a/crypto/kerberosIV/appl/telnet/ChangeLog b/crypto/kerberosIV/appl/telnet/ChangeLog
new file mode 100644
index 0000000..b2c27bc
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/ChangeLog
@@ -0,0 +1,286 @@
+2000-03-26  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (*): make sure to always call time, ctime,
+	and gmtime with `time_t's.  there were some types (like in
+	lastlog) that we believed to always be time_t.  this has proven
+	wrong on Solaris 8 in 64-bit mode, where they are stored as 32-bit
+	quantities but time_t has gone up to 64 bits
+
+1999-09-16  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c: revert 1.54, get_default_username should DTRT
+ 	now
+
+1999-09-05  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/utility.c (ttloop): make it return 1 if interrupted by a
+ 	signal, which must have been what was meant from the beginning
+
+	* telnetd/ext.h (ttloop): update prototype
+
+	* telnetd/authenc.c (telnet_spin): actually return the value from
+ 	ttloop (otherwise it's kind of bogus)
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (rmut): free utxp
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* telnet/main.c: add -G and config file support.  From Miroslav
+ 	Ruda <ruda@ics.muni.cz>
+
+	* telnetd/sys_term.c (rmut): work around utmpx strangness.  From
+ 	Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-08-02  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (doit): only free hp if != NULL.  From: Jonas
+ 	Oberg <jonas@coyote.org>
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (doit): remove unused variable mapped_sin
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/ext.h: update prototypes
+	
+	* telnetd/telnetd.c: make it handle v4 and v6 sockets.  (it
+	doesn't handle being given a v6 socket that's really talking to an
+	v4 adress (mapped) because the rest of the code in telnetd is not
+	able to handle it anyway).  please run two telnetd from your
+	inetd, one for v4 and one for v6.
+
+1999-07-07  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): extra bogus const-cast
+
+1999-07-06  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (start_login): print a different warning with
+ 	`-a otp'
+
+1999-06-24  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_send): set the addresses in the
+ 	auth_context
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* telnet/Makefile.am (INCLUDES): add $(INCLUDE_krb4)
+
+	* telnet/commands.c (togkrbdebug): conditionalize on
+ 	krb_disable_debug
+
+1999-06-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* telnet/commands.c: add kerberos debugging option
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): use get_default_username
+
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/state.c (telrcv): magic patch to make it work against
+ 	DOS Clarkson Telnet.  From Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-04-25  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_send): use
+	`krb5_auth_setkeytype' instead of `krb5_auth_setenctype' to make
+	sure we get a DES session key.
+
+Thu Apr  1 16:59:27 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/Makefile.am: don't run check-local
+
+	* telnet/Makefile.am: don't run check-local
+
+Mon Mar 29 16:11:33 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/sys_term.c: _CRAY -> HAVE_STRUCT_UTMP_UT_ID
+
+Sat Mar 20 00:12:54 1999  Assar Westerlund  <assar@sics.se>
+
+	* telnet/authenc.c (telnet_gets): remove old extern declarations
+
+Thu Mar 18 11:20:16 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/Makefile.am: include Makefile.am.common
+
+	* telnet/Makefile.am: include Makefile.am.common
+
+	* libtelnet/Makefile.am: include Makefile.am.common
+
+	* Makefile.am: include Makefile.am.common
+
+Mon Mar 15 17:40:53 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/telnetd.c: replace perror/exit with fatalperror
+
+Sat Mar 13 22:18:57 1999  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c (main): 0 -> STDIN_FILENO.  remove abs
+
+	* libtelnet/kerberos.c (kerberos4_is): syslog root logins
+
+Thu Mar 11 14:48:54 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/Makefile.in: add WFLAGS
+
+	* telnet/Makefile.in: add WFLAGS
+
+	* libtelnet/Makefile.in: add WFLAGS
+
+	* telnetd/sys_term.c: remove unused variables
+
+	* telnet/telnet.c: fix some warnings
+
+	* telnet/main.c: fix some warnings
+
+	* telnet/commands.c: fix types in format string
+
+	* libtelnet/auth.c: fix types in format string
+
+Mon Mar  1 10:50:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/sys_term.c: HAVE_UT_* -> HAVE_STRUCT_UTMP*_UT_*
+
+Mon Feb  1 04:08:36 1999  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): only call gethostbyname2 with AF_INET6
+ 	if we actually have IPv6.  From "Brandon S. Allbery KF8NH"
+ 	<allbery@kf8nh.apk.net>
+
+Sat Nov 21 16:51:00 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* telnetd/sys_term.c (cleanup): don't call vhangup() on sgi:s
+
+Fri Aug 14 16:29:18 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* libtelnet/kerberos.c: krb_put_int -> KRB_PUT_INT
+
+Thu Jul 23 20:29:05 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* libtelnet/kerberos5.c: use krb5_verify_authenticator_checksum
+
+Mon Jul 13 22:00:09 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): don't advance hostent->h_addr_list, use
+ 	a copy instead
+
+Wed May 27 04:19:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/sys_bsd.c (process_rings): correct call to `stilloob'
+
+Fri May 15 19:38:19 1998  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* libtelnet/kerberos5.c: Always print errors from mk_req.
+
+Fri May  1 07:16:59 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c: unifdef -DHAVE_H_ERRNO
+
+Sat Apr  4 15:00:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): moved the printing of `trying...' to the
+ 	loop
+
+Thu Mar 12 02:33:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/telnet_locl.h: include <term.h>. From Gregory S. Stark
+ 	<gsstark@mit.edu>
+
+Sat Feb 21 15:12:38 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/ext.h: add prototype for login_tty
+
+	* telnet/utilities.c (printsub): `direction' is now an int.
+
+	* libtelnet/misc-proto.h: add prototype for `printsub'
+
+Tue Feb 17 02:45:01 1998  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos.c (kerberos4_is): cred.pname should be
+ 	cred.pinst.  From <art@stacken.kth.se>
+
+Sun Feb 15 02:46:39 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnet/*/*.c: renamed `telnet' to `my_telnet' to avoid
+ 	conflicts with system header files on mklinux.
+
+Tue Feb 10 02:09:03 1998  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/telnetd.c: new signature for `getterminaltype' and
+ 	`auth_wait'
+
+	* libtelnet: changed the signature of the authentication method
+ 	`status'
+
+Sat Feb  7 07:21:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* */*.c: replace HAS_GETTOS by HAVE_PARSETOS and HAVE_GETTOSBYNAME
+
+Fri Dec 26 16:17:10 1997  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): repair support for numeric addresses
+
+Sun Dec 21 09:40:31 1997  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos.c: fix up lots of stuff related to the
+ 	forwarding of v4 tickets.
+
+	* libtelnet/kerberos5.c (kerberos5_forward): zero out `creds'.
+
+Mon Dec 15 20:53:13 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* telnet/sys_bsd.c: Don't turn off OPOST in 8bit-mode.
+
+Tue Dec  9 19:26:50 1997  Assar Westerlund  <assar@sics.se>
+
+	* telnet/main.c (main): add 'b' to getopt
+
+Sat Nov 29 03:28:54 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* telnet/telnet.c: Change binary mode to do just that, and add a
+ 	eight-bit mode for just passing all characters.
+
+Sun Nov 16 04:37:02 1997  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c (kerberos5_send): always ask for a session
+ 	key of type DES
+
+	* libtelnet/kerberos5.c: remove old garbage and fix call to
+ 	krb5_auth_con_setaddrs_from_fd
+
+Fri Nov 14 20:35:18 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* telnetd/telnetd.c: Output contents of /etc/issue.
+
+Mon Nov  3 07:09:16 1997  Assar Westerlund  <assar@sics.se>
+
+	* telnet/telnet_locl.h: only include <sys/termio.h> iff
+ 	!defined(HAVE_TERMIOS_H)
+
+	* libtelnet/kerberos.c (kerberos4_is): send the peer address to
+ 	krb_rd_req
+
+	* telnetd/telnetd.c (terminaltypeok): always return OK.  It used
+ 	to call `tgetent' to figure if it was a defined terminal type.
+  	It's possible to overflow tgetent so that's a bad idea.  The worst
+ 	that could happen by saying yes to all terminals is that the user
+ 	ends up with a terminal that has no definition on the local
+ 	system.  And besides, most telnet client has no support for
+ 	falling back to a different terminal type.
+
+Mon Oct 20 05:47:19 1997  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/kerberos5.c: remove lots of old junk.  clean-up.
+  	better error checking and reporting.  tell the user permission
+ 	denied much earlier.
+
+	* libtelnet/kerberos.c (kerberos4_is): only print
+ 	UserNameRequested if != NULL
+
diff --git a/crypto/kerberosIV/appl/telnet/Makefile.am b/crypto/kerberosIV/appl/telnet/Makefile.am
new file mode 100644
index 0000000..eec013b
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/Makefile.am
@@ -0,0 +1,11 @@
+# $Id: Makefile.am,v 1.6 1999/03/20 13:58:15 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = libtelnet telnet telnetd
+
+dist-hook:
+	$(mkinstalldirs) $(distdir)/arpa
+	$(INSTALL_DATA) $(srcdir)/arpa/telnet.h $(distdir)/arpa
+
+EXTRA_DIST = README.ORIG telnet.state
diff --git a/crypto/kerberosIV/appl/telnet/Makefile.in b/crypto/kerberosIV/appl/telnet/Makefile.in
new file mode 100644
index 0000000..840e757
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/Makefile.in
@@ -0,0 +1,42 @@
+# $Id: Makefile.in,v 1.20 1998/05/31 18:04:50 joda Exp $
+
+srcdir		= @srcdir@
+top_srcdir	= @top_srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+@SET_MAKE@
+
+CC = @CC@
+LINK = @LINK@
+RANLIB = @RANLIB@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@
+
+INSTALL = @INSTALL@
+
+SUBDIRS=libtelnet telnet telnetd
+
+all:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) all); done
+
+install:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) install); done
+
+uninstall:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) uninstall); done
+
+clean cleandir:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) clean); done
+
+distclean: 
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) distclean); done
+	rm -f Makefile *~
+
+.PHONY: all install uninstall clean cleandir distclean
diff --git a/crypto/kerberosIV/appl/telnet/README.ORIG b/crypto/kerberosIV/appl/telnet/README.ORIG
new file mode 100644
index 0000000..37b588f
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/README.ORIG
@@ -0,0 +1,743 @@
+
+This is a distribution of both client and server telnet.  These programs
+have been compiled on:
+			telnet	telnetd
+	4.4 BSD-Lite	  x	  x
+	4.3 BSD Reno	  X	  X
+	UNICOS 9.1	  X	  X
+	UNICOS 9.0	  X	  X
+	UNICOS 8.0	  X	  X
+	BSDI 2.0	  X	  X
+	Solaris 2.4       x       x (no linemode in server)
+	SunOs 4.1.4	  X	  X (no linemode in server)
+	Ultrix 4.3	  X	  X (no linemode in server)
+	Ultrix 4.1	  X	  X (no linemode in server)
+
+In addition, previous versions have been compiled on the following
+machines, but were not available for testing this version.
+			telnet	telnetd
+	Next1.0		  X	  X
+	UNICOS 8.3	  X	  X
+	UNICOS 7.C	  X	  X
+	UNICOS 7.0	  X	  X
+	SunOs 4.0.3c	  X	  X (no linemode in server)
+	4.3 BSD		  X  	  X (no linemode in server)
+	DYNIX V3.0.12	  X	  X (no linemode in server)
+	Ultrix 3.1	  X	  X (no linemode in server)
+	Ultrix 4.0	  X	  X (no linemode in server)
+	SunOs 3.5	  X	  X (no linemode in server)
+	SunOs 4.1.3	  X	  X (no linemode in server)
+	Solaris 2.2       x       x (no linemode in server)
+	Solaris 2.3       x       x (no linemode in server)
+	BSDI 1.0	  X	  X
+	BSDI 1.1	  X	  X
+	DYNIX V3.0.17.9	  X	  X (no linemode in server)
+	HP-UX 8.0	  x       x (no linemode in server)
+
+This code should work, but there are no guarantees.
+
+May 30, 1995
+
+This release represents what is on the 4.4BSD-Lite2 release, which
+should be the final BSD release.  I will continue to support of
+telnet, The code (without encryption) is available via anonymous ftp
+from ftp.cray.com, in src/telnet/telnet.YY.MM.DD.NE.tar.Z, where
+YY.MM.DD is replaced with the year, month and day of the release.
+If you can't find it at one of these places, at some point in the
+near future information about the latest releases should be available
+from ftp.borman.com.
+
+In addition, the version with the encryption code is available via
+ftp from net-dist.mit.edu, in the directory /pub/telnet.  There
+is a README file there that gives further information on how
+to get the distribution.
+
+Questions, comments, bug reports and bug fixes can be sent to
+one of these addresses:
+		dab@borman.com
+		dab@cray.com
+		dab@bsdi.com
+
+This release is mainly bug fixes and code cleanup.
+
+	Replace all calls to bcopy()/bzero() with calls to
+	memmove()/memset() and all calls to index()/rindex()
+	with calls to strchr()/strrchr().
+
+	Add some missing diagnostics for option tracing
+	to telnetd.
+
+	Add support for BSDI 2.0 and Solaris 2.4.
+
+	Add support for UNICOS 8.0
+
+	Get rid of expanded tabs and trailing white spaces.
+
+	From Paul Vixie:
+		Fix for telnet going into an endless spin
+		when the session dies abnormally.
+
+	From Jef Poskanzer:
+		Changes to allow telnet to compile
+		under SunOS 3.5.
+
+	From Philip Guenther:
+		makeutx() doesn't expand utmpx,
+		use pututxline() instead.
+
+	From Chris Torek:
+		Add a sleep(1) before execing login
+		to avoid race condition that can eat
+		up the login prompt.
+		Use terminal speed directly if it is
+		not an encoded value.
+
+	From Steve Parker:
+		Fix to realloc() call.  Fix for execing
+		login on solaris with no user name.
+
+January 19, 1994
+
+This is a list of some of the changes since the last tar release
+of telnet/telnetd.  There are probably other changes that aren't
+listed here, but this should hit a lot of the main ones.
+
+   General:
+	Changed #define for AUTHENTICATE to AUTHENTICATION
+	Changed #define for ENCRYPT to ENCRYPTION
+	Changed #define for DES_ENCRYPT to DES_ENCRYPTION
+
+	Added support for SPX authentication: -DSPX
+
+	Added support for Kerberos Version 5 authentication: -DKRB5
+
+	Added support for ANSI C function prototypes
+
+	Added support for the NEW-ENVIRON option (RFC-1572)
+	including support for USERVAR.
+
+	Made support for the old Environment Option (RFC-1408)
+	conditional on -DOLD_ENVIRON
+
+	Added #define ENV_HACK - support for RFC 1571
+
+	The encryption code is removed from the public distributions.
+	Domestic 4.4 BSD distributions contain the encryption code.
+
+	ENV_HACK: Code to deal with systems that only implement
+		the old ENVIRON option, and have reversed definitions
+		of ENV_VAR and ENV_VAL.  Also fixes ENV processing in
+		client to handle things besides just the default set...
+
+	NO_BSD_SETJMP: UNICOS configuration for
+		UNICOS 6.1/6.0/5.1/5.0 systems.
+
+	STREAMSPTY: Use /dev/ptmx to get a clean pty.  This
+		is for SVr4 derivatives (Like Solaris)
+
+	UTMPX: For systems that have /etc/utmpx. This is for
+		SVr4 derivatives (Like Solaris)
+
+	Definitions for BSDI 1.0
+
+	Definitions for 4.3 Reno and 4.4 BSD.
+
+	Definitions for UNICOS 8.0 and UNICOS 7.C
+
+	Definitions for Solaris 2.0
+
+	Definitions for HP-UX 8.0
+
+	Latest Copyright notices from Berkeley.
+
+	FLOW-CONTROL: support for RFC-XXXx
+
+
+   Client Specific:
+
+	Fix the "send" command to not send garbage...
+
+	Fix status message for "skiprc"
+
+	Make sure to send NAWS after telnet has been suspended
+	or an external command has been run, if the window size
+	has changed.
+
+	sysV88 support.
+
+   Server Specific:
+
+	Support flowcontrol option in non-linemode servers.
+
+	-k Server supports Kludge Linemode, but will default to
+	   either single character mode or real Linemode support.
+	   The user will have to explicitly ask to switch into
+	   kludge linemode. ("stty extproc", or escape back to
+	   to telnet and say "mode line".)
+
+	-u Specify the length of the hostname field in the utmp
+	   file.  Hostname longer than this length will be put
+	   into the utmp file in dotted decimal notation, rather
+	   than putting in a truncated hostname.
+	
+	-U Registered hosts only.  If a reverse hostname lookup
+	   fails, the connection will be refused.
+
+	-f/-F
+	   Allows forwarding of credentials for KRB5.
+
+Februrary 22, 1991:
+
+    Features:
+
+	This version of telnet/telnetd has support for both
+	the AUTHENTICATION and ENCRYPTION options.  The
+	AUTHENTICATION option is fairly well defined, and
+	an option number has been assigned to it.  The
+	ENCRYPTION option is still in a state of flux; an
+	option number has been assigned to, but it is still
+	subject to change.  The code is provided in this release
+	for experimental and testing purposes.
+
+	The telnet "send" command can now be used to send
+	do/dont/will/wont commands, with any telnet option
+	name.  The rules for when do/dont/will/wont are sent
+	are still followed, so just because the user requests
+	that one of these be sent doesn't mean that it will
+	be sent...
+
+	The telnet "getstatus" command no longer requires
+	that option printing be enabled to see the response
+	to the "DO STATUS" command.
+
+	A -n flag has been added to telnetd to disable
+	keepalives.
+
+	A new telnet command, "auth" has been added (if
+	AUTHENTICATE is defined).  It has four sub-commands,
+	"status", "disable", "enable" and "help".
+
+	A new telnet command, "encrypt" has been added (if
+	ENCRYPT is defined).  It has many sub-commands:
+	"enable", "type", "start", "stop", "input",
+	"-input", "output", "-output", "status", and "help".
+
+	The LOGOUT option is now supported by both telnet
+	and telnetd, a new command, "logout", was added
+	to support this.
+
+	Several new toggle options were added:
+	    "autoencrypt", "autodecrypt", "autologin", "authdebug",
+	    "encdebug", "skiprc", "verbose_encrypt"
+
+	An "rlogin" interface has been added.  If the program
+	is named "rlogin", or the "-r" flag is given, then
+	an rlogin type of interface will be used.
+		~.	Terminates the session
+		~<susp> Suspend the session
+		~^]	Escape to telnet command mode
+		~~	Pass through the ~.
+	    BUG: If you type the rlogin escape character
+		 in the middle of a line while in rlogin
+		 mode, you cannot erase it or any characters
+		 before it.  Hopefully this can be fixed
+		 in a future release...
+
+    General changes:
+
+	A "libtelnet.a" has now been created.  This libraray
+	contains code that is common to both telnet and
+	telnetd.  This is also where library routines that
+	are needed, but are not in the standard C library,
+	are placed.
+
+	The makefiles have been re-done.  All of the site
+	specific configuration information has now been put
+	into a single "Config.generic" file, in the top level
+	directory.  Changing this one file will take care of
+	all three subdirectories.  Also, to add a new/local
+	definition, a "Config.local" file may be created
+	at the top level; if that file exists, the subdirectories
+	will use that file instead of "Config.generic".
+
+	Many 1-2 line functions in commands.c have been
+	removed, and just inserted in-line, or replaced
+	with a macro.
+
+    Bug Fixes:
+
+	The non-termio code in both telnet and telnetd was
+	setting/clearing CTLECH in the sg_flags word.  This
+	was incorrect, and has been changed to set/clear the
+	LCTLECH bit in the local mode word.
+
+	The SRCRT #define has been removed.  If IP_OPTIONS
+	and IPPROTO_IP are defined on the system, then the
+	source route code is automatically enabled.
+
+	The NO_GETTYTAB #define has been removed; there
+	is a compatability routine that can be built into
+	libtelnet to achive the same results.
+
+	The server, telnetd, has been switched to use getopt()
+	for parsing the argument list.
+
+	The code for getting the input/output speeds via
+	cfgetispeed()/cfgetospeed() was still not quite
+	right in telnet.  Posix says if the ispeed is 0,
+	then it is really equal to the ospeed.
+
+	The suboption processing code in telnet now has
+	explicit checks to make sure that we received
+	the entire suboption (telnetd was already doing this).
+
+	The telnet code for processing the terminal type
+	could cause a core dump if an existing connection
+	was closed, and a new connection opened without
+	exiting telnet.
+
+	Telnetd was doing a TCSADRAIN when setting the new
+	terminal settings;  This is not good, because it means
+	that the tcsetattr() will hang waiting for output to
+	drain, and telnetd is the only one that will drain
+	the output...  The fix is to use TCSANOW which does
+	not wait.
+
+	Telnetd was improperly setting/clearing the ISTRIP
+	flag in the c_lflag field, it should be using the
+	c_iflag field. 
+
+	When the child process of telnetd was opening the
+	slave side of the pty, it was re-setting the EXTPROC
+	bit too early, and some of the other initialization
+	code was wiping it out.  This would cause telnetd
+	to go out of linemode and into single character mode.
+
+	One instance of leaving linemode in telnetd forgot
+	to send a WILL ECHO to the client, the net result
+	would be that the user would see double character
+	echo.
+
+	If the MODE was being changed several times very
+	quickly, telnetd could get out of sync with the
+	state changes and the returning acks; and wind up
+	being left in the wrong state.
+
+September 14, 1990:
+
+	Switch the client to use getopt() for parsing the
+	argument list.  The 4.3Reno getopt.c is included for
+	systems that don't have getopt().
+
+	Use the posix _POSIX_VDISABLE value for what value
+	to use when disabling special characters.  If this
+	is undefined, it defaults to 0x3ff.
+
+	For non-termio systems, TIOCSETP was being used to
+	change the state of the terminal.  This causes the
+	input queue to be flushed, which we don't want.  This
+	is now changed to TIOCSETN.
+
+	Take out the "#ifdef notdef" around the code in the
+	server that generates a "sync" when the pty oputput
+	is flushed.  The potential problem is that some older
+	telnet clients may go into an infinate loop when they
+	receive a "sync", if so, the server can be compiled
+	with "NO_URGENT" defined.
+
+	Fix the client where it was setting/clearing the OPOST
+	bit in the c_lflag field, not the c_oflag field.
+
+	Fix the client where it was setting/clearing the ISTRIP
+	bit in the c_lflag field, not the c_iflag field.  (On
+	4.3Reno, this is the ECHOPRT bit in the c_lflag field.)
+	The client also had its interpretation of WILL BINARY
+	and DO BINARY reversed.
+
+	Fix a bug in client that would cause a core dump when
+	attempting to remove the last environment variable.
+
+	In the client, there were a few places were switch()
+	was being passed a character, and if it was a negative
+	value, it could get sign extended, and not match
+	the 8 bit case statements.  The fix is to and the
+	switch value with 0xff.
+
+	Add a couple more printoption() calls in the client, I
+	don't think there are any more places were a telnet
+	command can be received and not printed out when
+	"options" is on.
+
+	A new flag has been added to the client, "-a".  Currently,
+	this just causes the USER name to be sent across, in
+	the future this may be used to signify that automatic
+	authentication is requested.
+
+	The USER variable is now only sent by the client if
+	the "-a" or "-l user" options are explicity used, or
+	if the user explicitly asks for the "USER" environment
+	variable to be exported.  In the server, if it receives
+	the "USER" environment variable, it won't print out the
+	banner message, so that only "Password:" will be printed.
+	This makes the symantics more like rlogin, and should be
+	more familiar to the user.  (People are not used to
+	getting a banner message, and then getting just a
+	"Password:" prompt.)
+
+	Re-vamp the code for starting up the child login
+	process.  The code was getting ugly, and it was
+	hard to tell what was really going on.  What we
+	do now is after the fork(), in the child:
+		1) make sure we have no controlling tty
+		2) open and initialize the tty
+		3) do a setsid()/setpgrp()
+		4) makes the tty our controlling tty.
+	On some systems, #2 makes the tty our controlling
+	tty, and #4 is a no-op.  The parent process does
+	a gets rid of any controlling tty after the child
+	is fork()ed.
+
+	Use the strdup() library routine in telnet, instead
+	of the local savestr() routine.  If you don't have
+	strdup(), you need to define NO_STRDUP.
+
+	Add support for ^T (SIGINFO/VSTATUS), found in the
+	4.3Reno distribution.  This maps to the AYT character.
+	You need a 4-line bugfix in the kernel to get this
+	to work properly:
+
+	> *** tty_pty.c.ORG	Tue Sep 11 09:41:53 1990
+	> --- tty_pty.c	Tue Sep 11 17:48:03 1990
+	> ***************
+	> *** 609,613 ****
+	> 			if ((tp->t_lflag&NOFLSH) == 0)
+	> 				ttyflush(tp, FREAD|FWRITE);
+	> ! 			pgsignal(tp->t_pgrp, *(unsigned int *)data);
+	> 			return(0);
+	> 		}
+	> --- 609,616 ----
+	> 			if ((tp->t_lflag&NOFLSH) == 0)
+	> 				ttyflush(tp, FREAD|FWRITE);
+	> ! 			pgsignal(tp->t_pgrp, *(unsigned int *)data, 1);
+	> ! 			if ((*(unsigned int *)data == SIGINFO) &&
+	> ! 			    ((tp->t_lflag&NOKERNINFO) == 0))
+	> ! 				ttyinfo(tp);
+	> 			return(0);
+	> 		}
+
+	The client is now smarter when setting the telnet escape
+	character; it only sets it to one of VEOL and VEOL2 if
+	one of them is undefined, and the other one is not already
+	defined to the telnet escape character.
+
+	Handle TERMIOS systems that have seperate input and output
+	line speed settings imbedded in the flags.
+
+	Many other minor bug fixes.
+
+June 20, 1990:
+	Re-organize makefiles and source tree.  The telnet/Source
+	directory is now gone, and all the source that was in
+	telnet/Source is now just in the telnet directory.
+
+	Seperate makefile for each system are now gone.  There
+	are two makefiles, Makefile and Makefile.generic.
+	The "Makefile" has the definitions for the various
+	system, and "Makefile.generic" does all the work.
+	There is a variable called "WHAT" that is used to
+	specify what to make.  For example, in the telnet
+	directory, you might say:
+		make 4.4bsd WHAT=clean
+	to clean out the directory.
+
+	Add support for the ENVIRON and XDISPLOC options.
+	In order for the server to work, login has to have
+	the "-p" option to preserve environment variables.
+
+	Add the SOFT_TAB and LIT_ECHO modes in the LINEMODE support.
+
+	Add the "-l user" option to command line and open command
+	(This is passed through the ENVIRON option).
+
+	Add the "-e" command line option, for setting the escape
+	character.
+
+	Add the "-D", diagnostic, option to the server.  This allows
+	the server to print out debug information, which is very
+	useful when trying to debug a telnet that doesn't have any
+	debugging ability.
+
+	Turn off the literal next character when not in LINEMODE.
+
+	Don't recognize ^Y locally, just pass it through.
+
+	Make minor modifications for Sun4.0 and Sun4.1
+
+	Add support for both FORW1 and FORW2 characters.  The
+	telnet escpape character is set to whichever of the
+	two is not being used.  If both are in use, the escape
+	character is not set, so when in linemode the user will
+	have to follow the escape character with a <CR> or <EOF)
+	to get it passed through.
+
+	Commands can now be put in single and double quotes, and
+	a backslash is now an escape character.  This is needed
+	for allowing arbitrary strings to be assigned to environment
+	variables.
+
+	Switch telnetd to use macros like telnet for keeping
+	track of the state of all the options.
+
+	Fix telnetd's processing of options so that we always do
+	the right processing of the LINEMODE option, regardless
+	of who initiates the request to turn it on.  Also, make
+	sure that if the other side went "WILL ECHO" in response
+	to our "DO ECHO", that we send a "DONT ECHO" to get the
+	option turned back off!
+
+	Fix the TERMIOS setting of the terminal speed to handle both
+	BSD's seperate fields, and the SYSV method of CBAUD bits.
+
+	Change how we deal with the other side refusing to enable
+	an option.  The sequence used to be: send DO option; receive
+	WONT option; send DONT option.  Now, the sequence is: send
+	DO option; receive WONT option.  Both should be valid
+	according to the spec, but there has been at least one
+	client implementation of telnet identified that can get
+	really confused by this.  (The exact sequence, from a trace
+	on the server side, is (numbers are number of responses that
+	we expect to get after that line...):
+
+		send WILL ECHO	1 (initial request)
+		send WONT ECHO	2 (server is changing state)
+		recv DO ECHO	1 (first reply, ok.  expect DONT ECHO next)
+		send WILL ECHO	2 (server changes state again)
+		recv DONT ECHO	1 (second reply, ok.  expect DO ECHO next)
+		recv DONT ECHO	0 (third reply, wrong answer. got DONT!!!)
+	***	send WONT ECHO	  (send WONT to acknowledge the DONT)
+		send WILL ECHO	1 (ask again to enable option)
+		recv DO ECHO	0
+
+		recv DONT ECHO	0
+		send WONT ECHO	1
+		recv DONT ECHO	0
+		recv DO ECHO	1
+		send WILL ECHO	0
+		(and the last 5 lines loop forever)
+
+	The line with the "***" is last of the WILL/DONT/WONT sequence.
+	The change to the server to not generate that makes this same
+	example become:
+
+		send will ECHO	1
+		send wont ECHO	2
+		recv do ECHO	1
+		send will ECHO	2
+		recv dont ECHO	1
+		recv dont ECHO	0
+		recv do ECHO	1
+		send will ECHO	0
+
+	There is other option negotiation going on, and not sending
+	the third part changes some of the timings, but this specific
+	example no longer gets stuck in a loop.  The "telnet.state"
+	file has been modified to reflect this change to the algorithm.
+
+	A bunch of miscellaneous bug fixes and changes to make
+	lint happier.
+
+	This version of telnet also has some KERBEROS stuff in
+	it. This has not been tested, it uses an un-authorized
+	telnet option number, and uses an out-of-date version
+	of the (still being defined) AUTHENTICATION option.
+	There is no support for this code, do not enable it.
+
+
+March 1, 1990:
+CHANGES/BUGFIXES SINCE LAST RELEASE:
+	Some support for IP TOS has been added.  Requires that the
+	kernel support the IP_TOS socket option (currently this
+	is only in UNICOS 6.0).
+
+	Both telnet and telnetd now use the cc_t typedef.  typedefs are
+	included for systems that don't have it (in termios.h).
+
+	SLC_SUSP was not supported properly before.  It is now.
+
+	IAC EOF was not translated  properly in telnetd for SYSV_TERMIO
+	when not in linemode.  It now saves a copy of the VEOF character,
+	so that when ICANON is turned off and we can't trust it anymore
+	(because it is now the VMIN character) we use the saved value.
+
+	There were two missing "break" commands in the linemode
+	processing code in telnetd.
+
+	Telnetd wasn't setting the kernel window size information
+	properly.  It was using the rows for both rows and columns...
+
+Questions/comments go to
+		David Borman
+		Cray Research, Inc.
+		655F Lone Oak Drive
+		Eagan, MN 55123
+		dab@cray.com.
+
+README:	You are reading it.
+
+Config.generic:
+	This file contains all the OS specific definitions.  It
+	has pre-definitions for many common system types, and is
+	in standard makefile fromat.  See the comments at the top
+	of the file for more information.
+
+Config.local:
+	This is not part of the distribution, but if this file exists,
+	it is used instead of "Config.generic".  This allows site
+	specific configuration without having to modify the distributed
+	"Config.generic" file.
+
+kern.diff:
+	This file contains the diffs for the changes needed for the
+	kernel to support LINEMODE is the server.  These changes are
+	for a 4.3BSD system.  You may need to make some changes for
+	your particular system.
+
+	There is a new bit in the terminal state word, TS_EXTPROC.
+	When this bit is set, several aspects of the terminal driver
+	are disabled.  Input line editing, character echo, and
+	mapping of signals are all disabled.  This allows the telnetd
+	to turn of these functions when in linemode, but still keep
+	track of what state the user wants the terminal to be in.
+
+	New ioctl()s:
+
+		TIOCEXT		Turn on/off the TS_EXTPROC bit
+		TIOCGSTATE	Get t_state of tty to look at TS_EXTPROC bit
+		TIOCSIG		Generate a signal to processes in the
+				current process group of the pty.
+
+	There is a new mode for packet driver, the TIOCPKT_IOCTL bit.
+	When packet mode is turned on in the pty, and the TS_EXTPROC
+	bit is set, then whenever the state of the pty is changed, the
+	next read on the master side of the pty will have the TIOCPKT_IOCTL
+	bit set, and the data will contain the following:
+		struct xx {
+			struct sgttyb a;
+			struct tchars b;
+			struct ltchars c;
+			int t_state;
+			int t_flags;
+		}
+	This allows the process on the server side of the pty to know
+	when the state of the terminal has changed, and what the new
+	state is.
+
+	However, if you define USE_TERMIO or SYSV_TERMIO, the code will
+	expect that the structure returned in the TIOCPKT_IOCTL is
+	the termio/termios structure.
+
+stty.diff:
+	This file contains the changes needed for the stty(1) program
+	to report on the current status of the TS_EXTPROC bit.  It also
+	allows the user to turn on/off the TS_EXTPROC bit.  This is useful
+	because it allows the user to say "stty -extproc", and the
+	LINEMODE option will be automatically disabled, and saying "stty
+	extproc" will re-enable the LINEMODE option.
+
+telnet.state:
+	Both the client and server have code in them to deal
+	with option negotiation loops.  The algorithm that is
+	used is described in this file.
+
+telnet:
+	This directory contains the client code.  No kernel changes are
+	needed to use this code.
+
+telnetd:
+	This directory contains the server code.  If LINEMODE or KLUDGELINEMODE
+	are defined, then the kernel modifications listed above are needed.
+
+libtelnet:
+	This directory contains code that is common to both the client
+	and the server.
+
+arpa:
+	This directory has a new <arpa/telnet.h>
+
+libtelnet/Makefile.4.4:
+telnet/Makefile.4.4:
+telnetd/Makefile.4.4:
+	These are the makefiles that can be used on a 4.3Reno
+	system when this software is installed in /usr/src/lib/libtelnet,
+	/usr/src/libexec/telnetd, and /usr/src/usr.bin/telnet.
+
+
+The following TELNET options are supported:
+	
+	LINEMODE:
+		The LINEMODE option is supported as per RFC1116.  The
+		FORWARDMASK option is not currently supported.
+
+	BINARY: The client has the ability to turn on/off the BINARY
+		option in each direction.  Turning on BINARY from
+		server to client causes the LITOUT bit to get set in
+		the terminal driver on both ends,  turning on BINARY
+		from the client to the server causes the PASS8 bit
+		to get set in the terminal driver on both ends.
+
+	TERMINAL-TYPE:
+		This is supported as per RFC1091.  On the server side,
+		when a terminal type is received, termcap/terminfo
+		is consulted to determine if it is a known terminal
+		type.  It keeps requesting terminal types until it
+		gets one that it recongnizes, or hits the end of the
+		list.  The server side looks up the entry in the
+		termcap/terminfo data base, and generates a list of
+		names which it then passes one at a time to each
+		request for a terminal type, duplicating the last
+		entry in the list before cycling back to the beginning.
+
+	NAWS:	The Negotiate about Window Size, as per RFC 1073.
+
+	TERMINAL-SPEED:
+		Implemented as per RFC 1079
+
+	TOGGLE-FLOW-CONTROL:
+		Implemented as per RFC 1080
+
+	TIMING-MARK:
+		As per RFC 860
+
+	SGA:	As per RFC 858
+
+	ECHO:	As per RFC 857
+
+	LOGOUT: As per RFC 727
+
+	STATUS:
+		The server will send its current status upon
+		request.  It does not ask for the clients status.
+		The client will request the servers current status
+		from the "send getstatus" command.
+
+	ENVIRON:
+		This option is currently being defined by the IETF
+		Telnet Working Group, and an RFC has not yet been
+		issued, but should be in the near future...
+
+	X-DISPLAY-LOCATION:
+		This functionality can be done through the ENVIRON
+		option, it is added here for completeness.
+
+	AUTHENTICATION:
+		This option is currently being defined by the IETF
+		Telnet Working Group, and an RFC has not yet been
+		issued.  The basic framework is pretty much decided,
+		but the definitions for the specific authentication
+		schemes is still in a state of flux.
+
+	ENCRYPTION:
+		This option is currently being defined by the IETF
+		Telnet Working Group, and an RFC has not yet been
+		issued.  The draft RFC is still in a state of flux,
+		so this code may change in the future.
diff --git a/crypto/kerberosIV/appl/telnet/arpa/telnet.h b/crypto/kerberosIV/appl/telnet/arpa/telnet.h
new file mode 100644
index 0000000..5d9ef60
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/arpa/telnet.h
@@ -0,0 +1,323 @@
+/*
+ * Copyright (c) 1983, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)telnet.h	8.2 (Berkeley) 12/15/93
+ */
+
+#ifndef _TELNET_H_
+#define	_TELNET_H_
+
+/*
+ * Definitions for the TELNET protocol.
+ */
+#define	IAC	255		/* interpret as command: */
+#define	DONT	254		/* you are not to use option */
+#define	DO	253		/* please, you use option */
+#define	WONT	252		/* I won't use option */
+#define	WILL	251		/* I will use option */
+#define	SB	250		/* interpret as subnegotiation */
+#define	GA	249		/* you may reverse the line */
+#define	EL	248		/* erase the current line */
+#define	EC	247		/* erase the current character */
+#define	AYT	246		/* are you there */
+#define	AO	245		/* abort output--but let prog finish */
+#define	IP	244		/* interrupt process--permanently */
+#define	BREAK	243		/* break */
+#define	DM	242		/* data mark--for connect. cleaning */
+#define	NOP	241		/* nop */
+#define	SE	240		/* end sub negotiation */
+#define EOR     239             /* end of record (transparent mode) */
+#define	ABORT	238		/* Abort process */
+#define	SUSP	237		/* Suspend process */
+#define	xEOF	236		/* End of file: EOF is already used... */
+
+#define SYNCH	242		/* for telfunc calls */
+
+#ifdef TELCMDS
+char *telcmds[] = {
+	"EOF", "SUSP", "ABORT", "EOR",
+	"SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC",
+	"EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC", 0,
+};
+#else
+extern char *telcmds[];
+#endif
+
+#define	TELCMD_FIRST	xEOF
+#define	TELCMD_LAST	IAC
+#define	TELCMD_OK(x)	((unsigned int)(x) <= TELCMD_LAST && \
+			 (unsigned int)(x) >= TELCMD_FIRST)
+#define	TELCMD(x)	telcmds[(x)-TELCMD_FIRST]
+
+/* telnet options */
+#define TELOPT_BINARY	0	/* 8-bit data path */
+#define TELOPT_ECHO	1	/* echo */
+#define	TELOPT_RCP	2	/* prepare to reconnect */
+#define	TELOPT_SGA	3	/* suppress go ahead */
+#define	TELOPT_NAMS	4	/* approximate message size */
+#define	TELOPT_STATUS	5	/* give status */
+#define	TELOPT_TM	6	/* timing mark */
+#define	TELOPT_RCTE	7	/* remote controlled transmission and echo */
+#define TELOPT_NAOL 	8	/* negotiate about output line width */
+#define TELOPT_NAOP 	9	/* negotiate about output page size */
+#define TELOPT_NAOCRD	10	/* negotiate about CR disposition */
+#define TELOPT_NAOHTS	11	/* negotiate about horizontal tabstops */
+#define TELOPT_NAOHTD	12	/* negotiate about horizontal tab disposition */
+#define TELOPT_NAOFFD	13	/* negotiate about formfeed disposition */
+#define TELOPT_NAOVTS	14	/* negotiate about vertical tab stops */
+#define TELOPT_NAOVTD	15	/* negotiate about vertical tab disposition */
+#define TELOPT_NAOLFD	16	/* negotiate about output LF disposition */
+#define TELOPT_XASCII	17	/* extended ascic character set */
+#define	TELOPT_LOGOUT	18	/* force logout */
+#define	TELOPT_BM	19	/* byte macro */
+#define	TELOPT_DET	20	/* data entry terminal */
+#define	TELOPT_SUPDUP	21	/* supdup protocol */
+#define	TELOPT_SUPDUPOUTPUT 22	/* supdup output */
+#define	TELOPT_SNDLOC	23	/* send location */
+#define	TELOPT_TTYPE	24	/* terminal type */
+#define	TELOPT_EOR	25	/* end or record */
+#define	TELOPT_TUID	26	/* TACACS user identification */
+#define	TELOPT_OUTMRK	27	/* output marking */
+#define	TELOPT_TTYLOC	28	/* terminal location number */
+#define	TELOPT_3270REGIME 29	/* 3270 regime */
+#define	TELOPT_X3PAD	30	/* X.3 PAD */
+#define	TELOPT_NAWS	31	/* window size */
+#define	TELOPT_TSPEED	32	/* terminal speed */
+#define	TELOPT_LFLOW	33	/* remote flow control */
+#define TELOPT_LINEMODE	34	/* Linemode option */
+#define TELOPT_XDISPLOC	35	/* X Display Location */
+#define TELOPT_OLD_ENVIRON 36	/* Old - Environment variables */
+#define	TELOPT_AUTHENTICATION 37/* Authenticate */
+#define	TELOPT_ENCRYPT	38	/* Encryption option */
+#define TELOPT_NEW_ENVIRON 39	/* New - Environment variables */
+#define	TELOPT_EXOPL	255	/* extended-options-list */
+
+
+#define	NTELOPTS	(1+TELOPT_NEW_ENVIRON)
+#ifdef TELOPTS
+char *telopts[NTELOPTS+1] = {
+	"BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME",
+	"STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP",
+	"NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS",
+	"NAOVTD", "NAOLFD", "EXTEND ASCII", "LOGOUT", "BYTE MACRO",
+	"DATA ENTRY TERMINAL", "SUPDUP", "SUPDUP OUTPUT",
+	"SEND LOCATION", "TERMINAL TYPE", "END OF RECORD",
+	"TACACS UID", "OUTPUT MARKING", "TTYLOC",
+	"3270 REGIME", "X.3 PAD", "NAWS", "TSPEED", "LFLOW",
+	"LINEMODE", "XDISPLOC", "OLD-ENVIRON", "AUTHENTICATION",
+	"ENCRYPT", "NEW-ENVIRON",
+	0,
+};
+#define	TELOPT_FIRST	TELOPT_BINARY
+#define	TELOPT_LAST	TELOPT_NEW_ENVIRON
+#define	TELOPT_OK(x)	((unsigned int)(x) <= TELOPT_LAST)
+#define	TELOPT(x)	telopts[(x)-TELOPT_FIRST]
+#endif
+
+/* sub-option qualifiers */
+#define	TELQUAL_IS	0	/* option is... */
+#define	TELQUAL_SEND	1	/* send option */
+#define	TELQUAL_INFO	2	/* ENVIRON: informational version of IS */
+#define	TELQUAL_REPLY	2	/* AUTHENTICATION: client version of IS */
+#define	TELQUAL_NAME	3	/* AUTHENTICATION: client version of IS */
+
+#define	LFLOW_OFF		0	/* Disable remote flow control */
+#define	LFLOW_ON		1	/* Enable remote flow control */
+#define	LFLOW_RESTART_ANY	2	/* Restart output on any char */
+#define	LFLOW_RESTART_XON	3	/* Restart output only on XON */
+
+/*
+ * LINEMODE suboptions
+ */
+
+#define	LM_MODE		1
+#define	LM_FORWARDMASK	2
+#define	LM_SLC		3
+
+#define	MODE_EDIT	0x01
+#define	MODE_TRAPSIG	0x02
+#define	MODE_ACK	0x04
+#define MODE_SOFT_TAB	0x08
+#define MODE_LIT_ECHO	0x10
+
+#define	MODE_MASK	0x1f
+
+/* Not part of protocol, but needed to simplify things... */
+#define MODE_FLOW		0x0100
+#define MODE_ECHO		0x0200
+#define MODE_INBIN		0x0400
+#define MODE_OUTBIN		0x0800
+#define MODE_FORCE		0x1000
+
+#define	SLC_SYNCH	1
+#define	SLC_BRK		2
+#define	SLC_IP		3
+#define	SLC_AO		4
+#define	SLC_AYT		5
+#define	SLC_EOR		6
+#define	SLC_ABORT	7
+#define	SLC_EOF		8
+#define	SLC_SUSP	9
+#define	SLC_EC		10
+#define	SLC_EL		11
+#define	SLC_EW		12
+#define	SLC_RP		13
+#define	SLC_LNEXT	14
+#define	SLC_XON		15
+#define	SLC_XOFF	16
+#define	SLC_FORW1	17
+#define	SLC_FORW2	18
+
+#define	NSLC		18
+
+/*
+ * For backwards compatability, we define SLC_NAMES to be the
+ * list of names if SLC_NAMES is not defined.
+ */
+#define	SLC_NAMELIST	"0", "SYNCH", "BRK", "IP", "AO", "AYT", "EOR", \
+			"ABORT", "EOF", "SUSP", "EC", "EL", "EW", "RP", \
+			"LNEXT", "XON", "XOFF", "FORW1", "FORW2", 0,
+#ifdef	SLC_NAMES
+char *slc_names[] = {
+	SLC_NAMELIST
+};
+#else
+extern char *slc_names[];
+#define	SLC_NAMES SLC_NAMELIST
+#endif
+
+#define	SLC_NAME_OK(x)	((unsigned int)(x) <= NSLC)
+#define SLC_NAME(x)	slc_names[x]
+
+#define	SLC_NOSUPPORT	0
+#define	SLC_CANTCHANGE	1
+#define	SLC_VARIABLE	2
+#define	SLC_DEFAULT	3
+#define	SLC_LEVELBITS	0x03
+
+#define	SLC_FUNC	0
+#define	SLC_FLAGS	1
+#define	SLC_VALUE	2
+
+#define	SLC_ACK		0x80
+#define	SLC_FLUSHIN	0x40
+#define	SLC_FLUSHOUT	0x20
+
+#define	OLD_ENV_VAR	1
+#define	OLD_ENV_VALUE	0
+#define	NEW_ENV_VAR	0
+#define	NEW_ENV_VALUE	1
+#define	ENV_ESC		2
+#define ENV_USERVAR	3
+
+/*
+ * AUTHENTICATION suboptions
+ */
+
+/*
+ * Who is authenticating who ...
+ */
+#define	AUTH_WHO_CLIENT		0	/* Client authenticating server */
+#define	AUTH_WHO_SERVER		1	/* Server authenticating client */
+#define	AUTH_WHO_MASK		1
+
+/*
+ * amount of authentication done
+ */
+#define	AUTH_HOW_ONE_WAY	0
+#define	AUTH_HOW_MUTUAL		2
+#define	AUTH_HOW_MASK		2
+
+#define	AUTHTYPE_NULL		0
+#define	AUTHTYPE_KERBEROS_V4	1
+#define	AUTHTYPE_KERBEROS_V5	2
+#define	AUTHTYPE_SPX		3
+#define	AUTHTYPE_MINK		4
+#define	AUTHTYPE_SRA		5
+#define	AUTHTYPE_CNT		6
+/* #define	AUTHTYPE_UNSECURE 6 */
+
+#define	AUTHTYPE_TEST		99
+
+#ifdef	AUTH_NAMES
+char *authtype_names[] = {
+	"NULL", "KERBEROS_V4", "KERBEROS_V5", "SPX", "MINK",
+	"SRA", 0,
+};
+#else
+extern char *authtype_names[];
+#endif
+
+#define	AUTHTYPE_NAME_OK(x)	((unsigned int)(x) < AUTHTYPE_CNT)
+#define	AUTHTYPE_NAME(x)	authtype_names[x]
+
+/*
+ * ENCRYPTion suboptions
+ */
+#define	ENCRYPT_IS		0	/* I pick encryption type ... */
+#define	ENCRYPT_SUPPORT		1	/* I support encryption types ... */
+#define	ENCRYPT_REPLY		2	/* Initial setup response */
+#define	ENCRYPT_START		3	/* Am starting to send encrypted */
+#define	ENCRYPT_END		4	/* Am ending encrypted */
+#define	ENCRYPT_REQSTART	5	/* Request you start encrypting */
+#define	ENCRYPT_REQEND		6	/* Request you send encrypting */
+#define	ENCRYPT_ENC_KEYID	7
+#define	ENCRYPT_DEC_KEYID	8
+#define	ENCRYPT_CNT		9
+
+#define	ENCTYPE_ANY		0
+#define	ENCTYPE_DES_CFB64	1
+#define	ENCTYPE_DES_OFB64	2
+#define	ENCTYPE_CNT		3
+
+#ifdef	ENCRYPT_NAMES
+char *encrypt_names[] = {
+	"IS", "SUPPORT", "REPLY", "START", "END",
+	"REQUEST-START", "REQUEST-END", "ENC-KEYID", "DEC-KEYID",
+	0,
+};
+char *enctype_names[] = {
+	"ANY", "DES_CFB64",  "DES_OFB64",  0,
+};
+#else
+extern char *encrypt_names[];
+extern char *enctype_names[];
+#endif
+
+
+#define	ENCRYPT_NAME_OK(x)	((unsigned int)(x) < ENCRYPT_CNT)
+#define	ENCRYPT_NAME(x)		encrypt_names[x]
+
+#define	ENCTYPE_NAME_OK(x)	((unsigned int)(x) < ENCTYPE_CNT)
+#define	ENCTYPE_NAME(x)		enctype_names[x]
+
+#endif /* !_TELNET_H_ */
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/Makefile.am b/crypto/kerberosIV/appl/telnet/libtelnet/Makefile.am
new file mode 100644
index 0000000..8806f88
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/Makefile.am
@@ -0,0 +1,24 @@
+# $Id: Makefile.am,v 1.8 1999/03/20 13:58:15 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4)
+
+noinst_LIBRARIES = libtelnet.a
+
+libtelnet_a_SOURCES = \
+	auth-proto.h	\
+	auth.c		\
+	auth.h		\
+	enc-proto.h	\
+	enc_des.c	\
+	encrypt.c	\
+	encrypt.h	\
+	genget.c	\
+	kerberos.c	\
+	kerberos5.c	\
+	misc-proto.h	\
+	misc.c		\
+	misc.h
+
+EXTRA_DIST = krb4encpwd.c rsaencpwd.c spx.c
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/Makefile.in b/crypto/kerberosIV/appl/telnet/libtelnet/Makefile.in
new file mode 100644
index 0000000..b8ca629
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/Makefile.in
@@ -0,0 +1,54 @@
+# $Id: Makefile.in,v 1.28 1999/03/11 13:50:00 joda Exp $
+
+srcdir		= @srcdir@
+top_srcdir	= @top_srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LIBNAME = $(LIBPREFIX)telnet
+LIBEXT = a
+LIBPREFIX = @LIBPREFIX@
+LIB = $(LIBNAME).$(LIBEXT)
+
+prefix = @prefix@
+
+SOURCES=auth.c encrypt.c genget.c enc_des.c misc.c kerberos.c kerberos5.c
+
+OBJECTS=auth.o encrypt.o genget.o enc_des.o misc.o kerberos.o kerberos5.o
+
+all: $(LIB)
+
+libtop = @libtop@
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../../include -I$(srcdir)/.. $(CFLAGS) $(CPPFLAGS) $<
+
+$(LIB): $(OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS)
+	-$(RANLIB) $@
+
+install:
+	@true
+
+uninstall:
+	@true
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+clean cleandir:
+	rm -f *.o *.a \#* *~ core
+
+distclean: clean
+	rm -f Makefile *~
+
+.PHONY: all install uninstall clean cleandir distclean
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/auth-proto.h b/crypto/kerberosIV/appl/telnet/libtelnet/auth-proto.h
new file mode 100644
index 0000000..bcc4c64
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/auth-proto.h
@@ -0,0 +1,122 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)auth-proto.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: auth-proto.h,v 1.9 1998/06/09 19:24:40 joda Exp $ */
+
+#ifdef AUTHENTICATION
+Authenticator *findauthenticator (int, int);
+
+int auth_wait (char *, size_t);
+void auth_disable_name (char *);
+void auth_finished (Authenticator *, int);
+void auth_gen_printsub (unsigned char *, int, unsigned char *, int);
+void auth_init (char *, int);
+void auth_is (unsigned char *, int);
+void auth_name(unsigned char*, int);
+void auth_reply (unsigned char *, int);
+void auth_request (void);
+void auth_send (unsigned char *, int);
+void auth_send_retry (void);
+void auth_printsub(unsigned char*, int, unsigned char*, int);
+int getauthmask(char *type, int *maskp);
+int auth_enable(char *type);
+int auth_disable(char *type);
+int auth_onoff(char *type, int on);
+int auth_togdebug(int on);
+int auth_status(void);
+int auth_sendname(unsigned char *cp, int len);
+void auth_debug(int mode);
+void auth_gen_printsub(unsigned char *data, int cnt,
+		       unsigned char *buf, int buflen);
+
+#ifdef UNSAFE
+int unsafe_init (Authenticator *, int);
+int unsafe_send (Authenticator *);
+void unsafe_is (Authenticator *, unsigned char *, int);
+void unsafe_reply (Authenticator *, unsigned char *, int);
+int unsafe_status (Authenticator *, char *, int);
+void unsafe_printsub (unsigned char *, int, unsigned char *, int);
+#endif
+
+#ifdef SRA
+int sra_init (Authenticator *, int);
+int sra_send (Authenticator *);
+void sra_is (Authenticator *, unsigned char *, int);
+void sra_reply (Authenticator *, unsigned char *, int);
+int sra_status (Authenticator *, char *, int);
+void sra_printsub (unsigned char *, int, unsigned char *, int);
+#endif
+
+#ifdef	KRB4
+int kerberos4_init (Authenticator *, int);
+int kerberos4_send_mutual (Authenticator *);
+int kerberos4_send_oneway (Authenticator *);
+void kerberos4_is (Authenticator *, unsigned char *, int);
+void kerberos4_reply (Authenticator *, unsigned char *, int);
+int kerberos4_status (Authenticator *, char *, size_t, int);
+void kerberos4_printsub (unsigned char *, int, unsigned char *, int);
+int kerberos4_forward(Authenticator *ap, void *);
+#endif
+
+#ifdef	KRB5
+int kerberos5_init (Authenticator *, int);
+int kerberos5_send_mutual (Authenticator *);
+int kerberos5_send_oneway (Authenticator *);
+void kerberos5_is (Authenticator *, unsigned char *, int);
+void kerberos5_reply (Authenticator *, unsigned char *, int);
+int kerberos5_status (Authenticator *, char *, size_t, int);
+void kerberos5_printsub (unsigned char *, int, unsigned char *, int);
+#endif
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/auth.c b/crypto/kerberosIV/appl/telnet/libtelnet/auth.c
new file mode 100644
index 0000000..31d3ede
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/auth.c
@@ -0,0 +1,657 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include <config.h>
+
+RCSID("$Id: auth.c,v 1.22 1999/03/11 13:48:52 joda Exp $");
+
+#if	defined(AUTHENTICATION)
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <signal.h>
+#define	AUTH_NAMES
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include <roken.h>
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc-proto.h"
+#include "auth-proto.h"
+
+#define	typemask(x)		(1<<((x)-1))
+
+#ifdef	KRB4_ENCPWD
+extern krb4encpwd_init();
+extern krb4encpwd_send();
+extern krb4encpwd_is();
+extern krb4encpwd_reply();
+extern krb4encpwd_status();
+extern krb4encpwd_printsub();
+#endif
+
+#ifdef	RSA_ENCPWD
+extern rsaencpwd_init();
+extern rsaencpwd_send();
+extern rsaencpwd_is();
+extern rsaencpwd_reply();
+extern rsaencpwd_status();
+extern rsaencpwd_printsub();
+#endif
+
+int auth_debug_mode = 0;
+static 	char	*Name = "Noname";
+static	int	Server = 0;
+static	Authenticator	*authenticated = 0;
+static	int	authenticating = 0;
+static	int	validuser = 0;
+static	unsigned char	_auth_send_data[256];
+static	unsigned char	*auth_send_data;
+static	int	auth_send_cnt = 0;
+
+/*
+ * Authentication types supported.  Plese note that these are stored
+ * in priority order, i.e. try the first one first.
+ */
+Authenticator authenticators[] = {
+#ifdef UNSAFE
+    { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      unsafe_init,
+      unsafe_send,
+      unsafe_is,
+      unsafe_reply,
+      unsafe_status,
+      unsafe_printsub },
+#endif
+#ifdef SRA
+    { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      sra_init,
+      sra_send,
+      sra_is,
+      sra_reply,
+      sra_status,
+      sra_printsub },
+#endif
+#ifdef	SPX
+    { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      spx_init,
+      spx_send,
+      spx_is,
+      spx_reply,
+      spx_status,
+      spx_printsub },
+    { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      spx_init,
+      spx_send,
+      spx_is,
+      spx_reply,
+      spx_status,
+      spx_printsub },
+#endif
+#ifdef	KRB5
+    { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      kerberos5_init,
+      kerberos5_send_mutual,
+      kerberos5_is,
+      kerberos5_reply,
+      kerberos5_status,
+      kerberos5_printsub },
+    { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      kerberos5_init,
+      kerberos5_send_oneway,
+      kerberos5_is,
+      kerberos5_reply,
+      kerberos5_status,
+      kerberos5_printsub },
+#endif
+#ifdef	KRB4
+    { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      kerberos4_init,
+      kerberos4_send_mutual,
+      kerberos4_is,
+      kerberos4_reply,
+      kerberos4_status,
+      kerberos4_printsub },
+    { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      kerberos4_init,
+      kerberos4_send_oneway,
+      kerberos4_is,
+      kerberos4_reply,
+      kerberos4_status,
+      kerberos4_printsub },
+#endif
+#ifdef	KRB4_ENCPWD
+    { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+      krb4encpwd_init,
+      krb4encpwd_send,
+      krb4encpwd_is,
+      krb4encpwd_reply,
+      krb4encpwd_status,
+      krb4encpwd_printsub },
+#endif
+#ifdef	RSA_ENCPWD
+    { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+      rsaencpwd_init,
+      rsaencpwd_send,
+      rsaencpwd_is,
+      rsaencpwd_reply,
+      rsaencpwd_status,
+      rsaencpwd_printsub },
+#endif
+    { 0, },
+};
+
+static Authenticator NoAuth = { 0 };
+
+static int	i_support = 0;
+static int	i_wont_support = 0;
+
+Authenticator *
+findauthenticator(int type, int way)
+{
+    Authenticator *ap = authenticators;
+
+    while (ap->type && (ap->type != type || ap->way != way))
+	++ap;
+    return(ap->type ? ap : 0);
+}
+
+void
+auth_init(char *name, int server)
+{
+    Authenticator *ap = authenticators;
+
+    Server = server;
+    Name = name;
+
+    i_support = 0;
+    authenticated = 0;
+    authenticating = 0;
+    while (ap->type) {
+	if (!ap->init || (*ap->init)(ap, server)) {
+	    i_support |= typemask(ap->type);
+	    if (auth_debug_mode)
+		printf(">>>%s: I support auth type %d %d\r\n",
+		       Name,
+		       ap->type, ap->way);
+	}
+	else if (auth_debug_mode)
+	    printf(">>>%s: Init failed: auth type %d %d\r\n",
+		   Name, ap->type, ap->way);
+	++ap;
+    }
+}
+
+void
+auth_disable_name(char *name)
+{
+    int x;
+    for (x = 0; x < AUTHTYPE_CNT; ++x) {
+	if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
+	    i_wont_support |= typemask(x);
+	    break;
+	}
+    }
+}
+
+int
+getauthmask(char *type, int *maskp)
+{
+    int x;
+
+    if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
+	*maskp = -1;
+	return(1);
+    }
+
+    for (x = 1; x < AUTHTYPE_CNT; ++x) {
+	if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
+	    *maskp = typemask(x);
+	    return(1);
+	}
+    }
+    return(0);
+}
+
+int
+auth_enable(char *type)
+{
+    return(auth_onoff(type, 1));
+}
+
+int
+auth_disable(char *type)
+{
+    return(auth_onoff(type, 0));
+}
+
+int
+auth_onoff(char *type, int on)
+{
+    int i, mask = -1;
+    Authenticator *ap;
+
+    if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
+	printf("auth %s 'type'\n", on ? "enable" : "disable");
+	printf("Where 'type' is one of:\n");
+	printf("\t%s\n", AUTHTYPE_NAME(0));
+	mask = 0;
+	for (ap = authenticators; ap->type; ap++) {
+	    if ((mask & (i = typemask(ap->type))) != 0)
+		continue;
+	    mask |= i;
+	    printf("\t%s\n", AUTHTYPE_NAME(ap->type));
+	}
+	return(0);
+    }
+
+    if (!getauthmask(type, &mask)) {
+	printf("%s: invalid authentication type\n", type);
+	return(0);
+    }
+    if (on)
+	i_wont_support &= ~mask;
+    else
+	i_wont_support |= mask;
+    return(1);
+}
+
+int
+auth_togdebug(int on)
+{
+    if (on < 0)
+	auth_debug_mode ^= 1;
+    else
+	auth_debug_mode = on;
+    printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
+    return(1);
+}
+
+int
+auth_status(void)
+{
+    Authenticator *ap;
+    int i, mask;
+
+    if (i_wont_support == -1)
+	printf("Authentication disabled\n");
+    else
+	printf("Authentication enabled\n");
+
+    mask = 0;
+    for (ap = authenticators; ap->type; ap++) {
+	if ((mask & (i = typemask(ap->type))) != 0)
+	    continue;
+	mask |= i;
+	printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
+	       (i_wont_support & typemask(ap->type)) ?
+	       "disabled" : "enabled");
+    }
+    return(1);
+}
+
+/*
+ * This routine is called by the server to start authentication
+ * negotiation.
+ */
+void
+auth_request(void)
+{
+    static unsigned char str_request[64] = { IAC, SB,
+					     TELOPT_AUTHENTICATION,
+					     TELQUAL_SEND, };
+    Authenticator *ap = authenticators;
+    unsigned char *e = str_request + 4;
+
+    if (!authenticating) {
+	authenticating = 1;
+	while (ap->type) {
+	    if (i_support & ~i_wont_support & typemask(ap->type)) {
+		if (auth_debug_mode) {
+		    printf(">>>%s: Sending type %d %d\r\n",
+			   Name, ap->type, ap->way);
+		}
+		*e++ = ap->type;
+		*e++ = ap->way;
+	    }
+	    ++ap;
+	}
+	*e++ = IAC;
+	*e++ = SE;
+	telnet_net_write(str_request, e - str_request);
+	printsub('>', &str_request[2], e - str_request - 2);
+    }
+}
+
+/*
+ * This is called when an AUTH SEND is received.
+ * It should never arrive on the server side (as only the server can
+ * send an AUTH SEND).
+ * You should probably respond to it if you can...
+ *
+ * If you want to respond to the types out of order (i.e. even
+ * if he sends  LOGIN KERBEROS and you support both, you respond
+ * with KERBEROS instead of LOGIN (which is against what the
+ * protocol says)) you will have to hack this code...
+ */
+void
+auth_send(unsigned char *data, int cnt)
+{
+    Authenticator *ap;
+    static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_IS, AUTHTYPE_NULL, 0,
+					IAC, SE };
+    if (Server) {
+	if (auth_debug_mode) {
+	    printf(">>>%s: auth_send called!\r\n", Name);
+	}
+	return;
+    }
+
+    if (auth_debug_mode) {
+	printf(">>>%s: auth_send got:", Name);
+	printd(data, cnt); printf("\r\n");
+    }
+
+    /*
+     * Save the data, if it is new, so that we can continue looking
+     * at it if the authorization we try doesn't work
+     */
+    if (data < _auth_send_data ||
+	data > _auth_send_data + sizeof(_auth_send_data)) {
+	auth_send_cnt = cnt > sizeof(_auth_send_data)
+	    ? sizeof(_auth_send_data)
+	    : cnt;
+	memmove(_auth_send_data, data, auth_send_cnt);
+	auth_send_data = _auth_send_data;
+    } else {
+	/*
+	 * This is probably a no-op, but we just make sure
+	 */
+	auth_send_data = data;
+	auth_send_cnt = cnt;
+    }
+    while ((auth_send_cnt -= 2) >= 0) {
+	if (auth_debug_mode)
+	    printf(">>>%s: He supports %d\r\n",
+		   Name, *auth_send_data);
+	if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
+	    ap = findauthenticator(auth_send_data[0],
+				   auth_send_data[1]);
+	    if (ap && ap->send) {
+		if (auth_debug_mode)
+		    printf(">>>%s: Trying %d %d\r\n",
+			   Name, auth_send_data[0],
+			   auth_send_data[1]);
+		if ((*ap->send)(ap)) {
+		    /*
+		     * Okay, we found one we like
+		     * and did it.
+		     * we can go home now.
+		     */
+		    if (auth_debug_mode)
+			printf(">>>%s: Using type %d\r\n",
+			       Name, *auth_send_data);
+		    auth_send_data += 2;
+		    return;
+		}
+	    }
+	    /* else
+	     *	just continue on and look for the
+	     *	next one if we didn't do anything.
+	     */
+	}
+	auth_send_data += 2;
+    }
+    telnet_net_write(str_none, sizeof(str_none));
+    printsub('>', &str_none[2], sizeof(str_none) - 2);
+    if (auth_debug_mode)
+	printf(">>>%s: Sent failure message\r\n", Name);
+    auth_finished(0, AUTH_REJECT);
+#ifdef KANNAN
+    /*
+     *  We requested strong authentication, however no mechanisms worked.
+     *  Therefore, exit on client end.
+     */
+    printf("Unable to securely authenticate user ... exit\n");
+    exit(0);
+#endif /* KANNAN */
+}
+
+void
+auth_send_retry(void)
+{
+    /*
+     * if auth_send_cnt <= 0 then auth_send will end up rejecting
+     * the authentication and informing the other side of this.
+	 */
+    auth_send(auth_send_data, auth_send_cnt);
+}
+
+void
+auth_is(unsigned char *data, int cnt)
+{
+    Authenticator *ap;
+
+    if (cnt < 2)
+	return;
+
+    if (data[0] == AUTHTYPE_NULL) {
+	auth_finished(0, AUTH_REJECT);
+	return;
+    }
+
+    if ((ap = findauthenticator(data[0], data[1]))) {
+	if (ap->is)
+	    (*ap->is)(ap, data+2, cnt-2);
+    } else if (auth_debug_mode)
+	printf(">>>%s: Invalid authentication in IS: %d\r\n",
+	       Name, *data);
+}
+
+void
+auth_reply(unsigned char *data, int cnt)
+{
+    Authenticator *ap;
+
+    if (cnt < 2)
+	return;
+
+    if ((ap = findauthenticator(data[0], data[1]))) {
+	if (ap->reply)
+	    (*ap->reply)(ap, data+2, cnt-2);
+    } else if (auth_debug_mode)
+	printf(">>>%s: Invalid authentication in SEND: %d\r\n",
+	       Name, *data);
+}
+
+void
+auth_name(unsigned char *data, int cnt)
+{
+    char savename[256];
+
+    if (cnt < 1) {
+	if (auth_debug_mode)
+	    printf(">>>%s: Empty name in NAME\r\n", Name);
+	return;
+    }
+    if (cnt > sizeof(savename) - 1) {
+	if (auth_debug_mode)
+	    printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n",
+		   Name, cnt, (unsigned long)(sizeof(savename)-1));
+	return;
+    }
+    memmove(savename, data, cnt);
+    savename[cnt] = '\0';	/* Null terminate */
+    if (auth_debug_mode)
+	printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
+    auth_encrypt_user(savename);
+}
+
+int
+auth_sendname(unsigned char *cp, int len)
+{
+    static unsigned char str_request[256+6]
+	= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
+    unsigned char *e = str_request + 4;
+    unsigned char *ee = &str_request[sizeof(str_request)-2];
+
+    while (--len >= 0) {
+	if ((*e++ = *cp++) == IAC)
+	    *e++ = IAC;
+	if (e >= ee)
+	    return(0);
+    }
+    *e++ = IAC;
+    *e++ = SE;
+    telnet_net_write(str_request, e - str_request);
+    printsub('>', &str_request[2], e - &str_request[2]);
+    return(1);
+}
+
+void
+auth_finished(Authenticator *ap, int result)
+{
+    if (!(authenticated = ap))
+	authenticated = &NoAuth;
+    validuser = result;
+}
+
+/* ARGSUSED */
+static void
+auth_intr(int sig)
+{
+    auth_finished(0, AUTH_REJECT);
+}
+
+int
+auth_wait(char *name, size_t name_sz)
+{
+    if (auth_debug_mode)
+	printf(">>>%s: in auth_wait.\r\n", Name);
+
+    if (Server && !authenticating)
+	return(0);
+
+    signal(SIGALRM, auth_intr);
+    alarm(30);
+    while (!authenticated)
+	if (telnet_spin())
+	    break;
+    alarm(0);
+    signal(SIGALRM, SIG_DFL);
+
+    /*
+     * Now check to see if the user is valid or not
+     */
+    if (!authenticated || authenticated == &NoAuth)
+	return(AUTH_REJECT);
+
+    if (validuser == AUTH_VALID)
+	validuser = AUTH_USER;
+
+    if (authenticated->status)
+	validuser = (*authenticated->status)(authenticated,
+					     name, name_sz,
+					     validuser);
+    return(validuser);
+}
+
+void
+auth_debug(int mode)
+{
+    auth_debug_mode = mode;
+}
+
+void
+auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    Authenticator *ap;
+
+    if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
+	(*ap->printsub)(data, cnt, buf, buflen);
+    else
+	auth_gen_printsub(data, cnt, buf, buflen);
+}
+
+void
+auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    unsigned char *cp;
+    unsigned char tbuf[16];
+
+    cnt -= 3;
+    data += 3;
+    buf[buflen-1] = '\0';
+    buf[buflen-2] = '*';
+    buflen -= 2;
+    for (; cnt > 0; cnt--, data++) {
+	snprintf(tbuf, sizeof(tbuf), " %d", *data);
+	for (cp = tbuf; *cp && buflen > 0; --buflen)
+	    *buf++ = *cp++;
+	if (buflen <= 0)
+	    return;
+    }
+    *buf = '\0';
+}
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/auth.h b/crypto/kerberosIV/appl/telnet/libtelnet/auth.h
new file mode 100644
index 0000000..83dd701
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/auth.h
@@ -0,0 +1,81 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)auth.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: auth.h,v 1.4 1998/06/09 19:24:41 joda Exp $ */
+
+#ifndef	__AUTH__
+#define	__AUTH__
+
+#define	AUTH_REJECT	0	/* Rejected */
+#define	AUTH_UNKNOWN	1	/* We don't know who he is, but he's okay */
+#define	AUTH_OTHER	2	/* We know him, but not his name */
+#define	AUTH_USER	3	/* We know he name */
+#define	AUTH_VALID	4	/* We know him, and he needs no password */
+
+typedef struct XauthP {
+	int	type;
+	int	way;
+	int	(*init) (struct XauthP *, int);
+	int	(*send) (struct XauthP *);
+	void	(*is) (struct XauthP *, unsigned char *, int);
+	void	(*reply) (struct XauthP *, unsigned char *, int);
+	int	(*status) (struct XauthP *, char *, size_t, int);
+	void	(*printsub) (unsigned char *, int, unsigned char *, int);
+} Authenticator;
+
+#include "auth-proto.h"
+
+extern int auth_debug_mode;
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/enc-proto.h b/crypto/kerberosIV/appl/telnet/libtelnet/enc-proto.h
new file mode 100644
index 0000000..cb0077d
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/enc-proto.h
@@ -0,0 +1,132 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)enc-proto.h	8.1 (Berkeley) 6/4/93
+ *
+ *	@(#)enc-proto.h	5.2 (Berkeley) 3/22/91
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: enc-proto.h,v 1.9 1998/07/09 23:16:22 assar Exp $ */
+
+#if	defined(ENCRYPTION)
+Encryptions *findencryption (int);
+Encryptions *finddecryption(int);
+int EncryptAutoDec(int);
+int EncryptAutoEnc(int);
+int EncryptDebug(int);
+int EncryptDisable(char*, char*);
+int EncryptEnable(char*, char*);
+int EncryptStart(char*);
+int EncryptStartInput(void);
+int EncryptStartOutput(void);
+int EncryptStatus(void);
+int EncryptStop(char*);
+int EncryptStopInput(void);
+int EncryptStopOutput(void);
+int EncryptType(char*, char*);
+int EncryptVerbose(int);
+void decrypt_auto(int);
+void encrypt_auto(int);
+void encrypt_debug(int);
+void encrypt_dec_keyid(unsigned char*, int);
+void encrypt_display(void);
+void encrypt_enc_keyid(unsigned char*, int);
+void encrypt_end(void);
+void encrypt_gen_printsub(unsigned char*, int, unsigned char*, int);
+void encrypt_init(char*, int);
+void encrypt_is(unsigned char*, int);
+void encrypt_list_types(void);
+void encrypt_not(void);
+void encrypt_printsub(unsigned char*, int, unsigned char*, int);
+void encrypt_reply(unsigned char*, int);
+void encrypt_request_end(void);
+void encrypt_request_start(unsigned char*, int);
+void encrypt_send_end(void);
+void encrypt_send_keyid(int, unsigned char*, int, int);
+void encrypt_send_request_end(void);
+void encrypt_send_request_start(void);
+void encrypt_send_support(void);
+void encrypt_session_key(Session_Key*, int);
+void encrypt_start(unsigned char*, int);
+void encrypt_start_output(int);
+void encrypt_support(unsigned char*, int);
+void encrypt_verbose_quiet(int);
+void encrypt_wait(void);
+int encrypt_delay(void);
+
+#ifdef	TELENTD
+void encrypt_wait (void);
+#else
+void encrypt_display (void);
+#endif
+
+void cfb64_encrypt (unsigned char *, int);
+int cfb64_decrypt (int);
+void cfb64_init (int);
+int cfb64_start (int, int);
+int cfb64_is (unsigned char *, int);
+int cfb64_reply (unsigned char *, int);
+void cfb64_session (Session_Key *, int);
+int cfb64_keyid (int, unsigned char *, int *);
+void cfb64_printsub (unsigned char *, int, unsigned char *, int);
+
+void ofb64_encrypt (unsigned char *, int);
+int ofb64_decrypt (int);
+void ofb64_init (int);
+int ofb64_start (int, int);
+int ofb64_is (unsigned char *, int);
+int ofb64_reply (unsigned char *, int);
+void ofb64_session (Session_Key *, int);
+int ofb64_keyid (int, unsigned char *, int *);
+void ofb64_printsub (unsigned char *, int, unsigned char *, int);
+
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/enc_des.c b/crypto/kerberosIV/appl/telnet/libtelnet/enc_des.c
new file mode 100644
index 0000000..ec13b3f
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/enc_des.c
@@ -0,0 +1,672 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+/* $FreeBSD$ */
+
+#include <config.h>
+
+RCSID("$Id: enc_des.c,v 1.16 1998/07/09 23:16:23 assar Exp $");
+
+#if	defined(AUTHENTICATION) && defined(ENCRYPTION) && defined(DES_ENCRYPTION)
+#include <arpa/telnet.h>
+#include <stdio.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#include <string.h>
+#endif
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "misc-proto.h"
+
+#include <openssl/des.h>
+
+extern int encrypt_debug_mode;
+
+#define	CFB	0
+#define	OFB	1
+
+#define	NO_SEND_IV	1
+#define	NO_RECV_IV	2
+#define	NO_KEYID	4
+#define	IN_PROGRESS	(NO_SEND_IV|NO_RECV_IV|NO_KEYID)
+#define	SUCCESS		0
+#define	FAILED		-1
+
+
+struct stinfo {
+  des_cblock	str_output;
+  des_cblock	str_feed;
+  des_cblock	str_iv;
+  des_cblock	str_ikey;
+  des_key_schedule str_sched;
+  int		str_index;
+  int		str_flagshift;
+};
+
+struct fb {
+	des_cblock krbdes_key;
+	des_key_schedule krbdes_sched;
+	des_cblock temp_feed;
+	unsigned char fb_feed[64];
+	int need_start;
+	int state[2];
+	int keyid[2];
+	int once;
+	struct stinfo streams[2];
+};
+
+static struct fb fb[2];
+
+struct keyidlist {
+	char	*keyid;
+	int	keyidlen;
+	char	*key;
+	int	keylen;
+	int	flags;
+} keyidlist [] = {
+	{ "\0", 1, 0, 0, 0 },		/* default key of zero */
+	{ 0, 0, 0, 0, 0 }
+};
+
+#define	KEYFLAG_MASK	03
+
+#define	KEYFLAG_NOINIT	00
+#define	KEYFLAG_INIT	01
+#define	KEYFLAG_OK	02
+#define	KEYFLAG_BAD	03
+
+#define	KEYFLAG_SHIFT	2
+
+#define	SHIFT_VAL(a,b)	(KEYFLAG_SHIFT*((a)+((b)*2)))
+
+#define	FB64_IV		1
+#define	FB64_IV_OK	2
+#define	FB64_IV_BAD	3
+
+
+void fb64_stream_iv (des_cblock, struct stinfo *);
+void fb64_init (struct fb *);
+static int fb64_start (struct fb *, int, int);
+int fb64_is (unsigned char *, int, struct fb *);
+int fb64_reply (unsigned char *, int, struct fb *);
+static void fb64_session (Session_Key *, int, struct fb *);
+void fb64_stream_key (des_cblock, struct stinfo *);
+int fb64_keyid (int, unsigned char *, int *, struct fb *);
+
+void cfb64_init(int server)
+{
+	fb64_init(&fb[CFB]);
+	fb[CFB].fb_feed[4] = ENCTYPE_DES_CFB64;
+	fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, CFB);
+	fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, CFB);
+}
+
+
+void ofb64_init(int server)
+{
+	fb64_init(&fb[OFB]);
+	fb[OFB].fb_feed[4] = ENCTYPE_DES_OFB64;
+	fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, OFB);
+	fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, OFB);
+}
+
+void fb64_init(struct fb *fbp)
+{
+	memset(fbp,0, sizeof(*fbp));
+	fbp->state[0] = fbp->state[1] = FAILED;
+	fbp->fb_feed[0] = IAC;
+	fbp->fb_feed[1] = SB;
+	fbp->fb_feed[2] = TELOPT_ENCRYPT;
+	fbp->fb_feed[3] = ENCRYPT_IS;
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ *	 2: Not yet.  Other things (like getting the key from
+ *	    Kerberos) have to happen before we can continue.
+ */
+int cfb64_start(int dir, int server)
+{
+	return(fb64_start(&fb[CFB], dir, server));
+}
+
+int ofb64_start(int dir, int server)
+{
+	return(fb64_start(&fb[OFB], dir, server));
+}
+
+static int fb64_start(struct fb *fbp, int dir, int server)
+{
+	int x;
+	unsigned char *p;
+	int state;
+
+	switch (dir) {
+	case DIR_DECRYPT:
+		/*
+		 * This is simply a request to have the other side
+		 * start output (our input).  He will negotiate an
+		 * IV so we need not look for it.
+		 */
+		state = fbp->state[dir-1];
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		break;
+
+	case DIR_ENCRYPT:
+		state = fbp->state[dir-1];
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		else if ((state & NO_SEND_IV) == 0) {
+			break;
+		}
+
+		if (!VALIDKEY(fbp->krbdes_key)) {
+		        fbp->need_start = 1;
+			break;
+		}
+
+		state &= ~NO_SEND_IV;
+		state |= NO_RECV_IV;
+		if (encrypt_debug_mode)
+			printf("Creating new feed\r\n");
+		/*
+		 * Create a random feed and send it over.
+		 */
+#ifndef OLD_DES_RANDOM_KEY
+		des_new_random_key(&fbp->temp_feed);
+#else
+		/*
+		 * From des_cryp.man "If the des_check_key flag is non-zero,
+		 *  des_set_key will check that the key passed is
+		 *  of odd parity and is not a week or semi-weak key."
+		 */
+		do {
+			des_random_key(fbp->temp_feed);
+			des_set_odd_parity(fbp->temp_feed);
+		} while (des_is_weak_key(fbp->temp_feed));
+#endif
+		des_ecb_encrypt(&fbp->temp_feed,
+				&fbp->temp_feed,
+				fbp->krbdes_sched, 1);
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_IS;
+		p++;
+		*p++ = FB64_IV;
+		for (x = 0; x < sizeof(des_cblock); ++x) {
+			if ((*p++ = fbp->temp_feed[x]) == IAC)
+				*p++ = IAC;
+		}
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
+		break;
+	default:
+		return(FAILED);
+	}
+	return(fbp->state[dir-1] = state);
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ */
+
+int cfb64_is(unsigned char *data, int cnt)
+{
+	return(fb64_is(data, cnt, &fb[CFB]));
+}
+
+int ofb64_is(unsigned char *data, int cnt)
+{
+	return(fb64_is(data, cnt, &fb[OFB]));
+}
+
+
+int fb64_is(unsigned char *data, int cnt, struct fb *fbp)
+{
+	unsigned char *p;
+	int state = fbp->state[DIR_DECRYPT-1];
+
+	if (cnt-- < 1)
+		goto failure;
+
+	switch (*data++) {
+	case FB64_IV:
+		if (cnt != sizeof(des_cblock)) {
+			if (encrypt_debug_mode)
+				printf("CFB64: initial vector failed on size\r\n");
+			state = FAILED;
+			goto failure;
+		}
+
+		if (encrypt_debug_mode)
+			printf("CFB64: initial vector received\r\n");
+
+		if (encrypt_debug_mode)
+			printf("Initializing Decrypt stream\r\n");
+
+		fb64_stream_iv(data, &fbp->streams[DIR_DECRYPT-1]);
+
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_REPLY;
+		p++;
+		*p++ = FB64_IV_OK;
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+		state = fbp->state[DIR_DECRYPT-1] = IN_PROGRESS;
+		break;
+
+	default:
+		if (encrypt_debug_mode) {
+			printf("Unknown option type: %d\r\n", *(data-1));
+			printd(data, cnt);
+			printf("\r\n");
+		}
+		/* FALL THROUGH */
+	failure:
+		/*
+		 * We failed.  Send an FB64_IV_BAD option
+		 * to the other side so it will know that
+		 * things failed.
+		 */
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_REPLY;
+		p++;
+		*p++ = FB64_IV_BAD;
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+		break;
+	}
+	return(fbp->state[DIR_DECRYPT-1] = state);
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ */
+
+int cfb64_reply(unsigned char *data, int cnt)
+{
+	return(fb64_reply(data, cnt, &fb[CFB]));
+}
+
+int ofb64_reply(unsigned char *data, int cnt)
+{
+	return(fb64_reply(data, cnt, &fb[OFB]));
+}
+
+
+int fb64_reply(unsigned char *data, int cnt, struct fb *fbp)
+{
+	int state = fbp->state[DIR_ENCRYPT-1];
+
+	if (cnt-- < 1)
+		goto failure;
+
+	switch (*data++) {
+	case FB64_IV_OK:
+		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		state &= ~NO_RECV_IV;
+		encrypt_send_keyid(DIR_ENCRYPT, (unsigned char *)"\0", 1, 1);
+		break;
+
+	case FB64_IV_BAD:
+		memset(fbp->temp_feed, 0, sizeof(des_cblock));
+		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+		state = FAILED;
+		break;
+
+	default:
+		if (encrypt_debug_mode) {
+			printf("Unknown option type: %d\r\n", data[-1]);
+			printd(data, cnt);
+			printf("\r\n");
+		}
+		/* FALL THROUGH */
+	failure:
+		state = FAILED;
+		break;
+	}
+	return(fbp->state[DIR_ENCRYPT-1] = state);
+}
+
+void cfb64_session(Session_Key *key, int server)
+{
+	fb64_session(key, server, &fb[CFB]);
+}
+
+void ofb64_session(Session_Key *key, int server)
+{
+	fb64_session(key, server, &fb[OFB]);
+}
+
+static void fb64_session(Session_Key *key, int server, struct fb *fbp)
+{
+
+	if (!key || key->type != SK_DES) {
+		if (encrypt_debug_mode)
+			printf("Can't set krbdes's session key (%d != %d)\r\n",
+				key ? key->type : -1, SK_DES);
+		return;
+	}
+	memcpy(fbp->krbdes_key, key->data, sizeof(des_cblock));
+
+	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_ENCRYPT-1]);
+	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
+
+	if (fbp->once == 0) {
+#ifndef OLD_DES_RANDOM_KEY
+		des_init_random_number_generator(&fbp->krbdes_key);
+#endif
+		fbp->once = 1;
+	}
+	des_key_sched(&fbp->krbdes_key, fbp->krbdes_sched);
+	/*
+	 * Now look to see if krbdes_start() was was waiting for
+	 * the key to show up.  If so, go ahead an call it now
+	 * that we have the key.
+	 */
+	if (fbp->need_start) {
+		fbp->need_start = 0;
+		fb64_start(fbp, DIR_ENCRYPT, server);
+	}
+}
+
+/*
+ * We only accept a keyid of 0.  If we get a keyid of
+ * 0, then mark the state as SUCCESS.
+ */
+
+int cfb64_keyid(int dir, unsigned char *kp, int *lenp)
+{
+	return(fb64_keyid(dir, kp, lenp, &fb[CFB]));
+}
+
+int ofb64_keyid(int dir, unsigned char *kp, int *lenp)
+{
+	return(fb64_keyid(dir, kp, lenp, &fb[OFB]));
+}
+
+int fb64_keyid(int dir, unsigned char *kp, int *lenp, struct fb *fbp)
+{
+	int state = fbp->state[dir-1];
+
+	if (*lenp != 1 || (*kp != '\0')) {
+		*lenp = 0;
+		return(state);
+	}
+
+	if (state == FAILED)
+		state = IN_PROGRESS;
+
+	state &= ~NO_KEYID;
+
+	return(fbp->state[dir-1] = state);
+}
+
+void fb64_printsub(unsigned char *data, int cnt, 
+		   unsigned char *buf, int buflen, char *type)
+{
+	char lbuf[32];
+	int i;
+	char *cp;
+
+	buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
+	buflen -= 1;
+
+	switch(data[2]) {
+	case FB64_IV:
+		snprintf(lbuf, sizeof(lbuf), "%s_IV", type);
+		cp = lbuf;
+		goto common;
+
+	case FB64_IV_OK:
+		snprintf(lbuf, sizeof(lbuf), "%s_IV_OK", type);
+		cp = lbuf;
+		goto common;
+
+	case FB64_IV_BAD:
+		snprintf(lbuf, sizeof(lbuf), "%s_IV_BAD", type);
+		cp = lbuf;
+		goto common;
+
+	default:
+		snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[2]);
+		cp = lbuf;
+	common:
+		for (; (buflen > 0) && (*buf = *cp++); buf++)
+			buflen--;
+		for (i = 3; i < cnt; i++) {
+			snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
+			for (cp = lbuf; (buflen > 0) && (*buf = *cp++); buf++)
+				buflen--;
+		}
+		break;
+	}
+}
+
+void cfb64_printsub(unsigned char *data, int cnt, 
+		    unsigned char *buf, int buflen)
+{
+	fb64_printsub(data, cnt, buf, buflen, "CFB64");
+}
+
+void ofb64_printsub(unsigned char *data, int cnt,
+		    unsigned char *buf, int buflen)
+{
+	fb64_printsub(data, cnt, buf, buflen, "OFB64");
+}
+
+void fb64_stream_iv(des_cblock seed, struct stinfo *stp)
+{
+
+	memcpy(stp->str_iv, seed,sizeof(des_cblock));
+	memcpy(stp->str_output, seed, sizeof(des_cblock));
+
+	des_key_sched(&stp->str_ikey, stp->str_sched);
+
+	stp->str_index = sizeof(des_cblock);
+}
+
+void fb64_stream_key(des_cblock key, struct stinfo *stp)
+{
+	memcpy(stp->str_ikey, key, sizeof(des_cblock));
+	des_key_sched((des_cblock*)key, stp->str_sched);
+
+	memcpy(stp->str_output, stp->str_iv, sizeof(des_cblock));
+
+	stp->str_index = sizeof(des_cblock);
+}
+
+/*
+ * DES 64 bit Cipher Feedback
+ *
+ *     key --->+-----+
+ *          +->| DES |--+
+ *          |  +-----+  |
+ *	    |           v
+ *  INPUT --(--------->(+)+---> DATA
+ *          |             |
+ *	    +-------------+
+ *         
+ *
+ * Given:
+ *	iV: Initial vector, 64 bits (8 bytes) long.
+ *	Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ *	On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ *	V0 = DES(iV, key)
+ *	On = Dn ^ Vn
+ *	V(n+1) = DES(On, key)
+ */
+
+void cfb64_encrypt(unsigned char *s, int c)
+{
+	struct stinfo *stp = &fb[CFB].streams[DIR_ENCRYPT-1];
+	int index;
+
+	index = stp->str_index;
+	while (c-- > 0) {
+		if (index == sizeof(des_cblock)) {
+			des_cblock b;
+			des_ecb_encrypt(&stp->str_output, &b,stp->str_sched, 1);
+			memcpy(stp->str_feed, b, sizeof(des_cblock));
+			index = 0;
+		}
+
+		/* On encryption, we store (feed ^ data) which is cypher */
+		*s = stp->str_output[index] = (stp->str_feed[index] ^ *s);
+		s++;
+		index++;
+	}
+	stp->str_index = index;
+}
+
+int cfb64_decrypt(int data)
+{
+	struct stinfo *stp = &fb[CFB].streams[DIR_DECRYPT-1];
+	int index;
+
+	if (data == -1) {
+		/*
+		 * Back up one byte.  It is assumed that we will
+		 * never back up more than one byte.  If we do, this
+		 * may or may not work.
+		 */
+		if (stp->str_index)
+			--stp->str_index;
+		return(0);
+	}
+
+	index = stp->str_index++;
+	if (index == sizeof(des_cblock)) {
+		des_cblock b;
+		des_ecb_encrypt(&stp->str_output,&b, stp->str_sched, 1);
+		memcpy(stp->str_feed, b, sizeof(des_cblock));
+		stp->str_index = 1;	/* Next time will be 1 */
+		index = 0;		/* But now use 0 */ 
+	}
+
+	/* On decryption we store (data) which is cypher. */
+	stp->str_output[index] = data;
+	return(data ^ stp->str_feed[index]);
+}
+
+/*
+ * DES 64 bit Output Feedback
+ *
+ * key --->+-----+
+ *	+->| DES |--+
+ *	|  +-----+  |
+ *	+-----------+
+ *	            v
+ *  INPUT -------->(+) ----> DATA
+ *
+ * Given:
+ *	iV: Initial vector, 64 bits (8 bytes) long.
+ *	Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ *	On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ *	V0 = DES(iV, key)
+ *	V(n+1) = DES(Vn, key)
+ *	On = Dn ^ Vn
+ */
+
+void ofb64_encrypt(unsigned char *s, int c)
+{
+	struct stinfo *stp = &fb[OFB].streams[DIR_ENCRYPT-1];
+	int index;
+
+	index = stp->str_index;
+	while (c-- > 0) {
+		if (index == sizeof(des_cblock)) {
+			des_cblock b;
+			des_ecb_encrypt(&stp->str_feed,&b, stp->str_sched, 1);
+			memcpy(stp->str_feed, b, sizeof(des_cblock));
+			index = 0;
+		}
+		*s++ ^= stp->str_feed[index];
+		index++;
+	}
+	stp->str_index = index;
+}
+
+int ofb64_decrypt(int data)
+{
+	struct stinfo *stp = &fb[OFB].streams[DIR_DECRYPT-1];
+	int index;
+
+	if (data == -1) {
+		/*
+		 * Back up one byte.  It is assumed that we will
+		 * never back up more than one byte.  If we do, this
+		 * may or may not work.
+		 */
+		if (stp->str_index)
+			--stp->str_index;
+		return(0);
+	}
+
+	index = stp->str_index++;
+	if (index == sizeof(des_cblock)) {
+		des_cblock b;
+		des_ecb_encrypt(&stp->str_feed,&b,stp->str_sched, 1);
+		memcpy(stp->str_feed, b, sizeof(des_cblock));
+		stp->str_index = 1;	/* Next time will be 1 */
+		index = 0;		/* But now use 0 */ 
+	}
+
+	return(data ^ stp->str_feed[index]);
+}
+#endif
+
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/encrypt.c b/crypto/kerberosIV/appl/telnet/libtelnet/encrypt.c
new file mode 100644
index 0000000..21f7a85
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/encrypt.c
@@ -0,0 +1,995 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#include <config.h>
+
+RCSID("$Id: encrypt.c,v 1.21 1998/07/09 23:16:25 assar Exp $");
+
+#if	defined(ENCRYPTION)
+
+#define	ENCRYPT_NAMES
+#include <arpa/telnet.h>
+
+#include "encrypt.h"
+#include "misc.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+
+/*
+ * These functions pointers point to the current routines
+ * for encrypting and decrypting data.
+ */
+void	(*encrypt_output) (unsigned char *, int);
+int	(*decrypt_input) (int);
+char	*nclearto;
+
+int encrypt_debug_mode = 0;
+static int decrypt_mode = 0;
+static int encrypt_mode = 0;
+static int encrypt_verbose = 0;
+static int autoencrypt = 0;
+static int autodecrypt = 0;
+static int havesessionkey = 0;
+static int Server = 0;
+static char *Name = "Noname";
+
+#define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
+
+static long i_support_encrypt = typemask(ENCTYPE_DES_CFB64)
+     | typemask(ENCTYPE_DES_OFB64);
+     static long i_support_decrypt = typemask(ENCTYPE_DES_CFB64)
+     | typemask(ENCTYPE_DES_OFB64);
+     static long i_wont_support_encrypt = 0;
+     static long i_wont_support_decrypt = 0;
+#define	I_SUPPORT_ENCRYPT	(i_support_encrypt & ~i_wont_support_encrypt)
+#define	I_SUPPORT_DECRYPT	(i_support_decrypt & ~i_wont_support_decrypt)
+
+     static long remote_supports_encrypt = 0;
+     static long remote_supports_decrypt = 0;
+
+     static Encryptions encryptions[] = {
+#if	defined(DES_ENCRYPTION)
+	 { "DES_CFB64",	ENCTYPE_DES_CFB64,
+	   cfb64_encrypt,	
+	   cfb64_decrypt,
+	   cfb64_init,
+	   cfb64_start,
+	   cfb64_is,
+	   cfb64_reply,
+	   cfb64_session,
+	   cfb64_keyid,
+	   cfb64_printsub },
+	 { "DES_OFB64",	ENCTYPE_DES_OFB64,
+	   ofb64_encrypt,	
+	   ofb64_decrypt,
+	   ofb64_init,
+	   ofb64_start,
+	   ofb64_is,
+	   ofb64_reply,
+	   ofb64_session,
+	   ofb64_keyid,
+	   ofb64_printsub },
+#endif
+	 { 0, },
+     };
+
+static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
+				      ENCRYPT_SUPPORT };
+static unsigned char str_suplen = 0;
+static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
+static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
+
+Encryptions *
+findencryption(int type)
+{
+    Encryptions *ep = encryptions;
+
+    if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type)))
+	return(0);
+    while (ep->type && ep->type != type)
+	++ep;
+    return(ep->type ? ep : 0);
+}
+
+Encryptions *
+finddecryption(int type)
+{
+    Encryptions *ep = encryptions;
+
+    if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type)))
+	return(0);
+    while (ep->type && ep->type != type)
+	++ep;
+    return(ep->type ? ep : 0);
+}
+
+#define	MAXKEYLEN 64
+
+static struct key_info {
+    unsigned char keyid[MAXKEYLEN];
+    int keylen;
+    int dir;
+    int *modep;
+    Encryptions *(*getcrypt)();
+} ki[2] = {
+    { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
+    { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
+};
+
+void
+encrypt_init(char *name, int server)
+{
+    Encryptions *ep = encryptions;
+
+    Name = name;
+    Server = server;
+    i_support_encrypt = i_support_decrypt = 0;
+    remote_supports_encrypt = remote_supports_decrypt = 0;
+    encrypt_mode = 0;
+    decrypt_mode = 0;
+    encrypt_output = 0;
+    decrypt_input = 0;
+#ifdef notdef
+    encrypt_verbose = !server;
+#endif
+
+    str_suplen = 4;
+
+    while (ep->type) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: I will support %s\r\n",
+		   Name, ENCTYPE_NAME(ep->type));
+	i_support_encrypt |= typemask(ep->type);
+	i_support_decrypt |= typemask(ep->type);
+	if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
+	    if ((str_send[str_suplen++] = ep->type) == IAC)
+		str_send[str_suplen++] = IAC;
+	if (ep->init)
+	    (*ep->init)(Server);
+	++ep;
+    }
+    str_send[str_suplen++] = IAC;
+    str_send[str_suplen++] = SE;
+}
+
+void
+encrypt_list_types(void)
+{
+    Encryptions *ep = encryptions;
+
+    printf("Valid encryption types:\n");
+    while (ep->type) {
+	printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
+	++ep;
+    }
+}
+
+int
+EncryptEnable(char *type, char *mode)
+{
+    if (isprefix(type, "help") || isprefix(type, "?")) {
+	printf("Usage: encrypt enable <type> [input|output]\n");
+	encrypt_list_types();
+	return(0);
+    }
+    if (EncryptType(type, mode))
+	return(EncryptStart(mode));
+    return(0);
+}
+
+int
+EncryptDisable(char *type, char *mode)
+{
+    Encryptions *ep;
+    int ret = 0;
+
+    if (isprefix(type, "help") || isprefix(type, "?")) {
+	printf("Usage: encrypt disable <type> [input|output]\n");
+	encrypt_list_types();
+    } else if ((ep = (Encryptions *)genget(type, (char**)encryptions,
+					   sizeof(Encryptions))) == 0) {
+	printf("%s: invalid encryption type\n", type);
+    } else if (Ambiguous(ep)) {
+	printf("Ambiguous type '%s'\n", type);
+    } else {
+	if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
+	    if (decrypt_mode == ep->type)
+		EncryptStopInput();
+	    i_wont_support_decrypt |= typemask(ep->type);
+	    ret = 1;
+	}
+	if ((mode == 0) || (isprefix(mode, "output"))) {
+	    if (encrypt_mode == ep->type)
+		EncryptStopOutput();
+	    i_wont_support_encrypt |= typemask(ep->type);
+	    ret = 1;
+	}
+	if (ret == 0)
+	    printf("%s: invalid encryption mode\n", mode);
+    }
+    return(ret);
+}
+
+int
+EncryptType(char *type, char *mode)
+{
+    Encryptions *ep;
+    int ret = 0;
+
+    if (isprefix(type, "help") || isprefix(type, "?")) {
+	printf("Usage: encrypt type <type> [input|output]\n");
+	encrypt_list_types();
+    } else if ((ep = (Encryptions *)genget(type, (char**)encryptions,
+					   sizeof(Encryptions))) == 0) {
+	printf("%s: invalid encryption type\n", type);
+    } else if (Ambiguous(ep)) {
+	printf("Ambiguous type '%s'\n", type);
+    } else {
+	if ((mode == 0) || isprefix(mode, "input")) {
+	    decrypt_mode = ep->type;
+	    i_wont_support_decrypt &= ~typemask(ep->type);
+	    ret = 1;
+	}
+	if ((mode == 0) || isprefix(mode, "output")) {
+	    encrypt_mode = ep->type;
+	    i_wont_support_encrypt &= ~typemask(ep->type);
+	    ret = 1;
+	}
+	if (ret == 0)
+	    printf("%s: invalid encryption mode\n", mode);
+    }
+    return(ret);
+}
+
+int
+EncryptStart(char *mode)
+{
+    int ret = 0;
+    if (mode) {
+	if (isprefix(mode, "input"))
+	    return(EncryptStartInput());
+	if (isprefix(mode, "output"))
+	    return(EncryptStartOutput());
+	if (isprefix(mode, "help") || isprefix(mode, "?")) {
+	    printf("Usage: encrypt start [input|output]\n");
+	    return(0);
+	}
+	printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
+	return(0);
+    }
+    ret += EncryptStartInput();
+    ret += EncryptStartOutput();
+    return(ret);
+}
+
+int
+EncryptStartInput(void)
+{
+    if (decrypt_mode) {
+	encrypt_send_request_start();
+	return(1);
+    }
+    printf("No previous decryption mode, decryption not enabled\r\n");
+    return(0);
+}
+
+int
+EncryptStartOutput(void)
+{
+    if (encrypt_mode) {
+	encrypt_start_output(encrypt_mode);
+	return(1);
+    }
+    printf("No previous encryption mode, encryption not enabled\r\n");
+    return(0);
+}
+
+int
+EncryptStop(char *mode)
+{
+    int ret = 0;
+    if (mode) {
+	if (isprefix(mode, "input"))
+	    return(EncryptStopInput());
+	if (isprefix(mode, "output"))
+	    return(EncryptStopOutput());
+	if (isprefix(mode, "help") || isprefix(mode, "?")) {
+	    printf("Usage: encrypt stop [input|output]\n");
+	    return(0);
+	}
+	printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
+	return(0);
+    }
+    ret += EncryptStopInput();
+    ret += EncryptStopOutput();
+    return(ret);
+}
+
+int
+EncryptStopInput(void)
+{
+    encrypt_send_request_end();
+    return(1);
+}
+
+int
+EncryptStopOutput(void)
+{
+    encrypt_send_end();
+    return(1);
+}
+
+void
+encrypt_display(void)
+{
+    printf("Autoencrypt for output is %s. Autodecrypt for input is %s.\r\n",
+	   autoencrypt?"on":"off", autodecrypt?"on":"off");
+
+    if (encrypt_output)
+	printf("Currently encrypting output with %s\r\n",
+	       ENCTYPE_NAME(encrypt_mode));
+    else
+	printf("Currently not encrypting output\r\n");
+	
+    if (decrypt_input)
+	printf("Currently decrypting input with %s\r\n",
+	       ENCTYPE_NAME(decrypt_mode));
+    else
+	printf("Currently not decrypting input\r\n");
+}
+
+int
+EncryptStatus(void)
+{
+    printf("Autoencrypt for output is %s. Autodecrypt for input is %s.\r\n",
+	   autoencrypt?"on":"off", autodecrypt?"on":"off");
+
+    if (encrypt_output)
+	printf("Currently encrypting output with %s\r\n",
+	       ENCTYPE_NAME(encrypt_mode));
+    else if (encrypt_mode) {
+	printf("Currently output is clear text.\r\n");
+	printf("Last encryption mode was %s\r\n",
+	       ENCTYPE_NAME(encrypt_mode));
+    } else
+	printf("Currently not encrypting output\r\n");
+	
+    if (decrypt_input) {
+	printf("Currently decrypting input with %s\r\n",
+	       ENCTYPE_NAME(decrypt_mode));
+    } else if (decrypt_mode) {
+	printf("Currently input is clear text.\r\n");
+	printf("Last decryption mode was %s\r\n",
+	       ENCTYPE_NAME(decrypt_mode));
+    } else
+	printf("Currently not decrypting input\r\n");
+
+    return 1;
+}
+
+void
+encrypt_send_support(void)
+{
+    if (str_suplen) {
+	/*
+	 * If the user has requested that decryption start
+	 * immediatly, then send a "REQUEST START" before
+	 * we negotiate the type.
+	 */
+	if (!Server && autodecrypt)
+	    encrypt_send_request_start();
+	telnet_net_write(str_send, str_suplen);
+	printsub('>', &str_send[2], str_suplen - 2);
+	str_suplen = 0;
+    }
+}
+
+int
+EncryptDebug(int on)
+{
+    if (on < 0)
+	encrypt_debug_mode ^= 1;
+    else
+	encrypt_debug_mode = on;
+    printf("Encryption debugging %s\r\n",
+	   encrypt_debug_mode ? "enabled" : "disabled");
+    return(1);
+}
+
+/* turn on verbose encryption, but dont keep telling the whole world
+ */
+void encrypt_verbose_quiet(int on)
+{
+    if(on < 0)
+	encrypt_verbose ^= 1;
+    else
+	encrypt_verbose = on ? 1 : 0;
+}
+
+int
+EncryptVerbose(int on)
+{
+    encrypt_verbose_quiet(on);
+    printf("Encryption %s verbose\r\n",
+	   encrypt_verbose ? "is" : "is not");
+    return(1);
+}
+
+int
+EncryptAutoEnc(int on)
+{
+    encrypt_auto(on);
+    printf("Automatic encryption of output is %s\r\n",
+	   autoencrypt ? "enabled" : "disabled");
+    return(1);
+}
+
+int
+EncryptAutoDec(int on)
+{
+    decrypt_auto(on);
+    printf("Automatic decryption of input is %s\r\n",
+	   autodecrypt ? "enabled" : "disabled");
+    return(1);
+}
+
+/* Called when we receive a WONT or a DONT ENCRYPT after we sent a DO
+   encrypt */
+void
+encrypt_not(void)
+{
+    if (encrypt_verbose)
+  	printf("[ Connection is NOT encrypted ]\r\n");
+    else
+  	printf("\r\n*** Connection not encrypted! "
+	       "Communication may be eavesdropped. ***\r\n");
+}
+
+/*
+ * Called when ENCRYPT SUPPORT is received.
+ */
+void
+encrypt_support(unsigned char *typelist, int cnt)
+{
+    int type, use_type = 0;
+    Encryptions *ep;
+
+    /*
+     * Forget anything the other side has previously told us.
+     */
+    remote_supports_decrypt = 0;
+
+    while (cnt-- > 0) {
+	type = *typelist++;
+	if (encrypt_debug_mode)
+	    printf(">>>%s: He is supporting %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME(type), type);
+	if ((type < ENCTYPE_CNT) &&
+	    (I_SUPPORT_ENCRYPT & typemask(type))) {
+	    remote_supports_decrypt |= typemask(type);
+	    if (use_type == 0)
+		use_type = type;
+	}
+    }
+    if (use_type) {
+	ep = findencryption(use_type);
+	if (!ep)
+	    return;
+	type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
+	if (encrypt_debug_mode)
+	    printf(">>>%s: (*ep->start)() returned %d\r\n",
+		   Name, type);
+	if (type < 0)
+	    return;
+	encrypt_mode = use_type;
+	if (type == 0)
+	    encrypt_start_output(use_type);
+    }
+}
+
+void
+encrypt_is(unsigned char *data, int cnt)
+{
+    Encryptions *ep;
+    int type, ret;
+
+    if (--cnt < 0)
+	return;
+    type = *data++;
+    if (type < ENCTYPE_CNT)
+	remote_supports_encrypt |= typemask(type);
+    if (!(ep = finddecryption(type))) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	return;
+    }
+    if (!ep->is) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	ret = 0;
+    } else {
+	ret = (*ep->is)(data, cnt);
+	if (encrypt_debug_mode)
+	    printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
+		   (ret < 0) ? "FAIL " :
+		   (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+    }
+    if (ret < 0) {
+	autodecrypt = 0;
+    } else {
+	decrypt_mode = type;
+	if (ret == 0 && autodecrypt)
+	    encrypt_send_request_start();
+    }
+}
+
+void
+encrypt_reply(unsigned char *data, int cnt)
+{
+    Encryptions *ep;
+    int ret, type;
+
+    if (--cnt < 0)
+	return;
+    type = *data++;
+    if (!(ep = findencryption(type))) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	return;
+    }
+    if (!ep->reply) {
+	if (encrypt_debug_mode)
+	    printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	ret = 0;
+    } else {
+	ret = (*ep->reply)(data, cnt);
+	if (encrypt_debug_mode)
+	    printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
+		   data, cnt,
+		   (ret < 0) ? "FAIL " :
+		   (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+    }
+    if (encrypt_debug_mode)
+	printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
+    if (ret < 0) {
+	autoencrypt = 0;
+    } else {
+	encrypt_mode = type;
+	if (ret == 0 && autoencrypt)
+	    encrypt_start_output(type);
+    }
+}
+
+/*
+ * Called when a ENCRYPT START command is received.
+ */
+void
+encrypt_start(unsigned char *data, int cnt)
+{
+    Encryptions *ep;
+
+    if (!decrypt_mode) {
+	/*
+	 * Something is wrong.  We should not get a START
+	 * command without having already picked our
+	 * decryption scheme.  Send a REQUEST-END to
+	 * attempt to clear the channel...
+	 */
+	printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
+	encrypt_send_request_end();
+	return;
+    }
+
+    if ((ep = finddecryption(decrypt_mode))) {
+	decrypt_input = ep->input;
+	if (encrypt_verbose)
+	    printf("[ Input is now decrypted with type %s ]\r\n",
+		   ENCTYPE_NAME(decrypt_mode));
+	if (encrypt_debug_mode)
+	    printf(">>>%s: Start to decrypt input with type %s\r\n",
+		   Name, ENCTYPE_NAME(decrypt_mode));
+    } else {
+	printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
+	       Name,
+	       ENCTYPE_NAME_OK(decrypt_mode)
+	       ? ENCTYPE_NAME(decrypt_mode)
+	       : "(unknown)",
+	       decrypt_mode);
+	encrypt_send_request_end();
+    }
+}
+
+void
+encrypt_session_key(Session_Key *key, int server)
+{
+    Encryptions *ep = encryptions;
+
+    havesessionkey = 1;
+
+    while (ep->type) {
+	if (ep->session)
+	    (*ep->session)(key, server);
+	++ep;
+    }
+}
+
+/*
+ * Called when ENCRYPT END is received.
+ */
+void
+encrypt_end(void)
+{
+    decrypt_input = 0;
+    if (encrypt_debug_mode)
+	printf(">>>%s: Input is back to clear text\r\n", Name);
+    if (encrypt_verbose)
+	printf("[ Input is now clear text ]\r\n");
+}
+
+/*
+ * Called when ENCRYPT REQUEST-END is received.
+ */
+void
+encrypt_request_end(void)
+{
+    encrypt_send_end();
+}
+
+/*
+ * Called when ENCRYPT REQUEST-START is received.  If we receive
+ * this before a type is picked, then that indicates that the
+ * other side wants us to start encrypting data as soon as we
+ * can. 
+ */
+void
+encrypt_request_start(unsigned char *data, int cnt)
+{
+    if (encrypt_mode == 0)  {
+	if (Server)
+	    autoencrypt = 1;
+	return;
+    }
+    encrypt_start_output(encrypt_mode);
+}
+
+static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
+
+static void
+encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
+{
+    Encryptions *ep;
+    int dir = kp->dir;
+    int ret = 0;
+
+    if (!(ep = (*kp->getcrypt)(*kp->modep))) {
+	if (len == 0)
+	    return;
+	kp->keylen = 0;
+    } else if (len == 0) {
+	/*
+	 * Empty option, indicates a failure.
+	 */
+	if (kp->keylen == 0)
+	    return;
+	kp->keylen = 0;
+	if (ep->keyid)
+	    (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+
+    } else if ((len != kp->keylen) || (memcmp(keyid,kp->keyid,len) != 0)) {
+	/*
+	 * Length or contents are different
+	 */
+	kp->keylen = len;
+	memcpy(kp->keyid,keyid, len);
+	if (ep->keyid)
+	    (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+    } else {
+	if (ep->keyid)
+	    ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
+	if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
+	    encrypt_start_output(*kp->modep);
+	return;
+    }
+
+    encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
+}
+
+void encrypt_enc_keyid(unsigned char *keyid, int len)
+{
+    encrypt_keyid(&ki[1], keyid, len);
+}
+
+void encrypt_dec_keyid(unsigned char *keyid, int len)
+{
+    encrypt_keyid(&ki[0], keyid, len);
+}
+
+
+void encrypt_send_keyid(int dir, unsigned char *keyid, int keylen, int saveit)
+{
+    unsigned char *strp;
+
+    str_keyid[3] = (dir == DIR_ENCRYPT)
+	? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
+    if (saveit) {
+	struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
+	memcpy(kp->keyid,keyid, keylen);
+	kp->keylen = keylen;
+    }
+
+    for (strp = &str_keyid[4]; keylen > 0; --keylen) {
+	if ((*strp++ = *keyid++) == IAC)
+	    *strp++ = IAC;
+    }
+    *strp++ = IAC;
+    *strp++ = SE;
+    telnet_net_write(str_keyid, strp - str_keyid);
+    printsub('>', &str_keyid[2], strp - str_keyid - 2);
+}
+
+void
+encrypt_auto(int on)
+{
+    if (on < 0)
+	autoencrypt ^= 1;
+    else
+	autoencrypt = on ? 1 : 0;
+}
+
+void
+decrypt_auto(int on)
+{
+    if (on < 0)
+	autodecrypt ^= 1;
+    else
+	autodecrypt = on ? 1 : 0;
+}
+
+void
+encrypt_start_output(int type)
+{
+    Encryptions *ep;
+    unsigned char *p;
+    int i;
+
+    if (!(ep = findencryption(type))) {
+	if (encrypt_debug_mode) {
+	    printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
+		   Name,
+		   ENCTYPE_NAME_OK(type)
+		   ? ENCTYPE_NAME(type) : "(unknown)",
+		   type);
+	}
+	return;
+    }
+    if (ep->start) {
+	i = (*ep->start)(DIR_ENCRYPT, Server);
+	if (encrypt_debug_mode) {
+	    printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
+		   Name, 
+		   (i < 0) ? "failed" :
+		   "initial negotiation in progress",
+		   i, ENCTYPE_NAME(type));
+	}
+	if (i)
+	    return;
+    }
+    p = str_start + 3;
+    *p++ = ENCRYPT_START;
+    for (i = 0; i < ki[0].keylen; ++i) {
+	if ((*p++ = ki[0].keyid[i]) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    telnet_net_write(str_start, p - str_start);
+    net_encrypt();
+    printsub('>', &str_start[2], p - &str_start[2]);
+    /*
+     * If we are already encrypting in some mode, then
+     * encrypt the ring (which includes our request) in
+     * the old mode, mark it all as "clear text" and then
+     * switch to the new mode.
+     */
+    encrypt_output = ep->output;
+    encrypt_mode = type;
+    if (encrypt_debug_mode)
+	printf(">>>%s: Started to encrypt output with type %s\r\n",
+	       Name, ENCTYPE_NAME(type));
+    if (encrypt_verbose)
+	printf("[ Output is now encrypted with type %s ]\r\n",
+	       ENCTYPE_NAME(type));
+}
+
+void
+encrypt_send_end(void)
+{
+    if (!encrypt_output)
+	return;
+
+    str_end[3] = ENCRYPT_END;
+    telnet_net_write(str_end, sizeof(str_end));
+    net_encrypt();
+    printsub('>', &str_end[2], sizeof(str_end) - 2);
+    /*
+     * Encrypt the output buffer now because it will not be done by
+     * netflush...
+     */
+    encrypt_output = 0;
+    if (encrypt_debug_mode)
+	printf(">>>%s: Output is back to clear text\r\n", Name);
+    if (encrypt_verbose)
+	printf("[ Output is now clear text ]\r\n");
+}
+
+void
+encrypt_send_request_start(void)
+{
+    unsigned char *p;
+    int i;
+
+    p = &str_start[3];
+    *p++ = ENCRYPT_REQSTART;
+    for (i = 0; i < ki[1].keylen; ++i) {
+	if ((*p++ = ki[1].keyid[i]) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    telnet_net_write(str_start, p - str_start);
+    printsub('>', &str_start[2], p - &str_start[2]);
+    if (encrypt_debug_mode)
+	printf(">>>%s: Request input to be encrypted\r\n", Name);
+}
+
+void
+encrypt_send_request_end(void)
+{
+    str_end[3] = ENCRYPT_REQEND;
+    telnet_net_write(str_end, sizeof(str_end));
+    printsub('>', &str_end[2], sizeof(str_end) - 2);
+
+    if (encrypt_debug_mode)
+	printf(">>>%s: Request input to be clear text\r\n", Name);
+}
+
+
+void encrypt_wait(void)
+{
+    if (encrypt_debug_mode)
+	printf(">>>%s: in encrypt_wait\r\n", Name);
+    if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
+	return;
+    while (autoencrypt && !encrypt_output)
+	if (telnet_spin())
+	    return;
+}
+
+int
+encrypt_delay(void)
+{
+    if(!havesessionkey ||
+       (I_SUPPORT_ENCRYPT & remote_supports_decrypt) == 0 ||
+       (I_SUPPORT_DECRYPT & remote_supports_encrypt) == 0)
+	return 0;
+    if(!(encrypt_output && decrypt_input))
+	return 1;
+    return 0;
+}
+
+void
+encrypt_debug(int mode)
+{
+    encrypt_debug_mode = mode;
+}
+
+void encrypt_gen_printsub(unsigned char *data, int cnt, 
+			  unsigned char *buf, int buflen)
+{
+    char tbuf[16], *cp;
+
+    cnt -= 2;
+    data += 2;
+    buf[buflen-1] = '\0';
+    buf[buflen-2] = '*';
+    buflen -= 2;;
+    for (; cnt > 0; cnt--, data++) {
+	snprintf(tbuf, sizeof(tbuf), " %d", *data);
+	for (cp = tbuf; *cp && buflen > 0; --buflen)
+	    *buf++ = *cp++;
+	if (buflen <= 0)
+	    return;
+    }
+    *buf = '\0';
+}
+
+void
+encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    Encryptions *ep;
+    int type = data[1];
+
+    for (ep = encryptions; ep->type && ep->type != type; ep++)
+	;
+
+    if (ep->printsub)
+	(*ep->printsub)(data, cnt, buf, buflen);
+    else
+	encrypt_gen_printsub(data, cnt, buf, buflen);
+}
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/encrypt.h b/crypto/kerberosIV/appl/telnet/libtelnet/encrypt.h
new file mode 100644
index 0000000..5919db5
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/encrypt.h
@@ -0,0 +1,98 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)encrypt.h	8.1 (Berkeley) 6/4/93
+ *
+ *	@(#)encrypt.h	5.2 (Berkeley) 3/22/91
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: encrypt.h,v 1.4 1997/01/24 23:10:56 assar Exp $ */
+
+#ifndef	__ENCRYPT__
+#define	__ENCRYPT__
+
+#define	DIR_DECRYPT		1
+#define	DIR_ENCRYPT		2
+
+#define	VALIDKEY(key)	( key[0] | key[1] | key[2] | key[3] | \
+			  key[4] | key[5] | key[6] | key[7])
+
+#define	SAMEKEY(k1, k2)	(!memcmp(k1, k2, sizeof(des_cblock)))
+
+typedef	struct {
+	short		type;
+	int		length;
+	unsigned char	*data;
+} Session_Key;
+
+typedef struct {
+	char	*name;
+	int	type;
+	void	(*output) (unsigned char *, int);
+	int	(*input) (int);
+	void	(*init) (int);
+	int	(*start) (int, int);
+	int	(*is) (unsigned char *, int);
+	int	(*reply) (unsigned char *, int);
+	void	(*session) (Session_Key *, int);
+	int	(*keyid) (int, unsigned char *, int *);
+	void	(*printsub) (unsigned char *, int, unsigned char *, int);
+} Encryptions;
+
+#define	SK_DES		1	/* Matched Kerberos v5 KEYTYPE_DES */
+
+#include "enc-proto.h"
+
+extern int encrypt_debug_mode;
+extern int (*decrypt_input) (int);
+extern void (*encrypt_output) (unsigned char *, int);
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/genget.c b/crypto/kerberosIV/appl/telnet/libtelnet/genget.c
new file mode 100644
index 0000000..c17a7bd
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/genget.c
@@ -0,0 +1,103 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+#include "misc-proto.h"
+
+RCSID("$Id: genget.c,v 1.6 1997/05/04 09:01:34 assar Exp $");
+
+#include <ctype.h>
+
+#define	LOWER(x) (isupper(x) ? tolower(x) : (x))
+/*
+ * The prefix function returns 0 if *s1 is not a prefix
+ * of *s2.  If *s1 exactly matches *s2, the negative of
+ * the length is returned.  If *s1 is a prefix of *s2,
+ * the length of *s1 is returned.
+ */
+
+int
+isprefix(char *s1, char *s2)
+{
+    char *os1;
+    char c1, c2;
+
+    if (*s1 == '\0')
+	return(-1);
+    os1 = s1;
+    c1 = *s1;
+    c2 = *s2;
+    while (LOWER(c1) == LOWER(c2)) {
+	if (c1 == '\0')
+	    break;
+	c1 = *++s1;
+	c2 = *++s2;
+    }
+    return(*s1 ? 0 : (*s2 ? (s1 - os1) : (os1 - s1)));
+}
+
+static char *ambiguous;		/* special return value for command routines */
+
+char **
+genget(char *name, char **table, int stlen)
+     /* name to match */
+     /* name entry in table */
+	   	      
+{
+    char **c, **found;
+    int n;
+
+    if (name == 0)
+	return 0;
+
+    found = 0;
+    for (c = table; *c != 0; c = (char **)((char *)c + stlen)) {
+	if ((n = isprefix(name, *c)) == 0)
+	    continue;
+	if (n < 0)		/* exact match */
+	    return(c);
+	if (found)
+	    return(&ambiguous);
+	found = c;
+    }
+    return(found);
+}
+
+/*
+ * Function call version of Ambiguous()
+ */
+int
+Ambiguous(void *s)
+{
+    return((char **)s == &ambiguous);
+}
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/kerberos.c b/crypto/kerberosIV/appl/telnet/libtelnet/kerberos.c
new file mode 100644
index 0000000..9037ac6
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/kerberos.c
@@ -0,0 +1,718 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: kerberos.c,v 1.46 1999/09/16 20:41:33 assar Exp $");
+
+#ifdef	KRB4
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <stdio.h>
+#include <openssl/des.h>	/* BSD wont include this in krb.h, so we do it here */
+#include <krb.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int kerberos4_cksum (unsigned char *, int);
+extern int auth_debug_mode;
+
+static unsigned char str_data[2048] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KERBEROS_V4, };
+
+#define	KRB_AUTH	0		/* Authentication data follows */
+#define	KRB_REJECT	1		/* Rejected (reason might follow) */
+#define	KRB_ACCEPT	2		/* Accepted */
+#define	KRB_CHALLENGE	3		/* Challenge for mutual auth. */
+#define	KRB_RESPONSE	4		/* Response for mutual auth. */
+
+#define KRB_FORWARD		5	/* */
+#define KRB_FORWARD_ACCEPT	6	/* */
+#define KRB_FORWARD_REJECT	7	/* */
+
+#define KRB_SERVICE_NAME   "rcmd"
+
+static	KTEXT_ST auth;
+static	char name[ANAME_SZ];
+static	AUTH_DAT adat;
+static des_cblock session_key;
+static des_cblock cred_session;
+static des_key_schedule sched;
+static des_cblock challenge;
+static int auth_done; /* XXX */
+
+static int pack_cred(CREDENTIALS *cred, unsigned char *buf);
+static int unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred);
+
+
+static int
+Data(Authenticator *ap, int type, const void *d, int c)
+{
+    unsigned char *p = str_data + 4;
+    const unsigned char *cd = (const unsigned char *)d;
+
+    if (c == -1)
+	c = strlen((const char *)cd);
+
+    if (auth_debug_mode) {
+	printf("%s:%d: [%d] (%d)",
+	       str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+	       str_data[3],
+	       type, c);
+	printd(d, c);
+	printf("\r\n");
+    }
+    *p++ = ap->type;
+    *p++ = ap->way;
+    *p++ = type;
+    while (c-- > 0) {
+	if ((*p++ = *cd++) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    if (str_data[3] == TELQUAL_IS)
+	printsub('>', &str_data[2], p - (&str_data[2]));
+    return(telnet_net_write(str_data, p - str_data));
+}
+
+int
+kerberos4_init(Authenticator *ap, int server)
+{
+    FILE *fp;
+
+    if (server) {
+	str_data[3] = TELQUAL_REPLY;
+	if ((fp = fopen(KEYFILE, "r")) == NULL)
+	    return(0);
+	fclose(fp);
+    } else {
+	str_data[3] = TELQUAL_IS;
+    }
+    return(1);
+}
+
+char dst_realm_buf[REALM_SZ], *dest_realm = NULL;
+int dst_realm_sz = REALM_SZ;
+
+static int
+kerberos4_send(char *name, Authenticator *ap)
+{
+    KTEXT_ST auth;
+    char instance[INST_SZ];
+    char *realm;
+    CREDENTIALS cred;
+    int r;
+
+    printf("[ Trying %s ... ]\r\n", name);
+    if (!UserNameRequested) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V4: no user name supplied\r\n");
+	}
+	return(0);
+    }
+
+    memset(instance, 0, sizeof(instance));
+
+    strlcpy (instance,
+		     krb_get_phost(RemoteHostName),
+		     INST_SZ);
+
+    realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
+
+    if (!realm) {
+	printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
+	return(0);
+    }
+    r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L);
+    if (r) {
+	printf("mk_req failed: %s\r\n", krb_get_err_text(r));
+	return(0);
+    }
+    r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred);
+    if (r) {
+	printf("get_cred failed: %s\r\n", krb_get_err_text(r));
+	return(0);
+    }
+    if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+	if (auth_debug_mode)
+	    printf("Not enough room for user name\r\n");
+	return(0);
+    }
+    if (auth_debug_mode)
+	printf("Sent %d bytes of authentication data\r\n", auth.length);
+    if (!Data(ap, KRB_AUTH, (void *)auth.dat, auth.length)) {
+	if (auth_debug_mode)
+	    printf("Not enough room for authentication data\r\n");
+	return(0);
+    }
+#ifdef ENCRYPTION
+    /* create challenge */
+    if ((ap->way & AUTH_HOW_MASK)==AUTH_HOW_MUTUAL) {
+	int i;
+
+	des_key_sched(&cred.session, sched);
+	memcpy (&cred_session, &cred.session, sizeof(cred_session));
+	des_init_random_number_generator(&cred.session);
+	des_new_random_key(&session_key);
+	des_ecb_encrypt(&session_key, &session_key, sched, 0);
+	des_ecb_encrypt(&session_key, &challenge, sched, 0);
+
+	/*
+	  old code
+	  Some CERT Advisory thinks this is a bad thing...
+	    
+	  des_init_random_number_generator(&cred.session);
+	  des_new_random_key(&challenge);
+	  des_ecb_encrypt(&challenge, &session_key, sched, 1);
+	  */
+	  
+	/*
+	 * Increment the challenge by 1, and encrypt it for
+	 * later comparison.
+	 */
+	for (i = 7; i >= 0; --i) 
+	    if(++challenge[i] != 0) /* No carry! */
+		break;
+	des_ecb_encrypt(&challenge, &challenge, sched, 1);
+    }
+
+#endif
+
+    if (auth_debug_mode) {
+	printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+	printd(auth.dat, auth.length);
+	printf("\r\n");
+	printf("Sent Kerberos V4 credentials to server\r\n");
+    }
+    return(1);
+}
+int
+kerberos4_send_mutual(Authenticator *ap)
+{
+    return kerberos4_send("mutual KERBEROS4", ap);
+}
+
+int
+kerberos4_send_oneway(Authenticator *ap)
+{
+    return kerberos4_send("KERBEROS4", ap);
+}
+
+void
+kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
+{
+    struct sockaddr_in addr;
+    char realm[REALM_SZ];
+    char instance[INST_SZ];
+    int r;
+    int addr_len;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_AUTH:
+	if (krb_get_lrealm(realm, 1) != KSUCCESS) {
+	    Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("No local realm\r\n");
+	    return;
+	}
+	memmove(auth.dat, data, auth.length = cnt);
+	if (auth_debug_mode) {
+	    printf("Got %d bytes of authentication data\r\n", cnt);
+	    printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+	    printd(auth.dat, auth.length);
+	    printf("\r\n");
+	}
+	k_getsockinst(0, instance, sizeof(instance));
+	addr_len = sizeof(addr);
+	if(getpeername(0, (struct sockaddr *)&addr, &addr_len) < 0) {
+	    if(auth_debug_mode)
+		printf("getpeername failed\r\n");
+	    Data(ap, KRB_REJECT, "getpeername failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    return;
+	}
+	if (addr.sin_family != AF_INET) {
+	    if (auth_debug_mode)
+		printf("unknown address family: %d\r\n", addr.sin_family);
+	    Data(ap, KRB_REJECT, "bad address family", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    return;
+	}
+
+	r = krb_rd_req(&auth, KRB_SERVICE_NAME,
+		       instance, addr.sin_addr.s_addr, &adat, "");
+	if (r) {
+	    if (auth_debug_mode)
+		printf("Kerberos failed him as %s\r\n", name);
+	    Data(ap, KRB_REJECT, (void *)krb_get_err_text(r), -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    return;
+	}
+	/* save the session key */
+	memmove(session_key, adat.session, sizeof(adat.session));
+	krb_kntoln(&adat, name);
+
+	if (UserNameRequested && !kuserok(&adat, UserNameRequested)){
+	    char ts[MaxPathLen];
+	    struct passwd *pw = getpwnam(UserNameRequested);
+
+	    if(pw){
+		snprintf(ts, sizeof(ts),
+			 "%s%u",
+			 TKT_ROOT,
+			 (unsigned)pw->pw_uid);
+		setenv("KRBTKFILE", ts, 1);
+
+		if (pw->pw_uid == 0)
+		    syslog(LOG_INFO|LOG_AUTH,
+			   "ROOT Kerberos login from %s on %s\n",
+			   krb_unparse_name_long(adat.pname,
+						 adat.pinst,
+						 adat.prealm),
+			   RemoteHostName);
+	    }
+	    Data(ap, KRB_ACCEPT, NULL, 0);
+	} else {
+	    char *msg;
+
+	    asprintf (&msg, "user `%s' is not authorized to "
+		      "login as `%s'", 
+		      krb_unparse_name_long(adat.pname, 
+					    adat.pinst, 
+					    adat.prealm), 
+		      UserNameRequested ? UserNameRequested : "<nobody>");
+	    if (msg == NULL)
+		Data(ap, KRB_REJECT, NULL, 0);
+	    else {
+		Data(ap, KRB_REJECT, (void *)msg, -1);
+		free(msg);
+	    }
+	}
+	auth_finished(ap, AUTH_USER);
+	break;
+	
+    case KRB_CHALLENGE:
+#ifndef ENCRYPTION
+	Data(ap, KRB_RESPONSE, NULL, 0);
+#else
+	if(!VALIDKEY(session_key)){
+	    Data(ap, KRB_RESPONSE, NULL, 0);
+	    break;
+	}
+	des_key_sched(&session_key, sched);
+	{
+	    des_cblock d_block;
+	    int i;
+	    Session_Key skey;
+
+	    memmove(d_block, data, sizeof(d_block));
+
+	    /* make a session key for encryption */
+	    des_ecb_encrypt(&d_block, &session_key, sched, 1);
+	    skey.type=SK_DES;
+	    skey.length=8;
+	    skey.data=session_key;
+	    encrypt_session_key(&skey, 1);
+
+	    /* decrypt challenge, add one and encrypt it */
+	    des_ecb_encrypt(&d_block, &challenge, sched, 0);
+	    for (i = 7; i >= 0; i--)
+		if(++challenge[i] != 0)
+		    break;
+	    des_ecb_encrypt(&challenge, &challenge, sched, 1);
+	    Data(ap, KRB_RESPONSE, (void *)challenge, sizeof(challenge));
+	}
+#endif
+	break;
+
+    case KRB_FORWARD:
+	{
+	    des_key_schedule ks;
+	    unsigned char netcred[sizeof(CREDENTIALS)];
+	    CREDENTIALS cred;
+	    int ret;
+	    if(cnt > sizeof(cred))
+		abort();
+
+	    memcpy (session_key, adat.session, sizeof(session_key));
+	    des_set_key(&session_key, ks);
+	    des_pcbc_encrypt((void*)data, (void*)netcred, cnt, 
+			     ks, &session_key, DES_DECRYPT);
+	    unpack_cred(netcred, cnt, &cred);
+	    {
+		if(strcmp(cred.service, KRB_TICKET_GRANTING_TICKET) ||
+		   strncmp(cred.instance, cred.realm, sizeof(cred.instance)) ||
+		   cred.lifetime < 0 || cred.lifetime > 255 ||
+		   cred.kvno < 0 || cred.kvno > 255 ||
+		   cred.issue_date < 0 || 
+		   cred.issue_date > time(0) + CLOCK_SKEW ||
+		   strncmp(cred.pname, adat.pname, sizeof(cred.pname)) ||
+		   strncmp(cred.pinst, adat.pinst, sizeof(cred.pinst))){
+		    Data(ap, KRB_FORWARD_REJECT, "Bad credentials", -1);
+		}else{
+		    if((ret = tf_setup(&cred,
+				       cred.pname,
+				       cred.pinst)) == KSUCCESS){
+		        struct passwd *pw = getpwnam(UserNameRequested);
+
+			if (pw)
+			  chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+			Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+		    } else{
+			Data(ap, KRB_FORWARD_REJECT, 
+			     krb_get_err_text(ret), -1);
+		    }
+		}
+	    }
+	    memset(data, 0, cnt);
+	    memset(ks, 0, sizeof(ks));
+	    memset(&cred, 0, sizeof(cred));
+	}
+	
+	break;
+
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	Data(ap, KRB_REJECT, 0, 0);
+	break;
+    }
+}
+
+void
+kerberos4_reply(Authenticator *ap, unsigned char *data, int cnt)
+{
+    Session_Key skey;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_REJECT:
+	if(auth_done){ /* XXX Ick! */
+	    printf("[ Kerberos V4 received unknown opcode ]\r\n");
+	}else{
+	    printf("[ Kerberos V4 refuses authentication ");
+	    if (cnt > 0) 
+		printf("because %.*s ", cnt, data);
+	    printf("]\r\n");
+	    auth_send_retry();
+	}
+	return;
+    case KRB_ACCEPT:
+	printf("[ Kerberos V4 accepts you ]\r\n");
+	auth_done = 1;
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+	    /*
+	     * Send over the encrypted challenge.
+	     */
+	    Data(ap, KRB_CHALLENGE, session_key, 
+		 sizeof(session_key));
+	    des_ecb_encrypt(&session_key, &session_key, sched, 1);
+	    skey.type = SK_DES;
+	    skey.length = 8;
+	    skey.data = session_key;
+	    encrypt_session_key(&skey, 0);
+#if 0
+	    kerberos4_forward(ap, &cred_session);
+#endif
+	    return;
+	}
+	auth_finished(ap, AUTH_USER);
+	return;
+    case KRB_RESPONSE:
+	/* make sure the response is correct */
+	if ((cnt != sizeof(des_cblock)) ||
+	    (memcmp(data, challenge, sizeof(challenge)))){
+	    printf("[ Kerberos V4 challenge failed!!! ]\r\n");
+	    auth_send_retry();
+	    return;
+	}
+	printf("[ Kerberos V4 challenge successful ]\r\n");
+	auth_finished(ap, AUTH_USER);
+	break;
+    case KRB_FORWARD_ACCEPT:
+	printf("[ Kerberos V4 accepted forwarded credentials ]\r\n");
+	break;
+    case KRB_FORWARD_REJECT:
+	printf("[ Kerberos V4 rejected forwarded credentials: `%.*s']\r\n",
+	       cnt, data);
+	break;
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	return;
+    }
+}
+
+int
+kerberos4_status(Authenticator *ap, char *name, size_t name_sz, int level)
+{
+    if (level < AUTH_USER)
+	return(level);
+
+    if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
+	strlcpy(name, UserNameRequested, name_sz);
+	return(AUTH_VALID);
+    } else
+	return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+void
+kerberos4_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    int i;
+
+    buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+    buflen -= 1;
+
+    switch(data[3]) {
+    case KRB_REJECT:		/* Rejected (reason might follow) */
+	strlcpy((char *)buf, " REJECT ", buflen);
+	goto common;
+
+    case KRB_ACCEPT:		/* Accepted (name might follow) */
+	strlcpy((char *)buf, " ACCEPT ", buflen);
+    common:
+	BUMP(buf, buflen);
+	if (cnt <= 4)
+	    break;
+	ADDC(buf, buflen, '"');
+	for (i = 4; i < cnt; i++)
+	    ADDC(buf, buflen, data[i]);
+	ADDC(buf, buflen, '"');
+	ADDC(buf, buflen, '\0');
+	break;
+
+    case KRB_AUTH:			/* Authentication data follows */
+	strlcpy((char *)buf, " AUTH", buflen);
+	goto common2;
+
+    case KRB_CHALLENGE:
+	strlcpy((char *)buf, " CHALLENGE", buflen);
+	goto common2;
+
+    case KRB_RESPONSE:
+	strlcpy((char *)buf, " RESPONSE", buflen);
+	goto common2;
+
+    default:
+	snprintf(buf, buflen, " %d (unknown)", data[3]);
+    common2:
+	BUMP(buf, buflen);
+	for (i = 4; i < cnt; i++) {
+	    snprintf(buf, buflen, " %d", data[i]);
+	    BUMP(buf, buflen);
+	}
+	break;
+    }
+}
+
+int
+kerberos4_cksum(unsigned char *d, int n)
+{
+    int ck = 0;
+
+    /*
+     * A comment is probably needed here for those not
+     * well versed in the "C" language.  Yes, this is
+     * supposed to be a "switch" with the body of the
+     * "switch" being a "while" statement.  The whole
+     * purpose of the switch is to allow us to jump into
+     * the middle of the while() loop, and then not have
+     * to do any more switch()s.
+     *
+     * Some compilers will spit out a warning message
+     * about the loop not being entered at the top.
+     */
+    switch (n&03)
+	while (n > 0) {
+	case 0:
+	    ck ^= (int)*d++ << 24;
+	    --n;
+	case 3:
+	    ck ^= (int)*d++ << 16;
+	    --n;
+	case 2:
+	    ck ^= (int)*d++ << 8;
+	    --n;
+	case 1:
+	    ck ^= (int)*d++;
+	    --n;
+	}
+    return(ck);
+}
+
+static int
+pack_cred(CREDENTIALS *cred, unsigned char *buf)
+{
+    unsigned char *p = buf;
+    
+    memcpy (p, cred->service, ANAME_SZ);
+    p += ANAME_SZ;
+    memcpy (p, cred->instance, INST_SZ);
+    p += INST_SZ;
+    memcpy (p, cred->realm, REALM_SZ);
+    p += REALM_SZ;
+    memcpy(p, cred->session, 8);
+    p += 8;
+    p += KRB_PUT_INT(cred->lifetime, p, 4, 4);
+    p += KRB_PUT_INT(cred->kvno, p, 4, 4);
+    p += KRB_PUT_INT(cred->ticket_st.length, p, 4, 4);
+    memcpy(p, cred->ticket_st.dat, cred->ticket_st.length);
+    p += cred->ticket_st.length;
+    p += KRB_PUT_INT(0, p, 4, 4);
+    p += KRB_PUT_INT(cred->issue_date, p, 4, 4);
+    memcpy (p, cred->pname, ANAME_SZ);
+    p += ANAME_SZ;
+    memcpy (p, cred->pinst, INST_SZ);
+    p += INST_SZ;
+    return p - buf;
+}
+
+static int
+unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred)
+{
+    unsigned char *p = buf;
+    u_int32_t tmp;
+
+    strncpy (cred->service, p, ANAME_SZ);
+    cred->service[ANAME_SZ - 1] = '\0';
+    p += ANAME_SZ;
+    strncpy (cred->instance, p, INST_SZ);
+    cred->instance[INST_SZ - 1] = '\0';
+    p += INST_SZ;
+    strncpy (cred->realm, p, REALM_SZ);
+    cred->realm[REALM_SZ - 1] = '\0';
+    p += REALM_SZ;
+
+    memcpy(cred->session, p, 8);
+    p += 8;
+    p += krb_get_int(p, &tmp, 4, 0);
+    cred->lifetime = tmp;
+    p += krb_get_int(p, &tmp, 4, 0);
+    cred->kvno = tmp;
+
+    p += krb_get_int(p, &cred->ticket_st.length, 4, 0);
+    memcpy(cred->ticket_st.dat, p, cred->ticket_st.length);
+    p += cred->ticket_st.length;
+    p += krb_get_int(p, &tmp, 4, 0);
+    cred->ticket_st.mbz = 0;
+    p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, 0);
+
+    strncpy (cred->pname, p, ANAME_SZ);
+    cred->pname[ANAME_SZ - 1] = '\0';
+    p += ANAME_SZ;
+    strncpy (cred->pinst, p, INST_SZ);
+    cred->pinst[INST_SZ - 1] = '\0';
+    p += INST_SZ;
+    return 0;
+}
+
+
+int
+kerberos4_forward(Authenticator *ap, void *v)
+{
+    des_cblock *key = (des_cblock *)v;
+    CREDENTIALS cred;
+    char *realm;
+    des_key_schedule ks;
+    int len;
+    unsigned char netcred[sizeof(CREDENTIALS)];
+    int ret;
+
+    realm = krb_realmofhost(RemoteHostName);
+    if(realm == NULL)
+	return -1;
+    memset(&cred, 0, sizeof(cred));
+    ret = krb_get_cred(KRB_TICKET_GRANTING_TICKET,
+		       realm,
+		       realm, 
+		       &cred);
+    if(ret)
+	return ret;
+    des_set_key(key, ks);
+    len = pack_cred(&cred, netcred);
+    des_pcbc_encrypt((void*)netcred, (void*)netcred, len,
+		     ks, key, DES_ENCRYPT);
+    memset(ks, 0, sizeof(ks));
+    Data(ap, KRB_FORWARD, netcred, len);
+    memset(netcred, 0, sizeof(netcred));
+    return 0;
+}
+
+#endif /* KRB4 */
+
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/kerberos5.c b/crypto/kerberosIV/appl/telnet/libtelnet/kerberos5.c
new file mode 100644
index 0000000..3e6abbb
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/kerberos5.c
@@ -0,0 +1,734 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include <config.h>
+
+RCSID("$Id: kerberos5.c,v 1.38 1999/09/16 20:41:33 assar Exp $");
+
+#ifdef	KRB5
+
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <pwd.h>
+#define Authenticator k5_Authenticator
+#include <krb5.h>
+#undef Authenticator
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */
+
+/* These values need to be the same as those defined in telnet/main.c. */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS	0x00000002
+#define OPTS_FORWARDABLE_CREDS	0x00000001
+
+void kerberos5_forward (Authenticator *);
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KERBEROS_V5, };
+
+#define	KRB_AUTH		0	/* Authentication data follows */
+#define	KRB_REJECT		1	/* Rejected (reason might follow) */
+#define	KRB_ACCEPT		2	/* Accepted */
+#define	KRB_RESPONSE		3	/* Response for mutual auth. */
+
+#define KRB_FORWARD     	4       /* Forwarded credentials follow */
+#define KRB_FORWARD_ACCEPT     	5       /* Forwarded credentials accepted */
+#define KRB_FORWARD_REJECT     	6       /* Forwarded credentials rejected */
+
+static	krb5_data auth;
+static  krb5_ticket *ticket;
+
+static krb5_context context;
+static krb5_auth_context auth_context;
+
+static int
+Data(Authenticator *ap, int type, void *d, int c)
+{
+    unsigned char *p = str_data + 4;
+    unsigned char *cd = (unsigned char *)d;
+
+    if (c == -1)
+	c = strlen(cd);
+
+    if (auth_debug_mode) {
+	printf("%s:%d: [%d] (%d)",
+	       str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+	       str_data[3],
+	       type, c);
+	printd(d, c);
+	printf("\r\n");
+    }
+    *p++ = ap->type;
+    *p++ = ap->way;
+    *p++ = type;
+    while (c-- > 0) {
+	if ((*p++ = *cd++) == IAC)
+	    *p++ = IAC;
+    }
+    *p++ = IAC;
+    *p++ = SE;
+    if (str_data[3] == TELQUAL_IS)
+	printsub('>', &str_data[2], p - &str_data[2]);
+    return(telnet_net_write(str_data, p - str_data));
+}
+
+int
+kerberos5_init(Authenticator *ap, int server)
+{
+    if (server)
+	str_data[3] = TELQUAL_REPLY;
+    else
+	str_data[3] = TELQUAL_IS;
+    krb5_init_context(&context);
+    return(1);
+}
+
+static int
+kerberos5_send(char *name, Authenticator *ap)
+{
+    krb5_error_code ret;
+    krb5_ccache ccache;
+    int ap_opts;
+    krb5_data cksum_data;
+    char foo[2];
+    extern int net;
+    
+    printf("[ Trying %s ... ]\r\n", name);
+    if (!UserNameRequested) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V5: no user name supplied\r\n");
+	}
+	return(0);
+    }
+    
+    ret = krb5_cc_default(context, &ccache);
+    if (ret) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V5: could not get default ccache: %s\r\n",
+		   krb5_get_err_text (context, ret));
+	}
+	return 0;
+    }
+	
+    if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
+	ap_opts = AP_OPTS_MUTUAL_REQUIRED;
+    else
+	ap_opts = 0;
+    
+    ret = krb5_auth_con_init (context, &auth_context);
+    if (ret) {
+	if (auth_debug_mode) {
+	    printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
+		   krb5_get_err_text(context, ret));
+	}
+	return(0);
+    }
+
+    ret = krb5_auth_con_setaddrs_from_fd (context,
+					  auth_context,
+					  &net);
+    if (ret) {
+	if (auth_debug_mode) {
+	    printf ("Kerberos V5:"
+		    " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
+		    krb5_get_err_text(context, ret));
+	}
+	return(0);
+    }
+
+    krb5_auth_setkeytype (context, auth_context, KEYTYPE_DES);
+
+    foo[0] = ap->type;
+    foo[1] = ap->way;
+
+    cksum_data.length = sizeof(foo);
+    cksum_data.data   = foo;
+    ret = krb5_mk_req(context, &auth_context, ap_opts,
+		      "host", RemoteHostName, 
+		      &cksum_data, ccache, &auth);
+
+    if (ret) {
+	if (1 || auth_debug_mode) {
+	    printf("Kerberos V5: mk_req failed (%s)\r\n",
+		   krb5_get_err_text(context, ret));
+	}
+	return(0);
+    }
+
+    if (!auth_sendname((unsigned char *)UserNameRequested,
+		       strlen(UserNameRequested))) {
+	if (auth_debug_mode)
+	    printf("Not enough room for user name\r\n");
+	return(0);
+    }
+    if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
+	if (auth_debug_mode)
+	    printf("Not enough room for authentication data\r\n");
+	return(0);
+    }
+    if (auth_debug_mode) {
+	printf("Sent Kerberos V5 credentials to server\r\n");
+    }
+    return(1);
+}
+
+int
+kerberos5_send_mutual(Authenticator *ap)
+{
+    return kerberos5_send("mutual KERBEROS5", ap);
+}
+
+int
+kerberos5_send_oneway(Authenticator *ap)
+{
+    return kerberos5_send("KERBEROS5", ap);
+}
+
+void
+kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
+{
+    krb5_error_code ret;
+    krb5_data outbuf;
+    krb5_keyblock *key_block;
+    char *name;
+    krb5_principal server;
+    int zero = 0;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_AUTH:
+	auth.data = (char *)data;
+	auth.length = cnt;
+
+	auth_context = NULL;
+
+	ret = krb5_auth_con_init (context, &auth_context);
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	ret = krb5_auth_con_setaddrs_from_fd (context,
+					      auth_context,
+					      &zero);
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: "
+		       "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	ret = krb5_sock_to_principal (context,
+				      0,
+				      "host",
+				      KRB5_NT_SRV_HST,
+				      &server);
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: "
+		       "krb5_sock_to_principal failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	ret = krb5_rd_req(context,
+			  &auth_context,
+			  &auth, 
+			  server,
+			  NULL,
+			  NULL,
+			  &ticket);
+	krb5_free_principal (context, server);
+
+	if (ret) {
+	    char *errbuf;
+
+	    asprintf(&errbuf,
+		     "Read req failed: %s",
+		     krb5_get_err_text(context, ret));
+	    Data(ap, KRB_REJECT, errbuf, -1);
+	    if (auth_debug_mode)
+		printf("%s\r\n", errbuf);
+	    free (errbuf);
+	    return;
+	}
+	
+	{
+	    char foo[2];
+	    
+	    foo[0] = ap->type;
+	    foo[1] = ap->way;
+	    
+	    ret = krb5_verify_authenticator_checksum(context,
+						     auth_context,
+						     foo, 
+						     sizeof(foo));
+
+	    if (ret) {
+		char *errbuf;
+		asprintf(&errbuf, "Bad checksum: %s", 
+			 krb5_get_err_text(context, ret));
+		Data(ap, KRB_REJECT, errbuf, -1);
+		if (auth_debug_mode)
+		    printf ("%s\r\n", errbuf);
+		free(errbuf);
+		return;
+	    }
+	}
+	ret = krb5_auth_con_getremotesubkey (context,
+					     auth_context,
+					     &key_block);
+
+	if (ret) {
+	    Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
+	    auth_finished(ap, AUTH_REJECT);
+	    if (auth_debug_mode)
+		printf("Kerberos V5: "
+		       "krb5_auth_con_getremotesubkey failed (%s)\r\n",
+		       krb5_get_err_text(context, ret));
+	    return;
+	}
+
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+	    ret = krb5_mk_rep(context, &auth_context, &outbuf);
+	    if (ret) {
+		Data(ap, KRB_REJECT,
+		     "krb5_mk_rep failed", -1);
+		auth_finished(ap, AUTH_REJECT);
+		if (auth_debug_mode)
+		    printf("Kerberos V5: "
+			   "krb5_mk_rep failed (%s)\r\n",
+			   krb5_get_err_text(context, ret));
+		return;
+	    }
+	    Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
+	}
+	if (krb5_unparse_name(context, ticket->client, &name))
+	    name = 0;
+
+	if(UserNameRequested && krb5_kuserok(context,
+					     ticket->client,
+					     UserNameRequested)) {
+	    Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
+	    if (auth_debug_mode) {
+		printf("Kerberos5 identifies him as ``%s''\r\n",
+		       name ? name : "");
+	    }
+
+	    if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
+	       key_block->keytype == ETYPE_DES_CBC_MD4 ||
+	       key_block->keytype == ETYPE_DES_CBC_CRC) {
+		Session_Key skey;
+
+		skey.type = SK_DES;
+		skey.length = 8;
+		skey.data = key_block->keyvalue.data;
+		encrypt_session_key(&skey, 0);
+	    }
+
+	} else {
+	    char *msg;
+
+	    asprintf (&msg, "user `%s' is not authorized to "
+		      "login as `%s'", 
+		      name ? name : "<unknown>",
+		      UserNameRequested ? UserNameRequested : "<nobody>");
+	    if (msg == NULL)
+		Data(ap, KRB_REJECT, NULL, 0);
+	    else {
+		Data(ap, KRB_REJECT, (void *)msg, -1);
+		free(msg);
+	    }
+	}
+	auth_finished(ap, AUTH_USER);
+
+	krb5_free_keyblock_contents(context, key_block);
+	
+	break;
+    case KRB_FORWARD: {
+	struct passwd *pwd;
+	char ccname[1024];	/* XXX */
+	krb5_data inbuf;
+	krb5_ccache ccache;
+	inbuf.data = (char *)data;
+	inbuf.length = cnt;
+
+	pwd = getpwnam (UserNameRequested);
+	if (pwd == NULL)
+	    break;
+
+	snprintf (ccname, sizeof(ccname),
+		  "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
+
+	ret = krb5_cc_resolve (context, ccname, &ccache);
+	if (ret) {
+	    if (auth_debug_mode)
+		printf ("Kerberos V5: could not get ccache: %s\r\n",
+			krb5_get_err_text(context, ret));
+	    break;
+	}
+
+	ret = krb5_cc_initialize (context,
+				  ccache,
+				  ticket->client);
+	if (ret) {
+	    if (auth_debug_mode)
+		printf ("Kerberos V5: could not init ccache: %s\r\n",
+			krb5_get_err_text(context, ret));
+	    break;
+	}
+
+	ret = krb5_rd_cred (context,
+			    auth_context,
+			    ccache,
+			    &inbuf);
+	if(ret) {
+	    char *errbuf;
+
+	    asprintf (&errbuf,
+		      "Read forwarded creds failed: %s",
+		      krb5_get_err_text (context, ret));
+	    if(errbuf == NULL)
+		Data(ap, KRB_FORWARD_REJECT, NULL, 0);
+	    else
+		Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
+	    if (auth_debug_mode)
+		printf("Could not read forwarded credentials: %s\r\n",
+		       errbuf);
+	    free (errbuf);
+	} else
+	    Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+	chown (ccname + 5, pwd->pw_uid, -1);
+	if (auth_debug_mode)
+	    printf("Forwarded credentials obtained\r\n");
+	break;
+    }
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	Data(ap, KRB_REJECT, 0, 0);
+	break;
+    }
+}
+
+void
+kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
+{
+    static int mutual_complete = 0;
+
+    if (cnt-- < 1)
+	return;
+    switch (*data++) {
+    case KRB_REJECT:
+	if (cnt > 0) {
+	    printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
+		   cnt, data);
+	} else
+	    printf("[ Kerberos V5 refuses authentication ]\r\n");
+	auth_send_retry();
+	return;
+    case KRB_ACCEPT: {
+	krb5_error_code ret;
+	Session_Key skey;
+	krb5_keyblock *keyblock;
+	
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
+	    !mutual_complete) {
+	    printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
+	    auth_send_retry();
+	    return;
+	}
+	if (cnt)
+	    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
+	else
+	    printf("[ Kerberos V5 accepts you ]\r\n");
+	      
+	ret = krb5_auth_con_getlocalsubkey (context,
+					    auth_context,
+					    &keyblock);
+	if (ret)
+	    ret = krb5_auth_con_getkey (context,
+					auth_context,
+					&keyblock);
+	if(ret) {
+	    printf("[ krb5_auth_con_getkey: %s ]\r\n",
+		   krb5_get_err_text(context, ret));
+	    auth_send_retry();
+	    return;
+	}
+	      
+	skey.type = SK_DES;
+	skey.length = 8;
+	skey.data = keyblock->keyvalue.data;
+	encrypt_session_key(&skey, 0);
+	krb5_free_keyblock_contents (context, keyblock);
+	auth_finished(ap, AUTH_USER);
+	if (forward_flags & OPTS_FORWARD_CREDS)
+	    kerberos5_forward(ap);
+	break;
+    }
+    case KRB_RESPONSE:
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+	    /* the rest of the reply should contain a krb_ap_rep */
+	  krb5_ap_rep_enc_part *reply;
+	  krb5_data inbuf;
+	  krb5_error_code ret;
+	    
+	  inbuf.length = cnt;
+	  inbuf.data = (char *)data;
+
+	  ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
+	  if (ret) {
+	      printf("[ Mutual authentication failed: %s ]\r\n",
+		     krb5_get_err_text (context, ret));
+	      auth_send_retry();
+	      return;
+	  }
+	  krb5_free_ap_rep_enc_part(context, reply);
+	  mutual_complete = 1;
+	}
+	return;
+    case KRB_FORWARD_ACCEPT:
+	printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
+	return;
+    case KRB_FORWARD_REJECT:
+	printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
+	       cnt, data);
+	return;
+    default:
+	if (auth_debug_mode)
+	    printf("Unknown Kerberos option %d\r\n", data[-1]);
+	return;
+    }
+}
+
+int
+kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
+{
+    if (level < AUTH_USER)
+	return(level);
+
+    if (UserNameRequested &&
+	krb5_kuserok(context,
+		     ticket->client,
+		     UserNameRequested))
+	{
+	    strlcpy(name, UserNameRequested, name_sz);
+	    return(AUTH_VALID);
+	} else
+	    return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+void
+kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+    int i;
+
+    buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+    buflen -= 1;
+
+    switch(data[3]) {
+    case KRB_REJECT:		/* Rejected (reason might follow) */
+	strlcpy((char *)buf, " REJECT ", buflen);
+	goto common;
+
+    case KRB_ACCEPT:		/* Accepted (name might follow) */
+	strlcpy((char *)buf, " ACCEPT ", buflen);
+    common:
+	BUMP(buf, buflen);
+	if (cnt <= 4)
+	    break;
+	ADDC(buf, buflen, '"');
+	for (i = 4; i < cnt; i++)
+	    ADDC(buf, buflen, data[i]);
+	ADDC(buf, buflen, '"');
+	ADDC(buf, buflen, '\0');
+	break;
+
+
+    case KRB_AUTH:			/* Authentication data follows */
+	strlcpy((char *)buf, " AUTH", buflen);
+	goto common2;
+
+    case KRB_RESPONSE:
+	strlcpy((char *)buf, " RESPONSE", buflen);
+	goto common2;
+
+    case KRB_FORWARD:		/* Forwarded credentials follow */
+	strlcpy((char *)buf, " FORWARD", buflen);
+	goto common2;
+
+    case KRB_FORWARD_ACCEPT:	/* Forwarded credentials accepted */
+	strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
+	goto common2;
+
+    case KRB_FORWARD_REJECT:	/* Forwarded credentials rejected */
+	/* (reason might follow) */
+	strlcpy((char *)buf, " FORWARD_REJECT", buflen);
+	goto common2;
+
+    default:
+	snprintf(buf, buflen, " %d (unknown)", data[3]);
+    common2:
+	BUMP(buf, buflen);
+	for (i = 4; i < cnt; i++) {
+	    snprintf(buf, buflen, " %d", data[i]);
+	    BUMP(buf, buflen);
+	}
+	break;
+    }
+}
+
+void
+kerberos5_forward(Authenticator *ap)
+{
+    krb5_error_code ret;
+    krb5_ccache     ccache;
+    krb5_creds      creds;
+    krb5_kdc_flags  flags;
+    krb5_data       out_data;
+    krb5_principal  principal;
+
+    ret = krb5_cc_default (context, &ccache);
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("KerberosV5: could not get default ccache: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    ret = krb5_cc_get_principal (context, ccache, &principal);
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("KerberosV5: could not get principal: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    memset (&creds, 0, sizeof(creds));
+
+    creds.client = principal;
+    
+    ret = krb5_build_principal (context,
+				&creds.server,
+				strlen(principal->realm),
+				principal->realm,
+				"krbtgt",
+				principal->realm,
+				NULL);
+
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("KerberosV5: could not get principal: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    creds.times.endtime = 0;
+
+    flags.i = 0;
+    flags.b.forwarded = 1;
+    if (forward_flags & OPTS_FORWARDABLE_CREDS)
+	flags.b.forwardable = 1;
+
+    ret = krb5_get_forwarded_creds (context,
+				    auth_context,
+				    ccache,
+				    flags.i,
+				    RemoteHostName,
+				    &creds,
+				    &out_data);
+    if (ret) {
+	if (auth_debug_mode)
+	    printf ("Kerberos V5: error gettting forwarded creds: %s\r\n",
+		    krb5_get_err_text (context, ret));
+	return;
+    }
+
+    if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
+	if (auth_debug_mode)
+	    printf("Not enough room for authentication data\r\n");
+    } else {
+	if (auth_debug_mode)
+	    printf("Forwarded local Kerberos V5 credentials to server\r\n");
+    }
+}
+
+#endif /* KRB5 */
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/krb4encpwd.c b/crypto/kerberosIV/appl/telnet/libtelnet/krb4encpwd.c
new file mode 100644
index 0000000..a4f8a2c
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/krb4encpwd.c
@@ -0,0 +1,438 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+/* $FreeBSD$ */
+
+#include <config.h>
+
+RCSID("$Id: krb4encpwd.c,v 1.18 1999/09/16 20:41:34 assar Exp $");
+
+#ifdef	KRB4_ENCPWD
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <pwd.h>
+#include <stdio.h>
+
+#include <openssl/des.h>
+#include <krb.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int krb_mk_encpwd_req (KTEXT, char *, char *, char *, char *, char *, char *);
+int krb_rd_encpwd_req (KTEXT, char *, char *, u_long, AUTH_DAT *, char *, char *, char *, char *);
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KRB4_ENCPWD, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	KRB4_ENCPWD_AUTH	0	/* Authentication data follows */
+#define	KRB4_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
+#define KRB4_ENCPWD_ACCEPT	2	/* Accepted */
+#define	KRB4_ENCPWD_CHALLENGE	3	/* Challenge for mutual auth. */
+#define	KRB4_ENCPWD_ACK		4	/* Acknowledge */
+
+#define KRB_SERVICE_NAME    "rcmd"
+
+static	KTEXT_ST auth;
+static	char name[ANAME_SZ];
+static	char user_passwd[ANAME_SZ];
+static	AUTH_DAT adat = { 0 };
+static des_key_schedule sched;
+static char  challenge[REALM_SZ];
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen(cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(telnet_net_write(str_data, p - str_data));
+}
+
+	int
+krb4encpwd_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	char hostname[80], *cp, *realm;
+	des_clock skey;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+	} else {
+		str_data[3] = TELQUAL_IS;
+		gethostname(hostname, sizeof(hostname));
+		realm = krb_realmofhost(hostname);
+		cp = strchr(hostname, '.');
+		if (*cp != NULL) *cp = NULL;
+		if (read_service_key(KRB_SERVICE_NAME, hostname, realm, 0,
+					KEYFILE, (char *)skey)) {
+		  return(0);
+		}
+	}
+	return(1);
+}
+
+	int
+krb4encpwd_send(ap)
+	Authenticator *ap;
+{
+
+	printf("[ Trying KRB4ENCPWD ... ]\r\n");
+	if (!UserNameRequested) {
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+
+	if (!Data(ap, KRB4_ENCPWD_ACK, NULL, 0)) {
+		return(0);
+	}
+
+	return(1);
+}
+
+	void
+krb4encpwd_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	des_cblock datablock;
+	char  r_passwd[ANAME_SZ], r_user[ANAME_SZ];
+	char  lhostname[ANAME_SZ], *cp;
+	int r;
+	time_t now;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB4_ENCPWD_AUTH:
+		memmove(auth.dat, data, auth.length = cnt);
+
+		gethostname(lhostname, sizeof(lhostname));
+		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
+
+		if (r = krb_rd_encpwd_req(&auth, KRB_SERVICE_NAME, lhostname, 0, &adat, NULL, challenge, r_user, r_passwd)) {
+			Data(ap, KRB4_ENCPWD_REJECT, "Auth failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+		auth_encrypt_userpwd(r_passwd);
+		if (passwdok(UserNameRequested, UserPassword) == 0) {
+		  /*
+		   *  illegal username and password
+		   */
+		  Data(ap, KRB4_ENCPWD_REJECT, "Illegal password", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+
+		memmove(session_key, adat.session, sizeof(des_cblock));
+		Data(ap, KRB4_ENCPWD_ACCEPT, 0, 0);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	case KRB4_ENCPWD_CHALLENGE:
+		/*
+		 *  Take the received random challenge text and save
+		 *  for future authentication.
+		 */
+		memmove(challenge, data, sizeof(des_cblock));
+		break;
+
+
+	case KRB4_ENCPWD_ACK:
+		/*
+		 *  Receive ack, if mutual then send random challenge
+		 */
+
+		/*
+		 * If we are doing mutual authentication, get set up to send
+		 * the challenge, and verify it when the response comes back.
+		 */
+
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		  int i;
+
+		  time(&now);
+		  snprintf(challenge, sizeof(challenge), "%x", now);
+		  Data(ap, KRB4_ENCPWD_CHALLENGE, challenge, strlen(challenge));
+		}
+		break;
+
+	default:
+		Data(ap, KRB4_ENCPWD_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+krb4encpwd_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	KTEXT_ST krb_token;
+	des_cblock enckey;
+	CREDENTIALS cred;
+	int r;
+	char	randchal[REALM_SZ], instance[ANAME_SZ], *cp;
+	char	hostname[80], *realm;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB4_ENCPWD_REJECT:
+		if (cnt > 0) {
+			printf("[ KRB4_ENCPWD refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ KRB4_ENCPWD refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case KRB4_ENCPWD_ACCEPT:
+		printf("[ KRB4_ENCPWD accepts you ]\r\n");
+		auth_finished(ap, AUTH_USER);
+		return;
+	case KRB4_ENCPWD_CHALLENGE:
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+
+		gethostname(hostname, sizeof(hostname));
+		realm = krb_realmofhost(hostname);
+		memmove(challenge, data, cnt);
+		memset(user_passwd, 0, sizeof(user_passwd));
+		des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
+		UserPassword = user_passwd;
+		Challenge = challenge;
+		strlcpy(instance, RemoteHostName, sizeof(instance));
+		if ((cp = strchr(instance, '.')) != 0)  *cp = '\0';
+
+		if (r = krb_mk_encpwd_req(&krb_token, KRB_SERVICE_NAME, instance, realm, Challenge, UserNameRequested, user_passwd)) {
+		  krb_token.length = 0;
+		}
+
+		if (!Data(ap, KRB4_ENCPWD_AUTH, krb_token.dat, krb_token.length)) {
+		  return;
+		}
+
+		break;
+
+	default:
+		return;
+	}
+}
+
+	int
+krb4encpwd_status(ap, name, name_sz, level)
+	Authenticator *ap;
+	char *name;
+	size_t name_sz;
+	int level;
+{
+
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && passwdok(UserNameRequested, UserPassword)) {
+		strlcpy(name, UserNameRequested, name_sz);
+		return(AUTH_VALID);
+	} else {
+		return(AUTH_USER);
+	}
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+krb4encpwd_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case KRB4_ENCPWD_REJECT:	/* Rejected (reason might follow) */
+		strlcpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case KRB4_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
+		strlcpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case KRB4_ENCPWD_AUTH:		/* Authentication data follows */
+		strlcpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case KRB4_ENCPWD_CHALLENGE:
+		strlcpy((char *)buf, " CHALLENGE", buflen);
+		goto common2;
+
+	case KRB4_ENCPWD_ACK:
+		strlcpy((char *)buf, " ACK", buflen);
+		goto common2;
+
+	default:
+		snprintf(buf, buflen, " %d (unknown)", data[3]);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			snprintf(buf, buflen, " %d", data[i]);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+int passwdok(name, passwd)
+char *name, *passwd;
+{
+  char *crypt();
+  char *salt, *p;
+  struct passwd *pwd;
+  int   passwdok_status = 0;
+
+  if (pwd = k_getpwnam(name))
+    salt = pwd->pw_passwd;
+  else salt = "xx";
+
+  p = crypt(passwd, salt);
+
+  if (pwd && !strcmp(p, pwd->pw_passwd)) {
+    passwdok_status = 1;
+  } else passwdok_status = 0;
+  return(passwdok_status);
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/misc-proto.h b/crypto/kerberosIV/appl/telnet/libtelnet/misc-proto.h
new file mode 100644
index 0000000..a31d924
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/misc-proto.h
@@ -0,0 +1,79 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)misc-proto.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $Id: misc-proto.h,v 1.7 1998/07/09 23:16:30 assar Exp $ */
+
+#ifndef	__MISC_PROTO__
+#define	__MISC_PROTO__
+
+void auth_encrypt_init (char *, char *, char *, int);
+void auth_encrypt_user(char *name);
+void auth_encrypt_connect (int);
+void printd (const unsigned char *, int);
+
+char** genget (char *name, char **table, int stlen);
+int isprefix(char *s1, char *s2);
+int Ambiguous(void *s);
+
+/*
+ * These functions are imported from the application
+ */
+int telnet_net_write (unsigned char *, int);
+void net_encrypt (void);
+int telnet_spin (void);
+char *telnet_getenv (char *);
+char *telnet_gets (char *, char *, int, int);
+void printsub(int direction, unsigned char *pointer, int length);
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/misc.c b/crypto/kerberosIV/appl/telnet/libtelnet/misc.c
new file mode 100644
index 0000000..2d9199f
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/misc.c
@@ -0,0 +1,94 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: misc.c,v 1.13 1998/06/13 00:06:54 assar Exp $");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+#include "misc.h"
+#include "auth.h"
+#include "encrypt.h"
+
+
+char *RemoteHostName;
+char *LocalHostName;
+char *UserNameRequested = 0;
+int ConnectedCount = 0;
+
+void
+auth_encrypt_init(char *local, char *remote, char *name, int server)
+{
+    RemoteHostName = remote;
+    LocalHostName = local;
+#ifdef AUTHENTICATION
+    auth_init(name, server);
+#endif
+#ifdef ENCRYPTION
+    encrypt_init(name, server);
+#endif
+    if (UserNameRequested) {
+	free(UserNameRequested);
+	UserNameRequested = 0;
+    }
+}
+
+void
+auth_encrypt_user(char *name)
+{
+    if (UserNameRequested)
+	free(UserNameRequested);
+    UserNameRequested = name ? strdup(name) : 0;
+}
+
+void
+auth_encrypt_connect(int cnt)
+{
+}
+
+void
+printd(const unsigned char *data, int cnt)
+{
+    if (cnt > 16)
+	cnt = 16;
+    while (cnt-- > 0) {
+	printf(" %02x", *data);
+	++data;
+    }
+}
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/misc.h b/crypto/kerberosIV/appl/telnet/libtelnet/misc.h
new file mode 100644
index 0000000..41ffa7f
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/misc.h
@@ -0,0 +1,42 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)misc.h	8.1 (Berkeley) 6/4/93
+ */
+
+extern char *UserNameRequested;
+extern char *LocalHostName;
+extern char *RemoteHostName;
+extern int ConnectedCount;
+extern int ReservedPort;
+
+#include "misc-proto.h"
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/rsaencpwd.c b/crypto/kerberosIV/appl/telnet/libtelnet/rsaencpwd.c
new file mode 100644
index 0000000..dafb448
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/rsaencpwd.c
@@ -0,0 +1,487 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: rsaencpwd.c,v 1.18 1999/09/16 20:41:34 assar Exp $");
+
+#ifdef	RSA_ENCPWD
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <pwd.h>
+#include <stdio.h>
+
+#include <stdlib.h>
+#include <string.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+#include "cdc.h"
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_RSA_ENCPWD, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	RSA_ENCPWD_AUTH	0	/* Authentication data follows */
+#define	RSA_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
+#define RSA_ENCPWD_ACCEPT	2	/* Accepted */
+#define	RSA_ENCPWD_CHALLENGEKEY	3	/* Challenge and public key */
+
+#define NAME_SZ   40
+#define CHAL_SZ   20
+#define PWD_SZ    40
+
+static	KTEXT_ST auth;
+static	char name[NAME_SZ];
+static	char user_passwd[PWD_SZ];
+static  char key_file[2*NAME_SZ];
+static  char lhostname[NAME_SZ];
+static char  challenge[CHAL_SZ];
+static int   challenge_len;
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	if (type != NULL) *p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(telnet_net_write(str_data, p - str_data));
+}
+
+	int
+rsaencpwd_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	char  *cp;
+	FILE  *fp;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		memset(key_file, 0, sizeof(key_file));
+		gethostname(lhostname, sizeof(lhostname));
+		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
+		snprintf(key_file, sizeof(key_file),
+			 "/etc/.%s_privkey", lhostname);
+		if ((fp=fopen(key_file, "r"))==NULL) return(0);
+		fclose(fp);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+	int
+rsaencpwd_send(ap)
+	Authenticator *ap;
+{
+
+	printf("[ Trying RSAENCPWD ... ]\r\n");
+	if (!UserNameRequested) {
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+	if (!Data(ap, NULL, NULL, 0)) {
+		return(0);
+	}
+
+
+	return(1);
+}
+
+	void
+rsaencpwd_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	des_cblock datablock;
+	char  r_passwd[PWD_SZ], r_user[NAME_SZ];
+	char  *cp, key[160];
+	char  chalkey[160], *ptr;
+	FILE  *fp;
+	int r, i, j, chalkey_len, len;
+	time_t now;
+
+	cnt--;
+	switch (*data++) {
+	case RSA_ENCPWD_AUTH:
+		memmove(auth.dat, data, auth.length = cnt);
+
+		if ((fp=fopen(key_file, "r"))==NULL) {
+		  Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+		/*
+		 *  get privkey
+		 */
+		fscanf(fp, "%x;", &len);
+		for (i=0;i<len;i++) {
+		  j = getc(fp);  key[i]=j;
+		}
+		fclose(fp);
+
+		r = accept_rsa_encpwd(&auth, key, challenge,
+				      challenge_len, r_passwd);
+		if (r < 0) {
+		  Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+		auth_encrypt_userpwd(r_passwd);
+		if (rsaencpwd_passwdok(UserNameRequested, UserPassword) == 0) {
+		  /*
+		   *  illegal username and password
+		   */
+		  Data(ap, RSA_ENCPWD_REJECT, "Illegal password", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+
+		Data(ap, RSA_ENCPWD_ACCEPT, 0, 0);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+
+	case IAC:
+
+		/*
+		 * If we are doing mutual authentication, get set up to send
+		 * the challenge, and verify it when the response comes back.
+		 */
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY) {
+		  int i;
+
+
+		  time(&now);
+		  if ((now % 2) == 0) {
+		    snprintf(challenge, sizeof(challenge), "%x", now);
+		    challenge_len = strlen(challenge);
+		  } else {
+		    strlcpy(challenge, "randchal", sizeof(challenge));
+		    challenge_len = 8;
+		  }
+
+		  if ((fp=fopen(key_file, "r"))==NULL) {
+		    Data(ap, RSA_ENCPWD_REJECT, "Auth failed", -1);
+		    auth_finished(ap, AUTH_REJECT);
+		    return;
+		  }
+		  /*
+		   *  skip privkey
+		   */
+		  fscanf(fp, "%x;", &len);
+		  for (i=0;i<len;i++) {
+		    j = getc(fp);
+		  }
+		  /*
+		   * get pubkey
+		   */
+		  fscanf(fp, "%x;", &len);
+		  for (i=0;i<len;i++) {
+		    j = getc(fp);  key[i]=j;
+		  }
+		  fclose(fp);
+		  chalkey[0] = 0x30;
+		  ptr = (char *) &chalkey[1];
+		  chalkey_len = 1+NumEncodeLengthOctets(i)+i+1+NumEncodeLengthOctets(challenge_len)+challenge_len;
+		  EncodeLength(ptr, chalkey_len);
+		  ptr +=NumEncodeLengthOctets(chalkey_len);
+		  *ptr++ = 0x04;  /* OCTET STRING */
+		  *ptr++ = challenge_len;
+		  memmove(ptr, challenge, challenge_len);
+		  ptr += challenge_len;
+		  *ptr++ = 0x04;  /* OCTET STRING */
+		  EncodeLength(ptr, i);
+		  ptr += NumEncodeLengthOctets(i);
+		  memmove(ptr, key, i);
+		  chalkey_len = 1+NumEncodeLengthOctets(chalkey_len)+chalkey_len;
+		  Data(ap, RSA_ENCPWD_CHALLENGEKEY, chalkey, chalkey_len);
+		}
+		break;
+
+	default:
+		Data(ap, RSA_ENCPWD_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+rsaencpwd_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	KTEXT_ST token;
+	des_cblock enckey;
+	int r, pubkey_len;
+	char	randchal[CHAL_SZ], *cp;
+	char	chalkey[160], pubkey[128], *ptr;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case RSA_ENCPWD_REJECT:
+		if (cnt > 0) {
+			printf("[ RSA_ENCPWD refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ RSA_ENCPWD refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case RSA_ENCPWD_ACCEPT:
+		printf("[ RSA_ENCPWD accepts you ]\r\n");
+		auth_finished(ap, AUTH_USER);
+		return;
+	case RSA_ENCPWD_CHALLENGEKEY:
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+
+		memmove(chalkey, data, cnt);
+		ptr = (char *) &chalkey[0];
+		ptr += DecodeHeaderLength(chalkey);
+		if (*ptr != 0x04) {
+		  return;
+		}
+		*ptr++;
+		challenge_len = DecodeValueLength(ptr);
+		ptr += NumEncodeLengthOctets(challenge_len);
+		memmove(challenge, ptr, challenge_len);
+		ptr += challenge_len;
+		if (*ptr != 0x04) {
+		  return;
+		}
+		*ptr++;
+		pubkey_len = DecodeValueLength(ptr);
+		ptr += NumEncodeLengthOctets(pubkey_len);
+		memmove(pubkey, ptr, pubkey_len);
+		memset(user_passwd, 0, sizeof(user_passwd));
+		des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
+		UserPassword = user_passwd;
+		Challenge = challenge;
+		r = init_rsa_encpwd(&token, user_passwd, challenge, challenge_len, pubkey);
+		if (r < 0) {
+		  token.length = 1;
+		}
+
+		if (!Data(ap, RSA_ENCPWD_AUTH, token.dat, token.length)) {
+		  return;
+		}
+
+		break;
+
+	default:
+		return;
+	}
+}
+
+	int
+rsaencpwd_status(ap, name, name_sz, level)
+	Authenticator *ap;
+	char *name;
+	size_t name_sz;
+	int level;
+{
+
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && rsaencpwd_passwdok(UserNameRequested, UserPassword)) {
+		strlcpy(name, UserNameRequested, name_sz);
+		return(AUTH_VALID);
+	} else {
+		return(AUTH_USER);
+	}
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+rsaencpwd_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case RSA_ENCPWD_REJECT:	/* Rejected (reason might follow) */
+		strlcpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case RSA_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
+		strlcpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case RSA_ENCPWD_AUTH:		/* Authentication data follows */
+		strlcpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case RSA_ENCPWD_CHALLENGEKEY:
+		strlcpy((char *)buf, " CHALLENGEKEY", buflen);
+		goto common2;
+
+	default:
+		snprintf(buf, buflen, " %d (unknown)", data[3]);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			snprintf(buf, buflen, " %d", data[i]);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+int rsaencpwd_passwdok(name, passwd)
+char *name, *passwd;
+{
+  char *crypt();
+  char *salt, *p;
+  struct passwd *pwd;
+  int   passwdok_status = 0;
+
+  if (pwd = k_getpwnam(name))
+    salt = pwd->pw_passwd;
+  else salt = "xx";
+
+  p = crypt(passwd, salt);
+
+  if (pwd && !strcmp(p, pwd->pw_passwd)) {
+    passwdok_status = 1;
+  } else passwdok_status = 0;
+  return(passwdok_status);
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/libtelnet/spx.c b/crypto/kerberosIV/appl/telnet/libtelnet/spx.c
new file mode 100644
index 0000000..9155ef2
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/libtelnet/spx.c
@@ -0,0 +1,586 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+RCSID("$Id: spx.c,v 1.17 1999/09/16 20:41:34 assar Exp $");
+
+#ifdef	SPX
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+#include <stdio.h>
+#include "gssapi_defs.h"
+#include <stdlib.h>
+#include <string.h>
+
+#include <pwd.h>
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_SPX, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	SPX_AUTH	0		/* Authentication data follows */
+#define	SPX_REJECT	1		/* Rejected (reason might follow) */
+#define SPX_ACCEPT	2		/* Accepted */
+
+static des_key_schedule sched;
+static des_cblock	challenge	= { 0 };
+
+
+/*******************************************************************/
+
+gss_OID_set		actual_mechs;
+gss_OID			actual_mech_type, output_name_type;
+int			major_status, status, msg_ctx = 0, new_status;
+int			req_flags = 0, ret_flags, lifetime_rec;
+gss_cred_id_t		gss_cred_handle;
+gss_ctx_id_t		actual_ctxhandle, context_handle;
+gss_buffer_desc		output_token, input_token, input_name_buffer;
+gss_buffer_desc		status_string;
+gss_name_t		desired_targname, src_name;
+gss_channel_bindings	input_chan_bindings;
+char			lhostname[GSS_C_MAX_PRINTABLE_NAME];
+char			targ_printable[GSS_C_MAX_PRINTABLE_NAME];
+int			to_addr=0, from_addr=0;
+char			*address;
+gss_buffer_desc		fullname_buffer;
+gss_OID			fullname_type;
+gss_cred_id_t		gss_delegated_cred_handle;
+
+/*******************************************************************/
+
+
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(telnet_net_write(str_data, p - str_data));
+}
+
+	int
+spx_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	gss_cred_id_t	tmp_cred_handle;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		gethostname(lhostname, sizeof(lhostname));
+		snprintf (targ_printable, sizeof(targ_printable),
+			  "SERVICE:rcmd@%s", lhostname);
+		input_name_buffer.length = strlen(targ_printable);
+		input_name_buffer.value = targ_printable;
+		major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+		major_status = gss_acquire_cred(&status,
+					desired_targname,
+					0,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&tmp_cred_handle,
+					&actual_mechs,
+					&lifetime_rec);
+		if (major_status != GSS_S_COMPLETE) return(0);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+	int
+spx_send(ap)
+	Authenticator *ap;
+{
+	des_cblock enckey;
+	int r;
+
+	gss_OID	actual_mech_type, output_name_type;
+	int	msg_ctx = 0, new_status, status;
+	int	req_flags = 0, ret_flags, lifetime_rec, major_status;
+	gss_buffer_desc  output_token, input_token, input_name_buffer;
+	gss_buffer_desc  output_name_buffer, status_string;
+	gss_name_t    desired_targname;
+	gss_channel_bindings  input_chan_bindings;
+	char targ_printable[GSS_C_MAX_PRINTABLE_NAME];
+	int  from_addr=0, to_addr=0, myhostlen, j;
+	int  deleg_flag=1, mutual_flag=0, replay_flag=0, seq_flag=0;
+	char *address;
+
+	printf("[ Trying SPX ... ]\r\n");
+	snprintf (targ_printable, sizeof(targ_printable),
+		  "SERVICE:rcmd@%s", RemoteHostName);
+
+	input_name_buffer.length = strlen(targ_printable);
+	input_name_buffer.value = targ_printable;
+
+	if (!UserNameRequested) {
+		return(0);
+	}
+
+	major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+
+
+	major_status = gss_display_name(&status,
+					desired_targname,
+					&output_name_buffer,
+					&output_name_type);
+
+	printf("target is '%s'\n", output_name_buffer.value); fflush(stdout);
+
+	major_status = gss_release_buffer(&status, &output_name_buffer);
+
+	input_chan_bindings = (gss_channel_bindings)
+	  malloc(sizeof(gss_channel_bindings_desc));
+
+	input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
+	input_chan_bindings->initiator_address.length = 4;
+	address = (char *) malloc(4);
+	input_chan_bindings->initiator_address.value = (char *) address;
+	address[0] = ((from_addr & 0xff000000) >> 24);
+	address[1] = ((from_addr & 0xff0000) >> 16);
+	address[2] = ((from_addr & 0xff00) >> 8);
+	address[3] = (from_addr & 0xff);
+	input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
+	input_chan_bindings->acceptor_address.length = 4;
+	address = (char *) malloc(4);
+	input_chan_bindings->acceptor_address.value = (char *) address;
+	address[0] = ((to_addr & 0xff000000) >> 24);
+	address[1] = ((to_addr & 0xff0000) >> 16);
+	address[2] = ((to_addr & 0xff00) >> 8);
+	address[3] = (to_addr & 0xff);
+	input_chan_bindings->application_data.length = 0;
+
+	req_flags = 0;
+	if (deleg_flag)  req_flags = req_flags | 1;
+	if (mutual_flag) req_flags = req_flags | 2;
+	if (replay_flag) req_flags = req_flags | 4;
+	if (seq_flag)    req_flags = req_flags | 8;
+
+	major_status = gss_init_sec_context(&status,         /* minor status */
+					GSS_C_NO_CREDENTIAL, /* cred handle */
+					&actual_ctxhandle,   /* ctx handle */
+					desired_targname,    /* target name */
+					GSS_C_NULL_OID,      /* mech type */
+					req_flags,           /* req flags */
+					0,                   /* time req */
+					input_chan_bindings, /* chan binding */
+					GSS_C_NO_BUFFER,     /* input token */
+					&actual_mech_type,   /* actual mech */
+					&output_token,       /* output token */
+					&ret_flags,          /* ret flags */
+					&lifetime_rec);      /* time rec */
+
+	if ((major_status != GSS_S_COMPLETE) &&
+	    (major_status != GSS_S_CONTINUE_NEEDED)) {
+	  gss_display_status(&new_status,
+				status,
+				GSS_C_MECH_CODE,
+				GSS_C_NULL_OID,
+				&msg_ctx,
+				&status_string);
+	  printf("%s\n", status_string.value);
+	  return(0);
+	}
+
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+
+	if (!Data(ap, SPX_AUTH, output_token.value, output_token.length)) {
+		return(0);
+	}
+
+	return(1);
+}
+
+	void
+spx_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	des_cblock datablock;
+	int r;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case SPX_AUTH:
+		input_token.length = cnt;
+		input_token.value = (char *) data;
+
+		gethostname(lhostname, sizeof(lhostname));
+
+		snprintf(targ_printable, sizeof(targ_printable),
+			 "SERVICE:rcmd@%s", lhostname);
+
+		input_name_buffer.length = strlen(targ_printable);
+		input_name_buffer.value = targ_printable;
+
+		major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+
+		major_status = gss_acquire_cred(&status,
+					desired_targname,
+					0,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&gss_cred_handle,
+					&actual_mechs,
+					&lifetime_rec);
+
+		major_status = gss_release_name(&status, desired_targname);
+
+		input_chan_bindings = (gss_channel_bindings)
+		  malloc(sizeof(gss_channel_bindings_desc));
+
+		input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
+		input_chan_bindings->initiator_address.length = 4;
+		address = (char *) malloc(4);
+		input_chan_bindings->initiator_address.value = (char *) address;
+		address[0] = ((from_addr & 0xff000000) >> 24);
+		address[1] = ((from_addr & 0xff0000) >> 16);
+		address[2] = ((from_addr & 0xff00) >> 8);
+		address[3] = (from_addr & 0xff);
+		input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
+		input_chan_bindings->acceptor_address.length = 4;
+		address = (char *) malloc(4);
+		input_chan_bindings->acceptor_address.value = (char *) address;
+		address[0] = ((to_addr & 0xff000000) >> 24);
+		address[1] = ((to_addr & 0xff0000) >> 16);
+		address[2] = ((to_addr & 0xff00) >> 8);
+		address[3] = (to_addr & 0xff);
+		input_chan_bindings->application_data.length = 0;
+
+		major_status = gss_accept_sec_context(&status,
+						&context_handle,
+						gss_cred_handle,
+						&input_token,
+						input_chan_bindings,
+						&src_name,
+						&actual_mech_type,
+						&output_token,
+						&ret_flags,
+						&lifetime_rec,
+						&gss_delegated_cred_handle);
+
+
+		if (major_status != GSS_S_COMPLETE) {
+
+		  major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+			Data(ap, SPX_REJECT, "auth failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+
+
+		Data(ap, SPX_ACCEPT, output_token.value, output_token.length);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	default:
+		Data(ap, SPX_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+spx_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case SPX_REJECT:
+		if (cnt > 0) {
+			printf("[ SPX refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ SPX refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case SPX_ACCEPT:
+		printf("[ SPX accepts you ]\r\n");
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+			/*
+			 * Send over the encrypted challenge.
+		 	 */
+		  input_token.value = (char *) data;
+		  input_token.length = cnt;
+
+		  major_status = gss_init_sec_context(&status, /* minor stat */
+					GSS_C_NO_CREDENTIAL, /* cred handle */
+					&actual_ctxhandle,   /* ctx handle */
+					desired_targname,    /* target name */
+					GSS_C_NULL_OID,      /* mech type */
+					req_flags,           /* req flags */
+					0,                   /* time req */
+					input_chan_bindings, /* chan binding */
+					&input_token,        /* input token */
+					&actual_mech_type,   /* actual mech */
+					&output_token,       /* output token */
+					&ret_flags,          /* ret flags */
+					&lifetime_rec);      /* time rec */
+
+		  if (major_status != GSS_S_COMPLETE) {
+		    gss_display_status(&new_status,
+					status,
+					GSS_C_MECH_CODE,
+					GSS_C_NULL_OID,
+					&msg_ctx,
+					&status_string);
+		    printf("[ SPX mutual response fails ... '%s' ]\r\n",
+			 status_string.value);
+		    auth_send_retry();
+		    return;
+		  }
+		}
+		auth_finished(ap, AUTH_USER);
+		return;
+
+	default:
+		return;
+	}
+}
+
+	int
+spx_status(ap, name, name_sz, level)
+	Authenticator *ap;
+	char *name;
+	size_t name_sz;
+	int level;
+{
+
+	gss_buffer_desc  fullname_buffer, acl_file_buffer;
+	gss_OID          fullname_type;
+	char acl_file[160], fullname[160];
+	int major_status, status = 0;
+	struct passwd  *pwd;
+
+	/*
+	 * hard code fullname to
+	 *   "SPX:/C=US/O=Digital/OU=LKG/OU=Sphinx/OU=Users/CN=Kannan Alagappan"
+	 * and acl_file to "~kannan/.sphinx"
+	 */
+
+	pwd = k_getpwnam(UserNameRequested);
+	if (pwd == NULL) {
+	  return(AUTH_USER);   /*  not authenticated  */
+	}
+
+	snprintf (acl_file, sizeof(acl_file),
+		  "%s/.sphinx", pwd->pw_dir);
+
+	acl_file_buffer.value = acl_file;
+	acl_file_buffer.length = strlen(acl_file);
+
+	major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+
+	if (level < AUTH_USER)
+		return(level);
+
+	major_status = gss__check_acl(&status, &fullname_buffer,
+					&acl_file_buffer);
+
+	if (major_status == GSS_S_COMPLETE) {
+	  strlcpy(name, UserNameRequested, name_sz);
+	  return(AUTH_VALID);
+	} else {
+	   return(AUTH_USER);
+	}
+
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+spx_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case SPX_REJECT:		/* Rejected (reason might follow) */
+		strlcpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case SPX_ACCEPT:		/* Accepted (name might follow) */
+		strlcpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case SPX_AUTH:			/* Authentication data follows */
+		strlcpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	default:
+		snprintf(buf, buflen, " %d (unknown)", data[3]);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			snprintf(buf, buflen, " %d", data[i]);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/telnet.state b/crypto/kerberosIV/appl/telnet/telnet.state
new file mode 100644
index 0000000..1927a2b
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet.state
@@ -0,0 +1,80 @@
+
+   Three pieces of state need to be kept for each side of each option.
+   (You need the localside, sending WILL/WONT & receiving DO/DONT, and
+   the remoteside, sending DO/DONT and receiving WILL/WONT)
+
+	MY_STATE:	What state am I in?
+	WANT_STATE:	What state do I want?
+	WANT_RESP:	How many requests have I initiated?
+
+   Default values:
+	MY_STATE = WANT_STATE = DONT
+	WANT_RESP = 0
+
+   The local setup will change based on the state of the Telnet
+   variables.  When we are the originator, we can either make the
+   local setup changes at option request time (in which case if
+   the option is denied we need to change things back) or when
+   the option is acknowledged.
+
+   To initiate a switch to NEW_STATE:
+
+	if ((WANT_RESP == 0 && NEW_STATE == MY_STATE) ||
+			WANT_STATE == NEW_STATE) {
+	    do nothing;
+	} else {
+	    /*
+	     * This is where the logic goes to change the local setup
+	     * if we are doing so at request initiation
+	     */
+	    WANT_STATE = NEW_STATE;
+	    send NEW_STATE;
+	    WANT_RESP += 1;
+	}
+
+   When receiving NEW_STATE:
+
+	if (WANT_RESP) {
+	    --WANT_RESP;
+	    if (WANT_RESP && (NEW_STATE == MY_STATE))
+		--WANT_RESP;
+	}
+	if (WANT_RESP == 0) {
+	    if (NEW_STATE != WANT_STATE) {
+		/*
+		 * This is where the logic goes to decide if it is ok
+		 * to switch to NEW_STATE, and if so, do any necessary
+		 * local setup changes.
+		 */
+		if (ok_to_switch_to NEW_STATE)
+		    WANT_STATE = NEW_STATE;
+		else
+		    WANT_RESP++;
+*		if (MY_STATE != WANT_STATE)
+		    reply with WANT_STATE;
+	    } else {
+		/*
+		 * This is where the logic goes to change the local setup
+		 * if we are doing so at request acknowledgment
+		 */
+	    }
+	}
+	MY_STATE = NEW_STATE;
+
+* This if() line is not needed, it should be ok to always do the
+  "reply with WANT_STATE".  With the if() line, asking to turn on
+  an option that the other side doesn't understand is:
+		Send DO option
+		Recv WONT option
+  Without the if() line, it is:
+		Send DO option
+		Recv WONT option
+		Send DONT option
+  If the other side does not expect to receive the latter case,
+  but generates the latter case, then there is a potential for
+  option negotiation loops.  An implementation that does not expect
+  to get the second case should not generate it, an implementation
+  that does expect to get it may or may not generate it, and things
+  will still work.  Being conservative in what we send, we have the
+  if() statement in, but we expect the other side to generate the
+  last response.
diff --git a/crypto/kerberosIV/appl/telnet/telnet/Makefile.am b/crypto/kerberosIV/appl/telnet/telnet/Makefile.am
new file mode 100644
index 0000000..882aa24
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/Makefile.am
@@ -0,0 +1,20 @@
+# $Id: Makefile.am,v 1.12 1999/06/23 12:37:58 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4)
+
+bin_PROGRAMS = telnet
+
+CHECK_LOCAL = 
+
+telnet_SOURCES  = authenc.c commands.c main.c network.c ring.c \
+		  sys_bsd.c telnet.c terminal.c \
+		  utilities.c defines.h externs.h ring.h telnet_locl.h types.h
+
+LDADD = ../libtelnet/libtelnet.a \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_tgetent) \
+	$(LIB_roken)
diff --git a/crypto/kerberosIV/appl/telnet/telnet/Makefile.in b/crypto/kerberosIV/appl/telnet/telnet/Makefile.in
new file mode 100644
index 0000000..4da3e05
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/Makefile.in
@@ -0,0 +1,75 @@
+# $Id: Makefile.in,v 1.34 1999/03/11 13:50:09 joda Exp $
+
+srcdir		= @srcdir@
+top_srcdir	= @top_srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+LIBS = @LIBS@
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+PROGS = telnet$(EXECSUFFIX)
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+libdir = @libdir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+SOURCES=authenc.c commands.c main.c network.c ring.c \
+	sys_bsd.c telnet.c terminal.c \
+	utilities.c
+
+OBJECTS=authenc.o commands.o main.o network.o ring.o sys_bsd.o \
+	telnet.o terminal.o utilities.o
+
+libtop=@libtop@
+
+LIBKRB		= -L../../../lib/krb -lkrb
+LIBDES		= -L../../../lib/des -ldes
+LIBROKEN	= -L../../../lib/roken -lroken
+
+KLIB=$(LIBKRB) $(LIBDES)
+
+
+all: $(PROGS)
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../../include -I.. -I$(srcdir)/.. $(CFLAGS) $(CPPFLAGS) $<
+
+telnet$(EXECSUFFIX): $(OBJECTS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(OBJECTS) -L../libtelnet -ltelnet $(KLIB) $(LIBROKEN) $(LIBS) @LIB_tgetent@ $(LIBROKEN)
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(bindir)
+	for x in $(PROGS); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROGS); do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+clean cleandir:
+	rm -f *.o *.a telnet$(EXECSUFFIX) \#* *~ core
+
+distclean: clean
+	rm -f Makefile *~
+
+.PHONY: all install uninstall clean cleandir distclean
diff --git a/crypto/kerberosIV/appl/telnet/telnet/authenc.c b/crypto/kerberosIV/appl/telnet/telnet/authenc.c
new file mode 100644
index 0000000..6150fc7
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/authenc.c
@@ -0,0 +1,91 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: authenc.c,v 1.10 1999/09/16 20:41:35 assar Exp $");
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+int
+telnet_net_write(unsigned char *str, int len)
+{
+	if (NETROOM() > len) {
+		ring_supply_data(&netoring, str, len);
+		if (str[0] == IAC && str[1] == SE)
+			printsub('>', &str[2], len-2);
+		return(len);
+	}
+	return(0);
+}
+
+void
+net_encrypt(void)
+{
+#if	defined(ENCRYPTION)
+	if (encrypt_output)
+		ring_encrypt(&netoring, encrypt_output);
+	else
+		ring_clearto(&netoring);
+#endif
+}
+
+int
+telnet_spin(void)
+{
+	return(-1);
+}
+
+char *
+telnet_getenv(char *val)
+{
+	return((char *)env_getvalue((unsigned char *)val));
+}
+
+char *
+telnet_gets(char *prompt, char *result, int length, int echo)
+{
+	int om = globalmode;
+	char *res;
+
+	TerminalNewMode(-1);
+	if (echo) {
+		printf("%s", prompt);
+		res = fgets(result, length, stdin);
+	} else if ((res = getpass(prompt))) {
+		strlcpy(result, res, length);
+		res = result;
+	}
+	TerminalNewMode(om);
+	return(res);
+}
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/telnet/commands.c b/crypto/kerberosIV/appl/telnet/telnet/commands.c
new file mode 100644
index 0000000..fe77b56
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/commands.c
@@ -0,0 +1,2693 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: commands.c,v 1.56 1999/09/16 20:41:35 assar Exp $");
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+int tos = -1;
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+
+char	*hostname;
+static char _hostname[MaxHostNameLen];
+
+typedef int (*intrtn_t)(int, char**);
+static int call(intrtn_t, ...);
+
+typedef struct {
+	char	*name;		/* command name */
+	char	*help;		/* help string (NULL for no help) */
+	int	(*handler)();	/* routine which executes command */
+	int	needconnect;	/* Do we need to be connected to execute? */
+} Command;
+
+static char line[256];
+static char saveline[256];
+static int margc;
+static char *margv[20];
+
+static void
+makeargv()
+{
+    char *cp, *cp2, c;
+    char **argp = margv;
+
+    margc = 0;
+    cp = line;
+    if (*cp == '!') {		/* Special case shell escape */
+	/* save for shell command */
+	strlcpy(saveline, line, sizeof(saveline));
+	*argp++ = "!";		/* No room in string to get this */
+	margc++;
+	cp++;
+    }
+    while ((c = *cp)) {
+	int inquote = 0;
+	while (isspace(c))
+	    c = *++cp;
+	if (c == '\0')
+	    break;
+	*argp++ = cp;
+	margc += 1;
+	for (cp2 = cp; c != '\0'; c = *++cp) {
+	    if (inquote) {
+		if (c == inquote) {
+		    inquote = 0;
+		    continue;
+		}
+	    } else {
+		if (c == '\\') {
+		    if ((c = *++cp) == '\0')
+			break;
+		} else if (c == '"') {
+		    inquote = '"';
+		    continue;
+		} else if (c == '\'') {
+		    inquote = '\'';
+		    continue;
+		} else if (isspace(c))
+		    break;
+	    }
+	    *cp2++ = c;
+	}
+	*cp2 = '\0';
+	if (c == '\0')
+	    break;
+	cp++;
+    }
+    *argp++ = 0;
+}
+
+/*
+ * Make a character string into a number.
+ *
+ * Todo:  1.  Could take random integers (12, 0x12, 012, 0b1).
+ */
+
+static char
+special(char *s)
+{
+	char c;
+	char b;
+
+	switch (*s) {
+	case '^':
+		b = *++s;
+		if (b == '?') {
+		    c = b | 0x40;		/* DEL */
+		} else {
+		    c = b & 0x1f;
+		}
+		break;
+	default:
+		c = *s;
+		break;
+	}
+	return c;
+}
+
+/*
+ * Construct a control character sequence
+ * for a special character.
+ */
+static char *
+control(cc_t c)
+{
+	static char buf[5];
+	/*
+	 * The only way I could get the Sun 3.5 compiler
+	 * to shut up about
+	 *	if ((unsigned int)c >= 0x80)
+	 * was to assign "c" to an unsigned int variable...
+	 * Arggg....
+	 */
+	unsigned int uic = (unsigned int)c;
+
+	if (uic == 0x7f)
+		return ("^?");
+	if (c == (cc_t)_POSIX_VDISABLE) {
+		return "off";
+	}
+	if (uic >= 0x80) {
+		buf[0] = '\\';
+		buf[1] = ((c>>6)&07) + '0';
+		buf[2] = ((c>>3)&07) + '0';
+		buf[3] = (c&07) + '0';
+		buf[4] = 0;
+	} else if (uic >= 0x20) {
+		buf[0] = c;
+		buf[1] = 0;
+	} else {
+		buf[0] = '^';
+		buf[1] = '@'+c;
+		buf[2] = 0;
+	}
+	return (buf);
+}
+
+
+
+/*
+ *	The following are data structures and routines for
+ *	the "send" command.
+ *
+ */
+
+struct sendlist {
+    char	*name;		/* How user refers to it (case independent) */
+    char	*help;		/* Help information (0 ==> no help) */
+    int		needconnect;	/* Need to be connected */
+    int		narg;		/* Number of arguments */
+    int		(*handler)();	/* Routine to perform (for special ops) */
+    int		nbyte;		/* Number of bytes to send this command */
+    int		what;		/* Character to be sent (<0 ==> special) */
+};
+
+
+static int
+	send_esc (void),
+	send_help (void),
+	send_docmd (char *),
+	send_dontcmd (char *),
+	send_willcmd (char *),
+	send_wontcmd (char *);
+
+static struct sendlist Sendlist[] = {
+    { "ao",	"Send Telnet Abort output",		1, 0, 0, 2, AO },
+    { "ayt",	"Send Telnet 'Are You There'",		1, 0, 0, 2, AYT },
+    { "brk",	"Send Telnet Break",			1, 0, 0, 2, BREAK },
+    { "break",	0,					1, 0, 0, 2, BREAK },
+    { "ec",	"Send Telnet Erase Character",		1, 0, 0, 2, EC },
+    { "el",	"Send Telnet Erase Line",		1, 0, 0, 2, EL },
+    { "escape",	"Send current escape character",	1, 0, send_esc, 1, 0 },
+    { "ga",	"Send Telnet 'Go Ahead' sequence",	1, 0, 0, 2, GA },
+    { "ip",	"Send Telnet Interrupt Process",	1, 0, 0, 2, IP },
+    { "intp",	0,					1, 0, 0, 2, IP },
+    { "interrupt", 0,					1, 0, 0, 2, IP },
+    { "intr",	0,					1, 0, 0, 2, IP },
+    { "nop",	"Send Telnet 'No operation'",		1, 0, 0, 2, NOP },
+    { "eor",	"Send Telnet 'End of Record'",		1, 0, 0, 2, EOR },
+    { "abort",	"Send Telnet 'Abort Process'",		1, 0, 0, 2, ABORT },
+    { "susp",	"Send Telnet 'Suspend Process'",	1, 0, 0, 2, SUSP },
+    { "eof",	"Send Telnet End of File Character",	1, 0, 0, 2, xEOF },
+    { "synch",	"Perform Telnet 'Synch operation'",	1, 0, dosynch, 2, 0 },
+    { "getstatus", "Send request for STATUS",		1, 0, get_status, 6, 0 },
+    { "?",	"Display send options",			0, 0, send_help, 0, 0 },
+    { "help",	0,					0, 0, send_help, 0, 0 },
+    { "do",	0,					0, 1, send_docmd, 3, 0 },
+    { "dont",	0,					0, 1, send_dontcmd, 3, 0 },
+    { "will",	0,					0, 1, send_willcmd, 3, 0 },
+    { "wont",	0,					0, 1, send_wontcmd, 3, 0 },
+    { 0 }
+};
+
+#define	GETSEND(name) ((struct sendlist *) genget(name, (char **) Sendlist, \
+				sizeof(struct sendlist)))
+
+static int
+sendcmd(int argc, char **argv)
+{
+    int count;		/* how many bytes we are going to need to send */
+    int i;
+    struct sendlist *s;	/* pointer to current command */
+    int success = 0;
+    int needconnect = 0;
+
+    if (argc < 2) {
+	printf("need at least one argument for 'send' command\r\n");
+	printf("'send ?' for help\r\n");
+	return 0;
+    }
+    /*
+     * First, validate all the send arguments.
+     * In addition, we see how much space we are going to need, and
+     * whether or not we will be doing a "SYNCH" operation (which
+     * flushes the network queue).
+     */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+	s = GETSEND(argv[i]);
+	if (s == 0) {
+	    printf("Unknown send argument '%s'\r\n'send ?' for help.\r\n",
+			argv[i]);
+	    return 0;
+	} else if (Ambiguous(s)) {
+	    printf("Ambiguous send argument '%s'\r\n'send ?' for help.\r\n",
+			argv[i]);
+	    return 0;
+	}
+	if (i + s->narg >= argc) {
+	    fprintf(stderr,
+	    "Need %d argument%s to 'send %s' command.  'send %s ?' for help.\r\n",
+		s->narg, s->narg == 1 ? "" : "s", s->name, s->name);
+	    return 0;
+	}
+	count += s->nbyte;
+	if (s->handler == send_help) {
+	    send_help();
+	    return 0;
+	}
+
+	i += s->narg;
+	needconnect += s->needconnect;
+    }
+    if (!connected && needconnect) {
+	printf("?Need to be connected first.\r\n");
+	printf("'send ?' for help\r\n");
+	return 0;
+    }
+    /* Now, do we have enough room? */
+    if (NETROOM() < count) {
+	printf("There is not enough room in the buffer TO the network\r\n");
+	printf("to process your request.  Nothing will be done.\r\n");
+	printf("('send synch' will throw away most data in the network\r\n");
+	printf("buffer, if this might help.)\r\n");
+	return 0;
+    }
+    /* OK, they are all OK, now go through again and actually send */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+	if ((s = GETSEND(argv[i])) == 0) {
+	    fprintf(stderr, "Telnet 'send' error - argument disappeared!\r\n");
+	    quit();
+	    /*NOTREACHED*/
+	}
+	if (s->handler) {
+	    count++;
+	    success += (*s->handler)((s->narg > 0) ? argv[i+1] : 0,
+				  (s->narg > 1) ? argv[i+2] : 0);
+	    i += s->narg;
+	} else {
+	    NET2ADD(IAC, s->what);
+	    printoption("SENT", IAC, s->what);
+	}
+    }
+    return (count == success);
+}
+
+static int
+send_tncmd(void (*func)(), char *cmd, char *name);
+
+static int
+send_esc()
+{
+    NETADD(escape);
+    return 1;
+}
+
+static int
+send_docmd(char *name)
+{
+    return(send_tncmd(send_do, "do", name));
+}
+
+static int
+send_dontcmd(char *name)
+{
+    return(send_tncmd(send_dont, "dont", name));
+}
+
+static int
+send_willcmd(char *name)
+{
+    return(send_tncmd(send_will, "will", name));
+}
+
+static int
+send_wontcmd(char *name)
+{
+    return(send_tncmd(send_wont, "wont", name));
+}
+
+static int
+send_tncmd(void (*func)(), char *cmd, char *name)
+{
+    char **cpp;
+    extern char *telopts[];
+    int val = 0;
+
+    if (isprefix(name, "help") || isprefix(name, "?")) {
+	int col, len;
+
+	printf("Usage: send %s <value|option>\r\n", cmd);
+	printf("\"value\" must be from 0 to 255\r\n");
+	printf("Valid options are:\r\n\t");
+
+	col = 8;
+	for (cpp = telopts; *cpp; cpp++) {
+	    len = strlen(*cpp) + 3;
+	    if (col + len > 65) {
+		printf("\r\n\t");
+		col = 8;
+	    }
+	    printf(" \"%s\"", *cpp);
+	    col += len;
+	}
+	printf("\r\n");
+	return 0;
+    }
+    cpp = genget(name, telopts, sizeof(char *));
+    if (Ambiguous(cpp)) {
+	fprintf(stderr,"'%s': ambiguous argument ('send %s ?' for help).\r\n",
+					name, cmd);
+	return 0;
+    }
+    if (cpp) {
+	val = cpp - telopts;
+    } else {
+	char *cp = name;
+
+	while (*cp >= '0' && *cp <= '9') {
+	    val *= 10;
+	    val += *cp - '0';
+	    cp++;
+	}
+	if (*cp != 0) {
+	    fprintf(stderr, "'%s': unknown argument ('send %s ?' for help).\r\n",
+					name, cmd);
+	    return 0;
+	} else if (val < 0 || val > 255) {
+	    fprintf(stderr, "'%s': bad value ('send %s ?' for help).\r\n",
+					name, cmd);
+	    return 0;
+	}
+    }
+    if (!connected) {
+	printf("?Need to be connected first.\r\n");
+	return 0;
+    }
+    (*func)(val, 1);
+    return 1;
+}
+
+static int
+send_help()
+{
+    struct sendlist *s;	/* pointer to current command */
+    for (s = Sendlist; s->name; s++) {
+	if (s->help)
+	    printf("%-15s %s\r\n", s->name, s->help);
+    }
+    return(0);
+}
+
+/*
+ * The following are the routines and data structures referred
+ * to by the arguments to the "toggle" command.
+ */
+
+static int
+lclchars()
+{
+    donelclchars = 1;
+    return 1;
+}
+
+static int
+togdebug()
+{
+#ifndef	NOT43
+    if (net > 0 &&
+	(SetSockOpt(net, SOL_SOCKET, SO_DEBUG, debug)) < 0) {
+	    perror("setsockopt (SO_DEBUG)");
+    }
+#else	/* NOT43 */
+    if (debug) {
+	if (net > 0 && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 0, 0) < 0)
+	    perror("setsockopt (SO_DEBUG)");
+    } else
+	printf("Cannot turn off socket debugging\r\n");
+#endif	/* NOT43 */
+    return 1;
+}
+
+#if defined(KRB4) && defined(HAVE_KRB_DISABLE_DEBUG)
+#include <krb.h>
+
+static int
+togkrbdebug(void)
+{
+    if(krb_debug)
+	krb_enable_debug();
+    else
+	krb_disable_debug();
+    return 1;
+}
+#endif
+
+static int
+togcrlf()
+{
+    if (crlf) {
+	printf("Will send carriage returns as telnet <CR><LF>.\r\n");
+    } else {
+	printf("Will send carriage returns as telnet <CR><NUL>.\r\n");
+    }
+    return 1;
+}
+
+int binmode;
+
+static int
+togbinary(int val)
+{
+    donebinarytoggle = 1;
+
+    if (val >= 0) {
+	binmode = val;
+    } else {
+	if (my_want_state_is_will(TELOPT_BINARY) &&
+				my_want_state_is_do(TELOPT_BINARY)) {
+	    binmode = 1;
+	} else if (my_want_state_is_wont(TELOPT_BINARY) &&
+				my_want_state_is_dont(TELOPT_BINARY)) {
+	    binmode = 0;
+	}
+	val = binmode ? 0 : 1;
+    }
+
+    if (val == 1) {
+	if (my_want_state_is_will(TELOPT_BINARY) &&
+					my_want_state_is_do(TELOPT_BINARY)) {
+	    printf("Already operating in binary mode with remote host.\r\n");
+	} else {
+	    printf("Negotiating binary mode with remote host.\r\n");
+	    tel_enter_binary(3);
+	}
+    } else {
+	if (my_want_state_is_wont(TELOPT_BINARY) &&
+					my_want_state_is_dont(TELOPT_BINARY)) {
+	    printf("Already in network ascii mode with remote host.\r\n");
+	} else {
+	    printf("Negotiating network ascii mode with remote host.\r\n");
+	    tel_leave_binary(3);
+	}
+    }
+    return 1;
+}
+
+static int
+togrbinary(int val)
+{
+    donebinarytoggle = 1;
+
+    if (val == -1)
+	val = my_want_state_is_do(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+	if (my_want_state_is_do(TELOPT_BINARY)) {
+	    printf("Already receiving in binary mode.\r\n");
+	} else {
+	    printf("Negotiating binary mode on input.\r\n");
+	    tel_enter_binary(1);
+	}
+    } else {
+	if (my_want_state_is_dont(TELOPT_BINARY)) {
+	    printf("Already receiving in network ascii mode.\r\n");
+	} else {
+	    printf("Negotiating network ascii mode on input.\r\n");
+	    tel_leave_binary(1);
+	}
+    }
+    return 1;
+}
+
+static int
+togxbinary(int val)
+{
+    donebinarytoggle = 1;
+
+    if (val == -1)
+	val = my_want_state_is_will(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+	if (my_want_state_is_will(TELOPT_BINARY)) {
+	    printf("Already transmitting in binary mode.\r\n");
+	} else {
+	    printf("Negotiating binary mode on output.\r\n");
+	    tel_enter_binary(2);
+	}
+    } else {
+	if (my_want_state_is_wont(TELOPT_BINARY)) {
+	    printf("Already transmitting in network ascii mode.\r\n");
+	} else {
+	    printf("Negotiating network ascii mode on output.\r\n");
+	    tel_leave_binary(2);
+	}
+    }
+    return 1;
+}
+
+
+static int togglehelp (void);
+#if	defined(AUTHENTICATION)
+extern int auth_togdebug (int);
+#endif
+#if	defined(ENCRYPTION)
+extern int EncryptAutoEnc (int);
+extern int EncryptAutoDec (int);
+extern int EncryptDebug (int);
+extern int EncryptVerbose (int);
+#endif
+
+struct togglelist {
+    char	*name;		/* name of toggle */
+    char	*help;		/* help message */
+    int		(*handler)();	/* routine to do actual setting */
+    int		*variable;
+    char	*actionexplanation;
+};
+
+static struct togglelist Togglelist[] = {
+    { "autoflush",
+	"flushing of output when sending interrupt characters",
+	    0,
+		&autoflush,
+		    "flush output when sending interrupt characters" },
+    { "autosynch",
+	"automatic sending of interrupt characters in urgent mode",
+	    0,
+		&autosynch,
+		    "send interrupt characters in urgent mode" },
+#if	defined(AUTHENTICATION)
+    { "autologin",
+	"automatic sending of login and/or authentication info",
+	    0,
+		&autologin,
+		    "send login name and/or authentication information" },
+    { "authdebug",
+	"Toggle authentication debugging",
+	    auth_togdebug,
+		0,
+		     "print authentication debugging information" },
+#endif
+#if	defined(ENCRYPTION)
+    { "autoencrypt",
+	"automatic encryption of data stream",
+	    EncryptAutoEnc,
+		0,
+		    "automatically encrypt output" },
+    { "autodecrypt",
+	"automatic decryption of data stream",
+	    EncryptAutoDec,
+		0,
+		    "automatically decrypt input" },
+    { "verbose_encrypt",
+	"Toggle verbose encryption output",
+	    EncryptVerbose,
+		0,
+		    "print verbose encryption output" },
+    { "encdebug",
+	"Toggle encryption debugging",
+	    EncryptDebug,
+		0,
+		    "print encryption debugging information" },
+#endif
+    { "skiprc",
+	"don't read ~/.telnetrc file",
+	    0,
+		&skiprc,
+		    "skip reading of ~/.telnetrc file" },
+    { "binary",
+	"sending and receiving of binary data",
+	    togbinary,
+		0,
+		    0 },
+    { "inbinary",
+	"receiving of binary data",
+	    togrbinary,
+		0,
+		    0 },
+    { "outbinary",
+	"sending of binary data",
+	    togxbinary,
+		0,
+		    0 },
+    { "crlf",
+	"sending carriage returns as telnet <CR><LF>",
+	    togcrlf,
+		&crlf,
+		    0 },
+    { "crmod",
+	"mapping of received carriage returns",
+	    0,
+		&crmod,
+		    "map carriage return on output" },
+    { "localchars",
+	"local recognition of certain control characters",
+	    lclchars,
+		&localchars,
+		    "recognize certain control characters" },
+    { " ", "", 0 },		/* empty line */
+    { "debug",
+	"debugging",
+	    togdebug,
+		&debug,
+		    "turn on socket level debugging" },
+#if defined(KRB4) && defined(HAVE_KRB_DISABLE_DEBUG)
+    { "krb_debug",
+      "kerberos 4 debugging",
+      togkrbdebug,
+      &krb_debug,
+      "turn on kerberos 4 debugging" },
+#endif
+    { "netdata",
+	"printing of hexadecimal network data (debugging)",
+	    0,
+		&netdata,
+		    "print hexadecimal representation of network traffic" },
+    { "prettydump",
+	"output of \"netdata\" to user readable format (debugging)",
+	    0,
+		&prettydump,
+		    "print user readable output for \"netdata\"" },
+    { "options",
+	"viewing of options processing (debugging)",
+	    0,
+		&showoptions,
+		    "show option processing" },
+    { "termdata",
+	"(debugging) toggle printing of hexadecimal terminal data",
+	    0,
+		&termdata,
+		    "print hexadecimal representation of terminal traffic" },
+    { "?",
+	0,
+	    togglehelp },
+    { "help",
+	0,
+	    togglehelp },
+    { 0 }
+};
+
+static int
+togglehelp()
+{
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s toggle %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    printf("\r\n");
+    printf("%-15s %s\r\n", "?", "display help information");
+    return 0;
+}
+
+static void
+settogglehelp(int set)
+{
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s %s\r\n", c->name, set ? "enable" : "disable",
+						c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+}
+
+#define	GETTOGGLE(name) (struct togglelist *) \
+		genget(name, (char **) Togglelist, sizeof(struct togglelist))
+
+static int
+toggle(int argc, char *argv[])
+{
+    int retval = 1;
+    char *name;
+    struct togglelist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'toggle' command.  'toggle ?' for help.\r\n");
+	return 0;
+    }
+    argc--;
+    argv++;
+    while (argc--) {
+	name = *argv++;
+	c = GETTOGGLE(name);
+	if (Ambiguous(c)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('toggle ?' for help).\r\n",
+					name);
+	    return 0;
+	} else if (c == 0) {
+	    fprintf(stderr, "'%s': unknown argument ('toggle ?' for help).\r\n",
+					name);
+	    return 0;
+	} else {
+	    if (c->variable) {
+		*c->variable = !*c->variable;		/* invert it */
+		if (c->actionexplanation) {
+		    printf("%s %s.\r\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+		}
+	    }
+	    if (c->handler) {
+		retval &= (*c->handler)(-1);
+	    }
+	}
+    }
+    return retval;
+}
+
+/*
+ * The following perform the "set" command.
+ */
+
+struct termios new_tc = { 0 };
+
+struct setlist {
+    char *name;				/* name */
+    char *help;				/* help information */
+    void (*handler)();
+    cc_t *charp;			/* where it is located at */
+};
+
+static struct setlist Setlist[] = {
+#ifdef	KLUDGELINEMODE
+    { "echo", 	"character to toggle local echoing on/off", 0, &echoc },
+#endif
+    { "escape",	"character to escape back to telnet command mode", 0, &escape },
+    { "rlogin", "rlogin escape character", 0, &rlogin },
+    { "tracefile", "file to write trace information to", SetNetTrace, (cc_t *)NetTraceFile},
+    { " ", "" },
+    { " ", "The following need 'localchars' to be toggled true", 0, 0 },
+    { "flushoutput", "character to cause an Abort Output", 0, &termFlushChar },
+    { "interrupt", "character to cause an Interrupt Process", 0, &termIntChar },
+    { "quit",	"character to cause an Abort process", 0, &termQuitChar },
+    { "eof",	"character to cause an EOF ", 0, &termEofChar },
+    { " ", "" },
+    { " ", "The following are for local editing in linemode", 0, 0 },
+    { "erase",	"character to use to erase a character", 0, &termEraseChar },
+    { "kill",	"character to use to erase a line", 0, &termKillChar },
+    { "lnext",	"character to use for literal next", 0, &termLiteralNextChar },
+    { "susp",	"character to cause a Suspend Process", 0, &termSuspChar },
+    { "reprint", "character to use for line reprint", 0, &termRprntChar },
+    { "worderase", "character to use to erase a word", 0, &termWerasChar },
+    { "start",	"character to use for XON", 0, &termStartChar },
+    { "stop",	"character to use for XOFF", 0, &termStopChar },
+    { "forw1",	"alternate end of line character", 0, &termForw1Char },
+    { "forw2",	"alternate end of line character", 0, &termForw2Char },
+    { "ayt",	"alternate AYT character", 0, &termAytChar },
+    { 0 }
+};
+
+static struct setlist *
+getset(char *name)
+{
+    return (struct setlist *)
+		genget(name, (char **) Setlist, sizeof(struct setlist));
+}
+
+void
+set_escape_char(char *s)
+{
+	if (rlogin != _POSIX_VDISABLE) {
+		rlogin = (s && *s) ? special(s) : _POSIX_VDISABLE;
+		printf("Telnet rlogin escape character is '%s'.\r\n",
+					control(rlogin));
+	} else {
+		escape = (s && *s) ? special(s) : _POSIX_VDISABLE;
+		printf("Telnet escape character is '%s'.\r\n", control(escape));
+	}
+}
+
+static int
+setcmd(int argc, char *argv[])
+{
+    int value;
+    struct setlist *ct;
+    struct togglelist *c;
+
+    if (argc < 2 || argc > 3) {
+	printf("Format is 'set Name Value'\r\n'set ?' for help.\r\n");
+	return 0;
+    }
+    if ((argc == 2) && (isprefix(argv[1], "?") || isprefix(argv[1], "help"))) {
+	for (ct = Setlist; ct->name; ct++)
+	    printf("%-15s %s\r\n", ct->name, ct->help);
+	printf("\r\n");
+	settogglehelp(1);
+	printf("%-15s %s\r\n", "?", "display help information");
+	return 0;
+    }
+
+    ct = getset(argv[1]);
+    if (ct == 0) {
+	c = GETTOGGLE(argv[1]);
+	if (c == 0) {
+	    fprintf(stderr, "'%s': unknown argument ('set ?' for help).\r\n",
+			argv[1]);
+	    return 0;
+	} else if (Ambiguous(c)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\r\n",
+			argv[1]);
+	    return 0;
+	}
+	if (c->variable) {
+	    if ((argc == 2) || (strcmp("on", argv[2]) == 0))
+		*c->variable = 1;
+	    else if (strcmp("off", argv[2]) == 0)
+		*c->variable = 0;
+	    else {
+		printf("Format is 'set togglename [on|off]'\r\n'set ?' for help.\r\n");
+		return 0;
+	    }
+	    if (c->actionexplanation) {
+		printf("%s %s.\r\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+	    }
+	}
+	if (c->handler)
+	    (*c->handler)(1);
+    } else if (argc != 3) {
+	printf("Format is 'set Name Value'\r\n'set ?' for help.\r\n");
+	return 0;
+    } else if (Ambiguous(ct)) {
+	fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\r\n",
+			argv[1]);
+	return 0;
+    } else if (ct->handler) {
+	(*ct->handler)(argv[2]);
+	printf("%s set to \"%s\".\r\n", ct->name, (char *)ct->charp);
+    } else {
+	if (strcmp("off", argv[2])) {
+	    value = special(argv[2]);
+	} else {
+	    value = _POSIX_VDISABLE;
+	}
+	*(ct->charp) = (cc_t)value;
+	printf("%s character is '%s'.\r\n", ct->name, control(*(ct->charp)));
+    }
+    slc_check();
+    return 1;
+}
+
+static int
+unsetcmd(int argc, char *argv[])
+{
+    struct setlist *ct;
+    struct togglelist *c;
+    char *name;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'unset' command.  'unset ?' for help.\r\n");
+	return 0;
+    }
+    if (isprefix(argv[1], "?") || isprefix(argv[1], "help")) {
+	for (ct = Setlist; ct->name; ct++)
+	    printf("%-15s %s\r\n", ct->name, ct->help);
+	printf("\r\n");
+	settogglehelp(0);
+	printf("%-15s %s\r\n", "?", "display help information");
+	return 0;
+    }
+
+    argc--;
+    argv++;
+    while (argc--) {
+	name = *argv++;
+	ct = getset(name);
+	if (ct == 0) {
+	    c = GETTOGGLE(name);
+	    if (c == 0) {
+		fprintf(stderr, "'%s': unknown argument ('unset ?' for help).\r\n",
+			name);
+		return 0;
+	    } else if (Ambiguous(c)) {
+		fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\r\n",
+			name);
+		return 0;
+	    }
+	    if (c->variable) {
+		*c->variable = 0;
+		if (c->actionexplanation) {
+		    printf("%s %s.\r\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+		}
+	    }
+	    if (c->handler)
+		(*c->handler)(0);
+	} else if (Ambiguous(ct)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\r\n",
+			name);
+	    return 0;
+	} else if (ct->handler) {
+	    (*ct->handler)(0);
+	    printf("%s reset to \"%s\".\r\n", ct->name, (char *)ct->charp);
+	} else {
+	    *(ct->charp) = _POSIX_VDISABLE;
+	    printf("%s character is '%s'.\r\n", ct->name, control(*(ct->charp)));
+	}
+    }
+    return 1;
+}
+
+/*
+ * The following are the data structures and routines for the
+ * 'mode' command.
+ */
+#ifdef	KLUDGELINEMODE
+extern int kludgelinemode;
+
+static int
+dokludgemode(void)
+{
+    kludgelinemode = 1;
+    send_wont(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_SGA, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+#endif
+
+static int
+dolinemode()
+{
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode)
+	send_dont(TELOPT_SGA, 1);
+#endif
+    send_will(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+
+static int
+docharmode()
+{
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode)
+	send_do(TELOPT_SGA, 1);
+    else
+#endif
+    send_wont(TELOPT_LINEMODE, 1);
+    send_do(TELOPT_ECHO, 1);
+    return 1;
+}
+
+static int
+dolmmode(int bit, int on)
+{
+    unsigned char c;
+    extern int linemode;
+
+    if (my_want_state_is_wont(TELOPT_LINEMODE)) {
+	printf("?Need to have LINEMODE option enabled first.\r\n");
+	printf("'mode ?' for help.\r\n");
+ 	return 0;
+    }
+
+    if (on)
+	c = (linemode | bit);
+    else
+	c = (linemode & ~bit);
+    lm_mode(&c, 1, 1);
+    return 1;
+}
+
+static int
+tn_setmode(int bit)
+{
+    return dolmmode(bit, 1);
+}
+
+static int
+tn_clearmode(int bit)
+{
+    return dolmmode(bit, 0);
+}
+
+struct modelist {
+	char	*name;		/* command name */
+	char	*help;		/* help string */
+	int	(*handler)();	/* routine which executes command */
+	int	needconnect;	/* Do we need to be connected to execute? */
+	int	arg1;
+};
+
+static int modehelp(void);
+
+static struct modelist ModeList[] = {
+    { "character", "Disable LINEMODE option",	docharmode, 1 },
+#ifdef	KLUDGELINEMODE
+    { "",	"(or disable obsolete line-by-line mode)", 0 },
+#endif
+    { "line",	"Enable LINEMODE option",	dolinemode, 1 },
+#ifdef	KLUDGELINEMODE
+    { "",	"(or enable obsolete line-by-line mode)", 0 },
+#endif
+    { "", "", 0 },
+    { "",	"These require the LINEMODE option to be enabled", 0 },
+    { "isig",	"Enable signal trapping",	tn_setmode, 1, MODE_TRAPSIG },
+    { "+isig",	0,				tn_setmode, 1, MODE_TRAPSIG },
+    { "-isig",	"Disable signal trapping",	tn_clearmode, 1, MODE_TRAPSIG },
+    { "edit",	"Enable character editing",	tn_setmode, 1, MODE_EDIT },
+    { "+edit",	0,				tn_setmode, 1, MODE_EDIT },
+    { "-edit",	"Disable character editing",	tn_clearmode, 1, MODE_EDIT },
+    { "softtabs", "Enable tab expansion",	tn_setmode, 1, MODE_SOFT_TAB },
+    { "+softtabs", 0,				tn_setmode, 1, MODE_SOFT_TAB },
+    { "-softtabs", "Disable character editing",	tn_clearmode, 1, MODE_SOFT_TAB },
+    { "litecho", "Enable literal character echo", tn_setmode, 1, MODE_LIT_ECHO },
+    { "+litecho", 0,				tn_setmode, 1, MODE_LIT_ECHO },
+    { "-litecho", "Disable literal character echo", tn_clearmode, 1, MODE_LIT_ECHO },
+    { "help",	0,				modehelp, 0 },
+#ifdef	KLUDGELINEMODE
+    { "kludgeline", 0,				dokludgemode, 1 },
+#endif
+    { "", "", 0 },
+    { "?",	"Print help information",	modehelp, 0 },
+    { 0 },
+};
+
+
+static int
+modehelp(void)
+{
+    struct modelist *mt;
+
+    printf("format is:  'mode Mode', where 'Mode' is one of:\r\n\r\n");
+    for (mt = ModeList; mt->name; mt++) {
+	if (mt->help) {
+	    if (*mt->help)
+		printf("%-15s %s\r\n", mt->name, mt->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    return 0;
+}
+
+#define	GETMODECMD(name) (struct modelist *) \
+		genget(name, (char **) ModeList, sizeof(struct modelist))
+
+static int
+modecmd(int argc, char **argv)
+{
+    struct modelist *mt;
+
+    if (argc != 2) {
+	printf("'mode' command requires an argument\r\n");
+	printf("'mode ?' for help.\r\n");
+    } else if ((mt = GETMODECMD(argv[1])) == 0) {
+	fprintf(stderr, "Unknown mode '%s' ('mode ?' for help).\r\n", argv[1]);
+    } else if (Ambiguous(mt)) {
+	fprintf(stderr, "Ambiguous mode '%s' ('mode ?' for help).\r\n", argv[1]);
+    } else if (mt->needconnect && !connected) {
+	printf("?Need to be connected first.\r\n");
+	printf("'mode ?' for help.\r\n");
+    } else if (mt->handler) {
+	return (*mt->handler)(mt->arg1);
+    }
+    return 0;
+}
+
+/*
+ * The following data structures and routines implement the
+ * "display" command.
+ */
+
+static int
+display(int argc, char *argv[])
+{
+    struct togglelist *tl;
+    struct setlist *sl;
+
+#define	dotog(tl)	if (tl->variable && tl->actionexplanation) { \
+			    if (*tl->variable) { \
+				printf("will"); \
+			    } else { \
+				printf("won't"); \
+			    } \
+			    printf(" %s.\r\n", tl->actionexplanation); \
+			}
+
+#define	doset(sl)   if (sl->name && *sl->name != ' ') { \
+			if (sl->handler == 0) \
+			    printf("%-15s [%s]\r\n", sl->name, control(*sl->charp)); \
+			else \
+			    printf("%-15s \"%s\"\r\n", sl->name, (char *)sl->charp); \
+		    }
+
+    if (argc == 1) {
+	for (tl = Togglelist; tl->name; tl++) {
+	    dotog(tl);
+	}
+	printf("\r\n");
+	for (sl = Setlist; sl->name; sl++) {
+	    doset(sl);
+	}
+    } else {
+	int i;
+
+	for (i = 1; i < argc; i++) {
+	    sl = getset(argv[i]);
+	    tl = GETTOGGLE(argv[i]);
+	    if (Ambiguous(sl) || Ambiguous(tl)) {
+		printf("?Ambiguous argument '%s'.\r\n", argv[i]);
+		return 0;
+	    } else if (!sl && !tl) {
+		printf("?Unknown argument '%s'.\r\n", argv[i]);
+		return 0;
+	    } else {
+		if (tl) {
+		    dotog(tl);
+		}
+		if (sl) {
+		    doset(sl);
+		}
+	    }
+	}
+    }
+/*@*/optionstatus();
+#if	defined(ENCRYPTION)
+    EncryptStatus();
+#endif
+    return 1;
+#undef	doset
+#undef	dotog
+}
+
+/*
+ * The following are the data structures, and many of the routines,
+ * relating to command processing.
+ */
+
+/*
+ * Set the escape character.
+ */
+static int
+setescape(int argc, char *argv[])
+{
+	char *arg;
+	char buf[50];
+
+	printf(
+	    "Deprecated usage - please use 'set escape%s%s' in the future.\r\n",
+				(argc > 2)? " ":"", (argc > 2)? argv[1]: "");
+	if (argc > 2)
+		arg = argv[1];
+	else {
+		printf("new escape character: ");
+		fgets(buf, sizeof(buf), stdin);
+		arg = buf;
+	}
+	if (arg[0] != '\0')
+		escape = arg[0];
+	printf("Escape character is '%s'.\r\n", control(escape));
+
+	fflush(stdout);
+	return 1;
+}
+
+static int
+togcrmod()
+{
+    crmod = !crmod;
+    printf("Deprecated usage - please use 'toggle crmod' in the future.\r\n");
+    printf("%s map carriage return on output.\r\n", crmod ? "Will" : "Won't");
+    fflush(stdout);
+    return 1;
+}
+
+static int
+telnetsuspend()
+{
+#ifdef	SIGTSTP
+    setcommandmode();
+    {
+	long oldrows, oldcols, newrows, newcols, err;
+
+	err = (TerminalWindowSize(&oldrows, &oldcols) == 0) ? 1 : 0;
+	kill(0, SIGTSTP);
+	/*
+	 * If we didn't get the window size before the SUSPEND, but we
+	 * can get them now (?), then send the NAWS to make sure that
+	 * we are set up for the right window size.
+	 */
+	if (TerminalWindowSize(&newrows, &newcols) && connected &&
+	    (err || ((oldrows != newrows) || (oldcols != newcols)))) {
+		sendnaws();
+	}
+    }
+    /* reget parameters in case they were changed */
+    TerminalSaveState();
+    setconnmode(0);
+#else
+    printf("Suspend is not supported.  Try the '!' command instead\r\n");
+#endif
+    return 1;
+}
+
+static int
+shell(int argc, char **argv)
+{
+    long oldrows, oldcols, newrows, newcols, err;
+
+    setcommandmode();
+
+    err = (TerminalWindowSize(&oldrows, &oldcols) == 0) ? 1 : 0;
+    switch(fork()) {
+    case -1:
+	perror("Fork failed\r\n");
+	break;
+
+    case 0:
+	{
+	    /*
+	     * Fire up the shell in the child.
+	     */
+	    char *shellp, *shellname;
+
+	    shellp = getenv("SHELL");
+	    if (shellp == NULL)
+		shellp = "/bin/sh";
+	    if ((shellname = strrchr(shellp, '/')) == 0)
+		shellname = shellp;
+	    else
+		shellname++;
+	    if (argc > 1)
+		execl(shellp, shellname, "-c", &saveline[1], 0);
+	    else
+		execl(shellp, shellname, 0);
+	    perror("Execl");
+	    _exit(1);
+	}
+    default:
+	    wait((int *)0);	/* Wait for the shell to complete */
+
+	    if (TerminalWindowSize(&newrows, &newcols) && connected &&
+		(err || ((oldrows != newrows) || (oldcols != newcols)))) {
+		    sendnaws();
+	    }
+	    break;
+    }
+    return 1;
+}
+
+static int
+bye(int argc, char **argv)
+{
+    extern int resettermname;
+
+    if (connected) {
+	shutdown(net, 2);
+	printf("Connection closed.\r\n");
+	NetClose(net);
+	connected = 0;
+	resettermname = 1;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	auth_encrypt_connect(connected);
+#endif
+	/* reset options */
+	tninit();
+    }
+    if ((argc != 2) || (strcmp(argv[1], "fromquit") != 0)) 
+	longjmp(toplevel, 1);
+    return 0;	/* NOTREACHED */
+}
+
+int
+quit(void)
+{
+	call(bye, "bye", "fromquit", 0);
+	Exit(0);
+	return 0; /*NOTREACHED*/
+}
+
+static int
+logout()
+{
+	send_do(TELOPT_LOGOUT, 1);
+	netflush();
+	return 1;
+}
+
+
+/*
+ * The SLC command.
+ */
+
+struct slclist {
+	char	*name;
+	char	*help;
+	void	(*handler)();
+	int	arg;
+};
+
+static void slc_help(void);
+
+struct slclist SlcList[] = {
+    { "export",	"Use local special character definitions",
+						slc_mode_export,	0 },
+    { "import",	"Use remote special character definitions",
+						slc_mode_import,	1 },
+    { "check",	"Verify remote special character definitions",
+						slc_mode_import,	0 },
+    { "help",	0,				slc_help,		0 },
+    { "?",	"Print help information",	slc_help,		0 },
+    { 0 },
+};
+
+static void
+slc_help(void)
+{
+    struct slclist *c;
+
+    for (c = SlcList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+}
+
+static struct slclist *
+getslc(char *name)
+{
+    return (struct slclist *)
+		genget(name, (char **) SlcList, sizeof(struct slclist));
+}
+
+static int
+slccmd(int argc, char **argv)
+{
+    struct slclist *c;
+
+    if (argc != 2) {
+	fprintf(stderr,
+	    "Need an argument to 'slc' command.  'slc ?' for help.\r\n");
+	return 0;
+    }
+    c = getslc(argv[1]);
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('slc ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('slc ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    (*c->handler)(c->arg);
+    slcstate();
+    return 1;
+}
+
+/*
+ * The ENVIRON command.
+ */
+
+struct envlist {
+	char	*name;
+	char	*help;
+	void	(*handler)();
+	int	narg;
+};
+
+static void env_help (void);
+
+struct envlist EnvList[] = {
+    { "define",	"Define an environment variable",
+						(void (*)())env_define,	2 },
+    { "undefine", "Undefine an environment variable",
+						env_undefine,	1 },
+    { "export",	"Mark an environment variable for automatic export",
+						env_export,	1 },
+    { "unexport", "Don't mark an environment variable for automatic export",
+						env_unexport,	1 },
+    { "send",	"Send an environment variable", env_send,	1 },
+    { "list",	"List the current environment variables",
+						env_list,	0 },
+    { "help",	0,				env_help,		0 },
+    { "?",	"Print help information",	env_help,		0 },
+    { 0 },
+};
+
+static void
+env_help()
+{
+    struct envlist *c;
+
+    for (c = EnvList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+}
+
+static struct envlist *
+getenvcmd(char *name)
+{
+    return (struct envlist *)
+		genget(name, (char **) EnvList, sizeof(struct envlist));
+}
+
+static int
+env_cmd(int argc, char **argv)
+{
+    struct envlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'environ' command.  'environ ?' for help.\r\n");
+	return 0;
+    }
+    c = getenvcmd(argv[1]);
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('environ ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('environ ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (c->narg + 2 != argc) {
+	fprintf(stderr,
+	    "Need %s%d argument%s to 'environ %s' command.  'environ ?' for help.\r\n",
+		c->narg < argc + 2 ? "only " : "",
+		c->narg, c->narg == 1 ? "" : "s", c->name);
+	return 0;
+    }
+    (*c->handler)(argv[2], argv[3]);
+    return 1;
+}
+
+struct env_lst {
+	struct env_lst *next;	/* pointer to next structure */
+	struct env_lst *prev;	/* pointer to previous structure */
+	unsigned char *var;	/* pointer to variable name */
+	unsigned char *value;	/* pointer to variable value */
+	int export;		/* 1 -> export with default list of variables */
+	int welldefined;	/* A well defined variable */
+};
+
+struct env_lst envlisthead;
+
+struct env_lst *
+env_find(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	for (ep = envlisthead.next; ep; ep = ep->next) {
+		if (strcmp((char *)ep->var, (char *)var) == 0)
+			return(ep);
+	}
+	return(NULL);
+}
+
+#if IRIX == 4
+#define environ _environ
+#endif
+
+void
+env_init(void)
+{
+	extern char **environ;
+	char **epp, *cp;
+	struct env_lst *ep;
+
+	for (epp = environ; *epp; epp++) {
+		if ((cp = strchr(*epp, '='))) {
+			*cp = '\0';
+			ep = env_define((unsigned char *)*epp,
+					(unsigned char *)cp+1);
+			ep->export = 0;
+			*cp = '=';
+		}
+	}
+	/*
+	 * Special case for DISPLAY variable.  If it is ":0.0" or
+	 * "unix:0.0", we have to get rid of "unix" and insert our
+	 * hostname.
+	 */
+	if ((ep = env_find("DISPLAY"))
+	    && (*ep->value == ':'
+	    || strncmp((char *)ep->value, "unix:", 5) == 0)) {
+		char hbuf[256+1];
+		char *cp2 = strchr((char *)ep->value, ':');
+
+		/* XXX - should be k_gethostname? */
+		gethostname(hbuf, 256);
+		hbuf[256] = '\0';
+
+		/* If this is not the full name, try to get it via DNS */
+		if (strchr(hbuf, '.') == 0) {
+			struct hostent *he = roken_gethostbyname(hbuf);
+			if (he != NULL)
+				strlcpy(hbuf, he->h_name, 256);
+		}
+
+		asprintf (&cp, "%s%s", hbuf, cp2);
+		free (ep->value);
+		ep->value = (unsigned char *)cp;
+	}
+	/*
+	 * If USER is not defined, but LOGNAME is, then add
+	 * USER with the value from LOGNAME.  By default, we
+	 * don't export the USER variable.
+	 */
+	if ((env_find("USER") == NULL) && (ep = env_find("LOGNAME"))) {
+		env_define((unsigned char *)"USER", ep->value);
+		env_unexport((unsigned char *)"USER");
+	}
+	env_export((unsigned char *)"DISPLAY");
+	env_export((unsigned char *)"PRINTER");
+	env_export((unsigned char *)"XAUTHORITY");
+}
+
+struct env_lst *
+env_define(unsigned char *var, unsigned char *value)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var))) {
+		if (ep->var)
+			free(ep->var);
+		if (ep->value)
+			free(ep->value);
+	} else {
+		ep = (struct env_lst *)malloc(sizeof(struct env_lst));
+		ep->next = envlisthead.next;
+		envlisthead.next = ep;
+		ep->prev = &envlisthead;
+		if (ep->next)
+			ep->next->prev = ep;
+	}
+	ep->welldefined = opt_welldefined((char *)var);
+	ep->export = 1;
+	ep->var = (unsigned char *)strdup((char *)var);
+	ep->value = (unsigned char *)strdup((char *)value);
+	return(ep);
+}
+
+void
+env_undefine(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var))) {
+		ep->prev->next = ep->next;
+		if (ep->next)
+			ep->next->prev = ep->prev;
+		if (ep->var)
+			free(ep->var);
+		if (ep->value)
+			free(ep->value);
+		free(ep);
+	}
+}
+
+void
+env_export(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		ep->export = 1;
+}
+
+void
+env_unexport(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		ep->export = 0;
+}
+
+void
+env_send(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if (my_state_is_wont(TELOPT_NEW_ENVIRON)
+#ifdef	OLD_ENVIRON
+	    && my_state_is_wont(TELOPT_OLD_ENVIRON)
+#endif
+		) {
+		fprintf(stderr,
+		    "Cannot send '%s': Telnet ENVIRON option not enabled\r\n",
+									var);
+		return;
+	}
+	ep = env_find(var);
+	if (ep == 0) {
+		fprintf(stderr, "Cannot send '%s': variable not defined\r\n",
+									var);
+		return;
+	}
+	env_opt_start_info();
+	env_opt_add(ep->var);
+	env_opt_end(0);
+}
+
+void
+env_list(void)
+{
+	struct env_lst *ep;
+
+	for (ep = envlisthead.next; ep; ep = ep->next) {
+		printf("%c %-20s %s\r\n", ep->export ? '*' : ' ',
+					ep->var, ep->value);
+	}
+}
+
+unsigned char *
+env_default(int init, int welldefined)
+{
+	static struct env_lst *nep = NULL;
+
+	if (init) {
+		nep = &envlisthead;
+		return NULL;
+	}
+	if (nep) {
+		while ((nep = nep->next)) {
+			if (nep->export && (nep->welldefined == welldefined))
+				return(nep->var);
+		}
+	}
+	return(NULL);
+}
+
+unsigned char *
+env_getvalue(unsigned char *var)
+{
+	struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		return(ep->value);
+	return(NULL);
+}
+
+
+#if	defined(AUTHENTICATION)
+/*
+ * The AUTHENTICATE command.
+ */
+
+struct authlist {
+	char	*name;
+	char	*help;
+	int	(*handler)();
+	int	narg;
+};
+
+static int
+	auth_help (void);
+
+struct authlist AuthList[] = {
+    { "status",	"Display current status of authentication information",
+						auth_status,	0 },
+    { "disable", "Disable an authentication type ('auth disable ?' for more)",
+						auth_disable,	1 },
+    { "enable", "Enable an authentication type ('auth enable ?' for more)",
+						auth_enable,	1 },
+    { "help",	0,				auth_help,		0 },
+    { "?",	"Print help information",	auth_help,		0 },
+    { 0 },
+};
+
+static int
+auth_help()
+{
+    struct authlist *c;
+
+    for (c = AuthList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    return 0;
+}
+
+static int
+auth_cmd(int argc, char **argv)
+{
+    struct authlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'auth' command.  'auth ?' for help.\r\n");
+	return 0;
+    }
+
+    c = (struct authlist *)
+		genget(argv[1], (char **) AuthList, sizeof(struct authlist));
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('auth ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('auth ?' for help).\r\n",
+    				argv[1]);
+	return 0;
+    }
+    if (c->narg + 2 != argc) {
+	fprintf(stderr,
+	    "Need %s%d argument%s to 'auth %s' command.  'auth ?' for help.\r\n",
+		c->narg < argc + 2 ? "only " : "",
+		c->narg, c->narg == 1 ? "" : "s", c->name);
+	return 0;
+    }
+    return((*c->handler)(argv[2], argv[3]));
+}
+#endif
+
+
+#if	defined(ENCRYPTION)
+/*
+ * The ENCRYPT command.
+ */
+
+struct encryptlist {
+	char	*name;
+	char	*help;
+	int	(*handler)();
+	int	needconnect;
+	int	minarg;
+	int	maxarg;
+};
+
+static int
+	EncryptHelp (void);
+
+struct encryptlist EncryptList[] = {
+    { "enable", "Enable encryption. ('encrypt enable ?' for more)",
+						EncryptEnable, 1, 1, 2 },
+    { "disable", "Disable encryption. ('encrypt enable ?' for more)",
+						EncryptDisable, 0, 1, 2 },
+    { "type", "Set encryptiong type. ('encrypt type ?' for more)",
+						EncryptType, 0, 1, 1 },
+    { "start", "Start encryption. ('encrypt start ?' for more)",
+						EncryptStart, 1, 0, 1 },
+    { "stop", "Stop encryption. ('encrypt stop ?' for more)",
+						EncryptStop, 1, 0, 1 },
+    { "input", "Start encrypting the input stream",
+						EncryptStartInput, 1, 0, 0 },
+    { "-input", "Stop encrypting the input stream",
+						EncryptStopInput, 1, 0, 0 },
+    { "output", "Start encrypting the output stream",
+						EncryptStartOutput, 1, 0, 0 },
+    { "-output", "Stop encrypting the output stream",
+						EncryptStopOutput, 1, 0, 0 },
+
+    { "status",	"Display current status of authentication information",
+						EncryptStatus,	0, 0, 0 },
+    { "help",	0,				EncryptHelp,	0, 0, 0 },
+    { "?",	"Print help information",	EncryptHelp,	0, 0, 0 },
+    { 0 },
+};
+
+static int
+EncryptHelp()
+{
+    struct encryptlist *c;
+
+    for (c = EncryptList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\r\n", c->name, c->help);
+	    else
+		printf("\r\n");
+	}
+    }
+    return 0;
+}
+
+static int
+encrypt_cmd(int argc, char **argv)
+{
+    struct encryptlist *c;
+
+    c = (struct encryptlist *)
+		genget(argv[1], (char **) EncryptList, sizeof(struct encryptlist));
+    if (c == 0) {
+        fprintf(stderr, "'%s': unknown argument ('encrypt ?' for help).\r\n",
+    				argv[1]);
+        return 0;
+    }
+    if (Ambiguous(c)) {
+        fprintf(stderr, "'%s': ambiguous argument ('encrypt ?' for help).\r\n",
+    				argv[1]);
+        return 0;
+    }
+    argc -= 2;
+    if (argc < c->minarg || argc > c->maxarg) {
+	if (c->minarg == c->maxarg) {
+	    fprintf(stderr, "Need %s%d argument%s ",
+		c->minarg < argc ? "only " : "", c->minarg,
+		c->minarg == 1 ? "" : "s");
+	} else {
+	    fprintf(stderr, "Need %s%d-%d arguments ",
+		c->maxarg < argc ? "only " : "", c->minarg, c->maxarg);
+	}
+	fprintf(stderr, "to 'encrypt %s' command.  'encrypt ?' for help.\r\n",
+		c->name);
+	return 0;
+    }
+    if (c->needconnect && !connected) {
+	if (!(argc && (isprefix(argv[2], "help") || isprefix(argv[2], "?")))) {
+	    printf("?Need to be connected first.\r\n");
+	    return 0;
+	}
+    }
+    return ((*c->handler)(argc > 0 ? argv[2] : 0,
+			argc > 1 ? argv[3] : 0,
+			argc > 2 ? argv[4] : 0));
+}
+#endif
+
+
+/*
+ * Print status about the connection.
+ */
+
+static int
+status(int argc, char **argv)
+{
+    if (connected) {
+	printf("Connected to %s.\r\n", hostname);
+	if ((argc < 2) || strcmp(argv[1], "notmuch")) {
+	    int mode = getconnmode();
+
+	    if (my_want_state_is_will(TELOPT_LINEMODE)) {
+		printf("Operating with LINEMODE option\r\n");
+		printf("%s line editing\r\n", (mode&MODE_EDIT) ? "Local" : "No");
+		printf("%s catching of signals\r\n",
+					(mode&MODE_TRAPSIG) ? "Local" : "No");
+		slcstate();
+#ifdef	KLUDGELINEMODE
+	    } else if (kludgelinemode && my_want_state_is_dont(TELOPT_SGA)) {
+		printf("Operating in obsolete linemode\r\n");
+#endif
+	    } else {
+		printf("Operating in single character mode\r\n");
+		if (localchars)
+		    printf("Catching signals locally\r\n");
+	    }
+	    printf("%s character echo\r\n", (mode&MODE_ECHO) ? "Local" : "Remote");
+	    if (my_want_state_is_will(TELOPT_LFLOW))
+		printf("%s flow control\r\n", (mode&MODE_FLOW) ? "Local" : "No");
+#if	defined(ENCRYPTION)
+	    encrypt_display();
+#endif
+	}
+    } else {
+	printf("No connection.\r\n");
+    }
+    printf("Escape character is '%s'.\r\n", control(escape));
+    fflush(stdout);
+    return 1;
+}
+
+#ifdef	SIGINFO
+/*
+ * Function that gets called when SIGINFO is received.
+ */
+void
+ayt_status(int ignore)
+{
+    call(status, "status", "notmuch", 0);
+}
+#endif
+
+static Command *getcmd(char *name);
+
+static void
+cmdrc(char *m1, char *m2)
+{
+    static char rcname[128];
+    Command *c;
+    FILE *rcfile;
+    int gotmachine = 0;
+    int l1 = strlen(m1);
+    int l2 = strlen(m2);
+    char m1save[64];
+
+    if (skiprc)
+	return;
+
+    strlcpy(m1save, m1, sizeof(m1save));
+    m1 = m1save;
+
+    if (rcname[0] == 0) {
+	char *home = getenv("HOME");
+
+	snprintf (rcname, sizeof(rcname), "%s/.telnetrc",
+		  home ? home : "");
+    }
+
+    if ((rcfile = fopen(rcname, "r")) == 0) {
+	return;
+    }
+
+    for (;;) {
+	if (fgets(line, sizeof(line), rcfile) == NULL)
+	    break;
+	if (line[0] == 0)
+	    break;
+	if (line[0] == '#')
+	    continue;
+	if (gotmachine) {
+	    if (!isspace(line[0]))
+		gotmachine = 0;
+	}
+	if (gotmachine == 0) {
+	    if (isspace(line[0]))
+		continue;
+	    if (strncasecmp(line, m1, l1) == 0)
+		strncpy(line, &line[l1], sizeof(line) - l1);
+	    else if (strncasecmp(line, m2, l2) == 0)
+		strncpy(line, &line[l2], sizeof(line) - l2);
+	    else if (strncasecmp(line, "DEFAULT", 7) == 0)
+		strncpy(line, &line[7], sizeof(line) - 7);
+	    else
+		continue;
+	    if (line[0] != ' ' && line[0] != '\t' && line[0] != '\n')
+		continue;
+	    gotmachine = 1;
+	}
+	makeargv();
+	if (margv[0] == 0)
+	    continue;
+	c = getcmd(margv[0]);
+	if (Ambiguous(c)) {
+	    printf("?Ambiguous command: %s\r\n", margv[0]);
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command: %s\r\n", margv[0]);
+	    continue;
+	}
+	/*
+	 * This should never happen...
+	 */
+	if (c->needconnect && !connected) {
+	    printf("?Need to be connected first for %s.\r\n", margv[0]);
+	    continue;
+	}
+	(*c->handler)(margc, margv);
+    }
+    fclose(rcfile);
+}
+
+int
+tn(int argc, char **argv)
+{
+    struct hostent *host = 0;
+#ifdef HAVE_IPV6
+    struct sockaddr_in6 sin6;
+#endif
+    struct sockaddr_in sin;
+    struct sockaddr *sa = NULL;
+    int sa_size = 0;
+    struct servent *sp = 0;
+    unsigned long temp;
+    extern char *inet_ntoa();
+#if defined(IP_OPTIONS) && defined(IPPROTO_IP)
+    char *srp = 0;
+    int srlen;
+#endif
+    char *cmd, *hostp = 0, *portp = 0;
+    char *user = 0;
+    int family, port = 0;
+    char **addr_list;
+
+    /* clear the socket address prior to use */
+
+    if (connected) {
+	printf("?Already connected to %s\r\n", hostname);
+	setuid(getuid());
+	return 0;
+    }
+    if (argc < 2) {
+	strlcpy(line, "open ", sizeof(line));
+	printf("(to) ");
+	fgets(&line[strlen(line)], sizeof(line) - strlen(line), stdin);
+	makeargv();
+	argc = margc;
+	argv = margv;
+    }
+    cmd = *argv;
+    --argc; ++argv;
+    while (argc) {
+	if (strcmp(*argv, "help") == 0 || isprefix(*argv, "?"))
+	    goto usage;
+	if (strcmp(*argv, "-l") == 0) {
+	    --argc; ++argv;
+	    if (argc == 0)
+		goto usage;
+	    user = strdup(*argv++);
+	    --argc;
+	    continue;
+	}
+	if (strcmp(*argv, "-a") == 0) {
+	    --argc; ++argv;
+	    autologin = 1;
+	    continue;
+	}
+	if (hostp == 0) {
+	    hostp = *argv++;
+	    --argc;
+	    continue;
+	}
+	if (portp == 0) {
+	    portp = *argv++;
+	    --argc;
+	    continue;
+	}
+    usage:
+	printf("usage: %s [-l user] [-a] host-name [port]\r\n", cmd);
+	setuid(getuid());
+	return 0;
+    }
+    if (hostp == 0)
+	goto usage;
+
+#if	defined(IP_OPTIONS) && defined(IPPROTO_IP)
+    if (hostp[0] == '@' || hostp[0] == '!') {
+	if ((hostname = strrchr(hostp, ':')) == NULL)
+	    hostname = strrchr(hostp, '@');
+	hostname++;
+	srp = 0;
+	temp = sourceroute(hostp, &srp, &srlen);
+	if (temp == 0) {
+	    fprintf (stderr, "%s: %s\r\n", srp ? srp : "", hstrerror(h_errno));
+	    setuid(getuid());
+	    return 0;
+	} else if (temp == -1) {
+	    printf("Bad source route option: %s\r\n", hostp);
+	    setuid(getuid());
+	    return 0;
+	} else {
+	    abort();
+	}
+    } else {
+#endif
+	memset (&sin, 0, sizeof(sin));
+#ifdef HAVE_IPV6
+	memset (&sin6, 0, sizeof(sin6));
+
+	if(inet_pton(AF_INET6, hostp, &sin6.sin6_addr)) {
+	    sin6.sin6_family = family = AF_INET6;
+	    sa = (struct sockaddr *)&sin6;
+	    sa_size = sizeof(sin6);
+	    strlcpy(_hostname, hostp, sizeof(_hostname));
+	    hostname =_hostname;
+	} else
+#endif
+	if(inet_aton(hostp, &sin.sin_addr)){
+	    sin.sin_family = family = AF_INET;
+	    sa = (struct sockaddr *)&sin;
+	    sa_size = sizeof(sin);
+	    strlcpy(_hostname, hostp, sizeof(_hostname));
+	    hostname = _hostname;
+	} else {
+#ifdef HAVE_GETHOSTBYNAME2
+#ifdef HAVE_IPV6
+	    host = gethostbyname2(hostp, AF_INET6);
+	    if(host == NULL)
+#endif
+		host = gethostbyname2(hostp, AF_INET);
+#else
+	    host = roken_gethostbyname(hostp);
+#endif
+	    if (host) {
+		strlcpy(_hostname, host->h_name, sizeof(_hostname));
+		family = host->h_addrtype;
+		addr_list = host->h_addr_list;
+
+		switch(family) {
+		case AF_INET:
+		    memset(&sin, 0, sizeof(sin));
+		    sa_size = sizeof(sin);
+		    sa = (struct sockaddr *)&sin;
+		    sin.sin_family = family;
+		    sin.sin_addr   = *((struct in_addr *)(*addr_list));
+		    break;
+#ifdef HAVE_IPV6
+		case AF_INET6:
+		    memset(&sin6, 0, sizeof(sin6));
+		    sa_size = sizeof(sin6);
+		    sa = (struct sockaddr *)&sin6;
+		    sin6.sin6_family = family;
+		    sin6.sin6_addr   = *((struct in6_addr *)(*addr_list));
+		    break;
+#endif
+		default:
+		    fprintf(stderr, "Bad address family: %d\n", family);
+		    return 0;
+		}
+
+		_hostname[sizeof(_hostname)-1] = '\0';
+		hostname = _hostname;
+	    } else {
+	        fprintf (stderr, "%s: %s\r\n", hostp ? hostp : "",
+			 hstrerror(h_errno));
+		setuid(getuid());
+		return 0;
+	    }
+	}
+#if	defined(IP_OPTIONS) && defined(IPPROTO_IP)
+    }
+#endif
+    if (portp) {
+	if (*portp == '-') {
+	    portp++;
+	    telnetport = 1;
+	} else
+	    telnetport = 0;
+	port = atoi(portp);
+	if (port == 0) {
+	    sp = roken_getservbyname(portp, "tcp");
+	    if (sp)
+		port = sp->s_port;
+	    else {
+		printf("%s: bad port number\r\n", portp);
+		setuid(getuid());
+		return 0;
+	    }
+	} else {
+	    port = htons(port);
+	}
+    } else {
+	if (sp == 0) {
+	    sp = roken_getservbyname("telnet", "tcp");
+	    if (sp == 0) {
+		fprintf(stderr, "telnet: tcp/telnet: unknown service\r\n");
+		setuid(getuid());
+		return 0;
+	    }
+	    port = sp->s_port;
+	}
+	telnetport = 1;
+    }
+    do {
+	switch(family) {
+	case AF_INET:
+	    sin.sin_port = port;
+	    printf("Trying %s...\r\n", inet_ntoa(sin.sin_addr));
+	    break;
+#ifdef HAVE_IPV6
+	case AF_INET6: {
+#ifndef INET6_ADDRSTRLEN
+#define INET6_ADDRSTRLEN 46 
+#endif
+
+	    char buf[INET6_ADDRSTRLEN];
+
+	    sin6.sin6_port = port;
+#ifdef HAVE_INET_NTOP
+	    printf("Trying %s...\r\n", inet_ntop(AF_INET6,
+						 &sin6.sin6_addr,
+						 buf,
+						 sizeof(buf)));
+#endif
+	    break;
+	}
+#endif
+	default:
+	    abort();
+	}
+
+
+	net = socket(family, SOCK_STREAM, 0);
+	setuid(getuid());
+	if (net < 0) {
+	    perror("telnet: socket");
+	    return 0;
+	}
+#if	defined(IP_OPTIONS) && defined(IPPROTO_IP) && defined(HAVE_SETSOCKOPT)
+	if (srp && setsockopt(net, IPPROTO_IP, IP_OPTIONS, (void *)srp,
+			      srlen) < 0)
+		perror("setsockopt (IP_OPTIONS)");
+#endif
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+	{
+# if	defined(HAVE_GETTOSBYNAME)
+	    struct tosent *tp;
+	    if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+		tos = tp->t_tos;
+# endif
+	    if (tos < 0)
+		tos = 020;	/* Low Delay bit */
+	    if (tos
+		&& (setsockopt(net, IPPROTO_IP, IP_TOS,
+		    (void *)&tos, sizeof(int)) < 0)
+		&& (errno != ENOPROTOOPT))
+		    perror("telnet: setsockopt (IP_TOS) (ignored)");
+	}
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+
+	if (debug && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 1) < 0) {
+		perror("setsockopt (SO_DEBUG)");
+	}
+
+	if (connect(net, sa, sa_size) < 0) {
+	    if (host && addr_list[1]) {
+		int oerrno = errno;
+
+		switch(family) {
+		case AF_INET :
+		    fprintf(stderr, "telnet: connect to address %s: ",
+			    inet_ntoa(sin.sin_addr));
+		    sin.sin_addr = *((struct in_addr *)(*++addr_list));
+		    break;
+#ifdef HAVE_IPV6
+		case AF_INET6: {
+		    char buf[INET6_ADDRSTRLEN];
+
+		    fprintf(stderr, "telnet: connect to address %s: ",
+			    inet_ntop(AF_INET6, &sin6.sin6_addr, buf,
+				      sizeof(buf)));
+		    sin6.sin6_addr = *((struct in6_addr *)(*++addr_list));
+		    break;
+		}
+#endif
+		default:
+		    abort();
+		}
+		    
+		errno = oerrno;
+		perror(NULL);
+		NetClose(net);
+		continue;
+	    }
+	    perror("telnet: Unable to connect to remote host");
+	    return 0;
+	}
+	connected++;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	auth_encrypt_connect(connected);
+#endif
+    } while (connected == 0);
+    cmdrc(hostp, hostname);
+    if (autologin && user == NULL)
+	user = (char *)get_default_username ();
+    if (user) {
+	env_define((unsigned char *)"USER", (unsigned char *)user);
+	env_export((unsigned char *)"USER");
+    }
+    call(status, "status", "notmuch", 0);
+    if (setjmp(peerdied) == 0)
+	my_telnet((char *)user);
+    NetClose(net);
+    ExitString("Connection closed by foreign host.\r\n",1);
+    /*NOTREACHED*/
+    return 0;
+}
+
+#define HELPINDENT ((int)sizeof ("connect"))
+
+static char
+	openhelp[] =	"connect to a site",
+	closehelp[] =	"close current connection",
+	logouthelp[] =	"forcibly logout remote user and close the connection",
+	quithelp[] =	"exit telnet",
+	statushelp[] =	"print status information",
+	helphelp[] =	"print help information",
+	sendhelp[] =	"transmit special characters ('send ?' for more)",
+	sethelp[] = 	"set operating parameters ('set ?' for more)",
+	unsethelp[] = 	"unset operating parameters ('unset ?' for more)",
+	togglestring[] ="toggle operating parameters ('toggle ?' for more)",
+	slchelp[] =	"change state of special charaters ('slc ?' for more)",
+	displayhelp[] =	"display operating parameters",
+#if	defined(AUTHENTICATION)
+	authhelp[] =	"turn on (off) authentication ('auth ?' for more)",
+#endif
+#if	defined(ENCRYPTION)
+	encrypthelp[] =	"turn on (off) encryption ('encrypt ?' for more)",
+#endif
+	zhelp[] =	"suspend telnet",
+	shellhelp[] =	"invoke a subshell",
+	envhelp[] =	"change environment variables ('environ ?' for more)",
+	modestring[] = "try to enter line or character mode ('mode ?' for more)";
+
+static int help(int argc, char **argv);
+
+static Command cmdtab[] = {
+	{ "close",	closehelp,	bye,		1 },
+	{ "logout",	logouthelp,	logout,		1 },
+	{ "display",	displayhelp,	display,	0 },
+	{ "mode",	modestring,	modecmd,	0 },
+	{ "open",	openhelp,	tn,		0 },
+	{ "quit",	quithelp,	quit,		0 },
+	{ "send",	sendhelp,	sendcmd,	0 },
+	{ "set",	sethelp,	setcmd,		0 },
+	{ "unset",	unsethelp,	unsetcmd,	0 },
+	{ "status",	statushelp,	status,		0 },
+	{ "toggle",	togglestring,	toggle,		0 },
+	{ "slc",	slchelp,	slccmd,		0 },
+#if	defined(AUTHENTICATION)
+	{ "auth",	authhelp,	auth_cmd,	0 },
+#endif
+#if	defined(ENCRYPTION)
+	{ "encrypt",	encrypthelp,	encrypt_cmd,	0 },
+#endif
+	{ "z",		zhelp,		telnetsuspend,	0 },
+	{ "!",		shellhelp,	shell,		0 },
+	{ "environ",	envhelp,	env_cmd,	0 },
+	{ "?",		helphelp,	help,		0 },
+	{ 0,            0,              0,              0 }
+};
+
+static char	crmodhelp[] =	"deprecated command -- use 'toggle crmod' instead";
+static char	escapehelp[] =	"deprecated command -- use 'set escape' instead";
+
+static Command cmdtab2[] = {
+	{ "help",	0,		help,		0 },
+	{ "escape",	escapehelp,	setescape,	0 },
+	{ "crmod",	crmodhelp,	togcrmod,	0 },
+	{ 0,            0,		0, 		0 }
+};
+
+
+/*
+ * Call routine with argc, argv set from args (terminated by 0).
+ */
+
+static int
+call(intrtn_t routine, ...)
+{
+    va_list ap;
+    char *args[100];
+    int argno = 0;
+
+    va_start(ap, routine);
+    while ((args[argno++] = va_arg(ap, char *)) != 0);
+    va_end(ap);
+    return (*routine)(argno-1, args);
+}
+
+
+static Command
+*getcmd(char *name)
+{
+    Command *cm;
+
+    if ((cm = (Command *) genget(name, (char **) cmdtab, sizeof(Command))))
+	return cm;
+    return (Command *) genget(name, (char **) cmdtab2, sizeof(Command));
+}
+
+void
+command(int top, char *tbuf, int cnt)
+{
+    Command *c;
+
+    setcommandmode();
+    if (!top) {
+	putchar('\n');
+    } else {
+	signal(SIGINT, SIG_DFL);
+	signal(SIGQUIT, SIG_DFL);
+    }
+    for (;;) {
+	if (rlogin == _POSIX_VDISABLE)
+		printf("%s> ", prompt);
+	if (tbuf) {
+	    char *cp;
+	    cp = line;
+	    while (cnt > 0 && (*cp++ = *tbuf++) != '\n')
+		cnt--;
+	    tbuf = 0;
+	    if (cp == line || *--cp != '\n' || cp == line)
+		goto getline;
+	    *cp = '\0';
+	    if (rlogin == _POSIX_VDISABLE)
+		printf("%s\r\n", line);
+	} else {
+	getline:
+	    if (rlogin != _POSIX_VDISABLE)
+		printf("%s> ", prompt);
+	    if (fgets(line, sizeof(line), stdin) == NULL) {
+		if (feof(stdin) || ferror(stdin)) {
+		    quit();
+		    /*NOTREACHED*/
+		}
+		break;
+	    }
+	}
+	if (line[0] == 0)
+	    break;
+	makeargv();
+	if (margv[0] == 0) {
+	    break;
+	}
+	c = getcmd(margv[0]);
+	if (Ambiguous(c)) {
+	    printf("?Ambiguous command\r\n");
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command\r\n");
+	    continue;
+	}
+	if (c->needconnect && !connected) {
+	    printf("?Need to be connected first.\r\n");
+	    continue;
+	}
+	if ((*c->handler)(margc, margv)) {
+	    break;
+	}
+    }
+    if (!top) {
+	if (!connected) {
+	    longjmp(toplevel, 1);
+	    /*NOTREACHED*/
+	}
+	setconnmode(0);
+    }
+}
+
+/*
+ * Help command.
+ */
+static int
+help(int argc, char **argv)
+{
+	Command *c;
+
+	if (argc == 1) {
+		printf("Commands may be abbreviated.  Commands are:\r\n\r\n");
+		for (c = cmdtab; c->name; c++)
+			if (c->help) {
+				printf("%-*s\t%s\r\n", HELPINDENT, c->name,
+								    c->help);
+			}
+		return 0;
+	}
+	while (--argc > 0) {
+		char *arg;
+		arg = *++argv;
+		c = getcmd(arg);
+		if (Ambiguous(c))
+			printf("?Ambiguous help command %s\r\n", arg);
+		else if (c == (Command *)0)
+			printf("?Invalid help command %s\r\n", arg);
+		else
+			printf("%s\r\n", c->help);
+	}
+	return 0;
+}
+
+
+#if	defined(IP_OPTIONS) && defined(IPPROTO_IP)
+
+/*
+ * Source route is handed in as
+ *	[!]@hop1@hop2...[@|:]dst
+ * If the leading ! is present, it is a
+ * strict source route, otherwise it is
+ * assmed to be a loose source route.
+ *
+ * We fill in the source route option as
+ *	hop1,hop2,hop3...dest
+ * and return a pointer to hop1, which will
+ * be the address to connect() to.
+ *
+ * Arguments:
+ *	arg:	pointer to route list to decipher
+ *
+ *	cpp: 	If *cpp is not equal to NULL, this is a
+ *		pointer to a pointer to a character array
+ *		that should be filled in with the option.
+ *
+ *	lenp:	pointer to an integer that contains the
+ *		length of *cpp if *cpp != NULL.
+ *
+ * Return values:
+ *
+ *	Returns the address of the host to connect to.  If the
+ *	return value is -1, there was a syntax error in the
+ *	option, either unknown characters, or too many hosts.
+ *	If the return value is 0, one of the hostnames in the
+ *	path is unknown, and *cpp is set to point to the bad
+ *	hostname.
+ *
+ *	*cpp:	If *cpp was equal to NULL, it will be filled
+ *		in with a pointer to our static area that has
+ *		the option filled in.  This will be 32bit aligned.
+ *
+ *	*lenp:	This will be filled in with how long the option
+ *		pointed to by *cpp is.
+ *
+ */
+unsigned long
+sourceroute(char *arg, char **cpp, int *lenp)
+{
+	static char lsr[44];
+	char *cp, *cp2, *lsrp, *lsrep;
+	int tmp;
+	struct in_addr sin_addr;
+	struct hostent *host = 0;
+	char c;
+
+	/*
+	 * Verify the arguments, and make sure we have
+	 * at least 7 bytes for the option.
+	 */
+	if (cpp == NULL || lenp == NULL)
+		return((unsigned long)-1);
+	if (*cpp != NULL && *lenp < 7)
+		return((unsigned long)-1);
+	/*
+	 * Decide whether we have a buffer passed to us,
+	 * or if we need to use our own static buffer.
+	 */
+	if (*cpp) {
+		lsrp = *cpp;
+		lsrep = lsrp + *lenp;
+	} else {
+		*cpp = lsrp = lsr;
+		lsrep = lsrp + 44;
+	}
+
+	cp = arg;
+
+	/*
+	 * Next, decide whether we have a loose source
+	 * route or a strict source route, and fill in
+	 * the begining of the option.
+	 */
+	if (*cp == '!') {
+		cp++;
+		*lsrp++ = IPOPT_SSRR;
+	} else
+		*lsrp++ = IPOPT_LSRR;
+
+	if (*cp != '@')
+		return((unsigned long)-1);
+
+	lsrp++;		/* skip over length, we'll fill it in later */
+	*lsrp++ = 4;
+
+	cp++;
+
+	sin_addr.s_addr = 0;
+
+	for (c = 0;;) {
+		if (c == ':')
+			cp2 = 0;
+		else for (cp2 = cp; (c = *cp2); cp2++) {
+			if (c == ',') {
+				*cp2++ = '\0';
+				if (*cp2 == '@')
+					cp2++;
+			} else if (c == '@') {
+				*cp2++ = '\0';
+			} else if (c == ':') {
+				*cp2++ = '\0';
+			} else
+				continue;
+			break;
+		}
+		if (!c)
+			cp2 = 0;
+
+		if ((tmp = inet_addr(cp)) != -1) {
+			sin_addr.s_addr = tmp;
+		} else if ((host = roken_gethostbyname(cp))) {
+			memmove(&sin_addr,
+				host->h_addr_list[0],
+				sizeof(sin_addr));
+		} else {
+			*cpp = cp;
+			return(0);
+		}
+		memmove(lsrp, &sin_addr, 4);
+		lsrp += 4;
+		if (cp2)
+			cp = cp2;
+		else
+			break;
+		/*
+		 * Check to make sure there is space for next address
+		 */
+		if (lsrp + 4 > lsrep)
+			return((unsigned long)-1);
+	}
+	if ((*(*cpp+IPOPT_OLEN) = lsrp - *cpp) <= 7) {
+		*cpp = 0;
+		*lenp = 0;
+		return((unsigned long)-1);
+	}
+	*lsrp++ = IPOPT_NOP; /* 32 bit word align it */
+	*lenp = lsrp - *cpp;
+	return(sin_addr.s_addr);
+}
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/telnet/defines.h b/crypto/kerberosIV/appl/telnet/telnet/defines.h
new file mode 100644
index 0000000..5c1ac2b
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/defines.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)defines.h	8.1 (Berkeley) 6/6/93
+ */
+
+#define	settimer(x)	clocks.x = clocks.system++
+
+#define	NETADD(c)	{ *netoring.supply = c; ring_supplied(&netoring, 1); }
+#define	NET2ADD(c1,c2)	{ NETADD(c1); NETADD(c2); }
+#define	NETBYTES()	(ring_full_count(&netoring))
+#define	NETROOM()	(ring_empty_count(&netoring))
+
+#define	TTYADD(c)	if (!(SYNCHing||flushout)) { \
+				*ttyoring.supply = c; \
+				ring_supplied(&ttyoring, 1); \
+			}
+#define	TTYBYTES()	(ring_full_count(&ttyoring))
+#define	TTYROOM()	(ring_empty_count(&ttyoring))
+
+/*	Various modes */
+#define	MODE_LOCAL_CHARS(m)	((m)&(MODE_EDIT|MODE_TRAPSIG))
+#define	MODE_LOCAL_ECHO(m)	((m)&MODE_ECHO)
+#define	MODE_COMMAND_LINE(m)	((m)==-1)
+
+#define	CONTROL(x)	((x)&0x1f)		/* CTRL(x) is not portable */
+
+
+/* XXX extra mode bits, these should be synced with <arpa/telnet.h> */
+
+#define MODE_OUT8	0x8000 /* binary mode sans -opost */
diff --git a/crypto/kerberosIV/appl/telnet/telnet/externs.h b/crypto/kerberosIV/appl/telnet/telnet/externs.h
new file mode 100644
index 0000000..f8b1668
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/externs.h
@@ -0,0 +1,429 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)externs.h	8.3 (Berkeley) 5/30/95
+ */
+
+/* $Id: externs.h,v 1.18 1998/07/09 23:16:36 assar Exp $ */
+
+#ifndef	BSD
+# define BSD 43
+#endif
+
+#ifndef	_POSIX_VDISABLE
+# ifdef sun
+#  include <sys/param.h>	/* pick up VDISABLE definition, mayby */
+# endif
+# ifdef VDISABLE
+#  define _POSIX_VDISABLE VDISABLE
+# else
+#  define _POSIX_VDISABLE ((cc_t)'\377')
+# endif
+#endif
+
+#define	SUBBUFSIZE	256
+
+extern int
+    autologin,		/* Autologin enabled */
+    skiprc,		/* Don't process the ~/.telnetrc file */
+    eight,		/* use eight bit mode (binary in and/or out */
+    binary,
+    flushout,		/* flush output */
+    connected,		/* Are we connected to the other side? */
+    globalmode,		/* Mode tty should be in */
+    telnetport,		/* Are we connected to the telnet port? */
+    localflow,		/* Flow control handled locally */
+    restartany,		/* If flow control, restart output on any character */
+    localchars,		/* we recognize interrupt/quit */
+    donelclchars,	/* the user has set "localchars" */
+    showoptions,
+    net,		/* Network file descriptor */
+    tin,		/* Terminal input file descriptor */
+    tout,		/* Terminal output file descriptor */
+    crlf,		/* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+    autoflush,		/* flush output when interrupting? */
+    autosynch,		/* send interrupt characters with SYNCH? */
+    SYNCHing,		/* Is the stream in telnet SYNCH mode? */
+    donebinarytoggle,	/* the user has put us in binary */
+    dontlecho,		/* do we suppress local echoing right now? */
+    crmod,
+    netdata,		/* Print out network data flow */
+    prettydump,		/* Print "netdata" output in user readable format */
+    termdata,		/* Print out terminal data flow */
+    debug;		/* Debug level */
+
+extern cc_t escape;	/* Escape to command mode */
+extern cc_t rlogin;	/* Rlogin mode escape character */
+#ifdef	KLUDGELINEMODE
+extern cc_t echoc;	/* Toggle local echoing */
+#endif
+
+extern char
+    *prompt;		/* Prompt for command. */
+
+extern char
+    doopt[],
+    dont[],
+    will[],
+    wont[],
+    options[],		/* All the little options */
+    *hostname;		/* Who are we connected to? */
+#if	defined(ENCRYPTION)
+extern void (*encrypt_output) (unsigned char *, int);
+extern int (*decrypt_input) (int);
+#endif
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define	MY_STATE_WILL		0x01
+#define	MY_WANT_STATE_WILL	0x02
+#define	MY_STATE_DO		0x04
+#define	MY_WANT_STATE_DO	0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define	my_state_is_do(opt)		(options[opt]&MY_STATE_DO)
+#define	my_state_is_will(opt)		(options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)	(options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)	(options[opt]&MY_WANT_STATE_WILL)
+
+#define	my_state_is_dont(opt)		(!my_state_is_do(opt))
+#define	my_state_is_wont(opt)		(!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)	(!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)	(!my_want_state_is_will(opt))
+
+#define	set_my_state_do(opt)		{options[opt] |= MY_STATE_DO;}
+#define	set_my_state_will(opt)		{options[opt] |= MY_STATE_WILL;}
+#define	set_my_want_state_do(opt)	{options[opt] |= MY_WANT_STATE_DO;}
+#define	set_my_want_state_will(opt)	{options[opt] |= MY_WANT_STATE_WILL;}
+
+#define	set_my_state_dont(opt)		{options[opt] &= ~MY_STATE_DO;}
+#define	set_my_state_wont(opt)		{options[opt] &= ~MY_STATE_WILL;}
+#define	set_my_want_state_dont(opt)	{options[opt] &= ~MY_WANT_STATE_DO;}
+#define	set_my_want_state_wont(opt)	{options[opt] &= ~MY_WANT_STATE_WILL;}
+
+/*
+ * Make everything symetrical
+ */
+
+#define	HIS_STATE_WILL			MY_STATE_DO
+#define	HIS_WANT_STATE_WILL		MY_WANT_STATE_DO
+#define HIS_STATE_DO			MY_STATE_WILL
+#define HIS_WANT_STATE_DO		MY_WANT_STATE_WILL
+
+#define	his_state_is_do			my_state_is_will
+#define	his_state_is_will		my_state_is_do
+#define his_want_state_is_do		my_want_state_is_will
+#define his_want_state_is_will		my_want_state_is_do
+
+#define	his_state_is_dont		my_state_is_wont
+#define	his_state_is_wont		my_state_is_dont
+#define his_want_state_is_dont		my_want_state_is_wont
+#define his_want_state_is_wont		my_want_state_is_dont
+
+#define	set_his_state_do		set_my_state_will
+#define	set_his_state_will		set_my_state_do
+#define	set_his_want_state_do		set_my_want_state_will
+#define	set_his_want_state_will		set_my_want_state_do
+
+#define	set_his_state_dont		set_my_state_wont
+#define	set_his_state_wont		set_my_state_dont
+#define	set_his_want_state_dont		set_my_want_state_wont
+#define	set_his_want_state_wont		set_my_want_state_dont
+
+
+extern FILE
+    *NetTrace;		/* Where debugging output goes */
+extern char
+    NetTraceFile[];	/* Name of file where debugging output goes */
+extern void
+    SetNetTrace (char *);	/* Function to change where debugging goes */
+
+extern jmp_buf
+    peerdied,
+    toplevel;		/* For error conditions. */
+
+/* authenc.c */
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+int telnet_net_write(unsigned char *str, int len);
+void net_encrypt(void);
+int telnet_spin(void);
+char *telnet_getenv(char *val);
+char *telnet_gets(char *prompt, char *result, int length, int echo);
+#endif
+
+/* commands.c */
+
+struct env_lst *env_define (unsigned char *, unsigned char *);
+struct env_lst *env_find(unsigned char *var);
+void env_init (void);
+void env_undefine (unsigned char *);
+void env_export (unsigned char *);
+void env_unexport (unsigned char *);
+void env_send (unsigned char *);
+void env_list (void);
+unsigned char * env_default(int init, int welldefined);
+unsigned char * env_getvalue(unsigned char *var);
+
+void set_escape_char(char *s);
+unsigned long sourceroute(char *arg, char **cpp, int *lenp);
+
+#if	defined(AUTHENTICATION)
+int auth_enable (char *);
+int auth_disable (char *);
+int auth_status (void);
+#endif
+
+#if defined(ENCRYPTION)
+int 	EncryptEnable (char *, char *);
+int 	EncryptDisable (char *, char *);
+int 	EncryptType (char *, char *);
+int 	EncryptStart (char *);
+int 	EncryptStartInput (void);
+int 	EncryptStartOutput (void);
+int 	EncryptStop (char *);
+int 	EncryptStopInput (void);
+int 	EncryptStopOutput (void);
+int 	EncryptStatus (void);
+#endif
+
+#ifdef SIGINFO
+void ayt_status(int);
+#endif
+int tn(int argc, char **argv);
+void command(int top, char *tbuf, int cnt);
+
+/* main.c */
+
+void tninit(void);
+void usage(void);
+
+/* network.c */
+
+void init_network(void);
+int stilloob(void);
+void setneturg(void);
+int netflush(void);
+
+/* sys_bsd.c */
+
+void init_sys(void);
+int TerminalWrite(char *buf, int n);
+int TerminalRead(unsigned char *buf, int n);
+int TerminalAutoFlush(void);
+int TerminalSpecialChars(int c);
+void TerminalFlushOutput(void);
+void TerminalSaveState(void);
+void TerminalDefaultChars(void);
+void TerminalNewMode(int f);
+cc_t *tcval(int func);
+void TerminalSpeeds(long *input_speed, long *output_speed);
+int TerminalWindowSize(long *rows, long *cols);
+int NetClose(int fd);
+void NetNonblockingIO(int fd, int onoff);
+int process_rings(int netin, int netout, int netex, int ttyin, int ttyout,
+		  int poll);
+
+/* telnet.c */
+
+void init_telnet(void);
+
+void tel_leave_binary(int rw);
+void tel_enter_binary(int rw);
+int opt_welldefined(char *ep);
+int telrcv(void);
+int rlogin_susp(void);
+void intp(void);
+void sendbrk(void);
+void sendabort(void);
+void sendsusp(void);
+void sendeof(void);
+void sendayt(void);
+
+void xmitAO(void);
+void xmitEL(void);
+void xmitEC(void);
+
+
+void     Dump (char, unsigned char *, int);
+void     printoption (char *, int, int);
+void     printsub (int, unsigned char *, int);
+void     sendnaws (void);
+void     setconnmode (int);
+void     setcommandmode (void);
+void     setneturg (void);
+void     sys_telnet_init (void);
+void     my_telnet (char *);
+void     tel_enter_binary (int);
+void     TerminalFlushOutput (void);
+void     TerminalNewMode (int);
+void     TerminalRestoreState (void);
+void     TerminalSaveState (void);
+void     tninit (void);
+void     willoption (int);
+void     wontoption (int);
+
+
+void     send_do (int, int);
+void     send_dont (int, int);
+void     send_will (int, int);
+void     send_wont (int, int);
+
+void     lm_will (unsigned char *, int);
+void     lm_wont (unsigned char *, int);
+void     lm_do (unsigned char *, int);
+void     lm_dont (unsigned char *, int);
+void     lm_mode (unsigned char *, int, int);
+
+void     slc_init (void);
+void     slcstate (void);
+void     slc_mode_export (void);
+void     slc_mode_import (int);
+void     slc_import (int);
+void     slc_export (void);
+void     slc (unsigned char *, int);
+void     slc_check (void);
+void     slc_start_reply (void);
+void     slc_add_reply (unsigned char, unsigned char, cc_t);
+void     slc_end_reply (void);
+int	 slc_update (void);
+
+void     env_opt (unsigned char *, int);
+void     env_opt_start (void);
+void     env_opt_start_info (void);
+void     env_opt_add (unsigned char *);
+void     env_opt_end (int);
+
+unsigned char     *env_default (int, int);
+unsigned char     *env_getvalue (unsigned char *);
+
+int get_status (void);
+int dosynch (void);
+
+cc_t *tcval (int);
+
+int quit (void);
+
+/* terminal.c */
+
+void init_terminal(void);
+int ttyflush(int drop);
+int getconnmode(void);
+
+/* utilities.c */
+
+int SetSockOpt(int fd, int level, int option, int yesno);
+void SetNetTrace(char *file);
+void Dump(char direction, unsigned char *buffer, int length);
+void printoption(char *direction, int cmd, int option);
+void optionstatus(void);
+void printsub(int direction, unsigned char *pointer, int length);
+void EmptyTerminal(void);
+void SetForExit(void);
+void Exit(int returnCode);
+void ExitString(char *string, int returnCode);
+
+extern struct	termios new_tc;
+
+# define termEofChar		new_tc.c_cc[VEOF]
+# define termEraseChar		new_tc.c_cc[VERASE]
+# define termIntChar		new_tc.c_cc[VINTR]
+# define termKillChar		new_tc.c_cc[VKILL]
+# define termQuitChar		new_tc.c_cc[VQUIT]
+
+# ifndef	VSUSP
+extern cc_t termSuspChar;
+# else
+#  define termSuspChar		new_tc.c_cc[VSUSP]
+# endif
+# if	defined(VFLUSHO) && !defined(VDISCARD)
+#  define VDISCARD VFLUSHO
+# endif
+# ifndef	VDISCARD
+extern cc_t termFlushChar;
+# else
+#  define termFlushChar		new_tc.c_cc[VDISCARD]
+# endif
+# ifndef VWERASE
+extern cc_t termWerasChar;
+# else
+#  define termWerasChar		new_tc.c_cc[VWERASE]
+# endif
+# ifndef	VREPRINT
+extern cc_t termRprntChar;
+# else
+#  define termRprntChar		new_tc.c_cc[VREPRINT]
+# endif
+# ifndef	VLNEXT
+extern cc_t termLiteralNextChar;
+# else
+#  define termLiteralNextChar	new_tc.c_cc[VLNEXT]
+# endif
+# ifndef	VSTART
+extern cc_t termStartChar;
+# else
+#  define termStartChar		new_tc.c_cc[VSTART]
+# endif
+# ifndef	VSTOP
+extern cc_t termStopChar;
+# else
+#  define termStopChar		new_tc.c_cc[VSTOP]
+# endif
+# ifndef	VEOL
+extern cc_t termForw1Char;
+# else
+#  define termForw1Char		new_tc.c_cc[VEOL]
+# endif
+# ifndef	VEOL2
+extern cc_t termForw2Char;
+# else
+#  define termForw2Char		new_tc.c_cc[VEOL]
+# endif
+# ifndef	VSTATUS
+extern cc_t termAytChar;
+#else
+#  define termAytChar		new_tc.c_cc[VSTATUS]
+#endif
+
+/* Ring buffer structures which are shared */
+
+extern Ring
+    netoring,
+    netiring,
+    ttyoring,
+    ttyiring;
+
diff --git a/crypto/kerberosIV/appl/telnet/telnet/main.c b/crypto/kerberosIV/appl/telnet/telnet/main.c
new file mode 100644
index 0000000..ea60ae9
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/main.c
@@ -0,0 +1,358 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+static char *copyright[] = {
+    "@(#) Copyright (c) 1988, 1990, 1993\n"
+    "\tThe Regents of the University of California.  All rights reserved.\n",
+    (char*)copyright
+};
+
+#include "telnet_locl.h"
+RCSID("$Id: main.c,v 1.30 1999/11/13 06:30:11 assar Exp $");
+
+/* These values need to be the same as defined in libtelnet/kerberos5.c */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS	0x00000002
+#define OPTS_FORWARDABLE_CREDS	0x00000001
+
+#if KRB5
+#define FORWARD
+#endif
+
+/*
+ * Initialize variables.
+ */
+void
+tninit(void)
+{
+    init_terminal();
+
+    init_network();
+
+    init_telnet();
+
+    init_sys();
+}
+
+void
+usage(void)
+{
+  fprintf(stderr, "Usage: %s %s%s%s%s\n", prompt,
+#ifdef	AUTHENTICATION
+	  "[-8] [-E] [-K] [-L] [-G] [-S tos] [-X atype] [-a] [-c] [-d] [-e char]",
+	  "\n\t[-k realm] [-l user] [-f/-F] [-n tracefile] ",
+#else
+	  "[-8] [-E] [-L] [-S tos] [-a] [-c] [-d] [-e char] [-l user]",
+	  "\n\t[-n tracefile]",
+#endif
+	  "[-r] ",
+#ifdef	ENCRYPTION
+	  "[-x] [host-name [port]]"
+#else
+	  "[host-name [port]]"
+#endif
+    );
+  exit(1);
+}
+
+/*
+ * main.  Parse arguments, invoke the protocol or command parser.
+ */
+
+
+#ifdef	FORWARD
+extern int forward_flags;
+static int default_forward=0;
+#endif	/* FORWARD */
+
+#ifdef KRB5
+/* XXX ugly hack to setup dns-proxy stuff */
+#define Authenticator asn1_Authenticator
+#include <krb5.h>
+static void
+krb5_init(void)
+{
+    krb5_context context;
+    krb5_init_context(&context);
+
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+    if (krb5_config_get_bool (context, NULL,
+         "libdefaults", "forward", NULL)) {
+           forward_flags |= OPTS_FORWARD_CREDS;
+           default_forward=1;
+    }
+    if (krb5_config_get_bool (context, NULL,
+         "libdefaults", "forwardable", NULL)) {
+           forward_flags |= OPTS_FORWARDABLE_CREDS;
+           default_forward=1;
+    }
+#endif
+#ifdef  ENCRYPTION
+    if (krb5_config_get_bool (context, NULL,
+        "libdefaults", "encrypt", NULL)) {
+          encrypt_auto(1);
+          decrypt_auto(1); 
+          EncryptVerbose(1);
+        }
+#endif
+
+    krb5_free_context(context);
+}
+#endif
+
+int
+main(int argc, char **argv)
+{
+	int ch;
+	char *user;
+
+#ifdef KRB5
+	krb5_init();
+#endif
+	
+	tninit();		/* Clear out things */
+
+	TerminalSaveState();
+
+	if ((prompt = strrchr(argv[0], '/')))
+		++prompt;
+	else
+		prompt = argv[0];
+
+	user = NULL;
+
+	rlogin = (strncmp(prompt, "rlog", 4) == 0) ? '~' : _POSIX_VDISABLE;
+
+	/* 
+	 * if AUTHENTICATION and ENCRYPTION is set autologin will be
+	 * se to true after the getopt switch; unless the -K option is
+	 * passed 
+	 */
+	autologin = -1;
+
+	while((ch = getopt(argc, argv,
+			   "78DEKLS:X:abcde:fFk:l:n:rxG")) != -1) {
+		switch(ch) {
+		case '8':
+			eight = 3;	/* binary output and input */
+			break;
+		case '7':
+			eight = 0;
+			break;
+		case 'b':
+		    binary = 3;
+		    break;
+		case 'D': {
+		    /* sometimes we don't want a mangled display */
+		    char *p;
+		    if((p = getenv("DISPLAY")))
+			env_define("DISPLAY", (unsigned char*)p);
+		    break;
+		}
+		case 'E':
+			rlogin = escape = _POSIX_VDISABLE;
+			break;
+		case 'K':
+#ifdef	AUTHENTICATION
+			autologin = 0;
+#endif
+			break;
+		case 'L':
+			eight |= 2;	/* binary output only */
+			break;
+		case 'S':
+		    {
+#ifdef	HAVE_PARSETOS
+			extern int tos;
+
+			if ((tos = parsetos(optarg, "tcp")) < 0)
+				fprintf(stderr, "%s%s%s%s\n",
+					prompt, ": Bad TOS argument '",
+					optarg,
+					"; will try to use default TOS");
+#else
+			fprintf(stderr,
+			   "%s: Warning: -S ignored, no parsetos() support.\n",
+								prompt);
+#endif
+		    }
+			break;
+		case 'X':
+#ifdef	AUTHENTICATION
+			auth_disable_name(optarg);
+#endif
+			break;
+		case 'a':
+			autologin = 1;
+			break;
+		case 'c':
+			skiprc = 1;
+			break;
+		case 'd':
+			debug = 1;
+			break;
+		case 'e':
+			set_escape_char(optarg);
+			break;
+		case 'f':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+			if ((forward_flags & OPTS_FORWARD_CREDS) &&
+			    !default_forward) {
+			    fprintf(stderr,
+				    "%s: Only one of -f and -F allowed.\n",
+				    prompt);
+			    usage();
+			}
+			forward_flags |= OPTS_FORWARD_CREDS;
+#else
+			fprintf(stderr,
+			 "%s: Warning: -f ignored, no Kerberos V5 support.\n",
+				prompt);
+#endif
+			break;
+		case 'F':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+			if ((forward_flags & OPTS_FORWARD_CREDS) &&
+			    !default_forward) {
+			    fprintf(stderr,
+				    "%s: Only one of -f and -F allowed.\n",
+				    prompt);
+			    usage();
+			}
+			forward_flags |= OPTS_FORWARD_CREDS;
+			forward_flags |= OPTS_FORWARDABLE_CREDS;
+#else
+			fprintf(stderr,
+			 "%s: Warning: -F ignored, no Kerberos V5 support.\n",
+				prompt);
+#endif
+			break;
+		case 'k':
+#if defined(AUTHENTICATION) && defined(KRB4)
+		    {
+			extern char *dest_realm, dst_realm_buf[];
+			extern int dst_realm_sz;
+			dest_realm = dst_realm_buf;
+			strlcpy(dest_realm, optarg, dst_realm_sz);
+		    }
+#else
+			fprintf(stderr,
+			   "%s: Warning: -k ignored, no Kerberos V4 support.\n",
+								prompt);
+#endif
+			break;
+		case 'l':
+		  if(autologin == 0){
+		    fprintf(stderr, "%s: Warning: -K ignored\n", prompt);
+		    autologin = -1;
+		  }
+			user = optarg;
+			break;
+		case 'n':
+				SetNetTrace(optarg);
+			break;
+		case 'r':
+			rlogin = '~';
+			break;
+		case 'x':
+#ifdef	ENCRYPTION
+			encrypt_auto(1);
+			decrypt_auto(1);
+			EncryptVerbose(1);
+#else
+			fprintf(stderr,
+			    "%s: Warning: -x ignored, no ENCRYPT support.\n",
+								prompt);
+#endif
+			break;
+		case 'G':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+                        forward_flags ^= OPTS_FORWARD_CREDS;
+                        forward_flags ^= OPTS_FORWARDABLE_CREDS;
+#else
+                        fprintf(stderr,
+                         "%s: Warning: -G ignored, no Kerberos V5 support.\n",
+                                prompt);
+#endif
+                        break;
+
+		case '?':
+		default:
+			usage();
+			/* NOTREACHED */
+		}
+	}
+
+	if (autologin == -1) {		/* esc@magic.fi; force  */
+#if defined(AUTHENTICATION)
+		autologin = 1;
+#endif
+#if defined(ENCRYPTION)
+		encrypt_auto(1);
+		decrypt_auto(1);
+#endif
+	}
+
+	if (autologin == -1)
+		autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1;
+
+	argc -= optind;
+	argv += optind;
+
+	if (argc) {
+		char *args[7], **argp = args;
+
+		if (argc > 2)
+			usage();
+		*argp++ = prompt;
+		if (user) {
+			*argp++ = "-l";
+			*argp++ = user;
+		}
+		*argp++ = argv[0];		/* host */
+		if (argc > 1)
+			*argp++ = argv[1];	/* port */
+		*argp = 0;
+
+		if (setjmp(toplevel) != 0)
+			Exit(0);
+		if (tn(argp - args, args) == 1)
+			return (0);
+		else
+			return (1);
+	}
+	setjmp(toplevel);
+	for (;;) {
+			command(1, 0, 0);
+	}
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnet/network.c b/crypto/kerberosIV/appl/telnet/telnet/network.c
new file mode 100644
index 0000000..42ca388
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/network.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: network.c,v 1.10.28.1 2000/10/10 13:08:27 assar Exp $");
+
+Ring		netoring, netiring;
+unsigned char	netobuf[2*BUFSIZ], netibuf[BUFSIZ];
+
+/*
+ * Initialize internal network data structures.
+ */
+
+void
+init_network(void)
+{
+    if (ring_init(&netoring, netobuf, sizeof netobuf) != 1) {
+	exit(1);
+    }
+    if (ring_init(&netiring, netibuf, sizeof netibuf) != 1) {
+	exit(1);
+    }
+    NetTrace = stdout;
+}
+
+
+/*
+ * Check to see if any out-of-band data exists on a socket (for
+ * Telnet "synch" processing).
+ */
+
+int
+stilloob(void)
+{
+    static struct timeval timeout = { 0 };
+    fd_set	excepts;
+    int value;
+
+    do {
+	FD_ZERO(&excepts);
+	if (net >= FD_SETSIZE)
+	    errx (1, "fd too large");
+	FD_SET(net, &excepts);
+	value = select(net+1, 0, 0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+	perror("select");
+	quit();
+	/* NOTREACHED */
+    }
+    if (FD_ISSET(net, &excepts)) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+
+/*
+ *  setneturg()
+ *
+ *	Sets "neturg" to the current location.
+ */
+
+void
+setneturg(void)
+{
+    ring_mark(&netoring);
+}
+
+
+/*
+ *  netflush
+ *		Send as much data as possible to the network,
+ *	handling requests for urgent data.
+ *
+ *		The return value indicates whether we did any
+ *	useful work.
+ */
+
+
+int
+netflush(void)
+{
+    int n, n1;
+
+#if	defined(ENCRYPTION)
+    if (encrypt_output)
+	ring_encrypt(&netoring, encrypt_output);
+#endif
+    if ((n1 = n = ring_full_consecutive(&netoring)) > 0) {
+	if (!ring_at_mark(&netoring)) {
+	    n = send(net, (char *)netoring.consume, n, 0); /* normal write */
+	} else {
+	    /*
+	     * In 4.2 (and 4.3) systems, there is some question about
+	     * what byte in a sendOOB operation is the "OOB" data.
+	     * To make ourselves compatible, we only send ONE byte
+	     * out of band, the one WE THINK should be OOB (though
+	     * we really have more the TCP philosophy of urgent data
+	     * rather than the Unix philosophy of OOB data).
+	     */
+	    n = send(net, (char *)netoring.consume, 1, MSG_OOB);/* URGENT data */
+	}
+    }
+    if (n < 0) {
+	if (errno != ENOBUFS && errno != EWOULDBLOCK) {
+	    setcommandmode();
+	    perror(hostname);
+	    NetClose(net);
+	    ring_clear_mark(&netoring);
+	    longjmp(peerdied, -1);
+	    /*NOTREACHED*/
+	}
+	n = 0;
+    }
+    if (netdata && n) {
+	Dump('>', netoring.consume, n);
+    }
+    if (n) {
+	ring_consumed(&netoring, n);
+	/*
+	 * If we sent all, and more to send, then recurse to pick
+	 * up the other half.
+	 */
+	if ((n1 == n) && ring_full_consecutive(&netoring)) {
+	    netflush();
+	}
+	return 1;
+    } else {
+	return 0;
+    }
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnet/ring.c b/crypto/kerberosIV/appl/telnet/telnet/ring.c
new file mode 100644
index 0000000..d791476
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/ring.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: ring.c,v 1.10 1997/05/04 04:01:08 assar Exp $");
+
+/*
+ * This defines a structure for a ring buffer.
+ *
+ * The circular buffer has two parts:
+ *(((
+ *	full:	[consume, supply)
+ *	empty:	[supply, consume)
+ *]]]
+ *
+ */
+
+/* Internal macros */
+
+#define	ring_subtract(d,a,b)	(((a)-(b) >= 0)? \
+					(a)-(b): (((a)-(b))+(d)->size))
+
+#define	ring_increment(d,a,c)	(((a)+(c) < (d)->top)? \
+					(a)+(c) : (((a)+(c))-(d)->size))
+
+#define	ring_decrement(d,a,c)	(((a)-(c) >= (d)->bottom)? \
+					(a)-(c) : (((a)-(c))-(d)->size))
+
+
+/*
+ * The following is a clock, used to determine full, empty, etc.
+ *
+ * There is some trickiness here.  Since the ring buffers are initialized
+ * to ZERO on allocation, we need to make sure, when interpreting the
+ * clock, that when the times are EQUAL, then the buffer is FULL.
+ */
+static u_long ring_clock = 0;
+
+
+#define	ring_empty(d) (((d)->consume == (d)->supply) && \
+				((d)->consumetime >= (d)->supplytime))
+#define	ring_full(d) (((d)->supply == (d)->consume) && \
+				((d)->supplytime > (d)->consumetime))
+
+
+
+
+
+/* Buffer state transition routines */
+
+int
+ring_init(Ring *ring, unsigned char *buffer, int count)
+{
+    memset(ring, 0, sizeof *ring);
+
+    ring->size = count;
+
+    ring->supply = ring->consume = ring->bottom = buffer;
+
+    ring->top = ring->bottom+ring->size;
+
+#if	defined(ENCRYPTION)
+    ring->clearto = 0;
+#endif
+
+    return 1;
+}
+
+/* Mark routines */
+
+/*
+ * Mark the most recently supplied byte.
+ */
+
+void
+ring_mark(Ring *ring)
+{
+    ring->mark = ring_decrement(ring, ring->supply, 1);
+}
+
+/*
+ * Is the ring pointing to the mark?
+ */
+
+int
+ring_at_mark(Ring *ring)
+{
+    if (ring->mark == ring->consume) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+/*
+ * Clear any mark set on the ring.
+ */
+
+void
+ring_clear_mark(Ring *ring)
+{
+    ring->mark = 0;
+}
+
+/*
+ * Add characters from current segment to ring buffer.
+ */
+void
+ring_supplied(Ring *ring, int count)
+{
+    ring->supply = ring_increment(ring, ring->supply, count);
+    ring->supplytime = ++ring_clock;
+}
+
+/*
+ * We have just consumed "c" bytes.
+ */
+void
+ring_consumed(Ring *ring, int count)
+{
+    if (count == 0)	/* don't update anything */
+	return;
+
+    if (ring->mark &&
+		(ring_subtract(ring, ring->mark, ring->consume) < count)) {
+	ring->mark = 0;
+    }
+#if	defined(ENCRYPTION)
+    if (ring->consume < ring->clearto &&
+		ring->clearto <= ring->consume + count)
+	ring->clearto = 0;
+    else if (ring->consume + count > ring->top &&
+		ring->bottom <= ring->clearto &&
+		ring->bottom + ((ring->consume + count) - ring->top))
+	ring->clearto = 0;
+#endif
+    ring->consume = ring_increment(ring, ring->consume, count);
+    ring->consumetime = ++ring_clock;
+    /*
+     * Try to encourage "ring_empty_consecutive()" to be large.
+     */
+    if (ring_empty(ring)) {
+	ring->consume = ring->supply = ring->bottom;
+    }
+}
+
+
+
+/* Buffer state query routines */
+
+
+/* Number of bytes that may be supplied */
+int
+ring_empty_count(Ring *ring)
+{
+    if (ring_empty(ring)) {	/* if empty */
+	    return ring->size;
+    } else {
+	return ring_subtract(ring, ring->consume, ring->supply);
+    }
+}
+
+/* number of CONSECUTIVE bytes that may be supplied */
+int
+ring_empty_consecutive(Ring *ring)
+{
+    if ((ring->consume < ring->supply) || ring_empty(ring)) {
+			    /*
+			     * if consume is "below" supply, or empty, then
+			     * return distance to the top
+			     */
+	return ring_subtract(ring, ring->top, ring->supply);
+    } else {
+				    /*
+				     * else, return what we may.
+				     */
+	return ring_subtract(ring, ring->consume, ring->supply);
+    }
+}
+
+/* Return the number of bytes that are available for consuming
+ * (but don't give more than enough to get to cross over set mark)
+ */
+
+int
+ring_full_count(Ring *ring)
+{
+    if ((ring->mark == 0) || (ring->mark == ring->consume)) {
+	if (ring_full(ring)) {
+	    return ring->size;	/* nothing consumed, but full */
+	} else {
+	    return ring_subtract(ring, ring->supply, ring->consume);
+	}
+    } else {
+	return ring_subtract(ring, ring->mark, ring->consume);
+    }
+}
+
+/*
+ * Return the number of CONSECUTIVE bytes available for consuming.
+ * However, don't return more than enough to cross over set mark.
+ */
+int
+ring_full_consecutive(Ring *ring)
+{
+    if ((ring->mark == 0) || (ring->mark == ring->consume)) {
+	if ((ring->supply < ring->consume) || ring_full(ring)) {
+	    return ring_subtract(ring, ring->top, ring->consume);
+	} else {
+	    return ring_subtract(ring, ring->supply, ring->consume);
+	}
+    } else {
+	if (ring->mark < ring->consume) {
+	    return ring_subtract(ring, ring->top, ring->consume);
+	} else {	/* Else, distance to mark */
+	    return ring_subtract(ring, ring->mark, ring->consume);
+	}
+    }
+}
+
+/*
+ * Move data into the "supply" portion of of the ring buffer.
+ */
+void
+ring_supply_data(Ring *ring, unsigned char *buffer, int count)
+{
+    int i;
+
+    while (count) {
+	i = min(count, ring_empty_consecutive(ring));
+	memmove(ring->supply, buffer, i);
+	ring_supplied(ring, i);
+	count -= i;
+	buffer += i;
+    }
+}
+
+#ifdef notdef
+
+/*
+ * Move data from the "consume" portion of the ring buffer
+ */
+void
+ring_consume_data(Ring *ring, unsigned char *buffer, int count)
+{
+    int i;
+
+    while (count) {
+	i = min(count, ring_full_consecutive(ring));
+	memmove(buffer, ring->consume, i);
+	ring_consumed(ring, i);
+	count -= i;
+	buffer += i;
+    }
+}
+#endif
+
+#if	defined(ENCRYPTION)
+void
+ring_encrypt(Ring *ring, void (*encryptor)())
+{
+    unsigned char *s, *c;
+
+    if (ring_empty(ring) || ring->clearto == ring->supply)
+	return;
+
+    if (!(c = ring->clearto))
+	c = ring->consume;
+
+    s = ring->supply;
+
+    if (s <= c) {
+	(*encryptor)(c, ring->top - c);
+	(*encryptor)(ring->bottom, s - ring->bottom);
+    } else
+	(*encryptor)(c, s - c);
+
+    ring->clearto = ring->supply;
+}
+
+void
+ring_clearto(Ring *ring)
+{
+    if (!ring_empty(ring))
+	ring->clearto = ring->supply;
+    else
+	ring->clearto = 0;
+}
+#endif
+
diff --git a/crypto/kerberosIV/appl/telnet/telnet/ring.h b/crypto/kerberosIV/appl/telnet/telnet/ring.h
new file mode 100644
index 0000000..fa7ad18
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/ring.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ring.h	8.1 (Berkeley) 6/6/93
+ */
+
+/* $Id: ring.h,v 1.3 1997/05/04 04:01:09 assar Exp $ */
+
+/*
+ * This defines a structure for a ring buffer.
+ *
+ * The circular buffer has two parts:
+ *(((
+ *	full:	[consume, supply)
+ *	empty:	[supply, consume)
+ *]]]
+ *
+ */
+typedef struct {
+    unsigned char	*consume,	/* where data comes out of */
+			*supply,	/* where data comes in to */
+			*bottom,	/* lowest address in buffer */
+			*top,		/* highest address+1 in buffer */
+			*mark;		/* marker (user defined) */
+#if	defined(ENCRYPTION)
+    unsigned char	*clearto;	/* Data to this point is clear text */
+    unsigned char	*encryyptedto;	/* Data is encrypted to here */
+#endif
+    int		size;		/* size in bytes of buffer */
+    u_long	consumetime,	/* help us keep straight full, empty, etc. */
+		supplytime;
+} Ring;
+
+/* Here are some functions and macros to deal with the ring buffer */
+
+/* Initialization routine */
+extern int
+	ring_init (Ring *ring, unsigned char *buffer, int count);
+
+/* Data movement routines */
+extern void
+	ring_supply_data (Ring *ring, unsigned char *buffer, int count);
+#ifdef notdef
+extern void
+	ring_consume_data (Ring *ring, unsigned char *buffer, int count);
+#endif
+
+/* Buffer state transition routines */
+extern void
+	ring_supplied (Ring *ring, int count),
+	ring_consumed (Ring *ring, int count);
+
+/* Buffer state query routines */
+extern int
+	ring_empty_count (Ring *ring),
+	ring_empty_consecutive (Ring *ring),
+	ring_full_count (Ring *ring),
+	ring_full_consecutive (Ring *ring);
+
+#if	defined(ENCRYPTION)
+extern void
+	ring_encrypt (Ring *ring, void (*func)()),
+	ring_clearto (Ring *ring);
+#endif
+
+extern int ring_at_mark(Ring *ring);
+
+extern void
+    ring_clear_mark(Ring *ring),
+    ring_mark(Ring *ring);
diff --git a/crypto/kerberosIV/appl/telnet/telnet/sys_bsd.c b/crypto/kerberosIV/appl/telnet/telnet/sys_bsd.c
new file mode 100644
index 0000000..6bff638
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/sys_bsd.c
@@ -0,0 +1,977 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: sys_bsd.c,v 1.23.18.2 2000/10/19 21:21:21 assar Exp $");
+
+/*
+ * The following routines try to encapsulate what is system dependent
+ * (at least between 4.x and dos) which is used in telnet.c.
+ */
+
+int
+	tout,			/* Output file descriptor */
+	tin,			/* Input file descriptor */
+	net;
+
+struct	termios old_tc = { 0 };
+extern struct termios new_tc;
+
+# ifndef	TCSANOW
+#  ifdef TCSETS
+#   define	TCSANOW		TCSETS
+#   define	TCSADRAIN	TCSETSW
+#   define	tcgetattr(f, t) ioctl(f, TCGETS, (char *)t)
+#  else
+#   ifdef TCSETA
+#    define	TCSANOW		TCSETA
+#    define	TCSADRAIN	TCSETAW
+#    define	tcgetattr(f, t) ioctl(f, TCGETA, (char *)t)
+#   else
+#    define	TCSANOW		TIOCSETA
+#    define	TCSADRAIN	TIOCSETAW
+#    define	tcgetattr(f, t) ioctl(f, TIOCGETA, (char *)t)
+#   endif
+#  endif
+#  define	tcsetattr(f, a, t) ioctl(f, a, (char *)t)
+#  define	cfgetospeed(ptr)	((ptr)->c_cflag&CBAUD)
+#  ifdef CIBAUD
+#   define	cfgetispeed(ptr)	(((ptr)->c_cflag&CIBAUD) >> IBSHIFT)
+#  else
+#   define	cfgetispeed(ptr)	cfgetospeed(ptr)
+#  endif
+# endif /* TCSANOW */
+
+static fd_set ibits, obits, xbits;
+
+
+void
+init_sys(void)
+{
+    tout = fileno(stdout);
+    tin = fileno(stdin);
+    FD_ZERO(&ibits);
+    FD_ZERO(&obits);
+    FD_ZERO(&xbits);
+
+    errno = 0;
+}
+
+
+int
+TerminalWrite(char *buf, int n)
+{
+    return write(tout, buf, n);
+}
+
+int
+TerminalRead(unsigned char *buf, int n)
+{
+    return read(tin, buf, n);
+}
+
+/*
+ *
+ */
+
+int
+TerminalAutoFlush(void)
+{
+#if	defined(LNOFLSH)
+    int flush;
+
+    ioctl(0, TIOCLGET, (char *)&flush);
+    return !(flush&LNOFLSH);	/* if LNOFLSH, no autoflush */
+#else	/* LNOFLSH */
+    return 1;
+#endif	/* LNOFLSH */
+}
+
+#ifdef	KLUDGELINEMODE
+extern int kludgelinemode;
+#endif
+/*
+ * TerminalSpecialChars()
+ *
+ * Look at an input character to see if it is a special character
+ * and decide what to do.
+ *
+ * Output:
+ *
+ *	0	Don't add this character.
+ *	1	Do add this character
+ */
+
+int
+TerminalSpecialChars(int c)
+{
+    if (c == termIntChar) {
+	intp();
+	return 0;
+    } else if (c == termQuitChar) {
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode)
+	    sendbrk();
+	else
+#endif
+	    sendabort();
+	return 0;
+    } else if (c == termEofChar) {
+	if (my_want_state_is_will(TELOPT_LINEMODE)) {
+	    sendeof();
+	    return 0;
+	}
+	return 1;
+    } else if (c == termSuspChar) {
+	sendsusp();
+	return(0);
+    } else if (c == termFlushChar) {
+	xmitAO();		/* Transmit Abort Output */
+	return 0;
+    } else if (!MODE_LOCAL_CHARS(globalmode)) {
+	if (c == termKillChar) {
+	    xmitEL();
+	    return 0;
+	} else if (c == termEraseChar) {
+	    xmitEC();		/* Transmit Erase Character */
+	    return 0;
+	}
+    }
+    return 1;
+}
+
+
+/*
+ * Flush output to the terminal
+ */
+
+void
+TerminalFlushOutput(void)
+{
+#ifdef	TIOCFLUSH
+    ioctl(fileno(stdout), TIOCFLUSH, (char *) 0);
+#else
+    ioctl(fileno(stdout), TCFLSH, (char *) 0);
+#endif
+}
+
+void
+TerminalSaveState(void)
+{
+    tcgetattr(0, &old_tc);
+
+    new_tc = old_tc;
+
+#ifndef	VDISCARD
+    termFlushChar = CONTROL('O');
+#endif
+#ifndef	VWERASE
+    termWerasChar = CONTROL('W');
+#endif
+#ifndef	VREPRINT
+    termRprntChar = CONTROL('R');
+#endif
+#ifndef	VLNEXT
+    termLiteralNextChar = CONTROL('V');
+#endif
+#ifndef	VSTART
+    termStartChar = CONTROL('Q');
+#endif
+#ifndef	VSTOP
+    termStopChar = CONTROL('S');
+#endif
+#ifndef	VSTATUS
+    termAytChar = CONTROL('T');
+#endif
+}
+
+cc_t*
+tcval(int func)
+{
+    switch(func) {
+    case SLC_IP:	return(&termIntChar);
+    case SLC_ABORT:	return(&termQuitChar);
+    case SLC_EOF:	return(&termEofChar);
+    case SLC_EC:	return(&termEraseChar);
+    case SLC_EL:	return(&termKillChar);
+    case SLC_XON:	return(&termStartChar);
+    case SLC_XOFF:	return(&termStopChar);
+    case SLC_FORW1:	return(&termForw1Char);
+    case SLC_FORW2:	return(&termForw2Char);
+# ifdef	VDISCARD
+    case SLC_AO:	return(&termFlushChar);
+# endif
+# ifdef	VSUSP
+    case SLC_SUSP:	return(&termSuspChar);
+# endif
+# ifdef	VWERASE
+    case SLC_EW:	return(&termWerasChar);
+# endif
+# ifdef	VREPRINT
+    case SLC_RP:	return(&termRprntChar);
+# endif
+# ifdef	VLNEXT
+    case SLC_LNEXT:	return(&termLiteralNextChar);
+# endif
+# ifdef	VSTATUS
+    case SLC_AYT:	return(&termAytChar);
+# endif
+
+    case SLC_SYNCH:
+    case SLC_BRK:
+    case SLC_EOR:
+    default:
+	return((cc_t *)0);
+    }
+}
+
+void
+TerminalDefaultChars(void)
+{
+    memmove(new_tc.c_cc, old_tc.c_cc, sizeof(old_tc.c_cc));
+# ifndef	VDISCARD
+    termFlushChar = CONTROL('O');
+# endif
+# ifndef	VWERASE
+    termWerasChar = CONTROL('W');
+# endif
+# ifndef	VREPRINT
+    termRprntChar = CONTROL('R');
+# endif
+# ifndef	VLNEXT
+    termLiteralNextChar = CONTROL('V');
+# endif
+# ifndef	VSTART
+    termStartChar = CONTROL('Q');
+# endif
+# ifndef	VSTOP
+    termStopChar = CONTROL('S');
+# endif
+# ifndef	VSTATUS
+    termAytChar = CONTROL('T');
+# endif
+}
+
+#ifdef notdef
+void
+TerminalRestoreState()
+{
+}
+#endif
+
+/*
+ * TerminalNewMode - set up terminal to a specific mode.
+ *	MODE_ECHO: do local terminal echo
+ *	MODE_FLOW: do local flow control
+ *	MODE_TRAPSIG: do local mapping to TELNET IAC sequences
+ *	MODE_EDIT: do local line editing
+ *
+ *	Command mode:
+ *		MODE_ECHO|MODE_EDIT|MODE_FLOW|MODE_TRAPSIG
+ *		local echo
+ *		local editing
+ *		local xon/xoff
+ *		local signal mapping
+ *
+ *	Linemode:
+ *		local/no editing
+ *	Both Linemode and Single Character mode:
+ *		local/remote echo
+ *		local/no xon/xoff
+ *		local/no signal mapping
+ */
+
+
+#ifdef	SIGTSTP
+static RETSIGTYPE susp();
+#endif	/* SIGTSTP */
+#ifdef	SIGINFO
+static RETSIGTYPE ayt();
+#endif
+
+void
+TerminalNewMode(int f)
+{
+    static int prevmode = 0;
+    struct termios tmp_tc;
+    int onoff;
+    int old;
+    cc_t esc;
+
+    globalmode = f&~MODE_FORCE;
+    if (prevmode == f)
+	return;
+
+    /*
+     * Write any outstanding data before switching modes
+     * ttyflush() returns 0 only when there is no more data
+     * left to write out, it returns -1 if it couldn't do
+     * anything at all, otherwise it returns 1 + the number
+     * of characters left to write.
+     */
+    old = ttyflush(SYNCHing|flushout);
+    if (old < 0 || old > 1) {
+	tcgetattr(tin, &tmp_tc);
+	do {
+	    /*
+	     * Wait for data to drain, then flush again.
+	     */
+	    tcsetattr(tin, TCSADRAIN, &tmp_tc);
+	    old = ttyflush(SYNCHing|flushout);
+	} while (old < 0 || old > 1);
+    }
+
+    old = prevmode;
+    prevmode = f&~MODE_FORCE;
+    tmp_tc = new_tc;
+
+    if (f&MODE_ECHO) {
+	tmp_tc.c_lflag |= ECHO;
+	tmp_tc.c_oflag |= ONLCR;
+	if (crlf)
+		tmp_tc.c_iflag |= ICRNL;
+    } else {
+	tmp_tc.c_lflag &= ~ECHO;
+	tmp_tc.c_oflag &= ~ONLCR;
+# ifdef notdef
+	if (crlf)
+		tmp_tc.c_iflag &= ~ICRNL;
+# endif
+    }
+
+    if ((f&MODE_FLOW) == 0) {
+	tmp_tc.c_iflag &= ~(IXOFF|IXON);	/* Leave the IXANY bit alone */
+    } else {
+	if (restartany < 0) {
+		tmp_tc.c_iflag |= IXOFF|IXON;	/* Leave the IXANY bit alone */
+	} else if (restartany > 0) {
+		tmp_tc.c_iflag |= IXOFF|IXON|IXANY;
+	} else {
+		tmp_tc.c_iflag |= IXOFF|IXON;
+		tmp_tc.c_iflag &= ~IXANY;
+	}
+    }
+
+    if ((f&MODE_TRAPSIG) == 0) {
+	tmp_tc.c_lflag &= ~ISIG;
+	localchars = 0;
+    } else {
+	tmp_tc.c_lflag |= ISIG;
+	localchars = 1;
+    }
+
+    if (f&MODE_EDIT) {
+	tmp_tc.c_lflag |= ICANON;
+    } else {
+	tmp_tc.c_lflag &= ~ICANON;
+	tmp_tc.c_iflag &= ~ICRNL;
+	tmp_tc.c_cc[VMIN] = 1;
+	tmp_tc.c_cc[VTIME] = 0;
+    }
+
+    if ((f&(MODE_EDIT|MODE_TRAPSIG)) == 0) {
+# ifdef VLNEXT
+	tmp_tc.c_cc[VLNEXT] = (cc_t)(_POSIX_VDISABLE);
+# endif
+    }
+
+    if (f&MODE_SOFT_TAB) {
+# ifdef	OXTABS
+	tmp_tc.c_oflag |= OXTABS;
+# endif
+# ifdef	TABDLY
+	tmp_tc.c_oflag &= ~TABDLY;
+	tmp_tc.c_oflag |= TAB3;
+# endif
+    } else {
+# ifdef	OXTABS
+	tmp_tc.c_oflag &= ~OXTABS;
+# endif
+# ifdef	TABDLY
+	tmp_tc.c_oflag &= ~TABDLY;
+# endif
+    }
+
+    if (f&MODE_LIT_ECHO) {
+# ifdef	ECHOCTL
+	tmp_tc.c_lflag &= ~ECHOCTL;
+# endif
+    } else {
+# ifdef	ECHOCTL
+	tmp_tc.c_lflag |= ECHOCTL;
+# endif
+    }
+
+    if (f == -1) {
+	onoff = 0;
+    } else {
+	if (f & MODE_INBIN)
+		tmp_tc.c_iflag &= ~ISTRIP;
+	else
+		tmp_tc.c_iflag |= ISTRIP;
+	if ((f & MODE_OUTBIN) || (f & MODE_OUT8)) {
+		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+		tmp_tc.c_cflag |= CS8;
+		if(f & MODE_OUTBIN)
+		    tmp_tc.c_oflag &= ~OPOST;
+		else
+		    tmp_tc.c_oflag |= OPOST;
+	} else {
+		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+		tmp_tc.c_cflag |= old_tc.c_cflag & (CSIZE|PARENB);
+		tmp_tc.c_oflag |= OPOST;
+	}
+	onoff = 1;
+    }
+
+    if (f != -1) {
+
+#ifdef	SIGTSTP
+	signal(SIGTSTP, susp);
+#endif	/* SIGTSTP */
+#ifdef	SIGINFO
+	signal(SIGINFO, ayt);
+#endif
+#ifdef NOKERNINFO
+	tmp_tc.c_lflag |= NOKERNINFO;
+#endif
+	/*
+	 * We don't want to process ^Y here.  It's just another
+	 * character that we'll pass on to the back end.  It has
+	 * to process it because it will be processed when the
+	 * user attempts to read it, not when we send it.
+	 */
+# ifdef	VDSUSP
+	tmp_tc.c_cc[VDSUSP] = (cc_t)(_POSIX_VDISABLE);
+# endif
+	/*
+	 * If the VEOL character is already set, then use VEOL2,
+	 * otherwise use VEOL.
+	 */
+	esc = (rlogin != _POSIX_VDISABLE) ? rlogin : escape;
+	if ((tmp_tc.c_cc[VEOL] != esc)
+# ifdef	VEOL2
+	    && (tmp_tc.c_cc[VEOL2] != esc)
+# endif
+	    ) {
+		if (tmp_tc.c_cc[VEOL] == (cc_t)(_POSIX_VDISABLE))
+		    tmp_tc.c_cc[VEOL] = esc;
+# ifdef	VEOL2
+		else if (tmp_tc.c_cc[VEOL2] == (cc_t)(_POSIX_VDISABLE))
+		    tmp_tc.c_cc[VEOL2] = esc;
+# endif
+	}
+    } else {
+        sigset_t sm;
+#ifdef	SIGINFO
+	RETSIGTYPE ayt_status();
+
+	signal(SIGINFO, ayt_status);
+#endif
+#ifdef	SIGTSTP
+	signal(SIGTSTP, SIG_DFL);
+	sigemptyset(&sm);
+	sigaddset(&sm, SIGTSTP);
+	sigprocmask(SIG_UNBLOCK, &sm, NULL);
+#endif	/* SIGTSTP */
+	tmp_tc = old_tc;
+    }
+    if (tcsetattr(tin, TCSADRAIN, &tmp_tc) < 0)
+	tcsetattr(tin, TCSANOW, &tmp_tc);
+
+    ioctl(tin, FIONBIO, (char *)&onoff);
+    ioctl(tout, FIONBIO, (char *)&onoff);
+
+}
+
+/*
+ * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD).
+ */
+#if B4800 != 4800
+#define	DECODE_BAUD
+#endif
+
+#ifdef	DECODE_BAUD
+#ifndef	B7200
+#define B7200   B4800
+#endif
+
+#ifndef	B14400
+#define B14400  B9600
+#endif
+
+#ifndef	B19200
+# define B19200 B14400
+#endif
+
+#ifndef	B28800
+#define B28800  B19200
+#endif
+
+#ifndef	B38400
+# define B38400 B28800
+#endif
+
+#ifndef B57600
+#define B57600  B38400
+#endif
+
+#ifndef B76800
+#define B76800  B57600
+#endif
+
+#ifndef B115200
+#define B115200 B76800
+#endif
+
+#ifndef B230400
+#define B230400 B115200
+#endif
+
+
+/*
+ * This code assumes that the values B0, B50, B75...
+ * are in ascending order.  They do not have to be
+ * contiguous.
+ */
+struct termspeeds {
+	long speed;
+	long value;
+} termspeeds[] = {
+	{ 0,      B0 },      { 50,    B50 },    { 75,     B75 },
+	{ 110,    B110 },    { 134,   B134 },   { 150,    B150 },
+	{ 200,    B200 },    { 300,   B300 },   { 600,    B600 },
+	{ 1200,   B1200 },   { 1800,  B1800 },  { 2400,   B2400 },
+	{ 4800,   B4800 },   { 7200,  B7200 },  { 9600,   B9600 },
+	{ 14400,  B14400 },  { 19200, B19200 }, { 28800,  B28800 },
+	{ 38400,  B38400 },  { 57600, B57600 }, { 115200, B115200 },
+	{ 230400, B230400 }, { -1,    B230400 }
+};
+#endif	/* DECODE_BAUD */
+
+void
+TerminalSpeeds(long *input_speed, long *output_speed)
+{
+#ifdef	DECODE_BAUD
+    struct termspeeds *tp;
+#endif	/* DECODE_BAUD */
+    long in, out;
+
+    out = cfgetospeed(&old_tc);
+    in = cfgetispeed(&old_tc);
+    if (in == 0)
+	in = out;
+
+#ifdef	DECODE_BAUD
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < in))
+	tp++;
+    *input_speed = tp->speed;
+
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < out))
+	tp++;
+    *output_speed = tp->speed;
+#else	/* DECODE_BAUD */
+	*input_speed = in;
+	*output_speed = out;
+#endif	/* DECODE_BAUD */
+}
+
+int
+TerminalWindowSize(long *rows, long *cols)
+{
+    struct winsize ws;
+
+    if (get_window_size (STDIN_FILENO, &ws) == 0) {
+	*rows = ws.ws_row;
+	*cols = ws.ws_col;
+	return 1;
+    } else
+	return 0;
+}
+
+int
+NetClose(int fd)
+{
+    return close(fd);
+}
+
+
+void
+NetNonblockingIO(int fd, int onoff)
+{
+    ioctl(fd, FIONBIO, (char *)&onoff);
+}
+
+
+/*
+ * Various signal handling routines.
+ */
+
+static RETSIGTYPE deadpeer(int),
+  intr(int), intr2(int), susp(int), sendwin(int);
+#ifdef SIGINFO
+static RETSIGTYPE ayt(int);
+#endif
+  
+
+    /* ARGSUSED */
+static RETSIGTYPE
+deadpeer(int sig)
+{
+	setcommandmode();
+	longjmp(peerdied, -1);
+}
+
+    /* ARGSUSED */
+static RETSIGTYPE
+intr(int sig)
+{
+    if (localchars) {
+	intp();
+	return;
+    }
+    setcommandmode();
+    longjmp(toplevel, -1);
+}
+
+    /* ARGSUSED */
+static RETSIGTYPE
+intr2(int sig)
+{
+    if (localchars) {
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode)
+	    sendbrk();
+	else
+#endif
+	    sendabort();
+	return;
+    }
+}
+
+#ifdef	SIGTSTP
+    /* ARGSUSED */
+static RETSIGTYPE
+susp(int sig)
+{
+    if ((rlogin != _POSIX_VDISABLE) && rlogin_susp())
+	return;
+    if (localchars)
+	sendsusp();
+}
+#endif
+
+#ifdef	SIGWINCH
+    /* ARGSUSED */
+static RETSIGTYPE
+sendwin(int sig)
+{
+    if (connected) {
+	sendnaws();
+    }
+}
+#endif
+
+#ifdef	SIGINFO
+    /* ARGSUSED */
+static RETSIGTYPE
+ayt(int sig)
+{
+    if (connected)
+	sendayt();
+    else
+	ayt_status(sig);
+}
+#endif
+
+
+void
+sys_telnet_init(void)
+{
+    signal(SIGINT, intr);
+    signal(SIGQUIT, intr2);
+    signal(SIGPIPE, deadpeer);
+#ifdef	SIGWINCH
+    signal(SIGWINCH, sendwin);
+#endif
+#ifdef	SIGTSTP
+    signal(SIGTSTP, susp);
+#endif
+#ifdef	SIGINFO
+    signal(SIGINFO, ayt);
+#endif
+
+    setconnmode(0);
+
+    NetNonblockingIO(net, 1);
+
+
+#if	defined(SO_OOBINLINE)
+    if (SetSockOpt(net, SOL_SOCKET, SO_OOBINLINE, 1) == -1) {
+	perror("SetSockOpt");
+    }
+#endif	/* defined(SO_OOBINLINE) */
+}
+
+/*
+ * Process rings -
+ *
+ *	This routine tries to fill up/empty our various rings.
+ *
+ *	The parameter specifies whether this is a poll operation,
+ *	or a block-until-something-happens operation.
+ *
+ *	The return value is 1 if something happened, 0 if not.
+ */
+
+int
+process_rings(int netin,
+	      int netout,
+	      int netex,
+	      int ttyin,
+	      int ttyout,
+	      int poll) /* If 0, then block until something to do */
+{
+    int c;
+		/* One wants to be a bit careful about setting returnValue
+		 * to one, since a one implies we did some useful work,
+		 * and therefore probably won't be called to block next
+		 * time (TN3270 mode only).
+		 */
+    int returnValue = 0;
+    static struct timeval TimeValue = { 0 };
+
+    if (net >= FD_SETSIZE
+	|| tout >= FD_SETSIZE
+	|| tin >= FD_SETSIZE)
+	errx (1, "fd too large");
+
+    if (netout) {
+	FD_SET(net, &obits);
+    }
+    if (ttyout) {
+	FD_SET(tout, &obits);
+    }
+    if (ttyin) {
+	FD_SET(tin, &ibits);
+    }
+    if (netin) {
+	FD_SET(net, &ibits);
+    }
+#if !defined(SO_OOBINLINE)
+    if (netex) {
+	FD_SET(net, &xbits);
+    }
+#endif
+    if ((c = select(FD_SETSIZE, &ibits, &obits, &xbits,
+			(poll == 0)? (struct timeval *)0 : &TimeValue)) < 0) {
+	if (c == -1) {
+		    /*
+		     * we can get EINTR if we are in line mode,
+		     * and the user does an escape (TSTP), or
+		     * some other signal generator.
+		     */
+	    if (errno == EINTR) {
+		return 0;
+	    }
+		    /* I don't like this, does it ever happen? */
+	    printf("sleep(5) from telnet, after select\r\n");
+	    sleep(5);
+	}
+	return 0;
+    }
+
+    /*
+     * Any urgent data?
+     */
+    if (FD_ISSET(net, &xbits)) {
+	FD_CLR(net, &xbits);
+	SYNCHing = 1;
+	ttyflush(1);	/* flush already enqueued data */
+    }
+
+    /*
+     * Something to read from the network...
+     */
+    if (FD_ISSET(net, &ibits)) {
+	int canread;
+
+	FD_CLR(net, &ibits);
+	canread = ring_empty_consecutive(&netiring);
+#if	!defined(SO_OOBINLINE)
+	    /*
+	     * In 4.2 (and some early 4.3) systems, the
+	     * OOB indication and data handling in the kernel
+	     * is such that if two separate TCP Urgent requests
+	     * come in, one byte of TCP data will be overlaid.
+	     * This is fatal for Telnet, but we try to live
+	     * with it.
+	     *
+	     * In addition, in 4.2 (and...), a special protocol
+	     * is needed to pick up the TCP Urgent data in
+	     * the correct sequence.
+	     *
+	     * What we do is:  if we think we are in urgent
+	     * mode, we look to see if we are "at the mark".
+	     * If we are, we do an OOB receive.  If we run
+	     * this twice, we will do the OOB receive twice,
+	     * but the second will fail, since the second
+	     * time we were "at the mark", but there wasn't
+	     * any data there (the kernel doesn't reset
+	     * "at the mark" until we do a normal read).
+	     * Once we've read the OOB data, we go ahead
+	     * and do normal reads.
+	     *
+	     * There is also another problem, which is that
+	     * since the OOB byte we read doesn't put us
+	     * out of OOB state, and since that byte is most
+	     * likely the TELNET DM (data mark), we would
+	     * stay in the TELNET SYNCH (SYNCHing) state.
+	     * So, clocks to the rescue.  If we've "just"
+	     * received a DM, then we test for the
+	     * presence of OOB data when the receive OOB
+	     * fails (and AFTER we did the normal mode read
+	     * to clear "at the mark").
+	     */
+	if (SYNCHing) {
+	    int atmark;
+	    static int bogus_oob = 0, first = 1;
+
+	    ioctl(net, SIOCATMARK, (char *)&atmark);
+	    if (atmark) {
+		c = recv(net, netiring.supply, canread, MSG_OOB);
+		if ((c == -1) && (errno == EINVAL)) {
+		    c = recv(net, netiring.supply, canread, 0);
+		    if (clocks.didnetreceive < clocks.gotDM) {
+			SYNCHing = stilloob();
+		    }
+		} else if (first && c > 0) {
+		    /*
+		     * Bogosity check.  Systems based on 4.2BSD
+		     * do not return an error if you do a second
+		     * recv(MSG_OOB).  So, we do one.  If it
+		     * succeeds and returns exactly the same
+		     * data, then assume that we are running
+		     * on a broken system and set the bogus_oob
+		     * flag.  (If the data was different, then
+		     * we probably got some valid new data, so
+		     * increment the count...)
+		     */
+		    int i;
+		    i = recv(net, netiring.supply + c, canread - c, MSG_OOB);
+		    if (i == c &&
+			 memcmp(netiring.supply, netiring.supply + c, i) == 0) {
+			bogus_oob = 1;
+			first = 0;
+		    } else if (i < 0) {
+			bogus_oob = 0;
+			first = 0;
+		    } else
+			c += i;
+		}
+		if (bogus_oob && c > 0) {
+		    int i;
+		    /*
+		     * Bogosity.  We have to do the read
+		     * to clear the atmark to get out of
+		     * an infinate loop.
+		     */
+		    i = read(net, netiring.supply + c, canread - c);
+		    if (i > 0)
+			c += i;
+		}
+	    } else {
+		c = recv(net, netiring.supply, canread, 0);
+	    }
+	} else {
+	    c = recv(net, netiring.supply, canread, 0);
+	}
+	settimer(didnetreceive);
+#else	/* !defined(SO_OOBINLINE) */
+	c = recv(net, (char *)netiring.supply, canread, 0);
+#endif	/* !defined(SO_OOBINLINE) */
+	if (c < 0 && errno == EWOULDBLOCK) {
+	    c = 0;
+	} else if (c <= 0) {
+	    return -1;
+	}
+	if (netdata) {
+	    Dump('<', netiring.supply, c);
+	}
+	if (c)
+	    ring_supplied(&netiring, c);
+	returnValue = 1;
+    }
+
+    /*
+     * Something to read from the tty...
+     */
+    if (FD_ISSET(tin, &ibits)) {
+	FD_CLR(tin, &ibits);
+	c = TerminalRead(ttyiring.supply, ring_empty_consecutive(&ttyiring));
+	if (c < 0 && errno == EIO)
+	    c = 0;
+	if (c < 0 && errno == EWOULDBLOCK) {
+	    c = 0;
+	} else {
+	    /* EOF detection for line mode!!!! */
+	    if ((c == 0) && MODE_LOCAL_CHARS(globalmode) && isatty(tin)) {
+			/* must be an EOF... */
+		*ttyiring.supply = termEofChar;
+		c = 1;
+	    }
+	    if (c <= 0) {
+		return -1;
+	    }
+	    if (termdata) {
+		Dump('<', ttyiring.supply, c);
+	    }
+	    ring_supplied(&ttyiring, c);
+	}
+	returnValue = 1;		/* did something useful */
+    }
+
+    if (FD_ISSET(net, &obits)) {
+	FD_CLR(net, &obits);
+	returnValue |= netflush();
+    }
+    if (FD_ISSET(tout, &obits)) {
+	FD_CLR(tout, &obits);
+	returnValue |= (ttyflush(SYNCHing|flushout) > 0);
+    }
+
+    return returnValue;
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnet/telnet.c b/crypto/kerberosIV/appl/telnet/telnet/telnet.c
new file mode 100644
index 0000000..1df4d6e
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/telnet.c
@@ -0,0 +1,2313 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+#ifdef HAVE_TERMCAP_H
+#include <termcap.h>
+#endif
+
+RCSID("$Id: telnet.c,v 1.25 1999/03/11 13:49:34 joda Exp $");
+
+#define	strip(x) (eight ? (x) : ((x) & 0x7f))
+
+static unsigned char	subbuffer[SUBBUFSIZE],
+			*subpointer, *subend;	 /* buffer for sub-options */
+#define	SB_CLEAR()	subpointer = subbuffer;
+#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
+#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof subbuffer)) { \
+				*subpointer++ = (c); \
+			}
+
+#define	SB_GET()	((*subpointer++)&0xff)
+#define	SB_PEEK()	((*subpointer)&0xff)
+#define	SB_EOF()	(subpointer >= subend)
+#define	SB_LEN()	(subend - subpointer)
+
+char	options[256];		/* The combined options */
+char	do_dont_resp[256];
+char	will_wont_resp[256];
+
+int
+	eight = 3,
+	binary = 0,
+	autologin = 0,	/* Autologin anyone? */
+	skiprc = 0,
+	connected,
+	showoptions,
+	ISend,		/* trying to send network data in */
+	debug = 0,
+	crmod,
+	netdata,	/* Print out network data flow */
+	crlf,		/* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+	telnetport,
+	SYNCHing,	/* we are in TELNET SYNCH mode */
+	flushout,	/* flush output */
+	autoflush = 0,	/* flush output when interrupting? */
+	autosynch,	/* send interrupt characters with SYNCH? */
+	localflow,	/* we handle flow control locally */
+	restartany,	/* if flow control enabled, restart on any character */
+	localchars,	/* we recognize interrupt/quit */
+	donelclchars,	/* the user has set "localchars" */
+	donebinarytoggle,	/* the user has put us in binary */
+	dontlecho,	/* do we suppress local echoing right now? */
+	globalmode;
+
+char *prompt = 0;
+
+cc_t escape;
+cc_t rlogin;
+#ifdef	KLUDGELINEMODE
+cc_t echoc;
+#endif
+
+/*
+ * Telnet receiver states for fsm
+ */
+#define	TS_DATA		0
+#define	TS_IAC		1
+#define	TS_WILL		2
+#define	TS_WONT		3
+#define	TS_DO		4
+#define	TS_DONT		5
+#define	TS_CR		6
+#define	TS_SB		7		/* sub-option collection */
+#define	TS_SE		8		/* looking for sub-option end */
+
+static int	telrcv_state;
+#ifdef	OLD_ENVIRON
+unsigned char telopt_environ = TELOPT_NEW_ENVIRON;
+#else
+# define telopt_environ TELOPT_NEW_ENVIRON
+#endif
+
+jmp_buf	toplevel;
+jmp_buf	peerdied;
+
+int	flushline;
+int	linemode;
+
+#ifdef	KLUDGELINEMODE
+int	kludgelinemode = 1;
+#endif
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+Clocks clocks;
+
+static int is_unique(char *name, char **as, char **ae);
+
+
+/*
+ * Initialize telnet environment.
+ */
+
+void
+init_telnet(void)
+{
+    env_init();
+
+    SB_CLEAR();
+    memset(options, 0, sizeof options);
+
+    connected = ISend = localflow = donebinarytoggle = 0;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+    auth_encrypt_connect(connected);
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION)  */
+    restartany = -1;
+
+    SYNCHing = 0;
+
+    /* Don't change NetTrace */
+
+    escape = CONTROL(']');
+    rlogin = _POSIX_VDISABLE;
+#ifdef	KLUDGELINEMODE
+    echoc = CONTROL('E');
+#endif
+
+    flushline = 1;
+    telrcv_state = TS_DATA;
+}
+
+
+/*
+ * These routines are in charge of sending option negotiations
+ * to the other side.
+ *
+ * The basic idea is that we send the negotiation if either side
+ * is in disagreement as to what the current state should be.
+ */
+
+void
+send_do(int c, int init)
+{
+    if (init) {
+	if (((do_dont_resp[c] == 0) && my_state_is_do(c)) ||
+				my_want_state_is_do(c))
+	    return;
+	set_my_want_state_do(c);
+	do_dont_resp[c]++;
+    }
+    NET2ADD(IAC, DO);
+    NETADD(c);
+    printoption("SENT", DO, c);
+}
+
+void
+send_dont(int c, int init)
+{
+    if (init) {
+	if (((do_dont_resp[c] == 0) && my_state_is_dont(c)) ||
+				my_want_state_is_dont(c))
+	    return;
+	set_my_want_state_dont(c);
+	do_dont_resp[c]++;
+    }
+    NET2ADD(IAC, DONT);
+    NETADD(c);
+    printoption("SENT", DONT, c);
+}
+
+void
+send_will(int c, int init)
+{
+    if (init) {
+	if (((will_wont_resp[c] == 0) && my_state_is_will(c)) ||
+				my_want_state_is_will(c))
+	    return;
+	set_my_want_state_will(c);
+	will_wont_resp[c]++;
+    }
+    NET2ADD(IAC, WILL);
+    NETADD(c);
+    printoption("SENT", WILL, c);
+}
+
+void
+send_wont(int c, int init)
+{
+    if (init) {
+	if (((will_wont_resp[c] == 0) && my_state_is_wont(c)) ||
+				my_want_state_is_wont(c))
+	    return;
+	set_my_want_state_wont(c);
+	will_wont_resp[c]++;
+    }
+    NET2ADD(IAC, WONT);
+    NETADD(c);
+    printoption("SENT", WONT, c);
+}
+
+
+void
+willoption(int option)
+{
+	int new_state_ok = 0;
+
+	if (do_dont_resp[option]) {
+	    --do_dont_resp[option];
+	    if (do_dont_resp[option] && my_state_is_do(option))
+		--do_dont_resp[option];
+	}
+
+	if ((do_dont_resp[option] == 0) && my_want_state_is_dont(option)) {
+
+	    switch (option) {
+
+	    case TELOPT_ECHO:
+	    case TELOPT_BINARY:
+	    case TELOPT_SGA:
+		settimer(modenegotiated);
+		/* FALL THROUGH */
+	    case TELOPT_STATUS:
+#if	defined(AUTHENTICATION)
+	    case TELOPT_AUTHENTICATION:
+#endif
+#if	defined(ENCRYPTION)
+	    case TELOPT_ENCRYPT:
+#endif
+		new_state_ok = 1;
+		break;
+
+	    case TELOPT_TM:
+		if (flushout)
+		    flushout = 0;
+		/*
+		 * Special case for TM.  If we get back a WILL,
+		 * pretend we got back a WONT.
+		 */
+		set_my_want_state_dont(option);
+		set_my_state_dont(option);
+		return;			/* Never reply to TM will's/wont's */
+
+	    case TELOPT_LINEMODE:
+	    default:
+		break;
+	    }
+
+	    if (new_state_ok) {
+		set_my_want_state_do(option);
+		send_do(option, 0);
+		setconnmode(0);		/* possibly set new tty mode */
+	    } else {
+		do_dont_resp[option]++;
+		send_dont(option, 0);
+	    }
+	}
+	set_my_state_do(option);
+#if	defined(ENCRYPTION)
+	if (option == TELOPT_ENCRYPT)
+		encrypt_send_support();
+#endif
+}
+
+void
+wontoption(int option)
+{
+	if (do_dont_resp[option]) {
+	    --do_dont_resp[option];
+	    if (do_dont_resp[option] && my_state_is_dont(option))
+		--do_dont_resp[option];
+	}
+
+	if ((do_dont_resp[option] == 0) && my_want_state_is_do(option)) {
+
+	    switch (option) {
+
+#ifdef	KLUDGELINEMODE
+	    case TELOPT_SGA:
+		if (!kludgelinemode)
+		    break;
+		/* FALL THROUGH */
+#endif
+	    case TELOPT_ECHO:
+		settimer(modenegotiated);
+		break;
+
+	    case TELOPT_TM:
+		if (flushout)
+		    flushout = 0;
+		set_my_want_state_dont(option);
+		set_my_state_dont(option);
+		return;		/* Never reply to TM will's/wont's */
+
+#ifdef ENCRYPTION
+  	    case TELOPT_ENCRYPT:
+	      encrypt_not();
+	      break;
+#endif
+	    default:
+		break;
+	    }
+	    set_my_want_state_dont(option);
+	    if (my_state_is_do(option))
+		send_dont(option, 0);
+	    setconnmode(0);			/* Set new tty mode */
+	} else if (option == TELOPT_TM) {
+	    /*
+	     * Special case for TM.
+	     */
+	    if (flushout)
+		flushout = 0;
+	    set_my_want_state_dont(option);
+	}
+	set_my_state_dont(option);
+}
+
+static void
+dooption(int option)
+{
+	int new_state_ok = 0;
+
+	if (will_wont_resp[option]) {
+	    --will_wont_resp[option];
+	    if (will_wont_resp[option] && my_state_is_will(option))
+		--will_wont_resp[option];
+	}
+
+	if (will_wont_resp[option] == 0) {
+	  if (my_want_state_is_wont(option)) {
+
+	    switch (option) {
+
+	    case TELOPT_TM:
+		/*
+		 * Special case for TM.  We send a WILL, but pretend
+		 * we sent WONT.
+		 */
+		send_will(option, 0);
+		set_my_want_state_wont(TELOPT_TM);
+		set_my_state_wont(TELOPT_TM);
+		return;
+
+	    case TELOPT_BINARY:		/* binary mode */
+	    case TELOPT_NAWS:		/* window size */
+	    case TELOPT_TSPEED:		/* terminal speed */
+	    case TELOPT_LFLOW:		/* local flow control */
+	    case TELOPT_TTYPE:		/* terminal type option */
+	    case TELOPT_SGA:		/* no big deal */
+#if	defined(ENCRYPTION)
+	    case TELOPT_ENCRYPT:	/* encryption variable option */
+#endif
+		new_state_ok = 1;
+		break;
+
+	    case TELOPT_NEW_ENVIRON:	/* New environment variable option */
+#ifdef	OLD_ENVIRON
+		if (my_state_is_will(TELOPT_OLD_ENVIRON))
+			send_wont(TELOPT_OLD_ENVIRON, 1); /* turn off the old */
+		goto env_common;
+	    case TELOPT_OLD_ENVIRON:	/* Old environment variable option */
+		if (my_state_is_will(TELOPT_NEW_ENVIRON))
+			break;		/* Don't enable if new one is in use! */
+	    env_common:
+		telopt_environ = option;
+#endif
+		new_state_ok = 1;
+		break;
+
+#if	defined(AUTHENTICATION)
+	    case TELOPT_AUTHENTICATION:
+		if (autologin)
+			new_state_ok = 1;
+		break;
+#endif
+
+	    case TELOPT_XDISPLOC:	/* X Display location */
+		if (env_getvalue((unsigned char *)"DISPLAY"))
+		    new_state_ok = 1;
+		break;
+
+	    case TELOPT_LINEMODE:
+#ifdef	KLUDGELINEMODE
+		kludgelinemode = 0;
+		send_do(TELOPT_SGA, 1);
+#endif
+		set_my_want_state_will(TELOPT_LINEMODE);
+		send_will(option, 0);
+		set_my_state_will(TELOPT_LINEMODE);
+		slc_init();
+		return;
+
+	    case TELOPT_ECHO:		/* We're never going to echo... */
+	    default:
+		break;
+	    }
+
+	    if (new_state_ok) {
+		set_my_want_state_will(option);
+		send_will(option, 0);
+		setconnmode(0);			/* Set new tty mode */
+	    } else {
+		will_wont_resp[option]++;
+		send_wont(option, 0);
+	    }
+	  } else {
+	    /*
+	     * Handle options that need more things done after the
+	     * other side has acknowledged the option.
+	     */
+	    switch (option) {
+	    case TELOPT_LINEMODE:
+#ifdef	KLUDGELINEMODE
+		kludgelinemode = 0;
+		send_do(TELOPT_SGA, 1);
+#endif
+		set_my_state_will(option);
+		slc_init();
+		send_do(TELOPT_SGA, 0);
+		return;
+	    }
+	  }
+	}
+	set_my_state_will(option);
+}
+
+static void
+dontoption(int option)
+{
+
+	if (will_wont_resp[option]) {
+	    --will_wont_resp[option];
+	    if (will_wont_resp[option] && my_state_is_wont(option))
+		--will_wont_resp[option];
+	}
+
+	if ((will_wont_resp[option] == 0) && my_want_state_is_will(option)) {
+	    switch (option) {
+	    case TELOPT_LINEMODE:
+		linemode = 0;	/* put us back to the default state */
+		break;
+#ifdef	OLD_ENVIRON
+	    case TELOPT_NEW_ENVIRON:
+		/*
+		 * The new environ option wasn't recognized, try
+		 * the old one.
+		 */
+		send_will(TELOPT_OLD_ENVIRON, 1);
+		telopt_environ = TELOPT_OLD_ENVIRON;
+		break;
+#endif
+#if 0
+#ifdef ENCRYPTION
+	    case TELOPT_ENCRYPT:
+	      encrypt_not();
+	      break;
+#endif
+#endif
+	    }
+	    /* we always accept a DONT */
+	    set_my_want_state_wont(option);
+	    if (my_state_is_will(option))
+		send_wont(option, 0);
+	    setconnmode(0);			/* Set new tty mode */
+	}
+	set_my_state_wont(option);
+}
+
+/*
+ * Given a buffer returned by tgetent(), this routine will turn
+ * the pipe seperated list of names in the buffer into an array
+ * of pointers to null terminated names.  We toss out any bad,
+ * duplicate, or verbose names (names with spaces).
+ */
+
+static char *name_unknown = "UNKNOWN";
+static char *unknown[] = { 0, 0 };
+
+static char **
+mklist(char *buf, char *name)
+{
+	int n;
+	char c, *cp, **argvp, *cp2, **argv, **avt;
+
+	if (name) {
+		if ((int)strlen(name) > 40) {
+			name = 0;
+			unknown[0] = name_unknown;
+		} else {
+			unknown[0] = name;
+			strupr(name);
+		}
+	} else
+		unknown[0] = name_unknown;
+	/*
+	 * Count up the number of names.
+	 */
+	for (n = 1, cp = buf; *cp && *cp != ':'; cp++) {
+		if (*cp == '|')
+			n++;
+	}
+	/*
+	 * Allocate an array to put the name pointers into
+	 */
+	argv = (char **)malloc((n+3)*sizeof(char *));
+	if (argv == 0)
+		return(unknown);
+
+	/*
+	 * Fill up the array of pointers to names.
+	 */
+	*argv = 0;
+	argvp = argv+1;
+	n = 0;
+	for (cp = cp2 = buf; (c = *cp);  cp++) {
+		if (c == '|' || c == ':') {
+			*cp++ = '\0';
+			/*
+			 * Skip entries that have spaces or are over 40
+			 * characters long.  If this is our environment
+			 * name, then put it up front.  Otherwise, as
+			 * long as this is not a duplicate name (case
+			 * insensitive) add it to the list.
+			 */
+			if (n || (cp - cp2 > 41))
+				;
+			else if (name && (strncasecmp(name, cp2, cp-cp2) == 0))
+				*argv = cp2;
+			else if (is_unique(cp2, argv+1, argvp))
+				*argvp++ = cp2;
+			if (c == ':')
+				break;
+			/*
+			 * Skip multiple delimiters. Reset cp2 to
+			 * the beginning of the next name. Reset n,
+			 * the flag for names with spaces.
+			 */
+			while ((c = *cp) == '|')
+				cp++;
+			cp2 = cp;
+			n = 0;
+		}
+		/*
+		 * Skip entries with spaces or non-ascii values.
+		 * Convert lower case letters to upper case.
+		 */
+#define ISASCII(c) (!((c)&0x80))
+		if ((c == ' ') || !ISASCII(c))
+			n = 1;
+		else if (islower(c))
+			*cp = toupper(c);
+	}
+
+	/*
+	 * Check for an old V6 2 character name.  If the second
+	 * name points to the beginning of the buffer, and is
+	 * only 2 characters long, move it to the end of the array.
+	 */
+	if ((argv[1] == buf) && (strlen(argv[1]) == 2)) {
+		--argvp;
+		for (avt = &argv[1]; avt < argvp; avt++)
+			*avt = *(avt+1);
+		*argvp++ = buf;
+	}
+
+	/*
+	 * Duplicate last name, for TTYPE option, and null
+	 * terminate the array.  If we didn't find a match on
+	 * our terminal name, put that name at the beginning.
+	 */
+	cp = *(argvp-1);
+	*argvp++ = cp;
+	*argvp = 0;
+
+	if (*argv == 0) {
+		if (name)
+			*argv = name;
+		else {
+			--argvp;
+			for (avt = argv; avt < argvp; avt++)
+				*avt = *(avt+1);
+		}
+	}
+	if (*argv)
+		return(argv);
+	else
+		return(unknown);
+}
+
+static int
+is_unique(char *name, char **as, char **ae)
+{
+	char **ap;
+	int n;
+
+	n = strlen(name) + 1;
+	for (ap = as; ap < ae; ap++)
+		if (strncasecmp(*ap, name, n) == 0)
+			return(0);
+	return (1);
+}
+
+static char termbuf[1024];
+
+static int
+telnet_setupterm(const char *tname, int fd, int *errp)
+{
+	if (tgetent(termbuf, tname) == 1) {
+		termbuf[1023] = '\0';
+		if (errp)
+			*errp = 1;
+		return(0);
+	}
+	if (errp)
+		*errp = 0;
+	return(-1);
+}
+
+int resettermname = 1;
+
+static char *
+gettermname()
+{
+	char *tname;
+	static char **tnamep = 0;
+	static char **next;
+	int err;
+
+	if (resettermname) {
+		resettermname = 0;
+		if (tnamep && tnamep != unknown)
+			free(tnamep);
+		if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) &&
+				telnet_setupterm(tname, 1, &err) == 0) {
+			tnamep = mklist(termbuf, tname);
+		} else {
+			if (tname && ((int)strlen(tname) <= 40)) {
+				unknown[0] = tname;
+				strupr(tname);
+			} else
+				unknown[0] = name_unknown;
+			tnamep = unknown;
+		}
+		next = tnamep;
+	}
+	if (*next == 0)
+		next = tnamep;
+	return(*next++);
+}
+/*
+ * suboption()
+ *
+ *	Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *	Currently we recognize:
+ *
+ *		Terminal type, send request.
+ *		Terminal speed (send request).
+ *		Local flow control (is request).
+ *		Linemode
+ */
+
+static void
+suboption()
+{
+    unsigned char subchar;
+
+    printsub('<', subbuffer, SB_LEN()+2);
+    switch (subchar = SB_GET()) {
+    case TELOPT_TTYPE:
+	if (my_want_state_is_wont(TELOPT_TTYPE))
+	    return;
+	if (SB_EOF() || SB_GET() != TELQUAL_SEND) {
+	    return;
+	} else {
+	    char *name;
+	    unsigned char temp[50];
+	    int len;
+
+	    name = gettermname();
+	    len = strlen(name) + 4 + 2;
+	    if (len < NETROOM()) {
+		snprintf((char *)temp, sizeof(temp),
+			 "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+			 TELQUAL_IS, name, IAC, SE);
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', &temp[2], len-2);
+	    } else {
+		ExitString("No room in buffer for terminal type.\n", 1);
+		/*NOTREACHED*/
+	    }
+	}
+	break;
+    case TELOPT_TSPEED:
+	if (my_want_state_is_wont(TELOPT_TSPEED))
+	    return;
+	if (SB_EOF())
+	    return;
+	if (SB_GET() == TELQUAL_SEND) {
+	    long output_speed, input_speed;
+	    unsigned char temp[50];
+	    int len;
+
+	    TerminalSpeeds(&input_speed, &output_speed);
+
+	    snprintf((char *)temp, sizeof(temp),
+		     "%c%c%c%c%u,%u%c%c", IAC, SB, TELOPT_TSPEED,
+		     TELQUAL_IS,
+		     (unsigned)output_speed,
+		     (unsigned)input_speed, IAC, SE);
+	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
+
+	    if (len < NETROOM()) {
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', temp+2, len - 2);
+	    }
+/*@*/	    else printf("lm_will: not enough room in buffer\n");
+	}
+	break;
+    case TELOPT_LFLOW:
+	if (my_want_state_is_wont(TELOPT_LFLOW))
+	    return;
+	if (SB_EOF())
+	    return;
+	switch(SB_GET()) {
+	case LFLOW_RESTART_ANY:
+	    restartany = 1;
+	    break;
+	case LFLOW_RESTART_XON:
+	    restartany = 0;
+	    break;
+	case LFLOW_ON:
+	    localflow = 1;
+	    break;
+	case LFLOW_OFF:
+	    localflow = 0;
+	    break;
+	default:
+	    return;
+	}
+	setcommandmode();
+	setconnmode(0);
+	break;
+
+    case TELOPT_LINEMODE:
+	if (my_want_state_is_wont(TELOPT_LINEMODE))
+	    return;
+	if (SB_EOF())
+	    return;
+	switch (SB_GET()) {
+	case WILL:
+	    lm_will(subpointer, SB_LEN());
+	    break;
+	case WONT:
+	    lm_wont(subpointer, SB_LEN());
+	    break;
+	case DO:
+	    lm_do(subpointer, SB_LEN());
+	    break;
+	case DONT:
+	    lm_dont(subpointer, SB_LEN());
+	    break;
+	case LM_SLC:
+	    slc(subpointer, SB_LEN());
+	    break;
+	case LM_MODE:
+	    lm_mode(subpointer, SB_LEN(), 0);
+	    break;
+	default:
+	    break;
+	}
+	break;
+
+#ifdef	OLD_ENVIRON
+    case TELOPT_OLD_ENVIRON:
+#endif
+    case TELOPT_NEW_ENVIRON:
+	if (SB_EOF())
+	    return;
+	switch(SB_PEEK()) {
+	case TELQUAL_IS:
+	case TELQUAL_INFO:
+	    if (my_want_state_is_dont(subchar))
+		return;
+	    break;
+	case TELQUAL_SEND:
+	    if (my_want_state_is_wont(subchar)) {
+		return;
+	    }
+	    break;
+	default:
+	    return;
+	}
+	env_opt(subpointer, SB_LEN());
+	break;
+
+    case TELOPT_XDISPLOC:
+	if (my_want_state_is_wont(TELOPT_XDISPLOC))
+	    return;
+	if (SB_EOF())
+	    return;
+	if (SB_GET() == TELQUAL_SEND) {
+	    unsigned char temp[50], *dp;
+	    int len;
+
+	    if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) {
+		/*
+		 * Something happened, we no longer have a DISPLAY
+		 * variable.  So, turn off the option.
+		 */
+		send_wont(TELOPT_XDISPLOC, 1);
+		break;
+	    }
+	    snprintf((char *)temp, sizeof(temp),
+		     "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
+		     TELQUAL_IS, dp, IAC, SE);
+	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
+
+	    if (len < NETROOM()) {
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', temp+2, len - 2);
+	    }
+/*@*/	    else printf("lm_will: not enough room in buffer\n");
+	}
+	break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION: {
+		if (!autologin)
+			break;
+		if (SB_EOF())
+			return;
+		switch(SB_GET()) {
+		case TELQUAL_IS:
+			if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+				return;
+			auth_is(subpointer, SB_LEN());
+			break;
+		case TELQUAL_SEND:
+			if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+				return;
+			auth_send(subpointer, SB_LEN());
+			break;
+		case TELQUAL_REPLY:
+			if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+				return;
+			auth_reply(subpointer, SB_LEN());
+			break;
+		case TELQUAL_NAME:
+			if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+				return;
+			auth_name(subpointer, SB_LEN());
+			break;
+		}
+	}
+	break;
+#endif
+#if	defined(ENCRYPTION)
+	case TELOPT_ENCRYPT:
+		if (SB_EOF())
+			return;
+		switch(SB_GET()) {
+		case ENCRYPT_START:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_start(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_END:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_end();
+			break;
+		case ENCRYPT_SUPPORT:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_support(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REQSTART:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_request_start(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REQEND:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			/*
+			 * We can always send an REQEND so that we cannot
+			 * get stuck encrypting.  We should only get this
+			 * if we have been able to get in the correct mode
+			 * anyhow.
+			 */
+			encrypt_request_end();
+			break;
+		case ENCRYPT_IS:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_is(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REPLY:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_reply(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_ENC_KEYID:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_enc_keyid(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_DEC_KEYID:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_dec_keyid(subpointer, SB_LEN());
+			break;
+		default:
+			break;
+		}
+		break;
+#endif
+    default:
+	break;
+    }
+}
+
+static unsigned char str_lm[] = { IAC, SB, TELOPT_LINEMODE, 0, 0, IAC, SE };
+
+void
+lm_will(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_will: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:	/* We shouldn't ever get this... */
+    default:
+	str_lm[3] = DONT;
+	str_lm[4] = cmd[0];
+	if (NETROOM() > sizeof(str_lm)) {
+	    ring_supply_data(&netoring, str_lm, sizeof(str_lm));
+	    printsub('>', &str_lm[2], sizeof(str_lm)-2);
+	}
+/*@*/	else printf("lm_will: not enough room in buffer\n");
+	break;
+    }
+}
+
+void
+lm_wont(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_wont: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:	/* We shouldn't ever get this... */
+    default:
+	/* We are always DONT, so don't respond */
+	return;
+    }
+}
+
+void
+lm_do(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_do: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:
+    default:
+	str_lm[3] = WONT;
+	str_lm[4] = cmd[0];
+	if (NETROOM() > sizeof(str_lm)) {
+	    ring_supply_data(&netoring, str_lm, sizeof(str_lm));
+	    printsub('>', &str_lm[2], sizeof(str_lm)-2);
+	}
+/*@*/	else printf("lm_do: not enough room in buffer\n");
+	break;
+    }
+}
+
+void
+lm_dont(unsigned char *cmd, int len)
+{
+    if (len < 1) {
+/*@*/	printf("lm_dont: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:
+    default:
+	/* we are always WONT, so don't respond */
+	break;
+    }
+}
+
+static unsigned char str_lm_mode[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_MODE, 0, IAC, SE
+};
+
+void
+lm_mode(unsigned char *cmd, int len, int init)
+{
+	if (len != 1)
+		return;
+	if ((linemode&MODE_MASK&~MODE_ACK) == *cmd)
+		return;
+	if (*cmd&MODE_ACK)
+		return;
+	linemode = *cmd&(MODE_MASK&~MODE_ACK);
+	str_lm_mode[4] = linemode;
+	if (!init)
+	    str_lm_mode[4] |= MODE_ACK;
+	if (NETROOM() > sizeof(str_lm_mode)) {
+	    ring_supply_data(&netoring, str_lm_mode, sizeof(str_lm_mode));
+	    printsub('>', &str_lm_mode[2], sizeof(str_lm_mode)-2);
+	}
+/*@*/	else printf("lm_mode: not enough room in buffer\n");
+	setconnmode(0);	/* set changed mode */
+}
+
+
+
+/*
+ * slc()
+ * Handle special character suboption of LINEMODE.
+ */
+
+struct spc {
+	cc_t val;
+	cc_t *valp;
+	char flags;	/* Current flags & level */
+	char mylevel;	/* Maximum level & flags */
+} spc_data[NSLC+1];
+
+#define SLC_IMPORT	0
+#define	SLC_EXPORT	1
+#define SLC_RVALUE	2
+static int slc_mode = SLC_EXPORT;
+
+void
+slc_init()
+{
+	struct spc *spcp;
+
+	localchars = 1;
+	for (spcp = spc_data; spcp < &spc_data[NSLC+1]; spcp++) {
+		spcp->val = 0;
+		spcp->valp = 0;
+		spcp->flags = spcp->mylevel = SLC_NOSUPPORT;
+	}
+
+#define	initfunc(func, flags) { \
+					spcp = &spc_data[func]; \
+					if ((spcp->valp = tcval(func))) { \
+					    spcp->val = *spcp->valp; \
+					    spcp->mylevel = SLC_VARIABLE|flags; \
+					} else { \
+					    spcp->val = 0; \
+					    spcp->mylevel = SLC_DEFAULT; \
+					} \
+				    }
+
+	initfunc(SLC_SYNCH, 0);
+	/* No BRK */
+	initfunc(SLC_AO, 0);
+	initfunc(SLC_AYT, 0);
+	/* No EOR */
+	initfunc(SLC_ABORT, SLC_FLUSHIN|SLC_FLUSHOUT);
+	initfunc(SLC_EOF, 0);
+	initfunc(SLC_SUSP, SLC_FLUSHIN);
+	initfunc(SLC_EC, 0);
+	initfunc(SLC_EL, 0);
+	initfunc(SLC_EW, 0);
+	initfunc(SLC_RP, 0);
+	initfunc(SLC_LNEXT, 0);
+	initfunc(SLC_XON, 0);
+	initfunc(SLC_XOFF, 0);
+	initfunc(SLC_FORW1, 0);
+	initfunc(SLC_FORW2, 0);
+	/* No FORW2 */
+
+	initfunc(SLC_IP, SLC_FLUSHIN|SLC_FLUSHOUT);
+#undef	initfunc
+
+	if (slc_mode == SLC_EXPORT)
+		slc_export();
+	else
+		slc_import(1);
+
+}
+
+void
+slcstate()
+{
+    printf("Special characters are %s values\n",
+		slc_mode == SLC_IMPORT ? "remote default" :
+		slc_mode == SLC_EXPORT ? "local" :
+					 "remote");
+}
+
+void
+slc_mode_export()
+{
+    slc_mode = SLC_EXPORT;
+    if (my_state_is_will(TELOPT_LINEMODE))
+	slc_export();
+}
+
+void
+slc_mode_import(int def)
+{
+    slc_mode = def ? SLC_IMPORT : SLC_RVALUE;
+    if (my_state_is_will(TELOPT_LINEMODE))
+	slc_import(def);
+}
+
+unsigned char slc_import_val[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_SLC, 0, SLC_VARIABLE, 0, IAC, SE
+};
+unsigned char slc_import_def[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_SLC, 0, SLC_DEFAULT, 0, IAC, SE
+};
+
+void
+slc_import(int def)
+{
+    if (NETROOM() > sizeof(slc_import_val)) {
+	if (def) {
+	    ring_supply_data(&netoring, slc_import_def, sizeof(slc_import_def));
+	    printsub('>', &slc_import_def[2], sizeof(slc_import_def)-2);
+	} else {
+	    ring_supply_data(&netoring, slc_import_val, sizeof(slc_import_val));
+	    printsub('>', &slc_import_val[2], sizeof(slc_import_val)-2);
+	}
+    }
+/*@*/ else printf("slc_import: not enough room\n");
+}
+
+void
+slc_export()
+{
+    struct spc *spcp;
+
+    TerminalDefaultChars();
+
+    slc_start_reply();
+    for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+	if (spcp->mylevel != SLC_NOSUPPORT) {
+	    if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+		spcp->flags = SLC_NOSUPPORT;
+	    else
+		spcp->flags = spcp->mylevel;
+	    if (spcp->valp)
+		spcp->val = *spcp->valp;
+	    slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+	}
+    }
+    slc_end_reply();
+    slc_update();
+    setconnmode(1);	/* Make sure the character values are set */
+}
+
+void
+slc(unsigned char *cp, int len)
+{
+	struct spc *spcp;
+	int func,level;
+
+	slc_start_reply();
+
+	for (; len >= 3; len -=3, cp +=3) {
+
+		func = cp[SLC_FUNC];
+
+		if (func == 0) {
+			/*
+			 * Client side: always ignore 0 function.
+			 */
+			continue;
+		}
+		if (func > NSLC) {
+			if ((cp[SLC_FLAGS] & SLC_LEVELBITS) != SLC_NOSUPPORT)
+				slc_add_reply(func, SLC_NOSUPPORT, 0);
+			continue;
+		}
+
+		spcp = &spc_data[func];
+
+		level = cp[SLC_FLAGS]&(SLC_LEVELBITS|SLC_ACK);
+
+		if ((cp[SLC_VALUE] == (unsigned char)spcp->val) &&
+		    ((level&SLC_LEVELBITS) == (spcp->flags&SLC_LEVELBITS))) {
+			continue;
+		}
+
+		if (level == (SLC_DEFAULT|SLC_ACK)) {
+			/*
+			 * This is an error condition, the SLC_ACK
+			 * bit should never be set for the SLC_DEFAULT
+			 * level.  Our best guess to recover is to
+			 * ignore the SLC_ACK bit.
+			 */
+			cp[SLC_FLAGS] &= ~SLC_ACK;
+		}
+
+		if (level == ((spcp->flags&SLC_LEVELBITS)|SLC_ACK)) {
+			spcp->val = (cc_t)cp[SLC_VALUE];
+			spcp->flags = cp[SLC_FLAGS];	/* include SLC_ACK */
+			continue;
+		}
+
+		level &= ~SLC_ACK;
+
+		if (level <= (spcp->mylevel&SLC_LEVELBITS)) {
+			spcp->flags = cp[SLC_FLAGS]|SLC_ACK;
+			spcp->val = (cc_t)cp[SLC_VALUE];
+		}
+		if (level == SLC_DEFAULT) {
+			if ((spcp->mylevel&SLC_LEVELBITS) != SLC_DEFAULT)
+				spcp->flags = spcp->mylevel;
+			else
+				spcp->flags = SLC_NOSUPPORT;
+		}
+		slc_add_reply(func, spcp->flags, spcp->val);
+	}
+	slc_end_reply();
+	if (slc_update())
+		setconnmode(1);	/* set the  new character values */
+}
+
+void
+slc_check()
+{
+    struct spc *spcp;
+
+    slc_start_reply();
+    for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+	if (spcp->valp && spcp->val != *spcp->valp) {
+	    spcp->val = *spcp->valp;
+	    if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+		spcp->flags = SLC_NOSUPPORT;
+	    else
+		spcp->flags = spcp->mylevel;
+	    slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+	}
+    }
+    slc_end_reply();
+    setconnmode(1);
+}
+
+
+unsigned char slc_reply[128];
+unsigned char *slc_replyp;
+
+void
+slc_start_reply()
+{
+	slc_replyp = slc_reply;
+	*slc_replyp++ = IAC;
+	*slc_replyp++ = SB;
+	*slc_replyp++ = TELOPT_LINEMODE;
+	*slc_replyp++ = LM_SLC;
+}
+
+void
+slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
+{
+	if ((*slc_replyp++ = func) == IAC)
+		*slc_replyp++ = IAC;
+	if ((*slc_replyp++ = flags) == IAC)
+		*slc_replyp++ = IAC;
+	if ((*slc_replyp++ = (unsigned char)value) == IAC)
+		*slc_replyp++ = IAC;
+}
+
+void
+slc_end_reply()
+{
+    int len;
+
+    *slc_replyp++ = IAC;
+    *slc_replyp++ = SE;
+    len = slc_replyp - slc_reply;
+    if (len <= 6)
+	return;
+    if (NETROOM() > len) {
+	ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+	printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+    }
+/*@*/else printf("slc_end_reply: not enough room\n");
+}
+
+int
+slc_update()
+{
+	struct spc *spcp;
+	int need_update = 0;
+
+	for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+		if (!(spcp->flags&SLC_ACK))
+			continue;
+		spcp->flags &= ~SLC_ACK;
+		if (spcp->valp && (*spcp->valp != spcp->val)) {
+			*spcp->valp = spcp->val;
+			need_update = 1;
+		}
+	}
+	return(need_update);
+}
+
+#ifdef	OLD_ENVIRON
+#  define old_env_var OLD_ENV_VAR
+#  define old_env_value OLD_ENV_VALUE
+#endif
+
+void
+env_opt(unsigned char *buf, int len)
+{
+	unsigned char *ep = 0, *epc = 0;
+	int i;
+
+	switch(buf[0]&0xff) {
+	case TELQUAL_SEND:
+		env_opt_start();
+		if (len == 1) {
+			env_opt_add(NULL);
+		} else for (i = 1; i < len; i++) {
+			switch (buf[i]&0xff) {
+#ifdef	OLD_ENVIRON
+			case OLD_ENV_VAR:
+			case OLD_ENV_VALUE:
+				/*
+				 * Although OLD_ENV_VALUE is not legal, we will
+				 * still recognize it, just in case it is an
+				 * old server that has VAR & VALUE mixed up...
+				 */
+				/* FALL THROUGH */
+#else
+			case NEW_ENV_VAR:
+#endif
+			case ENV_USERVAR:
+				if (ep) {
+					*epc = 0;
+					env_opt_add(ep);
+				}
+				ep = epc = &buf[i+1];
+				break;
+			case ENV_ESC:
+				i++;
+				/*FALL THROUGH*/
+			default:
+				if (epc)
+					*epc++ = buf[i];
+				break;
+			}
+		}
+		if (ep) {
+			*epc = 0;
+			env_opt_add(ep);
+		}
+		env_opt_end(1);
+		break;
+
+	case TELQUAL_IS:
+	case TELQUAL_INFO:
+		/* Ignore for now.  We shouldn't get it anyway. */
+		break;
+
+	default:
+		break;
+	}
+}
+
+#define	OPT_REPLY_SIZE	256
+unsigned char *opt_reply;
+unsigned char *opt_replyp;
+unsigned char *opt_replyend;
+
+void
+env_opt_start()
+{
+	if (opt_reply)
+		opt_reply = (unsigned char *)realloc(opt_reply, OPT_REPLY_SIZE);
+	else
+		opt_reply = (unsigned char *)malloc(OPT_REPLY_SIZE);
+	if (opt_reply == NULL) {
+/*@*/		printf("env_opt_start: malloc()/realloc() failed!!!\n");
+		opt_reply = opt_replyp = opt_replyend = NULL;
+		return;
+	}
+	opt_replyp = opt_reply;
+	opt_replyend = opt_reply + OPT_REPLY_SIZE;
+	*opt_replyp++ = IAC;
+	*opt_replyp++ = SB;
+	*opt_replyp++ = telopt_environ;
+	*opt_replyp++ = TELQUAL_IS;
+}
+
+void
+env_opt_start_info()
+{
+	env_opt_start();
+	if (opt_replyp)
+	    opt_replyp[-1] = TELQUAL_INFO;
+}
+
+void
+env_opt_add(unsigned char *ep)
+{
+	unsigned char *vp, c;
+
+	if (opt_reply == NULL)		/*XXX*/
+		return;			/*XXX*/
+
+	if (ep == NULL || *ep == '\0') {
+		/* Send user defined variables first. */
+		env_default(1, 0);
+		while ((ep = env_default(0, 0)))
+			env_opt_add(ep);
+
+		/* Now add the list of well know variables.  */
+		env_default(1, 1);
+		while ((ep = env_default(0, 1)))
+			env_opt_add(ep);
+		return;
+	}
+	vp = env_getvalue(ep);
+	if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+				strlen((char *)ep) + 6 > opt_replyend)
+	{
+		int len;
+		opt_replyend += OPT_REPLY_SIZE;
+		len = opt_replyend - opt_reply;
+		opt_reply = (unsigned char *)realloc(opt_reply, len);
+		if (opt_reply == NULL) {
+/*@*/			printf("env_opt_add: realloc() failed!!!\n");
+			opt_reply = opt_replyp = opt_replyend = NULL;
+			return;
+		}
+		opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+		opt_replyend = opt_reply + len;
+	}
+	if (opt_welldefined((char *)ep)) {
+#ifdef	OLD_ENVIRON
+		if (telopt_environ == TELOPT_OLD_ENVIRON)
+			*opt_replyp++ = old_env_var;
+		else
+#endif
+			*opt_replyp++ = NEW_ENV_VAR;
+	} else
+		*opt_replyp++ = ENV_USERVAR;
+	for (;;) {
+		while ((c = *ep++)) {
+			switch(c&0xff) {
+			case IAC:
+				*opt_replyp++ = IAC;
+				break;
+			case NEW_ENV_VAR:
+			case NEW_ENV_VALUE:
+			case ENV_ESC:
+			case ENV_USERVAR:
+				*opt_replyp++ = ENV_ESC;
+				break;
+			}
+			*opt_replyp++ = c;
+		}
+		if ((ep = vp)) {
+#ifdef	OLD_ENVIRON
+			if (telopt_environ == TELOPT_OLD_ENVIRON)
+				*opt_replyp++ = old_env_value;
+			else
+#endif
+				*opt_replyp++ = NEW_ENV_VALUE;
+			vp = NULL;
+		} else
+			break;
+	}
+}
+
+int
+opt_welldefined(char *ep)
+{
+	if ((strcmp(ep, "USER") == 0) ||
+	    (strcmp(ep, "DISPLAY") == 0) ||
+	    (strcmp(ep, "PRINTER") == 0) ||
+	    (strcmp(ep, "SYSTEMTYPE") == 0) ||
+	    (strcmp(ep, "JOB") == 0) ||
+	    (strcmp(ep, "ACCT") == 0))
+		return(1);
+	return(0);
+}
+
+void
+env_opt_end(int emptyok)
+{
+	int len;
+
+	len = opt_replyp - opt_reply + 2;
+	if (emptyok || len > 6) {
+		*opt_replyp++ = IAC;
+		*opt_replyp++ = SE;
+		if (NETROOM() > len) {
+			ring_supply_data(&netoring, opt_reply, len);
+			printsub('>', &opt_reply[2], len - 2);
+		}
+/*@*/		else printf("slc_end_reply: not enough room\n");
+	}
+	if (opt_reply) {
+		free(opt_reply);
+		opt_reply = opt_replyp = opt_replyend = NULL;
+	}
+}
+
+
+
+int
+telrcv(void)
+{
+    int c;
+    int scc;
+    unsigned char *sbp = NULL;
+    int count;
+    int returnValue = 0;
+
+    scc = 0;
+    count = 0;
+    while (TTYROOM() > 2) {
+	if (scc == 0) {
+	    if (count) {
+		ring_consumed(&netiring, count);
+		returnValue = 1;
+		count = 0;
+	    }
+	    sbp = netiring.consume;
+	    scc = ring_full_consecutive(&netiring);
+	    if (scc == 0) {
+		/* No more data coming in */
+		break;
+	    }
+	}
+
+	c = *sbp++ & 0xff, scc--; count++;
+#if	defined(ENCRYPTION)
+	if (decrypt_input)
+		c = (*decrypt_input)(c);
+#endif
+
+	switch (telrcv_state) {
+
+	case TS_CR:
+	    telrcv_state = TS_DATA;
+	    if (c == '\0') {
+		break;	/* Ignore \0 after CR */
+	    }
+	    else if ((c == '\n') && my_want_state_is_dont(TELOPT_ECHO) && !crmod) {
+		TTYADD(c);
+		break;
+	    }
+	    /* Else, fall through */
+
+	case TS_DATA:
+	    if (c == IAC) {
+		telrcv_state = TS_IAC;
+		break;
+	    }
+		    /* 
+		     * The 'crmod' hack (see following) is needed
+		     * since we can't set CRMOD on output only.
+		     * Machines like MULTICS like to send \r without
+		     * \n; since we must turn off CRMOD to get proper
+		     * input, the mapping is done here (sigh).
+		     */
+	    if ((c == '\r') && my_want_state_is_dont(TELOPT_BINARY)) {
+		if (scc > 0) {
+		    c = *sbp&0xff;
+#if	defined(ENCRYPTION)
+		    if (decrypt_input)
+			c = (*decrypt_input)(c);
+#endif
+		    if (c == 0) {
+			sbp++, scc--; count++;
+			/* a "true" CR */
+			TTYADD('\r');
+		    } else if (my_want_state_is_dont(TELOPT_ECHO) &&
+					(c == '\n')) {
+			sbp++, scc--; count++;
+			TTYADD('\n');
+		    } else {
+#if	defined(ENCRYPTION)
+		        if (decrypt_input)
+			    (*decrypt_input)(-1);
+#endif
+
+			TTYADD('\r');
+			if (crmod) {
+				TTYADD('\n');
+			}
+		    }
+		} else {
+		    telrcv_state = TS_CR;
+		    TTYADD('\r');
+		    if (crmod) {
+			    TTYADD('\n');
+		    }
+		}
+	    } else {
+		TTYADD(c);
+	    }
+	    continue;
+
+	case TS_IAC:
+process_iac:
+	    switch (c) {
+
+	    case WILL:
+		telrcv_state = TS_WILL;
+		continue;
+
+	    case WONT:
+		telrcv_state = TS_WONT;
+		continue;
+
+	    case DO:
+		telrcv_state = TS_DO;
+		continue;
+
+	    case DONT:
+		telrcv_state = TS_DONT;
+		continue;
+
+	    case DM:
+		    /*
+		     * We may have missed an urgent notification,
+		     * so make sure we flush whatever is in the
+		     * buffer currently.
+		     */
+		printoption("RCVD", IAC, DM);
+		SYNCHing = 1;
+		ttyflush(1);
+		SYNCHing = stilloob();
+		settimer(gotDM);
+		break;
+
+	    case SB:
+		SB_CLEAR();
+		telrcv_state = TS_SB;
+		continue;
+
+
+	    case IAC:
+		TTYADD(IAC);
+		break;
+
+	    case NOP:
+	    case GA:
+	    default:
+		printoption("RCVD", IAC, c);
+		break;
+	    }
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_WILL:
+	    printoption("RCVD", WILL, c);
+	    willoption(c);
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_WONT:
+	    printoption("RCVD", WONT, c);
+	    wontoption(c);
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_DO:
+	    printoption("RCVD", DO, c);
+	    dooption(c);
+	    if (c == TELOPT_NAWS) {
+		sendnaws();
+	    } else if (c == TELOPT_LFLOW) {
+		localflow = 1;
+		setcommandmode();
+		setconnmode(0);
+	    }
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_DONT:
+	    printoption("RCVD", DONT, c);
+	    dontoption(c);
+	    flushline = 1;
+	    setconnmode(0);	/* set new tty mode (maybe) */
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_SB:
+	    if (c == IAC) {
+		telrcv_state = TS_SE;
+	    } else {
+		SB_ACCUM(c);
+	    }
+	    continue;
+
+	case TS_SE:
+	    if (c != SE) {
+		if (c != IAC) {
+		    /*
+		     * This is an error.  We only expect to get
+		     * "IAC IAC" or "IAC SE".  Several things may
+		     * have happend.  An IAC was not doubled, the
+		     * IAC SE was left off, or another option got
+		     * inserted into the suboption are all possibilities.
+		     * If we assume that the IAC was not doubled,
+		     * and really the IAC SE was left off, we could
+		     * get into an infinate loop here.  So, instead,
+		     * we terminate the suboption, and process the
+		     * partial suboption if we can.
+		     */
+		    SB_ACCUM(IAC);
+		    SB_ACCUM(c);
+		    subpointer -= 2;
+		    SB_TERM();
+
+		    printoption("In SUBOPTION processing, RCVD", IAC, c);
+		    suboption();	/* handle sub-option */
+		    telrcv_state = TS_IAC;
+		    goto process_iac;
+		}
+		SB_ACCUM(c);
+		telrcv_state = TS_SB;
+	    } else {
+		SB_ACCUM(IAC);
+		SB_ACCUM(SE);
+		subpointer -= 2;
+		SB_TERM();
+		suboption();	/* handle sub-option */
+		telrcv_state = TS_DATA;
+	    }
+	}
+    }
+    if (count)
+	ring_consumed(&netiring, count);
+    return returnValue||count;
+}
+
+static int bol = 1, local = 0;
+
+int
+rlogin_susp(void)
+{
+    if (local) {
+	local = 0;
+	bol = 1;
+	command(0, "z\n", 2);
+	return(1);
+    }
+    return(0);
+}
+
+static int
+telsnd()
+{
+    int tcc;
+    int count;
+    int returnValue = 0;
+    unsigned char *tbp = NULL;
+
+    tcc = 0;
+    count = 0;
+    while (NETROOM() > 2) {
+	int sc;
+	int c;
+
+	if (tcc == 0) {
+	    if (count) {
+		ring_consumed(&ttyiring, count);
+		returnValue = 1;
+		count = 0;
+	    }
+	    tbp = ttyiring.consume;
+	    tcc = ring_full_consecutive(&ttyiring);
+	    if (tcc == 0) {
+		break;
+	    }
+	}
+	c = *tbp++ & 0xff, sc = strip(c), tcc--; count++;
+	if (rlogin != _POSIX_VDISABLE) {
+		if (bol) {
+			bol = 0;
+			if (sc == rlogin) {
+				local = 1;
+				continue;
+			}
+		} else if (local) {
+			local = 0;
+			if (sc == '.' || c == termEofChar) {
+				bol = 1;
+				command(0, "close\n", 6);
+				continue;
+			}
+			if (sc == termSuspChar) {
+				bol = 1;
+				command(0, "z\n", 2);
+				continue;
+			}
+			if (sc == escape) {
+				command(0, (char *)tbp, tcc);
+				bol = 1;
+				count += tcc;
+				tcc = 0;
+				flushline = 1;
+				break;
+			}
+			if (sc != rlogin) {
+				++tcc;
+				--tbp;
+				--count;
+				c = sc = rlogin;
+			}
+		}
+		if ((sc == '\n') || (sc == '\r'))
+			bol = 1;
+	} else if (sc == escape) {
+	    /*
+	     * Double escape is a pass through of a single escape character.
+	     */
+	    if (tcc && strip(*tbp) == escape) {
+		tbp++;
+		tcc--;
+		count++;
+		bol = 0;
+	    } else {
+		command(0, (char *)tbp, tcc);
+		bol = 1;
+		count += tcc;
+		tcc = 0;
+		flushline = 1;
+		break;
+	    }
+	} else
+	    bol = 0;
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode && (globalmode&MODE_EDIT) && (sc == echoc)) {
+	    if (tcc > 0 && strip(*tbp) == echoc) {
+		tcc--; tbp++; count++;
+	    } else {
+		dontlecho = !dontlecho;
+		settimer(echotoggle);
+		setconnmode(0);
+		flushline = 1;
+		break;
+	    }
+	}
+#endif
+	if (MODE_LOCAL_CHARS(globalmode)) {
+	    if (TerminalSpecialChars(sc) == 0) {
+		bol = 1;
+		break;
+	    }
+	}
+	if (my_want_state_is_wont(TELOPT_BINARY)) {
+	    switch (c) {
+	    case '\n':
+		    /*
+		     * If we are in CRMOD mode (\r ==> \n)
+		     * on our local machine, then probably
+		     * a newline (unix) is CRLF (TELNET).
+		     */
+		if (MODE_LOCAL_CHARS(globalmode)) {
+		    NETADD('\r');
+		}
+		NETADD('\n');
+		bol = flushline = 1;
+		break;
+	    case '\r':
+		if (!crlf) {
+		    NET2ADD('\r', '\0');
+		} else {
+		    NET2ADD('\r', '\n');
+		}
+		bol = flushline = 1;
+		break;
+	    case IAC:
+		NET2ADD(IAC, IAC);
+		break;
+	    default:
+		NETADD(c);
+		break;
+	    }
+	} else if (c == IAC) {
+	    NET2ADD(IAC, IAC);
+	} else {
+	    NETADD(c);
+	}
+    }
+    if (count)
+	ring_consumed(&ttyiring, count);
+    return returnValue||count;		/* Non-zero if we did anything */
+}
+
+/*
+ * Scheduler()
+ *
+ * Try to do something.
+ *
+ * If we do something useful, return 1; else return 0.
+ *
+ */
+
+
+static int
+Scheduler(int block) /* should we block in the select ? */
+{
+		/* One wants to be a bit careful about setting returnValue
+		 * to one, since a one implies we did some useful work,
+		 * and therefore probably won't be called to block next
+		 * time (TN3270 mode only).
+		 */
+    int returnValue;
+    int netin, netout, netex, ttyin, ttyout;
+
+    /* Decide which rings should be processed */
+
+    netout = ring_full_count(&netoring) &&
+	    (flushline ||
+		(my_want_state_is_wont(TELOPT_LINEMODE)
+#ifdef	KLUDGELINEMODE
+			&& (!kludgelinemode || my_want_state_is_do(TELOPT_SGA))
+#endif
+		) ||
+			my_want_state_is_will(TELOPT_BINARY));
+    ttyout = ring_full_count(&ttyoring);
+
+    ttyin = ring_empty_count(&ttyiring);
+
+    netin = !ISend && ring_empty_count(&netiring);
+
+    netex = !SYNCHing;
+
+    /* If we have seen a signal recently, reset things */
+
+    /* Call to system code to process rings */
+
+    returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block);
+
+    /* Now, look at the input rings, looking for work to do. */
+
+    if (ring_full_count(&ttyiring)) {
+	    returnValue |= telsnd();
+    }
+
+    if (ring_full_count(&netiring)) {
+	returnValue |= telrcv();
+    }
+    return returnValue;
+}
+
+/*
+ * Select from tty and network...
+ */
+void
+my_telnet(char *user)
+{
+    sys_telnet_init();
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+    {
+	static char local_host[256] = { 0 };
+
+	if (!local_host[0]) {
+		/* XXX - should be k_gethostname? */
+		gethostname(local_host, sizeof(local_host));
+		local_host[sizeof(local_host)-1] = 0;
+	}
+	auth_encrypt_init(local_host, hostname, "TELNET", 0);
+	auth_encrypt_user(user);
+    }
+#endif
+    if (telnetport) {
+#if	defined(AUTHENTICATION)
+	if (autologin)
+		send_will(TELOPT_AUTHENTICATION, 1);
+#endif
+#if	defined(ENCRYPTION)
+	send_do(TELOPT_ENCRYPT, 1);
+	send_will(TELOPT_ENCRYPT, 1);
+#endif
+	send_do(TELOPT_SGA, 1);
+	send_will(TELOPT_TTYPE, 1);
+	send_will(TELOPT_NAWS, 1);
+	send_will(TELOPT_TSPEED, 1);
+	send_will(TELOPT_LFLOW, 1);
+	send_will(TELOPT_LINEMODE, 1);
+	send_will(TELOPT_NEW_ENVIRON, 1);
+	send_do(TELOPT_STATUS, 1);
+	if (env_getvalue((unsigned char *)"DISPLAY"))
+	    send_will(TELOPT_XDISPLOC, 1);
+	if (binary)
+	    tel_enter_binary(binary);
+    }
+
+    for (;;) {
+	int schedValue;
+
+	while ((schedValue = Scheduler(0)) != 0) {
+	    if (schedValue == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+
+	if (Scheduler(1) == -1) {
+	    setcommandmode();
+	    return;
+	}
+    }
+}
+
+/*
+ * netclear()
+ *
+ *	We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *	Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *	A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+
+static void
+netclear()
+{
+#if	0	/* XXX */
+    char *thisitem, *next;
+    char *good;
+#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+    thisitem = netobuf;
+
+    while ((next = nextitem(thisitem)) <= netobuf.send) {
+	thisitem = next;
+    }
+
+    /* Now, thisitem is first before/at boundary. */
+
+    good = netobuf;	/* where the good bytes go */
+
+    while (netoring.add > thisitem) {
+	if (wewant(thisitem)) {
+	    int length;
+
+	    next = thisitem;
+	    do {
+		next = nextitem(next);
+	    } while (wewant(next) && (nfrontp > next));
+	    length = next-thisitem;
+	    memmove(good, thisitem, length);
+	    good += length;
+	    thisitem = next;
+	} else {
+	    thisitem = nextitem(thisitem);
+	}
+    }
+
+#endif	/* 0 */
+}
+
+/*
+ * These routines add various telnet commands to the data stream.
+ */
+
+static void
+doflush()
+{
+    NET2ADD(IAC, DO);
+    NETADD(TELOPT_TM);
+    flushline = 1;
+    flushout = 1;
+    ttyflush(1);			/* Flush/drop output */
+    /* do printoption AFTER flush, otherwise the output gets tossed... */
+    printoption("SENT", DO, TELOPT_TM);
+}
+
+void
+xmitAO(void)
+{
+    NET2ADD(IAC, AO);
+    printoption("SENT", IAC, AO);
+    if (autoflush) {
+	doflush();
+    }
+}
+
+
+void
+xmitEL(void)
+{
+    NET2ADD(IAC, EL);
+    printoption("SENT", IAC, EL);
+}
+
+void
+xmitEC(void)
+{
+    NET2ADD(IAC, EC);
+    printoption("SENT", IAC, EC);
+}
+
+
+int
+dosynch()
+{
+    netclear();			/* clear the path to the network */
+    NETADD(IAC);
+    setneturg();
+    NETADD(DM);
+    printoption("SENT", IAC, DM);
+    return 1;
+}
+
+int want_status_response = 0;
+
+int
+get_status()
+{
+    unsigned char tmp[16];
+    unsigned char *cp;
+
+    if (my_want_state_is_dont(TELOPT_STATUS)) {
+	printf("Remote side does not support STATUS option\n");
+	return 0;
+    }
+    cp = tmp;
+
+    *cp++ = IAC;
+    *cp++ = SB;
+    *cp++ = TELOPT_STATUS;
+    *cp++ = TELQUAL_SEND;
+    *cp++ = IAC;
+    *cp++ = SE;
+    if (NETROOM() >= cp - tmp) {
+	ring_supply_data(&netoring, tmp, cp-tmp);
+	printsub('>', tmp+2, cp - tmp - 2);
+    }
+    ++want_status_response;
+    return 1;
+}
+
+void
+intp(void)
+{
+    NET2ADD(IAC, IP);
+    printoption("SENT", IAC, IP);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendbrk(void)
+{
+    NET2ADD(IAC, BREAK);
+    printoption("SENT", IAC, BREAK);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendabort(void)
+{
+    NET2ADD(IAC, ABORT);
+    printoption("SENT", IAC, ABORT);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendsusp(void)
+{
+    NET2ADD(IAC, SUSP);
+    printoption("SENT", IAC, SUSP);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+void
+sendeof(void)
+{
+    NET2ADD(IAC, xEOF);
+    printoption("SENT", IAC, xEOF);
+}
+
+void
+sendayt(void)
+{
+    NET2ADD(IAC, AYT);
+    printoption("SENT", IAC, AYT);
+}
+
+/*
+ * Send a window size update to the remote system.
+ */
+
+void
+sendnaws()
+{
+    long rows, cols;
+    unsigned char tmp[16];
+    unsigned char *cp;
+
+    if (my_state_is_wont(TELOPT_NAWS))
+	return;
+
+#define	PUTSHORT(cp, x) { if ((*cp++ = ((x)>>8)&0xff) == IAC) *cp++ = IAC; \
+			    if ((*cp++ = ((x))&0xff) == IAC) *cp++ = IAC; }
+
+    if (TerminalWindowSize(&rows, &cols) == 0) {	/* Failed */
+	return;
+    }
+
+    cp = tmp;
+
+    *cp++ = IAC;
+    *cp++ = SB;
+    *cp++ = TELOPT_NAWS;
+    PUTSHORT(cp, cols);
+    PUTSHORT(cp, rows);
+    *cp++ = IAC;
+    *cp++ = SE;
+    if (NETROOM() >= cp - tmp) {
+	ring_supply_data(&netoring, tmp, cp-tmp);
+	printsub('>', tmp+2, cp - tmp - 2);
+    }
+}
+
+void
+tel_enter_binary(int rw)
+{
+    if (rw&1)
+	send_do(TELOPT_BINARY, 1);
+    if (rw&2)
+	send_will(TELOPT_BINARY, 1);
+}
+
+void
+tel_leave_binary(int rw)
+{
+    if (rw&1)
+	send_dont(TELOPT_BINARY, 1);
+    if (rw&2)
+	send_wont(TELOPT_BINARY, 1);
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnet/telnet_locl.h b/crypto/kerberosIV/appl/telnet/telnet/telnet_locl.h
new file mode 100644
index 0000000..0c883d6
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/telnet_locl.h
@@ -0,0 +1,171 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: telnet_locl.h,v 1.18 1999/12/02 16:58:34 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <ctype.h>
+#ifdef HAVE_SIGNAL_H
+#include <signal.h>
+#endif
+#include <errno.h>
+#include <setjmp.h>
+#ifdef HAVE_BSDSETJMP_H
+#include <bsdsetjmp.h>
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+/* termios.h *must* be included before curses.h */
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+
+#if defined(SOCKS) && defined(HAVE_CURSES_H)
+#include <curses.h>
+#endif
+
+#if defined(HAVE_SYS_TERMIO_H) && !defined(HAVE_TERMIOS_H)
+#include <sys/termio.h>
+#endif
+
+#if defined(HAVE_TERMCAP_H)
+#include <termcap.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+/* not with SunOS 4 */
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include <roken.h>
+/* krb.h? */
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+#include <libtelnet/auth.h>
+#include <libtelnet/encrypt.h>
+#endif
+#include <libtelnet/misc.h>
+#include <libtelnet/misc-proto.h>
+
+#define LINEMODE
+#define KLUDGELINEMODE
+
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+
+/* prototypes */
+
diff --git a/crypto/kerberosIV/appl/telnet/telnet/terminal.c b/crypto/kerberosIV/appl/telnet/telnet/terminal.c
new file mode 100644
index 0000000..4404384
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/terminal.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnet_locl.h"
+
+RCSID("$Id: terminal.c,v 1.10 1997/12/15 19:53:06 joda Exp $");
+
+Ring		ttyoring, ttyiring;
+unsigned char	ttyobuf[2*BUFSIZ], ttyibuf[BUFSIZ];
+
+int termdata;			/* Debugging flag */
+
+# ifndef VDISCARD
+cc_t termFlushChar;
+# endif
+# ifndef VLNEXT
+cc_t termLiteralNextChar;
+# endif
+# ifndef VSUSP
+cc_t termSuspChar;
+# endif
+# ifndef VWERASE
+cc_t termWerasChar;
+# endif
+# ifndef VREPRINT
+cc_t termRprntChar;
+# endif
+# ifndef VSTART
+cc_t termStartChar;
+# endif
+# ifndef VSTOP
+cc_t termStopChar;
+# endif
+# ifndef VEOL
+cc_t termForw1Char;
+# endif
+# ifndef VEOL2
+cc_t termForw2Char;
+# endif
+# ifndef VSTATUS
+cc_t termAytChar;
+# endif
+
+/*
+ * initialize the terminal data structures.
+ */
+
+void
+init_terminal(void)
+{
+    if (ring_init(&ttyoring, ttyobuf, sizeof ttyobuf) != 1) {
+	exit(1);
+    }
+    if (ring_init(&ttyiring, ttyibuf, sizeof ttyibuf) != 1) {
+	exit(1);
+    }
+    autoflush = TerminalAutoFlush();
+}
+
+
+/*
+ *		Send as much data as possible to the terminal.
+ *
+ *		Return value:
+ *			-1: No useful work done, data waiting to go out.
+ *			 0: No data was waiting, so nothing was done.
+ *			 1: All waiting data was written out.
+ *			 n: All data - n was written out.
+ */
+
+
+int
+ttyflush(int drop)
+{
+    int n, n0, n1;
+
+    n0 = ring_full_count(&ttyoring);
+    if ((n1 = n = ring_full_consecutive(&ttyoring)) > 0) {
+	if (drop) {
+	    TerminalFlushOutput();
+	    /* we leave 'n' alone! */
+	} else {
+	    n = TerminalWrite((char *)ttyoring.consume, n);
+	}
+    }
+    if (n > 0) {
+	if (termdata && n) {
+	    Dump('>', ttyoring.consume, n);
+	}
+	/*
+	 * If we wrote everything, and the full count is
+	 * larger than what we wrote, then write the
+	 * rest of the buffer.
+	 */
+	if (n1 == n && n0 > n) {
+		n1 = n0 - n;
+		if (!drop)
+			n1 = TerminalWrite((char *)ttyoring.bottom, n1);
+		if (n1 > 0)
+			n += n1;
+	}
+	ring_consumed(&ttyoring, n);
+    }
+    if (n < 0)
+	return -1;
+    if (n == n0) {
+	if (n0)
+	    return -1;
+	return 0;
+    }
+    return n0 - n + 1;
+}
+
+
+/*
+ * These routines decides on what the mode should be (based on the values
+ * of various global variables).
+ */
+
+
+int
+getconnmode(void)
+{
+    extern int linemode;
+    int mode = 0;
+#ifdef	KLUDGELINEMODE
+    extern int kludgelinemode;
+#endif
+
+    if (my_want_state_is_dont(TELOPT_ECHO))
+	mode |= MODE_ECHO;
+
+    if (localflow)
+	mode |= MODE_FLOW;
+
+    if ((eight & 1) || my_want_state_is_will(TELOPT_BINARY))
+	mode |= MODE_INBIN;
+
+    if (eight & 2)
+	mode |= MODE_OUT8;
+    if (his_want_state_is_will(TELOPT_BINARY))
+	mode |= MODE_OUTBIN;
+
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode) {
+	if (my_want_state_is_dont(TELOPT_SGA)) {
+	    mode |= (MODE_TRAPSIG|MODE_EDIT);
+	    if (dontlecho && (clocks.echotoggle > clocks.modenegotiated)) {
+		mode &= ~MODE_ECHO;
+	    }
+	}
+	return(mode);
+    }
+#endif
+    if (my_want_state_is_will(TELOPT_LINEMODE))
+	mode |= linemode;
+    return(mode);
+}
+
+    void
+setconnmode(force)
+    int force;
+{
+#ifdef	ENCRYPTION
+    static int enc_passwd = 0;
+#endif
+    int newmode;
+
+    newmode = getconnmode()|(force?MODE_FORCE:0);
+
+    TerminalNewMode(newmode);
+    
+#ifdef  ENCRYPTION
+    if ((newmode & (MODE_ECHO|MODE_EDIT)) == MODE_EDIT) {
+	if (my_want_state_is_will(TELOPT_ENCRYPT)
+				&& (enc_passwd == 0) && !encrypt_output) {
+	    encrypt_request_start(0, 0);
+	    enc_passwd = 1;
+	}
+    } else {
+	if (enc_passwd) {
+	    encrypt_request_end();
+	    enc_passwd = 0;
+	}
+    }
+#endif
+
+}
+
+
+    void
+setcommandmode()
+{
+    TerminalNewMode(-1);
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnet/types.h b/crypto/kerberosIV/appl/telnet/telnet/types.h
new file mode 100644
index 0000000..191d311
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/types.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)types.h	8.1 (Berkeley) 6/6/93
+ */
+
+typedef struct {
+    char *modedescriptions;
+    char modetype;
+} Modelist;
+
+extern Modelist modelist[];
+
+typedef struct {
+    int
+	system,			/* what the current time is */
+	echotoggle,		/* last time user entered echo character */
+	modenegotiated,		/* last time operating mode negotiated */
+	didnetreceive,		/* last time we read data from network */
+	gotDM;			/* when did we last see a data mark */
+} Clocks;
+
+extern Clocks clocks;
diff --git a/crypto/kerberosIV/appl/telnet/telnet/utilities.c b/crypto/kerberosIV/appl/telnet/telnet/utilities.c
new file mode 100644
index 0000000..ab281a5
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnet/utilities.c
@@ -0,0 +1,866 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define TELOPTS
+#define TELCMDS
+#define SLC_NAMES
+
+#include "telnet_locl.h"
+
+RCSID("$Id: utilities.c,v 1.22.2.1 2000/10/10 13:10:27 assar Exp $");
+
+FILE	*NetTrace = 0;		/* Not in bss, since needs to stay */
+int	prettydump;
+
+/*
+ * SetSockOpt()
+ *
+ * Compensate for differences in 4.2 and 4.3 systems.
+ */
+
+int
+SetSockOpt(int fd, int level, int option, int yesno)
+{
+#ifdef HAVE_SETSOCKOPT
+#ifndef	NOT43
+    return setsockopt(fd, level, option,
+				(void *)&yesno, sizeof yesno);
+#else	/* NOT43 */
+    if (yesno == 0) {		/* Can't do that in 4.2! */
+	fprintf(stderr, "Error: attempt to turn off an option 0x%x.\n",
+				option);
+	return -1;
+    }
+    return setsockopt(fd, level, option, 0, 0);
+#endif	/* NOT43 */
+#else
+    return -1;
+#endif
+}
+
+/*
+ * The following are routines used to print out debugging information.
+ */
+
+char NetTraceFile[256] = "(standard output)";
+
+void
+SetNetTrace(char *file)
+{
+    if (NetTrace && NetTrace != stdout)
+	fclose(NetTrace);
+    if (file  && (strcmp(file, "-") != 0)) {
+	NetTrace = fopen(file, "w");
+	if (NetTrace) {
+	    strlcpy(NetTraceFile, file, sizeof(NetTraceFile));
+	    return;
+	}
+	fprintf(stderr, "Cannot open %s.\n", file);
+    }
+    NetTrace = stdout;
+    strlcpy(NetTraceFile, "(standard output)", sizeof(NetTraceFile));
+}
+
+void
+Dump(char direction, unsigned char *buffer, int length)
+{
+#   define BYTES_PER_LINE	32
+    unsigned char *pThis;
+    int offset;
+
+    offset = 0;
+
+    while (length) {
+	/* print one line */
+	fprintf(NetTrace, "%c 0x%x\t", direction, offset);
+	pThis = buffer;
+	if (prettydump) {
+	    buffer = buffer + min(length, BYTES_PER_LINE/2);
+	    while (pThis < buffer) {
+		fprintf(NetTrace, "%c%.2x",
+		    (((*pThis)&0xff) == 0xff) ? '*' : ' ',
+		    (*pThis)&0xff);
+		pThis++;
+	    }
+	    length -= BYTES_PER_LINE/2;
+	    offset += BYTES_PER_LINE/2;
+	} else {
+	    buffer = buffer + min(length, BYTES_PER_LINE);
+	    while (pThis < buffer) {
+		fprintf(NetTrace, "%.2x", (*pThis)&0xff);
+		pThis++;
+	    }
+	    length -= BYTES_PER_LINE;
+	    offset += BYTES_PER_LINE;
+	}
+	if (NetTrace == stdout) {
+	    fprintf(NetTrace, "\r\n");
+	} else {
+	    fprintf(NetTrace, "\n");
+	}
+	if (length < 0) {
+	    fflush(NetTrace);
+	    return;
+	}
+	/* find next unique line */
+    }
+    fflush(NetTrace);
+}
+
+
+void
+printoption(char *direction, int cmd, int option)
+{
+	if (!showoptions)
+		return;
+	if (cmd == IAC) {
+		if (TELCMD_OK(option))
+		    fprintf(NetTrace, "%s IAC %s", direction, TELCMD(option));
+		else
+		    fprintf(NetTrace, "%s IAC %d", direction, option);
+	} else {
+		char *fmt;
+		fmt = (cmd == WILL) ? "WILL" : (cmd == WONT) ? "WONT" :
+			(cmd == DO) ? "DO" : (cmd == DONT) ? "DONT" : 0;
+		if (fmt) {
+		    fprintf(NetTrace, "%s %s ", direction, fmt);
+		    if (TELOPT_OK(option))
+			fprintf(NetTrace, "%s", TELOPT(option));
+		    else if (option == TELOPT_EXOPL)
+			fprintf(NetTrace, "EXOPL");
+		    else
+			fprintf(NetTrace, "%d", option);
+		} else
+		    fprintf(NetTrace, "%s %d %d", direction, cmd, option);
+	}
+	if (NetTrace == stdout) {
+	    fprintf(NetTrace, "\r\n");
+	    fflush(NetTrace);
+	} else {
+	    fprintf(NetTrace, "\n");
+	}
+	return;
+}
+
+void
+optionstatus(void)
+{
+    int i;
+    extern char will_wont_resp[], do_dont_resp[];
+
+    for (i = 0; i < 256; i++) {
+	if (do_dont_resp[i]) {
+	    if (TELOPT_OK(i))
+		printf("resp DO_DONT %s: %d\n", TELOPT(i), do_dont_resp[i]);
+	    else if (TELCMD_OK(i))
+		printf("resp DO_DONT %s: %d\n", TELCMD(i), do_dont_resp[i]);
+	    else
+		printf("resp DO_DONT %d: %d\n", i,
+				do_dont_resp[i]);
+	    if (my_want_state_is_do(i)) {
+		if (TELOPT_OK(i))
+		    printf("want DO   %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want DO   %s\n", TELCMD(i));
+		else
+		    printf("want DO   %d\n", i);
+	    } else {
+		if (TELOPT_OK(i))
+		    printf("want DONT %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want DONT %s\n", TELCMD(i));
+		else
+		    printf("want DONT %d\n", i);
+	    }
+	} else {
+	    if (my_state_is_do(i)) {
+		if (TELOPT_OK(i))
+		    printf("     DO   %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("     DO   %s\n", TELCMD(i));
+		else
+		    printf("     DO   %d\n", i);
+	    }
+	}
+	if (will_wont_resp[i]) {
+	    if (TELOPT_OK(i))
+		printf("resp WILL_WONT %s: %d\n", TELOPT(i), will_wont_resp[i]);
+	    else if (TELCMD_OK(i))
+		printf("resp WILL_WONT %s: %d\n", TELCMD(i), will_wont_resp[i]);
+	    else
+		printf("resp WILL_WONT %d: %d\n",
+				i, will_wont_resp[i]);
+	    if (my_want_state_is_will(i)) {
+		if (TELOPT_OK(i))
+		    printf("want WILL %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want WILL %s\n", TELCMD(i));
+		else
+		    printf("want WILL %d\n", i);
+	    } else {
+		if (TELOPT_OK(i))
+		    printf("want WONT %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want WONT %s\n", TELCMD(i));
+		else
+		    printf("want WONT %d\n", i);
+	    }
+	} else {
+	    if (my_state_is_will(i)) {
+		if (TELOPT_OK(i))
+		    printf("     WILL %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("     WILL %s\n", TELCMD(i));
+		else
+		    printf("     WILL %d\n", i);
+	    }
+	}
+    }
+
+}
+
+void
+printsub(int direction, unsigned char *pointer, int length)
+{
+    int i;
+    unsigned char buf[512];
+    extern int want_status_response;
+
+    if (showoptions || direction == 0 ||
+	(want_status_response && (pointer[0] == TELOPT_STATUS))) {
+	if (direction) {
+	    fprintf(NetTrace, "%s IAC SB ",
+				(direction == '<')? "RCVD":"SENT");
+	    if (length >= 3) {
+		int j;
+
+		i = pointer[length-2];
+		j = pointer[length-1];
+
+		if (i != IAC || j != SE) {
+		    fprintf(NetTrace, "(terminated by ");
+		    if (TELOPT_OK(i))
+			fprintf(NetTrace, "%s ", TELOPT(i));
+		    else if (TELCMD_OK(i))
+			fprintf(NetTrace, "%s ", TELCMD(i));
+		    else
+			fprintf(NetTrace, "%d ", i);
+		    if (TELOPT_OK(j))
+			fprintf(NetTrace, "%s", TELOPT(j));
+		    else if (TELCMD_OK(j))
+			fprintf(NetTrace, "%s", TELCMD(j));
+		    else
+			fprintf(NetTrace, "%d", j);
+		    fprintf(NetTrace, ", not IAC SE!) ");
+		}
+	    }
+	    length -= 2;
+	}
+	if (length < 1) {
+	    fprintf(NetTrace, "(Empty suboption??\?)");
+	    if (NetTrace == stdout)
+		fflush(NetTrace);
+	    return;
+	}
+	switch (pointer[0]) {
+	case TELOPT_TTYPE:
+	    fprintf(NetTrace, "TERMINAL-TYPE ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND");
+		break;
+	    default:
+		fprintf(NetTrace,
+				"- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+	case TELOPT_TSPEED:
+	    fprintf(NetTrace, "TERMINAL-SPEED");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, " IS ");
+		fprintf(NetTrace, "%.*s", length-2, (char *)pointer+2);
+		break;
+	    default:
+		if (pointer[1] == 1)
+		    fprintf(NetTrace, " SEND");
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+	    }
+	    break;
+
+	case TELOPT_LFLOW:
+	    fprintf(NetTrace, "TOGGLE-FLOW-CONTROL");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case LFLOW_OFF:
+		fprintf(NetTrace, " OFF"); break;
+	    case LFLOW_ON:
+		fprintf(NetTrace, " ON"); break;
+	    case LFLOW_RESTART_ANY:
+		fprintf(NetTrace, " RESTART-ANY"); break;
+	    case LFLOW_RESTART_XON:
+		fprintf(NetTrace, " RESTART-XON"); break;
+	    default:
+		fprintf(NetTrace, " %d (unknown)", pointer[1]);
+	    }
+	    for (i = 2; i < length; i++)
+		fprintf(NetTrace, " ?%d?", pointer[i]);
+	    break;
+
+	case TELOPT_NAWS:
+	    fprintf(NetTrace, "NAWS");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    if (length == 2) {
+		fprintf(NetTrace, " ?%d?", pointer[1]);
+		break;
+	    }
+	    fprintf(NetTrace, " %d %d (%d)",
+		pointer[1], pointer[2],
+		(int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+	    if (length == 4) {
+		fprintf(NetTrace, " ?%d?", pointer[3]);
+		break;
+	    }
+	    fprintf(NetTrace, " %d %d (%d)",
+		pointer[3], pointer[4],
+		(int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+	    for (i = 5; i < length; i++)
+		fprintf(NetTrace, " ?%d?", pointer[i]);
+	    break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION:
+	    fprintf(NetTrace, "AUTHENTICATION");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_REPLY:
+	    case TELQUAL_IS:
+		fprintf(NetTrace, " %s ", (pointer[1] == TELQUAL_IS) ?
+							"IS" : "REPLY");
+		if (AUTHTYPE_NAME_OK(pointer[2]))
+		    fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[2]));
+		else
+		    fprintf(NetTrace, "%d ", pointer[2]);
+		if (length < 3) {
+		    fprintf(NetTrace, "(partial suboption??\?)");
+		    break;
+		}
+		fprintf(NetTrace, "%s|%s",
+			((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			"CLIENT" : "SERVER",
+			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			"MUTUAL" : "ONE-WAY");
+
+		auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		fprintf(NetTrace, "%s", buf);
+		break;
+
+	    case TELQUAL_SEND:
+		i = 2;
+		fprintf(NetTrace, " SEND ");
+		while (i < length) {
+		    if (AUTHTYPE_NAME_OK(pointer[i]))
+			fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[i]));
+		    else
+			fprintf(NetTrace, "%d ", pointer[i]);
+		    if (++i >= length) {
+			fprintf(NetTrace, "(partial suboption??\?)");
+			break;
+		    }
+		    fprintf(NetTrace, "%s|%s ",
+			((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+							"CLIENT" : "SERVER",
+			((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+							"MUTUAL" : "ONE-WAY");
+		    ++i;
+		}
+		break;
+
+	    case TELQUAL_NAME:
+		i = 2;
+		fprintf(NetTrace, " NAME \"");
+		while (i < length)
+		    putc(pointer[i++], NetTrace);
+		putc('"', NetTrace);
+		break;
+
+	    default:
+		    for (i = 2; i < length; i++)
+			fprintf(NetTrace, " ?%d?", pointer[i]);
+		    break;
+	    }
+	    break;
+#endif
+
+#if	defined(ENCRYPTION)
+	case TELOPT_ENCRYPT:
+	    fprintf(NetTrace, "ENCRYPT");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case ENCRYPT_START:
+		fprintf(NetTrace, " START");
+		break;
+
+	    case ENCRYPT_END:
+		fprintf(NetTrace, " END");
+		break;
+
+	    case ENCRYPT_REQSTART:
+		fprintf(NetTrace, " REQUEST-START");
+		break;
+
+	    case ENCRYPT_REQEND:
+		fprintf(NetTrace, " REQUEST-END");
+		break;
+
+	    case ENCRYPT_IS:
+	    case ENCRYPT_REPLY:
+		fprintf(NetTrace, " %s ", (pointer[1] == ENCRYPT_IS) ?
+							"IS" : "REPLY");
+		if (length < 3) {
+		    fprintf(NetTrace, " (partial suboption?)");
+		    break;
+		}
+		if (ENCTYPE_NAME_OK(pointer[2]))
+		    fprintf(NetTrace, "%s ", ENCTYPE_NAME(pointer[2]));
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[2]);
+
+		encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		fprintf(NetTrace, "%s", buf);
+		break;
+
+	    case ENCRYPT_SUPPORT:
+		i = 2;
+		fprintf(NetTrace, " SUPPORT ");
+		while (i < length) {
+		    if (ENCTYPE_NAME_OK(pointer[i]))
+			fprintf(NetTrace, "%s ", ENCTYPE_NAME(pointer[i]));
+		    else
+			fprintf(NetTrace, "%d ", pointer[i]);
+		    i++;
+		}
+		break;
+
+	    case ENCRYPT_ENC_KEYID:
+		fprintf(NetTrace, " ENC_KEYID ");
+		goto encommon;
+
+	    case ENCRYPT_DEC_KEYID:
+		fprintf(NetTrace, " DEC_KEYID ");
+		goto encommon;
+
+	    default:
+		fprintf(NetTrace, " %d (unknown)", pointer[1]);
+	    encommon:
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " %d", pointer[i]);
+		break;
+	    }
+	    break;
+#endif
+
+	case TELOPT_LINEMODE:
+	    fprintf(NetTrace, "LINEMODE ");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case WILL:
+		fprintf(NetTrace, "WILL ");
+		goto common;
+	    case WONT:
+		fprintf(NetTrace, "WONT ");
+		goto common;
+	    case DO:
+		fprintf(NetTrace, "DO ");
+		goto common;
+	    case DONT:
+		fprintf(NetTrace, "DONT ");
+	    common:
+		if (length < 3) {
+		    fprintf(NetTrace, "(no option??\?)");
+		    break;
+		}
+		switch (pointer[2]) {
+		case LM_FORWARDMASK:
+		    fprintf(NetTrace, "Forward Mask");
+		    for (i = 3; i < length; i++)
+			fprintf(NetTrace, " %x", pointer[i]);
+		    break;
+		default:
+		    fprintf(NetTrace, "%d (unknown)", pointer[2]);
+		    for (i = 3; i < length; i++)
+			fprintf(NetTrace, " %d", pointer[i]);
+		    break;
+		}
+		break;
+
+	    case LM_SLC:
+		fprintf(NetTrace, "SLC");
+		for (i = 2; i < length - 2; i += 3) {
+		    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+			fprintf(NetTrace, " %s", SLC_NAME(pointer[i+SLC_FUNC]));
+		    else
+			fprintf(NetTrace, " %d", pointer[i+SLC_FUNC]);
+		    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+		    case SLC_NOSUPPORT:
+			fprintf(NetTrace, " NOSUPPORT"); break;
+		    case SLC_CANTCHANGE:
+			fprintf(NetTrace, " CANTCHANGE"); break;
+		    case SLC_VARIABLE:
+			fprintf(NetTrace, " VARIABLE"); break;
+		    case SLC_DEFAULT:
+			fprintf(NetTrace, " DEFAULT"); break;
+		    }
+		    fprintf(NetTrace, "%s%s%s",
+			pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+		    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+						SLC_FLUSHOUT| SLC_LEVELBITS))
+			fprintf(NetTrace, "(0x%x)", pointer[i+SLC_FLAGS]);
+		    fprintf(NetTrace, " %d;", pointer[i+SLC_VALUE]);
+		    if ((pointer[i+SLC_VALUE] == IAC) &&
+			(pointer[i+SLC_VALUE+1] == IAC))
+				i++;
+		}
+		for (; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+
+	    case LM_MODE:
+		fprintf(NetTrace, "MODE ");
+		if (length < 3) {
+		    fprintf(NetTrace, "(no mode??\?)");
+		    break;
+		}
+		{
+		    char tbuf[64];
+		    snprintf(tbuf, sizeof(tbuf),
+			     "%s%s%s%s%s",
+			     pointer[2]&MODE_EDIT ? "|EDIT" : "",
+			     pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+			     pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+			     pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+			     pointer[2]&MODE_ACK ? "|ACK" : "");
+		    fprintf(NetTrace, "%s", tbuf[1] ? &tbuf[1] : "0");
+		}
+		if (pointer[2]&~(MODE_MASK))
+		    fprintf(NetTrace, " (0x%x)", pointer[2]);
+		for (i = 3; i < length; i++)
+		    fprintf(NetTrace, " ?0x%x?", pointer[i]);
+		break;
+	    default:
+		fprintf(NetTrace, "%d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " %d", pointer[i]);
+	    }
+	    break;
+
+	case TELOPT_STATUS: {
+	    char *cp;
+	    int j, k;
+
+	    fprintf(NetTrace, "STATUS");
+
+	    switch (pointer[1]) {
+	    default:
+		if (pointer[1] == TELQUAL_SEND)
+		    fprintf(NetTrace, " SEND");
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+	    case TELQUAL_IS:
+		if (--want_status_response < 0)
+		    want_status_response = 0;
+		if (NetTrace == stdout)
+		    fprintf(NetTrace, " IS\r\n");
+		else
+		    fprintf(NetTrace, " IS\n");
+
+		for (i = 2; i < length; i++) {
+		    switch(pointer[i]) {
+		    case DO:	cp = "DO"; goto common2;
+		    case DONT:	cp = "DONT"; goto common2;
+		    case WILL:	cp = "WILL"; goto common2;
+		    case WONT:	cp = "WONT"; goto common2;
+		    common2:
+			i++;
+			if (TELOPT_OK((int)pointer[i]))
+			    fprintf(NetTrace, " %s %s", cp, TELOPT(pointer[i]));
+			else
+			    fprintf(NetTrace, " %s %d", cp, pointer[i]);
+
+			if (NetTrace == stdout)
+			    fprintf(NetTrace, "\r\n");
+			else
+			    fprintf(NetTrace, "\n");
+			break;
+
+		    case SB:
+			fprintf(NetTrace, " SB ");
+			i++;
+			j = k = i;
+			while (j < length) {
+			    if (pointer[j] == SE) {
+				if (j+1 == length)
+				    break;
+				if (pointer[j+1] == SE)
+				    j++;
+				else
+				    break;
+			    }
+			    pointer[k++] = pointer[j++];
+			}
+			printsub(0, &pointer[i], k - i);
+			if (i < length) {
+			    fprintf(NetTrace, " SE");
+			    i = j;
+			} else
+			    i = j - 1;
+
+			if (NetTrace == stdout)
+			    fprintf(NetTrace, "\r\n");
+			else
+			    fprintf(NetTrace, "\n");
+
+			break;
+
+		    default:
+			fprintf(NetTrace, " %d", pointer[i]);
+			break;
+		    }
+		}
+		break;
+	    }
+	    break;
+	  }
+
+	case TELOPT_XDISPLOC:
+	    fprintf(NetTrace, "X-DISPLAY-LOCATION ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND");
+		break;
+	    default:
+		fprintf(NetTrace, "- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+
+	case TELOPT_NEW_ENVIRON:
+	    fprintf(NetTrace, "NEW-ENVIRON ");
+#ifdef	OLD_ENVIRON
+	    goto env_common1;
+	case TELOPT_OLD_ENVIRON:
+	    fprintf(NetTrace, "OLD-ENVIRON");
+	env_common1:
+#endif
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS ");
+		goto env_common;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND ");
+		goto env_common;
+	    case TELQUAL_INFO:
+		fprintf(NetTrace, "INFO ");
+	    env_common:
+		{
+		    int noquote = 2;
+		    for (i = 2; i < length; i++ ) {
+			switch (pointer[i]) {
+			case NEW_ENV_VALUE:
+#ifdef OLD_ENVIRON
+		     /*	case NEW_ENV_OVAR: */
+			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
+				    fprintf(NetTrace, "\" VAR " + noquote);
+			    } else
+#endif /* OLD_ENVIRON */
+				fprintf(NetTrace, "\" VALUE " + noquote);
+			    noquote = 2;
+			    break;
+
+			case NEW_ENV_VAR:
+#ifdef OLD_ENVIRON
+		     /* case OLD_ENV_VALUE: */
+			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
+				    fprintf(NetTrace, "\" VALUE " + noquote);
+			    } else
+#endif /* OLD_ENVIRON */
+				fprintf(NetTrace, "\" VAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_ESC:
+			    fprintf(NetTrace, "\" ESC " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_USERVAR:
+			    fprintf(NetTrace, "\" USERVAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			default:
+			    if (isprint(pointer[i]) && pointer[i] != '"') {
+				if (noquote) {
+				    putc('"', NetTrace);
+				    noquote = 0;
+				}
+				putc(pointer[i], NetTrace);
+			    } else {
+				fprintf(NetTrace, "\" %03o " + noquote,
+							pointer[i]);
+				noquote = 2;
+			    }
+			    break;
+			}
+		    }
+		    if (!noquote)
+			putc('"', NetTrace);
+		    break;
+		}
+	    }
+	    break;
+
+	default:
+	    if (TELOPT_OK(pointer[0]))
+		fprintf(NetTrace, "%s (unknown)", TELOPT(pointer[0]));
+	    else
+		fprintf(NetTrace, "%d (unknown)", pointer[0]);
+	    for (i = 1; i < length; i++)
+		fprintf(NetTrace, " %d", pointer[i]);
+	    break;
+	}
+	if (direction) {
+	    if (NetTrace == stdout)
+		fprintf(NetTrace, "\r\n");
+	    else
+		fprintf(NetTrace, "\n");
+	}
+	if (NetTrace == stdout)
+	    fflush(NetTrace);
+    }
+}
+
+/* EmptyTerminal - called to make sure that the terminal buffer is empty.
+ *			Note that we consider the buffer to run all the
+ *			way to the kernel (thus the select).
+ */
+
+void
+EmptyTerminal(void)
+{
+    fd_set	outs;
+
+    FD_ZERO(&outs);
+
+    if (tout >= FD_SETSIZE)
+	ExitString("fd too large", 1);
+
+    if (TTYBYTES() == 0) {
+	FD_SET(tout, &outs);
+	select(tout+1, 0, &outs, 0,
+		      (struct timeval *) 0); /* wait for TTLOWAT */
+    } else {
+	while (TTYBYTES()) {
+	    ttyflush(0);
+	    FD_SET(tout, &outs);
+	    select(tout+1, 0, &outs, 0,
+			  (struct timeval *) 0); /* wait for TTLOWAT */
+	}
+    }
+}
+
+void
+SetForExit(void)
+{
+    setconnmode(0);
+    do {
+	telrcv();			/* Process any incoming data */
+	EmptyTerminal();
+    } while (ring_full_count(&netiring));	/* While there is any */
+    setcommandmode();
+    fflush(stdout);
+    fflush(stderr);
+    setconnmode(0);
+    EmptyTerminal();			/* Flush the path to the tty */
+    setcommandmode();
+}
+
+void
+Exit(int returnCode)
+{
+    SetForExit();
+    exit(returnCode);
+}
+
+void
+ExitString(char *string, int returnCode)
+{
+    SetForExit();
+    fwrite(string, 1, strlen(string), stderr);
+    exit(returnCode);
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/Makefile.am b/crypto/kerberosIV/appl/telnet/telnetd/Makefile.am
new file mode 100644
index 0000000..c228518
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/Makefile.am
@@ -0,0 +1,21 @@
+# $Id: Makefile.am,v 1.12 1999/04/09 18:24:38 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += -I$(srcdir)/.. $(INCLUDE_krb4)
+
+libexec_PROGRAMS = telnetd
+
+CHECK_LOCAL = 
+
+telnetd_SOURCES  = telnetd.c state.c termstat.c slc.c sys_term.c \
+		   utility.c global.c authenc.c defs.h ext.h telnetd.h
+
+LDADD = \
+	../libtelnet/libtelnet.a \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(top_builddir)/lib/des/libdes.la \
+	$(LIB_tgetent) \
+	$(LIB_logwtmp) \
+	$(LIB_roken)
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/Makefile.in b/crypto/kerberosIV/appl/telnet/telnetd/Makefile.in
new file mode 100644
index 0000000..ed42d1d
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/Makefile.in
@@ -0,0 +1,79 @@
+# $Id: Makefile.in,v 1.38 1999/03/11 13:50:16 joda Exp $
+
+srcdir		= @srcdir@
+top_srcdir	= @top_srcdir@
+VPATH		= @srcdir@
+
+top_builddir		= ../../..
+
+SHELL		= /bin/sh
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@ -DBINDIR='"$(bindir)"'
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+LIBS = @LIBS@
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+PROGS = telnetd$(EXECSUFFIX)
+
+SOURCES=telnetd.c state.c termstat.c slc.c sys_term.c \
+	utility.c global.c authenc.c
+
+OBJECTS=telnetd.o state.o termstat.o slc.o sys_term.o \
+	utility.o global.o authenc.o
+
+libtop = @libtop@
+
+LIBKRB		= -L../../../lib/krb -lkrb
+LIBDES		= -L../../../lib/des -ldes
+LIBKAFS		= @KRB_KAFS_LIB@
+LIBROKEN	= -L../../../lib/roken -lroken
+
+KLIB=$(LIBKAFS) $(LIBKRB) $(LIBDES)
+
+
+all: $(PROGS)
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../../include -I.. -I$(srcdir)/.. -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $<
+
+telnetd$(EXECSUFFIX): $(OBJECTS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(OBJECTS) -L../libtelnet -ltelnet $(KLIB) $(LIBROKEN) $(LIBS) @LIB_tgetent@ $(LIBROKEN)
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libexecdir)
+	for x in $(PROGS); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROGS); do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+clean cleandir:
+	rm -f *.o *.a telnetd$(EXECSUFFIX) \#* *~ core
+
+distclean: clean
+	rm -f Makefile *~
+
+
+.PHONY: all install uninstall clean cleandir distclean
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/authenc.c b/crypto/kerberosIV/appl/telnet/telnetd/authenc.c
new file mode 100644
index 0000000..ec5f2dc
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/authenc.c
@@ -0,0 +1,81 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: authenc.c,v 1.9 1999/09/05 19:14:50 assar Exp $");
+
+#ifdef AUTHENTICATION
+
+int
+telnet_net_write(unsigned char *str, int len)
+{
+    if (nfrontp + len < netobuf + BUFSIZ) {
+	memmove(nfrontp, str, len);
+	nfrontp += len;
+	return(len);
+    }
+    return(0);
+}
+
+void
+net_encrypt(void)
+{
+#ifdef ENCRYPTION
+    char *s = (nclearto > nbackp) ? nclearto : nbackp;
+    if (s < nfrontp && encrypt_output) {
+	(*encrypt_output)((unsigned char *)s, nfrontp - s);
+    }
+    nclearto = nfrontp;
+#endif
+}
+
+int
+telnet_spin(void)
+{
+    return ttloop();
+}
+
+char *
+telnet_getenv(char *val)
+{
+    extern char *getenv(const char *);
+    return(getenv(val));
+}
+
+char *
+telnet_gets(char *prompt, char *result, int length, int echo)
+{
+    return NULL;
+}
+#endif
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/defs.h b/crypto/kerberosIV/appl/telnet/telnetd/defs.h
new file mode 100644
index 0000000..dc3f842
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/defs.h
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)defs.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Telnet server defines
+ */
+
+#ifndef __DEFS_H__
+#define __DEFS_H__
+
+#ifndef	BSD
+# define	BSD 43
+#endif
+
+#if defined(PRINTOPTIONS) && defined(DIAGNOSTICS)
+#define TELOPTS
+#define TELCMDS
+#define	SLC_NAMES
+#endif
+
+#if	!defined(TIOCSCTTY) && defined(TCSETCTTY)
+# define	TIOCSCTTY TCSETCTTY
+#endif
+
+#ifndef TIOCPKT_FLUSHWRITE
+#define TIOCPKT_FLUSHWRITE      0x02
+#endif
+ 
+#ifndef TIOCPKT_NOSTOP
+#define TIOCPKT_NOSTOP  0x10
+#endif
+ 
+#ifndef TIOCPKT_DOSTOP
+#define TIOCPKT_DOSTOP  0x20
+#endif
+
+/*
+ * I/O data buffers defines
+ */
+#define	NETSLOP	64
+#ifdef _CRAY
+#undef BUFSIZ
+#define BUFSIZ  2048
+#endif
+
+#define	NIACCUM(c)	{   *netip++ = c; \
+			    ncc++; \
+			}
+
+/* clock manipulations */
+#define	settimer(x)	(clocks.x = ++clocks.system)
+#define	sequenceIs(x,y)	(clocks.x < clocks.y)
+
+/*
+ * Structures of information for each special character function.
+ */
+typedef struct {
+	unsigned char	flag;		/* the flags for this function */
+	cc_t		val;		/* the value of the special character */
+} slcent, *Slcent;
+
+typedef struct {
+	slcent		defset;		/* the default settings */
+	slcent		current;	/* the current settings */
+	cc_t		*sptr;		/* a pointer to the char in */
+					/* system data structures */
+} slcfun, *Slcfun;
+
+#ifdef DIAGNOSTICS
+/*
+ * Diagnostics capabilities
+ */
+#define	TD_REPORT	0x01	/* Report operations to client */
+#define TD_EXERCISE	0x02	/* Exercise client's implementation */
+#define TD_NETDATA	0x04	/* Display received data stream */
+#define TD_PTYDATA	0x08	/* Display data passed to pty */
+#define	TD_OPTIONS	0x10	/* Report just telnet options */
+#endif /* DIAGNOSTICS */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define	MY_STATE_WILL		0x01
+#define	MY_WANT_STATE_WILL	0x02
+#define	MY_STATE_DO		0x04
+#define	MY_WANT_STATE_DO	0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define	my_state_is_do(opt)		(options[opt]&MY_STATE_DO)
+#define	my_state_is_will(opt)		(options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)	(options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)	(options[opt]&MY_WANT_STATE_WILL)
+
+#define	my_state_is_dont(opt)		(!my_state_is_do(opt))
+#define	my_state_is_wont(opt)		(!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)	(!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)	(!my_want_state_is_will(opt))
+
+#define	set_my_state_do(opt)		(options[opt] |= MY_STATE_DO)
+#define	set_my_state_will(opt)		(options[opt] |= MY_STATE_WILL)
+#define	set_my_want_state_do(opt)	(options[opt] |= MY_WANT_STATE_DO)
+#define	set_my_want_state_will(opt)	(options[opt] |= MY_WANT_STATE_WILL)
+
+#define	set_my_state_dont(opt)		(options[opt] &= ~MY_STATE_DO)
+#define	set_my_state_wont(opt)		(options[opt] &= ~MY_STATE_WILL)
+#define	set_my_want_state_dont(opt)	(options[opt] &= ~MY_WANT_STATE_DO)
+#define	set_my_want_state_wont(opt)	(options[opt] &= ~MY_WANT_STATE_WILL)
+
+/*
+ * Tricky code here.  What we want to know is if the MY_STATE_WILL
+ * and MY_WANT_STATE_WILL bits have the same value.  Since the two
+ * bits are adjacent, a little arithmatic will show that by adding
+ * in the lower bit, the upper bit will be set if the two bits were
+ * different, and clear if they were the same.
+ */
+#define my_will_wont_is_changing(opt) \
+			((options[opt]+MY_STATE_WILL) & MY_WANT_STATE_WILL)
+
+#define my_do_dont_is_changing(opt) \
+			((options[opt]+MY_STATE_DO) & MY_WANT_STATE_DO)
+
+/*
+ * Make everything symetrical
+ */
+
+#define	HIS_STATE_WILL			MY_STATE_DO
+#define	HIS_WANT_STATE_WILL		MY_WANT_STATE_DO
+#define HIS_STATE_DO			MY_STATE_WILL
+#define HIS_WANT_STATE_DO		MY_WANT_STATE_WILL
+
+#define	his_state_is_do			my_state_is_will
+#define	his_state_is_will		my_state_is_do
+#define his_want_state_is_do		my_want_state_is_will
+#define his_want_state_is_will		my_want_state_is_do
+
+#define	his_state_is_dont		my_state_is_wont
+#define	his_state_is_wont		my_state_is_dont
+#define his_want_state_is_dont		my_want_state_is_wont
+#define his_want_state_is_wont		my_want_state_is_dont
+
+#define	set_his_state_do		set_my_state_will
+#define	set_his_state_will		set_my_state_do
+#define	set_his_want_state_do		set_my_want_state_will
+#define	set_his_want_state_will		set_my_want_state_do
+
+#define	set_his_state_dont		set_my_state_wont
+#define	set_his_state_wont		set_my_state_dont
+#define	set_his_want_state_dont		set_my_want_state_wont
+#define	set_his_want_state_wont		set_my_want_state_dont
+
+#define his_will_wont_is_changing	my_do_dont_is_changing
+#define his_do_dont_is_changing		my_will_wont_is_changing
+
+#endif /* __DEFS_H__ */
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/ext.h b/crypto/kerberosIV/appl/telnet/telnetd/ext.h
new file mode 100644
index 0000000..8f5edf1
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/ext.h
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ext.h	8.2 (Berkeley) 12/15/93
+ */
+
+/* $Id: ext.h,v 1.19 1999/09/05 19:15:21 assar Exp $ */
+
+#ifndef __EXT_H__
+#define __EXT_H__
+
+/*
+ * Telnet server variable declarations
+ */
+extern char	options[256];
+extern char	do_dont_resp[256];
+extern char	will_wont_resp[256];
+extern int	flowmode;	/* current flow control state */
+extern int	restartany;	/* restart output on any character state */
+#ifdef DIAGNOSTICS
+extern int	diagnostic;	/* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+extern int	require_otp;
+#ifdef AUTHENTICATION
+extern int	auth_level;
+#endif
+extern const char *new_login;
+
+extern slcfun	slctab[NSLC + 1];	/* slc mapping table */
+
+extern char	*terminaltype;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+extern char	ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+
+extern char	netibuf[BUFSIZ], *netip;
+
+extern char	netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+extern char	*neturg;		/* one past last bye of urgent data */
+
+extern int	pcc, ncc;
+
+extern int	ourpty, net;
+extern char	*line;
+extern int	SYNCHing;		/* we are in TELNET SYNCH mode */
+
+int telnet_net_write (unsigned char *str, int len);
+void net_encrypt (void);
+int telnet_spin (void);
+char *telnet_getenv (char *val);
+char *telnet_gets (char *prompt, char *result, int length, int echo);
+void get_slc_defaults (void);
+void telrcv (void);
+void send_do (int option, int init);
+void willoption (int option);
+void send_dont (int option, int init);
+void wontoption (int option);
+void send_will (int option, int init);
+void dooption (int option);
+void send_wont (int option, int init);
+void dontoption (int option);
+void suboption (void);
+void doclientstat (void);
+void send_status (void);
+void init_termbuf (void);
+void set_termbuf (void);
+int spcset (int func, cc_t *valp, cc_t **valpp);
+void set_utid (void);
+int getpty (int *ptynum);
+int tty_isecho (void);
+int tty_flowmode (void);
+int tty_restartany (void);
+void tty_setecho (int on);
+int tty_israw (void);
+void tty_binaryin (int on);
+void tty_binaryout (int on);
+int tty_isbinaryin (void);
+int tty_isbinaryout (void);
+int tty_issofttab (void);
+void tty_setsofttab (int on);
+int tty_islitecho (void);
+void tty_setlitecho (int on);
+int tty_iscrnl (void);
+void tty_tspeed (int val);
+void tty_rspeed (int val);
+void getptyslave (void);
+int cleanopen (char *line);
+void startslave (char *host, int autologin, char *autoname);
+void init_env (void);
+void start_login (char *host, int autologin, char *name);
+void cleanup (int sig);
+int main (int argc, char **argv);
+int getterminaltype (char *name, size_t);
+void _gettermname (void);
+int terminaltypeok (char *s);
+void my_telnet (int f, int p, char*, int, char*);
+void interrupt (void);
+void sendbrk (void);
+void sendsusp (void);
+void recv_ayt (void);
+void doeof (void);
+void flowstat (void);
+void clientstat (int code, int parm1, int parm2);
+int ttloop (void);
+int stilloob (int s);
+void ptyflush (void);
+char *nextitem (char *current);
+void netclear (void);
+void netflush (void);
+void writenet (unsigned char *ptr, int len);
+void fatal (int f, char *msg);
+void fatalperror (int f, const char *msg);
+void edithost (char *pat, char *host);
+void putstr (char *s);
+void putchr (int cc);
+void putf (char *cp, char *where);
+void printoption (char *fmt, int option);
+void printsub (int direction, unsigned char *pointer, int length);
+void printdata (char *tag, char *ptr, int cnt);
+int login_tty(int t);
+
+#ifdef ENCRYPTION
+extern void	(*encrypt_output) (unsigned char *, int);
+extern int	(*decrypt_input) (int);
+extern char	*nclearto;
+#endif
+
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+struct clocks_t{
+    int
+	system,			/* what the current time is */
+	echotoggle,		/* last time user entered echo character */
+	modenegotiated,		/* last time operating mode negotiated */
+	didnetreceive,		/* last time we read data from network */
+	ttypesubopt,		/* ttype subopt is received */
+	tspeedsubopt,		/* tspeed subopt is received */
+	environsubopt,		/* environ subopt is received */
+	oenvironsubopt,		/* old environ subopt is received */
+	xdisplocsubopt,		/* xdisploc subopt is received */
+	baseline,		/* time started to do timed action */
+	gotDM;			/* when did we last see a data mark */
+};
+extern struct clocks_t clocks;
+
+extern int log_unauth;
+extern int no_warn;
+
+#ifdef STREAMSPTY
+extern int really_stream;
+#endif
+
+#ifndef USE_IM
+# ifdef CRAY
+#  define USE_IM "Cray UNICOS (%h) (%t)"
+# endif
+# ifdef _AIX
+#  define USE_IM "%s %v.%r (%h) (%t)"
+# endif
+# ifndef USE_IM
+#  define USE_IM "%s %r (%h) (%t)"
+# endif
+#endif
+
+#define DEFAULT_IM "\r\n\r\n" USE_IM "\r\n\r\n\r\n"
+
+#endif /* __EXT_H__ */
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/global.c b/crypto/kerberosIV/appl/telnet/telnetd/global.c
new file mode 100644
index 0000000..275cb45
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/global.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* a *lot* of ugly global definitions that really should be removed...
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: global.c,v 1.12 1997/05/11 06:29:59 assar Exp $");
+
+/*
+ * Telnet server variable declarations
+ */
+char	options[256];
+char	do_dont_resp[256];
+char	will_wont_resp[256];
+int	linemode;	/* linemode on/off */
+int	flowmode;	/* current flow control state */
+int	restartany;	/* restart output on any character state */
+#ifdef DIAGNOSTICS
+int	diagnostic;	/* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+int	require_otp;
+
+slcfun	slctab[NSLC + 1];	/* slc mapping table */
+
+char	*terminaltype;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+char	ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+
+char	netibuf[BUFSIZ], *netip;
+
+char	netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+char	*neturg;		/* one past last bye of urgent data */
+
+int	pcc, ncc;
+
+int	ourpty, net;
+int	SYNCHing;		/* we are in TELNET SYNCH mode */
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+struct clocks_t clocks;
+
+
+/* whether to log unauthenticated login attempts */
+int log_unauth;
+
+/* do not print warning if connection is not encrypted */
+int no_warn;
+
+/*
+ * This function appends data to nfrontp and advances nfrontp.
+ */
+
+int
+output_data (const char *format, ...)
+{
+  va_list args;
+  size_t remaining, ret;
+
+  va_start(args, format);
+  remaining = BUFSIZ - (nfrontp - netobuf);
+  ret = vsnprintf (nfrontp,
+		   remaining,
+		   format,
+		   args);
+  nfrontp += ret;
+  va_end(args);
+  return ret;
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/slc.c b/crypto/kerberosIV/appl/telnet/telnetd/slc.c
new file mode 100644
index 0000000..799d2d8
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/slc.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: slc.c,v 1.10 1997/05/11 06:30:00 assar Exp $");
+
+/*
+ * get_slc_defaults
+ *
+ * Initialize the slc mapping table.
+ */
+void
+get_slc_defaults(void)
+{
+    int i;
+    
+    init_termbuf();
+    
+    for (i = 1; i <= NSLC; i++) {
+	slctab[i].defset.flag =
+	    spcset(i, &slctab[i].defset.val, &slctab[i].sptr);
+	slctab[i].current.flag = SLC_NOSUPPORT;
+	slctab[i].current.val = 0;
+    }
+    
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/state.c b/crypto/kerberosIV/appl/telnet/telnetd/state.c
new file mode 100644
index 0000000..80b90ea
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/state.c
@@ -0,0 +1,1356 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: state.c,v 1.13 1999/05/13 23:12:50 assar Exp $");
+
+unsigned char	doopt[] = { IAC, DO, '%', 'c', 0 };
+unsigned char	dont[] = { IAC, DONT, '%', 'c', 0 };
+unsigned char	will[] = { IAC, WILL, '%', 'c', 0 };
+unsigned char	wont[] = { IAC, WONT, '%', 'c', 0 };
+int	not42 = 1;
+
+/*
+ * Buffer for sub-options, and macros
+ * for suboptions buffer manipulations
+ */
+unsigned char subbuffer[2048], *subpointer= subbuffer, *subend= subbuffer;
+
+#define	SB_CLEAR()	subpointer = subbuffer
+#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
+#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof subbuffer)) { \
+    *subpointer++ = (c); \
+			     }
+#define	SB_GET()	((*subpointer++)&0xff)
+#define	SB_EOF()	(subpointer >= subend)
+#define	SB_LEN()	(subend - subpointer)
+
+#ifdef	ENV_HACK
+unsigned char *subsave;
+#define SB_SAVE()	subsave = subpointer;
+#define	SB_RESTORE()	subpointer = subsave;
+#endif
+
+
+/*
+ * State for recv fsm
+ */
+#define	TS_DATA		0	/* base state */
+#define	TS_IAC		1	/* look for double IAC's */
+#define	TS_CR		2	/* CR-LF ->'s CR */
+#define	TS_SB		3	/* throw away begin's... */
+#define	TS_SE		4	/* ...end's (suboption negotiation) */
+#define	TS_WILL		5	/* will option negotiation */
+#define	TS_WONT		6	/* wont -''- */
+#define	TS_DO		7	/* do -''- */
+#define	TS_DONT		8	/* dont -''- */
+
+void
+telrcv(void)
+{
+    int c;
+    static int state = TS_DATA;
+
+    while (ncc > 0) {
+	if ((&ptyobuf[BUFSIZ] - pfrontp) < 2)
+	    break;
+	c = *netip++ & 0377, ncc--;
+#ifdef ENCRYPTION
+	if (decrypt_input)
+	    c = (*decrypt_input)(c);
+#endif
+	switch (state) {
+
+	case TS_CR:
+	    state = TS_DATA;
+	    /* Strip off \n or \0 after a \r */
+	    if ((c == 0) || (c == '\n')) {
+		break;
+	    }
+	    /* FALL THROUGH */
+
+	case TS_DATA:
+	    if (c == IAC) {
+		state = TS_IAC;
+		break;
+	    }
+	    /*
+	     * We now map \r\n ==> \r for pragmatic reasons.
+	     * Many client implementations send \r\n when
+	     * the user hits the CarriageReturn key.
+	     *
+	     * We USED to map \r\n ==> \n, since \r\n says
+	     * that we want to be in column 1 of the next
+	     * printable line, and \n is the standard
+	     * unix way of saying that (\r is only good
+	     * if CRMOD is set, which it normally is).
+	     */
+	    if ((c == '\r') && his_state_is_wont(TELOPT_BINARY)) {
+		int nc = *netip;
+#ifdef ENCRYPTION
+		if (decrypt_input)
+		    nc = (*decrypt_input)(nc & 0xff);
+#endif
+		{
+#ifdef ENCRYPTION
+		    if (decrypt_input)
+			(void)(*decrypt_input)(-1);
+#endif
+		    state = TS_CR;
+		}
+	    }
+	    *pfrontp++ = c;
+	    break;
+
+	case TS_IAC:
+	gotiac:			switch (c) {
+
+	    /*
+	     * Send the process on the pty side an
+	     * interrupt.  Do this with a NULL or
+	     * interrupt char; depending on the tty mode.
+	     */
+	case IP:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    interrupt();
+	    break;
+
+	case BREAK:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    sendbrk();
+	    break;
+
+	    /*
+	     * Are You There?
+	     */
+	case AYT:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    recv_ayt();
+	    break;
+
+	    /*
+	     * Abort Output
+	     */
+	case AO:
+	    {
+		DIAG(TD_OPTIONS,
+		     printoption("td: recv IAC", c));
+		ptyflush();	/* half-hearted */
+		init_termbuf();
+
+		if (slctab[SLC_AO].sptr &&
+		    *slctab[SLC_AO].sptr != (cc_t)(_POSIX_VDISABLE)) {
+		    *pfrontp++ =
+			(unsigned char)*slctab[SLC_AO].sptr;
+		}
+
+		netclear();	/* clear buffer back */
+		output_data ("%c%c", IAC, DM);
+		neturg = nfrontp-1; /* off by one XXX */
+		DIAG(TD_OPTIONS,
+		     printoption("td: send IAC", DM));
+		break;
+	    }
+
+	/*
+	 * Erase Character and
+	 * Erase Line
+	 */
+	case EC:
+	case EL:
+	    {
+		cc_t ch;
+
+		DIAG(TD_OPTIONS,
+		     printoption("td: recv IAC", c));
+		ptyflush();	/* half-hearted */
+		init_termbuf();
+		if (c == EC)
+		    ch = *slctab[SLC_EC].sptr;
+		else
+		    ch = *slctab[SLC_EL].sptr;
+		if (ch != (cc_t)(_POSIX_VDISABLE))
+		    *pfrontp++ = (unsigned char)ch;
+		break;
+	    }
+
+	/*
+	 * Check for urgent data...
+	 */
+	case DM:
+	    DIAG(TD_OPTIONS,
+		 printoption("td: recv IAC", c));
+	    SYNCHing = stilloob(net);
+	    settimer(gotDM);
+	    break;
+
+
+	    /*
+	     * Begin option subnegotiation...
+	     */
+	case SB:
+	    state = TS_SB;
+	    SB_CLEAR();
+	    continue;
+
+	case WILL:
+	    state = TS_WILL;
+	    continue;
+
+	case WONT:
+	    state = TS_WONT;
+	    continue;
+
+	case DO:
+	    state = TS_DO;
+	    continue;
+
+	case DONT:
+	    state = TS_DONT;
+	    continue;
+	case EOR:
+	    if (his_state_is_will(TELOPT_EOR))
+		doeof();
+	    break;
+
+	    /*
+	     * Handle RFC 10xx Telnet linemode option additions
+	     * to command stream (EOF, SUSP, ABORT).
+	     */
+	case xEOF:
+	    doeof();
+	    break;
+
+	case SUSP:
+	    sendsusp();
+	    break;
+
+	case ABORT:
+	    sendbrk();
+	    break;
+
+	case IAC:
+	    *pfrontp++ = c;
+	    break;
+	}
+	state = TS_DATA;
+	break;
+
+	case TS_SB:
+	    if (c == IAC) {
+		state = TS_SE;
+	    } else {
+		SB_ACCUM(c);
+	    }
+	    break;
+
+	case TS_SE:
+	    if (c != SE) {
+		if (c != IAC) {
+		    /*
+		     * bad form of suboption negotiation.
+		     * handle it in such a way as to avoid
+		     * damage to local state.  Parse
+		     * suboption buffer found so far,
+		     * then treat remaining stream as
+		     * another command sequence.
+		     */
+
+		    /* for DIAGNOSTICS */
+		    SB_ACCUM(IAC);
+		    SB_ACCUM(c);
+		    subpointer -= 2;
+
+		    SB_TERM();
+		    suboption();
+		    state = TS_IAC;
+		    goto gotiac;
+		}
+		SB_ACCUM(c);
+		state = TS_SB;
+	    } else {
+		/* for DIAGNOSTICS */
+		SB_ACCUM(IAC);
+		SB_ACCUM(SE);
+		subpointer -= 2;
+
+		SB_TERM();
+		suboption();	/* handle sub-option */
+		state = TS_DATA;
+	    }
+	    break;
+
+	case TS_WILL:
+	    willoption(c);
+	    state = TS_DATA;
+	    continue;
+
+	case TS_WONT:
+	    wontoption(c);
+	    if (c==TELOPT_ENCRYPT && his_do_dont_is_changing(TELOPT_ENCRYPT) )
+                dontoption(c);
+	    state = TS_DATA;
+	    continue;
+
+	case TS_DO:
+	    dooption(c);
+	    state = TS_DATA;
+	    continue;
+
+	case TS_DONT:
+	    dontoption(c);
+	    state = TS_DATA;
+	    continue;
+
+	default:
+	    syslog(LOG_ERR, "telnetd: panic state=%d\n", state);
+	    printf("telnetd: panic state=%d\n", state);
+	    exit(1);
+	}
+    }
+}  /* end of telrcv */
+
+/*
+ * The will/wont/do/dont state machines are based on Dave Borman's
+ * Telnet option processing state machine.
+ *
+ * These correspond to the following states:
+ *	my_state = the last negotiated state
+ *	want_state = what I want the state to go to
+ *	want_resp = how many requests I have sent
+ * All state defaults are negative, and resp defaults to 0.
+ *
+ * When initiating a request to change state to new_state:
+ *
+ * if ((want_resp == 0 && new_state == my_state) || want_state == new_state) {
+ *	do nothing;
+ * } else {
+ *	want_state = new_state;
+ *	send new_state;
+ *	want_resp++;
+ * }
+ *
+ * When receiving new_state:
+ *
+ * if (want_resp) {
+ *	want_resp--;
+ *	if (want_resp && (new_state == my_state))
+ *		want_resp--;
+ * }
+ * if ((want_resp == 0) && (new_state != want_state)) {
+ *	if (ok_to_switch_to new_state)
+ *		want_state = new_state;
+ *	else
+ *		want_resp++;
+ *	send want_state;
+ * }
+ * my_state = new_state;
+ *
+ * Note that new_state is implied in these functions by the function itself.
+ * will and do imply positive new_state, wont and dont imply negative.
+ *
+ * Finally, there is one catch.  If we send a negative response to a
+ * positive request, my_state will be the positive while want_state will
+ * remain negative.  my_state will revert to negative when the negative
+ * acknowlegment arrives from the peer.  Thus, my_state generally tells
+ * us not only the last negotiated state, but also tells us what the peer
+ * wants to be doing as well.  It is important to understand this difference
+ * as we may wish to be processing data streams based on our desired state
+ * (want_state) or based on what the peer thinks the state is (my_state).
+ *
+ * This all works fine because if the peer sends a positive request, the data
+ * that we receive prior to negative acknowlegment will probably be affected
+ * by the positive state, and we can process it as such (if we can; if we
+ * can't then it really doesn't matter).  If it is that important, then the
+ * peer probably should be buffering until this option state negotiation
+ * is complete.
+ *
+ */
+void
+send_do(int option, int init)
+{
+    if (init) {
+	if ((do_dont_resp[option] == 0 && his_state_is_will(option)) ||
+	    his_want_state_is_will(option))
+	    return;
+	/*
+	 * Special case for TELOPT_TM:  We send a DO, but pretend
+	 * that we sent a DONT, so that we can send more DOs if
+	 * we want to.
+	 */
+	if (option == TELOPT_TM)
+	    set_his_want_state_wont(option);
+	else
+	    set_his_want_state_will(option);
+	do_dont_resp[option]++;
+    }
+    output_data((const char *)doopt, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send do", option));
+}
+
+#ifdef	AUTHENTICATION
+extern void auth_request(void);
+#endif
+#ifdef	ENCRYPTION
+extern void encrypt_send_support();
+#endif
+
+void
+willoption(int option)
+{
+    int changeok = 0;
+    void (*func)() = 0;
+
+    /*
+     * process input from peer.
+     */
+
+    DIAG(TD_OPTIONS, printoption("td: recv will", option));
+
+    if (do_dont_resp[option]) {
+	do_dont_resp[option]--;
+	if (do_dont_resp[option] && his_state_is_will(option))
+	    do_dont_resp[option]--;
+    }
+    if (do_dont_resp[option] == 0) {
+	if (his_want_state_is_wont(option)) {
+	    switch (option) {
+
+	    case TELOPT_BINARY:
+		init_termbuf();
+		tty_binaryin(1);
+		set_termbuf();
+		changeok++;
+		break;
+
+	    case TELOPT_ECHO:
+		/*
+		 * See comments below for more info.
+		 */
+		not42 = 0;	/* looks like a 4.2 system */
+		break;
+
+	    case TELOPT_TM:
+		/*
+		 * We never respond to a WILL TM, and
+		 * we leave the state WONT.
+		 */
+		return;
+
+	    case TELOPT_LFLOW:
+		/*
+		 * If we are going to support flow control
+		 * option, then don't worry peer that we can't
+		 * change the flow control characters.
+		 */
+		slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XON].defset.flag |= SLC_DEFAULT;
+		slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XOFF].defset.flag |= SLC_DEFAULT;
+	    case TELOPT_TTYPE:
+	    case TELOPT_SGA:
+	    case TELOPT_NAWS:
+	    case TELOPT_TSPEED:
+	    case TELOPT_XDISPLOC:
+	    case TELOPT_NEW_ENVIRON:
+	    case TELOPT_OLD_ENVIRON:
+		changeok++;
+		break;
+
+
+#ifdef	AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		func = auth_request;
+		changeok++;
+		break;
+#endif
+
+#ifdef	ENCRYPTION
+	    case TELOPT_ENCRYPT:
+		func = encrypt_send_support;
+		changeok++;
+		break;
+#endif
+			
+	    default:
+		break;
+	    }
+	    if (changeok) {
+		set_his_want_state_will(option);
+		send_do(option, 0);
+	    } else {
+		do_dont_resp[option]++;
+		send_dont(option, 0);
+	    }
+	} else {
+	    /*
+	     * Option processing that should happen when
+	     * we receive conformation of a change in
+	     * state that we had requested.
+	     */
+	    switch (option) {
+	    case TELOPT_ECHO:
+		not42 = 0;	/* looks like a 4.2 system */
+		/*
+		 * Egads, he responded "WILL ECHO".  Turn
+		 * it off right now!
+		 */
+		send_dont(option, 1);
+		/*
+		 * "WILL ECHO".  Kludge upon kludge!
+		 * A 4.2 client is now echoing user input at
+		 * the tty.  This is probably undesireable and
+		 * it should be stopped.  The client will
+		 * respond WONT TM to the DO TM that we send to
+		 * check for kludge linemode.  When the WONT TM
+		 * arrives, linemode will be turned off and a
+		 * change propogated to the pty.  This change
+		 * will cause us to process the new pty state
+		 * in localstat(), which will notice that
+		 * linemode is off and send a WILL ECHO
+		 * so that we are properly in character mode and
+		 * all is well.
+		 */
+		break;
+
+#ifdef	AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		func = auth_request;
+		break;
+#endif
+
+#ifdef	ENCRYPTION
+	    case TELOPT_ENCRYPT:
+		func = encrypt_send_support;
+		break;
+#endif
+
+	    case TELOPT_LFLOW:
+		func = flowstat;
+		break;
+	    }
+	}
+    }
+    set_his_state_will(option);
+    if (func)
+	(*func)();
+}  /* end of willoption */
+
+void
+send_dont(int option, int init)
+{
+    if (init) {
+	if ((do_dont_resp[option] == 0 && his_state_is_wont(option)) ||
+	    his_want_state_is_wont(option))
+	    return;
+	set_his_want_state_wont(option);
+	do_dont_resp[option]++;
+    }
+    output_data((const char *)dont, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send dont", option));
+}
+
+void
+wontoption(int option)
+{
+    /*
+     * Process client input.
+	 */
+
+    DIAG(TD_OPTIONS, printoption("td: recv wont", option));
+
+    if (do_dont_resp[option]) {
+	do_dont_resp[option]--;
+	if (do_dont_resp[option] && his_state_is_wont(option))
+	    do_dont_resp[option]--;
+    }
+    if (do_dont_resp[option] == 0) {
+	if (his_want_state_is_will(option)) {
+	    /* it is always ok to change to negative state */
+	    switch (option) {
+	    case TELOPT_ECHO:
+		not42 = 1; /* doesn't seem to be a 4.2 system */
+		break;
+
+	    case TELOPT_BINARY:
+		init_termbuf();
+		tty_binaryin(0);
+		set_termbuf();
+		break;
+
+	    case TELOPT_TM:
+		/*
+		 * If we get a WONT TM, and had sent a DO TM,
+		 * don't respond with a DONT TM, just leave it
+		 * as is.  Short circut the state machine to
+		 * achive this.
+		 */
+		set_his_want_state_wont(TELOPT_TM);
+		return;
+
+	    case TELOPT_LFLOW:
+		/*
+		 * If we are not going to support flow control
+		 * option, then let peer know that we can't
+		 * change the flow control characters.
+		 */
+		slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XON].defset.flag |= SLC_CANTCHANGE;
+		slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+		slctab[SLC_XOFF].defset.flag |= SLC_CANTCHANGE;
+		break;
+
+#ifdef AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		auth_finished(0, AUTH_REJECT);
+		break;
+#endif
+
+		/*
+		 * For options that we might spin waiting for
+		 * sub-negotiation, if the client turns off the
+		 * option rather than responding to the request,
+		 * we have to treat it here as if we got a response
+		 * to the sub-negotiation, (by updating the timers)
+		 * so that we'll break out of the loop.
+		 */
+	    case TELOPT_TTYPE:
+		settimer(ttypesubopt);
+		break;
+
+	    case TELOPT_TSPEED:
+		settimer(tspeedsubopt);
+		break;
+
+	    case TELOPT_XDISPLOC:
+		settimer(xdisplocsubopt);
+		break;
+
+	    case TELOPT_OLD_ENVIRON:
+		settimer(oenvironsubopt);
+		break;
+
+	    case TELOPT_NEW_ENVIRON:
+		settimer(environsubopt);
+		break;
+
+	    default:
+		break;
+	    }
+	    set_his_want_state_wont(option);
+	    if (his_state_is_will(option))
+		send_dont(option, 0);
+	} else {
+	    switch (option) {
+	    case TELOPT_TM:
+		break;
+
+#ifdef AUTHENTICATION
+	    case TELOPT_AUTHENTICATION:
+		auth_finished(0, AUTH_REJECT);
+		break;
+#endif
+	    default:
+		break;
+	    }
+	}
+    }
+    set_his_state_wont(option);
+
+}  /* end of wontoption */
+
+void
+send_will(int option, int init)
+{
+    if (init) {
+	if ((will_wont_resp[option] == 0 && my_state_is_will(option))||
+	    my_want_state_is_will(option))
+	    return;
+	set_my_want_state_will(option);
+	will_wont_resp[option]++;
+    }
+    output_data ((const char *)will, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send will", option));
+}
+
+/*
+ * When we get a DONT SGA, we will try once to turn it
+ * back on.  If the other side responds DONT SGA, we
+ * leave it at that.  This is so that when we talk to
+ * clients that understand KLUDGELINEMODE but not LINEMODE,
+ * we'll keep them in char-at-a-time mode.
+ */
+int turn_on_sga = 0;
+
+void
+dooption(int option)
+{
+    int changeok = 0;
+
+    /*
+     * Process client input.
+     */
+
+    DIAG(TD_OPTIONS, printoption("td: recv do", option));
+
+    if (will_wont_resp[option]) {
+	will_wont_resp[option]--;
+	if (will_wont_resp[option] && my_state_is_will(option))
+	    will_wont_resp[option]--;
+    }
+    if ((will_wont_resp[option] == 0) && (my_want_state_is_wont(option))) {
+	switch (option) {
+	case TELOPT_ECHO:
+	    {
+		init_termbuf();
+		tty_setecho(1);
+		set_termbuf();
+	    }
+	changeok++;
+	break;
+
+	case TELOPT_BINARY:
+	    init_termbuf();
+	    tty_binaryout(1);
+	    set_termbuf();
+	    changeok++;
+	    break;
+
+	case TELOPT_SGA:
+	    turn_on_sga = 0;
+	    changeok++;
+	    break;
+
+	case TELOPT_STATUS:
+	    changeok++;
+	    break;
+
+	case TELOPT_TM:
+	    /*
+	     * Special case for TM.  We send a WILL, but
+	     * pretend we sent a WONT.
+	     */
+	    send_will(option, 0);
+	    set_my_want_state_wont(option);
+	    set_my_state_wont(option);
+	    return;
+
+	case TELOPT_LOGOUT:
+	    /*
+	     * When we get a LOGOUT option, respond
+	     * with a WILL LOGOUT, make sure that
+	     * it gets written out to the network,
+	     * and then just go away...
+	     */
+	    set_my_want_state_will(TELOPT_LOGOUT);
+	    send_will(TELOPT_LOGOUT, 0);
+	    set_my_state_will(TELOPT_LOGOUT);
+	    netflush();
+	    cleanup(0);
+	    /* NOT REACHED */
+	    break;
+
+#ifdef ENCRYPTION
+	case TELOPT_ENCRYPT:
+	    changeok++;
+	    break;
+#endif
+	case TELOPT_LINEMODE:
+	case TELOPT_TTYPE:
+	case TELOPT_NAWS:
+	case TELOPT_TSPEED:
+	case TELOPT_LFLOW:
+	case TELOPT_XDISPLOC:
+#ifdef	TELOPT_ENVIRON
+	case TELOPT_NEW_ENVIRON:
+#endif
+	case TELOPT_OLD_ENVIRON:
+	default:
+	    break;
+	}
+	if (changeok) {
+	    set_my_want_state_will(option);
+	    send_will(option, 0);
+	} else {
+	    will_wont_resp[option]++;
+	    send_wont(option, 0);
+	}
+    }
+    set_my_state_will(option);
+
+}  /* end of dooption */
+
+void
+send_wont(int option, int init)
+{
+    if (init) {
+	if ((will_wont_resp[option] == 0 && my_state_is_wont(option)) ||
+	    my_want_state_is_wont(option))
+	    return;
+	set_my_want_state_wont(option);
+	will_wont_resp[option]++;
+    }
+    output_data ((const char *)wont, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send wont", option));
+}
+
+void
+dontoption(int option)
+{
+    /*
+     * Process client input.
+	 */
+
+
+    DIAG(TD_OPTIONS, printoption("td: recv dont", option));
+
+    if (will_wont_resp[option]) {
+	will_wont_resp[option]--;
+	if (will_wont_resp[option] && my_state_is_wont(option))
+	    will_wont_resp[option]--;
+    }
+    if ((will_wont_resp[option] == 0) && (my_want_state_is_will(option))) {
+	switch (option) {
+	case TELOPT_BINARY:
+	    init_termbuf();
+	    tty_binaryout(0);
+	    set_termbuf();
+	    break;
+
+	case TELOPT_ECHO:	/* we should stop echoing */
+	    {
+		init_termbuf();
+		tty_setecho(0);
+		set_termbuf();
+	    }
+	break;
+
+	case TELOPT_SGA:
+	    set_my_want_state_wont(option);
+	    if (my_state_is_will(option))
+		send_wont(option, 0);
+	    set_my_state_wont(option);
+	    if (turn_on_sga ^= 1)
+		send_will(option, 1);
+	    return;
+
+	default:
+	    break;
+	}
+
+	set_my_want_state_wont(option);
+	if (my_state_is_will(option))
+	    send_wont(option, 0);
+    }
+    set_my_state_wont(option);
+
+}  /* end of dontoption */
+
+#ifdef	ENV_HACK
+int env_ovar = -1;
+int env_ovalue = -1;
+#else	/* ENV_HACK */
+# define env_ovar OLD_ENV_VAR
+# define env_ovalue OLD_ENV_VALUE
+#endif	/* ENV_HACK */
+
+/*
+ * suboption()
+ *
+ *	Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *	Currently we recognize:
+ *
+ *	Terminal type is
+ *	Linemode
+ *	Window size
+ *	Terminal speed
+ */
+void
+suboption(void)
+{
+    int subchar;
+
+    DIAG(TD_OPTIONS, {netflush(); printsub('<', subpointer, SB_LEN()+2);});
+
+    subchar = SB_GET();
+    switch (subchar) {
+    case TELOPT_TSPEED: {
+	int xspeed, rspeed;
+
+	if (his_state_is_wont(TELOPT_TSPEED))	/* Ignore if option disabled */
+	    break;
+
+	settimer(tspeedsubopt);
+
+	if (SB_EOF() || SB_GET() != TELQUAL_IS)
+	    return;
+
+	xspeed = atoi((char *)subpointer);
+
+	while (SB_GET() != ',' && !SB_EOF());
+	if (SB_EOF())
+	    return;
+
+	rspeed = atoi((char *)subpointer);
+	clientstat(TELOPT_TSPEED, xspeed, rspeed);
+
+	break;
+
+    }  /* end of case TELOPT_TSPEED */
+
+    case TELOPT_TTYPE: {		/* Yaaaay! */
+	static char terminalname[41];
+
+	if (his_state_is_wont(TELOPT_TTYPE))	/* Ignore if option disabled */
+	    break;
+	settimer(ttypesubopt);
+
+	if (SB_EOF() || SB_GET() != TELQUAL_IS) {
+	    return;		/* ??? XXX but, this is the most robust */
+	}
+
+	terminaltype = terminalname;
+
+	while ((terminaltype < (terminalname + sizeof terminalname-1)) &&
+	       !SB_EOF()) {
+	    int c;
+
+	    c = SB_GET();
+	    if (isupper(c)) {
+		c = tolower(c);
+	    }
+	    *terminaltype++ = c;    /* accumulate name */
+	}
+	*terminaltype = 0;
+	terminaltype = terminalname;
+	break;
+    }  /* end of case TELOPT_TTYPE */
+
+    case TELOPT_NAWS: {
+	int xwinsize, ywinsize;
+
+	if (his_state_is_wont(TELOPT_NAWS))	/* Ignore if option disabled */
+	    break;
+
+	if (SB_EOF())
+	    return;
+	xwinsize = SB_GET() << 8;
+	if (SB_EOF())
+	    return;
+	xwinsize |= SB_GET();
+	if (SB_EOF())
+	    return;
+	ywinsize = SB_GET() << 8;
+	if (SB_EOF())
+	    return;
+	ywinsize |= SB_GET();
+	clientstat(TELOPT_NAWS, xwinsize, ywinsize);
+
+	break;
+
+    }  /* end of case TELOPT_NAWS */
+
+    case TELOPT_STATUS: {
+	int mode;
+
+	if (SB_EOF())
+	    break;
+	mode = SB_GET();
+	switch (mode) {
+	case TELQUAL_SEND:
+	    if (my_state_is_will(TELOPT_STATUS))
+		send_status();
+	    break;
+
+	case TELQUAL_IS:
+	    break;
+
+	default:
+	    break;
+	}
+	break;
+    }  /* end of case TELOPT_STATUS */
+
+    case TELOPT_XDISPLOC: {
+	if (SB_EOF() || SB_GET() != TELQUAL_IS)
+	    return;
+	settimer(xdisplocsubopt);
+	subpointer[SB_LEN()] = '\0';
+	setenv("DISPLAY", (char *)subpointer, 1);
+	break;
+    }  /* end of case TELOPT_XDISPLOC */
+
+#ifdef	TELOPT_NEW_ENVIRON
+    case TELOPT_NEW_ENVIRON:
+#endif
+    case TELOPT_OLD_ENVIRON: {
+	int c;
+	char *cp, *varp, *valp;
+
+	if (SB_EOF())
+	    return;
+	c = SB_GET();
+	if (c == TELQUAL_IS) {
+	    if (subchar == TELOPT_OLD_ENVIRON)
+		settimer(oenvironsubopt);
+	    else
+		settimer(environsubopt);
+	} else if (c != TELQUAL_INFO) {
+	    return;
+	}
+
+#ifdef	TELOPT_NEW_ENVIRON
+	if (subchar == TELOPT_NEW_ENVIRON) {
+	    while (!SB_EOF()) {
+		c = SB_GET();
+		if ((c == NEW_ENV_VAR) || (c == ENV_USERVAR))
+		    break;
+	    }
+	} else
+#endif
+	    {
+#ifdef	ENV_HACK
+		/*
+		 * We only want to do this if we haven't already decided
+		 * whether or not the other side has its VALUE and VAR
+		 * reversed.
+		 */
+		if (env_ovar < 0) {
+		    int last = -1;		/* invalid value */
+		    int empty = 0;
+		    int got_var = 0, got_value = 0, got_uservar = 0;
+
+		    /*
+		     * The other side might have its VALUE and VAR values
+		     * reversed.  To be interoperable, we need to determine
+		     * which way it is.  If the first recognized character
+		     * is a VAR or VALUE, then that will tell us what
+		     * type of client it is.  If the fist recognized
+		     * character is a USERVAR, then we continue scanning
+		     * the suboption looking for two consecutive
+		     * VAR or VALUE fields.  We should not get two
+		     * consecutive VALUE fields, so finding two
+		     * consecutive VALUE or VAR fields will tell us
+		     * what the client is.
+		     */
+		    SB_SAVE();
+		    while (!SB_EOF()) {
+			c = SB_GET();
+			switch(c) {
+			case OLD_ENV_VAR:
+			    if (last < 0 || last == OLD_ENV_VAR
+				|| (empty && (last == OLD_ENV_VALUE)))
+				goto env_ovar_ok;
+			    got_var++;
+			    last = OLD_ENV_VAR;
+			    break;
+			case OLD_ENV_VALUE:
+			    if (last < 0 || last == OLD_ENV_VALUE
+				|| (empty && (last == OLD_ENV_VAR)))
+				goto env_ovar_wrong;
+			    got_value++;
+			    last = OLD_ENV_VALUE;
+			    break;
+			case ENV_USERVAR:
+			    /* count strings of USERVAR as one */
+			    if (last != ENV_USERVAR)
+				got_uservar++;
+			    if (empty) {
+				if (last == OLD_ENV_VALUE)
+				    goto env_ovar_ok;
+				if (last == OLD_ENV_VAR)
+				    goto env_ovar_wrong;
+			    }
+			    last = ENV_USERVAR;
+			    break;
+			case ENV_ESC:
+			    if (!SB_EOF())
+				c = SB_GET();
+			    /* FALL THROUGH */
+			default:
+			    empty = 0;
+			    continue;
+			}
+			empty = 1;
+		    }
+		    if (empty) {
+			if (last == OLD_ENV_VALUE)
+			    goto env_ovar_ok;
+			if (last == OLD_ENV_VAR)
+			    goto env_ovar_wrong;
+		    }
+		    /*
+		     * Ok, the first thing was a USERVAR, and there
+		     * are not two consecutive VAR or VALUE commands,
+		     * and none of the VAR or VALUE commands are empty.
+		     * If the client has sent us a well-formed option,
+		     * then the number of VALUEs received should always
+		     * be less than or equal to the number of VARs and
+		     * USERVARs received.
+		     *
+		     * If we got exactly as many VALUEs as VARs and
+		     * USERVARs, the client has the same definitions.
+		     *
+		     * If we got exactly as many VARs as VALUEs and
+		     * USERVARS, the client has reversed definitions.
+		     */
+		    if (got_uservar + got_var == got_value) {
+		    env_ovar_ok:
+			env_ovar = OLD_ENV_VAR;
+			env_ovalue = OLD_ENV_VALUE;
+		    } else if (got_uservar + got_value == got_var) {
+		    env_ovar_wrong:
+			env_ovar = OLD_ENV_VALUE;
+			env_ovalue = OLD_ENV_VAR;
+			DIAG(TD_OPTIONS, {
+			    output_data("ENVIRON VALUE and VAR are reversed!\r\n");
+			});
+
+		    }
+		}
+		SB_RESTORE();
+#endif
+
+		while (!SB_EOF()) {
+		    c = SB_GET();
+		    if ((c == env_ovar) || (c == ENV_USERVAR))
+			break;
+		}
+	    }
+
+	if (SB_EOF())
+	    return;
+
+	cp = varp = (char *)subpointer;
+	valp = 0;
+
+	while (!SB_EOF()) {
+	    c = SB_GET();
+	    if (subchar == TELOPT_OLD_ENVIRON) {
+		if (c == env_ovar)
+		    c = NEW_ENV_VAR;
+		else if (c == env_ovalue)
+		    c = NEW_ENV_VALUE;
+	    }
+	    switch (c) {
+
+	    case NEW_ENV_VALUE:
+		*cp = '\0';
+		cp = valp = (char *)subpointer;
+		break;
+
+	    case NEW_ENV_VAR:
+	    case ENV_USERVAR:
+		*cp = '\0';
+		if (valp)
+		    setenv(varp, valp, 1);
+		else
+		    unsetenv(varp);
+		cp = varp = (char *)subpointer;
+		valp = 0;
+		break;
+
+	    case ENV_ESC:
+		if (SB_EOF())
+		    break;
+		c = SB_GET();
+		/* FALL THROUGH */
+	    default:
+		*cp++ = c;
+		break;
+	    }
+	}
+	*cp = '\0';
+	if (valp)
+	    setenv(varp, valp, 1);
+	else
+	    unsetenv(varp);
+	break;
+    }  /* end of case TELOPT_NEW_ENVIRON */
+#ifdef AUTHENTICATION
+    case TELOPT_AUTHENTICATION:
+	if (SB_EOF())
+	    break;
+	switch(SB_GET()) {
+	case TELQUAL_SEND:
+	case TELQUAL_REPLY:
+	    /*
+	     * These are sent by us and cannot be sent by
+	     * the client.
+	     */
+	    break;
+	case TELQUAL_IS:
+	    auth_is(subpointer, SB_LEN());
+	    break;
+	case TELQUAL_NAME:
+	    auth_name(subpointer, SB_LEN());
+	    break;
+	}
+	break;
+#endif
+#ifdef ENCRYPTION
+    case TELOPT_ENCRYPT:
+	if (SB_EOF())
+	    break;
+	switch(SB_GET()) {
+	case ENCRYPT_SUPPORT:
+	    encrypt_support(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_IS:
+	    encrypt_is(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_REPLY:
+	    encrypt_reply(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_START:
+	    encrypt_start(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_END:
+	    encrypt_end();
+	    break;
+	case ENCRYPT_REQSTART:
+	    encrypt_request_start(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_REQEND:
+	    /*
+	     * We can always send an REQEND so that we cannot
+	     * get stuck encrypting.  We should only get this
+	     * if we have been able to get in the correct mode
+	     * anyhow.
+	     */
+	    encrypt_request_end();
+	    break;
+	case ENCRYPT_ENC_KEYID:
+	    encrypt_enc_keyid(subpointer, SB_LEN());
+	    break;
+	case ENCRYPT_DEC_KEYID:
+	    encrypt_dec_keyid(subpointer, SB_LEN());
+	    break;
+	default:
+	    break;
+	}
+	break;
+#endif
+
+    default:
+	break;
+    }  /* end of switch */
+
+}  /* end of suboption */
+
+void
+doclientstat(void)
+{
+    clientstat(TELOPT_LINEMODE, WILL, 0);
+}
+
+#define	ADD(c)	 *ncp++ = c
+#define	ADD_DATA(c) { *ncp++ = c; if (c == SE || c == IAC) *ncp++ = c; }
+
+void
+send_status(void)
+{
+    unsigned char statusbuf[256];
+    unsigned char *ncp;
+    unsigned char i;
+
+    ncp = statusbuf;
+
+    netflush();	/* get rid of anything waiting to go out */
+
+    ADD(IAC);
+    ADD(SB);
+    ADD(TELOPT_STATUS);
+    ADD(TELQUAL_IS);
+
+    /*
+     * We check the want_state rather than the current state,
+     * because if we received a DO/WILL for an option that we
+     * don't support, and the other side didn't send a DONT/WONT
+     * in response to our WONT/DONT, then the "state" will be
+     * WILL/DO, and the "want_state" will be WONT/DONT.  We
+     * need to go by the latter.
+     */
+    for (i = 0; i < (unsigned char)NTELOPTS; i++) {
+	if (my_want_state_is_will(i)) {
+	    ADD(WILL);
+	    ADD_DATA(i);
+	}
+	if (his_want_state_is_will(i)) {
+	    ADD(DO);
+	    ADD_DATA(i);
+	}
+    }
+
+    if (his_want_state_is_will(TELOPT_LFLOW)) {
+	ADD(SB);
+	ADD(TELOPT_LFLOW);
+	if (flowmode) {
+	    ADD(LFLOW_ON);
+	} else {
+	    ADD(LFLOW_OFF);
+	}
+	ADD(SE);
+
+	if (restartany >= 0) {
+	    ADD(SB);
+	    ADD(TELOPT_LFLOW);
+	    if (restartany) {
+		ADD(LFLOW_RESTART_ANY);
+	    } else {
+		ADD(LFLOW_RESTART_XON);
+	    }
+	    ADD(SE);
+	}
+    }
+
+
+    ADD(IAC);
+    ADD(SE);
+
+    writenet(statusbuf, ncp - statusbuf);
+    netflush();	/* Send it on its way */
+
+    DIAG(TD_OPTIONS,
+	 {printsub('>', statusbuf, ncp - statusbuf); netflush();});
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/sys_term.c b/crypto/kerberosIV/appl/telnet/telnetd/sys_term.c
new file mode 100644
index 0000000..2477c42
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/sys_term.c
@@ -0,0 +1,1893 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: sys_term.c,v 1.89.2.6 2000/12/08 23:34:05 assar Exp $");
+
+#if defined(_CRAY) || (defined(__hpux) && !defined(HAVE_UTMPX_H))
+# define PARENT_DOES_UTMP
+#endif
+
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#endif
+
+#ifdef HAVE_UTMPX_H
+#include <utmpx.h>
+#endif
+
+#ifdef HAVE_UTMPX_H
+struct	utmpx wtmp;
+#elif defined(HAVE_UTMP_H)
+struct	utmp wtmp;
+#endif /* HAVE_UTMPX_H */
+
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+int	utmp_len = sizeof(wtmp.ut_host);
+#else
+int	utmp_len = MaxHostNameLen;
+#endif
+
+#ifndef UTMP_FILE
+#ifdef _PATH_UTMP
+#define UTMP_FILE _PATH_UTMP
+#else
+#define UTMP_FILE "/etc/utmp"
+#endif
+#endif
+
+#if !defined(WTMP_FILE) && defined(_PATH_WTMP)
+#define WTMP_FILE _PATH_WTMP
+#endif
+
+#ifndef PARENT_DOES_UTMP
+#ifdef WTMP_FILE
+char	wtmpf[] = WTMP_FILE;
+#else
+char	wtmpf[]	= "/usr/adm/wtmp";
+#endif
+char	utmpf[] = UTMP_FILE;
+#else /* PARENT_DOES_UTMP */
+#ifdef WTMP_FILE
+char	wtmpf[] = WTMP_FILE;
+#else
+char	wtmpf[]	= "/etc/wtmp";
+#endif
+#endif /* PARENT_DOES_UTMP */
+
+#ifdef HAVE_TMPDIR_H
+#include <tmpdir.h>
+#endif	/* CRAY */
+
+#ifdef	STREAMSPTY
+
+#ifdef HAVE_SAC_H
+#include <sac.h>
+#endif
+
+#ifdef HAVE_SYS_STROPTS_H
+#include <sys/stropts.h>
+#endif
+
+#endif /* STREAMSPTY */
+
+#ifdef	HAVE_SYS_STREAM_H
+#ifdef  HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef __hpux
+#undef SE
+#endif
+#include <sys/stream.h>
+#endif
+#if !(defined(__sgi) || defined(__linux) || defined(_AIX)) && defined(HAVE_SYS_TTY)
+#include <sys/tty.h>
+#endif
+#ifdef	t_erase
+#undef	t_erase
+#undef	t_kill
+#undef	t_intrc
+#undef	t_quitc
+#undef	t_startc
+#undef	t_stopc
+#undef	t_eofc
+#undef	t_brkc
+#undef	t_suspc
+#undef	t_dsuspc
+#undef	t_rprntc
+#undef	t_flushc
+#undef	t_werasc
+#undef	t_lnextc
+#endif
+
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#else
+#ifdef HAVE_TERMIO_H
+#include <termio.h>
+#endif
+#endif
+
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+
+# ifndef	TCSANOW
+#  ifdef TCSETS
+#   define	TCSANOW		TCSETS
+#   define	TCSADRAIN	TCSETSW
+#   define	tcgetattr(f, t)	ioctl(f, TCGETS, (char *)t)
+#  else
+#   ifdef TCSETA
+#    define	TCSANOW		TCSETA
+#    define	TCSADRAIN	TCSETAW
+#    define	tcgetattr(f, t)	ioctl(f, TCGETA, (char *)t)
+#   else
+#    define	TCSANOW		TIOCSETA
+#    define	TCSADRAIN	TIOCSETAW
+#    define	tcgetattr(f, t)	ioctl(f, TIOCGETA, (char *)t)
+#   endif
+#  endif
+#  define	tcsetattr(f, a, t)	ioctl(f, a, t)
+#  define	cfsetospeed(tp, val)	(tp)->c_cflag &= ~CBAUD; \
+(tp)->c_cflag |= (val)
+#  define	cfgetospeed(tp)		((tp)->c_cflag & CBAUD)
+#  ifdef CIBAUD
+#   define	cfsetispeed(tp, val)	(tp)->c_cflag &= ~CIBAUD; \
+     (tp)->c_cflag |= ((val)<<IBSHIFT)
+#   define	cfgetispeed(tp)		(((tp)->c_cflag & CIBAUD)>>IBSHIFT)
+#  else
+#   define	cfsetispeed(tp, val)	(tp)->c_cflag &= ~CBAUD; \
+     (tp)->c_cflag |= (val)
+#   define	cfgetispeed(tp)		((tp)->c_cflag & CBAUD)
+#  endif
+# endif /* TCSANOW */
+     struct termios termbuf, termbuf2;	/* pty control structure */
+# ifdef  STREAMSPTY
+     static int ttyfd = -1;
+     int really_stream = 0;
+# endif
+
+     const char *new_login = _PATH_LOGIN;
+
+/*
+ * init_termbuf()
+ * copy_termbuf(cp)
+ * set_termbuf()
+ *
+ * These three routines are used to get and set the "termbuf" structure
+ * to and from the kernel.  init_termbuf() gets the current settings.
+ * copy_termbuf() hands in a new "termbuf" to write to the kernel, and
+ * set_termbuf() writes the structure into the kernel.
+ */
+
+     void
+     init_termbuf(void)
+{
+# ifdef  STREAMSPTY
+    if (really_stream)
+	tcgetattr(ttyfd, &termbuf);
+    else
+# endif
+	tcgetattr(ourpty, &termbuf);
+    termbuf2 = termbuf;
+}
+
+void
+set_termbuf(void)
+{
+    /*
+     * Only make the necessary changes.
+	 */
+    if (memcmp(&termbuf, &termbuf2, sizeof(termbuf)))
+# ifdef  STREAMSPTY
+	if (really_stream)
+	    tcsetattr(ttyfd, TCSANOW, &termbuf);
+	else
+# endif
+	    tcsetattr(ourpty, TCSANOW, &termbuf);
+}
+
+
+/*
+ * spcset(func, valp, valpp)
+ *
+ * This function takes various special characters (func), and
+ * sets *valp to the current value of that character, and
+ * *valpp to point to where in the "termbuf" structure that
+ * value is kept.
+ *
+ * It returns the SLC_ level of support for this function.
+ */
+
+
+int
+spcset(int func, cc_t *valp, cc_t **valpp)
+{
+
+#define	setval(a, b)	*valp = termbuf.c_cc[a]; \
+    *valpp = &termbuf.c_cc[a]; \
+				   return(b);
+#define	defval(a) *valp = ((cc_t)a); *valpp = (cc_t *)0; return(SLC_DEFAULT);
+
+    switch(func) {
+    case SLC_EOF:
+	setval(VEOF, SLC_VARIABLE);
+    case SLC_EC:
+	setval(VERASE, SLC_VARIABLE);
+    case SLC_EL:
+	setval(VKILL, SLC_VARIABLE);
+    case SLC_IP:
+	setval(VINTR, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+    case SLC_ABORT:
+	setval(VQUIT, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+    case SLC_XON:
+#ifdef	VSTART
+	setval(VSTART, SLC_VARIABLE);
+#else
+	defval(0x13);
+#endif
+    case SLC_XOFF:
+#ifdef	VSTOP
+	setval(VSTOP, SLC_VARIABLE);
+#else
+	defval(0x11);
+#endif
+    case SLC_EW:
+#ifdef	VWERASE
+	setval(VWERASE, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+    case SLC_RP:
+#ifdef	VREPRINT
+	setval(VREPRINT, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+    case SLC_LNEXT:
+#ifdef	VLNEXT
+	setval(VLNEXT, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+    case SLC_AO:
+#if	!defined(VDISCARD) && defined(VFLUSHO)
+# define VDISCARD VFLUSHO
+#endif
+#ifdef	VDISCARD
+	setval(VDISCARD, SLC_VARIABLE|SLC_FLUSHOUT);
+#else
+	defval(0);
+#endif
+    case SLC_SUSP:
+#ifdef	VSUSP
+	setval(VSUSP, SLC_VARIABLE|SLC_FLUSHIN);
+#else
+	defval(0);
+#endif
+#ifdef	VEOL
+    case SLC_FORW1:
+	setval(VEOL, SLC_VARIABLE);
+#endif
+#ifdef	VEOL2
+    case SLC_FORW2:
+	setval(VEOL2, SLC_VARIABLE);
+#endif
+    case SLC_AYT:
+#ifdef	VSTATUS
+	setval(VSTATUS, SLC_VARIABLE);
+#else
+	defval(0);
+#endif
+
+    case SLC_BRK:
+    case SLC_SYNCH:
+    case SLC_EOR:
+	defval(0);
+
+    default:
+	*valp = 0;
+	*valpp = 0;
+	return(SLC_NOSUPPORT);
+    }
+}
+
+#ifdef _CRAY
+/*
+ * getnpty()
+ *
+ * Return the number of pty's configured into the system.
+ */
+int
+getnpty()
+{
+#ifdef _SC_CRAY_NPTY
+    int numptys;
+
+    if ((numptys = sysconf(_SC_CRAY_NPTY)) != -1)
+	return numptys;
+    else
+#endif /* _SC_CRAY_NPTY */
+	return 128;
+}
+#endif /* CRAY */
+
+/*
+ * getpty()
+ *
+ * Allocate a pty.  As a side effect, the external character
+ * array "line" contains the name of the slave side.
+ *
+ * Returns the file descriptor of the opened pty.
+ */
+
+static char Xline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+char *line = Xline;
+
+#ifdef	_CRAY
+char myline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+#endif	/* CRAY */
+
+#if !defined(HAVE_PTSNAME) && defined(STREAMSPTY)
+static char *ptsname(int fd)
+{
+#ifdef HAVE_TTYNAME
+    return ttyname(fd);
+#else
+    return NULL;
+#endif
+}
+#endif
+
+int getpty(int *ptynum)
+{
+#ifdef __osf__ /* XXX */
+    int master;
+    int slave;
+    if(openpty(&master, &slave, line, 0, 0) == 0){
+	close(slave);
+	return master;
+    }
+    return -1;
+#else
+#ifdef HAVE__GETPTY
+    int master, slave;
+    char *p;
+    p = _getpty(&master, O_RDWR, 0600, 1);
+    if(p == NULL)
+	return -1;
+    strlcpy(line, p, sizeof(Xline));
+    return master;
+#else
+
+    int p;
+    char *cp, *p1, *p2;
+    int i;
+#if SunOS == 40
+    int dummy;
+#endif
+#if 0 /* && defined(HAVE_OPENPTY) */
+    int master;
+    int slave;
+    if(openpty(&master, &slave, line, 0, 0) == 0){
+	close(slave);
+	return master;
+    }
+#else
+#ifdef	STREAMSPTY
+    char *clone[] = { "/dev/ptc", "/dev/ptmx", "/dev/ptm", 
+		      "/dev/ptym/clone", 0 };
+
+    char **q;
+    for(q=clone; *q; q++){
+	p=open(*q, O_RDWR);
+	if(p >= 0){
+#ifdef HAVE_GRANTPT
+	    grantpt(p);
+#endif
+#ifdef HAVE_UNLOCKPT
+	    unlockpt(p);
+#endif
+	    strlcpy(line, ptsname(p), sizeof(Xline));
+	    really_stream = 1;
+	    return p;
+	}
+    }
+#endif /* STREAMSPTY */
+#ifndef _CRAY
+
+#ifndef	__hpux
+    snprintf(line, sizeof(Xline), "/dev/ptyXX");
+    p1 = &line[8];
+    p2 = &line[9];
+#else
+    snprintf(line, sizeof(Xline), "/dev/ptym/ptyXX");
+    p1 = &line[13];
+    p2 = &line[14];
+#endif
+
+	
+    for (cp = "pqrstuvwxyzPQRST"; *cp; cp++) {
+	struct stat stb;
+
+	*p1 = *cp;
+	*p2 = '0';
+	/*
+	 * This stat() check is just to keep us from
+	 * looping through all 256 combinations if there
+	 * aren't that many ptys available.
+	 */
+	if (stat(line, &stb) < 0)
+	    break;
+	for (i = 0; i < 16; i++) {
+	    *p2 = "0123456789abcdef"[i];
+	    p = open(line, O_RDWR);
+	    if (p > 0) {
+#ifndef	__hpux
+		line[5] = 't';
+#else
+		for (p1 = &line[8]; *p1; p1++)
+		    *p1 = *(p1+1);
+		line[9] = 't';
+#endif
+		chown(line, 0, 0);
+		chmod(line, 0600);
+#if SunOS == 40
+		if (ioctl(p, TIOCGPGRP, &dummy) == 0
+		    || errno != EIO) {
+		    chmod(line, 0666);
+		    close(p);
+		    line[5] = 'p';
+		} else
+#endif /* SunOS == 40 */
+		    return(p);
+	    }
+	}
+    }
+#else	/* CRAY */
+    extern lowpty, highpty;
+    struct stat sb;
+
+    for (*ptynum = lowpty; *ptynum <= highpty; (*ptynum)++) {
+	snprintf(myline, sizeof(myline), "/dev/pty/%03d", *ptynum);
+	p = open(myline, 2);
+	if (p < 0)
+	    continue;
+	snprintf(line, sizeof(Xline), "/dev/ttyp%03d", *ptynum);
+	/*
+	 * Here are some shenanigans to make sure that there
+	 * are no listeners lurking on the line.
+	 */
+	if(stat(line, &sb) < 0) {
+	    close(p);
+	    continue;
+	}
+	if(sb.st_uid || sb.st_gid || sb.st_mode != 0600) {
+	    chown(line, 0, 0);
+	    chmod(line, 0600);
+	    close(p);
+	    p = open(myline, 2);
+	    if (p < 0)
+		continue;
+	}
+	/*
+	 * Now it should be safe...check for accessability.
+	 */
+	if (access(line, 6) == 0)
+	    return(p);
+	else {
+	    /* no tty side to pty so skip it */
+	    close(p);
+	}
+    }
+#endif	/* CRAY */
+#endif	/* STREAMSPTY */
+#endif /* OPENPTY */
+    return(-1);
+#endif
+}
+
+
+int
+tty_isecho(void)
+{
+    return (termbuf.c_lflag & ECHO);
+}
+
+int
+tty_flowmode(void)
+{
+    return((termbuf.c_iflag & IXON) ? 1 : 0);
+}
+
+int
+tty_restartany(void)
+{
+    return((termbuf.c_iflag & IXANY) ? 1 : 0);
+}
+
+void
+tty_setecho(int on)
+{
+    if (on)
+	termbuf.c_lflag |= ECHO;
+    else
+	termbuf.c_lflag &= ~ECHO;
+}
+
+int
+tty_israw(void)
+{
+    return(!(termbuf.c_lflag & ICANON));
+}
+
+void
+tty_binaryin(int on)
+{
+    if (on) {
+	termbuf.c_iflag &= ~ISTRIP;
+    } else {
+	termbuf.c_iflag |= ISTRIP;
+    }
+}
+
+void
+tty_binaryout(int on)
+{
+    if (on) {
+	termbuf.c_cflag &= ~(CSIZE|PARENB);
+	termbuf.c_cflag |= CS8;
+	termbuf.c_oflag &= ~OPOST;
+    } else {
+	termbuf.c_cflag &= ~CSIZE;
+	termbuf.c_cflag |= CS7|PARENB;
+	termbuf.c_oflag |= OPOST;
+    }
+}
+
+int
+tty_isbinaryin(void)
+{
+    return(!(termbuf.c_iflag & ISTRIP));
+}
+
+int
+tty_isbinaryout(void)
+{
+    return(!(termbuf.c_oflag&OPOST));
+}
+
+
+int
+tty_issofttab(void)
+{
+# ifdef	OXTABS
+    return (termbuf.c_oflag & OXTABS);
+# endif
+# ifdef	TABDLY
+    return ((termbuf.c_oflag & TABDLY) == TAB3);
+# endif
+}
+
+void
+tty_setsofttab(int on)
+{
+    if (on) {
+# ifdef	OXTABS
+	termbuf.c_oflag |= OXTABS;
+# endif
+# ifdef	TABDLY
+	termbuf.c_oflag &= ~TABDLY;
+	termbuf.c_oflag |= TAB3;
+# endif
+    } else {
+# ifdef	OXTABS
+	termbuf.c_oflag &= ~OXTABS;
+# endif
+# ifdef	TABDLY
+	termbuf.c_oflag &= ~TABDLY;
+	termbuf.c_oflag |= TAB0;
+# endif
+    }
+}
+
+int
+tty_islitecho(void)
+{
+# ifdef	ECHOCTL
+    return (!(termbuf.c_lflag & ECHOCTL));
+# endif
+# ifdef	TCTLECH
+    return (!(termbuf.c_lflag & TCTLECH));
+# endif
+# if	!defined(ECHOCTL) && !defined(TCTLECH)
+    return (0);	/* assumes ctl chars are echoed '^x' */
+# endif
+}
+
+void
+tty_setlitecho(int on)
+{
+# ifdef	ECHOCTL
+    if (on)
+	termbuf.c_lflag &= ~ECHOCTL;
+    else
+	termbuf.c_lflag |= ECHOCTL;
+# endif
+# ifdef	TCTLECH
+    if (on)
+	termbuf.c_lflag &= ~TCTLECH;
+    else
+	termbuf.c_lflag |= TCTLECH;
+# endif
+}
+
+int
+tty_iscrnl(void)
+{
+    return (termbuf.c_iflag & ICRNL);
+}
+
+/*
+ * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD).
+ */
+#if B4800 != 4800
+#define	DECODE_BAUD
+#endif
+
+#ifdef	DECODE_BAUD
+
+/*
+ * A table of available terminal speeds
+ */
+struct termspeeds {
+    int	speed;
+    int	value;
+} termspeeds[] = {
+    { 0,      B0 },      { 50,    B50 },    { 75,     B75 },
+    { 110,    B110 },    { 134,   B134 },   { 150,    B150 },
+    { 200,    B200 },    { 300,   B300 },   { 600,    B600 },
+    { 1200,   B1200 },   { 1800,  B1800 },  { 2400,   B2400 },
+    { 4800,   B4800 },
+#ifdef	B7200
+    { 7200,  B7200 },
+#endif
+    { 9600,   B9600 },
+#ifdef	B14400
+    { 14400,  B14400 },
+#endif
+#ifdef	B19200
+    { 19200,  B19200 },
+#endif
+#ifdef	B28800
+    { 28800,  B28800 },
+#endif
+#ifdef	B38400
+    { 38400,  B38400 },
+#endif
+#ifdef	B57600
+    { 57600,  B57600 },
+#endif
+#ifdef	B115200
+    { 115200, B115200 },
+#endif
+#ifdef	B230400
+    { 230400, B230400 },
+#endif
+    { -1,     0 }
+};
+#endif	/* DECODE_BUAD */
+
+void
+tty_tspeed(int val)
+{
+#ifdef	DECODE_BAUD
+    struct termspeeds *tp;
+
+    for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++)
+	;
+    if (tp->speed == -1)	/* back up to last valid value */
+	--tp;
+    cfsetospeed(&termbuf, tp->value);
+#else	/* DECODE_BUAD */
+    cfsetospeed(&termbuf, val);
+#endif	/* DECODE_BUAD */
+}
+
+void
+tty_rspeed(int val)
+{
+#ifdef	DECODE_BAUD
+    struct termspeeds *tp;
+
+    for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++)
+	;
+    if (tp->speed == -1)	/* back up to last valid value */
+	--tp;
+    cfsetispeed(&termbuf, tp->value);
+#else	/* DECODE_BAUD */
+    cfsetispeed(&termbuf, val);
+#endif	/* DECODE_BAUD */
+}
+
+#ifdef PARENT_DOES_UTMP
+extern	struct utmp wtmp;
+extern char wtmpf[];
+
+extern void utmp_sig_init (void);
+extern void utmp_sig_reset (void);
+extern void utmp_sig_wait (void);
+extern void utmp_sig_notify (int);
+# endif /* PARENT_DOES_UTMP */
+
+#ifdef STREAMSPTY
+
+/* I_FIND seems to live a life of its own */
+static int my_find(int fd, char *module)
+{
+#if defined(I_FIND) && defined(I_LIST)
+    static int flag;
+    static struct str_list sl;
+    int n;
+    int i;
+  
+    if(!flag){
+	n = ioctl(fd, I_LIST, 0);
+	if(n < 0){
+	    perror("ioctl(fd, I_LIST, 0)");
+	    return -1;
+	}
+	sl.sl_modlist=(struct str_mlist*)malloc(n * sizeof(struct str_mlist));
+	sl.sl_nmods = n;
+	n = ioctl(fd, I_LIST, &sl);
+	if(n < 0){
+	    perror("ioctl(fd, I_LIST, n)");
+	    return -1;
+	}
+	flag = 1;
+    }
+  
+    for(i=0; i<sl.sl_nmods; i++)
+	if(!strcmp(sl.sl_modlist[i].l_name, module))
+	    return 1;
+#endif
+    return 0;
+}
+
+static void maybe_push_modules(int fd, char **modules)
+{
+    char **p;
+    int err;
+
+    for(p=modules; *p; p++){
+	err = my_find(fd, *p);
+	if(err == 1)
+	    break;
+	if(err < 0 && errno != EINVAL)
+	    fatalperror(net, "my_find()");
+	/* module not pushed or does not exist */
+    }
+    /* p points to null or to an already pushed module, now push all
+       modules before this one */
+  
+    for(p--; p >= modules; p--){
+	err = ioctl(fd, I_PUSH, *p);
+	if(err < 0 && errno != EINVAL)
+	    fatalperror(net, "I_PUSH");
+    }
+}
+#endif
+
+/*
+ * getptyslave()
+ *
+ * Open the slave side of the pty, and do any initialization
+ * that is necessary.  The return value is a file descriptor
+ * for the slave side.
+ */
+void getptyslave(void)
+{
+    int t = -1;
+
+    struct winsize ws;
+    extern int def_row, def_col;
+    extern int def_tspeed, def_rspeed;
+    /*
+     * Opening the slave side may cause initilization of the
+     * kernel tty structure.  We need remember the state of
+     * 	if linemode was turned on
+     *	terminal window size
+     *	terminal speed
+     * so that we can re-set them if we need to.
+     */
+
+
+    /*
+     * Make sure that we don't have a controlling tty, and
+     * that we are the session (process group) leader.
+     */
+
+#ifdef HAVE_SETSID
+    if(setsid()<0)
+	fatalperror(net, "setsid()");
+#else
+# ifdef	TIOCNOTTY
+    t = open(_PATH_TTY, O_RDWR);
+    if (t >= 0) {
+	ioctl(t, TIOCNOTTY, (char *)0);
+	close(t);
+    }
+# endif
+#endif
+
+# ifdef PARENT_DOES_UTMP
+    /*
+     * Wait for our parent to get the utmp stuff to get done.
+     */
+    utmp_sig_wait();
+# endif
+
+    t = cleanopen(line);
+    if (t < 0)
+	fatalperror(net, line);
+
+#ifdef  STREAMSPTY
+    ttyfd = t;
+	  
+
+    /*
+     * Not all systems have (or need) modules ttcompat and pckt so
+     * don't flag it as a fatal error if they don't exist.
+     */
+
+    if (really_stream)
+	{
+	    /* these are the streams modules that we want pushed. note
+	       that they are in reverse order, ptem will be pushed
+	       first. maybe_push_modules() will try to push all modules
+	       before the first one that isn't already pushed. i.e if
+	       ldterm is pushed, only ttcompat will be attempted.
+
+	       all this is because we don't know which modules are
+	       available, and we don't know which modules are already
+	       pushed (via autopush, for instance).
+
+	       */
+	     
+	    char *ttymodules[] = { "ttcompat", "ldterm", "ptem", NULL };
+	    char *ptymodules[] = { "pckt", NULL };
+
+	    maybe_push_modules(t, ttymodules);
+	    maybe_push_modules(ourpty, ptymodules);
+	}
+#endif
+    /*
+     * set up the tty modes as we like them to be.
+     */
+    init_termbuf();
+# ifdef	TIOCSWINSZ
+    if (def_row || def_col) {
+	memset(&ws, 0, sizeof(ws));
+	ws.ws_col = def_col;
+	ws.ws_row = def_row;
+	ioctl(t, TIOCSWINSZ, (char *)&ws);
+    }
+# endif
+
+    /*
+     * Settings for sgtty based systems
+     */
+
+    /*
+     * Settings for UNICOS (and HPUX)
+     */
+# if defined(_CRAY) || defined(__hpux)
+    termbuf.c_oflag = OPOST|ONLCR|TAB3;
+    termbuf.c_iflag = IGNPAR|ISTRIP|ICRNL|IXON;
+    termbuf.c_lflag = ISIG|ICANON|ECHO|ECHOE|ECHOK;
+    termbuf.c_cflag = EXTB|HUPCL|CS8;
+# endif
+
+    /*
+     * Settings for all other termios/termio based
+     * systems, other than 4.4BSD.  In 4.4BSD the
+     * kernel does the initial terminal setup.
+     */
+# if !(defined(_CRAY) || defined(__hpux)) && (BSD <= 43)
+#  ifndef	OXTABS
+#   define OXTABS	0
+#  endif
+    termbuf.c_lflag |= ECHO;
+    termbuf.c_oflag |= ONLCR|OXTABS;
+    termbuf.c_iflag |= ICRNL;
+    termbuf.c_iflag &= ~IXOFF;
+# endif
+    tty_rspeed((def_rspeed > 0) ? def_rspeed : 9600);
+    tty_tspeed((def_tspeed > 0) ? def_tspeed : 9600);
+
+    /*
+     * Set the tty modes, and make this our controlling tty.
+     */
+    set_termbuf();
+    if (login_tty(t) == -1)
+	fatalperror(net, "login_tty");
+    if (net > 2)
+	close(net);
+    if (ourpty > 2) {
+	close(ourpty);
+	ourpty = -1;
+    }
+}
+
+#ifndef	O_NOCTTY
+#define	O_NOCTTY	0
+#endif
+/*
+ * Open the specified slave side of the pty,
+ * making sure that we have a clean tty.
+ */
+
+int cleanopen(char *line)
+{
+    int t;
+
+#ifdef STREAMSPTY
+    if (!really_stream)
+#endif
+	{
+	    /*
+	     * Make sure that other people can't open the
+	     * slave side of the connection.
+	     */
+	    chown(line, 0, 0);
+	    chmod(line, 0600);
+	}
+
+#ifdef HAVE_REVOKE
+    revoke(line);
+#endif
+
+    t = open(line, O_RDWR|O_NOCTTY);
+
+    if (t < 0)
+	return(-1);
+
+    /*
+     * Hangup anybody else using this ttyp, then reopen it for
+     * ourselves.
+     */
+# if !(defined(_CRAY) || defined(__hpux)) && (BSD <= 43) && !defined(STREAMSPTY)
+    signal(SIGHUP, SIG_IGN);
+#ifdef HAVE_VHANGUP
+    vhangup();
+#else
+#endif
+    signal(SIGHUP, SIG_DFL);
+    t = open(line, O_RDWR|O_NOCTTY);
+    if (t < 0)
+	return(-1);
+# endif
+# if	defined(_CRAY) && defined(TCVHUP)
+    {
+	int i;
+	signal(SIGHUP, SIG_IGN);
+	ioctl(t, TCVHUP, (char *)0);
+	signal(SIGHUP, SIG_DFL);
+
+	i = open(line, O_RDWR);
+
+	if (i < 0)
+	    return(-1);
+	close(t);
+	t = i;
+    }
+# endif	/* defined(CRAY) && defined(TCVHUP) */
+    return(t);
+}
+
+#if !defined(BSD4_4)
+
+int login_tty(int t)
+{
+# if defined(TIOCSCTTY) && !defined(__hpux)
+    if (ioctl(t, TIOCSCTTY, (char *)0) < 0)
+	fatalperror(net, "ioctl(sctty)");
+#  ifdef _CRAY
+    /*
+     * Close the hard fd to /dev/ttypXXX, and re-open through
+     * the indirect /dev/tty interface.
+     */
+    close(t);
+    if ((t = open("/dev/tty", O_RDWR)) < 0)
+	fatalperror(net, "open(/dev/tty)");
+#  endif
+# else
+    /*
+     * We get our controlling tty assigned as a side-effect
+     * of opening up a tty device.  But on BSD based systems,
+     * this only happens if our process group is zero.  The
+     * setsid() call above may have set our pgrp, so clear
+     * it out before opening the tty...
+     */
+#ifdef HAVE_SETPGID
+    setpgid(0, 0);
+#else
+    setpgrp(0, 0); /* if setpgid isn't available, setpgrp
+		      probably takes arguments */
+#endif
+    close(open(line, O_RDWR));
+# endif
+    if (t != 0)
+	dup2(t, 0);
+    if (t != 1)
+	dup2(t, 1);
+    if (t != 2)
+	dup2(t, 2);
+    if (t > 2)
+	close(t);
+    return(0);
+}
+#endif	/* BSD <= 43 */
+
+/*
+ * This comes from ../../bsd/tty.c and should not really be here.
+ */
+
+/*
+ * Clean the tty name.  Return a pointer to the cleaned version.
+ */
+
+static char *
+clean_ttyname (char *tty)
+{
+  char *res = tty;
+
+  if (strncmp (res, _PATH_DEV, strlen(_PATH_DEV)) == 0)
+    res += strlen(_PATH_DEV);
+  if (strncmp (res, "pty/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "ptym/", 5) == 0)
+    res += 5;
+  return res;
+}
+
+/*
+ * Generate a name usable as an `ut_id', typically without `tty'.
+ */
+
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+static char *
+make_id (char *tty)
+{
+  char *res = tty;
+  
+  if (strncmp (res, "pts/", 4) == 0)
+    res += 4;
+  if (strncmp (res, "tty", 3) == 0)
+    res += 3;
+  return res;
+}
+#endif
+
+/*
+ * startslave(host)
+ *
+ * Given a hostname, do whatever
+ * is necessary to startup the login process on the slave side of the pty.
+ */
+
+/* ARGSUSED */
+void
+startslave(char *host, int autologin, char *autoname)
+{
+    int i;
+
+#ifdef AUTHENTICATION
+    if (!autoname || !autoname[0])
+	autologin = 0;
+
+    if (autologin < auth_level) {
+	fatal(net, "Authorization failed");
+	exit(1);
+    }
+#endif
+
+    {
+	char *tbuf =
+	    "\r\n*** Connection not encrypted! "
+	    "Communication may be eavesdropped. ***\r\n";
+#ifdef ENCRYPTION
+	if (!no_warn && (encrypt_output == 0 || decrypt_input == 0))
+#endif
+	    writenet((unsigned char*)tbuf, strlen(tbuf));
+    }
+# ifdef	PARENT_DOES_UTMP
+    utmp_sig_init();
+# endif	/* PARENT_DOES_UTMP */
+
+    if ((i = fork()) < 0)
+	fatalperror(net, "fork");
+    if (i) {
+# ifdef PARENT_DOES_UTMP
+	/*
+	 * Cray parent will create utmp entry for child and send
+	 * signal to child to tell when done.  Child waits for signal
+	 * before doing anything important.
+	 */
+	int pid = i;
+	void sigjob (int);
+
+	setpgrp();
+	utmp_sig_reset();		/* reset handler to default */
+	/*
+	 * Create utmp entry for child
+	 */
+	wtmp.ut_time = time(NULL);
+	wtmp.ut_type = LOGIN_PROCESS;
+	wtmp.ut_pid = pid;
+	strncpy(wtmp.ut_user,  "LOGIN", sizeof(wtmp.ut_user));
+	strncpy(wtmp.ut_host,  host, sizeof(wtmp.ut_host));
+	strncpy(wtmp.ut_line,  clean_ttyname(line), sizeof(wtmp.ut_line));
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+	strncpy(wtmp.ut_id, wtmp.ut_line + 3, sizeof(wtmp.ut_id));
+#endif
+
+	pututline(&wtmp);
+	endutent();
+	if ((i = open(wtmpf, O_WRONLY|O_APPEND)) >= 0) {
+	    write(i, &wtmp, sizeof(struct utmp));
+	    close(i);
+	}
+#ifdef	_CRAY
+	signal(WJSIGNAL, sigjob);
+#endif
+	utmp_sig_notify(pid);
+# endif	/* PARENT_DOES_UTMP */
+    } else {
+	getptyslave();
+	start_login(host, autologin, autoname);
+	/*NOTREACHED*/
+    }
+}
+
+char	*envinit[3];
+extern char **environ;
+
+void
+init_env(void)
+{
+    extern char *getenv(const char *);
+    char **envp;
+
+    envp = envinit;
+    if ((*envp = getenv("TZ")))
+	*envp++ -= 3;
+#if defined(_CRAY) || defined(__hpux)
+    else
+	*envp++ = "TZ=GMT0";
+#endif
+    *envp = 0;
+    environ = envinit;
+}
+
+/*
+ * scrub_env()
+ *
+ * We only accept the environment variables listed below.
+ */
+
+static void
+scrub_env(void)
+{
+    static const char *reject[] = {
+	"TERMCAP=/",
+	NULL
+    };
+
+    static const char *accept[] = {
+	"XAUTH=", "XAUTHORITY=", "DISPLAY=",
+	"TERM=",
+	"EDITOR=",
+	"PAGER=",
+	"PRINTER=",
+	"LOGNAME=",
+	"POSIXLY_CORRECT=",
+	"TERMCAP=",
+	NULL
+    };
+
+    char **cpp, **cpp2;
+    const char **p;
+  
+    for (cpp2 = cpp = environ; *cpp; cpp++) {
+	int reject_it = 0;
+
+	for(p = reject; *p; p++)
+	    if(strncmp(*cpp, *p, strlen(*p)) == 0) {
+		reject_it = 1;
+		break;
+	    }
+	if (reject_it)
+	    continue;
+
+	for(p = accept; *p; p++)
+	    if(strncmp(*cpp, *p, strlen(*p)) == 0)
+		break;
+	if(*p != NULL)
+	    *cpp2++ = *cpp;
+    }
+    *cpp2 = NULL;
+}
+
+
+struct arg_val {
+    int size;
+    int argc;
+    char **argv;
+};
+
+static int addarg(struct arg_val*, char*);
+
+/*
+ * start_login(host)
+ *
+ * Assuming that we are now running as a child processes, this
+ * function will turn us into the login process.
+ */
+
+void
+start_login(char *host, int autologin, char *name)
+{
+    struct arg_val argv;
+    char *user;
+
+#ifdef HAVE_UTMPX_H
+    int pid = getpid();
+    struct utmpx utmpx;
+    char *clean_tty;
+
+    /*
+     * Create utmp entry for child
+     */
+
+    clean_tty = clean_ttyname(line);
+    memset(&utmpx, 0, sizeof(utmpx));
+    strncpy(utmpx.ut_user,  ".telnet", sizeof(utmpx.ut_user));
+    strncpy(utmpx.ut_line,  clean_tty, sizeof(utmpx.ut_line));
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+    strncpy(utmpx.ut_id, make_id(clean_tty), sizeof(utmpx.ut_id));
+#endif
+    utmpx.ut_pid = pid;
+	
+    utmpx.ut_type = LOGIN_PROCESS;
+
+    gettimeofday (&utmpx.ut_tv, NULL);
+    if (pututxline(&utmpx) == NULL)
+	fatal(net, "pututxline failed");
+#endif
+
+    scrub_env();
+	
+    /*
+     * -h : pass on name of host.
+     *		WARNING:  -h is accepted by login if and only if
+     *			getuid() == 0.
+     * -p : don't clobber the environment (so terminal type stays set).
+     *
+     * -f : force this login, he has already been authenticated
+     */
+
+    /* init argv structure */ 
+    argv.size=0;
+    argv.argc=0;
+    argv.argv=(char**)malloc(0); /*so we can call realloc later */
+    addarg(&argv, "login");
+    addarg(&argv, "-h");
+    addarg(&argv, host);
+    addarg(&argv, "-p");
+    if(name[0])
+	user = name;
+    else
+	user = getenv("USER");
+#ifdef AUTHENTICATION
+    if (auth_level < 0 || autologin != AUTH_VALID) {
+	if(!no_warn) {
+	    printf("User not authenticated. ");
+	    if (require_otp)
+		printf("Using one-time password\r\n");
+	    else
+		printf("Using plaintext username and password\r\n");
+	}
+	if (require_otp) {
+	    addarg(&argv, "-a");
+	    addarg(&argv, "otp");
+	}
+	if(log_unauth) 
+	    syslog(LOG_INFO, "unauthenticated access from %s (%s)", 
+		   host, user ? user : "unknown user");
+    }
+    if (auth_level >= 0 && autologin == AUTH_VALID)
+	addarg(&argv, "-f");
+#endif
+    if(user){
+	addarg(&argv, "--");
+	addarg(&argv, strdup(user));
+    }
+    if (getenv("USER")) {
+	/*
+	 * Assume that login will set the USER variable
+	 * correctly.  For SysV systems, this means that
+	 * USER will no longer be set, just LOGNAME by
+	 * login.  (The problem is that if the auto-login
+	 * fails, and the user then specifies a different
+	 * account name, he can get logged in with both
+	 * LOGNAME and USER in his environment, but the
+	 * USER value will be wrong.
+	 */
+	unsetenv("USER");
+    }
+    closelog();
+    /*
+     * This sleep(1) is in here so that telnetd can
+     * finish up with the tty.  There's a race condition
+     * the login banner message gets lost...
+     */
+    sleep(1);
+
+    execv(new_login, argv.argv);
+
+    syslog(LOG_ERR, "%s: %m\n", new_login);
+    fatalperror(net, new_login);
+    /*NOTREACHED*/
+}
+
+
+
+static int addarg(struct arg_val *argv, char *val)
+{
+    if(argv->size <= argv->argc+1){
+	argv->argv = (char**)realloc(argv->argv, sizeof(char*) * (argv->size + 10));
+	if(argv->argv == NULL)
+	    return 1; /* this should probably be handled better */
+	argv->size+=10;
+    }
+    argv->argv[argv->argc++]=val;
+    argv->argv[argv->argc]=NULL;
+    return 0;
+}
+
+
+/*
+ * rmut()
+ *
+ * This is the function called by cleanup() to
+ * remove the utmp entry for this person.
+ */
+
+#ifdef HAVE_UTMPX_H
+static void
+rmut(void)
+{
+    struct utmpx utmpx, *non_save_utxp;
+    char *clean_tty = clean_ttyname(line);
+
+    /*
+     * This updates the utmpx and utmp entries and make a wtmp/x entry
+     */
+
+    setutxent();
+    memset(&utmpx, 0, sizeof(utmpx));
+    strncpy(utmpx.ut_line, clean_tty, sizeof(utmpx.ut_line));
+    utmpx.ut_type = LOGIN_PROCESS;
+    non_save_utxp = getutxline(&utmpx);
+    if (non_save_utxp) {
+	struct utmpx *utxp;
+	char user0;
+
+	utxp = malloc(sizeof(struct utmpx));
+	*utxp = *non_save_utxp;
+	user0 = utxp->ut_user[0];
+	utxp->ut_user[0] = '\0';
+	utxp->ut_type = DEAD_PROCESS;
+#ifdef HAVE_STRUCT_UTMPX_UT_EXIT
+#ifdef _STRUCT___EXIT_STATUS
+	utxp->ut_exit.__e_termination = 0;
+	utxp->ut_exit.__e_exit = 0;
+#elif defined(__osf__) /* XXX */
+	utxp->ut_exit.ut_termination = 0;
+	utxp->ut_exit.ut_exit = 0;
+#else	
+	utxp->ut_exit.e_termination = 0;
+	utxp->ut_exit.e_exit = 0;
+#endif
+#endif
+	gettimeofday(&utxp->ut_tv, NULL);
+	pututxline(utxp);
+#ifdef WTMPX_FILE
+	utxp->ut_user[0] = user0;
+	updwtmpx(WTMPX_FILE, utxp);
+#elif defined(WTMP_FILE)
+	/* This is a strange system with a utmpx and a wtmp! */
+	{
+	  int f = open(wtmpf, O_WRONLY|O_APPEND);
+	  struct utmp wtmp;
+	  if (f >= 0) {
+	    strncpy(wtmp.ut_line,  clean_tty, sizeof(wtmp.ut_line));
+	    strncpy(wtmp.ut_name,  "", sizeof(wtmp.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+	    strncpy(wtmp.ut_host,  "", sizeof(wtmp.ut_host));
+#endif
+	    wtmp.ut_time = time(NULL);
+	    write(f, &wtmp, sizeof(wtmp));
+	    close(f);
+	  }
+	}
+#endif
+	free (utxp);
+    }
+    endutxent();
+}  /* end of rmut */
+#endif
+
+#if !defined(HAVE_UTMPX_H) && !(defined(_CRAY) || defined(__hpux)) && BSD <= 43
+static void
+rmut(void)
+{
+    int f;
+    int found = 0;
+    struct utmp *u, *utmp;
+    int nutmp;
+    struct stat statbf;
+    char *clean_tty = clean_ttyname(line);
+
+    f = open(utmpf, O_RDWR);
+    if (f >= 0) {
+	fstat(f, &statbf);
+	utmp = (struct utmp *)malloc((unsigned)statbf.st_size);
+	if (!utmp)
+	    syslog(LOG_ERR, "utmp malloc failed");
+	if (statbf.st_size && utmp) {
+	    nutmp = read(f, utmp, (int)statbf.st_size);
+	    nutmp /= sizeof(struct utmp);
+
+	    for (u = utmp ; u < &utmp[nutmp] ; u++) {
+		if (strncmp(u->ut_line,
+			    clean_tty,
+			    sizeof(u->ut_line)) ||
+		    u->ut_name[0]==0)
+		    continue;
+		lseek(f, ((long)u)-((long)utmp), L_SET);
+		strncpy(u->ut_name,  "", sizeof(u->ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+		strncpy(u->ut_host,  "", sizeof(u->ut_host));
+#endif
+		u->ut_time = time(NULL);
+		write(f, u, sizeof(wtmp));
+		found++;
+	    }
+	}
+	close(f);
+    }
+    if (found) {
+	f = open(wtmpf, O_WRONLY|O_APPEND);
+	if (f >= 0) {
+	    strncpy(wtmp.ut_line,  clean_tty, sizeof(wtmp.ut_line));
+	    strncpy(wtmp.ut_name,  "", sizeof(wtmp.ut_name));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+	    strncpy(wtmp.ut_host,  "", sizeof(wtmp.ut_host));
+#endif
+	    wtmp.ut_time = time(NULL);
+	    write(f, &wtmp, sizeof(wtmp));
+	    close(f);
+	}
+    }
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    line[strlen("/dev/")] = 'p';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+}  /* end of rmut */
+#endif	/* CRAY */
+
+#if defined(__hpux) && !defined(HAVE_UTMPX_H)
+static void
+rmut (char *line)
+{
+    struct utmp utmp;
+    struct utmp *utptr;
+    int fd;			/* for /etc/wtmp */
+
+    utmp.ut_type = USER_PROCESS;
+    strncpy(utmp.ut_line, clean_ttyname(line), sizeof(utmp.ut_line));
+    setutent();
+    utptr = getutline(&utmp);
+    /* write it out only if it exists */
+    if (utptr) {
+	utptr->ut_type = DEAD_PROCESS;
+	utptr->ut_time = time(NULL);
+	pututline(utptr);
+	/* set wtmp entry if wtmp file exists */
+	if ((fd = open(wtmpf, O_WRONLY | O_APPEND)) >= 0) {
+	    write(fd, utptr, sizeof(utmp));
+	    close(fd);
+	}
+    }
+    endutent();
+
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    line[14] = line[13];
+    line[13] = line[12];
+    line[8] = 'm';
+    line[9] = '/';
+    line[10] = 'p';
+    line[11] = 't';
+    line[12] = 'y';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+}
+#endif
+
+/*
+ * cleanup()
+ *
+ * This is the routine to call when we are all through, to
+ * clean up anything that needs to be cleaned up.
+ */
+
+#ifdef PARENT_DOES_UTMP
+
+void
+cleanup(int sig)
+{
+#ifdef _CRAY
+    static int incleanup = 0;
+    int t;
+    int child_status; /* status of child process as returned by waitpid */
+    int flags = WNOHANG|WUNTRACED;
+    
+    /*
+     * 1: Pick up the zombie, if we are being called
+     *    as the signal handler.
+     * 2: If we are a nested cleanup(), return.
+     * 3: Try to clean up TMPDIR.
+     * 4: Fill in utmp with shutdown of process.
+     * 5: Close down the network and pty connections.
+     * 6: Finish up the TMPDIR cleanup, if needed.
+     */
+    if (sig == SIGCHLD) {
+	while (waitpid(-1, &child_status, flags) > 0)
+	    ;	/* VOID */
+	/* Check if the child process was stopped
+	 * rather than exited.  We want cleanup only if
+	 * the child has died.
+	 */
+	if (WIFSTOPPED(child_status)) {
+	    return;
+	}
+    }
+    t = sigblock(sigmask(SIGCHLD));
+    if (incleanup) {
+	sigsetmask(t);
+	return;
+    }
+    incleanup = 1;
+    sigsetmask(t);
+    
+    t = cleantmp(&wtmp);
+    setutent();	/* just to make sure */
+#endif /* CRAY */
+    rmut(line);
+    close(ourpty);
+    shutdown(net, 2);
+#ifdef _CRAY
+    if (t == 0)
+	cleantmp(&wtmp);
+#endif /* CRAY */
+    exit(1);
+}
+
+#else /* PARENT_DOES_UTMP */
+
+void
+cleanup(int sig)
+{
+#if defined(HAVE_UTMPX_H) || !defined(HAVE_LOGWTMP)
+    rmut();
+#ifdef HAVE_VHANGUP
+#ifndef __sgi
+    vhangup(); /* XXX */
+#endif
+#endif
+#else
+    char *p;
+    
+    p = line + sizeof("/dev/") - 1;
+    if (logout(p))
+	logwtmp(p, "", "");
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    *p = 'p';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+#endif
+    shutdown(net, 2);
+    exit(1);
+}
+
+#endif /* PARENT_DOES_UTMP */
+
+#ifdef PARENT_DOES_UTMP
+/*
+ * _utmp_sig_rcv
+ * utmp_sig_init
+ * utmp_sig_wait
+ *	These three functions are used to coordinate the handling of
+ *	the utmp file between the server and the soon-to-be-login shell.
+ *	The server actually creates the utmp structure, the child calls
+ *	utmp_sig_wait(), until the server calls utmp_sig_notify() and
+ *	signals the future-login shell to proceed.
+ */
+static int caught=0;		/* NZ when signal intercepted */
+static void (*func)();		/* address of previous handler */
+
+void
+_utmp_sig_rcv(sig)
+     int sig;
+{
+    caught = 1;
+    signal(SIGUSR1, func);
+}
+
+void
+utmp_sig_init()
+{
+    /*
+     * register signal handler for UTMP creation
+     */
+    if ((int)(func = signal(SIGUSR1, _utmp_sig_rcv)) == -1)
+	fatalperror(net, "telnetd/signal");
+}
+
+void
+utmp_sig_reset()
+{
+    signal(SIGUSR1, func);	/* reset handler to default */
+}
+
+# ifdef __hpux
+# define sigoff() /* do nothing */
+# define sigon() /* do nothing */
+# endif
+
+void
+utmp_sig_wait()
+{
+    /*
+     * Wait for parent to write our utmp entry.
+	 */
+    sigoff();
+    while (caught == 0) {
+	pause();	/* wait until we get a signal (sigon) */
+	sigoff();	/* turn off signals while we check caught */
+    }
+    sigon();		/* turn on signals again */
+}
+
+void
+utmp_sig_notify(pid)
+{
+    kill(pid, SIGUSR1);
+}
+
+#ifdef _CRAY
+static int gotsigjob = 0;
+
+	/*ARGSUSED*/
+void
+sigjob(sig)
+     int sig;
+{
+    int jid;
+    struct jobtemp *jp;
+
+    while ((jid = waitjob(NULL)) != -1) {
+	if (jid == 0) {
+	    return;
+	}
+	gotsigjob++;
+	jobend(jid, NULL, NULL);
+    }
+}
+
+/*
+ *	jid_getutid:
+ *		called by jobend() before calling cleantmp()
+ *		to find the correct $TMPDIR to cleanup.
+ */
+
+struct utmp *
+jid_getutid(jid)
+     int jid;
+{
+    struct utmp *cur = NULL;
+
+    setutent();	/* just to make sure */
+    while (cur = getutent()) {
+	if ( (cur->ut_type != NULL) && (jid == cur->ut_jid) ) {
+	    return(cur);
+	}
+    }
+
+    return(0);
+}
+
+/*
+ * Clean up the TMPDIR that login created.
+ * The first time this is called we pick up the info
+ * from the utmp.  If the job has already gone away,
+ * then we'll clean up and be done.  If not, then
+ * when this is called the second time it will wait
+ * for the signal that the job is done.
+ */
+int
+cleantmp(wtp)
+     struct utmp *wtp;
+{
+    struct utmp *utp;
+    static int first = 1;
+    int mask, omask, ret;
+    extern struct utmp *getutid (const struct utmp *_Id);
+
+
+    mask = sigmask(WJSIGNAL);
+
+    if (first == 0) {
+	omask = sigblock(mask);
+	while (gotsigjob == 0)
+	    sigpause(omask);
+	return(1);
+    }
+    first = 0;
+    setutent();	/* just to make sure */
+
+    utp = getutid(wtp);
+    if (utp == 0) {
+	syslog(LOG_ERR, "Can't get /etc/utmp entry to clean TMPDIR");
+	return(-1);
+    }
+    /*
+     * Nothing to clean up if the user shell was never started.
+     */
+    if (utp->ut_type != USER_PROCESS || utp->ut_jid == 0)
+	return(1);
+
+    /*
+     * Block the WJSIGNAL while we are in jobend().
+     */
+    omask = sigblock(mask);
+    ret = jobend(utp->ut_jid, utp->ut_tpath, utp->ut_user);
+    sigsetmask(omask);
+    return(ret);
+}
+
+int
+jobend(jid, path, user)
+     int jid;
+     char *path;
+     char *user;
+{
+    static int saved_jid = 0;
+    static int pty_saved_jid = 0;
+    static char saved_path[sizeof(wtmp.ut_tpath)+1];
+    static char saved_user[sizeof(wtmp.ut_user)+1];
+
+    /*
+     * this little piece of code comes into play
+     * only when ptyreconnect is used to reconnect
+     * to an previous session.
+     *
+     * this is the only time when the
+     * "saved_jid != jid" code is executed.
+     */
+
+    if ( saved_jid && saved_jid != jid ) {
+	if (!path) {	/* called from signal handler */
+	    pty_saved_jid = jid;
+	} else {
+	    pty_saved_jid = saved_jid;
+	}
+    }
+
+    if (path) {
+	strncpy(saved_path, path, sizeof(wtmp.ut_tpath));
+	strncpy(saved_user, user, sizeof(wtmp.ut_user));
+	saved_path[sizeof(saved_path)] = '\0';
+	saved_user[sizeof(saved_user)] = '\0';
+    }
+    if (saved_jid == 0) {
+	saved_jid = jid;
+	return(0);
+    }
+
+    /* if the jid has changed, get the correct entry from the utmp file */
+
+    if ( saved_jid != jid ) {
+	struct utmp *utp = NULL;
+	struct utmp *jid_getutid();
+
+	utp = jid_getutid(pty_saved_jid);
+
+	if (utp == 0) {
+	    syslog(LOG_ERR, "Can't get /etc/utmp entry to clean TMPDIR");
+	    return(-1);
+	}
+
+	cleantmpdir(jid, utp->ut_tpath, utp->ut_user);
+	return(1);
+    }
+
+    cleantmpdir(jid, saved_path, saved_user);
+    return(1);
+}
+
+/*
+ * Fork a child process to clean up the TMPDIR
+ */
+cleantmpdir(jid, tpath, user)
+     int jid;
+     char *tpath;
+     char *user;
+{
+    switch(fork()) {
+    case -1:
+	syslog(LOG_ERR, "TMPDIR cleanup(%s): fork() failed: %m\n",
+	       tpath);
+	break;
+    case 0:
+	execl(CLEANTMPCMD, CLEANTMPCMD, user, tpath, 0);
+	syslog(LOG_ERR, "TMPDIR cleanup(%s): execl(%s) failed: %m\n",
+	       tpath, CLEANTMPCMD);
+	exit(1);
+    default:
+	/*
+	 * Forget about child.  We will exit, and
+	 * /etc/init will pick it up.
+	 */
+	break;
+    }
+}
+#endif /* CRAY */
+#endif	/* defined(PARENT_DOES_UTMP) */
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c b/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c
new file mode 100644
index 0000000..0c2750e
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/telnetd.c
@@ -0,0 +1,1399 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: telnetd.c,v 1.58.2.1 2000/10/10 13:12:08 assar Exp $");
+
+#ifdef _SC_CRAY_SECURE_SYS
+#include <sys/sysv.h>
+#include <sys/secdev.h>
+#include <sys/secparm.h>
+#include <sys/usrv.h>
+int	secflag;
+char	tty_dev[16];
+struct	secdev dv;
+struct	sysv sysv;
+struct	socksec ss;
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+#ifdef AUTHENTICATION
+int	auth_level = 0;
+#endif
+
+extern	int utmp_len;
+int	registerd_host_only = 0;
+
+#ifdef	STREAMSPTY
+# include <stropts.h>
+# include <termios.h>
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif /* HAVE_SYS_UIO_H */
+#ifdef HAVE_SYS_STREAM_H
+#include <sys/stream.h>
+#endif
+#ifdef _AIX
+#include <sys/termio.h>
+#endif
+# ifdef HAVE_SYS_STRTTY_H
+# include <sys/strtty.h>
+# endif
+# ifdef HAVE_SYS_STR_TTY_H
+# include <sys/str_tty.h>
+# endif
+/* make sure we don't get the bsd version */
+/* what is this here for? solaris? /joda */
+# ifdef HAVE_SYS_TTY_H
+# include "/usr/include/sys/tty.h"
+# endif
+# ifdef HAVE_SYS_PTYVAR_H
+# include <sys/ptyvar.h>
+# endif
+
+/*
+ * Because of the way ptyibuf is used with streams messages, we need
+ * ptyibuf+1 to be on a full-word boundary.  The following wierdness
+ * is simply to make that happen.
+ */
+long	ptyibufbuf[BUFSIZ/sizeof(long)+1];
+char	*ptyibuf = ((char *)&ptyibufbuf[1])-1;
+char	*ptyip = ((char *)&ptyibufbuf[1])-1;
+char	ptyibuf2[BUFSIZ];
+unsigned char ctlbuf[BUFSIZ];
+struct	strbuf strbufc, strbufd;
+
+int readstream(int, char*, int);
+
+#else	/* ! STREAMPTY */
+
+/*
+ * I/O data buffers,
+ * pointers, and counters.
+ */
+char	ptyibuf[BUFSIZ], *ptyip = ptyibuf;
+char	ptyibuf2[BUFSIZ];
+
+#endif /* ! STREAMPTY */
+
+int	hostinfo = 1;			/* do we print login banner? */
+
+#ifdef	_CRAY
+extern int      newmap; /* nonzero if \n maps to ^M^J */
+int	lowpty = 0, highpty;	/* low, high pty numbers */
+#endif /* CRAY */
+
+int debug = 0;
+int keepalive = 1;
+char *progname;
+
+static void usage (void);
+
+/*
+ * The string to pass to getopt().  We do it this way so
+ * that only the actual options that we support will be
+ * passed off to getopt().
+ */
+char valid_opts[] = "Bd:hklnS:u:UL:y"
+#ifdef AUTHENTICATION
+		    "a:X:z"
+#endif
+#ifdef DIAGNOSTICS
+		    "D:"
+#endif
+#ifdef _CRAY
+		    "r:"
+#endif
+		    ;
+
+static void doit(struct sockaddr*, int);
+
+int
+main(int argc, char **argv)
+{
+    struct sockaddr_storage __ss;
+    struct sockaddr *sa = (struct sockaddr *)&__ss;
+    int on = 1, sa_size;
+    int ch;
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+    int tos = -1;
+#endif
+#ifdef ENCRYPTION
+    extern int des_check_key;
+    des_check_key = 1;	/* Kludge for Mac NCSA telnet 2.6 /bg */
+#endif
+    pfrontp = pbackp = ptyobuf;
+    netip = netibuf;
+    nfrontp = nbackp = netobuf;
+
+    progname = *argv;
+#ifdef ENCRYPTION
+    nclearto = 0;
+#endif
+
+#ifdef _CRAY
+    /*
+     * Get number of pty's before trying to process options,
+     * which may include changing pty range.
+     */
+    highpty = getnpty();
+#endif /* CRAY */
+
+    while ((ch = getopt(argc, argv, valid_opts)) != -1) {
+	switch(ch) {
+
+#ifdef	AUTHENTICATION
+	case 'a':
+	    /*
+	     * Check for required authentication level
+	     */
+	    if (strcmp(optarg, "debug") == 0) {
+		auth_debug_mode = 1;
+	    } else if (strcasecmp(optarg, "none") == 0) {
+		auth_level = 0;
+	    } else if (strcasecmp(optarg, "otp") == 0) {
+		auth_level = 0;
+		require_otp = 1;
+	    } else if (strcasecmp(optarg, "other") == 0) {
+		auth_level = AUTH_OTHER;
+	    } else if (strcasecmp(optarg, "user") == 0) {
+		auth_level = AUTH_USER;
+	    } else if (strcasecmp(optarg, "valid") == 0) {
+		auth_level = AUTH_VALID;
+	    } else if (strcasecmp(optarg, "off") == 0) {
+		/*
+		 * This hack turns off authentication
+		 */
+		auth_level = -1;
+	    } else {
+		fprintf(stderr,
+			"telnetd: unknown authorization level for -a\n");
+	    }
+	    break;
+#endif	/* AUTHENTICATION */
+
+	case 'B': /* BFTP mode is not supported any more */
+	    break;
+	case 'd':
+	    if (strcmp(optarg, "ebug") == 0) {
+		debug++;
+		break;
+	    }
+	    usage();
+	    /* NOTREACHED */
+	    break;
+
+#ifdef DIAGNOSTICS
+	case 'D':
+	    /*
+	     * Check for desired diagnostics capabilities.
+	     */
+	    if (!strcmp(optarg, "report")) {
+		diagnostic |= TD_REPORT|TD_OPTIONS;
+	    } else if (!strcmp(optarg, "exercise")) {
+		diagnostic |= TD_EXERCISE;
+	    } else if (!strcmp(optarg, "netdata")) {
+		diagnostic |= TD_NETDATA;
+	    } else if (!strcmp(optarg, "ptydata")) {
+		diagnostic |= TD_PTYDATA;
+	    } else if (!strcmp(optarg, "options")) {
+		diagnostic |= TD_OPTIONS;
+	    } else {
+		usage();
+		/* NOT REACHED */
+	    }
+	    break;
+#endif /* DIAGNOSTICS */
+
+
+	case 'h':
+	    hostinfo = 0;
+	    break;
+
+	case 'k': /* Linemode is not supported any more */
+	case 'l':
+	    break;
+
+	case 'n':
+	    keepalive = 0;
+	    break;
+
+#ifdef _CRAY
+	case 'r':
+	    {
+		char *strchr();
+		char *c;
+
+		/*
+		 * Allow the specification of alterations
+		 * to the pty search range.  It is legal to
+		 * specify only one, and not change the
+		 * other from its default.
+		 */
+		c = strchr(optarg, '-');
+		if (c) {
+		    *c++ = '\0';
+		    highpty = atoi(c);
+		}
+		if (*optarg != '\0')
+		    lowpty = atoi(optarg);
+		if ((lowpty > highpty) || (lowpty < 0) ||
+		    (highpty > 32767)) {
+		    usage();
+		    /* NOT REACHED */
+		}
+		break;
+	    }
+#endif	/* CRAY */
+
+	case 'S':
+#ifdef	HAVE_PARSETOS
+	    if ((tos = parsetos(optarg, "tcp")) < 0)
+		fprintf(stderr, "%s%s%s\n",
+			"telnetd: Bad TOS argument '", optarg,
+			"'; will try to use default TOS");
+#else
+	    fprintf(stderr, "%s%s\n", "TOS option unavailable; ",
+		    "-S flag not supported\n");
+#endif
+	    break;
+
+	case 'u':
+	    utmp_len = atoi(optarg);
+	    break;
+
+	case 'U':
+	    registerd_host_only = 1;
+	    break;
+
+#ifdef	AUTHENTICATION
+	case 'X':
+	    /*
+	     * Check for invalid authentication types
+	     */
+	    auth_disable_name(optarg);
+	    break;
+#endif
+	case 'y':
+	    no_warn = 1;
+	    break;
+#ifdef AUTHENTICATION
+	case 'z':
+	    log_unauth = 1;
+	    break;
+
+#endif	/* AUTHENTICATION */
+
+	case 'L':
+	    new_login = optarg;
+	    break;
+			
+	default:
+	    fprintf(stderr, "telnetd: %c: unknown option\n", ch);
+	    /* FALLTHROUGH */
+	case '?':
+	    usage();
+	    /* NOTREACHED */
+	}
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (debug) {
+	int port = 0;
+	struct servent *sp;
+
+	if (argc > 1) {
+	    usage ();
+	} else if (argc == 1) {
+	    sp = roken_getservbyname (*argv, "tcp");
+	    if (sp)
+		port = sp->s_port;
+	    else
+		port = htons(atoi(*argv));
+	} else {
+#ifdef KRB5
+	    port = krb5_getportbyname (NULL, "telnet", "tcp", 23);
+#else
+	    port = k_getportbyname("telnet", "tcp", htons(23));
+#endif
+	}
+	mini_inetd (port);
+    } else if (argc > 0) {
+	usage();
+	/* NOT REACHED */
+    }
+
+#ifdef _SC_CRAY_SECURE_SYS
+    secflag = sysconf(_SC_CRAY_SECURE_SYS);
+
+    /*
+     *	Get socket's security label
+     */
+    if (secflag)  {
+	int szss = sizeof(ss);
+	int sock_multi;
+	int szi = sizeof(int);
+
+	memset(&dv, 0, sizeof(dv));
+
+	if (getsysv(&sysv, sizeof(struct sysv)) != 0) 
+	    fatalperror(net, "getsysv");
+
+	/*
+	 *	Get socket security label and set device values
+	 *	   {security label to be set on ttyp device}
+	 */
+#ifdef SO_SEC_MULTI			/* 8.0 code */
+	if ((getsockopt(0, SOL_SOCKET, SO_SECURITY,
+			(void *)&ss, &szss) < 0) ||
+	    (getsockopt(0, SOL_SOCKET, SO_SEC_MULTI,
+			(void *)&sock_multi, &szi) < 0)) 
+	    fatalperror(net, "getsockopt");
+	else {
+	    dv.dv_actlvl = ss.ss_actlabel.lt_level;
+	    dv.dv_actcmp = ss.ss_actlabel.lt_compart;
+	    if (!sock_multi) {
+		dv.dv_minlvl = dv.dv_maxlvl = dv.dv_actlvl;
+		dv.dv_valcmp = dv.dv_actcmp;
+	    } else {
+		dv.dv_minlvl = ss.ss_minlabel.lt_level;
+		dv.dv_maxlvl = ss.ss_maxlabel.lt_level;
+		dv.dv_valcmp = ss.ss_maxlabel.lt_compart;
+	    }
+	    dv.dv_devflg = 0;
+	}
+#else /* SO_SEC_MULTI */		/* 7.0 code */
+	if (getsockopt(0, SOL_SOCKET, SO_SECURITY,
+		       (void *)&ss, &szss) >= 0) {
+	    dv.dv_actlvl = ss.ss_slevel;
+	    dv.dv_actcmp = ss.ss_compart;
+	    dv.dv_minlvl = ss.ss_minlvl;
+	    dv.dv_maxlvl = ss.ss_maxlvl;
+	    dv.dv_valcmp = ss.ss_maxcmp;
+	}
+#endif /* SO_SEC_MULTI */
+    }
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+    roken_openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON);
+    sa_size = sizeof (__ss);
+    if (getpeername(STDIN_FILENO, sa, &sa_size) < 0) {
+	fprintf(stderr, "%s: ", progname);
+	perror("getpeername");
+	_exit(1);
+    }
+    if (keepalive &&
+	setsockopt(STDIN_FILENO, SOL_SOCKET, SO_KEEPALIVE,
+		   (void *)&on, sizeof (on)) < 0) {
+	syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
+    }
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+    {
+# ifdef HAVE_GETTOSBYNAME
+	struct tosent *tp;
+	if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+	    tos = tp->t_tos;
+# endif
+	if (tos < 0)
+	    tos = 020;	/* Low Delay bit */
+	if (tos
+	    && sa->sa_family == AF_INET
+	    && (setsockopt(STDIN_FILENO, IPPROTO_IP, IP_TOS,
+			   (void *)&tos, sizeof(tos)) < 0)
+	    && (errno != ENOPROTOOPT) )
+	    syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+    }
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+    net = STDIN_FILENO;
+    doit(sa, sa_size);
+    /* NOTREACHED */
+    return 0;
+}  /* end of main */
+
+static void
+usage(void)
+{
+    fprintf(stderr, "Usage: telnetd");
+#ifdef	AUTHENTICATION
+    fprintf(stderr, " [-a (debug|other|otp|user|valid|off|none)]\n\t");
+#endif
+    fprintf(stderr, " [-debug]");
+#ifdef DIAGNOSTICS
+    fprintf(stderr, " [-D (options|report|exercise|netdata|ptydata)]\n\t");
+#endif
+#ifdef	AUTHENTICATION
+    fprintf(stderr, " [-edebug]");
+#endif
+    fprintf(stderr, " [-h]");
+    fprintf(stderr, " [-L login]");
+    fprintf(stderr, " [-n]");
+#ifdef	_CRAY
+    fprintf(stderr, " [-r[lowpty]-[highpty]]");
+#endif
+    fprintf(stderr, "\n\t");
+#ifdef	HAVE_GETTOSBYNAME
+    fprintf(stderr, " [-S tos]");
+#endif
+#ifdef	AUTHENTICATION
+    fprintf(stderr, " [-X auth-type] [-y] [-z]");
+#endif
+    fprintf(stderr, " [-u utmp_hostname_length] [-U]");
+    fprintf(stderr, " [port]\n");
+    exit(1);
+}
+
+/*
+ * getterminaltype
+ *
+ *	Ask the other end to send along its terminal type and speed.
+ * Output is the variable terminaltype filled in.
+ */
+static unsigned char ttytype_sbbuf[] = {
+    IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE
+};
+
+int
+getterminaltype(char *name, size_t name_sz)
+{
+    int retval = -1;
+    void _gettermname();
+
+    settimer(baseline);
+#ifdef AUTHENTICATION
+    /*
+     * Handle the Authentication option before we do anything else.
+     */
+    send_do(TELOPT_AUTHENTICATION, 1);
+    while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+	ttloop();
+    if (his_state_is_will(TELOPT_AUTHENTICATION)) {
+	retval = auth_wait(name, name_sz);
+    }
+#endif
+
+#ifdef ENCRYPTION
+    send_will(TELOPT_ENCRYPT, 1);
+    send_do(TELOPT_ENCRYPT, 1);	/* esc@magic.fi */
+#endif
+    send_do(TELOPT_TTYPE, 1);
+    send_do(TELOPT_TSPEED, 1);
+    send_do(TELOPT_XDISPLOC, 1);
+    send_do(TELOPT_NEW_ENVIRON, 1);
+    send_do(TELOPT_OLD_ENVIRON, 1);
+    while (
+#ifdef ENCRYPTION
+	   his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+#endif
+	   his_will_wont_is_changing(TELOPT_TTYPE) ||
+	   his_will_wont_is_changing(TELOPT_TSPEED) ||
+	   his_will_wont_is_changing(TELOPT_XDISPLOC) ||
+	   his_will_wont_is_changing(TELOPT_NEW_ENVIRON) ||
+	   his_will_wont_is_changing(TELOPT_OLD_ENVIRON)) {
+	ttloop();
+    }
+#ifdef ENCRYPTION
+    /*
+     * Wait for the negotiation of what type of encryption we can
+     * send with.  If autoencrypt is not set, this will just return.
+     */
+    if (his_state_is_will(TELOPT_ENCRYPT)) {
+	encrypt_wait();
+    }
+#endif
+    if (his_state_is_will(TELOPT_TSPEED)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_XDISPLOC, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_NEW_ENVIRON, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    else if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
+	static unsigned char sb[] =
+	{ IAC, SB, TELOPT_OLD_ENVIRON, TELQUAL_SEND, IAC, SE };
+
+	telnet_net_write (sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+
+	telnet_net_write (ttytype_sbbuf, sizeof ttytype_sbbuf);
+	DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2,
+				  sizeof ttytype_sbbuf - 2););
+    }
+    if (his_state_is_will(TELOPT_TSPEED)) {
+	while (sequenceIs(tspeedsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+	while (sequenceIs(xdisplocsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
+	while (sequenceIs(environsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
+	while (sequenceIs(oenvironsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+	char first[256], last[256];
+
+	while (sequenceIs(ttypesubopt, baseline))
+	    ttloop();
+
+	/*
+	 * If the other side has already disabled the option, then
+	 * we have to just go with what we (might) have already gotten.
+	 */
+	if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) {
+	    strlcpy(first, terminaltype, sizeof(first));
+	    for(;;) {
+		/*
+		 * Save the unknown name, and request the next name.
+		 */
+		strlcpy(last, terminaltype, sizeof(last));
+		_gettermname();
+		if (terminaltypeok(terminaltype))
+		    break;
+		if ((strncmp(last, terminaltype, sizeof(last)) == 0) ||
+		    his_state_is_wont(TELOPT_TTYPE)) {
+		    /*
+		     * We've hit the end.  If this is the same as
+		     * the first name, just go with it.
+		     */
+		    if (strncmp(first, terminaltype, sizeof(first)) == 0)
+			break;
+		    /*
+		     * Get the terminal name one more time, so that
+		     * RFC1091 compliant telnets will cycle back to
+		     * the start of the list.
+		     */
+		    _gettermname();
+		    if (strncmp(first, terminaltype, sizeof(first)) != 0)
+			strcpy(terminaltype, first);
+		    break;
+		}
+	    }
+	}
+    }
+    return(retval);
+}  /* end of getterminaltype */
+
+void
+_gettermname()
+{
+    /*
+     * If the client turned off the option,
+     * we can't send another request, so we
+     * just return.
+     */
+    if (his_state_is_wont(TELOPT_TTYPE))
+	return;
+    settimer(baseline);
+    telnet_net_write (ttytype_sbbuf, sizeof ttytype_sbbuf);
+    DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2,
+			      sizeof ttytype_sbbuf - 2););
+    while (sequenceIs(ttypesubopt, baseline))
+	ttloop();
+}
+
+int
+terminaltypeok(char *s)
+{
+    return 1;
+}
+
+
+char *hostname;
+char host_name[MaxHostNameLen];
+char remote_host_name[MaxHostNameLen];
+
+/*
+ * Get a pty, scan input lines.
+ */
+static void
+doit(struct sockaddr *who, int who_len)
+{
+    char *host = NULL;
+    struct hostent *hp = NULL;
+    int level;
+    int ptynum;
+    char user_name[256];
+    int error;
+    char host_addr[256];
+    void *addr;
+    int addr_sz;
+    const char *tmp;
+    int af;
+
+    /*
+     * Find an available pty to use.
+     */
+    ourpty = getpty(&ptynum);
+    if (ourpty < 0)
+	fatal(net, "All network ports in use");
+
+#ifdef _SC_CRAY_SECURE_SYS
+    /*
+     *	set ttyp line security label
+     */
+    if (secflag) {
+	char slave_dev[16];
+
+	snprintf(tty_dev, sizeof(tty_dev), "/dev/pty/%03d", ptynum);
+	if (setdevs(tty_dev, &dv) < 0)
+	    fatal(net, "cannot set pty security");
+	snprintf(slave_dev, sizeof(slave_dev), "/dev/ttyp%03d", ptynum);
+	if (setdevs(slave_dev, &dv) < 0)
+	    fatal(net, "cannot set tty security");
+    }
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+    af = who->sa_family;
+    switch (af) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)who;
+
+	addr    = &sin->sin_addr;
+	addr_sz = sizeof(sin->sin_addr);
+	break;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)who;
+
+	addr    = &sin6->sin6_addr;
+	addr_sz = sizeof(sin6->sin6_addr);
+	break;
+    }
+#endif
+    default :
+	fatal (net, "Unknown address family\r\n");
+	break;
+    }
+
+    hp = getipnodebyaddr (addr, addr_sz, af, &error);
+
+    if (hp == NULL && registerd_host_only) {
+	fatal(net, "Couldn't resolve your address into a host name.\r\n\
+Please contact your net administrator");
+    } else if (hp != NULL) {
+	host = hp->h_name;
+    }
+
+    tmp = inet_ntop(af, addr, host_addr, sizeof(host_addr));
+    if (tmp == NULL)
+	strlcpy (host_addr, "unknown address", sizeof(host_addr));
+
+    if (host == NULL)
+	host = host_addr;
+
+    /*
+     * We must make a copy because Kerberos is probably going
+     * to also do a gethost* and overwrite the static data...
+     */
+    strlcpy(remote_host_name, host, sizeof(remote_host_name));
+    if (hp != NULL)
+	freehostent (hp);
+    host = remote_host_name;
+
+    /* XXX - should be k_gethostname? */
+    gethostname(host_name, sizeof (host_name));
+    hostname = host_name;
+
+    /* Only trim if too long (and possible) */
+    if (strlen(remote_host_name) > abs(utmp_len)) {
+	char *domain = strchr(host_name, '.');
+	char *p = strchr(remote_host_name, '.');
+	if (domain && p && (strcmp(p, domain) == 0))
+	    *p = 0; /* remove domain part */
+    }
+
+
+    /*
+     * If hostname still doesn't fit utmp, use ipaddr.
+     */
+    if (strlen(remote_host_name) > abs(utmp_len))
+	strlcpy(remote_host_name,
+			host_addr,
+			sizeof(remote_host_name));
+
+#ifdef AUTHENTICATION
+    auth_encrypt_init(hostname, host, "TELNETD", 1);
+#endif
+
+    init_env();
+    /*
+     * get terminal type.
+     */
+    *user_name = 0;
+    level = getterminaltype(user_name, sizeof(user_name));
+    setenv("TERM", terminaltype ? terminaltype : "network", 1);
+
+#ifdef _SC_CRAY_SECURE_SYS
+    if (secflag) {
+	if (setulvl(dv.dv_actlvl) < 0)
+	    fatal(net,"cannot setulvl()");
+	if (setucmp(dv.dv_actcmp) < 0)
+	    fatal(net, "cannot setucmp()");
+    }
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+    /* begin server processing */
+    my_telnet(net, ourpty, host, level, user_name);
+    /*NOTREACHED*/
+}  /* end of doit */
+
+/* output contents of /etc/issue.net, or /etc/issue */
+static void
+show_issue(void)
+{
+    FILE *f;
+    char buf[128];
+    f = fopen("/etc/issue.net", "r");
+    if(f == NULL)
+	f = fopen("/etc/issue", "r");
+    if(f){
+	while(fgets(buf, sizeof(buf)-2, f)){
+	    strcpy(buf + strcspn(buf, "\r\n"), "\r\n");
+	    writenet((unsigned char*)buf, strlen(buf));
+	}
+	fclose(f);
+    }
+}
+
+/*
+ * Main loop.  Select from pty and network, and
+ * hand data to telnet receiver finite state machine.
+ */
+void
+my_telnet(int f, int p, char *host, int level, char *autoname)
+{
+    int on = 1;
+    char *he;
+    char *IM;
+    int nfd;
+    int startslave_called = 0;
+    time_t timeout;
+
+    /*
+     * Initialize the slc mapping table.
+     */
+    get_slc_defaults();
+
+    /*
+     * Do some tests where it is desireable to wait for a response.
+     * Rather than doing them slowly, one at a time, do them all
+     * at once.
+     */
+    if (my_state_is_wont(TELOPT_SGA))
+	send_will(TELOPT_SGA, 1);
+    /*
+     * Is the client side a 4.2 (NOT 4.3) system?  We need to know this
+     * because 4.2 clients are unable to deal with TCP urgent data.
+     *
+     * To find out, we send out a "DO ECHO".  If the remote system
+     * answers "WILL ECHO" it is probably a 4.2 client, and we note
+     * that fact ("WILL ECHO" ==> that the client will echo what
+     * WE, the server, sends it; it does NOT mean that the client will
+     * echo the terminal input).
+     */
+    send_do(TELOPT_ECHO, 1);
+
+    /*
+     * Send along a couple of other options that we wish to negotiate.
+     */
+    send_do(TELOPT_NAWS, 1);
+    send_will(TELOPT_STATUS, 1);
+    flowmode = 1;		/* default flow control state */
+    restartany = -1;	/* uninitialized... */
+    send_do(TELOPT_LFLOW, 1);
+
+    /*
+     * Spin, waiting for a response from the DO ECHO.  However,
+     * some REALLY DUMB telnets out there might not respond
+     * to the DO ECHO.  So, we spin looking for NAWS, (most dumb
+     * telnets so far seem to respond with WONT for a DO that
+     * they don't understand...) because by the time we get the
+     * response, it will already have processed the DO ECHO.
+     * Kludge upon kludge.
+     */
+    while (his_will_wont_is_changing(TELOPT_NAWS))
+	ttloop();
+
+    /*
+     * But...
+     * The client might have sent a WILL NAWS as part of its
+     * startup code; if so, we'll be here before we get the
+     * response to the DO ECHO.  We'll make the assumption
+     * that any implementation that understands about NAWS
+     * is a modern enough implementation that it will respond
+     * to our DO ECHO request; hence we'll do another spin
+     * waiting for the ECHO option to settle down, which is
+     * what we wanted to do in the first place...
+     */
+    if (his_want_state_is_will(TELOPT_ECHO) &&
+	his_state_is_will(TELOPT_NAWS)) {
+	while (his_will_wont_is_changing(TELOPT_ECHO))
+	    ttloop();
+    }
+    /*
+     * On the off chance that the telnet client is broken and does not
+     * respond to the DO ECHO we sent, (after all, we did send the
+     * DO NAWS negotiation after the DO ECHO, and we won't get here
+     * until a response to the DO NAWS comes back) simulate the
+     * receipt of a will echo.  This will also send a WONT ECHO
+     * to the client, since we assume that the client failed to
+     * respond because it believes that it is already in DO ECHO
+     * mode, which we do not want.
+     */
+    if (his_want_state_is_will(TELOPT_ECHO)) {
+	DIAG(TD_OPTIONS,
+	     {output_data("td: simulating recv\r\n");
+	     });
+	willoption(TELOPT_ECHO);
+    }
+
+    /*
+     * Finally, to clean things up, we turn on our echo.  This
+     * will break stupid 4.2 telnets out of local terminal echo.
+     */
+
+    if (my_state_is_wont(TELOPT_ECHO))
+	send_will(TELOPT_ECHO, 1);
+
+#ifdef TIOCPKT
+#ifdef	STREAMSPTY
+    if (!really_stream)
+#endif
+	/*
+	 * Turn on packet mode
+	 */
+	ioctl(p, TIOCPKT, (char *)&on);
+#endif
+
+
+    /*
+     * Call telrcv() once to pick up anything received during
+     * terminal type negotiation, 4.2/4.3 determination, and
+     * linemode negotiation.
+     */
+    telrcv();
+
+    ioctl(f, FIONBIO, (char *)&on);
+    ioctl(p, FIONBIO, (char *)&on);
+
+#if	defined(SO_OOBINLINE) && defined(HAVE_SETSOCKOPT)
+    setsockopt(net, SOL_SOCKET, SO_OOBINLINE,
+	       (void *)&on, sizeof on);
+#endif	/* defined(SO_OOBINLINE) */
+
+#ifdef	SIGTSTP
+    signal(SIGTSTP, SIG_IGN);
+#endif
+#ifdef	SIGTTOU
+    /*
+     * Ignoring SIGTTOU keeps the kernel from blocking us
+     * in ttioct() in /sys/tty.c.
+     */
+    signal(SIGTTOU, SIG_IGN);
+#endif
+
+    signal(SIGCHLD, cleanup);
+
+#ifdef  TIOCNOTTY
+    {
+	int t;
+	t = open(_PATH_TTY, O_RDWR);
+	if (t >= 0) {
+	    ioctl(t, TIOCNOTTY, (char *)0);
+	    close(t);
+	}
+    }
+#endif
+
+    show_issue();
+    /*
+     * Show banner that getty never gave.
+     *
+     * We put the banner in the pty input buffer.  This way, it
+     * gets carriage return null processing, etc., just like all
+     * other pty --> client data.
+     */
+
+    if (getenv("USER"))
+	hostinfo = 0;
+
+    IM = DEFAULT_IM;
+    he = 0;
+    edithost(he, host_name);
+    if (hostinfo && *IM)
+	putf(IM, ptyibuf2);
+
+    if (pcc)
+	strncat(ptyibuf2, ptyip, pcc+1);
+    ptyip = ptyibuf2;
+    pcc = strlen(ptyip);
+
+    DIAG(TD_REPORT, {
+	output_data("td: Entering processing loop\r\n");
+    });
+
+
+    nfd = ((f > p) ? f : p) + 1;
+    timeout = time(NULL) + 5;
+    for (;;) {
+	fd_set ibits, obits, xbits;
+	int c;
+
+	/* wait for encryption to be turned on, but don't wait
+           indefinitely */
+	if(!startslave_called && (!encrypt_delay() || timeout > time(NULL))){
+	    startslave_called = 1;
+	    startslave(host, level, autoname);
+	}
+
+	if (ncc < 0 && pcc < 0)
+	    break;
+
+	FD_ZERO(&ibits);
+	FD_ZERO(&obits);
+	FD_ZERO(&xbits);
+
+	if (f >= FD_SETSIZE
+	    || p >= FD_SETSIZE)
+	    fatal(net, "fd too large");
+
+	/*
+	 * Never look for input if there's still
+	 * stuff in the corresponding output buffer
+	 */
+	if (nfrontp - nbackp || pcc > 0) {
+	    FD_SET(f, &obits);
+	} else {
+	    FD_SET(p, &ibits);
+	}
+	if (pfrontp - pbackp || ncc > 0) {
+	    FD_SET(p, &obits);
+	} else {
+	    FD_SET(f, &ibits);
+	}
+	if (!SYNCHing) {
+	    FD_SET(f, &xbits);
+	}
+	if ((c = select(nfd, &ibits, &obits, &xbits,
+			(struct timeval *)0)) < 1) {
+	    if (c == -1) {
+		if (errno == EINTR) {
+		    continue;
+		}
+	    }
+	    sleep(5);
+	    continue;
+	}
+
+	/*
+	 * Any urgent data?
+	 */
+	if (FD_ISSET(net, &xbits)) {
+	    SYNCHing = 1;
+	}
+
+	/*
+	 * Something to read from the network...
+	 */
+	if (FD_ISSET(net, &ibits)) {
+#ifndef SO_OOBINLINE
+	    /*
+	     * In 4.2 (and 4.3 beta) systems, the
+	     * OOB indication and data handling in the kernel
+	     * is such that if two separate TCP Urgent requests
+	     * come in, one byte of TCP data will be overlaid.
+	     * This is fatal for Telnet, but we try to live
+	     * with it.
+	     *
+	     * In addition, in 4.2 (and...), a special protocol
+	     * is needed to pick up the TCP Urgent data in
+	     * the correct sequence.
+	     *
+	     * What we do is:  if we think we are in urgent
+	     * mode, we look to see if we are "at the mark".
+	     * If we are, we do an OOB receive.  If we run
+	     * this twice, we will do the OOB receive twice,
+	     * but the second will fail, since the second
+	     * time we were "at the mark", but there wasn't
+	     * any data there (the kernel doesn't reset
+	     * "at the mark" until we do a normal read).
+	     * Once we've read the OOB data, we go ahead
+	     * and do normal reads.
+	     *
+	     * There is also another problem, which is that
+	     * since the OOB byte we read doesn't put us
+	     * out of OOB state, and since that byte is most
+	     * likely the TELNET DM (data mark), we would
+	     * stay in the TELNET SYNCH (SYNCHing) state.
+	     * So, clocks to the rescue.  If we've "just"
+	     * received a DM, then we test for the
+	     * presence of OOB data when the receive OOB
+	     * fails (and AFTER we did the normal mode read
+	     * to clear "at the mark").
+	     */
+	    if (SYNCHing) {
+		int atmark;
+
+		ioctl(net, SIOCATMARK, (char *)&atmark);
+		if (atmark) {
+		    ncc = recv(net, netibuf, sizeof (netibuf), MSG_OOB);
+		    if ((ncc == -1) && (errno == EINVAL)) {
+			ncc = read(net, netibuf, sizeof (netibuf));
+			if (sequenceIs(didnetreceive, gotDM)) {
+			    SYNCHing = stilloob(net);
+			}
+		    }
+		} else {
+		    ncc = read(net, netibuf, sizeof (netibuf));
+		}
+	    } else {
+		ncc = read(net, netibuf, sizeof (netibuf));
+	    }
+	    settimer(didnetreceive);
+#else	/* !defined(SO_OOBINLINE)) */
+	    ncc = read(net, netibuf, sizeof (netibuf));
+#endif	/* !defined(SO_OOBINLINE)) */
+	    if (ncc < 0 && errno == EWOULDBLOCK)
+		ncc = 0;
+	    else {
+		if (ncc <= 0) {
+		    break;
+		}
+		netip = netibuf;
+	    }
+	    DIAG((TD_REPORT | TD_NETDATA), {
+		output_data("td: netread %d chars\r\n", ncc);
+		});
+	    DIAG(TD_NETDATA, printdata("nd", netip, ncc));
+	}
+
+	/*
+	 * Something to read from the pty...
+	 */
+	if (FD_ISSET(p, &ibits)) {
+#ifdef STREAMSPTY
+	    if (really_stream)
+		pcc = readstream(p, ptyibuf, BUFSIZ);
+	    else
+#endif
+		pcc = read(p, ptyibuf, BUFSIZ);
+
+	    /*
+	     * On some systems, if we try to read something
+	     * off the master side before the slave side is
+	     * opened, we get EIO.
+	     */
+	    if (pcc < 0 && (errno == EWOULDBLOCK ||
+#ifdef	EAGAIN
+			    errno == EAGAIN ||
+#endif
+			    errno == EIO)) {
+		pcc = 0;
+	    } else {
+		if (pcc <= 0)
+		    break;
+		if (ptyibuf[0] & TIOCPKT_FLUSHWRITE) {
+		    netclear();	/* clear buffer back */
+#ifndef	NO_URGENT
+		    /*
+		     * There are client telnets on some
+		     * operating systems get screwed up
+		     * royally if we send them urgent
+		     * mode data.
+		     */
+		    output_data ("%c%c", IAC, DM);
+
+		    neturg = nfrontp-1; /* off by one XXX */
+		    DIAG(TD_OPTIONS,
+			 printoption("td: send IAC", DM));
+
+#endif
+		}
+		if (his_state_is_will(TELOPT_LFLOW) &&
+		    (ptyibuf[0] &
+		     (TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))) {
+		    int newflow =
+			ptyibuf[0] & TIOCPKT_DOSTOP ? 1 : 0;
+		    if (newflow != flowmode) {
+			flowmode = newflow;
+			output_data("%c%c%c%c%c%c",
+				    IAC, SB, TELOPT_LFLOW,
+				    flowmode ? LFLOW_ON
+				    : LFLOW_OFF,
+				    IAC, SE);
+			DIAG(TD_OPTIONS, printsub('>',
+						  (unsigned char *)nfrontp-4,
+						  4););
+		    }
+		}
+		pcc--;
+		ptyip = ptyibuf+1;
+	    }
+	}
+
+	while (pcc > 0) {
+	    if ((&netobuf[BUFSIZ] - nfrontp) < 3)
+		break;
+	    c = *ptyip++ & 0377, pcc--;
+	    if (c == IAC)
+		*nfrontp++ = c;
+	    *nfrontp++ = c;
+	    if ((c == '\r') && (my_state_is_wont(TELOPT_BINARY))) {
+		if (pcc > 0 && ((*ptyip & 0377) == '\n')) {
+		    *nfrontp++ = *ptyip++ & 0377;
+		    pcc--;
+		} else
+		    *nfrontp++ = '\0';
+	    }
+	}
+
+	if (FD_ISSET(f, &obits) && (nfrontp - nbackp) > 0)
+	    netflush();
+	if (ncc > 0)
+	    telrcv();
+	if (FD_ISSET(p, &obits) && (pfrontp - pbackp) > 0)
+	    ptyflush();
+    }
+    cleanup(0);
+}
+
+#ifndef	TCSIG
+# ifdef	TIOCSIG
+#  define TCSIG TIOCSIG
+# endif
+#endif
+
+#ifdef	STREAMSPTY
+
+    int flowison = -1;  /* current state of flow: -1 is unknown */
+
+int
+readstream(int p, char *ibuf, int bufsize)
+{
+    int flags = 0;
+    int ret = 0;
+    struct termios *tsp;
+#if 0
+    struct termio *tp;
+#endif
+    struct iocblk *ip;
+    char vstop, vstart;
+    int ixon;
+    int newflow;
+
+    strbufc.maxlen = BUFSIZ;
+    strbufc.buf = (char *)ctlbuf;
+    strbufd.maxlen = bufsize-1;
+    strbufd.len = 0;
+    strbufd.buf = ibuf+1;
+    ibuf[0] = 0;
+
+    ret = getmsg(p, &strbufc, &strbufd, &flags);
+    if (ret < 0)  /* error of some sort -- probably EAGAIN */
+	return(-1);
+
+    if (strbufc.len <= 0 || ctlbuf[0] == M_DATA) {
+	/* data message */
+	if (strbufd.len > 0) {			/* real data */
+	    return(strbufd.len + 1);	/* count header char */
+	} else {
+	    /* nothing there */
+	    errno = EAGAIN;
+	    return(-1);
+	}
+    }
+
+    /*
+     * It's a control message.  Return 1, to look at the flag we set
+     */
+
+    switch (ctlbuf[0]) {
+    case M_FLUSH:
+	if (ibuf[1] & FLUSHW)
+	    ibuf[0] = TIOCPKT_FLUSHWRITE;
+	return(1);
+
+    case M_IOCTL:
+	ip = (struct iocblk *) (ibuf+1);
+
+	switch (ip->ioc_cmd) {
+#ifdef TCSETS
+	case TCSETS:
+	case TCSETSW:
+	case TCSETSF:
+	    tsp = (struct termios *)
+		(ibuf+1 + sizeof(struct iocblk));
+	    vstop = tsp->c_cc[VSTOP];
+	    vstart = tsp->c_cc[VSTART];
+	    ixon = tsp->c_iflag & IXON;
+	    break;
+#endif
+#if 0
+	case TCSETA:
+	case TCSETAW:
+	case TCSETAF:
+	    tp = (struct termio *) (ibuf+1 + sizeof(struct iocblk));
+	    vstop = tp->c_cc[VSTOP];
+	    vstart = tp->c_cc[VSTART];
+	    ixon = tp->c_iflag & IXON;
+	    break;
+#endif
+	default:
+	    errno = EAGAIN;
+	    return(-1);
+	}
+
+	newflow =  (ixon && (vstart == 021) && (vstop == 023)) ? 1 : 0;
+	if (newflow != flowison) {  /* it's a change */
+	    flowison = newflow;
+	    ibuf[0] = newflow ? TIOCPKT_DOSTOP : TIOCPKT_NOSTOP;
+	    return(1);
+	}
+    }
+
+    /* nothing worth doing anything about */
+    errno = EAGAIN;
+    return(-1);
+}
+#endif /* STREAMSPTY */
+
+/*
+ * Send interrupt to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write intr char.
+ */
+void
+interrupt()
+{
+    ptyflush();	/* half-hearted */
+
+#if defined(STREAMSPTY) && defined(TIOCSIGNAL)
+    /* Streams PTY style ioctl to post a signal */
+    if (really_stream)
+	{
+	    int sig = SIGINT;
+	    ioctl(ourpty, TIOCSIGNAL, &sig);
+	    ioctl(ourpty, I_FLUSH, FLUSHR);
+	}
+#else
+#ifdef	TCSIG
+    ioctl(ourpty, TCSIG, (char *)SIGINT);
+#else	/* TCSIG */
+    init_termbuf();
+    *pfrontp++ = slctab[SLC_IP].sptr ?
+	(unsigned char)*slctab[SLC_IP].sptr : '\177';
+#endif	/* TCSIG */
+#endif
+}
+
+/*
+ * Send quit to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write quit char.
+ */
+void
+sendbrk()
+{
+    ptyflush();	/* half-hearted */
+#ifdef	TCSIG
+    ioctl(ourpty, TCSIG, (char *)SIGQUIT);
+#else	/* TCSIG */
+    init_termbuf();
+    *pfrontp++ = slctab[SLC_ABORT].sptr ?
+	(unsigned char)*slctab[SLC_ABORT].sptr : '\034';
+#endif	/* TCSIG */
+}
+
+void
+sendsusp()
+{
+#ifdef	SIGTSTP
+    ptyflush();	/* half-hearted */
+# ifdef	TCSIG
+    ioctl(ourpty, TCSIG, (char *)SIGTSTP);
+# else	/* TCSIG */
+    *pfrontp++ = slctab[SLC_SUSP].sptr ?
+	(unsigned char)*slctab[SLC_SUSP].sptr : '\032';
+# endif	/* TCSIG */
+#endif	/* SIGTSTP */
+}
+
+/*
+ * When we get an AYT, if ^T is enabled, use that.  Otherwise,
+ * just send back "[Yes]".
+ */
+void
+recv_ayt()
+{
+#if	defined(SIGINFO) && defined(TCSIG)
+    if (slctab[SLC_AYT].sptr && *slctab[SLC_AYT].sptr != _POSIX_VDISABLE) {
+	ioctl(ourpty, TCSIG, (char *)SIGINFO);
+	return;
+    }
+#endif
+    output_data("\r\n[Yes]\r\n");
+}
+
+void
+doeof()
+{
+    init_termbuf();
+
+    *pfrontp++ = slctab[SLC_EOF].sptr ?
+	(unsigned char)*slctab[SLC_EOF].sptr : '\004';
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/telnetd.h b/crypto/kerberosIV/appl/telnet/telnetd/telnetd.h
new file mode 100644
index 0000000..c89ce0e
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/telnetd.h
@@ -0,0 +1,225 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)telnetd.h	8.1 (Berkeley) 6/4/93
+ */
+/* $FreeBSD$ */
+
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+/* including both <sys/ioctl.h> and <termios.h> in SunOS 4 generates a
+   lot of warnings */
+
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#include <signal.h>
+#include <errno.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#include <ctype.h>
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include <termios.h>
+
+#ifdef HAVE_PTY_H
+#include <pty.h>
+#endif
+
+#include "defs.h"
+
+#ifndef _POSIX_VDISABLE
+# ifdef VDISABLE
+#  define _POSIX_VDISABLE VDISABLE
+# else
+#  define _POSIX_VDISABLE ((unsigned char)'\377')
+# endif
+#endif
+
+
+#ifdef HAVE_SYS_PTY_H
+#include <sys/pty.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+#ifdef HAVE_SYS_PTYIO_H
+#include <sys/ptyio.h>
+#endif
+
+#ifdef HAVE_SYS_UTSNAME_H
+#include <sys/utsname.h>
+#endif
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifdef HAVE_ARPA_TELNET_H
+#include <arpa/telnet.h>
+#endif
+
+#include "ext.h"
+
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#ifdef KRB4
+#include <openssl/des.h>
+#include <krb.h>
+#endif
+
+#ifdef AUTHENTICATION
+#include <libtelnet/auth.h>
+#include <libtelnet/misc.h>
+#ifdef ENCRYPTION
+#include <libtelnet/encrypt.h>
+#endif
+#endif
+
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
+
+#include <roken.h>
+
+/* Don't use the system login, use our version instead */
+
+/* BINDIR should be defined somewhere else... */
+
+#ifndef BINDIR
+#define BINDIR "/usr/athena/bin"
+#endif
+
+#undef _PATH_LOGIN
+#define _PATH_LOGIN	BINDIR "/login"
+
+/* fallbacks */
+
+#ifndef _PATH_DEV
+#define _PATH_DEV "/dev/"
+#endif
+
+#ifndef _PATH_TTY
+#define _PATH_TTY "/dev/tty"
+#endif /* _PATH_TTY */
+
+#ifdef	DIAGNOSTICS
+#define	DIAG(a,b)	if (diagnostic & (a)) b
+#else
+#define	DIAG(a,b)
+#endif
+
+/* other external variables */
+extern	char **environ;
+
+/* prototypes */
+
+/* appends data to nfrontp and advances */
+int output_data (const char *format, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+;
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/termstat.c b/crypto/kerberosIV/appl/telnet/telnetd/termstat.c
new file mode 100644
index 0000000..80ee145
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/termstat.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "telnetd.h"
+
+RCSID("$Id: termstat.c,v 1.11 1997/05/11 06:30:04 assar Exp $");
+
+/*
+ * local variables
+ */
+int def_tspeed = -1, def_rspeed = -1;
+#ifdef	TIOCSWINSZ
+int def_row = 0, def_col = 0;
+#endif
+
+/*
+ * flowstat
+ *
+ * Check for changes to flow control
+ */
+void
+flowstat()
+{
+    if (his_state_is_will(TELOPT_LFLOW)) {
+	if (tty_flowmode() != flowmode) {
+	    flowmode = tty_flowmode();
+	    output_data("%c%c%c%c%c%c",
+			IAC, SB, TELOPT_LFLOW,
+			flowmode ? LFLOW_ON : LFLOW_OFF,
+			IAC, SE);
+	}
+	if (tty_restartany() != restartany) {
+	    restartany = tty_restartany();
+	    output_data("%c%c%c%c%c%c",
+			IAC, SB, TELOPT_LFLOW,
+			restartany ? LFLOW_RESTART_ANY
+			: LFLOW_RESTART_XON,
+			IAC, SE);
+	}
+    }
+}
+
+/*
+ * clientstat
+ *
+ * Process linemode related requests from the client.
+ * Client can request a change to only one of linemode, editmode or slc's
+ * at a time, and if using kludge linemode, then only linemode may be
+ * affected.
+ */
+void
+clientstat(int code, int parm1, int parm2)
+{
+    void netflush();
+
+    /*
+     * Get a copy of terminal characteristics.
+     */
+    init_termbuf();
+
+    /*
+     * Process request from client. code tells what it is.
+     */
+    switch (code) {
+    case TELOPT_NAWS:
+#ifdef	TIOCSWINSZ
+	{
+	    struct winsize ws;
+
+	    def_col = parm1;
+	    def_row = parm2;
+
+	    /*
+	     * Change window size as requested by client.
+	     */
+
+	    ws.ws_col = parm1;
+	    ws.ws_row = parm2;
+	    ioctl(ourpty, TIOCSWINSZ, (char *)&ws);
+	}
+#endif	/* TIOCSWINSZ */
+
+    break;
+
+    case TELOPT_TSPEED:
+	{
+	    def_tspeed = parm1;
+	    def_rspeed = parm2;
+	    /*
+	     * Change terminal speed as requested by client.
+	     * We set the receive speed first, so that if we can't
+	     * store seperate receive and transmit speeds, the transmit
+	     * speed will take precedence.
+	     */
+	    tty_rspeed(parm2);
+	    tty_tspeed(parm1);
+	    set_termbuf();
+
+	    break;
+
+	}  /* end of case TELOPT_TSPEED */
+
+    default:
+	/* What? */
+	break;
+    }  /* end of switch */
+
+    netflush();
+
+}
diff --git a/crypto/kerberosIV/appl/telnet/telnetd/utility.c b/crypto/kerberosIV/appl/telnet/telnetd/utility.c
new file mode 100644
index 0000000..ff5192e
--- /dev/null
+++ b/crypto/kerberosIV/appl/telnet/telnetd/utility.c
@@ -0,0 +1,1165 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define PRINTOPTIONS
+#include "telnetd.h"
+
+RCSID("$Id: utility.c,v 1.22.2.1 2000/10/10 13:12:34 assar Exp $");
+
+/*
+ * utility functions performing io related tasks
+ */
+
+/*
+ * ttloop
+ *
+ * A small subroutine to flush the network output buffer, get some
+ * data from the network, and pass it through the telnet state
+ * machine.  We also flush the pty input buffer (by dropping its data)
+ * if it becomes too full.
+ *
+ * return 0 if OK or 1 if interrupted by a signal.
+ */
+
+int
+ttloop(void)
+{
+    void netflush(void);
+    
+    DIAG(TD_REPORT, {
+	output_data("td: ttloop\r\n");
+    });
+    if (nfrontp-nbackp)
+	netflush();
+    ncc = read(net, netibuf, sizeof netibuf);
+    if (ncc < 0) {
+	if (errno == EINTR)
+	    return 1;
+	syslog(LOG_INFO, "ttloop:  read: %m\n");
+	exit(1);
+    } else if (ncc == 0) {
+	syslog(LOG_INFO, "ttloop:  peer died\n");
+	exit(1);
+    }
+    DIAG(TD_REPORT, {
+	output_data("td: ttloop read %d chars\r\n", ncc);
+    });
+    netip = netibuf;
+    telrcv();			/* state machine */
+    if (ncc > 0) {
+	pfrontp = pbackp = ptyobuf;
+	telrcv();
+    }
+    return 0;
+}  /* end of ttloop */
+
+/*
+ * Check a descriptor to see if out of band data exists on it.
+ */
+int
+stilloob(int s)
+{
+    static struct timeval timeout = { 0 };
+    fd_set	excepts;
+    int value;
+
+    if (s >= FD_SETSIZE)
+	fatal(ourpty, "fd too large");
+
+    do {
+	FD_ZERO(&excepts);
+	FD_SET(s, &excepts);
+	value = select(s+1, 0, 0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+	fatalperror(ourpty, "select");
+    }
+    if (FD_ISSET(s, &excepts)) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+void
+ptyflush(void)
+{
+    int n;
+
+    if ((n = pfrontp - pbackp) > 0) {
+	DIAG((TD_REPORT | TD_PTYDATA), { 
+	    output_data("td: ptyflush %d chars\r\n", n);
+	});
+	DIAG(TD_PTYDATA, printdata("pd", pbackp, n));
+	n = write(ourpty, pbackp, n);
+    }
+    if (n < 0) {
+	if (errno == EWOULDBLOCK || errno == EINTR)
+	    return;
+	cleanup(0);
+    }
+    pbackp += n;
+    if (pbackp == pfrontp)
+	pbackp = pfrontp = ptyobuf;
+}
+
+/*
+ * nextitem()
+ *
+ *	Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+char *
+nextitem(char *current)
+{
+    if ((*current&0xff) != IAC) {
+	return current+1;
+    }
+    switch (*(current+1)&0xff) {
+    case DO:
+    case DONT:
+    case WILL:
+    case WONT:
+	return current+3;
+    case SB:{
+	/* loop forever looking for the SE */
+	char *look = current+2;
+
+	for (;;) {
+	    if ((*look++&0xff) == IAC) {
+		if ((*look++&0xff) == SE) {
+		    return look;
+		}
+	    }
+	}
+    }
+    default:
+	return current+2;
+    }
+}
+
+
+/*
+ * netclear()
+ *
+ *	We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *	Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *	A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+void
+netclear(void)
+{
+    char *thisitem, *next;
+    char *good;
+#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+			 ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+#ifdef ENCRYPTION
+	thisitem = nclearto > netobuf ? nclearto : netobuf;
+#else
+	thisitem = netobuf;
+#endif
+
+	while ((next = nextitem(thisitem)) <= nbackp) {
+	    thisitem = next;
+	}
+
+	/* Now, thisitem is first before/at boundary. */
+
+#ifdef ENCRYPTION
+	good = nclearto > netobuf ? nclearto : netobuf;
+#else
+	good = netobuf;	/* where the good bytes go */
+#endif
+
+	while (nfrontp > thisitem) {
+	    if (wewant(thisitem)) {
+		int length;
+
+		next = thisitem;
+		do {
+		    next = nextitem(next);
+		} while (wewant(next) && (nfrontp > next));
+		length = next-thisitem;
+		memmove(good, thisitem, length);
+		good += length;
+		thisitem = next;
+	    } else {
+		thisitem = nextitem(thisitem);
+	    }
+	}
+
+	nbackp = netobuf;
+	nfrontp = good;		/* next byte to be sent */
+	neturg = 0;
+}  /* end of netclear */
+
+/*
+ *  netflush
+ *		Send as much data as possible to the network,
+ *	handling requests for urgent data.
+ */
+void
+netflush(void)
+{
+    int n;
+    extern int not42;
+
+    if ((n = nfrontp - nbackp) > 0) {
+	DIAG(TD_REPORT,
+	     { n += output_data("td: netflush %d chars\r\n", n);
+	     });
+#ifdef ENCRYPTION
+	if (encrypt_output) {
+	    char *s = nclearto ? nclearto : nbackp;
+	    if (nfrontp - s > 0) {
+		(*encrypt_output)((unsigned char *)s, nfrontp-s);
+		nclearto = nfrontp;
+	    }
+	}
+#endif
+	/*
+	 * if no urgent data, or if the other side appears to be an
+	 * old 4.2 client (and thus unable to survive TCP urgent data),
+	 * write the entire buffer in non-OOB mode.
+	 */
+#if 1 /* remove this to make it work between solaris 2.6 and linux */
+	if ((neturg == 0) || (not42 == 0)) {
+#endif
+	    n = write(net, nbackp, n);	/* normal write */
+#if 1 /* remove this to make it work between solaris 2.6 and linux */
+	} else {
+	    n = neturg - nbackp;
+	    /*
+	     * In 4.2 (and 4.3) systems, there is some question about
+	     * what byte in a sendOOB operation is the "OOB" data.
+	     * To make ourselves compatible, we only send ONE byte
+	     * out of band, the one WE THINK should be OOB (though
+	     * we really have more the TCP philosophy of urgent data
+	     * rather than the Unix philosophy of OOB data).
+	     */
+	    if (n > 1) {
+		n = send(net, nbackp, n-1, 0);	/* send URGENT all by itself */
+	    } else {
+		n = send(net, nbackp, n, MSG_OOB);	/* URGENT data */
+	    }
+	}
+#endif
+    }
+    if (n < 0) {
+	if (errno == EWOULDBLOCK || errno == EINTR)
+	    return;
+	cleanup(0);
+    }
+    nbackp += n;
+#ifdef ENCRYPTION
+    if (nbackp > nclearto)
+	nclearto = 0;
+#endif
+    if (nbackp >= neturg) {
+	neturg = 0;
+    }
+    if (nbackp == nfrontp) {
+	nbackp = nfrontp = netobuf;
+#ifdef ENCRYPTION
+	nclearto = 0;
+#endif
+    }
+    return;
+}
+
+
+/*
+ * writenet
+ *
+ * Just a handy little function to write a bit of raw data to the net.
+ * It will force a transmit of the buffer if necessary
+ *
+ * arguments
+ *    ptr - A pointer to a character string to write
+ *    len - How many bytes to write
+ */
+void
+writenet(unsigned char *ptr, int len)
+{
+    /* flush buffer if no room for new data) */
+    while ((&netobuf[BUFSIZ] - nfrontp) < len) {
+	/* if this fails, don't worry, buffer is a little big */
+	netflush();
+    }
+
+    memmove(nfrontp, ptr, len);
+    nfrontp += len;
+}
+
+
+/*
+ * miscellaneous functions doing a variety of little jobs follow ...
+ */
+
+
+void fatal(int f, char *msg)
+{
+    char buf[BUFSIZ];
+
+    snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);
+#ifdef ENCRYPTION
+    if (encrypt_output) {
+	/*
+	 * Better turn off encryption first....
+	 * Hope it flushes...
+	 */
+	encrypt_send_end();
+	netflush();
+    }
+#endif
+    write(f, buf, (int)strlen(buf));
+    sleep(1);	/*XXX*/
+    exit(1);
+}
+
+void
+fatalperror(int f, const char *msg)
+{
+    char buf[BUFSIZ];
+    
+    snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
+    fatal(f, buf);
+}
+
+char editedhost[32];
+
+void edithost(char *pat, char *host)
+{
+    char *res = editedhost;
+
+    if (!pat)
+	pat = "";
+    while (*pat) {
+	switch (*pat) {
+
+	case '#':
+	    if (*host)
+		host++;
+	    break;
+
+	case '@':
+	    if (*host)
+		*res++ = *host++;
+	    break;
+
+	default:
+	    *res++ = *pat;
+	    break;
+	}
+	if (res == &editedhost[sizeof editedhost - 1]) {
+	    *res = '\0';
+	    return;
+	}
+	pat++;
+    }
+    if (*host)
+	strlcpy (res, host,
+			 sizeof editedhost - (res - editedhost));
+    else
+	*res = '\0';
+    editedhost[sizeof editedhost - 1] = '\0';
+}
+
+static char *putlocation;
+
+void
+putstr(char *s)
+{
+
+    while (*s)
+	putchr(*s++);
+}
+
+void
+putchr(int cc)
+{
+    *putlocation++ = cc;
+}
+
+/*
+ * This is split on two lines so that SCCS will not see the M
+ * between two % signs and expand it...
+ */
+static char fmtstr[] = { "%l:%M" "%P on %A, %d %B %Y" };
+
+void putf(char *cp, char *where)
+{
+#ifdef HAVE_UNAME
+    struct utsname name;
+#endif
+    char *slash;
+    time_t t;
+    char db[100];
+
+    /* if we don't have uname, set these to sensible values */
+    char *sysname = "Unix", 
+	*machine = "", 
+	*release = "",
+	*version = ""; 
+
+#ifdef HAVE_UNAME
+    uname(&name);
+    sysname=name.sysname;
+    machine=name.machine;
+    release=name.release;
+    version=name.version;
+#endif
+
+    putlocation = where;
+
+    while (*cp) {
+	if (*cp != '%') {
+	    putchr(*cp++);
+	    continue;
+	}
+	switch (*++cp) {
+
+	case 't':
+#ifdef	STREAMSPTY
+	    /* names are like /dev/pts/2 -- we want pts/2 */
+	    slash = strchr(line+1, '/');
+#else
+	    slash = strrchr(line, '/');
+#endif
+	    if (slash == (char *) 0)
+		putstr(line);
+	    else
+		putstr(&slash[1]);
+	    break;
+
+	case 'h':
+	    putstr(editedhost);
+	    break;
+
+	case 's':
+	    putstr(sysname);
+	    break;
+
+	case 'm':
+	    putstr(machine);
+	    break;
+
+	case 'r':
+	    putstr(release);
+	    break;
+
+	case 'v':
+	    putstr(version);
+	    break;
+
+	case 'd':
+	    time(&t);
+	    strftime(db, sizeof(db), fmtstr, localtime(&t));
+	    putstr(db);
+	    break;
+
+	case '%':
+	    putchr('%');
+	    break;
+	}
+	cp++;
+    }
+}
+
+#ifdef DIAGNOSTICS
+/*
+ * Print telnet options and commands in plain text, if possible.
+ */
+void
+printoption(char *fmt, int option)
+{
+    if (TELOPT_OK(option))
+	output_data("%s %s\r\n",
+		    fmt,
+		    TELOPT(option));
+    else if (TELCMD_OK(option))
+	output_data("%s %s\r\n",
+		    fmt,
+		    TELCMD(option));
+    else
+	output_data("%s %d\r\n",
+		    fmt,
+		    option);
+    return;
+}
+
+void
+printsub(int direction, unsigned char *pointer, int length)
+        		          	/* '<' or '>' */
+                 	         	/* where suboption data sits */
+       			       		/* length of suboption data */
+{
+    int i = 0;
+    unsigned char buf[512];
+
+    if (!(diagnostic & TD_OPTIONS))
+	return;
+
+    if (direction) {
+	output_data("td: %s suboption ",
+		    direction == '<' ? "recv" : "send");
+	if (length >= 3) {
+	    int j;
+
+	    i = pointer[length-2];
+	    j = pointer[length-1];
+
+	    if (i != IAC || j != SE) {
+		output_data("(terminated by ");
+		if (TELOPT_OK(i))
+		    output_data("%s ",
+				TELOPT(i));
+		else if (TELCMD_OK(i))
+		    output_data("%s ",
+				TELCMD(i));
+		else
+		    output_data("%d ",
+				i);
+		if (TELOPT_OK(j))
+		    output_data("%s",
+				TELOPT(j));
+		else if (TELCMD_OK(j))
+		    output_data("%s",
+				TELCMD(j));
+		else
+		    output_data("%d",
+				j);
+		output_data(", not IAC SE!) ");
+	    }
+	}
+	length -= 2;
+    }
+    if (length < 1) {
+	output_data("(Empty suboption??\?)");
+	return;
+    }
+    switch (pointer[0]) {
+    case TELOPT_TTYPE:
+	output_data("TERMINAL-TYPE ");
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data("IS \"%.*s\"",
+			length-2,
+			(char *)pointer+2);
+	    break;
+	case TELQUAL_SEND:
+	    output_data("SEND");
+	    break;
+	default:
+	    output_data("- unknown qualifier %d (0x%x).",
+			pointer[1], pointer[1]);
+	}
+	break;
+    case TELOPT_TSPEED:
+	output_data("TERMINAL-SPEED");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data(" IS %.*s", length-2, (char *)pointer+2);
+	    break;
+	default:
+	    if (pointer[1] == 1)
+		output_data(" SEND");
+	    else
+		output_data(" %d (unknown)", pointer[1]);
+	    for (i = 2; i < length; i++) {
+		output_data(" ?%d?", pointer[i]);
+	    }
+	    break;
+	}
+	break;
+
+    case TELOPT_LFLOW:
+	output_data("TOGGLE-FLOW-CONTROL");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case LFLOW_OFF:
+	    output_data(" OFF");
+	    break;
+	case LFLOW_ON:
+	    output_data(" ON");
+	    break;
+	case LFLOW_RESTART_ANY:
+	    output_data(" RESTART-ANY");
+	    break;
+	case LFLOW_RESTART_XON:
+	    output_data(" RESTART-XON");
+	    break;
+	default:
+	    output_data(" %d (unknown)",
+			pointer[1]);
+	}
+	for (i = 2; i < length; i++) {
+	    output_data(" ?%d?",
+			pointer[i]);
+	}
+	break;
+
+    case TELOPT_NAWS:
+	output_data("NAWS");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	if (length == 2) {
+	    output_data(" ?%d?",
+			pointer[1]);
+	    break;
+	}
+	output_data(" %u %u(%u)",
+		    pointer[1],
+		    pointer[2],
+		    (((unsigned int)pointer[1])<<8) + pointer[2]);
+	if (length == 4) {
+	    output_data(" ?%d?",
+			pointer[3]);
+	    break;
+	}
+	output_data(" %u %u(%u)",
+		    pointer[3],
+		    pointer[4],
+		    (((unsigned int)pointer[3])<<8) + pointer[4]);
+	for (i = 5; i < length; i++) {
+	    output_data(" ?%d?",
+			pointer[i]);
+	}
+	break;
+
+    case TELOPT_LINEMODE:
+	output_data("LINEMODE ");
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case WILL:
+	    output_data("WILL ");
+	    goto common;
+	case WONT:
+	    output_data("WONT ");
+	    goto common;
+	case DO:
+	    output_data("DO ");
+	    goto common;
+	case DONT:
+	    output_data("DONT ");
+	common:
+	    if (length < 3) {
+		output_data("(no option??\?)");
+		break;
+	    }
+	    switch (pointer[2]) {
+	    case LM_FORWARDMASK:
+		output_data("Forward Mask");
+		for (i = 3; i < length; i++) {
+		    output_data(" %x", pointer[i]);
+		}
+		break;
+	    default:
+		output_data("%d (unknown)",
+			    pointer[2]);
+		for (i = 3; i < length; i++) {
+		    output_data(" %d",
+				pointer[i]);
+		}
+		break;
+	    }
+	    break;
+
+	case LM_SLC:
+	    output_data("SLC");
+	    for (i = 2; i < length - 2; i += 3) {
+		if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+		    output_data(" %s",
+				SLC_NAME(pointer[i+SLC_FUNC]));
+		else
+		    output_data(" %d",
+				pointer[i+SLC_FUNC]);
+		switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+		case SLC_NOSUPPORT:
+		    output_data(" NOSUPPORT");
+		    break;
+		case SLC_CANTCHANGE:
+		    output_data(" CANTCHANGE");
+		    break;
+		case SLC_VARIABLE:
+		    output_data(" VARIABLE");
+		    break;
+		case SLC_DEFAULT:
+		    output_data(" DEFAULT");
+		    break;
+		}
+		output_data("%s%s%s",
+			    pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+			    pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+			    pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+		if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+					    SLC_FLUSHOUT| SLC_LEVELBITS)) {
+		    output_data("(0x%x)",
+				pointer[i+SLC_FLAGS]);
+		}
+		output_data(" %d;",
+			    pointer[i+SLC_VALUE]);
+		if ((pointer[i+SLC_VALUE] == IAC) &&
+		    (pointer[i+SLC_VALUE+1] == IAC))
+		    i++;
+	    }
+	    for (; i < length; i++) {
+		output_data(" ?%d?",
+			    pointer[i]);
+	    }
+	    break;
+
+	case LM_MODE:
+	    output_data("MODE ");
+	    if (length < 3) {
+		output_data("(no mode??\?)");
+		break;
+	    }
+	    {
+		char tbuf[32];
+		snprintf(tbuf,
+			 sizeof(tbuf),
+			 "%s%s%s%s%s",
+			 pointer[2]&MODE_EDIT ? "|EDIT" : "",
+			 pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+			 pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+			 pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+			 pointer[2]&MODE_ACK ? "|ACK" : "");
+		output_data("%s",
+			    tbuf[1] ? &tbuf[1] : "0");
+	    }
+	    if (pointer[2]&~(MODE_EDIT|MODE_TRAPSIG|MODE_ACK)) {
+		output_data(" (0x%x)",
+			    pointer[2]);
+	    }
+	    for (i = 3; i < length; i++) {
+		output_data(" ?0x%x?",
+			 pointer[i]);
+	    }
+	    break;
+	default:
+	    output_data("%d (unknown)",
+			pointer[1]);
+	    for (i = 2; i < length; i++) {
+		output_data(" %d", pointer[i]);
+	    }
+	}
+	break;
+
+    case TELOPT_STATUS: {
+	char *cp;
+	int j, k;
+
+	output_data("STATUS");
+
+	switch (pointer[1]) {
+	default:
+	    if (pointer[1] == TELQUAL_SEND)
+		output_data(" SEND");
+	    else
+		output_data(" %d (unknown)",
+			    pointer[1]);
+	    for (i = 2; i < length; i++) {
+		output_data(" ?%d?",
+			    pointer[i]);
+	    }
+	    break;
+	case TELQUAL_IS:
+	    output_data(" IS\r\n");
+
+	    for (i = 2; i < length; i++) {
+		switch(pointer[i]) {
+		case DO:	cp = "DO"; goto common2;
+		case DONT:	cp = "DONT"; goto common2;
+		case WILL:	cp = "WILL"; goto common2;
+		case WONT:	cp = "WONT"; goto common2;
+		common2:
+		i++;
+		if (TELOPT_OK(pointer[i]))
+		    output_data(" %s %s",
+				cp,
+				TELOPT(pointer[i]));
+		else
+		    output_data(" %s %d",
+				cp,
+				pointer[i]);
+
+		output_data("\r\n");
+		break;
+
+		case SB:
+		    output_data(" SB ");
+		    i++;
+		    j = k = i;
+		    while (j < length) {
+			if (pointer[j] == SE) {
+			    if (j+1 == length)
+				break;
+			    if (pointer[j+1] == SE)
+				j++;
+			    else
+				break;
+			}
+			pointer[k++] = pointer[j++];
+		    }
+		    printsub(0, &pointer[i], k - i);
+		    if (i < length) {
+			output_data(" SE");
+			i = j;
+		    } else
+			i = j - 1;
+
+		    output_data("\r\n");
+
+		    break;
+
+		default:
+		    output_data(" %d",
+				pointer[i]);
+		    break;
+		}
+	    }
+	    break;
+	}
+	break;
+    }
+
+    case TELOPT_XDISPLOC:
+	output_data("X-DISPLAY-LOCATION ");
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data("IS \"%.*s\"",
+			length-2,
+			(char *)pointer+2);
+	    break;
+	case TELQUAL_SEND:
+	    output_data("SEND");
+	    break;
+	default:
+	    output_data("- unknown qualifier %d (0x%x).",
+			pointer[1], pointer[1]);
+	}
+	break;
+
+    case TELOPT_NEW_ENVIRON:
+	output_data("NEW-ENVIRON ");
+	goto env_common1;
+    case TELOPT_OLD_ENVIRON:
+	output_data("OLD-ENVIRON");
+    env_common1:
+	switch (pointer[1]) {
+	case TELQUAL_IS:
+	    output_data("IS ");
+	    goto env_common;
+	case TELQUAL_SEND:
+	    output_data("SEND ");
+	    goto env_common;
+	case TELQUAL_INFO:
+	    output_data("INFO ");
+	env_common:
+	    {
+		int noquote = 2;
+		for (i = 2; i < length; i++ ) {
+		    switch (pointer[i]) {
+		    case NEW_ENV_VAR:
+			output_data("\" VAR " + noquote);
+			noquote = 2;
+			break;
+
+		    case NEW_ENV_VALUE:
+			output_data("\" VALUE " + noquote);
+			noquote = 2;
+			break;
+
+		    case ENV_ESC:
+			output_data("\" ESC " + noquote);
+			noquote = 2;
+			break;
+
+		    case ENV_USERVAR:
+			output_data("\" USERVAR " + noquote);
+			noquote = 2;
+			break;
+
+		    default:
+			if (isprint(pointer[i]) && pointer[i] != '"') {
+			    if (noquote) {
+				output_data ("\"");
+				noquote = 0;
+			    }
+			    output_data ("%c", pointer[i]);
+			} else {
+			    output_data("\" %03o " + noquote,
+					pointer[i]);
+			    noquote = 2;
+			}
+			break;
+		    }
+		}
+		if (!noquote)
+		    output_data ("\"");
+		break;
+	    }
+	}
+	break;
+
+#ifdef AUTHENTICATION
+    case TELOPT_AUTHENTICATION:
+	output_data("AUTHENTICATION");
+
+	if (length < 2) {
+	    output_data(" (empty suboption??\?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case TELQUAL_REPLY:
+	case TELQUAL_IS:
+	    output_data(" %s ",
+			(pointer[1] == TELQUAL_IS) ?
+			"IS" : "REPLY");
+	    if (AUTHTYPE_NAME_OK(pointer[2]))
+		output_data("%s ",
+			    AUTHTYPE_NAME(pointer[2]));
+	    else
+		output_data("%d ",
+			    pointer[2]);
+	    if (length < 3) {
+		output_data("(partial suboption??\?)");
+		break;
+	    }
+	    output_data("%s|%s",
+			((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			"CLIENT" : "SERVER",
+			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			"MUTUAL" : "ONE-WAY");
+
+	    auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+	    output_data("%s",
+			buf);
+	    break;
+
+	case TELQUAL_SEND:
+	    i = 2;
+	    output_data(" SEND ");
+	    while (i < length) {
+		if (AUTHTYPE_NAME_OK(pointer[i]))
+		    output_data("%s ",
+				AUTHTYPE_NAME(pointer[i]));
+		else
+		    output_data("%d ",
+				pointer[i]);
+		if (++i >= length) {
+		    output_data("(partial suboption??\?)");
+		    break;
+		}
+		output_data("%s|%s ",
+			    ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			    "CLIENT" : "SERVER",
+			    ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			    "MUTUAL" : "ONE-WAY");
+		++i;
+	    }
+	    break;
+
+	case TELQUAL_NAME:
+	    i = 2;
+	    output_data(" NAME \"%.*s\"",
+			length - 2,
+			pointer);
+	    break;
+
+	default:
+	    for (i = 2; i < length; i++) {
+		output_data(" ?%d?",
+			    pointer[i]);
+	    }
+	    break;
+	}
+	break;
+#endif
+
+#ifdef ENCRYPTION
+    case TELOPT_ENCRYPT:
+	output_data("ENCRYPT");
+	if (length < 2) {
+	    output_data(" (empty suboption?)");
+	    break;
+	}
+	switch (pointer[1]) {
+	case ENCRYPT_START:
+	    output_data(" START");
+	    break;
+
+	case ENCRYPT_END:
+	    output_data(" END");
+	    break;
+
+	case ENCRYPT_REQSTART:
+	    output_data(" REQUEST-START");
+	    break;
+
+	case ENCRYPT_REQEND:
+	    output_data(" REQUEST-END");
+	    break;
+
+	case ENCRYPT_IS:
+	case ENCRYPT_REPLY:
+	    output_data(" %s ",
+			(pointer[1] == ENCRYPT_IS) ?
+			"IS" : "REPLY");
+	    if (length < 3) {
+		output_data(" (partial suboption?)");
+		break;
+	    }
+	    if (ENCTYPE_NAME_OK(pointer[2]))
+		output_data("%s ",
+			    ENCTYPE_NAME(pointer[2]));
+	    else
+		output_data(" %d (unknown)",
+			    pointer[2]);
+
+	    encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+	    output_data("%s",
+			buf);
+	    break;
+
+	case ENCRYPT_SUPPORT:
+	    i = 2;
+	    output_data(" SUPPORT ");
+	    while (i < length) {
+		if (ENCTYPE_NAME_OK(pointer[i]))
+		    output_data("%s ",
+				ENCTYPE_NAME(pointer[i]));
+		else
+		    output_data("%d ",
+				pointer[i]);
+		i++;
+	    }
+	    break;
+
+	case ENCRYPT_ENC_KEYID:
+	    output_data(" ENC_KEYID %d", pointer[1]);
+	    goto encommon;
+
+	case ENCRYPT_DEC_KEYID:
+	    output_data(" DEC_KEYID %d", pointer[1]);
+	    goto encommon;
+
+	default:
+	    output_data(" %d (unknown)", pointer[1]);
+	encommon:
+	    for (i = 2; i < length; i++) {
+		output_data(" %d", pointer[i]);
+	    }
+	    break;
+	}
+	break;
+#endif
+
+    default:
+	if (TELOPT_OK(pointer[0]))
+	    output_data("%s (unknown)",
+			TELOPT(pointer[0]));
+	else
+	    output_data("%d (unknown)",
+			pointer[i]);
+	for (i = 1; i < length; i++) {
+	    output_data(" %d", pointer[i]);
+	}
+	break;
+    }
+    output_data("\r\n");
+}
+
+/*
+ * Dump a data buffer in hex and ascii to the output data stream.
+ */
+void
+printdata(char *tag, char *ptr, int cnt)
+{
+    int i;
+    char xbuf[30];
+
+    while (cnt) {
+	/* flush net output buffer if no room for new data) */
+	if ((&netobuf[BUFSIZ] - nfrontp) < 80) {
+	    netflush();
+	}
+
+	/* add a line of output */
+	output_data("%s: ", tag);
+	for (i = 0; i < 20 && cnt; i++) {
+	    output_data("%02x", *ptr);
+	    if (isprint(*ptr)) {
+		xbuf[i] = *ptr;
+	    } else {
+		xbuf[i] = '.';
+	    }
+	    if (i % 2) {
+		output_data(" ");
+	    }
+	    cnt--;
+	    ptr++;
+	}
+	xbuf[i] = '\0';
+	output_data(" %s\r\n", xbuf);
+    }
+}
+#endif /* DIAGNOSTICS */
diff --git a/crypto/kerberosIV/cf/ChangeLog b/crypto/kerberosIV/cf/ChangeLog
new file mode 100644
index 0000000..13d9bfd9
--- /dev/null
+++ b/crypto/kerberosIV/cf/ChangeLog
@@ -0,0 +1,216 @@
+1999-11-05  Assar Westerlund  <assar@sics.se>
+
+	* check-x.m4: include X_PRE_LIBS and X_EXTRA_LIBS when testing
+
+1999-11-01  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install-build-headers): use `cp' instead of
+ 	INSTALL_DATA for copying header files inside the build tree.  The
+ 	user might have redefined INSTALL_DATA to specify owners and other
+ 	information.
+
+1999-10-30  Assar Westerlund  <assar@sics.se>
+
+	* find-func-no-libs2.m4: add yet another argument to allow specify
+ 	linker flags that will be added _before_ the library when trying
+ 	to link
+
+	* find-func-no-libs.m4: add yet another argument to allow specify
+ 	linker flags that will be added _before_ the library when trying
+ 	to link
+
+1999-10-12  Assar Westerlund  <assar@sics.se>
+
+	* find-func-no-libs2.m4 (AC_FIND_FUNC_NO_LIBS2): new argument
+ 	`extra libs'
+
+	* find-func-no-libs.m4 (AC_FIND_FUNC_NO_LIBS): new argument `extra
+ 	libs'
+
+1999-09-01  Johan Danielsson  <joda@pdc.kth.se>
+
+	* capabilities.m4: sgi capabilities
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* have-struct-field.m4: quote macros when undefining
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install-build-headers): add dependencies
+
+1999-07-24  Assar Westerlund  <assar@sics.se>
+	
+	* have-type.m4: try to get autoheader to co-operate
+
+	* have-type.m4: stolen from Arla
+
+	* krb-struct-sockaddr-sa-len.m4: not used any longer.  removed.
+
+1999-06-13  Assar Westerlund  <assar@sics.se>
+
+	* krb-struct-spwd.m4: consequent name of cache variables
+
+	* krb-func-getlogin.m4: new file for testing for posix (broken)
+ 	getlogin
+
+	* shared-libs.m4 (freebsd[34]): don't use ld -Bshareable
+
+1999-06-02  Johan Danielsson  <joda@pdc.kth.se>
+
+	* check-x.m4: extended test for X
+	
+1999-05-14  Assar Westerlund  <assar@sics.se>
+
+	* check-netinet-ip-and-tcp.m4: proper autoheader tricks
+
+	* check-netinet-ip-and-tcp.m4: new file for checking for
+ 	netinet/{ip,tcp}.h.  These are special as they on Irix 6.5.3
+	require <standards.h> to be included in advance.
+ 
+	* check-xau.m4: we also need to check for XauFilename since it's
+ 	used by appl/kx.  And on Irix 6.5 that function requires linking
+ 	with -lX11.
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* krb-find-db.m4: try with more header files than ndbm.h
+
+1999-04-19  Assar Westerlund  <assar@sics.se>
+
+	* test-package.m4: try to handle the case of --without-package
+ 	correctly
+
+1999-04-17  Assar Westerlund  <assar@sics.se>
+
+	* make-aclocal: removed.  Not used anymore, being replaced by
+	aclocal from automake.
+
+Thu Apr 15 14:17:26 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* make-proto.pl: handle __attribute__
+
+Fri Apr  9 20:37:18 1999  Assar Westerlund  <assar@sics.se>
+
+	* shared-libs.m4: quote $@
+	(freebsd3): add install_symlink_command2
+
+Wed Apr  7 20:40:22 1999  Assar Westerlund  <assar@sics.se>
+
+	* shared-libs.m4 (hpux): no library dependencies
+
+Mon Apr  5 16:13:08 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* test-package.m4: compile and link, rather than looking for
+ 	files; also export more information, so it's possible to add rpath
+ 	information
+
+Tue Mar 30 13:49:54 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am.common: CFLAGS -> AM_CFLAGS
+
+Mon Mar 29 16:51:12 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* check-xau.m4: check for XauWriteAuth before checking for
+ 	XauReadAuth to catch -lX11:s not containing XauWriteAuth, and IRIX
+ 	6.5 that doesn't work with -lXau
+
+Sat Mar 27 18:03:58 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* osfc2.m4: --enable-osfc2
+
+Fri Mar 19 15:34:52 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* shared-libs.m4: move shared lib stuff here
+
+Wed Mar 24 23:24:51 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install-build-headers): simplify loop
+
+Tue Mar 23 17:31:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* check-getpwnam_r-posix.m4: check for getpwnam_r, and if it's
+ 	posix or not
+
+Tue Mar 23 00:00:13 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am.common (install_build_headers): try to make it work
+ 	better when list of headers is empty.  handle make rewriting the
+ 	filenames.
+
+	* Makefile.am.common: hesoid -> hesiod
+
+Sun Mar 21 14:48:03 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* grok-type.m4: <bind/bitypes.h>
+
+	* Makefile.am.common: fix for automake bug/feature; add more LIB_*
+
+	* test-package.m4: fix typo
+
+	* check-man.m4: fix some typos
+
+	* auth-modules.m4: tests for authentication modules
+
+Thu Mar 18 11:02:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am.common: make install-build-headers a multi
+ 	dependency target
+
+	* Makefile.am.common: remove include_dir hack
+
+	* Makefile.am.common: define LIB_kafs and LIB_gssapi
+
+	* krb-find-db.m4: subst DBLIB also
+
+	* check-xau.m4: test for Xau{Read,Write}Auth
+
+Wed Mar 10 19:29:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* wflags.m4: AC_WFLAGS
+
+Mon Mar  1 11:23:41 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* have-struct-field.m4: remove extra AC_MSG_RESULT
+
+	* proto-compat.m4: typo
+
+	* krb-func-getcwd-broken.m4: update to autoconf 2.13
+
+	* krb-find-db.m4: update to autoconf 2.13
+
+	* check-declaration.m4: typo
+
+	* have-pragma-weak.m4: update to autoconf 2.13
+
+	* have-struct-field.m4: better handling of types with spaces
+
+Mon Feb 22 20:05:06 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* broken-glob.m4: check for broken glob
+
+Sun Jan 31 06:50:33 1999  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: more magic for different v6 implementations.  From
+ 	Jun-ichiro itojun Hagino <itojun@kame.net>
+
+Sun Nov 22 12:16:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* krb-struct-spwd.m4: new file
+
+Thu Jun  4 04:07:41 1998  Assar Westerlund  <assar@sics.se>
+
+	* find-func-no-libs2.m4: new file
+
+Fri May  1 23:31:28 1998  Assar Westerlund  <assar@sics.se>
+
+	* c-attribute.m4, c-function.m4: new files (from arla)
+
+Wed Mar 18 23:11:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* krb-ipv6.m4: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6
+
+Thu Feb 26 02:37:49 1998  Assar Westerlund  <assar@sics.se>
+
+	* make-proto.pl: should work with perl4
+
diff --git a/crypto/kerberosIV/cf/Makefile.am.common b/crypto/kerberosIV/cf/Makefile.am.common
new file mode 100644
index 0000000..e7d747b
--- /dev/null
+++ b/crypto/kerberosIV/cf/Makefile.am.common
@@ -0,0 +1,255 @@
+# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h
+
+INCLUDES = -I$(top_builddir)/include
+
+AM_CFLAGS += $(WFLAGS)
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+## set build_HEADERZ to headers that should just be installed in build tree
+
+buildinclude = $(top_builddir)/include
+
+## these aren't detected by automake
+LIB_XauReadAuth		= @LIB_XauReadAuth@
+LIB_crypt		= @LIB_crypt@
+LIB_dbm_firstkey	= @LIB_dbm_firstkey@
+LIB_dbopen		= @LIB_dbopen@
+LIB_dlopen		= @LIB_dlopen@
+LIB_dn_expand		= @LIB_dn_expand@
+LIB_el_init		= @LIB_el_init@
+LIB_getattr		= @LIB_getattr@
+LIB_gethostbyname	= @LIB_gethostbyname@
+LIB_getpwent_r		= @LIB_getpwent_r@
+LIB_getpwnam_r		= @LIB_getpwnam_r@
+LIB_getsockopt		= @LIB_getsockopt@
+LIB_logout		= @LIB_logout@
+LIB_logwtmp		= @LIB_logwtmp@
+LIB_odm_initialize	= @LIB_odm_initialize@
+LIB_readline		= @LIB_readline@
+LIB_res_search		= @LIB_res_search@
+LIB_setpcred		= @LIB_setpcred@
+LIB_setsockopt		= @LIB_setsockopt@
+LIB_socket		= @LIB_socket@
+LIB_syslog		= @LIB_syslog@
+LIB_tgetent		= @LIB_tgetent@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_readline = @INCLUDE_readline@
+LIB_readline = @LIB_readline@
+
+LEXLIB = @LEXLIB@
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	chmod 0 $$x; fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " cp $$file $(buildinclude)/$$f"; \
+			cp $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+
+cat1dir = $(mandir)/cat1
+cat3dir = $(mandir)/cat3
+cat5dir = $(mandir)/cat5
+cat8dir = $(mandir)/cat8
+
+MANRX = \(.*\)\.\([0-9]\)
+CATSUFFIX = @CATSUFFIX@
+
+SUFFIXES += .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+
+NROFF_MAN = groff -mandoc -Tascii
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+## MAINTAINERCLEANFILES += 
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat1-mans:
+	@ext=1;\
+	foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat1dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+
+install-cat3-mans:
+	@ext=3;\
+	foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat3dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+	
+install-cat5-mans:
+	@ext=5;\
+	foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat5dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+	
+install-cat8-mans:
+	@ext=8;\
+	foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done; \
+	if test "$$foo"; then \
+		$(mkinstalldirs) $(DESTDIR)$(cat8dir); \
+		for x in $$foo; do \
+			f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \
+			if test -f "$(srcdir)/$$f"; then \
+				b=`echo $$x | sed 's!$(MANRX)!\1!'`; \
+				echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\
+				$(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\
+			 fi; \
+		done ;\
+	fi
+	
+
+install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans
+
+install-data-local: install-cat-mans
+
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+if KRB4
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+endif
+
+if KRB5
+LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la
+LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+endif
+
diff --git a/crypto/kerberosIV/cf/auth-modules.m4 b/crypto/kerberosIV/cf/auth-modules.m4
new file mode 100644
index 0000000..2f11c73
--- /dev/null
+++ b/crypto/kerberosIV/cf/auth-modules.m4
@@ -0,0 +1,27 @@
+dnl $Id: auth-modules.m4,v 1.1 1999/03/21 13:48:00 joda Exp $
+dnl
+dnl Figure what authentication modules should be built
+
+AC_DEFUN(AC_AUTH_MODULES,[
+AC_MSG_CHECKING(which authentication modules should be built)
+
+LIB_AUTH_SUBDIRS=
+
+if test "$ac_cv_header_siad_h" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia"
+fi
+
+if test "$ac_cv_header_security_pam_modules_h" = yes -a "$enable_shared" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam"
+fi
+
+case "${host}" in
+changequote(,)dnl
+*-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
+changequote([,])dnl
+esac
+
+AC_MSG_RESULT($LIB_AUTH_SUBDIRS)
+
+AC_SUBST(LIB_AUTH_SUBDIRS)dnl
+])
diff --git a/crypto/kerberosIV/cf/broken-glob.m4 b/crypto/kerberosIV/cf/broken-glob.m4
new file mode 100644
index 0000000..8d52792
--- /dev/null
+++ b/crypto/kerberosIV/cf/broken-glob.m4
@@ -0,0 +1,22 @@
+dnl $Id: broken-glob.m4,v 1.2 1999/03/01 09:52:15 joda Exp $
+dnl
+dnl check for glob(3)
+dnl
+AC_DEFUN(AC_BROKEN_GLOB,[
+AC_CACHE_CHECK(for working glob, ac_cv_func_glob_working,
+ac_cv_func_glob_working=yes
+AC_TRY_LINK([
+#include <stdio.h>
+#include <glob.h>],[
+glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE, NULL, NULL);
+],:,ac_cv_func_glob_working=no,:))
+
+if test "$ac_cv_func_glob_working" = yes; then
+	AC_DEFINE(HAVE_GLOB, 1, [define if you have a glob() that groks 
+	GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, and GLOB_TILDE])
+fi
+if test "$ac_cv_func_glob_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>
+#include <glob.h>],glob)
+fi
+])
diff --git a/crypto/kerberosIV/cf/broken-snprintf.m4 b/crypto/kerberosIV/cf/broken-snprintf.m4
new file mode 100644
index 0000000..efd69f0
--- /dev/null
+++ b/crypto/kerberosIV/cf/broken-snprintf.m4
@@ -0,0 +1,58 @@
+dnl $Id: broken-snprintf.m4,v 1.3 1999/03/01 09:52:22 joda Exp $
+dnl
+AC_DEFUN(AC_BROKEN_SNPRINTF, [
+AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working,
+ac_cv_func_snprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+changequote(`,')dnl
+	char foo[3];
+changequote([,])dnl
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}],:,ac_cv_func_snprintf_working=no,:))
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_SNPRINTF, 1, [define if you have a working snprintf])
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],snprintf)
+fi
+])
+
+AC_DEFUN(AC_BROKEN_VSNPRINTF,[
+AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working,
+ac_cv_func_vsnprintf_working=yes
+AC_TRY_RUN([
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+int foo(int num, ...)
+{
+changequote(`,')dnl
+	char bar[3];
+changequote([,])dnl
+	va_list arg;
+	va_start(arg, num);
+	vsnprintf(bar, 2, "%s", arg);
+	va_end(arg);
+	return strcmp(bar, "1");
+}
+
+
+int main()
+{
+	return foo(0, "12");
+}],:,ac_cv_func_vsnprintf_working=no,:))
+
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+	AC_DEFINE_UNQUOTED(HAVE_VSNPRINTF, 1, [define if you have a working vsnprintf])
+fi
+if test "$ac_cv_func_vsnprintf_working" = yes; then
+AC_NEED_PROTO([#include <stdio.h>],vsnprintf)
+fi
+])
diff --git a/crypto/kerberosIV/cf/broken.m4 b/crypto/kerberosIV/cf/broken.m4
new file mode 100644
index 0000000..4044064
--- /dev/null
+++ b/crypto/kerberosIV/cf/broken.m4
@@ -0,0 +1,19 @@
+dnl $Id: broken.m4,v 1.3 1998/03/16 22:16:19 joda Exp $
+dnl
+dnl
+dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal
+dnl libraries 
+
+AC_DEFUN(AC_BROKEN,
+[for ac_func in $1
+do
+AC_CHECK_FUNC($ac_func, [
+ac_tr_func=HAVE_[]upcase($ac_func)
+AC_DEFINE_UNQUOTED($ac_tr_func)],[LIBOBJS[]="$LIBOBJS ${ac_func}.o"])
+dnl autoheader tricks *sigh*
+: << END
+@@@funcs="$funcs $1"@@@
+END
+done
+AC_SUBST(LIBOBJS)dnl
+])
diff --git a/crypto/kerberosIV/cf/c-attribute.m4 b/crypto/kerberosIV/cf/c-attribute.m4
new file mode 100644
index 0000000..87cea03
--- /dev/null
+++ b/crypto/kerberosIV/cf/c-attribute.m4
@@ -0,0 +1,31 @@
+dnl
+dnl $Id: c-attribute.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+
+dnl
+dnl Test for __attribute__
+dnl
+
+AC_DEFUN(AC_C___ATTRIBUTE__, [
+AC_MSG_CHECKING(for __attribute__)
+AC_CACHE_VAL(ac_cv___attribute__, [
+AC_TRY_COMPILE([
+#include <stdlib.h>
+],
+[
+static void foo(void) __attribute__ ((noreturn));
+
+static void
+foo(void)
+{
+  exit(1);
+}
+],
+ac_cv___attribute__=yes,
+ac_cv___attribute__=no)])
+if test "$ac_cv___attribute__" = "yes"; then
+  AC_DEFINE(HAVE___ATTRIBUTE__, 1, [define if your compiler has __attribute__])
+fi
+AC_MSG_RESULT($ac_cv___attribute__)
+])
+
diff --git a/crypto/kerberosIV/cf/c-function.m4 b/crypto/kerberosIV/cf/c-function.m4
new file mode 100644
index 0000000..b16d556
--- /dev/null
+++ b/crypto/kerberosIV/cf/c-function.m4
@@ -0,0 +1,33 @@
+dnl
+dnl $Id: c-function.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+
+dnl
+dnl Test for __FUNCTION__
+dnl
+
+AC_DEFUN(AC_C___FUNCTION__, [
+AC_MSG_CHECKING(for __FUNCTION__)
+AC_CACHE_VAL(ac_cv___function__, [
+AC_TRY_RUN([
+#include <string.h>
+
+static char *foo()
+{
+  return __FUNCTION__;
+}
+
+int main()
+{
+  return strcmp(foo(), "foo") != 0;
+}
+],
+ac_cv___function__=yes,
+ac_cv___function__=no,
+ac_cv___function__=no)])
+if test "$ac_cv___function__" = "yes"; then
+  AC_DEFINE(HAVE___FUNCTION__, 1, [define if your compiler has __FUNCTION__])
+fi
+AC_MSG_RESULT($ac_cv___function__)
+])
+
diff --git a/crypto/kerberosIV/cf/capabilities.m4 b/crypto/kerberosIV/cf/capabilities.m4
new file mode 100644
index 0000000..6d2669b
--- /dev/null
+++ b/crypto/kerberosIV/cf/capabilities.m4
@@ -0,0 +1,14 @@
+dnl
+dnl $Id: capabilities.m4,v 1.2 1999/09/01 11:02:26 joda Exp $
+dnl
+
+dnl
+dnl Test SGI capabilities
+dnl
+
+AC_DEFUN(KRB_CAPABILITIES,[
+
+AC_CHECK_HEADERS(capability.h sys/capability.h)
+
+AC_CHECK_FUNCS(sgi_getcapabilitybyname cap_set_proc)
+])
diff --git a/crypto/kerberosIV/cf/check-declaration.m4 b/crypto/kerberosIV/cf/check-declaration.m4
new file mode 100644
index 0000000..5f584e5
--- /dev/null
+++ b/crypto/kerberosIV/cf/check-declaration.m4
@@ -0,0 +1,25 @@
+dnl $Id: check-declaration.m4,v 1.3 1999/03/01 13:03:08 joda Exp $
+dnl
+dnl
+dnl Check if we need the declaration of a variable
+dnl
+
+dnl AC_HAVE_DECLARATION(includes, variable)
+AC_DEFUN(AC_CHECK_DECLARATION, [
+AC_MSG_CHECKING([if $2 is properly declared])
+AC_CACHE_VAL(ac_cv_var_$2_declaration, [
+AC_TRY_COMPILE([$1
+extern struct { int foo; } $2;],
+[$2.foo = 1;],
+eval "ac_cv_var_$2_declaration=no",
+eval "ac_cv_var_$2_declaration=yes")
+])
+
+define(foo, [HAVE_]translit($2, [a-z], [A-Z])[_DECLARATION])
+
+AC_MSG_RESULT($ac_cv_var_$2_declaration)
+if eval "test \"\$ac_cv_var_$2_declaration\" = yes"; then
+	AC_DEFINE(foo, 1, [define if your system declares $2])
+fi
+undefine([foo])
+])
diff --git a/crypto/kerberosIV/cf/check-getpwnam_r-posix.m4 b/crypto/kerberosIV/cf/check-getpwnam_r-posix.m4
new file mode 100644
index 0000000..cc75666
--- /dev/null
+++ b/crypto/kerberosIV/cf/check-getpwnam_r-posix.m4
@@ -0,0 +1,24 @@
+dnl $Id: check-getpwnam_r-posix.m4,v 1.2 1999/03/23 16:47:31 joda Exp $
+dnl
+dnl check for getpwnam_r, and if it's posix or not
+
+AC_DEFUN(AC_CHECK_GETPWNAM_R_POSIX,[
+AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r)
+if test "$ac_cv_func_getpwnam_r" = yes; then
+	AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix,
+	ac_libs="$LIBS"
+	LIBS="$LIBS $LIB_getpwnam_r"
+	AC_TRY_RUN([
+#include <pwd.h>
+int main()
+{
+	struct passwd pw, *pwd;
+	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
+}
+],ac_cv_func_getpwnam_r_posix=yes,ac_cv_func_getpwnam_r_posix=no,:)
+LIBS="$ac_libs")
+if test "$ac_cv_func_getpwnam_r_posix" = yes; then
+	AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.])
+fi
+fi
+])
\ No newline at end of file
diff --git a/crypto/kerberosIV/cf/check-man.m4 b/crypto/kerberosIV/cf/check-man.m4
new file mode 100644
index 0000000..2133069
--- /dev/null
+++ b/crypto/kerberosIV/cf/check-man.m4
@@ -0,0 +1,59 @@
+dnl $Id: check-man.m4,v 1.2 1999/03/21 14:30:50 joda Exp $
+dnl check how to format manual pages
+dnl
+
+AC_DEFUN(AC_CHECK_MAN,
+[AC_PATH_PROG(NROFF, nroff)
+AC_PATH_PROG(GROFF, groff)
+AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format,
+[cat > conftest.1 << END
+.Dd January 1, 1970
+.Dt CONFTEST 1
+.Sh NAME
+.Nm conftest
+.Nd
+foobar
+END
+
+if test "$NROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$NROFF" $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$NROFF $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then
+	for i in "-mdoc" "-mandoc"; do
+		if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \
+			grep Jan > /dev/null 2>&1 ; then
+			ac_cv_sys_man_format="$GROFF -Tascii $i"
+			break
+		fi
+	done
+fi
+if test "$ac_cv_sys_man_format"; then
+	ac_cv_sys_man_format="$ac_cv_sys_man_format \[$]< > \[$]@"
+fi
+])
+if test "$ac_cv_sys_man_format"; then
+	CATMAN="$ac_cv_sys_man_format"
+	AC_SUBST(CATMAN)
+fi
+AM_CONDITIONAL(CATMAN, test "$CATMAN")
+AC_CACHE_CHECK(extension of pre-formatted manual pages,ac_cv_sys_catman_ext,
+[if grep _suffix /etc/man.conf > /dev/null 2>&1; then
+	ac_cv_sys_catman_ext=0
+else
+	ac_cv_sys_catman_ext=number
+fi
+])
+if test "$ac_cv_sys_catman_ext" = number; then
+	CATMANEXT='$$ext'
+else
+	CATMANEXT=0
+fi
+AC_SUBST(CATMANEXT)
+
+])
\ No newline at end of file
diff --git a/crypto/kerberosIV/cf/check-netinet-ip-and-tcp.m4 b/crypto/kerberosIV/cf/check-netinet-ip-and-tcp.m4
new file mode 100644
index 0000000..8cb529d
--- /dev/null
+++ b/crypto/kerberosIV/cf/check-netinet-ip-and-tcp.m4
@@ -0,0 +1,38 @@
+dnl
+dnl $Id: check-netinet-ip-and-tcp.m4,v 1.2 1999/05/14 13:15:40 assar Exp $
+dnl
+
+dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3
+dnl you have to include standards.h before including these files
+
+AC_DEFUN(CHECK_NETINET_IP_AND_TCP,
+[
+AC_CHECK_HEADERS(standards.h)
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+AC_MSG_CHECKING([for $i])
+AC_CACHE_VAL([ac_cv_header_$cv],
+[AC_TRY_CPP([\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+],
+eval "ac_cv_header_$cv=yes",
+eval "ac_cv_header_$cv=no")])
+AC_MSG_RESULT(`eval echo \\$ac_cv_header_$cv`)
+changequote(, )dnl
+if test `eval echo \\$ac_cv_header_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+changequote([, ])dnl
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+fi
+done
+dnl autoheader tricks *sigh*
+: << END
+@@@headers="$headers netinet/ip.h netinet/tcp.h"@@@
+END
+
+])
diff --git a/crypto/kerberosIV/cf/check-type-extra.m4 b/crypto/kerberosIV/cf/check-type-extra.m4
new file mode 100644
index 0000000..e6af4bd
--- /dev/null
+++ b/crypto/kerberosIV/cf/check-type-extra.m4
@@ -0,0 +1,23 @@
+dnl $Id: check-type-extra.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl ac_check_type + extra headers
+
+dnl AC_CHECK_TYPE_EXTRA(TYPE, DEFAULT, HEADERS)
+AC_DEFUN(AC_CHECK_TYPE_EXTRA,
+[AC_REQUIRE([AC_HEADER_STDC])dnl
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_type_$1,
+[AC_EGREP_CPP(dnl
+changequote(<<,>>)dnl
+<<$1[^a-zA-Z_0-9]>>dnl
+changequote([,]), [#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$3], ac_cv_type_$1=yes, ac_cv_type_$1=no)])dnl
+AC_MSG_RESULT($ac_cv_type_$1)
+if test $ac_cv_type_$1 = no; then
+  AC_DEFINE($1, $2, [Define this to what the type $1 should be.])
+fi
+])
diff --git a/crypto/kerberosIV/cf/check-var.m4 b/crypto/kerberosIV/cf/check-var.m4
new file mode 100644
index 0000000..9f37366
--- /dev/null
+++ b/crypto/kerberosIV/cf/check-var.m4
@@ -0,0 +1,20 @@
+dnl $Id: check-var.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl AC_CHECK_VAR(includes, variable)
+AC_DEFUN(AC_CHECK_VAR, [
+AC_MSG_CHECKING(for $2)
+AC_CACHE_VAL(ac_cv_var_$2, [
+AC_TRY_LINK([extern int $2;
+int foo() { return $2; }],
+	    [foo()],
+	    ac_cv_var_$2=yes, ac_cv_var_$2=no)
+])
+define([foo], [HAVE_]translit($2, [a-z], [A-Z]))
+
+AC_MSG_RESULT(`eval echo \\$ac_cv_var_$2`)
+if test `eval echo \\$ac_cv_var_$2` = yes; then
+	AC_DEFINE_UNQUOTED(foo, 1, [define if you have $2])
+	AC_CHECK_DECLARATION([$1],[$2])
+fi
+undefine([foo])
+])
diff --git a/crypto/kerberosIV/cf/check-x.m4 b/crypto/kerberosIV/cf/check-x.m4
new file mode 100644
index 0000000..1791e5a
--- /dev/null
+++ b/crypto/kerberosIV/cf/check-x.m4
@@ -0,0 +1,52 @@
+dnl 
+dnl See if there is any X11 present
+dnl
+dnl $Id: check-x.m4,v 1.2 1999/11/05 04:25:23 assar Exp $
+
+AC_DEFUN(KRB_CHECK_X,[
+AC_PATH_XTRA
+
+# try to figure out if we need any additional ld flags, like -R
+# and yes, the autoconf X test is utterly broken
+if test "$no_x" != yes; then
+	AC_CACHE_CHECK(for special X linker flags,krb_cv_sys_x_libs_rpath,[
+	ac_save_libs="$LIBS"
+	ac_save_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS $X_CFLAGS"
+	krb_cv_sys_x_libs_rpath=""
+	krb_cv_sys_x_libs=""
+	for rflag in "" "-R" "-R " "-rpath "; do
+		if test "$rflag" = ""; then
+			foo="$X_LIBS"
+		else
+			foo=""
+			for flag in $X_LIBS; do
+			case $flag in
+			-L*)
+				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
+				;;
+			*)
+				foo="$foo $flag"
+				;;
+			esac
+			done
+		fi
+		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
+		AC_TRY_RUN([
+		#include <X11/Xlib.h>
+		foo()
+		{
+		XOpenDisplay(NULL);
+		}
+		main()
+		{
+		return 0;
+		}
+		], krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break,:)
+	done
+	LIBS="$ac_save_libs"
+	CFLAGS="$ac_save_cflags"
+	])
+	X_LIBS="$krb_cv_sys_x_libs"
+fi
+])
diff --git a/crypto/kerberosIV/cf/check-xau.m4 b/crypto/kerberosIV/cf/check-xau.m4
new file mode 100644
index 0000000..bad2a60
--- /dev/null
+++ b/crypto/kerberosIV/cf/check-xau.m4
@@ -0,0 +1,64 @@
+dnl $Id: check-xau.m4,v 1.3 1999/05/14 01:17:06 assar Exp $
+dnl
+dnl check for Xau{Read,Write}Auth and XauFileName
+dnl
+AC_DEFUN(AC_CHECK_XAU,[
+save_CFLAGS="$CFLAGS"
+CFLAGS="$X_CFLAGS $CFLAGS"
+save_LIBS="$LIBS"
+dnl LIBS="$X_LIBS $X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $X_LIBS"
+
+## check for XauWriteAuth first, so we detect the case where
+## XauReadAuth is in -lX11, but XauWriteAuth is only in -lXau this
+## could be done by checking for XauReadAuth in -lXau first, but this
+## breaks in IRIX 6.5
+
+AC_FIND_FUNC_NO_LIBS(XauWriteAuth, X11 Xau)
+ac_xxx="$LIBS"
+LIBS="$LIB_XauWriteAuth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauReadAuth, X11 Xau)
+LIBS="$LIB_XauReadAauth $LIBS"
+AC_FIND_FUNC_NO_LIBS(XauFileName, X11 Xau)
+LIBS="$ac_xxx"
+
+## set LIB_XauReadAuth to union of these tests, since this is what the
+## Makefiles are using
+case "$ac_cv_funclib_XauWriteAuth" in
+yes)	;;
+no)	;;
+*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	else
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	fi
+	;;
+esac
+
+if test "$AUTOMAKE" != ""; then
+	AM_CONDITIONAL(NEED_WRITEAUTH, test "$ac_cv_func_XauWriteAuth" != "yes")
+else
+	AC_SUBST(NEED_WRITEAUTH_TRUE)
+	AC_SUBST(NEED_WRITEAUTH_FALSE)
+	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+		NEED_WRITEAUTH_TRUE=
+		NEED_WRITEAUTH_FALSE='#'
+	else
+		NEED_WRITEAUTH_TRUE='#'
+		NEED_WRITEAUTH_FALSE=
+	fi
+fi
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+LDFLAGS=$save_LDFLAGS
+])
diff --git a/crypto/kerberosIV/cf/find-func-no-libs.m4 b/crypto/kerberosIV/cf/find-func-no-libs.m4
new file mode 100644
index 0000000..3deab02
--- /dev/null
+++ b/crypto/kerberosIV/cf/find-func-no-libs.m4
@@ -0,0 +1,9 @@
+dnl $Id: find-func-no-libs.m4,v 1.5 1999/10/30 21:08:18 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS, [
+AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])])
diff --git a/crypto/kerberosIV/cf/find-func-no-libs2.m4 b/crypto/kerberosIV/cf/find-func-no-libs2.m4
new file mode 100644
index 0000000..c404a7c
--- /dev/null
+++ b/crypto/kerberosIV/cf/find-func-no-libs2.m4
@@ -0,0 +1,63 @@
+dnl $Id: find-func-no-libs2.m4,v 1.3 1999/10/30 21:09:53 assar Exp $
+dnl
+dnl
+dnl Look for function in any of the specified libraries
+dnl
+
+dnl AC_FIND_FUNC_NO_LIBS2(func, libraries, includes, arguments, extra libs, extra args)
+AC_DEFUN(AC_FIND_FUNC_NO_LIBS2, [
+
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(ac_cv_funclib_$1,
+[
+if eval "test \"\$ac_cv_func_$1\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in $2; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS="$6 $ac_lib $5 $ac_save_LIBS"
+		AC_TRY_LINK([$3],[$1($4)],eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break)
+	done
+	eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}"
+	LIBS="$ac_save_LIBS"
+fi
+])
+
+eval "ac_res=\$ac_cv_funclib_$1"
+
+dnl autoheader tricks *sigh*
+: << END
+@@@funcs="$funcs $1"@@@
+@@@libs="$libs $2"@@@
+END
+
+# $1
+eval "ac_tr_func=HAVE_[]upcase($1)"
+eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')"
+eval "LIB_$1=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_$1=yes"
+	eval "LIB_$1="
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_MSG_RESULT([yes])
+	;;
+	no)
+	eval "ac_cv_func_$1=no"
+	eval "LIB_$1="
+	AC_MSG_RESULT([no])
+	;;
+	*)
+	eval "ac_cv_func_$1=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	AC_DEFINE_UNQUOTED($ac_tr_func)
+	AC_DEFINE_UNQUOTED($ac_tr_lib)
+	AC_MSG_RESULT([yes, in $ac_res])
+	;;
+esac
+AC_SUBST(LIB_$1)
+])
diff --git a/crypto/kerberosIV/cf/find-func.m4 b/crypto/kerberosIV/cf/find-func.m4
new file mode 100644
index 0000000..bb2b3ac
--- /dev/null
+++ b/crypto/kerberosIV/cf/find-func.m4
@@ -0,0 +1,9 @@
+dnl $Id: find-func.m4,v 1.1 1997/12/14 15:58:58 joda Exp $
+dnl
+dnl AC_FIND_FUNC(func, libraries, includes, arguments)
+AC_DEFUN(AC_FIND_FUNC, [
+AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4])
+if test -n "$LIB_$1"; then
+	LIBS="$LIB_$1 $LIBS"
+fi
+])
diff --git a/crypto/kerberosIV/cf/find-if-not-broken.m4 b/crypto/kerberosIV/cf/find-if-not-broken.m4
new file mode 100644
index 0000000..e855ec7
--- /dev/null
+++ b/crypto/kerberosIV/cf/find-if-not-broken.m4
@@ -0,0 +1,13 @@
+dnl $Id: find-if-not-broken.m4,v 1.2 1998/03/16 22:16:27 joda Exp $
+dnl
+dnl
+dnl Mix between AC_FIND_FUNC and AC_BROKEN
+dnl
+
+AC_DEFUN(AC_FIND_IF_NOT_BROKEN,
+[AC_FIND_FUNC([$1], [$2], [$3], [$4])
+if eval "test \"$ac_cv_func_$1\" != yes"; then
+LIBOBJS[]="$LIBOBJS $1.o"
+fi
+AC_SUBST(LIBOBJS)dnl
+])
diff --git a/crypto/kerberosIV/cf/grok-type.m4 b/crypto/kerberosIV/cf/grok-type.m4
new file mode 100644
index 0000000..5bc6a66
--- /dev/null
+++ b/crypto/kerberosIV/cf/grok-type.m4
@@ -0,0 +1,38 @@
+dnl $Id: grok-type.m4,v 1.4 1999/11/29 11:16:48 joda Exp $
+dnl
+AC_DEFUN(AC_GROK_TYPE, [
+AC_CACHE_VAL(ac_cv_type_$1, 
+AC_TRY_COMPILE([
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+],
+$i x;
+,
+eval ac_cv_type_$1=yes,
+eval ac_cv_type_$1=no))])
+
+AC_DEFUN(AC_GROK_TYPES, [
+for i in $1; do
+	AC_MSG_CHECKING(for $i)
+	AC_GROK_TYPE($i)
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_[]upcase($i)
+		AC_DEFINE_UNQUOTED($type)
+	fi
+	AC_MSG_RESULT($ac_res)
+done
+])
diff --git a/crypto/kerberosIV/cf/have-pragma-weak.m4 b/crypto/kerberosIV/cf/have-pragma-weak.m4
new file mode 100644
index 0000000..330e601
--- /dev/null
+++ b/crypto/kerberosIV/cf/have-pragma-weak.m4
@@ -0,0 +1,37 @@
+dnl $Id: have-pragma-weak.m4,v 1.3 1999/03/01 11:55:25 joda Exp $
+dnl
+AC_DEFUN(AC_HAVE_PRAGMA_WEAK, [
+if test "${enable_shared}" = "yes"; then
+AC_MSG_CHECKING(for pragma weak)
+AC_CACHE_VAL(ac_have_pragma_weak, [
+ac_have_pragma_weak=no
+cat > conftest_foo.$ac_ext <<'EOF'
+[#]line __oline__ "configure"
+#include "confdefs.h"
+#pragma weak foo = _foo
+int _foo = 17;
+EOF
+cat > conftest_bar.$ac_ext <<'EOF'
+[#]line __oline__ "configure"
+#include "confdefs.h"
+extern int foo;
+
+int t() {
+  return foo;
+}
+
+int main() {
+  return t();
+}
+EOF
+if AC_TRY_EVAL('CC -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest_foo.$ac_ext conftest_bar.$ac_ext 1>&AC_FD_CC'); then
+ac_have_pragma_weak=yes
+fi
+rm -rf conftest*
+])
+if test "$ac_have_pragma_weak" = "yes"; then
+	AC_DEFINE(HAVE_PRAGMA_WEAK, 1, [Define this if your compiler supports \`#pragma weak.'])dnl
+fi
+AC_MSG_RESULT($ac_have_pragma_weak)
+fi
+])
diff --git a/crypto/kerberosIV/cf/have-struct-field.m4 b/crypto/kerberosIV/cf/have-struct-field.m4
new file mode 100644
index 0000000..88ad5c3
--- /dev/null
+++ b/crypto/kerberosIV/cf/have-struct-field.m4
@@ -0,0 +1,19 @@
+dnl $Id: have-struct-field.m4,v 1.6 1999/07/29 01:44:32 assar Exp $
+dnl
+dnl check for fields in a structure
+dnl
+dnl AC_HAVE_STRUCT_FIELD(struct, field, headers)
+
+AC_DEFUN(AC_HAVE_STRUCT_FIELD, [
+define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
+AC_CACHE_CHECK([for $2 in $1], cache_val,[
+AC_TRY_COMPILE([$3],[$1 x; x.$2;],
+cache_val=yes,
+cache_val=no)])
+if test "$cache_val" = yes; then
+	define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_]))
+	AC_DEFINE(foo, 1, [Define if $1 has field $2.])
+	undefine([foo])
+fi
+undefine([cache_val])
+])
diff --git a/crypto/kerberosIV/cf/have-type.m4 b/crypto/kerberosIV/cf/have-type.m4
new file mode 100644
index 0000000..7963355
--- /dev/null
+++ b/crypto/kerberosIV/cf/have-type.m4
@@ -0,0 +1,31 @@
+dnl $Id: have-type.m4,v 1.4 1999/07/24 19:23:01 assar Exp $
+dnl
+dnl check for existance of a type
+
+dnl AC_HAVE_TYPE(TYPE,INCLUDES)
+AC_DEFUN(AC_HAVE_TYPE, [
+cv=`echo "$1" | sed 'y%./+- %__p__%'`
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL([ac_cv_type_$cv],
+AC_TRY_COMPILE(
+[#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+$2],
+[$1 foo;],
+eval "ac_cv_type_$cv=yes",
+eval "ac_cv_type_$cv=no"))dnl
+AC_MSG_RESULT(`eval echo \\$ac_cv_type_$cv`)
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+dnl autoheader tricks *sigh*
+define(foo,translit($1, [ ], [_]))
+: << END
+@@@funcs="$funcs foo"@@@
+END
+undefine([foo])
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1)
+fi
+])
diff --git a/crypto/kerberosIV/cf/have-types.m4 b/crypto/kerberosIV/cf/have-types.m4
new file mode 100644
index 0000000..7c85c5d
--- /dev/null
+++ b/crypto/kerberosIV/cf/have-types.m4
@@ -0,0 +1,14 @@
+dnl
+dnl $Id: have-types.m4,v 1.1 1999/07/24 18:38:58 assar Exp $
+dnl
+
+AC_DEFUN(AC_HAVE_TYPES, [
+for i in $1; do
+        AC_HAVE_TYPE($i)
+done
+: << END
+changequote(`,')dnl
+@@@funcs="$funcs $1"@@@
+changequote([,])dnl
+END
+])
diff --git a/crypto/kerberosIV/cf/krb-find-db.m4 b/crypto/kerberosIV/cf/krb-find-db.m4
new file mode 100644
index 0000000..002730c
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-find-db.m4
@@ -0,0 +1,100 @@
+dnl $Id: krb-find-db.m4,v 1.5.16.1 2000/08/16 04:11:57 assar Exp $
+dnl
+dnl find a suitable database library
+dnl
+dnl AC_FIND_DB(libraries)
+AC_DEFUN(KRB_FIND_DB, [
+
+lib_dbm=no
+lib_db=no
+
+for i in $1; do
+
+	if test "$i"; then
+		m="lib$i"
+		l="-l$i"
+	else
+		m="libc"
+		l=""
+	fi	
+
+	AC_MSG_CHECKING(for dbm_open in $m)
+	AC_CACHE_VAL(ac_cv_krb_dbm_open_$m, [
+
+	save_LIBS="$LIBS"
+	LIBS="$l $LIBS"
+	AC_TRY_RUN([
+#include <unistd.h>
+#include <fcntl.h>
+#if defined(HAVE_NDBM_H)
+#include <ndbm.h>
+#elif defined(HAVE_GDBM_NDBM_H)
+#include <gdbm/ndbm.h>
+#elif defined(HAVE_DBM_H)
+#include <dbm.h>
+#elif defined(HAVE_RPCSVC_DBM_H)
+#include <rpcsvc/dbm.h>
+#elif defined(HAVE_DB_H)
+#define DB_DBM_HSEARCH 1
+#include <db.h>
+#endif
+int main()
+{
+  DBM *d;
+
+  d = dbm_open("conftest", O_RDWR | O_CREAT, 0666);
+  if(d == NULL)
+    return 1;
+  dbm_close(d);
+  return 0;
+}], [
+	if test -f conftest.db; then
+		ac_res=db
+	else
+		ac_res=dbm
+	fi], ac_res=no, ac_res=no)
+
+	LIBS="$save_LIBS"
+
+	eval ac_cv_krb_dbm_open_$m=$ac_res])
+	eval ac_res=\$ac_cv_krb_dbm_open_$m
+	AC_MSG_RESULT($ac_res)
+
+	if test "$lib_dbm" = no -a $ac_res = dbm; then
+		lib_dbm="$l"
+	elif test "$lib_db" = no -a $ac_res = db; then
+		lib_db="$l"
+		break
+	fi
+done
+
+AC_MSG_CHECKING(for NDBM library)
+ac_ndbm=no
+if test "$lib_db" != no; then
+	LIB_DBM="$lib_db"
+	ac_ndbm=yes
+	AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files ending in .db).])
+	if test "$LIB_DBM"; then
+		ac_res="yes, $LIB_DBM"
+	else
+		ac_res=yes
+	fi
+elif test "$lib_dbm" != no; then
+	LIB_DBM="$lib_dbm"
+	ac_ndbm=yes
+	if test "$LIB_DBM"; then
+		ac_res="yes, $LIB_DBM"
+	else
+		ac_res=yes
+	fi
+else
+	LIB_DBM=""
+	ac_res=no
+fi
+test "$ac_ndbm" = yes && AC_DEFINE(NDBM, 1, [Define if you have NDBM (and not DBM)])dnl
+AC_SUBST(LIB_DBM)
+DBLIB="$LIB_DBM"
+AC_SUBST(DBLIB)
+AC_MSG_RESULT($ac_res)
+
+])
diff --git a/crypto/kerberosIV/cf/krb-func-getcwd-broken.m4 b/crypto/kerberosIV/cf/krb-func-getcwd-broken.m4
new file mode 100644
index 0000000..d248922
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-func-getcwd-broken.m4
@@ -0,0 +1,42 @@
+dnl $Id: krb-func-getcwd-broken.m4,v 1.2 1999/03/01 13:03:32 joda Exp $
+dnl
+dnl
+dnl test for broken getcwd in (SunOS braindamage)
+dnl
+
+AC_DEFUN(AC_KRB_FUNC_GETCWD_BROKEN, [
+if test "$ac_cv_func_getcwd" = yes; then
+AC_MSG_CHECKING(if getcwd is broken)
+AC_CACHE_VAL(ac_cv_func_getcwd_broken, [
+ac_cv_func_getcwd_broken=no
+
+AC_TRY_RUN([
+#include <errno.h>
+char *getcwd(char*, int);
+
+void *popen(char *cmd, char *mode)
+{
+	errno = ENOTTY;
+	return 0;
+}
+
+int main()
+{
+	char *ret;
+	ret = getcwd(0, 1024);
+	if(ret == 0 && errno == ENOTTY)
+		return 0;
+	return 1;
+}
+], ac_cv_func_getcwd_broken=yes,:,:)
+])
+if test "$ac_cv_func_getcwd_broken" = yes; then
+	AC_DEFINE(BROKEN_GETCWD, 1, [Define if getcwd is broken (like in SunOS 4).])dnl
+	LIBOBJS="$LIBOBJS getcwd.o"
+	AC_SUBST(LIBOBJS)dnl
+	AC_MSG_RESULT($ac_cv_func_getcwd_broken)
+else
+	AC_MSG_RESULT([seems ok])
+fi
+fi
+])
diff --git a/crypto/kerberosIV/cf/krb-func-getlogin.m4 b/crypto/kerberosIV/cf/krb-func-getlogin.m4
new file mode 100644
index 0000000..921c5ab
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-func-getlogin.m4
@@ -0,0 +1,22 @@
+dnl
+dnl $Id: krb-func-getlogin.m4,v 1.1 1999/07/13 17:45:30 assar Exp $
+dnl
+dnl test for POSIX (broken) getlogin
+dnl
+
+
+AC_DEFUN(AC_FUNC_GETLOGIN, [
+AC_CHECK_FUNCS(getlogin setlogin)
+if test "$ac_cv_func_getlogin" = yes; then
+AC_CACHE_CHECK(if getlogin is posix, ac_cv_func_getlogin_posix, [
+if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
+	ac_cv_func_getlogin_posix=no
+else
+	ac_cv_func_getlogin_posix=yes
+fi
+])
+if test "$ac_cv_func_getlogin_posix" = yes; then
+	AC_DEFINE(POSIX_GETLOGIN, 1, [Define if getlogin has POSIX flavour (and not BSD).])
+fi
+fi
+])
diff --git a/crypto/kerberosIV/cf/krb-ipv6.m4 b/crypto/kerberosIV/cf/krb-ipv6.m4
new file mode 100644
index 0000000..490058d
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-ipv6.m4
@@ -0,0 +1,130 @@
+dnl $Id: krb-ipv6.m4,v 1.5 1999/03/21 14:06:16 joda Exp $
+dnl
+dnl test for IPv6
+dnl
+AC_DEFUN(AC_KRB_IPV6, [
+AC_CACHE_CHECK(for IPv6,ac_cv_lib_ipv6,
+AC_TRY_COMPILE([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+],
+[
+#if defined(IN6ADDR_ANY_INIT)
+struct in6_addr any = IN6ADDR_ANY_INIT;
+#elif defined(IPV6ADDR_ANY_INIT)
+struct in6_addr any = IPV6ADDR_ANY_INIT;
+#else
+#error no any?
+#endif
+ struct sockaddr_in6 sin6;
+ int s;
+
+ s = socket(AF_INET6, SOCK_DGRAM, 0);
+
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_port = htons(17);
+ sin6.sin6_addr = any;
+ bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
+],
+ac_cv_lib_ipv6=yes,
+ac_cv_lib_ipv6=no))
+if test "$ac_cv_lib_ipv6" = yes; then
+  AC_DEFINE(HAVE_IPV6, 1, [Define if you have IPv6.])
+
+	dnl check for different v6 implementations (by itojun)
+	v6type=unknown
+	v6lib=none
+
+	AC_MSG_CHECKING([ipv6 stack type])
+	for i in v6d toshiba kame inria zeta linux; do
+		case $i in
+		v6d)
+			AC_EGREP_CPP(yes, [dnl
+#include </usr/local/v6/include/sys/types.h>
+#ifdef __V6D__
+yes
+#endif],
+				[v6type=$i; v6lib=v6;
+				v6libdir=/usr/local/v6/lib;
+				CFLAGS="-I/usr/local/v6/include $CFLAGS"])
+			;;
+		toshiba)
+			AC_EGREP_CPP(yes, [dnl
+#include <sys/param.h>
+#ifdef _TOSHIBA_INET6
+yes
+#endif],
+				[v6type=$i; v6lib=inet6;
+				v6libdir=/usr/local/v6/lib;
+				CFLAGS="-DINET6 $CFLAGS"])
+			;;
+		kame)
+			AC_EGREP_CPP(yes, [dnl
+#include <netinet/in.h>
+#ifdef __KAME__
+yes
+#endif],
+				[v6type=$i; v6lib=inet6;
+				v6libdir=/usr/local/v6/lib;
+				CFLAGS="-DINET6 $CFLAGS"])
+			;;
+		inria)
+			AC_EGREP_CPP(yes, [dnl
+#include <netinet/in.h>
+#ifdef IPV6_INRIA_VERSION
+yes
+#endif],
+				[v6type=$i; CFLAGS="-DINET6 $CFLAGS"])
+			;;
+		zeta)
+			AC_EGREP_CPP(yes, [dnl
+#include <sys/param.h>
+#ifdef _ZETA_MINAMI_INET6
+yes
+#endif],
+				[v6type=$i; v6lib=inet6;
+				v6libdir=/usr/local/v6/lib;
+				CFLAGS="-DINET6 $CFLAGS"])
+			;;
+		linux)
+			if test -d /usr/inet6; then
+				v6type=$i
+				v6lib=inet6
+				v6libdir=/usr/inet6
+				CFLAGS="-DINET6 $CFLAGS"
+			fi
+			;;
+		esac
+		if test "$v6type" != "unknown"; then
+			break
+		fi
+	done
+	AC_MSG_RESULT($v6type)
+
+	if test "$v6lib" != "none"; then
+		for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do
+			if test -d $dir -a -f $dir/lib$v6lib.a; then
+				LIBS="-L$dir -l$v6lib $LIBS"
+				break
+			fi
+		done
+dnl		AC_CHECK_LIB($v6lib, getaddrinfo,
+dnl			[SERVER_LIBS="-l$v6lib $SERVER_LIBS"],
+dnl			[dnl
+dnl			echo "Fatal: no $v6lib library found.  cannot continue."
+dnl			echo "You need to fetch lib$v6lib.a from appropriate v6 kit and"
+dnl			echo 'compile beforehand.'
+dnl			exit 1])
+	fi
+fi
+])
diff --git a/crypto/kerberosIV/cf/krb-prog-ln-s.m4 b/crypto/kerberosIV/cf/krb-prog-ln-s.m4
new file mode 100644
index 0000000..efb706e
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-prog-ln-s.m4
@@ -0,0 +1,28 @@
+dnl $Id: krb-prog-ln-s.m4,v 1.1 1997/12/14 15:59:01 joda Exp $
+dnl
+dnl
+dnl Better test for ln -s, ln or cp
+dnl
+
+AC_DEFUN(AC_KRB_PROG_LN_S,
+[AC_MSG_CHECKING(for ln -s or something else)
+AC_CACHE_VAL(ac_cv_prog_LN_S,
+[rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  touch conftestdata1
+  if ln conftestdata1 conftestdata2; then
+    rm -f conftestdata*
+    ac_cv_prog_LN_S=ln
+  else
+    ac_cv_prog_LN_S=cp
+  fi
+fi])dnl
+LN_S="$ac_cv_prog_LN_S"
+AC_MSG_RESULT($ac_cv_prog_LN_S)
+AC_SUBST(LN_S)dnl
+])
+
diff --git a/crypto/kerberosIV/cf/krb-prog-ranlib.m4 b/crypto/kerberosIV/cf/krb-prog-ranlib.m4
new file mode 100644
index 0000000..fd1d3db
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-prog-ranlib.m4
@@ -0,0 +1,8 @@
+dnl $Id: krb-prog-ranlib.m4,v 1.1 1997/12/14 15:59:01 joda Exp $
+dnl
+dnl
+dnl Also look for EMXOMF for OS/2
+dnl
+
+AC_DEFUN(AC_KRB_PROG_RANLIB,
+[AC_CHECK_PROGS(RANLIB, ranlib EMXOMF, :)])
diff --git a/crypto/kerberosIV/cf/krb-prog-yacc.m4 b/crypto/kerberosIV/cf/krb-prog-yacc.m4
new file mode 100644
index 0000000..28ae59c
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-prog-yacc.m4
@@ -0,0 +1,8 @@
+dnl $Id: krb-prog-yacc.m4,v 1.1 1997/12/14 15:59:02 joda Exp $
+dnl
+dnl
+dnl We prefer byacc or yacc because they do not use `alloca'
+dnl
+
+AC_DEFUN(AC_KRB_PROG_YACC,
+[AC_CHECK_PROGS(YACC, byacc yacc 'bison -y')])
diff --git a/crypto/kerberosIV/cf/krb-struct-sockaddr-sa-len.m4 b/crypto/kerberosIV/cf/krb-struct-sockaddr-sa-len.m4
new file mode 100644
index 0000000..ac80690
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-struct-sockaddr-sa-len.m4
@@ -0,0 +1,22 @@
+dnl $Id: krb-struct-sockaddr-sa-len.m4,v 1.1 1997/12/14 15:59:02 joda Exp $
+dnl
+dnl
+dnl Check for sa_len in sys/socket.h
+dnl
+
+AC_DEFUN(AC_KRB_STRUCT_SOCKADDR_SA_LEN, [
+AC_MSG_CHECKING(for sa_len in struct sockaddr)
+AC_CACHE_VAL(ac_cv_struct_sockaddr_sa_len, [
+AC_TRY_COMPILE(
+[#include <sys/types.h>
+#include <sys/socket.h>],
+[struct sockaddr sa;
+int foo = sa.sa_len;],
+ac_cv_struct_sockaddr_sa_len=yes,
+ac_cv_struct_sockaddr_sa_len=no)
+])
+if test "$ac_cv_struct_sockaddr_sa_len" = yes; then
+	AC_DEFINE(SOCKADDR_HAS_SA_LEN)dnl
+fi
+AC_MSG_RESULT($ac_cv_struct_sockaddr_sa_len)
+])
diff --git a/crypto/kerberosIV/cf/krb-struct-spwd.m4 b/crypto/kerberosIV/cf/krb-struct-spwd.m4
new file mode 100644
index 0000000..4ab81fd
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-struct-spwd.m4
@@ -0,0 +1,22 @@
+dnl $Id: krb-struct-spwd.m4,v 1.3 1999/07/13 21:04:11 assar Exp $
+dnl
+dnl Test for `struct spwd'
+
+AC_DEFUN(AC_KRB_STRUCT_SPWD, [
+AC_MSG_CHECKING(for struct spwd)
+AC_CACHE_VAL(ac_cv_struct_spwd, [
+AC_TRY_COMPILE(
+[#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif],
+[struct spwd foo;],
+ac_cv_struct_spwd=yes,
+ac_cv_struct_spwd=no)
+])
+AC_MSG_RESULT($ac_cv_struct_spwd)
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_SPWD, 1, [define if you have struct spwd])
+fi
+])
diff --git a/crypto/kerberosIV/cf/krb-struct-winsize.m4 b/crypto/kerberosIV/cf/krb-struct-winsize.m4
new file mode 100644
index 0000000..f89f683
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-struct-winsize.m4
@@ -0,0 +1,27 @@
+dnl $Id: krb-struct-winsize.m4,v 1.2 1999/03/01 09:52:23 joda Exp $
+dnl
+dnl
+dnl Search for struct winsize
+dnl
+
+AC_DEFUN(AC_KRB_STRUCT_WINSIZE, [
+AC_MSG_CHECKING(for struct winsize)
+AC_CACHE_VAL(ac_cv_struct_winsize, [
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+AC_EGREP_HEADER(
+changequote(, )dnl
+struct[ 	]*winsize,dnl
+changequote([,])dnl
+$i, ac_cv_struct_winsize=yes; break)dnl
+done
+])
+if test "$ac_cv_struct_winsize" = "yes"; then
+  AC_DEFINE(HAVE_STRUCT_WINSIZE, 1, [define if struct winsize is declared in sys/termios.h])
+fi
+AC_MSG_RESULT($ac_cv_struct_winsize)
+AC_EGREP_HEADER(ws_xpixel, termios.h, 
+	AC_DEFINE(HAVE_WS_XPIXEL, 1, [define if struct winsize has ws_xpixel]))
+AC_EGREP_HEADER(ws_ypixel, termios.h, 
+	AC_DEFINE(HAVE_WS_YPIXEL, 1, [define if struct winsize has ws_ypixel]))
+])
diff --git a/crypto/kerberosIV/cf/krb-sys-aix.m4 b/crypto/kerberosIV/cf/krb-sys-aix.m4
new file mode 100644
index 0000000..a538005
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-sys-aix.m4
@@ -0,0 +1,15 @@
+dnl $Id: krb-sys-aix.m4,v 1.1 1997/12/14 15:59:02 joda Exp $
+dnl
+dnl
+dnl AIX have a very different syscall convention
+dnl
+AC_DEFUN(AC_KRB_SYS_AIX, [
+AC_MSG_CHECKING(for AIX)
+AC_CACHE_VAL(krb_cv_sys_aix,
+AC_EGREP_CPP(yes, 
+[#ifdef _AIX
+	yes
+#endif 
+], krb_cv_sys_aix=yes, krb_cv_sys_aix=no) )
+AC_MSG_RESULT($krb_cv_sys_aix)
+])
diff --git a/crypto/kerberosIV/cf/krb-sys-nextstep.m4 b/crypto/kerberosIV/cf/krb-sys-nextstep.m4
new file mode 100644
index 0000000..31dc907
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-sys-nextstep.m4
@@ -0,0 +1,21 @@
+dnl $Id: krb-sys-nextstep.m4,v 1.2 1998/06/03 23:48:40 joda Exp $
+dnl
+dnl
+dnl NEXTSTEP is not posix compliant by default,
+dnl you need a switch -posix to the compiler
+dnl
+
+AC_DEFUN(AC_KRB_SYS_NEXTSTEP, [
+AC_MSG_CHECKING(for NEXTSTEP)
+AC_CACHE_VAL(krb_cv_sys_nextstep,
+AC_EGREP_CPP(yes, 
+[#if defined(NeXT) && !defined(__APPLE__)
+	yes
+#endif 
+], krb_cv_sys_nextstep=yes, krb_cv_sys_nextstep=no) )
+if test "$krb_cv_sys_nextstep" = "yes"; then
+  CFLAGS="$CFLAGS -posix"
+  LIBS="$LIBS -posix"
+fi
+AC_MSG_RESULT($krb_cv_sys_nextstep)
+])
diff --git a/crypto/kerberosIV/cf/krb-version.m4 b/crypto/kerberosIV/cf/krb-version.m4
new file mode 100644
index 0000000..a4a1221
--- /dev/null
+++ b/crypto/kerberosIV/cf/krb-version.m4
@@ -0,0 +1,25 @@
+dnl $Id: krb-version.m4,v 1.1 1997/12/14 15:59:03 joda Exp $
+dnl
+dnl
+dnl output a C header-file with some version strings
+dnl
+AC_DEFUN(AC_KRB_VERSION,[
+dnl AC_OUTPUT_COMMANDS([
+cat > include/newversion.h.in <<FOOBAR
+char *${PACKAGE}_long_version = "@(#)\$Version: $PACKAGE-$VERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+char *${PACKAGE}_version = "$PACKAGE-$VERSION";
+FOOBAR
+
+if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+	echo "include/version.h is unchanged"
+	rm -f include/newversion.h.in
+else
+ 	echo "creating include/version.h"
+ 	User=${USER-${LOGNAME}}
+ 	Host=`(hostname || uname -n) 2>/dev/null | sed 1q`
+ 	Date=`date`
+	mv -f include/newversion.h.in include/version.h.in
+	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+fi
+dnl ],host=$host PACKAGE=$PACKAGE VERSION=$VERSION)
+])
diff --git a/crypto/kerberosIV/cf/make-proto.pl b/crypto/kerberosIV/cf/make-proto.pl
new file mode 100644
index 0000000..9a47aed
--- /dev/null
+++ b/crypto/kerberosIV/cf/make-proto.pl
@@ -0,0 +1,199 @@
+# Make prototypes from .c files
+# $Id: make-proto.pl,v 1.11 1999/04/15 12:37:54 joda Exp $
+
+##use Getopt::Std;
+require 'getopts.pl';
+
+$brace = 0;
+$line = "";
+$debug = 0;
+
+do Getopts('o:p:d') || die "foo";
+
+if($opt_d) {
+    $debug = 1;
+}
+
+while(<>) {
+    print $brace, " ", $_ if($debug);
+    if(/^\#if 0/) {
+	$if_0 = 1;
+    }
+    if($if_0 && /^\#endif/) {
+	$if_0 = 0;
+    }
+    if($if_0) { next }
+    if(/^\s*\#/) {
+	next;
+    }
+    if(/^\s*$/) {
+	$line = "";
+	next;
+    }
+    if(/\{/){
+	$_ = $line;
+	while(s/\*\//\ca/){
+	    s/\/\*(.|\n)*\ca//;
+	}
+	s/^\s*//;
+	s/\s$//;
+	s/\s+/ /g;
+	if($line =~ /\)\s$/){
+	    if(!/^static/ && !/^PRIVATE/){
+		if(/(.*)(__attribute__\s?\(.*\))/) {
+		    $attr = $2;
+		    $_ = $1;
+		} else {
+		    $attr = "";
+		}
+		# remove outer ()
+		s/\s*\(/@/;
+		s/\)\s?$/@/;
+		# remove , within ()
+		while(s/\(([^()]*),(.*)\)/($1\$$2)/g){}
+		s/,\s*/,\n\t/g;
+		# fix removed ,
+		s/\$/,/g;
+		# match function name
+		/([a-zA-Z0-9_]+)\s*@/;
+		$f = $1;
+		# only add newline if more than one parameter
+		$LP = "((";  # XXX workaround for indentation bug in emacs
+		$RP = "))";
+		$P = "__P((";
+                if(/,/){ 
+		    s/@/ __P$LP\n\t/;
+		}else{
+		    s/@/ __P$LP/;
+		}
+		s/@/$RP/;
+		# insert newline before function name
+		s/(.*)\s([a-zA-Z0-9_]+ __P)/$1\n$2/;
+		if($attr ne "") {
+		    $_ .= "\n    $attr";
+		}
+		$_ = $_ . ";";
+		$funcs{$f} = $_;
+	    }
+	}
+	$line = "";
+	$brace++;
+    }
+    if(/\}/){
+	$brace--;
+    }
+    if(/^\}/){
+	$brace = 0;
+    }
+    if($brace == 0) {
+	$line = $line . " " . $_;
+    }
+}
+
+sub foo {
+    local ($arg) = @_;
+    $_ = $arg;
+    s/.*\/([^\/]*)/$1/;
+    s/[^a-zA-Z0-9]/_/g;
+    "__" . $_ . "__";
+}
+
+if($opt_o) {
+    open(OUT, ">$opt_o");
+    $block = &foo($opt_o);
+} else {
+    $block = "__public_h__";
+}
+
+if($opt_p) {
+    open(PRIV, ">$opt_p");
+    $private = &foo($opt_p);
+} else {
+    $private = "__private_h__";
+}
+
+$public_h = "";
+$private_h = "";
+
+$public_h_header = "/* This is a generated file */
+#ifndef $block
+#define $block
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+";
+
+$private_h_header = "/* This is a generated file */
+#ifndef $private
+#define $private
+
+#ifdef __STDC__
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+";
+
+foreach(sort keys %funcs){
+    if(/^(main)$/) { next }
+    if(/^_/) {
+	$private_h .= $funcs{$_} . "\n\n";
+	if($funcs{$_} =~ /__attribute__/) {
+	    $private_attribute_seen = 1;
+	}
+    } else {
+	$public_h .= $funcs{$_} . "\n\n";
+	if($funcs{$_} =~ /__attribute__/) {
+	    $public_attribute_seen = 1;
+	}
+    }
+}
+
+if ($public_attribute_seen) {
+    $public_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+";
+}
+
+if ($private_attribute_seen) {
+    $private_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+";
+}
+
+
+if ($public_h ne "") {
+    $public_h = $public_h_header . $public_h . "#endif /* $block */\n";
+}
+if ($private_h ne "") {
+    $private_h = $private_h_header . $private_h . "#endif /* $private */\n";
+}
+
+if($opt_o) {
+    print OUT $public_h;
+} 
+if($opt_p) {
+    print PRIV $private_h;
+} 
+
+close OUT;
+close PRIV;
diff --git a/crypto/kerberosIV/cf/mips-abi.m4 b/crypto/kerberosIV/cf/mips-abi.m4
new file mode 100644
index 0000000..c7b8815
--- /dev/null
+++ b/crypto/kerberosIV/cf/mips-abi.m4
@@ -0,0 +1,87 @@
+dnl $Id: mips-abi.m4,v 1.4 1998/05/16 20:44:15 joda Exp $
+dnl
+dnl
+dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some
+dnl value.
+
+AC_DEFUN(AC_MIPS_ABI, [
+AC_ARG_WITH(mips_abi,
+[  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)])
+
+case "$host_os" in
+irix*)
+with_mips_abi="${with_mips_abi:-yes}"
+if test -n "$GCC"; then
+
+# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select
+# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs.
+#
+# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old
+# GCC and revert back to O32. The same goes if O32 is asked for - old
+# GCCs doesn't like the -mabi option, and new GCCs can't output O32.
+#
+# Don't you just love *all* the different SGI ABIs?
+
+case "${with_mips_abi}" in 
+        32|o32) abi='-mabi=32';  abilibdirext=''     ;;
+       n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
+        64) abi='-mabi=64';  abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_ERROR("Invalid ABI specified") ;;
+esac
+if test -n "$abi" ; then
+ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
+dnl
+dnl can't use AC_CACHE_CHECK here, since it doesn't quote CACHE-ID to
+dnl AC_MSG_RESULT
+dnl
+AC_MSG_CHECKING([if $CC supports the $abi option])
+AC_CACHE_VAL($ac_foo, [
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $abi"
+AC_TRY_COMPILE(,int x;, eval $ac_foo=yes, eval $ac_foo=no)
+CFLAGS="$save_CFLAGS"
+])
+ac_res=`eval echo \\\$$ac_foo`
+AC_MSG_RESULT($ac_res)
+if test $ac_res = no; then
+# Try to figure out why that failed...
+case $abi in
+	-mabi=32) 
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS -mabi=n32"
+	AC_TRY_COMPILE(,int x;, ac_res=yes, ac_res=no)
+	CLAGS="$save_CFLAGS"
+	if test $ac_res = yes; then
+		# New GCC
+		AC_ERROR([$CC does not support the $with_mips_abi ABI])
+	fi
+	# Old GCC
+	abi=''
+	abilibdirext=''
+	;;
+	-mabi=n32|-mabi=64)
+		if test $with_mips_abi = yes; then
+			# Old GCC, default to O32
+			abi=''
+			abilibdirext=''
+		else
+			# Some broken GCC
+			AC_ERROR([$CC does not support the $with_mips_abi ABI])
+		fi
+	;;
+esac
+fi #if test $ac_res = no; then
+fi #if test -n "$abi" ; then
+else
+case "${with_mips_abi}" in
+        32|o32) abi='-32'; abilibdirext=''     ;;
+       n32|yes) abi='-n32'; abilibdirext='32'  ;;
+        64) abi='-64'; abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) AC_ERROR("Invalid ABI specified") ;;
+esac
+fi #if test -n "$GCC"; then
+;;
+esac
+])
diff --git a/crypto/kerberosIV/cf/misc.m4 b/crypto/kerberosIV/cf/misc.m4
new file mode 100644
index 0000000..0be97a4
--- /dev/null
+++ b/crypto/kerberosIV/cf/misc.m4
@@ -0,0 +1,3 @@
+dnl $Id: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
+dnl
+define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
diff --git a/crypto/kerberosIV/cf/need-proto.m4 b/crypto/kerberosIV/cf/need-proto.m4
new file mode 100644
index 0000000..8c8d1d3
--- /dev/null
+++ b/crypto/kerberosIV/cf/need-proto.m4
@@ -0,0 +1,25 @@
+dnl $Id: need-proto.m4,v 1.2 1999/03/01 09:52:24 joda Exp $
+dnl
+dnl
+dnl Check if we need the prototype for a function
+dnl
+
+dnl AC_NEED_PROTO(includes, function)
+
+AC_DEFUN(AC_NEED_PROTO, [
+if test "$ac_cv_func_$2+set" != set -o "$ac_cv_func_$2" = yes; then
+AC_CACHE_CHECK([if $2 needs a prototype], ac_cv_func_$2_noproto,
+AC_TRY_COMPILE([$1],
+[struct foo { int foo; } xx;
+extern int $2 (struct foo*);
+$2(&xx);
+],
+eval "ac_cv_func_$2_noproto=yes",
+eval "ac_cv_func_$2_noproto=no"))
+define([foo], [NEED_]translit($2, [a-z], [A-Z])[_PROTO])
+if test "$ac_cv_func_$2_noproto" = yes; then
+	AC_DEFINE(foo, 1, [define if the system is missing a prototype for $2()])
+fi
+undefine([foo])
+fi
+])
diff --git a/crypto/kerberosIV/cf/osfc2.m4 b/crypto/kerberosIV/cf/osfc2.m4
new file mode 100644
index 0000000..d8cb2e1
--- /dev/null
+++ b/crypto/kerberosIV/cf/osfc2.m4
@@ -0,0 +1,14 @@
+dnl $Id: osfc2.m4,v 1.2 1999/03/27 17:28:16 joda Exp $
+dnl
+dnl enable OSF C2 stuff
+
+AC_DEFUN(AC_CHECK_OSFC2,[
+AC_ARG_ENABLE(osfc2,
+[  --enable-osfc2          enable some OSF C2 support])
+LIB_security=
+if test "$enable_osfc2" = yes; then
+	AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.])
+	LIB_security=-lsecurity
+fi
+AC_SUBST(LIB_security)
+])
diff --git a/crypto/kerberosIV/cf/proto-compat.m4 b/crypto/kerberosIV/cf/proto-compat.m4
new file mode 100644
index 0000000..942f658
--- /dev/null
+++ b/crypto/kerberosIV/cf/proto-compat.m4
@@ -0,0 +1,22 @@
+dnl $Id: proto-compat.m4,v 1.3 1999/03/01 13:03:48 joda Exp $
+dnl
+dnl
+dnl Check if the prototype of a function is compatible with another one
+dnl
+
+dnl AC_PROTO_COMPAT(includes, function, prototype)
+
+AC_DEFUN(AC_PROTO_COMPAT, [
+AC_CACHE_CHECK([if $2 is compatible with system prototype],
+ac_cv_func_$2_proto_compat,
+AC_TRY_COMPILE([$1],
+[$3;],
+eval "ac_cv_func_$2_proto_compat=yes",
+eval "ac_cv_func_$2_proto_compat=no"))
+define([foo], translit($2, [a-z], [A-Z])[_PROTO_COMPATIBLE])
+if test "$ac_cv_func_$2_proto_compat" = yes; then
+	AC_DEFINE(foo, 1, [define if prototype of $2 is compatible with
+	$3])
+fi
+undefine([foo])
+])
\ No newline at end of file
diff --git a/crypto/kerberosIV/cf/shared-libs.m4 b/crypto/kerberosIV/cf/shared-libs.m4
new file mode 100644
index 0000000..283898f
--- /dev/null
+++ b/crypto/kerberosIV/cf/shared-libs.m4
@@ -0,0 +1,192 @@
+dnl
+dnl $Id: shared-libs.m4,v 1.4.14.3 2000/12/07 18:03:00 bg Exp $
+dnl
+dnl Shared library stuff has to be different everywhere
+dnl
+
+AC_DEFUN(AC_SHARED_LIBS, [
+
+dnl Check if we want to use shared libraries
+AC_ARG_ENABLE(shared,
+[  --enable-shared         create shared libraries for Kerberos])
+
+AC_SUBST(CFLAGS)dnl
+AC_SUBST(LDFLAGS)dnl
+
+case ${enable_shared} in
+  yes ) enable_shared=yes;;
+  no  ) enable_shared=no;;
+  *   ) enable_shared=no;;
+esac
+
+# NOTE: Building shared libraries may not work if you do not use gcc!
+#
+# OS		$SHLIBEXT
+# HP-UX		sl
+# Linux		so
+# NetBSD	so
+# FreeBSD	so
+# OSF		so
+# SunOS5	so
+# SunOS4	so.0.5
+# Irix		so
+#
+# LIBEXT is the extension we should build (.a or $SHLIBEXT)
+LINK='$(CC)'
+AC_SUBST(LINK)
+lib_deps=yes
+REAL_PICFLAGS="-fpic"
+LDSHARED='$(CC) $(PICFLAGS) -shared'
+LIBPREFIX=lib
+build_symlink_command=@true
+install_symlink_command=@true
+install_symlink_command2=@true
+REAL_SHLIBEXT=so
+changequote({,})dnl
+SHLIB_VERSION=`echo $VERSION | sed 's/\([0-9.]*\).*/\1/'`
+SHLIB_SONAME=`echo $VERSION | sed 's/\([0-9]*\).*/\1/'`
+changequote([,])dnl
+case "${host}" in
+*-*-hpux*)
+	REAL_SHLIBEXT=sl
+	REAL_LD_FLAGS='-Wl,+b$(libdir)'
+	if test -z "$GCC"; then
+		LDSHARED="ld -b"
+		REAL_PICFLAGS="+z"
+	fi
+	lib_deps=no
+	;;
+*-*-linux*)
+	LDSHARED='$(CC) -shared -Wl,-soname,$(LIBNAME).so.'"${SHLIB_SONAME}"
+	REAL_LD_FLAGS='-Wl,-rpath,$(libdir)'
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	build_symlink_command='$(LN_S) -f [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	;;
+changequote(,)dnl
+*-*-freebsd[345]* | *-*-freebsdelf[345]*)
+changequote([,])dnl
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	build_symlink_command='$(LN_S) -f [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	;;
+*-*-*bsd*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	LDSHARED='ld -Bshareable'
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	;;
+*-*-osf*)
+	REAL_LD_FLAGS='-Wl,-rpath,$(libdir)'
+	REAL_PICFLAGS=
+	LDSHARED='ld -shared -expect_unresolved \*'
+	;;
+*-*-solaris2*)
+	LDSHARED='$(CC) -shared -Wl,-h$(LIBNAME).so.'"${SHLIB_SONAME}"
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	build_symlink_command='$(LN_S) [$][@] $(LIBNAME).so'
+	install_symlink_command='$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	if test -z "$GCC"; then
+		LDSHARED='$(CC) -G -h$(LIBNAME).so.'"${SHLIB_SONAME}"
+		REAL_PICFLAGS="-Kpic"
+	fi
+	;;
+*-fujitsu-uxpv*)
+	REAL_LD_FLAGS='' # really: LD_RUN_PATH=$(libdir) cc -o ...
+	REAL_LINK='LD_RUN_PATH=$(libdir) $(CC)'
+	LDSHARED='$(CC) -G'
+	REAL_PICFLAGS="-Kpic"
+	lib_deps=no # fails in mysterious ways
+	;;
+*-*-sunos*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	REAL_LD_FLAGS='-Wl,-L$(libdir)'
+	lib_deps=no
+	;;
+*-*-irix*)
+        libdir="${libdir}${abilibdirext}"
+        REAL_LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)"
+        LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)"
+	LDSHARED="\$(CC) -shared ${abi}"
+        REAL_PICFLAGS=
+        CFLAGS="${abi} ${CFLAGS}"
+	;;
+*-*-os2*)
+	LIBPREFIX=
+	EXECSUFFIX='.exe'
+	RANLIB=EMXOMF
+	LD_FLAGS=-Zcrtdll
+	REAL_SHLIBEXT=nobuild
+	;;
+*-*-cygwin32*)
+	EXECSUFFIX='.exe'
+	REAL_SHLIBEXT=nobuild
+	;;
+*)	REAL_SHLIBEXT=nobuild
+	REAL_PICFLAGS= 
+	;;
+esac
+
+if test "${enable_shared}" != "yes" ; then 
+ PICFLAGS=""
+ SHLIBEXT="nobuild"
+ LIBEXT="a"
+ build_symlink_command=@true
+ install_symlink_command=@true
+ install_symlink_command2=@true
+else
+ PICFLAGS="$REAL_PICFLAGS"
+ SHLIBEXT="$REAL_SHLIBEXT"
+ LIBEXT="$SHLIBEXT"
+ AC_MSG_CHECKING(whether to use -rpath)
+ case "$libdir" in
+   /lib | /usr/lib | /usr/local/lib)
+     AC_MSG_RESULT(no)
+     REAL_LD_FLAGS=
+     LD_FLAGS=
+     ;;
+   *)
+     LD_FLAGS="$REAL_LD_FLAGS"
+     test "$REAL_LINK" && LINK="$REAL_LINK"
+     AC_MSG_RESULT($LD_FLAGS)
+     ;;
+   esac
+fi
+
+if test "$lib_deps" = yes; then
+	lib_deps_yes=""
+	lib_deps_no="# "
+else
+	lib_deps_yes="# "
+	lib_deps_no=""
+fi
+AC_SUBST(lib_deps_yes)
+AC_SUBST(lib_deps_no)
+
+# use supplied ld-flags, or none if `no'
+if test "$with_ld_flags" = no; then
+	LD_FLAGS=
+elif test -n "$with_ld_flags"; then
+	LD_FLAGS="$with_ld_flags"
+fi
+
+AC_SUBST(REAL_PICFLAGS) dnl
+AC_SUBST(REAL_SHLIBEXT) dnl
+AC_SUBST(REAL_LD_FLAGS) dnl
+
+AC_SUBST(PICFLAGS) dnl
+AC_SUBST(SHLIBEXT) dnl
+AC_SUBST(LDSHARED) dnl
+AC_SUBST(LD_FLAGS) dnl
+AC_SUBST(LIBEXT) dnl
+AC_SUBST(LIBPREFIX) dnl
+AC_SUBST(EXECSUFFIX) dnl
+
+AC_SUBST(build_symlink_command)dnl
+AC_SUBST(install_symlink_command)dnl
+AC_SUBST(install_symlink_command2)dnl
+])
diff --git a/crypto/kerberosIV/cf/test-package.m4 b/crypto/kerberosIV/cf/test-package.m4
new file mode 100644
index 0000000..6bae158
--- /dev/null
+++ b/crypto/kerberosIV/cf/test-package.m4
@@ -0,0 +1,88 @@
+dnl $Id: test-package.m4,v 1.7 1999/04/19 13:33:05 assar Exp $
+dnl
+dnl AC_TEST_PACKAGE_NEW(package,headers,libraries,extra libs,default locations)
+
+AC_DEFUN(AC_TEST_PACKAGE,[AC_TEST_PACKAGE_NEW($1,[#include <$2>],$4,,$5)])
+
+AC_DEFUN(AC_TEST_PACKAGE_NEW,[
+AC_ARG_WITH($1,
+[  --with-$1=dir                use $1 in dir])
+AC_ARG_WITH($1-lib,
+[  --with-$1-lib=dir            use $1 libraries in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-lib])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+AC_ARG_WITH($1-include,
+[  --with-$1-include=dir        use $1 headers in dir],
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-include])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+
+AC_MSG_CHECKING(for $1)
+
+case "$with_$1" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_$1_include" = ""; then
+		with_$1_include="$with_$1/include"
+	fi
+	if test "$with_$1_lib" = ""; then
+		with_$1_lib="$with_$1/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d='$5'
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_$1_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_$1_include $header_dirs";;
+esac
+case "$with_$1_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_$1_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	AC_TRY_COMPILE([$2],,ires=$i;break)
+done
+for i in $lib_dirs; do
+	LIBS="-L$i $3 $4 $save_LIBS"
+	AC_TRY_LINK([$2],,lres=$i;break)
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_$1" != "no"; then
+	$1_includedir="$ires"
+	$1_libdir="$lres"
+	INCLUDE_$1="-I$$1_includedir"
+	LIB_$1="-L$$1_libdir $3"
+	AC_DEFINE_UNQUOTED(upcase($1),1,[Define if you have the $1 package.])
+	with_$1=yes
+	AC_MSG_RESULT([headers $ires, libraries $lres])
+else
+	INCLUDE_$1=
+	LIB_$1=
+	with_$1=no
+	AC_MSG_RESULT($with_$1)
+fi
+AC_SUBST(INCLUDE_$1)
+AC_SUBST(LIB_$1)
+])
diff --git a/crypto/kerberosIV/cf/wflags.m4 b/crypto/kerberosIV/cf/wflags.m4
new file mode 100644
index 0000000..6d9e073
--- /dev/null
+++ b/crypto/kerberosIV/cf/wflags.m4
@@ -0,0 +1,21 @@
+dnl $Id: wflags.m4,v 1.3 1999/03/11 12:11:41 joda Exp $
+dnl
+dnl set WFLAGS
+
+AC_DEFUN(AC_WFLAGS,[
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+if test -z "$WFLAGS" -a "$GCC" = "yes"; then
+  # -Wno-implicit-int for broken X11 headers
+  # leave these out for now:
+  #   -Wcast-align doesn't work well on alpha osf/1
+  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
+  #   -Wmissing-declarations -Wnested-externs
+  WFLAGS="ifelse($#, 0,-Wall, $1)"
+  WFLAGS_NOUNUSED="-Wno-unused"
+  WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+fi
+AC_SUBST(WFLAGS)dnl
+AC_SUBST(WFLAGS_NOUNUSED)dnl
+AC_SUBST(WFLAGS_NOIMPLICITINT)dnl
+])
diff --git a/crypto/kerberosIV/config.guess b/crypto/kerberosIV/config.guess
new file mode 100644
index 0000000..265ea69
--- /dev/null
+++ b/crypto/kerberosIV/config.guess
@@ -0,0 +1,1291 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000
+#   Free Software Foundation, Inc.
+
+version='2000-09-05'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Written by Per Bothner <bothner@cygnus.com>.
+# Please send patches to <config-patches@gnu.org>.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub.  If it succeeds, it prints the system name on stdout, and
+# exits with 0.  Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit system type (host/target name).
+#
+# Only a few systems have been added to this list; please add others
+# (but try to keep the structure clean).
+#
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of this system.
+
+Operation modes:
+  -h, --help               print this help, then exit
+  -V, --version            print version number, then exit"
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case "$1" in
+    --version | --vers* | -V )
+       echo "$version" ; exit 0 ;;
+    --help | --h* | -h )
+       echo "$usage"; exit 0 ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       exec >&2
+       echo "$me: invalid option $1"
+       echo "$help"
+       exit 1 ;;
+    * )
+       break ;;
+  esac
+done
+
+if test $# != 0; then
+  echo "$me: too many arguments$help" >&2
+  exit 1
+fi
+
+# Use $HOST_CC if defined. $CC may point to a cross-compiler
+if test x"$CC_FOR_BUILD" = x; then
+  if test x"$HOST_CC" != x; then
+    CC_FOR_BUILD="$HOST_CC"
+  else
+    if test x"$CC" != x; then
+      CC_FOR_BUILD="$CC"
+    else
+      CC_FOR_BUILD=cc
+    fi
+  fi
+fi
+
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 8/24/94.)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+	PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+dummy=dummy-$$
+trap 'rm -f $dummy.c $dummy.o $dummy; exit 1' 1 2 15
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    *:NetBSD:*:*)
+	# Netbsd (nbsd) targets should (where applicable) match one or
+	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
+	# switched to ELF, *-*-netbsd* would select the old
+	# object file format.  This provides both forward
+	# compatibility and a consistent mechanism for selecting the
+	# object file format.
+	# Determine the machine/vendor (is the vendor relevant).
+	case "${UNAME_MACHINE}" in
+	    amiga) machine=m68k-unknown ;;
+	    arm32) machine=arm-unknown ;;
+	    atari*) machine=m68k-atari ;;
+	    sun3*) machine=m68k-sun ;;
+	    mac68k) machine=m68k-apple ;;
+	    macppc) machine=powerpc-apple ;;
+	    hp3[0-9][05]) machine=m68k-hp ;;
+	    ibmrt|romp-ibm) machine=romp-ibm ;;
+	    *) machine=${UNAME_MACHINE}-unknown ;;
+	esac
+	# The Operating System including object format.
+	if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+		| grep __ELF__ >/dev/null
+	then
+	    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+	    # Return netbsd for either.  FIX?
+	    os=netbsd
+	else
+	    os=netbsdelf
+	fi
+	# The OS release
+	release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+	# contains redundant information, the shorter form:
+	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+	echo "${machine}-${os}${release}"
+	exit 0 ;;
+    alpha:OSF1:*:*)
+	if test $UNAME_RELEASE = "V4.0"; then
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+	fi
+	# A Vn.n version is a released version.
+	# A Tn.n version is a released field test version.
+	# A Xn.n version is an unreleased experimental baselevel.
+	# 1.2 uses "1.2" for uname -r.
+	cat <<EOF >$dummy.s
+	.data
+\$Lformat:
+	.byte 37,100,45,37,120,10,0	# "%d-%x\n"
+
+	.text
+	.globl main
+	.align 4
+	.ent main
+main:
+	.frame \$30,16,\$26,0
+	ldgp \$29,0(\$27)
+	.prologue 1
+	.long 0x47e03d80 # implver \$0
+	lda \$2,-1
+	.long 0x47e20c21 # amask \$2,\$1
+	lda \$16,\$Lformat
+	mov \$0,\$17
+	not \$1,\$18
+	jsr \$26,printf
+	ldgp \$29,0(\$26)
+	mov 0,\$16
+	jsr \$26,exit
+	.end main
+EOF
+	$CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null
+	if test "$?" = 0 ; then
+		case `./$dummy` in
+			0-0)
+				UNAME_MACHINE="alpha"
+				;;
+			1-0)
+				UNAME_MACHINE="alphaev5"
+				;;
+			1-1)
+				UNAME_MACHINE="alphaev56"
+				;;
+			1-101)
+				UNAME_MACHINE="alphapca56"
+				;;
+			2-303)
+				UNAME_MACHINE="alphaev6"
+				;;
+			2-307)
+				UNAME_MACHINE="alphaev67"
+				;;
+		esac
+	fi
+	rm -f $dummy.s $dummy
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	exit 0 ;;
+    Alpha\ *:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# Should we change UNAME_MACHINE based on the output of uname instead
+	# of the specific Alpha model?
+	echo alpha-pc-interix
+	exit 0 ;;
+    21064:Windows_NT:50:3)
+	echo alpha-dec-winnt3.5
+	exit 0 ;;
+    Amiga*:UNIX_System_V:4.0:*)
+	echo m68k-unknown-sysv4
+	exit 0;;
+    amiga:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    *:[Aa]miga[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-amigaos
+	exit 0 ;;
+    arc64:OpenBSD:*:*)
+	echo mips64el-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    arc:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    hkmips:OpenBSD:*:*)
+	echo mips-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    pmax:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    sgi:OpenBSD:*:*)
+	echo mips-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    wgrisc:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    *:OS/390:*:*)
+	echo i370-ibm-openedition
+	exit 0 ;;
+    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+	echo arm-acorn-riscix${UNAME_RELEASE}
+	exit 0;;
+    SR2?01:HI-UX/MPP:*:*)
+	echo hppa1.1-hitachi-hiuxmpp
+	exit 0;;
+    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+	if test "`(/bin/universe) 2>/dev/null`" = att ; then
+		echo pyramid-pyramid-sysv3
+	else
+		echo pyramid-pyramid-bsd
+	fi
+	exit 0 ;;
+    NILE*:*:*:dcosx)
+	echo pyramid-pyramid-svr4
+	exit 0 ;;
+    sun4H:SunOS:5.*:*)
+	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    i86pc:SunOS:5.*:*)
+	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:6*:*)
+	# According to config.sub, this is the proper way to canonicalize
+	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
+	# it's likely to be more like Solaris than SunOS4.
+	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:*:*)
+	case "`/usr/bin/arch -k`" in
+	    Series*|S4*)
+		UNAME_RELEASE=`uname -v`
+		;;
+	esac
+	# Japanese Language versions have a version number like `4.1.3-JL'.
+	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	exit 0 ;;
+    sun3*:SunOS:*:*)
+	echo m68k-sun-sunos${UNAME_RELEASE}
+	exit 0 ;;
+    sun*:*:4.2BSD:*)
+	UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	case "`/bin/arch`" in
+	    sun3)
+		echo m68k-sun-sunos${UNAME_RELEASE}
+		;;
+	    sun4)
+		echo sparc-sun-sunos${UNAME_RELEASE}
+		;;
+	esac
+	exit 0 ;;
+    aushp:SunOS:*:*)
+	echo sparc-auspex-sunos${UNAME_RELEASE}
+	exit 0 ;;
+    atari*:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    # The situation for MiNT is a little confusing.  The machine name
+    # can be virtually everything (everything which is not
+    # "atarist" or "atariste" at least should have a processor 
+    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
+    # to the lowercase version "mint" (or "freemint").  Finally
+    # the system name "TOS" denotes a system which is actually not
+    # MiNT.  But MiNT is downward compatible to TOS, so this should
+    # be no problem.
+    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit 0 ;;
+    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+        exit 0 ;;
+    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit 0 ;;
+    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+        echo m68k-milan-mint${UNAME_RELEASE}
+        exit 0 ;;
+    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+        echo m68k-hades-mint${UNAME_RELEASE}
+        exit 0 ;;
+    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+        echo m68k-unknown-mint${UNAME_RELEASE}
+        exit 0 ;;
+    sun3*:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mac68k:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mvme68k:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mvme88k:OpenBSD:*:*)
+	echo m88k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    powerpc:machten:*:*)
+	echo powerpc-apple-machten${UNAME_RELEASE}
+	exit 0 ;;
+    RISC*:Mach:*:*)
+	echo mips-dec-mach_bsd4.3
+	exit 0 ;;
+    RISC*:ULTRIX:*:*)
+	echo mips-dec-ultrix${UNAME_RELEASE}
+	exit 0 ;;
+    VAX*:ULTRIX*:*:*)
+	echo vax-dec-ultrix${UNAME_RELEASE}
+	exit 0 ;;
+    2020:CLIX:*:* | 2430:CLIX:*:*)
+	echo clipper-intergraph-clix${UNAME_RELEASE}
+	exit 0 ;;
+    mips:*:*:UMIPS | mips:*:*:RISCos)
+	sed 's/^	//' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+	#if defined (host_mips) && defined (MIPSEB)
+	#if defined (SYSTYPE_SYSV)
+	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_SVR4)
+	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	#endif
+	#endif
+	  exit (-1);
+	}
+EOF
+	$CC_FOR_BUILD $dummy.c -o $dummy \
+	  && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
+	  && rm $dummy.c $dummy && exit 0
+	rm -f $dummy.c $dummy
+	echo mips-mips-riscos${UNAME_RELEASE}
+	exit 0 ;;
+    Night_Hawk:Power_UNIX:*:*)
+	echo powerpc-harris-powerunix
+	exit 0 ;;
+    m88k:CX/UX:7*:*)
+	echo m88k-harris-cxux7
+	exit 0 ;;
+    m88k:*:4*:R4*)
+	echo m88k-motorola-sysv4
+	exit 0 ;;
+    m88k:*:3*:R3*)
+	echo m88k-motorola-sysv3
+	exit 0 ;;
+    AViiON:dgux:*:*)
+        # DG/UX returns AViiON for all architectures
+        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110]
+	then
+	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    then
+		echo m88k-dg-dgux${UNAME_RELEASE}
+	    else
+		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	    fi
+	else
+	    echo i586-dg-dgux${UNAME_RELEASE}
+	fi
+ 	exit 0 ;;
+    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
+	echo m88k-dolphin-sysv3
+	exit 0 ;;
+    M88*:*:R3*:*)
+	# Delta 88k system running SVR3
+	echo m88k-motorola-sysv3
+	exit 0 ;;
+    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+	echo m88k-tektronix-sysv3
+	exit 0 ;;
+    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+	echo m68k-tektronix-bsd
+	exit 0 ;;
+    *:IRIX*:*:*)
+	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	exit 0 ;;
+    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+	echo romp-ibm-aix      # uname -m gives an 8 hex-code CPU id
+	exit 0 ;;              # Note that: echo "'`uname -s`'" gives 'AIX '
+    i?86:AIX:*:*)
+	echo i386-ibm-aix
+	exit 0 ;;
+    *:AIX:2:3)
+	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+		sed 's/^		//' << EOF >$dummy.c
+		#include <sys/systemcfg.h>
+
+		main()
+			{
+			if (!__power_pc())
+				exit(1);
+			puts("powerpc-ibm-aix3.2.5");
+			exit(0);
+			}
+EOF
+		$CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
+		rm -f $dummy.c $dummy
+		echo rs6000-ibm-aix3.2.5
+	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+		echo rs6000-ibm-aix3.2.4
+	else
+		echo rs6000-ibm-aix3.2
+	fi
+	exit 0 ;;
+    *:AIX:*:4)
+	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'`
+	if /usr/sbin/lsattr -EHl ${IBM_CPU_ID} | grep POWER >/dev/null 2>&1; then
+		IBM_ARCH=rs6000
+	else
+		IBM_ARCH=powerpc
+	fi
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=4.${UNAME_RELEASE}
+	fi
+	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	exit 0 ;;
+    *:AIX:*:*)
+	echo rs6000-ibm-aix
+	exit 0 ;;
+    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+	echo romp-ibm-bsd4.4
+	exit 0 ;;
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
+	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	exit 0 ;;                           # report: romp-ibm BSD 4.3
+    *:BOSX:*:*)
+	echo rs6000-bull-bosx
+	exit 0 ;;
+    DPX/2?00:B.O.S.:*:*)
+	echo m68k-bull-sysv3
+	exit 0 ;;
+    9000/[34]??:4.3bsd:1.*:*)
+	echo m68k-hp-bsd
+	exit 0 ;;
+    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+	echo m68k-hp-bsd4.4
+	exit 0 ;;
+    9000/[34678]??:HP-UX:*:*)
+	case "${UNAME_MACHINE}" in
+	    9000/31? )            HP_ARCH=m68000 ;;
+	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/[678][0-9][0-9])
+              sed 's/^              //' << EOF >$dummy.c
+
+              #define _HPUX_SOURCE
+              #include <stdlib.h>
+              #include <unistd.h>
+
+              int main ()
+              {
+              #if defined(_SC_KERNEL_BITS)
+                  long bits = sysconf(_SC_KERNEL_BITS);
+              #endif
+                  long cpu  = sysconf (_SC_CPU_VERSION);
+
+                  switch (cpu)
+              	{
+              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+              	case CPU_PA_RISC2_0:
+              #if defined(_SC_KERNEL_BITS)
+              	    switch (bits)
+              		{
+              		case 64: puts ("hppa2.0w"); break;
+              		case 32: puts ("hppa2.0n"); break;
+              		default: puts ("hppa2.0"); break;
+              		} break;
+              #else  /* !defined(_SC_KERNEL_BITS) */
+              	    puts ("hppa2.0"); break;
+              #endif
+              	default: puts ("hppa1.0"); break;
+              	}
+                  exit (0);
+              }
+EOF
+	(CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy`
+	rm -f $dummy.c $dummy
+	esac
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	exit 0 ;;
+    3050*:HI-UX:*:*)
+	sed 's/^	//' << EOF >$dummy.c
+	#include <unistd.h>
+	int
+	main ()
+	{
+	  long cpu = sysconf (_SC_CPU_VERSION);
+	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
+	     results, however.  */
+	  if (CPU_IS_PA_RISC (cpu))
+	    {
+	      switch (cpu)
+		{
+		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+		  default: puts ("hppa-hitachi-hiuxwe2"); break;
+		}
+	    }
+	  else if (CPU_IS_HP_MC68K (cpu))
+	    puts ("m68k-hitachi-hiuxwe2");
+	  else puts ("unknown-hitachi-hiuxwe2");
+	  exit (0);
+	}
+EOF
+	$CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
+	rm -f $dummy.c $dummy
+	echo unknown-hitachi-hiuxwe2
+	exit 0 ;;
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+	echo hppa1.1-hp-bsd
+	exit 0 ;;
+    9000/8??:4.3bsd:*:*)
+	echo hppa1.0-hp-bsd
+	exit 0 ;;
+    *9??*:MPE/iX:*:*)
+	echo hppa1.0-hp-mpeix
+	exit 0 ;;
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+	echo hppa1.1-hp-osf
+	exit 0 ;;
+    hp8??:OSF1:*:*)
+	echo hppa1.0-hp-osf
+	exit 0 ;;
+    i?86:OSF1:*:*)
+	if [ -x /usr/sbin/sysversion ] ; then
+	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	else
+	    echo ${UNAME_MACHINE}-unknown-osf1
+	fi
+	exit 0 ;;
+    parisc*:Lites*:*:*)
+	echo hppa1.1-hp-lites
+	exit 0 ;;
+    hppa*:OpenBSD:*:*)
+	echo hppa-unknown-openbsd
+	exit 0 ;;
+    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+	echo c1-convex-bsd
+        exit 0 ;;
+    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+        exit 0 ;;
+    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+	echo c34-convex-bsd
+        exit 0 ;;
+    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+	echo c38-convex-bsd
+        exit 0 ;;
+    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+	echo c4-convex-bsd
+        exit 0 ;;
+    CRAY*X-MP:*:*:*)
+	echo xmp-cray-unicos
+        exit 0 ;;
+    CRAY*Y-MP:*:*:*)
+	echo ymp-cray-unicos${UNAME_RELEASE}
+	exit 0 ;;
+    CRAY*[A-Z]90:*:*:*)
+	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/
+	exit 0 ;;
+    CRAY*TS:*:*:*)
+	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit 0 ;;
+    CRAY*T3E:*:*:*)
+	echo alpha-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit 0 ;;
+    CRAY*SV1:*:*:*)
+	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'    
+	exit 0 ;;
+    CRAY-2:*:*:*)
+	echo cray2-cray-unicos
+        exit 0 ;;
+    F300:UNIX_System_V:*:*)
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+        echo "f300-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+        exit 0 ;;
+    F301:UNIX_System_V:*:*)
+       echo f301-fujitsu-uxpv`echo $UNAME_RELEASE | sed 's/ .*//'`
+       exit 0 ;;
+    hp300:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    i?86:BSD/386:*:* | i?86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    sparc*:BSD/OS:*:*)
+	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    *:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    *:FreeBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit 0 ;;
+    *:OpenBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+	exit 0 ;;
+    i*:CYGWIN*:*)
+	echo ${UNAME_MACHINE}-pc-cygwin
+	exit 0 ;;
+    i*:MINGW*:*)
+	echo ${UNAME_MACHINE}-pc-mingw32
+	exit 0 ;;
+    i*:PW*:*)
+	echo ${UNAME_MACHINE}-pc-pw32
+	exit 0 ;;
+    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+	# UNAME_MACHINE based on the output of uname instead of i386?
+	echo i386-pc-interix
+	exit 0 ;;
+    i*:UWIN*:*)
+	echo ${UNAME_MACHINE}-pc-uwin
+	exit 0 ;;
+    p*:CYGWIN*:*)
+	echo powerpcle-unknown-cygwin
+	exit 0 ;;
+    prep*:SunOS:5.*:*)
+	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    *:GNU:*:*)
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	exit 0 ;;
+    i*86:Minix:*:*)
+	echo ${UNAME_MACHINE}-pc-minix
+	exit 0 ;;
+    *:Linux:*:*)
+
+	# The BFD linker knows what the default object file format is, so
+	# first see if it will tell us. cd to the root directory to prevent
+	# problems with other programs or directories called `ld' in the path.
+	ld_help_string=`cd /; ld --help 2>&1`
+	ld_supported_emulations=`echo $ld_help_string \
+			 | sed -ne '/supported emulations:/!d
+				    s/[ 	][ 	]*/ /g
+				    s/.*supported emulations: *//
+				    s/ .*//
+				    p'`
+        case "$ld_supported_emulations" in
+	  *ia64)
+		echo "${UNAME_MACHINE}-unknown-linux"
+		exit 0
+		;;
+	  i?86linux)
+		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+		exit 0
+		;;
+	  elf_i?86)
+		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+		;;
+	  i?86coff)
+		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+		exit 0
+		;;
+	  sparclinux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+		exit 0
+		;;
+	  armlinux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+		exit 0
+		;;
+	  elf32arm*)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuoldld"
+		exit 0
+		;;
+	  armelf_linux*)
+		echo "${UNAME_MACHINE}-unknown-linux-gnu"
+		exit 0
+		;;
+	  m68klinux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+		exit 0
+		;;
+	  elf32ppc | elf32ppclinux)
+		# Determine Lib Version
+		cat >$dummy.c <<EOF
+#include <features.h>
+#if defined(__GLIBC__)
+extern char __libc_version[];
+extern char __libc_release[];
+#endif
+main(argc, argv)
+     int argc;
+     char *argv[];
+{
+#if defined(__GLIBC__)
+  printf("%s %s\n", __libc_version, __libc_release);
+#else
+  printf("unkown\n");
+#endif
+  return 0;
+}
+EOF
+		LIBC=""
+		$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null
+		if test "$?" = 0 ; then
+			./$dummy | grep 1\.99 > /dev/null
+			if test "$?" = 0 ; then
+				LIBC="libc1"
+			fi
+		fi	
+		rm -f $dummy.c $dummy
+		echo powerpc-unknown-linux-gnu${LIBC}
+		exit 0
+		;;
+	  shelf_linux)
+		echo "${UNAME_MACHINE}-unknown-linux-gnu"
+		exit 0
+		;;
+	esac
+
+	if test "${UNAME_MACHINE}" = "alpha" ; then
+		cat <<EOF >$dummy.s
+			.data
+		\$Lformat:
+			.byte 37,100,45,37,120,10,0	# "%d-%x\n"
+
+			.text
+			.globl main
+			.align 4
+			.ent main
+		main:
+			.frame \$30,16,\$26,0
+			ldgp \$29,0(\$27)
+			.prologue 1
+			.long 0x47e03d80 # implver \$0
+			lda \$2,-1
+			.long 0x47e20c21 # amask \$2,\$1
+			lda \$16,\$Lformat
+			mov \$0,\$17
+			not \$1,\$18
+			jsr \$26,printf
+			ldgp \$29,0(\$26)
+			mov 0,\$16
+			jsr \$26,exit
+			.end main
+EOF
+		LIBC=""
+		$CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null
+		if test "$?" = 0 ; then
+			case `./$dummy` in
+			0-0)
+				UNAME_MACHINE="alpha"
+				;;
+			1-0)
+				UNAME_MACHINE="alphaev5"
+				;;
+			1-1)
+				UNAME_MACHINE="alphaev56"
+				;;
+			1-101)
+				UNAME_MACHINE="alphapca56"
+				;;
+			2-303)
+				UNAME_MACHINE="alphaev6"
+				;;
+			2-307)
+				UNAME_MACHINE="alphaev67"
+				;;
+			esac
+
+			objdump --private-headers $dummy | \
+			  grep ld.so.1 > /dev/null
+			if test "$?" = 0 ; then
+				LIBC="libc1"
+			fi
+		fi
+		rm -f $dummy.s $dummy
+		echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} ; exit 0
+	elif test "${UNAME_MACHINE}" = "mips" ; then
+	  cat >$dummy.c <<EOF
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+#ifdef __MIPSEB__
+  printf ("%s-unknown-linux-gnu\n", argv[1]);
+#endif
+#ifdef __MIPSEL__
+  printf ("%sel-unknown-linux-gnu\n", argv[1]);
+#endif
+  return 0;
+}
+EOF
+	  $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
+	  rm -f $dummy.c $dummy
+	elif test "${UNAME_MACHINE}" = "s390"; then
+	  echo s390-ibm-linux && exit 0
+	elif test "${UNAME_MACHINE}" = "x86_64"; then
+	  echo x86_64-unknown-linux-gnu && exit 0
+	else
+	  # Either a pre-BFD a.out linker (linux-gnuoldld)
+	  # or one that does not give us useful --help.
+	  # GCC wants to distinguish between linux-gnuoldld and linux-gnuaout.
+	  # If ld does not provide *any* "supported emulations:"
+	  # that means it is gnuoldld.
+	  echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations:"
+	  test $? != 0 && echo "${UNAME_MACHINE}-pc-linux-gnuoldld" && exit 0
+
+	  case "${UNAME_MACHINE}" in
+	  i?86)
+	    VENDOR=pc;
+	    ;;
+	  *)
+	    VENDOR=unknown;
+	    ;;
+	  esac
+	  # Determine whether the default compiler is a.out or elf
+	  cat >$dummy.c <<EOF
+#include <features.h>
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+#ifdef __ELF__
+# ifdef __GLIBC__
+#  if __GLIBC__ >= 2
+    printf ("%s-${VENDOR}-linux-gnu\n", argv[1]);
+#  else
+    printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]);
+#  endif
+# else
+   printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]);
+# endif
+#else
+  printf ("%s-${VENDOR}-linux-gnuaout\n", argv[1]);
+#endif
+  return 0;
+}
+EOF
+	  $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
+	  rm -f $dummy.c $dummy
+	  test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
+	fi ;;
+# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.  earlier versions
+# are messed up and put the nodename in both sysname and nodename.
+    i?86:DYNIX/ptx:4*:*)
+	echo i386-sequent-sysv4
+	exit 0 ;;
+    i?86:UNIX_SV:4.2MP:2.*)
+        # Unixware is an offshoot of SVR4, but it has its own version
+        # number series starting with 2...
+        # I am not positive that other SVR4 systems won't match this,
+	# I just have to hope.  -- rms.
+        # Use sysv4.2uw... so that sysv4* matches it.
+	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	exit 0 ;;
+    i?86:*:4.*:* | i?86:SYSTEM_V:4.*:*)
+	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+	fi
+	exit 0 ;;
+    i?86:*:5:7*)
+        # Fixed at (any) Pentium or better
+        UNAME_MACHINE=i586
+        if [ ${UNAME_SYSTEM} = "UnixWare" ] ; then
+	    echo ${UNAME_MACHINE}-sco-sysv${UNAME_RELEASE}uw${UNAME_VERSION}
+	else
+	    echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE}
+	fi
+	exit 0 ;;
+    i?86:*:3.2:*)
+	if test -f /usr/options/cb.name; then
+		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+	elif /bin/uname -X 2>/dev/null >/dev/null ; then
+		UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')`
+		(/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486
+		(/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \
+			&& UNAME_MACHINE=i586
+		(/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		(/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+	else
+		echo ${UNAME_MACHINE}-pc-sysv32
+	fi
+	exit 0 ;;
+    i?86:*DOS:*:*)
+	echo ${UNAME_MACHINE}-pc-msdosdjgpp
+	exit 0 ;;
+    pc:*:*:*)
+	# Left here for compatibility:
+        # uname -m prints for DJGPP always 'pc', but it prints nothing about
+        # the processor, so we play safe by assuming i386.
+	echo i386-pc-msdosdjgpp
+        exit 0 ;;
+    Intel:Mach:3*:*)
+	echo i386-pc-mach3
+	exit 0 ;;
+    paragon:*:*:*)
+	echo i860-intel-osf1
+	exit 0 ;;
+    i860:*:4.*:*) # i860-SVR4
+	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	else # Add other i860-SVR4 vendors below as they are discovered.
+	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	fi
+	exit 0 ;;
+    mini*:CTIX:SYS*5:*)
+	# "miniframe"
+	echo m68010-convergent-sysv
+	exit 0 ;;
+    M68*:*:R3V[567]*:*)
+	test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
+    3[34]??:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 4850:*:4.0:3.0)
+	OS_REL=''
+	test -r /etc/.relid \
+	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && echo i486-ncr-sysv4.3${OS_REL} && exit 0
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	  && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
+    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+          && echo i486-ncr-sysv4 && exit 0 ;;
+    m68*:LynxOS:2.*:*)
+	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    mc68030:UNIX_System_V:4.*:*)
+	echo m68k-atari-sysv4
+	exit 0 ;;
+    i?86:LynxOS:2.*:* | i?86:LynxOS:3.[01]*:*)
+	echo i386-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    TSUNAMI:LynxOS:2.*:*)
+	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    rs6000:LynxOS:2.*:* | PowerPC:LynxOS:2.*:*)
+	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    SM[BE]S:UNIX_SV:*:*)
+	echo mips-dde-sysv${UNAME_RELEASE}
+	exit 0 ;;
+    RM*:ReliantUNIX-*:*:*)
+	echo mips-sni-sysv4
+	exit 0 ;;
+    RM*:SINIX-*:*:*)
+	echo mips-sni-sysv4
+	exit 0 ;;
+    *:SINIX-*:*:*)
+	if uname -p 2>/dev/null >/dev/null ; then
+		UNAME_MACHINE=`(uname -p) 2>/dev/null`
+		echo ${UNAME_MACHINE}-sni-sysv4
+	else
+		echo ns32k-sni-sysv
+	fi
+	exit 0 ;;
+    PENTIUM:CPunix:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+                           # says <Richard.M.Bartel@ccMail.Census.GOV>
+        echo i586-unisys-sysv4
+        exit 0 ;;
+    *:UNIX_System_V:4*:FTX*)
+	# From Gerald Hewes <hewes@openmarket.com>.
+	# How about differentiating between stratus architectures? -djm
+	echo hppa1.1-stratus-sysv4
+	exit 0 ;;
+    *:*:*:FTX*)
+	# From seanf@swdc.stratus.com.
+	echo i860-stratus-sysv4
+	exit 0 ;;
+    mc68*:A/UX:*:*)
+	echo m68k-apple-aux${UNAME_RELEASE}
+	exit 0 ;;
+    news*:NEWS-OS:6*:*)
+	echo mips-sony-newsos6
+	exit 0 ;;
+    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+	if [ -d /usr/nec ]; then
+	        echo mips-nec-sysv${UNAME_RELEASE}
+	else
+	        echo mips-unknown-sysv${UNAME_RELEASE}
+	fi
+        exit 0 ;;
+    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
+	echo powerpc-be-beos
+	exit 0 ;;
+    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
+	echo powerpc-apple-beos
+	exit 0 ;;
+    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
+	echo i586-pc-beos
+	exit 0 ;;
+    SX-4:SUPER-UX:*:*)
+	echo sx4-nec-superux${UNAME_RELEASE}
+	exit 0 ;;
+    SX-5:SUPER-UX:*:*)
+	echo sx5-nec-superux${UNAME_RELEASE}
+	exit 0 ;;
+    Power*:Rhapsody:*:*)
+	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	exit 0 ;;
+    *:Rhapsody:*:*)
+	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	exit 0 ;;
+    *:Darwin:*:*)
+	echo `uname -p`-apple-darwin${UNAME_RELEASE}
+	exit 0 ;;
+    *:procnto*:*:* | *:QNX:[0123456789]*:*)
+	if test "${UNAME_MACHINE}" = "x86pc"; then
+		UNAME_MACHINE=pc
+	fi
+	echo `uname -p`-${UNAME_MACHINE}-nto-qnx
+	exit 0 ;;
+    *:QNX:*:4*)
+	echo i386-pc-qnx
+	exit 0 ;;
+    NSR-[KW]:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk${UNAME_RELEASE}
+	exit 0 ;;
+    BS2000:POSIX*:*:*)
+	echo bs2000-siemens-sysv
+	exit 0 ;;
+    DS/*:UNIX_System_V:*:*)
+	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	exit 0 ;;
+    *:Plan9:*:*)
+	# "uname -m" is not consistent, so use $cputype instead. 386
+	# is converted to i386 for consistency with other x86
+	# operating systems.
+	if test "$cputype" = "386"; then
+	    UNAME_MACHINE=i386
+	else
+	    UNAME_MACHINE="$cputype"
+	fi
+	echo ${UNAME_MACHINE}-unknown-plan9
+	exit 0 ;;
+    *:OS/2:*:*)
+	echo ${UNAME_MACHINE}-pc-os2_emx
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
+     I don't know....  */
+  printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+  printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+          "4"
+#else
+	  ""
+#endif
+         ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+  printf ("arm-acorn-riscix"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+  printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+  int version;
+  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+  if (version < 4)
+    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+  else
+    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+  exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+  printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+  printf ("ns32k-encore-mach\n"); exit (0);
+#else
+  printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+  printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+  printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+  printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+    struct utsname un;
+
+    uname(&un);
+
+    if (strncmp(un.version, "V2", 2) == 0) {
+	printf ("i386-sequent-ptx2\n"); exit (0);
+    }
+    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+	printf ("i386-sequent-ptx1\n"); exit (0);
+    }
+    printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+#if !defined (ultrix)
+  printf ("vax-dec-bsd\n"); exit (0);
+#else
+  printf ("vax-dec-ultrix\n"); exit (0);
+#endif
+#endif
+
+#if defined (alliant) && defined (i860)
+  printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+  exit (1);
+}
+EOF
+
+$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm $dummy.c $dummy && exit 0
+rm -f $dummy.c $dummy
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+    case `getsysinfo -f cpu_type` in
+    c1*)
+	echo c1-convex-bsd
+	exit 0 ;;
+    c2*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+	exit 0 ;;
+    c34*)
+	echo c34-convex-bsd
+	exit 0 ;;
+    c38*)
+	echo c38-convex-bsd
+	exit 0 ;;
+    c4*)
+	echo c4-convex-bsd
+	exit 0 ;;
+    esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+The $version version of this script cannot recognize your system type.
+Please download the most up to date version of the config scripts:
+
+    ftp://ftp.gnu.org/pub/gnu/config/
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess version = $version
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM  = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "version='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/crypto/kerberosIV/config.sub b/crypto/kerberosIV/config.sub
new file mode 100644
index 0000000..42fc991
--- /dev/null
+++ b/crypto/kerberosIV/config.sub
@@ -0,0 +1,1328 @@
+#! /bin/sh
+# Configuration validation subroutine script, version 1.1.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000
+#   Free Software Foundation, Inc.
+
+version='2000-09-11'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine.  It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Please send patches to <config-patches@gnu.org>.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support.  The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+       $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+  -h, --help               print this help, then exit
+  -V, --version            print version number, then exit"
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case "$1" in
+    --version | --vers* | -V )
+       echo "$version" ; exit 0 ;;
+    --help | --h* | -h )
+       echo "$usage"; exit 0 ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       exec >&2
+       echo "$me: invalid option $1"
+       echo "$help"
+       exit 1 ;;
+
+    *local*)
+       # First pass through any local machine types.
+       echo $1
+       exit 0;;
+
+    * )
+       break ;;
+  esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+    exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+    exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+  nto-qnx* | linux-gnu*)
+    os=-$maybe_os
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    ;;
+  *)
+    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+    if [ $basic_machine != $1 ]
+    then os=`echo $1 | sed 's/.*-/-/'`
+    else os=; fi
+    ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work.  We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+	-sun*os*)
+		# Prevent following clause from handling this invalid input.
+		;;
+	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+	-apple | -axis)
+		os=
+		basic_machine=$1
+		;;
+	-sim | -cisco | -oki | -wec | -winbond)
+		os=
+		basic_machine=$1
+		;;
+	-scout)
+		;;
+	-wrs)
+		os=-vxworks
+		basic_machine=$1
+		;;
+	-hiux*)
+		os=-hiuxwe2
+		;;
+	-sco5)
+		os=-sco3.2v5
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco4)
+		os=-sco3.2v4
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2.[4-9]*)
+		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2v[4-9]*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco*)
+		os=-sco3.2v2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-udk*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-isc)
+		os=-isc2.2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-clix*)
+		basic_machine=clipper-intergraph
+		;;
+	-isc*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-lynx*)
+		os=-lynxos
+		;;
+	-ptx*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+		;;
+	-windowsnt*)
+		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		;;
+	-psos*)
+		os=-psos
+		;;
+	-mint | -mint[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+	# Recognize the basic CPU types without company name.
+	# Some are omitted here because they have special meanings below.
+	tahoe | i860 | ia64 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \
+		| arme[lb] | armv[2345] | armv[345][lb] | pyramid | mn10200 | mn10300 | tron | a29k \
+		| 580 | i960 | h8300 \
+		| x86 | ppcbe | mipsbe | mipsle | shbe | shle | armbe | armle \
+		| hppa | hppa1.0 | hppa1.1 | hppa2.0 | hppa2.0w | hppa2.0n \
+		| hppa64 \
+		| alpha | alphaev[4-8] | alphaev56 | alphapca5[67] \
+		| alphaev6[78] \
+		| we32k | ns16k | clipper | i370 | sh | sh[34] \
+		| powerpc | powerpcle \
+		| 1750a | dsp16xx | pdp11 | mips16 | mips64 | mipsel | mips64el \
+		| mips64orion | mips64orionel | mipstx39 | mipstx39el \
+		| mips64vr4300 | mips64vr4300el | mips64vr4100 | mips64vr4100el \
+		| mips64vr5000 | miprs64vr5000el | mcore \
+		| sparc | sparclet | sparclite | sparc64 | sparcv9 | v850 | c4x \
+		| thumb | d10v | d30v | fr30 | avr)
+		basic_machine=$basic_machine-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12)
+		# Motorola 68HC11/12.
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | z8k | v70 | h8500 | w65 | pj | pjl)
+		;;
+
+	# We use `pc' rather than `unknown'
+	# because (1) that's what they normally are, and
+	# (2) the word "unknown" tends to confuse beginning users.
+	i[234567]86 | x86_64)
+	  basic_machine=$basic_machine-pc
+	  ;;
+	# Object if more than one company name word.
+	*-*-*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+	# Recognize the basic CPU types with company name.
+	# FIXME: clean up the formatting here.
+	vax-* | tahoe-* | i[234567]86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
+	      | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \
+	      | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
+	      | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
+	      | xmp-* | ymp-* \
+	      | x86-* | ppcbe-* | mipsbe-* | mipsle-* | shbe-* | shle-* | armbe-* | armle-* \
+	      | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* | hppa2.0w-* \
+	      | hppa2.0n-* | hppa64-* \
+	      | alpha-* | alphaev[4-8]-* | alphaev56-* | alphapca5[67]-* \
+	      | alphaev6[78]-* \
+	      | we32k-* | cydra-* | ns16k-* | pn-* | np1-* | xps100-* \
+	      | clipper-* | orion-* \
+	      | sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \
+	      | sparc64-* | sparcv9-* | sparc86x-* | mips16-* | mips64-* | mipsel-* \
+	      | mips64el-* | mips64orion-* | mips64orionel-* \
+	      | mips64vr4100-* | mips64vr4100el-* | mips64vr4300-* | mips64vr4300el-* \
+	      | mipstx39-* | mipstx39el-* | mcore-* \
+	      | f301-* | armv*-* | s390-* | sv1-* | t3e-* \
+	      | m88110-* | m680[01234]0-* | m683?2-* | m68360-* | z8k-* | d10v-* \
+	      | thumb-* | v850-* | d30v-* | tic30-* | c30-* | fr30-* \
+	      | bs2000-* | tic54x-* | c54x-* | x86_64-*)
+		;;
+	# Recognize the various machine names and aliases which stand
+	# for a CPU type and a company and sometimes even an OS.
+	386bsd)
+		basic_machine=i386-unknown
+		os=-bsd
+		;;
+	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+		basic_machine=m68000-att
+		;;
+	3b*)
+		basic_machine=we32k-att
+		;;
+	a29khif)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	adobe68k)
+		basic_machine=m68010-adobe
+		os=-scout
+		;;
+	alliant | fx80)
+		basic_machine=fx80-alliant
+		;;
+	altos | altos3068)
+		basic_machine=m68k-altos
+		;;
+	am29k)
+		basic_machine=a29k-none
+		os=-bsd
+		;;
+	amdahl)
+		basic_machine=580-amdahl
+		os=-sysv
+		;;
+	amiga | amiga-*)
+		basic_machine=m68k-unknown
+		;;
+	amigaos | amigados)
+		basic_machine=m68k-unknown
+		os=-amigaos
+		;;
+	amigaunix | amix)
+		basic_machine=m68k-unknown
+		os=-sysv4
+		;;
+	apollo68)
+		basic_machine=m68k-apollo
+		os=-sysv
+		;;
+	apollo68bsd)
+		basic_machine=m68k-apollo
+		os=-bsd
+		;;
+	aux)
+		basic_machine=m68k-apple
+		os=-aux
+		;;
+	balance)
+		basic_machine=ns32k-sequent
+		os=-dynix
+		;;
+	convex-c1)
+		basic_machine=c1-convex
+		os=-bsd
+		;;
+	convex-c2)
+		basic_machine=c2-convex
+		os=-bsd
+		;;
+	convex-c32)
+		basic_machine=c32-convex
+		os=-bsd
+		;;
+	convex-c34)
+		basic_machine=c34-convex
+		os=-bsd
+		;;
+	convex-c38)
+		basic_machine=c38-convex
+		os=-bsd
+		;;
+	cray | ymp)
+		basic_machine=ymp-cray
+		os=-unicos
+		;;
+	cray2)
+		basic_machine=cray2-cray
+		os=-unicos
+		;;
+	[ctj]90-cray)
+		basic_machine=c90-cray
+		os=-unicos
+		;;
+	crds | unos)
+		basic_machine=m68k-crds
+		;;
+	cris | cris-* | etrax*)
+		basic_machine=cris-axis
+		;;
+	da30 | da30-*)
+		basic_machine=m68k-da30
+		;;
+	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+		basic_machine=mips-dec
+		;;
+	delta | 3300 | motorola-3300 | motorola-delta \
+	      | 3300-motorola | delta-motorola)
+		basic_machine=m68k-motorola
+		;;
+	delta88)
+		basic_machine=m88k-motorola
+		os=-sysv3
+		;;
+	dpx20 | dpx20-*)
+		basic_machine=rs6000-bull
+		os=-bosx
+		;;
+	dpx2* | dpx2*-bull)
+		basic_machine=m68k-bull
+		os=-sysv3
+		;;
+	ebmon29k)
+		basic_machine=a29k-amd
+		os=-ebmon
+		;;
+	elxsi)
+		basic_machine=elxsi-elxsi
+		os=-bsd
+		;;
+	encore | umax | mmax)
+		basic_machine=ns32k-encore
+		;;
+	es1800 | OSE68k | ose68k | ose | OSE)
+		basic_machine=m68k-ericsson
+		os=-ose
+		;;
+	fx2800)
+		basic_machine=i860-alliant
+		;;
+	genix)
+		basic_machine=ns32k-ns
+		;;
+	gmicro)
+		basic_machine=tron-gmicro
+		os=-sysv
+		;;
+	h3050r* | hiux*)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	h8300hms)
+		basic_machine=h8300-hitachi
+		os=-hms
+		;;
+	h8300xray)
+		basic_machine=h8300-hitachi
+		os=-xray
+		;;
+	h8500hms)
+		basic_machine=h8500-hitachi
+		os=-hms
+		;;
+	harris)
+		basic_machine=m88k-harris
+		os=-sysv3
+		;;
+	hp300-*)
+		basic_machine=m68k-hp
+		;;
+	hp300bsd)
+		basic_machine=m68k-hp
+		os=-bsd
+		;;
+	hp300hpux)
+		basic_machine=m68k-hp
+		os=-hpux
+		;;
+	hp3k9[0-9][0-9] | hp9[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k2[0-9][0-9] | hp9k31[0-9])
+		basic_machine=m68000-hp
+		;;
+	hp9k3[2-9][0-9])
+		basic_machine=m68k-hp
+		;;
+	hp9k6[0-9][0-9] | hp6[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k7[0-79][0-9] | hp7[0-79][0-9])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k78[0-9] | hp78[0-9])
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][13679] | hp8[0-9][13679])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][0-9] | hp8[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hppa-next)
+		os=-nextstep3
+		;;
+	hppaosf)
+		basic_machine=hppa1.1-hp
+		os=-osf
+		;;
+	hppro)
+		basic_machine=hppa1.1-hp
+		os=-proelf
+		;;
+	i370-ibm* | ibm*)
+		basic_machine=i370-ibm
+		;;
+# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
+	i[34567]86v32)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv32
+		;;
+	i[34567]86v4*)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv4
+		;;
+	i[34567]86v)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv
+		;;
+	i[34567]86sol2)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-solaris2
+		;;
+	i386mach)
+		basic_machine=i386-mach
+		os=-mach
+		;;
+	i386-vsta | vsta)
+		basic_machine=i386-unknown
+		os=-vsta
+		;;
+	i386-go32 | go32)
+		basic_machine=i386-unknown
+		os=-go32
+		;;
+	i386-mingw32 | mingw32)
+		basic_machine=i386-unknown
+		os=-mingw32
+		;;
+	i[34567]86-pw32 | pw32)
+		basic_machine=i586-unknown
+		os=-pw32
+		;;
+	iris | iris4d)
+		basic_machine=mips-sgi
+		case $os in
+		    -irix*)
+			;;
+		    *)
+			os=-irix4
+			;;
+		esac
+		;;
+	isi68 | isi)
+		basic_machine=m68k-isi
+		os=-sysv
+		;;
+	m88k-omron*)
+		basic_machine=m88k-omron
+		;;
+	magnum | m3230)
+		basic_machine=mips-mips
+		os=-sysv
+		;;
+	merlin)
+		basic_machine=ns32k-utek
+		os=-sysv
+		;;
+	miniframe)
+		basic_machine=m68000-convergent
+		;;
+	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+	mipsel*-linux*)
+		basic_machine=mipsel-unknown
+		os=-linux-gnu
+		;;
+	mips*-linux*)
+		basic_machine=mips-unknown
+		os=-linux-gnu
+		;;
+	mips3*-*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		;;
+	mips3*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		;;
+	mmix*)
+		basic_machine=mmix-knuth
+		os=-mmixware
+		;;
+	monitor)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	msdos)
+		basic_machine=i386-unknown
+		os=-msdos
+		;;
+	mvs)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
+	ncr3000)
+		basic_machine=i486-ncr
+		os=-sysv4
+		;;
+	netbsd386)
+		basic_machine=i386-unknown
+		os=-netbsd
+		;;
+	netwinder)
+		basic_machine=armv4l-rebel
+		os=-linux
+		;;
+	news | news700 | news800 | news900)
+		basic_machine=m68k-sony
+		os=-newsos
+		;;
+	news1000)
+		basic_machine=m68030-sony
+		os=-newsos
+		;;
+	news-3600 | risc-news)
+		basic_machine=mips-sony
+		os=-newsos
+		;;
+	necv70)
+		basic_machine=v70-nec
+		os=-sysv
+		;;
+	next | m*-next )
+		basic_machine=m68k-next
+		case $os in
+		    -nextstep* )
+			;;
+		    -ns2*)
+		      os=-nextstep2
+			;;
+		    *)
+		      os=-nextstep3
+			;;
+		esac
+		;;
+	nh3000)
+		basic_machine=m68k-harris
+		os=-cxux
+		;;
+	nh[45]000)
+		basic_machine=m88k-harris
+		os=-cxux
+		;;
+	nindy960)
+		basic_machine=i960-intel
+		os=-nindy
+		;;
+	mon960)
+		basic_machine=i960-intel
+		os=-mon960
+		;;
+	np1)
+		basic_machine=np1-gould
+		;;
+	nsr-tandem)
+		basic_machine=nsr-tandem
+		;;
+	op50n-* | op60c-*)
+		basic_machine=hppa1.1-oki
+		os=-proelf
+		;;
+	OSE68000 | ose68000)
+		basic_machine=m68000-ericsson
+		os=-ose
+		;;
+	os68k)
+		basic_machine=m68k-none
+		os=-os68k
+		;;
+	pa-hitachi)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	paragon)
+		basic_machine=i860-intel
+		os=-osf
+		;;
+	pbd)
+		basic_machine=sparc-tti
+		;;
+	pbb)
+		basic_machine=m68k-tti
+		;;
+        pc532 | pc532-*)
+		basic_machine=ns32k-pc532
+		;;
+	pentium | p5 | k5 | k6 | nexen)
+		basic_machine=i586-pc
+		;;
+	pentiumpro | p6 | 6x86 | athlon)
+		basic_machine=i686-pc
+		;;
+	pentiumii | pentium2)
+		basic_machine=i786-pc
+		;;
+	pentium-* | p5-* | k5-* | k6-* | nexen-*)
+		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumpro-* | p6-* | 6x86-* | athlon-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumii-* | pentium2-*)
+		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pn)
+		basic_machine=pn-gould
+		;;
+	power)	basic_machine=rs6000-ibm
+		;;
+	ppc)	basic_machine=powerpc-unknown
+	        ;;
+	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppcle | powerpclittle | ppc-le | powerpc-little)
+		basic_machine=powerpcle-unknown
+	        ;;
+	ppcle-* | powerpclittle-*)
+		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ps2)
+		basic_machine=i386-ibm
+		;;
+	rom68k)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	rm[46]00)
+		basic_machine=mips-siemens
+		;;
+	rtpc | rtpc-*)
+		basic_machine=romp-ibm
+		;;
+	sa29200)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	sequent)
+		basic_machine=i386-sequent
+		;;
+	sh)
+		basic_machine=sh-hitachi
+		os=-hms
+		;;
+	sparclite-wrs)
+		basic_machine=sparclite-wrs
+		os=-vxworks
+		;;
+	sps7)
+		basic_machine=m68k-bull
+		os=-sysv2
+		;;
+	spur)
+		basic_machine=spur-unknown
+		;;
+	st2000)
+		basic_machine=m68k-tandem
+		;;
+	stratus)
+		basic_machine=i860-stratus
+		os=-sysv4
+		;;
+	sun2)
+		basic_machine=m68000-sun
+		;;
+	sun2os3)
+		basic_machine=m68000-sun
+		os=-sunos3
+		;;
+	sun2os4)
+		basic_machine=m68000-sun
+		os=-sunos4
+		;;
+	sun3os3)
+		basic_machine=m68k-sun
+		os=-sunos3
+		;;
+	sun3os4)
+		basic_machine=m68k-sun
+		os=-sunos4
+		;;
+	sun4os3)
+		basic_machine=sparc-sun
+		os=-sunos3
+		;;
+	sun4os4)
+		basic_machine=sparc-sun
+		os=-sunos4
+		;;
+	sun4sol2)
+		basic_machine=sparc-sun
+		os=-solaris2
+		;;
+	sun3 | sun3-*)
+		basic_machine=m68k-sun
+		;;
+	sun4)
+		basic_machine=sparc-sun
+		;;
+	sun386 | sun386i | roadrunner)
+		basic_machine=i386-sun
+		;;
+	sv1)
+		basic_machine=sv1-cray
+		os=-unicos
+		;;
+	symmetry)
+		basic_machine=i386-sequent
+		os=-dynix
+		;;
+	t3e)
+		basic_machine=t3e-cray
+		os=-unicos
+		;;
+	tic54x | c54x*)
+		basic_machine=tic54x-unknown
+		os=-coff
+		;;
+	tx39)
+		basic_machine=mipstx39-unknown
+		;;
+	tx39el)
+		basic_machine=mipstx39el-unknown
+		;;
+	tower | tower-32)
+		basic_machine=m68k-ncr
+		;;
+	udi29k)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	ultra3)
+		basic_machine=a29k-nyu
+		os=-sym1
+		;;
+	v810 | necv810)
+		basic_machine=v810-nec
+		os=-none
+		;;
+	vaxv)
+		basic_machine=vax-dec
+		os=-sysv
+		;;
+	vms)
+		basic_machine=vax-dec
+		os=-vms
+		;;
+	vpp*|vx|vx-*)
+               basic_machine=f301-fujitsu
+               ;;
+	vxworks960)
+		basic_machine=i960-wrs
+		os=-vxworks
+		;;
+	vxworks68)
+		basic_machine=m68k-wrs
+		os=-vxworks
+		;;
+	vxworks29k)
+		basic_machine=a29k-wrs
+		os=-vxworks
+		;;
+	w65*)
+		basic_machine=w65-wdc
+		os=-none
+		;;
+	w89k-*)
+		basic_machine=hppa1.1-winbond
+		os=-proelf
+		;;
+	xmp)
+		basic_machine=xmp-cray
+		os=-unicos
+		;;
+        xps | xps100)
+		basic_machine=xps100-honeywell
+		;;
+	z8k-*-coff)
+		basic_machine=z8k-unknown
+		os=-sim
+		;;
+	none)
+		basic_machine=none-none
+		os=-none
+		;;
+
+# Here we handle the default manufacturer of certain CPU types.  It is in
+# some cases the only manufacturer, in others, it is the most popular.
+	w89k)
+		basic_machine=hppa1.1-winbond
+		;;
+	op50n)
+		basic_machine=hppa1.1-oki
+		;;
+	op60c)
+		basic_machine=hppa1.1-oki
+		;;
+	mips)
+		if [ x$os = x-linux-gnu ]; then
+			basic_machine=mips-unknown
+		else
+			basic_machine=mips-mips
+		fi
+		;;
+	romp)
+		basic_machine=romp-ibm
+		;;
+	rs6000)
+		basic_machine=rs6000-ibm
+		;;
+	vax)
+		basic_machine=vax-dec
+		;;
+	pdp11)
+		basic_machine=pdp11-dec
+		;;
+	we32k)
+		basic_machine=we32k-att
+		;;
+	sh3 | sh4)
+		base_machine=sh-unknown
+		;;
+	sparc | sparcv9)
+		basic_machine=sparc-sun
+		;;
+        cydra)
+		basic_machine=cydra-cydrome
+		;;
+	orion)
+		basic_machine=orion-highlevel
+		;;
+	orion105)
+		basic_machine=clipper-highlevel
+		;;
+	mac | mpw | mac-mpw)
+		basic_machine=m68k-apple
+		;;
+	pmac | pmac-mpw)
+		basic_machine=powerpc-apple
+		;;
+	c4x*)
+		basic_machine=c4x-none
+		os=-coff
+		;;
+	*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+	*-digital*)
+		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		;;
+	*-commodore*)
+		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		;;
+	*)
+		;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+        # First match some system type aliases
+        # that might get confused with valid system types.
+	# -solaris* is a basic system type, with this one exception.
+	-solaris1 | -solaris1.*)
+		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		;;
+	-solaris)
+		os=-solaris2
+		;;
+	-svr4*)
+		os=-sysv4
+		;;
+	-unixware*)
+		os=-sysv4.2uw
+		;;
+	-gnu/linux*)
+		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+		;;
+	# First accept the basic system types.
+	# The portable systems comes first.
+	# Each alternative MUST END IN A *, to match a version number.
+	# -sysv* is not here because it comes later, after sysvr4.
+	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+	      | -aos* \
+	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+	      | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \
+	      | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \
+	      | -openstep* | -oskit* | -conix* | -pw32*)
+	# Remember, each alternative MUST END IN *, to match a version number.
+		;;
+	-qnx*)
+		case $basic_machine in
+		    x86-* | i[34567]86-*)
+			;;
+		    *)
+			os=-nto$os
+			;;
+		esac
+		;;
+	-nto*)
+		os=-nto-qnx
+		;;
+	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
+	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+		;;
+	-mac*)
+		os=`echo $os | sed -e 's|mac|macos|'`
+		;;
+	-linux*)
+		os=`echo $os | sed -e 's|linux|linux-gnu|'`
+		;;
+	-sunos5*)
+		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		;;
+	-sunos6*)
+		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		;;
+	-opened*)
+		os=-openedition
+		;;
+	-wince*)
+		os=-wince
+		;;
+	-osfrose*)
+		os=-osfrose
+		;;
+	-osf*)
+		os=-osf
+		;;
+	-utek*)
+		os=-bsd
+		;;
+	-dynix*)
+		os=-bsd
+		;;
+	-acis*)
+		os=-aos
+		;;
+	-386bsd)
+		os=-bsd
+		;;
+	-ctix* | -uts*)
+		os=-sysv
+		;;
+	-ns2 )
+	        os=-nextstep2
+		;;
+	-nsk*)
+		os=-nsk
+		;;
+	# Preserve the version number of sinix5.
+	-sinix5.*)
+		os=`echo $os | sed -e 's|sinix|sysv|'`
+		;;
+	-sinix*)
+		os=-sysv4
+		;;
+	-triton*)
+		os=-sysv3
+		;;
+	-oss*)
+		os=-sysv3
+		;;
+	-svr4)
+		os=-sysv4
+		;;
+	-svr3)
+		os=-sysv3
+		;;
+	-sysvr4)
+		os=-sysv4
+		;;
+	# This must come after -sysvr4.
+	-sysv*)
+		;;
+	-ose*)
+		os=-ose
+		;;
+	-es1800*)
+		os=-ose
+		;;
+	-xenix)
+		os=-xenix
+		;;
+        -*mint | -*MiNT)
+	        os=-mint
+		;;
+	-none)
+		;;
+	*)
+		# Get rid of the `-' at the beginning of $os.
+		os=`echo $os | sed 's/[^-]*-//'`
+		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		exit 1
+		;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system.  Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+	*-acorn)
+		os=-riscix1.2
+		;;
+	arm*-rebel)
+		os=-linux
+		;;
+	arm*-semi)
+		os=-aout
+		;;
+        pdp11-*)
+		os=-none
+		;;
+	*-dec | vax-*)
+		os=-ultrix4.2
+		;;
+	m68*-apollo)
+		os=-domain
+		;;
+	i386-sun)
+		os=-sunos4.0.2
+		;;
+	m68000-sun)
+		os=-sunos3
+		# This also exists in the configure program, but was not the
+		# default.
+		# os=-sunos4
+		;;
+	m68*-cisco)
+		os=-aout
+		;;
+	mips*-cisco)
+		os=-elf
+		;;
+	mips*-*)
+		os=-elf
+		;;
+	*-tti)	# must be before sparc entry or we get the wrong os.
+		os=-sysv3
+		;;
+	sparc-* | *-sun)
+		os=-sunos4.1.1
+		;;
+	*-be)
+		os=-beos
+		;;
+	*-ibm)
+		os=-aix
+		;;
+	*-wec)
+		os=-proelf
+		;;
+	*-winbond)
+		os=-proelf
+		;;
+	*-oki)
+		os=-proelf
+		;;
+	*-hp)
+		os=-hpux
+		;;
+	*-hitachi)
+		os=-hiux
+		;;
+	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+		os=-sysv
+		;;
+	*-cbm)
+		os=-amigaos
+		;;
+	*-dg)
+		os=-dgux
+		;;
+	*-dolphin)
+		os=-sysv3
+		;;
+	m68k-ccur)
+		os=-rtu
+		;;
+	m88k-omron*)
+		os=-luna
+		;;
+	*-next )
+		os=-nextstep
+		;;
+	*-sequent)
+		os=-ptx
+		;;
+	*-crds)
+		os=-unos
+		;;
+	*-ns)
+		os=-genix
+		;;
+	i370-*)
+		os=-mvs
+		;;
+	*-next)
+		os=-nextstep3
+		;;
+        *-gould)
+		os=-sysv
+		;;
+        *-highlevel)
+		os=-bsd
+		;;
+	*-encore)
+		os=-bsd
+		;;
+        *-sgi)
+		os=-irix
+		;;
+        *-siemens)
+		os=-sysv4
+		;;
+	*-masscomp)
+		os=-rtu
+		;;
+	f301-fujitsu)
+		os=-uxpv
+		;;
+	*-rom68k)
+		os=-coff
+		;;
+	*-*bug)
+		os=-coff
+		;;
+	*-apple)
+		os=-macos
+		;;
+	*-atari*)
+		os=-mint
+		;;
+	*)
+		os=-none
+		;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer.  We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+	*-unknown)
+		case $os in
+			-riscix*)
+				vendor=acorn
+				;;
+			-sunos*)
+				vendor=sun
+				;;
+			-aix*)
+				vendor=ibm
+				;;
+			-beos*)
+				vendor=be
+				;;
+			-hpux*)
+				vendor=hp
+				;;
+			-mpeix*)
+				vendor=hp
+				;;
+			-hiux*)
+				vendor=hitachi
+				;;
+			-unos*)
+				vendor=crds
+				;;
+			-dgux*)
+				vendor=dg
+				;;
+			-luna*)
+				vendor=omron
+				;;
+			-genix*)
+				vendor=ns
+				;;
+			-mvs* | -opened*)
+				vendor=ibm
+				;;
+			-ptx*)
+				vendor=sequent
+				;;
+			-vxsim* | -vxworks*)
+				vendor=wrs
+				;;
+			-aux*)
+				vendor=apple
+				;;
+			-hms*)
+				vendor=hitachi
+				;;
+			-mpw* | -macos*)
+				vendor=apple
+				;;
+			-*mint | -*MiNT)
+				vendor=atari
+				;;
+		esac
+		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		;;
+esac
+
+echo $basic_machine$os
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "version='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/crypto/kerberosIV/configure b/crypto/kerberosIV/configure
new file mode 100644
index 0000000..0ee1b832b
--- /dev/null
+++ b/crypto/kerberosIV/configure
@@ -0,0 +1,11632 @@
+#! /bin/sh
+
+# From configure.in Revision: 1.432.2.14 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# Define a conditional.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+# Guess values for system-dependent variables and create Makefiles.
+# Generated automatically using autoconf version 2.13 
+# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc.
+#
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+
+# Defaults:
+ac_help=
+ac_default_prefix=/usr/local
+# Any additions from configure.in:
+ac_default_prefix=/usr/athena
+ac_help="$ac_help
+  --with-socks=dir                use socks in dir"
+ac_help="$ac_help
+  --with-socks-lib=dir            use socks libraries in dir"
+ac_help="$ac_help
+  --with-socks-include=dir        use socks headers in dir"
+ac_help="$ac_help
+  --enable-legacy-kdestroy    kdestroy doesn't destroy tokens by default"
+ac_help="$ac_help
+  --enable-match-subdomains	match realm in subdomains"
+ac_help="$ac_help
+  --with-ld-flags=flags   what flags use when linking"
+ac_help="$ac_help
+  --with-cracklib=dir     use the cracklib.a in dir"
+ac_help="$ac_help
+  --with-dictpath=path    use this dictionary with cracklib
+"
+ac_help="$ac_help
+  --with-mailspool=dir    this is the mail spool directory
+"
+ac_help="$ac_help
+  --with-db-dir=dir	   this is the database directory (default /var/kerberos)"
+ac_help="$ac_help
+  --enable-random-mkey    use new code for master keys"
+ac_help="$ac_help
+  --with-mkey=file        where to put the master key"
+ac_help="$ac_help
+  --disable-otp           if you don't want OTP support"
+ac_help="$ac_help
+  --enable-osfc2          enable some OSF C2 support"
+ac_help="$ac_help
+  --disable-mmap          disable use of mmap"
+ac_help="$ac_help
+  --disable-dynamic-afs   don't use loaded AFS library with AIX"
+ac_help="$ac_help
+  --without-berkeley-db   if you don't want berkeley db"
+ac_help="$ac_help
+  --without-afs-support   if you don't want support for afs"
+ac_help="$ac_help
+  --with-des-quad-checksum=kind
+                           default checksum to use (new, old, or guess)"
+ac_help="$ac_help
+  --with-afsws=dir        use AFS includes and libraries from dir=/usr/afsws"
+ac_help="$ac_help
+  --enable-rxkad           build rxkad library"
+ac_help="$ac_help
+  --disable-cat-manpages   don't install any preformatted manpages"
+ac_help="$ac_help
+  --with-readline=dir                use readline in dir"
+ac_help="$ac_help
+  --with-readline-lib=dir            use readline libraries in dir"
+ac_help="$ac_help
+  --with-readline-include=dir        use readline headers in dir"
+ac_help="$ac_help
+  --with-mips-abi=abi     ABI to use for IRIX (32, n32, or 64)"
+ac_help="$ac_help
+  --with-hesiod=dir                use hesiod in dir"
+ac_help="$ac_help
+  --with-hesiod-lib=dir            use hesiod libraries in dir"
+ac_help="$ac_help
+  --with-hesiod-include=dir        use hesiod headers in dir"
+ac_help="$ac_help
+  --enable-shared         create shared libraries for Kerberos"
+ac_help="$ac_help
+  --with-x                use the X Window System"
+
+# Initialize some variables set by options.
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+build=NONE
+cache_file=./config.cache
+exec_prefix=NONE
+host=NONE
+no_create=
+nonopt=NONE
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+target=NONE
+verbose=
+x_includes=NONE
+x_libraries=NONE
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datadir='${prefix}/share'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+libdir='${exec_prefix}/lib'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+infodir='${prefix}/info'
+mandir='${prefix}/man'
+
+# Initialize some other variables.
+subdirs=
+MFLAGS= MAKEFLAGS=
+SHELL=${CONFIG_SHELL-/bin/sh}
+# Maximum number of lines to put in a shell here document.
+ac_max_here_lines=12
+
+ac_prev=
+for ac_option
+do
+
+  # If the previous option needs an argument, assign it.
+  if test -n "$ac_prev"; then
+    eval "$ac_prev=\$ac_option"
+    ac_prev=
+    continue
+  fi
+
+  case "$ac_option" in
+  -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) ac_optarg= ;;
+  esac
+
+  # Accept the important Cygnus configure options, so we can diagnose typos.
+
+  case "$ac_option" in
+
+  -bindir | --bindir | --bindi | --bind | --bin | --bi)
+    ac_prev=bindir ;;
+  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+    bindir="$ac_optarg" ;;
+
+  -build | --build | --buil | --bui | --bu)
+    ac_prev=build ;;
+  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+    build="$ac_optarg" ;;
+
+  -cache-file | --cache-file | --cache-fil | --cache-fi \
+  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+    ac_prev=cache_file ;;
+  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+    cache_file="$ac_optarg" ;;
+
+  -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
+    ac_prev=datadir ;;
+  -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
+  | --da=*)
+    datadir="$ac_optarg" ;;
+
+  -disable-* | --disable-*)
+    ac_feature=`echo $ac_option|sed -e 's/-*disable-//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then
+      { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
+    fi
+    ac_feature=`echo $ac_feature| sed 's/-/_/g'`
+    eval "enable_${ac_feature}=no" ;;
+
+  -enable-* | --enable-*)
+    ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then
+      { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; }
+    fi
+    ac_feature=`echo $ac_feature| sed 's/-/_/g'`
+    case "$ac_option" in
+      *=*) ;;
+      *) ac_optarg=yes ;;
+    esac
+    eval "enable_${ac_feature}='$ac_optarg'" ;;
+
+  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+  | --exec | --exe | --ex)
+    ac_prev=exec_prefix ;;
+  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+  | --exec=* | --exe=* | --ex=*)
+    exec_prefix="$ac_optarg" ;;
+
+  -gas | --gas | --ga | --g)
+    # Obsolete; use --with-gas.
+    with_gas=yes ;;
+
+  -help | --help | --hel | --he)
+    # Omit some internal or obsolete options to make the list less imposing.
+    # This message is too long to be a string in the A/UX 3.1 sh.
+    cat << EOF
+Usage: configure [options] [host]
+Options: [defaults in brackets after descriptions]
+Configuration:
+  --cache-file=FILE       cache test results in FILE
+  --help                  print this message
+  --no-create             do not create output files
+  --quiet, --silent       do not print \`checking...' messages
+  --version               print the version of autoconf that created configure
+Directory and file names:
+  --prefix=PREFIX         install architecture-independent files in PREFIX
+                          [$ac_default_prefix]
+  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
+                          [same as prefix]
+  --bindir=DIR            user executables in DIR [EPREFIX/bin]
+  --sbindir=DIR           system admin executables in DIR [EPREFIX/sbin]
+  --libexecdir=DIR        program executables in DIR [EPREFIX/libexec]
+  --datadir=DIR           read-only architecture-independent data in DIR
+                          [PREFIX/share]
+  --sysconfdir=DIR        read-only single-machine data in DIR [PREFIX/etc]
+  --sharedstatedir=DIR    modifiable architecture-independent data in DIR
+                          [PREFIX/com]
+  --localstatedir=DIR     modifiable single-machine data in DIR [PREFIX/var]
+  --libdir=DIR            object code libraries in DIR [EPREFIX/lib]
+  --includedir=DIR        C header files in DIR [PREFIX/include]
+  --oldincludedir=DIR     C header files for non-gcc in DIR [/usr/include]
+  --infodir=DIR           info documentation in DIR [PREFIX/info]
+  --mandir=DIR            man documentation in DIR [PREFIX/man]
+  --srcdir=DIR            find the sources in DIR [configure dir or ..]
+  --program-prefix=PREFIX prepend PREFIX to installed program names
+  --program-suffix=SUFFIX append SUFFIX to installed program names
+  --program-transform-name=PROGRAM
+                          run sed PROGRAM on installed program names
+EOF
+    cat << EOF
+Host type:
+  --build=BUILD           configure for building on BUILD [BUILD=HOST]
+  --host=HOST             configure for HOST [guessed]
+  --target=TARGET         configure for TARGET [TARGET=HOST]
+Features and packages:
+  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
+  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
+  --x-includes=DIR        X include files are in DIR
+  --x-libraries=DIR       X library files are in DIR
+EOF
+    if test -n "$ac_help"; then
+      echo "--enable and --with options recognized:$ac_help"
+    fi
+    exit 0 ;;
+
+  -host | --host | --hos | --ho)
+    ac_prev=host ;;
+  -host=* | --host=* | --hos=* | --ho=*)
+    host="$ac_optarg" ;;
+
+  -includedir | --includedir | --includedi | --included | --include \
+  | --includ | --inclu | --incl | --inc)
+    ac_prev=includedir ;;
+  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+  | --includ=* | --inclu=* | --incl=* | --inc=*)
+    includedir="$ac_optarg" ;;
+
+  -infodir | --infodir | --infodi | --infod | --info | --inf)
+    ac_prev=infodir ;;
+  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+    infodir="$ac_optarg" ;;
+
+  -libdir | --libdir | --libdi | --libd)
+    ac_prev=libdir ;;
+  -libdir=* | --libdir=* | --libdi=* | --libd=*)
+    libdir="$ac_optarg" ;;
+
+  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+  | --libexe | --libex | --libe)
+    ac_prev=libexecdir ;;
+  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+  | --libexe=* | --libex=* | --libe=*)
+    libexecdir="$ac_optarg" ;;
+
+  -localstatedir | --localstatedir | --localstatedi | --localstated \
+  | --localstate | --localstat | --localsta | --localst \
+  | --locals | --local | --loca | --loc | --lo)
+    ac_prev=localstatedir ;;
+  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+  | --localstate=* | --localstat=* | --localsta=* | --localst=* \
+  | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
+    localstatedir="$ac_optarg" ;;
+
+  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+    ac_prev=mandir ;;
+  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+    mandir="$ac_optarg" ;;
+
+  -nfp | --nfp | --nf)
+    # Obsolete; use --without-fp.
+    with_fp=no ;;
+
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c)
+    no_create=yes ;;
+
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+    no_recursion=yes ;;
+
+  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+  | --oldin | --oldi | --old | --ol | --o)
+    ac_prev=oldincludedir ;;
+  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+    oldincludedir="$ac_optarg" ;;
+
+  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+    ac_prev=prefix ;;
+  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+    prefix="$ac_optarg" ;;
+
+  -program-prefix | --program-prefix | --program-prefi | --program-pref \
+  | --program-pre | --program-pr | --program-p)
+    ac_prev=program_prefix ;;
+  -program-prefix=* | --program-prefix=* | --program-prefi=* \
+  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+    program_prefix="$ac_optarg" ;;
+
+  -program-suffix | --program-suffix | --program-suffi | --program-suff \
+  | --program-suf | --program-su | --program-s)
+    ac_prev=program_suffix ;;
+  -program-suffix=* | --program-suffix=* | --program-suffi=* \
+  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+    program_suffix="$ac_optarg" ;;
+
+  -program-transform-name | --program-transform-name \
+  | --program-transform-nam | --program-transform-na \
+  | --program-transform-n | --program-transform- \
+  | --program-transform | --program-transfor \
+  | --program-transfo | --program-transf \
+  | --program-trans | --program-tran \
+  | --progr-tra | --program-tr | --program-t)
+    ac_prev=program_transform_name ;;
+  -program-transform-name=* | --program-transform-name=* \
+  | --program-transform-nam=* | --program-transform-na=* \
+  | --program-transform-n=* | --program-transform-=* \
+  | --program-transform=* | --program-transfor=* \
+  | --program-transfo=* | --program-transf=* \
+  | --program-trans=* | --program-tran=* \
+  | --progr-tra=* | --program-tr=* | --program-t=*)
+    program_transform_name="$ac_optarg" ;;
+
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil)
+    silent=yes ;;
+
+  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+    ac_prev=sbindir ;;
+  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+  | --sbi=* | --sb=*)
+    sbindir="$ac_optarg" ;;
+
+  -sharedstatedir | --sharedstatedir | --sharedstatedi \
+  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+  | --sharedst | --shareds | --shared | --share | --shar \
+  | --sha | --sh)
+    ac_prev=sharedstatedir ;;
+  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+  | --sha=* | --sh=*)
+    sharedstatedir="$ac_optarg" ;;
+
+  -site | --site | --sit)
+    ac_prev=site ;;
+  -site=* | --site=* | --sit=*)
+    site="$ac_optarg" ;;
+
+  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+    ac_prev=srcdir ;;
+  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+    srcdir="$ac_optarg" ;;
+
+  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+  | --syscon | --sysco | --sysc | --sys | --sy)
+    ac_prev=sysconfdir ;;
+  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+    sysconfdir="$ac_optarg" ;;
+
+  -target | --target | --targe | --targ | --tar | --ta | --t)
+    ac_prev=target ;;
+  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+    target="$ac_optarg" ;;
+
+  -v | -verbose | --verbose | --verbos | --verbo | --verb)
+    verbose=yes ;;
+
+  -version | --version | --versio | --versi | --vers)
+    echo "configure generated by autoconf version 2.13"
+    exit 0 ;;
+
+  -with-* | --with-*)
+    ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then
+      { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
+    fi
+    ac_package=`echo $ac_package| sed 's/-/_/g'`
+    case "$ac_option" in
+      *=*) ;;
+      *) ac_optarg=yes ;;
+    esac
+    eval "with_${ac_package}='$ac_optarg'" ;;
+
+  -without-* | --without-*)
+    ac_package=`echo $ac_option|sed -e 's/-*without-//'`
+    # Reject names that are not valid shell variable names.
+    if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then
+      { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; }
+    fi
+    ac_package=`echo $ac_package| sed 's/-/_/g'`
+    eval "with_${ac_package}=no" ;;
+
+  --x)
+    # Obsolete; use --with-x.
+    with_x=yes ;;
+
+  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+  | --x-incl | --x-inc | --x-in | --x-i)
+    ac_prev=x_includes ;;
+  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+    x_includes="$ac_optarg" ;;
+
+  -x-libraries | --x-libraries | --x-librarie | --x-librari \
+  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+    ac_prev=x_libraries ;;
+  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+    x_libraries="$ac_optarg" ;;
+
+  -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; }
+    ;;
+
+  *)
+    if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then
+      echo "configure: warning: $ac_option: invalid host type" 1>&2
+    fi
+    if test "x$nonopt" != xNONE; then
+      { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; }
+    fi
+    nonopt="$ac_option"
+    ;;
+
+  esac
+done
+
+if test -n "$ac_prev"; then
+  { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; }
+fi
+
+trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
+
+# File descriptor usage:
+# 0 standard input
+# 1 file creation
+# 2 errors and warnings
+# 3 some systems may open it to /dev/tty
+# 4 used on the Kubota Titan
+# 6 checking for... messages and results
+# 5 compiler messages saved in config.log
+if test "$silent" = yes; then
+  exec 6>/dev/null
+else
+  exec 6>&1
+fi
+exec 5>./config.log
+
+echo "\
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+" 1>&5
+
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Also quote any args containing shell metacharacters.
+ac_configure_args=
+for ac_arg
+do
+  case "$ac_arg" in
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+  | --no-cr | --no-c) ;;
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;;
+  *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*)
+  ac_configure_args="$ac_configure_args '$ac_arg'" ;;
+  *) ac_configure_args="$ac_configure_args $ac_arg" ;;
+  esac
+done
+
+# NLS nuisances.
+# Only set these to C if already set.  These must not be set unconditionally
+# because not all systems understand e.g. LANG=C (notably SCO).
+# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'!
+# Non-C LC_CTYPE values break the ctype check.
+if test "${LANG+set}"   = set; then LANG=C;   export LANG;   fi
+if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi
+if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi
+if test "${LC_CTYPE+set}"    = set; then LC_CTYPE=C;    export LC_CTYPE;    fi
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -rf conftest* confdefs.h
+# AIX cpp loses on an empty file, so make sure it contains at least a newline.
+echo > confdefs.h
+
+# A filename unique to this package, relative to the directory that
+# configure is in, which we can look for to find out if srcdir is correct.
+ac_unique_file=lib/krb/getrealm.c
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+  ac_srcdir_defaulted=yes
+  # Try the directory containing this script, then its parent.
+  ac_prog=$0
+  ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'`
+  test "x$ac_confdir" = "x$ac_prog" && ac_confdir=.
+  srcdir=$ac_confdir
+  if test ! -r $srcdir/$ac_unique_file; then
+    srcdir=..
+  fi
+else
+  ac_srcdir_defaulted=no
+fi
+if test ! -r $srcdir/$ac_unique_file; then
+  if test "$ac_srcdir_defaulted" = yes; then
+    { echo "configure: error: can not find sources in $ac_confdir or .." 1>&2; exit 1; }
+  else
+    { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; }
+  fi
+fi
+srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'`
+
+# Prefer explicitly selected file to automatically selected ones.
+if test -z "$CONFIG_SITE"; then
+  if test "x$prefix" != xNONE; then
+    CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
+  else
+    CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
+  fi
+fi
+for ac_site_file in $CONFIG_SITE; do
+  if test -r "$ac_site_file"; then
+    echo "loading site script $ac_site_file"
+    . "$ac_site_file"
+  fi
+done
+
+if test -r "$cache_file"; then
+  echo "loading cache $cache_file"
+  . $cache_file
+else
+  echo "creating cache $cache_file"
+  > $cache_file
+fi
+
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+ac_exeext=
+ac_objext=o
+if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
+  # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu.
+  if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
+    ac_n= ac_c='
+' ac_t='	'
+  else
+    ac_n=-n ac_c= ac_t=
+  fi
+else
+  ac_n= ac_c='\c' ac_t=
+fi
+
+
+
+
+
+PACKAGE=krb4
+VERSION=1.0.5
+cat >> confdefs.h <<EOF
+#define PACKAGE "$PACKAGE"
+EOF
+cat >> confdefs.h <<EOF
+#define VERSION "$VERSION"
+EOF
+
+# This may be overridden using --prefix=/usr to configure
+
+
+ac_aux_dir=
+for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
+  if test -f $ac_dir/install-sh; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install-sh -c"
+    break
+  elif test -f $ac_dir/install.sh; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install.sh -c"
+    break
+  fi
+done
+if test -z "$ac_aux_dir"; then
+  { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; }
+fi
+ac_config_guess=$ac_aux_dir/config.guess
+ac_config_sub=$ac_aux_dir/config.sub
+ac_configure=$ac_aux_dir/configure # This should be Cygnus configure.
+
+
+# Make sure we can run config.sub.
+if ${CONFIG_SHELL-/bin/sh} $ac_config_sub sun4 >/dev/null 2>&1; then :
+else { echo "configure: error: can not run $ac_config_sub" 1>&2; exit 1; }
+fi
+
+echo $ac_n "checking host system type""... $ac_c" 1>&6
+echo "configure:750: checking host system type" >&5
+
+host_alias=$host
+case "$host_alias" in
+NONE)
+  case $nonopt in
+  NONE)
+    if host_alias=`${CONFIG_SHELL-/bin/sh} $ac_config_guess`; then :
+    else { echo "configure: error: can not guess host type; you must specify one" 1>&2; exit 1; }
+    fi ;;
+  *) host_alias=$nonopt ;;
+  esac ;;
+esac
+
+host=`${CONFIG_SHELL-/bin/sh} $ac_config_sub $host_alias`
+host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+echo "$ac_t""$host" 1>&6
+
+CANONICAL_HOST=$host
+
+
+
+sunos=no
+case "$host" in 
+*-*-sunos4*)
+	sunos=40
+	;;
+*-*-solaris2.7)
+	sunos=57
+	;;
+*-*-solaris2.8)
+	sunos=58
+	;;
+*-*-solaris2*)
+	sunos=50
+	;;
+esac
+if test "$sunos" != no; then
+	cat >> confdefs.h <<EOF
+#define SunOS $sunos
+EOF
+
+fi
+
+echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6
+echo "configure:797: checking whether ${MAKE-make} sets \${MAKE}" >&5
+set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_prog_make_${ac_make}_set'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftestmake <<\EOF
+all:
+	@echo 'ac_maketemp="${MAKE}"'
+EOF
+# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+eval `${MAKE-make} -f conftestmake 2>/dev/null | grep temp=`
+if test -n "$ac_maketemp"; then
+  eval ac_cv_prog_make_${ac_make}_set=yes
+else
+  eval ac_cv_prog_make_${ac_make}_set=no
+fi
+rm -f conftestmake
+fi
+if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  SET_MAKE=
+else
+  echo "$ac_t""no" 1>&6
+  SET_MAKE="MAKE=${MAKE-make}"
+fi
+
+if test "$program_transform_name" = s,x,x,; then
+  program_transform_name=
+else
+  # Double any \ or $.  echo might interpret backslashes.
+  cat <<\EOF_SED > conftestsed
+s,\\,\\\\,g; s,\$,$$,g
+EOF_SED
+  program_transform_name="`echo $program_transform_name|sed -f conftestsed`"
+  rm -f conftestsed
+fi
+test "$program_prefix" != NONE &&
+  program_transform_name="s,^,${program_prefix},; $program_transform_name"
+# Use a double $ so make ignores it.
+test "$program_suffix" != NONE &&
+  program_transform_name="s,\$\$,${program_suffix},; $program_transform_name"
+
+# sed with no file args requires a program.
+test "$program_transform_name" = "" && program_transform_name="s,x,x,"
+
+
+# We want these before the checks, so the checks can modify their values.
+test -z "$LDFLAGS" && LDFLAGS=-g
+
+
+echo $ac_n "checking for ln -s or something else""... $ac_c" 1>&6
+echo "configure:848: checking for ln -s or something else" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_LN_S'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  rm -f conftestdata
+if ln -s X conftestdata 2>/dev/null
+then
+  rm -f conftestdata
+  ac_cv_prog_LN_S="ln -s"
+else
+  touch conftestdata1
+  if ln conftestdata1 conftestdata2; then
+    rm -f conftestdata*
+    ac_cv_prog_LN_S=ln
+  else
+    ac_cv_prog_LN_S=cp
+  fi
+fi
+fi
+LN_S="$ac_cv_prog_LN_S"
+echo "$ac_t""$ac_cv_prog_LN_S" 1>&6
+
+# Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:873: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_CC="gcc"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+if test -z "$CC"; then
+  # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:903: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_prog_rejected=no
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then
+        ac_prog_rejected=yes
+	continue
+      fi
+      ac_cv_prog_CC="cc"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+if test $ac_prog_rejected = yes; then
+  # We found a bogon in the path, so make sure we never use it.
+  set dummy $ac_cv_prog_CC
+  shift
+  if test $# -gt 0; then
+    # We chose a different compiler from the bogus one.
+    # However, it has the same basename, so the bogon will be chosen
+    # first if we set CC to just the basename; use the full file name.
+    shift
+    set dummy "$ac_dir/$ac_word" "$@"
+    shift
+    ac_cv_prog_CC="$@"
+  fi
+fi
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+  if test -z "$CC"; then
+    case "`uname -s`" in
+    *win32* | *WIN32*)
+      # Extract the first word of "cl", so it can be a program name with args.
+set dummy cl; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:954: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$CC"; then
+  ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_CC="cl"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+CC="$ac_cv_prog_CC"
+if test -n "$CC"; then
+  echo "$ac_t""$CC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+ ;;
+    esac
+  fi
+  test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; }
+fi
+
+echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
+echo "configure:986: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+cat > conftest.$ac_ext << EOF
+
+#line 997 "configure"
+#include "confdefs.h"
+
+main(){return(0);}
+EOF
+if { (eval echo configure:1002: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  ac_cv_prog_cc_works=yes
+  # If we can't run a trivial program, we are probably using a cross compiler.
+  if (./conftest; exit) 2>/dev/null; then
+    ac_cv_prog_cc_cross=no
+  else
+    ac_cv_prog_cc_cross=yes
+  fi
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_prog_cc_works=no
+fi
+rm -fr conftest*
+ac_ext=c
+# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5'
+ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5'
+cross_compiling=$ac_cv_prog_cc_cross
+
+echo "$ac_t""$ac_cv_prog_cc_works" 1>&6
+if test $ac_cv_prog_cc_works = no; then
+  { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
+fi
+echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
+echo "configure:1028: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
+cross_compiling=$ac_cv_prog_cc_cross
+
+echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
+echo "configure:1033: checking whether we are using GNU C" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.c <<EOF
+#ifdef __GNUC__
+  yes;
+#endif
+EOF
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1042: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+  ac_cv_prog_gcc=yes
+else
+  ac_cv_prog_gcc=no
+fi
+fi
+
+echo "$ac_t""$ac_cv_prog_gcc" 1>&6
+
+if test $ac_cv_prog_gcc = yes; then
+  GCC=yes
+else
+  GCC=
+fi
+
+ac_test_CFLAGS="${CFLAGS+set}"
+ac_save_CFLAGS="$CFLAGS"
+CFLAGS=
+echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
+echo "configure:1061: checking whether ${CC-cc} accepts -g" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  echo 'void f(){}' > conftest.c
+if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then
+  ac_cv_prog_cc_g=yes
+else
+  ac_cv_prog_cc_g=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_prog_cc_g" 1>&6
+if test "$ac_test_CFLAGS" = set; then
+  CFLAGS="$ac_save_CFLAGS"
+elif test $ac_cv_prog_cc_g = yes; then
+  if test "$GCC" = yes; then
+    CFLAGS="-g -O2"
+  else
+    CFLAGS="-g"
+  fi
+else
+  if test "$GCC" = yes; then
+    CFLAGS="-O2"
+  else
+    CFLAGS=
+  fi
+fi
+
+echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
+echo "configure:1093: checking how to run the C preprocessor" >&5
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+  CPP=
+fi
+if test -z "$CPP"; then
+if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+    # This must be in double quotes, not single quotes, because CPP may get
+  # substituted into the Makefile and "${CC-cc}" will confuse make.
+  CPP="${CC-cc} -E"
+  # On the NeXT, cc -E runs the code through the compiler's parser,
+  # not just through cpp.
+  cat > conftest.$ac_ext <<EOF
+#line 1108 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1114: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP="${CC-cc} -E -traditional-cpp"
+  cat > conftest.$ac_ext <<EOF
+#line 1125 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1131: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP="${CC-cc} -nologo -E"
+  cat > conftest.$ac_ext <<EOF
+#line 1142 "configure"
+#include "confdefs.h"
+#include <assert.h>
+Syntax Error
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:1148: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  :
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  CPP=/lib/cpp
+fi
+rm -f conftest*
+fi
+rm -f conftest*
+fi
+rm -f conftest*
+  ac_cv_prog_CPP="$CPP"
+fi
+  CPP="$ac_cv_prog_CPP"
+else
+  ac_cv_prog_CPP="$CPP"
+fi
+echo "$ac_t""$CPP" 1>&6
+
+echo $ac_n "checking for POSIXized ISC""... $ac_c" 1>&6
+echo "configure:1173: checking for POSIXized ISC" >&5
+if test -d /etc/conf/kconfig.d &&
+  grep _POSIX_VERSION /usr/include/sys/unistd.h >/dev/null 2>&1
+then
+  echo "$ac_t""yes" 1>&6
+  ISC=yes # If later tests want to check for ISC.
+  cat >> confdefs.h <<\EOF
+#define _POSIX_SOURCE 1
+EOF
+
+  if test "$GCC" = yes; then
+    CC="$CC -posix"
+  else
+    CC="$CC -Xp"
+  fi
+else
+  echo "$ac_t""no" 1>&6
+  ISC=
+fi
+
+for ac_prog in byacc yacc 'bison -y'
+do
+# Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1198: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_YACC'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$YACC"; then
+  ac_cv_prog_YACC="$YACC" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_YACC="$ac_prog"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+YACC="$ac_cv_prog_YACC"
+if test -n "$YACC"; then
+  echo "$ac_t""$YACC" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+test -n "$YACC" && break
+done
+
+# Extract the first word of "flex", so it can be a program name with args.
+set dummy flex; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1230: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_LEX'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$LEX"; then
+  ac_cv_prog_LEX="$LEX" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_LEX="flex"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_LEX" && ac_cv_prog_LEX="lex"
+fi
+fi
+LEX="$ac_cv_prog_LEX"
+if test -n "$LEX"; then
+  echo "$ac_t""$LEX" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+if test -z "$LEXLIB"
+then
+  case "$LEX" in
+  flex*) ac_lib=fl ;;
+  *) ac_lib=l ;;
+  esac
+  echo $ac_n "checking for yywrap in -l$ac_lib""... $ac_c" 1>&6
+echo "configure:1264: checking for yywrap in -l$ac_lib" >&5
+ac_lib_var=`echo $ac_lib'_'yywrap | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-l$ac_lib  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 1272 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char yywrap();
+
+int main() {
+yywrap()
+; return 0; }
+EOF
+if { (eval echo configure:1283: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  LEXLIB="-l$ac_lib"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+fi
+
+# Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1308: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$RANLIB"; then
+  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_RANLIB="ranlib"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_RANLIB" && ac_cv_prog_RANLIB=":"
+fi
+fi
+RANLIB="$ac_cv_prog_RANLIB"
+if test -n "$RANLIB"; then
+  echo "$ac_t""$RANLIB" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+# Find a good install program.  We prefer a C program (faster),
+# so one script is as good as another.  But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# ./install, which can be erroneously created by make from ./install.sh.
+echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
+echo "configure:1347: checking for a BSD compatible install" >&5
+if test -z "$INSTALL"; then
+if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+    IFS="${IFS= 	}"; ac_save_IFS="$IFS"; IFS=":"
+  for ac_dir in $PATH; do
+    # Account for people who put trailing slashes in PATH elements.
+    case "$ac_dir/" in
+    /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;;
+    *)
+      # OSF1 and SCO ODT 3.0 have their own names for install.
+      # Don't use installbsd from OSF since it installs stuff as root
+      # by default.
+      for ac_prog in ginstall scoinst install; do
+        if test -f $ac_dir/$ac_prog; then
+	  if test $ac_prog = install &&
+            grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then
+	    # AIX install.  It has an incompatible calling convention.
+	    :
+	  else
+	    ac_cv_path_install="$ac_dir/$ac_prog -c"
+	    break 2
+	  fi
+	fi
+      done
+      ;;
+    esac
+  done
+  IFS="$ac_save_IFS"
+
+fi
+  if test "${ac_cv_path_install+set}" = set; then
+    INSTALL="$ac_cv_path_install"
+  else
+    # As a last resort, use the slow shell script.  We don't cache a
+    # path for INSTALL within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the path is relative.
+    INSTALL="$ac_install_sh"
+  fi
+fi
+echo "$ac_t""$INSTALL" 1>&6
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+for ac_prog in mawk gawk nawk awk
+do
+# Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1404: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_AWK'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$AWK"; then
+  ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_AWK="$ac_prog"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+fi
+fi
+AWK="$ac_cv_prog_AWK"
+if test -n "$AWK"; then
+  echo "$ac_t""$AWK" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+test -n "$AWK" && break
+done
+
+# Extract the first word of "makeinfo", so it can be a program name with args.
+set dummy makeinfo; ac_word=$2
+echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+echo "configure:1436: checking for $ac_word" >&5
+if eval "test \"`echo '$''{'ac_cv_prog_MAKEINFO'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test -n "$MAKEINFO"; then
+  ac_cv_prog_MAKEINFO="$MAKEINFO" # Let the user override the test.
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS=":"
+  ac_dummy="$PATH"
+  for ac_dir in $ac_dummy; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/$ac_word; then
+      ac_cv_prog_MAKEINFO="makeinfo"
+      break
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_prog_MAKEINFO" && ac_cv_prog_MAKEINFO=":"
+fi
+fi
+MAKEINFO="$ac_cv_prog_MAKEINFO"
+if test -n "$MAKEINFO"; then
+  echo "$ac_t""$MAKEINFO" 1>&6
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+
+WFLAGS=""
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+   
+
+
+# Check whether --with-socks or --without-socks was given.
+if test "${with_socks+set}" = set; then
+  withval="$with_socks"
+  :
+fi
+
+# Check whether --with-socks-lib or --without-socks-lib was given.
+if test "${with_socks_lib+set}" = set; then
+  withval="$with_socks_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-socks-lib" 1>&2; exit 1; }
+elif test "X$with_socks" = "X"; then
+  with_socks=yes
+fi
+fi
+
+# Check whether --with-socks-include or --without-socks-include was given.
+if test "${with_socks_include+set}" = set; then
+  withval="$with_socks_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-socks-include" 1>&2; exit 1; }
+elif test "X$with_socks" = "X"; then
+  with_socks=yes
+fi
+fi
+
+
+echo $ac_n "checking for socks""... $ac_c" 1>&6
+echo "configure:1498: checking for socks" >&5
+
+case "$with_socks" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_socks_include" = ""; then
+		with_socks_include="$with_socks/include"
+	fi
+	if test "$with_socks_lib" = ""; then
+		with_socks_lib="$with_socks/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d=''
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_socks_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_socks_include $header_dirs";;
+esac
+case "$with_socks_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_socks_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat > conftest.$ac_ext <<EOF
+#line 1537 "configure"
+#include "confdefs.h"
+#include <socks.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:1544: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ires=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lsocks5  $save_LIBS"
+	cat > conftest.$ac_ext <<EOF
+#line 1556 "configure"
+#include "confdefs.h"
+#include <socks.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:1563: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  lres=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_socks" != "no"; then
+	socks_includedir="$ires"
+	socks_libdir="$lres"
+	INCLUDE_socks="-I$socks_includedir"
+	LIB_socks="-L$socks_libdir -lsocks5"
+	cat >> confdefs.h <<EOF
+#define `echo socks | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ` 1
+EOF
+
+	with_socks=yes
+	echo "$ac_t""headers $ires, libraries $lres" 1>&6
+else
+	INCLUDE_socks=
+	LIB_socks=
+	with_socks=no
+	echo "$ac_t""$with_socks" 1>&6
+fi
+
+
+
+CFLAGS="$INCLUDE_socks $CFLAGS"
+LIBS="$LIB_socks $LIBS"
+
+# Check whether --enable-legacy-kdestroy or --disable-legacy-kdestroy was given.
+if test "${enable_legacy_kdestroy+set}" = set; then
+  enableval="$enable_legacy_kdestroy"
+  
+if test "$enableval" = "yes"; then
+	cat >> confdefs.h <<\EOF
+#define LEGACY_KDESTROY 1
+EOF
+
+fi
+
+fi
+
+
+# Check whether --enable-match-subdomains or --disable-match-subdomains was given.
+if test "${enable_match_subdomains+set}" = set; then
+  enableval="$enable_match_subdomains"
+  if test "$enableval" = "yes"; then
+	cat >> confdefs.h <<\EOF
+#define MATCH_SUBDOMAINS 1
+EOF
+
+fi
+
+fi
+
+
+# Check whether --with-ld-flags or --without-ld-flags was given.
+if test "${with_ld_flags+set}" = set; then
+  withval="$with_ld_flags"
+  :
+fi
+
+
+# Check whether --with-cracklib or --without-cracklib was given.
+if test "${with_cracklib+set}" = set; then
+  withval="$with_cracklib"
+  :
+fi
+
+
+# Check whether --with-dictpath or --without-dictpath was given.
+if test "${with_dictpath+set}" = set; then
+  withval="$with_dictpath"
+  :
+fi
+
+
+(test -z "$with_cracklib" && test -n "$with_dictpath") ||
+(test -n "$with_cracklib" && test -z "$with_dictpath") &&
+{ echo "configure: error: --with-cracklib requires --with-dictpath and vice versa" 1>&2; exit 1; }
+test -n "$with_cracklib" &&
+CRACKLIB="-L$with_cracklib -lcrack" &&
+echo "$ac_t""Using cracklib in $with_cracklib" 1>&6
+test -n "$with_dictpath" &&
+echo "$ac_t""Using dictpath=$with_dictpath" 1>&6 &&
+cat >> confdefs.h <<EOF
+#define DICTPATH "$with_dictpath"
+EOF
+
+
+# Check whether --with-mailspool or --without-mailspool was given.
+if test "${with_mailspool+set}" = set; then
+  withval="$with_mailspool"
+  :
+fi
+
+
+test -n "$with_mailspool" &&
+cat >> confdefs.h <<EOF
+#define KRB4_MAILDIR "$with_mailspool"
+EOF
+
+
+# Check whether --with-db-dir or --without-db-dir was given.
+if test "${with_db_dir+set}" = set; then
+  withval="$with_db_dir"
+  :
+fi
+
+
+test -n "$with_db_dir" &&
+cat >> confdefs.h <<EOF
+#define DB_DIR "$with_db_dir"
+EOF
+
+
+# Check whether --enable-random-mkey or --disable-random-mkey was given.
+if test "${enable_random_mkey+set}" = set; then
+  enableval="$enable_random_mkey"
+  
+if test "$enableval" = "yes"; then
+	cat >> confdefs.h <<\EOF
+#define RANDOM_MKEY 1
+EOF
+
+fi
+
+fi
+
+
+# Check whether --with-mkey or --without-mkey was given.
+if test "${with_mkey+set}" = set; then
+  withval="$with_mkey"
+  
+if test -n "$withval"; then
+	cat >> confdefs.h <<EOF
+#define MKEYFILE "$withval"
+EOF
+
+fi
+
+fi
+
+
+otp=yes
+# Check whether --enable-otp or --disable-otp was given.
+if test "${enable_otp+set}" = set; then
+  enableval="$enable_otp"
+  
+if test "$enableval" = "no"; then
+	otp=no
+fi
+
+fi
+
+
+if test "$otp" = "yes"; then
+	cat >> confdefs.h <<\EOF
+#define OTP 1
+EOF
+
+	LIB_otp='-L$(top_builddir)/lib/otp -lotp'
+	OTP_dir=otp
+	LIB_SUBDIRS="$LIB_SUBDIRS otp"
+fi
+
+
+
+
+# Check whether --enable-osfc2 or --disable-osfc2 was given.
+if test "${enable_osfc2+set}" = set; then
+  enableval="$enable_osfc2"
+  :
+fi
+
+LIB_security=
+if test "$enable_osfc2" = yes; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_OSFC2 1
+EOF
+
+	LIB_security=-lsecurity
+fi
+
+
+
+mmap=yes
+# Check whether --enable-mmap or --disable-mmap was given.
+if test "${enable_mmap+set}" = set; then
+  enableval="$enable_mmap"
+  
+if test "$enableval" = "no"; then
+	mmap=no
+fi
+
+fi
+
+if test "$mmap" = "no"; then
+	cat >> confdefs.h <<\EOF
+#define NO_MMAP 1
+EOF
+
+fi
+
+aix_dynamic_afs=yes
+# Check whether --enable-dynamic-afs or --disable-dynamic-afs was given.
+if test "${enable_dynamic_afs+set}" = set; then
+  enableval="$enable_dynamic_afs"
+  
+if test "$enableval" = "no"; then
+	aix_dynamic_afs=no
+fi
+
+fi
+
+
+berkeley_db=db
+# Check whether --with-berkeley-db or --without-berkeley-db was given.
+if test "${with_berkeley_db+set}" = set; then
+  withval="$with_berkeley_db"
+  
+if test "$withval" = no; then
+	berkeley_db=""
+fi
+
+fi
+
+
+afs_support=yes
+# Check whether --with-afs-support or --without-afs-support was given.
+if test "${with_afs_support+set}" = set; then
+  withval="$with_afs_support"
+  
+if test "$withval" = no; then
+	cat >> confdefs.h <<\EOF
+#define NO_AFS 1
+EOF
+
+	afs_support=no
+fi
+
+fi
+
+
+des_quad=guess
+# Check whether --with-des-quad-checksum or --without-des-quad-checksum was given.
+if test "${with_des_quad_checksum+set}" = set; then
+  withval="$with_des_quad_checksum"
+  
+des_quad="$withval"
+
+fi
+
+if test "$des_quad" = "new"; then
+	ac_x=DES_QUAD_NEW
+elif test "$des_quad" = "old"; then
+	ac_x=DES_QUAD_OLD
+else
+	ac_x=DES_QUAD_GUESS
+fi	
+cat >> confdefs.h <<EOF
+#define DES_QUAD_DEFAULT $ac_x
+EOF
+
+
+# Check whether --with-afsws or --without-afsws was given.
+if test "${with_afsws+set}" = set; then
+  withval="$with_afsws"
+  AFSWS=$withval
+else
+  AFSWS=/usr/afsws
+
+fi
+
+test "$AFSWS" = "yes" && AFSWS=/usr/afsws
+
+
+# Check whether --enable-rxkad or --disable-rxkad was given.
+if test "${enable_rxkad+set}" = set; then
+  enableval="$enable_rxkad"
+  :
+fi
+
+
+if test "$afs_support" = yes -a "$enable_rxkad" = yes; then
+	LIB_SUBDIRS="$LIB_SUBDIRS rxkad"
+fi
+
+
+# Check whether --enable-cat-manpages or --disable-cat-manpages was given.
+if test "${enable_cat_manpages+set}" = set; then
+  enableval="$enable_cat_manpages"
+  
+if test "$enableval" = "no"; then
+	disable_cat_manpages=yes
+fi
+
+fi
+
+
+
+
+# Check whether --with-readline or --without-readline was given.
+if test "${with_readline+set}" = set; then
+  withval="$with_readline"
+  :
+fi
+
+# Check whether --with-readline-lib or --without-readline-lib was given.
+if test "${with_readline_lib+set}" = set; then
+  withval="$with_readline_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-readline-lib" 1>&2; exit 1; }
+elif test "X$with_readline" = "X"; then
+  with_readline=yes
+fi
+fi
+
+# Check whether --with-readline-include or --without-readline-include was given.
+if test "${with_readline_include+set}" = set; then
+  withval="$with_readline_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-readline-include" 1>&2; exit 1; }
+elif test "X$with_readline" = "X"; then
+  with_readline=yes
+fi
+fi
+
+
+echo $ac_n "checking for readline""... $ac_c" 1>&6
+echo "configure:1899: checking for readline" >&5
+
+case "$with_readline" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_readline_include" = ""; then
+		with_readline_include="$with_readline/include"
+	fi
+	if test "$with_readline_lib" = ""; then
+		with_readline_lib="$with_readline/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d=''
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_readline_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_readline_include $header_dirs";;
+esac
+case "$with_readline_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_readline_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat > conftest.$ac_ext <<EOF
+#line 1938 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <readline.h>
+
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:1948: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ires=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lreadline  $save_LIBS"
+	cat > conftest.$ac_ext <<EOF
+#line 1960 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <readline.h>
+
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:1970: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  lres=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_readline" != "no"; then
+	readline_includedir="$ires"
+	readline_libdir="$lres"
+	INCLUDE_readline="-I$readline_includedir"
+	LIB_readline="-L$readline_libdir -lreadline"
+	cat >> confdefs.h <<EOF
+#define `echo readline | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ` 1
+EOF
+
+	with_readline=yes
+	echo "$ac_t""headers $ires, libraries $lres" 1>&6
+else
+	INCLUDE_readline=
+	LIB_readline=
+	with_readline=no
+	echo "$ac_t""$with_readline" 1>&6
+fi
+
+
+
+
+
+# Check whether --with-mips_abi or --without-mips_abi was given.
+if test "${with_mips_abi+set}" = set; then
+  withval="$with_mips_abi"
+  :
+fi
+
+
+case "$host_os" in
+irix*)
+with_mips_abi="${with_mips_abi:-yes}"
+if test -n "$GCC"; then
+
+# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select
+# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs.
+#
+# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old
+# GCC and revert back to O32. The same goes if O32 is asked for - old
+# GCCs doesn't like the -mabi option, and new GCCs can't output O32.
+#
+# Don't you just love *all* the different SGI ABIs?
+
+case "${with_mips_abi}" in 
+        32|o32) abi='-mabi=32';  abilibdirext=''     ;;
+       n32|yes) abi='-mabi=n32'; abilibdirext='32'  ;;
+        64) abi='-mabi=64';  abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) { echo "configure: error: "Invalid ABI specified"" 1>&2; exit 1; } ;;
+esac
+if test -n "$abi" ; then
+ac_foo=krb_cv_gcc_`echo $abi | tr =- __`
+echo $ac_n "checking if $CC supports the $abi option""... $ac_c" 1>&6
+echo "configure:2035: checking if $CC supports the $abi option" >&5
+if eval "test \"`echo '$''{'$ac_foo'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+save_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $abi"
+cat > conftest.$ac_ext <<EOF
+#line 2043 "configure"
+#include "confdefs.h"
+
+int main() {
+int x;
+; return 0; }
+EOF
+if { (eval echo configure:2050: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval $ac_foo=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval $ac_foo=no
+fi
+rm -f conftest*
+CFLAGS="$save_CFLAGS"
+
+fi
+
+ac_res=`eval echo \\\$$ac_foo`
+echo "$ac_t""$ac_res" 1>&6
+if test $ac_res = no; then
+# Try to figure out why that failed...
+case $abi in
+	-mabi=32) 
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS -mabi=n32"
+	cat > conftest.$ac_ext <<EOF
+#line 2073 "configure"
+#include "confdefs.h"
+
+int main() {
+int x;
+; return 0; }
+EOF
+if { (eval echo configure:2080: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_res=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_res=no
+fi
+rm -f conftest*
+	CLAGS="$save_CFLAGS"
+	if test $ac_res = yes; then
+		# New GCC
+		{ echo "configure: error: $CC does not support the $with_mips_abi ABI" 1>&2; exit 1; }
+	fi
+	# Old GCC
+	abi=''
+	abilibdirext=''
+	;;
+	-mabi=n32|-mabi=64)
+		if test $with_mips_abi = yes; then
+			# Old GCC, default to O32
+			abi=''
+			abilibdirext=''
+		else
+			# Some broken GCC
+			{ echo "configure: error: $CC does not support the $with_mips_abi ABI" 1>&2; exit 1; }
+		fi
+	;;
+esac
+fi #if test $ac_res = no; then
+fi #if test -n "$abi" ; then
+else
+case "${with_mips_abi}" in
+        32|o32) abi='-32'; abilibdirext=''     ;;
+       n32|yes) abi='-n32'; abilibdirext='32'  ;;
+        64) abi='-64'; abilibdirext='64'   ;;
+	no) abi=''; abilibdirext='';;
+         *) { echo "configure: error: "Invalid ABI specified"" 1>&2; exit 1; } ;;
+esac
+fi #if test -n "$GCC"; then
+;;
+esac
+
+
+
+# Check whether --with-hesiod or --without-hesiod was given.
+if test "${with_hesiod+set}" = set; then
+  withval="$with_hesiod"
+  :
+fi
+
+# Check whether --with-hesiod-lib or --without-hesiod-lib was given.
+if test "${with_hesiod_lib+set}" = set; then
+  withval="$with_hesiod_lib"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-hesiod-lib" 1>&2; exit 1; }
+elif test "X$with_hesiod" = "X"; then
+  with_hesiod=yes
+fi
+fi
+
+# Check whether --with-hesiod-include or --without-hesiod-include was given.
+if test "${with_hesiod_include+set}" = set; then
+  withval="$with_hesiod_include"
+  if test "$withval" = "yes" -o "$withval" = "no"; then
+  { echo "configure: error: No argument for --with-hesiod-include" 1>&2; exit 1; }
+elif test "X$with_hesiod" = "X"; then
+  with_hesiod=yes
+fi
+fi
+
+
+echo $ac_n "checking for hesiod""... $ac_c" 1>&6
+echo "configure:2154: checking for hesiod" >&5
+
+case "$with_hesiod" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_hesiod_include" = ""; then
+		with_hesiod_include="$with_hesiod/include"
+	fi
+	if test "$with_hesiod_lib" = ""; then
+		with_hesiod_lib="$with_hesiod/lib$abilibdirext"
+	fi
+	;;
+esac
+header_dirs=
+lib_dirs=
+d=''
+for i in $d; do
+	header_dirs="$header_dirs $i/include"
+	lib_dirs="$lib_dirs $i/lib$abilibdirext"
+done
+
+case "$with_hesiod_include" in
+yes) ;;
+no)  ;;
+*)   header_dirs="$with_hesiod_include $header_dirs";;
+esac
+case "$with_hesiod_lib" in
+yes) ;;
+no)  ;;
+*)   lib_dirs="$with_hesiod_lib $lib_dirs";;
+esac
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+ires= lres=
+for i in $header_dirs; do
+	CFLAGS="-I$i $save_CFLAGS"
+	cat > conftest.$ac_ext <<EOF
+#line 2193 "configure"
+#include "confdefs.h"
+#include <hesiod.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:2200: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ires=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+for i in $lib_dirs; do
+	LIBS="-L$i -lhesiod  $save_LIBS"
+	cat > conftest.$ac_ext <<EOF
+#line 2212 "configure"
+#include "confdefs.h"
+#include <hesiod.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:2219: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  lres=$i;break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+
+if test "$ires" -a "$lres" -a "$with_hesiod" != "no"; then
+	hesiod_includedir="$ires"
+	hesiod_libdir="$lres"
+	INCLUDE_hesiod="-I$hesiod_includedir"
+	LIB_hesiod="-L$hesiod_libdir -lhesiod"
+	cat >> confdefs.h <<EOF
+#define `echo hesiod | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ` 1
+EOF
+
+	with_hesiod=yes
+	echo "$ac_t""headers $ires, libraries $lres" 1>&6
+else
+	INCLUDE_hesiod=
+	LIB_hesiod=
+	with_hesiod=no
+	echo "$ac_t""$with_hesiod" 1>&6
+fi
+
+
+
+
+
+
+# Check whether --enable-shared or --disable-shared was given.
+if test "${enable_shared+set}" = set; then
+  enableval="$enable_shared"
+  :
+fi
+
+
+
+case ${enable_shared} in
+  yes ) enable_shared=yes;;
+  no  ) enable_shared=no;;
+  *   ) enable_shared=no;;
+esac
+
+# NOTE: Building shared libraries may not work if you do not use gcc!
+#
+# OS		$SHLIBEXT
+# HP-UX		sl
+# Linux		so
+# NetBSD	so
+# FreeBSD	so
+# OSF		so
+# SunOS5	so
+# SunOS4	so.0.5
+# Irix		so
+#
+# LIBEXT is the extension we should build (.a or $SHLIBEXT)
+LINK='$(CC)'
+
+lib_deps=yes
+REAL_PICFLAGS="-fpic"
+LDSHARED='$(CC) $(PICFLAGS) -shared'
+LIBPREFIX=lib
+build_symlink_command=@true
+install_symlink_command=@true
+install_symlink_command2=@true
+REAL_SHLIBEXT=so
+SHLIB_VERSION=`echo $VERSION | sed 's/\([0-9.]*\).*/\1/'`
+SHLIB_SONAME=`echo $VERSION | sed 's/\([0-9]*\).*/\1/'`
+case "${host}" in
+*-*-hpux*)
+	REAL_SHLIBEXT=sl
+	REAL_LD_FLAGS='-Wl,+b$(libdir)'
+	if test -z "$GCC"; then
+		LDSHARED="ld -b"
+		REAL_PICFLAGS="+z"
+	fi
+	lib_deps=no
+	;;
+*-*-linux*)
+	LDSHARED='$(CC) -shared -Wl,-soname,$(LIBNAME).so.'"${SHLIB_SONAME}"
+	REAL_LD_FLAGS='-Wl,-rpath,$(libdir)'
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	build_symlink_command='$(LN_S) -f $@ $(LIBNAME).so'
+	install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	;;
+*-*-freebsd[345]* | *-*-freebsdelf[345]*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	build_symlink_command='$(LN_S) -f $@ $(LIBNAME).so'
+	install_symlink_command='$(LN_S) -f $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) -f $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	;;
+*-*-*bsd*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	LDSHARED='ld -Bshareable'
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	;;
+*-*-osf*)
+	REAL_LD_FLAGS='-Wl,-rpath,$(libdir)'
+	REAL_PICFLAGS=
+	LDSHARED='ld -shared -expect_unresolved \*'
+	;;
+*-*-solaris2*)
+	LDSHARED='$(CC) -shared -Wl,-h$(LIBNAME).so.'"${SHLIB_SONAME}"
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	build_symlink_command='$(LN_S) $@ $(LIBNAME).so'
+	install_symlink_command='$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB) $(DESTDIR)$(libdir)/$(LIBNAME).so'
+	install_symlink_command2='$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so.'"${SHLIB_SONAME}"';$(LN_S) $(LIB2) $(DESTDIR)$(libdir)/$(LIBNAME2).so'
+	REAL_LD_FLAGS='-Wl,-R$(libdir)'
+	if test -z "$GCC"; then
+		LDSHARED='$(CC) -G -h$(LIBNAME).so.'"${SHLIB_SONAME}"
+		REAL_PICFLAGS="-Kpic"
+	fi
+	;;
+*-fujitsu-uxpv*)
+	REAL_LD_FLAGS='' # really: LD_RUN_PATH=$(libdir) cc -o ...
+	REAL_LINK='LD_RUN_PATH=$(libdir) $(CC)'
+	LDSHARED='$(CC) -G'
+	REAL_PICFLAGS="-Kpic"
+	lib_deps=no # fails in mysterious ways
+	;;
+*-*-sunos*)
+	REAL_SHLIBEXT=so.$SHLIB_VERSION
+	REAL_LD_FLAGS='-Wl,-L$(libdir)'
+	lib_deps=no
+	;;
+*-*-irix*)
+        libdir="${libdir}${abilibdirext}"
+        REAL_LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)"
+        LD_FLAGS="${abi} -Wl,-rpath,\$(libdir)"
+	LDSHARED="\$(CC) -shared ${abi}"
+        REAL_PICFLAGS=
+        CFLAGS="${abi} ${CFLAGS}"
+	;;
+*-*-os2*)
+	LIBPREFIX=
+	EXECSUFFIX='.exe'
+	RANLIB=EMXOMF
+	LD_FLAGS=-Zcrtdll
+	REAL_SHLIBEXT=nobuild
+	;;
+*-*-cygwin32*)
+	EXECSUFFIX='.exe'
+	REAL_SHLIBEXT=nobuild
+	;;
+*)	REAL_SHLIBEXT=nobuild
+	REAL_PICFLAGS= 
+	;;
+esac
+
+if test "${enable_shared}" != "yes" ; then 
+ PICFLAGS=""
+ SHLIBEXT="nobuild"
+ LIBEXT="a"
+ build_symlink_command=@true
+ install_symlink_command=@true
+ install_symlink_command2=@true
+else
+ PICFLAGS="$REAL_PICFLAGS"
+ SHLIBEXT="$REAL_SHLIBEXT"
+ LIBEXT="$SHLIBEXT"
+ echo $ac_n "checking whether to use -rpath""... $ac_c" 1>&6
+echo "configure:2388: checking whether to use -rpath" >&5
+ case "$libdir" in
+   /lib | /usr/lib | /usr/local/lib)
+     echo "$ac_t""no" 1>&6
+     REAL_LD_FLAGS=
+     LD_FLAGS=
+     ;;
+   *)
+     LD_FLAGS="$REAL_LD_FLAGS"
+     test "$REAL_LINK" && LINK="$REAL_LINK"
+     echo "$ac_t""$LD_FLAGS" 1>&6
+     ;;
+   esac
+fi
+
+if test "$lib_deps" = yes; then
+	lib_deps_yes=""
+	lib_deps_no="# "
+else
+	lib_deps_yes="# "
+	lib_deps_no=""
+fi
+
+
+
+# use supplied ld-flags, or none if `no'
+if test "$with_ld_flags" = no; then
+	LD_FLAGS=
+elif test -n "$with_ld_flags"; then
+	LD_FLAGS="$with_ld_flags"
+fi
+
+   
+       
+
+
+echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6
+echo "configure:2425: checking whether byte ordering is bigendian" >&5
+if eval "test \"`echo '$''{'ac_cv_c_bigendian'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_cv_c_bigendian=unknown
+# See if sys/param.h defines the BYTE_ORDER macro.
+cat > conftest.$ac_ext <<EOF
+#line 2432 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/param.h>
+int main() {
+
+#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
+ bogus endian macros
+#endif
+; return 0; }
+EOF
+if { (eval echo configure:2443: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  # It does; now see whether it defined to BIG_ENDIAN or not.
+cat > conftest.$ac_ext <<EOF
+#line 2447 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/param.h>
+int main() {
+
+#if BYTE_ORDER != BIG_ENDIAN
+ not big endian
+#endif
+; return 0; }
+EOF
+if { (eval echo configure:2458: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_c_bigendian=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_c_bigendian=no
+fi
+rm -f conftest*
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+if test $ac_cv_c_bigendian = unknown; then
+if test "$cross_compiling" = yes; then
+    { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2478 "configure"
+#include "confdefs.h"
+main () {
+  /* Are we little or big endian?  From Harbison&Steele.  */
+  union
+  {
+    long l;
+    char c[sizeof (long)];
+  } u;
+  u.l = 1;
+  exit (u.c[sizeof (long) - 1] == 1);
+}
+EOF
+if { (eval echo configure:2491: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  ac_cv_c_bigendian=no
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_c_bigendian=yes
+fi
+rm -fr conftest*
+fi
+
+fi
+fi
+
+echo "$ac_t""$ac_cv_c_bigendian" 1>&6
+if test $ac_cv_c_bigendian = yes; then
+  cat >> confdefs.h <<\EOF
+#define WORDS_BIGENDIAN 1
+EOF
+
+fi
+
+
+echo $ac_n "checking for working const""... $ac_c" 1>&6
+echo "configure:2516: checking for working const" >&5
+if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2521 "configure"
+#include "confdefs.h"
+
+int main() {
+
+/* Ultrix mips cc rejects this.  */
+typedef int charset[2]; const charset x;
+/* SunOS 4.1.1 cc rejects this.  */
+char const *const *ccp;
+char **p;
+/* NEC SVR4.0.2 mips cc rejects this.  */
+struct point {int x, y;};
+static struct point const zero = {0,0};
+/* AIX XL C 1.02.0.0 rejects this.
+   It does not let you subtract one const X* pointer from another in an arm
+   of an if-expression whose if-part is not a constant expression */
+const char *g = "string";
+ccp = &g + (g ? g-g : 0);
+/* HPUX 7.0 cc rejects these. */
+++ccp;
+p = (char**) ccp;
+ccp = (char const *const *) p;
+{ /* SCO 3.2v4 cc rejects this.  */
+  char *t;
+  char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+  *t++ = 0;
+}
+{ /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
+  int x[] = {25, 17};
+  const int *foo = &x[0];
+  ++foo;
+}
+{ /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
+  typedef const int *iptr;
+  iptr p = 0;
+  ++p;
+}
+{ /* AIX XL C 1.02.0.0 rejects this saying
+     "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+  struct s { int j; const int *ap[3]; };
+  struct s *b; b->j = 5;
+}
+{ /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+  const int foo = 10;
+}
+
+; return 0; }
+EOF
+if { (eval echo configure:2570: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_c_const=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_c_const=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_c_const" 1>&6
+if test $ac_cv_c_const = no; then
+  cat >> confdefs.h <<\EOF
+#define const 
+EOF
+
+fi
+
+
+echo $ac_n "checking for inline""... $ac_c" 1>&6
+echo "configure:2592: checking for inline" >&5
+if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_cv_c_inline=no
+for ac_kw in inline __inline__ __inline; do
+  cat > conftest.$ac_ext <<EOF
+#line 2599 "configure"
+#include "confdefs.h"
+
+int main() {
+} $ac_kw foo() {
+; return 0; }
+EOF
+if { (eval echo configure:2606: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_c_inline=$ac_kw; break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+done
+
+fi
+
+echo "$ac_t""$ac_cv_c_inline" 1>&6
+case "$ac_cv_c_inline" in
+  inline | yes) ;;
+  no) cat >> confdefs.h <<\EOF
+#define inline 
+EOF
+ ;;
+  *)  cat >> confdefs.h <<EOF
+#define inline $ac_cv_c_inline
+EOF
+ ;;
+esac
+
+
+
+echo $ac_n "checking for __attribute__""... $ac_c" 1>&6
+echo "configure:2634: checking for __attribute__" >&5
+if eval "test \"`echo '$''{'ac_cv___attribute__'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 2640 "configure"
+#include "confdefs.h"
+
+#include <stdlib.h>
+
+int main() {
+
+static void foo(void) __attribute__ ((noreturn));
+
+static void
+foo(void)
+{
+  exit(1);
+}
+
+; return 0; }
+EOF
+if { (eval echo configure:2657: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv___attribute__=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv___attribute__=no
+fi
+rm -f conftest*
+fi
+
+if test "$ac_cv___attribute__" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HAVE___ATTRIBUTE__ 1
+EOF
+
+fi
+echo "$ac_t""$ac_cv___attribute__" 1>&6
+
+
+
+
+echo $ac_n "checking for NEXTSTEP""... $ac_c" 1>&6
+echo "configure:2681: checking for NEXTSTEP" >&5
+if eval "test \"`echo '$''{'krb_cv_sys_nextstep'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2686 "configure"
+#include "confdefs.h"
+#if defined(NeXT) && !defined(__APPLE__)
+	yes
+#endif 
+
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  rm -rf conftest*
+  krb_cv_sys_nextstep=yes
+else
+  rm -rf conftest*
+  krb_cv_sys_nextstep=no
+fi
+rm -f conftest*
+ 
+fi
+
+if test "$krb_cv_sys_nextstep" = "yes"; then
+  CFLAGS="$CFLAGS -posix"
+  LIBS="$LIBS -posix"
+fi
+echo "$ac_t""$krb_cv_sys_nextstep" 1>&6
+
+
+echo $ac_n "checking for AIX""... $ac_c" 1>&6
+echo "configure:2713: checking for AIX" >&5
+if eval "test \"`echo '$''{'krb_cv_sys_aix'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2718 "configure"
+#include "confdefs.h"
+#ifdef _AIX
+	yes
+#endif 
+
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "yes" >/dev/null 2>&1; then
+  rm -rf conftest*
+  krb_cv_sys_aix=yes
+else
+  rm -rf conftest*
+  krb_cv_sys_aix=no
+fi
+rm -f conftest*
+ 
+fi
+
+echo "$ac_t""$krb_cv_sys_aix" 1>&6
+
+
+if test "$krb_cv_sys_aix" = yes ;then
+	if test "$aix_dynamic_afs" = yes; then
+		AFS_EXTRA_OBJS=
+		AFS_EXTRA_LIBS=afslib.so
+		# this works differently in AIX <=3 and 4
+		if test `uname -v` = 4 ; then
+			AFS_EXTRA_LD="-bnoentry"
+		else
+			AFS_EXTRA_LD="-e _nostart"
+		fi
+		AFS_EXTRA_DEFS=
+		
+
+
+echo $ac_n "checking for dlopen""... $ac_c" 1>&6
+echo "configure:2755: checking for dlopen" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_dlopen'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_dlopen\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" dl; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 2770 "configure"
+#include "confdefs.h"
+
+int main() {
+dlopen()
+; return 0; }
+EOF
+if { (eval echo configure:2777: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dlopen=$ac_lib; else ac_cv_funclib_dlopen=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_dlopen=\${ac_cv_funclib_dlopen-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_dlopen"
+
+: << END
+@@@funcs="$funcs dlopen"@@@
+@@@libs="$libs "" dl"@@@
+END
+
+# dlopen
+eval "ac_tr_func=HAVE_`echo dlopen | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dlopen=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dlopen=yes"
+	eval "LIB_dlopen="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_dlopen=no"
+	eval "LIB_dlopen="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_dlopen=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+		if test "$ac_cv_funclib_dlopen" = yes; then
+			AIX_EXTRA_KAFS=
+		elif test "$ac_cv_funclib_dlopen" != no; then
+			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
+		else
+			AFS_EXTRA_OBJS="$AFS_EXTRA_OBJS dlfcn.o"
+			AIX_EXTRA_KAFS=-lld
+		fi
+	else
+		AFS_EXTRA_OBJS='$(srcdir)/afsl.exp afslib.o'
+		AFS_EXTRA_LIBS=
+		AFS_EXTRA_DEFS='-DSTATIC_AFS_SYSCALLS'
+		AIX_EXTRA_KAFS=
+	fi
+					fi
+
+#
+# AIX needs /lib/pse.exp for getmsg, but alas that file is broken in
+# AIX414
+#
+
+case "${host}" in
+*-*-aix4.1*)
+if test -f /lib/pse.exp ;then
+	LIBS="$LIBS -Wl,-bnolibpath -Wl,-bI:/lib/pse.exp"
+fi
+;;
+*-*-aix*)
+	LIBS="$LIBS -Wl,-bnolibpath"
+	;;
+esac
+
+
+echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
+echo "configure:2870: checking for ANSI C header files" >&5
+if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2875 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:2883: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  ac_cv_header_stdc=yes
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+if test $ac_cv_header_stdc = yes; then
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+cat > conftest.$ac_ext <<EOF
+#line 2900 "configure"
+#include "confdefs.h"
+#include <string.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "memchr" >/dev/null 2>&1; then
+  :
+else
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+cat > conftest.$ac_ext <<EOF
+#line 2918 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "free" >/dev/null 2>&1; then
+  :
+else
+  rm -rf conftest*
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 2939 "configure"
+#include "confdefs.h"
+#include <ctype.h>
+#define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+#define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int main () { int i; for (i = 0; i < 256; i++)
+if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2);
+exit (0); }
+
+EOF
+if { (eval echo configure:2950: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_header_stdc=no
+fi
+rm -fr conftest*
+fi
+
+fi
+fi
+
+echo "$ac_t""$ac_cv_header_stdc" 1>&6
+if test $ac_cv_header_stdc = yes; then
+  cat >> confdefs.h <<\EOF
+#define STDC_HEADERS 1
+EOF
+
+fi
+
+
+for ac_hdr in arpa/ftp.h			\
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	arpa/telnet.h				\
+	bsd/bsd.h				\
+	bsdsetjmp.h				\
+	capability.h				\
+	crypt.h					\
+	curses.h				\
+	db.h					\
+	dbm.h					\
+	dirent.h				\
+	err.h					\
+	errno.h					\
+	fcntl.h					\
+	fnmatch.h				\
+	gdbm/ndbm.h				\
+	grp.h					\
+	inttypes.h				\
+	io.h					\
+	lastlog.h				\
+	libutil.h				\
+	limits.h				\
+	login.h					\
+	maillock.h				\
+	ndbm.h					\
+	net/if.h				\
+	net/if_tun.h				\
+	net/if_var.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6_machtypes.h			\
+	netinet/in_systm.h			\
+	paths.h					\
+	pty.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	rpcsvc/ypclnt.h				\
+	sac.h					\
+	security/pam_modules.h			\
+	shadow.h				\
+	siad.h					\
+	signal.h				\
+	stropts.h				\
+	sys/bitypes.h				\
+	sys/category.h				\
+	sys/file.h				\
+	sys/filio.h				\
+	sys/ioccom.h				\
+	sys/ioctl.h				\
+	sys/locking.h				\
+	sys/mman.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/pty.h				\
+	sys/ptyio.h				\
+	sys/ptyvar.h				\
+	sys/resource.h				\
+	sys/select.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/str_tty.h				\
+	sys/stream.h				\
+	sys/stropts.h				\
+	sys/strtty.h				\
+	sys/syscall.h				\
+	sys/sysctl.h				\
+	sys/termio.h				\
+	sys/time.h				\
+	sys/timeb.h				\
+	sys/times.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/un.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	term.h					\
+	termcap.h				\
+	termio.h				\
+	termios.h				\
+	tmpdir.h				\
+	ttyent.h				\
+	udb.h					\
+	ulimit.h				\
+	unistd.h				\
+	userpw.h				\
+	usersec.h				\
+	util.h					\
+	utime.h					\
+	utmp.h					\
+	utmpx.h					\
+	wait.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:3073: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3078 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:3083: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+echo $ac_n "checking whether time.h and sys/time.h may both be included""... $ac_c" 1>&6
+echo "configure:3111: checking whether time.h and sys/time.h may both be included" >&5
+if eval "test \"`echo '$''{'ac_cv_header_time'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3116 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+int main() {
+struct tm *tp;
+; return 0; }
+EOF
+if { (eval echo configure:3125: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_header_time=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_header_time=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_header_time" 1>&6
+if test $ac_cv_header_time = yes; then
+  cat >> confdefs.h <<\EOF
+#define TIME_WITH_SYS_TIME 1
+EOF
+
+fi
+
+echo $ac_n "checking for sys_siglist declaration in signal.h or unistd.h""... $ac_c" 1>&6
+echo "configure:3146: checking for sys_siglist declaration in signal.h or unistd.h" >&5
+if eval "test \"`echo '$''{'ac_cv_decl_sys_siglist'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3151 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <signal.h>
+/* NetBSD declares sys_siglist in unistd.h.  */
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+int main() {
+char *msg = *(sys_siglist + 1);
+; return 0; }
+EOF
+if { (eval echo configure:3163: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_decl_sys_siglist=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_decl_sys_siglist=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_decl_sys_siglist" 1>&6
+if test $ac_cv_decl_sys_siglist = yes; then
+  cat >> confdefs.h <<\EOF
+#define SYS_SIGLIST_DECLARED 1
+EOF
+
+fi
+
+
+
+for ac_hdr in standards.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:3189: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3194 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:3199: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for i in netinet/ip.h netinet/tcp.h; do
+
+cv=`echo "$i" | sed 'y%./+-%__p_%'`
+
+echo $ac_n "checking for $i""... $ac_c" 1>&6
+echo "configure:3230: checking for $i" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3235 "configure"
+#include "confdefs.h"
+\
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+#include <$i>
+
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:3245: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$cv=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$cv=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""`eval echo \\$ac_cv_header_$cv`" 1>&6
+if test `eval echo \\$ac_cv_header_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+done
+: << END
+@@@headers="$headers netinet/ip.h netinet/tcp.h"@@@
+END
+
+
+
+EXTRA_LOCL_HEADERS=
+EXTRA_HEADERS=
+if test "$ac_cv_header_err_h" != yes; then
+	EXTRA_HEADERS="$EXTRA_HEADERS err.h"
+fi
+if test "$ac_cv_header_fnmatch_h" != yes; then
+	EXTRA_LOCL_HEADERS="$EXTRA_LOCL_HEADERS fnmatch.h"
+fi
+
+
+
+
+for i in int8_t int16_t int32_t int64_t; do
+	echo $ac_n "checking for $i""... $ac_c" 1>&6
+echo "configure:3289: checking for $i" >&5
+	
+if eval "test \"`echo '$''{'ac_cv_type_$i'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3295 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+
+int main() {
+$i x;
+
+; return 0; }
+EOF
+if { (eval echo configure:3319: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval ac_cv_type_$i=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval ac_cv_type_$i=no
+fi
+rm -f conftest*
+fi
+
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_`echo $i | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+		cat >> confdefs.h <<EOF
+#define $type 1
+EOF
+
+	fi
+	echo "$ac_t""$ac_res" 1>&6
+done
+
+
+for i in u_int8_t u_int16_t u_int32_t u_int64_t; do
+	echo $ac_n "checking for $i""... $ac_c" 1>&6
+echo "configure:3345: checking for $i" >&5
+	
+if eval "test \"`echo '$''{'ac_cv_type_$i'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3351 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_BIND_BITYPES_H
+#include <bind/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+
+int main() {
+$i x;
+
+; return 0; }
+EOF
+if { (eval echo configure:3375: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval ac_cv_type_$i=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval ac_cv_type_$i=no
+fi
+rm -f conftest*
+fi
+
+	eval ac_res=\$ac_cv_type_$i
+	if test "$ac_res" = yes; then
+		type=HAVE_`echo $i | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+		cat >> confdefs.h <<EOF
+#define $type 1
+EOF
+
+	fi
+	echo "$ac_t""$ac_res" 1>&6
+done
+
+
+echo $ac_n "checking for strange sys/bitypes.h""... $ac_c" 1>&6
+echo "configure:3400: checking for strange sys/bitypes.h" >&5
+if eval "test \"`echo '$''{'krb_cv_int8_t_ifdef'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 3406 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+
+int main() {
+int8_t x;
+
+; return 0; }
+EOF
+if { (eval echo configure:3424: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  krb_cv_int8_t_ifdef=no
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  krb_cv_int8_t_ifdef=yes
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$krb_cv_int8_t_ifdef" 1>&6
+if test "$krb_cv_int8_t_ifdef" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_STRANGE_INT8_T 1
+EOF
+fi
+
+
+
+
+
+echo $ac_n "checking for crypt""... $ac_c" 1>&6
+echo "configure:3448: checking for crypt" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_crypt'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_crypt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" crypt; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 3463 "configure"
+#include "confdefs.h"
+
+int main() {
+crypt()
+; return 0; }
+EOF
+if { (eval echo configure:3470: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_crypt=$ac_lib; else ac_cv_funclib_crypt=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_crypt=\${ac_cv_funclib_crypt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_crypt"
+
+: << END
+@@@funcs="$funcs crypt"@@@
+@@@libs="$libs "" crypt"@@@
+END
+
+# crypt
+eval "ac_tr_func=HAVE_`echo crypt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_crypt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_crypt=yes"
+	eval "LIB_crypt="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_crypt=no"
+	eval "LIB_crypt="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_crypt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+
+
+echo $ac_n "checking for socket""... $ac_c" 1>&6
+echo "configure:3535: checking for socket" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_socket'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_socket\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" socket; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 3550 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int main() {
+socket(0,0,0)
+; return 0; }
+EOF
+if { (eval echo configure:3562: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_socket=$ac_lib; else ac_cv_funclib_socket=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_socket=\${ac_cv_funclib_socket-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_socket"
+
+: << END
+@@@funcs="$funcs socket"@@@
+@@@libs="$libs "" socket"@@@
+END
+
+# socket
+eval "ac_tr_func=HAVE_`echo socket | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_socket=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_socket=yes"
+	eval "LIB_socket="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_socket=no"
+	eval "LIB_socket="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_socket=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_socket"; then
+	LIBS="$LIB_socket $LIBS"
+fi
+
+
+
+
+
+echo $ac_n "checking for gethostbyname""... $ac_c" 1>&6
+echo "configure:3630: checking for gethostbyname" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_gethostbyname'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_gethostbyname\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" nsl; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 3645 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int main() {
+gethostbyname("foo")
+; return 0; }
+EOF
+if { (eval echo configure:3657: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_gethostbyname=$ac_lib; else ac_cv_funclib_gethostbyname=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_gethostbyname=\${ac_cv_funclib_gethostbyname-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_gethostbyname"
+
+: << END
+@@@funcs="$funcs gethostbyname"@@@
+@@@libs="$libs "" nsl"@@@
+END
+
+# gethostbyname
+eval "ac_tr_func=HAVE_`echo gethostbyname | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_gethostbyname=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_gethostbyname=yes"
+	eval "LIB_gethostbyname="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_gethostbyname=no"
+	eval "LIB_gethostbyname="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_gethostbyname=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_gethostbyname"; then
+	LIBS="$LIB_gethostbyname $LIBS"
+fi
+
+
+
+
+
+
+
+echo $ac_n "checking for odm_initialize""... $ac_c" 1>&6
+echo "configure:3727: checking for odm_initialize" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_odm_initialize'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_odm_initialize\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" odm; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 3742 "configure"
+#include "confdefs.h"
+
+int main() {
+odm_initialize()
+; return 0; }
+EOF
+if { (eval echo configure:3749: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_odm_initialize=$ac_lib; else ac_cv_funclib_odm_initialize=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_odm_initialize=\${ac_cv_funclib_odm_initialize-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_odm_initialize"
+
+: << END
+@@@funcs="$funcs odm_initialize"@@@
+@@@libs="$libs "" odm"@@@
+END
+
+# odm_initialize
+eval "ac_tr_func=HAVE_`echo odm_initialize | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_odm_initialize=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_odm_initialize=yes"
+	eval "LIB_odm_initialize="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_odm_initialize=no"
+	eval "LIB_odm_initialize="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_odm_initialize=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_odm_initialize"; then
+	LIBS="$LIB_odm_initialize $LIBS"
+fi
+
+
+
+
+
+echo $ac_n "checking for getattr""... $ac_c" 1>&6
+echo "configure:3817: checking for getattr" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_getattr'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_getattr\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" cfg; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 3832 "configure"
+#include "confdefs.h"
+
+int main() {
+getattr()
+; return 0; }
+EOF
+if { (eval echo configure:3839: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getattr=$ac_lib; else ac_cv_funclib_getattr=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_getattr=\${ac_cv_funclib_getattr-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_getattr"
+
+: << END
+@@@funcs="$funcs getattr"@@@
+@@@libs="$libs "" cfg"@@@
+END
+
+# getattr
+eval "ac_tr_func=HAVE_`echo getattr | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_getattr=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_getattr=yes"
+	eval "LIB_getattr="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_getattr=no"
+	eval "LIB_getattr="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_getattr=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_getattr"; then
+	LIBS="$LIB_getattr $LIBS"
+fi
+
+
+
+
+
+echo $ac_n "checking for setpcred""... $ac_c" 1>&6
+echo "configure:3907: checking for setpcred" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_setpcred'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_setpcred\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" s; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 3922 "configure"
+#include "confdefs.h"
+
+int main() {
+setpcred()
+; return 0; }
+EOF
+if { (eval echo configure:3929: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_setpcred=$ac_lib; else ac_cv_funclib_setpcred=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_setpcred=\${ac_cv_funclib_setpcred-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_setpcred"
+
+: << END
+@@@funcs="$funcs setpcred"@@@
+@@@libs="$libs "" s"@@@
+END
+
+# setpcred
+eval "ac_tr_func=HAVE_`echo setpcred | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_setpcred=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_setpcred=yes"
+	eval "LIB_setpcred="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_setpcred=no"
+	eval "LIB_setpcred="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_setpcred=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_setpcred"; then
+	LIBS="$LIB_setpcred $LIBS"
+fi
+
+
+
+
+
+echo $ac_n "checking for logwtmp""... $ac_c" 1>&6
+echo "configure:3997: checking for logwtmp" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_logwtmp'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_logwtmp\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" util; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 4012 "configure"
+#include "confdefs.h"
+
+int main() {
+logwtmp()
+; return 0; }
+EOF
+if { (eval echo configure:4019: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_logwtmp=$ac_lib; else ac_cv_funclib_logwtmp=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_logwtmp=\${ac_cv_funclib_logwtmp-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_logwtmp"
+
+: << END
+@@@funcs="$funcs logwtmp"@@@
+@@@libs="$libs "" util"@@@
+END
+
+# logwtmp
+eval "ac_tr_func=HAVE_`echo logwtmp | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_logwtmp=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_logwtmp=yes"
+	eval "LIB_logwtmp="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_logwtmp=no"
+	eval "LIB_logwtmp="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_logwtmp=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_logwtmp"; then
+	LIBS="$LIB_logwtmp $LIBS"
+fi
+
+
+
+
+
+
+echo $ac_n "checking for logout""... $ac_c" 1>&6
+echo "configure:4088: checking for logout" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_logout'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_logout\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" util; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 4103 "configure"
+#include "confdefs.h"
+
+int main() {
+logout()
+; return 0; }
+EOF
+if { (eval echo configure:4110: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_logout=$ac_lib; else ac_cv_funclib_logout=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_logout=\${ac_cv_funclib_logout-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_logout"
+
+: << END
+@@@funcs="$funcs logout"@@@
+@@@libs="$libs "" util"@@@
+END
+
+# logout
+eval "ac_tr_func=HAVE_`echo logout | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_logout=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_logout=yes"
+	eval "LIB_logout="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_logout=no"
+	eval "LIB_logout="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_logout=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_logout"; then
+	LIBS="$LIB_logout $LIBS"
+fi
+
+
+
+
+echo $ac_n "checking for tgetent""... $ac_c" 1>&6
+echo "configure:4177: checking for tgetent" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_tgetent'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_tgetent\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" termcap ncurses curses; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 4192 "configure"
+#include "confdefs.h"
+
+int main() {
+tgetent()
+; return 0; }
+EOF
+if { (eval echo configure:4199: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_tgetent=$ac_lib; else ac_cv_funclib_tgetent=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_tgetent=\${ac_cv_funclib_tgetent-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_tgetent"
+
+: << END
+@@@funcs="$funcs tgetent"@@@
+@@@libs="$libs "" termcap ncurses curses"@@@
+END
+
+# tgetent
+eval "ac_tr_func=HAVE_`echo tgetent | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_tgetent=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_tgetent=yes"
+	eval "LIB_tgetent="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_tgetent=no"
+	eval "LIB_tgetent="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_tgetent=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+	
+# If we find X, set shell vars x_includes and x_libraries to the
+# paths, otherwise set no_x=yes.
+# Uses ac_ vars as temps to allow command line to override cache and checks.
+# --without-x overrides everything else, but does not touch the cache.
+echo $ac_n "checking for X""... $ac_c" 1>&6
+echo "configure:4264: checking for X" >&5
+
+# Check whether --with-x or --without-x was given.
+if test "${with_x+set}" = set; then
+  withval="$with_x"
+  :
+fi
+
+# $have_x is `yes', `no', `disabled', or empty when we do not yet know.
+if test "x$with_x" = xno; then
+  # The user explicitly disabled X.
+  have_x=disabled
+else
+  if test "x$x_includes" != xNONE && test "x$x_libraries" != xNONE; then
+    # Both variables are already set.
+    have_x=yes
+  else
+if eval "test \"`echo '$''{'ac_cv_have_x'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  # One or both of the vars are not set, and there is no cached value.
+ac_x_includes=NO ac_x_libraries=NO
+rm -fr conftestdir
+if mkdir conftestdir; then
+  cd conftestdir
+  # Make sure to not put "make" in the Imakefile rules, since we grep it out.
+  cat > Imakefile <<'EOF'
+acfindx:
+	@echo 'ac_im_incroot="${INCROOT}"; ac_im_usrlibdir="${USRLIBDIR}"; ac_im_libdir="${LIBDIR}"'
+EOF
+  if (xmkmf) >/dev/null 2>/dev/null && test -f Makefile; then
+    # GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+    eval `${MAKE-make} acfindx 2>/dev/null | grep -v make`
+    # Open Windows xmkmf reportedly sets LIBDIR instead of USRLIBDIR.
+    for ac_extension in a so sl; do
+      if test ! -f $ac_im_usrlibdir/libX11.$ac_extension &&
+        test -f $ac_im_libdir/libX11.$ac_extension; then
+        ac_im_usrlibdir=$ac_im_libdir; break
+      fi
+    done
+    # Screen out bogus values from the imake configuration.  They are
+    # bogus both because they are the default anyway, and because
+    # using them would break gcc on systems where it needs fixed includes.
+    case "$ac_im_incroot" in
+	/usr/include) ;;
+	*) test -f "$ac_im_incroot/X11/Xos.h" && ac_x_includes="$ac_im_incroot" ;;
+    esac
+    case "$ac_im_usrlibdir" in
+	/usr/lib | /lib) ;;
+	*) test -d "$ac_im_usrlibdir" && ac_x_libraries="$ac_im_usrlibdir" ;;
+    esac
+  fi
+  cd ..
+  rm -fr conftestdir
+fi
+
+if test "$ac_x_includes" = NO; then
+  # Guess where to find include files, by looking for this one X11 .h file.
+  test -z "$x_direct_test_include" && x_direct_test_include=X11/Intrinsic.h
+
+  # First, try using that file with no special directory specified.
+cat > conftest.$ac_ext <<EOF
+#line 4326 "configure"
+#include "confdefs.h"
+#include <$x_direct_test_include>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:4331: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  # We can compile using X headers with no special include directory.
+ac_x_includes=
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  # Look for the header file in a standard set of common directories.
+# Check X11 before X11Rn because it is often a symlink to the current release.
+  for ac_dir in               \
+    /usr/X11/include          \
+    /usr/X11R6/include        \
+    /usr/X11R5/include        \
+    /usr/X11R4/include        \
+                              \
+    /usr/include/X11          \
+    /usr/include/X11R6        \
+    /usr/include/X11R5        \
+    /usr/include/X11R4        \
+                              \
+    /usr/local/X11/include    \
+    /usr/local/X11R6/include  \
+    /usr/local/X11R5/include  \
+    /usr/local/X11R4/include  \
+                              \
+    /usr/local/include/X11    \
+    /usr/local/include/X11R6  \
+    /usr/local/include/X11R5  \
+    /usr/local/include/X11R4  \
+                              \
+    /usr/X386/include         \
+    /usr/x386/include         \
+    /usr/XFree86/include/X11  \
+                              \
+    /usr/include              \
+    /usr/local/include        \
+    /usr/unsupported/include  \
+    /usr/athena/include       \
+    /usr/local/x11r5/include  \
+    /usr/lpp/Xamples/include  \
+                              \
+    /usr/openwin/include      \
+    /usr/openwin/share/include \
+    ; \
+  do
+    if test -r "$ac_dir/$x_direct_test_include"; then
+      ac_x_includes=$ac_dir
+      break
+    fi
+  done
+fi
+rm -f conftest*
+fi # $ac_x_includes = NO
+
+if test "$ac_x_libraries" = NO; then
+  # Check for the libraries.
+
+  test -z "$x_direct_test_library" && x_direct_test_library=Xt
+  test -z "$x_direct_test_function" && x_direct_test_function=XtMalloc
+
+  # See if we find them without any special options.
+  # Don't add to $LIBS permanently.
+  ac_save_LIBS="$LIBS"
+  LIBS="-l$x_direct_test_library $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4400 "configure"
+#include "confdefs.h"
+
+int main() {
+${x_direct_test_function}()
+; return 0; }
+EOF
+if { (eval echo configure:4407: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  LIBS="$ac_save_LIBS"
+# We can link X programs with no special library path.
+ac_x_libraries=
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  LIBS="$ac_save_LIBS"
+# First see if replacing the include by lib works.
+# Check X11 before X11Rn because it is often a symlink to the current release.
+for ac_dir in `echo "$ac_x_includes" | sed s/include/lib/` \
+    /usr/X11/lib          \
+    /usr/X11R6/lib        \
+    /usr/X11R5/lib        \
+    /usr/X11R4/lib        \
+                          \
+    /usr/lib/X11          \
+    /usr/lib/X11R6        \
+    /usr/lib/X11R5        \
+    /usr/lib/X11R4        \
+                          \
+    /usr/local/X11/lib    \
+    /usr/local/X11R6/lib  \
+    /usr/local/X11R5/lib  \
+    /usr/local/X11R4/lib  \
+                          \
+    /usr/local/lib/X11    \
+    /usr/local/lib/X11R6  \
+    /usr/local/lib/X11R5  \
+    /usr/local/lib/X11R4  \
+                          \
+    /usr/X386/lib         \
+    /usr/x386/lib         \
+    /usr/XFree86/lib/X11  \
+                          \
+    /usr/lib              \
+    /usr/local/lib        \
+    /usr/unsupported/lib  \
+    /usr/athena/lib       \
+    /usr/local/x11r5/lib  \
+    /usr/lpp/Xamples/lib  \
+    /lib/usr/lib/X11	  \
+                          \
+    /usr/openwin/lib      \
+    /usr/openwin/share/lib \
+    ; \
+do
+  for ac_extension in a so sl; do
+    if test -r $ac_dir/lib${x_direct_test_library}.$ac_extension; then
+      ac_x_libraries=$ac_dir
+      break 2
+    fi
+  done
+done
+fi
+rm -f conftest*
+fi # $ac_x_libraries = NO
+
+if test "$ac_x_includes" = NO || test "$ac_x_libraries" = NO; then
+  # Didn't find X anywhere.  Cache the known absence of X.
+  ac_cv_have_x="have_x=no"
+else
+  # Record where we found X for the cache.
+  ac_cv_have_x="have_x=yes \
+	        ac_x_includes=$ac_x_includes ac_x_libraries=$ac_x_libraries"
+fi
+fi
+  fi
+  eval "$ac_cv_have_x"
+fi # $with_x != no
+
+if test "$have_x" != yes; then
+  echo "$ac_t""$have_x" 1>&6
+  no_x=yes
+else
+  # If each of the values was on the command line, it overrides each guess.
+  test "x$x_includes" = xNONE && x_includes=$ac_x_includes
+  test "x$x_libraries" = xNONE && x_libraries=$ac_x_libraries
+  # Update the cache value to reflect the command line values.
+  ac_cv_have_x="have_x=yes \
+		ac_x_includes=$x_includes ac_x_libraries=$x_libraries"
+  echo "$ac_t""libraries $x_libraries, headers $x_includes" 1>&6
+fi
+
+
+if test "$no_x" = yes; then
+  # Not all programs may use this symbol, but it does not hurt to define it.
+  cat >> confdefs.h <<\EOF
+#define X_DISPLAY_MISSING 1
+EOF
+
+  X_CFLAGS= X_PRE_LIBS= X_LIBS= X_EXTRA_LIBS=
+else
+  if test -n "$x_includes"; then
+    X_CFLAGS="$X_CFLAGS -I$x_includes"
+  fi
+
+  # It would also be nice to do this for all -L options, not just this one.
+  if test -n "$x_libraries"; then
+    X_LIBS="$X_LIBS -L$x_libraries"
+    # For Solaris; some versions of Sun CC require a space after -R and
+    # others require no space.  Words are not sufficient . . . .
+    case "`(uname -sr) 2>/dev/null`" in
+    "SunOS 5"*)
+      echo $ac_n "checking whether -R must be followed by a space""... $ac_c" 1>&6
+echo "configure:4514: checking whether -R must be followed by a space" >&5
+      ac_xsave_LIBS="$LIBS"; LIBS="$LIBS -R$x_libraries"
+      cat > conftest.$ac_ext <<EOF
+#line 4517 "configure"
+#include "confdefs.h"
+
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:4524: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_R_nospace=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_R_nospace=no
+fi
+rm -f conftest*
+      if test $ac_R_nospace = yes; then
+	echo "$ac_t""no" 1>&6
+	X_LIBS="$X_LIBS -R$x_libraries"
+      else
+	LIBS="$ac_xsave_LIBS -R $x_libraries"
+	cat > conftest.$ac_ext <<EOF
+#line 4540 "configure"
+#include "confdefs.h"
+
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:4547: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_R_space=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_R_space=no
+fi
+rm -f conftest*
+	if test $ac_R_space = yes; then
+	  echo "$ac_t""yes" 1>&6
+	  X_LIBS="$X_LIBS -R $x_libraries"
+	else
+	  echo "$ac_t""neither works" 1>&6
+	fi
+      fi
+      LIBS="$ac_xsave_LIBS"
+    esac
+  fi
+
+  # Check for system-dependent libraries X programs must link with.
+  # Do this before checking for the system-independent R6 libraries
+  # (-lICE), since we may need -lsocket or whatever for X linking.
+
+  if test "$ISC" = yes; then
+    X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl_s -linet"
+  else
+    # Martyn.Johnson@cl.cam.ac.uk says this is needed for Ultrix, if the X
+    # libraries were built with DECnet support.  And karl@cs.umb.edu says
+    # the Alpha needs dnet_stub (dnet does not exist).
+    echo $ac_n "checking for dnet_ntoa in -ldnet""... $ac_c" 1>&6
+echo "configure:4579: checking for dnet_ntoa in -ldnet" >&5
+ac_lib_var=`echo dnet'_'dnet_ntoa | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldnet  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4587 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char dnet_ntoa();
+
+int main() {
+dnet_ntoa()
+; return 0; }
+EOF
+if { (eval echo configure:4598: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    if test $ac_cv_lib_dnet_dnet_ntoa = no; then
+      echo $ac_n "checking for dnet_ntoa in -ldnet_stub""... $ac_c" 1>&6
+echo "configure:4620: checking for dnet_ntoa in -ldnet_stub" >&5
+ac_lib_var=`echo dnet_stub'_'dnet_ntoa | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-ldnet_stub  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4628 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char dnet_ntoa();
+
+int main() {
+dnet_ntoa()
+; return 0; }
+EOF
+if { (eval echo configure:4639: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -ldnet_stub"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    fi
+
+    # msh@cis.ufl.edu says -lnsl (and -lsocket) are needed for his 386/AT,
+    # to get the SysV transport functions.
+    # chad@anasazi.com says the Pyramis MIS-ES running DC/OSx (SVR4)
+    # needs -lnsl.
+    # The nsl library prevents programs from opening the X display
+    # on Irix 5.2, according to dickey@clark.net.
+    echo $ac_n "checking for gethostbyname""... $ac_c" 1>&6
+echo "configure:4668: checking for gethostbyname" >&5
+if eval "test \"`echo '$''{'ac_cv_func_gethostbyname'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4673 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char gethostbyname(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char gethostbyname();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_gethostbyname) || defined (__stub___gethostbyname)
+choke me
+#else
+gethostbyname();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:4696: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyname=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyname=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'gethostbyname`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  :
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    if test $ac_cv_func_gethostbyname = no; then
+      echo $ac_n "checking for gethostbyname in -lnsl""... $ac_c" 1>&6
+echo "configure:4717: checking for gethostbyname in -lnsl" >&5
+ac_lib_var=`echo nsl'_'gethostbyname | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lnsl  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4725 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char gethostbyname();
+
+int main() {
+gethostbyname()
+; return 0; }
+EOF
+if { (eval echo configure:4736: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lnsl"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    fi
+
+    # lieder@skyler.mavd.honeywell.com says without -lsocket,
+    # socket/setsockopt and other routines are undefined under SCO ODT
+    # 2.0.  But -lsocket is broken on IRIX 5.2 (and is not necessary
+    # on later versions), says simon@lia.di.epfl.ch: it contains
+    # gethostby* variants that don't use the nameserver (or something).
+    # -lsocket must be given before -lnsl if both are needed.
+    # We assume that if connect needs -lnsl, so does gethostbyname.
+    echo $ac_n "checking for connect""... $ac_c" 1>&6
+echo "configure:4766: checking for connect" >&5
+if eval "test \"`echo '$''{'ac_cv_func_connect'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4771 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char connect(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char connect();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_connect) || defined (__stub___connect)
+choke me
+#else
+connect();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:4794: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_connect=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_connect=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'connect`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  :
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    if test $ac_cv_func_connect = no; then
+      echo $ac_n "checking for connect in -lsocket""... $ac_c" 1>&6
+echo "configure:4815: checking for connect in -lsocket" >&5
+ac_lib_var=`echo socket'_'connect | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lsocket $X_EXTRA_LIBS $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4823 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char connect();
+
+int main() {
+connect()
+; return 0; }
+EOF
+if { (eval echo configure:4834: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="-lsocket $X_EXTRA_LIBS"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    fi
+
+    # gomez@mi.uni-erlangen.de says -lposix is necessary on A/UX.
+    echo $ac_n "checking for remove""... $ac_c" 1>&6
+echo "configure:4858: checking for remove" >&5
+if eval "test \"`echo '$''{'ac_cv_func_remove'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4863 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char remove(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char remove();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_remove) || defined (__stub___remove)
+choke me
+#else
+remove();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:4886: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_remove=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_remove=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'remove`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  :
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    if test $ac_cv_func_remove = no; then
+      echo $ac_n "checking for remove in -lposix""... $ac_c" 1>&6
+echo "configure:4907: checking for remove in -lposix" >&5
+ac_lib_var=`echo posix'_'remove | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lposix  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 4915 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char remove();
+
+int main() {
+remove()
+; return 0; }
+EOF
+if { (eval echo configure:4926: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lposix"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    fi
+
+    # BSDI BSD/OS 2.1 needs -lipc for XOpenDisplay.
+    echo $ac_n "checking for shmat""... $ac_c" 1>&6
+echo "configure:4950: checking for shmat" >&5
+if eval "test \"`echo '$''{'ac_cv_func_shmat'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 4955 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char shmat(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char shmat();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_shmat) || defined (__stub___shmat)
+choke me
+#else
+shmat();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:4978: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_shmat=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_shmat=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'shmat`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  :
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    if test $ac_cv_func_shmat = no; then
+      echo $ac_n "checking for shmat in -lipc""... $ac_c" 1>&6
+echo "configure:4999: checking for shmat in -lipc" >&5
+ac_lib_var=`echo ipc'_'shmat | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lipc  $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 5007 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char shmat();
+
+int main() {
+shmat()
+; return 0; }
+EOF
+if { (eval echo configure:5018: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_EXTRA_LIBS="$X_EXTRA_LIBS -lipc"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+    fi
+  fi
+
+  # Check for libraries that X11R6 Xt/Xaw programs need.
+  ac_save_LDFLAGS="$LDFLAGS"
+  test -n "$x_libraries" && LDFLAGS="$LDFLAGS -L$x_libraries"
+  # SM needs ICE to (dynamically) link under SunOS 4.x (so we have to
+  # check for ICE first), but we must link in the order -lSM -lICE or
+  # we get undefined symbols.  So assume we have SM if we have ICE.
+  # These have to be linked with before -lX11, unlike the other
+  # libraries we check for below, so use a different variable.
+  #  --interran@uluru.Stanford.EDU, kb@cs.umb.edu.
+  echo $ac_n "checking for IceConnectionNumber in -lICE""... $ac_c" 1>&6
+echo "configure:5051: checking for IceConnectionNumber in -lICE" >&5
+ac_lib_var=`echo ICE'_'IceConnectionNumber | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lICE $X_EXTRA_LIBS $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 5059 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char IceConnectionNumber();
+
+int main() {
+IceConnectionNumber()
+; return 0; }
+EOF
+if { (eval echo configure:5070: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  X_PRE_LIBS="$X_PRE_LIBS -lSM -lICE"
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+  LDFLAGS="$ac_save_LDFLAGS"
+
+fi
+
+
+# try to figure out if we need any additional ld flags, like -R
+# and yes, the autoconf X test is utterly broken
+if test "$no_x" != yes; then
+	echo $ac_n "checking for special X linker flags""... $ac_c" 1>&6
+echo "configure:5099: checking for special X linker flags" >&5
+if eval "test \"`echo '$''{'krb_cv_sys_x_libs_rpath'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+	ac_save_libs="$LIBS"
+	ac_save_cflags="$CFLAGS"
+	CFLAGS="$CFLAGS $X_CFLAGS"
+	krb_cv_sys_x_libs_rpath=""
+	krb_cv_sys_x_libs=""
+	for rflag in "" "-R" "-R " "-rpath "; do
+		if test "$rflag" = ""; then
+			foo="$X_LIBS"
+		else
+			foo=""
+			for flag in $X_LIBS; do
+			case $flag in
+			-L*)
+				foo="$foo $flag `echo $flag | sed \"s/-L/$rflag/\"`"
+				;;
+			*)
+				foo="$foo $flag"
+				;;
+			esac
+			done
+		fi
+		LIBS="$ac_save_libs $foo $X_PRE_LIBS -lX11 $X_EXTRA_LIBS"
+		if test "$cross_compiling" = yes; then
+    { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5130 "configure"
+#include "confdefs.h"
+
+		#include <X11/Xlib.h>
+		foo()
+		{
+		XOpenDisplay(NULL);
+		}
+		main()
+		{
+		return 0;
+		}
+		
+EOF
+if { (eval echo configure:5144: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  krb_cv_sys_x_libs_rpath="$rflag"; krb_cv_sys_x_libs="$foo"; break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  :
+fi
+rm -fr conftest*
+fi
+
+	done
+	LIBS="$ac_save_libs"
+	CFLAGS="$ac_save_cflags"
+	
+fi
+
+echo "$ac_t""$krb_cv_sys_x_libs_rpath" 1>&6
+	X_LIBS="$krb_cv_sys_x_libs"
+fi
+
+if test "$no_x" = "yes" ; then
+	MAKE_X_PROGS_BIN=""
+	MAKE_X_SCRIPTS_BIN=""
+	MAKE_X_PROGS_LIBEXEC=""
+else
+	MAKE_X_PROGS_BIN='$(X_PROGS_BIN)'
+	MAKE_X_SCRIPTS_BIN='$(X_SCRIPTS_BIN)'
+	MAKE_X_PROGS_LIBEXEC='$(X_PROGS_LIBEXEC)'
+fi
+
+
+save_CFLAGS="$CFLAGS"
+CFLAGS="$X_CFLAGS $CFLAGS"
+save_LIBS="$LIBS"
+LIBS="$X_PRE_LIBS $X_EXTRA_LIBS $LIBS"
+save_LDFLAGS="$LDFLAGS"
+LDFLAGS="$LDFLAGS $X_LIBS"
+
+
+
+
+
+echo $ac_n "checking for XauWriteAuth""... $ac_c" 1>&6
+echo "configure:5189: checking for XauWriteAuth" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_XauWriteAuth'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_XauWriteAuth\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" X11 Xau; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 5204 "configure"
+#include "confdefs.h"
+
+int main() {
+XauWriteAuth()
+; return 0; }
+EOF
+if { (eval echo configure:5211: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauWriteAuth=$ac_lib; else ac_cv_funclib_XauWriteAuth=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_XauWriteAuth=\${ac_cv_funclib_XauWriteAuth-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_XauWriteAuth"
+
+: << END
+@@@funcs="$funcs XauWriteAuth"@@@
+@@@libs="$libs "" X11 Xau"@@@
+END
+
+# XauWriteAuth
+eval "ac_tr_func=HAVE_`echo XauWriteAuth | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_XauWriteAuth=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_XauWriteAuth=yes"
+	eval "LIB_XauWriteAuth="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_XauWriteAuth=no"
+	eval "LIB_XauWriteAuth="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_XauWriteAuth=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+ac_xxx="$LIBS"
+LIBS="$LIB_XauWriteAuth $LIBS"
+
+
+
+echo $ac_n "checking for XauReadAuth""... $ac_c" 1>&6
+echo "configure:5276: checking for XauReadAuth" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_XauReadAuth'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_XauReadAuth\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" X11 Xau; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 5291 "configure"
+#include "confdefs.h"
+
+int main() {
+XauReadAuth()
+; return 0; }
+EOF
+if { (eval echo configure:5298: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauReadAuth=$ac_lib; else ac_cv_funclib_XauReadAuth=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_XauReadAuth=\${ac_cv_funclib_XauReadAuth-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_XauReadAuth"
+
+: << END
+@@@funcs="$funcs XauReadAuth"@@@
+@@@libs="$libs "" X11 Xau"@@@
+END
+
+# XauReadAuth
+eval "ac_tr_func=HAVE_`echo XauReadAuth | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_XauReadAuth=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_XauReadAuth=yes"
+	eval "LIB_XauReadAuth="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_XauReadAuth=no"
+	eval "LIB_XauReadAuth="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_XauReadAuth=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+LIBS="$LIB_XauReadAauth $LIBS"
+
+
+
+echo $ac_n "checking for XauFileName""... $ac_c" 1>&6
+echo "configure:5362: checking for XauFileName" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_XauFileName'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_XauFileName\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" X11 Xau; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 5377 "configure"
+#include "confdefs.h"
+
+int main() {
+XauFileName()
+; return 0; }
+EOF
+if { (eval echo configure:5384: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_XauFileName=$ac_lib; else ac_cv_funclib_XauFileName=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_XauFileName=\${ac_cv_funclib_XauFileName-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_XauFileName"
+
+: << END
+@@@funcs="$funcs XauFileName"@@@
+@@@libs="$libs "" X11 Xau"@@@
+END
+
+# XauFileName
+eval "ac_tr_func=HAVE_`echo XauFileName | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_XauFileName=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_XauFileName=yes"
+	eval "LIB_XauFileName="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_XauFileName=no"
+	eval "LIB_XauFileName="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_XauFileName=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+LIBS="$ac_xxx"
+
+case "$ac_cv_funclib_XauWriteAuth" in
+yes)	;;
+no)	;;
+*)	if test "$ac_cv_funclib_XauReadAuth" = yes; then
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	else
+		if test "$ac_cv_funclib_XauFileName" = yes; then
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth"
+		else
+			LIB_XauReadAuth="$LIB_XauReadAuth $LIB_XauWriteAuth $LIB_XauFileName"
+		fi
+	fi
+	;;
+esac
+
+if test "$AUTOMAKE" != ""; then
+	
+
+if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+  NEED_WRITEAUTH_TRUE=
+  NEED_WRITEAUTH_FALSE='#'
+else
+  NEED_WRITEAUTH_TRUE='#'
+  NEED_WRITEAUTH_FALSE=
+fi
+else
+	
+	
+	if test "$ac_cv_func_XauWriteAuth" != "yes"; then
+		NEED_WRITEAUTH_TRUE=
+		NEED_WRITEAUTH_FALSE='#'
+	else
+		NEED_WRITEAUTH_TRUE='#'
+		NEED_WRITEAUTH_FALSE=
+	fi
+fi
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+LDFLAGS=$save_LDFLAGS
+
+
+
+
+
+lib_dbm=no
+lib_db=no
+
+for i in "" $berkeley_db gdbm ndbm; do
+
+	if test "$i"; then
+		m="lib$i"
+		l="-l$i"
+	else
+		m="libc"
+		l=""
+	fi	
+
+	echo $ac_n "checking for dbm_open in $m""... $ac_c" 1>&6
+echo "configure:5507: checking for dbm_open in $m" >&5
+	if eval "test \"`echo '$''{'ac_cv_krb_dbm_open_$m'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+
+	save_LIBS="$LIBS"
+	LIBS="$l $LIBS"
+	if test "$cross_compiling" = yes; then
+  ac_res=no
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5519 "configure"
+#include "confdefs.h"
+
+#include <unistd.h>
+#include <fcntl.h>
+#if defined(HAVE_NDBM_H)
+#include <ndbm.h>
+#elif defined(HAVE_GDBM_NDBM_H)
+#include <gdbm/ndbm.h>
+#elif defined(HAVE_DBM_H)
+#include <dbm.h>
+#elif defined(HAVE_RPCSVC_DBM_H)
+#include <rpcsvc/dbm.h>
+#elif defined(HAVE_DB_H)
+#define DB_DBM_HSEARCH 1
+#include <db.h>
+#endif
+int main()
+{
+  DBM *d;
+
+  d = dbm_open("conftest", O_RDWR | O_CREAT, 0666);
+  if(d == NULL)
+    return 1;
+  dbm_close(d);
+  return 0;
+}
+EOF
+if { (eval echo configure:5547: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  
+	if test -f conftest.db; then
+		ac_res=db
+	else
+		ac_res=dbm
+	fi
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_res=no
+fi
+rm -fr conftest*
+fi
+
+
+	LIBS="$save_LIBS"
+
+	eval ac_cv_krb_dbm_open_$m=$ac_res
+fi
+
+	eval ac_res=\$ac_cv_krb_dbm_open_$m
+	echo "$ac_t""$ac_res" 1>&6
+
+	if test "$lib_dbm" = no -a $ac_res = dbm; then
+		lib_dbm="$l"
+	elif test "$lib_db" = no -a $ac_res = db; then
+		lib_db="$l"
+		break
+	fi
+done
+
+echo $ac_n "checking for NDBM library""... $ac_c" 1>&6
+echo "configure:5582: checking for NDBM library" >&5
+ac_ndbm=no
+if test "$lib_db" != no; then
+	LIB_DBM="$lib_db"
+	ac_ndbm=yes
+	cat >> confdefs.h <<\EOF
+#define HAVE_NEW_DB 1
+EOF
+
+	if test "$LIB_DBM"; then
+		ac_res="yes, $LIB_DBM"
+	else
+		ac_res=yes
+	fi
+elif test "$lib_dbm" != no; then
+	LIB_DBM="$lib_dbm"
+	ac_ndbm=yes
+	if test "$LIB_DBM"; then
+		ac_res="yes, $LIB_DBM"
+	else
+		ac_res=yes
+	fi
+else
+	LIB_DBM=""
+	ac_res=no
+fi
+test "$ac_ndbm" = yes && cat >> confdefs.h <<\EOF
+#define NDBM 1
+EOF
+
+DBLIB="$LIB_DBM"
+
+echo "$ac_t""$ac_res" 1>&6
+
+
+
+
+
+
+
+echo $ac_n "checking for syslog""... $ac_c" 1>&6
+echo "configure:5623: checking for syslog" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_syslog'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_syslog\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" syslog; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 5638 "configure"
+#include "confdefs.h"
+
+int main() {
+syslog()
+; return 0; }
+EOF
+if { (eval echo configure:5645: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_syslog=$ac_lib; else ac_cv_funclib_syslog=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_syslog=\${ac_cv_funclib_syslog-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_syslog"
+
+: << END
+@@@funcs="$funcs syslog"@@@
+@@@libs="$libs "" syslog"@@@
+END
+
+# syslog
+eval "ac_tr_func=HAVE_`echo syslog | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_syslog=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_syslog=yes"
+	eval "LIB_syslog="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_syslog=no"
+	eval "LIB_syslog="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_syslog=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_syslog"; then
+	LIBS="$LIB_syslog $LIBS"
+fi
+
+
+
+echo $ac_n "checking for working snprintf""... $ac_c" 1>&6
+echo "configure:5711: checking for working snprintf" >&5
+if eval "test \"`echo '$''{'ac_cv_func_snprintf_working'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_cv_func_snprintf_working=yes
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5720 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <string.h>
+int main()
+{
+	char foo[3];
+	snprintf(foo, 2, "12");
+	return strcmp(foo, "1");
+}
+EOF
+if { (eval echo configure:5732: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_func_snprintf_working=no
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_func_snprintf_working" 1>&6
+
+if test "$ac_cv_func_snprintf_working" = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_SNPRINTF 1
+EOF
+
+fi
+if test "$ac_cv_func_snprintf_working" = yes; then
+
+if test "$ac_cv_func_snprintf+set" != set -o "$ac_cv_func_snprintf" = yes; then
+echo $ac_n "checking if snprintf needs a prototype""... $ac_c" 1>&6
+echo "configure:5758: checking if snprintf needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_snprintf_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5763 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+int main() {
+struct foo { int foo; } xx;
+extern int snprintf (struct foo*);
+snprintf(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:5773: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_snprintf_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_snprintf_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_snprintf_noproto" 1>&6
+
+if test "$ac_cv_func_snprintf_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_SNPRINTF_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+
+echo $ac_n "checking for working glob""... $ac_c" 1>&6
+echo "configure:5800: checking for working glob" >&5
+if eval "test \"`echo '$''{'ac_cv_func_glob_working'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_cv_func_glob_working=yes
+cat > conftest.$ac_ext <<EOF
+#line 5806 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <glob.h>
+int main() {
+
+glob(NULL, GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE, NULL, NULL);
+
+; return 0; }
+EOF
+if { (eval echo configure:5817: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_glob_working=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_glob_working" 1>&6
+
+if test "$ac_cv_func_glob_working" = yes; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_GLOB 1
+EOF
+
+fi
+if test "$ac_cv_func_glob_working" = yes; then
+
+if test "$ac_cv_func_glob+set" != set -o "$ac_cv_func_glob" = yes; then
+echo $ac_n "checking if glob needs a prototype""... $ac_c" 1>&6
+echo "configure:5841: checking if glob needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_glob_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5846 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <glob.h>
+int main() {
+struct foo { int foo; } xx;
+extern int glob (struct foo*);
+glob(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:5857: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_glob_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_glob_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_glob_noproto" 1>&6
+
+if test "$ac_cv_func_glob_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_GLOB_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+
+if test "$ac_cv_func_glob_working" != yes; then
+	EXTRA_LOCL_HEADERS="$EXTRA_LOCL_HEADERS glob.h"
+	LIBOBJS="$LIBOBJS glob.o"
+fi
+
+for ac_func in 				\
+	_getpty					\
+	_scrsize				\
+	_setsid					\
+	_stricmp				\
+	asnprintf				\
+	asprintf				\
+	atexit					\
+	cgetent					\
+	chroot					\
+	fattach					\
+	fchmod					\
+	fcntl					\
+	forkpty					\
+	frevoke					\
+	getpriority				\
+	getrlimit				\
+	getservbyname				\
+	getspnam				\
+	gettimeofday				\
+	gettosbyname				\
+	getuid					\
+	grantpt					\
+	mktime					\
+	on_exit					\
+	parsetos				\
+	ptsname					\
+	rand					\
+	random					\
+	revoke					\
+	setitimer				\
+	setpgid					\
+	setpriority				\
+	setproctitle				\
+	setregid				\
+	setresgid				\
+	setresuid				\
+	setreuid				\
+	setsid					\
+	setutent				\
+	sigaction				\
+	sysconf					\
+	sysctl					\
+	ttyname					\
+	ttyslot					\
+	ulimit					\
+	uname					\
+	unlockpt				\
+	vasnprintf				\
+	vasprintf				\
+	vhangup					\
+	vsnprintf				\
+	yp_get_default_domain			\
+	
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:5944: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 5949 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:5972: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+
+
+for ac_hdr in capability.h sys/capability.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:6003: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6008 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:6013: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+for ac_func in sgi_getcapabilitybyname cap_set_proc
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:6043: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6048 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:6071: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+
+
+
+
+
+echo $ac_n "checking for getpwnam_r""... $ac_c" 1>&6
+echo "configure:6102: checking for getpwnam_r" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_getpwnam_r'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_getpwnam_r\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" c_r; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6117 "configure"
+#include "confdefs.h"
+
+int main() {
+getpwnam_r()
+; return 0; }
+EOF
+if { (eval echo configure:6124: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getpwnam_r=$ac_lib; else ac_cv_funclib_getpwnam_r=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_getpwnam_r=\${ac_cv_funclib_getpwnam_r-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_getpwnam_r"
+
+: << END
+@@@funcs="$funcs getpwnam_r"@@@
+@@@libs="$libs "" c_r"@@@
+END
+
+# getpwnam_r
+eval "ac_tr_func=HAVE_`echo getpwnam_r | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_getpwnam_r=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_getpwnam_r=yes"
+	eval "LIB_getpwnam_r="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_getpwnam_r=no"
+	eval "LIB_getpwnam_r="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_getpwnam_r=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test "$ac_cv_func_getpwnam_r" = yes; then
+	echo $ac_n "checking if getpwnam_r is posix""... $ac_c" 1>&6
+echo "configure:6185: checking if getpwnam_r is posix" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getpwnam_r_posix'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_libs="$LIBS"
+	LIBS="$LIBS $LIB_getpwnam_r"
+	if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6195 "configure"
+#include "confdefs.h"
+
+#include <pwd.h>
+int main()
+{
+	struct passwd pw, *pwd;
+	return getpwnam_r("", &pw, NULL, 0, &pwd) < 0;
+}
+
+EOF
+if { (eval echo configure:6206: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  ac_cv_func_getpwnam_r_posix=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_func_getpwnam_r_posix=no
+fi
+rm -fr conftest*
+fi
+
+LIBS="$ac_libs"
+fi
+
+echo "$ac_t""$ac_cv_func_getpwnam_r_posix" 1>&6
+if test "$ac_cv_func_getpwnam_r_posix" = yes; then
+	cat >> confdefs.h <<\EOF
+#define POSIX_GETPWNAM_R 1
+EOF
+
+fi
+fi
+
+
+
+
+
+echo $ac_n "checking for getsockopt""... $ac_c" 1>&6
+echo "configure:6235: checking for getsockopt" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_getsockopt'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_getsockopt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6250 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int main() {
+getsockopt(0,0,0,0,0)
+; return 0; }
+EOF
+if { (eval echo configure:6262: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_getsockopt=$ac_lib; else ac_cv_funclib_getsockopt=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_getsockopt=\${ac_cv_funclib_getsockopt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_getsockopt"
+
+: << END
+@@@funcs="$funcs getsockopt"@@@
+@@@libs="$libs "" "@@@
+END
+
+# getsockopt
+eval "ac_tr_func=HAVE_`echo getsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_getsockopt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_getsockopt=yes"
+	eval "LIB_getsockopt="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_getsockopt=no"
+	eval "LIB_getsockopt="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_getsockopt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+
+
+echo $ac_n "checking for setsockopt""... $ac_c" 1>&6
+echo "configure:6325: checking for setsockopt" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_setsockopt'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_setsockopt\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" ; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6340 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+int main() {
+setsockopt(0,0,0,0,0)
+; return 0; }
+EOF
+if { (eval echo configure:6352: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_setsockopt=$ac_lib; else ac_cv_funclib_setsockopt=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_setsockopt=\${ac_cv_funclib_setsockopt-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_setsockopt"
+
+: << END
+@@@funcs="$funcs setsockopt"@@@
+@@@libs="$libs "" "@@@
+END
+
+# setsockopt
+eval "ac_tr_func=HAVE_`echo setsockopt | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_setsockopt=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_setsockopt=yes"
+	eval "LIB_setsockopt="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_setsockopt=no"
+	eval "LIB_setsockopt="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_setsockopt=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+
+for ac_func in getudbnam setlim
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:6415: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6420 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:6443: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+
+
+
+
+
+echo $ac_n "checking for res_search""... $ac_c" 1>&6
+echo "configure:6473: checking for res_search" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_res_search'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_res_search\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6488 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int main() {
+res_search(0,0,0,0,0)
+; return 0; }
+EOF
+if { (eval echo configure:6509: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_res_search=$ac_lib; else ac_cv_funclib_res_search=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_res_search=\${ac_cv_funclib_res_search-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_res_search"
+
+: << END
+@@@funcs="$funcs res_search"@@@
+@@@libs="$libs "" resolv"@@@
+END
+
+# res_search
+eval "ac_tr_func=HAVE_`echo res_search | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_res_search=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_res_search=yes"
+	eval "LIB_res_search="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_res_search=no"
+	eval "LIB_res_search="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_res_search=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_res_search"; then
+	LIBS="$LIB_res_search $LIBS"
+fi
+
+
+
+
+
+
+echo $ac_n "checking for dn_expand""... $ac_c" 1>&6
+echo "configure:6578: checking for dn_expand" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_dn_expand'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_dn_expand\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 6593 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+int main() {
+dn_expand(0,0,0,0,0)
+; return 0; }
+EOF
+if { (eval echo configure:6614: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_dn_expand=$ac_lib; else ac_cv_funclib_dn_expand=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_dn_expand=\${ac_cv_funclib_dn_expand-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_dn_expand"
+
+: << END
+@@@funcs="$funcs dn_expand"@@@
+@@@libs="$libs "" resolv"@@@
+END
+
+# dn_expand
+eval "ac_tr_func=HAVE_`echo dn_expand | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_dn_expand=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_dn_expand=yes"
+	eval "LIB_dn_expand="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_dn_expand=no"
+	eval "LIB_dn_expand="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_dn_expand=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_dn_expand"; then
+	LIBS="$LIB_dn_expand $LIBS"
+fi
+
+
+
+for ac_hdr in unistd.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:6683: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6688 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:6693: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for ac_func in getpagesize
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:6722: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6727 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:6750: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+echo $ac_n "checking for working mmap""... $ac_c" 1>&6
+echo "configure:6775: checking for working mmap" >&5
+if eval "test \"`echo '$''{'ac_cv_func_mmap_fixed_mapped'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test "$cross_compiling" = yes; then
+  ac_cv_func_mmap_fixed_mapped=no
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6783 "configure"
+#include "confdefs.h"
+
+/* Thanks to Mike Haertel and Jim Avera for this test.
+   Here is a matrix of mmap possibilities:
+	mmap private not fixed
+	mmap private fixed at somewhere currently unmapped
+	mmap private fixed at somewhere already mapped
+	mmap shared not fixed
+	mmap shared fixed at somewhere currently unmapped
+	mmap shared fixed at somewhere already mapped
+   For private mappings, we should verify that changes cannot be read()
+   back from the file, nor mmap's back from the file at a different
+   address.  (There have been systems where private was not correctly
+   implemented like the infamous i386 svr4.0, and systems where the
+   VM page cache was not coherent with the filesystem buffer cache
+   like early versions of FreeBSD and possibly contemporary NetBSD.)
+   For shared mappings, we should conversely verify that changes get
+   propogated back to all the places they're supposed to be.
+
+   Grep wants private fixed already mapped.
+   The main things grep needs to know about mmap are:
+   * does it exist and is it safe to write into the mmap'd area
+   * how to use it (BSD variants)  */
+#include <sys/types.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+
+/* This mess was copied from the GNU getpagesize.h.  */
+#ifndef HAVE_GETPAGESIZE
+# ifdef HAVE_UNISTD_H
+#  include <unistd.h>
+# endif
+
+/* Assume that all systems that can run configure have sys/param.h.  */
+# ifndef HAVE_SYS_PARAM_H
+#  define HAVE_SYS_PARAM_H 1
+# endif
+
+# ifdef _SC_PAGESIZE
+#  define getpagesize() sysconf(_SC_PAGESIZE)
+# else /* no _SC_PAGESIZE */
+#  ifdef HAVE_SYS_PARAM_H
+#   include <sys/param.h>
+#   ifdef EXEC_PAGESIZE
+#    define getpagesize() EXEC_PAGESIZE
+#   else /* no EXEC_PAGESIZE */
+#    ifdef NBPG
+#     define getpagesize() NBPG * CLSIZE
+#     ifndef CLSIZE
+#      define CLSIZE 1
+#     endif /* no CLSIZE */
+#    else /* no NBPG */
+#     ifdef NBPC
+#      define getpagesize() NBPC
+#     else /* no NBPC */
+#      ifdef PAGESIZE
+#       define getpagesize() PAGESIZE
+#      endif /* PAGESIZE */
+#     endif /* no NBPC */
+#    endif /* no NBPG */
+#   endif /* no EXEC_PAGESIZE */
+#  else /* no HAVE_SYS_PARAM_H */
+#   define getpagesize() 8192	/* punt totally */
+#  endif /* no HAVE_SYS_PARAM_H */
+# endif /* no _SC_PAGESIZE */
+
+#endif /* no HAVE_GETPAGESIZE */
+
+#ifdef __cplusplus
+extern "C" { void *malloc(unsigned); }
+#else
+char *malloc();
+#endif
+
+int
+main()
+{
+	char *data, *data2, *data3;
+	int i, pagesize;
+	int fd;
+
+	pagesize = getpagesize();
+
+	/*
+	 * First, make a file with some known garbage in it.
+	 */
+	data = malloc(pagesize);
+	if (!data)
+		exit(1);
+	for (i = 0; i < pagesize; ++i)
+		*(data + i) = rand();
+	umask(0);
+	fd = creat("conftestmmap", 0600);
+	if (fd < 0)
+		exit(1);
+	if (write(fd, data, pagesize) != pagesize)
+		exit(1);
+	close(fd);
+
+	/*
+	 * Next, try to mmap the file at a fixed address which
+	 * already has something else allocated at it.  If we can,
+	 * also make sure that we see the same garbage.
+	 */
+	fd = open("conftestmmap", O_RDWR);
+	if (fd < 0)
+		exit(1);
+	data2 = malloc(2 * pagesize);
+	if (!data2)
+		exit(1);
+	data2 += (pagesize - ((int) data2 & (pagesize - 1))) & (pagesize - 1);
+	if (data2 != mmap(data2, pagesize, PROT_READ | PROT_WRITE,
+	    MAP_PRIVATE | MAP_FIXED, fd, 0L))
+		exit(1);
+	for (i = 0; i < pagesize; ++i)
+		if (*(data + i) != *(data2 + i))
+			exit(1);
+
+	/*
+	 * Finally, make sure that changes to the mapped area
+	 * do not percolate back to the file as seen by read().
+	 * (This is a bug on some variants of i386 svr4.0.)
+	 */
+	for (i = 0; i < pagesize; ++i)
+		*(data2 + i) = *(data2 + i) + 1;
+	data3 = malloc(pagesize);
+	if (!data3)
+		exit(1);
+	if (read(fd, data3, pagesize) != pagesize)
+		exit(1);
+	for (i = 0; i < pagesize; ++i)
+		if (*(data + i) != *(data3 + i))
+			exit(1);
+	close(fd);
+	unlink("conftestmmap");
+	exit(0);
+}
+
+EOF
+if { (eval echo configure:6923: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  ac_cv_func_mmap_fixed_mapped=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_func_mmap_fixed_mapped=no
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_func_mmap_fixed_mapped" 1>&6
+if test $ac_cv_func_mmap_fixed_mapped = yes; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_MMAP 1
+EOF
+
+fi
+
+# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works
+# for constant arguments.  Useless!
+echo $ac_n "checking for working alloca.h""... $ac_c" 1>&6
+echo "configure:6948: checking for working alloca.h" >&5
+if eval "test \"`echo '$''{'ac_cv_header_alloca_h'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6953 "configure"
+#include "confdefs.h"
+#include <alloca.h>
+int main() {
+char *p = alloca(2 * sizeof(int));
+; return 0; }
+EOF
+if { (eval echo configure:6960: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_header_alloca_h=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_header_alloca_h=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_header_alloca_h" 1>&6
+if test $ac_cv_header_alloca_h = yes; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_ALLOCA_H 1
+EOF
+
+fi
+
+echo $ac_n "checking for alloca""... $ac_c" 1>&6
+echo "configure:6981: checking for alloca" >&5
+if eval "test \"`echo '$''{'ac_cv_func_alloca_works'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 6986 "configure"
+#include "confdefs.h"
+
+#ifdef __GNUC__
+# define alloca __builtin_alloca
+#else
+# ifdef _MSC_VER
+#  include <malloc.h>
+#  define alloca _alloca
+# else
+#  if HAVE_ALLOCA_H
+#   include <alloca.h>
+#  else
+#   ifdef _AIX
+ #pragma alloca
+#   else
+#    ifndef alloca /* predefined by HP cc +Olibcalls */
+char *alloca ();
+#    endif
+#   endif
+#  endif
+# endif
+#endif
+
+int main() {
+char *p = (char *) alloca(1);
+; return 0; }
+EOF
+if { (eval echo configure:7014: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_func_alloca_works=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_alloca_works=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_alloca_works" 1>&6
+if test $ac_cv_func_alloca_works = yes; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_ALLOCA 1
+EOF
+
+fi
+
+if test $ac_cv_func_alloca_works = no; then
+  # The SVR3 libPW and SVR4 libucb both contain incompatible functions
+  # that cause trouble.  Some versions do not even contain alloca or
+  # contain a buggy version.  If you still want to use their alloca,
+  # use ar to extract alloca.o from them instead of compiling alloca.c.
+  ALLOCA=alloca.${ac_objext}
+  cat >> confdefs.h <<\EOF
+#define C_ALLOCA 1
+EOF
+
+
+echo $ac_n "checking whether alloca needs Cray hooks""... $ac_c" 1>&6
+echo "configure:7046: checking whether alloca needs Cray hooks" >&5
+if eval "test \"`echo '$''{'ac_cv_os_cray'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7051 "configure"
+#include "confdefs.h"
+#if defined(CRAY) && ! defined(CRAY2)
+webecray
+#else
+wenotbecray
+#endif
+
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "webecray" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_os_cray=yes
+else
+  rm -rf conftest*
+  ac_cv_os_cray=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_os_cray" 1>&6
+if test $ac_cv_os_cray = yes; then
+for ac_func in _getb67 GETB67 getb67; do
+  echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7076: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7081 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7104: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  cat >> confdefs.h <<EOF
+#define CRAY_STACKSEG_END $ac_func
+EOF
+
+  break
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+done
+fi
+
+echo $ac_n "checking stack direction for C alloca""... $ac_c" 1>&6
+echo "configure:7131: checking stack direction for C alloca" >&5
+if eval "test \"`echo '$''{'ac_cv_c_stack_direction'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test "$cross_compiling" = yes; then
+  ac_cv_c_stack_direction=0
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7139 "configure"
+#include "confdefs.h"
+find_stack_direction ()
+{
+  static char *addr = 0;
+  auto char dummy;
+  if (addr == 0)
+    {
+      addr = &dummy;
+      return find_stack_direction ();
+    }
+  else
+    return (&dummy > addr) ? 1 : -1;
+}
+main ()
+{
+  exit (find_stack_direction() < 0);
+}
+EOF
+if { (eval echo configure:7158: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  ac_cv_c_stack_direction=1
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_c_stack_direction=-1
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_c_stack_direction" 1>&6
+cat >> confdefs.h <<EOF
+#define STACK_DIRECTION $ac_cv_c_stack_direction
+EOF
+
+fi
+
+
+
+for ac_func in getlogin setlogin
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7184: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7189 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7212: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+if test "$ac_cv_func_getlogin" = yes; then
+echo $ac_n "checking if getlogin is posix""... $ac_c" 1>&6
+echo "configure:7238: checking if getlogin is posix" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getlogin_posix'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then
+	ac_cv_func_getlogin_posix=no
+else
+	ac_cv_func_getlogin_posix=yes
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_func_getlogin_posix" 1>&6
+if test "$ac_cv_func_getlogin_posix" = yes; then
+	cat >> confdefs.h <<\EOF
+#define POSIX_GETLOGIN 1
+EOF
+
+fi
+fi
+
+
+
+
+
+
+echo $ac_n "checking for hstrerror""... $ac_c" 1>&6
+echo "configure:7266: checking for hstrerror" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_hstrerror'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_hstrerror\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" resolv; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 7281 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+int main() {
+hstrerror(17)
+; return 0; }
+EOF
+if { (eval echo configure:7290: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_hstrerror=$ac_lib; else ac_cv_funclib_hstrerror=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_hstrerror=\${ac_cv_funclib_hstrerror-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_hstrerror"
+
+: << END
+@@@funcs="$funcs hstrerror"@@@
+@@@libs="$libs "" resolv"@@@
+END
+
+# hstrerror
+eval "ac_tr_func=HAVE_`echo hstrerror | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_hstrerror=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_hstrerror=yes"
+	eval "LIB_hstrerror="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_hstrerror=no"
+	eval "LIB_hstrerror="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_hstrerror=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test -n "$LIB_hstrerror"; then
+	LIBS="$LIB_hstrerror $LIBS"
+fi
+
+if eval "test \"$ac_cv_func_hstrerror\" != yes"; then
+LIBOBJS="$LIBOBJS hstrerror.o"
+fi
+
+if test "$ac_cv_func_hstrerror" = yes; then
+
+if test "$ac_cv_func_hstrerror+set" != set -o "$ac_cv_func_hstrerror" = yes; then
+echo $ac_n "checking if hstrerror needs a prototype""... $ac_c" 1>&6
+echo "configure:7361: checking if hstrerror needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_hstrerror_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7366 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+int main() {
+struct foo { int foo; } xx;
+extern int hstrerror (struct foo*);
+hstrerror(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:7379: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_hstrerror_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_hstrerror_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_hstrerror_noproto" 1>&6
+
+if test "$ac_cv_func_hstrerror_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_HSTRERROR_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+for ac_func in chown copyhostent daemon err errx fchown flock fnmatch freehostent
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7407: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7412 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7435: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs chown copyhostent daemon err errx fchown flock fnmatch freehostent"@@@
+END
+done
+
+for ac_func in getcwd getdtablesize gethostname getipnodebyaddr getipnodebyname
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7468: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7473 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7496: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs getcwd getdtablesize gethostname getipnodebyaddr getipnodebyname"@@@
+END
+done
+
+for ac_func in geteuid getgid getegid
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7529: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7534 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7557: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs geteuid getgid getegid"@@@
+END
+done
+
+for ac_func in getopt getusershell
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7590: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7595 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7618: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs getopt getusershell"@@@
+END
+done
+
+for ac_func in inet_aton inet_ntop inet_pton initgroups innetgr iruserok lstat
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7651: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7656 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7679: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs inet_aton inet_ntop inet_pton initgroups innetgr iruserok lstat"@@@
+END
+done
+
+for ac_func in memmove
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7712: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7717 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7740: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs memmove"@@@
+END
+done
+
+for ac_func in mkstemp putenv rcmd readv recvmsg sendmsg setegid setenv seteuid
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7773: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7778 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7801: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs mkstemp putenv rcmd readv recvmsg sendmsg setegid setenv seteuid"@@@
+END
+done
+
+for ac_func in strcasecmp strncasecmp strdup strerror strftime
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7834: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7839 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7862: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs strcasecmp strncasecmp strdup strerror strftime"@@@
+END
+done
+
+for ac_func in strlcat strlcpy strlwr
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7895: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7900 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7923: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs strlcat strlcpy strlwr"@@@
+END
+done
+
+for ac_func in strndup strnlen strptime strsep strtok_r strupr
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:7956: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 7961 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:7984: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs strndup strnlen strptime strsep strtok_r strupr"@@@
+END
+done
+
+for ac_func in swab unsetenv verr verrx vsyslog
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8017: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8022 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8045: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs swab unsetenv verr verrx vsyslog"@@@
+END
+done
+
+for ac_func in vwarn vwarnx warn warnx writev
+do
+echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+echo "configure:8078: checking for $ac_func" >&5
+if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8083 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $ac_func();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+$ac_func();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:8106: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_$ac_func=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  
+ac_tr_func=HAVE_`echo $ac_func | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`
+cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+LIBOBJS="$LIBOBJS ${ac_func}.o"
+fi
+
+: << END
+@@@funcs="$funcs vwarn vwarnx warn warnx writev"@@@
+END
+done
+
+
+if test "$ac_cv_func_gethostname" = "yes"; then
+
+if test "$ac_cv_func_gethostname+set" != set -o "$ac_cv_func_gethostname" = yes; then
+echo $ac_n "checking if gethostname needs a prototype""... $ac_c" 1>&6
+echo "configure:8141: checking if gethostname needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_gethostname_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8146 "configure"
+#include "confdefs.h"
+
+#include <unistd.h>
+int main() {
+struct foo { int foo; } xx;
+extern int gethostname (struct foo*);
+gethostname(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8157: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_gethostname_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_gethostname_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_gethostname_noproto" 1>&6
+
+if test "$ac_cv_func_gethostname_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_GETHOSTNAME_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+if test "$ac_cv_func_mkstemp" = "yes"; then
+
+if test "$ac_cv_func_mkstemp+set" != set -o "$ac_cv_func_mkstemp" = yes; then
+echo $ac_n "checking if mkstemp needs a prototype""... $ac_c" 1>&6
+echo "configure:8186: checking if mkstemp needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_mkstemp_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8191 "configure"
+#include "confdefs.h"
+
+#include <unistd.h>
+int main() {
+struct foo { int foo; } xx;
+extern int mkstemp (struct foo*);
+mkstemp(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8202: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_mkstemp_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_mkstemp_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_mkstemp_noproto" 1>&6
+
+if test "$ac_cv_func_mkstemp_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_MKSTEMP_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+if test "$ac_cv_func_inet_aton" = "yes"; then
+
+if test "$ac_cv_func_inet_aton+set" != set -o "$ac_cv_func_inet_aton" = yes; then
+echo $ac_n "checking if inet_aton needs a prototype""... $ac_c" 1>&6
+echo "configure:8231: checking if inet_aton needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_inet_aton_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8236 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+int main() {
+struct foo { int foo; } xx;
+extern int inet_aton (struct foo*);
+inet_aton(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8258: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_inet_aton_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_inet_aton_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_inet_aton_noproto" 1>&6
+
+if test "$ac_cv_func_inet_aton_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_INET_ATON_PROTO 1
+EOF
+
+fi
+
+fi
+
+fi
+
+echo $ac_n "checking if realloc is broken""... $ac_c" 1>&6
+echo "configure:8284: checking if realloc is broken" >&5
+if eval "test \"`echo '$''{'ac_cv_func_realloc_broken'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+ac_cv_func_realloc_broken=no
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8294 "configure"
+#include "confdefs.h"
+
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+
+EOF
+if { (eval echo configure:8306: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  :
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_func_realloc_broken=yes
+fi
+rm -fr conftest*
+fi
+
+
+fi
+
+echo "$ac_t""$ac_cv_func_realloc_broken" 1>&6
+if test "$ac_cv_func_realloc_broken" = yes ; then
+	cat >> confdefs.h <<\EOF
+#define BROKEN_REALLOC 1
+EOF
+
+fi
+
+
+if test "$ac_cv_func_getcwd" = yes; then
+echo $ac_n "checking if getcwd is broken""... $ac_c" 1>&6
+echo "configure:8332: checking if getcwd is broken" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getcwd_broken'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+ac_cv_func_getcwd_broken=no
+
+if test "$cross_compiling" = yes; then
+  :
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8343 "configure"
+#include "confdefs.h"
+
+#include <errno.h>
+char *getcwd(char*, int);
+
+void *popen(char *cmd, char *mode)
+{
+	errno = ENOTTY;
+	return 0;
+}
+
+int main()
+{
+	char *ret;
+	ret = getcwd(0, 1024);
+	if(ret == 0 && errno == ENOTTY)
+		return 0;
+	return 1;
+}
+
+EOF
+if { (eval echo configure:8365: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  ac_cv_func_getcwd_broken=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  :
+fi
+rm -fr conftest*
+fi
+
+
+fi
+
+if test "$ac_cv_func_getcwd_broken" = yes; then
+	cat >> confdefs.h <<\EOF
+#define BROKEN_GETCWD 1
+EOF
+	LIBOBJS="$LIBOBJS getcwd.o"
+		echo "$ac_t""$ac_cv_func_getcwd_broken" 1>&6
+else
+	echo "$ac_t""seems ok" 1>&6
+fi
+fi
+
+
+
+echo $ac_n "checking which authentication modules should be built""... $ac_c" 1>&6
+echo "configure:8394: checking which authentication modules should be built" >&5
+
+LIB_AUTH_SUBDIRS=
+
+if test "$ac_cv_header_siad_h" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia"
+fi
+
+if test "$ac_cv_header_security_pam_modules_h" = yes -a "$enable_shared" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam"
+fi
+
+case "${host}" in
+*-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
+esac
+
+echo "$ac_t""$LIB_AUTH_SUBDIRS" 1>&6
+
+
+
+
+echo $ac_n "checking if gethostbyname is compatible with system prototype""... $ac_c" 1>&6
+echo "configure:8416: checking if gethostbyname is compatible with system prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_gethostbyname_proto_compat'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8421 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int main() {
+struct hostent *gethostbyname(const char *);
+; return 0; }
+EOF
+if { (eval echo configure:8444: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyname_proto_compat=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyname_proto_compat=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_gethostbyname_proto_compat" 1>&6
+
+if test "$ac_cv_func_gethostbyname_proto_compat" = yes; then
+	cat >> confdefs.h <<\EOF
+#define GETHOSTBYNAME_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking if gethostbyaddr is compatible with system prototype""... $ac_c" 1>&6
+echo "configure:8469: checking if gethostbyaddr is compatible with system prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_gethostbyaddr_proto_compat'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8474 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int main() {
+struct hostent *gethostbyaddr(const void *, size_t, int);
+; return 0; }
+EOF
+if { (eval echo configure:8497: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyaddr_proto_compat=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_gethostbyaddr_proto_compat=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_gethostbyaddr_proto_compat" 1>&6
+
+if test "$ac_cv_func_gethostbyaddr_proto_compat" = yes; then
+	cat >> confdefs.h <<\EOF
+#define GETHOSTBYADDR_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking if getservbyname is compatible with system prototype""... $ac_c" 1>&6
+echo "configure:8522: checking if getservbyname is compatible with system prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getservbyname_proto_compat'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8527 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+int main() {
+struct servent *getservbyname(const char *, const char *);
+; return 0; }
+EOF
+if { (eval echo configure:8550: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_getservbyname_proto_compat=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_getservbyname_proto_compat=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_getservbyname_proto_compat" 1>&6
+
+if test "$ac_cv_func_getservbyname_proto_compat" = yes; then
+	cat >> confdefs.h <<\EOF
+#define GETSERVBYNAME_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking if openlog is compatible with system prototype""... $ac_c" 1>&6
+echo "configure:8575: checking if openlog is compatible with system prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_openlog_proto_compat'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8580 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+
+int main() {
+void openlog(const char *, int, int);
+; return 0; }
+EOF
+if { (eval echo configure:8591: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_openlog_proto_compat=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_openlog_proto_compat=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_openlog_proto_compat" 1>&6
+
+if test "$ac_cv_func_openlog_proto_compat" = yes; then
+	cat >> confdefs.h <<\EOF
+#define OPENLOG_PROTO_COMPATIBLE 1
+EOF
+
+fi
+
+
+
+
+if test "$ac_cv_func_crypt+set" != set -o "$ac_cv_func_crypt" = yes; then
+echo $ac_n "checking if crypt needs a prototype""... $ac_c" 1>&6
+echo "configure:8617: checking if crypt needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_crypt_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8622 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+int main() {
+struct foo { int foo; } xx;
+extern int crypt (struct foo*);
+crypt(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8639: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_crypt_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_crypt_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_crypt_noproto" 1>&6
+
+if test "$ac_cv_func_crypt_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_CRYPT_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+if test "$ac_cv_func_fclose+set" != set -o "$ac_cv_func_fclose" = yes; then
+echo $ac_n "checking if fclose needs a prototype""... $ac_c" 1>&6
+echo "configure:8666: checking if fclose needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_fclose_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8671 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+
+int main() {
+struct foo { int foo; } xx;
+extern int fclose (struct foo*);
+fclose(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8683: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_fclose_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_fclose_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_fclose_noproto" 1>&6
+
+if test "$ac_cv_func_fclose_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_FCLOSE_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+if test "$ac_cv_func_strtok_r+set" != set -o "$ac_cv_func_strtok_r" = yes; then
+echo $ac_n "checking if strtok_r needs a prototype""... $ac_c" 1>&6
+echo "configure:8710: checking if strtok_r needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_strtok_r_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8715 "configure"
+#include "confdefs.h"
+
+#include <string.h>
+
+int main() {
+struct foo { int foo; } xx;
+extern int strtok_r (struct foo*);
+strtok_r(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8727: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_strtok_r_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_strtok_r_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_strtok_r_noproto" 1>&6
+
+if test "$ac_cv_func_strtok_r_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_STRTOK_R_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+if test "$ac_cv_func_strsep+set" != set -o "$ac_cv_func_strsep" = yes; then
+echo $ac_n "checking if strsep needs a prototype""... $ac_c" 1>&6
+echo "configure:8754: checking if strsep needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_strsep_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8759 "configure"
+#include "confdefs.h"
+
+#include <string.h>
+
+int main() {
+struct foo { int foo; } xx;
+extern int strsep (struct foo*);
+strsep(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8771: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_strsep_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_strsep_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_strsep_noproto" 1>&6
+
+if test "$ac_cv_func_strsep_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_STRSEP_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+if test "$ac_cv_func_getusershell+set" != set -o "$ac_cv_func_getusershell" = yes; then
+echo $ac_n "checking if getusershell needs a prototype""... $ac_c" 1>&6
+echo "configure:8798: checking if getusershell needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getusershell_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8803 "configure"
+#include "confdefs.h"
+
+#include <unistd.h>
+
+int main() {
+struct foo { int foo; } xx;
+extern int getusershell (struct foo*);
+getusershell(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8815: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_getusershell_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_getusershell_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_getusershell_noproto" 1>&6
+
+if test "$ac_cv_func_getusershell_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_GETUSERSHELL_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+if test "$ac_cv_func_utime+set" != set -o "$ac_cv_func_utime" = yes; then
+echo $ac_n "checking if utime needs a prototype""... $ac_c" 1>&6
+echo "configure:8842: checking if utime needs a prototype" >&5
+if eval "test \"`echo '$''{'ac_cv_func_utime_noproto'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 8847 "configure"
+#include "confdefs.h"
+
+#ifdef HAVE_UTIME_H
+#include <utime.h>
+#endif
+
+int main() {
+struct foo { int foo; } xx;
+extern int utime (struct foo*);
+utime(&xx);
+
+; return 0; }
+EOF
+if { (eval echo configure:8861: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_func_utime_noproto=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_utime_noproto=no"
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_utime_noproto" 1>&6
+
+if test "$ac_cv_func_utime_noproto" = yes; then
+	cat >> confdefs.h <<\EOF
+#define NEED_UTIME_PROTO 1
+EOF
+
+fi
+
+fi
+
+
+
+echo $ac_n "checking for h_errno""... $ac_c" 1>&6
+echo "configure:8887: checking for h_errno" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_errno'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 8893 "configure"
+#include "confdefs.h"
+extern int h_errno;
+int foo() { return h_errno; }
+int main() {
+foo()
+; return 0; }
+EOF
+if { (eval echo configure:8901: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_var_h_errno=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_var_h_errno=no
+fi
+rm -f conftest*
+
+fi
+
+
+
+echo "$ac_t""`eval echo \\$ac_cv_var_h_errno`" 1>&6
+if test `eval echo \\$ac_cv_var_h_errno` = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_H_ERRNO 1
+EOF
+
+	
+echo $ac_n "checking if h_errno is properly declared""... $ac_c" 1>&6
+echo "configure:8924: checking if h_errno is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_errno_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 8930 "configure"
+#include "confdefs.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_errno;
+int main() {
+h_errno.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:8943: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_h_errno_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_h_errno_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_h_errno_declaration" 1>&6
+if eval "test \"\$ac_cv_var_h_errno_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_H_ERRNO_DECLARATION 1
+EOF
+
+fi
+
+
+fi
+
+
+
+
+echo $ac_n "checking for h_errlist""... $ac_c" 1>&6
+echo "configure:8974: checking for h_errlist" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_errlist'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 8980 "configure"
+#include "confdefs.h"
+extern int h_errlist;
+int foo() { return h_errlist; }
+int main() {
+foo()
+; return 0; }
+EOF
+if { (eval echo configure:8988: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_var_h_errlist=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_var_h_errlist=no
+fi
+rm -f conftest*
+
+fi
+
+
+
+echo "$ac_t""`eval echo \\$ac_cv_var_h_errlist`" 1>&6
+if test `eval echo \\$ac_cv_var_h_errlist` = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_H_ERRLIST 1
+EOF
+
+	
+echo $ac_n "checking if h_errlist is properly declared""... $ac_c" 1>&6
+echo "configure:9011: checking if h_errlist is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_errlist_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9017 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_errlist;
+int main() {
+h_errlist.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:9027: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_h_errlist_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_h_errlist_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_h_errlist_declaration" 1>&6
+if eval "test \"\$ac_cv_var_h_errlist_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_H_ERRLIST_DECLARATION 1
+EOF
+
+fi
+
+
+fi
+
+
+
+
+echo $ac_n "checking for h_nerr""... $ac_c" 1>&6
+echo "configure:9058: checking for h_nerr" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_nerr'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9064 "configure"
+#include "confdefs.h"
+extern int h_nerr;
+int foo() { return h_nerr; }
+int main() {
+foo()
+; return 0; }
+EOF
+if { (eval echo configure:9072: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_var_h_nerr=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_var_h_nerr=no
+fi
+rm -f conftest*
+
+fi
+
+
+
+echo "$ac_t""`eval echo \\$ac_cv_var_h_nerr`" 1>&6
+if test `eval echo \\$ac_cv_var_h_nerr` = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_H_NERR 1
+EOF
+
+	
+echo $ac_n "checking if h_nerr is properly declared""... $ac_c" 1>&6
+echo "configure:9095: checking if h_nerr is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_h_nerr_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9101 "configure"
+#include "confdefs.h"
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+extern struct { int foo; } h_nerr;
+int main() {
+h_nerr.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:9111: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_h_nerr_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_h_nerr_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_h_nerr_declaration" 1>&6
+if eval "test \"\$ac_cv_var_h_nerr_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_H_NERR_DECLARATION 1
+EOF
+
+fi
+
+
+fi
+
+
+
+
+echo $ac_n "checking for __progname""... $ac_c" 1>&6
+echo "configure:9142: checking for __progname" >&5
+if eval "test \"`echo '$''{'ac_cv_var___progname'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9148 "configure"
+#include "confdefs.h"
+extern int __progname;
+int foo() { return __progname; }
+int main() {
+foo()
+; return 0; }
+EOF
+if { (eval echo configure:9156: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_var___progname=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_var___progname=no
+fi
+rm -f conftest*
+
+fi
+
+
+
+echo "$ac_t""`eval echo \\$ac_cv_var___progname`" 1>&6
+if test `eval echo \\$ac_cv_var___progname` = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE___PROGNAME 1
+EOF
+
+	
+echo $ac_n "checking if __progname is properly declared""... $ac_c" 1>&6
+echo "configure:9179: checking if __progname is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var___progname_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9185 "configure"
+#include "confdefs.h"
+#ifdef HAVE_ERR_H
+#include <err.h>
+#endif
+extern struct { int foo; } __progname;
+int main() {
+__progname.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:9195: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var___progname_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var___progname_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var___progname_declaration" 1>&6
+if eval "test \"\$ac_cv_var___progname_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE___PROGNAME_DECLARATION 1
+EOF
+
+fi
+
+
+fi
+
+
+
+
+echo $ac_n "checking if optarg is properly declared""... $ac_c" 1>&6
+echo "configure:9226: checking if optarg is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_optarg_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9232 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optarg;
+int main() {
+optarg.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:9243: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_optarg_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_optarg_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_optarg_declaration" 1>&6
+if eval "test \"\$ac_cv_var_optarg_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_OPTARG_DECLARATION 1
+EOF
+
+fi
+
+
+
+echo $ac_n "checking if optind is properly declared""... $ac_c" 1>&6
+echo "configure:9270: checking if optind is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_optind_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9276 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optind;
+int main() {
+optind.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:9287: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_optind_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_optind_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_optind_declaration" 1>&6
+if eval "test \"\$ac_cv_var_optind_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_OPTIND_DECLARATION 1
+EOF
+
+fi
+
+
+
+echo $ac_n "checking if opterr is properly declared""... $ac_c" 1>&6
+echo "configure:9314: checking if opterr is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_opterr_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9320 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } opterr;
+int main() {
+opterr.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:9331: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_opterr_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_opterr_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_opterr_declaration" 1>&6
+if eval "test \"\$ac_cv_var_opterr_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_OPTERR_DECLARATION 1
+EOF
+
+fi
+
+
+
+echo $ac_n "checking if optopt is properly declared""... $ac_c" 1>&6
+echo "configure:9358: checking if optopt is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_optopt_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9364 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+extern struct { int foo; } optopt;
+int main() {
+optopt.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:9375: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_optopt_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_optopt_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_optopt_declaration" 1>&6
+if eval "test \"\$ac_cv_var_optopt_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_OPTOPT_DECLARATION 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking if environ is properly declared""... $ac_c" 1>&6
+echo "configure:9403: checking if environ is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_environ_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9409 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+extern struct { int foo; } environ;
+int main() {
+environ.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:9417: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_environ_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_environ_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_environ_declaration" 1>&6
+if eval "test \"\$ac_cv_var_environ_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_ENVIRON_DECLARATION 1
+EOF
+
+fi
+
+
+
+echo $ac_n "checking return type of signal handlers""... $ac_c" 1>&6
+echo "configure:9444: checking return type of signal handlers" >&5
+if eval "test \"`echo '$''{'ac_cv_type_signal'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9449 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <signal.h>
+#ifdef signal
+#undef signal
+#endif
+#ifdef __cplusplus
+extern "C" void (*signal (int, void (*)(int)))(int);
+#else
+void (*signal ()) ();
+#endif
+
+int main() {
+int i;
+; return 0; }
+EOF
+if { (eval echo configure:9466: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_signal=void
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_signal=int
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_signal" 1>&6
+cat >> confdefs.h <<EOF
+#define RETSIGTYPE $ac_cv_type_signal
+EOF
+
+
+if test "$ac_cv_type_signal" = "void" ; then
+	cat >> confdefs.h <<\EOF
+#define VOID_RETSIGTYPE 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking for ut_addr in struct utmp""... $ac_c" 1>&6
+echo "configure:9495: checking for ut_addr in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_addr'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9501 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+ #include <utmp.h>
+int main() {
+struct utmp x; x.ut_addr;
+; return 0; }
+EOF
+if { (eval echo configure:9509: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_addr=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_addr=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_addr" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_addr" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_ADDR 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_host in struct utmp""... $ac_c" 1>&6
+echo "configure:9535: checking for ut_host in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_host'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9541 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+ #include <utmp.h>
+int main() {
+struct utmp x; x.ut_host;
+; return 0; }
+EOF
+if { (eval echo configure:9549: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_host=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_host=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_host" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_host" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_HOST 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_id in struct utmp""... $ac_c" 1>&6
+echo "configure:9575: checking for ut_id in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_id'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9581 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+ #include <utmp.h>
+int main() {
+struct utmp x; x.ut_id;
+; return 0; }
+EOF
+if { (eval echo configure:9589: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_id=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_id=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_id" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_id" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_ID 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_pid in struct utmp""... $ac_c" 1>&6
+echo "configure:9615: checking for ut_pid in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_pid'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9621 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+ #include <utmp.h>
+int main() {
+struct utmp x; x.ut_pid;
+; return 0; }
+EOF
+if { (eval echo configure:9629: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_pid=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_pid=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_pid" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_pid" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_PID 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_type in struct utmp""... $ac_c" 1>&6
+echo "configure:9655: checking for ut_type in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_type'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9661 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+ #include <utmp.h>
+int main() {
+struct utmp x; x.ut_type;
+; return 0; }
+EOF
+if { (eval echo configure:9669: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_type=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_type=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_type" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_type" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_TYPE 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_user in struct utmp""... $ac_c" 1>&6
+echo "configure:9695: checking for ut_user in struct utmp" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmp_ut_user'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9701 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+ #include <utmp.h>
+int main() {
+struct utmp x; x.ut_user;
+; return 0; }
+EOF
+if { (eval echo configure:9709: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_user=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmp_ut_user=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmp_ut_user" 1>&6
+if test "$ac_cv_type_struct_utmp_ut_user" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMP_UT_USER 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_exit in struct utmpx""... $ac_c" 1>&6
+echo "configure:9735: checking for ut_exit in struct utmpx" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmpx_ut_exit'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9741 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+ #include <utmp.h>
+int main() {
+struct utmpx x; x.ut_exit;
+; return 0; }
+EOF
+if { (eval echo configure:9749: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmpx_ut_exit=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmpx_ut_exit=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmpx_ut_exit" 1>&6
+if test "$ac_cv_type_struct_utmpx_ut_exit" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMPX_UT_EXIT 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for ut_syslen in struct utmpx""... $ac_c" 1>&6
+echo "configure:9775: checking for ut_syslen in struct utmpx" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_utmpx_ut_syslen'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9781 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+ #include <utmp.h>
+int main() {
+struct utmpx x; x.ut_syslen;
+; return 0; }
+EOF
+if { (eval echo configure:9789: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_utmpx_ut_syslen=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_utmpx_ut_syslen=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_utmpx_ut_syslen" 1>&6
+if test "$ac_cv_type_struct_utmpx_ut_syslen" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_UTMPX_UT_SYSLEN 1
+EOF
+
+	
+fi
+
+
+
+
+
+
+echo $ac_n "checking for tm_gmtoff in struct tm""... $ac_c" 1>&6
+echo "configure:9817: checking for tm_gmtoff in struct tm" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_tm_tm_gmtoff'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9823 "configure"
+#include "confdefs.h"
+#include <time.h>
+int main() {
+struct tm x; x.tm_gmtoff;
+; return 0; }
+EOF
+if { (eval echo configure:9830: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_tm_tm_gmtoff=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_tm_tm_gmtoff=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_tm_tm_gmtoff" 1>&6
+if test "$ac_cv_type_struct_tm_tm_gmtoff" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_TM_TM_GMTOFF 1
+EOF
+
+	
+fi
+
+
+
+
+echo $ac_n "checking for tm_zone in struct tm""... $ac_c" 1>&6
+echo "configure:9856: checking for tm_zone in struct tm" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_tm_tm_zone'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9862 "configure"
+#include "confdefs.h"
+#include <time.h>
+int main() {
+struct tm x; x.tm_zone;
+; return 0; }
+EOF
+if { (eval echo configure:9869: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_tm_tm_zone=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_tm_tm_zone=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_tm_tm_zone" 1>&6
+if test "$ac_cv_type_struct_tm_tm_zone" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_TM_TM_ZONE 1
+EOF
+
+	
+fi
+
+
+
+
+
+echo $ac_n "checking for timezone""... $ac_c" 1>&6
+echo "configure:9896: checking for timezone" >&5
+if eval "test \"`echo '$''{'ac_cv_var_timezone'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9902 "configure"
+#include "confdefs.h"
+extern int timezone;
+int foo() { return timezone; }
+int main() {
+foo()
+; return 0; }
+EOF
+if { (eval echo configure:9910: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  ac_cv_var_timezone=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_var_timezone=no
+fi
+rm -f conftest*
+
+fi
+
+
+
+echo "$ac_t""`eval echo \\$ac_cv_var_timezone`" 1>&6
+if test `eval echo \\$ac_cv_var_timezone` = yes; then
+	cat >> confdefs.h <<EOF
+#define HAVE_TIMEZONE 1
+EOF
+
+	
+echo $ac_n "checking if timezone is properly declared""... $ac_c" 1>&6
+echo "configure:9933: checking if timezone is properly declared" >&5
+if eval "test \"`echo '$''{'ac_cv_var_timezone_declaration'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 9939 "configure"
+#include "confdefs.h"
+#include <time.h>
+extern struct { int foo; } timezone;
+int main() {
+timezone.foo = 1;
+; return 0; }
+EOF
+if { (eval echo configure:9947: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_var_timezone_declaration=no"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_var_timezone_declaration=yes"
+fi
+rm -f conftest*
+
+fi
+
+
+
+
+echo "$ac_t""$ac_cv_var_timezone_declaration" 1>&6
+if eval "test \"\$ac_cv_var_timezone_declaration\" = yes"; then
+	cat >> confdefs.h <<\EOF
+#define HAVE_TIMEZONE_DECLARATION 1
+EOF
+
+fi
+
+
+fi
+
+
+
+
+cv=`echo "sa_family_t" | sed 'y%./+- %__p__%'`
+echo $ac_n "checking for sa_family_t""... $ac_c" 1>&6
+echo "configure:9979: checking for sa_family_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 9984 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int main() {
+sa_family_t foo;
+; return 0; }
+EOF
+if { (eval echo configure:9996: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest*
+fi
+echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo sa_family_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+
+: << END
+@@@funcs="$funcs sa_family_t"@@@
+END
+
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+
+
+cv=`echo "socklen_t" | sed 'y%./+- %__p__%'`
+echo $ac_n "checking for socklen_t""... $ac_c" 1>&6
+echo "configure:10025: checking for socklen_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10030 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int main() {
+socklen_t foo;
+; return 0; }
+EOF
+if { (eval echo configure:10042: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest*
+fi
+echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo socklen_t | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+
+: << END
+@@@funcs="$funcs socklen_t"@@@
+END
+
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+ 
+
+cv=`echo "struct sockaddr_storage" | sed 'y%./+- %__p__%'`
+echo $ac_n "checking for struct sockaddr_storage""... $ac_c" 1>&6
+echo "configure:10071: checking for struct sockaddr_storage" >&5
+if eval "test \"`echo '$''{'ac_cv_type_$cv'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10076 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+int main() {
+struct sockaddr_storage foo;
+; return 0; }
+EOF
+if { (eval echo configure:10088: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_type_$cv=no"
+fi
+rm -f conftest*
+fi
+echo "$ac_t""`eval echo \\$ac_cv_type_$cv`" 1>&6
+if test `eval echo \\$ac_cv_type_$cv` = yes; then
+  ac_tr_hdr=HAVE_`echo struct sockaddr_storage | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+
+: << END
+@@@funcs="$funcs struct_sockaddr_storage"@@@
+END
+
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+
+fi
+
+
+
+echo $ac_n "checking for struct spwd""... $ac_c" 1>&6
+echo "configure:10116: checking for struct spwd" >&5
+if eval "test \"`echo '$''{'ac_cv_struct_spwd'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10122 "configure"
+#include "confdefs.h"
+#include <pwd.h>
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+int main() {
+struct spwd foo;
+; return 0; }
+EOF
+if { (eval echo configure:10132: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_struct_spwd=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_struct_spwd=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_struct_spwd" 1>&6
+
+if test "$ac_cv_struct_spwd" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_SPWD 1
+EOF
+
+fi
+
+
+echo $ac_n "checking for st_blksize in struct stat""... $ac_c" 1>&6
+echo "configure:10156: checking for st_blksize in struct stat" >&5
+if eval "test \"`echo '$''{'ac_cv_struct_st_blksize'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10161 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+int main() {
+struct stat s; s.st_blksize;
+; return 0; }
+EOF
+if { (eval echo configure:10169: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_struct_st_blksize=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_struct_st_blksize=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_struct_st_blksize" 1>&6
+if test $ac_cv_struct_st_blksize = yes; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_ST_BLKSIZE 1
+EOF
+
+fi
+
+
+
+
+echo $ac_n "checking for struct winsize""... $ac_c" 1>&6
+echo "configure:10193: checking for struct winsize" >&5
+if eval "test \"`echo '$''{'ac_cv_struct_winsize'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+ac_cv_struct_winsize=no
+for i in sys/termios.h sys/ioctl.h; do
+cat > conftest.$ac_ext <<EOF
+#line 10201 "configure"
+#include "confdefs.h"
+#include <$i>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "struct[ 	]*winsize" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_struct_winsize=yes; break
+fi
+rm -f conftest*
+done
+
+fi
+
+if test "$ac_cv_struct_winsize" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_WINSIZE 1
+EOF
+
+fi
+echo "$ac_t""$ac_cv_struct_winsize" 1>&6
+cat > conftest.$ac_ext <<EOF
+#line 10223 "configure"
+#include "confdefs.h"
+#include <termios.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ws_xpixel" >/dev/null 2>&1; then
+  rm -rf conftest*
+  cat >> confdefs.h <<\EOF
+#define HAVE_WS_XPIXEL 1
+EOF
+
+fi
+rm -f conftest*
+
+cat > conftest.$ac_ext <<EOF
+#line 10238 "configure"
+#include "confdefs.h"
+#include <termios.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ws_ypixel" >/dev/null 2>&1; then
+  rm -rf conftest*
+  cat >> confdefs.h <<\EOF
+#define HAVE_WS_YPIXEL 1
+EOF
+
+fi
+rm -f conftest*
+
+
+
+
+echo $ac_n "checking for pid_t""... $ac_c" 1>&6
+echo "configure:10256: checking for pid_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_pid_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10261 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "(^|[^a-zA-Z_0-9])pid_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_pid_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_pid_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_pid_t" 1>&6
+if test $ac_cv_type_pid_t = no; then
+  cat >> confdefs.h <<\EOF
+#define pid_t int
+EOF
+
+fi
+
+echo $ac_n "checking for uid_t in sys/types.h""... $ac_c" 1>&6
+echo "configure:10289: checking for uid_t in sys/types.h" >&5
+if eval "test \"`echo '$''{'ac_cv_type_uid_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10294 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "uid_t" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_uid_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_uid_t=no
+fi
+rm -f conftest*
+
+fi
+
+echo "$ac_t""$ac_cv_type_uid_t" 1>&6
+if test $ac_cv_type_uid_t = no; then
+  cat >> confdefs.h <<\EOF
+#define uid_t int
+EOF
+
+  cat >> confdefs.h <<\EOF
+#define gid_t int
+EOF
+
+fi
+
+echo $ac_n "checking for off_t""... $ac_c" 1>&6
+echo "configure:10323: checking for off_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_off_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10328 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "(^|[^a-zA-Z_0-9])off_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_off_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_off_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_off_t" 1>&6
+if test $ac_cv_type_off_t = no; then
+  cat >> confdefs.h <<\EOF
+#define off_t long
+EOF
+
+fi
+
+echo $ac_n "checking for size_t""... $ac_c" 1>&6
+echo "configure:10356: checking for size_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_size_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10361 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "(^|[^a-zA-Z_0-9])size_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_size_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_size_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_size_t" 1>&6
+if test $ac_cv_type_size_t = no; then
+  cat >> confdefs.h <<\EOF
+#define size_t unsigned
+EOF
+
+fi
+
+
+echo $ac_n "checking for ssize_t""... $ac_c" 1>&6
+echo "configure:10390: checking for ssize_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_ssize_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10395 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "ssize_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_ssize_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_ssize_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_ssize_t" 1>&6
+if test $ac_cv_type_ssize_t = no; then
+  cat >> confdefs.h <<\EOF
+#define ssize_t int
+EOF
+
+fi
+
+
+echo $ac_n "checking for sig_atomic_t""... $ac_c" 1>&6
+echo "configure:10428: checking for sig_atomic_t" >&5
+if eval "test \"`echo '$''{'ac_cv_type_sig_atomic_t'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10433 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <signal.h>
+EOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "sig_atomic_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then
+  rm -rf conftest*
+  ac_cv_type_sig_atomic_t=yes
+else
+  rm -rf conftest*
+  ac_cv_type_sig_atomic_t=no
+fi
+rm -f conftest*
+
+fi
+echo "$ac_t""$ac_cv_type_sig_atomic_t" 1>&6
+if test $ac_cv_type_sig_atomic_t = no; then
+  cat >> confdefs.h <<\EOF
+#define sig_atomic_t int
+EOF
+
+fi
+
+
+
+echo $ac_n "checking for broken sys/socket.h""... $ac_c" 1>&6
+echo "configure:10464: checking for broken sys/socket.h" >&5
+if eval "test \"`echo '$''{'krb_cv_header_sys_socket_h_broken'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10470 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/socket.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:10479: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  krb_cv_header_sys_socket_h_broken=no
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  krb_cv_header_sys_socket_h_broken=yes
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$krb_cv_header_sys_socket_h_broken" 1>&6
+
+
+
+echo $ac_n "checking for broken netdb.h""... $ac_c" 1>&6
+echo "configure:10496: checking for broken netdb.h" >&5
+if eval "test \"`echo '$''{'krb_cv_header_netdb_h_broken'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10502 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <netdb.h>
+#include <netdb.h>
+int main() {
+
+; return 0; }
+EOF
+if { (eval echo configure:10511: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  krb_cv_header_netdb_h_broken=no
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  krb_cv_header_netdb_h_broken=yes
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$krb_cv_header_netdb_h_broken" 1>&6
+
+if test "$krb_cv_header_netdb_h_broken" = "yes"; then
+  EXTRA_HEADERS="$EXTRA_HEADERS netdb.h"
+fi
+
+
+
+
+echo $ac_n "checking for sa_len in struct sockaddr""... $ac_c" 1>&6
+echo "configure:10533: checking for sa_len in struct sockaddr" >&5
+if eval "test \"`echo '$''{'ac_cv_type_struct_sockaddr_sa_len'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10539 "configure"
+#include "confdefs.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+int main() {
+struct sockaddr x; x.sa_len;
+; return 0; }
+EOF
+if { (eval echo configure:10547: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_struct_sockaddr_sa_len=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_struct_sockaddr_sa_len=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_struct_sockaddr_sa_len" 1>&6
+if test "$ac_cv_type_struct_sockaddr_sa_len" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_STRUCT_SOCKADDR_SA_LEN 1
+EOF
+
+	
+fi
+
+
+
+
+if test "$ac_cv_header_siad_h" = yes; then
+
+
+echo $ac_n "checking for ouid in SIAENTITY""... $ac_c" 1>&6
+echo "configure:10576: checking for ouid in SIAENTITY" >&5
+if eval "test \"`echo '$''{'ac_cv_type_siaentity_ouid'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+cat > conftest.$ac_ext <<EOF
+#line 10582 "configure"
+#include "confdefs.h"
+#include <siad.h>
+int main() {
+SIAENTITY x; x.ouid;
+; return 0; }
+EOF
+if { (eval echo configure:10589: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_type_siaentity_ouid=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_type_siaentity_ouid=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_type_siaentity_ouid" 1>&6
+if test "$ac_cv_type_siaentity_ouid" = yes; then
+	
+	cat >> confdefs.h <<\EOF
+#define HAVE_SIAENTITY_OUID 1
+EOF
+
+	
+fi
+
+
+fi
+
+
+echo $ac_n "checking for getmsg""... $ac_c" 1>&6
+echo "configure:10616: checking for getmsg" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getmsg'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10621 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char getmsg(); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char getmsg();
+
+int main() {
+
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_getmsg) || defined (__stub___getmsg)
+choke me
+#else
+getmsg();
+#endif
+
+; return 0; }
+EOF
+if { (eval echo configure:10644: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_func_getmsg=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_func_getmsg=no"
+fi
+rm -f conftest*
+fi
+
+if eval "test \"`echo '$ac_cv_func_'getmsg`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  :
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+
+if test "$ac_cv_func_getmsg" = "yes"; then
+
+echo $ac_n "checking for working getmsg""... $ac_c" 1>&6
+echo "configure:10667: checking for working getmsg" >&5
+if eval "test \"`echo '$''{'ac_cv_func_getmsg_work'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if test "$cross_compiling" = yes; then
+  ac_cv_func_getmsg_work=no
+else
+  cat > conftest.$ac_ext <<EOF
+#line 10675 "configure"
+#include "confdefs.h"
+
+#include <stdio.h>
+#include <errno.h>
+
+int main()
+{
+  int ret;
+  ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL);
+  if(ret < 0 && errno == ENOSYS)
+    return 1;
+  return 0;
+}
+
+EOF
+if { (eval echo configure:10691: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  ac_cv_func_getmsg_work=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  ac_cv_func_getmsg_work=no
+fi
+rm -fr conftest*
+fi
+
+fi
+
+echo "$ac_t""$ac_cv_func_getmsg_work" 1>&6
+test "$ac_cv_func_getmsg_work" = "yes" &&
+cat >> confdefs.h <<\EOF
+#define HAVE_GETMSG 1
+EOF
+
+
+fi
+
+
+
+
+
+
+echo $ac_n "checking for el_init""... $ac_c" 1>&6
+echo "configure:10720: checking for el_init" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_el_init'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_el_init\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" edit; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib $LIB_tgetent $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 10735 "configure"
+#include "confdefs.h"
+
+int main() {
+el_init()
+; return 0; }
+EOF
+if { (eval echo configure:10742: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_el_init=$ac_lib; else ac_cv_funclib_el_init=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_el_init=\${ac_cv_funclib_el_init-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_el_init"
+
+: << END
+@@@funcs="$funcs el_init"@@@
+@@@libs="$libs "" edit"@@@
+END
+
+# el_init
+eval "ac_tr_func=HAVE_`echo el_init | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_el_init=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_el_init=yes"
+	eval "LIB_el_init="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_el_init=no"
+	eval "LIB_el_init="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_el_init=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+if test "$ac_cv_func_el_init" = yes ; then
+	echo $ac_n "checking for four argument el_init""... $ac_c" 1>&6
+echo "configure:10803: checking for four argument el_init" >&5
+if eval "test \"`echo '$''{'ac_cv_func_el_init_four'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+		cat > conftest.$ac_ext <<EOF
+#line 10809 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+			#include <histedit.h>
+int main() {
+el_init("", NULL, NULL, NULL);
+; return 0; }
+EOF
+if { (eval echo configure:10817: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  ac_cv_func_el_init_four=yes
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  ac_cv_func_el_init_four=no
+fi
+rm -f conftest*
+fi
+
+echo "$ac_t""$ac_cv_func_el_init_four" 1>&6
+	if test "$ac_cv_func_el_init_four" = yes; then
+		cat >> confdefs.h <<\EOF
+#define HAVE_FOUR_VALUED_EL_INIT 1
+EOF
+
+	fi
+fi
+
+
+save_LIBS="$LIBS"
+LIBS="$LIB_tgetent $LIBS"
+
+
+
+echo $ac_n "checking for readline""... $ac_c" 1>&6
+echo "configure:10845: checking for readline" >&5
+if eval "test \"`echo '$''{'ac_cv_funclib_readline'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+if eval "test \"\$ac_cv_func_readline\" != yes" ; then
+	ac_save_LIBS="$LIBS"
+	for ac_lib in "" edit readline; do
+		if test -n "$ac_lib"; then 
+			ac_lib="-l$ac_lib"
+		else
+			ac_lib=""
+		fi
+		LIBS=" $ac_lib  $ac_save_LIBS"
+		cat > conftest.$ac_ext <<EOF
+#line 10860 "configure"
+#include "confdefs.h"
+
+int main() {
+readline()
+; return 0; }
+EOF
+if { (eval echo configure:10867: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "if test -n \"$ac_lib\";then ac_cv_funclib_readline=$ac_lib; else ac_cv_funclib_readline=yes; fi";break
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+fi
+rm -f conftest*
+	done
+	eval "ac_cv_funclib_readline=\${ac_cv_funclib_readline-no}"
+	LIBS="$ac_save_LIBS"
+fi
+
+fi
+
+
+eval "ac_res=\$ac_cv_funclib_readline"
+
+: << END
+@@@funcs="$funcs readline"@@@
+@@@libs="$libs "" edit readline"@@@
+END
+
+# readline
+eval "ac_tr_func=HAVE_`echo readline | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "ac_tr_lib=HAVE_LIB`echo $ac_res | sed -e 's/-l//' | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`"
+eval "LIB_readline=$ac_res"
+
+case "$ac_res" in
+	yes)
+	eval "ac_cv_func_readline=yes"
+	eval "LIB_readline="
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	echo "$ac_t""yes" 1>&6
+	;;
+	no)
+	eval "ac_cv_func_readline=no"
+	eval "LIB_readline="
+	echo "$ac_t""no" 1>&6
+	;;
+	*)
+	eval "ac_cv_func_readline=yes"
+	eval "ac_cv_lib_`echo "$ac_res" | sed 's/-l//'`=yes"
+	cat >> confdefs.h <<EOF
+#define $ac_tr_func 1
+EOF
+
+	cat >> confdefs.h <<EOF
+#define $ac_tr_lib 1
+EOF
+
+	echo "$ac_t""yes, in $ac_res" 1>&6
+	;;
+esac
+
+
+LIBS="$save_LIBS"
+el_yes="# "
+if test "$with_readline" -a "$with_readline" != "no"; then
+	:
+elif test "$ac_cv_func_readline" = yes; then
+	INCLUDE_readline=
+elif test "$ac_cv_func_el_init" = yes; then
+	el_yes=
+	LIB_readline="-L\$(top_builddir)/lib/editline -lel_compat $LIB_el_init"
+	INCLUDE_readline='-I$(top_srcdir)/lib/editline'
+else
+	LIB_readline='-L$(top_builddir)/lib/editline -leditline'
+	INCLUDE_readline='-I$(top_srcdir)/lib/editline'
+fi
+LIB_readline="$LIB_readline \$(LIB_tgetent)"
+cat >> confdefs.h <<\EOF
+#define HAVE_READLINE 1
+EOF
+
+
+
+
+
+cat >> confdefs.h <<\EOF
+#define AUTHENTICATION 1
+EOF
+cat >> confdefs.h <<\EOF
+#define KRB4 1
+EOF
+cat >> confdefs.h <<\EOF
+#define ENCRYPTION 1
+EOF
+cat >> confdefs.h <<\EOF
+#define DES_ENCRYPTION 1
+EOF
+cat >> confdefs.h <<\EOF
+#define DIAGNOSTICS 1
+EOF
+cat >> confdefs.h <<\EOF
+#define OLD_ENVIRON 1
+EOF
+
+# Simple test for streamspty, based on the existance of getmsg(), alas
+# this breaks on SunOS4 which have streams but BSD-like ptys
+#
+# And also something wierd has happend with dec-osf1, fallback to bsd-ptys
+
+echo $ac_n "checking for streamspty""... $ac_c" 1>&6
+echo "configure:10974: checking for streamspty" >&5
+case "`uname -sr`" in
+SunOS\ 4*|OSF1*|IRIX\ 4*|HP-UX\ ?.1[01].*)
+	krb_cv_sys_streamspty=no
+	;;
+AIX*)
+	os_rel=`uname -v`.`uname -r`
+	if expr "$os_rel" : "3*" >/dev/null 2>&1; then
+		krb_cv_sys_streamspty=no
+	else
+		krb_cv_sys_streamspty="$ac_cv_func_getmsg_work"
+	fi
+	;;
+*)
+	krb_cv_sys_streamspty="$ac_cv_func_getmsg_work"
+	;;
+esac
+if test "$krb_cv_sys_streamspty" = yes; then
+	cat >> confdefs.h <<\EOF
+#define STREAMSPTY 1
+EOF
+
+fi
+echo "$ac_t""$krb_cv_sys_streamspty" 1>&6
+
+echo $ac_n "checking if /bin/ls takes -A""... $ac_c" 1>&6
+echo "configure:11000: checking if /bin/ls takes -A" >&5
+if /bin/ls -A > /dev/null 2>&1 ;then
+	cat >> confdefs.h <<\EOF
+#define HAVE_LS_A 1
+EOF
+
+	krb_ls_a=yes
+else
+	krb_ls_a=no
+fi
+echo "$ac_t""$krb_ls_a" 1>&6
+	
+echo $ac_n "checking for suffix of preformatted manual pages""... $ac_c" 1>&6
+echo "configure:11013: checking for suffix of preformatted manual pages" >&5
+if eval "test \"`echo '$''{'krb_cv_sys_cat_suffix'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  if grep _version /etc/man.conf > /dev/null 2>&1; then
+	krb_cv_sys_cat_suffix=0
+else
+	krb_cv_sys_cat_suffix=number
+fi
+fi
+
+echo "$ac_t""$krb_cv_sys_cat_suffix" 1>&6
+if test "$krb_cv_sys_cat_suffix" = number; then
+		CATSUFFIX='$$s'
+else
+		CATSUFFIX=0
+fi
+
+
+
+KRB_KAFS_LIB="-L\$(top_builddir)/lib/kafs -lkafs $AIX_EXTRA_KAFS"
+
+
+
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+for i in bin lib libexec sbin; do
+	i=${i}dir
+	foo=`echo $i | tr 'xindiscernible' 'XINDISCERNIBLE'`
+	x="\$${i}"
+	eval y="$x"
+	while test "x$y" != "x$x"; do
+		x="$y"
+		eval y="$x"
+	done
+	cat >> confdefs.h <<EOF
+#define $foo "$x"
+EOF
+
+done
+
+trap '' 1 2 15
+cat > confcache <<\EOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs.  It is not useful on other systems.
+# If it contains results you don't want to keep, you may remove or edit it.
+#
+# By default, configure uses ./config.cache as the cache file,
+# creating it if it does not exist already.  You can give configure
+# the --cache-file=FILE option to use a different cache file; that is
+# what configure does when it calls configure scripts in
+# subdirectories, so they share the cache.
+# Giving --cache-file=/dev/null disables caching, for debugging configure.
+# config.status only pays attention to the cache file if you give it the
+# --recheck option to rerun configure.
+#
+EOF
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(set) 2>&1 |
+  case `(ac_space=' '; set | grep ac_space) 2>&1` in
+  *ac_space=\ *)
+    # `set' does not quote correctly, so add quotes (double-quote substitution
+    # turns \\\\ into \\, and sed turns \\ into \).
+    sed -n \
+      -e "s/'/'\\\\''/g" \
+      -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p"
+    ;;
+  *)
+    # `set' quotes correctly as required by POSIX, so do not add quotes.
+    sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p'
+    ;;
+  esac >> confcache
+if cmp -s $cache_file confcache; then
+  :
+else
+  if test -w $cache_file; then
+    echo "updating cache $cache_file"
+    cat confcache > $cache_file
+  else
+    echo "not updating unwritable cache $cache_file"
+  fi
+fi
+rm -f confcache
+
+trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+# Any assignment to VPATH causes Sun make to only execute
+# the first set of double-colon rules, so remove it if not needed.
+# If there is a colon in the path, we need to keep it.
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[ 	]*VPATH[ 	]*=[^:]*$/d'
+fi
+
+trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15
+
+DEFS=-DHAVE_CONFIG_H
+
+# Without the "./", some shells look in PATH for config.status.
+: ${CONFIG_STATUS=./config.status}
+
+echo creating $CONFIG_STATUS
+rm -f $CONFIG_STATUS
+cat > $CONFIG_STATUS <<EOF
+#! /bin/sh
+# Generated automatically by configure.
+# Run this file to recreate the current configuration.
+# This directory was configured as follows,
+# on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+#
+# $0 $ac_configure_args
+#
+# Compiler output produced by configure, useful for debugging
+# configure, is in ./config.log if it exists.
+
+ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]"
+for ac_option
+do
+  case "\$ac_option" in
+  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+    echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion"
+    exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;;
+  -version | --version | --versio | --versi | --vers | --ver | --ve | --v)
+    echo "$CONFIG_STATUS generated by autoconf version 2.13"
+    exit 0 ;;
+  -help | --help | --hel | --he | --h)
+    echo "\$ac_cs_usage"; exit 0 ;;
+  *) echo "\$ac_cs_usage"; exit 1 ;;
+  esac
+done
+
+ac_given_srcdir=$srcdir
+ac_given_INSTALL="$INSTALL"
+
+trap 'rm -fr `echo "\
+Makefile 					\
+include/Makefile				\
+include/sys/Makefile				\
+						\
+man/Makefile					\
+						\
+lib/Makefile					\
+lib/com_err/Makefile				\
+lib/des/Makefile				\
+lib/krb/Makefile				\
+lib/kdb/Makefile				\
+lib/kadm/Makefile				\
+lib/acl/Makefile				\
+lib/kafs/Makefile				\
+lib/roken/Makefile				\
+lib/otp/Makefile				\
+lib/sl/Makefile					\
+lib/editline/Makefile				\
+lib/rxkad/Makefile				\
+lib/auth/Makefile				\
+lib/auth/pam/Makefile				\
+lib/auth/sia/Makefile				\
+lib/auth/afskauthlib/Makefile			\
+						\
+kuser/Makefile					\
+server/Makefile					\
+slave/Makefile					\
+admin/Makefile					\
+kadmin/Makefile					\
+						\
+appl/Makefile					\
+						\
+appl/afsutil/Makefile 				\
+appl/ftp/Makefile				\
+appl/ftp/common/Makefile			\
+appl/ftp/ftp/Makefile				\
+appl/ftp/ftpd/Makefile				\
+appl/telnet/Makefile				\
+appl/telnet/libtelnet/Makefile			\
+appl/telnet/telnet/Makefile			\
+appl/telnet/telnetd/Makefile			\
+appl/bsd/Makefile 				\
+appl/kauth/Makefile				\
+appl/popper/Makefile				\
+appl/movemail/Makefile				\
+appl/push/Makefile				\
+appl/sample/Makefile				\
+appl/xnlock/Makefile				\
+appl/kx/Makefile				\
+appl/kip/Makefile				\
+appl/otp/Makefile				\
+doc/Makefile					\
+etc/inetd.conf.changes				\
+ include/config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15
+EOF
+cat >> $CONFIG_STATUS <<EOF
+
+# Protect against being on the right side of a sed subst in config.status.
+sed 's/%@/@@/; s/@%/@@/; s/%g\$/@g/; /@g\$/s/[\\\\&%]/\\\\&/g;
+ s/@@/%@/; s/@@/@%/; s/@g\$/%g/' > conftest.subs <<\\CEOF
+$ac_vpsub
+$extrasub
+s%@SHELL@%$SHELL%g
+s%@CFLAGS@%$CFLAGS%g
+s%@CPPFLAGS@%$CPPFLAGS%g
+s%@CXXFLAGS@%$CXXFLAGS%g
+s%@FFLAGS@%$FFLAGS%g
+s%@DEFS@%$DEFS%g
+s%@LDFLAGS@%$LDFLAGS%g
+s%@LIBS@%$LIBS%g
+s%@exec_prefix@%$exec_prefix%g
+s%@prefix@%$prefix%g
+s%@program_transform_name@%$program_transform_name%g
+s%@bindir@%$bindir%g
+s%@sbindir@%$sbindir%g
+s%@libexecdir@%$libexecdir%g
+s%@datadir@%$datadir%g
+s%@sysconfdir@%$sysconfdir%g
+s%@sharedstatedir@%$sharedstatedir%g
+s%@localstatedir@%$localstatedir%g
+s%@libdir@%$libdir%g
+s%@includedir@%$includedir%g
+s%@oldincludedir@%$oldincludedir%g
+s%@infodir@%$infodir%g
+s%@mandir@%$mandir%g
+s%@PACKAGE@%$PACKAGE%g
+s%@VERSION@%$VERSION%g
+s%@host@%$host%g
+s%@host_alias@%$host_alias%g
+s%@host_cpu@%$host_cpu%g
+s%@host_vendor@%$host_vendor%g
+s%@host_os@%$host_os%g
+s%@CANONICAL_HOST@%$CANONICAL_HOST%g
+s%@SET_MAKE@%$SET_MAKE%g
+s%@LN_S@%$LN_S%g
+s%@CC@%$CC%g
+s%@CPP@%$CPP%g
+s%@YACC@%$YACC%g
+s%@LEX@%$LEX%g
+s%@LEXLIB@%$LEXLIB%g
+s%@RANLIB@%$RANLIB%g
+s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g
+s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g
+s%@INSTALL_DATA@%$INSTALL_DATA%g
+s%@AWK@%$AWK%g
+s%@MAKEINFO@%$MAKEINFO%g
+s%@WFLAGS@%$WFLAGS%g
+s%@WFLAGS_NOUNUSED@%$WFLAGS_NOUNUSED%g
+s%@WFLAGS_NOIMPLICITINT@%$WFLAGS_NOIMPLICITINT%g
+s%@INCLUDE_socks@%$INCLUDE_socks%g
+s%@LIB_socks@%$LIB_socks%g
+s%@CRACKLIB@%$CRACKLIB%g
+s%@LIB_otp@%$LIB_otp%g
+s%@OTP_dir@%$OTP_dir%g
+s%@LIB_security@%$LIB_security%g
+s%@AFSWS@%$AFSWS%g
+s%@LIB_SUBDIRS@%$LIB_SUBDIRS%g
+s%@disable_cat_manpages@%$disable_cat_manpages%g
+s%@INCLUDE_readline@%$INCLUDE_readline%g
+s%@LIB_readline@%$LIB_readline%g
+s%@INCLUDE_hesiod@%$INCLUDE_hesiod%g
+s%@LIB_hesiod@%$LIB_hesiod%g
+s%@LINK@%$LINK%g
+s%@lib_deps_yes@%$lib_deps_yes%g
+s%@lib_deps_no@%$lib_deps_no%g
+s%@REAL_PICFLAGS@%$REAL_PICFLAGS%g
+s%@REAL_SHLIBEXT@%$REAL_SHLIBEXT%g
+s%@REAL_LD_FLAGS@%$REAL_LD_FLAGS%g
+s%@PICFLAGS@%$PICFLAGS%g
+s%@SHLIBEXT@%$SHLIBEXT%g
+s%@LDSHARED@%$LDSHARED%g
+s%@LD_FLAGS@%$LD_FLAGS%g
+s%@LIBEXT@%$LIBEXT%g
+s%@LIBPREFIX@%$LIBPREFIX%g
+s%@EXECSUFFIX@%$EXECSUFFIX%g
+s%@build_symlink_command@%$build_symlink_command%g
+s%@install_symlink_command@%$install_symlink_command%g
+s%@install_symlink_command2@%$install_symlink_command2%g
+s%@LIB_dlopen@%$LIB_dlopen%g
+s%@AFS_EXTRA_OBJS@%$AFS_EXTRA_OBJS%g
+s%@AFS_EXTRA_LIBS@%$AFS_EXTRA_LIBS%g
+s%@AFS_EXTRA_LD@%$AFS_EXTRA_LD%g
+s%@AFS_EXTRA_DEFS@%$AFS_EXTRA_DEFS%g
+s%@AIX_EXTRA_KAFS@%$AIX_EXTRA_KAFS%g
+s%@EXTRA_HEADERS@%$EXTRA_HEADERS%g
+s%@EXTRA_LOCL_HEADERS@%$EXTRA_LOCL_HEADERS%g
+s%@LIB_crypt@%$LIB_crypt%g
+s%@LIB_socket@%$LIB_socket%g
+s%@LIB_gethostbyname@%$LIB_gethostbyname%g
+s%@LIB_odm_initialize@%$LIB_odm_initialize%g
+s%@LIB_getattr@%$LIB_getattr%g
+s%@LIB_setpcred@%$LIB_setpcred%g
+s%@LIB_logwtmp@%$LIB_logwtmp%g
+s%@LIB_logout@%$LIB_logout%g
+s%@LIB_tgetent@%$LIB_tgetent%g
+s%@X_CFLAGS@%$X_CFLAGS%g
+s%@X_PRE_LIBS@%$X_PRE_LIBS%g
+s%@X_LIBS@%$X_LIBS%g
+s%@X_EXTRA_LIBS@%$X_EXTRA_LIBS%g
+s%@MAKE_X_PROGS_BIN@%$MAKE_X_PROGS_BIN%g
+s%@MAKE_X_SCRIPTS_BIN@%$MAKE_X_SCRIPTS_BIN%g
+s%@MAKE_X_PROGS_LIBEXEC@%$MAKE_X_PROGS_LIBEXEC%g
+s%@LIB_XauWriteAuth@%$LIB_XauWriteAuth%g
+s%@LIB_XauReadAuth@%$LIB_XauReadAuth%g
+s%@LIB_XauFileName@%$LIB_XauFileName%g
+s%@NEED_WRITEAUTH_TRUE@%$NEED_WRITEAUTH_TRUE%g
+s%@NEED_WRITEAUTH_FALSE@%$NEED_WRITEAUTH_FALSE%g
+s%@LIB_DBM@%$LIB_DBM%g
+s%@DBLIB@%$DBLIB%g
+s%@LIB_syslog@%$LIB_syslog%g
+s%@LIB_getpwnam_r@%$LIB_getpwnam_r%g
+s%@LIB_getsockopt@%$LIB_getsockopt%g
+s%@LIB_setsockopt@%$LIB_setsockopt%g
+s%@LIB_res_search@%$LIB_res_search%g
+s%@LIB_dn_expand@%$LIB_dn_expand%g
+s%@ALLOCA@%$ALLOCA%g
+s%@LIB_hstrerror@%$LIB_hstrerror%g
+s%@LIBOBJS@%$LIBOBJS%g
+s%@LIB_AUTH_SUBDIRS@%$LIB_AUTH_SUBDIRS%g
+s%@krb_cv_header_sys_socket_h_broken@%$krb_cv_header_sys_socket_h_broken%g
+s%@krb_cv_header_netdb_h_broken@%$krb_cv_header_netdb_h_broken%g
+s%@LIB_el_init@%$LIB_el_init%g
+s%@el_yes@%$el_yes%g
+s%@CATSUFFIX@%$CATSUFFIX%g
+s%@KRB_KAFS_LIB@%$KRB_KAFS_LIB%g
+
+CEOF
+EOF
+
+cat >> $CONFIG_STATUS <<\EOF
+
+# Split the substitutions into bite-sized pieces for seds with
+# small command number limits, like on Digital OSF/1 and HP-UX.
+ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script.
+ac_file=1 # Number of current file.
+ac_beg=1 # First line for current file.
+ac_end=$ac_max_sed_cmds # Line after last line for current file.
+ac_more_lines=:
+ac_sed_cmds=""
+while $ac_more_lines; do
+  if test $ac_beg -gt 1; then
+    sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file
+  else
+    sed "${ac_end}q" conftest.subs > conftest.s$ac_file
+  fi
+  if test ! -s conftest.s$ac_file; then
+    ac_more_lines=false
+    rm -f conftest.s$ac_file
+  else
+    if test -z "$ac_sed_cmds"; then
+      ac_sed_cmds="sed -f conftest.s$ac_file"
+    else
+      ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file"
+    fi
+    ac_file=`expr $ac_file + 1`
+    ac_beg=$ac_end
+    ac_end=`expr $ac_end + $ac_max_sed_cmds`
+  fi
+done
+if test -z "$ac_sed_cmds"; then
+  ac_sed_cmds=cat
+fi
+EOF
+
+cat >> $CONFIG_STATUS <<EOF
+
+CONFIG_FILES=\${CONFIG_FILES-"\
+Makefile 					\
+include/Makefile				\
+include/sys/Makefile				\
+						\
+man/Makefile					\
+						\
+lib/Makefile					\
+lib/com_err/Makefile				\
+lib/des/Makefile				\
+lib/krb/Makefile				\
+lib/kdb/Makefile				\
+lib/kadm/Makefile				\
+lib/acl/Makefile				\
+lib/kafs/Makefile				\
+lib/roken/Makefile				\
+lib/otp/Makefile				\
+lib/sl/Makefile					\
+lib/editline/Makefile				\
+lib/rxkad/Makefile				\
+lib/auth/Makefile				\
+lib/auth/pam/Makefile				\
+lib/auth/sia/Makefile				\
+lib/auth/afskauthlib/Makefile			\
+						\
+kuser/Makefile					\
+server/Makefile					\
+slave/Makefile					\
+admin/Makefile					\
+kadmin/Makefile					\
+						\
+appl/Makefile					\
+						\
+appl/afsutil/Makefile 				\
+appl/ftp/Makefile				\
+appl/ftp/common/Makefile			\
+appl/ftp/ftp/Makefile				\
+appl/ftp/ftpd/Makefile				\
+appl/telnet/Makefile				\
+appl/telnet/libtelnet/Makefile			\
+appl/telnet/telnet/Makefile			\
+appl/telnet/telnetd/Makefile			\
+appl/bsd/Makefile 				\
+appl/kauth/Makefile				\
+appl/popper/Makefile				\
+appl/movemail/Makefile				\
+appl/push/Makefile				\
+appl/sample/Makefile				\
+appl/xnlock/Makefile				\
+appl/kx/Makefile				\
+appl/kip/Makefile				\
+appl/otp/Makefile				\
+doc/Makefile					\
+etc/inetd.conf.changes				\
+"}
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case "$ac_file" in
+  *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
+       ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
+  *) ac_file_in="${ac_file}.in" ;;
+  esac
+
+  # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories.
+
+  # Remove last slash and all that follows it.  Not all systems have dirname.
+  ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
+  if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
+    # The file is in a subdirectory.
+    test ! -d "$ac_dir" && mkdir "$ac_dir"
+    ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`"
+    # A "../" for each directory in $ac_dir_suffix.
+    ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'`
+  else
+    ac_dir_suffix= ac_dots=
+  fi
+
+  case "$ac_given_srcdir" in
+  .)  srcdir=.
+      if test -z "$ac_dots"; then top_srcdir=.
+      else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;;
+  /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;;
+  *) # Relative path.
+    srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix"
+    top_srcdir="$ac_dots$ac_given_srcdir" ;;
+  esac
+
+  case "$ac_given_INSTALL" in
+  [/$]*) INSTALL="$ac_given_INSTALL" ;;
+  *) INSTALL="$ac_dots$ac_given_INSTALL" ;;
+  esac
+
+  echo creating "$ac_file"
+  rm -f "$ac_file"
+  configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure."
+  case "$ac_file" in
+  *Makefile*) ac_comsub="1i\\
+# $configure_input" ;;
+  *) ac_comsub= ;;
+  esac
+
+  ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
+  sed -e "$ac_comsub
+s%@configure_input@%$configure_input%g
+s%@srcdir@%$srcdir%g
+s%@top_srcdir@%$top_srcdir%g
+s%@INSTALL@%$INSTALL%g
+" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file
+fi; done
+rm -f conftest.s*
+
+# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
+# NAME is the cpp macro being defined and VALUE is the value it is being given.
+#
+# ac_d sets the value in "#define NAME VALUE" lines.
+ac_dA='s%^\([ 	]*\)#\([ 	]*define[ 	][ 	]*\)'
+ac_dB='\([ 	][ 	]*\)[^ 	]*%\1#\2'
+ac_dC='\3'
+ac_dD='%g'
+# ac_u turns "#undef NAME" with trailing blanks into "#define NAME VALUE".
+ac_uA='s%^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
+ac_uB='\([ 	]\)%\1#\2define\3'
+ac_uC=' '
+ac_uD='\4%g'
+# ac_e turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
+ac_eA='s%^\([ 	]*\)#\([ 	]*\)undef\([ 	][ 	]*\)'
+ac_eB='$%\1#\2define\3'
+ac_eC=' '
+ac_eD='%g'
+
+if test "${CONFIG_HEADERS+set}" != set; then
+EOF
+cat >> $CONFIG_STATUS <<EOF
+  CONFIG_HEADERS="include/config.h"
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+fi
+for ac_file in .. $CONFIG_HEADERS; do if test "x$ac_file" != x..; then
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case "$ac_file" in
+  *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'`
+       ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;;
+  *) ac_file_in="${ac_file}.in" ;;
+  esac
+
+  echo creating $ac_file
+
+  rm -f conftest.frag conftest.in conftest.out
+  ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"`
+  cat $ac_file_inputs > conftest.in
+
+EOF
+
+# Transform confdefs.h into a sed script conftest.vals that substitutes
+# the proper values into config.h.in to produce config.h.  And first:
+# Protect against being on the right side of a sed subst in config.status.
+# Protect against being in an unquoted here document in config.status.
+rm -f conftest.vals
+cat > conftest.hdr <<\EOF
+s/[\\&%]/\\&/g
+s%[\\$`]%\\&%g
+s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD}%gp
+s%ac_d%ac_u%gp
+s%ac_u%ac_e%gp
+EOF
+sed -n -f conftest.hdr confdefs.h > conftest.vals
+rm -f conftest.hdr
+
+# This sed command replaces #undef with comments.  This is necessary, for
+# example, in the case of _POSIX_SOURCE, which is predefined and required
+# on some systems where configure will not decide to define it.
+cat >> conftest.vals <<\EOF
+s%^[ 	]*#[ 	]*undef[ 	][ 	]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */%
+EOF
+
+# Break up conftest.vals because some shells have a limit on
+# the size of here documents, and old seds have small limits too.
+
+rm -f conftest.tail
+while :
+do
+  ac_lines=`grep -c . conftest.vals`
+  # grep -c gives empty output for an empty file on some AIX systems.
+  if test -z "$ac_lines" || test "$ac_lines" -eq 0; then break; fi
+  # Write a limited-size here document to conftest.frag.
+  echo '  cat > conftest.frag <<CEOF' >> $CONFIG_STATUS
+  sed ${ac_max_here_lines}q conftest.vals >> $CONFIG_STATUS
+  echo 'CEOF
+  sed -f conftest.frag conftest.in > conftest.out
+  rm -f conftest.in
+  mv conftest.out conftest.in
+' >> $CONFIG_STATUS
+  sed 1,${ac_max_here_lines}d conftest.vals > conftest.tail
+  rm -f conftest.vals
+  mv conftest.tail conftest.vals
+done
+rm -f conftest.vals
+
+cat >> $CONFIG_STATUS <<\EOF
+  rm -f conftest.frag conftest.h
+  echo "/* $ac_file.  Generated automatically by configure.  */" > conftest.h
+  cat conftest.in >> conftest.h
+  rm -f conftest.in
+  if cmp -s $ac_file conftest.h 2>/dev/null; then
+    echo "$ac_file is unchanged"
+    rm -f conftest.h
+  else
+    # Remove last slash and all that follows it.  Not all systems have dirname.
+      ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'`
+      if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
+      # The file is in a subdirectory.
+      test ! -d "$ac_dir" && mkdir "$ac_dir"
+    fi
+    rm -f $ac_file
+    mv conftest.h $ac_file
+  fi
+fi; done
+
+EOF
+cat >> $CONFIG_STATUS <<EOF
+
+EOF
+cat >> $CONFIG_STATUS <<\EOF
+
+exit 0
+EOF
+chmod +x $CONFIG_STATUS
+rm -fr confdefs* $ac_clean_files
+test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1
+ 
+
+cat > include/newversion.h.in <<FOOBAR
+char *${PACKAGE}_long_version = "@(#)\$Version: $PACKAGE-$VERSION by @USER@ on @HOST@ ($host) @DATE@ \$";
+char *${PACKAGE}_version = "$PACKAGE-$VERSION";
+FOOBAR
+
+if test -f include/version.h && cmp -s include/newversion.h.in include/version.h.in; then
+	echo "include/version.h is unchanged"
+	rm -f include/newversion.h.in
+else
+ 	echo "creating include/version.h"
+ 	User=${USER-${LOGNAME}}
+ 	Host=`(hostname || uname -n) 2>/dev/null | sed 1q`
+ 	Date=`date`
+	mv -f include/newversion.h.in include/version.h.in
+	sed -e "s/@USER@/$User/" -e "s/@HOST@/$Host/" -e "s/@DATE@/$Date/" include/version.h.in > include/version.h
+fi
+
diff --git a/crypto/kerberosIV/configure.in b/crypto/kerberosIV/configure.in
new file mode 100644
index 0000000..ed1bfa4
--- /dev/null
+++ b/crypto/kerberosIV/configure.in
@@ -0,0 +1,1286 @@
+dnl
+dnl *** PLEASE NOTE ***
+dnl *** PLEASE NOTE ***
+dnl *** PLEASE NOTE ***
+dnl
+dnl Update $VERSION before making a new release
+dnl
+
+dnl Process this file with autoconf to produce a configure script.
+dnl
+AC_REVISION($Revision: 1.432.2.14 $)
+AC_INIT(lib/krb/getrealm.c)
+AC_CONFIG_HEADER(include/config.h)
+
+dnl
+dnl definitions
+dnl
+
+PACKAGE=krb4
+AC_SUBST(PACKAGE)dnl
+VERSION=1.0.5
+AC_SUBST(VERSION)dnl
+AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])dnl
+AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])dnl
+
+# This may be overridden using --prefix=/usr to configure
+AC_PREFIX_DEFAULT(/usr/athena)
+
+AC_CANONICAL_HOST
+CANONICAL_HOST=$host
+AC_SUBST(CANONICAL_HOST)
+
+dnl OS specific defines
+
+sunos=no
+case "$host" in 
+*-*-sunos4*)
+	sunos=40
+	;;
+*-*-solaris2.7)
+	sunos=57
+	;;
+*-*-solaris2.8)
+	sunos=58
+	;;
+*-*-solaris2*)
+	sunos=50
+	;;
+esac
+if test "$sunos" != no; then
+	AC_DEFINE_UNQUOTED(SunOS, $sunos, 
+		[Define to what version of SunOS you are running.])
+fi
+
+AC_PROG_MAKE_SET
+AC_ARG_PROGRAM
+
+# We want these before the checks, so the checks can modify their values.
+test -z "$LDFLAGS" && LDFLAGS=-g
+
+dnl
+dnl check for programs
+dnl
+
+AC_KRB_PROG_LN_S
+AC_PROG_CC
+AC_PROG_CPP
+AC_ISC_POSIX
+AC_KRB_PROG_YACC
+AC_PROG_LEX
+AC_PROG_RANLIB
+AC_PROG_INSTALL
+AC_PROG_AWK
+AC_CHECK_PROG(MAKEINFO, makeinfo, makeinfo, :)
+
+dnl Use make Wall or make WFLAGS=".."
+WFLAGS=""
+WFLAGS_NOUNUSED=""
+WFLAGS_NOIMPLICITINT=""
+AC_SUBST(WFLAGS) dnl
+AC_SUBST(WFLAGS_NOUNUSED) dnl
+AC_SUBST(WFLAGS_NOIMPLICITINT) dnl
+
+dnl
+dnl check for build options
+dnl
+
+AC_TEST_PACKAGE_NEW(socks,[#include <socks.h>],-lsocks5)
+CFLAGS="$INCLUDE_socks $CFLAGS"
+LIBS="$LIB_socks $LIBS"
+
+AC_ARG_ENABLE(legacy-kdestroy,
+[  --enable-legacy-kdestroy    kdestroy doesn't destroy tokens by default],[
+if test "$enableval" = "yes"; then
+	AC_DEFINE(LEGACY_KDESTROY,1, [Define to enable old kdestroy behavior.])
+fi
+])
+
+AC_ARG_ENABLE(match-subdomains,
+[  --enable-match-subdomains	match realm in subdomains],
+[if test "$enableval" = "yes"; then
+	AC_DEFINE(MATCH_SUBDOMAINS,1, [Define if you want to match subdomains.])
+fi
+])
+
+AC_ARG_WITH(ld-flags,
+[  --with-ld-flags=flags   what flags use when linking])
+
+AC_ARG_WITH(cracklib,
+[  --with-cracklib=dir     use the cracklib.a in dir],
+)
+
+AC_ARG_WITH(dictpath,
+[  --with-dictpath=path    use this dictionary with cracklib]
+)
+
+(test -z "$with_cracklib" && test -n "$with_dictpath") ||
+(test -n "$with_cracklib" && test -z "$with_dictpath") &&
+AC_MSG_ERROR(--with-cracklib requires --with-dictpath and vice versa)
+test -n "$with_cracklib" &&
+CRACKLIB="-L$with_cracklib -lcrack" &&
+AC_MSG_RESULT(Using cracklib in $with_cracklib)
+AC_SUBST(CRACKLIB)dnl
+test -n "$with_dictpath" &&
+AC_MSG_RESULT(Using dictpath=$with_dictpath) &&
+AC_DEFINE_UNQUOTED(DICTPATH,"$with_dictpath", [Define this to be the directory where the 
+	dictionary for cracklib resides.])
+
+AC_ARG_WITH(mailspool,
+[  --with-mailspool=dir    this is the mail spool directory]
+)
+
+test -n "$with_mailspool" &&
+AC_DEFINE_UNQUOTED(KRB4_MAILDIR, "$with_mailspool", [Define this to the path of the mail spool directory.])
+
+AC_ARG_WITH(db-dir,
+[  --with-db-dir=dir	   this is the database directory (default /var/kerberos)])
+
+test -n "$with_db_dir" &&
+AC_DEFINE_UNQUOTED(DB_DIR, "$with_db_dir", [Define this to the kerberos database directory.])
+
+AC_ARG_ENABLE(random-mkey,
+[  --enable-random-mkey    use new code for master keys],[
+if test "$enableval" = "yes"; then
+	AC_DEFINE(RANDOM_MKEY,1, [Define to enable new master key code.])
+fi
+])
+
+AC_ARG_WITH(mkey,
+[  --with-mkey=file        where to put the master key],[
+if test -n "$withval"; then
+	AC_DEFINE_UNQUOTED(MKEYFILE,"$withval", [Define this to the location of the master key.])
+fi
+])
+
+otp=yes
+AC_ARG_ENABLE(otp,
+[  --disable-otp           if you don't want OTP support],
+[
+if test "$enableval" = "no"; then
+	otp=no
+fi
+])
+
+if test "$otp" = "yes"; then
+	AC_DEFINE(OTP)
+	LIB_otp='-L$(top_builddir)/lib/otp -lotp'
+	OTP_dir=otp
+	LIB_SUBDIRS="$LIB_SUBDIRS otp"
+fi
+AC_SUBST(LIB_otp)
+AC_SUBST(OTP_dir)
+
+AC_CHECK_OSFC2
+
+mmap=yes
+AC_ARG_ENABLE(mmap,
+[  --disable-mmap          disable use of mmap],
+[
+if test "$enableval" = "no"; then
+	mmap=no
+fi
+])
+if test "$mmap" = "no"; then
+	AC_DEFINE(NO_MMAP, 1, [Define if you don't want to use mmap.])
+fi
+
+aix_dynamic_afs=yes
+AC_ARG_ENABLE(dynamic-afs,
+[  --disable-dynamic-afs   don't use loaded AFS library with AIX],[
+if test "$enableval" = "no"; then
+	aix_dynamic_afs=no
+fi
+])
+
+berkeley_db=db
+AC_ARG_WITH(berkeley-db,
+[  --without-berkeley-db   if you don't want berkeley db],[
+if test "$withval" = no; then
+	berkeley_db=""
+fi
+])
+
+afs_support=yes
+AC_ARG_WITH(afs-support,
+[  --without-afs-support   if you don't want support for afs],[
+if test "$withval" = no; then
+	AC_DEFINE(NO_AFS, 1, [Define if you don't wan't support for AFS.])
+	afs_support=no
+fi
+])
+
+des_quad=guess
+AC_ARG_WITH(des-quad-checksum,
+[  --with-des-quad-checksum=kind
+                           default checksum to use (new, old, or guess)],[
+des_quad="$withval"
+])
+if test "$des_quad" = "new"; then
+	ac_x=DES_QUAD_NEW
+elif test "$des_quad" = "old"; then
+	ac_x=DES_QUAD_OLD
+else
+	ac_x=DES_QUAD_GUESS
+fi	
+AC_DEFINE_UNQUOTED(DES_QUAD_DEFAULT,$ac_x, 
+	[Set this to the type of des-quad-cheksum to use.])
+
+AC_ARG_WITH(afsws,
+[  --with-afsws=dir        use AFS includes and libraries from dir=/usr/afsws],
+AFSWS=$withval,
+AFSWS=/usr/afsws
+)
+test "$AFSWS" = "yes" && AFSWS=/usr/afsws
+AC_SUBST(AFSWS)
+
+AC_ARG_ENABLE(rxkad,
+[  --enable-rxkad           build rxkad library])
+
+if test "$afs_support" = yes -a "$enable_rxkad" = yes; then
+	LIB_SUBDIRS="$LIB_SUBDIRS rxkad"
+fi
+AC_SUBST(LIB_SUBDIRS)
+
+AC_ARG_ENABLE(cat-manpages,
+[  --disable-cat-manpages   don't install any preformatted manpages],
+[
+if test "$enableval" = "no"; then
+	disable_cat_manpages=yes
+fi
+])
+
+AC_SUBST(disable_cat_manpages)dnl
+
+AC_TEST_PACKAGE_NEW(readline,[
+#include <stdio.h>
+#include <readline.h>
+],-lreadline)
+
+AC_MIPS_ABI
+
+AC_TEST_PACKAGE_NEW(hesiod,[#include <hesiod.h>],-lhesiod)
+
+AC_SHARED_LIBS
+
+dnl
+dnl Check for endian-ness, this breaks cross compilation
+dnl
+AC_C_BIGENDIAN
+
+dnl
+dnl Check for constness
+dnl
+AC_C_CONST
+
+dnl
+dnl Check for inline keyword
+dnl
+AC_C_INLINE
+
+dnl
+dnl Check for __attribute__
+dnl
+AC_C___ATTRIBUTE__
+
+dnl
+dnl Check for strange operating systems that you need to handle differently
+dnl
+
+AC_KRB_SYS_NEXTSTEP
+AC_KRB_SYS_AIX
+
+if test "$krb_cv_sys_aix" = yes ;then
+	if test "$aix_dynamic_afs" = yes; then
+		AFS_EXTRA_OBJS=
+		AFS_EXTRA_LIBS=afslib.so
+		# this works differently in AIX <=3 and 4
+		if test `uname -v` = 4 ; then
+			AFS_EXTRA_LD="-bnoentry"
+		else
+			AFS_EXTRA_LD="-e _nostart"
+		fi
+		AFS_EXTRA_DEFS=
+		AC_FIND_FUNC_NO_LIBS(dlopen, dl)
+		if test "$ac_cv_funclib_dlopen" = yes; then
+			AIX_EXTRA_KAFS=
+		elif test "$ac_cv_funclib_dlopen" != no; then
+			AIX_EXTRA_KAFS="$ac_cv_funclib_dlopen"
+		else
+			AFS_EXTRA_OBJS="$AFS_EXTRA_OBJS dlfcn.o"
+			AIX_EXTRA_KAFS=-lld
+		fi
+	else
+		AFS_EXTRA_OBJS='$(srcdir)/afsl.exp afslib.o'
+		AFS_EXTRA_LIBS=
+		AFS_EXTRA_DEFS='-DSTATIC_AFS_SYSCALLS'
+		AIX_EXTRA_KAFS=
+	fi
+	AC_SUBST(AFS_EXTRA_OBJS)dnl
+	AC_SUBST(AFS_EXTRA_LIBS)dnl
+	AC_SUBST(AFS_EXTRA_LD)dnl
+	AC_SUBST(AFS_EXTRA_DEFS)dnl
+	AC_SUBST(AIX_EXTRA_KAFS)dnl
+fi
+
+#
+# AIX needs /lib/pse.exp for getmsg, but alas that file is broken in
+# AIX414
+#
+
+case "${host}" in
+*-*-aix4.1*)
+if test -f /lib/pse.exp ;then
+	LIBS="$LIBS -Wl,-bnolibpath -Wl,-bI:/lib/pse.exp"
+fi
+;;
+*-*-aix*)
+	LIBS="$LIBS -Wl,-bnolibpath"
+	;;
+esac
+
+dnl
+dnl Various checks for headers and their contents
+dnl
+
+AC_HEADER_STDC
+
+AC_CHECK_HEADERS([arpa/ftp.h			\
+	arpa/inet.h				\
+	arpa/nameser.h				\
+	arpa/telnet.h				\
+	bsd/bsd.h				\
+	bsdsetjmp.h				\
+	capability.h				\
+	crypt.h					\
+	curses.h				\
+	db.h					\
+	dbm.h					\
+	dirent.h				\
+	err.h					\
+	errno.h					\
+	fcntl.h					\
+	fnmatch.h				\
+	gdbm/ndbm.h				\
+	grp.h					\
+	inttypes.h				\
+	io.h					\
+	lastlog.h				\
+	libutil.h				\
+	limits.h				\
+	login.h					\
+	maillock.h				\
+	ndbm.h					\
+	net/if.h				\
+	net/if_tun.h				\
+	net/if_var.h				\
+	netdb.h					\
+	netinet/in.h				\
+	netinet/in6_machtypes.h			\
+	netinet/in_systm.h			\
+	paths.h					\
+	pty.h					\
+	pwd.h					\
+	resolv.h				\
+	rpcsvc/dbm.h				\
+	rpcsvc/ypclnt.h				\
+	sac.h					\
+	security/pam_modules.h			\
+	shadow.h				\
+	siad.h					\
+	signal.h				\
+	stropts.h				\
+	sys/bitypes.h				\
+	sys/category.h				\
+	sys/file.h				\
+	sys/filio.h				\
+	sys/ioccom.h				\
+	sys/ioctl.h				\
+	sys/locking.h				\
+	sys/mman.h				\
+	sys/param.h				\
+	sys/proc.h				\
+	sys/pty.h				\
+	sys/ptyio.h				\
+	sys/ptyvar.h				\
+	sys/resource.h				\
+	sys/select.h				\
+	sys/socket.h				\
+	sys/sockio.h				\
+	sys/stat.h				\
+	sys/str_tty.h				\
+	sys/stream.h				\
+	sys/stropts.h				\
+	sys/strtty.h				\
+	sys/syscall.h				\
+	sys/sysctl.h				\
+	sys/termio.h				\
+	sys/time.h				\
+	sys/timeb.h				\
+	sys/times.h				\
+	sys/tty.h				\
+	sys/types.h				\
+	sys/uio.h				\
+	sys/un.h				\
+	sys/utsname.h				\
+	sys/wait.h				\
+	syslog.h				\
+	term.h					\
+	termcap.h				\
+	termio.h				\
+	termios.h				\
+	tmpdir.h				\
+	ttyent.h				\
+	udb.h					\
+	ulimit.h				\
+	unistd.h				\
+	userpw.h				\
+	usersec.h				\
+	util.h					\
+	utime.h					\
+	utmp.h					\
+	utmpx.h					\
+	wait.h])
+
+AC_HEADER_TIME
+AC_DECL_SYS_SIGLIST
+
+CHECK_NETINET_IP_AND_TCP
+
+EXTRA_LOCL_HEADERS=
+EXTRA_HEADERS=
+if test "$ac_cv_header_err_h" != yes; then
+	EXTRA_HEADERS="$EXTRA_HEADERS err.h"
+fi
+if test "$ac_cv_header_fnmatch_h" != yes; then
+	EXTRA_LOCL_HEADERS="$EXTRA_LOCL_HEADERS fnmatch.h"
+fi
+AC_SUBST(EXTRA_HEADERS)
+AC_SUBST(EXTRA_LOCL_HEADERS)
+
+AC_GROK_TYPES(int8_t int16_t int32_t int64_t)
+AC_GROK_TYPES(u_int8_t u_int16_t u_int32_t u_int64_t)
+
+AC_MSG_CHECKING(for strange sys/bitypes.h)
+AC_CACHE_VAL(krb_cv_int8_t_ifdef, [
+AC_TRY_COMPILE([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+#include <sys/bitypes.h>
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+#include <netinet/in6_machtypes.h>
+#endif
+],
+int8_t x;
+,
+krb_cv_int8_t_ifdef=no,
+krb_cv_int8_t_ifdef=yes)])
+AC_MSG_RESULT($krb_cv_int8_t_ifdef)
+if test "$krb_cv_int8_t_ifdef" = "yes"; then
+  AC_DEFINE(HAVE_STRANGE_INT8_T, 1, [Huh?])dnl
+fi
+
+dnl
+dnl Various checks for libraries and their contents
+dnl
+
+AC_FIND_FUNC_NO_LIBS(crypt, crypt)dnl
+
+dnl
+dnl System V is have misplaced the socket routines, should really be in libc
+dnl
+
+AC_FIND_FUNC(socket, socket,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0])
+AC_FIND_FUNC(gethostbyname, nsl,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+"foo")
+
+dnl
+dnl Horror AIX needs -lodm -lcfg to link login
+dnl
+
+AC_FIND_FUNC(odm_initialize, odm)
+AC_FIND_FUNC(getattr, cfg)
+AC_FIND_FUNC(setpcred, s)
+AC_FIND_FUNC(logwtmp, util)
+
+AC_FIND_FUNC(logout, util)
+AC_FIND_FUNC_NO_LIBS(tgetent, termcap ncurses curses)
+	
+dnl 
+dnl See if there is any X11 present
+dnl
+KRB_CHECK_X
+if test "$no_x" = "yes" ; then
+	MAKE_X_PROGS_BIN=""
+	MAKE_X_SCRIPTS_BIN=""
+	MAKE_X_PROGS_LIBEXEC=""
+else
+	MAKE_X_PROGS_BIN='$(X_PROGS_BIN)'
+	MAKE_X_SCRIPTS_BIN='$(X_SCRIPTS_BIN)'
+	MAKE_X_PROGS_LIBEXEC='$(X_PROGS_LIBEXEC)'
+fi
+AC_SUBST(MAKE_X_PROGS_BIN)dnl
+AC_SUBST(MAKE_X_SCRIPTS_BIN)dnl
+AC_SUBST(MAKE_X_PROGS_LIBEXEC)dnl
+
+AC_CHECK_XAU
+
+dnl
+dnl Look for berkeley db, gdbm, and ndbm in that order.
+dnl
+
+KRB_FIND_DB("" $berkeley_db gdbm ndbm)
+
+AC_FIND_FUNC(syslog, syslog)
+
+AC_BROKEN_SNPRINTF
+AC_BROKEN_GLOB
+
+if test "$ac_cv_func_glob_working" != yes; then
+	EXTRA_LOCL_HEADERS="$EXTRA_LOCL_HEADERS glob.h"
+	LIBOBJS="$LIBOBJS glob.o"
+fi
+
+AC_CHECK_FUNCS([				\
+	_getpty					\
+	_scrsize				\
+	_setsid					\
+	_stricmp				\
+	asnprintf				\
+	asprintf				\
+	atexit					\
+	cgetent					\
+	chroot					\
+	fattach					\
+	fchmod					\
+	fcntl					\
+	forkpty					\
+	frevoke					\
+	getpriority				\
+	getrlimit				\
+	getservbyname				\
+	getspnam				\
+	gettimeofday				\
+	gettosbyname				\
+	getuid					\
+	grantpt					\
+	mktime					\
+	on_exit					\
+	parsetos				\
+	ptsname					\
+	rand					\
+	random					\
+	revoke					\
+	setitimer				\
+	setpgid					\
+	setpriority				\
+	setproctitle				\
+	setregid				\
+	setresgid				\
+	setresuid				\
+	setreuid				\
+	setsid					\
+	setutent				\
+	sigaction				\
+	sysconf					\
+	sysctl					\
+	ttyname					\
+	ttyslot					\
+	ulimit					\
+	uname					\
+	unlockpt				\
+	vasnprintf				\
+	vasprintf				\
+	vhangup					\
+	vsnprintf				\
+	yp_get_default_domain			\
+	])
+
+KRB_CAPABILITIES
+
+AC_CHECK_GETPWNAM_R_POSIX
+
+AC_FIND_FUNC_NO_LIBS(getsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+AC_FIND_FUNC_NO_LIBS(setsockopt,,
+[#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif],
+[0,0,0,0,0])
+
+dnl Cray stuff
+AC_CHECK_FUNCS(getudbnam setlim)
+
+AC_FIND_FUNC(res_search, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_FIND_FUNC(dn_expand, resolv,
+[
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+],
+[0,0,0,0,0])
+
+AC_SUBST(LIB_res_search)dnl
+AC_SUBST(LIB_dn_expand)dnl
+
+AC_FUNC_MMAP
+AC_FUNC_ALLOCA
+
+AC_FUNC_GETLOGIN
+
+AC_FIND_IF_NOT_BROKEN(hstrerror, resolv,
+[#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+17)
+if test "$ac_cv_func_hstrerror" = yes; then
+AC_NEED_PROTO([
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+hstrerror)
+fi
+
+AC_BROKEN(chown copyhostent daemon err errx fchown flock fnmatch freehostent)
+AC_BROKEN(getcwd getdtablesize gethostname getipnodebyaddr getipnodebyname)
+AC_BROKEN(geteuid getgid getegid)
+AC_BROKEN(getopt getusershell)
+AC_BROKEN(inet_aton inet_ntop inet_pton initgroups innetgr iruserok lstat)
+AC_BROKEN(memmove)
+AC_BROKEN(mkstemp putenv rcmd readv recvmsg sendmsg setegid setenv seteuid)
+AC_BROKEN(strcasecmp strncasecmp strdup strerror strftime)
+AC_BROKEN(strlcat strlcpy strlwr)
+AC_BROKEN(strndup strnlen strptime strsep strtok_r strupr)
+AC_BROKEN(swab unsetenv verr verrx vsyslog)
+AC_BROKEN(vwarn vwarnx warn warnx writev)
+
+if test "$ac_cv_func_gethostname" = "yes"; then
+AC_NEED_PROTO([
+#include <unistd.h>],
+gethostname)
+fi
+
+if test "$ac_cv_func_mkstemp" = "yes"; then
+AC_NEED_PROTO([
+#include <unistd.h>],
+mkstemp)
+fi
+
+if test "$ac_cv_func_inet_aton" = "yes"; then
+AC_NEED_PROTO([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif],
+inet_aton)
+fi
+
+AC_CACHE_CHECK(if realloc is broken, ac_cv_func_realloc_broken, [
+ac_cv_func_realloc_broken=no
+AC_TRY_RUN([
+#include <stddef.h>
+#include <stdlib.h>
+
+int main()
+{
+	return realloc(NULL, 17) == NULL;
+}
+],:, ac_cv_func_realloc_broken=yes, :)
+])
+if test "$ac_cv_func_realloc_broken" = yes ; then
+	AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL, X) doesn't work.])
+fi
+
+AC_KRB_FUNC_GETCWD_BROKEN
+
+dnl
+dnl Figure what authentication modules should be built
+dnl
+
+AC_MSG_CHECKING(which authentication modules should be built)
+
+LIB_AUTH_SUBDIRS=
+
+if test "$ac_cv_header_siad_h" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia"
+fi
+
+if test "$ac_cv_header_security_pam_modules_h" = yes -a "$enable_shared" = yes; then
+	LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam"
+fi
+
+case "${host}" in
+changequote(,)dnl
+*-*-irix[56]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;;
+changequote([,])dnl
+esac
+
+AC_MSG_RESULT($LIB_AUTH_SUBDIRS)
+
+AC_SUBST(LIB_AUTH_SUBDIRS)dnl
+
+dnl
+dnl Checks for prototypes and declarations
+dnl
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyname, struct hostent *gethostbyname(const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+gethostbyaddr, struct hostent *gethostbyaddr(const void *, size_t, int))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+],
+getservbyname, struct servent *getservbyname(const char *, const char *))
+
+AC_PROTO_COMPAT([
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+],
+openlog, void openlog(const char *, int, int))
+
+AC_NEED_PROTO([
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+],
+crypt)
+
+AC_NEED_PROTO([
+#include <stdio.h>
+],
+fclose)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strtok_r)
+
+AC_NEED_PROTO([
+#include <string.h>
+],
+strsep)
+
+AC_NEED_PROTO([
+#include <unistd.h>
+],
+getusershell)
+
+AC_NEED_PROTO([
+#ifdef HAVE_UTIME_H
+#include <utime.h>
+#endif
+],
+utime)
+
+AC_CHECK_VAR([#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+h_errno)
+
+AC_CHECK_VAR([#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+h_errlist)
+
+AC_CHECK_VAR([#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif],
+h_nerr)
+
+AC_CHECK_VAR([#ifdef HAVE_ERR_H
+#include <err.h>
+#endif],[__progname])
+
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optarg)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optind)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], opterr)
+AC_CHECK_DECLARATION([#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif], optopt)
+
+AC_CHECK_DECLARATION([#include <stdlib.h>], environ)
+
+dnl
+dnl According to ANSI you are explicitly allowed to cast to void,
+dnl but the standard fails to say what should happen. Some compilers
+dnl think this is illegal:
+dnl
+dnl void foo(void)
+dnl {
+dnl   return (void)0;
+dnl }
+dnl
+dnl Thus explicitly test for void
+dnl
+AC_TYPE_SIGNAL
+if test "$ac_cv_type_signal" = "void" ; then
+	AC_DEFINE(VOID_RETSIGTYPE, 1, [Define if RETSIGTYPE == void.])
+fi
+
+dnl
+dnl Check for fields in struct utmp
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_addr,
+[#include <sys/types.h>
+ #include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_host,
+[#include <sys/types.h>
+ #include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_id,
+[#include <sys/types.h>
+ #include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_pid,
+[#include <sys/types.h>
+ #include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_type,
+[#include <sys/types.h>
+ #include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmp, ut_user,
+[#include <sys/types.h>
+ #include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmpx, ut_exit,
+[#include <sys/types.h>
+ #include <utmp.h>])
+AC_HAVE_STRUCT_FIELD(struct utmpx, ut_syslen,
+[#include <sys/types.h>
+ #include <utmp.h>])
+
+dnl
+dnl Check for fields in struct tm
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct tm, tm_gmtoff, [#include <time.h>])
+AC_HAVE_STRUCT_FIELD(struct tm, tm_zone, [#include <time.h>])
+
+dnl
+dnl or do we have a variable `timezone' ?
+dnl
+
+AC_CHECK_VAR(
+[#include <time.h>],
+timezone)
+
+AC_HAVE_TYPE([sa_family_t],[#include <sys/socket.h>])
+
+AC_HAVE_TYPE([socklen_t],[#include <sys/socket.h>])
+ 
+AC_HAVE_TYPE([struct sockaddr_storage], [#include <sys/socket.h>])
+
+AC_KRB_STRUCT_SPWD
+
+AC_STRUCT_ST_BLKSIZE
+
+dnl
+dnl Check for struct winsize
+dnl
+
+AC_KRB_STRUCT_WINSIZE
+
+dnl
+dnl Check for some common types
+dnl
+
+AC_TYPE_PID_T
+AC_TYPE_UID_T
+AC_TYPE_OFF_T
+AC_TYPE_SIZE_T
+
+AC_CHECK_TYPE_EXTRA(ssize_t, int, [
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif])
+
+AC_CHECK_TYPE_EXTRA(sig_atomic_t, int, [#include <signal.h>])
+
+dnl
+dnl Check for broken ultrix sys/socket.h
+dnl
+
+AC_MSG_CHECKING(for broken sys/socket.h)
+AC_CACHE_VAL(krb_cv_header_sys_socket_h_broken, [
+AC_TRY_COMPILE(
+[#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/socket.h>],[],
+krb_cv_header_sys_socket_h_broken=no,
+krb_cv_header_sys_socket_h_broken=yes)])
+AC_MSG_RESULT($krb_cv_header_sys_socket_h_broken)
+AC_SUBST(krb_cv_header_sys_socket_h_broken)
+
+dnl
+dnl Check for broken ultrix netdb.h
+dnl
+
+AC_MSG_CHECKING(for broken netdb.h)
+AC_CACHE_VAL(krb_cv_header_netdb_h_broken, [
+AC_TRY_COMPILE(
+[#include <sys/types.h>
+#include <netdb.h>
+#include <netdb.h>],[],
+krb_cv_header_netdb_h_broken=no,
+krb_cv_header_netdb_h_broken=yes)])
+AC_MSG_RESULT($krb_cv_header_netdb_h_broken)
+AC_SUBST(krb_cv_header_netdb_h_broken)
+if test "$krb_cv_header_netdb_h_broken" = "yes"; then
+  EXTRA_HEADERS="$EXTRA_HEADERS netdb.h"
+fi
+
+dnl
+dnl Check for sa_len in sys/socket.h
+dnl
+
+AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include <sys/types.h>
+#include <sys/socket.h>])
+
+dnl
+dnl Check for ouid in sys/siad.h
+dnl
+
+if test "$ac_cv_header_siad_h" = yes; then
+AC_HAVE_STRUCT_FIELD(SIAENTITY, ouid, [#include <siad.h>])
+fi
+
+dnl
+dnl you can link with getmsg on AIX 3.2 but you cannot run the program
+dnl
+
+AC_CHECK_FUNC(getmsg)
+
+if test "$ac_cv_func_getmsg" = "yes"; then
+
+AC_CACHE_CHECK(for working getmsg, ac_cv_func_getmsg_work,
+AC_TRY_RUN(
+[
+#include <stdio.h>
+#include <errno.h>
+
+int main()
+{
+  int ret;
+  ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL);
+  if(ret < 0 && errno == ENOSYS)
+    return 1;
+  return 0;
+}
+], ac_cv_func_getmsg_work=yes, ac_cv_func_getmsg_work=no,
+ac_cv_func_getmsg_work=no))
+test "$ac_cv_func_getmsg_work" = "yes" &&
+AC_DEFINE(HAVE_GETMSG, 1, [Define if you have a working getmsg.])
+
+fi
+
+dnl
+dnl Tests for editline
+dnl
+
+dnl el_init
+
+AC_FIND_FUNC_NO_LIBS(el_init, edit, [], [], [$LIB_tgetent])
+if test "$ac_cv_func_el_init" = yes ; then
+	AC_CACHE_CHECK(for four argument el_init, ac_cv_func_el_init_four,[
+		AC_TRY_COMPILE([#include <stdio.h>
+			#include <histedit.h>],
+			[el_init("", NULL, NULL, NULL);],
+			ac_cv_func_el_init_four=yes,
+			ac_cv_func_el_init_four=no)])
+	if test "$ac_cv_func_el_init_four" = yes; then
+		AC_DEFINE(HAVE_FOUR_VALUED_EL_INIT, 1, [Define if el_init takes four arguments.])
+	fi
+fi
+
+dnl readline
+
+save_LIBS="$LIBS"
+LIBS="$LIB_tgetent $LIBS"
+AC_FIND_FUNC_NO_LIBS(readline, edit readline)
+LIBS="$save_LIBS"
+el_yes="# "
+if test "$with_readline" -a "$with_readline" != "no"; then
+	:
+elif test "$ac_cv_func_readline" = yes; then
+	INCLUDE_readline=
+elif test "$ac_cv_func_el_init" = yes; then
+	el_yes=
+	LIB_readline="-L\$(top_builddir)/lib/editline -lel_compat $LIB_el_init"
+	INCLUDE_readline='-I$(top_srcdir)/lib/editline'
+else
+	LIB_readline='-L$(top_builddir)/lib/editline -leditline'
+	INCLUDE_readline='-I$(top_srcdir)/lib/editline'
+fi
+LIB_readline="$LIB_readline \$(LIB_tgetent)"
+AC_DEFINE(HAVE_READLINE, 1, [Define if you have a readline function.])dnl XXX
+AC_SUBST(LIB_readline)
+AC_SUBST(INCLUDE_readline)
+AC_SUBST(el_yes)
+
+dnl telnet muck --------------------------------------------------
+
+AC_DEFINE(AUTHENTICATION)dnl
+AC_DEFINE(KRB4)dnl
+AC_DEFINE(ENCRYPTION)dnl
+AC_DEFINE(DES_ENCRYPTION)dnl
+AC_DEFINE(DIAGNOSTICS)dnl
+AC_DEFINE(OLD_ENVIRON)dnl
+
+# Simple test for streamspty, based on the existance of getmsg(), alas
+# this breaks on SunOS4 which have streams but BSD-like ptys
+#
+# And also something wierd has happend with dec-osf1, fallback to bsd-ptys
+
+AC_MSG_CHECKING(for streamspty)
+case "`uname -sr`" in
+SunOS\ 4*|OSF1*|IRIX\ 4*|HP-UX\ ?.1[[01]].*)
+	krb_cv_sys_streamspty=no
+	;;
+AIX*)
+	os_rel=`uname -v`.`uname -r`
+	if expr "$os_rel" : "3*" >/dev/null 2>&1; then
+		krb_cv_sys_streamspty=no
+	else
+		krb_cv_sys_streamspty="$ac_cv_func_getmsg_work"
+	fi
+	;;
+*)
+	krb_cv_sys_streamspty="$ac_cv_func_getmsg_work"
+	;;
+esac
+if test "$krb_cv_sys_streamspty" = yes; then
+	AC_DEFINE(STREAMSPTY, 1, [Define if you have working stream ptys.])
+fi
+dnl AC_SUBST(STREAMSPTY)
+AC_MSG_RESULT($krb_cv_sys_streamspty)
+
+AC_MSG_CHECKING([if /bin/ls takes -A])
+if /bin/ls -A > /dev/null 2>&1 ;then
+	AC_DEFINE(HAVE_LS_A, 1, [Define if /bin/ls has a \`-A' flag.])
+	krb_ls_a=yes
+else
+	krb_ls_a=no
+fi
+AC_MSG_RESULT($krb_ls_a)
+	
+dnl ------------------------------------------------------------
+AC_CACHE_CHECK(for suffix of preformatted manual pages, krb_cv_sys_cat_suffix,
+if grep _version /etc/man.conf > /dev/null 2>&1; then
+	krb_cv_sys_cat_suffix=0
+else
+	krb_cv_sys_cat_suffix=number
+fi)
+if test "$krb_cv_sys_cat_suffix" = number; then
+		CATSUFFIX='$$s'
+else
+		CATSUFFIX=0
+fi
+AC_SUBST(CATSUFFIX)
+
+dnl ------------------------------------------------------------
+
+KRB_KAFS_LIB="-L\$(top_builddir)/lib/kafs -lkafs $AIX_EXTRA_KAFS"
+AC_SUBST(KRB_KAFS_LIB)dnl
+
+dnl ------------------------------------------------------------
+
+
+dnl This is done by AC_OUTPUT but we need the result here.
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+for i in bin lib libexec sbin; do
+	i=${i}dir
+	foo=`echo $i | tr 'xindiscernible' 'XINDISCERNIBLE'`
+	x="\$${i}"
+	eval y="$x"
+	while test "x$y" != "x$x"; do
+		x="$y"
+		eval y="$x"
+	done
+	AC_DEFINE_UNQUOTED($foo,"$x")
+done
+
+dnl
+dnl We are all set to emit the Makefiles and config.h
+dnl
+AC_OUTPUT(					\
+Makefile 					\
+include/Makefile				\
+include/sys/Makefile				\
+						\
+man/Makefile					\
+						\
+lib/Makefile					\
+lib/com_err/Makefile				\
+lib/des/Makefile				\
+lib/krb/Makefile				\
+lib/kdb/Makefile				\
+lib/kadm/Makefile				\
+lib/acl/Makefile				\
+lib/kafs/Makefile				\
+lib/roken/Makefile				\
+lib/otp/Makefile				\
+lib/sl/Makefile					\
+lib/editline/Makefile				\
+lib/rxkad/Makefile				\
+lib/auth/Makefile				\
+lib/auth/pam/Makefile				\
+lib/auth/sia/Makefile				\
+lib/auth/afskauthlib/Makefile			\
+						\
+kuser/Makefile					\
+server/Makefile					\
+slave/Makefile					\
+admin/Makefile					\
+kadmin/Makefile					\
+						\
+appl/Makefile					\
+						\
+appl/afsutil/Makefile 				\
+appl/ftp/Makefile				\
+appl/ftp/common/Makefile			\
+appl/ftp/ftp/Makefile				\
+appl/ftp/ftpd/Makefile				\
+appl/telnet/Makefile				\
+appl/telnet/libtelnet/Makefile			\
+appl/telnet/telnet/Makefile			\
+appl/telnet/telnetd/Makefile			\
+appl/bsd/Makefile 				\
+appl/kauth/Makefile				\
+appl/popper/Makefile				\
+appl/movemail/Makefile				\
+appl/push/Makefile				\
+appl/sample/Makefile				\
+appl/xnlock/Makefile				\
+appl/kx/Makefile				\
+appl/kip/Makefile				\
+appl/otp/Makefile				\
+doc/Makefile					\
+etc/inetd.conf.changes				\
+) dnl end of AC_OUTPUT
+
+AC_KRB_VERSION
diff --git a/crypto/kerberosIV/doc/Makefile.in b/crypto/kerberosIV/doc/Makefile.in
new file mode 100644
index 0000000..bbf870e
--- /dev/null
+++ b/crypto/kerberosIV/doc/Makefile.in
@@ -0,0 +1,78 @@
+# $Id: Makefile.in,v 1.19 1999/09/28 12:35:11 assar Exp $
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+MAKEINFO = @MAKEINFO@
+TEXI2DVI = texi2dvi
+TEXI2HTML = texi2html
+
+prefix = @prefix@
+infodir = @infodir@
+
+TEXI_SOURCES = ack.texi				\
+	index.texi				\
+	install.texi				\
+	intro.texi				\
+	kth-krb.texi				\
+	otp.texi				\
+	problems.texi				\
+	setup.texi				\
+	whatis.texi
+
+all: info
+
+install: all installdirs
+	if test -f kth-krb.info; then \
+	  $(INSTALL_DATA) kth-krb.info $(DESTDIR)$(infodir)/kth-krb.info; \
+	else \
+	  $(INSTALL_DATA) $(srcdir)/kth-krb.info $(DESTDIR)$(infodir)/kth-krb.info; \
+	fi
+	if test -f $(DESTDIR)$(infodir)/dir ; then :; else \
+		$(INSTALL_DATA) $(srcdir)/dir $(DESTDIR)$(infodir)/dir; \
+	fi
+	-if $(SHELL) -c 'install-info --version' >/dev/null 2>&1; then \
+	  install-info --dir-file=$(DESTDIR)$(infodir)/dir $(DESTDIR)$(infodir)/kth-krb.info; \
+	else \
+	  true; \
+	fi
+
+uninstall:
+	rm -f $(DESTDIR)$(infodir)/kth-krb.info
+
+installdirs:
+	$(MKINSTALLDIRS) $(DESTDIR)$(infodir)
+
+info: kth-krb.info
+
+kth-krb.info: $(TEXI_SOURCES)
+	$(MAKEINFO) --no-split -I$(srcdir) -o $@ $(srcdir)/kth-krb.texi
+
+dvi: kth-krb.dvi
+
+kth-krb.dvi: $(TEXI_SOURCES)
+	$(TEXI2DVI) $(srcdir)/kth-krb.texi
+
+html: kth-krb.html
+
+kth-krb.html: $(TEXI_SOURCES)
+	$(TEXI2HTML) $(srcdir)/kth-krb.texi
+
+clean:
+	rm -f *.aux *.cp *.cps *.dvi *.fn *.ky *.log *.pg *.toc *.tp *.vr
+
+distclean: clean
+
+mostlyclean: clean
+
+maintainer-clean: clean
+	rm -f *.info*
+
+check:
+
+.PHONY: all install uninstall installdirs info dvi html clean distclean mostlyclean maintainer-clean check
diff --git a/crypto/kerberosIV/doc/ack.texi b/crypto/kerberosIV/doc/ack.texi
new file mode 100644
index 0000000..327220c
--- /dev/null
+++ b/crypto/kerberosIV/doc/ack.texi
@@ -0,0 +1,106 @@
+@node  Acknowledgments, Index, Resolving frequent problems, Top
+@comment  node-name,  next,  previous,  up
+@appendix Acknowledgments
+
+People from the MIT Athena project wrote the original code that this is
+based on. @w{Kerberos 4} @w{patch-level 9} was stripped of both the
+encryption functions and the calls to them. This was exported from the
+US as the ``Bones'' release.  Eric Young put back the calls and hooked
+in his libdes, thereby creating the ``eBones'' release.
+@cindex Bones
+@cindex eBones
+
+The ``rcmd'' programs where initially developed at the University of
+California at Berkeley and then hacked on by the FreeBSD and NetBSD
+projects.
+
+Berkeley also wrote @code{ftp}, @code{ftpd}, @code{telnet}, and
+@code{telnetd}.  The authentication and encryption code of @code{telnet}
+and @code{telnetd} was added by David Borman (then of Cray Research,
+Inc).  The encryption code was removed when this was exported and then
+added back by Juha Eskelinen, @code{<esc@@magic.fi>}.
+
+The @code{popper} was also a Berkeley program initially.
+
+The @code{login} has the same origins but has received code written by
+Wietse Venema at Eindhoven University of Technology, The Netherlands.
+
+@code{movemail} was (at least partially) written by Jonathan Kamens,
+@code{<jik@@security.ov.com>}, and is Copyright @copyright{} 1986, 1991,
+1992, 1993, 1994 Free Software Foundation, Inc.
+
+@code{xnlock} was originally written by Dan Heller in 1985 for sunview.
+The X version was written by him in 1990.
+
+Some of the functions in @file{libroken} also come from Berkeley by the
+way of NetBSD/FreeBSD.
+
+The code to handle the dynamic loading of the AFS module for AIX is
+copyright @copyright{} 1992 HELIOS Software GmbH 30159 Hannover,
+Germany.
+
+@code{editline} was written by Simmule Turner and Rich Salz.
+
+Bugfixes and code has been contributed by:
+@table @asis
+@item Derrick J Brashear
+@code{<shadow@@dementia.org>}
+@item Anders Gertz
+@code{<gertz@@lysator.liu.se>}
+@item Dejan Ilic
+@code{<svedja@@lysator.liu.se>}
+@item Kent Engström
+@code{<kent@@lysator.liu.se>}
+@item Simon Josefsson
+@code{<jas@@pdc.kth.se>}
+@item Robert Malmgren
+@code{<rom@@incolumitas.se>}
+@item Fredrik Ljungberg
+@code{<flag@@astrogator.se>}
+@item Joakim Fallsjö
+@code{jfa@@pobox.se}
+@item Lars Malinowsky
+@code{<lama@@pdc.kth.se>}
+@item Fabien Coelho
+@code{<coelho@@cri.ensmp.fr>}
+@item Chris Chiappa
+@code{<griffon+@@cmu.edu>}
+@item Gregory S. Stark
+@code{<gsstark@@mit.edu>}
+@item Love Hörnquist-Åstrand
+@code{<lha@@stacken.kth.se>}
+@item Daniel Staaf
+@code{<d96-dst@@nada.kth.se>}
+@item Magnus Ahltorp
+@code{<map@@stacken.kth.se>}
+@item Robert Burgess
+@code{<rb@@stacken.kth.se>}
+@item Lars Arvestad
+@code{<arve@@nada.kth.se>}
+@item Jörgen Wahlsten
+@code{<wahlsten@@pathfinder.com>}
+@item Daniel Staaf
+@code{<d96-dst@@nada.kth.se>}
+@item R Lindsay Todd
+@code{<toddr@@rpi.edu>}
+@item Åke Sandgren
+@code{<ake@@cs.umu.se>}
+@item Thomas Nyström
+@code{<thn@@stacken.kth.se>}
+@item and we hope that those not mentioned here will forgive us.
+@end table
+
+Ian Marsh @code{<ianm@@sics.se>} removed the worst abuses of the English
+language from this text.
+
+Ilja Hallberg @code{<iha@@incolumitas.se>} is still promising to help us
+finish the documentation.
+
+This work was supported in part by SUNET and the Centre for Parallel
+Computers at KTH.
+
+The port to Windows 95/NT was supported by the Computer Council at KTH
+and done by Jörgen Karlsson @code{<d93-jka@@nada.kth.se>}.
+
+All the bugs were introduced by ourselves.
+
diff --git a/crypto/kerberosIV/doc/dir b/crypto/kerberosIV/doc/dir
new file mode 100644
index 0000000..911f622
--- /dev/null
+++ b/crypto/kerberosIV/doc/dir
@@ -0,0 +1,17 @@
+$Id: dir,v 1.1 1997/06/12 16:15:21 joda Exp $
+This is the file .../info/dir, which contains the topmost node of the
+Info hierarchy.  The first time you invoke Info you start off
+looking at that node, which is (dir)Top.
+
+File: dir	Node: Top	This is the top of the INFO tree
+
+  This (the Directory node) gives a menu of major topics. 
+  Typing "q" exits, "?" lists all Info commands, "d" returns here,
+  "h" gives a primer for first-timers,
+  "mEmacs<Return>" visits the Emacs topic, etc.
+
+  In Emacs, you can click mouse button 2 on a menu item or cross reference
+  to select it.
+
+* Menu: 
+
diff --git a/crypto/kerberosIV/doc/index.texi b/crypto/kerberosIV/doc/index.texi
new file mode 100644
index 0000000..ebe5d91
--- /dev/null
+++ b/crypto/kerberosIV/doc/index.texi
@@ -0,0 +1,6 @@
+@node Index, , Acknowledgments, Top
+@comment  node-name,  next,  previous,  up
+@unnumbered Index
+
+@printindex cp
+
diff --git a/crypto/kerberosIV/doc/install.texi b/crypto/kerberosIV/doc/install.texi
new file mode 100644
index 0000000..26d2abf
--- /dev/null
+++ b/crypto/kerberosIV/doc/install.texi
@@ -0,0 +1,496 @@
+@node Installing programs, How to set up a realm, What is Kerberos?, Top
+@chapter Installing programs
+
+You have a choise to either build the distribution from source code or
+to install binaries, if they are available for your machine.
+
+@c XXX
+
+We recommend building from sources, but using pre-compiled binaries
+might be easier.  If there are no binaries available for your machine or
+you want to do some specific configuration, you will have to compile
+from source.
+
+@menu
+* Installing from source::      
+* Installing a binary distribution::  
+* Finishing the installation::  
+* .klogin::
+* Authentication modules::      
+@end menu
+
+@node Installing from source, Installing a binary distribution, Installing programs, Installing programs
+@comment  node-name,  next,  previous,  up
+@section Installing from source
+
+To build this software un-tar the distribution and run the
+@code{configure} script.
+
+To compile successfully, you will need an ANSI C compiler, such as
+@code{gcc}. Other compilers might also work, but setting the ``ANSI
+compliance'' too high, might break in parts of the code, not to mention
+the standard include files.
+
+To build in a separate build tree, run @code{configure} in the directory
+where the tree should reside.  You will need a Make that understands
+VPATH correctly.  GNU Make works fine.
+
+After building everything (which will take anywhere from a few minutes
+to a long time), you can install everything in @file{/usr/athena} with
+@kbd{make install} (running as root). It is possible to install in some
+other place, but it isn't recommended. To do this you will have to run
+@code{configure} with @samp{--prefix=/my/path}.
+
+If you need to change the default behavior, configure understands the
+following options:
+
+@table @asis
+@item @kbd{--enable-shared}
+Create shared versions of the Kerberos libraries. Not really
+recommended and might not work on all systems.
+
+@item @kbd{--with-ld-flags=}@var{flags}
+This allows you to specify which extra flags to pass to @code{ld}. Since
+this @emph{overrides} any choices made by configure, you should only use
+this if you know what you are doing.
+
+@item @kbd{--with-cracklib=}@var{dir}
+Use cracklib for password quality control in 
+@pindex kadmind
+@code{kadmind}. This option requires 
+@cindex cracklib
+cracklib with the patch from
+@url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
+
+@item @kbd{--with-dictpath=}@var{dictpath}
+This is the dictionary that cracklib should use.
+
+@item @kbd{--with-socks=}@var{dir}
+@cindex firewall
+@cindex socks
+If you have to traverse a firewall and it uses the SocksV5 protocol
+(@cite{RFC 1928}), you can build with socks-support.  Point @var{dir} to
+the directory where you have socks5 installed.  For more information
+about socks see @url{http://www.socks.nec.com/}.
+
+@item @kbd{--with-readline=}@var{dir}
+@cindex readline
+To enable history/line editing in @code{ftp} and @code{kadmin}, any
+present version of readline will be used.  If you have readline
+installed but in a place where configure does not manage to find it,
+you can use this option.  The code also looks for @code{libedit}.  If
+there is no library at all, the bundled version of @code{editline} will
+be used.
+
+@item @kbd{--with-mailspool=}@var{dir}
+The configuration process tries to determine where your machine stores
+its incoming mail.  This is typically @file{/usr/spool/mail} or
+@file{/var/mail}.  If it does not work or you store your mail in some
+unusual directory, this option can be used to specify where the mail
+spool directory is located.  This directory is only accessed by
+@pindex popper
+@code{popper}, and the mail check in
+@pindex login
+@code{login}.
+
+@item @kbd{--with-hesiod=}@var{dir}
+@cindex Hesiod
+Enable the Hesiod support in
+@pindex push
+@code{push}.  With this option, it will try
+to use the hesiod library to locate the mail post-office for the user.
+
+@c @item @kbd{--enable-random-mkey}
+@c Do not use this option unless you think you know what you are doing.
+
+@item @kbd{--with-mkey=}@var{file}
+Put the master key here, the default is @file{/.k}.
+
+@item @kbd{--with-db-dir=}@var{dir}
+Where the kerberos database should be stored.  The default is
+@file{/var/kerberos}.
+
+@item @kbd{--without-berkeley-db}
+If you have
+@cindex Berkeley DB
+Berkeley DB installed, it is preferred over
+@c XXX
+dbm. If you already are running Kerberos this option might be useful,
+since there currently isn't an easy way to convert a dbm database to a
+db one (you have to dump the old database and then load it with the new
+binaries).
+
+@item @kbd{--without-afs-support}
+Do not include AFS support.
+
+@item @kbd{--with-afsws=}@var{dir}
+Where your AFS client installation resides.  The default is
+@file{/usr/afsws}.
+
+@item @kbd{--enable-rxkad}
+Build the rxkad library.  Normally automatically included if there is AFS.
+
+@item @kbd{--disable-dynamic-afs}
+The AFS support in AIX consists of a shared library that is loaded at
+runtime. This option disables this, and links with static system
+calls. Doing this will make the built binaries crash on a machine that
+doesn't have AFS in the kernel (for instance if the AFS module fails to
+load at boot).
+
+@item @kbd{--with-mips-api=}@var{api}
+This option enables creation of different types of binaries on Irix.
+The allowed values are @kbd{32}, @kbd{n32}, and @kbd{64}.
+
+@item @kbd{--enable-legacy-kdestroy}
+This compile-time option creates a @code{kdestroy} that does not destroy
+any AFS tokens.
+
+@item @kbd{--disable-otp}
+Do not build the OTP (@pxref{One-Time Passwords}) library and programs,
+and do not include OTP support in the application programs.
+
+@item @kbd{--enable-match-subdomains}
+Normally, the host @samp{host.domain} will be considered to be part of
+the realm @samp{DOMAIN}.  With this option will also enable hosts of the
+form @samp{host.sub.domain}, @samp{host.sub1.sub2.domain}, and so on to
+be considered part of the realm @samp{DOMAIN}.
+
+@item @kbd{--enable-osfc2}
+Enable the use of enhanced C2 security on OSF/1. @xref{Digital SIA}.
+
+@item @kbd{--disable-mmap}
+Do not use the mmap system call.  Normally, configure detects if there
+is a working mmap and it is only used if there is one.  Only try this
+option if it fails to work anyhow.
+
+@item @kbd{--disable-cat-manpages}
+Do not install preformatted man pages.
+
+@c --with-des-quad-checksum
+
+@end table
+
+@node Installing a binary distribution, Finishing the installation, Installing from source, Installing programs
+@comment  node-name,  next,  previous,  up
+@section Installing a binary distribution
+
+The binary distribution is supposed to be installed in
+@file{/usr/athena}, installing in some other place may work but is not
+recommended.  A symlink from @file{/usr/athena} to the install directory
+should be fine.
+
+@node Finishing the installation, .klogin, Installing a binary distribution, Installing programs
+@section Finishing the installation
+
+@pindex su
+The only program that needs to be installed setuid to root is @code{su}.
+
+If 
+@pindex rlogin
+@pindex rsh
+@code{rlogin} and @code{rsh} are setuid to root they will fall back to
+non-kerberised protocols if the kerberised ones fail for some
+reason. The old protocols use reserved ports as security, and therefore
+the programs have to be setuid to root. If you don't need this
+functionality consider turning off the setuid bit.
+
+@pindex login
+@code{login} does not have to be setuid, as it is always run by root
+(users should use @code{su} rather than @code{login}).  It will print a
+helpful message when not setuid to root and run by a user.
+
+The programs intended to be run by users are located in
+@file{/usr/athena/bin}.  Inform your users to include
+@file{/usr/athena/bin} in their paths, or copy or symlink the binaries
+to some good place.  The programs that you will want to use are:
+@code{kauth}/@code{kinit},
+@pindex kauth
+@pindex kinit
+@code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ftp},
+@pindex klist
+@pindex kdestroy
+@pindex kpasswd
+@pindex ftp
+@code{telnet}, @code{rcp}, @code{rsh}, @code{rlogin}, @code{su},
+@pindex telnet
+@pindex rcp
+@pindex rsh
+@pindex rlogin
+@pindex su
+@pindex xnlock
+@pindex afslog
+@pindex pagsh
+@pindex rxtelnet
+@pindex tenletxr
+@pindex rxterm
+@code{rxtelnet}, @code{tenletxr}, @code{rxterm}, and
+@code{xnlock}. If you are using AFS, @code{afslog} and @code{pagsh}
+might also be useful.  Administrators will want to use @code{kadmin} and
+@code{ksrvutil}, which are located in @file{/usr/athena/sbin}.
+@pindex kadmin
+@pindex ksrvutil
+
+@code{telnetd} and @code{rlogind} assume that @code{login} is located in
+@file{/usr/athena/bin} (or whatever path you used as
+@samp{--prefix}). If for some reason you want to move @code{login}, you
+will have to specify the new location with the @samp{-L} switch when
+configuring
+@pindex telnetd
+telnetd
+and
+@pindex rlogind
+rlogind
+in @file{inetd.conf}.
+
+It should be possible to replace the system's default @code{login} with
+the kerberised @code{login}.  However some systems assume that login
+performs some serious amount of magic that our login might not do (although
+we've tried to do our best). So before replacing it on every machine,
+try and see what happens.  Another thing to try is to use one of the
+authentication modules (@pxref{Authentication modules}) supplied.
+
+The @code{login} program that we use was in an earlier life the standard
+login program from NetBSD. In order to use it with a lot of weird
+systems, it has been ``enhanced'' with features from many other logins
+(Solaris, SunOS, IRIX, AIX, and others).  Some of these features are
+actually useful and you might want to use them even on other systems.
+
+@table @file
+@item /etc/fbtab
+@pindex fbtab
+@itemx /etc/logindevperm
+@pindex logindevperm
+Allows you to chown some devices when a user logs in on a certain
+terminal.  Commonly used to change the ownership of @file{/dev/mouse},
+@file{/dev/kbd}, and other devices when someone logs in on
+@file{/dev/console}.
+
+@file{/etc/fbtab} is the SunOS file name and it is tried first.  If
+there is no such file then the Solaris file name
+@file{/etc/logindevperm} is tried.
+@item /etc/environment
+@pindex environment
+This file specifies what environment variables should be set when a user
+logs in. (AIX-style)
+@item /etc/default/login
+@pindex default/login
+Almost the same as @file{/etc/environment}, but the System V style.
+@item /etc/login.access
+@pindex login.access
+Can be used to control who is allowed to login from where and on what
+ttys. (From Wietse Venema)
+@end table
+
+@menu
+* .klogin::
+* Authentication modules::      
+@end menu
+
+@node .klogin, Authentication modules, Finishing the installation, Installing programs
+@comment  node-name,  next,  previous,  up
+
+Each user can have an authorization file @file{~@var{user}/.klogin}
+@pindex .klogin
+that
+determines what principals can login as that user.  It is similar to the
+@file{~user/.rhosts} except that it does not use IP and privileged-port
+based authentication.  If this file does not exist, the user herself
+@samp{user@@LOCALREALM} will be allowed to login.  Supplementary local
+realms (@pxref{Install the configuration files}) also apply here.  If the
+file exists, it should contain the additional principals that are to
+be allowed to login as the local user @var{user}.
+
+This file is consulted by most of the daemons (@code{rlogind},
+@code{rshd}, @code{ftpd}, @code{telnetd}, @code{popper}, @code{kauthd}, and
+@code{kxd})
+@pindex rlogind
+@pindex rshd
+@pindex ftpd
+@pindex telnetd
+@pindex popper
+@pindex kauthd
+@pindex kxd
+to determine if the
+principal requesting a service is allowed to receive it.  It is also
+used by
+@pindex su
+@code{su}, which is a good way of keeping an access control list (ACL)
+on who is allowed to become root.  Assuming that @file{~root/.klogin}
+contains:
+
+@example
+nisse.root@@FOO.SE
+lisa.root@@FOO.SE
+@end example
+
+both nisse and lisa will be able to su to root by entering the password
+of their root instance.  If that fails or if the user is not listed in
+@file{~root/.klogin}, @code{su} falls back to the normal policy of who
+is permitted to su.  Also note that that nisse and lisa can login
+with e.g. @code{telnet} as root provided that they have tickets for
+their root instance.
+
+@node  Authentication modules, , .klogin, Installing programs
+@comment  node-name,  next,  previous,  up
+@section Authentication modules
+The problem of having different authentication mechanisms has been
+recognised by several vendors, and several solutions has appeared. In
+most cases these solutions involve some kind of shared modules that are
+loaded at run-time.  Modules for some of these systems can be found in
+@file{lib/auth}.  Presently there are modules for Digital's SIA,
+Solaris' and Linux' PAM, and IRIX' @code{login} and @code{xdm} (in
+@file{lib/auth/afskauthlib}).
+
+@menu
+* Digital SIA::                 
+* IRIX::                        
+* PAM::                         
+@end menu
+
+@node Digital SIA, IRIX, Authentication modules, Authentication modules
+@subsection Digital SIA
+
+To install the SIA module you will have to do the following:
+
+@itemize @bullet
+
+@item
+Make sure @file{libsia_krb4.so} is available in
+@file{/usr/athena/lib}. If @file{/usr/athena} is not on local disk, you
+might want to put it in @file{/usr/shlib} or someplace else. If you do,
+you'll have to edit @file{krb4_matrix.conf} to reflect the new location
+(you will also have to do this if you installed in some other directory
+than @file{/usr/athena}). If you built with shared libraries, you will
+have to copy the shared @file{libkrb.so}, @file{libdes.so},
+@file{libkadm.so}, and @file{libkafs.so} to a place where the loader can
+find them (such as @file{/usr/shlib}).
+@item
+Copy (your possibly edited) @file{krb4_matrix.conf} to @file{/etc/sia}.
+@item
+Apply @file{security.patch} to @file{/sbin/init.d/security}.
+@item
+Turn on KRB4 security by issuing @kbd{rcmgr set SECURITY KRB4} and
+@kbd{rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf}.
+@item
+Digital thinks you should reboot your machine, but that really shouldn't
+be necessary.  It's usually sufficient just to run
+@kbd{/sbin/init.d/security start} (and restart any applications that use
+SIA, like @code{xdm}.)
+@end itemize
+
+Users with local passwords (like @samp{root}) should be able to login
+safely.
+
+When using Digital's xdm the @samp{KRBTKFILE} environment variable isn't
+passed along as it should (since xdm zaps the environment). Instead you
+have to set @samp{KRBTKFILE} to the correct value in
+@file{/usr/lib/X11/xdm/Xsession}. Add a line similar to
+@example
+KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE
+@end example
+If you use CDE, @code{dtlogin} allows you to specify which additional
+environment variables it should export. To add @samp{KRBTKFILE} to this
+list, edit @file{/usr/dt/config/Xconfig}, and look for the definition of
+@samp{exportList}. You want to add something like:
+@example
+Dtlogin.exportList:     KRBTKFILE
+@end example
+
+@subsubheading Notes to users with Enhanced security
+
+Digital's @samp{ENHANCED} (C2) security, and Kerberos solves two
+different problems. C2 deals with local security, adds better control of
+who can do what, auditing, and similar things. Kerberos deals with
+network security.
+
+To make C2 security work with Kerberos you will have to do the
+following.
+
+@itemize @bullet
+@item
+Replace all occurencies of @file{krb4_matrix.conf} with
+@file{krb4+c2_matrix.conf} in the directions above.
+@item
+You must enable ``vouching'' in the @samp{default} database.  This will
+make the OSFC2 module trust other SIA modules, so you can login without
+giving your C2 password. To do this use @samp{edauth} to edit the
+default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a
+@samp{d_accept_alternate_vouching} capability, if not already present.
+@item
+For each user that does @emph{not} have a local C2 password, you should
+set the password expiration field to zero. You can do this for each
+user, or in the @samp{default} table. To do this use @samp{edauth} to
+set (or change) the @samp{u_exp} capability to @samp{u_exp#0}.
+@item
+You also need to be aware that the shipped @file{login}, @file{rcp}, and
+@file{rshd}, doesn't do any particular C2 magic (such as checking to
+various forms of disabled accounts), so if you rely on those features,
+you shouldn't use those programs. If you configure with
+@samp{--enable-osfc2}, these programs will, however, set the login
+UID. Still: use at your own risk.
+@end itemize
+
+At present @samp{su} does not accept the vouching flag, so it will not
+work as expected.
+
+Also, kerberised ftp will not work with C2 passwords. You can solve this
+by using both Digital's ftpd and our on different ports.
+
+@strong{Remember}, if you do these changes you will get a system that
+most certainly does @emph{not} fulfill the requirements of a C2
+system. If C2 is what you want, for instance if someone else is forcing
+you to use it, you're out of luck.  If you use enhanced security because
+you want a system that is more secure than it would otherwise be, you
+probably got an even more secure system. Passwords will not be sent in
+the clear, for instance.
+
+@node IRIX, PAM, Digital SIA, Authentication modules
+@subsection IRIX
+
+The IRIX support is a module that is compatible with Transarc's
+@file{afskauthlib.so}.  It should work with all programs that use this
+library, this should include @file{login} and @file{xdm}.
+
+The interface is not very documented but it seems that you have to copy
+@file{libkafs.so}, @file{libkrb.so}, and @file{libdes.so} to
+@file{/usr/lib}, or build your @file{afskauthlib.so} statically.
+
+The @file{afskauthlib.so} itself is able to reside in
+@file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory
+(wherever that is).
+
+IRIX 6.4 and newer seems to have all programs (including @file{xdm} and
+@file{login}) in the N32 object format, whereas in older versions they
+were O32. For it to work, the @file{afskauthlib.so} library has to be in
+the same object format as the program that tries to load it. This might
+require that you have to configure and build for O32 in addition to the
+default N32.
+
+Appart from this it should ``just work'', there are no configuration
+files.
+
+@node PAM,  , IRIX, Authentication modules
+@subsection PAM
+
+The PAM module was written more out of curiosity that anything else. It
+has not been updated for quite a while, but it seems to mostly work on
+both Linux and Solaris.
+
+To use this module you should:
+
+@itemize @bullet
+@item
+Make sure @file{pam_krb4.so} is available in @file{/usr/athena/lib}. You
+might actually want it on local disk, so @file{/lib/security} might be a
+better place if @file{/usr/athena} is not local.
+@item
+Look at @file{pam.conf.add} for examples of what to add to
+@file{/etc/pam.conf}.
+@end itemize
+
+There is currently no support for changing kerberos passwords. Use
+kpasswd instead.
+
+See also Derrick J Brashear's @code{<shadow@@dementia.org>} Kerberos PAM
+module at @* @url{ftp://ftp.dementia.org/pub/pam}. It has a lot more
+features, and it is also more in line with other PAM modules.
diff --git a/crypto/kerberosIV/doc/intro.texi b/crypto/kerberosIV/doc/intro.texi
new file mode 100644
index 0000000..7a28533
--- /dev/null
+++ b/crypto/kerberosIV/doc/intro.texi
@@ -0,0 +1,41 @@
+@node Introduction, What is Kerberos?, Top, Top
+@comment  node-name,  next,  previous,  up
+@chapter Introduction
+
+This is an attempt at documenting the Kerberos 4 distribution from
+Kungliga Tekniska Högskolan (the Royal Institute of Technology in
+Stockholm, Sweden). This distribution is based on eBones, but has been
+improved in many ways. It is more portable, and several new features
+have been added. It should run on any reasonably modern unix-like
+system.
+
+In addition, some part compile and work on:
+
+@itemize @bullet
+@item
+OS/2 with EMX
+@item
+Windows 95/NT with gnu-win32 (with the proper amount of magic the
+libraries should compile with Microsoft C as well)
+@end itemize
+
+It should work on anything that is almost POSIX, has an ANSI C
+compiler, a dbm library (for the server side), and BSD Sockets.
+
+A web-page is available at @url{http://www.pdc.kth.se/kth-krb/}.
+
+@heading Bug reports
+
+If you cannot build the programs or they do not behave as you think they
+should, please send us a bug report.  The bug report should be sent to
+@code{<kth-krb-bugs@@pdc.kth.se>}.  Please include information on what
+machine and operating system (including version) you are running, what
+you are trying to do, what happens, what you think should have happened,
+an example for us to repeat, the output you get when trying the example,
+and a patch for the problem if you have one.  Please make any patches
+with @code{diff -u} or @code{diff -c}.  The more detailed the bug report
+is, the easier it will be for us to reproduce, understand, and fix it.
+
+Suggestions, comments and other non bug reports are welcome.  Send them
+to @code{<kth-krb@@pdc.kth.se>}.
+
diff --git a/crypto/kerberosIV/doc/kth-krb.texi b/crypto/kerberosIV/doc/kth-krb.texi
new file mode 100644
index 0000000..7898dff
--- /dev/null
+++ b/crypto/kerberosIV/doc/kth-krb.texi
@@ -0,0 +1,303 @@
+\input texinfo @c -*- texinfo -*-
+@c %**start of header
+@c $Id: kth-krb.texi,v 1.80 1999/12/02 16:58:35 joda Exp $
+@c $FreeBSD$
+@setfilename kth-krb.info
+@settitle KTH-KRB
+@iftex
+@afourpaper
+@end iftex
+@c some sensible characters, please?
+@tex
+\input latin1.tex
+@end tex
+@setchapternewpage on
+@syncodeindex pg cp
+@c %**end of header
+
+@ifinfo
+@dircategory Kerberos
+@direntry
+* Kth-krb: (kth-krb).           The Kerberos IV distribution from KTH
+@end direntry
+@end ifinfo
+
+@c title page
+@titlepage
+@title KTH-KRB
+@subtitle Kerberos 4 from KTH
+@subtitle For release 0.10.
+@subtitle 1999
+@author Johan Danielsson
+@author Assar Westerlund
+@author last updated $Date: 1999/12/02 16:58:35 $
+
+@def@copynext{@vskip 20pt plus 1fil@penalty-1000}
+@def@copyrightstart{}
+@def@copyrightend{}
+@page
+@copyrightstart
+Copyright (c) 1995-1999 Kungliga Tekniska Högskolan 
+(Royal Institute of Technology, Stockholm, Sweden).
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the Institute nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (C) 1995 Eric Young (eay@@mincom.oz.au)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+   This product includes software developed by Eric Young (eay@@mincom.oz.au)
+
+THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (c) 1983, 1990 The Regents of the University of California.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+   must display the following acknowledgement:
+     This product includes software developed by the University of
+     California, Berkeley and its contributors.
+
+4. Neither the name of the University nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (C) 1990 by the Massachusetts Institute of Technology
+
+Export of this software from the United States of America is assumed
+to require a specific license from the United States Government.
+It is the responsibility of any person or organization contemplating
+export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+@copynext
+
+Copyright 1987, 1989 by the Student Information Processing Board
+	of the Massachusetts Institute of Technology
+
+Permission to use, copy, modify, and distribute this software
+and its documentation for any purpose and without fee is
+hereby granted, provided that the above copyright notice
+appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation,
+and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
+used in advertising or publicity pertaining to distribution
+of the software without specific, written prior permission.
+M.I.T. and the M.I.T. S.I.P.B. make no representations about
+the suitability of this software for any purpose.  It is
+provided "as is" without express or implied warranty.
+
+@copynext
+
+Copyright 1992 Simmule Turner and Rich Salz.  All rights reserved. 
+
+This software is not subject to any license of the American Telephone 
+and Telegraph Company or of the Regents of the University of California. 
+
+Permission is granted to anyone to use this software for any purpose on
+any computer system, and to alter it and redistribute it freely, subject
+to the following restrictions:
+
+1. The authors are not responsible for the consequences of use of this
+   software, no matter how awful, even if they arise from flaws in it.
+
+2. The origin of this software must not be misrepresented, either by
+   explicit claim or by omission.  Since few users ever read sources,
+   credits must appear in the documentation.
+
+3. Altered versions must be plainly marked as such, and must not be
+   misrepresented as being the original software.  Since few users
+   ever read sources, credits must appear in the documentation.
+
+4. This notice may not be removed or altered.
+
+@copyrightend
+@end titlepage
+
+@c Less filling! Tastes great!
+@iftex
+@parindent=0pt
+@global@parskip 6pt plus 1pt
+@global@chapheadingskip = 15pt plus 4pt minus 2pt 
+@global@secheadingskip = 12pt plus 3pt minus 2pt
+@global@subsecheadingskip = 9pt plus 2pt minus 2pt
+@end iftex
+@ifinfo
+@paragraphindent 0
+@end ifinfo
+
+@ifinfo
+@node Top, Introduction, (dir), (dir)
+@top KTH-krb
+@end ifinfo
+
+@menu
+* Introduction::                
+* What is Kerberos?::           
+* Installing programs::         
+* How to set up a realm::       
+* One-Time Passwords::          
+* Resolving frequent problems::  
+* Acknowledgments::             
+* Index::                       
+
+@detailmenu
+ --- The Detailed Node Listing ---
+
+Installing programs
+
+* Installing from source::      
+* Installing a binary distribution::  
+* Finishing the installation::  
+* Authentication modules::      
+
+Finishing the installation
+
+* Authentication modules::      
+
+Authentication modules
+
+* Digital SIA::                 
+* IRIX::                        
+* PAM::                         
+
+How to set up a realm
+
+* How to set up the kerberos server::  
+* Install the client programs::  
+* Install the kerberised services::  
+* Install a slave kerberos server::  
+* Cross-realm functionality ::  
+
+How to set up the kerberos server
+
+* Choose a realm name::         
+* Choose a kerberos server::    
+* Install the configuration files::  
+* Install the /etc/services::   
+* Install the kerberos server::  
+* Set up the server::           
+* Add a few important principals::  
+* Start the server::            
+* Try to get tickets::          
+* Create initial ACL for the admin server::  
+* Start the admin server::      
+* Add users to the database::   
+* Automate the startup of the servers::  
+
+One-Time Passwords
+
+* What are one time passwords?::  
+* When to use one time passwords?::  
+* Configuring OTPs::            
+
+Resolving frequent problems
+
+* Problems compiling Kerberos::  
+* Problems with firewalls::     
+* Common error messages::       
+* Is Kerberos year 2000 safe?::  
+
+@end detailmenu
+@end menu
+
+@include intro.texi
+@include whatis.texi
+@include install.texi
+@include setup.texi
+@include otp.texi
+@include problems.texi
+@include ack.texi
+@include index.texi
+
+@c @shortcontents
+@contents
+
+@bye
diff --git a/crypto/kerberosIV/doc/latin1.tex b/crypto/kerberosIV/doc/latin1.tex
new file mode 100644
index 0000000..e683dd2
--- /dev/null
+++ b/crypto/kerberosIV/doc/latin1.tex
@@ -0,0 +1,95 @@
+% ISO Latin 1 (ISO 8859/1) encoding for Computer Modern fonts.
+% Jan Michael Rynning <jmr@nada.kth.se> 1990-10-12
+\def\inmathmode#1{\relax\ifmmode#1\else$#1$\fi}
+\global\catcode`\^^a0=\active \global\let^^a0=~		% no-break space
+\global\catcode`\^^a1=\active \global\def^^a1{!`}		% inverted exclamation mark
+\global\catcode`\^^a2=\active \global\def^^a2{{\rm\rlap/c}}	% cent sign
+\global\catcode`\^^a3=\active \global\def^^a3{{\it\$}}	% pound sign
+% currency sign, yen sign, broken bar
+\global\catcode`\^^a7=\active \global\let^^a7=\S		% section sign
+\global\catcode`\^^a8=\active \global\def^^a8{\"{}}		% diaeresis
+\global\catcode`\^^a9=\active \global\let^^a9=\copyright	% copyright sign
+% feminine ordinal indicator, left angle quotation mark
+\global\catcode`\^^ac=\active \global\def^^ac{\inmathmode\neg}% not sign
+\global\catcode`\^^ad=\active \global\let^^ad=\-		% soft hyphen
+% registered trade mark sign
+\global\catcode`\^^af=\active \global\def^^af{\={}}		% macron
+% ...
+\global\catcode`\^^b1=\active \global\def^^b1{\inmathmode\pm}	% plus minus
+\global\catcode`\^^b2=\active \global\def^^b2{\inmathmode{{^2}}}
+\global\catcode`\^^b3=\active \global\def^^b3{\inmathmode{{^3}}}
+\global\catcode`\^^b4=\active \global\def^^b4{\'{}}		% acute accent
+\global\catcode`\^^b5=\active \global\def^^b5{\inmathmode\mu}	% mu
+\global\catcode`\^^b6=\active \global\let^^b6=\P		% pilcroy
+\global\catcode`\^^b7=\active \global\def^^b7{\inmathmode{{\cdot}}}
+\global\catcode`\^^b8=\active \global\def^^b8{\c{}}		% cedilla
+\global\catcode`\^^b9=\active \global\def^^b9{\inmathmode{{^1}}}
+% ...
+\global\catcode`\^^bc=\active \global\def^^bc{\inmathmode{{1\over4}}}
+\global\catcode`\^^bd=\active \global\def^^bd{\inmathmode{{1\over2}}}
+\global\catcode`\^^be=\active \global\def^^be{\inmathmode{{3\over4}}}
+\global\catcode`\^^bf=\active \global\def^^bf{?`}		% inverted question mark
+\global\catcode`\^^c0=\active \global\def^^c0{\`A}
+\global\catcode`\^^c1=\active \global\def^^c1{\'A}
+\global\catcode`\^^c2=\active \global\def^^c2{\^A}
+\global\catcode`\^^c3=\active \global\def^^c3{\~A}
+\global\catcode`\^^c4=\active \global\def^^c4{\"A}		% capital a with diaeresis
+\global\catcode`\^^c5=\active \global\let^^c5=\AA		% capital a with ring above
+\global\catcode`\^^c6=\active \global\let^^c6=\AE
+\global\catcode`\^^c7=\active \global\def^^c7{\c C}
+\global\catcode`\^^c8=\active \global\def^^c8{\`E}
+\global\catcode`\^^c9=\active \global\def^^c9{\'E}
+\global\catcode`\^^ca=\active \global\def^^ca{\^E}
+\global\catcode`\^^cb=\active \global\def^^cb{\"E}
+\global\catcode`\^^cc=\active \global\def^^cc{\`I}
+\global\catcode`\^^cd=\active \global\def^^cd{\'I}
+\global\catcode`\^^ce=\active \global\def^^ce{\^I}
+\global\catcode`\^^cf=\active \global\def^^cf{\"I}
+% capital eth
+\global\catcode`\^^d1=\active \global\def^^d1{\~N}
+\global\catcode`\^^d2=\active \global\def^^d2{\`O}
+\global\catcode`\^^d3=\active \global\def^^d3{\'O}
+\global\catcode`\^^d4=\active \global\def^^d4{\^O}
+\global\catcode`\^^d5=\active \global\def^^d5{\~O}
+\global\catcode`\^^d6=\active \global\def^^d6{\"O}		% capital o with diaeresis
+\global\catcode`\^^d7=\active \global\def^^d7{\inmathmode\times}% multiplication sign
+\global\catcode`\^^d8=\active \global\let^^d8=\O
+\global\catcode`\^^d9=\active \global\def^^d9{\`U}
+\global\catcode`\^^da=\active \global\def^^da{\'U}
+\global\catcode`\^^db=\active \global\def^^db{\^U}
+\global\catcode`\^^dc=\active \global\def^^dc{\"U}
+\global\catcode`\^^dd=\active \global\def^^dd{\'Y}
+% capital thorn
+\global\catcode`\^^df=\active \global\def^^df{\ss}
+\global\catcode`\^^e0=\active \global\def^^e0{\`a}
+\global\catcode`\^^e1=\active \global\def^^e1{\'a}
+\global\catcode`\^^e2=\active \global\def^^e2{\^a}
+\global\catcode`\^^e3=\active \global\def^^e3{\~a}
+\global\catcode`\^^e4=\active \global\def^^e4{\"a}		% small a with diaeresis
+\global\catcode`\^^e5=\active \global\let^^e5=\aa		% small a with ring above
+\global\catcode`\^^e6=\active \global\let^^e6=\ae
+\global\catcode`\^^e7=\active \global\def^^e7{\c c}
+\global\catcode`\^^e8=\active \global\def^^e8{\`e}
+\global\catcode`\^^e9=\active \global\def^^e9{\'e}
+\global\catcode`\^^ea=\active \global\def^^ea{\^e}
+\global\catcode`\^^eb=\active \global\def^^eb{\"e}
+\global\catcode`\^^ec=\active \global\def^^ec{\`\i}
+\global\catcode`\^^ed=\active \global\def^^ed{\'\i}
+\global\catcode`\^^ee=\active \global\def^^ee{\^\i}
+\global\catcode`\^^ef=\active \global\def^^ef{\"\i}
+% small eth
+\global\catcode`\^^f1=\active \global\def^^f1{\~n}
+\global\catcode`\^^f2=\active \global\def^^f2{\`o}
+\global\catcode`\^^f3=\active \global\def^^f3{\'o}
+\global\catcode`\^^f4=\active \global\def^^f4{\^o}
+\global\catcode`\^^f5=\active \global\def^^f5{\~o}
+\global\catcode`\^^f6=\active \global\def^^f6{\"o}		% small o with diaeresis
+\global\catcode`\^^f7=\active \global\def^^f7{\inmathmode\div}% division sign
+\global\catcode`\^^f8=\active \global\let^^f8=\o
+\global\catcode`\^^f9=\active \global\def^^f9{\`u}
+\global\catcode`\^^fa=\active \global\def^^fa{\'u}
+\global\catcode`\^^fb=\active \global\def^^fb{\^u}
+\global\catcode`\^^fc=\active \global\def^^fc{\"u}
+\global\catcode`\^^fd=\active \global\def^^fd{\'y}
+% capital thorn
+\global\catcode`\^^ff=\active \global\def^^ff{\"y}
diff --git a/crypto/kerberosIV/doc/problems.texi b/crypto/kerberosIV/doc/problems.texi
new file mode 100644
index 0000000..d7a525f
--- /dev/null
+++ b/crypto/kerberosIV/doc/problems.texi
@@ -0,0 +1,342 @@
+@node Resolving frequent problems, Acknowledgments, One-Time Passwords, Top
+@chapter Resolving frequent problems
+
+@menu
+* Problems compiling Kerberos::  
+* Problems with firewalls::     
+* Common error messages::       
+* Is Kerberos year 2000 safe?::  
+@end menu
+
+@node Problems compiling Kerberos, Problems with firewalls, Resolving frequent problems, Resolving frequent problems
+@section Problems compiling Kerberos
+
+Many compilers require a switch to become ANSI compliant. Since krb4
+is written in ANSI C it is necessary to specify the name of the compiler
+to be used and the required switch to make it ANSI compliant. This is
+most easily done when running configure using the @kbd{env} command. For
+instance to build under HP-UX using the native compiler do:
+
+@cartouche
+@example
+datan$ env CC="cc -Ae" ./configure
+@end example
+@end cartouche
+
+@cindex GCC
+In general @kbd{gcc} works. The following combinations have also been
+verified to successfully compile the distribution:
+
+@table @asis
+
+@item @samp{HP-UX}
+@kbd{cc -Ae}
+@item @samp{Digital UNIX}
+@kbd{cc -std1}
+@item @samp{AIX}
+@kbd{xlc}
+@item @samp{Solaris 2.x}
+@kbd{cc} (unbundled one)
+@item @samp{IRIX}
+@kbd{cc}
+
+@end table
+
+@subheading Linux problems
+
+The libc functions gethostby*() under RedHat4.2 can sometimes cause
+core dumps. If you experience these problems make sure that the file
+@file{/etc/nsswitch.conf} contains a hosts entry no more complex than
+the line
+
+@cartouche
+hosts: files dns
+@end cartouche
+
+Some systems have lost @file{/usr/include/ndbm.h} which is necessary to
+build krb4 correctly. There is a @file{ndbm.h.Linux} right next to
+the source distribution.
+
+@cindex Linux
+There has been reports of non-working @file{libdb} on some Linux
+distributions.  If that happens, use the @kbd{--without-berkeley-db}
+when configuring.
+
+@subheading SunOS 5 (aka Solaris 2) problems
+
+@cindex SunOS 5
+
+When building shared libraries and using some combinations of GNU gcc/ld
+you better set the environment variable RUN_PATH to /usr/athena/lib
+(your target libdir). If you don't, then you will have to set
+LD_LIBRARY_PATH during runtime and the PAM module will not work.
+
+@subheading HP-UX problems
+
+@cindex HP-UX
+The shared library @file{/usr/lib/libndbm.sl} doesn't exist on all
+systems.  To make problems even worse, there is never an archive version
+for static linking either. Therefore, when building ``truly portable''
+binaries first install GNU gdbm or Berkeley DB, and make sure that you
+are linking against that library.
+
+@subheading Cray problems
+
+@kbd{rlogind} won't work on Crays until @code{forkpty()} has been
+ported, in the mean time use @kbd{telnetd}.
+
+@subheading IRIX problems
+
+@cindex IRIX
+
+IRIX has three different ABI:s (Application Binary Interface), there's
+an old 32 bit interface (known as O32, or just 32), a new 32 bit
+interface (N32), and a 64 bit interface (64). O32 and N32 are both 32
+bits, but they have different calling conventions, and alignment
+constraints, and similar. The N32 format is the default format from IRIX
+6.4.
+
+You select ABI at compile time, and you can do this with the
+@samp{--with-mips-abi} configure option. The valid arguments are
+@samp{o32}, @samp{n32}, and @samp{64}, N32 is the default. Libraries for
+the three different ABI:s are normally installed installed in different
+directories (@samp{lib}, @samp{lib32}, and @samp{lib64}). If you want
+more than one set of libraries you have to reconfigure and recompile for
+each ABI, but you should probably install only N32 binaries.
+
+@cindex GCC
+GCC had had some known problems with the different ABI:s. Old GCC could
+only handle O32, newer GCC can handle N32, and 64, but not O32, but in
+some versions of GCC the structure alignment was broken in N32.
+
+This confusion with different ABI:s can cause some trouble. For
+instance, the @file{afskauthlib.so} library has to use the same ABI as
+@file{xdm}, and @file{login}. The easiest way to check what ABI to use
+is to run @samp{file} on @file{/usr/bin/X11/xdm}.
+
+@cindex AFS
+Another problem that you might encounter if you run AFS is that Transarc
+apparently doesn't support the 64-bit ABI, and because of this you can't
+get tokens with a 64 bit application. If you really need to do this,
+there is a kernel module that provides this functionality at
+@url{ftp://ftp.pdc.kth.se/home/joda/irix-afs64.tar.gz}.
+
+@subheading AIX problems
+
+@cindex GCC
+@kbd{gcc} version 2.7.2.* has a bug which makes it miscompile
+@file{appl/telnet/telnetd/sys_term.c} (and possibily
+@file{appl/bsd/forkpty.c}), if used with too much optimization.
+
+Some versions of the @kbd{xlc} preprocessor doesn't recognise the
+(undocumented) @samp{-qnolm} option. If this option is passed to the
+preprocessor (like via the configuration file @file{/etc/ibmcxx.cfg},
+configure will fail.
+
+The solution is to remove this option from the configuration file,
+either globally, or for just the preprocessor:
+
+@example
+$ cp /etc/ibmcxx.cfg /tmp
+$ed /tmp/ibmcxx.cfg
+8328
+/nolm
+        options   = -D_AIX,-D_AIX32,-D_AIX41,-D_AIX43,-D_IBMR2,-D_POWER,-bpT:0x10000000,-bpD:0x20000000,-qnolm
+s/,-qnolm//p 
+        options   = -D_AIX,-D_AIX32,-D_AIX41,-D_AIX43,-D_IBMR2,-D_POWER,-bpT:0x10000000,-bpD:0x20000000
+w
+8321
+q
+$ env CC=xlc CPP="xlc -E -F/tmp/ibmcxx.cfg" configure
+@end example
+
+There is a bug in AFS 3.4 version 5.38 for AIX 4.3 that causes the
+kernel to panic in some cases. There is a hack for this in @kbd{login},
+but other programs could be affected also. This seems to be fixed in
+version 5.55.
+
+@subheading C2 problems
+
+@cindex C2
+The programs that checks passwords works with @file{passwd}, OTP, and
+Kerberos paswords. This is problem if you use C2 security (or use some
+other password database), that normally keeps passwords in some obscure
+place. If you want to use Kerberos with C2 security you will have to
+think about what kind of changes are necessary. See also the discussion
+about Digital's SIA and C2 security, see @ref{Digital SIA}.
+
+@node Problems with firewalls, Common error messages, Problems compiling Kerberos, Resolving frequent problems
+@section Problems with firewalls
+
+@cindex firewall
+A firewall is a network device that filters out certain types of packets
+going from one side of the firewall to the other. A firewall is supposed
+to solve the same kinds of problems as Kerberos (basically hindering
+unauthorised network use). The difference is that Kerberos tries to
+authenticate users, while firewall splits the network in a `secure'
+inside, and an `insecure' outside. 
+
+Firewall people usually think that UDP is insecure, partly because many
+`insecure' protocols use UDP. Since Kerberos by default uses UDP to send
+and recieve packets, Kerberos and firewalls doesn't work very well
+together.
+
+The symptoms of trying to use Kerberos behind a firewall is that you
+can't get any tickets (@code{kinit} exits with the infamous @samp{Can't
+send request} error message).
+
+There are a few ways to solve these problems:
+
+@itemize @bullet
+@item 
+Convince your firewall administrator to open UDP port 750 or 88 for
+incoming packets. This usually turns out to be difficult.
+@item 
+Convince your firewall administrator to open TCP port 750 or 88 for
+outgoing connections. This can be a lot easier, and might already be
+enabled.
+@item 
+Use TCP connections over some non-standard port. This requires that you
+have to convince the administrator of the kerberos server to allow
+connections on this port.
+@item 
+@cindex HTTP
+Use HTTP to get tickets. Since web-stuff has become almost infinitely
+popular, many firewalls either has the HTTP port open, or has a HTTP
+proxy.
+@end itemize
+
+The last two methods might be considered to be offensive (since you are
+not sending the `right' type of data in each port). You probably do best
+in discussuing this with firewall administrator.
+
+For information on how to use other protocols when communication with
+KDC, see @ref{Install the configuration files}.
+
+It is often the case that the firewall hides addresses on the `inside',
+so it looks like all packets are coming from the firewall. Since address
+of the client host is encoded in the ticket, this can cause trouble. If
+you get errors like @samp{Incorrect network address}, when trying to use
+the ticket, the problem is usually becuase the server you are trying to
+talk to sees a different address than the KDC did. If you experience
+this kind of trouble, the easiest way to solve them is probably to try
+some other mechanism to fetch tickets. You might also be able to
+convince the administrator of the server that the two different
+addresses should be added to the @file{/etc/krb.equiv} file.
+
+@node Common error messages, Is Kerberos year 2000 safe?, Problems with firewalls, Resolving frequent problems
+@section Common error messages
+
+These are some of the more obscure error messages you might encounter:
+
+@table @asis
+
+@item @samp{Time is out of bounds}
+
+The time on your machine differs from the time on either the kerberos
+server or the machine you are trying to login to. If it isn't obvious
+that this is the case, remember that all times are compared in UTC.
+
+On unix systems you usually can find out what the local time is by doing
+@code{telnet machine daytime}. This time (again, usually is the keyword)
+is with correction for time-zone and daylight savings.
+
+If you have problem keeping your clocks synchronized, consider using a
+time keeping system such as NTP (see also the discussion in
+@ref{Install the client programs}).
+
+@item @samp{Ticket issue date too far in the future}
+
+The time on the kerberos server is more than five minutes ahead of the
+time on the server.
+
+@item @samp{Can't decode authenticator}
+
+This means that there is a mismatch between the service key in the
+kerberos server and the service key file on the specific machine.
+Either:
+@itemize @bullet
+@item
+the server couldn't find a service key matching the request
+@item
+the service key (or version number) does not match the key the packet
+was encrypted with
+@end itemize
+
+@item @samp{Incorrect network address}
+
+The address in the ticket does not match the address you sent the
+request from. This happens on systems with more than one network
+address, either physically or logically. You can list addresses which
+should be considered equal in @file{/etc/krb.equiv} on your servers. 
+
+A note to programmers: a server should not pass @samp{*} as the instance
+to @samp{krb_rd_req}. It should try to figure out on which interface the
+request was received, for instance by using @samp{k_getsockinst}.
+
+If you change addresses on your computer you invalidate any tickets you
+might have. The easiest way to fix this is to get new tickets with the
+new address.
+
+@item @samp{Message integrity error}
+
+The packet is broken in some way:
+@itemize @bullet
+@item
+the lengths does not match the size of the packet, or
+@item
+the checksum does not match the contents of the packet
+@end itemize
+
+@item @samp{Can't send request}
+There is some problem contacting the kerberos server. Either the server
+is down, or it is using the wrong port (compare the entries for
+@samp{kerberos-iv} in @file{/etc/services}). The client might also have
+failed to guess what kerberos server to talk to (check
+@file{/etc/krb.conf} and @file{/etc/krb.realms}).
+
+One reason you can't contact the kerberos server might be because you're
+behind a firewall that doesn't allow kerberos packets to pass. For
+possible solutions to this see the firewall section above.
+
+@item @samp{kerberos: socket: Unable to open socket...}
+
+The kerberos server has to open four sockets for each interface.  If you
+have a machine with lots of virtual interfaces, you run the risk of
+running out of file descriptors.  If that happens you will get this
+error message.
+
+@item @samp{ftp: User foo access denied}
+
+This usually happens because the user's shell is not listed in
+@file{/etc/shells}.  Note that @kbd{ftpd} checks this file even on
+systems where the system version does not and there is no
+@file{/etc/shells}.
+
+@item @samp{Generic kerberos error}
+This is a generic catch-all error message.
+
+@end table
+
+@node Is Kerberos year 2000 safe?,  , Common error messages, Resolving frequent problems
+@section Is Kerberos year 2000 safe?
+
+@cindex Year 2000
+
+Yes.
+
+A somewhat longer answer is that we can't think of anything that can
+break. The protocol itself doesn't use time stamps in textual form, the
+two-digit year problems in the original MIT code has been fixed (this
+was a problem mostly with log files). The FTP client had a bug in the
+command `newer' (which fetches a file if it's newer than what you
+already got).
+
+Another thing to look out for, but that isn't a Y2K problem per se, is
+the expiration date of old principals. The MIT code set the default
+expiration date for some new principals to 1999-12-31, so you might want
+to check your database for things like this.
+
+Now, the Y2038 problem is something completely different (but the
+authors should have retired by then, presumably growing rowanberrys in
+some nice and warm place).
diff --git a/crypto/kerberosIV/doc/setup.texi b/crypto/kerberosIV/doc/setup.texi
new file mode 100644
index 0000000..24a955d
--- /dev/null
+++ b/crypto/kerberosIV/doc/setup.texi
@@ -0,0 +1,905 @@
+@node How to set up a realm, One-Time Passwords, Installing programs, Top
+@chapter How to set up a realm
+
+@quotation
+@flushleft
+	Who willed you? or whose will stands but mine?
+	There's none protector of the realm but I.
+	Break up the gates, I'll be your warrantize.
+	Shall I be flouted thus by dunghill grooms?
+        --- King Henry VI, 6.1
+@end flushleft
+@end quotation
+
+@menu
+* How to set up the kerberos server::  
+* Install the client programs::  
+* Install the kerberised services::  
+* Install a slave kerberos server::  
+* Cross-realm functionality ::  
+@end menu
+
+@node How to set up the kerberos server, Install the client programs, How to set up a realm, How to set up a realm
+@section How to set up the kerberos server
+
+@menu
+* Choose a realm name::         
+* Choose a kerberos server::    
+* Install the configuration files::  
+* Install the /etc/services::   
+* Install the kerberos server::  
+* Set up the server::           
+* Add a few important principals::  
+* Start the server::            
+* Try to get tickets::          
+* Create initial ACL for the admin server::  
+* Start the admin server::      
+* Add users to the database::   
+* Automate the startup of the servers::  
+@end menu
+
+@node Choose a realm name, Choose a kerberos server, How to set up the kerberos server, How to set up the kerberos server
+@subsection Choose a realm name
+
+A 
+@cindex realm
+realm is an administrative domain.  Kerberos realms are usually
+written in uppercase and consist of a Internet domain
+name@footnote{Using lowercase characters in the realm name might break
+in mysterious ways. This really should have been fixed, but has not.}.
+Call your realm the same as your Internet domain name if you do not have
+strong reasons for not doing so.  It will make life easier for you and
+everyone else.
+
+@node Choose a kerberos server, Install the configuration files, Choose a realm name, How to set up the kerberos server
+@subsection Choose a kerberos server
+
+You need to choose a machine to run the 
+@pindex kerberos
+kerberos server program.  If the kerberos database residing on this host
+is compromised, your entire realm will be compromised.  Therefore, this
+machine must be as secure as possible.  Preferably it should not run any
+services other than Kerberos.  The secure-minded administrator might
+only allow logins on the console.
+
+This machine has also to be reliable.  If it is down, you will not be
+able to use any kerberised services unless you have also configured a
+slave server (@pxref{Install a slave kerberos server}).
+
+Running the kerberos server requires very little CPU power and a small
+amount of disk. An old PC with some hundreds of megabytes of free disk
+space should do fine. Most of the disk space will be used for various
+logs.
+
+@node Install the configuration files, Install the /etc/services, Choose a kerberos server, How to set up the kerberos server
+@subsection Install the configuration files
+
+There are two important configuration files: @file{/etc/krb.conf} and
+@file{/etc/krb.realms}.
+@pindex krb.conf
+@pindex krb.realms
+
+The @file{krb.conf} file determines which machines are servers for
+different realms.  The format of this file is:
+
+@example
+THIS.REALM
+SUPP.LOCAL.REALM
+THIS.REALM              kerberos.this.realm admin server
+THIS.REALM              kerberos-1.this.realm
+SUPP.LOCAL.REALM        kerberos.supp.local.realm admin server
+ANOTHER.REALM           kerberos.another.realm
+@end example
+
+The first line defines the name of the local realm. The next few lines
+optionally defines supplementary local realms. 
+@cindex supplementary local realms
+The rest of the file
+defines the names of the kerberos servers and the database
+administration servers for all known realms. You can define any number
+of kerberos slave servers similar to the one defined on line
+four. Clients will try to contact servers in listed order.
+
+The @samp{admin server} clause at the first entry states that this is
+the master server
+@cindex master server
+(the one to contact when modifying the database, such as changing
+passwords). There should be only one such entry for each realm.
+
+In the original MIT Kerberos 4 (as in most others), the server
+specification could only take the form of a host-name. To facilitate
+having kerberos servers in odd places (such as behind a firewall),
+support has been added for ports other than the default (750), and
+protocols other than UDP.
+
+The formal syntax for an entry is now
+@samp{[@var{proto}/]@var{host}[:@var{port}]}. @var{proto} is either
+@samp{UDP}, @samp{TCP}, or @samp{HTTP}, and @var{port} is the port to
+talk to. Default value for @var{proto} is @samp{UDP} and for @var{port}
+whatever @samp{kerberos-iv} is defined to be in @file{/etc/services} or
+750 if undefined. If @var{proto} is @samp{HTTP}, the default port is
+80. An @samp{http} entry may also be specified in URL format.
+
+If the information about a realm is missing from the @file{krb.conf}
+file, or if the information is wrong, the following methods will be
+tried in order.
+
+@enumerate
+@item
+If you have an SRV-record (@cite{RFC 2052}) for your realm it will be
+used. This record should be of the form
+@samp{kerberos-iv.@var{protocol}.@var{REALM}}, where @var{proto} is
+either @samp{UDP}, @samp{TCP}, or @samp{HTTP}. (Note: the current
+implementation does not look at priority or weight when deciding which
+server to talk to.)
+@item
+If there isn't any SRV-record, it tries to find a TXT-record for the
+same domain. The contents of the record should have the same format as the
+host specification in @file{krb.conf}. (Note: this is a temporary
+solution if your name server doesn't support SRV records. The clients
+should work fine with SRV records, so if your name server supports them,
+they are very much preferred.)
+@item
+If no valid kerberos server is found, it will try to talk UDP to the
+service @samp{kerberos-iv} with fall-back to port 750 with
+@samp{kerberos.@var{REALM}} (which is also assumed to be the master
+server), and then @samp{kerberos-1.@var{REALM}},
+@samp{kerberos-2.@var{REALM}}, and so on.
+@end enumerate
+
+SRV records have been supported in BIND since 4.9.5T2A.  An example
+would look like the following in the zone file:
+
+@example
+kerberos-iv.udp.foo.se.  1M IN SRV  1 0 750 kerberos-1.foo.se.
+kerberos-iv.udp.foo.se.  1M IN SRV  0 0 750 kerberos.foo.se.
+@end example
+
+We strongly recommend that you add a CNAME @samp{kerberos.@var{REALM}}
+pointing to your kerberos master server.
+
+The @file{krb.realms} file is used to find out what realm a particular
+host belongs to.  An example of this file could look like:
+
+@example
+this.realm            THIS.REALM
+.this.realm           THIS.REALM
+foo.com               SOME.OTHER.REALM
+www.foo.com           A.STRANGE.REALM
+.foo.com              FOO.REALM
+@end example
+
+Entries starting with a dot are taken as the name of a domain. Entries
+not starting with a dot are taken as a host-name. The first entry matched
+is used. The entry for @samp{this.realm} is only necessary if there is a
+host named @samp{this.realm}.
+
+If no matching realm is found in @file{krb.realms}, DNS is searched for
+the correct realm. For example, if we are looking for host @samp{a.b.c},
+@samp{krb4-realm.a.b.c} is first tried and then @samp{krb4-realm.b.c}
+and so on. The entry should be a TXT record containing the name of the
+realm, such as:
+
+@example
+krb4-realm.pdc.kth.se.  7200    TXT     "NADA.KTH.SE"
+@end example
+
+If this didn't help the domain name sans the first part in uppercase is
+tried.
+
+The plain vanilla version of Kerberos doesn't have any fancy methods of
+getting realms and servers so it is generally a good idea to keep
+@file{krb.conf} and @file{krb.realms} up to date.
+
+In addition to these commonly used files, @file{/etc/krb.extra}
+@pindex krb.extra
+holds some things that are not normally used. It consists of a number of
+@samp{@var{variable} = @var{value}} pairs, blank lines and lines
+beginning with a hash (#) are ignored.
+
+The currently defined variables are:
+
+@table @samp
+@item kdc_timeout
+@cindex kdc_timeout
+The time in seconds to wait for an answer from the KDC (the default is 4
+seconds).
+@item kdc_timesync
+@cindex kdc_timesync
+This flag enables storing of the time differential to the KDC when
+getting an initial ticket. This differential is used later on to compute
+the correct time. This can help if your machine doesn't have a working
+clock.
+@item firewall_address
+@cindex firewall_address
+The IP address that hosts outside the firewall see when connecting from
+within the firewall. If this is specified, the code will try to compute
+the value for @samp{reverse_lsb_test}.
+@item krb4_proxy
+@cindex krb4_proxy
+When getting tickets via HTTP, this specifies the proxy to use. The
+default is to speak directly to the KDC.
+@item krb_default_tkt_root
+@cindex krb_default_tkt_root
+The default prefix for ticket files.  The default is @file{/tmp/tkt}.
+Normally the uid or tty is appended to this prefix.
+@item krb_default_keyfile
+@cindex krb_default_keyfile
+The file where the server keys are stored, the default is @file{/etc/srvtab}.
+@item nat_in_use
+@cindex nat_in_use
+If the client is behind a Network Address Translator (NAT).
+@cindex Network Address Translator
+@cindex NAT
+@item reverse_lsb_test
+@cindex reverse_lsb_test
+Reverses the test used by @code{krb_mk_safe}, @code{krb_rd_safe},
+@code{krb_mk_priv}, and @code{krb_rd_priv} to compute the ordering of
+the communicating hosts. This test can cause truble when using
+firewalls.
+@end table
+
+@node Install the /etc/services, Install the kerberos server, Install the configuration files, How to set up the kerberos server
+@subsection Updating /etc/services
+
+You should append or merge the contents of @file{services.append} to
+your @file{/etc/services} files or NIS-map. Remove any unused factory
+installed kerberos port definitions to avoid possible conflicts.
+@pindex services
+
+Most of the programs will fall back to the default ports if the port
+numbers are not found in @file{/etc/services}, but it is convenient to
+have them there anyway.
+
+@node Install the kerberos server, Set up the server, Install the /etc/services, How to set up the kerberos server
+@subsection Install the kerberos server
+
+You should have already chosen the machine where you want to run the
+kerberos server and the realm name.  The machine should also be as
+secure as possible (@pxref{Choose a kerberos server}) before installing
+the kerberos server.  In this example, we will install a kerberos server
+for the realm @samp{FOO.SE} on a machine called @samp{hemlig.foo.se}.
+
+@node Set up the server, Add a few important principals, Install the kerberos server, How to set up the kerberos server
+@subsection Setup the server
+
+Login as root on the console of the kerberos server.  Add
+@file{/usr/athena/bin} and @file{/usr/athena/sbin} to your path.  Create
+the directory @file{/var/kerberos} (@kbd{mkdir /var/kerberos}), which is
+where the database will be stored.  Then, to create the database, run
+@kbd{kdb_init}:
+@pindex kdb_init
+
+@example
+@cartouche
+hemlig# mkdir /var/kerberos
+hemlig# kdb_init
+Realm name [default  FOO.SE ]: 
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+
+Enter Kerberos master password: 
+Verifying password 
+Enter Kerberos master password: 
+@end cartouche
+@end example
+
+If you have set up the configuration files correctly, @kbd{kdb_init}
+should choose the correct realm as the default, otherwise a (good) guess
+is made.  Enter the master password.
+
+This password will only be used for encrypting the kerberos database on
+disk and for generating new random keys.  You will not have to remember
+it, only to type it again when you run @kbd{kstash}.  Choose something
+long and random.  Now run @kbd{kstash} using the same password:
+@pindex kstash
+
+@example
+@cartouche
+hemlig# kstash
+
+Enter Kerberos master password: 
+
+Current Kerberos master key version is 1.
+
+Master key entered.  BEWARE!
+Wrote master key to /.k
+@end cartouche
+@end example
+
+After entering the same master password it will be saved in the file
+@file{/.k} and the kerberos server will read it when needed. Write down
+the master password and put it in a sealed envelope in a safe, you might
+need it if your disk crashes or should you want to set up a slave
+server.
+
+@code{kdb_init} initializes the database with a few entries:
+
+@table @samp
+@item krbtgt.@var{REALM}
+The key used for authenticating to the kerberos server.
+
+@item changepw.kerberos
+The key used for authenticating to the administrative server, i.e. when
+adding users, changing passwords, and so on.
+
+@item default
+This entry is copied to new items when these are added.  Enter here the
+values you want new entries to have, particularly the expiry date.
+
+@item K.M
+This is the master key and it is only used to verify that the master key
+that is saved un-encrypted in @file{/.k} is correct and corresponds to
+this database.
+
+@end table
+
+@code{kstash} only reads the master password and writes it to
+@file{/.k}.  This enables the kerberos server to start without you
+having to enter the master password.  This file (@file{/.k}) is only
+readable by root and resides on a ``secure'' machine.
+
+@node Add a few important principals, Start the server, Set up the server, How to set up the kerberos server
+@subsection Add a few important principals
+
+Now the kerberos database has been created, containing only a few
+principals.  The next step is to add a few more so that you can test
+that it works properly and so that you can administer your realm without
+having to use the console on the kerberos server.  Use @kbd{kdb_edit}
+to edit the kerberos database directly on the server.
+@pindex kdb_edit
+
+@code{kdb_edit} is intended as a bootstrapping and fall-back mechanism
+for editing the database.  For normal purposes, use the @code{kadmin}
+program (@pxref{Add users to the database}).
+
+The following example shows the adding of the principal
+@samp{nisse.admin} into the kerberos database.  This principal is used
+by @samp{nisse} when administrating the kerberos database.  Later on the
+normal principal for @samp{nisse} will be created.  Replace @samp{nisse}
+and @samp{password} with your own username and password.
+
+@example
+@cartouche
+hemlig# kdb_edit -n
+Opening database...
+Current Kerberos master key version is 1.
+
+Master key entered.  BEWARE!
+Previous or default values are in [brackets] ,
+enter return to leave the same, or new value.
+
+Principal name: <nisse>
+Instance: <admin>
+
+<Not found>, Create [y] ? <>
+
+Principal: nisse, Instance: admin, kdc_key_ver: 1
+New Password: <password>
+Verifying password 
+New Password: <password>
+
+Principal's new key version = 1
+Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? <>
+Max ticket lifetime (*5 minutes) [ 255 ] ? <>
+Attributes [ 0 ] ? <>
+Edit O.K.
+Principal name: <>
+@end cartouche
+@end example
+
+@code{kdb_edit} will loop until you hit the @kbd{return} key at the
+``Principal name'' prompt. Now you have added nisse as an administrator.
+
+@page
+
+@node Start the server, Try to get tickets, Add a few important principals, How to set up the kerberos server
+@subsection Start the server
+
+@pindex kerberos
+@example
+@cartouche
+hemlig# /usr/athena/libexec/kerberos &
+Kerberos server starting
+Sleep forever on error
+Log file is /var/log/kerberos.log
+Current Kerberos master key version is 1.
+
+Master key entered.  BEWARE!
+
+Current Kerberos master key version is 1
+Local realm: FOO.SE
+@end cartouche
+@end example
+
+@node  Try to get tickets, Create initial ACL for the admin server, Start the server, How to set up the kerberos server
+@subsection Try to get tickets
+
+You can now verify that these principals have been added and that the
+server is working correctly.
+
+@pindex kinit
+@example
+@cartouche
+hemlig# kinit
+eBones International (hemlig.foo.se)
+Kerberos Initialization
+Kerberos name: <nisse.admin>
+Password: <password>
+@end cartouche
+@end example
+
+If you do not get any error message from @code{kinit}, then everything
+is working (otherwise, see @ref{Common error messages}).  Use
+@code{klist} to verify the tickets you acquired with @code{kinit}:
+
+@pindex klist
+@example
+@cartouche
+hemlig# klist
+Ticket file:    /tmp/tkt0
+Principal:      nisse.admin@@FOO.SE
+
+Issued           Expires          Principal
+May 24 21:06:03  May 25 07:06:03  krbtgt.FOO.SE@@FOO.SE
+@end cartouche
+@end example
+
+@node Create initial ACL for the admin server, Start the admin server, Try to get tickets, How to set up the kerberos server
+@subsection Create initial ACL for the admin server
+
+The admin server, @code{kadmind}, uses a series of files to determine who has
+@pindex kadmind
+the right to perform certain operations.  The files are:
+@file{admin_acl.add}, @file{admin_acl.get}, @file{admin_acl.del}, and
+@file{admin_acl.mod}.  Create these with @samp{nisse.admin@@FOO.SE} as
+the contents.
+@pindex admin_acl.add
+@pindex admin_acl.get
+@pindex admin_acl.del
+@pindex admin_acl.mod
+
+@example
+@cartouche
+hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.add
+hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.get
+hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.mod
+hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.del
+@end cartouche
+@end example
+
+Later on you may wish to add more users with administration
+privileges. Make sure that you create both the administration principals
+and add them to the admin server ACL.
+
+@node Start the admin server, Add users to the database, Create initial ACL for the admin server, How to set up the kerberos server
+@subsection Start the admin server
+
+@pindex kadmind
+@example
+@cartouche
+hemlig# /usr/athena/libexec/kadmind &
+KADM Server KADM0.0A initializing
+Please do not use 'kill -9' to kill this job, use a
+regular kill instead
+
+Current Kerberos master key version is 1.
+
+Master key entered.  BEWARE!
+@end cartouche
+@end example
+
+@node Add users to the database, Automate the startup of the servers, Start the admin server, How to set up the kerberos server
+@subsection Add users to the database
+
+Use the @code{kadmin} client to add users to the database:
+@pindex kadmin
+
+@example
+@cartouche
+hemlig# kadmin -p nisse.admin -m
+Welcome to the Kerberos Administration Program, version 2
+Type "help" if you need it.
+admin:  <add nisse>
+Admin password: <nisse.admin's password>
+Maximum ticket lifetime?  (255)  [Forever]  
+Attributes?  [0x00]  
+Expiration date (enter yyyy-mm-dd) ?  [Sat Jan  1 05:59:00 2000]  
+Password for nisse:
+Verifying password Password for nisse:
+nisse added to database.
+@end cartouche
+@end example
+
+Add whatever other users you want to have in the same way.  Verify that
+a user is in the database and check the database entry for that user:
+
+@example
+@cartouche
+admin:  <get nisse>
+Info in Database for nisse.:
+Max Life: 255 (Forever)   Exp Date: Sat Jan  1 05:59:59 2000
+
+Attribs: 00  key: 0 0
+admin:  <^D>
+Cleaning up and exiting.
+@end cartouche
+@end example
+
+@node Automate the startup of the servers,  , Add users to the database, How to set up the kerberos server
+@subsection Automate the startup of the servers
+
+Add the lines that were used to start the kerberos server and the
+admin server to your startup scripts (@file{/etc/rc} or similar).
+@pindex rc
+
+@node Install the client programs, Install the kerberised services, How to set up the kerberos server, How to set up a realm
+@section Install the client programs
+
+Making a machine a kerberos client only requires a few steps.  First you
+might need to change the configuration files as with the kerberos
+server.  (@pxref{Install the configuration files} and @pxref{Install the
+/etc/services}.) Also you need to make the programs in
+@file{/usr/athena/bin} available.  This can be done by adding the
+@file{/usr/athena/bin} directory to the users' paths, by making symbolic
+links, or even by copying the programs.
+
+You should also verify that the local time on the client is synchronised
+with the time on the kerberos server by some means. The maximum allowed
+time difference between the participating servers and a client is 5
+minutes.
+@cindex NTP.
+One good way to synchronize the time is NTP (Network Time Protocol), see
+@url{http://www.eecis.udel.edu/~ntp/}.
+
+If you need to run the client programs on a machine where you do not
+have root-access, you can hopefully just use the binaries and no
+configuration will be needed.  The heuristics used are mentioned above
+(see @ref{Install the configuration files}).  If this is not the case
+and you need to have @file{krb.conf} and/or @file{krb.realms}, you can
+copy them into a directory of your choice and
+@pindex krb.conf
+@pindex krb.realms
+set the environment variable @var{KRBCONFDIR} to point at this
+@cindex KRBCONFDIR
+directory.
+
+To test the client functionality, run the @code{kinit} program:
+
+@example
+@cartouche
+foo$ kinit
+eBones International (foo.foo.se)
+Kerberos Initialization
+Kerberos name: <nisse>
+Password: <password>
+
+foo$ klist
+Ticket file:    /tmp/tkt4711
+Principal:      nisse@@FOO.SE
+
+Issued           Expires          Principal
+May 24 21:06:03  May 25 07:06:03  krbtgt.FOO.SE@@FOO.SE
+@end cartouche
+@end example
+
+@node Install the kerberised services, Install a slave kerberos server, Install the client programs, How to set up a realm
+@section Install the kerberised services
+
+These includes @code{rsh}, @code{rlogin}, @code{telnet}, @code{ftp},
+@code{rxtelnet}, and so on.
+@pindex rsh
+@pindex rlogin
+@pindex telnet
+@pindex ftp
+@pindex rxtelnet
+
+First follow the steps mentioned in the prior section to make it a
+client and verify its operation.  Change @file{inetd.conf} next to use
+the new daemons.  Look at the file
+@pindex inetd.conf
+@file{etc/inetd.conf.changes} to see the changes that we recommend you
+perform on @file{inetd.conf}.
+
+You should at this point decide what services you want to run on
+each machine.
+
+@subsection rsh, rlogin, and rcp
+@pindex rsh
+@pindex rlogin
+@pindex rcp
+
+These exist in kerberised versions and ``old-style'' versions.  The
+different versions use different port numbers, so you can choose none,
+one, or both.  If you do not want to use ``old-style'' r* services, you
+can let the programs output the text ``Remote host requires Kerberos
+authentication'' instead of just refusing connections to that port.
+This is enabled with the @samp{-v} option.  The kerberised services
+exist in encrypted and non-encrypted versions.  The encrypted services
+have an ``e'' prepended to the name and the programs take @samp{-x} as an
+option indicating encryption.
+
+Our recommendation is to only use the kerberised services and give
+explanation messages for the old ports.
+
+@subsection telnet
+@pindex telnet
+
+The telnet service always uses the same port and negotiates as to which
+authentication method should be used.  The @code{telnetd} program has
+@pindex telnetd
+an option ``-a user'' that only allows kerberised and authenticated
+connections.  If this is not included, it falls back to using clear text
+passwords.  For obvious reasons, we recommend that you enable this
+option.  If you want to use one-time passwords (@pxref{One-Time
+Passwords}) you can use the ``-a otp'' option which will allow OTPs or
+kerberised connections.
+
+@subsection ftp
+@pindex ftp
+
+The ftp service works as telnet does, with just one port being used.  By
+default only kerberos authenticated connections are allowed.  You can
+specify additional levels that are thus allowed with these options:
+
+@table @asis
+@item @kbd{-a otp}
+Allow one-time passwords (@pxref{One-Time Passwords}).
+@item @kbd{-a ftp}
+Allow anonymous login (as user ``ftp'' or ``anonymous'').
+@item @kbd{-a safe}
+The same as @kbd{-a ftp}, for backwards compatibility.
+@item @kbd{-a plain}
+Allow clear-text passwords.
+@item @kbd{-a none}
+The same as @kbd{-a ftp -a plain}.
+@item @kbd{-a user}
+A no-op, also there for backwards compatibility reasons.
+@end table
+
+When running anonymous ftp you should read the man page on @code{ftpd}
+which explains how to set it up.
+
+@subsection pop
+@pindex popper
+
+The Post Office Protocol (POP) is used to retrieve mail from the mail
+hub.  The @code{popper} program implements the standard POP3 protocol
+and the kerberised KPOP.  Use the @samp{-k} option to run the kerberos
+version of the protocol. This service should only be run on your mail
+hub.
+
+@subsection kx
+@pindex kx
+
+@code{kx} allows you to run X over a kerberos-authenticated and
+encrypted connection.  This program is used by @code{rxtelnet},
+@code{tenletxr}, and @code{rxterm}.
+
+If you have some strange kind of operating system with X libraries that
+do not allow you to use unix-sockets, you need to specify the @samp{-t}
+@pindex kxd
+option to @code{kxd}.  Otherwise it should be sufficient by adding the
+daemon in @file{inetd.conf}.
+
+@subsection kauth
+@pindex kauth
+
+This service allows you to create tickets on a remote host.  To
+enable it just insert the corresponding line in @file{inetd.conf}.
+
+@section srvtabs
+@pindex srvtab
+
+In the same way every user needs to have a password registered with
+the kerberos server, every service needs to have a shared key with the
+kerberos server.  The service keys are stored in a file, usually called
+@file{/etc/srvtab}.  This file should not be readable to anyone but
+root, in order to keep the key from being divulged.  The name of this principal
+in the kerberos database is usually the service name and the hostname.  Examples
+of such principals are @samp{pop.@var{hostname}} and
+@samp{rcmd.@var{hostname}}.  (rcmd comes from ``remote command''.)  Here
+is a list of the most commonly used srvtab types and what programs use them.
+
+@table @asis
+@item rcmd.@var{hostname}
+rsh, rcp, rlogin, telnet, kauth, su, kx
+@item rcmd.kerberos
+kprop
+@item pop.@var{hostname}
+popper, movemail, push
+@item sample.@var{hostname}
+sample_server, simple_server
+@item changepw.kerberos
+kadmin, kpasswd
+@item krbtgt.@var{realm}
+kerberos (not stored in any srvtab)
+@item ftp.@var{hostname}
+ftp (also tries with rcmd.@var{hostname})
+@item zephyr.zephyr
+Zephyr
+@item afs or afs.@var{cellname}
+Andrew File System
+@end table
+
+To create these keys you will use the the @code{ksrvutil} program.
+Perform the
+@pindex ksrvutil
+following:
+
+@example
+@cartouche
+bar# ksrvutil -p nisse.admin get
+Name [rcmd]: <>
+Instance [bar]: <>
+Realm [FOO.SE]: <>
+Is this correct? (y,n) [y] <>
+Add more keys? (y,n) [n] <>
+Password for nisse.admin@@FOO.SE: <nisse.admin's password>
+Written rcmd.bar
+rcmd.bar@@FOO.SE
+Old keyfile in /etc/srvtab.old.
+@end cartouche
+@end example
+
+@subsection Complete test of the kerberised services
+
+Obtain a ticket on one machine (@samp{foo}) and use it to login with a
+kerberised service to a second machine (@samp{bar}).  The test should
+look like this if successful:
+
+@example
+@cartouche
+foo$ kinit nisse
+eBones International (foo.foo.se)
+Kerberos Initialization for "nisse"
+Password: <nisse's password>
+foo$ klist
+Ticket file:    /tmp/tkt4711
+Principal:      nisse@@FOO.SE
+
+Issued           Expires          Principal
+May 30 13:48:03  May 30 23:48:03  krbtgt.FOO.SE@@FOO.SE
+foo$ telnet bar
+Trying 17.17.17.17...
+Connected to bar.foo.se
+Escape character is '^]'.
+[ Trying mutual KERBEROS4 ... ]
+[ Kerberos V4 accepts you ]
+[ Kerberos V4 challenge successful ]
+bar$
+@end cartouche
+@end example
+
+You can also try with @code{rsh}, @code{rcp}, @code{rlogin},
+@code{rlogin -x}, and some other commands to see that everything is
+working all right.
+
+@node Install a slave kerberos server, Cross-realm functionality , Install the kerberised services, How to set up a realm
+@section Install a slave kerberos server
+
+It is desirable to have at least one backup (slave) server in case the
+master server fails. It is possible to have any number of such slave
+servers but more than three usually doesn't buy much more redundancy.
+
+First select a good server machine.  (@pxref{Choose a kerberos
+server}). 
+
+On the master, add a @samp{rcmd.kerberos} (note, it should be literally
+``kerberos'') principal (using @samp{ksrvutil get}). The
+@pindex kprop
+@code{kprop} program, running on the master, will use this when
+authenticating to the
+@pindex kpropd
+@code{kpropd} daemons running on the slave servers.  The @code{kpropd}
+on the slave will use its @samp{rcmd.hostname} key for authenticating
+the connection from the master.  Therefore, the slave needs to have this
+key in its srvtab, and it of course also needs to have enough of the
+configuration files to act as a server.  See @ref{Install the kerberised
+services} for information on how to do this.
+
+To summarize, the master should have a key for @samp{rcmd.kerberos} and
+the slave one for @samp{rcmd.hostname}.
+
+The slave will need the same master key as you used at the master.
+
+On your master server, create a file, e.g. @file{/var/kerberos/slaves},
+that contains the hostnames of your kerberos slave servers.
+
+Start @code{kpropd} with @samp{kpropd -i} on your slave servers.
+
+On your master server, create a dump of the database and then propagate
+it.
+
+@example
+foo# kdb_util slave_dump /var/kerberos/slave_dump
+foo# kprop
+@end example
+
+You should now have copies of the database on your slave servers. You
+can verify this by issuing @samp{kdb_util dump @var{file}} on your
+slave servers, and comparing with the original file on the master
+server. Note that the entries will not be in the same order.
+
+This procedure should be automated with a script run regularly by cron,
+for instance once an hour.
+
+Since the master and slave servers will use copies of the same
+database, they need to use the same master key.  Add the master key on
+the slave with @code{kstash}. (@pxref{Set up the server})
+
+To start the kerberos server on slaves, you first have to copy the
+master key from the master server. You can do this either by remembering
+the master password and issuing @samp{kstash}, or you can just copy the
+keyfile. Remember that if you copy the file, do so on a safe media, not
+over the network. Good means include floppy or paper. Paper is better,
+since it is easier to swallow afterwards.
+
+The kerberos server should be started with @samp{-s} on the slave
+servers. This enables sanity checks, for example checking the time since
+the last update from the master.
+
+All changes to the database are made by @code{kadmind} at the master,
+and then propagated to the slaves, so you should @strong{not} run
+@code{kadmind} on the slaves.
+
+Finally add the slave servers to
+@file{/etc/krb.conf}. The clients will ask the servers in the order
+specified by that file.
+
+Consider adding CNAMEs to your slave servers, see @ref{Install the
+configuration files}.
+
+@node Cross-realm functionality ,  , Install a slave kerberos server, How to set up a realm
+@section Cross-realm functionality
+
+Suppose you are residing in the realm @samp{MY.REALM}, how do you
+authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
+@samp{MY.REALM} allows you to communicate with kerberised services in that
+realm. However, the computer in the other realm does not have a secret
+key shared with the kerberos server in your realm.
+
+It is possible to add a shared key between two realms that trust each
+other. When a client program, such as @code{telnet}, finds that the
+other computer is in a different realm, it will try to get a ticket
+granting ticket for that other realm, but from the local kerberos
+server. With that ticket granting ticket, it will then obtain service
+tickets from the kerberos server in the other realm.
+
+To add this functionality you have to add a principal to each realm. The
+principals should be @samp{krbtgt.OTHER.REALM} in @samp{MY.REALM}, and
+@samp{krbtgt.MY.REALM} in @samp{OTHER.REALM}. The two different
+principals should have the same key (and key version number).  Remember
+to transfer this key in a safe manner. This is all that is required.
+
+@page
+
+@example
+@cartouche
+blubb$ klist
+Ticket file:    /tmp/tkt3008
+Principal:      joda@@NADA.KTH.SE
+
+  Issued           Expires          Principal
+Jun  7 02:26:23  Jun  7 12:26:23  krbtgt.NADA.KTH.SE@@NADA.KTH.SE
+blubb$ telnet agat.e.kth.se
+Trying 130.237.48.12...
+Connected to agat.e.kth.se.
+Escape character is '^]'.
+[ Trying mutual KERBEROS4 ... ]
+[ Kerberos V4 accepts you ]
+[ Kerberos V4 challenge successful ]
+Last login: Sun Jun  2 20:51:50 from emma.pdc.kth.se
+
+agat$ exit
+Connection closed by foreign host.
+blubb$ klist
+Ticket file:    /tmp/tkt3008
+Principal:      joda@@NADA.KTH.SE
+
+  Issued           Expires          Principal
+Jun  7 02:26:23  Jun  7 12:26:23  krbtgt.NADA.KTH.SE@@NADA.KTH.SE
+Jun  7 02:26:50  Jun  7 12:26:50  krbtgt.E.KTH.SE@@NADA.KTH.SE
+Jun  7 02:26:51  Jun  7 12:26:51  rcmd.agat@@E.KTH.SE
+@end cartouche
+@end example
diff --git a/crypto/kerberosIV/doc/whatis.texi b/crypto/kerberosIV/doc/whatis.texi
new file mode 100644
index 0000000..6721c23
--- /dev/null
+++ b/crypto/kerberosIV/doc/whatis.texi
@@ -0,0 +1,137 @@
+@node What is Kerberos?, Installing programs, Introduction, Top
+@chapter What is Kerberos?
+
+@quotation
+@flushleft
+        Now this Cerberus had three heads of dogs,
+        the tail of a dragon, and on his back the
+        heads of all sorts of snakes.
+        --- Pseudo-Apollodorus Library 2.5.12
+@end flushleft
+@end quotation
+
+Kerberos is a system for authenticating users and services on a network.
+It is built upon the assumption that the network is ``unsafe''.  For
+example, data sent over the network can be eavesdropped and altered, and
+addresses can also be faked.  Therefore they cannot be used for
+authentication purposes.
+@cindex authentication
+
+Kerberos is a trusted third-party service.  That means that there is a
+third party (the kerberos server) that is trusted by all the entities on
+the network (users and services, usually called @dfn{principals}).  All
+principals share a secret password (or key) with the kerberos server and
+this enables principals to verify that the messages from the kerberos
+server are authentic.  Thus trusting the kerberos server, users and
+services can authenticate each other.
+
+@section Basic mechanism
+
+@ifinfo
+@macro sub{arg}
+<\arg\>
+@end macro
+@end ifinfo
+
+@tex
+@def@xsub#1{$_{#1}$}
+@global@let@sub=@xsub
+@end tex
+
+In Kerberos, principals use @dfn{tickets} to prove that they are who
+they claim to be. In the following example, @var{A} is the initiator of
+the authentication exchange, usually a user, and @var{B} is the service
+that @var{A} wishes to use.
+
+To obtain a ticket for a specific service, @var{A} sends a ticket
+request to the kerberos server. The request basically contains @var{A}'s
+and @var{B}'s names. The kerberos server checks that both @var{A} and
+@var{B} are valid principals.
+
+Having verified the validity of the principals, it creates a packet
+containing @var{A}'s and @var{B}'s names, @var{A}'s network address
+(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime
+of the ticket (@var{life}), and a secret @dfn{session key}
+@cindex session key
+(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key
+(@var{K@sub{B}}).  The actual ticket (@var{T@sub{AB}}) looks like this:
+(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life},
+@var{K@sub{AB}}@}@var{K@sub{B}}).
+
+The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s
+name, the current time, the lifetime of the ticket, and the session key, all
+encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}},
+@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A}
+decrypts the reply and retains it for later use.
+
+@sp 1
+
+Before sending a message to @var{B}, @var{A} creates an authenticator
+consisting of @var{A}'s name, @var{A}'s address, the current time, and a
+``checksum'' chosen by @var{A}, all encrypted with the secret session
+key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}},
+@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket
+received from the kerberos server to @var{B}.  Upon reception, @var{B}
+decrypts the ticket using @var{B}'s secret key.  Since the ticket
+contains the session key that the authenticator was encrypted with,
+@var{B} can now also decrypt the authenticator. To verify that @var{A}
+really is @var{A}, @var{B} now has to compare the contents of the ticket
+with that of the authenticator. If everything matches, @var{B} now
+considers @var{A} as properly authenticated.
+
+@c (here we should have some more explanations)
+
+@section Different attacks
+
+@subheading Impersonating A
+
+An impostor, @var{C} could steal the authenticator and the ticket as it
+is transmitted across the network, and use them to impersonate
+@var{A}. The address in the ticket and the authenticator was added to
+make it more difficult to perform this attack.  To succeed @var{C} will
+have to either use the same machine as @var{A} or fake the source
+addresses of the packets. By including the time stamp in the
+authenticator, @var{C} does not have much time in which to mount the
+attack.
+
+@subheading Impersonating B
+
+@var{C} can masquerade @var{B}'s network address, and when @var{A} sends
+her credentials, @var{C} just pretend to verify them. @var{C} can't
+be sure that she is talking to @var{A}.
+
+@section Defense strategies
+
+It would be possible to add a @dfn{replay cache}
+@cindex replay cache
+to the server side.  The idea is to save the authenticators sent during
+the last few minutes, so that @var{B} can detect when someone is trying
+to retransmit an already used message. This is somewhat impractical
+(mostly regarding efficiency), and is not part of Kerberos 4; MIT
+Kerberos 5 contains it.
+
+To authenticate @var{B}, @var{A} might request that @var{B} sends
+something back that proves that @var{B} has access to the session
+key. An example of this is the checksum that @var{A} sent as part of the
+authenticator. One typical procedure is to add one to the checksum,
+encrypt it with the session key and send it back to @var{A}.  This is
+called @dfn{mutual authentication}.
+
+The session key can also be used to add cryptographic checksums to the
+messages sent between @var{A} and @var{B} (known as @dfn{message
+integrity}).  Encryption can also be added (@dfn{message
+confidentiality}). This is probably the best approach in all cases.
+@cindex integrity
+@cindex confidentiality
+
+@section Further reading
+
+The original paper on Kerberos from 1988 is @cite{Kerberos: An
+Authentication Service for Open Network Systems}, by Jennifer Steiner,
+Clifford Neuman and Jeffrey I. Schiller.
+
+A less technical description can be found in @cite{Designing an
+Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also
+from 1988.
+
+These and several other documents can be found on our web-page.
diff --git a/crypto/kerberosIV/eBones-p9.README b/crypto/kerberosIV/eBones-p9.README
new file mode 100644
index 0000000..8442985
--- /dev/null
+++ b/crypto/kerberosIV/eBones-p9.README
@@ -0,0 +1,26 @@
+The file eBones-p9.patch.Z is the compressed patch for Bones (patchlevel 9)
+that puts back the calls to the DES encryption libraries.
+
+eBones-p9-des.tar.Z is a compressed tar file of MIT compatible
+des encryption routines.  Install these routines in src/lib/des.
+The des_quad_cksum is not compatible with the MIT version
+but I should fix that when I have access to ultrix 4
+* [It has now been fixed and is the same as MIT's]
+(it has a binary copy of libdes.a)).  There are two extra routines,
+des_enc_read and des_enc_write.  These routines are used in the
+kerberos rcp, rlogin and rlogind to encrypt all network traffic.
+
+eBones-p9.tar.Z is a compressed tar file of Bones (patchlevel 9)
+with the eBones-p9.patch applied and eBones-p9-des.tar.Z installed.
+
+When applying the patch to Bones, don't do a
+find src -name "*.orig" -exec /bin/rm {} \;
+There is a file called src/util/ss/ss.h.orig that is needed and
+the above find will remove it.
+
+The Imakefile in src/lib/des assumes you have gcc.  If you don't,
+you will have to change the Imakefile.  Compile this directory with
+the maximum optimization your compiler has available.
+
+These modifications have been successfully unpacked and compiled
+on a microvax 3600.
diff --git a/crypto/kerberosIV/etc/README b/crypto/kerberosIV/etc/README
new file mode 100644
index 0000000..68865ec
--- /dev/null
+++ b/crypto/kerberosIV/etc/README
@@ -0,0 +1,41 @@
+
+	How to update your files in the /etc directory!
+
+/etc/services (all machines)
+
+  The contents of services.append can probably just be appended to
+your local file. If you use NIS (YP) you need to do this on the NIS
+master. Delete and duplicate definitions to prevent inconsistencies.
+
+/etc/krb.conf (all machines)
+
+  Create a krb.conf file by substituting MY.REALM.NAME with your
+domain name. If you create a domain name alias (CNAME) kerberos.domain
+pointing to your master server, unconfigured clients will have a
+chance to find your realm.
+
+  It is no longer necessary to put each and every realm in
+krb.{conf,realms}. If the domain name matches your realm name and you
+have a CNAME kerberos.REALMNAME pointing at your kerberos server other
+sites will find your realm even if it is not listed in krb.conf.  
+*** Please add this CNAME to your local DNS ***
+
+/etc/krb.realms (all machines)
+
+  Substitue MY.REALM.NAME in krb.realms with your domain name.
+  Not strictly necessary when domain and realm names match.
+
+/etc/inetd.conf (all machines supporting incoming telnet, rsh etc.)
+
+  Comment out the lines starting with shell, login and telnet and
+append inetd.conf.changes. Be carefull to check that there are no
+additional old entries of kshell, ekshell, klogin and eklogin left.
+
+  The -v option to rshd and rlogin turns off that service and echo
+an informational message to the user.
+
+/etc/srvtab
+
+  With 'ksrvutil get' you can add entries to the Kerberos database and
+put the service keys into your srvtab file.
+
diff --git a/crypto/kerberosIV/etc/default.login b/crypto/kerberosIV/etc/default.login
new file mode 100644
index 0000000..f01b2ee
--- /dev/null
+++ b/crypto/kerberosIV/etc/default.login
@@ -0,0 +1,47 @@
+#
+# Sample /etc/default/login file, read by the login program
+#
+# For more info consult SysV login(1)
+#
+# Most things are environment variables.
+# HZ and TZ are set only if they are still uninitialized.
+
+# This really variable TZ
+#TIMEZONE=EST5EDT
+
+#HZ=100
+
+# File size limit, se ulimit(2).
+# Note that the limit must be specified in units of 512-byte blocks.
+#ULIMIT=0
+
+# If CONSOLE is set, root can only login on that device.
+# When not set root can log in on any device.
+#CONSOLE=/dev/console
+
+# PASSREQ determines if login requires a password.
+PASSREQ=YES
+
+# ALTSHELL, really set SHELL=/bin/bash or other shell
+# Extension: when ALTSHELL=YES, we set the SHELL variable even if it is /bin/sh
+ALTSHELL=YES
+
+# Default PATH
+#PATH=/usr/bin:
+
+# Default PATH for root user
+#SUPATH=/usr/sbin:/usr/bin
+
+# TIMEOUT sets the number of seconds (between 0 and 900) to wait before
+# abandoning a login session.
+# 
+#TIMEOUT=300
+
+# Use this for default umask(2) value
+#UMASK=022
+
+# Sleeptime between failed logins
+# SLEEPTIME
+
+# Maximum number of failed login attempts, well the user can always reconnect
+# MAXTRYS
diff --git a/crypto/kerberosIV/etc/fbtab b/crypto/kerberosIV/etc/fbtab
new file mode 100644
index 0000000..3e21376
--- /dev/null
+++ b/crypto/kerberosIV/etc/fbtab
@@ -0,0 +1,15 @@
+# Sample /etc/fbtab file read by the login program
+# This file can also be called /etc/logindevperm.
+
+# Use this to give away devices to the console user. The group of the
+# devices is set to the owner's group specified in /etc/passwd.
+#
+# First column specifies the console device.
+#
+# Second the mode bits of the given away devices
+#
+# Third is a : separated list of devices to give away
+
+# console       mode    devices
+/dev/console	0600	/dev/console:/dev/mouse
+/dev/console	0600	/dev/floppy
diff --git a/crypto/kerberosIV/etc/hosts.equiv b/crypto/kerberosIV/etc/hosts.equiv
new file mode 100644
index 0000000..2fbb50c
--- /dev/null
+++ b/crypto/kerberosIV/etc/hosts.equiv
@@ -0,0 +1 @@
+localhost
diff --git a/crypto/kerberosIV/etc/inetd.conf.changes b/crypto/kerberosIV/etc/inetd.conf.changes
new file mode 100644
index 0000000..c0a88ca
--- /dev/null
+++ b/crypto/kerberosIV/etc/inetd.conf.changes
@@ -0,0 +1,33 @@
+#
+# $Id: inetd.conf.changes,v 1.13 1997/09/03 15:48:23 bg Exp $
+#
+# Turn off vanilla rshd and rlogind with an informational message.
+# If you really want this security problem remove the '-v' option!
+shell	stream	tcp nowait root	/usr/athena/libexec/rshd rshd -l -L -v
+login	stream	tcp nowait root /usr/athena/libexec/rlogind rlogind -l -v
+#
+# Kerberos rsh
+kshell	stream	tcp nowait root	/usr/athena/libexec/rshd rshd -L -k
+ekshell	stream	tcp nowait root	/usr/athena/libexec/rshd rshd -L -k -x
+ekshell2 stream	tcp nowait root	/usr/athena/libexec/rshd rshd -L -k -x
+#
+# Kerberos rlogin
+klogin	stream	tcp nowait root	/usr/athena/libexec/rlogind rlogind -k
+eklogin	stream	tcp nowait root	/usr/athena/libexec/rlogind rlogind -k -x
+#
+# Kerberized telnet and ftp, consider adding '-a user' to
+# disallow cleartext passwords to both telnetd and ftpd.
+telnet	stream	tcp nowait root /usr/athena/libexec/telnetd telnetd -a none
+ftp	stream	tcp nowait root	/usr/athena/libexec/ftpd ftpd -l -a none
+#
+# Kerberized POP. Server principal is pop.hostname, *not* rcmd.hostname!
+#kpop	stream	tcp nowait root	/usr/athena/libexec/popper popper -k
+#
+# Old POP3 with passwords in clear (not recommended, uses cleartext passwords)
+#pop3	stream	tcp nowait root	/usr/athena/libexec/popper popper
+#
+# Kauthd, support for putting tickets on other machines in a secure fashion.
+kauth	stream	tcp nowait root	/usr/athena/libexec/kauthd kauthd
+#
+# Encrypted X connections
+kx	stream	tcp nowait root	/usr/athena/libexec/kxd kxd
diff --git a/crypto/kerberosIV/etc/inetd.conf.changes.in b/crypto/kerberosIV/etc/inetd.conf.changes.in
new file mode 100644
index 0000000..2ccb8f5
--- /dev/null
+++ b/crypto/kerberosIV/etc/inetd.conf.changes.in
@@ -0,0 +1,33 @@
+#
+# $Id: inetd.conf.changes.in,v 1.14 1999/11/10 14:21:07 joda Exp $
+#
+# Turn off vanilla rshd and rlogind with an informational message.
+# If you really want this security problem remove the '-v' option!
+shell	stream	tcp nowait root	@prefix@/libexec/rshd rshd -l -L -v
+login	stream	tcp nowait root @prefix@/libexec/rlogind rlogind -l -v
+#
+# Kerberos rsh
+kshell	stream	tcp nowait root	@prefix@/libexec/rshd rshd -L -k
+ekshell	stream	tcp nowait root	@prefix@/libexec/rshd rshd -L -k -x
+ekshell2 stream	tcp nowait root	@prefix@/libexec/rshd rshd -L -k -x
+#
+# Kerberos rlogin
+klogin	stream	tcp nowait root	@prefix@/libexec/rlogind rlogind -k
+eklogin	stream	tcp nowait root	@prefix@/libexec/rlogind rlogind -k -x
+#
+# Kerberized telnet and ftp, consider adding '-a user' to
+# disallow cleartext passwords to both telnetd and ftpd.
+telnet	stream	tcp nowait root @prefix@/libexec/telnetd telnetd -a none
+ftp	stream	tcp nowait root	@prefix@/libexec/ftpd ftpd -l -a none
+#
+# Kerberized POP. Server principal is pop.hostname, *not* rcmd.hostname!
+#kpop	stream	tcp nowait root	@prefix@/libexec/popper popper -k
+#
+# Old POP3 with passwords in clear (not recommended, uses cleartext passwords)
+#pop3	stream	tcp nowait root	@prefix@/libexec/popper popper
+#
+# Kauthd, support for putting tickets on other machines in a secure fashion.
+kauth	stream	tcp nowait root	@prefix@/libexec/kauthd kauthd
+#
+# Encrypted X connections
+kx	stream	tcp nowait root	@prefix@/libexec/kxd kxd
diff --git a/crypto/kerberosIV/etc/krb.conf b/crypto/kerberosIV/etc/krb.conf
new file mode 100644
index 0000000..9c694b5
--- /dev/null
+++ b/crypto/kerberosIV/etc/krb.conf
@@ -0,0 +1,55 @@
+MY.REALM.NAME
+MY.REALM.NAME	kerberos.MY.REALM.NAME admin server
+SICS.SE		kerberos.sics.se admin server
+NADA.KTH.SE	kerberos.nada.kth.se admin server
+NADA.KTH.SE	sysman.nada.kth.se
+NADA.KTH.SE	server.nada.kth.se
+ADMIN.KTH.SE	ulysses.admin.kth.se admin server
+ADMIN.KTH.SE	graziano.admin.kth.se
+ADMIN.KTH.SE	montano.admin.kth.se
+BION.KTH.SE     chaplin.bion.kth.se admin server
+DSV.SU.SE	ssi.dsv.su.se admin server
+DSV.SU.SE	vall.dsv.su.se
+E.KTH.SE	kerberos.e.kth.se admin server
+E.KTH.SE        kerberos-1.e.kth.se
+E.KTH.SE        kerberos-2.e.kth.se
+IT.KTH.SE	kerberos.it.kth.se
+IT.KTH.SE	kerberos-1.it.kth.se
+IT.KTH.SE	kerberos-2.it.kth.se
+MECH.KTH.SE	kerberos.mech.kth.se admin server
+KTH.SE		kth.se admin server
+ML.KVA.SE	gustava.ml.kva.se admin server
+PI.SE		liszt.adm.pi.se admin server
+STACKEN.KTH.SE	kerberos.stacken.kth.se admin server
+SUNET.SE	kerberos.sunet.se admin server
+CYGNUS.COM kerberos.cygnus.com admin server
+CYGNUS.COM kerberos-1.cygnus.com
+CYGNUS.COM dumb.cygnus.com
+DEVO.CYGNUS.COM dumber.cygnus.com admin server
+MIRKWOOD.CYGNUS.COM mirkwood.cygnus.com admin server
+KITHRUP.COM KITHRUP.COM admin server
+ATHENA.MIT.EDU kerberos.mit.edu admin server
+ATHENA.MIT.EDU kerberos-1.mit.edu
+ATHENA.MIT.EDU kerberos-2.mit.edu
+ATHENA.MIT.EDU kerberos-3.mit.edu
+LCS.MIT.EDU kerberos.lcs.mit.edu admin server
+SMS_TEST.MIT.EDU dodo.mit.edu admin server
+LS.MIT.EDU ls.mit.edu admin server
+IFS.UMICH.EDU kerberos.ifs.umich.edu
+CS.WASHINGTON.EDU hawk.cs.washington.edu
+CS.WASHINGTON.EDU aspen.cs.washington.edu
+CS.BERKELEY.EDU okeeffe.berkeley.edu
+SOUP.MIT.EDU soup.mit.edu admin server
+TELECOM.MIT.EDU bitsy.mit.edu
+MEDIA.MIT.EDU kerberos.media.mit.edu
+NEAR.NET kerberos.near.net
+CATS.UCSC.EDU mehitabel.ucsc.edu admin server
+CATS.UCSC.EDU ucsch.ucsc.edu
+WATCH.MIT.EDU kerberos.watch.mit.edu admin server
+TELEBIT.COM napa.telebit.com. admin server
+ARMADILLO.COM monad.armadillo.com admin server
+TOAD.COM toad.com admin server
+ZEN.ORG zen.org admin server
+LLOYD.COM harry.lloyd.com admin server
+EPRI.COM kerberos.epri.com admin server
+EPRI.COM kerberos-2.epri.com
diff --git a/crypto/kerberosIV/etc/krb.equiv b/crypto/kerberosIV/etc/krb.equiv
new file mode 100644
index 0000000..6205c1f
--- /dev/null
+++ b/crypto/kerberosIV/etc/krb.equiv
@@ -0,0 +1,14 @@
+# List of host with multiple adresses.
+#
+193.10.156.253	130.237.232.44	193.10.156.252	# scws scws-fddi scws-2.
+193.10.156.250  130.237.232.15  		# salmon-sp salmon.
+#
+# new krb.equiv syntax for all of SP.
+#
+193.10.156.0/24	193.10.157.0/24	\	# syk-X.pdc.kth.se syk-X-hps.pdc.kth.se
+130.237.232.31	130.237.232.32	\	# syk-0101-fddi syk-0201-fddi
+130.237.232.38	130.237.232.39	\	# syk-0115-fddi syk-0116-fddi
+130.237.232.33	130.237.232.34	\	# syk-0301-fddi syk-0401-fddi
+130.237.232.35	130.237.232.36	\	# syk-0501-fddi syk-0601-fddi
+130.237.232.37	130.237.230.66	\	# syk-0602-fddi syk-0602-fcs
+130.237.230.36				# syk-0606-hippi.
diff --git a/crypto/kerberosIV/etc/krb.realms b/crypto/kerberosIV/etc/krb.realms
new file mode 100644
index 0000000..7498bf0
--- /dev/null
+++ b/crypto/kerberosIV/etc/krb.realms
@@ -0,0 +1,54 @@
+.MY.REALM.NAME	MY.REALM.NAME
+sics.se		SICS.SE
+.sics.se	SICS.SE
+nada.kth.se	NADA.KTH.SE
+pdc.kth.se	NADA.KTH.SE
+.hydro.kth.se	NADA.KTH.SE
+.mech.kth.se	MECH.KTH.SE
+.nada.kth.se	NADA.KTH.SE
+.pdc.kth.se	NADA.KTH.SE
+.sans.kth.se	NADA.KTH.SE
+.admin.kth.se	ADMIN.KTH.SE
+.e.kth.se	E.KTH.SE
+.s3.kth.se	E.KTH.SE
+.radio.kth.se	E.KTH.SE
+.ttt.kth.se	E.KTH.SE
+.electrum.kth.se	IT.KTH.SE
+.math.kth.se	MATH.KTH.SE
+.it.kth.se	IT.KTH.SE
+.sth.sunet.se	SUNET.SE
+.pilsnet.sunet.se	SUNET.SE
+.sunet.se	SUNET.SE
+.ml.kva.se	ML.KVA.SE
+pi.se		PI.SE
+.pi.se		PI.SE
+.adm.pi.se	PI.SE
+.stacken.kth.se	STACKEN.KTH.SE
+kth.se		KTH.SE
+.kth.se		KTH.SE
+.bion.kth.se	BION.KTH.SE
+.dsv.su.se	DSV.SU.SE
+.MIT.EDU ATHENA.MIT.EDU
+.MIT.EDU. ATHENA.MIT.EDU
+MIT.EDU ATHENA.MIT.EDU
+DODO.MIT.EDU SMS_TEST.MIT.EDU
+.UCSC.EDU CATS.UCSC.EDU
+.UCSC.EDU. CATS.UCSC.EDU
+CYGNUS.COM CYGNUS.COM
+.CYGNUS.COM CYGNUS.COM
+MIRKWOOD.CYGNUS.COM MIRKWOOD.CYGNUS.COM
+KITHRUP.COM KITHRUP.COM
+.KITHRUP.COM KITHRUP.COM
+.berkeley.edu   EECS.BERKELEY.EDU
+.CS.berkeley.edu        EECS.BERKELEY.EDU
+.MIT.EDU        ATHENA.MIT.EDU
+.mit.edu        ATHENA.MIT.EDU
+.BSDI.COM       BSDI.COM
+ARMADILLO.COM	ARMADILLO.COM
+.ARMADILLO.COM	ARMADILLO.COM
+ZEN.ORG		ZEN.ORG
+.ZEN.ORG	ZEN.ORG
+toad.com	TOAD.COM
+.toad.com	TOAD.COM
+lloyd.com	LLOYD.COM
+.lloyd.com	LLOYD.COM
diff --git a/crypto/kerberosIV/etc/login.access b/crypto/kerberosIV/etc/login.access
new file mode 100644
index 0000000..f811616
--- /dev/null
+++ b/crypto/kerberosIV/etc/login.access
@@ -0,0 +1,54 @@
+# Sample /etc/login.access file read by the login program
+#
+# Login access control table.
+# 
+# When someone logs in, the table is scanned for the first entry that
+# matches the (user, host) combination, or, in case of non-networked
+# logins, the first entry that matches the (user, tty) combination.  The
+# permissions field of that table entry determines whether the login will 
+# be accepted or refused.
+# 
+# Format of the login access control table is three fields separated by a
+# ":" character:
+# 
+# 	permission : users : origins
+# 
+# The first field should be a "+" (access granted) or "-" (access denied)
+# character. 
+#
+# The second field should be a list of one or more login names, group
+# names, or ALL (always matches). A pattern of the form user@host is
+# matched when the login name matches the "user" part, and when the
+# "host" part matches the local machine name.
+#
+# The third field should be a list of one or more tty names (for
+# non-networked logins), host names, domain names (begin with "."), host
+# addresses, internet network numbers (end with "."), ALL (always
+# matches) or LOCAL (matches any string that does not contain a "."
+# character).
+#
+# If you run NIS you can use @netgroupname in host or user patterns; this
+# even works for @usergroup@@hostgroup patterns. Weird.
+#
+# The EXCEPT operator makes it possible to write very compact rules.
+#
+# The group file is searched only when a name does not match that of the
+# logged-in user. Only groups are matched in which users are explicitly
+# listed: the program does not look at a user's primary group id value.
+#
+##############################################################################
+# 
+# Disallow console logins to all but a few accounts.
+#
+-:ALL EXCEPT wheel shutdown sync:console
+#
+# Disallow non-local logins to privileged accounts (group wheel).
+#
+-:wheel:ALL EXCEPT LOCAL .win.tue.nl
+#
+# Some accounts are not allowed to login from anywhere:
+#
+-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
+#
+# All other accounts are allowed to login from anywhere.
+#
diff --git a/crypto/kerberosIV/etc/services.append b/crypto/kerberosIV/etc/services.append
new file mode 100644
index 0000000..3b3ec61
--- /dev/null
+++ b/crypto/kerberosIV/etc/services.append
@@ -0,0 +1,26 @@
+#
+# $Id: services.append,v 1.13 1999/07/06 13:08:02 assar Exp $
+#
+# Kerberos services
+#
+kerberos-sec	88/udp				# Kerberos secondary port UDP
+kerberos-sec	88/tcp				# Kerberos secondary port TCP
+kpasswd		464/udp				# password changing
+kpasswd		464/tdp				# password changing
+klogin		543/tcp				# Kerberos authenticated rlogin
+kshell		544/tcp		krcmd		# and remote shell
+ekshell		545/tcp		      # Kerberos encrypted remote shell -kfall
+ekshell2	2106/tcp	      # What U of Colorado @ Boulder uses?
+kerberos-adm	749/udp				# v5 kadmin
+kerberos-adm	749/tcp				# v5 kadmin
+kerberos-iv	750/udp		kerberos kdc	# Kerberos authentication--udp
+kerberos-iv	750/tcp		kerberos kdc	# Kerberos authentication--tcp
+kerberos_master 751/udp				# v4 kadmin
+kerberos_master 751/tcp				# v4 kadmin
+krb_prop	754/tcp		hprop		# Kerberos slave propagation
+kpop		1109/tcp			# Pop with Kerberos
+eklogin		2105/tcp			# Kerberos encrypted rlogin
+rkinit		2108/tcp			# Kerberos remote kinit
+kx		2111/tcp			# X over kerberos
+kip		2112/tcp			# IP over kerberos
+kauth		2120/tcp			# Remote kauth
diff --git a/crypto/kerberosIV/include/Makefile.in b/crypto/kerberosIV/include/Makefile.in
new file mode 100644
index 0000000..eb29890
--- /dev/null
+++ b/crypto/kerberosIV/include/Makefile.in
@@ -0,0 +1,180 @@
+# $Id: Makefile.in,v 1.59.2.3 2000/12/13 14:41:37 assar Exp $
+
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+CC		= @CC@
+LINK = @LINK@
+DEFS		= @DEFS@ -DHOST=\"@CANONICAL_HOST@\"
+CFLAGS		= @CFLAGS@ $(WFLAGS)
+WFLAGS		= @WFLAGS@
+LD_FLAGS	= @LD_FLAGS@
+
+INSTALL		= @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS	= @top_srcdir@/mkinstalldirs
+LN_S		= @LN_S@
+EXECSUFFIX	= @EXECSUFFIX@
+
+prefix		= @prefix@
+exec_prefix	= @exec_prefix@
+includedir	= @includedir@
+libdir		= @libdir@
+
+@SET_MAKE@
+
+.c.o:
+	$(CC) -c $(DEFS) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+HEADERS = \
+	acl.h com_err.h com_right.h des.h kadm.h kafs.h kdc.h \
+	klog.h krb.h krb-protos.h krb-archaeology.h krb_db.h \
+	ktypes.h otp.h prot.h sl.h \
+	md4.h md5.h sha.h rc4.h @EXTRA_HEADERS@
+
+LOCL_HEADERS = \
+	     base64.h roken-common.h protos.h resolve.h xdbm.h	\
+	     krb_log.h getarg.h parse_time.h @EXTRA_LOCL_HEADERS@
+
+CLEAN_FILES = roken.h krb_err.h kadm_err.h
+
+BITS_OBJECTS = bits.o
+
+SOURCES = bits.c
+
+SUBDIRS		= sys
+
+all: stamp-headers
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) all); done
+
+Wall:
+	$(MAKE) CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(includedir)
+	for x in $(HEADERS); \
+		do $(INSTALL_DATA) $$x $(DESTDIR)$(includedir)/$$x; done
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) install); done
+
+uninstall:
+	for x in $(HEADERS); do \
+	  rm -f $(DESTDIR)$(includedir)/$$x; \
+	done
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) uninstall); done
+
+clean:
+	rm -f $(HEADERS) $(LOCL_HEADERS) \
+		$(CLEAN_FILES) *.o bits stamp-headers
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) clean); done
+
+mostlyclean:	clean
+
+distclean:
+	$(MAKE) clean
+	rm -f config.h version.h version.h.in
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) distclean); done
+	rm -f Makefile config.status *~
+
+realclean:
+	for i in $(SUBDIRS); \
+	do (cd $$i && $(MAKE) $(MFLAGS) realclean); done
+
+acl.h:
+	$(LN_S) $(srcdir)/../lib/acl/acl.h .
+
+com_err.h:
+	$(LN_S) $(srcdir)/../lib/com_err/com_err.h .
+com_right.h:
+	$(LN_S) $(srcdir)/../lib/com_err/com_right.h .
+
+des.h:
+	$(LN_S) $(srcdir)/../lib/des/des.h .
+
+md4.h:
+	$(LN_S) $(srcdir)/../lib/des/md4.h .
+
+md5.h:
+	$(LN_S) $(srcdir)/../lib/des/md5.h .
+
+sha.h:
+	$(LN_S) $(srcdir)/../lib/des/sha.h .
+
+rc4.h:
+	$(LN_S) $(srcdir)/../lib/des/rc4.h .
+
+kadm.h:
+	$(LN_S) $(srcdir)/../lib/kadm/kadm.h .
+
+kafs.h:
+	$(LN_S) $(srcdir)/../lib/kafs/kafs.h .
+
+kdc.h:
+	$(LN_S) $(srcdir)/../lib/kdb/kdc.h .
+
+klog.h:
+	$(LN_S) $(srcdir)/../lib/krb/klog.h .
+krb-archaeology.h:
+	$(LN_S) $(srcdir)/../lib/krb/krb-archaeology.h .
+krb-protos.h:
+	$(LN_S) $(srcdir)/../lib/krb/krb-protos.h .
+krb.h:
+	$(LN_S) $(srcdir)/../lib/krb/krb.h .
+prot.h:
+	$(LN_S) $(srcdir)/../lib/krb/prot.h .
+
+krb_db.h:
+	$(LN_S) $(srcdir)/../lib/kdb/krb_db.h .
+krb_log.h:
+	$(LN_S) $(srcdir)/../lib/krb/krb_log.h .
+
+otp.h:
+	$(LN_S) $(srcdir)/../lib/otp/otp.h .
+
+base64.h:
+	$(LN_S) $(srcdir)/../lib/roken/base64.h .
+err.h:
+	$(LN_S) $(srcdir)/../lib/roken/err.h .
+fnmatch.h:
+	$(LN_S) $(srcdir)/../lib/roken/fnmatch.h .
+getarg.h:
+	$(LN_S) $(srcdir)/../lib/roken/getarg.h .
+glob.h:
+	$(LN_S) $(srcdir)/../lib/roken/glob.h .
+parse_time.h:
+	$(LN_S) $(srcdir)/../lib/roken/parse_time.h .
+resolve.h:
+	$(LN_S) $(srcdir)/../lib/roken/resolve.h .
+roken-common.h:
+	$(LN_S) $(srcdir)/../lib/roken/roken-common.h .
+xdbm.h:
+	$(LN_S) $(srcdir)/../lib/roken/xdbm.h .
+
+sl.h:
+	$(LN_S) $(srcdir)/../lib/sl/sl.h .
+
+protos.h:
+	$(LN_S) $(srcdir)/protos.hin protos.h
+
+netdb.h:
+	$(LN_S) $(srcdir)/netdb.x netdb.h
+
+bits$(EXECSUFFIX):	$(BITS_OBJECTS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(BITS_OBJECTS)
+
+bits.o: bits.c
+
+ktypes.h: bits$(EXECSUFFIX)
+	./bits$(EXECSUFFIX) $@
+
+stamp-headers: Makefile
+	$(MAKE) $(HEADERS) $(LOCL_HEADERS)
+	touch stamp-headers
+
+.PHONY: all Wall install uninstall clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/include/bits.c b/crypto/kerberosIV/include/bits.c
new file mode 100644
index 0000000..a2c40bc
--- /dev/null
+++ b/crypto/kerberosIV/include/bits.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: bits.c,v 1.6 1999/12/02 16:58:36 joda Exp $");
+#endif
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#ifndef HAVE_STRUPR
+static void
+strupr(char *s)
+{
+    unsigned char *p = (unsigned char *)s;
+    while(*p){
+	if(islower(*p))
+	    *p = toupper(*p);
+	p++;
+    }
+}
+#endif /* HAVE_STRUPR */
+
+#define BITSIZE(TYPE)						\
+{								\
+    int b = 0; TYPE x = 1, zero = 0; char *pre = "u_";		\
+    char tmp[128], tmp2[128];					\
+    while(x){ x <<= 1; b++; if(x < zero) pre=""; }		\
+    if(b >= len){						\
+        int tabs;						\
+	sprintf(tmp, "%sint%d_t" , pre, len);			\
+	sprintf(tmp2, "typedef %s %s;", #TYPE, tmp);		\
+	strupr(tmp);						\
+	tabs = 5 - strlen(tmp2) / 8;				\
+        fprintf(f, "%s", tmp2);					\
+	while(tabs-- > 0) fprintf(f, "\t");			\
+	fprintf(f, "/* %2d bits */\n", b);			\
+        return;                                                 \
+    }								\
+}
+
+#ifndef HAVE___ATTRIBUTE__
+#define __attribute__(x)
+#endif
+
+static void
+try_signed(FILE *f, int len)  __attribute__ ((unused));
+
+static void
+try_unsigned(FILE *f, int len) __attribute__ ((unused));
+
+static void
+try_signed(FILE *f, int len)
+{
+    BITSIZE(signed char);
+    BITSIZE(short);
+    BITSIZE(int);
+    BITSIZE(long);
+#ifdef HAVE_LONG_LONG
+    BITSIZE(long long);
+#endif
+    fprintf(f, "/* There is no %d bit type */\n", len);
+}
+
+static void
+try_unsigned(FILE *f, int len)
+{
+    BITSIZE(unsigned char);
+    BITSIZE(unsigned short);
+    BITSIZE(unsigned int);
+    BITSIZE(unsigned long);
+#ifdef HAVE_LONG_LONG
+    BITSIZE(unsigned long long);
+#endif
+    fprintf(f, "/* There is no %d bit type */\n", len);
+}
+
+static int
+print_bt(FILE *f, int flag)
+{
+    if(flag == 0){
+	fprintf(f, "/* For compatibility with various type definitions */\n");
+	fprintf(f, "#ifndef __BIT_TYPES_DEFINED__\n");
+	fprintf(f, "#define __BIT_TYPES_DEFINED__\n");
+	fprintf(f, "\n");
+    }
+    return 1;
+}
+
+int main(int argc, char **argv)
+{
+    FILE *f;
+    int flag;
+    char *fn, *hb;
+    
+    if(argc < 2){
+	fn = "bits.h";
+	hb = "__BITS_H__";
+	f = stdout;
+    } else {
+	char *p;
+	fn = argv[1];
+	hb = malloc(strlen(fn) + 5);
+	sprintf(hb, "__%s__", fn);
+	for(p = hb; *p; p++){
+	    if(!isalnum((unsigned char)*p))
+		*p = '_';
+	}
+	f = fopen(argv[1], "w");
+    }
+    fprintf(f, "/* %s -- this file was generated for %s by\n", fn, HOST);
+    fprintf(f, "   %*s    %s */\n\n", (int)strlen(fn), "", 
+	    "$Id: bits.c,v 1.6 1999/12/02 16:58:36 joda Exp $");
+    fprintf(f, "#ifndef %s\n", hb);
+    fprintf(f, "#define %s\n", hb);
+    fprintf(f, "\n");
+#ifdef HAVE_SYS_TYPES_H
+    fprintf(f, "#include <sys/types.h>\n");
+#endif
+#ifdef HAVE_INTTYPES_H
+    fprintf(f, "#include <inttypes.h>\n");
+#endif
+#ifdef HAVE_SYS_BITYPES_H
+    fprintf(f, "#include <sys/bitypes.h>\n");
+#endif
+#ifdef HAVE_NETINET_IN6_MACHTYPES_H
+    fprintf(f, "#include <netinet/in6_machtypes.h>\n");
+#endif
+    fprintf(f, "\n");
+
+    flag = 0;
+#ifndef HAVE_INT8_T
+    flag = print_bt(f, flag);
+    try_signed (f, 8);
+#endif /* HAVE_INT8_T */
+#ifndef HAVE_INT16_T
+    flag = print_bt(f, flag);
+    try_signed (f, 16);
+#endif /* HAVE_INT16_T */
+#ifndef HAVE_INT32_T
+    flag = print_bt(f, flag);
+    try_signed (f, 32);
+#endif /* HAVE_INT32_T */
+#if 0
+#ifndef HAVE_INT64_T
+    flag = print_bt(f, flag);
+    try_signed (f, 64);
+#endif /* HAVE_INT64_T */
+#endif
+
+#ifndef HAVE_U_INT8_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 8);
+#endif /* HAVE_INT8_T */
+#ifndef HAVE_U_INT16_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 16);
+#endif /* HAVE_U_INT16_T */
+#ifndef HAVE_U_INT32_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 32);
+#endif /* HAVE_U_INT32_T */
+#if 0
+#ifndef HAVE_U_INT64_T
+    flag = print_bt(f, flag);
+    try_unsigned (f, 64);
+#endif /* HAVE_U_INT64_T */
+#endif
+
+    if(flag){
+	fprintf(f, "\n");
+	fprintf(f, "#endif /* __BIT_TYPES_DEFINED__ */\n\n");
+    }
+    fprintf(f, "#endif /* %s */\n", hb);
+    return 0;
+}
diff --git a/crypto/kerberosIV/include/config.h.in b/crypto/kerberosIV/include/config.h.in
new file mode 100644
index 0000000..4995c27
--- /dev/null
+++ b/crypto/kerberosIV/include/config.h.in
@@ -0,0 +1,1280 @@
+/* include/config.h.in.  Generated automatically from configure.in by autoheader.  */
+
+/* Define if using alloca.c.  */
+#undef C_ALLOCA
+
+/* Define to empty if the keyword does not work.  */
+#undef const
+
+/* Define to one of _getb67, GETB67, getb67 for Cray-2 and Cray-YMP systems.
+   This function is required for alloca.c support on those systems.  */
+#undef CRAY_STACKSEG_END
+
+/* Define to `int' if <sys/types.h> doesn't define.  */
+#undef gid_t
+
+/* Define if you have alloca, as a function or macro.  */
+#undef HAVE_ALLOCA
+
+/* Define if you have <alloca.h> and it should be used (not on Ultrix).  */
+#undef HAVE_ALLOCA_H
+
+/* Define if you have a working `mmap' system call.  */
+#undef HAVE_MMAP
+
+/* Define if your struct stat has st_blksize.  */
+#undef HAVE_ST_BLKSIZE
+
+/* Define as __inline if that's what the C compiler calls it.  */
+#undef inline
+
+/* Define to `long' if <sys/types.h> doesn't define.  */
+#undef off_t
+
+/* Define to `int' if <sys/types.h> doesn't define.  */
+#undef pid_t
+
+/* Define if you need to in order for stat and other things to work.  */
+#undef _POSIX_SOURCE
+
+/* Define as the return type of signal handlers (int or void).  */
+#undef RETSIGTYPE
+
+/* Define to `unsigned' if <sys/types.h> doesn't define.  */
+#undef size_t
+
+/* If using the C implementation of alloca, define if you know the
+   direction of stack growth for your system; otherwise it will be
+   automatically deduced at run-time.
+ STACK_DIRECTION > 0 => grows toward higher addresses
+ STACK_DIRECTION < 0 => grows toward lower addresses
+ STACK_DIRECTION = 0 => direction of growth unknown
+ */
+#undef STACK_DIRECTION
+
+/* Define if you have the ANSI C header files.  */
+#undef STDC_HEADERS
+
+/* Define if `sys_siglist' is declared by <signal.h>.  */
+#undef SYS_SIGLIST_DECLARED
+
+/* Define if you can safely include both <sys/time.h> and <time.h>.  */
+#undef TIME_WITH_SYS_TIME
+
+/* Define to `int' if <sys/types.h> doesn't define.  */
+#undef uid_t
+
+/* Define if your processor stores words with the most significant
+   byte first (like Motorola and SPARC, unlike Intel and VAX).  */
+#undef WORDS_BIGENDIAN
+
+/* Define if the X Window System is missing or not being used.  */
+#undef X_DISPLAY_MISSING
+
+/* Define if you have the XauFileName function.  */
+#undef HAVE_XAUFILENAME
+
+/* Define if you have the XauReadAuth function.  */
+#undef HAVE_XAUREADAUTH
+
+/* Define if you have the XauWriteAuth function.  */
+#undef HAVE_XAUWRITEAUTH
+
+/* Define if you have the _getpty function.  */
+#undef HAVE__GETPTY
+
+/* Define if you have the _scrsize function.  */
+#undef HAVE__SCRSIZE
+
+/* Define if you have the _setsid function.  */
+#undef HAVE__SETSID
+
+/* Define if you have the _stricmp function.  */
+#undef HAVE__STRICMP
+
+/* Define if you have the asnprintf function.  */
+#undef HAVE_ASNPRINTF
+
+/* Define if you have the asprintf function.  */
+#undef HAVE_ASPRINTF
+
+/* Define if you have the atexit function.  */
+#undef HAVE_ATEXIT
+
+/* Define if you have the cap_set_proc function.  */
+#undef HAVE_CAP_SET_PROC
+
+/* Define if you have the cgetent function.  */
+#undef HAVE_CGETENT
+
+/* Define if you have the chown function.  */
+#undef HAVE_CHOWN
+
+/* Define if you have the chroot function.  */
+#undef HAVE_CHROOT
+
+/* Define if you have the copyhostent function.  */
+#undef HAVE_COPYHOSTENT
+
+/* Define if you have the crypt function.  */
+#undef HAVE_CRYPT
+
+/* Define if you have the daemon function.  */
+#undef HAVE_DAEMON
+
+/* Define if you have the dlopen function.  */
+#undef HAVE_DLOPEN
+
+/* Define if you have the dn_expand function.  */
+#undef HAVE_DN_EXPAND
+
+/* Define if you have the el_init function.  */
+#undef HAVE_EL_INIT
+
+/* Define if you have the err function.  */
+#undef HAVE_ERR
+
+/* Define if you have the errx function.  */
+#undef HAVE_ERRX
+
+/* Define if you have the fattach function.  */
+#undef HAVE_FATTACH
+
+/* Define if you have the fchmod function.  */
+#undef HAVE_FCHMOD
+
+/* Define if you have the fchown function.  */
+#undef HAVE_FCHOWN
+
+/* Define if you have the fcntl function.  */
+#undef HAVE_FCNTL
+
+/* Define if you have the flock function.  */
+#undef HAVE_FLOCK
+
+/* Define if you have the fnmatch function.  */
+#undef HAVE_FNMATCH
+
+/* Define if you have the forkpty function.  */
+#undef HAVE_FORKPTY
+
+/* Define if you have the freehostent function.  */
+#undef HAVE_FREEHOSTENT
+
+/* Define if you have the frevoke function.  */
+#undef HAVE_FREVOKE
+
+/* Define if you have the getattr function.  */
+#undef HAVE_GETATTR
+
+/* Define if you have the getcwd function.  */
+#undef HAVE_GETCWD
+
+/* Define if you have the getdtablesize function.  */
+#undef HAVE_GETDTABLESIZE
+
+/* Define if you have the getegid function.  */
+#undef HAVE_GETEGID
+
+/* Define if you have the geteuid function.  */
+#undef HAVE_GETEUID
+
+/* Define if you have the getgid function.  */
+#undef HAVE_GETGID
+
+/* Define if you have the gethostbyname function.  */
+#undef HAVE_GETHOSTBYNAME
+
+/* Define if you have the gethostname function.  */
+#undef HAVE_GETHOSTNAME
+
+/* Define if you have the getipnodebyaddr function.  */
+#undef HAVE_GETIPNODEBYADDR
+
+/* Define if you have the getipnodebyname function.  */
+#undef HAVE_GETIPNODEBYNAME
+
+/* Define if you have the getlogin function.  */
+#undef HAVE_GETLOGIN
+
+/* Define if you have the getopt function.  */
+#undef HAVE_GETOPT
+
+/* Define if you have the getpagesize function.  */
+#undef HAVE_GETPAGESIZE
+
+/* Define if you have the getpriority function.  */
+#undef HAVE_GETPRIORITY
+
+/* Define if you have the getpwnam_r function.  */
+#undef HAVE_GETPWNAM_R
+
+/* Define if you have the getrlimit function.  */
+#undef HAVE_GETRLIMIT
+
+/* Define if you have the getservbyname function.  */
+#undef HAVE_GETSERVBYNAME
+
+/* Define if you have the getsockopt function.  */
+#undef HAVE_GETSOCKOPT
+
+/* Define if you have the getspnam function.  */
+#undef HAVE_GETSPNAM
+
+/* Define if you have the gettimeofday function.  */
+#undef HAVE_GETTIMEOFDAY
+
+/* Define if you have the gettosbyname function.  */
+#undef HAVE_GETTOSBYNAME
+
+/* Define if you have the getudbnam function.  */
+#undef HAVE_GETUDBNAM
+
+/* Define if you have the getuid function.  */
+#undef HAVE_GETUID
+
+/* Define if you have the getusershell function.  */
+#undef HAVE_GETUSERSHELL
+
+/* Define if you have the grantpt function.  */
+#undef HAVE_GRANTPT
+
+/* Define if you have the hstrerror function.  */
+#undef HAVE_HSTRERROR
+
+/* Define if you have the inet_aton function.  */
+#undef HAVE_INET_ATON
+
+/* Define if you have the inet_ntop function.  */
+#undef HAVE_INET_NTOP
+
+/* Define if you have the inet_pton function.  */
+#undef HAVE_INET_PTON
+
+/* Define if you have the initgroups function.  */
+#undef HAVE_INITGROUPS
+
+/* Define if you have the innetgr function.  */
+#undef HAVE_INNETGR
+
+/* Define if you have the iruserok function.  */
+#undef HAVE_IRUSEROK
+
+/* Define if you have the logout function.  */
+#undef HAVE_LOGOUT
+
+/* Define if you have the logwtmp function.  */
+#undef HAVE_LOGWTMP
+
+/* Define if you have the lstat function.  */
+#undef HAVE_LSTAT
+
+/* Define if you have the memmove function.  */
+#undef HAVE_MEMMOVE
+
+/* Define if you have the mkstemp function.  */
+#undef HAVE_MKSTEMP
+
+/* Define if you have the mktime function.  */
+#undef HAVE_MKTIME
+
+/* Define if you have the odm_initialize function.  */
+#undef HAVE_ODM_INITIALIZE
+
+/* Define if you have the on_exit function.  */
+#undef HAVE_ON_EXIT
+
+/* Define if you have the parsetos function.  */
+#undef HAVE_PARSETOS
+
+/* Define if you have the ptsname function.  */
+#undef HAVE_PTSNAME
+
+/* Define if you have the putenv function.  */
+#undef HAVE_PUTENV
+
+/* Define if you have the rand function.  */
+#undef HAVE_RAND
+
+/* Define if you have the random function.  */
+#undef HAVE_RANDOM
+
+/* Define if you have the rcmd function.  */
+#undef HAVE_RCMD
+
+/* Define if you have the readline function.  */
+#undef HAVE_READLINE
+
+/* Define if you have the readv function.  */
+#undef HAVE_READV
+
+/* Define if you have the recvmsg function.  */
+#undef HAVE_RECVMSG
+
+/* Define if you have the res_search function.  */
+#undef HAVE_RES_SEARCH
+
+/* Define if you have the revoke function.  */
+#undef HAVE_REVOKE
+
+/* Define if you have the sa_family_t function.  */
+#undef HAVE_SA_FAMILY_T
+
+/* Define if you have the sendmsg function.  */
+#undef HAVE_SENDMSG
+
+/* Define if you have the setegid function.  */
+#undef HAVE_SETEGID
+
+/* Define if you have the setenv function.  */
+#undef HAVE_SETENV
+
+/* Define if you have the seteuid function.  */
+#undef HAVE_SETEUID
+
+/* Define if you have the setitimer function.  */
+#undef HAVE_SETITIMER
+
+/* Define if you have the setlim function.  */
+#undef HAVE_SETLIM
+
+/* Define if you have the setlogin function.  */
+#undef HAVE_SETLOGIN
+
+/* Define if you have the setpcred function.  */
+#undef HAVE_SETPCRED
+
+/* Define if you have the setpgid function.  */
+#undef HAVE_SETPGID
+
+/* Define if you have the setpriority function.  */
+#undef HAVE_SETPRIORITY
+
+/* Define if you have the setproctitle function.  */
+#undef HAVE_SETPROCTITLE
+
+/* Define if you have the setregid function.  */
+#undef HAVE_SETREGID
+
+/* Define if you have the setresgid function.  */
+#undef HAVE_SETRESGID
+
+/* Define if you have the setresuid function.  */
+#undef HAVE_SETRESUID
+
+/* Define if you have the setreuid function.  */
+#undef HAVE_SETREUID
+
+/* Define if you have the setsid function.  */
+#undef HAVE_SETSID
+
+/* Define if you have the setsockopt function.  */
+#undef HAVE_SETSOCKOPT
+
+/* Define if you have the setutent function.  */
+#undef HAVE_SETUTENT
+
+/* Define if you have the sgi_getcapabilitybyname function.  */
+#undef HAVE_SGI_GETCAPABILITYBYNAME
+
+/* Define if you have the sigaction function.  */
+#undef HAVE_SIGACTION
+
+/* Define if you have the socket function.  */
+#undef HAVE_SOCKET
+
+/* Define if you have the socklen_t function.  */
+#undef HAVE_SOCKLEN_T
+
+/* Define if you have the strcasecmp function.  */
+#undef HAVE_STRCASECMP
+
+/* Define if you have the strdup function.  */
+#undef HAVE_STRDUP
+
+/* Define if you have the strerror function.  */
+#undef HAVE_STRERROR
+
+/* Define if you have the strftime function.  */
+#undef HAVE_STRFTIME
+
+/* Define if you have the strlcat function.  */
+#undef HAVE_STRLCAT
+
+/* Define if you have the strlcpy function.  */
+#undef HAVE_STRLCPY
+
+/* Define if you have the strlwr function.  */
+#undef HAVE_STRLWR
+
+/* Define if you have the strncasecmp function.  */
+#undef HAVE_STRNCASECMP
+
+/* Define if you have the strndup function.  */
+#undef HAVE_STRNDUP
+
+/* Define if you have the strnlen function.  */
+#undef HAVE_STRNLEN
+
+/* Define if you have the strptime function.  */
+#undef HAVE_STRPTIME
+
+/* Define if you have the strsep function.  */
+#undef HAVE_STRSEP
+
+/* Define if you have the strtok_r function.  */
+#undef HAVE_STRTOK_R
+
+/* Define if you have the struct_sockaddr_storage function.  */
+#undef HAVE_STRUCT_SOCKADDR_STORAGE
+
+/* Define if you have the strupr function.  */
+#undef HAVE_STRUPR
+
+/* Define if you have the swab function.  */
+#undef HAVE_SWAB
+
+/* Define if you have the sysconf function.  */
+#undef HAVE_SYSCONF
+
+/* Define if you have the sysctl function.  */
+#undef HAVE_SYSCTL
+
+/* Define if you have the syslog function.  */
+#undef HAVE_SYSLOG
+
+/* Define if you have the tgetent function.  */
+#undef HAVE_TGETENT
+
+/* Define if you have the ttyname function.  */
+#undef HAVE_TTYNAME
+
+/* Define if you have the ttyslot function.  */
+#undef HAVE_TTYSLOT
+
+/* Define if you have the ulimit function.  */
+#undef HAVE_ULIMIT
+
+/* Define if you have the uname function.  */
+#undef HAVE_UNAME
+
+/* Define if you have the unlockpt function.  */
+#undef HAVE_UNLOCKPT
+
+/* Define if you have the unsetenv function.  */
+#undef HAVE_UNSETENV
+
+/* Define if you have the vasnprintf function.  */
+#undef HAVE_VASNPRINTF
+
+/* Define if you have the vasprintf function.  */
+#undef HAVE_VASPRINTF
+
+/* Define if you have the verr function.  */
+#undef HAVE_VERR
+
+/* Define if you have the verrx function.  */
+#undef HAVE_VERRX
+
+/* Define if you have the vhangup function.  */
+#undef HAVE_VHANGUP
+
+/* Define if you have the vsnprintf function.  */
+#undef HAVE_VSNPRINTF
+
+/* Define if you have the vsyslog function.  */
+#undef HAVE_VSYSLOG
+
+/* Define if you have the vwarn function.  */
+#undef HAVE_VWARN
+
+/* Define if you have the vwarnx function.  */
+#undef HAVE_VWARNX
+
+/* Define if you have the warn function.  */
+#undef HAVE_WARN
+
+/* Define if you have the warnx function.  */
+#undef HAVE_WARNX
+
+/* Define if you have the writev function.  */
+#undef HAVE_WRITEV
+
+/* Define if you have the yp_get_default_domain function.  */
+#undef HAVE_YP_GET_DEFAULT_DOMAIN
+
+/* Define if you have the <arpa/ftp.h> header file.  */
+#undef HAVE_ARPA_FTP_H
+
+/* Define if you have the <arpa/inet.h> header file.  */
+#undef HAVE_ARPA_INET_H
+
+/* Define if you have the <arpa/nameser.h> header file.  */
+#undef HAVE_ARPA_NAMESER_H
+
+/* Define if you have the <arpa/telnet.h> header file.  */
+#undef HAVE_ARPA_TELNET_H
+
+/* Define if you have the <bsd/bsd.h> header file.  */
+#undef HAVE_BSD_BSD_H
+
+/* Define if you have the <bsdsetjmp.h> header file.  */
+#undef HAVE_BSDSETJMP_H
+
+/* Define if you have the <capability.h> header file.  */
+#undef HAVE_CAPABILITY_H
+
+/* Define if you have the <crypt.h> header file.  */
+#undef HAVE_CRYPT_H
+
+/* Define if you have the <curses.h> header file.  */
+#undef HAVE_CURSES_H
+
+/* Define if you have the <db.h> header file.  */
+#undef HAVE_DB_H
+
+/* Define if you have the <dbm.h> header file.  */
+#undef HAVE_DBM_H
+
+/* Define if you have the <dirent.h> header file.  */
+#undef HAVE_DIRENT_H
+
+/* Define if you have the <err.h> header file.  */
+#undef HAVE_ERR_H
+
+/* Define if you have the <errno.h> header file.  */
+#undef HAVE_ERRNO_H
+
+/* Define if you have the <fcntl.h> header file.  */
+#undef HAVE_FCNTL_H
+
+/* Define if you have the <fnmatch.h> header file.  */
+#undef HAVE_FNMATCH_H
+
+/* Define if you have the <gdbm/ndbm.h> header file.  */
+#undef HAVE_GDBM_NDBM_H
+
+/* Define if you have the <grp.h> header file.  */
+#undef HAVE_GRP_H
+
+/* Define if you have the <inttypes.h> header file.  */
+#undef HAVE_INTTYPES_H
+
+/* Define if you have the <io.h> header file.  */
+#undef HAVE_IO_H
+
+/* Define if you have the <lastlog.h> header file.  */
+#undef HAVE_LASTLOG_H
+
+/* Define if you have the <libutil.h> header file.  */
+#undef HAVE_LIBUTIL_H
+
+/* Define if you have the <limits.h> header file.  */
+#undef HAVE_LIMITS_H
+
+/* Define if you have the <login.h> header file.  */
+#undef HAVE_LOGIN_H
+
+/* Define if you have the <maillock.h> header file.  */
+#undef HAVE_MAILLOCK_H
+
+/* Define if you have the <ndbm.h> header file.  */
+#undef HAVE_NDBM_H
+
+/* Define if you have the <net/if.h> header file.  */
+#undef HAVE_NET_IF_H
+
+/* Define if you have the <net/if_tun.h> header file.  */
+#undef HAVE_NET_IF_TUN_H
+
+/* Define if you have the <net/if_var.h> header file.  */
+#undef HAVE_NET_IF_VAR_H
+
+/* Define if you have the <netdb.h> header file.  */
+#undef HAVE_NETDB_H
+
+/* Define if you have the <netinet/in.h> header file.  */
+#undef HAVE_NETINET_IN_H
+
+/* Define if you have the <netinet/in6_machtypes.h> header file.  */
+#undef HAVE_NETINET_IN6_MACHTYPES_H
+
+/* Define if you have the <netinet/in_systm.h> header file.  */
+#undef HAVE_NETINET_IN_SYSTM_H
+
+/* Define if you have the <netinet/ip.h> header file.  */
+#undef HAVE_NETINET_IP_H
+
+/* Define if you have the <netinet/tcp.h> header file.  */
+#undef HAVE_NETINET_TCP_H
+
+/* Define if you have the <paths.h> header file.  */
+#undef HAVE_PATHS_H
+
+/* Define if you have the <pty.h> header file.  */
+#undef HAVE_PTY_H
+
+/* Define if you have the <pwd.h> header file.  */
+#undef HAVE_PWD_H
+
+/* Define if you have the <resolv.h> header file.  */
+#undef HAVE_RESOLV_H
+
+/* Define if you have the <rpcsvc/dbm.h> header file.  */
+#undef HAVE_RPCSVC_DBM_H
+
+/* Define if you have the <rpcsvc/ypclnt.h> header file.  */
+#undef HAVE_RPCSVC_YPCLNT_H
+
+/* Define if you have the <sac.h> header file.  */
+#undef HAVE_SAC_H
+
+/* Define if you have the <security/pam_modules.h> header file.  */
+#undef HAVE_SECURITY_PAM_MODULES_H
+
+/* Define if you have the <shadow.h> header file.  */
+#undef HAVE_SHADOW_H
+
+/* Define if you have the <siad.h> header file.  */
+#undef HAVE_SIAD_H
+
+/* Define if you have the <signal.h> header file.  */
+#undef HAVE_SIGNAL_H
+
+/* Define if you have the <standards.h> header file.  */
+#undef HAVE_STANDARDS_H
+
+/* Define if you have the <stropts.h> header file.  */
+#undef HAVE_STROPTS_H
+
+/* Define if you have the <sys/bitypes.h> header file.  */
+#undef HAVE_SYS_BITYPES_H
+
+/* Define if you have the <sys/capability.h> header file.  */
+#undef HAVE_SYS_CAPABILITY_H
+
+/* Define if you have the <sys/category.h> header file.  */
+#undef HAVE_SYS_CATEGORY_H
+
+/* Define if you have the <sys/file.h> header file.  */
+#undef HAVE_SYS_FILE_H
+
+/* Define if you have the <sys/filio.h> header file.  */
+#undef HAVE_SYS_FILIO_H
+
+/* Define if you have the <sys/ioccom.h> header file.  */
+#undef HAVE_SYS_IOCCOM_H
+
+/* Define if you have the <sys/ioctl.h> header file.  */
+#undef HAVE_SYS_IOCTL_H
+
+/* Define if you have the <sys/locking.h> header file.  */
+#undef HAVE_SYS_LOCKING_H
+
+/* Define if you have the <sys/mman.h> header file.  */
+#undef HAVE_SYS_MMAN_H
+
+/* Define if you have the <sys/param.h> header file.  */
+#undef HAVE_SYS_PARAM_H
+
+/* Define if you have the <sys/proc.h> header file.  */
+#undef HAVE_SYS_PROC_H
+
+/* Define if you have the <sys/pty.h> header file.  */
+#undef HAVE_SYS_PTY_H
+
+/* Define if you have the <sys/ptyio.h> header file.  */
+#undef HAVE_SYS_PTYIO_H
+
+/* Define if you have the <sys/ptyvar.h> header file.  */
+#undef HAVE_SYS_PTYVAR_H
+
+/* Define if you have the <sys/resource.h> header file.  */
+#undef HAVE_SYS_RESOURCE_H
+
+/* Define if you have the <sys/select.h> header file.  */
+#undef HAVE_SYS_SELECT_H
+
+/* Define if you have the <sys/socket.h> header file.  */
+#undef HAVE_SYS_SOCKET_H
+
+/* Define if you have the <sys/sockio.h> header file.  */
+#undef HAVE_SYS_SOCKIO_H
+
+/* Define if you have the <sys/stat.h> header file.  */
+#undef HAVE_SYS_STAT_H
+
+/* Define if you have the <sys/str_tty.h> header file.  */
+#undef HAVE_SYS_STR_TTY_H
+
+/* Define if you have the <sys/stream.h> header file.  */
+#undef HAVE_SYS_STREAM_H
+
+/* Define if you have the <sys/stropts.h> header file.  */
+#undef HAVE_SYS_STROPTS_H
+
+/* Define if you have the <sys/strtty.h> header file.  */
+#undef HAVE_SYS_STRTTY_H
+
+/* Define if you have the <sys/syscall.h> header file.  */
+#undef HAVE_SYS_SYSCALL_H
+
+/* Define if you have the <sys/sysctl.h> header file.  */
+#undef HAVE_SYS_SYSCTL_H
+
+/* Define if you have the <sys/termio.h> header file.  */
+#undef HAVE_SYS_TERMIO_H
+
+/* Define if you have the <sys/time.h> header file.  */
+#undef HAVE_SYS_TIME_H
+
+/* Define if you have the <sys/timeb.h> header file.  */
+#undef HAVE_SYS_TIMEB_H
+
+/* Define if you have the <sys/times.h> header file.  */
+#undef HAVE_SYS_TIMES_H
+
+/* Define if you have the <sys/tty.h> header file.  */
+#undef HAVE_SYS_TTY_H
+
+/* Define if you have the <sys/types.h> header file.  */
+#undef HAVE_SYS_TYPES_H
+
+/* Define if you have the <sys/uio.h> header file.  */
+#undef HAVE_SYS_UIO_H
+
+/* Define if you have the <sys/un.h> header file.  */
+#undef HAVE_SYS_UN_H
+
+/* Define if you have the <sys/utsname.h> header file.  */
+#undef HAVE_SYS_UTSNAME_H
+
+/* Define if you have the <sys/wait.h> header file.  */
+#undef HAVE_SYS_WAIT_H
+
+/* Define if you have the <syslog.h> header file.  */
+#undef HAVE_SYSLOG_H
+
+/* Define if you have the <term.h> header file.  */
+#undef HAVE_TERM_H
+
+/* Define if you have the <termcap.h> header file.  */
+#undef HAVE_TERMCAP_H
+
+/* Define if you have the <termio.h> header file.  */
+#undef HAVE_TERMIO_H
+
+/* Define if you have the <termios.h> header file.  */
+#undef HAVE_TERMIOS_H
+
+/* Define if you have the <tmpdir.h> header file.  */
+#undef HAVE_TMPDIR_H
+
+/* Define if you have the <ttyent.h> header file.  */
+#undef HAVE_TTYENT_H
+
+/* Define if you have the <udb.h> header file.  */
+#undef HAVE_UDB_H
+
+/* Define if you have the <ulimit.h> header file.  */
+#undef HAVE_ULIMIT_H
+
+/* Define if you have the <unistd.h> header file.  */
+#undef HAVE_UNISTD_H
+
+/* Define if you have the <userpw.h> header file.  */
+#undef HAVE_USERPW_H
+
+/* Define if you have the <usersec.h> header file.  */
+#undef HAVE_USERSEC_H
+
+/* Define if you have the <util.h> header file.  */
+#undef HAVE_UTIL_H
+
+/* Define if you have the <utime.h> header file.  */
+#undef HAVE_UTIME_H
+
+/* Define if you have the <utmp.h> header file.  */
+#undef HAVE_UTMP_H
+
+/* Define if you have the <utmpx.h> header file.  */
+#undef HAVE_UTMPX_H
+
+/* Define if you have the <wait.h> header file.  */
+#undef HAVE_WAIT_H
+
+/* Define if you have the X11 library (-lX11).  */
+#undef HAVE_LIBX11
+
+/* Define if you have the Xau library (-lXau).  */
+#undef HAVE_LIBXAU
+
+/* Define if you have the c_r library (-lc_r).  */
+#undef HAVE_LIBC_R
+
+/* Define if you have the cfg library (-lcfg).  */
+#undef HAVE_LIBCFG
+
+/* Define if you have the crypt library (-lcrypt).  */
+#undef HAVE_LIBCRYPT
+
+/* Define if you have the curses library (-lcurses).  */
+#undef HAVE_LIBCURSES
+
+/* Define if you have the dl library (-ldl).  */
+#undef HAVE_LIBDL
+
+/* Define if you have the edit library (-ledit).  */
+#undef HAVE_LIBEDIT
+
+/* Define if you have the ncurses library (-lncurses).  */
+#undef HAVE_LIBNCURSES
+
+/* Define if you have the nsl library (-lnsl).  */
+#undef HAVE_LIBNSL
+
+/* Define if you have the odm library (-lodm).  */
+#undef HAVE_LIBODM
+
+/* Define if you have the readline library (-lreadline).  */
+#undef HAVE_LIBREADLINE
+
+/* Define if you have the resolv library (-lresolv).  */
+#undef HAVE_LIBRESOLV
+
+/* Define if you have the s library (-ls).  */
+#undef HAVE_LIBS
+
+/* Define if you have the socket library (-lsocket).  */
+#undef HAVE_LIBSOCKET
+
+/* Define if you have the syslog library (-lsyslog).  */
+#undef HAVE_LIBSYSLOG
+
+/* Define if you have the termcap library (-ltermcap).  */
+#undef HAVE_LIBTERMCAP
+
+/* Define if you have the util library (-lutil).  */
+#undef HAVE_LIBUTIL
+
+/* Name of package */
+#undef PACKAGE
+
+/* Version number of package */
+#undef VERSION
+
+/* Define to what version of SunOS you are running. */
+#undef SunOS
+
+/* Define if you have the socks package. */
+#undef SOCKS
+
+/* Define to enable old kdestroy behavior. */
+#undef LEGACY_KDESTROY
+
+/* Define if you want to match subdomains. */
+#undef MATCH_SUBDOMAINS
+
+/* Define this to be the directory where the 
+	dictionary for cracklib resides. */
+#undef DICTPATH
+
+/* Define this to the path of the mail spool directory. */
+#undef KRB4_MAILDIR
+
+/* Define this to the kerberos database directory. */
+#undef DB_DIR
+
+/* Define to enable new master key code. */
+#undef RANDOM_MKEY
+
+/* Define this to the location of the master key. */
+#undef MKEYFILE
+
+/* Define to enable basic OSF C2 support. */
+#undef HAVE_OSFC2
+
+/* Define if you don't want to use mmap. */
+#undef NO_MMAP
+
+/* Define if you don't wan't support for AFS. */
+#undef NO_AFS
+
+/* Set this to the type of des-quad-cheksum to use. */
+#undef DES_QUAD_DEFAULT
+
+/* Define if you have the readline package. */
+#undef READLINE
+
+/* Define if you have the hesiod package. */
+#undef HESIOD
+
+/* define if your compiler has __attribute__ */
+#undef HAVE___ATTRIBUTE__
+
+/* Huh? */
+#undef HAVE_STRANGE_INT8_T
+
+/* Define if NDBM really is DB (creates files ending in .db). */
+#undef HAVE_NEW_DB
+
+/* Define if you have NDBM (and not DBM) */
+#undef NDBM
+
+/* define if you have a working snprintf */
+#undef HAVE_SNPRINTF
+
+/* define if the system is missing a prototype for snprintf() */
+#undef NEED_SNPRINTF_PROTO
+
+/* define if you have a glob() that groks 
+	GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, and GLOB_TILDE */
+#undef HAVE_GLOB
+
+/* define if the system is missing a prototype for glob() */
+#undef NEED_GLOB_PROTO
+
+/* Define if getpwnam_r has POSIX flavour. */
+#undef POSIX_GETPWNAM_R
+
+/* Define if getlogin has POSIX flavour (and not BSD). */
+#undef POSIX_GETLOGIN
+
+/* define if the system is missing a prototype for hstrerror() */
+#undef NEED_HSTRERROR_PROTO
+
+/* define if the system is missing a prototype for gethostname() */
+#undef NEED_GETHOSTNAME_PROTO
+
+/* define if the system is missing a prototype for mkstemp() */
+#undef NEED_MKSTEMP_PROTO
+
+/* define if the system is missing a prototype for inet_aton() */
+#undef NEED_INET_ATON_PROTO
+
+/* Define if realloc(NULL, X) doesn't work. */
+#undef BROKEN_REALLOC
+
+/* Define if getcwd is broken (like in SunOS 4). */
+#undef BROKEN_GETCWD
+
+/* define if prototype of gethostbyname is compatible with
+	struct hostent *gethostbyname(const char *) */
+#undef GETHOSTBYNAME_PROTO_COMPATIBLE
+
+/* define if prototype of gethostbyaddr is compatible with
+	struct hostent *gethostbyaddr(const void *, size_t, int) */
+#undef GETHOSTBYADDR_PROTO_COMPATIBLE
+
+/* define if prototype of getservbyname is compatible with
+	struct servent *getservbyname(const char *, const char *) */
+#undef GETSERVBYNAME_PROTO_COMPATIBLE
+
+/* define if prototype of openlog is compatible with
+	void openlog(const char *, int, int) */
+#undef OPENLOG_PROTO_COMPATIBLE
+
+/* define if the system is missing a prototype for crypt() */
+#undef NEED_CRYPT_PROTO
+
+/* define if the system is missing a prototype for fclose() */
+#undef NEED_FCLOSE_PROTO
+
+/* define if the system is missing a prototype for strtok_r() */
+#undef NEED_STRTOK_R_PROTO
+
+/* define if the system is missing a prototype for strsep() */
+#undef NEED_STRSEP_PROTO
+
+/* define if the system is missing a prototype for getusershell() */
+#undef NEED_GETUSERSHELL_PROTO
+
+/* define if the system is missing a prototype for utime() */
+#undef NEED_UTIME_PROTO
+
+/* define if you have h_errno */
+#undef HAVE_H_ERRNO
+
+/* define if your system declares h_errno */
+#undef HAVE_H_ERRNO_DECLARATION
+
+/* define if you have h_errlist */
+#undef HAVE_H_ERRLIST
+
+/* define if your system declares h_errlist */
+#undef HAVE_H_ERRLIST_DECLARATION
+
+/* define if you have h_nerr */
+#undef HAVE_H_NERR
+
+/* define if your system declares h_nerr */
+#undef HAVE_H_NERR_DECLARATION
+
+/* define if you have __progname */
+#undef HAVE___PROGNAME
+
+/* define if your system declares __progname */
+#undef HAVE___PROGNAME_DECLARATION
+
+/* define if your system declares optarg */
+#undef HAVE_OPTARG_DECLARATION
+
+/* define if your system declares optind */
+#undef HAVE_OPTIND_DECLARATION
+
+/* define if your system declares opterr */
+#undef HAVE_OPTERR_DECLARATION
+
+/* define if your system declares optopt */
+#undef HAVE_OPTOPT_DECLARATION
+
+/* define if your system declares environ */
+#undef HAVE_ENVIRON_DECLARATION
+
+/* Define if RETSIGTYPE == void. */
+#undef VOID_RETSIGTYPE
+
+/* Define if struct utmp has field ut_addr. */
+#undef HAVE_STRUCT_UTMP_UT_ADDR
+
+/* Define if struct utmp has field ut_host. */
+#undef HAVE_STRUCT_UTMP_UT_HOST
+
+/* Define if struct utmp has field ut_id. */
+#undef HAVE_STRUCT_UTMP_UT_ID
+
+/* Define if struct utmp has field ut_pid. */
+#undef HAVE_STRUCT_UTMP_UT_PID
+
+/* Define if struct utmp has field ut_type. */
+#undef HAVE_STRUCT_UTMP_UT_TYPE
+
+/* Define if struct utmp has field ut_user. */
+#undef HAVE_STRUCT_UTMP_UT_USER
+
+/* Define if struct utmpx has field ut_exit. */
+#undef HAVE_STRUCT_UTMPX_UT_EXIT
+
+/* Define if struct utmpx has field ut_syslen. */
+#undef HAVE_STRUCT_UTMPX_UT_SYSLEN
+
+/* Define if struct tm has field tm_gmtoff. */
+#undef HAVE_STRUCT_TM_TM_GMTOFF
+
+/* Define if struct tm has field tm_zone. */
+#undef HAVE_STRUCT_TM_TM_ZONE
+
+/* define if you have timezone */
+#undef HAVE_TIMEZONE
+
+/* define if your system declares timezone */
+#undef HAVE_TIMEZONE_DECLARATION
+
+/* define if you have struct spwd */
+#undef HAVE_STRUCT_SPWD
+
+/* define if struct winsize is declared in sys/termios.h */
+#undef HAVE_STRUCT_WINSIZE
+
+/* define if struct winsize has ws_xpixel */
+#undef HAVE_WS_XPIXEL
+
+/* define if struct winsize has ws_ypixel */
+#undef HAVE_WS_YPIXEL
+
+/* Define this to what the type ssize_t should be. */
+#undef ssize_t
+
+/* Define this to what the type sig_atomic_t should be. */
+#undef sig_atomic_t
+
+/* Define if struct sockaddr has field sa_len. */
+#undef HAVE_STRUCT_SOCKADDR_SA_LEN
+
+/* Define if SIAENTITY has field ouid. */
+#undef HAVE_SIAENTITY_OUID
+
+/* Define if you have a working getmsg. */
+#undef HAVE_GETMSG
+
+/* Define if el_init takes four arguments. */
+#undef HAVE_FOUR_VALUED_EL_INIT
+
+/* Define if you have a readline function. */
+#undef HAVE_READLINE
+
+/* Define if you have working stream ptys. */
+#undef STREAMSPTY
+
+/* Define if /bin/ls has a `-A' flag. */
+#undef HAVE_LS_A
+
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+
+/* This for compat with heimdal (or something) */
+#define KRB_PUT_INT(f, t, l, s) krb_put_int((f), (t), (l), (s))
+
+#define HAVE_KRB_ENABLE_DEBUG 1
+
+#define HAVE_KRB_DISABLE_DEBUG 1
+
+#define HAVE_KRB_GET_OUR_IP_FOR_REALM 1
+
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
+
+/*
+ * Set ORGANIZATION to be the desired organization string printed
+ * by the 'kinit' program.  It may have spaces.
+ */
+#define ORGANIZATION "eBones International"
+
+#if 0
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+#endif
+
+#if 0
+#define KRB_CNF_FILES	{ "/etc/krb.conf",   "/etc/kerberosIV/krb.conf", 0}
+#define KRB_RLM_FILES	{ "/etc/krb.realms", "/etc/kerberosIV/krb.realms", 0}
+#define KRB_EQUIV	"/etc/krb.equiv"
+
+#define KEYFILE		"/etc/srvtab"
+
+#define KRBDIR		"/var/kerberos"
+#define DBM_FILE	KRBDIR "/principal"
+#define DEFAULT_ACL_DIR	KRBDIR
+
+#define KRBLOG		"/var/log/kerberos.log"	/* master server  */
+#define KRBSLAVELOG	"/var/log/kerberos_slave.log" /* slave server  */
+#define KADM_SYSLOG	"/var/log/admin_server.syslog"
+#define K_LOGFIL	"/var/log/kpropd.log"
+#endif
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+/* ftp stuff -------------------------------------------------- */
+
+#define KERBEROS
+
+/* telnet stuff ----------------------------------------------- */
+
+/* define this for OTP support */
+#undef OTP
+
+/* define this if you have kerberos 4 */
+#undef KRB4
+
+/* define this if you want encryption */
+#undef ENCRYPTION
+
+/* define this if you want authentication */
+#undef AUTHENTICATION
+
+#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
+#define AUTHENTICATION 1
+#endif
+
+/* Set this if you want des encryption */
+#undef DES_ENCRYPTION
+
+/* Set this to the default system lead string for telnetd 
+ * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
+ * %v=os-version, %t=tty, %h=hostname, %d=date and time
+ */
+#undef USE_IM
+
+/* define this if you want diagnostics in telnetd */
+#undef DIAGNOSTICS
+
+/* define this if you want support for broken ENV_{VALUE,VAR} systems  */
+#undef ENV_HACK
+
+/*  */
+#undef OLD_ENVIRON
+
+/* Used with login -p */
+#undef LOGIN_ARGS
+
+/* set this to a sensible login */
+#ifndef LOGIN_PATH
+#define LOGIN_PATH BINDIR "/login"
+#endif
+
+
+/* ------------------------------------------------------------ */
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+/* Temporary fixes for krb_{rd,mk}_safe */
+#define DES_QUAD_GUESS 0
+#define DES_QUAD_NEW 1
+#define DES_QUAD_OLD 2
+
+/*
+ * All these are system-specific defines that I would rather not have at all.
+ */
+
+/*
+ * AIX braindamage!
+ */
+#if _AIX
+#define _ALL_SOURCE
+/* XXX this is gross, but kills about a gazillion warnings */
+struct ether_addr;
+struct sockaddr;
+struct sockaddr_dl;
+struct sockaddr_in;
+#endif
+
+#if defined(__sgi) || defined(sgi)
+#if defined(__SYSTYPE_SVR4) || defined(_SYSTYPE_SVR4)
+#define IRIX 5
+#else
+#define IRIX 4
+#endif
+#endif
+
+/* IRIX 4 braindamage */
+#if IRIX == 4 && !defined(__STDC__)
+#define __STDC__ 0
+#endif
+
+/*
+ * Defining this enables lots of useful (and used) extensions on
+ * glibc-based systems such as Linux
+ */
+
+#define _GNU_SOURCE
+
+/* some strange OS/2 stuff.  From <d96-mst@nada.kth.se> */
+
+#ifdef __EMX__
+#define _EMX_TCPIP
+#define MAIL_USE_SYSTEM_LOCK
+#endif
+
+#ifdef ROKEN_RENAME
+#include "roken_rename.h"
+#endif
diff --git a/crypto/kerberosIV/include/netdb.x b/crypto/kerberosIV/include/netdb.x
new file mode 100644
index 0000000..7055918
--- /dev/null
+++ b/crypto/kerberosIV/include/netdb.x
@@ -0,0 +1,7 @@
+/* fix for broken ultrix netdb.h. */
+#ifndef __NETDB_H__
+#define __NETDB_H__
+
+#include "/usr/include/netdb.h"
+
+#endif /* __NETDB_H__ */
diff --git a/crypto/kerberosIV/include/protos.H b/crypto/kerberosIV/include/protos.H
new file mode 100644
index 0000000..faf911e
--- /dev/null
+++ b/crypto/kerberosIV/include/protos.H
@@ -0,0 +1,277 @@
+/* -*- C -*-
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Add here functions that don't have a prototype on your system.
+ *
+ * $Id: protos.H,v 1.46 1999/12/02 16:58:36 joda Exp $
+ */
+
+#ifdef NEED_CRYPT_PROTO
+char *crypt(const char*, const char*);
+#endif
+
+#ifdef NEED_STRTOK_R_PROTO
+char *strtok_r (char *s1, const char *s2, char **lasts);
+#endif
+
+#ifndef HAVE_OPTARG_DECLARATION
+extern char *optarg;
+#endif
+#ifndef HAVE_OPTERR_DECLARATION
+extern int opterr;
+#endif
+#ifndef HAVE_OPTIND_DECLARATION
+extern int optind;
+#endif
+#ifndef HAVE_OPTOPT_DECLARATION
+extern int optopt;
+#endif
+
+#if defined(__GNUC__) && SunOS == 4
+
+/* To get type fd_set */
+#include <sys/types.h>
+#include <sys/time.h>
+
+/* To get struct sockaddr, struct in_addr and struct hostent */
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+/* To get struct stat */
+#include <sys/stat.h>
+
+/* To get struct utimbuf */
+#include <utime.h>
+
+#if !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT)
+#define atexit(X) on_exit(X, NULL)
+#define HAVE_ATEXIT 1
+#endif
+#ifdef NEED_UTIME_PROTO
+int utime(const char *, const struct utimbuf *);
+#endif
+int syscall(int, ...);
+pid_t getpid(void);
+int ftruncate(int, off_t);
+int fchmod(int, mode_t);
+int fchown(int fd, int owner, int group);
+int fsync(int);
+int seteuid(uid_t);
+int setreuid(int, int);
+int flock(int, int);
+int gettimeofday(struct timeval *tp, struct timezone *tzp);
+int lstat(const char *, struct stat *);
+int ioctl(int, int, void *); 
+int getpriority(int which, int who);
+int setpriority(int which, int who, int priority);
+int getdtablesize(void);
+int initgroups(const char *name, int basegid);
+long ulimit(int cmd, long newlimit);
+int vhangup(void);
+
+int sigblock(int);
+int sigsetmask(int);
+int setitimer(int which, struct itimerval *value, struct itimerval *ovalue);
+
+int munmap(caddr_t addr, int len);
+
+int socket(int, int, int);
+int setsockopt(int, int, int, void *, int);
+int bind(int, void *, int);
+int getsockname(int, struct sockaddr *, int *);
+int accept(int, struct sockaddr *, int *);
+int connect(int, struct sockaddr *, int);
+int listen(int, int);
+int recv(int s, void *buf, int len, int flags);
+int recvfrom(int, char *, int, int, void *, int *);
+int sendto(int, const char *, int, int, void *, int);
+int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
+int shutdown(int, int);
+int getpeername(int, struct sockaddr *, int *);
+int getsockopt(int, int, int, void *, int *);
+int send(int s, const void *msg, int len, int flags);
+struct strbuf;
+int getmsg(int fd, struct strbuf *ctlptr, struct strbuf *dataptr, int *flags);
+
+char *inet_ntoa(struct in_addr in);
+unsigned long inet_addr(const char *cp);
+int gethostname(char *, int);
+struct hostent *gethostbyname(const char *);
+int dn_expand(const u_char *msg,
+	      const u_char *eomorig,
+	      const u_char *comp_dn,
+	      char *exp_dn,
+	      int length);
+int res_search(const char *dname,
+	       int class,
+	       int type,
+	       u_char *answer,
+	       int anslen);
+
+int yp_get_default_domain (char **outdomain);
+int innetgr(const char *netgroup, const char *machine,
+	    const char *user, const char *domain);
+
+char *getwd(char *pathname);
+
+void bzero(char *b, int length);
+int strcasecmp(const char *, const char *);
+void swab(const char *, char *, int);
+int atoi(const char *str);
+char *mktemp(char *);
+void srandom(int seed);
+int random(void);
+
+int rcmd(char **, unsigned short, char *, char *, char *, int *);
+int rresvport(int *);
+int openlog(const char *ident, int logopt, int facility);
+int syslog(int priority, const char *message, ...);
+int ttyslot(void);
+
+char *getpass(const char *);
+
+char *getusershell(void);
+void setpwent();
+void endpwent();
+
+#include <stdio.h>
+int fclose(FILE *);
+
+#endif /* SunOS4 */
+
+#if SunOS == 5
+
+#include <sys/types.h>
+#include <sys/resource.h>
+
+char *getusershell(void);
+char *strtok_r(char *, const char *, char **);
+int getpriority (int which, id_t who);
+int setpriority (int which, id_t who, int prio);
+int getdtablesize (void);
+char *getusershell(void);
+void setusershell(void);
+void endusershell(void);
+
+#if defined(__GNUC__)
+
+int syscall(int, ...);
+int gethostname(char *, int);
+
+struct timeval;
+int gettimeofday(struct timeval *tp, void *);
+
+#endif
+#endif
+
+#if defined(__osf__) /* OSF/1 */
+
+#if 0
+/* To get type fd_set */
+#include <sys/types.h>
+#include <sys/time.h>
+
+int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
+int fsync(int fildes);
+int gethostname(char *address, int address_len);
+int setreuid(int ruid, int euid);
+int ioctl(int d, unsigned long request, void * arg);
+#endif
+int flock(int fildes, int operation);
+int syscall(int, ...);
+
+unsigned short htons(unsigned short hostshort);
+unsigned int   htonl(unsigned int hostint);
+unsigned short ntohs(unsigned short netshort);
+unsigned int   ntohl(unsigned int netint);
+
+char *mktemp(char *template);
+char *getusershell(void);
+
+int rcmd(char **, unsigned short, char *, char *, char *, int *);
+int rresvport (int *port);
+
+#endif /* OSF/1 */
+
+#if defined(__sgi)
+#include <sys/types.h>
+
+char *ptsname(int fd);
+struct spwd *getspuid(uid_t);
+#endif /* IRIX */
+
+#if defined(__GNUC__) && defined(_AIX) /* AIX */
+
+struct timeval;
+struct timezone;
+int gettimeofday (struct timeval *Tp, void *Tzp);
+
+#endif /* AIX */
+
+#if defined(__GNUC__) && defined(__hpux) /* HP-UX */
+
+int syscall(int, ...);
+
+int vhangup(void);
+
+char *ptsname(int fildes);
+
+void utmpname(const char *file);
+
+int innetgr(const char *netgroup, const char *machine,
+	    const char *user, const char *domain);
+
+int dn_comp(char *exp_dn, char *comp_dn, int length,
+	    char **dnptrs, char **lastdnptr);
+
+int res_query(char *dname, int class, int type,
+	      unsigned char *answer, int anslen);
+
+int dn_expand(char *msg, char *eomorig, char *comp_dn,
+	      char *exp_dn, int length);
+
+int res_search(char *dname, int class, int type,
+	       unsigned char *answer, int anslen);
+
+#endif /* HP-UX */
+
+#if defined(WIN32)	/* Visual C++ 4.0 (Windows95/NT) */
+
+int open(const char *, int, ...);
+int close(int);
+int	read(int, void *, unsigned int);
+int write(int, const void *, unsigned int);
+
+#endif /* WIN32 */
diff --git a/crypto/kerberosIV/include/protos.hin b/crypto/kerberosIV/include/protos.hin
new file mode 100644
index 0000000..c908f34
--- /dev/null
+++ b/crypto/kerberosIV/include/protos.hin
@@ -0,0 +1,277 @@
+/* -*- C -*-
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Add here functions that don't have a prototype on your system.
+ *
+ * $Id: protos.hin,v 1.46.2.1 2000/12/13 14:41:38 assar Exp $
+ */
+
+#ifdef NEED_CRYPT_PROTO
+char *crypt(const char*, const char*);
+#endif
+
+#ifdef NEED_STRTOK_R_PROTO
+char *strtok_r (char *s1, const char *s2, char **lasts);
+#endif
+
+#ifndef HAVE_OPTARG_DECLARATION
+extern char *optarg;
+#endif
+#ifndef HAVE_OPTERR_DECLARATION
+extern int opterr;
+#endif
+#ifndef HAVE_OPTIND_DECLARATION
+extern int optind;
+#endif
+#ifndef HAVE_OPTOPT_DECLARATION
+extern int optopt;
+#endif
+
+#if defined(__GNUC__) && SunOS == 4
+
+/* To get type fd_set */
+#include <sys/types.h>
+#include <sys/time.h>
+
+/* To get struct sockaddr, struct in_addr and struct hostent */
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+/* To get struct stat */
+#include <sys/stat.h>
+
+/* To get struct utimbuf */
+#include <utime.h>
+
+#if !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT)
+#define atexit(X) on_exit(X, NULL)
+#define HAVE_ATEXIT 1
+#endif
+#ifdef NEED_UTIME_PROTO
+int utime(const char *, const struct utimbuf *);
+#endif
+int syscall(int, ...);
+pid_t getpid(void);
+int ftruncate(int, off_t);
+int fchmod(int, mode_t);
+int fchown(int fd, int owner, int group);
+int fsync(int);
+int seteuid(uid_t);
+int setreuid(int, int);
+int flock(int, int);
+int gettimeofday(struct timeval *tp, struct timezone *tzp);
+int lstat(const char *, struct stat *);
+int ioctl(int, int, void *); 
+int getpriority(int which, int who);
+int setpriority(int which, int who, int priority);
+int getdtablesize(void);
+int initgroups(const char *name, int basegid);
+long ulimit(int cmd, long newlimit);
+int vhangup(void);
+
+int sigblock(int);
+int sigsetmask(int);
+int setitimer(int which, struct itimerval *value, struct itimerval *ovalue);
+
+int munmap(caddr_t addr, int len);
+
+int socket(int, int, int);
+int setsockopt(int, int, int, void *, int);
+int bind(int, void *, int);
+int getsockname(int, struct sockaddr *, int *);
+int accept(int, struct sockaddr *, int *);
+int connect(int, struct sockaddr *, int);
+int listen(int, int);
+int recv(int s, void *buf, int len, int flags);
+int recvfrom(int, char *, int, int, void *, int *);
+int sendto(int, const char *, int, int, void *, int);
+int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
+int shutdown(int, int);
+int getpeername(int, struct sockaddr *, int *);
+int getsockopt(int, int, int, void *, int *);
+int send(int s, const void *msg, int len, int flags);
+struct strbuf;
+int getmsg(int fd, struct strbuf *ctlptr, struct strbuf *dataptr, int *flags);
+
+char *inet_ntoa(struct in_addr in);
+unsigned long inet_addr(const char *cp);
+int gethostname(char *, int);
+struct hostent *gethostbyname(const char *);
+int dn_expand(const u_char *msg,
+	      const u_char *eomorig,
+	      const u_char *comp_dn,
+	      char *exp_dn,
+	      int length);
+int res_search(const char *dname,
+	       int class,
+	       int type,
+	       u_char *answer,
+	       int anslen);
+
+int yp_get_default_domain (char **outdomain);
+int innetgr(const char *netgroup, const char *machine,
+	    const char *user, const char *domain);
+
+char *getwd(char *pathname);
+
+void bzero(char *b, int length);
+int strcasecmp(const char *, const char *);
+void swab(const char *, char *, int);
+int atoi(const char *str);
+char *mktemp(char *);
+void srandom(int seed);
+int random(void);
+
+int rcmd(char **, unsigned short, char *, char *, char *, int *);
+int rresvport(int *);
+int openlog(const char *ident, int logopt, int facility);
+int syslog(int priority, const char *message, ...);
+int ttyslot(void);
+
+char *getpass(const char *);
+
+char *getusershell(void);
+void setpwent();
+void endpwent();
+
+#include <stdio.h>
+int fclose(FILE *);
+
+#endif /* SunOS4 */
+
+#if SunOS == 5
+
+#include <sys/types.h>
+#include <sys/resource.h>
+
+char *getusershell(void);
+char *strtok_r(char *, const char *, char **);
+int getpriority (int which, id_t who);
+int setpriority (int which, id_t who, int prio);
+int getdtablesize (void);
+char *getusershell(void);
+void setusershell(void);
+void endusershell(void);
+
+#if defined(__GNUC__)
+
+int syscall(int, ...);
+int gethostname(char *, int);
+
+struct timeval;
+int gettimeofday(struct timeval *tp, void *);
+
+#endif
+#endif
+
+#if defined(__osf__) /* OSF/1 */
+
+#if 0
+/* To get type fd_set */
+#include <sys/types.h>
+#include <sys/time.h>
+
+int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
+int fsync(int fildes);
+int gethostname(char *address, int address_len);
+int setreuid(int ruid, int euid);
+int ioctl(int d, unsigned long request, void * arg);
+#endif
+int flock(int fildes, int operation);
+int syscall(int, ...);
+
+unsigned short htons(unsigned short hostshort);
+unsigned int   htonl(unsigned int hostint);
+unsigned short ntohs(unsigned short netshort);
+unsigned int   ntohl(unsigned int netint);
+
+char *mktemp(char *template);
+char *getusershell(void);
+
+int rcmd(char **, unsigned short, char *, char *, char *, int *);
+int rresvport (int *port);
+
+#endif /* OSF/1 */
+
+#if defined(__sgi)
+#include <sys/types.h>
+
+char *ptsname(int fd);
+struct spwd *getspuid(uid_t);
+#endif /* IRIX */
+
+#if defined(__GNUC__) && defined(_AIX) /* AIX */
+
+struct timeval;
+struct timezone;
+int gettimeofday (struct timeval *Tp, void *Tzp);
+
+#endif /* AIX */
+
+#if defined(__GNUC__) && defined(__hpux) /* HP-UX */
+
+int syscall(int, ...);
+
+int vhangup(void);
+
+char *ptsname(int fildes);
+
+void utmpname(const char *file);
+
+int innetgr(const char *netgroup, const char *machine,
+	    const char *user, const char *domain);
+
+int dn_comp(char *exp_dn, char *comp_dn, int length,
+	    char **dnptrs, char **lastdnptr);
+
+int res_query(char *dname, int class, int type,
+	      unsigned char *answer, int anslen);
+
+int dn_expand(char *msg, char *eomorig, char *comp_dn,
+	      char *exp_dn, int length);
+
+int res_search(char *dname, int class, int type,
+	       unsigned char *answer, int anslen);
+
+#endif /* HP-UX */
+
+#if defined(WIN32)	/* Visual C++ 4.0 (Windows95/NT) */
+
+int open(const char *, int, ...);
+int close(int);
+int	read(int, void *, unsigned int);
+int write(int, const void *, unsigned int);
+
+#endif /* WIN32 */
diff --git a/crypto/kerberosIV/include/sys/Makefile.in b/crypto/kerberosIV/include/sys/Makefile.in
new file mode 100644
index 0000000..cee60af
--- /dev/null
+++ b/crypto/kerberosIV/include/sys/Makefile.in
@@ -0,0 +1,48 @@
+# $Id: Makefile.in,v 1.22 1998/03/15 05:57:53 assar Exp $
+
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+LN_S		= @LN_S@
+INSTALL		= @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix		= @prefix@
+includedir	= @includedir@
+BROKEN_SOCKET_H	= @krb_cv_header_sys_socket_h_broken@
+
+@SET_MAKE@
+
+HEADERS = socket.h
+
+all: stamp-headers
+
+Wall:
+	$(MAKE) CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+install: all
+
+uninstall:
+
+clean:
+	rm -f $(HEADERS) stamp-headers
+
+mostlyclean:	clean
+distclean:	clean
+	rm -f Makefile config.status *~
+
+realclean:	clean
+
+socket.h:
+	if test "$(BROKEN_SOCKET_H)" = yes; then \
+	  $(LN_S) $(srcdir)/socket.x socket.h; \
+	fi || true
+
+stamp-headers:
+	$(MAKE) $(HEADERS)
+	touch stamp-headers
+
+.PHONY: all Wall install uninstall clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/include/sys/socket.x b/crypto/kerberosIV/include/sys/socket.x
new file mode 100644
index 0000000..d5678c8
--- /dev/null
+++ b/crypto/kerberosIV/include/sys/socket.x
@@ -0,0 +1,7 @@
+/* fix for broken ultrix sys/socket.h. */
+#ifndef __SOCKET_H__
+#define __SOCKET_H__
+
+#include "/usr/include/sys/socket.h"
+
+#endif /* __SOCKET_H__ */
diff --git a/crypto/kerberosIV/include/win32/config.h b/crypto/kerberosIV/include/win32/config.h
new file mode 100644
index 0000000..199961e
--- /dev/null
+++ b/crypto/kerberosIV/include/win32/config.h
@@ -0,0 +1,1185 @@
+/* include/config.h.in.  Generated automatically from configure.in by autoheader.  */
+
+/* Define if using alloca.c.  */
+#undef C_ALLOCA
+
+/* Define to empty if the keyword does not work.  */
+#undef const
+
+/* Define to one of _getb67, GETB67, getb67 for Cray-2 and Cray-YMP systems.
+   This function is required for alloca.c support on those systems.  */
+#undef CRAY_STACKSEG_END
+
+/* Define to `int' if <sys/types.h> doesn't define.  */
+#define gid_t int
+
+/* Define if you have alloca, as a function or macro.  */
+#undef HAVE_ALLOCA
+
+/* Define if you have <alloca.h> and it should be used (not on Ultrix).  */
+#undef HAVE_ALLOCA_H
+
+/* Define if you have a working `mmap' system call.  */
+#undef HAVE_MMAP
+
+/* Define if your struct stat has st_blksize.  */
+#undef HAVE_ST_BLKSIZE
+
+/* Define as __inline if that's what the C compiler calls it.  */
+#undef inline
+
+/* Define to `long' if <sys/types.h> doesn't define.  */
+#undef off_t
+
+/* Define to `int' if <sys/types.h> doesn't define.  */
+#undef pid_t
+
+/* Define if you need to in order for stat and other things to work.  */
+#undef _POSIX_SOURCE
+
+/* Define as the return type of signal handlers (int or void).  */
+#undef RETSIGTYPE
+
+/* Define to `unsigned' if <sys/types.h> doesn't define.  */
+#undef size_t
+
+/* If using the C implementation of alloca, define if you know the
+   direction of stack growth for your system; otherwise it will be
+   automatically deduced at run-time.
+ STACK_DIRECTION > 0 => grows toward higher addresses
+ STACK_DIRECTION < 0 => grows toward lower addresses
+ STACK_DIRECTION = 0 => direction of growth unknown
+ */
+#undef STACK_DIRECTION
+
+/* Define if you have the ANSI C header files.  */
+#define STDC_HEADERS 1
+
+/* Define if `sys_siglist' is declared by <signal.h>.  */
+#undef SYS_SIGLIST_DECLARED
+
+/* Define if you can safely include both <sys/time.h> and <time.h>.  */
+#undef TIME_WITH_SYS_TIME
+
+/* Define to `int' if <sys/types.h> doesn't define.  */
+#define uid_t int
+
+/* Define if your processor stores words with the most significant
+   byte first (like Motorola and SPARC, unlike Intel and VAX).  */
+#undef WORDS_BIGENDIAN
+
+/* Define if the X Window System is missing or not being used.  */
+#undef X_DISPLAY_MISSING
+
+/* Define if you have the _getpty function.  */
+#undef HAVE__GETPTY
+
+/* Define if you have the _scrsize function.  */
+#undef HAVE__SCRSIZE
+
+/* Define if you have the _setsid function.  */
+#undef HAVE__SETSID
+
+/* Define if you have the _stricmp function.  */
+#define HAVE__STRICMP 1
+
+/* Define if you have the asnprintf function.  */
+#undef HAVE_ASNPRINTF
+
+/* Define if you have the asprintf function.  */
+#undef HAVE_ASPRINTF
+
+/* Define if you have the atexit function.  */
+#undef HAVE_ATEXIT
+
+/* Define if you have the chown function.  */
+#undef HAVE_CHOWN
+
+/* Define if you have the chroot function.  */
+#undef HAVE_CHROOT
+
+/* Define if you have the crypt function.  */
+#undef HAVE_CRYPT
+
+/* Define if you have the daemon function.  */
+#undef HAVE_DAEMON
+
+/* Define if you have the dlopen function.  */
+#undef HAVE_DLOPEN
+
+/* Define if you have the dn_expand function.  */
+#undef HAVE_DN_EXPAND
+
+/* Define if you have the el_init function.  */
+#undef HAVE_EL_INIT
+
+/* Define if you have the err function.  */
+#undef HAVE_ERR
+
+/* Define if you have the errx function.  */
+#undef HAVE_ERRX
+
+/* Define if you have the fattach function.  */
+#undef HAVE_FATTACH
+
+/* Define if you have the fchmod function.  */
+#undef HAVE_FCHMOD
+
+/* Define if you have the fchown function.  */
+#undef HAVE_FCHOWN
+
+/* Define if you have the fcntl function.  */
+#undef HAVE_FCNTL
+
+/* Define if you have the flock function.  */
+#undef HAVE_FLOCK
+
+/* Define if you have the fnmatch function.  */
+#undef HAVE_FNMATCH
+
+/* Define if you have the forkpty function.  */
+#undef HAVE_FORKPTY
+
+/* Define if you have the frevoke function.  */
+#undef HAVE_FREVOKE
+
+/* Define if you have the getattr function.  */
+#undef HAVE_GETATTR
+
+/* Define if you have the getcwd function.  */
+#undef HAVE_GETCWD
+
+/* Define if you have the getdtablesize function.  */
+#undef HAVE_GETDTABLESIZE
+
+/* Define if you have the getegid function.  */
+#undef HAVE_GETEGID
+
+/* Define if you have the geteuid function.  */
+#undef HAVE_GETEUID
+
+/* Define if you have the getgid function.  */
+#undef HAVE_GETGID
+
+/* Define if you have the gethostbyname function.  */
+#define HAVE_GETHOSTBYNAME 1
+
+/* Define if you have the gethostname function.  */
+#define HAVE_GETHOSTNAME 1
+
+/* Define if you have the getlogin function.  */
+#undef HAVE_GETLOGIN
+
+/* Define if you have the getopt function.  */
+#undef HAVE_GETOPT
+
+/* Define if you have the getpagesize function.  */
+#undef HAVE_GETPAGESIZE
+
+/* Define if you have the getpriority function.  */
+#undef HAVE_GETPRIORITY
+
+/* Define if you have the getpwnam_r function.  */
+#undef HAVE_GETPWNAM_R
+
+/* Define if you have the getrlimit function.  */
+#undef HAVE_GETRLIMIT
+
+/* Define if you have the getservbyname function.  */
+#define HAVE_GETSERVBYNAME 1
+
+/* Define if you have the getsockopt function.  */
+#define HAVE_GETSOCKOPT 1
+
+/* Define if you have the getspnam function.  */
+#undef HAVE_GETSPNAM
+
+/* Define if you have the getspuid function.  */
+#undef HAVE_GETSPUID
+
+/* Define if you have the gettimeofday function.  */
+#undef HAVE_GETTIMEOFDAY
+
+/* Define if you have the gettosbyname function.  */
+#undef HAVE_GETTOSBYNAME
+
+/* Define if you have the getudbnam function.  */
+#undef HAVE_GETUDBNAM
+
+/* Define if you have the getuid function.  */
+#undef HAVE_GETUID
+
+/* Define if you have the getusershell function.  */
+#undef HAVE_GETUSERSHELL
+
+/* Define if you have the grantpt function.  */
+#undef HAVE_GRANTPT
+
+/* Define if you have the hstrerror function.  */
+#undef HAVE_HSTRERROR
+
+/* Define if you have the inet_aton function.  */
+#undef HAVE_INET_ATON
+
+/* Define if you have the initgroups function.  */
+#undef HAVE_INITGROUPS
+
+/* Define if you have the innetgr function.  */
+#undef HAVE_INNETGR
+
+/* Define if you have the iruserok function.  */
+#undef HAVE_IRUSEROK
+
+/* Define if you have the logout function.  */
+#undef HAVE_LOGOUT
+
+/* Define if you have the logwtmp function.  */
+#undef HAVE_LOGWTMP
+
+/* Define if you have the lstat function.  */
+#undef HAVE_LSTAT
+
+/* Define if you have the memmove function.  */
+#define HAVE_MEMMOVE 1
+
+/* Define if you have the mkstemp function.  */
+#undef HAVE_MKSTEMP
+
+/* Define if you have the mktime function.  */
+#define HAVE_MKTIME 1
+
+/* Define if you have the odm_initialize function.  */
+#undef HAVE_ODM_INITIALIZE
+
+/* Define if you have the on_exit function.  */
+#undef HAVE_ON_EXIT
+
+/* Define if you have the parsetos function.  */
+#undef HAVE_PARSETOS
+
+/* Define if you have the ptsname function.  */
+#undef HAVE_PTSNAME
+
+/* Define if you have the putenv function.  */
+#undef HAVE_PUTENV
+
+/* Define if you have the rand function.  */
+#define HAVE_RAND 1
+
+/* Define if you have the random function.  */
+#undef HAVE_RANDOM
+
+/* Define if you have the rcmd function.  */
+#undef HAVE_RCMD
+
+/* Define if you have the readline function.  */
+#undef HAVE_READLINE
+
+/* Define if you have the readv function.  */
+#undef HAVE_READV
+
+/* Define if you have the res_search function.  */
+#undef HAVE_RES_SEARCH
+
+/* Define if you have the revoke function.  */
+#undef HAVE_REVOKE
+
+/* Define if you have the setegid function.  */
+#undef HAVE_SETEGID
+
+/* Define if you have the setenv function.  */
+#undef HAVE_SETENV
+
+/* Define if you have the seteuid function.  */
+#undef HAVE_SETEUID
+
+/* Define if you have the setitimer function.  */
+#undef HAVE_SETITIMER
+
+/* Define if you have the setlim function.  */
+#undef HAVE_SETLIM
+
+/* Define if you have the setlogin function.  */
+#undef HAVE_SETLOGIN
+
+/* Define if you have the setpcred function.  */
+#undef HAVE_SETPCRED
+
+/* Define if you have the setpgid function.  */
+#undef HAVE_SETPGID
+
+/* Define if you have the setpriority function.  */
+#undef HAVE_SETPRIORITY
+
+/* Define if you have the setproctitle function.  */
+#undef HAVE_SETPROCTITLE
+
+/* Define if you have the setregid function.  */
+#undef HAVE_SETREGID
+
+/* Define if you have the setresgid function.  */
+#undef HAVE_SETRESGID
+
+/* Define if you have the setresuid function.  */
+#undef HAVE_SETRESUID
+
+/* Define if you have the setreuid function.  */
+#undef HAVE_SETREUID
+
+/* Define if you have the setsid function.  */
+#undef HAVE_SETSID
+
+/* Define if you have the setsockopt function.  */
+#define HAVE_SETSOCKOPT 1
+
+/* Define if you have the setutent function.  */
+#undef HAVE_SETUTENT
+
+/* Define if you have the sigaction function.  */
+#undef HAVE_SIGACTION
+
+/* Define if you have the socket function.  */
+#define HAVE_SOCKET 1
+
+/* Define if you have the strcasecmp function.  */
+#undef HAVE_STRCASECMP
+
+/* Define if you have the strdup function.  */
+#define HAVE_STRDUP 1
+
+/* Define if you have the strerror function.  */
+#undef HAVE_STRERROR
+
+/* Define if you have the strftime function.  */
+#define HAVE_STRFTIME 1
+
+/* Define if you have the strlwr function.  */
+#define HAVE_STRLWR 1
+
+/* Define if you have the strncasecmp function.  */
+#undef HAVE_STRNCASECMP
+
+/* Define if you have the strnlen function.  */
+#undef HAVE_STRNLEN
+
+/* Define if you have the strsep function.  */
+#undef HAVE_STRSEP
+
+/* Define if you have the strtok_r function.  */
+#undef HAVE_STRTOK_R
+
+/* Define if you have the strupr function.  */
+#define HAVE_STRUPR 1
+
+/* Define if you have the swab function.  */
+#define HAVE_SWAB 1
+
+/* Define if you have the sysconf function.  */
+#undef HAVE_SYSCONF
+
+/* Define if you have the sysctl function.  */
+#undef HAVE_SYSCTL
+
+/* Define if you have the syslog function.  */
+#undef HAVE_SYSLOG
+
+/* Define if you have the tgetent function.  */
+#undef HAVE_TGETENT
+
+/* Define if you have the ttyname function.  */
+#undef HAVE_TTYNAME
+
+/* Define if you have the ttyslot function.  */
+#undef HAVE_TTYSLOT
+
+/* Define if you have the ulimit function.  */
+#undef HAVE_ULIMIT
+
+/* Define if you have the uname function.  */
+#undef HAVE_UNAME
+
+/* Define if you have the unlockpt function.  */
+#undef HAVE_UNLOCKPT
+
+/* Define if you have the unsetenv function.  */
+#undef HAVE_UNSETENV
+
+/* Define if you have the vasnprintf function.  */
+#undef HAVE_VASNPRINTF
+
+/* Define if you have the vasprintf function.  */
+#undef HAVE_VASPRINTF
+
+/* Define if you have the verr function.  */
+#undef HAVE_VERR
+
+/* Define if you have the verrx function.  */
+#undef HAVE_VERRX
+
+/* Define if you have the vhangup function.  */
+#undef HAVE_VHANGUP
+
+/* Define if you have the vsnprintf function.  */
+#undef HAVE_VSNPRINTF
+
+/* Define if you have the vsyslog function.  */
+#undef HAVE_VSYSLOG
+
+/* Define if you have the vwarn function.  */
+#undef HAVE_VWARN
+
+/* Define if you have the vwarnx function.  */
+#undef HAVE_VWARNX
+
+/* Define if you have the warn function.  */
+#undef HAVE_WARN
+
+/* Define if you have the warnx function.  */
+#undef HAVE_WARNX
+
+/* Define if you have the writev function.  */
+#undef HAVE_WRITEV
+
+/* Define if you have the XauReadAuth function.  */
+#undef HAVE_XAUREADAUTH
+
+/* Define if you have the XauWriteAuth function.  */
+#undef HAVE_XAUWRITEAUTH
+
+/* Define if you have the yp_get_default_domain function.  */
+#undef HAVE_YP_GET_DEFAULT_DOMAIN
+
+/* Define if you have the <arpa/ftp.h> header file.  */
+#undef HAVE_ARPA_FTP_H
+
+/* Define if you have the <arpa/inet.h> header file.  */
+#undef HAVE_ARPA_INET_H
+
+/* Define if you have the <arpa/nameser.h> header file.  */
+#undef HAVE_ARPA_NAMESER_H
+
+/* Define if you have the <arpa/telnet.h> header file.  */
+#undef HAVE_ARPA_TELNET_H
+
+/* Define if you have the <bsd/bsd.h> header file.  */
+#undef HAVE_BSD_BSD_H
+
+/* Define if you have the <bsdsetjmp.h> header file.  */
+#undef HAVE_BSDSETJMP_H
+
+/* Define if you have the <crypt.h> header file.  */
+#undef HAVE_CRYPT_H
+
+/* Define if you have the <curses.h> header file.  */
+#undef HAVE_CURSES_H
+
+/* Define if you have the <dbm.h> header file.  */
+#undef HAVE_DBM_H
+
+/* Define if you have the <dirent.h> header file.  */
+#undef HAVE_DIRENT_H
+
+/* Define if you have the <err.h> header file.  */
+#undef HAVE_ERR_H
+
+/* Define if you have the <errno.h> header file.  */
+#undef HAVE_ERRNO_H
+
+/* Define if you have the <fcntl.h> header file.  */
+#define HAVE_FCNTL_H 1
+
+/* Define if you have the <fnmatch.h> header file.  */
+#undef HAVE_FNMATCH_H
+
+/* Define if you have the <grp.h> header file.  */
+#undef HAVE_GRP_H
+
+/* Define if you have the <inttypes.h> header file.  */
+#undef HAVE_INTTYPES_H
+
+/* Define if you have the <io.h> header file.  */
+#define HAVE_IO_H 1
+
+/* Define if you have the <lastlog.h> header file.  */
+#undef HAVE_LASTLOG_H
+
+/* Define if you have the <libutil.h> header file.  */
+#undef HAVE_LIBUTIL_H
+
+/* Define if you have the <limits.h> header file.  */
+#undef HAVE_LIMITS_H
+
+/* Define if you have the <login.h> header file.  */
+#undef HAVE_LOGIN_H
+
+/* Define if you have the <maillock.h> header file.  */
+#undef HAVE_MAILLOCK_H
+
+/* Define if you have the <ndbm.h> header file.  */
+#undef HAVE_NDBM_H
+
+/* Define if you have the <net/if.h> header file.  */
+#undef HAVE_NET_IF_H
+
+/* Define if you have the <net/if_tun.h> header file.  */
+#undef HAVE_NET_IF_TUN_H
+
+/* Define if you have the <net/if_var.h> header file.  */
+#undef HAVE_NET_IF_VAR_H
+
+/* Define if you have the <netdb.h> header file.  */
+#undef HAVE_NETDB_H
+
+/* Define if you have the <netinet/in.h> header file.  */
+#undef HAVE_NETINET_IN_H
+
+/* Define if you have the <netinet/in6_machtypes.h> header file.  */
+#undef HAVE_NETINET_IN6_MACHTYPES_H
+
+/* Define if you have the <netinet/in_systm.h> header file.  */
+#undef HAVE_NETINET_IN_SYSTM_H
+
+/* Define if you have the <netinet/ip.h> header file.  */
+#undef HAVE_NETINET_IP_H
+
+/* Define if you have the <netinet/tcp.h> header file.  */
+#undef HAVE_NETINET_TCP_H
+
+/* Define if you have the <paths.h> header file.  */
+#undef HAVE_PATHS_H
+
+/* Define if you have the <pty.h> header file.  */
+#undef HAVE_PTY_H
+
+/* Define if you have the <pwd.h> header file.  */
+#undef HAVE_PWD_H
+
+/* Define if you have the <resolv.h> header file.  */
+#undef HAVE_RESOLV_H
+
+/* Define if you have the <rpcsvc/dbm.h> header file.  */
+#undef HAVE_RPCSVC_DBM_H
+
+/* Define if you have the <rpcsvc/ypclnt.h> header file.  */
+#undef HAVE_RPCSVC_YPCLNT_H
+
+/* Define if you have the <sac.h> header file.  */
+#undef HAVE_SAC_H
+
+/* Define if you have the <security/pam_modules.h> header file.  */
+#undef HAVE_SECURITY_PAM_MODULES_H
+
+/* Define if you have the <shadow.h> header file.  */
+#undef HAVE_SHADOW_H
+
+/* Define if you have the <siad.h> header file.  */
+#undef HAVE_SIAD_H
+
+/* Define if you have the <signal.h> header file.  */
+#define HAVE_SIGNAL_H 1
+
+/* Define if you have the <stropts.h> header file.  */
+#undef HAVE_STROPTS_H
+
+/* Define if you have the <sys/bitypes.h> header file.  */
+#undef HAVE_SYS_BITYPES_H
+
+/* Define if you have the <sys/category.h> header file.  */
+#undef HAVE_SYS_CATEGORY_H
+
+/* Define if you have the <sys/file.h> header file.  */
+#undef HAVE_SYS_FILE_H
+
+/* Define if you have the <sys/filio.h> header file.  */
+#undef HAVE_SYS_FILIO_H
+
+/* Define if you have the <sys/ioccom.h> header file.  */
+#undef HAVE_SYS_IOCCOM_H
+
+/* Define if you have the <sys/ioctl.h> header file.  */
+#undef HAVE_SYS_IOCTL_H
+
+/* Define if you have the <sys/locking.h> header file.  */
+#define HAVE_SYS_LOCKING_H 1
+
+/* Define if you have the <sys/mman.h> header file.  */
+#undef HAVE_SYS_MMAN_H
+
+/* Define if you have the <sys/param.h> header file.  */
+#undef HAVE_SYS_PARAM_H
+
+/* Define if you have the <sys/proc.h> header file.  */
+#undef HAVE_SYS_PROC_H
+
+/* Define if you have the <sys/pty.h> header file.  */
+#undef HAVE_SYS_PTY_H
+
+/* Define if you have the <sys/ptyio.h> header file.  */
+#undef HAVE_SYS_PTYIO_H
+
+/* Define if you have the <sys/ptyvar.h> header file.  */
+#undef HAVE_SYS_PTYVAR_H
+
+/* Define if you have the <sys/resource.h> header file.  */
+#undef HAVE_SYS_RESOURCE_H
+
+/* Define if you have the <sys/select.h> header file.  */
+#undef HAVE_SYS_SELECT_H
+
+/* Define if you have the <sys/socket.h> header file.  */
+#undef HAVE_SYS_SOCKET_H
+
+/* Define if you have the <sys/sockio.h> header file.  */
+#undef HAVE_SYS_SOCKIO_H
+
+/* Define if you have the <sys/stat.h> header file.  */
+#define HAVE_SYS_STAT_H 1
+
+/* Define if you have the <sys/str_tty.h> header file.  */
+#undef HAVE_SYS_STR_TTY_H
+
+/* Define if you have the <sys/stream.h> header file.  */
+#undef HAVE_SYS_STREAM_H
+
+/* Define if you have the <sys/stropts.h> header file.  */
+#undef HAVE_SYS_STROPTS_H
+
+/* Define if you have the <sys/strtty.h> header file.  */
+#undef HAVE_SYS_STRTTY_H
+
+/* Define if you have the <sys/syscall.h> header file.  */
+#undef HAVE_SYS_SYSCALL_H
+
+/* Define if you have the <sys/sysctl.h> header file.  */
+#undef HAVE_SYS_SYSCTL_H
+
+/* Define if you have the <sys/termio.h> header file.  */
+#undef HAVE_SYS_TERMIO_H
+
+/* Define if you have the <sys/time.h> header file.  */
+#undef HAVE_SYS_TIME_H
+
+/* Define if you have the <sys/timeb.h> header file.  */
+#define HAVE_SYS_TIMEB_H 1
+
+/* Define if you have the <sys/times.h> header file.  */
+#undef HAVE_SYS_TIMES_H
+
+/* Define if you have the <sys/tty.h> header file.  */
+#undef HAVE_SYS_TTY_H
+
+/* Define if you have the <sys/types.h> header file.  */
+#define HAVE_SYS_TYPES_H 1
+
+/* Define if you have the <sys/uio.h> header file.  */
+#undef HAVE_SYS_UIO_H
+
+/* Define if you have the <sys/un.h> header file.  */
+#undef HAVE_SYS_UN_H
+
+/* Define if you have the <sys/utsname.h> header file.  */
+#undef HAVE_SYS_UTSNAME_H
+
+/* Define if you have the <sys/wait.h> header file.  */
+#undef HAVE_SYS_WAIT_H
+
+/* Define if you have the <syslog.h> header file.  */
+#undef HAVE_SYSLOG_H
+
+/* Define if you have the <term.h> header file.  */
+#undef HAVE_TERM_H
+
+/* Define if you have the <termcap.h> header file.  */
+#undef HAVE_TERMCAP_H
+
+/* Define if you have the <termio.h> header file.  */
+#undef HAVE_TERMIO_H
+
+/* Define if you have the <termios.h> header file.  */
+#undef HAVE_TERMIOS_H
+
+/* Define if you have the <tmpdir.h> header file.  */
+#undef HAVE_TMPDIR_H
+
+/* Define if you have the <ttyent.h> header file.  */
+#undef HAVE_TTYENT_H
+
+/* Define if you have the <udb.h> header file.  */
+#undef HAVE_UDB_H
+
+/* Define if you have the <ulimit.h> header file.  */
+#undef HAVE_ULIMIT_H
+
+/* Define if you have the <unistd.h> header file.  */
+#undef HAVE_UNISTD_H
+
+/* Define if you have the <userpw.h> header file.  */
+#undef HAVE_USERPW_H
+
+/* Define if you have the <usersec.h> header file.  */
+#undef HAVE_USERSEC_H
+
+/* Define if you have the <util.h> header file.  */
+#undef HAVE_UTIL_H
+
+/* Define if you have the <utime.h> header file.  */
+#undef HAVE_UTIME_H
+
+/* Define if you have the <utmp.h> header file.  */
+#undef HAVE_UTMP_H
+
+/* Define if you have the <utmpx.h> header file.  */
+#undef HAVE_UTMPX_H
+
+/* Define if you have the <wait.h> header file.  */
+#undef HAVE_WAIT_H
+
+/* Define if you have the c_r library (-lc_r).  */
+#undef HAVE_LIBC_R
+
+/* Define if you have the cfg library (-lcfg).  */
+#undef HAVE_LIBCFG
+
+/* Define if you have the crypt library (-lcrypt).  */
+#undef HAVE_LIBCRYPT
+
+/* Define if you have the curses library (-lcurses).  */
+#undef HAVE_LIBCURSES
+
+/* Define if you have the dl library (-ldl).  */
+#undef HAVE_LIBDL
+
+/* Define if you have the edit library (-ledit).  */
+#undef HAVE_LIBEDIT
+
+/* Define if you have the ncurses library (-lncurses).  */
+#undef HAVE_LIBNCURSES
+
+/* Define if you have the nsl library (-lnsl).  */
+#undef HAVE_LIBNSL
+
+/* Define if you have the odm library (-lodm).  */
+#undef HAVE_LIBODM
+
+/* Define if you have the readline library (-lreadline).  */
+#undef HAVE_LIBREADLINE
+
+/* Define if you have the resolv library (-lresolv).  */
+#undef HAVE_LIBRESOLV
+
+/* Define if you have the s library (-ls).  */
+#undef HAVE_LIBS
+
+/* Define if you have the socket library (-lsocket).  */
+#undef HAVE_LIBSOCKET
+
+/* Define if you have the syslog library (-lsyslog).  */
+#undef HAVE_LIBSYSLOG
+
+/* Define if you have the termcap library (-ltermcap).  */
+#undef HAVE_LIBTERMCAP
+
+/* Define if you have the util library (-lutil).  */
+#undef HAVE_LIBUTIL
+
+/* Define if you have the X11 library (-lX11).  */
+#undef HAVE_LIBX11
+
+/* Define if you have the Xau library (-lXau).  */
+#undef HAVE_LIBXAU
+
+/* Name of package */
+#undef PACKAGE
+
+/* Version number of package */
+#undef VERSION
+
+/* Define if you have the socks package */
+#undef SOCKS
+
+/* Define to enable old kdestroy behavior. */
+#undef LEGACY_KDESTROY
+
+/* Define if you want to match subdomains. */
+#undef MATCH_SUBDOMAINS
+
+/* Define this to be the directory where the 
+	dictionary for cracklib resides. */
+#undef DICTPATH
+
+/* Define this to the path of the mail spool directory. */
+#undef KRB4_MAILDIR
+
+/* Define this to the kerberos database directory. */
+#undef DB_DIR
+
+/* Define to enable new master key code. */
+#undef RANDOM_MKEY
+
+/* Define this to the location of the master key. */
+#undef MKEYFILE
+
+/* Define to enable basic OSF C2 support. */
+#undef HAVE_OSFC2
+
+/* Define if you don't want to use mmap. */
+#undef NO_MMAP
+
+/* Define if you don't wan't support for AFS. */
+#undef NO_AFS
+
+/* Set this to the type of des-quad-cheksum to use. */
+#define DES_QUAD_DEFAULT DES_QUAD_GUESS
+
+/* Define if you have the readline package */
+#undef READLINE
+
+/* Define if you have the hesiod package */
+#undef HESIOD
+
+/* define if your compiler has __attribute__ */
+#undef HAVE___ATTRIBUTE__
+
+/* Huh? */
+#undef HAVE_STRANGE_INT8_T
+
+/* Define if NDBM really is DB (creates files ending in .db). */
+#undef HAVE_NEW_DB
+
+/* Define if you have NDBM (and not DBM) */
+#undef NDBM
+
+/* define if you have a working snprintf */
+#undef HAVE_SNPRINTF
+
+/* define if the system is missing a prototype for snprintf() */
+#undef NEED_SNPRINTF_PROTO
+
+/* define if you have a glob() that groks 
+	GLOB_BRACE, GLOB_NOCHECK, GLOB_QUOTE, and GLOB_TILDE */
+#undef HAVE_GLOB
+
+/* define if the system is missing a prototype for glob() */
+#undef NEED_GLOB_PROTO
+
+/* Define if getpwnam_r has POSIX flavour. */
+#undef POSIX_GETPWNAM_R
+
+/* Define if getlogin has POSIX flavour (and not BSD). */
+#undef POSIX_GETLOGIN
+
+/* define if the system is missing a prototype for hstrerror() */
+#undef NEED_HSTRERROR_PROTO
+
+/* define if the system is missing a prototype for gethostname() */
+#undef NEED_GETHOSTNAME_PROTO
+
+/* define if the system is missing a prototype for mkstemp() */
+#undef NEED_MKSTEMP_PROTO
+
+/* define if the system is missing a prototype for inet_aton() */
+#undef NEED_INET_ATON_PROTO
+
+/* Define if realloc(NULL, X) doesn't work. */
+#undef BROKEN_REALLOC
+
+/* Define if getcwd is broken (like in SunOS 4). */
+#undef BROKEN_GETCWD
+
+/* define if prototype of gethostbyname is compatible with
+	struct hostent *gethostbyname(const char *) */
+#undef GETHOSTBYNAME_PROTO_COMPATIBLE
+
+/* define if prototype of gethostbyaddr is compatible with
+	struct hostent *gethostbyaddr(const void *, size_t, int) */
+#undef GETHOSTBYADDR_PROTO_COMPATIBLE
+
+/* define if prototype of getservbyname is compatible with
+	struct servent *getservbyname(const char *, const char *) */
+#undef GETSERVBYNAME_PROTO_COMPATIBLE
+
+/* define if prototype of openlog is compatible with
+	void openlog(const char *, int, int) */
+#undef OPENLOG_PROTO_COMPATIBLE
+
+/* define if the system is missing a prototype for crypt() */
+#undef NEED_CRYPT_PROTO
+
+/* define if the system is missing a prototype for fclose() */
+#undef NEED_FCLOSE_PROTO
+
+/* define if the system is missing a prototype for strtok_r() */
+#undef NEED_STRTOK_R_PROTO
+
+/* define if the system is missing a prototype for getusershell() */
+#undef NEED_GETUSERSHELL_PROTO
+
+/* define if the system is missing a prototype for utime() */
+#undef NEED_UTIME_PROTO
+
+/* define if you have h_errno */
+#define HAVE_H_ERRNO 1
+
+/* define if your system declares h_errno */
+#define HAVE_H_ERRNO_DECLARATION 1
+
+/* define if you have h_errlist */
+#undef HAVE_H_ERRLIST
+
+/* define if your system declares h_errlist */
+#undef HAVE_H_ERRLIST_DECLARATION
+
+/* define if you have h_nerr */
+#undef HAVE_H_NERR
+
+/* define if your system declares h_nerr */
+#undef HAVE_H_NERR_DECLARATION
+
+/* define if you have __progname */
+#undef HAVE___PROGNAME
+
+/* define if your system declares __progname */
+#undef HAVE___PROGNAME_DECLARATION
+
+/* define if your system declares optarg */
+#undef HAVE_OPTARG_DECLARATION
+
+/* define if your system declares optind */
+#undef HAVE_OPTIND_DECLARATION
+
+/* define if your system declares opterr */
+#undef HAVE_OPTERR_DECLARATION
+
+/* define if your system declares optopt */
+#undef HAVE_OPTOPT_DECLARATION
+
+/* define if your system declares environ */
+#undef HAVE_ENVIRON_DECLARATION
+
+/* Define if RETSIGTYPE == void. */
+#define VOID_RETSIGTYPE 1
+
+/* Define if struct utmp has field ut_addr. */
+#undef HAVE_STRUCT_UTMP_UT_ADDR
+
+/* Define if struct utmp has field ut_host. */
+#undef HAVE_STRUCT_UTMP_UT_HOST
+
+/* Define if struct utmp has field ut_id. */
+#undef HAVE_STRUCT_UTMP_UT_ID
+
+/* Define if struct utmp has field ut_pid. */
+#undef HAVE_STRUCT_UTMP_UT_PID
+
+/* Define if struct utmp has field ut_type. */
+#undef HAVE_STRUCT_UTMP_UT_TYPE
+
+/* Define if struct utmp has field ut_user. */
+#undef HAVE_STRUCT_UTMP_UT_USER
+
+/* Define if struct utmpx has field ut_exit. */
+#undef HAVE_STRUCT_UTMPX_UT_EXIT
+
+/* Define if struct utmpx has field ut_syslen. */
+#undef HAVE_STRUCT_UTMPX_UT_SYSLEN
+
+/* define if you have struct spwd */
+#undef HAVE_STRUCT_SPWD
+
+/* define if struct winsize is declared in sys/termios.h */
+#undef HAVE_STRUCT_WINSIZE
+
+/* define if struct winsize has ws_xpixel */
+#undef HAVE_WS_XPIXEL
+
+/* define if struct winsize has ws_ypixel */
+#undef HAVE_WS_YPIXEL
+
+/* Define this to what the type ssize_t should be. */
+#define ssize_t int
+
+/* Define if struct sockaddr has field sa_len. */
+#undef HAVE_STRUCT_SOCKADDR_SA_LEN
+
+/* Define if SIAENTITY has field ouid. */
+#undef HAVE_SIAENTITY_OUID
+
+/* Define if you have a working getmsg. */
+#undef HAVE_GETMSG
+
+/* Define if you have a readline function. */
+#undef HAVE_READLINE
+
+/* Define if you have working stream ptys. */
+#undef STREAMSPTY
+
+/* Define if /bin/ls has a `-A' flag. */
+#undef HAVE_LS_A
+
+
+#undef HAVE_INT8_T
+#undef HAVE_INT16_T
+#undef HAVE_INT32_T
+#undef HAVE_INT64_T
+#undef HAVE_U_INT8_T
+#undef HAVE_U_INT16_T
+#undef HAVE_U_INT32_T
+#undef HAVE_U_INT64_T
+
+/* This for compat with heimdal (or something) */
+#define KRB_PUT_INT(f, t, l, s) krb_put_int((f), (t), (l), (s))
+
+#define RCSID(msg) \
+static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
+
+/*
+ * Set ORGANIZATION to be the desired organization string printed
+ * by the 'kinit' program.  It may have spaces.
+ */
+#define ORGANIZATION "eBones International"
+
+#if 0
+#undef BINDIR 
+#undef LIBDIR
+#undef LIBEXECDIR
+#undef SBINDIR
+#endif
+
+#if 0
+#define KRB_CNF_FILES	{ "/etc/krb.conf",   "/etc/kerberosIV/krb.conf", 0}
+#define KRB_RLM_FILES	{ "/etc/krb.realms", "/etc/kerberosIV/krb.realms", 0}
+#define KRB_EQUIV	"/etc/krb.equiv"
+
+#define KEYFILE		"/etc/srvtab"
+
+#define KRBDIR		"/var/kerberos"
+#define DBM_FILE	KRBDIR "/principal"
+#define DEFAULT_ACL_DIR	KRBDIR
+
+#define KRBLOG		"/var/log/kerberos.log"	/* master server  */
+#define KRBSLAVELOG	"/var/log/kerberos_slave.log" /* slave server  */
+#define KADM_SYSLOG	"/var/log/admin_server.syslog"
+#define K_LOGFIL	"/var/log/kpropd.log"
+#endif
+
+/* Maximum values on all known systems */
+#define MaxHostNameLen (64+4)
+#define MaxPathLen (1024+4)
+
+/* ftp stuff -------------------------------------------------- */
+
+#define KERBEROS
+
+/* telnet stuff ----------------------------------------------- */
+
+/* define this for OTP support */
+#undef OTP
+
+/* define this if you have kerberos 4 */
+#define KRB4 1
+
+/* define this if you want encryption */
+#undef ENCRYPTION
+
+/* define this if you want authentication */
+#undef AUTHENTICATION
+
+#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
+#define AUTHENTICATION 1
+#endif
+
+/* Set this if you want des encryption */
+#undef DES_ENCRYPTION
+
+/* Set this to the default system lead string for telnetd 
+ * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
+ * %v=os-version, %t=tty, %h=hostname, %d=date and time
+ */
+#undef USE_IM
+
+/* define this if you want diagnostics in telnetd */
+#undef DIAGNOSTICS
+
+/* define this if you want support for broken ENV_{VALUE,VAR} systems  */
+#undef ENV_HACK
+
+/*  */
+#undef OLD_ENVIRON
+
+/* Used with login -p */
+#undef LOGIN_ARGS
+
+/* set this to a sensible login */
+#ifndef LOGIN_PATH
+#define LOGIN_PATH BINDIR "/login"
+#endif
+
+
+/* ------------------------------------------------------------ */
+
+#ifdef BROKEN_REALLOC
+#define realloc(X, Y) isoc_realloc((X), (Y))
+#define isoc_realloc(X, Y) ((X) ? realloc((X), (Y)) : malloc(Y))
+#endif
+
+#ifdef VOID_RETSIGTYPE
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+/* Temporary fixes for krb_{rd,mk}_safe */
+#define DES_QUAD_GUESS 0
+#define DES_QUAD_NEW 1
+#define DES_QUAD_OLD 2
+
+/*
+ * All these are system-specific defines that I would rather not have at all.
+ */
+
+/*
+ * AIX braindamage!
+ */
+#if _AIX
+#define _ALL_SOURCE
+/* XXX this is gross, but kills about a gazillion warnings */
+struct ether_addr;
+struct sockaddr;
+struct sockaddr_dl;
+struct sockaddr_in;
+#endif
+
+/*
+ * SunOS braindamage! (Sun include files are generally braindead)
+ */
+#if (defined(sun) || defined(__sun))
+#if defined(__svr4__) || defined(__SVR4)
+#define SunOS 5
+#else
+#define SunOS 4
+#endif
+#endif
+
+#if defined(__sgi) || defined(sgi)
+#if defined(__SYSTYPE_SVR4) || defined(_SYSTYPE_SVR4)
+#define IRIX 5
+#else
+#define IRIX 4
+#endif
+#endif
+
+/* IRIX 4 braindamage */
+#if IRIX == 4 && !defined(__STDC__)
+#define __STDC__ 0
+#endif
+
+/* some strange OS/2 stuff.  From <d96-mst@nada.kth.se> */
+
+#ifdef __EMX__
+#define _EMX_TCPIP
+#define MAIL_USE_SYSTEM_LOCK
+#endif
+
+#ifdef ROKEN_RENAME
+#include "roken_rename.h"
+#endif
diff --git a/crypto/kerberosIV/include/win32/ktypes.h b/crypto/kerberosIV/include/win32/ktypes.h
new file mode 100644
index 0000000..3d4af11
--- /dev/null
+++ b/crypto/kerberosIV/include/win32/ktypes.h
@@ -0,0 +1,11 @@
+#ifndef __KTYPES_H__
+#define __KTYPES_H__
+
+typedef signed char int8_t;
+typedef unsigned char u_int8_t;
+typedef short int16_t;
+typedef unsigned short u_int16_t;
+typedef int int32_t;
+typedef unsigned int u_int32_t;
+
+#endif /*  __KTYPES_H__ */
diff --git a/crypto/kerberosIV/include/win32/roken.h b/crypto/kerberosIV/include/win32/roken.h
new file mode 100644
index 0000000..9a3117f
--- /dev/null
+++ b/crypto/kerberosIV/include/win32/roken.h
@@ -0,0 +1,214 @@
+/* This is (as usual) a generated file,
+   it is also machine dependent */
+
+#ifndef __ROKEN_H__
+#define __ROKEN_H__
+
+/* -*- C -*- */
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: roken.h,v 1.8 1999/12/02 16:58:36 joda Exp $ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <signal.h>
+#include <time.h>
+
+
+
+#define ROKEN_LIB_FUNCTION
+
+#include <roken-common.h>
+
+
+int putenv(const char *string);
+
+int setenv(const char *var, const char *val, int rewrite);
+
+void unsetenv(const char *name);
+
+char *getusershell(void);
+void endusershell(void);
+
+int snprintf (char *str, size_t sz, const char *format, ...)
+     __attribute__ ((format (printf, 3, 4)));
+
+int vsnprintf (char *str, size_t sz, const char *format, va_list ap)
+     __attribute__((format (printf, 3, 0)));
+
+int asprintf (char **ret, const char *format, ...)
+     __attribute__ ((format (printf, 2, 3)));
+
+int vasprintf (char **ret, const char *format, va_list ap)
+     __attribute__((format (printf, 2, 0)));
+
+int asnprintf (char **ret, size_t max_sz, const char *format, ...)
+     __attribute__ ((format (printf, 3, 4)));
+
+int vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap)
+     __attribute__((format (printf, 3, 0)));
+
+char * strdup(const char *old);
+
+char * strlwr(char *);
+
+int strnlen(char*, int);
+
+char *strsep(char**, const char*);
+
+int strcasecmp(const char *s1, const char *s2);
+
+
+
+char * strupr(char *);
+
+size_t strlcpy (char *dst, const char *src, size_t dst_sz);
+
+size_t strlcat (char *dst, const char *src, size_t dst_sz);
+
+int getdtablesize(void);
+
+char *strerror(int eno);
+
+/* This causes a fatal error under Psoriasis */
+const char *hstrerror(int herr);
+
+extern int h_errno;
+
+int inet_aton(const char *cp, struct in_addr *adr);
+
+char* getcwd(char *path, size_t size);
+
+
+int seteuid(uid_t euid);
+
+int setegid(gid_t egid);
+
+int lstat(const char *path, struct stat *buf);
+
+int mkstemp(char *);
+
+int initgroups(const char *name, gid_t basegid);
+
+int fchown(int fd, uid_t owner, gid_t group);
+
+int daemon(int nochdir, int noclose);
+
+int innetgr(const char *netgroup, const char *machine, 
+	    const char *user, const char *domain);
+
+int chown(const char *path, uid_t owner, gid_t group);
+
+int rcmd(char **ahost, unsigned short inport, const char *locuser,
+	 const char *remuser, const char *cmd, int *fd2p);
+
+int innetgr(const char*, const char*, const char*, const char*);
+
+int iruserok(unsigned raddr, int superuser, const char *ruser,
+	     const char *luser);
+
+int gethostname(char *name, int namelen);
+
+ssize_t
+writev(int d, const struct iovec *iov, int iovcnt);
+
+ssize_t
+readv(int d, const struct iovec *iov, int iovcnt);
+
+int
+mkstemp(char *template);
+
+#define LOCK_SH   1		/* Shared lock */
+#define LOCK_EX   2		/* Exclusive lock */
+#define LOCK_NB   4		/* Don't block when locking */
+#define LOCK_UN   8		/* Unlock */
+
+int flock(int fd, int operation);
+
+time_t tm2time (struct tm tm, int local);
+
+int unix_verify_user(char *user, char *password);
+
+void inaddr2str(struct in_addr addr, char *s, size_t len);
+
+void mini_inetd (int port);
+
+int roken_concat (char *s, size_t len, ...);
+
+size_t roken_mconcat (char **s, size_t max_len, ...);
+
+int roken_vconcat (char *s, size_t len, va_list args);
+
+size_t roken_vmconcat (char **s, size_t max_len, va_list args);
+
+ssize_t net_write (int fd, const void *buf, size_t nbytes);
+
+ssize_t net_read (int fd, void *buf, size_t nbytes);
+
+int issuid(void);
+
+struct winsize {
+	unsigned short ws_row, ws_col;
+	unsigned short ws_xpixel, ws_ypixel;
+};
+
+int get_window_size(int fd, struct winsize *);
+
+void vsyslog(int pri, const char *fmt, va_list ap);
+
+extern char *optarg;
+extern int optind;
+extern int opterr;
+
+extern const char *__progname;
+
+extern char **environ;
+
+/*
+ * kludges and such
+ */
+
+int roken_gethostby_setup(const char*, const char*);
+struct hostent* roken_gethostbyname(const char*);
+struct hostent* roken_gethostbyaddr(const void*, size_t, int);
+
+#define roken_getservbyname(x,y) getservbyname((char *)x, (char *)y)
+
+#define roken_openlog(a,b,c) openlog((char *)a,b,c)
+
+void set_progname(char *argv0);
+
+#endif /* __ROKEN_H__ */
diff --git a/crypto/kerberosIV/include/win32/version.h b/crypto/kerberosIV/include/win32/version.h
new file mode 100644
index 0000000..07fe2eb
--- /dev/null
+++ b/crypto/kerberosIV/include/win32/version.h
@@ -0,0 +1,2 @@
+char *krb4_long_version = "krb4-0.9.7 on Windows NT";
+char *krb4_version = "0.9.7";
diff --git a/crypto/kerberosIV/include/win32/winconf.sh b/crypto/kerberosIV/include/win32/winconf.sh
new file mode 100644
index 0000000..a7d5f28
--- /dev/null
+++ b/crypto/kerberosIV/include/win32/winconf.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# $Id: winconf.sh,v 1.1 1997/11/09 14:35:15 joda Exp $
+
+cat ../config.h.in | sed '
+s%#undef gid_t$%#define gid_t int%
+s%#undef STDC_HEADERS$%#define STDC_HEADERS 1%
+s%#undef uid_t$%#define uid_t int%
+s%#undef ssize_t$%#define ssize_t int%
+s%#undef VOID_RETSIGTYPE$%#define VOID_RETSIGTYPE 1%
+s%#undef HAVE_H_ERRNO$%#define HAVE_H_ERRNO 1%
+s%#undef HAVE_H_ERRNO_DECLARATION$%#define HAVE_H_ERRNO_DECLARATION 1%
+s%#undef HAVE__STRICMP$%#define HAVE__STRICMP 1%
+s%#undef HAVE_GETHOSTBYNAME$%#define HAVE_GETHOSTBYNAME 1%
+s%#undef HAVE_GETHOSTNAME$%#define HAVE_GETHOSTNAME 1%
+s%#undef HAVE_GETSERVBYNAME$%#define HAVE_GETSERVBYNAME 1%
+s%#undef HAVE_GETSOCKOPT$%#define HAVE_GETSOCKOPT 1%
+s%#undef HAVE_MEMMOVE$%#define HAVE_MEMMOVE 1%
+s%#undef HAVE_MKTIME$%#define HAVE_MKTIME 1%
+s%#undef HAVE_RAND$%#define HAVE_RAND 1%
+s%#undef HAVE_SETSOCKOPT$%#define HAVE_SETSOCKOPT 1%
+s%#undef HAVE_SOCKET$%#define HAVE_SOCKET 1%
+s%#undef HAVE_STRDUP$%#define HAVE_STRDUP 1%
+s%#undef HAVE_STRFTIME$%#define HAVE_STRFTIME 1%
+s%#undef HAVE_STRLWR$%#define HAVE_STRLWR 1%
+s%#undef HAVE_STRUPR$%#define HAVE_STRUPR 1%
+s%#undef HAVE_SWAB$%#define HAVE_SWAB 1%
+s%#undef HAVE_FCNTL_H$%#define HAVE_FCNTL_H 1%
+s%#undef HAVE_IO_H$%#define HAVE_IO_H 1%
+s%#undef HAVE_SIGNAL_H$%#define HAVE_SIGNAL_H 1%
+s%#undef HAVE_SYS_LOCKING_H$%#define HAVE_SYS_LOCKING_H 1%
+s%#undef HAVE_SYS_STAT_H$%#define HAVE_SYS_STAT_H 1%
+s%#undef HAVE_SYS_TIMEB_H$%#define HAVE_SYS_TIMEB_H 1%
+s%#undef HAVE_SYS_TYPES_H$%#define HAVE_SYS_TYPES_H 1%
+s%#undef HAVE_WINSOCK_H$%#define HAVE_WINSOCK_H 1%
+s%#undef KRB4$%#define KRB4 1%
+s%#undef DES_QUAD_DEFAULT$%#define DES_QUAD_DEFAULT DES_QUAD_GUESS%' > config.h
diff --git a/crypto/kerberosIV/install-sh b/crypto/kerberosIV/install-sh
new file mode 100644
index 0000000..ebc6691
--- /dev/null
+++ b/crypto/kerberosIV/install-sh
@@ -0,0 +1,250 @@
+#! /bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5 (mit/util/scripts/install.sh).
+#
+# Copyright 1991 by the Massachusetts Institute of Technology
+#
+# Permission to use, copy, modify, distribute, and sell this software and its
+# documentation for any purpose is hereby granted without fee, provided that
+# the above copyright notice appear in all copies and that both that
+# copyright notice and this permission notice appear in supporting
+# documentation, and that the name of M.I.T. not be used in advertising or
+# publicity pertaining to distribution of the software without specific,
+# written prior permission.  M.I.T. makes no representations about the
+# suitability of this software for any purpose.  It is provided "as is"
+# without express or implied warranty.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.  It can only install one file at a time, a restriction
+# shared with many OS's install programs.
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/crypto/kerberosIV/kadmin/Design.txt b/crypto/kerberosIV/kadmin/Design.txt
new file mode 100644
index 0000000..7763a04
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/Design.txt
@@ -0,0 +1,23 @@
+// This file attempts to present the internal functioning of the new kerberos
+// admin server and interface..
+
+//
+// The calling side
+//
+
+// Outer interface (programmers interface)
+kadm_mod_entry(vals *old_dat, vals *new_dat) returns (vals *cur_dat)
+    // sends a command telling the server to change all entries which match
+    //   old_dat to entries matching new_dat
+    // returns in cur_dat the actual current values of the modified records
+    // implemented with calls to _vals_to_stream, _send_out, _take_in, and
+    //   _stream_to_vals, _interpret_ret
+
+// Inner calls
+_vals_to_stream (vals *, unsigned char *)
+    // converts a vals structure to a byte stream for transmission over the net
+
+_stream_to_vals (unsigned char *, vals *)
+    // converts a byte stream recieved into a vals structure
+
+
diff --git a/crypto/kerberosIV/kadmin/Makefile.in b/crypto/kerberosIV/kadmin/Makefile.in
new file mode 100644
index 0000000..0227ad6
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/Makefile.in
@@ -0,0 +1,125 @@
+# $Id: Makefile.in,v 1.47 1999/03/10 19:01:13 joda Exp $
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+top_builddir=..
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+LN_S = @LN_S@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+
+LIB_tgetent = @LIB_tgetent@
+LIB_readline = @LIB_readline@
+LIB_DBM = @LIB_DBM@
+LIBS = @LIBS@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+CRACKLIB = @CRACKLIB@
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+libexecdir = @libexecdir@
+bindir = @bindir@
+sbindir = @sbindir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+PROG_BIN	= kpasswd$(EXECSUFFIX) \
+		  kadmin$(EXECSUFFIX)
+PROG_SBIN	= ksrvutil$(EXECSUFFIX)
+PROG_LIBEXEC	= kadmind$(EXECSUFFIX)
+PROGS = $(PROG_BIN) $(PROG_SBIN) $(PROG_LIBEXEC)
+
+SOURCES = kpasswd.c kadmin.c kadm_server.c kadm_funcs.c pw_check.c \
+          admin_server.c kadm_ser_wrap.c ksrvutil.c ksrvutil_get.c \
+	  new_pwd.c random_password.c
+
+OBJECTS = kpasswd.o kadmin.o kadm_server.o kadm_funcs.o \
+          admin_server.o kadm_ser_wrap.o ksrvutil.o ksrvutil_get.o \
+	  new_pwd.o random_password.o
+
+all: $(PROGS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(bindir)
+	for x in $(PROG_BIN); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+	$(MKINSTALLDIRS) $(DESTDIR)$(sbindir)
+	for x in $(PROG_SBIN); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(sbindir)/`echo $$x | sed '$(transform)'`; \
+	done
+	$(MKINSTALLDIRS) $(DESTDIR)$(libexecdir)
+	for x in $(PROG_LIBEXEC); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+	@rm -f $(prefix)/sbin/kadmin
+
+uninstall:
+	for x in $(PROG_BIN); do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+	for x in $(PROG_SBIN); do \
+	  rm -f $(DESTDIR)$(sbindir)/`echo $$x | sed '$(transform)'`; \
+	done
+	for x in $(PROG_LIBEXEC); do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f *.a *.o $(PROGS)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+KLIB=-L../lib/kadm -lkadm -L../lib/krb -lkrb -L../lib/des -ldes -L../lib/com_err -lcom_err
+LIBROKEN=-L../lib/roken -lroken
+
+kpasswd$(EXECSUFFIX): kpasswd.o new_pwd.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kpasswd.o new_pwd.o $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+kadmin_OBJECTS = kadmin.o new_pwd.o random_password.o
+
+kadmin$(EXECSUFFIX): $(kadmin_OBJECTS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(kadmin_OBJECTS) $(KLIB) -L../lib/sl -lsl $(LIBROKEN) $(LIBS) $(LIB_readline) $(LIBROKEN)
+
+KADMIND_OBJECTS=kadm_server.o kadm_funcs.o admin_server.o kadm_ser_wrap.o pw_check.o
+
+kadmind$(EXECSUFFIX): $(KADMIND_OBJECTS)
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ $(KADMIND_OBJECTS) -L../lib/kdb -lkdb -L../lib/acl -lacl $(KLIB) $(CRACKLIB) $(LIBROKEN) $(LIB_DBM) $(LIBS)
+
+ksrvutil$(EXECSUFFIX): ksrvutil.o ksrvutil_get.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ ksrvutil.o ksrvutil_get.o $(KLIB) $(LIBROKEN) $(LIBS)
+
+$(OBJECTS): ../include/config.h
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/kadmin/admin_server.c b/crypto/kerberosIV/kadmin/admin_server.c
new file mode 100644
index 0000000..14347fd
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/admin_server.c
@@ -0,0 +1,610 @@
+/*
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * Top-level loop of the kerberos Administration server
+ */
+
+/*
+  admin_server.c
+  this holds the main loop and initialization and cleanup code for the server
+*/
+
+#include "kadm_locl.h"
+
+RCSID("$Id: admin_server.c,v 1.49.2.2 2000/10/18 20:24:57 assar Exp $");
+
+/* Almost all procs and such need this, so it is global */
+admin_params prm;		/* The command line parameters struct */
+
+/* GLOBAL */
+char *acldir = DEFAULT_ACL_DIR;
+static char krbrlm[REALM_SZ];
+
+#define MAXCHILDREN 100
+
+struct child {
+    pid_t pid;
+    int pipe_fd;
+    int authenticated;
+};
+
+static unsigned nchildren = 0;
+static struct child children[MAXCHILDREN];
+
+static int exit_now = 0;
+
+static
+RETSIGTYPE
+doexit(int sig)
+{
+    exit_now = 1;
+    SIGRETURN(0);
+}
+   
+static sig_atomic_t do_wait;
+
+static
+RETSIGTYPE
+do_child(int sig)
+{
+    do_wait = 1;
+    SIGRETURN(0);
+}
+
+
+static void
+kill_children(void)
+{
+    int i;
+
+    for (i = 0; i < nchildren; i++) {
+	kill(children[i].pid, SIGINT);
+	close (children[i].pipe_fd);
+	krb_log("killing child %d", children[i].pid);
+    }
+}
+
+/* close the system log file */
+static void
+close_syslog(void)
+{
+   krb_log("Shutting down admin server");
+}
+
+static void
+byebye(void)			/* say goodnight gracie */
+{
+   printf("Admin Server (kadm server) has completed operation.\n");
+}
+
+static void
+clear_secrets(void)
+{
+    memset(server_parm.master_key, 0, sizeof(server_parm.master_key));
+    memset(server_parm.master_key_schedule, 0,
+	  sizeof(server_parm.master_key_schedule));
+    server_parm.master_key_version = 0L;
+}
+
+static void
+cleanexit(int val)
+{
+    kerb_fini();
+    clear_secrets();
+    exit(val);
+}
+
+static RETSIGTYPE
+sigalrm(int sig)
+{
+    cleanexit(1);
+}
+
+/*
+ * handle the client on the socket `fd' from `who'
+ * `signal_fd' is a pipe on which to signal when the user has been
+ * authenticated
+ */
+
+static void
+process_client(int fd, struct sockaddr_in *who, int signal_fd)
+{
+    u_char *dat;
+    int dat_len;
+    u_short dlen;
+    int retval;
+    Principal service;
+    des_cblock skey;
+    int more;
+    int status;
+    int authenticated = 0;
+
+    /* make this connection time-out after 1 second if the user has
+       not managed one transaction succesfully in kadm_ser_in */
+
+    signal(SIGALRM, sigalrm);
+    alarm(2);
+
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+    {
+	int on = 1;
+	    
+	if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE,
+		       (void *)&on, sizeof(on)) < 0)
+	    krb_log("setsockopt keepalive: %d",errno);
+    }
+#endif
+
+    server_parm.recv_addr = *who;
+
+    if (kerb_init()) {			/* Open as client */
+	krb_log("can't open krb db");
+	cleanexit(1);
+    }
+    /* need to set service key to changepw.KRB_MASTER */
+
+    status = kerb_get_principal(server_parm.sname, server_parm.sinst, &service,
+				1, &more);
+    if (status == -1) {
+      /* db locked */
+      char *pdat;
+      
+      dat_len = KADM_VERSIZE + 4;
+      dat = (u_char *) malloc(dat_len);
+      if (dat == NULL) {
+	  krb_log("malloc failed");
+	  cleanexit(4);
+      }
+      pdat = (char *) dat;
+      memcpy(pdat, KADM_ULOSE, KADM_VERSIZE);
+      krb_put_int (KADM_DB_INUSE, pdat + KADM_VERSIZE, 4, 4);
+      goto out;
+    } else if (!status) {
+      krb_log("no service %s.%s",server_parm.sname, server_parm.sinst);
+      cleanexit(2);
+    }
+
+    copy_to_key(&service.key_low, &service.key_high, skey);
+    memset(&service, 0, sizeof(service));
+    kdb_encrypt_key (&skey, &skey, &server_parm.master_key,
+		     server_parm.master_key_schedule, DES_DECRYPT);
+    krb_set_key(skey, 0); /* if error, will show up when
+					    rd_req fails */
+    memset(skey, 0, sizeof(skey));
+
+    while (1) {
+	void *errpkt;
+
+	errpkt = malloc(KADM_VERSIZE + 4);
+	if (errpkt == NULL) {
+	    krb_log("malloc: no memory");
+	    close(fd);
+	    cleanexit(4);
+	}
+
+	if ((retval = krb_net_read(fd, &dlen, sizeof(u_short))) !=
+	    sizeof(u_short)) {
+	    if (retval < 0)
+		krb_log("dlen read: %s",error_message(errno));
+	    else if (retval)
+		krb_log("short dlen read: %d",retval);
+	    close(fd);
+	    cleanexit(retval ? 3 : 0);
+	}
+	if (exit_now) {
+	    cleanexit(0);
+	}
+	dat_len = ntohs(dlen);
+	dat = (u_char *) malloc(dat_len);
+	if (dat == NULL) {
+	    krb_log("malloc: No memory");
+	    close(fd);
+	    cleanexit(4);
+	}
+	if ((retval = krb_net_read(fd, dat, dat_len)) != dat_len) {
+	    if (retval < 0)
+		krb_log("data read: %s",error_message(errno));
+	    else
+		krb_log("short read: %d vs. %d", dat_len, retval);
+	    close(fd);
+	    cleanexit(5);
+	}
+    	if (exit_now) {
+	    cleanexit(0);
+	}
+	retval = kadm_ser_in(&dat, &dat_len, errpkt);
+
+	if (retval == KADM_SUCCESS) {
+	    if (!authenticated) {
+		unsigned char one = 1;
+
+		authenticated = 1;
+		alarm (0);
+		write (signal_fd, &one, 1);
+	    }
+	} else {
+	    krb_log("processing request: %s", error_message(retval));
+	}
+    
+	/* kadm_ser_in did the processing and returned stuff in
+	   dat & dat_len , return the appropriate data */
+    
+    out:
+	dlen = htons(dat_len);
+    
+	if (krb_net_write(fd, &dlen, sizeof(u_short)) < 0) {
+	    krb_log("writing dlen to client: %s",error_message(errno));
+	    close(fd);
+	    cleanexit(6);
+	}
+    
+	if (krb_net_write(fd, dat, dat_len) < 0) {
+	    krb_log("writing to client: %s", error_message(errno));
+	    close(fd);
+	    cleanexit(7);
+	}
+	free(dat);
+    }
+    /*NOTREACHED*/
+}
+
+static void
+accept_client (int admin_fd)
+{
+    int pipe_fd[2];
+    int addrlen;
+    struct sockaddr_in peer;
+    pid_t pid;
+    int peer_fd;
+
+    /* using up the maximum number of children, try to get rid
+       of one unauthenticated one */
+
+    if (nchildren >= MAXCHILDREN) {
+	int i, nunauth = 0;
+	int victim;
+
+	for (;;) {
+	    for (i = 0; i < nchildren; ++i)
+		if (children[i].authenticated == 0)
+		    ++nunauth;
+	    if (nunauth == 0)
+		return;
+
+	    victim = rand() % nchildren;
+	    if (children[victim].authenticated == 0) {
+		kill(children[victim].pid, SIGINT);
+		close(children[victim].pipe_fd);
+		for (i = victim; i < nchildren; ++i)
+		    children[i] = children[i + 1];
+		--nchildren;
+		break;
+	    }
+	}
+    }
+
+    /* accept the conn */
+    addrlen = sizeof(peer);
+    peer_fd = accept(admin_fd, (struct sockaddr *)&peer, &addrlen);
+    if (peer_fd < 0) {
+	krb_log("accept: %s",error_message(errno));
+	return;
+    }
+    if (pipe (pipe_fd) < 0) {
+	krb_log ("pipe: %s", error_message(errno));
+	return;
+    }
+
+    if (pipe_fd[0] >= FD_SETSIZE
+	|| pipe_fd[1] >= FD_SETSIZE) {
+	krb_log ("pipe fds too large");
+	close (pipe_fd[0]);
+	close (pipe_fd[1]);
+	return;
+    }
+
+    pid = fork ();
+
+    if (pid < 0) {
+	krb_log ("fork: %s", error_message(errno));
+	close (pipe_fd[0]);
+	close (pipe_fd[1]);
+	return;
+    }
+
+    if (pid != 0) {
+	/* parent */
+	/* fork succeded: keep tabs on child */
+	close(peer_fd);
+	children[nchildren].pid     = pid;
+	children[nchildren].pipe_fd = pipe_fd[0];
+	children[nchildren].authenticated = 0;
+	++nchildren;
+	close (pipe_fd[1]);
+
+    } else {
+	int i;
+
+	/* child */
+	close(admin_fd);
+	close(pipe_fd[0]);
+
+	for (i = 0; i < nchildren; ++i)
+	    close (children[i].pipe_fd);
+
+	/*
+	 * If we are multihomed we need to figure out which
+	 * local address that is used this time since it is
+	 * used in "direction" comparison.
+	 */
+	getsockname(peer_fd,
+		    (struct sockaddr *)&server_parm.admin_addr,
+		    &addrlen);
+	/* do stuff */
+	process_client (peer_fd, &peer, pipe_fd[1]);
+    }
+}
+
+/*
+ * handle data signaled from child `child' kadmind
+ */
+
+static void
+handle_child_signal (int child)
+{
+    int ret;
+    unsigned char data[1];
+
+    ret = read (children[child].pipe_fd, data, 1);
+    if (ret < 0) {
+	if (errno != EINTR)
+	    krb_log ("read from child %d: %s", child,
+		     error_message(errno));
+	return;
+    }
+    if (ret == 0) {
+	close (children[child].pipe_fd);
+	children[child].pipe_fd = -1;
+	return;
+    }
+    if (data)
+	children[child].authenticated = 1;
+}
+
+/*
+ * handle dead children
+ */
+
+static void
+handle_sigchld (void)
+{
+    pid_t pid;
+    int status;
+    int i, j;
+
+    for (;;) {
+	int found = 0;
+
+	pid = waitpid(-1, &status, WNOHANG|WUNTRACED);
+	if (pid == 0 || (pid < 0 && errno == ECHILD))
+	    break;
+	if (pid < 0) {
+	    krb_log("waitpid: %s", error_message(errno));
+	    break;
+	}
+	for (i = 0; i < nchildren; i++)
+	    if (children[i].pid == pid) {
+		/* found it */
+		close(children[i].pipe_fd);
+		for (j = i; j < nchildren; j++)
+		    /* copy others down */
+		    children[j] = children[j+1];
+		--nchildren;
+#if 0
+		if ((WIFEXITED(status) && WEXITSTATUS(status) != 0)
+		    || WIFSIGNALED(status))
+		    krb_log("child %d: termsig %d, retcode %d", pid,
+			    WTERMSIG(status), WEXITSTATUS(status));
+#endif
+		found = 1;
+	    }
+#if 0
+	if (!found)
+	    krb_log("child %d not in list: termsig %d, retcode %d", pid,
+		    WTERMSIG(status), WEXITSTATUS(status));
+#endif
+    }
+    do_wait = 0;
+}
+
+/*
+kadm_listen
+listen on the admin servers port for a request
+*/
+static int
+kadm_listen(void)
+{
+    int found;
+    int admin_fd;
+    fd_set readfds;
+
+    signal(SIGINT, doexit);
+    signal(SIGTERM, doexit);
+    signal(SIGHUP, doexit);
+    signal(SIGQUIT, doexit);
+    signal(SIGPIPE, SIG_IGN); /* get errors on write() */
+    signal(SIGALRM, doexit);
+    signal(SIGCHLD, do_child);
+    if (setsid() < 0)
+        krb_log("setsid() failed");
+
+    if ((admin_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+	return KADM_NO_SOCK;
+
+    if (admin_fd >= FD_SETSIZE) {
+	krb_log("admin_fd too big");
+	return KADM_NO_BIND;
+    }
+	
+#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT)
+    {
+      int one = 1;
+      setsockopt(admin_fd, SOL_SOCKET, SO_REUSEADDR, (void *)&one,
+		 sizeof(one));
+    }
+#endif
+    if (bind(admin_fd, (struct sockaddr *)&server_parm.admin_addr,
+	     sizeof(struct sockaddr_in)) < 0)
+	return KADM_NO_BIND;
+    if (listen(admin_fd, SOMAXCONN) < 0)
+	return KADM_NO_BIND;
+
+    for (;;) {				/* loop nearly forever */
+	int i;
+	int maxfd = -1;
+
+	if (exit_now) {
+	    clear_secrets();
+	    kill_children();
+	    return(0);
+	}
+	if (do_wait)
+	    handle_sigchld ();
+
+	FD_ZERO(&readfds);
+	FD_SET(admin_fd, &readfds);
+	maxfd = max(maxfd, admin_fd);
+	for (i = 0; i < nchildren; ++i)
+	    if (children[i].pipe_fd >= 0) {
+		FD_SET(children[i].pipe_fd, &readfds);
+		maxfd = max(maxfd, children[i].pipe_fd);
+	    }
+
+	found = select(maxfd + 1, &readfds, NULL, NULL, NULL);
+	if (found < 0) {
+	    if (errno != EINTR)
+		krb_log("select: %s",error_message(errno));
+	    continue;
+	}
+	if (FD_ISSET(admin_fd, &readfds)) 
+	    accept_client (admin_fd);
+	for (i = 0; i < nchildren; ++i)
+	    if (children[i].pipe_fd >= 0
+		&& FD_ISSET(children[i].pipe_fd, &readfds)) {
+		handle_child_signal (i);
+	    }
+    }
+    /*NOTREACHED*/
+}
+
+/*
+** Main does the logical thing, it sets up the database and RPC interface,
+**  as well as handling the creation and maintenance of the syslog file...
+*/
+int
+main(int argc, char **argv)		/* admin_server main routine */
+{
+    int errval;
+    int c;
+    struct in_addr i_addr;
+
+    set_progname (argv[0]);
+
+    umask(077);		/* Create protected files */
+
+    i_addr.s_addr = INADDR_ANY;
+    /* initialize the admin_params structure */
+    prm.sysfile = KADM_SYSLOG;		/* default file name */
+    prm.inter = 0;
+
+    memset(krbrlm, 0, sizeof(krbrlm));
+
+    while ((c = getopt(argc, argv, "f:hmnd:a:r:i:")) != -1)
+	switch(c) {
+	case 'f':			/* Syslog file name change */
+	    prm.sysfile = optarg;
+	    break;
+	case 'n':
+	    prm.inter = 0;
+	    break;
+	case 'm':
+	    prm.inter = 1;
+	    break;
+	case 'a':			/* new acl directory */
+	    acldir = optarg;
+	    break;
+	case 'd':
+	    /* put code to deal with alt database place */
+	    if ((errval = kerb_db_set_name(optarg)))
+		errx (1, "opening database %s: %s",
+		      optarg, error_message(errval));
+	    break;
+	case 'r':
+	    strlcpy (krbrlm, optarg, sizeof(krbrlm));
+	    break;
+	case 'i':
+	    /* Only listen on this address */
+	    if(inet_aton (optarg, &i_addr) == 0) {
+		fprintf (stderr, "Bad address: %s\n", optarg);
+		exit (1);
+	    }
+	    break;
+	case 'h':			/* get help on using admin_server */
+	default:
+	    errx(1, "Usage: kadmind [-h] [-n] [-m] [-r realm] [-d dbname] [-f filename] [-a acldir] [-i address_to_listen_on]");
+	}
+
+    if (krbrlm[0] == 0)
+	if (krb_get_lrealm(krbrlm, 1) != KSUCCESS)
+	    errx (1, "Unable to get local realm.  Fix krb.conf or use -r.");
+
+    printf("KADM Server %s initializing\n",KADM_VERSTR);
+    printf("Please do not use 'kill -9' to kill this job, use a\n");
+    printf("regular kill instead\n\n");
+
+    kset_logfile(prm.sysfile);
+    krb_log("Admin server starting");
+
+    kerb_db_set_lockmode(KERB_DBL_NONBLOCKING);
+    errval = kerb_init();		/* Open the Kerberos database */
+    if (errval) {
+	warnx ("error: kerb_init() failed");
+	close_syslog();
+	byebye();
+    }
+    /* set up the server_parm struct */
+    if ((errval = kadm_ser_init(prm.inter, krbrlm, i_addr))==KADM_SUCCESS) {
+	kerb_fini();			/* Close the Kerberos database--
+					   will re-open later */
+	errval = kadm_listen();		/* listen for calls to server from
+					   clients */
+    }
+    if (errval != KADM_SUCCESS) {
+	warnx("error:  %s",error_message(errval));
+	kerb_fini();			/* Close if error */
+    }
+    close_syslog();			/* Close syslog file, print
+					   closing note */
+    byebye();				/* Say bye bye on the terminal
+					   in use */
+    exit(1);
+}					/* procedure main */
diff --git a/crypto/kerberosIV/kadmin/kadm_funcs.c b/crypto/kerberosIV/kadmin/kadm_funcs.c
new file mode 100644
index 0000000..8ae8a41
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/kadm_funcs.c
@@ -0,0 +1,437 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+*/
+
+/*
+ * Kerberos administration server-side database manipulation routines
+ */
+
+/*
+ * kadm_funcs.c
+ * the actual database manipulation code
+ */
+
+#include "kadm_locl.h"
+
+RCSID("$Id: kadm_funcs.c,v 1.18 1999/09/16 20:41:40 assar Exp $");
+
+static int
+check_access(char *pname, char *pinst, char *prealm, enum acl_types acltype)
+{
+    char checkname[MAX_K_NAME_SZ];
+    char filename[MaxPathLen];
+
+    snprintf(checkname, sizeof(checkname), "%s.%s@%s", pname, pinst, prealm);
+    
+    switch (acltype) {
+    case ADDACL:
+	snprintf(filename, sizeof(filename), "%s%s", acldir, ADD_ACL_FILE);
+	break;
+    case GETACL:
+	snprintf(filename, sizeof(filename), "%s%s", acldir, GET_ACL_FILE);
+	break;
+    case MODACL:
+	snprintf(filename, sizeof(filename), "%s%s", acldir, MOD_ACL_FILE);
+	break;
+    case DELACL:
+	snprintf(filename, sizeof(filename), "%s%s", acldir, DEL_ACL_FILE);
+	break;
+    default:
+	krb_log("WARNING in check_access: default case in switch");
+	return 0;
+    }
+    return(acl_check(filename, checkname));
+}
+
+static int
+wildcard(char *str)
+{
+    if (!strcmp(str, WILDCARD_STR))
+	return(1);
+    return(0);
+}
+
+static int
+fail(int code, char *oper, char *princ)
+{
+    krb_log("ERROR: %s: %s (%s)", oper, princ, error_message(code));
+    return code;
+}
+
+#define failadd(code) { fail(code, "ADD", victim); return code; }
+#define faildelete(code) { fail(code, "DELETE", victim); return code; }
+#define failget(code) { fail(code, "GET", victim); return code; }
+#define failmod(code) { fail(code, "MOD", victim); return code; }
+#define failchange(code) { fail(code, "CHANGE", admin); return code; }
+
+int
+kadm_add_entry (char *rname, char *rinstance, char *rrealm, 
+		Kadm_vals *valsin, Kadm_vals *valsout)
+{
+    long numfound;		/* check how many we get written */
+    int more;			/* pointer to more grabbed records */
+    Principal data_i, data_o;		/* temporary principal */
+    u_char flags[4];
+    des_cblock newpw;
+    Principal default_princ;
+  
+    char admin[MAX_K_NAME_SZ], victim[MAX_K_NAME_SZ];
+
+    strlcpy(admin,
+		    krb_unparse_name_long(rname, rinstance, rrealm),
+		    sizeof(admin));
+    strlcpy(victim,
+		    krb_unparse_name_long(valsin->name,
+					  valsin->instance,
+					  NULL),
+		    sizeof(victim));
+
+    krb_log("ADD: %s by %s", victim, admin);
+
+    if (!check_access(rname, rinstance, rrealm, ADDACL)) {
+	krb_log("WARNING: ADD: %s permission denied", admin);
+	return KADM_UNAUTH;
+    }
+  
+    /* Need to check here for "legal" name and instance */
+    if (wildcard(valsin->name) || wildcard(valsin->instance)) {
+	failadd(KADM_ILL_WILDCARD);
+    }
+
+    numfound = kerb_get_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST,
+				  &default_princ, 1, &more);
+    if (numfound == -1) {
+	failadd(KADM_DB_INUSE);
+    } else if (numfound != 1) {
+	failadd(KADM_UK_RERROR);
+    }
+
+    kadm_vals_to_prin(valsin->fields, &data_i, valsin);
+    strlcpy(data_i.name, valsin->name, ANAME_SZ);
+    strlcpy(data_i.instance, valsin->instance, INST_SZ);
+
+    if (!IS_FIELD(KADM_EXPDATE,valsin->fields))
+	data_i.exp_date = default_princ.exp_date;
+    if (!IS_FIELD(KADM_ATTR,valsin->fields))
+	data_i.attributes = default_princ.attributes;
+    if (!IS_FIELD(KADM_MAXLIFE,valsin->fields))
+	data_i.max_life = default_princ.max_life; 
+
+    memset(&default_princ, 0, sizeof(default_princ));
+
+    /* convert to host order */
+    data_i.key_low = ntohl(data_i.key_low);
+    data_i.key_high = ntohl(data_i.key_high);
+
+
+    copy_to_key(&data_i.key_low, &data_i.key_high, newpw);
+
+    /* encrypt new key in master key */
+    kdb_encrypt_key (&newpw, &newpw, &server_parm.master_key,
+		     server_parm.master_key_schedule, DES_ENCRYPT);
+    copy_from_key(newpw, &data_i.key_low, &data_i.key_high);
+    memset(newpw, 0, sizeof(newpw));
+
+    data_o = data_i;
+    numfound = kerb_get_principal(valsin->name, valsin->instance, 
+				  &data_o, 1, &more);
+    if (numfound == -1) {
+	failadd(KADM_DB_INUSE);
+    } else if (numfound) {
+	failadd(KADM_INUSE);
+    } else {
+	data_i.key_version++;
+	data_i.kdc_key_ver = server_parm.master_key_version;
+	strlcpy(data_i.mod_name, rname, sizeof(data_i.mod_name));
+	strlcpy(data_i.mod_instance, rinstance,
+			sizeof(data_i.mod_instance));
+
+	numfound = kerb_put_principal(&data_i, 1);
+	if (numfound == -1) {
+	    failadd(KADM_DB_INUSE);
+	} else if (numfound) {
+	    failadd(KADM_UK_SERROR);
+	} else {
+	    numfound = kerb_get_principal(valsin->name, valsin->instance, 
+					  &data_o, 1, &more);
+	    if ((numfound!=1) || (more!=0)) {
+		failadd(KADM_UK_RERROR);
+	    }
+	    memset(flags, 0, sizeof(flags));
+	    SET_FIELD(KADM_NAME,flags);
+	    SET_FIELD(KADM_INST,flags);
+	    SET_FIELD(KADM_EXPDATE,flags);
+	    SET_FIELD(KADM_ATTR,flags);
+	    SET_FIELD(KADM_MAXLIFE,flags);
+	    kadm_prin_to_vals(flags, valsout, &data_o);
+	    krb_log("ADD: %s added", victim);
+	    return KADM_DATA;		/* Set all the appropriate fields */
+	}
+    }
+}
+
+int
+kadm_delete_entry (char *rname, char *rinstance, char *rrealm, 
+		   Kadm_vals *valsin)
+{
+    int ret;
+
+    char admin[MAX_K_NAME_SZ], victim[MAX_K_NAME_SZ];
+    
+    strlcpy(admin,
+		    krb_unparse_name_long(rname, rinstance, rrealm),
+		    sizeof(admin));
+    strlcpy(victim,
+		    krb_unparse_name_long(valsin->name,
+					  valsin->instance,
+					  NULL),
+		    sizeof(victim));
+
+    krb_log("DELETE: %s by %s", victim, admin);
+
+    if (!check_access(rname, rinstance, rrealm, DELACL)) {
+	krb_log("WARNING: DELETE: %s permission denied", admin);
+	return KADM_UNAUTH;
+    }
+    
+    /* Need to check here for "legal" name and instance */
+    if (wildcard(valsin->name) || wildcard(valsin->instance)) {
+	faildelete(KADM_ILL_WILDCARD);
+    }
+  
+#define EQ(V,N,I) (strcmp((V)->name, (N)) == 0 && strcmp((V)->instance, (I)) == 0)
+
+    if(EQ(valsin, PWSERV_NAME, KRB_MASTER) ||
+       EQ(valsin, "K", "M") ||
+       EQ(valsin, "default", "") ||
+       EQ(valsin, KRB_TICKET_GRANTING_TICKET, server_parm.krbrlm)){
+	krb_log("WARNING: DELETE: %s is immutable", victim);
+	return KADM_IMMUTABLE; /* XXX */
+    }
+    
+    ret = kerb_delete_principal(valsin->name, valsin->instance);
+    if(ret == -1)
+	return KADM_DB_INUSE; /* XXX */
+    krb_log("DELETE: %s removed.", victim);
+    return KADM_SUCCESS;
+}
+
+
+int
+kadm_get_entry (char *rname, char *rinstance, char *rrealm, 
+		Kadm_vals *valsin, u_char *flags, Kadm_vals *valsout)
+{
+    long numfound;		/* check how many were returned */
+    int more;			/* To point to more name.instances */
+    Principal data_o;		/* Data object to hold Principal */
+    
+    char admin[MAX_K_NAME_SZ], victim[MAX_K_NAME_SZ];
+    
+    strlcpy(admin,
+		    krb_unparse_name_long(rname, rinstance, rrealm),
+		    sizeof(admin));
+    strlcpy(victim,
+		    krb_unparse_name_long(valsin->name,
+					  valsin->instance,
+					  NULL),
+		    sizeof(victim));
+    
+    krb_log("GET: %s by %s", victim, admin);
+
+    if (!check_access(rname, rinstance, rrealm, GETACL)) {
+	krb_log("WARNING: GET: %s permission denied", admin);
+	return KADM_UNAUTH;
+    }
+  
+    if (wildcard(valsin->name) || wildcard(valsin->instance)) {
+	failget(KADM_ILL_WILDCARD);
+    }
+
+    /* Look up the record in the database */
+    numfound = kerb_get_principal(valsin->name, valsin->instance, 
+				  &data_o, 1, &more);
+    if (numfound == -1) {
+	failget(KADM_DB_INUSE);
+    }  else if (numfound) {	/* We got the record, let's return it */
+	kadm_prin_to_vals(flags, valsout, &data_o);
+	krb_log("GET: %s retrieved", victim);
+	return KADM_DATA; /* Set all the appropriate fields */
+    } else {
+	failget(KADM_NOENTRY);	/* Else whimper and moan */
+    }
+}
+
+int
+kadm_mod_entry (char *rname, char *rinstance, char *rrealm, 
+		Kadm_vals *valsin, Kadm_vals *valsin2, Kadm_vals *valsout)
+{
+    long numfound;
+    int more;
+    Principal data_o, temp_key;
+    u_char fields[4];
+    des_cblock newpw;
+
+    char admin[MAX_K_NAME_SZ], victim[MAX_K_NAME_SZ];
+    
+    strlcpy(admin,
+		    krb_unparse_name_long(rname, rinstance, rrealm),
+		    sizeof(admin));
+    strlcpy(victim,
+		    krb_unparse_name_long(valsin->name,
+					  valsin->instance,
+					  NULL),
+		    sizeof(victim));
+    
+    krb_log("MOD: %s by %s", victim, admin);
+
+    if (wildcard(valsin->name) || wildcard(valsin->instance)) {
+	failmod(KADM_ILL_WILDCARD);
+    }
+  
+    if (!check_access(rname, rinstance, rrealm, MODACL)) {
+	krb_log("WARNING: MOD: %s permission denied", admin);
+	return KADM_UNAUTH;
+    }
+    
+    numfound = kerb_get_principal(valsin->name, valsin->instance, 
+				  &data_o, 1, &more);
+    if (numfound == -1) {
+	failmod(KADM_DB_INUSE);
+    } else if (numfound) {
+	kadm_vals_to_prin(valsin2->fields, &temp_key, valsin2);
+	strlcpy(data_o.name, valsin->name, ANAME_SZ);
+	strlcpy(data_o.instance, valsin->instance, INST_SZ);
+	if (IS_FIELD(KADM_EXPDATE,valsin2->fields))
+	    data_o.exp_date = temp_key.exp_date;
+	if (IS_FIELD(KADM_ATTR,valsin2->fields))
+	    data_o.attributes = temp_key.attributes;
+	if (IS_FIELD(KADM_MAXLIFE,valsin2->fields))
+	    data_o.max_life = temp_key.max_life; 
+	if (IS_FIELD(KADM_DESKEY,valsin2->fields)) {
+	    data_o.key_version++;
+	    data_o.kdc_key_ver = server_parm.master_key_version;
+
+
+	    /* convert to host order */
+	    temp_key.key_low = ntohl(temp_key.key_low);
+	    temp_key.key_high = ntohl(temp_key.key_high);
+
+
+	    copy_to_key(&temp_key.key_low, &temp_key.key_high, newpw);
+
+	    /* encrypt new key in master key */
+	    kdb_encrypt_key (&newpw, &newpw, &server_parm.master_key,
+			     server_parm.master_key_schedule, DES_ENCRYPT);
+	    copy_from_key(newpw, &data_o.key_low, &data_o.key_high);
+	    memset(newpw, 0, sizeof(newpw));
+	}
+	memset(&temp_key, 0, sizeof(temp_key));
+
+	strlcpy(data_o.mod_name, rname, sizeof(data_o.mod_name));
+	strlcpy(data_o.mod_instance, rinstance,
+			sizeof(data_o.mod_instance));
+	more = kerb_put_principal(&data_o, 1);
+
+	memset(&data_o, 0, sizeof(data_o));
+
+	if (more == -1) {
+	    failmod(KADM_DB_INUSE);
+	} else if (more) {
+	    failmod(KADM_UK_SERROR);
+	} else {
+	    numfound = kerb_get_principal(valsin->name, valsin->instance, 
+					  &data_o, 1, &more);
+	    if ((more!=0)||(numfound!=1)) {
+		failmod(KADM_UK_RERROR);
+	    }
+	    memset(fields, 0, sizeof(fields));
+	    SET_FIELD(KADM_NAME,fields);
+	    SET_FIELD(KADM_INST,fields);
+	    SET_FIELD(KADM_EXPDATE,fields);
+	    SET_FIELD(KADM_ATTR,fields);
+	    SET_FIELD(KADM_MAXLIFE,fields);
+	    kadm_prin_to_vals(fields, valsout, &data_o);
+	    krb_log("MOD: %s modified", victim);
+	    return KADM_DATA;		/* Set all the appropriate fields */
+	}
+    }
+    else {
+	failmod(KADM_NOENTRY);
+    }
+}
+
+int
+kadm_change (char *rname, char *rinstance, char *rrealm, unsigned char *newpw)
+{
+    long numfound;
+    int more;
+    Principal data_o;
+    des_cblock local_pw;
+
+    char admin[MAX_K_NAME_SZ];
+    
+    strlcpy(admin,
+		    krb_unparse_name_long(rname, rinstance, rrealm),
+		    sizeof(admin));
+    
+    krb_log("CHANGE: %s", admin);
+
+    if (strcmp(server_parm.krbrlm, rrealm)) {
+	krb_log("ERROR: CHANGE: request from wrong realm %s", rrealm);
+	return(KADM_WRONG_REALM);
+    }
+
+    if (wildcard(rname) || wildcard(rinstance)) {
+	failchange(KADM_ILL_WILDCARD);
+    }
+
+    memcpy(local_pw, newpw, sizeof(local_pw));
+  
+    /* encrypt new key in master key */
+    kdb_encrypt_key (&local_pw, &local_pw, &server_parm.master_key,
+		     server_parm.master_key_schedule, DES_ENCRYPT);
+
+    numfound = kerb_get_principal(rname, rinstance, 
+				  &data_o, 1, &more);
+    if (numfound == -1) {
+	failchange(KADM_DB_INUSE);
+    } else if (numfound) {
+	copy_from_key(local_pw, &data_o.key_low, &data_o.key_high);
+	data_o.key_version++;
+	data_o.kdc_key_ver = server_parm.master_key_version;
+	strlcpy(data_o.mod_name, rname, sizeof(data_o.mod_name));
+	strlcpy(data_o.mod_instance, rinstance,
+			sizeof(data_o.mod_instance));
+	more = kerb_put_principal(&data_o, 1);
+	memset(local_pw, 0, sizeof(local_pw));
+	memset(&data_o, 0, sizeof(data_o));
+	if (more == -1) {
+	    failchange(KADM_DB_INUSE);
+	} else if (more) {
+	    failchange(KADM_UK_SERROR);
+	} else {
+	    krb_log("CHANGE: %s's password changed", admin);
+	    return KADM_SUCCESS;
+	}
+    }
+    else {
+	failchange(KADM_NOENTRY);
+    }
+}
diff --git a/crypto/kerberosIV/kadmin/kadm_locl.h b/crypto/kerberosIV/kadmin/kadm_locl.h
new file mode 100644
index 0000000..98d07ae
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/kadm_locl.h
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kadm_locl.h,v 1.31 1999/12/02 16:58:36 joda Exp $ */
+/* $FreeBSD$ */
+
+#include "config.h"
+#include "protos.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
+#include <errno.h>
+#include <signal.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif /* HAVE_SYS_RESOURCE_H */
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+
+#include <err.h>
+
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#include <roken.h>
+
+#include <com_err.h>
+#include <sl.h>
+
+#include <openssl/des.h>
+#include <krb.h>
+#include <krb_err.h>
+#include <krb_db.h>
+#include <kadm.h>
+#include <kadm_err.h>
+#include <acl.h>
+
+#include <krb_log.h>
+
+#include "kadm_server.h"
+#include "pw_check.h"
+
+/* from libacl */
+/* int acl_check(char *acl, char *principal); */
+
+/* GLOBALS */
+extern char *acldir;
+extern Kadm_Server server_parm;
+
+/* Utils */
+int kadm_change (char *, char *, char *, des_cblock);
+int kadm_add_entry (char *, char *, char *, Kadm_vals *, Kadm_vals *);
+int kadm_mod_entry (char *, char *, char *, Kadm_vals *, Kadm_vals *, Kadm_vals *);
+int kadm_get_entry (char *, char *, char *, Kadm_vals *, u_char *, Kadm_vals *);
+int kadm_delete_entry (char *, char *, char *, Kadm_vals *);
+int kadm_ser_cpw (u_char *, int, AUTH_DAT *, u_char **, int *);
+int kadm_ser_add (u_char *, int, AUTH_DAT *, u_char **, int *);
+int kadm_ser_mod (u_char *, int, AUTH_DAT *, u_char **, int *);
+int kadm_ser_get (u_char *, int, AUTH_DAT *, u_char **, int *);
+int kadm_ser_delete (u_char *, int, AUTH_DAT *, u_char **, int *);
+int kadm_ser_init (int inter, char realm[], struct in_addr);
+int kadm_ser_in (u_char **, int *, u_char *);
+
+int get_pw_new_pwd  (char *pword, int pwlen, krb_principal *pr, int print_realm);
+
+/* cracklib */
+char *FascistCheck (char *password, char *path, char **strings);
+
+void
+random_password(char *pw, size_t len, u_int32_t *low, u_int32_t *high);
diff --git a/crypto/kerberosIV/kadmin/kadm_ser_wrap.c b/crypto/kerberosIV/kadmin/kadm_ser_wrap.c
new file mode 100644
index 0000000..196a89c
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/kadm_ser_wrap.c
@@ -0,0 +1,225 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * Kerberos administration server-side support functions
+ */
+
+/* 
+kadm_ser_wrap.c
+unwraps wrapped packets and calls the appropriate server subroutine
+*/
+
+#include "kadm_locl.h"
+
+RCSID("$Id: kadm_ser_wrap.c,v 1.25 1999/09/16 20:41:41 assar Exp $");
+
+/* GLOBAL */
+Kadm_Server server_parm;
+
+/* 
+kadm_ser_init
+set up the server_parm structure
+*/
+int
+kadm_ser_init(int inter,	/* interactive or from file */
+	      char *realm,
+	      struct in_addr addr)
+{
+  struct hostent *hp;
+  char hostname[MaxHostNameLen];
+
+  init_kadm_err_tbl();
+  init_krb_err_tbl();
+  if (gethostname(hostname, sizeof(hostname)))
+      return KADM_NO_HOSTNAME;
+
+  strlcpy(server_parm.sname,
+		  PWSERV_NAME,
+		  sizeof(server_parm.sname));
+  strlcpy(server_parm.sinst,
+		  KRB_MASTER,
+		  sizeof(server_parm.sinst));
+  strlcpy(server_parm.krbrlm,
+		  realm,
+		  sizeof(server_parm.krbrlm));
+
+  server_parm.admin_fd = -1;
+  /* setting up the addrs */
+  memset(&server_parm.admin_addr,0, sizeof(server_parm.admin_addr));
+
+  server_parm.admin_addr.sin_port = k_getportbyname (KADM_SNAME,
+						     "tcp",
+						     htons(751));
+  server_parm.admin_addr.sin_family = AF_INET;
+  if ((hp = gethostbyname(hostname)) == NULL)
+      return KADM_NO_HOSTNAME;
+  server_parm.admin_addr.sin_addr = addr;
+				/* setting up the database */
+  if (kdb_get_master_key((inter==1), &server_parm.master_key,
+			 server_parm.master_key_schedule) != 0)
+    return KADM_NO_MAST;
+  if ((server_parm.master_key_version =
+       kdb_verify_master_key(&server_parm.master_key,
+			     server_parm.master_key_schedule,stderr))<0)
+      return KADM_NO_VERI;
+  return KADM_SUCCESS;
+}
+
+/*
+ *
+ */
+
+static void
+errpkt(u_char *errdat, u_char **dat, int *dat_len, int code)
+{
+    free(*dat);			/* free up req */
+    *dat_len = KADM_VERSIZE + 4;
+    memcpy(errdat, KADM_ULOSE, KADM_VERSIZE);
+    krb_put_int (code, errdat + KADM_VERSIZE, 4, 4);
+    *dat = errdat;
+}
+
+/*
+kadm_ser_in
+unwrap the data stored in dat, process, and return it.
+*/
+int
+kadm_ser_in(u_char **dat, int *dat_len, u_char *errdat)
+{
+    u_char *in_st;			/* pointer into the sent packet */
+    int in_len,retc;			/* where in packet we are, for
+					   returns */
+    u_int32_t r_len;			/* length of the actual packet */
+    KTEXT_ST authent;			/* the authenticator */
+    AUTH_DAT ad;			/* who is this, klink */
+    u_int32_t ncksum;			/* checksum of encrypted data */
+    des_key_schedule sess_sched;	/* our schedule */
+    MSG_DAT msg_st;
+    u_char *retdat, *tmpdat;
+    int retval, retlen;
+
+    if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+	errpkt(errdat, dat, dat_len, KADM_BAD_VER);
+	return KADM_BAD_VER;
+    }
+    in_len = KADM_VERSIZE;
+    /* get the length */
+    if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+	return KADM_LENGTH_ERROR;
+    in_len += retc;
+    authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(u_int32_t);
+    memcpy(authent.dat, (char *)(*dat) + in_len, authent.length);
+    authent.mbz = 0;
+    /* service key should be set before here */
+    if ((retc = krb_rd_req(&authent, server_parm.sname, server_parm.sinst,
+			  server_parm.recv_addr.sin_addr.s_addr, &ad, NULL)))
+    {
+	errpkt(errdat, dat, dat_len, retc + krb_err_base);
+	return retc + krb_err_base;
+    }
+
+#define clr_cli_secrets() {memset(sess_sched, 0, sizeof(sess_sched)); memset(ad.session, 0,sizeof(ad.session));}
+
+    in_st = *dat + *dat_len - r_len;
+#ifdef NOENCRYPTION
+    ncksum = 0;
+#else
+    ncksum = des_quad_cksum((des_cblock *)in_st, (des_cblock *)0, (long) r_len, 0, &ad.session);
+#endif
+    if (ncksum!=ad.checksum) {		/* yow, are we correct yet */
+	clr_cli_secrets();
+	errpkt(errdat, dat, dat_len, KADM_BAD_CHK);
+	return KADM_BAD_CHK;
+    }
+#ifdef NOENCRYPTION
+    memset(sess_sched, 0, sizeof(sess_sched));
+#else
+    des_key_sched(&ad.session, sess_sched);
+#endif
+    if ((retc = (int) krb_rd_priv(in_st, r_len, sess_sched, &ad.session, 
+				 &server_parm.recv_addr,
+				 &server_parm.admin_addr, &msg_st))) {
+	clr_cli_secrets();
+	errpkt(errdat, dat, dat_len, retc + krb_err_base);
+	return retc + krb_err_base;
+    }
+    switch (msg_st.app_data[0]) {
+    case CHANGE_PW:
+	retval = kadm_ser_cpw(msg_st.app_data+1,(int) msg_st.app_length - 1,
+			      &ad, &retdat, &retlen);
+	break;
+    case ADD_ENT:
+	retval = kadm_ser_add(msg_st.app_data+1,(int) msg_st.app_length - 1,
+			      &ad, &retdat, &retlen);
+	break;
+    case GET_ENT:
+	retval = kadm_ser_get(msg_st.app_data+1,(int) msg_st.app_length - 1,
+			      &ad, &retdat, &retlen);
+	break;
+    case MOD_ENT:
+	retval = kadm_ser_mod(msg_st.app_data+1,(int) msg_st.app_length - 1,
+			      &ad, &retdat, &retlen);
+	break;
+    case DEL_ENT:
+	retval = kadm_ser_delete(msg_st.app_data + 1, msg_st.app_length - 1, 
+				 &ad, &retdat, &retlen);
+	break;
+    default:
+	clr_cli_secrets();
+	errpkt(errdat, dat, dat_len, KADM_NO_OPCODE);
+	return KADM_NO_OPCODE;
+    }
+    /* Now seal the response back into a priv msg */
+    tmpdat = (u_char *) malloc(retlen + KADM_VERSIZE + 4);
+    if (tmpdat == NULL) {
+	clr_cli_secrets();
+	errpkt(errdat, dat, dat_len, KADM_NOMEM);
+	return KADM_NOMEM;
+    }
+    free(*dat);
+    memcpy(tmpdat, KADM_VERSTR, KADM_VERSIZE);
+    krb_put_int(retval, tmpdat + KADM_VERSIZE, 4, 4);
+    if (retlen) {
+        memcpy(tmpdat + KADM_VERSIZE + 4, retdat, retlen);
+	free(retdat);
+    }
+    /* slop for mk_priv stuff */
+    *dat = (u_char *) malloc(retlen + KADM_VERSIZE +
+			     sizeof(u_int32_t) + 200);
+    if (*dat == NULL) {
+	clr_cli_secrets();
+	errpkt(errdat, dat, dat_len, KADM_NOMEM);
+	return KADM_NOMEM;
+    }
+    if ((*dat_len = krb_mk_priv(tmpdat, *dat,
+				(u_int32_t) (retlen + KADM_VERSIZE +
+					  sizeof(u_int32_t)),
+				sess_sched,
+				&ad.session, &server_parm.admin_addr,
+				&server_parm.recv_addr)) < 0) {
+	clr_cli_secrets();
+	errpkt(errdat, dat, dat_len, KADM_NO_ENCRYPT);
+	return KADM_NO_ENCRYPT;
+    }
+    clr_cli_secrets();
+    return KADM_SUCCESS;
+}
diff --git a/crypto/kerberosIV/kadmin/kadm_server.c b/crypto/kerberosIV/kadmin/kadm_server.c
new file mode 100644
index 0000000..1006f20
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/kadm_server.c
@@ -0,0 +1,198 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * Kerberos administration server-side subroutines
+ */
+
+#include "kadm_locl.h"
+
+RCSID("$Id: kadm_server.c,v 1.9 1997/05/02 10:29:08 joda Exp $");
+
+/* 
+kadm_ser_cpw - the server side of the change_password routine
+  recieves    : KTEXT, {key}
+  returns     : CKSUM, RETCODE
+  acl         : caller can change only own password
+
+Replaces the password (i.e. des key) of the caller with that specified in key.
+Returns no actual data from the master server, since this is called by a user
+*/
+int
+kadm_ser_cpw(u_char *dat, int len, AUTH_DAT *ad, u_char **datout, int *outlen)
+{
+    u_int32_t keylow, keyhigh;
+    des_cblock newkey;
+    int status;
+    int stvlen=0;
+    char *pw_msg;
+    char pword[MAX_KPW_LEN];
+    char *strings[4];
+
+    /* take key off the stream, and change the database */
+
+    if ((status = stv_long(dat, &keyhigh, 0, len)) < 0)
+	return(KADM_LENGTH_ERROR);
+    stvlen=status;
+    if ((status = stv_long(dat, &keylow, stvlen, len)) < 0)
+	return(KADM_LENGTH_ERROR);
+    stvlen+=status;
+
+    if((status = stv_string(dat, pword, stvlen, sizeof(pword), len))<0)
+      pword[0]=0;
+
+    keylow = ntohl(keylow);
+    keyhigh = ntohl(keyhigh);
+    memcpy(((char *)newkey) + 4, &keyhigh, 4);
+    memcpy(newkey, &keylow, 4);
+
+    strings[0] = ad->pname;
+    strings[1] = ad->pinst;
+    strings[2] = ad->prealm;
+    strings[3] = NULL;
+    status = kadm_pw_check(pword, &newkey, &pw_msg, strings);
+    
+    memset(pword, 0, sizeof(pword));
+    memset(dat, 0, len);
+
+    if(status != KADM_SUCCESS){
+      *datout=malloc(0);
+      *outlen=vts_string(pw_msg, datout, 0);
+      return status;
+    }
+    *datout=0;
+    *outlen=0;
+
+    return(kadm_change(ad->pname, ad->pinst, ad->prealm, newkey));
+}
+
+
+/*
+kadm_ser_add - the server side of the add_entry routine
+  recieves    : KTEXT, {values}
+  returns     : CKSUM, RETCODE, {values}
+  acl         : su, sms (as alloc)
+
+Adds and entry containing values to the database
+returns the values of the entry, so if you leave certain fields blank you will
+   be able to determine the default values they are set to
+*/
+int
+kadm_ser_add(u_char *dat, int len, AUTH_DAT *ad, u_char **datout, int *outlen)
+{
+  Kadm_vals values, retvals;
+  long status;
+
+  if ((status = stream_to_vals(dat, &values, len)) < 0)
+      return(KADM_LENGTH_ERROR);
+  if ((status = kadm_add_entry(ad->pname, ad->pinst, ad->prealm,
+			      &values, &retvals)) == KADM_DATA) {
+      *outlen = vals_to_stream(&retvals,datout);
+      return KADM_SUCCESS;
+  } else {
+      *outlen = 0;
+      return status;
+  }
+}
+
+/*
+kadm_ser_mod - the server side of the mod_entry routine
+  recieves    : KTEXT, {values, values}
+  returns     : CKSUM, RETCODE, {values}
+  acl         : su, sms (as register or dealloc)
+
+Modifies all entries corresponding to the first values so they match the
+   second values.
+returns the values for the changed entries
+*/
+int
+kadm_ser_mod(u_char *dat, int len, AUTH_DAT *ad, u_char **datout, int *outlen)
+{
+  Kadm_vals vals1, vals2, retvals;
+  int wh;
+  long status;
+
+  if ((wh = stream_to_vals(dat, &vals1, len)) < 0)
+      return KADM_LENGTH_ERROR;
+  if ((status = stream_to_vals(dat+wh,&vals2, len-wh)) < 0)
+      return KADM_LENGTH_ERROR;
+  if ((status = kadm_mod_entry(ad->pname, ad->pinst, ad->prealm, &vals1,
+			       &vals2, &retvals)) == KADM_DATA) {
+      *outlen = vals_to_stream(&retvals,datout);
+      return KADM_SUCCESS;
+  } else {
+      *outlen = 0;
+      return status;
+  }
+}
+
+int
+kadm_ser_delete(u_char *dat, int len, AUTH_DAT *ad, 
+		u_char **datout, int *outlen)
+{
+    Kadm_vals values;
+    int wh;
+    int status;
+    
+    if((wh = stream_to_vals(dat, &values, len)) < 0)
+	return KADM_LENGTH_ERROR;
+    if(wh != len)
+	return KADM_LENGTH_ERROR;
+    status = kadm_delete_entry(ad->pname, ad->pinst, ad->prealm, 
+			       &values);
+    *outlen = 0;
+    return status;
+}
+
+/*
+kadm_ser_get
+  recieves   : KTEXT, {values, flags}
+  returns    : CKSUM, RETCODE, {count, values, values, values}
+  acl        : su
+
+gets the fields requested by flags from all entries matching values
+returns this data for each matching recipient, after a count of how many such
+  matches there were
+*/
+int
+kadm_ser_get(u_char *dat, int len, AUTH_DAT *ad, u_char **datout, int *outlen)
+{
+  Kadm_vals values, retvals;
+  u_char fl[FLDSZ];
+  int loop,wh;
+  long status;
+
+  if ((wh = stream_to_vals(dat, &values, len)) < 0)
+      return KADM_LENGTH_ERROR;
+  if (wh + FLDSZ > len)
+      return KADM_LENGTH_ERROR;
+  for (loop=FLDSZ-1; loop>=0; loop--)
+    fl[loop] = dat[wh++];
+  if ((status = kadm_get_entry(ad->pname, ad->pinst, ad->prealm,
+			      &values, fl, &retvals)) == KADM_DATA) {
+      *outlen = vals_to_stream(&retvals,datout);
+      return KADM_SUCCESS;
+  } else {
+      *outlen = 0;
+      return status;
+  }
+}
+
diff --git a/crypto/kerberosIV/kadmin/kadm_server.h b/crypto/kerberosIV/kadmin/kadm_server.h
new file mode 100644
index 0000000..c730574
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/kadm_server.h
@@ -0,0 +1,66 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/* $Id: kadm_server.h,v 1.10 1997/05/11 04:08:26 assar Exp $ */
+
+/*
+ * Definitions for Kerberos administration server & client
+ */
+
+#ifndef KADM_SERVER_DEFS
+#define KADM_SERVER_DEFS
+
+/*
+ * kadm_server.h
+ * Header file for the fourth attempt at an admin server
+ * Doug Church, December 28, 1989, MIT Project Athena
+ *    ps. Yes that means this code belongs to athena etc...
+ *        as part of our ongoing attempt to copyright all greek names
+ */
+
+typedef struct {
+  struct sockaddr_in admin_addr;
+  struct sockaddr_in recv_addr;
+  int recv_addr_len;
+  int admin_fd;			/* our link to clients */
+  char sname[ANAME_SZ];
+  char sinst[INST_SZ];
+  char krbrlm[REALM_SZ];
+  des_cblock master_key;
+  des_cblock session_key;
+  des_key_schedule master_key_schedule;
+  long master_key_version;
+} Kadm_Server;
+
+/* the default syslog file */
+#ifndef KADM_SYSLOG
+#define KADM_SYSLOG  "/var/log/admin_server.syslog"
+#endif /* KADM_SYSLOG */
+
+#ifndef DEFAULT_ACL_DIR
+#define DEFAULT_ACL_DIR	"/var/kerberos"
+#endif /* DEFAULT_ACL_DIR */
+#define	ADD_ACL_FILE	"/admin_acl.add"
+#define	GET_ACL_FILE	"/admin_acl.get"
+#define	MOD_ACL_FILE	"/admin_acl.mod"
+#define	DEL_ACL_FILE	"/admin_acl.del"
+
+#endif /* KADM_SERVER_DEFS */
diff --git a/crypto/kerberosIV/kadmin/kadmin.c b/crypto/kerberosIV/kadmin/kadmin.c
new file mode 100644
index 0000000..76abda5
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/kadmin.c
@@ -0,0 +1,1145 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * Kerberos database administrator's tool.  
+ * 
+ * The default behavior of kadmin is if the -m option is given 
+ * on the commandline, multiple requests are allowed to be given
+ * with one entry of the admin password (until the tickets expire).
+ */
+
+#include "kadm_locl.h"
+#include "getarg.h"
+#include "parse_time.h"
+
+RCSID("$Id: kadmin.c,v 1.62 1999/11/02 17:02:14 bg Exp $");
+
+static int change_password(int argc, char **argv);
+static int change_key(int argc, char **argv);
+static int change_admin_password(int argc, char **argv);
+static int add_new_key(int argc, char **argv);
+static int del_entry(int argc, char **argv);
+static int get_entry(int argc, char **argv);
+static int mod_entry(int argc, char **argv);
+static int help(int argc, char **argv);
+static int clean_up_cmd(int argc, char **argv);
+static int quit_cmd(int argc, char **argv);
+static int set_timeout_cmd(int argc, char **argv);
+
+static int set_timeout(const char *);
+
+static SL_cmd cmds[] = {
+  {"change_password", change_password, "Change a user's password"},
+  {"cpw"},
+  {"passwd"},
+  {"change_key", change_key, "Change a user's password as a DES binary key"},
+  {"ckey"},
+  {"change_admin_password", change_admin_password,
+   "Change your admin password"},
+  {"cap"},
+  {"add_new_key", add_new_key, "Add new user to kerberos database"},
+  {"ank"},
+  {"del_entry", del_entry, "Delete entry from database"},
+  {"del"},
+  {"delete"},
+  {"get_entry", get_entry, "Get entry from kerberos database"},
+  {"mod_entry", mod_entry, "Modify entry in kerberos database"},
+  {"destroy_tickets", clean_up_cmd, "Destroy admin tickets"},
+  {"set_timeout", set_timeout_cmd, "Set ticket timeout"},
+  {"timeout" },
+  {"exit", quit_cmd, "Exit program"},
+  {"quit"},
+  {"help", help, "Help"},
+  {"?"},
+  {NULL}
+};
+
+#define BAD_PW 1
+#define GOOD_PW 0
+#define FUDGE_VALUE 15		/* for ticket expiration time */
+#define PE_NO 0
+#define PE_YES 1
+#define PE_UNSURE 2
+
+/* for get_password, whether it should do the swapping...necessary for
+   using vals structure, unnecessary for change_pw requests */
+#define DONTSWAP 0
+#define SWAP 1
+
+static krb_principal pr;
+static char default_realm[REALM_SZ]; /* default kerberos realm */
+static char krbrlm[REALM_SZ];	/* current realm being administered */
+
+#ifdef NOENCRYPTION
+#define read_long_pw_string placebo_read_pw_string
+#else
+#define read_long_pw_string des_read_pw_string
+#endif
+
+static void
+get_maxlife(Kadm_vals *vals)
+{
+    char buff[BUFSIZ];
+    time_t life;
+    int l;
+
+    do {
+	printf("Maximum ticket lifetime?  (%d)  [%s]  ",
+ 	     vals->max_life, krb_life_to_atime(vals->max_life));
+	fflush(stdout);
+	if (fgets(buff, sizeof(buff), stdin) == NULL || *buff == '\n') {
+	    clearerr(stdin);
+	    return;
+	}
+	life = krb_atime_to_life(buff);
+    } while (life <= 0);
+
+    l = strlen(buff);
+    if (buff[l-2] == 'm')
+	life = krb_time_to_life(0L, life*60);
+    if (buff[l-2] == 'h')
+	life = krb_time_to_life(0L, life*60*60);
+
+    vals->max_life = life;
+    SET_FIELD(KADM_MAXLIFE,vals->fields);
+}
+
+static void
+get_attr(Kadm_vals *vals)
+{
+    char buff[BUFSIZ], *out;
+    int attr;
+
+    do {
+	printf("Attributes?  [0x%.2x]  ", vals->attributes);
+	fflush(stdout);
+	if (fgets(buff, sizeof(buff), stdin) == NULL || *buff == '\n') {
+	    clearerr(stdin);
+	    return;
+	}
+        attr = strtol(buff, &out, 0);
+	if (attr == 0 && out == buff)
+	  attr = -1;
+    } while (attr < 0 || attr > 0xffff);
+
+    vals->attributes = attr;
+    SET_FIELD(KADM_ATTR,vals->fields);
+}
+
+static time_t
+parse_expdate(const char *str)
+{
+    struct tm edate;
+
+    memset(&edate, 0, sizeof(edate));
+    if (sscanf(str, "%d-%d-%d",
+	       &edate.tm_year, &edate.tm_mon, &edate.tm_mday) == 3) {
+	edate.tm_mon--;     /* January is 0, not 1 */
+	edate.tm_hour = 23; /* nearly midnight at the end of the */
+	edate.tm_min = 59;  /* specified day */
+    }
+    if(krb_check_tm (edate))
+	return -1;
+    edate.tm_year -= 1900;
+    return tm2time (edate, 1);
+}
+
+static void
+get_expdate(Kadm_vals *vals)
+{
+    char buff[BUFSIZ];
+    time_t t;
+
+    do {
+	strftime(buff, sizeof(buff), "%Y-%m-%d", k_localtime(&vals->exp_date));
+        printf("Expiration date (enter yyyy-mm-dd) ?  [%s]  ", buff);
+        fflush(stdout);
+        if (fgets(buff, sizeof(buff), stdin) == NULL || *buff == '\n') {
+            clearerr(stdin);
+            return;
+        }
+	t = parse_expdate(buff);
+    }while(t < 0);
+    vals->exp_date = t;
+    SET_FIELD(KADM_EXPDATE,vals->fields);
+}
+
+static int
+princ_exists(char *name, char *instance, char *realm)
+{
+    int status;
+
+    int old = krb_use_admin_server(1);
+    status = krb_get_pw_in_tkt(name, instance, realm,
+			       KRB_TICKET_GRANTING_TICKET,
+			       realm, 1, "");
+    krb_use_admin_server(old);
+
+    if ((status == KSUCCESS) || (status == INTK_BADPW))
+	return(PE_YES);
+    else if (status == KDC_PR_UNKNOWN)
+	return(PE_NO);
+    else
+	return(PE_UNSURE);
+}
+
+static void
+passwd_to_lowhigh(u_int32_t *low, u_int32_t *high, char *password, int byteswap)
+{
+    des_cblock newkey;
+
+    if (strlen(password) == 0) {
+    	printf("Using random password.\n");
+#ifdef NOENCRYPTION
+	memset(newkey, 0, sizeof(newkey));
+#else
+	des_new_random_key(&newkey);
+#endif
+    } else {
+#ifdef NOENCRYPTION
+      memset(newkey, 0, sizeof(newkey));
+#else
+      des_string_to_key(password, &newkey);
+#endif
+    }
+
+    memcpy(low, newkey, 4);
+    memcpy(high, ((char *)newkey) + 4, 4);
+
+    memset(newkey, 0, sizeof(newkey));
+
+#ifdef NOENCRYPTION
+    *low = 1;
+#endif
+
+    if (byteswap != DONTSWAP) {
+	*low = htonl(*low);
+	*high = htonl(*high);
+    }
+}
+
+static int
+get_password(u_int32_t *low, u_int32_t *high, char *prompt, int byteswap)
+{
+    char new_passwd[MAX_KPW_LEN];	/* new password */
+
+    if (read_long_pw_string(new_passwd, sizeof(new_passwd)-1, prompt, 1))
+    	return(BAD_PW);
+    passwd_to_lowhigh (low, high, new_passwd, byteswap);
+    memset (new_passwd, 0, sizeof(new_passwd));
+    return(GOOD_PW);
+}
+
+static int
+get_admin_password(void)
+{
+    int status;
+    char admin_passwd[MAX_KPW_LEN];	/* Admin's password */
+    int ticket_life = 1;	/* minimum ticket lifetime */
+    CREDENTIALS c;
+
+    alarm(0);
+    /* If admin tickets exist and are valid, just exit. */
+    memset(&c, 0, sizeof(c));
+    if (krb_get_cred(PWSERV_NAME, KADM_SINST, krbrlm, &c) == KSUCCESS)
+	/* 
+	 * If time is less than lifetime - FUDGE_VALUE after issue date,
+	 * tickets will probably last long enough for the next 
+	 * transaction.
+	 */
+	if (time(0) < (c.issue_date + (5 * 60 * c.lifetime) - FUDGE_VALUE))
+	    return(KADM_SUCCESS);
+    ticket_life = DEFAULT_TKT_LIFE;
+    
+    if (princ_exists(pr.name, pr.instance, pr.realm) != PE_NO) {
+        char prompt[256];
+	snprintf(prompt, sizeof(prompt), "%s's Password: ", 
+		 krb_unparse_name(&pr));
+	if (read_long_pw_string(admin_passwd,
+				sizeof(admin_passwd)-1,
+				prompt, 0)) {
+	    warnx ("Error reading admin password.");
+	    goto bad;
+	}
+	status = krb_get_pw_in_tkt(pr.name, pr.instance, pr.realm,
+				   PWSERV_NAME, KADM_SINST,
+				   ticket_life, admin_passwd);
+	memset(admin_passwd, 0, sizeof(admin_passwd));
+	
+	/* Initialize non shared random sequence from session key. */
+	memset(&c, 0, sizeof(c));
+	krb_get_cred(PWSERV_NAME, KADM_SINST, krbrlm, &c);
+	des_init_random_number_generator(&c.session);
+    }
+    else
+	status = KDC_PR_UNKNOWN;
+
+    switch(status) {
+    case GT_PW_OK:
+	return(GOOD_PW);
+    case KDC_PR_UNKNOWN:
+	printf("Principal %s does not exist.\n", krb_unparse_name(&pr));
+	goto bad;
+    case GT_PW_BADPW:
+	printf("Incorrect admin password.\n");
+	goto bad;
+    default:
+	com_err("kadmin", status+krb_err_base,
+		"while getting password tickets");
+	goto bad;
+    }
+    
+ bad:
+    memset(admin_passwd, 0, sizeof(admin_passwd));
+    dest_tkt();
+    return(BAD_PW);
+}
+
+static char *principal;
+static char *username;
+static char *realm;
+static char *timeout;
+static int tflag; /* use existing tickets */
+static int mflag; /* compatibility */
+static int version_flag;
+static int help_flag;
+
+static time_t destroy_timeout = 5 * 60;
+
+struct getargs args[] = {
+    { NULL,	'p',	arg_string, &principal, 
+      "principal to authenticate as"},
+    { NULL,	'u',	arg_string, &username, 
+      "username, other than default" },
+    { NULL,	'r',	arg_string, &realm, "local realm" },
+    { NULL,	'm',	arg_flag, &mflag, "disable ticket timeout" },
+    { NULL,	'T',	arg_string, &timeout, "default ticket timeout" },
+    { NULL,	't',	arg_flag, &tflag, "use existing tickets" },
+    { "version",0,	arg_flag, &version_flag },
+    { "help",	'h',	arg_flag, &help_flag },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+static int
+clean_up()
+{
+    if(!tflag)
+	return dest_tkt() == KSUCCESS;
+    return 0; 
+}
+
+static int
+clean_up_cmd (int argc, char **argv)
+{
+    clean_up();
+    return 0;
+}
+
+static int
+quit_cmd (int argc, char **argv)
+{
+    return 1;
+}
+
+static void 
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "[command]");
+    exit(code);
+}
+
+static int
+do_init(int argc, char **argv)
+{
+    int optind = 0;
+    int ret;
+
+    set_progname (argv[0]);
+    
+    if(getarg(args, num_args, argc, argv, &optind) < 0)
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    memset(&pr, 0, sizeof(pr));
+    ret = krb_get_default_principal(pr.name, pr.instance, default_realm);
+    if(ret < 0)
+	errx(1, "Can't figure out default principal");
+    if(pr.instance[0] == '\0')
+	strlcpy(pr.instance, "admin", sizeof(pr.instance));
+    if(principal) {
+	if(username)
+	    warnx("Ignoring username when principal is given");
+	ret = krb_parse_name(principal, &pr);
+	if(ret)
+	    errx(1, "%s: %s", principal, krb_get_err_text(ret));
+	if(pr.realm[0] != '\0')
+	    strlcpy(default_realm, pr.realm, sizeof(default_realm));
+    } else if(username) {
+	strlcpy(pr.name, username, sizeof(pr.name));
+	strlcpy(pr.instance, "admin", sizeof(pr.instance));
+    } 
+    
+    if(realm)
+	strlcpy(default_realm, realm, sizeof(default_realm));
+    
+    strlcpy(krbrlm, default_realm, sizeof(krbrlm));
+
+    if(pr.realm[0] == '\0')
+	strlcpy(pr.realm, krbrlm, sizeof(pr.realm));
+
+    if (kadm_init_link(PWSERV_NAME, KRB_MASTER, krbrlm) != KADM_SUCCESS)
+	*krbrlm = '\0';
+    
+    if(timeout) {
+	if(set_timeout(timeout) == -1)
+	    warnx("bad timespecification `%s'", timeout);
+    } else if(mflag)
+	destroy_timeout = 0;
+
+    if (tflag)
+	destroy_timeout = 0; /* disable timeout */
+    else{
+	char tktstring[128];
+	snprintf(tktstring, sizeof(tktstring), "%s_adm_%d",
+		 TKT_ROOT, (int)getpid());
+	krb_set_tkt_string(tktstring);
+    }
+    return optind;
+}
+
+static void
+sigalrm(int sig)
+{
+    if(clean_up())
+	printf("\nTickets destroyed.\n");
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = do_init(argc, argv);
+    if(argc > optind)
+	sl_command(cmds, argc - optind, argv + optind);
+    else {
+	void *data = NULL;
+	signal(SIGALRM, sigalrm);
+	while(sl_command_loop(cmds, "kadmin: ", &data) == 0)
+	    alarm(destroy_timeout);
+    }
+    clean_up();
+    exit(0);
+}
+
+static int
+setvals(Kadm_vals *vals, char *string)
+{
+    char realm[REALM_SZ];
+    int status = KADM_SUCCESS;
+
+    memset(vals, 0, sizeof(*vals));
+    memset(realm, 0, sizeof(realm));
+
+    SET_FIELD(KADM_NAME,vals->fields);
+    SET_FIELD(KADM_INST,vals->fields);
+    if ((status = kname_parse(vals->name, vals->instance, realm, string))) {
+	printf("kerberos error: %s\n", krb_get_err_text(status));
+	return status;
+    }
+    if (!realm[0])
+	strlcpy(realm, default_realm, sizeof(realm));
+    if (strcmp(realm, krbrlm)) {
+	strlcpy(krbrlm, realm, sizeof(krbrlm));
+	if ((status = kadm_init_link(PWSERV_NAME, KRB_MASTER, krbrlm)) 
+	    != KADM_SUCCESS)
+	    printf("kadm error for realm %s: %s\n", 
+		   krbrlm, error_message(status));
+    }
+    if (status) 
+	return 1;
+    else
+	return KADM_SUCCESS;
+}    
+
+static int 
+set_timeout(const char *timespec)
+{
+    int t = parse_time(timespec, "s");
+    if(t == -1)
+	return -1;
+    destroy_timeout = t;
+    return 0;
+}
+
+static int
+set_timeout_cmd(int argc, char **argv)
+{
+    char ts[128];
+    if (argc > 2) {
+	printf("Usage: set_timeout [timeout]\n");
+	return 0;
+    }
+    if(argc == 2) {
+	if(set_timeout(argv[1]) == -1){
+	    printf("Bad time specification `%s'\n", argv[1]);
+	    return 0;
+	}
+    }
+    if(destroy_timeout == 0)
+	printf("Timeout disabled.\n");
+    else{
+	unparse_time(destroy_timeout, ts, sizeof(ts));
+	printf("Timeout after %s.\n", ts);
+    }
+    return 0;
+}
+
+static int 
+change_password(int argc, char **argv)
+{
+    Kadm_vals old, new;
+    int status;
+    char pw_prompt[BUFSIZ];
+
+    char pw[32];
+    int generate_password = 0;
+    int i;
+    int optind = 0;
+    char *user = NULL;
+
+    struct getargs cpw_args[] = {
+	{ "random", 'r', arg_flag, NULL, "generate random password" },
+    };
+    i = 0;
+    cpw_args[i++].value = &generate_password;
+
+    if(getarg(cpw_args, sizeof(cpw_args) / sizeof(cpw_args[0]), 
+	      argc, argv, &optind)){
+	arg_printusage(cpw_args, 
+		       sizeof(cpw_args) / sizeof(cpw_args[0]), 
+		       "cpw",
+		       "principal");
+	return 0;
+    }
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc != 1) {
+	printf("Usage: change_password [options] principal\n");
+	return 0;
+    }
+
+    user = argv[0];
+
+    if (setvals(&old, user) != KADM_SUCCESS)
+	return 0;
+
+    new = old;
+
+    SET_FIELD(KADM_DESKEY,new.fields);
+
+    if (princ_exists(old.name, old.instance, krbrlm) != PE_NO) {
+	/* get the admin's password */
+        if (get_admin_password() != GOOD_PW)
+	    return 0;
+
+
+	if (generate_password) {
+	    random_password(pw, sizeof(pw), &new.key_low, &new.key_high);
+	} else {
+	    /* get the new password */
+	    snprintf(pw_prompt, sizeof(pw_prompt), 
+		     "New password for %s:", user);
+	
+	    if (get_password(&new.key_low, &new.key_high,
+			     pw_prompt, SWAP) != GOOD_PW) {
+		printf("Error reading password; password unchanged\n");
+		return 0;
+	    }
+	}
+
+	status = kadm_mod(&old, &new);
+	if (status == KADM_SUCCESS) {
+	    printf("Password changed for %s.\n", user);
+	    if (generate_password)
+		printf("Password is: %s\n", pw);
+	} else {
+	    printf("kadmin: %s\nwhile changing password for %s",
+		   error_message(status), user);
+	}
+
+	memset(pw, 0, sizeof(pw));
+	memset(&new, 0, sizeof(new));
+    } else 
+	printf("kadmin: Principal %s does not exist.\n",
+	       krb_unparse_name_long (old.name, old.instance, krbrlm));
+    return 0;
+}
+
+static int
+getkey(unsigned char *k)
+{
+    int i, c;
+    for (i = 0; i < 8; i++)
+	{
+	    c = getchar();
+	    if (c == EOF)
+		return 0;
+	    else if (c == '\\')
+		{
+		    int oct = -1;
+		    scanf("%03o", &oct);
+		    if (oct < 0 || oct > 255)
+			return 0;
+		    k[i] = oct;
+		}
+	    else if (!isalpha(c))
+		return 0;
+	    else
+		k[i] = c;
+	}
+    c = getchar();
+    if (c != '\n')
+	return 0;
+    return 1;			/* Success */
+}
+
+static void
+printkey(unsigned char *tkey)
+{
+    int j;
+    for(j = 0; j < 8; j++)
+	if(tkey[j] != '\\' && isalpha(tkey[j]) != 0)
+	    printf("%c", tkey[j]);
+	else
+	    printf("\\%03o",(unsigned char)tkey[j]);
+    printf("\n");
+}
+
+static int 
+change_key(int argc, char **argv)
+{
+    Kadm_vals old, new;
+    unsigned char newkey[8];
+    int status;
+
+    if (argc != 2) {
+	printf("Usage: change_key principal-name\n");
+	return 0;
+    }
+
+    if (setvals(&old, argv[1]) != KADM_SUCCESS)
+	return 0;
+
+    new = old;
+
+    SET_FIELD(KADM_DESKEY,new.fields);
+
+    if (princ_exists(old.name, old.instance, krbrlm) != PE_NO) {
+	/* get the admin's password */
+        if (get_admin_password() != GOOD_PW)
+	    return 0;
+
+	/* get the new password */
+	printf("New DES key for %s: ", argv[1]);
+	
+	if (getkey(newkey)) {
+	    memcpy(&new.key_low, newkey, 4);
+	    memcpy(&new.key_high, ((char *)newkey) + 4, 4);
+	    printf("Entered key for %s: ", argv[1]);
+	    printkey(newkey);
+	    memset(newkey, 0, sizeof(newkey));
+
+	    status = kadm_mod(&old, &new);
+	    if (status == KADM_SUCCESS) {
+		printf("Key changed for %s.\n", argv[1]);
+	    } else {
+		printf("kadmin: %s\nwhile changing key for %s",
+		       error_message(status), argv[1]);
+	    }
+	} else
+	    printf("Error reading key; key unchanged\n");
+	memset(&new, 0, sizeof(new));
+    }
+    else 
+	printf("kadmin: Principal %s does not exist.\n",
+	       krb_unparse_name_long (old.name, old.instance, krbrlm));
+    return 0;
+}
+
+static int 
+change_admin_password(int argc, char **argv)
+{
+    des_cblock newkey;
+    int status;
+    char pword[MAX_KPW_LEN];
+    char *pw_msg;
+
+    alarm(0);
+    if (argc != 1) {
+	printf("Usage: change_admin_password\n");
+	return 0;
+    }
+    if (get_pw_new_pwd(pword, sizeof(pword), &pr, 1) == 0) {
+	 des_string_to_key(pword, &newkey);
+	 status = kadm_change_pw_plain(newkey, pword, &pw_msg);
+	 if(status == KADM_INSECURE_PW)
+	      printf("Insecure password: %s\n", pw_msg);
+	 else if (status == KADM_SUCCESS)
+	      printf("Admin password changed\n");
+	 else
+	      printf("kadm error: %s\n",error_message(status));
+	 memset(newkey, 0, sizeof(newkey));
+	 memset(pword, 0, sizeof(pword));
+    }
+    return 0;
+}
+
+void random_password(char*, size_t, u_int32_t*, u_int32_t*);
+
+static int 
+add_new_key(int argc, char **argv)
+{
+    int i;
+    char pw_prompt[BUFSIZ];
+    int status;
+    int generate_password = 0;
+    char *password = NULL;
+
+    char *expiration_string = NULL;
+    time_t default_expiration = 0;
+    int expiration_set = 0;
+
+    char *life_string = NULL;
+    time_t default_life = 0;
+    int life_set = 0;
+
+    int attributes = -1;
+    int default_attributes = 0;
+    int attributes_set = 0;
+
+    int optind = 0;
+
+    /* XXX remember to update value assignments below */
+    struct getargs add_args[] = {
+	{ "random", 'r', arg_flag, NULL, "generate random password" },
+	{ "password", 'p', arg_string, NULL },
+	{ "life", 'l', arg_string, NULL, "max ticket life" },
+	{ "expiration", 'e', arg_string, NULL, "principal expiration" },
+	{ "attributes", 'a', arg_integer, NULL }
+    };
+    i = 0;
+    add_args[i++].value = &generate_password;
+    add_args[i++].value = &password;
+    add_args[i++].value = &life_string;
+    add_args[i++].value = &expiration_string;
+    add_args[i++].value = &attributes;
+
+
+    if(getarg(add_args, sizeof(add_args) / sizeof(add_args[0]), 
+	      argc, argv, &optind)){
+	arg_printusage(add_args, 
+		       sizeof(add_args) / sizeof(add_args[0]), 
+		       "add",
+		       "principal ...");
+	return 0;
+    }
+
+    if(expiration_string) {
+	default_expiration = parse_expdate(expiration_string);
+	if(default_expiration < 0)
+	    warnx("Unknown expiration date `%s'", expiration_string);
+	else
+	    expiration_set = 1;
+    }
+    if(life_string) {
+	time_t t = parse_time(life_string, "hour");
+	if(t == -1) 
+	    warnx("Unknown lifetime `%s'", life_string);
+	else {
+	    default_life = krb_time_to_life(0, t);
+	    life_set = 1;
+	}
+    }
+    if(attributes != -1) {
+	default_attributes = attributes;
+	attributes_set = 1;
+    }
+
+
+    {
+	char default_name[ANAME_SZ + INST_SZ + 1];
+	char old_default[INST_SZ + 1] = "";
+	Kadm_vals new, default_vals;
+	char pw[32];
+	u_char fields[4];
+
+	for(i = optind; i < argc; i++) {
+	    if (setvals(&new, argv[i]) != KADM_SUCCESS)
+		return 0;
+	    SET_FIELD(KADM_EXPDATE, new.fields);
+	    SET_FIELD(KADM_ATTR, new.fields);
+	    SET_FIELD(KADM_MAXLIFE, new.fields);
+	    SET_FIELD(KADM_DESKEY, new.fields);
+
+	    if (princ_exists(new.name, new.instance, krbrlm) == PE_YES) {
+		printf("kadmin: Principal %s already exists.\n", argv[i]);
+		continue;
+	    }
+	    /* get the admin's password */
+	    if (get_admin_password() != GOOD_PW)
+		return 0;
+	
+	    snprintf (default_name, sizeof(default_name), 
+		      "default.%s", new.instance);
+	    if(strcmp(old_default, default_name) != 0) {
+		memset(fields, 0, sizeof(fields));
+		SET_FIELD(KADM_NAME, fields);
+		SET_FIELD(KADM_INST, fields);
+		SET_FIELD(KADM_EXPDATE, fields);
+		SET_FIELD(KADM_ATTR, fields);
+		SET_FIELD(KADM_MAXLIFE, fields);
+		if (setvals(&default_vals, default_name) != KADM_SUCCESS)
+		    return 0;
+	
+		if (kadm_get(&default_vals, fields) != KADM_SUCCESS) {
+		    /* no such entry, try just `default' */
+		    if (setvals(&default_vals, "default") != KADM_SUCCESS)
+			continue;
+		    if ((status = kadm_get(&default_vals, fields)) != KADM_SUCCESS) {
+			warnx ("kadm error: %s", error_message(status));
+			break; /* no point in continuing */
+		    }
+		}
+
+		if (default_vals.max_life == 255) /* Defaults not set! */ {
+		    /* This is the default maximum lifetime for new principals. */
+		    if (strcmp(new.instance, "admin") == 0)
+			default_vals.max_life = 1 + (CLOCK_SKEW/(5*60)); /* 5+5 minutes */
+		    else if (strcmp(new.instance, "root") == 0)
+			default_vals.max_life = 96;    /* 8 hours */
+		    else if (krb_life_to_time(0, 162) >= 24*60*60)
+			default_vals.max_life = 162;     /* ca 100 hours */
+		    else
+			default_vals.max_life = 255;     /* ca 21 hours (maximum) */
+		
+		    /* Also fix expiration date. */
+		    {
+			time_t now;
+			struct tm tm;
+
+			now = time(0);
+			tm = *gmtime(&now);
+			if (strcmp(new.name, "rcmd") == 0 ||
+			    strcmp(new.name, "ftp")  == 0 ||
+			    strcmp(new.name, "pop")  == 0)
+			    tm.tm_year += 5;
+			else
+			    tm.tm_year += 2;
+			default_vals.exp_date = mktime(&tm);
+		    }		
+		    default_vals.attributes = default_vals.attributes;
+		}
+		if(!life_set)
+		    default_life = default_vals.max_life;
+		if(!expiration_set)
+		    default_expiration = default_vals.exp_date;
+		if(!attributes_set)
+		    default_attributes = default_vals.attributes;
+	    }
+
+	    new.max_life = default_life;
+	    new.exp_date = default_expiration;
+	    new.attributes = default_attributes;
+	    if(!life_set)
+		get_maxlife(&new);
+	    if(!attributes_set)
+		get_attr(&new);
+	    if(!expiration_set)
+		get_expdate(&new);
+
+	    if(generate_password) {
+		random_password(pw, sizeof(pw), &new.key_low, &new.key_high);
+	    } else if (password == NULL) {
+		/* get the new password */
+		snprintf(pw_prompt, sizeof(pw_prompt), "Password for %s:", 
+			 argv[i]);
+	
+		if (get_password(&new.key_low, &new.key_high,
+				 pw_prompt, SWAP) != GOOD_PW) {
+		    printf("Error reading password: %s not added\n", argv[i]);
+		    memset(&new, 0, sizeof(new));
+		    return 0;
+		}
+	    } else {
+		passwd_to_lowhigh (&new.key_low, &new.key_high, password, SWAP);
+		memset (password, 0, strlen(password));
+	    }
+
+	    status = kadm_add(&new);
+	    if (status == KADM_SUCCESS) {
+		printf("%s added to database", argv[i]);
+		if (generate_password)
+		    printf (" with password `%s'", pw);
+		printf (".\n");
+	    } else 
+		printf("kadm error: %s\n",error_message(status));
+		
+	    memset(pw, 0, sizeof(pw));
+	    memset(&new, 0, sizeof(new));
+	}
+    }
+    
+    return 0;
+}
+
+static int 
+del_entry(int argc, char **argv)
+{
+    int status;
+    Kadm_vals vals;
+    int i;
+
+    if (argc < 2) {
+	printf("Usage: delete principal...\n");
+	return 0;
+    }
+
+    for(i = 1; i < argc; i++) {
+	if (setvals(&vals, argv[i]) != KADM_SUCCESS)
+	    return 0;
+	
+	if (princ_exists(vals.name, vals.instance, krbrlm) != PE_NO) {
+	    /* get the admin's password */
+	    if (get_admin_password() != GOOD_PW)
+		return 0;
+	    
+	    if ((status = kadm_del(&vals)) == KADM_SUCCESS)
+		printf("%s removed from database.\n", argv[i]);
+	    else 
+		printf("kadm error: %s\n",error_message(status));
+	}
+	else
+	    printf("kadmin: Principal %s does not exist.\n",
+		   krb_unparse_name_long (vals.name, vals.instance, krbrlm));
+    }
+    return 0;
+}
+
+static int 
+get_entry(int argc, char **argv)
+{
+    int status;
+    u_char fields[4];
+    Kadm_vals vals;
+
+    if (argc != 2) {
+	printf("Usage: get_entry username\n");
+	return 0;
+    }
+
+    memset(fields, 0, sizeof(fields));
+
+    SET_FIELD(KADM_NAME,fields);
+    SET_FIELD(KADM_INST,fields);
+    SET_FIELD(KADM_EXPDATE,fields);
+    SET_FIELD(KADM_ATTR,fields);
+    SET_FIELD(KADM_MAXLIFE,fields);
+#if 0
+    SET_FIELD(KADM_DESKEY,fields); 
+#endif
+#ifdef EXTENDED_KADM
+    SET_FIELD(KADM_MODDATE, fields);
+    SET_FIELD(KADM_MODNAME, fields);
+    SET_FIELD(KADM_MODINST, fields);
+    SET_FIELD(KADM_KVNO, fields);
+#endif
+
+    if (setvals(&vals, argv[1]) != KADM_SUCCESS)
+	return 0;
+
+
+    if (princ_exists(vals.name, vals.instance, krbrlm) != PE_NO) {
+	/* get the admin's password */
+	if (get_admin_password() != GOOD_PW)
+	    return 0;
+	
+	if ((status = kadm_get(&vals, fields)) == KADM_SUCCESS)
+	    prin_vals(&vals);
+	else
+	    printf("kadm error: %s\n",error_message(status));
+    }
+    else
+	printf("kadmin: Principal %s does not exist.\n",
+	       krb_unparse_name_long (vals.name, vals.instance, krbrlm));
+    return 0;
+}
+
+static int 
+mod_entry(int argc, char **argv)
+{
+    int status;
+    u_char fields[4];
+    Kadm_vals ovals, nvals;
+    int i;
+
+    char *expiration_string = NULL;
+    time_t default_expiration = 0;
+    int expiration_set = 0;
+
+    char *life_string = NULL;
+    time_t default_life = 0;
+    int life_set = 0;
+
+    int attributes = -1;
+    int default_attributes = 0;
+    int attributes_set = 0;
+
+    int optind = 0;
+
+    /* XXX remember to update value assignments below */
+    struct getargs mod_args[] = {
+	{ "life", 'l', arg_string, NULL, "max ticket life" },
+	{ "expiration", 'e', arg_string, NULL, "principal expiration" },
+	{ "attributes", 'a', arg_integer, NULL }
+    };
+    i = 0;
+    mod_args[i++].value = &life_string;
+    mod_args[i++].value = &expiration_string;
+    mod_args[i++].value = &attributes;
+
+
+    if(getarg(mod_args, sizeof(mod_args) / sizeof(mod_args[0]), 
+	      argc, argv, &optind)){
+	arg_printusage(mod_args, 
+		       sizeof(mod_args) / sizeof(mod_args[0]), 
+		       "mod",
+		       "principal ...");
+	return 0;
+    }
+
+    if(expiration_string) {
+	default_expiration = parse_expdate(expiration_string);
+	if(default_expiration < 0)
+	    warnx("Unknown expiration date `%s'", expiration_string);
+	else
+	    expiration_set = 1;
+    }
+    if(life_string) {
+	time_t t = parse_time(life_string, "hour");
+	if(t == -1) 
+	    warnx("Unknown lifetime `%s'", life_string);
+	else {
+	    default_life = krb_time_to_life(0, t);
+	    life_set = 1;
+	}
+    }
+    if(attributes != -1) {
+	default_attributes = attributes;
+	attributes_set = 1;
+    }
+
+
+    for(i = optind; i < argc; i++) {
+
+	memset(fields, 0, sizeof(fields));
+
+	SET_FIELD(KADM_NAME,fields);
+	SET_FIELD(KADM_INST,fields);
+	SET_FIELD(KADM_EXPDATE,fields);
+	SET_FIELD(KADM_ATTR,fields);
+	SET_FIELD(KADM_MAXLIFE,fields);
+
+	if (setvals(&ovals, argv[i]) != KADM_SUCCESS)
+	    return 0;
+
+	nvals = ovals;
+
+	if (princ_exists(ovals.name, ovals.instance, krbrlm) == PE_NO) {
+	    printf("kadmin: Principal %s does not exist.\n",
+		   krb_unparse_name_long (ovals.name, ovals.instance, krbrlm));
+	    return 0;
+	}
+
+	/* get the admin's password */
+	if (get_admin_password() != GOOD_PW)
+	    return 0;
+	
+	if ((status = kadm_get(&ovals, fields)) != KADM_SUCCESS) {
+	    printf("[ unable to retrieve current settings: %s ]\n",
+		   error_message(status));
+	    nvals.max_life = DEFAULT_TKT_LIFE;
+	    nvals.exp_date = 0;
+	    nvals.attributes = 0;
+	} else {
+	    nvals.max_life = ovals.max_life;
+	    nvals.exp_date = ovals.exp_date;
+	    nvals.attributes = ovals.attributes;
+    }
+
+	if(life_set) {
+	    nvals.max_life = default_life;
+	    SET_FIELD(KADM_MAXLIFE, nvals.fields);
+	} else
+	    get_maxlife(&nvals);
+	if(attributes_set) {
+	    nvals.attributes = default_attributes;
+	    SET_FIELD(KADM_ATTR, nvals.fields);
+	} else
+	    get_attr(&nvals);
+	if(expiration_set) {
+	    nvals.exp_date = default_expiration;
+	    SET_FIELD(KADM_EXPDATE, nvals.fields);
+	} else
+	    get_expdate(&nvals);
+    
+	if (IS_FIELD(KADM_MAXLIFE, nvals.fields) ||
+	    IS_FIELD(KADM_ATTR, nvals.fields) ||
+	    IS_FIELD(KADM_EXPDATE, nvals.fields)) {
+	    if ((status = kadm_mod(&ovals, &nvals)) != KADM_SUCCESS) {
+		printf("kadm error: %s\n",error_message(status));
+		goto out;
+	    }
+	    if ((status = kadm_get(&ovals, fields)) != KADM_SUCCESS) {
+		printf("kadm error: %s\n",error_message(status));
+		goto out;
+	    }
+	}
+	prin_vals(&ovals);
+    }
+    
+out:
+    return 0;
+}
+
+static int
+help(int argc, char **argv)
+{
+    sl_help (cmds, argc, argv);
+    return 0;
+}
diff --git a/crypto/kerberosIV/kadmin/kpasswd.c b/crypto/kerberosIV/kadmin/kpasswd.c
new file mode 100644
index 0000000..d0d35be
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/kpasswd.c
@@ -0,0 +1,177 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * change your password with kerberos
+ */
+
+#include "kadm_locl.h"
+
+RCSID("$Id: kpasswd.c,v 1.29 1999/11/13 06:33:20 assar Exp $");
+
+static void
+usage(int value)
+{
+    fprintf(stderr, "Usage: ");
+    fprintf(stderr, "kpasswd [-h ] [-n user] [-i instance] [-r realm] ");
+    fprintf(stderr, "[-u fullname]\n");
+    exit(value);
+}
+
+int
+main(int argc, char **argv)
+{
+    krb_principal principal;
+    krb_principal default_principal;
+    int realm_given = 0;	/* True if realm was give on cmdline */
+    int use_default = 1;	/* True if we should use default name */
+    int status;			/* return code */
+    char pword[MAX_KPW_LEN];
+    int c;
+    char tktstring[MaxPathLen];
+    
+    set_progname (argv[0]);
+
+    memset (&principal, 0, sizeof(principal));
+    memset (&default_principal, 0, sizeof(default_principal));
+    
+    krb_get_default_principal (default_principal.name,
+			       default_principal.instance,
+			       default_principal.realm);
+
+    while ((c = getopt(argc, argv, "u:n:i:r:h")) != -1) {
+	switch (c) {
+	case 'u':
+	    status = krb_parse_name (optarg, &principal);
+	    if (status != KSUCCESS)
+		errx (2, "%s", krb_get_err_text(status));
+	    if (principal.realm[0])
+		realm_given++;
+	    else if (krb_get_lrealm(principal.realm, 1) != KSUCCESS)
+		errx (1, "Could not find default realm!");
+	    break;
+	case 'n':
+	    if (k_isname(optarg))
+		strlcpy(principal.name,
+				optarg,
+				sizeof(principal.name));
+	    else {
+		warnx("Bad name: %s", optarg);
+		usage(1);
+	    }
+	    break;
+	case 'i':
+	    if (k_isinst(optarg))
+		strlcpy(principal.instance,
+				optarg,
+				sizeof(principal.instance));
+	    else {
+		warnx("Bad instance: %s", optarg);
+		usage(1);
+	    }
+	    break;
+	case 'r':
+	    if (k_isrealm(optarg)) {
+		strlcpy(principal.realm,
+				optarg,
+				sizeof(principal.realm));
+		realm_given++; 
+	    } else {
+		warnx("Bad realm: %s", optarg);
+		usage(1);
+	    }
+	    break;
+	case 'h':
+	    usage(0);
+	    break;
+	default:
+	    usage(1);
+	    break;
+	}
+	use_default = 0;
+    }
+    if (optind < argc) {
+	use_default = 0;
+	status = krb_parse_name (argv[optind], &principal);
+	if(status != KSUCCESS)
+	    errx (1, "%s", krb_get_err_text (status));
+    }
+
+    if (use_default) {
+	strlcpy(principal.name,
+			default_principal.name,
+			sizeof(principal.name));
+	strlcpy(principal.instance,
+			default_principal.instance,
+			sizeof(principal.instance));
+	strlcpy(principal.realm,
+			default_principal.realm,
+			sizeof(principal.realm));
+    } else {
+	if (!principal.name[0])
+	    strlcpy(principal.name,
+			    default_principal.name,
+			    sizeof(principal.name));
+	if (!principal.realm[0])
+	    strlcpy(principal.realm,
+			    default_principal.realm,
+			    sizeof(principal.realm));
+    }
+
+    snprintf(tktstring, sizeof(tktstring), "%s_cpw_%u",
+	     TKT_ROOT, (unsigned)getpid());
+    krb_set_tkt_string(tktstring);
+    
+    if (get_pw_new_pwd(pword, sizeof(pword), &principal,
+		       realm_given)) {
+	dest_tkt ();
+	exit(1);
+    }
+    
+    status = kadm_init_link (PWSERV_NAME, KRB_MASTER, principal.realm);
+    if (status != KADM_SUCCESS) 
+	com_err(argv[0], status, "while initializing");
+    else {
+	des_cblock newkey;
+	char *pw_msg; /* message from server */
+
+	des_string_to_key(pword, &newkey);
+	status = kadm_change_pw_plain((unsigned char*)&newkey, pword, &pw_msg);
+	memset(newkey, 0, sizeof(newkey));
+      
+	if (status == KADM_INSECURE_PW)
+	    warnx ("Insecure password: %s", pw_msg);
+	else if (status != KADM_SUCCESS)
+	    com_err(argv[0], status, " attempting to change password.");
+    }
+    memset(pword, 0, sizeof(pword));
+
+    if (status != KADM_SUCCESS)
+	fprintf(stderr,"Password NOT changed.\n");
+    else
+	printf("Password changed.\n");
+
+    dest_tkt();
+    if (status)
+	return 2;
+    else 
+	return 0;
+}
diff --git a/crypto/kerberosIV/kadmin/kpasswd_standalone.c b/crypto/kerberosIV/kadmin/kpasswd_standalone.c
new file mode 100644
index 0000000..7e072ba
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/kpasswd_standalone.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * Copyright.MIT.
+ *
+ * change your password with kerberos
+ */
+
+#ifndef	lint
+#if 0
+static char rcsid_kpasswd_c[] =
+    "BonesHeader: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/kpasswd.c,v 4.3 89/09/26 09:33:02 jtkohl Exp ";
+#endif
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif	lint
+
+/*
+ * kpasswd
+ * change your password with kerberos
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <com_err.h>
+#include <err.h>
+#include <krb.h>
+#include <string.h>
+#include <pwd.h>
+#include <unistd.h>
+#include "kadm.h"
+
+#include "extern.h"
+
+extern void krb_set_tkt_string();
+static void go_home(char *, int);
+
+
+int krb_passwd(char *uname, char *iflag, char *rflag, char *uflag)
+{
+    char name[ANAME_SZ];	/* name of user */
+    char inst[INST_SZ];		/* instance of user */
+    char realm[REALM_SZ];	/* realm of user */
+    char default_name[ANAME_SZ];
+    char default_inst[INST_SZ];
+    char default_realm[REALM_SZ];
+    int realm_given = 0;	/* True if realm was give on cmdline */
+    int use_default = 1;	/* True if we should use default name */
+    struct passwd *pw;
+    int status;			/* return code */
+    des_cblock new_key;
+    extern char *optarg;
+    extern int optind;
+    char tktstring[MAXPATHLEN];
+
+    void get_pw_new_key();
+
+#ifdef NOENCRYPTION
+#define read_long_pw_string placebo_read_pw_string
+#else
+#define read_long_pw_string des_read_pw_string
+#endif
+    int read_long_pw_string();
+
+    bzero(name, sizeof(name));
+    bzero(inst, sizeof(inst));
+    bzero(realm, sizeof(realm));
+
+    if (krb_get_tf_fullname(TKT_FILE, default_name, default_inst,
+			    default_realm) != KSUCCESS) {
+	pw = getpwuid((int) getuid());
+	if (pw) {
+		strcpy(default_name, pw->pw_name);
+	} else {
+	    /* seems like a null name is kinda silly */
+		strcpy(default_name, "");
+	}
+	strcpy(default_inst, "");
+	if (krb_get_lrealm(default_realm, 1) != KSUCCESS)
+	    strcpy(default_realm, KRB_REALM);
+    }
+
+    if(uflag) {
+	    if ((status = kname_parse(name, inst, realm, uflag))) {
+		    errx(2, "Kerberos error: %s", krb_err_txt[status]);
+	    }
+	    if (realm[0])
+		realm_given++;
+	    else
+		if (krb_get_lrealm(realm, 1) != KSUCCESS)
+		    strcpy(realm, KRB_REALM);
+    }
+
+    if(uname) {
+	    if (k_isname(uname)) {
+		    strncpy(name, uname, sizeof(name) - 1);
+	    } else {
+		    errx(1, "bad name: %s", uname);
+	    }
+    }
+
+    if(iflag) {
+	    if (k_isinst(iflag)) {
+		    strncpy(inst, iflag, sizeof(inst) - 1);
+	    } else {
+		    errx(1, "bad instance: %s", iflag);
+	    }
+    }
+
+    if(rflag) {
+	    if (k_isrealm(rflag)) {
+		    strncpy(realm, rflag, sizeof(realm) - 1);
+		    realm_given++;
+	    } else {
+		    errx(1, "bad realm: %s", rflag);
+	    }
+    }
+
+    if(uname || iflag || rflag || uflag) use_default = 0;
+
+    if (use_default) {
+	strcpy(name, default_name);
+	strcpy(inst, default_inst);
+	strcpy(realm, default_realm);
+    } else {
+	if (!name[0])
+	    strcpy(name, default_name);
+	if (!realm[0])
+	    strcpy(realm, default_realm);
+    }
+
+    (void) sprintf(tktstring, "/tmp/tkt_cpw_%d",getpid());
+    krb_set_tkt_string(tktstring);
+
+    get_pw_new_key(new_key, name, inst, realm, realm_given);
+
+    if ((status = kadm_init_link("changepw", KRB_MASTER, realm))
+	!= KADM_SUCCESS)
+	com_err("kpasswd", status, "while initializing");
+    else if ((status = kadm_change_pw(new_key)) != KADM_SUCCESS)
+	com_err("kpasswd", status, " attempting to change password.");
+
+    if (status != KADM_SUCCESS)
+	fprintf(stderr,"Password NOT changed.\n");
+    else
+	printf("Password changed.\n");
+
+    (void) dest_tkt();
+    if (status)
+	exit(2);
+    else
+	exit(0);
+}
+
+void get_pw_new_key(new_key, name, inst, realm, print_realm)
+  des_cblock new_key;
+  char *name;
+  char *inst;
+  char *realm;
+  int print_realm;		/* True if realm was give on cmdline */
+{
+    char ppromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */
+    char pword[MAX_KPW_LEN];	               /* storage for the password */
+    char npromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */
+
+    char local_realm[REALM_SZ];
+    int status;
+
+    /*
+     * We don't care about failure; this is to determine whether or
+     * not to print the realm in the prompt for a new password.
+     */
+    (void) krb_get_lrealm(local_realm, 1);
+
+    if (strcmp(local_realm, realm))
+	print_realm++;
+
+    (void) sprintf(ppromp,"Old password for %s%s%s%s%s:",
+		   name, *inst ? "." : "", inst,
+		   print_realm ? "@" : "", print_realm ? realm : "");
+    if (read_long_pw_string(pword, sizeof(pword)-1, ppromp, 0)) {
+	fprintf(stderr, "Error reading old password.\n");
+	exit(1);
+    }
+
+    if ((status = krb_get_pw_in_tkt(name, inst, realm, PWSERV_NAME,
+				    KADM_SINST, 1, pword)) != KSUCCESS) {
+	if (status == INTK_BADPW) {
+	    printf("Incorrect old password.\n");
+	    exit(0);
+	}
+	else {
+	    fprintf(stderr, "Kerberos error: %s\n", krb_err_txt[status]);
+	    exit(1);
+	}
+    }
+    bzero(pword, sizeof(pword));
+    do {
+	(void) sprintf(npromp,"New Password for %s%s%s%s%s:",
+		       name, *inst ? "." : "", inst,
+		       print_realm ? "@" : "", print_realm ? realm : "");
+	if (read_long_pw_string(pword, sizeof(pword)-1, npromp, 1))
+	    go_home("Error reading new password, password unchanged.\n",0);
+	if (strlen(pword) == 0)
+	    printf("Null passwords are not allowed; try again.\n");
+    } while (strlen(pword) == 0);
+
+#ifdef NOENCRYPTION
+    bzero((char *) new_key, sizeof(des_cblock));
+    new_key[0] = (unsigned char) 1;
+#else
+    (void) des_string_to_key(pword, (des_cblock *)new_key);
+#endif
+    bzero(pword, sizeof(pword));
+}
+
+static void
+go_home(str,x)
+  char *str;
+  int x;
+{
+    fprintf(stderr, str, x);
+    (void) dest_tkt();
+    exit(1);
+}
diff --git a/crypto/kerberosIV/kadmin/ksrvutil.c b/crypto/kerberosIV/kadmin/ksrvutil.c
new file mode 100644
index 0000000..38722a0
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/ksrvutil.c
@@ -0,0 +1,638 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * list and update contents of srvtab files
+ */
+
+/*
+ * ksrvutil
+ * list and update the contents of srvtab files
+ */
+
+#include "kadm_locl.h"
+
+RCSID("$Id: ksrvutil.c,v 1.50 1999/11/13 06:33:59 assar Exp $");
+
+#include "ksrvutil.h"
+
+#ifdef NOENCRYPTION
+#define read_long_pw_string placebo_read_pw_string
+#else /* NOENCRYPTION */
+#define read_long_pw_string des_read_pw_string
+#endif /* NOENCRYPTION */
+
+#define SRVTAB_MODE 0600	/* rw------- */
+#define PAD "  "
+#define VNO_HEADER "Version"
+#define VNO_FORMAT "%4d   "
+#define KEY_HEADER "       Key       " /* 17 characters long */
+#define PRINC_HEADER "  Principal\n"
+#define PRINC_FORMAT "%s"
+
+char u_name[ANAME_SZ];
+char u_inst[INST_SZ];
+char u_realm[REALM_SZ];
+
+int destroyp = FALSE;		/* Should the ticket file be destroyed? */
+
+static unsigned short
+get_mode(char *filename)
+{
+    struct stat statbuf;
+    unsigned short mode;
+
+    memset(&statbuf, 0, sizeof(statbuf));
+    
+    if (stat(filename, &statbuf) < 0) 
+	mode = SRVTAB_MODE;
+    else
+	mode = statbuf.st_mode;
+
+    return(mode);
+}
+
+static void
+copy_keyfile(char *keyfile, char *backup_keyfile)
+{
+    int keyfile_fd;
+    int backup_keyfile_fd;
+    int keyfile_mode;
+    char buf[BUFSIZ];		/* for copying keyfiles */
+    int rcount;			/* for copying keyfiles */
+    int try_again;
+    
+    memset(buf, 0, sizeof(buf));
+    
+    do {
+	try_again = FALSE;
+	if ((keyfile_fd = open(keyfile, O_RDONLY, 0)) < 0) {
+	    if (errno != ENOENT)
+	      err (1, "open %s", keyfile);
+	    else {
+		try_again = TRUE;
+		if ((keyfile_fd = 
+		     open(keyfile, 
+			  O_WRONLY | O_TRUNC | O_CREAT, SRVTAB_MODE)) < 0)
+		  err(1, "create %s", keyfile);
+		else
+		    if (close(keyfile_fd) < 0)
+		      err (1, "close %s", keyfile);
+	    }
+	}
+    } while(try_again);
+
+    keyfile_mode = get_mode(keyfile);
+
+    if ((backup_keyfile_fd = 
+	 open(backup_keyfile, O_WRONLY | O_TRUNC | O_CREAT, 
+	      keyfile_mode)) < 0)
+	err (1, "open %s", backup_keyfile);
+    do {
+	if ((rcount = read(keyfile_fd, buf, sizeof(buf))) < 0)
+	    err (1, "read %s", keyfile);
+	if (rcount && (write(backup_keyfile_fd, buf, rcount) != rcount))
+	    err (1, "write %s", backup_keyfile);
+    } while (rcount);
+    if (close(backup_keyfile_fd) < 0)
+	err(1, "close %s", backup_keyfile);
+    if (close(keyfile_fd) < 0)
+	err(1, "close %s", keyfile);
+}
+
+void
+leave(char *str, int x)
+{
+    if (str)
+	fprintf(stderr, "%s\n", str);
+    if (destroyp)
+	 dest_tkt();
+    exit(x);
+}
+
+void
+safe_read_stdin(char *prompt, char *buf, size_t size)
+{
+    printf("%s", prompt);
+    fflush(stdout);
+    memset(buf, 0, size);
+    if (read(0, buf, size - 1) < 0) {
+	warn("read stdin");
+	leave(NULL, 1);
+    }
+    buf[strlen(buf)-1] = 0;
+}
+
+void
+safe_write(char *filename, int fd, void *buf, size_t len)
+{
+    if (write(fd, buf, len) != len) {
+	warn("write %s", filename);
+	close(fd);
+	leave("In progress srvtab in this file.", 1);
+    }
+}
+
+static int
+yes_no(char *string, int dflt)
+{
+  char ynbuf[5];
+  
+  printf("%s (y,n) [%c]", string, dflt?'y':'n');
+  for (;;) {
+    safe_read_stdin("", ynbuf, sizeof(ynbuf));
+    
+    if ((ynbuf[0] == 'n') || (ynbuf[0] == 'N'))
+      return(0);
+    else if ((ynbuf[0] == 'y') || (ynbuf[0] == 'Y'))
+      return(1);
+    else if(ynbuf[0] == 0)
+      return dflt;
+    else {
+      printf("Please enter 'y' or 'n': ");
+      fflush(stdout);
+    }
+  }
+}
+
+int yn(char *string)
+{
+  return yes_no(string, 1);
+}
+
+int ny(char *string)
+{
+  return yes_no(string, 0);
+}
+
+static void
+append_srvtab(char *filename, int fd, char *sname, char *sinst, char *srealm,
+	      unsigned char key_vno, unsigned char *key)
+{
+  /* Add one to append null */
+    safe_write(filename, fd, sname, strlen(sname) + 1);
+    safe_write(filename, fd, sinst, strlen(sinst) + 1);
+    safe_write(filename, fd, srealm, strlen(srealm) + 1);
+    safe_write(filename, fd, &key_vno, 1);
+    safe_write(filename, fd, key, sizeof(des_cblock));
+    fsync(fd);
+}    
+
+static void
+print_key(unsigned char *key)
+{
+    int i;
+
+    for (i = 0; i < 4; i++)
+	printf("%02x", key[i]);
+    printf(" ");
+    for (i = 4; i < 8; i++)
+	printf("%02x", key[i]);
+}
+
+static void
+print_name(char *name, char *inst, char *realm)
+{
+    printf("%s", krb_unparse_name_long(name, inst, realm));
+}
+
+static int
+get_svc_new_key(des_cblock *new_key, char *sname, char *sinst,
+		char *srealm, char *keyfile)
+{
+    int status = KADM_SUCCESS;
+
+    if (((status = krb_get_svc_in_tkt(sname, sinst, srealm, PWSERV_NAME,
+				      KADM_SINST, 1, keyfile)) == KSUCCESS) &&
+	((status = kadm_init_link(PWSERV_NAME, KRB_MASTER, srealm)) == 
+	 KADM_SUCCESS)) {
+#ifdef NOENCRYPTION
+	memset(new_key, 0, sizeof(des_cblock));
+	(*new_key)[0] = (unsigned char) 1;
+#else /* NOENCRYPTION */
+	des_new_random_key(new_key);
+#endif /* NOENCRYPTION */
+	return(KADM_SUCCESS);
+    }
+    
+    return(status);
+}
+
+static void
+get_key_from_password(des_cblock (*key), char *cellname)
+{
+    char password[MAX_KPW_LEN];	/* storage for the password */
+
+    if (read_long_pw_string(password, sizeof(password)-1, "Password: ", 1))
+	leave("Error reading password.", 1);
+
+#ifdef NOENCRYPTION
+    memset(key, 0, sizeof(des_cblock));
+    (*key)[0] = (unsigned char) 1;
+#else /* NOENCRYPTION */
+    if (strlen(cellname) == 0)
+      des_string_to_key(password, key);
+    else
+      afs_string_to_key(password, cellname, key);
+#endif /* NOENCRYPTION */
+    memset(password, 0, sizeof(password));
+}    
+
+static void
+usage(void)
+{
+    fprintf(stderr, "Usage: ksrvutil [-f keyfile] [-i] [-k] ");
+    fprintf(stderr, "[-p principal] [-r realm] [-u]");
+    fprintf(stderr, "[-c AFS cellname] ");
+    fprintf(stderr, "{list | change | add | get | delete}\n");
+    fprintf(stderr, "   -i causes the program to ask for "
+	    "confirmation before changing keys.\n");
+    fprintf(stderr, "   -k causes the key to printed for list or change.\n");
+    fprintf(stderr, "   -u creates one keyfile for each principal "
+	    "(only used with `get')\n");
+    exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+    char sname[ANAME_SZ];	/* name of service */
+    char sinst[INST_SZ];	/* instance of service */
+    char srealm[REALM_SZ];	/* realm of service */
+    unsigned char key_vno;	/* key version number */
+    int status;			/* general purpose error status */
+    des_cblock new_key;
+    des_cblock old_key;
+    char change_tkt[MaxPathLen]; /* Ticket to use for key change */
+    char keyfile[MaxPathLen];	/* Original keyfile */
+    char work_keyfile[MaxPathLen]; /* Working copy of keyfile */
+    char backup_keyfile[MaxPathLen]; /* Backup copy of keyfile */
+    unsigned short keyfile_mode; /* Protections on keyfile */
+    int work_keyfile_fd = -1;	/* Initialize so that */
+    int backup_keyfile_fd = -1;	/* compiler doesn't complain */
+    char local_realm[REALM_SZ];	/* local kerberos realm */
+    char cellname[1024];         /* AFS cell name */
+    int c;
+    int interactive = FALSE;
+    int list = FALSE;
+    int change = FALSE;
+    int unique_filename = FALSE;
+    int add = FALSE;
+    int delete = FALSE;
+    int get = FALSE;
+    int key = FALSE;		/* do we show keys? */
+    int arg_entered = FALSE;
+    int change_this_key = FALSE;
+    char databuf[BUFSIZ];
+    int first_printed = FALSE;	/* have we printed the first item? */
+    
+    memset(sname, 0, sizeof(sname));
+    memset(sinst, 0, sizeof(sinst));
+    memset(srealm, 0, sizeof(srealm));
+    	  
+    memset(change_tkt, 0, sizeof(change_tkt));
+    memset(keyfile, 0, sizeof(keyfile));
+    memset(work_keyfile, 0, sizeof(work_keyfile));
+    memset(backup_keyfile, 0, sizeof(backup_keyfile));
+    memset(local_realm, 0, sizeof(local_realm));
+    memset(cellname, 0, sizeof(cellname));
+    
+    set_progname (argv[0]);
+
+    if (krb_get_default_principal(u_name, u_inst, u_realm) < 0)
+	errx (1, "could not get default principal");
+
+    /* This is used only as a default for adding keys */
+    if (krb_get_lrealm(local_realm, 1) != KSUCCESS)
+	strlcpy(local_realm,
+			KRB_REALM,
+			sizeof(local_realm));
+    
+    while((c = getopt(argc, argv, "ikc:f:p:r:u")) != -1) {
+	switch (c) {
+	case 'i':
+	    interactive++;
+	    break;
+	case 'k':
+	    key++;
+	    break;
+	case 'c':
+	    strlcpy(cellname, optarg, sizeof(cellname));
+	    break;
+	case 'f':
+	    strlcpy(keyfile, optarg, sizeof(keyfile));
+	    break;
+	case 'p':
+	    if((status = kname_parse (u_name, u_inst, u_realm, optarg)) !=
+	       KSUCCESS)
+		errx (1, "principal %s: %s", optarg,
+		      krb_get_err_text(status));
+	    break;
+	case 'r':
+	    strlcpy(u_realm, optarg, sizeof(u_realm));
+	    break;
+	case 'u':
+	    unique_filename = 1;
+	    break;
+	case '?':
+	    usage();
+	}
+    }
+    if (optind >= argc)
+	usage();
+    if (*u_realm == '\0')
+	 strlcpy (u_realm, local_realm, sizeof(u_realm));
+    if (strcmp(argv[optind], "list") == 0) {
+	if (arg_entered)
+	    usage();
+	else {
+	    arg_entered++;
+	    list++;
+	}
+    }
+    else if (strcmp(argv[optind], "change") == 0) {
+	if (arg_entered)
+	    usage();
+	else {
+	    arg_entered++;
+	    change++;
+	}
+    }
+    else if (strcmp(argv[optind], "add") == 0) {
+	if (arg_entered)
+	    usage();
+	else {
+	    arg_entered++;
+	    add++;
+	}
+    }
+    else if (strcmp(argv[optind], "get") == 0) {
+	if (arg_entered)
+	    usage();
+	else {
+	    arg_entered++;
+	    get++;
+	}
+    }
+    else if (strcmp(argv[optind], "delete") == 0) {
+	if (arg_entered)
+	    usage();
+	else {
+	    arg_entered++;
+	    delete++;
+	}
+    }
+    else
+	usage();
+    ++optind;
+    
+    if (!arg_entered)
+	usage();
+
+    if(unique_filename && !get)
+	warnx("`-u' flag is only used with `get'");
+
+    if (!keyfile[0])
+	strlcpy(keyfile, KEYFILE, sizeof(keyfile));
+
+    strlcpy(work_keyfile, keyfile, sizeof(work_keyfile));
+    strlcpy(backup_keyfile, keyfile, sizeof(backup_keyfile));
+    
+    if (change || add || (get && !unique_filename) || delete) {
+	snprintf(work_keyfile, sizeof(work_keyfile), "%s.work", keyfile);
+	snprintf(backup_keyfile, sizeof(backup_keyfile), "%s.old", keyfile);
+	copy_keyfile(keyfile, backup_keyfile);
+    }
+    
+    if (add || (get && !unique_filename))
+	copy_keyfile(backup_keyfile, work_keyfile);
+
+    keyfile_mode = get_mode(keyfile);
+
+    if (change || list || delete)
+	if ((backup_keyfile_fd = open(backup_keyfile, O_RDONLY, 0)) < 0)
+	    err (1, "open %s", backup_keyfile);
+
+    if (change || delete) {
+	if ((work_keyfile_fd = 
+	     open(work_keyfile, O_WRONLY | O_CREAT | O_TRUNC, 
+		  SRVTAB_MODE)) < 0)
+	    err (1, "creat %s", work_keyfile);
+    }
+    else if (add) {
+	if ((work_keyfile_fd =
+	     open(work_keyfile, O_APPEND | O_WRONLY, SRVTAB_MODE)) < 0)
+	    err (1, "open with append %s", work_keyfile );
+    }
+    else if (get && !unique_filename) {
+	if ((work_keyfile_fd =
+	     open(work_keyfile, O_RDWR | O_CREAT, SRVTAB_MODE)) < 0)
+	    err (1, "open for writing %s", work_keyfile);
+    }
+    
+    if (change || list || delete) {
+	while ((getst(backup_keyfile_fd, sname, SNAME_SZ) > 0) &&
+	       (getst(backup_keyfile_fd, sinst, INST_SZ) > 0) &&
+	       (getst(backup_keyfile_fd, srealm, REALM_SZ) > 0) &&
+	       (read(backup_keyfile_fd, &key_vno, 1) > 0) &&
+	       (read(backup_keyfile_fd, old_key, sizeof(old_key)) > 0)) {
+	    if (list) {
+		if (!first_printed) {
+		    printf(VNO_HEADER);
+		    printf(PAD);
+		    if (key) {
+			printf(KEY_HEADER);
+			printf(PAD);
+		    }
+		    printf(PRINC_HEADER);
+		    first_printed = 1;
+		}
+		printf(VNO_FORMAT, key_vno);
+		printf(PAD);
+		if (key) {
+		    print_key(old_key);
+		    printf(PAD);
+		}
+		print_name(sname, sinst, srealm);
+		printf("\n");
+	    }
+	    else if (change) {
+		snprintf(change_tkt, sizeof(change_tkt), "%s_ksrvutil.%u",
+			 TKT_ROOT, (unsigned)getpid());
+		krb_set_tkt_string(change_tkt);
+		destroyp = TRUE;
+
+		printf("\nPrincipal: ");
+		print_name(sname, sinst, srealm);
+		printf("; version %d\n", key_vno);
+		if (interactive)
+		    change_this_key = yn("Change this key?");
+		else
+		    change_this_key = 1;
+		
+		if (change_this_key)
+		    printf("Changing to version %d.\n", key_vno + 1);
+		else if (change)
+		    printf("Not changing this key.\n");
+		
+		if (change_this_key) {
+		    /*
+		     * This is not a good choice of seed when/if the
+		     * key has been compromised so we also use a
+		     * random sequence number!
+		     */
+		    des_init_random_number_generator(&old_key);
+		    {
+		        des_cblock seqnum;
+			des_generate_random_block(&seqnum);
+			des_set_sequence_number((unsigned char *)&seqnum);
+		    }
+		    /* 
+		     * Pick a new key and determine whether or not
+		     * it is safe to change
+		     */
+		    if ((status = 
+			 get_svc_new_key(&new_key, sname, sinst, 
+					 srealm, keyfile)) == KADM_SUCCESS)
+			key_vno++;
+		    else {
+		        memcpy(new_key, old_key, sizeof(new_key));
+			warnx ("Key NOT changed: %s\n",
+			       krb_get_err_text(status));
+			change_this_key = FALSE;
+		    }
+		}
+		else 
+		    memcpy(new_key, old_key, sizeof(new_key));
+		append_srvtab(work_keyfile, work_keyfile_fd, 
+			      sname, sinst, srealm, key_vno, new_key);
+		if (key && change_this_key) {
+		    printf("Old key: ");
+		    print_key(old_key);
+		    printf("; new key: ");
+		    print_key(new_key);
+		    printf("\n");
+		}
+		if (change_this_key) {
+		    if ((status = kadm_change_pw(new_key)) == KADM_SUCCESS) {
+			printf("Key changed.\n");
+			dest_tkt();
+		    }
+		    else {
+			com_err(__progname, status, 
+				" attempting to change password.");
+			dest_tkt();
+			/* XXX This knows the format of a keyfile */
+			if (lseek(work_keyfile_fd, -9, SEEK_CUR) >= 0) {
+			    key_vno--;
+			    safe_write(work_keyfile,
+				       work_keyfile_fd, &key_vno, 1);
+			    safe_write(work_keyfile, work_keyfile_fd,
+				       old_key, sizeof(des_cblock));
+			    fsync(work_keyfile_fd);
+			    fprintf(stderr,"Key NOT changed.\n");
+			} else {
+			    warn ("Unable to revert keyfile");
+			    leave("", 1);
+			}
+		    }
+		}
+	    } else if(delete) {
+		int delete_this_key;
+		printf("\nPrincipal: ");
+		print_name(sname, sinst, srealm);
+		printf("; version %d\n", key_vno);
+		delete_this_key = yn("Delete this key?");
+		
+		if (delete_this_key)
+		    printf("Deleting this key.\n");
+		
+		if (!delete_this_key) {
+		    append_srvtab(work_keyfile, work_keyfile_fd, 
+				  sname, sinst, srealm, key_vno, old_key);
+		}
+	    }
+	    memset(old_key, 0, sizeof(des_cblock));
+	    memset(new_key, 0, sizeof(des_cblock));
+	}
+    }
+    else if (add) {
+	do {
+	    do {
+		char *p;
+
+		safe_read_stdin("Name: ", databuf, sizeof(databuf));
+		p = strchr(databuf, '.');
+		if (p != NULL) {
+		    *p++ = '\0';
+		    strlcpy (sname, databuf, sizeof(sname));
+		    strlcpy (sinst, p, sizeof(sinst));
+		} else {
+		    strlcpy (sname, databuf, sizeof(sname));
+		    safe_read_stdin("Instance: ", databuf, sizeof(databuf));
+		    strlcpy (sinst, databuf, sizeof(databuf));
+		}
+
+		safe_read_stdin("Realm: ", databuf, sizeof(databuf));
+		if (databuf[0] != '\0')
+		    strlcpy (srealm, databuf, sizeof(srealm));
+		else
+		    strlcpy (srealm, local_realm, sizeof(srealm));
+
+		safe_read_stdin("Version number: ", databuf, sizeof(databuf));
+		key_vno = atoi(databuf);
+		if (!srealm[0])
+		    strlcpy(srealm, local_realm, sizeof(srealm));
+		printf("New principal: ");
+		print_name(sname, sinst, srealm);
+		printf("; version %d\n", key_vno);
+	    } while (!yn("Is this correct?"));
+	    get_key_from_password(&new_key, cellname);
+	    if (key) {
+		printf("Key: ");
+		print_key(new_key);
+		printf("\n");
+	    }
+	    append_srvtab(work_keyfile, work_keyfile_fd, 
+			  sname, sinst, srealm, key_vno, new_key);
+	    printf("Key successfully added.\n");
+	} while (yn("Would you like to add another key?"));
+    }
+    else if (get) {
+        ksrvutil_get(unique_filename, work_keyfile_fd, work_keyfile,
+		     argc - optind, argv + optind);
+    }
+
+    if (change || list || delete) 
+	if (close(backup_keyfile_fd) < 0)
+	    warn ("close %s", backup_keyfile);
+    
+    if (change || add || (get && !unique_filename) || delete) {
+	if (close(work_keyfile_fd) < 0)
+	    err (1, "close %s", work_keyfile);
+	if (rename(work_keyfile, keyfile) < 0)
+	    err (1, "rename(%s, %s)", work_keyfile, keyfile);
+	chmod(backup_keyfile, keyfile_mode);
+	chmod(keyfile, keyfile_mode);
+	printf("Old keyfile in %s.\n", backup_keyfile);
+    }
+    return 0;
+}
diff --git a/crypto/kerberosIV/kadmin/ksrvutil.h b/crypto/kerberosIV/kadmin/ksrvutil.h
new file mode 100644
index 0000000..2b562ac
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/ksrvutil.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * $Id: ksrvutil.h,v 1.10 1999/12/02 16:58:36 joda Exp $
+ *
+ */
+
+extern char u_name[], u_inst[], u_realm[];
+extern int destroyp;
+
+void leave(char *str, int x);
+void safe_read_stdin(char *prompt, char *buf, size_t size);
+void safe_write(char *filename, int fd, void *buf, size_t len);
+
+int yn(char *string);
+int ny(char *string);
+
+void ksrvutil_get(int unique_filename, int fd, 
+		  char *filename, int argc, char **argv);
diff --git a/crypto/kerberosIV/kadmin/ksrvutil_get.c b/crypto/kerberosIV/kadmin/ksrvutil_get.c
new file mode 100644
index 0000000..a08b10d
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/ksrvutil_get.c
@@ -0,0 +1,434 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kadm_locl.h"
+#include "ksrvutil.h"
+
+RCSID("$Id: ksrvutil_get.c,v 1.43 1999/12/02 16:58:36 joda Exp $");
+
+#define BAD_PW 1
+#define GOOD_PW 0
+#define FUDGE_VALUE 15		/* for ticket expiration time */
+#define PE_NO 0
+#define PE_YES 1
+#define PE_UNSURE 2
+
+static char tktstring[MaxPathLen];
+
+static int
+princ_exists(char *name, char *instance, char *realm)
+{
+    int status;
+
+    status = krb_get_pw_in_tkt(name, instance, realm,
+			       KRB_TICKET_GRANTING_TICKET,
+			       realm, 1, "");
+
+    if ((status == KSUCCESS) || (status == INTK_BADPW))
+	return(PE_YES);
+    else if (status == KDC_PR_UNKNOWN)
+	return(PE_NO);
+    else
+	return(PE_UNSURE);
+}
+
+static int
+get_admin_password(char *myname, char *myinst, char *myrealm)
+{
+  int status;
+  char admin_passwd[MAX_KPW_LEN];	/* Admin's password */
+  int ticket_life = 1;	/* minimum ticket lifetime */
+  char buf[1024];
+  CREDENTIALS c;
+
+  if (princ_exists(myname, myinst, myrealm) != PE_NO) {
+    snprintf(buf, sizeof(buf), "Password for %s: ",
+	    krb_unparse_name_long (myname, myinst, myrealm));
+    if (des_read_pw_string(admin_passwd, sizeof(admin_passwd)-1,
+			    buf, 0)) {
+      fprintf(stderr, "Error reading admin password.\n");
+      goto bad;
+    }
+    status = krb_get_pw_in_tkt(myname, myinst, myrealm, PWSERV_NAME, 
+			       KADM_SINST, ticket_life, admin_passwd);
+    memset(admin_passwd, 0, sizeof(admin_passwd));
+    
+    /* Initialize non shared random sequence from session key. */
+    memset(&c, 0, sizeof(c));
+    krb_get_cred(PWSERV_NAME, KADM_SINST, myrealm, &c);
+    des_init_random_number_generator(&c.session);
+  } else
+    status = KDC_PR_UNKNOWN;
+  
+  switch(status) {
+  case GT_PW_OK:
+    return(GOOD_PW);
+  case KDC_PR_UNKNOWN:
+    printf("Principal %s does not exist.\n",
+	   krb_unparse_name_long(myname, myinst, myrealm));
+    goto bad;
+  case GT_PW_BADPW:
+    printf("Incorrect admin password.\n");
+    goto bad;
+  default:
+    com_err("kadmin", status+krb_err_base,
+	    "while getting password tickets");
+    goto bad;
+  }
+  
+bad:
+  memset(admin_passwd, 0, sizeof(admin_passwd));
+  dest_tkt();
+  return(BAD_PW);
+}
+
+static void
+srvtab_put_key (int fd, char *filename, char *name, char *inst, char *realm,
+		int8_t kvno, des_cblock key)
+{
+  char sname[ANAME_SZ];		/* name of service */
+  char sinst[INST_SZ];		/* instance of service */
+  char srealm[REALM_SZ];	/* realm of service */
+  int8_t skvno;
+  des_cblock skey;
+
+  lseek(fd, 0, SEEK_SET);
+
+  while(getst(fd, sname,  SNAME_SZ) > 0 &&
+	getst(fd, sinst,  INST_SZ) > 0  &&
+	getst(fd, srealm, REALM_SZ) > 0 &&
+	read(fd, &skvno,  sizeof(skvno)) > 0 &&
+	read(fd, skey,    sizeof(skey)) > 0) {
+    if(strcmp(name,  sname)  == 0 &&
+       strcmp(inst,  sinst)  == 0 &&
+       strcmp(realm, srealm) == 0) {
+      lseek(fd, lseek(fd,0,SEEK_CUR)-(sizeof(skvno) + sizeof(skey)), SEEK_SET);
+      safe_write(filename, fd, &kvno, sizeof(kvno));
+      safe_write(filename, fd, key,   sizeof(des_cblock));
+      return;
+    }
+  }
+  safe_write(filename, fd, name,  strlen(name) + 1);
+  safe_write(filename, fd, inst,  strlen(inst) + 1);
+  safe_write(filename, fd, realm, strlen(realm) + 1);
+  safe_write(filename, fd, &kvno, sizeof(kvno));
+  safe_write(filename, fd, key,   sizeof(des_cblock));
+}
+
+/* 
+ * node list of services 
+ */
+
+struct srv_ent{
+  char name[SNAME_SZ];
+  char inst[INST_SZ];
+  char realm[REALM_SZ];
+  struct srv_ent *next;
+};
+
+static int
+key_to_key(const char *user,
+	   char *instance,
+	   const char *realm,
+	   const void *arg,
+	   des_cblock *key)
+{
+  memcpy(key, arg, sizeof(des_cblock));
+  return 0;
+}
+
+static void
+get_srvtab_ent(int unique_filename, int fd, char *filename, 
+	       char *name, char *inst, char *realm)
+{
+    char chname[128];
+    des_cblock newkey;
+    char old_tktfile[MaxPathLen], new_tktfile[MaxPathLen];
+    char garbage_name[ANAME_SZ];
+    char garbage_inst[ANAME_SZ];
+    CREDENTIALS c;
+    u_int8_t kvno;
+    Kadm_vals values;
+    int ret;
+
+    strlcpy(chname, krb_get_phost(inst), sizeof(chname));
+    if(strcmp(inst, chname))
+	fprintf(stderr, 
+		"Warning: Are you sure `%s' should not be `%s'?\n",
+		inst, chname);
+    
+    memset(&values, 0, sizeof(values));
+    strlcpy(values.name, name, sizeof(values.name));
+    strlcpy(values.instance, inst, sizeof(values.instance));
+    des_new_random_key(&newkey);
+    values.key_low = (newkey[0] << 24) | (newkey[1] << 16)
+	| (newkey[2] << 8) | (newkey[3] << 0);
+    values.key_high = (newkey[4] << 24) | (newkey[5] << 16)
+	| (newkey[6] << 8) | (newkey[7] << 0);
+
+    SET_FIELD(KADM_NAME,values.fields);
+    SET_FIELD(KADM_INST,values.fields);
+    SET_FIELD(KADM_DESKEY,values.fields);
+
+    ret = kadm_mod(&values, &values);
+    if(ret == KADM_NOENTRY)
+	ret = kadm_add(&values);
+    if (ret != KSUCCESS) {
+	warnx ("Couldn't get srvtab entry for %s.%s: %s",
+	       name, inst, error_message(ret));
+	return;
+    }
+  
+    values.key_low = values.key_high = 0;
+
+    /* get the key version number */
+    { 
+	int old = krb_use_admin_server(1);
+
+	strlcpy(old_tktfile, tkt_string(), sizeof(old_tktfile));
+	snprintf(new_tktfile, sizeof(new_tktfile), "%s_ksrvutil-get.%u",
+		 TKT_ROOT, (unsigned)getpid());
+	krb_set_tkt_string(new_tktfile);
+      
+	ret = krb_get_in_tkt(name, inst, realm, name, inst,
+			     1, key_to_key, NULL, &newkey);
+	krb_use_admin_server(old);
+ 	if (ret) {
+	    warnx ("getting tickets for %s: %s", 
+		   krb_unparse_name_long(name, inst, realm),
+		   krb_get_err_text(ret));
+	    return;
+  	}
+    }
+      
+    if (ret == KSUCCESS &&
+	(ret = tf_init(tkt_string(), R_TKT_FIL)) == KSUCCESS &&
+	(ret = tf_get_pname(garbage_name)) == KSUCCESS &&
+	(ret = tf_get_pinst(garbage_inst)) == KSUCCESS &&
+	(ret = tf_get_cred(&c)) == KSUCCESS)
+	kvno = c.kvno;
+    else {
+	warnx ("Could not find the cred in the ticket file: %s",
+	       krb_get_err_text(ret));
+	return;
+    }
+
+    tf_close();
+    krb_set_tkt_string(old_tktfile);
+    unlink(new_tktfile);
+    
+    if(ret != KSUCCESS) {
+	memset(&newkey, 0, sizeof(newkey));
+	warnx ("Could not get a ticket for %s: %s\n",
+	       krb_unparse_name_long(name, inst, realm),
+	       krb_get_err_text(ret));
+	return;
+    }
+
+    /* Write the new key & c:o to the srvtab file */
+
+    if(unique_filename){
+	char *fn;
+	asprintf(&fn, "%s-%s", filename, 
+		 krb_unparse_name_long(name, inst, realm));
+	if(fn == NULL){
+	    warnx("Out of memory");
+	    leave(NULL, 1);
+	}
+	fd = open(fn, O_RDWR | O_CREAT | O_TRUNC, 0600); /* XXX flags, mode? */
+	if(fd < 0){
+	    warn("%s", fn);
+	    leave(NULL, 1);
+	}
+	srvtab_put_key (fd, fn, name, inst, realm, kvno, newkey);
+	close(fd);
+	fprintf (stderr, "Created %s\n", fn);
+	free(fn);
+    }else{
+	srvtab_put_key (fd, filename, name, inst, realm, kvno, newkey);
+	fprintf (stderr, "Added %s\n", 
+		 krb_unparse_name_long (name, inst, realm));
+    }
+    memset(&newkey, 0, sizeof(newkey));
+}
+
+static void
+ksrvutil_kadm(int unique_filename, int fd, char *filename, struct srv_ent *p)
+{
+  int ret;
+  CREDENTIALS c;
+  
+  ret = kadm_init_link(PWSERV_NAME, KADM_SINST, u_realm);
+  if (ret != KADM_SUCCESS) {
+    warnx("Couldn't initialize kadmin link: %s", error_message(ret));
+    leave(NULL, 1);
+  }
+  
+  ret = krb_get_cred (PWSERV_NAME, KADM_SINST, u_realm, &c);
+  if (ret == KSUCCESS)
+    des_init_random_number_generator (&c.session);
+  else {
+    umask(077);
+       
+    /*
+     *  create ticket file and get admin tickets
+     */
+    snprintf(tktstring, sizeof(tktstring), "%s_ksrvutil_%d",
+	     TKT_ROOT, (int)getpid());
+    krb_set_tkt_string(tktstring);
+    destroyp = TRUE;
+       
+    ret = get_admin_password(u_name, u_inst, u_realm);
+    if (ret) {
+      warnx("Couldn't get admin password.");
+      leave(NULL, 1);
+    }
+  }  
+  for(;p;){
+    get_srvtab_ent(unique_filename, fd, filename, p->name, p->inst, p->realm);
+    p=p->next;
+  }
+  unlink(tktstring);
+}
+
+static void
+parseinput (char *result, size_t sz, char *val, char *def)
+{
+  char *lim;
+  int inq;
+
+  if (val[0] == '\0') {
+    strlcpy (result, def, sz);
+    return;
+  }
+  lim = result + sz - 1;
+  inq = 0;
+  while(*val && result < lim) {
+    switch(*val) {
+    case '\'' :
+      inq = !inq;
+      ++val;
+      break;
+    case '\\' :
+      if(!inq)
+	val++;
+    default:
+      *result++ = *val++;
+      break;
+    }
+  }
+  *result = '\0';
+}
+
+void
+ksrvutil_get(int unique_filename, int fd, char *filename, int argc, char **argv)
+{
+  char sname[ANAME_SZ];		/* name of service */
+  char sinst[INST_SZ];		/* instance of service */
+  char srealm[REALM_SZ];	/* realm of service */
+  char databuf[BUFSIZ];
+  char local_hostname[100];
+  char prompt[100];
+  struct srv_ent *head=NULL;
+  int i;
+
+  gethostname(local_hostname, sizeof(local_hostname));
+  strlcpy(local_hostname,
+		  krb_get_phost(local_hostname),
+		  sizeof(local_hostname));
+
+  if (argc)
+    for(i=0; i < argc; ++i) {
+      struct srv_ent *p=malloc(sizeof(*p));
+
+      if(p == NULL) {
+	warnx ("out of memory in malloc");
+	leave(NULL,1);
+      }
+      p->next = head;
+      strlcpy (p->realm, u_realm, sizeof(p->realm));
+      if (kname_parse (p->name, p->inst, p->realm, argv[i]) !=
+	  KSUCCESS) {
+	warnx ("parse error on '%s'\n", argv[i]);
+	free(p);
+	continue;
+      }
+      if (p->name[0] == '\0')
+	strlcpy(p->name, "rcmd", sizeof(p->name));
+      if (p->inst[0] == '\0')
+	strlcpy(p->inst, local_hostname, sizeof(p->inst));
+      if (p->realm[0] == '\0')
+	strlcpy(p->realm, u_realm, sizeof(p->realm));
+      head = p;
+    }
+
+  else
+    do{
+      safe_read_stdin("Name [rcmd]: ", databuf, sizeof(databuf));
+      parseinput (sname, sizeof(sname), databuf, "rcmd");
+    
+      snprintf(prompt, sizeof(prompt), "Instance [%s]: ", local_hostname);
+      safe_read_stdin(prompt, databuf, sizeof(databuf));
+      parseinput (sinst, sizeof(sinst), databuf, local_hostname);
+    
+      snprintf(prompt, sizeof(prompt), "Realm [%s]: ", u_realm);
+      safe_read_stdin(prompt, databuf, sizeof(databuf));
+      parseinput (srealm, sizeof(srealm), databuf, u_realm);
+
+      if(yn("Is this correct?")){
+	struct srv_ent *p=(struct srv_ent*)malloc(sizeof(struct srv_ent));
+	if (p == NULL) {
+	    warnx ("out of memory in malloc");
+	    leave(NULL,1);
+	}
+	p->next=head;
+	head=p;
+	strlcpy(p->name, sname, sizeof(p->name));
+	strlcpy(p->inst, sinst, sizeof(p->inst));
+	strlcpy(p->realm, srealm, sizeof(p->realm));
+      }
+    }while(ny("Add more keys?"));
+  
+  
+  ksrvutil_kadm(unique_filename, fd, filename, head);
+
+  {
+    struct srv_ent *p=head, *q;
+    while(p){
+      q=p;
+      p=p->next;
+      free(q);
+    }
+  }
+
+}
diff --git a/crypto/kerberosIV/kadmin/new_pwd.c b/crypto/kerberosIV/kadmin/new_pwd.c
new file mode 100644
index 0000000..cfeb095
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/new_pwd.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kadm_locl.h"
+
+RCSID("$Id: new_pwd.c,v 1.14 1999/12/02 16:58:36 joda Exp $");
+
+#ifdef NOENCRYPTION
+#define read_long_pw_string placebo_read_pw_string
+#else
+#define read_long_pw_string des_read_pw_string
+#endif
+
+static char *
+check_pw (char *pword)
+{
+    int ret = kadm_check_pw(pword);
+    switch(ret) {
+    case 0:
+	return NULL;
+    case KADM_PASS_Q_NULL:
+	return "Null passwords are not allowed - "
+	    "Please enter a longer password.";
+    case KADM_PASS_Q_TOOSHORT:
+	return "Password is to short - Please enter a longer password.";
+    case KADM_PASS_Q_CLASS:
+	/* XXX */
+	return "Please don't use an all-lower case password.\n"
+	    "\tUnusual capitalization, delimiter characters or "
+	    "digits are suggested.";
+    }
+    return "Password is insecure"; /* XXX this shouldn't happen */
+}
+
+int
+get_pw_new_pwd(char *pword, int pwlen, krb_principal *pr, int print_realm)
+{
+    char ppromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */
+    char npromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */
+    
+    char p[MAX_K_NAME_SZ];
+    
+    char local_realm[REALM_SZ];
+    int status;
+    char *expl;
+    
+    /*
+     * We don't care about failure; this is to determine whether or
+     * not to print the realm in the prompt for a new password. 
+     */
+    krb_get_lrealm(local_realm, 1);
+    
+    if (strcmp(local_realm, pr->realm))
+	print_realm++;
+    
+    {
+	char *q;
+	krb_unparse_name_r(pr, p);
+	if(print_realm == 0 && (q = strrchr(p, '@')))
+	    *q = 0;
+    }
+
+    snprintf(ppromp, sizeof(ppromp), "Old password for %s:", p);
+    if (read_long_pw_string(pword, pwlen-1, ppromp, 0)) {
+	fprintf(stderr, "Error reading old password.\n");
+	return -1;
+    }
+
+    status = krb_get_pw_in_tkt(pr->name, pr->instance, pr->realm, 
+			       PWSERV_NAME, KADM_SINST, 1, pword);
+    if (status != KSUCCESS) {
+	if (status == INTK_BADPW) {
+	    printf("Incorrect old password.\n");
+	    return -1;
+	}
+	else {
+	    fprintf(stderr, "Kerberos error: %s\n", krb_get_err_text(status));
+	    return -1;
+	}
+    }
+    memset(pword, 0, pwlen);
+    
+    do {
+	char verify[MAX_KPW_LEN];
+
+	snprintf(npromp, sizeof(npromp), "New Password for %s:",p);
+	if (read_long_pw_string(pword, pwlen-1, npromp, 0)) {
+	    fprintf(stderr,
+		    "Error reading new password, password unchanged.\n");
+	    return -1;
+        }
+	expl = check_pw (pword);
+	if (expl) {
+	    printf("\n\t%s\n\n", expl);
+	    continue;
+	}
+	/* Now we got an ok password, verify it. */
+	snprintf(npromp, sizeof(npromp), "Verifying New Password for %s:", p);
+	if (read_long_pw_string(verify, MAX_KPW_LEN-1, npromp, 0)) {
+	    fprintf(stderr,
+		    "Error reading new password, password unchanged.\n");
+	    return -1;
+        }
+	if (strcmp(pword, verify) != 0) {
+	    printf("Verify failure - try again\n");
+	    expl = "";		/* continue */
+	}
+    } while (expl);
+    return 0;
+}
diff --git a/crypto/kerberosIV/kadmin/pw_check.c b/crypto/kerberosIV/kadmin/pw_check.c
new file mode 100644
index 0000000..448ad37
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/pw_check.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kadm_locl.h"
+
+RCSID("$Id: pw_check.c,v 1.14 1999/12/02 16:58:36 joda Exp $");
+
+/*
+ * kadm_pw_check
+ *
+ * pw		: new password or "" if none passed
+ * newkey	: key for pw as passed from client
+ * strings	: interesting strings to check for
+ *
+ * returns NULL if pw is ok, else an explanatory string
+ */
+int
+kadm_pw_check(char *pw, des_cblock *newkey, char **pw_msg, 
+	      char **strings)
+{
+  des_cblock pwkey;
+  int status=KADM_SUCCESS;
+  
+  if (pw == NULL || *pw == '\0')
+    return status;		/* XXX - Change this later */
+
+#ifndef NO_PW_CHECK
+  *pw_msg = NULL;
+  des_string_to_key(pw, &pwkey); /* Check AFS string to key also! */
+  if (memcmp(pwkey, *newkey, sizeof(pwkey)) != 0)
+    {
+      /* no password or bad key */
+      status=KADM_PW_MISMATCH;
+      *pw_msg = "Password doesn't match supplied DES key";
+    }
+  else if (strlen(pw) < MIN_KPW_LEN)
+    {
+      status = KADM_INSECURE_PW;
+      *pw_msg="Password is too short";
+    }
+  
+#ifdef DICTPATH
+  *pw_msg = FascistCheck(pw, DICTPATH, strings);
+  if (*pw_msg)
+    return KADM_INSECURE_PW;
+#endif
+
+  memset(pwkey, 0, sizeof(pwkey));
+#endif
+
+  return status;
+}
diff --git a/crypto/kerberosIV/kadmin/pw_check.h b/crypto/kerberosIV/kadmin/pw_check.h
new file mode 100644
index 0000000..8b717f8
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/pw_check.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * $Id: pw_check.h,v 1.7 1999/12/02 16:58:36 joda Exp $ 
+ */
+
+int kadm_pw_check(char *pw, des_cblock *newkey, 
+		  char **pw_msg, char **strings);
+
diff --git a/crypto/kerberosIV/kadmin/random_password.c b/crypto/kerberosIV/kadmin/random_password.c
new file mode 100644
index 0000000..ec8309e
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/random_password.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm_locl.h"
+
+RCSID("$Id: random_password.c,v 1.4 1999/12/02 16:58:36 joda Exp $");
+
+/* This file defines some a function that generates a random password,
+   that can be used when creating a large amount of principals (such
+   as for a batch of students). Since this is a political matter, you
+   should think about how secure generated passwords has to be.
+   
+   Both methods defined here will give you at least 55 bits of
+   entropy.
+   */
+
+/* If you want OTP-style passwords, define OTP_STYLE */
+
+#ifdef OTP_STYLE
+#include <otp.h>
+#else
+static void generate_password(char **pw, int num_classes, ...);
+#endif
+
+void
+random_password(char *pw, size_t len, u_int32_t *low, u_int32_t *high)
+{
+    des_cblock newkey;
+#ifdef OTP_STYLE
+    des_new_random_key(&newkey);
+    otp_print_stddict (newkey, pw, len);
+    strlwr(pw);
+#else
+    char *pass;
+    generate_password(&pass, 3, 
+		      "abcdefghijklmnopqrstuvwxyz", 7, 
+		      "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 2, 
+		      "@$%&*()-+=:,/<>1234567890", 1);
+    strlcpy(pw, pass, len);
+    memset(pass, 0, strlen(pass));
+    free(pass);
+#endif
+    des_string_to_key(pw, &newkey);
+    memcpy(low, newkey, 4);
+    memcpy(high, ((char *)newkey) + 4, 4);
+    memset(newkey, 0, sizeof(newkey));
+
+    *low = htonl(*low);
+    *high = htonl(*high);
+}
+
+/* some helper functions */
+
+#ifndef OTP_STYLE
+/* return a random value in range 0-127 */
+static int
+RND(des_cblock *key, int *left)
+{
+    if(*left == 0){
+	des_new_random_key(key);
+	*left = 8;
+    }
+    (*left)--;
+    return ((unsigned char*)key)[*left];
+}
+
+/* This a helper function that generates a random password with a
+   number of characters from a set of character classes.
+
+   If there are n classes, and the size of each class is Pi, and the
+   number of characters from each class is Ni, the number of possible
+   passwords are (given that the character classes are disjoint):
+
+     n             n
+   -----        /  ----  \
+   |   |  Ni    |  \     |
+   |   | Pi     |   \  Ni| !
+   |   | ---- * |   /    |
+   |   | Ni!    |  /___  |
+    i=1          \  i=1  /
+   
+    Since it uses the RND function above, neither the size of each
+    class, nor the total length of the generated password should be
+    larger than 127 (without fixing RND).
+   
+   */
+static void
+generate_password(char **pw, int num_classes, ...)
+{
+    struct {
+	const char *str;
+	int len;
+	int freq;
+    } *classes;
+    va_list ap;
+    int len, i;
+    des_cblock rbuf; /* random buffer */
+    int rleft = 0;
+
+    classes = malloc(num_classes * sizeof(*classes));
+    va_start(ap, num_classes);
+    len = 0;
+    for(i = 0; i < num_classes; i++){
+	classes[i].str = va_arg(ap, const char*);
+	classes[i].len = strlen(classes[i].str);
+	classes[i].freq = va_arg(ap, int);
+	len += classes[i].freq;
+    }
+    va_end(ap);
+    *pw = malloc(len + 1);
+    if(*pw == NULL)
+	return;
+    for(i = 0; i < len; i++) {
+	int j;
+	int x = RND(&rbuf, &rleft) % (len - i);
+	int t = 0;
+	for(j = 0; j < num_classes; j++) {
+	    if(x < t + classes[j].freq) {
+		(*pw)[i] = classes[j].str[RND(&rbuf, &rleft) % classes[j].len];
+		classes[j].freq--;
+		break;
+	    }
+	    t += classes[j].freq;
+	}
+    }
+    (*pw)[len] = '\0';
+    memset(rbuf, 0, sizeof(rbuf));
+    free(classes);
+}
+#endif
diff --git a/crypto/kerberosIV/kuser/Makefile.in b/crypto/kerberosIV/kuser/Makefile.in
new file mode 100644
index 0000000..9047bdd
--- /dev/null
+++ b/crypto/kerberosIV/kuser/Makefile.in
@@ -0,0 +1,90 @@
+# $Id: Makefile.in,v 1.30 1999/03/10 19:01:14 joda Exp $
+
+SHELL	= /bin/sh
+
+srcdir	= @srcdir@
+VPATH	= @srcdir@
+
+top_builddir	= ..
+
+CC		= @CC@
+LINK		= @LINK@
+AR		= ar
+RANLIB		= @RANLIB@
+DEFS		= @DEFS@
+CFLAGS		= @CFLAGS@ $(WFLAGS)
+WFLAGS		= @WFLAGS@
+LD_FLAGS	= @LD_FLAGS@
+INSTALL		= @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+LIBS		= @LIBS@
+KRB_KAFS_LIB	= @KRB_KAFS_LIB@
+MKINSTALLDIRS	= @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+libdir = @libdir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+PROGS = kinit$(EXECSUFFIX) \
+	kdestroy$(EXECSUFFIX) \
+	klist$(EXECSUFFIX)
+
+SOURCES = kinit.c kdestroy.c klist.c
+
+OBJECTS = kinit.o kdestroy.o klist.o
+
+all: $(PROGS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(bindir)
+	for x in $(PROGS); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROGS); do \
+	  rm -f $(DESTDIR)$(bindir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f *.a *.o $(PROGS)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+KLIB=-L../lib/krb -lkrb -L../lib/des -ldes
+LIBROKEN=-L../lib/roken -lroken
+
+kinit$(EXECSUFFIX): kinit.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kinit.o $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+kdestroy$(EXECSUFFIX): kdestroy.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kdestroy.o $(KRB_KAFS_LIB) $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+klist$(EXECSUFFIX): klist.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ klist.o $(KRB_KAFS_LIB) $(KLIB) $(LIBROKEN) $(LIBS) $(LIBROKEN)
+
+# su move to appl/bsd
+
+$(OBJECTS): ../include/config.h
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/kuser/kdestroy.c b/crypto/kerberosIV/kuser/kdestroy.c
new file mode 100644
index 0000000..93e3a66
--- /dev/null
+++ b/crypto/kerberosIV/kuser/kdestroy.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kuser_locl.h"
+#include <kafs.h>
+#include <getarg.h>
+
+RCSID("$Id: kdestroy.c,v 1.17 1999/12/02 16:58:36 joda Exp $");
+
+#ifdef LEGACY_KDESTROY
+int ticket_flag = 1;
+int unlog_flag  = 0;
+#else
+int ticket_flag = -1;
+int unlog_flag  = -1;
+#endif
+int quiet_flag;
+int help_flag;
+int version_flag;
+
+struct getargs args[] = {
+    { "quiet", 		'q',	arg_flag, 	&quiet_flag, 
+      "don't print any messages" },
+    { NULL, 		'f',	arg_flag, 	&quiet_flag },
+    { "tickets",	't',	arg_flag,       &ticket_flag,
+    "destroy tickets" },
+    { "unlog",          'u',    arg_flag,       &unlog_flag,
+      "destroy AFS tokens" },
+    { "version", 	0,	arg_flag,	&version_flag },
+    { "help",		'h',	arg_flag,	&help_flag }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    int ret = RET_TKFIL;
+
+    set_progname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+
+    if(help_flag)
+	usage(0);
+
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if (unlog_flag == -1 && ticket_flag == -1)
+        unlog_flag = ticket_flag = 1;
+
+    if (ticket_flag)
+        ret = dest_tkt();
+
+    if (unlog_flag && k_hasafs())
+	k_unlog();
+
+    if (!quiet_flag) {
+	if (ret == KSUCCESS)
+	    printf("Tickets destroyed.\n");
+	else if (ret == RET_TKFIL)
+	    printf("No tickets to destroy.\n");
+	else {
+	    printf("Tickets NOT destroyed.\n");
+	}
+    }
+
+    if (ret == KSUCCESS || ret == RET_TKFIL)
+	return 0;
+    else
+	return 1;
+}
diff --git a/crypto/kerberosIV/kuser/kinit.c b/crypto/kerberosIV/kuser/kinit.c
new file mode 100644
index 0000000..96c0e4f
--- /dev/null
+++ b/crypto/kerberosIV/kuser/kinit.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology. 
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>. 
+ *
+ * Routine to initialize user to Kerberos.  Prompts optionally for
+ * user, instance and realm.  Authenticates user and gets a ticket
+ * for the Kerberos ticket-granting service for future use. 
+ *
+ * Options are: 
+ *
+ *   -i[instance]
+ *   -r[realm]
+ *   -v[erbose]
+ *   -l[ifetime]
+ *   -p
+ *
+ * $FreeBSD$
+ */
+
+#include "kuser_locl.h"
+
+RCSID("$Id: kinit.c,v 1.17 1997/12/12 04:48:44 assar Exp $");
+
+#define	LIFE	DEFAULT_TKT_LIFE /* lifetime of ticket in 5-minute units */
+#define CHPASSLIFE 2
+
+static void
+get_input(char *s, int size, FILE *stream)
+{
+    char *p;
+
+    if (fgets(s, size, stream) == NULL)
+	exit(1);
+    if ( (p = strchr(s, '\n')) != NULL)
+	*p = '\0';
+}
+
+
+static void
+usage(void)
+{
+    fprintf(stderr, "Usage: %s [-irvlp] [name]\n", __progname);
+    exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+    char    aname[ANAME_SZ];
+    char    inst[INST_SZ];
+    char    realm[REALM_SZ];
+    char    buf[MaxHostNameLen];
+    char    name[MAX_K_NAME_SZ];
+    char   *username = NULL;
+    int     iflag, rflag, vflag, lflag, pflag, lifetime, k_errno;
+    int	    i;
+
+    set_progname (argv[0]);
+
+    *inst = *realm = '\0';
+    iflag = rflag = vflag = lflag = pflag = 0;
+    lifetime = LIFE;
+
+    while (--argc) {
+	if ((*++argv)[0] != '-') {
+	    if (username)
+		usage();
+	    username = *argv;
+	    continue;
+	}
+	for (i = 1; (*argv)[i] != '\0'; i++)
+	    switch ((*argv)[i]) {
+	    case 'i':		/* Instance */
+		++iflag;
+		continue;
+	    case 'r':		/* Realm */
+		++rflag;
+		continue;
+	    case 'v':		/* Verbose */
+		++vflag;
+		continue;
+	    case 'l':
+		++lflag;
+		continue;
+	    case 'p':
+		++pflag;	/* chpass-tickets */
+		lifetime = CHPASSLIFE;
+		break;
+	    default:
+		usage();
+	    }
+    }
+    if (username &&
+	(k_errno = kname_parse(aname, inst, realm, username)) != KSUCCESS) {
+	warnx("%s", krb_get_err_text(k_errno));
+	iflag = rflag = 1;
+	username = NULL;
+    }
+    if (gethostname(buf, MaxHostNameLen)) 
+	err(1, "gethostname failed");
+    printf("%s (%s)\n", ORGANIZATION, buf);
+    if (username) {
+	printf("Kerberos Initialization for \"%s", aname);
+	if (*inst)
+	    printf(".%s", inst);
+	if (*realm)
+	    printf("@%s", realm);
+	printf("\"\n");
+    } else {
+	printf("Kerberos Initialization\n");
+	printf("Kerberos name: ");
+	get_input(name, sizeof(name), stdin);
+	if (!*name)
+	    return 0;
+	if ((k_errno = kname_parse(aname, inst, realm, name)) != KSUCCESS )
+	    errx(1, "%s", krb_get_err_text(k_errno));
+    }
+    /* optional instance */
+    if (iflag) {
+	printf("Kerberos instance: ");
+	get_input(inst, sizeof(inst), stdin);
+	if (!k_isinst(inst))
+	    errx(1, "bad Kerberos instance format");
+    }
+    if (rflag) {
+	printf("Kerberos realm: ");
+	get_input(realm, sizeof(realm), stdin);
+	if (!k_isrealm(realm))
+	    errx(1, "bad Kerberos realm format");
+    }
+    if (lflag) {
+	 printf("Kerberos ticket lifetime (minutes): ");
+	 get_input(buf, sizeof(buf), stdin);
+	 lifetime = atoi(buf);
+	 if (lifetime < 5)
+	      lifetime = 1;
+	 else
+	      lifetime = krb_time_to_life(0, lifetime*60);
+	 /* This should be changed if the maximum ticket lifetime */
+	 /* changes */
+	 if (lifetime > 255)
+	      lifetime = 255;
+    }
+    if (!*realm && krb_get_lrealm(realm, 1))
+	errx(1, "krb_get_lrealm failed");
+    k_errno = krb_get_pw_in_tkt(aname, inst, realm,
+				pflag ? PWSERV_NAME : 
+				KRB_TICKET_GRANTING_TICKET,
+				pflag ? KADM_SINST  : realm,
+				lifetime, 0);
+    if (vflag) {
+	printf("Kerberos realm %s:\n", realm);
+	printf("%s\n", krb_get_err_text(k_errno));
+    } else if (k_errno)
+	errx(1, "%s", krb_get_err_text(k_errno));
+    exit(0);
+}
diff --git a/crypto/kerberosIV/kuser/klist.c b/crypto/kerberosIV/kuser/klist.c
new file mode 100644
index 0000000..591ebd0
--- /dev/null
+++ b/crypto/kerberosIV/kuser/klist.c
@@ -0,0 +1,395 @@
+/*
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology. 
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>. 
+ *
+ * Lists your current Kerberos tickets.
+ * Written by Bill Sommerfeld, MIT Project Athena.
+ */
+
+#include "kuser_locl.h"
+
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+
+#ifdef HAVE_SYS_IOCCOM_H
+#include <sys/ioccom.h>
+#endif
+
+#include <kafs.h>
+
+#include <parse_time.h>
+
+RCSID("$Id: klist.c,v 1.44.2.3 2000/10/18 20:38:29 assar Exp $");
+
+static int option_verbose = 0;
+
+static char *
+short_date(int32_t dp)
+{
+    char *cp;
+    time_t t = (time_t)dp;
+
+    if (t == (time_t)(-1L)) return "***  Never  *** ";
+    cp = ctime(&t) + 4;
+    cp[15] = '\0';
+    return (cp);
+}
+
+/* prints the approximate kdc time differential as something human
+   readable */
+
+static void
+print_time_diff(void)
+{
+    int d = abs(krb_get_kdc_time_diff());
+    char buf[80];
+
+    if ((option_verbose && d > 0) || d > 60) {
+	unparse_time_approx (d, buf, sizeof(buf));
+	printf ("Time diff:\t%s\n", buf);
+    }
+}
+
+static
+int
+display_tktfile(char *file, int tgt_test, int long_form)
+{
+    krb_principal pr;
+    char    buf1[20], buf2[20];
+    int     k_errno;
+    CREDENTIALS c;
+    int     header = 1;
+
+    if ((file == NULL) && ((file = getenv("KRBTKFILE")) == NULL))
+	file = TKT_FILE;
+
+    if (long_form)
+	printf("Ticket file:	%s\n", file);
+
+    /* 
+     * Since krb_get_tf_realm will return a ticket_file error, 
+     * we will call tf_init and tf_close first to filter out
+     * things like no ticket file.  Otherwise, the error that 
+     * the user would see would be 
+     * klist: can't find realm of ticket file: No ticket file (tf_util)
+     * instead of
+     * klist: No ticket file (tf_util)
+     */
+
+    /* Open ticket file */
+    if ((k_errno = tf_init(file, R_TKT_FIL))) {
+	if (!tgt_test)
+	    warnx("%s", krb_get_err_text(k_errno));
+	return 1;
+    }
+    /* Close ticket file */
+    tf_close();
+
+    /* 
+     * We must find the realm of the ticket file here before calling
+     * tf_init because since the realm of the ticket file is not
+     * really stored in the principal section of the file, the
+     * routine we use must itself call tf_init and tf_close.
+     */
+    if ((k_errno = krb_get_tf_realm(file, pr.realm)) != KSUCCESS) {
+	if (!tgt_test)
+	    warnx("can't find realm of ticket file: %s", 
+		  krb_get_err_text(k_errno));
+	return 1;
+    }
+
+    /* Open ticket file */
+    if ((k_errno = tf_init(file, R_TKT_FIL))) {
+	if (!tgt_test)
+	    warnx("%s", krb_get_err_text(k_errno));
+	return 1;
+    }
+    /* Get principal name and instance */
+    if ((k_errno = tf_get_pname(pr.name)) ||
+	(k_errno = tf_get_pinst(pr.instance))) {
+	if (!tgt_test)
+	    warnx("%s", krb_get_err_text(k_errno));
+	return 1;
+    }
+
+    /* 
+     * You may think that this is the obvious place to get the
+     * realm of the ticket file, but it can't be done here as the
+     * routine to do this must open the ticket file.  This is why 
+     * it was done before tf_init.
+     */
+       
+    if (!tgt_test && long_form) {
+	printf("Principal:\t%s\n", krb_unparse_name(&pr));
+	print_time_diff();
+	printf("\n");
+    }
+    while ((k_errno = tf_get_cred(&c)) == KSUCCESS) {
+	if (!tgt_test && long_form && header) {
+	    printf("%-15s  %-15s  %s%s\n",
+		   "  Issued", "  Expires", "  Principal", 
+		   option_verbose ? " (kvno)" : "");
+	    header = 0;
+	}
+	if (tgt_test) {
+	    c.issue_date = krb_life_to_time(c.issue_date, c.lifetime);
+	    if (!strcmp(c.service, KRB_TICKET_GRANTING_TICKET) &&
+		!strcmp(c.instance, pr.realm)) {
+		if (time(0) < c.issue_date)
+		    return 0;		/* tgt hasn't expired */
+		else
+		    return 1;		/* has expired */
+	    }
+	    continue;			/* not a tgt */
+	}
+	if (long_form) {
+	    struct timeval tv;
+	    strlcpy(buf1,
+		    short_date(c.issue_date),
+		    sizeof(buf1));
+	    c.issue_date = krb_life_to_time(c.issue_date, c.lifetime);
+	    krb_kdctimeofday(&tv);
+	    if (option_verbose || tv.tv_sec < (unsigned long) c.issue_date)
+	        strlcpy(buf2,
+			short_date(c.issue_date),
+			sizeof(buf2));
+	    else
+	        strlcpy(buf2,
+			">>> Expired <<<",
+			sizeof(buf2));
+	    printf("%s  %s  ", buf1, buf2);
+	}
+	printf("%s", krb_unparse_name_long(c.service, c.instance, c.realm));
+	if(long_form && option_verbose)
+	    printf(" (%d)", c.kvno);
+	printf("\n");
+    }
+    if (tgt_test)
+	return 1;			/* no tgt found */
+    if (header && long_form && k_errno == EOF) {
+	printf("No tickets in file.\n");
+    }
+    tf_close();
+ 
+    if (long_form && krb_get_config_bool("nat_in_use")) {
+	char realm[REALM_SZ];
+	struct in_addr addr;
+ 
+	printf("-----\nNAT addresses\n");
+ 
+	/* Open ticket file (again) */
+	if ((k_errno = tf_init(file, R_TKT_FIL))) {
+	    if (!tgt_test)
+		warnx("%s", krb_get_err_text(k_errno));
+	    return 1;
+	}
+ 
+	/* Get principal name and instance */
+	if ((k_errno = tf_get_pname(pr.name)) ||
+	    (k_errno = tf_get_pinst(pr.instance))) {
+	    if (!tgt_test)
+		warnx("%s", krb_get_err_text(k_errno));
+	    return 1;
+	}
+ 
+	while ((k_errno = tf_get_cred_addr(realm, sizeof(realm),
+					   &addr)) == KSUCCESS) {
+	    printf("%s: %s\n", realm, inet_ntoa(addr));
+	}
+	tf_close();
+    }
+ 
+    return 0;
+}
+
+/* adapted from getst() in librkb */
+/*
+ * ok_getst() takes a file descriptor, a string and a count.  It reads
+ * from the file until either it has read "count" characters, or until
+ * it reads a null byte.  When finished, what has been read exists in
+ * the given string "s".  If "count" characters were actually read, the
+ * last is changed to a null, so the returned string is always null-
+ * terminated.  ok_getst() returns the number of characters read, including
+ * the null terminator.
+ *
+ * If there is a read error, it returns -1 (like the read(2) system call)
+ */
+
+static int
+ok_getst(int fd, char *s, int n)
+{
+    int count = n;
+    int err;
+    while ((err = read(fd, s, 1)) > 0 && --count)
+        if (*s++ == '\0')
+            return (n - count);
+    if (err < 0)
+	return(-1);
+    *s = '\0';
+    return (n - count);
+}
+
+static void
+display_tokens(void)
+{
+    u_int32_t i;
+    unsigned char t[128];
+    struct ViceIoctl parms;
+
+    parms.in = (void *)&i;
+    parms.in_size = sizeof(i);
+    parms.out = (void *)t;
+    parms.out_size = sizeof(t);
+
+    for (i = 0; k_pioctl(NULL, VIOCGETTOK, &parms, 0) == 0; i++) {
+        int32_t size_secret_tok, size_public_tok;
+        const char *cell;
+	struct ClearToken ct;
+	const unsigned char *r = t;
+	struct timeval tv;
+	char buf1[20], buf2[20];
+
+	memcpy(&size_secret_tok, r, sizeof(size_secret_tok));
+	/* dont bother about the secret token */
+	r += size_secret_tok + sizeof(size_secret_tok);
+	memcpy(&size_public_tok, r, sizeof(size_public_tok));
+	r += sizeof(size_public_tok);
+	memcpy(&ct, r, size_public_tok);
+	r += size_public_tok;
+	/* there is a int32_t with length of cellname, but we dont read it */
+	r += sizeof(int32_t);
+	cell = (const char *)r;
+
+	krb_kdctimeofday (&tv);
+	strlcpy (buf1, short_date(ct.BeginTimestamp), sizeof(buf1));
+	if (option_verbose || tv.tv_sec < ct.EndTimestamp)
+	    strlcpy (buf2, short_date(ct.EndTimestamp), sizeof(buf2));
+	else
+	    strlcpy (buf2, ">>> Expired <<<", sizeof(buf2));
+
+	printf("%s  %s  ", buf1, buf2);
+
+	if ((ct.EndTimestamp - ct.BeginTimestamp) & 1)
+	  printf("User's (AFS ID %d) tokens for %s", ct.ViceId, cell);
+	else
+	  printf("Tokens for %s", cell);
+	if (option_verbose)
+	    printf(" (%d)", ct.AuthHandle);
+	putchar('\n');
+    }
+}
+
+static void
+display_srvtab(char *file)
+{
+    int stab;
+    char serv[SNAME_SZ];
+    char inst[INST_SZ];
+    char rlm[REALM_SZ];
+    unsigned char key[8];
+    unsigned char vno;
+    int count;
+
+    printf("Server key file:   %s\n", file);
+	
+    if ((stab = open(file, O_RDONLY, 0400)) < 0) {
+	perror(file);
+	exit(1);
+    }
+    printf("%-15s %-15s %-10s %s\n","Service","Instance","Realm",
+	   "Key Version");
+    printf("------------------------------------------------------\n");
+
+    /* argh. getst doesn't return error codes, it silently fails */
+    while (((count = ok_getst(stab, serv, SNAME_SZ)) > 0)
+	   && ((count = ok_getst(stab, inst, INST_SZ)) > 0)
+	   && ((count = ok_getst(stab, rlm, REALM_SZ)) > 0)) {
+	if (((count = read(stab,  &vno,1)) != 1) ||
+	     ((count = read(stab, key,8)) != 8)) {
+	    if (count < 0)
+		err(1, "reading from key file");
+	    else
+		errx(1, "key file truncated");
+	}
+	printf("%-15s %-15s %-15s %d\n",serv,inst,rlm,vno);
+    }
+    if (count < 0)
+	warn("%s", file);
+    close(stab);
+}
+
+static void
+usage(void)
+{
+    fprintf(stderr,
+	    "Usage: %s [ -v | -s | -t ] [ -f filename ] [-tokens] [-srvtab ]\n",
+	    __progname);
+    exit(1);
+}
+
+/* ARGSUSED */
+int
+main(int argc, char **argv)
+{
+    int     long_form = 1;
+    int     tgt_test = 0;
+    int     do_srvtab = 0;
+    int     do_tokens = 0;
+    char   *tkt_file = NULL;
+    int     eval;
+
+    set_progname(argv[0]);
+
+    while (*(++argv)) {
+	if (!strcmp(*argv, "-v")) {
+	    option_verbose = 1;
+	    continue;
+	}
+	if (!strcmp(*argv, "-s")) {
+	    long_form = 0;
+	    continue;
+	}
+	if (!strcmp(*argv, "-t")) {
+	    tgt_test = 1;
+	    long_form = 0;
+	    continue;
+	}
+	if (strcmp(*argv, "-tokens") == 0
+	    || strcmp(*argv, "-T") == 0) {
+	    do_tokens = k_hasafs();
+	    continue;
+	}
+	if (!strcmp(*argv, "-l")) {	/* now default */
+	    continue;
+	}
+	if (!strncmp(*argv, "-f", 2)) {
+	    if (*(++argv)) {
+		tkt_file = *argv;
+		continue;
+	    } else
+		usage();
+	}
+	if (!strcmp(*argv, "-srvtab")) {
+		if (tkt_file == NULL)	/* if no other file spec'ed,
+					   set file to default srvtab */
+		    tkt_file = (char *)KEYFILE;
+		do_srvtab = 1;
+		continue;
+	}
+	usage();
+    }
+
+    eval = 0;
+    if (do_srvtab)
+	display_srvtab(tkt_file);
+    else
+	eval = display_tktfile(tkt_file, tgt_test, long_form);
+    if (long_form && do_tokens){
+	printf("\nAFS tokens:\n");
+	display_tokens();
+    }
+    exit(eval);
+}
diff --git a/crypto/kerberosIV/kuser/kuser_locl.h b/crypto/kerberosIV/kuser/kuser_locl.h
new file mode 100644
index 0000000..970ad6b
--- /dev/null
+++ b/crypto/kerberosIV/kuser/kuser_locl.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kuser_locl.h,v 1.11 1999/12/02 16:58:37 joda Exp $ */
+
+#include "config.h"
+#include "protos.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <time.h>
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include <roken.h>
+
+#include <err.h>
+
+#include <krb.h>
+#include <krb_db.h>
+#include <kadm.h>
+#include <prot.h>
diff --git a/crypto/kerberosIV/lib/Makefile.in b/crypto/kerberosIV/lib/Makefile.in
new file mode 100644
index 0000000..44a8918
--- /dev/null
+++ b/crypto/kerberosIV/lib/Makefile.in
@@ -0,0 +1,48 @@
+#
+# $Id: Makefile.in,v 1.27 1998/04/05 10:27:59 assar Exp $
+#
+
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+@SET_MAKE@
+
+SUBDIRS		= roken com_err des krb kdb kadm acl kafs auth editline sl @LIB_SUBDIRS@
+
+all:
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) all); done
+
+Wall:
+		make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+install:
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) install); done
+
+uninstall:
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) uninstall); done
+
+check:		all
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) check); done
+
+clean:
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) clean); done
+
+mostlyclean:	clean
+
+distclean:
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) distclean); done
+		rm -f Makefile config.status *~
+
+realclean:
+		for i in $(SUBDIRS); \
+		do (cd $$i && $(MAKE) $(MFLAGS) realclean); done
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/lib/acl/Makefile.in b/crypto/kerberosIV/lib/acl/Makefile.in
new file mode 100644
index 0000000..96d7424
--- /dev/null
+++ b/crypto/kerberosIV/lib/acl/Makefile.in
@@ -0,0 +1,86 @@
+#
+# $Id: Makefile.in,v 1.29.4.1 2000/06/23 03:20:00 assar Exp $
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+LN_S = @LN_S@
+RANLIB = @RANLIB@
+DEFS = @DEFS@ -DROKEN_RENAME
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+
+PICFLAGS = # @PICFLAGS@
+
+LIBNAME = $(LIBPREFIX)acl
+#LIBEXT = @LIBEXT@ Always build archive library!
+LIBEXT = a
+LIBPREFIX = @LIBPREFIX@
+SHLIBEXT = @SHLIBEXT@
+LDSHARED = @LDSHARED@
+LIB = $(LIBNAME).$(LIBEXT)
+
+SOURCES = acl_files.c
+
+OBJECTS = acl_files.o
+
+all: $(LIB)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../include -I$(srcdir) -I. $(CFLAGS) $(PICFLAGS) $(CPPFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libdir)
+	$(INSTALL_DATA) $(LIB) $(DESTDIR)$(libdir)/$(LIB)
+
+uninstall:
+	rm -f $(DESTDIR)$(libdir)/$(LIB)
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f $(LIB) *.o *.a
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~ roken_rename.h
+
+realclean: distclean
+	rm -f TAGS
+
+$(LIBNAME).a: $(OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS)
+	-$(RANLIB) $@
+
+$(LIBNAME).$(SHLIBEXT): $(OBJECTS)
+	rm -f $@
+	$(LDSHARED) -o $@ $(OBJECTS)
+
+$(OBJECTS): ../../include/config.h roken_rename.h
+
+roken_rename.h:
+	$(LN_S) $(srcdir)/../krb/roken_rename.h .
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/lib/acl/acl.h b/crypto/kerberosIV/lib/acl/acl.h
new file mode 100644
index 0000000..a92bbdd
--- /dev/null
+++ b/crypto/kerberosIV/lib/acl/acl.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: acl.h,v 1.7 1999/12/02 16:58:37 joda Exp $ */
+
+#ifndef __ACL_H
+#define __ACL_H
+
+void acl_canonicalize_principal __P((char *principal, char *canon));
+int acl_initialize __P((char *acl_file, int perm));
+int acl_exact_match __P((char *acl, char *principal));
+int acl_check __P((char *acl, char *principal));
+int acl_add __P((char *acl, char *principal));
+int acl_delete __P((char *acl, char *principal));
+
+#endif /* __ACL_H */
diff --git a/crypto/kerberosIV/lib/acl/acl_files.c b/crypto/kerberosIV/lib/acl/acl_files.c
new file mode 100644
index 0000000..5501075
--- /dev/null
+++ b/crypto/kerberosIV/lib/acl/acl_files.c
@@ -0,0 +1,510 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "config.h"
+#include "protos.h"
+
+RCSID("$Id: acl_files.c,v 1.14 1999/09/16 20:41:43 assar Exp $");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <time.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+#include <errno.h>
+#include <ctype.h>
+
+#include <roken.h>
+
+#include <krb.h>
+#include <acl.h>
+
+/*** Routines for manipulating access control list files ***/
+
+/* "aname.inst@realm" */
+#define MAX_PRINCIPAL_SIZE  (ANAME_SZ + INST_SZ + REALM_SZ + 3)
+#define INST_SEP '.'
+#define REALM_SEP '@'
+
+#define LINESIZE 2048		/* Maximum line length in an acl file */
+
+#define NEW_FILE "%s.~NEWACL~"	/* Format for name of altered acl file */
+#define WAIT_TIME 300		/* Maximum time allowed write acl file */
+
+#define CACHED_ACLS 8		/* How many acls to cache */
+				/* Each acl costs 1 open file descriptor */
+#define ACL_LEN 16		/* Twice a reasonable acl length */
+
+#define COR(a,b) ((a!=NULL)?(a):(b))
+
+/*
+ * Canonicalize a principal name.
+ * If instance is missing, it becomes ""
+ * If realm is missing, it becomes the local realm
+ * Canonicalized form is put in canon, which must be big enough to
+ * hold MAX_PRINCIPAL_SIZE characters
+ *
+ */
+
+void
+acl_canonicalize_principal(char *principal, char *canon)
+{
+    krb_principal princ;
+    int ret;
+    ret = krb_parse_name(principal, &princ);
+    if(ret) { /* ? */
+	*canon = '\0';
+	return;
+    }
+    if(princ.realm[0] == '\0')
+	krb_get_lrealm(princ.realm, 1);
+    krb_unparse_name_r(&princ, canon);
+}
+	    
+/* Get a lock to modify acl_file */
+/* Return new FILE pointer */
+/* or NULL if file cannot be modified */
+/* REQUIRES WRITE PERMISSION TO CONTAINING DIRECTORY */
+static
+FILE *acl_lock_file(char *acl_file)
+{
+    struct stat s;
+    char new[LINESIZE];
+    int nfd;
+    FILE *nf;
+    int mode;
+
+    if(stat(acl_file, &s) < 0) return(NULL);
+    mode = s.st_mode;
+    snprintf(new, sizeof(new), NEW_FILE, acl_file);
+    for(;;) {
+	/* Open the new file */
+	if((nfd = open(new, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0) {
+	    if(errno == EEXIST) {
+		/* Maybe somebody got here already, maybe it's just old */
+		if(stat(new, &s) < 0) return(NULL);
+		if(time(0) - s.st_ctime > WAIT_TIME) {
+		    /* File is stale, kill it */
+		    unlink(new);
+		    continue;
+		} else {
+		    /* Wait and try again */
+		    sleep(1);
+		    continue;
+		}
+	    } else {
+		/* Some other error, we lose */
+		return(NULL);
+	    }
+	}
+
+	/* If we got to here, the lock file is ours and ok */
+	/* Reopen it under stdio */
+	if((nf = fdopen(nfd, "w")) == NULL) {
+	    /* Oops, clean up */
+	    unlink(new);
+	}
+	return(nf);
+    }
+}
+
+/* Abort changes to acl_file written onto FILE *f */
+/* Returns 0 if successful, < 0 otherwise */
+/* Closes f */
+static int
+acl_abort(char *acl_file, FILE *f)
+{
+    char new[LINESIZE];
+    int ret;
+    struct stat s;
+
+    /* make sure we aren't nuking someone else's file */
+    if(fstat(fileno(f), &s) < 0
+       || s.st_nlink == 0) {
+	   fclose(f);
+	   return(-1);
+       } else {
+	   snprintf(new, sizeof(new), NEW_FILE, acl_file);
+	   ret = unlink(new);
+	   fclose(f);
+	   return(ret);
+       }
+}
+
+/* Commit changes to acl_file written onto FILE *f */
+/* Returns zero if successful */
+/* Returns > 0 if lock was broken */
+/* Returns < 0 if some other error occurs */
+/* Closes f */
+static int
+acl_commit(char *acl_file, FILE *f)
+{
+    char new[LINESIZE];
+    int ret;
+    struct stat s;
+
+    snprintf(new, sizeof(new), NEW_FILE, acl_file);
+    if(fflush(f) < 0
+       || fstat(fileno(f), &s) < 0
+       || s.st_nlink == 0) {
+	acl_abort(acl_file, f);
+	return(-1);
+    }
+
+    ret = rename(new, acl_file);
+    fclose(f);
+    return(ret);
+}
+
+/* Initialize an acl_file */
+/* Creates the file with permissions perm if it does not exist */
+/* Erases it if it does */
+/* Returns return value of acl_commit */
+int
+acl_initialize(char *acl_file, int perm)
+{
+    FILE *new;
+    int fd;
+
+    /* Check if the file exists already */
+    if((new = acl_lock_file(acl_file)) != NULL) {
+	return(acl_commit(acl_file, new));
+    } else {
+	/* File must be readable and writable by owner */
+	if((fd = open(acl_file, O_CREAT|O_EXCL, perm|0600)) < 0) {
+	    return(-1);
+	} else {
+	    close(fd);
+	    return(0);
+	}
+    }
+}
+
+/* Eliminate all whitespace character in buf */
+/* Modifies its argument */
+static void
+nuke_whitespace(char *buf)
+{
+    unsigned char *pin, *pout;
+
+    for(pin = pout = (unsigned char *)buf; *pin != '\0'; pin++)
+	if(!isspace(*pin))
+	    *pout++ = *pin;
+    *pout = '\0';		/* Terminate the string */
+}
+
+/* Hash table stuff */
+
+struct hashtbl {
+    int size;			/* Max number of entries */
+    int entries;		/* Actual number of entries */
+    char **tbl;			/* Pointer to start of table */
+};
+
+/* Make an empty hash table of size s */
+static struct hashtbl *
+make_hash(int size)
+{
+    struct hashtbl *h;
+
+    if(size < 1) size = 1;
+    h = (struct hashtbl *) malloc(sizeof(struct hashtbl));
+    if (h == NULL)
+	return NULL;
+    h->size = size;
+    h->entries = 0;
+    h->tbl = (char **) calloc(size, sizeof(char *));
+    if (h->tbl == NULL) {
+	free (h);
+	return NULL;
+    }
+    return(h);
+}
+
+/* Destroy a hash table */
+static void
+destroy_hash(struct hashtbl *h)
+{
+    int i;
+
+    for(i = 0; i < h->size; i++) {
+	if(h->tbl[i] != NULL) free(h->tbl[i]);
+    }
+    free(h->tbl);
+    free(h);
+}
+
+/* Compute hash value for a string */
+static unsigned int
+hashval(char *s)
+{
+    unsigned hv;
+
+    for(hv = 0; *s != '\0'; s++) {
+	hv ^= ((hv << 3) ^ *s);
+    }
+    return(hv);
+}
+
+/* Add an element to a hash table */
+static void
+add_hash(struct hashtbl *h, char *el)
+{
+    unsigned hv;
+    char *s;
+    char **old;
+    int i;
+
+    /* Make space if it isn't there already */
+    if(h->entries + 1 > (h->size >> 1)) {
+	old = h->tbl;
+	h->tbl = (char **) calloc(h->size << 1, sizeof(char *));
+	for(i = 0; i < h->size; i++) {
+	    if(old[i] != NULL) {
+		hv = hashval(old[i]) % (h->size << 1);
+		while(h->tbl[hv] != NULL) hv = (hv+1) % (h->size << 1);
+		h->tbl[hv] = old[i];
+	    }
+	}
+	h->size = h->size << 1;
+	free(old);
+    }
+
+    hv = hashval(el) % h->size;
+    while(h->tbl[hv] != NULL && strcmp(h->tbl[hv], el)) hv = (hv+1) % h->size;
+    s = strdup(el);
+    if (s != NULL) {
+	h->tbl[hv] = s;
+	h->entries++;
+    }
+}
+
+/* Returns nonzero if el is in h */
+static int
+check_hash(struct hashtbl *h, char *el)
+{
+    unsigned hv;
+
+    for(hv = hashval(el) % h->size;
+	h->tbl[hv] != NULL;
+	hv = (hv + 1) % h->size) {
+	    if(!strcmp(h->tbl[hv], el)) return(1);
+	}
+    return(0);
+}
+
+struct acl {
+    char filename[LINESIZE];	/* Name of acl file */
+    int fd;			/* File descriptor for acl file */
+    struct stat status;		/* File status at last read */
+    struct hashtbl *acl;	/* Acl entries */
+};
+
+static struct acl acl_cache[CACHED_ACLS];
+
+static int acl_cache_count = 0;
+static int acl_cache_next = 0;
+
+/* Returns < 0 if unsuccessful in loading acl */
+/* Returns index into acl_cache otherwise */
+/* Note that if acl is already loaded, this is just a lookup */
+static int
+acl_load(char *name)
+{
+    int i;
+    FILE *f;
+    struct stat s;
+    char buf[MAX_PRINCIPAL_SIZE];
+    char canon[MAX_PRINCIPAL_SIZE];
+
+    /* See if it's there already */
+    for(i = 0; i < acl_cache_count; i++) {
+	if(!strcmp(acl_cache[i].filename, name)
+	   && acl_cache[i].fd >= 0) goto got_it;
+    }
+
+    /* It isn't, load it in */
+    /* maybe there's still room */
+    if(acl_cache_count < CACHED_ACLS) {
+	i = acl_cache_count++;
+    } else {
+	/* No room, clean one out */
+	i = acl_cache_next;
+	acl_cache_next = (acl_cache_next + 1) % CACHED_ACLS;
+	close(acl_cache[i].fd);
+	if(acl_cache[i].acl) {
+	    destroy_hash(acl_cache[i].acl);
+	    acl_cache[i].acl = (struct hashtbl *) 0;
+	}
+    }
+
+    /* Set up the acl */
+    strlcpy(acl_cache[i].filename, name, LINESIZE);
+    if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1);
+    /* Force reload */
+    acl_cache[i].acl = (struct hashtbl *) 0;
+
+ got_it:
+    /*
+     * See if the stat matches
+     *
+     * Use stat(), not fstat(), as the file may have been re-created by
+     * acl_add or acl_delete.  If this happens, the old inode will have
+     * no changes in the mod-time and the following test will fail.
+     */
+    if(stat(acl_cache[i].filename, &s) < 0) return(-1);
+    if(acl_cache[i].acl == (struct hashtbl *) 0
+       || s.st_nlink != acl_cache[i].status.st_nlink
+       || s.st_mtime != acl_cache[i].status.st_mtime
+       || s.st_ctime != acl_cache[i].status.st_ctime) {
+	   /* Gotta reload */
+	   if(acl_cache[i].fd >= 0) close(acl_cache[i].fd);
+	   if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1);
+	   if((f = fdopen(acl_cache[i].fd, "r")) == NULL) return(-1);
+	   if(acl_cache[i].acl) destroy_hash(acl_cache[i].acl);
+	   acl_cache[i].acl = make_hash(ACL_LEN);
+	   while(fgets(buf, sizeof(buf), f) != NULL) {
+	       nuke_whitespace(buf);
+	       acl_canonicalize_principal(buf, canon);
+	       add_hash(acl_cache[i].acl, canon);
+	   }
+	   fclose(f);
+	   acl_cache[i].status = s;
+       }
+    return(i);
+}
+
+/* Returns nonzero if it can be determined that acl contains principal */
+/* Principal is not canonicalized, and no wildcarding is done */
+int
+acl_exact_match(char *acl, char *principal)
+{
+    int idx;
+
+    return((idx = acl_load(acl)) >= 0
+	   && check_hash(acl_cache[idx].acl, principal));
+}
+
+/* Returns nonzero if it can be determined that acl contains principal */
+/* Recognizes wildcards in acl of the form
+   name.*@realm, *.*@realm, and *.*@* */
+int
+acl_check(char *acl, char *principal)
+{
+    char buf[MAX_PRINCIPAL_SIZE];
+    char canon[MAX_PRINCIPAL_SIZE];
+    char *realm;
+
+    acl_canonicalize_principal(principal, canon);
+
+    /* Is it there? */
+    if(acl_exact_match(acl, canon)) return(1);
+
+    /* Try the wildcards */
+    realm = strchr(canon, REALM_SEP);
+    *strchr(canon, INST_SEP) = '\0';	/* Chuck the instance */
+
+    snprintf(buf, sizeof(buf), "%s.*%s", canon, realm);
+    if(acl_exact_match(acl, buf)) return(1);
+
+    snprintf(buf, sizeof(buf), "*.*%s", realm);
+    if(acl_exact_match(acl, buf) || acl_exact_match(acl, "*.*@*")) return(1);
+       
+    return(0);
+}
+
+/* Adds principal to acl */
+/* Wildcards are interpreted literally */
+int
+acl_add(char *acl, char *principal)
+{
+    int idx;
+    int i;
+    FILE *new;
+    char canon[MAX_PRINCIPAL_SIZE];
+
+    acl_canonicalize_principal(principal, canon);
+
+    if((new = acl_lock_file(acl)) == NULL) return(-1);
+    if((acl_exact_match(acl, canon))
+       || (idx = acl_load(acl)) < 0) {
+	   acl_abort(acl, new);
+	   return(-1);
+       }
+    /* It isn't there yet, copy the file and put it in */
+    for(i = 0; i < acl_cache[idx].acl->size; i++) {
+	if(acl_cache[idx].acl->tbl[i] != NULL) {
+	    if(fputs(acl_cache[idx].acl->tbl[i], new) == EOF
+	       || putc('\n', new) != '\n') {
+		   acl_abort(acl, new);
+		   return(-1);
+	       }
+	}
+    }
+    fputs(canon, new);
+    putc('\n', new);
+    return(acl_commit(acl, new));
+}
+
+/* Removes principal from acl */
+/* Wildcards are interpreted literally */
+int
+acl_delete(char *acl, char *principal)
+{
+    int idx;
+    int i;
+    FILE *new;
+    char canon[MAX_PRINCIPAL_SIZE];
+
+    acl_canonicalize_principal(principal, canon);
+
+    if((new = acl_lock_file(acl)) == NULL) return(-1);
+    if((!acl_exact_match(acl, canon))
+       || (idx = acl_load(acl)) < 0) {
+	   acl_abort(acl, new);
+	   return(-1);
+       }
+    /* It isn't there yet, copy the file and put it in */
+    for(i = 0; i < acl_cache[idx].acl->size; i++) {
+	if(acl_cache[idx].acl->tbl[i] != NULL
+	   && strcmp(acl_cache[idx].acl->tbl[i], canon)) {
+	       fputs(acl_cache[idx].acl->tbl[i], new);
+	       putc('\n', new);
+	}
+    }
+    return(acl_commit(acl, new));
+}
diff --git a/crypto/kerberosIV/lib/acl/acl_files.doc b/crypto/kerberosIV/lib/acl/acl_files.doc
new file mode 100644
index 0000000..78c448a
--- /dev/null
+++ b/crypto/kerberosIV/lib/acl/acl_files.doc
@@ -0,0 +1,107 @@
+PROTOTYPE ACL LIBRARY
+
+Introduction
+	
+An access control list (ACL) is a list of principals, where each
+principal is is represented by a text string which cannot contain
+whitespace.  The library allows application programs to refer to named
+access control lists to test membership and to atomically add and
+delete principals using a natural and intuitive interface.  At
+present, the names of access control lists are required to be Unix
+filenames, and refer to human-readable Unix files; in the future, when
+a networked ACL server is implemented, the names may refer to a
+different namespace specific to the ACL service.
+
+
+Usage
+
+cc <files> -lacl -lkrb.
+
+
+
+Principal Names
+
+Principal names have the form
+
+<name>[.<instance>][@<realm>]
+
+e.g.
+
+asp
+asp.root
+asp@ATHENA.MIT.EDU
+asp.@ATHENA.MIT.EDU
+asp.root@ATHENA.MIT.EDU
+
+It is possible for principals to be underspecified.  If instance is
+missing, it is assumed to be "".  If realm is missing, it is assumed
+to be local_realm.  The canonical form contains all of name, instance,
+and realm; the acl_add and acl_delete routines will always
+leave the file in that form.  Note that the canonical form of
+asp@ATHENA.MIT.EDU is actually asp.@ATHENA.MIT.EDU.
+
+
+Routines
+
+acl_canonicalize_principal(principal, buf)
+char *principal;
+char *buf;  	/*RETVAL*/
+
+Store the canonical form of principal in buf.  Buf must contain enough
+space to store a principal, given the limits on the sizes of name,
+instance, and realm specified in /usr/include/krb.h.
+
+acl_check(acl, principal)
+char *acl;
+char *principal;
+
+Returns nonzero if principal appears in acl.  Returns 0 if principal
+does not appear in acl, or if an error occurs.  Canonicalizes
+principal before checking, and allows the ACL to contain wildcards.
+
+acl_exact_match(acl, principal)
+char *acl;
+char *principal;
+
+Like acl_check, but does no canonicalization or wildcarding.
+
+acl_add(acl, principal)
+char *acl;
+char *principal;
+
+Atomically adds principal to acl.  Returns 0 if successful, nonzero
+otherwise.  It is considered a failure if principal is already in acl.
+This routine will canonicalize principal, but will treat wildcards
+literally.
+
+acl_delete(acl, principal)
+char *acl;
+char *principal;
+
+Atomically deletes principal from acl.  Returns 0 if successful,
+nonzero otherwise.  It is consider a failure if principal is not
+already in acl.  This routine will canonicalize principal, but will
+treat wildcards literally.
+
+acl_initialize(acl, mode)
+char *acl;
+int mode;
+
+Initialize acl.  If acl file does not exist, creates it with mode
+mode.  If acl exists, removes all members.  Returns 0 if successful,
+nonzero otherwise.  WARNING: Mode argument is likely to change with
+the eventual introduction of an ACL service.  
+
+
+Known problems
+
+In the presence of concurrency, there is a very small chance that
+acl_add or acl_delete could report success even though it would have
+had no effect.  This is a necessary side effect of using lock files
+for concurrency control rather than flock(2), which is not supported
+by NFS.
+
+The current implementation caches ACLs in memory in a hash-table
+format for increased efficiency in checking membership; one effect of
+the caching scheme is that one file descriptor will be kept open for
+each ACL cached, up to a maximum of 8.
diff --git a/crypto/kerberosIV/lib/auth/ChangeLog b/crypto/kerberosIV/lib/auth/ChangeLog
new file mode 100644
index 0000000..f9c948c
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/ChangeLog
@@ -0,0 +1,65 @@
+1999-11-15  Assar Westerlund  <assar@sics.se>
+
+	* */lib/Makefile.in: set LIBNAME.  From Enrico Scholz
+ 	<Enrico.Scholz@informatik.tu-chemnitz.de>
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c (verify_krb5): need realm for v5 -> v4
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c (verify_krb5): update to new
+ 	krb524_convert_creds_kdc
+
+1999-09-28  Assar Westerlund  <assar@sics.se>
+
+	* sia/sia.c (doauth): use krb5_get_local_realms and
+ 	krb5_verify_user_lrealm
+
+	* afskauthlib/verify.c (verify_krb5): remove krb5_kuserok.  use
+ 	krb5_verify_user_lrealm
+
+1999-08-11  Johan Danielsson  <joda@pdc.kth.se>
+
+	* afskauthlib/verify.c: make this compile w/o krb4
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* afskauthlib/verify.c: incorporate patches from Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+Thu Apr  8 14:35:34 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/sia.c: remove definition of KRB_VERIFY_USER (moved to
+ 	config.h)
+
+	* sia/Makefile.am: make it build w/o krb4
+
+	* afskauthlib/verify.c: add krb5 support
+
+	* afskauthlib/Makefile.am: build afskauthlib.so
+
+Wed Apr  7 14:06:22 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/sia.c: make it compile w/o krb4
+
+	* sia/Makefile.am: make it compile w/o krb4
+
+Thu Apr  1 18:09:23 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/sia_locl.h: POSIX_GETPWNAM_R is defined in config.h
+
+Sun Mar 21 14:08:30 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* sia/Makefile.in: add posix_getpw.c
+	  
+	* sia/Makefile.am: makefile for sia
+	  
+	* sia/posix_getpw.c: move from sia.c
+	  
+	* sia/sia_locl.h: merge with krb5 version
+	  
+	* sia/sia.c: merge with krb5 version
+	  
+	* sia/sia5.c: remove unused variables
diff --git a/crypto/kerberosIV/lib/auth/Makefile.am b/crypto/kerberosIV/lib/auth/Makefile.am
new file mode 100644
index 0000000..0310dc3
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/Makefile.am
@@ -0,0 +1,6 @@
+# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+SUBDIRS = @LIB_AUTH_SUBDIRS@
+DIST_SUBDIRS = afskauthlib pam sia
diff --git a/crypto/kerberosIV/lib/auth/Makefile.in b/crypto/kerberosIV/lib/auth/Makefile.in
new file mode 100644
index 0000000..53fde5f
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/Makefile.in
@@ -0,0 +1,55 @@
+#
+# $Id: Makefile.in,v 1.12 1998/03/15 05:58:10 assar Exp $
+#
+
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+@SET_MAKE@
+
+SUBDIRS		= @LIB_AUTH_SUBDIRS@
+
+all:
+		SUBDIRS='$(SUBDIRS)'; \
+		for i in $$SUBDIRS; \
+		do (cd $$i && $(MAKE) $(MFLAGS) all); done
+
+Wall:
+		make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+install:
+		SUBDIRS=$(SUBDIRS); \
+		for i in $$SUBDIRS; \
+		do (cd $$i && $(MAKE) $(MFLAGS) install); done
+
+uninstall:
+		SUBDIRS=$(SUBDIRS); \
+		for i in $$SUBDIRS; \
+		do (cd $$i && $(MAKE) $(MFLAGS) uninstall); done
+
+check:
+		SUBDIRS=$(SUBDIRS); \
+		for i in $$SUBDIRS; \
+		do (cd $$i && $(MAKE) $(MFLAGS) check); done
+
+clean:
+		SUBDIRS=$(SUBDIRS); \
+		for i in $$SUBDIRS; \
+		do (cd $$i && $(MAKE) $(MFLAGS) clean); done
+
+mostlyclean:	clean
+
+distclean:
+		SUBDIRS=$(SUBDIRS); \
+		for i in $$SUBDIRS; \
+		do (cd $$i && $(MAKE) $(MFLAGS) distclean); done
+		rm -f Makefile *~
+
+realclean:
+		SUBDIRS=$(SUBDIRS); \
+		for i in $$SUBDIRS; \
+		do (cd $$i && $(MAKE) $(MFLAGS) realclean); done
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.am b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.am
new file mode 100644
index 0000000..7dd6d52
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.am
@@ -0,0 +1,38 @@
+# $Id: Makefile.am,v 1.3 1999/04/08 12:35:33 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+DEFS = @DEFS@
+
+foodir = $(libdir)
+foo_DATA = afskauthlib.so
+
+SUFFIXES += .c .o
+
+SRCS = verify.c
+OBJS = verify.o
+
+CLEANFILES = $(foo_DATA) $(OBJS) so_locations
+
+afskauthlib.so: $(OBJS)
+	$(LD) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)
+
+.c.o:
+	$(COMPILE) -c $<
+
+if KRB4
+KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a
+endif
+
+L = \
+	$(KAFS)	\
+	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
+	$(top_builddir)/lib/asn1/.libs/libasn1.a	\
+	$(LIB_krb4)					\
+	$(top_builddir)/lib/des/.libs/libdes.a		\
+	$(top_builddir)/lib/roken/.libs/libroken.a	\
+	-lc
+
+$(OBJS): $(top_builddir)/include/config.h
diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in
new file mode 100644
index 0000000..5e073af
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in
@@ -0,0 +1,87 @@
+#
+# $Id: Makefile.in,v 1.25.2.1 2000/06/23 03:20:05 assar Exp $
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+LN_S = @LN_S@
+RANLIB = @RANLIB@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+
+@lib_deps_yes@LIB_DEPS = -L../../kafs -lkafs			\
+@lib_deps_yes@	   -L../../krb -lkrb			\
+@lib_deps_yes@	   -L../../des -ldes			\
+@lib_deps_yes@	   -L../../roken -lroken		\
+@lib_deps_yes@	   -lc
+@lib_deps_no@LIB_DEPS =
+
+PICFLAGS = @REAL_PICFLAGS@
+LDSHARED = @LDSHARED@
+SHLIBEXT = @REAL_SHLIBEXT@
+LD_FLAGS = @REAL_LD_FLAGS@
+ 
+LIBNAME = afskauthlib
+LIB = $(LIBNAME).$(SHLIBEXT)
+
+SOURCES = verify.c
+
+OBJECTS = verify.o
+
+all: $(LIB)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libdir)
+	-if test "$(LIB)" != ""; then \
+	 $(INSTALL_DATA) $(LIB) $(DESTDIR)$(libdir)/$(LIB) ; \
+	fi
+
+uninstall:
+	-if test "$(LIB)" != ""; then \
+	 rm -f $(DESTDIR)$(libdir)/$(LIB) ; \
+	fi
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f $(LIB) *.o
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+$(OBJECTS): ../../../include/config.h
+
+$(LIB): $(OBJECTS)
+	rm -f $@
+	$(LDSHARED) $(CFLAGS) -o $@ $(OBJECTS) $(LD_FLAGS) $(LIB_DEPS)
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/README b/crypto/kerberosIV/lib/auth/afskauthlib/README
new file mode 100644
index 0000000..6052a26
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/afskauthlib/README
@@ -0,0 +1,25 @@
+
+IRIX
+----
+
+The IRIX support is a module that is compatible with Transarc's
+`afskauthlib.so'.  It should work with all programs that use this
+library, this should include `login' and `xdm'.
+
+The interface is not very documented but it seems that you have to copy
+`libkafs.so', `libkrb.so', and `libdes.so' to `/usr/lib', or build your
+`afskauthlib.so' statically.
+
+The `afskauthlib.so' itself is able to reside in `/usr/vice/etc',
+`/usr/afsws/lib', or the current directory (wherever that is).
+
+IRIX 6.4 and newer seems to have all programs (including `xdm' and
+`login') in the N32 object format, whereas in older versions they were
+O32. For it to work, the `afskauthlib.so' library has to be in the same
+object format as the program that tries to load it. This might require
+that you have to configure and build for O32 in addition to the default
+N32.
+
+Appart from this it should "just work", there are no configuration
+files.
+
diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/verify.c b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c
new file mode 100644
index 0000000..1c23119
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verify.c,v 1.20 1999/12/02 16:58:37 joda Exp $");
+#endif
+#include <unistd.h>
+#include <sys/types.h>
+#include <pwd.h>
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#include <kafs.h>
+#endif
+#include <roken.h>
+
+#ifdef KRB5
+static char krb5ccname[128];
+#endif
+#ifdef KRB4
+static char krbtkfile[128];
+#endif
+
+/* 
+   In some cases is afs_gettktstring called twice (once before
+   afs_verify and once after afs_verify).
+   In some cases (rlogin with access allowed via .rhosts) 
+   afs_verify is not called!
+   So we can't rely on correct value in krbtkfile in some
+   cases!
+*/
+
+static int correct_tkfilename=0;
+static int pag_set=0;
+
+#ifdef KRB4
+static void
+set_krbtkfile(uid_t uid)
+{
+    snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
+    krb_set_tkt_string (krbtkfile);
+    correct_tkfilename = 1;
+}
+#endif
+
+/* XXX this has to be the default cache name, since the KRB5CCNAME
+ * environment variable isn't exported by login/xdm
+ */
+
+#ifdef KRB5
+static void
+set_krb5ccname(uid_t uid)
+{
+    snprintf (krb5ccname, sizeof(krb5ccname), "FILE:/tmp/krb5cc_%d", uid);
+#ifdef KRB4
+    snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
+#endif
+    correct_tkfilename = 1;
+}
+#endif
+
+static void
+set_spec_krbtkfile(void)
+{
+    int fd;
+#ifdef KRB4
+    snprintf (krbtkfile, sizeof(krbtkfile), "%s_XXXXXX", TKT_ROOT);
+    fd = mkstemp(krbtkfile);
+    close(fd);
+    unlink(krbtkfile); 
+    krb_set_tkt_string (krbtkfile);
+#endif
+#ifdef KRB5
+    snprintf(krb5ccname, sizeof(krb5ccname),"FILE:/tmp/krb5cc_XXXXXX");
+    fd=mkstemp(krb5ccname+5);
+    close(fd);
+    unlink(krb5ccname+5);
+#endif
+}
+
+#ifdef KRB5
+static int
+verify_krb5(struct passwd *pwd,
+	    char *password,
+	    int32_t *exp,
+	    int quiet)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_ccache ccache;
+    krb5_principal principal;
+    
+    krb5_init_context(&context);
+
+    ret = krb5_parse_name (context, pwd->pw_name, &principal);
+    if (ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    set_krb5ccname(pwd->pw_uid);
+    ret = krb5_cc_resolve(context, krb5ccname, &ccache);
+    if(ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    ret = krb5_verify_user_lrealm(context,
+				  principal,
+				  ccache,
+				  password,
+				  TRUE,
+				  NULL);
+    if(ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) {
+	syslog(LOG_AUTH|LOG_DEBUG, "chown: %s", 
+	       krb5_get_err_text(context, errno));
+	goto out;
+    }
+
+#ifdef KRB4
+    if (krb5_config_get_bool(context, NULL,
+			     "libdefaults",
+			     "krb4_get_tickets",
+			     NULL)) {
+	CREDENTIALS c;
+	krb5_creds mcred, cred;
+        krb5_realm realm;
+
+        krb5_get_default_realm(context, &realm);
+	krb5_make_principal(context, &mcred.server, realm,
+			    "krbtgt",
+			    realm,
+			    NULL);
+	free (realm);
+	ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
+	if(ret == 0) {
+	    ret = krb524_convert_creds_kdc(context, ccache, &cred, &c);
+	    if(ret)
+		krb5_warn(context, ret, "converting creds");
+	    else {
+		set_krbtkfile(pwd->pw_uid);
+		tf_setup(&c, c.pname, c.pinst); 
+	    }
+	    memset(&c, 0, sizeof(c));
+	    krb5_free_creds_contents(context, &cred);
+	} else
+	    syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s", 
+		   krb5_get_err_text(context, ret));
+	    
+	krb5_free_principal(context, mcred.server);
+    }
+    if (!pag_set && k_hasafs()) {
+	k_setpag();
+	pag_set = 1;
+	krb5_afslog_uid_home(context, ccache, NULL, NULL, 
+			     pwd->pw_uid, pwd->pw_dir);
+    }
+#endif
+out:
+    if(ret && !quiet)
+	printf ("%s\n", krb5_get_err_text (context, ret));
+    return ret;
+}
+#endif
+
+#ifdef KRB4
+static int
+verify_krb4(struct passwd *pwd,
+	    char *password,
+	    int32_t *exp,
+	    int quiet)
+{
+    int ret = 1;
+    char lrealm[REALM_SZ];
+    
+    if (krb_get_lrealm (lrealm, 1) != KFAILURE) {
+	set_krbtkfile(pwd->pw_uid);
+	ret = krb_verify_user (pwd->pw_name, "", lrealm, password,
+			       KRB_VERIFY_SECURE, NULL);
+	if (ret == KSUCCESS) {
+	    if (!pag_set && k_hasafs()) {
+		k_setpag ();
+		pag_set = 1;
+		krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
+	    }
+	} else if (!quiet)
+	    printf ("%s\n", krb_get_err_text (ret));
+    }
+    return ret;
+}
+#endif
+
+int
+afs_verify(char *name,
+	   char *password,
+	   int32_t *exp,
+	   int quiet)
+{
+    int ret = 1;
+    struct passwd *pwd = k_getpwnam (name);
+
+    if(pwd == NULL)
+	return 1;
+    if (ret)
+	ret = unix_verify_user (name, password);
+#ifdef KRB5
+    if (ret)
+	ret = verify_krb5(pwd, password, exp, quiet);
+#endif
+#ifdef KRB4
+    if(ret)
+	ret = verify_krb4(pwd, password, exp, quiet);
+#endif
+    return ret;
+}
+
+char *
+afs_gettktstring (void)
+{
+    char *ptr;
+    struct passwd *pwd;
+
+    if (!correct_tkfilename) {
+	ptr = getenv("LOGNAME"); 
+	if (ptr != NULL && ((pwd = getpwnam(ptr)) != NULL)) {
+	    set_krb5ccname(pwd->pw_uid);
+#ifdef KRB4
+	    set_krbtkfile(pwd->pw_uid);
+	    if (!pag_set && k_hasafs()) {
+                k_setpag();
+                pag_set=1;
+	    }
+#endif
+	} else {
+	    set_spec_krbtkfile();
+	}
+    }
+#ifdef KRB5
+    setenv("KRB5CCNAME",krb5ccname,1);
+#endif
+#ifdef KRB4
+    setenv("KRBTKFILE",krbtkfile,1);
+    return krbtkfile;
+#else
+    return "";
+#endif
+}
diff --git a/crypto/kerberosIV/lib/auth/pam/Makefile.am b/crypto/kerberosIV/lib/auth/pam/Makefile.am
new file mode 100644
index 0000000..abde2d9
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/pam/Makefile.am
@@ -0,0 +1,3 @@
+# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
diff --git a/crypto/kerberosIV/lib/auth/pam/Makefile.in b/crypto/kerberosIV/lib/auth/pam/Makefile.in
new file mode 100644
index 0000000..4369532
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/pam/Makefile.in
@@ -0,0 +1,87 @@
+#
+# $Id: Makefile.in,v 1.25.2.2 2000/12/07 16:44:11 assar Exp $
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+
+PICFLAGS = @REAL_PICFLAGS@
+LDSHARED = @LDSHARED@
+SHLIBEXT = @REAL_SHLIBEXT@
+LD_FLAGS = @REAL_LD_FLAGS@
+
+LIB_res_search = @LIB_res_search@
+LIB_dn_expand = @LIB_dn_expand@
+ 
+@lib_deps_yes@LIB_DEPS = ../../kafs/libkafs_pic.a \
+@lib_deps_yes@	         ../../krb/libkrb_pic.a ../../des/libdes_pic.a \
+@lib_deps_yes@     $(LIB_res_search) $(LIB_dn_expand) -lpam -lc
+@lib_deps_no@LIB_DEPS =
+
+LIBNAME = pam_krb4
+LIB = $(LIBNAME).$(SHLIBEXT)
+
+SOURCES = pam.c
+
+OBJECTS = pam.o
+
+all: $(LIB)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libdir)
+	-if test "$(LIB)" != ""; then \
+	  $(INSTALL_DATA) $(LIB) $(DESTDIR)$(libdir)/$(LIB) ; \
+	fi
+
+uninstall:
+	-if test "$(LIB)" != ""; then \
+	  rm -f $(DESTDIR)$(libdir)/$(LIB) ; \
+	fi
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f $(LIB) *.o
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+$(OBJECTS): ../../../include/config.h
+
+$(LIB): $(OBJECTS)
+	rm -f $@
+	$(LDSHARED) -Wl,-Bsymbolic -o $@ $(OBJECTS) $(LD_FLAGS) $(LIB_DEPS)
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/lib/auth/pam/README b/crypto/kerberosIV/lib/auth/pam/README
new file mode 100644
index 0000000..2c45a53
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/pam/README
@@ -0,0 +1,25 @@
+
+PAM
+---
+
+The PAM module was written more out of curiosity that anything else. It
+has not been updated for quite a while, but it seems to mostly work on
+both Linux and Solaris.
+
+To use this module you should:
+
+   * Make sure `pam_krb4.so' is available in `/usr/athena/lib'. You
+     might actually want it on local disk, so `/lib/security' might be a
+     better place if `/usr/athena' is not local.
+
+   * Look at `pam.conf.add' for examples of what to add to
+     `/etc/pam.conf'.
+
+There is currently no support for changing kerberos passwords. Use
+kpasswd instead.
+
+See also Derrick J Brashear's `<shadow@dementia.org>' Kerberos PAM
+module at
+<ftp://ftp.dementia.org/pub/pam>. It has a lot more features, and it is
+also more in line with other PAM modules.
+
diff --git a/crypto/kerberosIV/lib/auth/pam/pam.c b/crypto/kerberosIV/lib/auth/pam/pam.c
new file mode 100644
index 0000000..22dfc74
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/pam/pam.c
@@ -0,0 +1,443 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include<config.h>
+RCSID("$Id: pam.c,v 1.22.2.2 2000/10/13 15:41:09 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <pwd.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <syslog.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#ifndef PAM_AUTHTOK_RECOVERY_ERR /* Fix linsux typo. */
+#define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR
+#endif
+
+#include <netinet/in.h>
+#include <krb.h>
+#include <kafs.h>
+
+#if 0
+/* Debugging PAM modules is a royal pain, truss helps. */
+#define DEBUG(msg) (access(msg " at line", __LINE__))
+#endif
+
+static void
+psyslog(int level, const char *format, ...)
+{
+  va_list args;
+  va_start(args, format);
+  openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
+  vsyslog(level, format, args);
+  va_end(args);
+  closelog();
+}
+
+enum {
+  KRB4_DEBUG,
+  KRB4_USE_FIRST_PASS,
+  KRB4_TRY_FIRST_PASS,
+  KRB4_IGNORE_ROOT,
+  KRB4_NO_VERIFY,
+  KRB4_REAFSLOG,
+  KRB4_CTRLS			/* Number of ctrl arguments defined. */
+};
+
+#define KRB4_DEFAULTS  0
+
+static int ctrl_flags = KRB4_DEFAULTS;
+#define ctrl_on(x)  (krb4_args[x].flag & ctrl_flags)
+#define ctrl_off(x) (!ctrl_on(x))
+
+typedef struct
+{
+  const char *token;
+  unsigned int flag;
+} krb4_ctrls_t;
+
+static krb4_ctrls_t krb4_args[KRB4_CTRLS] =
+{
+  /* KRB4_DEBUG          */ { "debug",          0x01 },
+  /* KRB4_USE_FIRST_PASS */ { "use_first_pass", 0x02 },
+  /* KRB4_TRY_FIRST_PASS */ { "try_first_pass", 0x04 },
+  /* KRB4_IGNORE_ROOT    */ { "ignore_root",    0x08 },
+  /* KRB4_NO_VERIFY      */ { "no_verify",      0x10 },
+  /* KRB4_REAFSLOG       */ { "reafslog",       0x20 },
+};
+
+static void
+parse_ctrl(int argc, const char **argv)
+{
+  int i, j;
+
+  ctrl_flags = KRB4_DEFAULTS;
+  for (i = 0; i < argc; i++)
+    {
+      for (j = 0; j < KRB4_CTRLS; j++)
+	if (strcmp(argv[i], krb4_args[j].token) == 0)
+	  break;
+    
+      if (j >= KRB4_CTRLS)
+	psyslog(LOG_ALERT, "unrecognized option [%s]", *argv);
+      else
+	ctrl_flags |= krb4_args[j].flag;
+    }
+}
+
+static void
+pdeb(const char *format, ...)
+{
+  va_list args;
+  if (ctrl_off(KRB4_DEBUG))
+    return;
+  va_start(args, format);
+  openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
+  vsyslog(LOG_DEBUG, format, args);
+  va_end(args);
+  closelog();
+}
+
+#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid())
+
+static void
+set_tkt_string(uid_t uid)
+{
+  char buf[128];
+
+  snprintf(buf, sizeof(buf), "%s%u", TKT_ROOT, (unsigned)uid);
+  krb_set_tkt_string(buf);
+
+#if 0
+  /* pam_set_data+pam_get_data are not guaranteed to work, grr. */
+  pam_set_data(pamh, "KRBTKFILE", strdup(t), cleanup);
+  if (pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt) == PAM_SUCCESS)
+    {
+      pam_putenv(pamh, var);
+    }
+#endif
+
+  /* We don't want to inherit this variable.
+   * If we still do, it must have a sane value. */
+  if (getenv("KRBTKFILE") != 0)
+    {
+      char *var = malloc(sizeof(buf));
+      snprintf(var, sizeof(buf), "KRBTKFILE=%s", tkt_string());
+      putenv(var);
+      /* free(var); XXX */
+    }
+}
+
+static int
+verify_pass(pam_handle_t *pamh,
+	    const char *name,
+	    const char *inst,
+	    const char *pass)
+{
+  char realm[REALM_SZ];
+  int ret, krb_verify, old_euid, old_ruid;
+
+  krb_get_lrealm(realm, 1);
+  if (ctrl_on(KRB4_NO_VERIFY))
+    krb_verify = KRB_VERIFY_SECURE_FAIL;
+  else
+    krb_verify = KRB_VERIFY_SECURE;
+  old_ruid = getuid();
+  old_euid = geteuid();
+  setreuid(0, 0);
+  ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL);
+  pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s",
+       name, inst, realm, krb_verify,
+       krb_get_err_text(ret));
+  setreuid(old_ruid, old_euid);
+  if (getuid() != old_ruid || geteuid() != old_euid)
+    {
+      psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
+	      old_ruid, old_euid, __LINE__);
+      exit(1);
+    }
+    
+  switch(ret) {
+  case KSUCCESS:
+    return PAM_SUCCESS;
+  case KDC_PR_UNKNOWN:
+    return PAM_USER_UNKNOWN;
+  case SKDC_CANT:
+  case SKDC_RETRY:
+  case RD_AP_TIME:
+    return PAM_AUTHINFO_UNAVAIL;
+  default:
+    return PAM_AUTH_ERR;
+  }
+}
+
+static int
+krb4_auth(pam_handle_t *pamh,
+	  int flags,
+	  const char *name,
+	  const char *inst,
+	  struct pam_conv *conv)
+{
+  struct pam_response *resp;
+  char prompt[128];
+  struct pam_message msg, *pmsg = &msg;
+  int ret;
+
+  if (ctrl_on(KRB4_TRY_FIRST_PASS) || ctrl_on(KRB4_USE_FIRST_PASS))
+    {
+      char *pass = 0;
+      ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass);
+      if (ret != PAM_SUCCESS)
+        {
+          psyslog(LOG_ERR , "pam_get_item returned error to get-password");
+          return ret;
+        }
+      else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS)
+	return PAM_SUCCESS;
+      else if (ctrl_on(KRB4_USE_FIRST_PASS))
+	return PAM_AUTHTOK_RECOVERY_ERR;       /* Wrong password! */
+      else
+	/* We tried the first password but it didn't work, cont. */;
+    }
+
+  msg.msg_style = PAM_PROMPT_ECHO_OFF;
+  if (*inst == 0)
+    snprintf(prompt, sizeof(prompt), "%s's Password: ", name);
+  else
+    snprintf(prompt, sizeof(prompt), "%s.%s's Password: ", name, inst);
+  msg.msg = prompt;
+
+  ret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr);
+  if (ret != PAM_SUCCESS)
+    return ret;
+
+  ret = verify_pass(pamh, name, inst, resp->resp);
+  if (ret == PAM_SUCCESS)
+    {
+      memset(resp->resp, 0, strlen(resp->resp)); /* Erase password! */
+      free(resp->resp);
+      free(resp);
+    }
+  else
+    {
+      pam_set_item(pamh, PAM_AUTHTOK, resp->resp); /* Save password. */
+      /* free(resp->resp); XXX */
+      /* free(resp); XXX */
+    }
+  
+  return ret;
+}
+
+int
+pam_sm_authenticate(pam_handle_t *pamh,
+		    int flags,
+		    int argc,
+		    const char **argv)
+{
+  char *user;
+  int ret;
+  struct pam_conv *conv;
+  struct passwd *pw;
+  uid_t uid = -1;
+  const char *name, *inst;
+  char realm[REALM_SZ];
+  realm[0] = 0;
+
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_authenticate");
+
+  ret = pam_get_user(pamh, &user, "login: ");
+  if (ret != PAM_SUCCESS)
+    return ret;
+
+  if (ctrl_on(KRB4_IGNORE_ROOT) && strcmp(user, "root") == 0)
+    return PAM_AUTHINFO_UNAVAIL;
+
+  ret = pam_get_item(pamh, PAM_CONV, (void*)&conv);
+  if (ret != PAM_SUCCESS)
+    return ret;
+
+  pw = getpwnam(user);
+  if (pw != 0)
+    {
+      uid = pw->pw_uid;
+      set_tkt_string(uid);
+    }
+    
+  if (strcmp(user, "root") == 0 && getuid() != 0)
+    {
+      pw = getpwuid(getuid());
+      if (pw != 0)
+	{
+	  name = strdup(pw->pw_name);
+	  inst = "root";
+	}
+    }
+  else
+    {
+      name = user;
+      inst = "";
+    }
+
+  ret = krb4_auth(pamh, flags, name, inst, conv);
+
+  /*
+   * The realm was lost inside krb_verify_user() so we can't simply do
+   * a krb_kuserok() when inst != "".
+   */
+  if (ret == PAM_SUCCESS && inst[0] != 0)
+    {
+      uid_t old_euid = geteuid();
+      uid_t old_ruid = getuid();
+
+      setreuid(0, 0);		/* To read ticket file. */
+      if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
+	ret = PAM_SERVICE_ERR;
+      else if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
+	{
+	  setreuid(0, uid);	/*  To read ~/.klogin. */
+	  if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
+	    ret = PAM_PERM_DENIED;
+	}
+
+      if (ret != PAM_SUCCESS)
+	{
+	  dest_tkt();		/* Passwd known, ok to kill ticket. */
+	  psyslog(LOG_NOTICE,
+		  "%s.%s@%s is not allowed to log in as %s",
+		  name, inst, realm, user);
+	}
+
+      setreuid(old_ruid, old_euid);
+      if (getuid() != old_ruid || geteuid() != old_euid)
+	{
+	  psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
+		  old_ruid, old_euid, __LINE__);
+	  exit(1);
+	}
+    }
+
+  if (ret == PAM_SUCCESS)
+    {
+      psyslog(LOG_INFO,
+	      "%s.%s@%s authenticated as user %s",
+	      name, inst, realm, user);
+      if (chown(tkt_string(), uid, -1) == -1)
+	{
+	  dest_tkt();
+	  psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid);
+	  exit(1);
+	}
+    }
+
+  /*
+   * Kludge alert!!! Sun dtlogin unlock screen fails to call
+   * pam_setcred(3) with PAM_REFRESH_CRED after a successful
+   * authentication attempt, sic.
+   *
+   * This hack is designed as a workaround to that problem.
+   */
+  if (ctrl_on(KRB4_REAFSLOG))
+    if (ret == PAM_SUCCESS)
+      pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);
+  
+  return ret;
+}
+
+int 
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_setcred");
+
+  switch (flags & ~PAM_SILENT) {
+  case 0:
+  case PAM_ESTABLISH_CRED:
+    if (k_hasafs())
+      k_setpag();
+    /* Fall through, fill PAG with credentials below. */
+  case PAM_REINITIALIZE_CRED:
+  case PAM_REFRESH_CRED:
+    if (k_hasafs())
+      {
+	void *user = 0;
+
+	if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS)
+	  {
+	    struct passwd *pw = getpwnam((char *)user);
+	    if (pw != 0)
+	      krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0,
+				  pw->pw_uid, pw->pw_dir);
+	  }
+      }
+    break;
+  case PAM_DELETE_CRED:
+    dest_tkt();
+    if (k_hasafs())
+      k_unlog();
+    break;
+  default:
+    psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
+    break;
+  }
+  
+  return PAM_SUCCESS;
+}
+
+int
+pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_open_session");
+
+  return PAM_SUCCESS;
+}
+
+
+int
+pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv)
+{
+  parse_ctrl(argc, argv);
+  ENTRY("pam_sm_close_session");
+
+  /* This isn't really kosher, but it's handy. */
+  pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv);
+
+  return PAM_SUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/auth/pam/pam.conf.add b/crypto/kerberosIV/lib/auth/pam/pam.conf.add
new file mode 100644
index 0000000..64a4915
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/pam/pam.conf.add
@@ -0,0 +1,81 @@
+To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch:
+
+--- /etc/pam.conf.DIST	Mon Jul 20 15:37:46 1998
++++ /etc/pam.conf	Tue Feb 15 19:39:12 2000
+@@ -4,15 +4,19 @@
+ #
+ # Authentication management
+ #
++login	auth sufficient	/usr/athena/lib/pam_krb4.so
+ login	auth required 	/usr/lib/security/pam_unix.so.1 
+ login	auth required 	/usr/lib/security/pam_dial_auth.so.1 
+ #
+ rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
+ rlogin	auth required 	/usr/lib/security/pam_unix.so.1
+ #
++dtlogin	auth sufficient	/usr/athena/lib/pam_krb4.so
+ dtlogin	auth required 	/usr/lib/security/pam_unix.so.1 
+ #
+ rsh	auth required	/usr/lib/security/pam_rhosts_auth.so.1
++# Reafslog is for dtlogin lock display
++other	auth sufficient	/usr/athena/lib/pam_krb4.so reafslog
+ other	auth required	/usr/lib/security/pam_unix.so.1
+ #
+ # Account management
+@@ -24,6 +28,8 @@
+ #
+ # Session management
+ #
++dtlogin	session required	/usr/athena/lib/pam_krb4.so
++login	session required	/usr/athena/lib/pam_krb4.so
+ other	session required	/usr/lib/security/pam_unix.so.1 
+ #
+ # Password management
+---------------------------------------------------------------------------
+To enable PAM in /bin/login and xdm under Red Hat 6.1 apply these patches:
+
+--- /etc/pam.d/login~   Thu Jul  8 00:14:02 1999
++++ /etc/pam.d/login    Mon Aug 30 14:33:12 1999
+@@ -1,9 +1,12 @@
+ #%PAM-1.0
++# Updated to work with kerberos
++auth       sufficient   /lib/security/pam_krb4.so
+ auth       required    /lib/security/pam_securetty.so
+ auth       required    /lib/security/pam_pwdb.so shadow nullok
+ auth       required    /lib/security/pam_nologin.so
+ account    required    /lib/security/pam_pwdb.so
+ password   required    /lib/security/pam_cracklib.so
+ password   required    /lib/security/pam_pwdb.so nullok use_authtok shadow
++session    required     /lib/security/pam_krb4.so
+ session    required    /lib/security/pam_pwdb.so
+ session    optional    /lib/security/pam_console.so
+--- /etc/pam.d/xdm~     Mon Jun 14 17:39:05 1999
++++ /etc/pam.d/xdm      Mon Aug 30 14:54:51 1999
+@@ -1,8 +1,10 @@
+ #%PAM-1.0
++auth       sufficient   /lib/security/pam_krb4.so
+ auth       required    /lib/security/pam_pwdb.so shadow nullok
+ auth       required    /lib/security/pam_nologin.so
+ account    required    /lib/security/pam_pwdb.so
+ password   required    /lib/security/pam_cracklib.so
+ password   required    /lib/security/pam_pwdb.so shadow nullok use_authtok
++session    required     /lib/security/pam_krb4.so
+ session    required    /lib/security/pam_pwdb.so
+ session    optional     /lib/security/pam_console.so
+--------------------------------------------------------------------------
+
+This stuff may work under some other system.
+
+# To get this to work, you will have to add entries to /etc/pam.conf
+#
+# To make login kerberos-aware, you might change pam.conf to look
+# like:
+
+# login authorization
+login   auth       sufficient   /lib/security/pam_krb4.so
+login   auth       required     /lib/security/pam_securetty.so
+login   auth       required     /lib/security/pam_unix_auth.so
+login   account    required     /lib/security/pam_unix_acct.so
+login   password   required     /lib/security/pam_unix_passwd.so
+login   session    required     /lib/security/pam_krb4.so
+login   session    required     /lib/security/pam_unix_session.so
diff --git a/crypto/kerberosIV/lib/auth/sia/Makefile.am b/crypto/kerberosIV/lib/auth/sia/Makefile.am
new file mode 100644
index 0000000..5a58cb7
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/Makefile.am
@@ -0,0 +1,48 @@
+# $Id: Makefile.am,v 1.4 1999/04/08 12:36:40 joda Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+WFLAGS += $(WFLAGS_NOIMPLICITINT)
+
+DEFS = @DEFS@
+
+## this is horribly ugly, but automake/libtool doesn't allow us to
+## unconditionally build shared libraries, and it does not allow us to
+## link with non-installed libraries
+
+if KRB4
+KAFS=$(top_builddir)/lib/kafs/.libs/libkafs.a
+endif
+
+L = \
+	$(KAFS)						\
+	$(top_builddir)/lib/krb5/.libs/libkrb5.a	\
+	$(top_builddir)/lib/asn1/.libs/libasn1.a	\
+	$(LIB_krb4)					\
+	$(top_builddir)/lib/des/.libs/libdes.a		\
+	$(top_builddir)/lib/com_err/.libs/libcom_err.a	\
+	$(top_builddir)/lib/roken/.libs/libroken.a	\
+	$(LIB_getpwnam_r)				\
+	-lc
+
+EXTRA_DIST = sia.c krb5_matrix.conf krb5+c2_matrix.conf security.patch
+
+foodir = $(libdir)
+foo_DATA = libsia_krb5.so
+
+LDFLAGS = -rpath $(libdir) -hidden -exported_symbol siad_\* 
+
+OBJS = sia.o posix_getpw.o
+
+libsia_krb5.so: $(OBJS)
+	ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L)
+	ostrip -x -z $@
+
+CLEANFILES = libsia_krb5.so $(OBJS) so_locations
+
+SUFFIXES += .c .o
+
+.c.o:
+	$(COMPILE) -c $<
diff --git a/crypto/kerberosIV/lib/auth/sia/Makefile.in b/crypto/kerberosIV/lib/auth/sia/Makefile.in
new file mode 100644
index 0000000..a17c341
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/Makefile.in
@@ -0,0 +1,90 @@
+#
+# $Id: Makefile.in,v 1.30.2.1 2000/06/23 03:20:06 assar Exp $
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+
+PICFLAGS = @REAL_PICFLAGS@
+SHARED = @SHARED@
+LDSHARED = @LDSHARED@
+SHLIBEXT = @REAL_SHLIBEXT@
+LD_FLAGS = @REAL_LD_FLAGS@
+ 
+@lib_deps_yes@LIB_DEPS = -L../../kafs -lkafs		\
+@lib_deps_yes@	   -L../../kadm -lkadm			\
+@lib_deps_yes@	   -L../../krb -lkrb			\
+@lib_deps_yes@	   -L../../des -ldes			\
+@lib_deps_yes@	   -L../../com_err -lcom_err		\
+@lib_deps_yes@	   -L../../roken -lroken		\
+@lib_deps_yes@	   @LIB_getpwnam_r@			\
+@lib_deps_yes@	   -lc
+@lib_deps_no@LIB_DEPS =
+
+LIBNAME = libsia_krb4
+LIB = $(LIBNAME).$(SHLIBEXT)
+
+SOURCES = sia.c posix_getpw.c
+
+OBJECTS = sia.o posix_getpw.o
+
+all: $(LIB)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libdir)
+	-if test "$(LIB)" != ""; then \
+	  $(INSTALL_DATA) $(LIB) $(DESTDIR)$(libdir)/$(LIB) ; \
+	fi
+
+uninstall:
+	-if test "$(LIB)" != ""; then \
+	  rm -f $(DESTDIR)$(libdir)/$(LIB) ; \
+	fi
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f $(LIB) *.o
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+$(OBJECTS): ../../../include/config.h
+
+$(LIB): $(OBJECTS)
+	rm -f $@
+	$(LDSHARED) -shared -o $@ -rpath $(libdir) -hidden -exported_symbol siad_\* $(OBJECTS) $(LIB_DEPS)
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/lib/auth/sia/README b/crypto/kerberosIV/lib/auth/sia/README
new file mode 100644
index 0000000..6595734
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/README
@@ -0,0 +1,87 @@
+
+Digital SIA
+-----------
+
+To install the SIA module you will have to do the following:
+
+   * Make sure `libsia_krb4.so' is available in `/usr/athena/lib'. If
+     `/usr/athena' is not on local disk, you might want to put it in
+     `/usr/shlib' or someplace else. If you do, you'll have to edit
+     `krb4_matrix.conf' to reflect the new location (you will also have
+     to do this if you installed in some other directory than
+     `/usr/athena'). If you built with shared libraries, you will have
+     to copy the shared `libkrb.so', `libdes.so', `libkadm.so', and
+     `libkafs.so' to a place where the loader can find them (such as
+     `/usr/shlib').
+
+   * Copy (your possibly edited) `krb4_matrix.conf' to `/etc/sia'.
+
+   * Apply `security.patch' to `/sbin/init.d/security'.
+
+   * Turn on KRB4 security by issuing `rcmgr set SECURITY KRB4' and
+     `rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf'.
+
+   * Digital thinks you should reboot your machine, but that really
+     shouldn't be necessary.  It's usually sufficient just to run
+     `/sbin/init.d/security start' (and restart any applications that
+     use SIA, like `xdm'.)
+
+Users with local passwords (like `root') should be able to login safely.
+
+When using Digital's xdm the `KRBTKFILE' environment variable isn't
+passed along as it should (since xdm zaps the environment). Instead you
+have to set `KRBTKFILE' to the correct value in
+`/usr/lib/X11/xdm/Xsession'. Add a line similar to
+     KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE
+If you use CDE, `dtlogin' allows you to specify which additional
+environment variables it should export. To add `KRBTKFILE' to this
+list, edit `/usr/dt/config/Xconfig', and look for the definition of
+`exportList'. You want to add something like:
+     Dtlogin.exportList:     KRBTKFILE
+
+Notes to users with Enhanced security
+.....................................
+
+Digital's `ENHANCED' (C2) security, and Kerberos solves two different
+problems. C2 deals with local security, adds better control of who can
+do what, auditing, and similar things. Kerberos deals with network
+security.
+
+To make C2 security work with Kerberos you will have to do the
+following.
+
+   * Replace all occurencies of `krb4_matrix.conf' with
+     `krb4+c2_matrix.conf' in the directions above.
+
+   * You must enable "vouching" in the `default' database.  This will
+     make the OSFC2 module trust other SIA modules, so you can login
+     without giving your C2 password. To do this use `edauth' to edit
+     the default entry `/usr/tcb/bin/edauth -dd default', and add a
+     `d_accept_alternate_vouching' capability, if not already present.
+
+   * For each user that does _not_ have a local C2 password, you should
+     set the password expiration field to zero. You can do this for each
+     user, or in the `default' table. To do this use `edauth' to set
+     (or change) the `u_exp' capability to `u_exp#0'.
+
+   * You also need to be aware that the shipped `login', `rcp', and
+     `rshd', doesn't do any particular C2 magic (such as checking to
+     various forms of disabled accounts), so if you rely on those
+     features, you shouldn't use those programs. If you configure with
+     `--enable-osfc2', these programs will, however, set the login UID.
+     Still: use at your own risk.
+
+At present `su' does not accept the vouching flag, so it will not work
+as expected.
+
+Also, kerberised ftp will not work with C2 passwords. You can solve this
+by using both Digital's ftpd and our on different ports.
+
+*Remember*, if you do these changes you will get a system that most
+certainly does _not_ fulfill the requirements of a C2 system. If C2 is
+what you want, for instance if someone else is forcing you to use it,
+you're out of luck.  If you use enhanced security because you want a
+system that is more secure than it would otherwise be, you probably got
+an even more secure system. Passwords will not be sent in the clear,
+for instance.
+
diff --git a/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf
new file mode 100644
index 0000000..4b90e02
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf
@@ -0,0 +1,58 @@
+# Copyright (c) 1998 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+
+# $Id: krb4+c2_matrix.conf,v 1.4 1999/12/02 16:58:37 joda Exp $
+
+# sia matrix configuration file (Kerberos 4 + C2)
+
+siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chk_invoker=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_estab=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_finger=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_shell=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
diff --git a/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf
new file mode 100644
index 0000000..4f55a81
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf
@@ -0,0 +1,59 @@
+# Copyright (c) 1998 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+
+# $Id: krb4_matrix.conf,v 1.6 1999/12/02 16:58:37 joda Exp $
+
+# sia matrix configuration file (Kerberos 4 + BSD)
+
+siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) 
+siad_chk_invoker=(BSD,libc.so)
+siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)
+siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_estab=(BSD,libc.so)
+siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chg_finger=(BSD,libc.so)
+siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chg_shell=(BSD,libc.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
+
diff --git a/crypto/kerberosIV/lib/auth/sia/krb5+c2_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb5+c2_matrix.conf
new file mode 100644
index 0000000..c2952e2
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/krb5+c2_matrix.conf
@@ -0,0 +1,27 @@
+# $Id: krb5+c2_matrix.conf,v 1.2 1998/11/26 20:58:18 assar Exp $
+
+# sia matrix configuration file (Kerberos 5 + C2)
+
+siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_chk_invoker=(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_estab=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_ses_reauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_finger=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_password=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chg_shell=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
+siad_chk_user=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
diff --git a/crypto/kerberosIV/lib/auth/sia/krb5_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb5_matrix.conf
new file mode 100644
index 0000000..e49366a
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/krb5_matrix.conf
@@ -0,0 +1,27 @@
+# $Id: krb5_matrix.conf,v 1.1 1997/05/15 18:34:18 joda Exp $
+
+# sia matrix configuration file (Kerberos 5 + BSD)
+
+siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) 
+siad_chk_invoker=(BSD,libc.so)
+siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so)
+siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_ses_estab=(BSD,libc.so)
+siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_ses_reauthent=(BSD,libc.so)
+siad_chg_finger=(BSD,libc.so)
+siad_chg_password=(BSD,libc.so)
+siad_chg_shell=(BSD,libc.so)
+siad_getpwent=(BSD,libc.so)
+siad_getpwuid=(BSD,libc.so)
+siad_getpwnam=(BSD,libc.so)
+siad_setpwent=(BSD,libc.so)
+siad_endpwent=(BSD,libc.so)
+siad_getgrent=(BSD,libc.so)
+siad_getgrgid=(BSD,libc.so)
+siad_getgrnam=(BSD,libc.so)
+siad_setgrent=(BSD,libc.so)
+siad_endgrent=(BSD,libc.so)
+siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
+siad_chk_user=(BSD,libc.so)
diff --git a/crypto/kerberosIV/lib/auth/sia/posix_getpw.c b/crypto/kerberosIV/lib/auth/sia/posix_getpw.c
new file mode 100644
index 0000000..c5961dc
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/posix_getpw.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#include "sia_locl.h"
+
+RCSID("$Id: posix_getpw.c,v 1.1 1999/03/21 17:07:02 joda Exp $");
+
+#ifndef POSIX_GETPWNAM_R
+/* 
+ * These functions translate from the old Digital UNIX 3.x interface
+ * to POSIX.1c.
+ */
+
+int
+posix_getpwnam_r(const char *name, struct passwd *pwd, 
+		 char *buffer, int len, struct passwd **result)
+{
+    int ret = getpwnam_r(name, pwd, buffer, len);
+    if(ret == 0)
+	*result = pwd;
+    else{
+	*result = NULL;
+	ret = _Geterrno();
+	if(ret == 0){
+	    ret = ERANGE;
+	    _Seterrno(ret);
+	}
+    }
+    return ret;
+}
+
+int
+posix_getpwuid_r(uid_t uid, struct passwd *pwd, 
+		 char *buffer, int len, struct passwd **result)
+{
+    int ret = getpwuid_r(uid, pwd, buffer, len);
+    if(ret == 0)
+	*result = pwd;
+    else{
+	*result = NULL;
+	ret = _Geterrno();
+	if(ret == 0){
+	    ret = ERANGE;
+	    _Seterrno(ret);
+	}
+    }
+    return ret;
+}
+#endif /* POSIX_GETPWNAM_R */
diff --git a/crypto/kerberosIV/lib/auth/sia/security.patch b/crypto/kerberosIV/lib/auth/sia/security.patch
new file mode 100644
index 0000000..c407876
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/security.patch
@@ -0,0 +1,11 @@
+--- /sbin/init.d/security~      Tue Aug 20 22:44:09 1996
++++ /sbin/init.d/security       Fri Nov  1 14:52:56 1996
+@@ -49,7 +49,7 @@
+                    SECURITY=BASE
+                fi
+                ;;
+-       BASE)
++       BASE|KRB4)
+                ;;
+        *)
+                echo "security configuration set to default (BASE)."
diff --git a/crypto/kerberosIV/lib/auth/sia/sia.c b/crypto/kerberosIV/lib/auth/sia/sia.c
new file mode 100644
index 0000000..979bb58
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/sia.c
@@ -0,0 +1,672 @@
+/*
+ * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "sia_locl.h"
+
+RCSID("$Id: sia.c,v 1.32.2.1 1999/12/20 09:49:30 joda Exp $");
+
+int 
+siad_init(void)
+{
+    return SIADSUCCESS;
+}
+
+int 
+siad_chk_invoker(void)
+{
+    SIA_DEBUG(("DEBUG", "siad_chk_invoker"));
+    return SIADFAIL;
+}
+
+int 
+siad_ses_init(SIAENTITY *entity, int pkgind)
+{
+    struct state *s = malloc(sizeof(*s));
+    SIA_DEBUG(("DEBUG", "siad_ses_init"));
+    if(s == NULL)
+	return SIADFAIL;
+    memset(s, 0, sizeof(*s));
+#ifdef SIA_KRB5
+    krb5_init_context(&s->context);
+#endif
+    entity->mech[pkgind] = (int*)s;
+    return SIADSUCCESS;
+}
+
+static int
+setup_name(SIAENTITY *e, prompt_t *p)
+{
+    SIA_DEBUG(("DEBUG", "setup_name"));
+    e->name = malloc(SIANAMEMIN + 1);
+    if(e->name == NULL){
+	SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIANAMEMIN+1));
+	return SIADFAIL;
+    }
+    p->prompt = (unsigned char*)"login: ";
+    p->result = (unsigned char*)e->name;
+    p->min_result_length = 1;
+    p->max_result_length = SIANAMEMIN;
+    p->control_flags = 0;
+    return SIADSUCCESS;
+}
+
+static int
+setup_password(SIAENTITY *e, prompt_t *p)
+{
+    SIA_DEBUG(("DEBUG", "setup_password"));
+    e->password = malloc(SIAMXPASSWORD + 1);
+    if(e->password == NULL){
+	SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIAMXPASSWORD+1));
+	return SIADFAIL;
+    }
+    p->prompt = (unsigned char*)"Password: ";
+    p->result = (unsigned char*)e->password;
+    p->min_result_length = 0;
+    p->max_result_length = SIAMXPASSWORD;
+    p->control_flags = SIARESINVIS;
+    return SIADSUCCESS;
+}
+
+
+static int
+doauth(SIAENTITY *entity, int pkgind, char *name)
+{
+    struct passwd pw, *pwd;
+    char pwbuf[1024];
+    struct state *s = (struct state*)entity->mech[pkgind];
+#ifdef SIA_KRB5
+    krb5_realm *realms, *r;
+    krb5_principal principal;
+    krb5_ccache ccache;
+    krb5_error_code ret;
+#endif
+#ifdef SIA_KRB4
+    char realm[REALM_SZ];
+    char *toname, *toinst;
+    int ret;
+    struct passwd fpw, *fpwd;
+    char fpwbuf[1024];
+    int secure;
+#endif
+	
+    if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0){
+	SIA_DEBUG(("DEBUG", "failed to getpwnam(%s)", name));
+	return SIADFAIL;
+    }
+
+#ifdef SIA_KRB5
+    ret = krb5_get_default_realms(s->context, &realms);
+
+    for (r = realms; *r != NULL; ++r) {
+	krb5_make_principal (s->context, &principal, *r, entity->name, NULL);
+
+	if(krb5_kuserok(s->context, principal, entity->name))
+	    break;
+    }
+    krb5_free_host_realm (s->context, realms);
+    if (*r == NULL)
+	return SIADFAIL;
+
+    sprintf(s->ticket, "FILE:/tmp/krb5_cc%d_%d", pwd->pw_uid, getpid());
+    ret = krb5_cc_resolve(s->context, s->ticket, &ccache);
+    if(ret)
+	return SIADFAIL;
+#endif
+	
+#ifdef SIA_KRB4
+    snprintf(s->ticket, sizeof(s->ticket),
+	     "%s%u_%u", TKT_ROOT, (unsigned)pwd->pw_uid, (unsigned)getpid());
+    krb_get_lrealm(realm, 1);
+    toname = name;
+    toinst = "";
+    if(entity->authtype == SIA_A_SUAUTH){
+	uid_t ouid;
+#ifdef HAVE_SIAENTITY_OUID
+	ouid = entity->ouid;
+#else
+	ouid = getuid();
+#endif
+	if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0){
+	    SIA_DEBUG(("DEBUG", "failed to getpwuid(%u)", ouid));
+	    return SIADFAIL;
+	}
+	snprintf(s->ticket, sizeof(s->ticket), "%s_%s_to_%s_%d", 
+		 TKT_ROOT, fpwd->pw_name, pwd->pw_name, getpid());
+	if(strcmp(pwd->pw_name, "root") == 0){
+	    toname = fpwd->pw_name;
+	    toinst = pwd->pw_name;
+	}
+    }
+    if(entity->authtype == SIA_A_REAUTH) 
+	snprintf(s->ticket, sizeof(s->ticket), "%s", tkt_string());
+    
+    krb_set_tkt_string(s->ticket);
+	
+    setuid(0); /* XXX fix for fix in tf_util.c */
+    if(krb_kuserok(toname, toinst, realm, name)){
+	SIA_DEBUG(("DEBUG", "%s.%s@%s is not allowed to login as %s", 
+		   toname, toinst, realm, name));
+	return SIADFAIL;
+    }
+#endif
+#ifdef SIA_KRB5
+    ret = krb5_verify_user_lrealm(s->context, principal, ccache,
+				  entity->password, 1, NULL);
+    if(ret){
+	/* if this is most likely a local user (such as
+	   root), just silently return failure when the
+	   principal doesn't exist */
+	if(ret != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN && 
+	   ret != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
+	    SIALOG("WARNING", "krb5_verify_user(%s): %s", 
+		   entity->name, error_message(ret));
+	return SIADFAIL;
+    }
+#endif
+#ifdef SIA_KRB4
+    if (getuid () == 0)
+	secure = KRB_VERIFY_SECURE;
+    else
+	secure = KRB_VERIFY_NOT_SECURE;
+	
+    ret = krb_verify_user(toname, toinst, realm,
+			  entity->password, secure, NULL);
+    if(ret){
+	SIA_DEBUG(("DEBUG", "krb_verify_user: %s", krb_get_err_text(ret)));
+	if(ret != KDC_PR_UNKNOWN)
+	    /* since this is most likely a local user (such as
+	       root), just silently return failure when the
+	       principal doesn't exist */
+	    SIALOG("WARNING", "krb_verify_user(%s.%s): %s", 
+		   toname, toinst, krb_get_err_text(ret));
+	return SIADFAIL;
+    }
+#endif
+    if(sia_make_entity_pwd(pwd, entity) == SIAFAIL)
+	return SIADFAIL;
+    s->valid = 1;
+    return SIADSUCCESS;
+}
+
+
+static int 
+common_auth(sia_collect_func_t *collect, 
+	    SIAENTITY *entity, 
+	    int siastat,
+	    int pkgind)
+{
+    prompt_t prompts[2], *pr;
+    char *name;
+
+    SIA_DEBUG(("DEBUG", "common_auth"));
+    if((siastat == SIADSUCCESS) && (geteuid() == 0))
+	return SIADSUCCESS;
+    if(entity == NULL) {
+	SIA_DEBUG(("DEBUG", "entity == NULL"));
+	return SIADFAIL | SIADSTOP;
+    }
+    name = entity->name;
+    if(entity->acctname)
+	name = entity->acctname;
+    
+    if((collect != NULL) && entity->colinput) {
+	int num;
+	pr = prompts;
+	if(name == NULL){
+	    if(setup_name(entity, pr) != SIADSUCCESS)
+		return SIADFAIL;
+	    pr++;
+	}
+	if(entity->password == NULL){
+	    if(setup_password(entity, pr) != SIADSUCCESS)
+		return SIADFAIL;
+	    pr++;
+	}
+	num = pr - prompts;
+	if(num == 1){
+	    if((*collect)(240, SIAONELINER, (unsigned char*)"", num, 
+			  prompts) != SIACOLSUCCESS){
+		SIA_DEBUG(("DEBUG", "collect failed"));
+		return SIADFAIL | SIADSTOP;
+	    }
+	} else if(num > 0){
+	    if((*collect)(0, SIAFORM, (unsigned char*)"", num, 
+			  prompts) != SIACOLSUCCESS){
+		SIA_DEBUG(("DEBUG", "collect failed"));
+		return SIADFAIL | SIADSTOP;
+	    }
+	}
+    }
+    if(name == NULL)
+	name = entity->name;
+    if(name == NULL || name[0] == '\0'){
+	SIA_DEBUG(("DEBUG", "name is null"));
+	return SIADFAIL;
+    }
+
+    if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD){
+	SIA_DEBUG(("DEBUG", "entity->password is null"));
+	return SIADFAIL;
+    }
+    
+    return doauth(entity, pkgind, name);
+}
+
+
+int 
+siad_ses_authent(sia_collect_func_t *collect, 
+		 SIAENTITY *entity, 
+		 int siastat,
+		 int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_authent"));
+    return common_auth(collect, entity, siastat, pkgind);
+}
+
+int 
+siad_ses_estab(sia_collect_func_t *collect, 
+	       SIAENTITY *entity, int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_estab"));
+    return SIADFAIL;
+}
+
+int 
+siad_ses_launch(sia_collect_func_t *collect,
+		SIAENTITY *entity,
+		int pkgind)
+{
+    static char env[MaxPathLen];
+    struct state *s = (struct state*)entity->mech[pkgind];
+    SIA_DEBUG(("DEBUG", "siad_ses_launch"));
+    if(s->valid){
+#ifdef SIA_KRB5
+	chown(s->ticket + sizeof("FILE:") - 1, 
+	      entity->pwd->pw_uid, 
+	      entity->pwd->pw_gid);
+	snprintf(env, sizeof(env), "KRB5CCNAME=%s", s->ticket);
+#endif
+#ifdef SIA_KRB4
+	chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
+	snprintf(env, sizeof(env), "KRBTKFILE=%s", s->ticket);
+#endif
+	putenv(env);
+    }
+#ifdef KRB4
+    if (k_hasafs()) {
+	char cell[64];
+	k_setpag();
+	if(k_afs_cell_of_file(entity->pwd->pw_dir, cell, sizeof(cell)) == 0)
+	    krb_afslog(cell, 0);
+	krb_afslog_home(0, 0, entity->pwd->pw_dir);
+    }
+#endif
+    return SIADSUCCESS;
+}
+
+int 
+siad_ses_release(SIAENTITY *entity, int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_release"));
+    if(entity->mech[pkgind]){
+#ifdef SIA_KRB5
+	struct state *s = (struct state*)entity->mech[pkgind];
+	krb5_free_context(s->context);
+#endif
+	free(entity->mech[pkgind]);
+    }
+    return SIADSUCCESS;
+}
+
+int 
+siad_ses_suauthent(sia_collect_func_t *collect,
+		   SIAENTITY *entity,
+		   int siastat,
+		   int pkgind)
+{
+    SIA_DEBUG(("DEBUG", "siad_ses_suauth"));
+    if(geteuid() != 0)
+	return SIADFAIL;
+    if(entity->name == NULL)
+	return SIADFAIL;
+    if(entity->name[0] == '\0') {
+	free(entity->name);
+	entity->name = strdup("root");
+	if (entity->name == NULL)
+	    return SIADFAIL;
+    }
+    return common_auth(collect, entity, siastat, pkgind);
+}
+
+int
+siad_ses_reauthent (sia_collect_func_t *collect,
+		    SIAENTITY *entity,
+		    int siastat,
+		    int pkgind)
+{
+    int ret;
+    SIA_DEBUG(("DEBUG", "siad_ses_reauthent"));
+    if(entity == NULL || entity->name == NULL)
+	return SIADFAIL;
+    ret = common_auth(collect, entity, siastat, pkgind);
+    if((ret & SIADSUCCESS)){
+	/* launch isn't (always?) called when doing reauth, so we must
+           duplicate some code here... */
+	struct state *s = (struct state*)entity->mech[pkgind];
+	chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
+#ifdef KRB4
+	if(k_hasafs()) {
+	    char cell[64];
+	    if(k_afs_cell_of_file(entity->pwd->pw_dir, 
+				  cell, sizeof(cell)) == 0)
+		krb_afslog(cell, 0);
+	    krb_afslog_home(0, 0, entity->pwd->pw_dir);
+	}
+#endif
+    }
+    return ret;
+}
+
+int
+siad_chg_finger (sia_collect_func_t *collect,
+		     const char *username, 
+		     int argc, 
+		     char *argv[])
+{
+    SIA_DEBUG(("DEBUG", "siad_chg_finger"));
+    return SIADFAIL;
+}
+
+#ifdef SIA_KRB5
+int
+siad_chg_password (sia_collect_func_t *collect,
+		     const char *username, 
+		     int argc, 
+		     char *argv[])
+{
+    return SIADFAIL;
+}
+#endif
+
+#ifdef SIA_KRB4
+static void
+sia_message(sia_collect_func_t *collect, int rendition, 
+	    const char *title, const char *message)
+{
+    prompt_t prompt;
+    prompt.prompt = (unsigned char*)message;
+    (*collect)(0, rendition, (unsigned char*)title, 1, &prompt);
+}
+
+static int
+init_change(sia_collect_func_t *collect, krb_principal *princ)
+{
+    prompt_t prompt;
+    char old_pw[MAX_KPW_LEN+1];
+    char *msg;
+    char tktstring[128];
+    int ret;
+    
+    SIA_DEBUG(("DEBUG", "init_change"));
+    prompt.prompt = (unsigned char*)"Old password: ";
+    prompt.result = (unsigned char*)old_pw;
+    prompt.min_result_length = 0;
+    prompt.max_result_length = sizeof(old_pw) - 1;
+    prompt.control_flags = SIARESINVIS;
+    asprintf(&msg, "Changing password for %s", krb_unparse_name(princ));
+    if(msg == NULL){
+	SIA_DEBUG(("DEBUG", "out of memory"));
+	return SIADFAIL;
+    }
+    ret = (*collect)(60, SIAONELINER, (unsigned char*)msg, 1, &prompt);
+    free(msg);
+    SIA_DEBUG(("DEBUG", "ret = %d", ret));
+    if(ret != SIACOLSUCCESS)
+	return SIADFAIL;
+    snprintf(tktstring, sizeof(tktstring), 
+	     "%s_cpw_%u", TKT_ROOT, (unsigned)getpid());
+    krb_set_tkt_string(tktstring);
+    
+    ret = krb_get_pw_in_tkt(princ->name, princ->instance, princ->realm, 
+			    PWSERV_NAME, KADM_SINST, 1, old_pw);
+    if (ret != KSUCCESS) {
+	SIA_DEBUG(("DEBUG", "krb_get_pw_in_tkt: %s", krb_get_err_text(ret)));
+	if (ret == INTK_BADPW)
+	    sia_message(collect, SIAWARNING, "", "Incorrect old password.");
+	else
+	    sia_message(collect, SIAWARNING, "", "Kerberos error.");
+	memset(old_pw, 0, sizeof(old_pw));
+	return SIADFAIL;
+    }
+    if(chown(tktstring, getuid(), -1) < 0){
+	dest_tkt();
+	return SIADFAIL;
+    }
+    memset(old_pw, 0, sizeof(old_pw));
+    return SIADSUCCESS;
+}
+
+int
+siad_chg_password (sia_collect_func_t *collect,
+		   const char *username, 
+		   int argc, 
+		   char *argv[])
+{
+    prompt_t prompts[2];
+    krb_principal princ;
+    int ret;
+    char new_pw1[MAX_KPW_LEN+1];
+    char new_pw2[MAX_KPW_LEN+1];
+    static struct et_list *et_list;
+
+    set_progname(argv[0]);
+
+    SIA_DEBUG(("DEBUG", "siad_chg_password"));
+    if(collect == NULL)
+	return SIADFAIL;
+
+    if(username == NULL)
+	username = getlogin();
+
+    ret = krb_parse_name(username, &princ);
+    if(ret)
+	return SIADFAIL;
+    if(princ.realm[0] == '\0')
+	krb_get_lrealm(princ.realm, 1);
+
+    if(et_list == NULL) {
+	initialize_kadm_error_table_r(&et_list);
+	initialize_krb_error_table_r(&et_list);
+    }
+
+    ret = init_change(collect, &princ);
+    if(ret != SIADSUCCESS)
+	return ret;
+
+again:
+    prompts[0].prompt = (unsigned char*)"New password: ";
+    prompts[0].result = (unsigned char*)new_pw1;
+    prompts[0].min_result_length = MIN_KPW_LEN;
+    prompts[0].max_result_length = sizeof(new_pw1) - 1;
+    prompts[0].control_flags = SIARESINVIS;
+    prompts[1].prompt = (unsigned char*)"Verify new password: ";
+    prompts[1].result = (unsigned char*)new_pw2;
+    prompts[1].min_result_length = MIN_KPW_LEN;
+    prompts[1].max_result_length = sizeof(new_pw2) - 1;
+    prompts[1].control_flags = SIARESINVIS;
+    if((*collect)(120, SIAFORM, (unsigned char*)"", 2, prompts) != 
+       SIACOLSUCCESS) {
+	dest_tkt();
+	return SIADFAIL;
+    }
+    if(strcmp(new_pw1, new_pw2) != 0){
+	sia_message(collect, SIAWARNING, "", "Password mismatch.");
+	goto again;
+    }
+    ret = kadm_check_pw(new_pw1);
+    if(ret) {
+	sia_message(collect, SIAWARNING, "", com_right(et_list, ret));
+	goto again;
+    }
+    
+    memset(new_pw2, 0, sizeof(new_pw2));
+    ret = kadm_init_link (PWSERV_NAME, KRB_MASTER, princ.realm);
+    if (ret != KADM_SUCCESS)
+	sia_message(collect, SIAWARNING, "Error initing kadmin connection", 
+		    com_right(et_list, ret));
+    else {
+	des_cblock newkey;
+	char *pw_msg; /* message from server */
+
+	des_string_to_key(new_pw1, &newkey);
+	ret = kadm_change_pw_plain((unsigned char*)&newkey, new_pw1, &pw_msg);
+	memset(newkey, 0, sizeof(newkey));
+      
+	if (ret == KADM_INSECURE_PW)
+	    sia_message(collect, SIAWARNING, "Insecure password", pw_msg);
+	else if (ret != KADM_SUCCESS)
+	    sia_message(collect, SIAWARNING, "Error changing password", 
+			com_right(et_list, ret));
+    }
+    memset(new_pw1, 0, sizeof(new_pw1));
+
+    if (ret != KADM_SUCCESS)
+	sia_message(collect, SIAWARNING, "", "Password NOT changed.");
+    else
+	sia_message(collect, SIAINFO, "", "Password changed.");
+    
+    dest_tkt();
+    if(ret)
+	return SIADFAIL;
+    return SIADSUCCESS;
+}
+#endif
+
+int
+siad_chg_shell (sia_collect_func_t *collect,
+		     const char *username, 
+		     int argc, 
+		     char *argv[])
+{
+    return SIADFAIL;
+}
+
+int
+siad_getpwent(struct passwd *result, 
+	      char *buf, 
+	      int bufsize, 
+	      struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getpwuid (uid_t uid, 
+	       struct passwd *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getpwnam (const char *name, 
+	       struct passwd *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_setpwent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_endpwent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getgrent(struct group *result, 
+	      char *buf, 
+	      int bufsize, 
+	      struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getgrgid (gid_t gid, 
+	       struct group *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_getgrnam (const char *name, 
+	       struct group *result, 
+	       char *buf, 
+	       int bufsize, 
+	       struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_setgrent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_endgrent (struct sia_context *context)
+{
+    return SIADFAIL;
+}
+
+int
+siad_chk_user (const char *logname, int checkflag)
+{
+    if(checkflag != CHGPASSWD)
+	return SIADFAIL;
+    return SIADSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/auth/sia/sia_locl.h b/crypto/kerberosIV/lib/auth/sia/sia_locl.h
new file mode 100644
index 0000000..0f3f74d
--- /dev/null
+++ b/crypto/kerberosIV/lib/auth/sia/sia_locl.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+/* $Id: sia_locl.h,v 1.2 1999/04/01 16:09:22 joda Exp $ */
+
+#ifndef __sia_locl_h__
+#define __sia_locl_h__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+#include <siad.h>
+#include <pwd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+#ifdef KRB5
+#define SIA_KRB5
+#elif defined(KRB4)
+#define SIA_KRB4
+#endif
+
+#ifdef SIA_KRB5
+#include <krb5.h>
+#include <com_err.h>
+#endif
+#ifdef SIA_KRB4
+#include <krb.h>
+#include <krb_err.h>
+#include <kadm.h>
+#include <kadm_err.h>
+#endif
+#ifdef KRB4
+#include <kafs.h>
+#endif
+
+#include <roken.h>
+
+#ifndef POSIX_GETPWNAM_R
+
+#define getpwnam_r posix_getpwnam_r
+#define getpwuid_r posix_getpwuid_r
+
+#endif /* POSIX_GETPWNAM_R */
+
+#ifndef DEBUG
+#define SIA_DEBUG(X)
+#else
+#define SIA_DEBUG(X) SIALOG X
+#endif
+
+struct state{
+#ifdef SIA_KRB5
+    krb5_context context;
+    krb5_auth_context auth_context;
+#endif
+    char ticket[MaxPathLen];
+    int valid;
+};
+
+#endif /* __sia_locl_h__ */
diff --git a/crypto/kerberosIV/lib/com_err/ChangeLog b/crypto/kerberosIV/lib/com_err/ChangeLog
new file mode 100644
index 0000000..ea7a5f6
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/ChangeLog
@@ -0,0 +1,106 @@
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* parse.y (statement): use asprintf
+
+1999-06-13  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: make it solaris make vpath-safe
+
+Thu Apr  1 11:13:53 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* compile_et.c: use getargs
+
+Sat Mar 20 00:16:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* compile_et.c: static-ize
+
+Thu Mar 18 11:22:13 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Tue Mar 16 22:30:05 1999  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: use YYACCEPT instead of return
+
+Sat Mar 13 22:22:56 1999  Assar Westerlund  <assar@sics.se>
+
+	* compile_et.c (generate_h): cast when calling is* to get rid of a
+ 	warning
+
+Thu Mar 11 15:00:51 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* parse.y: prototype for error_message
+
+Sun Nov 22 10:39:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* compile_et.h: include ctype and roken
+
+	* compile_et.c: include err.h
+	(generate_h): remove unused variable
+
+	* Makefile.in (WFLAGS): set
+
+Fri Nov 20 06:58:59 1998  Assar Westerlund  <assar@sics.se>
+
+	* lex.l: undef ECHO to work around AIX lex bug
+
+Sun Sep 27 02:23:59 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* com_err.c (error_message): try to pass code to strerror, to see
+ 	if it might be an errno code (this if broken, but some MIT code
+ 	seems to expect this behaviour)
+
+Sat Sep 26 17:42:39 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* compile_et.c: <foo_err.h> -> "foo_err.h"
+
+Tue Jun 30 17:17:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add str{cpy,cat}_truncate
+
+Mon May 25 05:24:39 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+Sun Apr 19 09:50:17 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sun Apr  5 09:22:11 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: define alloca to malloc in case we're using bison but
+ 	don't have alloca
+
+Tue Mar 24 05:13:01 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: link with snprintf (From Derrick J Brashear
+ 	<shadow@dementia.org>)
+
+Fri Feb 27 05:01:42 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: initialize ec->next
+
+Thu Feb 26 02:22:25 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: @LEXLIB@
+
+Sat Feb 21 15:18:54 1998  assar westerlund  <assar@sics.se>
+
+	* Makefile.in: set YACC and LEX
+
+Tue Feb 17 22:20:27 1998  Bjoern Groenvall  <bg@sics.se>
+
+	* com_right.h: Change typedefs so that one may mix MIT compile_et
+ 	generated code with krb4 dito.
+
+Tue Feb 17 16:30:55 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* compile_et.c (generate): Always return a value.
+
+	* parse.y: Files don't have to end with `end'.
+
+Mon Feb 16 16:09:20 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* lex.l (getstring): Replace getc() with input().
+
+	* Makefile.am: Fixes for new compile_et.
diff --git a/crypto/kerberosIV/lib/com_err/Makefile.am b/crypto/kerberosIV/lib/com_err/Makefile.am
new file mode 100644
index 0000000..2c7525b
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/Makefile.am
@@ -0,0 +1,24 @@
+# $Id: Makefile.am,v 1.23 1999/04/09 18:26:55 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+YFLAGS = -d
+
+lib_LTLIBRARIES = libcom_err.la
+libcom_err_la_LDFLAGS = -version-info 1:0:0
+
+bin_PROGRAMS = compile_et
+
+include_HEADERS = com_err.h com_right.h
+
+compile_et_SOURCES = compile_et.c compile_et.h parse.y lex.l
+
+libcom_err_la_SOURCES = error.c com_err.c roken_rename.h
+
+CLEANFILES = lex.c parse.c parse.h
+
+$(compile_et_OBJECTS): parse.h
+
+compile_et_LDADD = \
+	$(LIB_roken) \
+	$(LEXLIB)
diff --git a/crypto/kerberosIV/lib/com_err/Makefile.in b/crypto/kerberosIV/lib/com_err/Makefile.in
new file mode 100644
index 0000000..883b522
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/Makefile.in
@@ -0,0 +1,151 @@
+#
+# $Id: Makefile.in,v 1.30.2.1 2000/10/10 14:34:33 assar Exp $
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+LN_S = @LN_S@
+DEFS = @DEFS@ -DROKEN_RENAME
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+EXECSUFFIX=@EXECSUFFIX@
+
+YACC = @YACC@
+LEX = @LEX@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+bindir = @bindir@
+includedir = @includedir@
+
+PICFLAGS = @PICFLAGS@
+ 
+LIB_DEPS = @lib_deps_yes@ -lc
+build_symlink_command   = @build_symlink_command@
+#install_symlink_command = @install_symlink_command@
+install_symlink_command = @true
+
+LIBNAME = $(LIBPREFIX)com_err
+#LIBEXT = @LIBEXT@ Always build archive library!
+LIBEXT = a
+SHLIBEXT = @SHLIBEXT@
+LIBPREFIX = @LIBPREFIX@
+LDSHARED = @LDSHARED@
+LIB = $(LIBNAME).$(LIBEXT)
+lib_LIBRARIES = $(LIBNAME).$(LIBEXT)
+bin_PROGRAMS = compile_et$(EXECSUFFIX)
+include_HEADERS = com_right.h com_err.h
+
+SOURCES = error.c com_err.c compile_et.c
+OBJECTS = error.o com_err.o $(LIBADD)
+EXTRA_SOURCES =
+LIBADD =
+
+all: $(lib_LIBRARIES) $(bin_PROGRAMS) $(include_HEADERS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../include -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(includedir)
+	@for i in $(include_HEADERS); do \
+	f=`basename $$i`; \
+	if test -f "$(srcdir)/$$f" ; then x="$(srcdir)/$$f"; \
+	else x="$$f"; fi ;\
+	echo "$(INSTALL_DATA) $$x $(DESTDIR)$(includedir)/$$f" ;\
+	$(INSTALL_DATA) $$x $(DESTDIR)$(includedir)/$$f ; done
+
+	$(MKINSTALLDIRS) $(DESTDIR)$(libdir)
+	@for i in $(lib_LIBRARIES); do \
+	echo "$(INSTALL) -m 0555 $$i $(DESTDIR)$(libdir)/$$i" ;\
+	$(INSTALL) -m 0555 $$i $(DESTDIR)$(libdir)/$$i ; done
+	@install_symlink_command@
+
+	$(MKINSTALLDIRS) $(DESTDIR)$(bindir)
+	@for i in $(bin_PROGRAMS); do \
+	echo "$(INSTALL) -m 0555 $$i $(DESTDIR)$(bindir)/$$i" ;\
+	$(INSTALL) -m 0555 $$i $(DESTDIR)$(bindir)/$$i ; done
+
+uninstall:
+	@for i in $(include_HEADERS); do \
+	f=`basename $$i`; \
+	echo "rm -f $(DESTDIR)$(includedir)/$$f" ;\
+	rm -f $(DESTDIR)$(includedir)/$$f ; done
+
+	@for i in $(lib_LIBRARIES); do \
+	echo "rm -f $(DESTDIR)$(libdir)/$$i" ;\
+	rm -f $(DESTDIR)$(libdir)/$$i ; done
+
+	@for i in $(bin_PROGRAMS); do \
+	echo "rm -f $(DESTDIR)$(bindir)/$$i" ;\
+	rm -f $(DESTDIR)$(bindir)/$$i ; done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+clean:
+	rm -f $(LIB) *.o *.a *.so *.so.* so_locations \
+	krb_err.c krb_err.h parse.h parse.c lex.c \
+	$(lib_LIBRARIES) $(bin_PROGRAMS) $(EXTRA_SOURCES)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+$(LIBNAME).a: $(OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS)
+	-$(RANLIB) $@
+
+$(LIBNAME).$(SHLIBEXT): $(OBJECTS)
+	rm -f $@
+	$(LDSHARED) -o $@ $(OBJECTS) $(LIB_DEPS)
+	@build_symlink_command@
+
+COBJ = compile_et.o parse.o lex.o
+
+$(COBJ): parse.h
+
+compile_et$(EXECSUFFIX): $(COBJ)
+	$(LINK) $(CFLAGS) -o $@ $(COBJ) -L../roken -lroken
+
+parse.c: parse.h
+parse.h: $(srcdir)/parse.y
+	$(YACC) -d $(srcdir)/parse.y
+	mv -f y.tab.h parse.h
+	mv -f y.tab.c parse.c
+
+lex.c: $(srcdir)/lex.l
+	$(LEX) $(srcdir)/lex.l
+	mv -f lex.yy.c lex.c
+
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
+
+strlcat.c:
+	$(LN_S) $(srcdir)/../roken/strlcat.c .
+
+strlcpy.c:
+	$(LN_S) $(srcdir)/../roken/strlcpy.c .
+
+.PHONY: all Wall install uninstall clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/lib/com_err/com_err.c b/crypto/kerberosIV/lib/com_err/com_err.c
new file mode 100644
index 0000000..d945d12
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/com_err.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: com_err.c,v 1.14.2.1 2000/06/23 03:22:13 assar Exp $");
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <roken.h>
+#include "com_err.h"
+
+struct et_list *_et_list = NULL;
+
+
+const char *
+error_message (long code)
+{
+    static char msg[128];
+    const char *p = com_right(_et_list, code);
+    if (p == NULL)
+	p = strerror(code);
+    if (p != NULL && *p != '\0') {
+	strncpy(msg, p, sizeof(msg) - 1);
+	msg[sizeof(msg) - 1] = 0;
+    } else 
+	sprintf(msg, "Unknown error %ld", code);
+    return msg;
+}
+
+int
+init_error_table(const char **msgs, long base, int count)
+{
+    initialize_error_table_r(&_et_list, msgs, count, base);
+    return 0;
+}
+
+static void
+default_proc (const char *whoami, long code, const char *fmt, va_list args)
+{
+    if (whoami)
+      fprintf(stderr, "%s: ", whoami);
+    if (code)
+      fprintf(stderr, "%s ", error_message(code));
+    if (fmt)
+      vfprintf(stderr, fmt, args);
+    fprintf(stderr, "\r\n");	/* ??? */
+}
+
+static errf com_err_hook = default_proc;
+
+void 
+com_err_va (const char *whoami, 
+	    long code, 
+	    const char *fmt, 
+	    va_list args)
+{
+    (*com_err_hook) (whoami, code, fmt, args);
+}
+
+void
+com_err (const char *whoami,
+	 long code,
+	 const char *fmt, 
+	 ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    com_err_va (whoami, code, fmt, ap);
+    va_end(ap);
+}
+
+errf
+set_com_err_hook (errf new)
+{
+    errf old = com_err_hook;
+
+    if (new)
+	com_err_hook = new;
+    else
+	com_err_hook = default_proc;
+    
+    return old;
+}
+
+errf
+reset_com_err_hook (void) 
+{
+    return set_com_err_hook(NULL);
+}
+
+#define ERRCODE_RANGE   8       /* # of bits to shift table number */
+#define BITS_PER_CHAR   6       /* # bits to shift per character in name */
+
+static const char char_set[] =
+        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";
+
+static char buf[6];
+
+const char *
+error_table_name(int num)
+{
+    int ch;
+    int i;
+    char *p;
+
+    /* num = aa aaa abb bbb bcc ccc cdd ddd d?? ??? ??? */
+    p = buf;
+    num >>= ERRCODE_RANGE;
+    /* num = ?? ??? ??? aaa aaa bbb bbb ccc ccc ddd ddd */
+    num &= 077777777;
+    /* num = 00 000 000 aaa aaa bbb bbb ccc ccc ddd ddd */
+    for (i = 4; i >= 0; i--) {
+        ch = (num >> BITS_PER_CHAR * i) & ((1 << BITS_PER_CHAR) - 1);
+        if (ch != 0)
+            *p++ = char_set[ch-1];
+    }
+    *p = '\0';
+    return(buf);
+}
diff --git a/crypto/kerberosIV/lib/com_err/com_err.h b/crypto/kerberosIV/lib/com_err/com_err.h
new file mode 100644
index 0000000..06373de
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/com_err.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: com_err.h,v 1.4.2.1 2000/06/23 03:23:05 assar Exp $ */
+
+/* MIT compatible com_err library */
+
+#ifndef __COM_ERR_H__
+#define __COM_ERR_H__
+
+#include <com_right.h>
+
+typedef void (*errf) __P((const char *, long, const char *, va_list));
+
+const char * error_message __P((long));
+int init_error_table __P((const char**, long, int));
+
+void com_err_va __P((const char *, long, const char *, va_list));
+void com_err __P((const char *, long, const char *, ...));
+
+errf set_com_err_hook __P((errf));
+errf reset_com_err_hook __P((void));
+
+const char *error_table_name  __P((int num));
+
+#endif /* __COM_ERR_H__ */
diff --git a/crypto/kerberosIV/lib/com_err/com_right.h b/crypto/kerberosIV/lib/com_err/com_right.h
new file mode 100644
index 0000000..e8c7488
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/com_right.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: com_right.h,v 1.9.2.1 2000/06/23 03:23:44 assar Exp $ */
+
+#ifndef __COM_RIGHT_H__
+#define __COM_RIGHT_H__
+
+#ifdef __STDC__
+#include <stdarg.h>
+#endif
+
+#ifndef __P
+#ifdef __STDC__
+#define __P(X) X
+#else
+#define __P(X) ()
+#endif
+#endif
+
+struct error_table {
+    char const * const * msgs;
+    long base;
+    int n_msgs;
+};
+struct et_list {
+    struct et_list *next;
+    struct error_table *table;
+};
+extern struct et_list *_et_list;
+
+const char *com_right __P((struct et_list *list, long code));
+void initialize_error_table_r __P((struct et_list **, const char **, int, long);)
+void free_error_table __P((struct et_list *));
+
+#endif /* __COM_RIGHT_H__ */
diff --git a/crypto/kerberosIV/lib/com_err/compile_et.c b/crypto/kerberosIV/lib/com_err/compile_et.c
new file mode 100644
index 0000000..f982dcd
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/compile_et.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#undef ROKEN_RENAME
+#include "compile_et.h"
+#include <getarg.h>
+
+RCSID("$Id: compile_et.c,v 1.13 1999/12/02 16:58:38 joda Exp $");
+
+#include <roken.h>
+#include <err.h>
+#include "parse.h"
+
+int numerror;
+extern FILE *yyin;
+
+extern void yyparse(void);
+
+long base;
+int number;
+char *prefix;
+char *id_str;
+
+char name[128];
+char Basename[128];
+
+#ifdef YYDEBUG
+extern int yydebug = 1;
+#endif
+
+char *filename;
+char hfn[128];
+char cfn[128];
+
+struct error_code *codes = NULL;
+
+static int
+generate_c(void)
+{
+    int n;
+    struct error_code *ec;
+
+    FILE *c_file = fopen(cfn, "w");
+    if(c_file == NULL)
+	return 1;
+
+    fprintf(c_file, "/* Generated from %s */\n", filename);
+    if(id_str) 
+	fprintf(c_file, "/* %s */\n", id_str);
+    fprintf(c_file, "\n");
+    fprintf(c_file, "#include <stddef.h>\n");
+    fprintf(c_file, "#include <com_err.h>\n");
+    fprintf(c_file, "#include \"%s\"\n", hfn);
+    fprintf(c_file, "\n");
+
+    fprintf(c_file, "static const char *text[] = {\n");
+
+    for(ec = codes, n = 0; ec; ec = ec->next, n++) {
+	while(n < ec->number) {
+	    fprintf(c_file, "\t/* %03d */ \"Reserved %s error (%d)\",\n",
+		    n, name, n);
+	    n++;
+	    
+	}
+	fprintf(c_file, "\t/* %03d */ \"%s\",\n", ec->number, ec->string);
+    }
+
+    fprintf(c_file, "\tNULL\n");
+    fprintf(c_file, "};\n");
+    fprintf(c_file, "\n");
+    fprintf(c_file, 
+	    "void initialize_%s_error_table_r(struct et_list **list)\n", 
+	    name);
+    fprintf(c_file, "{\n");
+    fprintf(c_file, 
+	    "    initialize_error_table_r(list, text, "
+	    "%s_num_errors, ERROR_TABLE_BASE_%s);\n", name, name);
+    fprintf(c_file, "}\n");
+    fprintf(c_file, "\n");
+    fprintf(c_file, "void initialize_%s_error_table(void)\n", name);
+    fprintf(c_file, "{\n");
+    fprintf(c_file,
+	    "    init_error_table(text, ERROR_TABLE_BASE_%s, "
+	    "%s_num_errors);\n", name, name);
+    fprintf(c_file, "}\n");
+
+    fclose(c_file);
+    return 0;
+}
+
+static int
+generate_h(void)
+{
+    struct error_code *ec;
+    char fn[128];
+    FILE *h_file = fopen(hfn, "w");
+    char *p;
+
+    if(h_file == NULL)
+	return 1;
+
+    snprintf(fn, sizeof(fn), "__%s__", hfn);
+    for(p = fn; *p; p++)
+	if(!isalnum((unsigned char)*p))
+	    *p = '_';
+    
+    fprintf(h_file, "/* Generated from %s */\n", filename);
+    if(id_str) 
+	fprintf(h_file, "/* %s */\n", id_str);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "#ifndef %s\n", fn);
+    fprintf(h_file, "#define %s\n", fn);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "#include <com_right.h>\n");
+    fprintf(h_file, "\n");
+    fprintf(h_file, 
+	    "void initialize_%s_error_table_r(struct et_list **);\n",
+	    name);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "void initialize_%s_error_table(void);\n", name);
+    fprintf(h_file, "#define init_%s_err_tbl initialize_%s_error_table\n", 
+	    name, name);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "typedef enum %s_error_number{\n", name);
+    fprintf(h_file, "\tERROR_TABLE_BASE_%s = %ld,\n", name, base);
+    fprintf(h_file, "\t%s_err_base = %ld,\n", name, base);
+
+    for(ec = codes; ec; ec = ec->next) {
+	fprintf(h_file, "\t%s = %ld,\n", ec->name, base + ec->number);
+    }
+
+    fprintf(h_file, "\t%s_num_errors = %d\n", name, number);
+    fprintf(h_file, "} %s_error_number;\n", name);
+    fprintf(h_file, "\n");
+    fprintf(h_file, "#endif /* %s */\n", fn);
+
+
+    fclose(h_file);
+    return 0;
+}
+
+static int
+generate(void)
+{
+    return generate_c() || generate_h();
+}
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "error-table");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    char *p;
+    int optind = 0;
+
+    set_progname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(optind == argc) 
+	usage(1);
+    filename = argv[optind];
+    yyin = fopen(filename, "r");
+    if(yyin == NULL)
+	err(1, "%s", filename);
+	
+    
+    p = strrchr(filename, '/');
+    if(p)
+	p++;
+    else
+	p = filename;
+    strncpy(Basename, p, sizeof(Basename));
+    Basename[sizeof(Basename) - 1] = '\0';
+    
+    Basename[strcspn(Basename, ".")] = '\0';
+    
+    snprintf(hfn, sizeof(hfn), "%s.h", Basename);
+    snprintf(cfn, sizeof(cfn), "%s.c", Basename);
+    
+    yyparse();
+    if(numerror)
+	return 1;
+
+    return generate();
+}
diff --git a/crypto/kerberosIV/lib/com_err/compile_et.h b/crypto/kerberosIV/lib/com_err/compile_et.h
new file mode 100644
index 0000000..e9c5e7b
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/compile_et.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: compile_et.h,v 1.4 1999/12/02 16:58:38 joda Exp $ */
+
+#ifndef __COMPILE_ET_H__
+#define __COMPILE_ET_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <ctype.h>
+
+#include <roken.h>
+
+extern long base;
+extern int number;
+extern char *prefix;
+extern char name[128];
+extern char *id_str;
+extern char *filename;
+extern int numerror;
+
+struct error_code {
+    unsigned number;
+    char *name;
+    char *string;
+    struct error_code *next, **tail;
+};
+
+extern struct error_code *codes;
+
+#define APPEND(L, V) 				\
+do {						\
+    if((L) == NULL) {				\
+	(L) = (V);				\
+	(L)->tail = &(V)->next;			\
+	(L)->next = NULL;			\
+    }else{					\
+	*(L)->tail = (V);			\
+	(L)->tail = &(V)->next;			\
+    }						\
+}while(0)
+
+#endif /* __COMPILE_ET_H__ */
diff --git a/crypto/kerberosIV/lib/com_err/error.c b/crypto/kerberosIV/lib/com_err/error.c
new file mode 100644
index 0000000..d122007
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/error.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: error.c,v 1.14 1999/12/02 16:58:38 joda Exp $");
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <com_right.h>
+
+const char *
+com_right(struct et_list *list, long code)
+{
+    struct et_list *p;
+    for (p = list; p; p = p->next) {
+	if (code >= p->table->base && code < p->table->base + p->table->n_msgs)
+	    return p->table->msgs[code - p->table->base];
+    }
+    return NULL;
+}
+
+struct foobar {
+    struct et_list etl;
+    struct error_table et;
+};
+
+void
+initialize_error_table_r(struct et_list **list, 
+			 const char **messages, 
+			 int num_errors,
+			 long base)
+{
+    struct et_list *et;
+    struct foobar *f;
+    for (et = *list; et; et = et->next)
+        if (et->table->msgs == messages)
+            return;
+    f = malloc(sizeof(*f));
+    if (f == NULL)
+        return;
+    et = &f->etl;
+    et->table = &f->et;
+    et->table->msgs = messages;
+    et->table->n_msgs = num_errors;
+    et->table->base = base;
+    et->next = *list;
+    *list = et;
+}
+			
+
+void
+free_error_table(struct et_list *et)
+{
+    while(et){
+	struct et_list *p = et;
+	et = et->next;
+	free(p);
+    }
+}
diff --git a/crypto/kerberosIV/lib/com_err/lex.l b/crypto/kerberosIV/lib/com_err/lex.l
new file mode 100644
index 0000000..f5ee60c
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/lex.l
@@ -0,0 +1,122 @@
+%{
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+ * This is to handle the definition of this symbol in some AIX
+ * headers, which will conflict with the definition that lex will
+ * generate for it.  It's only a problem for AIX lex.
+ */
+
+#undef ECHO
+
+#include "compile_et.h"
+#include "parse.h"
+
+RCSID("$Id: lex.l,v 1.5 1999/12/02 16:58:38 joda Exp $");
+
+static unsigned lineno = 1;
+void error_message(char *, ...);
+int getstring(void);
+
+%}
+
+
+%%
+et			{ return ET; }
+error_table		{ return ET; }
+ec			{ return EC; }
+error_code		{ return EC; }
+prefix			{ return PREFIX; }
+index			{ return INDEX; }
+id			{ return ID; }
+end			{ return END; }
+[0-9]+			{ yylval.number = atoi(yytext); return NUMBER; }
+#[^\n]*			;
+[ \t]			;
+\n			{ lineno++; }
+\"			{ return getstring(); }
+[a-zA-Z0-9_]+		{ yylval.string = strdup(yytext); return STRING; }
+.			{ return *yytext; }
+%%
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+int
+getstring(void)
+{
+    char x[128];
+    int i = 0;
+    int c;
+    int quote = 0;
+    while((c = input()) != EOF){
+	if(quote) {
+	    x[i++] = c;
+	    quote = 0;
+	    continue;
+	}
+	if(c == '\n'){
+	    error_message("unterminated string");
+	    lineno++;
+	    break;
+	}
+	if(c == '\\'){
+	    quote++;
+	    continue;
+	}
+	if(c == '\"')
+	    break;
+	x[i++] = c;
+    }
+    x[i] = '\0';
+    yylval.string = strdup(x);
+    return STRING;
+}
+
+void
+error_message (char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d:", filename, lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+     numerror++;
+}
diff --git a/crypto/kerberosIV/lib/com_err/parse.y b/crypto/kerberosIV/lib/com_err/parse.y
new file mode 100644
index 0000000..addf772
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/parse.y
@@ -0,0 +1,166 @@
+%{
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "compile_et.h"
+RCSID("$Id: parse.y,v 1.10 1999/12/02 16:58:38 joda Exp $");
+
+void yyerror (char *s);
+long name2number(const char *str);
+void error_message(char *, ...);
+
+extern char *yytext;
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+%}
+
+%union {
+  char *string;
+  int number;
+}
+
+%token ET INDEX PREFIX EC ID END
+%token <string> STRING
+%token <number> NUMBER
+
+%%
+
+file		: /* */ 
+		| header statements
+		;
+
+header		: id et
+		| et
+		;
+
+id		: ID STRING
+		{
+		    id_str = $2;
+		}
+		;
+
+et		: ET STRING
+		{
+		    base = name2number($2);
+		    strncpy(name, $2, sizeof(name));
+		    name[sizeof(name) - 1] = '\0';
+		    free($2);
+		}
+		| ET STRING STRING
+		{
+		    base = name2number($2);
+		    strncpy(name, $3, sizeof(name));
+		    name[sizeof(name) - 1] = '\0';
+		    free($2);
+		    free($3);
+		}
+		;
+
+statements	: statement
+		| statements statement
+		;
+
+statement	: INDEX NUMBER 
+		{
+			number = $2;
+		}
+		| PREFIX STRING
+		{
+		    prefix = realloc(prefix, strlen($2) + 2);
+		    strcpy(prefix, $2);
+		    strcat(prefix, "_");
+		    free($2);
+		}
+		| PREFIX
+		{
+		    prefix = realloc(prefix, 1);
+		    *prefix = '\0';
+		}
+		| EC STRING ',' STRING
+		{
+		    struct error_code *ec = malloc(sizeof(*ec));
+
+		    ec->next = NULL;
+		    ec->number = number;
+		    if(prefix && *prefix != '\0') {
+			asprintf (&ec->name, "%s%s", prefix, $2);
+			free($2);
+		    } else
+			ec->name = $2;
+		    ec->string = $4;
+		    APPEND(codes, ec);
+		    number++;
+		}
+		| END
+		{
+			YYACCEPT;
+		}
+		;
+
+%%
+
+long
+name2number(const char *str)
+{
+    const char *p;
+    long base = 0;
+    const char *x = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+	"abcdefghijklmnopqrstuvwxyz0123456789_";
+    if(strlen(str) > 4) {
+	yyerror("table name too long");
+	return 0;
+    }
+    for(p = str; *p; p++){
+	char *q = strchr(x, *p);
+	if(q == NULL) {
+	    yyerror("invalid character in table name");
+	    return 0;
+	}
+	base = (base << 6) + (q - x) + 1;
+    }
+    base <<= 8;
+    if(base > 0x7fffffff)
+	base = -(0xffffffff - base + 1);
+    return base;
+}
+
+void
+yyerror (char *s)
+{
+     error_message ("%s\n", s);
+}
diff --git a/crypto/kerberosIV/lib/com_err/roken_rename.h b/crypto/kerberosIV/lib/com_err/roken_rename.h
new file mode 100644
index 0000000..173c9a7
--- /dev/null
+++ b/crypto/kerberosIV/lib/com_err/roken_rename.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.3 1999/12/02 16:58:38 joda Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/kerberosIV/lib/kadm/Makefile.in b/crypto/kerberosIV/lib/kadm/Makefile.in
new file mode 100644
index 0000000..7f610c0
--- /dev/null
+++ b/crypto/kerberosIV/lib/kadm/Makefile.in
@@ -0,0 +1,126 @@
+#
+# $Id: Makefile.in,v 1.47.4.1 2000/06/23 03:20:01 assar Exp $
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+CP = cp
+LN_S = @LN_S@
+DEFS = @DEFS@ -DROKEN_RENAME
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+COMPILE_ET = ../com_err/compile_et
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+
+top_builddir = ../..
+
+includedir = @includedir@
+
+incdir = $(includedir)
+inc_DATA = kadm_err.h
+idir = $(top_builddir)/include
+
+PICFLAGS = @PICFLAGS@
+
+@lib_deps_yes@LIB_DEPS = -L../krb -lkrb \
+@lib_deps_yes@	   -L../des -ldes \
+@lib_deps_yes@	   -lc
+@lib_deps_no@LIB_DEPS = 
+
+build_symlink_command   = @build_symlink_command@
+install_symlink_command = @install_symlink_command@
+
+LIBNAME = $(LIBPREFIX)kadm
+LIBEXT = @LIBEXT@
+LIBPREFIX = @LIBPREFIX@
+EXECSUFFIX = @EXECSUFFIX@
+SHLIBEXT = @SHLIBEXT@
+LDSHARED = @LDSHARED@
+LIB = $(LIBNAME).$(LIBEXT)
+
+SOURCES = kadm_cli_wrap.c kadm_err.c kadm_stream.c kadm_supp.c check_password.c
+
+OBJECTS = kadm_cli_wrap.o kadm_err.o kadm_stream.o kadm_supp.o check_password.o
+
+all: $(LIB) all-local
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I. -I../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libdir)
+	$(INSTALL_DATA)  $(LIB) $(DESTDIR)$(libdir)/$(LIB)
+	@install_symlink_command@
+	$(MKINSTALLDIRS) $(DESTDIR)$(includedir)
+	@for i in $(inc_DATA); do \
+	echo "  $(INSTALL_DATA) $$i $(DESTDIR)$(incdir)/$$i";\
+	$(INSTALL_DATA) $$i $(DESTDIR)$(incdir)/$$i; done
+
+uninstall:
+	rm -f $(DESTDIR)$(libdir)/$(LIB)
+	@for i in $(inc_DATA); do \
+	echo "  rm -f $(DESTDIR)$(incdir)/$$i";\
+	rm -f $(DESTDIR)$(incdir)/$$i; done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f $(LIB) *.o *.a *.so *.so.* so_locations kadm_err.c kadm_err.h
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~ roken_rename.h
+
+realclean: distclean
+	rm -f TAGS
+
+$(LIBNAME).a: $(OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS)
+	-$(RANLIB) $@
+
+$(LIBNAME).$(SHLIBEXT): $(OBJECTS)
+	rm -f $@
+	$(LDSHARED) -o $@ $(OBJECTS) $(LIB_DEPS)
+	@build_symlink_command@
+
+kadm_err.c kadm_err.h: $(srcdir)/kadm_err.et
+	$(COMPILE_ET) $(srcdir)/kadm_err.et
+
+$(OBJECTS): ../../include/config.h roken_rename.h
+$(OBJECTS): kadm_err.h kadm_locl.h
+
+roken_rename.h:
+	$(LN_S) $(srcdir)/../krb/roken_rename.h .
+
+all-local: $(inc_DATA)
+	@for i in $(inc_DATA); do \
+		if cmp -s  $$i $(idir)/$$i 2> /dev/null ; then :; else\
+			echo " $(CP) $$i $(idir)/$$i"; \
+			$(CP) $$i $(idir)/$$i; \
+		fi ; \
+	done
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean all-local
diff --git a/crypto/kerberosIV/lib/kadm/check_password.c b/crypto/kerberosIV/lib/kadm/check_password.c
new file mode 100644
index 0000000..ba6ba48
--- /dev/null
+++ b/crypto/kerberosIV/lib/kadm/check_password.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kadm_locl.h"
+RCSID("$Id: check_password.c,v 1.3 1999/12/02 16:58:39 joda Exp $");
+
+/* This is a client side password check. Should perhaps be merged with
+   kadmind version that lives in pw_check.c */
+
+int
+kadm_check_pw (const char *password)
+{
+    const char *t;
+    if (strlen(password) == 0)
+	return KADM_PASS_Q_NULL;
+    if (strlen(password) < MIN_KPW_LEN)
+	return KADM_PASS_Q_TOOSHORT;
+    
+    /* Don't allow all lower case passwords regardless of length */
+    for (t = password; *t && islower((unsigned char)*t); t++)
+	;
+    if (*t == '\0')
+	return KADM_PASS_Q_CLASS;
+    return 0;
+}
diff --git a/crypto/kerberosIV/lib/kadm/kadm.h b/crypto/kerberosIV/lib/kadm/kadm.h
new file mode 100644
index 0000000..fd3d75b
--- /dev/null
+++ b/crypto/kerberosIV/lib/kadm/kadm.h
@@ -0,0 +1,156 @@
+/*
+ * $Id: kadm.h,v 1.17 1998/10/23 14:25:55 joda Exp $
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Definitions for Kerberos administration server & client
+ */
+
+#ifndef KADM_DEFS
+#define KADM_DEFS
+
+/*
+ * kadm.h
+ * Header file for the fourth attempt at an admin server
+ * Doug Church, December 28, 1989, MIT Project Athena
+ */
+
+#include <krb_db.h>
+
+/* The global structures for the client and server */
+typedef struct {
+  struct sockaddr_in admin_addr;
+  struct sockaddr_in my_addr;
+  int my_addr_len;
+  int admin_fd;			/* file descriptor for link to admin server */
+  char sname[ANAME_SZ];		/* the service name */
+  char sinst[INST_SZ];		/* the services instance */
+  char krbrlm[REALM_SZ];
+} Kadm_Client;
+
+typedef struct {		/* status of the server, i.e the parameters */
+   int inter;			/* Space for command line flags */
+   char *sysfile;		/* filename of server */
+} admin_params;			/* Well... it's the admin's parameters */
+
+/* Largest password length to be supported */
+#define MAX_KPW_LEN	128
+/* Minimum allowed password length */
+#define MIN_KPW_LEN	6
+
+/* Largest packet the admin server will ever allow itself to return */
+#define KADM_RET_MAX 2048
+
+/* That's right, versions are 8 byte strings */
+#define KADM_VERSTR	"KADM0.0A"
+#define KADM_ULOSE	"KYOULOSE"	/* sent back when server can't
+					   decrypt client's msg */
+#define KADM_VERSIZE strlen(KADM_VERSTR)
+
+/* the lookups for the server instances */
+#define PWSERV_NAME  "changepw"
+#define KADM_SNAME   "kerberos_master"
+#define KADM_PORT    751
+#define KADM_SINST   "kerberos"
+
+/* Attributes fields constants and macros */
+#define ALLOC        2
+#define RESERVED     3
+#define DEALLOC      4
+#define DEACTIVATED  5
+#define ACTIVE       6
+
+/* Kadm_vals structure for passing db fields into the server routines */
+#define FLDSZ        4
+
+/* XXX enable new extended kadm fields */
+#define EXTENDED_KADM 1
+
+typedef struct {
+    u_int8_t	fields[FLDSZ];     /* The active fields in this struct */
+    char	name[ANAME_SZ];
+    char	instance[INST_SZ];
+    u_int32_t	key_low;
+    u_int32_t	key_high;
+    u_int32_t	exp_date;
+    u_int16_t	attributes;
+    u_int8_t	max_life;
+#ifdef EXTENDED_KADM
+    u_int32_t	mod_date;
+    char	mod_name[ANAME_SZ];
+    char	mod_instance[INST_SZ];
+    u_int8_t	key_version;
+#endif
+} Kadm_vals;                    /* The basic values structure in Kadm */
+
+/* Need to define fields types here */
+#define KADM_NAME       31
+#define KADM_INST       30
+#define KADM_EXPDATE    29
+#define KADM_ATTR       28
+#define KADM_MAXLIFE    27
+#define KADM_DESKEY     26
+
+#ifdef EXTENDED_KADM
+#define KADM_MODDATE	25
+#define KADM_MODNAME	24
+#define KADM_MODINST	23
+#define KADM_KVNO	22
+#endif
+
+/* To set a field entry f in a fields structure d */
+#define SET_FIELD(f,d)  (d[3-(f/8)]|=(1<<(f%8)))
+
+/* To set a field entry f in a fields structure d */
+#define CLEAR_FIELD(f,d)  (d[3-(f/8)]&=(~(1<<(f%8))))
+
+/* Is field f in fields structure d */
+#define IS_FIELD(f,d)   (d[3-(f/8)]&(1<<(f%8)))
+
+/* Various return codes */
+#define KADM_SUCCESS    0
+
+#define WILDCARD_STR "*"
+
+enum acl_types {
+ADDACL,
+GETACL,
+MODACL,
+STABACL, /* not used */
+DELACL
+};
+
+/* Various opcodes for the admin server's functions */
+#define CHANGE_PW    2
+#define ADD_ENT      3
+#define MOD_ENT      4
+#define GET_ENT      5
+#define CHECK_PW     6 /* not used */
+#define CHG_STAB     7 /* not used */
+#define DEL_ENT	     8
+
+void prin_vals __P((Kadm_vals *));
+int stv_long __P((u_char *, u_int32_t *, int, int));
+int vts_long __P((u_int32_t, u_char **, int));
+int vts_string __P((char *, u_char **, int));
+int stv_string __P((u_char *, char *, int, int, int));
+
+int stream_to_vals __P((u_char *, Kadm_vals *, int));
+int vals_to_stream __P((Kadm_vals *, u_char **));
+
+int kadm_init_link __P((char *, char *, char *));
+int kadm_change_pw __P((unsigned char *));
+int kadm_change_pw_plain __P((unsigned char *, char *, char**));
+int kadm_change_pw2 __P((unsigned char *, char *, char**));
+int kadm_mod __P((Kadm_vals *, Kadm_vals *));
+int kadm_get __P((Kadm_vals *, u_char *));
+int kadm_add __P((Kadm_vals *));
+int kadm_del __P((Kadm_vals *));
+void kadm_vals_to_prin __P((u_char *, Principal *, Kadm_vals *));
+void kadm_prin_to_vals __P((u_char *, Kadm_vals *, Principal *));
+int kadm_check_pw __P((const char*));
+
+#endif /* KADM_DEFS */
diff --git a/crypto/kerberosIV/lib/kadm/kadm_cli_wrap.c b/crypto/kerberosIV/lib/kadm/kadm_cli_wrap.c
new file mode 100644
index 0000000..2c7f006
--- /dev/null
+++ b/crypto/kerberosIV/lib/kadm/kadm_cli_wrap.c
@@ -0,0 +1,632 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * Kerberos administration server client-side routines
+ */
+
+/*
+ * kadm_cli_wrap.c the client side wrapping of the calls to the admin server 
+ */
+
+#include "kadm_locl.h"
+
+/* RCSID("$Id: kadm_cli_wrap.c,v 1.27 1999/09/16 20:41:46 assar Exp $");*/
+RCSID("$FreeBSD$");
+
+static Kadm_Client client_parm;
+
+/* Macros for use in returning data... used in kadm_cli_send */
+#define RET_N_FREE(r) {clear_secrets(); free(act_st); free(priv_pak); return r;}
+
+/* Keys for use in the transactions */
+static des_cblock sess_key;	       /* to be filled in by kadm_cli_keyd */
+static des_key_schedule sess_sched;
+
+static void
+clear_secrets(void)
+{
+	memset(sess_key, 0, sizeof(sess_key));
+	memset(sess_sched, 0, sizeof(sess_sched));
+}
+
+static RETSIGTYPE (*opipe)();
+
+static void
+kadm_cli_disconn(void)
+{
+    close(client_parm.admin_fd);
+    signal(SIGPIPE, opipe);
+}
+
+/*
+ * kadm_init_link
+ *	receives    : name, inst, realm
+ *
+ * initializes client parm, the Kadm_Client structure which holds the 
+ * data about the connection between the server and client, the services 
+ * used, the locations and other fun things 
+ */
+
+int
+kadm_init_link(char *n, char *i, char *r)
+{
+	struct hostent *hop;	       /* host we will talk to */
+	char adm_hostname[MaxHostNameLen];
+
+	init_kadm_err_tbl();
+	init_krb_err_tbl();
+	strlcpy(client_parm.sname, n, ANAME_SZ);
+	strlcpy(client_parm.sinst, i, INST_SZ);
+	strlcpy(client_parm.krbrlm, r, REALM_SZ);
+	client_parm.admin_fd = -1;
+
+	/* set up the admin_addr - fetch name of admin host */
+	if (krb_get_admhst(adm_hostname, client_parm.krbrlm, 1) != KSUCCESS)
+		return KADM_NO_HOST;
+	if ((hop = gethostbyname(adm_hostname)) == NULL)
+		return KADM_UNK_HOST;
+	memset(&client_parm.admin_addr, 0, sizeof(client_parm.admin_addr));
+	client_parm.admin_addr.sin_port = 
+	  k_getportbyname(KADM_SNAME, "tcp", htons(KADM_PORT));
+	client_parm.admin_addr.sin_family = hop->h_addrtype;
+	memcpy(&client_parm.admin_addr.sin_addr, hop->h_addr,
+	       sizeof(client_parm.admin_addr.sin_addr));
+
+	return KADM_SUCCESS;
+}
+
+static int
+kadm_cli_conn(void)
+{					/* this connects and sets my_addr */
+    client_parm.admin_fd =
+	socket(client_parm.admin_addr.sin_family, SOCK_STREAM, 0);
+
+    if (client_parm.admin_fd < 0)
+	return KADM_NO_SOCK;		/* couldn't create the socket */
+    if (connect(client_parm.admin_fd,
+		(struct sockaddr *) & client_parm.admin_addr,
+		sizeof(client_parm.admin_addr))) {
+	close(client_parm.admin_fd);
+	client_parm.admin_fd = -1;
+	return KADM_NO_CONN;		/* couldn't get the connect */
+    }
+    opipe = signal(SIGPIPE, SIG_IGN);
+    client_parm.my_addr_len = sizeof(client_parm.my_addr);
+    if (getsockname(client_parm.admin_fd,
+		    (struct sockaddr *) & client_parm.my_addr,
+		    &client_parm.my_addr_len) < 0) {
+	close(client_parm.admin_fd);
+	client_parm.admin_fd = -1;
+	signal(SIGPIPE, opipe);
+	return KADM_NO_HERE;		/* couldn't find out who we are */
+    }
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+    {
+	int on = 1;
+
+	if (setsockopt(client_parm.admin_fd, SOL_SOCKET, SO_KEEPALIVE,
+		       (void *)&on,
+		       sizeof(on)) < 0) {
+	    close(client_parm.admin_fd);
+	    client_parm.admin_fd = -1;
+	    signal(SIGPIPE, opipe);
+	    return KADM_NO_CONN;		/* XXX */
+	}
+    }
+#endif
+    return KADM_SUCCESS;
+}
+
+/* takes in the sess_key and key_schedule and sets them appropriately */
+static int
+kadm_cli_keyd(des_cblock (*s_k), /* session key */
+	      struct des_ks_struct *s_s) /* session key schedule */
+{
+	CREDENTIALS cred;	       /* to get key data */
+	int stat;
+
+	/* want .sname and .sinst here.... */
+	if ((stat = krb_get_cred(client_parm.sname, client_parm.sinst,
+				 client_parm.krbrlm, &cred)))
+		return stat + krb_err_base;
+	memcpy(s_k, cred.session, sizeof(des_cblock));
+	memset(cred.session, 0, sizeof(des_cblock));
+#ifdef NOENCRYPTION
+	memset(s_s, 0, sizeof(des_key_schedule));
+#else
+	if ((stat = des_key_sched(s_k,s_s)))
+		return stat+krb_err_base;
+#endif
+	return KADM_SUCCESS;
+}				       /* This code "works" */
+
+static int
+kadm_cli_out(u_char *dat, int dat_len, u_char **ret_dat, int *ret_siz)
+{
+	u_int16_t dlen;
+	int retval;
+	char tmp[4];
+
+	*ret_dat = NULL;
+	*ret_siz = 0;
+	dlen = (u_int16_t) dat_len;
+
+	if (dat_len != (int)dlen)
+		return (KADM_NO_ROOM);
+
+	tmp[0] = (dlen >> 8) & 0xff;
+	tmp[1] = dlen & 0xff;
+	if (krb_net_write(client_parm.admin_fd, tmp, 2) != 2)
+	    return (errno);	       /* XXX */
+
+	if (krb_net_write(client_parm.admin_fd, dat, dat_len) < 0)
+		return (errno);	       /* XXX */
+
+	
+	if ((retval = krb_net_read(client_parm.admin_fd, tmp, 2)) != 2){
+	    if (retval < 0)
+		return(errno);		/* XXX */
+	    else
+		return(EPIPE);		/* short read ! */
+	}
+	dlen = (tmp[0] << 8) | tmp[1];
+
+	*ret_dat = malloc(dlen);
+	if (*ret_dat == NULL)
+	    return(KADM_NOMEM);
+
+	if ((retval = krb_net_read(client_parm.admin_fd,  *ret_dat,
+				   dlen) != dlen)) {
+	    free(*ret_dat);
+	    *ret_dat = NULL;
+	    if (retval < 0)
+		return(errno);		/* XXX */
+	    else
+		return(EPIPE);		/* short read ! */
+	}
+	*ret_siz = (int) dlen;
+	return KADM_SUCCESS;
+}
+
+/*
+ * kadm_cli_send
+ *	recieves   : opcode, packet, packet length, serv_name, serv_inst
+ *	returns    : return code from the packet build, the server, or
+ *			 something else 
+ *
+ * It assembles a packet as follows:
+ *	 8 bytes    : VERSION STRING
+ *	 4 bytes    : LENGTH OF MESSAGE DATA and OPCODE
+ *		    : KTEXT
+ *		    : OPCODE       \
+ *		    : DATA          > Encrypted (with make priv)
+ *		    : ......       / 
+ *
+ * If it builds the packet and it is small enough, then it attempts to open the
+ * connection to the admin server.  If the connection is succesfully open
+ * then it sends the data and waits for a reply. 
+ */
+static int
+kadm_cli_send(u_char *st_dat,	/* the actual data */
+	      int st_siz,	/* length of said data */
+	      u_char **ret_dat,	/* to give return info */
+	      int *ret_siz)	/* length of returned info */
+{
+	int act_len, retdat;	/* current offset into packet, return
+				 * data */
+	KTEXT_ST authent;	/* the authenticator we will build */
+	u_char *act_st;		/* the pointer to the complete packet */
+	u_char *priv_pak;	/* private version of the packet */
+	int priv_len;		/* length of private packet */
+	u_int32_t cksum;	/* checksum of the packet */
+	MSG_DAT mdat;
+	u_char *return_dat;
+	int tmp;
+	void *tmp_ptr;
+
+	*ret_dat = NULL;
+	*ret_siz = 0;
+
+	act_st = malloc(KADM_VERSIZE); /* verstr stored first */
+	if (act_st == NULL) {
+	    clear_secrets ();
+	    return KADM_NOMEM;
+	}
+	memcpy(act_st, KADM_VERSTR, KADM_VERSIZE);
+	act_len = KADM_VERSIZE;
+
+	if ((retdat = kadm_cli_keyd(&sess_key, sess_sched)) != KADM_SUCCESS) {
+		free(act_st);
+		clear_secrets();
+		return retdat;	       /* couldnt get key working */
+	}
+	priv_pak = malloc(st_siz + 200);
+	/* 200 bytes for extra info case */
+	if (priv_pak == NULL) {
+	    free(act_st);
+	    clear_secrets ();
+	    return KADM_NOMEM;
+	}
+	priv_len = krb_mk_priv(st_dat, priv_pak, st_siz,
+			       sess_sched, &sess_key, &client_parm.my_addr,
+			       &client_parm.admin_addr);
+
+	if (priv_len < 0)
+		RET_N_FREE(KADM_NO_ENCRYPT);	/* whoops... we got a lose
+						 * here */
+	/* here is the length of priv data.  receiver calcs
+	 size of authenticator by subtracting vno size, priv size, and
+	 sizeof(u_int32_t) (for the size indication) from total size */
+
+	tmp = vts_long(priv_len, &act_st, act_len);
+	if (tmp < 0)
+	    RET_N_FREE(KADM_NOMEM);
+	act_len += tmp;
+#ifdef NOENCRYPTION
+	cksum = 0;
+#else
+	cksum = des_quad_cksum((des_cblock *)priv_pak,
+			       (des_cblock *)0, priv_len, 0,
+			       &sess_key);
+#endif
+	
+	retdat = krb_mk_req(&authent, client_parm.sname, client_parm.sinst,
+			    client_parm.krbrlm, cksum);
+
+	if (retdat) {
+	    /* authenticator? */
+	    RET_N_FREE(retdat + krb_err_base);
+	}
+
+	tmp_ptr = realloc(act_st,
+			  act_len + authent.length + priv_len);
+	if (tmp_ptr == NULL) {
+	    clear_secrets();
+	    free (priv_pak);
+	    free (act_st);
+	    return KADM_NOMEM;
+	}
+	act_st = tmp_ptr;
+	memcpy(act_st + act_len, authent.dat, authent.length);
+	memcpy(act_st + act_len + authent.length, priv_pak, priv_len);
+	free(priv_pak);
+	retdat = kadm_cli_out(act_st,
+			      act_len + authent.length + priv_len,
+			      ret_dat, ret_siz);
+	free(act_st);
+	if (retdat != KADM_SUCCESS) {
+	    clear_secrets();
+	    return retdat;
+	}
+#define RET_N_FREE2(r) {free(*ret_dat); *ret_dat = NULL; clear_secrets(); return(r);}
+
+	/* first see if it's a YOULOUSE */
+	if ((*ret_siz >= KADM_VERSIZE) &&
+	    !strncmp(KADM_ULOSE, (char *)*ret_dat, KADM_VERSIZE)) {
+	    unsigned char *p;
+	    /* it's a youlose packet */
+	    if (*ret_siz < KADM_VERSIZE + 4)
+		RET_N_FREE2(KADM_BAD_VER);
+	    p = (*ret_dat)+KADM_VERSIZE;
+	    retdat = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+	    RET_N_FREE2(retdat);
+	}
+	/* need to decode the ret_dat */
+	retdat = krb_rd_priv(*ret_dat, (u_int32_t)*ret_siz, sess_sched,
+			     &sess_key, &client_parm.admin_addr,
+			     &client_parm.my_addr, &mdat);
+	if (retdat)
+	    RET_N_FREE2(retdat+krb_err_base);
+	if (mdat.app_length < KADM_VERSIZE + 4)
+	    /* too short! */
+	    RET_N_FREE2(KADM_BAD_VER);
+	if (strncmp((char *)mdat.app_data, KADM_VERSTR, KADM_VERSIZE))
+	    /* bad version */
+	    RET_N_FREE2(KADM_BAD_VER);
+	{
+	    unsigned char *p = mdat.app_data+KADM_VERSIZE;
+	    retdat = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+	}
+	{
+	  int s = mdat.app_length - KADM_VERSIZE - 4;
+
+	  if(s <= 0)
+	      s=1;
+	  return_dat = malloc(s);
+	  if (return_dat == NULL)
+	      RET_N_FREE2(KADM_NOMEM);
+	}
+	memcpy(return_dat,
+	       (char *) mdat.app_data + KADM_VERSIZE + 4,
+	       mdat.app_length - KADM_VERSIZE - 4);
+	free(*ret_dat);
+	clear_secrets();
+	*ret_dat = return_dat;
+	*ret_siz = mdat.app_length - KADM_VERSIZE - 4;
+	return retdat;
+}
+
+
+
+/* 
+ * kadm_change_pw_plain
+ *
+ * see kadm_change_pw
+ *
+ */
+int kadm_change_pw_plain(unsigned char *newkey, char *password, char **pw_msg)
+{
+	int stsize, retc;	       /* stream size and return code */
+	u_char *send_st;	       /* send stream */
+	u_char *ret_st;
+	int ret_sz;
+	int status;
+	static char msg[128];
+
+	/* possible problem with vts_long on a non-multiple of four boundary */
+
+	stsize = 0;		       /* start of our output packet */
+	send_st = malloc(9);
+	if (send_st == NULL)
+	    return KADM_NOMEM;
+	send_st[stsize++] = (u_char) CHANGE_PW;
+	memcpy(send_st + stsize + 4, newkey, 4); /* yes, this is backwards */
+	memcpy(send_st + stsize, newkey + 4, 4);
+	stsize += 8;
+
+	/* change key to stream */
+
+	if(password && *password) {
+	    int tmp = vts_string(password, &send_st, stsize);
+
+	    if (tmp < 0) {
+		free(send_st);
+		return KADM_NOMEM;
+	    }
+	    stsize += tmp;
+	}
+
+	if ((retc = kadm_cli_conn()) != KADM_SUCCESS) {
+	    free(send_st);
+	    return(retc);
+	}
+	retc = kadm_cli_send(send_st, stsize, &ret_st, &ret_sz);
+	free(send_st);
+	
+	if(retc != KADM_SUCCESS){
+	  status = stv_string(ret_st, msg, 0, sizeof(msg), ret_sz);
+	  if(status<0)
+	    msg[0]=0;
+	  *pw_msg=msg;
+	}
+	free(ret_st);
+	
+	kadm_cli_disconn();
+	return(retc);
+}
+
+/*
+ * This function is here for compatibility with CNS
+ */
+
+int kadm_change_pw2(unsigned char *newkey, char *password, char **pw_msg)
+{
+    return kadm_change_pw_plain (newkey, password, pw_msg);
+}
+
+
+/*
+ * kadm_change_pw
+ * recieves    : key 
+ *
+ * Replaces the password (i.e. des key) of the caller with that specified in
+ * key. Returns no actual data from the master server, since this is called
+ * by a user 
+ */
+
+int kadm_change_pw(unsigned char *newkey)
+{
+  char *pw_msg;
+  return kadm_change_pw_plain(newkey, "", &pw_msg);
+}
+
+/*
+ * kadm_add
+ * 	receives    : vals
+ * 	returns     : vals 
+ *
+ * Adds and entry containing values to the database returns the values of the
+ * entry, so if you leave certain fields blank you will be able to determine
+ * the default values they are set to 
+ */
+int
+kadm_add(Kadm_vals *vals)
+{
+	u_char *st, *st2;	       /* st will hold the stream of values */
+	int st_len;		       /* st2 the final stream with opcode */
+	int retc;		       /* return code from call */
+	u_char *ret_st;
+	int ret_sz;
+
+	st_len = vals_to_stream(vals, &st);
+	st2 = malloc(1 + st_len);
+	if (st2 == NULL) {
+	    free(st);
+	    return KADM_NOMEM;
+	}
+	*st2 = (u_char) ADD_ENT;       /* here's the opcode */
+	memcpy((char *) st2 + 1, st, st_len);	/* append st on */
+	free(st);
+
+	if ((retc = kadm_cli_conn()) != KADM_SUCCESS) {
+	    free(st2);
+	    return(retc);
+	}
+	retc = kadm_cli_send(st2, st_len + 1, &ret_st, &ret_sz);
+	free(st2);
+	if (retc == KADM_SUCCESS) {
+	    /* ret_st has vals */
+	    if (stream_to_vals(ret_st, vals, ret_sz) < 0)
+		retc = KADM_LENGTH_ERROR;
+	}
+	free(ret_st);
+	kadm_cli_disconn();
+	return(retc);
+}
+
+/*
+ * kadm_mod
+ * 	receives    : KTEXT, {values, values}
+ *	returns     : CKSUM,  RETCODE, {values} 
+ *	acl         : su, sms (as register or dealloc) 
+ *
+ * Modifies all entries corresponding to the first values so they match the
+ * second values. returns the values for the changed entries in vals2
+ */
+int
+kadm_mod(Kadm_vals *vals1, Kadm_vals *vals2)
+{
+	u_char *st, *st2;	       /* st will hold the stream of values */
+	int st_len, nlen;	       /* st2 the final stream with opcode */
+	u_char *ret_st;
+	int ret_sz;
+	void *tmp_ptr;
+
+	/* nlen is the length of second vals */
+	int retc;		       /* return code from call */
+
+	st_len = vals_to_stream(vals1, &st);
+	st2 = malloc(1 + st_len);
+	if (st2 == NULL) {
+	    free(st);
+	    return KADM_NOMEM;
+	}
+	*st2 = (u_char) MOD_ENT;       /* here's the opcode */
+	memcpy((char *)st2 + 1, st, st_len++); /* append st on */
+	free(st);
+	nlen = vals_to_stream(vals2, &st);
+	tmp_ptr = realloc(st2, st_len + nlen);
+	if (tmp_ptr == NULL) {
+	    free(st);
+	    free(st2);
+	    return KADM_NOMEM;
+	}
+	st2 = tmp_ptr;
+	memcpy((char *) st2 + st_len, st, nlen); /* append st on */
+	free(st);
+
+	if ((retc = kadm_cli_conn()) != KADM_SUCCESS) {
+	    free(st2);
+	    return(retc);
+	}
+
+	retc = kadm_cli_send(st2, st_len + nlen, &ret_st, &ret_sz);
+	free(st2);
+	if (retc == KADM_SUCCESS) {
+	    /* ret_st has vals */
+	    if (stream_to_vals(ret_st, vals2, ret_sz) < 0)
+		retc = KADM_LENGTH_ERROR;
+	}
+	free(ret_st);
+	kadm_cli_disconn();
+	return(retc);
+}
+
+
+int
+kadm_del(Kadm_vals *vals)
+{
+    unsigned char *st, *st2;	       /* st will hold the stream of values */
+    int st_len;		       /* st2 the final stream with opcode */
+    int retc;		       /* return code from call */
+    u_char *ret_st;
+    int ret_sz;
+    
+    st_len = vals_to_stream(vals, &st);
+    st2 = malloc(st_len + 1);
+    if (st2 == NULL) {
+	free(st);
+	return KADM_NOMEM;
+    }
+    *st2 = DEL_ENT;       /* here's the opcode */
+    memcpy(st2 + 1, st, st_len);	/* append st on */
+    free (st);
+
+    if ((retc = kadm_cli_conn()) != KADM_SUCCESS) {
+	free(st2);
+	return(retc);
+    }
+    retc = kadm_cli_send(st2, st_len + 1, &ret_st, &ret_sz);
+    free(st2);
+    free(ret_st);
+    kadm_cli_disconn();
+    return(retc);
+}
+
+
+/*
+ * kadm_get
+ * 	receives   : KTEXT, {values, flags} 
+ *	returns    : CKSUM, RETCODE, {count, values, values, values}
+ *	acl        : su 
+ *
+ * gets the fields requested by flags from all entries matching values returns
+ * this data for each matching recipient, after a count of how many such
+ * matches there were 
+ */
+int
+kadm_get(Kadm_vals *vals, u_char *fl)
+{
+	int loop;		       /* for copying the fields data */
+	u_char *st, *st2;	       /* st will hold the stream of values */
+	int st_len;		       /* st2 the final stream with opcode */
+	int retc;		       /* return code from call */
+	u_char *ret_st;
+	int ret_sz;
+
+	st_len = vals_to_stream(vals, &st);
+	st2 = malloc(1 + st_len + FLDSZ);
+	if (st2 == NULL) {
+	    free(st);
+	    return KADM_NOMEM;
+	}
+	*st2 = (u_char) GET_ENT;       /* here's the opcode */
+	memcpy((char *)st2 + 1, st, st_len); /* append st on */
+	free(st);
+	for (loop = FLDSZ - 1; loop >= 0; loop--)
+		*(st2 + st_len + FLDSZ - loop) = fl[loop]; /* append the flags */
+
+	if ((retc = kadm_cli_conn()) != KADM_SUCCESS) {
+	    free(st2);
+	    return(retc);
+	}
+	retc = kadm_cli_send(st2, st_len + 1 + FLDSZ,  &ret_st, &ret_sz);
+	free(st2);
+	if (retc == KADM_SUCCESS) {
+	    /* ret_st has vals */
+	    if (stream_to_vals(ret_st, vals, ret_sz) < 0)
+		retc = KADM_LENGTH_ERROR;
+	}
+	free(ret_st);
+	kadm_cli_disconn();
+	return(retc);
+}
diff --git a/crypto/kerberosIV/lib/kadm/kadm_err.et b/crypto/kerberosIV/lib/kadm/kadm_err.et
new file mode 100644
index 0000000..097e87c
--- /dev/null
+++ b/crypto/kerberosIV/lib/kadm/kadm_err.et
@@ -0,0 +1,67 @@
+# $Id: kadm_err.et,v 1.5 1998/01/16 23:11:27 joda Exp $
+#
+# Copyright 1988 by the Massachusetts Institute of Technology.
+#
+# For copying and distribution information, please see the file
+# <mit-copyright.h>.
+#
+# Kerberos administration server error table
+#
+# $FreeBSD$
+#
+	et	kadm
+
+# KADM_SUCCESS, as all success codes should be, is zero
+
+ec KADM_RCSID,		"$Id: kadm_err.et,v 1.5 1998/01/16 23:11:27 joda Exp $"
+# /* Building and unbuilding the packet errors */
+ec KADM_NO_REALM,	"Cannot fetch local realm"
+ec KADM_NO_CRED,	"Unable to fetch credentials"
+ec KADM_BAD_KEY,	"Bad key supplied"
+ec KADM_NO_ENCRYPT,	"Can't encrypt data"
+ec KADM_NO_AUTH,	"Cannot encode/decode authentication info"
+ec KADM_WRONG_REALM,	"Principal attemping change is in wrong realm"
+ec KADM_NO_ROOM,	"Packet is too large"
+ec KADM_BAD_VER,	"Version number is incorrect"
+ec KADM_BAD_CHK,	"Checksum does not match"
+ec KADM_NO_READ,	"Unsealing private data failed"
+ec KADM_NO_OPCODE,	"Unsupported operation"
+ec KADM_NO_HOST,	"Could not find administrating host"
+ec KADM_UNK_HOST,	"Administrating host name is unknown"
+ec KADM_NO_SERV,	"Could not find service name in services database"
+ec KADM_NO_SOCK,	"Could not create socket"
+ec KADM_NO_CONN,	"Could not connect to server"
+ec KADM_NO_HERE,	"Could not fetch local socket address"
+ec KADM_NO_MAST,	"Could not fetch master key"
+ec KADM_NO_VERI,	"Could not verify master key"
+
+# /* From the server side routines */
+ec KADM_INUSE,		"Entry already exists in database"
+ec KADM_UK_SERROR,	"Database store error"
+ec KADM_UK_RERROR,	"Database read error"
+ec KADM_UNAUTH,		"Insufficient access to perform requested operation"
+# KADM_DATA isn't really an error, but...
+ec KADM_DATA,		"Data is available for return to client"
+ec KADM_NOENTRY,	"No such entry in the database"
+
+ec KADM_NOMEM,		"Memory exhausted"
+ec KADM_NO_HOSTNAME,	"Could not fetch system hostname"
+ec KADM_NO_BIND,	"Could not bind port"
+ec KADM_LENGTH_ERROR,	"Length mismatch problem"
+ec KADM_ILL_WILDCARD,	"Illegal use of wildcard"
+
+ec KADM_DB_INUSE,	"Database is locked or in use--try again later"
+
+ec KADM_INSECURE_PW,    "Insecure password rejected"
+ec KADM_PW_MISMATCH,    "Cleartext password and DES key did not match"
+
+ec KADM_NOT_SERV_PRINC, "Invalid principal for change srvtab request"
+ec KADM_IMMUTABLE,	"Attempt do delete immutable principal"
+# password quality basically stolen from OV libkadm5
+index 64
+prefix KADM_PASS_Q
+ec NULL,		"Null passwords are not allowed"
+ec TOOSHORT,		"Password is too short"
+ec CLASS,		"Too few character classes in password"
+ec DICT,		"Password is in the password dictionary"
+end
diff --git a/crypto/kerberosIV/lib/kadm/kadm_locl.h b/crypto/kerberosIV/lib/kadm/kadm_locl.h
new file mode 100644
index 0000000..6740709
--- /dev/null
+++ b/crypto/kerberosIV/lib/kadm/kadm_locl.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kadm_locl.h,v 1.12 1999/12/02 16:58:39 joda Exp $ */
+/* $FreeBSD$ */
+
+#include "config.h"
+#include "protos.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include <signal.h>
+#include <time.h>
+#include <errno.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#include <roken.h>
+
+#include <openssl/des.h>
+#include <krb.h>
+#include <krb_err.h>
+#include <krb_db.h>
+#include <kadm.h>
+#include <kadm_err.h>
+
+int vts_long __P((u_int32_t, u_char **, int));
+int vals_to_stream __P((Kadm_vals *, u_char **));
+int stream_to_vals __P((u_char *, Kadm_vals *, int));
+
+int kadm_init_link __P((char n[], char i[], char r[]));
+int kadm_change_pw __P((des_cblock));
+int kadm_add __P((Kadm_vals *));
+int kadm_mod __P((Kadm_vals *, Kadm_vals *));
+int kadm_get __P((Kadm_vals *, u_char fl[4]));
+
+
diff --git a/crypto/kerberosIV/lib/kadm/kadm_stream.c b/crypto/kerberosIV/lib/kadm/kadm_stream.c
new file mode 100644
index 0000000..d890164
--- /dev/null
+++ b/crypto/kerberosIV/lib/kadm/kadm_stream.c
@@ -0,0 +1,353 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * Stream conversion functions for Kerberos administration server
+ */
+
+/*
+  kadm_stream.c
+  this holds the stream support routines for the kerberos administration server
+
+    vals_to_stream: converts a vals struct to a stream for transmission
+       internals build_field_header, vts_[string, char, long, short]
+    stream_to_vals: converts a stream to a vals struct
+       internals check_field_header, stv_[string, char, long, short]
+    error: prints out a kadm error message, returns
+    fatal: prints out a kadm fatal error message, exits
+*/
+
+#include "kadm_locl.h"
+
+RCSID("$Id: kadm_stream.c,v 1.13 1998/10/22 15:38:01 joda Exp $");
+
+static int
+build_field_header(u_char *cont, /* container for fields data */
+		   u_char **st)	/* stream */
+{
+  *st = malloc (4);
+  if (*st == NULL)
+      return -1;
+  memcpy(*st, cont, 4);
+  return 4;			/* return pointer to current stream location */
+}
+
+static int
+check_field_header(u_char *st,	/* stream */
+		   u_char *cont, /* container for fields data */
+		   int maxlen)
+{
+  if (4 > maxlen)
+      return(-1);
+  memcpy(cont, st, 4);
+  return 4;			/* return pointer to current stream location */
+}
+
+int
+vts_string(char *dat,		/* a string to put on the stream */
+	   u_char **st,		/* base pointer to the stream */
+	   int loc)		/* offset into the stream for current data */
+{
+  void *tmp;
+
+  tmp = realloc(*st, loc + strlen(dat) + 1);
+  if(tmp == NULL)
+    return -1;
+  memcpy((char *)tmp + loc, dat, strlen(dat)+1);
+  *st = tmp;
+  return strlen(dat)+1;
+}
+
+
+static int
+vts_short(u_int16_t dat,	/* the attributes field */
+	  u_char **st,		/* a base pointer to the stream */
+	  int loc)		/* offset into the stream for current data */
+{
+    unsigned char *p;
+
+    p = realloc(*st, loc + 2);
+    if(p == NULL)
+	return -1;
+    p[loc] = (dat >> 8) & 0xff;
+    p[loc+1] = dat & 0xff;
+    *st = p;
+    return 2;
+}
+
+static int
+vts_char(u_char dat,		/* the attributes field */
+	 u_char **st,		/* a base pointer to the stream */
+	 int loc)		/* offset into the stream for current data */
+{
+    unsigned char *p;
+
+    p = realloc(*st, loc + 1);
+
+    if(p == NULL)
+	return -1;
+    p[loc] = dat;
+    *st = p;
+    return 1;
+}
+
+int
+vts_long(u_int32_t dat,		/* the attributes field */
+	 u_char **st,		/* a base pointer to the stream */
+	 int loc)		/* offset into the stream for current data */
+{
+    unsigned char *p;
+
+    p = realloc(*st, loc + 4);
+    if(p == NULL)
+	return -1;
+    p[loc] = (dat >> 24) & 0xff;
+    p[loc+1] = (dat >> 16) & 0xff;
+    p[loc+2] = (dat >> 8) & 0xff;
+    p[loc+3] = dat & 0xff;
+    *st = p;
+    return 4;
+}
+    
+int
+stv_string(u_char *st,		/* base pointer to the stream */
+	   char *dat,		/* a string to read from the stream */
+	   int loc,		/* offset into the stream for current data */
+	   int stlen,		/* max length of string to copy in */
+	   int maxlen)		/* max length of input stream */
+{
+  int maxcount;				/* max count of chars to copy */
+  int len;
+
+  maxcount = min(maxlen - loc, stlen);
+
+  if(maxcount <= 0)
+      return -1;
+
+  len = strnlen ((char *)st + loc, maxlen - loc);
+
+  if (len >= stlen)
+      return -1;
+
+  memcpy(dat, st + loc, len);
+  dat[len] = '\0';
+  return len + 1;
+}
+
+static int
+stv_short(u_char *st,		/* a base pointer to the stream */
+	  u_int16_t *dat,	/* the attributes field */
+	  int loc,		/* offset into the stream for current data */
+	  int maxlen)
+{
+  if (maxlen - loc < 2)
+      return -1;
+  
+  *dat = (st[loc] << 8) | st[loc + 1];
+  return 2;
+}
+
+int
+stv_long(u_char *st,		/* a base pointer to the stream */
+	 u_int32_t *dat,	/* the attributes field */
+	 int loc,		/* offset into the stream for current data */
+	 int maxlen)		/* maximum length of st */
+{
+  if (maxlen - loc < 4)
+      return -1;
+  
+  *dat = (st[loc] << 24) | (st[loc+1] << 16) | (st[loc+2] << 8) | st[loc+3];
+  return 4;
+}
+    
+static int
+stv_char(u_char *st,		/* a base pointer to the stream */
+	 u_char *dat,		/* the attributes field */
+	 int loc,		/* offset into the stream for current data */
+	 int maxlen)
+{
+  if (maxlen - loc < 1)
+      return -1;
+  
+  *dat = st[loc];
+  return 1;
+}
+
+/* 
+vals_to_stream
+  recieves    : kadm_vals *, u_char *
+  returns     : a realloced and filled in u_char *
+     
+this function creates a byte-stream representation of the kadm_vals structure
+*/
+int
+vals_to_stream(Kadm_vals *dt_in, u_char **dt_out)
+{
+  int vsloop, stsize;		/* loop counter, stream size */
+
+  stsize = build_field_header(dt_in->fields, dt_out);
+  if (stsize < 0)
+      return stsize;
+  for (vsloop=31; vsloop>=0; vsloop--)
+    if (IS_FIELD(vsloop,dt_in->fields)) {
+      int tmp = 0;
+
+      switch (vsloop) {
+      case KADM_NAME:
+	  tmp = vts_string(dt_in->name, dt_out, stsize);
+	  break;
+      case KADM_INST:
+	  tmp = vts_string(dt_in->instance, dt_out, stsize);
+	  break;
+      case KADM_EXPDATE:
+	  tmp = vts_long(dt_in->exp_date, dt_out, stsize);
+	  break;
+      case KADM_ATTR:
+	  tmp = vts_short(dt_in->attributes, dt_out, stsize);
+	  break;
+      case KADM_MAXLIFE:
+	  tmp = vts_char(dt_in->max_life, dt_out, stsize);
+	  break;
+      case KADM_DESKEY: 
+	  tmp = vts_long(dt_in->key_high, dt_out, stsize);
+	  if(tmp > 0)
+	      tmp += vts_long(dt_in->key_low, dt_out, stsize + tmp);
+	  break;
+#ifdef EXTENDED_KADM
+      case KADM_MODDATE:
+	  tmp = vts_long(dt_in->mod_date, dt_out, stsize);
+	  break;
+      case KADM_MODNAME:
+	  tmp = vts_string(dt_in->mod_name, dt_out, stsize);
+	  break;
+      case KADM_MODINST:
+	  tmp = vts_string(dt_in->mod_instance, dt_out, stsize);
+	  break;
+      case KADM_KVNO:
+	  tmp = vts_char(dt_in->key_version, dt_out, stsize);
+	  break;
+#endif
+      default:
+	  break;
+      }
+      if (tmp < 0) {
+	  free(*dt_out);
+	  return tmp;
+      }
+      stsize += tmp;
+    }
+  return(stsize);
+}  
+
+/* 
+stream_to_vals
+  recieves    : u_char *, kadm_vals *
+  returns     : a kadm_vals filled in according to u_char *
+     
+this decodes a byte stream represntation of a vals struct into kadm_vals
+*/
+int
+stream_to_vals(u_char *dt_in,
+	       Kadm_vals *dt_out,
+	       int maxlen)	/* max length to use */
+{
+    int vsloop, stsize;		/* loop counter, stream size */
+    int status;
+
+    memset(dt_out, 0, sizeof(*dt_out));
+
+    stsize = check_field_header(dt_in, dt_out->fields, maxlen);
+    if (stsize < 0)
+	return(-1);
+    for (vsloop=31; vsloop>=0; vsloop--)
+	if (IS_FIELD(vsloop,dt_out->fields))
+	    switch (vsloop) {
+	    case KADM_NAME:
+		if ((status = stv_string(dt_in, dt_out->name, stsize,
+					 sizeof(dt_out->name), maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		break;
+	    case KADM_INST:
+		if ((status = stv_string(dt_in, dt_out->instance, stsize,
+					 sizeof(dt_out->instance), maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		break;
+	    case KADM_EXPDATE:
+		if ((status = stv_long(dt_in, &dt_out->exp_date, stsize,
+				       maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		break;
+	    case KADM_ATTR:
+		if ((status = stv_short(dt_in, &dt_out->attributes, stsize,
+					maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		break;
+	    case KADM_MAXLIFE:
+		if ((status = stv_char(dt_in, &dt_out->max_life, stsize,
+				       maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		break;
+	    case KADM_DESKEY:
+		if ((status = stv_long(dt_in, &dt_out->key_high, stsize,
+				       maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		if ((status = stv_long(dt_in, &dt_out->key_low, stsize,
+				       maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		break;
+#ifdef EXTENDED_KADM
+	    case KADM_MODDATE:
+		if ((status = stv_long(dt_in, &dt_out->mod_date, stsize,
+				       maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		break;
+	    case KADM_MODNAME:
+		if ((status = stv_string(dt_in, dt_out->mod_name, stsize,
+					 sizeof(dt_out->mod_name), maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		break;
+	    case KADM_MODINST:
+		if ((status = stv_string(dt_in, dt_out->mod_instance, stsize,
+					 sizeof(dt_out->mod_instance), maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		break;
+	    case KADM_KVNO:
+		if ((status = stv_char(dt_in, &dt_out->key_version, stsize,
+				       maxlen)) < 0)
+		    return(-1);
+		stsize += status;
+		break;
+#endif
+	    default:
+		break;
+	    }
+    return stsize;
+}  
diff --git a/crypto/kerberosIV/lib/kadm/kadm_supp.c b/crypto/kerberosIV/lib/kadm/kadm_supp.c
new file mode 100644
index 0000000..2a19cae
--- /dev/null
+++ b/crypto/kerberosIV/lib/kadm/kadm_supp.c
@@ -0,0 +1,188 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * Support functions for Kerberos administration server & clients
+ */
+
+/*
+  kadm_supp.c
+  this holds the support routines for the kerberos administration server
+
+    error: prints out a kadm error message, returns
+    fatal: prints out a kadm fatal error message, exits
+    prin_vals: prints out data associated with a Principal in the vals
+           structure
+*/
+
+#include "kadm_locl.h"
+    
+RCSID("$Id: kadm_supp.c,v 1.14 1999/09/16 20:41:46 assar Exp $");
+
+static void
+time2str(char *buf, size_t len, time_t t)
+{
+    strftime(buf, len, "%Y-%m-%d %H:%M:%S", localtime(&t));
+}
+
+/*
+prin_vals:
+  recieves    : a vals structure
+*/
+void
+prin_vals(Kadm_vals *vals)
+{
+    char date[32];
+    if(IS_FIELD(KADM_NAME, vals->fields) && IS_FIELD(KADM_INST, vals->fields))
+	printf("%20s: %s\n", "Principal", 
+	       krb_unparse_name_long(vals->name, vals->instance, NULL));
+    else {
+	printf("Dump of funny entry:\n");
+	if(IS_FIELD(KADM_NAME, vals->fields))
+	    printf("%20s: %s\n", "Name", vals->name);
+	if(IS_FIELD(KADM_INST, vals->fields))
+	    printf("%20s: %s\n", "Instance", vals->instance);
+    }
+    if(IS_FIELD(KADM_MAXLIFE, vals->fields))
+	printf("%20s: %d (%s)\n", "Max ticket life", 
+	       vals->max_life, 
+	       krb_life_to_atime(vals->max_life));
+    if(IS_FIELD(KADM_EXPDATE, vals->fields)) {
+	time2str(date, sizeof(date), vals->exp_date);
+	printf("%20s: %s\n", "Expiration date", date);
+    }
+    if(IS_FIELD(KADM_ATTR, vals->fields))
+	printf("%20s: %d\n", "Attributes",
+	       vals->attributes);
+    if(IS_FIELD(KADM_DESKEY, vals->fields))
+	printf("%20s: %#lx %#lx\n", "Key",
+	       (unsigned long)vals->key_low,
+	       (unsigned long)vals->key_high);
+
+#ifdef EXTENDED_KADM
+    if (IS_FIELD(KADM_MODDATE,vals->fields)) {
+	time2str(date, sizeof(date), vals->mod_date);
+	printf("%20s: %s\n", "Modification date", date);
+    }
+    if (IS_FIELD(KADM_MODNAME,vals->fields) && 
+	IS_FIELD(KADM_MODINST,vals->fields))
+	printf("%20s: %s\n", "Modifier", 
+	       krb_unparse_name_long(vals->mod_name, vals->mod_instance, NULL));
+    if (IS_FIELD(KADM_KVNO,vals->fields))
+	printf("%20s: %d\n", "Key version", vals->key_version);
+#endif
+
+#if 0
+    printf("Info in Database for %s.%s:\n", vals->name, vals->instance);
+    printf("   Max Life: %d (%s)   Exp Date: %s\n",
+	   vals->max_life,
+	   krb_life_to_atime(vals->max_life), 
+	   asctime(k_localtime(&vals->exp_date)));
+    printf("   Attribs: %.2x  key: %#lx %#lx\n",
+	   vals->attributes,
+	   (unsigned long)vals->key_low,
+	   (unsigned long)vals->key_high);
+#endif
+}
+
+/* kadm_prin_to_vals takes a fields arguments, a Kadm_vals and a Principal,
+   it copies the fields in Principal specified by fields into Kadm_vals, 
+   i.e from old to new */
+
+void
+kadm_prin_to_vals(u_char *fields, Kadm_vals *new, Principal *old)
+{
+    memset(new, 0, sizeof(*new));
+    if (IS_FIELD(KADM_NAME,fields)) {
+	strlcpy(new->name, old->name, ANAME_SZ); 
+	SET_FIELD(KADM_NAME, new->fields);
+    }
+    if (IS_FIELD(KADM_INST,fields)) {
+	strlcpy(new->instance, old->instance, INST_SZ); 
+	SET_FIELD(KADM_INST, new->fields);
+    }      
+    if (IS_FIELD(KADM_EXPDATE,fields)) {
+	new->exp_date   = old->exp_date; 
+	SET_FIELD(KADM_EXPDATE, new->fields);
+    }      
+    if (IS_FIELD(KADM_ATTR,fields)) {
+	new->attributes = old->attributes; 
+	SET_FIELD(KADM_ATTR, new->fields);
+    }      
+    if (IS_FIELD(KADM_MAXLIFE,fields)) {
+	new->max_life   = old->max_life; 
+	SET_FIELD(KADM_MAXLIFE, new->fields);
+    }      
+    if (IS_FIELD(KADM_DESKEY,fields)) {
+	new->key_low    = old->key_low; 
+	new->key_high   = old->key_high; 
+	SET_FIELD(KADM_DESKEY, new->fields);
+    }
+#ifdef EXTENDED_KADM
+    if (IS_FIELD(KADM_MODDATE,fields)) {
+	new->mod_date = old->mod_date;
+	SET_FIELD(KADM_MODDATE, new->fields);
+    }
+    if (IS_FIELD(KADM_MODNAME,fields)) {
+	strlcpy(new->mod_name, old->mod_name, ANAME_SZ);
+	SET_FIELD(KADM_MODNAME, new->fields);
+    }
+    if (IS_FIELD(KADM_MODINST,fields)) {
+	strlcpy(new->mod_instance, old->mod_instance, ANAME_SZ);
+	SET_FIELD(KADM_MODINST, new->fields);
+    }
+    if (IS_FIELD(KADM_KVNO,fields)) {
+	new->key_version = old->key_version;
+	SET_FIELD(KADM_KVNO, new->fields);
+    }
+#endif
+}
+
+void
+kadm_vals_to_prin(u_char *fields, Principal *new, Kadm_vals *old)
+{
+
+    memset(new, 0, sizeof(*new));
+    if (IS_FIELD(KADM_NAME,fields))
+	strlcpy(new->name, old->name, ANAME_SZ); 
+    if (IS_FIELD(KADM_INST,fields))
+	strlcpy(new->instance, old->instance, INST_SZ); 
+    if (IS_FIELD(KADM_EXPDATE,fields))
+	new->exp_date   = old->exp_date; 
+    if (IS_FIELD(KADM_ATTR,fields))
+	new->attributes = old->attributes; 
+    if (IS_FIELD(KADM_MAXLIFE,fields))
+	new->max_life   = old->max_life; 
+    if (IS_FIELD(KADM_DESKEY,fields)) {
+	new->key_low    = old->key_low; 
+	new->key_high   = old->key_high; 
+    }
+#ifdef EXTENDED_KADM
+    if (IS_FIELD(KADM_MODDATE,fields))
+	new->mod_date = old->mod_date;
+    if (IS_FIELD(KADM_MODNAME,fields))
+	strlcpy(new->mod_name, old->mod_name, ANAME_SZ);
+    if (IS_FIELD(KADM_MODINST,fields))
+	strlcpy(new->mod_instance, old->mod_instance, ANAME_SZ);
+    if (IS_FIELD(KADM_KVNO,fields))
+	new->key_version = old->key_version;
+#endif
+}
diff --git a/crypto/kerberosIV/lib/kafs/ChangeLog b/crypto/kerberosIV/lib/kafs/ChangeLog
new file mode 100644
index 0000000..43e93f6
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/ChangeLog
@@ -0,0 +1,175 @@
+2000-03-20  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: make versions later than 5.7 of solaris also use
+	73
+
+2000-03-13  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: add 230 for MacOS X per information from
+	<warner.c@apple.com>
+
+1999-11-22  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (afslog_uid_int): handle d->realm == NULL
+	
+1999-11-17  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (afslog_uid_int): don't look at the local realm at
+ 	all.  just use the realm from the ticket file.
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:1:1
+
+	* afskrb5.c (get_cred): always request a DES key
+
+Mon Oct 18 17:40:21 1999  Bjoern Groenvall  <bg@mummel.sics.se>
+
+	* common.c (find_cells): Trim trailing whitespace from
+ 	cellname. Lines starting with # are regarded as comments.
+
+Fri Oct  8 18:17:22 1999  Bjoern Groenvall  <bg@mummel.sics.se>
+
+	* afskrb.c, common.c : Change code to make a clear distinction
+ 	between hinted realm and ticket realm.
+
+	* kafs_locl.h: Added argument realm_hint.
+
+	* common.c (_kafs_get_cred): Change code to acquire the ``best''
+ 	possible ticket. Use cross-cell authentication only as method of
+ 	last resort.
+
+	* afskrb.c (afslog_uid_int): Add realm_hint argument and extract
+ 	realm from ticket file.
+
+	* afskrb5.c (afslog_uid_int): Added argument realm_hint.
+
+1999-10-03  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (get_cred): update to new krb524_convert_creds_kdc
+
+1999-08-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: ignore the comlicated aix construct if !krb4
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:0:1
+
+1999-07-22  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h: define AFS_SYSCALL to 73 for Solaris 2.7
+
+1999-07-07  Assar Westerlund  <assar@sics.se>
+
+	* afskrb5.c (krb5_realm_of_cell): new function
+
+	* afskrb.c (krb_realm_of_cell): new function
+	(afslog_uid_int): call krb_get_lrealm correctly
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* common.c (realm_of_cell): rename to _kafs_realm_of_cell and
+ 	un-staticize
+
+Fri Mar 19 14:52:29 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add version-info
+
+Thu Mar 18 11:24:02 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Sat Feb 27 19:46:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: remove EXTRA_DATA (as of autoconf 2.13/automake
+ 	1.4)
+
+Thu Feb 11 22:57:37 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: set AIX_SRC also if !AIX
+
+Tue Dec  1 14:45:15 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: fix AIX linkage
+
+Sun Nov 22 10:40:44 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Sat Nov 21 16:55:19 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* afskrb5.c: add homedir support
+
+Sun Sep  6 20:16:27 1998  Assar Westerlund  <assar@sics.se>
+
+	* add new functionality for specifying the homedir to krb_afslog
+ 	et al
+
+Thu Jul 16 01:27:19 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c: reorganize order of definitions.
+	(try_one, try_two): conditionalize
+
+Thu Jul  9 18:31:52 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* common.c (realm_of_cell): make the dns fallback work
+
+Wed Jul  8 01:39:44 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c (map_syscall_name_to_number): new function for finding
+ 	the number of a syscall given the name on solaris
+	(k_hasafs): try using map_syscall_name_to_number
+
+Tue Jun 30 17:19:00 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssys.c: rewrite and add support for environment variable
+ 	AFS_SYSCALL
+
+	* Makefile.in (distclean): don't remove roken_rename.h
+
+Fri May 29 19:03:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (roken_rename.h): remove dependency
+
+Mon May 25 05:25:54 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+Sun Apr 19 09:58:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sat Apr  4 15:08:48 1998  Assar Westerlund  <assar@sics.se>
+
+	* kafs.h: add arla paths
+
+	* common.c (_kafs_afslog_all_local_cells): Try _PATH_ARLA_*
+	(_realm_of_cell): Try _PATH_ARLA_CELLSERVDB
+
+Thu Feb 19 14:50:22 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* common.c: Don't store expired tokens (this broke when using
+ 	pag-less rsh-sessions, and `non-standard' ticket files).
+
+Thu Feb 12 11:20:15 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.in: Install/uninstall one library at a time.
+
+Thu Feb 12 05:38:58 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (install): one library at a time.
+
+Mon Feb  9 23:40:32 1998  Assar Westerlund  <assar@sics.se>
+
+	* common.c (find_cells): ignore empty lines
+
+Tue Jan  6 04:25:58 1998  Assar Westerlund  <assar@sics.se>
+
+	* afssysdefs.h (AFS_SYSCALL): add FreeBSD
+
+Fri Jan  2 17:08:24 1998  Assar Westerlund  <assar@sics.se>
+
+	* kafs.h: new VICEIOCTL's.  From <rb@stacken.kth.se>
+
+	* afssysdefs.h: Add OpenBSD
diff --git a/crypto/kerberosIV/lib/kafs/Makefile.am b/crypto/kerberosIV/lib/kafs/Makefile.am
new file mode 100644
index 0000000..2333221
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/Makefile.am
@@ -0,0 +1,70 @@
+# $Id: Makefile.am,v 1.17 1999/10/19 23:54:05 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) $(AFS_EXTRA_DEFS)
+
+if KRB4
+AFSLIBS = libkafs.la
+
+if AIX
+AFSL_EXP = $(srcdir)/afsl.exp
+
+if AIX4
+AFS_EXTRA_LD = -bnoentry
+else
+AFS_EXTRA_LD = -e _nostart
+endif
+
+if AIX_DYNAMIC_AFS
+if HAVE_DLOPEN
+AIX_SRC = 
+else
+AIX_SRC = dlfcn.c
+endif
+AFS_EXTRA_LIBS = afslib.so
+AFS_EXTRA_DEFS =
+else
+AIX_SRC = afslib.c
+AFS_EXTRA_LIBS = 
+AFS_EXTRA_DEFS = -DSTATIC_AFS
+endif
+
+else
+AFSL_EXP =
+AIX_SRC =
+endif # AIX
+
+else
+AFSLIBS = 
+endif # KRB4
+
+
+lib_LTLIBRARIES = $(AFSLIBS)
+libkafs_la_LDFLAGS = -version-info 1:1:1
+foodir = $(libdir)
+foo_DATA = $(AFS_EXTRA_LIBS)
+# EXTRA_DATA = afslib.so
+
+CLEANFILES= $(AFS_EXTRA_LIBS)
+
+include_HEADERS = kafs.h
+
+if KRB5
+afskrb5_c = afskrb5.c
+endif
+
+libkafs_la_SOURCES = afssys.c afskrb.c $(afskrb5_c) common.c $(AIX_SRC) kafs_locl.h afssysdefs.h
+#afslib_so_SOURCES = afslib.c
+
+EXTRA_libkafs_la_SOURCES = afskrb5.c dlfcn.c afslib.c dlfcn.h
+
+EXTRA_DIST = README.dlfcn afsl.exp afslib.exp
+
+
+# AIX: this almost works with gcc, but somehow it fails to use the
+# correct ld, use ld instead
+afslib.so: afslib.o
+	ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp $(AFS_EXTRA_LD) afslib.o -lc
+
+$(OBJECTS): ../../include/config.h
diff --git a/crypto/kerberosIV/lib/kafs/Makefile.in b/crypto/kerberosIV/lib/kafs/Makefile.in
new file mode 100644
index 0000000..1a60bf7
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/Makefile.in
@@ -0,0 +1,121 @@
+#
+# $Id: Makefile.in,v 1.50.2.2 2000/12/07 16:44:12 assar Exp $
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+LN_S = @LN_S@
+DEFS = @DEFS@ -DROKEN_RENAME -DLIBDIR='"$(libdir)"' @AFS_EXTRA_DEFS@
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+
+PICFLAGS = @PICFLAGS@
+ 
+LIB_DEPS = @lib_deps_yes@ -lc
+build_symlink_command   = @build_symlink_command@
+install_symlink_command = @install_symlink_command@
+
+LIBNAME = $(LIBPREFIX)kafs
+LIBEXT = @LIBEXT@
+SHLIBEXT = @SHLIBEXT@
+LIBPREFIX = @LIBPREFIX@
+LDSHARED = @LDSHARED@
+AFS_EXTRA_OBJS	= @AFS_EXTRA_OBJS@
+AFS_EXTRA_LIBS	= @AFS_EXTRA_LIBS@
+LIB = $(LIBNAME).$(LIBEXT) $(AFS_EXTRA_LIBS)
+
+SOURCES = afssys.c afskrb.c common.c afslib.c
+
+EXTRA_SOURCE = issuid.c strlcpy.c strlcat.c
+
+EXTRA_OBJECT = issuid.o strlcpy.o strlcat.o
+
+OBJECTS = afssys.o afskrb.o common.o $(EXTRA_OBJECT) $(AFS_EXTRA_OBJS)
+
+all: $(LIB)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../include -I$(srcdir) -I. $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libdir)
+	@for i in $(LIB); do \
+	echo "$(INSTALL)  $$i $(DESTDIR)$(libdir)/$$i" ;\
+	$(INSTALL)  $$i $(DESTDIR)$(libdir)/$$i ; done
+	@install_symlink_command@
+
+uninstall:
+	@for i in $(LIB); do \
+	echo "rm -f $(DESTDIR)$(libdir)/$$i" ;\
+	rm -f $(DESTDIR)$(libdir)/$$i ; done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f $(LIB) *.o *.a *.so *.so.* so_locations $(EXTRA_SOURCE)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~ roken_rename.h
+
+realclean: distclean
+	rm -f TAGS
+
+$(LIBNAME)_pic.a: $(OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS)
+	-$(RANLIB) $@
+
+$(LIBNAME).a: $(OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS)
+	-$(RANLIB) $@
+
+$(LIBNAME).$(SHLIBEXT): $(OBJECTS) $(LIBNAME)_pic.a
+	rm -f $@
+	$(LDSHARED) -o $@ $(OBJECTS) $(LIB_DEPS)
+	@build_symlink_command@
+
+# AIX: this almost works with gcc, but somehow it fails to use the
+# correct ld, use ld instead
+afslib.so: afslib.o
+	ld -o $@ -bM:SRE -bI:$(srcdir)/afsl.exp -bE:$(srcdir)/afslib.exp @AFS_EXTRA_LD@ afslib.o -lc
+
+$(OBJECTS): ../../include/config.h roken_rename.h
+
+roken_rename.h:
+	$(LN_S) $(srcdir)/../krb/roken_rename.h .
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
+
+issuid.c:
+	$(LN_S) $(srcdir)/../roken/issuid.c .
+
+strlcat.c:
+	$(LN_S) $(srcdir)/../roken/strlcat.c .
+
+strlcpy.c:
+	$(LN_S) $(srcdir)/../roken/strlcpy.c .
+
diff --git a/crypto/kerberosIV/lib/kafs/README.dlfcn b/crypto/kerberosIV/lib/kafs/README.dlfcn
new file mode 100644
index 0000000..cee1b75
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/README.dlfcn
@@ -0,0 +1,246 @@
+Copyright (c) 1992,1993,1995,1996, Jens-Uwe Mager, Helios Software GmbH
+Not derived from licensed software.
+
+Permission is granted to freely use, copy, modify, and redistribute
+this software, provided that the author is not construed to be liable
+for any results of using the software, alterations are clearly marked
+as such, and this notice is not modified.
+
+libdl.a
+-------
+
+This is an emulation library to emulate the SunOS/System V.4 functions
+to access the runtime linker. The functions are emulated by using the
+AIX load() function and by reading the .loader section of the loaded
+module to find the exports. The to be loaded module should be linked as
+follows (if using AIX 3):
+
+	cc -o module.so -bM:SRE -bE:module.exp -e _nostart $(OBJS)
+
+For AIX 4:
+
+	cc -o module.so -bM:SRE -bE:module.exp -bnoentry $(OBJS)
+
+If you want to reference symbols from the main part of the program in a
+loaded module, you will have to link against the export file of the
+main part:
+
+	cc -o main -bE:main.exp $(MAIN_OBJS)
+	cc -o module.so -bM:SRE -bI:main.exp -bE:module.exp -bnoentry $(OBJS)
+
+Note that you explicitely have to specify what functions are supposed
+to be accessible from your loaded modules, this is different from
+SunOS/System V.4 where any global is automatically exported. If you
+want to export all globals, the following script might be of help:
+
+#!/bin/sh
+/usr/ucb/nm -g $* | awk '$2 == "B" || $2 == "D" { print $3 }'
+
+The module export file contains the symbols to be exported. Because
+this library uses the loader section, the final module.so file can be
+stripped. C++ users should build their shared objects using the script
+makeC++SharedLib (part of the IBM C++ compiler), this will make sure
+that constructors and destructors for static and global objects will be
+called upon loading and unloading the module. GNU C++ users should use
+the -shared option to g++ to link the shared object:
+
+	g++ -o module.so -shared $(OBJS)
+
+If the shared object does have permissions for anybody, the shared
+object will be loaded into the shared library segment and it will stay
+there even if the main application terminates. If you rebuild your
+shared object after a bugfix and you want to make sure that you really
+get the newest version you will have to use the "slibclean" command
+before starting the application again to garbage collect the shared
+library segment. If the performance utilities (bosperf) are installed
+you can use the following command to see what shared objects are
+loaded:
+
+/usr/lpp/bosperf/genkld | sort | uniq
+
+For easier debugging you can avoid loading the shared object into the
+shared library segment alltogether by removing permissions for others
+from the module.so file:
+
+chmod o-rwx module.so
+
+This will ensure you get a fresh copy of the shared object for every
+dlopen() call which is loaded into the application's data segment.
+
+Usage
+-----
+
+void *dlopen(const char *path, int mode);
+
+This routine loads the module pointed to by path and reads its export
+table. If the path does not contain a '/' character, dlopen will search
+for the module using the LIBPATH environment variable. It returns an
+opaque handle to the module or NULL on error. The mode parameter can be
+either RTLD_LAZY (for lazy function binding) or RTLD_NOW for immediate
+function binding. The AIX implementation currently does treat RTLD_NOW
+the same as RTLD_LAZY. The flag RTLD_GLOBAL might be or'ed into the
+mode parameter to allow loaded modules to bind to global variables or
+functions in other loaded modules loaded by dlopen(). If RTLD_GLOBAL is
+not specified, only globals from the main part of the executable or
+shared libraries are used to look for undefined symbols in loaded
+modules.
+
+
+void *dlsym(void *handle, const char *symbol);
+
+This routine searches for the symbol in the module referred to by
+handle and returns its address. If the symbol could not be found, the
+function returns NULL. The return value must be casted to a proper
+function pointer before it can be used. SunOS/System V.4 allows handle
+to be a NULL pointer to refer to the module the call is made from, this
+is not implemented.
+
+int dlclose(void *handle);
+
+This routine unloads the module referred to by the handle and disposes
+of any local storage. this function returns -1 on failure. Any function
+pointers obtained through dlsym() should be considered invalid after
+closing a module.
+
+As AIX caches shared objects in the shared library segment, function
+pointers obtained through dlsym() might still work even though the
+module has been unloaded. This can introduce subtle bugs that will
+segment fault later if AIX garbage collects or immediatly on
+SunOS/System V.4 as the text segment is unmapped.
+
+char *dlerror(void);
+
+This routine can be used to retrieve a text message describing the most
+recent error that occured on on of the above routines. This function
+returns NULL if there is no error information.
+
+Initialization and termination handlers
+---------------------------------------
+
+The emulation provides for an initialization and a termination
+handler.  The dlfcn.h file contains a structure declaration named
+dl_info with following members:
+
+	void (*init)(void);
+	void (*fini)(void);
+
+The init function is called upon first referencing the library. The
+fini function is called at dlclose() time or when the process exits.
+The module should declare a variable named dl_info that contains this
+structure which must be exported.  These functions correspond to the
+documented _init() and _fini() functions of SunOS 4.x, but these are
+appearently not implemented in SunOS.  When using SunOS 5.0, these
+correspond to #pragma init and #pragma fini respectively. At the same
+time any static or global C++ object's constructors or destructors will
+be called.
+
+BUGS
+----
+
+Please note that there is currently a problem with implicitely loaded
+shared C++ libaries: if you refer to a shared C++ library from a loaded
+module that is not yet used by the main program, the dlopen() emulator
+does not notice this and does not call the static constructors for the
+implicitely loaded library. This can be easily demonstrated by
+referencing the C++ standard streams from a loaded module if the main
+program is a plain C program.
+
+Jens-Uwe Mager
+
+HELIOS Software GmbH
+Lavesstr. 80
+30159 Hannover
+Germany
+
+Phone:		+49 511 36482-0
+FAX:		+49 511 36482-69
+AppleLink:	helios.de/jum
+Internet:	jum@helios.de
+
+Revison History
+---------------
+
+SCCS/s.dlfcn.h:
+
+D 1.4 95/04/25 09:36:52 jum 4 3	00018/00004/00028
+MRs:
+COMMENTS:
+added RTLD_GLOBAL, include and C++ guards
+
+D 1.3 92/12/27 20:58:32 jum 3 2	00001/00001/00031
+MRs:
+COMMENTS:
+we always have prototypes on RS/6000
+
+D 1.2 92/08/16 17:45:11 jum 2 1	00009/00000/00023
+MRs:
+COMMENTS:
+added dl_info structure to implement initialize and terminate functions
+
+D 1.1 92/08/02 18:08:45 jum 1 0	00023/00000/00000
+MRs:
+COMMENTS:
+Erstellungsdatum und -uhrzeit 92/08/02 18:08:45 von jum
+
+SCCS/s.dlfcn.c:
+
+D 1.11 96/04/10 20:12:51 jum 13 12	00037/00000/00533
+MRs:
+COMMENTS:
+Integrated the changes from John W. Eaton <jwe@bevo.che.wisc.edu> to initialize
+g++ generated shared objects.
+
+D 1.10 96/02/15 17:42:44 jum 12 10	00012/00007/00521
+MRs:
+COMMENTS:
+the C++ constructor and destructor chains are now called properly for either
+xlC 2 or xlC 3 (CSet++).
+
+D 1.9 95/09/22 11:09:38 markus 10 9	00001/00008/00527
+MRs:
+COMMENTS:
+Fix version number
+
+D 1.8 95/09/22 10:14:34 markus 9 8	00008/00001/00527
+MRs:
+COMMENTS:
+Added version number for dl lib
+
+D 1.7 95/08/14 19:08:38 jum 8 6	00026/00004/00502
+MRs:
+COMMENTS:
+Integrated the fixes from Kirk Benell (kirk@rsinc.com) to allow loading of
+shared objects generated under AIX 4. Fixed bug that symbols with exactly
+8 characters would use garbage characters from the following symbol value.
+
+D 1.6 95/04/25 09:38:03 jum 6 5	00046/00006/00460
+MRs:
+COMMENTS:
+added handling of C++ static constructors and destructors, added RTLD_GLOBAL to bind against other loaded modules
+
+D 1.5 93/02/14 20:14:17 jum 5 4	00002/00000/00464
+MRs:
+COMMENTS:
+added path to dlopen error message to make clear where there error occured.
+
+D 1.4 93/01/03 19:13:56 jum 4 3	00061/00005/00403
+MRs:
+COMMENTS:
+to allow calling symbols in the main module call load with L_NOAUTODEFER and 
+do a loadbind later with the main module.
+
+D 1.3 92/12/27 20:59:55 jum 3 2	00066/00008/00342
+MRs:
+COMMENTS:
+added search by L_GETINFO if module got loaded by LIBPATH
+
+D 1.2 92/08/16 17:45:43 jum 2 1	00074/00006/00276
+MRs:
+COMMENTS:
+implemented initialize and terminate functions, added reference counting to avoid multiple loads of the same library
+
+D 1.1 92/08/02 18:08:45 jum 1 0	00282/00000/00000
+MRs:
+COMMENTS:
+Erstellungsdatum und -uhrzeit 92/08/02 18:08:45 von jum
+
diff --git a/crypto/kerberosIV/lib/kafs/afskrb.c b/crypto/kerberosIV/lib/kafs/afskrb.c
new file mode 100644
index 0000000..ccfecb7
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/afskrb.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afskrb.c,v 1.13.2.1 2000/06/23 03:26:53 assar Exp $");
+
+struct krb_kafs_data {
+    const char *realm;
+};
+
+static int
+get_cred(kafs_data *data, const char *name, const char *inst, 
+	 const char *realm, CREDENTIALS *c)
+{
+    KTEXT_ST tkt;
+    int ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, c);
+    
+    if (ret) {
+	ret = krb_mk_req(&tkt, (char*)name, (char*)inst, (char*)realm, 0);
+	if (ret == KSUCCESS)
+	    ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, c);
+    }
+    return ret;
+}
+
+static int
+afslog_uid_int(kafs_data *data,
+	       const char *cell,
+	       const char *realm_hint,
+	       uid_t uid,
+	       const char *homedir)
+{
+    int ret;
+    CREDENTIALS c;
+    char realm[REALM_SZ];
+    
+    if (cell == 0 || cell[0] == 0)
+	return _kafs_afslog_all_local_cells (data, uid, homedir);
+
+    /* Extract realm from ticket file. */
+    ret = krb_get_tf_fullname(tkt_string(), NULL, NULL, realm);
+    if (ret != KSUCCESS)
+	return ret;
+
+    ret = _kafs_get_cred(data, cell, realm_hint, realm, &c);
+    
+    if (ret == 0)
+	ret = kafs_settoken(cell, uid, &c);
+    return ret;
+}
+
+static char *
+get_realm(kafs_data *data, const char *host)
+{
+    char *r = krb_realmofhost(host);
+    if(r != NULL)
+	return strdup(r);
+    else
+	return NULL;
+}
+
+int
+krb_afslog_uid_home(const char *cell, const char *realm_hint, uid_t uid,
+		    const char *homedir)
+{
+    kafs_data kd;
+
+    kd.afslog_uid = afslog_uid_int;
+    kd.get_cred = get_cred;
+    kd.get_realm = get_realm;
+    kd.data = 0;
+    return afslog_uid_int(&kd, cell, realm_hint, uid, homedir);
+}
+
+int
+krb_afslog_uid(const char *cell, const char *realm_hint, uid_t uid)
+{
+    return krb_afslog_uid_home(cell, realm_hint, uid, NULL);
+}
+
+int
+krb_afslog(const char *cell, const char *realm_hint)
+{
+    return krb_afslog_uid(cell, realm_hint, getuid());
+}
+
+int
+krb_afslog_home(const char *cell, const char *realm_hint, const char *homedir)
+{
+    return krb_afslog_uid_home(cell, realm_hint, getuid(), homedir);
+}
+
+/*
+ *
+ */
+
+int
+krb_realm_of_cell(const char *cell, char **realm)
+{
+    kafs_data kd;
+
+    kd.get_realm = get_realm;
+    return _kafs_realm_of_cell(&kd, cell, realm);
+}
diff --git a/crypto/kerberosIV/lib/kafs/afskrb5.c b/crypto/kerberosIV/lib/kafs/afskrb5.c
new file mode 100644
index 0000000..4c35ea7
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/afskrb5.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afskrb5.c,v 1.13 1999/12/02 16:58:39 joda Exp $");
+
+struct krb5_kafs_data {
+    krb5_context context;
+    krb5_ccache id;
+    krb5_const_realm realm;
+};
+
+static int
+get_cred(kafs_data *data, const char *name, const char *inst, 
+	 const char *realm, CREDENTIALS *c)
+{
+    krb5_error_code ret;
+    krb5_creds in_creds, *out_creds;
+    struct krb5_kafs_data *d = data->data;
+
+    memset(&in_creds, 0, sizeof(in_creds));
+    ret = krb5_425_conv_principal(d->context, name, inst, realm, 
+				  &in_creds.server);
+    if(ret)
+	return ret;
+    ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client);
+    if(ret){
+	krb5_free_principal(d->context, in_creds.server);
+	return ret;
+    }
+    in_creds.session.keytype = KEYTYPE_DES;
+    ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
+    krb5_free_principal(d->context, in_creds.server);
+    krb5_free_principal(d->context, in_creds.client);
+    if(ret)
+	return ret;
+    ret = krb524_convert_creds_kdc(d->context, d->id, out_creds, c);
+    krb5_free_creds(d->context, out_creds);
+    return ret;
+}
+
+static krb5_error_code
+afslog_uid_int(kafs_data *data, const char *cell, const char *rh, uid_t uid,
+	       const char *homedir)
+{
+    krb5_error_code ret;
+    CREDENTIALS c;
+    krb5_principal princ;
+    krb5_realm *trealm; /* ticket realm */
+    struct krb5_kafs_data *d = data->data;
+    
+    if (cell == 0 || cell[0] == 0)
+	return _kafs_afslog_all_local_cells (data, uid, homedir);
+
+    ret = krb5_cc_get_principal (d->context, d->id, &princ);
+    if (ret)
+	return ret;
+
+    trealm = krb5_princ_realm (d->context, princ);
+
+    if (d->realm != NULL && strcmp (d->realm, *trealm) == 0) {
+	trealm = NULL;
+	krb5_free_principal (d->context, princ);
+    }
+
+    ret = _kafs_get_cred(data, cell, d->realm, *trealm, &c);
+    if(trealm)
+	krb5_free_principal (d->context, princ);
+    
+    if(ret == 0)
+	ret = kafs_settoken(cell, uid, &c);
+    return ret;
+}
+
+static char *
+get_realm(kafs_data *data, const char *host)
+{
+    struct krb5_kafs_data *d = data->data;
+    krb5_realm *realms;
+    char *r;
+    if(krb5_get_host_realm(d->context, host, &realms))
+	return NULL;
+    r = strdup(realms[0]);
+    krb5_free_host_realm(d->context, realms);
+    return r;
+}
+
+krb5_error_code
+krb5_afslog_uid_home(krb5_context context,
+		     krb5_ccache id,
+		     const char *cell,
+		     krb5_const_realm realm,
+		     uid_t uid,
+		     const char *homedir)
+{
+    kafs_data kd;
+    struct krb5_kafs_data d;
+    kd.afslog_uid = afslog_uid_int;
+    kd.get_cred = get_cred;
+    kd.get_realm = get_realm;
+    kd.data = &d;
+    d.context = context;
+    d.id = id;
+    d.realm = realm;
+    return afslog_uid_int(&kd, cell, 0, uid, homedir);
+}
+
+krb5_error_code
+krb5_afslog_uid(krb5_context context,
+		krb5_ccache id,
+		const char *cell,
+		krb5_const_realm realm,
+		uid_t uid)
+{
+    return krb5_afslog_uid_home (context, id, cell, realm, uid, NULL);
+}
+
+krb5_error_code
+krb5_afslog(krb5_context context,
+	    krb5_ccache id, 
+	    const char *cell,
+	    krb5_const_realm realm)
+{
+    return krb5_afslog_uid (context, id, cell, realm, getuid());
+}
+
+krb5_error_code
+krb5_afslog_home(krb5_context context,
+		 krb5_ccache id, 
+		 const char *cell,
+		 krb5_const_realm realm,
+		 const char *homedir)
+{
+    return krb5_afslog_uid_home (context, id, cell, realm, getuid(), homedir);
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_realm_of_cell(const char *cell, char **realm)
+{
+    kafs_data kd;
+
+    kd.get_realm = get_realm;
+    return _kafs_realm_of_cell(&kd, cell, realm);
+}
diff --git a/crypto/kerberosIV/lib/kafs/afsl.exp b/crypto/kerberosIV/lib/kafs/afsl.exp
new file mode 100644
index 0000000..4d2b00e
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/afsl.exp
@@ -0,0 +1,6 @@
+#!/unix
+
+* This mumbo jumbo creates entry points to syscalls in _AIX
+
+lpioctl	syscall
+lsetpag	syscall
diff --git a/crypto/kerberosIV/lib/kafs/afslib.c b/crypto/kerberosIV/lib/kafs/afslib.c
new file mode 100644
index 0000000..ae3b5a5
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/afslib.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* 
+ * This file is only used with AIX 
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afslib.c,v 1.6 1999/12/02 16:58:40 joda Exp $");
+
+int
+aix_pioctl(char *a_path,
+	   int o_opcode,
+	   struct ViceIoctl *a_paramsP,
+	   int a_followSymlinks)
+{
+    return lpioctl(a_path, o_opcode, a_paramsP, a_followSymlinks);
+}
+
+int
+aix_setpag(void)
+{
+    return lsetpag();
+}
diff --git a/crypto/kerberosIV/lib/kafs/afslib.exp b/crypto/kerberosIV/lib/kafs/afslib.exp
new file mode 100644
index 0000000..f288717
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/afslib.exp
@@ -0,0 +1,3 @@
+#!
+aix_pioctl
+aix_setpag
diff --git a/crypto/kerberosIV/lib/kafs/afssys.c b/crypto/kerberosIV/lib/kafs/afssys.c
new file mode 100644
index 0000000..a45f445
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/afssys.c
@@ -0,0 +1,398 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: afssys.c,v 1.65.2.1 2000/06/23 03:27:23 assar Exp $");
+
+int _kafs_debug; /* this should be done in a better way */
+
+#define NO_ENTRY_POINT		0
+#define SINGLE_ENTRY_POINT	1
+#define MULTIPLE_ENTRY_POINT	2
+#define SINGLE_ENTRY_POINT2	3
+#define SINGLE_ENTRY_POINT3	4
+#define AIX_ENTRY_POINTS	5
+#define UNKNOWN_ENTRY_POINT	6
+static int afs_entry_point = UNKNOWN_ENTRY_POINT;
+static int afs_syscalls[2];
+
+/* Magic to get AIX syscalls to work */
+#ifdef _AIX
+
+static int (*Pioctl)(char*, int, struct ViceIoctl*, int);
+static int (*Setpag)(void);
+
+#include "dlfcn.h"
+
+/*
+ *
+ */
+
+static int
+try_aix(void)
+{
+#ifdef STATIC_AFS_SYSCALLS
+    Pioctl = aix_pioctl;
+    Setpag = aix_setpag;
+#else
+    void *ptr;
+    char path[MaxPathLen], *p;
+    /*
+     * If we are root or running setuid don't trust AFSLIBPATH!
+     */
+    if (getuid() != 0 && !issuid() && (p = getenv("AFSLIBPATH")) != NULL)
+	strlcpy(path, p, sizeof(path));
+    else
+	snprintf(path, sizeof(path), "%s/afslib.so", LIBDIR);
+	
+    ptr = dlopen(path, RTLD_NOW);
+    if(ptr == NULL) {
+	if(_kafs_debug) {
+	    if(errno == ENOEXEC && (p = dlerror()) != NULL)
+		fprintf(stderr, "dlopen(%s): %s\n", path, p);
+	    else if (errno != ENOENT)
+		fprintf(stderr, "dlopen(%s): %s\n", path, strerror(errno));
+	}
+	return 1;
+    }
+    Setpag = (int (*)(void))dlsym(ptr, "aix_setpag");
+    Pioctl = (int (*)(char*, int, 
+		      struct ViceIoctl*, int))dlsym(ptr, "aix_pioctl");
+#endif
+    afs_entry_point = AIX_ENTRY_POINTS;
+    return 0;
+}
+#endif /* _AIX */
+
+/* 
+ * This probably only works under Solaris and could get confused if
+ * there's a /etc/name_to_sysnum file.  
+ */
+
+#define _PATH_ETC_NAME_TO_SYSNUM "/etc/name_to_sysnum"
+
+static int
+map_syscall_name_to_number (const char *str, int *res)
+{
+    FILE *f;
+    char buf[256];
+    size_t str_len = strlen (str);
+
+    f = fopen (_PATH_ETC_NAME_TO_SYSNUM, "r");
+    if (f == NULL)
+	return -1;
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if (buf[0] == '#')
+	    continue;
+
+	if (strncmp (str, buf, str_len) == 0) {
+	    char *begptr = buf + str_len;
+	    char *endptr;
+	    long val = strtol (begptr, &endptr, 0);
+
+	    if (val != 0 && endptr != begptr) {
+		fclose (f);
+		*res = val;
+		return 0;
+	    }
+	}
+    }
+    fclose (f);
+    return -1;
+}
+
+int
+k_pioctl(char *a_path,
+	 int o_opcode,
+	 struct ViceIoctl *a_paramsP,
+	 int a_followSymlinks)
+{
+#ifndef NO_AFS
+    switch(afs_entry_point){
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+    case SINGLE_ENTRY_POINT:
+    case SINGLE_ENTRY_POINT2:
+    case SINGLE_ENTRY_POINT3:
+	return syscall(afs_syscalls[0], AFSCALL_PIOCTL,
+		       a_path, o_opcode, a_paramsP, a_followSymlinks);
+#endif
+#if defined(AFS_PIOCTL)
+    case MULTIPLE_ENTRY_POINT:
+	return syscall(afs_syscalls[0],
+		       a_path, o_opcode, a_paramsP, a_followSymlinks);
+#endif
+#ifdef _AIX
+    case AIX_ENTRY_POINTS:
+	return Pioctl(a_path, o_opcode, a_paramsP, a_followSymlinks);
+#endif
+    }
+    
+    errno = ENOSYS;
+#ifdef SIGSYS
+    kill(getpid(), SIGSYS);	/* You loose! */
+#endif
+#endif /* NO_AFS */
+    return -1;
+}
+
+int
+k_afs_cell_of_file(const char *path, char *cell, int len)
+{
+    struct ViceIoctl parms;
+    parms.in = NULL;
+    parms.in_size = 0;
+    parms.out = cell;
+    parms.out_size = len;
+    return k_pioctl((char*)path, VIOC_FILE_CELL_NAME, &parms, 1);
+}
+
+int
+k_unlog(void)
+{
+    struct ViceIoctl parms;
+    memset(&parms, 0, sizeof(parms));
+    return k_pioctl(0, VIOCUNLOG, &parms, 0);
+}
+
+int
+k_setpag(void)
+{
+#ifndef NO_AFS
+    switch(afs_entry_point){
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+    case SINGLE_ENTRY_POINT:
+    case SINGLE_ENTRY_POINT2:
+    case SINGLE_ENTRY_POINT3:
+	return syscall(afs_syscalls[0], AFSCALL_SETPAG);
+#endif
+#if defined(AFS_PIOCTL)
+    case MULTIPLE_ENTRY_POINT:
+	return syscall(afs_syscalls[1]);
+#endif
+#ifdef _AIX
+    case AIX_ENTRY_POINTS:
+	return Setpag();
+#endif
+    }
+    
+    errno = ENOSYS;
+#ifdef SIGSYS
+    kill(getpid(), SIGSYS);	/* You loose! */
+#endif
+#endif /* NO_AFS */
+    return -1;
+}
+
+static jmp_buf catch_SIGSYS;
+
+#ifdef SIGSYS
+
+static RETSIGTYPE
+SIGSYS_handler(int sig)
+{
+    errno = 0;
+    signal(SIGSYS, SIGSYS_handler); /* Need to reinstall handler on SYSV */
+    longjmp(catch_SIGSYS, 1);
+}
+
+#endif
+
+/*
+ * Try to see if `syscall' is a pioctl.  Return 0 iff succesful.
+ */
+
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+static int
+try_one (int syscall_num)
+{
+    struct ViceIoctl parms;
+    memset(&parms, 0, sizeof(parms));
+
+    if (setjmp(catch_SIGSYS) == 0) {
+	syscall(syscall_num, AFSCALL_PIOCTL,
+		0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+	if (errno == EINVAL) {
+	    afs_entry_point = SINGLE_ENTRY_POINT;
+	    afs_syscalls[0] = syscall_num;
+	    return 0;
+	}
+    }
+    return 1;
+}
+#endif
+
+/*
+ * Try to see if `syscall_pioctl' is a pioctl syscall.  Return 0 iff
+ * succesful.
+ *
+ */
+
+#ifdef AFS_PIOCTL
+static int
+try_two (int syscall_pioctl, int syscall_setpag)
+{
+    struct ViceIoctl parms;
+    memset(&parms, 0, sizeof(parms));
+
+    if (setjmp(catch_SIGSYS) == 0) {
+	syscall(syscall_pioctl,
+		0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+	if (errno == EINVAL) {
+	    afs_entry_point = MULTIPLE_ENTRY_POINT;
+	    afs_syscalls[0] = syscall_pioctl;
+	    afs_syscalls[1] = syscall_setpag;
+	    return 0;
+	}
+    }
+    return 1;
+}
+#endif
+
+int
+k_hasafs(void)
+{
+#if !defined(NO_AFS) && defined(SIGSYS)
+    RETSIGTYPE (*saved_func)();
+#endif
+    int saved_errno;
+    char *env = getenv ("AFS_SYSCALL");
+  
+    /*
+     * Already checked presence of AFS syscalls?
+     */
+    if (afs_entry_point != UNKNOWN_ENTRY_POINT)
+	return afs_entry_point != NO_ENTRY_POINT;
+
+    /*
+     * Probe kernel for AFS specific syscalls,
+     * they (currently) come in two flavors.
+     * If the syscall is absent we recive a SIGSYS.
+     */
+    afs_entry_point = NO_ENTRY_POINT;
+  
+    saved_errno = errno;
+#ifndef NO_AFS
+#ifdef SIGSYS
+    saved_func = signal(SIGSYS, SIGSYS_handler);
+#endif
+
+#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3)
+    {
+	int tmp;
+
+	if (env != NULL) {
+	    if (sscanf (env, "%d", &tmp) == 1) {
+		if (try_one (tmp) == 0)
+		    goto done;
+	    } else {
+		char *end = NULL;
+		char *p;
+		char *s = strdup (env);
+
+		if (s != NULL) {
+		    for (p = strtok_r (s, ",", &end);
+			 p != NULL;
+			 p = strtok_r (NULL, ",", &end)) {
+			if (map_syscall_name_to_number (p, &tmp) == 0)
+			    if (try_one (tmp) == 0) {
+				free (s);
+				goto done;
+			    }
+		    }
+		    free (s);
+		}
+	    }
+	}
+    }
+#endif /* AFS_SYSCALL || AFS_SYSCALL2 || AFS_SYSCALL3 */
+
+#ifdef AFS_SYSCALL
+    if (try_one (AFS_SYSCALL) == 0)
+	goto done;
+#endif /* AFS_SYSCALL */
+
+#ifdef AFS_PIOCTL
+    {
+	int tmp[2];
+
+	if (env != NULL && sscanf (env, "%d%d", &tmp[0], &tmp[1]) == 2)
+	    if (try_two (tmp[0], tmp[1]) == 2)
+		goto done;
+    }
+#endif /* AFS_PIOCTL */
+
+#ifdef AFS_PIOCTL
+    if (try_two (AFS_PIOCTL, AFS_SETPAG) == 0)
+	goto done;
+#endif /* AFS_PIOCTL */
+
+#ifdef AFS_SYSCALL2
+    if (try_one (AFS_SYSCALL2) == 0)
+	goto done;
+#endif /* AFS_SYSCALL2 */
+
+#ifdef AFS_SYSCALL3
+    if (try_one (AFS_SYSCALL3) == 0)
+	goto done;
+#endif /* AFS_SYSCALL3 */
+
+#ifdef _AIX
+#if 0
+    if (env != NULL) {
+	char *pos = NULL;
+	char *pioctl_name;
+	char *setpag_name;
+
+	pioctl_name = strtok_r (env, ", \t", &pos);
+	if (pioctl_name != NULL) {
+	    setpag_name = strtok_r (NULL, ", \t", &pos);
+	    if (setpag_name != NULL)
+		if (try_aix (pioctl_name, setpag_name) == 0)
+		    goto done;
+	}
+    }
+#endif
+
+    if(try_aix() == 0)
+	goto done;
+#endif
+
+done:
+#ifdef SIGSYS
+    signal(SIGSYS, saved_func);
+#endif
+#endif /* NO_AFS */
+    errno = saved_errno;
+    return afs_entry_point != NO_ENTRY_POINT;
+}
diff --git a/crypto/kerberosIV/lib/kafs/afssysdefs.h b/crypto/kerberosIV/lib/kafs/afssysdefs.h
new file mode 100644
index 0000000..685e375
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/afssysdefs.h
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: afssysdefs.h,v 1.21.2.2 2000/03/26 20:10:11 assar Exp $ */
+
+/*
+ * This section is for machines using single entry point AFS syscalls!
+ * and/or
+ * This section is for machines using multiple entry point AFS syscalls!
+ *
+ * SunOS 4 is an example of single entry point and sgi of multiple
+ * entry point syscalls.
+ */
+
+#if SunOS == 40
+#define AFS_SYSCALL	31
+#endif
+
+#if SunOS >= 50 && SunOS < 57
+#define AFS_SYSCALL	105
+#endif
+
+#if SunOS >= 57
+#define AFS_SYSCALL	73
+#endif
+
+#if defined(__hpux)
+#define AFS_SYSCALL	50
+#define AFS_SYSCALL2	49
+#define AFS_SYSCALL3	48
+#endif
+
+#if defined(_AIX)
+/* _AIX is too weird */
+#endif
+
+#if defined(__sgi)
+#define AFS_PIOCTL      (64+1000)
+#define AFS_SETPAG      (65+1000)
+#endif
+
+#if defined(__osf__)
+#define AFS_SYSCALL	232
+#define AFS_SYSCALL2	258
+#endif
+
+#if defined(__ultrix)
+#define AFS_SYSCALL	31
+#endif
+
+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
+#define AFS_SYSCALL 210
+#endif
+
+#ifdef __APPLE__		/* MacOS X */
+#define AFS_SYSCALL 230
+#endif
+
+#ifdef SYS_afs_syscall
+#define AFS_SYSCALL3	SYS_afs_syscall
+#endif
diff --git a/crypto/kerberosIV/lib/kafs/common.c b/crypto/kerberosIV/lib/kafs/common.c
new file mode 100644
index 0000000..207b9b6
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/common.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "kafs_locl.h"
+
+RCSID("$Id: common.c,v 1.19 1999/12/02 16:58:40 joda Exp $");
+
+#define AUTH_SUPERUSER "afs"
+
+/*
+ * Here only ASCII characters are relevant.
+ */
+
+#define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z')
+
+#define ToAsciiUpper(c) ((c) - 'a' + 'A')
+
+static void
+foldup(char *a, const char *b)
+{
+  for (; *b; a++, b++)
+    if (IsAsciiLower(*b))
+      *a = ToAsciiUpper(*b);
+    else
+      *a = *b;
+  *a = '\0';
+}
+
+int
+kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c)
+{
+    struct ViceIoctl parms;
+    struct ClearToken ct;
+    int32_t sizeof_x;
+    char buf[2048], *t;
+    int ret;
+    
+    /*
+     * Build a struct ClearToken
+     */
+    ct.AuthHandle = c->kvno;
+    memcpy (ct.HandShakeKey, c->session, sizeof(c->session));
+    ct.ViceId = uid;
+    ct.BeginTimestamp = c->issue_date;
+    ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime);
+    if(ct.EndTimestamp < time(NULL))
+	return 0; /* don't store tokens that has expired (and possibly
+		     overwriting valid tokens)*/
+
+#define ODD(x) ((x) & 1)
+    /* According to Transarc conventions ViceId is valid iff
+     * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime
+     * the transformations:
+     *
+     * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life)
+     * preserves the original values.
+     */
+    if (uid != 0)		/* valid ViceId */
+      {
+	if (!ODD(ct.EndTimestamp - ct.BeginTimestamp))
+	  ct.EndTimestamp--;
+      }
+    else			/* not valid ViceId */
+      {
+	if (ODD(ct.EndTimestamp - ct.BeginTimestamp))
+	  ct.EndTimestamp--;
+      }
+
+    t = buf;
+    /*
+     * length of secret token followed by secret token
+     */
+    sizeof_x = c->ticket_st.length;
+    memcpy(t, &sizeof_x, sizeof(sizeof_x));
+    t += sizeof(sizeof_x);
+    memcpy(t, c->ticket_st.dat, sizeof_x);
+    t += sizeof_x;
+    /*
+     * length of clear token followed by clear token
+     */
+    sizeof_x = sizeof(ct);
+    memcpy(t, &sizeof_x, sizeof(sizeof_x));
+    t += sizeof(sizeof_x);
+    memcpy(t, &ct, sizeof_x);
+    t += sizeof_x;
+
+    /*
+     * do *not* mark as primary cell
+     */
+    sizeof_x = 0;
+    memcpy(t, &sizeof_x, sizeof(sizeof_x));
+    t += sizeof(sizeof_x);
+    /*
+     * follow with cell name
+     */
+    sizeof_x = strlen(cell) + 1;
+    memcpy(t, cell, sizeof_x);
+    t += sizeof_x;
+
+    /*
+     * Build argument block
+     */
+    parms.in = buf;
+    parms.in_size = t - buf;
+    parms.out = 0;
+    parms.out_size = 0;
+    ret = k_pioctl(0, VIOCSETTOK, &parms, 0);
+    return ret;
+}
+
+/* Try to get a db-server for an AFS cell from a AFSDB record */
+
+static int
+dns_find_cell(const char *cell, char *dbserver, size_t len)
+{
+    struct dns_reply *r;
+    int ok = -1;
+    r = dns_lookup(cell, "afsdb");
+    if(r){
+	struct resource_record *rr = r->head;
+	while(rr){
+	    if(rr->type == T_AFSDB && rr->u.afsdb->preference == 1){
+		strlcpy(dbserver,
+				rr->u.afsdb->domain,
+				len);
+		ok = 0;
+		break;
+	    }
+	    rr = rr->next;
+	}
+	dns_free_data(r);
+    }
+    return ok;
+}
+
+
+/*
+ * Try to find the cells we should try to klog to in "file".
+ */
+static void
+find_cells(char *file, char ***cells, int *index)
+{
+    FILE *f;
+    char cell[64];
+    int i;
+    int ind = *index;
+
+    f = fopen(file, "r");
+    if (f == NULL)
+	return;
+    while (fgets(cell, sizeof(cell), f)) {
+	char *t;
+	t = cell + strlen(cell);
+	for (; t >= cell; t--)
+	  if (*t == '\n' || *t == '\t' || *t == ' ')
+	    *t = 0;
+	if (cell[0] == '\0' || cell[0] == '#')
+	    continue;
+	for(i = 0; i < ind; i++)
+	    if(strcmp((*cells)[i], cell) == 0)
+		break;
+	if(i == ind){
+	    char **tmp;
+
+	    tmp = realloc(*cells, (ind + 1) * sizeof(**cells));
+	    if (tmp == NULL)
+		break;
+	    *cells = tmp;
+	    (*cells)[ind] = strdup(cell);
+	    if ((*cells)[ind] == NULL)
+		break;
+	    ++ind;
+	}
+    }
+    fclose(f);
+    *index = ind;
+}
+
+/*
+ * Get tokens for all cells[]
+ */
+static int
+afslog_cells(kafs_data *data, char **cells, int max, uid_t uid,
+	     const char *homedir)
+{
+    int ret = 0;
+    int i;
+    for (i = 0; i < max; i++) {
+        int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir);
+	if (er)
+	    ret = er;
+    }
+    return ret;
+}
+
+int
+_kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir)
+{
+    int ret;
+    char **cells = NULL;
+    int index = 0;
+
+    if (homedir == NULL)
+	homedir = getenv("HOME");
+    if (homedir != NULL) {
+	char home[MaxPathLen];
+	snprintf(home, sizeof(home), "%s/.TheseCells", homedir);
+	find_cells(home, &cells, &index);
+    }
+    find_cells(_PATH_THESECELLS, &cells, &index);
+    find_cells(_PATH_THISCELL, &cells, &index);
+    find_cells(_PATH_ARLA_THESECELLS, &cells, &index);
+    find_cells(_PATH_ARLA_THISCELL, &cells, &index);
+    
+    ret = afslog_cells(data, cells, index, uid, homedir);
+    while(index > 0)
+	free(cells[--index]);
+    free(cells);
+    return ret;
+}
+
+
+/* Find the realm associated with cell. Do this by opening
+   /usr/vice/etc/CellServDB and getting the realm-of-host for the
+   first VL-server for the cell.
+
+   This does not work when the VL-server is living in one realm, but
+   the cell it is serving is living in another realm.
+
+   Return 0 on success, -1 otherwise.
+   */
+
+int
+_kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm)
+{
+    FILE *F;
+    char buf[1024];
+    char *p;
+    int ret = -1;
+
+    if ((F = fopen(_PATH_CELLSERVDB, "r"))
+	|| (F = fopen(_PATH_ARLA_CELLSERVDB, "r"))) {
+	while (fgets(buf, sizeof(buf), F)) {
+	    if (buf[0] != '>')
+		continue; /* Not a cell name line, try next line */
+	    if (strncmp(buf + 1, cell, strlen(cell)) == 0) {
+		/*
+		 * We found the cell name we're looking for.
+		 * Read next line on the form ip-address '#' hostname
+		 */
+		if (fgets(buf, sizeof(buf), F) == NULL)
+		    break;	/* Read failed, give up */
+		p = strchr(buf, '#');
+		if (p == NULL)
+		    break;	/* No '#', give up */
+		p++;
+		if (buf[strlen(buf) - 1] == '\n')
+		    buf[strlen(buf) - 1] = '\0';
+		*realm = (*data->get_realm)(data, p);
+		if (*realm && **realm != '\0')
+		    ret = 0;
+		break;		/* Won't try any more */
+	    }
+	}
+	fclose(F);
+    }
+    if (*realm == NULL && dns_find_cell(cell, buf, sizeof(buf)) == 0) {
+	*realm = strdup(krb_realmofhost(buf));
+	if(*realm != NULL)
+	    ret = 0;
+    }
+    return ret;
+}
+
+int
+_kafs_get_cred(kafs_data *data,
+	      const char *cell, 
+	      const char *realm_hint,
+	      const char *realm,
+	      CREDENTIALS *c)
+{
+    int ret = -1;
+    char *vl_realm;
+    char CELL[64];
+
+    /* We're about to find the the realm that holds the key for afs in
+     * the specified cell. The problem is that null-instance
+     * afs-principals are common and that hitting the wrong realm might
+     * yield the wrong afs key. The following assumptions were made.
+     *
+     * Any realm passed to us is preferred.
+     *
+     * If there is a realm with the same name as the cell, it is most
+     * likely the correct realm to talk to.
+     *
+     * In most (maybe even all) cases the database servers of the cell
+     * will live in the realm we are looking for.
+     *
+     * Try the local realm, but if the previous cases fail, this is
+     * really a long shot.
+     *
+     */
+  
+    /* comments on the ordering of these tests */
+
+    /* If the user passes a realm, she probably knows something we don't
+     * know and we should try afs@realm_hint (otherwise we're talking with a
+     * blondino and she might as well have it.)
+     */
+  
+    if (realm_hint) {
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm_hint, c);
+	if (ret == 0) return 0;
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm_hint, c);
+	if (ret == 0) return 0;
+    }
+
+    foldup(CELL, cell);
+
+    /*
+     * If cell == realm we don't need no cross-cell authentication.
+     * Try afs@REALM.
+     */
+    if (strcmp(CELL, realm) == 0) {
+        ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm, c);
+	if (ret == 0) return 0;
+	/* Try afs.cell@REALM below. */
+    }
+
+    /*
+     * If the AFS servers have a file /usr/afs/etc/krb.conf containing
+     * REALM we still don't have to resort to cross-cell authentication.
+     * Try afs.cell@REALM.
+     */
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm, c);
+    if (ret == 0) return 0;
+
+    /*
+     * We failed to get ``first class tickets'' for afs,
+     * fall back to cross-cell authentication.
+     * Try afs@CELL.
+     * Try afs.cell@CELL.
+     */
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c);
+    if (ret == 0) return 0;
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c);
+    if (ret == 0) return 0;
+
+    /*
+     * Perhaps the cell doesn't correspond to any realm?
+     * Use realm of first volume location DB server.
+     * Try afs.cell@VL_REALM.
+     * Try afs@VL_REALM???
+     */
+    if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0
+	&& strcmp(vl_realm, realm) != 0
+	&& strcmp(vl_realm, CELL) != 0) {
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c);
+	if (ret)
+	    ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c);
+	free(vl_realm);
+	if (ret == 0) return 0;
+    }
+
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/kafs/dlfcn.c b/crypto/kerberosIV/lib/kafs/dlfcn.c
new file mode 100644
index 0000000..728cf5c
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/dlfcn.c
@@ -0,0 +1,581 @@
+/*
+ * @(#)dlfcn.c	1.11 revision of 96/04/10  20:12:51
+ * This is an unpublished work copyright (c) 1992 HELIOS Software GmbH
+ * 30159 Hannover, Germany
+ */
+
+/*
+ * Changes marked with `--jwe' were made on April 7 1996 by John W. Eaton
+ * <jwe@bevo.che.wisc.edu> to support g++ and/or use with Octave.
+ */
+
+/*
+ * This makes my life easier with Octave.  --jwe
+ */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/ldr.h>
+#include <a.out.h>
+#include <ldfcn.h>
+#include "dlfcn.h"
+
+/*
+ * We simulate dlopen() et al. through a call to load. Because AIX has
+ * no call to find an exported symbol we read the loader section of the
+ * loaded module and build a list of exported symbols and their virtual
+ * address.
+ */
+
+typedef struct {
+	char		*name;		/* the symbols's name */
+	void		*addr;		/* its relocated virtual address */
+} Export, *ExportPtr;
+
+/*
+ * xlC uses the following structure to list its constructors and
+ * destructors. This is gleaned from the output of munch.
+ */
+typedef struct {
+	void (*init)(void);		/* call static constructors */
+	void (*term)(void);		/* call static destructors */
+} Cdtor, *CdtorPtr;
+
+typedef void (*GccCDtorPtr)(void);
+
+/*
+ * The void * handle returned from dlopen is actually a ModulePtr.
+ */
+typedef struct Module {
+	struct Module	*next;
+	char		*name;		/* module name for refcounting */
+	int		refCnt;		/* the number of references */
+	void		*entry;		/* entry point from load */
+	struct dl_info	*info;		/* optional init/terminate functions */
+	CdtorPtr	cdtors;		/* optional C++ constructors */
+	GccCDtorPtr	gcc_ctor;	/* g++ constructors  --jwe */
+	GccCDtorPtr	gcc_dtor;	/* g++ destructors  --jwe */
+	int		nExports;	/* the number of exports found */
+	ExportPtr	exports;	/* the array of exports */
+} Module, *ModulePtr;
+
+/*
+ * We keep a list of all loaded modules to be able to call the fini
+ * handlers and destructors at atexit() time.
+ */
+static ModulePtr modList;
+
+/*
+ * The last error from one of the dl* routines is kept in static
+ * variables here. Each error is returned only once to the caller.
+ */
+static char errbuf[BUFSIZ];
+static int errvalid;
+
+/*
+ * The `fixed' gcc header files on AIX 3.2.5 provide a prototype for
+ * strdup().  --jwe
+ */
+#ifndef HAVE_STRDUP
+extern char *strdup(const char *);
+#endif
+static void caterr(char *);
+static int readExports(ModulePtr);
+static void terminate(void);
+static void *findMain(void);
+
+void *dlopen(const char *path, int mode)
+{
+	ModulePtr mp;
+	static void *mainModule;
+
+	/*
+	 * Upon the first call register a terminate handler that will
+	 * close all libraries. Also get a reference to the main module
+	 * for use with loadbind.
+	 */
+	if (!mainModule) {
+		if ((mainModule = findMain()) == NULL)
+			return NULL;
+		atexit(terminate);
+	}
+	/*
+	 * Scan the list of modules if we have the module already loaded.
+	 */
+	for (mp = modList; mp; mp = mp->next)
+		if (strcmp(mp->name, path) == 0) {
+			mp->refCnt++;
+			return mp;
+		}
+	if ((mp = (ModulePtr)calloc(1, sizeof(*mp))) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf), "calloc: %s", strerror(errno));
+		return NULL;
+	}
+	if ((mp->name = strdup(path)) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf), "strdup: %s", strerror(errno));
+		free(mp);
+		return NULL;
+	}
+	/*
+	 * load should be declared load(const char *...). Thus we
+	 * cast the path to a normal char *. Ugly.
+	 */
+	if ((mp->entry = (void *)load((char *)path, L_NOAUTODEFER, NULL)) == NULL) {
+		free(mp->name);
+		free(mp);
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "dlopen: %s: ", path);
+		/*
+		 * If AIX says the file is not executable, the error
+		 * can be further described by querying the loader about
+		 * the last error.
+		 */
+		if (errno == ENOEXEC) {
+			char *tmp[BUFSIZ/sizeof(char *)];
+			if (loadquery(L_GETMESSAGES, tmp, sizeof(tmp)) == -1)
+				strlcpy(errbuf,
+						strerror(errno),
+						sizeof(errbuf));
+			else {
+				char **p;
+				for (p = tmp; *p; p++)
+					caterr(*p);
+			}
+		} else
+			strlcat(errbuf,
+					strerror(errno),
+					sizeof(errbuf));
+		return NULL;
+	}
+	mp->refCnt = 1;
+	mp->next = modList;
+	modList = mp;
+	if (loadbind(0, mainModule, mp->entry) == -1) {
+		dlclose(mp);
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "loadbind: %s", strerror(errno));
+		return NULL;
+	}
+	/*
+	 * If the user wants global binding, loadbind against all other
+	 * loaded modules.
+	 */
+	if (mode & RTLD_GLOBAL) {
+		ModulePtr mp1;
+		for (mp1 = mp->next; mp1; mp1 = mp1->next)
+			if (loadbind(0, mp1->entry, mp->entry) == -1) {
+				dlclose(mp);
+				errvalid++;
+				snprintf (errbuf, sizeof(errbuf),
+					  "loadbind: %s",
+					  strerror(errno));
+				return NULL;
+			}
+	}
+	if (readExports(mp) == -1) {
+		dlclose(mp);
+		return NULL;
+	}
+	/*
+	 * If there is a dl_info structure, call the init function.
+	 */
+	if (mp->info = (struct dl_info *)dlsym(mp, "dl_info")) {
+		if (mp->info->init)
+			(*mp->info->init)();
+	} else
+		errvalid = 0;
+	/*
+	 * If the shared object was compiled using xlC we will need
+	 * to call static constructors (and later on dlclose destructors).
+	 */
+	if (mp->cdtors = (CdtorPtr)dlsym(mp, "__cdtors")) {
+		CdtorPtr cp = mp->cdtors;
+		while (cp->init || cp->term) {
+			if (cp->init && cp->init != (void (*)(void))0xffffffff)
+				(*cp->init)();
+			cp++;
+		}
+	/*
+	 * If the shared object was compiled using g++, we will need
+	 * to call global constructors using the _GLOBAL__DI function,
+	 * and later, global destructors using the _GLOBAL_DD
+	 * funciton.  --jwe
+	 */
+	} else if (mp->gcc_ctor = (GccCDtorPtr)dlsym(mp, "_GLOBAL__DI")) {
+		(*mp->gcc_ctor)();
+		mp->gcc_dtor = (GccCDtorPtr)dlsym(mp, "_GLOBAL__DD"); 
+	} else
+		errvalid = 0;
+	return mp;
+}
+
+/*
+ * Attempt to decipher an AIX loader error message and append it
+ * to our static error message buffer.
+ */
+static void caterr(char *s)
+{
+	char *p = s;
+
+	while (*p >= '0' && *p <= '9')
+		p++;
+	switch(atoi(s)) {
+	case L_ERROR_TOOMANY:
+		strlcat(errbuf, "to many errors", sizeof(errbuf));
+		break;
+	case L_ERROR_NOLIB:
+		strlcat(errbuf, "can't load library", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_UNDEF:
+		strlcat(errbuf, "can't find symbol", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_RLDBAD:
+		strlcat(errbuf, "bad RLD", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_FORMAT:
+		strlcat(errbuf, "bad exec format in", sizeof(errbuf));
+		strlcat(errbuf, p, sizeof(errbuf));
+		break;
+	case L_ERROR_ERRNO:
+		strlcat(errbuf, strerror(atoi(++p)), sizeof(errbuf));
+		break;
+	default:
+		strlcat(errbuf, s, sizeof(errbuf));
+		break;
+	}
+}
+
+void *dlsym(void *handle, const char *symbol)
+{
+	ModulePtr mp = (ModulePtr)handle;
+	ExportPtr ep;
+	int i;
+
+	/*
+	 * Could speed up the search, but I assume that one assigns
+	 * the result to function pointers anyways.
+	 */
+	for (ep = mp->exports, i = mp->nExports; i; i--, ep++)
+		if (strcmp(ep->name, symbol) == 0)
+			return ep->addr;
+	errvalid++;
+	snprintf (errbuf, sizeof(errbuf),
+		  "dlsym: undefined symbol %s", symbol);		  
+	return NULL;
+}
+
+char *dlerror(void)
+{
+	if (errvalid) {
+		errvalid = 0;
+		return errbuf;
+	}
+	return NULL;
+}
+
+int dlclose(void *handle)
+{
+	ModulePtr mp = (ModulePtr)handle;
+	int result;
+	ModulePtr mp1;
+
+	if (--mp->refCnt > 0)
+		return 0;
+	if (mp->info && mp->info->fini)
+		(*mp->info->fini)();
+	if (mp->cdtors) {
+		CdtorPtr cp = mp->cdtors;
+		while (cp->init || cp->term) {
+			if (cp->term && cp->init != (void (*)(void))0xffffffff)
+				(*cp->term)();
+			cp++;
+		}
+	/*
+	 * If the function to handle global destructors for g++
+	 * exists, call it.  --jwe
+	 */
+	} else if (mp->gcc_dtor) {
+	        (*mp->gcc_dtor)();
+	}
+	result = unload(mp->entry);
+	if (result == -1) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "%s", strerror(errno));
+	}
+	if (mp->exports) {
+		ExportPtr ep;
+		int i;
+		for (ep = mp->exports, i = mp->nExports; i; i--, ep++)
+			if (ep->name)
+				free(ep->name);
+		free(mp->exports);
+	}
+	if (mp == modList)
+		modList = mp->next;
+	else {
+		for (mp1 = modList; mp1; mp1 = mp1->next)
+			if (mp1->next == mp) {
+				mp1->next = mp->next;
+				break;
+			}
+	}
+	free(mp->name);
+	free(mp);
+	return result;
+}
+
+static void terminate(void)
+{
+	while (modList)
+		dlclose(modList);
+}
+
+/*
+ * Build the export table from the XCOFF .loader section.
+ */
+static int readExports(ModulePtr mp)
+{
+	LDFILE *ldp = NULL;
+	SCNHDR sh, shdata;
+	LDHDR *lhp;
+	char *ldbuf;
+	LDSYM *ls;
+	int i;
+	ExportPtr ep;
+
+	if ((ldp = ldopen(mp->name, ldp)) == NULL) {
+		struct ld_info *lp;
+		char *buf;
+		int size = 4*1024;
+		if (errno != ENOENT) {
+			errvalid++;
+			snprintf(errbuf, sizeof(errbuf),
+				 "readExports: %s",
+				 strerror(errno));
+			return -1;
+		}
+		/*
+		 * The module might be loaded due to the LIBPATH
+		 * environment variable. Search for the loaded
+		 * module using L_GETINFO.
+		 */
+		if ((buf = malloc(size)) == NULL) {
+			errvalid++;
+			snprintf(errbuf, sizeof(errbuf),
+				 "readExports: %s",
+				 strerror(errno));
+			return -1;
+		}
+		while ((i = loadquery(L_GETINFO, buf, size)) == -1 && errno == ENOMEM) {
+			free(buf);
+			size += 4*1024;
+			if ((buf = malloc(size)) == NULL) {
+				errvalid++;
+				snprintf(errbuf, sizeof(errbuf),
+					 "readExports: %s",
+					 strerror(errno));
+				return -1;
+			}
+		}
+		if (i == -1) {
+			errvalid++;
+			snprintf(errbuf, sizeof(errbuf),
+				 "readExports: %s",
+				 strerror(errno));
+			free(buf);
+			return -1;
+		}
+		/*
+		 * Traverse the list of loaded modules. The entry point
+		 * returned by load() does actually point to the data
+		 * segment origin.
+		 */
+		lp = (struct ld_info *)buf;
+		while (lp) {
+			if (lp->ldinfo_dataorg == mp->entry) {
+				ldp = ldopen(lp->ldinfo_filename, ldp);
+				break;
+			}
+			if (lp->ldinfo_next == 0)
+				lp = NULL;
+			else
+				lp = (struct ld_info *)((char *)lp + lp->ldinfo_next);
+		}
+		free(buf);
+		if (!ldp) {
+			errvalid++;
+			snprintf (errbuf, sizeof(errbuf),
+				  "readExports: %s", strerror(errno));
+			return -1;
+		}
+	}
+	if (TYPE(ldp) != U802TOCMAGIC) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf), "readExports: bad magic");
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	/*
+	 * Get the padding for the data section. This is needed for
+	 * AIX 4.1 compilers. This is used when building the final
+	 * function pointer to the exported symbol.
+	 */
+	if (ldnshread(ldp, _DATA, &shdata) != SUCCESS) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot read data section header");
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	if (ldnshread(ldp, _LOADER, &sh) != SUCCESS) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot read loader section header");
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	/*
+	 * We read the complete loader section in one chunk, this makes
+	 * finding long symbol names residing in the string table easier.
+	 */
+	if ((ldbuf = (char *)malloc(sh.s_size)) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "readExports: %s", strerror(errno));
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	if (FSEEK(ldp, sh.s_scnptr, BEGINNING) != OKFSEEK) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot seek to loader section");
+		free(ldbuf);
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	if (FREAD(ldbuf, sh.s_size, 1, ldp) != 1) {
+		errvalid++;
+		snprintf(errbuf, sizeof(errbuf),
+			 "readExports: cannot read loader section");
+		free(ldbuf);
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	lhp = (LDHDR *)ldbuf;
+	ls = (LDSYM *)(ldbuf+LDHDRSZ);
+	/*
+	 * Count the number of exports to include in our export table.
+	 */
+	for (i = lhp->l_nsyms; i; i--, ls++) {
+		if (!LDR_EXPORT(*ls))
+			continue;
+		mp->nExports++;
+	}
+	if ((mp->exports = (ExportPtr)calloc(mp->nExports, sizeof(*mp->exports))) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "readExports: %s", strerror(errno));
+		free(ldbuf);
+		while(ldclose(ldp) == FAILURE)
+			;
+		return -1;
+	}
+	/*
+	 * Fill in the export table. All entries are relative to
+	 * the entry point we got from load.
+	 */
+	ep = mp->exports;
+	ls = (LDSYM *)(ldbuf+LDHDRSZ);
+	for (i = lhp->l_nsyms; i; i--, ls++) {
+		char *symname;
+		char tmpsym[SYMNMLEN+1];
+		if (!LDR_EXPORT(*ls))
+			continue;
+		if (ls->l_zeroes == 0)
+			symname = ls->l_offset+lhp->l_stoff+ldbuf;
+		else {
+			/*
+			 * The l_name member is not zero terminated, we
+			 * must copy the first SYMNMLEN chars and make
+			 * sure we have a zero byte at the end.
+			 */
+		        strlcpy (tmpsym, ls->l_name,
+					 SYMNMLEN + 1);
+			symname = tmpsym;
+		}
+		ep->name = strdup(symname);
+		ep->addr = (void *)((unsigned long)mp->entry +
+					ls->l_value - shdata.s_vaddr);
+		ep++;
+	}
+	free(ldbuf);
+	while(ldclose(ldp) == FAILURE)
+		;
+	return 0;
+}
+
+/*
+ * Find the main modules entry point. This is used as export pointer
+ * for loadbind() to be able to resolve references to the main part.
+ */
+static void * findMain(void)
+{
+	struct ld_info *lp;
+	char *buf;
+	int size = 4*1024;
+	int i;
+	void *ret;
+
+	if ((buf = malloc(size)) == NULL) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "findMail: %s", strerror(errno));
+		return NULL;
+	}
+	while ((i = loadquery(L_GETINFO, buf, size)) == -1 && errno == ENOMEM) {
+		free(buf);
+		size += 4*1024;
+		if ((buf = malloc(size)) == NULL) {
+			errvalid++;
+			snprintf (errbuf, sizeof(errbuf),
+				  "findMail: %s", strerror(errno));
+			return NULL;
+		}
+	}
+	if (i == -1) {
+		errvalid++;
+		snprintf (errbuf, sizeof(errbuf),
+			  "findMail: %s", strerror(errno));
+		free(buf);
+		return NULL;
+	}
+	/*
+	 * The first entry is the main module. The entry point
+	 * returned by load() does actually point to the data
+	 * segment origin.
+	 */
+	lp = (struct ld_info *)buf;
+	ret = lp->ldinfo_dataorg;
+	free(buf);
+	return ret;
+}
diff --git a/crypto/kerberosIV/lib/kafs/dlfcn.h b/crypto/kerberosIV/lib/kafs/dlfcn.h
new file mode 100644
index 0000000..5671e9c
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/dlfcn.h
@@ -0,0 +1,46 @@
+/*
+ * @(#)dlfcn.h	1.4 revision of 95/04/25  09:36:52
+ * This is an unpublished work copyright (c) 1992 HELIOS Software GmbH
+ * 30159 Hannover, Germany
+ */
+
+#ifndef __dlfcn_h__
+#define __dlfcn_h__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Mode flags for the dlopen routine.
+ */
+#define RTLD_LAZY	1	/* lazy function call binding */
+#define RTLD_NOW	2	/* immediate function call binding */
+#define RTLD_GLOBAL	0x100	/* allow symbols to be global */
+
+/*
+ * To be able to intialize, a library may provide a dl_info structure
+ * that contains functions to be called to initialize and terminate.
+ */
+struct dl_info {
+	void (*init)(void);
+	void (*fini)(void);
+};
+
+#if __STDC__ || defined(_IBMR2)
+void *dlopen(const char *path, int mode);
+void *dlsym(void *handle, const char *symbol);
+char *dlerror(void);
+int dlclose(void *handle);
+#else
+void *dlopen();
+void *dlsym();
+char *dlerror();
+int dlclose();
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __dlfcn_h__ */
diff --git a/crypto/kerberosIV/lib/kafs/kafs.h b/crypto/kerberosIV/lib/kafs/kafs.h
new file mode 100644
index 0000000..cb4b000
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/kafs.h
@@ -0,0 +1,192 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kafs.h,v 1.32 1999/12/02 16:58:40 joda Exp $ */
+/* $FreeBSD$ */
+
+#ifndef __KAFS_H
+#define __KAFS_H
+
+/* XXX must include krb5.h or krb.h */
+
+/* sys/ioctl.h must be included manually before kafs.h */
+
+/*
+ */
+#define AFSCALL_PIOCTL 20
+#define AFSCALL_SETPAG 21
+
+#ifndef _VICEIOCTL
+#define _VICEIOCTL(id)  ((unsigned int ) _IOW('V', id, struct ViceIoctl))
+#endif /* _VICEIOCTL */
+
+#define VIOCSETAL		_VICEIOCTL(1)
+#define VIOCGETAL		_VICEIOCTL(2)
+#define VIOCSETTOK		_VICEIOCTL(3)
+#define VIOCGETVOLSTAT		_VICEIOCTL(4)
+#define VIOCSETVOLSTAT		_VICEIOCTL(5)
+#define VIOCFLUSH		_VICEIOCTL(6)
+#define VIOCGETTOK		_VICEIOCTL(8)
+#define VIOCUNLOG		_VICEIOCTL(9)
+#define VIOCCKSERV		_VICEIOCTL(10)
+#define VIOCCKBACK		_VICEIOCTL(11)
+#define VIOCCKCONN		_VICEIOCTL(12)
+#define VIOCWHEREIS		_VICEIOCTL(14)
+#define VIOCACCESS		_VICEIOCTL(20)
+#define VIOCUNPAG		_VICEIOCTL(21)
+#define VIOCGETFID		_VICEIOCTL(22)
+#define VIOCSETCACHESIZE	_VICEIOCTL(24)
+#define VIOCFLUSHCB		_VICEIOCTL(25)
+#define VIOCNEWCELL		_VICEIOCTL(26)
+#define VIOCGETCELL		_VICEIOCTL(27)
+#define VIOC_AFS_DELETE_MT_PT	_VICEIOCTL(28)
+#define VIOC_AFS_STAT_MT_PT	_VICEIOCTL(29)
+#define VIOC_FILE_CELL_NAME	_VICEIOCTL(30)
+#define VIOC_GET_WS_CELL	_VICEIOCTL(31)
+#define VIOC_AFS_MARINER_HOST	_VICEIOCTL(32)
+#define VIOC_GET_PRIMARY_CELL	_VICEIOCTL(33)
+#define VIOC_VENUSLOG		_VICEIOCTL(34)
+#define VIOC_GETCELLSTATUS	_VICEIOCTL(35)
+#define VIOC_SETCELLSTATUS	_VICEIOCTL(36)
+#define VIOC_FLUSHVOLUME	_VICEIOCTL(37)
+#define VIOC_AFS_SYSNAME	_VICEIOCTL(38)
+#define VIOC_EXPORTAFS		_VICEIOCTL(39)
+#define VIOCGETCACHEPARAMS	_VICEIOCTL(40)
+#define VIOC_GCPAGS		_VICEIOCTL(48) 
+
+struct ViceIoctl {
+  caddr_t in, out;
+  short in_size;
+  short out_size;
+};
+
+struct ClearToken {
+  int32_t AuthHandle;
+  char HandShakeKey[8];
+  int32_t ViceId;
+  int32_t BeginTimestamp;
+  int32_t EndTimestamp;
+};
+
+#ifdef __STDC__
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+/* Use k_hasafs() to probe if the machine supports AFS syscalls.
+   The other functions will generate a SIGSYS if AFS is not supported */
+
+int k_hasafs __P((void));
+
+int krb_afslog __P((const char *cell, const char *realm));
+int krb_afslog_uid __P((const char *cell, const char *realm, uid_t uid));
+int krb_afslog_home __P((const char *cell, const char *realm,
+			 const char *homedir));
+int krb_afslog_uid_home __P((const char *cell, const char *realm, uid_t uid,
+			     const char *homedir));
+
+int krb_realm_of_cell __P((const char *cell, char **realm));
+
+/* compat */
+#define k_afsklog krb_afslog
+#define k_afsklog_uid krb_afslog_uid
+
+int k_pioctl __P((char *a_path,
+		  int o_opcode,
+		  struct ViceIoctl *a_paramsP,
+		  int a_followSymlinks));
+int k_unlog __P((void));
+int k_setpag __P((void));
+int k_afs_cell_of_file __P((const char *path, char *cell, int len));
+
+
+
+/* XXX */
+#ifdef KFAILURE
+#define KRB_H_INCLUDED
+#endif
+
+#ifdef KRB5_RECVAUTH_IGNORE_VERSION
+#define KRB5_H_INCLUDED
+#endif
+
+#ifdef KRB_H_INCLUDED
+int kafs_settoken __P((const char*, uid_t, CREDENTIALS*));
+#endif
+
+#ifdef KRB5_H_INCLUDED
+krb5_error_code krb5_afslog_uid __P((krb5_context context,
+				     krb5_ccache id,
+				     const char *cell,
+				     krb5_const_realm realm,
+				     uid_t uid));
+krb5_error_code krb5_afslog __P((krb5_context context,
+				 krb5_ccache id, 
+				 const char *cell,
+				 krb5_const_realm realm));
+krb5_error_code krb5_afslog_uid_home __P((krb5_context context,
+					  krb5_ccache id,
+					  const char *cell,
+					  krb5_const_realm realm,
+					  uid_t uid,
+					  const char *homedir));
+
+krb5_error_code krb5_afslog_home __P((krb5_context context,
+				      krb5_ccache id,
+				      const char *cell,
+				      krb5_const_realm realm,
+				      const char *homedir));
+
+krb5_error_code krb5_realm_of_cell __P((const char *cell, char **realm));
+
+#endif
+
+
+#define _PATH_VICE		"/usr/vice/etc/"
+#define _PATH_THISCELL 		_PATH_VICE "ThisCell"
+#define _PATH_CELLSERVDB 	_PATH_VICE "CellServDB"
+#define _PATH_THESECELLS	_PATH_VICE "TheseCells"
+
+#define _PATH_ARLA_VICE		"/usr/arla/etc/"
+#define _PATH_ARLA_THISCELL	_PATH_ARLA_VICE "ThisCell"
+#define _PATH_ARLA_CELLSERVDB 	_PATH_ARLA_VICE "CellServDB"
+#define _PATH_ARLA_THESECELLS	_PATH_ARLA_VICE "TheseCells"
+
+extern int _kafs_debug;
+
+#endif /* __KAFS_H */
diff --git a/crypto/kerberosIV/lib/kafs/kafs_locl.h b/crypto/kerberosIV/lib/kafs/kafs_locl.h
new file mode 100644
index 0000000..ac1c2f6
--- /dev/null
+++ b/crypto/kerberosIV/lib/kafs/kafs_locl.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kafs_locl.h,v 1.15 1999/12/02 16:58:40 joda Exp $ */
+
+#ifndef __KAFS_LOCL_H__
+#define __KAFS_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <errno.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+
+#ifdef HAVE_SYS_SYSCALL_H
+#include <sys/syscall.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+#include <roken.h>
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#endif
+#include <kafs.h>
+
+#include <resolve.h>
+
+#include "afssysdefs.h"
+
+struct kafs_data;
+typedef int (*afslog_uid_func_t)(struct kafs_data *,
+				 const char *cell,
+				 const char *realm_hint,
+				 uid_t,
+				 const char *homedir);
+
+typedef int (*get_cred_func_t)(struct kafs_data*, const char*, const char*, 
+				    const char*, CREDENTIALS*);
+
+typedef char* (*get_realm_func_t)(struct kafs_data*, const char*);
+
+typedef struct kafs_data {
+    afslog_uid_func_t afslog_uid;
+    get_cred_func_t get_cred;
+    get_realm_func_t get_realm;
+    void *data;
+} kafs_data;
+
+int _kafs_afslog_all_local_cells(kafs_data*, uid_t, const char*);
+
+int _kafs_get_cred(kafs_data*, const char*, const char*, const char *, 
+		  CREDENTIALS*);
+
+int
+_kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm);
+
+#ifdef _AIX
+int aix_pioctl(char*, int, struct ViceIoctl*, int);
+int aix_setpag(void);
+#endif
+
+#endif /* __KAFS_LOCL_H__ */
diff --git a/crypto/kerberosIV/lib/kclient/KClient.c b/crypto/kerberosIV/lib/kclient/KClient.c
new file mode 100644
index 0000000..6d4ed60
--- /dev/null
+++ b/crypto/kerberosIV/lib/kclient/KClient.c
@@ -0,0 +1,440 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* KClient.c - KClient glue to krb4.dll
+ * Author: Jörgen Karlsson - d93-jka@nada.kth.se
+ * Date: June 1996
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: KClient.c,v 1.14 1999/12/02 16:58:40 joda Exp $");
+#endif
+
+#ifdef WIN32	/* Visual C++ 4.0 (Windows95/NT) */
+#include <Windows.h>
+#endif /* WIN32 */
+
+//#include <string.h>
+#include <winsock.h>
+#include "passwd_dlg.h"
+#include "KClient.h"
+#include "krb.h"
+
+char guser[64];
+
+void
+msg(char *text)
+{
+    HWND wnd = GetActiveWindow();
+    MessageBox(wnd, text, "KClient message", MB_OK|MB_APPLMODAL);
+}
+ 
+BOOL
+SendTicketForService(LPSTR service, LPSTR version, int fd)
+{
+    KTEXT_ST ticket;
+    MSG_DAT mdat;
+    CREDENTIALS cred;
+    des_key_schedule schedule;
+    char name[SNAME_SZ], inst[INST_SZ], realm[REALM_SZ];
+    int ret;
+    static KClientSessionInfo foo;
+    KClientKey key;
+
+    kname_parse(name, inst, realm, service);
+    strlcpy(foo.realm, realm, sizeof(foo.realm));
+
+    if(KClientStatus(&foo) == KClientNotLoggedIn)
+	KClientLogin(&foo, &key);
+
+    ret = krb_sendauth (0, fd, &ticket,
+			name, inst, realm, 17, &mdat,
+			&cred, &schedule, NULL, NULL, version);
+    if(ret)
+	return FALSE;
+    return TRUE;
+}
+
+BOOL WINAPI
+DllMain(HANDLE hInst, ULONG reason, LPVOID lpReserved)
+{
+    WORD wVersionRequested;
+    WSADATA wsaData;
+    int err;
+
+    switch(reason){
+    case DLL_PROCESS_ATTACH:
+	wVersionRequested = MAKEWORD(1, 1);
+
+	err = WSAStartup(wVersionRequested, &wsaData);
+
+	if (err != 0)
+	{
+	    /* Tell the user that we couldn't find a useable */
+	    /* winsock.dll.     */
+	    msg("Cannot find winsock.dll");
+	    return FALSE;
+	}
+	break;
+    case DLL_PROCESS_DETACH:
+	WSACleanup();
+    }
+
+    return TRUE;
+}
+
+Kerr
+KClientMessage(char *text, Kerr error)
+{
+    msg(text);
+    return error;
+}
+
+/* KClientInitSession
+ * You need to call this routine before calling most other routines.
+ * It initializes a KClientSessionInfo structure.
+ * The local and remote addresses are for use in KClientEncrypt,
+ * KClientDecrypt, KClientMakeSendAuth and KClientVerifySendAuth.
+ * If you don't use any of these routines it's perfectly OK to do the following...
+ * err = KClientInitSession(session,0,0,0,0);
+ */
+Kerr
+KClientInitSession(KClientSessionInfo *session,
+		   unsigned long lAddr,
+		   unsigned short lPort,
+		   unsigned long fAddr,
+		   unsigned short fPort)
+{
+    session->lAddr = lAddr;
+    session->lPort = lPort;
+    session->fAddr = fAddr;
+    session->fPort = fPort;
+    if(tf_get_pname(session->user) != KSUCCESS)
+	*(session->user) = '\0';
+    if(tf_get_pinst(session->inst) != KSUCCESS)
+	*(session->inst) = '\0';
+    krb_get_lrealm (session->realm, 1);
+    if(*(session->user))
+	strlcpy(guser, session->user, sizeof(guser));
+    else
+	*guser ='\0';
+    
+    return 0;
+}
+
+
+/* KClientGetTicketForService
+ * This routine gets an authenticator to be passed to a service.
+ * If the user isn't already logged in the user is prompted for a password.
+ */
+Kerr
+KClientGetTicketForService(KClientSessionInfo *session,
+			   char *service,
+			   void *buf,
+			   unsigned long *buflen)
+{
+    CREDENTIALS c;
+    KClientKey k;
+    KTEXT_ST ticket;
+    char serv[255], inst[255], realm[255];
+    Kerr err;
+
+    //	KClientSetUserName(session->user);
+    err = kname_parse(serv,inst,realm,service);
+    if(*realm)
+	strlcpy(session->realm, realm, sizeof(session->realm));
+    else
+	strlcpy(realm, session->realm, sizeof(realm));
+    if(KClientStatus(session) == KClientNotLoggedIn)
+	if((err = KClientLogin(session, &k)) != KSUCCESS)
+	    return err;
+
+    if((err = krb_mk_req(&ticket, serv, inst, realm, 0)) != KSUCCESS)
+	return KClientMessage(KClientErrorText(err,0),err);
+    if((err = krb_get_cred(serv, inst, realm, &c)) != KSUCCESS)
+	return KClientMessage(KClientErrorText(err,0),err);
+
+    if(*buflen >= ticket.length)
+    {
+	*buflen = ticket.length + sizeof(unsigned long);
+	CopyMemory(buf, &ticket, *buflen);
+	CopyMemory(session->key, c.session, sizeof(session->key));
+    }
+    else
+	err = -1;
+    return err;
+}
+
+
+/* KClientLogin
+ * This routine "logs in" by getting a ticket granting ticket from kerberos.
+ * It returns the user's private key which can be used to automate login at
+ * a later time with KClientKeyLogin.
+ */
+
+Kerr
+KClientLogin(KClientSessionInfo *session,
+	     KClientKey *privateKey)
+{
+    CREDENTIALS c;
+    Kerr err;
+    char passwd[100];
+	
+    if((err = pwd_dialog(guser, passwd)))
+	return err;
+    if(KClientStatus(session) == KClientNotLoggedIn)
+    {
+
+	if((err = krb_get_pw_in_tkt(guser, session->inst, session->realm,
+				    "krbtgt", session->realm,
+				    DEFAULT_TKT_LIFE, passwd)) != KSUCCESS)
+	    return KClientMessage(KClientErrorText(err,0),err);
+    }
+    if((err = krb_get_cred("krbtgt", session->realm,
+			   session->realm, &c)) == KSUCCESS)
+	CopyMemory(privateKey, c.session, sizeof(*privateKey));
+    return err;
+}
+
+
+/* KClientPasswordLogin
+ * This routine is similiar to KClientLogin but instead of prompting the user
+ * for a password it uses the password supplied to establish login.
+ */
+Kerr
+KClientPasswordLogin(KClientSessionInfo *session,
+		     char *password,
+		     KClientKey *privateKey)
+{
+    return krb_get_pw_in_tkt(guser, session->inst, session->realm,
+			     "krbtgt",
+			     session->realm,
+			     DEFAULT_TKT_LIFE,
+			     password);
+}
+
+
+static key_proc_t
+key_proc(void *arg)
+{
+	return arg;
+}
+
+/* KClientKeyLogin
+ * This routine is similiar to KClientLogin but instead of prompting the user
+ * for a password it uses the private key supplied to establish login.
+ */
+Kerr
+KClientKeyLogin(KClientSessionInfo *session,
+		KClientKey *privateKey)
+{
+    return krb_get_in_tkt(guser, session->inst, session->realm,
+			  "krbtgt",
+			  session->realm,
+			  DEFAULT_TKT_LIFE,
+			  key_proc,
+			  0,
+			  privateKey);
+}
+
+/* KClientLogout
+ * This routine destroys all credentials stored in the credential cache
+ * effectively logging the user out.
+ */
+Kerr
+KClientLogout(void)
+{
+    return 0;
+}
+
+
+/* KClientStatus
+ * This routine returns the user's login status which can be
+ * KClientLoggedIn or KClientNotLoggedIn.
+ */
+short
+KClientStatus(KClientSessionInfo *session)
+{
+    CREDENTIALS c;
+    if(krb_get_cred("krbtgt",
+		    session->realm,
+		    session->realm, &c) == KSUCCESS)
+	return KClientLoggedIn;
+    else
+	return KClientNotLoggedIn;
+}
+
+
+/* KClientGetUserName
+ * This routine returns the name the user supplied in the login dialog.
+ * No name is returned if the user is not logged in.
+ */
+Kerr
+KClientGetUserName(char *user)
+{
+    strcpy(user, guser);
+    return 0;
+}
+
+
+/* KClientSetUserName
+ * This routine sets the name that will come up in the login dialog
+ * the next time the user is prompted for a password.
+ */
+Kerr
+KClientSetUserName(char *user)
+{
+    strlcpy(guser, user, sizeof(guser));
+    return 0;
+}
+
+
+/* KClientCacheInitialTicket
+ * This routine is used to obtain a ticket for the password changing service.
+ */
+Kerr
+KClientCacheInitialTicket(KClientSessionInfo *session,
+			  char *service)
+{
+    return 0;
+}
+
+
+/* KClientGetSessionKey
+ * This routine can be used to obtain the session key which is stored
+ * in the KClientSessionInfo record. The session key has no usefullness
+ * with any KClient calls but it can be used to with the MIT kerberos API.
+ */
+Kerr
+KClientGetSessionKey(KClientSessionInfo *session,
+		     KClientKey *sessionKey)
+{
+    CopyMemory(sessionKey, session->key, sizeof(*sessionKey));
+    return 0;
+}
+
+
+/* KClientMakeSendAuth
+ * This routine is used to create an authenticator that is the same as those
+ * created by the kerberos routine SendAuth.
+ */
+Kerr
+KClientMakeSendAuth(KClientSessionInfo *session,
+		    char *service,
+		    void *buf,
+		    unsigned long *buflen,
+		    long checksum,
+		    char *applicationVersion)
+{
+    return 0;
+}
+
+
+/* KClientVerifySendAuth
+ * This routine is used to verify a response made by a server doing RecvAuth.
+ * The two routines KClientMakeSendAuth and KClientVerifySendAuth together
+ * provide the functionality of SendAuth minus the transmission of authenticators
+ * between client->server->client.
+ */
+Kerr
+KClientVerifySendAuth(KClientSessionInfo *session,
+		      void *buf,
+		      unsigned long *buflen)
+{
+    return 0;
+}
+
+
+/* KClientEncrypt
+ * This routine encrypts a series a bytes for transmission to the remote host.
+ * For this to work properly you must be logged in and you must have specified
+ * the remote and local addresses in KClientInitSession. The unencrypted
+ * message pointed to by buf and of length buflen is returned encrypted
+ * in encryptBuf of length encryptLength.
+ * The encrypted buffer must be at least 26 bytes longer the buf.
+ */
+Kerr
+KClientEncrypt(KClientSessionInfo *session,
+	       void *buf,
+	       unsigned long buflen,
+	       void *encryptBuf,
+	       unsigned long *encryptLength)
+{
+    int num = 64;
+    des_cfb64_encrypt(buf, encryptBuf, buflen,
+		      (struct des_ks_struct*) session->key,
+		      0, &num, 1);
+    return 0;
+}
+
+
+/* KClientDecrypt
+ * This routine decrypts a series of bytes received from the remote host.
+
+ * NOTE: this routine will not reverse a KClientEncrypt call.
+ * It can only decrypt messages sent from the remote host.
+
+ * Instead of copying the decrypted message to an out buffer,
+ * the message is decrypted in place and you are returned
+ * an offset into the buffer where the decrypted message begins.
+ */
+Kerr
+KClientDecrypt(KClientSessionInfo *session,
+	       void *buf,
+	       unsigned long buflen,
+	       unsigned long *decryptOffset,
+	       unsigned long *decryptLength)
+{
+    int num;
+    des_cfb64_encrypt(buf, buf, buflen,
+		      (struct des_ks_struct*)session->key, 0, &num, 0);
+    *decryptOffset = 0;
+    *decryptLength = buflen;
+    return 0;
+}
+
+
+/* KClientErrorText
+ * This routine returns a text description of errors returned by any of
+ * the calls in this library.
+ */
+char *
+KClientErrorText(Kerr err,
+		 char *text)
+{
+    char *t = krb_get_err_text(err);
+    if(text)
+	strcpy(text, t);
+    return t;
+}
diff --git a/crypto/kerberosIV/lib/kclient/KClient.def b/crypto/kerberosIV/lib/kclient/KClient.def
new file mode 100644
index 0000000..9b55b2c
--- /dev/null
+++ b/crypto/kerberosIV/lib/kclient/KClient.def
@@ -0,0 +1,19 @@
+LIBRARY kclnt32
+EXPORTS
+	KClientInitSession
+	KClientGetTicketForService
+	KClientLogin
+	KClientPasswordLogin
+	KClientKeyLogin
+	KClientLogout
+	KClientStatus
+	KClientGetUserName
+	KClientSetUserName
+	KClientCacheInitialTicket
+	KClientGetSessionKey
+	KClientMakeSendAuth
+	KClientVerifySendAuth
+	KClientEncrypt
+	KClientDecrypt
+	KClientErrorText
+	SendTicketForService
diff --git a/crypto/kerberosIV/lib/kclient/KClient.dsp b/crypto/kerberosIV/lib/kclient/KClient.dsp
new file mode 100644
index 0000000..de4dde2
--- /dev/null
+++ b/crypto/kerberosIV/lib/kclient/KClient.dsp
@@ -0,0 +1,127 @@
+# Microsoft Developer Studio Project File - Name="kclient" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 5.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=kclient - Win32 Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "KClient.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "KClient.mak" CFG="kclient - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "kclient - Win32 Release" (based on\
+ "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "kclient - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "kclient - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir ".\Release"
+# PROP BASE Intermediate_Dir ".\Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir ".\Release"
+# PROP Intermediate_Dir ".\Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "." /I "..\krb" /I "..\..\include" /I "..\..\include\win32" /I "..\des" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c
+# ADD BASE MTL /nologo /D "NDEBUG" /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386
+# ADD LINK32 ..\krb\Release\krb.lib ..\des\Release\des.lib wsock32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /base:"0x1320000" /subsystem:windows /dll /machine:I386 /out:".\Release/kclnt32.dll"
+
+!ELSEIF  "$(CFG)" == "kclient - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir ".\Debug"
+# PROP BASE Intermediate_Dir ".\Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir ".\Debug"
+# PROP Intermediate_Dir ".\Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /Zi /Od /I "." /I "..\krb" /I "..\..\include" /I "..\..\include\win32" /I "..\des" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c
+# ADD BASE MTL /nologo /D "_DEBUG" /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386
+# ADD LINK32 ..\krb\Debug\krb.lib ..\des\Debug\des.lib wsock32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /base:"0x1320000" /subsystem:windows /dll /debug /machine:I386 /out:".\Debug/kclnt32.dll"
+
+!ENDIF 
+
+# Begin Target
+
+# Name "kclient - Win32 Release"
+# Name "kclient - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;hpj;bat;for;f90"
+# Begin Source File
+
+SOURCE=.\KClient.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\KClient.def
+# End Source File
+# Begin Source File
+
+SOURCE=.\passwd_dialog.rc
+# End Source File
+# Begin Source File
+
+SOURCE=.\passwd_dlg.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl;fi;fd"
+# Begin Source File
+
+SOURCE=.\KClient.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\passwd_dlg.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;cnt;rtf;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/crypto/kerberosIV/lib/kclient/KClient.h b/crypto/kerberosIV/lib/kclient/KClient.h
new file mode 100644
index 0000000..d8916c5
--- /dev/null
+++ b/crypto/kerberosIV/lib/kclient/KClient.h
@@ -0,0 +1,160 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* KClient.h - KClient glue to krb4.dll
+ * Author: Jörgen Karlsson - d93-jka@nada.kth.se
+ * Date: June 1996
+ */
+
+/* $Id: KClient.h,v 1.8 1999/12/02 16:58:40 joda Exp $ */
+
+#ifndef	KCLIENT_H
+#define	KCLIENT_H
+
+#ifdef MacOS
+#include <Types.h>
+typedef OSerr Kerr;
+#endif /* MacOS */
+
+#ifdef WIN32	/* Visual C++ 4.0 (Windows95/NT) */
+typedef int Kerr;
+#endif /* WIN32 */
+
+enum { KClientLoggedIn, KClientNotLoggedIn };
+
+struct _KClientKey
+{
+    unsigned char keyBytes[8];
+};
+typedef struct _KClientKey KClientKey;
+
+struct _KClientSessionInfo
+{
+    unsigned long lAddr;
+    unsigned short lPort;
+    unsigned long fAddr;
+    unsigned short fPort;
+    char user[32];
+    char inst[32];
+    char realm[32];
+    char key[8];
+};
+typedef struct _KClientSessionInfo KClientSessionInfo;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+Kerr KClientMessage(char *text, Kerr error);
+
+/* KClientInitSession */
+Kerr KClientInitSession(KClientSessionInfo *session,
+			unsigned long lAddr,
+			unsigned short lPort,
+			unsigned long fAddr,
+			unsigned short fPort);
+
+/* KClientGetTicketForService */
+Kerr KClientGetTicketForService(KClientSessionInfo *session,
+				char *service,
+				void *buf,
+				unsigned long *buflen);
+
+
+/* KClientLogin	*/
+Kerr KClientLogin(KClientSessionInfo *session,
+		  KClientKey *privateKey );
+
+/* KClientPasswordLogin */
+Kerr KClientPasswordLogin(KClientSessionInfo *session,
+			  char *password,
+			  KClientKey *privateKey);
+
+/* KClientKeyLogin */
+Kerr KClientKeyLogin(KClientSessionInfo *session, KClientKey *privateKey);
+
+/* KClientLogout */
+Kerr KClientLogout(void);
+
+/* KClientStatus */
+short KClientStatus(KClientSessionInfo *session);
+
+/* KClientGetUserName */
+Kerr KClientGetUserName(char *user);
+
+/* KClientSetUserName */
+Kerr KClientSetUserName(char *user);
+
+/* KClientCacheInitialTicket */
+Kerr KClientCacheInitialTicket(KClientSessionInfo *session,
+			       char *service);
+
+/* KClientGetSessionKey */
+Kerr KClientGetSessionKey(KClientSessionInfo *session,
+			  KClientKey *sessionKey);
+
+/* KClientMakeSendAuth */
+Kerr KClientMakeSendAuth(KClientSessionInfo *session,
+			 char *service,
+			 void *buf,
+			 unsigned long *buflen,
+			 long checksum,
+			 char *applicationVersion);
+
+/* KClientVerifySendAuth */
+Kerr KClientVerifySendAuth(KClientSessionInfo *session,
+			   void *buf,
+			   unsigned long *buflen);
+
+/* KClientEncrypt */
+Kerr KClientEncrypt(KClientSessionInfo *session,
+		    void *buf,
+		    unsigned long buflen,
+		    void *encryptBuf,
+		    unsigned long *encryptLength);
+
+/* KClientDecrypt */
+Kerr KClientDecrypt(KClientSessionInfo *session,
+		    void *buf,
+		    unsigned long buflen,
+		    unsigned long *decryptOffset,
+		    unsigned long *decryptLength);
+
+/* KClientErrorText */
+char *KClientErrorText(Kerr err, char *text);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* KCLIENT_H */
diff --git a/crypto/kerberosIV/lib/kclient/KClient.mak b/crypto/kerberosIV/lib/kclient/KClient.mak
new file mode 100644
index 0000000..40d4ab8
--- /dev/null
+++ b/crypto/kerberosIV/lib/kclient/KClient.mak
@@ -0,0 +1,297 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on KClient.dsp
+!IF "$(CFG)" == ""
+CFG=kclient - Win32 Release
+!MESSAGE No configuration specified. Defaulting to kclient - Win32 Release.
+!ENDIF 
+
+!IF "$(CFG)" != "kclient - Win32 Release" && "$(CFG)" !=\
+ "kclient - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line.  For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "KClient.mak" CFG="kclient - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "kclient - Win32 Release" (based on\
+ "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "kclient - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "kclient - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+# Begin Custom Macros
+OutDir=.\.\Release
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\kclnt32.dll"
+
+!ELSE 
+
+ALL : "krb - Win32 Release" "$(OUTDIR)\kclnt32.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"krb - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN : 
+!ENDIF 
+	-@erase "$(INTDIR)\KClient.obj"
+	-@erase "$(INTDIR)\passwd_dialog.res"
+	-@erase "$(INTDIR)\passwd_dlg.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(OUTDIR)\kclnt32.dll"
+	-@erase "$(OUTDIR)\kclnt32.exp"
+	-@erase "$(OUTDIR)\kclnt32.lib"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "." /I "..\krb" /I "..\..\include" /I\
+ "..\..\include\win32" /I "..\des" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D\
+ "HAVE_CONFIG_H" /Fp"$(INTDIR)\KClient.pch" /YX /Fo"$(INTDIR)\\"\
+ /Fd"$(INTDIR)\\" /FD /c 
+CPP_OBJS=.\Release/
+CPP_SBRS=.
+
+.c{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+MTL=midl.exe
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+RSC=rc.exe
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\passwd_dialog.res" /d "NDEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\KClient.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=..\krb\Release\krb.lib ..\des\Release\des.lib wsock32.lib\
+ kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib\
+ shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /base:"0x1320000"\
+ /subsystem:windows /dll /incremental:no /pdb:"$(OUTDIR)\kclnt32.pdb"\
+ /machine:I386 /def:".\KClient.def" /out:"$(OUTDIR)\kclnt32.dll"\
+ /implib:"$(OUTDIR)\kclnt32.lib" 
+DEF_FILE= \
+	".\KClient.def"
+LINK32_OBJS= \
+	"$(INTDIR)\KClient.obj" \
+	"$(INTDIR)\passwd_dialog.res" \
+	"$(INTDIR)\passwd_dlg.obj" \
+	"..\krb\Release\krb.lib"
+
+"$(OUTDIR)\kclnt32.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "kclient - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\kclnt32.dll"
+
+!ELSE 
+
+ALL : "krb - Win32 Debug" "$(OUTDIR)\kclnt32.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"krb - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN : 
+!ENDIF 
+	-@erase "$(INTDIR)\KClient.obj"
+	-@erase "$(INTDIR)\passwd_dialog.res"
+	-@erase "$(INTDIR)\passwd_dlg.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(INTDIR)\vc50.pdb"
+	-@erase "$(OUTDIR)\kclnt32.dll"
+	-@erase "$(OUTDIR)\kclnt32.exp"
+	-@erase "$(OUTDIR)\kclnt32.ilk"
+	-@erase "$(OUTDIR)\kclnt32.lib"
+	-@erase "$(OUTDIR)\kclnt32.pdb"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /Zi /Od /I "." /I "..\krb" /I "..\..\include"\
+ /I "..\..\include\win32" /I "..\des" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D\
+ "HAVE_CONFIG_H" /Fp"$(INTDIR)\KClient.pch" /YX /Fo"$(INTDIR)\\"\
+ /Fd"$(INTDIR)\\" /FD /c 
+CPP_OBJS=.\Debug/
+CPP_SBRS=.
+
+.c{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+MTL=midl.exe
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+RSC=rc.exe
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\passwd_dialog.res" /d "_DEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\KClient.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=..\krb\Debug\krb.lib ..\des\Debug\des.lib wsock32.lib kernel32.lib\
+ user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib\
+ ole32.lib oleaut32.lib uuid.lib /nologo /base:"0x1320000" /subsystem:windows\
+ /dll /incremental:yes /pdb:"$(OUTDIR)\kclnt32.pdb" /debug /machine:I386\
+ /def:".\KClient.def" /out:"$(OUTDIR)\kclnt32.dll"\
+ /implib:"$(OUTDIR)\kclnt32.lib" 
+DEF_FILE= \
+	".\KClient.def"
+LINK32_OBJS= \
+	"$(INTDIR)\KClient.obj" \
+	"$(INTDIR)\passwd_dialog.res" \
+	"$(INTDIR)\passwd_dlg.obj" \
+	"..\krb\Debug\krb.lib"
+
+"$(OUTDIR)\kclnt32.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+
+!IF "$(CFG)" == "kclient - Win32 Release" || "$(CFG)" ==\
+ "kclient - Win32 Debug"
+SOURCE=.\KClient.c
+DEP_CPP_KCLIE=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\des\des.h"\
+	"..\krb\krb-protos.h"\
+	"..\krb\krb.h"\
+	".\KClient.h"\
+	".\passwd_dlg.h"\
+
+
+"$(INTDIR)\KClient.obj" : $(SOURCE) $(DEP_CPP_KCLIE) "$(INTDIR)"
+
+
+SOURCE=.\passwd_dialog.rc
+
+"$(INTDIR)\passwd_dialog.res" : $(SOURCE) "$(INTDIR)"
+	$(RSC) $(RSC_PROJ) $(SOURCE)
+
+
+SOURCE=.\passwd_dlg.c
+DEP_CPP_PASSW=\
+	"..\..\include\win32\config.h"\
+	".\passwd_dlg.h"\
+	
+
+"$(INTDIR)\passwd_dlg.obj" : $(SOURCE) $(DEP_CPP_PASSW) "$(INTDIR)"
+
+
+!IF  "$(CFG)" == "kclient - Win32 Release"
+	
+"krb - Win32 Release" : 
+   cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\krb"
+   $(MAKE) /$(MAKEFLAGS) /F ".\krb.mak" CFG="krb - Win32 Release" 
+   cd "..\kclient"
+
+"krb - Win32 ReleaseCLEAN" : 
+   cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\krb"
+   $(MAKE) /$(MAKEFLAGS) CLEAN /F ".\krb.mak" CFG="krb - Win32 Release"\
+ RECURSE=1 
+   cd "..\kclient"
+
+!ELSEIF  "$(CFG)" == "kclient - Win32 Debug"
+
+"krb - Win32 Debug" : 
+   cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\krb"
+   $(MAKE) /$(MAKEFLAGS) /F ".\krb.mak" CFG="krb - Win32 Debug" 
+   cd "..\kclient"
+
+"krb - Win32 DebugCLEAN" : 
+   cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\krb"
+   $(MAKE) /$(MAKEFLAGS) CLEAN /F ".\krb.mak" CFG="krb - Win32 Debug" RECURSE=1\
+
+   cd "..\kclient"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/crypto/kerberosIV/lib/kclient/passwd_dialog.rc b/crypto/kerberosIV/lib/kclient/passwd_dialog.rc
new file mode 100644
index 0000000..6478e5f
--- /dev/null
+++ b/crypto/kerberosIV/lib/kclient/passwd_dialog.rc
@@ -0,0 +1,143 @@
+//Microsoft Developer Studio generated resource script.
+//
+#include "resource.h"
+
+#define APSTUDIO_READONLY_SYMBOLS
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 2 resource.
+//
+#include "afxres.h"
+
+/////////////////////////////////////////////////////////////////////////////
+#undef APSTUDIO_READONLY_SYMBOLS
+
+/////////////////////////////////////////////////////////////////////////////
+// Swedish resources
+
+#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_SVE)
+#ifdef _WIN32
+LANGUAGE LANG_SWEDISH, SUBLANG_DEFAULT
+#pragma code_page(1252)
+#endif //_WIN32
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Dialog
+//
+
+IDD_DIALOG1 DIALOG DISCARDABLE  0, 0, 186, 95
+STYLE DS_ABSALIGN | DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_CAPTION
+CAPTION "User data"
+FONT 8, "MS Sans Serif"
+BEGIN
+    EDITTEXT        IDC_EDIT1,71,19,40,14,ES_AUTOHSCROLL
+    EDITTEXT        IDC_EDIT2,71,36,40,14,ES_PASSWORD | ES_AUTOHSCROLL
+    DEFPUSHBUTTON   "OK",IDOK,31,74,50,14
+    PUSHBUTTON      "Cancel",IDCANCEL,105,74,50,14
+    LTEXT           "User name:",IDC_STATIC,27,23,37,8,NOT WS_GROUP
+    LTEXT           "Password:",IDC_STATIC,27,39,34,8,NOT WS_GROUP
+END
+
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// DESIGNINFO
+//
+
+#ifdef APSTUDIO_INVOKED
+GUIDELINES DESIGNINFO DISCARDABLE 
+BEGIN
+    IDD_DIALOG1, DIALOG
+    BEGIN
+        LEFTMARGIN, 7
+        RIGHTMARGIN, 179
+        TOPMARGIN, 7
+        BOTTOMMARGIN, 88
+    END
+END
+#endif    // APSTUDIO_INVOKED
+
+
+#ifdef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// TEXTINCLUDE
+//
+
+1 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "resource.h\0"
+END
+
+2 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "#include ""afxres.h""\r\n"
+    "\0"
+END
+
+3 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "\r\n"
+    "\0"
+END
+
+#endif    // APSTUDIO_INVOKED
+
+

+#ifndef _MAC

+/////////////////////////////////////////////////////////////////////////////

+//

+// Version

+//

+

+VS_VERSION_INFO VERSIONINFO

+ FILEVERSION 1,0,0,1

+ PRODUCTVERSION 1,0,0,1

+ FILEFLAGSMASK 0x3fL

+#ifdef _DEBUG

+ FILEFLAGS 0x1L

+#else

+ FILEFLAGS 0x0L

+#endif

+ FILEOS 0x40004L

+ FILETYPE 0x2L

+ FILESUBTYPE 0x0L

+BEGIN

+    BLOCK "StringFileInfo"

+    BEGIN

+        BLOCK "040904b0"

+        BEGIN

+            VALUE "CompanyName", "Royal Institute of Technology (KTH)\0"

+            VALUE "FileDescription", "kclient\0"

+            VALUE "FileVersion", "4, 0, 9, 9\0"

+            VALUE "InternalName", "kclient\0"

+            VALUE "LegalCopyright", "Copyright © 1996 - 1998  Royal Institute of Technology (KTH)\0"

+            VALUE "OriginalFilename", "kclnt32.dll\0"

+            VALUE "ProductName", "KTH Kerberos\0"

+            VALUE "ProductVersion", "4,0,9,9\0"

+        END

+    END

+    BLOCK "VarFileInfo"

+    BEGIN

+        VALUE "Translation", 0x409, 1200

+    END

+END

+

+#endif    // !_MAC

+

+#endif    // Swedish resources
+/////////////////////////////////////////////////////////////////////////////
+
+
+
+#ifndef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 3 resource.
+//
+
+
+/////////////////////////////////////////////////////////////////////////////
+#endif    // not APSTUDIO_INVOKED
+
diff --git a/crypto/kerberosIV/lib/kclient/passwd_dialog.res b/crypto/kerberosIV/lib/kclient/passwd_dialog.res
new file mode 100644
index 0000000..fc4556f
--- /dev/null
+++ b/crypto/kerberosIV/lib/kclient/passwd_dialog.res
diff --git a/crypto/kerberosIV/lib/kclient/passwd_dlg.c b/crypto/kerberosIV/lib/kclient/passwd_dlg.c
new file mode 100644
index 0000000..fb2f468
--- /dev/null
+++ b/crypto/kerberosIV/lib/kclient/passwd_dlg.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* passwd_dlg.c - Dialog boxes for Windows95/NT
+ * Author:	Jörgen Karlsson - d93-jka@nada.kth.se
+ * Date:	June 1996
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: passwd_dlg.c,v 1.11 1999/12/02 16:58:40 joda Exp $");
+#endif
+
+#ifdef WIN32	/* Visual C++ 4.0 (Windows95/NT) */
+#include <Windows.h>
+#include "passwd_dlg.h"
+#include "Resource.h"
+#define passwdBufSZ 64
+#define usr_nameSZ 64
+
+static char user_name[usr_nameSZ];
+static char passwd[passwdBufSZ];
+
+BOOL CALLBACK
+pwd_dialog_proc(HWND hwndDlg,
+		UINT uMsg,
+		WPARAM wParam,
+		LPARAM lParam)
+{
+    switch(uMsg)
+    {
+    case WM_INITDIALOG:
+	SetDlgItemText(hwndDlg, IDC_EDIT1, user_name);
+	return TRUE;
+	break;
+
+    case WM_COMMAND: 
+	switch(wParam)
+	{
+	case IDOK:
+	    if(!GetDlgItemText(hwndDlg,IDC_EDIT1, user_name, usr_nameSZ))
+		EndDialog(hwndDlg, IDCANCEL);
+	    if(!GetDlgItemText(hwndDlg,IDC_EDIT2, passwd, passwdBufSZ))
+		EndDialog(hwndDlg, IDCANCEL);
+	case IDCANCEL:
+	    EndDialog(hwndDlg, wParam);
+	    return TRUE;
+	}
+	break;
+    }
+    return FALSE;
+}
+
+
+/* return 0 if ok, 1 otherwise */
+int
+pwd_dialog(char *user, size_t user_sz,
+	   char *password, size_t password_sz)
+{
+    int i;
+    HWND wnd = GetActiveWindow();
+    HANDLE hInst = GetModuleHandle("kclnt32");
+
+    strlcpy(user_name, user, sizeof(user_name));
+    switch(DialogBox(hInst,MAKEINTRESOURCE(IDD_DIALOG1),wnd,pwd_dialog_proc))
+    {
+    case IDOK:
+	strlcpy(user, user_name, user_sz);
+	strlcpy(password, passwd, password_sz);
+	memset (passwd, 0, sizeof(passwd));
+	return 0;
+    case IDCANCEL:
+    default:
+	memset (passwd, 0, sizeof(passwd));
+	return 1;
+    }
+}
+
+#endif /* WIN32 */
diff --git a/crypto/kerberosIV/lib/kclient/passwd_dlg.h b/crypto/kerberosIV/lib/kclient/passwd_dlg.h
new file mode 100644
index 0000000..543a560
--- /dev/null
+++ b/crypto/kerberosIV/lib/kclient/passwd_dlg.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* passwd_dlg.h - Dialog boxes for Windows95/NT
+ * Author:	Jörgen Karlsson - d93-jka@nada.kth.se
+ * Date:	June 1996
+ */
+
+/* $Id: passwd_dlg.h,v 1.7 1999/12/02 16:58:40 joda Exp $ */
+
+#ifndef PASSWD_DLG_H
+#define PASSWD_DLG_H
+
+int pwd_dialog(char *user, size_t user_sz,
+	       char *password, size_t password_sz);
+
+#endif /* PASSWD_DLG_H */
diff --git a/crypto/kerberosIV/lib/kclient/resource.h b/crypto/kerberosIV/lib/kclient/resource.h
new file mode 100644
index 0000000..76a6eb5
--- /dev/null
+++ b/crypto/kerberosIV/lib/kclient/resource.h
@@ -0,0 +1,18 @@
+//{{NO_DEPENDENCIES}}
+// Microsoft Developer Studio generated include file.
+// Used by passwd_dialog.rc
+//
+#define IDD_DIALOG1                     101
+#define IDC_EDIT1                       1000
+#define IDC_EDIT2                       1001
+
+// Next default values for new objects
+// 
+#ifdef APSTUDIO_INVOKED
+#ifndef APSTUDIO_READONLY_SYMBOLS
+#define _APS_NEXT_RESOURCE_VALUE        103
+#define _APS_NEXT_COMMAND_VALUE         40001
+#define _APS_NEXT_CONTROL_VALUE         1002
+#define _APS_NEXT_SYMED_VALUE           101
+#endif
+#endif
diff --git a/crypto/kerberosIV/lib/kdb/Makefile.in b/crypto/kerberosIV/lib/kdb/Makefile.in
new file mode 100644
index 0000000..119ff6b
--- /dev/null
+++ b/crypto/kerberosIV/lib/kdb/Makefile.in
@@ -0,0 +1,94 @@
+#
+# $Id: Makefile.in,v 1.40.4.1 2000/06/23 03:20:00 assar Exp $
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+LN_S = @LN_S@
+DEFS = @DEFS@ -DROKEN_RENAME
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+
+PICFLAGS = @PICFLAGS@
+ 
+LIB_DBM  = @LIB_DBM@
+LIB_DEPS = @lib_deps_yes@ $(LIB_DBM) -lc
+build_symlink_command   = @build_symlink_command@
+install_symlink_command = @install_symlink_command@
+
+LIBNAME = $(LIBPREFIX)kdb
+LIBEXT = @LIBEXT@
+SHLIBEXT = @SHLIBEXT@
+LIBPREFIX = @LIBPREFIX@
+LDSHARED = @LDSHARED@
+LIB = $(LIBNAME).$(LIBEXT)
+
+SOURCES = krb_cache.c krb_kdb_utils.c copykey.c krb_lib.c \
+	krb_dbm.c print_princ.c
+
+OBJECTS = krb_cache.o krb_kdb_utils.o copykey.o krb_lib.o \
+	krb_dbm.o print_princ.o
+
+all: $(LIB)
+
+Wall:
+		make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../include -I$(srcdir) -I. $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libdir)
+	$(INSTALL_DATA)  $(LIB) $(DESTDIR)$(libdir)/$(LIB)
+	@install_symlink_command@
+
+uninstall:
+	rm -f $(DESTDIR)$(libdir)/$(LIB)
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f $(LIB) *.o *.a *.so *.so.* so_locations
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~ roken_rename.h
+
+realclean: distclean
+	rm -f TAGS
+
+$(LIBNAME).a: $(OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS)
+	-$(RANLIB) $@
+
+$(LIBNAME).$(SHLIBEXT): $(OBJECTS)
+	rm -f $@
+	$(LDSHARED) -o $@ $(OBJECTS) $(LIB_DEPS)
+	@build_symlink_command@
+
+$(OBJECTS): ../../include/config.h roken_rename.h
+
+roken_rename.h:
+	$(LN_S) $(srcdir)/../krb/roken_rename.h .
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/lib/kdb/copykey.c b/crypto/kerberosIV/lib/kdb/copykey.c
new file mode 100644
index 0000000..72b2b69
--- /dev/null
+++ b/crypto/kerberosIV/lib/kdb/copykey.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kdb_locl.h"
+
+RCSID("$Id: copykey.c,v 1.11 1999/12/02 16:58:40 joda Exp $");
+
+void
+copy_from_key(des_cblock in, u_int32_t *lo, u_int32_t *hi)
+{
+    memcpy(lo, ((char *) in) + 0, 4);
+    memcpy(hi, ((char *) in) + 4, 4);
+}
+
+void
+copy_to_key(u_int32_t *lo, u_int32_t *hi, des_cblock out)
+{
+    memcpy(((char *)out) + 0, lo, 4);
+    memcpy(((char *)out) + 4, hi, 4);
+}
diff --git a/crypto/kerberosIV/lib/kdb/kdb_locl.h b/crypto/kerberosIV/lib/kdb/kdb_locl.h
new file mode 100644
index 0000000..2478f64
--- /dev/null
+++ b/crypto/kerberosIV/lib/kdb/kdb_locl.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kdb_locl.h,v 1.10 1999/12/02 16:58:40 joda Exp $ */
+
+#ifndef __kdb_locl_h
+#define __kdb_locl_h
+
+#include "config.h"
+#include "protos.h"
+
+#include "base64.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <unistd.h>
+#include <errno.h>
+
+#include <sys/types.h>
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <utime.h>
+#include <sys/file.h>
+#include <roken.h>
+
+#include <krb.h>
+#include <krb_db.h>
+
+/* --- */
+
+/* Globals! */
+
+/* Utils */
+
+int kerb_db_set_lockmode __P((int));
+void kerb_db_fini __P((void));
+int kerb_db_init __P((void));
+int kerb_db_get_principal __P((char *name, char *, Principal *, unsigned int, int *));
+int kerb_db_get_dba __P((char *, char *, Dba *, unsigned int, int *));
+
+void delta_stat __P((DB_stat *, DB_stat *, DB_stat *));
+
+int kerb_cache_init __P((void));
+int kerb_cache_get_principal __P((char *name, char *, Principal *, unsigned int));
+int kerb_cache_put_principal __P((Principal *, unsigned int));
+int kerb_cache_get_dba __P((char *, char *, Dba *, unsigned int));
+int kerb_cache_put_dba __P((Dba *, unsigned int));
+
+void krb_print_principal __P((Principal *));
+
+#endif /*  __kdb_locl_h */
diff --git a/crypto/kerberosIV/lib/kdb/kdc.h b/crypto/kerberosIV/lib/kdb/kdc.h
new file mode 100644
index 0000000..968775d
--- /dev/null
+++ b/crypto/kerberosIV/lib/kdb/kdc.h
@@ -0,0 +1,35 @@
+/*
+ * $Id: kdc.h,v 1.8 1997/04/01 03:59:05 assar Exp $
+ * $FreeBSD$
+ *
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology. 
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>. 
+ *
+ * Include file for the Kerberos Key Distribution Center. 
+ */
+
+#ifndef KDC_DEFS
+#define KDC_DEFS
+
+/* Don't depend on this! */
+#ifndef MKEYFILE
+#if 1
+#define MKEYFILE	"/etc/kerberosIV/master-key"
+#else
+#define MKEYFILE	"/.k"
+#endif
+#endif
+#ifndef K_LOGFIL
+#define K_LOGFIL	"/var/log/kpropd.log"
+#endif
+
+#define ONE_MINUTE	60
+#define FIVE_MINUTES	(5 * ONE_MINUTE)
+#define ONE_HOUR	(60 * ONE_MINUTE)
+#define ONE_DAY		(24 * ONE_HOUR)
+#define THREE_DAYS	(3 * ONE_DAY)
+
+#endif /* KDC_DEFS */
+
diff --git a/crypto/kerberosIV/lib/kdb/krb_cache.c b/crypto/kerberosIV/lib/kdb/krb_cache.c
new file mode 100644
index 0000000..bd8da50
--- /dev/null
+++ b/crypto/kerberosIV/lib/kdb/krb_cache.c
@@ -0,0 +1,183 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * This is where a cache would be implemented, if it were necessary.
+ */
+
+#include "kdb_locl.h"
+
+RCSID("$Id: krb_cache.c,v 1.7 1998/06/09 19:25:14 joda Exp $");
+
+#ifdef DEBUG
+extern int debug;
+extern long kerb_debug;
+#endif
+static int init = 0;
+
+/*
+ * initialization routine for cache 
+ */
+
+int
+kerb_cache_init(void)
+{
+    init = 1;
+    return (0);
+}
+
+/*
+ * look up a principal in the cache returns number of principals found 
+ */
+
+int
+kerb_cache_get_principal(char *serv, /* could have wild card */
+			 char *inst, /* could have wild card */
+			 Principal *principal,
+			 unsigned int max) /* max number of name structs to return */
+{
+    int     found = 0;
+
+    if (!init)
+	kerb_cache_init();
+#ifdef DEBUG
+    if (kerb_debug & 2)
+	fprintf(stderr, "cache_get_principal for %s %s max = %d\n",
+	    serv, inst, max);
+#endif /* DEBUG */
+    
+#ifdef DEBUG
+    if (kerb_debug & 2) {
+	if (found) {
+	    fprintf(stderr, "cache get %s %s found %s %s sid = %d\n",
+		serv, inst, principal->name, principal->instance);
+	} else {
+	    fprintf(stderr, "cache %s %s not found\n", serv,
+		inst);
+	}
+    }
+#endif
+    return (found);
+}
+
+/*
+ * insert/replace a principal in the cache returns number of principals
+ * inserted 
+ */
+
+int
+kerb_cache_put_principal(Principal *principal,
+			 unsigned int max)
+                     		/* max number of principal structs to
+				 * insert */
+{
+    u_long  i;
+    int     count = 0;
+
+    if (!init)
+	kerb_cache_init();
+
+#ifdef DEBUG
+    if (kerb_debug & 2) {
+	fprintf(stderr, "kerb_cache_put_principal  max = %d",
+	    max);
+    }
+#endif
+    
+    for (i = 0; i < max; i++) {
+#ifdef DEBUG
+	if (kerb_debug & 2)
+	    fprintf(stderr, "\n %s %s",
+		    principal->name, principal->instance);
+#endif	
+	/* DO IT */
+	count++;
+	principal++;
+    }
+    return count;
+}
+
+/*
+ * look up a dba in the cache returns number of dbas found 
+ */
+
+int
+kerb_cache_get_dba(char *serv,	/* could have wild card */
+		   char *inst,	/* could have wild card */
+		   Dba *dba,
+		   unsigned int max) /* max number of name structs to return */
+{
+    int     found = 0;
+
+    if (!init)
+	kerb_cache_init();
+
+#ifdef DEBUG
+    if (kerb_debug & 2)
+	fprintf(stderr, "cache_get_dba for %s %s max = %d\n",
+	    serv, inst, max);
+#endif
+
+#ifdef DEBUG
+    if (kerb_debug & 2) {
+	if (found) {
+	    fprintf(stderr, "cache get %s %s found %s %s sid = %d\n",
+		serv, inst, dba->name, dba->instance);
+	} else {
+	    fprintf(stderr, "cache %s %s not found\n", serv, inst);
+	}
+    }
+#endif
+    return (found);
+}
+
+/*
+ * insert/replace a dba in the cache returns number of dbas inserted 
+ */
+
+int
+kerb_cache_put_dba(Dba *dba,
+		   unsigned int max)
+                     		/* max number of dba structs to insert */
+{
+    u_long  i;
+    int     count = 0;
+
+    if (!init)
+	kerb_cache_init();
+#ifdef DEBUG
+    if (kerb_debug & 2) {
+	fprintf(stderr, "kerb_cache_put_dba  max = %d", max);
+    }
+#endif
+    for (i = 0; i < max; i++) {
+#ifdef DEBUG
+	if (kerb_debug & 2)
+	    fprintf(stderr, "\n %s %s",
+		    dba->name, dba->instance);
+#endif	
+	/* DO IT */
+	count++;
+	dba++;
+    }
+    return count;
+}
+
diff --git a/crypto/kerberosIV/lib/kdb/krb_db.h b/crypto/kerberosIV/lib/kdb/krb_db.h
new file mode 100644
index 0000000..d0fc260
--- /dev/null
+++ b/crypto/kerberosIV/lib/kdb/krb_db.h
@@ -0,0 +1,138 @@
+/*
+ * $Id: krb_db.h,v 1.15 1996/12/17 20:34:32 assar Exp $ 
+ * $FreeBSD$ 
+ *
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology. 
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>. 
+ *
+ * spm		Project Athena  8/85 
+ *
+ * This file defines data structures for the kerberos
+ * authentication/authorization database. 
+ *
+ * They MUST correspond to those defined in *.rel 
+ */
+
+#ifndef KRB_DB_DEFS
+#define KRB_DB_DEFS
+
+#include <stdio.h>
+
+#define KERB_M_NAME		"K"	/* Kerberos */
+#define KERB_M_INST		"M"	/* Master */
+#define KERB_DEFAULT_NAME	"default"
+#define KERB_DEFAULT_INST	""
+#ifndef DB_DIR
+#define DB_DIR			"/var/db/kerberos"
+#endif
+#ifndef DBM_FILE
+#define	DBM_FILE		DB_DIR "/principal"
+#endif
+
+/* this also defines the number of queue headers */
+#define KERB_DB_HASH_MODULO 64
+
+
+/* Arguments to kerb_dbl_lock() */
+
+#define KERB_DBL_EXCLUSIVE 1
+#define KERB_DBL_SHARED 0
+
+/* arguments to kerb_db_set_lockmode() */
+
+#define KERB_DBL_BLOCKING 0
+#define KERB_DBL_NONBLOCKING 1
+
+/* arguments to kdb_get_master_key */
+
+#define KDB_GET_PROMPT 1
+#define KDB_GET_TWICE  2
+
+/* Principal defines the structure of a principal's name */
+
+typedef struct {
+    char    name[ANAME_SZ];
+    char    instance[INST_SZ];
+
+    u_int32_t key_low;
+    u_int32_t key_high;
+    u_int32_t exp_date;
+    char    exp_date_txt[DATE_SZ];
+    u_int32_t mod_date;
+    char    mod_date_txt[DATE_SZ];
+    u_int16_t attributes;
+    u_int8_t max_life;
+    u_int8_t kdc_key_ver;
+    u_int8_t key_version;
+
+    char    mod_name[ANAME_SZ];
+    char    mod_instance[INST_SZ];
+    char   *old;		/* cast to (Principal *); not in db,
+				 * ptr to old vals */
+} Principal;
+
+typedef struct {
+    int32_t    cpu;
+    int32_t    elapsed;
+    int32_t    dio;
+    int32_t    pfault;
+    int32_t    t_stamp;
+    int32_t    n_retrieve;
+    int32_t    n_replace;
+    int32_t    n_append;
+    int32_t    n_get_stat;
+    int32_t    n_put_stat;
+} DB_stat;
+
+/* Dba defines the structure of a database administrator */
+
+typedef struct {
+    char    name[ANAME_SZ];
+    char    instance[INST_SZ];
+    u_int16_t attributes;
+    u_int32_t exp_date;
+    char    exp_date_txt[DATE_SZ];
+    char   *old;	/*
+			 * cast to (Dba *); not in db, ptr to
+			 * old vals
+			 */
+} Dba;
+
+typedef int (*k_iter_proc_t)(void*, Principal*);
+
+void copy_from_key __P((des_cblock in, u_int32_t *lo, u_int32_t *hi));
+void copy_to_key __P((u_int32_t *lo, u_int32_t *hi, des_cblock out));
+
+void kdb_encrypt_key __P((des_cblock *, des_cblock *, des_cblock *,
+			  des_key_schedule, int));
+int kdb_get_master_key __P((int prompt, des_cblock *master_key,
+			    des_key_schedule master_key_sched));
+int kdb_get_new_master_key __P((des_cblock *, des_key_schedule, int));
+int kdb_kstash __P((des_cblock *, char *));
+int kdb_new_get_master_key __P((des_cblock *, des_key_schedule));
+int kdb_new_get_new_master_key __P((des_cblock *key, des_key_schedule schedule, int verify));
+long kdb_verify_master_key __P((des_cblock *, des_key_schedule, FILE *));
+long *kerb_db_begin_update __P((void));
+int kerb_db_create __P((char *db_name));
+int kerb_db_delete_principal (char *name, char *inst);
+void kerb_db_end_update __P((long *db));
+int kerb_db_get_dba __P((char *, char *, Dba *, unsigned, int *));
+void kerb_db_get_stat __P((DB_stat *));
+int kerb_db_iterate __P((k_iter_proc_t, void*));
+int kerb_db_put_principal __P((Principal *, unsigned int));
+void kerb_db_put_stat __P((DB_stat *));
+int kerb_db_rename __P((char *, char *));
+int kerb_db_set_lockmode __P((int));
+int kerb_db_set_name __P((char *));
+int kerb_db_update __P((long *db, Principal *principal, unsigned int max));
+int kerb_delete_principal __P((char *name, char *inst));
+void kerb_fini __P((void));
+int kerb_get_dba __P((char *, char *, Dba *, unsigned int, int *));
+time_t kerb_get_db_age __P((void));
+int kerb_get_principal __P((char *, char *, Principal *, unsigned int, int *));
+int kerb_init __P((void));
+int kerb_put_principal __P((Principal *, unsigned int));
+
+#endif /* KRB_DB_DEFS */
diff --git a/crypto/kerberosIV/lib/kdb/krb_dbm.c b/crypto/kerberosIV/lib/kdb/krb_dbm.c
new file mode 100644
index 0000000..7265e20
--- /dev/null
+++ b/crypto/kerberosIV/lib/kdb/krb_dbm.c
@@ -0,0 +1,768 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "kdb_locl.h"
+
+RCSID("$Id: krb_dbm.c,v 1.37 1999/09/16 20:41:49 assar Exp $");
+
+#include <xdbm.h>
+
+#define KERB_DB_MAX_RETRY 5
+
+#ifdef DEBUG
+extern int debug;
+extern long kerb_debug;
+extern char *progname;
+#endif
+
+static int init = 0;
+static char default_db_name[] = DBM_FILE;
+static char *current_db_name = default_db_name;
+
+static struct timeval timestamp;/* current time of request */
+static int non_blocking = 0;
+
+/*
+ * This module contains all of the code which directly interfaces to
+ * the underlying representation of the Kerberos database; this
+ * implementation uses a DBM or NDBM indexed "file" (actually
+ * implemented as two separate files) to store the relations, plus a
+ * third file as a semaphore to allow the database to be replaced out
+ * from underneath the KDC server.
+ */
+
+/*
+ * Locking:
+ * 
+ * There are two distinct locking protocols used.  One is designed to
+ * lock against processes (the admin_server, for one) which make
+ * incremental changes to the database; the other is designed to lock
+ * against utilities (kdb_util, kpropd) which replace the entire
+ * database in one fell swoop.
+ *
+ * The first locking protocol is implemented using flock() in the 
+ * krb_dbl_lock() and krb_dbl_unlock routines.
+ *
+ * The second locking protocol is necessary because DBM "files" are
+ * actually implemented as two separate files, and it is impossible to
+ * atomically rename two files simultaneously.  It assumes that the
+ * database is replaced only very infrequently in comparison to the time
+ * needed to do a database read operation.
+ *
+ * A third file is used as a "version" semaphore; the modification
+ * time of this file is the "version number" of the database.
+ * At the start of a read operation, the reader checks the version
+ * number; at the end of the read operation, it checks again.  If the
+ * version number changed, or if the semaphore was nonexistant at
+ * either time, the reader sleeps for a second to let things
+ * stabilize, and then tries again; if it does not succeed after
+ * KERB_DB_MAX_RETRY attempts, it gives up.
+ * 
+ * On update, the semaphore file is deleted (if it exists) before any
+ * update takes place; at the end of the update, it is replaced, with
+ * a version number strictly greater than the version number which
+ * existed at the start of the update.
+ * 
+ * If the system crashes in the middle of an update, the semaphore
+ * file is not automatically created on reboot; this is a feature, not
+ * a bug, since the database may be inconsistant.  Note that the
+ * absence of a semaphore file does not prevent another _update_ from
+ * taking place later.  Database replacements take place automatically
+ * only on slave servers; a crash in the middle of an update will be
+ * fixed by the next slave propagation.  A crash in the middle of an
+ * update on the master would be somewhat more serious, but this would
+ * likely be noticed by an administrator, who could fix the problem and
+ * retry the operation.
+ */
+
+
+/*
+ * Utility routine: generate name of database file.
+ */
+
+static char *
+gen_dbsuffix(char *db_name, char *sfx)
+{
+    char *dbsuffix;
+    
+    if (sfx == NULL)
+	sfx = ".ok";
+
+    asprintf (&dbsuffix, "%s%s", db_name, sfx);
+    if (dbsuffix == NULL) {
+	fprintf (stderr, "gen_dbsuffix: out of memory\n");
+	exit(1);
+    }
+    return dbsuffix;
+}
+
+static void
+decode_princ_key(datum *key, char *name, char *instance)
+{
+    strlcpy (name, key->dptr, ANAME_SZ);
+    strlcpy (instance, (char *)key->dptr + ANAME_SZ, INST_SZ);
+}
+
+static void
+encode_princ_contents(datum *contents, Principal *principal)
+{
+    contents->dsize = sizeof(*principal);
+    contents->dptr = (char *) principal;
+}
+
+static void
+decode_princ_contents (datum *contents, Principal *principal)
+{
+    memcpy(principal, contents->dptr, sizeof(*principal));
+}
+
+static void
+encode_princ_key (datum *key, char *name, char *instance)
+{
+    static char keystring[ANAME_SZ + INST_SZ];
+
+    memset(keystring, 0, ANAME_SZ + INST_SZ);
+    strncpy(keystring, name, ANAME_SZ);
+    strncpy(&keystring[ANAME_SZ], instance, INST_SZ);
+    key->dptr = keystring;
+    key->dsize = ANAME_SZ + INST_SZ;
+}
+
+static int dblfd = -1;		/* db LOCK fd */
+static int mylock = 0;
+static int inited = 0;
+
+static int
+kerb_dbl_init(void)
+{
+    if (!inited) {
+	char *filename = gen_dbsuffix (current_db_name, ".ok");
+	if ((dblfd = open(filename, O_RDWR)) < 0) {
+	    fprintf(stderr, "kerb_dbl_init: couldn't open %s\n", filename);
+	    fflush(stderr);
+	    perror("open");
+	    exit(1);
+	}
+	free(filename);
+	inited++;
+    }
+    return (0);
+}
+
+static void
+kerb_dbl_fini(void)
+{
+    close(dblfd);
+    dblfd = -1;
+    inited = 0;
+    mylock = 0;
+}
+
+static int
+kerb_dbl_lock(int mode)
+{
+    int flock_mode;
+    
+    if (!inited)
+	kerb_dbl_init();
+    if (mylock) {		/* Detect lock call when lock already
+				 * locked */
+	fprintf(stderr, "Kerberos locking error (mylock)\n");
+	fflush(stderr);
+	exit(1);
+    }
+    switch (mode) {
+    case KERB_DBL_EXCLUSIVE:
+	flock_mode = LOCK_EX;
+	break;
+    case KERB_DBL_SHARED:
+	flock_mode = LOCK_SH;
+	break;
+    default:
+	fprintf(stderr, "invalid lock mode %d\n", mode);
+	abort();
+    }
+    if (non_blocking)
+	flock_mode |= LOCK_NB;
+    
+    if (flock(dblfd, flock_mode) < 0) 
+	return errno;
+    mylock++;
+    return 0;
+}
+
+static void
+kerb_dbl_unlock(void)
+{
+    if (!mylock) {		/* lock already unlocked */
+	fprintf(stderr, "Kerberos database lock not locked when unlocking.\n");
+	fflush(stderr);
+	exit(1);
+    }
+    if (flock(dblfd, LOCK_UN) < 0) {
+	fprintf(stderr, "Kerberos database lock error. (unlocking)\n");
+	fflush(stderr);
+	perror("flock");
+	exit(1);
+    }
+    mylock = 0;
+}
+
+int
+kerb_db_set_lockmode(int mode)
+{
+    int old = non_blocking;
+    non_blocking = mode;
+    return old;
+}
+
+/*
+ * initialization for data base routines.
+ */
+
+int
+kerb_db_init(void)
+{
+    init = 1;
+    return (0);
+}
+
+/*
+ * gracefully shut down database--must be called by ANY program that does
+ * a kerb_db_init 
+ */
+
+void
+kerb_db_fini(void)
+{
+}
+
+/*
+ * Set the "name" of the current database to some alternate value.
+ *
+ * Passing a null pointer as "name" will set back to the default.
+ * If the alternate database doesn't exist, nothing is changed.
+ */
+
+int
+kerb_db_set_name(char *name)
+{
+    DBM *db;
+
+    if (name == NULL)
+	name = default_db_name;
+    db = dbm_open(name, 0, 0);
+    if (db == NULL)
+	return errno;
+    dbm_close(db);
+    kerb_dbl_fini();
+    current_db_name = name;
+    return 0;
+}
+
+/*
+ * Return the last modification time of the database.
+ */
+
+time_t
+kerb_get_db_age(void)
+{
+    struct stat st;
+    char *okname;
+    time_t age;
+    
+    okname = gen_dbsuffix(current_db_name, ".ok");
+
+    if (stat (okname, &st) < 0)
+	age = 0;
+    else
+	age = st.st_mtime;
+
+    free (okname);
+    return age;
+}
+
+/*
+ * Remove the semaphore file; indicates that database is currently
+ * under renovation.
+ *
+ * This is only for use when moving the database out from underneath
+ * the server (for example, during slave updates).
+ */
+
+static time_t
+kerb_start_update(char *db_name)
+{
+    char *okname = gen_dbsuffix(db_name, ".ok");
+    time_t age = kerb_get_db_age();
+    
+    if (unlink(okname) < 0
+	&& errno != ENOENT) {
+	    age = -1;
+    }
+    free (okname);
+    return age;
+}
+
+static int
+kerb_end_update(char *db_name, time_t age)
+{
+    int fd;
+    int retval = 0;
+    char *new_okname = gen_dbsuffix(db_name, ".ok#");
+    char *okname = gen_dbsuffix(db_name, ".ok");
+    
+    fd = open (new_okname, O_CREAT|O_RDWR|O_TRUNC, 0600);
+    if (fd < 0)
+	retval = errno;
+    else {
+	struct stat st;
+	struct utimbuf tv;
+	/* make sure that semaphore is "after" previous value. */
+	if (fstat (fd, &st) == 0
+	    && st.st_mtime <= age) {
+	    tv.actime = st.st_atime;
+	    tv.modtime = age;
+	    /* set times.. */
+	    utime (new_okname, &tv);
+	    fsync(fd);
+	}
+	close(fd);
+	if (rename (new_okname, okname) < 0)
+	    retval = errno;
+    }
+
+    free (new_okname);
+    free (okname);
+
+    return retval;
+}
+
+static time_t
+kerb_start_read(void)
+{
+    return kerb_get_db_age();
+}
+
+static int
+kerb_end_read(time_t age)
+{
+    if (kerb_get_db_age() != age || age == -1) {
+	return -1;
+    }
+    return 0;
+}
+
+/*
+ * Create the database, assuming it's not there.
+ */
+int
+kerb_db_create(char *db_name)
+{
+    char *okname = gen_dbsuffix(db_name, ".ok");
+    int fd;
+    int ret = 0;
+#ifdef NDBM
+    DBM *db;
+
+    db = dbm_open(db_name, O_RDWR|O_CREAT|O_EXCL, 0600);
+    if (db == NULL)
+	ret = errno;
+    else
+	dbm_close(db);
+#else
+    char *dirname = gen_dbsuffix(db_name, ".dir");
+    char *pagname = gen_dbsuffix(db_name, ".pag");
+
+    fd = open(dirname, O_RDWR|O_CREAT|O_EXCL, 0600);
+    if (fd < 0)
+	ret = errno;
+    else {
+	close(fd);
+	fd = open (pagname, O_RDWR|O_CREAT|O_EXCL, 0600);
+	if (fd < 0)
+	    ret = errno;
+	else
+	    close(fd);
+    }
+    if (dbminit(db_name) < 0)
+	ret = errno;
+#endif
+    if (ret == 0) {
+	fd = open (okname, O_CREAT|O_RDWR|O_TRUNC, 0600);
+	if (fd < 0)
+	    ret = errno;
+	close(fd);
+    }
+    return ret;
+}
+
+/*
+ * "Atomically" rename the database in a way that locks out read
+ * access in the middle of the rename.
+ *
+ * Not perfect; if we crash in the middle of an update, we don't
+ * necessarily know to complete the transaction the rename, but...
+ */
+
+int
+kerb_db_rename(char *from, char *to)
+{
+#ifdef HAVE_NEW_DB
+    char *fromdb = gen_dbsuffix (from, ".db");
+    char *todb = gen_dbsuffix (to, ".db");
+#else
+    char *fromdir = gen_dbsuffix (from, ".dir");
+    char *todir = gen_dbsuffix (to, ".dir");
+    char *frompag = gen_dbsuffix (from , ".pag");
+    char *topag = gen_dbsuffix (to, ".pag");
+#endif
+    char *fromok = gen_dbsuffix(from, ".ok");
+    long trans = kerb_start_update(to);
+    int ok = 0;
+    
+#ifdef HAVE_NEW_DB
+    if (rename (fromdb, todb) == 0) {
+	unlink (fromok);
+	ok = 1;
+    }
+    free (fromdb);
+    free (todb);
+#else
+    if ((rename (fromdir, todir) == 0)
+	&& (rename (frompag, topag) == 0)) {
+	unlink (fromok);
+	ok = 1;
+    }
+    free (fromdir);
+    free (todir);
+    free (frompag);
+    free (topag);
+#endif
+    free (fromok);
+    if (ok)
+	return kerb_end_update(to, trans);
+    else
+	return -1;
+}
+
+int
+kerb_db_delete_principal (char *name, char *inst)
+{
+    DBM *db;
+    int try;
+    int done = 0;
+    int code;
+    datum key;
+    
+    if(!init)
+	kerb_db_init();
+    
+    for(try = 0; try < KERB_DB_MAX_RETRY; try++){
+	if((code = kerb_dbl_lock(KERB_DBL_EXCLUSIVE)) != 0)
+	    return -1;
+	
+	db = dbm_open(current_db_name, O_RDWR, 0600);
+	if(db == NULL)
+	    return -1;
+	encode_princ_key(&key, name, inst);
+	if(dbm_delete(db, key) == 0)
+	    done = 1;
+	
+	dbm_close(db);
+	kerb_dbl_unlock();
+	if(done)
+	    break;
+	if(!non_blocking)
+	    sleep(1);
+    }
+    if(!done)
+	return -1;
+    return 0;
+}
+
+
+/*
+ * look up a principal in the data base returns number of principals
+ * found , and whether there were more than requested. 
+ */
+
+int
+kerb_db_get_principal (char *name, char *inst, Principal *principal, 
+		       unsigned int max, int *more)
+{
+    int     found = 0, code;
+    int     wildp, wildi;
+    datum   key, contents;
+    char    testname[ANAME_SZ], testinst[INST_SZ];
+    u_long trans;
+    int try;
+    DBM    *db;
+
+    if (!init)
+	kerb_db_init();		/* initialize database routines */
+
+    for (try = 0; try < KERB_DB_MAX_RETRY; try++) {
+	trans = kerb_start_read();
+
+	if ((code = kerb_dbl_lock(KERB_DBL_SHARED)) != 0)
+	    return -1;
+
+	db = dbm_open(current_db_name, O_RDONLY, 0600);
+	if (db == NULL)
+	    return -1;
+
+	*more = 0;
+
+#ifdef DEBUG
+	if (kerb_debug & 2)
+	    fprintf(stderr,
+		    "%s: db_get_principal for %s %s max = %d",
+		    progname, name, inst, max);
+#endif
+
+	wildp = !strcmp(name, "*");
+	wildi = !strcmp(inst, "*");
+
+	if (!wildi && !wildp) {	/* nothing's wild */
+	    encode_princ_key(&key, name, inst);
+	    contents = dbm_fetch(db, key);
+	    if (contents.dptr == NULL) {
+		found = 0;
+		goto done;
+	    }
+	    decode_princ_contents(&contents, principal);
+#ifdef DEBUG
+	    if (kerb_debug & 1) {
+		fprintf(stderr, "\t found %s %s p_n length %d t_n length %d\n",
+			principal->name, principal->instance,
+			strlen(principal->name),
+			strlen(principal->instance));
+	    }
+#endif
+	    found = 1;
+	    goto done;
+	}
+	/* process wild cards by looping through entire database */
+
+	for (key = dbm_firstkey(db); key.dptr != NULL;
+	     key = dbm_next(db, key)) {
+	    decode_princ_key(&key, testname, testinst);
+	    if ((wildp || !strcmp(testname, name)) &&
+		(wildi || !strcmp(testinst, inst))) { /* have a match */
+		if (found >= max) {
+		    *more = 1;
+		    goto done;
+		} else {
+		    found++;
+		    contents = dbm_fetch(db, key);
+		    decode_princ_contents(&contents, principal);
+#ifdef DEBUG
+		    if (kerb_debug & 1) {
+			fprintf(stderr,
+				"\tfound %s %s p_n length %d t_n length %d\n",
+				principal->name, principal->instance,
+				strlen(principal->name),
+				strlen(principal->instance));
+		    }
+#endif
+		    principal++; /* point to next */
+		}
+	    }
+	}
+
+    done:
+	kerb_dbl_unlock();	/* unlock read lock */
+	dbm_close(db);
+	if (kerb_end_read(trans) == 0)
+	    break;
+	found = -1;
+	if (!non_blocking)
+	    sleep(1);
+    }
+    return (found);
+}
+
+/* Use long * rather than DBM * so that the database structure is private */
+
+long *
+kerb_db_begin_update(void)
+{
+    int code;
+
+    gettimeofday(&timestamp, NULL);
+
+    if (!init)
+	kerb_db_init();
+
+    if ((code = kerb_dbl_lock(KERB_DBL_EXCLUSIVE)) != 0)
+	return 0;
+
+    return (long *) dbm_open(current_db_name, O_RDWR, 0600);
+}
+
+void
+kerb_db_end_update(long *db)
+{
+    dbm_close((DBM *)db);
+    kerb_dbl_unlock();		/* unlock database */
+}
+
+int
+kerb_db_update(long *db, Principal *principal, unsigned int max)
+{
+    int     found = 0;
+    u_long  i;
+    datum   key, contents;
+
+#ifdef DEBUG
+    if (kerb_debug & 2)
+	fprintf(stderr, "%s: kerb_db_put_principal  max = %d",
+	    progname, max);
+#endif
+
+    /* for each one, stuff temps, and do replace/append */
+    for (i = 0; i < max; i++) {
+	encode_princ_contents(&contents, principal);
+	encode_princ_key(&key, principal->name, principal->instance);
+	if(dbm_store((DBM *)db, key, contents, DBM_REPLACE) < 0)
+	    return found; /* XXX some better mechanism to report
+			     failure should exist */
+#ifdef DEBUG
+	if (kerb_debug & 1) {
+	    fprintf(stderr, "\n put %s %s\n",
+		principal->name, principal->instance);
+	}
+#endif
+	found++;
+	principal++;		/* bump to next struct			   */
+    }
+    return found;
+}
+
+/*
+ * Update a name in the data base.  Returns number of names
+ * successfully updated.
+ */
+
+int
+kerb_db_put_principal(Principal *principal,
+		      unsigned max)
+
+{
+    int found;
+    long    *db;
+
+    db = kerb_db_begin_update();
+    if (db == 0)
+	return -1;
+
+    found = kerb_db_update(db, principal, max);
+
+    kerb_db_end_update(db);
+    return (found);
+}
+
+void
+kerb_db_get_stat(DB_stat *s)
+{
+    gettimeofday(&timestamp, NULL);
+
+    s->cpu = 0;
+    s->elapsed = 0;
+    s->dio = 0;
+    s->pfault = 0;
+    s->t_stamp = timestamp.tv_sec;
+    s->n_retrieve = 0;
+    s->n_replace = 0;
+    s->n_append = 0;
+    s->n_get_stat = 0;
+    s->n_put_stat = 0;
+    /* update local copy too */
+}
+
+void
+kerb_db_put_stat(DB_stat *s)
+{
+}
+
+void
+delta_stat(DB_stat *a, DB_stat *b, DB_stat *c)
+{
+    /* c = a - b then b = a for the next time */
+
+    c->cpu = a->cpu - b->cpu;
+    c->elapsed = a->elapsed - b->elapsed;
+    c->dio = a->dio - b->dio;
+    c->pfault = a->pfault - b->pfault;
+    c->t_stamp = a->t_stamp - b->t_stamp;
+    c->n_retrieve = a->n_retrieve - b->n_retrieve;
+    c->n_replace = a->n_replace - b->n_replace;
+    c->n_append = a->n_append - b->n_append;
+    c->n_get_stat = a->n_get_stat - b->n_get_stat;
+    c->n_put_stat = a->n_put_stat - b->n_put_stat;
+
+    memcpy(b, a, sizeof(DB_stat));
+}
+
+/*
+ * look up a dba in the data base returns number of dbas found , and
+ * whether there were more than requested. 
+ */
+
+int
+kerb_db_get_dba(char *dba_name,	/* could have wild card */
+		char *dba_inst,	/* could have wild card */
+		Dba *dba,
+		unsigned max,	/* max number of name structs to return */
+		int *more)	/* where there more than 'max' tuples? */
+{
+    *more = 0;
+    return (0);
+}
+
+int
+kerb_db_iterate (k_iter_proc_t func, void *arg)
+{
+    datum key, contents;
+    Principal *principal;
+    int code;
+    DBM *db;
+    
+    kerb_db_init();		/* initialize and open the database */
+    if ((code = kerb_dbl_lock(KERB_DBL_SHARED)) != 0)
+	return code;
+
+    db = dbm_open(current_db_name, O_RDONLY, 0600);
+    if (db == NULL)
+	return errno;
+
+    for (key = dbm_firstkey (db); key.dptr != NULL; key = dbm_next(db, key)) {
+	contents = dbm_fetch (db, key);
+	/* XXX may not be properly aligned */
+	principal = (Principal *) contents.dptr;
+	if ((code = (*func)(arg, principal)) != 0)
+	    return code;
+    }
+    dbm_close(db);
+    kerb_dbl_unlock();
+    return 0;
+}
diff --git a/crypto/kerberosIV/lib/kdb/krb_kdb_utils.c b/crypto/kerberosIV/lib/kdb/krb_kdb_utils.c
new file mode 100644
index 0000000..af941dc
--- /dev/null
+++ b/crypto/kerberosIV/lib/kdb/krb_kdb_utils.c
@@ -0,0 +1,267 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * Utility routines for Kerberos programs which directly access
+ * the database.  This code was duplicated in too many places
+ * before I gathered it here.
+ *
+ * Jon Rochlis, MIT Telecom, March 1988
+ */
+
+#include "kdb_locl.h"
+
+#include <kdc.h>
+
+RCSID("$Id: krb_kdb_utils.c,v 1.25 1999/03/13 21:24:21 assar Exp $");
+
+/* always try /.k for backwards compatibility */
+static char *master_key_files[] = { MKEYFILE, "/.k", NULL };
+
+#ifdef HAVE_STRERROR
+#define k_strerror(e) strerror(e)
+#else
+static
+char *
+k_strerror(int eno)
+{
+  extern int sys_nerr;
+  extern char *sys_errlist[];
+
+  static char emsg[128];
+
+  if (eno < 0 || eno >= sys_nerr)
+    snprintf(emsg, sizeof(emsg), "Error %d occurred.", eno);
+  else
+    return sys_errlist[eno];
+
+  return emsg;
+}
+#endif
+
+int
+kdb_new_get_master_key(des_cblock *key, des_key_schedule schedule)
+{
+  int kfile = -1;
+  int i;
+  char buf[1024];
+
+  char **mkey;
+
+  for(mkey = master_key_files; *mkey; mkey++){
+      kfile = open(*mkey, O_RDONLY);
+      if(kfile < 0 && errno != ENOENT)
+	  fprintf(stderr, "Failed to open master key file \"%s\": %s\n", 
+		  *mkey,
+		  k_strerror(errno));
+      if(kfile >= 0)
+	  break;
+  }
+  if(*mkey){
+      int bytes;
+      bytes = read(kfile, (char*)key, sizeof(des_cblock));
+      close(kfile);
+      if(bytes == sizeof(des_cblock)){
+	  des_key_sched(key, schedule);
+	  return 0;
+      }
+      fprintf(stderr, "Could only read %d bytes from master key file %s\n", 
+	      bytes, *mkey);
+  }else{
+      fprintf(stderr, "No master key file found.\n");
+  }
+
+  
+  i=0;
+  while(i < 3){
+      if(des_read_pw_string(buf, sizeof(buf), "Enter master password: ", 0))
+	  break;
+
+      /* buffer now contains either an old format master key password or a
+       * new format base64 encoded master key
+       */
+      
+      /* try to verify as old password */
+      des_string_to_key(buf, key);
+      des_key_sched(key, schedule);
+      
+      if(kdb_verify_master_key(key, schedule, NULL) != -1){
+	  memset(buf, 0, sizeof(buf));
+	  return 0;
+      }
+      
+      /* failed test, so must be base64 encoded */
+      
+      if(base64_decode(buf, key) == 8){
+	  des_key_sched(key, schedule);
+	  if(kdb_verify_master_key(key, schedule, NULL) != -1){
+	      memset(buf, 0, sizeof(buf));
+	      return 0;
+	  }
+      }
+      
+      memset(buf, 0, sizeof(buf));
+      fprintf(stderr, "Failed to verify master key.\n");
+      i++;
+  }
+  
+  /* life sucks */
+  fprintf(stderr, "You loose.\n");
+  exit(1);
+}
+
+int
+kdb_new_get_new_master_key(des_cblock *key,
+			   des_key_schedule schedule, 
+			   int verify)
+{
+#ifndef RANDOM_MKEY
+  des_read_password(key, "\nEnter Kerberos master password: ", verify);
+  printf ("\n");
+#else
+  char buf[1024];
+  des_generate_random_block (key);
+  des_key_sched(key, schedule);
+  
+  des_read_pw_string(buf, sizeof(buf), "Enter master key seed: ", 0);
+  des_cbc_cksum((des_cblock*)buf, key, sizeof(buf), schedule, key);
+  memset(buf, 0, sizeof(buf));
+#endif
+  des_key_sched(key, schedule);
+  return 0;
+}
+
+int
+kdb_get_master_key(int prompt,
+		   des_cblock *master_key, 
+		   des_key_schedule master_key_sched)
+{
+  int ask = (prompt == KDB_GET_TWICE);
+#ifndef RANDOM_MKEY
+  ask |= (prompt == KDB_GET_PROMPT);
+#endif
+  
+  if(ask)
+    kdb_new_get_new_master_key(master_key, master_key_sched, 
+			       prompt == KDB_GET_TWICE);
+  else
+    kdb_new_get_master_key(master_key, master_key_sched);
+  return 0;
+}
+
+int
+kdb_kstash(des_cblock *master_key, char *file)
+{
+  int kfile;
+
+  kfile = open(file, O_TRUNC | O_RDWR | O_CREAT, 0600);
+  if (kfile < 0) {
+    return -1;
+  }
+  if (write(kfile, master_key, sizeof(des_cblock)) != sizeof(des_cblock)) {
+    close(kfile);
+    return -1;
+  }
+  close(kfile);
+  return 0;
+}
+
+/* The old algorithm used the key schedule as the initial vector which
+   was byte order depedent ... */
+
+void
+kdb_encrypt_key (des_cblock (*in), des_cblock (*out),
+		 des_cblock (*master_key),
+		 des_key_schedule master_key_sched, int e_d_flag)
+{
+
+#ifdef NOENCRYPTION
+  memcpy(out, in, sizeof(des_cblock));
+#else
+  des_pcbc_encrypt(in,out,(long)sizeof(des_cblock),master_key_sched,master_key,
+		   e_d_flag);
+#endif
+}
+
+/* The caller is reasponsible for cleaning up the master key and sched,
+   even if we can't verify the master key */
+
+/* Returns master key version if successful, otherwise -1 */
+
+long 
+kdb_verify_master_key (des_cblock *master_key,
+		       des_key_schedule master_key_sched,
+		       FILE *out) /* NULL -> no output */
+{
+  des_cblock key_from_db;
+  Principal principal_data[1];
+  int n, more = 0;
+  long master_key_version;
+
+  /* lookup the master key version */
+  n = kerb_get_principal(KERB_M_NAME, KERB_M_INST, principal_data,
+			 1 /* only one please */, &more);
+  if ((n != 1) || more) {
+    if (out != NULL) 
+      fprintf(out,
+	      "verify_master_key: %s, %d found.\n",
+	      "Kerberos error on master key version lookup",
+	      n);
+    return (-1);
+  }
+
+  master_key_version = (long) principal_data[0].key_version;
+
+  /* set up the master key */
+  if (out != NULL)  /* should we punt this? */
+    fprintf(out, "Current Kerberos master key version is %d.\n",
+	    principal_data[0].kdc_key_ver);
+
+  /*
+   * now use the master key to decrypt the key in the db, had better
+   * be the same! 
+   */
+  copy_to_key(&principal_data[0].key_low,
+	      &principal_data[0].key_high,
+	      key_from_db);
+  kdb_encrypt_key (&key_from_db, &key_from_db, 
+		   master_key, master_key_sched, DES_DECRYPT);
+
+  /* the decrypted database key had better equal the master key */
+  n = memcmp(master_key, key_from_db, sizeof(master_key));
+  /* this used to zero the master key here! */
+  memset(key_from_db, 0, sizeof(key_from_db));
+  memset(principal_data, 0, sizeof (principal_data));
+
+  if (n && (out != NULL)) {
+    fprintf(out, "\n\07\07verify_master_key: Invalid master key; ");
+    fprintf(out, "does not match database.\n");
+  }
+  if(n)
+    return (-1);
+
+  if (out != (FILE *) NULL) {
+    fprintf(out, "\nMaster key entered.  BEWARE!\07\07\n");
+    fflush(out);
+  }
+
+  return (master_key_version);
+}
diff --git a/crypto/kerberosIV/lib/kdb/krb_lib.c b/crypto/kerberosIV/lib/kdb/krb_lib.c
new file mode 100644
index 0000000..59949f9
--- /dev/null
+++ b/crypto/kerberosIV/lib/kdb/krb_lib.c
@@ -0,0 +1,252 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "kdb_locl.h"
+
+RCSID("$Id: krb_lib.c,v 1.13 1998/11/22 09:41:43 assar Exp $");
+
+#ifdef DEBUG
+extern int debug;
+extern char *progname;
+long    kerb_debug;
+#endif
+
+static int init = 0;
+
+/*
+ * initialization routine for data base 
+ */
+
+int
+kerb_init(void)
+{
+#ifdef DEBUG
+    if (!init) {
+	char *dbg = getenv("KERB_DBG");
+	if (dbg)
+	    sscanf(dbg, "%d", &kerb_debug);
+	init = 1;
+    }
+#endif
+    kerb_db_init();
+
+#ifdef CACHE
+    kerb_cache_init();
+#endif
+
+    /* successful init, return 0, else errcode */
+    return (0);
+}
+
+/*
+ * finalization routine for database -- NOTE: MUST be called by any
+ * program using kerb_init.  ALSO will have to be modified to finalize
+ * caches, if they're ever really implemented. 
+ */
+
+void
+kerb_fini(void)
+{
+    kerb_db_fini();
+}
+
+
+int
+kerb_delete_principal(char *name, char *inst)
+{
+    int ret;
+    
+    if (!init)
+	kerb_init();
+
+    ret = kerb_db_delete_principal(name, inst);
+#ifdef CACHE
+    if(ret == 0){
+	kerb_cache_delete_principal(name, inst);
+    }
+#endif
+    return ret;
+}
+
+
+/*
+ * look up a principal in the cache or data base returns number of
+ * principals found 
+ */
+
+int
+kerb_get_principal(char *name,	/* could have wild card */
+		   char *inst,	/* could have wild card */
+		   Principal *principal,
+		   unsigned int max, /* max number of name structs to return */
+		   int *more)	/* more tuples than room for */
+{
+    int     found = 0;
+#ifdef CACHE
+    static int wild = 0;
+#endif
+    if (!init)
+	kerb_init();
+
+#ifdef DEBUG
+    if (kerb_debug & 1)
+	fprintf(stderr, "\n%s: kerb_get_principal for %s %s max = %d\n",
+	    progname, name, inst, max);
+#endif
+    
+    /*
+     * if this is a request including a wild card, have to go to db
+     * since the cache may not be exhaustive. 
+     */
+
+    /* clear the principal area */
+    memset(principal, 0, max * sizeof(Principal));
+
+#ifdef CACHE
+    /*
+     * so check to see if the name contains a wildcard "*" or "?", not
+     * preceeded by a backslash. 
+     */
+    wild = 0;
+    if (index(name, '*') || index(name, '?') ||
+	index(inst, '*') || index(inst, '?'))
+	wild = 1;
+
+    if (!wild) {
+	/* try the cache first */
+	found = kerb_cache_get_principal(name, inst, principal, max, more);
+	if (found)
+	    return (found);
+    }
+#endif
+    /* If we didn't try cache, or it wasn't there, try db */
+    found = kerb_db_get_principal(name, inst, principal, max, more);
+    /* try to insert principal(s) into cache if it was found */
+#ifdef CACHE
+    if (found > 0) {
+	kerb_cache_put_principal(principal, found);
+    }
+#endif
+    return (found);
+}
+
+/* principals */
+int
+kerb_put_principal(Principal *principal,
+		   unsigned int n)                         
+                   		/* number of principal structs to write */
+{
+    /* set mod date */
+    principal->mod_date = time((time_t *)0);
+    /* and mod date string */
+
+    strftime(principal->mod_date_txt, 
+	     sizeof(principal->mod_date_txt), 
+	     "%Y-%m-%d", k_localtime(&principal->mod_date));
+    strftime(principal->exp_date_txt, 
+	     sizeof(principal->exp_date_txt), 
+	     "%Y-%m-%d", k_localtime(&principal->exp_date));
+#ifdef DEBUG
+    if (kerb_debug & 1) {
+	int i;
+	fprintf(stderr, "\nkerb_put_principal...");
+	for (i = 0; i < n; i++) {
+	    krb_print_principal(&principal[i]);
+	}
+    }
+#endif
+    /* write database */
+    if (kerb_db_put_principal(principal, n) < 0) {
+#ifdef DEBUG
+	if (kerb_debug & 1)
+	    fprintf(stderr, "\n%s: kerb_db_put_principal err", progname);
+	/* watch out for cache */
+#endif
+	return -1;
+    }
+#ifdef CACHE
+    /* write cache */
+    if (!kerb_cache_put_principal(principal, n)) {
+#ifdef DEBUG
+	if (kerb_debug & 1)
+	    fprintf(stderr, "\n%s: kerb_cache_put_principal err", progname);
+#endif
+	return -1;
+    }
+#endif
+    return 0;
+}
+
+int
+kerb_get_dba(char *name,	/* could have wild card */
+	     char *inst,	/* could have wild card */
+	     Dba *dba,
+	     unsigned int max,	/* max number of name structs to return */
+	     int *more)		/* more tuples than room for */
+{
+    int     found = 0;
+#ifdef CACHE
+    static int wild = 0;
+#endif
+    if (!init)
+	kerb_init();
+
+#ifdef DEBUG
+    if (kerb_debug & 1)
+	fprintf(stderr, "\n%s: kerb_get_dba for %s %s max = %d\n",
+	    progname, name, inst, max);
+#endif
+    /*
+     * if this is a request including a wild card, have to go to db
+     * since the cache may not be exhaustive. 
+     */
+
+    /* clear the dba area */
+    memset(dba, 0, max * sizeof(Dba));
+
+#ifdef CACHE
+    /*
+     * so check to see if the name contains a wildcard "*" or "?", not
+     * preceeded by a backslash. 
+     */
+
+    wild = 0;
+    if (index(name, '*') || index(name, '?') ||
+	index(inst, '*') || index(inst, '?'))
+	wild = 1;
+
+    if (!wild) {
+	/* try the cache first */
+	found = kerb_cache_get_dba(name, inst, dba, max, more);
+	if (found)
+	    return (found);
+    }
+#endif
+    /* If we didn't try cache, or it wasn't there, try db */
+    found = kerb_db_get_dba(name, inst, dba, max, more);
+#ifdef CACHE
+    /* try to insert dba(s) into cache if it was found */
+    if (found) {
+	kerb_cache_put_dba(dba, found);
+    }
+#endif
+    return (found);
+}
diff --git a/crypto/kerberosIV/lib/kdb/print_princ.c b/crypto/kerberosIV/lib/kdb/print_princ.c
new file mode 100644
index 0000000..786c5a9
--- /dev/null
+++ b/crypto/kerberosIV/lib/kdb/print_princ.c
@@ -0,0 +1,48 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "kdb_locl.h"
+
+RCSID("$Id: print_princ.c,v 1.5 1997/05/07 01:37:13 assar Exp $");
+
+void
+krb_print_principal(Principal *a_n)
+{
+    struct tm *time_p;
+
+    /* run-time database does not contain string versions */
+    time_p = k_localtime(&(a_n->exp_date));
+
+    fprintf(stderr,
+    "\n%s %s expires %4d-%2d-%2d %2d:%2d, max_life %d*5 = %d min  attr 0x%02x",
+    a_n->name, a_n->instance,
+    time_p->tm_year + 1900,
+    time_p->tm_mon + 1, time_p->tm_mday,
+    time_p->tm_hour, time_p->tm_min,
+    a_n->max_life, 5 * a_n->max_life, a_n->attributes);
+
+    fprintf(stderr,
+    "\n\tkey_ver %d  k_low 0x%08lx  k_high 0x%08lx  akv %d  exists %ld\n",
+    a_n->key_version, (long)a_n->key_low, (long)a_n->key_high,
+    a_n->kdc_key_ver, (long)a_n->old);
+
+    fflush(stderr);
+}
diff --git a/crypto/kerberosIV/lib/krb/Makefile.in b/crypto/kerberosIV/lib/krb/Makefile.in
new file mode 100644
index 0000000..2196db2
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/Makefile.in
@@ -0,0 +1,373 @@
+#
+# $Id: Makefile.in,v 1.113.2.2 2000/12/07 16:44:12 assar Exp $
+#
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+CP = cp
+LN_S = @LN_S@
+DEFS = @DEFS@ -DROKEN_RENAME
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+EXECSUFFIX=@EXECSUFFIX@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+top_builddir = ../..
+
+COMPILE_ET = ../com_err/compile_et
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+
+includedir = @includedir@
+
+incdir = $(includedir)
+inc_DATA = krb_err.h
+idir = $(top_builddir)/include
+
+PICFLAGS = @PICFLAGS@
+
+# Under SunOS-5.x it is necessary to link with -ldes to be binary compatible.
+
+LIBDES=`test -r /usr/lib/libkrb.so.1 && echo "@LD_FLAGS@ -L../des -ldes"; true`
+
+LIB_DEPS = @lib_deps_yes@ `echo @LIB_res_search@ @LIB_dn_expand@ | sort | uniq` $(LIBDES) -lc
+build_symlink_command   = @build_symlink_command@
+install_symlink_command = @install_symlink_command@
+ 
+PROGS = sizetest$(EXECSUFFIX)
+LIBNAME = $(LIBPREFIX)krb
+LIBEXT = @LIBEXT@
+SHLIBEXT = @SHLIBEXT@
+LIBPREFIX = @LIBPREFIX@
+LDSHARED = @LDSHARED@
+LIB = $(LIBNAME).$(LIBEXT)
+
+SOURCES = \
+	check_time.c \
+	cr_err_reply.c \
+	create_auth_reply.c \
+	create_ciph.c \
+	create_death_packet.c \
+	create_ticket.c \
+	debug_decl.c \
+	decomp_ticket.c \
+	defaults.c \
+	dest_tkt.c \
+	encrypt_ktext.c \
+	extra.c \
+	get_ad_tkt.c \
+	getfile.c \
+	get_cred.c \
+	get_default_principal.c \
+	get_host.c \
+	get_in_tkt.c \
+	get_krbrlm.c \
+	get_svc_in_tkt.c \
+	get_tf_fullname.c \
+	get_tf_realm.c \
+	getaddrs.c \
+	getrealm.c \
+	getst.c \
+	k_getport.c \
+	k_getsockinst.c \
+	k_localtime.c \
+	kdc_reply.c \
+	kntoln.c \
+	krb_check_auth.c \
+	krb_equiv.c \
+	krb_err.c \
+	krb_err_txt.c \
+	krb_get_in_tkt.c \
+	kuserok.c \
+	lifetime.c \
+	logging.c \
+	lsb_addr_comp.c \
+	mk_auth.c \
+	mk_err.c \
+	mk_priv.c \
+	mk_req.c \
+	mk_safe.c \
+	month_sname.c \
+	name2name.c \
+	krb_net_read.c \
+	krb_net_write.c \
+	one.c \
+	parse_name.c \
+	rd_err.c \
+	rd_priv.c \
+	rd_req.c \
+	rd_safe.c \
+	read_service_key.c \
+	realm_parse.c \
+	recvauth.c \
+	rw.c \
+	save_credentials.c \
+	send_to_kdc.c \
+	sendauth.c \
+	solaris_compat.c \
+	stime.c \
+	str2key.c \
+	tf_util.c \
+	time.c \
+	tkt_string.c \
+	unparse_name.c \
+	verify_user.c \
+	krb_ip_realm.c
+
+# these files reside in ../roken or ../com_err/
+EXTRA_SOURCE = \
+	base64.c \
+	concat.c \
+	flock.c \
+	gethostname.c \
+	gettimeofday.c \
+	getuid.c \
+	resolve.c \
+	snprintf.c \
+	strcasecmp.c \
+	strlcat.c \
+	strlcpy.c \
+	strdup.c \
+	strncasecmp.c \
+	strnlen.c \
+	strtok_r.c \
+	swab.c
+
+SHLIB_EXTRA_SOURCE = \
+	com_err.c \
+	error.c
+  
+OBJECTS = \
+	check_time.o \
+	cr_err_reply.o \
+	create_auth_reply.o \
+	create_ciph.o \
+	create_death_packet.o \
+	create_ticket.o \
+	debug_decl.o \
+	decomp_ticket.o \
+	defaults.o \
+	dest_tkt.o \
+	encrypt_ktext.o \
+	extra.o \
+	get_ad_tkt.o \
+	getfile.o \
+	get_cred.o \
+	get_default_principal.o \
+	get_host.o \
+	get_in_tkt.o \
+	get_krbrlm.o \
+	get_svc_in_tkt.o \
+	get_tf_fullname.o \
+	get_tf_realm.o \
+	getaddrs.o \
+	getrealm.o \
+	getst.o \
+	k_getport.o \
+	k_getsockinst.o \
+	k_localtime.o \
+	kdc_reply.o \
+	kntoln.o \
+	krb_check_auth.o \
+	krb_equiv.o \
+	krb_err.o \
+	krb_err_txt.o \
+	krb_get_in_tkt.o \
+	kuserok.o \
+	lifetime.o \
+	logging.o \
+	lsb_addr_comp.o \
+	mk_auth.o \
+	mk_err.o \
+	mk_priv.o \
+	mk_req.o \
+	mk_safe.o \
+	month_sname.o \
+	name2name.o \
+	krb_net_read.o \
+	krb_net_write.o \
+	one.o \
+	parse_name.o \
+	rd_err.o \
+	rd_priv.o \
+	rd_req.o \
+	rd_safe.o \
+	read_service_key.o \
+	realm_parse.o \
+	recvauth.o \
+	rw.o \
+	save_credentials.o \
+	send_to_kdc.o \
+	sendauth.o \
+	solaris_compat.o \
+	stime.o \
+	str2key.o \
+	tf_util.o \
+	time.o \
+	tkt_string.o \
+	unparse_name.o \
+	verify_user.o \
+	krb_ip_realm.o \
+	$(LIBADD)
+
+LIBADD = \
+	base64.o \
+	concat.o \
+	flock.o \
+	gethostname.o \
+	gettimeofday.o \
+	getuid.o \
+	net_read.o \
+	net_write.o \
+	resolve.o \
+	snprintf.o \
+	strcasecmp.o \
+	strlcat.o \
+	strlcpy.o \
+	strdup.o \
+	strncasecmp.o \
+	strnlen.o \
+	strtok_r.o \
+	swab.o
+
+SHLIB_LIBADD = \
+	com_err.o \
+	error.o
+
+all: $(LIB) $(PROGS) all-local
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I. -I../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libdir)
+	$(INSTALL_DATA)  $(LIB) $(DESTDIR)$(libdir)/$(LIB)
+	@install_symlink_command@
+	$(MKINSTALLDIRS) $(DESTDIR)$(includedir)
+	@for i in $(inc_DATA); do \
+	echo "  $(INSTALL_DATA) $$i $(DESTDIR)$(incdir)/$$i";\
+	$(INSTALL_DATA) $$i $(DESTDIR)$(incdir)/$$i; done
+
+uninstall:
+	rm -f $(DESTDIR)$(libdir)/$(LIB)
+	@for i in $(inc_DATA); do \
+	echo "  rm -f $(DESTDIR)$(incdir)/$$i";\
+	rm -f $(DESTDIR)$(incdir)/$$i; done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+sizetest.o: sizetest.c
+	$(CC) -c $(CPPFLAGS) $(DEFS) -I../../include -I$(srcdir) $(CFLAGS) $<
+
+sizetest$(EXECSUFFIX): sizetest.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ sizetest.o
+
+check: sizetest$(EXECSUFFIX)
+	./sizetest$(EXECSUFFIX)
+
+clean:
+	rm -f $(LIB) *.o *.a *.so *.so.* so_locations \
+	 krb_err.c krb_err.h $(PROGS)  $(EXTRA_SOURCE) $(SHLIB_EXTRA_SOURCE)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+$(LIBNAME)_pic.a: $(OBJECTS) $(SHLIB_LIBADD)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS) $(SHLIB_LIBADD)
+	-$(RANLIB) $@
+
+$(LIBNAME).a: $(OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS)
+	-$(RANLIB) $@
+
+$(LIBNAME).$(SHLIBEXT): $(OBJECTS) $(SHLIB_LIBADD) $(LIBNAME)_pic.a
+	rm -f $@
+	$(LDSHARED) -o $@ $(OBJECTS) $(SHLIB_LIBADD) $(LIB_DEPS)
+	@build_symlink_command@
+
+krb_err.c krb_err.h: krb_err.et
+	$(COMPILE_ET) $(srcdir)/krb_err.et
+
+# this doesn't work with parallel makes
+#$(EXTRA_SOURCE):
+#	for i in $(EXTRA_SOURCE); do \
+#	  test -f $$i || $(LN_S) $(srcdir)/../roken/$$i .; \
+#	done
+
+base64.c:
+	$(LN_S) $(srcdir)/../roken/base64.c .
+concat.c:
+	$(LN_S) $(srcdir)/../roken/concat.c .
+flock.c:
+	$(LN_S) $(srcdir)/../roken/flock.c .
+gethostname.c:
+	$(LN_S) $(srcdir)/../roken/gethostname.c .
+gettimeofday.c:
+	$(LN_S) $(srcdir)/../roken/gettimeofday.c .
+getuid.c:
+	$(LN_S) $(srcdir)/../roken/getuid.c .
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
+strcasecmp.c:
+	$(LN_S) $(srcdir)/../roken/strcasecmp.c .
+strlcat.c:
+	$(LN_S) $(srcdir)/../roken/strlcat.c .
+strlcpy.c:
+	$(LN_S) $(srcdir)/../roken/strlcpy.c .
+strncasecmp.c:
+	$(LN_S) $(srcdir)/../roken/strncasecmp.c .
+strnlen.c:
+	$(LN_S) $(srcdir)/../roken/strnlen.c .
+strdup.c:
+	$(LN_S) $(srcdir)/../roken/strdup.c .
+strtok_r.c:
+	$(LN_S) $(srcdir)/../roken/strtok_r.c .
+swab.c:
+	$(LN_S) $(srcdir)/../roken/swab.c .
+resolve.c:
+	$(LN_S) $(srcdir)/../roken/resolve.c .
+net_read.c:
+	$(LN_S) $(srcdir)/../roken/net_read.c .
+net_write.c:
+	$(LN_S) $(srcdir)/../roken/net_write.c .
+com_err.c:
+	$(LN_S) $(srcdir)/../com_err/com_err.c .
+error.c:
+	$(LN_S) $(srcdir)/../com_err/error.c .
+
+
+$(OBJECTS): ../../include/config.h
+$(OBJECTS): krb_locl.h krb.h
+rw.o: ../../include/version.h
+
+all-local: $(inc_DATA)
+	@for i in $(inc_DATA); do \
+		if cmp -s  $$i $(idir)/$$i 2> /dev/null ; then :; else\
+			echo " $(CP) $$i $(idir)/$$i"; \
+			$(CP) $$i $(idir)/$$i; \
+		fi ; \
+	done
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean all-local
diff --git a/crypto/kerberosIV/lib/krb/check_time.c b/crypto/kerberosIV/lib/krb/check_time.c
new file mode 100644
index 0000000..be028fa
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/check_time.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: check_time.c,v 1.5 1999/12/02 16:58:40 joda Exp $");
+
+int
+krb_check_tm (struct tm tm)
+{
+     return  tm.tm_mon < 0
+	  || tm.tm_mon > 11
+	  || tm.tm_hour < 0
+	  || tm.tm_hour > 23
+	  || tm.tm_min < 0
+	  || tm.tm_min > 59
+	  || tm.tm_sec < 0
+	  || tm.tm_sec > 59
+	  || tm.tm_year < 1901
+	  || tm.tm_year > 2038;
+}
diff --git a/crypto/kerberosIV/lib/krb/cr_err_reply.c b/crypto/kerberosIV/lib/krb/cr_err_reply.c
new file mode 100644
index 0000000..3308529
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/cr_err_reply.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: cr_err_reply.c,v 1.11 1999/12/02 16:58:41 joda Exp $");
+
+/*
+ * This routine is used by the Kerberos authentication server to
+ * create an error reply packet to send back to its client.
+ *
+ * It takes a pointer to the packet to be built, the name, instance,
+ * and realm of the principal, the client's timestamp, an error code
+ * and an error string as arguments.  Its return value is undefined.
+ *
+ * The packet is built in the following format:
+ * 
+ * type			variable	   data
+ *			or constant
+ * ----			-----------	   ----
+ *
+ * unsigned char	req_ack_vno	   protocol version number
+ * 
+ * unsigned char	AUTH_MSG_ERR_REPLY protocol message type
+ * 
+ * [least significant	HOST_BYTE_ORDER	   sender's (server's) byte
+ * bit of above field]			   order
+ * 
+ * string		pname		   principal's name
+ * 
+ * string		pinst		   principal's instance
+ * 
+ * string		prealm		   principal's realm
+ * 
+ * unsigned long	time_ws		   client's timestamp
+ * 
+ * unsigned long	e		   error code
+ * 
+ * string		e_string	   error text
+ */
+
+int
+cr_err_reply(KTEXT pkt, char *pname, char *pinst, char *prealm, 
+	     u_int32_t time_ws, u_int32_t e, char *e_string)
+{
+    unsigned char *p = pkt->dat;
+    int tmp;
+    size_t rem = sizeof(pkt->dat);
+
+    tmp = krb_put_int(KRB_PROT_VERSION, p, rem, 1);
+    if (tmp < 0)
+	return -1;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(AUTH_MSG_ERR_REPLY, p, rem, 1);
+    if (tmp < 0)
+	return -1;
+    p += tmp;
+    rem -= tmp;
+
+    if (pname == NULL) pname = "";
+    if (pinst == NULL) pinst = "";
+    if (prealm == NULL) prealm = "";
+
+    tmp = krb_put_nir(pname, pinst, prealm, p, rem);
+    if (tmp < 0)
+	return -1;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(time_ws, p, rem, 4);
+    if (tmp < 0)
+	return -1;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(e, p, rem, 4);
+    if (tmp < 0)
+	return -1;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_string(e_string, p, rem);
+    if (tmp < 0)
+	return -1;
+    p += tmp;
+    rem -= tmp;
+
+    pkt->length = p - pkt->dat;
+    return 0;
+}
diff --git a/crypto/kerberosIV/lib/krb/create_auth_reply.c b/crypto/kerberosIV/lib/krb/create_auth_reply.c
new file mode 100644
index 0000000..7f6cf46
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/create_auth_reply.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: create_auth_reply.c,v 1.15 1999/12/02 16:58:41 joda Exp $");
+
+/*
+ * This routine is called by the Kerberos authentication server
+ * to create a reply to an authentication request.  The routine
+ * takes the user's name, instance, and realm, the client's
+ * timestamp, the number of tickets, the user's key version
+ * number and the ciphertext containing the tickets themselves.
+ * It constructs a packet and returns a pointer to it.
+ *
+ * Notes: The packet returned by this routine is static.  Thus, if you
+ * intend to keep the result beyond the next call to this routine, you
+ * must copy it elsewhere.
+ *
+ * The packet is built in the following format:
+ * 
+ * 			variable
+ * type			or constant	   data
+ * ----			-----------	   ----
+ * 
+ * unsigned char	KRB_PROT_VERSION   protocol version number
+ * 
+ * unsigned char	AUTH_MSG_KDC_REPLY protocol message type
+ * 
+ * [least significant	HOST_BYTE_ORDER	   sender's (server's) byte
+ *  bit of above field]			   order
+ * 
+ * string		pname		   principal's name
+ * 
+ * string		pinst		   principal's instance
+ * 
+ * string		prealm		   principal's realm
+ * 
+ * unsigned long	time_ws		   client's timestamp
+ * 
+ * unsigned char	n		   number of tickets
+ * 
+ * unsigned long	x_date		   expiration date
+ * 
+ * unsigned char	kvno		   master key version
+ * 
+ * short		w_1		   cipher length
+ * 
+ * ---			cipher->dat	   cipher data
+ */
+
+KTEXT
+create_auth_reply(char *pname,	/* Principal's name */
+		  char *pinst,	/* Principal's instance */
+		  char *prealm,	/* Principal's authentication domain */
+		  int32_t time_ws, /* Workstation time */
+		  int n,	/* Number of tickets */
+		  u_int32_t x_date, /* Principal's expiration date */
+		  int kvno,	/* Principal's key version number */
+		  KTEXT cipher)	/* Cipher text with tickets and session keys */
+{
+    static  KTEXT_ST pkt_st;
+    KTEXT pkt = &pkt_st;
+    
+    unsigned char *p = pkt->dat;
+    int tmp;
+    size_t rem = sizeof(pkt->dat);
+
+    if(n != 0)
+	return NULL;
+    
+    tmp = krb_put_int(KRB_PROT_VERSION, p, rem, 1);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(AUTH_MSG_KDC_REPLY, p, rem, 1);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_nir(pname, pinst, prealm, p, rem);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(time_ws, p, rem, 4);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+    
+    tmp = krb_put_int(n, p, rem, 1);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+    
+    tmp = krb_put_int(x_date, p, rem, 4);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+    
+    tmp = krb_put_int(kvno, p, rem, 1);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+    
+    tmp = krb_put_int(cipher->length, p, rem, 2);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+    
+    if (rem < cipher->length)
+	return NULL;
+    memcpy(p, cipher->dat, cipher->length);
+    p += cipher->length;
+    rem -= cipher->length;
+
+    pkt->length = p - pkt->dat;
+
+    return pkt;
+}
diff --git a/crypto/kerberosIV/lib/krb/create_ciph.c b/crypto/kerberosIV/lib/krb/create_ciph.c
new file mode 100644
index 0000000..f73e8d7
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/create_ciph.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: create_ciph.c,v 1.13 1999/12/02 16:58:41 joda Exp $");
+
+/*
+ * This routine is used by the authentication server to create
+ * a packet for its client, containing a ticket for the requested
+ * service (given in "tkt"), and some information about the ticket,
+ *
+ * Returns KSUCCESS no matter what.
+ *
+ * The length of the cipher is stored in c->length; the format of
+ * c->dat is as follows:
+ *
+ * 			variable
+ * type			or constant	   data
+ * ----			-----------	   ----
+ * 
+ * 
+ * 8 bytes		session		session key for client, service
+ * 
+ * string		service		service name
+ * 
+ * string		instance	service instance
+ * 
+ * string		realm		KDC realm
+ * 
+ * unsigned char	life		ticket lifetime
+ * 
+ * unsigned char	kvno		service key version number
+ * 
+ * unsigned char	tkt->length	length of following ticket
+ * 
+ * data			tkt->dat	ticket for service
+ * 
+ * 4 bytes		kdc_time	KDC's timestamp
+ *
+ * <=7 bytes		null		   null pad to 8 byte multiple
+ *
+ */
+
+int
+create_ciph(KTEXT c,		/* Text block to hold ciphertext */
+	    unsigned char *session, /* Session key to send to user */
+	    char *service,	/* Service name on ticket */
+	    char *instance,	/* Instance name on ticket */
+	    char *realm,	/* Realm of this KDC */
+	    u_int32_t life,	/* Lifetime of the ticket */
+	    int kvno,		/* Key version number for service */
+	    KTEXT tkt,		/* The ticket for the service */
+	    u_int32_t kdc_time,	/* KDC time */
+	    des_cblock *key)	/* Key to encrypt ciphertext with */
+
+{
+    unsigned char *p = c->dat;
+    size_t rem = sizeof(c->dat);
+    int tmp;
+
+    memset(c, 0, sizeof(KTEXT_ST));
+
+    if (rem < 8)
+	return KFAILURE;
+    memcpy(p, session, 8);
+    p += 8;
+    rem -= 8;
+    
+    tmp = krb_put_nir(service, instance, realm, p, rem);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    
+    tmp = krb_put_int(life, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(kvno, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(tkt->length, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    if (rem < tkt->length)
+	return KFAILURE;
+    memcpy(p, tkt->dat, tkt->length);
+    p += tkt->length;
+    rem -= tkt->length;
+
+    tmp = krb_put_int(kdc_time, p, rem, 4);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    /* multiple of eight bytes */
+    c->length = (p - c->dat + 7) & ~7;
+
+    encrypt_ktext(c, key, DES_ENCRYPT);
+    return KSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/krb/create_death_packet.c b/crypto/kerberosIV/lib/krb/create_death_packet.c
new file mode 100644
index 0000000..15e0267
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/create_death_packet.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: create_death_packet.c,v 1.10 1999/12/02 16:58:41 joda Exp $");
+
+/*
+ * This routine creates a packet to type AUTH_MSG_DIE which is sent to
+ * the Kerberos server to make it shut down.  It is used only in the
+ * development environment.
+ *
+ * It takes a string "a_name" which is sent in the packet.  A pointer
+ * to the packet is returned.
+ *
+ * The format of the killer packet is:
+ *
+ * type			variable		data
+ *			or constant
+ * ----			-----------		----
+ *
+ * unsigned char	KRB_PROT_VERSION	protocol version number
+ * 
+ * unsigned char	AUTH_MSG_DIE		message type
+ * 
+ * [least significant	HOST_BYTE_ORDER		byte order of sender
+ *  bit of above field]
+ * 
+ * string		a_name			presumably, name of
+ * 						principal sending killer
+ * 						packet
+ */
+
+#ifdef DEBUG
+KTEXT
+krb_create_death_packet(char *a_name)
+{
+    static KTEXT_ST pkt_st;
+    KTEXT pkt = &pkt_st;
+
+    unsigned char *p = pkt->dat;
+    int tmp;
+    int rem = sizeof(pkt->dat);
+
+    pkt->length = 0;
+
+    tmp = krb_put_int(KRB_PROT_VERSION, p, rem, 1);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(AUTH_MSG_DIE, p, rem, 1);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_string(a_name, p, rem);
+    if (tmp < 0)
+	return NULL;
+    p += tmp;
+    rem -= tmp;
+
+    pkt->length = p - pkt->dat;
+    return pkt;
+}
+#endif /* DEBUG */
diff --git a/crypto/kerberosIV/lib/krb/create_ticket.c b/crypto/kerberosIV/lib/krb/create_ticket.c
new file mode 100644
index 0000000..32cb0a0
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/create_ticket.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: create_ticket.c,v 1.14 1999/12/02 16:58:41 joda Exp $");
+
+/*
+ * Create ticket takes as arguments information that should be in a
+ * ticket, and the KTEXT object in which the ticket should be
+ * constructed.  It then constructs a ticket and returns, leaving the
+ * newly created ticket in tkt.
+ * The length of the ticket is a multiple of
+ * eight bytes and is in tkt->length.
+ *
+ * If the ticket is too long, the ticket will contain nulls.
+ *
+ * The corresponding routine to extract information from a ticket it
+ * decomp_ticket.  When changes are made to this routine, the
+ * corresponding changes should also be made to that file.
+ *
+ * The packet is built in the following format:
+ * 
+ * 			variable
+ * type			or constant	   data
+ * ----			-----------	   ----
+ *
+ * tkt->length		length of ticket (multiple of 8 bytes)
+ * 
+ * tkt->dat:
+ * 
+ * unsigned char	flags		   namely, HOST_BYTE_ORDER
+ * 
+ * string		pname		   client's name
+ * 
+ * string		pinstance	   client's instance
+ * 
+ * string		prealm		   client's realm
+ * 
+ * 4 bytes		paddress	   client's address
+ * 
+ * 8 bytes		session		   session key
+ * 
+ * 1 byte		life		   ticket lifetime
+ * 
+ * 4 bytes		time_sec	   KDC timestamp
+ * 
+ * string		sname		   service's name
+ * 
+ * string		sinstance	   service's instance
+ * 
+ * <=7 bytes		null		   null pad to 8 byte multiple
+ *
+ */
+
+int
+krb_create_ticket(KTEXT tkt,	/* Gets filled in by the ticket */
+		  unsigned char flags, /* Various Kerberos flags */
+		  char *pname,	/* Principal's name */
+		  char *pinstance, /* Principal's instance */
+		  char *prealm, /* Principal's authentication domain */
+		  int32_t paddress, /* Net address of requesting entity */
+		  void *session, /* Session key inserted in ticket */
+		  int16_t life,	/* Lifetime of the ticket */
+		  int32_t time_sec, /* Issue time and date */
+		  char *sname,	/* Service Name */
+		  char *sinstance, /* Instance Name */
+		  des_cblock *key) /* Service's secret key */
+{
+    unsigned char *p = tkt->dat;
+    int tmp;
+    size_t rem = sizeof(tkt->dat);
+
+    memset(tkt, 0, sizeof(KTEXT_ST));
+
+    tmp = krb_put_int(flags, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_nir(pname, pinstance, prealm, p, rem);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+    
+    tmp = krb_put_address(paddress, p, rem);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+    
+    if (rem < 8)
+	return KFAILURE;
+    memcpy(p, session, 8);
+    p += 8;
+    rem -= 8;
+
+    tmp = krb_put_int(life, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(time_sec, p, rem, 4);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_nir(sname, sinstance, NULL, p, rem);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    /* multiple of eight bytes */
+    tkt->length = (p - tkt->dat + 7) & ~7;
+
+    /* Check length of ticket */
+    if (tkt->length > (sizeof(KTEXT_ST) - 7)) {
+        memset(tkt->dat, 0, tkt->length);
+        tkt->length = 0;
+        return KFAILURE /* XXX */;
+    }
+
+    encrypt_ktext(tkt, key, DES_ENCRYPT);
+    return KSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/krb/debug_decl.c b/crypto/kerberosIV/lib/krb/debug_decl.c
new file mode 100644
index 0000000..5cbab77
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/debug_decl.c
@@ -0,0 +1,44 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: debug_decl.c,v 1.10 1999/06/16 15:10:38 joda Exp $");
+
+/* Declare global debugging variables. */
+
+int krb_ap_req_debug = 0;
+int krb_debug = 0;
+int krb_dns_debug = 0;
+
+int
+krb_enable_debug(void)
+{
+    krb_ap_req_debug = krb_debug = krb_dns_debug = 1;
+    return 0;
+}
+
+int
+krb_disable_debug(void)
+{
+    krb_ap_req_debug = krb_debug = krb_dns_debug = 0;
+    return 0;
+}
diff --git a/crypto/kerberosIV/lib/krb/decomp_ticket.c b/crypto/kerberosIV/lib/krb/decomp_ticket.c
new file mode 100644
index 0000000..12bdf44
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/decomp_ticket.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: decomp_ticket.c,v 1.20 1999/12/02 16:58:41 joda Exp $");
+
+/*
+ * This routine takes a ticket and pointers to the variables that
+ * should be filled in based on the information in the ticket.  It
+ * fills in values for its arguments.
+ *
+ * The routine returns KFAILURE if any of the "pname", "pinstance",
+ * or "prealm" fields is too big, otherwise it returns KSUCCESS.
+ *
+ * The corresponding routine to generate tickets is create_ticket.
+ * When changes are made to this routine, the corresponding changes
+ * should also be made to that file.
+ *
+ * See create_ticket.c for the format of the ticket packet.
+ */
+
+int
+decomp_ticket(KTEXT tkt,	/* The ticket to be decoded */
+	      unsigned char *flags, /* Kerberos ticket flags */
+	      char *pname,	/* Authentication name */
+	      char *pinstance,	/* Principal's instance */
+	      char *prealm,	/* Principal's authentication domain */
+	      u_int32_t *paddress,/* Net address of entity requesting ticket */
+	      unsigned char *session, /* Session key inserted in ticket */
+	      int *life,	/* Lifetime of the ticket */
+	      u_int32_t *time_sec, /* Issue time and date */
+	      char *sname,	/* Service name */
+	      char *sinstance,	/* Service instance */
+	      des_cblock *key,	/* Service's secret key (to decrypt the ticket) */
+	      des_key_schedule schedule) /* The precomputed key schedule */
+
+{
+    unsigned char *p = tkt->dat;
+    
+    int little_endian;
+
+    des_pcbc_encrypt((des_cblock *)tkt->dat, (des_cblock *)tkt->dat,
+		     tkt->length, schedule, key, DES_DECRYPT);
+
+    tkt->mbz = 0;
+
+    *flags = *p++;
+
+    little_endian = *flags & 1;
+
+    if(strlen((char*)p) > ANAME_SZ)
+	return KFAILURE;
+    p += krb_get_string(p, pname, ANAME_SZ);
+
+    if(strlen((char*)p) > INST_SZ)
+	return KFAILURE;
+    p += krb_get_string(p, pinstance, INST_SZ);
+
+    if(strlen((char*)p) > REALM_SZ)
+	return KFAILURE;
+    p += krb_get_string(p, prealm, REALM_SZ);
+
+    if (*prealm == '\0')
+	krb_get_lrealm (prealm, 1);
+
+    if(tkt->length - (p - tkt->dat) < 8 + 1 + 4)
+	return KFAILURE;
+    p += krb_get_address(p, paddress);
+
+    memcpy(session, p, 8);
+    p += 8;
+
+    *life = *p++;
+    
+    p += krb_get_int(p, time_sec, 4, little_endian);
+
+    if(strlen((char*)p) > SNAME_SZ)
+	return KFAILURE;
+    p += krb_get_string(p, sname, SNAME_SZ);
+
+    if(strlen((char*)p) > INST_SZ)
+	return KFAILURE;
+    p += krb_get_string(p, sinstance, INST_SZ);
+
+    return KSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/krb/defaults.c b/crypto/kerberosIV/lib/krb/defaults.c
new file mode 100644
index 0000000..e4fe027
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/defaults.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: defaults.c,v 1.3 1999/12/02 16:58:41 joda Exp $");
+
+const
+char *
+krb_get_default_tkt_root(void)
+{
+  const char *t = krb_get_config_string("krb_default_tkt_root");
+  if (t)
+    return t;
+  else
+    return "/tmp/tkt";
+}
+
+const
+char *
+krb_get_default_keyfile(void)
+{
+  const char *t = krb_get_config_string("krb_default_keyfile");
+  if (t)
+    return t;
+  else
+    return "/etc/srvtab";
+}
diff --git a/crypto/kerberosIV/lib/krb/dest_tkt.c b/crypto/kerberosIV/lib/krb/dest_tkt.c
new file mode 100644
index 0000000..4330df2
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/dest_tkt.c
@@ -0,0 +1,108 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: dest_tkt.c,v 1.11.14.2 2000/10/18 20:26:42 assar Exp $");
+
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+/*
+ * dest_tkt() is used to destroy the ticket store upon logout.
+ * If the ticket file does not exist, dest_tkt() returns RET_TKFIL.
+ * Otherwise the function returns RET_OK on success, KFAILURE on
+ * failure.
+ *
+ * The ticket file (TKT_FILE) is defined in "krb.h".
+ */
+
+int
+dest_tkt(void)
+{
+    const char *filename = TKT_FILE;
+    int i, fd;
+    struct stat sb1, sb2;
+    char buf[BUFSIZ];
+    int error = 0;
+
+    if (lstat (filename, &sb1) < 0) {
+	error = errno;
+	goto out;
+    }
+
+    fd = open (filename, O_RDWR | O_BINARY);
+    if (fd < 0) {
+	error = errno;
+	goto out;
+    }
+
+    if (unlink (filename) < 0) {
+	error = errno;
+	close(fd);
+	goto out;
+    }
+
+    if (fstat (fd, &sb2) < 0) {
+	error = errno;
+	close(fd);
+	goto out;
+    }
+
+    if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
+	close (fd);
+	error = EPERM;
+	goto out;
+    }
+
+    if (sb2.st_nlink != 0) {
+	close (fd);
+	error = EPERM;
+	goto out;
+    }
+
+    for (i = 0; i < sb2.st_size; i += sizeof(buf)) {
+	int ret;
+	
+	ret = write(fd, buf, sizeof(buf));
+	if (ret != sizeof(buf)) {
+	    if (ret < 0)
+		error = errno;
+	    else
+		error = EINVAL;
+	    fsync(fd);
+	    close(fd);
+	    goto out;
+	}
+    }
+
+    fsync(fd);
+    close(fd);
+    
+out:
+    if (error == ENOENT)
+	return RET_TKFIL;
+    else if (error != 0)
+	return KFAILURE;
+    else
+	return(KSUCCESS);
+}
diff --git a/crypto/kerberosIV/lib/krb/dllmain.c b/crypto/kerberosIV/lib/krb/dllmain.c
new file mode 100644
index 0000000..4e22e9a
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/dllmain.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* dllmain.c - main function to krb4.dll
+ * Author:	J Karlsson <d93-jka@nada.kth.se>
+ * Date:	June 1996
+ */
+
+#include "krb_locl.h"
+#include "ticket_memory.h"
+#include <Windows.h>
+
+RCSID("$Id: dllmain.c,v 1.9 1999/12/02 16:58:41 joda Exp $");
+
+void
+msg(char *text, int error)
+{
+    char *buf;
+
+    asprintf (&buf, "%s\nAn error of type: %d", text, error);
+
+    MessageBox(GetActiveWindow(),
+	       buf ? buf : "Out of memory!",
+	       "kerberos message",
+	       MB_OK|MB_APPLMODAL);
+    free (buf);
+}
+
+void
+PostUpdateMessage(void)
+{
+	HWND		hWnd;
+	static UINT km_message;
+	
+    if(km_message == 0)
+        km_message = RegisterWindowMessage("krb4-update-cache");
+
+	hWnd = FindWindow("KrbManagerWndClass", NULL);
+	if (hWnd == NULL)
+		hWnd = HWND_BROADCAST;
+	PostMessage(hWnd, km_message, 0, 0);
+}
+
+
+BOOL WINAPI
+DllMain (HANDLE hInst, 
+	 ULONG reason,
+	 LPVOID lpReserved)
+{
+    WORD wVersionRequested; 
+    WSADATA wsaData; 
+    PROCESS_INFORMATION p;	
+    int err; 
+
+    switch(reason){
+    case DLL_PROCESS_ATTACH:
+	wVersionRequested = MAKEWORD(1, 1); 
+	err = WSAStartup(wVersionRequested, &wsaData); 
+	if (err != 0) 
+	{
+	    /* Tell the user that we couldn't find a useable */ 
+	    /* winsock.dll.     */ 
+	    msg("Cannot find winsock.dll", err);
+	    return FALSE;
+	}
+	if(newTktMem(0) != KSUCCESS)
+	{
+	    /* Tell the user that we couldn't alloc shared memory. */ 
+	    msg("Cannot allocate shared ticket memory", GetLastError());
+	    return FALSE;
+	}
+	if(GetLastError() != ERROR_ALREADY_EXISTS)
+	{
+	    STARTUPINFO s = {
+		sizeof(s),
+		NULL,
+		NULL,
+		NULL,
+		0,0,
+		0,0,
+		0,0,
+		0,
+		STARTF_USESHOWWINDOW,
+		SW_SHOWMINNOACTIVE,
+		0, NULL,
+		NULL, NULL, NULL
+	    };
+
+	    if(!CreateProcess(0,"krbmanager",
+			      0,0,FALSE,0,0,
+			      0,&s, &p)) {
+#if 0
+		msg("Unable to create Kerberos manager process.\n"
+		    "Make sure krbmanager.exe is in your PATH.",
+		    GetLastError());
+		return FALSE;
+#endif
+	    }
+	}
+	break;
+    case DLL_PROCESS_DETACH:
+	/* should this really be done here? */
+	freeTktMem(0);
+	WSACleanup();
+	break;
+    }
+
+    return TRUE;
+}
diff --git a/crypto/kerberosIV/lib/krb/encrypt_ktext.c b/crypto/kerberosIV/lib/krb/encrypt_ktext.c
new file mode 100644
index 0000000..dc5c60d
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/encrypt_ktext.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: encrypt_ktext.c,v 1.5 1999/12/02 16:58:41 joda Exp $");
+
+void
+encrypt_ktext(KTEXT cip, des_cblock *key, int encrypt)
+{
+    des_key_schedule schedule;
+    des_set_key(key, schedule);
+    des_pcbc_encrypt((des_cblock*)cip->dat, (des_cblock*)cip->dat, 
+		     cip->length, schedule, key, encrypt);
+    memset(schedule, 0, sizeof(des_key_schedule));
+}
diff --git a/crypto/kerberosIV/lib/krb/extra.c b/crypto/kerberosIV/lib/krb/extra.c
new file mode 100644
index 0000000..17193a4
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/extra.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: extra.c,v 1.7.2.1 2000/12/07 16:06:09 assar Exp $");
+
+struct value {
+    char *variable;
+    char *value;
+    struct value *next;
+};
+
+static struct value *_extra_values;
+
+static int _krb_extra_read = 0;
+
+static int
+define_variable(const char *variable, const char *value)
+{
+    struct value *e;
+    e = malloc(sizeof(*e));
+    if(e == NULL)
+	return ENOMEM;
+    e->variable = strdup(variable);
+    if(e->variable == NULL) {
+	free(e);
+	return ENOMEM;
+    }
+    e->value = strdup(value);
+    if(e->value == NULL) {
+	free(e->variable);
+	free(e);
+	return ENOMEM;
+    }
+    e->next = _extra_values;
+    _extra_values = e;
+    return 0;
+}
+
+#ifndef WIN32
+
+static int
+read_extra_file(void)
+{
+    int i = 0;
+    char file[128];
+    char line[1024];
+    if(_krb_extra_read)
+	return 0;
+    _krb_extra_read = 1;
+    while(krb_get_krbextra(i++, file, sizeof(file)) == 0) {
+	FILE *f = fopen(file, "r");
+	if(f == NULL)
+	    continue;
+	while(fgets(line, sizeof(line), f)) {
+	    char *var, *tmp, *val;
+
+	    /* skip initial whitespace */
+	    var = line + strspn(line, " \t");
+	    /* skip non-whitespace */
+	    tmp = var + strcspn(var, " \t=");
+	    /* skip whitespace */
+	    val = tmp + strspn(tmp, " \t=");
+	    *tmp = '\0';
+	    tmp = val + strcspn(val, " \t\n");
+	    *tmp = '\0';
+	    if(*var == '\0' || *var == '#' || *val == '\0')
+		continue;
+	    if(krb_debug)
+		krb_warning("%s: setting `%s' to `%s'\n", file, var, val);
+	    define_variable(var, val);
+	}
+	fclose(f);
+	return 0;
+    }
+    return ENOENT;
+}
+
+#else /* WIN32 */
+
+static int
+read_extra_file(void)
+{
+    char name[1024], data[1024];
+    DWORD name_sz, data_sz;
+    DWORD type;
+    int num = 0;
+    HKEY reg_key;
+
+    if(_krb_extra_read)
+	return 0;
+    _krb_extra_read = 1;
+
+    if(RegCreateKey(HKEY_CURRENT_USER, "krb4", &reg_key) != 0)
+	return -1;
+	
+
+    while(1) {
+	name_sz = sizeof(name);
+	data_sz = sizeof(data);
+	if(RegEnumValue(reg_key,
+			num++,
+			name,
+			&name_sz,
+			NULL,
+			&type,
+			data,
+			&data_sz) != 0)
+	    break;
+	if(type == REG_SZ)
+	    define_variable(name, data);
+    }
+    RegCloseKey(reg_key);
+    return 0;
+}
+
+#endif
+
+static const char*
+find_variable(const char *variable)
+{
+    struct value *e;
+    for(e = _extra_values; e; e = e->next) {
+	if(strcasecmp(variable, e->variable) == 0)
+	    return e->value;
+    }
+    return NULL;
+}
+
+const char *
+krb_get_config_string(const char *variable)
+{
+    read_extra_file();
+    return find_variable(variable);
+}
+
+int
+krb_get_config_bool(const char *variable)
+{
+    const char *value = krb_get_config_string(variable);
+    if(value == NULL)
+	return 0;
+    return strcasecmp(value, "yes") == 0 || 
+	strcasecmp(value, "true") == 0 ||
+	atoi(value);
+}
diff --git a/crypto/kerberosIV/lib/krb/get_ad_tkt.c b/crypto/kerberosIV/lib/krb/get_ad_tkt.c
new file mode 100644
index 0000000..56d7d56
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/get_ad_tkt.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: get_ad_tkt.c,v 1.22 1999/12/02 16:58:41 joda Exp $");
+
+/*
+ * get_ad_tkt obtains a new service ticket from Kerberos, using
+ * the ticket-granting ticket which must be in the ticket file.
+ * It is typically called by krb_mk_req() when the client side
+ * of an application is creating authentication information to be
+ * sent to the server side.
+ *
+ * get_ad_tkt takes four arguments: three pointers to strings which
+ * contain the name, instance, and realm of the service for which the
+ * ticket is to be obtained; and an integer indicating the desired
+ * lifetime of the ticket.
+ *
+ * It returns an error status if the ticket couldn't be obtained,
+ * or AD_OK if all went well.  The ticket is stored in the ticket
+ * cache.
+ *
+ * The request sent to the Kerberos ticket-granting service looks
+ * like this:
+ *
+ * pkt->dat
+ *
+ * TEXT			original contents of	authenticator+ticket
+ *			pkt->dat		built in krb_mk_req call
+ * 
+ * 4 bytes		time_ws			always 0 (?)
+ * char			lifetime		lifetime argument passed
+ * string		service			service name argument
+ * string		sinstance		service instance arg.
+ *
+ * See "prot.h" for the reply packet layout and definitions of the
+ * extraction macros like pkt_version(), pkt_msg_type(), etc.
+ */
+
+int
+get_ad_tkt(char *service, char *sinstance, char *realm, int lifetime)
+{
+    static KTEXT_ST pkt_st;
+    KTEXT pkt = & pkt_st;	/* Packet to KDC */
+    static KTEXT_ST rpkt_st;
+    KTEXT rpkt = &rpkt_st;	/* Returned packet */
+
+    CREDENTIALS cr;
+    char lrealm[REALM_SZ];
+    u_int32_t time_ws = 0;
+    int kerror;
+    unsigned char *p;
+    size_t rem;
+    int tmp;
+
+    /*
+     * First check if we have a "real" TGT for the corresponding
+     * realm, if we don't, use ordinary inter-realm authentication.
+     */
+
+    kerror = krb_get_cred(KRB_TICKET_GRANTING_TICKET, realm, realm, &cr);
+    if (kerror == KSUCCESS) {
+      strlcpy(lrealm, realm, REALM_SZ);
+    } else
+      kerror = krb_get_tf_realm(TKT_FILE, lrealm);
+    
+    if (kerror != KSUCCESS)
+	return(kerror);
+
+    /*
+     * Look for the session key (and other stuff we don't need)
+     * in the ticket file for krbtgt.realm@lrealm where "realm" 
+     * is the service's realm (passed in "realm" argument) and 
+     * lrealm is the realm of our initial ticket.  If we don't 
+     * have this, we will try to get it.
+     */
+    
+    if ((kerror = krb_get_cred(KRB_TICKET_GRANTING_TICKET,
+			       realm, lrealm, &cr)) != KSUCCESS) {
+	/*
+	 * If realm == lrealm, we have no hope, so let's not even try.
+	 */
+	if ((strncmp(realm, lrealm, REALM_SZ)) == 0)
+	    return(AD_NOTGT);
+	else{
+	    if ((kerror = 
+		 get_ad_tkt(KRB_TICKET_GRANTING_TICKET,
+			    realm, lrealm, lifetime)) != KSUCCESS) {
+		if (kerror == KDC_PR_UNKNOWN)
+		  return(AD_INTR_RLM_NOTGT);
+		else
+		  return(kerror);
+	    }
+	    if ((kerror = krb_get_cred(KRB_TICKET_GRANTING_TICKET,
+				       realm, lrealm, &cr)) != KSUCCESS)
+		return(kerror);
+	}
+    }
+    
+    /*
+     * Make up a request packet to the "krbtgt.realm@lrealm".
+     * Start by calling krb_mk_req() which puts ticket+authenticator
+     * into "pkt".  Then tack other stuff on the end.
+     */
+    
+    kerror = krb_mk_req(pkt,
+			KRB_TICKET_GRANTING_TICKET,
+			realm,lrealm,0L);
+
+    if (kerror)
+	return(AD_NOTGT);
+
+    p = pkt->dat + pkt->length;
+    rem = sizeof(pkt->dat) - pkt->length;
+
+    tmp = krb_put_int(time_ws, p, rem, 4);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(lifetime, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_nir(service, sinstance, NULL, p, rem);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+    
+    pkt->length = p - pkt->dat;
+    rpkt->length = 0;
+    
+    /* Send the request to the local ticket-granting server */
+    if ((kerror = send_to_kdc(pkt, rpkt, realm))) return(kerror);
+
+    /* check packet version of the returned packet */
+
+    {
+	KTEXT_ST cip;
+	CREDENTIALS cred;
+	struct timeval tv;
+
+	kerror = kdc_reply_cipher(rpkt, &cip);
+	if(kerror != KSUCCESS)
+	    return kerror;
+	
+	encrypt_ktext(&cip, &cr.session, DES_DECRYPT);
+
+	kerror = kdc_reply_cred(&cip, &cred);
+	if(kerror != KSUCCESS)
+	    return kerror;
+
+	if (strcmp(cred.service, service) || strcmp(cred.instance, sinstance) ||
+	    strcmp(cred.realm, realm))	/* not what we asked for */
+	    return INTK_ERR;	/* we need a better code here XXX */
+	
+	krb_kdctimeofday(&tv);
+	if (abs((int)(tv.tv_sec - cred.issue_date)) > CLOCK_SKEW) {
+	    return RD_AP_TIME; /* XXX should probably be better code */
+	}
+	
+
+	kerror = save_credentials(cred.service, cred.instance, cred.realm, 
+				  cred.session, cred.lifetime, cred.kvno, 
+				  &cred.ticket_st, tv.tv_sec);
+	return kerror;
+    }
+}
diff --git a/crypto/kerberosIV/lib/krb/get_cred.c b/crypto/kerberosIV/lib/krb/get_cred.c
new file mode 100644
index 0000000..085184b
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/get_cred.c
@@ -0,0 +1,70 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: get_cred.c,v 1.7 1997/12/15 17:12:55 assar Exp $");
+
+/*
+ * krb_get_cred takes a service name, instance, and realm, and a
+ * structure of type CREDENTIALS to be filled in with ticket
+ * information.  It then searches the ticket file for the appropriate
+ * ticket and fills in the structure with the corresponding
+ * information from the file.  If successful, it returns KSUCCESS.
+ * On failure it returns a Kerberos error code.
+ */
+
+int
+krb_get_cred(char *service,	/* Service name */
+	     char *instance,	/* Instance */
+	     char *realm,	/* Auth domain */
+	     CREDENTIALS *c)	/* Credentials struct */
+{
+    int tf_status;              /* return value of tf function calls */
+    CREDENTIALS cr;
+
+    if (c == NULL)
+        c = &cr;
+
+    /* Open ticket file and lock it for shared reading */
+    if ((tf_status = tf_init(TKT_FILE, R_TKT_FIL)) != KSUCCESS)
+	return(tf_status);
+
+    /* Copy principal's name and instance into the CREDENTIALS struc c */
+
+    if ( (tf_status = tf_get_pname(c->pname)) != KSUCCESS ||
+    	 (tf_status = tf_get_pinst(c->pinst)) != KSUCCESS )
+	return (tf_status);
+
+    /* Search for requested service credentials and copy into c */
+       
+    while ((tf_status = tf_get_cred(c)) == KSUCCESS) {
+	if ((strcmp(c->service,service) == 0) &&
+           (strcmp(c->instance,instance) == 0) &&
+           (strcmp(c->realm,realm) == 0))
+		   break;
+    }
+    tf_close();
+
+    if (tf_status == EOF)
+	return (GC_NOTKT);
+    return(tf_status);
+}
diff --git a/crypto/kerberosIV/lib/krb/get_default_principal.c b/crypto/kerberosIV/lib/krb/get_default_principal.c
new file mode 100644
index 0000000..860f237
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/get_default_principal.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: get_default_principal.c,v 1.14.2.1 2000/06/23 03:29:10 assar Exp $");
+
+int
+krb_get_default_principal(char *name, char *instance, char *realm)
+{
+  char *file;
+  int ret;
+  char *p;
+
+  file = tkt_string ();
+  
+  ret = krb_get_tf_fullname(file, name, instance, realm);
+  if(ret == KSUCCESS)
+      return 0;
+
+  p = getenv("KRB4PRINCIPAL");
+  if(p && kname_parse(name, instance, realm, p) == KSUCCESS)
+      return 1;
+
+#ifdef HAVE_PWD_H
+  {
+    struct passwd *pw;
+    pw = getpwuid(getuid());
+    if(pw == NULL){
+      return -1;
+    }
+
+    strlcpy (name, pw->pw_name, ANAME_SZ);
+    strlcpy (instance, "", INST_SZ);
+    krb_get_lrealm(realm, 1);
+
+    if(strcmp(name, "root") == 0) {
+      p = NULL;
+#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
+      p = getlogin();
+#endif
+      if(p == NULL)
+	p = getenv("USER");
+      if(p == NULL)
+	p = getenv("LOGNAME");
+      if(p){
+	  strlcpy (name, p, ANAME_SZ);
+	  strlcpy (instance, "root", INST_SZ);
+      }
+    }
+    return 1;
+  }
+#else
+  return -1;
+#endif
+}
diff --git a/crypto/kerberosIV/lib/krb/get_host.c b/crypto/kerberosIV/lib/krb/get_host.c
new file mode 100644
index 0000000..0eb2224
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/get_host.c
@@ -0,0 +1,387 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: get_host.c,v 1.48 1999/12/02 16:58:41 joda Exp $");
+
+static struct host_list {
+    struct krb_host *this;
+    struct host_list *next;
+} *hosts;
+
+static int krb_port = 0;
+
+static void
+free_hosts(struct host_list *h)
+{
+    struct host_list *t;
+    while(h){
+	if(h->this->realm)
+	    free(h->this->realm);
+	if(h->this->host)
+	    free(h->this->host);
+	t = h;
+	h = h->next;
+	free(t);
+    }
+}
+
+static int
+parse_address(char *address, enum krb_host_proto *proto,
+	      char **host, int *port)
+{
+    char *p, *q;
+    int default_port = krb_port;
+    *proto = PROTO_UDP;
+    if(strncmp(address, "http://", 7) == 0){
+	p = address + 7;
+	*proto = PROTO_HTTP;
+	default_port = 80;
+    }else{
+	p = strchr(address, '/');
+	if(p){
+	    char prot[32];
+	    strlcpy (prot, address,
+			     min(p - address + 1, sizeof(prot)));
+	    if(strcasecmp(prot, "udp") == 0) 
+		*proto = PROTO_UDP;
+	    else if(strcasecmp(prot, "tcp") == 0)
+		*proto = PROTO_TCP;
+	    else if(strcasecmp(prot, "http") == 0) {
+		*proto = PROTO_HTTP;
+		default_port = 80;
+	    } else
+		krb_warning("Unknown protocol `%s', Using default `udp'.\n", 
+			    prot);
+	    p++;
+	}else
+	    p = address;
+    }
+    q = strchr(p, ':');
+    if(q) {
+	*host = malloc(q - p + 1);
+	if (*host == NULL)
+	    return -1;
+	strlcpy (*host, p, q - p + 1);
+	q++;
+	{
+	    struct servent *sp = getservbyname(q, NULL);
+	    if(sp)
+		*port = ntohs(sp->s_port);
+	    else
+		if(sscanf(q, "%d", port) != 1){
+		    krb_warning("Bad port specification `%s', using port %d.", 
+				q, krb_port);
+		    *port = krb_port;
+		}
+	}
+    } else {
+	*port = default_port;
+	q = strchr(p, '/');
+	if (q) {
+	    *host = malloc(q - p + 1);
+	    if (*host == NULL)
+		return -1;
+	    strlcpy (*host, p, q - p + 1);
+	} else {
+	    *host = strdup(p);
+	    if(*host == NULL)
+		return -1;
+	}
+    }
+    return 0;
+}
+
+static int
+add_host(const char *realm, char *address, int admin, int validate)
+{
+    struct krb_host *host;
+    struct host_list *p, **last = &hosts;
+
+    host = (struct krb_host*)malloc(sizeof(struct krb_host));
+    if (host == NULL)
+	return 1;
+    if(parse_address(address, &host->proto, &host->host, &host->port) < 0) {
+	free(host);
+	return 1;
+    }
+    if (validate) {
+	if (krb_dns_debug)
+	    krb_warning("Getting host entry for %s...", host->host);
+	if (gethostbyname(host->host) == NULL) {
+	    if (krb_dns_debug)
+		krb_warning("Didn't get it.\n");
+	    free(host->host);
+	    free(host);
+	    return 1;
+	}
+	else if (krb_dns_debug)
+	    krb_warning("Got it.\n");
+    }
+    host->admin = admin;
+    for(p = hosts; p; p = p->next){
+	if(strcmp(realm, p->this->realm) == 0 &&
+	   strcmp(host->host, p->this->host) == 0 && 
+	   host->proto == p->this->proto &&
+	   host->port == p->this->port){
+	    free(host->host);
+	    free(host);
+	    return 1;
+	}
+	last = &p->next;
+    }
+    host->realm = strdup(realm);
+    if (host->realm == NULL) {
+	free(host->host);
+	free(host);
+	return 1;
+    }
+    p = (struct host_list*)malloc(sizeof(struct host_list));
+    if (p == NULL) {
+	free(host->realm);
+	free(host->host);
+	free(host);
+	return 1;
+    }
+    p->this = host;
+    p->next = NULL;
+    *last = p;
+    return 0;
+}
+
+static int
+read_file(const char *filename, const char *r)
+{
+    char line[1024];
+    int nhosts = 0;
+    FILE *f = fopen(filename, "r");
+
+    if(f == NULL)
+	return -1;
+    while(fgets(line, sizeof(line), f) != NULL) {
+	char *realm, *address, *admin;
+	char *save;
+	
+	realm = strtok_r (line, " \t\n\r", &save);
+	if (realm == NULL)
+	    continue;
+	if (strcmp(realm, r))
+	    continue;
+	address = strtok_r (NULL, " \t\n\r", &save);
+	if (address == NULL)
+	    continue;
+	admin = strtok_r (NULL, " \t\n\r", &save);
+	if (add_host(realm,
+		     address,
+		     admin != NULL && strcasecmp(admin, "admin") == 0,
+		     0) == 0)
+	    ++nhosts;
+    }
+    fclose(f);
+    return nhosts;
+}
+
+#if 0
+static int
+read_cellservdb (const char *filename, const char *realm)
+{
+    char line[1024];
+    FILE *f = fopen (filename, "r");
+    int nhosts = 0;
+
+    if (f == NULL)
+	return -1;
+    while (fgets (line, sizeof(line), f) != NULL) {
+	if (line[0] == '>'
+	    && strncasecmp (line + 1, realm, strlen(realm)) == 0) {
+	    while (fgets (line, sizeof(line), f) != NULL && *line != '>') {
+		char *hash;
+
+		if (line [strlen(line) - 1] == '\n')
+		    line [strlen(line) - 1] = '\0';
+
+		hash = strchr (line, '#');
+
+		if (hash != NULL
+		    && add_host (realm, hash + 1, 0, 0) == 0)
+		    ++nhosts;
+	    }
+	    break;
+	}
+    }
+    fclose (f);
+    return nhosts;
+}
+#endif
+
+static int
+init_hosts(char *realm)
+{
+    int i, j, ret = 0;
+    char file[MaxPathLen];
+    
+    /*
+     * proto should really be NULL, but there are libraries out there
+     * that don't like that so we use "udp" instead.
+     */
+
+    krb_port = ntohs(k_getportbyname (KRB_SERVICE, "udp", htons(KRB_PORT)));
+    for(i = 0; krb_get_krbconf(i, file, sizeof(file)) == 0; i++) {
+      j = read_file(file, realm);
+      if (j > 0) ret += j;
+    }
+    return ret;
+}
+
+static void
+srv_find_realm(char *realm, char *proto, char *service)
+{
+    char *domain;
+    struct dns_reply *r;
+    struct resource_record *rr;
+    
+    roken_mconcat(&domain, 1024, service, ".", proto, ".", realm, ".", NULL);
+    
+    if(domain == NULL)
+	return;
+    
+    r = dns_lookup(domain, "srv");
+    if(r == NULL)
+	r = dns_lookup(domain, "txt");
+    if(r == NULL){
+	free(domain);
+	return;
+    }
+    for(rr = r->head; rr; rr = rr->next){
+	if(rr->type == T_SRV){
+	    char buf[1024];
+
+	    if (snprintf (buf,
+			  sizeof(buf),
+			  "%s/%s:%u",
+			  proto,
+			  rr->u.srv->target,
+			  rr->u.srv->port) < sizeof(buf))
+		add_host(realm, buf, 0, 0);
+	}else if(rr->type == T_TXT)
+	    add_host(realm, rr->u.txt, 0, 0);
+    }
+    dns_free_data(r);
+    free(domain);
+}
+
+struct krb_host*
+krb_get_host(int nth, const char *realm, int admin)
+{
+    struct host_list *p;
+    static char orealm[REALM_SZ];
+
+    if(orealm[0] == 0 || strcmp(realm, orealm)){
+	/* quick optimization */
+	if(realm && realm[0]){
+	    strlcpy (orealm, realm, sizeof(orealm));
+	}else{
+	    int ret = krb_get_lrealm(orealm, 1);
+	    if(ret != KSUCCESS)
+		return NULL;
+	}
+	
+	if(hosts){
+	    free_hosts(hosts);
+	    hosts = NULL;
+	}
+	
+	if (init_hosts(orealm) < nth) {
+	  srv_find_realm(orealm, "udp", KRB_SERVICE);
+	  srv_find_realm(orealm, "tcp", KRB_SERVICE);
+	  srv_find_realm(orealm, "http", KRB_SERVICE);
+	
+	  {
+	    char *host;
+	    int i = 0;
+
+	    asprintf(&host, "kerberos.%s.", orealm);
+	    if (host == NULL) {
+		free_hosts(hosts);
+		hosts = NULL;
+		return NULL;
+	    }
+	    add_host(orealm, host, 1, 1);
+	    do {
+		i++;
+		free(host);
+		asprintf(&host, "kerberos-%d.%s.", i, orealm);
+	    } while(host != NULL
+		   && i < 100000
+		   && add_host(orealm, host, 0, 1) == 0);
+	    free(host);
+	  }
+	}
+#if 0
+	read_cellservdb ("/usr/vice/etc/CellServDB", orealm);
+	read_cellservdb ("/usr/arla/etc/CellServDB", orealm);
+#endif
+    }
+    
+    for(p = hosts; p; p = p->next){
+	if(strcmp(orealm, p->this->realm) == 0 &&
+	   (!admin || p->this->admin)) {
+	    if(nth == 1)
+		return p->this;
+	    else
+		nth--;
+	}
+    }
+    return NULL;
+}
+
+int
+krb_get_krbhst(char *host, char *realm, int nth)
+{
+    struct krb_host *p = krb_get_host(nth, realm, 0);
+    if(p == NULL)
+	return KFAILURE;
+    strlcpy (host, p->host, MaxHostNameLen);
+    return KSUCCESS;
+}
+
+int
+krb_get_admhst(char *host, char *realm, int nth)
+{
+    struct krb_host *p = krb_get_host(nth, realm, 1);
+    if(p == NULL)
+	return KFAILURE;
+    strlcpy (host, p->host, MaxHostNameLen);
+    return KSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/krb/get_in_tkt.c b/crypto/kerberosIV/lib/krb/get_in_tkt.c
new file mode 100644
index 0000000..9b40508
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/get_in_tkt.c
@@ -0,0 +1,188 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: get_in_tkt.c,v 1.24 1999/11/25 05:22:43 assar Exp $");
+
+/*
+ * This file contains three routines: passwd_to_key() and
+ * passwd_to_afskey() converts a password into a DES key, using the
+ * normal strinttokey and the AFS one, respectively, and
+ * krb_get_pw_in_tkt() gets an initial ticket for a user.  
+ */
+
+/*
+ * passwd_to_key() and passwd_to_afskey: given a password, return a DES key.
+ */
+
+int
+passwd_to_key(const char *user,
+	      const char *instance,
+	      const char *realm,
+	      const void *passwd,
+	      des_cblock *key)
+{
+#ifndef NOENCRYPTION
+    des_string_to_key((char *)passwd, key);
+#endif
+    return 0;
+}
+
+int
+passwd_to_5key(const char *user,
+	       const char *instance,
+	       const char *realm,
+	       const void *passwd, 
+	       des_cblock *key)
+{
+    char *p;
+    size_t len;
+    len = roken_mconcat (&p, 512, passwd, realm, user, instance, NULL);
+    if(len == 0)
+	return  -1;
+    des_string_to_key(p, key);
+    memset(p, 0, len);
+    free(p);
+    return 0;
+}
+
+
+int
+passwd_to_afskey(const char *user,
+		 const char *instance,
+		 const char *realm,
+		 const void *passwd,
+		 des_cblock *key)
+{
+#ifndef NOENCRYPTION
+    afs_string_to_key(passwd, realm, key);
+#endif
+    return (0);
+}
+
+/*
+ * krb_get_pw_in_tkt() takes the name of the server for which the initial
+ * ticket is to be obtained, the name of the principal the ticket is
+ * for, the desired lifetime of the ticket, and the user's password.
+ * It passes its arguments on to krb_get_in_tkt(), which contacts
+ * Kerberos to get the ticket, decrypts it using the password provided,
+ * and stores it away for future use.
+ *
+ * krb_get_pw_in_tkt() passes two additional arguments to krb_get_in_tkt():
+ * the name of a routine (passwd_to_key()) to be used to get the
+ * password in case the "password" argument is null and NULL for the
+ * decryption procedure indicating that krb_get_in_tkt should use the 
+ * default method of decrypting the response from the KDC.
+ *
+ * The result of the call to krb_get_in_tkt() is returned.
+ */
+
+typedef int (*const_key_proc_t) __P((const char *name,
+				     const char *instance, /* IN parameter */
+				     const char *realm,
+				     const void *password,
+				     des_cblock *key));
+
+int
+krb_get_pw_in_tkt2(const char *user,
+		   const char *instance,
+		   const char *realm,
+		   const char *service,
+		   const char *sinstance,
+		   int life,
+		   const char *password,
+		   des_cblock *key)
+{
+    char pword[100];		/* storage for the password */
+    int code;
+
+    /* Only request password once! */
+    if (!password) {
+        if (des_read_pw_string(pword, sizeof(pword)-1, "Password: ", 0)){
+	    memset(pword, 0, sizeof(pword));
+	    return INTK_BADPW;
+	}
+        password = pword;
+    }
+
+    {
+	KTEXT_ST as_rep;
+	CREDENTIALS cred;
+	int ret = 0;
+	const_key_proc_t key_procs[] = { passwd_to_key,
+					 passwd_to_afskey, 
+					 passwd_to_5key,
+					 NULL };
+	const_key_proc_t *kp;
+	
+	code = krb_mk_as_req(user, instance, realm,
+			     service, sinstance, life, &as_rep);
+	if(code)
+	    return code;
+	for(kp = key_procs; *kp; kp++){
+	    KTEXT_ST tmp;
+	    memcpy(&tmp, &as_rep, sizeof(as_rep));
+	    code = krb_decode_as_rep(user,
+				     (char *)instance, /* const_key_proc_t */
+				     realm,
+				     service,
+				     sinstance, 
+				     (key_proc_t)*kp, /* const_key_proc_t */
+				     NULL,
+				     password,
+				     &tmp,
+				     &cred);
+	    if(code == 0){
+		if(key)
+		    (**kp)(user, instance, realm, password, key);
+		break;
+	    }
+	    if(code != INTK_BADPW)
+		ret = code; /* this is probably a better code than
+			       what code gets after this loop */
+	}
+	if(code)
+	    return ret ? ret : code;
+
+	code = tf_setup(&cred, user, instance);
+	if (code == KSUCCESS) {
+	  if (krb_get_config_bool("nat_in_use"))
+	    krb_add_our_ip_for_realm(user, instance, realm, password);
+	}
+    }
+    if (password == pword)
+        memset(pword, 0, sizeof(pword));
+    return(code);
+}
+
+int
+krb_get_pw_in_tkt(const char *user,
+		  const char *instance,
+		  const char *realm,
+		  const char *service,
+		  const char *sinstance,
+		  int life,
+		  const char *password)
+{
+    return krb_get_pw_in_tkt2(user, instance, realm, 
+			      service, sinstance, life, password, NULL);
+}
diff --git a/crypto/kerberosIV/lib/krb/get_krbrlm.c b/crypto/kerberosIV/lib/krb/get_krbrlm.c
new file mode 100644
index 0000000..a6b0ba9
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/get_krbrlm.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: get_krbrlm.c,v 1.25 1999/12/02 16:58:41 joda Exp $");
+
+/*
+ * krb_get_lrealm takes a pointer to a string, and a number, n.  It fills
+ * in the string, r, with the name of the nth realm specified on the
+ * first line of the kerberos config file (KRB_CONF, defined in "krb.h").
+ * It returns 0 (KSUCCESS) on success, and KFAILURE on failure.  If the
+ * config file does not exist, and if n=1, a successful return will occur
+ * with r = KRB_REALM (also defined in "krb.h").
+ *
+ * For the format of the KRB_CONF file, see comments describing the routine
+ * krb_get_krbhst().
+ */
+
+static int
+krb_get_lrealm_f(char *r, int n, const char *fname)
+{
+    char buf[1024];
+    char *p;
+    int nchar;
+    FILE *f;
+    int ret = KFAILURE;
+
+    if (n < 0)
+        return KFAILURE;
+    if(n == 0)
+	n = 1;
+
+    f = fopen(fname, "r");
+    if (f == 0)
+        return KFAILURE;
+
+    for (; n > 0; n--)
+        if (fgets(buf, sizeof(buf), f) == 0)
+            goto done;
+
+    /* We now have the n:th line, remove initial white space. */
+    p = buf + strspn(buf, " \t");
+
+    /* Collect realmname. */
+    nchar    = strcspn(p, " \t\n");
+    if (nchar == 0 || nchar > REALM_SZ)
+        goto done;		/* No realmname */
+    strncpy(r, p, nchar);
+    r[nchar] = 0;
+
+    /* Does more junk follow? */
+    p += nchar;
+    nchar = strspn(p, " \t\n");
+    if (p[nchar] == 0)
+        ret = KSUCCESS;		/* This was a realm name only line. */
+
+  done:
+    fclose(f);
+    return ret;
+}
+
+static const char *no_default_realm = "NO.DEFAULT.REALM";
+
+int
+krb_get_lrealm(char *r, int n)
+{
+    int i;
+    char file[MaxPathLen];
+
+    for (i = 0; krb_get_krbconf(i, file, sizeof(file)) == 0; i++)
+	if (krb_get_lrealm_f(r, n, file) == KSUCCESS)
+	    return KSUCCESS;
+
+    /* When nothing else works try default realm */
+    if (n == 1) {
+      char *t = krb_get_default_realm();
+
+      if (strcmp(t, no_default_realm) == 0)
+	return KFAILURE;	/* Can't figure out default realm */
+
+      strcpy(r, t);
+      return KSUCCESS;
+    }
+    else
+	return(KFAILURE);
+}
+
+/* Returns local realm if that can be figured out else NO.DEFAULT.REALM */
+char *
+krb_get_default_realm(void)
+{
+    static char local_realm[REALM_SZ]; /* Local kerberos realm */
+    
+    if (local_realm[0] == 0) {
+	char *t, hostname[MaxHostNameLen];
+
+	strlcpy(local_realm, no_default_realm, 
+			sizeof(local_realm)); /* Provide default */
+
+	gethostname(hostname, sizeof(hostname));
+	t = krb_realmofhost(hostname);
+	if (t && strcmp(t, no_default_realm) != 0)
+	    strlcpy(local_realm, t, sizeof(local_realm));
+    }
+    return local_realm;
+}
diff --git a/crypto/kerberosIV/lib/krb/get_svc_in_tkt.c b/crypto/kerberosIV/lib/krb/get_svc_in_tkt.c
new file mode 100644
index 0000000..daf7ae1
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/get_svc_in_tkt.c
@@ -0,0 +1,79 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: get_svc_in_tkt.c,v 1.9 1999/06/29 21:18:04 bg Exp $");
+
+/*
+ * This file contains two routines: srvtab_to_key(), which gets
+ * a server's key from a srvtab file, and krb_get_svc_in_tkt() which
+ * gets an initial ticket for a server.
+ */
+
+/*
+ * srvtab_to_key(): given a "srvtab" file (where the keys for the
+ * service on a host are stored), return the private key of the
+ * given service (user.instance@realm).
+ *
+ * srvtab_to_key() passes its arguments on to read_service_key(),
+ * plus one additional argument, the key version number.
+ * (Currently, the key version number is always 0; this value
+ * is treated as a wildcard by read_service_key().)
+ *
+ * If the "srvtab" argument is null, KEYFILE (defined in "krb.h")
+ * is passed in its place.
+ *
+ * It returns the return value of the read_service_key() call.
+ * The service key is placed in "key".
+ */
+
+int 
+srvtab_to_key(const char *user,
+	      char *instance,
+	      const char *realm,
+	      const void *srvtab,
+	      des_cblock *key)
+{
+    if (!srvtab)
+        srvtab = KEYFILE;
+
+    return(read_service_key(user, instance, realm, 0, (char *)srvtab,
+                            (char *)key));
+}
+
+/*
+ * krb_get_svc_in_tkt() passes its arguments on to krb_get_in_tkt(),
+ * plus two additional arguments: a pointer to the srvtab_to_key()
+ * function to be used to get the key from the key file and a NULL
+ * for the decryption procedure indicating that krb_get_in_tkt should 
+ * use the default method of decrypting the response from the KDC.
+ *
+ * It returns the return value of the krb_get_in_tkt() call.
+ */
+
+int
+krb_get_svc_in_tkt(char *user, char *instance, char *realm, char *service,
+		   char *sinstance, int life, char *srvtab)
+{
+    return(krb_get_in_tkt(user, instance, realm, service, sinstance,
+                          life, srvtab_to_key, NULL, srvtab));
+}
diff --git a/crypto/kerberosIV/lib/krb/get_tf_fullname.c b/crypto/kerberosIV/lib/krb/get_tf_fullname.c
new file mode 100644
index 0000000..75688b0
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/get_tf_fullname.c
@@ -0,0 +1,70 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: get_tf_fullname.c,v 1.8 1999/09/16 20:41:51 assar Exp $");
+
+/*
+ * This file contains a routine to extract the fullname of a user
+ * from the ticket file.
+ */
+
+/*
+ * krb_get_tf_fullname() takes four arguments: the name of the 
+ * ticket file, and variables for name, instance, and realm to be
+ * returned in.  Since the realm of a ticket file is not really fully 
+ * supported, the realm used will be that of the the first ticket in 
+ * the file as this is the one that was obtained with a password by
+ * krb_get_in_tkt().
+ */
+
+int
+krb_get_tf_fullname(char *ticket_file, char *name, char *instance, char *realm)
+{
+    int tf_status;
+    CREDENTIALS c;
+
+    if ((tf_status = tf_init(ticket_file, R_TKT_FIL)) != KSUCCESS)
+	return(tf_status);
+
+    if (((tf_status = tf_get_pname(c.pname)) != KSUCCESS) ||
+	((tf_status = tf_get_pinst(c.pinst)) != KSUCCESS))
+	return (tf_status);
+    
+    if (name)
+	strlcpy (name, c.pname, ANAME_SZ);
+    if (instance)
+	strlcpy (instance, c.pinst, INST_SZ);
+    if ((tf_status = tf_get_cred(&c)) == KSUCCESS) {
+	if (realm)
+	    strlcpy (realm, c.realm, REALM_SZ);
+    }
+    else {
+	if (tf_status == EOF)
+	    return(KFAILURE);
+	else
+	    return(tf_status);
+    }    
+    tf_close();
+    
+    return(tf_status);
+}
diff --git a/crypto/kerberosIV/lib/krb/get_tf_realm.c b/crypto/kerberosIV/lib/krb/get_tf_realm.c
new file mode 100644
index 0000000..1a3c7d1
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/get_tf_realm.c
@@ -0,0 +1,41 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: get_tf_realm.c,v 1.5 1997/03/23 03:53:10 joda Exp $");
+
+/*
+ * This file contains a routine to extract the realm of a kerberos
+ * ticket file.
+ */
+
+/*
+ * krb_get_tf_realm() takes two arguments: the name of a ticket 
+ * and a variable to store the name of the realm in.
+ * 
+ */
+
+int
+krb_get_tf_realm(char *ticket_file, char *realm)
+{
+    return(krb_get_tf_fullname(ticket_file, 0, 0, realm));
+}
diff --git a/crypto/kerberosIV/lib/krb/getaddrs.c b/crypto/kerberosIV/lib/krb/getaddrs.c
new file mode 100644
index 0000000..c4ee6ad
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/getaddrs.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: getaddrs.c,v 1.28.2.1 2000/06/23 03:29:53 assar Exp $");
+
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_NET_IF_H
+#ifdef __osf__
+struct rtentry;
+struct mbuf;
+#endif
+#ifdef _AIX
+#undef __P /* XXX hack for AIX 4.3 */
+#endif
+#include <net/if.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif /* HAVE_SYS_SOCKIO_H */
+
+/*
+ * Return number and list of all local adresses.
+ */
+
+int
+k_get_all_addrs (struct in_addr **l)
+{
+#if !defined(SIOCGIFCONF) || !defined(SIOCGIFFLAGS) || !defined(SIOCGIFADDR)
+     char name[MaxHostNameLen];
+     struct hostent *he;
+
+     if (gethostname(name, sizeof(name)) < 0)
+	  return -1;
+     he = gethostbyname (name);
+     if (he == NULL)
+	  return -1;
+     *l = malloc(sizeof(**l));
+     if (*l == NULL)
+	  return -1;
+     memcpy (*l, he->h_addr_list[0], sizeof(*l));
+     return 1;
+#else
+     int fd;
+     char *inbuf = NULL;
+     size_t in_len = 8192;
+     struct ifreq ifreq;
+     struct ifconf ifconf;
+     int num, j;
+     char *p;
+     size_t sz;
+
+     *l = NULL;
+     fd = socket(AF_INET, SOCK_DGRAM, 0);
+     if (fd < 0)
+	  return -1;
+
+     for(;;) {
+	 void *tmp;
+
+	 tmp = realloc (inbuf, in_len);
+	 if (tmp == NULL)
+	     goto fail;
+	 inbuf = tmp;
+
+	 ifconf.ifc_len = in_len;
+	 ifconf.ifc_buf = inbuf;
+
+	 /*
+	  * Solaris returns EINVAL when the buffer is too small.
+	  */
+
+	 if(ioctl(fd, SIOCGIFCONF, &ifconf) < 0 && errno != EINVAL)
+	     goto fail;
+	 if(ifconf.ifc_len + sizeof(ifreq) < in_len)
+	     break;
+	 in_len *= 2;
+     }
+     num = ifconf.ifc_len / sizeof(struct ifreq);
+     *l = malloc(num * sizeof(struct in_addr));
+     if(*l == NULL)
+	 goto fail;
+
+     j = 0;
+     ifreq.ifr_name[0] = '\0';
+     for (p = ifconf.ifc_buf; p < ifconf.ifc_buf + ifconf.ifc_len; p += sz) {
+          struct ifreq *ifr = (struct ifreq *)p;
+	  sz = sizeof(*ifr);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+	  sz = max(sz, sizeof(ifr->ifr_name) + ifr->ifr_addr.sa_len);
+#endif
+
+	  if(strncmp(ifreq.ifr_name, ifr->ifr_name, sizeof(ifr->ifr_name))) {
+	      if(ioctl(fd, SIOCGIFFLAGS, ifr) < 0)
+		  continue;
+	      if (ifr->ifr_flags & IFF_UP) {
+		  if(ioctl(fd, SIOCGIFADDR, ifr) < 0) 
+		      continue;
+		  (*l)[j++] = ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr;
+	       }
+	      memcpy(&ifreq, ifr, sizeof(ifreq));
+	  }
+     }
+     if (j != num) {
+	 void *tmp;
+	 tmp = realloc (*l, j * sizeof(struct in_addr));
+	 if(tmp == NULL)
+	     goto fail;
+	 *l = tmp;
+     }
+     close (fd);
+     free(inbuf);
+     return j;
+fail:
+     close(fd);
+     free(inbuf);
+     free(*l);
+     return -1;
+#endif /* SIOCGIFCONF */
+}
diff --git a/crypto/kerberosIV/lib/krb/getfile.c b/crypto/kerberosIV/lib/krb/getfile.c
new file mode 100644
index 0000000..7684aee
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/getfile.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: getfile.c,v 1.5.2.1 2000/12/07 17:04:48 assar Exp $");
+
+static int
+is_suid(void)
+{
+    int ret = 0;
+#ifdef HAVE_GETUID
+    ret |= getuid() != geteuid();
+#endif
+#ifdef HAVE_GETGID
+    ret |= getgid() != getegid();
+#endif
+    return ret;
+}
+
+static int
+get_file(const char **files, int num, const char *file, char *buf, size_t len)
+{
+    const char *p, **q;
+    int i = 0;
+    if(getuid() != 0 && !is_suid() && (p = getenv("KRBCONFDIR"))){
+	if(num == i){
+	    snprintf(buf, len, "%s/%s", p, file);
+	    return 0;
+	}
+	i++;
+    }
+    for(q = files; *q; q++, i++){
+	if(num == i){
+	    snprintf(buf, len, "%s", *q);
+	    return 0;
+	}
+    }
+    return -1;
+}
+
+int
+krb_get_krbconf(int num, char *buf, size_t len)
+{
+    const char *files[] = KRB_CNF_FILES;
+    return get_file(files, num, "krb.conf", buf, len);
+}
+
+int
+krb_get_krbrealms(int num, char *buf, size_t len)
+{
+    const char *files[] = KRB_RLM_FILES;
+    return get_file(files, num, "krb.realms", buf, len);
+}
+
+int
+krb_get_krbextra(int num, char *buf, size_t len)
+{
+    const char *files[] = { "/etc/krb.extra", NULL };
+    return get_file(files, num, "krb.extra", buf, len);
+}
diff --git a/crypto/kerberosIV/lib/krb/getrealm.c b/crypto/kerberosIV/lib/krb/getrealm.c
new file mode 100644
index 0000000..2dcb4cf
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/getrealm.c
@@ -0,0 +1,185 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: getrealm.c,v 1.36 1999/09/16 20:41:51 assar Exp $");
+
+#ifndef MATCH_SUBDOMAINS
+#define MATCH_SUBDOMAINS 0
+#endif
+
+/*
+ * krb_realmofhost.
+ * Given a fully-qualified domain-style primary host name,
+ * return the name of the Kerberos realm for the host.
+ * If the hostname contains no discernable domain, or an error occurs,
+ * return the local realm name, as supplied by get_krbrlm().
+ * If the hostname contains a domain, but no translation is found,
+ * the hostname's domain is converted to upper-case and returned.
+ *
+ * The format of each line of the translation file is:
+ * domain_name kerberos_realm
+ * -or-
+ * host_name kerberos_realm
+ *
+ * domain_name should be of the form .XXX.YYY (e.g. .LCS.MIT.EDU)
+ * host names should be in the usual form (e.g. FOO.BAR.BAZ)
+ */
+
+/* To automagically find the correct realm of a host (without
+ * krb.realms) add a text record for your domain with the name of your
+ * realm, like this:
+ *
+ * krb4-realm	IN	TXT	FOO.SE
+ *
+ * The search is recursive, so you can also add entries for specific
+ * hosts. To find the realm of host a.b.c, it first tries
+ * krb4-realm.a.b.c, then krb4-realm.b.c and so on.
+ */
+
+static int
+dns_find_realm(char *hostname, char *realm)
+{
+    char domain[MaxHostNameLen + sizeof("krb4-realm..")];
+    char *p;
+    int level = 0;
+    struct dns_reply *r;
+    
+    p = hostname;
+
+    while(1){
+	snprintf(domain, sizeof(domain), "krb4-realm.%s.", p);
+	p = strchr(p, '.');
+	if(p == NULL)
+	    break;
+	p++;
+	r = dns_lookup(domain, "TXT");
+	if(r){
+	    struct resource_record *rr = r->head;
+	    while(rr){
+		if(rr->type == T_TXT){
+		    strlcpy(realm, rr->u.txt, REALM_SZ);
+		    dns_free_data(r);
+		    return level;
+		}
+		rr = rr->next;
+	    }
+	    dns_free_data(r);
+	}
+	level++;
+    }
+    return -1;
+}
+
+
+static FILE *
+open_krb_realms(void)
+{
+    int i;
+    char file[MaxPathLen];
+    FILE *res;
+
+    for(i = 0; krb_get_krbrealms(i, file, sizeof(file)) == 0; i++)
+	if ((res = fopen(file, "r")) != NULL)
+	    return res;
+  return NULL;
+}
+
+static int
+file_find_realm(const char *phost, const char *domain,
+		char *ret_realm, size_t ret_realm_sz)
+{
+    FILE *trans_file;
+    char buf[1024];
+    int ret = -1;
+    
+    if ((trans_file = open_krb_realms()) == NULL)
+	return -1;
+
+    while (fgets(buf, sizeof(buf), trans_file) != NULL) {
+	char *save = NULL;
+	char *tok;
+	char *tmp_host;
+	char *tmp_realm;
+
+	tok = strtok_r(buf, " \t\r\n", &save);
+	if(tok == NULL)
+	    continue;
+	tmp_host = tok;
+	tok = strtok_r(NULL, " \t\r\n", &save);
+	if(tok == NULL)
+	    continue;
+	tmp_realm = tok;
+	if (strcasecmp(tmp_host, phost) == 0) {
+	    /* exact match of hostname, so return the realm */
+	    strlcpy(ret_realm, tmp_realm, ret_realm_sz);
+	    ret = 0;
+	    break;
+	}
+	if ((tmp_host[0] == '.') && domain) { 
+	    const char *cp = domain;
+	    do {
+		if(strcasecmp(tmp_host, cp) == 0){
+		    /* domain match, save for later */ 
+		    strlcpy(ret_realm, tmp_realm, ret_realm_sz);
+		    ret = 0;
+		    break;
+		}
+		cp = strchr(cp + 1, '.');
+	    } while(MATCH_SUBDOMAINS && cp);
+	}
+	if (ret == 0)
+	    break;
+    }
+    fclose(trans_file);
+    return ret;
+}
+
+char *
+krb_realmofhost(const char *host)
+{
+    static char ret_realm[REALM_SZ];
+    char *domain;
+    char phost[MaxHostNameLen];
+	
+    krb_name_to_name(host, phost, sizeof(phost));
+	
+    domain = strchr(phost, '.');
+
+    if(file_find_realm(phost, domain, ret_realm, sizeof ret_realm) == 0)
+	return ret_realm;
+
+    if(dns_find_realm(phost, ret_realm) >= 0)
+	return ret_realm;
+  
+    if (domain) {
+	char *cp;
+	  
+	strlcpy(ret_realm, &domain[1], REALM_SZ);
+	/* Upper-case realm */
+	for (cp = ret_realm; *cp; cp++)
+	    *cp = toupper(*cp);
+    } else {
+	strncpy(ret_realm, krb_get_default_realm(), REALM_SZ); /* Wild guess */
+    }
+    return ret_realm;
+}
diff --git a/crypto/kerberosIV/lib/krb/getst.c b/crypto/kerberosIV/lib/krb/getst.c
new file mode 100644
index 0000000..de99962
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/getst.c
@@ -0,0 +1,45 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: getst.c,v 1.6 1997/03/23 03:53:11 joda Exp $");
+
+/*
+ * getst() takes a file descriptor, a string and a count.  It reads
+ * from the file until either it has read "count" characters, or until
+ * it reads a null byte.  When finished, what has been read exists in
+ * the given string "s".  If "count" characters were actually read, the
+ * last is changed to a null, so the returned string is always null-
+ * terminated.  getst() returns the number of characters read, including
+ * the null terminator.
+ */
+
+int
+getst(int fd, char *s, int n)
+{
+    int count = n;
+    while (read(fd, s, 1) > 0 && --count)
+        if (*s++ == '\0')
+            return (n - count);
+    *s = '\0';
+    return (n - count);
+}
diff --git a/crypto/kerberosIV/lib/krb/k_getport.c b/crypto/kerberosIV/lib/krb/k_getport.c
new file mode 100644
index 0000000..063a0b2
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/k_getport.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: k_getport.c,v 1.11 1999/12/02 16:58:42 joda Exp $");
+
+int
+k_getportbyname (const char *service, const char *proto, int default_port)
+{
+#ifdef HAVE_GETSERVBYNAME  
+    struct servent *sp;
+    
+    sp = getservbyname(service, proto);
+    if(sp != NULL)
+	return sp->s_port;
+    
+    krb_warning ("%s/%s unknown service, using default port %d\n", 
+		 service, proto ? proto : "*", ntohs(default_port));
+#endif
+    return default_port;
+}
diff --git a/crypto/kerberosIV/lib/krb/k_getsockinst.c b/crypto/kerberosIV/lib/krb/k_getsockinst.c
new file mode 100644
index 0000000..2b0453c
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/k_getsockinst.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: k_getsockinst.c,v 1.13 1999/12/02 16:58:42 joda Exp $");
+
+/*
+ * Return in inst the name of the local interface bound to socket
+ * fd. On Failure return the 'wildcard' instance "*".
+ */
+
+int
+k_getsockinst(int fd, char *inst, size_t inst_size)
+{
+  struct sockaddr_in addr;
+  int len = sizeof(addr);
+  struct hostent *hnam;
+
+  if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0)
+    goto fail;
+
+  hnam = gethostbyaddr((char *)&addr.sin_addr,
+		       sizeof(addr.sin_addr),
+		       addr.sin_family);
+  if (hnam == 0)
+    goto fail;
+
+  strlcpy (inst, hnam->h_name, inst_size);
+  k_ricercar(inst); /* Canonicalize name */
+  return 0;			/* Success */
+
+ fail:
+  inst[0] = '*';
+  inst[1] = 0;
+  return -1;
+}
diff --git a/crypto/kerberosIV/lib/krb/k_localtime.c b/crypto/kerberosIV/lib/krb/k_localtime.c
new file mode 100644
index 0000000..e8cbdd6
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/k_localtime.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: k_localtime.c,v 1.8 1999/12/02 16:58:42 joda Exp $");
+
+struct tm *k_localtime(u_int32_t *tp)
+{
+  time_t t;
+  t = *tp;
+  return localtime(&t);
+}
diff --git a/crypto/kerberosIV/lib/krb/kdc_reply.c b/crypto/kerberosIV/lib/krb/kdc_reply.c
new file mode 100644
index 0000000..888ab16
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/kdc_reply.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: kdc_reply.c,v 1.12.2.2 2000/12/04 14:34:28 assar Exp $");
+
+static int little_endian; /* XXX ugly */
+
+int
+kdc_reply_cred(KTEXT cip, CREDENTIALS *cred)
+{
+    unsigned char *p = cip->dat;
+    
+    memcpy(cred->session, p, 8);
+    p += 8;
+    
+    if(p + strlen((char*)p) > cip->dat + cip->length)
+	return INTK_BADPW;
+    p += krb_get_string(p, cred->service, sizeof(cred->service));
+    
+    if(p + strlen((char*)p) > cip->dat + cip->length)
+	return INTK_BADPW;
+    p += krb_get_string(p, cred->instance, sizeof(cred->instance));
+    
+    if(p + strlen((char*)p) > cip->dat + cip->length)
+	return INTK_BADPW;
+    p += krb_get_string(p, cred->realm, sizeof(cred->realm));
+    
+    if(p + 3 > cip->dat + cip->length)
+	return INTK_BADPW;
+    cred->lifetime = *p++;
+    cred->kvno = *p++;
+    cred->ticket_st.length = *p++;
+    
+    if(p + cred->ticket_st.length + 4 > cip->dat + cip->length)
+	return INTK_BADPW;
+    memcpy(cred->ticket_st.dat, p, cred->ticket_st.length);
+    p += cred->ticket_st.length;
+    
+    p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, little_endian);
+    
+    return KSUCCESS;
+}
+
+int
+kdc_reply_cipher(KTEXT reply, KTEXT cip)
+{
+    unsigned char *p;
+    unsigned char pvno;
+    unsigned char type;
+
+    char aname[ANAME_SZ];
+    char inst[INST_SZ];
+    char realm[REALM_SZ];
+    
+    u_int32_t kdc_time;
+    u_int32_t exp_date;
+    u_int32_t clen;
+
+    p = reply->dat;
+
+    pvno = *p++;
+
+    if (pvno != KRB_PROT_VERSION )
+        return INTK_PROT;
+    
+    type = *p++;
+    little_endian = type & 1;
+    
+    type &= ~1;
+
+    if(type == AUTH_MSG_ERR_REPLY){
+	u_int32_t code;
+	/* skip these fields */
+	p += strlen((char*)p) + 1; /* name */
+	p += strlen((char*)p) + 1; /* instance */
+	p += strlen((char*)p) + 1; /* realm */
+	p += 4; /* time */
+	p += krb_get_int(p, &code, 4, little_endian);
+	if(code == 0)
+	    code = KFAILURE; /* things will go bad otherwise */
+	return code;
+    }
+    if(type != AUTH_MSG_KDC_REPLY)
+	return INTK_PROT;
+
+    p += krb_get_nir(p,
+		     aname, sizeof(aname),
+		     inst, sizeof(inst),
+		     realm, sizeof(realm));
+    p += krb_get_int(p, &kdc_time, 4, little_endian);
+    p++; /* number of tickets */
+    p += krb_get_int(p, &exp_date, 4, little_endian);
+    p++; /* master key version number */
+    p += krb_get_int(p, &clen, 2, little_endian);
+    if (reply->length - (p - reply->dat) < clen)
+	return INTK_PROT;
+
+    cip->length = clen;
+    memcpy(cip->dat, p, clen);
+    p += clen;
+    
+    return KSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/krb/klog.h b/crypto/kerberosIV/lib/krb/klog.h
new file mode 100644
index 0000000..cee92d9
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/klog.h
@@ -0,0 +1,47 @@
+/*
+ * $Id: klog.h,v 1.5 1997/05/11 11:05:28 assar Exp $
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * This file defines the types of log messages logged by klog.  Each
+ * type of message may be selectively turned on or off. 
+ */
+
+#ifndef KLOG_DEFS
+#define KLOG_DEFS
+
+#ifndef KRBLOG
+#define KRBLOG 		"/var/log/kerberos.log"  /* master server  */
+#endif
+#ifndef KRBSLAVELOG
+#define KRBSLAVELOG	"/var/log/kerberos_slave.log"  /* slave server  */
+#endif
+#define	NLOGTYPE	100	/* Maximum number of log msg types  */
+
+#define L_NET_ERR	  1	/* Error in network code	    */
+#define L_NET_INFO	  2	/* Info on network activity	    */
+#define L_KRB_PERR	  3	/* Kerberos protocol errors	    */
+#define L_KRB_PINFO	  4	/* Kerberos protocol info	    */
+#define L_INI_REQ	  5	/* Request for initial ticket	    */
+#define L_NTGT_INTK       6	/* Initial request not for TGT	    */
+#define L_DEATH_REQ       7	/* Request for server death	    */
+#define L_TKT_REQ	  8	/* All ticket requests using a tgt  */
+#define L_ERR_SEXP	  9	/* Service expired		    */
+#define L_ERR_MKV	 10	/* Master key version incorrect     */
+#define L_ERR_NKY	 11	/* User's key is null		    */
+#define L_ERR_NUN	 12	/* Principal not unique		    */
+#define L_ERR_UNK	 13	/* Principal Unknown		    */
+#define L_ALL_REQ	 14	/* All requests			    */
+#define L_APPL_REQ	 15	/* Application requests (using tgt) */
+#define L_KRB_PWARN      16	/* Protocol warning messages	    */
+
+char * klog __P((int type, const char *format, ...))
+#ifdef __GNUC__
+__attribute__ ((format (printf, 2, 3)))
+#endif
+;
+
+#endif /* KLOG_DEFS */
diff --git a/crypto/kerberosIV/lib/krb/kntoln.c b/crypto/kerberosIV/lib/krb/kntoln.c
new file mode 100644
index 0000000..86e5205
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/kntoln.c
@@ -0,0 +1,177 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * krb_kntoln converts an auth name into a local name by looking up
+ * the auth name in the /etc/aname file.  The format of the aname
+ * file is:
+ *
+ * +-----+-----+-----+-----+------+----------+-------+-------+
+ * | anl | inl | rll | lnl | name | instance | realm | lname |
+ * +-----+-----+-----+-----+------+----------+-------+-------+
+ * | 1by | 1by | 1by | 1by | name | instance | realm | lname |
+ * +-----+-----+-----+-----+------+----------+-------+-------+
+ *
+ * If the /etc/aname file can not be opened it will set the
+ * local name to the auth name.  Thus, in this case it performs as
+ * the identity function.
+ *
+ * The name instance and realm are passed to krb_kntoln through
+ * the AUTH_DAT structure (ad).
+ *
+ * Now here's what it *really* does:
+ *
+ * Given a Kerberos name in an AUTH_DAT structure, check that the
+ * instance is null, and that the realm is the same as the local
+ * realm, and return the principal's name in "lname".  Return
+ * KSUCCESS if all goes well, otherwise KFAILURE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: kntoln.c,v 1.10 1998/06/09 19:25:21 joda Exp $");
+
+int
+krb_kntoln(AUTH_DAT *ad, char *lname)
+{
+    static char lrealm[REALM_SZ] = "";
+
+    if (!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE))
+        return(KFAILURE);
+
+    if (strcmp(ad->pinst, ""))
+        return(KFAILURE);
+    if (strcmp(ad->prealm, lrealm))
+        return(KFAILURE);
+    strcpy(lname, ad->pname);
+    return(KSUCCESS);
+}
+
+#if 0
+/* Posted to usenet by "Derrick J. Brashear" <shadow+@andrew.cmu.edu> */
+
+#include <krb.h>
+#include <ndbm.h>
+#include <stdio.h>
+#include <sys/file.h>
+#include <strings.h>
+#include <sys/syslog.h>
+#include <sys/errno.h>
+
+extern int errno;
+/*
+ * antoln converts an authentication name into a local name by looking up
+ * the authentication name in the /etc/aname dbm database.
+ * 
+ * If the /etc/aname file can not be opened it will set the 
+ * local name to the principal name.  Thus, in this case it performs as 
+ * the identity function.
+ * 
+ * The name instance and realm are passed to antoln through
+ * the AUTH_DAT structure (ad).
+ */
+
+static char     lrealm[REALM_SZ] = "";
+
+int
+an_to_ln(AUTH_DAT *ad, char *lname)
+{
+    static DBM *aname = NULL;
+    char keyname[ANAME_SZ+INST_SZ+REALM_SZ+2];
+
+    if(!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE))
+	return(KFAILURE);
+
+    if((strcmp(ad->pinst,"") && strcmp(ad->pinst,"root")) ||
+       strcmp(ad->prealm,lrealm)) {
+	datum val;
+	datum key;
+	/*
+	 * Non-local name (or) non-null and non-root instance.
+	 * Look up in dbm file.
+	 */
+	if (!aname) {
+	    if ((aname = dbm_open("/etc/aname", O_RDONLY, 0))
+		== NULL) return (KFAILURE);
+	}
+	/* Construct dbm lookup key. */
+	an_to_a(ad, keyname);
+	key.dptr = keyname;
+	key.dsize = strlen(keyname)+1;
+	flock(dbm_dirfno(aname), LOCK_SH);
+	val = dbm_fetch(aname, key);
+	flock(dbm_dirfno(aname), LOCK_UN);
+	if (!val.dptr) {
+	    dbm_close(aname);
+	    return(KFAILURE);
+	}
+	/* Got it! */
+	strcpy(lname,val.dptr);
+	return(KSUCCESS);
+    } else strcpy(lname,ad->pname);
+    return(KSUCCESS);
+}
+
+void
+an_to_a(AUTH_DAT *ad, char *str)
+{
+    strcpy(str, ad->pname);
+    if(*ad->pinst) {
+	strcat(str, ".");
+	strcat(str, ad->pinst);
+    }
+    strcat(str, "@");
+    strcat(str, ad->prealm);
+}
+
+/*
+ * Parse a string of the form "user[.instance][@realm]" 
+ * into a struct AUTH_DAT.
+ */
+
+int
+a_to_an(char *str, AUTH_DAT *ad)
+{
+    char *buf = (char *)malloc(strlen(str)+1);
+    char *rlm, *inst, *princ;
+
+    if(!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE)) {
+	free(buf);
+	return(KFAILURE);
+    }
+    /* destructive string hacking is more fun.. */
+    strcpy(buf, str);
+
+    if (rlm = index(buf, '@')) {
+	*rlm++ = '\0';
+    }
+    if (inst = index(buf, '.')) {
+	*inst++ = '\0';
+    }
+    strcpy(ad->pname, buf);
+    if(inst) strcpy(ad->pinst, inst);
+    else *ad->pinst = '\0';
+    if (rlm) strcpy(ad->prealm, rlm);
+    else strcpy(ad->prealm, lrealm);
+    free(buf);
+    return(KSUCCESS);
+}
+#endif
diff --git a/crypto/kerberosIV/lib/krb/krb-archaeology.h b/crypto/kerberosIV/lib/krb/krb-archaeology.h
new file mode 100644
index 0000000..0757996
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb-archaeology.h
@@ -0,0 +1,131 @@
+/*
+ * $Id: krb-archaeology.h,v 1.2 1997/12/05 02:04:44 joda Exp $
+ *
+ * Most of the cruft in this file is probably:
+ *
+ * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ */
+
+#ifndef __KRB_ARCHAEOLOGY_H__
+#define __KRB_ARCHAEOLOGY_H__
+
+/* Compare x and y in VAX byte order, result is -1, 0 or 1. */
+
+#define krb_lsb_antinet_ulong_less(x, y) (((x) == (y)) ? 0 :  krb_lsb_antinet_ulong_cmp(x, y))
+
+#define krb_lsb_antinet_ushort_less(x, y) (((x) == (y)) ? 0 : krb_lsb_antinet_ushort_cmp(x, y))
+
+int krb_lsb_antinet_ulong_cmp(u_int32_t x, u_int32_t y);
+int krb_lsb_antinet_ushort_cmp(u_int16_t x, u_int16_t y);
+u_int32_t lsb_time(time_t t, struct sockaddr_in *src, struct sockaddr_in *dst);
+
+/* Macro's to obtain various fields from a packet */
+
+#define pkt_version(packet)  (unsigned int) *(packet->dat)
+#define pkt_msg_type(packet) (unsigned int) *(packet->dat+1)
+#define pkt_a_name(packet)   (packet->dat+2)
+#define pkt_a_inst(packet)   \
+	(packet->dat+3+strlen((char *)pkt_a_name(packet)))
+#define pkt_a_realm(packet)  \
+	(pkt_a_inst(packet)+1+strlen((char *)pkt_a_inst(packet)))
+
+/* Macro to obtain realm from application request */
+#define apreq_realm(auth)     (auth->dat + 3)
+
+#define pkt_time_ws(packet) (char *) \
+        (packet->dat+5+strlen((char *)pkt_a_name(packet)) + \
+	 strlen((char *)pkt_a_inst(packet)) + \
+	 strlen((char *)pkt_a_realm(packet)))
+
+#define pkt_no_req(packet) (unsigned short) \
+        *(packet->dat+9+strlen((char *)pkt_a_name(packet)) + \
+	  strlen((char *)pkt_a_inst(packet)) + \
+	  strlen((char *)pkt_a_realm(packet)))
+#define pkt_x_date(packet) (char *) \
+        (packet->dat+10+strlen((char *)pkt_a_name(packet)) + \
+	 strlen((char *)pkt_a_inst(packet)) + \
+	 strlen((char *)pkt_a_realm(packet)))
+#define pkt_err_code(packet) ( (char *) \
+        (packet->dat+9+strlen((char *)pkt_a_name(packet)) + \
+	 strlen((char *)pkt_a_inst(packet)) + \
+	 strlen((char *)pkt_a_realm(packet))))
+#define pkt_err_text(packet) \
+        (packet->dat+13+strlen((char *)pkt_a_name(packet)) + \
+	 strlen((char *)pkt_a_inst(packet)) + \
+	 strlen((char *)pkt_a_realm(packet)))
+
+/*
+ * macros for byte swapping; also scratch space
+ * u_quad  0-->7, 1-->6, 2-->5, 3-->4, 4-->3, 5-->2, 6-->1, 7-->0
+ * u_int32_t  0-->3, 1-->2, 2-->1, 3-->0
+ * u_int16_t 0-->1, 1-->0
+ */
+
+#define     swap_u_16(x) {\
+ u_int32_t   _krb_swap_tmp[4];\
+ swab(((char *) x) +0, ((char *)  _krb_swap_tmp) +14 ,2); \
+ swab(((char *) x) +2, ((char *)  _krb_swap_tmp) +12 ,2); \
+ swab(((char *) x) +4, ((char *)  _krb_swap_tmp) +10 ,2); \
+ swab(((char *) x) +6, ((char *)  _krb_swap_tmp) +8  ,2); \
+ swab(((char *) x) +8, ((char *)  _krb_swap_tmp) +6 ,2); \
+ swab(((char *) x) +10,((char *)  _krb_swap_tmp) +4 ,2); \
+ swab(((char *) x) +12,((char *)  _krb_swap_tmp) +2 ,2); \
+ swab(((char *) x) +14,((char *)  _krb_swap_tmp) +0 ,2); \
+ memcpy(x, _krb_swap_tmp, 16);\
+                            }
+
+#define     swap_u_12(x) {\
+ u_int32_t   _krb_swap_tmp[4];\
+ swab(( char *) x,     ((char *)  _krb_swap_tmp) +10 ,2); \
+ swab(((char *) x) +2, ((char *)  _krb_swap_tmp) +8 ,2); \
+ swab(((char *) x) +4, ((char *)  _krb_swap_tmp) +6 ,2); \
+ swab(((char *) x) +6, ((char *)  _krb_swap_tmp) +4 ,2); \
+ swab(((char *) x) +8, ((char *)  _krb_swap_tmp) +2 ,2); \
+ swab(((char *) x) +10,((char *)  _krb_swap_tmp) +0 ,2); \
+ memcpy(x, _krb_swap_tmp, 12);\
+                            }
+
+#define     swap_C_Block(x) {\
+ u_int32_t   _krb_swap_tmp[4];\
+ swab(( char *) x,    ((char *)  _krb_swap_tmp) +6 ,2); \
+ swab(((char *) x) +2,((char *)  _krb_swap_tmp) +4 ,2); \
+ swab(((char *) x) +4,((char *)  _krb_swap_tmp) +2 ,2); \
+ swab(((char *) x) +6,((char *)  _krb_swap_tmp)    ,2); \
+ memcpy(x, _krb_swap_tmp, 8);\
+                            }
+#define     swap_u_quad(x) {\
+ u_int32_t   _krb_swap_tmp[4];\
+ swab(( char *) &x,    ((char *)  _krb_swap_tmp) +6 ,2); \
+ swab(((char *) &x) +2,((char *)  _krb_swap_tmp) +4 ,2); \
+ swab(((char *) &x) +4,((char *)  _krb_swap_tmp) +2 ,2); \
+ swab(((char *) &x) +6,((char *)  _krb_swap_tmp)    ,2); \
+ memcpy(x, _krb_swap_tmp, 8);\
+                            }
+
+#define     swap_u_long(x) {\
+ u_int32_t   _krb_swap_tmp[4];\
+ swab((char *)  &x,    ((char *)  _krb_swap_tmp) +2 ,2); \
+ swab(((char *) &x) +2,((char *)  _krb_swap_tmp),2); \
+ x = _krb_swap_tmp[0];   \
+                           }
+
+#define     swap_u_short(x) {\
+ u_int16_t	_krb_swap_sh_tmp; \
+ swab((char *)  &x,    ( &_krb_swap_sh_tmp) ,2); \
+ x = (u_int16_t) _krb_swap_sh_tmp; \
+                            }
+/* Kerberos ticket flag field bit definitions */
+#define K_FLAG_ORDER    0       /* bit 0 --> lsb */
+#define K_FLAG_1                /* reserved */
+#define K_FLAG_2                /* reserved */
+#define K_FLAG_3                /* reserved */
+#define K_FLAG_4                /* reserved */
+#define K_FLAG_5                /* reserved */
+#define K_FLAG_6                /* reserved */
+#define K_FLAG_7                /* reserved, bit 7 --> msb */
+
+#endif /* __KRB_ARCHAEOLOGY_H__ */
diff --git a/crypto/kerberosIV/lib/krb/krb-protos.h b/crypto/kerberosIV/lib/krb/krb-protos.h
new file mode 100644
index 0000000..0fbf46a
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb-protos.h
@@ -0,0 +1,789 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: krb-protos.h,v 1.24.2.1 2000/06/23 03:32:04 assar Exp $ */
+
+#ifndef __krb_protos_h__
+#define __krb_protos_h__
+
+#if defined (__STDC__) || defined (_MSC_VER)
+#include <stdarg.h>
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+#ifdef __STDC__
+struct in_addr;
+struct sockaddr_in;
+struct timeval;
+#endif
+
+#ifndef KRB_LIB_FUNCTION
+#if defined(__BORLANDC__)
+#define KRB_LIB_FUNCTION /* not-ready-definition-yet */
+#elif defined(_MSC_VER)
+#define KRB_LIB_FUNCTION /* not-ready-definition-yet2 */
+#else
+#define KRB_LIB_FUNCTION
+#endif
+#endif
+
+void KRB_LIB_FUNCTION
+afs_string_to_key __P((
+	const char *str,
+	const char *cell,
+	des_cblock *key));
+
+int KRB_LIB_FUNCTION
+create_ciph __P((
+	KTEXT c,
+	unsigned char *session,
+	char *service,
+	char *instance,
+	char *realm,
+	u_int32_t life,
+	int kvno,
+	KTEXT tkt,
+	u_int32_t kdc_time,
+	des_cblock *key));
+
+int KRB_LIB_FUNCTION
+cr_err_reply __P((
+	KTEXT pkt,
+	char *pname,
+	char *pinst,
+	char *prealm,
+	u_int32_t time_ws,
+	u_int32_t e,
+	char *e_string));
+
+int KRB_LIB_FUNCTION
+decomp_ticket __P((
+	KTEXT tkt,
+	unsigned char *flags,
+	char *pname,
+	char *pinstance,
+	char *prealm,
+	u_int32_t *paddress,
+	unsigned char *session,
+	int *life,
+	u_int32_t *time_sec,
+	char *sname,
+	char *sinstance,
+	des_cblock *key,
+	des_key_schedule schedule));
+
+int KRB_LIB_FUNCTION
+dest_tkt __P((void));
+
+int KRB_LIB_FUNCTION
+get_ad_tkt __P((
+	char *service,
+	char *sinstance,
+	char *realm,
+	int lifetime));
+
+int KRB_LIB_FUNCTION
+getst __P((
+	int fd,
+	char *s,
+	int n));
+
+int KRB_LIB_FUNCTION
+in_tkt __P((
+	char *pname,
+	char *pinst));
+
+int KRB_LIB_FUNCTION
+k_get_all_addrs __P((struct in_addr **l));
+
+int KRB_LIB_FUNCTION
+k_gethostname __P((
+	char *name,
+	int namelen));
+
+int KRB_LIB_FUNCTION
+k_getportbyname __P((
+	const char *service,
+	const char *proto,
+	int default_port));
+
+int KRB_LIB_FUNCTION
+k_getsockinst __P((
+	int fd,
+	char *inst,
+	size_t inst_size));
+
+int KRB_LIB_FUNCTION
+k_isinst __P((char *s));
+
+int KRB_LIB_FUNCTION
+k_isname __P((char *s));
+
+int KRB_LIB_FUNCTION
+k_isrealm __P((char *s));
+
+struct tm * KRB_LIB_FUNCTION
+k_localtime __P((u_int32_t *tp));
+
+int KRB_LIB_FUNCTION
+kname_parse __P((
+	char *np,
+	char *ip,
+	char *rp,
+	char *fullname));
+
+int KRB_LIB_FUNCTION
+krb_atime_to_life __P((char *atime));
+
+int KRB_LIB_FUNCTION
+krb_check_auth __P((
+	KTEXT packet,
+	u_int32_t checksum,
+	MSG_DAT *msg_data,
+	des_cblock *session,
+	struct des_ks_struct *schedule,
+	struct sockaddr_in *laddr,
+	struct sockaddr_in *faddr));
+
+int KRB_LIB_FUNCTION
+krb_check_tm __P((struct tm tm));
+
+KTEXT KRB_LIB_FUNCTION
+krb_create_death_packet __P((char *a_name));
+
+int KRB_LIB_FUNCTION
+krb_create_ticket __P((
+	KTEXT tkt,
+	unsigned char flags,
+	char *pname,
+	char *pinstance,
+	char *prealm,
+	int32_t paddress,
+	void *session,
+	int16_t life,
+	int32_t time_sec,
+	char *sname,
+	char *sinstance,
+	des_cblock *key));
+
+int KRB_LIB_FUNCTION
+krb_decode_as_rep __P((
+	const char *user,
+	char *instance,		/* INOUT parameter */
+	const char *realm,
+	const char *service,
+	const char *sinstance,
+	key_proc_t key_proc,
+	decrypt_proc_t decrypt_proc,
+	const void *arg,
+	KTEXT as_rep,
+	CREDENTIALS *cred));
+
+int KRB_LIB_FUNCTION
+krb_disable_debug __P((void));
+
+int KRB_LIB_FUNCTION
+krb_enable_debug __P((void));
+
+int KRB_LIB_FUNCTION
+krb_equiv __P((
+	u_int32_t a,
+	u_int32_t b));
+
+int KRB_LIB_FUNCTION
+krb_get_address __P((
+	void *from,
+	u_int32_t *to));
+
+int KRB_LIB_FUNCTION
+krb_get_admhst __P((
+	char *host,
+	char *realm,
+	int nth));
+
+int KRB_LIB_FUNCTION
+krb_get_config_bool __P((const char *variable));
+
+const char * KRB_LIB_FUNCTION
+krb_get_config_string __P((const char *variable));
+
+int KRB_LIB_FUNCTION
+krb_get_cred __P((
+        char *service,
+        char *instance,
+        char *realm,
+        CREDENTIALS *c));
+
+int KRB_LIB_FUNCTION
+krb_get_default_principal __P((
+	char *name,
+	char *instance,
+	char *realm));
+
+char * KRB_LIB_FUNCTION
+krb_get_default_realm __P((void));
+
+const char * KRB_LIB_FUNCTION
+krb_get_default_tkt_root __P((void));
+
+const char * KRB_LIB_FUNCTION
+krb_get_default_keyfile __P((void));
+
+const char * KRB_LIB_FUNCTION
+krb_get_err_text __P((int code));
+
+struct krb_host* KRB_LIB_FUNCTION
+krb_get_host __P((
+	int nth,
+	const char *realm,
+	int admin));
+
+int KRB_LIB_FUNCTION
+krb_get_in_tkt __P((
+	char *user,
+	char *instance,
+	char *realm,
+	char *service,
+	char *sinstance,
+	int life,
+	key_proc_t key_proc,
+	decrypt_proc_t decrypt_proc,
+	void *arg));
+
+int KRB_LIB_FUNCTION
+krb_get_int __P((
+	void *f,
+	u_int32_t *to,
+	int size,
+	int lsb));
+
+int KRB_LIB_FUNCTION
+krb_get_kdc_time_diff __P((void));
+
+int KRB_LIB_FUNCTION
+krb_get_krbconf __P((
+	int num,
+	char *buf,
+	size_t len));
+
+int KRB_LIB_FUNCTION
+krb_get_krbextra __P((
+	int num,
+	char *buf,
+	size_t len));
+
+int KRB_LIB_FUNCTION
+krb_get_krbhst __P((
+	char *host,
+	char *realm,
+	int nth));
+
+int KRB_LIB_FUNCTION
+krb_get_krbrealms __P((
+	int num,
+	char *buf,
+	size_t len));
+
+int KRB_LIB_FUNCTION
+krb_get_lrealm __P((
+	char *r,
+	int n));
+
+int KRB_LIB_FUNCTION
+krb_get_nir __P((
+	void *from,
+	char *name, size_t name_len,
+	char *instance, size_t instance_len,
+	char *realm, size_t realm_len));
+
+char * KRB_LIB_FUNCTION
+krb_get_phost __P((const char *alias));
+
+int KRB_LIB_FUNCTION
+krb_get_pw_in_tkt __P((
+	const char *user,
+	const char *instance,
+	const char *realm,
+	const char *service,
+	const char *sinstance,
+	int life,
+	const char *password));
+
+int KRB_LIB_FUNCTION
+krb_get_pw_in_tkt2 __P((
+	const char *user,
+	const char *instance,
+	const char *realm,
+	const char *service,
+	const char *sinstance,
+	int life,
+	const char *password,
+	des_cblock *key));
+
+int KRB_LIB_FUNCTION
+krb_get_string __P((
+	void *from,
+	char *to,
+	size_t to_size));
+
+int KRB_LIB_FUNCTION
+krb_get_svc_in_tkt __P((
+	char *user,
+	char *instance,
+	char *realm,
+	char *service,
+	char *sinstance,
+	int life,
+	char *srvtab));
+
+int KRB_LIB_FUNCTION
+krb_get_tf_fullname __P((
+	char *ticket_file,
+	char *name,
+	char *instance,
+	char *realm));
+
+int KRB_LIB_FUNCTION
+krb_get_tf_realm __P((
+	char *ticket_file,
+	char *realm));
+
+void KRB_LIB_FUNCTION
+krb_kdctimeofday __P((struct timeval *tv));
+
+int KRB_LIB_FUNCTION
+krb_kntoln __P((
+	AUTH_DAT *ad,
+	char *lname));
+
+int KRB_LIB_FUNCTION
+krb_kuserok __P((
+	char *name,
+	char *instance,
+	char *realm,
+	char *luser));
+
+char * KRB_LIB_FUNCTION
+krb_life_to_atime __P((int life));
+
+u_int32_t KRB_LIB_FUNCTION
+krb_life_to_time __P((
+	u_int32_t start,
+	int life_));
+
+int KRB_LIB_FUNCTION
+krb_lsb_antinet_ulong_cmp __P((
+	u_int32_t x,
+	u_int32_t y));
+
+int KRB_LIB_FUNCTION
+krb_lsb_antinet_ushort_cmp __P((
+	u_int16_t x,
+	u_int16_t y));
+
+int KRB_LIB_FUNCTION
+krb_mk_as_req __P((
+	const char *user,
+	const char *instance,
+	const char *realm,
+	const char *service,
+	const char *sinstance,
+	int life,
+	KTEXT cip));
+
+int KRB_LIB_FUNCTION
+krb_mk_auth __P((
+	int32_t options,
+	KTEXT ticket,
+	char *service,
+	char *instance,
+	char *realm,
+	u_int32_t checksum,
+	char *version,
+	KTEXT buf));
+
+int32_t KRB_LIB_FUNCTION
+krb_mk_err __P((
+	u_char *p,
+	int32_t e,
+	char *e_string));
+
+int32_t KRB_LIB_FUNCTION
+krb_mk_priv __P((
+	void *in,
+	void *out,
+	u_int32_t length,
+	struct des_ks_struct *schedule,
+	des_cblock *key,
+	struct sockaddr_in *sender,
+	struct sockaddr_in *receiver));
+
+int KRB_LIB_FUNCTION
+krb_mk_req __P((
+	KTEXT authent,
+	char *service,
+	char *instance,
+	char *realm,
+	int32_t checksum));
+
+int32_t KRB_LIB_FUNCTION
+krb_mk_safe __P((
+	void *in,
+	void *out,
+	u_int32_t length,
+	des_cblock *key,
+	struct sockaddr_in *sender,
+	struct sockaddr_in *receiver));
+
+int KRB_LIB_FUNCTION
+krb_net_read __P((
+	int fd,
+	void *v,
+	size_t len));
+
+int KRB_LIB_FUNCTION
+krb_net_write __P((
+	int fd,
+	const void *v,
+	size_t len));
+
+int KRB_LIB_FUNCTION
+krb_parse_name __P((
+	const char *fullname,
+	krb_principal *principal));
+
+int KRB_LIB_FUNCTION
+krb_put_address __P((
+	u_int32_t addr,
+	void *to,
+	size_t rem));
+
+int KRB_LIB_FUNCTION
+krb_put_int __P((
+	u_int32_t from,
+	void *to,
+	size_t rem,
+	int size));
+
+int KRB_LIB_FUNCTION
+krb_put_nir __P((
+	const char *name,
+	const char *instance,
+	const char *realm,
+	void *to,
+	size_t rem));
+
+int KRB_LIB_FUNCTION
+krb_put_string __P((
+	const char *from,
+	void *to,
+	size_t rem));
+
+int KRB_LIB_FUNCTION
+krb_rd_err __P((
+	u_char *in,
+	u_int32_t in_length,
+	int32_t *code,
+	MSG_DAT *m_data));
+
+int32_t KRB_LIB_FUNCTION
+krb_rd_priv __P((
+	void *in,
+	u_int32_t in_length,
+	struct des_ks_struct *schedule,
+	des_cblock *key,
+	struct sockaddr_in *sender,
+	struct sockaddr_in *receiver,
+	MSG_DAT *m_data));
+
+int KRB_LIB_FUNCTION
+krb_rd_req __P((
+	KTEXT authent,
+	char *service,
+	char *instance,
+	int32_t from_addr,
+	AUTH_DAT *ad,
+	char *fn));
+
+int32_t KRB_LIB_FUNCTION
+krb_rd_safe __P((
+	void *in,
+	u_int32_t in_length,
+	des_cblock *key,
+	struct sockaddr_in *sender,
+	struct sockaddr_in *receiver,
+	MSG_DAT *m_data));
+
+int KRB_LIB_FUNCTION
+krb_realm_parse __P((
+	char *realm,
+	int length));
+
+char * KRB_LIB_FUNCTION
+krb_realmofhost __P((const char *host));
+
+int KRB_LIB_FUNCTION
+krb_recvauth __P((
+	int32_t options,
+	int fd,
+	KTEXT ticket,
+	char *service,
+	char *instance,
+	struct sockaddr_in *faddr,
+	struct sockaddr_in *laddr,
+	AUTH_DAT *kdata,
+	char *filename,
+	struct des_ks_struct *schedule,
+	char *version));
+
+int KRB_LIB_FUNCTION
+krb_sendauth __P((
+	int32_t options,
+	int fd,
+	KTEXT ticket,
+	char *service,
+	char *instance,
+	char *realm,
+	u_int32_t checksum,
+	MSG_DAT *msg_data,
+	CREDENTIALS *cred,
+	struct des_ks_struct *schedule,
+	struct sockaddr_in *laddr,
+	struct sockaddr_in *faddr,
+	char *version));
+
+void KRB_LIB_FUNCTION
+krb_set_kdc_time_diff __P((int diff));
+
+int KRB_LIB_FUNCTION
+krb_set_key __P((
+	void *key,
+	int cvt));
+
+int KRB_LIB_FUNCTION
+krb_set_lifetime __P((int newval));
+
+void KRB_LIB_FUNCTION
+krb_set_tkt_string __P((const char *val));
+
+const char * KRB_LIB_FUNCTION
+krb_stime __P((time_t *t));
+
+int KRB_LIB_FUNCTION
+krb_time_to_life __P((
+	u_int32_t start,
+	u_int32_t end));
+
+char * KRB_LIB_FUNCTION
+krb_unparse_name __P((krb_principal *pr));
+
+char * KRB_LIB_FUNCTION
+krb_unparse_name_long __P((
+	char *name,
+	char *instance,
+	char *realm));
+
+char * KRB_LIB_FUNCTION
+krb_unparse_name_long_r __P((
+	char *name,
+	char *instance,
+	char *realm,
+	char *fullname));
+
+char * KRB_LIB_FUNCTION
+krb_unparse_name_r __P((
+	krb_principal *pr,
+	char *fullname));
+
+int KRB_LIB_FUNCTION
+krb_use_admin_server __P((int flag));
+
+int KRB_LIB_FUNCTION
+krb_verify_user __P((
+	char *name,
+	char *instance,
+	char *realm,
+	char *password,
+	int secure,
+	char *linstance));
+
+int KRB_LIB_FUNCTION
+krb_verify_user_srvtab __P((
+	char *name,
+	char *instance,
+	char *realm,
+	char *password,
+	int secure,
+	char *linstance,
+	char *srvtab));
+
+int KRB_LIB_FUNCTION
+kuserok __P((
+	AUTH_DAT *auth,
+	char *luser));
+
+u_int32_t KRB_LIB_FUNCTION
+lsb_time __P((
+	time_t t,
+	struct sockaddr_in *src,
+	struct sockaddr_in *dst));
+
+const char * KRB_LIB_FUNCTION
+month_sname __P((int n));
+
+int KRB_LIB_FUNCTION
+passwd_to_5key __P((
+	const char *user,
+	const char *instance,
+	const char *realm,
+	const void *passwd,
+	des_cblock *key));
+
+int KRB_LIB_FUNCTION
+passwd_to_afskey __P((
+	const char *user,
+	const char *instance,
+	const char *realm,
+	const void *passwd,
+	des_cblock *key));
+
+int KRB_LIB_FUNCTION
+passwd_to_key __P((
+	const char *user,
+	const char *instance,
+	const char *realm,
+	const void *passwd,
+	des_cblock *key));
+
+int KRB_LIB_FUNCTION
+read_service_key __P((
+	const char *service,
+	char *instance,
+	const char *realm,
+	int kvno,
+	const char *file,
+	void *key));
+
+int KRB_LIB_FUNCTION
+save_credentials __P((
+	char *service,
+	char *instance,
+	char *realm,
+	unsigned char *session,
+	int lifetime,
+	int kvno,
+	KTEXT ticket,
+	int32_t issue_date));
+
+int KRB_LIB_FUNCTION
+send_to_kdc __P((
+	KTEXT pkt,
+	KTEXT rpkt,
+	const char *realm));
+
+int KRB_LIB_FUNCTION
+srvtab_to_key __P((
+	const char *user,
+	char *instance,		/* INOUT parameter */
+	const char *realm,
+	const void *srvtab,
+	des_cblock *key));
+
+void KRB_LIB_FUNCTION
+tf_close __P((void));
+
+int KRB_LIB_FUNCTION
+tf_create __P((char *tf_name));
+
+int KRB_LIB_FUNCTION
+tf_get_cred __P((CREDENTIALS *c));
+
+int KRB_LIB_FUNCTION
+tf_get_cred_addr __P((char *realm, size_t realm_sz, struct in_addr *addr));
+
+int KRB_LIB_FUNCTION
+tf_get_pinst __P((char *inst));
+
+int KRB_LIB_FUNCTION
+tf_get_pname __P((char *p));
+
+int KRB_LIB_FUNCTION
+tf_init __P((
+	char *tf_name,
+	int rw));
+
+int KRB_LIB_FUNCTION
+tf_put_pinst __P((const char *inst));
+
+int KRB_LIB_FUNCTION
+tf_put_pname __P((const char *p));
+
+int KRB_LIB_FUNCTION
+tf_save_cred __P((
+	char *service,
+	char *instance,
+	char *realm,
+	unsigned char *session,
+	int lifetime,
+	int kvno,
+	KTEXT ticket,
+	u_int32_t issue_date));
+
+int KRB_LIB_FUNCTION
+tf_setup __P((
+	CREDENTIALS *cred,
+	const char *pname,
+	const char *pinst));
+
+int KRB_LIB_FUNCTION
+tf_get_addr __P((
+	const char *realm,
+	struct in_addr *addr));
+
+int KRB_LIB_FUNCTION
+tf_store_addr __P((const char *realm, struct in_addr *addr));
+
+char * KRB_LIB_FUNCTION
+tkt_string __P((void));
+
+int KRB_LIB_FUNCTION
+krb_add_our_ip_for_realm __P((const char *user, const char *instance,
+			      const char *realm, const char *password));
+
+#endif /* __krb_protos_h__ */
diff --git a/crypto/kerberosIV/lib/krb/krb.def b/crypto/kerberosIV/lib/krb/krb.def
new file mode 100644
index 0000000..1158e60
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb.def
@@ -0,0 +1,96 @@
+LIBRARY	krb	BASE=0x07000000
+EXPORTS
+	krb_get_err_text
+	
+	newTktMem
+	getTktMem
+	firstCred
+	nextCredIndex
+	currCredIndex
+	nextFreeIndex
+	
+	k_localtime
+	k_getsockinst
+	k_getportbyname
+	k_get_all_addrs
+	
+	krb_set_kdc_time_diff
+	krb_get_kdc_time_diff
+
+	krb_get_config_bool
+	krb_get_config_string
+
+	krb_equiv
+
+	afs_string_to_key
+
+	krb_life_to_time
+	krb_time_to_life
+	krb_life_to_atime
+	krb_atime_to_life
+
+	tf_get_cred
+	tf_get_pinst
+	tf_get_pname
+	tf_put_pinst
+	tf_put_pname
+	tf_init
+	tf_create
+	tf_save_cred
+	tf_close
+
+	krb_mk_priv
+	krb_rd_priv
+
+	create_auth_reply
+	krb_get_phost
+	krb_realmofhost
+	tkt_string
+	create_ciph
+	decomp_ticket
+	dest_tkt
+	get_ad_tkt
+	in_tkt
+	k_gethostname
+	k_isinst
+	k_isname
+	k_isrealm
+	kname_parse
+	krb_parse_name
+	krb_unparse_name
+	krb_unparse_name_long
+	krb_create_ticket
+	krb_get_admhst
+	krb_get_cred
+	krb_get_in_tkt
+	krb_get_krbhst
+	krb_get_lrealm
+	krb_get_default_realm
+	krb_get_pw_in_tkt
+	krb_get_svc_in_tkt
+	krb_get_tf_fullname
+	krb_get_tf_realm
+	krb_kntoln
+	krb_mk_req
+	krb_net_read
+	krb_net_write
+	krb_rd_err
+	krb_rd_req
+	krb_recvauth
+	krb_sendauth
+	krb_set_key
+	krb_set_lifetime 
+	read_service_key
+	save_credentials
+	send_to_kdc
+	krb_mk_err
+	krb_mk_safe
+	krb_rd_safe
+	ad_print
+	cr_err_reply
+	krb_set_tkt_string
+	krb_get_default_principal
+	krb_realm_parse
+	krb_verify_user
+	kset_logfile
+	getst
diff --git a/crypto/kerberosIV/lib/krb/krb.dsp b/crypto/kerberosIV/lib/krb/krb.dsp
new file mode 100644
index 0000000..efec3b2
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb.dsp
@@ -0,0 +1,398 @@
+# Microsoft Developer Studio Project File - Name="krb" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 5.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=krb - Win32 Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "krb.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "krb.mak" CFG="krb - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "krb - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "krb - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "krb - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir ".\Release"
+# PROP BASE Intermediate_Dir ".\Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir ".\Release"
+# PROP Intermediate_Dir ".\Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "." /I "..\..\include" /I "..\..\include\win32" /I "..\des" /I "..\roken" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c
+# ADD BASE MTL /nologo /D "NDEBUG" /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386
+# ADD LINK32 ..\roken\Release\roken.lib ..\des\Release\des.lib wsock32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /subsystem:windows /dll /machine:I386
+
+!ELSEIF  "$(CFG)" == "krb - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir ".\Debug"
+# PROP BASE Intermediate_Dir ".\Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir ".\Debug"
+# PROP Intermediate_Dir ".\Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /Zi /Od /I "." /I "..\..\include" /I "..\..\include\win32" /I "..\des" /I "..\roken" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c
+# ADD BASE MTL /nologo /D "_DEBUG" /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386
+# ADD LINK32 ..\roken\Debug\roken.lib ..\des\Debug\des.lib wsock32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /subsystem:windows /dll /debug /machine:I386
+
+!ENDIF 
+
+# Begin Target
+
+# Name "krb - Win32 Release"
+# Name "krb - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;hpj;bat;for;f90"
+# Begin Source File
+
+SOURCE=.\cr_err_reply.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\create_auth_reply.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\create_ciph.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\create_ticket.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\debug_decl.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\decomp_ticket.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\dllmain.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\encrypt_ktext.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\extra.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\get_ad_tkt.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\get_cred.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\get_default_principal.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\get_host.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\get_in_tkt.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\get_krbrlm.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\get_svc_in_tkt.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\get_tf_fullname.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\get_tf_realm.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\getaddrs.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\getfile.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\getrealm.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\getst.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\k_gethostname.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\k_getport.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\k_getsockinst.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\k_localtime.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\kdc_reply.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\kntoln.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\krb.def
+# End Source File
+# Begin Source File
+
+SOURCE=.\krb_check_auth.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\krb_equiv.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\krb_err_txt.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\krb_get_in_tkt.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\lifetime.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\logging.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\lsb_addr_comp.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\mk_auth.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\mk_err.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\mk_priv.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\mk_req.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\mk_safe.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\month_sname.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\name2name.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\netread.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\netwrite.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\one.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\parse_name.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\rd_err.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\rd_priv.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\rd_req.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\rd_safe.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\read_service_key.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\realm_parse.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\recvauth.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\rw.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\save_credentials.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\send_to_kdc.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\sendauth.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\stime.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\str2key.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\ticket_memory.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\time.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\tkt_string.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\unparse_name.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\util.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\verify_user.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl;fi;fd"
+# Begin Source File
+
+SOURCE=.\klog.h
+# End Source File
+# Begin Source File
+
+SOURCE=".\krb-protos.h"
+# End Source File
+# Begin Source File
+
+SOURCE=.\krb.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\krb_locl.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\krb_log.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\prot.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\ticket_memory.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;cnt;rtf;gif;jpg;jpeg;jpe"
+# Begin Source File
+
+SOURCE=.\krb.rc
+# End Source File
+# End Group
+# End Target
+# End Project
diff --git a/crypto/kerberosIV/lib/krb/krb.h b/crypto/kerberosIV/lib/krb/krb.h
new file mode 100644
index 0000000..6f7386f
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb.h
@@ -0,0 +1,359 @@
+/*
+ * $Id: krb.h,v 1.99 1999/11/16 14:02:47 bg Exp $
+ * $FreeBSD$
+ *
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology. 
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>. 
+ *
+ * Include file for the Kerberos library. 
+ */
+
+#if !defined (__STDC__) && !defined(_MSC_VER)
+#define const
+#define signed
+#endif
+
+#include <sys/types.h>
+#include <time.h>
+
+#ifndef __KRB_H__
+#define __KRB_H__
+
+/* XXX */
+#ifndef __BEGIN_DECLS
+#if defined(__cplusplus)
+#define	__BEGIN_DECLS	extern "C" {
+#define	__END_DECLS	};
+#else
+#define	__BEGIN_DECLS
+#define	__END_DECLS
+#endif
+#endif
+
+#if defined (__STDC__) || defined (_MSC_VER)
+#ifndef __P
+#define __P(x) x
+#endif
+#else
+#ifndef __P
+#define __P(x) ()
+#endif
+#endif
+
+__BEGIN_DECLS
+
+/* Need some defs from des.h	 */
+#if !defined(NOPROTO) && !defined(__STDC__)
+#define NOPROTO
+#endif
+#include <openssl/des.h>
+
+/* CNS compatibility ahead! */
+#ifndef KRB_INT32
+#define KRB_INT32 int32_t
+#endif
+#ifndef KRB_UINT32
+#define KRB_UINT32 u_int32_t
+#endif
+
+/* Global library variables. */
+extern int krb_ignore_ip_address; /* To turn off IP address comparison */
+extern int krb_no_long_lifetimes; /* To disable AFS compatible lifetimes */
+extern int krbONE;
+#define         HOST_BYTE_ORDER (* (char *) &krbONE)
+/* Debug variables */
+extern int krb_debug;
+extern int krb_ap_req_debug;
+extern int krb_dns_debug;
+
+
+/* Text describing error codes */
+#define		MAX_KRB_ERRORS	256
+extern const char *krb_err_txt[MAX_KRB_ERRORS];
+
+/* General definitions */
+#define		KSUCCESS	0
+#define		KFAILURE	255
+
+/*
+ * Kerberos specific definitions 
+ *
+ * KRBLOG is the log file for the kerberos master server. KRB_CONF is
+ * the configuration file where different host machines running master
+ * and slave servers can be found. KRB_MASTER is the name of the
+ * machine with the master database.  The admin_server runs on this
+ * machine, and all changes to the db (as opposed to read-only
+ * requests, which can go to slaves) must go to it. KRB_HOST is the
+ * default machine * when looking for a kerberos slave server.  Other
+ * possibilities are * in the KRB_CONF file. KRB_REALM is the name of
+ * the realm. 
+ */
+
+/* /etc/kerberosIV is only for backwards compatibility, don't use it! */
+#ifndef KRB_CONF
+#define KRB_CONF	"/etc/kerberosIV/krb.conf"
+#endif
+#ifndef KRB_RLM_TRANS
+#define KRB_RLM_TRANS   "/etc/kerberosIV/krb.realms"
+#endif
+#ifndef KRB_CNF_FILES
+#define KRB_CNF_FILES	{ KRB_CONF,   "/etc/krb.conf", 0}
+#endif
+#ifndef KRB_RLM_FILES
+#define KRB_RLM_FILES	{ KRB_RLM_TRANS, "/etc/krb.realms", 0}
+#endif
+#ifndef KRB_EQUIV
+#define KRB_EQUIV	"/etc/kerberosIV/krb.equiv"
+#endif
+#define KRB_MASTER	"kerberos"
+#ifndef KRB_REALM
+#define KRB_REALM	(krb_get_default_realm())
+#endif
+
+/* The maximum sizes for aname, realm, sname, and instance +1 */
+#define 	ANAME_SZ	40
+#define		REALM_SZ	40
+#define		SNAME_SZ	40
+#define		INST_SZ		40
+/* Leave space for quoting */
+#define		MAX_K_NAME_SZ	(2*ANAME_SZ + 2*INST_SZ + 2*REALM_SZ - 3)
+#define		KKEY_SZ		100
+#define		VERSION_SZ	1
+#define		MSG_TYPE_SZ	1
+#define		DATE_SZ		26	/* RTI date output */
+
+#define MAX_HSTNM 100 /* for compatibility */
+
+typedef struct krb_principal{
+    char name[ANAME_SZ];
+    char instance[INST_SZ];
+    char realm[REALM_SZ];
+}krb_principal;
+
+#ifndef DEFAULT_TKT_LIFE	/* allow compile-time override */
+/* default lifetime for krb_mk_req & co., 10 hrs */
+#define	DEFAULT_TKT_LIFE 120
+#endif
+
+#define		KRB_TICKET_GRANTING_TICKET	"krbtgt"
+
+/* Definition of text structure used to pass text around */
+#define		MAX_KTXT_LEN	1250
+
+struct ktext {
+    unsigned int length;		/* Length of the text */
+    unsigned char dat[MAX_KTXT_LEN];	/* The data itself */
+    u_int32_t mbz;		/* zero to catch runaway strings */
+};
+
+typedef struct ktext *KTEXT;
+typedef struct ktext KTEXT_ST;
+
+
+/* Definitions for send_to_kdc */
+#define	CLIENT_KRB_TIMEOUT	4	/* default time between retries */
+#define CLIENT_KRB_RETRY	5	/* retry this many times */
+#define	CLIENT_KRB_BUFLEN	512	/* max unfragmented packet */
+
+/* Definitions for ticket file utilities */
+#define	R_TKT_FIL	0
+#define	W_TKT_FIL	1
+
+/* Parameters for rd_ap_req */
+/* Maximum alloable clock skew in seconds */
+#define 	CLOCK_SKEW	5*60
+/* Filename for readservkey */
+#ifndef		KEYFILE
+#define		KEYFILE		(krb_get_default_keyfile())
+#endif
+
+/* Structure definition for rd_ap_req */
+
+struct auth_dat {
+    unsigned char k_flags;	/* Flags from ticket */
+    char    pname[ANAME_SZ];	/* Principal's name */
+    char    pinst[INST_SZ];	/* His Instance */
+    char    prealm[REALM_SZ];	/* His Realm */
+    u_int32_t checksum;		/* Data checksum (opt) */
+    des_cblock session;		/* Session Key */
+    int     life;		/* Life of ticket */
+    u_int32_t time_sec;		/* Time ticket issued */
+    u_int32_t address;		/* Address in ticket */
+    KTEXT_ST reply;		/* Auth reply (opt) */
+};
+
+typedef struct auth_dat AUTH_DAT;
+
+/* Structure definition for credentials returned by get_cred */
+
+struct credentials {
+    char    service[ANAME_SZ];	/* Service name */
+    char    instance[INST_SZ];	/* Instance */
+    char    realm[REALM_SZ];	/* Auth domain */
+    des_cblock session;		/* Session key */
+    int     lifetime;		/* Lifetime */
+    int     kvno;		/* Key version number */
+    KTEXT_ST ticket_st;		/* The ticket itself */
+    int32_t    issue_date;	/* The issue time */
+    char    pname[ANAME_SZ];	/* Principal's name */
+    char    pinst[INST_SZ];	/* Principal's instance */
+};
+
+typedef struct credentials CREDENTIALS;
+
+/* Structure definition for rd_private_msg and rd_safe_msg */
+
+struct msg_dat {
+    unsigned char *app_data;	/* pointer to appl data */
+    u_int32_t app_length;	/* length of appl data */
+    u_int32_t hash;		/* hash to lookup replay */
+    int     swap;		/* swap bytes? */
+    int32_t    time_sec;		/* msg timestamp seconds */
+    unsigned char time_5ms;	/* msg timestamp 5ms units */
+};
+
+typedef struct msg_dat MSG_DAT;
+
+struct krb_host {
+    char *realm;
+    char *host;
+    enum krb_host_proto { PROTO_UDP, PROTO_TCP, PROTO_HTTP } proto;
+    int port;
+    int admin;
+};
+
+/* Location of ticket file for save_cred and get_cred */
+#define TKT_FILE        tkt_string()
+#ifndef TKT_ROOT
+#define TKT_ROOT        (krb_get_default_tkt_root())
+#endif
+
+/* Error codes returned from the KDC */
+#define		KDC_OK		0	/* Request OK */
+#define		KDC_NAME_EXP	1	/* Principal expired */
+#define		KDC_SERVICE_EXP	2	/* Service expired */
+#define		KDC_AUTH_EXP	3	/* Auth expired */
+#define		KDC_PKT_VER	4	/* Protocol version unknown */
+#define		KDC_P_MKEY_VER	5	/* Wrong master key version */
+#define		KDC_S_MKEY_VER 	6	/* Wrong master key version */
+#define		KDC_BYTE_ORDER	7	/* Byte order unknown */
+#define		KDC_PR_UNKNOWN	8	/* Principal unknown */
+#define		KDC_PR_N_UNIQUE 9	/* Principal not unique */
+#define		KDC_NULL_KEY   10	/* Principal has null key */
+#define		KDC_GEN_ERR    20	/* Generic error from KDC */
+
+
+/* Values returned by get_credentials */
+#define		GC_OK		0	/* Retrieve OK */
+#define		RET_OK		0	/* Retrieve OK */
+#define		GC_TKFIL       21	/* Can't read ticket file */
+#define		RET_TKFIL      21	/* Can't read ticket file */
+#define		GC_NOTKT       22	/* Can't find ticket or TGT */
+#define		RET_NOTKT      22	/* Can't find ticket or TGT */
+
+
+/* Values returned by mk_ap_req	 */
+#define		MK_AP_OK	0	/* Success */
+#define		MK_AP_TGTEXP   26	/* TGT Expired */
+
+/* Values returned by rd_ap_req */
+#define		RD_AP_OK	0	/* Request authentic */
+#define		RD_AP_UNDEC    31	/* Can't decode authenticator */
+#define		RD_AP_EXP      32	/* Ticket expired */
+#define		RD_AP_NYV      33	/* Ticket not yet valid */
+#define		RD_AP_REPEAT   34	/* Repeated request */
+#define		RD_AP_NOT_US   35	/* The ticket isn't for us */
+#define		RD_AP_INCON    36	/* Request is inconsistent */
+#define		RD_AP_TIME     37	/* delta_t too big */
+#define		RD_AP_BADD     38	/* Incorrect net address */
+#define		RD_AP_VERSION  39	/* protocol version mismatch */
+#define		RD_AP_MSG_TYPE 40	/* invalid msg type */
+#define		RD_AP_MODIFIED 41	/* message stream modified */
+#define		RD_AP_ORDER    42	/* message out of order */
+#define		RD_AP_UNAUTHOR 43	/* unauthorized request */
+
+/* Values returned by get_pw_tkt */
+#define		GT_PW_OK	0	/* Got password changing tkt */
+#define		GT_PW_NULL     51	/* Current PW is null */
+#define		GT_PW_BADPW    52	/* Incorrect current password */
+#define		GT_PW_PROT     53	/* Protocol Error */
+#define		GT_PW_KDCERR   54	/* Error returned by KDC */
+#define		GT_PW_NULLTKT  55	/* Null tkt returned by KDC */
+
+
+/* Values returned by send_to_kdc */
+#define		SKDC_OK		0	/* Response received */
+#define		SKDC_RETRY     56	/* Retry count exceeded */
+#define		SKDC_CANT      57	/* Can't send request */
+
+/*
+ * Values returned by get_intkt
+ * (can also return SKDC_* and KDC errors)
+ */
+
+#define		INTK_OK		0	/* Ticket obtained */
+#define		INTK_W_NOTALL  61	/* Not ALL tickets returned */
+#define		INTK_BADPW     62	/* Incorrect password */
+#define		INTK_PROT      63	/* Protocol Error */
+#define		INTK_ERR       70	/* Other error */
+
+/* Values returned by get_adtkt */
+#define         AD_OK           0	/* Ticket Obtained */
+#define         AD_NOTGT       71	/* Don't have tgt */
+#define         AD_INTR_RLM_NOTGT 72	/* Can't get inter-realm tgt */
+
+/* Error codes returned by ticket file utilities */
+#define		NO_TKT_FIL	76	/* No ticket file found */
+#define		TKT_FIL_ACC	77	/* Couldn't access tkt file */
+#define		TKT_FIL_LCK	78	/* Couldn't lock ticket file */
+#define		TKT_FIL_FMT	79	/* Bad ticket file format */
+#define		TKT_FIL_INI	80	/* tf_init not called first */
+
+/* Error code returned by kparse_name */
+#define		KNAME_FMT	81	/* Bad Kerberos name format */
+
+/* Error code returned by krb_mk_safe */
+#define		SAFE_PRIV_ERROR	-1	/* syscall error */
+
+/* Defines for krb_sendauth and krb_recvauth */
+
+#define	KOPT_DONT_MK_REQ 0x00000001 /* don't call krb_mk_req */
+#define	KOPT_DO_MUTUAL   0x00000002 /* do mutual auth */
+
+#define	KOPT_DONT_CANON  0x00000004 /*
+				     * don't canonicalize inst as
+				     * a hostname
+				     */
+
+#define KOPT_IGNORE_PROTOCOL 0x0008
+
+#define	KRB_SENDAUTH_VLEN 8	    /* length for version strings */
+
+
+/* flags for krb_verify_user() */
+#define KRB_VERIFY_NOT_SECURE	0
+#define KRB_VERIFY_SECURE	1
+#define KRB_VERIFY_SECURE_FAIL	2
+
+extern char *krb4_version;
+
+typedef int (*key_proc_t) __P((const char *name,
+			       char *instance, /* INOUT parameter */
+			       const char *realm,
+			       const void *password,
+			       des_cblock *key));
+
+typedef int (*decrypt_proc_t) __P((const char *name,
+				   const char *instance,
+				   const char *realm,
+				   const void *arg, 
+				   key_proc_t,
+				   KTEXT *));
+
+#include "krb-protos.h"
+
+__END_DECLS
+
+#endif /* __KRB_H__ */
diff --git a/crypto/kerberosIV/lib/krb/krb.mak b/crypto/kerberosIV/lib/krb/krb.mak
new file mode 100644
index 0000000..e9d5690
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb.mak
@@ -0,0 +1,1902 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on krb.dsp
+!IF "$(CFG)" == ""
+CFG=krb - Win32 Release
+!MESSAGE No configuration specified. Defaulting to krb - Win32 Release.
+!ENDIF 
+
+!IF "$(CFG)" != "krb - Win32 Release" && "$(CFG)" != "krb - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line.  For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "krb.mak" CFG="krb - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "krb - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "krb - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "krb - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+# Begin Custom Macros
+OutDir=.\.\Release
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\krb.dll"
+
+!ELSE 
+
+ALL : "des - Win32 Release" "$(OUTDIR)\krb.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"des - Win32 ReleaseCLEAN" 
+!ELSE 
+CLEAN : 
+!ENDIF 
+	-@erase "$(INTDIR)\cr_err_reply.obj"
+	-@erase "$(INTDIR)\create_auth_reply.obj"
+	-@erase "$(INTDIR)\create_ciph.obj"
+	-@erase "$(INTDIR)\create_ticket.obj"
+	-@erase "$(INTDIR)\debug_decl.obj"
+	-@erase "$(INTDIR)\decomp_ticket.obj"
+	-@erase "$(INTDIR)\dllmain.obj"
+	-@erase "$(INTDIR)\encrypt_ktext.obj"
+	-@erase "$(INTDIR)\get_ad_tkt.obj"
+	-@erase "$(INTDIR)\get_cred.obj"
+	-@erase "$(INTDIR)\get_default_principal.obj"
+	-@erase "$(INTDIR)\get_host.obj"
+	-@erase "$(INTDIR)\get_in_tkt.obj"
+	-@erase "$(INTDIR)\get_krbrlm.obj"
+	-@erase "$(INTDIR)\get_svc_in_tkt.obj"
+	-@erase "$(INTDIR)\get_tf_fullname.obj"
+	-@erase "$(INTDIR)\get_tf_realm.obj"
+	-@erase "$(INTDIR)\getaddrs.obj"
+	-@erase "$(INTDIR)\getfile.obj"
+	-@erase "$(INTDIR)\getrealm.obj"
+	-@erase "$(INTDIR)\getst.obj"
+	-@erase "$(INTDIR)\k_flock.obj"
+	-@erase "$(INTDIR)\k_gethostname.obj"
+	-@erase "$(INTDIR)\k_getport.obj"
+	-@erase "$(INTDIR)\k_getsockinst.obj"
+	-@erase "$(INTDIR)\k_localtime.obj"
+	-@erase "$(INTDIR)\kdc_reply.obj"
+	-@erase "$(INTDIR)\kntoln.obj"
+	-@erase "$(INTDIR)\krb.res"
+	-@erase "$(INTDIR)\krb_check_auth.obj"
+	-@erase "$(INTDIR)\krb_equiv.obj"
+	-@erase "$(INTDIR)\krb_err_txt.obj"
+	-@erase "$(INTDIR)\krb_get_in_tkt.obj"
+	-@erase "$(INTDIR)\lifetime.obj"
+	-@erase "$(INTDIR)\logging.obj"
+	-@erase "$(INTDIR)\lsb_addr_comp.obj"
+	-@erase "$(INTDIR)\mk_auth.obj"
+	-@erase "$(INTDIR)\mk_err.obj"
+	-@erase "$(INTDIR)\mk_priv.obj"
+	-@erase "$(INTDIR)\mk_req.obj"
+	-@erase "$(INTDIR)\mk_safe.obj"
+	-@erase "$(INTDIR)\month_sname.obj"
+	-@erase "$(INTDIR)\name2name.obj"
+	-@erase "$(INTDIR)\netread.obj"
+	-@erase "$(INTDIR)\netwrite.obj"
+	-@erase "$(INTDIR)\one.obj"
+	-@erase "$(INTDIR)\parse_name.obj"
+	-@erase "$(INTDIR)\rd_err.obj"
+	-@erase "$(INTDIR)\rd_priv.obj"
+	-@erase "$(INTDIR)\rd_req.obj"
+	-@erase "$(INTDIR)\rd_safe.obj"
+	-@erase "$(INTDIR)\read_service_key.obj"
+	-@erase "$(INTDIR)\realm_parse.obj"
+	-@erase "$(INTDIR)\recvauth.obj"
+	-@erase "$(INTDIR)\rw.obj"
+	-@erase "$(INTDIR)\save_credentials.obj"
+	-@erase "$(INTDIR)\send_to_kdc.obj"
+	-@erase "$(INTDIR)\sendauth.obj"
+	-@erase "$(INTDIR)\stime.obj"
+	-@erase "$(INTDIR)\str2key.obj"
+	-@erase "$(INTDIR)\ticket_memory.obj"
+	-@erase "$(INTDIR)\time.obj"
+	-@erase "$(INTDIR)\tkt_string.obj"
+	-@erase "$(INTDIR)\unparse_name.obj"
+	-@erase "$(INTDIR)\util.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(INTDIR)\verify_user.obj"
+	-@erase "$(OUTDIR)\krb.dll"
+	-@erase "$(OUTDIR)\krb.exp"
+	-@erase "$(OUTDIR)\krb.lib"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "." /I "..\..\include" /I\
+ "..\..\include\win32" /I "..\des" /I "..\roken" /D "NDEBUG" /D "WIN32" /D\
+ "_WINDOWS" /D "HAVE_CONFIG_H" /Fp"$(INTDIR)\krb.pch" /YX /Fo"$(INTDIR)\\"\
+ /Fd"$(INTDIR)\\" /FD /c 
+CPP_OBJS=.\Release/
+CPP_SBRS=.
+
+.c{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+MTL=midl.exe
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+RSC=rc.exe
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\krb.res" /d "NDEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\krb.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=..\roken\Release\roken.lib ..\des\Release\des.lib wsock32.lib\
+ kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib\
+ shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /subsystem:windows /dll\
+ /incremental:no /pdb:"$(OUTDIR)\krb.pdb" /machine:I386 /def:".\krb.def"\
+ /out:"$(OUTDIR)\krb.dll" /implib:"$(OUTDIR)\krb.lib" 
+DEF_FILE= \
+	".\krb.def"
+LINK32_OBJS= \
+	"$(INTDIR)\cr_err_reply.obj" \
+	"$(INTDIR)\create_auth_reply.obj" \
+	"$(INTDIR)\create_ciph.obj" \
+	"$(INTDIR)\create_ticket.obj" \
+	"$(INTDIR)\debug_decl.obj" \
+	"$(INTDIR)\decomp_ticket.obj" \
+	"$(INTDIR)\dllmain.obj" \
+	"$(INTDIR)\encrypt_ktext.obj" \
+	"$(INTDIR)\get_ad_tkt.obj" \
+	"$(INTDIR)\get_cred.obj" \
+	"$(INTDIR)\get_default_principal.obj" \
+	"$(INTDIR)\get_host.obj" \
+	"$(INTDIR)\get_in_tkt.obj" \
+	"$(INTDIR)\get_krbrlm.obj" \
+	"$(INTDIR)\get_svc_in_tkt.obj" \
+	"$(INTDIR)\get_tf_fullname.obj" \
+	"$(INTDIR)\get_tf_realm.obj" \
+	"$(INTDIR)\getaddrs.obj" \
+	"$(INTDIR)\getfile.obj" \
+	"$(INTDIR)\getrealm.obj" \
+	"$(INTDIR)\getst.obj" \
+	"$(INTDIR)\k_flock.obj" \
+	"$(INTDIR)\k_gethostname.obj" \
+	"$(INTDIR)\k_getport.obj" \
+	"$(INTDIR)\k_getsockinst.obj" \
+	"$(INTDIR)\k_localtime.obj" \
+	"$(INTDIR)\kdc_reply.obj" \
+	"$(INTDIR)\kntoln.obj" \
+	"$(INTDIR)\krb.res" \
+	"$(INTDIR)\krb_check_auth.obj" \
+	"$(INTDIR)\krb_equiv.obj" \
+	"$(INTDIR)\krb_err_txt.obj" \
+	"$(INTDIR)\krb_get_in_tkt.obj" \
+	"$(INTDIR)\lifetime.obj" \
+	"$(INTDIR)\logging.obj" \
+	"$(INTDIR)\lsb_addr_comp.obj" \
+	"$(INTDIR)\mk_auth.obj" \
+	"$(INTDIR)\mk_err.obj" \
+	"$(INTDIR)\mk_priv.obj" \
+	"$(INTDIR)\mk_req.obj" \
+	"$(INTDIR)\mk_safe.obj" \
+	"$(INTDIR)\month_sname.obj" \
+	"$(INTDIR)\name2name.obj" \
+	"$(INTDIR)\netread.obj" \
+	"$(INTDIR)\netwrite.obj" \
+	"$(INTDIR)\one.obj" \
+	"$(INTDIR)\parse_name.obj" \
+	"$(INTDIR)\rd_err.obj" \
+	"$(INTDIR)\rd_priv.obj" \
+	"$(INTDIR)\rd_req.obj" \
+	"$(INTDIR)\rd_safe.obj" \
+	"$(INTDIR)\read_service_key.obj" \
+	"$(INTDIR)\realm_parse.obj" \
+	"$(INTDIR)\recvauth.obj" \
+	"$(INTDIR)\rw.obj" \
+	"$(INTDIR)\save_credentials.obj" \
+	"$(INTDIR)\send_to_kdc.obj" \
+	"$(INTDIR)\sendauth.obj" \
+	"$(INTDIR)\stime.obj" \
+	"$(INTDIR)\str2key.obj" \
+	"$(INTDIR)\ticket_memory.obj" \
+	"$(INTDIR)\time.obj" \
+	"$(INTDIR)\tkt_string.obj" \
+	"$(INTDIR)\unparse_name.obj" \
+	"$(INTDIR)\util.obj" \
+	"$(INTDIR)\verify_user.obj" \
+	"..\des\Release\des.lib"
+
+"$(OUTDIR)\krb.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "krb - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\krb.dll"
+
+!ELSE 
+
+ALL : "des - Win32 Debug" "$(OUTDIR)\krb.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"des - Win32 DebugCLEAN" 
+!ELSE 
+CLEAN : 
+!ENDIF 
+	-@erase "$(INTDIR)\cr_err_reply.obj"
+	-@erase "$(INTDIR)\create_auth_reply.obj"
+	-@erase "$(INTDIR)\create_ciph.obj"
+	-@erase "$(INTDIR)\create_ticket.obj"
+	-@erase "$(INTDIR)\debug_decl.obj"
+	-@erase "$(INTDIR)\decomp_ticket.obj"
+	-@erase "$(INTDIR)\dllmain.obj"
+	-@erase "$(INTDIR)\encrypt_ktext.obj"
+	-@erase "$(INTDIR)\get_ad_tkt.obj"
+	-@erase "$(INTDIR)\get_cred.obj"
+	-@erase "$(INTDIR)\get_default_principal.obj"
+	-@erase "$(INTDIR)\get_host.obj"
+	-@erase "$(INTDIR)\get_in_tkt.obj"
+	-@erase "$(INTDIR)\get_krbrlm.obj"
+	-@erase "$(INTDIR)\get_svc_in_tkt.obj"
+	-@erase "$(INTDIR)\get_tf_fullname.obj"
+	-@erase "$(INTDIR)\get_tf_realm.obj"
+	-@erase "$(INTDIR)\getaddrs.obj"
+	-@erase "$(INTDIR)\getfile.obj"
+	-@erase "$(INTDIR)\getrealm.obj"
+	-@erase "$(INTDIR)\getst.obj"
+	-@erase "$(INTDIR)\k_flock.obj"
+	-@erase "$(INTDIR)\k_gethostname.obj"
+	-@erase "$(INTDIR)\k_getport.obj"
+	-@erase "$(INTDIR)\k_getsockinst.obj"
+	-@erase "$(INTDIR)\k_localtime.obj"
+	-@erase "$(INTDIR)\kdc_reply.obj"
+	-@erase "$(INTDIR)\kntoln.obj"
+	-@erase "$(INTDIR)\krb.res"
+	-@erase "$(INTDIR)\krb_check_auth.obj"
+	-@erase "$(INTDIR)\krb_equiv.obj"
+	-@erase "$(INTDIR)\krb_err_txt.obj"
+	-@erase "$(INTDIR)\krb_get_in_tkt.obj"
+	-@erase "$(INTDIR)\lifetime.obj"
+	-@erase "$(INTDIR)\logging.obj"
+	-@erase "$(INTDIR)\lsb_addr_comp.obj"
+	-@erase "$(INTDIR)\mk_auth.obj"
+	-@erase "$(INTDIR)\mk_err.obj"
+	-@erase "$(INTDIR)\mk_priv.obj"
+	-@erase "$(INTDIR)\mk_req.obj"
+	-@erase "$(INTDIR)\mk_safe.obj"
+	-@erase "$(INTDIR)\month_sname.obj"
+	-@erase "$(INTDIR)\name2name.obj"
+	-@erase "$(INTDIR)\netread.obj"
+	-@erase "$(INTDIR)\netwrite.obj"
+	-@erase "$(INTDIR)\one.obj"
+	-@erase "$(INTDIR)\parse_name.obj"
+	-@erase "$(INTDIR)\rd_err.obj"
+	-@erase "$(INTDIR)\rd_priv.obj"
+	-@erase "$(INTDIR)\rd_req.obj"
+	-@erase "$(INTDIR)\rd_safe.obj"
+	-@erase "$(INTDIR)\read_service_key.obj"
+	-@erase "$(INTDIR)\realm_parse.obj"
+	-@erase "$(INTDIR)\recvauth.obj"
+	-@erase "$(INTDIR)\rw.obj"
+	-@erase "$(INTDIR)\save_credentials.obj"
+	-@erase "$(INTDIR)\send_to_kdc.obj"
+	-@erase "$(INTDIR)\sendauth.obj"
+	-@erase "$(INTDIR)\stime.obj"
+	-@erase "$(INTDIR)\str2key.obj"
+	-@erase "$(INTDIR)\ticket_memory.obj"
+	-@erase "$(INTDIR)\time.obj"
+	-@erase "$(INTDIR)\tkt_string.obj"
+	-@erase "$(INTDIR)\unparse_name.obj"
+	-@erase "$(INTDIR)\util.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(INTDIR)\vc50.pdb"
+	-@erase "$(INTDIR)\verify_user.obj"
+	-@erase "$(OUTDIR)\krb.dll"
+	-@erase "$(OUTDIR)\krb.exp"
+	-@erase "$(OUTDIR)\krb.ilk"
+	-@erase "$(OUTDIR)\krb.lib"
+	-@erase "$(OUTDIR)\krb.pdb"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /Zi /Od /I "." /I "..\..\include" /I\
+ "..\..\include\win32" /I "..\des" /I "..\roken" /D "_DEBUG" /D "WIN32" /D\
+ "_WINDOWS" /D "HAVE_CONFIG_H" /Fp"$(INTDIR)\krb.pch" /YX /Fo"$(INTDIR)\\"\
+ /Fd"$(INTDIR)\\" /FD /c 
+CPP_OBJS=.\Debug/
+CPP_SBRS=.
+
+.c{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+MTL=midl.exe
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+RSC=rc.exe
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\krb.res" /d "_DEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\krb.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=..\roken\Debug\roken.lib ..\des\Debug\des.lib wsock32.lib\
+ kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib\
+ shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /subsystem:windows /dll\
+ /incremental:yes /pdb:"$(OUTDIR)\krb.pdb" /debug /machine:I386 /def:".\krb.def"\
+ /out:"$(OUTDIR)\krb.dll" /implib:"$(OUTDIR)\krb.lib" 
+DEF_FILE= \
+	".\krb.def"
+LINK32_OBJS= \
+	"$(INTDIR)\cr_err_reply.obj" \
+	"$(INTDIR)\create_auth_reply.obj" \
+	"$(INTDIR)\create_ciph.obj" \
+	"$(INTDIR)\create_ticket.obj" \
+	"$(INTDIR)\debug_decl.obj" \
+	"$(INTDIR)\decomp_ticket.obj" \
+	"$(INTDIR)\dllmain.obj" \
+	"$(INTDIR)\encrypt_ktext.obj" \
+	"$(INTDIR)\get_ad_tkt.obj" \
+	"$(INTDIR)\get_cred.obj" \
+	"$(INTDIR)\get_default_principal.obj" \
+	"$(INTDIR)\get_host.obj" \
+	"$(INTDIR)\get_in_tkt.obj" \
+	"$(INTDIR)\get_krbrlm.obj" \
+	"$(INTDIR)\get_svc_in_tkt.obj" \
+	"$(INTDIR)\get_tf_fullname.obj" \
+	"$(INTDIR)\get_tf_realm.obj" \
+	"$(INTDIR)\getaddrs.obj" \
+	"$(INTDIR)\getfile.obj" \
+	"$(INTDIR)\getrealm.obj" \
+	"$(INTDIR)\getst.obj" \
+	"$(INTDIR)\k_flock.obj" \
+	"$(INTDIR)\k_gethostname.obj" \
+	"$(INTDIR)\k_getport.obj" \
+	"$(INTDIR)\k_getsockinst.obj" \
+	"$(INTDIR)\k_localtime.obj" \
+	"$(INTDIR)\kdc_reply.obj" \
+	"$(INTDIR)\kntoln.obj" \
+	"$(INTDIR)\krb.res" \
+	"$(INTDIR)\krb_check_auth.obj" \
+	"$(INTDIR)\krb_equiv.obj" \
+	"$(INTDIR)\krb_err_txt.obj" \
+	"$(INTDIR)\krb_get_in_tkt.obj" \
+	"$(INTDIR)\lifetime.obj" \
+	"$(INTDIR)\logging.obj" \
+	"$(INTDIR)\lsb_addr_comp.obj" \
+	"$(INTDIR)\mk_auth.obj" \
+	"$(INTDIR)\mk_err.obj" \
+	"$(INTDIR)\mk_priv.obj" \
+	"$(INTDIR)\mk_req.obj" \
+	"$(INTDIR)\mk_safe.obj" \
+	"$(INTDIR)\month_sname.obj" \
+	"$(INTDIR)\name2name.obj" \
+	"$(INTDIR)\netread.obj" \
+	"$(INTDIR)\netwrite.obj" \
+	"$(INTDIR)\one.obj" \
+	"$(INTDIR)\parse_name.obj" \
+	"$(INTDIR)\rd_err.obj" \
+	"$(INTDIR)\rd_priv.obj" \
+	"$(INTDIR)\rd_req.obj" \
+	"$(INTDIR)\rd_safe.obj" \
+	"$(INTDIR)\read_service_key.obj" \
+	"$(INTDIR)\realm_parse.obj" \
+	"$(INTDIR)\recvauth.obj" \
+	"$(INTDIR)\rw.obj" \
+	"$(INTDIR)\save_credentials.obj" \
+	"$(INTDIR)\send_to_kdc.obj" \
+	"$(INTDIR)\sendauth.obj" \
+	"$(INTDIR)\stime.obj" \
+	"$(INTDIR)\str2key.obj" \
+	"$(INTDIR)\ticket_memory.obj" \
+	"$(INTDIR)\time.obj" \
+	"$(INTDIR)\tkt_string.obj" \
+	"$(INTDIR)\unparse_name.obj" \
+	"$(INTDIR)\util.obj" \
+	"$(INTDIR)\verify_user.obj" \
+	"..\des\Debug\des.lib"
+
+"$(OUTDIR)\krb.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+
+!IF "$(CFG)" == "krb - Win32 Release" || "$(CFG)" == "krb - Win32 Debug"
+SOURCE=.\cr_err_reply.c
+DEP_CPP_CR_ER=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\cr_err_reply.obj" : $(SOURCE) $(DEP_CPP_CR_ER) "$(INTDIR)"
+
+
+SOURCE=.\create_auth_reply.c
+DEP_CPP_CREAT=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\create_auth_reply.obj" : $(SOURCE) $(DEP_CPP_CREAT) "$(INTDIR)"
+
+
+SOURCE=.\create_ciph.c
+DEP_CPP_CREATE=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\create_ciph.obj" : $(SOURCE) $(DEP_CPP_CREATE) "$(INTDIR)"
+
+
+SOURCE=.\create_ticket.c
+DEP_CPP_CREATE_=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\create_ticket.obj" : $(SOURCE) $(DEP_CPP_CREATE_) "$(INTDIR)"
+
+
+SOURCE=.\debug_decl.c
+DEP_CPP_DEBUG=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\debug_decl.obj" : $(SOURCE) $(DEP_CPP_DEBUG) "$(INTDIR)"
+
+
+SOURCE=.\decomp_ticket.c
+DEP_CPP_DECOM=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\decomp_ticket.obj" : $(SOURCE) $(DEP_CPP_DECOM) "$(INTDIR)"
+
+
+SOURCE=.\dllmain.c
+DEP_CPP_DLLMA=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	".\ticket_memory.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\dllmain.obj" : $(SOURCE) $(DEP_CPP_DLLMA) "$(INTDIR)"
+
+
+SOURCE=.\encrypt_ktext.c
+DEP_CPP_ENCRY=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\encrypt_ktext.obj" : $(SOURCE) $(DEP_CPP_ENCRY) "$(INTDIR)"
+
+
+SOURCE=.\get_ad_tkt.c
+DEP_CPP_GET_A=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\get_ad_tkt.obj" : $(SOURCE) $(DEP_CPP_GET_A) "$(INTDIR)"
+
+
+SOURCE=.\get_cred.c
+DEP_CPP_GET_C=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\get_cred.obj" : $(SOURCE) $(DEP_CPP_GET_C) "$(INTDIR)"
+
+
+SOURCE=.\get_default_principal.c
+DEP_CPP_GET_D=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\get_default_principal.obj" : $(SOURCE) $(DEP_CPP_GET_D) "$(INTDIR)"
+
+
+SOURCE=.\get_host.c
+DEP_CPP_GET_H=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\get_host.obj" : $(SOURCE) $(DEP_CPP_GET_H) "$(INTDIR)"
+
+
+SOURCE=.\get_in_tkt.c
+DEP_CPP_GET_I=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\get_in_tkt.obj" : $(SOURCE) $(DEP_CPP_GET_I) "$(INTDIR)"
+
+
+SOURCE=.\get_krbrlm.c
+DEP_CPP_GET_K=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\get_krbrlm.obj" : $(SOURCE) $(DEP_CPP_GET_K) "$(INTDIR)"
+
+
+SOURCE=.\get_svc_in_tkt.c
+DEP_CPP_GET_S=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\get_svc_in_tkt.obj" : $(SOURCE) $(DEP_CPP_GET_S) "$(INTDIR)"
+
+
+SOURCE=.\get_tf_fullname.c
+DEP_CPP_GET_T=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\get_tf_fullname.obj" : $(SOURCE) $(DEP_CPP_GET_T) "$(INTDIR)"
+
+
+SOURCE=.\get_tf_realm.c
+DEP_CPP_GET_TF=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\get_tf_realm.obj" : $(SOURCE) $(DEP_CPP_GET_TF) "$(INTDIR)"
+
+
+SOURCE=.\getaddrs.c
+DEP_CPP_GETAD=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\getaddrs.obj" : $(SOURCE) $(DEP_CPP_GETAD) "$(INTDIR)"
+
+
+SOURCE=.\getfile.c
+DEP_CPP_GETFI=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\getfile.obj" : $(SOURCE) $(DEP_CPP_GETFI) "$(INTDIR)"
+
+
+SOURCE=.\getrealm.c
+DEP_CPP_GETRE=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	".\resolve.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\getrealm.obj" : $(SOURCE) $(DEP_CPP_GETRE) "$(INTDIR)"
+
+
+SOURCE=.\getst.c
+DEP_CPP_GETST=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\getst.obj" : $(SOURCE) $(DEP_CPP_GETST) "$(INTDIR)"
+
+
+SOURCE=.\k_flock.c
+DEP_CPP_K_FLO=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\k_flock.obj" : $(SOURCE) $(DEP_CPP_K_FLO) "$(INTDIR)"
+
+
+SOURCE=.\k_gethostname.c
+DEP_CPP_K_GET=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\k_gethostname.obj" : $(SOURCE) $(DEP_CPP_K_GET) "$(INTDIR)"
+
+
+SOURCE=.\k_getport.c
+DEP_CPP_K_GETP=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\k_getport.obj" : $(SOURCE) $(DEP_CPP_K_GETP) "$(INTDIR)"
+
+
+SOURCE=.\k_getsockinst.c
+DEP_CPP_K_GETS=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\k_getsockinst.obj" : $(SOURCE) $(DEP_CPP_K_GETS) "$(INTDIR)"
+
+
+SOURCE=.\k_localtime.c
+DEP_CPP_K_LOC=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\k_localtime.obj" : $(SOURCE) $(DEP_CPP_K_LOC) "$(INTDIR)"
+
+
+SOURCE=.\kdc_reply.c
+DEP_CPP_KDC_R=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\kdc_reply.obj" : $(SOURCE) $(DEP_CPP_KDC_R) "$(INTDIR)"
+
+
+SOURCE=.\kntoln.c
+DEP_CPP_KNTOL=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\kntoln.obj" : $(SOURCE) $(DEP_CPP_KNTOL) "$(INTDIR)"
+
+
+SOURCE=.\krb_check_auth.c
+DEP_CPP_KRB_C=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\krb_check_auth.obj" : $(SOURCE) $(DEP_CPP_KRB_C) "$(INTDIR)"
+
+
+SOURCE=.\krb_equiv.c
+DEP_CPP_KRB_E=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+
+
+"$(INTDIR)\krb_equiv.obj" : $(SOURCE) $(DEP_CPP_KRB_E) "$(INTDIR)"
+
+
+SOURCE=.\krb_err_txt.c
+DEP_CPP_KRB_ER=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\krb_err_txt.obj" : $(SOURCE) $(DEP_CPP_KRB_ER) "$(INTDIR)"
+
+
+SOURCE=.\krb_get_in_tkt.c
+DEP_CPP_KRB_G=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\krb_get_in_tkt.obj" : $(SOURCE) $(DEP_CPP_KRB_G) "$(INTDIR)"
+
+
+SOURCE=.\lifetime.c
+DEP_CPP_LIFET=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\lifetime.obj" : $(SOURCE) $(DEP_CPP_LIFET) "$(INTDIR)"
+
+
+SOURCE=.\logging.c
+DEP_CPP_LOGGI=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\klog.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\logging.obj" : $(SOURCE) $(DEP_CPP_LOGGI) "$(INTDIR)"
+
+
+SOURCE=.\lsb_addr_comp.c
+DEP_CPP_LSB_A=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-archaeology.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\lsb_addr_comp.obj" : $(SOURCE) $(DEP_CPP_LSB_A) "$(INTDIR)"
+
+
+SOURCE=.\mk_auth.c
+DEP_CPP_MK_AU=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\mk_auth.obj" : $(SOURCE) $(DEP_CPP_MK_AU) "$(INTDIR)"
+
+
+SOURCE=.\mk_err.c
+DEP_CPP_MK_ER=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\mk_err.obj" : $(SOURCE) $(DEP_CPP_MK_ER) "$(INTDIR)"
+
+
+SOURCE=.\mk_priv.c
+DEP_CPP_MK_PR=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-archaeology.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\mk_priv.obj" : $(SOURCE) $(DEP_CPP_MK_PR) "$(INTDIR)"
+
+
+SOURCE=.\mk_req.c
+DEP_CPP_MK_RE=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\mk_req.obj" : $(SOURCE) $(DEP_CPP_MK_RE) "$(INTDIR)"
+
+
+SOURCE=.\mk_safe.c
+DEP_CPP_MK_SA=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-archaeology.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\mk_safe.obj" : $(SOURCE) $(DEP_CPP_MK_SA) "$(INTDIR)"
+
+
+SOURCE=.\month_sname.c
+DEP_CPP_MONTH=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\month_sname.obj" : $(SOURCE) $(DEP_CPP_MONTH) "$(INTDIR)"
+
+
+SOURCE=.\name2name.c
+DEP_CPP_NAME2=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\name2name.obj" : $(SOURCE) $(DEP_CPP_NAME2) "$(INTDIR)"
+
+
+SOURCE=.\netread.c
+DEP_CPP_NETRE=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\netread.obj" : $(SOURCE) $(DEP_CPP_NETRE) "$(INTDIR)"
+
+
+SOURCE=.\netwrite.c
+DEP_CPP_NETWR=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\netwrite.obj" : $(SOURCE) $(DEP_CPP_NETWR) "$(INTDIR)"
+
+
+SOURCE=.\one.c
+
+"$(INTDIR)\one.obj" : $(SOURCE) "$(INTDIR)"
+
+
+SOURCE=.\parse_name.c
+DEP_CPP_PARSE=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\parse_name.obj" : $(SOURCE) $(DEP_CPP_PARSE) "$(INTDIR)"
+
+
+SOURCE=.\rd_err.c
+DEP_CPP_RD_ER=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\rd_err.obj" : $(SOURCE) $(DEP_CPP_RD_ER) "$(INTDIR)"
+
+
+SOURCE=.\rd_priv.c
+DEP_CPP_RD_PR=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-archaeology.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\rd_priv.obj" : $(SOURCE) $(DEP_CPP_RD_PR) "$(INTDIR)"
+
+
+SOURCE=.\rd_req.c
+DEP_CPP_RD_RE=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\rd_req.obj" : $(SOURCE) $(DEP_CPP_RD_RE) "$(INTDIR)"
+
+
+SOURCE=.\rd_safe.c
+DEP_CPP_RD_SA=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-archaeology.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+
+
+"$(INTDIR)\rd_safe.obj" : $(SOURCE) $(DEP_CPP_RD_SA) "$(INTDIR)"
+
+
+SOURCE=.\read_service_key.c
+DEP_CPP_READ_=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\read_service_key.obj" : $(SOURCE) $(DEP_CPP_READ_) "$(INTDIR)"
+
+
+SOURCE=.\realm_parse.c
+DEP_CPP_REALM=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\realm_parse.obj" : $(SOURCE) $(DEP_CPP_REALM) "$(INTDIR)"
+
+
+SOURCE=.\recvauth.c
+DEP_CPP_RECVA=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\recvauth.obj" : $(SOURCE) $(DEP_CPP_RECVA) "$(INTDIR)"
+
+
+SOURCE=.\resolve.c
+DEP_CPP_RESOL=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\resolve.obj" : $(SOURCE) $(DEP_CPP_RESOL) "$(INTDIR)"
+
+
+SOURCE=.\rw.c
+DEP_CPP_RW_C6a=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\..\include\win32\version.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+
+
+"$(INTDIR)\rw.obj" : $(SOURCE) $(DEP_CPP_RW_C6a) "$(INTDIR)"
+
+
+SOURCE=.\save_credentials.c
+DEP_CPP_SAVE_=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\save_credentials.obj" : $(SOURCE) $(DEP_CPP_SAVE_) "$(INTDIR)"
+
+
+SOURCE=.\send_to_kdc.c
+DEP_CPP_SEND_=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\base64.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\send_to_kdc.obj" : $(SOURCE) $(DEP_CPP_SEND_) "$(INTDIR)"
+
+
+SOURCE=.\sendauth.c
+DEP_CPP_SENDA=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\sendauth.obj" : $(SOURCE) $(DEP_CPP_SENDA) "$(INTDIR)"
+
+
+SOURCE=.\stime.c
+DEP_CPP_STIME=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\stime.obj" : $(SOURCE) $(DEP_CPP_STIME) "$(INTDIR)"
+
+
+SOURCE=.\str2key.c
+DEP_CPP_STR2K=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+
+
+"$(INTDIR)\str2key.obj" : $(SOURCE) $(DEP_CPP_STR2K) "$(INTDIR)"
+
+
+SOURCE=.\ticket_memory.c
+DEP_CPP_TICKE=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	".\ticket_memory.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\ticket_memory.obj" : $(SOURCE) $(DEP_CPP_TICKE) "$(INTDIR)"
+
+
+SOURCE=.\time.c
+DEP_CPP_TIME_=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+
+
+"$(INTDIR)\time.obj" : $(SOURCE) $(DEP_CPP_TIME_) "$(INTDIR)"
+
+
+SOURCE=.\tkt_string.c
+DEP_CPP_TKT_S=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\tkt_string.obj" : $(SOURCE) $(DEP_CPP_TKT_S) "$(INTDIR)"
+
+
+SOURCE=.\unparse_name.c
+DEP_CPP_UNPAR=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\unparse_name.obj" : $(SOURCE) $(DEP_CPP_UNPAR) "$(INTDIR)"
+
+
+SOURCE=.\util.c
+DEP_CPP_UTIL_=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\util.obj" : $(SOURCE) $(DEP_CPP_UTIL_) "$(INTDIR)"
+
+
+SOURCE=.\verify_user.c
+DEP_CPP_VERIF=\
+	"..\..\include\protos.h"\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\ktypes.h"\
+	"..\..\include\win32\roken.h"\
+	"..\des\des.h"\
+	"..\roken\err.h"\
+	"..\roken\roken-common.h"\
+	".\krb-protos.h"\
+	".\krb.h"\
+	".\krb_locl.h"\
+	".\krb_log.h"\
+	".\prot.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\verify_user.obj" : $(SOURCE) $(DEP_CPP_VERIF) "$(INTDIR)"
+
+
+SOURCE=.\krb.rc
+
+"$(INTDIR)\krb.res" : $(SOURCE) "$(INTDIR)"
+	$(RSC) $(RSC_PROJ) $(SOURCE)
+	
+
+!IF  "$(CFG)" == "krb - Win32 Release"
+
+"des - Win32 Release" : 
+   cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\des"
+   $(MAKE) /$(MAKEFLAGS) /F ".\des.mak" CFG="des - Win32 Release" 
+   cd "..\krb"
+
+"des - Win32 ReleaseCLEAN" : 
+   cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\des"
+   $(MAKE) /$(MAKEFLAGS) CLEAN /F ".\des.mak" CFG="des - Win32 Release"\
+ RECURSE=1 
+   cd "..\krb"
+
+!ELSEIF  "$(CFG)" == "krb - Win32 Debug"
+
+"des - Win32 Debug" : 
+   cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\des"
+   $(MAKE) /$(MAKEFLAGS) /F ".\des.mak" CFG="des - Win32 Debug" 
+   cd "..\krb"
+
+"des - Win32 DebugCLEAN" : 
+   cd "\tmp\wirus-krb\krb4-pre-0.9.9\lib\des"
+   $(MAKE) /$(MAKEFLAGS) CLEAN /F ".\des.mak" CFG="des - Win32 Debug" RECURSE=1\
+	
+   cd "..\krb"
+
+!ENDIF 
+
+
+!ENDIF 
+
diff --git a/crypto/kerberosIV/lib/krb/krb.rc b/crypto/kerberosIV/lib/krb/krb.rc
new file mode 100644
index 0000000..413e706
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb.rc
@@ -0,0 +1,105 @@
+//Microsoft Developer Studio generated resource script.
+//
+#include "resource.h"
+
+#define APSTUDIO_READONLY_SYMBOLS
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 2 resource.
+//
+#include "afxres.h"
+
+/////////////////////////////////////////////////////////////////////////////
+#undef APSTUDIO_READONLY_SYMBOLS
+
+/////////////////////////////////////////////////////////////////////////////
+// Swedish resources
+
+#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_SVE)
+#ifdef _WIN32
+LANGUAGE LANG_SWEDISH, SUBLANG_DEFAULT
+#pragma code_page(1252)
+#endif //_WIN32
+
+#ifdef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// TEXTINCLUDE
+//
+
+1 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "resource.h\0"
+END
+
+2 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "#include ""afxres.h""\r\n"
+    "\0"
+END
+
+3 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "\r\n"
+    "\0"
+END
+
+#endif    // APSTUDIO_INVOKED
+
+
+#ifndef _MAC
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION 1,0,0,1
+ PRODUCTVERSION 1,0,0,1
+ FILEFLAGSMASK 0x3fL
+#ifdef _DEBUG
+ FILEFLAGS 0x1L
+#else
+ FILEFLAGS 0x0L
+#endif
+ FILEOS 0x40004L
+ FILETYPE 0x2L
+ FILESUBTYPE 0x0L
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904b0"
+        BEGIN
+            VALUE "CompanyName", "Royal Institute of Technology (KTH)\0"
+            VALUE "FileDescription", "krb\0"
+            VALUE "FileVersion", "4, 0, 9, 9\0"
+            VALUE "InternalName", "krb\0"
+            VALUE "LegalCopyright", "Copyright © 1996 - 1998  Royal Institute of Technology (KTH)\0"
+            VALUE "OriginalFilename", "krb.dll\0"
+            VALUE "ProductName", "KTH Kerberos\0"
+            VALUE "ProductVersion", "4,0,9,9\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
+
+#endif    // !_MAC
+
+#endif    // Swedish resources
+/////////////////////////////////////////////////////////////////////////////
+
+
+
+#ifndef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 3 resource.
+//
+
+
+/////////////////////////////////////////////////////////////////////////////
+#endif    // not APSTUDIO_INVOKED
+
diff --git a/crypto/kerberosIV/lib/krb/krb_check_auth.c b/crypto/kerberosIV/lib/krb/krb_check_auth.c
new file mode 100644
index 0000000..f20b5c2
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb_check_auth.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: krb_check_auth.c,v 1.5 1999/12/02 16:58:42 joda Exp $");
+
+/*
+ *
+ * Receive an mutual-authenticator for a server in `packet', with
+ * `checksum', `session', and `schedule' having the appropriate values
+ * and return the data in `msg_data'.
+ *
+ * Return KSUCCESS if the received checksum is correct.
+ *
+ */
+
+int
+krb_check_auth(KTEXT packet,
+	       u_int32_t checksum,
+	       MSG_DAT *msg_data,
+	       des_cblock *session,
+	       struct des_ks_struct *schedule,
+	       struct sockaddr_in *laddr,
+	       struct sockaddr_in *faddr)
+{
+  int ret;
+  u_int32_t checksum2;
+
+  ret = krb_rd_priv (packet->dat, packet->length, schedule, session, faddr,
+		     laddr, msg_data);
+  if (ret != RD_AP_OK)
+    return ret;
+  if (msg_data->app_length != 4)
+    return KFAILURE;
+  krb_get_int (msg_data->app_data, &checksum2, 4, 0);
+  if (checksum2 == checksum + 1)
+    return KSUCCESS;
+  else
+    return KFAILURE;
+}
diff --git a/crypto/kerberosIV/lib/krb/krb_equiv.c b/crypto/kerberosIV/lib/krb/krb_equiv.c
new file mode 100644
index 0000000..271d422
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb_equiv.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * int krb_equiv(u_int32_t ipaddr_a, u_int32_t ipaddr_b);
+ *
+ * Given two IP adresses return true if they match
+ * or are considered to belong to the same host.
+ *
+ * For example if /etc/krb.equiv looks like
+ *
+ *    130.237.223.3   192.16.126.3    # alv alv1
+ *    130.237.223.4   192.16.126.4    # byse byse1
+ *    130.237.228.152 192.16.126.9    # topsy topsy1
+ *
+ * krb_equiv(alv, alv1) would return true but
+ * krb_equiv(alv, byse1) would not.
+ *
+ * A comment starts with an '#' and ends with '\n'.
+ *
+ */
+#include "krb_locl.h"
+
+RCSID("$Id: krb_equiv.c,v 1.15 1999/12/02 16:58:42 joda Exp $");
+
+int krb_ignore_ip_address = 0;
+
+int
+krb_equiv(u_int32_t a, u_int32_t b)
+{
+  FILE *fil;
+  char line[256];
+  int hit_a, hit_b;
+  int iscomment;
+  
+  if (a == b)			/* trivial match, also the common case */
+    return 1;
+  
+  if (krb_ignore_ip_address)
+    return 1;			/* if we have decided not to compare */
+
+  a = ntohl(a);
+  b = ntohl(b);
+
+  fil = fopen(KRB_EQUIV, "r");
+  if (fil == NULL)		/* open failed */
+    return 0;
+  
+  hit_a = hit_b = 0;
+  iscomment = 0;
+  while (fgets(line, sizeof(line)-1, fil) != NULL) /* for each line */
+    {
+      char *t = line;
+      int len = strlen(t);
+      
+      /* for each item on this line */
+      while (*t != 0)		/* more addresses on this line? */
+	if (*t == '\n') {
+	  iscomment = hit_a = hit_b = 0;
+	  break;
+	} else if (iscomment)
+	  t = line + len - 1;
+	else if (*t == '#') {		/* rest is comment */
+	  iscomment = 1;
+	  ++t;
+	} else if (*t == '\\' ) /* continuation */
+	  break;
+	else if (isspace((unsigned char)*t))	/* skip space */
+	  t++;
+	else if (isdigit((unsigned char)*t))	/* an address? */
+	  {
+	    u_int32_t tmp;
+	    u_int32_t tmpa, tmpb, tmpc, tmpd;
+	    
+	    sscanf(t, "%d.%d.%d.%d", &tmpa, &tmpb, &tmpc, &tmpd);
+	    tmp = (tmpa << 24) | (tmpb << 16) | (tmpc << 8) | tmpd;
+
+	    /* done with this address */
+	    while (*t == '.' || isdigit((unsigned char)*t))
+	      t++;
+
+	    if (tmp != -1) {	/* an address (and not broadcast) */
+	      u_int32_t mask = (u_int32_t)~0;
+
+	      if (*t == '/') {
+		++t;
+		mask <<= 32 - atoi(t);
+
+		while(isdigit((unsigned char)*t))
+		  ++t;
+	      }
+
+	      if ((tmp & mask) == (a & mask))
+		hit_a = 1;
+	      if ((tmp & mask) == (b & mask))
+		hit_b = 1;
+	      if (hit_a && hit_b) {
+		fclose(fil);
+		return 1;
+	      }
+	    }
+	  }
+	else
+	  ++t;		/* garbage on this line, skip it */
+
+    }
+
+  fclose(fil);
+  return 0;
+}
diff --git a/crypto/kerberosIV/lib/krb/krb_err.et b/crypto/kerberosIV/lib/krb/krb_err.et
new file mode 100644
index 0000000..9dce192
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb_err.et
@@ -0,0 +1,65 @@
+#	Copyright 1987,1988 Massachusetts Institute of Technology
+#
+#	For copying and distribution information, see the file
+#	"mit-copyright.h".
+# 
+# This might look like a com_err file, but is not
+#
+id "$Id: krb_err.et,v 1.7 1998/03/29 14:19:52 bg Exp $"
+
+error_table krb
+
+prefix KRBET
+ec KSUCCESS,		"Kerberos successful"
+ec KDC_NAME_EXP,	"Kerberos principal expired"
+ec KDC_SERVICE_EXP,	"Kerberos service expired"
+ec KDC_AUTH_EXP,	"Kerberos auth expired"
+ec KDC_PKT_VER,		"Incorrect kerberos master key version"
+ec KDC_P_MKEY_VER,	"Incorrect kerberos master key version"
+ec KDC_S_MKEY_VER,	"Incorrect kerberos master key version"
+ec KDC_BYTE_ORDER,	"Kerberos error: byte order unknown"
+ec KDC_PR_UNKNOWN,	"Kerberos principal unknown"
+ec KDC_PR_N_UNIQUE,	"Kerberos principal not unique"
+ec KDC_NULL_KEY,	"Kerberos principal has null key"
+index 20
+ec KDC_GEN_ERR,		"Generic error from Kerberos KDC"
+ec GC_TKFIL,		"Can't read Kerberos ticket file"
+ec GC_NOTKT,		"Can't find Kerberos ticket or TGT"
+index 26
+ec MK_AP_TGTEXP,	"Kerberos TGT Expired"
+index 31
+ec RD_AP_UNDEC,		"Kerberos error: Can't decode authenticator"
+ec RD_AP_EXP,		"Kerberos ticket expired"
+ec RD_AP_NYV,		"Kerberos ticket not yet valid"
+ec RD_AP_REPEAT,	"Kerberos error: Repeated request"
+ec RD_AP_NOT_US,	"The kerberos ticket isn't for us"
+ec RD_AP_INCON,		"Kerberos request inconsistent"
+ec RD_AP_TIME,		"Kerberos error: delta_t too big"
+ec RD_AP_BADD,		"Kerberos error: incorrect net address"
+ec RD_AP_VERSION,	"Kerberos protocol version mismatch"
+ec RD_AP_MSG_TYPE,	"Kerberos error: invalid msg type"
+ec RD_AP_MODIFIED,	"Kerberos error: message stream modified"
+ec RD_AP_ORDER,		"Kerberos error: message out of order"
+ec RD_AP_UNAUTHOR,	"Kerberos error: unauthorized request"
+index 51
+ec GT_PW_NULL,		"Kerberos error: current PW is null"
+ec GT_PW_BADPW,		"Kerberos error: Incorrect current password"
+ec GT_PW_PROT,		"Kerberos protocol error"
+ec GT_PW_KDCERR,	"Error returned by Kerberos KDC"
+ec GT_PW_NULLTKT,	"Null Kerberos ticket returned by KDC"
+ec SKDC_RETRY,		"Kerberos error: Retry count exceeded"
+ec SKDC_CANT,		"Kerberos error: Can't send request"
+index 61
+ec INTK_W_NOTALL,	"Kerberos error: not all tickets returned"
+ec INTK_BADPW,		"Kerberos error: incorrect password"
+ec INTK_PROT,		"Kerberos error: Protocol Error"
+index 70
+ec INTK_ERR,		"Other error"
+ec AD_NOTGT,		"Don't have Kerberos ticket-granting ticket"
+index 76
+ec NO_TKT_FIL,		"No ticket file found"
+ec TKT_FIL_ACC,		"Couldn't access ticket file"
+ec TKT_FIL_LCK,		"Couldn't lock ticket file"
+ec TKT_FIL_FMT,		"Bad ticket file format"
+ec TKT_FIL_INI,		"tf_init not called first"
+ec KNAME_FMT,		"Bad Kerberos name format"
diff --git a/crypto/kerberosIV/lib/krb/krb_err_txt.c b/crypto/kerberosIV/lib/krb/krb_err_txt.c
new file mode 100644
index 0000000..cb6cd13
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb_err_txt.c
@@ -0,0 +1,299 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: krb_err_txt.c,v 1.13 1998/01/31 08:11:52 joda Exp $");
+
+/*
+ * This file contains an array of error text strings.
+ * The associated error codes (which are defined in "krb.h")
+ * follow the string in the comments at the end of each line.
+ */
+
+const char *krb_err_txt[256] = {
+  "OK",							/* 000 */
+  "Principal expired (kerberos)",			/* 001 */
+  "Service expired (kerberos)",				/* 002 */
+  "Authentication expired (kerberos)",			/* 003 */
+  "Unknown protocol version number (kerberos)", 	/* 004 */
+  "Principal: Incorrect master key version (kerberos)", /* 005 */
+  "Service: Incorrect master key version (kerberos)",   /* 006 */
+  "Bad byte order (kerberos)",				/* 007 */
+  "Principal unknown (kerberos)",			/* 008 */
+  "Principal not unique (kerberos)",			/* 009 */
+  "Principal has null key (kerberos)",			/* 010 */
+  "Timeout in request (kerberos)",			/* 011 */
+  "Reserved error message 12 (kerberos)",		/* 012 */
+  "Reserved error message 13 (kerberos)",		/* 013 */
+  "Reserved error message 14 (kerberos)",		/* 014 */
+  "Reserved error message 15 (kerberos)",		/* 015 */
+  "Reserved error message 16 (kerberos)",		/* 016 */
+  "Reserved error message 17 (kerberos)",		/* 017 */
+  "Reserved error message 18 (kerberos)",		/* 018 */
+  "Reserved error message 19 (kerberos)",		/* 019 */
+  "Permission Denied (kerberos)",			/* 020 */
+  "Can't read ticket file (krb_get_cred)",		/* 021 */
+  "Can't find ticket (krb_get_cred)",			/* 022 */
+  "Reserved error message 23 (krb_get_cred)",		/* 023 */
+  "Reserved error message 24 (krb_get_cred)",		/* 024 */
+  "Reserved error message 25 (krb_get_cred)",		/* 025 */
+  "Ticket granting ticket expired (krb_mk_req)",	/* 026 */
+  "Reserved error message 27 (krb_mk_req)",		/* 027 */
+  "Reserved error message 28 (krb_mk_req)",		/* 028 */
+  "Reserved error message 29 (krb_mk_req)",		/* 029 */
+  "Reserved error message 30 (krb_mk_req)",		/* 030 */
+  "Can't decode authenticator (krb_rd_req)",		/* 031 */
+  "Ticket expired (krb_rd_req)",			/* 032 */
+  "Ticket issue date too far in the future (krb_rd_req)",/* 033 */
+  "Repeat request (krb_rd_req)",			/* 034 */
+  "Ticket for wrong server (krb_rd_req)",		/* 035 */
+  "Request inconsistent (krb_rd_req)",			/* 036 */
+  "Time is out of bounds (krb_rd_req)",			/* 037 */
+  "Incorrect network address (krb_rd_req)",		/* 038 */
+  "Protocol version mismatch (krb_rd_req)",		/* 039 */
+  "Invalid message type (krb_rd_req)",			/* 040 */
+  "Message integrity error (krb_rd_req)",		/* 041 */
+  "Message duplicate or out of order (krb_rd_req)",	/* 042 */
+  "Unauthorized request (krb_rd_req)",			/* 043 */
+  "Reserved error message 44 (krb_rd_req)",		/* 044 */
+  "Reserved error message 45 (krb_rd_req)",		/* 045 */
+  "Reserved error message 46 (krb_rd_req)",		/* 046 */
+  "Reserved error message 47 (krb_rd_req)",		/* 047 */
+  "Reserved error message 48 (krb_rd_req)",		/* 048 */
+  "Reserved error message 49 (krb_rd_req)",		/* 049 */
+  "Reserved error message 50 (krb_rd_req)",		/* 050 */
+  "Current password is NULL (get_pw_tkt)",		/* 051 */
+  "Current password incorrect (get_pw_tkt)",		/* 052 */
+  "Protocol error (gt_pw_tkt)",				/* 053 */
+  "Error returned by KDC (gt_pw_tkt)",			/* 054 */
+  "Null ticket returned by KDC (gt_pw_tkt)",		/* 055 */
+  "Retry count exceeded (send_to_kdc)",			/* 056 */
+  "Can't send request (send_to_kdc)",			/* 057 */
+  "Reserved error message 58 (send_to_kdc)",		/* 058 */
+  "Reserved error message 59 (send_to_kdc)",		/* 059 */
+  "Reserved error message 60 (send_to_kdc)",		/* 060 */
+  "Warning: Not ALL tickets returned",			/* 061 */
+  "Password incorrect",					/* 062 */
+  "Protocol error (get_in_tkt)",			/* 063 */
+  "Reserved error message 64 (get_in_tkt)",		/* 064 */
+  "Reserved error message 65 (get_in_tkt)",		/* 065 */
+  "Reserved error message 66 (get_in_tkt)",		/* 066 */
+  "Reserved error message 67 (get_in_tkt)",		/* 067 */
+  "Reserved error message 68 (get_in_tkt)",		/* 068 */
+  "Reserved error message 69 (get_in_tkt)",		/* 069 */
+  "Generic error (get_in_tkt)(can't write ticket file)", /* 070 */
+  "Don't have ticket granting ticket (get_ad_tkt)",	/* 071 */
+  "Can't get inter-realm ticket granting ticket (get_ad_tkt)",	/* 072 */
+  "Reserved error message 73 (get_ad_tkt)",		/* 073 */
+  "Reserved error message 74 (get_ad_tkt)",		/* 074 */
+  "Reserved error message 75 (get_ad_tkt)",		/* 075 */
+  "No ticket file (tf_util)",				/* 076 */
+  "Can't access ticket file (tf_util)",			/* 077 */
+  "Can't lock ticket file; try later (tf_util)",	/* 078 */
+  "Bad ticket file format (tf_util)",			/* 079 */
+  "Read ticket file before tf_init (tf_util)",		/* 080 */
+  "Bad Kerberos name format (kname_parse)",		/* 081 */
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "(reserved)",
+  "Generic kerberos error (kfailure)",			/* 255 */
+};
+
+static const char err_failure[] = "Unknown error code passed (krb_get_err_text)";
+
+const char *
+krb_get_err_text(int code)
+{
+  if(code < 0 || code >= MAX_KRB_ERRORS)
+    return err_failure;
+  return krb_err_txt[code];
+}
diff --git a/crypto/kerberosIV/lib/krb/krb_get_in_tkt.c b/crypto/kerberosIV/lib/krb/krb_get_in_tkt.c
new file mode 100644
index 0000000..46de59f
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb_get_in_tkt.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: krb_get_in_tkt.c,v 1.30 1999/12/02 16:58:42 joda Exp $");
+
+/*
+ * decrypt_tkt(): Given user, instance, realm, passwd, key_proc
+ * and the cipher text sent from the KDC, decrypt the cipher text
+ * using the key returned by key_proc.
+ */
+
+static int
+decrypt_tkt(const char *user,
+	    char *instance,
+	    const char *realm,
+	    const void *arg,
+	    key_proc_t key_proc,
+	    KTEXT *cip)
+{
+    des_cblock key;		/* Key for decrypting cipher */
+    int ret;
+
+    ret = key_proc(user, instance, realm, arg, &key);
+    if (ret != 0)
+	return ret;
+    
+    encrypt_ktext(*cip, &key, DES_DECRYPT);
+
+    memset(&key, 0, sizeof(key));
+    return 0;
+}
+
+/*
+ * krb_get_in_tkt() gets a ticket for a given principal to use a given
+ * service and stores the returned ticket and session key for future
+ * use.
+ *
+ * The "user", "instance", and "realm" arguments give the identity of
+ * the client who will use the ticket.  The "service" and "sinstance"
+ * arguments give the identity of the server that the client wishes
+ * to use.  (The realm of the server is the same as the Kerberos server
+ * to whom the request is sent.)  The "life" argument indicates the
+ * desired lifetime of the ticket; the "key_proc" argument is a pointer
+ * to the routine used for getting the client's private key to decrypt
+ * the reply from Kerberos.  The "decrypt_proc" argument is a pointer
+ * to the routine used to decrypt the reply from Kerberos; and "arg"
+ * is an argument to be passed on to the "key_proc" routine.
+ *
+ * If all goes well, krb_get_in_tkt() returns INTK_OK, otherwise it
+ * returns an error code:  If an AUTH_MSG_ERR_REPLY packet is returned
+ * by Kerberos, then the error code it contains is returned.  Other
+ * error codes returned by this routine include INTK_PROT to indicate
+ * wrong protocol version, INTK_BADPW to indicate bad password (if
+ * decrypted ticket didn't make sense), INTK_ERR if the ticket was for
+ * the wrong server or the ticket store couldn't be initialized.
+ *
+ * The format of the message sent to Kerberos is as follows:
+ *
+ * Size			Variable		Field
+ * ----			--------		-----
+ *
+ * 1 byte		KRB_PROT_VERSION	protocol version number
+ * 1 byte		AUTH_MSG_KDC_REQUEST |	message type
+ *			HOST_BYTE_ORDER		local byte order in lsb
+ * string		user			client's name
+ * string		instance		client's instance
+ * string		realm			client's realm
+ * 4 bytes		tlocal.tv_sec		timestamp in seconds
+ * 1 byte		life			desired lifetime
+ * string		service			service's name
+ * string		sinstance		service's instance
+ */
+
+int
+krb_mk_as_req(const char *user,
+	      const char *instance,
+	      const char *realm, 
+	      const char *service,
+	      const char *sinstance,
+	      int life,
+	      KTEXT cip)
+{
+    KTEXT_ST pkt_st;
+    KTEXT pkt = &pkt_st;	/* Packet to KDC */
+    KTEXT_ST rpkt_st;
+    KTEXT rpkt = &rpkt_st;	/* Reply from KDC */
+    
+    int kerror;
+    struct timeval tv;
+
+    /* BUILD REQUEST PACKET */
+
+    unsigned char *p = pkt->dat;
+    int tmp;
+    size_t rem = sizeof(pkt->dat);
+    
+    tmp = krb_put_int(KRB_PROT_VERSION, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(AUTH_MSG_KDC_REQUEST, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_nir(user, instance, realm, p, rem);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    gettimeofday(&tv, NULL);
+    tmp = krb_put_int(tv.tv_sec, p, rem, 4);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(life, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_nir(service, sinstance, NULL, p, rem);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    pkt->length = p - pkt->dat;
+
+    rpkt->length = 0;
+
+    /* SEND THE REQUEST AND RECEIVE THE RETURN PACKET */
+
+    kerror = send_to_kdc(pkt, rpkt, realm);
+    if(kerror) return kerror;
+    kerror = kdc_reply_cipher(rpkt, cip);
+    return kerror;
+}
+
+int
+krb_decode_as_rep(const char *user,
+		  char *instance,
+		  const char *realm,
+		  const char *service,
+		  const char *sinstance, 
+		  key_proc_t key_proc,
+		  decrypt_proc_t decrypt_proc,
+		  const void *arg,
+		  KTEXT as_rep,
+		  CREDENTIALS *cred)
+{
+    int kerror;
+    time_t now;
+    
+    if (decrypt_proc == NULL)
+        decrypt_tkt(user, instance, realm, arg, key_proc, &as_rep);
+    else
+        (*decrypt_proc)(user, instance, realm, arg, key_proc, &as_rep);
+
+    kerror = kdc_reply_cred(as_rep, cred);
+    if(kerror != KSUCCESS)
+	return kerror;
+	
+    if (strcmp(cred->service, service) || 
+	strcmp(cred->instance, sinstance) ||
+	strcmp(cred->realm, realm))	/* not what we asked for */
+	return INTK_ERR;	/* we need a better code here XXX */
+
+    now = time(NULL);
+    if(krb_get_config_bool("kdc_timesync"))
+	krb_set_kdc_time_diff(cred->issue_date - now);
+    else if (abs((int)(now - cred->issue_date)) > CLOCK_SKEW)
+	return RD_AP_TIME; /* XXX should probably be better code */
+
+    return 0;
+}
+
+int
+krb_get_in_tkt(char *user, char *instance, char *realm, 
+	       char *service, char *sinstance, int life,
+	       key_proc_t key_proc, decrypt_proc_t decrypt_proc, void *arg)
+{
+    KTEXT_ST as_rep;
+    CREDENTIALS cred;
+    int ret;
+
+    ret = krb_mk_as_req(user, instance, realm, 
+			service, sinstance, life, &as_rep);
+    if(ret)
+	return ret;
+    ret = krb_decode_as_rep(user, instance, realm, service, sinstance, 
+			    key_proc, decrypt_proc, arg, &as_rep, &cred);
+    if(ret)
+	return ret;
+
+    return tf_setup(&cred, user, instance);
+}
diff --git a/crypto/kerberosIV/lib/krb/krb_ip_realm.c b/crypto/kerberosIV/lib/krb/krb_ip_realm.c
new file mode 100644
index 0000000..a9581f1
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb_ip_realm.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 1999 Thomas Nyström and Stacken Computer Club
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: krb_ip_realm.c,v 1.2.2.1 1999/12/06 23:01:12 assar Exp $");
+
+/*
+ * Obtain a ticket for ourselves (`user.instance') in REALM and decrypt
+ * it using `password' to verify the address that the KDC got our
+ * request from.
+ * Store in the ticket cache.
+ */
+
+int
+krb_add_our_ip_for_realm(const char *user, const char *instance,
+			 const char *realm, const char *password)
+{
+    des_cblock newkey;
+    des_key_schedule schedule;
+    char scrapbuf[1024];
+    struct in_addr myAddr;
+    KTEXT_ST ticket;
+    CREDENTIALS c;
+    int err;
+    u_int32_t addr;
+
+    if ((err = krb_mk_req(&ticket, (char *)user, (char *)instance,
+			  (char *)realm, 0)) != KSUCCESS)
+	return err;
+
+    if ((err = krb_get_cred((char *)user, (char *)instance, (char *)realm,
+			    &c)) != KSUCCESS)
+	return err;
+
+    des_string_to_key((char *)password, &newkey);
+    des_set_key(&newkey, schedule);
+    err = decomp_ticket(&c.ticket_st,
+			(unsigned char *)scrapbuf, /* Flags */
+			scrapbuf,	/* Authentication name */
+			scrapbuf,	/* Principal's instance */
+			scrapbuf,	/* Principal's authentication domain */
+			/* The Address Of Me That Servers Sees */
+			(u_int32_t *)&addr,
+			(unsigned char *)scrapbuf, /* Session key in ticket */
+			(int *)scrapbuf, /* Lifetime of ticket */
+			(u_int32_t *)scrapbuf, /* Issue time and date */
+			scrapbuf,	/* Service name */
+			scrapbuf,	/* Service instance */
+			&newkey,	/* Secret key */
+			schedule	/* Precomp. key schedule */
+	);
+	
+    if (err != KSUCCESS) {
+	memset(newkey, 0, sizeof(newkey));
+	memset(schedule, 0, sizeof(schedule));
+	return err;
+    }
+
+    myAddr.s_addr = addr;
+
+    err = tf_store_addr(realm, &myAddr);
+
+    memset(newkey, 0, sizeof(newkey));
+    memset(schedule, 0, sizeof(schedule));
+
+    return err;
+}
+
+int
+krb_get_our_ip_for_realm(const char *realm, struct in_addr *ip_addr)
+{
+    return tf_get_addr(realm, ip_addr);
+}
diff --git a/crypto/kerberosIV/lib/krb/krb_locl.h b/crypto/kerberosIV/lib/krb/krb_locl.h
new file mode 100644
index 0000000..02e7fa2
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb_locl.h
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: krb_locl.h,v 1.50 1999/12/02 16:58:42 joda Exp $ */
+
+#ifndef __krb_locl_h
+#define __krb_locl_h
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "protos.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <assert.h>
+#include <stdarg.h>
+
+#include <errno.h>
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef HAVE_IO_H
+#include <io.h>
+#endif
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+#ifdef HAVE_WINSOCK_H
+#include <winsock.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+
+#endif
+
+#include <roken.h>
+
+#include <krb.h>
+#include <prot.h>
+
+#include "resolve.h"
+#include "krb_log.h"
+
+/* --- */
+
+/* Utils */
+int
+krb_name_to_name __P((
+	const char *host,
+	char *phost,
+	size_t phost_size));
+
+void
+encrypt_ktext __P((
+	KTEXT cip,
+	des_cblock *key,
+	int encrypt));
+
+int
+kdc_reply_cipher __P((
+	KTEXT reply,
+	KTEXT cip));
+
+int
+kdc_reply_cred __P((
+	KTEXT cip,
+	CREDENTIALS *cred));
+
+void
+k_ricercar __P((char *name));
+
+
+/* used in rd_safe.c and mk_safe.c */
+
+void
+fixup_quad_cksum __P((
+	void *start,
+	size_t len,
+	des_cblock *key,
+	void *new_checksum,
+	void *old_checksum,
+	int little));
+
+void
+krb_kdctimeofday __P((struct timeval *tv));
+
+#endif /*  __krb_locl_h */
diff --git a/crypto/kerberosIV/lib/krb/krb_log.h b/crypto/kerberosIV/lib/krb/krb_log.h
new file mode 100644
index 0000000..5155bc7
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb_log.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: krb_log.h,v 1.3 1999/12/02 16:58:42 joda Exp $ */
+
+#include <krb.h>
+
+#ifndef __KRB_LOG_H__
+#define __KRB_LOG_H__
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(X)
+#endif
+
+__BEGIN_DECLS
+
+/* logging.c */
+
+typedef int (*krb_log_func_t) __P((FILE *, const char *, va_list));
+
+typedef krb_log_func_t krb_warnfn_t;
+
+struct krb_log_facility;
+
+int krb_vlogger __P((struct krb_log_facility*, const char *, va_list)) 
+	__attribute__ ((format (printf, 2, 0)));
+int krb_logger __P((struct krb_log_facility*, const char *, ...))
+	__attribute__ ((format (printf, 2, 3)));
+int krb_openlog __P((struct krb_log_facility*, char*, FILE*, krb_log_func_t));
+
+void krb_set_warnfn  __P((krb_warnfn_t));
+krb_warnfn_t krb_get_warnfn  __P((void));
+void krb_warning  __P((const char*, ...))
+	__attribute__ ((format (printf, 1, 2)));
+
+void kset_logfile __P((char*));
+void krb_log __P((const char*, ...))
+	__attribute__ ((format (printf, 1, 2)));
+char *klog __P((int, const char*, ...))
+	__attribute__ ((format (printf, 2, 3)));
+
+__END_DECLS
+
+#endif /* __KRB_LOG_H__ */
diff --git a/crypto/kerberosIV/lib/krb/krb_net_read.c b/crypto/kerberosIV/lib/krb/krb_net_read.c
new file mode 100644
index 0000000..3830cf9
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb_net_read.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: krb_net_read.c,v 1.3 1999/12/02 16:58:42 joda Exp $");
+
+int
+krb_net_read (int fd, void *buf, size_t nbytes)
+{
+    return net_read (fd, buf, nbytes);
+}
diff --git a/crypto/kerberosIV/lib/krb/krb_net_write.c b/crypto/kerberosIV/lib/krb/krb_net_write.c
new file mode 100644
index 0000000..0473685
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/krb_net_write.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: krb_net_write.c,v 1.3 1999/12/02 16:58:42 joda Exp $");
+
+int
+krb_net_write (int fd, const void *buf, size_t nbytes)
+{
+    return net_write (fd, buf, nbytes);
+}
diff --git a/crypto/kerberosIV/lib/krb/kuserok.c b/crypto/kerberosIV/lib/krb/kuserok.c
new file mode 100644
index 0000000..4913eaf
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/kuserok.c
@@ -0,0 +1,169 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: kuserok.c,v 1.25 1999/12/02 16:58:42 joda Exp $");
+
+#define OK 0
+#define NOTOK 1
+#define MAX_USERNAME 10
+
+/*
+ * Return OK if `r' is one of the local realms, else NOTOK
+ */
+
+static int
+is_local_realm (const char *r)
+{
+    char lrealm[REALM_SZ];
+    int n;
+
+    for (n = 1; krb_get_lrealm(lrealm, n) == KSUCCESS; ++n) {
+	if (strcmp (r, lrealm) == 0)
+	    return OK;
+    }
+    return NOTOK;
+}
+
+/* 
+ * Given a Kerberos principal and a local username, determine whether
+ * user is authorized to login according to the authorization file
+ * ("~luser/.klogin" by default).  Returns OK if authorized, NOTOK if
+ * not authorized.
+ *
+ * IMPORTANT CHANGE: To eliminate the need of making a distinction
+ * between the 3 cases:
+ *
+ * 1. We can't verify that a .klogin file doesn't exist (no home dir).
+ * 2. It's there but we aren't allowed to read it.
+ * 3. We can read it and ~luser@LOCALREALM is (not) included.
+ *
+ * We instead make the assumption that luser@LOCALREALM is *always*
+ * included. Thus it is impossible to have an empty .klogin file and
+ * also to exclude luser@LOCALREALM from it. Root is treated differently
+ * since it's home should always be available.
+ *
+ * OLD STRATEGY:
+ * If there is no account for "luser" on the local machine, returns
+ * NOTOK.  If there is no authorization file, and the given Kerberos
+ * name "kdata" translates to the same name as "luser" (using
+ * krb_kntoln()), returns OK.  Otherwise, if the authorization file
+ * can't be accessed, returns NOTOK.  Otherwise, the file is read for
+ * a matching principal name, instance, and realm.  If one is found,
+ * returns OK, if none is found, returns NOTOK.
+ *
+ * The file entries are in the format:
+ *
+ *	name.instance@realm
+ *
+ * one entry per line.
+ *
+ */
+
+int
+krb_kuserok(char *name, char *instance, char *realm, char *luser)
+{
+    struct passwd *pwd;
+    FILE *f;
+    char line[1024];
+    char file[MaxPathLen];
+    struct stat st;
+
+    pwd = getpwnam(luser);
+    if(pwd == NULL)
+	return NOTOK;
+    if (pwd->pw_uid != 0
+	&& strcmp (name, luser) == 0
+	&& strcmp (instance, "") == 0
+	&& is_local_realm (realm) == OK)
+	return OK;
+
+    snprintf(file, sizeof(file), "%s/.klogin", pwd->pw_dir);
+
+    f = fopen(file, "r");
+    if(f == NULL)
+	return NOTOK;
+    
+    /* this is not a working test in filesystems like AFS and DFS */
+    if(fstat(fileno(f), &st) < 0){
+	fclose(f);
+	return NOTOK;
+    }
+    
+    if(st.st_uid != pwd->pw_uid){
+	fclose(f);
+	return NOTOK;
+    }
+    
+    while(fgets(line, sizeof(line), f)){
+	char fname[ANAME_SZ], finst[INST_SZ], frealm[REALM_SZ];
+	if(line[strlen(line) - 1] != '\n')
+	    /* read till end of line */
+	    while(1){
+		int c = fgetc(f);
+		if(c == '\n' || c == EOF)
+		    break;
+	    }
+	else
+	    line[strlen(line) - 1] = 0;
+	
+	if(kname_parse(fname, finst, frealm, line))
+	    continue;
+	if(strcmp(name, fname))
+	    continue;
+	if(strcmp(instance, finst))
+	    continue;
+#if 0 /* don't support principals without realm any longer */
+	if(frealm[0] == 0) {
+	    if (is_local_realm (realm) != OK)
+		continue;
+	} else
+#endif
+	if (strcmp (realm, frealm))
+	    continue;
+
+	fclose(f);
+	return OK;
+    }
+    fclose(f);
+    return NOTOK;
+}
+
+/* compatibility interface */
+
+int
+kuserok(AUTH_DAT *auth, char *luser)
+{
+    return krb_kuserok(auth->pname, auth->pinst, auth->prealm, luser);
+}
diff --git a/crypto/kerberosIV/lib/krb/lifetime.c b/crypto/kerberosIV/lib/krb/lifetime.c
new file mode 100644
index 0000000..1866996
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/lifetime.c
@@ -0,0 +1,213 @@
+/*
+ * Ticket lifetime.  This defines the table used to lookup lifetime
+ * for the fixed part of rande of the one byte lifetime field.  Values
+ * less than 0x80 are intrpreted as the number of 5 minute intervals.
+ * Values from 0x80 to 0xBF should be looked up in this table.  The
+ * value of 0x80 is the same using both methods: 10 and two-thirds
+ * hours .  The lifetime of 0xBF is 30 days.  The intervening values
+ * of have a fixed ratio of roughly 1.06914.  The value 0xFF is
+ * defined to mean a ticket has no expiration time.  This should be
+ * used advisedly since individual servers may impose defacto
+ * upperbounds on ticket lifetimes.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: lifetime.c,v 1.9 1997/05/02 14:29:18 assar Exp $");
+
+/* If you want to disable this feature */
+int krb_no_long_lifetimes = 0;
+
+#define TKTLIFENUMFIXED 64
+#define TKTLIFEMINFIXED 0x80
+#define TKTLIFEMAXFIXED 0xBF
+#define TKTLIFENOEXPIRE 0xFF
+#define MAXTKTLIFETIME	(30*24*3600)	/* 30 days */
+#ifndef NEVERDATE
+#define NEVERDATE ((unsigned long)0x7fffffffL)
+#endif
+
+static const int tkt_lifetimes[TKTLIFENUMFIXED] = {
+    38400,				/* 10.67 hours, 0.44 days */ 
+    41055,				/* 11.40 hours, 0.48 days */ 
+    43894,				/* 12.19 hours, 0.51 days */ 
+    46929,				/* 13.04 hours, 0.54 days */ 
+    50174,				/* 13.94 hours, 0.58 days */ 
+    53643,				/* 14.90 hours, 0.62 days */ 
+    57352,				/* 15.93 hours, 0.66 days */ 
+    61318,				/* 17.03 hours, 0.71 days */ 
+    65558,				/* 18.21 hours, 0.76 days */ 
+    70091,				/* 19.47 hours, 0.81 days */ 
+    74937,				/* 20.82 hours, 0.87 days */ 
+    80119,				/* 22.26 hours, 0.93 days */ 
+    85658,				/* 23.79 hours, 0.99 days */ 
+    91581,				/* 25.44 hours, 1.06 days */ 
+    97914,				/* 27.20 hours, 1.13 days */ 
+    104684,				/* 29.08 hours, 1.21 days */ 
+    111922,				/* 31.09 hours, 1.30 days */ 
+    119661,				/* 33.24 hours, 1.38 days */ 
+    127935,				/* 35.54 hours, 1.48 days */ 
+    136781,				/* 37.99 hours, 1.58 days */ 
+    146239,				/* 40.62 hours, 1.69 days */ 
+    156350,				/* 43.43 hours, 1.81 days */ 
+    167161,				/* 46.43 hours, 1.93 days */ 
+    178720,				/* 49.64 hours, 2.07 days */ 
+    191077,				/* 53.08 hours, 2.21 days */ 
+    204289,				/* 56.75 hours, 2.36 days */ 
+    218415,				/* 60.67 hours, 2.53 days */ 
+    233517,				/* 64.87 hours, 2.70 days */ 
+    249664,				/* 69.35 hours, 2.89 days */ 
+    266926,				/* 74.15 hours, 3.09 days */ 
+    285383,				/* 79.27 hours, 3.30 days */ 
+    305116,				/* 84.75 hours, 3.53 days */ 
+    326213,				/* 90.61 hours, 3.78 days */ 
+    348769,				/* 96.88 hours, 4.04 days */ 
+    372885,				/* 103.58 hours, 4.32 days */ 
+    398668,				/* 110.74 hours, 4.61 days */ 
+    426234,				/* 118.40 hours, 4.93 days */ 
+    455705,				/* 126.58 hours, 5.27 days */ 
+    487215,				/* 135.34 hours, 5.64 days */ 
+    520904,				/* 144.70 hours, 6.03 days */ 
+    556921,				/* 154.70 hours, 6.45 days */ 
+    595430,				/* 165.40 hours, 6.89 days */ 
+    636601,				/* 176.83 hours, 7.37 days */ 
+    680618,				/* 189.06 hours, 7.88 days */ 
+    727680,				/* 202.13 hours, 8.42 days */ 
+    777995,				/* 216.11 hours, 9.00 days */ 
+    831789,				/* 231.05 hours, 9.63 days */ 
+    889303,				/* 247.03 hours, 10.29 days */ 
+    950794,				/* 264.11 hours, 11.00 days */ 
+    1016537,				/* 282.37 hours, 11.77 days */ 
+    1086825,				/* 301.90 hours, 12.58 days */ 
+    1161973,				/* 322.77 hours, 13.45 days */ 
+    1242318,				/* 345.09 hours, 14.38 days */ 
+    1328218,				/* 368.95 hours, 15.37 days */ 
+    1420057,				/* 394.46 hours, 16.44 days */ 
+    1518247,				/* 421.74 hours, 17.57 days */ 
+    1623226,				/* 450.90 hours, 18.79 days */ 
+    1735464,				/* 482.07 hours, 20.09 days */ 
+    1855462,				/* 515.41 hours, 21.48 days */ 
+    1983758,				/* 551.04 hours, 22.96 days */ 
+    2120925,				/* 589.15 hours, 24.55 days */ 
+    2267576,				/* 629.88 hours, 26.25 days */ 
+    2424367,				/* 673.44 hours, 28.06 days */ 
+    2592000};				/* 720.00 hours, 30.00 days */ 
+
+/*
+ * krb_life_to_time - takes a start time and a Kerberos standard
+ * lifetime char and returns the corresponding end time.  There are
+ * four simple cases to be handled.  The first is a life of 0xff,
+ * meaning no expiration, and results in an end time of 0xffffffff.
+ * The second is when life is less than the values covered by the
+ * table.  In this case, the end time is the start time plus the
+ * number of 5 minute intervals specified by life.  The third case
+ * returns start plus the MAXTKTLIFETIME if life is greater than
+ * TKTLIFEMAXFIXED.  The last case, uses the life value (minus
+ * TKTLIFEMINFIXED) as an index into the table to extract the lifetime
+ * in seconds, which is added to start to produce the end time.
+ */
+u_int32_t
+krb_life_to_time(u_int32_t start, int life_)
+{
+    unsigned char life = (unsigned char) life_;
+
+    if (krb_no_long_lifetimes) return start + life*5*60;
+
+    if (life == TKTLIFENOEXPIRE) return NEVERDATE;
+    if (life < TKTLIFEMINFIXED) return start + life*5*60;
+    if (life > TKTLIFEMAXFIXED) return start + MAXTKTLIFETIME;
+    return start + tkt_lifetimes[life - TKTLIFEMINFIXED];
+}
+
+/*
+ * krb_time_to_life - takes start and end times for the ticket and
+ * returns a Kerberos standard lifetime char, possibily using the
+ * tkt_lifetimes table for lifetimes above 127*5 minutes.  First, the
+ * special case of (end == NEVERDATE) is handled to mean no
+ * expiration.  Then negative lifetimes and those greater than the
+ * maximum ticket lifetime are rejected.  Then lifetimes less than the
+ * first table entry are handled by rounding the requested lifetime
+ * *up* to the next 5 minute interval.  The final step is to search
+ * the table for the smallest entry *greater than or equal* to the
+ * requested entry.
+ */
+int krb_time_to_life(u_int32_t start, u_int32_t end)
+{
+    int i;
+    long lifetime = end - start;
+
+    if (krb_no_long_lifetimes) return (lifetime + 5*60 - 1)/(5*60);
+
+    if (end >= NEVERDATE) return TKTLIFENOEXPIRE;
+    if (lifetime > MAXTKTLIFETIME || lifetime <= 0) return 0;
+    if (lifetime < tkt_lifetimes[0]) return (lifetime + 5*60 - 1)/(5*60);
+    for (i=0; i<TKTLIFENUMFIXED; i++) {
+	if (lifetime <= tkt_lifetimes[i]) {
+	    return i+TKTLIFEMINFIXED;
+	}
+    }
+    return 0;
+}
+
+char *
+krb_life_to_atime(int life)
+{
+    static char atime[11+1+2+1+2+1+2+1];
+    unsigned long when;
+    int secs, mins, hours;
+
+    if (life == TKTLIFENOEXPIRE && !krb_no_long_lifetimes)
+	return("Forever");
+    when = krb_life_to_time(0, life);
+    secs = when%60;
+    when /= 60;
+    mins = when%60;
+    when /= 60;
+    hours = when%24;
+    when /= 24;
+    snprintf(atime, sizeof(atime), "%d+%02d:%02d:%02d", (int)when, hours, mins, secs);
+    return(atime);
+}
+
+int
+krb_atime_to_life(char *atime)
+{
+    unsigned long when = 0;
+    char *cp;
+    int colon = 0, plus = 0;
+    int n = 0;
+
+    if (strcasecmp(atime, "forever") == 0)
+	return(TKTLIFENOEXPIRE);
+    
+    for (cp=atime; *cp; cp++) {
+	switch(*cp) {
+	    case '0': case '1': case '2': case '3': case '4':
+	    case '5': case '6': case '7': case '8': case '9':
+		n = n*10 + *cp-'0';
+		break;
+	    case '+':
+		plus++;
+		when += n;
+		when *= 24;
+		n = 0;
+		break;
+	    case ':':
+		colon++;
+		when += n;
+		when *= 60;
+		n = 0;
+		break;
+	    default:
+		break;
+	}
+    }
+    when += n;
+    if (plus == 0 && colon == 0)
+	return((unsigned char)when);
+    while (colon < 2) {
+	when *= 60;
+	colon++;
+    }
+    return(krb_time_to_life(0,when));
+}
diff --git a/crypto/kerberosIV/lib/krb/logging.c b/crypto/kerberosIV/lib/krb/logging.c
new file mode 100644
index 0000000..1044fac
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/logging.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+#include <klog.h>
+
+RCSID("$Id: logging.c,v 1.18.2.1 2000/10/13 15:57:34 assar Exp $");
+
+struct krb_log_facility {
+    char filename[MaxPathLen]; 
+    FILE *file; 
+    krb_log_func_t func;
+};
+
+int
+krb_vlogger(struct krb_log_facility *f, const char *format, va_list args)
+{
+    FILE *file = NULL;
+    int ret;
+
+    if (f->file != NULL)
+	file = f->file;
+    else if (f->filename && f->filename[0])
+	file = fopen(f->filename, "a");
+
+    if (file == NULL)
+      return KFAILURE;
+
+    ret = f->func(file, format, args);
+
+    if (file != f->file)
+	fclose(file);
+    return ret;
+}
+
+int
+krb_logger(struct krb_log_facility *f, const char *format, ...)
+{
+    va_list args;
+    int ret;
+    va_start(args, format);
+    ret = krb_vlogger(f, format, args);
+    va_end(args);
+    return ret;
+}
+
+/*
+ * If FILE * is given log to it, otherwise, log to filename. When
+ * given a file name the file is opened and closed for each log
+ * record.
+ */
+int
+krb_openlog(struct krb_log_facility *f,
+	    char *filename,
+	    FILE *file,
+	    krb_log_func_t func)
+{
+    strlcpy(f->filename, filename, MaxPathLen);
+    f->file = file;
+    f->func = func;
+    return KSUCCESS;
+}
+
+/* ------------------------------------------------------------
+   Compatibility functions from warning.c
+   ------------------------------------------------------------ */
+
+static int
+log_tty(FILE *f, const char *format,  va_list args)
+{
+    if (f != NULL && isatty(fileno(f)))
+	vfprintf(f, format, args);
+    return KSUCCESS;
+}
+
+/* stderr */
+static struct krb_log_facility std_log = { "/dev/tty", NULL, log_tty };
+
+static void
+init_std_log (void)
+{
+  static int done = 0;
+
+  if (!done) {
+    std_log.file = stderr;
+    done = 1;
+  }
+}
+
+/*
+ *
+ */
+void
+krb_set_warnfn (krb_warnfn_t newfunc)
+{
+    init_std_log ();
+    std_log.func =  newfunc;
+}
+
+/*
+ *
+ */
+krb_warnfn_t
+krb_get_warnfn (void)
+{
+    init_std_log ();
+    return std_log.func;
+}
+
+/*
+ * Log warnings to stderr if it's a tty.
+ */
+void
+krb_warning (const char *format, ...)
+{
+    va_list args;
+    
+    init_std_log ();
+    va_start(args, format);
+    krb_vlogger(&std_log, format, args);
+    va_end(args);
+}
+
+/* ------------------------------------------------------------
+   Compatibility functions from klog.c and log.c
+   ------------------------------------------------------------ */
+
+/*
+ * Used by kerberos and kadmind daemons and in libkrb (rd_req.c).
+ *
+ * By default they log to the kerberos server log-file (KRBLOG) to be
+ * backwards compatible.
+ */
+
+static int
+log_with_timestamp_and_nl(FILE *file, const char *format, va_list args)
+{
+    time_t now;
+    if(file == NULL)
+	return KFAILURE;
+    time(&now);
+    fputs(krb_stime(&now), file);
+    fputs(": ", file);
+    vfprintf(file, format, args);
+    fputs("\n", file);
+    fflush(file);
+    return KSUCCESS;
+}
+
+static struct krb_log_facility
+file_log = { KRBLOG, NULL, log_with_timestamp_and_nl };
+
+/*
+ * kset_logfile() changes the name of the file to which
+ * messages are logged.  If kset_logfile() is not called,
+ * the logfile defaults to KRBLOG, defined in "krb.h".
+ */
+
+void
+kset_logfile(char *filename)
+{
+    krb_openlog(&file_log, filename, NULL, log_with_timestamp_and_nl);
+}
+
+/*
+ * krb_log() and klog() is used to add entries to the logfile.
+ *
+ * The log entry consists of a timestamp and the given arguments
+ * printed according to the given "format" string.
+ *
+ * The log file is opened and closed for each log entry.
+ *
+ * If the given log type "type" is unknown, or if the log file
+ * cannot be opened, no entry is made to the log file.
+ *
+ * CHANGE: the type is always ignored
+ *
+ * The return value of klog() is always a pointer to the formatted log
+ * text string "logtxt".
+ */
+
+/* Used in kerberos.c only. */
+char *
+klog(int type, const char *format, ...)
+{
+    static char logtxt[1024];
+
+    va_list ap;
+
+    va_start(ap, format);
+    vsnprintf(logtxt, sizeof(logtxt), format, ap);
+    va_end(ap);
+    
+    krb_logger(&file_log, "%s", logtxt);
+    
+    return logtxt;
+}
+
+/* Used in kadmind and rd_req.c */
+void
+krb_log(const char *format, ...)
+{
+    va_list args;
+
+    va_start(args, format);
+    krb_vlogger(&file_log, format, args);
+    va_end(args);
+}
diff --git a/crypto/kerberosIV/lib/krb/lsb_addr_comp.c b/crypto/kerberosIV/lib/krb/lsb_addr_comp.c
new file mode 100644
index 0000000..e74614d
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/lsb_addr_comp.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: lsb_addr_comp.c,v 1.16 1999/12/02 16:58:42 joda Exp $");
+
+#include "krb-archaeology.h"
+
+int
+krb_lsb_antinet_ulong_cmp(u_int32_t x, u_int32_t y)
+{
+    int i;
+    u_int32_t a = 0, b = 0;
+    u_int8_t *p = (u_int8_t*) &x;
+    u_int8_t *q = (u_int8_t*) &y;
+
+    for(i = sizeof(u_int32_t) - 1; i >= 0; i--){
+	a = (a << 8) | p[i];
+	b = (b << 8) | q[i];
+    }
+    if(a > b)
+	return 1;
+    if(a < b)
+	return -1;
+    return 0;
+}
+
+int
+krb_lsb_antinet_ushort_cmp(u_int16_t x, u_int16_t y)
+{
+    int i;
+    u_int16_t a = 0, b = 0;
+    u_int8_t *p = (u_int8_t*) &x;
+    u_int8_t *q = (u_int8_t*) &y;
+
+    for(i = sizeof(u_int16_t) - 1; i >= 0; i--){
+	a = (a << 8) | p[i];
+	b = (b << 8) | q[i];
+    }
+    if(a > b)
+	return 1;
+    if(a < b)
+	return -1;
+    return 0;
+}
+
+u_int32_t
+lsb_time(time_t t, struct sockaddr_in *src, struct sockaddr_in *dst)
+{
+    int dir = 1;
+    const char *fw;
+
+    /*
+     * direction bit is the sign bit of the timestamp.  Ok until
+     * 2038??
+     */
+    if(krb_debug) {
+	krb_warning("lsb_time: src = %s:%u\n", 
+		    inet_ntoa(src->sin_addr), ntohs(src->sin_port));
+	krb_warning("lsb_time: dst = %s:%u\n", 
+		    inet_ntoa(dst->sin_addr), ntohs(dst->sin_port));
+    }
+
+    /* For compatibility with broken old code, compares are done in VAX 
+       byte order (LSBFIRST) */ 
+    if (krb_lsb_antinet_ulong_less(src->sin_addr.s_addr, /* src < recv */ 
+				   dst->sin_addr.s_addr) < 0) 
+        dir = -1;
+    else if (krb_lsb_antinet_ulong_less(src->sin_addr.s_addr, 
+					dst->sin_addr.s_addr)==0) 
+        if (krb_lsb_antinet_ushort_less(src->sin_port, dst->sin_port) < 0)
+            dir = -1;
+    /*
+     * all that for one tiny bit!  Heaven help those that talk to
+     * themselves.
+     */
+    if(krb_get_config_bool("reverse_lsb_test")) {
+	if(krb_debug) 
+	    krb_warning("lsb_time: reversing direction: %d -> %d\n", dir, -dir);
+	dir = -dir;
+    }else if((fw = krb_get_config_string("firewall_address"))) {
+	struct in_addr fw_addr;
+	fw_addr.s_addr = inet_addr(fw);
+	if(fw_addr.s_addr != INADDR_NONE) {
+	    int s_lt_d, d_lt_f;
+	    krb_warning("lsb_time: fw = %s\n", inet_ntoa(fw_addr));
+	    /* negate if src < dst < fw || fw < dst < src */
+	    s_lt_d = (krb_lsb_antinet_ulong_less(src->sin_addr.s_addr,
+						 dst->sin_addr.s_addr) == -1);
+	    d_lt_f = (krb_lsb_antinet_ulong_less(fw_addr.s_addr,
+						 dst->sin_addr.s_addr) == 1);
+	    if((s_lt_d ^ d_lt_f) == 0) {
+		if(krb_debug) 
+		    krb_warning("lsb_time: reversing direction: %d -> %d\n", 
+				dir, -dir);
+		dir = -dir;
+	    }
+	}
+    }
+    t = t * dir;
+    t = t & 0xffffffff;
+    return t;
+}
diff --git a/crypto/kerberosIV/lib/krb/mk_auth.c b/crypto/kerberosIV/lib/krb/mk_auth.c
new file mode 100644
index 0000000..65354a9
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/mk_auth.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: mk_auth.c,v 1.8 1999/12/02 16:58:43 joda Exp $");
+
+/*
+ * Generate an authenticator for service.instance@realm.
+ * instance is canonicalized by `krb_get_phost'
+ * realm is set to the local realm if realm == NULL
+ * The ticket acquired by `krb_mk_req' is returned in `ticket' and the
+ * authenticator in `buf'.  
+ * Options control the behaviour (see krb_sendauth).
+ */
+
+int
+krb_mk_auth(int32_t options,
+	    KTEXT ticket,
+	    char *service,
+	    char *instance,
+	    char *realm,
+	    u_int32_t checksum,
+	    char *version,
+	    KTEXT buf)
+{
+  char realinst[INST_SZ];
+  char realrealm[REALM_SZ];
+  int ret;
+  char *tmp;
+
+  if (options & KOPT_DONT_CANON)
+    tmp = instance;
+  else
+    tmp = krb_get_phost (instance);
+
+  strlcpy(realinst, tmp, sizeof(realinst));
+
+  if (realm == NULL) {
+    ret = krb_get_lrealm (realrealm, 1);
+    if (ret != KSUCCESS)
+      return ret;
+    realm = realrealm;
+  }
+  
+  if(!(options & KOPT_DONT_MK_REQ)) {
+    ret = krb_mk_req (ticket, service, realinst, realm, checksum);
+    if (ret != KSUCCESS)
+      return ret;
+  }
+    
+  {
+      int tmp;
+      size_t rem = sizeof(buf->dat);
+      unsigned char *p = buf->dat;
+
+      p = buf->dat;
+
+      if (rem < 2 * KRB_SENDAUTH_VLEN)
+	  return KFAILURE;
+      memcpy (p, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN);
+      p += KRB_SENDAUTH_VLEN;
+      rem -= KRB_SENDAUTH_VLEN;
+
+      memcpy (p, version, KRB_SENDAUTH_VLEN);
+      p += KRB_SENDAUTH_VLEN;
+      rem -= KRB_SENDAUTH_VLEN;
+
+      tmp = krb_put_int(ticket->length, p, rem, 4);
+      if (tmp < 0)
+	  return KFAILURE;
+      p += tmp;
+      rem -= tmp;
+
+      if (rem < ticket->length)
+	  return KFAILURE;
+      memcpy(p, ticket->dat, ticket->length);
+      p += ticket->length;
+      rem -= ticket->length;
+      buf->length = p - buf->dat;
+  }
+  return KSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/krb/mk_err.c b/crypto/kerberosIV/lib/krb/mk_err.c
new file mode 100644
index 0000000..11fc059
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/mk_err.c
@@ -0,0 +1,57 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: mk_err.c,v 1.7 1998/06/09 19:25:22 joda Exp $");
+
+/*
+ * This routine creates a general purpose error reply message.  It
+ * doesn't use KTEXT because application protocol may have long
+ * messages, and may want this part of buffer contiguous to other
+ * stuff.
+ *
+ * The error reply is built in "p", using the error code "e" and
+ * error text "e_string" given.  The length of the error reply is
+ * returned.
+ *
+ * The error reply is in the following format:
+ *
+ * unsigned char	KRB_PROT_VERSION	protocol version no.
+ * unsigned char	AUTH_MSG_APPL_ERR	message type
+ * (least significant
+ * bit of above)	HOST_BYTE_ORDER		local byte order
+ * 4 bytes		e			given error code
+ * string		e_string		given error text
+ */
+
+int32_t
+krb_mk_err(u_char *p, int32_t e, char *e_string)
+{
+    unsigned char *start = p;
+    
+    p += krb_put_int(KRB_PROT_VERSION, p, 1, 1);
+    p += krb_put_int(AUTH_MSG_APPL_ERR, p, 1, 1);
+    
+    p += krb_put_int(e, p, 4, 4);
+    p += krb_put_string(e_string, p, strlen(e_string) + 1);
+    return p - start;
+}
diff --git a/crypto/kerberosIV/lib/krb/mk_priv.c b/crypto/kerberosIV/lib/krb/mk_priv.c
new file mode 100644
index 0000000..a72b732
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/mk_priv.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: mk_priv.c,v 1.22 1999/12/02 16:58:43 joda Exp $");
+
+/* application include files */
+#include "krb-archaeology.h"
+
+/*
+ * krb_mk_priv() constructs an AUTH_MSG_PRIVATE message.  It takes
+ * some user data "in" of "length" bytes and creates a packet in "out"
+ * consisting of the user data, a timestamp, and the sender's network
+ * address.
+ * The packet is encrypted by pcbc_encrypt(), using the given
+ * "key" and "schedule".
+ * The length of the resulting packet "out" is
+ * returned.
+ *
+ * It is similar to krb_mk_safe() except for the additional key
+ * schedule argument "schedule" and the fact that the data is encrypted
+ * rather than appended with a checksum.  The protocol version is
+ * KRB_PROT_VERSION, defined in "krb.h".
+ *
+ * The "out" packet consists of:
+ *
+ * Size			Variable		Field
+ * ----			--------		-----
+ *
+ * 1 byte		KRB_PROT_VERSION	protocol version number
+ * 1 byte		AUTH_MSG_PRIVATE |	message type plus local
+ *			HOST_BYTE_ORDER		byte order in low bit
+ *
+ * 4 bytes		c_length		length of data
+ * we encrypt from here with pcbc_encrypt
+ * 
+ * 4 bytes		length			length of user data
+ * length		in			user data
+ * 1 byte		msg_time_5ms		timestamp milliseconds
+ * 4 bytes		sender->sin.addr.s_addr	sender's IP address
+ *
+ * 4 bytes		msg_time_sec or		timestamp seconds with
+ *			-msg_time_sec		direction in sign bit
+ *
+ * 0<=n<=7  bytes	pad to 8 byte multiple	zeroes
+ */
+
+int32_t
+krb_mk_priv(void *in, void *out, u_int32_t length, 
+	    struct des_ks_struct *schedule, des_cblock *key, 
+	    struct sockaddr_in *sender, struct sockaddr_in *receiver)
+{
+    unsigned char *p = (unsigned char*)out;
+    unsigned char *cipher;
+
+    struct timeval tv;
+    u_int32_t src_addr;
+    u_int32_t len;
+
+    p += krb_put_int(KRB_PROT_VERSION, p, 1, 1);
+    p += krb_put_int(AUTH_MSG_PRIVATE, p, 1, 1);
+
+    len = 4 + length + 1 + 4 + 4;
+    len = (len + 7) & ~7;
+    p += krb_put_int(len, p, 4, 4);
+    
+    cipher = p;
+
+    p += krb_put_int(length, p, 4, 4);
+    
+    memcpy(p, in, length);
+    p += length;
+    
+    krb_kdctimeofday(&tv);
+
+    *p++ =tv.tv_usec / 5000;
+    
+    src_addr = sender->sin_addr.s_addr;
+    p += krb_put_address(src_addr, p, 4);
+
+    p += krb_put_int(lsb_time(tv.tv_sec, sender, receiver), p, 4, 4);
+    
+    memset(p, 0, 7);
+
+    des_pcbc_encrypt((des_cblock *)cipher, (des_cblock *)cipher,
+		     len, schedule, key, DES_ENCRYPT);
+
+    return  (cipher - (unsigned char*)out) + len;
+}
diff --git a/crypto/kerberosIV/lib/krb/mk_req.c b/crypto/kerberosIV/lib/krb/mk_req.c
new file mode 100644
index 0000000..5e72e22
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/mk_req.c
@@ -0,0 +1,258 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: mk_req.c,v 1.22 1999/12/02 16:58:43 joda Exp $");
+
+static int lifetime = 255;	/* But no longer than TGT says. */
+
+
+static int
+build_request(KTEXT req, char *name, char *inst, char *realm, 
+	      u_int32_t checksum)
+{
+    struct timeval tv;
+    unsigned char *p = req->dat;
+    int tmp;
+    size_t rem = sizeof(req->dat);
+
+    tmp = krb_put_nir(name, inst, realm, p, rem);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(checksum, p, rem, 4);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    /* Fill in the times on the request id */
+    krb_kdctimeofday(&tv);
+
+    if (rem < 1)
+	return KFAILURE;
+
+    *p++ = tv.tv_usec / 5000; /* 5ms */
+    --rem;
+    
+    tmp = krb_put_int(tv.tv_sec, p, rem, 4);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    /* Fill to a multiple of 8 bytes for DES */
+    req->length = ((p - req->dat + 7)/8) * 8;
+    return 0;
+}
+
+
+/*
+ * krb_mk_req takes a text structure in which an authenticator is to
+ * be built, the name of a service, an instance, a realm,
+ * and a checksum.  It then retrieves a ticket for
+ * the desired service and creates an authenticator in the text
+ * structure passed as the first argument.  krb_mk_req returns
+ * KSUCCESS on success and a Kerberos error code on failure.
+ *
+ * The peer procedure on the other end is krb_rd_req.  When making
+ * any changes to this routine it is important to make corresponding
+ * changes to krb_rd_req.
+ *
+ * The authenticator consists of the following:
+ *
+ * authent->dat
+ *
+ * unsigned char	KRB_PROT_VERSION	protocol version no.
+ * unsigned char	AUTH_MSG_APPL_REQUEST	message type
+ * (least significant
+ * bit of above)	HOST_BYTE_ORDER		local byte ordering
+ * unsigned char	kvno from ticket	server's key version
+ * string		realm			server's realm
+ * unsigned char	tl			ticket length
+ * unsigned char	idl			request id length
+ * text			ticket->dat		ticket for server
+ * text			req_id->dat		request id
+ *
+ * The ticket information is retrieved from the ticket cache or
+ * fetched from Kerberos.  The request id (called the "authenticator"
+ * in the papers on Kerberos) contains the following:
+ *
+ * req_id->dat
+ *
+ * string		cr.pname		{name, instance, and
+ * string		cr.pinst		realm of principal
+ * string		myrealm			making this request}
+ * 4 bytes		checksum		checksum argument given
+ * unsigned char	tv_local.tf_usec	time (milliseconds)
+ * 4 bytes		tv_local.tv_sec		time (seconds)
+ *
+ * req_id->length = 3 strings + 3 terminating nulls + 5 bytes for time,
+ *                  all rounded up to multiple of 8.
+ */
+
+int
+krb_mk_req(KTEXT authent, char *service, char *instance, char *realm, 
+	   int32_t checksum)
+{
+    KTEXT_ST req_st;
+    KTEXT req_id = &req_st;
+
+    CREDENTIALS cr;             /* Credentials used by retr */
+    KTEXT ticket = &(cr.ticket_st); /* Pointer to tkt_st */
+    int retval;                 /* Returned by krb_get_cred */
+
+    char myrealm[REALM_SZ];
+
+    unsigned char *p = authent->dat;
+    int rem = sizeof(authent->dat);
+    int tmp;
+
+    tmp = krb_put_int(KRB_PROT_VERSION, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(AUTH_MSG_APPL_REQUEST, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    /* Get the ticket and move it into the authenticator */
+    if (krb_ap_req_debug)
+        krb_warning("Realm: %s\n", realm);
+
+    retval = krb_get_cred(service,instance,realm,&cr);
+
+    if (retval == RET_NOTKT) {
+	retval = get_ad_tkt(service, instance, realm, lifetime);
+	if (retval == KSUCCESS)
+	    retval = krb_get_cred(service, instance, realm, &cr);
+    }
+
+    if (retval != KSUCCESS)
+	return retval;
+
+
+    /*
+     * With multi realm ticket files either find a matching TGT or
+     * else use the first TGT for inter-realm authentication.
+     *
+     * In myrealm hold the realm of the principal "owning" the
+     * corresponding ticket-granting-ticket.
+     */
+
+    retval = krb_get_cred(KRB_TICKET_GRANTING_TICKET, realm, realm, 0);
+    if (retval == KSUCCESS) {
+      strlcpy(myrealm, realm, REALM_SZ);
+    } else
+      retval = krb_get_tf_realm(TKT_FILE, myrealm);
+    
+    if (retval != KSUCCESS)
+	return retval;
+    
+    if (krb_ap_req_debug)
+        krb_warning("serv=%s.%s@%s princ=%s.%s@%s\n", service, instance, realm,
+		    cr.pname, cr.pinst, myrealm);
+
+    tmp = krb_put_int(cr.kvno, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_string(realm, p, rem);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_int(ticket->length, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    retval = build_request(req_id, cr.pname, cr.pinst, myrealm, checksum);
+    if (retval != KSUCCESS)
+	return retval;
+    
+    encrypt_ktext(req_id, &cr.session, DES_ENCRYPT);
+
+    tmp = krb_put_int(req_id->length, p, rem, 1);
+    if (tmp < 0)
+	return KFAILURE;
+    p += tmp;
+    rem -= tmp;
+
+    if (rem < ticket->length + req_id->length)
+	return KFAILURE;
+
+    memcpy(p, ticket->dat, ticket->length);
+    p += ticket->length;
+    rem -= ticket->length;
+    memcpy(p, req_id->dat, req_id->length);
+    p += req_id->length;
+    rem -= req_id->length;
+
+    authent->length = p - authent->dat;
+    
+    memset(&cr, 0, sizeof(cr));
+    memset(&req_st, 0, sizeof(req_st));
+
+    if (krb_ap_req_debug)
+        krb_warning("Authent->length = %d\n", authent->length);
+
+    return KSUCCESS;
+}
+
+/* 
+ * krb_set_lifetime sets the default lifetime for additional tickets
+ * obtained via krb_mk_req().
+ * 
+ * It returns the previous value of the default lifetime.
+ */
+
+int
+krb_set_lifetime(int newval)
+{
+    int olife = lifetime;
+
+    lifetime = newval;
+    return(olife);
+}
diff --git a/crypto/kerberosIV/lib/krb/mk_safe.c b/crypto/kerberosIV/lib/krb/mk_safe.c
new file mode 100644
index 0000000..c0bbc9a
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/mk_safe.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: mk_safe.c,v 1.25.2.1 2000/10/10 13:19:25 assar Exp $");
+
+/* application include files */
+#include "krb-archaeology.h"
+
+#ifndef DES_QUAD_GUESS
+/* Temporary fixes for krb_{rd,mk}_safe */
+#define DES_QUAD_GUESS 0
+#define DES_QUAD_NEW 1
+#define DES_QUAD_OLD 2
+
+#define DES_QUAD_DEFAULT DES_QUAD_GUESS
+
+#endif /* DES_QUAD_GUESS */
+
+/* from rd_safe.c */
+extern int dqc_type;
+void fixup_quad_cksum(void*, size_t, des_cblock*, void*, void*, int);
+
+/*
+ * krb_mk_safe() constructs an AUTH_MSG_SAFE message.  It takes some
+ * user data "in" of "length" bytes and creates a packet in "out"
+ * consisting of the user data, a timestamp, and the sender's network
+ * address, followed by a checksum computed on the above, using the
+ * given "key".  The length of the resulting packet is returned.
+ *
+ * The "out" packet consists of:
+ *
+ * Size			Variable		Field
+ * ----			--------		-----
+ *
+ * 1 byte		KRB_PROT_VERSION	protocol version number
+ * 1 byte		AUTH_MSG_SAFE |		message type plus local
+ *			HOST_BYTE_ORDER		byte order in low bit
+ *
+ * ===================== begin checksum ================================
+ * 
+ * 4 bytes		length			length of user data
+ * length		in			user data
+ * 1 byte		msg_time_5ms		timestamp milliseconds
+ * 4 bytes		sender->sin.addr.s_addr	sender's IP address
+ *
+ * 4 bytes		msg_time_sec or		timestamp seconds with
+ *			-msg_time_sec		direction in sign bit
+ *
+ * ======================= end checksum ================================
+ *
+ * 16 bytes		big_cksum		quadratic checksum of
+ *						above using "key"
+ */
+
+int32_t
+krb_mk_safe(void *in, void *out, u_int32_t length, des_cblock *key, 
+	    struct sockaddr_in *sender, struct sockaddr_in *receiver)
+{
+    unsigned char * p = (unsigned char*)out;
+    struct timeval tv;
+    unsigned char *start;
+    u_int32_t src_addr;
+
+    p += krb_put_int(KRB_PROT_VERSION, p, 1, 1);
+    p += krb_put_int(AUTH_MSG_SAFE, p, 1, 1);
+    
+    start = p;
+
+    p += krb_put_int(length, p, 4, 4);
+
+    memcpy(p, in, length);
+    p += length;
+    
+    krb_kdctimeofday(&tv);
+
+    *p++ = tv.tv_usec/5000; /* 5ms */
+    
+    src_addr = sender->sin_addr.s_addr;
+    p += krb_put_address(src_addr, p, 4);
+
+    p += krb_put_int(lsb_time(tv.tv_sec, sender, receiver), p, 4, 4);
+
+    {
+	/* We are faking big endian mode, so we need to fix the
+	 * checksum (that is byte order dependent). We always send a
+	 * checksum of the new type, unless we know that we are
+	 * talking to an old client (this requires a call to
+	 * krb_rd_safe first).  
+	 */
+	unsigned char new_checksum[16];
+	unsigned char old_checksum[16];
+	fixup_quad_cksum(start, p - start, key, new_checksum, old_checksum, 0);
+	
+	if((dqc_type == DES_QUAD_GUESS && DES_QUAD_DEFAULT == DES_QUAD_OLD) || 
+	   dqc_type == DES_QUAD_OLD)
+	    memcpy(p, old_checksum, 16);
+	else
+	    memcpy(p, new_checksum, 16);
+    }
+    p += 16;
+
+    return p - (unsigned char*)out;
+}
diff --git a/crypto/kerberosIV/lib/krb/month_sname.c b/crypto/kerberosIV/lib/krb/month_sname.c
new file mode 100644
index 0000000..aaceee5
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/month_sname.c
@@ -0,0 +1,39 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: month_sname.c,v 1.5 1997/03/23 03:53:14 joda Exp $");
+
+/*
+ * Given an integer 1-12, month_sname() returns a string
+ * containing the first three letters of the corresponding
+ * month.  Returns 0 if the argument is out of range.
+ */
+
+const char *month_sname(int n)
+{
+    static const char *name[] = {
+        "Jan","Feb","Mar","Apr","May","Jun",
+        "Jul","Aug","Sep","Oct","Nov","Dec"
+    };
+    return((n < 1 || n > 12) ? 0 : name [n-1]);
+}
diff --git a/crypto/kerberosIV/lib/krb/name2name.c b/crypto/kerberosIV/lib/krb/name2name.c
new file mode 100644
index 0000000..49e457d
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/name2name.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: name2name.c,v 1.22 1999/12/02 16:58:43 joda Exp $");
+
+/* convert host to a more fully qualified domain name, returns 0 if
+ * phost is the same as host, 1 otherwise. phost should be
+ * phost_size bytes long.
+ */
+
+int
+krb_name_to_name(const char *host, char *phost, size_t phost_size)
+{
+    struct hostent *hp;
+    struct in_addr adr;
+    const char *tmp;
+    
+    adr.s_addr = inet_addr(host);
+    if (adr.s_addr != INADDR_NONE)
+	hp = gethostbyaddr((char *)&adr, sizeof(adr), AF_INET);
+    else
+	hp = gethostbyname(host);
+    if (hp == NULL)
+	tmp = host;
+    else {
+	tmp = hp->h_name;
+	/*
+	 * Broken SunOS 5.4 sometimes keeps the official name as the
+	 * 1:st alias.
+	 */
+        if (strchr(tmp, '.') == NULL
+	    && hp->h_aliases != NULL
+	    && hp->h_aliases[0] != NULL
+	    && strchr (hp->h_aliases[0], '.') != NULL)
+		tmp = hp->h_aliases[0];
+    }
+    strlcpy (phost, tmp, phost_size);
+
+    if (strcmp(phost, host) == 0)
+	return 0;
+    else
+	return 1;
+}
+
+/* lowercase and truncate */
+
+void
+k_ricercar(char *name)
+{
+    unsigned char *p = (unsigned char *)name;
+
+    while(*p && *p != '.'){
+	if(isupper(*p))
+	    *p = tolower(*p);
+	p++;
+    }
+    if(*p == '.')
+	*p = 0;
+}
+
+/*
+ * This routine takes an alias for a host name and returns the first
+ * field, in lower case, of its domain name.
+ *
+ * Example: "fOo.BAR.com" -> "foo"
+ */
+
+char *
+krb_get_phost(const char *alias)
+{
+    static char phost[MaxHostNameLen];
+    
+    krb_name_to_name(alias, phost, sizeof(phost));
+    k_ricercar(phost);
+    return phost;
+}
diff --git a/crypto/kerberosIV/lib/krb/one.c b/crypto/kerberosIV/lib/krb/one.c
new file mode 100644
index 0000000..d43b284
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/one.c
@@ -0,0 +1,27 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+  Export of this software from the United States of America is assumed
+  to require a specific license from the United States Government.
+  It is the responsibility of any person or organization contemplating
+  export to obtain such a license before exporting.
+  
+  WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+  distribute this software and its documentation for any purpose and
+  without fee is hereby granted, provided that the above copyright
+  notice appear in all copies and that both that copyright notice and
+  this permission notice appear in supporting documentation, and that
+  the name of M.I.T. not be used in advertising or publicity pertaining
+  to distribution of the software without specific, written prior
+  permission.  M.I.T. makes no representations about the suitability of
+  this software for any purpose.  It is provided "as is" without express
+  or implied warranty.
+  
+  */
+
+/*
+ * definition of variable set to 1.
+ * used in krb_conf.h to determine host byte order.
+ */
+
+int krbONE = 1;
diff --git a/crypto/kerberosIV/lib/krb/parse_name.c b/crypto/kerberosIV/lib/krb/parse_name.c
new file mode 100644
index 0000000..fcb3394
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/parse_name.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: parse_name.c,v 1.7 1999/12/02 16:58:43 joda Exp $");
+
+int
+krb_parse_name(const char *fullname, krb_principal *principal)
+{
+    const char *p;
+    char *ns, *np;
+    enum {n, i, r} pos = n;
+    int quote = 0;
+    ns = np = principal->name;
+
+    principal->name[0] = 0;
+    principal->instance[0] = 0;
+    principal->realm[0] = 0;
+
+    for(p = fullname; *p; p++){
+	if(np - ns == ANAME_SZ - 1) /* XXX they have the same size */
+	    return KNAME_FMT;
+	if(quote){
+	    *np++ = *p;
+	    quote = 0;
+	    continue;
+	}
+	if(*p == '\\')
+	    quote = 1;
+	else if(*p == '.' && pos == n){
+	    *np = 0;
+	    ns = np = principal->instance;
+	    pos = i;
+	}else if(*p == '@' && (pos == n || pos == i)){
+	    *np = 0;
+	    ns = np = principal->realm;
+	    pos = r;
+	}else
+	    *np++ = *p;
+    }
+    *np = 0;
+    if(quote || principal->name[0] == 0)
+	return KNAME_FMT;
+    return KSUCCESS;
+}
+
+int
+kname_parse(char *np, char *ip, char *rp, char *fullname)
+{
+    krb_principal p;
+    int ret;
+    if((ret = krb_parse_name(fullname, &p)) == 0){
+	strlcpy (np, p.name, ANAME_SZ);
+	strlcpy (ip, p.instance, INST_SZ);
+	if(p.realm[0])
+	    strlcpy (rp, p.realm, REALM_SZ);
+    }
+    return ret;
+}
+/*
+ * k_isname() returns 1 if the given name is a syntactically legitimate
+ * Kerberos name; returns 0 if it's not.
+ */
+
+int
+k_isname(char *s)
+{
+    char c;
+    int backslash = 0;
+
+    if (!*s)
+        return 0;
+    if (strlen(s) > ANAME_SZ - 1)
+        return 0;
+    while ((c = *s++)) {
+        if (backslash) {
+            backslash = 0;
+            continue;
+        }
+        switch(c) {
+        case '\\':
+            backslash = 1;
+            break;
+        case '.':
+            return 0;
+            /* break; */
+        case '@':
+            return 0;
+            /* break; */
+        }
+    }
+    return 1;
+}
+
+
+/*
+ * k_isinst() returns 1 if the given name is a syntactically legitimate
+ * Kerberos instance; returns 0 if it's not.
+ */
+
+int
+k_isinst(char *s)
+{
+    char c;
+    int backslash = 0;
+
+    if (strlen(s) > INST_SZ - 1)
+        return 0;
+    while ((c = *s++)) {
+        if (backslash) {
+            backslash = 0;
+            continue;
+        }
+        switch(c) {
+        case '\\':
+            backslash = 1;
+            break;
+        case '.':
+#if     INSTANCE_DOTS_OK
+            break;
+#else   /* INSTANCE_DOTS_OK */
+            return 0; 
+#endif  /* INSTANCE_DOTS_OK */
+            /* break; */
+        case '@':
+            return 0;
+            /* break; */
+        }
+    }
+    return 1;
+}
+
+/*
+ * k_isrealm() returns 1 if the given name is a syntactically legitimate
+ * Kerberos realm; returns 0 if it's not.
+ */
+
+int
+k_isrealm(char *s)
+{
+    char c;
+    int backslash = 0;
+
+    if (!*s)
+        return 0;
+    if (strlen(s) > REALM_SZ - 1)
+        return 0;
+    while ((c = *s++)) {
+        if (backslash) {
+            backslash = 0;
+            continue;
+        }
+        switch(c) {
+        case '\\':
+            backslash = 1;
+            break;
+        case '@':
+            return 0;
+            /* break; */
+        }
+    }
+    return 1;
+}
diff --git a/crypto/kerberosIV/lib/krb/prot.h b/crypto/kerberosIV/lib/krb/prot.h
new file mode 100644
index 0000000..e207881
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/prot.h
@@ -0,0 +1,72 @@
+/*
+ * $Id: prot.h,v 1.9 1999/11/30 18:57:46 bg Exp $
+ *
+ * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Include file with authentication protocol information.
+ */
+
+#ifndef PROT_DEFS
+#define PROT_DEFS
+
+#include <krb.h>
+
+#define		KRB_SERVICE		"kerberos-iv"
+#define		KRB_PORT		750	/* PC's don't have
+						 * /etc/services */
+#define		KRB_PROT_VERSION 	4
+#define 	MAX_PKT_LEN		1000
+#define		MAX_TXT_LEN		1000
+
+/* Routines to create and read packets may be found in prot.c */
+
+KTEXT create_auth_reply(char *pname, char *pinst, char *prealm, 
+			int32_t time_ws, int n, u_int32_t x_date, 
+			int kvno, KTEXT cipher);
+#ifdef DEBUG
+KTEXT krb_create_death_packet(char *a_name);
+#endif
+
+/* Message types , always leave lsb for byte order */
+
+#define		AUTH_MSG_KDC_REQUEST			 (1<<1)
+#define 	AUTH_MSG_KDC_REPLY			 (2<<1)
+#define		AUTH_MSG_APPL_REQUEST			 (3<<1)
+#define		AUTH_MSG_APPL_REQUEST_MUTUAL		 (4<<1)
+#define		AUTH_MSG_ERR_REPLY			 (5<<1)
+#define		AUTH_MSG_PRIVATE			 (6<<1)
+#define		AUTH_MSG_SAFE				 (7<<1)
+#define		AUTH_MSG_APPL_ERR			 (8<<1)
+#define		AUTH_MSG_KDC_FORWARD			 (9<<1)
+#define		AUTH_MSG_KDC_RENEW			(10<<1)
+#define 	AUTH_MSG_DIE				(63<<1)
+
+/* values for kerb error codes */
+
+#define		KERB_ERR_OK				 0
+#define		KERB_ERR_NAME_EXP			 1
+#define		KERB_ERR_SERVICE_EXP			 2
+#define		KERB_ERR_AUTH_EXP			 3
+#define		KERB_ERR_PKT_VER			 4
+#define		KERB_ERR_NAME_MAST_KEY_VER		 5
+#define		KERB_ERR_SERV_MAST_KEY_VER		 6
+#define		KERB_ERR_BYTE_ORDER			 7
+#define		KERB_ERR_PRINCIPAL_UNKNOWN		 8
+#define		KERB_ERR_PRINCIPAL_NOT_UNIQUE		 9
+#define		KERB_ERR_NULL_KEY			10
+#define		KERB_ERR_TIMEOUT			11
+
+/* sendauth - recvauth */
+
+/*
+ * If the protocol changes, you will need to change the version string
+ * be sure to support old versions of krb_sendauth!
+ */
+
+#define	KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */
+
+#endif /* PROT_DEFS */
diff --git a/crypto/kerberosIV/lib/krb/rd_err.c b/crypto/kerberosIV/lib/krb/rd_err.c
new file mode 100644
index 0000000..76544f1
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/rd_err.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: rd_err.c,v 1.9 1999/12/02 16:58:43 joda Exp $");
+
+/*
+ * Given an AUTH_MSG_APPL_ERR message, "in" and its length "in_length",
+ * return the error code from the message in "code" and the text in
+ * "m_data" as follows:
+ *
+ *	m_data->app_data	points to the error text
+ *	m_data->app_length	points to the length of the error text
+ *
+ * If all goes well, return RD_AP_OK.  If the version number
+ * is wrong, return RD_AP_VERSION, and if it's not an AUTH_MSG_APPL_ERR
+ * type message, return RD_AP_MSG_TYPE.
+ *
+ * The AUTH_MSG_APPL_ERR message format can be found in mk_err.c
+ */
+
+int
+krb_rd_err(u_char *in, u_int32_t in_length, int32_t *code, MSG_DAT *m_data)
+{
+    unsigned char *p = (unsigned char*)in;
+    
+    unsigned char pvno, type;
+    int little_endian;
+
+    pvno = *p++;
+    if(pvno != KRB_PROT_VERSION)
+	return RD_AP_VERSION;
+    
+    type = *p++;
+    little_endian = type & 1;
+    type &= ~1;
+    
+    if(type != AUTH_MSG_APPL_ERR)
+	return RD_AP_MSG_TYPE;
+    
+    p += krb_get_int(p, (u_int32_t *)&code, 4, little_endian);
+    
+    m_data->app_data = p;
+    m_data->app_length = in_length; /* XXX is this correct? */
+    return KSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/krb/rd_priv.c b/crypto/kerberosIV/lib/krb/rd_priv.c
new file mode 100644
index 0000000..0bb0a40
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/rd_priv.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: rd_priv.c,v 1.27 1999/12/02 16:58:43 joda Exp $");
+
+/* application include files */
+#include "krb-archaeology.h"
+
+/*
+ * krb_rd_priv() decrypts and checks the integrity of an
+ * AUTH_MSG_PRIVATE message.  Given the message received, "in",
+ * the length of that message, "in_length", the key "schedule"
+ * and "key", and the network addresses of the
+ * "sender" and "receiver" of the message, krb_rd_safe() returns
+ * RD_AP_OK if the message is okay, otherwise some error code.
+ *
+ * The message data retrieved from "in" are returned in the structure
+ * "m_data".  The pointer to the application data
+ * (m_data->app_data) refers back to the appropriate place in "in".
+ *
+ * See the file "mk_priv.c" for the format of the AUTH_MSG_PRIVATE
+ * message.  The structure containing the extracted message
+ * information, MSG_DAT, is defined in "krb.h".
+ */
+
+int32_t
+krb_rd_priv(void *in, u_int32_t in_length, 
+	    struct des_ks_struct *schedule, des_cblock *key, 
+	    struct sockaddr_in *sender, struct sockaddr_in *receiver, 
+	    MSG_DAT *m_data)
+{
+    unsigned char *p = (unsigned char*)in;
+    int little_endian;
+    u_int32_t clen;
+    struct timeval tv;
+    u_int32_t src_addr;
+    int delta_t;
+
+    unsigned char pvno, type;
+
+    pvno = *p++;
+    if(pvno != KRB_PROT_VERSION)
+	return RD_AP_VERSION;
+    
+    type = *p++;
+    little_endian = type & 1;
+    type &= ~1;
+
+    p += krb_get_int(p, &clen, 4, little_endian);
+    
+    if(clen + 2 > in_length)
+	return RD_AP_MODIFIED;
+
+    des_pcbc_encrypt((des_cblock*)p, (des_cblock*)p, clen, 
+		     schedule, key, DES_DECRYPT);
+    
+    p += krb_get_int(p, &m_data->app_length, 4, little_endian);
+    if(m_data->app_length + 17 > in_length)
+	return RD_AP_MODIFIED;
+
+    m_data->app_data = p;
+    p += m_data->app_length;
+    
+    m_data->time_5ms = *p++;
+
+    p += krb_get_address(p, &src_addr);
+
+    if (!krb_equiv(src_addr, sender->sin_addr.s_addr))
+	return RD_AP_BADD;
+
+    p += krb_get_int(p, (u_int32_t *)&m_data->time_sec, 4, little_endian);
+
+    m_data->time_sec = lsb_time(m_data->time_sec, sender, receiver);
+    
+    gettimeofday(&tv, NULL);
+
+    /* check the time integrity of the msg */
+    delta_t = abs((int)((long) tv.tv_sec - m_data->time_sec));
+    if (delta_t > CLOCK_SKEW)
+	return RD_AP_TIME;
+    if (krb_debug)
+	krb_warning("delta_t = %d\n", (int) delta_t);
+
+    /*
+     * caller must check timestamps for proper order and
+     * replays, since server might have multiple clients
+     * each with its own timestamps and we don't assume
+     * tightly synchronized clocks.
+     */
+
+    return KSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/krb/rd_req.c b/crypto/kerberosIV/lib/krb/rd_req.c
new file mode 100644
index 0000000..4dca78e
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/rd_req.c
@@ -0,0 +1,324 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: rd_req.c,v 1.27.2.2 2000/06/23 04:00:20 assar Exp $");
+
+static struct timeval t_local = { 0, 0 };
+
+/*
+ * Keep the following information around for subsequent calls
+ * to this routine by the same server using the same key.
+ */
+
+static des_key_schedule serv_key;	/* Key sched to decrypt ticket */
+static des_cblock ky;              /* Initialization vector */
+static int st_kvno;		/* version number for this key */
+static char st_rlm[REALM_SZ];	/* server's realm */
+static char st_nam[ANAME_SZ];	/* service name */
+static char st_inst[INST_SZ];	/* server's instance */
+
+/*
+ * This file contains two functions.  krb_set_key() takes a DES
+ * key or password string and returns a DES key (either the original
+ * key, or the password converted into a DES key) and a key schedule
+ * for it.
+ *
+ * krb_rd_req() reads an authentication request and returns information
+ * about the identity of the requestor, or an indication that the
+ * identity information was not authentic.
+ */
+
+/*
+ * krb_set_key() takes as its first argument either a DES key or a
+ * password string.  The "cvt" argument indicates how the first
+ * argument "key" is to be interpreted: if "cvt" is null, "key" is
+ * taken to be a DES key; if "cvt" is non-null, "key" is taken to
+ * be a password string, and is converted into a DES key using
+ * string_to_key().  In either case, the resulting key is returned
+ * in the external static variable "ky".  A key schedule is
+ * generated for "ky" and returned in the external static variable
+ * "serv_key".
+ *
+ * This routine returns the return value of des_key_sched.
+ *
+ * krb_set_key() needs to be in the same .o file as krb_rd_req() so that
+ * the key set by krb_set_key() is available in private storage for
+ * krb_rd_req().
+ */
+
+int
+krb_set_key(void *key, int cvt)
+{
+#ifdef NOENCRYPTION
+    memset(ky, 0, sizeof(ky));
+    return KSUCCESS;
+#else /* Encrypt */
+    if (cvt)
+        des_string_to_key((char*)key, &ky);
+    else
+        memcpy((char*)ky, key, 8);
+    return(des_key_sched(&ky, serv_key));
+#endif /* NOENCRYPTION */
+}
+
+
+/*
+ * krb_rd_req() takes an AUTH_MSG_APPL_REQUEST or
+ * AUTH_MSG_APPL_REQUEST_MUTUAL message created by krb_mk_req(),
+ * checks its integrity and returns a judgement as to the requestor's
+ * identity.
+ *
+ * The "authent" argument is a pointer to the received message.
+ * The "service" and "instance" arguments name the receiving server,
+ * and are used to get the service's ticket to decrypt the ticket
+ * in the message, and to compare against the server name inside the
+ * ticket.  "from_addr" is the network address of the host from which
+ * the message was received; this is checked against the network
+ * address in the ticket.  If "from_addr" is zero, the check is not
+ * performed.  "ad" is an AUTH_DAT structure which is
+ * filled in with information about the sender's identity according
+ * to the authenticator and ticket sent in the message.  Finally,
+ * "fn" contains the name of the file containing the server's key.
+ * (If "fn" is NULL, the server's key is assumed to have been set
+ * by krb_set_key().  If "fn" is the null string ("") the default
+ * file KEYFILE, defined in "krb.h", is used.)
+ *
+ * krb_rd_req() returns RD_AP_OK if the authentication information
+ * was genuine, or one of the following error codes (defined in
+ * "krb.h"):
+ *
+ *	RD_AP_VERSION		- wrong protocol version number
+ *	RD_AP_MSG_TYPE		- wrong message type
+ *	RD_AP_UNDEC		- couldn't decipher the message
+ *	RD_AP_INCON		- inconsistencies found
+ *	RD_AP_BADD		- wrong network address
+ *	RD_AP_TIME		- client time (in authenticator)
+ *				  too far off server time
+ *	RD_AP_NYV		- Kerberos time (in ticket) too
+ *				  far off server time
+ *	RD_AP_EXP		- ticket expired
+ *
+ * For the message format, see krb_mk_req().
+ *
+ * Mutual authentication is not implemented.
+ */
+
+int
+krb_rd_req(KTEXT authent,	/* The received message */
+	   char *service,	/* Service name */
+	   char *instance,	/* Service instance */
+	   int32_t from_addr,	/* Net address of originating host */
+	   AUTH_DAT *ad,	/* Structure to be filled in */
+	   char *a_fn)		/* Filename to get keys from */
+{
+    static KTEXT_ST ticket;     /* Temp storage for ticket */
+    static KTEXT tkt = &ticket;
+    static KTEXT_ST req_id_st;  /* Temp storage for authenticator */
+    KTEXT req_id = &req_id_st;
+
+    char realm[REALM_SZ];	/* Realm of issuing kerberos */
+
+    unsigned char skey[KKEY_SZ]; /* Session key from ticket */
+    char sname[SNAME_SZ];	/* Service name from ticket */
+    char iname[INST_SZ];	/* Instance name from ticket */
+    char r_aname[ANAME_SZ];	/* Client name from authenticator */
+    char r_inst[INST_SZ];	/* Client instance from authenticator */
+    char r_realm[REALM_SZ];	/* Client realm from authenticator */
+    u_int32_t r_time_sec;	/* Coarse time from authenticator */
+    unsigned long delta_t;      /* Time in authenticator - local time */
+    long tkt_age;		/* Age of ticket */
+    static unsigned char s_kvno;/* Version number of the server's key
+				 * Kerberos used to encrypt ticket */
+
+    struct timeval tv;
+    int status;
+
+    int pvno;
+    int type;
+    int little_endian;
+
+    const char *fn = a_fn;
+
+    unsigned char *p;
+
+    if (authent->length <= 0)
+	return(RD_AP_MODIFIED);
+
+    p = authent->dat;
+
+    /* get msg version, type and byte order, and server key version */
+
+    pvno = *p++;
+
+    if(pvno != KRB_PROT_VERSION)
+	return RD_AP_VERSION;
+    
+    type = *p++;
+    
+    little_endian = type & 1;
+    type &= ~1;
+    
+    if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL)
+	return RD_AP_MSG_TYPE;
+
+    s_kvno = *p++;
+
+    p += krb_get_string(p, realm, sizeof(realm));
+
+    /*
+     * If "fn" is NULL, key info should already be set; don't
+     * bother with ticket file.  Otherwise, check to see if we
+     * already have key info for the given server and key version
+     * (saved in the static st_* variables).  If not, go get it
+     * from the ticket file.  If "fn" is the null string, use the
+     * default ticket file.
+     */
+    if (fn && (strcmp(st_nam,service) || strcmp(st_inst,instance) ||
+               strcmp(st_rlm,realm) || (st_kvno != s_kvno))) {
+        if (*fn == 0) fn = (char *)KEYFILE;
+        st_kvno = s_kvno;
+        if (read_service_key(service, instance, realm, s_kvno,
+			     fn, (char *)skey))
+            return(RD_AP_UNDEC);
+        if ((status = krb_set_key((char*)skey, 0)))
+	    return(status);
+        strlcpy (st_rlm, realm, REALM_SZ);
+        strlcpy (st_nam, service, SNAME_SZ);
+        strlcpy (st_inst, instance, INST_SZ);
+    }
+
+    tkt->length = *p++;
+
+    req_id->length = *p++;
+
+    if(tkt->length + (p - authent->dat) > authent->length)
+	return RD_AP_MODIFIED;
+
+    memcpy(tkt->dat, p, tkt->length);
+    p += tkt->length;
+
+    if (krb_ap_req_debug)
+        krb_log("ticket->length: %d",tkt->length);
+
+    /* Decrypt and take apart ticket */
+    if (decomp_ticket(tkt, &ad->k_flags, ad->pname, ad->pinst, ad->prealm,
+                      &ad->address, ad->session, &ad->life,
+                      &ad->time_sec, sname, iname, &ky, serv_key))
+        return RD_AP_UNDEC;
+    
+    if (krb_ap_req_debug) {
+        krb_log("Ticket Contents.");
+        krb_log(" Aname:   %s.%s",ad->pname, ad->prealm);
+        krb_log(" Service: %s", krb_unparse_name_long(sname, iname, NULL));
+    }
+
+    /* Extract the authenticator */
+    
+    if(req_id->length + (p - authent->dat) > authent->length)
+	return RD_AP_MODIFIED;
+
+    memcpy(req_id->dat, p, req_id->length);
+    p = req_id->dat;
+    
+#ifndef NOENCRYPTION
+    /* And decrypt it with the session key from the ticket */
+    if (krb_ap_req_debug) krb_log("About to decrypt authenticator");
+
+    encrypt_ktext(req_id, &ad->session, DES_DECRYPT);
+
+    if (krb_ap_req_debug) krb_log("Done.");
+#endif /* NOENCRYPTION */
+
+    /* cast req_id->length to int? */
+#define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED);
+
+    p += krb_get_nir(p,
+		     r_aname, sizeof(r_aname),
+		     r_inst, sizeof(r_inst),
+		     r_realm, sizeof(r_realm));
+
+    p += krb_get_int(p, &ad->checksum, 4, little_endian);
+
+    p++; /* time_5ms is not used */
+
+    p += krb_get_int(p, &r_time_sec, 4, little_endian);
+
+    /* Check for authenticity of the request */
+    if (krb_ap_req_debug)
+        krb_log("Principal: %s.%s@%s / %s.%s@%s",ad->pname,ad->pinst, ad->prealm, 
+	      r_aname, r_inst, r_realm);
+    if (strcmp(ad->pname, r_aname) != 0 ||
+	strcmp(ad->pinst, r_inst) != 0 ||
+	strcmp(ad->prealm, r_realm) != 0)
+	return RD_AP_INCON;
+    
+    if (krb_ap_req_debug)
+        krb_log("Address: %x %x", ad->address, from_addr);
+
+    if (from_addr && (!krb_equiv(ad->address, from_addr)))
+        return RD_AP_BADD;
+
+    gettimeofday(&tv, NULL);
+    delta_t = abs((int)(tv.tv_sec - r_time_sec));
+    if (delta_t > CLOCK_SKEW) {
+        if (krb_ap_req_debug)
+            krb_log("Time out of range: %lu - %lu = %lu",
+		    (unsigned long)t_local.tv_sec,
+		    (unsigned long)r_time_sec,
+		    (unsigned long)delta_t);
+        return RD_AP_TIME;
+    }
+
+    /* Now check for expiration of ticket */
+
+    tkt_age = tv.tv_sec - ad->time_sec;
+    if (krb_ap_req_debug)
+        krb_log("Time: %ld Issue Date: %lu Diff: %ld Life %x",
+		(long)tv.tv_sec,
+		(unsigned long)ad->time_sec,
+		tkt_age,
+		ad->life);
+    
+    if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW))
+	return RD_AP_NYV;
+
+    if (tv.tv_sec > krb_life_to_time(ad->time_sec, ad->life))
+        return RD_AP_EXP;
+
+    /* All seems OK */
+    ad->reply.length = 0;
+
+    return(RD_AP_OK);
+}
diff --git a/crypto/kerberosIV/lib/krb/rd_safe.c b/crypto/kerberosIV/lib/krb/rd_safe.c
new file mode 100644
index 0000000..1d536ab
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/rd_safe.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: rd_safe.c,v 1.26.2.1 2000/10/10 13:20:36 assar Exp $");
+
+/* application include files */
+#include "krb-archaeology.h"
+
+#ifndef DES_QUAD_GUESS
+/* Temporary fixes for krb_{rd,mk}_safe */
+#define DES_QUAD_GUESS 0
+#define DES_QUAD_NEW 1
+#define DES_QUAD_OLD 2
+
+#define DES_QUAD_DEFAULT DES_QUAD_GUESS
+
+#endif /* DES_QUAD_GUESS */
+
+/* Generate two checksums in the given byteorder of the data, one
+ * new-form and one old-form. It has to be done this way to be
+ * compatible with the old version of des_quad_cksum.
+ */
+
+/* des_quad_chsum-type; 0 == unknown, 1 == new PL10++, 2 == old */
+int dqc_type = DES_QUAD_DEFAULT;
+
+void
+fixup_quad_cksum(void *start, size_t len, des_cblock *key, 
+		 void *new_checksum, void *old_checksum, int little)
+{
+    des_quad_cksum((des_cblock*)start, (des_cblock*)new_checksum, len, 2, key);
+    if(HOST_BYTE_ORDER){
+	if(little){
+	    memcpy(old_checksum, new_checksum, 16);
+	}else{
+	    u_int32_t *tmp = (u_int32_t*)new_checksum;
+	    memcpy(old_checksum, new_checksum, 16);
+	    swap_u_16(old_checksum);
+	    swap_u_long(tmp[0]);
+	    swap_u_long(tmp[1]);
+	    swap_u_long(tmp[2]);
+	    swap_u_long(tmp[3]);
+	}
+    }else{
+	if(little){
+	    u_int32_t *tmp = (u_int32_t*)new_checksum;
+	    swap_u_long(tmp[0]);
+	    swap_u_long(tmp[1]);
+	    swap_u_long(tmp[2]);
+	    swap_u_long(tmp[3]);
+	    memcpy(old_checksum, new_checksum, 16);
+	}else{
+	    u_int32_t tmp[4];
+	    tmp[0] = ((u_int32_t*)new_checksum)[3];
+	    tmp[1] = ((u_int32_t*)new_checksum)[2];
+	    tmp[2] = ((u_int32_t*)new_checksum)[1];
+	    tmp[3] = ((u_int32_t*)new_checksum)[0];
+	    memcpy(old_checksum, tmp, 16);
+	}
+    }
+}
+
+/*
+ * krb_rd_safe() checks the integrity of an AUTH_MSG_SAFE message.
+ * Given the message received, "in", the length of that message,
+ * "in_length", the "key" to compute the checksum with, and the
+ * network addresses of the "sender" and "receiver" of the message,
+ * krb_rd_safe() returns RD_AP_OK if message is okay, otherwise
+ * some error code.
+ *
+ * The message data retrieved from "in" is returned in the structure
+ * "m_data".  The pointer to the application data (m_data->app_data)
+ * refers back to the appropriate place in "in".
+ *
+ * See the file "mk_safe.c" for the format of the AUTH_MSG_SAFE
+ * message.  The structure containing the extracted message
+ * information, MSG_DAT, is defined in "krb.h".
+ */
+
+int32_t
+krb_rd_safe(void *in, u_int32_t in_length, des_cblock *key, 
+	    struct sockaddr_in *sender, struct sockaddr_in *receiver, 
+	    MSG_DAT *m_data)
+{
+    unsigned char *p = (unsigned char*)in, *start;
+
+    unsigned char pvno, type;
+    int little_endian;
+    struct timeval tv;
+    u_int32_t src_addr;
+    int delta_t;
+    
+
+    pvno = *p++;
+    if(pvno != KRB_PROT_VERSION)
+	return RD_AP_VERSION;
+    
+    type = *p++;
+    little_endian = type & 1;
+    type &= ~1;
+    if(type != AUTH_MSG_SAFE)
+	return RD_AP_MSG_TYPE;
+
+    start = p;
+    
+    p += krb_get_int(p, &m_data->app_length, 4, little_endian);
+    
+    if(m_data->app_length + 31 > in_length)
+	return RD_AP_MODIFIED;
+    
+    m_data->app_data = p;
+
+    p += m_data->app_length;
+
+    m_data->time_5ms = *p++;
+
+    p += krb_get_address(p, &src_addr);
+
+    if (!krb_equiv(src_addr, sender->sin_addr.s_addr))
+        return RD_AP_BADD;
+
+    p += krb_get_int(p, (u_int32_t *)&m_data->time_sec, 4, little_endian);
+    m_data->time_sec = lsb_time(m_data->time_sec, sender, receiver);
+    
+    gettimeofday(&tv, NULL);
+
+    delta_t = abs((int)((long) tv.tv_sec - m_data->time_sec));
+    if (delta_t > CLOCK_SKEW) return RD_AP_TIME;
+
+    /*
+     * caller must check timestamps for proper order and replays, since
+     * server might have multiple clients each with its own timestamps
+     * and we don't assume tightly synchronized clocks.
+     */
+
+    {
+	unsigned char new_checksum[16];
+	unsigned char old_checksum[16];
+	fixup_quad_cksum(start, p - start, key, 
+			 new_checksum, old_checksum, little_endian);
+	if((dqc_type == DES_QUAD_GUESS || dqc_type == DES_QUAD_NEW) && 
+	   memcmp(new_checksum, p, 16) == 0)
+	    dqc_type = DES_QUAD_NEW;
+	else if((dqc_type == DES_QUAD_GUESS || dqc_type == DES_QUAD_OLD) && 
+		memcmp(old_checksum, p, 16) == 0)
+	    dqc_type = DES_QUAD_OLD;
+	else
+	    return RD_AP_MODIFIED;
+    }
+    return KSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/krb/read_service_key.c b/crypto/kerberosIV/lib/krb/read_service_key.c
new file mode 100644
index 0000000..55fb98d
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/read_service_key.c
@@ -0,0 +1,117 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: read_service_key.c,v 1.12 1999/09/16 20:41:54 assar Exp $");
+
+/*
+ * The private keys for servers on a given host are stored in a
+ * "srvtab" file (typically "/etc/srvtab").  This routine extracts
+ * a given server's key from the file.
+ *
+ * read_service_key() takes the server's name ("service"), "instance",
+ * and "realm" and a key version number "kvno", and looks in the given
+ * "file" for the corresponding entry, and if found, returns the entry's
+ * key field in "key".
+ * 
+ * If "instance" contains the string "*", then it will match
+ * any instance, and the chosen instance will be copied to that
+ * string.  For this reason it is important that the there is enough
+ * space beyond the "*" to receive the entry.
+ *
+ * If "kvno" is 0, it is treated as a wild card and the first
+ * matching entry regardless of the "vno" field is returned.
+ *
+ * This routine returns KSUCCESS on success, otherwise KFAILURE.
+ *
+ * The format of each "srvtab" entry is as follows:
+ *
+ * Size			Variable		Field in file
+ * ----			--------		-------------
+ * string		serv			server name
+ * string		inst			server instance
+ * string		realm			server realm
+ * 1 byte		vno			server key version #
+ * 8 bytes		key			server's key
+ * ...			...			...
+ */
+
+
+int
+read_service_key(const char *service,	/* Service Name */
+		 char *instance, /* Instance name or "*" */
+		 const char *realm,	/* Realm */
+		 int kvno,	/* Key version number */
+		 const char *file,	/* Filename */
+		 void *key)	/* Pointer to key to be filled in */
+{
+    char serv[SNAME_SZ];
+    char inst[INST_SZ];
+    char rlm[REALM_SZ];
+    unsigned char vno;          /* Key version number */
+    int wcard;
+
+    int stab;
+
+    if ((stab = open(file, O_RDONLY, 0)) < 0)
+        return(KFAILURE);
+
+    wcard = (instance[0] == '*') && (instance[1] == '\0');
+
+    while (getst(stab,serv,SNAME_SZ) > 0) { /* Read sname */
+        getst(stab,inst,INST_SZ); /* Instance */
+        getst(stab,rlm,REALM_SZ); /* Realm */
+        /* Vers number */
+        if (read(stab, &vno, 1) != 1) {
+	    close(stab);
+            return(KFAILURE);
+	}
+        /* Key */
+        if (read(stab,key,8) != 8) {
+	    close(stab);
+            return(KFAILURE);
+	}
+        /* Is this the right service */
+        if (strcmp(serv,service))
+            continue;
+        /* How about instance */
+        if (!wcard && strcmp(inst,instance))
+            continue;
+        if (wcard) {
+	    strlcpy (instance, inst, INST_SZ);
+	}
+        /* Is this the right realm */
+        if (strcmp(rlm,realm)) 
+	    continue;
+
+        /* How about the key version number */
+        if (kvno && kvno != (int) vno)
+            continue;
+
+        close(stab);
+        return(KSUCCESS);
+    }
+
+    /* Can't find the requested service */
+    close(stab);
+    return(KFAILURE);
+}
diff --git a/crypto/kerberosIV/lib/krb/realm_parse.c b/crypto/kerberosIV/lib/krb/realm_parse.c
new file mode 100644
index 0000000..a4f0e7f
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/realm_parse.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: realm_parse.c,v 1.17 1999/12/02 16:58:43 joda Exp $");
+
+static int
+realm_parse(char *realm, int length, const char *file)
+{
+    FILE *F;
+    char tr[128];
+    char *p;
+    
+    if ((F = fopen(file,"r")) == NULL)
+	return -1;
+    
+    while(fgets(tr, sizeof(tr), F)){
+	char *unused = NULL;
+	p = strtok_r(tr, " \t\n\r", &unused);
+	if(p && strcasecmp(p, realm) == 0){
+	    fclose(F);
+	    strlcpy (realm, p, length);
+	    return 0;
+	}
+    }
+    fclose(F);
+    return -1;
+}
+
+int
+krb_realm_parse(char *realm, int length)
+{
+    int i;
+    char file[MaxPathLen];
+
+    for(i = 0; krb_get_krbconf(i, file, sizeof(file)) == 0; i++)
+	if (realm_parse(realm, length, file) == 0)
+	    return 0;
+    return -1;
+}
diff --git a/crypto/kerberosIV/lib/krb/recvauth.c b/crypto/kerberosIV/lib/krb/recvauth.c
new file mode 100644
index 0000000..f164b2b
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/recvauth.c
@@ -0,0 +1,192 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: recvauth.c,v 1.19 1998/06/09 19:25:25 joda Exp $");
+
+/*
+ * krb_recvauth() reads (and optionally responds to) a message sent
+ * using krb_sendauth().  The "options" argument is a bit-field of
+ * selected options (see "sendauth.c" for options description).
+ * The only option relevant to krb_recvauth() is KOPT_DO_MUTUAL
+ * (mutual authentication requested).  The "fd" argument supplies
+ * a file descriptor to read from (and write to, if mutual authenti-
+ * cation is requested).
+ *
+ * Part of the received message will be a Kerberos ticket sent by the
+ * client; this is read into the "ticket" argument.  The "service" and
+ * "instance" arguments supply the server's Kerberos name.  If the
+ * "instance" argument is the string "*", it is treated as a wild card
+ * and filled in during the krb_rd_req() call (see read_service_key()).
+ *
+ * The "faddr" and "laddr" give the sending (client) and receiving
+ * (local server) network addresses.  ("laddr" may be left NULL unless
+ * mutual authentication is requested, in which case it must be set.)
+ *
+ * The authentication information extracted from the message is returned
+ * in "kdata".  The "filename" argument indicates the file where the
+ * server's key can be found.  (It is passed on to krb_rd_req().)  If
+ * left null, the default "/etc/srvtab" will be used.
+ *
+ * If mutual authentication is requested, the session key schedule must
+ * be computed in order to reply; this schedule is returned in the
+ * "schedule" argument.  A string containing the application version
+ * number from the received message is returned in "version", which
+ * should be large enough to hold a KRB_SENDAUTH_VLEN-character string.
+ *
+ * See krb_sendauth() for the format of the received client message.
+ *
+ * krb_recvauth() first reads the protocol version string from the
+ * given file descriptor.  If it doesn't match the current protocol
+ * version (KRB_SENDAUTH_VERS), the old-style format is assumed.  In
+ * that case, the string of characters up to the first space is read
+ * and interpreted as the ticket length, then the ticket is read.
+ *
+ * If the first string did match KRB_SENDAUTH_VERS, krb_recvauth()
+ * next reads the application protocol version string.  Then the
+ * ticket length and ticket itself are read.
+ *
+ * The ticket is decrypted and checked by the call to krb_rd_req().
+ * If no mutual authentication is required, the result of the
+ * krb_rd_req() call is retured by this routine.  If mutual authenti-
+ * cation is required, a message in the following format is returned
+ * on "fd":
+ *
+ * Size			Variable		Field
+ * ----			--------		-----
+ *
+ * 4 bytes		tkt_len			length of ticket or -1
+ *						if error occurred
+ *
+ * priv_len		tmp_buf			"private" message created
+ *						by krb_mk_priv() which
+ *						contains the incremented
+ *						checksum sent by the client
+ *						encrypted in the session
+ *						key.  (This field is not
+ *						present in case of error.)
+ *
+ * If all goes well, KSUCCESS is returned; otherwise KFAILURE or some
+ * other error code is returned.
+ */
+
+static int
+send_error_reply(int fd)
+{
+    unsigned char tmp[4] = { 255, 255, 255, 255 };
+    if(krb_net_write(fd, tmp, sizeof(tmp)) != sizeof(tmp))
+	return -1;
+    return 0;
+}
+
+int
+krb_recvauth(int32_t options,	/* bit-pattern of options */
+	     int fd,		/* file descr. to read from */
+	     KTEXT ticket,	/* storage for client's ticket */
+	     char *service,	/* service expected */
+	     char *instance,	/* inst expected (may be filled in) */
+	     struct sockaddr_in *faddr,	/* address of foreign host on fd */
+	     struct sockaddr_in *laddr,	/* local address */
+	     AUTH_DAT *kdata,	/* kerberos data (returned) */
+	     char *filename,	/* name of file with service keys */
+	     struct des_ks_struct *schedule, /* key schedule (return) */
+	     char *version)	/* version string (filled in) */
+{
+    int cc;
+    char krb_vers[KRB_SENDAUTH_VLEN + 1]; /* + 1 for the null terminator */
+    int rem;
+    int32_t priv_len;
+    u_char tmp_buf[MAX_KTXT_LEN+max(KRB_SENDAUTH_VLEN+1,21)];
+
+    if (!(options & KOPT_IGNORE_PROTOCOL)) {
+	/* read the protocol version number */
+	if (krb_net_read(fd, krb_vers, KRB_SENDAUTH_VLEN) != KRB_SENDAUTH_VLEN)
+	    return(errno);
+	krb_vers[KRB_SENDAUTH_VLEN] = '\0';
+    }
+
+    /* read the application version string */
+    if (krb_net_read(fd, version, KRB_SENDAUTH_VLEN) != KRB_SENDAUTH_VLEN)
+	return(errno);
+    version[KRB_SENDAUTH_VLEN] = '\0';
+
+    /* get the length of the ticket */
+    {
+	char tmp[4];
+	if (krb_net_read(fd, tmp, 4) != 4)
+	    return -1;
+	krb_get_int(tmp, &ticket->length, 4, 0);
+    }
+    
+    /* sanity check */
+    if (ticket->length <= 0 || ticket->length > MAX_KTXT_LEN) {
+	if (options & KOPT_DO_MUTUAL) {
+	    if(send_error_reply(fd))
+		return -1;
+	    return KFAILURE;
+	} else
+	    return KFAILURE; /* XXX there may still be junk on the fd? */
+    }
+
+    /* read the ticket */
+    if (krb_net_read(fd, ticket->dat, ticket->length) != ticket->length)
+	return -1;
+    /*
+     * now have the ticket.  decrypt it to get the authenticated
+     * data.
+     */
+    rem = krb_rd_req(ticket, service, instance, faddr->sin_addr.s_addr,
+		     kdata, filename);
+
+    /* if we are doing mutual auth, compose a response */
+    if (options & KOPT_DO_MUTUAL) {
+	if (rem != KSUCCESS){
+	    /* the krb_rd_req failed */
+	    if(send_error_reply(fd))
+		return -1;
+	    return rem;
+	}
+	
+	/* add one to the (formerly) sealed checksum, and re-seal it
+	   for return to the client */
+	{ 
+	    unsigned char cs[4];
+	    krb_put_int(kdata->checksum + 1, cs, sizeof(cs), 4);
+#ifndef NOENCRYPTION
+	    des_key_sched(&kdata->session,schedule);
+#endif
+	    priv_len = krb_mk_priv(cs, 
+				   tmp_buf+4, 
+				   4,
+				   schedule,
+				   &kdata->session,
+				   laddr,
+				   faddr);
+	}
+	/* mk_priv will never fail */
+	priv_len += krb_put_int(priv_len, tmp_buf, 4, 4);
+	
+	if((cc = krb_net_write(fd, tmp_buf, priv_len)) != priv_len)
+	    return -1;
+    }
+    return rem;
+}
diff --git a/crypto/kerberosIV/lib/krb/resource.h b/crypto/kerberosIV/lib/krb/resource.h
new file mode 100644
index 0000000..d50551f
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/resource.h
@@ -0,0 +1,15 @@
+//{{NO_DEPENDENCIES}}

+// Microsoft Developer Studio generated include file.

+// Used by krb.rc

+//

+

+// Next default values for new objects

+// 

+#ifdef APSTUDIO_INVOKED

+#ifndef APSTUDIO_READONLY_SYMBOLS

+#define _APS_NEXT_RESOURCE_VALUE        101

+#define _APS_NEXT_COMMAND_VALUE         40001

+#define _APS_NEXT_CONTROL_VALUE         1000

+#define _APS_NEXT_SYMED_VALUE           101

+#endif

+#endif

diff --git a/crypto/kerberosIV/lib/krb/roken_rename.h b/crypto/kerberosIV/lib/krb/roken_rename.h
new file mode 100644
index 0000000..7bd86e2
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/roken_rename.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.8.2.1 2000/06/23 03:35:31 assar Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+/*
+ * Libroken routines that are added libkrb
+ */
+
+#define base64_decode _krb_base64_decode
+#define base64_encode _krb_base64_encode
+
+#define net_write roken_net_write
+#define net_read  roken_net_read
+
+#ifndef HAVE_FLOCK
+#define flock _krb_flock
+#endif
+#ifndef HAVE_GETHOSTNAME
+#define gethostname _krb_gethostname
+#endif
+#ifndef HAVE_GETTIMEOFDAY
+#define gettimeofday _krb_gettimeofday
+#endif
+#ifndef HAVE_GETUID
+#define getuid _krb_getuid
+#endif
+#ifndef HAVE_SNPRINTF
+#define snprintf _krb_snprintf
+#endif
+#ifndef HAVE_ASPRINTF
+#define asprintf _krb_asprintf
+#endif
+#ifndef HAVE_ASNPRINTF
+#define asnprintf _krb_asnprintf
+#endif
+#ifndef HAVE_VASPRINTF
+#define vasprintf _krb_vasprintf
+#endif
+#ifndef HAVE_VASNPRINTF
+#define vasnprintf _krb_vasnprintf
+#endif
+#ifndef HAVE_VSNPRINTF
+#define vsnprintf _krb_vsnprintf
+#endif
+#ifndef HAVE_STRCASECMP
+#define strcasecmp _krb_strcasecmp
+#endif
+#ifndef HAVE_STRNCASECMP
+#define strncasecmp _krb_strncasecmp
+#endif
+#ifndef HAVE_STRDUP
+#define strdup _krb_strdup
+#endif
+#ifndef HAVE_STRLCAT
+#define strlcat _krb_strlcat
+#endif
+#ifndef HAVE_STRLCPY
+#define strlcpy _krb_strlcpy
+#endif
+#ifndef HAVE_STRNLEN
+#define strnlen _krb_strnlen
+#endif
+#ifndef HAVE_SWAB
+#define swab _krb_swab
+#endif
+#ifndef HAVE_STRTOK_R
+#define strtok_r _krb_strtok_r
+#endif
+
+#define dns_free_data _krb_dns_free_data
+#define dns_lookup _krb_dns_lookup
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/kerberosIV/lib/krb/rw.c b/crypto/kerberosIV/lib/krb/rw.c
new file mode 100644
index 0000000..5064a6f
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/rw.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* Almost all programs use these routines (implicitly) so it's a good
+ * place to put the version string. */
+
+#include "version.h"
+
+#include "krb_locl.h"
+
+RCSID("$Id: rw.c,v 1.12.2.1 2000/06/23 03:37:33 assar Exp $");
+
+int
+krb_get_int(void *f, u_int32_t *to, int size, int lsb)
+{
+    int i;
+    unsigned char *from = (unsigned char *)f;
+
+    *to = 0;
+    if(lsb){
+	for(i = size-1; i >= 0; i--)
+	    *to = (*to << 8) | from[i];
+    }else{
+	for(i = 0; i < size; i++)
+	    *to = (*to << 8) | from[i];
+    }
+    return size;
+}
+
+int
+krb_put_int(u_int32_t from, void *to, size_t rem, int size)
+{
+    int i;
+    unsigned char *p = (unsigned char *)to;
+
+    if (rem < size)
+	return -1;
+
+    for(i = size - 1; i >= 0; i--){
+	p[i] = from & 0xff;
+	from >>= 8;
+    }
+    return size;
+}
+
+
+/* addresses are always sent in network byte order */
+
+int
+krb_get_address(void *from, u_int32_t *to)
+{
+    unsigned char *p = (unsigned char*)from;
+    *to = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+    return 4;
+}
+
+int
+krb_put_address(u_int32_t addr, void *to, size_t rem)
+{
+    return krb_put_int(ntohl(addr), to, rem, 4);
+}
+
+int
+krb_put_string(const char *from, void *to, size_t rem)
+{
+    size_t len = strlen(from) + 1;
+
+    if (rem < len)
+	return -1;
+    memcpy(to, from, len);
+    return len;
+}
+
+int
+krb_get_string(void *from, char *to, size_t to_size)
+{
+    strlcpy (to, (char *)from, to_size);
+    return strlen((char *)from) + 1;
+}
+
+int
+krb_get_nir(void *from,
+	    char *name, size_t name_len,
+	    char *instance, size_t instance_len,
+	    char *realm, size_t realm_len)
+{
+    char *p = (char *)from;
+
+    p += krb_get_string(p, name, name_len);
+    p += krb_get_string(p, instance, instance_len);
+    if(realm)
+	p += krb_get_string(p, realm, realm_len);
+    return p - (char *)from;
+}
+
+int
+krb_put_nir(const char *name,
+	    const char *instance,
+	    const char *realm,
+	    void *to,
+	    size_t rem)
+{
+    char *p = (char *)to;
+    int tmp;
+    
+    tmp = krb_put_string(name, p, rem);
+    if (tmp < 0)
+	return tmp;
+    p += tmp;
+    rem -= tmp;
+
+    tmp = krb_put_string(instance, p, rem);
+    if (tmp < 0)
+	return tmp;
+    p += tmp;
+    rem -= tmp;
+    
+    if (realm) {
+	tmp = krb_put_string(realm, p, rem);
+	if (tmp < 0)
+	    return tmp;
+	p += tmp;
+	rem -= tmp;
+    }
+    return p - (char *)to;
+}
diff --git a/crypto/kerberosIV/lib/krb/save_credentials.c b/crypto/kerberosIV/lib/krb/save_credentials.c
new file mode 100644
index 0000000..cfd6c07
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/save_credentials.c
@@ -0,0 +1,59 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: save_credentials.c,v 1.5 1997/03/23 03:53:17 joda Exp $");
+
+/*
+ * This routine takes a ticket and associated info and calls
+ * tf_save_cred() to store them in the ticket cache.  The peer
+ * routine for extracting a ticket and associated info from the
+ * ticket cache is krb_get_cred().  When changes are made to
+ * this routine, the corresponding changes should be made
+ * in krb_get_cred() as well.
+ *
+ * Returns KSUCCESS if all goes well, otherwise an error returned
+ * by the tf_init() or tf_save_cred() routines.
+ */
+
+int
+save_credentials(char *service,	/* Service name */
+		 char *instance, /* Instance */
+		 char *realm,	/* Auth domain */
+		 unsigned char *session, /* Session key */
+		 int lifetime,	/* Lifetime */
+		 int kvno,	/* Key version number */
+		 KTEXT ticket,	/* The ticket itself */
+		 int32_t issue_date) /* The issue time */
+{
+    int tf_status;   /* return values of the tf_util calls */
+
+    /* Open and lock the ticket file for writing */
+    if ((tf_status = tf_init(TKT_FILE, W_TKT_FIL)) != KSUCCESS)
+	return(tf_status);
+
+    /* Save credentials by appending to the ticket file */
+    tf_status = tf_save_cred(service, instance, realm, session,
+			     lifetime, kvno, ticket, issue_date);
+    tf_close();
+    return (tf_status);
+}
diff --git a/crypto/kerberosIV/lib/krb/send_to_kdc.c b/crypto/kerberosIV/lib/krb/send_to_kdc.c
new file mode 100644
index 0000000..4fc2c95
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/send_to_kdc.c
@@ -0,0 +1,533 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+#include <base64.h>
+
+RCSID("$Id: send_to_kdc.c,v 1.71.2.1 2000/10/10 12:47:21 assar Exp $");
+
+struct host {
+    struct sockaddr_in addr;
+    const char *hostname;
+    enum krb_host_proto proto;
+};
+
+static int send_recv(KTEXT pkt, KTEXT rpkt, struct host *host);
+
+/*
+ * send_to_kdc() sends a message to the Kerberos authentication
+ * server(s) in the given realm and returns the reply message.
+ * The "pkt" argument points to the message to be sent to Kerberos;
+ * the "rpkt" argument will be filled in with Kerberos' reply.
+ * The "realm" argument indicates the realm of the Kerberos server(s)
+ * to transact with.  If the realm is null, the local realm is used.
+ *
+ * If more than one Kerberos server is known for a given realm,
+ * different servers will be queried until one of them replies.
+ * Several attempts (retries) are made for each server before
+ * giving up entirely.
+ *
+ * If an answer was received from a Kerberos host, KSUCCESS is
+ * returned.  The following errors can be returned:
+ *
+ * SKDC_CANT    - can't get local realm
+ *              - can't find "kerberos" in /etc/services database
+ *              - can't open socket
+ *              - can't bind socket
+ *              - all ports in use
+ *              - couldn't find any Kerberos host
+ *
+ * SKDC_RETRY   - couldn't get an answer from any Kerberos server,
+ *		  after several retries
+ */
+
+/* always use the admin server */
+static int krb_use_admin_server_flag = 0;
+
+static int client_timeout = -1;
+
+int
+krb_use_admin_server(int flag)
+{
+    int old = krb_use_admin_server_flag;
+    krb_use_admin_server_flag = flag;
+    return old;
+}
+
+#define PROXY_VAR "krb4_proxy"
+
+static int
+expand (struct host **ptr, size_t sz)
+{
+    void *tmp;
+
+    tmp = realloc (*ptr, sz) ;
+    if (tmp == NULL)
+	return SKDC_CANT;
+    *ptr = tmp;
+    return 0;
+}
+
+int
+send_to_kdc(KTEXT pkt, KTEXT rpkt, const char *realm)
+{
+    int i;
+    int no_host; /* was a kerberos host found? */
+    int retry;
+    int n_hosts;
+    int retval;
+    struct hostent *host;
+    char lrealm[REALM_SZ];
+    struct krb_host *k_host;
+    struct host *hosts = malloc(sizeof(*hosts));
+    const char *proxy = krb_get_config_string (PROXY_VAR);
+
+    if (hosts == NULL)
+	return SKDC_CANT;
+
+    if (client_timeout == -1) {
+	const char *to;
+
+	client_timeout = CLIENT_KRB_TIMEOUT;
+	to = krb_get_config_string ("kdc_timeout");
+	if (to != NULL) {
+	    int tmp;
+	    char *end;
+
+	    tmp = strtol (to, &end, 0);
+	    if (end != to)
+		client_timeout = tmp;
+	}
+    }
+
+    /*
+     * If "realm" is non-null, use that, otherwise get the
+     * local realm.
+     */
+    if (realm == NULL) {
+	if (krb_get_lrealm(lrealm,1)) {
+	    if (krb_debug)
+		krb_warning("send_to_kdc: can't get local realm\n");
+	    return(SKDC_CANT);
+	}
+	realm = lrealm;
+    }
+    if (krb_debug)
+	krb_warning("lrealm is %s\n", realm);
+
+    no_host = 1;
+    /* get an initial allocation */
+    n_hosts = 0;
+    for (i = 1;
+	 (k_host = krb_get_host(i, realm, krb_use_admin_server_flag)); 
+	 ++i) {
+	char *p;
+	char **addr_list;
+	int j;
+	int n_addrs;
+	struct host *tmp;
+
+	if (k_host->proto == PROTO_HTTP && proxy != NULL) {
+	    n_addrs = 1;
+	    no_host = 0;
+
+	    retval = expand (&hosts, (n_hosts + n_addrs) * sizeof(*hosts));
+	    if (retval)
+		goto rtn;
+
+	    memset (&hosts[n_hosts].addr, 0, sizeof(struct sockaddr_in));
+	    hosts[n_hosts].addr.sin_port = htons(k_host->port);
+	    hosts[n_hosts].proto         = k_host->proto;
+	    hosts[n_hosts].hostname      = k_host->host;
+	} else {
+	    if (krb_debug)
+		krb_warning("Getting host entry for %s...", k_host->host);
+	    host = gethostbyname(k_host->host);
+	    if (krb_debug) {
+		krb_warning("%s.\n",
+			    host ? "Got it" : "Didn't get it");
+	    }
+	    if (host == NULL)
+		continue;
+	    no_host = 0;    /* found at least one */
+
+	    n_addrs = 0;
+	    for (addr_list = host->h_addr_list;
+		 *addr_list != NULL;
+		 ++addr_list)
+		++n_addrs;
+
+	    retval = expand (&hosts, (n_hosts + n_addrs) * sizeof(*hosts));
+	    if (retval)
+		goto rtn;
+
+	    for (addr_list = host->h_addr_list, j = 0;
+		 (p = *addr_list) != NULL;
+		 ++addr_list, ++j) {
+		memset (&hosts[n_hosts + j].addr, 0,
+			sizeof(struct sockaddr_in));
+		hosts[n_hosts + j].addr.sin_family = host->h_addrtype;
+		hosts[n_hosts + j].addr.sin_port   = htons(k_host->port);
+		hosts[n_hosts + j].proto           = k_host->proto;
+		hosts[n_hosts + j].hostname        = k_host->host;
+		memcpy(&hosts[n_hosts + j].addr.sin_addr, p,
+		       sizeof(struct in_addr));
+	    }
+	}
+
+	for (j = 0; j < n_addrs; ++j) {
+	    if (send_recv(pkt, rpkt, &hosts[n_hosts + j])) {
+		retval = KSUCCESS;
+		goto rtn;
+	    }
+	    if (krb_debug) {
+		krb_warning("Timeout, error, or wrong descriptor\n");
+	    }
+	}
+	n_hosts += j;
+    }
+    if (no_host) {
+	if (krb_debug)
+	    krb_warning("send_to_kdc: can't find any Kerberos host.\n");
+        retval = SKDC_CANT;
+        goto rtn;
+    }
+    /* retry each host in sequence */
+    for (retry = 0; retry < CLIENT_KRB_RETRY; ++retry) {
+	for (i = 0; i < n_hosts; ++i) {
+	    if (send_recv(pkt, rpkt, &hosts[i])) {
+		retval = KSUCCESS;
+		goto rtn;
+	    }
+        }
+    }
+    retval = SKDC_RETRY;
+rtn:
+    free(hosts);
+    return(retval);
+}
+
+static int
+udp_socket(void)
+{
+    return socket(AF_INET, SOCK_DGRAM, 0);
+}
+
+static int
+udp_connect(int s, struct host *host)
+{
+    if(krb_debug) {
+	krb_warning("connecting to %s (%s) udp, port %d\n", 
+		    host->hostname,
+		    inet_ntoa(host->addr.sin_addr),
+		    ntohs(host->addr.sin_port));
+    }
+    return connect(s, (struct sockaddr*)&host->addr, sizeof(host->addr));
+}
+
+static int
+udp_send(int s, struct host *host, KTEXT pkt)
+{
+    if(krb_debug) {
+	krb_warning("sending %d bytes to %s (%s), udp port %d\n", 
+		    pkt->length,
+		    host->hostname,
+		    inet_ntoa(host->addr.sin_addr), 
+		    ntohs(host->addr.sin_port));
+    }
+    return send(s, pkt->dat, pkt->length, 0);
+}
+
+static int
+tcp_socket(void)
+{
+    return socket(AF_INET, SOCK_STREAM, 0);
+}
+
+static int
+tcp_connect(int s, struct host *host)
+{
+    if(krb_debug) {
+	krb_warning("connecting to %s (%s), tcp port %d\n", 
+		    host->hostname,
+		    inet_ntoa(host->addr.sin_addr), 
+		    ntohs(host->addr.sin_port));
+    }
+    return connect(s, (struct sockaddr*)&host->addr, sizeof(host->addr));
+}
+
+static int
+tcp_send(int s, struct host *host, KTEXT pkt)
+{
+    unsigned char len[4];
+
+    if(krb_debug) {
+	krb_warning("sending %d bytes to %s (%s), tcp port %d\n", 
+		    pkt->length,
+		    host->hostname,
+		    inet_ntoa(host->addr.sin_addr), 
+		    ntohs(host->addr.sin_port));
+    }
+    krb_put_int(pkt->length, len, sizeof(len), 4);
+    if(send(s, len, sizeof(len), 0) != sizeof(len))
+	return -1;
+    return send(s, pkt->dat, pkt->length, 0);
+}
+
+static int
+udptcp_recv(void *buf, size_t len, KTEXT rpkt)
+{
+    int pktlen = min(len, MAX_KTXT_LEN);
+
+    if(krb_debug)
+	krb_warning("recieved %lu bytes on udp/tcp socket\n", 
+		    (unsigned long)len);
+    memcpy(rpkt->dat, buf, pktlen);
+    rpkt->length = pktlen;
+    return 0;
+}
+
+static int
+url_parse(const char *url, char *host, size_t len, short *port)
+{
+    const char *p;
+    size_t n;
+
+    if(strncmp(url, "http://", 7))
+	return -1;
+    url += 7;
+    p = strchr(url, ':');
+    if(p) {
+	char *end;
+
+	*port = htons(strtol(p + 1, &end, 0));
+	if (end == p + 1)
+	    return -1;
+	n = p - url;
+    } else {
+	*port = k_getportbyname ("http", "tcp", htons(80));
+	p = strchr(url, '/');
+	if (p)
+	    n = p - url;
+	else
+	    n = strlen(url);
+    }
+    if (n >= len)
+	return -1;
+    memcpy(host, url, n);
+    host[n] = '\0';
+    return 0;
+}
+
+static int
+http_connect(int s, struct host *host)
+{
+    const char *proxy = krb_get_config_string(PROXY_VAR);
+    char proxy_host[MaxHostNameLen];
+    short port;
+    struct hostent *hp;
+    struct sockaddr_in sin;
+
+    if(proxy == NULL) {
+	if(krb_debug)
+	    krb_warning("Not using proxy.\n");
+	return tcp_connect(s, host);
+    }
+    if(url_parse(proxy, proxy_host, sizeof(proxy_host), &port) < 0)
+	return -1;
+    hp = gethostbyname(proxy_host);
+    if(hp == NULL)
+	return -1;
+    memset(&sin, 0, sizeof(sin));
+    sin.sin_family = AF_INET;
+    memcpy(&sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
+    sin.sin_port = port;
+    if(krb_debug) {
+	krb_warning("connecting to proxy on %s (%s) port %d\n", 
+		    proxy_host, inet_ntoa(sin.sin_addr), ntohs(port));
+    }
+    return connect(s, (struct sockaddr*)&sin, sizeof(sin));
+}
+
+static int
+http_send(int s, struct host *host, KTEXT pkt)
+{
+    const char *proxy = krb_get_config_string (PROXY_VAR);
+    char *str;
+    char *msg;
+
+    if(base64_encode(pkt->dat, pkt->length, &str) < 0)
+	return -1;
+    if(proxy != NULL) {
+	if(krb_debug) {
+	    krb_warning("sending %d bytes to %s, tcp port %d (via proxy)\n", 
+			pkt->length,
+			host->hostname,
+			ntohs(host->addr.sin_port));
+	}
+	asprintf(&msg, "GET http://%s:%d/%s HTTP/1.0\r\n\r\n",
+		 host->hostname,
+		 ntohs(host->addr.sin_port),
+		 str);
+    } else {
+	if(krb_debug) {
+	    krb_warning("sending %d bytes to %s (%s), http port %d\n", 
+			pkt->length,
+			host->hostname,
+			inet_ntoa(host->addr.sin_addr), 
+			ntohs(host->addr.sin_port));
+	}
+	asprintf(&msg, "GET %s HTTP/1.0\r\n\r\n", str);
+    }
+    free(str);
+
+    if (msg == NULL)
+	return -1;
+	
+    if(send(s, msg, strlen(msg), 0) != strlen(msg)){
+	free(msg);
+	return -1;
+    }
+    free(msg);
+    return 0;
+}
+
+static int
+http_recv(void *buf, size_t len, KTEXT rpkt)
+{
+    char *p;
+    char *tmp = malloc(len + 1);
+
+    if (tmp == NULL)
+	return -1;
+    memcpy(tmp, buf, len);
+    tmp[len] = 0;
+    p = strstr(tmp, "\r\n\r\n");
+    if(p == NULL){
+	free(tmp);
+	return -1;
+    }
+    p += 4;
+    if(krb_debug)
+	krb_warning("recieved %lu bytes on http socket\n", 
+		    (unsigned long)((tmp + len) - p));
+    if((tmp + len) - p > MAX_KTXT_LEN) {
+	free(tmp);
+	return -1;
+    }
+    if (strncasecmp (tmp, "HTTP/1.0 2", 10) != 0
+	&& strncasecmp (tmp, "HTTP/1.1 2", 10) != 0) {
+	free (tmp);
+	return -1;
+    }
+    memcpy(rpkt->dat, p, (tmp + len) - p);
+    rpkt->length = (tmp + len) - p;
+    free(tmp);
+    return 0;
+}
+
+static struct proto_descr {
+    int proto;
+    int stream_flag;
+    int (*socket)(void);
+    int (*connect)(int, struct host *host);
+    int (*send)(int, struct host *host, KTEXT);
+    int (*recv)(void*, size_t, KTEXT);
+} protos[] = {
+    { PROTO_UDP, 0, udp_socket, udp_connect, udp_send, udptcp_recv },
+    { PROTO_TCP, 1, tcp_socket, tcp_connect, tcp_send, udptcp_recv },
+    { PROTO_HTTP, 1, tcp_socket, http_connect, http_send, http_recv }
+};
+
+static int
+send_recv(KTEXT pkt, KTEXT rpkt, struct host *host)
+{
+    int i;
+    int s;
+    unsigned char buf[MAX_KTXT_LEN];
+    int offset = 0;
+    
+    for(i = 0; i < sizeof(protos) / sizeof(protos[0]); i++){
+	if(protos[i].proto == host->proto)
+	    break;
+    }
+    if(i == sizeof(protos) / sizeof(protos[0]))
+	return FALSE;
+    if((s = (*protos[i].socket)()) < 0)
+	return FALSE;
+    if((*protos[i].connect)(s, host) < 0) {
+	close(s);
+	return FALSE;
+    }
+    if((*protos[i].send)(s, host, pkt) < 0) {
+	close(s);
+	return FALSE;
+    }
+    do{
+	fd_set readfds;
+	struct timeval timeout;
+	int len;
+	timeout.tv_sec = client_timeout;
+	timeout.tv_usec = 0;
+	FD_ZERO(&readfds);
+	if (s >= FD_SETSIZE) {
+	    if (krb_debug)
+		krb_warning("fd too large\n");
+	    close (s);
+	    return FALSE;
+	}
+	FD_SET(s, &readfds);
+	
+	/* select - either recv is ready, or timeout */
+	/* see if timeout or error or wrong descriptor */
+	if(select(s + 1, &readfds, 0, 0, &timeout) < 1 
+	   || !FD_ISSET(s, &readfds)) {
+	    if (krb_debug)
+		krb_warning("select failed: errno = %d\n", errno);
+	    close(s);
+	    return FALSE;
+	}
+	len = recv(s, buf + offset, sizeof(buf) - offset, 0);
+	if (len < 0) {
+	    close(s);
+	    return FALSE;
+	}
+	if(len == 0)
+	    break;
+	offset += len;
+    } while(protos[i].stream_flag);
+    close(s);
+    if((*protos[i].recv)(buf, offset, rpkt) < 0)
+	return FALSE;
+    return TRUE;
+}
+
+/* The configuration line "hosts: dns files" in /etc/nsswitch.conf is
+ * rumored to avoid triggering this bug. */
+#if defined(linux) && defined(HAVE__DNS_GETHOSTBYNAME) && 0
+/* Linux libc 5.3 is broken probably somewhere in nsw_hosts.o,
+ * for now keep this kludge. */
+static
+struct hostent *gethostbyname(const char *name)
+{
+  return (void *)_dns_gethostbyname(name);
+}
+#endif
diff --git a/crypto/kerberosIV/lib/krb/sendauth.c b/crypto/kerberosIV/lib/krb/sendauth.c
new file mode 100644
index 0000000..201b388
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/sendauth.c
@@ -0,0 +1,165 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: sendauth.c,v 1.18 1999/09/16 20:41:55 assar Exp $");
+
+/*
+ * krb_sendauth() transmits a ticket over a file descriptor for a
+ * desired service, instance, and realm, doing mutual authentication
+ * with the server if desired.
+ */
+
+/*
+ * The first argument to krb_sendauth() contains a bitfield of
+ * options (the options are defined in "krb.h"):
+ *
+ * KOPT_DONT_CANON	Don't canonicalize instance as a hostname.
+ *			(If this option is not chosen, krb_get_phost()
+ *			is called to canonicalize it.)
+ *
+ * KOPT_DONT_MK_REQ 	Don't request server ticket from Kerberos.
+ *			A ticket must be supplied in the "ticket"
+ *			argument.
+ *			(If this option is not chosen, and there
+ *			is no ticket for the given server in the
+ *			ticket cache, one will be fetched using
+ *			krb_mk_req() and returned in "ticket".)
+ *
+ * KOPT_DO_MUTUAL	Do mutual authentication, requiring that the
+ * 			receiving server return the checksum+1 encrypted
+ *			in the session key.  The mutual authentication
+ *			is done using krb_mk_priv() on the other side
+ *			(see "recvauth.c") and krb_rd_priv() on this
+ *			side.
+ *
+ * The "fd" argument is a file descriptor to write to the remote
+ * server on.  The "ticket" argument is used to store the new ticket
+ * from the krb_mk_req() call. If the KOPT_DONT_MK_REQ options is
+ * chosen, the ticket must be supplied in the "ticket" argument.
+ * The "service", "inst", and "realm" arguments identify the ticket.
+ * If "realm" is null, the local realm is used.
+ *
+ * The following arguments are only needed if the KOPT_DO_MUTUAL option
+ * is chosen:
+ *
+ *   The "checksum" argument is a number that the server will add 1 to
+ *   to authenticate itself back to the client; the "msg_data" argument
+ *   holds the returned mutual-authentication message from the server
+ *   (i.e., the checksum+1); the "cred" structure is used to hold the
+ *   session key of the server, extracted from the ticket file, for use
+ *   in decrypting the mutual authentication message from the server;
+ *   and "schedule" holds the key schedule for that decryption.  The
+ *   the local and server addresses are given in "laddr" and "faddr".
+ *
+ * The application protocol version number (of up to KRB_SENDAUTH_VLEN
+ * characters) is passed in "version".
+ *
+ * If all goes well, KSUCCESS is returned, otherwise some error code.
+ *
+ * The format of the message sent to the server is:
+ *
+ * Size			Variable		Field
+ * ----			--------		-----
+ *
+ * KRB_SENDAUTH_VLEN	KRB_SENDAUTH_VER	sendauth protocol
+ * bytes					version number
+ *
+ * KRB_SENDAUTH_VLEN	version			application protocol
+ * bytes					version number
+ *
+ * 4 bytes		ticket->length		length of ticket
+ *
+ * ticket->length	ticket->dat		ticket itself
+ */
+
+int
+krb_sendauth(int32_t options,	/* bit-pattern of options */
+	     int fd,		/* file descriptor to write onto */
+	     KTEXT ticket,	/* where to put ticket (return); or
+				 * supplied in case of KOPT_DONT_MK_REQ */
+	     char *service,	/* service name, instance, realm */
+	     char *instance,
+	     char *realm,
+	     u_int32_t checksum, /* checksum to include in request */
+	     MSG_DAT *msg_data,	/* mutual auth MSG_DAT (return) */
+	     CREDENTIALS *cred,	/* credentials (return) */
+	     struct des_ks_struct *schedule, /* key schedule (return) */
+	     struct sockaddr_in *laddr, /* local address */
+	     struct sockaddr_in *faddr,	/* address of foreign host on fd */
+	     char *version)	/* version string */
+{
+    int ret;
+    KTEXT_ST buf;
+    char realrealm[REALM_SZ];
+
+    if (realm == NULL) {
+	ret = krb_get_lrealm (realrealm, 1);
+	if (ret != KSUCCESS)
+	    return ret;
+	realm = realrealm;
+    }
+    ret = krb_mk_auth (options, ticket, service, instance, realm, checksum,
+		       version, &buf);
+    if (ret != KSUCCESS)
+	return ret;
+    ret = krb_net_write(fd, buf.dat, buf.length);
+    if(ret < 0)
+	return -1;
+      
+    if (options & KOPT_DO_MUTUAL) {
+	char tmp[4];
+	u_int32_t len;
+	char inst[INST_SZ];
+	char *i;
+
+	ret = krb_net_read (fd, tmp, 4);
+	if (ret < 0)
+	    return -1;
+
+	krb_get_int (tmp, &len, 4, 0);
+	if (len == 0xFFFFFFFF || len > sizeof(buf.dat))
+	    return KFAILURE;
+	buf.length = len;
+	ret = krb_net_read (fd, buf.dat, len);
+	if (ret < 0)
+	    return -1;
+
+	if (options & KOPT_DONT_CANON)
+	    i = instance;
+	else
+	    i = krb_get_phost(instance);
+	strlcpy (inst, i, sizeof(inst));
+
+	ret = krb_get_cred (service, inst, realm, cred);
+	if (ret != KSUCCESS)
+	    return ret;
+
+	des_key_sched(&cred->session, schedule);
+
+	ret = krb_check_auth (&buf, checksum, msg_data, &cred->session, 
+			      schedule, laddr, faddr);
+	if (ret != KSUCCESS)
+	    return ret;
+    }
+    return KSUCCESS;
+}
diff --git a/crypto/kerberosIV/lib/krb/sizetest.c b/crypto/kerberosIV/lib/krb/sizetest.c
new file mode 100644
index 0000000..e683416
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/sizetest.c
@@ -0,0 +1,40 @@
+#include "krb_locl.h"
+
+RCSID("$Id: sizetest.c,v 1.6 1998/01/01 22:29:04 assar Exp $");
+
+static void
+fatal(const char *msg)
+{
+  fputs(msg, stderr);
+  exit(1);
+}
+
+int
+main(void)
+{
+  if (sizeof(u_int8_t) < 1)
+    fatal("sizeof(u_int8_t) is smaller than 1 byte\n");
+  if (sizeof(u_int16_t) < 2)
+    fatal("sizeof(u_int16_t) is smaller than 2 bytes\n");
+  if (sizeof(u_int32_t) < 4)
+    fatal("sizeof(u_int32_t) is smaller than 4 bytes\n");
+
+  if (sizeof(u_int8_t) > 1)
+    fputs("warning: sizeof(u_int8_t) is larger than 1 byte, "
+	  "some stuff may not work properly!\n", stderr);
+
+  {
+    u_int8_t u = 1;
+    int i;
+    for (i = 0; u != 0 && i < 100; i++)
+      u <<= 1;
+
+    if (i < 8)
+      fatal("u_int8_t is smaller than 8 bits\n");
+    else if (i > 8)
+      fputs("warning: u_int8_t is larger than 8 bits, "
+	    "some stuff may not work properly!\n", stderr);
+  }
+
+  exit(0);
+}
diff --git a/crypto/kerberosIV/lib/krb/solaris_compat.c b/crypto/kerberosIV/lib/krb/solaris_compat.c
new file mode 100644
index 0000000..ff31e4b
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/solaris_compat.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: solaris_compat.c,v 1.4 1999/12/02 16:58:44 joda Exp $");
+
+#if (SunOS + 0) >= 50
+/*
+ * Compatibility with solaris' libkrb.
+ */
+
+int32_t
+_C0095C2A(void *in, void *out, u_int32_t length, 
+	  struct des_ks_struct *schedule, des_cblock *key, 
+	  struct sockaddr_in *sender, struct sockaddr_in *receiver)
+{
+    return krb_mk_priv (in, out, length, schedule, key, sender, receiver);
+}
+
+int32_t
+_C0095C2B(void *in, u_int32_t in_length, 
+	  struct des_ks_struct *schedule, des_cblock *key, 
+	  struct sockaddr_in *sender, struct sockaddr_in *receiver, 
+	  MSG_DAT *m_data)
+{
+    return krb_rd_priv (in, in_length, schedule, key,
+			sender, receiver, m_data);
+}
+
+void
+_C0095B2B(des_cblock *input,des_cblock *output,
+	  des_key_schedule ks,int enc)
+{
+    des_ecb_encrypt(input, output, ks, enc);
+}
+
+void
+_C0095B2A(des_cblock (*input),
+	  des_cblock (*output),
+	  long length,
+	  des_key_schedule schedule,
+	  des_cblock (*ivec),
+	  int encrypt)
+{
+  des_cbc_encrypt(input, output, length, schedule, ivec, encrypt);
+}
+
+void
+_C0095B2C(des_cblock (*input),
+	  des_cblock (*output),
+	  long length,
+	  des_key_schedule schedule,
+	  des_cblock (*ivec),
+	  int encrypt)
+{
+  des_pcbc_encrypt(input, output, length, schedule, ivec, encrypt);
+}
+#endif /* (SunOS-0) >= 50 */
diff --git a/crypto/kerberosIV/lib/krb/stime.c b/crypto/kerberosIV/lib/krb/stime.c
new file mode 100644
index 0000000..ec57d8f
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/stime.c
@@ -0,0 +1,35 @@
+/*
+ * $Id: stime.c,v 1.6 1997/05/02 14:29:20 assar Exp $
+ *
+ * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: stime.c,v 1.6 1997/05/02 14:29:20 assar Exp $");
+
+/*
+ * Given a pointer to a long containing the number of seconds
+ * since the beginning of time (midnight 1 Jan 1970 GMT), return
+ * a string containing the local time in the form:
+ *
+ * "25-Jan-1988 10:17:56"
+ */
+
+const char *
+krb_stime(time_t *t)
+{
+    static char st[40];
+    struct tm *tm;
+
+    tm = localtime(t);
+    snprintf(st, sizeof(st),
+	     "%2d-%s-%04d %02d:%02d:%02d",tm->tm_mday,
+	     month_sname(tm->tm_mon + 1),tm->tm_year + 1900,
+	     tm->tm_hour, tm->tm_min, tm->tm_sec);
+    return st;
+}
diff --git a/crypto/kerberosIV/lib/krb/str2key.c b/crypto/kerberosIV/lib/krb/str2key.c
new file mode 100644
index 0000000..4ef4c57
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/str2key.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: str2key.c,v 1.17 1999/12/02 16:58:44 joda Exp $");
+
+#define lowcase(c) (('A' <= (c) && (c) <= 'Z') ? ((c) - 'A' + 'a') : (c))
+
+/*
+ * The string to key function used by Transarc AFS.
+ */
+void
+afs_string_to_key(const char *pass, const char *cell, des_cblock *key)
+{
+  if (strlen(pass) <= 8)	/* Short passwords. */
+    {
+      char buf[8 + 1], *s;
+      int i;
+
+      /*
+       * XOR cell and password and pad (or fill) with 'X' to length 8,
+       * then use crypt(3) to create DES key.
+       */
+      for (i = 0; i < 8; i++)
+	{
+	  buf[i] = *pass ^ lowcase(*cell);
+	  if (buf[i] == 0)
+	    buf[i] = 'X';
+	  if (*pass != 0)
+	    pass++;
+	  if (*cell != 0)
+	    cell++;
+	}
+      buf[8] = 0;
+
+      s = crypt(buf, "p1");	/* Result from crypt is 7bit chars. */
+      s = s + 2;		/* Skip 2 chars of salt. */
+      for (i = 0; i < 8; i++)
+	((char *) key)[i] = s[i] << 1; /* High bit is always zero */
+      des_fixup_key_parity(key); /*       Low  bit is parity */
+    }
+  else				/* Long passwords */
+    {
+      int plen, clen;
+      char *buf, *t;
+      des_key_schedule sched;
+      des_cblock ivec;
+
+      /*
+       * Concatenate password with cell name,
+       * then checksum twice to create DES key.
+       */
+      plen = strlen(pass);
+      clen = strlen(cell);
+      buf = malloc(plen + clen + 1);
+      memcpy(buf, pass, plen);
+      for (t = buf + plen; *cell != 0; t++, cell++)
+	*t = lowcase(*cell);
+
+      memcpy(&ivec, "kerberos", 8);
+      memcpy(key, "kdsbdsns", 8);
+      des_key_sched(key, sched);
+      /* Beware, ivec is passed twice */
+      des_cbc_cksum((des_cblock *)buf, &ivec, plen + clen, sched, &ivec);
+
+      memcpy(key, &ivec, 8);
+      des_fixup_key_parity(key);
+      des_key_sched(key, sched);
+      /* Beware, ivec is passed twice */
+      des_cbc_cksum((des_cblock *)buf, key, plen + clen, sched, &ivec);
+      free(buf);
+      des_fixup_key_parity(key);
+    }
+}
diff --git a/crypto/kerberosIV/lib/krb/tf_util.c b/crypto/kerberosIV/lib/krb/tf_util.c
new file mode 100644
index 0000000..0d5361f
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/tf_util.c
@@ -0,0 +1,791 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+        
+#include "krb_locl.h"
+
+RCSID("$Id: tf_util.c,v 1.39.2.2 2000/06/23 04:03:58 assar Exp $");
+
+
+#define TOO_BIG -1
+#define TF_LCK_RETRY ((unsigned)2)	/* seconds to sleep before
+					 * retry if ticket file is
+					 * locked */
+#define	TF_LCK_RETRY_COUNT	(50)	/* number of retries	*/
+
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+#define MAGIC_TICKET_NAME "magic"
+#define MAGIC_TICKET_TIME_DIFF_INST "time-diff"
+#define MAGIC_TICKET_ADDR_INST "our-address"
+
+/*
+ * fd must be initialized to something that won't ever occur as a real
+ * file descriptor. Since open(2) returns only non-negative numbers as
+ * valid file descriptors, and tf_init always stuffs the return value
+ * from open in here even if it is an error flag, we must
+ * 	a. Initialize fd to a negative number, to indicate that it is
+ * 	   not initially valid.
+ *	b. When checking for a valid fd, assume that negative values
+ *	   are invalid (ie. when deciding whether tf_init has been
+ *	   called.)
+ *	c. In tf_close, be sure it gets reinitialized to a negative
+ *	   number. 
+ */
+static  int fd = -1;
+static	int curpos;				/* Position in tfbfr */
+static	int lastpos;			/* End of tfbfr */
+static	char tfbfr[BUFSIZ];		/* Buffer for ticket data */
+
+static int tf_gets(char *s, int n);
+static int tf_read(void *s, int n);
+
+/*
+ * This file contains routines for manipulating the ticket cache file.
+ *
+ * The ticket file is in the following format:
+ *
+ *      principal's name        (null-terminated string)
+ *      principal's instance    (null-terminated string)
+ *      CREDENTIAL_1
+ *      CREDENTIAL_2
+ *      ...
+ *      CREDENTIAL_n
+ *      EOF
+ *
+ *      Where "CREDENTIAL_x" consists of the following fixed-length
+ *      fields from the CREDENTIALS structure (see "krb.h"):
+ *
+ *              char            service[ANAME_SZ]
+ *              char            instance[INST_SZ]
+ *              char            realm[REALM_SZ]
+ *              C_Block         session
+ *              int             lifetime
+ *              int             kvno
+ *              KTEXT_ST        ticket_st
+ *              u_int32_t            issue_date
+ *
+ * Short description of routines:
+ *
+ * tf_init() opens the ticket file and locks it.
+ *
+ * tf_get_pname() returns the principal's name.
+ *
+ * tf_put_pname() writes the principal's name to the ticket file.
+ *
+ * tf_get_pinst() returns the principal's instance (may be null).
+ *
+ * tf_put_pinst() writes the instance.
+ *
+ * tf_get_cred() returns the next CREDENTIALS record.
+ *
+ * tf_save_cred() appends a new CREDENTIAL record to the ticket file.
+ *
+ * tf_close() closes the ticket file and releases the lock.
+ *
+ * tf_gets() returns the next null-terminated string.  It's an internal
+ * routine used by tf_get_pname(), tf_get_pinst(), and tf_get_cred().
+ *
+ * tf_read() reads a given number of bytes.  It's an internal routine
+ * used by tf_get_cred().
+ */
+
+/*
+ * tf_init() should be called before the other ticket file routines.
+ * It takes the name of the ticket file to use, "tf_name", and a
+ * read/write flag "rw" as arguments. 
+ *
+ * It tries to open the ticket file, checks the mode, and if everything
+ * is okay, locks the file.  If it's opened for reading, the lock is
+ * shared.  If it's opened for writing, the lock is exclusive. 
+ *
+ * Returns KSUCCESS if all went well, otherwise one of the following: 
+ *
+ * NO_TKT_FIL   - file wasn't there
+ * TKT_FIL_ACC  - file was in wrong mode, etc.
+ * TKT_FIL_LCK  - couldn't lock the file, even after a retry
+ */
+
+#ifdef _NO_LOCKING
+#undef flock
+#define flock(F, M) 0
+#endif
+
+int
+tf_init(char *tf_name, int rw)
+{
+  /* Unix implementation */
+  int wflag;
+  struct stat stat_buf;
+  int i_retry;
+
+  switch (rw) {
+  case R_TKT_FIL:
+    wflag = 0;
+    break;
+  case W_TKT_FIL:
+    wflag = 1;
+    break;
+  default:
+    if (krb_debug)
+      krb_warning("tf_init: illegal parameter\n");
+    return TKT_FIL_ACC;
+  }
+  if (lstat(tf_name, &stat_buf) < 0)
+    switch (errno) {
+    case ENOENT:
+      return NO_TKT_FIL;
+    default:
+      return TKT_FIL_ACC;
+    }
+  if (!S_ISREG(stat_buf.st_mode))
+    return TKT_FIL_ACC;
+
+  /* The code tries to guess when the calling program is running
+   * set-uid and prevent unauthorized access.
+   *
+   * All library functions now assume that the right set of userids
+   * are set upon entry, therefore it's not strictly necessary to
+   * perform these test for programs adhering to these assumptions.
+   *
+   * This doesn't work on cygwin because getuid() returns a different
+   * uid than the owner of files that are created.
+   */
+#ifndef __CYGWIN__
+  {
+    uid_t me = getuid();
+    if (stat_buf.st_uid != me && me != 0)
+      return TKT_FIL_ACC;
+  }
+#endif
+
+  /*
+   * If "wflag" is set, open the ticket file in append-writeonly mode
+   * and lock the ticket file in exclusive mode.  If unable to lock
+   * the file, sleep and try again.  If we fail again, return with the
+   * proper error message. 
+   */
+
+  curpos = sizeof(tfbfr);
+
+    
+  if (wflag) {
+    fd = open(tf_name, O_RDWR | O_BINARY, 0600);
+    if (fd < 0) {
+      return TKT_FIL_ACC;
+    }
+    for (i_retry = 0; i_retry < TF_LCK_RETRY_COUNT; i_retry++) {
+      if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
+	if (krb_debug)
+	  krb_warning("tf_init: retry %d of write lock of `%s'.\n",
+		      i_retry, tf_name);
+	sleep (TF_LCK_RETRY);
+      } else {
+	return KSUCCESS;		/* all done */
+      }
+    }
+    close (fd);
+    fd = -1;
+    return TKT_FIL_LCK;
+  }
+  /*
+   * Otherwise "wflag" is not set and the ticket file should be opened
+   * for read-only operations and locked for shared access. 
+   */
+
+  fd = open(tf_name, O_RDONLY | O_BINARY, 0600);
+  if (fd < 0) {
+    return TKT_FIL_ACC;
+  }
+
+  for (i_retry = 0; i_retry < TF_LCK_RETRY_COUNT; i_retry++) {
+    if (flock(fd, LOCK_SH | LOCK_NB) < 0) {
+      if (krb_debug)
+	krb_warning("tf_init: retry %d of read lock of `%s'.\n",
+		    i_retry, tf_name);
+      sleep (TF_LCK_RETRY);
+    } else {
+      return KSUCCESS;		/* all done */
+    }
+  }
+  /* failure */
+  close(fd);
+  fd = -1;
+  return TKT_FIL_LCK;
+}
+
+/*
+ * tf_create() should be called when creating a new ticket file.
+ * The only argument is the name of the ticket file.
+ * After calling this, it should be possible to use other tf_* functions.
+ *
+ * New algoritm for creating ticket file:
+ * 1. try to erase contents of existing file.
+ * 2. try to remove old file.
+ * 3. try to open with O_CREAT and O_EXCL
+ * 4. if this fails, someone has created a file in between 1 and 2 and
+ *    we should fail.  Otherwise, all is wonderful.
+ */
+
+int
+tf_create(char *tf_name)
+{
+  if (unlink (tf_name) && errno != ENOENT)
+    return TKT_FIL_ACC;
+
+  fd = open(tf_name, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
+  if (fd < 0)
+    return TKT_FIL_ACC;
+  if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
+    sleep(TF_LCK_RETRY);
+    if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
+      close(fd);
+      fd = -1;
+      return TKT_FIL_LCK;
+    }
+  }
+  return KSUCCESS;
+}
+
+/*
+ * tf_get_pname() reads the principal's name from the ticket file. It
+ * should only be called after tf_init() has been called.  The
+ * principal's name is filled into the "p" parameter.  If all goes well,
+ * KSUCCESS is returned.  If tf_init() wasn't called, TKT_FIL_INI is
+ * returned.  If the name was null, or EOF was encountered, or the name
+ * was longer than ANAME_SZ, TKT_FIL_FMT is returned. 
+ */
+
+int
+tf_get_pname(char *p)
+{
+  if (fd < 0) {
+    if (krb_debug)
+      krb_warning("tf_get_pname called before tf_init.\n");
+    return TKT_FIL_INI;
+  }
+  if (tf_gets(p, ANAME_SZ) < 2)	/* can't be just a null */
+    {
+      if (krb_debug) 
+	krb_warning ("tf_get_pname: pname < 2.\n");
+      return TKT_FIL_FMT;
+    }
+  return KSUCCESS;
+}
+
+/*
+ * tf_put_pname() sets the principal's name in the ticket file. Call
+ * after tf_create().
+ */
+
+int
+tf_put_pname(const char *p)
+{
+  unsigned count;
+
+  if (fd < 0) {
+    if (krb_debug)
+      krb_warning("tf_put_pname called before tf_create.\n");
+    return TKT_FIL_INI;
+  }
+  count = strlen(p)+1;
+  if (write(fd,p,count) != count)
+    return(KFAILURE);
+  return KSUCCESS;
+}
+
+/*
+ * tf_get_pinst() reads the principal's instance from a ticket file.
+ * It should only be called after tf_init() and tf_get_pname() have been
+ * called.  The instance is filled into the "inst" parameter.  If all
+ * goes well, KSUCCESS is returned.  If tf_init() wasn't called,
+ * TKT_FIL_INI is returned.  If EOF was encountered, or the instance
+ * was longer than ANAME_SZ, TKT_FIL_FMT is returned.  Note that the
+ * instance may be null. 
+ */
+
+int
+tf_get_pinst(char *inst)
+{
+  if (fd < 0) {
+    if (krb_debug)
+      krb_warning("tf_get_pinst called before tf_init.\n");
+    return TKT_FIL_INI;
+  }
+  if (tf_gets(inst, INST_SZ) < 1)
+    {
+      if (krb_debug)
+	krb_warning("tf_get_pinst: inst_sz < 1.\n");
+      return TKT_FIL_FMT;
+    }
+  return KSUCCESS;
+}
+
+/*
+ * tf_put_pinst writes the principal's instance to the ticket file.
+ * Call after tf_create.
+ */
+
+int
+tf_put_pinst(const char *inst)
+{
+  unsigned count;
+
+  if (fd < 0) {
+    if (krb_debug)
+      krb_warning("tf_put_pinst called before tf_create.\n");
+    return TKT_FIL_INI;
+  }
+  count = strlen(inst)+1;
+  if (write(fd,inst,count) != count)
+    return(KFAILURE);
+  return KSUCCESS;
+}
+
+/*
+ * tf_get_cred() reads a CREDENTIALS record from a ticket file and fills
+ * in the given structure "c".  It should only be called after tf_init(),
+ * tf_get_pname(), and tf_get_pinst() have been called. If all goes well,
+ * KSUCCESS is returned.  Possible error codes are: 
+ *
+ * TKT_FIL_INI  - tf_init wasn't called first
+ * TKT_FIL_FMT  - bad format
+ * EOF          - end of file encountered
+ */
+
+static int
+real_tf_get_cred(CREDENTIALS *c)
+{
+  KTEXT   ticket = &c->ticket_st;	/* pointer to ticket */
+  int     k_errno;
+
+  if (fd < 0) {
+    if (krb_debug)
+      krb_warning ("tf_get_cred called before tf_init.\n");
+    return TKT_FIL_INI;
+  }
+  if ((k_errno = tf_gets(c->service, SNAME_SZ)) < 2)
+    switch (k_errno) {
+    case TOO_BIG:
+      if (krb_debug)
+	krb_warning("tf_get_cred: too big service cred.\n");
+    case 1:		/* can't be just a null */
+      tf_close();
+      if (krb_debug)
+	krb_warning("tf_get_cred: null service cred.\n");
+      return TKT_FIL_FMT;
+    case 0:
+      return EOF;
+    }
+  if ((k_errno = tf_gets(c->instance, INST_SZ)) < 1)
+    switch (k_errno) {
+    case TOO_BIG:
+      if (krb_debug)
+	krb_warning ("tf_get_cred: too big instance cred.\n");
+      return TKT_FIL_FMT;
+    case 0:
+      return EOF;
+    }
+  if ((k_errno = tf_gets(c->realm, REALM_SZ)) < 2)
+    switch (k_errno) {
+    case TOO_BIG:
+      if (krb_debug)
+	krb_warning ("tf_get_cred: too big realm cred.\n");
+    case 1:		/* can't be just a null */
+      tf_close();
+      if (krb_debug)
+	krb_warning ("tf_get_cred: null realm cred.\n");
+      return TKT_FIL_FMT;
+    case 0:
+      return EOF;
+    }
+  if (
+      tf_read((c->session), DES_KEY_SZ) < 1 ||
+      tf_read(&(c->lifetime), sizeof(c->lifetime)) < 1 ||
+      tf_read(&(c->kvno), sizeof(c->kvno)) < 1 ||
+      tf_read(&(ticket->length), sizeof(ticket->length))
+      < 1 ||
+      /* don't try to read a silly amount into ticket->dat */
+      ticket->length > MAX_KTXT_LEN ||
+      tf_read((ticket->dat), ticket->length) < 1 ||
+      tf_read(&(c->issue_date), sizeof(c->issue_date)) < 1
+      ) {
+    tf_close();
+    if (krb_debug)
+      krb_warning ("tf_get_cred: failed tf_read.\n");
+    return TKT_FIL_FMT;
+  }
+  return KSUCCESS;
+}
+
+int
+tf_get_cred(CREDENTIALS *c)
+{
+  int ret;
+  int fake;
+
+  do {
+    fake = 0;
+
+    ret = real_tf_get_cred (c);
+    if (ret)
+      return ret;
+
+    if(strcmp(c->service, MAGIC_TICKET_NAME) == 0) {
+      if(strcmp(c->instance, MAGIC_TICKET_TIME_DIFF_INST) == 0) {
+	/* we found the magic `time diff' ticket; update the kdc time
+         differential, and then get the next ticket */
+	u_int32_t d;
+
+	krb_get_int(c->ticket_st.dat, &d, 4, 0);
+	krb_set_kdc_time_diff(d);
+	fake = 1;
+      } else if (strcmp(c->instance, MAGIC_TICKET_ADDR_INST) == 0) {
+	fake = 1;
+      }
+    }
+  } while (fake);
+  return ret;
+}
+
+int
+tf_get_cred_addr(char *realm, size_t realm_sz, struct in_addr *addr)
+{
+  int ret;
+  int fake;
+  CREDENTIALS cred;
+
+  do {
+    fake = 1;
+
+    ret = real_tf_get_cred (&cred);
+    if (ret)
+      return ret;
+
+    if(strcmp(cred.service, MAGIC_TICKET_NAME) == 0) {
+      if(strcmp(cred.instance, MAGIC_TICKET_TIME_DIFF_INST) == 0) {
+	/* we found the magic `time diff' ticket; update the kdc time
+         differential, and then get the next ticket */
+	u_int32_t d;
+
+	krb_get_int(cred.ticket_st.dat, &d, 4, 0);
+	krb_set_kdc_time_diff(d);
+      } else if (strcmp(cred.instance, MAGIC_TICKET_ADDR_INST) == 0) {
+	strlcpy(realm, cred.realm, realm_sz);
+	memcpy (addr, cred.ticket_st.dat, sizeof(*addr));
+	fake = 0;
+      }
+    }
+  } while (fake);
+  return ret;
+}
+
+/*
+ * tf_close() closes the ticket file and sets "fd" to -1. If "fd" is
+ * not a valid file descriptor, it just returns.  It also clears the
+ * buffer used to read tickets.
+ *
+ * The return value is not defined.
+ */
+
+void
+tf_close(void)
+{
+  if (!(fd < 0)) {
+    flock(fd, LOCK_UN);
+    close(fd);
+    fd = -1;		/* see declaration of fd above */
+  }
+  memset(tfbfr, 0, sizeof(tfbfr));
+}
+
+/*
+ * tf_gets() is an internal routine.  It takes a string "s" and a count
+ * "n", and reads from the file until either it has read "n" characters,
+ * or until it reads a null byte. When finished, what has been read exists
+ * in "s". If it encounters EOF or an error, it closes the ticket file. 
+ *
+ * Possible return values are:
+ *
+ * n            the number of bytes read (including null terminator)
+ *              when all goes well
+ *
+ * 0            end of file or read error
+ *
+ * TOO_BIG      if "count" characters are read and no null is
+ *		encountered. This is an indication that the ticket
+ *		file is seriously ill.
+ */
+
+static int
+tf_gets(char *s, int n)
+{
+  int count;
+
+  if (fd < 0) {
+    if (krb_debug)
+      krb_warning ("tf_gets called before tf_init.\n");
+    return TKT_FIL_INI;
+  }
+  for (count = n - 1; count > 0; --count) {
+    if (curpos >= sizeof(tfbfr)) {
+      lastpos = read(fd, tfbfr, sizeof(tfbfr));
+      curpos = 0;
+    }
+    if (curpos == lastpos) {
+      tf_close();
+      return 0;
+    }
+    *s = tfbfr[curpos++];
+    if (*s++ == '\0')
+      return (n - count);
+  }
+  tf_close();
+  return TOO_BIG;
+}
+
+/*
+ * tf_read() is an internal routine.  It takes a string "s" and a count
+ * "n", and reads from the file until "n" bytes have been read.  When
+ * finished, what has been read exists in "s".  If it encounters EOF or
+ * an error, it closes the ticket file.
+ *
+ * Possible return values are:
+ *
+ * n		the number of bytes read when all goes well
+ *
+ * 0		on end of file or read error
+ */
+
+static int
+tf_read(void *v, int n)
+{
+  char *s = (char *)v;
+  int count;
+    
+  for (count = n; count > 0; --count) {
+    if (curpos >= sizeof(tfbfr)) {
+      lastpos = read(fd, tfbfr, sizeof(tfbfr));
+      curpos = 0;
+    }
+    if (curpos == lastpos) {
+      tf_close();
+      return 0;
+    }
+    *s++ = tfbfr[curpos++];
+  }
+  return n;
+}
+     
+/*
+ * tf_save_cred() appends an incoming ticket to the end of the ticket
+ * file.  You must call tf_init() before calling tf_save_cred().
+ *
+ * The "service", "instance", and "realm" arguments specify the
+ * server's name; "session" contains the session key to be used with
+ * the ticket; "kvno" is the server key version number in which the
+ * ticket is encrypted, "ticket" contains the actual ticket, and
+ * "issue_date" is the time the ticket was requested (local host's time).
+ *
+ * Returns KSUCCESS if all goes well, TKT_FIL_INI if tf_init() wasn't
+ * called previously, and KFAILURE for anything else that went wrong.
+ */
+ 
+int
+tf_save_cred(char *service,	/* Service name */
+	     char *instance,	/* Instance */
+	     char *realm,	/* Auth domain */
+	     unsigned char *session, /* Session key */
+	     int lifetime,	/* Lifetime */
+	     int kvno,		/* Key version number */
+	     KTEXT ticket,	/* The ticket itself */
+	     u_int32_t issue_date) /* The issue time */
+{
+  int count;			/* count for write */
+
+  if (fd < 0) {			/* fd is ticket file as set by tf_init */
+    if (krb_debug)
+      krb_warning ("tf_save_cred called before tf_init.\n");
+    return TKT_FIL_INI;
+  }
+  /* Find the end of the ticket file */
+  lseek(fd, 0L, SEEK_END);
+
+  /* Write the ticket and associated data */
+  /* Service */
+  count = strlen(service) + 1;
+  if (write(fd, service, count) != count)
+    goto bad;
+  /* Instance */
+  count = strlen(instance) + 1;
+  if (write(fd, instance, count) != count)
+    goto bad;
+  /* Realm */
+  count = strlen(realm) + 1;
+  if (write(fd, realm, count) != count)
+    goto bad;
+  /* Session key */
+  if (write(fd, session, 8) != 8)
+    goto bad;
+  /* Lifetime */
+  if (write(fd, &lifetime, sizeof(int)) != sizeof(int))
+    goto bad;
+  /* Key vno */
+  if (write(fd, &kvno, sizeof(int)) != sizeof(int))
+    goto bad;
+  /* Tkt length */
+  if (write(fd, &(ticket->length), sizeof(int)) !=
+      sizeof(int))
+    goto bad;
+  /* Ticket */
+  count = ticket->length;
+  if (write(fd, ticket->dat, count) != count)
+    goto bad;
+  /* Issue date */
+  if (write(fd, &issue_date, sizeof(issue_date)) != sizeof(issue_date))
+    goto bad;
+
+  return (KSUCCESS);
+bad:
+  return (KFAILURE);
+}
+
+int
+tf_setup(CREDENTIALS *cred, const char *pname, const char *pinst)
+{
+    int ret;
+    ret = tf_create(tkt_string());
+    if (ret != KSUCCESS)
+	return ret;
+
+    if (tf_put_pname(pname) != KSUCCESS ||
+	tf_put_pinst(pinst) != KSUCCESS) {
+	tf_close();
+	return INTK_ERR;
+    }
+    
+    if(krb_get_kdc_time_diff() != 0) {
+	/* Add an extra magic ticket containing the time differential
+           to the kdc. The first ticket defines which realm we belong
+           to, but since this ticket gets the same realm as the tgt,
+           this shouldn't be a problem */
+	des_cblock s = { 0, 0, 0, 0, 0, 0, 0, 0 };
+	KTEXT_ST t;
+	int d = krb_get_kdc_time_diff();
+	krb_put_int(d, t.dat, sizeof(t.dat), 4);
+	t.length = 4;
+	tf_save_cred(MAGIC_TICKET_NAME, MAGIC_TICKET_TIME_DIFF_INST,
+		     cred->realm, s, 
+		     cred->lifetime, 0, &t, cred->issue_date);
+    }
+    ret = tf_save_cred(cred->service, cred->instance, cred->realm, 
+		       cred->session, cred->lifetime, cred->kvno,
+		       &cred->ticket_st, cred->issue_date);
+    tf_close();
+    return ret;
+}
+
+int
+in_tkt(char *pname, char *pinst)
+{
+  int ret;
+  
+  ret = tf_create (tkt_string());
+  if (ret != KSUCCESS)
+    return ret;
+
+    if (tf_put_pname(pname) != KSUCCESS ||
+	tf_put_pinst(pinst) != KSUCCESS) {
+	tf_close();
+	return INTK_ERR;
+    }
+
+    tf_close();
+    return KSUCCESS;
+}
+
+/*
+ * If there's a magic ticket with an address for realm `realm' in
+ * ticket file, return it in `addr'.
+ * realm == NULL means any realm.
+ */
+
+int
+tf_get_addr (const char *realm, struct in_addr *addr)
+{
+  CREDENTIALS cred;
+  krb_principal princ;
+  int ret;
+
+  ret = tf_init (tkt_string (), R_TKT_FIL);
+  if (ret)
+    return ret;
+
+  ret = tf_get_pname (princ.name);
+  if (ret)
+    goto out;
+  ret = tf_get_pinst (princ.name);
+  if (ret)
+    goto out;
+  while ((ret = real_tf_get_cred (&cred)) == KSUCCESS) {
+    if (strcmp (cred.service, MAGIC_TICKET_NAME) == 0
+	&& strcmp (cred.instance, MAGIC_TICKET_ADDR_INST) == 0
+	&& (realm == NULL
+	    || strcmp (cred.realm, realm) == 0)) {
+      memcpy (addr, cred.ticket_st.dat, sizeof(*addr));
+      goto out;
+    }
+  }
+  ret = KFAILURE;
+
+out:
+  tf_close ();
+  return ret;
+}
+
+/*
+ * Store `realm, addr' as a magic ticket.
+ */
+
+int
+tf_store_addr (const char *realm, struct in_addr *addr)
+{
+  CREDENTIALS c;
+  krb_principal princ;
+  int ret;
+  des_cblock s = { 0, 0, 0, 0, 0, 0, 0, 0 };
+  KTEXT_ST t;
+
+  ret = tf_init (tkt_string (), W_TKT_FIL);
+  if (ret)
+    return ret;
+
+  t.length = sizeof(*addr);
+  memcpy (t.dat, addr, sizeof(*addr));
+
+  ret = tf_save_cred (MAGIC_TICKET_NAME, MAGIC_TICKET_ADDR_INST,
+		      (char *)realm, s, 0, /* lifetime */ 
+		      0, /* kvno */
+		      &t, time(NULL));
+  tf_close ();
+  return ret;
+}
diff --git a/crypto/kerberosIV/lib/krb/ticket_memory.c b/crypto/kerberosIV/lib/krb/ticket_memory.c
new file mode 100644
index 0000000..f694190
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/ticket_memory.c
@@ -0,0 +1,435 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* ticket_memory.c - Storage for tickets in memory
+ * Author: d93-jka@nada.kth.se - June 1996
+ */
+
+#define WIN32_LEAN_AND_MEAN
+#include <Windows.h>
+#include "krb_locl.h"
+#include "ticket_memory.h"
+
+RCSID("$Id: ticket_memory.c,v 1.15 1999/12/02 16:58:44 joda Exp $");
+
+void msg(char *text, int error);
+
+/* Global variables for memory mapping. */
+HANDLE	SharedMemoryHandle;
+tktmem	*SharedMemory;
+
+static int CredIndex = -1;
+
+void PostUpdateMessage(void);
+
+int
+newTktMem(const char *tf_name)
+{
+    if(!SharedMemory){
+	SharedMemoryHandle = CreateFileMapping((HANDLE)-1, 0,
+					       PAGE_READWRITE,
+					       sizeof(tktmem) >> 16,
+					       sizeof(tktmem) & 0xffff,
+					       "krb_memory");
+	
+	if(!SharedMemoryHandle){
+	    msg("Could not create shared memory.", GetLastError());
+	    return KFAILURE;
+	}
+		
+	SharedMemory = MapViewOfFile(SharedMemoryHandle,
+				     FILE_MAP_WRITE, 0, 0, 0);
+	if(!SharedMemory){
+	    msg("Unable to alloc shared memory.", GetLastError());
+	    return KFAILURE;
+	}
+	if(GetLastError() != ERROR_ALREADY_EXISTS) {
+            memset(SharedMemory, 0, sizeof(*SharedMemory));
+	    if(tf_name)
+		strlcpy(SharedMemory->tmname,
+				tf_name, sizeof(SharedMemory->tmname));
+	}
+    }
+    CredIndex = 0;
+    return KSUCCESS;
+}
+
+int
+freeTktMem(const char *tf_name)
+{
+    if(SharedMemory) {
+	UnmapViewOfFile(SharedMemory);
+	CloseHandle(SharedMemoryHandle);
+    }
+    return KSUCCESS;
+}
+
+
+
+tktmem *
+getTktMem(const char *tf_name)
+{
+    return SharedMemory;
+}
+
+void
+firstCred(void)
+{
+    if(getTktMem(0)->last_cred_no > 0)
+	CredIndex = 0;
+    else
+	CredIndex = -1;
+}
+	
+int
+nextCredIndex(void)
+{
+    const tktmem *mem;
+    int last;
+    mem = getTktMem(0);
+    last = mem->last_cred_no;
+    if(CredIndex >= 0 && CredIndex < last )
+	return CredIndex++;
+    else
+	return CredIndex = -1;
+}
+
+int
+currCredIndex(void)
+{
+    const tktmem *mem;
+    int last;
+    mem = getTktMem(0);
+    last = mem->last_cred_no;
+    if(CredIndex >= 0 && CredIndex < last)
+	return CredIndex;
+    else
+	return CredIndex = -1;
+}
+
+int
+nextFreeIndex(void)
+{
+    tktmem *mem = getTktMem(0);
+    if(mem->last_cred_no > CRED_VEC_SZ)
+	return -1;
+    else
+	return mem->last_cred_no++;
+}
+
+/*
+ * in_tkt() is used to initialize the ticket store.  It creates the
+ * file to contain the tickets and writes the given user's name "pname"
+ * and instance "pinst" in the file.  in_tkt() returns KSUCCESS on
+ * success, or KFAILURE if something goes wrong.
+ */
+
+int
+in_tkt(char *pname, char *pinst)
+{
+    /* Here goes code to initialize shared memory, to store tickets in. */
+    /* Implemented somewhere else. */
+    return KFAILURE;
+}
+
+/*
+ * dest_tkt() is used to destroy the ticket store upon logout.
+ * If the ticket file does not exist, dest_tkt() returns RET_TKFIL.
+ * Otherwise the function returns RET_OK on success, KFAILURE on
+ * failure.
+ *
+ * The ticket file (TKT_FILE) is defined in "krb.h".
+ */
+
+int
+dest_tkt(void)
+{
+    memset(getTktMem(0), 0, sizeof(tktmem));
+    return 0;
+}
+
+/* Short description of routines:
+ *
+ * tf_init() opens the ticket file and locks it.
+ *
+ * tf_get_pname() returns the principal's name.
+ *
+ * tf_put_pname() writes the principal's name to the ticket file.
+ *
+ * tf_get_pinst() returns the principal's instance (may be null).
+ *
+ * tf_put_pinst() writes the instance.
+ *
+ * tf_get_cred() returns the next CREDENTIALS record.
+ *
+ * tf_save_cred() appends a new CREDENTIAL record to the ticket file.
+ *
+ * tf_close() closes the ticket file and releases the lock.
+ *
+ * tf_gets() returns the next null-terminated string.  It's an internal
+ * routine used by tf_get_pname(), tf_get_pinst(), and tf_get_cred().
+ *
+ * tf_read() reads a given number of bytes.  It's an internal routine
+ * used by tf_get_cred().
+ */
+
+/*
+ * tf_init() should be called before the other ticket file routines.
+ * It takes the name of the ticket file to use, "tf_name", and a
+ * read/write flag "rw" as arguments. 
+ *
+ * Returns KSUCCESS if all went well, otherwise one of the following: 
+ *
+ * NO_TKT_FIL   - file wasn't there
+ * TKT_FIL_ACC  - file was in wrong mode, etc.
+ * TKT_FIL_LCK  - couldn't lock the file, even after a retry
+ */
+
+int
+tf_init(char *tf_name, int rw)
+{
+    if(!getTktMem(tf_name))
+	return NO_TKT_FIL;
+    firstCred();
+    return KSUCCESS;
+}
+
+/*
+ * tf_create() should be called when creating a new ticket file.
+ * The only argument is the name of the ticket file.
+ * After calling this, it should be possible to use other tf_* functions.
+ */
+
+int
+tf_create(char *tf_name)
+{
+    if(newTktMem(tf_name) != KSUCCESS)
+	return NO_TKT_FIL;
+    return KSUCCESS;
+}
+
+/*
+ * tf_get_pname() reads the principal's name from the ticket file. It
+ * should only be called after tf_init() has been called.  The
+ * principal's name is filled into the "p" parameter.  If all goes well,
+ * KSUCCESS is returned.  If tf_init() wasn't called, TKT_FIL_INI is
+ * returned.  If the name was null, or EOF was encountered, or the name
+ * was longer than ANAME_SZ, TKT_FIL_FMT is returned. 
+ */
+
+int
+tf_get_pname(char *p)
+{
+    tktmem *TktStore;
+
+    if(!(TktStore =  getTktMem(0)))
+	return KFAILURE;
+    if(!TktStore->pname[0])
+	return KFAILURE;
+    strlcpy(p, TktStore->pname, ANAME_SZ);
+    return KSUCCESS;
+}
+
+/*
+ * tf_put_pname() sets the principal's name in the ticket file. Call
+ * after tf_create().
+ */
+
+int
+tf_put_pname(char *p)
+{
+    tktmem *TktStore;
+
+    if(!(TktStore =  getTktMem(0)))
+	return KFAILURE;
+    strlcpy(TktStore->pname, p, sizeof(TktStore->pname));
+    return KSUCCESS;
+}
+
+/*
+ * tf_get_pinst() reads the principal's instance from a ticket file.
+ * It should only be called after tf_init() and tf_get_pname() have been
+ * called.  The instance is filled into the "inst" parameter.  If all
+ * goes well, KSUCCESS is returned.  If tf_init() wasn't called,
+ * TKT_FIL_INI is returned.  If EOF was encountered, or the instance
+ * was longer than ANAME_SZ, TKT_FIL_FMT is returned.  Note that the
+ * instance may be null. 
+ */
+
+int
+tf_get_pinst(char *inst)
+{
+    tktmem *TktStore;
+
+    if(!(TktStore =  getTktMem(0)))
+	return KFAILURE;
+    strlcpy(inst, TktStore->pinst, INST_SZ);
+    return KSUCCESS;
+}
+
+/*
+ * tf_put_pinst writes the principal's instance to the ticket file.
+ * Call after tf_create.
+ */
+
+int
+tf_put_pinst(char *inst)
+{
+    tktmem *TktStore;
+
+    if(!(TktStore =  getTktMem(0)))
+	return KFAILURE;
+    strlcpy(TktStore->pinst, inst, sizeof(TktStore->pinst));
+    return KSUCCESS;
+}
+
+/*
+ * tf_get_cred() reads a CREDENTIALS record from a ticket file and fills
+ * in the given structure "c".  It should only be called after tf_init(),
+ * tf_get_pname(), and tf_get_pinst() have been called. If all goes well,
+ * KSUCCESS is returned.  Possible error codes are: 
+ *
+ * TKT_FIL_INI  - tf_init wasn't called first
+ * TKT_FIL_FMT  - bad format
+ * EOF          - end of file encountered
+ */
+
+int
+tf_get_cred(CREDENTIALS *c)
+{
+    int index;
+    CREDENTIALS *cred;
+    tktmem *TktStore;
+
+    if(!(TktStore =  getTktMem(0)))
+	return KFAILURE;
+    krb_set_kdc_time_diff(TktStore->kdc_diff);
+    if((index = nextCredIndex()) == -1)
+	return EOF;
+    if(!(cred = TktStore->cred_vec+index))
+	return KFAILURE;
+    if(!c)
+	return KFAILURE;
+    memcpy(c, cred, sizeof(*c));
+    return KSUCCESS;
+}
+
+/*
+ * tf_close() closes the ticket file and sets "fd" to -1. If "fd" is
+ * not a valid file descriptor, it just returns.  It also clears the
+ * buffer used to read tickets.
+ */
+
+void
+tf_close(void)
+{
+}
+
+/*
+ * tf_save_cred() appends an incoming ticket to the end of the ticket
+ * file.  You must call tf_init() before calling tf_save_cred().
+ *
+ * The "service", "instance", and "realm" arguments specify the
+ * server's name; "session" contains the session key to be used with
+ * the ticket; "kvno" is the server key version number in which the
+ * ticket is encrypted, "ticket" contains the actual ticket, and
+ * "issue_date" is the time the ticket was requested (local host's time).
+ *
+ * Returns KSUCCESS if all goes well, TKT_FIL_INI if tf_init() wasn't
+ * called previously, and KFAILURE for anything else that went wrong.
+ */
+ 
+int
+tf_save_cred(char *service,	/* Service name */
+	     char *instance,	/* Instance */
+	     char *realm,	/* Auth domain */
+	     unsigned char *session, /* Session key */
+	     int lifetime,	/* Lifetime */
+	     int kvno,		/* Key version number */
+	     KTEXT ticket,	/* The ticket itself */
+	     u_int32_t issue_date) /* The issue time */
+{
+    CREDENTIALS *cred;
+    tktmem *mem =  getTktMem(0);
+    int last = nextFreeIndex();
+
+    if(last == -1)
+	return KFAILURE;
+    cred = mem->cred_vec+last;
+    strlcpy(cred->service, service, sizeof(cred->service));
+    strlcpy(cred->instance, instance, sizeof(cred->instance));
+    strlcpy(cred->realm, realm, sizeof(cred->realm));
+    memcpy(cred->session, session, sizeof(cred->session));
+    cred->lifetime = lifetime;
+    cred->kvno = kvno;
+    memcpy(&(cred->ticket_st), ticket, sizeof(*ticket));
+    cred->issue_date = issue_date;
+    strlcpy(cred->pname, mem->pname, sizeof(cred->pname));
+    strlcpy(cred->pinst, mem->pinst, sizeof(cred->pinst));
+    PostUpdateMessage();
+    return KSUCCESS;
+}
+
+
+static void
+set_time_diff(time_t diff)
+{
+    tktmem *TktStore = getTktMem(0);
+    if(TktStore == NULL)
+	return;
+    TktStore->kdc_diff = diff;
+}
+
+
+int
+tf_setup(CREDENTIALS *cred, char *pname, char *pinst)
+{
+    int ret;
+    ret = tf_create(tkt_string());
+    if (ret != KSUCCESS)
+	return ret;
+
+    if (tf_put_pname(pname) != KSUCCESS ||
+	tf_put_pinst(pinst) != KSUCCESS) {
+	tf_close();
+	return INTK_ERR;
+    }
+
+    set_time_diff(krb_get_kdc_time_diff());
+
+    ret = tf_save_cred(cred->service, cred->instance, cred->realm, 
+		       cred->session, cred->lifetime, cred->kvno,
+		       &cred->ticket_st, cred->issue_date);
+    tf_close();
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/krb/ticket_memory.h b/crypto/kerberosIV/lib/krb/ticket_memory.h
new file mode 100644
index 0000000..72fb686
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/ticket_memory.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* ticket_memory.h - Storage for tickets in memory
+ * Author: d93-jka@nada.kth.se - June 1996
+ */
+
+/* $Id: ticket_memory.h,v 1.8 1999/12/02 16:58:44 joda Exp $ */
+
+#ifndef	TICKET_MEMORY_H
+#define TICKET_MEMORY_H
+
+#include "krb_locl.h"
+
+#define CRED_VEC_SZ	20
+
+typedef struct _tktmem
+{
+  char tmname[64];
+  char pname[ANAME_SZ];	/* Principal's name */
+  char pinst[INST_SZ];	/* Principal's instance */
+  int last_cred_no;
+  CREDENTIALS cred_vec[CRED_VEC_SZ];
+  time_t kdc_diff;
+} tktmem;
+
+int newTktMem(const char *tf_name);
+int freeTktMem(const char *tf_name);
+tktmem *getTktMem(const char *tf_name);
+void firstCred(void);
+int nextCredIndex(void);
+int currCredIndex(void);
+int nextFreeIndex(void);
+
+#endif /* TICKET_MEMORY_H */
diff --git a/crypto/kerberosIV/lib/krb/time.c b/crypto/kerberosIV/lib/krb/time.c
new file mode 100644
index 0000000..015259b
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/time.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: time.c,v 1.4 1999/12/02 16:58:44 joda Exp $");
+
+/* number of seconds the kdc clock is ahead of us */
+static int time_diff;
+
+void
+krb_set_kdc_time_diff(int diff)
+{
+    time_diff = diff;
+    if(krb_debug) 
+	krb_warning("Setting time diff to %d\n", diff);
+}
+
+int
+krb_get_kdc_time_diff(void)
+{
+    return time_diff;
+}
+
+/* return the time at the kdc (local time corrected with a time
+   differential) */
+void
+krb_kdctimeofday(struct timeval *tv)
+{
+    time_t t;
+
+    gettimeofday(tv, NULL);
+    t = tv->tv_sec;
+
+    if(krb_debug) 
+	krb_warning("Machine time: %s", ctime(&t));
+    t += krb_get_kdc_time_diff();
+    if(krb_debug) 
+	krb_warning("Correcting to %s", ctime(&t));
+    tv->tv_sec = t;
+}
diff --git a/crypto/kerberosIV/lib/krb/tkt_string.c b/crypto/kerberosIV/lib/krb/tkt_string.c
new file mode 100644
index 0000000..0aa787c
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/tkt_string.c
@@ -0,0 +1,75 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+#include "krb_locl.h"
+
+RCSID("$Id: tkt_string.c,v 1.15 1999/09/16 20:41:55 assar Exp $");
+
+/*
+ * This routine is used to generate the name of the file that holds
+ * the user's cache of server tickets and associated session keys.
+ *
+ * If it is set, krb_ticket_string contains the ticket file name.
+ * Otherwise, the filename is constructed as follows:
+ *
+ * If it is set, the environment variable "KRBTKFILE" will be used as
+ * the ticket file name.  Otherwise TKT_ROOT (defined in "krb.h") and
+ * the user's uid are concatenated to produce the ticket file name
+ * (e.g., "/tmp/tkt123").  A pointer to the string containing the ticket
+ * file name is returned.
+ */
+
+static char krb_ticket_string[MaxPathLen] = "";
+
+char *
+tkt_string(void)
+{
+    char *env;
+
+    if (!*krb_ticket_string) {
+        if ((env = getenv("KRBTKFILE"))) {
+	    strlcpy (krb_ticket_string,
+			     env,
+			     sizeof(krb_ticket_string));
+	} else {
+	    snprintf(krb_ticket_string, sizeof(krb_ticket_string),
+		     "%s%u",TKT_ROOT, (unsigned)getuid());
+        }
+    }
+    return krb_ticket_string;
+}
+
+/*
+ * This routine is used to set the name of the file that holds the user's
+ * cache of server tickets and associated session keys.
+ *
+ * The value passed in is copied into local storage.
+ *
+ * NOTE:  This routine should be called during initialization, before other
+ * Kerberos routines are called; otherwise tkt_string() above may be called
+ * and return an undesired ticket file name until this routine is called.
+ */
+
+void
+krb_set_tkt_string(const char *val)
+{
+    strlcpy (krb_ticket_string, val, sizeof(krb_ticket_string));
+}
diff --git a/crypto/kerberosIV/lib/krb/unparse_name.c b/crypto/kerberosIV/lib/krb/unparse_name.c
new file mode 100644
index 0000000..36f0a71
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/unparse_name.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: unparse_name.c,v 1.10 1999/12/02 16:58:44 joda Exp $");
+
+static void
+quote_string(char *quote, char *from, char *to)
+{
+    while(*from){
+	if(strchr(quote, *from))
+	    *to++ = '\\';
+	*to++ = *from++;
+    }
+    *to = 0;
+}
+
+/* To be compatible with old functions, we quote differently in each
+   part of the principal*/
+
+char *
+krb_unparse_name_r(krb_principal *pr, char *fullname)
+{
+    quote_string("'@\\", pr->name, fullname);
+    if(pr->instance[0]){
+	strcat(fullname, ".");
+	quote_string("@\\", pr->instance, fullname + strlen(fullname));
+    }
+    if(pr->realm[0]){
+	strcat(fullname, "@");
+	quote_string("\\", pr->realm, fullname + strlen(fullname));
+    }
+    return fullname;
+}
+
+char *
+krb_unparse_name_long_r(char *name, char *instance, char *realm,
+			char *fullname)
+{
+    krb_principal pr;
+
+    memset(&pr, 0, sizeof(pr));
+    strlcpy(pr.name, name, sizeof(pr.name));
+    if(instance)
+	strlcpy(pr.instance, instance, sizeof(pr.instance));
+    if(realm)
+	strlcpy(pr.realm, realm, sizeof(pr.realm));
+    return krb_unparse_name_r(&pr, fullname);
+}
+
+char *
+krb_unparse_name(krb_principal *pr)
+{
+    static char principal[MAX_K_NAME_SZ];
+    krb_unparse_name_r(pr, principal);
+    return principal;
+}
+
+char *
+krb_unparse_name_long(char *name, char *instance, char *realm)
+{
+    krb_principal pr;
+
+    memset(&pr, 0, sizeof(pr));
+    strlcpy(pr.name, name, sizeof(pr.name));
+    if(instance)
+	strlcpy(pr.instance, instance, sizeof(pr.instance));
+    if(realm)
+	strlcpy(pr.realm, realm, sizeof(pr.realm));
+    return krb_unparse_name(&pr);
+}
diff --git a/crypto/kerberosIV/lib/krb/verify_user.c b/crypto/kerberosIV/lib/krb/verify_user.c
new file mode 100644
index 0000000..24138e2
--- /dev/null
+++ b/crypto/kerberosIV/lib/krb/verify_user.c
@@ -0,0 +1,184 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb_locl.h"
+
+RCSID("$Id: verify_user.c,v 1.17.2.2 2000/12/15 14:43:37 assar Exp $");
+
+/*
+ * Verify user (name.instance@realm) with `password'.
+ *
+ * If secure, also verify against local
+ * service key (`linstance'.hostname) (or rcmd if linstance == NULL),
+ * this can (usually) only be done by root.
+ *
+ * If secure == KRB_VERIFY_SECURE, fail if there's no key.
+ * If secure == KRB_VERIFY_SECURE_FAIL, don't fail if there's no such
+ * key in the srvtab.
+ *
+ * As a side effect, fresh tickets are obtained.
+ *
+ * srvtab is where the key is found.
+ * 
+ * Returns zero if ok, a positive kerberos error or -1 for system
+ * errors.
+ */
+
+static int
+krb_verify_user_srvtab_exact(char *name,
+			     char *instance,
+			     char *realm,
+			     char *password, 
+			     int secure,
+			     char *linstance,
+			     char *srvtab)
+{
+    int ret;
+
+    ret = krb_get_pw_in_tkt(name, instance, realm,
+			    KRB_TICKET_GRANTING_TICKET,
+			    realm,
+			    DEFAULT_TKT_LIFE, password);
+    if(ret != KSUCCESS)
+	return ret;
+
+    if(secure == KRB_VERIFY_SECURE || secure == KRB_VERIFY_SECURE_FAIL){
+	struct hostent *hp;
+	int32_t addr;
+	
+	KTEXT_ST ticket;
+	AUTH_DAT auth;
+	int n;
+
+	char lrealm[REALM_SZ];
+	char hostname[MaxHostNameLen];
+	char *phost;
+
+	if (gethostname(hostname, sizeof(hostname)) == -1) {
+	    dest_tkt();
+	    return -1;
+	}
+
+	hp = gethostbyname(hostname);
+	if(hp == NULL){
+	    dest_tkt();
+	    return -1;
+	}
+	memcpy(&addr, hp->h_addr, sizeof(addr));
+	phost = krb_get_phost(hostname);
+	if (linstance == NULL)
+	    linstance = "rcmd";
+
+	ret = KFAILURE;
+
+	for (n = 1; krb_get_lrealm(lrealm, n) == KSUCCESS; ++n) {
+	    if(secure == KRB_VERIFY_SECURE_FAIL) {
+		des_cblock key;
+		ret = read_service_key(linstance, phost, lrealm, 0, srvtab,
+				       &key);
+		memset(key, 0, sizeof(key));
+		if(ret == KFAILURE)
+		    continue;
+	    }
+
+	    ret = krb_mk_req(&ticket, linstance, phost, lrealm, 0);
+	    if(ret == KSUCCESS) {
+		ret = krb_rd_req(&ticket, linstance, phost, addr, &auth,
+				 srvtab);
+		if (ret == KSUCCESS)
+		    break;
+	    }
+	}
+	if (ret != KSUCCESS) {
+	    dest_tkt();
+	    return ret;
+	}
+    }
+    return 0;
+}
+		
+/*
+ * Try to verify the user and password against all the local realms.
+ */
+
+int
+krb_verify_user_srvtab(char *name,
+		       char *instance,
+		       char *realm,
+		       char *password, 
+		       int secure,
+		       char *linstance,
+		       char *srvtab)
+{
+  int ret;
+  int n;
+  char rlm[256];
+
+  /* First try to verify against the supplied realm. */
+  ret = krb_verify_user_srvtab_exact(name, instance, realm, password,
+				     secure, linstance, srvtab);
+  if (ret == KSUCCESS)
+    return KSUCCESS;
+
+  /* Verify all local realms, except the supplied realm. */
+  for (n = 1; krb_get_lrealm(rlm, n) == KSUCCESS; n++)
+    if (strcmp(rlm, realm) != 0) {
+      ret = krb_verify_user_srvtab_exact(name, instance, rlm, password,
+					 secure, linstance, srvtab);
+      if (ret == KSUCCESS)
+	return KSUCCESS;
+    }
+
+  return ret;
+}
+
+/*
+ * Compat function without srvtab.
+ */
+
+int
+krb_verify_user(char *name,
+		char *instance,
+		char *realm,
+		char *password, 
+		int secure,
+		char *linstance)
+{
+    return krb_verify_user_srvtab (name,
+				   instance,
+				   realm,
+				   password,
+				   secure,
+				   linstance,
+				   (char *)KEYFILE);
+}
diff --git a/crypto/kerberosIV/lib/roken/ChangeLog b/crypto/kerberosIV/lib/roken/ChangeLog
new file mode 100644
index 0000000..116fdbd
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/ChangeLog
@@ -0,0 +1,614 @@
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* getopt.c (getopt): return -1 instead of EOF.  From
+	<art@stacken.kth.se>
+
+1999-11-13  Assar Westerlund  <assar@sics.se>
+
+	* strftime.c (strftime): handle `%z' and `%Z' in a tm_gmtoff-less
+	world
+
+	* getcap.c: make sure to use db only if we have both the library
+	and the header file
+	
+1999-11-12  Assar Westerlund  <assar@sics.se>
+
+	* getarg.h: add arg_counter
+	* getarg.c: add a new type of argument: `arg_counter' re-organize
+	the code somewhat
+	
+	* Makefile.am: add strptime and strpftime-test
+	
+	* snprintf.c (xyzprintf): try to do the right thing with an % at
+	the end of the format string
+	
+	* strptime.c (strptime): implement '%U', '%V', '%W'
+	* strftime.c (strftime): implement '%U', '%V', '%W', '%z'
+	
+	* strftime.c (strftime): correct %E and %O handling.  do something
+ 	reasonable with "...%"
+
+	* strftime.c: replace the BSD implementation by one of our own
+	coding
+
+	* strptime.c : new file
+	* strpftime-test.c: new file
+
+1999-11-07  Assar Westerlund  <assar@sics.se>
+
+	* parse_bytes-test.c: new file
+
+	* Makefile.am: add parse_bytes-test
+
+	* parse_units.c (parse_something): try to handle the case of no
+ 	value specified a little bit better
+
+1999-11-04  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 3:2:0
+
+1999-10-30  Assar Westerlund  <assar@sics.se>
+
+	* snprintf.c (PARSE_INT_FORMAT): add redundant casts to work
+ 	around a gcc-bug that manifests itself on Linux-PPC.  From Tom
+ 	Rini <trini@kernel.crashing.org>
+
+1999-10-28  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: bump version to 3:1:0
+
+	* roken.h.in: use `unsigned char' instead of `u_int8_t' to avoid
+ 	having to have that definition.  this is the easy way out instead
+ 	of getting the definition here where it's needed.  flame me.
+
+Fri Oct 22 15:39:31 1999  Bjoern Groenvall  <bg@sics.se>
+
+	* k_getpwuid.c (k_getpwuid): getspuid() does not exist (even
+ 	though it should), use getspnam().
+
+1999-10-20  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 3:0:0
+
+1999-10-18  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getarg.3: document arg_collect
+
+	* getarg.c: change the way arg_collect works; it's still quite
+	horrible though
+
+	* getarg.h: change type of the collect function
+
+1999-10-17  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: undo last commit
+
+	* xdbm.h: reorder db includes
+
+1999-10-10  Assar Westerlund  <assar@sics.se>
+
+	* socket.c: const-ize and comment
+
+	* net_write.c: const-ize
+
+	* base64.c: const-ize
+
+1999-10-06  Assar Westerlund  <assar@sics.se>
+
+	* getarg.c (getarg): also set optind when returning error
+
+1999-09-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add parse_bytes.[ch]
+
+1999-09-24  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getarg.3: getarg manpage
+
+	* getarg.{c,h}: add a callback type to do more complicated processing
+
+	* getarg.{c,h}: add floating point support
+
+1999-09-16  Assar Westerlund  <assar@sics.se>
+
+	* strlcat.c (strlcat): call strlcpy
+
+	* strlcpy.c: update name and prototype
+
+	* strlcat.c: update name and prototype
+
+	* roken.h.in: rename strc{py,at}_truncate to strlc{py,at}
+
+	* Makefile.am: rename strc{py,at}_truncate -> strlc{py,at}
+
+	* Makefile.in: rename strc{py,at}_truncate -> strlc{py,at}
+
+ 	* strcpy_truncate.c (strcpy_truncate): change return value to be
+ 	the length of `src'
+
+1999-08-16  Assar Westerlund  <assar@sics.se>
+
+	* getcap.c: try to make this work on systems with DB
+
+1999-08-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* getcap.c: protect from db-less systems
+
+1999-08-09  Johan Danielsson  <joda@pdc.kth.se>
+
+	* simple_exec.c: add simple_exec{ve,le}
+
+	* getcap.c: getcap from NetBSD
+
+1999-08-06  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (sockaddr_storage): cater for those that have
+ 	v6-support also
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* inet_ntop.c (inet_ntop_v4): remember to call ntohl
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h: add shutdown constants
+
+	* mini_inetd.c (listen_v4, listen_v6): handle the case of the
+ 	protocol not being supported
+
+1999-08-01  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (socket_set_reuseaddr): remove duplicate
+
+1999-07-29  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c (mini_inetd): fix my stupid bugs
+
+1999-07-28  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h: add socket* functions
+
+	* Makefile.am (libroken_la_SOURCES): add socket.c
+
+	* socket.c: new file, originally from appl/ftp/common
+
+	* Makefile.am: set version to 2:0:2
+
+	* roken.h.in (inet_pton): add prototype
+
+	* Makefile.am (EXTRA_libroken_la_SOURCES): add inet_pton
+
+	* inet_pton.c: new file
+
+	* getipnodebyname.c (getipnodebyname): try gethostbyname2 if we
+ 	have it
+
+1999-07-27  Assar Westerlund  <assar@sics.se>
+
+	* mini_inetd.c: support IPv6
+
+1999-07-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: set version to 1:0:1
+
+	* roken.h.in (inet_ntop): add prototype
+
+ 	* roken-common.h: (INET{,6}_ADDRSTRLEN): add
+
+	* inet_ntop.c: new file
+
+	* Makefile.am (EXTRA_libroken_la_SOURCES): add inet_ntop.c
+
+	* Makefile.am: move some files from libroken_la_SOURCES to
+ 	EXTRA_libroken_la_SOURCES
+
+	* snprintf.c: some signed vs unsigned casts
+	
+1999-07-24  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (struct sockaddr_storage): define it needed
+
+1999-07-19  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (libroken_la_SOURCES): add copyhostent.c,
+ 	freehostent.c, getipnodebyname.c, getipnodebyaddr.c
+	
+	* roken.h.in: <netdb.h>: include
+	(copyhostent, freehostent, getipnodebyname, getipnodebyaddr): add
+	prototypes
+
+	* roken-common.h: new constants for getipnodeby*
+
+	* Makefile.in (SOURCES): add freehostent, copyhostent,
+ 	getipnodebyname, getipnodebyaddr
+
+	* freehostent.c: new file
+
+	* copyhostent.c: new file
+
+	* getipnodebyaddr.c: new file
+
+	* getipnodebyname.c: new file
+
+1999-07-13  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (k_getpwnam): update prototype
+
+	* k_getpwnam.c (k_getpwnam): const-ize
+
+	* get_default_username.c (get_default_username): a better way of
+ 	guessing when the user has su:ed
+
+1999-07-08  Johan Danielsson  <joda@pdc.kth.se>
+
+	* roken.awk: use puts, as suggested by Jeffrey Hutzelman
+	<jhutz+@cmu.edu>
+
+1999-07-06  Assar Westerlund  <assar@sics.se>
+
+	* readv.c (readv): typo
+
+1999-07-03  Assar Westerlund  <assar@sics.se>
+
+	* writev.c (writev): error check malloc properly
+
+	* sendmsg.c (sendmsg): error check malloc properly
+
+	* resolve.c (parse_reply): error check malloc properly
+
+	* recvmsg.c (recvmsg): error check malloc properly
+
+	* readv.c (readv): error check malloc properly
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* parse_units.c (acc_units): move the special case of 0 -> 1 to
+ 	parse_something to avoid having it happen at the end of the string
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add get_default_username
+
+	* get_default_username.c: new file
+
+	* roken.h.in (get_default_username): add prototype
+
+	* Makefile.am: add get_default_username
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* xdbm.h: also try <db.h> with DB_DBM_HSEARCH == 1
+
+	* strnlen.c (strnlen): update prototype
+
+	* Makefile.am: strndup.c: add
+
+	* Makefile.in: strndup.c: add
+
+	* roken.h.in (strndup): add
+	(strnlen): update prototype
+
+	* strndup.c: new file
+
+Fri Apr 16 17:59:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: include strsep prototype if needed
+
+Thu Apr 15 14:04:03 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: make make-print-version.o depend on version.h
+
+Wed Apr  7 14:11:00 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: make it compile w/o krb4
+
+Sat Mar 27 17:33:03 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* snprintf.c (vasnprintf): correct check if realloc returns NULL
+
+Sat Mar 27 12:37:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: link print_version with -ldes to avoid unresolved
+ 	references if -lkrb is shared
+
+Sat Mar 20 03:42:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* roken-common.h (eread, ewrite): add
+
+	* simple_exec.c: add <roken.h>
+
+Fri Mar 19 21:29:58 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add eread, ewrite
+
+	* eread.c, ewrite.c: new files
+
+	* Makefile.am (libroken_la_SOURCES): add eread and ewrite
+
+Fri Mar 19 14:52:57 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add version-info
+
+Thu Mar 18 12:53:32 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: remove include_dir hack
+
+	* Makefile.am: parse_units.h
+
+	* Makefile.am: include Makefile.am.common
+
+Sat Mar 13 23:31:35 1999  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add glob.c
+
+Thu Mar 11 15:02:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* iruserok.c: move innetgr() to separate file
+
+	* innetgr.c: move innetgr() to separate file
+
+	* hstrerror.c (hstrerror): add const to return type
+
+	* erealloc.c: fix types in format string
+
+	* emalloc.c: fix types in format string
+
+Wed Mar 10 16:36:55 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* resolve.c: ugly fix for crays
+
+Mon Mar  8 11:52:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* roken.h.in: protos for {un,}setenv
+
+1999-02-16  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add fnmatch
+
+	* roken-common.h (abs): add
+
+Sat Feb 13 17:12:53 1999  Assar Westerlund  <assar@sics.se>
+
+	* emalloc.c, erealloc.c, estrup.c: new files
+
+	* roken.h.in (mkstemp, gethostname): also includes prototypes if
+ 	they are needed.
+
+1998-12-23  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: mkstemp: add prototype
+
+1998-12-20  Assar Westerlund  <assar@sics.se>
+
+	* snprintf.c, iruserok.c, parse-units.c: unsigned char-correctness
+
+	* roken.h.in (inet_aton): also chedk NEED_INET_ATON_PROTO
+
+	* roken-common.h: __attribute__: check for autoconf'd
+	HAVE___ATTRIBUTE__ instead of GNUC
+
+Sun Dec  6 19:53:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse_units.c (parse_something): func is called with val == 0 if
+ 	no unit was given
+	(acc_flags, acc_units): update to new standard
+
+Fri Nov 27 03:09:42 1998  Assar Westerlund  <assar@sics.se>
+
+	* resolve.c (stot): constify
+	(type_to_string): always declare
+	(dns_lookup_int): correct debug output
+
+Thu Nov 26 23:43:55 1998  Assar Westerlund  <assar@sics.se>
+
+	* resolve.c (dns_lookup_int): send rr_class to res_search
+
+Thu Nov 26 17:09:47 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* resolve.c: some cleanup
+
+	* resolve.h: add T_NAPTR
+
+Sun Nov 22 10:23:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+	* k_getpwnam.c (k_getpwnam): check for `struct spwd'
+
+	* k_getpwuid.c (k_getpwuid): check for `struct spwd'
+
+Tue Sep  8 05:18:31 1998  Assar Westerlund  <assar@sics.se>
+
+	* recvmsg.c (recvmsg): patch from bpreece@unity.ncsu.edu
+
+Fri Sep  4 16:29:27 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* vsyslog.c: asprintf -> vasprintf
+
+Tue Aug 18 22:25:52 1998  Assar Westerlund  <assar@sics.se>
+
+	* getarg.h (arg_printusage): new signature
+
+	* getarg.c (arg_printusage): new parameter `progname'.  NULL means
+ 	__progname.
+
+Sun Aug  9 14:53:44 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.am: net_{read,write}.c
+
+Fri Jul 24 21:56:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* simple_exec.c (simple_execvp): loop around waitpid when errno ==
+ 	EINTR
+
+Thu Jul 23 20:24:35 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.am: net_{read,write}.c
+
+Wed Jul 22 21:38:35 1998  Assar Westerlund  <assar@sics.se>
+
+	* simple_exec.c (simple_execlp): initialize `argv'
+
+Mon Jul 13 23:01:22 1998  Assar Westerlund  <assar@sics.se>
+
+	* inaddr2str.c (inaddr2str): don't advance hostent->h_addr_list,
+ 	use a copy instead
+
+Fri Jul 10 01:20:08 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (net_write, net_read): add prototypes
+
+	* Makefile.in: net_{read,write}.c: add
+
+	* net_{read,write}.c: new files
+
+Tue Jun 30 17:29:09 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in (issuid): add
+
+	* get_window_size.c: fix misspelling of TIOCGWINSZ and bad use of
+ 	fields
+
+Sun May 31 03:24:34 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (mandoc_template): Put short and long options in
+ 	SYNOPSIS within the same [ ] pair.
+
+Sat May 30 00:13:01 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (arg_printusage): try to keep options shorter than
+ 	column width
+
+	* get_window_size.c (get_window_size): check COLUMNS and LINES
+
+Fri May 29 00:05:04 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (mandoc_template): Put short and long options in
+ 	DESCRIPTION on the same line.
+
+	* getarg.c (arg_match_long): make sure you only get an exact match
+ 	if the strings are the same length
+
+Thu May 14 02:23:40 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.awk: stupid cray awk wants \#
+
+Fri May  1 01:29:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* print_version.c (print_version): according to ISO/ANSI C the
+ 	elements of `arg' are not constant and therefore not settable at
+ 	compile-time.  Set the at run-time instead.
+
+Sun Apr 19 10:00:06 1998  Assar Westerlund  <assar@sics.se>
+
+	* roken.h.in: include paths.h
+
+Sun Apr  5 12:30:49 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES): add roken_gethostby.c to make solaris
+ 	make happy
+
+Thu Mar 19 20:41:25 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* simple_exec.c: Simple fork+exec system() replacement.
+
+Fri Mar  6 00:21:53 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* roken_gethostby.c: Make `roken_gethostby_setup' take url-like
+ 	specification instead of split up versions. Makes it easier for
+ 	calling applications.
+
+	* roken_gethostby.c: Another miracle of the 20th century:
+ 	gethostby* over HTTP.
+
+Sat Feb 21 15:18:36 1998  assar westerlund  <assar@sics.se>
+
+	* parse_time.c (unparse_time_approx): new function that calls
+ 	`unparse_units_approx'
+
+	* parse_units.c (unparse_units_approx): new function that will
+ 	only print the first unit.
+
+	* Makefile.in: include parse_{time,units}
+
+Thu Feb 12 03:30:08 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse_time.c (print_time_table): don't return a void value.
+
+Tue Feb  3 11:06:24 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c (mandoc_template): Change date format to full month
+ 	name, and day of month without leading zero.
+
+Thu Jan 22 21:23:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c: Fix long form of negative flags.
+
+Mon Dec 29 23:31:10 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* roken.h.in: Include <err.h>, to get linux __progname.
+
+Sun Dec 21 09:45:18 1997  Assar Westerlund  <assar@sics.se>
+
+	* parse_time.c (print_time_table): new function
+
+	* parse_units.c (print_flags_table, print_units_table): new
+ 	functions.
+
+Thu Dec  4 02:51:46 1997  Assar Westerlund  <assar@sics.se>
+
+	* iruserok.c: moved here.
+
+	* snprintf.c (sn_append_char): don't write any terminating zero.
+	(as_reserve): don't loop.  better heuristic for how much space to
+ 	realloc.
+	(vasnprintf): simplify initializing to one.
+
+Sun Nov 30 14:56:59 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* getarg.c: Add mandoc help back-end to getarg.
+
+Wed Nov 12 01:09:17 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* verr.c, verrx.c: Fix warnings by moving exit from.
+
+Tue Nov 11 21:12:09 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* parse_units.c: Change the list of separating characters (between
+ 	units) to comma, space, and tab, removing digits. Having digits in
+ 	this list makes a flag like `T42 generate a parse error. This
+ 	change makes `17m3s' an invalid time-spec (you need a space).
+
+Tue Nov 11 02:38:44 1997  Assar Westerlund  <assar@sics.se>
+
+	* roken.h: add <sys/socket.h>
+
+Sun Nov  9 04:48:46 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* fnmatch.c: Add fnmatch from NetBSD
+
+Sun Nov  9 02:00:08 1997  Assar Westerlund  <assar@sics.se>
+
+	* parse_units.c (parse_something): ignore white-space and ','
+
+Mon Nov  3 22:38:32 1997  Assar Westerlund  <assar@sics.se>
+	
+	* roken.h: fclose prototype
+
+	* roken.h: add prototype for vsyslog
+
+	* Makefile.in: add some more source files to make soriasis make
+ 	happy
+
+Sat Nov  1 00:19:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* roken.h: include <sys/uio.h> and <errno.h>.
+	prototypes for readv and writev
+
+	* readv.c, writev.c: new files
+
+Wed Oct 29 02:21:38 1997  Assar Westerlund  <assar@sics.se>
+
+	* roken.h: Add ugly macros for openlog, gethostbyname,
+ 	gethostbyaddr, and getservbyname for the benefit of Crays.  Add
+ 	default definition of MAXPATHLEN
diff --git a/crypto/kerberosIV/lib/roken/Makefile.am b/crypto/kerberosIV/lib/roken/Makefile.am
new file mode 100644
index 0000000..e680230
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/Makefile.am
@@ -0,0 +1,177 @@
+# $Id: Makefile.am,v 1.54 1999/12/03 04:04:13 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+CLEANFILES = roken.h make-roken.c print_version.h
+
+lib_LTLIBRARIES = libroken.la
+libroken_la_LDFLAGS = -version-info 3:2:0
+
+noinst_PROGRAMS = make-roken make-print-version
+
+check_PROGRAMS = parse_bytes-test strpftime-test getaddrinfo-test
+TESTS = $(check_PROGRAMS)
+
+getaddrinfo_test_LDADD = libroken.la
+parse_bytes_test_LDADD = libroken.la
+strpftime_test_LDADD = strftime.o strptime.o
+
+if KRB4
+if KRB5
+## need to link with des here; otherwise, if krb4 is shared the link
+## will fail with unresolved references
+make_print_version_LDADD += $(LIB_krb4) -ldes
+endif
+endif
+
+libroken_la_SOURCES =		\
+	base64.c		\
+	concat.c		\
+	emalloc.c		\
+	eread.c			\
+	erealloc.c		\
+	estrdup.c		\
+	ewrite.c		\
+	get_default_username.c	\
+	get_window_size.c	\
+	getarg.c		\
+	inaddr2str.c		\
+	issuid.c		\
+	k_getpwnam.c		\
+	k_getpwuid.c		\
+	mini_inetd.c		\
+	net_read.c		\
+	net_write.c		\
+	parse_bytes.c		\
+	parse_time.c		\
+	parse_units.c		\
+	print_version.c		\
+	resolve.c		\
+	roken_gethostby.c	\
+	signal.c		\
+	simple_exec.c		\
+	snprintf.c		\
+	socket.c		\
+	tm2time.c		\
+	verify.c		\
+	warnerr.c		\
+	xdbm.h
+
+EXTRA_libroken_la_SOURCES =	\
+	chown.c			\
+	copyhostent.c		\
+	daemon.c		\
+	err.c			\
+	err.h			\
+	errx.c			\
+	fchown.c		\
+	flock.c			\
+	fnmatch.c		\
+	fnmatch.h		\
+	freeaddrinfo.c		\
+	freehostent.c		\
+	gai_strerror.c		\
+	getaddrinfo.c		\
+	getdtablesize.c		\
+	getegid.c		\
+	geteuid.c		\
+	getgid.c		\
+	gethostname.c		\
+	getipnodebyaddr.c	\
+	getipnodebyname.c	\
+	getnameinfo.c		\
+	getopt.c		\
+	gettimeofday.c		\
+	getuid.c		\
+	getusershell.c		\
+	glob.h			\
+	hstrerror.c		\
+	inet_aton.c		\
+	inet_ntop.c		\
+	inet_pton.c		\
+	initgroups.c		\
+	innetgr.c		\
+	iruserok.c		\
+	lstat.c			\
+	memmove.c		\
+	mkstemp.c		\
+	putenv.c		\
+	rcmd.c			\
+	readv.c			\
+	recvmsg.c		\
+	sendmsg.c		\
+	setegid.c		\
+	setenv.c		\
+	seteuid.c		\
+	strcasecmp.c		\
+	strdup.c		\
+	strerror.c		\
+	strftime.c		\
+	strlcat.c		\
+	strlcpy.c		\
+	strlwr.c		\
+	strncasecmp.c		\
+	strndup.c		\
+	strnlen.c		\
+	strptime.c		\
+	strsep.c		\
+	strtok_r.c		\
+	strupr.c		\
+	swab.c			\
+	unsetenv.c		\
+	verr.c			\
+	verrx.c			\
+	vsyslog.c		\
+	vwarn.c			\
+	vwarnx.c		\
+	warn.c			\
+	warnx.c			\
+	writev.c
+
+EXTRA_DIST = resource.h roken.awk roken.def roken.dsp roken.h.in \
+	roken.mak roken.rc
+
+
+
+libroken_la_LIBADD = @LTLIBOBJS@
+
+$(LTLIBOBJS) $(libroken_la_OBJECTS): roken.h
+
+include_HEADERS = $(err_h) base64.h getarg.h \
+	parse_bytes.h parse_time.h parse_units.h \
+	resolve.h roken.h roken-common.h
+
+build_HEADERZ = $(err_h) $(fnmatch_h) $(glob_h) xdbm.h
+
+if have_err_h
+err_h =
+else
+err_h = err.h
+endif
+
+if have_fnmatch_h
+fnmatch_h =
+else
+fnmatch_h = fnmatch.h
+endif
+
+if have_glob_h
+glob_h =
+else
+glob_h = glob.h
+endif
+
+roken.h: make-roken
+	@./make-roken > tmp.h ;\
+	if [ -f roken.h ] && cmp -s tmp.h roken.h ; then rm -f tmp.h ; \
+	else rm -f roken.h; mv tmp.h roken.h; fi
+
+make-roken.c: roken.h.in roken.awk
+	$(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c
+
+print_version.lo: print_version.h
+
+print_version.h: make-print-version
+	./make-print-version print_version.h
+
+make-print-version.o: $(top_builddir)/include/version.h
diff --git a/crypto/kerberosIV/lib/roken/Makefile.in b/crypto/kerberosIV/lib/roken/Makefile.in
new file mode 100644
index 0000000..e3afbae
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/Makefile.in
@@ -0,0 +1,223 @@
+#
+# $Id: Makefile.in,v 1.73.2.1 2000/06/23 04:37:43 assar Exp $
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC	= @CC@
+LINK = @LINK@
+CPP	= @CPP@
+AR	= ar
+RANLIB	= @RANLIB@
+DEFS	= @DEFS@
+CFLAGS	= @CFLAGS@ $(WFLAGS)
+WFLAGS	= @WFLAGS@
+AWK	= @AWK@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+EXECSUFFIX = @EXECSUFFIX@
+PICFLAGS = # @PICFLAGS@
+ 
+LIBNAME = $(LIBPREFIX)roken
+#LIBEXT = @LIBEXT@ Always build archive library and don't install!
+LIBEXT = a
+LIBPREFIX = @LIBPREFIX@
+SHLIBEXT = @SHLIBEXT@
+LDSHARED = @LDSHARED@
+LIB = $(LIBNAME).$(LIBEXT)
+
+SOURCES = \
+	base64.c \
+	chown.c \
+	concat.c \
+	copyhostent.c \
+	daemon.c \
+	emalloc.c \
+	erealloc.c \
+	estrdup.c \
+	eread.c \
+	err.c \
+	errx.c \
+	ewrite.c \
+	fchown.c \
+	flock.c \
+	fnmatch.c \
+	freehostent.c \
+	get_window_size.c \
+	getarg.c \
+	getcwd.c \
+	get_default_username.c \
+	getdtablesize.c \
+	gethostname.c \
+	getipnodebyaddr.c \
+	getipnodebyname.c \
+	getopt.c \
+	getusershell.c \
+	glob.c \
+	hstrerror.c \
+	inaddr2str.c \
+	inet_aton.c \
+	inet_ntop.c \
+	initgroups.c \
+	iruserok.c \
+	issuid.c \
+	k_getpwnam.c \
+	k_getpwuid.c \
+	lstat.c \
+	memmove.c \
+	mini_inetd.c \
+	mkstemp.c \
+	net_read.c \
+	net_write.c \
+	parse_time.c \
+	parse_units.c \
+	print_version.c \
+	putenv.c \
+	resolve.c \
+	rcmd.c \
+	roken_gethostby.c \
+	readv.c \
+	setegid.c \
+	setenv.c \
+	seteuid.c \
+	signal.c \
+	simple_exec.c \
+	snprintf.c \
+	socket.c \
+	strcasecmp.c \
+	strcollect.c \
+	strdup.c \
+	strerror.c \
+	strftime.c \
+	strlcat.c \
+	strlcpy.c \
+	strlwr.c \
+	strncasecmp.c \
+	strndup.c \
+	strnlen.c \
+	strsep.c \
+	strtok_r.c \
+	strupr.c \
+	tm2time.c \
+	unsetenv.c \
+	verify.c \
+	verr.c \
+	verrx.c \
+	vsyslog.c \
+	vwarn.c \
+	vwarnx.c \
+	warn.c \
+	warnerr.c \
+	warnx.c
+
+EXTRA_SOURCES = \
+	make-print-version.c
+
+OBJECTS = \
+	base64.o \
+	concat.o \
+	emalloc.o \
+	eread.o \
+	erealloc.o \
+	estrdup.o \
+	ewrite.o \
+	get_default_username.o \
+	get_window_size.o \
+	getarg.o \
+	inaddr2str.o \
+	issuid.o \
+	k_getpwnam.o \
+	k_getpwuid.o \
+	mini_inetd.o \
+	net_read.o \
+	net_write.o \
+	parse_time.o \
+	parse_units.o \
+	print_version.o \
+	resolve.o \
+	roken_gethostby.o \
+	signal.o \
+	simple_exec.o \
+	snprintf.o \
+	socket.o \
+	strcollect.o \
+	tm2time.o \
+	verify.o \
+	warnerr.o \
+	@LIBOBJS@
+
+all: $(LIB) install-roken-h
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I. -I../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+install: all
+
+uninstall:
+
+TAGS: $(SOURCES) $(EXTRA_SOURCES)
+	etags $(SOURCES) $(EXTRA_SOURCES)
+
+check:
+
+clean:
+	rm -f $(LIB) *.o *.a roken.h make-roken$(EXECSUFFIX) make-roken.c \
+		make-print-version$(EXECSUFFIX) print_version.h
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+$(LIBNAME).a: $(OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS)
+	-$(RANLIB) $@
+
+$(LIBNAME).$(SHLIBEXT): $(OBJECTS)
+	rm -f $@
+	$(LDSHARED) -o $@ $(OBJECTS)
+
+roken.h: make-roken$(EXECSUFFIX)
+	@./make-roken > tmp.h ;\
+	if [ -f roken.h ] && cmp -s tmp.h roken.h ; then rm -f tmp.h ; \
+	else rm -f roken.h; mv tmp.h roken.h; fi
+
+make-roken$(EXECSUFFIX): make-roken.o
+	$(LINK) $(CFLAGS) -o $@ make-roken.o
+
+make-roken.c: roken.h.in roken.awk
+	$(AWK) -f $(srcdir)/roken.awk $(srcdir)/roken.h.in > make-roken.c
+
+print_version.o: print_version.h
+
+print_version.h: make-print-version$(EXECSUFFIX)
+	@./make-print-version$(EXECSUFFIX) print_version.h
+
+make-print-version$(EXECSUFFIX): make-print-version.o
+	$(LINK) $(CFLAGS) -o $@ make-print-version.o
+
+install-roken-h: roken.h
+	@if [ -f ../../include/roken.h ] && cmp -s ../../include/roken.h roken.h ; \
+	then :; else \
+	echo "  $(INSTALL) roken.h ../../include/roken.h"; \
+	$(INSTALL) roken.h ../../include/roken.h; fi
+
+$(OBJECTS): ../../include/config.h roken.h
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean install-roken-h
diff --git a/crypto/kerberosIV/lib/roken/base64.c b/crypto/kerberosIV/lib/roken/base64.c
new file mode 100644
index 0000000..daed869
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/base64.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: base64.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include "base64.h"
+
+static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+static int pos(char c)
+{
+  char *p;
+  for(p = base64; *p; p++)
+    if(*p == c)
+      return p - base64;
+  return -1;
+}
+
+int base64_encode(const void *data, int size, char **str)
+{
+  char *s, *p;
+  int i;
+  int c;
+  const unsigned char *q;
+
+  p = s = (char*)malloc(size*4/3+4);
+  if (p == NULL)
+      return -1;
+  q = (const unsigned char*)data;
+  i=0;
+  for(i = 0; i < size;){
+    c=q[i++];
+    c*=256;
+    if(i < size)
+      c+=q[i];
+    i++;
+    c*=256;
+    if(i < size)
+      c+=q[i];
+    i++;
+    p[0]=base64[(c&0x00fc0000) >> 18];
+    p[1]=base64[(c&0x0003f000) >> 12];
+    p[2]=base64[(c&0x00000fc0) >> 6];
+    p[3]=base64[(c&0x0000003f) >> 0];
+    if(i > size)
+      p[3]='=';
+    if(i > size+1)
+      p[2]='=';
+    p+=4;
+  }
+  *p=0;
+  *str = s;
+  return strlen(s);
+}
+
+int base64_decode(const char *str, void *data)
+{
+  const char *p;
+  unsigned char *q;
+  int c;
+  int x;
+  int done = 0;
+  q=(unsigned char*)data;
+  for(p=str; *p && !done; p+=4){
+    x = pos(p[0]);
+    if(x >= 0)
+      c = x;
+    else{
+      done = 3;
+      break;
+    }
+    c*=64;
+    
+    x = pos(p[1]);
+    if(x >= 0)
+      c += x;
+    else
+      return -1;
+    c*=64;
+    
+    if(p[2] == '=')
+      done++;
+    else{
+      x = pos(p[2]);
+      if(x >= 0)
+	c += x;
+      else
+	return -1;
+    }
+    c*=64;
+    
+    if(p[3] == '=')
+      done++;
+    else{
+      if(done)
+	return -1;
+      x = pos(p[3]);
+      if(x >= 0)
+	c += x;
+      else
+	return -1;
+    }
+    if(done < 3)
+      *q++=(c&0x00ff0000)>>16;
+      
+    if(done < 2)
+      *q++=(c&0x0000ff00)>>8;
+    if(done < 1)
+      *q++=(c&0x000000ff)>>0;
+  }
+  return q - (unsigned char*)data;
+}
diff --git a/crypto/kerberosIV/lib/roken/base64.h b/crypto/kerberosIV/lib/roken/base64.h
new file mode 100644
index 0000000..5ad1e3b
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/base64.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: base64.h,v 1.2 1999/12/02 16:58:45 joda Exp $ */
+
+#ifndef _BASE64_H_
+#define _BASE64_H_
+
+int base64_encode(const void *data, int size, char **str);
+int base64_decode(const char *str, void *data);
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/chown.c b/crypto/kerberosIV/lib/roken/chown.c
new file mode 100644
index 0000000..f3d34e3
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/chown.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: chown.c,v 1.3 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+chown(const char *path, uid_t owner, gid_t group)
+{
+  return 0;
+}
diff --git a/crypto/kerberosIV/lib/roken/concat.c b/crypto/kerberosIV/lib/roken/concat.c
new file mode 100644
index 0000000..ca295c0
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/concat.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: concat.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+#include "roken.h"
+
+int
+roken_concat (char *s, size_t len, ...)
+{
+    int ret;
+    va_list args;
+
+    va_start(args, len);
+    ret = roken_vconcat (s, len, args);
+    va_end(args);
+    return ret;
+}
+
+int
+roken_vconcat (char *s, size_t len, va_list args)
+{
+    const char *a;
+
+    while ((a = va_arg(args, const char*))) {
+	size_t n = strlen (a);
+
+	if (n >= len)
+	    return -1;
+	memcpy (s, a, n);
+	s += n;
+	len -= n;
+    }
+    *s = '\0';
+    return 0;
+}
+
+size_t
+roken_vmconcat (char **s, size_t max_len, va_list args)
+{
+    const char *a;
+    char *p, *q;
+    size_t len = 0;
+    *s = NULL;
+    p = malloc(1);
+    if(p == NULL)
+	return 0;
+    len = 1;
+    while ((a = va_arg(args, const char*))) {
+	size_t n = strlen (a);
+	
+	if(max_len && len + n > max_len){
+	    free(p);
+	    return 0;
+	}
+	q = realloc(p, len + n);
+	if(q == NULL){
+	    free(p);
+	    return 0;
+	}
+	p = q;
+	memcpy (p + len - 1, a, n);
+	len += n;
+    }
+    p[len - 1] = '\0';
+    *s = p;
+    return len;
+}
+
+size_t
+roken_mconcat (char **s, size_t max_len, ...)
+{
+    int ret;
+    va_list args;
+
+    va_start(args, max_len);
+    ret = roken_vmconcat (s, max_len, args);
+    va_end(args);
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/copyhostent.c b/crypto/kerberosIV/lib/roken/copyhostent.c
new file mode 100644
index 0000000..a3be6db
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/copyhostent.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: copyhostent.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * return a malloced copy of `h'
+ */
+
+struct hostent *
+copyhostent (const struct hostent *h)
+{
+    struct hostent *res;
+    char **p;
+    int i, n;
+
+    res = malloc (sizeof (*res));
+    if (res == NULL)
+	return NULL;
+    res->h_name      = NULL;
+    res->h_aliases   = NULL;
+    res->h_addrtype  = h->h_addrtype;
+    res->h_length    = h->h_length;
+    res->h_addr_list = NULL;
+    res->h_name = strdup (h->h_name);
+    if (res->h_name == NULL) {
+	freehostent (res);
+	return NULL;
+    }
+    for (n = 0, p = h->h_aliases; *p != NULL; ++p)
+	++n;
+    res->h_aliases = malloc ((n + 1) * sizeof(*res->h_aliases));
+    if (res->h_aliases == NULL) {
+	freehostent (res);
+	return NULL;
+    }
+    for (i = 0; i < n + 1; ++i)
+	res->h_aliases[i] = NULL;
+    for (i = 0; i < n; ++i) {
+	res->h_aliases[i] = strdup (h->h_aliases[i]);
+	if (res->h_aliases[i] == NULL) {
+	    freehostent (res);
+	    return NULL;
+	}
+    }
+
+    for (n = 0, p = h->h_addr_list; *p != NULL; ++p)
+	++n;
+    res->h_addr_list = malloc ((n + 1) * sizeof(*res->h_addr_list));
+    if (res->h_addr_list == NULL) {
+	freehostent (res);
+	return NULL;
+    }
+    for (i = 0; i < n + 1; ++i) {
+	res->h_addr_list[i] = NULL;
+    }
+    for (i = 0; i < n; ++i) {
+	res->h_addr_list[i] = malloc (h->h_length);
+	if (res->h_addr_list[i] == NULL) {
+	    freehostent (res);
+	    return NULL;
+	}
+	memcpy (res->h_addr_list[i], h->h_addr_list[i], h->h_length);
+    }
+    return res;
+}
+
diff --git a/crypto/kerberosIV/lib/roken/daemon.c b/crypto/kerberosIV/lib/roken/daemon.c
new file mode 100644
index 0000000..758856c
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/daemon.c
@@ -0,0 +1,88 @@
+/*-
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)daemon.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: daemon.c,v 1.3 1997/10/04 21:55:48 joda Exp $");
+
+#ifndef HAVE_DAEMON
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "roken.h"
+
+int
+daemon(int nochdir, int noclose)
+{
+    int fd;
+
+    switch (fork()) {
+    case -1:
+	return (-1);
+    case 0:
+	break;
+    default:
+	_exit(0);
+    }
+
+    if (setsid() == -1)
+	return (-1);
+
+    if (!nochdir)
+	chdir("/");
+
+    if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
+	dup2(fd, STDIN_FILENO);
+	dup2(fd, STDOUT_FILENO);
+	dup2(fd, STDERR_FILENO);
+	if (fd > 2)
+	    close (fd);
+    }
+    return (0);
+}
+
+#endif /* HAVE_DAEMON */
diff --git a/crypto/kerberosIV/lib/roken/emalloc.c b/crypto/kerberosIV/lib/roken/emalloc.c
new file mode 100644
index 0000000..bbea1e0
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/emalloc.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: emalloc.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like malloc but never fails.
+ */
+
+void *
+emalloc (size_t sz)
+{
+    void *tmp = malloc (sz);
+
+    if (tmp == NULL && sz != 0)
+	err (1, "malloc %lu", (unsigned long)sz);
+    return tmp;
+}
diff --git a/crypto/kerberosIV/lib/roken/eread.c b/crypto/kerberosIV/lib/roken/eread.c
new file mode 100644
index 0000000..9a1b24b
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/eread.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: eread.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <unistd.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like read but never fails (and never returns partial data).
+ */
+
+ssize_t
+eread (int fd, void *buf, size_t nbytes)
+{
+    ssize_t ret;
+
+    ret = net_read (fd, buf, nbytes);
+    if (ret < 0)
+	err (1, "read");
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/erealloc.c b/crypto/kerberosIV/lib/roken/erealloc.c
new file mode 100644
index 0000000..8afa8f3
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/erealloc.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: erealloc.c,v 1.4 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like realloc but never fails.
+ */
+
+void *
+erealloc (void *ptr, size_t sz)
+{
+    void *tmp = realloc (ptr, sz);
+
+    if (tmp == NULL && sz != 0)
+	err (1, "realloc %lu", (unsigned long)sz);
+    return tmp;
+}
diff --git a/crypto/kerberosIV/lib/roken/err.c b/crypto/kerberosIV/lib/roken/err.c
new file mode 100644
index 0000000..29b1f7b
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/err.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: err.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+err(int eval, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  verr(eval, fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/kerberosIV/lib/roken/err.h b/crypto/kerberosIV/lib/roken/err.h
new file mode 100644
index 0000000..b0b649f
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/err.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: err.h,v 1.15 1999/12/02 16:58:45 joda Exp $ */
+
+#ifndef __ERR_H__
+#define __ERR_H__
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+extern const char *__progname;
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+void warnerr(int doerrno, const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 2, 0)));
+
+void verr(int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)));
+void err(int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)));
+void verrx(int eval, const char *fmt, va_list ap)
+     __attribute__ ((noreturn, format (printf, 2, 0)));
+void errx(int eval, const char *fmt, ...)
+     __attribute__ ((noreturn, format (printf, 2, 3)));
+void vwarn(const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 1, 0)));
+void warn(const char *fmt, ...)
+     __attribute__ ((format (printf, 1, 2)));
+void vwarnx(const char *fmt, va_list ap)
+     __attribute__ ((format (printf, 1, 0)));
+void warnx(const char *fmt, ...)
+     __attribute__ ((format (printf, 1, 2)));
+
+#endif /* __ERR_H__ */
diff --git a/crypto/kerberosIV/lib/roken/errx.c b/crypto/kerberosIV/lib/roken/errx.c
new file mode 100644
index 0000000..2f8ec18
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/errx.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: errx.c,v 1.6 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+errx(int eval, const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  verrx(eval, fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/kerberosIV/lib/roken/estrdup.c b/crypto/kerberosIV/lib/roken/estrdup.c
new file mode 100644
index 0000000..8c0d9a7
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/estrdup.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: estrdup.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like strdup but never fails.
+ */
+
+char *
+estrdup (const char *str)
+{
+    char *tmp = strdup (str);
+
+    if (tmp == NULL)
+	err (1, "strdup");
+    return tmp;
+}
diff --git a/crypto/kerberosIV/lib/roken/ewrite.c b/crypto/kerberosIV/lib/roken/ewrite.c
new file mode 100644
index 0000000..b2c43de
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/ewrite.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: ewrite.c,v 1.2 1999/12/02 16:58:45 joda Exp $");
+#endif
+
+#include <unistd.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like write but never fails (and never returns partial data).
+ */
+
+ssize_t
+ewrite (int fd, const void *buf, size_t nbytes)
+{
+    ssize_t ret;
+
+    ret = net_write (fd, buf, nbytes);
+    if (ret < 0)
+	err (1, "write");
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/fchown.c b/crypto/kerberosIV/lib/roken/fchown.c
new file mode 100644
index 0000000..61e8546
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/fchown.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: fchown.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+fchown(int fd, uid_t owner, gid_t group)
+{
+  return 0;
+}
diff --git a/crypto/kerberosIV/lib/roken/flock.c b/crypto/kerberosIV/lib/roken/flock.c
new file mode 100644
index 0000000..13da4f4
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/flock.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifndef HAVE_FLOCK
+RCSID("$Id: flock.c,v 1.4 1999/12/02 16:58:46 joda Exp $");
+
+#include "roken.h"
+
+
+#define OP_MASK (LOCK_SH | LOCK_EX | LOCK_UN)
+
+int
+flock(int fd, int operation)
+{
+#if defined(HAVE_FCNTL) && defined(F_SETLK)
+  struct flock arg;
+  int code, cmd;
+  
+  arg.l_whence = SEEK_SET;
+  arg.l_start = 0;
+  arg.l_len = 0;		/* means to EOF */
+
+  if (operation & LOCK_NB)
+    cmd = F_SETLK;
+  else
+    cmd = F_SETLKW;		/* Blocking */
+
+  switch (operation & OP_MASK) {
+  case LOCK_UN:
+    arg.l_type = F_UNLCK;
+    code = fcntl(fd, F_SETLK, &arg);
+    break;
+  case LOCK_SH:
+    arg.l_type = F_RDLCK;
+    code = fcntl(fd, cmd, &arg);
+    break;
+  case LOCK_EX:
+    arg.l_type = F_WRLCK;
+    code = fcntl(fd, cmd, &arg);
+    break;
+  default:
+    errno = EINVAL;
+    code = -1;
+    break;
+  }
+  return code;
+#else
+  return -1;
+#endif
+}
+
+#endif
+
diff --git a/crypto/kerberosIV/lib/roken/fnmatch.c b/crypto/kerberosIV/lib/roken/fnmatch.c
new file mode 100644
index 0000000..dc01d6e
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/fnmatch.c
@@ -0,0 +1,173 @@
+/*	$NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $	*/
+
+/*
+ * Copyright (c) 1989, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+#if 0
+static char sccsid[] = "@(#)fnmatch.c	8.2 (Berkeley) 4/16/94";
+#else
+static char rcsid[] = "$NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $";
+#endif
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Function fnmatch() as specified in POSIX 1003.2-1992, section B.6.
+ * Compares a filename or pathname to a pattern.
+ */
+
+#include <fnmatch.h>
+#include <string.h>
+
+#define	EOS	'\0'
+
+static const char *rangematch (const char *, int, int);
+
+int
+fnmatch(const char *pattern, const char *string, int flags)
+{
+	const char *stringstart;
+	char c, test;
+
+	for (stringstart = string;;)
+		switch (c = *pattern++) {
+		case EOS:
+			return (*string == EOS ? 0 : FNM_NOMATCH);
+		case '?':
+			if (*string == EOS)
+				return (FNM_NOMATCH);
+			if (*string == '/' && (flags & FNM_PATHNAME))
+				return (FNM_NOMATCH);
+			if (*string == '.' && (flags & FNM_PERIOD) &&
+			    (string == stringstart ||
+			    ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
+				return (FNM_NOMATCH);
+			++string;
+			break;
+		case '*':
+			c = *pattern;
+			/* Collapse multiple stars. */
+			while (c == '*')
+				c = *++pattern;
+
+			if (*string == '.' && (flags & FNM_PERIOD) &&
+			    (string == stringstart ||
+			    ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
+				return (FNM_NOMATCH);
+
+			/* Optimize for pattern with * at end or before /. */
+			if (c == EOS)
+				if (flags & FNM_PATHNAME)
+					return (strchr(string, '/') == NULL ?
+					    0 : FNM_NOMATCH);
+				else
+					return (0);
+			else if (c == '/' && flags & FNM_PATHNAME) {
+				if ((string = strchr(string, '/')) == NULL)
+					return (FNM_NOMATCH);
+				break;
+			}
+
+			/* General case, use recursion. */
+			while ((test = *string) != EOS) {
+				if (!fnmatch(pattern, string, flags & ~FNM_PERIOD))
+					return (0);
+				if (test == '/' && flags & FNM_PATHNAME)
+					break;
+				++string;
+			}
+			return (FNM_NOMATCH);
+		case '[':
+			if (*string == EOS)
+				return (FNM_NOMATCH);
+			if (*string == '/' && flags & FNM_PATHNAME)
+				return (FNM_NOMATCH);
+			if ((pattern =
+			    rangematch(pattern, *string, flags)) == NULL)
+				return (FNM_NOMATCH);
+			++string;
+			break;
+		case '\\':
+			if (!(flags & FNM_NOESCAPE)) {
+				if ((c = *pattern++) == EOS) {
+					c = '\\';
+					--pattern;
+				}
+			}
+			/* FALLTHROUGH */
+		default:
+			if (c != *string++)
+				return (FNM_NOMATCH);
+			break;
+		}
+	/* NOTREACHED */
+}
+
+static const char *
+rangematch(const char *pattern, int test, int flags)
+{
+	int negate, ok;
+	char c, c2;
+
+	/*
+	 * A bracket expression starting with an unquoted circumflex
+	 * character produces unspecified results (IEEE 1003.2-1992,
+	 * 3.13.2).  This implementation treats it like '!', for
+	 * consistency with the regular expression syntax.
+	 * J.T. Conklin (conklin@ngai.kaleida.com)
+	 */
+	if (negate = (*pattern == '!' || *pattern == '^'))
+		++pattern;
+	
+	for (ok = 0; (c = *pattern++) != ']';) {
+		if (c == '\\' && !(flags & FNM_NOESCAPE))
+			c = *pattern++;
+		if (c == EOS)
+			return (NULL);
+		if (*pattern == '-' 
+		    && (c2 = *(pattern+1)) != EOS && c2 != ']') {
+			pattern += 2;
+			if (c2 == '\\' && !(flags & FNM_NOESCAPE))
+				c2 = *pattern++;
+			if (c2 == EOS)
+				return (NULL);
+			if (c <= test && test <= c2)
+				ok = 1;
+		} else if (c == test)
+			ok = 1;
+	}
+	return (ok == negate ? NULL : pattern);
+}
diff --git a/crypto/kerberosIV/lib/roken/fnmatch.h b/crypto/kerberosIV/lib/roken/fnmatch.h
new file mode 100644
index 0000000..95c91d6
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/fnmatch.h
@@ -0,0 +1,49 @@
+/*	$NetBSD: fnmatch.h,v 1.5 1994/10/26 00:55:53 cgd Exp $	*/
+
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)fnmatch.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef	_FNMATCH_H_
+#define	_FNMATCH_H_
+
+#define	FNM_NOMATCH	1	/* Match failed. */
+
+#define	FNM_NOESCAPE	0x01	/* Disable backslash escaping. */
+#define	FNM_PATHNAME	0x02	/* Slash must be matched by slash. */
+#define	FNM_PERIOD	0x04	/* Period must be matched by period. */
+
+int	 fnmatch (const char *, const char *, int);
+
+#endif /* !_FNMATCH_H_ */
diff --git a/crypto/kerberosIV/lib/roken/freehostent.c b/crypto/kerberosIV/lib/roken/freehostent.c
new file mode 100644
index 0000000..0cd92cd
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/freehostent.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: freehostent.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * free a malloced hostent
+ */
+
+void
+freehostent (struct hostent *h)
+{
+    char **p;
+
+    free (h->h_name);
+    if (h->h_aliases != NULL) {
+	for (p = h->h_aliases; *p != NULL; ++p)
+	    free (*p);
+	free (h->h_aliases);
+    }
+    if (h->h_addr_list != NULL) {
+	for (p = h->h_addr_list; *p != NULL; ++p)
+	    free (*p);
+	free (h->h_addr_list);
+    }
+    free (h);
+}
diff --git a/crypto/kerberosIV/lib/roken/get_default_username.c b/crypto/kerberosIV/lib/roken/get_default_username.c
new file mode 100644
index 0000000..10b0863
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/get_default_username.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: get_default_username.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+#endif /* HAVE_CONFIG_H */
+
+#include "roken.h"
+
+/*
+ * Try to return what should be considered the default username or
+ * NULL if we can't guess at all.
+ */
+
+const char *
+get_default_username (void)
+{
+    const char *user;
+
+    user = getenv ("USER");
+    if (user == NULL)
+	user = getenv ("LOGNAME");
+    if (user == NULL)
+	user = getenv ("USERNAME");
+
+#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
+    if (user == NULL) {
+	user = (const char *)getlogin ();
+	if (user != NULL)
+	    return user;
+    }
+#endif
+#ifdef HAVE_PWD_H
+    {
+	uid_t uid = getuid ();
+	struct passwd *pwd;
+
+	if (user != NULL) {
+	    pwd = k_getpwnam (user);
+	    if (pwd != NULL && pwd->pw_uid == uid)
+		return user;
+	}
+	pwd = k_getpwuid (uid);
+	if (pwd != NULL)
+	    return pwd->pw_name;
+    }
+#endif
+    return user;
+}
diff --git a/crypto/kerberosIV/lib/roken/get_window_size.c b/crypto/kerberosIV/lib/roken/get_window_size.c
new file mode 100644
index 0000000..4eff8d2
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/get_window_size.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: get_window_size.c,v 1.9 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#if 0 /* Where were those needed? /confused */
+#ifdef HAVE_SYS_PROC_H
+#include <sys/proc.h>
+#endif
+
+#ifdef HAVE_SYS_TTY_H
+#include <sys/tty.h>
+#endif
+#endif
+
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+
+#include <roken.h>
+
+int
+get_window_size(int fd, struct winsize *wp)
+{
+    int ret = -1;
+    
+    memset(wp, 0, sizeof(*wp));
+
+#if defined(TIOCGWINSZ)
+    ret = ioctl(fd, TIOCGWINSZ, wp);
+#elif defined(TIOCGSIZE)
+    {
+	struct ttysize ts;
+	
+	ret = ioctl(fd, TIOCGSIZE, &ts);
+	if(ret == 0) {
+	    wp->ws_row = ts.ts_lines;
+	    wp->ws_col = ts.ts_cols;
+	}
+    }
+#elif defined(HAVE__SCRSIZE)
+    {
+	int dst[2];
+	
+	_scrsize(dst);
+	wp->ws_row = dst[1];
+	wp->ws_col = dst[0];
+	ret = 0;
+    }
+#endif
+    if (ret != 0) {
+        char *s;
+        if((s = getenv("COLUMNS")))
+	    wp->ws_col = atoi(s);
+	if((s = getenv("LINES")))
+	    wp->ws_row = atoi(s);
+	if(wp->ws_col > 0 && wp->ws_row > 0)
+	    ret = 0;
+    }
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/getarg.3 b/crypto/kerberosIV/lib/roken/getarg.3
new file mode 100644
index 0000000..fc4ca83c
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getarg.3
@@ -0,0 +1,311 @@
+.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
+.\" $Id: getarg.3,v 1.2 1999/10/18 17:14:31 joda Exp $
+.Dd September 24, 1999
+.Dt GETARG 3
+.Os ROKEN
+.Sh NAME
+.Nm getarg , 
+.Nm arg_printusage
+.Nd collect command line options
+.Sh SYNOPSIS
+.Fd #include <getarg.h>
+.Ft int
+.Fn getarg "struct getargs *args" "size_t num_args" "int argc" "char **argv" "int *optind"
+.Ft void
+.Fn arg_printusage "struct getargs *args" "size_t num_args" "const char *progname" "const char *extra_string"
+.Sh DESCRIPTION
+.Fn getarg
+collects any command line options given to a program in an easily used way. 
+.Fn arg_printusage 
+pretty-prints the available options, with a short help text.
+.Pp
+.Fa args
+is the option specification to use, and it's an array of 
+.Fa struct getargs
+elements.
+.Fa num_args
+is the size of
+.Fa args
+(in elements).
+.Fa argc
+and
+.Fa argv
+are the argument count and argument vector to extract option from.
+.Fa optind
+is a pointer to an integer where the index to the last processed
+argument is stored, it must be initialised to the first index (minus
+one) to process (normally 0) before the first call.
+.Pp
+.Fa arg_printusage
+take the same
+.Fa args
+and
+.Fa num_args
+as getarg;
+.Fa progname
+is the name of the program (to be used in the help text), and 
+.Fa extra_string
+is a string to print after the actual options to indicate more
+arguments. The usefulness of this function is realised only be people
+who has used programs that has help strings that doesn't match what
+the code does.
+.Pp
+The
+.Fa getargs
+struct has the following elements.
+.Bd -literal
+struct getargs{
+    const char *long_name;
+    char short_name;
+    enum { arg_integer, 
+	   arg_string, 
+	   arg_flag, 
+	   arg_negative_flag, 
+	   arg_strings,
+	   arg_double,
+           arg_collect
+    } type;
+    void *value;
+    const char *help;
+    const char *arg_help;
+};
+.Ed
+.Pp
+.Fa long_name
+is the long name of the option, it can be 
+.Dv NULL ,
+if you don't want a long name.
+.Fa short_name 
+is the characted to use as short option, it can be zero. If the option
+has a value the
+.Fa value
+field gets filled in with that value interpreted as specified by the 
+.Fa type
+field.
+.Fa help
+is a longer help string for the option as a whole, if it's
+.Dv NULL
+the help text for the option is omitted (but it's still displayed in
+the synopsis).
+.Fa arg_help
+is a description of the argument, if
+.Dv NULL
+a default value will be used, depending on the type of the option:
+.Pp
+.Bl -hang -width arg_negative_flag
+.It arg_integer
+the argument is a signed integer, and
+.Fa value
+should point to an
+.Fa int .
+.It Fa arg_string
+the argument is a string, and
+.Fa value
+should point to a
+.Fa char* .
+.It Fa arg_flag
+the argument is a flag, and
+.Fa value
+should point to a
+.Fa int . 
+It gets filled in with either zero or one, depending on how the option
+is given, the normal case beeing one. Note that if the option isn't
+given, the value isn't altered, so it should be initialised to some
+useful default.
+.It Fa arg_negative_flag
+this is the same as 
+.Fa arg_flag
+but it reverses the meaning of the flag (a given short option clears
+the flag), and the synopsis of a long option is negated.
+.It Fa arg_strings
+the argument can be given multiple times, and the values are collected
+in an array;
+.Fa value
+should be a pointer to a 
+.Fa struct getarg_strings
+structure, which holds a length and a string pointer.
+.It Fa arg_double
+argument is a double precision floating point value, and
+.Fa value
+should point to a
+.Fa double .
+.It Fa arg_collect
+allows more fine-grained control of the option parsing process.
+.Fa value
+should be a pointer to a 
+.Fa getarg_collect_info
+structure:
+.Bd -literal
+typedef int (*getarg_collect_func)(int short_opt,
+				   int argc,
+				   char **argv,
+				   int *optind,
+				   int *optarg,
+				   void *data);
+
+typedef struct getarg_collect_info {
+    getarg_collect_func func;
+    void *data;
+} getarg_collect_info;
+.Ed
+.Pp
+With the
+.Fa func
+member set to a function to call, and 
+.Fa data
+to some application specific data. The parameters to the collect function are:
+.Bl -inset
+.It Fa short_flag
+non-zero if this call is via a short option flag, zero otherwise
+.It Fa argc , argv
+the whole argument list
+.It Fa optind
+pointer to the index in argv where the flag is
+.It Fa optarg
+pointer to the index in argv[*optind] where the flag name starts
+.It Fa data
+application specific data
+.El
+.Pp
+You can modify
+.Fa *optind ,
+and 
+.Fa *optarg ,
+but to do this correct you (more or less) have to know about the inner
+workings of getarg.
+.Pp 
+You can skip parts of arguments by increasing
+.Fa *optarg
+(you could
+implement the 
+.Fl z Ns Ar 3
+set of flags from
+.Nm gzip
+with this), or whole argument strings by increasing
+.Fa *optind
+(let's say you want a flag 
+.Fl c Ar x y z
+to specify a coordinate); if you also have to set
+.Fa *optarg
+to a sane value.
+.Pp
+The collect function should return one of 
+.Dv ARG_ERR_NO_MATCH , ARG_ERR_BAD_ARG , ARG_ERR_NO_ARG
+on error, zero otherwise.
+.Pp
+For your convenience there is a function,
+.Fn getarg_optarg ,
+that returns the traditional argument string, and you pass it all
+arguments, sans data, that where given to the collection function.
+.Pp
+Don't use this more this unless you absolutely have to.
+.El
+.Pp
+Option parsing is similar to what 
+.Xr getopt
+uses. Short options without arguments can be compressed
+.Pf ( Fl xyz
+is the same as
+.Fl x y z ) ,
+and short
+options with arguments take these as either the rest of the
+argv-string or as the next option
+.Pf ( Fl o Ns Ar foo ,
+or
+.Fl o Ar foo ) .
+.Pp
+Long option names are prefixed with -- (double dash), and the value
+with a = (equal),
+.Fl -foo= Ns Ar bar .
+Long option flags can either be specified as they are 
+.Pf ( Fl -help ) ,
+or with an (boolean parsable) option
+.Pf ( Fl -help= Ns Ar yes ,
+.Fl -help= Ns Ar true ,
+or similar), or they can also be negated 
+.Pf ( Fl -no-help
+is the same as 
+.Fl -help= Ns no ) ,
+and if you're really confused you can do it multiple times
+.Pf ( Fl -no-no-help= Ns Ar false ,
+or even 
+.Fl -no-no-help= Ns Ar maybe ) .
+.Sh EXAMPLE
+.Bd -literal
+#include <stdio.h>
+#include <string.h>
+#include <getarg.h>
+
+char *source = "Ouagadougou";
+char *destination;
+int weight;
+int include_catalog = 1;
+int help_flag;
+
+struct getargs args[] = {
+    { "source",      's', arg_string,  &source, 
+      "source of shippment", "city" },
+    { "destination", 'd', arg_string,  &destination, 
+      "destination of shippment", "city" },
+    { "weight",      'w', arg_integer, &weight, 
+      "weight of shippment", "tons" },
+    { "catalog",     'c', arg_negative_flag, &include_catalog, 
+      "include product catalog" },
+    { "help",        'h', arg_flag, &help_flag }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]); /* number of elements in args */
+
+const char *progname = "ship++";
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+    if (getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, progname, "stuff...");
+	exit (1);
+    }
+    if (help_flag) {
+	arg_printusage(args, num_args, progname, "stuff...");
+	exit (0);
+    }
+    if (destination == NULL) {
+	fprintf(stderr, "%s: must specify destination\en", progname);
+	exit(1);
+    }
+    if (strcmp(source, destination) == 0) {
+	fprintf(stderr, "%s: destination must be different from source\en");
+	exit(1);
+    }
+    /* include more stuff here ... */
+    exit(2);
+}
+.Ed
+.Pp
+The output help output from this program looks like this:
+.Bd -literal
+$ ship++ --help                                            
+Usage: ship++ [--source=city] [-s city] [--destination=city] [-d city]
+   [--weight=tons] [-w tons] [--no-catalog] [-c] [--help] [-h] stuff...
+-s city, --source=city      source of shippment
+-d city, --destination=city destination of shippment
+-w tons, --weight=tons      weight of shippment
+-c, --no-catalog            include product catalog
+.Ed
+.Sh BUGS
+It should be more flexible, so it would be possible to use other more
+complicated option syntaxes, such as what
+.Xr ps 1 ,
+and 
+.Xr tar 1 ,
+uses, or the AFS model where you can skip the flag names as long as
+the options come in the correct order.
+.Pp
+Options with multiple arguments should be handled better.
+.Pp
+Should be integreated with SL.
+.Pp
+It's very confusing that the struct you pass in is called getargS.
+.Sh SEE ALSO
+.Xr getopt 3
diff --git a/crypto/kerberosIV/lib/roken/getarg.c b/crypto/kerberosIV/lib/roken/getarg.c
new file mode 100644
index 0000000..505e418
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getarg.c
@@ -0,0 +1,547 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getarg.c,v 1.32 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <roken.h>
+#include "getarg.h"
+
+#define ISFLAG(X) ((X).type == arg_flag || (X).type == arg_negative_flag)
+
+static size_t
+print_arg (char *string, size_t len, int mdoc, int longp, struct getargs *arg)
+{
+    const char *s;
+
+    *string = '\0';
+
+    if (ISFLAG(*arg) || (!longp && arg->type == arg_counter))
+	return 0;
+
+    if(mdoc){
+	if(longp)
+	    strlcat(string, "= Ns", len);
+	strlcat(string, " Ar ", len);
+    }else
+	if (longp)
+	    strlcat (string, "=", len);
+	else
+	    strlcat (string, " ", len);
+
+    if (arg->arg_help)
+	s = arg->arg_help;
+    else if (arg->type == arg_integer || arg->type == arg_counter)
+	s = "integer";
+    else if (arg->type == arg_string)
+	s = "string";
+    else if (arg->type == arg_double)
+	s = "float";
+    else
+	s = "<undefined>";
+
+    strlcat(string, s, len);
+    return 1 + strlen(s);
+}
+
+static void
+mandoc_template(struct getargs *args,
+		size_t num_args,
+		const char *progname,
+		const char *extra_string)
+{
+    int i;
+    char timestr[64], cmd[64];
+    char buf[128];
+    const char *p;
+    time_t t;
+
+    printf(".\\\" Things to fix:\n");
+    printf(".\\\"   * correct section, and operating system\n");
+    printf(".\\\"   * remove Op from mandatory flags\n");
+    printf(".\\\"   * use better macros for arguments (like .Pa for files)\n");
+    printf(".\\\"\n");
+    t = time(NULL);
+    strftime(timestr, sizeof(timestr), "%B %e, %Y", localtime(&t));
+    printf(".Dd %s\n", timestr);
+    p = strrchr(progname, '/');
+    if(p) p++; else p = progname;
+    strlcpy(cmd, p, sizeof(cmd));
+    strupr(cmd);
+       
+    printf(".Dt %s SECTION\n", cmd);
+    printf(".Os OPERATING_SYSTEM\n");
+    printf(".Sh NAME\n");
+    printf(".Nm %s\n", p);
+    printf(".Nd\n");
+    printf("in search of a description\n");
+    printf(".Sh SYNOPSIS\n");
+    printf(".Nm\n");
+    for(i = 0; i < num_args; i++){
+	/* we seem to hit a limit on number of arguments if doing
+           short and long flags with arguments -- split on two lines */
+	if(ISFLAG(args[i]) || 
+	   args[i].short_name == 0 || args[i].long_name == NULL) {
+	    printf(".Op ");
+
+	    if(args[i].short_name) {
+		print_arg(buf, sizeof(buf), 1, 0, args + i);
+		printf("Fl %c%s", args[i].short_name, buf);
+		if(args[i].long_name)
+		    printf(" | ");
+	    }
+	    if(args[i].long_name) {
+		print_arg(buf, sizeof(buf), 1, 1, args + i);
+		printf("Fl -%s%s", args[i].long_name, buf);
+	    }
+	    printf("\n");
+	} else {
+	    print_arg(buf, sizeof(buf), 1, 0, args + i);
+	    printf(".Oo Fl %c%s \\*(Ba Xo\n", args[i].short_name, buf);
+	    print_arg(buf, sizeof(buf), 1, 1, args + i);
+	    printf(".Fl -%s%s Oc\n.Xc\n", args[i].long_name, buf);
+	}
+    /*
+	    if(args[i].type == arg_strings)
+		fprintf (stderr, "...");
+		*/
+    }
+    if (extra_string && *extra_string)
+	printf (".Ar %s\n", extra_string);
+    printf(".Sh DESCRIPTION\n");
+    printf("Supported options:\n");
+    printf(".Bl -tag -width Ds\n");
+    for(i = 0; i < num_args; i++){
+	printf(".It Xo\n");
+	if(args[i].short_name){
+	    printf(".Fl %c", args[i].short_name);
+	    print_arg(buf, sizeof(buf), 1, 0, args + i);
+	    printf("%s", buf);
+	    if(args[i].long_name)
+		printf(" Ns ,");
+	    printf("\n");
+	}
+	if(args[i].long_name){
+	    printf(".Fl -%s", args[i].long_name);
+	    print_arg(buf, sizeof(buf), 1, 1, args + i);
+	    printf("%s\n", buf);
+	}
+	printf(".Xc\n");
+	if(args[i].help)
+	    printf("%s\n", args[i].help);
+    /*
+	    if(args[i].type == arg_strings)
+		fprintf (stderr, "...");
+		*/
+    }
+    printf(".El\n");
+    printf(".\\\".Sh ENVIRONMENT\n");
+    printf(".\\\".Sh FILES\n");
+    printf(".\\\".Sh EXAMPLES\n");
+    printf(".\\\".Sh DIAGNOSTICS\n");
+    printf(".\\\".Sh SEE ALSO\n");
+    printf(".\\\".Sh STANDARDS\n");
+    printf(".\\\".Sh HISTORY\n");
+    printf(".\\\".Sh AUTHORS\n");
+    printf(".\\\".Sh BUGS\n");
+}
+
+static int
+check_column(FILE *f, int col, int len, int columns)
+{
+    if(col + len > columns) {
+	fprintf(f, "\n");
+	col = fprintf(f, "  ");
+    }
+    return col;
+}
+
+void
+arg_printusage (struct getargs *args,
+		size_t num_args,
+		const char *progname,
+		const char *extra_string)
+{
+    int i;
+    size_t max_len = 0;
+    char buf[128];
+    int col = 0, columns;
+    struct winsize ws;
+
+    if (progname == NULL)
+	progname = __progname;
+
+    if(getenv("GETARGMANDOC")){
+	mandoc_template(args, num_args, progname, extra_string);
+	return;
+    }
+    if(get_window_size(2, &ws) == 0)
+	columns = ws.ws_col;
+    else
+	columns = 80;
+    col = 0;
+    col += fprintf (stderr, "Usage: %s", progname);
+    for (i = 0; i < num_args; ++i) {
+	size_t len = 0;
+
+	if (args[i].long_name) {
+	    buf[0] = '\0';
+	    strlcat(buf, "[--", sizeof(buf));
+	    len += 2;
+	    if(args[i].type == arg_negative_flag) {
+		strlcat(buf, "no-", sizeof(buf));
+		len += 3;
+	    }
+	    strlcat(buf, args[i].long_name, sizeof(buf));
+	    len += strlen(args[i].long_name);
+	    len += print_arg(buf + strlen(buf), sizeof(buf) - strlen(buf), 
+			     0, 1, &args[i]);
+	    strlcat(buf, "]", sizeof(buf));
+	    if(args[i].type == arg_strings)
+		strlcat(buf, "...", sizeof(buf));
+	    col = check_column(stderr, col, strlen(buf) + 1, columns);
+	    col += fprintf(stderr, " %s", buf);
+	}
+	if (args[i].short_name) {
+	    snprintf(buf, sizeof(buf), "[-%c", args[i].short_name);
+	    len += 2;
+	    len += print_arg(buf + strlen(buf), sizeof(buf) - strlen(buf), 
+			     0, 0, &args[i]);
+	    strlcat(buf, "]", sizeof(buf));
+	    if(args[i].type == arg_strings)
+		strlcat(buf, "...", sizeof(buf));
+	    col = check_column(stderr, col, strlen(buf) + 1, columns);
+	    col += fprintf(stderr, " %s", buf);
+	}
+	if (args[i].long_name && args[i].short_name)
+	    len += 2; /* ", " */
+	max_len = max(max_len, len);
+    }
+    if (extra_string) {
+	col = check_column(stderr, col, strlen(extra_string) + 1, columns);
+	fprintf (stderr, " %s\n", extra_string);
+    } else
+	fprintf (stderr, "\n");
+    for (i = 0; i < num_args; ++i) {
+	if (args[i].help) {
+	    size_t count = 0;
+
+	    if (args[i].short_name) {
+		count += fprintf (stderr, "-%c", args[i].short_name);
+		print_arg (buf, sizeof(buf), 0, 0, &args[i]);
+		count += fprintf(stderr, "%s", buf);
+	    }
+	    if (args[i].short_name && args[i].long_name)
+		count += fprintf (stderr, ", ");
+	    if (args[i].long_name) {
+		count += fprintf (stderr, "--");
+		if (args[i].type == arg_negative_flag)
+		    count += fprintf (stderr, "no-");
+		count += fprintf (stderr, "%s", args[i].long_name);
+		print_arg (buf, sizeof(buf), 0, 1, &args[i]);
+		count += fprintf(stderr, "%s", buf);
+	    }
+	    while(count++ <= max_len)
+		putc (' ', stderr);
+	    fprintf (stderr, "%s\n", args[i].help);
+	}
+    }
+}
+
+static void
+add_string(getarg_strings *s, char *value)
+{
+    s->strings = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings));
+    s->strings[s->num_strings] = value;
+    s->num_strings++;
+}
+
+static int
+arg_match_long(struct getargs *args, size_t num_args,
+	       char *argv, int argc, char **rargv, int *optind)
+{
+    int i;
+    char *optarg = NULL;
+    int negate = 0;
+    int partial_match = 0;
+    struct getargs *partial = NULL;
+    struct getargs *current = NULL;
+    int argv_len;
+    char *p;
+
+    argv_len = strlen(argv);
+    p = strchr (argv, '=');
+    if (p != NULL)
+	argv_len = p - argv;
+
+    for (i = 0; i < num_args; ++i) {
+	if(args[i].long_name) {
+	    int len = strlen(args[i].long_name);
+	    char *p = argv;
+	    int p_len = argv_len;
+	    negate = 0;
+
+	    for (;;) {
+		if (strncmp (args[i].long_name, p, p_len) == 0) {
+		    if(p_len == len)
+			current = &args[i];
+		    else {
+			++partial_match;
+			partial = &args[i];
+		    }
+		    optarg  = p + p_len;
+		} else if (ISFLAG(args[i]) && strncmp (p, "no-", 3) == 0) {
+		    negate = !negate;
+		    p += 3;
+		    p_len -= 3;
+		    continue;
+		}
+		break;
+	    }
+	    if (current)
+		break;
+	}
+    }
+    if (current == NULL) {
+	if (partial_match == 1)
+	    current = partial;
+	else
+	    return ARG_ERR_NO_MATCH;
+    }
+    
+    if(*optarg == '\0'
+       && !ISFLAG(*current)
+       && current->type != arg_collect
+       && current->type != arg_counter)
+	return ARG_ERR_NO_MATCH;
+    switch(current->type){
+    case arg_integer:
+    {
+	int tmp;
+	if(sscanf(optarg + 1, "%d", &tmp) != 1)
+	    return ARG_ERR_BAD_ARG;
+	*(int*)current->value = tmp;
+	return 0;
+    }
+    case arg_string:
+    {
+	*(char**)current->value = optarg + 1;
+	return 0;
+    }
+    case arg_strings:
+    {
+	add_string((getarg_strings*)current->value, optarg + 1);
+	return 0;
+    }
+    case arg_flag:
+    case arg_negative_flag:
+    {
+	int *flag = current->value;
+	if(*optarg == '\0' ||
+	   strcmp(optarg + 1, "yes") == 0 || 
+	   strcmp(optarg + 1, "true") == 0){
+	    *flag = !negate;
+	    return 0;
+	} else if (*optarg && strcmp(optarg + 1, "maybe") == 0) {
+	    *flag = rand() & 1;
+	} else {
+	    *flag = negate;
+	    return 0;
+	}
+	return ARG_ERR_BAD_ARG;
+    }
+    case arg_counter :
+    {
+	int val;
+
+	if (*optarg == '\0')
+	    val = 1;
+	else {
+	    char *endstr;
+
+	    val = strtol (optarg, &endstr, 0);
+	    if (endstr == optarg)
+		return ARG_ERR_BAD_ARG;
+	}
+	*(int *)current->value += val;
+	return 0;
+    }
+    case arg_double:
+    {
+	double tmp;
+	if(sscanf(optarg + 1, "%lf", &tmp) != 1)
+	    return ARG_ERR_BAD_ARG;
+	*(double*)current->value = tmp;
+	return 0;
+    }
+    case arg_collect:{
+	struct getarg_collect_info *c = current->value;
+	int o = argv - rargv[*optind];
+	return (*c->func)(FALSE, argc, rargv, optind, &o, c->data);
+    }
+
+    default:
+	abort ();
+    }
+}
+
+static int
+arg_match_short (struct getargs *args, size_t num_args,
+		 char *argv, int argc, char **rargv, int *optind)
+{
+    int j, k;
+
+    for(j = 1; j > 0 && j < strlen(rargv[*optind]); j++) {
+	for(k = 0; k < num_args; k++) {
+	    char *optarg;
+
+	    if(args[k].short_name == 0)
+		continue;
+	    if(argv[j] == args[k].short_name) {
+		if(args[k].type == arg_flag) {
+		    *(int*)args[k].value = 1;
+		    break;
+		}
+		if(args[k].type == arg_negative_flag) {
+		    *(int*)args[k].value = 0;
+		    break;
+		} 
+		if(args[k].type == arg_counter) {
+		    ++*(int *)args[k].value;
+		    break;
+		}
+		if(args[k].type == arg_collect) {
+		    struct getarg_collect_info *c = args[k].value;
+
+		    if((*c->func)(TRUE, argc, rargv, optind, &j, c->data))
+			return ARG_ERR_BAD_ARG;
+		    break;
+		}
+
+		if(argv[j + 1])
+		    optarg = &argv[j + 1];
+		else {
+		    ++*optind;
+		    optarg = rargv[*optind];
+		}
+		if(optarg == NULL)
+		    return ARG_ERR_NO_ARG;
+		if(args[k].type == arg_integer) {
+		    int tmp;
+		    if(sscanf(optarg, "%d", &tmp) != 1)
+			return ARG_ERR_BAD_ARG;
+		    *(int*)args[k].value = tmp;
+		    return 0;
+		} else if(args[k].type == arg_string) {
+		    *(char**)args[k].value = optarg;
+		    return 0;
+		} else if(args[k].type == arg_strings) {
+		    add_string((getarg_strings*)args[k].value, optarg);
+		    return 0;
+		} else if(args[k].type == arg_double) {
+		    double tmp;
+		    if(sscanf(optarg, "%lf", &tmp) != 1)
+			return ARG_ERR_BAD_ARG;
+		    *(double*)args[k].value = tmp;
+		    return 0;
+		}
+		return ARG_ERR_BAD_ARG;
+	    }
+	}
+	if (k == num_args)
+	    return ARG_ERR_NO_MATCH;
+    }
+    return 0;
+}
+
+int
+getarg(struct getargs *args, size_t num_args, 
+       int argc, char **argv, int *optind)
+{
+    int i;
+    int ret = 0;
+
+    srand (time(NULL));
+    (*optind)++;
+    for(i = *optind; i < argc; i++) {
+	if(argv[i][0] != '-')
+	    break;
+	if(argv[i][1] == '-'){
+	    if(argv[i][2] == 0){
+		i++;
+		break;
+	    }
+	    ret = arg_match_long (args, num_args, argv[i] + 2, 
+				  argc, argv, &i);
+	} else {
+	    ret = arg_match_short (args, num_args, argv[i],
+				   argc, argv, &i);
+	}
+	if(ret)
+	    break;
+    }
+    *optind = i;
+    return ret;
+}
+
+#if TEST
+int foo_flag = 2;
+int flag1 = 0;
+int flag2 = 0;
+int bar_int;
+char *baz_string;
+
+struct getargs args[] = {
+    { NULL, '1', arg_flag, &flag1, "one", NULL },
+    { NULL, '2', arg_flag, &flag2, "two", NULL },
+    { "foo", 'f', arg_negative_flag, &foo_flag, "foo", NULL },
+    { "bar", 'b', arg_integer, &bar_int, "bar", "seconds"},
+    { "baz", 'x', arg_string, &baz_string, "baz", "name" },
+};
+
+int main(int argc, char **argv)
+{
+    int optind = 0;
+    while(getarg(args, 5, argc, argv, &optind))
+	printf("Bad arg: %s\n", argv[optind]);
+    printf("flag1 = %d\n", flag1);  
+    printf("flag2 = %d\n", flag2);  
+    printf("foo_flag = %d\n", foo_flag);  
+    printf("bar_int = %d\n", bar_int);
+    printf("baz_flag = %s\n", baz_string);
+    arg_printusage (args, 5, argv[0], "nothing here");
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/getarg.h b/crypto/kerberosIV/lib/roken/getarg.h
new file mode 100644
index 0000000..7fd374b
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getarg.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: getarg.h,v 1.10 1999/12/02 16:58:46 joda Exp $ */
+
+#ifndef __GETARG_H__
+#define __GETARG_H__
+
+#include <stddef.h>
+
+struct getargs{
+    const char *long_name;
+    char short_name;
+    enum { arg_integer, 
+	   arg_string, 
+	   arg_flag, 
+	   arg_negative_flag, 
+	   arg_strings,
+	   arg_double,
+	   arg_collect,
+	   arg_counter
+    } type;
+    void *value;
+    const char *help;
+    const char *arg_help;
+};
+
+enum {
+    ARG_ERR_NO_MATCH  = 1,
+    ARG_ERR_BAD_ARG,
+    ARG_ERR_NO_ARG
+};
+
+typedef struct getarg_strings {
+    int num_strings;
+    char **strings;
+} getarg_strings;
+
+typedef int (*getarg_collect_func)(int short_opt,
+				   int argc,
+				   char **argv,
+				   int *optind,
+				   int *optarg,
+				   void *data);
+
+typedef struct getarg_collect_info {
+    getarg_collect_func func;
+    void *data;
+} getarg_collect_info;
+
+int getarg(struct getargs *args, size_t num_args, 
+	   int argc, char **argv, int *optind);
+
+void arg_printusage (struct getargs *args,
+		     size_t num_args,
+		     const char *progname,
+		     const char *extra_string);
+
+#endif /* __GETARG_H__ */
diff --git a/crypto/kerberosIV/lib/roken/getcap.c b/crypto/kerberosIV/lib/roken/getcap.c
new file mode 100644
index 0000000..997fabf
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getcap.c
@@ -0,0 +1,1118 @@
+/*	$NetBSD: getcap.c,v 1.29 1999/03/29 09:27:29 abs Exp $	*/
+
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Casey Leedom of Lawrence Livermore National Laboratory.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+RCSID("$Id: getcap.c,v 1.7 1999/11/17 21:11:58 assar Exp $");
+
+#include <sys/types.h>
+#include <ctype.h>
+#if defined(HAVE_DB_185_H)
+#include <db_185.h>
+#elif defined(HAVE_DB_H)
+#include <db.h>
+#endif
+#include <errno.h>	
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define	BFRAG		1024
+#if 0
+#define	BSIZE		1024
+#endif
+#define	ESC		('[' & 037)	/* ASCII ESC */
+#define	MAX_RECURSION	32		/* maximum getent recursion */
+#define	SFRAG		100		/* cgetstr mallocs in SFRAG chunks */
+
+#define RECOK	(char)0
+#define TCERR	(char)1
+#define	SHADOW	(char)2
+
+static size_t	 topreclen;	/* toprec length */
+static char	*toprec;	/* Additional record specified by cgetset() */
+static int	 gottoprec;	/* Flag indicating retrieval of toprecord */
+
+#if defined(HAVE_DBOPEN) && defined(HAVE_DB_H)
+#define USE_DB
+#endif
+
+#ifdef USE_DB
+static int	cdbget (DB *, char **, const char *);
+#endif
+static int 	getent (char **, size_t *, char **, int, const char *, int, char *);
+static int	nfcmp (char *, char *);
+
+
+int cgetset(const char *ent);
+char *cgetcap(char *buf, const char *cap, int type);
+int cgetent(char **buf, char **db_array, const char *name);
+int cgetmatch(const char *buf, const char *name);
+int cgetclose(void);
+#if 0
+int cgetfirst(char **buf, char **db_array);
+int cgetnext(char **bp, char **db_array);
+#endif
+int cgetstr(char *buf, const char *cap, char **str);
+int cgetustr(char *buf, const char *cap, char **str);
+int cgetnum(char *buf, const char *cap, long *num);
+/*
+ * Cgetset() allows the addition of a user specified buffer to be added
+ * to the database array, in effect "pushing" the buffer on top of the
+ * virtual database. 0 is returned on success, -1 on failure.
+ */
+int
+cgetset(const char *ent)
+{
+    const char *source, *check;
+    char *dest;
+
+    if (ent == NULL) {
+	if (toprec)
+	    free(toprec);
+	toprec = NULL;
+	topreclen = 0;
+	return (0);
+    }
+    topreclen = strlen(ent);
+    if ((toprec = malloc (topreclen + 1)) == NULL) {
+	errno = ENOMEM;
+	return (-1);
+    }
+    gottoprec = 0;
+
+    source=ent;
+    dest=toprec;
+    while (*source) { /* Strip whitespace */
+	*dest++ = *source++; /* Do not check first field */
+	while (*source == ':') {
+	    check=source+1;
+	    while (*check && (isspace((unsigned char)*check) ||
+			      (*check=='\\' && isspace((unsigned char)check[1]))))
+		++check;
+	    if( *check == ':' )
+		source=check;
+	    else
+		break;
+
+	}
+    }
+    *dest=0;
+
+    return (0);
+}
+
+/*
+ * Cgetcap searches the capability record buf for the capability cap with
+ * type `type'.  A pointer to the value of cap is returned on success, NULL
+ * if the requested capability couldn't be found.
+ *
+ * Specifying a type of ':' means that nothing should follow cap (:cap:).
+ * In this case a pointer to the terminating ':' or NUL will be returned if
+ * cap is found.
+ *
+ * If (cap, '@') or (cap, terminator, '@') is found before (cap, terminator)
+ * return NULL.
+ */
+char *
+cgetcap(char *buf, const char *cap, int type)
+{
+    char *bp;
+    const char *cp;
+
+    bp = buf;
+    for (;;) {
+	/*
+	 * Skip past the current capability field - it's either the
+	 * name field if this is the first time through the loop, or
+	 * the remainder of a field whose name failed to match cap.
+	 */
+	for (;;)
+	    if (*bp == '\0')
+		return (NULL);
+	    else
+		if (*bp++ == ':')
+		    break;
+
+	/*
+	 * Try to match (cap, type) in buf.
+	 */
+	for (cp = cap; *cp == *bp && *bp != '\0'; cp++, bp++)
+	    continue;
+	if (*cp != '\0')
+	    continue;
+	if (*bp == '@')
+	    return (NULL);
+	if (type == ':') {
+	    if (*bp != '\0' && *bp != ':')
+		continue;
+	    return(bp);
+	}
+	if (*bp != type)
+	    continue;
+	bp++;
+	return (*bp == '@' ? NULL : bp);
+    }
+    /* NOTREACHED */
+}
+
+/*
+ * Cgetent extracts the capability record name from the NULL terminated file
+ * array db_array and returns a pointer to a malloc'd copy of it in buf.
+ * Buf must be retained through all subsequent calls to cgetcap, cgetnum,
+ * cgetflag, and cgetstr, but may then be free'd.  0 is returned on success,
+ * -1 if the requested record couldn't be found, -2 if a system error was
+ * encountered (couldn't open/read a file, etc.), and -3 if a potential
+ * reference loop is detected.
+ */
+int
+cgetent(char **buf, char **db_array, const char *name)
+{
+    size_t dummy;
+
+    return (getent(buf, &dummy, db_array, -1, name, 0, NULL));
+}
+
+/*
+ * Getent implements the functions of cgetent.  If fd is non-negative,
+ * *db_array has already been opened and fd is the open file descriptor.  We
+ * do this to save time and avoid using up file descriptors for tc=
+ * recursions.
+ *
+ * Getent returns the same success/failure codes as cgetent.  On success, a
+ * pointer to a malloc'ed capability record with all tc= capabilities fully
+ * expanded and its length (not including trailing ASCII NUL) are left in
+ * *cap and *len.
+ *
+ * Basic algorithm:
+ *	+ Allocate memory incrementally as needed in chunks of size BFRAG
+ *	  for capability buffer.
+ *	+ Recurse for each tc=name and interpolate result.  Stop when all
+ *	  names interpolated, a name can't be found, or depth exceeds
+ *	  MAX_RECURSION.
+ */
+static int
+getent(char **cap, size_t *len, char **db_array, int fd, 
+       const char *name, int depth, char *nfield)
+{
+    char *r_end, *rp = NULL, **db_p;	/* pacify gcc */
+    int myfd = 0, eof, foundit;
+    char *record;
+    int tc_not_resolved;
+	
+    /*
+     * Return with ``loop detected'' error if we've recursed more than
+     * MAX_RECURSION times.
+     */
+    if (depth > MAX_RECURSION)
+	return (-3);
+
+    /*
+     * Check if we have a top record from cgetset().
+     */
+    if (depth == 0 && toprec != NULL && cgetmatch(toprec, name) == 0) {
+	if ((record = malloc (topreclen + BFRAG)) == NULL) {
+	    errno = ENOMEM;
+	    return (-2);
+	}
+	(void)strcpy(record, toprec);	/* XXX: strcpy is safe */
+	db_p = db_array;
+	rp = record + topreclen + 1;
+	r_end = rp + BFRAG;
+	goto tc_exp;
+    }
+    /*
+     * Allocate first chunk of memory.
+     */
+    if ((record = malloc(BFRAG)) == NULL) {
+	errno = ENOMEM;
+	return (-2);
+    }
+    r_end = record + BFRAG;
+    foundit = 0;
+    /*
+     * Loop through database array until finding the record.
+     */
+
+    for (db_p = db_array; *db_p != NULL; db_p++) {
+	eof = 0;
+
+	/*
+	 * Open database if not already open.
+	 */
+
+	if (fd >= 0) {
+	    (void)lseek(fd, (off_t)0, SEEK_SET);
+	} else {
+#ifdef USE_DB
+	    char pbuf[_POSIX_PATH_MAX];
+	    char *cbuf;
+	    size_t clen;
+	    int retval;
+	    DB *capdbp;
+
+	    (void)snprintf(pbuf, sizeof(pbuf), "%s.db", *db_p);
+	    if ((capdbp = dbopen(pbuf, O_RDONLY, 0, DB_HASH, 0))
+		!= NULL) {
+		free(record);
+		retval = cdbget(capdbp, &record, name);
+		if (retval < 0) {
+		    /* no record available */
+		    (void)capdbp->close(capdbp);
+		    return (retval);
+		}
+				/* save the data; close frees it */
+		clen = strlen(record);
+		cbuf = malloc(clen + 1);
+		memmove(cbuf, record, clen + 1);
+		if (capdbp->close(capdbp) < 0) {
+		    free(cbuf);
+		    return (-2);
+		}
+		*len = clen;
+		*cap = cbuf;
+		return (retval);
+	    } else
+#endif
+	    {
+		fd = open(*db_p, O_RDONLY, 0);
+		if (fd < 0) {
+		    /* No error on unfound file. */
+		    continue;
+		}
+		myfd = 1;
+	    }
+	}
+	/*
+	 * Find the requested capability record ...
+	 */
+	{
+	    char buf[BUFSIZ];
+	    char *b_end, *bp, *cp;
+	    int c, slash;
+
+	    /*
+	     * Loop invariants:
+	     *	There is always room for one more character in record.
+	     *	R_end always points just past end of record.
+	     *	Rp always points just past last character in record.
+	     *	B_end always points just past last character in buf.
+	     *	Bp always points at next character in buf.
+	     *	Cp remembers where the last colon was.
+	     */
+	    b_end = buf;
+	    bp = buf;
+	    cp = 0;
+	    slash = 0;
+	    for (;;) {
+
+		/*
+		 * Read in a line implementing (\, newline)
+		 * line continuation.
+		 */
+		rp = record;
+		for (;;) {
+		    if (bp >= b_end) {
+			int n;
+		
+			n = read(fd, buf, sizeof(buf));
+			if (n <= 0) {
+			    if (myfd)
+				(void)close(fd);
+			    if (n < 0) {
+				free(record);
+				return (-2);
+			    } else {
+				fd = -1;
+				eof = 1;
+				break;
+			    }
+			}
+			b_end = buf+n;
+			bp = buf;
+		    }
+	
+		    c = *bp++;
+		    if (c == '\n') {
+			if (slash) {
+			    slash = 0;
+			    rp--;
+			    continue;
+			} else
+			    break;
+		    }
+		    if (slash) {
+			slash = 0;
+			cp = 0;
+		    }
+		    if (c == ':') {
+			/*
+			 * If the field was `empty' (i.e.
+			 * contained only white space), back up
+			 * to the colon (eliminating the
+			 * field).
+			 */
+			if (cp)
+			    rp = cp;
+			else
+			    cp = rp;
+		    } else if (c == '\\') {
+			slash = 1;
+		    } else if (c != ' ' && c != '\t') {
+			/*
+			 * Forget where the colon was, as this
+			 * is not an empty field.
+			 */
+			cp = 0;
+		    }
+		    *rp++ = c;
+
+				/*
+				 * Enforce loop invariant: if no room 
+				 * left in record buffer, try to get
+				 * some more.
+				 */
+		    if (rp >= r_end) {
+			u_int pos;
+			size_t newsize;
+
+			pos = rp - record;
+			newsize = r_end - record + BFRAG;
+			record = realloc(record, newsize);
+			if (record == NULL) {
+			    errno = ENOMEM;
+			    if (myfd)
+				(void)close(fd);
+			    return (-2);
+			}
+			r_end = record + newsize;
+			rp = record + pos;
+		    }
+		}
+		/* Eliminate any white space after the last colon. */
+		if (cp)
+		    rp = cp + 1;
+		/* Loop invariant lets us do this. */
+		*rp++ = '\0';
+
+		/*
+		 * If encountered eof check next file.
+		 */
+		if (eof)
+		    break;
+				
+		/*
+		 * Toss blank lines and comments.
+		 */
+		if (*record == '\0' || *record == '#')
+		    continue;
+	
+		/*
+		 * See if this is the record we want ...
+		 */
+		if (cgetmatch(record, name) == 0) {
+		    if (nfield == NULL || !nfcmp(nfield, record)) {
+			foundit = 1;
+			break;	/* found it! */
+		    }
+		}
+	    }
+	}
+	if (foundit)
+	    break;
+    }
+
+    if (!foundit)
+	return (-1);
+
+    /*
+     * Got the capability record, but now we have to expand all tc=name
+     * references in it ...
+     */
+ tc_exp:	{
+	char *newicap, *s;
+	size_t ilen, newilen;
+	int diff, iret, tclen;
+	char *icap, *scan, *tc, *tcstart, *tcend;
+
+	/*
+	 * Loop invariants:
+	 *	There is room for one more character in record.
+	 *	R_end points just past end of record.
+	 *	Rp points just past last character in record.
+	 *	Scan points at remainder of record that needs to be
+	 *	scanned for tc=name constructs.
+	 */
+	scan = record;
+	tc_not_resolved = 0;
+	for (;;) {
+	    if ((tc = cgetcap(scan, "tc", '=')) == NULL)
+		break;
+
+	    /*
+	     * Find end of tc=name and stomp on the trailing `:'
+	     * (if present) so we can use it to call ourselves.
+	     */
+	    s = tc;
+	    for (;;)
+		if (*s == '\0')
+		    break;
+		else
+		    if (*s++ == ':') {
+			*(s - 1) = '\0';
+			break;
+		    }
+	    tcstart = tc - 3;
+	    tclen = s - tcstart;
+	    tcend = s;
+
+	    iret = getent(&icap, &ilen, db_p, fd, tc, depth+1, 
+			  NULL);
+	    newicap = icap;		/* Put into a register. */
+	    newilen = ilen;
+	    if (iret != 0) {
+				/* an error */
+		if (iret < -1) {
+		    if (myfd)
+			(void)close(fd);
+		    free(record);
+		    return (iret);
+		}
+		if (iret == 1)
+		    tc_not_resolved = 1;
+				/* couldn't resolve tc */
+		if (iret == -1) {
+		    *(s - 1) = ':';			
+		    scan = s - 1;
+		    tc_not_resolved = 1;
+		    continue;
+					
+		}
+	    }
+	    /* not interested in name field of tc'ed record */
+	    s = newicap;
+	    for (;;)
+		if (*s == '\0')
+		    break;
+		else
+		    if (*s++ == ':')
+			break;
+	    newilen -= s - newicap;
+	    newicap = s;
+
+	    /* make sure interpolated record is `:'-terminated */
+	    s += newilen;
+	    if (*(s-1) != ':') {
+		*s = ':';	/* overwrite NUL with : */
+		newilen++;
+	    }
+
+	    /*
+	     * Make sure there's enough room to insert the
+	     * new record.
+	     */
+	    diff = newilen - tclen;
+	    if (diff >= r_end - rp) {
+		u_int pos, tcpos, tcposend;
+		size_t newsize;
+
+		pos = rp - record;
+		newsize = r_end - record + diff + BFRAG;
+		tcpos = tcstart - record;
+		tcposend = tcend - record;
+		record = realloc(record, newsize);
+		if (record == NULL) {
+		    errno = ENOMEM;
+		    if (myfd)
+			(void)close(fd);
+		    free(icap);
+		    return (-2);
+		}
+		r_end = record + newsize;
+		rp = record + pos;
+		tcstart = record + tcpos;
+		tcend = record + tcposend;
+	    }
+
+	    /*
+	     * Insert tc'ed record into our record.
+	     */
+	    s = tcstart + newilen;
+	    memmove(s, tcend,  (size_t)(rp - tcend));
+	    memmove(tcstart, newicap, newilen);
+	    rp += diff;
+	    free(icap);
+
+	    /*
+	     * Start scan on `:' so next cgetcap works properly
+	     * (cgetcap always skips first field).
+	     */
+	    scan = s-1;
+	}
+	
+    }
+    /*
+     * Close file (if we opened it), give back any extra memory, and
+     * return capability, length and success.
+     */
+    if (myfd)
+	(void)close(fd);
+    *len = rp - record - 1;	/* don't count NUL */
+    if (r_end > rp)
+	if ((record = 
+	     realloc(record, (size_t)(rp - record))) == NULL) {
+	    errno = ENOMEM;
+	    return (-2);
+	}
+		
+    *cap = record;
+    if (tc_not_resolved)
+	return (1);
+    return (0);
+}	
+
+#ifdef USE_DB
+static int
+cdbget(DB *capdbp, char **bp, const char *name)
+{
+	DBT key;
+	DBT data;
+
+	/* LINTED key is not modified */
+	key.data = (char *)name;
+	key.size = strlen(name);
+
+	for (;;) {
+		/* Get the reference. */
+		switch(capdbp->get(capdbp, &key, &data, 0)) {
+		case -1:
+			return (-2);
+		case 1:
+			return (-1);
+		}
+
+		/* If not an index to another record, leave. */
+		if (((char *)data.data)[0] != SHADOW)
+			break;
+
+		key.data = (char *)data.data + 1;
+		key.size = data.size - 1;
+	}
+	
+	*bp = (char *)data.data + 1;
+	return (((char *)(data.data))[0] == TCERR ? 1 : 0);
+}
+#endif /* USE_DB */
+
+/*
+ * Cgetmatch will return 0 if name is one of the names of the capability
+ * record buf, -1 if not.
+ */
+int
+cgetmatch(const char *buf, const char *name)
+{
+    const char *np, *bp;
+
+    /*
+     * Start search at beginning of record.
+     */
+    bp = buf;
+    for (;;) {
+	/*
+	 * Try to match a record name.
+	 */
+	np = name;
+	for (;;)
+	    if (*np == '\0') {
+		if (*bp == '|' || *bp == ':' || *bp == '\0')
+		    return (0);
+		else
+		    break;
+	    } else
+		if (*bp++ != *np++)
+		    break;
+
+	/*
+	 * Match failed, skip to next name in record.
+	 */
+	bp--;	/* a '|' or ':' may have stopped the match */
+	for (;;)
+	    if (*bp == '\0' || *bp == ':')
+		return (-1);	/* match failed totally */
+	    else
+		if (*bp++ == '|')
+		    break;	/* found next name */
+    }
+}
+
+#if 0
+int
+cgetfirst(char **buf, char **db_array)
+{
+    (void)cgetclose();
+    return (cgetnext(buf, db_array));
+}
+#endif
+
+static FILE *pfp;
+static int slash;
+static char **dbp;
+
+int
+cgetclose(void)
+{
+    if (pfp != NULL) {
+	(void)fclose(pfp);
+	pfp = NULL;
+    }
+    dbp = NULL;
+    gottoprec = 0;
+    slash = 0;
+    return(0);
+}
+
+#if 0
+/*
+ * Cgetnext() gets either the first or next entry in the logical database 
+ * specified by db_array.  It returns 0 upon completion of the database, 1
+ * upon returning an entry with more remaining, and -1 if an error occurs.
+ */
+int
+cgetnext(char **bp, char **db_array)
+{
+    size_t len;
+    int status, done;
+    char *cp, *line, *rp, *np, buf[BSIZE], nbuf[BSIZE];
+    size_t dummy;
+
+    if (dbp == NULL)
+	dbp = db_array;
+
+    if (pfp == NULL && (pfp = fopen(*dbp, "r")) == NULL) {
+	(void)cgetclose();
+	return (-1);
+    }
+    for(;;) {
+	if (toprec && !gottoprec) {
+	    gottoprec = 1;
+	    line = toprec;
+	} else {
+	    line = fgetln(pfp, &len);
+	    if (line == NULL && pfp) {
+		if (ferror(pfp)) {
+		    (void)cgetclose();
+		    return (-1);
+		} else {
+		    (void)fclose(pfp);
+		    pfp = NULL;
+		    if (*++dbp == NULL) {
+			(void)cgetclose();
+			return (0);
+		    } else if ((pfp =
+				fopen(*dbp, "r")) == NULL) {
+			(void)cgetclose();
+			return (-1);
+		    } else
+			continue;
+		}
+	    } else
+		line[len - 1] = '\0';
+	    if (len == 1) {
+		slash = 0;
+		continue;
+	    }
+	    if (isspace((unsigned char)*line) ||
+		*line == ':' || *line == '#' || slash) {
+		if (line[len - 2] == '\\')
+		    slash = 1;
+		else
+		    slash = 0;
+		continue;
+	    }
+	    if (line[len - 2] == '\\')
+		slash = 1;
+	    else
+		slash = 0;
+	}			
+
+
+	/* 
+	 * Line points to a name line.
+	 */
+	done = 0;
+	np = nbuf;
+	for (;;) {
+	    for (cp = line; *cp != '\0'; cp++) {
+		if (*cp == ':') {
+		    *np++ = ':';
+		    done = 1;
+		    break;
+		}
+		if (*cp == '\\')
+		    break;
+		*np++ = *cp;
+	    }
+	    if (done) {
+		*np = '\0';
+		break;
+	    } else { /* name field extends beyond the line */
+		line = fgetln(pfp, &len);
+		if (line == NULL && pfp) {
+		    if (ferror(pfp)) {
+			(void)cgetclose();
+			return (-1);
+		    }
+		    (void)fclose(pfp);
+		    pfp = NULL;
+		    *np = '\0';
+		    break;
+		} else
+		    line[len - 1] = '\0';
+	    }
+	}
+	rp = buf;
+	for(cp = nbuf; *cp != '\0'; cp++)
+	    if (*cp == '|' || *cp == ':')
+		break;
+	    else
+		*rp++ = *cp;
+
+	*rp = '\0';
+	/* 
+	 * XXX 
+	 * Last argument of getent here should be nbuf if we want true
+	 * sequential access in the case of duplicates.  
+	 * With NULL, getent will return the first entry found
+	 * rather than the duplicate entry record.  This is a 
+	 * matter of semantics that should be resolved.
+	 */
+	status = getent(bp, &dummy, db_array, -1, buf, 0, NULL);
+	if (status == -2 || status == -3)
+	    (void)cgetclose();
+
+	return (status + 1);
+    }
+    /* NOTREACHED */
+}
+#endif
+
+/*
+ * Cgetstr retrieves the value of the string capability cap from the
+ * capability record pointed to by buf.  A pointer to a decoded, NUL
+ * terminated, malloc'd copy of the string is returned in the char *
+ * pointed to by str.  The length of the string not including the trailing
+ * NUL is returned on success, -1 if the requested string capability
+ * couldn't be found, -2 if a system error was encountered (storage
+ * allocation failure).
+ */
+int
+cgetstr(char *buf, const char *cap, char **str)
+{
+    u_int m_room;
+    const char *bp;
+    char *mp;
+    int len;
+    char *mem;
+
+    /*
+     * Find string capability cap
+     */
+    bp = cgetcap(buf, cap, '=');
+    if (bp == NULL)
+	return (-1);
+
+    /*
+     * Conversion / storage allocation loop ...  Allocate memory in
+     * chunks SFRAG in size.
+     */
+    if ((mem = malloc(SFRAG)) == NULL) {
+	errno = ENOMEM;
+	return (-2);	/* couldn't even allocate the first fragment */
+    }
+    m_room = SFRAG;
+    mp = mem;
+
+    while (*bp != ':' && *bp != '\0') {
+	/*
+	 * Loop invariants:
+	 *	There is always room for one more character in mem.
+	 *	Mp always points just past last character in mem.
+	 *	Bp always points at next character in buf.
+	 */
+	if (*bp == '^') {
+	    bp++;
+	    if (*bp == ':' || *bp == '\0')
+		break;	/* drop unfinished escape */
+	    *mp++ = *bp++ & 037;
+	} else if (*bp == '\\') {
+	    bp++;
+	    if (*bp == ':' || *bp == '\0')
+		break;	/* drop unfinished escape */
+	    if ('0' <= *bp && *bp <= '7') {
+		int n, i;
+
+		n = 0;
+		i = 3;	/* maximum of three octal digits */
+		do {
+		    n = n * 8 + (*bp++ - '0');
+		} while (--i && '0' <= *bp && *bp <= '7');
+		*mp++ = n;
+	    }
+	    else switch (*bp++) {
+	    case 'b': case 'B':
+		*mp++ = '\b';
+		break;
+	    case 't': case 'T':
+		*mp++ = '\t';
+		break;
+	    case 'n': case 'N':
+		*mp++ = '\n';
+		break;
+	    case 'f': case 'F':
+		*mp++ = '\f';
+		break;
+	    case 'r': case 'R':
+		*mp++ = '\r';
+		break;
+	    case 'e': case 'E':
+		*mp++ = ESC;
+		break;
+	    case 'c': case 'C':
+		*mp++ = ':';
+		break;
+	    default:
+		/*
+		 * Catches '\', '^', and
+		 *  everything else.
+		 */
+		*mp++ = *(bp-1);
+		break;
+	    }
+	} else
+	    *mp++ = *bp++;
+	m_room--;
+
+	/*
+	 * Enforce loop invariant: if no room left in current
+	 * buffer, try to get some more.
+	 */
+	if (m_room == 0) {
+	    size_t size = mp - mem;
+
+	    if ((mem = realloc(mem, size + SFRAG)) == NULL)
+		return (-2);
+	    m_room = SFRAG;
+	    mp = mem + size;
+	}
+    }
+    *mp++ = '\0';	/* loop invariant let's us do this */
+    m_room--;
+    len = mp - mem - 1;
+
+    /*
+     * Give back any extra memory and return value and success.
+     */
+    if (m_room != 0)
+	if ((mem = realloc(mem, (size_t)(mp - mem))) == NULL)
+	    return (-2);
+    *str = mem;
+    return (len);
+}
+
+/*
+ * Cgetustr retrieves the value of the string capability cap from the
+ * capability record pointed to by buf.  The difference between cgetustr()
+ * and cgetstr() is that cgetustr does not decode escapes but rather treats
+ * all characters literally.  A pointer to a  NUL terminated malloc'd 
+ * copy of the string is returned in the char pointed to by str.  The 
+ * length of the string not including the trailing NUL is returned on success,
+ * -1 if the requested string capability couldn't be found, -2 if a system 
+ * error was encountered (storage allocation failure).
+ */
+int
+cgetustr(char *buf, const char *cap, char **str)
+{
+    u_int m_room;
+    const char *bp;
+    char *mp;
+    int len;
+    char *mem;
+
+    /*
+     * Find string capability cap
+     */
+    if ((bp = cgetcap(buf, cap, '=')) == NULL)
+	return (-1);
+
+    /*
+     * Conversion / storage allocation loop ...  Allocate memory in
+     * chunks SFRAG in size.
+     */
+    if ((mem = malloc(SFRAG)) == NULL) {
+	errno = ENOMEM;
+	return (-2);	/* couldn't even allocate the first fragment */
+    }
+    m_room = SFRAG;
+    mp = mem;
+
+    while (*bp != ':' && *bp != '\0') {
+	/*
+	 * Loop invariants:
+	 *	There is always room for one more character in mem.
+	 *	Mp always points just past last character in mem.
+	 *	Bp always points at next character in buf.
+	 */
+	*mp++ = *bp++;
+	m_room--;
+
+	/*
+	 * Enforce loop invariant: if no room left in current
+	 * buffer, try to get some more.
+	 */
+	if (m_room == 0) {
+	    size_t size = mp - mem;
+
+	    if ((mem = realloc(mem, size + SFRAG)) == NULL)
+		return (-2);
+	    m_room = SFRAG;
+	    mp = mem + size;
+	}
+    }
+    *mp++ = '\0';	/* loop invariant let's us do this */
+    m_room--;
+    len = mp - mem - 1;
+
+    /*
+     * Give back any extra memory and return value and success.
+     */
+    if (m_room != 0)
+	if ((mem = realloc(mem, (size_t)(mp - mem))) == NULL)
+	    return (-2);
+    *str = mem;
+    return (len);
+}
+
+/*
+ * Cgetnum retrieves the value of the numeric capability cap from the
+ * capability record pointed to by buf.  The numeric value is returned in
+ * the long pointed to by num.  0 is returned on success, -1 if the requested
+ * numeric capability couldn't be found.
+ */
+int
+cgetnum(char *buf, const char *cap, long *num)
+{
+    long n;
+    int base, digit;
+    const char *bp;
+
+    /*
+     * Find numeric capability cap
+     */
+    bp = cgetcap(buf, cap, '#');
+    if (bp == NULL)
+	return (-1);
+
+    /*
+     * Look at value and determine numeric base:
+     *	0x... or 0X...	hexadecimal,
+     * else	0...		octal,
+     * else			decimal.
+     */
+    if (*bp == '0') {
+	bp++;
+	if (*bp == 'x' || *bp == 'X') {
+	    bp++;
+	    base = 16;
+	} else
+	    base = 8;
+    } else
+	base = 10;
+
+    /*
+     * Conversion loop ...
+     */
+    n = 0;
+    for (;;) {
+	if ('0' <= *bp && *bp <= '9')
+	    digit = *bp - '0';
+	else if ('a' <= *bp && *bp <= 'f')
+	    digit = 10 + *bp - 'a';
+	else if ('A' <= *bp && *bp <= 'F')
+	    digit = 10 + *bp - 'A';
+	else
+	    break;
+
+	if (digit >= base)
+	    break;
+
+	n = n * base + digit;
+	bp++;
+    }
+
+    /*
+     * Return value and success.
+     */
+    *num = n;
+    return (0);
+}
+
+
+/*
+ * Compare name field of record.
+ */
+static int
+nfcmp(char *nf, char *rec)
+{
+    char *cp, tmp;
+    int ret;
+	
+    for (cp = rec; *cp != ':'; cp++)
+	;
+	
+    tmp = *(cp + 1);
+    *(cp + 1) = '\0';
+    ret = strcmp(nf, rec);
+    *(cp + 1) = tmp;
+
+    return (ret);
+}
diff --git a/crypto/kerberosIV/lib/roken/getcwd.c b/crypto/kerberosIV/lib/roken/getcwd.c
new file mode 100644
index 0000000..c1f2610
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getcwd.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getcwd.c,v 1.12 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#include "roken.h"
+
+char*
+getcwd(char *path, size_t size)
+{
+    char xxx[MaxPathLen];
+    char *ret;
+    ret = getwd(xxx);
+    if(ret)
+	strlcpy(path, xxx, size);
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/getdtablesize.c b/crypto/kerberosIV/lib/roken/getdtablesize.c
new file mode 100644
index 0000000..9f9c74b
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getdtablesize.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getdtablesize.c,v 1.10 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+
+#ifdef HAVE_SYS_SYSCTL_H
+#include <sys/sysctl.h>
+#endif
+
+int getdtablesize(void)
+{
+  int files = -1;
+#if defined(HAVE_SYSCONF) && defined(_SC_OPEN_MAX)
+  files = sysconf(_SC_OPEN_MAX);
+#else /* !defined(HAVE_SYSCONF) */
+#if defined(HAVE_GETRLIMIT) && defined(RLIMIT_NOFILE)
+  struct rlimit res;
+  if (getrlimit(RLIMIT_NOFILE, &res) == 0)
+    files = res.rlim_cur;
+#else /* !definded(HAVE_GETRLIMIT) */
+#if defined(HAVE_SYSCTL) && defined(CTL_KERN) && defined(KERN_MAXFILES)
+  int mib[2];
+  size_t len;
+    
+  mib[0] = CTL_KERN;
+  mib[1] = KERN_MAXFILES;
+  len = sizeof(files);
+  sysctl(&mib, 2, &files, sizeof(nfil), NULL, 0);
+#endif /* defined(HAVE_SYSCTL) */
+#endif /* !definded(HAVE_GETRLIMIT) */
+#endif /* !defined(HAVE_SYSCONF) */
+
+#ifdef OPEN_MAX
+  if (files < 0)
+    files = OPEN_MAX;
+#endif
+
+#ifdef NOFILE
+  if (files < 0)
+    files = NOFILE;
+#endif    
+    
+  return files;
+}
diff --git a/crypto/kerberosIV/lib/roken/getegid.c b/crypto/kerberosIV/lib/roken/getegid.c
new file mode 100644
index 0000000..b6eab85
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getegid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETEGID
+
+RCSID("$Id: getegid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+
+int getegid(void)
+{
+    return getgid();
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/geteuid.c b/crypto/kerberosIV/lib/roken/geteuid.c
new file mode 100644
index 0000000..4bdf531
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/geteuid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETEUID
+
+RCSID("$Id: geteuid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+
+int geteuid(void)
+{
+    return getuid();
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/getgid.c b/crypto/kerberosIV/lib/roken/getgid.c
new file mode 100644
index 0000000..f2ca01a
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getgid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETGID
+
+RCSID("$Id: getgid.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+
+int getgid(void)
+{
+    return 17;
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/gethostname.c b/crypto/kerberosIV/lib/roken/gethostname.c
new file mode 100644
index 0000000..753ba9f
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/gethostname.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETHOSTNAME
+
+#ifdef HAVE_SYS_UTSNAME_H
+#include <sys/utsname.h>
+#endif
+
+/*
+ * Return the local host's name in "name", up to "namelen" characters.
+ * "name" will be null-terminated if "namelen" is big enough.
+ * The return code is 0 on success, -1 on failure.  (The calling
+ * interface is identical to gethostname(2).)
+ */
+
+int
+gethostname(char *name, int namelen)
+{
+#if defined(HAVE_UNAME)
+    {
+	struct utsname utsname;
+	int ret;
+
+	ret = uname (&utsname);
+	if (ret < 0)
+	    return ret;
+	strlcpy (name, utsname.nodename, namelen);
+	return 0;
+    }
+#else
+    strlcpy (name, "some.random.host", namelen);
+    return 0;
+#endif
+}
+
+#endif /* GETHOSTNAME */
diff --git a/crypto/kerberosIV/lib/roken/getipnodebyaddr.c b/crypto/kerberosIV/lib/roken/getipnodebyaddr.c
new file mode 100644
index 0000000..f22aad7
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getipnodebyaddr.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getipnodebyaddr.c,v 1.2 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * lookup `src, len' (address family `af') in DNS and return a pointer
+ * to a malloced struct hostent or NULL.
+ */
+
+struct hostent *
+getipnodebyaddr (const void *src, size_t len, int af, int *error_num)
+{
+    struct hostent *tmp;
+
+    tmp = gethostbyaddr (src, len, af);
+    if (tmp == NULL) {
+	switch (h_errno) {
+	case HOST_NOT_FOUND :
+	case TRY_AGAIN :
+	case NO_RECOVERY :
+	    *error_num = h_errno;
+	    break;
+	case NO_DATA :
+	    *error_num = NO_ADDRESS;
+	    break;
+	default :
+	    *error_num = NO_RECOVERY;
+	    break;
+	}
+	return NULL;
+    }
+    tmp = copyhostent (tmp);
+    if (tmp == NULL) {
+	*error_num = TRY_AGAIN;
+	return NULL;
+    }
+    return tmp;
+}
diff --git a/crypto/kerberosIV/lib/roken/getipnodebyname.c b/crypto/kerberosIV/lib/roken/getipnodebyname.c
new file mode 100644
index 0000000..576feef
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getipnodebyname.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getipnodebyname.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include "roken.h"
+
+#ifndef HAVE_H_ERRNO
+static int h_errno = NO_RECOVERY;
+#endif
+
+/*
+ * lookup `name' (address family `af') in DNS and return a pointer
+ * to a malloced struct hostent or NULL.
+ */
+
+struct hostent *
+getipnodebyname (const char *name, int af, int flags, int *error_num)
+{
+    struct hostent *tmp;
+
+#ifdef HAVE_GETHOSTBYNAME2
+    tmp = gethostbyname2 (name, af);
+#else
+    if (af != AF_INET) {
+	*error_num = NO_ADDRESS;
+	return NULL;
+    }
+    tmp = gethostbyname (name);
+#endif
+    if (tmp == NULL) {
+	switch (h_errno) {
+	case HOST_NOT_FOUND :
+	case TRY_AGAIN :
+	case NO_RECOVERY :
+	    *error_num = h_errno;
+	    break;
+	case NO_DATA :
+	    *error_num = NO_ADDRESS;
+	    break;
+	default :
+	    *error_num = NO_RECOVERY;
+	    break;
+	}
+	return NULL;
+    }
+    tmp = copyhostent (tmp);
+    if (tmp == NULL) {
+	*error_num = TRY_AGAIN;
+	return NULL;
+    }
+    return tmp;
+}
diff --git a/crypto/kerberosIV/lib/roken/getopt.c b/crypto/kerberosIV/lib/roken/getopt.c
new file mode 100644
index 0000000..45fc350
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getopt.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 1987, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)getopt.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#ifndef __STDC__
+#define const
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/*
+ * get option letter from argument vector
+ */
+int	opterr = 1,		/* if error message should be printed */
+	optind = 1,		/* index into parent argv vector */
+	optopt,			/* character checked for validity */
+	optreset;		/* reset getopt */
+char	*optarg;		/* argument associated with option */
+
+#define	BADCH	(int)'?'
+#define	BADARG	(int)':'
+#define	EMSG	""
+
+int
+getopt(nargc, nargv, ostr)
+	int nargc;
+	char * const *nargv;
+	const char *ostr;
+{
+	static char *place = EMSG;		/* option letter processing */
+	char *oli;			/* option letter list index */
+	char *p;
+
+	if (optreset || !*place) {		/* update scanning pointer */
+		optreset = 0;
+		if (optind >= nargc || *(place = nargv[optind]) != '-') {
+			place = EMSG;
+			return(-1);
+		}
+		if (place[1] && *++place == '-') {	/* found "--" */
+			++optind;
+			place = EMSG;
+			return(-1);
+		}
+	}					/* option letter okay? */
+	if ((optopt = (int)*place++) == (int)':' ||
+	    !(oli = strchr(ostr, optopt))) {
+		/*
+		 * if the user didn't specify '-' as an option,
+		 * assume it means -1 (EOF).
+		 */
+		if (optopt == (int)'-')
+			return(-1);
+		if (!*place)
+			++optind;
+		if (opterr && *ostr != ':') {
+			if (!(p = strrchr(*nargv, '/')))
+				p = *nargv;
+			else
+				++p;
+			fprintf(stderr, "%s: illegal option -- %c\n",
+			    p, optopt);
+		}
+		return(BADCH);
+	}
+	if (*++oli != ':') {			/* don't need argument */
+		optarg = NULL;
+		if (!*place)
+			++optind;
+	}
+	else {					/* need an argument */
+		if (*place)			/* no white space */
+			optarg = place;
+		else if (nargc <= ++optind) {	/* no arg */
+			place = EMSG;
+			if (!(p = strrchr(*nargv, '/')))
+				p = *nargv;
+			else
+				++p;
+			if (*ostr == ':')
+				return(BADARG);
+			if (opterr)
+				fprintf(stderr,
+				    "%s: option requires an argument -- %c\n",
+				    p, optopt);
+			return(BADCH);
+		}
+	 	else				/* white space */
+			optarg = nargv[optind];
+		place = EMSG;
+		++optind;
+	}
+	return(optopt);				/* dump back option letter */
+}
diff --git a/crypto/kerberosIV/lib/roken/gettimeofday.c b/crypto/kerberosIV/lib/roken/gettimeofday.c
new file mode 100644
index 0000000..ec8b62f
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/gettimeofday.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+#ifndef HAVE_GETTIMEOFDAY
+
+RCSID("$Id: gettimeofday.c,v 1.8 1999/12/02 16:58:46 joda Exp $");
+
+/*
+ * Simple gettimeofday that only returns seconds.
+ */
+int
+gettimeofday (struct timeval *tp, void *ignore)
+{
+     time_t t;
+
+     t = time(NULL);
+     tp->tv_sec  = t;
+     tp->tv_usec = 0;
+     return 0;
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/getuid.c b/crypto/kerberosIV/lib/roken/getuid.c
new file mode 100644
index 0000000..6ebce0a
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getuid.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_GETUID
+
+RCSID("$Id: getuid.c,v 1.3 1999/12/02 16:58:46 joda Exp $");
+
+int getuid(void)
+{
+    return 17;
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/getusershell.c b/crypto/kerberosIV/lib/roken/getusershell.c
new file mode 100644
index 0000000..87a48ec
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/getusershell.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (c) 1985, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id: getusershell.c,v 1.8 1997/04/20 06:18:03 assar Exp $");
+
+#ifndef HAVE_GETUSERSHELL
+
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifndef _PATH_SHELLS
+#define _PATH_SHELLS "/etc/shells"
+#endif
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif
+
+#ifndef _PATH_CSHELL
+#define _PATH_CSHELL "/bin/csh"
+#endif
+
+/*
+ * Local shells should NOT be added here.  They should be added in
+ * /etc/shells.
+ */
+
+static char *okshells[] = { _PATH_BSHELL, _PATH_CSHELL, NULL };
+static char **curshell, **shells, *strings;
+static char **initshells (void);
+
+/*
+ * Get a list of shells from _PATH_SHELLS, if it exists.
+ */
+char *
+getusershell()
+{
+	char *ret;
+
+	if (curshell == NULL)
+		curshell = initshells();
+	ret = *curshell;
+	if (ret != NULL)
+		curshell++;
+	return (ret);
+}
+
+void
+endusershell()
+{
+	
+	if (shells != NULL)
+		free(shells);
+	shells = NULL;
+	if (strings != NULL)
+		free(strings);
+	strings = NULL;
+	curshell = NULL;
+}
+
+void
+setusershell()
+{
+
+	curshell = initshells();
+}
+
+static char **
+initshells()
+{
+	char **sp, *cp;
+	FILE *fp;
+	struct stat statb;
+
+	if (shells != NULL)
+		free(shells);
+	shells = NULL;
+	if (strings != NULL)
+		free(strings);
+	strings = NULL;
+	if ((fp = fopen(_PATH_SHELLS, "r")) == NULL)
+		return (okshells);
+	if (fstat(fileno(fp), &statb) == -1) {
+		fclose(fp);
+		return (okshells);
+	}
+	if ((strings = malloc((u_int)statb.st_size)) == NULL) {
+		fclose(fp);
+		return (okshells);
+	}
+	shells = calloc((unsigned)statb.st_size / 3, sizeof (char *));
+	if (shells == NULL) {
+		fclose(fp);
+		free(strings);
+		strings = NULL;
+		return (okshells);
+	}
+	sp = shells;
+	cp = strings;
+	while (fgets(cp, MaxPathLen + 1, fp) != NULL) {
+		while (*cp != '#' && *cp != '/' && *cp != '\0')
+			cp++;
+		if (*cp == '#' || *cp == '\0')
+			continue;
+		*sp++ = cp;
+		while (!isspace(*cp) && *cp != '#' && *cp != '\0')
+			cp++;
+		*cp++ = '\0';
+	}
+	*sp = NULL;
+	fclose(fp);
+	return (shells);
+}
+#endif /* HAVE_GETUSERSHELL */
diff --git a/crypto/kerberosIV/lib/roken/glob.c b/crypto/kerberosIV/lib/roken/glob.c
new file mode 100644
index 0000000..66e8ec6
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/glob.c
@@ -0,0 +1,835 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * glob(3) -- a superset of the one defined in POSIX 1003.2.
+ *
+ * The [!...] convention to negate a range is supported (SysV, Posix, ksh).
+ *
+ * Optional extra services, controlled by flags not defined by POSIX:
+ *
+ * GLOB_QUOTE:
+ *	Escaping convention: \ inhibits any special meaning the following
+ *	character might have (except \ at end of string is retained).
+ * GLOB_MAGCHAR:
+ *	Set in gl_flags if pattern contained a globbing character.
+ * GLOB_NOMAGIC:
+ *	Same as GLOB_NOCHECK, but it will only append pattern if it did
+ *	not contain any magic characters.  [Used in csh style globbing]
+ * GLOB_ALTDIRFUNC:
+ *	Use alternately specified directory access functions.
+ * GLOB_TILDE:
+ *	expand ~user/foo to the /home/dir/of/user/foo
+ * GLOB_BRACE:
+ *	expand {1,2}{a,b} to 1a 1b 2a 2b 
+ * gl_matchc:
+ *	Number of matches in the current invocation of glob.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+#include <ctype.h>
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+#include <errno.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "glob.h"
+#include "roken.h"
+
+#define	CHAR_DOLLAR		'$'
+#define	CHAR_DOT		'.'
+#define	CHAR_EOS		'\0'
+#define	CHAR_LBRACKET		'['
+#define	CHAR_NOT		'!'
+#define	CHAR_QUESTION		'?'
+#define	CHAR_QUOTE		'\\'
+#define	CHAR_RANGE		'-'
+#define	CHAR_RBRACKET		']'
+#define	CHAR_SEP		'/'
+#define	CHAR_STAR		'*'
+#define	CHAR_TILDE		'~'
+#define	CHAR_UNDERSCORE		'_'
+#define	CHAR_LBRACE		'{'
+#define	CHAR_RBRACE		'}'
+#define	CHAR_SLASH		'/'
+#define	CHAR_COMMA		','
+
+#ifndef DEBUG
+
+#define	M_QUOTE		0x8000
+#define	M_PROTECT	0x4000
+#define	M_MASK		0xffff
+#define	M_ASCII		0x00ff
+
+typedef u_short Char;
+
+#else
+
+#define	M_QUOTE		0x80
+#define	M_PROTECT	0x40
+#define	M_MASK		0xff
+#define	M_ASCII		0x7f
+
+typedef char Char;
+
+#endif
+
+
+#define	CHAR(c)		((Char)((c)&M_ASCII))
+#define	META(c)		((Char)((c)|M_QUOTE))
+#define	M_ALL		META('*')
+#define	M_END		META(']')
+#define	M_NOT		META('!')
+#define	M_ONE		META('?')
+#define	M_RNG		META('-')
+#define	M_SET		META('[')
+#define	ismeta(c)	(((c)&M_QUOTE) != 0)
+
+
+static int	 compare (const void *, const void *);
+static void	 g_Ctoc (const Char *, char *);
+static int	 g_lstat (Char *, struct stat *, glob_t *);
+static DIR	*g_opendir (Char *, glob_t *);
+static Char	*g_strchr (Char *, int);
+#ifdef notdef
+static Char	*g_strcat (Char *, const Char *);
+#endif
+static int	 g_stat (Char *, struct stat *, glob_t *);
+static int	 glob0 (const Char *, glob_t *);
+static int	 glob1 (Char *, glob_t *);
+static int	 glob2 (Char *, Char *, Char *, glob_t *);
+static int	 glob3 (Char *, Char *, Char *, Char *, glob_t *);
+static int	 globextend (const Char *, glob_t *);
+static const Char *	 globtilde (const Char *, Char *, glob_t *);
+static int	 globexp1 (const Char *, glob_t *);
+static int	 globexp2 (const Char *, const Char *, glob_t *, int *);
+static int	 match (Char *, Char *, Char *);
+#ifdef DEBUG
+static void	 qprintf (const char *, Char *);
+#endif
+
+int
+glob(const char *pattern, 
+     int flags, 
+     int (*errfunc)(const char *, int), 
+     glob_t *pglob)
+{
+	const u_char *patnext;
+	int c;
+	Char *bufnext, *bufend, patbuf[MaxPathLen+1];
+
+	patnext = (u_char *) pattern;
+	if (!(flags & GLOB_APPEND)) {
+		pglob->gl_pathc = 0;
+		pglob->gl_pathv = NULL;
+		if (!(flags & GLOB_DOOFFS))
+			pglob->gl_offs = 0;
+	}
+	pglob->gl_flags = flags & ~GLOB_MAGCHAR;
+	pglob->gl_errfunc = errfunc;
+	pglob->gl_matchc = 0;
+
+	bufnext = patbuf;
+	bufend = bufnext + MaxPathLen;
+	if (flags & GLOB_QUOTE) {
+		/* Protect the quoted characters. */
+		while (bufnext < bufend && (c = *patnext++) != CHAR_EOS) 
+			if (c == CHAR_QUOTE) {
+				if ((c = *patnext++) == CHAR_EOS) {
+					c = CHAR_QUOTE;
+					--patnext;
+				}
+				*bufnext++ = c | M_PROTECT;
+			}
+			else
+				*bufnext++ = c;
+	}
+	else 
+	    while (bufnext < bufend && (c = *patnext++) != CHAR_EOS) 
+		    *bufnext++ = c;
+	*bufnext = CHAR_EOS;
+
+	if (flags & GLOB_BRACE)
+	    return globexp1(patbuf, pglob);
+	else
+	    return glob0(patbuf, pglob);
+}
+
+/*
+ * Expand recursively a glob {} pattern. When there is no more expansion
+ * invoke the standard globbing routine to glob the rest of the magic
+ * characters
+ */
+static int globexp1(const Char *pattern, glob_t *pglob)
+{
+	const Char* ptr = pattern;
+	int rv;
+
+	/* Protect a single {}, for find(1), like csh */
+	if (pattern[0] == CHAR_LBRACE && pattern[1] == CHAR_RBRACE && pattern[2] == CHAR_EOS)
+		return glob0(pattern, pglob);
+
+	while ((ptr = (const Char *) g_strchr((Char *) ptr, CHAR_LBRACE)) != NULL)
+		if (!globexp2(ptr, pattern, pglob, &rv))
+			return rv;
+
+	return glob0(pattern, pglob);
+}
+
+
+/*
+ * Recursive brace globbing helper. Tries to expand a single brace.
+ * If it succeeds then it invokes globexp1 with the new pattern.
+ * If it fails then it tries to glob the rest of the pattern and returns.
+ */
+static int globexp2(const Char *ptr, const Char *pattern, 
+		    glob_t *pglob, int *rv)
+{
+	int     i;
+	Char   *lm, *ls;
+	const Char *pe, *pm, *pl;
+	Char    patbuf[MaxPathLen + 1];
+
+	/* copy part up to the brace */
+	for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++)
+		continue;
+	ls = lm;
+
+	/* Find the balanced brace */
+	for (i = 0, pe = ++ptr; *pe; pe++)
+		if (*pe == CHAR_LBRACKET) {
+			/* Ignore everything between [] */
+			for (pm = pe++; *pe != CHAR_RBRACKET && *pe != CHAR_EOS; pe++)
+				continue;
+			if (*pe == CHAR_EOS) {
+				/* 
+				 * We could not find a matching CHAR_RBRACKET.
+				 * Ignore and just look for CHAR_RBRACE
+				 */
+				pe = pm;
+			}
+		}
+		else if (*pe == CHAR_LBRACE)
+			i++;
+		else if (*pe == CHAR_RBRACE) {
+			if (i == 0)
+				break;
+			i--;
+		}
+
+	/* Non matching braces; just glob the pattern */
+	if (i != 0 || *pe == CHAR_EOS) {
+		*rv = glob0(patbuf, pglob);
+		return 0;
+	}
+
+	for (i = 0, pl = pm = ptr; pm <= pe; pm++)
+		switch (*pm) {
+		case CHAR_LBRACKET:
+			/* Ignore everything between [] */
+			for (pl = pm++; *pm != CHAR_RBRACKET && *pm != CHAR_EOS; pm++)
+				continue;
+			if (*pm == CHAR_EOS) {
+				/* 
+				 * We could not find a matching CHAR_RBRACKET.
+				 * Ignore and just look for CHAR_RBRACE
+				 */
+				pm = pl;
+			}
+			break;
+
+		case CHAR_LBRACE:
+			i++;
+			break;
+
+		case CHAR_RBRACE:
+			if (i) {
+			    i--;
+			    break;
+			}
+			/* FALLTHROUGH */
+		case CHAR_COMMA:
+			if (i && *pm == CHAR_COMMA)
+				break;
+			else {
+				/* Append the current string */
+				for (lm = ls; (pl < pm); *lm++ = *pl++)
+					continue;
+				/* 
+				 * Append the rest of the pattern after the
+				 * closing brace
+				 */
+				for (pl = pe + 1; (*lm++ = *pl++) != CHAR_EOS;)
+					continue;
+
+				/* Expand the current pattern */
+#ifdef DEBUG
+				qprintf("globexp2:", patbuf);
+#endif
+				*rv = globexp1(patbuf, pglob);
+
+				/* move after the comma, to the next string */
+				pl = pm + 1;
+			}
+			break;
+
+		default:
+			break;
+		}
+	*rv = 0;
+	return 0;
+}
+
+
+
+/*
+ * expand tilde from the passwd file.
+ */
+static const Char *
+globtilde(const Char *pattern, Char *patbuf, glob_t *pglob)
+{
+	struct passwd *pwd;
+	char *h;
+	const Char *p;
+	Char *b;
+
+	if (*pattern != CHAR_TILDE || !(pglob->gl_flags & GLOB_TILDE))
+		return pattern;
+
+	/* Copy up to the end of the string or / */
+	for (p = pattern + 1, h = (char *) patbuf; *p && *p != CHAR_SLASH; 
+	     *h++ = *p++)
+		continue;
+
+	*h = CHAR_EOS;
+
+	if (((char *) patbuf)[0] == CHAR_EOS) {
+		/* 
+		 * handle a plain ~ or ~/ by expanding $HOME 
+		 * first and then trying the password file
+		 */
+		if ((h = getenv("HOME")) == NULL) {
+			if ((pwd = k_getpwuid(getuid())) == NULL)
+				return pattern;
+			else
+				h = pwd->pw_dir;
+		}
+	}
+	else {
+		/*
+		 * Expand a ~user
+		 */
+		if ((pwd = k_getpwnam((char*) patbuf)) == NULL)
+			return pattern;
+		else
+			h = pwd->pw_dir;
+	}
+
+	/* Copy the home directory */
+	for (b = patbuf; *h; *b++ = *h++)
+		continue;
+	
+	/* Append the rest of the pattern */
+	while ((*b++ = *p++) != CHAR_EOS)
+		continue;
+
+	return patbuf;
+}
+	
+
+/*
+ * The main glob() routine: compiles the pattern (optionally processing
+ * quotes), calls glob1() to do the real pattern matching, and finally
+ * sorts the list (unless unsorted operation is requested).  Returns 0
+ * if things went well, nonzero if errors occurred.  It is not an error
+ * to find no matches.
+ */
+static int
+glob0(const Char *pattern, glob_t *pglob)
+{
+	const Char *qpatnext;
+	int c, err, oldpathc;
+	Char *bufnext, patbuf[MaxPathLen+1];
+
+	qpatnext = globtilde(pattern, patbuf, pglob);
+	oldpathc = pglob->gl_pathc;
+	bufnext = patbuf;
+
+	/* We don't need to check for buffer overflow any more. */
+	while ((c = *qpatnext++) != CHAR_EOS) {
+		switch (c) {
+		case CHAR_LBRACKET:
+			c = *qpatnext;
+			if (c == CHAR_NOT)
+				++qpatnext;
+			if (*qpatnext == CHAR_EOS ||
+			    g_strchr((Char *) qpatnext+1, CHAR_RBRACKET) == NULL) {
+				*bufnext++ = CHAR_LBRACKET;
+				if (c == CHAR_NOT)
+					--qpatnext;
+				break;
+			}
+			*bufnext++ = M_SET;
+			if (c == CHAR_NOT)
+				*bufnext++ = M_NOT;
+			c = *qpatnext++;
+			do {
+				*bufnext++ = CHAR(c);
+				if (*qpatnext == CHAR_RANGE &&
+				    (c = qpatnext[1]) != CHAR_RBRACKET) {
+					*bufnext++ = M_RNG;
+					*bufnext++ = CHAR(c);
+					qpatnext += 2;
+				}
+			} while ((c = *qpatnext++) != CHAR_RBRACKET);
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			*bufnext++ = M_END;
+			break;
+		case CHAR_QUESTION:
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			*bufnext++ = M_ONE;
+			break;
+		case CHAR_STAR:
+			pglob->gl_flags |= GLOB_MAGCHAR;
+			/* collapse adjacent stars to one, 
+			 * to avoid exponential behavior
+			 */
+			if (bufnext == patbuf || bufnext[-1] != M_ALL)
+			    *bufnext++ = M_ALL;
+			break;
+		default:
+			*bufnext++ = CHAR(c);
+			break;
+		}
+	}
+	*bufnext = CHAR_EOS;
+#ifdef DEBUG
+	qprintf("glob0:", patbuf);
+#endif
+
+	if ((err = glob1(patbuf, pglob)) != 0)
+		return(err);
+
+	/*
+	 * If there was no match we are going to append the pattern 
+	 * if GLOB_NOCHECK was specified or if GLOB_NOMAGIC was specified
+	 * and the pattern did not contain any magic characters
+	 * GLOB_NOMAGIC is there just for compatibility with csh.
+	 */
+	if (pglob->gl_pathc == oldpathc && 
+	    ((pglob->gl_flags & GLOB_NOCHECK) || 
+	      ((pglob->gl_flags & GLOB_NOMAGIC) &&
+	       !(pglob->gl_flags & GLOB_MAGCHAR))))
+		return(globextend(pattern, pglob));
+	else if (!(pglob->gl_flags & GLOB_NOSORT)) 
+		qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc,
+		    pglob->gl_pathc - oldpathc, sizeof(char *), compare);
+	return(0);
+}
+
+static int
+compare(const void *p, const void *q)
+{
+	return(strcmp(*(char **)p, *(char **)q));
+}
+
+static int
+glob1(Char *pattern, glob_t *pglob)
+{
+	Char pathbuf[MaxPathLen+1];
+
+	/* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */
+	if (*pattern == CHAR_EOS)
+		return(0);
+	return(glob2(pathbuf, pathbuf, pattern, pglob));
+}
+
+/*
+ * The functions glob2 and glob3 are mutually recursive; there is one level
+ * of recursion for each segment in the pattern that contains one or more
+ * meta characters.
+ */
+
+#ifndef S_ISLNK
+#if defined(S_IFLNK) && defined(S_IFMT)
+#define S_ISLNK(mode) (((mode) & S_IFMT) == S_IFLNK)
+#else
+#define S_ISLNK(mode) 0
+#endif
+#endif
+
+static int
+glob2(Char *pathbuf, Char *pathend, Char *pattern, glob_t *pglob)
+{
+	struct stat sb;
+	Char *p, *q;
+	int anymeta;
+
+	/*
+	 * Loop over pattern segments until end of pattern or until
+	 * segment with meta character found.
+	 */
+	for (anymeta = 0;;) {
+		if (*pattern == CHAR_EOS) {		/* End of pattern? */
+			*pathend = CHAR_EOS;
+			if (g_lstat(pathbuf, &sb, pglob))
+				return(0);
+		
+			if (((pglob->gl_flags & GLOB_MARK) &&
+			    pathend[-1] != CHAR_SEP) && (S_ISDIR(sb.st_mode)
+			    || (S_ISLNK(sb.st_mode) &&
+			    (g_stat(pathbuf, &sb, pglob) == 0) &&
+			    S_ISDIR(sb.st_mode)))) {
+				*pathend++ = CHAR_SEP;
+				*pathend = CHAR_EOS;
+			}
+			++pglob->gl_matchc;
+			return(globextend(pathbuf, pglob));
+		}
+
+		/* Find end of next segment, copy tentatively to pathend. */
+		q = pathend;
+		p = pattern;
+		while (*p != CHAR_EOS && *p != CHAR_SEP) {
+			if (ismeta(*p))
+				anymeta = 1;
+			*q++ = *p++;
+		}
+
+		if (!anymeta) {		/* No expansion, do next segment. */
+			pathend = q;
+			pattern = p;
+			while (*pattern == CHAR_SEP)
+				*pathend++ = *pattern++;
+		} else			/* Need expansion, recurse. */
+			return(glob3(pathbuf, pathend, pattern, p, pglob));
+	}
+	/* CHAR_NOTREACHED */
+}
+
+static int
+glob3(Char *pathbuf, Char *pathend, Char *pattern, Char *restpattern, 
+      glob_t *pglob)
+{
+	struct dirent *dp;
+	DIR *dirp;
+	int err;
+	char buf[MaxPathLen];
+
+	/*
+	 * The readdirfunc declaration can't be prototyped, because it is
+	 * assigned, below, to two functions which are prototyped in glob.h
+	 * and dirent.h as taking pointers to differently typed opaque
+	 * structures.
+	 */
+	struct dirent *(*readdirfunc)(void *);
+
+	*pathend = CHAR_EOS;
+	errno = 0;
+	    
+	if ((dirp = g_opendir(pathbuf, pglob)) == NULL) {
+		/* TODO: don't call for ENOENT or ENOTDIR? */
+		if (pglob->gl_errfunc) {
+			g_Ctoc(pathbuf, buf);
+			if (pglob->gl_errfunc(buf, errno) ||
+			    pglob->gl_flags & GLOB_ERR)
+				return (GLOB_ABEND);
+		}
+		return(0);
+	}
+
+	err = 0;
+
+	/* Search directory for matching names. */
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		readdirfunc = pglob->gl_readdir;
+	else
+		readdirfunc = (struct dirent *(*)(void *))readdir;
+	while ((dp = (*readdirfunc)(dirp))) {
+		u_char *sc;
+		Char *dc;
+
+		/* Initial CHAR_DOT must be matched literally. */
+		if (dp->d_name[0] == CHAR_DOT && *pattern != CHAR_DOT)
+			continue;
+		for (sc = (u_char *) dp->d_name, dc = pathend; 
+		     (*dc++ = *sc++) != CHAR_EOS;)
+			continue;
+		if (!match(pathend, pattern, restpattern)) {
+			*pathend = CHAR_EOS;
+			continue;
+		}
+		err = glob2(pathbuf, --dc, restpattern, pglob);
+		if (err)
+			break;
+	}
+
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		(*pglob->gl_closedir)(dirp);
+	else
+		closedir(dirp);
+	return(err);
+}
+
+
+/*
+ * Extend the gl_pathv member of a glob_t structure to accomodate a new item,
+ * add the new item, and update gl_pathc.
+ *
+ * This assumes the BSD realloc, which only copies the block when its size
+ * crosses a power-of-two boundary; for v7 realloc, this would cause quadratic
+ * behavior.
+ *
+ * Return 0 if new item added, error code if memory couldn't be allocated.
+ *
+ * Invariant of the glob_t structure:
+ *	Either gl_pathc is zero and gl_pathv is NULL; or gl_pathc > 0 and
+ *	gl_pathv points to (gl_offs + gl_pathc + 1) items.
+ */
+static int
+globextend(const Char *path, glob_t *pglob)
+{
+	char **pathv;
+	int i;
+	u_int newsize;
+	char *copy;
+	const Char *p;
+
+	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
+	pathv = pglob->gl_pathv ? 
+		    realloc(pglob->gl_pathv, newsize) :
+		    malloc(newsize);
+	if (pathv == NULL)
+		return(GLOB_NOSPACE);
+
+	if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) {
+		/* first time around -- clear initial gl_offs items */
+		pathv += pglob->gl_offs;
+		for (i = pglob->gl_offs; --i >= 0; )
+			*--pathv = NULL;
+	}
+	pglob->gl_pathv = pathv;
+
+	for (p = path; *p++;)
+		continue;
+	if ((copy = malloc(p - path)) != NULL) {
+		g_Ctoc(path, copy);
+		pathv[pglob->gl_offs + pglob->gl_pathc++] = copy;
+	}
+	pathv[pglob->gl_offs + pglob->gl_pathc] = NULL;
+	return(copy == NULL ? GLOB_NOSPACE : 0);
+}
+
+
+/*
+ * pattern matching function for filenames.  Each occurrence of the *
+ * pattern causes a recursion level.
+ */
+static int
+match(Char *name, Char *pat, Char *patend)
+{
+	int ok, negate_range;
+	Char c, k;
+
+	while (pat < patend) {
+		c = *pat++;
+		switch (c & M_MASK) {
+		case M_ALL:
+			if (pat == patend)
+				return(1);
+			do 
+			    if (match(name, pat, patend))
+				    return(1);
+			while (*name++ != CHAR_EOS);
+			return(0);
+		case M_ONE:
+			if (*name++ == CHAR_EOS)
+				return(0);
+			break;
+		case M_SET:
+			ok = 0;
+			if ((k = *name++) == CHAR_EOS)
+				return(0);
+			if ((negate_range = ((*pat & M_MASK) == M_NOT)) != CHAR_EOS)
+				++pat;
+			while (((c = *pat++) & M_MASK) != M_END)
+				if ((*pat & M_MASK) == M_RNG) {
+					if (c <= k && k <= pat[1])
+						ok = 1;
+					pat += 2;
+				} else if (c == k)
+					ok = 1;
+			if (ok == negate_range)
+				return(0);
+			break;
+		default:
+			if (*name++ != c)
+				return(0);
+			break;
+		}
+	}
+	return(*name == CHAR_EOS);
+}
+
+/* Free allocated data belonging to a glob_t structure. */
+void
+globfree(glob_t *pglob)
+{
+	int i;
+	char **pp;
+
+	if (pglob->gl_pathv != NULL) {
+		pp = pglob->gl_pathv + pglob->gl_offs;
+		for (i = pglob->gl_pathc; i--; ++pp)
+			if (*pp)
+				free(*pp);
+		free(pglob->gl_pathv);
+	}
+}
+
+static DIR *
+g_opendir(Char *str, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	if (!*str)
+		strlcpy(buf, ".", sizeof(buf));
+	else
+		g_Ctoc(str, buf);
+
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_opendir)(buf));
+
+	return(opendir(buf));
+}
+
+static int
+g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	g_Ctoc(fn, buf);
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_lstat)(buf, sb));
+	return(lstat(buf, sb));
+}
+
+static int
+g_stat(Char *fn, struct stat *sb, glob_t *pglob)
+{
+	char buf[MaxPathLen];
+
+	g_Ctoc(fn, buf);
+	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
+		return((*pglob->gl_stat)(buf, sb));
+	return(stat(buf, sb));
+}
+
+static Char *
+g_strchr(Char *str, int ch)
+{
+	do {
+		if (*str == ch)
+			return (str);
+	} while (*str++);
+	return (NULL);
+}
+
+#ifdef notdef
+static Char *
+g_strcat(Char *dst, const Char *src)
+{
+	Char *sdst = dst;
+
+	while (*dst++)
+		continue;
+	--dst;
+	while((*dst++ = *src++) != CHAR_EOS)
+	    continue;
+
+	return (sdst);
+}
+#endif
+
+static void
+g_Ctoc(const Char *str, char *buf)
+{
+	char *dc;
+
+	for (dc = buf; (*dc++ = *str++) != CHAR_EOS;)
+		continue;
+}
+
+#ifdef DEBUG
+static void 
+qprintf(const Char *str, Char *s)
+{
+	Char *p;
+
+	printf("%s:\n", str);
+	for (p = s; *p; p++)
+		printf("%c", CHAR(*p));
+	printf("\n");
+	for (p = s; *p; p++)
+		printf("%c", *p & M_PROTECT ? '"' : ' ');
+	printf("\n");
+	for (p = s; *p; p++)
+		printf("%c", ismeta(*p) ? '_' : ' ');
+	printf("\n");
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/glob.h b/crypto/kerberosIV/lib/roken/glob.h
new file mode 100644
index 0000000..bece48a
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/glob.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Guido van Rossum.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)glob.h	8.1 (Berkeley) 6/2/93
+ */
+
+#ifndef _GLOB_H_
+#define	_GLOB_H_
+
+struct stat;
+typedef struct {
+	int gl_pathc;		/* Count of total paths so far. */
+	int gl_matchc;		/* Count of paths matching pattern. */
+	int gl_offs;		/* Reserved at beginning of gl_pathv. */
+	int gl_flags;		/* Copy of flags parameter to glob. */
+	char **gl_pathv;	/* List of paths matching pattern. */
+				/* Copy of errfunc parameter to glob. */
+	int (*gl_errfunc) (const char *, int);
+
+	/*
+	 * Alternate filesystem access methods for glob; replacement
+	 * versions of closedir(3), readdir(3), opendir(3), stat(2)
+	 * and lstat(2).
+	 */
+	void (*gl_closedir) (void *);
+	struct dirent *(*gl_readdir) (void *);	
+	void *(*gl_opendir) (const char *);
+	int (*gl_lstat) (const char *, struct stat *);
+	int (*gl_stat) (const char *, struct stat *);
+} glob_t;
+
+#define	GLOB_APPEND	0x0001	/* Append to output from previous call. */
+#define	GLOB_DOOFFS	0x0002	/* Use gl_offs. */
+#define	GLOB_ERR	0x0004	/* Return on error. */
+#define	GLOB_MARK	0x0008	/* Append / to matching directories. */
+#define	GLOB_NOCHECK	0x0010	/* Return pattern itself if nothing matches. */
+#define	GLOB_NOSORT	0x0020	/* Don't sort. */
+
+#define	GLOB_ALTDIRFUNC	0x0040	/* Use alternately specified directory funcs. */
+#define	GLOB_BRACE	0x0080	/* Expand braces ala csh. */
+#define	GLOB_MAGCHAR	0x0100	/* Pattern had globbing characters. */
+#define	GLOB_NOMAGIC	0x0200	/* GLOB_NOCHECK without magic chars (csh). */
+#define	GLOB_QUOTE	0x0400	/* Quote special chars with \. */
+#define	GLOB_TILDE	0x0800	/* Expand tilde names from the passwd file. */
+
+#define	GLOB_NOSPACE	(-1)	/* Malloc call failed. */
+#define	GLOB_ABEND	(-2)	/* Unignored error. */
+
+int	glob (const char *, int, int (*)(const char *, int), glob_t *);
+void	globfree (glob_t *);
+
+#endif /* !_GLOB_H_ */
diff --git a/crypto/kerberosIV/lib/roken/hstrerror.c b/crypto/kerberosIV/lib/roken/hstrerror.c
new file mode 100644
index 0000000..522de52
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/hstrerror.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: hstrerror.c,v 1.22 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#ifndef HAVE_HSTRERROR
+
+#include "roken.h"
+
+#include <stdio.h>
+
+#ifdef HAVE_NETDB_H
+#if (defined(SunOS) && (SunOS >= 50))
+#define hstrerror broken_proto
+#endif
+#include <netdb.h>
+#undef hstrerror
+#endif
+
+#ifndef HAVE_H_ERRNO
+int h_errno = -17; /* Some magic number */
+#endif
+
+#if !(defined(HAVE_H_ERRLIST) && defined(HAVE_H_NERR))
+static const char *const h_errlist[] = {
+    "Resolver Error 0 (no error)",
+    "Unknown host",		/* 1 HOST_NOT_FOUND */
+    "Host name lookup failure",	/* 2 TRY_AGAIN */
+    "Unknown server error",	/* 3 NO_RECOVERY */
+    "No address associated with name", /* 4 NO_ADDRESS */
+};
+
+static
+const
+int h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
+#else
+
+#ifndef HAVE_H_ERRLIST_DECLARATION
+extern const char *h_errlist[];
+extern int h_nerr;
+#endif
+
+#endif
+
+const char *
+hstrerror(int herr)
+{
+    if (0 <= herr && herr < h_nerr)
+	return h_errlist[herr];
+    else if(herr == -17)
+	return "unknown error";
+    else
+	return "Error number out of range (hstrerror)";
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/inaddr2str.c b/crypto/kerberosIV/lib/roken/inaddr2str.c
new file mode 100644
index 0000000..5a1ab56
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/inaddr2str.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: inaddr2str.c,v 1.12 1999/12/02 16:58:46 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#include "roken.h"
+
+/*
+ * Get a verified name for `addr'.
+ * If unable to find it in the DNS, return x.y.z.a
+ */
+
+void
+inaddr2str(struct in_addr addr, char *s, size_t len)
+{
+  struct hostent *h;
+  char **p;
+
+  h = roken_gethostbyaddr ((const char *)&addr, sizeof(addr), AF_INET);
+  if (h) {
+    h = roken_gethostbyname (h->h_name);
+    if(h)
+      for(p = h->h_addr_list;
+	  *p;
+	  ++p)
+	if (memcmp (*p, &addr, sizeof(addr)) == 0) {
+	  strlcpy (s, h->h_name, len);
+	  return;
+	}
+  }
+  strlcpy (s, inet_ntoa (addr), len);
+  return;
+}
diff --git a/crypto/kerberosIV/lib/roken/inet_aton.c b/crypto/kerberosIV/lib/roken/inet_aton.c
new file mode 100644
index 0000000..755e426
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/inet_aton.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: inet_aton.c,v 1.12 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include "roken.h"
+
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+/* Minimal implementation of inet_aton.
+ * Cannot distinguish between failure and a local broadcast address. */
+
+int
+inet_aton(const char *cp, struct in_addr *addr)
+{
+  addr->s_addr = inet_addr(cp);
+  return (addr->s_addr == INADDR_NONE) ? 0 : 1;
+}
diff --git a/crypto/kerberosIV/lib/roken/inet_ntop.c b/crypto/kerberosIV/lib/roken/inet_ntop.c
new file mode 100644
index 0000000..f79a35e
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/inet_ntop.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: inet_ntop.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include <errno.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#include <roken.h>
+
+/*
+ *
+ */
+
+static const char *
+inet_ntop_v4 (const void *src, char *dst, size_t size)
+{
+    const char digits[] = "0123456789";
+    int i;
+    struct in_addr *addr = (struct in_addr *)src;
+    u_long a = ntohl(addr->s_addr);
+    const char *orig_dst = dst;
+
+    if (size < INET_ADDRSTRLEN) {
+	errno = ENOSPC;
+	return NULL;
+    }
+    for (i = 0; i < 4; ++i) {
+	int n = (a >> (24 - i * 8)) & 0xFF;
+	int non_zerop = 0;
+
+	if (non_zerop || n / 100 > 0) {
+	    *dst++ = digits[n / 100];
+	    n %= 100;
+	    non_zerop = 1;
+	}
+	if (non_zerop || n / 10 > 0) {
+	    *dst++ = digits[n / 10];
+	    n %= 10;
+	    non_zerop = 1;
+	}
+	*dst++ = digits[n];
+	if (i != 3)
+	    *dst++ = '.';
+    }
+    *dst++ = '\0';
+    return orig_dst;
+}
+
+#ifdef HAVE_IPV6
+static const char *
+inet_ntop_v6 (const void *src, char *dst, size_t size)
+{
+    const char xdigits[] = "0123456789abcdef";
+    int i;
+    const struct in6_addr *addr = (struct in6_addr *)src;
+    const u_char *ptr = addr->s6_addr;
+    const char *orig_dst = dst;
+
+    if (size < INET6_ADDRSTRLEN) {
+	errno = ENOSPC;
+	return NULL;
+    }
+    for (i = 0; i < 8; ++i) {
+	int non_zerop = 1;
+
+	if (non_zerop || (ptr[0] >> 4)) {
+	    *dst++ = xdigits[ptr[0] >> 4];
+	    non_zerop = 1;
+	}
+	if (non_zerop || (ptr[0] & 0x0F)) {
+	    *dst++ = xdigits[ptr[0] & 0x0F];
+	    non_zerop = 1;
+	}
+	if (non_zerop || (ptr[1] >> 4)) {
+	    *dst++ = xdigits[ptr[1] >> 4];
+	    non_zerop = 1;
+	}
+	if (non_zerop || (ptr[1] & 0x0F)) {
+	    *dst++ = xdigits[ptr[1] & 0x0F];
+	    non_zerop = 1;
+	}
+	if (i != 7)
+	    *dst++ = ':';
+	ptr += 2;
+    }
+    *dst++ = '\0';
+    return orig_dst;
+}
+#endif /* HAVE_IPV6 */
+
+const char *
+inet_ntop(int af, const void *src, char *dst, size_t size)
+{
+    switch (af) {
+    case AF_INET :
+	return inet_ntop_v4 (src, dst, size);
+#ifdef HAVE_IPV6
+    case AF_INET6 :
+	return inet_ntop_v6 (src, dst, size);
+#endif
+    default :
+	errno = EAFNOSUPPORT;
+	return NULL;
+    }
+}
diff --git a/crypto/kerberosIV/lib/roken/inet_pton.c b/crypto/kerberosIV/lib/roken/inet_pton.c
new file mode 100644
index 0000000..9b195c2
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/inet_pton.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: inet_pton.c,v 1.2 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include <errno.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#include <roken.h>
+
+int
+inet_pton(int af, const char *src, void *dst)
+{
+    if (af != AF_INET) {
+	errno = EAFNOSUPPORT;
+	return -1;
+    }
+    return inet_aton (src, dst);
+}
diff --git a/crypto/kerberosIV/lib/roken/initgroups.c b/crypto/kerberosIV/lib/roken/initgroups.c
new file mode 100644
index 0000000..dcf1d08
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/initgroups.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: initgroups.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+initgroups(const char *name, gid_t basegid)
+{
+  return 0;
+}
diff --git a/crypto/kerberosIV/lib/roken/innetgr.c b/crypto/kerberosIV/lib/roken/innetgr.c
new file mode 100644
index 0000000..4bc57f9
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/innetgr.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_INNETGR
+
+RCSID("$Id: innetgr.c,v 1.1 1999/03/11 14:04:01 joda Exp $");
+
+int
+innetgr(const char *netgroup, const char *machine, 
+	const char *user, const char *domain)
+{
+    return 0;
+}
+#endif
+
diff --git a/crypto/kerberosIV/lib/roken/iruserok.c b/crypto/kerberosIV/lib/roken/iruserok.c
new file mode 100644
index 0000000..7cac29f
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/iruserok.c
@@ -0,0 +1,294 @@
+/*
+ * Copyright (c) 1983, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: iruserok.c,v 1.22 1999/09/16 20:06:06 assar Exp $");
+#endif
+
+#include <stdio.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_RPCSVC_YPCLNT_H
+#include <rpcsvc/ypclnt.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#include "roken.h"
+
+int     __check_rhosts_file = 1;
+char    *__rcmd_errstr = 0;
+
+/*
+ * Returns "true" if match, 0 if no match.
+ */
+static
+int
+__icheckhost(unsigned raddr, const char *lhost)
+{
+	struct hostent *hp;
+	u_long laddr;
+	char **pp;
+
+	/* Try for raw ip address first. */
+	if (isdigit((unsigned char)*lhost)
+	    && (long)(laddr = inet_addr(lhost)) != -1)
+		return (raddr == laddr);
+
+	/* Better be a hostname. */
+	if ((hp = gethostbyname(lhost)) == NULL)
+		return (0);
+
+	/* Spin through ip addresses. */
+	for (pp = hp->h_addr_list; *pp; ++pp)
+	        if (memcmp(&raddr, *pp, sizeof(u_long)) == 0)
+			return (1);
+
+	/* No match. */
+	return (0);
+}
+
+/*
+ * Returns 0 if ok, -1 if not ok.
+ */
+static
+int
+__ivaliduser(FILE *hostf, unsigned raddr, const char *luser,
+	     const char *ruser)
+{
+	char *user, *p;
+	int ch;
+	char buf[MaxHostNameLen + 128];		/* host + login */
+	char hname[MaxHostNameLen];
+	struct hostent *hp;
+	/* Presumed guilty until proven innocent. */
+	int userok = 0, hostok = 0;
+#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
+	char *ypdomain;
+
+	if (yp_get_default_domain(&ypdomain))
+		ypdomain = NULL;
+#else
+#define	ypdomain NULL
+#endif
+	/* We need to get the damn hostname back for netgroup matching. */
+	if ((hp = gethostbyaddr((char *)&raddr,
+				sizeof(u_long),
+				AF_INET)) == NULL)
+		return (-1);
+	strlcpy(hname, hp->h_name, sizeof(hname));
+
+	while (fgets(buf, sizeof(buf), hostf)) {
+		p = buf;
+		/* Skip lines that are too long. */
+		if (strchr(p, '\n') == NULL) {
+			while ((ch = getc(hostf)) != '\n' && ch != EOF);
+			continue;
+		}
+		if (*p == '\n' || *p == '#') {
+			/* comment... */
+			continue;
+		}
+		while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') {
+		        if (isupper((unsigned char)*p))
+			    *p = tolower((unsigned char)*p);
+			p++;
+		}
+		if (*p == ' ' || *p == '\t') {
+			*p++ = '\0';
+			while (*p == ' ' || *p == '\t')
+				p++;
+			user = p;
+			while (*p != '\n' && *p != ' ' &&
+			    *p != '\t' && *p != '\0')
+				p++;
+		} else
+			user = p;
+		*p = '\0';
+		/*
+		 * Do +/- and +@/-@ checking. This looks really nasty,
+		 * but it matches SunOS's behavior so far as I can tell.
+		 */
+		switch(buf[0]) {
+		case '+':
+			if (!buf[1]) {     /* '+' matches all hosts */
+				hostok = 1;
+				break;
+			}
+			if (buf[1] == '@')  /* match a host by netgroup */
+				hostok = innetgr((char *)&buf[2],
+					(char *)&hname, NULL, ypdomain);
+			else		/* match a host by addr */
+				hostok = __icheckhost(raddr,(char *)&buf[1]);
+			break;
+		case '-':     /* reject '-' hosts and all their users */
+			if (buf[1] == '@') {
+				if (innetgr((char *)&buf[2],
+					      (char *)&hname, NULL, ypdomain))
+					return(-1);
+			} else {
+				if (__icheckhost(raddr,(char *)&buf[1]))
+					return(-1);
+			}
+			break;
+		default:  /* if no '+' or '-', do a simple match */
+			hostok = __icheckhost(raddr, buf);
+			break;
+		}
+		switch(*user) {
+		case '+':
+			if (!*(user+1)) {      /* '+' matches all users */
+				userok = 1;
+				break;
+			}
+			if (*(user+1) == '@')  /* match a user by netgroup */
+				userok = innetgr(user+2, NULL, (char *)ruser,
+						 ypdomain);
+			else	   /* match a user by direct specification */
+				userok = !(strcmp(ruser, user+1));
+			break;
+		case '-': 		/* if we matched a hostname, */
+			if (hostok) {   /* check for user field rejections */
+				if (!*(user+1))
+					return(-1);
+				if (*(user+1) == '@') {
+					if (innetgr(user+2, NULL,
+						    (char *)ruser, ypdomain))
+						return(-1);
+				} else {
+					if (!strcmp(ruser, user+1))
+						return(-1);
+				}
+			}
+			break;
+		default:	/* no rejections: try to match the user */
+			if (hostok)
+				userok = !(strcmp(ruser,*user ? user : luser));
+			break;
+		}
+		if (hostok && userok)
+			return(0);
+	}
+	return (-1);
+}
+
+/*
+ * New .rhosts strategy: We are passed an ip address. We spin through
+ * hosts.equiv and .rhosts looking for a match. When the .rhosts only
+ * has ip addresses, we don't have to trust a nameserver.  When it
+ * contains hostnames, we spin through the list of addresses the nameserver
+ * gives us and look for a match.
+ *
+ * Returns 0 if ok, -1 if not ok.
+ */
+int
+iruserok(unsigned raddr, int superuser, const char *ruser, const char *luser)
+{
+	char *cp;
+	struct stat sbuf;
+	struct passwd *pwd;
+	FILE *hostf;
+	uid_t uid;
+	int first;
+	char pbuf[MaxPathLen];
+
+	first = 1;
+	hostf = superuser ? NULL : fopen(_PATH_HEQUIV, "r");
+again:
+	if (hostf) {
+		if (__ivaliduser(hostf, raddr, luser, ruser) == 0) {
+			fclose(hostf);
+			return (0);
+		}
+		fclose(hostf);
+	}
+	if (first == 1 && (__check_rhosts_file || superuser)) {
+		first = 0;
+		if ((pwd = k_getpwnam((char*)luser)) == NULL)
+			return (-1);
+		snprintf (pbuf, sizeof(pbuf), "%s/.rhosts", pwd->pw_dir);
+
+		/*
+		 * Change effective uid while opening .rhosts.  If root and
+		 * reading an NFS mounted file system, can't read files that
+		 * are protected read/write owner only.
+		 */
+		uid = geteuid();
+		seteuid(pwd->pw_uid);
+		hostf = fopen(pbuf, "r");
+		seteuid(uid);
+
+		if (hostf == NULL)
+			return (-1);
+		/*
+		 * If not a regular file, or is owned by someone other than
+		 * user or root or if writeable by anyone but the owner, quit.
+		 */
+		cp = NULL;
+		if (lstat(pbuf, &sbuf) < 0)
+			cp = ".rhosts lstat failed";
+		else if (!S_ISREG(sbuf.st_mode))
+			cp = ".rhosts not regular file";
+		else if (fstat(fileno(hostf), &sbuf) < 0)
+			cp = ".rhosts fstat failed";
+		else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid)
+			cp = "bad .rhosts owner";
+		else if (sbuf.st_mode & (S_IWGRP|S_IWOTH))
+			cp = ".rhosts writeable by other than owner";
+		/* If there were any problems, quit. */
+		if (cp) {
+			__rcmd_errstr = cp;
+			fclose(hostf);
+			return (-1);
+		}
+		goto again;
+	}
+	return (-1);
+}
diff --git a/crypto/kerberosIV/lib/roken/issuid.c b/crypto/kerberosIV/lib/roken/issuid.c
new file mode 100644
index 0000000..af2aae5
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/issuid.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: issuid.c,v 1.3 1999/12/02 16:58:47 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+issuid(void)
+{
+#if defined(HAVE_GETUID) && defined(HAVE_GETEUID)
+    if(getuid() != geteuid())
+	return 1;
+#endif
+#if defined(HAVE_GETGID) && defined(HAVE_GETEGID)
+    if(getgid() != getegid())
+	return 2;
+#endif
+    return 0;
+}
diff --git a/crypto/kerberosIV/lib/roken/k_getpwnam.c b/crypto/kerberosIV/lib/roken/k_getpwnam.c
new file mode 100644
index 0000000..40681cd
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/k_getpwnam.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: k_getpwnam.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
+#endif /* HAVE_CONFIG_H */
+
+#include "roken.h"
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+
+struct passwd *
+k_getpwnam (const char *user)
+{
+     struct passwd *p;
+
+     p = getpwnam (user);
+#if defined(HAVE_GETSPNAM) && defined(HAVE_STRUCT_SPWD)
+     if(p)
+     {
+	  struct spwd *spwd;
+
+	  spwd = getspnam (user);
+	  if (spwd)
+	       p->pw_passwd = spwd->sp_pwdp;
+	  endspent ();
+     }
+#else
+     endpwent ();
+#endif
+     return p;
+}
diff --git a/crypto/kerberosIV/lib/roken/k_getpwuid.c b/crypto/kerberosIV/lib/roken/k_getpwuid.c
new file mode 100644
index 0000000..1e2ca54
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/k_getpwuid.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: k_getpwuid.c,v 1.9 1999/12/02 16:58:47 joda Exp $");
+#endif /* HAVE_CONFIG_H */
+
+#include "roken.h"
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+
+struct passwd *
+k_getpwuid (uid_t uid)
+{
+     struct passwd *p;
+
+     p = getpwuid (uid);
+#if defined(HAVE_GETSPNAM) && defined(HAVE_STRUCT_SPWD)
+     if (p)
+     {
+	  struct spwd *spwd;
+
+	  spwd = getspnam (p->pw_name);
+	  if (spwd)
+	       p->pw_passwd = spwd->sp_pwdp;
+	  endspent ();
+     }
+#else
+     endpwent ();
+#endif
+     return p;
+}
diff --git a/crypto/kerberosIV/lib/roken/lstat.c b/crypto/kerberosIV/lib/roken/lstat.c
new file mode 100644
index 0000000..2f03e19
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/lstat.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: lstat.c,v 1.4 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include "roken.h"
+
+int
+lstat(const char *path, struct stat *buf)
+{
+  return stat(path, buf);
+}
diff --git a/crypto/kerberosIV/lib/roken/make-print-version.c b/crypto/kerberosIV/lib/roken/make-print-version.c
new file mode 100644
index 0000000..d08e023
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/make-print-version.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: make-print-version.c,v 1.2 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <stdio.h>
+
+#ifdef KRB5
+extern char *heimdal_version;
+#endif
+#ifdef KRB4
+extern char *krb4_version;
+#endif
+#include <version.h>
+
+int
+main(int argc, char **argv)
+{
+    FILE *f;
+    if(argc != 2)
+	return 1;
+    f = fopen(argv[1], "w");
+    if(f == NULL)
+	return 1;
+    fprintf(f, "#define VERSIONLIST { ");
+#ifdef KRB5
+    fprintf(f, "\"%s\", ", heimdal_version);
+#endif
+#ifdef KRB4
+    fprintf(f, "\"%s\", ", krb4_version);
+#endif
+    fprintf(f, "}\n");
+    fclose(f);
+    return 0;
+}
diff --git a/crypto/kerberosIV/lib/roken/memmove.c b/crypto/kerberosIV/lib/roken/memmove.c
new file mode 100644
index 0000000..b77d56a
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/memmove.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: memmove.c,v 1.7 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+/* 
+ * memmove for systems that doesn't have it 
+ */
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+void* memmove(void *s1, const void *s2, size_t n)
+{
+  char *s=(char*)s2, *d=(char*)s1;
+
+  if(d > s){
+    s+=n-1;
+    d+=n-1;
+    while(n){
+      *d--=*s--;
+      n--;
+    }
+  }else if(d < s)
+    while(n){
+      *d++=*s++;
+      n--;
+    }
+  return s1;
+}
diff --git a/crypto/kerberosIV/lib/roken/mini_inetd.c b/crypto/kerberosIV/lib/roken/mini_inetd.c
new file mode 100644
index 0000000..0d3b3b6
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/mini_inetd.c
@@ -0,0 +1,198 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: mini_inetd.c,v 1.18.2.1 2000/10/10 13:22:33 assar Exp $");
+#endif
+
+#include <stdio.h>
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+
+#include <roken.h>
+
+static int
+listen_v4 (int port)
+{
+     struct sockaddr_in sa;
+     int s;
+
+     s = socket(AF_INET, SOCK_STREAM, 0);
+     if(s < 0) {
+	 if (errno == ENOSYS)
+	     return -1;
+	  perror("socket");
+	  exit(1);
+     }
+     socket_set_reuseaddr (s, 1);
+     memset(&sa, 0, sizeof(sa));
+     sa.sin_family      = AF_INET;
+     sa.sin_port        = port;
+     sa.sin_addr.s_addr = INADDR_ANY;
+     if(bind(s, (struct sockaddr*)&sa, sizeof(sa)) < 0){
+	  perror("bind");
+	  exit(1);
+     }
+     if(listen(s, SOMAXCONN) < 0){
+	  perror("listen");
+	  exit(1);
+     }
+     return s;
+}
+
+#ifdef HAVE_IPV6
+static int
+listen_v6 (int port)
+{
+     struct sockaddr_in6 sa;
+     int s;
+
+     s = socket(AF_INET6, SOCK_STREAM, 0);
+     if(s < 0) {
+	 if (errno == ENOSYS)
+	     return -1;
+	 perror("socket");
+	 exit(1);
+     }
+     socket_set_reuseaddr (s, 1);
+     memset(&sa, 0, sizeof(sa));
+     sa.sin6_family = AF_INET6;
+     sa.sin6_port   = port;
+     sa.sin6_addr   = in6addr_any;
+     if(bind(s, (struct sockaddr*)&sa, sizeof(sa)) < 0){
+	  perror("bind");
+	  exit(1);
+     }
+     if(listen(s, SOMAXCONN) < 0){
+	  perror("listen");
+	  exit(1);
+     }
+     return s;
+}
+#endif /* HAVE_IPV6 */
+
+/*
+ * accept a connection on `s' and pretend it's served by inetd.
+ */
+
+static void
+accept_it (int s)
+{
+    int s2;
+
+    s2 = accept(s, NULL, 0);
+    if(s2 < 0){
+	perror("accept");
+	exit(1);
+    }
+    close(s);
+    dup2(s2, STDIN_FILENO);
+    dup2(s2, STDOUT_FILENO);
+    /* dup2(s2, STDERR_FILENO); */
+    close(s2);
+}
+
+/*
+ * Listen on `port' emulating inetd.
+ */
+
+void
+mini_inetd (int port)
+{
+    int ret;
+    int max_fd = -1;
+    int sock_v4 = -1;
+    int sock_v6 = -1;
+    fd_set orig_read_set, read_set;
+
+    FD_ZERO(&orig_read_set);
+
+    sock_v4 = listen_v4 (port);
+    if (sock_v4 >= 0) {
+	max_fd  = max(max_fd, sock_v4);
+	if (max_fd >= FD_SETSIZE)
+	    errx (1, "fd too large");
+	FD_SET(sock_v4, &orig_read_set);
+    }
+#ifdef HAVE_IPV6
+    sock_v6 = listen_v6 (port);
+    if (sock_v6 >= 0) {
+	max_fd  = max(max_fd, sock_v6);
+	if (max_fd >= FD_SETSIZE)
+	    errx (1, "fd too large");
+	FD_SET(sock_v6, &orig_read_set);
+    }
+#endif    
+
+    do {
+	read_set = orig_read_set;
+
+	ret = select (max_fd + 1, &read_set, NULL, NULL, NULL);
+	if (ret < 0 && ret != EINTR) {
+	    perror ("select");
+	    exit (1);
+	}
+    } while (ret <= 0);
+
+    if (sock_v4 > 0 && FD_ISSET (sock_v4, &read_set)) {
+	accept_it (sock_v4);
+	return;
+    }
+    if (sock_v6 > 0 && FD_ISSET (sock_v6, &read_set)) {
+	accept_it (sock_v6);
+	return;
+    }
+    abort ();
+}
diff --git a/crypto/kerberosIV/lib/roken/mkstemp.c b/crypto/kerberosIV/lib/roken/mkstemp.c
new file mode 100644
index 0000000..350f4cb
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/mkstemp.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <errno.h>
+
+RCSID("$Id: mkstemp.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+
+#ifndef HAVE_MKSTEMP
+
+int
+mkstemp(char *template)
+{
+    int start, i;
+    pid_t val;
+    val = getpid();
+    start = strlen(template) - 1;
+    while(template[start] == 'X') {
+	template[start] = '0' + val % 10;
+	val /= 10;
+	start--;
+    }
+    
+    do{
+	int fd;
+	fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600);
+	if(fd >= 0 || errno != EEXIST)
+	    return fd;
+	i = start + 1;
+	do{
+	    if(template[i] == 0)
+		return -1;
+	    template[i]++;
+	    if(template[i] == '9' + 1)
+		template[i] = 'a';
+	    if(template[i] <= 'z')
+		break;
+	    template[i] = 'a';
+	    i++;
+	}while(1);
+    }while(1);
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/net_read.c b/crypto/kerberosIV/lib/roken/net_read.c
new file mode 100644
index 0000000..6d45bfa
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/net_read.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: net_read.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <roken.h>
+
+/*
+ * Like read but never return partial data.
+ */
+
+ssize_t
+net_read (int fd, void *buf, size_t nbytes)
+{
+    char *cbuf = (char *)buf;
+    ssize_t count;
+    size_t rem = nbytes;
+
+    while (rem > 0) {
+#ifdef WIN32
+	count = recv (fd, cbuf, rem, 0);
+#else
+	count = read (fd, cbuf, rem);
+#endif
+	if (count < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		return count;
+	} else if (count == 0) {
+	    return count;
+	}
+	cbuf += count;
+	rem -= count;
+    }
+    return nbytes;
+}
diff --git a/crypto/kerberosIV/lib/roken/net_write.c b/crypto/kerberosIV/lib/roken/net_write.c
new file mode 100644
index 0000000..2f63dbe
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/net_write.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: net_write.c,v 1.4 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <roken.h>
+
+/*
+ * Like write but never return partial data.
+ */
+
+ssize_t
+net_write (int fd, const void *buf, size_t nbytes)
+{
+    const char *cbuf = (const char *)buf;
+    ssize_t count;
+    size_t rem = nbytes;
+
+    while (rem > 0) {
+#ifdef WIN32
+	count = send (fd, cbuf, rem, 0);
+#else
+	count = write (fd, cbuf, rem);
+#endif
+	if (count < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		return count;
+	}
+	cbuf += count;
+	rem -= count;
+    }
+    return nbytes;
+}
diff --git a/crypto/kerberosIV/lib/roken/parse_bytes-test.c b/crypto/kerberosIV/lib/roken/parse_bytes-test.c
new file mode 100644
index 0000000..499d942
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/parse_bytes-test.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_bytes-test.c,v 1.2 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include "roken.h"
+#include "parse_bytes.h"
+
+static struct testcase {
+    int canonicalp;
+    int val;
+    const char *def_unit;
+    const char *str;
+} tests[] = {
+    {0, 0, NULL, "0 bytes"},
+    {1, 0, NULL, "0"},
+    {0, 1, NULL, "1"},
+    {1, 1, NULL, "1 byte"},
+    {0, 0, "kilobyte", "0"},
+    {0, 1024, "kilobyte", "1"},
+    {1, 1024, "kilobyte", "1 kilobyte"},
+    {1, 1024 * 1024, NULL, "1 megabyte"},
+    {0, 1025, NULL, "1 kilobyte 1"},
+    {1, 1025, NULL, "1 kilobyte 1 byte"},
+};
+
+int
+main(int argc, char **argv)
+{
+    int i;
+    int ret = 0;
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) {
+	char buf[256];
+	int val = parse_bytes (tests[i].str, tests[i].def_unit);
+	size_t len;
+
+	if (val != tests[i].val) {
+	    printf ("parse_bytes (%s, %s) = %d != %d\n",
+		    tests[i].str,
+		    tests[i].def_unit ? tests[i].def_unit : "none",
+		    val, tests[i].val);
+	    ++ret;
+	}
+	if (tests[i].canonicalp) {
+	    len = unparse_bytes (tests[i].val, buf, sizeof(buf));
+	    if (strcmp (tests[i].str, buf) != 0) {
+		printf ("unparse_bytes (%d) = \"%s\" != \"%s\"\n",
+			tests[i].val, buf, tests[i].str);
+		++ret;
+	    }
+	}    
+    }
+    if (ret) {
+	printf ("%d errors\n", ret);
+	return 1;
+    } else
+	return 0;
+}
diff --git a/crypto/kerberosIV/lib/roken/parse_bytes.c b/crypto/kerberosIV/lib/roken/parse_bytes.c
new file mode 100644
index 0000000..f3c514f
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/parse_bytes.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_bytes.c,v 1.2 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <parse_units.h>
+#include "parse_bytes.h"
+
+static units bytes_units[] = {
+    { "gigabyte", 1024 * 1024 * 1024 },
+    { "gbyte", 1024 * 1024 * 1024 },
+    { "GB", 1024 * 1024 * 1024 },
+    { "megabyte", 1024 * 1024 },
+    { "mbyte", 1024 * 1024 },
+    { "MB", 1024 * 1024 },
+    { "kilobyte", 1024 },
+    { "KB", 1024 },
+    { "byte", 1 },
+    { NULL, 0 }
+};
+
+static units bytes_short_units[] = {
+    { "GB", 1024 * 1024 * 1024 },
+    { "MB", 1024 * 1024 },
+    { "KB", 1024 },
+    { NULL, 0 }
+};
+
+int
+parse_bytes (const char *s, const char *def_unit)
+{
+    return parse_units (s, bytes_units, def_unit);
+}
+
+size_t
+unparse_bytes (int t, char *s, size_t len)
+{
+    return unparse_units (t, bytes_units, s, len);
+}
+
+size_t
+unparse_bytes_short (int t, char *s, size_t len)
+{
+    return unparse_units_approx (t, bytes_short_units, s, len);
+}
diff --git a/crypto/kerberosIV/lib/roken/parse_bytes.h b/crypto/kerberosIV/lib/roken/parse_bytes.h
new file mode 100644
index 0000000..8116c1c
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/parse_bytes.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse_bytes.h,v 1.2 1999/12/02 16:58:51 joda Exp $ */
+
+#ifndef __PARSE_BYTES_H__
+#define __PARSE_BYTES_H__
+
+int
+parse_bytes (const char *s, const char *def_unit);
+
+size_t
+unparse_bytes (int t, char *s, size_t len);
+
+size_t
+unparse_bytes_short (int t, char *s, size_t len);
+
+#endif /* __PARSE_BYTES_H__ */
diff --git a/crypto/kerberosIV/lib/roken/parse_time.c b/crypto/kerberosIV/lib/roken/parse_time.c
new file mode 100644
index 0000000..a09ded7
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/parse_time.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_time.c,v 1.5 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <parse_units.h>
+#include "parse_time.h"
+
+static units time_units[] = {
+    {"year",	365 * 24 * 60 * 60},
+    {"month",	30 * 24 * 60 * 60},
+    {"week",	7 * 24 * 60 * 60},
+    {"day",	24 * 60 * 60},
+    {"hour",	60 * 60},
+    {"h",	60 * 60},
+    {"minute",	60},
+    {"m",	60},
+    {"second",	1},
+    {"s",	1},
+    {NULL, 0},
+};
+
+int
+parse_time (const char *s, const char *def_unit)
+{
+    return parse_units (s, time_units, def_unit);
+}
+
+size_t
+unparse_time (int t, char *s, size_t len)
+{
+    return unparse_units (t, time_units, s, len);
+}
+
+size_t
+unparse_time_approx (int t, char *s, size_t len)
+{
+    return unparse_units_approx (t, time_units, s, len);
+}
+
+void
+print_time_table (FILE *f)
+{
+    print_units_table (time_units, f);
+}
diff --git a/crypto/kerberosIV/lib/roken/parse_time.h b/crypto/kerberosIV/lib/roken/parse_time.h
new file mode 100644
index 0000000..55de505
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/parse_time.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse_time.h,v 1.4 1999/12/02 16:58:51 joda Exp $ */
+
+#ifndef __PARSE_TIME_H__
+#define __PARSE_TIME_H__
+
+int
+parse_time (const char *s, const char *def_unit);
+
+size_t
+unparse_time (int t, char *s, size_t len);
+
+size_t
+unparse_time_approx (int t, char *s, size_t len);
+
+void
+print_time_table (FILE *f);
+
+#endif /* __PARSE_TIME_H__ */
diff --git a/crypto/kerberosIV/lib/roken/parse_units.c b/crypto/kerberosIV/lib/roken/parse_units.c
new file mode 100644
index 0000000..34c5030
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/parse_units.c
@@ -0,0 +1,324 @@
+/*
+ * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: parse_units.c,v 1.12 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <ctype.h>
+#include <string.h>
+#include <roken.h>
+#include "parse_units.h"
+
+/*
+ * Parse string in `s' according to `units' and return value.
+ * def_unit defines the default unit.
+ */
+
+static int
+parse_something (const char *s, const struct units *units,
+		 const char *def_unit,
+		 int (*func)(int res, int val, unsigned mult),
+		 int init,
+		 int accept_no_val_p)
+{
+    const char *p;
+    int res = init;
+    unsigned def_mult = 1;
+
+    if (def_unit != NULL) {
+	const struct units *u;
+
+	for (u = units; u->name; ++u) {
+	    if (strcasecmp (u->name, def_unit) == 0) {
+		def_mult = u->mult;
+		break;
+	    }
+	}
+	if (u->name == NULL)
+	    return -1;
+    }
+
+    p = s;
+    while (*p) {
+	double val;
+	char *next;
+	const struct units *u, *partial_unit;
+	size_t u_len;
+	unsigned partial;
+	int no_val_p = 0;
+
+	while(isspace((unsigned char)*p) || *p == ',')
+	    ++p;
+
+	val = strtod (p, &next); /* strtol(p, &next, 0); */
+	if (val == 0 && p == next) {
+	    if(!accept_no_val_p)
+		return -1;
+	    no_val_p = 1;
+	}
+	p = next;
+	while (isspace((unsigned char)*p))
+	    ++p;
+	if (*p == '\0') {
+	    res = (*func)(res, val, def_mult);
+	    if (res < 0)
+		return res;
+	    break;
+	} else if (*p == '+') {
+	    ++p;
+	    val = 1;
+	} else if (*p == '-') {
+	    ++p;
+	    val = -1;
+	}
+	if (no_val_p && val == 0)
+	    val = 1;
+	u_len = strcspn (p, ", \t");
+	partial = 0;
+	partial_unit = NULL;
+	if (u_len > 1 && p[u_len - 1] == 's')
+	    --u_len;
+	for (u = units; u->name; ++u) {
+	    if (strncasecmp (p, u->name, u_len) == 0) {
+		if (u_len == strlen (u->name)) {
+		    p += u_len;
+		    res = (*func)(res, val, u->mult);
+		    if (res < 0)
+			return res;
+		    break;
+		} else {
+		    ++partial;
+		    partial_unit = u;
+		}
+	    }
+	}
+	if (u->name == NULL) {
+	    if (partial == 1) {
+		p += u_len;
+		res = (*func)(res, val, partial_unit->mult);
+		if (res < 0)
+		    return res;
+	    } else {
+		return -1;
+	    }
+	}
+	if (*p == 's')
+	    ++p;
+    }
+    return res;
+}
+
+/*
+ * The string consists of a sequence of `n unit'
+ */
+
+static int
+acc_units(int res, int val, unsigned mult)
+{
+    return res + val * mult;
+}
+
+int
+parse_units (const char *s, const struct units *units,
+	     const char *def_unit)
+{
+    return parse_something (s, units, def_unit, acc_units, 0, 0);
+}
+
+/*
+ * The string consists of a sequence of `[+-]flag'.  `orig' consists
+ * the original set of flags, those are then modified and returned as
+ * the function value.
+ */
+
+static int
+acc_flags(int res, int val, unsigned mult)
+{
+    if(val == 1)
+	return res | mult;
+    else if(val == -1)
+	return res & ~mult;
+    else if (val == 0)
+	return mult;
+    else
+	return -1;
+}
+
+int
+parse_flags (const char *s, const struct units *units,
+	     int orig)
+{
+    return parse_something (s, units, NULL, acc_flags, orig, 1);
+}
+
+/*
+ * Return a string representation according to `units' of `num' in `s'
+ * with maximum length `len'.  The actual length is the function value.
+ */
+
+static size_t
+unparse_something (int num, const struct units *units, char *s, size_t len,
+		   int (*print) (char *s, size_t len, int div,
+				const char *name, int rem),
+		   int (*update) (int in, unsigned mult),
+		   const char *zero_string)
+{
+    const struct units *u;
+    size_t ret = 0, tmp;
+
+    if (num == 0)
+	return snprintf (s, len, "%s", zero_string);
+
+    for (u = units; num > 0 && u->name; ++u) {
+	int div;
+
+	div = num / u->mult;
+	if (div) {
+	    num = (*update) (num, u->mult);
+	    tmp = (*print) (s, len, div, u->name, num);
+
+	    len -= tmp;
+	    s += tmp;
+	    ret += tmp;
+	}
+    }
+    return ret;
+}
+
+static int
+print_unit (char *s, size_t len, int div, const char *name, int rem)
+{
+    return snprintf (s, len, "%u %s%s%s",
+		     div, name,
+		     div == 1 ? "" : "s",
+		     rem > 0 ? " " : "");
+}
+
+static int
+update_unit (int in, unsigned mult)
+{
+    return in % mult;
+}
+
+static int
+update_unit_approx (int in, unsigned mult)
+{
+    if (in / mult > 0)
+	return 0;
+    else
+	return update_unit (in, mult);
+}
+
+size_t
+unparse_units (int num, const struct units *units, char *s, size_t len)
+{
+    return unparse_something (num, units, s, len,
+			      print_unit,
+			      update_unit,
+			      "0");
+}
+
+size_t
+unparse_units_approx (int num, const struct units *units, char *s, size_t len)
+{
+    return unparse_something (num, units, s, len,
+			      print_unit,
+			      update_unit_approx,
+			      "0");
+}
+
+void
+print_units_table (const struct units *units, FILE *f)
+{
+    const struct units *u, *u2;
+    unsigned max_sz = 0;
+
+    for (u = units; u->name; ++u) {
+	max_sz = max(max_sz, strlen(u->name));
+    }
+
+    for (u = units; u->name;) {
+	char buf[1024];
+	const struct units *next;
+
+	for (next = u + 1; next->name && next->mult == u->mult; ++next)
+	    ;
+
+	if (next->name) {
+	    for (u2 = next;
+		 u2->name && u->mult % u2->mult != 0;
+		 ++u2)
+		;
+	    if (u2->name == NULL)
+		--u2;
+	    unparse_units (u->mult, u2, buf, sizeof(buf));
+	    fprintf (f, "1 %*s = %s\n", max_sz, u->name, buf);
+	} else {
+	    fprintf (f, "1 %s\n", u->name);
+	}
+	u = next;
+    }
+}
+
+static int
+print_flag (char *s, size_t len, int div, const char *name, int rem)
+{
+    return snprintf (s, len, "%s%s", name, rem > 0 ? ", " : "");
+}
+
+static int
+update_flag (int in, unsigned mult)
+{
+    return in - mult;
+}
+
+size_t
+unparse_flags (int num, const struct units *units, char *s, size_t len)
+{
+    return unparse_something (num, units, s, len,
+			      print_flag,
+			      update_flag,
+			      "");
+}
+
+void
+print_flags_table (const struct units *units, FILE *f)
+{
+    const struct units *u;
+
+    for(u = units; u->name; ++u)
+	fprintf(f, "%s%s", u->name, (u+1)->name ? ", " : "\n");
+}
diff --git a/crypto/kerberosIV/lib/roken/parse_units.h b/crypto/kerberosIV/lib/roken/parse_units.h
new file mode 100644
index 0000000..f159d30
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/parse_units.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: parse_units.h,v 1.6 1999/12/02 16:58:51 joda Exp $ */
+
+#ifndef __PARSE_UNITS_H__
+#define __PARSE_UNITS_H__
+
+#include <stdio.h>
+#include <stddef.h>
+
+struct units {
+    const char *name;
+    unsigned mult;
+};
+
+typedef struct units units;
+
+int
+parse_units (const char *s, const struct units *units,
+	     const char *def_unit);
+
+void
+print_units_table (const struct units *units, FILE *f);
+
+int
+parse_flags (const char *s, const struct units *units,
+	     int orig);
+
+size_t
+unparse_units (int num, const struct units *units, char *s, size_t len);
+
+size_t
+unparse_units_approx (int num, const struct units *units, char *s,
+		      size_t len);
+
+size_t
+unparse_flags (int num, const struct units *units, char *s, size_t len);
+
+void
+print_flags_table (const struct units *units, FILE *f);
+
+#endif /* __PARSE_UNITS_H__ */
diff --git a/crypto/kerberosIV/lib/roken/print_version.c b/crypto/kerberosIV/lib/roken/print_version.c
new file mode 100644
index 0000000..57f6bd2
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/print_version.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: print_version.c,v 1.5.2.1 2000/10/10 13:23:43 assar Exp $");
+#endif
+#include "roken.h"
+
+#include "print_version.h"
+
+void
+print_version(const char *progname)
+{
+    const char *arg[] = VERSIONLIST;
+    const int num_args = sizeof(arg) / sizeof(arg[0]);
+    char *msg;
+    size_t len = 0;
+    int i;
+    
+    if(progname == NULL)
+	progname = __progname;
+    
+    if(num_args == 0)
+	msg = "no version information";
+    else {
+	for(i = 0; i < num_args; i++) {
+	    if(i > 0)
+		len += 2;
+	    len += strlen(arg[i]);
+	}
+	msg = malloc(len + 1);
+	if(msg == NULL) {
+	    fprintf(stderr, "%s: out of memory\n", progname);
+	    return;
+	}
+	msg[0] = '\0';
+	for(i = 0; i < num_args; i++) {
+	    if(i > 0)
+		strcat(msg, ", ");
+	    strcat(msg, arg[i]);
+	}
+    }
+    fprintf(stderr, "%s (%s)\n", progname, msg);
+    fprintf(stderr, "Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan\n");
+    if(num_args != 0)
+	free(msg);
+}
diff --git a/crypto/kerberosIV/lib/roken/putenv.c b/crypto/kerberosIV/lib/roken/putenv.c
new file mode 100644
index 0000000..80951d1
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/putenv.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: putenv.c,v 1.6 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include <stdlib.h>
+
+extern char **environ;
+
+/*
+ * putenv --
+ *	String points to a string of the form name=value.
+ *
+ *      Makes the value of the environment variable name equal to
+ *      value by altering an existing variable or creating a new one.
+ */
+int putenv(const char *string)
+{
+    int i;
+    int len;
+    
+    len = string - strchr(string, '=') + 1;
+
+    if(environ == NULL){
+	environ = malloc(sizeof(char*));
+	if(environ == NULL)
+	    return 1;
+	environ[0] = NULL;
+    }
+
+    for(i = 0; environ[i]; i++)
+	if(strncmp(string, environ[i], len)){
+	    environ[len] = string;
+	    return 0;
+	}
+    environ = realloc(environ, sizeof(char*) * (i + 1));
+    if(environ == NULL)
+	return 1;
+    environ[i] = string;
+    environ[i+1] = NULL;
+    return 0;
+}
+
diff --git a/crypto/kerberosIV/lib/roken/rcmd.c b/crypto/kerberosIV/lib/roken/rcmd.c
new file mode 100644
index 0000000..4117948
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/rcmd.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: rcmd.c,v 1.3 1999/12/02 16:58:51 joda Exp $");
+#endif
+
+#include "roken.h"
+#include <stdio.h>
+
+int
+rcmd(char **ahost,
+     unsigned short inport,
+     const char *locuser,
+     const char *remuser,
+     const char *cmd,
+     int *fd2p)
+{
+  fprintf(stderr, "Only kerberized services are implemented\n");
+  return -1;
+}
diff --git a/crypto/kerberosIV/lib/roken/readv.c b/crypto/kerberosIV/lib/roken/readv.c
new file mode 100644
index 0000000..de2f9ea
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/readv.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: readv.c,v 1.5 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+readv(int d, const struct iovec *iov, int iovcnt)
+{
+    ssize_t ret, nb;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+
+    for(i = 0; i < iovcnt; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    nb = ret = read (d, buf, tot);
+    p = buf;
+    while (nb > 0) {
+	ssize_t cnt = min(nb, iov->iov_len);
+
+	memcpy (iov->iov_base, p, cnt);
+	p += cnt;
+	nb -= cnt;
+    }
+    free(buf);
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/recvmsg.c b/crypto/kerberosIV/lib/roken/recvmsg.c
new file mode 100644
index 0000000..e94ad68
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/recvmsg.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: recvmsg.c,v 1.5 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+recvmsg(int s, struct msghdr *msg, int flags)
+{
+    ssize_t ret, nb;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+    struct iovec *iov = msg->msg_iov;
+
+    for(i = 0; i < msg->msg_iovlen; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    nb = ret = recvfrom (s, buf, tot, flags, msg->msg_name, &msg->msg_namelen);
+    p = buf;
+    while (nb > 0) {
+	ssize_t cnt = min(nb, iov->iov_len);
+
+	memcpy (iov->iov_base, p, cnt);
+	p += cnt;
+	nb -= cnt;
+	++iov;
+    }
+    free(buf);
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/resolve.c b/crypto/kerberosIV/lib/roken/resolve.c
new file mode 100644
index 0000000..8840740
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/resolve.c
@@ -0,0 +1,353 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+#ifdef HAVE_ARPA_NAMESER_H
+#include <arpa/nameser.h>
+#endif
+#ifdef HAVE_RESOLV_H
+#include <resolv.h>
+#endif
+#include "resolve.h"
+
+RCSID("$Id: resolve.c,v 1.22 1999/12/02 16:58:52 joda Exp $");
+
+#if defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND)
+
+#define DECL(X) {#X, T_##X}
+
+static struct stot{
+    const char *name;
+    int type;
+}stot[] = {
+    DECL(A),
+    DECL(NS),
+    DECL(CNAME),
+    DECL(PTR),
+    DECL(MX),
+    DECL(TXT),
+    DECL(AFSDB),
+    DECL(SRV),
+    {NULL, 	0}
+};
+
+int _resolve_debug;
+
+static int
+string_to_type(const char *name)
+{
+    struct stot *p = stot;
+    for(p = stot; p->name; p++)
+	if(strcasecmp(name, p->name) == 0)
+	    return p->type;
+    return -1;
+}
+
+static const char *
+type_to_string(int type)
+{
+    struct stot *p = stot;
+    for(p = stot; p->name; p++)
+	if(type == p->type)
+	    return p->name;
+    return NULL;
+}
+
+void
+dns_free_data(struct dns_reply *r)
+{
+    struct resource_record *rr;
+    if(r->q.domain)
+	free(r->q.domain);
+    for(rr = r->head; rr;){
+	struct resource_record *tmp = rr;
+	if(rr->domain)
+	    free(rr->domain);
+	if(rr->u.data)
+	    free(rr->u.data);
+	rr = rr->next;
+	free(tmp);
+    }
+    free (r);
+}
+
+static struct dns_reply*
+parse_reply(unsigned char *data, int len)
+{
+    unsigned char *p;
+    char host[128];
+    int status;
+    
+    struct dns_reply *r;
+    struct resource_record **rr;
+    
+    r = calloc(1, sizeof(*r));
+    if (r == NULL)
+	return NULL;
+
+    p = data;
+#if 0
+    /* doesn't work on Crays */
+    memcpy(&r->h, p, sizeof(HEADER));
+    p += sizeof(HEADER);
+#else
+    memcpy(&r->h, p, 12); /* XXX this will probably be mostly garbage */
+    p += 12;
+#endif
+    status = dn_expand(data, data + len, p, host, sizeof(host));
+    if(status < 0){
+	dns_free_data(r);
+	return NULL;
+    }
+    r->q.domain = strdup(host);
+    if(r->q.domain == NULL) {
+	dns_free_data(r);
+	return NULL;
+    }
+    p += status;
+    r->q.type = (p[0] << 8 | p[1]);
+    p += 2;
+    r->q.class = (p[0] << 8 | p[1]);
+    p += 2;
+    rr = &r->head;
+    while(p < data + len){
+	int type, class, ttl, size;
+	status = dn_expand(data, data + len, p, host, sizeof(host));
+	if(status < 0){
+	    dns_free_data(r);
+	    return NULL;
+	}
+	p += status;
+	type = (p[0] << 8) | p[1];
+	p += 2;
+	class = (p[0] << 8) | p[1];
+	p += 2;
+	ttl = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+	p += 4;
+	size = (p[0] << 8) | p[1];
+	p += 2;
+	*rr = (struct resource_record*)calloc(1, 
+					      sizeof(struct resource_record));
+	if(*rr == NULL) {
+	    dns_free_data(r);
+	    return NULL;
+	}
+	(*rr)->domain = strdup(host);
+	if((*rr)->domain == NULL) {
+	    dns_free_data(r);
+	    return NULL;
+	}
+	(*rr)->type = type;
+	(*rr)->class = class;
+	(*rr)->ttl = ttl;
+	(*rr)->size = size;
+	switch(type){
+	case T_NS:
+	case T_CNAME:
+	case T_PTR:
+	    status = dn_expand(data, data + len, p, host, sizeof(host));
+	    if(status < 0){
+		dns_free_data(r);
+		return NULL;
+	    }
+	    (*rr)->u.txt = strdup(host);
+	    if((*rr)->u.txt == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
+	    break;
+	case T_MX:
+	case T_AFSDB:{
+	    status = dn_expand(data, data + len, p + 2, host, sizeof(host));
+	    if(status < 0){
+		dns_free_data(r);
+		return NULL;
+	    }
+	    (*rr)->u.mx = (struct mx_record*)malloc(sizeof(struct mx_record) + 
+						    strlen(host));
+	    if((*rr)->u.mx == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
+	    (*rr)->u.mx->preference = (p[0] << 8) | p[1];
+	    strcpy((*rr)->u.mx->domain, host);
+	    break;
+	}
+	case T_SRV:{
+	    status = dn_expand(data, data + len, p + 6, host, sizeof(host));
+	    if(status < 0){
+		dns_free_data(r);
+		return NULL;
+	    }
+	    (*rr)->u.srv = 
+		(struct srv_record*)malloc(sizeof(struct srv_record) + 
+					   strlen(host));
+	    if((*rr)->u.srv == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
+	    (*rr)->u.srv->priority = (p[0] << 8) | p[1];
+	    (*rr)->u.srv->weight = (p[2] << 8) | p[3];
+	    (*rr)->u.srv->port = (p[4] << 8) | p[5];
+	    strcpy((*rr)->u.srv->target, host);
+	    break;
+	}
+	case T_TXT:{
+	    (*rr)->u.txt = (char*)malloc(size + 1);
+	    if((*rr)->u.txt == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
+	    strncpy((*rr)->u.txt, (char*)p + 1, *p);
+	    (*rr)->u.txt[*p] = 0;
+	    break;
+	}
+	    
+	default:
+	    (*rr)->u.data = (unsigned char*)malloc(size);
+	    if(size != 0 && (*rr)->u.data == NULL) {
+		dns_free_data(r);
+		return NULL;
+	    }
+	    memcpy((*rr)->u.data, p, size);
+	}
+	p += size;
+	rr = &(*rr)->next;
+    }
+    *rr = NULL;
+    return r;
+}
+
+static struct dns_reply *
+dns_lookup_int(const char *domain, int rr_class, int rr_type)
+{
+    unsigned char reply[1024];
+    int len;
+    struct dns_reply *r = NULL;
+    u_long old_options = 0;
+    
+    if (_resolve_debug) {
+        old_options = _res.options;
+	_res.options |= RES_DEBUG;
+	fprintf(stderr, "dns_lookup(%s, %d, %s)\n", domain,
+		rr_class, type_to_string(rr_type));
+    }
+    len = res_search(domain, rr_class, rr_type, reply, sizeof(reply));
+    if (_resolve_debug) {
+        _res.options = old_options;
+	fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n",
+		domain, rr_class, type_to_string(rr_type), len);
+    }
+    if (len >= 0)
+	r = parse_reply(reply, len);
+    return r;
+}
+
+struct dns_reply *
+dns_lookup(const char *domain, const char *type_name)
+{
+    int type;
+    
+    type = string_to_type(type_name);
+    if(type == -1) {
+	if(_resolve_debug)
+	    fprintf(stderr, "dns_lookup: unknown resource type: `%s'\n", 
+		    type_name);
+	return NULL;
+    }
+    return dns_lookup_int(domain, C_IN, type);
+}
+
+#else /* NOT defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND) */
+
+struct dns_reply *
+dns_lookup(const char *domain, const char *type_name)
+{
+    return NULL;
+}
+
+void
+dns_free_data(struct dns_reply *r)
+{
+}
+
+#endif
+
+#ifdef TEST
+int 
+main(int argc, char **argv)
+{
+    struct dns_reply *r;
+    struct resource_record *rr;
+    r = dns_lookup(argv[1], argv[2]);
+    if(r == NULL){
+	printf("No reply.\n");
+	return 1;
+    }
+    for(rr = r->head; rr;rr=rr->next){
+	printf("%s %s %d ", rr->domain, type_to_string(rr->type), rr->ttl);
+	switch(rr->type){
+	case T_NS:
+	    printf("%s\n", (char*)rr->u.data);
+	    break;
+	case T_A:
+	    printf("%d.%d.%d.%d\n", 
+		   ((unsigned char*)rr->u.data)[0],
+		   ((unsigned char*)rr->u.data)[1],
+		   ((unsigned char*)rr->u.data)[2],
+		   ((unsigned char*)rr->u.data)[3]);
+	    break;
+	case T_MX:
+	case T_AFSDB:{
+	    struct mx_record *mx = (struct mx_record*)rr->u.data;
+	    printf("%d %s\n", mx->preference, mx->domain);
+	    break;
+	}
+	case T_SRV:{
+	    struct srv_record *srv = (struct srv_record*)rr->u.data;
+	    printf("%d %d %d %s\n", srv->priority, srv->weight, 
+		   srv->port, srv->target);
+	    break;
+	}
+	default:
+	    printf("\n");
+	    break;
+	}
+    }
+    
+    return 0;
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/resolve.h b/crypto/kerberosIV/lib/roken/resolve.h
new file mode 100644
index 0000000..c90f6b5
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/resolve.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: resolve.h,v 1.8 1999/12/02 16:58:52 joda Exp $ */
+
+#ifndef __RESOLVE_H__
+#define __RESOLVE_H__
+
+/* We use these, but they are not always present in <arpa/nameser.h> */
+
+#ifndef T_TXT
+#define T_TXT		16
+#endif
+#ifndef T_AFSDB
+#define T_AFSDB		18
+#endif
+#ifndef T_SRV
+#define T_SRV		33
+#endif
+#ifndef T_NAPTR
+#define T_NAPTR		35
+#endif
+
+struct dns_query{
+    char *domain;
+    unsigned type;
+    unsigned class;
+};
+
+struct mx_record{
+    unsigned  preference;
+    char domain[1];
+};
+
+struct srv_record{
+    unsigned priority;
+    unsigned weight;
+    unsigned port;
+    char target[1];
+};
+
+struct resource_record{
+    char *domain;
+    unsigned type;
+    unsigned class;
+    unsigned ttl;
+    unsigned size;
+    union {
+	void *data;
+	struct mx_record *mx;
+	struct mx_record *afsdb; /* mx and afsdb are identical */
+	struct srv_record *srv;
+	struct in_addr *a;
+	char *txt;
+    }u;
+    struct resource_record *next;
+};
+
+#ifndef T_A /* XXX if <arpa/nameser.h> isn't included */
+typedef int HEADER; /* will never be used */
+#endif
+
+struct dns_reply{
+    HEADER h;
+    struct dns_query q;
+    struct resource_record *head;
+};
+
+
+struct dns_reply* dns_lookup(const char *, const char *);
+void dns_free_data(struct dns_reply *);
+
+#endif /* __RESOLVE_H__ */
diff --git a/crypto/kerberosIV/lib/roken/resource.h b/crypto/kerberosIV/lib/roken/resource.h
new file mode 100644
index 0000000..01cd01d
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/resource.h
@@ -0,0 +1,15 @@
+//{{NO_DEPENDENCIES}}

+// Microsoft Developer Studio generated include file.

+// Used by roken.rc

+//

+

+// Next default values for new objects

+// 

+#ifdef APSTUDIO_INVOKED

+#ifndef APSTUDIO_READONLY_SYMBOLS

+#define _APS_NEXT_RESOURCE_VALUE        101

+#define _APS_NEXT_COMMAND_VALUE         40001

+#define _APS_NEXT_CONTROL_VALUE         1000

+#define _APS_NEXT_SYMED_VALUE           101

+#endif

+#endif

diff --git a/crypto/kerberosIV/lib/roken/roken-common.h b/crypto/kerberosIV/lib/roken/roken-common.h
new file mode 100644
index 0000000..a57f54d
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/roken-common.h
@@ -0,0 +1,265 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: roken-common.h,v 1.19.2.2 2000/08/16 03:37:26 assar Exp $ */
+
+#ifndef __ROKEN_COMMON_H__
+#define __ROKEN_COMMON_H__
+
+#ifndef INADDR_NONE
+#define INADDR_NONE 0xffffffff
+#endif
+
+#ifndef SOMAXCONN
+#define SOMAXCONN 5
+#endif
+
+#ifndef STDIN_FILENO
+#define STDIN_FILENO 0
+#endif
+
+#ifndef STDOUT_FILENO
+#define STDOUT_FILENO 1
+#endif
+
+#ifndef STDERR_FILENO
+#define STDERR_FILENO 2
+#endif
+
+#ifndef max
+#define max(a,b) (((a)>(b))?(a):(b))
+#endif
+
+#ifndef min
+#define min(a,b) (((a)<(b))?(a):(b))
+#endif
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+#ifndef LOG_DAEMON
+#define openlog(id,option,facility) openlog((id),(option))
+#define	LOG_DAEMON	0
+#endif
+#ifndef LOG_ODELAY
+#define LOG_ODELAY 0
+#endif
+#ifndef LOG_NDELAY
+#define LOG_NDELAY 0x08
+#endif
+#ifndef LOG_CONS
+#define LOG_CONS 0
+#endif
+#ifndef LOG_AUTH
+#define LOG_AUTH 0
+#endif
+#ifndef LOG_AUTHPRIV
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+
+#ifndef F_OK
+#define F_OK 0
+#endif
+
+#ifndef O_ACCMODE
+#define O_ACCMODE	003
+#endif
+
+#ifndef _PATH_DEV
+#define _PATH_DEV "/dev/"
+#endif
+
+#ifndef _PATH_DEVNULL
+#define _PATH_DEVNULL "/dev/null"
+#endif
+
+#ifndef _PATH_HEQUIV
+#define _PATH_HEQUIV "/etc/hosts.equiv"
+#endif
+
+#ifndef MAXPATHLEN
+#define MAXPATHLEN (1024+4)
+#endif
+
+#ifndef SIG_ERR
+#define SIG_ERR ((RETSIGTYPE (*)())-1)
+#endif
+
+#ifndef HOST_NOT_FOUND
+#define HOST_NOT_FOUND 1
+#endif
+
+#ifndef TRY_AGAIN
+#define TRY_AGAIN 2
+#endif
+
+#ifndef NO_RECOVERY
+#define NO_RECOVERY 3
+#endif
+
+#ifndef NO_DATA
+#define NO_DATA 4
+#endif
+
+#ifndef NO_ADDRESS
+#define NO_ADDRESS NO_DATA
+#endif
+
+#if 0
+
+struct addrinfo {
+    int    ai_flags;
+    int    ai_family;
+    int    ai_socktype;
+    int    ai_protocol;
+    size_t ai_addrlen;
+    char  *ai_canonname;
+    struct sockaddr *ai_addr;
+    struct addrinfo *ai_next;
+};
+
+#define EAI_ADDRFAMILY	1	/* address family for nodename not supported */
+#define EAI_AGAIN	2	/* temporary failure in name resolution */
+#define EAI_BADFLAGS	3	/* invalid value for ai_flags */
+#define EAI_FAIL	4	/* non-recoverable failure in name resolution */
+#define EAI_FAMILY	5	/* ai_family not supported */
+#define EAI_MEMORY	6	/* memory allocation failure */
+#define EAI_NODATA	7	/* no address associated with nodename */
+#define EAI_NONAME	8	/* nodename nor servname provided, or not known */
+#define EAI_SERVICE	9	/* servname not supported for ai_socktype */
+#define EAI_SOCKTYPE   10	/* ai_socktype not supported */
+#define EAI_SYSTEM     11	/* system error returned in errno */
+
+/* flags for getaddrinfo() */
+
+#define AI_PASSIVE	0x01
+#define AI_CANONNAME	0x02
+#define AI_NUMERICHOST	0x04
+
+#endif
+
+/*
+ * constants for inet_ntop
+ */
+
+#ifndef INET_ADDRSTRLEN
+#define INET_ADDRSTRLEN    16
+#endif
+
+#ifndef INET6_ADDRSTRLEN
+#define INET6_ADDRSTRLEN   46
+#endif
+
+/*
+ * for shutdown(2)
+ */
+
+#ifndef SHUT_RD
+#define SHUT_RD 0
+#endif
+
+#ifndef SHUT_WR
+#define SHUT_WR 1
+#endif
+
+#ifndef SHUT_RDWR
+#define SHUT_RDWR 2
+#endif
+
+#ifndef HAVE___ATTRIBUTE__
+#define __attribute__(x)
+#endif
+
+#if IRIX != 4 /* fix for compiler bug */
+#ifdef RETSIGTYPE
+typedef RETSIGTYPE (*SigAction)(/* int??? */);
+SigAction signal(int iSig, SigAction pAction); /* BSD compatible */
+#endif
+#endif
+
+int ROKEN_LIB_FUNCTION simple_execve(const char*, char*const[], char*const[]);
+int ROKEN_LIB_FUNCTION simple_execvp(const char*, char *const[]);
+int ROKEN_LIB_FUNCTION simple_execlp(const char*, ...);
+int ROKEN_LIB_FUNCTION simple_execle(const char*, ...);
+
+void ROKEN_LIB_FUNCTION print_version(const char *);
+
+void *ROKEN_LIB_FUNCTION emalloc (size_t);
+void *ROKEN_LIB_FUNCTION erealloc (void *, size_t);
+char *ROKEN_LIB_FUNCTION estrdup (const char *);
+
+ssize_t ROKEN_LIB_FUNCTION eread (int fd, void *buf, size_t nbytes);
+ssize_t ROKEN_LIB_FUNCTION ewrite (int fd, const void *buf, size_t nbytes);
+
+void
+socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port);
+
+size_t
+socket_addr_size (const struct sockaddr *sa);
+
+void
+socket_set_any (struct sockaddr *sa, int af);
+
+size_t
+socket_sockaddr_size (const struct sockaddr *sa);
+
+void *
+socket_get_address (struct sockaddr *sa);
+
+int
+socket_get_port (const struct sockaddr *sa);
+
+void
+socket_set_port (struct sockaddr *sa, int port);
+
+void
+socket_set_debug (int sock);
+
+void
+socket_set_tos (int sock, int tos);
+
+void
+socket_set_reuseaddr (int sock, int val);
+
+char **
+vstrcollect(va_list *ap);
+
+char **
+strcollect(char *first, ...);
+ 
+#endif /* __ROKEN_COMMON_H__ */
diff --git a/crypto/kerberosIV/lib/roken/roken.awk b/crypto/kerberosIV/lib/roken/roken.awk
new file mode 100644
index 0000000..626fae5
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/roken.awk
@@ -0,0 +1,35 @@
+BEGIN {
+	print "#include <stdio.h>"
+	print "#ifdef HAVE_CONFIG_H"
+	print "#include <config.h>"
+	print "#endif"
+	print ""
+	print "int main()"
+	print "{"
+	    print "puts(\"/* This is an OS dependent, generated file */\");"
+	print "puts(\"\\n\");"
+	print "puts(\"#ifndef __ROKEN_H__\");"
+	print "puts(\"#define __ROKEN_H__\");"
+	print "puts(\"\");"
+}
+END {
+	print "puts(\"#endif /* __ROKEN_H__ */\");"
+	print "exit(0);"
+	print "}"
+}
+
+$1 == "\#ifdef" || $1 == "\#ifndef" || $1 == "\#if" || $1 == "\#else" || $1 == "\#elif" || $1 == "\#endif" || $1 == "#ifdef" || $1 == "#ifndef" || $1 == "#if" || $1 == "#else" || $1 == "#elif" || $1 == "#endif" {
+	print $0;
+	next
+}
+
+{
+	s = ""
+	for(i = 1; i <= length; i++){
+		x = substr($0, i, 1)
+		if(x == "\"" || x == "\\")
+			s = s "\\";
+		s = s x;
+	}
+	print "puts(\"" s "\");"
+}
diff --git a/crypto/kerberosIV/lib/roken/roken.def b/crypto/kerberosIV/lib/roken/roken.def
new file mode 100644
index 0000000..f9b0369
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/roken.def
@@ -0,0 +1,17 @@
+LIBRARY roken BASE=0x68f0000
+EXPORTS
+	gettimeofday
+	strcasecmp
+	strtok_r
+	snprintf
+	asprintf
+	vsnprintf
+	base64_decode
+	base64_encode
+	roken_concat
+	roken_vconcat
+	roken_vmconcat
+	roken_mconcat
+	getuid
+	dns_free_data
+	dns_lookup
diff --git a/crypto/kerberosIV/lib/roken/roken.dsp b/crypto/kerberosIV/lib/roken/roken.dsp
new file mode 100644
index 0000000..d84854e
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/roken.dsp
@@ -0,0 +1,156 @@
+# Microsoft Developer Studio Project File - Name="roken" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 5.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+CFG=roken - Win32 Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "roken.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "roken.mak" CFG="roken - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "roken - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "roken - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "roken - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir ".\Release"
+# PROP BASE Intermediate_Dir ".\Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir ".\Release"
+# PROP Intermediate_Dir ".\Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MT /GX /O2 /I "..\krb" /I "..\des" /I "..\..\include" /I "..\..\include\win32" /I "." /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c
+# ADD BASE MTL /nologo /D "NDEBUG" /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /base:"0x68e7780" /subsystem:windows /dll /machine:I386
+
+!ELSEIF  "$(CFG)" == "roken - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir ".\Debug"
+# PROP BASE Intermediate_Dir ".\Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir ".\Debug"
+# PROP Intermediate_Dir ".\Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MDd /Gm /GX /Zi /Od /I "..\krb" /I "..\des" /I "..\..\include" /I "..\..\include\win32" /I "." /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "HAVE_CONFIG_H" /YX /FD /c
+# ADD BASE MTL /nologo /D "_DEBUG" /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo /subsystem:windows /dll /debug /machine:I386 /def:".\roken.def"
+# SUBTRACT LINK32 /pdb:none
+
+!ENDIF 
+
+# Begin Target
+
+# Name "roken - Win32 Release"
+# Name "roken - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;hpj;bat;for;f90"
+# Begin Source File
+
+SOURCE=.\base64.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\concat.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\gettimeofday.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\getuid.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\resolve.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\roken.def
+
+!IF  "$(CFG)" == "roken - Win32 Release"
+
+!ELSEIF  "$(CFG)" == "roken - Win32 Debug"
+
+# PROP Exclude_From_Build 1
+
+!ENDIF 
+
+# End Source File
+# Begin Source File
+
+SOURCE=.\snprintf.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\strcasecmp.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\strtok_r.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl;fi;fd"
+# Begin Source File
+
+SOURCE=.\resolve.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;cnt;rtf;gif;jpg;jpeg;jpe"
+# Begin Source File
+
+SOURCE=.\roken.rc
+# End Source File
+# End Group
+# End Target
+# End Project
diff --git a/crypto/kerberosIV/lib/roken/roken.h.in b/crypto/kerberosIV/lib/roken/roken.h.in
new file mode 100644
index 0000000..be0774e
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/roken.h.in
@@ -0,0 +1,520 @@
+/* -*- C -*- */
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: roken.h.in,v 1.125.2.4 2000/03/12 20:32:51 assar Exp $ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <signal.h>
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#ifdef HAVE_WINSOCK_H
+#include <winsock.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
+#ifdef HAVE_ERR_H
+#include <err.h>
+#endif
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef ROKEN_LIB_FUNCTION
+#if defined(__BORLANDC__)
+#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet */
+#elif defined(_MSC_VER)
+#define ROKEN_LIB_FUNCTION /* not-ready-definition-yet2 */
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
+#include <roken-common.h>
+
+#if !defined(HAVE_SETSID) && defined(HAVE__SETSID)
+#define setsid _setsid
+#endif
+
+#ifndef HAVE_PUTENV
+int putenv(const char *string);
+#endif
+
+#if !defined(HAVE_SETENV) || defined(NEED_SETENV_PROTO)
+int setenv(const char *var, const char *val, int rewrite);
+#endif
+
+#if !defined(HAVE_UNSETENV) || defined(NEED_UNSETENV_PROTO)
+void unsetenv(const char *name);
+#endif
+
+#if !defined(HAVE_GETUSERSHELL) || defined(NEED_GETUSERSHELL_PROTO)
+char *getusershell(void);
+void endusershell(void);
+#endif
+
+#if !defined(HAVE_SNPRINTF) || defined(NEED_SNPRINTF_PROTO)
+int snprintf (char *str, size_t sz, const char *format, ...)
+     __attribute__ ((format (printf, 3, 4)));
+#endif
+
+#if !defined(HAVE_VSNPRINTF) || defined(NEED_VSNPRINTF_PROTO)
+int vsnprintf (char *str, size_t sz, const char *format, va_list ap)
+     __attribute__((format (printf, 3, 0)));
+#endif
+
+#if !defined(HAVE_ASPRINTF) || defined(NEED_ASPRINTF_PROTO)
+int asprintf (char **ret, const char *format, ...)
+     __attribute__ ((format (printf, 2, 3)));
+#endif
+
+#if !defined(HAVE_VASPRINTF) || defined(NEED_VASPRINTF_PROTO)
+int vasprintf (char **ret, const char *format, va_list ap)
+     __attribute__((format (printf, 2, 0)));
+#endif
+
+#if !defined(HAVE_ASNPRINTF) || defined(NEED_ASNPRINTF_PROTO)
+int asnprintf (char **ret, size_t max_sz, const char *format, ...)
+     __attribute__ ((format (printf, 3, 4)));
+#endif
+
+#if !defined(HAVE_VASNPRINTF) || defined(NEED_VASNPRINTF_PROTO)
+int vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap)
+     __attribute__((format (printf, 3, 0)));
+#endif
+
+#ifndef HAVE_STRDUP
+char * strdup(const char *old);
+#endif
+
+#ifndef HAVE_STRNDUP
+char * strndup(const char *old, size_t sz);
+#endif
+
+#ifndef HAVE_STRLWR
+char * strlwr(char *);
+#endif
+
+#ifndef HAVE_STRNLEN
+size_t strnlen(const char*, size_t);
+#endif
+
+#if !defined(HAVE_STRSEP) || defined(NEED_STRSEP_PROTO)
+char *strsep(char**, const char*);
+#endif
+
+#ifndef HAVE_STRCASECMP
+int strcasecmp(const char *s1, const char *s2);
+#endif
+
+#ifdef NEED_FCLOSE_PROTO
+int fclose(FILE *);
+#endif
+
+#ifdef NEED_STRTOK_R_PROTO
+char *strtok_r(char *s1, const char *s2, char **lasts);
+#endif
+
+#ifndef HAVE_STRUPR
+char * strupr(char *);
+#endif
+
+#ifndef HAVE_STRLCPY
+size_t strlcpy (char *dst, const char *src, size_t dst_sz);
+#endif
+
+#ifndef HAVE_STRLCAT
+size_t strlcat (char *dst, const char *src, size_t dst_sz);
+#endif
+
+#ifndef HAVE_GETDTABLESIZE
+int getdtablesize(void);
+#endif
+
+#if !defined(HAVE_STRERROR) && !defined(strerror)
+char *strerror(int eno);
+#endif
+
+#if !defined(HAVE_HSTRERROR) || defined(NEED_HSTRERROR_PROTO)
+/* This causes a fatal error under Psoriasis */
+#if !(defined(SunOS) && (SunOS >= 50))
+const char *hstrerror(int herr);
+#endif
+#endif
+
+#ifndef HAVE_H_ERRNO_DECLARATION
+extern int h_errno;
+#endif
+
+#if !defined(HAVE_INET_ATON) || defined(NEED_INET_ATON_PROTO)
+int inet_aton(const char *cp, struct in_addr *adr);
+#endif
+
+#ifndef HAVE_INET_NTOP
+const char *
+inet_ntop(int af, const void *src, char *dst, size_t size);
+#endif
+
+#ifndef HAVE_INET_PTON
+int
+inet_pton(int af, const char *src, void *dst);
+#endif
+
+#if !defined(HAVE_GETCWD)
+char* getcwd(char *path, size_t size);
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+struct passwd *k_getpwnam (const char *user);
+struct passwd *k_getpwuid (uid_t uid);
+#endif
+
+const char *get_default_username (void);
+
+#ifndef HAVE_SETEUID
+int seteuid(uid_t euid);
+#endif
+
+#ifndef HAVE_SETEGID
+int setegid(gid_t egid);
+#endif
+
+#ifndef HAVE_LSTAT
+int lstat(const char *path, struct stat *buf);
+#endif
+
+#if !defined(HAVE_MKSTEMP) || defined(NEED_MKSTEMP_PROTO)
+int mkstemp(char *);
+#endif
+
+#ifndef HAVE_CGETENT
+int cgetent(char **buf, char **db_array, const char *name);
+int cgetstr(char *buf, const char *cap, char **str);
+#endif
+
+#ifndef HAVE_INITGROUPS
+int initgroups(const char *name, gid_t basegid);
+#endif
+
+#ifndef HAVE_FCHOWN
+int fchown(int fd, uid_t owner, gid_t group);
+#endif
+
+#ifndef HAVE_DAEMON
+int daemon(int nochdir, int noclose);
+#endif
+
+#ifndef HAVE_INNETGR
+int innetgr(const char *netgroup, const char *machine, 
+	    const char *user, const char *domain);
+#endif
+
+#ifndef HAVE_CHOWN
+int chown(const char *path, uid_t owner, gid_t group);
+#endif
+
+#ifndef HAVE_RCMD
+int rcmd(char **ahost, unsigned short inport, const char *locuser,
+	 const char *remuser, const char *cmd, int *fd2p);
+#endif
+
+#if !defined(HAVE_INNETGR) || defined(NEED_INNETGR_PROTO)
+int innetgr(const char*, const char*, const char*, const char*);
+#endif
+
+#ifndef HAVE_IRUSEROK
+int iruserok(unsigned raddr, int superuser, const char *ruser,
+	     const char *luser);
+#endif
+
+#if !defined(HAVE_GETHOSTNAME) || defined(NEED_GETHOSTNAME_PROTO)
+int gethostname(char *name, int namelen);
+#endif
+
+#ifndef HAVE_WRITEV
+ssize_t
+writev(int d, const struct iovec *iov, int iovcnt);
+#endif
+
+#ifndef HAVE_READV
+ssize_t
+readv(int d, const struct iovec *iov, int iovcnt);
+#endif
+
+#ifndef HAVE_MKSTEMP
+int
+mkstemp(char *template);
+#endif
+
+#ifndef HAVE_FLOCK
+#ifndef LOCK_SH
+#define LOCK_SH   1		/* Shared lock */
+#endif
+#ifndef	LOCK_EX
+#define LOCK_EX   2		/* Exclusive lock */
+#endif
+#ifndef LOCK_NB
+#define LOCK_NB   4		/* Don't block when locking */
+#endif
+#ifndef LOCK_UN
+#define LOCK_UN   8		/* Unlock */
+#endif
+
+int flock(int fd, int operation);
+#endif /* HAVE_FLOCK */
+
+time_t tm2time (struct tm tm, int local);
+
+int unix_verify_user(char *user, char *password);
+
+void inaddr2str(struct in_addr addr, char *s, size_t len);
+
+void mini_inetd (int port);
+
+int roken_concat (char *s, size_t len, ...);
+
+size_t roken_mconcat (char **s, size_t max_len, ...);
+
+int roken_vconcat (char *s, size_t len, va_list args);
+
+size_t roken_vmconcat (char **s, size_t max_len, va_list args);
+
+ssize_t net_write (int fd, const void *buf, size_t nbytes);
+
+ssize_t net_read (int fd, void *buf, size_t nbytes);
+
+int issuid(void);
+
+#ifndef HAVE_STRUCT_WINSIZE
+struct winsize {
+	unsigned short ws_row, ws_col;
+	unsigned short ws_xpixel, ws_ypixel;
+};
+#endif
+
+int get_window_size(int fd, struct winsize *);
+
+#ifndef HAVE_VSYSLOG
+void vsyslog(int pri, const char *fmt, va_list ap);
+#endif
+
+#ifndef HAVE_OPTARG_DECLARATION
+extern char *optarg;
+#endif
+#ifndef HAVE_OPTIND_DECLARATION
+extern int optind;
+#endif
+#ifndef HAVE_OPTERR_DECLARATION
+extern int opterr;
+#endif
+
+#ifndef HAVE___PROGNAME_DECLARATION
+extern const char *__progname;
+#endif
+
+#ifndef HAVE_ENVIRON_DECLARATION
+extern char **environ;
+#endif
+
+#ifndef HAVE_GETIPNODEBYNAME
+struct hostent *
+getipnodebyname (const char *name, int af, int flags, int *error_num);
+#endif
+
+#ifndef HAVE_GETIPNODEBYADDR
+struct hostent *
+getipnodebyaddr (const void *src, size_t len, int af, int *error_num);
+#endif
+
+#ifndef HAVE_FREEHOSTENT
+void
+freehostent (struct hostent *h);
+#endif
+
+#ifndef HAVE_COPYHOSTENT
+struct hostent *
+copyhostent (const struct hostent *h);
+#endif
+
+#ifndef HAVE_SOCKLEN_T
+typedef int socklen_t;
+#endif
+
+#ifndef HAVE_STRUCT_SOCKADDR_STORAGE
+
+#ifndef HAVE_SA_FAMILY_T
+typedef unsigned short sa_family_t;
+#endif
+
+#ifdef HAVE_IPV6
+#define _SS_MAXSIZE sizeof(struct sockaddr_in6)
+#else
+#define _SS_MAXSIZE sizeof(struct sockaddr_in)
+#endif
+
+#define _SS_ALIGNSIZE	sizeof(unsigned long)
+
+#if HAVE_STRUCT_SOCKADDR_SA_LEN
+
+typedef unsigned char roken_sa_family_t;
+
+#define _SS_PAD1SIZE   ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t) - sizeof(unsigned char)) % _SS_ALIGNSIZE)
+#define _SS_PAD2SIZE   (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + sizeof(unsigned char) + _SS_PAD1SIZE + _SS_ALIGNSIZE))
+
+struct sockaddr_storage {
+    unsigned char	__ss_len;
+    roken_sa_family_t	__ss_family;
+    char		__ss_pad1[_SS_PAD1SIZE];
+    unsigned long	__ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1];
+};
+
+#else /* !HAVE_STRUCT_SOCKADDR_SA_LEN */
+
+typedef unsigned short roken_sa_family_t;
+
+#define _SS_PAD1SIZE   ((2 * _SS_ALIGNSIZE - sizeof (roken_sa_family_t)) % _SS_ALIGNSIZE)
+#define _SS_PAD2SIZE   (_SS_MAXSIZE - (sizeof (roken_sa_family_t) + _SS_PAD1SIZE + _SS_ALIGNSIZE))
+
+struct sockaddr_storage {
+    roken_sa_family_t	__ss_family;
+    char		__ss_pad1[_SS_PAD1SIZE];
+    unsigned long	__ss_align[_SS_PAD2SIZE / sizeof(unsigned long) + 1];
+};
+
+#endif /* HAVE_STRUCT_SOCKADDR_SA_LEN */
+
+#endif /* HAVE_STRUCT_SOCKADDR_STORAGE */
+
+/*
+ * kludges and such
+ */
+
+#if 1
+int roken_gethostby_setup(const char*, const char*);
+struct hostent* roken_gethostbyname(const char*);
+struct hostent* roken_gethostbyaddr(const void*, size_t, int);
+#else
+#ifdef GETHOSTBYNAME_PROTO_COMPATIBLE
+#define roken_gethostbyname(x) gethostbyname(x)
+#else
+#define roken_gethostbyname(x) gethostbyname((char *)x)
+#endif
+
+#ifdef GETHOSTBYADDR_PROTO_COMPATIBLE
+#define roken_gethostbyaddr(a, l, t) gethostbyaddr(a, l, t)
+#else
+#define roken_gethostbyaddr(a, l, t) gethostbyaddr((char *)a, l, t)
+#endif
+#endif
+
+#ifdef GETSERVBYNAME_PROTO_COMPATIBLE
+#define roken_getservbyname(x,y) getservbyname(x,y)
+#else
+#define roken_getservbyname(x,y) getservbyname((char *)x, (char *)y)
+#endif
+
+#ifdef OPENLOG_PROTO_COMPATIBLE
+#define roken_openlog(a,b,c) openlog(a,b,c)
+#else
+#define roken_openlog(a,b,c) openlog((char *)a,b,c)
+#endif
+
+void set_progname(char *argv0);
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/roken.mak b/crypto/kerberosIV/lib/roken/roken.mak
new file mode 100644
index 0000000..da9a834
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/roken.mak
@@ -0,0 +1,316 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on roken.dsp
+!IF "$(CFG)" == ""
+CFG=roken - Win32 Release
+!MESSAGE No configuration specified. Defaulting to roken - Win32 Release.
+!ENDIF 
+
+!IF "$(CFG)" != "roken - Win32 Release" && "$(CFG)" != "roken - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line.  For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "roken.mak" CFG="roken - Win32 Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "roken - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "roken - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "roken - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+# Begin Custom Macros
+OutDir=.\.\Release
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ELSE 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ENDIF 
+
+CLEAN : 
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\concat.obj"
+	-@erase "$(INTDIR)\gettimeofday.obj"
+	-@erase "$(INTDIR)\getuid.obj"
+	-@erase "$(INTDIR)\resolve.obj"
+	-@erase "$(INTDIR)\roken.res"
+	-@erase "$(INTDIR)\snprintf.obj"
+	-@erase "$(INTDIR)\strcasecmp.obj"
+	-@erase "$(INTDIR)\strtok_r.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(OUTDIR)\roken.dll"
+	-@erase "$(OUTDIR)\roken.exp"
+	-@erase "$(OUTDIR)\roken.lib"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /GX /O2 /I "..\krb" /I "..\des" /I "..\..\include" /I\
+ "..\..\include\win32" /I "." /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D\
+ "HAVE_CONFIG_H" /Fp"$(INTDIR)\roken.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\"\
+ /FD /c 
+CPP_OBJS=.\Release/
+CPP_SBRS=.
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\roken.res" /d "NDEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\roken.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib\
+ advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo\
+ /base:"0x68e7780" /subsystem:windows /dll /incremental:no\
+ /pdb:"$(OUTDIR)\roken.pdb" /machine:I386 /def:".\roken.def"\
+ /out:"$(OUTDIR)\roken.dll" /implib:"$(OUTDIR)\roken.lib" 
+DEF_FILE= \
+	".\roken.def"
+LINK32_OBJS= \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\concat.obj" \
+	"$(INTDIR)\gettimeofday.obj" \
+	"$(INTDIR)\getuid.obj" \
+	"$(INTDIR)\resolve.obj" \
+	"$(INTDIR)\roken.res" \
+	"$(INTDIR)\snprintf.obj" \
+	"$(INTDIR)\strcasecmp.obj" \
+	"$(INTDIR)\strtok_r.obj"
+
+"$(OUTDIR)\roken.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF  "$(CFG)" == "roken - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ELSE 
+
+ALL : "$(OUTDIR)\roken.dll"
+
+!ENDIF 
+
+CLEAN : 
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\concat.obj"
+	-@erase "$(INTDIR)\gettimeofday.obj"
+	-@erase "$(INTDIR)\getuid.obj"
+	-@erase "$(INTDIR)\resolve.obj"
+	-@erase "$(INTDIR)\roken.res"
+	-@erase "$(INTDIR)\snprintf.obj"
+	-@erase "$(INTDIR)\strcasecmp.obj"
+	-@erase "$(INTDIR)\strtok_r.obj"
+	-@erase "$(INTDIR)\vc50.idb"
+	-@erase "$(INTDIR)\vc50.pdb"
+	-@erase "$(OUTDIR)\roken.dll"
+	-@erase "$(OUTDIR)\roken.exp"
+	-@erase "$(OUTDIR)\roken.ilk"
+	-@erase "$(OUTDIR)\roken.lib"
+	-@erase "$(OUTDIR)\roken.pdb"
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /Gm /GX /Zi /Od /I "..\krb" /I "..\des" /I\
+ "..\..\include" /I "..\..\include\win32" /I "." /D "_DEBUG" /D "WIN32" /D\
+ "_WINDOWS" /D "HAVE_CONFIG_H" /Fp"$(INTDIR)\roken.pch" /YX /Fo"$(INTDIR)\\"\
+ /Fd"$(INTDIR)\\" /FD /c 
+CPP_OBJS=.\Debug/
+CPP_SBRS=.
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\roken.res" /d "_DEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\roken.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib\
+ advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib /nologo\
+ /subsystem:windows /dll /incremental:yes /pdb:"$(OUTDIR)\roken.pdb" /debug\
+ /machine:I386 /def:".\roken.def" /out:"$(OUTDIR)\roken.dll"\
+ /implib:"$(OUTDIR)\roken.lib" 
+LINK32_OBJS= \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\concat.obj" \
+	"$(INTDIR)\gettimeofday.obj" \
+	"$(INTDIR)\getuid.obj" \
+	"$(INTDIR)\resolve.obj" \
+	"$(INTDIR)\roken.res" \
+	"$(INTDIR)\snprintf.obj" \
+	"$(INTDIR)\strcasecmp.obj" \
+	"$(INTDIR)\strtok_r.obj"
+
+"$(OUTDIR)\roken.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF 
+
+.c{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_OBJS)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(CPP_SBRS)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(CFG)" == "roken - Win32 Release" || "$(CFG)" == "roken - Win32 Debug"
+SOURCE=.\base64.c
+DEP_CPP_BASE6=\
+	"..\..\include\win32\config.h"\
+	".\base64.h"\
+
+
+"$(INTDIR)\base64.obj" : $(SOURCE) $(DEP_CPP_BASE6) "$(INTDIR)"
+
+
+SOURCE=.\concat.c
+DEP_CPP_CONCA=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\concat.obj" : $(SOURCE) $(DEP_CPP_CONCA) "$(INTDIR)"
+
+
+SOURCE=.\gettimeofday.c
+DEP_CPP_GETTI=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\gettimeofday.obj" : $(SOURCE) $(DEP_CPP_GETTI) "$(INTDIR)"
+
+
+SOURCE=.\getuid.c
+DEP_CPP_GETUI=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\getuid.obj" : $(SOURCE) $(DEP_CPP_GETUI) "$(INTDIR)"
+
+
+SOURCE=.\resolve.c
+DEP_CPP_RESOL=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\resolve.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\resolve.obj" : $(SOURCE) $(DEP_CPP_RESOL) "$(INTDIR)"
+
+
+SOURCE=.\snprintf.c
+DEP_CPP_SNPRI=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\snprintf.obj" : $(SOURCE) $(DEP_CPP_SNPRI) "$(INTDIR)"
+
+
+SOURCE=.\strcasecmp.c
+DEP_CPP_STRCA=\
+	"..\..\include\win32\config.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\strcasecmp.obj" : $(SOURCE) $(DEP_CPP_STRCA) "$(INTDIR)"
+
+
+SOURCE=.\strtok_r.c
+DEP_CPP_STRTO=\
+	"..\..\include\win32\config.h"\
+	"..\..\include\win32\roken.h"\
+	".\err.h"\
+	".\roken-common.h"\
+	{$(INCLUDE)}"sys\stat.h"\
+	{$(INCLUDE)}"sys\types.h"\
+	
+
+"$(INTDIR)\strtok_r.obj" : $(SOURCE) $(DEP_CPP_STRTO) "$(INTDIR)"
+
+
+SOURCE=.\roken.rc
+
+"$(INTDIR)\roken.res" : $(SOURCE) "$(INTDIR)"
+	$(RSC) $(RSC_PROJ) $(SOURCE)
+	
+
+
+!ENDIF 
+
diff --git a/crypto/kerberosIV/lib/roken/roken.rc b/crypto/kerberosIV/lib/roken/roken.rc
new file mode 100644
index 0000000..e7e2f3e
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/roken.rc
@@ -0,0 +1,105 @@
+//Microsoft Developer Studio generated resource script.
+//
+#include "resource.h"
+
+#define APSTUDIO_READONLY_SYMBOLS
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 2 resource.
+//
+#include "afxres.h"
+
+/////////////////////////////////////////////////////////////////////////////
+#undef APSTUDIO_READONLY_SYMBOLS
+
+/////////////////////////////////////////////////////////////////////////////
+// Swedish resources
+
+#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_SVE)
+#ifdef _WIN32
+LANGUAGE LANG_SWEDISH, SUBLANG_DEFAULT
+#pragma code_page(1252)
+#endif //_WIN32
+
+#ifdef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// TEXTINCLUDE
+//
+
+1 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "resource.h\0"
+END
+
+2 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "#include ""afxres.h""\r\n"
+    "\0"
+END
+
+3 TEXTINCLUDE DISCARDABLE 
+BEGIN
+    "\r\n"
+    "\0"
+END
+
+#endif    // APSTUDIO_INVOKED
+
+
+#ifndef _MAC
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION 1,0,0,1
+ PRODUCTVERSION 1,0,0,1
+ FILEFLAGSMASK 0x3fL
+#ifdef _DEBUG
+ FILEFLAGS 0x1L
+#else
+ FILEFLAGS 0x0L
+#endif
+ FILEOS 0x40004L
+ FILETYPE 0x2L
+ FILESUBTYPE 0x0L
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904b0"
+        BEGIN
+            VALUE "CompanyName", "Royal Institute of Technology (KTH)\0"
+            VALUE "FileDescription", "roken\0"
+            VALUE "FileVersion", "4, 0, 9, 9\0"
+            VALUE "InternalName", "roken\0"
+            VALUE "LegalCopyright", "Copyright © 1996 - 1998  Royal Institute of Technology (KTH)\0"
+            VALUE "OriginalFilename", "roken.dll\0"
+            VALUE "ProductName", "KTH Kerberos\0"
+            VALUE "ProductVersion", "4,0,9,9\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
+
+#endif    // !_MAC
+
+#endif    // Swedish resources
+/////////////////////////////////////////////////////////////////////////////
+
+
+
+#ifndef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 3 resource.
+//
+
+
+/////////////////////////////////////////////////////////////////////////////
+#endif    // not APSTUDIO_INVOKED
+
diff --git a/crypto/kerberosIV/lib/roken/roken_gethostby.c b/crypto/kerberosIV/lib/roken/roken_gethostby.c
new file mode 100644
index 0000000..8eb2325
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/roken_gethostby.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: roken_gethostby.c,v 1.4 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include <roken.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#undef roken_gethostbyname
+#undef roken_gethostbyaddr
+
+static struct sockaddr_in dns_addr;
+static char *dns_req;
+
+static int
+make_address(const char *address, struct in_addr *ip)
+{
+    if(inet_aton(address, ip) == 0){
+	/* try to resolve as hostname, it might work if the address we
+           are trying to lookup is local, for instance a web proxy */
+	struct hostent *he = gethostbyname(address);
+	if(he) {
+	    unsigned char *p = (unsigned char*)he->h_addr;
+	    ip->s_addr = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+	} else {
+	    return -1;
+	}
+    }
+    return 0;
+}
+
+static int
+setup_int(const char *proxy_host, short proxy_port,
+	  const char *dns_host, short dns_port,
+	  const char *dns_path)
+{
+    memset(&dns_addr, 0, sizeof(dns_addr));
+    if(dns_req)
+	free(dns_req);
+    if(proxy_host) {
+	if(make_address(proxy_host, &dns_addr.sin_addr) != 0)
+	    return -1;
+	dns_addr.sin_port = htons(proxy_port);
+	asprintf(&dns_req, "http://%s:%d%s", dns_host, dns_port, dns_path);
+    } else {
+	if(make_address(dns_host, &dns_addr.sin_addr) != 0)
+	    return -1;
+	dns_addr.sin_port = htons(dns_port);
+	asprintf(&dns_req, "%s", dns_path);
+    }
+    dns_addr.sin_family = AF_INET;
+    return 0;
+}
+
+static void
+split_spec(const char *spec, char **host, int *port, char **path, int def_port)
+{
+    char *p;
+    *host = strdup(spec);
+    p = strchr(*host, ':');
+    if(p) {
+	*p++ = '\0';
+	if(sscanf(p, "%d", port) != 1)
+	    *port = def_port;
+    } else
+	*port = def_port;
+    p = strchr(p ? p : *host, '/');
+    if(p) {
+	if(path) 
+	    *path = strdup(p);
+	*p = '\0';
+    }else
+	if(path) 
+	    *path = NULL;
+}
+
+
+int
+roken_gethostby_setup(const char *proxy_spec, const char *dns_spec)
+{
+    char *proxy_host = NULL;
+    int proxy_port;
+    char *dns_host, *dns_path;
+    int dns_port;
+    
+    int ret = -1;
+    
+    split_spec(dns_spec, &dns_host, &dns_port, &dns_path, 80);
+    if(dns_path == NULL)
+	goto out;
+    if(proxy_spec)
+	split_spec(proxy_spec, &proxy_host, &proxy_port, NULL, 80);
+    ret = setup_int(proxy_host, proxy_port, dns_host, dns_port, dns_path);
+out:
+    free(proxy_host);
+    free(dns_host);
+    free(dns_path);
+    return ret;
+}
+    
+
+/* Try to lookup a name or an ip-address using http as transport
+   mechanism. See the end of this file for an example program. */
+static struct hostent*
+roken_gethostby(const char *hostname)
+{
+    int s;
+    struct sockaddr_in sin;
+    char *request;
+    char buf[1024];
+    int offset = 0;
+    int n;
+    char *p, *foo;
+    
+    if(dns_addr.sin_family == 0)
+	return NULL; /* no configured host */
+    sin = dns_addr;
+    asprintf(&request, "GET %s?%s HTTP/1.0\r\n\r\n", dns_req, hostname);
+    if(request == NULL)
+	return NULL;
+    s  = socket(AF_INET, SOCK_STREAM, 0);
+    if(s < 0) {
+	free(request);
+	return NULL;
+    }
+    if(connect(s, (struct sockaddr*)&sin, sizeof(sin)) < 0) {
+	close(s);
+	free(request);
+	return NULL;
+    }
+    if(write(s, request, strlen(request)) != strlen(request)) {
+	close(s);
+	free(request);
+	return NULL;
+    }
+    free(request);
+    while(1) {
+	n = read(s, buf + offset, sizeof(buf) - offset);
+	if(n <= 0)
+	    break;
+	offset += n;
+    }
+    buf[offset] = '\0';
+    close(s);
+    p = strstr(buf, "\r\n\r\n"); /* find end of header */
+    if(p) p += 4;
+    else return NULL;
+    foo = NULL;
+    p = strtok_r(p, " \t\r\n", &foo);
+    if(p == NULL)
+	return NULL;
+    {
+	/* make a hostent to return */
+#define MAX_ADDRS 16
+	static struct hostent he;
+	static char addrs[4 * MAX_ADDRS];
+	static char *addr_list[MAX_ADDRS];
+	int num_addrs = 0;
+	
+	he.h_name = p;
+	he.h_aliases = NULL;
+	he.h_addrtype = AF_INET;
+	he.h_length = 4;
+	
+	while((p = strtok_r(NULL, " \t\r\n", &foo)) && num_addrs < MAX_ADDRS) {
+	    struct in_addr ip;
+	    inet_aton(p, &ip);
+	    ip.s_addr = ntohl(ip.s_addr);
+	    addr_list[num_addrs] = &addrs[num_addrs * 4];
+	    addrs[num_addrs * 4 + 0] = (ip.s_addr >> 24) & 0xff;
+	    addrs[num_addrs * 4 + 1] = (ip.s_addr >> 16) & 0xff;
+	    addrs[num_addrs * 4 + 2] = (ip.s_addr >> 8) & 0xff;
+	    addrs[num_addrs * 4 + 3] = (ip.s_addr >> 0) & 0xff;
+	    addr_list[++num_addrs] = NULL;
+	}
+	he.h_addr_list = addr_list;
+	return &he;
+    }
+}
+
+struct hostent*
+roken_gethostbyname(const char *hostname)
+{
+    struct hostent *he;
+    he = gethostbyname(hostname);
+    if(he)
+	return he;
+    return roken_gethostby(hostname);
+}
+
+struct hostent*
+roken_gethostbyaddr(const void *addr, size_t len, int type)
+{
+    struct in_addr a;
+    const char *p;
+    struct hostent *he;
+    he = gethostbyaddr(addr, len, type);
+    if(he)
+	return he;
+    if(type != AF_INET || len != 4)
+	return NULL;
+    p = addr;
+    a.s_addr = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+    return roken_gethostby(inet_ntoa(a));
+}
+
+#if 0
+
+/* this program can be used as a cgi `script' to lookup names and
+   ip-addresses */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <sys/param.h>
+
+int
+main(int argc, char **argv)
+{
+    char *query = getenv("QUERY_STRING");
+    char host[MAXHOSTNAMELEN];
+    int i;
+    struct hostent *he;
+    
+    printf("Content-type: text/plain\n\n");
+    if(query == NULL)
+	exit(0);
+    he = gethostbyname(query);
+    strncpy(host, he->h_name, sizeof(host));
+    host[sizeof(host) - 1] = '\0';
+    he = gethostbyaddr(he->h_addr, he->h_length, AF_INET);
+    printf("%s\n", he->h_name);
+    for(i = 0; he->h_addr_list[i]; i++) {
+	struct in_addr ip;
+	unsigned char *p = (unsigned char*)he->h_addr_list[i];
+	ip.s_addr = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+	printf("%s\n", inet_ntoa(ip));
+    }
+    exit(0);
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/sendmsg.c b/crypto/kerberosIV/lib/roken/sendmsg.c
new file mode 100644
index 0000000..7075bf2
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/sendmsg.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: sendmsg.c,v 1.4 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+sendmsg(int s, const struct msghdr *msg, int flags)
+{
+    ssize_t ret;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+    struct iovec *iov = msg->msg_iov;
+
+    for(i = 0; i < msg->msg_iovlen; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    p = buf;
+    for (i = 0; i < msg->msg_iovlen; ++i) {
+	memcpy (p, iov[i].iov_base, iov[i].iov_len);
+	p += iov[i].iov_len;
+    }
+    ret = sendto (s, buf, tot, flags, msg->msg_name, msg->msg_namelen);
+    free (buf);
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/setegid.c b/crypto/kerberosIV/lib/roken/setegid.c
new file mode 100644
index 0000000..2f46fe4
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/setegid.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: setegid.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "roken.h"
+
+int
+setegid(gid_t egid)
+{
+#ifdef HAVE_SETREGID
+    return setregid(-1, egid);
+#endif
+
+#ifdef HAVE_SETRESGID
+    return setresgid(-1, egid, -1);
+#endif
+
+    return -1;
+}
diff --git a/crypto/kerberosIV/lib/roken/setenv.c b/crypto/kerberosIV/lib/roken/setenv.c
new file mode 100644
index 0000000..15b5811
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/setenv.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: setenv.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include "roken.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+/*
+ * This is the easy way out, use putenv to implement setenv. We might
+ * leak some memory but that is ok since we are usally about to exec
+ * anyway.
+ */
+
+int
+setenv(const char *var, const char *val, int rewrite)
+{
+    char *t;
+
+    if (!rewrite && getenv(var) != 0)
+	return 0;
+  
+    asprintf (&t, "%s=%s", var, val);
+    if (t == NULL)
+	return -1;
+
+    if (putenv(t) == 0)
+	return 0;
+    else
+	return -1;
+}
diff --git a/crypto/kerberosIV/lib/roken/seteuid.c b/crypto/kerberosIV/lib/roken/seteuid.c
new file mode 100644
index 0000000..ee68ba7
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/seteuid.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: seteuid.c,v 1.10 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include "roken.h"
+
+int
+seteuid(uid_t euid)
+{
+#ifdef HAVE_SETREUID
+    return setreuid(-1, euid);
+#endif
+
+#ifdef HAVE_SETRESUID
+    return setresuid(-1, euid, -1);
+#endif
+
+    return -1;
+}
diff --git a/crypto/kerberosIV/lib/roken/signal.c b/crypto/kerberosIV/lib/roken/signal.c
new file mode 100644
index 0000000..7f2ba29
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/signal.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: signal.c,v 1.9.2.1 2000/03/12 19:36:16 assar Exp $");
+#endif
+
+#include <signal.h>
+
+/*
+ * We would like to always use this signal but there is a link error
+ * on NEXTSTEP
+ */
+#if !defined(NeXT) && !defined(__APPLE__)
+/*
+ * Bugs:
+ *
+ * Do we need any extra hacks for SIGCLD and/or SIGCHLD?
+ */
+
+typedef RETSIGTYPE (*SigAction)(/* int??? */);
+
+SigAction
+signal(int iSig, SigAction pAction)
+{
+    struct sigaction saNew, saOld;
+
+    saNew.sa_handler = pAction;
+    sigemptyset(&saNew.sa_mask);
+    saNew.sa_flags = 0;
+
+    if (iSig == SIGALRM)
+	{
+#ifdef SA_INTERRUPT
+	    saNew.sa_flags |= SA_INTERRUPT;
+#endif
+	}
+    else
+	{
+#ifdef SA_RESTART
+	    saNew.sa_flags |= SA_RESTART;
+#endif
+	}
+
+    if (sigaction(iSig, &saNew, &saOld) < 0)
+	return(SIG_ERR);
+
+    return(saOld.sa_handler);
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/simple_exec.c b/crypto/kerberosIV/lib/roken/simple_exec.c
new file mode 100644
index 0000000..426f494
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/simple_exec.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: simple_exec.c,v 1.6 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include <stdarg.h>
+#include <stdlib.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include <errno.h>
+
+#include <roken.h>
+
+#define EX_NOEXEC	126
+#define EX_NOTFOUND	127
+
+/* return values:
+   -1   on `unspecified' system errors
+   -2   on fork failures
+   -3   on waitpid errors
+   0-   is return value from subprocess
+   126  if the program couldn't be executed
+   127  if the program couldn't be found
+   128- is 128 + signal that killed subprocess
+   */
+
+static int
+check_status(pid_t pid)
+{
+    while(1) {
+	int status;
+
+	while(waitpid(pid, &status, 0) < 0)
+	    if (errno != EINTR)
+		return -3;
+	if(WIFSTOPPED(status))
+	    continue;
+	if(WIFEXITED(status))
+	    return WEXITSTATUS(status);
+	if(WIFSIGNALED(status))
+	    return WTERMSIG(status) + 128;
+    }
+}
+
+int
+simple_execvp(const char *file, char *const args[])
+{
+    pid_t pid = fork();
+    switch(pid){
+    case -1:
+	return -2;
+    case 0:
+	execvp(file, args);
+	exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
+    default: 
+	return check_status(pid);
+    }
+}
+
+/* gee, I'd like a execvpe */
+int
+simple_execve(const char *file, char *const args[], char *const envp[])
+{
+    pid_t pid = fork();
+    switch(pid){
+    case -1:
+	return -2;
+    case 0:
+	execve(file, args, envp);
+	exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
+    default: 
+	return check_status(pid);
+    }
+}
+
+static char **
+collect_args(va_list *ap)
+{
+    char **argv = NULL;
+    int argc = 0, i = 0;
+    do {
+	if(i == argc) {
+	    /* realloc argv */
+	    char **tmp = realloc(argv, (argc + 5) * sizeof(*argv));
+	    if(tmp == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	    }
+	    argv = tmp;
+	    argc += 5;
+	}
+	argv[i++] = va_arg(*ap, char*);
+    } while(argv[i - 1] != NULL);
+    return argv;
+}
+
+int
+simple_execlp(const char *file, ...)
+{
+    va_list ap;
+    char **argv;
+    int ret;
+
+    va_start(ap, file);
+    argv = collect_args(&ap);
+    va_end(ap);
+    if(argv == NULL)
+	return -1;
+    ret = simple_execvp(file, argv);
+    free(argv);
+    return ret;
+}
+
+int
+simple_execle(const char *file, ... /* ,char *const envp[] */)
+{
+    va_list ap;
+    char **argv;
+    char *const* envp;
+    int ret;
+
+    va_start(ap, file);
+    argv = collect_args(&ap);
+    envp = va_arg(ap, char **);
+    va_end(ap);
+    if(argv == NULL)
+	return -1;
+    ret = simple_execve(file, argv, envp);
+    free(argv);
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/snprintf.c b/crypto/kerberosIV/lib/roken/snprintf.c
new file mode 100644
index 0000000..8450e8b
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/snprintf.c
@@ -0,0 +1,619 @@
+/*
+ * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: snprintf.c,v 1.24.2.1 2000/06/14 07:26:49 joda Exp $");
+#endif
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <roken.h>
+
+enum format_flags {
+    minus_flag     =  1,
+    plus_flag      =  2,
+    space_flag     =  4,
+    alternate_flag =  8,
+    zero_flag      = 16
+};
+
+/*
+ * Common state
+ */
+
+struct state {
+  unsigned char *str;
+  unsigned char *s;
+  unsigned char *theend;
+  size_t sz;
+  size_t max_sz;
+  int (*append_char)(struct state *, unsigned char);
+  int (*reserve)(struct state *, size_t);
+  /* XXX - methods */
+};
+
+#ifndef HAVE_VSNPRINTF
+static int
+sn_reserve (struct state *state, size_t n)
+{
+  return state->s + n > state->theend;
+}
+
+static int
+sn_append_char (struct state *state, unsigned char c)
+{
+  if (sn_reserve (state, 1)) {
+    return 1;
+  } else {
+    *state->s++ = c;
+    return 0;
+  }
+}
+#endif
+
+static int
+as_reserve (struct state *state, size_t n)
+{
+  if (state->s + n > state->theend) {
+    int off = state->s - state->str;
+    unsigned char *tmp;
+
+    if (state->max_sz && state->sz >= state->max_sz)
+      return 1;
+
+    state->sz = max(state->sz * 2, state->sz + n);
+    if (state->max_sz)
+      state->sz = min(state->sz, state->max_sz);
+    tmp = realloc (state->str, state->sz);
+    if (tmp == NULL)
+      return 1;
+    state->str = tmp;
+    state->s = state->str + off;
+    state->theend = state->str + state->sz - 1;
+  }
+  return 0;
+}
+
+static int
+as_append_char (struct state *state, unsigned char c)
+{
+  if(as_reserve (state, 1))
+    return 1;
+  else {
+    *state->s++ = c;
+    return 0;
+  }
+}
+
+static int
+append_number(struct state *state,
+	      unsigned long num, unsigned base, char *rep,
+	      int width, int prec, int flags, int minusp)
+{
+  int len = 0;
+  int i;
+
+  /* given precision, ignore zero flag */
+  if(prec != -1)
+    flags &= ~zero_flag;
+  else
+    prec = 1;
+  /* zero value with zero precision -> "" */
+  if(prec == 0 && num == 0)
+    return 0;
+  do{
+    if((*state->append_char)(state, rep[num % base]))
+      return 1;
+    len++;
+    num /= base;
+  }while(num);
+  prec -= len;
+  /* pad with prec zeros */
+  while(prec-- > 0){
+    if((*state->append_char)(state, '0'))
+      return 1;
+    len++;
+  }
+  /* add length of alternate prefix (added later) to len */
+  if(flags & alternate_flag && (base == 16 || base == 8))
+    len += base / 8;
+  /* pad with zeros */
+  if(flags & zero_flag){
+    width -= len;
+    if(minusp || (flags & space_flag) || (flags & plus_flag))
+      width--;
+    while(width-- > 0){
+      if((*state->append_char)(state, '0'))
+	return 1;
+      len++;
+    }
+  }
+  /* add alternate prefix */
+  if(flags & alternate_flag && (base == 16 || base == 8)){
+    if(base == 16)
+      if((*state->append_char)(state, rep[10] + 23)) /* XXX */
+	return 1;
+    if((*state->append_char)(state, '0'))
+      return 1;
+  }
+  /* add sign */
+  if(minusp){
+    if((*state->append_char)(state, '-'))
+      return 1;
+    len++;
+  } else if(flags & plus_flag) {
+    if((*state->append_char)(state, '+'))
+      return 1;
+    len++;
+  } else if(flags & space_flag) {
+    if((*state->append_char)(state, ' '))
+      return 1;
+    len++;
+  }
+  if(flags & minus_flag)
+    /* swap before padding with spaces */
+    for(i = 0; i < len / 2; i++){
+      char c = state->s[-i-1];
+      state->s[-i-1] = state->s[-len+i];
+      state->s[-len+i] = c;
+    }
+  width -= len;
+  while(width-- > 0){
+    if((*state->append_char)(state,  ' '))
+      return 1;
+    len++;
+  }
+  if(!(flags & minus_flag))
+    /* swap after padding with spaces */
+    for(i = 0; i < len / 2; i++){
+      char c = state->s[-i-1];
+      state->s[-i-1] = state->s[-len+i];
+      state->s[-len+i] = c;
+    }
+    
+  return 0;
+}
+
+static int
+append_string (struct state *state,
+	       unsigned char *arg,
+	       int width,
+	       int prec,
+	       int flags)
+{
+  if(prec != -1)
+    width -= prec;
+  else
+    width -= strlen((char *)arg);
+  if(!(flags & minus_flag))
+    while(width-- > 0)
+      if((*state->append_char) (state, ' '))
+	return 1;
+  if (prec != -1) {
+    while (*arg && prec--)
+      if ((*state->append_char) (state, *arg++))
+	return 1;
+  } else {
+    while (*arg)
+      if ((*state->append_char) (state, *arg++))
+	return 1;
+  }
+  if(flags & minus_flag)
+    while(width-- > 0)
+      if((*state->append_char) (state, ' '))
+	return 1;
+  return 0;
+}
+
+static int
+append_char(struct state *state,
+	    unsigned char arg,
+	    int width,
+	    int flags)
+{
+  while(!(flags & minus_flag) && --width > 0)
+    if((*state->append_char) (state, ' '))
+      return 1;
+    
+  if((*state->append_char) (state, arg))
+    return 1;
+  while((flags & minus_flag) && --width > 0)
+    if((*state->append_char) (state, ' '))
+      return 1;
+    
+  return 0;
+}
+
+/*
+ * This can't be made into a function...
+ */
+
+#define PARSE_INT_FORMAT(res, arg, unsig) \
+if (long_flag) \
+     res = (unsig long)va_arg(arg, unsig long); \
+else if (short_flag) \
+     res = (unsig short)va_arg(arg, unsig int); \
+else \
+     res = (unsig int)va_arg(arg, unsig int)
+
+/*
+ * zyxprintf - return 0 or -1
+ */
+
+static int
+xyzprintf (struct state *state, const char *char_format, va_list ap)
+{
+  const unsigned char *format = (const unsigned char *)char_format;
+  unsigned char c;
+
+  while((c = *format++)) {
+    if (c == '%') {
+      int flags      = 0;
+      int width      = 0;
+      int prec       = -1;
+      int long_flag  = 0;
+      int short_flag = 0;
+
+      /* flags */
+      while((c = *format++)){
+	if(c == '-')
+	  flags |= minus_flag;
+	else if(c == '+')
+	  flags |= plus_flag;
+	else if(c == ' ')
+	  flags |= space_flag;
+	else if(c == '#')
+	  flags |= alternate_flag;
+	else if(c == '0')
+	  flags |= zero_flag;
+	else
+	  break;
+      }
+      
+      if((flags & space_flag) && (flags & plus_flag))
+	flags ^= space_flag;
+
+      if((flags & minus_flag) && (flags & zero_flag))
+	flags ^= zero_flag;
+
+      /* width */
+      if (isdigit(c))
+	do {
+	  width = width * 10 + c - '0';
+	  c = *format++;
+	} while(isdigit(c));
+      else if(c == '*') {
+	width = va_arg(ap, int);
+	c = *format++;
+      }
+
+      /* precision */
+      if (c == '.') {
+	prec = 0;
+	c = *format++;
+	if (isdigit(c))
+	  do {
+	    prec = prec * 10 + c - '0';
+	    c = *format++;
+	  } while(isdigit(c));
+	else if (c == '*') {
+	  prec = va_arg(ap, int);
+	  c = *format++;
+	}
+      }
+
+      /* size */
+
+      if (c == 'h') {
+	short_flag = 1;
+	c = *format++;
+      } else if (c == 'l') {
+	long_flag = 1;
+	c = *format++;
+      }
+
+      switch (c) {
+      case 'c' :
+	if(append_char(state, va_arg(ap, int), width, flags))
+	  return -1;
+	break;
+      case 's' :
+	if (append_string(state,
+			  va_arg(ap, unsigned char*),
+			  width,
+			  prec, 
+			  flags))
+	  return -1;
+	break;
+      case 'd' :
+      case 'i' : {
+	long arg;
+	unsigned long num;
+	int minusp = 0;
+
+	PARSE_INT_FORMAT(arg, ap, signed);
+
+	if (arg < 0) {
+	  minusp = 1;
+	  num = -arg;
+	} else
+	  num = arg;
+
+	if (append_number (state, num, 10, "0123456789",
+			   width, prec, flags, minusp))
+	  return -1;
+	break;
+      }
+      case 'u' : {
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 10, "0123456789",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'o' : {
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 010, "01234567",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'x' : {
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 0x10, "0123456789abcdef",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'X' :{
+	unsigned long arg;
+
+	PARSE_INT_FORMAT(arg, ap, unsigned);
+
+	if (append_number (state, arg, 0x10, "0123456789ABCDEF",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'p' : {
+	unsigned long arg = (unsigned long)va_arg(ap, void*);
+
+	if (append_number (state, arg, 0x10, "0123456789ABCDEF",
+			   width, prec, flags, 0))
+	  return -1;
+	break;
+      }
+      case 'n' : {
+	int *arg = va_arg(ap, int*);
+	*arg = state->s - state->str;
+	break;
+      }
+      case '\0' :
+	  --format;
+	  /* FALLTHROUGH */
+      case '%' :
+	if ((*state->append_char)(state, c))
+	  return -1;
+	break;
+      default :
+	if (   (*state->append_char)(state, '%')
+	    || (*state->append_char)(state, c))
+	  return -1;
+	break;
+      }
+    } else
+      if ((*state->append_char) (state, c))
+	return -1;
+  }
+  return 0;
+}
+
+#ifndef HAVE_SNPRINTF
+int
+snprintf (char *str, size_t sz, const char *format, ...)
+{
+  va_list args;
+  int ret;
+
+  va_start(args, format);
+  ret = vsnprintf (str, sz, format, args);
+
+#ifdef PARANOIA
+  {
+    int ret2;
+    char *tmp;
+
+    tmp = malloc (sz);
+    if (tmp == NULL)
+      abort ();
+
+    ret2 = vsprintf (tmp, format, args);
+    if (ret != ret2 || strcmp(str, tmp))
+      abort ();
+    free (tmp);
+  }
+#endif
+
+  va_end(args);
+  return ret;
+}
+#endif
+
+#ifndef HAVE_ASPRINTF
+int
+asprintf (char **ret, const char *format, ...)
+{
+  va_list args;
+  int val;
+
+  va_start(args, format);
+  val = vasprintf (ret, format, args);
+
+#ifdef PARANOIA
+  {
+    int ret2;
+    char *tmp;
+    tmp = malloc (val + 1);
+    if (tmp == NULL)
+      abort ();
+
+    ret2 = vsprintf (tmp, format, args);
+    if (val != ret2 || strcmp(*ret, tmp))
+      abort ();
+    free (tmp);
+  }
+#endif
+
+  va_end(args);
+  return val;
+}
+#endif
+
+#ifndef HAVE_ASNPRINTF
+int
+asnprintf (char **ret, size_t max_sz, const char *format, ...)
+{
+  va_list args;
+  int val;
+
+  va_start(args, format);
+  val = vasnprintf (ret, max_sz, format, args);
+
+#ifdef PARANOIA
+  {
+    int ret2;
+    char *tmp;
+    tmp = malloc (val + 1);
+    if (tmp == NULL)
+      abort ();
+
+    ret2 = vsprintf (tmp, format, args);
+    if (val != ret2 || strcmp(*ret, tmp))
+      abort ();
+    free (tmp);
+  }
+#endif
+
+  va_end(args);
+  return val;
+}
+#endif
+
+#ifndef HAVE_VASPRINTF
+int
+vasprintf (char **ret, const char *format, va_list args)
+{
+  return vasnprintf (ret, 0, format, args);
+}
+#endif
+
+
+#ifndef HAVE_VASNPRINTF
+int
+vasnprintf (char **ret, size_t max_sz, const char *format, va_list args)
+{
+  int st;
+  size_t len;
+  struct state state;
+
+  state.max_sz = max_sz;
+  state.sz     = 1;
+  state.str    = malloc(state.sz);
+  if (state.str == NULL) {
+    *ret = NULL;
+    return -1;
+  }
+  state.s = state.str;
+  state.theend = state.s + state.sz - 1;
+  state.append_char = as_append_char;
+  state.reserve     = as_reserve;
+
+  st = xyzprintf (&state, format, args);
+  if (st) {
+    free (state.str);
+    *ret = NULL;
+    return -1;
+  } else {
+    char *tmp;
+
+    *state.s = '\0';
+    len = state.s - state.str;
+    tmp = realloc (state.str, len+1);
+    if (tmp == NULL) {
+      free (state.str);
+      *ret = NULL;
+      return -1;
+    }
+    *ret = tmp;
+    return len;
+  }
+}
+#endif
+
+#ifndef HAVE_VSNPRINTF
+int
+vsnprintf (char *str, size_t sz, const char *format, va_list args)
+{
+  struct state state;
+  int ret;
+  unsigned char *ustr = (unsigned char *)str;
+
+  state.max_sz = 0;
+  state.sz     = sz;
+  state.str    = ustr;
+  state.s      = ustr;
+  state.theend = ustr + sz - 1;
+  state.append_char = sn_append_char;
+  state.reserve     = sn_reserve;
+
+  ret = xyzprintf (&state, format, args);
+  *state.s = '\0';
+  if (ret)
+    return sz;
+  else
+    return state.s - state.str;
+}
+#endif
+
diff --git a/crypto/kerberosIV/lib/roken/socket.c b/crypto/kerberosIV/lib/roken/socket.c
new file mode 100644
index 0000000..6e9c3df
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/socket.c
@@ -0,0 +1,282 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: socket.c,v 1.3 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include <string.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+
+#include <roken.h>
+
+#include <err.h>
+
+/*
+ * Set `sa' to the unitialized address of address family `af'
+ */
+
+void
+socket_set_any (struct sockaddr *sa, int af)
+{
+    switch (af) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+	memset (sin, 0, sizeof(*sin));
+	sin->sin_family = AF_INET;
+	sin->sin_port   = 0;
+	sin->sin_addr.s_addr = INADDR_ANY;
+	break;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+	memset (sin6, 0, sizeof(*sin6));
+	sin6->sin6_family = AF_INET6;
+	sin6->sin6_port   = 0;
+	sin6->sin6_addr   = in6addr_any;
+	break;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * set `sa' to (`ptr', `port')
+ */
+
+void
+socket_set_address_and_port (struct sockaddr *sa, const void *ptr, int port)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+
+	memset (sin, 0, sizeof(*sin));
+	sin->sin_family = AF_INET;
+	sin->sin_port   = port;
+	memcpy (&sin->sin_addr, ptr, sizeof(struct in_addr));
+	break;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+
+	memset (sin6, 0, sizeof(*sin6));
+	sin6->sin6_family = AF_INET6;
+	sin6->sin6_port   = port;
+	memcpy (&sin6->sin6_addr, ptr, sizeof(struct in6_addr));
+	break;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the size of an address of the type in `sa'
+ */
+
+size_t
+socket_addr_size (const struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET :
+	return sizeof(struct in_addr);
+#ifdef HAVE_IPV6
+    case AF_INET6 :
+	return sizeof(struct in6_addr);
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the size of a `struct sockaddr' in `sa'.
+ */
+
+size_t
+socket_sockaddr_size (const struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET :
+	return sizeof(struct sockaddr_in);
+#ifdef HAVE_IPV6
+    case AF_INET6 :
+	return sizeof(struct sockaddr_in6);
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the binary address of `sa'.
+ */
+
+void *
+socket_get_address (struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+	return &sin->sin_addr;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+	return &sin6->sin6_addr;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Return the port number from `sa'.
+ */
+
+int
+socket_get_port (const struct sockaddr *sa)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
+	return sin->sin_port;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+	return sin6->sin6_port;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Set the port in `sa' to `port'.
+ */
+
+void
+socket_set_port (struct sockaddr *sa, int port)
+{
+    switch (sa->sa_family) {
+    case AF_INET : {
+	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+	sin->sin_port = port;
+	break;
+    }
+#ifdef HAVE_IPV6
+    case AF_INET6 : {
+	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
+	sin6->sin6_port = port;
+	break;
+    }
+#endif
+    default :
+	errx (1, "unknown address family %d", sa->sa_family);
+	break;
+    }
+}
+
+/*
+ * Enable debug on `sock'.
+ */
+
+void
+socket_set_debug (int sock)
+{
+    int on = 1;
+
+#if defined(SO_DEBUG) && defined(HAVE_SETSOCKOPT)
+    if (setsockopt (sock, SOL_SOCKET, SO_DEBUG, (void *) &on, sizeof (on)) < 0)
+	warn ("setsockopt SO_DEBUG (ignored)");
+#endif
+}
+
+/*
+ * Set the type-of-service of `sock' to `tos'.
+ */
+
+void
+socket_set_tos (int sock, int tos)
+{
+#if defined(IP_TOS) && defined(HAVE_SETSOCKOPT)
+    if (setsockopt (sock, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof (int)) < 0)
+	warn ("setsockopt TOS (ignored)");
+#endif
+}
+
+/*
+ * set the reuse of addresses on `sock' to `val'.
+ */
+
+void
+socket_set_reuseaddr (int sock, int val)
+{
+#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT)
+    if(setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&val,
+		  sizeof(val)) < 0)
+	err (1, "setsockopt SO_REUSEADDR");
+#endif
+}
diff --git a/crypto/kerberosIV/lib/roken/strcasecmp.c b/crypto/kerberosIV/lib/roken/strcasecmp.c
new file mode 100644
index 0000000..b5e20e7
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strcasecmp.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strcasecmp.c,v 1.9 1999/12/02 16:58:52 joda Exp $");
+#endif
+
+#include <string.h>
+#include <ctype.h>
+#include <stddef.h>
+#include "roken.h"
+
+#ifndef HAVE_STRCASECMP
+
+int
+strcasecmp(const char *s1, const char *s2)
+{
+    while(toupper(*s1) == toupper(*s2)) {
+	if(*s1 == '\0')
+	    return 0;
+	s1++;
+	s2++;
+    }
+    return toupper(*s1) - toupper(*s2);
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/strcat_truncate.c b/crypto/kerberosIV/lib/roken/strcat_truncate.c
new file mode 100644
index 0000000..bbd808d
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strcat_truncate.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strcat_truncate.c,v 1.2 1998/05/29 18:25:06 joda Exp $");
+
+#ifndef HAVE_STRCAT_TRUNCATE
+
+int
+strcat_truncate (char *dst, const char *src, size_t dst_sz)
+{
+    int len = strlen(dst);
+
+    return len + strcpy_truncate (dst + len, src, dst_sz - len);
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/strcollect.c b/crypto/kerberosIV/lib/roken/strcollect.c
new file mode 100644
index 0000000..a42f904
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strcollect.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strcollect.c,v 1.1.8.1 2000/06/23 04:37:44 assar Exp $");
+#endif
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <roken.h>
+
+enum { initial = 10, increment = 5 };
+
+static char **
+sub (char **argv, int i, int argc, va_list *ap)
+{
+    do {
+	if(i == argc) {
+	    /* realloc argv */
+	    char **tmp = realloc(argv, (argc + increment) * sizeof(*argv));
+	    if(tmp == NULL) {
+		free(argv);
+		errno = ENOMEM;
+		return NULL;
+	    }
+	    argv  = tmp;
+	    argc += increment;
+	}
+	argv[i++] = va_arg(*ap, char*);
+    } while(argv[i - 1] != NULL);
+    return argv;
+}
+
+/*
+ * return a malloced vector of pointers to the strings in `ap'
+ * terminated by NULL.
+ */
+
+char **
+vstrcollect(va_list *ap)
+{
+    return sub (NULL, 0, 0, ap);
+}
+
+/*
+ *
+ */
+
+char **
+strcollect(char *first, ...)
+{
+    va_list ap;
+    char **ret = malloc (initial * sizeof(char *));
+
+    if (ret == NULL)
+	return ret;
+
+    ret[0] = first;
+    va_start(ap, first);
+    ret = sub (ret, 1, initial, &ap);
+    va_end(ap);
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/strcpy_truncate.c b/crypto/kerberosIV/lib/roken/strcpy_truncate.c
new file mode 100644
index 0000000..ba3668b
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strcpy_truncate.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strcpy_truncate.c,v 1.2 1998/06/09 19:25:38 joda Exp $");
+
+#ifndef HAVE_STRCPY_TRUNCATE
+
+int
+strcpy_truncate (char *dst, const char *src, size_t dst_sz)
+{
+    int n;
+    char *p;
+
+    for (p = dst, n = 0;
+	 n + 1 < dst_sz && *src != '\0';
+	 ++p, ++src, ++n)
+	*p = *src;
+    *p = '\0';
+    if (*src == '\0')
+	return n;
+    else
+	return dst_sz;
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/strdup.c b/crypto/kerberosIV/lib/roken/strdup.c
new file mode 100644
index 0000000..87fb43e
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strdup.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strdup.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#ifndef HAVE_STRDUP
+char *
+strdup(const char *old)
+{
+	char *t = malloc(strlen(old)+1);
+	if (t != 0)
+		strcpy(t, old);
+	return t;
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/strerror.c b/crypto/kerberosIV/lib/roken/strerror.c
new file mode 100644
index 0000000..21936d7
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strerror.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strerror.c,v 1.10 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+extern int sys_nerr;
+extern char *sys_errlist[];
+
+char*
+strerror(int eno)
+{
+    static char emsg[1024];
+
+    if(eno < 0 || eno >= sys_nerr)
+	snprintf(emsg, sizeof(emsg), "Error %d occurred.", eno);
+    else
+	snprintf(emsg, sizeof(emsg), "%s", sys_errlist[eno]);
+
+    return emsg;
+}
diff --git a/crypto/kerberosIV/lib/roken/strftime.c b/crypto/kerberosIV/lib/roken/strftime.c
new file mode 100644
index 0000000..b90614b
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strftime.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strftime.c,v 1.10 1999/11/13 04:18:33 assar Exp $");
+
+static const char *abb_weekdays[] = {
+    "Sun",
+    "Mon",
+    "Tue",
+    "Wed",
+    "Thu",
+    "Fri",
+    "Sat",
+};
+
+static const char *full_weekdays[] = {
+    "Sunday",
+    "Monday",
+    "Tuesday",
+    "Wednesday",
+    "Thursday",
+    "Friday",
+    "Saturday",
+};
+
+static const char *abb_month[] = {
+    "Jan",
+    "Feb",
+    "Mar",
+    "Apr",
+    "May",
+    "Jun",
+    "Jul",
+    "Aug",
+    "Sep",
+    "Oct",
+    "Nov",
+    "Dec"
+};
+
+static const char *full_month[] = {
+    "January",
+    "February",
+    "Mars",
+    "April",
+    "May",
+    "June",
+    "July",
+    "August",
+    "September",
+    "October",
+    "November",
+    "December"
+};
+
+static const char *ampm[] = {
+    "AM",
+    "PM"
+};
+
+/*
+ * Convert hour in [0, 24] to [12 1 - 11 12 1 - 11 12]
+ */
+
+static int
+hour_24to12 (int hour)
+{
+    int ret = hour % 12;
+
+    if (ret == 0)
+	ret = 12;
+    return ret;
+}
+
+/*
+ * Return AM or PM for `hour'
+ */
+
+static const char *
+hour_to_ampm (int hour)
+{
+    return ampm[hour / 12];
+}
+
+/*
+ * Return the week number of `tm' (Sunday being the first day of the week)
+ * as [0, 53]
+ */
+
+static int
+week_number_sun (const struct tm *tm)
+{
+    return (tm->tm_yday + 7 - (tm->tm_yday % 7 - tm->tm_wday + 7) % 7) / 7;
+}
+
+/*
+ * Return the week number of `tm' (Monday being the first day of the week)
+ * as [0, 53]
+ */
+
+static int
+week_number_mon (const struct tm *tm)
+{
+    int wday = (tm->tm_wday + 6) % 7;
+
+    return (tm->tm_yday + 7 - (tm->tm_yday % 7 - wday + 7) % 7) / 7;
+}
+
+/*
+ * Return the week number of `tm' (Monday being the first day of the
+ * week) as [01, 53].  Week number one is the one that has four or more
+ * days in that year.
+ */
+
+static int
+week_number_mon4 (const struct tm *tm)
+{
+    int wday  = (tm->tm_wday + 6) % 7;
+    int w1day = (wday - tm->tm_yday % 7 + 7) % 7;
+    int ret;
+    
+    ret = (tm->tm_yday + w1day) / 7;
+    if (w1day >= 4)
+	--ret;
+    if (ret == -1)
+	ret = 53;
+    else
+	++ret;
+    return ret;
+}
+
+/*
+ *
+ */
+
+size_t
+strftime (char *buf, size_t maxsize, const char *format,
+	  const struct tm *tm)
+{
+    size_t n = 0;
+    size_t ret;
+
+    while (*format != '\0' && n < maxsize) {
+	if (*format == '%') {
+	    ++format;
+	    if(*format == 'E' || *format == 'O')
+		++format;
+	    switch (*format) {
+	    case 'a' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", abb_weekdays[tm->tm_wday]);
+		break;
+	    case 'A' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", full_weekdays[tm->tm_wday]);
+		break;
+	    case 'h' :
+	    case 'b' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", abb_month[tm->tm_mon]);
+		break;
+	    case 'B' :
+		ret = snprintf (buf, maxsize - n,
+				"%s", full_month[tm->tm_mon]);
+		break;
+	    case 'c' :
+		ret = snprintf (buf, maxsize - n,
+				"%d:%02d:%02d %02d:%02d:%02d",
+				tm->tm_year,
+				tm->tm_mon + 1,
+				tm->tm_mday,
+				tm->tm_hour,
+				tm->tm_min,
+				tm->tm_sec);
+		break;
+	    case 'C' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", (tm->tm_year + 1900) / 100);
+		break;
+	    case 'd' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_mday);
+		break;
+	    case 'D' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d/%02d/%02d",
+				tm->tm_mon + 1,
+				tm->tm_mday,
+				(tm->tm_year + 1900) % 100);
+		break;
+	    case 'e' :
+		ret = snprintf (buf, maxsize - n,
+				"%2d", tm->tm_mday);
+		break;
+	    case 'F':
+		ret = snprintf (buf, maxsize - n,
+				"%04d-%02d-%02d", tm->tm_year + 1900,
+				tm->tm_mon + 1, tm->tm_mday);
+		break;
+	    case 'g':
+		/* last two digits of week-based year */
+		abort();
+	    case 'G':
+		/* week-based year */
+		abort();
+	    case 'H' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_hour);
+		break;
+	    case 'I' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d",
+				hour_24to12 (tm->tm_hour));
+		break;
+	    case 'j' :
+		ret = snprintf (buf, maxsize - n,
+				"%03d", tm->tm_yday + 1);
+		break;
+	    case 'k' :
+		ret = snprintf (buf, maxsize - n,
+				"%2d", tm->tm_hour);
+		break;
+	    case 'l' :
+		ret = snprintf (buf, maxsize - n,
+				"%2d",
+				hour_24to12 (tm->tm_hour));
+		break;
+	    case 'm' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_mon + 1);
+		break;
+	    case 'M' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_min);
+		break;
+	    case 'n' :
+		ret = snprintf (buf, maxsize - n, "\n");
+		break;
+	    case 'p' :
+		ret = snprintf (buf, maxsize - n, "%s",
+				hour_to_ampm (tm->tm_hour));
+		break;
+	    case 'r' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d:%02d:%02d %s",
+				hour_24to12 (tm->tm_hour),
+				tm->tm_min,
+				tm->tm_sec,
+				hour_to_ampm (tm->tm_hour));
+		break;
+	    case 'R' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d:%02d",
+				tm->tm_hour,
+				tm->tm_min);
+		    
+	    case 's' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", (int)mktime((struct tm *)tm));
+		break;
+	    case 'S' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", tm->tm_sec);
+		break;
+	    case 't' :
+		ret = snprintf (buf, maxsize - n, "\t");
+		break;
+	    case 'T' :
+	    case 'X' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d:%02d:%02d",
+				tm->tm_hour,
+				tm->tm_min,
+				tm->tm_sec);
+		break;
+	    case 'u' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", (tm->tm_wday == 0) ? 7 : tm->tm_wday);
+		break;
+	    case 'U' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", week_number_sun (tm));
+		break;
+	    case 'V' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", week_number_mon4 (tm));
+		break;
+	    case 'w' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", tm->tm_wday);
+		break;
+	    case 'W' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", week_number_mon (tm));
+		break;
+	    case 'x' :
+		ret = snprintf (buf, maxsize - n,
+				"%d:%02d:%02d",
+				tm->tm_year,
+				tm->tm_mon + 1,
+				tm->tm_mday);
+		break;
+	    case 'y' :
+		ret = snprintf (buf, maxsize - n,
+				"%02d", (tm->tm_year + 1900) % 100);
+		break;
+	    case 'Y' :
+		ret = snprintf (buf, maxsize - n,
+				"%d", tm->tm_year + 1900);
+		break;
+	    case 'z':
+		ret = snprintf (buf, maxsize - n,
+				"%ld",
+#if defined(HAVE_STRUCT_TM_TM_GMTOFF)
+				(long)tm->tm_gmtoff
+#elif defined(HAVE_TIMEZONE)
+				tm->tm_isdst ?
+				(long)altzone :
+				(long)timezone
+#else
+#error Where in timezone chaos are you?
+#endif    
+				);
+		break;
+	    case 'Z' :
+		ret = snprintf (buf, maxsize - n,
+				"%s",
+
+#if defined(HAVE_STRUCT_TM_TM_ZONE)
+				tm->tm_zone
+#elif defined(HAVE_TIMEZONE)
+				tzname[tm->tm_isdst]
+#else
+#error what?
+#endif
+		    );
+		break;
+	    case '\0' :
+		--format;
+		/* FALLTHROUGH */
+	    case '%' :
+		ret = snprintf (buf, maxsize - n,
+				"%%");
+		break;
+	    default :
+		ret = snprintf (buf, maxsize - n,
+				"%%%c", *format);
+		break;
+	    }
+	    if (ret >= maxsize - n)
+		return 0;
+	    n   += ret;
+	    buf += ret;
+	    ++format;
+	} else {
+	    *buf++ = *format++;
+	    ++n;
+	}
+    }
+    *buf++ = '\0';
+    return n;
+}
diff --git a/crypto/kerberosIV/lib/roken/strlcat.c b/crypto/kerberosIV/lib/roken/strlcat.c
new file mode 100644
index 0000000..d3c8baa
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strlcat.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strlcat.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
+
+#ifndef HAVE_STRLCAT
+
+size_t
+strlcat (char *dst, const char *src, size_t dst_sz)
+{
+    size_t len = strlen(dst);
+
+    return len + strlcpy (dst + len, src, dst_sz - len);
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/strlcpy.c b/crypto/kerberosIV/lib/roken/strlcpy.c
new file mode 100644
index 0000000..33cd9cb
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strlcpy.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strlcpy.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
+
+#ifndef HAVE_STRLCPY
+
+size_t
+strlcpy (char *dst, const char *src, size_t dst_sz)
+{
+    size_t n;
+    char *p;
+
+    for (p = dst, n = 0;
+	 n + 1 < dst_sz && *src != '\0';
+	 ++p, ++src, ++n)
+	*p = *src;
+    *p = '\0';
+    if (*src == '\0')
+	return n;
+    else
+	return n + strlen (src);
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/strlwr.c b/crypto/kerberosIV/lib/roken/strlwr.c
new file mode 100644
index 0000000..cb36789
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strlwr.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strlwr.c,v 1.4 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <string.h>
+#include <ctype.h>
+
+#include <roken.h>
+
+#ifndef HAVE_STRLWR
+char *
+strlwr(char *str)
+{
+  char *s;
+
+  for(s = str; *s; s++)
+    *s = tolower(*s);
+  return str;
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/strncasecmp.c b/crypto/kerberosIV/lib/roken/strncasecmp.c
new file mode 100644
index 0000000..7c6474f
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strncasecmp.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strncasecmp.c,v 1.2 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <string.h>
+#include <ctype.h>
+#include <stddef.h>
+
+#ifndef HAVE_STRNCASECMP
+
+int
+strncasecmp(const char *s1, const char *s2, size_t n)
+{
+    while(n > 0 && toupper(*s1) == toupper(*s2)) {
+	if(*s1 == '\0')
+	    return 0;
+	s1++;
+	s2++;
+	n--;
+    }
+    if(n == 0)
+	return 0;
+    return toupper(*s1) - toupper(*s2);
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/strndup.c b/crypto/kerberosIV/lib/roken/strndup.c
new file mode 100644
index 0000000..31e7e9f
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strndup.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strndup.c,v 1.2 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include <roken.h>
+
+#ifndef HAVE_STRNDUP
+char *
+strndup(const char *old, size_t sz)
+{
+    size_t len = strnlen (old, sz);
+    char *t    = malloc(len + 1);
+
+    if (t != NULL) {
+	memcpy (t, old, len);
+	t[len] = '\0';
+    }
+    return t;
+}
+#endif /* HAVE_STRNDUP */
diff --git a/crypto/kerberosIV/lib/roken/strnlen.c b/crypto/kerberosIV/lib/roken/strnlen.c
new file mode 100644
index 0000000..fffb3b7
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strnlen.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strnlen.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include "roken.h"
+
+size_t
+strnlen(const char *s, size_t len)
+{
+    size_t i;
+
+    for(i = 0; i < len && s[i]; i++)
+	;
+    return i;
+}
diff --git a/crypto/kerberosIV/lib/roken/strpftime-test.c b/crypto/kerberosIV/lib/roken/strpftime-test.c
new file mode 100644
index 0000000..7eb8fb8
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strpftime-test.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+RCSID("$Id: strpftime-test.c,v 1.2 1999/11/12 15:29:55 assar Exp $");
+
+enum { MAXSIZE = 26 };
+
+static struct testcase {
+    time_t t;
+    struct {
+	const char *format;
+	const char *result;
+    } vals[MAXSIZE];
+} tests[] = {
+    {0,
+     {
+	 {"%A", "Thursday"},
+	 {"%a", "Thu"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "01"},
+	 {"%e", " 1"},
+	 {"%H", "00"},
+	 {"%I", "12"},
+	 {"%j", "001"},
+	 {"%k", " 0"},
+	 {"%l", "12"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "4"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}}
+    },
+    {90000,
+     {
+	 {"%A", "Friday"},
+	 {"%a", "Fri"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "02"},
+	 {"%e", " 2"},
+	 {"%H", "01"},
+	 {"%I", "01"},
+	 {"%j", "002"},
+	 {"%k", " 1"},
+	 {"%l", " 1"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "5"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    },
+    {216306,
+     {
+	 {"%A", "Saturday"},
+	 {"%a", "Sat"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "03"},
+	 {"%e", " 3"},
+	 {"%H", "12"},
+	 {"%I", "12"},
+	 {"%j", "003"},
+	 {"%k", "12"},
+	 {"%l", "12"},
+	 {"%M", "05"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "PM"},
+	 {"%S", "06"},
+	 {"%t", "\t"},
+	 {"%w", "6"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    },
+    {259200,
+     {
+	 {"%A", "Sunday"},
+	 {"%a", "Sun"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "04"},
+	 {"%e", " 4"},
+	 {"%H", "00"},
+	 {"%I", "12"},
+	 {"%j", "004"},
+	 {"%k", " 0"},
+	 {"%l", "12"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "0"},
+	 {"%Y", "1970"},
+	 {"%y", "70"},
+	 {"%U", "01"},
+	 {"%W", "00"},
+	 {"%V", "01"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    },
+    {915148800,
+     {
+	 {"%A", "Friday"},
+	 {"%a", "Fri"},
+	 {"%B", "January"},
+	 {"%b", "Jan"},
+	 {"%C", "19"},
+	 {"%d", "01"},
+	 {"%e", " 1"},
+	 {"%H", "00"},
+	 {"%I", "12"},
+	 {"%j", "001"},
+	 {"%k", " 0"},
+	 {"%l", "12"},
+	 {"%M", "00"},
+	 {"%m", "01"},
+	 {"%n", "\n"},
+	 {"%p", "AM"},
+	 {"%S", "00"},
+	 {"%t", "\t"},
+	 {"%w", "5"},
+	 {"%Y", "1999"},
+	 {"%y", "99"},
+	 {"%U", "00"},
+	 {"%W", "00"},
+	 {"%V", "53"},
+	 {"%%", "%"},
+	 {NULL, NULL}}
+    },
+    {942161105,
+     {
+
+	 {"%A", "Tuesday"},
+	 {"%a", "Tue"},
+	 {"%B", "November"},
+	 {"%b", "Nov"},
+	 {"%C", "19"},
+	 {"%d", "09"},
+	 {"%e", " 9"},
+	 {"%H", "15"},
+	 {"%I", "03"},
+	 {"%j", "313"},
+	 {"%k", "15"},
+	 {"%l", " 3"},
+	 {"%M", "25"},
+	 {"%m", "11"},
+	 {"%n", "\n"},
+	 {"%p", "PM"},
+	 {"%S", "05"},
+	 {"%t", "\t"},
+	 {"%w", "2"},
+	 {"%Y", "1999"},
+	 {"%y", "99"},
+	 {"%U", "45"},
+	 {"%W", "45"},
+	 {"%V", "45"},
+	 {"%%", "%"},
+	 {NULL, NULL}
+     }
+    }
+};
+
+int
+main(int argc, char **argv)
+{
+    int i, j;
+    int ret = 0;
+
+    for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) {
+	struct tm *tm;
+
+	tm = gmtime (&tests[i].t);
+
+	for (j = 0; tests[i].vals[j].format != NULL; ++j) {
+	    char buf[128];
+	    size_t len;
+	    struct tm tm2;
+	    char *ptr;
+
+	    len = strftime (buf, sizeof(buf), tests[i].vals[j].format, tm);
+	    if (len != strlen (buf)) {
+		printf ("length of strftime(\"%s\") = %d (\"%s\")\n",
+			tests[i].vals[j].format, len,
+			buf);
+		++ret;
+		continue;
+	    }
+	    if (strcmp (buf, tests[i].vals[j].result) != 0) {
+		printf ("result of strftime(\"%s\") = \"%s\" != \"%s\"\n",
+			tests[i].vals[j].format, buf,
+			tests[i].vals[j].result);
+		++ret;
+		continue;
+	    }
+	    memset (&tm2, 0, sizeof(tm2));
+	    ptr = strptime (tests[i].vals[j].result,
+			    tests[i].vals[j].format,
+			    &tm2);
+	    if (ptr == NULL || *ptr != '\0') {
+		printf ("bad return value from strptime("
+			"\"%s\", \"%s\")\n",
+			tests[i].vals[j].result,
+			tests[i].vals[j].format);
+		++ret;
+	    }
+	    strftime (buf, sizeof(buf), tests[i].vals[j].format, &tm2);
+	    if (strcmp (buf, tests[i].vals[j].result) != 0) {
+		printf ("reverse of \"%s\" failed: \"%s\" vs \"%s\"\n",
+			tests[i].vals[j].format,
+			buf, tests[i].vals[j].result);
+		++ret;
+	    }
+	}
+    }
+    if (ret) {
+	printf ("%d errors\n", ret);
+	return 1;
+    } else
+	return 0;
+}
diff --git a/crypto/kerberosIV/lib/roken/strptime.c b/crypto/kerberosIV/lib/roken/strptime.c
new file mode 100644
index 0000000..36f0822
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strptime.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright (c) 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <ctype.h>
+#include "roken.h"
+
+RCSID("$Id: strptime.c,v 1.2 1999/11/12 15:29:55 assar Exp $");
+
+static const char *abb_weekdays[] = {
+    "Sun",
+    "Mon",
+    "Tue",
+    "Wed",
+    "Thu",
+    "Fri",
+    "Sat",
+    NULL
+};
+
+static const char *full_weekdays[] = {
+    "Sunday",
+    "Monday",
+    "Tuesday",
+    "Wednesday",
+    "Thursday",
+    "Friday",
+    "Saturday",
+    NULL
+};
+
+static const char *abb_month[] = {
+    "Jan",
+    "Feb",
+    "Mar",
+    "Apr",
+    "May",
+    "Jun",
+    "Jul",
+    "Aug",
+    "Sep",
+    "Oct",
+    "Nov",
+    "Dec",
+    NULL
+};
+
+static const char *full_month[] = {
+    "January",
+    "February",
+    "Mars",
+    "April",
+    "May",
+    "June",
+    "July",
+    "August",
+    "September",
+    "October",
+    "November",
+    "December",
+    NULL,
+};
+
+static const char *ampm[] = {
+    "am",
+    "pm",
+    NULL
+};
+
+/*
+ * Try to match `*buf' to one of the strings in `strs'.  Return the
+ * index of the matching string (or -1 if none).  Also advance buf.
+ */
+
+static int
+match_string (const char **buf, const char **strs)
+{
+    int i = 0;
+
+    for (i = 0; strs[i] != NULL; ++i) {
+	int len = strlen (strs[i]);
+
+	if (strncasecmp (*buf, strs[i], len) == 0) {
+	    *buf += len;
+	    return i;
+	}
+    }
+    return -1;
+}
+
+/*
+ * tm_year is relative this year */
+
+const int tm_year_base = 1900;
+
+/*
+ * Return TRUE iff `year' was a leap year.
+ */
+
+static int
+is_leap_year (int year)
+{
+    return (year % 4) == 0 && ((year % 100) != 0 || (year % 400) == 0);
+}
+
+/*
+ * Return the weekday [0,6] (0 = Sunday) of the first day of `year'
+ */
+
+static int
+first_day (int year)
+{
+    int ret = 4;
+
+    for (; year > 1970; --year)
+	ret = (ret + 365 + is_leap_year (year) ? 1 : 0) % 7;
+    return ret;
+}
+
+/*
+ * Set `timeptr' given `wnum' (week number [0, 53])
+ */
+
+static void
+set_week_number_sun (struct tm *timeptr, int wnum)
+{
+    int fday = first_day (timeptr->tm_year + tm_year_base);
+
+    timeptr->tm_yday = wnum * 7 + timeptr->tm_wday - fday;
+    if (timeptr->tm_yday < 0) {
+	timeptr->tm_wday = fday;
+	timeptr->tm_yday = 0;
+    }
+}
+
+/*
+ * Set `timeptr' given `wnum' (week number [0, 53])
+ */
+
+static void
+set_week_number_mon (struct tm *timeptr, int wnum)
+{
+    int fday = (first_day (timeptr->tm_year + tm_year_base) + 6) % 7;
+
+    timeptr->tm_yday = wnum * 7 + (timeptr->tm_wday + 6) % 7 - fday;
+    if (timeptr->tm_yday < 0) {
+	timeptr->tm_wday = (fday + 1) % 7;
+	timeptr->tm_yday = 0;
+    }
+}
+
+/*
+ * Set `timeptr' given `wnum' (week number [0, 53])
+ */
+
+static void
+set_week_number_mon4 (struct tm *timeptr, int wnum)
+{
+    int fday = (first_day (timeptr->tm_year + tm_year_base) + 6) % 7;
+    int offset = 0;
+
+    if (fday < 4)
+	offset += 7;
+
+    timeptr->tm_yday = offset + (wnum - 1) * 7 + timeptr->tm_wday - fday;
+    if (timeptr->tm_yday < 0) {
+	timeptr->tm_wday = fday;
+	timeptr->tm_yday = 0;
+    }
+}
+
+/*
+ *
+ */
+
+char *
+strptime (const char *buf, const char *format, struct tm *timeptr)
+{
+    char c;
+
+    for (; (c = *format) != '\0'; ++format) {
+	char *s;
+	int ret;
+
+	if (isspace (c)) {
+	    while (isspace (*buf))
+		++buf;
+	} else if (c == '%' && format[1] != '\0') {
+	    c = *++format;
+	    if (c == 'E' || c == 'O')
+		c = *++format;
+	    switch (c) {
+	    case 'A' :
+		ret = match_string (&buf, full_weekdays);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_wday = ret;
+		break;
+	    case 'a' :
+		ret = match_string (&buf, abb_weekdays);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_wday = ret;
+		break;
+	    case 'B' :
+		ret = match_string (&buf, full_month);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_mon = ret;
+		break;
+	    case 'b' :
+	    case 'h' :
+		ret = match_string (&buf, abb_month);
+		if (ret < 0)
+		    return NULL;
+		timeptr->tm_mon = ret;
+		break;
+	    case 'C' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_year = (ret * 100) - tm_year_base;
+		buf = s;
+		break;
+	    case 'c' :
+		abort ();
+	    case 'D' :		/* %m/%d/%y */
+		s = strptime (buf, "%m/%d/%y", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'd' :
+	    case 'e' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_mday = ret;
+		buf = s;
+		break;
+	    case 'H' :
+	    case 'k' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_hour = ret;
+		buf = s;
+		break;
+	    case 'I' :
+	    case 'l' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		if (ret == 12)
+		    timeptr->tm_hour = 0;
+		else
+		    timeptr->tm_hour = ret;
+		buf = s;
+		break;
+	    case 'j' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_yday = ret - 1;
+		buf = s;
+		break;
+	    case 'm' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_mon = ret - 1;
+		buf = s;
+		break;
+	    case 'M' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_min = ret;
+		buf = s;
+		break;
+	    case 'n' :
+		if (*buf == '\n')
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    case 'p' :
+		ret = match_string (&buf, ampm);
+		if (ret < 0)
+		    return NULL;
+		if (timeptr->tm_hour == 0) {
+		    if (ret == 1)
+			timeptr->tm_hour = 12;
+		} else
+		    timeptr->tm_hour += 12;
+		break;
+	    case 'r' :		/* %I:%M:%S %p */
+		s = strptime (buf, "%I:%M:%S %p", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'R' :		/* %H:%M */
+		s = strptime (buf, "%H:%M", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'S' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_sec = ret;
+		buf = s;
+		break;
+	    case 't' :
+		if (*buf == '\t')
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    case 'T' :		/* %H:%M:%S */
+	    case 'X' :
+		s = strptime (buf, "%H:%M:%S", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'u' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_wday = ret - 1;
+		buf = s;
+		break;
+	    case 'w' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_wday = ret;
+		buf = s;
+		break;
+	    case 'U' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		set_week_number_sun (timeptr, ret);
+		buf = s;
+		break;
+	    case 'V' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		set_week_number_mon4 (timeptr, ret);
+		buf = s;
+		break;
+	    case 'W' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		set_week_number_mon (timeptr, ret);
+		buf = s;
+		break;
+	    case 'x' :
+		s = strptime (buf, "%Y:%m:%d", timeptr);
+		if (s == NULL)
+		    return NULL;
+		buf = s;
+		break;
+	    case 'y' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		if (ret < 70)
+		    timeptr->tm_year = 100 + ret;
+		else
+		    timeptr->tm_year = ret;
+		buf = s;
+		break;
+	    case 'Y' :
+		ret = strtol (buf, &s, 10);
+		if (s == buf)
+		    return NULL;
+		timeptr->tm_year = ret - tm_year_base;
+		buf = s;
+		break;
+	    case 'Z' :
+		abort ();
+	    case '\0' :
+		--format;
+		/* FALLTHROUGH */
+	    case '%' :
+		if (*buf == '%')
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    default :
+		if (*buf == '%' || *++buf == c)
+		    ++buf;
+		else
+		    return NULL;
+		break;
+	    }
+	} else {
+	    if (*buf == c)
+		++buf;
+	    else
+		return NULL;
+	}
+    }
+    return (char *)buf;
+}
diff --git a/crypto/kerberosIV/lib/roken/strsep.c b/crypto/kerberosIV/lib/roken/strsep.c
new file mode 100644
index 0000000..efc714a
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strsep.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strsep.c,v 1.3 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <string.h>
+
+#include "roken.h"
+
+#ifndef HAVE_STRSEP
+
+char *
+strsep(char **str, const char *delim)
+{
+    char *save = *str;
+    if(*str == NULL)
+	return NULL;
+    *str = *str + strcspn(*str, delim);
+    if(**str == 0)
+	*str = NULL;
+    else{
+	**str = 0;
+	(*str)++;
+    }
+    return save;
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/strtok_r.c b/crypto/kerberosIV/lib/roken/strtok_r.c
new file mode 100644
index 0000000..45b036a
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strtok_r.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strtok_r.c,v 1.5 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <string.h>
+
+#include "roken.h"
+
+#ifndef HAVE_STRTOK_R
+
+char *
+strtok_r(char *s1, const char *s2, char **lasts)
+{
+  char *ret;
+
+  if (s1 == NULL)
+    s1 = *lasts;
+  while(*s1 && strchr(s2, *s1))
+    ++s1;
+  if(*s1 == '\0')
+    return NULL;
+  ret = s1;
+  while(*s1 && !strchr(s2, *s1))
+    ++s1;
+  if(*s1)
+    *s1++ = '\0';
+  *lasts = s1;
+  return ret;
+}
+
+#endif /* HAVE_STRTOK_R */
diff --git a/crypto/kerberosIV/lib/roken/strupr.c b/crypto/kerberosIV/lib/roken/strupr.c
new file mode 100644
index 0000000..96dd042
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/strupr.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: strupr.c,v 1.4 1999/12/02 16:58:53 joda Exp $");
+#endif
+#include <string.h>
+#include <ctype.h>
+
+#include <roken.h>
+
+#ifndef HAVE_STRUPR
+char *
+strupr(char *str)
+{
+  char *s;
+
+  for(s = str; *s; s++)
+    *s = toupper(*s);
+  return str;
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/swab.c b/crypto/kerberosIV/lib/roken/swab.c
new file mode 100644
index 0000000..c623bd0
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/swab.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+
+#ifndef HAVE_SWAB
+
+RCSID("$Id: swab.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+
+void
+swab (char *from, char *to, int nbytes)
+{
+     while(nbytes >= 2) {
+	  *(to + 1) = *from;
+	  *to = *(from + 1);
+	  to += 2;
+	  from += 2;
+	  nbytes -= 2;
+     }
+}
+#endif
diff --git a/crypto/kerberosIV/lib/roken/tm2time.c b/crypto/kerberosIV/lib/roken/tm2time.c
new file mode 100644
index 0000000..b912e32
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/tm2time.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: tm2time.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#include "roken.h"
+
+time_t
+tm2time (struct tm tm, int local)
+{
+     time_t t;
+
+     tm.tm_isdst = -1;
+
+     t = mktime (&tm);
+
+     if (!local)
+       t += t - mktime (gmtime (&t));
+     return t;
+}
diff --git a/crypto/kerberosIV/lib/roken/unsetenv.c b/crypto/kerberosIV/lib/roken/unsetenv.c
new file mode 100644
index 0000000..6d95a51
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/unsetenv.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: unsetenv.c,v 1.7 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "roken.h"
+
+extern char **environ;
+
+/*
+ * unsetenv --
+ */
+void
+unsetenv(const char *name)
+{
+  int len;
+  const char *np;
+  char **p;
+
+  if (name == 0 || environ == 0)
+    return;
+
+  for (np = name; *np && *np != '='; np++)
+    /* nop */;
+  len = np - name;
+  
+  for (p = environ; *p != 0; p++)
+    if (strncmp(*p, name, len) == 0 && (*p)[len] == '=')
+      break;
+
+  for (; *p != 0; p++)
+    *p = *(p + 1);
+}
+
diff --git a/crypto/kerberosIV/lib/roken/verify.c b/crypto/kerberosIV/lib/roken/verify.c
new file mode 100644
index 0000000..842fa9a
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/verify.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verify.c,v 1.13 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include <stdio.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#include "roken.h"
+
+int
+unix_verify_user(char *user, char *password)
+{
+    struct passwd *pw;
+    
+    pw = k_getpwnam(user);
+    if(pw == NULL)
+	return -1;
+    if(strlen(pw->pw_passwd) == 0 && strlen(password) == 0)
+	return 0;
+    if(strcmp(crypt(password, pw->pw_passwd), pw->pw_passwd) == 0)
+        return 0;
+    return -1;
+}
+
diff --git a/crypto/kerberosIV/lib/roken/verr.c b/crypto/kerberosIV/lib/roken/verr.c
new file mode 100644
index 0000000..511e640
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/verr.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verr.c,v 1.8 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+verr(int eval, const char *fmt, va_list ap)
+{
+    warnerr(1, fmt, ap);
+    exit(eval);
+}
diff --git a/crypto/kerberosIV/lib/roken/verrx.c b/crypto/kerberosIV/lib/roken/verrx.c
new file mode 100644
index 0000000..f4578d3
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/verrx.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: verrx.c,v 1.8 1999/12/02 16:58:53 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+verrx(int eval, const char *fmt, va_list ap)
+{
+    warnerr(0, fmt, ap);
+    exit(eval);
+}
diff --git a/crypto/kerberosIV/lib/roken/vsyslog.c b/crypto/kerberosIV/lib/roken/vsyslog.c
new file mode 100644
index 0000000..22e6a35
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/vsyslog.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vsyslog.c,v 1.3 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#ifndef HAVE_VSYSLOG
+
+#include <stdio.h>
+#include <syslog.h>
+#include <stdarg.h>
+
+#include "roken.h"
+
+void
+vsyslog(int pri, const char *fmt, va_list ap)
+{
+    char *p;
+
+    vasprintf (&p, fmt, ap);
+    syslog (pri, "%s", p);
+    free (p);
+}
+
+#endif
diff --git a/crypto/kerberosIV/lib/roken/vwarn.c b/crypto/kerberosIV/lib/roken/vwarn.c
new file mode 100644
index 0000000..15f9a38
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/vwarn.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vwarn.c,v 1.8 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+vwarn(const char *fmt, va_list ap)
+{
+    warnerr(1, fmt, ap);
+}
diff --git a/crypto/kerberosIV/lib/roken/vwarnx.c b/crypto/kerberosIV/lib/roken/vwarnx.c
new file mode 100644
index 0000000..48f1ffd
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/vwarnx.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: vwarnx.c,v 1.8 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+vwarnx(const char *fmt, va_list ap)
+{
+    warnerr(0, fmt, ap);
+}
+
diff --git a/crypto/kerberosIV/lib/roken/warn.c b/crypto/kerberosIV/lib/roken/warn.c
new file mode 100644
index 0000000..d8ee335
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/warn.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: warn.c,v 1.6 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+warn(const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  vwarn(fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/kerberosIV/lib/roken/warnerr.c b/crypto/kerberosIV/lib/roken/warnerr.c
new file mode 100644
index 0000000..4df375d
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/warnerr.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: warnerr.c,v 1.8 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "roken.h"
+#include "err.h"
+
+#ifndef HAVE___PROGNAME
+const char *__progname;
+#endif
+
+void
+set_progname(char *argv0)
+{
+#ifndef HAVE___PROGNAME
+    char *p;
+    if(argv0 == NULL)
+	return;
+    p = strrchr(argv0, '/');
+    if(p == NULL)
+	p = argv0;
+    else
+	p++;
+    __progname = p;
+#endif
+}
+
+void
+warnerr(int doerrno, const char *fmt, va_list ap)
+{
+    int sverrno = errno;
+    if(__progname != NULL){
+	fprintf(stderr, "%s", __progname);
+	if(fmt != NULL || doerrno)
+	    fprintf(stderr, ": ");
+    }
+    if (fmt != NULL){
+	vfprintf(stderr, fmt, ap);
+	if(doerrno)
+	    fprintf(stderr, ": ");
+    }
+    if(doerrno)
+	fprintf(stderr, "%s", strerror(sverrno));
+    fprintf(stderr, "\n");
+}
diff --git a/crypto/kerberosIV/lib/roken/warnx.c b/crypto/kerberosIV/lib/roken/warnx.c
new file mode 100644
index 0000000..c991176
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/warnx.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: warnx.c,v 1.6 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "err.h"
+
+void
+warnx(const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  vwarnx(fmt, ap);
+  va_end(ap);
+}
diff --git a/crypto/kerberosIV/lib/roken/writev.c b/crypto/kerberosIV/lib/roken/writev.c
new file mode 100644
index 0000000..e3859bf
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/writev.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: writev.c,v 1.3 1999/12/02 16:58:54 joda Exp $");
+#endif
+
+#include "roken.h"
+
+ssize_t
+writev(int d, const struct iovec *iov, int iovcnt)
+{
+    ssize_t ret;
+    size_t tot = 0;
+    int i;
+    char *buf, *p;
+
+    for(i = 0; i < iovcnt; ++i)
+	tot += iov[i].iov_len;
+    buf = malloc(tot);
+    if (tot != 0 && buf == NULL) {
+	errno = ENOMEM;
+	return -1;
+    }
+    p = buf;
+    for (i = 0; i < iovcnt; ++i) {
+	memcpy (p, iov[i].iov_base, iov[i].iov_len);
+	p += iov[i].iov_len;
+    }
+    ret = write (d, buf, tot);
+    free (buf);
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/roken/xdbm.h b/crypto/kerberosIV/lib/roken/xdbm.h
new file mode 100644
index 0000000..ebfb7d7
--- /dev/null
+++ b/crypto/kerberosIV/lib/roken/xdbm.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: xdbm.h,v 1.6.2.1 2000/08/16 04:11:29 assar Exp $ */
+
+/* Generic *dbm include file */
+
+#ifndef __XDBM_H__
+#define __XDBM_H__
+
+#ifdef HAVE_NDBM_H
+#include <ndbm.h>
+#elif defined(HAVE_GDBM_NDBM_H)
+#include <gdbm/ndbm.h>
+#elif defined(HAVE_DBM_H)
+#include <dbm.h>
+#elif defined(HAVE_RPCSVC_DBM_H)
+#include <rpcsvc/dbm.h>
+#elif defined(HAVE_DB_H)
+#define DB_DBM_HSEARCH 1
+#include <db.h>
+#endif
+
+/* Macros to convert ndbm names to dbm names.
+ * Note that dbm_nextkey() cannot be simply converted using a macro, since
+ * it is invoked giving the database, and nextkey() needs the previous key.
+ *
+ * Instead, all routines call "dbm_next" instead.
+ */
+
+#ifndef NDBM
+typedef char DBM;
+
+#define dbm_open(file, flags, mode) ((dbminit(file) == 0)?"":((char *)0))
+#define dbm_fetch(db, key) fetch(key)
+#define dbm_store(db, key, content, flag) store(key, content)
+#define dbm_delete(db, key) delete(key)
+#define dbm_firstkey(db) firstkey()
+#define dbm_next(db,key) nextkey(key)
+#define dbm_close(db) dbmclose()
+#else
+#define dbm_next(db,key) dbm_nextkey(db)
+#endif
+
+#endif /* __XDBM_H__ */
diff --git a/crypto/kerberosIV/lib/sl/ChangeLog b/crypto/kerberosIV/lib/sl/ChangeLog
new file mode 100644
index 0000000..a8647de
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/ChangeLog
@@ -0,0 +1,112 @@
+Thu Apr  1 17:03:59 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* make_cmds.c: use getarg
+
+Tue Mar 23 14:36:21 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: don't rename
+
+Sun Mar 21 14:13:29 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: don't roken-rename
+
+Sat Mar 20 03:43:30 1999  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: replace return with YYACCEPT
+
+Fri Mar 19 14:53:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add libss; add version-info
+
+Thu Mar 18 15:07:06 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: clean lex.c parse.c parse.h
+
+	* Makefile.am: install ss.h
+
+	* Makefile.am: include Makefile.am.common
+
+Thu Mar 11 15:01:01 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* parse.y: prototype for error_message
+
+Tue Feb  9 23:45:37 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.in: add snprintf.o to make_cmds
+
+Sun Nov 22 10:46:23 1998  Assar Westerlund  <assar@sics.se>
+
+	* sl.c (sl_command_loop): remove unused variable
+
+	* ss.c (ss_error): remove unused variable
+
+	* make_cmds.c: include err.h
+	(main): remove unused variable
+
+	* Makefile.in (WFLAGS): set
+
+Sun Sep 27 01:28:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* make_cmds.c: clean-up and simplification
+
+Mon May 25 02:54:13 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): try to remove shared library debris
+
+	* Makefile.in: make symlink magic work
+
+Sun Apr 19 10:00:26 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: add symlink magic for linux
+
+Sun Apr  5 09:21:43 1998  Assar Westerlund  <assar@sics.se>
+
+	* parse.y: define alloca to malloc in case we're using bison but
+ 	don't have alloca
+
+Sat Mar 28 11:39:00 1998  Assar Westerlund  <assar@sics.se>
+
+	* sl.c (sl_loop): s/2/1
+
+Sat Mar 21 00:46:51 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* sl.c (sl_loop): check that there is at least one argument before
+ 	calling sl_command
+
+Sun Mar  1 05:14:37 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* sl.c (sl_loop): Fix general broken-ness.
+
+	* sl.c: Cleanup printing of help strings.
+
+Thu Feb 26 02:22:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: @LEXLIB@
+
+Sat Feb 21 15:18:21 1998  assar westerlund  <assar@sics.se>
+
+	* Makefile.in: set YACC and LEX
+
+Mon Feb 16 16:08:25 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.am: Some fixes for ss/mk_cmds.
+
+Sun Feb 15 05:12:11 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Makefile.in: Install libsl under the `libss' name too. Install
+ 	mk_cmds, and ss.h.
+
+	* make_cmds.c: A mk_cmds clone that creates SL structures.
+
+	* ss.c: SS compatibility functions.
+
+	* sl.c: Move command line split to function `sl_make_argv'.
+
+Tue Feb  3 16:45:44 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* sl.c: Add sl_command_loop, that is the loop body of sl_loop.
+
+Mon Oct 20 01:13:21 1997  Assar Westerlund  <assar@sics.se>
+
+	* sl.c (sl_help): actually use the `help' field of `SL_cmd'
+
diff --git a/crypto/kerberosIV/lib/sl/Makefile.am b/crypto/kerberosIV/lib/sl/Makefile.am
new file mode 100644
index 0000000..54bc75b
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/Makefile.am
@@ -0,0 +1,44 @@
+# $Id: Makefile.am,v 1.14 1999/04/09 18:28:29 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+YFLAGS = -d
+
+include_HEADERS = sl.h
+
+lib_LTLIBRARIES = libsl.la libss.la
+libsl_la_LDFLAGS = -version-info 0:0:0
+libss_la_LDFLAGS = -version-info 0:0:0
+
+RENAME_SRC = roken_rename.h strtok_r.c snprintf.c
+
+libsl_la_SOURCES = sl_locl.h sl.c
+libss_la_SOURCES = $(libsl_la_SOURCES) ss.c ss.h
+
+EXTRA_libsl_la_SOURCES = strtok_r.c snprintf.c roken_rename.h
+
+# install these?
+
+noinst_PROGRAMS = mk_cmds
+
+mk_cmds_SOURCES = make_cmds.c make_cmds.h parse.y lex.l
+
+RENAME_mk_cmds_SRC = roken_rename.h snprintf.c
+
+EXTRA_mk_cmds_SOURCES = snprintf.c roken_rename.h
+
+ssincludedir = $(includedir)/ss
+ssinclude_HEADERS = ss.h
+
+CLEANFILES = lex.c parse.c parse.h snprintf.c strtok_r.c
+
+$(mk_cmds_OBJECTS): parse.h
+
+LDADD = \
+	$(LIB_roken) \
+	$(LEXLIB)
+
+strtok_r.c:
+	$(LN_S) $(srcdir)/../roken/strtok_r.c .
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
diff --git a/crypto/kerberosIV/lib/sl/Makefile.in b/crypto/kerberosIV/lib/sl/Makefile.in
new file mode 100644
index 0000000..3d605b0
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/Makefile.in
@@ -0,0 +1,142 @@
+#
+# $Id: Makefile.in,v 1.31.16.2 2000/06/23 03:20:04 assar Exp $
+#
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+top_builddir=../..
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+LN_S = @LN_S@
+DEFS = @DEFS@ -DROKEN_RENAME
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+YACC = @YACC@
+LEX = @LEX@
+
+INSTALL = @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+bindir = @bindir@
+includedir = @includedir@
+
+LIB_tgetent = @LIB_tgetent@
+LIB_DEPS = @lib_deps_yes@ @LIB_readline@ -lc
+build_symlink_command   = @build_symlink_command@
+install_symlink_command = @install_symlink_command@
+install_symlink_command2 = @install_symlink_command2@
+
+PICFLAGS = @PICFLAGS@
+EXECSUFFIX = @EXECSUFFIX@
+ 
+LIBEXT = @LIBEXT@
+SHLIBEXT = @SHLIBEXT@
+LIBPREFIX = @LIBPREFIX@
+LIBNAME = $(LIBPREFIX)sl
+sl_LIB = $(LIBNAME).$(LIBEXT)
+LIB = $(sl_LIB)
+LIBNAME2 = $(LIBPREFIX)ss
+ss_LIB = $(LIBNAME2).$(LIBEXT)
+LIB2 = $(ss_LIB)
+LDSHARED = @LDSHARED@
+PROGS = mk_cmds$(EXECSUFFIX)
+
+LIB_SOURCES = sl.c ss.c
+EXTRA_SOURCES = strtok_r.c snprintf.c strupr.c
+
+SOURCES = $(LIB_SOURCES) make_cmds.c $(EXTRA_SOURCES)
+
+LIBADD = strtok_r.o snprintf.o strupr.o
+
+LIB_OBJECTS = sl.o ss.o $(LIBADD)
+
+mk_cmds_OBJECTS = make_cmds.o parse.o lex.o snprintf.o
+
+OBJECTS = $(LIB_OBJECTS) $(mk_cmds_OBJECTS)
+
+all: $(sl_LIB) $(PROGS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../../include -I. -I$(srcdir) -I$(srcdir)/../des $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(includedir)/ss
+	$(INSTALL_DATA) $(srcdir)/ss.h $(DESTDIR)$(includedir)/ss/ss.h
+	$(MKINSTALLDIRS) $(DESTDIR)$(libdir)
+	$(INSTALL) -m 555 $(sl_LIB) $(DESTDIR)$(libdir)/$(sl_LIB)
+	$(INSTALL) -m 555 $(sl_LIB) $(DESTDIR)$(libdir)/$(ss_LIB)
+	@install_symlink_command@
+	@install_symlink_command2@
+	$(MKINSTALLDIRS) $(DESTDIR)$(bindir)
+	$(INSTALL)  $(PROGS) $(DESTDIR)$(bindir)/$(PROGS)
+
+uninstall:
+	rm -f $(DESTDIR)$(includedir)/ss/ss.h
+	rm -f $(DESTDIR)$(libdir)/$(sl_LIB) $(DESTDIR)$(libdir)/$(ss_LIB)
+	rm -f $(DESTDIR)$(bindir)/$(PROGS)
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f $(sl_LIB) $(PROGS) lex.c parse.c parse.h *.o *.a *.so *.so.* so_locations
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *~
+
+realclean: distclean
+	rm -f TAGS
+
+$(LIBNAME).a: $(LIB_OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(LIB_OBJECTS)
+	-$(RANLIB) $@
+
+$(LIBNAME).$(SHLIBEXT): $(LIB_OBJECTS)
+	rm -f $@
+	$(LDSHARED) -o $@ $(LIB_OBJECTS) $(LIB_DEPS)
+	@build_symlink_command@
+
+$(OBJECTS): ../../include/config.h
+
+$(mk_cmds_OBJECTS): parse.h
+
+mk_cmds$(EXECSUFFIX): $(mk_cmds_OBJECTS)
+	$(LINK) $(CFLAGS) -o $@ $(mk_cmds_OBJECTS) -L../roken -lroken
+
+parse.c: parse.h
+parse.h: $(srcdir)/parse.y
+	$(YACC) -d $(srcdir)/parse.y
+	mv -f y.tab.h parse.h
+	mv -f y.tab.c parse.c
+
+lex.c: $(srcdir)/lex.l
+	$(LEX) $(srcdir)/lex.l
+	mv -f lex.yy.c lex.c
+
+strtok_r.c:
+	$(LN_S) $(srcdir)/../roken/strtok_r.c .
+snprintf.c:
+	$(LN_S) $(srcdir)/../roken/snprintf.c .
+strupr.c:
+	$(LN_S) $(srcdir)/../roken/strupr.c .
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/lib/sl/lex.l b/crypto/kerberosIV/lib/sl/lex.l
new file mode 100644
index 0000000..b7c1c44
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/lex.l
@@ -0,0 +1,114 @@
+%{
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "make_cmds.h"
+#include "parse.h"
+
+RCSID("$Id: lex.l,v 1.3 1999/12/02 16:58:55 joda Exp $");
+
+static unsigned lineno = 1;
+void error_message(char *, ...);
+int getstring(void);
+
+%}
+
+
+%%
+command_table		{ return TABLE; }
+request			{ return REQUEST; }
+unknown			{ return UNKNOWN; }
+unimplemented		{ return UNIMPLEMENTED; }
+end			{ return END; }
+#[^\n]*			;
+[ \t]			;
+\n			{ lineno++; }
+\"			{ return getstring(); }
+[a-zA-Z0-9_]+		{ yylval.string = strdup(yytext); return STRING; }
+.			{ return *yytext; }
+%%
+
+#ifndef yywrap /* XXX */
+int
+yywrap () 
+{
+     return 1;
+}
+#endif
+
+int
+getstring(void)
+{
+    char x[128];
+    int i = 0;
+    int c;
+    int backslash = 0;
+    while((c = input()) != EOF){
+	if(backslash) {
+	    if(c == 'n')
+		c = '\n';
+	    else if(c == 't')
+		c = '\t';
+	    x[i++] = c;
+	    backslash = 0;
+	    continue;
+	}
+	if(c == '\n'){
+	    error_message("unterminated string");
+	    lineno++;
+	    break;
+	}
+	if(c == '\\'){
+	    backslash++;
+	    continue;
+	}
+	if(c == '\"')
+	    break;
+	x[i++] = c;
+    }
+    x[i] = '\0';
+    yylval.string = strdup(x);
+    return STRING;
+}
+
+void
+error_message (char *format, ...)
+{
+     va_list args;
+
+     va_start (args, format);
+     fprintf (stderr, "%s:%d: ", filename, lineno);
+     vfprintf (stderr, format, args);
+     va_end (args);
+     numerror++;
+}
diff --git a/crypto/kerberosIV/lib/sl/make_cmds.c b/crypto/kerberosIV/lib/sl/make_cmds.c
new file mode 100644
index 0000000..492e9e6
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/make_cmds.c
@@ -0,0 +1,240 @@
+/*
+ * Copyright (c) 1998-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "make_cmds.h"
+#include <getarg.h>
+
+RCSID("$Id: make_cmds.c,v 1.6 1999/12/02 16:58:55 joda Exp $");
+
+#include <roken.h>
+#include <err.h>
+#include "parse.h"
+
+int numerror;
+extern FILE *yyin;
+FILE *c_file;
+
+extern void yyparse(void);
+
+#ifdef YYDEBUG
+extern int yydebug = 1;
+#endif
+
+char *filename;
+char *table_name;
+
+static struct command_list *commands;
+
+void
+add_command(char *function, 
+	    char *help, 
+	    struct string_list *aliases, 
+	    unsigned flags)
+{
+    struct command_list *cl = malloc(sizeof(*cl));
+
+    if (cl == NULL)
+	err (1, "malloc");
+    cl->function = function;
+    cl->help = help;
+    cl->aliases = aliases;
+    cl->flags = flags;
+    cl->next = NULL;
+    if(commands) {
+	*commands->tail = cl;
+	commands->tail = &cl->next;
+	return;
+    }
+    cl->tail = &cl->next;
+    commands = cl;
+}
+
+static char *
+quote(const char *str)
+{
+    char buf[1024]; /* XXX */
+    const char *p;
+    char *q;
+    q = buf;
+    
+    *q++ = '\"';
+    for(p = str; *p != '\0'; p++) {
+	if(*p == '\n') {
+	    *q++ = '\\';
+	    *q++ = 'n';
+	    continue;
+	}
+	if(*p == '\t') {
+	    *q++ = '\\';
+	    *q++ = 't';
+	    continue;
+	}
+	if(*p == '\"' || *p == '\\')
+	    *q++ = '\\';
+	*q++ = *p;
+    }
+    *q++ = '\"';
+    *q++ = '\0';
+    return strdup(buf);
+}
+
+static void
+generate_commands(void)
+{
+    char *base;
+    char *cfn;
+    char *p;
+
+    p = strrchr(table_name, '/');
+    if(p == NULL)
+	p = table_name;
+    else
+	p++;
+
+    base = strdup (p);
+    if (base == NULL)
+	err (1, "strdup");
+
+    p = strrchr(base, '.');
+    if(p)
+	*p = '\0';
+    
+    asprintf(&cfn, "%s.c", base);
+    if (cfn == NULL)
+	err (1, "asprintf");
+
+    c_file = fopen(cfn, "w");
+    if (c_file == NULL)
+	err (1, "cannot fopen %s", cfn);
+    
+    fprintf(c_file, "/* Generated from %s */\n", filename);
+    fprintf(c_file, "\n");
+    fprintf(c_file, "#include <stddef.h>\n");
+    fprintf(c_file, "#include <sl.h>\n");
+    fprintf(c_file, "\n");
+
+    {
+	struct command_list *cl, *xl;
+	char *p, *q;
+
+	for(cl = commands; cl; cl = cl->next) {
+	    for(xl = commands; xl != cl; xl = xl->next)
+		if(strcmp(cl->function, xl->function) == 0)
+		    break;
+	    if(xl != cl)
+		continue;
+	    /* XXX hack for ss_quit */
+	    if(strcmp(cl->function, "ss_quit") == 0) {
+		fprintf(c_file, "int %s (int, char**);\n", cl->function);
+		fprintf(c_file, "#define _ss_quit_wrap ss_quit\n\n"); 
+		continue;
+	    }
+	    fprintf(c_file, "void %s (int, char**);\n", cl->function);
+	    fprintf(c_file, "static int _%s_wrap (int argc, char **argv)\n", 
+		    cl->function);
+	    fprintf(c_file, "{\n");
+	    fprintf(c_file, "  %s (argc, argv);\n", cl->function);
+	    fprintf(c_file, "  return 0;\n");
+	    fprintf(c_file, "}\n\n");
+	}
+
+	fprintf(c_file, "SL_cmd %s[] = {\n", table_name);
+	for(cl = commands; cl; cl = cl->next) {
+	    struct string_list *sl;
+	    sl = cl->aliases;
+	    p = quote(sl->string);
+	    q = quote(cl->help);
+	    fprintf(c_file, "  { %s, _%s_wrap, %s },\n", p, cl->function, q);
+	    free(p);
+	    free(q);
+    
+	    for(sl = sl->next; sl; sl = sl->next) {
+		p = quote(sl->string);
+		fprintf(c_file, "  { %s },\n", p);
+		free(p);
+	    }
+	}
+	fprintf(c_file, "  { NULL },\n");
+	fprintf(c_file, "};\n");
+	fprintf(c_file, "\n");
+    }
+    fclose(c_file);
+    free(base);
+    free(cfn);
+}
+
+int version_flag;
+int help_flag;
+struct getargs args[] = {
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "command-table");
+    exit(code);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optind = 0;
+
+    set_progname(argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+    
+    if(argc == optind)
+	usage(1);
+    filename = argv[optind];
+    yyin = fopen(filename, "r");
+    if(yyin == NULL)
+	err(1, "%s", filename);
+    
+    yyparse();
+    
+    generate_commands();
+
+    if(numerror)
+	return 1;
+    return 0;
+}
diff --git a/crypto/kerberosIV/lib/sl/make_cmds.h b/crypto/kerberosIV/lib/sl/make_cmds.h
new file mode 100644
index 0000000..24dbd60
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/make_cmds.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: make_cmds.h,v 1.2 1999/12/02 16:58:55 joda Exp $ */
+
+#ifndef __MAKE_CMDS_H__
+#define __MAKE_CMDS_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdarg.h>
+
+extern char *filename;
+extern char *table_name;
+extern int numerror;
+
+struct command_list {
+    char *function;
+    char *help;
+    struct string_list *aliases;
+    unsigned flags;
+    struct command_list *next;
+    struct command_list **tail;
+};
+
+struct string_list {
+    char *string;
+    struct string_list *next;
+    struct string_list **tail;
+};
+
+void add_command(char*, char*, struct string_list*, unsigned);
+
+#endif /* __MAKE_CMDS_H__ */
diff --git a/crypto/kerberosIV/lib/sl/parse.y b/crypto/kerberosIV/lib/sl/parse.y
new file mode 100644
index 0000000..b8b2d63
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/parse.y
@@ -0,0 +1,194 @@
+%{
+/*
+ * Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "make_cmds.h"
+RCSID("$Id: parse.y,v 1.5 1999/12/02 16:58:55 joda Exp $");
+
+void yyerror (char *s);
+long name2number(const char *str);
+void error_message(char *, ...);
+
+struct string_list* append_string(struct string_list*, char*);
+void free_string_list(struct string_list *list);
+unsigned string_to_flag(const char *);
+
+/* This is for bison */
+
+#if !defined(alloca) && !defined(HAVE_ALLOCA)
+#define alloca(x) malloc(x)
+#endif
+
+%}
+
+%union {
+  char *string;
+  unsigned number;
+  struct string_list *list;
+}
+
+%token TABLE REQUEST UNKNOWN UNIMPLEMENTED END
+%token <string> STRING
+%type <number> flag flags
+%type <list> aliases
+
+%%
+
+file		: /* */ 
+		| statements
+		;
+
+statements	: statement
+		| statements statement
+		;
+
+statement	: TABLE STRING ';'
+		{
+		    table_name = $2;
+		}
+		| REQUEST STRING ',' STRING ',' aliases ',' '(' flags ')' ';'
+		{
+		    add_command($2, $4, $6, $9);
+		}
+		| REQUEST STRING ',' STRING ',' aliases ';'
+		{
+		    add_command($2, $4, $6, 0);
+		}
+		| UNIMPLEMENTED STRING ',' STRING ',' aliases ';'
+		{
+		    free($2);
+		    free($4);
+		    free_string_list($6);
+		}
+		| UNKNOWN aliases ';'
+		{
+		    free_string_list($2);
+		}
+		| END ';'
+		{
+		    YYACCEPT;
+		}
+		;
+
+aliases		: STRING
+		{
+		    $$ = append_string(NULL, $1);
+		}
+		| aliases ',' STRING
+		{
+		    $$ = append_string($1, $3);
+		}
+		;
+
+flags		: flag
+		{
+		    $$ = $1;
+		}
+		| flags ',' flag
+		{
+		    $$ = $1 | $3;
+		}
+		;
+flag		: STRING
+		{
+		    $$ = string_to_flag($1);
+		    free($1);
+		}
+		;
+
+
+
+%%
+
+long
+name2number(const char *str)
+{
+    const char *p;
+    long base = 0;
+    const char *x = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+	"abcdefghijklmnopqrstuvwxyz0123456789_";
+    if(strlen(str) > 4) {
+	yyerror("table name too long");
+	return 0;
+    }
+    for(p = str; *p; p++){
+	char *q = strchr(x, *p);
+	if(q == NULL) {
+	    yyerror("invalid character in table name");
+	    return 0;
+	}
+	base = (base << 6) + (q - x) + 1;
+    }
+    base <<= 8;
+    if(base > 0x7fffffff)
+	base = -(0xffffffff - base + 1);
+    return base;
+}
+
+void
+yyerror (char *s)
+{
+    error_message ("%s\n", s);
+}
+
+struct string_list*
+append_string(struct string_list *list, char *str)
+{
+    struct string_list *sl = malloc(sizeof(*sl));
+    sl->string = str;
+    sl->next = NULL;
+    if(list) {
+	*list->tail = sl;
+	list->tail = &sl->next;
+	return list;
+    }
+    sl->tail = &sl->next;
+    return sl;
+}
+
+void
+free_string_list(struct string_list *list)
+{
+    while(list) {
+	struct string_list *sl = list->next;
+	free(list->string);
+	free(list);
+	list = sl;
+    }
+}
+
+unsigned
+string_to_flag(const char *string)
+{
+    return 0;
+}
diff --git a/crypto/kerberosIV/lib/sl/roken_rename.h b/crypto/kerberosIV/lib/sl/roken_rename.h
new file mode 100644
index 0000000..c668802
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/roken_rename.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.3 1999/12/02 16:58:55 joda Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+#ifndef HAVE_STRTOK_R
+#define strtok_r _sl_strtok_r
+#endif
+#ifndef HAVE_SNPRINTF
+#define snprintf _sl_snprintf
+#endif
+#ifndef HAVE_ASPRINTF
+#define asprintf _sl_asprintf
+#endif
+#ifndef HAVE_ASNPRINTF
+#define asnprintf _sl_asnprintf
+#endif
+#ifndef HAVE_VASPRINTF
+#define vasprintf _sl_vasprintf
+#endif
+#ifndef HAVE_VASNPRINTF
+#define vasnprintf _sl_vasnprintf
+#endif
+#ifndef HAVE_VSNPRINTF
+#define vsnprintf _sl_vsnprintf
+#endif
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/kerberosIV/lib/sl/sl.c b/crypto/kerberosIV/lib/sl/sl.c
new file mode 100644
index 0000000..688ca8b
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/sl.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: sl.c,v 1.25 1999/12/02 16:58:55 joda Exp $");
+#endif
+
+#include "sl_locl.h"
+
+static SL_cmd *
+sl_match (SL_cmd *cmds, char *cmd, int exactp)
+{
+    SL_cmd *c, *current = NULL, *partial_cmd = NULL;
+    int partial_match = 0;
+
+    for (c = cmds; c->name; ++c) {
+	if (c->func)
+	    current = c;
+	if (strcmp (cmd, c->name) == 0)
+	    return current;
+	else if (strncmp (cmd, c->name, strlen(cmd)) == 0 &&
+		 partial_cmd != current) {
+	    ++partial_match;
+	    partial_cmd = current;
+	}
+    }
+    if (partial_match == 1 && !exactp)
+	return partial_cmd;
+    else
+	return NULL;
+}
+
+void
+sl_help (SL_cmd *cmds, int argc, char **argv)
+{
+    SL_cmd *c, *prev_c;
+
+    if (argc == 1) {
+	prev_c = NULL;
+	for (c = cmds; c->name; ++c) {
+	    if (c->func) {
+		if(prev_c)
+		    printf ("\n\t%s%s", prev_c->usage ? prev_c->usage : "",
+			    prev_c->usage ? "\n" : "");
+		prev_c = c;
+		printf ("%s", c->name);
+	    } else
+		printf (", %s", c->name);
+	}
+	if(prev_c)
+	    printf ("\n\t%s%s", prev_c->usage ? prev_c->usage : "",
+		    prev_c->usage ? "\n" : "");
+    } else { 
+	c = sl_match (cmds, argv[1], 0);
+	if (c == NULL)
+	    printf ("No such command: %s. "
+		    "Try \"help\" for a list of all commands\n",
+		    argv[1]);
+	else {
+	    printf ("%s\t%s\n", c->name, c->usage);
+	    if(c->help && *c->help)
+		printf ("%s\n", c->help);
+	    if((++c)->name && c->func == NULL) {
+		printf ("Synonyms:");
+		while (c->name && c->func == NULL)
+		    printf ("\t%s", (c++)->name);
+		printf ("\n");
+	    }
+	}
+    }
+}
+
+#ifdef HAVE_READLINE
+
+char *readline(char *prompt);
+void add_history(char *p);
+
+#else
+
+static char *
+readline(char *prompt)
+{
+    char buf[BUFSIZ];
+    printf ("%s", prompt);
+    fflush (stdout);
+    if(fgets(buf, sizeof(buf), stdin) == NULL)
+	return NULL;
+    if (buf[strlen(buf) - 1] == '\n')
+	buf[strlen(buf) - 1] = '\0';
+    return strdup(buf);
+}
+
+static void
+add_history(char *p)
+{
+}
+
+#endif
+
+int
+sl_command(SL_cmd *cmds, int argc, char **argv)
+{
+    SL_cmd *c;
+    c = sl_match (cmds, argv[0], 0);
+    if (c == NULL)
+	return -1;
+    return (*c->func)(argc, argv);
+}
+
+struct sl_data {
+    int max_count;
+    char **ptr;
+};
+
+int
+sl_make_argv(char *line, int *ret_argc, char ***ret_argv)
+{
+    char *foo = NULL;
+    char *p;
+    int argc, nargv;
+    char **argv;
+    
+    nargv = 10;
+    argv = malloc(nargv * sizeof(*argv));
+    if(argv == NULL)
+	return ENOMEM;
+    argc = 0;
+
+    for(p = strtok_r (line, " \t", &foo);
+	p;
+	p = strtok_r (NULL, " \t", &foo)) {
+	if(argc == nargv - 1) {
+	    char **tmp;
+	    nargv *= 2;
+	    tmp = realloc (argv, nargv * sizeof(*argv));
+	    if (tmp == NULL) {
+		free(argv);
+		return ENOMEM;
+	    }
+	    argv = tmp;
+	}
+	argv[argc++] = p;
+    }
+    argv[argc] = NULL;
+    *ret_argc = argc;
+    *ret_argv = argv;
+    return 0;
+}
+
+/* return values: 0 on success, -1 on fatal error, or return value of command */
+int
+sl_command_loop(SL_cmd *cmds, char *prompt, void **data)
+{
+    int ret = 0;
+    char *buf;
+    int argc;
+    char **argv;
+	
+    ret = 0;
+    buf = readline(prompt);
+    if(buf == NULL)
+	return 1;
+
+    if(*buf)
+	add_history(buf);
+    ret = sl_make_argv(buf, &argc, &argv);
+    if(ret) {
+	fprintf(stderr, "sl_loop: out of memory\n");
+	free(buf);
+	return -1;
+    }
+    if (argc >= 1) {
+	ret = sl_command(cmds, argc, argv);
+	if(ret == -1) {
+	    printf ("Unrecognized command: %s\n", argv[0]);
+	    ret = 0;
+	}
+    }
+    free(buf);
+    free(argv);
+    return ret;
+}
+
+int 
+sl_loop(SL_cmd *cmds, char *prompt)
+{
+    void *data = NULL;
+    int ret;
+    while((ret = sl_command_loop(cmds, prompt, &data)) == 0)
+	;
+    return ret;
+}
diff --git a/crypto/kerberosIV/lib/sl/sl.h b/crypto/kerberosIV/lib/sl/sl.h
new file mode 100644
index 0000000..1a6d3fa
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/sl.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: sl.h,v 1.7 1999/12/02 16:58:55 joda Exp $ */
+
+#ifndef _SL_H
+#define _SL_H
+
+typedef int (*cmd_func)(int, char **);
+
+struct sl_cmd {
+  char *name;
+  cmd_func func;
+  char *usage;
+  char *help;
+};
+
+typedef struct sl_cmd SL_cmd;
+
+void sl_help (SL_cmd *, int argc, char **argv);
+int  sl_loop (SL_cmd *, char *prompt);
+int  sl_command_loop (SL_cmd *cmds, char *prompt, void **data);
+int  sl_command (SL_cmd *cmds, int argc, char **argv);
+int sl_make_argv(char*, int*, char***);
+
+
+#endif /* _SL_H */
diff --git a/crypto/kerberosIV/lib/sl/sl_locl.h b/crypto/kerberosIV/lib/sl/sl_locl.h
new file mode 100644
index 0000000..4bd9660
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/sl_locl.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: sl_locl.h,v 1.6 1999/12/02 16:58:55 joda Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+#include <roken.h>
+
+#include <sl.h>
diff --git a/crypto/kerberosIV/lib/sl/ss.c b/crypto/kerberosIV/lib/sl/ss.c
new file mode 100644
index 0000000..f3c0546
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/ss.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "sl_locl.h"
+#include <com_err.h>
+#include "ss.h"
+
+RCSID("$Id: ss.c,v 1.4 1999/12/02 16:58:55 joda Exp $");
+
+struct ss_subst {
+    char *name;
+    char *version;
+    char *info;
+    ss_request_table *table;
+};
+
+static struct ss_subst subsystems[2];
+static int num_subsystems;
+
+int
+ss_create_invocation(const char *subsystem, 
+		     const char *version, 
+		     const char *info, 
+		     ss_request_table *table, 
+		     int *code)
+{
+    struct ss_subst *ss;
+    if(num_subsystems >= sizeof(subsystems) / sizeof(subsystems[0])) {
+	*code = 17;
+	return 0;
+    }
+    ss = &subsystems[num_subsystems];
+    ss->name = subsystem ? strdup(subsystem) : NULL;
+    ss->version = version ? strdup(version) : NULL;
+    ss->info = info ? strdup(info) : NULL;
+    ss->table = table;
+    *code = 0;
+    return num_subsystems++;
+}
+
+void
+ss_error (int index, long code, const char *fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    com_err_va (subsystems[index].name, code, fmt, ap);
+    va_end(ap);
+}
+
+void
+ss_perror (int index, long code, const char *msg)
+{
+    ss_error(index, code, "%s", msg);
+}
+
+int
+ss_execute_command(int index, char **argv)
+{
+    int argc = 0;
+    while(argv[argc++]);
+    sl_command(subsystems[index].table, argc, argv);
+    return 0;
+}
+
+int
+ss_execute_line (int index, const char *line)
+{
+    char *buf = strdup(line);
+    int argc;
+    char **argv;
+    
+    sl_make_argv(buf, &argc, &argv);
+    sl_command(subsystems[index].table, argc, argv);
+    free(buf);
+    return 0;
+}
+
+int
+ss_listen (int index)
+{
+    char *prompt = malloc(strlen(subsystems[index].name) + 3);
+    if(prompt == NULL) {
+	abort();
+    }
+    strcpy(prompt, subsystems[index].name);
+    strcat(prompt, ": ");
+    sl_loop(subsystems[index].table, prompt);
+    free(prompt);
+    return 0;
+}
+
+int
+ss_list_requests(int argc, char **argv /* , int index, void *info */)
+{
+    sl_help(subsystems[0 /* index */].table, argc, argv);
+    return 0;
+}
+
+int
+ss_quit(int argc, char **argv)
+{
+    return 1;
+}
diff --git a/crypto/kerberosIV/lib/sl/ss.h b/crypto/kerberosIV/lib/sl/ss.h
new file mode 100644
index 0000000..0d9d297
--- /dev/null
+++ b/crypto/kerberosIV/lib/sl/ss.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: ss.h,v 1.2 1999/12/02 16:58:55 joda Exp $ */
+
+/* SS compatibility for SL */
+
+#ifndef __ss_h__
+#define __ss_h__
+
+#include <sl.h>
+
+typedef SL_cmd ss_request_table;
+
+int ss_create_invocation (const char *, const char *, const char*, 
+			  ss_request_table*, int*);
+
+void ss_error (int, long, const char*, ...);
+int ss_execute_command (int, char**);
+int ss_execute_line (int, const char*);
+int ss_list_requests (int argc, char**);
+int ss_listen (int);
+void ss_perror (int, long, const char*);
+int ss_quit (int argc, char**);
+
+#endif /* __ss_h__ */
diff --git a/crypto/kerberosIV/man/Makefile b/crypto/kerberosIV/man/Makefile
new file mode 100644
index 0000000..6e6442a
--- /dev/null
+++ b/crypto/kerberosIV/man/Makefile
@@ -0,0 +1,11 @@
+#
+# *** THIS FILE IS NORMALLY OVERWRITTEN BY CONFIGURE ***
+#
+#
+# $Id: Makefile,v 1.3 1997/09/09 15:06:35 bg Exp $
+
+all:
+	$(MAKE) -f Makefile.in cat
+
+clean:
+	rm -f *.cat[1358] *~
diff --git a/crypto/kerberosIV/man/Makefile.in b/crypto/kerberosIV/man/Makefile.in
new file mode 100644
index 0000000..c4941b1
--- /dev/null
+++ b/crypto/kerberosIV/man/Makefile.in
@@ -0,0 +1,153 @@
+# Makefile.in,v 1.2 1994/05/13 05:02:46 assar Exp
+
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+
+SHELL		= /bin/sh
+
+INSTALL		= @INSTALL@
+INSTALL_DATA	= @INSTALL_DATA@
+MKINSTALLDIRS	= @top_srcdir@/mkinstalldirs
+
+prefix		= @prefix@
+mandir		= @mandir@
+transform	= @program_transform_name@
+
+disable_cat_manpages = @disable_cat_manpages@
+
+# You need a BSD44 system or groff to create the manpages
+NROFF_MAN = groff -mandoc -Tascii
+#NROFF_MAN = nroff -man
+.SUFFIXES: .1 .cat1 .3 .cat3 .5 .cat5 .8 .cat8
+.1.cat1: ; $(NROFF_MAN) $< > $@
+.3.cat3: ; $(NROFF_MAN) $< > $@
+.5.cat5: ; $(NROFF_MAN) $< > $@
+.8.cat8: ; $(NROFF_MAN) $< > $@
+
+
+MANRX = \(.*\)\.\([0-9]\)
+CATRX = \(.*\)\.cat\([0-9]\)
+CATSUFFIX=@CATSUFFIX@
+
+MAN1 = afslog.1 des.1 ftp.1 kauth.1 kdestroy.1 \
+       kerberos.1 kinit.1 klist.1 kpasswd.1 ksrvtgt.1 \
+       kx.1 login.1 movemail.1 otp.1 otpprint.1 pagsh.1 \
+       rcp.1 rlogin.1 rsh.1 rxtelnet.1 rxterm.1 su.1 \
+       telnet.1 tenletxr.1
+
+CAT1 = afslog.cat1 des.cat1 ftp.cat1 kauth.cat1 kdestroy.cat1 \
+       kerberos.cat1 kinit.cat1 klist.cat1 kpasswd.cat1 ksrvtgt.cat1 \
+       kx.cat1 login.cat1 movemail.cat1 otp.cat1 otpprint.cat1 pagsh.cat1 \
+       rcp.cat1 rlogin.cat1 rsh.cat1 rxtelnet.cat1 rxterm.cat1 su.cat1 \
+       telnet.cat1 tenletxr.cat1
+
+MAN3 = acl_check.3 des_crypt.3 kafs.3 \
+       kerberos.3 krb_realmofhost.3 krb_sendauth.3 \
+       krb_set_tkt_string.3 kuserok.3 tf_util.3 \
+       ../lib/editline/editline.3
+
+# getusershell.3 
+
+CAT3 = acl_check.cat3 des_crypt.cat3 kafs.cat3 \
+       kerberos.cat3 krb_realmofhost.cat3 krb_sendauth.cat3 \
+       krb_set_tkt_string.cat3 kuserok.cat3 tf_util.cat3 \
+       ../lib/editline/editline.cat3
+
+# getusershell.cat3 
+
+MAN5 = ftpusers.5 krb.conf.5 krb.equiv.5 krb.extra.5 \
+       krb.realms.5 login.access.5
+
+CAT5 = ftpusers.cat5 krb.conf.cat5 krb.equiv.cat5 \
+       krb.realms.cat5 login.access.cat5
+
+MAN8 = ext_srvtab.8 ftpd.8 kadmin.8 kadmind.8 kauthd.8 \
+       kdb_destroy.8 kdb_edit.8 kdb_init.8 kdb_util.8 \
+       kerberos.8 kprop.8 kpropd.8 ksrvutil.8 kstash.8 \
+       kxd.8 popper.8 rlogind.8 rshd.8 telnetd.8 \
+       ../appl/push/push.8
+
+CAT8 = ext_srvtab.cat8 ftpd.cat8 kadmin.cat8 kadmind.cat8 kauthd.cat8 \
+       kdb_destroy.cat8 kdb_edit.cat8 kdb_init.cat8 kdb_util.cat8 \
+       kerberos.cat8 kprop.cat8 kpropd.cat8 ksrvutil.cat8 kstash.cat8 \
+       kxd.cat8 popper.cat8 rlogind.cat8 rshd.cat8 telnetd.cat8 \
+       ../appl/push/push.cat8
+
+all: 
+
+cat: $(CAT1) $(CAT3) $(CAT5) $(CAT8)
+
+Wall:
+
+install: all
+		for x in man1 man3 man5 man8; do \
+			$(MKINSTALLDIRS) $(DESTDIR)$(mandir)/$$x; done
+		if test "$(disable_cat_manpages)" != "yes"; then \
+		for x in cat1 cat3 cat5 cat8; do \
+			$(MKINSTALLDIRS) $(DESTDIR)$(mandir)/$$x; done \
+		fi
+		@(cd $(srcdir); \
+			for x in $(MAN1) $(MAN8); do \
+				f=`basename $$x`; \
+				b=`echo $$f | sed 's!$(MANRX)!\1!'`; \
+				s=`echo $$x | sed 's!$(MANRX)!\2!'` ; \
+				m=`echo $$b | sed '$(transform)'`.$$s; \
+				echo "$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/man$$s/$$m";\
+				$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/man$$s/$$m; done ;\
+			for x in $(MAN3) $(MAN5); do \
+				f=`basename $$x`; \
+				s=`echo $$f | sed 's!$(MANRX)!\2!'` ; \
+				echo "$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/man$$s/$$f";\
+				$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/man$$s/$$f; done ;\
+			if test "$(disable_cat_manpages)" != "yes"; then \
+			for x in $(CAT1) $(CAT8); do \
+				if test -f $$x; then \
+				f=`basename $$x`; \
+				b=`echo $$f | sed 's!$(CATRX)!\1!'`; \
+				s=`echo $$x | sed 's!$(CATRX)!\2!'`; \
+				m=`echo $$b | sed '$(transform)'`; \
+				echo "$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/cat$$s/$$m.$(CATSUFFIX)";\
+			$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/cat$$s/$$m.$(CATSUFFIX);\
+			 fi; done ;\
+			for x in $(CAT3) $(CAT5); do \
+				if test -f $$x; then \
+				f=`basename $$x`; \
+				s=`echo $$f |  sed 's!$(CATRX)!\2!'`; \
+				b=`echo $$f |  sed 's!$(CATRX)!\1!'`; \
+			echo "$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/cat$$s/$$b.$(CATSUFFIX)";\
+			$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/cat$$s/$$b.$(CATSUFFIX);\
+			 fi; done; fi )
+
+uninstall:
+		for x in $(MAN1) $(MAN8); do \
+			f=`basename $$x`; \
+			b=`echo $$f | sed 's!$(MANRX)!\1!'`; \
+			s=`echo $$x | sed 's!$(MANRX)!\2!'` ; \
+			m=`echo $$b | sed '$(transform)'`.$$s; \
+			rm -f $(DESTDIR)$(mandir)/man$$s/$$m; done
+		for x in $(MAN3) $(MAN5); do \
+			f=`basename $$x`; \
+			s=`echo $$f | sed 's!$(MANRX)!\2!'` ; \
+			rm -f $(DESTDIR)$(mandir)/man$$s/$$f; done
+		for x in $(CAT1) $(CAT8); do \
+			f=`basename $$x`; \
+			b=`echo $$f | sed 's!$(CATRX)!\1!'`; \
+			s=`echo $$x | sed 's!$(CATRX)!\2!'`; \
+			m=`echo $$b | sed '$(transform)'`; \
+			rm -f $(DESTDIR)$(mandir)/cat$$s/$$m.$(CATSUFFIX); done
+		for x in $(CAT3) $(CAT5); do \
+			f=`basename $$x`; \
+			s=`echo $$f | sed 's!$(CATRX)!\2!'`; \
+			b=`echo $$x | sed 's!$(CATRX)!\1!'`; \
+			rm -f $(DESTDIR)$(mandir)/cat$$s/$$b.$(CATSUFFIX); done
+
+clean:
+
+mostlyclean:	clean
+
+distclean:
+	rm -f Makefile *~
+
+realclean:	distclean
+
+.PHONY: all cat Wall install uninstall clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/man/acl_check.3 b/crypto/kerberosIV/man/acl_check.3
new file mode 100644
index 0000000..53bb7c8
--- /dev/null
+++ b/crypto/kerberosIV/man/acl_check.3
@@ -0,0 +1,182 @@
+.\" $Id: acl_check.3,v 1.2 1996/06/12 21:29:08 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH ACL_CHECK 3 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+acl_canonicalize_principal, acl_check, acl_exact_match, acl_add,
+acl_delete, acl_initialize \- Access control list routines
+.SH SYNOPSIS
+.nf
+.nj
+.ft B
+cc <files> \-lacl \-lkrb
+.PP
+.ft B
+#include <krb.h>
+.PP
+.ft B
+acl_canonicalize_principal(principal, buf)
+char *principal;
+char *buf;
+.PP
+.ft B
+acl_check(acl, principal)
+char *acl;
+char *principal;
+.PP
+.ft B
+acl_exact_match(acl, principal)
+char *acl;
+char *principal;
+.PP
+.ft B
+acl_add(acl, principal)
+char *acl;
+char *principal;
+.PP
+.ft B
+acl_delete(acl, principal)
+char *acl;
+char *principal;
+.PP
+.ft B
+acl_initialize(acl_file, mode)
+char *acl_file;
+int mode;
+.fi
+.ft R
+.SH DESCRIPTION
+.SS Introduction
+.PP
+An access control list (ACL) is a list of principals, where each
+principal is represented by a text string which cannot contain
+whitespace.  The library allows application programs to refer to named
+access control lists to test membership and to atomically add and
+delete principals using a natural and intuitive interface.  At
+present, the names of access control lists are required to be Unix
+filenames, and refer to human-readable Unix files; in the future, when
+a networked ACL server is implemented, the names may refer to a
+different namespace specific to the ACL service.
+.PP
+.SS Principal Names
+.PP
+Principal names have the form
+.nf
+.in +5n
+<name>[.<instance>][@<realm>]
+.in -5n
+e.g.:
+.in +5n
+asp
+asp.root
+asp@ATHENA.MIT.EDU
+asp.@ATHENA.MIT.EDU
+asp.root@ATHENA.MIT.EDU
+.in -5n
+.fi
+It is possible for principals to be underspecified.  If an instance is
+missing, it is assumed to be "".  If realm is missing, it is assumed
+to be the local realm as determined by
+.IR krb_get_lrealm (3).
+The canonical form contains all of name, instance,
+and realm; the acl_add and acl_delete routines will always
+leave the file in that form.  Note that the canonical form of
+asp@ATHENA.MIT.EDU is actually asp.@ATHENA.MIT.EDU.
+.SS Routines
+.PP
+.I acl_canonicalize_principal
+stores the canonical form of 
+.I principal
+in 
+.IR buf .
+.I Buf
+must contain enough
+space to store a principal, given the limits on the sizes of name,
+instance, and realm specified as ANAME_SZ, INST_SZ, and REALM_SZ,
+respectively, in
+.IR /usr/include/krb.h .
+.PP
+.I acl_check
+returns nonzero if
+.I principal
+appears in 
+.IR acl .
+Returns 0 if principal
+does not appear in acl, or if an error occurs.  Canonicalizes
+principal before checking, and allows the ACL to contain wildcards.  The
+only supported wildcards are entries of the form
+name.*@realm, *.*@realm, and *.*@*.  An asterisk matches any value for the
+its component field.  For example, "jtkohl.*@*" would match principal
+jtkohl, with any instance and any realm.
+.PP
+.I acl_exact_match
+performs like 
+.IR acl_check ,
+but does no canonicalization or wildcard matching.
+.PP
+.I acl_add
+atomically adds 
+.I principal
+to 
+.IR acl .
+Returns 0 if successful, nonzero otherwise.  It is considered a failure
+if
+.I principal
+is already in 
+.IR acl .
+This routine will canonicalize
+.IR principal ,
+but will treat wildcards literally.
+.PP
+.I acl_delete
+atomically deletes 
+.I principal
+from 
+.IR acl .
+Returns 0 if successful,
+nonzero otherwise.  It is considered a failure if 
+.I principal
+is not
+already in 
+.IR acl .
+This routine will canonicalize 
+.IR principal ,
+but will treat wildcards literally.
+.PP
+.I acl_initialize
+initializes
+.IR acl_file .
+If the file 
+.I acl_file
+does not exist,
+.I acl_initialize
+creates it with mode
+.IR mode .
+If the file
+.I acl_file
+exists,
+.I acl_initialize
+removes all members.  Returns 0 if successful,
+nonzero otherwise.  WARNING: Mode argument is likely to change with
+the eventual introduction of an ACL service.  
+.SH NOTES
+In the presence of concurrency, there is a very small chance that
+.I acl_add
+or
+.I acl_delete
+could report success even though it would have
+had no effect.  This is a necessary side effect of using lock files
+for concurrency control rather than flock(2), which is not supported
+by NFS.
+.PP
+The current implementation caches ACLs in memory in a hash-table
+format for increased efficiency in checking membership; one effect of
+the caching scheme is that one file descriptor will be kept open for
+each ACL cached, up to a maximum of 8.
+.SH SEE ALSO
+kerberos(3), krb_get_lrealm(3)
+.SH AUTHOR
+James Aspnes (MIT Project Athena)
diff --git a/crypto/kerberosIV/man/afslog.1 b/crypto/kerberosIV/man/afslog.1
new file mode 100644
index 0000000..5202a71
--- /dev/null
+++ b/crypto/kerberosIV/man/afslog.1
@@ -0,0 +1,71 @@
+.\" $Id: afslog.1,v 1.3 1998/06/30 15:28:48 assar Exp $
+.\"
+.Dd April 27, 1996
+.Dt AFSLOG 1
+.Os KTH-KRB
+.Sh NAME
+.Nm afslog
+.Nd "obtains AFS tokens for specified cells"
+.Sh SYNOPSIS
+.Nm
+.Op Fl d
+.Op Fl c Ar cell
+.Op Fl k Ar realm
+.Op Fl p Pa path
+.Op Fl unlog
+.Op Fl createuser
+.Op Ar args
+.Sh DESCRIPTION
+The
+.Nm
+command obtains AFS tokens, 
+.Ar args
+are either a name of a cell or a pathnames of a file in the cell to
+get tokens for. If an argument is 
+.Li .
+or 
+.Li ..
+or contains a slash it is assumed to be a pathname. Otherwise it is
+assumed to be a name of a cell or a prefix thereof.
+.Pp
+The
+.Fl c
+and
+.Fl p
+flags can be used to resolve ambiguities.
+.Pp
+.Nm
+might fail to guess the Kerberos realm to get tickets for (for
+instance if the volume location servers of the cell does not reside in
+the kerberos realm that holds the AFS service key, and the correct
+realm isn't the same as the cell name or the local realm (I didn't say
+this was a common problem)). Anyway, the
+.Fl k
+can be used to give a hint. It should not be used unless there is a
+problem, since all tickets will be taken from the specified realm and
+this is not (usually) what you want.
+.Pp
+.Fl createuser
+means that
+.Nm
+should try to run
+.Nm pts
+to create a remote user principal in another cell.
+.Fl d
+can be used for debugging.
+.Pp
+If the
+.Fl unlog
+flag is given any tokens are removed and all other arguments are ignored.
+.Sh SEE ALSO
+.Xr kauth 1 ,
+.Xr kafs 3
+.Sh BUGS
+It should be able to handle the MIT Athena
+.Nm aklog
+flags
+.Fl hosts , 
+.Fl zsubs , 
+and
+.Fl noprdb ,
+but does not.
diff --git a/crypto/kerberosIV/man/ext_srvtab.8 b/crypto/kerberosIV/man/ext_srvtab.8
new file mode 100644
index 0000000..4f2c120
--- /dev/null
+++ b/crypto/kerberosIV/man/ext_srvtab.8
@@ -0,0 +1,62 @@
+.\" $Id: ext_srvtab.8,v 1.3 1997/04/02 21:09:51 assar Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH EXT_SRVTAB 8 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+ext_srvtab \- extract service key files from Kerberos key distribution center database
+.SH SYNOPSIS
+ext_srvtab [
+.B \-n
+] [
+.B \-r realm
+] [
+.B hostname ...
+]
+.SH DESCRIPTION
+.I ext_srvtab
+extracts service key files from the Kerberos key distribution center
+(KDC) database.
+.PP
+Upon execution, it prompts the user to enter the master key string for
+the database.  If the
+.B \-n
+option is specified, the master key is instead fetched from the master
+key cache file.
+.PP
+For each
+.I hostname
+specified on the command line, 
+.I ext_srvtab
+creates the service key file
+.IR hostname -new-srvtab,
+containing all the entries in the database with an instance field of
+.I hostname.
+This new file contains all the keys registered for Kerberos-mediated
+service providing programs which use the 
+.IR krb_get_phost (3)
+principal and instance conventions to run on the host
+.IR hostname .
+If the
+.B \-r
+option is specified, the realm fields in the extracted file will
+match the given realm rather than the local realm.
+.SH DIAGNOSTICS
+.TP 20n
+"verify_master_key: Invalid master key, does not match database."
+The master key string entered was incorrect.
+.SH FILES
+.TP 20n
+.IR hostname -new-srvtab
+Service key file generated for
+.I hostname
+.TP
+/var/kerberos/principal.pag, /var/kerberos/principal.dir
+DBM files containing database
+.TP
+/.k
+Master key cache file.
+.SH SEE ALSO
+read_service_key(3), krb_get_phost(3)
diff --git a/crypto/kerberosIV/man/ftp.1 b/crypto/kerberosIV/man/ftp.1
new file mode 100644
index 0000000..9ad7f4c
--- /dev/null
+++ b/crypto/kerberosIV/man/ftp.1
@@ -0,0 +1,1193 @@
+.\" 	$NetBSD: ftp.1,v 1.11 1995/09/08 01:06:24 tls Exp $
+.\"
+.\" Copyright (c) 1985, 1989, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)ftp.1	8.3 (Berkeley) 10/9/94
+.\"
+.Dd April 27, 1996
+.Dt FTP 1
+.Os BSD 4.2
+.Sh NAME
+.Nm ftp
+.Nd
+.Tn ARPANET
+file transfer program
+.Sh SYNOPSIS
+.Nm ftp
+.Op Fl t
+.Op Fl v
+.Op Fl d
+.Op Fl i
+.Op Fl n
+.Op Fl g
+.Op Fl p
+.Op Ar host
+.Sh DESCRIPTION
+.Nm Ftp
+is the user interface to the
+.Tn ARPANET
+standard File Transfer Protocol.
+The program allows a user to transfer files to and from a
+remote network site.
+.Pp
+Modifications has been made so that it almost follows the ftpsec
+Internet draft.
+.Pp
+Options may be specified at the command line, or to the
+command interpreter.
+.Bl -tag -width flag
+.It Fl t
+Enables packet tracing.
+.It Fl v
+Verbose option forces
+.Nm ftp
+to show all responses from the remote server, as well
+as report on data transfer statistics.
+.It Fl n
+Restrains
+.Nm ftp
+from attempting \*(Lqauto-login\*(Rq upon initial connection.
+If auto-login is enabled,
+.Nm ftp
+will check the
+.Pa .netrc
+(see below) file in the user's home directory for an entry describing
+an account on the remote machine.
+If no entry exists,
+.Nm ftp
+will prompt for the remote machine login name (default is the user
+identity on the local machine), and, if necessary, prompt for a password
+and an account with which to login.
+.It Fl i
+Turns off interactive prompting during
+multiple file transfers.
+.It Fl p
+Turn on passive mode.
+.It Fl d
+Enables debugging.
+.It Fl g
+Disables file name globbing.
+.El
+.Pp
+The client host with which
+.Nm ftp
+is to communicate may be specified on the command line.
+If this is done,
+.Nm ftp
+will immediately attempt to establish a connection to an
+.Tn FTP
+server on that host; otherwise,
+.Nm ftp
+will enter its command interpreter and await instructions
+from the user.
+When
+.Nm ftp
+is awaiting commands from the user the prompt
+.Ql ftp>
+is provided to the user.
+The following commands are recognized
+by
+.Nm ftp  :
+.Bl -tag -width Fl
+.It Ic \&! Op Ar command Op Ar args
+Invoke an interactive shell on the local machine.
+If there are arguments, the first is taken to be a command to execute
+directly, with the rest of the arguments as its arguments.
+.It Ic \&$ Ar macro-name Op Ar args
+Execute the macro
+.Ar macro-name
+that was defined with the
+.Ic macdef
+command.
+Arguments are passed to the macro unglobbed.
+.It Ic account Op Ar passwd
+Supply a supplemental password required by a remote system for access
+to resources once a login has been successfully completed.
+If no argument is included, the user will be prompted for an account
+password in a non-echoing input mode.
+.It Ic append Ar local-file Op Ar remote-file
+Append a local file to a file on the remote machine.
+If
+.Ar remote-file
+is left unspecified, the local file name is used in naming the
+remote file after being altered by any
+.Ic ntrans
+or
+.Ic nmap
+setting.
+File transfer uses the current settings for
+.Ic type  ,
+.Ic format ,
+.Ic mode  ,
+and
+.Ic structure .
+.It Ic ascii
+Set the file transfer
+.Ic type
+to network
+.Tn ASCII .
+This is the default type.
+.It Ic bell
+Arrange that a bell be sounded after each file transfer
+command is completed.
+.It Ic binary
+Set the file transfer
+.Ic type
+to support binary image transfer.
+.It Ic bye
+Terminate the
+.Tn FTP
+session with the remote server
+and exit
+.Nm ftp  .
+An end of file will also terminate the session and exit.
+.It Ic case
+Toggle remote computer file name case mapping during
+.Ic mget
+commands.
+When
+.Ic case
+is on (default is off), remote computer file names with all letters in
+upper case are written in the local directory with the letters mapped
+to lower case.
+.It Ic \&cd Ar remote-directory
+Change the working directory on the remote machine
+to
+.Ar remote-directory  .
+.It Ic cdup
+Change the remote machine working directory to the parent of the
+current remote machine working directory.
+.It Ic chmod Ar mode file-name
+Change the permission modes of the file
+.Ar file-name
+on the remote
+sytem to
+.Ar mode  .
+.It Ic close
+Terminate the
+.Tn FTP
+session with the remote server, and
+return to the command interpreter.
+Any defined macros are erased.
+.It Ic \&cr
+Toggle carriage return stripping during
+ascii type file retrieval.
+Records are denoted by a carriage return/linefeed sequence
+during ascii type file transfer.
+When
+.Ic \&cr
+is on (the default), carriage returns are stripped from this
+sequence to conform with the
+.Ux
+single linefeed record
+delimiter.
+Records on
+.Pf non\- Ns Ux
+remote systems may contain single linefeeds;
+when an ascii type transfer is made, these linefeeds may be
+distinguished from a record delimiter only when
+.Ic \&cr
+is off.
+.It Ic delete Ar remote-file
+Delete the file
+.Ar remote-file
+on the remote machine.
+.It Ic debug Op Ar debug-value
+Toggle debugging mode.
+If an optional
+.Ar debug-value
+is specified it is used to set the debugging level.
+When debugging is on,
+.Nm ftp
+prints each command sent to the remote machine, preceded
+by the string
+.Ql \-\->
+.It Xo
+.Ic dir
+.Op Ar remote-directory
+.Op Ar local-file
+.Xc
+Print a listing of the directory contents in the
+directory,
+.Ar remote-directory  ,
+and, optionally, placing the output in
+.Ar local-file  .
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic dir
+output.
+If no directory is specified, the current working
+directory on the remote machine is used.
+If no local
+file is specified, or
+.Ar local-file
+is
+.Fl  ,
+output comes to the terminal.
+.It Ic disconnect
+A synonym for
+.Ar close  .
+.It Ic form Ar format
+Set the file transfer
+.Ic form
+to
+.Ar format  .
+The default format is \*(Lqfile\*(Rq.
+.It Ic get Ar remote-file Op Ar local-file
+Retrieve the
+.Ar remote-file
+and store it on the local machine.
+If the local
+file name is not specified, it is given the same
+name it has on the remote machine, subject to
+alteration by the current
+.Ic case  ,
+.Ic ntrans ,
+and
+.Ic nmap
+settings.
+The current settings for
+.Ic type  ,
+.Ic form ,
+.Ic mode  ,
+and
+.Ic structure
+are used while transferring the file.
+.It Ic glob
+Toggle filename expansion for
+.Ic mdelete  ,
+.Ic mget
+and
+.Ic mput  .
+If globbing is turned off with
+.Ic glob  ,
+the file name arguments
+are taken literally and not expanded.
+Globbing for
+.Ic mput
+is done as in
+.Xr csh 1 .
+For
+.Ic mdelete
+and
+.Ic mget  ,
+each remote file name is expanded
+separately on the remote machine and the lists are not merged.
+Expansion of a directory name is likely to be
+different from expansion of the name of an ordinary file:
+the exact result depends on the foreign operating system and ftp server,
+and can be previewed by doing
+.Ql mls remote-files \- .
+As a security measure, remotely globbed files that starts with
+.Sq /
+or contains
+.Sq ../ ,
+will not be automatically received. If you have interactive prompting
+turned off, these filenames will be ignored.  Note:
+.Ic mget
+and
+.Ic mput
+are not meant to transfer
+entire directory subtrees of files.
+That can be done by
+transferring a
+.Xr tar 1
+archive of the subtree (in binary mode).
+.It Ic hash
+Toggle hash-sign (``#'') printing for each data block
+transferred.
+The size of a data block is 1024 bytes.
+.It Ic help Op Ar command
+Print an informative message about the meaning of
+.Ar command  .
+If no argument is given,
+.Nm ftp
+prints a list of the known commands.
+.It Ic idle Op Ar seconds
+Set the inactivity timer on the remote server to
+.Ar seconds
+seconds.
+If
+.Ar seconds
+is omitted, the current inactivity timer is printed.
+.It Ic lcd Op Ar directory
+Change the working directory on the local machine.
+If
+no
+.Ar directory
+is specified, the user's home directory is used.
+.It Xo
+.Ic \&ls
+.Op Ar remote-directory
+.Op Ar local-file
+.Xc
+Print a listing of the contents of a
+directory on the remote machine.
+The listing includes any system-dependent information that the server
+chooses to include; for example, most
+.Ux
+systems will produce
+output from the command
+.Ql ls \-l .
+(See also
+.Ic nlist . )
+If
+.Ar remote-directory
+is left unspecified, the current working directory is used.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic \&ls
+output.
+If no local file is specified, or if
+.Ar local-file
+is
+.Sq Fl ,
+the output is sent to the terminal.
+.It Ic macdef Ar macro-name
+Define a macro.
+Subsequent lines are stored as the macro
+.Ar macro-name  ;
+a null line (consecutive newline characters
+in a file or
+carriage returns from the terminal) terminates macro input mode.
+There is a limit of 16 macros and 4096 total characters in all
+defined macros.
+Macros remain defined until a
+.Ic close
+command is executed.
+The macro processor interprets `$' and `\e' as special characters.
+A `$' followed by a number (or numbers) is replaced by the
+corresponding argument on the macro invocation command line.
+A `$' followed by an `i' signals that macro processor that the
+executing macro is to be looped.
+On the first pass `$i' is
+replaced by the first argument on the macro invocation command line,
+on the second pass it is replaced by the second argument, and so on.
+A `\e' followed by any character is replaced by that character.
+Use the `\e' to prevent special treatment of the `$'.
+.It Ic mdelete Op Ar remote-files
+Delete the
+.Ar remote-files
+on the remote machine.
+.It Ic mdir Ar remote-files local-file
+Like
+.Ic dir  ,
+except multiple remote files may be specified.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic mdir
+output.
+.It Ic mget Ar remote-files
+Expand the
+.Ar remote-files
+on the remote machine
+and do a
+.Ic get
+for each file name thus produced.
+See
+.Ic glob
+for details on the filename expansion.
+Resulting file names will then be processed according to
+.Ic case  ,
+.Ic ntrans ,
+and
+.Ic nmap
+settings.
+Files are transferred into the local working directory,
+which can be changed with
+.Ql lcd directory ;
+new local directories can be created with
+.Ql "\&! mkdir directory" .
+.It Ic mkdir Ar directory-name
+Make a directory on the remote machine.
+.It Ic mls Ar remote-files local-file
+Like
+.Ic nlist  ,
+except multiple remote files may be specified,
+and the
+.Ar local-file
+must be specified.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic mls
+output.
+.It Ic mode Op Ar mode-name
+Set the file transfer
+.Ic mode
+to
+.Ar mode-name  .
+The default mode is \*(Lqstream\*(Rq mode.
+.It Ic modtime Ar file-name
+Show the last modification time of the file on the remote machine.
+.It Ic mput Ar local-files
+Expand wild cards in the list of local files given as arguments
+and do a
+.Ic put
+for each file in the resulting list.
+See
+.Ic glob
+for details of filename expansion.
+Resulting file names will then be processed according to
+.Ic ntrans
+and
+.Ic nmap
+settings.
+.It Ic newer Ar file-name
+Get the file only if the modification time of the remote file is more
+recent that the file on the current system.
+If the file does not
+exist on the current system, the remote file is considered
+.Ic newer  .
+Otherwise, this command is identical to
+.Ar get  .
+.It Xo
+.Ic nlist
+.Op Ar remote-directory
+.Op Ar local-file
+.Xc
+Print a  list of the files in a
+directory on the remote machine.
+If
+.Ar remote-directory
+is left unspecified, the current working directory is used.
+If interactive prompting is on,
+.Nm ftp
+will prompt the user to verify that the last argument is indeed the
+target local file for receiving
+.Ic nlist
+output.
+If no local file is specified, or if
+.Ar local-file
+is
+.Fl  ,
+the output is sent to the terminal.
+.It Ic nmap Op Ar inpattern outpattern
+Set or unset the filename mapping mechanism.
+If no arguments are specified, the filename mapping mechanism is unset.
+If arguments are specified, remote filenames are mapped during
+.Ic mput
+commands and
+.Ic put
+commands issued without a specified remote target filename.
+If arguments are specified, local filenames are mapped during
+.Ic mget
+commands and
+.Ic get
+commands issued without a specified local target filename.
+This command is useful when connecting to a
+.No non\- Ns Ux
+remote computer
+with different file naming conventions or practices.
+The mapping follows the pattern set by
+.Ar inpattern
+and
+.Ar outpattern  .
+.Op Ar Inpattern
+is a template for incoming filenames (which may have already been
+processed according to the
+.Ic ntrans
+and
+.Ic case
+settings).
+Variable templating is accomplished by including the
+sequences `$1', `$2', ..., `$9' in
+.Ar inpattern  .
+Use `\\' to prevent this special treatment of the `$' character.
+All other characters are treated literally, and are used to determine the
+.Ic nmap
+.Op Ar inpattern
+variable values.
+For example, given
+.Ar inpattern
+$1.$2 and the remote file name "mydata.data", $1 would have the value
+"mydata", and $2 would have the value "data".
+The
+.Ar outpattern
+determines the resulting mapped filename.
+The sequences `$1', `$2', ...., `$9' are replaced by any value resulting
+from the
+.Ar inpattern
+template.
+The sequence `$0' is replace by the original filename.
+Additionally, the sequence
+.Ql Op Ar seq1 , Ar seq2
+is replaced by
+.Op Ar seq1
+if
+.Ar seq1
+is not a null string; otherwise it is replaced by
+.Ar seq2 .
+For example, the command
+.Pp
+.Bd -literal -offset indent -compact
+nmap $1.$2.$3 [$1,$2].[$2,file]
+.Ed
+.Pp
+would yield
+the output filename "myfile.data" for input filenames "myfile.data" and
+"myfile.data.old", "myfile.file" for the input filename "myfile", and
+"myfile.myfile" for the input filename ".myfile".
+Spaces may be included in
+.Ar outpattern  ,
+as in the example: `nmap $1 sed "s/  *$//" > $1' .
+Use the `\e' character to prevent special treatment
+of the `$','[','[', and `,' characters.
+.It Ic ntrans Op Ar inchars Op Ar outchars
+Set or unset the filename character translation mechanism.
+If no arguments are specified, the filename character
+translation mechanism is unset.
+If arguments are specified, characters in
+remote filenames are translated during
+.Ic mput
+commands and
+.Ic put
+commands issued without a specified remote target filename.
+If arguments are specified, characters in
+local filenames are translated during
+.Ic mget
+commands and
+.Ic get
+commands issued without a specified local target filename.
+This command is useful when connecting to a
+.No non\- Ns Ux
+remote computer
+with different file naming conventions or practices.
+Characters in a filename matching a character in
+.Ar inchars
+are replaced with the corresponding character in
+.Ar outchars  .
+If the character's position in
+.Ar inchars
+is longer than the length of
+.Ar outchars  ,
+the character is deleted from the file name.
+.It Ic open Ar host Op Ar port
+Establish a connection to the specified
+.Ar host
+.Tn FTP
+server.
+An optional port number may be supplied,
+in which case,
+.Nm ftp
+will attempt to contact an
+.Tn FTP
+server at that port.
+If the
+.Ic auto-login
+option is on (default),
+.Nm ftp
+will also attempt to automatically log the user in to
+the
+.Tn FTP
+server (see below).
+.It Ic passive
+Toggle passive mode.  If passive mode is turned on
+(default is off), the ftp client will
+send a
+.Dv PASV
+command for all data connections instead of the usual
+.Dv PORT
+command.  The
+.Dv PASV
+command requests that the remote server open a port for the data connection
+and return the address of that port.  The remote server listens on that
+port and the client connects to it.  When using the more traditional
+.Dv PORT
+command, the client listens on a port and sends that address to the remote
+server, who connects back to it.  Passive mode is useful when using
+.Nm ftp
+through a gateway router or host that controls the directionality of
+traffic.
+(Note that though ftp servers are required to support the
+.Dv PASV
+command by RFC 1123, some do not.)
+.It Ic prompt
+Toggle interactive prompting.
+Interactive prompting
+occurs during multiple file transfers to allow the
+user to selectively retrieve or store files.
+If prompting is turned off (default is on), any
+.Ic mget
+or
+.Ic mput
+will transfer all files, and any
+.Ic mdelete
+will delete all files.
+.It Ic proxy Ar ftp-command
+Execute an ftp command on a secondary control connection.
+This command allows simultaneous connection to two remote ftp
+servers for transferring files between the two servers.
+The first
+.Ic proxy
+command should be an
+.Ic open  ,
+to establish the secondary control connection.
+Enter the command "proxy ?" to see other ftp commands executable on the
+secondary connection.
+The following commands behave differently when prefaced by
+.Ic proxy  :
+.Ic open
+will not define new macros during the auto-login process,
+.Ic close
+will not erase existing macro definitions,
+.Ic get
+and
+.Ic mget
+transfer files from the host on the primary control connection
+to the host on the secondary control connection, and
+.Ic put  ,
+.Ic mput ,
+and
+.Ic append
+transfer files from the host on the secondary control connection
+to the host on the primary control connection.
+Third party file transfers depend upon support of the ftp protocol
+.Dv PASV
+command by the server on the secondary control connection.
+.It Ic put Ar local-file Op Ar remote-file
+Store a local file on the remote machine.
+If
+.Ar remote-file
+is left unspecified, the local file name is used
+after processing according to any
+.Ic ntrans
+or
+.Ic nmap
+settings
+in naming the remote file.
+File transfer uses the
+current settings for
+.Ic type  ,
+.Ic format ,
+.Ic mode  ,
+and
+.Ic structure  .
+.It Ic pwd
+Print the name of the current working directory on the remote
+machine.
+.It Ic quit
+A synonym for
+.Ic bye  .
+.It Ic quote Ar arg1 arg2 ...
+The arguments specified are sent, verbatim, to the remote
+.Tn FTP
+server.
+.It Ic recv Ar remote-file Op Ar local-file
+A synonym for get.
+.It Ic reget Ar remote-file Op Ar local-file
+Reget acts like get, except that if
+.Ar local-file
+exists and is
+smaller than
+.Ar remote-file  ,
+.Ar local-file
+is presumed to be
+a partially transferred copy of
+.Ar remote-file
+and the transfer
+is continued from the apparent point of failure.
+This command
+is useful when transferring very large files over networks that
+are prone to dropping connections.
+.It Ic remotehelp Op Ar command-name
+Request help from the remote
+.Tn FTP
+server.
+If a
+.Ar command-name
+is specified it is supplied to the server as well.
+.It Ic remotestatus Op Ar file-name
+With no arguments, show status of remote machine.
+If
+.Ar file-name
+is specified, show status of
+.Ar file-name
+on remote machine.
+.It Xo
+.Ic rename
+.Op Ar from
+.Op Ar to
+.Xc
+Rename the file
+.Ar from
+on the remote machine, to the file
+.Ar to  .
+.It Ic reset
+Clear reply queue.
+This command re-synchronizes command/reply sequencing with the remote
+ftp server.
+Resynchronization may be necessary following a violation of the ftp protocol
+by the remote server.
+.It Ic restart Ar marker
+Restart the immediately following
+.Ic get
+or
+.Ic put
+at the
+indicated
+.Ar marker  .
+On
+.Ux
+systems, marker is usually a byte
+offset into the file.
+.It Ic rmdir Ar directory-name
+Delete a directory on the remote machine.
+.It Ic runique
+Toggle storing of files on the local system with unique filenames.
+If a file already exists with a name equal to the target
+local filename for a
+.Ic get
+or
+.Ic mget
+command, a ".1" is appended to the name.
+If the resulting name matches another existing file,
+a ".2" is appended to the original name.
+If this process continues up to ".99", an error
+message is printed, and the transfer does not take place.
+The generated unique filename will be reported.
+Note that
+.Ic runique
+will not affect local files generated from a shell command
+(see below).
+The default value is off.
+.It Ic send Ar local-file Op Ar remote-file
+A synonym for put.
+.It Ic sendport
+Toggle the use of
+.Dv PORT
+commands.
+By default,
+.Nm ftp
+will attempt to use a
+.Dv PORT
+command when establishing
+a connection for each data transfer.
+The use of
+.Dv PORT
+commands can prevent delays
+when performing multiple file transfers.
+If the
+.Dv PORT
+command fails,
+.Nm ftp
+will use the default data port.
+When the use of
+.Dv PORT
+commands is disabled, no attempt will be made to use
+.Dv PORT
+commands for each data transfer.
+This is useful
+for certain
+.Tn FTP
+implementations which do ignore
+.Dv PORT
+commands but, incorrectly, indicate they've been accepted.
+.It Ic site Ar arg1 arg2 ...
+The arguments specified are sent, verbatim, to the remote
+.Tn FTP
+server as a
+.Dv SITE
+command.
+.It Ic size Ar file-name
+Return size of
+.Ar file-name
+on remote machine.
+.It Ic status
+Show the current status of
+.Nm ftp  .
+.It Ic struct Op Ar struct-name
+Set the file transfer
+.Ar structure
+to
+.Ar struct-name .
+By default \*(Lqstream\*(Rq structure is used.
+.It Ic sunique
+Toggle storing of files on remote machine under unique file names.
+Remote ftp server must support ftp protocol
+.Dv STOU
+command for
+successful completion.
+The remote server will report unique name.
+Default value is off.
+.It Ic system
+Show the type of operating system running on the remote machine.
+.It Ic tenex
+Set the file transfer type to that needed to
+talk to
+.Tn TENEX
+machines.
+.It Ic trace
+Toggle packet tracing.
+.It Ic type Op Ar type-name
+Set the file transfer
+.Ic type
+to
+.Ar type-name  .
+If no type is specified, the current type
+is printed.
+The default type is network
+.Tn ASCII .
+.It Ic umask Op Ar newmask
+Set the default umask on the remote server to
+.Ar newmask  .
+If
+.Ar newmask
+is omitted, the current umask is printed.
+.It Xo
+.Ic user Ar user-name
+.Op Ar password
+.Op Ar account
+.Xc
+Identify yourself to the remote
+.Tn FTP
+server.
+If the
+.Ar password
+is not specified and the server requires it,
+.Nm ftp
+will prompt the user for it (after disabling local echo).
+If an
+.Ar account
+field is not specified, and the
+.Tn FTP
+server
+requires it, the user will be prompted for it.
+If an
+.Ar account
+field is specified, an account command will
+be relayed to the remote server after the login sequence
+is completed if the remote server did not require it
+for logging in.
+Unless
+.Nm ftp
+is invoked with \*(Lqauto-login\*(Rq disabled, this
+process is done automatically on initial connection to
+the
+.Tn FTP
+server.
+.It Ic verbose
+Toggle verbose mode.
+In verbose mode, all responses from
+the
+.Tn FTP
+server are displayed to the user.
+In addition,
+if verbose is on, when a file transfer completes, statistics
+regarding the efficiency of the transfer are reported.
+By default,
+verbose is on.
+.It Ic \&? Op Ar command
+A synonym for help.
+.El
+.Pp
+The following command can be used with ftpsec-aware servers.
+.Bl -tag -width Fl
+.It Xo
+.Ic prot 
+.Ar clear | 
+.Ar safe | 
+.Ar confidential | 
+.Ar private
+.Xc
+Set the data protection level to the requested level.
+.El
+.Pp
+The following command can be used with ftp servers that has
+implemented the KAUTH site command.
+.Bl -tag -width Fl
+.It Ic kauth Op Ar principal
+Obtain remote tickets.
+.El
+.Pp
+Command arguments which have embedded spaces may be quoted with
+quote `"' marks.
+.Sh ABORTING A FILE TRANSFER
+To abort a file transfer, use the terminal interrupt key
+(usually Ctrl-C).
+Sending transfers will be immediately halted.
+Receiving transfers will be halted by sending a ftp protocol
+.Dv ABOR
+command to the remote server, and discarding any further data received.
+The speed at which this is accomplished depends upon the remote
+server's support for
+.Dv ABOR
+processing.
+If the remote server does not support the
+.Dv ABOR
+command, an
+.Ql ftp>
+prompt will not appear until the remote server has completed
+sending the requested file.
+.Pp
+The terminal interrupt key sequence will be ignored when
+.Nm ftp
+has completed any local processing and is awaiting a reply
+from the remote server.
+A long delay in this mode may result from the ABOR processing described
+above, or from unexpected behavior by the remote server, including
+violations of the ftp protocol.
+If the delay results from unexpected remote server behavior, the local
+.Nm ftp
+program must be killed by hand.
+.Sh FILE NAMING CONVENTIONS
+Files specified as arguments to
+.Nm ftp
+commands are processed according to the following rules.
+.Bl -enum
+.It
+If the file name
+.Sq Fl
+is specified, the
+.Ar stdin
+(for reading) or
+.Ar stdout
+(for writing) is used.
+.It
+If the first character of the file name is
+.Sq \&| ,
+the
+remainder of the argument is interpreted as a shell command.
+.Nm Ftp
+then forks a shell, using
+.Xr popen 3
+with the argument supplied, and reads (writes) from the stdout
+(stdin).
+If the shell command includes spaces, the argument
+must be quoted; e.g.
+\*(Lq" ls -lt"\*(Rq.
+A particularly
+useful example of this mechanism is: \*(Lqdir more\*(Rq.
+.It
+Failing the above checks, if ``globbing'' is enabled,
+local file names are expanded
+according to the rules used in the
+.Xr csh  1  ;
+c.f. the
+.Ic glob
+command.
+If the
+.Nm ftp
+command expects a single local file (.e.g.
+.Ic put  ) ,
+only the first filename generated by the "globbing" operation is used.
+.It
+For
+.Ic mget
+commands and
+.Ic get
+commands with unspecified local file names, the local filename is
+the remote filename, which may be altered by a
+.Ic case  ,
+.Ic ntrans ,
+or
+.Ic nmap
+setting.
+The resulting filename may then be altered if
+.Ic runique
+is on.
+.It
+For
+.Ic mput
+commands and
+.Ic put
+commands with unspecified remote file names, the remote filename is
+the local filename, which may be altered by a
+.Ic ntrans
+or
+.Ic nmap
+setting.
+The resulting filename may then be altered by the remote server if
+.Ic sunique
+is on.
+.El
+.Sh FILE TRANSFER PARAMETERS
+The FTP specification specifies many parameters which may
+affect a file transfer.
+The
+.Ic type
+may be one of \*(Lqascii\*(Rq, \*(Lqimage\*(Rq (binary),
+\*(Lqebcdic\*(Rq, and \*(Lqlocal byte size\*(Rq (for
+.Tn PDP Ns -10's
+and
+.Tn PDP Ns -20's
+mostly).
+.Nm Ftp
+supports the ascii and image types of file transfer,
+plus local byte size 8 for
+.Ic tenex
+mode transfers.
+.Pp
+.Nm Ftp
+supports only the default values for the remaining
+file transfer parameters:
+.Ic mode  ,
+.Ic form ,
+and
+.Ic struct  .
+.Sh THE .netrc FILE
+The
+.Pa .netrc
+file contains login and initialization information
+used by the auto-login process.
+It resides in the user's home directory.
+The following tokens are recognized; they may be separated by spaces,
+tabs, or new-lines:
+.Bl -tag -width password
+.It Ic machine Ar name
+Identify a remote machine
+.Ar name .
+The auto-login process searches the
+.Pa .netrc
+file for a
+.Ic machine
+token that matches the remote machine specified on the
+.Nm ftp
+command line or as an
+.Ic open
+command argument.
+Once a match is made, the subsequent
+.Pa .netrc
+tokens are processed,
+stopping when the end of file is reached or another
+.Ic machine
+or a
+.Ic default
+token is encountered.
+.It Ic default
+This is the same as
+.Ic machine
+.Ar name
+except that
+.Ic default
+matches any name.
+There can be only one
+.Ic default
+token, and it must be after all
+.Ic machine
+tokens.
+This is normally used as:
+.Pp
+.Dl default login anonymous password user@site
+.Pp
+thereby giving the user
+.Ar automatic
+anonymous ftp login to
+machines not specified in
+.Pa .netrc .
+This can be overridden
+by using the
+.Fl n
+flag to disable auto-login.
+.It Ic login Ar name
+Identify a user on the remote machine.
+If this token is present, the auto-login process will initiate
+a login using the specified
+.Ar name .
+.It Ic password Ar string
+Supply a password.
+If this token is present, the auto-login process will supply the
+specified string if the remote server requires a password as part
+of the login process.
+Note that if this token is present in the
+.Pa .netrc
+file for any user other
+than
+.Ar anonymous  ,
+.Nm ftp
+will abort the auto-login process if the
+.Pa .netrc
+is readable by
+anyone besides the user.
+.It Ic account Ar string
+Supply an additional account password.
+If this token is present, the auto-login process will supply the
+specified string if the remote server requires an additional
+account password, or the auto-login process will initiate an
+.Dv ACCT
+command if it does not.
+.It Ic macdef Ar name
+Define a macro.
+This token functions like the
+.Nm ftp
+.Ic macdef
+command functions.
+A macro is defined with the specified name; its contents begin with the
+next
+.Pa .netrc
+line and continue until a null line (consecutive new-line
+characters) is encountered.
+If a macro named
+.Ic init
+is defined, it is automatically executed as the last step in the
+auto-login process.
+.El
+.Sh ENVIRONMENT
+.Nm Ftp
+utilizes the following environment variables.
+.Bl -tag -width Fl
+.It Ev HOME
+For default location of a
+.Pa .netrc
+file, if one exists.
+.It Ev SHELL
+For default shell.
+.El
+.Sh SEE ALSO
+.Xr ftpd 8 ,
+.%T RFC2228
+.Sh HISTORY
+The
+.Nm ftp
+command appeared in
+.Bx 4.2 .
+.Sh BUGS
+Correct execution of many commands depends upon proper behavior
+by the remote server.
+.Pp
+An error in the treatment of carriage returns
+in the
+.Bx 4.2
+ascii-mode transfer code
+has been corrected.
+This correction may result in incorrect transfers of binary files
+to and from
+.Bx 4.2
+servers using the ascii type.
+Avoid this problem by using the binary image type.
diff --git a/crypto/kerberosIV/man/ftpd.8 b/crypto/kerberosIV/man/ftpd.8
new file mode 100644
index 0000000..745090c
--- /dev/null
+++ b/crypto/kerberosIV/man/ftpd.8
@@ -0,0 +1,473 @@
+.\"	$NetBSD: ftpd.8,v 1.7 1995/04/11 02:44:53 cgd Exp $
+.\"
+.\" Copyright (c) 1985, 1988, 1991, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     @(#)ftpd.8	8.2 (Berkeley) 4/19/94
+.\"
+.Dd April 19, 1997
+.Dt FTPD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm ftpd
+.Nd Internet File Transfer Protocol server
+.Sh SYNOPSIS
+.Nm ftpd
+.Op Fl a Ar authmode
+.Op Fl dilv
+.Op Fl g Ar umask
+.Op Fl p Ar port 
+.Op Fl T Ar maxtimeout
+.Op Fl t Ar timeout
+.Op Fl u Ar default umask
+.Sh DESCRIPTION
+.Nm Ftpd
+is the
+Internet File Transfer Protocol
+server process.  The server uses the
+.Tn TCP
+protocol
+and listens at the port specified in the
+.Dq ftp
+service specification; see
+.Xr services 5 .
+.Pp
+Available options:
+.Bl -tag -width Ds
+.It Fl a
+Select the level of authentication required.  Kerberised login can not
+be turned off. The default is to only allow kerberised login.  Other
+possibilities can be turned on by giving a string of comma separated
+flags as argument to
+.Fl a .
+Recognised flags are:
+.Bl -tag -width plain
+.It Ar plain
+Allow logging in with plaintext password. The password can be a(n) OTP
+or an ordinary password.
+.It Ar otp
+Same as
+.Ar plain ,
+but only OTP is allowed.
+.It Ar ftp
+Allow anonymous login.
+.El
+.Pp
+The following combination modes exists for backwards compatibility:
+.Bl -tag -width plain
+.It Ar none
+Same as
+.Ar plain,ftp .
+.It Ar safe
+Same as 
+.Ar ftp .
+.It Ar user
+Ignored.
+.El
+.It Fl d
+Debugging information is written to the syslog using LOG_FTP.
+.It Fl g
+Anonymous users will get a umask of
+.Ar umask .
+.It Fl i
+Open a socket and wait for a connection. This is mainly used for
+debugging when ftpd isn't started by inetd.
+.It Fl l
+Each successful and failed 
+.Xr ftp 1
+session is logged using syslog with a facility of LOG_FTP.
+If this option is specified twice, the retrieve (get), store (put), append,
+delete, make directory, remove directory and rename operations and
+their filename arguments are also logged.
+.It Fl p
+Use
+.Ar port
+(a service name or number) instead of the default 
+.Ar ftp/tcp .
+.It Fl T
+A client may also request a different timeout period;
+the maximum period allowed may be set to
+.Ar timeout
+seconds with the
+.Fl T
+option.
+The default limit is 2 hours.
+.It Fl t
+The inactivity timeout period is set to
+.Ar timeout
+seconds (the default is 15 minutes).
+.It Fl u
+Set the initial umask to something else than the default 027.
+.It Fl v
+Verbose mode.
+.El
+.Pp
+The file
+.Pa /etc/nologin
+can be used to disable ftp access.
+If the file exists,
+.Nm
+displays it and exits.
+If the file
+.Pa /etc/ftpwelcome
+exists,
+.Nm
+prints it before issuing the 
+.Dq ready
+message.
+If the file
+.Pa /etc/motd
+exists,
+.Nm
+prints it after a successful login.
+.Pp
+The ftp server currently supports the following ftp requests.
+The case of the requests is ignored.
+.Bl -column "Request" -offset indent
+.It Request Ta "Description"
+.It ABOR Ta "abort previous command"
+.It ACCT Ta "specify account (ignored)"
+.It ALLO Ta "allocate storage (vacuously)"
+.It APPE Ta "append to a file"
+.It CDUP Ta "change to parent of current working directory"
+.It CWD Ta "change working directory"
+.It DELE Ta "delete a file"
+.It HELP Ta "give help information"
+.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA"
+.It MKD Ta "make a directory"
+.It MDTM Ta "show last modification time of file"
+.It MODE Ta "specify data transfer" Em mode
+.It NLST Ta "give name list of files in directory"
+.It NOOP Ta "do nothing"
+.It PASS Ta "specify password"
+.It PASV Ta "prepare for server-to-server transfer"
+.It PORT Ta "specify data connection port"
+.It PWD Ta "print the current working directory"
+.It QUIT Ta "terminate session"
+.It REST Ta "restart incomplete transfer"
+.It RETR Ta "retrieve a file"
+.It RMD Ta "remove a directory"
+.It RNFR Ta "specify rename-from file name"
+.It RNTO Ta "specify rename-to file name"
+.It SITE Ta "non-standard commands (see next section)"
+.It SIZE Ta "return size of file"
+.It STAT Ta "return status of server"
+.It STOR Ta "store a file"
+.It STOU Ta "store a file with a unique name"
+.It STRU Ta "specify data transfer" Em structure
+.It SYST Ta "show operating system type of server system"
+.It TYPE Ta "specify data transfer" Em type
+.It USER Ta "specify user name"
+.It XCUP Ta "change to parent of current working directory (deprecated)"
+.It XCWD Ta "change working directory (deprecated)"
+.It XMKD Ta "make a directory (deprecated)"
+.It XPWD Ta "print the current working directory (deprecated)"
+.It XRMD Ta "remove a directory (deprecated)"
+.El
+.Pp
+The following commands are specified by RFC2228.
+.Bl -column Request -offset indent
+.It AUTH Ta "authentication/security mechanism"
+.It ADAT Ta "authentication/security data"
+.It PROT Ta "data channel protection level"
+.It PBSZ Ta "protection buffer size"
+.It MIC Ta "integrity protected command"
+.It CONF Ta "confidentiality protected command"
+.It ENC Ta "privacy protected command"
+.It CCC Ta "clear command channel"
+.El
+.Pp
+The following non-standard or
+.Tn UNIX
+specific commands are supported
+by the
+SITE request.
+.Pp
+.Bl -column Request -offset indent
+.It UMASK Ta change umask, (e.g. 
+.Ic "SITE UMASK 002" )
+.It IDLE Ta set idle-timer, (e.g. 
+.Ic "SITE IDLE 60" )
+.It CHMOD Ta change mode of a file (e.g. 
+.Ic "SITE CHMOD 755 filename" )
+.It FIND Ta quickly find a specific file with GNU 
+.Xr locate 1 .
+.It HELP Ta give help information.
+.El
+.Pp
+The following Kerberos related site commands are understood.
+.Bl -column Request -offset indent
+.It KAUTH Ta obtain remote tickets.
+.It KLIST Ta show remote tickets
+.El
+.Pp
+The remaining ftp requests specified in Internet RFC 959
+are
+recognized, but not implemented.
+MDTM and SIZE are not specified in RFC 959, but will appear in the
+next updated FTP RFC.
+.Pp
+The ftp server will abort an active file transfer only when the
+ABOR
+command is preceded by a Telnet "Interrupt Process" (IP)
+signal and a Telnet "Synch" signal in the command Telnet stream,
+as described in Internet RFC 959.
+If a
+STAT
+command is received during a data transfer, preceded by a Telnet IP
+and Synch, transfer status will be returned.
+.Pp
+.Nm Ftpd
+interprets file names according to the
+.Dq globbing
+conventions used by
+.Xr csh 1 .
+This allows users to utilize the metacharacters
+.Dq Li \&*?[]{}~ .
+.Pp
+.Nm Ftpd
+authenticates users according to these rules. 
+.Pp
+.Bl -enum -offset indent
+.It
+If Kerberos authentication is used, the user must pass valid tickets
+and the principal must be allowed to login as the remote user.
+.It
+The login name must be in the password data base, and not have a null
+password (if kerberos is used the password field is not checked).  In
+this case a password must be provided by the client before any file
+operations may be performed.  If the user has an OTP key, the response
+from a successful USER command will include an OTP challenge. The
+client may choose to respond with a PASS command giving either a
+standard password or an OTP one-time password. The server will
+automatically determine which type of password it has been given and
+attempt to authenticate accordingly. See
+.Xr otp 1
+for more information on OTP authentication.
+.It
+The login name must not appear in the file
+.Pa /etc/ftpusers .
+.It
+The user must have a standard shell returned by 
+.Xr getusershell 3 .
+.It
+If the user name appears in the file
+.Pa /etc/ftpchroot
+the session's root will be changed to the user's login directory by
+.Xr chroot 2
+as for an
+.Dq anonymous
+or
+.Dq ftp
+account (see next item).  However, the user must still supply a password.
+This feature is intended as a compromise between a fully anonymous account 
+and a fully privileged account.  The account should also be set up as for an
+anonymous account.
+.It
+If the user name is
+.Dq anonymous
+or
+.Dq ftp ,
+an
+anonymous ftp account must be present in the password
+file (user
+.Dq ftp ) .
+In this case the user is allowed
+to log in by specifying any password (by convention an email address for
+the user should be used as the password).
+.El
+.Pp
+In the last case, 
+.Nm ftpd
+takes special measures to restrict the client's access privileges.
+The server performs a 
+.Xr chroot 2
+to the home directory of the
+.Dq ftp
+user.
+In order that system security is not breached, it is recommended
+that the
+.Dq ftp
+subtree be constructed with care, consider following these guidelines
+for anonymous ftp.
+.Pp
+In general all files should be owned by
+.Dq root ,
+and have non-write permissions (644 or 755 depending on the kind of
+file). No files should be owned or writable by
+.Dq ftp
+(possibly with exception for the
+.Pa ~ftp/incoming ,
+as specified below).
+.Bl -tag -width "~ftp/pub" -offset indent
+.It Pa ~ftp
+The 
+.Dq ftp
+homedirectory should be owned by root.
+.It Pa ~ftp/bin
+The directory for external programs (such as 
+.Xr ls 1 ) .
+These programs must either be statically linked, or you must setup an
+environment for dynamic linking when running chrooted.  
+These programs will be used if present:
+.Bl -tag -width "locate" -offset indent
+.It ls
+Used when listing files.
+.It compress
+When retrieving a filename that ends in
+.Pa .Z ,
+and that file isn't present,
+.Nm
+will try to find the filename without
+.Pa .Z
+and compress it on the fly.
+.It gzip
+Same as compress, just with files ending in
+.Pa .gz .
+.It gtar
+Enables retrieval of whole directories as files ending in
+.Pa .tar .
+Can also be combined with compression. You must use GNU Tar (or some
+other that supports the
+.Fl z 
+and
+.Fl Z
+flags).
+.It locate
+Will enable ``fast find'' with the 
+.Ic SITE FIND
+command. You must also create a 
+.Pa locatedb
+file in 
+.Pa ~ftp/etc .
+.El
+.It Pa ~ftp/etc
+If you put copies of the
+.Xr passwd 5
+and 
+.Xr group 5
+files here, ls will be able to produce owner names rather than
+numbers. Remember to remove any passwords from these files.  
+.Pp
+The file
+.Pa motd ,
+if present, will be printed after a successful login.
+.It Pa ~ftp/dev 
+Put a copy of
+.Xr /dev/null 7
+here.
+.It Pa ~ftp/pub
+Traditional place to put whatever you want to make public.
+.El
+.Pp
+If you want guests to be able to upload files, create a
+.Pa ~ftp/incoming
+directory owned by 
+.Dq root ,
+and group
+.Dq ftp
+with mode 730 (make sure 
+.Dq ftp 
+is member of group
+.Dq ftp ) .
+The following restrictions apply to anonymous users:
+.Bl -bullet
+.It
+Directories created will have mode 700.
+.It
+Uploaded files will be created with an umask of 777, if not changed
+with the
+.Fl g
+option.
+.It
+These command are not accessible: 
+.Ic DELE , RMD , RNTO , RNFR , 
+.Ic SITE UMASK ,
+and
+.Ic SITE CHMOD .
+.It
+Filenames must start with an alpha-numeric character, and consist of
+alpha-numeric characters or any of the following: 
+.Li \&+  
+(plus),
+.Li \&-  
+(minus),
+.Li \&=  
+(equal),
+.Li \&_  
+(underscore),
+.Li \&.  
+(period), and
+.Li \&,  
+(comma).
+.El
+.Sh FILES
+.Bl -tag -width /etc/ftpwelcome -compact
+.It Pa /etc/ftpusers
+Access list for users.
+.It Pa /etc/ftpchroot
+List of normal users who should be chroot'd.
+.It Pa /etc/ftpwelcome
+Welcome notice.
+.It Pa /etc/motd
+Welcome notice after login.
+.It Pa /etc/nologin
+Displayed and access refused.
+.It Pa ~/.klogin
+Login access for Kerberos.
+.El
+.Sh SEE ALSO
+.Xr ftp 1 ,
+.Xr otp 1 ,
+.Xr getusershell 3 ,
+.Xr ftpusers 5 ,
+.Xr syslogd 8 ,
+.Sh STANDARDS
+.Bl -tag -compact -width "RFC 1938"
+.It Cm RFC 959
+FTP PROTOCOL SPECIFICATION
+.It Cm RFC 1938
+OTP Specification
+.It Cm RFC 2228
+FTP Security Extensions.
+.El
+.Sh BUGS
+The server must run as the super-user
+to create sockets with privileged port numbers.  It maintains
+an effective user id of the logged in user, reverting to
+the super-user only when binding addresses to sockets.  The
+possible security holes have been extensively
+scrutinized, but are possibly incomplete.
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.2 .
diff --git a/crypto/kerberosIV/man/ftpusers.5 b/crypto/kerberosIV/man/ftpusers.5
new file mode 100644
index 0000000..c1960d1
--- /dev/null
+++ b/crypto/kerberosIV/man/ftpusers.5
@@ -0,0 +1,37 @@
+.\"	$Id: ftpusers.5,v 1.2 1997/05/07 20:11:11 joda Exp $
+.\"
+.Dd May 7, 1997
+.Dt FTPUSERS 5
+.Os KTH-KRB
+.Sh NAME
+.Pa /etc/ftpusers
+.Nd FTP access list file
+.Sh DESCRIPTION
+.Pa /etc/ftpusers
+contains a list of users that should be allowed or denied FTP
+access. Each line contains a user, optionally followed by
+.Dq allow 
+(anything but
+.Dq allow
+is ignored).  The semi-user
+.Dq *
+matches any user.  Users that has an explicit
+.Dq allow ,
+or that does not match any line, are allowed access. Anyone else is
+denied access.
+.Pp
+Note that this is compatible with the old format, where this file
+contained a list of users that should be denied access.
+.Sh EXAMPLES
+This will deny anyone but
+.Dq foo
+and
+.Dq bar
+to use FTP:
+.Bd -literal
+foo allow
+bar allow
+*
+.Ed
+.Sh SEE ALSO
+.Xr ftpd 8
diff --git a/crypto/kerberosIV/man/getusershell.3 b/crypto/kerberosIV/man/getusershell.3
new file mode 100644
index 0000000..84dc3ad
--- /dev/null
+++ b/crypto/kerberosIV/man/getusershell.3
@@ -0,0 +1,99 @@
+.\"	$NetBSD: getusershell.3,v 1.3 1995/02/27 04:13:24 cgd Exp $
+.\"
+.\" Copyright (c) 1985, 1991, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     @(#)getusershell.3	8.1 (Berkeley) 6/4/93
+.\"
+.Dd June 4, 1993
+.Dt GETUSERSHELL 3
+.Os BSD 4.3
+.Sh NAME
+.Nm getusershell ,
+.Nm setusershell ,
+.Nm endusershell
+.Nd get legal user shells
+.Sh SYNOPSIS
+.Ft char *
+.Fn getusershell void
+.Ft void
+.Fn setusershell void
+.Ft void
+.Fn endusershell void
+.Sh DESCRIPTION
+The
+.Fn getusershell
+function
+returns a pointer to a legal user shell as defined by the
+system manager in the file 
+.Pa /etc/shells .
+If 
+.Pa /etc/shells
+is unreadable or does not exist,
+.Fn getusershell
+behaves as if
+.Pa /bin/sh
+and
+.Pa /bin/csh
+were listed in the file.
+.Pp
+The
+.Fn getusershell
+function
+reads the next
+line (opening the file if necessary);
+.Fn setusershell
+rewinds the file;
+.Fn endusershell
+closes it.
+.Sh FILES
+.Bl -tag -width /etc/shells -compact
+.It Pa /etc/shells
+.El
+.Sh DIAGNOSTICS
+The routine
+.Fn getusershell
+returns a null pointer (0) on
+.Dv EOF .
+.Sh SEE ALSO
+.Xr shells 5
+.Sh HISTORY
+The
+.Fn getusershell
+function appeared in 
+.Bx 4.3 .
+.Sh BUGS
+The
+.Fn getusershell
+function leaves its result in an internal static object and returns
+a pointer to that object. Subsequent calls to
+.Fn getusershell
+will modify the same object.
diff --git a/crypto/kerberosIV/man/kadmin.8 b/crypto/kerberosIV/man/kadmin.8
new file mode 100644
index 0000000..bc2f43b
--- /dev/null
+++ b/crypto/kerberosIV/man/kadmin.8
@@ -0,0 +1,138 @@
+.\" $Id: kadmin.8,v 1.6 1998/12/18 16:56:29 assar Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.Dd February  3, 1998
+.Dt KADMIN 8
+.Os "KTH-KRB"
+.Sh NAME
+.Nm kadmin
+.Nd "network utility for Kerberos database administration"
+.Sh SYNOPSIS
+.Nm
+.Op Fl p Ar principal
+.Op Fl u Ar username
+.Op Fl r Ar realm
+.Op Fl m
+.Op Fl T Ar timeout
+.Op Fl t
+.Op Fl -version
+.Op Fl h
+.Op Fl -help
+.Op Ar command
+.Sh DESCRIPTION
+This utility provides a unified administration interface to the
+Kerberos master database.  Kerberos administrators use
+.Nm
+to register new users and services to the master database, and to
+change information about existing database entries, such as changing a
+user's Kerberos password. A Kerberos administrator is a user with an
+.Dq admin
+instance whose name appears on one of the Kerberos administration
+access control lists.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Fl p Ar principal
+This is the adminstrator principal to use when talking to the Kadmin
+server. The default is taken from the users environment.
+.It Fl r Ar realm
+This is the default realm to use for transactions. Default is the
+local realm.
+.It Fl u Ar username
+This is similar to 
+.Fl p ,
+but specifies a name, that gets appended with a
+.Dq admin
+instance.
+.It Fl T Ar timeout
+To prevent someone from walking up to an unguarded terminal and doing
+malicious things, administrator tickets are destroyed after a period
+of inactivity. This flag changes the timeout from the default of one
+minute. A timeout of zero seconds disables this functionality.
+.It Fl m
+Historically
+.Nm
+destroyed tickets after every command; this flag used to stop this
+behaviour (only destroying tickets upon exit). Now it's just a synonym
+for
+.Fl T Ar 0 .
+.It Fl t
+Use existing tickets (if any are available), this also disbles
+timeout, and doesn't destroy any tickets upon exit.
+.Pp
+These tickets have to be for the changepw.kerberos service.  Use
+.Nm kinit -p
+to acquire them.
+.El
+.Pp
+The
+.Nm
+program communicates over the network with the
+.Nm kadmind
+program, which runs on the machine housing the Kerberos master
+database, and does the actual modifications to the database.
+.Pp
+When you enter the
+.Nm
+command, the program displays a message that welcomes you and explains
+how to ask for help.  Then
+.Nm
+waits for you to enter commands (which are described below).  It then
+asks you for your administrator's password before accessing the
+database.
+.Pp
+All commands can be abbreviated as long as they are unique.  Some
+short versions of the commands are also recognized for backwards
+compatibility.
+.Pp
+Recognised commands:
+.Bl -tag -width Ds
+.It add_new_key Ar principal
+Creates a new principal in the Kerberos database. You give the name of
+the new principal as an argument. You will then be asked for a maximum
+ticket lifetime, attributes, the expiration date of the principal, and
+finally the password of the principal.
+.It change_password Ar principal
+Changes a principal's password. You will be prompted for the new
+password.
+.It change_key Ar principal
+This is the same as change_password, but the password is given as a
+raw DES key (for the few occations when you need this).
+.It change_admin_password
+Changes your own admin password. It will prompt you for you old and
+new passwords.
+.It del_entry Ar principal
+Removes principal from the database.
+.It get_entry Ar principal
+Show various information for the given principal. Note that the key is
+shown as zeros.
+.It mod_entry Ar principal
+Modifies a particular entry, for instance to change the expiration
+date.  
+.It destroy_tickets
+Destroys your admin tickets explicitly.
+.It quit
+Obvious.
+.El
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kerberos 1 ,
+.Xr kadmind 8 ,
+.Xr kpasswd 1 ,
+.Xr kinit 1 ,
+.Xr ksrvutil 8
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.Sh AUTHORS
+Jeffrey I. Schiller, MIT Project Athena
+.Pp
+Emanuel Jay Berkenbilt, MIT Project Athena
+.Sh BUGS
+The user interface is primitive, and the command names could be
+better.
diff --git a/crypto/kerberosIV/man/kadmind.8 b/crypto/kerberosIV/man/kadmind.8
new file mode 100644
index 0000000..71660fa
--- /dev/null
+++ b/crypto/kerberosIV/man/kadmind.8
@@ -0,0 +1,134 @@
+.\" $Id: kadmind.8,v 1.6 1999/09/15 15:10:08 assar Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KADMIND 8 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+kadmind \- network daemon for Kerberos database administration
+.SH SYNOPSIS
+.B kadmind
+[
+.B \-n
+] [
+.B \-m
+] [
+.B \-h
+] [
+.B \-r realm
+] [
+.B \-f filename
+] [
+.B \-d dbname
+] [
+.B \-a acldir
+] [
+.B \-i address
+]
+.SH DESCRIPTION
+.I kadmind
+is the network database server for the Kerberos password-changing and
+administration tools.
+.PP
+Upon execution, it fetches the master key from the key cache file.
+.PP
+If the
+.B \-m
+option is specified, it instead prompts the user to enter the master
+key string for the database.
+.PP
+The
+.B \-n
+option is a no-op and is left for compatibility reasons.
+.PP
+If the
+.B \-r
+.I realm
+option is specified, the admin server will pretend that its
+local realm is 
+.I realm
+instead of the actual local realm of the host it is running on.
+This makes it possible to run a server for a foreign kerberos
+realm.
+.PP
+If the
+.B \-f
+.I filename
+option is specified, then that file is used to hold the log information
+instead of the default.
+.PP
+If the
+.B \-d
+.I dbname
+option is specified, then that file is used as the database name instead
+of the default.
+.PP
+If the
+.B \-a
+.I acldir
+option is specified, then
+.I acldir
+is used as the directory in which to search for access control lists
+instead of the default.
+.PP
+If the
+.B \-h
+option is specified,
+.I kadmind
+prints out a short summary of the permissible control arguments, and
+then exits.
+.PP
+If the
+.B \-i
+option is specified,
+.I kadmind
+will only listen on that particular address and not on all configured
+addresses of the host, which is the default.
+.PP
+When performing requests on behalf of clients,
+.I kadmind
+checks access control lists (ACLs) to determine the authorization of the client
+to perform the requested action.
+Currently four distinct access types are supported:
+.TP 1i
+Addition
+(.add ACL file).  If a principal is on this list, it may add new
+principals to the database.
+.TP
+Retrieval
+(.get ACL file).  If a principal is on this list, it may retrieve
+database entries.  NOTE:  A principal's private key is never returned by
+the get functions.
+.TP
+Modification
+(.mod ACL file).  If a principal is on this list, it may modify entries
+in the database.
+.TP
+Deletions
+(.del ACL file).  If a principal is on this list, if may delete
+entries from the database.
+.PP
+A principal is always granted authorization to change its own password.
+.SH FILES
+.TP 20n
+/var/log/admin_server.syslog
+Default log file.
+.TP 
+/var/kerberos
+Default access control list directory.
+.TP
+admin_acl.{add,get,mod}
+Access control list files (within the directory)
+.TP
+/var/kerberos/principal.pag, /var/kerberos/principal.dir
+Default DBM files containing database
+.TP
+/.k
+Master key cache file.
+.SH "SEE ALSO"
+kerberos(1), kpasswd(1), kadmin(8), acl_check(3)
+.SH AUTHORS
+Douglas A. Church, MIT Project Athena
+.br
+John T. Kohl, Project Athena/Digital Equipment Corporation
diff --git a/crypto/kerberosIV/man/kafs.3 b/crypto/kerberosIV/man/kafs.3
new file mode 100644
index 0000000..9afac16
--- /dev/null
+++ b/crypto/kerberosIV/man/kafs.3
@@ -0,0 +1,157 @@
+.\"	$Id: kafs.3,v 1.3 1998/06/30 15:41:52 assar Exp $
+.\"
+.Dd May 7, 1997
+.Os KTH-KRB
+.Dt KAFS 3
+.Sh NAME
+.Nm k_hasafs ,
+.Nm k_pioctl ,
+.Nm k_unlog ,
+.Nm k_setpag ,
+.Nm k_afs_cell_of_file ,
+.Nm krb_afslog ,
+.Nm krb_afslog_uid
+.\" .Nm krb5_afslog ,
+.\" .Nm krb5_afslog_uid
+.Nd AFS library
+.Sh SYNOPSIS
+.Fd #include <kafs.h>
+.Ft int
+.Fn k_afs_cell_of_file "const char *path" "char *cell" "int len"
+.Ft int
+.Fn k_hasafs
+.Ft int
+.Fn k_pioctl "char *a_path" "int o_opcode" "struct ViceIoctl *a_paramsP" "int a_followSymlinks"
+.Ft int
+.Fn k_setpag
+.Ft int
+.Fn k_unlog
+.Ft int
+.Fn krb_afslog "char *cell" "char *realm"
+.Ft int
+.Fn krb_afslog_uid "char *cell" "char *realm" "uid_t uid"
+.\" .Ft krb5_error_code
+.\" .Fn krb5_afslog_uid "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" "uid_t uid"
+.\" .Ft krb5_error_code
+.\" .Fn krb5_afslog "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm"
+.Sh DESCRIPTION
+.Fn k_hasafs
+initializes some library internal structures, and tests for the
+presense of AFS in the kernel, none of the other functions should be
+called before 
+.Fn k_hasafs
+is called, or if it fails.
+.Pp
+.Fn krb_afslog ,
+and
+.Fn krb_afslog_uid
+obtains new tokens (and possibly tickets) for the specified
+.Fa cell
+and
+.Fa realm .
+If 
+.Fa cell
+is 
+.Dv NULL ,
+the local cell is used. If 
+.Fa realm 
+is
+.Dv NULL ,
+the function tries to guess what realm to use. Unless you  have some good knowledge of what cell or realm to use, you should pass
+.Dv NULL . 
+.Fn krb_afslog 
+will use the real user-id for the
+.Dv ViceId
+field in the token, 
+.Fn krb_afslog_uid
+will use
+.Fa uid .
+.Pp
+.\" .Fn krb5_afslog ,
+.\" and 
+.\" .Fn krb5_afslog_uid
+.\" are the Kerberos 5 equivalents of
+.\" .Fn krb_afslog ,
+.\" and
+.\" .Fn krb_afslog_uid .
+.\" The extra arguments are the ubiquitous context, and the cache id where
+.\" to store any obtained tickets. Since AFS servers normally can't handle
+.\" Kerberos 5 tickets directly, these functions will first obtain version
+.\" 5 tickets for the requested cells, and then convert them to version 4
+.\" tickets, that can be stashed in the kernel. To convert tickets the
+.\" .Fn krb524_convert_creds_kdc
+.\" function will be used.
+.\" .Pp
+.Fn k_afs_cell_of_file
+will in 
+.Fa cell
+return the cell of a specified file, no more than
+.Fa len
+characters is put in 
+.Fa cell .
+.Pp
+.Fn k_pioctl
+does a 
+.Fn pioctl
+syscall with the specified arguments. This function is equivalent to
+.Fn lpioctl .
+.Pp
+.Fn k_setpag
+initializes a new PAG.
+.Pp
+.Fn k_unlog
+removes destroys all tokens in the current PAG.
+.Sh ENVIRONMENT
+The following environment variable affect the mode of operation of
+.Nm kafs :
+.Bl -tag -width AFS_SYSCALL
+.It Ev AFS_SYSCALL
+Normally,
+.Nm kafs
+will try to figure out the correct system call(s) that are used by AFS
+by itself.  If it does not manage to do that, or does it incorrectly,
+you can set this variable to the system call number or list of system
+call numbers that should be used.
+.El
+.Sh RETURN VALUES
+.Fn k_hasafs
+returns 1 if AFS is present in the kernel, 0 otherwise.
+.Fn krb_afslog
+and
+.Fn krb_afslog_uid
+returns 0 on success, or a kerberos error number on failure.
+.Fn k_afs_cell_of_file ,
+.Fn k_pioctl , 
+.Fn k_setpag ,
+and
+.Fn k_unlog
+all return the value of the underlaying system call, 0 on success.
+.Sh EXAMPLES
+The following code from
+.Nm login 
+will obtain a new PAG and tokens for the local cell and the cell of
+the users home directory.
+.Bd -literal
+if (k_hasafs()) {
+	char cell[64];
+	k_setpag();
+	if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0)
+		krb_afslog(cell, NULL);
+	krb_afslog(NULL, NULL);
+}
+.Ed
+.Sh ERRORS
+If any of these functions (appart from 
+.Fn k_hasafs )
+is called without AFS beeing present in the kernel, the process will
+usually (depending on the operating system) receive a SIGSYS signal.
+.Sh SEE ALSO
+.Rs
+.%A Transarc Corporation
+.%J AFS-3 Programmer's Reference
+.%T File Server/Cache Manager Interface
+.%D 1991
+.Re
+.Sh BUGS
+.Ev AFS_SYSCALL
+has no effect under AIX.
diff --git a/crypto/kerberosIV/man/kauth.1 b/crypto/kerberosIV/man/kauth.1
new file mode 100644
index 0000000..72146e6
--- /dev/null
+++ b/crypto/kerberosIV/man/kauth.1
@@ -0,0 +1,66 @@
+.\" $Id: kauth.1,v 1.3 1998/06/30 15:29:17 assar Exp $
+.\"
+.Dd May 4, 1996
+.Dt KAUTH 1
+.Os KTH-KRB
+.Sh NAME
+.Nm kauth
+.Nd overworked Kerberos login program
+.Sh SYNOPSIS
+.Nm
+.Op Fl n Ar name
+.Op Fl r Ar remote user
+.Op Fl t Pa remote ticket file
+.Op Fl h Ar hosts...
+.Op Fl l Ar lifetime
+.Op Fl f Pa srvtab
+.Op Fl c Ar cell
+.Op Ar command ...
+.Sh DESCRIPTION
+The
+.Nm
+command obtains ticket granting tickets as well as AFS ticket and
+tokens. It also does a whole lot of other stuff.
+.Pp
+The following flags are supported:
+.Bl -tag -width xxxx
+.It Fl n
+Principal to get tickets for. If no other arguments are present this
+can be given without the
+.Fl n
+flag.
+.It Fl h
+Remote hosts to obtain tickets for. This works similar to the MIT
+Athena Kerberos 4 patchlevel 10 command
+.Xr rkinit 1 ,
+however not in a compatible way. It requires that the remote host runs
+the
+.Xr kauthd 8 ,
+server. The 
+.Fl r
+and
+.Fl t
+flags are useful only with this option.
+.It Fl r
+User on the remote host that should own the ticket file.
+.It Fl t 
+Ticket file on remote host.
+.It Fl l
+Lifetime of tickets in minutes. A value of -1 is used for maximum
+ticket lifetime.
+.It Fl f
+Srvtab to get service keys from. Default is 
+.Pa /etc/srvtab .
+This is mainly used with batch services that need to run
+authenticated. If any command is given, it will be executed in an
+authenticated fashion and when the program exits the tickets are
+destroyed. For long running jobs the tickets will be renewed.
+.It Fl c
+AFS cell to get tokens for, default is your local cell.
+.El
+.Sh SEE ALSO
+.Xr kinit 1 ,
+.Xr kauthd 8 ,
+.Xr kafs 3
+.Sh BUGS
+There is no help-switch.
diff --git a/crypto/kerberosIV/man/kauthd.8 b/crypto/kerberosIV/man/kauthd.8
new file mode 100644
index 0000000..541e696
--- /dev/null
+++ b/crypto/kerberosIV/man/kauthd.8
@@ -0,0 +1,26 @@
+.\" $Id: kauthd.8,v 1.2 1996/09/28 22:04:48 assar Exp $
+.\"
+.Dd September 27, 1996
+.Dt KAUTHD 8
+.Os KTH-KRB
+.Sh NAME
+.Nm kauthd
+.Nd remote Kerberos login daemon
+.Sh SYNOPSIS
+.Nm
+.Sh DESCRIPTION
+Daemon for the
+.Xr kauth 1
+command.
+.Pp
+Options supported by
+.Nm kauthd :
+.Bl -tag -width Ds
+.It Fl i
+Interactive.  Do not expect to be started by
+.Nm inetd ,
+but allocate and listen to the socket yourself.  Handy for testing
+and debugging.
+.El
+.Sh SEE ALSO
+.Xr kauth 1
diff --git a/crypto/kerberosIV/man/kdb_destroy.8 b/crypto/kerberosIV/man/kdb_destroy.8
new file mode 100644
index 0000000..c6e4739
--- /dev/null
+++ b/crypto/kerberosIV/man/kdb_destroy.8
@@ -0,0 +1,32 @@
+.\" $Id: kdb_destroy.8,v 1.3 1997/04/02 21:09:54 assar Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KDB_DESTROY 8 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+kdb_destroy \- destroy Kerberos key distribution center database
+.SH SYNOPSIS
+kdb_destroy
+.SH DESCRIPTION
+.I kdb_destroy
+deletes a Kerberos key distribution center database.
+.PP
+The user is prompted to verify that the database should be destroyed.  A
+response beginning with `y' or `Y' confirms deletion.
+Any other response aborts deletion.
+.SH DIAGNOSTICS
+.TP 20n
+"Database cannot be deleted at /var/kerberos/principal"
+The attempt to delete the database failed (probably due to a system or
+access permission error).
+.TP
+"Database not deleted."
+The user aborted the deletion.
+.SH FILES
+.TP 20n
+/var/kerberos/principal.pag, /var/kerberos/principal.dir
+DBM files containing database
+.SH SEE ALSO
+kdb_init(8)
diff --git a/crypto/kerberosIV/man/kdb_edit.8 b/crypto/kerberosIV/man/kdb_edit.8
new file mode 100644
index 0000000..14f7e92
--- /dev/null
+++ b/crypto/kerberosIV/man/kdb_edit.8
@@ -0,0 +1,54 @@
+.\" $Id: kdb_edit.8,v 1.3 1997/04/02 21:09:54 assar Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KDB_EDIT 8 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+kdb_edit \-  Kerberos key distribution center database editing utility
+.SH SYNOPSIS
+kdb_edit [
+.B \-n
+]
+.SH DESCRIPTION
+.I kdb_edit
+is used to create or change principals stored in the Kerberos key
+distribution center (KDC) database.
+.PP
+When executed,
+.I kdb_edit
+prompts for the master key string and verifies that it matches the
+master key stored in the database.
+If the
+.B \-n
+option is specified, the master key is instead fetched from the master
+key cache file.
+.PP
+Once the master key has been verified,
+.I kdb_edit
+begins a prompt loop.  The user is prompted for the principal and
+instance to be modified.  If the entry is not found the user may create
+it.
+Once an entry is found or created, the user may set the password,
+expiration date, maximum ticket lifetime, and attributes.
+Default expiration dates, maximum ticket lifetimes, and attributes are
+presented in brackets; if the user presses return the default is selected.
+There is no default password.
+The password RANDOM is interpreted specially, and if entered
+the user may have the program select a random DES key for the
+principal.
+.PP
+Upon successfully creating or changing the entry, ``Edit O.K.'' is
+printed.
+.SH DIAGNOSTICS
+.TP 20n
+"verify_master_key: Invalid master key, does not match database."
+The master key string entered was incorrect.
+.SH FILES
+.TP 20n
+/var/kerberos/principal.pag, /var/kerberos/principal.dir
+DBM files containing database
+.TP
+/.k
+Master key cache file.
diff --git a/crypto/kerberosIV/man/kdb_init.8 b/crypto/kerberosIV/man/kdb_init.8
new file mode 100644
index 0000000..f019dd4
--- /dev/null
+++ b/crypto/kerberosIV/man/kdb_init.8
@@ -0,0 +1,37 @@
+.\" $Id: kdb_init.8,v 1.3 1997/04/02 21:09:54 assar Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KDB_INIT 8 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+kdb_init \- Initialize Kerberos key distribution center database
+.SH SYNOPSIS
+kdb_init [ 
+.B realm
+]
+.SH DESCRIPTION
+.I kdb_init
+initializes a Kerberos key distribution center database, creating the
+necessary principals.
+.PP
+If the optional
+.I realm
+argument is not present,
+.I kdb_init
+prompts for a realm name.
+After determining the realm to be created, it prompts for
+a master key password.  The master key password is used to encrypt
+every encryption key stored in the database.
+.SH DIAGNOSTICS
+.TP 20n
+"/var/kerberos/principal: File exists"
+An attempt was made to create a database on a machine which already had
+an existing database.
+.SH FILES
+.TP 20n
+/var/kerberos/principal.pag, /var/kerberos/principal.dir
+DBM files containing database
+.SH SEE ALSO
+kdb_destroy(8)
diff --git a/crypto/kerberosIV/man/kdb_util.8 b/crypto/kerberosIV/man/kdb_util.8
new file mode 100644
index 0000000..0e3c201
--- /dev/null
+++ b/crypto/kerberosIV/man/kdb_util.8
@@ -0,0 +1,68 @@
+.\" $Id: kdb_util.8,v 1.3 1997/04/02 20:45:38 assar Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KDB_UTIL 8 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+kdb_util \-  Kerberos key distribution center database utility
+.SH SYNOPSIS
+kdb_util 
+.B operation filename
+.SH DESCRIPTION
+.I kdb_util
+allows the Kerberos key distribution center (KDC) database administrator to
+perform utility functions on the database.
+.PP
+.I Operation
+must be one of the following:
+.TP 10n
+.I load
+initializes the KDC database with the records described by the
+text contained in the file
+.IR filename .
+Any existing database is overwritten.
+.TP
+.I dump
+dumps the KDC database into a text representation in the file
+.IR filename .
+.TP
+.I slave_dump
+performs a database dump like the
+.I dump
+operation, and additionally creates a semaphore file signalling the
+propagation software that an update is available for distribution to
+slave KDC databases.
+.TP
+.I merge
+merges in the entries from
+.IR filename
+into the database.
+.TP
+.I new_master_key
+prompts for the old and new master key strings, and then dumps the KDC
+database into a text representation in the file
+.IR filename .
+The keys in the text representation are encrypted in the new master key.
+.TP
+.I convert_old_db
+prompts for the master key string, and then dumps the KDC database into
+a text representation in the file
+.IR filename .
+The existing database is assumed to be encrypted using the old format
+(encrypted by the key schedule of the master key); the dumped database
+is encrypted using the new format (encrypted directly with master key).
+.PP
+.SH DIAGNOSTICS
+.TP 20n
+"verify_master_key: Invalid master key, does not match database."
+The master key string entered was incorrect.
+.SH FILES
+.TP 20n
+/kerberos/principal.pag, /kerberos/principal.dir
+DBM files containing database
+.TP
+.IR filename .ok
+semaphore file created by
+.IR slave_dump.
diff --git a/crypto/kerberosIV/man/kdestroy.1 b/crypto/kerberosIV/man/kdestroy.1
new file mode 100644
index 0000000..c7797c0
--- /dev/null
+++ b/crypto/kerberosIV/man/kdestroy.1
@@ -0,0 +1,96 @@
+.\" $Id: kdestroy.1,v 1.4 1999/06/15 13:29:32 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KDESTROY 1 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+kdestroy \- destroy Kerberos tickets
+.SH SYNOPSIS
+.B kdestroy
+[
+.B \-f
+]
+[
+.B \-q
+]
+[
+.B \-t
+]
+.SH DESCRIPTION
+The
+.I kdestroy
+utility destroys the user's active
+Kerberos
+authorization tickets by writing zeros to the file that contains them.
+If the ticket file does not exist,
+.I kdestroy
+displays a message to that effect.
+.PP
+After overwriting the file,
+.I kdestroy
+removes the file from the system.
+The utility
+displays a message indicating the success or failure of the
+operation.
+If
+.I kdestroy
+is unable to destroy the ticket file,
+the utility will warn you by making your terminal beep.
+.PP
+In the Athena workstation environment,
+the
+.I toehold
+service automatically destroys your tickets when you
+end a workstation session.
+If your site does not provide a similar ticket-destroying mechanism,
+you can place the
+.I kdestroy
+command in your
+.I .logout
+file so that your tickets are destroyed automatically
+when you logout.
+.PP
+The options to
+.I kdestroy
+are as follows:
+.TP 7
+.B \-f
+.I kdestroy
+runs without displaying the status message.
+.TP
+.B \-q
+.I kdestroy
+will not make your terminal beep if it fails to destroy the tickets.
+.TP
+.B \-t
+destroy tickets only and keep all AFS tokens.
+.TP
+.B \-u
+unlog, i.e remove any AFS tokens associated with the current PAG
+but leave the ticket file alone.
+.PP
+If neither
+.B \-t
+nor 
+.B \-u
+is given, both tickets and AFS tokens are destroyed.
+.SH FILES
+KRBTKFILE environment variable if set, otherwise
+.br
+/tmp/tkt[uid]
+.SH SEE ALSO
+kerberos(1), kinit(1), klist(1)
+.SH BUGS
+.PP
+Only the tickets in the user's current ticket file are destroyed.
+Separate ticket files are used to hold root instance and password
+changing tickets.  These files should probably be destroyed too, or
+all of a user's tickets kept in a single ticket file.
+.SH AUTHORS
+Steve Miller, MIT Project Athena/Digital Equipment Corporation
+.br
+Clifford Neuman, MIT Project Athena
+.br
+Bill Sommerfeld, MIT Project Athena
diff --git a/crypto/kerberosIV/man/kerberos.1 b/crypto/kerberosIV/man/kerberos.1
new file mode 100644
index 0000000..4968822
--- /dev/null
+++ b/crypto/kerberosIV/man/kerberos.1
@@ -0,0 +1,258 @@
+.\" $Id: kerberos.1,v 1.3 1997/11/07 12:37:34 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KERBEROS 1 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+kerberos \- introduction to the Kerberos system
+
+.SH DESCRIPTION
+The
+Kerberos
+system authenticates
+individual users in a network environment.
+After authenticating yourself to
+Kerberos,
+you can use network utilities such as
+.IR rlogin ,
+.IR rcp ,
+and
+.IR rsh
+without
+having to present passwords to remote hosts and without having to bother
+with
+.I \.rhosts
+files.
+Note that these utilities will work without passwords only if
+the remote machines you deal with
+support the
+Kerberos
+system.
+All Athena timesharing machines and public workstations support
+Kerberos.
+.PP
+Before you can use
+Kerberos,
+you must register as an Athena user,
+and you must make sure you have been added to
+the
+Kerberos
+database.
+You can use the
+.I kinit
+command to find out.
+This command
+tries to log you into the
+Kerberos
+system.
+.I kinit
+will prompt you for a username and password.
+Enter your username and password.
+If the utility lets you login without giving you a message,
+you have already been registered.
+.PP
+If you enter your username and
+.I kinit
+responds with this message:
+.nf
+
+Principal unknown (kerberos)
+
+.fi
+you haven't been registered as a
+Kerberos
+user.
+See your system administrator.
+.PP
+A Kerberos name contains three parts.
+The first is the
+.I principal name,
+which is usually a user's or service's name.
+The second is the
+.I instance,
+which in the case of a user is usually null.
+Some users may have privileged instances, however,
+such as ``root'' or ``admin''.
+In the case of a service, the instance is the
+name of the machine on which it runs; i.e. there
+can be an
+.I rlogin
+service running on the machine ABC, which
+is different from the rlogin service running on
+the machine XYZ.
+The third part of a Kerberos name
+is the
+.I realm.
+The realm corresponds to the Kerberos service providing
+authentication for the principal.
+For example, at MIT there is a Kerberos running at the
+Laboratory for Computer Science and one running at
+Project Athena.
+.PP
+When writing a Kerberos name, the principal name is
+separated from the instance (if not null) by a period,
+and the realm (if not the local realm) follows, preceded by
+an ``@'' sign.
+The following are examples of valid Kerberos names:
+.sp
+.nf
+.in +8
+billb
+jis.admin
+srz@lcs.mit.edu
+treese.root@athena.mit.edu
+.in -8
+.fi
+.PP
+When you authenticate yourself with
+Kerberos,
+through either the workstation
+.I toehold
+system or the
+.I kinit
+command,
+Kerberos
+gives you an initial
+Kerberos
+.IR ticket .
+(A
+Kerberos
+ticket
+is an encrypted protocol message that provides authentication.)
+Kerberos
+uses this ticket for network utilities
+such as
+.I rlogin
+and
+.IR rcp .
+The ticket transactions are done transparently,
+so you don't have to worry about their management.
+.PP
+Note, however, that tickets expire.
+Privileged tickets, such as root instance tickets,
+expire in a few minutes, while tickets that carry more ordinary
+privileges may be good for several hours or a day, depending on the
+installation's policy.
+If your login session extends beyond the time limit,
+you will have to re-authenticate yourself to
+Kerberos
+to get new tickets.
+Use the
+.IR kinit
+command to re-authenticate yourself.
+.PP
+If you use the
+.I kinit
+command to get your tickets,
+make sure you use the
+.I kdestroy
+command
+to destroy your tickets before you end your login session.
+You should probably put the
+.I kdestroy
+command in your
+.I \.logout
+file so that your tickets will be destroyed automatically when you logout.
+For more information about the
+.I kinit
+and
+.I kdestroy
+commands,
+see the
+.I kinit(1)
+and
+.I kdestroy(1)
+manual pages.
+.PP
+Currently,
+Kerberos
+supports the following network services:
+.IR rlogin ,
+.IR rsh ,
+.IR rcp ,
+.IR pop ,
+.IR ftp ,
+.IR telnet ,
+.IR AFS
+and
+.IR NFS.
+
+.SH "SEE ALSO"
+kdestroy(1), kinit(1), klist(1), kpasswd(1), des_crypt(3), kerberos(3),
+kadmin(8)
+.SH BUGS
+Kerberos
+will not do authentication forwarding.
+In other words,
+if you use
+.I rlogin
+to login to a remote host,
+you cannot use
+Kerberos
+services from that host
+until you authenticate yourself explicitly on that host.
+Although you may need to authenticate yourself on the remote
+host,
+be aware that when you do so,
+.I rlogin
+sends your password across the network in clear text.
+
+.SH AUTHORS
+Steve Miller, MIT Project Athena/Digital Equipment Corporation
+.br
+Clifford Neuman, MIT Project Athena
+
+The following people helped out on various aspects of the system:
+
+Jeff Schiller designed and wrote the administration server and its
+user interface, kadmin.
+He also wrote the dbm version of the database management system.
+
+Mark Colan developed the
+Kerberos
+versions of
+.IR rlogin ,
+.IR rsh ,
+and
+.IR rcp ,
+as well as contributing work on the servers.
+
+John Ostlund developed the
+Kerberos
+versions of
+.I passwd
+and
+.IR userreg .
+
+Stan Zanarotti pioneered Kerberos in a foreign realm (LCS),
+and made many contributions based on that experience.
+
+Many people contributed code and/or useful ideas, including
+Jim Aspnes,
+Bob Baldwin,
+John Barba,
+Richard Basch,
+Jim Bloom,
+Bill Bryant,
+Rob French,
+Dan Geer,
+David Jedlinsky,
+John Kohl,
+John Kubiatowicz,
+Bob McKie,
+Brian Murphy,
+Ken Raeburn,
+Chris Reed,
+Jon Rochlis,
+Mike Shanzer,
+Bill Sommerfeld,
+Jennifer Steiner,
+Ted Ts'o,
+and
+Win Treese.
+
+.SH RESTRICTIONS
+
+COPYRIGHT 1985,1986 Massachusetts Institute of Technology
diff --git a/crypto/kerberosIV/man/kerberos.3 b/crypto/kerberosIV/man/kerberos.3
new file mode 100644
index 0000000..deff91d
--- /dev/null
+++ b/crypto/kerberosIV/man/kerberos.3
@@ -0,0 +1,461 @@
+.\" $Id: kerberos.3,v 1.2 1996/06/12 21:29:18 bg Exp $
+.\" $FreeBSD$
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KERBEROS 3 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key, krb_get_cred,
+krb_mk_priv, krb_rd_priv, krb_mk_safe, krb_rd_safe, krb_mk_err,
+krb_rd_err, krb_ck_repl \- Kerberos authentication library
+.SH SYNOPSIS
+.nf
+.nj
+.ft B
+#include <openssl/des.h>
+#include <krb.h>
+.PP
+.ft B
+extern char *krb_err_txt[];
+.PP
+.ft B
+int krb_mk_req(authent,service,instance,realm,checksum)
+KTEXT authent;
+char *service;
+char *instance;
+char *realm;
+u_long checksum;
+.PP
+.ft B
+int krb_rd_req(authent,service,instance,from_addr,ad,fn)
+KTEXT authent;
+char *service;
+char *instance;
+u_long from_addr;
+AUTH_DAT *ad;
+char *fn;
+.PP
+.ft B
+int krb_kntoln(ad,lname)
+AUTH_DAT *ad;
+char *lname;
+.PP
+.ft B
+int krb_set_key(key,cvt)
+char *key;
+int cvt;
+.PP
+.ft B
+int krb_get_cred(service,instance,realm,c)
+char *service;
+char *instance;
+char *realm;
+CREDENTIALS *c;
+.PP
+.ft B
+long krb_mk_priv(in,out,in_length,schedule,key,sender,receiver)
+u_char *in;
+u_char *out;
+u_long in_length;
+des_cblock key;
+des_key_schedule schedule;
+struct sockaddr_in *sender;
+struct sockaddr_in *receiver;
+.PP
+.ft B
+long krb_rd_priv(in,in_length,schedule,key,sender,receiver,msg_data)
+u_char *in;
+u_long in_length;
+Key_schedule schedule;
+des_cblock key;
+struct sockaddr_in *sender;
+struct sockaddr_in *receiver;
+MSG_DAT *msg_data;
+.PP
+.ft B
+long krb_mk_safe(in,out,in_length,key,sender,receiver)
+u_char *in;
+u_char *out;
+u_long in_length;
+des_cblock key;
+struct sockaddr_in *sender;
+struct sockaddr_in *receiver;
+.PP
+.ft B
+long krb_rd_safe(in,length,key,sender,receiver,msg_data)
+u_char *in;
+u_long length;
+des_cblock key;
+struct sockaddr_in *sender;
+struct sockaddr_in *receiver;
+MSG_DAT *msg_data;
+.PP
+.ft B
+long krb_mk_err(out,code,string)
+u_char *out;
+long code;
+char *string;
+.PP
+.ft B
+long krb_rd_err(in,length,code,msg_data)
+u_char *in;
+u_long length;
+long code;
+MSG_DAT *msg_data;
+.fi
+.ft R
+.SH DESCRIPTION
+This library supports network authentication and various related
+operations.  The library contains many routines beyond those described
+in this man page, but they are not intended to be used directly.
+Instead, they are called by the routines that are described, the
+authentication server and the login program.
+.PP
+.I krb_err_txt[]
+contains text string descriptions of various Kerberos error codes returned
+by some of the routines below.
+.PP
+.I krb_mk_req
+takes a pointer to a text structure in which an authenticator is to be
+built.  It also takes the name, instance, and realm of the service to be
+used and an optional checksum.  It is up to the application to decide
+how to generate the checksum.
+.I krb_mk_req
+then retrieves a ticket for the desired service and creates an
+authenticator.  The authenticator is built in
+.I authent
+and is accessible
+to the calling procedure.
+.PP
+It is up to the application to get the authenticator to the service
+where it will be read by
+.I krb_rd_req.
+Unless an attacker posesses the session key contained in the ticket, it
+will be unable to modify the authenticator.  Thus, the checksum can be
+used to verify the authenticity of the other data that will pass through
+a connection.
+.PP
+.I krb_rd_req
+takes an authenticator of type
+.B KTEXT,
+a service name, an instance, the address of the
+host originating the request, and a pointer to a structure of type
+.B AUTH_DAT
+which is filled in with information obtained from the authenticator.
+It also optionally takes the name of the file in which it will find the
+secret key(s) for the service.
+If the supplied
+.I instance
+contains "*", then the first service key with the same service name
+found in the service key file will be used, and the
+.I instance
+argument will be filled in with the chosen instance.  This means that
+the caller must provide space for such an instance name.
+.PP
+It is used to find out information about the principal when a request
+has been made to a service.  It is up to the application protocol to get
+the authenticator from the client to the service.  The authenticator is
+then passed to
+.I krb_rd_req
+to extract the desired information.
+.PP
+.I krb_rd_req
+returns zero (RD_AP_OK) upon successful authentication.  If a packet was
+forged, modified, or replayed, authentication will fail.  If the
+authentication fails, a non-zero value is returned indicating the
+particular problem encountered.  See
+.I krb.h
+for the list of error codes.
+.PP
+If the last argument is the null string (""), krb_rd_req will use the
+file /etc/srvtab to find its keys.  If the last argument is NULL, it
+will assume that the key has been set by
+.I krb_set_key
+and will not bother looking further.
+.PP
+.I krb_kntoln
+converts a Kerberos name to a local name.  It takes a structure
+of type AUTH_DAT and uses the name and instance to look in the database
+/etc/aname to find the corresponding local name.  The local name is
+returned and can be used by an application to change uids, directories,
+or other parameters.  It is not an integral part of Kerberos, but is
+instead provided to support the use of Kerberos in existing utilities.
+.PP
+.I krb_set_key
+takes as an argument a des key.  It then creates
+a key schedule from it and saves the original key to be used as an
+initialization vector.
+It is used to set the server's key which
+must be used to decrypt tickets.
+.PP
+If called with a non-zero second argument,
+.I krb_set_key
+will first convert the input from a string of arbitrary length to a DES
+key by encrypting it with a one-way function.
+.PP
+In most cases it should not be necessary to call
+.I krb_set_key.
+The necessary keys will usually be obtained and set inside
+.I krb_rd_req.  krb_set_key
+is provided for those applications that do not wish to place the
+application keys on disk.
+.PP
+.I krb_get_cred
+searches the caller's ticket file for a ticket for the given service, instance,
+and realm; and, if a ticket is found, fills in the given CREDENTIALS structure
+with the ticket information.
+.PP
+If the ticket was found,
+.I krb_get_cred
+returns GC_OK.
+If the ticket file can't be found, can't be read, doesn't belong to
+the user (other than root), isn't a regular file, or is in the wrong
+mode, the error GC_TKFIL is returned.
+.PP
+.I krb_mk_priv
+creates an encrypted, authenticated
+message from any arbitrary application data, pointed to by
+.I in
+and
+.I in_length
+bytes long.
+The private session key, pointed to by
+.I key
+and the key schedule,
+.I schedule,
+are used to encrypt the data and some header information using
+.I pcbc_encrypt.
+.I sender
+and
+.I receiver
+point to the Internet address of the two parties.
+In addition to providing privacy, this protocol message protects
+against modifications, insertions or replays.  The encapsulated message and
+header are placed in the area pointed to by
+.I out
+and the routine returns the length of the output, or -1 indicating
+an error.
+.PP
+.I krb_rd_priv
+decrypts and authenticates a received
+.I krb_mk_priv
+message.
+.I in
+points to the beginning of the received message, whose length
+is specified in
+.I in_length.
+The private session key, pointed to by
+.I key,
+and the key schedule,
+.I schedule,
+are used to decrypt and verify the received message.
+.I msg_data
+is a pointer to a
+.I MSG_DAT
+struct, defined in
+.I krb.h.
+The routine fills in the
+.I app_data
+field with a pointer to the decrypted application data,
+.I app_length
+with the length of the
+.I app_data
+field,
+.I time_sec
+and
+.I time_5ms
+with the timestamps in the message, and
+.I swap
+with a 1 if the byte order of the receiver is different than that of
+the sender.  (The application must still determine if it is appropriate
+to byte-swap application data; the Kerberos protocol fields are already taken
+care of).  The
+.I hash
+field returns a value useful as input to the
+.I krb_ck_repl
+routine.
+
+The routine returns zero if ok, or a Kerberos error code. Modified messages
+and old messages cause errors, but it is up to the caller to
+check the time sequence of messages, and to check against recently replayed
+messages using
+.I krb_ck_repl
+if so desired.
+.PP
+.I krb_mk_safe
+creates an authenticated, but unencrypted message from any arbitrary
+application data,
+pointed to by
+.I in
+and
+.I in_length
+bytes long.
+The private session key, pointed to by
+.I key,
+is used to seed the
+.I quad_cksum()
+checksum algorithm used as part of the authentication.
+.I sender
+and
+.I receiver
+point to the Internet address of the two parties.
+This message does not provide privacy, but does protect (via detection)
+against modifications, insertions or replays.  The encapsulated message and
+header are placed in the area pointed to by
+.I out
+and the routine returns the length of the output, or -1 indicating
+an error.
+The authentication provided by this routine is not as strong as that
+provided by
+.I krb_mk_priv
+or by computing the checksum using
+.I cbc_cksum
+instead, both of which authenticate via DES.
+.PP
+
+.I krb_rd_safe
+authenticates a received
+.I krb_mk_safe
+message.
+.I in
+points to the beginning of the received message, whose length
+is specified in
+.I in_length.
+The private session key, pointed to by
+.I key,
+is used to seed the quad_cksum() routine as part of the authentication.
+.I msg_data
+is a pointer to a
+.I MSG_DAT
+struct, defined in
+.I krb.h .
+The routine fills in these
+.I MSG_DAT
+fields:
+the
+.I app_data
+field with a pointer to the application data,
+.I app_length
+with the length of the
+.I app_data
+field,
+.I time_sec
+and
+.I time_5ms
+with the timestamps in the message, and
+.I swap
+with a 1 if the byte order of the receiver is different than that of
+the sender.
+(The application must still determine if it is appropriate
+to byte-swap application data; the Kerberos protocol fields are already taken
+care of).  The
+.I hash
+field returns a value useful as input to the
+.I krb_ck_repl
+routine.
+
+The routine returns zero if ok, or a Kerberos error code. Modified messages
+and old messages cause errors, but it is up to the caller to
+check the time sequence of messages, and to check against recently replayed
+messages using
+.I krb_ck_repl
+if so desired.
+.PP
+.I krb_mk_err
+constructs an application level error message that may be used along
+with
+.I krb_mk_priv
+or
+.I krb_mk_safe.
+.I out
+is a pointer to the output buffer,
+.I code
+is an application specific error code, and
+.I string
+is an application specific error string.
+
+.PP
+.I krb_rd_err
+unpacks a received
+.I krb_mk_err
+message.
+.I in
+points to the beginning of the received message, whose length
+is specified in
+.I in_length.
+.I code
+is a pointer to a value to be filled in with the error
+value provided by the application.
+.I msg_data
+is a pointer to a
+.I MSG_DAT
+struct, defined in
+.I krb.h .
+The routine fills in these
+.I MSG_DAT
+fields: the
+.I app_data
+field with a pointer to the application error text,
+.I app_length
+with the length of the
+.I app_data
+field, and
+.I swap
+with a 1 if the byte order of the receiver is different than that of
+the sender.  (The application must still determine if it is appropriate
+to byte-swap application data; the Kerberos protocol fields are already taken
+care of).
+
+The routine returns zero if the error message has been successfully received,
+or a Kerberos error code.
+.PP
+The
+.I KTEXT
+structure is used to pass around text of varying lengths.  It consists
+of a buffer for the data, and a length.  krb_rd_req takes an argument of this
+type containing the authenticator, and krb_mk_req returns the
+authenticator in a structure of this type.  KTEXT itself is really a
+pointer to the structure.   The actual structure is of type KTEXT_ST.
+.PP
+The
+.I AUTH_DAT
+structure is filled in by krb_rd_req.  It must be allocated before
+calling krb_rd_req, and a pointer to it is passed.  The structure is
+filled in with data obtained from Kerberos.
+.I MSG_DAT
+structure is filled in by either krb_rd_priv, krb_rd_safe, or
+krb_rd_err.  It must be allocated before the call and a pointer to it
+is passed.  The structure is
+filled in with data obtained from Kerberos.
+.PP
+.SH FILES
+/usr/include/krb.h
+.br
+/usr/lib/libkrb.a
+.br
+/usr/include/des.h
+.br
+/usr/lib/libdes.a
+.br
+/etc/aname
+.br
+/etc/srvtab
+.br
+/tmp/tkt[uid]
+.SH "SEE ALSO"
+kerberos(1), des_crypt(3)
+.SH DIAGNOSTICS
+.SH BUGS
+The caller of
+.I krb_rd_req, krb_rd_priv, and krb_rd_safe
+must check time order and for replay attempts.
+.I krb_ck_repl
+is not implemented yet.
+.SH AUTHORS
+Clifford Neuman, MIT Project Athena
+.br
+Steve Miller, MIT Project Athena/Digital Equipment Corporation
+.SH RESTRICTIONS
+COPYRIGHT 1985,1986,1989 Massachusetts Institute of Technology
diff --git a/crypto/kerberosIV/man/kerberos.8 b/crypto/kerberosIV/man/kerberos.8
new file mode 100644
index 0000000..0ad1a4a
--- /dev/null
+++ b/crypto/kerberosIV/man/kerberos.8
@@ -0,0 +1,189 @@
+.\" $Id: kerberos.8,v 1.4 1997/09/26 17:55:23 joda Exp $
+.\"
+.Dd September 26, 1997
+.Dt KERBEROS 8
+.Os KTH-KRB
+.Sh NAME
+.Nm kerberos
+.Nd the kerberos daemon
+.Sh SYNPOSIS
+.Nm
+.Op Fl mns
+.Op Fl a Ar max age
+.Op Fl i Ar address
+.Op Fl l Ar log
+.Op Fl p Ar pause
+.Op Fl P Ar portspec
+.Op Fl r Ar realm
+.Op Ar database
+.Sh DESCRIPTION
+This is the
+.Nm
+daemon.
+.Pp
+Options:
+.Bl -tag -width -ident
+.It Fl a
+Set the
+.Ar max age
+before the database is considered stale.
+.It Fl i
+Only listen on 
+.Ar address .
+Normally, the kerberos server listens on all addresses of all
+interfaces.
+.It Fl l
+Write the log to
+.Ar log
+.It Fl m
+Run manually and prompt for master key.
+.It Fl n
+Do not check max age. 
+.It Fl p
+Pause for
+.Ar pause
+before dying.
+.It Fl P
+Listen to the ports specified by
+.Ar portspec .
+This should be a white-space separated list of port specificatios. A
+port specification follows the format:
+.Ar port Ns Op / Ns Ar protocol .
+The
+.Ar port
+can be either a symbolic port name (from
+.Pa /etc/services ) ,
+or a number;
+.Ar protocol can be either 
+.Li udp ,
+or
+.Li tcp . 
+If left out, the KDC will listen to both UDP and TCP sockets on the
+specified port.
+.br
+The special string
+.Li +
+mean that the default set of ports (TCP and UDP on ports 88 and 750)
+should be included.
+.It Fl r
+Run as a server for realm
+.Ar realm
+.It Fl s
+Set slave parameters.  This will enable check to see if data is
+getting too stale relative to the master.
+.El
+.Pp
+If no 
+.Ar database
+is given a default datbase will be used, normally
+.Pa /var/kerberos/principal .
+.Sh DIAGNOSTICS
+The server logs several messages in a log file
+.Pf ( Pa /var/run/kerberos.log
+by default).  The logging mechanism opens and closes the log file for
+each message, so you can safely rename the log file when the server is
+running.
+.Ss Operational messages
+These are normal messages that you will see in the log. They might be
+followed by some error message.
+.Bl -tag -width xxxxx
+.It Li Getting key for Ar REALM
+The server fetched the key for 
+.Sq krbtgt.REALM
+for the specific
+realm. You will see this at startup, and for every attempt to use
+cross realm authentication.
+.It Xo Li Starting Kerberos for
+.Ar REALM 
+.Li (kvno Ar kvno )
+.Xc
+You will see this also if you start with
+.Fl m .
+.It Xo Li AS REQ 
+.Ar name.instance@REALM 
+.Li for 
+.Ar sname.sinstance 
+.Li from 
+.Ar ip-number
+.Xc
+An initial (password authenticated) request was received.
+.It Xo Li APPL REQ 
+.Ar name.instance@REALM
+.Li for 
+.Ar sname.sinstance
+.Li from Ar ip-number
+.Xc
+A tgt-based request for a ticket was made.
+.El
+.Ss Error messages
+These messages reflects misconfigured clients, invalid requests, or
+possibly attepted attacks.
+.Bl -tag -width xxxxx
+.It Li UNKNOWN Ar name.instance
+The server received a request with an unknown principal. This is most
+likely because someone typed the wrong name at a login prompt. It
+could also be someone trying to get a list of possible users.
+.It Xo Li Unknown realm Ar REALM 
+.Li from Ar ip-number
+.Xc
+There isn't a principal for 
+.Sq krbtgt.REALM
+in the database.
+.It Xo Li Can't hop realms: Ar REALM1 
+.Li -> Ar REALM2
+.Xc 
+There was a request for a ticket for another realm.  This might be
+because of a misconfigured client.
+.It Li Principal not unique Ar name.instance
+There is more than one entry for this principal in the database. This
+is not very good.
+.It Li Null key Ar name.instance
+Someone tried to use a principal that for some reason doesn't have a
+key.
+.It Xo Li Incorrect master key version for 
+.Ar name.instance
+.Li : Ar number 
+.Li (should be Ar number )
+.Xc
+The principal has it's key encrypted with the wrong master key.
+.It Xo Li Principal Ar name.instance 
+.Li expired at Ar date
+.Xc
+The principal's key has expired.
+.It Li krb_rd_req from Ar ip-number : error-message
+The message couldn't be decoded properly. The error message will give
+you further hints. You will see this if someone is trying to use
+expired tickets.
+.It Xo Li Unknown message type: Ar number 
+.Li from Ar ip-number
+.Xc
+The message received was not one that is understood by this server.
+.It Li Can't authorize password changed based on TGT
+Someone tried to get a 
+.Sq changepw.kerberos
+via a tgt exchange. This is
+because of a broken client, or possibly an attack.
+.It Li KRB protocol version mismatch ( Ar number )
+The server received a request with an unknown version number.
+.El
+.Ss Fatal error messages
+The following messages indicate problems when starting the server.
+.Bl -tag -width xxxxx
+.It Li Database unavailable!
+There was some problem reading the database.
+.It Li Database currently being updated!
+Someone is currently updating the database (possibly via krop).
+.It Li Database out of date!
+The database is older than the maximum age specified.
+.It Li Couldn't get master key.
+The master key file wasn't found or the file is damaged.
+.It Li Can't verify master key.
+The key in the keyfile doesn't match the current databse.
+.It Li Ticket granting ticket service unknown
+The database doesn't contain a 
+.Sq krbtgt.REALM
+for the local realm.
+.El
+.Sh SEE ALSO
+.Xr kprop 8 ,
+.Xr kpropd 8
diff --git a/crypto/kerberosIV/man/kinit.1 b/crypto/kerberosIV/man/kinit.1
new file mode 100644
index 0000000..f27f240
--- /dev/null
+++ b/crypto/kerberosIV/man/kinit.1
@@ -0,0 +1,131 @@
+.\" $Id: kinit.1,v 1.4 1998/12/18 16:57:29 assar Exp $
+.\" $FreeBSD$
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KINIT 1 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+kinit \- Kerberos login utility
+.SH SYNOPSIS
+.B kinit
+[
+.B \-irvlp
+]
+.SH DESCRIPTION
+The
+.I kinit
+command is used to login to the
+Kerberos
+authentication and authorization system.
+Note that only registered
+Kerberos
+users can use the
+Kerberos
+system.
+For information about registering as a
+Kerberos
+user,
+see the
+.I kerberos(1)
+manual page.
+.PP
+If you are using a replaced
+.I login
+that already fetches tickets for you, you do not have to use
+.I kinit.
+You will need to use
+.I kinit
+only in those situations in which
+your original tickets have expired.
+(Tickets expire in about a day.)
+Note as well that the modified
+.I login
+will automatically destroy your tickets when you logout from the workstation.
+.PP
+When you use
+.I kinit
+without options,
+the utility
+prompts for your username and Kerberos password,
+and tries to authenticate your login with the local
+Kerberos
+server.
+.PP
+If
+Kerberos
+authenticates the login attempt,
+.I kinit
+retrieves your initial ticket and puts it in the ticket file specified by
+your KRBTKFILE environment variable.
+If this variable is undefined,
+your ticket will be stored in the
+.IR /tmp
+directory,
+in the file
+.I tktuid ,
+where
+.I uid
+specifies your user identification number.
+.PP
+If you have logged in to
+Kerberos
+without the benefit of the modified
+.I login
+program,
+make sure you use the
+.I kdestroy
+command to destroy any active tickets before you end your login session.
+You may want to put the
+.I kdestroy
+command in your
+.I \.logout
+file so that your tickets will be destroyed automatically when you logout.
+.PP
+The options to
+.I kinit
+are as follows:
+.TP 7
+.B \-i
+.I kinit
+prompts you for a
+Kerberos
+instance.
+.TP
+.B \-r
+.I kinit
+prompts you for a
+Kerberos
+realm.
+This option lets you authenticate yourself with a remote
+Kerberos
+server.
+.TP
+.B \-v
+Verbose mode.
+.I kinit
+prints the name of the ticket file used, and
+a status message indicating the success or failure of
+your login attempt.
+.TP
+.B \-l
+.I kinit
+prompts you for a ticket lifetime in minutes.  Due to protocol
+restrictions in Kerberos Version 4, this value must be between 5 and
+1275 minutes.
+.TP
+.B \-p
+.I kinit
+will acquires a ticket for changepw.kerberos.
+.SH SEE ALSO
+.PP
+kerberos(1), kdestroy(1), klist(1), login(1)
+.SH BUGS
+The
+.B \-r
+option has not been fully implemented.
+.SH AUTHORS
+Steve Miller, MIT Project Athena/Digital Equipment Corporation
+.br
+Clifford Neuman, MIT Project Athena
diff --git a/crypto/kerberosIV/man/klist.1 b/crypto/kerberosIV/man/klist.1
new file mode 100644
index 0000000..76dec02
--- /dev/null
+++ b/crypto/kerberosIV/man/klist.1
@@ -0,0 +1,83 @@
+.\" $Id: klist.1,v 1.2 1996/06/12 21:29:19 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KLIST 1 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+klist \- list currently held Kerberos tickets
+.SH SYNOPSIS
+.B klist
+[
+\fB\-s \fR|\fB \-t\fR
+] [
+.B \-file
+name ] [
+.B \-srvtab
+]
+.br
+.SH DESCRIPTION
+.I klist
+prints the name of the tickets file and the
+identity of the principal the tickets are for (as listed in the
+tickets file), and 
+lists the principal names of all Kerberos tickets currently held by
+the user, along with the issue and expire time for each authenticator.
+Principal names are listed in the form
+.I name.instance@realm,
+with the '.' omitted if the instance is null,
+and the '@' omitted if the realm is null.
+
+If given the
+.B \-s
+option,
+.I klist
+does not print the issue and expire times, the name of the tickets file,
+or the identity of the principal.
+
+If given the
+.B \-t
+option, 
+.B klist
+checks for the existence of a non-expired ticket-granting-ticket in the
+ticket file.  If one is present, it exits with status 0, else it exits
+with status 1.  No output is generated when this option is specified. 
+
+If given the
+.B \-file
+option, the following argument is used as the ticket file.
+Otherwise, if the
+.B KRBTKFILE
+environment variable is set, it is used.
+If this environment variable
+is not set, the file
+.B /tmp/tkt[uid]
+is used, where
+.B uid
+is the current user-id of the user.
+
+If given the
+.B \-srvtab
+option, the file is treated as a service key file, and the names of the
+keys contained therein are printed.  If no file is
+specified with a
+.B \-file
+option, the default is
+.IR /etc/srvtab .
+.SH FILES
+.TP 2i
+/etc/krb.conf
+to get the name of the local realm
+.TP
+/tmp/tkt[uid]
+as the default ticket file ([uid] is the decimal UID of the user).
+.TP
+/etc/srvtab
+as the default service key file
+.SH SEE ALSO
+.PP
+kerberos(1), kinit(1), kdestroy(1)
+.SH BUGS
+When reading a file as a service key file, very little sanity or error
+checking is performed.
diff --git a/crypto/kerberosIV/man/kpasswd.1 b/crypto/kerberosIV/man/kpasswd.1
new file mode 100644
index 0000000..ad0c858
--- /dev/null
+++ b/crypto/kerberosIV/man/kpasswd.1
@@ -0,0 +1,85 @@
+.\" $Id: kpasswd.1,v 1.2 1996/06/12 21:29:21 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KPASSWD 1 "Kerberos Version 4.0" "MIT Project Athena"
+.FM mit
+.SH NAME
+kpasswd \- change a user's Kerberos password
+.SH SYNOPSIS
+.B kpasswd
+[
+.B \-h
+] [
+.B \-n
+.I name
+] [
+.B \-i
+.I instance
+] [
+.B \-r
+.I realm
+] [
+\-u
+.IR username[.instance][@realm] ]
+.SH DESCRIPTION
+The
+.I kpasswd
+command is used to change a Kerberos principal's password.
+.PP
+If the
+.I \-h
+option is specified, a brief summary of the options is printed, and 
+.I kpasswd
+then exits.
+.PP
+If the
+.I \-n
+option is specified, 
+.I name
+is used as the principal name rather than the username of the user
+running
+.IR kpasswd .
+(This is determined from the ticket file if it exists;
+otherwise, it is determined from the unix user id.)
+.PP
+If the
+.I \-i
+option is specified,
+.I instance
+is used as the instance rather than a null instance.
+.PP
+If the
+.I \-r
+option is specified,
+.I realm
+is used as the realm rather than the local realm.
+.PP
+If the 
+.I \-u 
+option is specified, a fully qualified kerberos
+principal can be given.
+.PP
+
+The utility prompts for the current Kerberos password (printing
+the name of the principal for which it intends to change the password),
+which is verified by the Kerberos server.  If the old password is
+correct, the user is prompted twice for the new password.  A message is
+printed indicating the success or failure of the password changing
+operation.
+
+.SH BUGS
+
+.I kpasswd
+does not handle names, instances, or realms with special
+characters in them when the -n, -i, or -r options are used.  Any
+valid fullname is accepted, however, if the -u option is used.
+
+If the principal whose password you are trying to change does
+not exist, you will not be told until after you have entered the
+old password.
+
+.SH SEE ALSO
+kerberos(1), kinit(1), passwd(1), kadmin(8)
diff --git a/crypto/kerberosIV/man/kprop.8 b/crypto/kerberosIV/man/kprop.8
new file mode 100644
index 0000000..ef45ad3
--- /dev/null
+++ b/crypto/kerberosIV/man/kprop.8
@@ -0,0 +1,56 @@
+.\" $Id: kprop.8,v 1.2 1996/06/15 17:03:22 assar Exp $
+.\" $FreeBSD$
+.\"
+.Dd June 7, 1996
+.Dt KPROP 8
+.Os KTH-KRB
+.Sh NAME
+.Nm kprop
+.Nd "the kerberos slave server update client"
+.Sh SYNOPSIS
+.Nm
+.Op Fl force
+.Op Fl realm Ar realm
+.Op Ar dump-file
+.Op Ar slave-file
+.Sh DESCRIPTION
+Changes to the database, such as changed passwords, are only made to
+the master server through the
+.Nm kadmind
+service. To propagate these changes to the slave servers, 
+.Nm 
+should be run regularly on the master server.
+.Pp
+The following options are recognised.
+.Bl -tag -width -force
+.It Fl force
+Propagate even if there hasn't been an update to the dump file since
+last time.
+.It Fl realm
+Realm if other than the default.
+.It dump-file
+is a file created with 
+.Ic kdb_util slave_dump ,
+default is
+.Pa /var/kerberos/slave_dump .
+.It slave-file
+Contains the names of the slave servers. Default is
+.Pa /var/kerberos/slaves .
+.El
+.Pp
+.Nm
+will use the principal 
+.Nm rcmd.kerberos
+to authenticate to the master servers. This principal has to be added
+to the database, and it should also be put into the service key file
+on the master server.
+.Sh FILES
+.Bl -tag -width indent -compact
+.It Pa /var/kerberos/slave_dump
+.It Pa /var/kerberos/slaves
+.It Pa /etc/srvtab
+.El
+.Sh SEE ALSO
+.Xr kpropd 8 ,
+.Xr kerberos 8 ,
+.Xr kadmind 8
diff --git a/crypto/kerberosIV/man/kpropd.8 b/crypto/kerberosIV/man/kpropd.8
new file mode 100644
index 0000000..1ca0944
--- /dev/null
+++ b/crypto/kerberosIV/man/kpropd.8
@@ -0,0 +1,62 @@
+.\" $Id: kpropd.8,v 1.2 1997/02/07 22:04:55 assar Exp $
+.\" $FreeBSD$
+.\"
+.Dd June 7, 1996
+.Dt KPROPD 8
+.Os KTH-KRB
+.Sh NAME
+.Nm kpropd
+.Nd "the kerberos slave server update facility"
+.Sh SYNOPSIS
+.Nm
+.Op Fl i
+.Op Fl d Ar database
+.Op Fl l Ar logfile
+.Op Fl m
+.Op Fl p Ar kdb_util
+.Op Fl r Ar realm
+.Op Fl s Ar srvtab
+.Sh DESCRIPTION
+The
+.Nm
+responds to database update requests from the
+.Nm kprop
+command. It can either be started from
+.Nm inetd
+or as an ordinary program.
+.Pp
+The following options are recognised:
+.Bl -tag -width xxxx
+.It Fl i
+Run stand-alone.  If this flag is not given, it is assumed to have
+been started by
+.Nm inetd .
+.It Fl d
+What database file to use, default is
+.Pa /var/kerberos/principal .
+.It Fl l
+Logfile to use, default is
+.Pa /var/log/kpropd.log .
+.It Fl m
+Treat data as changes to the database rather than a complete database.
+.It Fl p
+The path to
+.Nm kdb_util ,
+default is
+.Pa /usr/athena/sbin/kdb_util .
+.It Fl r
+Realm if other than the default realm.
+.It Fl s
+Srvtab if other than
+.Pa /etc/kerberosIV/srvtab .
+.El
+.Sh FILES
+.Bl -tag -width indent -compact
+.It Pa /var/db/kerberos/principal.{db,dir,pag}
+.It Pa /var/log/kpropd.log
+.It Pa /etc/srvtab
+.El
+.Sh SEE ALSO
+.Xr kprop 8 ,
+.Xr kerberos 8 ,
+.Xr kadmind 8
diff --git a/crypto/kerberosIV/man/krb.conf.5 b/crypto/kerberosIV/man/krb.conf.5
new file mode 100644
index 0000000..8ffa9af
--- /dev/null
+++ b/crypto/kerberosIV/man/krb.conf.5
@@ -0,0 +1,42 @@
+.\" $Id: krb.conf.5,v 1.4 1999/08/02 16:09:57 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KRB.CONF 5 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+/etc/krb.conf \- Kerberos configuration file
+.SH DESCRIPTION
+.I krb.conf
+contains configuration information describing the Kerberos realm(s) and the
+Kerberos key distribution center (KDC) servers for known realms.
+.PP
+.I krb.conf
+starts with a definition of the local realm on the first line, this is
+followed by any number lines defining supplementary local realms.  The
+rest of the file consists of lines indicating realm/host entries. The
+first token is a realm name, and the second is a server specification
+of a host running a KDC for that realm. The words "admin server"
+following the hostname indicate that the host also provides an
+administrative database server.
+
+To be able to communicate with the KDC through a firewall it is
+sometimes necessary to tunnel requests over HTTP or TCP. Tunnel
+protocols and port numbers are specified in the server specification
+using the syntax [(UDP|TCP|HTTP)/]hostname[:port].
+
+For example:
+.nf
+.in +1i
+SICS.SE
+NADA.KTH.SE
+SICS.SE     TCP/kerberos.sics.se:88 admin server
+NADA.KTH.SE kerberos.nada.kth.se    admin server
+NADA.KTH.SE kerberos-1.nada.kth.se
+NADA.KTH.SE kerberos-2.nada.kth.se
+NADA.KTH.SE HTTP/kerberos-3.nada.kth.se
+KTH.SE      kerberos.kth.se         admin server
+.in -1i
+.SH SEE ALSO
+krb.realms(5), krb_get_krbhst(3), krb_get_lrealm(3)
diff --git a/crypto/kerberosIV/man/krb.equiv.5 b/crypto/kerberosIV/man/krb.equiv.5
new file mode 100644
index 0000000..511dbf0
--- /dev/null
+++ b/crypto/kerberosIV/man/krb.equiv.5
@@ -0,0 +1,27 @@
+.\"	$Id: krb.equiv.5,v 1.3 1996/06/18 16:26:20 joda Exp $
+.\"
+.Dd June 18, 1996
+.Dt KRB.EQUIV 5
+.Os KTH-KRB
+.Sh NAME
+.Nm krb.equiv
+.Nd Kerberos equivalent hosts file
+.Sh DESCRIPTION
+.Nm
+contains a list of IP addresses that is to be considered being the
+same host for Kerberos purposes. Plain addresses match a single
+host. Addresses followed by a slash (/) and a number is taken as a
+sub-network that should be considered equal.
+.Pp
+Hash (#) starts a comment. Backslash (\\) is a continuation character.
+.Sh EXAMPLES
+.Bd -literal
+# A machine with two interfaces.
+130.237.232.113 130.237.221.42  # emma emma-ether
+# A machine with *many* interfaces
+193.10.156.0/24 193.10.157.0/24 # syk-* syk-*-hps
+.Ed
+.Sh SEE ALSO
+.Xr krb_equiv 3 ,
+.Xr krb.conf 5 ,
+.Xr krb.realms 5
diff --git a/crypto/kerberosIV/man/krb.extra.5 b/crypto/kerberosIV/man/krb.extra.5
new file mode 100644
index 0000000..5652323
--- /dev/null
+++ b/crypto/kerberosIV/man/krb.extra.5
@@ -0,0 +1,50 @@
+.\" $Id: krb.extra.5,v 1.4 1999/11/25 05:30:42 assar Exp $
+.\"
+.Dd June 24, 1999
+.Dt KRB.EXTRA 5
+.Os KTH-KRB
+.Sh NAME
+.Nm krb.extra
+.Nd Kerberos misc configuration file
+.Sh DESCRIPTION
+.Nm
+contains a number of settings that are used by the kerberos library,
+or directly by applications. Each line in the file consists of a
+variable, an equal sign, and a value. Lines beginning with hash are
+ignored.
+.Pp
+Currently defined variables are:
+.Bl -tag -width foo
+.It kdc_timeout
+time in seconds to wait for an answer from the KDC (default is 4
+seconds)
+.It kdc_timesync
+if this is enabled, the time differential between the client and the
+KDC will be stored, and used later on when computing the correct time;
+this is useful if the client's clock is drifting
+.It firewall_address
+the outside address of the firewall; this is used in some places to
+compute a direction bit, and this might break if the server has a
+different idea about which address to use then the client
+.It krb4_proxy
+address of a web-proxy to use when connecting to the KDC via HTTP
+.It krb_default_tkt_root
+the default prefix for ticket files. E.g, if your uid is 42 and the
+prefix is /tmp/tkt then your default ticket file will be /tmp/tkt42
+.It krb_default_keyfile
+the default kefile, normally /etc/srvtab
+.It nat_in_use
+if a Network Address Translator (NAT) is being used.
+.El
+.Sh EXAMPLES
+.Bd -literal
+# this is a comment
+krb_default_tkt_root = /tkt/tkt_
+kdc_timesync = yes
+firewall_address = 10.0.0.1
+krb_default_keyfile = /etc/kerberosIV/srvtab
+.Ed
+.Sh SEE ALSO
+.Xr krb.equiv 5 ,
+.Xr krb.conf 5 ,
+.Xr krb.realms 5
diff --git a/crypto/kerberosIV/man/krb.realms.5 b/crypto/kerberosIV/man/krb.realms.5
new file mode 100644
index 0000000..427c455
--- /dev/null
+++ b/crypto/kerberosIV/man/krb.realms.5
@@ -0,0 +1,38 @@
+.\" $Id: krb.realms.5,v 1.2 1996/06/12 21:29:22 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KRB.REALMS 5 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+/etc/krb.realms \- host to Kerberos realm translation file
+.SH DESCRIPTION
+.I krb.realms
+provides a translation from a hostname to the Kerberos realm name for
+the services provided by that host.
+.PP
+Each line of the translation file is in one of the following forms
+(domain_name should be of the form .XXX.YYY, e.g. .LCS.MIT.EDU):
+.nf
+.in +5n
+host_name kerberos_realm
+domain_name kerberos_realm
+.in -5n
+.fi
+If a hostname exactly matches the 
+.I host_name
+field in a line of the first
+form, the corresponding realm is the realm of the host.
+If a hostname does not match any 
+.I host_name
+in the file, but its
+domain exactly matches the 
+.I domain_name
+field in a line of the second
+form, the corresponding realm is the realm of the host.
+.PP
+If no translation entry applies, the host's realm is considered to be
+the hostname's domain portion converted to upper case.
+.SH SEE ALSO
+krb_realmofhost(3)
diff --git a/crypto/kerberosIV/man/krb_realmofhost.3 b/crypto/kerberosIV/man/krb_realmofhost.3
new file mode 100644
index 0000000..d7c0ea6
--- /dev/null
+++ b/crypto/kerberosIV/man/krb_realmofhost.3
@@ -0,0 +1,161 @@
+.\" $Id: krb_realmofhost.3,v 1.2 1996/06/12 21:29:23 bg Exp $
+.\" $FreeBSD$
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KRB_REALMOFHOST 3 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+krb_realmofhost, krb_get_phost, krb_get_krbhst, krb_get_admhst,
+krb_get_lrealm \- additional Kerberos utility routines
+.SH SYNOPSIS
+.nf
+.nj
+.ft B
+#include <krb.h>
+#include <openssl/des.h>
+#include <netinet/in.h>
+.PP
+.ft B
+char *krb_realmofhost(host)
+char *host;
+.PP
+.ft B
+char *krb_get_phost(alias)
+char *alias;
+.PP
+.ft B
+krb_get_krbhst(host,realm,n)
+char *host;
+char *realm;
+int n;
+.PP
+.ft B
+krb_get_admhst(host,realm,n)
+char *host;
+char *realm;
+int n;
+.PP
+.ft B
+krb_get_lrealm(realm,n)
+char *realm;
+int n;
+.fi
+.ft R
+.SH DESCRIPTION
+.I krb_realmofhost
+returns the Kerberos realm of the host
+.IR host ,
+as determined by the translation table
+.IR /etc/krb.realms .
+.I host
+should be the fully-qualified domain-style primary host name of the host
+in question.  In order to prevent certain security attacks, this routine
+must either have 
+.I a priori
+knowledge of a host's realm, or obtain such information securely.
+.PP
+The format of the translation file is described by 
+.IR krb.realms (5).
+If
+.I host
+exactly matches a host_name line, the corresponding realm
+is returned.
+Otherwise, if the domain portion of
+.I host
+matches a domain_name line, the corresponding realm
+is returned.
+If
+.I host
+contains a domain, but no translation is found,
+.IR host 's
+domain is converted to upper-case and returned.
+If 
+.I host
+contains no discernable domain, or an error occurs,
+the local realm name, as supplied by 
+.IR krb_get_lrealm (3),
+is returned.
+.PP
+.I krb_get_phost
+converts the hostname
+.I alias
+(which can be either an official name or an alias) into the instance
+name to be used in obtaining Kerberos tickets for most services,
+including the Berkeley rcmd suite (rlogin, rcp, rsh).
+.br
+The current convention is to return the first segment of the official
+domain-style name after conversion to lower case.
+.PP
+.I krb_get_krbhst
+fills in
+.I host
+with the hostname of the
+.IR n th
+host running a Kerberos key distribution center (KDC)
+for realm
+.IR realm ,
+as specified in the configuration file (\fI/etc/krb.conf\fR).
+The configuration file is described by 
+.IR krb.conf (5).
+If the host is successfully filled in, the routine
+returns KSUCCESS.
+If the file cannot be opened, and
+.I n
+equals 1, then the value of KRB_HOST as defined in
+.I <krb.h>
+is filled in, and KSUCCESS is returned.  If there are fewer than
+.I n
+hosts running a Kerberos KDC for the requested realm, or the
+configuration file is malformed, the routine
+returns KFAILURE.
+.PP
+.I krb_get_admhst
+fills in
+.I host
+with the hostname of the
+.IR n th
+host running a Kerberos KDC database administration server
+for realm
+.IR realm ,
+as specified in the configuration file (\fI/etc/krb.conf\fR).
+If the file cannot be opened or is malformed, or there are fewer than
+.I n
+hosts running a Kerberos KDC database administration server,
+the routine returns KFAILURE.
+.PP
+The character arrays used as return values for
+.IR krb_get_krbhst ,
+.IR krb_get_admhst ,
+should be large enough to
+hold any hostname (MAXHOSTNAMELEN from <sys/param.h>).
+.PP
+.I krb_get_lrealm
+fills in
+.I realm
+with the
+.IR n th
+realm of the local host, as specified in the configuration file.
+.I realm
+should be at least REALM_SZ (from
+.IR <krb.h>) characters long.
+.PP
+.SH SEE ALSO
+kerberos(3), krb.conf(5), krb.realms(5)
+.SH FILES
+.TP 20n
+/etc/krb.realms
+translation file for host-to-realm mapping.
+.TP
+/etc/krb.conf
+local realm-name and realm/server configuration file.
+.SH BUGS
+The current convention for instance names is too limited; the full
+domain name should be used.
+.PP
+.I krb_get_lrealm
+currently only supports 
+.I n
+= 1.  It should really consult the user's ticket cache to determine the
+user's current realm, rather than consulting a file on the host.
diff --git a/crypto/kerberosIV/man/krb_sendauth.3 b/crypto/kerberosIV/man/krb_sendauth.3
new file mode 100644
index 0000000..cc99d4e
--- /dev/null
+++ b/crypto/kerberosIV/man/krb_sendauth.3
@@ -0,0 +1,348 @@
+.\" $Id: krb_sendauth.3,v 1.2 1996/06/12 21:29:24 bg Exp $
+.\" $FreeBSD$
+.\" Copyright 1988 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KRB_SENDAUTH 3 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+krb_sendauth, krb_recvauth, krb_net_write, krb_net_read \-
+Kerberos routines for sending authentication via network stream sockets
+.SH SYNOPSIS
+.nf
+.nj
+.ft B
+#include <krb.h>
+#include <openssl/des.h>
+#include <netinet/in.h>
+.PP
+.fi
+.HP 1i
+.ft B
+int krb_sendauth(options, fd, ktext, service, inst, realm, checksum,
+msg_data, cred, schedule, laddr, faddr, version)
+.nf
+.RS 0
+.ft B
+long options;
+int fd;
+KTEXT ktext;
+char *service, *inst, *realm;
+u_long checksum;
+MSG_DAT *msg_data;
+CREDENTIALS *cred;
+Key_schedule schedule;
+struct sockaddr_in *laddr, *faddr;
+char *version;
+.PP
+.fi
+.HP 1i
+.ft B
+int krb_recvauth(options, fd, ktext, service, inst, faddr, laddr,
+auth_data, filename, schedule, version)
+.nf
+.RS 0
+.ft B
+long options;
+int fd;
+KTEXT ktext;
+char *service, *inst;
+struct sockaddr_in *faddr, *laddr;
+AUTH_DAT *auth_data;
+char *filename;
+Key_schedule schedule;
+char *version;			
+.PP
+.ft B
+int krb_net_write(fd, buf, len)
+int fd;
+char *buf;
+int len;
+.PP
+.ft B
+int krb_net_read(fd, buf, len)
+int fd;
+char *buf;
+int len;
+.fi
+.SH DESCRIPTION
+.PP
+These functions,
+which are built on top of the core Kerberos library,
+provide a convenient means for client and server
+programs to send authentication messages
+to one another through network connections.
+The
+.I krb_sendauth
+function sends an authenticated ticket from the client program to
+the server program by writing the ticket to a network socket.
+The
+.I krb_recvauth
+function receives the ticket from the client by
+reading from a network socket.
+
+.SH KRB_SENDAUTH
+.PP
+This function writes the ticket to
+the network socket specified by the
+file descriptor
+.IR fd,
+returning KSUCCESS if the write proceeds successfully,
+and an error code if it does not.
+
+The
+.I ktext
+argument should point to an allocated KTEXT_ST structure.
+The
+.IR service,
+.IR inst,
+and
+.IR realm
+arguments specify the server program's Kerberos principal name,
+instance, and realm.
+If you are writing a client that uses the local realm exclusively,
+you can set the
+.I realm
+argument to NULL.
+
+The
+.I version
+argument allows the client program to pass an application-specific
+version string that the server program can then match against
+its own version string.
+The
+.I version
+string can be up to KSEND_VNO_LEN (see 
+.IR <krb.h> )
+characters in length.
+
+The
+.I checksum
+argument can be used to pass checksum information to the
+server program.
+The client program is responsible for specifying this information.
+This checksum information is difficult to corrupt because
+.I krb_sendauth
+passes it over the network in encrypted form.
+The
+.I checksum
+argument is passed as the checksum argument to
+.IR krb_mk_req .
+
+You can set
+.IR krb_sendauth's
+other arguments to NULL unless you want the
+client and server programs to mutually authenticate
+themselves.
+In the case of mutual authentication,
+the client authenticates itself to the server program,
+and demands that the server in turn authenticate itself to
+the client.
+
+.SH KRB_SENDAUTH AND MUTUAL AUTHENTICATION
+.PP
+If you want mutual authentication,
+make sure that you read all pending data from the local socket
+before calling
+.IR krb_sendauth.
+Set
+.IR krb_sendauth's
+.I options
+argument to
+.BR KOPT_DO_MUTUAL
+(this macro is defined in the
+.IR krb.h
+file);
+make sure that the
+.I laddr
+argument points to
+the address of the local socket,
+and that
+.I faddr
+points to the foreign socket's network address.
+
+.I Krb_sendauth
+fills in the other arguments--
+.IR msg_data ,
+.IR cred ,
+and
+.IR schedule --before
+sending the ticket to the server program.
+You must, however, allocate space for these arguments
+before calling the function.
+
+.I Krb_sendauth
+supports two other options:
+.BR KOPT_DONT_MK_REQ,
+and
+.BR KOPT_DONT_CANON.
+If called with
+.I options
+set as KOPT_DONT_MK_REQ,
+.I krb_sendauth
+will not use the
+.I krb_mk_req
+function to retrieve the ticket from the Kerberos server.
+The
+.I ktext
+argument must point to an existing ticket and authenticator (such as
+would be created by 
+.IR krb_mk_req ),
+and the
+.IR service,
+.IR inst,
+and
+.IR realm
+arguments can be set to NULL.
+
+If called with
+.I options
+set as KOPT_DONT_CANON,
+.I krb_sendauth
+will not convert the service's instance to canonical form using 
+.IR krb_get_phost (3).
+
+If you want to call
+.I krb_sendauth
+with a multiple
+.I options
+specification,
+construct
+.I options
+as a bitwise-OR of the options you want to specify.
+
+.SH KRB_RECVAUTH
+.PP
+The
+.I krb_recvauth
+function
+reads a ticket/authenticator pair from the socket pointed to by the
+.I fd
+argument.
+Set the
+.I options
+argument
+as a bitwise-OR of the options desired.
+Currently only KOPT_DO_MUTUAL is useful to the receiver.
+
+The
+.I ktext
+argument
+should point to an allocated KTEXT_ST structure.
+.I Krb_recvauth
+fills
+.I ktext
+with the
+ticket/authenticator pair read from
+.IR fd ,
+then passes it to
+.IR krb_rd_req .
+
+The
+.I service
+and
+.I inst
+arguments
+specify the expected service and instance for which the ticket was
+generated.  They are also passed to
+.IR krb_rd_req.
+The
+.I inst
+argument may be set to "*" if the caller wishes
+.I krb_mk_req
+to fill in the instance used (note that there must be space in the
+.I inst
+argument to hold a full instance name, see 
+.IR krb_mk_req (3)).
+
+The
+.I faddr
+argument
+should point to the address of the peer which is presenting the ticket.
+It is also passed to
+.IR krb_rd_req .
+
+If the client and server plan to mutually authenticate
+one another,
+the
+.I laddr
+argument
+should point to the local address of the file descriptor.
+Otherwise you can set this argument to NULL.
+
+The
+.I auth_data
+argument
+should point to an allocated AUTH_DAT area.
+It is passed to and filled in by
+.IR krb_rd_req .
+The checksum passed to the corresponding
+.I krb_sendauth
+is available as part of the filled-in AUTH_DAT area.
+
+The
+.I filename
+argument
+specifies the filename
+which the service program should use to obtain its service key.
+.I Krb_recvauth
+passes
+.I filename
+to the
+.I krb_rd_req
+function.
+If you set this argument to "",
+.I krb_rd_req
+looks for the service key in the file
+.IR /etc/srvtab.
+
+If the client and server are performing mutual authenication,
+the
+.I schedule
+argument
+should point to an allocated Key_schedule.
+Otherwise it is ignored and may be NULL.
+
+The
+.I version
+argument should point to a character array of at least KSEND_VNO_LEN
+characters.  It is filled in with the version string passed by the client to
+.IR krb_sendauth.
+.PP
+.SH KRB_NET_WRITE AND KRB_NET_READ
+.PP
+The
+.I krb_net_write
+function
+emulates the write(2) system call, but guarantees that all data
+specified is written to
+.I fd
+before returning, unless an error condition occurs.
+.PP
+The
+.I krb_net_read
+function
+emulates the read(2) system call, but guarantees that the requested
+amount of data is read from
+.I fd
+before returning, unless an error condition occurs.
+.PP
+.SH BUGS
+.IR krb_sendauth,
+.IR krb_recvauth,
+.IR krb_net_write,
+and
+.IR krb_net_read
+will not work properly on sockets set to non-blocking I/O mode.
+
+.SH SEE ALSO
+
+krb_mk_req(3), krb_rd_req(3), krb_get_phost(3)
+
+.SH AUTHOR
+John T. Kohl, MIT Project Athena
+.SH RESTRICTIONS
+Copyright 1988, Massachusetts Instititute of Technology.
+For copying and distribution information,
+please see the file <mit-copyright.h>.
diff --git a/crypto/kerberosIV/man/krb_set_tkt_string.3 b/crypto/kerberosIV/man/krb_set_tkt_string.3
new file mode 100644
index 0000000..9d94143
--- /dev/null
+++ b/crypto/kerberosIV/man/krb_set_tkt_string.3
@@ -0,0 +1,42 @@
+.\" $Id: krb_set_tkt_string.3,v 1.2 1996/06/12 21:29:24 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KRB_SET_TKT_STRING 3 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+krb_set_tkt_string \- set Kerberos ticket cache file name
+.SH SYNOPSIS
+.nf
+.nj
+.ft B
+#include <krb.h>
+.PP
+.ft B
+void krb_set_tkt_string(filename)
+char *filename;
+.fi
+.ft R
+.SH DESCRIPTION
+.I krb_set_tkt_string
+sets the name of the file that holds the user's
+cache of Kerberos server tickets and associated session keys.
+.PP
+The string 
+.I filename
+passed in is copied into local storage.
+Only MAXPATHLEN-1 (see <sys/param.h>) characters of the filename are
+copied in for use as the cache file name.
+.PP
+This routine should be called during initialization, before other
+Kerberos routines are called; otherwise the routines which fetch the
+ticket cache file name may be called and return an undesired ticket file
+name until this routine is called.
+.SH FILES
+.TP 20n
+/tmp/tkt[uid]
+default ticket file name, unless the environment variable KRBTKFILE is set.
+[uid] denotes the user's uid, in decimal.
+.SH SEE ALSO
+kerberos(3), setenv(3)
diff --git a/crypto/kerberosIV/man/ksrvtgt.1 b/crypto/kerberosIV/man/ksrvtgt.1
new file mode 100644
index 0000000..ff8563c
--- /dev/null
+++ b/crypto/kerberosIV/man/ksrvtgt.1
@@ -0,0 +1,50 @@
+.\" $Id: ksrvtgt.1,v 1.2 1996/06/12 21:29:26 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KSRVTGT 1 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+ksrvtgt \- fetch and store Kerberos ticket-granting-ticket using a
+service key
+.SH SYNOPSIS
+.B ksrvtgt
+name instance [[realm] srvtab]
+.SH DESCRIPTION
+.I ksrvtgt
+retrieves a ticket-granting ticket with a lifetime of five (5) minutes
+for the principal
+.I name.instance@realm
+(or 
+.I name.instance@localrealm
+if
+.I realm
+is not supplied on the command line), decrypts the response using
+the service key found in
+.I srvtab
+(or in 
+.B /etc/srvtab
+if
+.I srvtab
+is not specified on the command line), and stores the ticket in the
+standard ticket cache.
+.PP
+This command is intended primarily for use in shell scripts and other
+batch-type facilities.
+.SH DIAGNOSTICS
+"Generic kerberos failure (kfailure)" can indicate a whole range of
+problems, the most common of which is the inability to read the service
+key file.
+.SH FILES
+.TP 2i
+/etc/krb.conf
+to get the name of the local realm.
+.TP
+/tmp/tkt[uid]
+The default ticket file.
+.TP
+/etc/srvtab
+The default service key file.
+.SH SEE ALSO
+kerberos(1), kinit(1), kdestroy(1)
diff --git a/crypto/kerberosIV/man/ksrvutil.8 b/crypto/kerberosIV/man/ksrvutil.8
new file mode 100644
index 0000000..d2bfa8e
--- /dev/null
+++ b/crypto/kerberosIV/man/ksrvutil.8
@@ -0,0 +1,100 @@
+.\" $Id: ksrvutil.8,v 1.3 1996/06/12 21:29:27 bg Exp $
+.\" $FreeBSD$
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.Dd May 4, 1996
+.Dt KSRVUTIL 8
+.Os KTH-KRB
+.Sh NAME
+.Nm ksrvutil 
+.Nd "host kerberos keyfile (srvtab) manipulation utility"
+.Sh SYNOPSIS
+.Nm
+.Op Fl f Pa keyfile
+.Op Fl i
+.Op Fl k 
+.Op Fl p Ar principal
+.Op Fl r Ar realm
+.Ar operation
+.Sh DESCRIPTION
+.Nm
+allows a system manager to list or change keys currently in his
+keyfile or to add new keys to the keyfile.
+.Pp
+Operation must be one of the following:
+.Bl -tag -width indent
+.It list
+lists the keys in a keyfile showing version number and principal name.
+If the
+.Fl k
+option is given, keys will also be shown.
+.It change
+changes all the keys in the keyfile by using the regular admin
+protocol.  If the
+.Fl i
+flag is given,
+.Nm ksrvutil
+will prompt for yes or no before changing each key.  If the 
+.Fl k
+option is used, the old and new keys will be displayed.
+.It add
+allows the user to add a key.
+add
+prompts for name, instance, realm, and key version number, asks
+for confirmation, and then asks for a password.  
+.Nm
+then converts the password to a key and appends the keyfile with the
+new information.  If the
+.Fl k
+option is used, the key is displayed.
+.It get
+gets a service from the Kerberos server, possibly creating the
+principal. Names, instances and realms for the service keys to get are
+prompted for. The default principal used in the kadmin transcation is
+your root instance. This can be changed with the
+.Fl p
+option.
+.El
+.Pp
+In all cases, the default file used is KEY_FILE as defined in krb.h
+unless this is overridden by the
+.Fl f
+option.
+.Pp
+A good use for
+.Nm
+would be for adding keys to a keyfile.  A system manager could
+ask a kerberos administrator to create a new service key with 
+.Xr kadmin 8
+and could supply an initial password.  Then, he could use 
+.Nm
+to add the key to the keyfile and then to change the key so that it
+will be random and unknown to either the system manager or the
+kerberos administrator.
+.Pp
+.Nm
+always makes a backup copy of the keyfile before making any changes.
+.Sh DIAGNOSTICS
+If 
+.Nm
+should exit on an error condition at any time during a change or add,
+a copy of the original keyfile can be found in
+.Pa filename Ns .old
+where 
+.Pa filename
+is the name of the keyfile, and a copy of the file with all new
+keys changed or added so far can be found in 
+.Pa filename Ns .work .
+The original keyfile is left unmodified until the program exits at
+which point it is removed and replaced it with the workfile.
+Appending the workfile to the backup copy and replacing the keyfile
+with the result should always give a usable keyfile, although the
+resulting keyfile will have some out of date keys in it.
+.Sh SEE ALSO
+.Xr kadmin 8 ,
+.Xr ksrvtgt 1
+.Sh AUTHOR
+Emanuel Jay Berkenbilt, MIT Project Athena
diff --git a/crypto/kerberosIV/man/kstash.8 b/crypto/kerberosIV/man/kstash.8
new file mode 100644
index 0000000..0197a3d
--- /dev/null
+++ b/crypto/kerberosIV/man/kstash.8
@@ -0,0 +1,40 @@
+.\" $Id: kstash.8,v 1.3 1997/04/02 21:09:56 assar Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KSTASH 8 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+kstash \- stash Kerberos key distribution center database master key
+.SH SYNOPSIS
+kstash
+.SH DESCRIPTION
+.I kstash
+saves the Kerberos key distribution center (KDC) database master key in
+the master key cache file.
+.PP
+The user is prompted to enter the key, to verify the authenticity of the
+key and the authorization to store the key in the file.
+.SH DIAGNOSTICS
+.TP 20n
+"verify_master_key: Invalid master key, does not match database."
+The master key string entered was incorrect.
+.TP
+"kstash: Unable to open master key file"
+The attempt to open the cache file for writing failed (probably due to a
+system or access permission error).
+.TP
+"kstash: Write I/O error on master key file"
+The 
+.BR write (2)
+system call returned an error while
+.I kstash
+was attempting to write the key to the file.
+.SH FILES
+.TP 20n
+/var/kerberos/principal.pag, /var/kerberos/principal.dir
+DBM files containing database
+.TP
+/.k
+Master key cache file.
diff --git a/crypto/kerberosIV/man/kuserok.3 b/crypto/kerberosIV/man/kuserok.3
new file mode 100644
index 0000000..0987308
--- /dev/null
+++ b/crypto/kerberosIV/man/kuserok.3
@@ -0,0 +1,66 @@
+.\" $Id: kuserok.3,v 1.3 1996/10/13 17:51:18 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH KUSEROK 3 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+kuserok \- Kerberos version of ruserok
+.SH SYNOPSIS
+.nf
+.nj
+.ft B
+#include <krb.h>
+.PP
+.ft B
+kuserok(kdata, localuser)
+AUTH_DAT *auth_data;
+char   *localuser;
+.fi
+.ft R
+.SH DESCRIPTION
+.I kuserok
+determines whether a Kerberos principal described by the structure
+.I auth_data
+is authorized to login as user
+.I localuser
+according to the authorization file
+("~\fIlocaluser\fR/.klogin" by default).  It returns 0 (zero) if authorized,
+1 (one) if not authorized.
+.PP
+If there is no account for 
+.I localuser
+on the local machine, authorization is not granted.
+If there is no authorization file, and the Kerberos principal described
+by 
+.I auth_data
+translates to 
+.I localuser
+(using 
+.IR krb_kntoln (3)),
+authorization is granted.
+If the authorization file
+can't be accessed, or the file is not owned by
+.IR localuser,
+authorization is denied.  Otherwise, the file is searched for
+a matching principal name, instance, and realm.  If a match is found,
+authorization is granted, else authorization is denied.
+.PP
+The file entries are in the format:
+.nf
+.in +5n
+	name.instance@realm
+.in -5n
+.fi
+with one entry per line.
+
+For convenience ~localuser@LOCALREALM is
+always considered to be an entry in the file even when there is no
+file or the file is unreadable.
+.SH SEE ALSO
+kerberos(3), ruserok(3), krb_kntoln(3)
+.SH FILES
+.TP 20n
+~\fIlocaluser\fR/.klogin
+authorization list
diff --git a/crypto/kerberosIV/man/login.1 b/crypto/kerberosIV/man/login.1
new file mode 100644
index 0000000..dcdc919
--- /dev/null
+++ b/crypto/kerberosIV/man/login.1
@@ -0,0 +1,160 @@
+.\" Copyright (c) 1980, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)login.1	8.1 (Berkeley) 6/9/93
+.\"
+.Dd June 9, 1993
+.Dt LOGIN 1
+.Os BSD 4
+.Sh NAME
+.Nm login
+.Nd log into the computer
+.Sh SYNOPSIS
+.Nm login
+.Op Fl fp
+.Op Fl h Ar hostname
+.Op Ar user
+.Sh DESCRIPTION
+.Sy Note :
+this manual page describes the original login program for
+NetBSD. Everything in here might not be true.
+.Pp
+The
+.Nm login
+utility logs users (and pseudo-users) into the computer system.
+.Pp
+If no user is specified, or if a user is specified and authentication
+of the user fails,
+.Nm login
+prompts for a user name.
+Authentication of users is done via passwords.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl f
+The
+.Fl f
+option is used when a user name is specified to indicate that proper
+authentication has already been done and that no password need be
+requested.
+This option may only be used by the super-user or when an already
+logged in user is logging in as themselves.
+.It Fl h
+The
+.Fl h
+option specifies the host from which the connection was received.
+It is used by various daemons such as
+.Xr telnetd  8 .
+This option may only be used by the super-user.
+.It Fl p
+By default,
+.Nm login
+discards any previous environment.
+The
+.Fl p
+option disables this behavior.
+.El
+.Pp
+If the file
+.Pa /etc/nologin
+exists,
+.Nm login
+dislays its contents to the user and exits.
+This is used by
+.Xr shutdown  8
+to prevent users from logging in when the system is about to go down.
+.Pp
+If the file
+.Pa /etc/fbtab
+exists,
+.Nm login
+changes the protection and ownership of certain devices specified in this
+file.
+.Pp
+Immediately after logging a user in,
+.Nm login
+displays the system copyright notice, the date and time the user last
+logged in, the message of the day as well as other information.
+If the file
+.Dq Pa .hushlogin
+exists in the user's home directory, all of these messages are suppressed.
+This is to simplify logins for non-human users, such as
+.Xr uucp 1 .
+.Nm Login
+then records an entry in the
+.Xr wtmp 5
+and
+.Xr utmp 5
+files and executes the user's command interpretor.
+.Pp
+Login enters information into the environment (see
+.Xr environ 7 )
+specifying the user's home directory (HOME), command interpreter (SHELL),
+search path (PATH), terminal type (TERM) and user name (both LOGNAME and
+USER).
+.Pp
+The standard shells,
+.Xr csh 1
+and
+.Xr sh 1 ,
+do not fork before executing the
+.Nm login
+utility.
+.Sh FILES
+.Bl -tag -width /var/mail/userXXX -compact
+.It Pa /etc/fbtab
+changes device protections
+.It Pa /etc/motd
+message-of-the-day
+.It Pa /etc/nologin
+disallows logins
+.It Pa /var/run/utmp
+current logins
+.It Pa /var/log/wtmp
+login account records
+.It Pa /var/mail/user
+system mailboxes
+.It Pa \&.hushlogin
+makes login quieter
+.El
+.Sh SEE ALSO
+.Xr chpass 1 ,
+.Xr passwd 1 ,
+.Xr rlogin 1 ,
+.Xr getpass 3 ,
+.Xr fbtab 5 ,
+.Xr utmp 5 ,
+.Xr environ 7
+.Sh HISTORY
+A
+.Nm login
+appeared in
+.At v6 .
diff --git a/crypto/kerberosIV/man/login.access.5 b/crypto/kerberosIV/man/login.access.5
new file mode 100644
index 0000000..da93b9d
--- /dev/null
+++ b/crypto/kerberosIV/man/login.access.5
@@ -0,0 +1,50 @@
+.\" this is comment
+.Dd April 30, 1994
+.Dt SKEY.ACCESS 5
+.Os FreeBSD
+.Sh NAME
+.Nm login.access
+.Nd login access control table
+.Sh DESCRIPTION
+The
+.Nm login.access
+file specifies (user, host) combinations and/or (user, tty) 
+combinations for which a login will be either accepted or refused.
+.Pp
+When someone logs in, the 
+.Nm login.access
+is scanned for the first entry that
+matches the (user, host) combination, or, in case of non-networked
+logins, the first entry that matches the (user, tty) combination.  The
+permissions field of that table entry determines whether the login will 
+be accepted or refused.
+.Pp
+Each line of the login access control table has three fields separated by a
+":" character:	  permission : users : origins
+.Pp
+The first field should be a "+" (access granted) or "-" (access denied)
+character. The second field should be a list of one or more login names,
+group names, or ALL (always matches).  The third field should be a list
+of one or more tty names (for non-networked logins), host names, domain
+names (begin with "."), host addresses, internet network numbers (end
+with "."), ALL (always matches) or LOCAL (matches any string that does
+not contain a "." character). If you run NIS you can use @netgroupname
+in host or user patterns.
+.Pp
+The EXCEPT operator makes it possible to write very compact rules.
+.Pp
+The group file is searched only when a name does not match that of the
+logged-in user. Only groups are matched in which users are explicitly
+listed: the program does not look at a user's primary group id value.
+.Sh FILES
+.Bl -tag -width /etc/login.access -compact
+.It Pa /etc/login.access
+The
+.Nm login.access
+file resides in
+.Pa /etc .
+.El
+.Sh SEE ALSO
+.Xr login 1
+.Sh AUTHOR
+Guido van Rooij
diff --git a/crypto/kerberosIV/man/pagsh.1 b/crypto/kerberosIV/man/pagsh.1
new file mode 100644
index 0000000..2208fc8
--- /dev/null
+++ b/crypto/kerberosIV/man/pagsh.1
@@ -0,0 +1,25 @@
+.\" $Id: pagsh.1,v 1.1 1996/04/27 23:03:35 d91-jda Exp $
+.\"
+.Dd April 27, 1996
+.Dt PAGSH 1
+.Os KTH-KRB
+.Sh NAME
+.Nm pagsh
+.Nd execute a command without authentication
+.Sh SYNOPSIS
+.Nm pagsh
+.Oo
+.Op Fl c
+.Ar command Ar args
+.Oc
+.Sh DESCRIPTION
+Starts a new subprocess that is detached from any Kerberos ticket
+cache and AFS tokens.
+Without
+.Ar command
+a new shell is started.
+.Sh ENVIRONMENT
+.Bl -tag -width $SHELL
+.It Ev $SHELL
+Default shell.
+.El
diff --git a/crypto/kerberosIV/man/rcp.1 b/crypto/kerberosIV/man/rcp.1
new file mode 100644
index 0000000..c52258e
--- /dev/null
+++ b/crypto/kerberosIV/man/rcp.1
@@ -0,0 +1,161 @@
+.\"	$NetBSD: rcp.1,v 1.5 1995/03/21 08:19:04 cgd Exp $
+.\"
+.\" Copyright (c) 1983, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)rcp.1	8.1 (Berkeley) 5/31/93
+.\"
+.Dd May 31, 1993
+.Dt RCP 1
+.Os BSD 4.3r
+.Sh NAME
+.Nm rcp
+.Nd remote file copy
+.Sh SYNOPSIS
+.Nm rcp
+.Op Fl Kpx
+.Op Fl k Ar realm
+.Ar file1 file2
+.Nm rcp
+.Op Fl Kprx
+.Op Fl k Ar realm
+.Ar
+.Ar directory
+.Sh DESCRIPTION
+.Nm Rcp
+copies files between machines.  Each
+.Ar file
+or
+.Ar directory
+argument is either a remote file name of the
+form ``rname@rhost:path'', or a local file name (containing no `:' characters,
+or a `/' before any `:'s).
+.Pp
+.Bl -tag -width flag
+.It Fl K
+The
+.Fl K
+option turns off all Kerberos authentication.
+.It Fl k
+The
+.Fl k
+option requests
+.Nm rcp
+to obtain tickets
+for the remote host in realm
+.Ar realm
+instead of the remote host's realm as determined by
+.Xr krb_realmofhost  3  .
+.It Fl p
+The
+.Fl p
+option causes
+.Nm rcp
+to attempt to preserve (duplicate) in its copies the modification
+times and modes of the source files, ignoring the
+.Ar umask  .
+By default, the mode and owner of
+.Ar file2
+are preserved if it already existed; otherwise the mode of the source file
+modified by the
+.Xr umask  2
+on the destination host is used.
+.It Fl r
+If any of the source files are directories,
+.Nm rcp
+copies each subtree rooted at that name; in this case
+the destination must be a directory.
+.It Fl x
+The
+.Fl x
+option turns on
+.Tn DES
+encryption for all data passed by
+.Nm rcp .
+This may impact response time and
+.Tn CPU
+utilization, but provides
+increased security.
+.El
+.Pp
+If
+.Ar path
+is not a full path name, it is interpreted relative to
+the login directory of the specified user
+.Ar ruser
+on
+.Ar rhost  ,
+or your current user name if no other remote user name is specified.
+A
+.Ar path
+on a remote host may be quoted (using \e, ", or \(aa)
+so that the metacharacters are interpreted remotely.
+.Pp
+.Nm Rcp
+does not prompt for passwords; it performs remote execution
+via
+.Xr rsh  1  ,
+and requires the same authorization.
+.Pp
+.Nm Rcp
+handles third party copies, where neither source nor target files
+are on the current machine.
+.Sh SEE ALSO
+.Xr cp 1 ,
+.Xr ftp 1 ,
+.Xr rsh 1 ,
+.Xr rlogin 1
+.Sh HISTORY
+The
+.Nm rcp
+command appeared in
+.Bx 4.2 .
+The version of
+.Nm rcp
+described here
+has been reimplemented with Kerberos in
+.Bx 4.3 Reno .
+.Sh BUGS
+Doesn't detect all cases where the target of a copy might
+be a file in cases where only a directory should be legal.
+.Pp
+Is confused by any output generated by commands in a
+.Pa \&.login ,
+.Pa \&.profile ,
+or
+.Pa \&.cshrc
+file on the remote host.
+.Pp
+The destination user and hostname may have to be specified as
+``rhost.rname'' when the destination machine is running the
+.Bx 4.2
+version of
+.Nm rcp  .
diff --git a/crypto/kerberosIV/man/rlogin.1 b/crypto/kerberosIV/man/rlogin.1
new file mode 100644
index 0000000..c2d8b77
--- /dev/null
+++ b/crypto/kerberosIV/man/rlogin.1
@@ -0,0 +1,190 @@
+.\"	$NetBSD: rlogin.1,v 1.3 1995/03/21 07:58:37 cgd Exp $
+.\"
+.\" Copyright (c) 1983, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)rlogin.1	8.1 (Berkeley) 6/6/93
+.\"
+.Dd June 6, 1993
+.Dt RLOGIN 1
+.Os BSD 4.2
+.Sh NAME
+.Nm rlogin
+.Nd remote login
+.Sh SYNOPSIS
+.Ar rlogin
+.Op Fl 8EKLdx
+.Op Fl e Ar char
+.Op Fl k Ar realm
+.Op Fl l Ar username
+.Op Fl p Ar portnumber
+.Ar host
+.Sh DESCRIPTION
+.Nm Rlogin
+starts a terminal session on a remote host
+.Ar host  .
+.Pp
+.Nm Rlogin
+first attempts to use the Kerberos authorization mechanism, described below.
+If the remote host does not supporting Kerberos the standard Berkeley
+.Pa rhosts
+authorization mechanism is used.
+The options are as follows:
+.Bl -tag -width flag
+.It Fl 8
+The
+.Fl 8
+option allows an eight-bit input data path at all times; otherwise
+parity bits are stripped except when the remote side's stop and start
+characters are other than
+^S/^Q .
+.It Fl E
+The
+.Fl E
+option stops any character from being recognized as an escape character.
+When used with the
+.Fl 8
+option, this provides a completely transparent connection.
+.It Fl K
+The
+.Fl K
+option turns off all Kerberos authentication.
+.It Fl L
+The
+.Fl L
+option allows the rlogin session to be run in ``litout'' (see
+.Xr tty 4 )
+mode.
+.It Fl d
+The
+.Fl d
+option turns on socket debugging (see
+.Xr setsockopt 2 )
+on the TCP sockets used for communication with the remote host.
+.It Fl e
+The
+.Fl e
+option allows user specification of the escape character, which is
+``~'' by default.
+This specification may be as a literal character, or as an octal
+value in the form \ennn.
+.It Fl k
+The
+.Fl k
+option requests rlogin to obtain tickets for the remote host
+in realm
+.Ar realm
+instead of the remote host's realm as determined by
+.Xr krb_realmofhost  3  .
+.It Fl x
+The
+.Fl x
+option turns on
+.Tn DES
+encryption for all data passed via the
+rlogin session.
+This may impact response time and
+.Tn CPU
+utilization, but provides
+increased security.
+.It Fl D
+Use the TCP nodelay option (see setsockopt(2)).
+.It Fl p portnumber
+Specifies the port number to connect to on the remote host.
+.El
+.Pp
+A line of the form ``<escape char>.'' disconnects from the remote host.
+Similarly, the line ``<escape char>^Z'' will suspend the
+.Nm rlogin
+session, and ``<escape char><delayed-suspend char>'' suspends the
+send portion of the rlogin, but allows output from the remote system.
+By default, the tilde (``~'') character is the escape character, and
+normally control-Y (``^Y'') is the delayed-suspend character.
+.Pp
+All echoing takes place at the remote site, so that (except for delays)
+the
+.Nm rlogin
+is transparent.
+Flow control via ^S/^Q and flushing of input and output on interrupts
+are handled properly.
+.Sh KERBEROS AUTHENTICATION
+Each user may have a private authorization list in the file
+.Pa .klogin
+in their home directory.
+Each line in this file should contain a Kerberos principal name of the
+form
+.Ar principal.instance@realm  .
+If the originating user is authenticated to one of the principals named
+in
+.Pa .klogin ,
+access is granted to the account.
+The principal
+.Ar accountname.@localrealm
+is granted access if
+there is no
+.Pa .klogin
+file.
+Otherwise a login and password will be prompted for on the remote machine
+as in
+.Xr login  1  .
+To avoid certain security problems, the
+.Pa .klogin
+file must be owned by
+the remote user.
+.Pp
+If Kerberos authentication fails, a warning message is printed and the
+standard Berkeley
+.Nm rlogin
+is used instead.
+.Sh ENVIRONMENT
+The following environment variable is utilized by
+.Nm rlogin :
+.Bl -tag -width TERM
+.It Ev TERM
+Determines the user's terminal type.
+.El
+.Sh SEE ALSO
+.Xr rsh 1 ,
+.Xr kerberos 3 ,
+.Xr krb_sendauth 3 ,
+.Xr krb_realmofhost 3
+.Sh HISTORY
+The
+.Nm rlogin
+command appeared in
+.Bx 4.2 .
+.Sh BUGS
+.Nm Rlogin
+will be replaced by
+.Xr telnet  1
+in the near future.
+.Pp
+More of the environment should be propagated.
diff --git a/crypto/kerberosIV/man/rlogind.8 b/crypto/kerberosIV/man/rlogind.8
new file mode 100644
index 0000000..bc99529
--- /dev/null
+++ b/crypto/kerberosIV/man/rlogind.8
@@ -0,0 +1,178 @@
+.\" Copyright (c) 1983, 1989, 1991, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     @(#)rlogind.8	8.1 (Berkeley) 6/4/93
+.\"
+.Dd August 25, 1996
+.Dt RLOGIND 8
+.Os BSD 4.2
+.Sh NAME
+.Nm rlogind
+.Nd remote login server
+.Sh SYNOPSIS
+.Nm rlogind
+.Op Fl ailnkvxD
+.Op Fl p Ar portnumber
+.Op Fl L Ar /bin/login
+.Sh DESCRIPTION
+.Nm Rlogind
+is the server for the 
+.Xr rlogin 1
+program.  The server provides a remote login facility with
+kerberos-based authentication or traditional pseudo-authentication with
+privileged port numbers from trusted hosts.
+.Pp
+Options supported by
+.Nm rlogind :
+.Bl -tag -width Ds
+.It Fl a
+No-op.  For backwards compatibility.  Hostnames are always verified.
+.It Fl l
+Prevent any authentication based on the user's
+.Dq Pa .rhosts
+file, unless the user is logging in as the superuser.
+.It Fl n
+Disable keep-alive messages.
+.It Fl k
+Enable kerberos authentication.
+.It Fl i
+Do not expect to be spawned by inetd and create a socket and listen on
+it yourself.
+.It Fl p portnumber
+Specifies the port number it should listen on in case the
+.It Fl i
+flag has been given.
+.It Fl v
+Vacuous, echo "Remote host requires Kerberos authentication" and exit.
+.It Fl x
+Provides an encrypted communications channel.  This options requires the
+.Fl k
+flag.
+.It Fl L pathname
+Specify pathname to an alternative login program.
+.It Fl D
+Use the TCP nodelay option (see setsockopt(2)).
+.El
+.Pp
+When a service request is received,
+.Nm rlogind
+verifies the kerberos ticket supplied by the user.
+.Pp
+For non-kerberised connections, the following protocol is initiated:
+.Bl -enum
+.It
+The server checks the client's source port.
+If the port is not in the range 512-1023, the server
+aborts the connection.
+.It
+The server checks the client's source address
+and requests the corresponding host name (see
+.Xr gethostbyaddr 3 ,
+.Xr hosts 5
+and
+.Xr named 8 ) .
+If the hostname cannot be determined,
+the dot-notation representation of the host address is used.
+The addresses for the hostname are requested,
+verifying that the name and address correspond.
+Normal authentication is bypassed if the address verification fails.
+.El
+.Pp
+Once the source port and address have been checked, 
+.Nm rlogind
+proceeds with the authentication process described in
+.Xr rshd 8 .
+.Pp
+It then allocates a pseudo terminal (see 
+.Xr pty 4 ) ,
+and manipulates file descriptors so that the slave
+half of the pseudo terminal becomes the 
+.Em stdin ,
+.Em stdout ,
+and
+.Em stderr
+for a login process.
+The login process is an instance of the
+.Xr login 1
+program, invoked with the
+.Fl f
+option if authentication has succeeded.
+If automatic authentication fails, the user is
+prompted to log in as if on a standard terminal line.
+.Pp
+The parent of the login process manipulates the master side of
+the pseudo terminal, operating as an intermediary
+between the login process and the client instance of the
+.Xr rlogin
+program.  In normal operation, the packet protocol described
+in
+.Xr pty 4
+is invoked to provide
+.Ql ^S/^Q
+type facilities and propagate
+interrupt signals to the remote programs.  The login process
+propagates the client terminal's baud rate and terminal type,
+as found in the environment variable,
+.Ql Ev TERM ;
+see
+.Xr environ 7 .
+The screen or window size of the terminal is requested from the client,
+and window size changes from the client are propagated to the pseudo terminal.
+.Pp
+Transport-level keepalive messages are enabled unless the
+.Fl n
+option is present.
+The use of keepalive messages allows sessions to be timed out
+if the client crashes or becomes unreachable.
+.Sh DIAGNOSTICS
+All initial diagnostic messages are indicated
+by a leading byte with a value of 1,
+after which any network connections are closed.
+If there are no errors before
+.Xr login
+is invoked, a null byte is returned as in indication of success.
+.Bl -tag -width Ds
+.It Sy Try again.
+A
+.Xr fork
+by the server failed.
+.El
+.Sh SEE ALSO
+.Xr login 1 ,
+.Xr ruserok 3 ,
+.Xr rshd 8
+.Sh BUGS
+A more extensible protocol should be used.
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.2 .
diff --git a/crypto/kerberosIV/man/rsh.1 b/crypto/kerberosIV/man/rsh.1
new file mode 100644
index 0000000..5d79faf
--- /dev/null
+++ b/crypto/kerberosIV/man/rsh.1
@@ -0,0 +1,182 @@
+.\" Copyright (c) 1983, 1990 The Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	from: @(#)rsh.1	6.10 (Berkeley) 7/24/91
+.\"	$Id: rsh.1,v 1.1.1.1 1995/10/23 11:20:27 d91-jda Exp $
+.\"
+.Dd July 24, 1991
+.Dt RSH 1
+.Os BSD 4.2
+.Sh NAME
+.Nm rsh
+.Nd remote shell
+.Sh SYNOPSIS
+.Nm rsh
+.Op Fl Kdnx
+.Op Fl k Ar realm
+.Op Fl l Ar username
+.Ar host
+.Op command
+.Sh DESCRIPTION
+.Nm Rsh
+executes
+.Ar command
+on
+.Ar host  .
+.Pp
+.Nm Rsh
+copies its standard input to the remote command, the standard
+output of the remote command to its standard output, and the
+standard error of the remote command to its standard error.
+Interrupt, quit and terminate signals are propagated to the remote
+command;
+.Nm rsh
+normally terminates when the remote command does.
+The options are as follows:
+.Bl -tag -width flag
+.It Fl K
+The
+.Fl K
+option turns off all Kerberos authentication.
+.It Fl d
+The
+.Fl d
+option turns on socket debugging (using
+.Xr setsockopt  2  )
+on the
+.Tn TCP
+sockets used for communication with the remote host.
+.It Fl k
+The
+.Fl k
+option causes
+.Nm rsh
+to obtain tickets for the remote host in
+.Ar realm
+instead of the remote host's realm as determined by
+.Xr krb_realmofhost  3  .
+.It Fl l
+By default, the remote username is the same as the local username.
+The
+.Fl l
+option allows the remote name to be specified.
+Kerberos authentication is used, and authorization is determined
+as in
+.Xr rlogin  1  .
+.It Fl n
+The
+.Fl n
+option redirects input from the special device
+.Pa /dev/null
+(see the
+.Sx BUGS
+section of this manual page).
+.It Fl x
+The
+.Fl x
+option turns on
+.Tn DES
+encryption for all data exchange.
+This may introduce a significant delay in response time.
+.El
+.Pp
+If no
+.Ar command
+is specified, you will be logged in on the remote host using
+.Xr rlogin  1  .
+.Pp
+Shell metacharacters which are not quoted are interpreted on local machine,
+while quoted metacharacters are interpreted on the remote machine.
+For example, the command
+.Pp
+.Dl rsh otherhost cat remotefile >> localfile
+.Pp
+appends the remote file
+.Ar remotefile
+to the local file
+.Ar localfile ,
+while
+.Pp
+.Dl rsh otherhost cat remotefile \&">>\&" other_remotefile
+.Pp
+appends
+.Ar remotefile
+to
+.Ar other_remotefile .
+.\" .Pp
+.\" Many sites specify a large number of host names as commands in the
+.\" directory /usr/hosts.
+.\" If this directory is included in your search path, you can use the
+.\" shorthand ``host command'' for the longer form ``rsh host command''.
+.Sh FILES
+.Bl -tag -width /etc/hosts -compact
+.It Pa /etc/hosts
+.El
+.Sh SEE ALSO
+.Xr rlogin 1 ,
+.Xr kerberos 3 ,
+.Xr krb_sendauth 3 ,
+.Xr krb_realmofhost 3
+.Sh HISTORY
+The
+.Nm rsh
+command appeared in
+.Bx 4.2 .
+.Sh BUGS
+If you are using
+.Xr csh  1
+and put a
+.Nm rsh
+in the background without redirecting its input away from the terminal,
+it will block even if no reads are posted by the remote command.
+If no input is desired you should redirect the input of
+.Nm rsh
+to
+.Pa /dev/null
+using the
+.Fl n
+option.
+.Pp
+You cannot run an interactive command
+(like
+.Xr rogue  6
+or
+.Xr vi  1  )
+using
+.Nm rsh  ;
+use
+.Xr rlogin  1
+instead.
+.Pp
+Stop signals stop the local
+.Nm rsh
+process only; this is arguably wrong, but currently hard to fix for reasons
+too complicated to explain here.
diff --git a/crypto/kerberosIV/man/rshd.8 b/crypto/kerberosIV/man/rshd.8
new file mode 100644
index 0000000..8bd661f
--- /dev/null
+++ b/crypto/kerberosIV/man/rshd.8
@@ -0,0 +1,221 @@
+.\" Copyright (c) 1983, 1989, 1991, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     @(#)rshd.8	8.1 (Berkeley) 6/4/93
+.\"
+.Dd August 25, 1996
+.Dt RSHD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm rshd
+.Nd remote shell server
+.Sh SYNOPSIS
+.Nm rshd
+.Op Fl ailnkvxLP
+.Op Fl p Ar portnumber
+.Sh DESCRIPTION
+The
+.Nm rshd
+server
+is the server for the 
+.Xr rcmd 3
+routine and, consequently, for the
+.Xr rsh 1
+program.  The server provides remote execution facilities with
+kerberos-based authentication or traditional pseudo-authentication
+with privileged port numbers from trusted hosts.
+.Pp
+The
+.Nm rshd
+server
+listens for service requests at the port indicated in
+the ``cmd'' service specification; see
+.Xr services 5 .
+When a service request is received
+.Nm rshd
+verifies the kerberos ticket supplied by the user.
+.Pp
+For non-kerberised connections, the following protocol is initiated:
+.Bl -enum
+.It
+The server checks the client's source port.
+If the port is not in the range 512-1023, the server
+aborts the connection.
+.It
+The server reads characters from the socket up
+to a null (`\e0') byte.  The resultant string is
+interpreted as an
+.Tn ASCII
+number, base 10.
+.It
+If the number received in step 2 is non-zero,
+it is interpreted as the port number of a secondary
+stream to be used for the 
+.Em stderr .
+A second connection is then created to the specified
+port on the client's machine.  The source port of this
+second connection is also in the range 512-1023.
+.It
+The server checks the client's source address
+and requests the corresponding host name (see
+.Xr gethostbyaddr 3 ,
+.Xr hosts 5
+and
+.Xr named 8 ) .
+If the hostname cannot be determined,
+the dot-notation representation of the host address is used.
+The addresses for the hostname are requested,
+verifying that the name and address correspond.
+If address verification fails, the connection is aborted
+with the message, ``Host address mismatch.''
+.It
+A null terminated user name of at most 16 characters
+is retrieved on the initial socket.  This user name
+is interpreted as the user identity on the
+.Em client Ns 's
+machine.
+.It
+A null terminated user name of at most 16 characters
+is retrieved on the initial socket.  This user name
+is interpreted as a user identity to use on the
+.Sy server Ns 's
+machine.
+.It
+A null terminated command to be passed to a
+shell is retrieved on the initial socket.  The length of
+the command is limited by the upper bound on the size of
+the system's argument list.  
+.It
+.Nm Rshd
+then validates the user using
+.Xr ruserok 3 ,
+which uses the file
+.Pa /etc/hosts.equiv
+and the
+.Pa .rhosts
+file found in the user's home directory.  The
+.Fl l
+option prevents
+.Xr ruserok 3
+from doing any validation based on the user's ``.rhosts'' file,
+unless the user is the superuser.
+.It
+If the file 
+.Pa /etc/nologin
+exists and the user is not the superuser,
+the connection is closed.
+.It
+A null byte is returned on the initial socket
+and the command line is passed to the normal login
+shell of the user.  The
+shell inherits the network connections established
+by
+.Nm rshd .
+.El
+.Pp
+Transport-level keepalive messages are enabled unless the
+.Fl n
+option is present.
+The use of keepalive messages allows sessions to be timed out
+if the client crashes or becomes unreachable.
+.Pp
+The
+.Fl L
+option causes all successful accesses to be logged to
+.Xr syslogd 8
+as
+.Li auth.info
+messages.
+.Bl -tag -width Ds
+.It Fl k
+Enable kerberos authentication.
+.It Fl i
+Do not expect to be spawned by inetd and create a socket and listen on
+it yourself.
+.It Fl p portnumber
+Specifies the port number it should listen on in case the
+.It Fl i
+flag has been given.
+.It Fl v
+Vacuous, echo "Remote host requires Kerberos authentication" and exit.
+.It Fl x
+Provides an encrypted communications channel. This option requires the
+.Fl k
+flag.
+.It Fl P
+AFS only! Doesn't put the remote proccess in a new PAG.
+.El
+.Sh DIAGNOSTICS
+Except for the last one listed below,
+all diagnostic messages
+are returned on the initial socket,
+after which any network connections are closed.
+An error is indicated by a leading byte with a value of
+1 (0 is returned in step 10 above upon successful completion
+of all the steps prior to the execution of the login shell).
+.Bl -tag -width indent
+.It Sy Locuser too long.
+The name of the user on the client's machine is
+longer than 16 characters.
+.It Sy Ruser too long.
+The name of the user on the remote machine is
+longer than 16 characters.
+.It Sy Command too long  .
+The command line passed exceeds the size of the argument
+list (as configured into the system).
+.It Sy Login incorrect.
+No password file entry for the user name existed.
+.It Sy Remote directory.
+The 
+.Xr chdir
+command to the home directory failed.
+.It Sy Permission denied.
+The authentication procedure described above failed.
+.It Sy Can't make pipe.
+The pipe needed for the 
+.Em stderr ,
+wasn't created.
+.It Sy Can't fork; try again. 
+A
+.Xr fork
+by the server failed.
+.It Sy <shellname>: ...
+The user's login shell could not be started.  This message is returned
+on the connection associated with the
+.Em stderr ,
+and is not preceded by a flag byte.
+.El
+.Sh SEE ALSO
+.Xr rsh 1 ,
+.Xr rcmd 3 ,
+.Xr ruserok 3
+.Sh BUGS
+A more extensible protocol (such as Telnet) should be used.
diff --git a/crypto/kerberosIV/man/su.1 b/crypto/kerberosIV/man/su.1
new file mode 100644
index 0000000..78d5c8d
--- /dev/null
+++ b/crypto/kerberosIV/man/su.1
@@ -0,0 +1,189 @@
+.\" Copyright (c) 1988, 1990 The Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	from: @(#)su.1	6.12 (Berkeley) 7/29/91
+.\"	$Id: su.1,v 1.3 1996/02/11 23:56:09 d91-jda Exp $
+.\"
+.Dd July 29, 1991
+.Dt SU 1
+.Os
+.Sh NAME
+.Nm su
+.Nd substitute user identity
+.Sh SYNOPSIS
+.Nm su
+.Op Fl Kflmi
+.Op Ar login Op Ar "shell arguments"
+.Sh DESCRIPTION
+.Nm Su
+requests the Kerberos password for
+.Ar login
+(or for
+.Dq Ar login Ns .root ,
+if no login is provided), and switches to
+that user and group ID after obtaining a Kerberos ticket granting ticket.
+A shell is then executed, and any additional
+.Ar "shell arguments"
+after the login name
+are passed to the shell.
+.Nm Su
+will resort to the local password file to find the password for
+.Ar login
+if there is a Kerberos error.
+If
+.Nm su
+is executed by root, no password is requested and a shell
+with the appropriate user ID is executed; no additional Kerberos tickets
+are obtained.
+.Pp
+Alternately, if the user enters the password "s/key", they will be
+authenticated using the S/Key one-time password system as described in
+.Xr skey 1 .
+S/Key is a Trademark of Bellcore.
+.Pp
+By default, the environment is unmodified with the exception of
+.Ev USER ,
+.Ev HOME ,
+and
+.Ev SHELL .
+.Ev HOME
+and
+.Ev SHELL
+are set to the target login's default values.
+.Ev USER
+is set to the target login, unless the target login has a user ID of 0,
+in which case it is unmodified.
+The invoked shell is the target login's.
+This is the traditional behavior of
+.Nm su .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl K
+Do not attempt to use Kerberos to authenticate the user.
+.It Fl f
+If the invoked shell is
+.Xr csh 1 ,
+this option prevents it from reading the
+.Dq Pa .cshrc
+file.
+.It Fl l
+Simulate a full login.
+The environment is discarded except for
+.Ev HOME ,
+.Ev SHELL ,
+.Ev PATH ,
+.Ev TERM ,
+and
+.Ev USER .
+.Ev HOME
+and
+.Ev SHELL
+are modified as above.
+.Ev USER
+is set to the target login.
+.Ev PATH
+is set to
+.Dq Pa /bin:/usr/bin .
+.Ev TERM
+is imported from your current environment.
+The invoked shell is the target login's, and
+.Nm su
+will change directory to the target login's home directory.
+.It Fl m
+Leave the environment unmodified.
+The invoked shell is your login shell, and no directory changes are made.
+As a security precaution, if the target user's shell is a non-standard
+shell (as defined by
+.Xr getusershell 3 )
+and the caller's real uid is
+non-zero,
+.Nm su
+will fail.
+.It Fl i
+If the kerberos root instance is not root any other value can be passed
+using this switch.
+.El
+.Pp
+The
+.Fl l
+and
+.Fl m
+options are mutually exclusive; the last one specified
+overrides any previous ones.
+.Pp
+Only users mentioned in
+.Dq Pa ~root/.klogin
+(or in group 0 when not doing kerberos) can
+.Nm su
+to
+.Dq root .
+.Pp
+By default (unless the prompt is reset by a startup file) the super-user
+prompt is set to
+.Dq Sy \&#
+to remind one of its awesome power.
+.Sh SEE ALSO
+.Xr csh 1 ,
+.Xr login 1 ,
+.Xr sh 1 ,
+.Xr skey 1 ,
+.Xr kinit 1 ,
+.Xr kerberos 1 ,
+.Xr passwd 5 ,
+.Xr group 5 ,
+.Xr environ 7
+.Sh ENVIRONMENT
+Environment variables used by
+.Nm su :
+.Bl -tag -width HOME
+.It Ev HOME
+Default home directory of real user ID unless modified as
+specified above.
+.It Ev PATH
+Default search path of real user ID unless modified as specified above.
+.It Ev TERM
+Provides terminal type which may be retained for the substituted
+user ID.
+.It Ev USER
+The user ID is always the effective ID (the target user ID) after an
+.Nm su
+unless the user ID is 0 (root).
+.El
+.Sh HISTORY
+A
+.Nm
+command appeared in
+.At v7 .
+The version described
+here is an adaptation of the
+.Tn MIT
+Athena Kerberos command.
diff --git a/crypto/kerberosIV/man/telnet.1 b/crypto/kerberosIV/man/telnet.1
new file mode 100644
index 0000000..962783f
--- /dev/null
+++ b/crypto/kerberosIV/man/telnet.1
@@ -0,0 +1,1373 @@
+.\" Copyright (c) 1983, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)telnet.1	8.6 (Berkeley) 6/1/94
+.\"
+.Dd June 1, 1994
+.Dt TELNET 1
+.Os BSD 4.2
+.Sh NAME
+.Nm telnet
+.Nd user interface to the 
+.Tn TELNET
+protocol
+.Sh SYNOPSIS
+.Nm telnet
+.Op Fl 78EFKLacdfrx
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl e Ar escapechar
+.Op Fl k Ar realm
+.Op Fl l Ar user
+.Op Fl n Ar tracefile
+.Oo
+.Ar host
+.Op port
+.Oc
+.Sh DESCRIPTION
+The
+.Nm telnet
+command
+is used to communicate with another host using the 
+.Tn TELNET
+protocol.
+If
+.Nm telnet
+is invoked without the
+.Ar host
+argument, it enters command mode,
+indicated by its prompt
+.Pq Nm telnet\&> .
+In this mode, it accepts and executes the commands listed below.
+If it is invoked with arguments, it performs an
+.Ic open
+command with those arguments.
+.Pp
+Options:
+.Bl -tag -width indent
+.It Fl 8
+Specifies an 8-bit data path.  This causes an attempt to
+negotiate the
+.Dv TELNET BINARY
+option on both input and output.
+.It Fl 7
+Do not try to negotiate
+.Dv TELNET BINARY
+option.
+.It Fl E
+Stops any character from being recognized as an escape character.
+.It Fl F
+If Kerberos V5 authentication is being used, the
+.Fl F
+option allows the local credentials to be forwarded
+to the remote system, including any credentials that
+have already been forwarded into the local environment.
+.It Fl K
+Specifies no automatic login to the remote system.
+.It Fl L
+Specifies an 8-bit data path on output.  This causes the
+BINARY option to be negotiated on output.
+.It Fl S Ar tos
+Sets the IP type-of-service (TOS) option for the telnet
+connection to the value
+.Ar tos ,
+which can be a numeric TOS value
+or, on systems that support it, a symbolic
+TOS name found in the /etc/iptos file.
+.It Fl X Ar atype 
+Disables the
+.Ar atype
+type of authentication.
+.It Fl a
+Attempt automatic login.
+Currently, this sends the user name via the
+.Ev USER
+variable
+of the
+.Ev ENVIRON
+option if supported by the remote system.
+The name used is that of the current user as returned by
+.Xr getlogin 2
+if it agrees with the current user ID,
+otherwise it is the name associated with the user ID.
+.It Fl c
+Disables the reading of the user's
+.Pa \&.telnetrc
+file.  (See the
+.Ic toggle skiprc
+command on this man page.)
+.It Fl d
+Sets the initial value of the
+.Ic debug
+toggle to
+.Dv TRUE
+.It Fl e Ar escape char 
+Sets the initial
+.Nm
+.Nm telnet
+escape character to
+.Ar escape char .
+If
+.Ar escape char
+is omitted, then
+there will be no escape character.
+.It Fl f
+If Kerberos V5 authentication is being used, the
+.Fl f
+option allows the local credentials to be forwarded to the remote system.
+.ne 1i
+.It Fl k Ar realm
+If Kerberos authentication is being used, the
+.Fl k
+option requests that telnet obtain tickets for the remote host in
+realm realm instead of the remote host's realm, as determined
+by
+.Xr krb_realmofhost 3 .
+.It Fl l Ar user 
+When connecting to the remote system, if the remote system
+understands the
+.Ev ENVIRON
+option, then
+.Ar user
+will be sent to the remote system as the value for the variable USER.
+This option implies the
+.Fl a
+option.
+This option may also be used with the
+.Ic open
+command.
+.It Fl n Ar tracefile 
+Opens
+.Ar tracefile
+for recording trace information.
+See the
+.Ic set tracefile
+command below.
+.It Fl r
+Specifies a user interface similar to
+.Xr rlogin 1 .
+In this
+mode, the escape character is set to the tilde (~) character,
+unless modified by the -e option.
+.It Fl x
+Turns on encryption of the data stream if possible. This is 
+currently the default and when it fails a warning is issued.
+.It Ar host
+Indicates the official name, an alias, or the Internet address
+of a remote host.
+.It Ar port
+Indicates a port number (address of an application).  If a number is
+not specified, the default
+.Nm telnet
+port is used.
+.El
+.Pp
+When in rlogin mode, a line of the form ~.  disconnects from the
+remote host; ~ is the telnet escape character.
+Similarly, the line ~^Z suspends the telnet session.
+The line ~^] escapes to the normal telnet escape prompt.
+.Pp
+Once a connection has been opened,
+.Nm telnet
+will attempt to enable the
+.Dv TELNET LINEMODE
+option.
+If this fails, then
+.Nm telnet
+will revert to one of two input modes:
+either \*(Lqcharacter at a time\*(Rq
+or \*(Lqold line by line\*(Rq
+depending on what the remote system supports.
+.Pp
+When 
+.Dv LINEMODE
+is enabled, character processing is done on the
+local system, under the control of the remote system.  When input
+editing or character echoing is to be disabled, the remote system
+will relay that information.  The remote system will also relay
+changes to any special characters that happen on the remote
+system, so that they can take effect on the local system.
+.Pp
+In \*(Lqcharacter at a time\*(Rq mode, most
+text typed is immediately sent to the remote host for processing.
+.Pp
+In \*(Lqold line by line\*(Rq mode, all text is echoed locally,
+and (normally) only completed lines are sent to the remote host.
+The \*(Lqlocal echo character\*(Rq (initially \*(Lq^E\*(Rq) may be used
+to turn off and on the local echo
+(this would mostly be used to enter passwords
+without the password being echoed).
+.Pp
+If the 
+.Dv LINEMODE
+option is enabled, or if the
+.Ic localchars
+toggle is
+.Dv TRUE
+(the default for \*(Lqold line by line\*(Lq; see below),
+the user's
+.Ic quit  ,
+.Ic intr ,
+and
+.Ic flush
+characters are trapped locally, and sent as
+.Tn TELNET
+protocol sequences to the remote side.
+If 
+.Dv LINEMODE
+has ever been enabled, then the user's
+.Ic susp
+and
+.Ic eof
+are also sent as
+.Tn TELNET
+protocol sequences,
+and
+.Ic quit
+is sent as a 
+.Dv TELNET ABORT
+instead of 
+.Dv BREAK
+There are options (see
+.Ic toggle
+.Ic autoflush
+and
+.Ic toggle
+.Ic autosynch
+below)
+which cause this action to flush subsequent output to the terminal
+(until the remote host acknowledges the
+.Tn TELNET
+sequence) and flush previous terminal input
+(in the case of
+.Ic quit
+and
+.Ic intr  ) .
+.Pp
+While connected to a remote host,
+.Nm telnet
+command mode may be entered by typing the
+.Nm telnet
+\*(Lqescape character\*(Rq (initially \*(Lq^]\*(Rq).
+When in command mode, the normal terminal editing conventions are available.
+.Pp
+The following
+.Nm telnet
+commands are available.
+Only enough of each command to uniquely identify it need be typed
+(this is also true for arguments to the
+.Ic mode  ,
+.Ic set ,
+.Ic toggle  ,
+.Ic unset ,
+.Ic slc  ,
+.Ic environ ,
+and
+.Ic display
+commands).
+.Pp
+.Bl -tag -width "mode type"
+.It Ic auth Ar argument ... 
+The auth command manipulates the information sent through the
+.Dv TELNET AUTHENTICATE
+option.  Valid arguments for the
+auth command are as follows:
+.Bl -tag -width "disable type"
+.It Ic disable Ar type
+Disables the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth disable ?\&
+command.
+.It Ic enable Ar type
+Enables the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth enable ?\&
+command.
+.It Ic status
+Lists the current status of the various types of
+authentication.
+.El
+.It Ic close
+Close a
+.Tn TELNET
+session and return to command mode.
+.It Ic display Ar argument ... 
+Displays all, or some, of the
+.Ic set
+and
+.Ic toggle
+values (see below).
+.It Ic encrypt Ar argument ...
+The encrypt command manipulates the information sent through the
+.Dv TELNET ENCRYPT
+option.
+.Pp
+Note:  Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside of the United States and Canada.
+.Pp
+Valid arguments for the encrypt command are as follows:
+.Bl -tag -width Ar
+.It Ic disable Ar type Xo
+.Op Cm input | output
+.Xc
+Disables the specified type of encryption.  If you
+omit the input and output, both input and output
+are disabled.  To obtain a list of available
+types, use the
+.Ic encrypt disable ?\&
+command.
+.It Ic enable Ar type Xo
+.Op Cm input | output
+.Xc
+Enables the specified type of encryption.  If you
+omit input and output, both input and output are
+enabled.  To obtain a list of available types, use the
+.Ic encrypt enable ?\&
+command.
+.It Ic input
+This is the same as the
+.Ic encrypt start input
+command.
+.It Ic -input
+This is the same as the
+.Ic encrypt stop input
+command.
+.It Ic output
+This is the same as the
+.Ic encrypt start output
+command.
+.It Ic -output
+This is the same as the
+.Ic encrypt stop output
+command.
+.It Ic start Op Cm input | output
+Attempts to start encryption.  If you omit
+.Ic input
+and
+.Ic output ,
+both input and output are enabled.  To
+obtain a list of available types, use the
+.Ic encrypt enable ?\&
+command.
+.It Ic status
+Lists the current status of encryption.
+.It Ic stop Op Cm input | output
+Stops encryption.  If you omit input and output,
+encryption is on both input and output.
+.It Ic type Ar type
+Sets the default type of encryption to be used
+with later
+.Ic encrypt start
+or
+.Ic encrypt stop
+commands.
+.El
+.It Ic environ Ar arguments ...
+The
+.Ic environ
+command is used to manipulate the
+the variables that my be sent through the
+.Dv TELNET ENVIRON
+option.
+The initial set of variables is taken from the users
+environment, with only the
+.Ev DISPLAY
+and
+.Ev PRINTER
+variables being exported by default.
+The
+.Ev USER
+variable is also exported if the
+.Fl a
+or
+.Fl l
+options are used.
+.br
+Valid arguments for the
+.Ic environ
+command are:
+.Bl -tag -width Fl
+.It Ic define Ar variable value 
+Define the variable
+.Ar variable
+to have a value of
+.Ar value .
+Any variables defined by this command are automatically exported.
+The
+.Ar value
+may be enclosed in single or double quotes so
+that tabs and spaces may be included.
+.It Ic undefine Ar variable 
+Remove
+.Ar variable
+from the list of environment variables.
+.It Ic export Ar variable 
+Mark the variable
+.Ar variable
+to be exported to the remote side.
+.It Ic unexport Ar variable 
+Mark the variable
+.Ar variable
+to not be exported unless
+explicitly asked for by the remote side.
+.It Ic list
+List the current set of environment variables.
+Those marked with a
+.Cm *
+will be sent automatically,
+other variables will only be sent if explicitly requested.
+.It Ic ?\&
+Prints out help information for the
+.Ic environ
+command.
+.El
+.It Ic logout
+Sends the
+.Dv TELNET LOGOUT
+option to the remote side.
+This command is similar to a
+.Ic close
+command; however, if the remote side does not support the
+.Dv LOGOUT
+option, nothing happens.
+If, however, the remote side does support the
+.Dv LOGOUT
+option, this command should cause the remote side to close the
+.Tn TELNET
+connection.
+If the remote side also supports the concept of
+suspending a user's session for later reattachment,
+the logout argument indicates that you
+should terminate the session immediately.
+.It Ic mode Ar type 
+.Ar Type
+is one of several options, depending on the state of the
+.Tn TELNET
+session.
+The remote host is asked for permission to go into the requested mode.
+If the remote host is capable of entering that mode, the requested
+mode will be entered.
+.Bl -tag -width Ar
+.It Ic character
+Disable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then enter \*(Lqcharacter at a time\*(Lq mode.
+.It Ic line
+Enable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then attempt to enter \*(Lqold-line-by-line\*(Lq mode.
+.It Ic isig Pq Ic \-isig 
+Attempt to enable (disable) the 
+.Dv TRAPSIG
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic edit Pq Ic \-edit 
+Attempt to enable (disable) the 
+.Dv EDIT
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic softtabs Pq Ic \-softtabs 
+Attempt to enable (disable) the 
+.Dv SOFT_TAB
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.ne 1i
+.It Ic litecho Pq Ic \-litecho 
+Attempt to enable (disable) the 
+.Dv LIT_ECHO
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic ?\&
+Prints out help information for the
+.Ic mode
+command.
+.El
+.It Xo
+.Ic open Ar host
+.Op Fl l Ar user
+.Op Oo Fl Oc Ns Ar port
+.Xc
+Open a connection to the named host.
+If no port number
+is specified,
+.Nm telnet
+will attempt to contact a
+.Tn TELNET
+server at the default port.
+The host specification may be either a host name (see
+.Xr hosts  5  )
+or an Internet address specified in the \*(Lqdot notation\*(Rq (see
+.Xr inet 3 ) .
+The
+.Op Fl l
+option may be used to specify the user name
+to be passed to the remote system via the
+.Ev ENVIRON
+option.
+When connecting to a non-standard port,
+.Nm telnet
+omits any automatic initiation of
+.Tn TELNET
+options.  When the port number is preceded by a minus sign,
+the initial option negotiation is done.
+After establishing a connection, the file
+.Pa \&.telnetrc
+in the
+users home directory is opened.  Lines beginning with a # are
+comment lines.  Blank lines are ignored.  Lines that begin
+without white space are the start of a machine entry.  The
+first thing on the line is the name of the machine that is
+being connected to.  The rest of the line, and successive
+lines that begin with white space are assumed to be
+.Nm telnet
+commands and are processed as if they had been typed
+in manually to the
+.Nm telnet
+command prompt.
+.It Ic quit
+Close any open
+.Tn TELNET
+session and exit
+.Nm telnet  .
+An end of file (in command mode) will also close a session and exit.
+.It Ic send Ar arguments 
+Sends one or more special character sequences to the remote host.
+The following are the arguments which may be specified
+(more than one argument may be specified at a time):
+.Pp
+.Bl -tag -width escape
+.It Ic abort
+Sends the
+.Dv TELNET ABORT
+(Abort
+processes)
+sequence.
+.It Ic ao
+Sends the
+.Dv TELNET AO
+(Abort Output) sequence, which should cause the remote system to flush
+all output
+.Em from
+the remote system
+.Em to
+the user's terminal.
+.It Ic ayt
+Sends the
+.Dv TELNET AYT
+(Are You There)
+sequence, to which the remote system may or may not choose to respond.
+.It Ic brk
+Sends the
+.Dv TELNET BRK
+(Break) sequence, which may have significance to the remote
+system.
+.It Ic ec
+Sends the
+.Dv TELNET EC
+(Erase Character)
+sequence, which should cause the remote system to erase the last character
+entered.
+.It Ic el
+Sends the
+.Dv TELNET EL
+(Erase Line)
+sequence, which should cause the remote system to erase the line currently
+being entered.
+.It Ic eof
+Sends the
+.Dv TELNET EOF
+(End Of File)
+sequence.
+.It Ic eor
+Sends the
+.Dv TELNET EOR
+(End of Record)
+sequence.
+.It Ic escape
+Sends the current
+.Nm telnet
+escape character (initially \*(Lq^\*(Rq).
+.It Ic ga
+Sends the
+.Dv TELNET GA
+(Go Ahead)
+sequence, which likely has no significance to the remote system.
+.It Ic getstatus
+If the remote side supports the
+.Dv TELNET STATUS
+command,
+.Ic getstatus
+will send the subnegotiation to request that the server send
+its current option status.
+.ne 1i
+.It Ic ip
+Sends the
+.Dv TELNET IP
+(Interrupt Process) sequence, which should cause the remote
+system to abort the currently running process.
+.It Ic nop
+Sends the
+.Dv TELNET NOP
+(No OPeration)
+sequence.
+.It Ic susp
+Sends the
+.Dv TELNET SUSP
+(SUSPend process)
+sequence.
+.It Ic synch
+Sends the
+.Dv TELNET SYNCH
+sequence.
+This sequence causes the remote system to discard all previously typed
+(but not yet read) input.
+This sequence is sent as
+.Tn TCP
+urgent
+data (and may not work if the remote system is a
+.Bx 4.2
+system -- if
+it doesn't work, a lower case \*(Lqr\*(Rq may be echoed on the terminal).
+.It Ic do Ar cmd
+.It Ic dont Ar cmd
+.It Ic will Ar cmd
+.It Ic wont Ar cmd
+Sends the
+.Dv TELNET DO
+.Ar cmd
+sequence.
+.Ar Cmd
+can be either a decimal number between 0 and 255,
+or a symbolic name for a specific
+.Dv TELNET
+command.
+.Ar Cmd
+can also be either
+.Ic help
+or
+.Ic ?\&
+to print out help information, including
+a list of known symbolic names.
+.It Ic ?\&
+Prints out help information for the
+.Ic send
+command.
+.El
+.It Ic set Ar argument value 
+.It Ic unset Ar argument value 
+The
+.Ic set
+command will set any one of a number of
+.Nm telnet
+variables to a specific value or to
+.Dv TRUE .
+The special value
+.Ic off
+turns off the function associated with
+the variable, this is equivalent to using the
+.Ic unset
+command.
+The
+.Ic unset
+command will disable or set to
+.Dv FALSE
+any of the specified functions.
+The values of variables may be interrogated with the
+.Ic display
+command.
+The variables which may be set or unset, but not toggled, are
+listed here.  In addition, any of the variables for the
+.Ic toggle
+command may be explicitly set or unset using
+the
+.Ic set
+and
+.Ic unset
+commands.
+.Bl -tag -width escape
+.It Ic ayt
+If
+.Tn TELNET
+is in localchars mode, or
+.Dv LINEMODE
+is enabled, and the status character is typed, a
+.Dv TELNET AYT
+sequence (see
+.Ic send ayt
+preceding) is sent to the
+remote host.  The initial value for the "Are You There"
+character is the terminal's status character.
+.It Ic echo
+This is the value (initially \*(Lq^E\*(Rq) which, when in
+\*(Lqline by line\*(Rq mode, toggles between doing local echoing
+of entered characters (for normal processing), and suppressing
+echoing of entered characters (for entering, say, a password).
+.It Ic eof
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, entering this character
+as the first character on a line will cause this character to be
+sent to the remote system.
+The initial value of the eof character is taken to be the terminal's
+.Ic eof
+character.
+.It Ic erase
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Sy and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EC
+sequence (see
+.Ic send
+.Ic ec
+above)
+is sent to the remote system.
+The initial value for the erase character is taken to be
+the terminal's
+.Ic erase
+character.
+.It Ic escape
+This is the
+.Nm telnet
+escape character (initially \*(Lq^[\*(Rq) which causes entry
+into
+.Nm telnet
+command mode (when connected to a remote system).
+.It Ic flushoutput
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic flushoutput
+character is typed, a
+.Dv TELNET AO
+sequence (see
+.Ic send
+.Ic ao
+above)
+is sent to the remote host.
+The initial value for the flush character is taken to be
+the terminal's
+.Ic flush
+character.
+.It Ic forw1
+.It Ic forw2
+If
+.Tn TELNET
+is operating in
+.Dv LINEMODE ,
+these are the
+characters that, when typed, cause partial lines to be
+forwarded to the remote system.  The initial value for
+the forwarding characters are taken from the terminal's
+eol and eol2 characters.
+.It Ic interrupt
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic interrupt
+character is typed, a
+.Dv TELNET IP
+sequence (see
+.Ic send
+.Ic ip
+above)
+is sent to the remote host.
+The initial value for the interrupt character is taken to be
+the terminal's
+.Ic intr
+character.
+.It Ic kill
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Ic and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EL
+sequence (see
+.Ic send
+.Ic el
+above)
+is sent to the remote system.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic kill
+character.
+.It Ic lnext
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic lnext
+character.
+The initial value for the lnext character is taken to be
+the terminal's
+.Ic lnext
+character.
+.It Ic quit
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic quit
+character is typed, a
+.Dv TELNET BRK
+sequence (see
+.Ic send
+.Ic brk
+above)
+is sent to the remote host.
+The initial value for the quit character is taken to be
+the terminal's
+.Ic quit
+character.
+.It Ic reprint
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic reprint
+character.
+The initial value for the reprint character is taken to be
+the terminal's
+.Ic reprint
+character.
+.It Ic rlogin
+This is the rlogin escape character.
+If set, the normal
+.Tn TELNET
+escape character is ignored unless it is
+preceded by this character at the beginning of a line.
+This character, at the beginning of a line followed by
+a "."  closes the connection; when followed by a ^Z it
+suspends the telnet command.  The initial state is to
+disable the rlogin escape character.
+.It Ic start
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic start
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic start
+character.
+.It Ic stop
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic stop
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic stop
+character.
+.It Ic susp
+If
+.Nm telnet
+is in
+.Ic localchars
+mode, or
+.Dv LINEMODE
+is enabled, and the
+.Ic suspend
+character is typed, a
+.Dv TELNET SUSP
+sequence (see
+.Ic send
+.Ic susp
+above)
+is sent to the remote host.
+The initial value for the suspend character is taken to be
+the terminal's
+.Ic suspend
+character.
+.ne 1i
+.It Ic tracefile
+This is the file to which the output, caused by
+.Ic netdata
+or
+.Ic option
+tracing being
+.Dv TRUE ,
+will be written.  If it is set to
+.Dq Fl ,
+then tracing information will be written to standard output (the default).
+.It Ic worderase
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic worderase
+character.
+The initial value for the worderase character is taken to be
+the terminal's
+.Ic worderase
+character.
+.It Ic ?\&
+Displays the legal
+.Ic set
+.Pq Ic unset
+commands.
+.El
+.It Ic slc Ar state 
+The
+.Ic slc
+command (Set Local Characters) is used to set
+or change the state of the the special
+characters when the 
+.Dv TELNET LINEMODE
+option has
+been enabled.  Special characters are characters that get
+mapped to 
+.Tn TELNET
+commands sequences (like
+.Ic ip
+or
+.Ic quit  )
+or line editing characters (like
+.Ic erase
+and
+.Ic kill  ) .
+By default, the local special characters are exported.
+.Bl -tag -width Fl
+.It Ic check
+Verify the current settings for the current special characters.
+The remote side is requested to send all the current special
+character settings, and if there are any discrepancies with
+the local side, the local side will switch to the remote value.
+.It Ic export
+Switch to the local defaults for the special characters.  The
+local default characters are those of the local terminal at
+the time when
+.Nm telnet
+was started.
+.It Ic import
+Switch to the remote defaults for the special characters.
+The remote default characters are those of the remote system
+at the time when the 
+.Tn TELNET
+connection was established.
+.It Ic ?\&
+Prints out help information for the
+.Ic slc
+command.
+.El
+.It Ic status
+Show the current status of
+.Nm telnet  .
+This includes the peer one is connected to, as well
+as the current mode.
+.It Ic toggle Ar arguments ... 
+Toggle (between
+.Dv TRUE
+and
+.Dv FALSE )
+various flags that control how
+.Nm telnet
+responds to events.
+These flags may be set explicitly to
+.Dv TRUE
+or
+.Dv FALSE
+using the
+.Ic set
+and
+.Ic unset
+commands listed above.
+More than one argument may be specified.
+The state of these flags may be interrogated with the
+.Ic display
+command.
+Valid arguments are:
+.Bl -tag -width Ar
+.It Ic authdebug
+Turns on debugging information for the authentication code.
+.It Ic autoflush
+If
+.Ic autoflush
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when the
+.Ic ao  ,
+or
+.Ic quit
+characters are recognized (and transformed into
+.Tn TELNET
+sequences; see
+.Ic set
+above for details),
+.Nm telnet
+refuses to display any data on the user's terminal
+until the remote system acknowledges (via a
+.Dv TELNET TIMING MARK
+option)
+that it has processed those
+.Tn TELNET
+sequences.
+The initial value for this toggle is
+.Dv TRUE
+if the terminal user had not
+done an "stty noflsh", otherwise
+.Dv FALSE
+(see
+.Xr stty  1  ) .
+.It Ic autodecrypt
+When the
+.Dv TELNET ENCRYPT
+option is negotiated, by
+default the actual encryption (decryption) of the data
+stream does not start automatically.  The autoencrypt
+(autodecrypt) command states that encryption of the
+output (input) stream should be enabled as soon as
+possible.
+.sp
+.Pp
+Note:  Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside the United States and Canada.
+.It Ic autologin
+If the remote side supports the
+.Dv TELNET AUTHENTICATION
+option
+.Tn TELNET
+attempts to use it to perform automatic authentication.  If the
+.Dv AUTHENTICATION
+option is not supported, the user's login
+name are propagated through the
+.Dv TELNET ENVIRON
+option.
+This command is the same as specifying
+.Ar a
+option on the
+.Ic open
+command.
+.It Ic autosynch
+If
+.Ic autosynch
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when either the
+.Ic intr
+or
+.Ic quit
+characters is typed (see
+.Ic set
+above for descriptions of the
+.Ic intr
+and
+.Ic quit
+characters), the resulting
+.Tn TELNET
+sequence sent is followed by the
+.Dv TELNET SYNCH
+sequence.
+This procedure
+.Ic should
+cause the remote system to begin throwing away all previously
+typed input until both of the
+.Tn TELNET
+sequences have been read and acted upon.
+The initial value of this toggle is
+.Dv FALSE .
+.It Ic binary
+Enable or disable the
+.Dv TELNET BINARY
+option on both input and output.
+.It Ic inbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on input.
+.It Ic outbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on output.
+.It Ic crlf
+If this is
+.Dv TRUE ,
+then carriage returns will be sent as
+.Li <CR><LF> .
+If this is
+.Dv FALSE ,
+then carriage returns will be send as
+.Li <CR><NUL> .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic crmod
+Toggle carriage return mode.
+When this mode is enabled, most carriage return characters received from
+the remote host will be mapped into a carriage return followed by
+a line feed.
+This mode does not affect those characters typed by the user, only
+those received from the remote host.
+This mode is not very useful unless the remote host
+only sends carriage return, but never line feed.
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic debug
+Toggles socket level debugging (useful only to the
+.Ic super user  ) .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic encdebug
+Turns on debugging information for the encryption code.
+.It Ic localchars
+If this is
+.Dv TRUE ,
+then the
+.Ic flush  ,
+.Ic interrupt ,
+.Ic quit  ,
+.Ic erase ,
+and
+.Ic kill
+characters (see
+.Ic set
+above) are recognized locally, and transformed into (hopefully) appropriate
+.Tn TELNET
+control sequences
+(respectively
+.Ic ao  ,
+.Ic ip ,
+.Ic brk  ,
+.Ic ec ,
+and
+.Ic el  ;
+see
+.Ic send
+above).
+The initial value for this toggle is
+.Dv TRUE
+in \*(Lqold line by line\*(Rq mode,
+and
+.Dv FALSE
+in \*(Lqcharacter at a time\*(Rq mode.
+When the
+.Dv LINEMODE
+option is enabled, the value of
+.Ic localchars
+is ignored, and assumed to always be
+.Dv TRUE .
+If
+.Dv LINEMODE
+has ever been enabled, then
+.Ic quit
+is sent as
+.Ic abort  ,
+and
+.Ic eof
+and
+.Ic suspend
+are sent as
+.Ic eof
+and
+.Ic susp ,
+see
+.Ic send
+above).
+.It Ic netdata
+Toggles the display of all network data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic options
+Toggles the display of some internal
+.Nm telnet
+protocol processing (having to do with
+.Tn TELNET
+options).
+The initial value for this toggle is
+.Dv FALSE .
+.ne 1i
+.It Ic prettydump
+When the
+.Ic netdata
+toggle is enabled, if
+.Ic prettydump
+is enabled the output from the
+.Ic netdata
+command will be formatted in a more user readable format.
+Spaces are put between each character in the output, and the
+beginning of any
+.Tn TELNET
+escape sequence is preceded by a '*' to aid in locating them.
+.It Ic skiprc
+When the skiprc toggle is
+.Dv TRUE ,
+.Tn TELNET
+skips the reading of the
+.Pa \&.telnetrc
+file in the users home
+directory when connections are opened.  The initial
+value for this toggle is
+.Dv FALSE .
+.It Ic termdata
+Toggles the display of all terminal data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic verbose_encrypt
+When the
+.Ic verbose_encrypt
+toggle is
+.Dv TRUE ,
+.Tn TELNET
+prints out a message each time encryption is enabled or
+disabled.  The initial value for this toggle is
+.Dv FALSE .
+Note:  Because of export controls, data encryption
+is not supported outside of the United States and Canada.
+.It Ic \&?
+Displays the legal
+.Ic toggle
+commands.
+.El
+.It Ic z
+Suspend
+.Nm telnet  .
+This command only works when the user is using the
+.Xr csh  1  .
+.It Ic \&! Op Ar command 
+Execute a single command in a subshell on the local
+system.  If
+.Ic command
+is omitted, then an interactive
+subshell is invoked.
+.It Ic ?\& Op Ar command 
+Get help.  With no arguments,
+.Nm telnet
+prints a help summary.
+If a command is specified,
+.Nm telnet
+will print the help information for just that command.
+.El
+.Sh ENVIRONMENT
+.Nm Telnet
+uses at least the
+.Ev HOME ,
+.Ev SHELL ,
+.Ev DISPLAY ,
+and
+.Ev TERM
+environment variables.
+Other environment variables may be propagated
+to the other side via the
+.Dv TELNET ENVIRON
+option.
+.Sh FILES
+.Bl -tag -width ~/.telnetrc -compact
+.It Pa ~/.telnetrc
+user customized telnet startup values
+.El
+.Sh HISTORY
+The
+.Nm Telnet
+command appeared in
+.Bx 4.2 .
+.Sh NOTES
+.Pp
+On some remote systems, echo has to be turned off manually when in
+\*(Lqold line by line\*(Rq mode.
+.Pp
+In \*(Lqold line by line\*(Rq mode or 
+.Dv LINEMODE
+the terminal's
+.Ic eof
+character is only recognized (and sent to the remote system)
+when it is the first character on a line.
diff --git a/crypto/kerberosIV/man/telnetd.8 b/crypto/kerberosIV/man/telnetd.8
new file mode 100644
index 0000000..6609a48
--- /dev/null
+++ b/crypto/kerberosIV/man/telnetd.8
@@ -0,0 +1,531 @@
+.\" Copyright (c) 1983, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)telnetd.8	8.4 (Berkeley) 6/1/94
+.\"
+.Dd June 1, 1994
+.Dt TELNETD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm telnetd
+.Nd DARPA
+.Tn TELNET
+protocol server
+.Sh SYNOPSIS
+.Nm telnetd
+.Op Fl BUhkln
+.Op Fl D Ar debugmode
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl a Ar authmode
+.Op Fl r Ns Ar lowpty-highpty
+.Op Fl u Ar len
+.Op Fl debug
+.Op Fl L Ar /bin/login
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm telnetd
+command is a server which supports the
+.Tn DARPA
+standard
+.Tn TELNET
+virtual terminal protocol.
+.Nm Telnetd
+is normally invoked by the internet server (see
+.Xr inetd 8 )
+for requests to connect to the
+.Tn TELNET
+port as indicated by the
+.Pa /etc/services
+file (see
+.Xr services 5 ) .
+The
+.Fl debug
+option may be used to start up
+.Nm telnetd
+manually, instead of through
+.Xr inetd 8 .
+If started up this way, 
+.Ar port
+may be specified to run
+.Nm telnetd
+on an alternate
+.Tn TCP
+port number.
+.Pp
+The
+.Nm telnetd
+command accepts the following options:
+.Bl -tag -width "-a authmode"
+.It Fl a Ar authmode
+This option may be used for specifying what mode should
+be used for authentication.
+Note that this option is only useful if
+.Nm telnetd
+has been compiled with support for the
+.Dv AUTHENTICATION
+option.
+There are several valid values for
+.Ar authmode :
+.Bl -tag -width debug
+.It debug
+Turns on authentication debugging code.
+.It user
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user,
+and is allowed access to the specified account
+without providing a password.
+.It valid
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user.
+The
+.Xr login 1
+command will provide any additional user verification
+needed if the remote user is not allowed automatic
+access to the specified account.
+.It other
+Only allow connections that supply some authentication information.
+This option is currently not supported
+by any of the existing authentication mechanisms,
+and is thus the same as specifying
+.Fl a
+.Cm valid .
+.It otp
+Only allow authenticated connections (as with
+.Fl a
+.Cm user )
+and also logins with one-time passwords (OTPs).  This option will call
+login with an option so that only OTPs are accepted.  The user can of
+course still type secret information at the prompt.
+.It none
+This is the default state.
+Authentication information is not required.
+If no or insufficient authentication information
+is provided, then the
+.Xr login 1
+program will provide the necessary user
+verification.
+.It off
+This disables the authentication code.
+All user verification will happen through the
+.Xr login 1
+program.
+.El
+.It Fl B
+Ignored.
+.It Fl D Ar debugmode
+This option may be used for debugging purposes.
+This allows
+.Nm telnetd
+to print out debugging information
+to the connection, allowing the user to see what
+.Nm telnetd
+is doing.
+There are several possible values for 
+.Ar debugmode :
+.Bl -tag -width exercise
+.It Cm options
+Prints information about the negotiation of
+.Tn TELNET
+options.
+.It Cm report
+Prints the 
+.Cm options
+information, plus some additional information
+about what processing is going on.
+.It Cm netdata
+Displays the data stream received by
+.Nm telnetd .
+.It Cm ptydata
+Displays data written to the pty.
+.It Cm exercise
+Has not been implemented yet.
+.El
+.It Fl h
+Disables the printing of host-specific information before
+login has been completed.
+.It Fl k
+.It Fl l
+Ignored.
+.It Fl n
+Disable
+.Dv TCP
+keep-alives.  Normally
+.Nm telnetd
+enables the
+.Tn TCP
+keep-alive mechanism to probe connections that
+have been idle for some period of time to determine
+if the client is still there, so that idle connections
+from machines that have crashed or can no longer
+be reached may be cleaned up.
+.It Fl r Ar lowpty-highpty
+This option is only enabled when
+.Nm telnetd
+is compiled for
+.Dv UNICOS .
+It specifies an inclusive range of pseudo-terminal devices to
+use.  If the system has sysconf variable
+.Dv _SC_CRAY_NPTY
+configured, the default pty search range is 0 to
+.Dv _SC_CRAY_NPTY ;
+otherwise, the default range is 0 to 128.  Either
+.Ar lowpty
+or
+.Ar highpty
+may be omitted to allow changing
+either end of the search range.  If
+.Ar lowpty
+is omitted, the - character is still required so that
+.Nm telnetd
+can differentiate
+.Ar highpty
+from
+.Ar lowpty .
+.It Fl S Ar tos
+.It Fl u Ar len
+This option is used to specify the size of the field
+in the
+.Dv utmp
+structure that holds the remote host name.
+If the resolved host name is longer than
+.Ar len ,
+the dotted decimal value will be used instead.
+This allows hosts with very long host names that
+overflow this field to still be uniquely identified.
+Specifying
+.Fl u0
+indicates that only dotted decimal addresses
+should be put into the
+.Pa utmp
+file.
+.ne 1i
+.It Fl U
+This option causes
+.Nm telnetd
+to refuse connections from addresses that
+cannot be mapped back into a symbolic name
+via the
+.Xr gethostbyaddr 3
+routine.
+.It Fl X Ar authtype
+This option is only valid if
+.Nm telnetd
+has been built with support for the authentication option.
+It disables the use of
+.Ar authtype
+authentication, and
+can be used to temporarily disable
+a specific authentication type without having to recompile
+.Nm telnetd .
+.It Fl L pathname
+Specify pathname to an alternative login program.
+.El
+.Pp
+.Nm Telnetd
+operates by allocating a pseudo-terminal device (see
+.Xr pty 4 )
+for a client, then creating a login process which has
+the slave side of the pseudo-terminal as 
+.Dv stdin ,
+.Dv stdout
+and
+.Dv stderr .
+.Nm Telnetd
+manipulates the master side of the pseudo-terminal,
+implementing the
+.Tn TELNET
+protocol and passing characters
+between the remote client and the login process.
+.Pp
+When a
+.Tn TELNET
+session is started up, 
+.Nm telnetd
+sends
+.Tn TELNET
+options to the client side indicating
+a willingness to do the
+following
+.Tn TELNET
+options, which are described in more detail below:
+.Bd -literal -offset indent
+DO AUTHENTICATION
+WILL ENCRYPT
+DO TERMINAL TYPE
+DO TSPEED
+DO XDISPLOC
+DO NEW-ENVIRON
+DO ENVIRON
+WILL SUPPRESS GO AHEAD
+DO ECHO
+DO LINEMODE
+DO NAWS
+WILL STATUS
+DO LFLOW
+DO TIMING-MARK
+.Ed
+.Pp
+The pseudo-terminal allocated to the client is configured
+to operate in
+.Dq cooked
+mode, and with
+.Dv XTABS and
+.Dv CRMOD
+enabled (see
+.Xr tty 4 ) .
+.Pp
+.Nm Telnetd
+has support for enabling locally the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "WILL ECHO"
+When the
+.Dv LINEMODE
+option is enabled, a
+.Dv WILL ECHO
+or
+.Dv WONT ECHO
+will be sent to the client to indicate the
+current state of terminal echoing.
+When terminal echo is not desired, a
+.Dv WILL ECHO
+is sent to indicate that
+.Tn telnetd
+will take care of echoing any data that needs to be
+echoed to the terminal, and then nothing is echoed.
+When terminal echo is desired, a
+.Dv WONT ECHO
+is sent to indicate that
+.Tn telnetd
+will not be doing any terminal echoing, so the
+client should do any terminal echoing that is needed.
+.It "WILL BINARY"
+Indicates that the client is willing to send a
+8 bits of data, rather than the normal 7 bits
+of the Network Virtual Terminal.
+.It "WILL SGA"
+Indicates that it will not be sending
+.Dv IAC GA ,
+go ahead, commands.
+.It "WILL STATUS"
+Indicates a willingness to send the client, upon
+request, of the current status of all
+.Tn TELNET
+options.
+.It "WILL TIMING-MARK"
+Whenever a
+.Dv DO TIMING-MARK
+command is received, it is always responded
+to with a
+.Dv WILL TIMING-MARK
+.ne 1i
+.It "WILL LOGOUT"
+When a
+.Dv DO LOGOUT
+is received, a
+.Dv WILL LOGOUT
+is sent in response, and the
+.Tn TELNET
+session is shut down.
+.It "WILL ENCRYPT"
+Only sent if
+.Nm telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Pp
+.Nm Telnetd
+has support for enabling remotely the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "DO BINARY"
+Sent to indicate that
+.Tn telnetd
+is willing to receive an 8 bit data stream.
+.It "DO LFLOW"
+Requests that the client handle flow control
+characters remotely.
+.It "DO ECHO"
+This is not really supported, but is sent to identify a 4.2BSD
+.Xr telnet 1
+client, which will improperly respond with
+.Dv WILL ECHO .
+If a
+.Dv WILL ECHO
+is received, a
+.Dv DONT ECHO
+will be sent in response.
+.It "DO TERMINAL-TYPE"
+Indicates a desire to be able to request the
+name of the type of terminal that is attached
+to the client side of the connection.
+.It "DO SGA"
+Indicates that it does not need to receive
+.Dv IAC GA ,
+the go ahead command.
+.It "DO NAWS"
+Requests that the client inform the server when
+the window (display) size changes.
+.It "DO TERMINAL-SPEED"
+Indicates a desire to be able to request information
+about the speed of the serial line to which
+the client is attached.
+.It "DO XDISPLOC"
+Indicates a desire to be able to request the name
+of the X windows display that is associated with
+the telnet client.
+.It "DO NEW-ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1572.
+.It "DO ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1408.
+.It "DO LINEMODE"
+Only sent if
+.Nm telnetd
+is compiled with support for linemode, and
+requests that the client do line by line processing.
+.It "DO TIMING-MARK"
+Only sent if
+.Nm telnetd
+is compiled with support for both linemode and
+kludge linemode, and the client responded with
+.Dv WONT LINEMODE .
+If the client responds with
+.Dv WILL TM ,
+the it is assumed that the client supports
+kludge linemode.
+Note that the
+.Op Fl k
+option can be used to disable this.
+.It "DO AUTHENTICATION"
+Only sent if
+.Nm telnetd
+is compiled with support for authentication, and
+indicates a willingness to receive authentication
+information for automatic login.
+.It "DO ENCRYPT"
+Only sent if
+.Nm telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Sh ENVIRONMENT
+.Sh FILES
+.Pa /etc/services
+.br
+.Pa /etc/inittab
+(UNICOS systems only)
+.br
+.Pa /etc/iptos
+(if supported)
+.br
+.Sh "SEE ALSO"
+.Xr telnet 1 ,
+.Xr login 1
+.Sh STANDARDS
+.Bl -tag -compact -width RFC-1572
+.It Cm RFC-854
+.Tn TELNET
+PROTOCOL SPECIFICATION
+.It Cm RFC-855
+TELNET OPTION SPECIFICATIONS
+.It Cm RFC-856
+TELNET BINARY TRANSMISSION
+.It Cm RFC-857
+TELNET ECHO OPTION
+.It Cm RFC-858
+TELNET SUPPRESS GO AHEAD OPTION
+.It Cm RFC-859
+TELNET STATUS OPTION
+.It Cm RFC-860
+TELNET TIMING MARK OPTION
+.It Cm RFC-861
+TELNET EXTENDED OPTIONS - LIST OPTION
+.It Cm RFC-885
+TELNET END OF RECORD OPTION
+.It Cm RFC-1073
+Telnet Window Size Option
+.It Cm RFC-1079
+Telnet Terminal Speed Option
+.It Cm RFC-1091
+Telnet Terminal-Type Option
+.It Cm RFC-1096
+Telnet X Display Location Option
+.It Cm RFC-1123
+Requirements for Internet Hosts -- Application and Support
+.It Cm RFC-1184
+Telnet Linemode Option
+.It Cm RFC-1372
+Telnet Remote Flow Control Option
+.It Cm RFC-1416
+Telnet Authentication Option
+.It Cm RFC-1411
+Telnet Authentication: Kerberos Version 4
+.It Cm RFC-1412
+Telnet Authentication: SPX
+.It Cm RFC-1571
+Telnet Environment Option Interoperability Issues
+.It Cm RFC-1572
+Telnet Environment Option
+.El
+.Sh BUGS
+Some
+.Tn TELNET
+commands are only partially implemented.
+.Pp
+Because of bugs in the original 4.2 BSD
+.Xr telnet 1 ,
+.Nm telnetd
+performs some dubious protocol exchanges to try to discover if the remote
+client is, in fact, a 4.2 BSD
+.Xr telnet 1 .
+.Pp
+Binary mode
+has no common interpretation except between similar operating systems
+(Unix in this case).
+.Pp
+The terminal type name received from the remote client is converted to
+lower case.
+.Pp
+.Nm Telnetd
+never sends
+.Tn TELNET
+.Dv IAC GA
+(go ahead) commands.
diff --git a/crypto/kerberosIV/man/tf_util.3 b/crypto/kerberosIV/man/tf_util.3
new file mode 100644
index 0000000..3f98321
--- /dev/null
+++ b/crypto/kerberosIV/man/tf_util.3
@@ -0,0 +1,150 @@
+.\" $Id: tf_util.3,v 1.2 1996/06/12 21:29:29 bg Exp $
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <mit-copyright.h>.
+.\"
+.TH TF_UTIL 3 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+tf_init, tf_get_pname, tf_get_pinst, tf_get_cred, tf_close \
+\- Routines for manipulating a Kerberos ticket file
+.SH SYNOPSIS
+.nf
+.nj
+.ft B
+#include <krb.h>
+.PP
+.ft B
+extern char *krb_err_txt[];
+.PP
+.ft B
+tf_init(tf_name, rw)
+char *tf_name;
+int rw;
+.PP
+.ft B
+tf_get_pname(pname)
+char *pname;
+.PP
+.ft B
+tf_get_pinst(pinst)
+char *pinst;
+.PP
+.ft B
+tf_get_cred(c)
+CREDENTIALS *c;
+.PP
+.ft B
+tf_close()
+.PP
+.fi
+.SH DESCRIPTION
+This group of routines are provided to manipulate the Kerberos tickets
+file.  A ticket file has the following format:
+.nf
+.in +4
+.sp
+principal's name          (null-terminated string)
+principal's instance      (null-terminated string)
+CREDENTIAL_1
+CREDENTIAL_2
+  ...
+CREDENTIAL_n
+EOF
+.sp
+.in -4
+.LP
+Where "CREDENTIAL_x" consists of the following fixed-length
+fields from the CREDENTIALS structure (defined in <krb.h>):
+.nf
+.sp
+.in +4
+	char		service[ANAME_SZ]
+	char		instance[INST_SZ]
+	char		realm[REALM_SZ]
+	des_cblock	session
+	int		lifetime
+	int		kvno
+	KTEXT_ST	ticket_st
+	long		issue_date
+.in -4
+.sp
+.fi
+.PP
+.I tf_init
+must be called before the other ticket file
+routines.
+It takes the name of the ticket file to use,
+and a read/write flag as arguments.
+It tries to open the ticket file, checks the mode and if
+everything is okay, locks the file.  If it's opened for
+reading, the lock is shared.  If it's opened for writing,
+the lock is exclusive.
+KSUCCESS is returned if all went well, otherwise one of the
+following:
+.nf
+.sp
+NO_TKT_FIL	- file wasn't there
+TKT_FIL_ACC	- file was in wrong mode, etc.
+TKT_FIL_LCK	- couldn't lock the file, even after a retry
+.sp
+.fi
+.PP
+The
+.I tf_get_pname
+reads the principal's name from a ticket file.
+It should only be called after tf_init has been called.  The
+principal's name is filled into the 
+.I pname
+parameter.  If all goes
+well, KSUCCESS is returned.
+If tf_init wasn't called, TKT_FIL_INI
+is returned.
+If the principal's name was null, or EOF was encountered, or the
+name was longer than ANAME_SZ, TKT_FIL_FMT is returned.
+.PP
+The
+.I tf_get_pinst
+reads the principal's instance from a ticket file.
+It should only be called after tf_init and tf_get_pname
+have been called.
+The principal's instance is filled into the 
+.I pinst
+parameter.
+If all goes
+well, KSUCCESS is returned.
+If tf_init wasn't called, TKT_FIL_INI
+is returned.
+If EOF was encountered, or the
+name was longer than INST_SZ, TKT_FIL_FMT is returned.
+Note that, unlike the principal name, the instance name may be null.
+.PP
+The
+.I tf_get_cred
+routine reads a CREDENTIALS record from a ticket file and
+fills in the given structure.
+It should only be called after
+tf_init, tf_get_pname, and tf_get_pinst have been called.
+If all goes well, KSUCCESS is returned.  Possible error codes
+are:
+.nf
+.sp
+TKT_FIL_INI	- tf_init wasn't called first
+TKT_FIL_FMT	- bad format
+EOF		- end of file encountered
+.sp
+.fi
+.PP
+.I tf_close
+closes the ticket file and releases the lock on it.
+.SH "SEE ALSO"
+krb(3)
+.SH DIAGNOSTICS
+.SH BUGS
+The ticket file routines have to be called in a certain order.
+.SH AUTHORS
+Jennifer Steiner, MIT Project Athena
+.br
+Bill Bryant, MIT Project Athena
+.SH RESTRICTIONS
+Copyright 1987 Massachusetts Institute of Technology
diff --git a/crypto/kerberosIV/mkinstalldirs b/crypto/kerberosIV/mkinstalldirs
new file mode 100644
index 0000000..1c13a50
--- /dev/null
+++ b/crypto/kerberosIV/mkinstalldirs
@@ -0,0 +1,40 @@
+#! /bin/sh
+# mkinstalldirs --- make directory hierarchy
+# Author: Noah Friedman <friedman@prep.ai.mit.edu>
+# Created: 1993-05-16
+# Public domain
+
+# $Id: mkinstalldirs,v 1.1 1996/06/27 01:12:51 joda Exp $
+
+errstatus=0
+
+for file
+do
+   set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
+   shift
+
+   pathcomp=
+   for d
+   do
+     pathcomp="$pathcomp$d"
+     case "$pathcomp" in
+       -* ) pathcomp=./$pathcomp ;;
+     esac
+
+     if test ! -d "$pathcomp"; then
+        echo "mkdir $pathcomp" 1>&2
+
+        mkdir "$pathcomp" || lasterr=$?
+
+        if test ! -d "$pathcomp"; then
+  	  errstatus=$lasterr
+        fi
+     fi
+
+     pathcomp="$pathcomp/"
+   done
+done
+
+exit $errstatus
+
+# mkinstalldirs ends here
diff --git a/crypto/kerberosIV/server/Makefile.in b/crypto/kerberosIV/server/Makefile.in
new file mode 100644
index 0000000..42bfaff
--- /dev/null
+++ b/crypto/kerberosIV/server/Makefile.in
@@ -0,0 +1,77 @@
+# $Id: Makefile.in,v 1.30 1999/03/10 19:01:17 joda Exp $
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+LIBS = @LIBS@
+LIB_DBM = @LIB_DBM@
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+libexecdir = @libexecdir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+PROGS = kerberos$(EXECSUFFIX)
+
+SOURCES = kerberos.c
+
+OBJECTS = kerberos.o
+
+all: $(PROGS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../include -I$(srcdir) $(CPPFLAGS) $(CFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libexecdir)
+	for x in $(PROGS); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROGS); do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f *.a *.o $(PROGS)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+kerberos$(EXECSUFFIX): kerberos.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kerberos.o -L../lib/kdb -lkdb -L../lib/krb -lkrb -L../lib/des -ldes -L../lib/roken -lroken $(LIB_DBM) $(LIBS) -lroken
+
+$(OBJECTS): ../include/config.h
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/server/kerberos.c b/crypto/kerberosIV/server/kerberos.c
new file mode 100644
index 0000000..09a65df
--- /dev/null
+++ b/crypto/kerberosIV/server/kerberos.c
@@ -0,0 +1,1089 @@
+/*
+ * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ */
+/* $FreeBSD$ */
+
+#include "config.h"
+#include "protos.h"
+
+RCSID("$Id: kerberos.c,v 1.87.2.3 2000/10/18 20:24:13 assar Exp $");
+
+/*
+ * If support for really large numbers of network interfaces is
+ * desired, define FD_SETSIZE to some suitable value.
+ */
+#define FD_SETSIZE (4*1024)
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+#include <errno.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
+#include <sys/ioctl.h>
+#endif
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif /* HAVE_SYS_FILIO_H */
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#include <err.h>
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include <roken.h>
+#include <base64.h>
+
+#include <openssl/des.h>
+#include <krb.h>
+#include <krb_db.h>
+#include <prot.h>
+#include <klog.h>
+
+#include <krb_log.h>
+
+#include <kdc.h>
+
+static des_key_schedule master_key_schedule;
+static des_cblock master_key;
+
+static struct timeval kerb_time;
+static u_char master_key_version;
+static char *lt;
+static int more;
+
+static int mflag;		/* Are we invoked manually? */
+static char *log_file = KRBLOG;	/* name of alt. log file */
+static int nflag;		/* don't check max age */
+static int rflag;		/* alternate realm specified */
+
+/* fields within the received request packet */
+static char *req_name_ptr;
+static char *req_inst_ptr;
+static char *req_realm_ptr;
+static u_int32_t req_time_ws;
+
+static char local_realm[REALM_SZ];
+
+/* options */
+static int max_age = -1;
+static int pause_int = -1;
+
+/*
+ * Print usage message and exit.
+ */
+static void
+usage(void)
+{
+    fprintf(stderr, "Usage: %s [-s] [-m] [-n] [-p pause_seconds]"
+	    " [-a max_age] [-l log_file] [-i address_to_listen_on]"
+	    " [-r realm] [database_pathname]\n",
+	    __progname);
+    exit(1);
+}
+
+/*
+ * kerb_err_reply creates an error reply packet and sends it to the
+ * client. 
+ */
+
+static void
+kerb_err_reply(int f, struct sockaddr_in *client, int err, char *string)
+{
+    static KTEXT_ST e_pkt_st;
+    KTEXT   e_pkt = &e_pkt_st;
+    static char e_msg[128];
+
+    snprintf (e_msg, sizeof(e_msg),
+	      "\nKerberos error -- %s", string);
+    cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,
+		 req_time_ws, err, e_msg);
+    sendto(f, (char*)e_pkt->dat, e_pkt->length, 0, (struct sockaddr *)client,
+	   sizeof(*client));
+}
+
+static void
+hang(void)
+{
+    if (pause_int == -1) {
+	klog(L_KRB_PERR, "Kerberos will pause so as not to loop init");
+	for (;;)
+	    pause();
+    } else {
+	char buf[256];
+	snprintf(buf, sizeof(buf),
+		 "Kerberos will wait %d seconds before dying so as not to loop init",
+		 pause_int);
+	klog(L_KRB_PERR, buf);
+	sleep(pause_int);
+	klog(L_KRB_PERR, "Do svedania....\n");
+	exit(1);
+    }
+}
+
+static int
+check_princ(char *p_name, char *instance, unsigned int lifetime, Principal *p)
+{
+    static int n;
+    static int more;
+
+    n = kerb_get_principal(p_name, instance, p, 1, &more);
+    
+    if (n < 0) {
+	lt = klog(L_KRB_PERR, "Database unavailable!");
+	hang();
+    }
+    
+    /*
+     * if more than one p_name, pick one, randomly create a session key,
+     * compute maximum lifetime, lookup authorizations if applicable,
+     * and stuff into cipher. 
+     */
+    if (n == 0) {
+	/* service unknown, log error, skip to next request */
+	lt = klog(L_ERR_UNK, "UNKNOWN %s.%s", p_name, instance);
+	return KERB_ERR_PRINCIPAL_UNKNOWN;
+    }
+    if (more) {
+	/* not unique, log error */
+	lt = klog(L_ERR_NUN, "Principal not unique %s.%s", p_name, instance);
+	return KERB_ERR_PRINCIPAL_NOT_UNIQUE;
+    }
+    /* If the user's key is null, we want to return an error */
+    if ((p->key_low == 0) && (p->key_high == 0)) {
+	/* User has a null key */
+	lt = klog(L_ERR_NKY, "Null key %s.%s", p_name, instance);
+	return KERB_ERR_NULL_KEY;
+    }
+    if (master_key_version != p->kdc_key_ver) {
+	/* log error reply */
+	lt = klog(L_ERR_MKV,
+		  "Incorrect master key version for %s.%s: %d (should be %d)",
+		  p->name, p->instance, p->kdc_key_ver, master_key_version);
+	return KERB_ERR_NAME_MAST_KEY_VER;
+    }
+    /* make sure the service hasn't expired */
+    if ((u_int32_t) p->exp_date < (u_int32_t) kerb_time.tv_sec) {
+	/* service did expire, log it */
+	time_t t = p->exp_date;
+	lt = klog(L_ERR_SEXP,
+		  "Principal %s.%s expired at %s", p->name, p->instance,
+		  krb_stime(&t));
+	return KERB_ERR_NAME_EXP;
+    }
+    /* ok is zero */
+    return 0;
+}
+
+static void
+unseal(des_cblock *key)
+{
+    kdb_encrypt_key(key, key, &master_key, master_key_schedule, DES_DECRYPT);
+}
+
+
+/* Set the key for krb_rd_req so we can check tgt */
+static int
+set_tgtkey(char *r)
+              			/* Realm for desired key */
+{
+    int     n;
+    static char lastrealm[REALM_SZ];
+    Principal p_st;
+    Principal *p = &p_st;
+    des_cblock key;
+
+    if (!strcmp(lastrealm, r))
+	return (KSUCCESS);
+
+    klog(L_ALL_REQ, "Getting key for %s", r);
+
+    n = kerb_get_principal(KRB_TICKET_GRANTING_TICKET, r, p, 1, &more);
+    if (n == 0)
+	return (KFAILURE);
+
+    /* unseal tgt key from master key */
+    copy_to_key(&p->key_low, &p->key_high, key);
+    unseal(&key);
+    krb_set_key(key, 0);
+    strlcpy (lastrealm, r, REALM_SZ);
+    return (KSUCCESS);
+}
+
+
+static int
+kerberos(unsigned char *buf, int len,
+	 char *proto, struct sockaddr_in *client,
+	 struct sockaddr_in *server,
+	 KTEXT rpkt)
+{
+    int pvno;
+    int msg_type;
+    int lsb;
+    int life;
+    int flags = 0;
+    char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
+    char service[SNAME_SZ], sinst[INST_SZ];
+    u_int32_t req_time;
+    static KTEXT_ST ticket, cipher, adat;
+    KTEXT tk = &ticket, ciph = &cipher, auth = &adat;
+    AUTH_DAT ad;
+    des_cblock session, key;
+    int err;
+    Principal a_name, s_name;
+    
+    char *msg;
+    
+    
+    unsigned char *p = buf;
+    if(len < 2){
+	strlcpy((char*)rpkt->dat,
+			"Packet too short",
+			sizeof(rpkt->dat));
+	return KFAILURE;
+    }
+
+    gettimeofday(&kerb_time, NULL);
+
+    pvno = *p++;
+    if(pvno != KRB_PROT_VERSION){
+	msg = klog(L_KRB_PERR, "KRB protocol version mismatch (%d)", pvno);
+	strlcpy((char*)rpkt->dat,
+			msg,
+			sizeof(rpkt->dat));
+	return KERB_ERR_PKT_VER;
+    }
+    msg_type = *p++;
+    lsb = msg_type & 1;
+    msg_type &= ~1;
+    switch(msg_type){
+    case AUTH_MSG_KDC_REQUEST:
+	/* XXX range check */
+	p += krb_get_nir(p, name, sizeof(name),
+			 inst, sizeof(inst),
+			 realm, sizeof(realm));
+	p += krb_get_int(p, &req_time, 4, lsb);
+	life = *p++;
+	p += krb_get_nir(p, service, sizeof(service),
+			 sinst, sizeof(sinst), NULL, 0);
+	klog(L_INI_REQ,
+	     "AS REQ %s.%s@%s for %s.%s from %s (%s/%u)", 
+	     name, inst, realm, service, sinst,
+	     inet_ntoa(client->sin_addr),
+	     proto, ntohs(server->sin_port));
+	if((err = check_princ(name, inst, 0, &a_name))){
+	    strlcpy((char*)rpkt->dat,
+			    krb_get_err_text(err),
+			    sizeof(rpkt->dat));
+	    return err;
+	}
+	tk->length = 0;
+	if((err = check_princ(service, sinst, 0, &s_name))){
+	    strlcpy((char*)rpkt->dat,
+			    krb_get_err_text(err),
+			    sizeof(rpkt->dat));
+	    return err;
+	}
+	life = min(life, s_name.max_life);
+	life = min(life, a_name.max_life);
+    
+	des_new_random_key(&session);
+	copy_to_key(&s_name.key_low, &s_name.key_high, key);
+	unseal(&key);
+	krb_create_ticket(tk, flags, a_name.name, a_name.instance, 
+			  local_realm, client->sin_addr.s_addr,
+			  session, 
+			  life, kerb_time.tv_sec, 
+			  s_name.name, s_name.instance, &key);
+	copy_to_key(&a_name.key_low, &a_name.key_high, key);
+	unseal(&key);
+	create_ciph(ciph, session, s_name.name, s_name.instance,
+		    local_realm, life, s_name.key_version, tk, 
+		    kerb_time.tv_sec, &key);
+	memset(&session, 0, sizeof(session));
+	memset(&key, 0, sizeof(key));
+	{
+	    KTEXT r;
+	    r = create_auth_reply(name, inst, realm, req_time, 0, 
+				  a_name.exp_date, a_name.key_version, ciph);
+	    memcpy(rpkt, r, sizeof(*rpkt));
+	}
+	return 0;
+    case AUTH_MSG_APPL_REQUEST:
+	strlcpy(realm, (char*)buf + 3, REALM_SZ);
+	if((err = set_tgtkey(realm))){
+	    msg = klog(L_ERR_UNK,
+		       "Unknown realm %s from %s (%s/%u)", 
+		       realm, inet_ntoa(client->sin_addr),
+		       proto, ntohs(server->sin_port));
+	    strlcpy((char*)rpkt->dat,
+			    msg,
+			    sizeof(rpkt->dat));
+	    return err;
+	}
+	p = buf + strlen(realm) + 4;
+	p = p + p[0] + p[1] + 2;
+	auth->length = p - buf;
+	memcpy(auth->dat, buf, auth->length);
+	err = krb_rd_req(auth, KRB_TICKET_GRANTING_TICKET,
+			 realm, client->sin_addr.s_addr, &ad, 0);
+	if(err){
+	    msg = klog(L_ERR_UNK,
+		       "krb_rd_req from %s (%s/%u): %s", 
+		       inet_ntoa(client->sin_addr),
+		       proto,
+		       ntohs(server->sin_port),
+		       krb_get_err_text(err));
+	    strlcpy((char*)rpkt->dat,
+			    msg,
+			    sizeof(rpkt->dat));
+	    return err;
+	}
+	p += krb_get_int(p, &req_time, 4, lsb);
+	life = *p++;
+	p += krb_get_nir(p, service, sizeof(service),
+			 sinst, sizeof(sinst), NULL, 0);
+	klog(L_APPL_REQ,
+	     "APPL REQ %s.%s@%s for %s.%s from %s (%s/%u)",
+	     ad.pname, ad.pinst, ad.prealm,
+	     service, sinst,
+	     inet_ntoa(client->sin_addr),
+	     proto,
+	     ntohs(server->sin_port));
+
+	if(strcmp(ad.prealm, realm)){
+	    msg = klog(L_ERR_UNK, "Can't hop realms: %s -> %s", 
+		       realm, ad.prealm);
+	    strlcpy((char*)rpkt->dat,
+			    msg,
+			    sizeof(rpkt->dat));
+	    return KERB_ERR_PRINCIPAL_UNKNOWN;
+	}
+
+	if(!strcmp(service, "changepw")){
+	    strlcpy((char*)rpkt->dat, 
+			    "Can't authorize password changed based on TGT",
+			    sizeof(rpkt->dat));
+	    return KERB_ERR_PRINCIPAL_UNKNOWN;
+	}
+
+	err = check_princ(service, sinst, life, &s_name);
+	if(err){
+	    strlcpy((char*)rpkt->dat,
+			    krb_get_err_text(err),
+			    sizeof(rpkt->dat));
+	    return err;
+	}
+	life = min(life, 
+		   krb_time_to_life(kerb_time.tv_sec, 
+				    krb_life_to_time(ad.time_sec, 
+						     ad.life)));
+	life = min(life, s_name.max_life);
+	copy_to_key(&s_name.key_low, &s_name.key_high, key);
+	unseal(&key);
+	des_new_random_key(&session);
+	krb_create_ticket(tk, flags, ad.pname, ad.pinst, ad.prealm,
+			  client->sin_addr.s_addr, &session,
+			  life, kerb_time.tv_sec,
+			  s_name.name, s_name.instance,
+			  &key);
+	
+	memset(&key, 0, sizeof(key));
+
+	create_ciph(ciph, session, service, sinst, local_realm,
+		    life, s_name.key_version, tk,
+		    kerb_time.tv_sec, &ad.session);
+
+	memset(&session, 0, sizeof(session));
+	memset(ad.session, 0, sizeof(ad.session));
+	{
+	    KTEXT r;
+	    r =create_auth_reply(ad.pname, ad.pinst, ad.prealm, 
+				 req_time, 0, 0, 0, ciph);
+	    memcpy(rpkt, r, sizeof(*rpkt));
+	}
+	memset(&s_name, 0, sizeof(s_name));
+	return 0;
+	
+    case AUTH_MSG_ERR_REPLY:
+	return -1;
+    default:
+	msg = klog(L_KRB_PERR,
+		   "Unknown message type: %d from %s (%s/%u)", 
+		   msg_type,
+		   inet_ntoa(client->sin_addr),
+		   proto,
+		   ntohs(server->sin_port));
+	strlcpy((char*)rpkt->dat,
+			msg,
+			sizeof(rpkt->dat));
+	return KFAILURE;
+    }
+}
+
+
+static void
+kerberos_wrap(int s, KTEXT data, char *proto, struct sockaddr_in *client, 
+	      struct sockaddr_in *server)
+{
+    KTEXT_ST pkt;
+    int http_flag = strcmp(proto, "http") == 0;
+    int err = kerberos(data->dat, data->length, proto, client, server, &pkt);
+    if(err == -1)
+	return;
+    if(http_flag){
+	const char *msg = 
+	    "HTTP/1.1 200 OK\r\n"
+	    "Server: KTH-KRB/1\r\n"
+	    "Content-type: application/octet-stream\r\n"
+	    "Content-transfer-encoding: binary\r\n\r\n";
+	sendto(s, msg, strlen(msg), 0, (struct sockaddr *)client,
+	       sizeof(*client));
+    }
+    if(err){
+	kerb_err_reply(s, client, err, (char*)pkt.dat);
+	return;
+    }
+    sendto(s, pkt.dat, pkt.length, 0, (struct sockaddr *)client,
+	   sizeof(*client));
+}
+
+
+/*
+ * setup_disc 
+ *
+ * disconnect all descriptors, remove ourself from the process
+ * group that spawned us. 
+ */
+
+static void
+setup_disc(void)
+{
+    int     s;
+
+    for (s = 0; s < 3; s++) {
+	close(s);
+    }
+
+    open("/dev/null", 0);
+    dup2(0, 1);
+    dup2(0, 2);
+
+    setsid();
+
+    chdir("/tmp");
+    return;
+}
+
+/*
+ * Make sure that database isn't stale.
+ *
+ * Exit if it is; we don't want to tell lies.
+ */
+
+static void
+check_db_age(void)
+{
+    long age;
+    
+    if (max_age != -1) {
+	/* Requires existance of kerb_get_db_age() */
+	gettimeofday(&kerb_time, 0);
+	age = kerb_get_db_age();
+	if (age == 0) {
+	    klog(L_KRB_PERR, "Database currently being updated!");
+	    hang();
+	}
+	if ((age + max_age) < kerb_time.tv_sec) {
+	    klog(L_KRB_PERR, "Database out of date!");
+	    hang();
+	    /* NOTREACHED */
+	}
+    }
+}
+
+struct descr{
+    int s;
+    KTEXT_ST buf;
+    int type;
+    int timeout;
+    struct sockaddr_in addr;
+};
+
+static void
+mksocket(struct descr *d, struct in_addr addr, int type, 
+	 const char *service, int port)
+{
+    int     on = 1;
+    int sock;
+
+    memset(d, 0, sizeof(struct descr));
+    if ((sock = socket(AF_INET, type, 0)) < 0)
+	err (1, "socket");
+    if (sock >= FD_SETSIZE) {
+        errno = EMFILE;
+	errx(1, "Aborting: too many descriptors");
+    }
+#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT)
+    if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
+		   sizeof(on)) < 0)
+	warn ("setsockopt (SO_REUSEADDR)");
+#endif
+    memset(&d->addr, 0, sizeof(d->addr));
+    d->addr.sin_family = AF_INET;
+    d->addr.sin_port   = port;
+    d->addr.sin_addr   = addr;
+    if (bind(sock, (struct sockaddr *)&d->addr, sizeof(d->addr)) < 0)
+	err (1, "bind '%s/%s' (%d)",
+	     service, (type == SOCK_DGRAM) ? "udp" : "tcp",
+	     ntohs(d->addr.sin_port));
+    
+    if(type == SOCK_STREAM)
+	listen(sock, SOMAXCONN);
+    d->s = sock;
+    d->type = type;
+}
+
+
+static void loop(struct descr *fds, int maxfd);
+
+struct port_spec {
+    int port;
+    int type;
+};
+
+static int
+add_port(struct port_spec **ports, int *num_ports, int port, int type)
+{
+    struct port_spec *tmp;
+    tmp = realloc(*ports, (*num_ports + 1) * sizeof(*tmp));
+    if(tmp == NULL)
+	return ENOMEM;
+    *ports = tmp;
+    tmp[*num_ports].port = port;
+    tmp[*num_ports].type = type;
+    (*num_ports)++;
+    return 0;
+}
+
+static void
+make_sockets(const char *port_spec, struct in_addr *i_addr, 
+	     struct descr **fds, int *nfds)
+{
+    int tp;
+    struct in_addr *a;
+    char *p, *q, *pos = NULL;
+    struct servent *sp;
+    struct port_spec *ports = NULL;
+    int num_ports = 0;
+    int i, j;
+    char *port_spec_copy = strdup (port_spec);
+
+    if (port_spec_copy == NULL)
+	err (1, "strdup");
+
+    for(p = strtok_r(port_spec_copy, ", \t", &pos); 
+	p; 
+	p = strtok_r(NULL, ", \t", &pos)){
+	if(strcmp(p, "+") == 0){
+	    add_port(&ports, &num_ports, 88, SOCK_DGRAM);
+	    add_port(&ports, &num_ports, 88, SOCK_STREAM);
+	    add_port(&ports, &num_ports, 750, SOCK_DGRAM);
+	    add_port(&ports, &num_ports, 750, SOCK_STREAM);
+	}else{
+	    q = strchr(p, '/');
+	    if(q){
+		*q = 0;
+		q++;
+	    }
+	    sp = getservbyname(p, q);
+	    if(sp)
+		tp = ntohs(sp->s_port);
+	    else if(sscanf(p, "%d", &tp) != 1) {
+		warnx("Unknown port: %s%s%s", p, q ? "/" : "", q ? q : "");
+		continue;
+	    }
+	    if(q){
+		if(strcasecmp(q, "tcp") == 0)
+		    add_port(&ports, &num_ports, tp, SOCK_STREAM);
+		else if(strcasecmp(q, "udp") == 0)
+		    add_port(&ports, &num_ports, tp, SOCK_DGRAM);
+		else
+		    warnx("Unknown protocol type: %s", q);
+	    }else{
+		add_port(&ports, &num_ports, tp, SOCK_DGRAM);
+		add_port(&ports, &num_ports, tp, SOCK_STREAM);
+	    }
+	}
+    }
+    free (port_spec_copy);
+
+    if(num_ports == 0)
+	errx(1, "No valid ports specified!");
+    
+    if (i_addr) {
+	*nfds = 1;
+	a = malloc(sizeof(*a) * *nfds);
+	if (a == NULL)
+	    errx (1, "Failed to allocate %lu bytes",
+		  (unsigned long)(sizeof(*a) * *nfds));
+	memcpy(a, i_addr, sizeof(struct in_addr));
+    } else
+	*nfds = k_get_all_addrs (&a);
+    if (*nfds < 0) {
+	struct in_addr any;
+
+	any.s_addr = INADDR_ANY;
+
+	warnx ("Could not get local addresses, binding to INADDR_ANY");
+	*nfds = 1;
+	a = malloc(sizeof(*a) * *nfds);
+	if (a == NULL)
+	    errx (1, "Failed to allocate %lu bytes",
+		  (unsigned long)(sizeof(*a) * *nfds));
+	memcpy(a, &any, sizeof(struct in_addr));
+    }
+    *fds = malloc(*nfds * num_ports * sizeof(**fds));
+    if (*fds == NULL)
+	errx (1, "Failed to allocate %lu bytes",
+	      (unsigned long)(*nfds * num_ports * sizeof(**fds)));
+    for (i = 0; i < *nfds; i++) {
+	for(j = 0; j < num_ports; j++) {
+	    mksocket(*fds + num_ports * i + j, a[i], 
+		     ports[j].type, "", htons(ports[j].port));
+	}
+    }
+    *nfds *= num_ports;
+    free(ports);
+    free (a);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    int     child;
+    int c;
+    struct descr *fds;
+    int nfds;
+    int n;
+    int     kerror;
+    int i_flag = 0;
+    struct in_addr i_addr;
+    char *port_spec = "+";
+
+    umask(077);		/* Create protected files */
+
+    set_progname (argv[0]);
+
+    while ((c = getopt(argc, argv, "snmp:P:a:l:r:i:")) != -1) {
+	switch(c) {
+	case 's':
+	    /*
+	     * Set parameters to slave server defaults.
+	     */
+	    if (max_age == -1 && !nflag)
+		max_age = THREE_DAYS;	/* Survive weekend */
+	    if (pause_int == -1)
+		pause_int = FIVE_MINUTES; /* 5 minutes */
+	    break;
+	case 'n':
+	    max_age = -1;	/* don't check max age. */
+	    nflag++;
+	    break;
+	case 'm':
+	    mflag++;		/* running manually; prompt for master key */
+	    break;
+	case 'p': {
+	    /* Set pause interval. */
+	    char *tmp;
+
+	    pause_int = strtol (optarg, &tmp, 0);
+	    if (pause_int == 0 && tmp == optarg) {
+		fprintf(stderr, "pause_int `%s' not a number\n", optarg);
+		usage ();
+	    }
+
+	    if ((pause_int < 5) ||  (pause_int > ONE_HOUR)) {
+		fprintf(stderr, "pause_int must be between 5 and 3600 seconds.\n");
+		usage();
+	    }
+	    break;
+	}
+	case 'P':
+	    port_spec = optarg;
+	    break;
+	case 'a': {
+	    /* Set max age. */
+	    char *tmp;
+
+	    max_age = strtol (optarg, &tmp, 0);
+	    if (max_age == 0 && tmp == optarg) {
+		fprintf (stderr, "max_age `%s' not a number\n", optarg);
+		usage ();
+	    }
+	    if ((max_age < ONE_HOUR) || (max_age > THREE_DAYS)) {
+		fprintf(stderr, "max_age must be between one hour and "
+			"three days, in seconds\n");
+		usage();
+	    }
+	    break;
+	}
+	case 'l':
+	    /* Set alternate log file */
+	    log_file = optarg;
+	    break;
+	case 'r':
+	    /* Set realm name */
+	    rflag++;
+	    strlcpy(local_realm, optarg, sizeof(local_realm));
+	    break;
+	case 'i':
+	    /* Only listen on this address */
+	    if(inet_aton (optarg, &i_addr) == 0) {
+		fprintf (stderr, "Bad address: %s\n", optarg);
+		exit (1);
+	    }
+	    ++i_flag;
+	    break;
+	default:
+	    usage();
+	    break;
+	}
+    }
+    
+    if (optind == (argc-1)) {
+	if (kerb_db_set_name(argv[optind]) != 0) {
+	    fprintf(stderr, "Could not set alternate database name\n");
+	    exit(1);
+	}
+	optind++;
+    }
+
+    if (optind != argc)
+	usage();
+	
+    printf("Kerberos server starting\n");
+    
+    if ((!nflag) && (max_age != -1))
+	printf("\tMaximum database age: %d seconds\n", max_age);
+    if (pause_int != -1)
+	printf("\tSleep for %d seconds on error\n", pause_int);
+    else
+	printf("\tSleep forever on error\n");
+    if (mflag)
+	printf("\tMaster key will be entered manually\n");
+    
+    printf("\tLog file is %s\n", log_file);
+
+    kset_logfile(log_file);
+    
+    make_sockets(port_spec, i_flag ? &i_addr : NULL, &fds, &nfds);
+
+    /* do all the database and cache inits */
+    if ((n = kerb_init())) {
+	if (mflag) {
+	    printf("Kerberos db and cache init ");
+	    printf("failed = %d ...exiting\n", n);
+	    exit (1);
+	} else {
+	    klog(L_KRB_PERR,
+	    "Kerberos db and cache init failed = %d ...exiting", n);
+	    hang();
+	}
+    }
+
+    /* Make sure database isn't stale */
+    check_db_age();
+    
+    /* setup master key */
+    if (kdb_get_master_key (mflag, &master_key, master_key_schedule) != 0) {
+      klog (L_KRB_PERR, "kerberos: couldn't get master key.");
+      exit (1);
+    }
+    kerror = kdb_verify_master_key (&master_key, master_key_schedule, stdout);
+    if (kerror < 0) {
+      klog (L_KRB_PERR, "Can't verify master key.");
+      memset(master_key, 0, sizeof (master_key));
+      memset (master_key_schedule, 0, sizeof (master_key_schedule));
+      exit (1);
+    }
+
+    master_key_version = (u_char) kerror;
+
+    fprintf(stdout, "\nCurrent Kerberos master key version is %d\n",
+	    master_key_version);
+    des_init_random_number_generator(&master_key);
+
+    if (!rflag) {
+	/* Look up our local realm */
+	krb_get_lrealm(local_realm, 1);
+    }
+    fprintf(stdout, "Local realm: %s\n", local_realm);
+    fflush(stdout);
+
+    if (set_tgtkey(local_realm)) {
+	/* Ticket granting service unknown */
+	klog(L_KRB_PERR, "Ticket granting ticket service unknown");
+	fprintf(stderr, "Ticket granting ticket service unknown\n");
+	exit(1);
+    }
+    if (mflag) {
+	if ((child = fork()) != 0) {
+	    printf("Kerberos started, PID=%d\n", child);
+	    exit(0);
+	}
+	setup_disc();
+    }
+    
+    klog(L_ALL_REQ, "Starting Kerberos for %s (kvno %d)", 
+	 local_realm, master_key_version);
+    
+    /* receive loop */
+    loop(fds, nfds);
+    exit(1);
+}
+
+
+static void
+read_socket(struct descr *n)
+{
+    int b;
+    struct sockaddr_in from;
+    int fromlen = sizeof(from);
+    b = recvfrom(n->s, n->buf.dat + n->buf.length, 
+		 MAX_PKT_LEN - n->buf.length, 0, 
+		 (struct sockaddr *)&from, &fromlen);
+    if(b < 0){
+	if(n->type == SOCK_STREAM){
+	    close(n->s);
+	    n->s = -1;
+	}
+	n->buf.length = 0;
+	return;
+    }
+    n->buf.length += b;
+    if(n->type == SOCK_STREAM){
+	char *proto = "tcp";
+	if(n->buf.length > 4 && 
+	   strncmp((char *)n->buf.dat, "GET ", 4) == 0 &&
+	   strncmp((char *)n->buf.dat + n->buf.length - 4, 
+		   "\r\n\r\n", 4) == 0){
+	    char *p;
+	    char *save = NULL;
+
+	    n->buf.dat[n->buf.length - 1] = 0;
+	    strtok_r((char *)n->buf.dat, " \t\r\n", &save);
+	    p = strtok_r(NULL, " \t\r\n", &save);
+	    if(p == NULL)
+		p = "";
+	    if(*p == '/') p++;
+	    n->buf.length = base64_decode(p, n->buf.dat);
+	    if(n->buf.length <= 0){
+		const char *msg = 
+		    "HTTP/1.1 404 Not found\r\n"
+		    "Server: KTH-KRB/1\r\n"
+		    "Content-type: text/html\r\n"
+		    "Content-transfer-encoding: 8bit\r\n\r\n"
+		    "<TITLE>404 Not found</TITLE>\r\n"
+		    "<H1>404 Not found</H1>\r\n"
+		    "That page does not exist. Information about "
+		    "<A HREF=\"http://www.pdc.kth.se/kth-krb\">KTH-KRB</A> "
+		    "is available elsewhere.\r\n";
+		fromlen = sizeof(from);
+		if(getpeername(n->s,(struct sockaddr*)&from, &fromlen) == 0)
+		    klog(L_KRB_PERR, "Unknown HTTP request from %s", 
+			 inet_ntoa(from.sin_addr));
+		else
+		    klog(L_KRB_PERR, "Unknown HTTP request from <unknown>");
+		write(n->s, msg, strlen(msg));
+		close(n->s);
+		n->s = -1;
+		n->buf.length = 0;
+		return;
+	    }
+	    proto = "http";
+	    b = 0;
+	}
+	else if(n->buf.length >= 4 && n->buf.dat[0] == 0){
+	    /* if this is a new type of packet (with
+	       the length attached to the head of the
+	       packet), and there is no more data to
+	       be read, fake an old packet, so the
+	       code below will work */
+	    u_int32_t len;
+	    krb_get_int(n->buf.dat, &len, 4, 0);
+	    if(n->buf.length == len + 4){
+		memmove(n->buf.dat, n->buf.dat + 4, len);
+		b = 0;
+	    }
+	}
+	if(b == 0){
+	    /* handle request if there are 
+	       no more bytes to read */
+	    fromlen = sizeof(from);
+	    getpeername(n->s,(struct sockaddr*)&from, &fromlen);
+	    kerberos_wrap(n->s, &n->buf, proto, &from,
+			  &n->addr);
+	    n->buf.length = 0;
+	    close(n->s);
+	    n->s = -1;
+	}
+    }else{
+	/* udp packets are atomic */
+	kerberos_wrap(n->s, &n->buf, "udp", &from,
+		      &n->addr);
+	n->buf.length = 0;
+    }
+}
+
+static fd_set readfds;
+
+static void
+loop(struct descr *fds, int base_nfds)
+{
+    int nfds = base_nfds;
+    int max_tcp = min(FD_SETSIZE, getdtablesize()) - fds[base_nfds - 1].s;
+    if (max_tcp <= 10) {
+        errno = EMFILE;
+ 	errx(1, "Aborting: too many descriptors");
+    }
+    max_tcp -= 10;		/* We need a few extra for DB, logs, etc. */
+    if (max_tcp > 100) max_tcp = 100; /* Keep to some sane limit. */
+
+    for (;;) {
+	int ret;
+	struct timeval tv;
+	int next_timeout = 10;	/* In seconds */
+	int maxfd = 0;
+	struct descr *n, *minfree;
+	int accepted; /* accept at most one socket per `round' */
+	
+	FD_ZERO(&readfds);
+	gettimeofday(&tv, NULL);
+	maxfd = 0;
+	minfree = NULL;
+	/* Remove expired TCP sockets, and add all other 
+	   to the set we are selecting on */
+	for(n = fds; n < fds + nfds; n++){
+	    if(n->s >= 0 && n->timeout && tv.tv_sec > n->timeout){
+		kerb_err_reply(n->s, NULL, KERB_ERR_TIMEOUT, "Timeout");
+		close(n->s);
+		n->s = -1;
+	    }
+	    if(n->s < 0){
+		if(minfree == NULL) minfree = n;
+		continue;
+	    }
+	    FD_SET(n->s, &readfds);
+	    maxfd = max(maxfd, n->s);
+	    next_timeout = min(next_timeout, tv.tv_sec - n->timeout);
+	}
+	/* add more space for sockets */
+	if (minfree == NULL && nfds < base_nfds + max_tcp) {
+	    int i = nfds;
+	    struct descr *new;
+	    nfds *=2;
+	    if (nfds > base_nfds + max_tcp)
+	        nfds = base_nfds + max_tcp;
+	    new = realloc(fds, sizeof(struct descr) * nfds);
+	    if(new){
+		fds = new;
+		minfree = fds + i;
+		for(; i < nfds; i++) fds[i].s = -1;
+	    }
+	}
+	if (minfree == NULL) {
+	    /*
+	     * We are possibly the subject of a DOS attack, pick a TCP
+	     * connection at random and drop it.
+	     */
+	    int r = rand() % (nfds - base_nfds);
+	    r = r + base_nfds;
+	    FD_CLR(fds[r].s, &readfds);
+	    close(fds[r].s);
+	    fds[r].s = -1;
+	    minfree = &fds[r];
+	}
+	if (next_timeout < 0) next_timeout = 0;
+	tv.tv_sec = next_timeout;
+	tv.tv_usec = 0;
+	ret = select(maxfd + 1, &readfds, 0, 0, &tv);
+	if (ret < 0) {
+	    if (errno != EINTR)
+	        klog(L_KRB_PERR, "select: %s", strerror(errno));
+	  continue;
+	}
+	accepted = 0;
+	for (n = fds; n < fds + nfds; n++){
+	    if(n->s < 0) continue;
+	    if (FD_ISSET(n->s, &readfds)){
+		if(n->type == SOCK_STREAM && n->timeout == 0){
+		    /* add accepted socket to list of sockets we are
+                       selecting on */
+		    int s;
+		    if(accepted) continue;
+		    accepted = 1;
+		    s = accept(n->s, NULL, 0);
+		    if (minfree == NULL || s >= FD_SETSIZE) {
+			close(s);
+		    }else{
+			minfree->s = s;
+			minfree->type = SOCK_STREAM;
+			gettimeofday(&tv, NULL);
+			minfree->timeout = tv.tv_sec + 4; /* XXX */
+			minfree->buf.length = 0;
+			memcpy(&minfree->addr, &n->addr, sizeof(minfree->addr));
+		    }
+		}else
+		    read_socket(n);
+	    }
+	}
+    }
+}
diff --git a/crypto/kerberosIV/slave/Makefile.in b/crypto/kerberosIV/slave/Makefile.in
new file mode 100644
index 0000000..938e61c
--- /dev/null
+++ b/crypto/kerberosIV/slave/Makefile.in
@@ -0,0 +1,80 @@
+# $Id: Makefile.in,v 1.33 1999/03/10 19:01:17 joda Exp $
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+CC = @CC@
+LINK = @LINK@
+AR = ar
+RANLIB = @RANLIB@
+DEFS = @DEFS@ -DSBINDIR=\"$(sbindir)\"
+CFLAGS = @CFLAGS@ $(WFLAGS)
+WFLAGS = @WFLAGS@
+LD_FLAGS = @LD_FLAGS@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+LIBS = @LIBS@
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+libexecdir = @libexecdir@
+sbindir = @sbindir@
+transform=@program_transform_name@
+EXECSUFFIX=@EXECSUFFIX@
+
+PROGS = kpropd$(EXECSUFFIX) \
+	kprop$(EXECSUFFIX)
+
+SOURCES = kpropd.c kprop.c
+
+OBJECTS = kpropd.o kprop.o
+
+all: $(PROGS)
+
+Wall:
+	make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__"
+
+.c.o:
+	$(CC) -c $(DEFS) -I../include -I$(srcdir) $(CPPFLAGS) $(CFLAGS) $<
+
+install: all
+	$(MKINSTALLDIRS) $(DESTDIR)$(libexecdir)
+	for x in $(PROGS); do \
+	  $(INSTALL_PROGRAM) $$x $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+uninstall:
+	for x in $(PROGS); do \
+	  rm -f $(DESTDIR)$(libexecdir)/`echo $$x | sed '$(transform)'`; \
+	done
+
+TAGS: $(SOURCES)
+	etags $(SOURCES)
+
+check:
+
+clean:
+	rm -f *.a *.o $(PROGS)
+
+mostlyclean: clean
+
+distclean: clean
+	rm -f Makefile *.tab.c *~
+
+realclean: distclean
+	rm -f TAGS
+
+kprop$(EXECSUFFIX): kprop.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kprop.o -L../lib/krb -lkrb -L../lib/des -ldes -L../lib/roken -lroken $(LIBS) -lroken
+
+kpropd$(EXECSUFFIX): kpropd.o
+	$(LINK) $(LD_FLAGS) $(LDFLAGS) -o $@ kpropd.o -L../lib/krb -lkrb -L../lib/des -ldes -L../lib/roken -lroken $(LIBS) -lroken
+
+$(OBJECTS): ../include/config.h
+
+.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
diff --git a/crypto/kerberosIV/slave/kprop.c b/crypto/kerberosIV/slave/kprop.c
new file mode 100644
index 0000000..2cb1aee
--- /dev/null
+++ b/crypto/kerberosIV/slave/kprop.c
@@ -0,0 +1,543 @@
+/*
+
+Copyright 1987, 1988 by the Student Information Processing Board
+	of the Massachusetts Institute of Technology
+
+Permission to use, copy, modify, and distribute this software
+and its documentation for any purpose and without fee is
+hereby granted, provided that the above copyright notice
+appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation,
+and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
+used in advertising or publicity pertaining to distribution
+of the software without specific, written prior permission.
+M.I.T. and the M.I.T. S.I.P.B. make no representations about
+the suitability of this software for any purpose.  It is
+provided "as is" without express or implied warranty.
+
+*/
+
+#include "slav_locl.h"
+
+RCSID("$Id: kprop.c,v 1.37 1999/09/16 20:41:59 assar Exp $");
+
+#include "kprop.h"
+
+static char kprop_version[KPROP_PROT_VERSION_LEN] = KPROP_PROT_VERSION;
+
+int     debug = 0;
+
+char    my_realm[REALM_SZ];
+int     princ_data_size = 3 * sizeof(int32_t) + 3 * sizeof(unsigned char);
+short   transfer_mode, net_transfer_mode;
+int force_flag;
+static char ok[] = ".dump_ok";
+
+struct slave_host {
+    u_int32_t  net_addr;
+    char   *name;
+    char   *instance;
+    char   *realm;
+    int	   not_time_yet;
+    int    succeeded;
+    struct slave_host *next;
+};
+
+static int
+get_slaves(struct slave_host **psl,
+	   const char *dir_path,
+	   const char *file,
+	   time_t ok_mtime)
+{
+    FILE   *fin;
+    char    namebuf[128], *inst;
+    char   *pc;
+    struct hostent *host;
+    struct slave_host **th;
+    char   *last_prop_path;
+    struct stat stbuf;
+
+    if ((fin = fopen(file, "r")) == NULL)
+	err (1, "open(%s)", file);
+
+    th = psl;
+    while(fgets(namebuf, sizeof(namebuf), fin)){
+	if ((pc = strchr(namebuf, '\n'))) {
+	    *pc = '\0';
+	} else {
+	    if(strlen(namebuf) == sizeof(namebuf) - 1){
+		warnx ("Hostname too long (>= %d chars) in '%s'.",
+		       (int) sizeof(namebuf), file);
+		do{
+		    if(fgets(namebuf, sizeof(namebuf), fin) == NULL)
+			break;
+		}while(strchr(namebuf, '\n') == NULL);
+		continue;
+	    }
+	}
+	if(namebuf[0] == 0 || namebuf[0] == '#')
+	    continue;
+	host = gethostbyname(namebuf);
+	if (host == NULL) {
+	    warnx ("Ignoring host '%s' in '%s': %s", 
+		   namebuf, file,
+		   hstrerror(h_errno));
+	    continue;
+	}
+	(*th) = (struct slave_host *) malloc(sizeof(struct slave_host));
+	if (!*th)
+	    errx (1, "No memory reading host list from '%s'.",
+		    file);
+	memset(*th, 0, sizeof(struct slave_host));
+	(*th)->name = strdup(namebuf);
+	if ((*th)->name == NULL)
+	    errx (1, "No memory reading host list from '%s'.",
+		  file);
+	/* get kerberos cannonical instance name */
+	inst = krb_get_phost ((*th)->name);
+	(*th)->instance = strdup(inst);
+	if ((*th)->instance == NULL)
+	    errx (1, "No memory reading host list from '%s'.",
+		  file);
+	/* what a concept, slave servers in different realms! */
+	(*th)->realm = my_realm;
+	memcpy(&(*th)->net_addr, host->h_addr, sizeof((*th)->net_addr));
+	(*th)->not_time_yet = 0;
+	(*th)->succeeded = 0;
+	(*th)->next = NULL;
+	asprintf(&last_prop_path, "%s%s-last-prop", dir_path, (*th)->name);
+	if (last_prop_path == NULL)
+	    errx (1, "malloc failed");
+	if (!force_flag
+	    && !stat(last_prop_path, &stbuf)
+	    && stbuf.st_mtime > ok_mtime) {
+	    (*th)->not_time_yet = 1;
+	    (*th)->succeeded = 1;	/* no change since last success */
+	}
+	free(last_prop_path);
+	th = &(*th)->next;
+    }
+    fclose(fin);
+    return (1);
+}
+
+/* The master -> slave protocol looks like this:
+     1) 8 byte version string
+     2) 2 bytes of "transfer mode" (net byte order of course)
+     3) ticket/authentication send by sendauth
+     4) 4 bytes of "block" length (u_int32_t)
+     5) data
+
+     4 and 5 repeat til EOF ...
+*/
+
+static int
+prop_to_slaves(struct slave_host *sl,
+	       int fd,
+	       const char *dir_path,
+	       const char *fslv)
+{
+    u_char buf[KPROP_BUFSIZ];
+    u_char obuf[KPROP_BUFSIZ + 64]; /* leave room for private msg overhead */
+    struct sockaddr_in sin, my_sin;
+    int     i, n, s;
+    struct slave_host *cs;	/* current slave */
+    char   my_host_name[MaxHostNameLen], *p_my_host_name;
+    char   kprop_service_instance[INST_SZ];
+    u_int32_t cksum;
+    u_int32_t length, nlength;
+    long   kerror;
+    KTEXT_ST     ticket;
+    CREDENTIALS  cred;
+    MSG_DAT msg_dat;
+    static char tkstring[] = "/tmp/kproptktXXXXXX";
+    des_key_schedule session_sched;
+    char   *last_prop_path;
+
+    close(mkstemp(tkstring));
+    krb_set_tkt_string(tkstring);
+    
+    memset(&sin, 0, sizeof sin);
+    sin.sin_family = AF_INET;
+    sin.sin_port = k_getportbyname ("krb_prop", "tcp", htons(KPROP_PORT));
+    sin.sin_addr.s_addr = INADDR_ANY;
+
+    for (i = 0; i < 5; i++) {	/* try each slave five times max */
+	for (cs = sl; cs; cs = cs->next) {
+	    if (!cs->succeeded) {
+		if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+		    err (1, "socket");
+		memcpy(&sin.sin_addr, &cs->net_addr, 
+		      sizeof cs->net_addr);
+
+		if (connect(s, (struct sockaddr *) &sin, sizeof sin) < 0) {
+		    warn ("connect(%s)", cs->name);
+		    close(s);
+		    continue;	/*** NEXT SLAVE ***/
+		}
+		
+		/* for krb_mk_{priv, safe} */
+		memset(&my_sin, 0, sizeof my_sin);
+		n = sizeof my_sin;
+		if (getsockname (s, (struct sockaddr *) &my_sin, &n) != 0) {
+		    warn ("getsockname(%s)", cs->name);
+		    close (s);
+		    continue;	/*** NEXT SLAVE ***/
+		}
+		if (n != sizeof (my_sin)) {
+		    warnx ("can't get socketname %s length", cs->name);
+		    close (s);
+		    continue;	/*** NEXT SLAVE ***/
+		}
+		
+		/* Get ticket */
+		kerror = krb_mk_req (&ticket, KPROP_SERVICE_NAME, 
+				     cs->instance, cs->realm, (u_int32_t) 0);
+		/* if ticket has expired try to get a new one, but
+		 * first get a TGT ...
+		 */
+		if (kerror != MK_AP_OK) {
+		    if (gethostname (my_host_name, sizeof(my_host_name)) != 0) {
+			warnx ("gethostname(%s): %s",
+			       my_host_name,
+			       hstrerror(h_errno));
+			close (s);
+			break;	/* next one can't work either! */
+		    }
+		    /* get canonical kerberos service instance name */
+		    p_my_host_name = krb_get_phost (my_host_name);
+		    /* copy it to make sure gethostbyname static doesn't
+		     * screw us. */
+		    strlcpy (kprop_service_instance,
+				     p_my_host_name,
+				     INST_SZ);
+		    kerror = krb_get_svc_in_tkt (KPROP_SERVICE_NAME, 
+#if 0
+						 kprop_service_instance,
+#else
+						 KRB_MASTER,
+#endif
+						 my_realm,
+						 KRB_TICKET_GRANTING_TICKET,
+						 my_realm,
+						 96,
+						 KPROP_SRVTAB);
+		    if (kerror != INTK_OK) {
+			warnx ("%s: %s.  While getting initial ticket\n",
+			       cs->name, krb_get_err_text(kerror));
+			close (s);
+			goto punt;
+		    }
+		    kerror = krb_mk_req (&ticket, KPROP_SERVICE_NAME, 
+					 cs->instance, cs->realm,
+					 (u_int32_t) 0);
+		}
+		if (kerror != MK_AP_OK) {
+		    warnx ("%s: krb_mk_req: %s",
+			   cs->name, krb_get_err_text(kerror));
+		    close (s);
+		    continue;	/*** NEXT SLAVE ***/
+		}		    
+
+		if (write(s, kprop_version, sizeof(kprop_version))
+		    != sizeof(kprop_version)) {
+		    warn ("%s", cs->name);
+		    close (s);
+		    continue;	/*** NEXT SLAVE ***/
+		}
+
+		net_transfer_mode = htons (transfer_mode);
+		if (write(s, &net_transfer_mode, sizeof(net_transfer_mode))
+		    != sizeof(net_transfer_mode)) {
+		    warn ("write(%s)", cs->name);
+		    close (s);
+		    continue;	/*** NEXT SLAVE ***/
+		}
+
+		kerror = krb_get_cred (KPROP_SERVICE_NAME, cs->instance,
+				       cs->realm, &cred);
+		if (kerror != KSUCCESS) {
+		    warnx ("%s: %s.  Getting session key.", 
+			   cs->name, krb_get_err_text(kerror));
+		    close (s);
+		    continue;	/*** NEXT SLAVE ***/
+		}
+#ifdef NOENCRYPTION
+		memset(session_sched, 0, sizeof(session_sched));
+#else
+		if (des_key_sched (&cred.session, session_sched)) {
+		    warnx ("%s: can't make key schedule.",
+			   cs->name);
+		    close (s);
+		    continue;	/*** NEXT SLAVE ***/
+		}
+#endif
+		/* SAFE (quad_cksum) and CLEAR are just not good enough */
+		cksum = 0;
+#ifdef not_working_yet
+		if (transfer_mode != KPROP_TRANSFER_PRIVATE) {
+		    cksum = get_data_checksum(fd, session_sched);
+		    lseek(fd, 0L, 0);
+		}
+		else
+#endif
+           	{
+		    struct stat st;
+		    fstat (fd, &st);
+		    cksum = st.st_size;
+	        }
+		kerror = krb_sendauth(KOPT_DO_MUTUAL,
+				      s,
+				      &ticket,
+				      KPROP_SERVICE_NAME,
+				      cs->instance,
+				      cs->realm,
+				      cksum,
+				      &msg_dat,
+				      &cred,
+				      session_sched,
+				      &my_sin,
+				      &sin,
+				      KPROP_PROT_VERSION);
+		if (kerror != KSUCCESS) {
+		    warnx ("%s: krb_sendauth: %s.",
+			   cs->name, krb_get_err_text(kerror));
+		    close (s);
+		    continue;	/*** NEXT SLAVE ***/
+		}
+
+		lseek(fd, 0L, SEEK_SET); /* Rewind file before rereading it. */
+		while ((n = read(fd, buf, sizeof buf))) {
+		    if (n < 0)
+			err (1, "read");
+		    switch (transfer_mode) {
+		    case KPROP_TRANSFER_PRIVATE:
+		    case KPROP_TRANSFER_SAFE:
+			if (transfer_mode == KPROP_TRANSFER_PRIVATE)
+			    length = krb_mk_priv (buf, obuf, n, 
+						  session_sched, &cred.session,
+						  &my_sin, &sin);
+			else
+			    length = krb_mk_safe (buf, obuf, n,
+						  &cred.session,
+						  &my_sin, &sin);
+			if (length == -1) {
+			    warnx ("%s: %s failed.",
+				   cs->name,
+				   (transfer_mode == KPROP_TRANSFER_PRIVATE) 
+				   ? "krb_rd_priv" : "krb_rd_safe");
+			    close (s);
+			    continue; /*** NEXT SLAVE ***/
+			}
+			nlength = htonl(length);
+			if (write(s, &nlength, sizeof nlength)
+			    != sizeof nlength) {
+			    warn ("write(%s)", cs->name);
+			    close (s);
+			    continue; /*** NEXT SLAVE ***/
+			}
+			if (write(s, obuf, length) != length) {
+			    warn ("write(%s)", cs->name);
+			    close(s);
+			    continue; /*** NEXT SLAVE ***/
+			}
+			break;
+		    case KPROP_TRANSFER_CLEAR:
+			if (write(s, buf, n) != n) {
+			    warn ("write(%s)", cs->name);
+			    close(s);
+			    continue; /*** NEXT SLAVE ***/
+			}
+			break;
+		    }
+		}
+		close(s);
+		cs->succeeded = 1;
+		printf("%s: success.\n", cs->name);
+
+		asprintf(&last_prop_path,
+			 "%s%s-last-prop",
+			 dir_path,
+			 cs->name);
+		if (last_prop_path == NULL)
+		    errx (1, "malloc failed");
+
+		unlink(last_prop_path);
+		close(creat(last_prop_path, 0600));
+	    }
+	}
+    }
+punt:
+    
+    dest_tkt();
+    for (cs = sl; cs; cs = cs->next) {
+	if (!cs->succeeded)
+	    return (0);		/* didn't get this slave */
+    }
+    return (1);
+}
+
+static void
+usage(void)
+{
+    /* already got floc and fslv, what is this? */
+    fprintf(stderr,
+	    "\nUsage: kprop [-force] [-realm realm] [-private"
+#ifdef not_safe_yet
+	    "|-safe|-clear"
+#endif
+	    "] [data_file [slaves_file]]\n\n");
+    exit(1);
+}
+
+
+int
+main(int argc, char **argv)
+{
+    int     fd, i;
+    char   *floc, *floc_ok;
+    char   *fslv;
+    char   *dir_path;
+    struct stat stbuf, stbuf_ok;
+    time_t   l_init, l_final;
+    char   *pc;
+    int    l_diff;
+    static struct slave_host *slave_host_list = NULL;
+    struct slave_host *sh;
+
+    set_progname (argv[0]);
+
+    transfer_mode = KPROP_TRANSFER_PRIVATE;
+
+    time(&l_init);
+    pc = ctime(&l_init);
+    pc[strlen(pc) - 1] = '\0';
+    printf("\nStart slave propagation: %s\n", pc);
+ 
+    floc = NULL;
+    fslv = NULL;
+
+    if (krb_get_lrealm(my_realm,1) != KSUCCESS)
+      errx (1, "Getting my kerberos realm.  Check krb.conf");
+
+    for (i = 1; i < argc; i++) 
+      switch (argv[i][0]) {
+      case '-':
+	if (strcmp (argv[i], "-private") == 0) 
+	  transfer_mode = KPROP_TRANSFER_PRIVATE;
+#ifdef not_safe_yet
+	else if (strcmp (argv[i], "-safe") == 0) 
+	  transfer_mode = KPROP_TRANSFER_SAFE;
+	else if (strcmp (argv[i], "-clear") == 0) 
+	  transfer_mode = KPROP_TRANSFER_CLEAR;
+#endif
+	else if (strcmp (argv[i], "-realm") == 0) {
+	    i++;
+	    if (i < argc)
+		strlcpy(my_realm, argv[i], REALM_SZ);
+	    else
+		usage();
+	} else if (strcmp (argv[i], "-force") == 0)
+	    force_flag++;
+	else {
+	    warnx("unknown control argument %s.", argv[i]);
+	    usage ();
+	}
+	break;
+      default:
+	/* positional arguments are marginal at best ... */
+	if (floc == NULL)
+	  floc = argv[i];
+	else {
+	  if (fslv == NULL)
+	    fslv = argv[i];
+	  else 
+	      usage();
+	}
+      }
+    if(floc == NULL)
+	floc = DB_DIR "/slave_dump";
+    if(fslv == NULL)
+	fslv = DB_DIR "/slaves";
+	
+    asprintf (&floc_ok, "%s%s", floc, ok);
+    if (floc_ok == NULL)
+	errx (1, "out of memory in copying %s", floc);
+
+    dir_path = strdup(fslv);
+    if(dir_path == NULL)
+	errx (1, "malloc failed");
+    pc = strrchr(dir_path, '/');
+    if (pc != NULL)
+	++pc;
+    else
+	pc = dir_path;
+    *pc = '\0';
+
+    if ((fd = open(floc, O_RDONLY)) < 0)
+	err (1, "open(%s)", floc);
+    if (flock(fd, LOCK_SH | LOCK_NB))
+	err (1, "flock(%s)", floc);
+    if (stat(floc, &stbuf))
+	err (1, "stat(%s)", floc);
+    if (stat(floc_ok, &stbuf_ok))
+	err (1, "stat(%s)", floc_ok);
+    if (stbuf.st_mtime > stbuf_ok.st_mtime)
+	errx (1, "'%s' more recent than '%s'.", floc, floc_ok);
+    if (!get_slaves(&slave_host_list, dir_path, fslv, stbuf_ok.st_mtime))
+	errx (1, "can't read slave host file '%s'.", fslv);
+#ifdef KPROP_DBG
+    {
+	struct slave_host *sh;
+	int     i;
+	fprintf(stderr, "\n\n");
+	fflush(stderr);
+	for (sh = slave_host_list; sh; sh = sh->next) {
+	    fprintf(stderr, "slave %d: %s, %s", i++, sh->name,
+		    inet_ntoa(sh->net_addr));
+	    fflush(stderr);
+	}
+    }
+#endif				/* KPROP_DBG */
+
+    if (!prop_to_slaves(slave_host_list, fd, dir_path, fslv))
+	errx (1, "propagation failed.");
+    if (flock(fd, LOCK_UN))
+	err (1, "flock(%s, LOCK_UN)", floc);
+    printf("\n\n");
+    for (sh = slave_host_list; sh; sh = sh->next) {
+        if (sh->not_time_yet)
+	    printf(         "%s:\t\tNot time yet\n", sh->name);
+	else if (sh->succeeded)
+	    printf(         "%s:\t\tSucceeded\n", sh->name);
+	else
+	    fprintf(stderr, "%s:\t\tFAILED\n", sh->name);
+	fflush(stdout);
+    }
+
+    time(&l_final);
+    l_diff = l_final - l_init;
+    printf("propagation finished, %d:%02d:%02d elapsed\n",
+	   l_diff / 3600, (l_diff % 3600) / 60, l_diff % 60);
+
+    exit(0);
+}
+
+#ifdef doesnt_work_yet
+u_long get_data_checksum(fd, key_sched)
+     int fd;
+     des_key_schedule key_sched;
+{
+	u_int32_t cksum = 0;
+	int n;
+	char buf[BUFSIZ];
+	u_int32_t obuf[2];
+
+	while (n = read(fd, buf, sizeof buf)) {
+	    if (n < 0)
+		err (1, "read");
+	    cksum = cbc_cksum(buf, obuf, n, key_sched, key_sched);
+	}
+	return cksum;
+}
+#endif
diff --git a/crypto/kerberosIV/slave/kprop.h b/crypto/kerberosIV/slave/kprop.h
new file mode 100644
index 0000000..d66f63f
--- /dev/null
+++ b/crypto/kerberosIV/slave/kprop.h
@@ -0,0 +1,19 @@
+/* 
+ * Copyright 1987 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information,
+ * please see the file <mit-copyright.h>.
+ *
+ * $Id: kprop.h,v 1.5 1997/02/07 21:39:52 assar Exp $
+ *
+ */
+
+#define KPROP_SERVICE_NAME "rcmd"
+#define KPROP_SRVTAB "/etc/srvtab"
+#define KPROP_PROT_VERSION_LEN 8
+#define KPROP_PROT_VERSION "kprop01"
+#define KPROP_TRANSFER_PRIVATE 1
+#define KPROP_TRANSFER_SAFE 2
+#define KPROP_TRANSFER_CLEAR 3
+#define KPROP_BUFSIZ 32768
+#define KPROP_PORT 754
diff --git a/crypto/kerberosIV/slave/kpropd.c b/crypto/kerberosIV/slave/kpropd.c
new file mode 100644
index 0000000..db74509
--- /dev/null
+++ b/crypto/kerberosIV/slave/kpropd.c
@@ -0,0 +1,318 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "slav_locl.h"
+
+#include "kprop.h"
+
+RCSID("$Id: kpropd.c,v 2.32 1999/12/02 16:58:56 joda Exp $");
+
+#ifndef SBINDIR
+#define SBINDIR "/usr/athena/sbin"
+#endif
+
+struct sockaddr_in master, slave;
+
+char *database = DBM_FILE;
+
+char *lockfile = DB_DIR "/slave_propagation";
+
+char *logfile = K_LOGFIL;
+
+char *kdb_util = SBINDIR "/kdb_util";
+
+char *kdb_util_command = "load";
+
+char *srvtab = "";
+
+char realm[REALM_SZ];
+
+static
+int
+copy_data(int from, int to, des_cblock *session, des_key_schedule schedule)
+{
+    unsigned char tmp[4];
+    char buf[KPROP_BUFSIZ + 26];
+    u_int32_t length;
+    int n;
+    
+    int kerr;
+    MSG_DAT m;
+
+    while(1){
+	n = krb_net_read(from, tmp, 4);
+	if(n == 0)
+	    break;
+	if(n < 0){
+	    klog(L_KRB_PERR, "krb_net_read: %s", strerror(errno));
+	    return -1;
+	}
+	if(n != 4){
+	    klog(L_KRB_PERR, "Premature end of data");
+	    return -1;
+	}
+	length = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
+	if(length > sizeof(buf)){
+	    klog(L_KRB_PERR, "Giant packet received: %d", length);
+	    return -1;
+	}
+	if(krb_net_read(from, buf, length) != length){
+	    klog(L_KRB_PERR, "Premature end of data");
+	    return -1;
+	}
+	kerr = krb_rd_priv (buf, length, schedule, session,
+			    &master, &slave, &m);
+	if(kerr != KSUCCESS){
+	    klog(L_KRB_PERR, "Kerberos error: %s", krb_get_err_text(kerr));
+	    return -1;
+	}
+	write(to, m.app_data, m.app_length);
+    }
+    return 0;
+}
+
+
+static
+int
+kprop(int s)
+{
+    char buf[128];
+    int n;
+    KTEXT_ST ticket;
+    AUTH_DAT ad;
+    char sinst[INST_SZ];
+    des_key_schedule schedule;
+    int mode;
+    int kerr;
+    int lock;
+    
+    n = sizeof(master);
+    if(getpeername(s, (struct sockaddr*)&master, &n) < 0){
+	klog(L_KRB_PERR, "getpeername: %s", strerror(errno));
+	return 1;
+    }
+    
+    n = sizeof(slave);
+    if(getsockname(s, (struct sockaddr*)&slave, &n) < 0){
+	klog(L_KRB_PERR, "getsockname: %s", strerror(errno));
+	return 1;
+    }
+
+    klog(L_KRB_PERR, "Connection from %s", inet_ntoa(master.sin_addr));
+
+    n = krb_net_read(s, buf, KPROP_PROT_VERSION_LEN + 2);
+    if(n < KPROP_PROT_VERSION_LEN + 2){
+	klog(L_KRB_PERR, "Premature end of data");
+	return 1;
+    }
+    if(memcmp(buf, KPROP_PROT_VERSION, KPROP_PROT_VERSION_LEN) != 0){
+	klog(L_KRB_PERR, "Bad protocol version string received");
+	return 1;
+    }
+    mode = (buf[n-2] << 8) | buf[n-1];
+    if(mode != KPROP_TRANSFER_PRIVATE){
+	klog(L_KRB_PERR, "Bad transfer mode received: %d", mode);
+	return 1;
+    }
+    k_getsockinst(s, sinst, sizeof(sinst));
+    kerr = krb_recvauth(KOPT_DO_MUTUAL, s, &ticket,
+			KPROP_SERVICE_NAME, sinst,
+			&master, &slave,
+			&ad, srvtab, schedule, 
+			buf);
+    if(kerr != KSUCCESS){
+	klog(L_KRB_PERR, "Kerberos error: %s", krb_get_err_text(kerr));
+	return 1;
+    }
+
+    if(strcmp(ad.pname, KPROP_SERVICE_NAME) ||
+#if 0
+       strcmp(ad.pinst, /* XXX remote host */) ||
+#else
+       strcmp(ad.pinst, KRB_MASTER) ||
+#endif
+       strcmp(ad.prealm, realm)){
+	klog(L_KRB_PERR, "Connection from unauthorized client: %s", 
+	     krb_unparse_name_long(ad.pname, ad.pinst, ad.prealm));
+	return 1;
+    }
+
+    des_set_key(&ad.session, schedule);
+    
+    lock = open(lockfile, O_WRONLY|O_CREAT, 0600);
+    if(lock < 0){
+	klog(L_KRB_PERR, "Failed to open file: %s", strerror(errno));
+	return 1;
+    }
+    if(flock(lock, LOCK_EX | LOCK_NB)){
+	close(lock);
+	klog(L_KRB_PERR, "Failed to lock file: %s", strerror(errno));
+	return 1;
+    }
+    
+    if(ftruncate(lock, 0) < 0){
+	close(lock);
+	klog(L_KRB_PERR, "Failed to lock file: %s", strerror(errno));
+	return 1;
+    }
+
+    if(copy_data(s, lock, &ad.session, schedule)){
+	close(lock);
+	return 1;
+    }
+    close(lock);
+    
+    if(simple_execlp(kdb_util, "kdb_util", kdb_util_command, 
+		     lockfile, database, NULL) != 0) {
+	klog(L_KRB_PERR, "*** Propagation failed ***");
+	return 1;
+    }else{
+	klog(L_KRB_PERR, "Propagation finished successfully");
+	return 0;
+    }
+}
+
+static int
+doit(void)
+{
+    return kprop(0);
+}
+
+static int
+doit_interactive(void)
+{
+    struct sockaddr_in sa;
+    int salen;
+    int s, s2;
+    int ret;
+
+    s = socket(AF_INET, SOCK_STREAM, 0);
+    if(s < 0){
+      klog(L_KRB_PERR, "socket: %s", strerror(errno));
+      return 1;
+    }
+    memset(&sa, 0, sizeof(sa));
+    sa.sin_family = AF_INET;
+    sa.sin_port = k_getportbyname ("krb_prop", "tcp", htons(KPROP_PORT));
+    ret = bind(s, (struct sockaddr*)&sa, sizeof(sa));
+    if (ret < 0) {
+      klog(L_KRB_PERR, "bind: %s", strerror(errno));
+      return 1;
+    }
+    ret = listen(s, SOMAXCONN);
+    if (ret < 0) {
+      klog(L_KRB_PERR, "listen: %s", strerror(errno));
+      return 1;
+    }
+    for(;;) {
+      salen = sizeof(sa);
+      s2 = accept(s, (struct sockaddr*)&sa, &salen);
+      switch(fork()){
+      case -1:
+	klog(L_KRB_PERR, "fork: %s", strerror(errno));
+	return 1;
+      case 0:
+	close(s);
+	kprop(s2);
+	return 1;
+      default: {
+	  int status;
+	  close(s2);
+	  wait(&status);
+	}
+      }
+    }
+}
+
+static void
+usage (void)
+{
+     fprintf (stderr, 
+	      "Usage: kpropd [-i] [-d database] [-l log] [-m] [-[p|P] program]"
+	      " [-r realm] [-s srvtab]\n");
+     exit (1);
+}
+
+int
+main(int argc, char **argv)
+{
+    int opt;
+    int interactive = 0;
+
+    krb_get_lrealm(realm, 1);
+    
+    while((opt = getopt(argc, argv, ":d:l:mp:P:r:s:i")) >= 0){
+	switch(opt){
+	case 'd':
+	    database = optarg;
+	    break;
+	case 'l':
+	    logfile = optarg;
+	    break;
+	case 'm':
+	    kdb_util_command = "merge";
+	    break;
+	case 'p':
+	case 'P':
+	    kdb_util = optarg;
+	    break;
+	case 'r':
+	    strlcpy(realm, optarg, REALM_SZ);
+	    break;
+	case 's':
+	    srvtab = optarg;
+	    break;
+	case 'i':
+	    interactive = 1;
+	    break;
+	default:
+	    klog(L_KRB_PERR, "Bad option: -%c", optopt);
+	    usage ();
+	    exit(1);
+	}
+    }
+    if (!interactive) {
+      /* Use logfile as stderr so we don't lose error messages. */
+      int fd = open(logfile, O_CREAT | O_WRONLY | O_APPEND, 0600);
+      if (fd == -1)
+	klog(L_KRB_PERR, "Can't open logfile %s: %s", logfile,strerror(errno));
+      else
+	dup2(fd, 2);
+      close(fd);
+    }
+    kset_logfile(logfile);
+    if (interactive)
+      return doit_interactive ();
+    else
+      return doit ();
+}
diff --git a/crypto/kerberosIV/slave/slav_locl.h b/crypto/kerberosIV/slave/slav_locl.h
new file mode 100644
index 0000000..2772ed9
--- /dev/null
+++ b/crypto/kerberosIV/slave/slav_locl.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: slav_locl.h,v 1.14 1999/12/02 16:58:56 joda Exp $ */
+
+#ifndef __slav_locl_h
+#define __slav_locl_h
+
+#include "config.h"
+#include "protos.h"
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#include <errno.h>
+#include <unistd.h>
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#include <time.h>
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#include <err.h>
+
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#include <roken.h>
+
+#include <krb.h>
+#include <krb_db.h>
+#include <klog.h>
+#include <prot.h>
+#include <kdc.h>
+
+#include <krb_log.h>
+
+#include "kprop.h"
+
+#endif /*  __slav_locl_h */
diff --git a/crypto/openssh/LICENCE b/crypto/openssh/LICENCE
new file mode 100644
index 0000000..f60f502
--- /dev/null
+++ b/crypto/openssh/LICENCE
@@ -0,0 +1,136 @@
+This file is part of the OpenSSH software.
+
+The licences which components of this software fall under are as
+follows.  First, we will summarize and say that all components
+are under a BSD licence, or a licence more free than that.
+
+OpenSSH contains no GPL code.
+
+1)
+     * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+     *                    All rights reserved
+     *
+     * As far as I am concerned, the code I have written for this software
+     * can be used freely for any purpose.  Any derived versions of this
+     * software must be clearly marked as such, and if the derived work is
+     * incompatible with the protocol description in the RFC file, it must be
+     * called by a name other than "ssh" or "Secure Shell".
+
+    [Tatu continues]
+     *  However, I am not implying to give any licenses to any patents or
+     * copyrights held by third parties, and the software includes parts that
+     * are not under my direct control.  As far as I know, all included
+     * source code is used in accordance with the relevant license agreements
+     * and can be used freely for any purpose (the GNU license being the most
+     * restrictive); see below for details.
+
+    [However, none of that term is relevant at this point in time.  All of
+    these restrictively licenced software components which he talks about
+    have been removed from OpenSSH, ie.
+
+     - RSA is no longer included, found in the OpenSSL library
+     - IDEA is no longer included, its use is deprecated
+     - DES is now external, in the OpenSSL library
+     - GMP is no longer used, and instead we call BN code from OpenSSL
+     - Zlib is now external, in a library
+     - The make-ssh-known-hosts script is no longer included
+     - TSS has been removed
+     - MD5 is now external, in the OpenSSL library
+     - RC4 support has been replaced with ARC4 support from OpenSSL
+     - Blowfish is now external, in the OpenSSL library
+
+    [The licence continues]
+
+    Note that any information and cryptographic algorithms used in this
+    software are publicly available on the Internet and at any major
+    bookstore, scientific library, and patent office worldwide.  More
+    information can be found e.g. at "http://www.cs.hut.fi/crypto".
+    
+    The legal status of this program is some combination of all these
+    permissions and restrictions.  Use only at your own responsibility.
+    You will be responsible for any legal consequences yourself; I am not
+    making any claims whether possessing or using this is legal or not in
+    your country, and I am not taking any responsibility on your behalf.
+    
+    
+    			    NO WARRANTY
+    
+    BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+    FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+    OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+    PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+    OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+    TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+    PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+    REPAIR OR CORRECTION.
+    
+    IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+    WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+    REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+    INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+    OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+    TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+    YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+    PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGES.
+
+2)
+    The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
+    Comments in the file indicate it may be used for any purpose without
+    restrictions:
+
+     * COPYRIGHT (C) 1986 Gary S. Brown.  You may use this program, or
+     * code or tables extracted from it, as desired without restriction.
+
+3)
+    The 32-bit CRC compensation attack detector in deattack.c was
+    contributed by CORE SDI S.A. under a BSD-style license. See
+    http://www.core-sdi.com/english/ssh/ for details.
+
+     * Cryptographic attack detector for ssh - source code
+     *
+     * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
+     *
+     * All rights reserved. Redistribution and use in source and binary
+     * forms, with or without modification, are permitted provided that
+     * this copyright notice is retained.
+     *
+     * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+     * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
+     * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
+     * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
+     * SOFTWARE.
+     *
+     * Ariel Futoransky <futo@core-sdi.com>
+     * <http://www.core-sdi.com>
+    
+4)
+    Remaining components of the software are provided under a standard
+    2-term BSD licence with the following names as copyright holders:
+
+	Markus Friedl
+	Theo de Raadt
+	Niels Provos
+	Dug Song
+	Aaron Campbell
+
+     * Redistribution and use in source and binary forms, with or without
+     * modification, are permitted provided that the following conditions
+     * are met:
+     * 1. Redistributions of source code must retain the above copyright
+     *    notice, this list of conditions and the following disclaimer.
+     * 2. Redistributions in binary form must reproduce the above copyright
+     *    notice, this list of conditions and the following disclaimer in the
+     *    documentation and/or other materials provided with the distribution.
+     *
+     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/crypto/openssh/Makefile b/crypto/openssh/Makefile
new file mode 100644
index 0000000..eea6f14
--- /dev/null
+++ b/crypto/openssh/Makefile
@@ -0,0 +1,14 @@
+#	$OpenBSD: Makefile,v 1.8 2001/02/04 11:11:53 djm Exp $
+
+.include <bsd.own.mk>
+
+SUBDIR=	lib ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server \
+	ssh-keyscan sftp
+
+distribution:
+	install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \
+	    ${DESTDIR}/etc/ssh_config
+	install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \
+	    ${DESTDIR}/etc/sshd_config
+
+.include <bsd.subdir.mk>
diff --git a/crypto/openssh/Makefile.inc b/crypto/openssh/Makefile.inc
new file mode 100644
index 0000000..89fdf43
--- /dev/null
+++ b/crypto/openssh/Makefile.inc
@@ -0,0 +1,15 @@
+#	$OpenBSD: Makefile.inc,v 1.13 2001/01/29 01:58:14 niklas Exp $
+
+CFLAGS+=	-I${.CURDIR}/..
+
+CFLAGS+=	-Wall
+
+.include <bsd.obj.mk>
+
+.if exists(${.CURDIR}/../lib/${__objdir})
+LDADD+=         -L${.CURDIR}/../lib/${__objdir} -lssh
+DPADD+=         ${.CURDIR}/../lib/${__objdir}/libssh.a
+.else
+LDADD+=         -L${.CURDIR}/../lib -lssh
+DPADD+=         ${.CURDIR}/../lib/libssh.a
+.endif
diff --git a/crypto/openssh/OVERVIEW b/crypto/openssh/OVERVIEW
new file mode 100644
index 0000000..7f34ac4
--- /dev/null
+++ b/crypto/openssh/OVERVIEW
@@ -0,0 +1,164 @@
+This document is intended for those who wish to read the ssh source
+code.  This tries to give an overview of the structure of the code.
+      
+Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>
+Updated 17 Nov 1995.
+Updated 19 Oct 1999 for OpenSSH-1.2
+
+The software consists of ssh (client), sshd (server), scp, sdist, and
+the auxiliary programs ssh-keygen, ssh-agent, ssh-add, and
+make-ssh-known-hosts.  The main program for each of these is in a .c
+file with the same name.
+
+There are some subsystems/abstractions that are used by a number of
+these programs.
+
+  Buffer manipulation routines
+      
+    - These provide an arbitrary size buffer, where data can be appended.
+      Data can be consumed from either end.  The code is used heavily
+      throughout ssh.  The basic buffer manipulation functions are in
+      buffer.c (header buffer.h), and additional code to manipulate specific
+      data types is in bufaux.c.
+
+  Compression Library
+  
+    - Ssh uses the GNU GZIP compression library (ZLIB).
+
+  Encryption/Decryption
+
+    - Ssh contains several encryption algorithms.  These are all
+      accessed through the cipher.h interface.  The interface code is
+      in cipher.c, and the implementations are in libc.
+
+  Multiple Precision Integer Library
+
+    - Uses the SSLeay BIGNUM sublibrary.
+    - Some auxiliary functions for mp-int manipulation are in mpaux.c.
+
+  Random Numbers
+
+    - Uses arc4random() and such.
+
+  RSA key generation, encryption, decryption
+
+    - Ssh uses the RSA routines in libssl.
+
+  RSA key files
+
+    - RSA keys are stored in files with a special format.  The code to
+      read/write these files is in authfile.c.  The files are normally
+      encrypted with a passphrase.  The functions to read passphrases
+      are in readpass.c (the same code is used to read passwords).
+
+  Binary packet protocol
+
+    - The ssh binary packet protocol is implemented in packet.c.  The
+      code in packet.c does not concern itself with packet types or their
+      execution; it contains code to build packets, to receive them and
+      extract data from them, and the code to compress and/or encrypt
+      packets.  CRC code comes from crc32.c.
+
+    - The code in packet.c calls the buffer manipulation routines
+      (buffer.c, bufaux.c), compression routines (compress.c, zlib),
+      and the encryption routines.
+
+  X11, TCP/IP, and Agent forwarding
+
+    - Code for various types of channel forwarding is in channels.c.
+      The file defines a generic framework for arbitrary communication
+      channels inside the secure channel, and uses this framework to
+      implement X11 forwarding, TCP/IP forwarding, and authentication
+      agent forwarding.
+      The new, Protocol 1.5, channel close implementation is in nchan.c
+
+  Authentication agent
+
+    - Code to communicate with the authentication agent is in authfd.c.
+
+  Authentication methods
+
+    - Code for various authentication methods resides in auth-*.c
+      (auth-passwd.c, auth-rh-rsa.c, auth-rhosts.c, auth-rsa.c).  This
+      code is linked into the server.  The routines also manipulate
+      known hosts files using code in hostfile.c.  Code in canohost.c
+      is used to retrieve the canonical host name of the remote host.
+      Code in match.c is used to match host names.  
+
+    - In the client end, authentication code is in sshconnect.c.  It
+      reads Passwords/passphrases using code in readpass.c.  It reads
+      RSA key files with authfile.c.  It communicates the
+      authentication agent using authfd.c.
+
+  The ssh client
+
+    - The client main program is in ssh.c.  It first parses arguments
+      and reads configuration (readconf.c), then calls ssh_connect (in
+      sshconnect.c) to open a connection to the server (possibly via a
+      proxy), and performs authentication (ssh_login in sshconnect.c).
+      It then makes any pty, forwarding, etc. requests.  It may call
+      code in ttymodes.c to encode current tty modes.  Finally it
+      calls client_loop in clientloop.c.  This does the real work for
+      the session.
+
+    - The client is suid root.  It tries to temporarily give up this
+      rights while reading the configuration data.  The root
+      privileges are only used to make the connection (from a
+      privileged socket).  Any extra privileges are dropped before
+      calling ssh_login.
+
+  Pseudo-tty manipulation and tty modes
+
+    - Code to allocate and use a pseudo tty is in pty.c.  Code to
+      encode and set terminal modes is in ttymodes.c.
+
+  Logging in (updating utmp, lastlog, etc.)
+
+    - The code to do things that are done when a user logs in are in
+      login.c.  This includes things such as updating the utmp, wtmp,
+      and lastlog files.  Some of the code is in sshd.c.
+
+  Writing to the system log and terminal
+
+    - The programs use the functions fatal(), log(), debug(), error()
+      in many places to write messages to system log or user's
+      terminal.  The implementation that logs to system log is in
+      log-server.c; it is used in the server program.  The other
+      programs use an implementation that sends output to stderr; it
+      is in log-client.c.  The definitions are in ssh.h.
+
+  The sshd server (daemon)
+
+    - The sshd daemon starts by processing arguments and reading the
+      configuration file (servconf.c).  It then reads the host key,
+      starts listening for connections, and generates the server key.
+      The server key will be regenerated every hour by an alarm.
+
+    - When the server receives a connection, it forks, disables the
+      regeneration alarm, and starts communicating with the client.
+      They first perform identification string exchange, then
+      negotiate encryption, then perform authentication, preparatory
+      operations, and finally the server enters the normal session
+      mode by calling server_loop in serverloop.c.  This does the real
+      work, calling functions in other modules.
+      
+    - The code for the server is in sshd.c.  It contains a lot of
+      stuff, including:
+        - server main program
+	- waiting for connections
+	- processing new connection
+	- authentication
+	- preparatory operations
+	- building up the execution environment for the user program
+	- starting the user program.
+
+  Auxiliary files
+
+    - There are several other files in the distribution that contain
+      various auxiliary routines:
+        ssh.h	     the main header file for ssh (various definitions)
+        getput.h     byte-order independent storage of integers
+        includes.h   includes most system headers.  Lots of #ifdefs.
+	tildexpand.c expand tilde in file names
+	uidswap.c    uid-swapping
+	xmalloc.c    "safe" malloc routines
diff --git a/crypto/openssh/README b/crypto/openssh/README
new file mode 100644
index 0000000..4e75d624
--- /dev/null
+++ b/crypto/openssh/README
@@ -0,0 +1,25 @@
+This release of OpenSSH is for OpenBSD systems only.
+
+Please read
+        http://www.openssh.com/portable.html
+if you want to install OpenSSH on other operating systems.
+
+To extract and install this release on your OpenBSD system use:
+
+      # cd /usr/src/usr.bin
+      # tar xvfz .../openssh-x.y.tgz
+      # cd ssh
+      # make obj
+      # make cleandir
+      # make depend
+      # make
+      # make install
+      # cp ssh_config sshd_config /etc
+
+OpenSSH is a derivative of the original and free ssh 1.2.12 release
+by Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels
+Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer
+features and created OpenSSH.  Markus Friedl contributed the support
+for SSH protocol versions 1.5 and 2.0.
+
+See http://www.openssh.com/ for more information.
diff --git a/crypto/openssh/RFC.nroff b/crypto/openssh/RFC.nroff
new file mode 100644
index 0000000..bf7146a
--- /dev/null
+++ b/crypto/openssh/RFC.nroff
@@ -0,0 +1,1780 @@
+.\" -*- nroff -*-
+.\"
+.\" $OpenBSD: RFC.nroff,v 1.2 2000/10/16 09:38:44 djm Exp $
+.\"
+.pl 10.0i
+.po 0
+.ll 7.2i
+.lt 7.2i
+.nr LL 7.2i
+.nr LT 7.2i
+.ds LF Ylonen
+.ds RF FORMFEED[Page %]
+.ds CF
+.ds LH Internet-Draft
+.ds RH 15 November 1995
+.ds CH SSH (Secure Shell) Remote Login Protocol
+.na
+.hy 0
+.in 0
+Network Working Group					       T. Ylonen
+Internet-Draft			       Helsinki University of Technology
+draft-ylonen-ssh-protocol-00.txt			15 November 1995
+Expires: 15 May 1996
+
+.in 3
+
+.ce
+The SSH (Secure Shell) Remote Login Protocol
+
+.ti 0
+Status of This Memo
+
+This document is an Internet-Draft.   Internet-Drafts  are  working
+documents of the Internet Engineering Task Force (IETF), its areas,
+and its working groups.  Note that other groups may also distribute
+working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid  for  a  maximum  of  six
+months  and  may  be updated, replaced, or obsoleted by other docu-
+ments at any time.  It is inappropriate to use  Internet-Drafts  as
+reference  material  or  to  cite them other than as ``work in pro-
+gress.''
+
+To learn the current status of any Internet-Draft, please check the
+``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow
+Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
+munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
+ftp.isi.edu (US West Coast).
+
+The distribution of  this  memo  is  unlimited.
+
+.ti 0
+Introduction
+
+SSH (Secure Shell) is a program to log into another computer over a
+network, to execute commands in a remote machine, and to move files
+from one machine to another.  It provides strong authentication and
+secure communications over insecure networks.  Its features include
+the following:
+.IP o
+Closes several security holes (e.g., IP, routing, and DNS spoofing).
+New authentication methods: .rhosts together with RSA [RSA] based host
+authentication, and pure RSA authentication.
+.IP o
+All communications are automatically and transparently encrypted.
+Encryption is also used to protect integrity.
+.IP o
+X11 connection forwarding provides secure X11 sessions.
+.IP o
+Arbitrary TCP/IP ports can be redirected over the encrypted channel
+in both directions.
+.IP o
+Client RSA-authenticates the server machine in the beginning of every
+connection to prevent trojan horses (by routing or DNS spoofing) and
+man-in-the-middle attacks, and the server RSA-authenticates the client
+machine before accepting .rhosts or /etc/hosts.equiv authentication
+(to prevent DNS, routing, or IP spoofing).
+.IP o
+An authentication agent, running in the user's local workstation or
+laptop, can be used to hold the user's RSA authentication keys.
+.RT
+
+The goal has been to make the software as easy to use as possible for
+ordinary users.  The protocol has been designed to be as secure as
+possible while making it possible to create implementations that
+are easy to use and install.  The sample implementation has a number
+of convenient features that are not described in this document as they
+are not relevant for the protocol.
+
+
+.ti 0
+Overview of the Protocol
+
+The software consists of a server program running on a server machine,
+and a client program running on a client machine (plus a few auxiliary
+programs).  The machines are connected by an insecure IP [RFC0791]
+network (that can be monitored, tampered with, and spoofed by hostile
+parties).
+
+A connection is always initiated by the client side.  The server
+listens on a specific port waiting for connections.  Many clients may
+connect to the same server machine.
+
+The client and the server are connected via a TCP/IP [RFC0793] socket
+that is used for bidirectional communication.  Other types of
+transport can be used but are currently not defined.
+
+When the client connects the server, the server accepts the connection
+and responds by sending back its version identification string.  The
+client parses the server's identification, and sends its own
+identification.  The purpose of the identification strings is to
+validate that the connection was to the correct port, declare the
+protocol version number used, and to declare the software version used
+on each side (for debugging purposes).  The identification strings are
+human-readable.  If either side fails to understand or support the
+other side's version, it closes the connection.
+
+After the protocol identification phase, both sides switch to a packet
+based binary protocol.  The server starts by sending its host key
+(every host has an RSA key used to authenticate the host), server key
+(an RSA key regenerated every hour), and other information to the
+client.  The client then generates a 256 bit session key, encrypts it
+using both RSA keys (see below for details), and sends the encrypted
+session key and selected cipher type to the server.  Both sides then
+turn on encryption using the selected algorithm and key.  The server
+sends an encrypted confirmation message to the client.
+
+The client then authenticates itself using any of a number of
+authentication methods.  The currently supported authentication
+methods are .rhosts or /etc/hosts.equiv authentication (disabled by
+default), the same with RSA-based host authentication, RSA
+authentication, and password authentication.
+
+After successful authentication, the client makes a number of requests
+to prepare for the session.  Typical requests include allocating a
+pseudo tty, starting X11 [X11] or TCP/IP port forwarding, starting
+authentication agent forwarding, and executing the shell or a command.
+
+When a shell or command is executed, the connection enters interactive
+session mode.  In this mode, data is passed in both directions, 
+new forwarded connections may be opened, etc.  The interactive session
+normally terminates when the server sends the exit status of the
+program to the client.
+
+
+The protocol makes several reservations for future extensibility.
+First of all, the initial protocol identification messages include the
+protocol version number.  Second, the first packet by both sides
+includes a protocol flags field, which can be used to agree on
+extensions in a compatible manner.  Third, the authentication and
+session preparation phases work so that the client sends requests to
+the server, and the server responds with success or failure.  If the
+client sends a request that the server does not support, the server
+simply returns failure for it.  This permits compatible addition of
+new authentication methods and preparation operations.  The
+interactive session phase, on the other hand, works asynchronously and
+does not permit the use of any extensions (because there is no easy
+and reliable way to signal rejection to the other side and problems
+would be hard to debug).  Any compatible extensions to this phase must
+be agreed upon during any of the earlier phases.
+
+.ti 0
+The Binary Packet Protocol
+
+After the protocol identification strings, both sides only send
+specially formatted packets.  The packet layout is as follows:
+.IP o
+Packet length: 32 bit unsigned integer, coded as four 8-bit bytes, msb
+first.  Gives the length of the packet, not including the length field
+and padding.  The maximum length of a packet (not including the length
+field and padding) is 262144 bytes.
+.IP o
+Padding: 1-8 bytes of random data (or zeroes if not encrypting).  The
+amount of padding is (8 - (length % 8)) bytes (where % stands for the
+modulo operator).  The rationale for always having some random padding
+at the beginning of each packet is to make known plaintext attacks
+more difficult.
+.IP o
+Packet type: 8-bit unsigned byte.  The value 255 is reserved for
+future extension.
+.IP o
+Data: binary data bytes, depending on the packet type.  The number of
+data bytes is the "length" field minus 5.
+.IP o
+Check bytes: 32-bit crc, four 8-bit bytes, msb first.  The crc is the
+Cyclic Redundancy Check, with the polynomial 0xedb88320, of the
+Padding, Packet type, and Data fields.  The crc is computed before
+any encryption.
+.RT
+
+The packet, except for the length field, may be encrypted using any of
+a number of algorithms.  The length of the encrypted part (Padding +
+Type + Data + Check) is always a multiple of 8 bytes.  Typically the
+cipher is used in a chained mode, with all packets chained together as
+if it was a single data stream (the length field is never included in
+the encryption process).  Details of encryption are described below.
+
+When the session starts, encryption is turned off.  Encryption is
+enabled after the client has sent the session key.  The encryption
+algorithm to use is selected by the client.
+
+
+.ti 0
+Packet Compression
+
+If compression is supported (it is an optional feature, see
+SSH_CMSG_REQUEST_COMPRESSION below), the packet type and data fields
+of the packet are compressed using the gzip deflate algorithm [GZIP].
+If compression is in effect, the packet length field indicates the
+length of the compressed data, plus 4 for the crc.  The amount of
+padding is computed from the compressed data, so that the amount of
+data to be encrypted becomes a multiple of 8 bytes.
+
+When compressing, the packets (type + data portions) in each direction
+are compressed as if they formed a continuous data stream, with only the
+current compression block flushed between packets.  This corresponds
+to the GNU ZLIB library Z_PARTIAL_FLUSH option.  The compression
+dictionary is not flushed between packets.  The two directions are
+compressed independently of each other.
+
+
+.ti 0
+Packet Encryption
+
+The protocol supports several encryption methods.  During session
+initialization, the server sends a bitmask of all encryption methods
+that it supports, and the client selects one of these methods.  The
+client also generates a 256-bit random session key (32 8-bit bytes) and
+sends it to the server.
+
+The encryption methods supported by the current implementation, and
+their codes are:
+.TS
+center;
+l r l.
+SSH_CIPHER_NONE	0	   No encryption
+SSH_CIPHER_IDEA	1	   IDEA in CFB mode
+SSH_CIPHER_DES	2	   DES in CBC mode
+SSH_CIPHER_3DES	3	   Triple-DES in CBC mode
+SSH_CIPHER_TSS	4	   An experimental stream cipher
+SSH_CIPHER_RC4	5	   RC4
+.TE
+
+All implementations are required to support SSH_CIPHER_DES and
+SSH_CIPHER_3DES.  Supporting SSH_CIPHER_IDEA, SSH_CIPHER_RC4, and
+SSH_CIPHER_NONE is recommended.  Support for SSH_CIPHER_TSS is
+optional (and it is not described in this document).  Other ciphers
+may be added at a later time; support for them is optional.
+
+For encryption, the encrypted portion of the packet is considered a
+linear byte stream.  The length of the stream is always a multiple of
+8.  The encrypted portions of consecutive packets (in the same
+direction) are encrypted as if they were a continuous buffer (that is,
+any initialization vectors are passed from the previous packet to the
+next packet).  Data in each direction is encrypted independently.
+.IP SSH_CIPHER_DES
+The key is taken from the first 8 bytes of the session key.  The least
+significant bit of each byte is ignored.  This results in 56 bits of
+key data.  DES [DES] is used in CBC mode.  The iv (initialization vector) is
+initialized to all zeroes.
+.IP SSH_CIPHER_3DES
+The variant of triple-DES used here works as follows: there are three
+independent DES-CBC ciphers, with independent initialization vectors.
+The data (the whole encrypted data stream) is first encrypted with the
+first cipher, then decrypted with the second cipher, and finally
+encrypted with the third cipher.  All these operations are performed
+in CBC mode.
+
+The key for the first cipher is taken from the first 8 bytes of the
+session key; the key for the next cipher from the next 8 bytes, and
+the key for the third cipher from the following 8 bytes.  All three
+initialization vectors are initialized to zero.
+
+(Note: the variant of 3DES used here differs from some other
+descriptions.)
+.IP SSH_CIPHER_IDEA
+The key is taken from the first 16 bytes of the session key.  IDEA
+[IDEA] is used in CFB mode.  The initialization vector is initialized
+to all zeroes.
+.IP SSH_CIPHER_TSS
+All 32 bytes of the session key are used as the key.
+
+There is no reference available for the TSS algorithm; it is currently
+only documented in the sample implementation source code.  The
+security of this cipher is unknown (but it is quite fast).  The cipher
+is basically a stream cipher that uses MD5 as a random number
+generator and takes feedback from the data.
+.IP SSH_CIPHER_RC4
+The first 16 bytes of the session key are used as the key for the
+server to client direction.  The remaining 16 bytes are used as the
+key for the client to server direction.  This gives independent
+128-bit keys for each direction.
+
+This algorithm is the alleged RC4 cipher posted to the Usenet in 1995.
+It is widely believed to be equivalent with the original RSADSI RC4
+cipher.  This is a very fast algorithm.
+.RT
+
+
+.ti 0
+Data Type Encodings
+
+The Data field of each packet contains data encoded as described in
+this section.  There may be several data items; each item is coded as
+described here, and their representations are concatenated together
+(without any alignment or padding).
+
+Each data type is stored as follows:
+.IP "8-bit byte"
+The byte is stored directly as a single byte.
+.IP "32-bit unsigned integer"
+Stored in 4 bytes, msb first.
+.IP "Arbitrary length binary string"
+First 4 bytes are the length of the string, msb first (not including
+the length itself).  The following "length" bytes are the string
+value.  There are no terminating null characters.
+.IP "Multiple-precision integer"
+First 2 bytes are the number of bits in the integer, msb first (for
+example, the value 0x00012345 would have 17 bits).  The value zero has
+zero bits.  It is permissible that the number of bits be larger than the
+real number of bits.
+
+The number of bits is followed by (bits + 7) / 8 bytes of binary data,
+msb first, giving the value of the integer.
+.RT
+
+
+.ti 0
+TCP/IP Port Number and Other Options
+
+The server listens for connections on TCP/IP port 22.
+
+The client may connect the server from any port.  However, if the
+client wishes to use any form of .rhosts or /etc/hosts.equiv
+authentication, it must connect from a privileged port (less than
+1024).
+
+For the IP Type of Service field [RFC0791], it is recommended that
+interactive sessions (those having a user terminal or forwarding X11
+connections) use the IPTOS_LOWDELAY, and non-interactive connections
+use IPTOS_THROUGHPUT.
+
+It is recommended that keepalives are used, because otherwise programs
+on the server may never notice if the other end of the connection is
+rebooted.
+
+
+.ti 0
+Protocol Version Identification
+
+After the socket is opened, the server sends an identification string,
+which is of the form
+"SSH-<protocolmajor>.<protocolminor>-<version>\\n", where
+<protocolmajor> and <protocolminor> are integers and specify the
+protocol version number (not software distribution version).
+<version> is server side software version string (max 40 characters);
+it is not interpreted by the remote side but may be useful for
+debugging.
+
+The client parses the server's string, and sends a corresponding
+string with its own information in response.  If the server has lower
+version number, and the client contains special code to emulate it,
+the client responds with the lower number; otherwise it responds with
+its own number.  The server then compares the version number the
+client sent with its own, and determines whether they can work
+together.  The server either disconnects, or sends the first packet
+using the binary packet protocol and both sides start working
+according to the lower of the protocol versions.
+
+By convention, changes which keep the protocol compatible with
+previous versions keep the same major protocol version; changes that
+are not compatible increment the major version (which will hopefully
+never happen).  The version described in this document is 1.3.
+
+The client will 
+
+.ti 0
+Key Exchange and Server Host Authentication
+
+The first message sent by the server using the packet protocol is
+SSH_SMSG_PUBLIC_KEY.  It declares the server's host key, server public
+key, supported ciphers, supported authentication methods, and flags
+for protocol extensions.  It also contains a 64-bit random number
+(cookie) that must be returned in the client's reply (to make IP
+spoofing more difficult).  No encryption is used for this message.
+
+Both sides compute a session id as follows.  The modulus of the server
+key is interpreted as a byte string (without explicit length field,
+with minimum length able to hold the whole value), most significant
+byte first.  This string is concatenated with the server host key
+interpreted the same way.  Additionally, the cookie is concatenated
+with this.  Both sides compute MD5 of the resulting string.  The
+resulting 16 bytes (128 bits) are stored by both parties and are
+called the session id.
+
+The client responds with a SSH_CMSG_SESSION_KEY message, which
+contains the selected cipher type, a copy of the 64-bit cookie sent by
+the server, client's protocol flags, and a session key encrypted
+with both the server's host key and server key.  No encryption is used
+for this message.
+
+The session key is 32 8-bit bytes (a total of 256 random bits
+generated by the client).  The client first xors the 16 bytes of the
+session id with the first 16 bytes of the session key.  The resulting
+string is then encrypted using the smaller key (one with smaller
+modulus), and the result is then encrypted using the other key.  The
+number of bits in the public modulus of the two keys must differ by at
+least 128 bits.
+
+At each encryption step, a multiple-precision integer is constructed
+from the data to be encrypted as follows (the integer is here
+interpreted as a sequence of bytes, msb first; the number of bytes is
+the number of bytes needed to represent the modulus).
+
+The most significant byte (which is only partial as the value must be
+less than the public modulus, which is never a power of two) is zero.
+
+The next byte contains the value 2 (which stands for public-key
+encrypted data in the PKCS standard [PKCS#1]).  Then, there are
+non-zero random bytes to fill any unused space, a zero byte, and the
+data to be encrypted in the least significant bytes, the last byte of
+the data in the least significant byte.
+
+This algorithm is used twice.  First, it is used to encrypt the 32
+random bytes generated by the client to be used as the session key
+(xored by the session id).  This value is converted to an integer as
+described above, and encrypted with RSA using the key with the smaller
+modulus.  The resulting integer is converted to a byte stream, msb
+first.  This byte stream is padded and encrypted identically using the
+key with the larger modulus.
+
+After the client has sent the session key, it starts to use the
+selected algorithm and key for decrypting any received packets, and
+for encrypting any sent packets.  Separate ciphers are used for
+different directions (that is, both directions have separate
+initialization vectors or other state for the ciphers).
+
+When the server has received the session key message, and has turned
+on encryption, it sends a SSH_SMSG_SUCCESS message to the client.
+
+The recommended size of the host key is 1024 bits, and 768 bits for
+the server key.  The minimum size is 512 bits for the smaller key.
+
+
+.ti 0
+Declaring the User Name
+
+The client then sends a SSH_CMSG_USER message to the server.  This
+message specifies the user name to log in as.
+
+The server validates that such a user exists, checks whether
+authentication is needed, and responds with either SSH_SMSG_SUCCESS or
+SSH_SMSG_FAILURE.  SSH_SMSG_SUCCESS indicates that no authentication
+is needed for this user (no password), and authentication phase has
+now been completed.  SSH_SMSG_FAILURE indicates that authentication is
+needed (or the user does not exist).
+
+If the user does not exist, it is recommended that this returns
+failure, but the server keeps reading messages from the client, and
+responds to any messages (except SSH_MSG_DISCONNECT, SSH_MSG_IGNORE,
+and SSH_MSG_DEBUG) with SSH_SMSG_FAILURE.  This way the client cannot
+be certain whether the user exists.
+
+
+.ti 0
+Authentication Phase
+
+Provided the server didn't immediately accept the login, an
+authentication exchange begins.  The client sends messages to the
+server requesting different types of authentication in arbitrary order as
+many times as desired (however, the server may close the connection
+after a timeout).  The server always responds with SSH_SMSG_SUCCESS if
+it has accepted the authentication, and with SSH_SMSG_FAILURE if it has
+denied authentication with the requested method or it does not
+recognize the message.  Some authentication methods cause an exchange
+of further messages before the final result is sent.  The
+authentication phase ends when the server responds with success.
+
+The recommended value for the authentication timeout (timeout before
+disconnecting if no successful authentication has been made) is 5
+minutes.
+
+The following authentication methods are currently supported:
+.TS
+center;
+l r l.
+SSH_AUTH_RHOSTS	1	.rhosts or /etc/hosts.equiv
+SSH_AUTH_RSA	2	pure RSA authentication
+SSH_AUTH_PASSWORD	3	password authentication
+SSH_AUTH_RHOSTS_RSA	4	.rhosts with RSA host authentication
+.TE
+.IP SSH_AUTH_RHOSTS
+
+This is the authentication method used by rlogin and rsh [RFC1282].
+
+The client sends SSH_CMSG_AUTH_RHOSTS with the client-side user name
+as an argument.
+
+The server checks whether to permit authentication.  On UNIX systems,
+this is usually done by checking /etc/hosts.equiv, and .rhosts in the
+user's home directory.  The connection must come from a privileged
+port.
+
+It is recommended that the server checks that there are no IP options
+(such as source routing) specified for the socket before accepting
+this type of authentication.  The client host name should be
+reverse-mapped and then forward mapped to ensure that it has the
+proper IP-address.
+
+This authentication method trusts the remote host (root on the remote
+host can pretend to be any other user on that host), the name
+services, and partially the network: anyone who can see packets coming
+out from the server machine can do IP-spoofing and pretend to be any
+machine; however, the protocol prevents blind IP-spoofing (which used
+to be possible with rlogin).
+
+Many sites probably want to disable this authentication method because
+of the fundamental insecurity of conventional .rhosts or
+/etc/hosts.equiv authentication when faced with spoofing.  It is
+recommended that this method not be supported by the server by
+default.
+.IP SSH_AUTH_RHOSTS_RSA
+
+In addition to conventional .rhosts and hosts.equiv authentication,
+this method additionally requires that the client host be
+authenticated using RSA.
+
+The client sends SSH_CMSG_AUTH_RHOSTS_RSA specifying the client-side
+user name, and the public host key of the client host.
+
+The server first checks if normal .rhosts or /etc/hosts.equiv
+authentication would be accepted, and if not, responds with
+SSH_SMSG_FAILURE.  Otherwise, it checks whether it knows the host key
+for the client machine (using the same name for the host that was used
+for checking the .rhosts and /etc/hosts.equiv files).  If it does not
+know the RSA key for the client, access is denied and SSH_SMSG_FAILURE
+is sent.
+
+If the server knows the host key of the client machine, it verifies
+that the given host key matches that known for the client.  If not,
+access is denied and SSH_SMSG_FAILURE is sent.
+
+The server then sends a SSH_SMSG_AUTH_RSA_CHALLENGE message containing
+an encrypted challenge for the client.  The challenge is 32 8-bit
+random bytes (256 bits).  When encrypted, the highest (partial) byte
+is left as zero, the next byte contains the value 2, the following are
+non-zero random bytes, followed by a zero byte, and the challenge put
+in the remaining bytes.  This is then encrypted using RSA with the
+client host's public key.  (The padding and encryption algorithm is
+the same as that used for the session key.)
+
+The client decrypts the challenge using its private host key,
+concatenates this with the session id, and computes an MD5 checksum
+of the resulting 48 bytes.  The MD5 output is returned as 16 bytes in
+a SSH_CMSG_AUTH_RSA_RESPONSE message.  (MD5 is used to deter chosen
+plaintext attacks against RSA; the session id binds it to a specific
+session).
+
+The server verifies that the MD5 of the decrypted challenge returned by
+the client matches that of the original value, and sends SSH_SMSG_SUCCESS if
+so.  Otherwise it sends SSH_SMSG_FAILURE and refuses the
+authentication attempt.
+
+This authentication method trusts the client side machine in that root
+on that machine can pretend to be any user on that machine.
+Additionally, it trusts the client host key.  The name and/or IP
+address of the client host is only used to select the public host key.
+The same host name is used when scanning .rhosts or /etc/hosts.equiv
+and when selecting the host key.  It would in principle be possible to
+eliminate the host name entirely and substitute it directly by the
+host key.  IP and/or DNS [RFC1034] spoofing can only be used
+to pretend to be a host for which the attacker has the private host
+key.
+.IP SSH_AUTH_RSA
+
+The idea behind RSA authentication is that the server recognizes the
+public key offered by the client, generates a random challenge, and
+encrypts the challenge with the public key.  The client must then
+prove that it has the corresponding private key by decrypting the
+challenge.
+
+The client sends SSH_CMSG_AUTH_RSA with public key modulus (n) as an
+argument.
+
+The server may respond immediately with SSH_SMSG_FAILURE if it does
+not permit authentication with this key.  Otherwise it generates a
+challenge, encrypts it using the user's public key (stored on the
+server and identified using the modulus), and sends
+SSH_SMSG_AUTH_RSA_CHALLENGE with the challenge (mp-int) as an
+argument.
+
+The challenge is 32 8-bit random bytes (256 bits).  When encrypted,
+the highest (partial) byte is left as zero, the next byte contains the
+value 2, the following are non-zero random bytes, followed by a zero
+byte, and the challenge put in the remaining bytes.  This is then
+encrypted with the public key.  (The padding and encryption algorithm
+is the same as that used for the session key.)
+
+The client decrypts the challenge using its private key, concatenates
+it with the session id, and computes an MD5 checksum of the resulting
+48 bytes.  The MD5 output is returned as 16 bytes in a
+SSH_CMSG_AUTH_RSA_RESPONSE message.  (Note that the MD5 is necessary
+to avoid chosen plaintext attacks against RSA; the session id binds it
+to a specific session.)
+
+The server verifies that the MD5 of the decrypted challenge returned
+by the client matches that of the original value, and sends
+SSH_SMSG_SUCCESS if so.  Otherwise it sends SSH_SMSG_FAILURE and
+refuses the authentication attempt.
+
+This authentication method does not trust the remote host, the
+network, name services, or anything else.  Authentication is based
+solely on the possession of the private identification keys.  Anyone
+in possession of the private keys can log in, but nobody else.
+
+The server may have additional requirements for a successful
+authentiation.  For example, to limit damage due to a compromised RSA
+key, a server might restrict access to a limited set of hosts.
+.IP SSH_AUTH_PASSWORD
+
+The client sends a SSH_CMSG_AUTH_PASSWORD message with the plain text
+password.  (Note that even though the password is plain text inside
+the message, it is normally encrypted by the packet mechanism.)
+
+The server verifies the password, and sends SSH_SMSG_SUCCESS if
+authentication was accepted and SSH_SMSG_FAILURE otherwise.
+
+Note that the password is read from the user by the client; the user
+never interacts with a login program.
+
+This authentication method does not trust the remote host, the
+network, name services or anything else.  Authentication is based
+solely on the possession of the password.  Anyone in possession of the
+password can log in, but nobody else.
+.RT
+
+.ti 0
+Preparatory Operations
+
+After successful authentication, the server waits for a request from
+the client, processes the request, and responds with SSH_SMSG_SUCCESS
+whenever a request has been successfully processed.  If it receives a
+message that it does not recognize or it fails to honor a request, it
+returns SSH_SMSG_FAILURE.  It is expected that new message types might
+be added to this phase in future.
+
+The following messages are currently defined for this phase.
+.IP SSH_CMSG_REQUEST_COMPRESSION
+Requests that compression be enabled for this session.  A
+gzip-compatible compression level (1-9) is passed as an argument.
+.IP SSH_CMSG_REQUEST_PTY
+Requests that a pseudo terminal device be allocated for this session.
+The user terminal type and terminal modes are supplied as arguments.
+.IP SSH_CMSG_X11_REQUEST_FORWARDING
+Requests forwarding of X11 connections from the remote machine to the
+local machine over the secure channel.  Causes an internet-domain
+socket to be allocated and the DISPLAY variable to be set on the server.
+X11 authentication data is automatically passed to the server, and the
+client may implement spoofing of authentication data for added
+security.  The authentication data is passed as arguments.
+.IP SSH_CMSG_PORT_FORWARD_REQUEST
+Requests forwarding of a TCP/IP port on the server host over the
+secure channel.  What happens is that whenever a connection is made to
+the port on the server, a connection will be made from the client end
+to the specified host/port.  Any user can forward unprivileged ports;
+only the root can forward privileged ports (as determined by
+authentication done earlier).
+.IP SSH_CMSG_AGENT_REQUEST_FORWARDING
+Requests forwarding of the connection to the authentication agent.
+.IP SSH_CMSG_EXEC_SHELL
+Starts a shell (command interpreter) for the user, and moves into
+interactive session mode.
+.IP SSH_CMSG_EXEC_CMD
+Executes the given command (actually "<shell> -c <command>" or
+equivalent) for the user, and moves into interactive session mode.
+.RT
+
+
+.ti 0
+Interactive Session and Exchange of Data
+
+During the interactive session, any data written by the shell or
+command running on the server machine is forwarded to stdin or
+stderr on the client machine, and any input available from stdin on
+the client machine is forwarded to the program on the server machine.
+
+All exchange is asynchronous; either side can send at any time, and
+there are no acknowledgements (TCP/IP already provides reliable
+transport, and the packet protocol protects against tampering or IP
+spoofing).
+
+When the client receives EOF from its standard input, it will send
+SSH_CMSG_EOF; however, this in no way terminates the exchange.  The
+exchange terminates and interactive mode is left when the server sends
+SSH_SMSG_EXITSTATUS to indicate that the client program has
+terminated.  Alternatively, either side may disconnect at any time by
+sending SSH_MSG_DISCONNECT or closing the connection.
+
+The server may send any of the following messages:
+.IP SSH_SMSG_STDOUT_DATA
+Data written to stdout by the program running on the server.  The data
+is passed as a string argument.  The client writes this data to
+stdout.
+.IP SSH_SMSG_STDERR_DATA
+Data written to stderr by the program running on the server.  The data
+is passed as a string argument.  The client writes this data to
+stderr.  (Note that if the program is running on a tty, it is not
+possible to separate stdout and stderr data, and all data will be sent
+as stdout data.)
+.IP SSH_SMSG_EXITSTATUS
+Indicates that the shell or command has exited.  Exit status is passed
+as an integer argument.  This message causes termination of the
+interactive session.
+.IP SSH_SMSG_AGENT_OPEN
+Indicates that someone on the server side is requesting a connection
+to the authentication agent.  The server-side channel number is passed
+as an argument.  The client must respond with either
+SSH_CHANNEL_OPEN_CONFIRMATION or SSH_CHANNEL_OPEN_FAILURE.
+.IP SSH_SMSG_X11_OPEN
+Indicates that a connection has been made to the X11 socket on the
+server side and should be forwarded to the real X server.  An integer
+argument indicates the channel number allocated for this connection on
+the server side.  The client should send back either
+SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with
+the same server side channel number.
+.IP SSH_MSG_PORT_OPEN
+Indicates that a connection has been made to a port on the server side
+for which forwarding has been requested.  Arguments are server side
+channel number, host name to connect to, and port to connect to.  The
+client should send back either
+SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with
+the same server side channel number.
+.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION
+This is sent by the server to indicate that it has opened a connection
+as requested in a previous message.  The first argument indicates the
+client side channel number, and the second argument is the channel number
+that the server has allocated for this connection.
+.IP SSH_MSG_CHANNEL_OPEN_FAILURE
+This is sent by the server to indicate that it failed to open a
+connection as requested in a previous message.  The client-side
+channel number is passed as an argument.  The client will close the
+descriptor associated with the channel and free the channel.
+.IP SSH_MSG_CHANNEL_DATA
+This packet contains data for a channel from the server.  The first
+argument is the client-side channel number, and the second argument (a
+string) is the data.
+.IP SSH_MSG_CHANNEL_CLOSE
+This is sent by the server to indicate that whoever was in the other
+end of the channel has closed it.  The argument is the client side channel
+number.  The client will let all buffered data in the channel to
+drain, and when ready, will close the socket, free the channel, and
+send the server a SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the
+channel.
+.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
+This is send by the server to indicate that a channel previously
+closed by the client has now been closed on the server side as well.
+The argument indicates the client channel number.  The client frees
+the channel.
+.RT
+
+The client may send any of the following messages:
+.IP SSH_CMSG_STDIN_DATA
+This is data to be sent as input to the program running on the server.
+The data is passed as a string.
+.IP SSH_CMSG_EOF
+Indicates that the client has encountered EOF while reading standard
+input.  The server will allow any buffered input data to drain, and
+will then close the input to the program.
+.IP SSH_CMSG_WINDOW_SIZE
+Indicates that window size on the client has been changed.  The server
+updates the window size of the tty and causes SIGWINCH to be sent to
+the program.  The new window size is passed as four integer arguments:
+row, col, xpixel, ypixel.
+.IP SSH_MSG_PORT_OPEN
+Indicates that a connection has been made to a port on the client side
+for which forwarding has been requested.  Arguments are client side
+channel number, host name to connect to, and port to connect to.  The
+server should send back either SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
+SSH_MSG_CHANNEL_OPEN_FAILURE with the same client side channel number.
+.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION
+This is sent by the client to indicate that it has opened a connection
+as requested in a previous message.  The first argument indicates the
+server side channel number, and the second argument is the channel
+number that the client has allocated for this connection.
+.IP SSH_MSG_CHANNEL_OPEN_FAILURE
+This is sent by the client to indicate that it failed to open a
+connection as requested in a previous message.  The server side
+channel number is passed as an argument.  The server will close the
+descriptor associated with the channel and free the channel.
+.IP SSH_MSG_CHANNEL_DATA
+This packet contains data for a channel from the client.  The first
+argument is the server side channel number, and the second argument (a
+string) is the data.
+.IP SSH_MSG_CHANNEL_CLOSE
+This is sent by the client to indicate that whoever was in the other
+end of the channel has closed it.  The argument is the server channel
+number.  The server will allow buffered data to drain, and when ready,
+will close the socket, free the channel, and send the client a
+SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the channel.
+.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
+This is send by the client to indicate that a channel previously
+closed by the server has now been closed on the client side as well.
+The argument indicates the server channel number.  The server frees
+the channel.
+.RT
+
+Any unsupported messages during interactive mode cause the connection
+to be terminated with SSH_MSG_DISCONNECT and an error message.
+Compatible protocol upgrades should agree about any extensions during
+the preparation phase or earlier.
+
+
+.ti 0
+Termination of the Connection
+
+Normal termination of the connection is always initiated by the server
+by sending SSH_SMSG_EXITSTATUS after the program has exited.  The
+client responds to this message by sending SSH_CMSG_EXIT_CONFIRMATION
+and closes the socket; the server then closes the socket.  There are
+two purposes for the confirmation: some systems may lose previously
+sent data when the socket is closed, and closing the client side first
+causes any TCP/IP TIME_WAIT [RFC0793] waits to occur on the client side, not
+consuming server resources.
+
+If the program terminates due to a signal, the server will send
+SSH_MSG_DISCONNECT with an appropriate message.  If the connection is
+closed, all file descriptors to the program will be closed and the
+server will exit.  If the program runs on a tty, the kernel sends it
+the SIGHUP signal when the pty master side is closed.
+
+.ti 0
+Protocol Flags
+
+Both the server and the client pass 32 bits of protocol flags to the
+other side.  The flags are intended for compatible protocol extension;
+the server first announces which added capabilities it supports, and
+the client then sends the capabilities that it supports.
+
+The following flags are currently defined (the values are bit masks):
+.IP "1 SSH_PROTOFLAG_SCREEN_NUMBER"
+This flag can only be sent by the client.  It indicates that the X11
+forwarding requests it sends will include the screen number.
+.IP "2 SSH_PROTOFLAG_HOST_IN_FWD_OPEN"
+If both sides specify this flag, SSH_SMSG_X11_OPEN and
+SSH_MSG_PORT_OPEN messages will contain an additional field containing
+a description of the host at the other end of the connection.
+.RT
+
+.ti 0
+Detailed Description of Packet Types and Formats
+
+The supported packet types and the corresponding message numbers are
+given in the following table.  Messages with _MSG_ in their name may
+be sent by either side.  Messages with _CMSG_ are only sent by the
+client, and messages with _SMSG_ only by the server.
+
+A packet may contain additional data after the arguments specified
+below.  Any such data should be ignored by the receiver.  However, it
+is recommended that no such data be stored without good reason.  (This
+helps build compatible extensions.)
+.IP "0 SSH_MSG_NONE"
+This code is reserved.  This message type is never sent.
+.IP "1 SSH_MSG_DISCONNECT"
+.TS
+;
+l l.
+string	Cause of disconnection
+.TE
+This message may be sent by either party at any time.  It causes the
+immediate disconnection of the connection.  The message is intended to
+be displayed to a human, and describes the reason for disconnection.
+.IP "2 SSH_SMSG_PUBLIC_KEY"
+.TS
+;
+l l.
+8 bytes	anti_spoofing_cookie
+32-bit int	server_key_bits
+mp-int	server_key_public_exponent
+mp-int	server_key_public_modulus
+32-bit int	host_key_bits
+mp-int	host_key_public_exponent
+mp-int	host_key_public_modulus
+32-bit int	protocol_flags
+32-bit int	supported_ciphers_mask
+32-bit int	supported_authentications_mask
+.TE
+Sent as the first message by the server.  This message gives the
+server's host key, server key, protocol flags (intended for compatible
+protocol extension), supported_ciphers_mask (which is the
+bitwise or of (1 << cipher_number), where << is the left shift
+operator, for all supported ciphers), and
+supported_authentications_mask (which is the bitwise or of (1 <<
+authentication_type) for all supported authentication types).  The
+anti_spoofing_cookie is 64 random bytes, and must be sent back
+verbatim by the client in its reply.  It is used to make IP-spoofing
+more difficult (encryption and host keys are the real defense against
+spoofing).
+.IP "3 SSH_CMSG_SESSION_KEY"
+.TS
+;
+l l.
+1 byte	cipher_type (must be one of the supported values)
+8 bytes	anti_spoofing_cookie (must match data sent by the server)
+mp-int	double-encrypted session key
+32-bit int	protocol_flags
+.TE
+Sent by the client as the first message in the session.  Selects the
+cipher to use, and sends the encrypted session key to the server.  The
+anti_spoofing_cookie must be the same bytes that were sent by the
+server.  Protocol_flags is intended for negotiating compatible
+protocol extensions.
+.IP "4 SSH_CMSG_USER"
+.TS
+;
+l l.
+string	user login name on server
+.TE
+Sent by the client to begin authentication.  Specifies the user name
+on the server to log in as.  The server responds with SSH_SMSG_SUCCESS
+if no authentication is needed for this user, or SSH_SMSG_FAILURE if
+authentication is needed (or the user does not exist).  [Note to the
+implementator: the user name is of arbitrary size.  The implementation
+must be careful not to overflow internal buffers.]
+.IP "5 SSH_CMSG_AUTH_RHOSTS"
+.TS
+;
+l l.
+string	client-side user name
+.TE
+Requests authentication using /etc/hosts.equiv and .rhosts (or
+equivalent mechanisms).  This authentication method is normally
+disabled in the server because it is not secure (but this is the
+method used by rsh and rlogin).  The server responds with
+SSH_SMSG_SUCCESS if authentication was successful, and
+SSH_SMSG_FAILURE if access was not granted.  The server should check
+that the client side port number is less than 1024 (a privileged
+port), and immediately reject authentication if it is not.  Supporting
+this authentication method is optional.  This method should normally
+not be enabled in the server because it is not safe.  (However, not
+enabling this only helps if rlogind and rshd are disabled.)
+.IP "6 SSH_CMSG_AUTH_RSA"
+.TS
+;
+l l.
+mp-int	identity_public_modulus
+.TE
+Requests authentication using pure RSA authentication.  The server
+checks if the given key is permitted to log in, and if so, responds
+with SSH_SMSG_AUTH_RSA_CHALLENGE.  Otherwise, it responds with
+SSH_SMSG_FAILURE.  The client often tries several different keys in
+sequence until one supported by the server is found.  Authentication
+is accepted if the client gives the correct response to the challenge.
+The server is free to add other criteria for authentication, such as a
+requirement that the connection must come from a certain host.  Such
+additions are not visible at the protocol level.  Supporting this
+authentication method is optional but recommended.
+.IP "7 SSH_SMSG_AUTH_RSA_CHALLENGE"
+.TS
+;
+l l.
+mp-int	encrypted challenge
+.TE
+Presents an RSA authentication challenge to the client.  The challenge
+is a 256-bit random value encrypted as described elsewhere in this
+document.  The client must decrypt the challenge using the RSA private
+key, compute MD5 of the challenge plus session id, and send back the
+resulting 16 bytes using SSH_CMSG_AUTH_RSA_RESPONSE.
+.IP "8 SSH_CMSG_AUTH_RSA_RESPONSE"
+.TS
+;
+l l.
+16 bytes	MD5 of decrypted challenge
+.TE
+This message is sent by the client in response to an RSA challenge.
+The MD5 checksum is returned instead of the decrypted challenge to
+deter known-plaintext attacks against the RSA key.  The server
+responds to this message with either SSH_SMSG_SUCCESS or
+SSH_SMSG_FAILURE.
+.IP "9 SSH_CMSG_AUTH_PASSWORD"
+.TS
+;
+l l.
+string	plain text password
+.TE
+Requests password authentication using the given password.  Note that
+even though the password is plain text inside the packet, the whole
+packet is normally encrypted by the packet layer.  It would not be
+possible for the client to perform password encryption/hashing,
+because it cannot know which kind of encryption/hashing, if any, the
+server uses.  The server responds to this message with
+SSH_SMSG_SUCCESS or SSH_SMSG_FAILURE.
+.IP "10 SSH_CMSG_REQUEST_PTY"
+.TS
+;
+l l.
+string	TERM environment variable value (e.g. vt100)
+32-bit int	terminal height, rows (e.g., 24)
+32-bit int	terminal width, columns (e.g., 80)
+32-bit int	terminal width, pixels (0 if no graphics) (e.g., 480)
+32-bit int	terminal height, pixels (0 if no graphics) (e.g., 640)
+n bytes	tty modes encoded in binary
+.TE
+Requests a pseudo-terminal to be allocated for this command.  This
+message can be used regardless of whether the session will later
+execute the shell or a command.  If a pty has been requested with this
+message, the shell or command will run on a pty.  Otherwise it will
+communicate with the server using pipes, sockets or some other similar
+mechanism.
+
+The terminal type gives the type of the user's terminal.  In the UNIX
+environment it is passed to the shell or command in the TERM
+environment variable.
+
+The width and height values give the initial size of the user's
+terminal or window.  All values can be zero if not supported by the
+operating system.  The server will pass these values to the kernel if
+supported.
+
+Terminal modes are encoded into a byte stream in a portable format.
+The exact format is described later in this document.
+
+The server responds to the request with either SSH_SMSG_SUCCESS or
+SSH_SMSG_FAILURE.  If the server does not have the concept of pseudo
+terminals, it should return success if it is possible to execute a
+shell or a command so that it looks to the client as if it was running
+on a pseudo terminal.
+.IP "11 SSH_CMSG_WINDOW_SIZE"
+.TS
+;
+l l.
+32-bit int	terminal height, rows
+32-bit int	terminal width, columns
+32-bit int	terminal width, pixels
+32-bit int	terminal height, pixels
+.TE
+This message can only be sent by the client during the interactive
+session.  This indicates that the size of the user's window has
+changed, and provides the new size.  The server will update the
+kernel's notion of the window size, and a SIGWINCH signal or
+equivalent will be sent to the shell or command (if supported by the
+operating system).
+.IP "12 SSH_CMSG_EXEC_SHELL"
+
+(no arguments)
+
+Starts a shell (command interpreter), and enters interactive session
+mode.
+.IP "13 SSH_CMSG_EXEC_CMD"
+.TS
+;
+l l.
+string	command to execute
+.TE
+Starts executing the given command, and enters interactive session
+mode.  On UNIX, the command is run as "<shell> -c <command>", where
+<shell> is the user's login shell.
+.IP "14 SSH_SMSG_SUCCESS"
+
+(no arguments)
+
+This message is sent by the server in response to the session key, a
+successful authentication request, and a successfully completed
+preparatory operation.
+.IP "15 SSH_SMSG_FAILURE"
+
+(no arguments)
+
+This message is sent by the server in response to a failed
+authentication operation to indicate that the user has not yet been
+successfully authenticated, and in response to a failed preparatory
+operation.  This is also sent in response to an authentication or
+preparatory operation request that is not recognized or supported.
+.IP "16 SSH_CMSG_STDIN_DATA"
+.TS
+;
+l l.
+string	data
+.TE
+Delivers data from the client to be supplied as input to the shell or
+program running on the server side.  This message can only be used in
+the interactive session mode.  No acknowledgement is sent for this
+message.
+.IP "17 SSH_SMSG_STDOUT_DATA"
+.TS
+;
+l l.
+string	data
+.TE
+Delivers data from the server that was read from the standard output of
+the shell or program running on the server side.  This message can
+only be used in the interactive session mode.  No acknowledgement is
+sent for this message.
+.IP "18 SSH_SMSG_STDERR_DATA"
+.TS
+;
+l l.
+string	data
+.TE
+Delivers data from the server that was read from the standard error of
+the shell or program running on the server side.  This message can
+only be used in the interactive session mode.  No acknowledgement is
+sent for this message.
+.IP "19 SSH_CMSG_EOF"
+
+(no arguments)
+
+This message is sent by the client to indicate that EOF has been
+reached on the input.  Upon receiving this message, and after all
+buffered input data has been sent to the shell or program, the server
+will close the input file descriptor to the program.  This message can
+only be used in the interactive session mode.  No acknowledgement is
+sent for this message.
+.IP "20 SSH_SMSG_EXITSTATUS"
+.TS
+;
+l l.
+32-bit int	exit status of the command
+.TE
+Returns the exit status of the shell or program after it has exited.
+The client should respond with SSH_CMSG_EXIT_CONFIRMATION when it has
+received this message.  This will be the last message sent by the
+server.  If the program being executed dies with a signal instead of
+exiting normally, the server should terminate the session with
+SSH_MSG_DISCONNECT (which can be used to pass a human-readable string
+indicating that the program died due to a signal) instead of using
+this message.
+.IP "21 SSH_MSG_CHANNEL_OPEN_CONFIRMATION"
+.TS
+;
+l l.
+32-bit int	remote_channel
+32-bit int	local_channel
+.TE
+This is sent in response to any channel open request if the channel
+has been successfully opened.  Remote_channel is the channel number
+received in the initial open request; local_channel is the channel
+number the side sending this message has allocated for the channel.
+Data can be transmitted on the channel after this message.
+.IP "22 SSH_MSG_CHANNEL_OPEN_FAILURE"
+.TS
+;
+l l.
+32-bit int	remote_channel
+.TE
+This message indicates that an earlier channel open request by the
+other side has failed or has been denied.  Remote_channel is the
+channel number given in the original request.
+.IP "23 SSH_MSG_CHANNEL_DATA"
+.TS
+;
+l l.
+32-bit int	remote_channel
+string	data
+.TE
+Data is transmitted in a channel in these messages.  A channel is
+bidirectional, and both sides can send these messages.  There is no
+acknowledgement for these messages.  It is possible that either side
+receives these messages after it has sent SSH_MSG_CHANNEL_CLOSE for
+the channel.  These messages cannot be received after the party has
+sent or received SSH_MSG_CHANNEL_CLOSE_CONFIRMATION.
+.IP "24 SSH_MSG_CHANNEL_CLOSE"
+.TS
+;
+l l.
+32-bit int	remote_channel
+.TE
+When a channel is closed at one end of the connection, that side sends
+this message.  Upon receiving this message, the channel should be
+closed.  When this message is received, if the channel is already
+closed (the receiving side has sent this message for the same channel
+earlier), the channel is freed and no further action is taken;
+otherwise the channel is freed and SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
+is sent in response.  (It is possible that the channel is closed
+simultaneously at both ends.)
+.IP "25 SSH_MSG_CHANNEL_CLOSE_CONFIRMATION"
+.TS
+;
+l l.
+32-bit int	remote_channel
+.TE
+This message is sent in response to SSH_MSG_CHANNEL_CLOSE unless the
+channel was already closed.  When this message is sent or received,
+the channel is freed.
+.IP "26 (OBSOLETED; was unix-domain X11 forwarding)
+.IP "27 SSH_SMSG_X11_OPEN"
+.TS
+;
+l l.
+32-bit int	local_channel
+string	originator_string (see below)
+.TE
+This message can be sent by the server during the interactive session
+mode to indicate that a client has connected the fake X server.
+Local_channel is the channel number that the server has allocated for
+the connection.  The client should try to open a connection to the
+real X server, and respond with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
+SSH_MSG_CHANNEL_OPEN_FAILURE.
+
+The field originator_string is present if both sides
+specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags.  It
+contains a description of the host originating the connection.
+.IP "28 SSH_CMSG_PORT_FORWARD_REQUEST"
+.TS
+;
+l l.
+32-bit int	server_port
+string	host_to_connect
+32-bit int	port_to_connect
+.TE
+Sent by the client in the preparatory phase, this message requests
+that server_port on the server machine be forwarded over the secure
+channel to the client machine, and from there to the specified host
+and port.  The server should start listening on the port, and send
+SSH_MSG_PORT_OPEN whenever a connection is made to it.  Supporting
+this message is optional, and the server is free to reject any forward
+request.  For example, it is highly recommended that unless the user
+has been authenticated as root, forwarding any privileged port numbers
+(below 1024) is denied.
+.IP "29 SSH_MSG_PORT_OPEN"
+.TS
+;
+l l.
+32-bit int	local_channel
+string	host_name
+32-bit int	port
+string	originator_string (see below)
+.TE
+Sent by either party in interactive session mode, this message
+indicates that a connection has been opened to a forwarded TCP/IP
+port.  Local_channel is the channel number that the sending party has
+allocated for the connection.  Host_name is the host the connection
+should be be forwarded to, and the port is the port on that host to
+connect.  The receiving party should open the connection, and respond
+with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
+SSH_MSG_CHANNEL_OPEN_FAILURE.  It is recommended that the receiving
+side check the host_name and port for validity to avoid compromising
+local security by compromised remote side software.  Particularly, it
+is recommended that the client permit connections only to those ports
+for which it has requested forwarding with SSH_CMSG_PORT_FORWARD_REQUEST.
+
+The field originator_string is present if both sides
+specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags.  It
+contains a description of the host originating the connection.
+.IP "30 SSH_CMSG_AGENT_REQUEST_FORWARDING"
+
+(no arguments)
+
+Requests that the connection to the authentication agent be forwarded
+over the secure channel.  The method used by clients to contact the
+authentication agent within each machine is implementation and machine
+dependent.  If the server accepts this request, it should arrange that
+any clients run from this session will actually contact the server
+program when they try to contact the authentication agent.  The server
+should then send a SSH_SMSG_AGENT_OPEN to open a channel to the agent,
+and the client should forward the connection to the real
+authentication agent.  Supporting this message is optional.
+.IP "31 SSH_SMSG_AGENT_OPEN"
+.TS
+;
+l l.
+32-bit int	local_channel
+.TE
+Sent by the server in interactive session mode, this message requests
+opening a channel to the authentication agent.  The client should open
+a channel, and respond with either SSH_MSG_CHANNEL_OPEN_CONFIRMATION
+or SSH_MSG_CHANNEL_OPEN_FAILURE.
+.IP "32 SSH_MSG_IGNORE"
+.TS
+;
+l l.
+string	data
+.TE
+Either party may send this message at any time.  This message, and the
+argument string, is silently ignored.  This message might be used in
+some implementations to make traffic analysis more difficult.  This
+message is not currently sent by the implementation, but all
+implementations are required to recognize and ignore it.
+.IP "33 SSH_CMSG_EXIT_CONFIRMATION"
+
+(no arguments)
+
+Sent by the client in response to SSH_SMSG_EXITSTATUS.  This is the
+last message sent by the client.
+.IP "34 SSH_CMSG_X11_REQUEST_FORWARDING"
+.TS
+;
+l l.
+string	x11_authentication_protocol
+string	x11_authentication_data
+32-bit int	screen number (if SSH_PROTOFLAG_SCREEN_NUMBER)
+.TE
+Sent by the client during the preparatory phase, this message requests
+that the server create a fake X11 display and set the DISPLAY
+environment variable accordingly.  An internet-domain display is
+preferable.  The given authentication protocol and the associated data
+should be recorded by the server so that it is used as authentication
+on connections (e.g., in .Xauthority).  The authentication protocol
+must be one of the supported X11 authentication protocols, e.g.,
+"MIT-MAGIC-COOKIE-1".  Authentication data must be a lowercase hex
+string of even length.  Its interpretation is protocol dependent.
+The data is in a format that can be used with e.g. the xauth program.
+Supporting this message is optional.
+
+The client is permitted (and recommended) to generate fake
+authentication information and send fake information to the server.
+This way, a corrupt server will not have access to the user's terminal
+after the connection has terminated.  The correct authorization codes
+will also not be left hanging around in files on the server (many
+users keep the same X session for months, thus protecting the
+authorization data becomes important).
+
+X11 authentication spoofing works by initially sending fake (random)
+authentication data to the server, and interpreting the first packet
+sent by the X11 client after the connection has been opened.  The
+first packet contains the client's authentication.  If the packet
+contains the correct fake data, it is replaced by the client by the
+correct authentication data, and then sent to the X server.
+.IP "35 SSH_CMSG_AUTH_RHOSTS_RSA"
+.TS
+;
+l l.
+string	clint-side user name
+32-bit int	client_host_key_bits
+mp-int	client_host_key_public_exponent
+mp-int	client_host_key_public_modulus
+.TE
+Requests authentication using /etc/hosts.equiv and .rhosts (or
+equivalent) together with RSA host authentication.  The server should
+check that the client side port number is less than 1024 (a privileged
+port), and immediately reject authentication if it is not.  The server
+responds with SSH_SMSG_FAILURE or SSH_SMSG_AUTH_RSA_CHALLENGE.  The
+client must respond to the challenge with the proper
+SSH_CMSG_AUTH_RSA_RESPONSE.  The server then responds with success if
+access was granted, or failure if the client gave a wrong response.
+Supporting this authentication method is optional but recommended in
+most environments.
+.IP "36 SSH_MSG_DEBUG"
+.TS
+;
+l l.
+string	debugging message sent to the other side
+.TE
+This message may be sent by either party at any time.  It is used to
+send debugging messages that may be informative to the user in
+solving various problems.  For example, if authentication fails
+because of some configuration error (e.g., incorrect permissions for
+some file), it can be very helpful for the user to make the cause of
+failure available.  On the other hand, one should not make too much
+information available for security reasons.  It is recommended that
+the client provides an option to display the debugging information
+sent by the sender (the user probably does not want to see it by default).
+The server can log debugging data sent by the client (if any).  Either
+party is free to ignore any received debugging data.  Every
+implementation must be able to receive this message, but no
+implementation is required to send these.
+.IP "37 SSH_CMSG_REQUEST_COMPRESSION"
+.TS
+;
+l l.
+32-bit int	gzip compression level (1-9)
+.TE
+This message can be sent by the client in the preparatory operations
+phase.  The server responds with SSH_SMSG_FAILURE if it does not
+support compression or does not want to compress; it responds with
+SSH_SMSG_SUCCESS if it accepted the compression request.  In the
+latter case the response to this packet will still be uncompressed,
+but all further packets in either direction will be compressed by gzip.
+.RT
+
+
+.ti 0
+Encoding of Terminal Modes
+
+Terminal modes (as passed in SSH_CMSG_REQUEST_PTY) are encoded into a
+byte stream.  It is intended that the coding be portable across
+different environments.
+
+The tty mode description is a stream of bytes.  The stream consists of
+opcode-argument pairs.  It is terminated by opcode TTY_OP_END (0).
+Opcodes 1-127 have one-byte arguments.  Opcodes 128-159 have 32-bit
+integer arguments (stored msb first).  Opcodes 160-255 are not yet
+defined, and cause parsing to stop (they should only be used after any
+other data).
+
+The client puts in the stream any modes it knows about, and the server
+ignores any modes it does not know about.  This allows some degree of
+machine-independence, at least between systems that use a POSIX-like
+[POSIX] tty interface.  The protocol can support other systems as
+well, but the client may need to fill reasonable values for a number
+of parameters so the server pty gets set to a reasonable mode (the
+server leaves all unspecified mode bits in their default values, and
+only some combinations make sense).
+
+The following opcodes have been defined.  The naming of opcodes mostly
+follows the POSIX terminal mode flags.
+.IP "0 TTY_OP_END"
+Indicates end of options.
+.IP "1 VINTR"
+Interrupt character; 255 if none.  Similarly for the other characters.
+Not all of these characters are supported on all systems.
+.IP "2 VQUIT"
+The quit character (sends SIGQUIT signal on UNIX systems).
+.IP "3 VERASE"
+Erase the character to left of the cursor.
+.IP "4 VKILL"
+Kill the current input line.
+.IP "5 VEOF "
+End-of-file character (sends EOF from the terminal).
+.IP "6 VEOL "
+End-of-line character in addition to carriage return and/or linefeed.
+.IP "7 VEOL2"
+Additional end-of-line character.
+.IP "8 VSTART"
+Continues paused output (normally ^Q).
+.IP "9 VSTOP"
+Pauses output (^S).
+.IP "10 VSUSP"
+Suspends the current program.
+.IP "11 VDSUSP"
+Another suspend character.
+.IP "12 VREPRINT"
+Reprints the current input line.
+.IP "13 VWERASE"
+Erases a word left of cursor.
+.IP "14 VLNEXT"
+More special input characters; these are probably not supported on
+most systems.
+.IP "15 VFLUSH"
+.IP "16 VSWTCH"
+.IP "17 VSTATUS"
+.IP "18 VDISCARD"
+
+.IP "30 IGNPAR"
+The ignore parity flag.  The next byte should be 0 if this flag is not
+set, and 1 if it is set.
+.IP "31 PARMRK"
+More flags.  The exact definitions can be found in the POSIX standard.
+.IP "32 INPCK"
+.IP "33 ISTRIP"
+.IP "34 INLCR"
+.IP "35 IGNCR"
+.IP "36 ICRNL"
+.IP "37 IUCLC"
+.IP "38 IXON"
+.IP "39 IXANY"
+.IP "40 IXOFF"
+.IP "41 IMAXBEL"
+
+.IP "50 ISIG"
+.IP "51 ICANON"
+.IP "52 XCASE"
+.IP "53 ECHO"
+.IP "54 ECHOE"
+.IP "55 ECHOK"
+.IP "56 ECHONL"
+.IP "57 NOFLSH"
+.IP "58 TOSTOP"
+.IP "59 IEXTEN"
+.IP "60 ECHOCTL"
+.IP "61 ECHOKE"
+.IP "62 PENDIN"
+
+.IP "70 OPOST"
+.IP "71 OLCUC"
+.IP "72 ONLCR"
+.IP "73 OCRNL"
+.IP "74 ONOCR"
+.IP "75 ONLRET"
+
+.IP "90 CS7"
+.IP "91 CS8"
+.IP "92 PARENB"
+.IP "93 PARODD"
+
+.IP "192 TTY_OP_ISPEED"
+Specifies the input baud rate in bits per second.
+.IP "193 TTY_OP_OSPEED"
+Specifies the output baud rate in bits per second.
+.RT
+
+
+.ti 0
+The Authentication Agent Protocol
+
+The authentication agent is a program that can be used to hold RSA
+authentication keys for the user (in future, it might hold data for
+other authentication types as well).  An authorized program can send
+requests to the agent to generate a proper response to an RSA
+challenge.  How the connection is made to the agent (or its
+representative) inside a host and how access control is done inside a
+host is implementation-dependent; however, how it is forwarded and how
+one interacts with it is specified in this protocol.  The connection
+to the agent is normally automatically forwarded over the secure
+channel.
+
+A program that wishes to use the agent first opens a connection to its
+local representative (typically, the agent itself or an SSH server).
+It then writes a request to the connection, and waits for response.
+It is recommended that at least five minutes of timeout are provided
+waiting for the agent to respond to an authentication challenge (this
+gives sufficient time for the user to cut-and-paste the challenge to a
+separate machine, perform the computation there, and cut-and-paste the
+result back if so desired).
+
+Messages sent to and by the agent are in the following format:
+.TS
+;
+l l.
+4 bytes	Length, msb first.  Does not include length itself.
+1 byte	Packet type.  The value 255 is reserved for future extensions.
+data	Any data, depending on packet type.  Encoding as in the ssh packet
+protocol.
+.TE
+
+The following message types are currently defined:
+.IP "1 SSH_AGENTC_REQUEST_RSA_IDENTITIES"
+
+(no arguments)
+
+Requests the agent to send a list of all RSA keys for which it can
+answer a challenge.
+.IP "2 SSH_AGENT_RSA_IDENTITIES_ANSWER"
+.TS
+;
+l l.
+32-bit int	howmany
+howmany times:
+32-bit int	bits
+mp-int	public exponent
+mp-int	public modulus
+string	comment
+.TE
+The agent sends this message in response to the to
+SSH_AGENTC_REQUEST_RSA_IDENTITIES.  The answer lists all RSA keys for
+which the agent can answer a challenge.  The comment field is intended
+to help identify each key; it may be printed by an application to
+indicate which key is being used.  If the agent is not holding any
+keys, howmany will be zero.
+.IP "3 SSH_AGENTC_RSA_CHALLENGE
+.TS
+;
+l l.
+32-bit int	bits
+mp-int	public exponent
+mp-int	public modulus
+mp-int	challenge
+16 bytes	session_id
+32-bit int	response_type
+.TE
+Requests RSA decryption of random challenge to authenticate the other
+side.  The challenge will be decrypted with the RSA private key
+corresponding to the given public key.
+
+The decrypted challenge must contain a zero in the highest (partial)
+byte, 2 in the next byte, followed by non-zero random bytes, a zero
+byte, and then the real challenge value in the lowermost bytes.  The
+real challenge must be 32 8-bit bytes (256 bits).
+
+Response_type indicates the format of the response to be returned.
+Currently the only supported value is 1, which means to compute MD5 of
+the real challenge plus session id, and return the resulting 16 bytes
+in a SSH_AGENT_RSA_RESPONSE message.
+.IP "4 SSH_AGENT_RSA_RESPONSE"
+.TS
+;
+l l.
+16 bytes	MD5 of decrypted challenge
+.TE
+Answers an RSA authentication challenge.  The response is 16 bytes:
+the MD5 checksum of the 32-byte challenge.
+.IP "5 SSH_AGENT_FAILURE"
+
+(no arguments)
+
+This message is sent whenever the agent fails to answer a request
+properly.  For example, if the agent cannot answer a challenge (e.g.,
+no longer has the proper key), it can respond with this.  The agent
+also responds with this message if it receives a message it does not
+recognize.
+.IP "6 SSH_AGENT_SUCCESS"
+
+(no arguments)
+
+This message is sent by the agent as a response to certain requests
+that do not otherwise cause a message be sent.  Currently, this is
+only sent in response to SSH_AGENTC_ADD_RSA_IDENTITY and
+SSH_AGENTC_REMOVE_RSA_IDENTITY.
+.IP "7 SSH_AGENTC_ADD_RSA_IDENTITY"
+.TS
+;
+l l.
+32-bit int	bits
+mp-int	public modulus
+mp-int	public exponent
+mp-int	private exponent
+mp-int	multiplicative inverse of p mod q
+mp-int	p
+mp-int	q
+string	comment
+.TE
+Registers an RSA key with the agent.  After this request, the agent can
+use this RSA key to answer requests.  The agent responds with
+SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE.
+.IP "8 SSH_AGENT_REMOVE_RSA_IDENTITY"
+.TS
+;
+l l.
+32-bit int	bits
+mp-int	public exponent
+mp-int	public modulus
+.TE
+Removes an RSA key from the agent.  The agent will no longer accept
+challenges for this key and will not list it as a supported identity.
+The agent responds with SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE.
+.RT
+
+If the agent receives a message that it does not understand, it
+responds with SSH_AGENT_FAILURE.  This permits compatible future
+extensions.
+
+It is possible that several clients have a connection open to the
+authentication agent simultaneously.  Each client will use a separate
+connection (thus, any SSH connection can have multiple agent
+connections active simultaneously).
+
+
+.ti 0
+References
+
+.IP "[DES] "
+FIPS PUB 46-1: Data Encryption Standard.  National Bureau of
+Standards, January 1988.  FIPS PUB 81: DES Modes of Operation.
+National Bureau of Standards, December 1980.  Bruce Schneier: Applied
+Cryptography.  John Wiley & Sons, 1994.  J. Seberry and J. Pieprzyk:
+Cryptography: An Introduction to Computer Security.  Prentice-Hall,
+1989.
+.IP "[GZIP] "
+The GNU GZIP program; available for anonymous ftp at prep.ai.mit.edu.
+Please let me know if you know a paper describing the algorithm.
+.IP "[IDEA] "
+Xuejia Lai: On the Design and Security of Block Ciphers, ETH Series in
+Information Processing, vol. 1, Hartung-Gorre Verlag, Konstanz,
+Switzerland, 1992.  Bruce Schneier: Applied Cryptography, John Wiley &
+Sons, 1994.  See also the following patents: PCT/CH91/00117, EP 0 482
+154 B1, US Pat. 5,214,703.
+.IP [PKCS#1]
+PKCS #1: RSA Encryption Standard.  Version 1.5, RSA Laboratories,
+November 1993.  Available for anonymous ftp at ftp.rsa.com.
+.IP [POSIX]
+Portable Operating System Interface (POSIX) - Part 1: Application
+Program Interface (API) [C language], ISO/IEC 9945-1, IEEE Std 1003.1,
+1990.
+.IP [RFC0791]
+J. Postel: Internet Protocol, RFC 791, USC/ISI, September 1981.
+.IP [RFC0793]
+J. Postel: Transmission Control Protocol, RFC 793, USC/ISI, September
+1981.
+.IP [RFC1034]
+P. Mockapetris: Domain Names - Concepts and Facilities, RFC 1034,
+USC/ISI, November 1987.
+.IP [RFC1282]
+B. Kantor: BSD Rlogin, RFC 1258, UCSD, December 1991.
+.IP "[RSA] "
+Bruce Schneier: Applied Cryptography.  John Wiley & Sons, 1994.  See
+also R. Rivest, A. Shamir, and L. M. Adleman: Cryptographic
+Communications System and Method.  US Patent 4,405,829, 1983.
+.IP "[X11] "
+R. Scheifler: X Window System Protocol, X Consortium Standard, Version
+11, Release 6.  Massachusetts Institute of Technology, Laboratory of
+Computer Science, 1994.
+.RT
+
+
+.ti 0
+Security Considerations
+
+This protocol deals with the very issue of user authentication and
+security.
+
+First of all, as an implementation issue, the server program will have
+to run as root (or equivalent) on the server machine.  This is because
+the server program will need be able to change to an arbitrary user
+id.  The server must also be able to create a privileged TCP/IP port.
+
+The client program will need to run as root if any variant of .rhosts
+authentication is to be used.  This is because the client program will
+need to create a privileged port.  The client host key is also usually
+stored in a file which is readable by root only.  The client needs the
+host key in .rhosts authentication only.  Root privileges can be
+dropped as soon as the privileged port has been created and the host
+key has been read.
+
+The SSH protocol offers major security advantages over existing telnet
+and rlogin protocols.
+.IP o
+IP spoofing is restricted to closing a connection (by encryption, host
+keys, and the special random cookie).  If encryption is not used, IP
+spoofing is possible for those who can hear packets going out from the
+server.
+.IP o
+DNS spoofing is made ineffective (by host keys).
+.IP o
+Routing spoofing is made ineffective (by host keys).
+.IP o
+All data is encrypted with strong algorithms to make eavesdropping as
+difficult as possible.  This includes encrypting any authentication
+information such as passwords.  The information for decrypting session
+keys is destroyed every hour.
+.IP o
+Strong authentication methods: .rhosts combined with RSA host
+authentication, and pure RSA authentication.
+.IP o
+X11 connections and arbitrary TCP/IP ports can be forwarded securely.
+.IP o
+Man-in-the-middle attacks are deterred by using the server host key to
+encrypt the session key.
+.IP o
+Trojan horses to catch a password by routing manipulation are deterred
+by checking that the host key of the server machine matches that
+stored on the client host.
+.RT
+
+The security of SSH against man-in-the-middle attacks and the security
+of the new form of .rhosts authentication, as well as server host
+validation, depends on the integrity of the host key and the files
+containing known host keys.
+
+The host key is normally stored in a root-readable file.  If the host
+key is compromised, it permits attackers to use IP, DNS and routing
+spoofing as with current rlogin and rsh.  It should never be any worse
+than the current situation.
+
+The files containing known host keys are not sensitive.  However, if an
+attacker gets to modify the known host key files, it has the same
+consequences as a compromised host key, because the attacker can then
+change the recorded host key.
+
+The security improvements obtained by this protocol for X11 are of
+particular significance.  Previously, there has been no way to protect
+data communicated between an X server and a client running on a remote
+machine.  By creating a fake display on the server, and forwarding all
+X11 requests over the secure channel, SSH can be used to run any X11
+applications securely without any cooperation with the vendors of the
+X server or the application.
+
+Finally, the security of this program relies on the strength of the
+underlying cryptographic algorithms.  The RSA algorithm is used for
+authentication key exchange.  It is widely believed to be secure.  Of
+the algorithms used to encrypt the session, DES has a rather small key
+these days, probably permitting governments and organized criminals to
+break it in very short time with specialized hardware.  3DES is
+probably safe (but slower).  IDEA is widely believed to be secure.
+People have varying degrees of confidence in the other algorithms.
+This program is not secure if used with no encryption at all.
+
+
+.ti 0
+Additional Information
+
+Additional information (especially on the implementation and mailing
+lists) is available via WWW at http://www.cs.hut.fi/ssh.
+
+Comments should be sent to Tatu Ylonen <ylo@cs.hut.fi> or the SSH
+Mailing List <ssh@clinet.fi>.
+
+.ti 0
+Author's Address
+
+.TS
+;
+l.
+Tatu Ylonen
+Helsinki University of Technology
+Otakaari 1
+FIN-02150 Espoo, Finland
+
+Phone: +358-0-451-3374
+Fax: +358-0-451-3293
+EMail: ylo@cs.hut.fi
+.TE
diff --git a/crypto/openssh/atomicio.c b/crypto/openssh/atomicio.c
new file mode 100644
index 0000000..8e17b58
--- /dev/null
+++ b/crypto/openssh/atomicio.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: atomicio.c,v 1.9 2001/03/02 18:54:30 deraadt Exp $");
+
+#include "xmalloc.h"
+#include "atomicio.h"
+
+/*
+ * ensure all of data on socket comes through. f==read || f==write
+ */
+ssize_t
+atomicio(f, fd, _s, n)
+	ssize_t (*f) ();
+	int fd;
+	void *_s;
+	size_t n;
+{
+	char *s = _s;
+	ssize_t res, pos = 0;
+
+	while (n > pos) {
+		res = (f) (fd, s + pos, n - pos);
+		switch (res) {
+		case -1:
+			if (errno == EINTR || errno == EAGAIN)
+				continue;
+		case 0:
+			return (res);
+		default:
+			pos += res;
+		}
+	}
+	return (pos);
+}
diff --git a/crypto/openssh/atomicio.h b/crypto/openssh/atomicio.h
new file mode 100644
index 0000000..d878687
--- /dev/null
+++ b/crypto/openssh/atomicio.h
@@ -0,0 +1,31 @@
+/*	$OpenBSD: atomicio.h,v 1.3 2001/03/02 18:54:30 deraadt Exp $	*/
+
+/*
+ * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Ensure all of data on socket comes through. f==read || f==write
+ */
+ssize_t	atomicio(ssize_t (*f)(), int fd, void *s, size_t n);
diff --git a/crypto/openssh/auth-chall.c b/crypto/openssh/auth-chall.c
new file mode 100644
index 0000000..a87799b
--- /dev/null
+++ b/crypto/openssh/auth-chall.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth-chall.c,v 1.7 2001/04/05 10:42:47 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "auth.h"
+#include "log.h"
+
+#ifdef BSD_AUTH
+char *
+get_challenge(Authctxt *authctxt, char *devs)
+{
+	char *challenge;
+
+	if (authctxt->as != NULL) {
+		debug2("try reuse session");
+		challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
+		if (challenge != NULL) {
+			debug2("reuse bsd auth session");
+			return challenge;
+		}
+		auth_close(authctxt->as);
+		authctxt->as = NULL;
+	}
+	debug2("new bsd auth session");
+	if (devs == NULL || strlen(devs) == 0)
+		devs = authctxt->style;
+	debug3("bsd auth: devs %s", devs ? devs : "<default>");
+	authctxt->as = auth_userchallenge(authctxt->user, devs, "auth-ssh",
+	    &challenge);
+	if (authctxt->as == NULL)
+		return NULL;
+	debug2("get_challenge: <%s>", challenge ? challenge : "EMPTY");
+	return challenge;
+}
+int
+verify_response(Authctxt *authctxt, char *response)
+{
+	int authok;
+
+	if (authctxt->as == 0)
+		error("verify_response: no bsd auth session");
+	authok = auth_userresponse(authctxt->as, response, 0);
+	authctxt->as = NULL;
+	debug("verify_response: <%s> = <%d>", response, authok);
+	return authok != 0;
+}
+#else
+#ifdef SKEY
+#include <opie.h>
+
+char *
+get_challenge(Authctxt *authctxt, char *devs)
+{
+	static char challenge[1024];
+	struct opie opie;
+	if (opiechallenge(&opie, authctxt->user, challenge) == -1)
+		return NULL;
+	strlcat(challenge, "\nS/Key Password: ", sizeof challenge);
+	return challenge;
+}
+int
+verify_response(Authctxt *authctxt, char *response)
+{
+	return (authctxt->valid &&
+	    opie_haskey(authctxt->pw->pw_name) == 0 &&
+	    opie_passverify(authctxt->pw->pw_name, response) != -1);
+}
+#else
+/* not available */
+char *
+get_challenge(Authctxt *authctxt, char *devs)
+{
+	return NULL;
+}
+int
+verify_response(Authctxt *authctxt, char *response)
+{
+	return 0;
+}
+#endif
+#endif
diff --git a/crypto/openssh/auth-krb4.c b/crypto/openssh/auth-krb4.c
new file mode 100644
index 0000000..bf63720
--- /dev/null
+++ b/crypto/openssh/auth-krb4.c
@@ -0,0 +1,392 @@
+/*
+ * Copyright (c) 1999 Dug Song.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "ssh.h"
+#include "ssh1.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "servconf.h"
+#include "auth.h"
+
+#ifdef AFS
+#include "radix.h"
+#endif
+
+#ifdef KRB4
+char *ticket = NULL;
+
+extern ServerOptions options;
+
+/*
+ * try krb4 authentication,
+ * return 1 on success, 0 on failure, -1 if krb4 is not available
+ */
+
+int
+auth_krb4_password(struct passwd * pw, const char *password)
+{
+	AUTH_DAT adata;
+	KTEXT_ST tkt;
+	struct hostent *hp;
+	u_long faddr;
+	char localhost[MAXHOSTNAMELEN];
+	char phost[INST_SZ];
+	char realm[REALM_SZ];
+	int r;
+
+	/*
+	 * Try Kerberos password authentication only for non-root
+	 * users and only if Kerberos is installed.
+	 */
+	if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
+
+		/* Set up our ticket file. */
+		if (!krb4_init(pw->pw_uid)) {
+			log("Couldn't initialize Kerberos ticket file for %s!",
+			    pw->pw_name);
+			goto kerberos_auth_failure;
+		}
+		/* Try to get TGT using our password. */
+		r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
+		    realm, "krbtgt", realm,
+		    DEFAULT_TKT_LIFE, (char *) password);
+		if (r != INTK_OK) {
+			packet_send_debug("Kerberos V4 password "
+			    "authentication for %s failed: %s",
+			    pw->pw_name, krb_err_txt[r]);
+			goto kerberos_auth_failure;
+		}
+		/* Successful authentication. */
+		chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+
+		/*
+		 * Now that we have a TGT, try to get a local
+		 * "rcmd" ticket to ensure that we are not talking
+		 * to a bogus Kerberos server.
+		 */
+		(void) gethostname(localhost, sizeof(localhost));
+		(void) strlcpy(phost, (char *) krb_get_phost(localhost),
+		    INST_SZ);
+		r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
+
+		if (r == KSUCCESS) {
+			if (!(hp = gethostbyname(localhost))) {
+				log("Couldn't get local host address!");
+				goto kerberos_auth_failure;
+			}
+			memmove((void *) &faddr, (void *) hp->h_addr,
+			    sizeof(faddr));
+
+			/* Verify our "rcmd" ticket. */
+			r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
+			    faddr, &adata, "");
+			if (r == RD_AP_UNDEC) {
+				/*
+				 * Probably didn't have a srvtab on
+				 * localhost. Disallow login.
+				 */
+				log("Kerberos V4 TGT for %s unverifiable, "
+				    "no srvtab installed? krb_rd_req: %s",
+				    pw->pw_name, krb_err_txt[r]);
+				goto kerberos_auth_failure;
+			} else if (r != KSUCCESS) {
+				log("Kerberos V4 %s ticket unverifiable: %s",
+				    KRB4_SERVICE_NAME, krb_err_txt[r]);
+				goto kerberos_auth_failure;
+			}
+		} else if (r == KDC_PR_UNKNOWN) {
+			/*
+			 * Disallow login if no rcmd service exists, and
+			 * log the error.
+			 */
+			log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
+			    "not registered, or srvtab is wrong?", pw->pw_name,
+			krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+			goto kerberos_auth_failure;
+		} else {
+			/*
+			 * TGT is bad, forget it. Possibly spoofed!
+			 */
+			packet_send_debug("WARNING: Kerberos V4 TGT "
+			    "possibly spoofed for %s: %s",
+			    pw->pw_name, krb_err_txt[r]);
+			goto kerberos_auth_failure;
+		}
+
+		/* Authentication succeeded. */
+		return 1;
+
+kerberos_auth_failure:
+		krb4_cleanup_proc(NULL);
+
+		if (!options.krb4_or_local_passwd)
+			return 0;
+	} else {
+		/* Logging in as root or no local Kerberos realm. */
+		packet_send_debug("Unable to authenticate to Kerberos.");
+	}
+	/* Fall back to ordinary passwd authentication. */
+	return -1;
+}
+
+void
+krb4_cleanup_proc(void *ignore)
+{
+	debug("krb4_cleanup_proc called");
+	if (ticket) {
+		(void) dest_tkt();
+		xfree(ticket);
+		ticket = NULL;
+	}
+}
+
+int
+krb4_init(uid_t uid)
+{
+	static int cleanup_registered = 0;
+	const char *tkt_root = TKT_ROOT;
+	struct stat st;
+	int fd;
+
+	if (!ticket) {
+		/* Set unique ticket string manually since we're still root. */
+		ticket = xmalloc(MAXPATHLEN);
+#ifdef AFS
+		if (lstat("/ticket", &st) != -1)
+			tkt_root = "/ticket/";
+#endif /* AFS */
+		snprintf(ticket, MAXPATHLEN, "%s%u_%d", tkt_root, uid, getpid());
+		(void) krb_set_tkt_string(ticket);
+	}
+	/* Register ticket cleanup in case of fatal error. */
+	if (!cleanup_registered) {
+		fatal_add_cleanup(krb4_cleanup_proc, NULL);
+		cleanup_registered = 1;
+	}
+	/* Try to create our ticket file. */
+	if ((fd = mkstemp(ticket)) != -1) {
+		close(fd);
+		return 1;
+	}
+	/* Ticket file exists - make sure user owns it (just passed ticket). */
+	if (lstat(ticket, &st) != -1) {
+		if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
+		    st.st_uid == uid)
+			return 1;
+	}
+	/* Failure - cancel cleanup function, leaving bad ticket for inspection. */
+	log("WARNING: bad ticket file %s", ticket);
+	fatal_remove_cleanup(krb4_cleanup_proc, NULL);
+	cleanup_registered = 0;
+	xfree(ticket);
+	ticket = NULL;
+
+	return 0;
+}
+
+int
+auth_krb4(const char *server_user, KTEXT auth, char **client)
+{
+	AUTH_DAT adat = {0};
+	KTEXT_ST reply;
+	char instance[INST_SZ];
+	int r, s;
+	socklen_t slen;
+	u_int cksum;
+	Key_schedule schedule;
+	struct sockaddr_in local, foreign;
+
+	s = packet_get_connection_in();
+
+	slen = sizeof(local);
+	memset(&local, 0, sizeof(local));
+	if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
+		debug("getsockname failed: %.100s", strerror(errno));
+	slen = sizeof(foreign);
+	memset(&foreign, 0, sizeof(foreign));
+	if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
+		debug("getpeername failed: %.100s", strerror(errno));
+		fatal_cleanup();
+	}
+	instance[0] = '*';
+	instance[1] = 0;
+
+	/* Get the encrypted request, challenge, and session key. */
+	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
+		packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
+		return 0;
+	}
+	des_key_sched((des_cblock *) adat.session, schedule);
+
+	*client = xmalloc(MAX_K_NAME_SZ);
+	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
+	    *adat.pinst ? "." : "", adat.pinst, adat.prealm);
+
+	/* Check ~/.klogin authorization now. */
+	if (kuserok(&adat, (char *) server_user) != KSUCCESS) {
+		packet_send_debug("Kerberos V4 .klogin authorization failed!");
+		log("Kerberos V4 .klogin authorization failed for %s to account %s",
+		    *client, server_user);
+		xfree(*client);
+		return 0;
+	}
+	/* Increment the checksum, and return it encrypted with the
+	   session key. */
+	cksum = adat.checksum + 1;
+	cksum = htonl(cksum);
+
+	/* If we can't successfully encrypt the checksum, we send back an
+	   empty message, admitting our failure. */
+	if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
+	    schedule, &adat.session, &local, &foreign)) < 0) {
+		packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
+		reply.dat[0] = 0;
+		reply.length = 0;
+	} else
+		reply.length = r;
+
+	/* Clear session key. */
+	memset(&adat.session, 0, sizeof(&adat.session));
+
+	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+	packet_put_string((char *) reply.dat, reply.length);
+	packet_send();
+	packet_write_wait();
+	return 1;
+}
+#endif /* KRB4 */
+
+#ifdef AFS
+int
+auth_krb4_tgt(struct passwd *pw, const char *string)
+{
+	CREDENTIALS creds;
+
+	if (pw == NULL)
+		goto auth_kerberos_tgt_failure;
+	if (!radix_to_creds(string, &creds)) {
+		log("Protocol error decoding Kerberos V4 tgt");
+		packet_send_debug("Protocol error decoding Kerberos V4 tgt");
+		goto auth_kerberos_tgt_failure;
+	}
+	if (strncmp(creds.service, "", 1) == 0)	/* backward compatibility */
+		strlcpy(creds.service, "krbtgt", sizeof creds.service);
+
+	if (strcmp(creds.service, "krbtgt")) {
+		log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
+		    creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
+		    pw->pw_name);
+		packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
+		    creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
+		    creds.realm, pw->pw_name);
+		goto auth_kerberos_tgt_failure;
+	}
+	if (!krb4_init(pw->pw_uid))
+		goto auth_kerberos_tgt_failure;
+
+	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
+		goto auth_kerberos_tgt_failure;
+
+	if (save_credentials(creds.service, creds.instance, creds.realm,
+	    creds.session, creds.lifetime, creds.kvno,
+	    &creds.ticket_st, creds.issue_date) != KSUCCESS) {
+		packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
+		goto auth_kerberos_tgt_failure;
+	}
+	/* Successful authentication, passed all checks. */
+	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+
+	packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
+	    creds.service, creds.instance, creds.realm, creds.pname,
+	    creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
+	memset(&creds, 0, sizeof(creds));
+	packet_start(SSH_SMSG_SUCCESS);
+	packet_send();
+	packet_write_wait();
+	return 1;
+
+auth_kerberos_tgt_failure:
+	krb4_cleanup_proc(NULL);
+	memset(&creds, 0, sizeof(creds));
+	packet_start(SSH_SMSG_FAILURE);
+	packet_send();
+	packet_write_wait();
+	return 0;
+}
+
+int
+auth_afs_token(struct passwd *pw, const char *token_string)
+{
+	CREDENTIALS creds;
+	uid_t uid;
+
+	if (pw == NULL) {
+		/* XXX fake protocol error */
+		packet_send_debug("Protocol error decoding AFS token");
+		packet_start(SSH_SMSG_FAILURE);
+		packet_send();
+		packet_write_wait();
+		return 0;
+	}
+	if (!radix_to_creds(token_string, &creds)) {
+		log("Protocol error decoding AFS token");
+		packet_send_debug("Protocol error decoding AFS token");
+		packet_start(SSH_SMSG_FAILURE);
+		packet_send();
+		packet_write_wait();
+		return 0;
+	}
+	if (strncmp(creds.service, "", 1) == 0)	/* backward compatibility */
+		strlcpy(creds.service, "afs", sizeof creds.service);
+
+	if (strncmp(creds.pname, "AFS ID ", 7) == 0)
+		uid = atoi(creds.pname + 7);
+	else
+		uid = pw->pw_uid;
+
+	if (kafs_settoken(creds.realm, uid, &creds)) {
+		log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
+		    pw->pw_name);
+		packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
+		    creds.realm, pw->pw_name);
+		memset(&creds, 0, sizeof(creds));
+		packet_start(SSH_SMSG_FAILURE);
+		packet_send();
+		packet_write_wait();
+		return 0;
+	}
+	packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
+	    creds.realm, creds.pname, creds.realm);
+	memset(&creds, 0, sizeof(creds));
+	packet_start(SSH_SMSG_SUCCESS);
+	packet_send();
+	packet_write_wait();
+	return 1;
+}
+#endif /* AFS */
diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c
new file mode 100644
index 0000000..efe9376
--- /dev/null
+++ b/crypto/openssh/auth-krb5.c
@@ -0,0 +1,250 @@
+/*
+ *    Kerberos v5 authentication and ticket-passing routines.
+ * 
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+#include "ssh.h"
+#include "ssh1.h"
+#include "packet.h"
+#include "xmalloc.h"
+
+#ifdef KRB5
+
+krb5_context ssh_context = NULL;
+krb5_auth_context auth_context;
+krb5_ccache mem_ccache = NULL; /* Credential cache for acquired ticket */
+
+/* Try krb5 authentication. server_user is passed for logging purposes only,
+   in auth is received ticket, in client is returned principal from the
+   ticket */
+int 
+auth_krb5(const char* server_user, krb5_data *auth, krb5_principal *client)
+{
+	krb5_error_code problem;
+	krb5_principal server = NULL;
+	krb5_principal tkt_client = NULL;
+	krb5_data reply;
+	krb5_ticket *ticket = NULL;
+	int fd;
+	int ret;
+	
+	reply.length = 0;
+	
+	problem = krb5_init();
+	if (problem) 
+	   return 0;
+	
+	problem = krb5_auth_con_init(ssh_context, &auth_context);
+	if (problem) {
+	  log("Kerberos v5 authentication failed: %.100s",
+	       krb5_get_err_text(ssh_context, problem));
+
+	  return 0;
+	}
+	
+       fd = packet_get_connection_in();
+       problem = krb5_auth_con_setaddrs_from_fd(ssh_context, auth_context, &fd);
+       if (problem) {
+	 ret = 0;
+	 goto err; 
+       }
+	
+	problem = krb5_sname_to_principal(ssh_context,  NULL, NULL ,
+	    KRB5_NT_SRV_HST, &server);
+	if (problem) {
+	    ret = 0;
+	    goto err;
+	}
+	
+	problem = krb5_rd_req(ssh_context, &auth_context, auth, server, NULL,
+	    NULL, &ticket);
+	if (problem) {
+	  ret = 0;
+	  goto err;
+	}
+	
+	problem = krb5_copy_principal(ssh_context, ticket->client, &tkt_client);
+	if (problem) {
+	  ret = 0;
+	  goto err;
+	}
+	
+	/* if client wants mutual auth */
+	problem = krb5_mk_rep(ssh_context, auth_context, &reply);
+	if (problem) {
+	  ret = 0;
+	  goto err;
+	}
+	
+	*client = tkt_client;
+	
+	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+	packet_put_string((char *) reply.data, reply.length);
+	packet_send();
+	packet_write_wait();
+	ret = 1;
+	  
+err:
+	if (server)
+	  krb5_free_principal(ssh_context, server);
+	if (ticket)
+	  krb5_free_ticket(ssh_context, ticket);
+	if (reply.length)
+	  xfree(reply.data);
+	return ret;
+}
+
+int
+auth_krb5_tgt(char *server_user, krb5_data *tgt, krb5_principal tkt_client)
+{
+  krb5_error_code problem;
+  krb5_ccache ccache = NULL;
+  
+  if (ssh_context == NULL) {
+     goto fail;
+  }
+  
+  problem = krb5_cc_gen_new(ssh_context, &krb5_mcc_ops, &ccache);
+  if (problem) {
+     goto fail;
+  }
+  
+  problem = krb5_cc_initialize(ssh_context, ccache, tkt_client);
+  if (problem) {
+     goto fail;
+  }
+    
+  problem = krb5_rd_cred2(ssh_context, auth_context, ccache, tgt);
+  if (problem) {
+     goto fail;
+  }
+  
+  mem_ccache = ccache;
+  ccache = NULL;
+  
+  /*
+  problem = krb5_cc_copy_cache(ssh_context, ccache, mem_ccache);
+  if (problem) {
+     mem_ccache = NULL;
+     goto fail; 
+  }
+  
+  
+  problem = krb5_cc_destroy(ssh_context, ccache);
+  if (problem)
+     goto fail;
+     */
+  
+#if 0
+  packet_start(SSH_SMSG_SUCCESS);
+  packet_send();
+  packet_write_wait();
+#endif 
+  return 1;
+  
+fail:
+  if (ccache)
+     krb5_cc_destroy(ssh_context, ccache);
+#if 0
+  packet_start(SSH_SMSG_FAILURE);
+  packet_send();
+  packet_write_wait();
+#endif
+  return 0;
+}
+
+int
+auth_krb5_password(struct passwd *pw, const char *password)
+{
+  krb5_error_code problem;
+  krb5_ccache ccache = NULL;
+  krb5_principal client = NULL; 
+  int ret;
+  
+  problem = krb5_init();
+  if (problem)
+     return 0;
+  
+  problem = krb5_parse_name(ssh_context, pw->pw_name, &client);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+
+  problem = krb5_cc_gen_new(ssh_context, &krb5_mcc_ops, &ccache);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+ 
+  problem = krb5_cc_initialize(ssh_context, ccache, client);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+  
+  problem = krb5_verify_user(ssh_context, client, ccache, password, 1, NULL);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+  
+/*
+  problem = krb5_cc_copy_cache(ssh_context, ccache, mem_ccache);
+  if (problem) { 
+     ret = 0;
+     mem_ccache = NULL;
+     goto out;
+  }
+  */
+  mem_ccache = ccache;
+  ccache = NULL;
+  
+  ret = 1;
+out:
+  if (client != NULL)
+     krb5_free_principal(ssh_context, client);
+  if (ccache != NULL)
+     krb5_cc_destroy(ssh_context, ccache);
+  return ret;
+}
+
+void
+krb5_cleanup_proc(void *ignore)
+{
+   extern krb5_principal tkt_client;
+   
+   debug("krb5_cleanup_proc() called");
+   if (mem_ccache)
+      krb5_cc_destroy(ssh_context, mem_ccache);
+   if (tkt_client)
+      krb5_free_principal(ssh_context, tkt_client);
+   if (auth_context)
+      krb5_auth_con_free(ssh_context, auth_context);
+   if (ssh_context)
+      krb5_free_context(ssh_context);
+}
+ 
+int
+krb5_init(void)
+{  
+   krb5_error_code problem;
+   static cleanup_registered = 0;
+   
+   if (ssh_context == NULL) {
+      problem = krb5_init_context(&ssh_context);
+      if (problem)
+	 return problem;
+      krb5_init_ets(ssh_context);
+   }
+  
+   if (!cleanup_registered) {
+      fatal_add_cleanup(krb5_cleanup_proc, NULL);
+     cleanup_registered = 1;
+   }
+   return 0;
+}
+   
+#endif /* KRB5 */
diff --git a/crypto/openssh/auth-options.c b/crypto/openssh/auth-options.c
new file mode 100644
index 0000000..443f541
--- /dev/null
+++ b/crypto/openssh/auth-options.c
@@ -0,0 +1,300 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth-options.c,v 1.16 2001/03/18 12:07:52 markus Exp $");
+
+#include "packet.h"
+#include "xmalloc.h"
+#include "match.h"
+#include "log.h"
+#include "canohost.h"
+#include "channels.h"
+#include "auth-options.h"
+#include "servconf.h"
+
+/* Flags set authorized_keys flags */
+int no_port_forwarding_flag = 0;
+int no_agent_forwarding_flag = 0;
+int no_x11_forwarding_flag = 0;
+int no_pty_flag = 0;
+
+/* "command=" option. */
+char *forced_command = NULL;
+
+/* "environment=" options. */
+struct envstring *custom_environment = NULL;
+
+extern ServerOptions options;
+
+void
+auth_clear_options(void)
+{
+	no_agent_forwarding_flag = 0;
+	no_port_forwarding_flag = 0;
+	no_pty_flag = 0;
+	no_x11_forwarding_flag = 0;
+	while (custom_environment) {
+		struct envstring *ce = custom_environment;
+		custom_environment = ce->next;
+		xfree(ce->s);
+		xfree(ce);
+	}
+	if (forced_command) {
+		xfree(forced_command);
+		forced_command = NULL;
+	}
+	channel_clear_permitted_opens();
+}
+
+/*
+ * return 1 if access is granted, 0 if not.
+ * side effect: sets key option flags
+ */
+int
+auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
+{
+	const char *cp;
+	int i;
+
+	/* reset options */
+	auth_clear_options();
+
+	if (!opts)
+		return 1;
+
+	while (*opts && *opts != ' ' && *opts != '\t') {
+		cp = "no-port-forwarding";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			packet_send_debug("Port forwarding disabled.");
+			no_port_forwarding_flag = 1;
+			opts += strlen(cp);
+			goto next_option;
+		}
+		cp = "no-agent-forwarding";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			packet_send_debug("Agent forwarding disabled.");
+			no_agent_forwarding_flag = 1;
+			opts += strlen(cp);
+			goto next_option;
+		}
+		cp = "no-X11-forwarding";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			packet_send_debug("X11 forwarding disabled.");
+			no_x11_forwarding_flag = 1;
+			opts += strlen(cp);
+			goto next_option;
+		}
+		cp = "no-pty";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			packet_send_debug("Pty allocation disabled.");
+			no_pty_flag = 1;
+			opts += strlen(cp);
+			goto next_option;
+		}
+		cp = "command=\"";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			opts += strlen(cp);
+			forced_command = xmalloc(strlen(opts) + 1);
+			i = 0;
+			while (*opts) {
+				if (*opts == '"')
+					break;
+				if (*opts == '\\' && opts[1] == '"') {
+					opts += 2;
+					forced_command[i++] = '"';
+					continue;
+				}
+				forced_command[i++] = *opts++;
+			}
+			if (!*opts) {
+				debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				packet_send_debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				xfree(forced_command);
+				forced_command = NULL;
+				goto bad_option;
+			}
+			forced_command[i] = 0;
+			packet_send_debug("Forced command: %.900s", forced_command);
+			opts++;
+			goto next_option;
+		}
+		cp = "environment=\"";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			char *s;
+			struct envstring *new_envstring;
+
+			opts += strlen(cp);
+			s = xmalloc(strlen(opts) + 1);
+			i = 0;
+			while (*opts) {
+				if (*opts == '"')
+					break;
+				if (*opts == '\\' && opts[1] == '"') {
+					opts += 2;
+					s[i++] = '"';
+					continue;
+				}
+				s[i++] = *opts++;
+			}
+			if (!*opts) {
+				debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				packet_send_debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				xfree(s);
+				goto bad_option;
+			}
+			s[i] = 0;
+			packet_send_debug("Adding to environment: %.900s", s);
+			debug("Adding to environment: %.900s", s);
+			opts++;
+			new_envstring = xmalloc(sizeof(struct envstring));
+			new_envstring->s = s;
+			new_envstring->next = custom_environment;
+			custom_environment = new_envstring;
+			goto next_option;
+		}
+		cp = "from=\"";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			int mname, mip;
+			const char *remote_ip = get_remote_ipaddr();
+			const char *remote_host = get_canonical_hostname(
+			    options.reverse_mapping_check);
+			char *patterns = xmalloc(strlen(opts) + 1);
+
+			opts += strlen(cp);
+			i = 0;
+			while (*opts) {
+				if (*opts == '"')
+					break;
+				if (*opts == '\\' && opts[1] == '"') {
+					opts += 2;
+					patterns[i++] = '"';
+					continue;
+				}
+				patterns[i++] = *opts++;
+			}
+			if (!*opts) {
+				debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				packet_send_debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				xfree(patterns);
+				goto bad_option;
+			}
+			patterns[i] = 0;
+			opts++;
+			/*
+			 * Deny access if we get a negative
+			 * match for the hostname or the ip
+			 * or if we get not match at all
+			 */
+			mname = match_hostname(remote_host, patterns,
+			    strlen(patterns));
+			mip = match_hostname(remote_ip, patterns,
+			    strlen(patterns));
+			xfree(patterns);
+			if (mname == -1 || mip == -1 ||
+			    (mname != 1 && mip != 1)) {
+				log("Authentication tried for %.100s with "
+				    "correct key but not from a permitted "
+				    "host (host=%.200s, ip=%.200s).",
+				    pw->pw_name, remote_host, remote_ip);
+				packet_send_debug("Your host '%.200s' is not "
+				    "permitted to use this key for login.",
+				    remote_host);
+				/* deny access */
+				return 0;
+			}
+			/* Host name matches. */
+			goto next_option;
+		}
+		cp = "permitopen=\"";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			u_short port;
+			char *c, *ep;
+			char *patterns = xmalloc(strlen(opts) + 1);
+
+			opts += strlen(cp);
+			i = 0;
+			while (*opts) {
+				if (*opts == '"')
+					break;
+				if (*opts == '\\' && opts[1] == '"') {
+					opts += 2;
+					patterns[i++] = '"';
+					continue;
+				}
+				patterns[i++] = *opts++;
+			}
+			if (!*opts) {
+				debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				packet_send_debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				xfree(patterns);
+				goto bad_option;
+			}
+			patterns[i] = 0;
+			opts++;
+			c = strchr(patterns, ':');
+			if (c == NULL) {
+				debug("%.100s, line %lu: permitopen: missing colon <%.100s>",
+				    file, linenum, patterns);
+				packet_send_debug("%.100s, line %lu: missing colon",
+				    file, linenum);
+				xfree(patterns);
+				goto bad_option;
+			}
+			*c = 0;
+			c++;
+			port = strtol(c, &ep, 0);
+			if (c == ep) {
+				debug("%.100s, line %lu: permitopen: missing port <%.100s>",
+				    file, linenum, patterns);
+				packet_send_debug("%.100s, line %lu: missing port",
+				    file, linenum);
+				xfree(patterns);
+				goto bad_option;
+			}
+			if (options.allow_tcp_forwarding)
+				channel_add_permitted_opens(patterns, port);
+			xfree(patterns);
+			goto next_option;
+		}
+next_option:
+		/*
+		 * Skip the comma, and move to the next option
+		 * (or break out if there are no more).
+		 */
+		if (!*opts)
+			fatal("Bugs in auth-options.c option processing.");
+		if (*opts == ' ' || *opts == '\t')
+			break;		/* End of options. */
+		if (*opts != ',')
+			goto bad_option;
+		opts++;
+		/* Process the next option. */
+	}
+	/* grant access */
+	return 1;
+
+bad_option:
+	log("Bad options in %.100s file, line %lu: %.50s",
+	    file, linenum, opts);
+	packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
+	    file, linenum, opts);
+	/* deny access */
+	return 0;
+}
diff --git a/crypto/openssh/auth-options.h b/crypto/openssh/auth-options.h
new file mode 100644
index 0000000..8ee2694
--- /dev/null
+++ b/crypto/openssh/auth-options.h
@@ -0,0 +1,44 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Functions to interface with the SSH_AUTHENTICATION_FD socket.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* $OpenBSD: auth-options.h,v 1.8 2001/01/21 19:05:42 markus Exp $ */
+
+#ifndef AUTH_OPTIONS_H
+#define AUTH_OPTIONS_H
+
+/* Linked list of custom environment strings */
+struct envstring {
+	struct envstring *next;
+	char   *s;
+};
+
+/* Flags that may be set in authorized_keys options. */
+extern int no_port_forwarding_flag;
+extern int no_agent_forwarding_flag;
+extern int no_x11_forwarding_flag;
+extern int no_pty_flag;
+extern char *forced_command;
+extern struct envstring *custom_environment;
+
+/*
+ * return 1 if access is granted, 0 if not.
+ * side effect: sets key option flags
+ */
+int
+auth_parse_options(struct passwd *pw, char *options, char *file,
+    u_long linenum);
+
+/* reset options flags */
+void	auth_clear_options(void);
+
+#endif
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
new file mode 100644
index 0000000..16d5ac7
--- /dev/null
+++ b/crypto/openssh/auth-pam.c
@@ -0,0 +1,818 @@
+/*
+ * Copyright (c) 2000 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#ifdef USE_PAM
+#include <security/pam_appl.h>
+#include "ssh.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "servconf.h"
+#include "readpass.h"
+#include "canohost.h"
+
+RCSID("$FreeBSD$");
+
+#define NEW_AUTHTOK_MSG \
+	"Warning: Your password has expired, please change it now"
+
+#define SSHD_PAM_SERVICE "sshd"
+#define PAM_STRERROR(a, b) pam_strerror((a), (b))
+
+/* Callbacks */
+static int do_pam_conversation(int num_msg, const struct pam_message **msg,
+	  struct pam_response **resp, void *appdata_ptr);
+void do_pam_cleanup_proc(void *context);
+void pam_msg_cat(const char *msg);
+
+/* module-local variables */
+static struct pam_conv conv = {
+	do_pam_conversation,
+	NULL
+};
+static pam_handle_t *pamh = NULL;
+static const char *pampasswd = NULL;
+static char *pam_msg = NULL;
+extern ServerOptions options;
+
+/* states for do_pam_conversation() */
+typedef enum { INITIAL_LOGIN, OTHER } pamstates;
+static pamstates pamstate = INITIAL_LOGIN;
+/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
+static int password_change_required = 0;
+/* remember whether the last pam_authenticate() succeeded or not */
+static int was_authenticated = 0;
+
+/* Remember what has been initialised */
+static int session_opened = 0;
+static int creds_set = 0;
+
+/*
+ * accessor which allows us to switch conversation structs according to
+ * the authentication method being used
+ */
+void do_pam_set_conv(struct pam_conv *conv)
+{
+	pam_set_item(pamh, PAM_CONV, conv);
+}
+
+/*
+ * PAM conversation function.
+ * There are two states this can run in.
+ *
+ * INITIAL_LOGIN mode simply feeds the password from the client into
+ * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
+ * messages with pam_msg_cat().  This is used during initial
+ * authentication to bypass the normal PAM password prompt.
+ *
+ * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1)
+ * and outputs messages to stderr. This mode is used if pam_chauthtok()
+ * is called to update expired passwords.
+ */
+static int do_pam_conversation(int num_msg, const struct pam_message **msg,
+	struct pam_response **resp, void *appdata_ptr)
+{
+	struct pam_response *reply;
+	int count;
+	char buf[1024];
+
+	/* PAM will free this later */
+	reply = malloc(num_msg * sizeof(*reply));
+	if (reply == NULL)
+		return PAM_CONV_ERR; 
+
+	for (count = 0; count < num_msg; count++) {
+		switch ((*msg)[count].msg_style) {
+			case PAM_PROMPT_ECHO_ON:
+				if (pamstate == INITIAL_LOGIN) {
+					free(reply);
+					return PAM_CONV_ERR;
+				} else {
+					fputs((*msg)[count].msg, stderr);
+					fgets(buf, sizeof(buf), stdin);
+					reply[count].resp = xstrdup(buf);
+					reply[count].resp_retcode = PAM_SUCCESS;
+					break;
+				}
+			case PAM_PROMPT_ECHO_OFF:
+				if (pamstate == INITIAL_LOGIN) {
+					if (pampasswd == NULL) {
+						free(reply);
+						return PAM_CONV_ERR;
+					}
+					reply[count].resp = xstrdup(pampasswd);
+				} else {
+					reply[count].resp = 
+						xstrdup(read_passphrase((*msg)[count].msg, 1));
+				}
+				reply[count].resp_retcode = PAM_SUCCESS;
+				break;
+			case PAM_ERROR_MSG:
+			case PAM_TEXT_INFO:
+				if ((*msg)[count].msg != NULL) {
+					if (pamstate == INITIAL_LOGIN)
+						pam_msg_cat((*msg)[count].msg);
+					else {
+						fputs((*msg)[count].msg, stderr);
+						fputs("\n", stderr);
+					}
+				}
+				reply[count].resp = xstrdup("");
+				reply[count].resp_retcode = PAM_SUCCESS;
+				break;
+			default:
+				free(reply);
+				return PAM_CONV_ERR;
+		}
+	}
+
+	*resp = reply;
+
+	return PAM_SUCCESS;
+}
+
+/* Called at exit to cleanly shutdown PAM */
+void do_pam_cleanup_proc(void *context)
+{
+	int pam_retval;
+
+	if (pamh != NULL && session_opened) {
+		pam_retval = pam_close_session(pamh, 0);
+		if (pam_retval != PAM_SUCCESS) {
+			log("Cannot close PAM session[%d]: %.200s", 
+				pam_retval, PAM_STRERROR(pamh, pam_retval));
+		}
+	}
+
+	if (pamh != NULL && creds_set) {
+		pam_retval = pam_setcred(pamh, PAM_DELETE_CRED);
+		if (pam_retval != PAM_SUCCESS) {
+			debug("Cannot delete credentials[%d]: %.200s", 
+				pam_retval, PAM_STRERROR(pamh, pam_retval));
+		}
+	}
+
+	if (pamh != NULL) {
+		pam_retval = pam_end(pamh, pam_retval);
+		if (pam_retval != PAM_SUCCESS) {
+			log("Cannot release PAM authentication[%d]: %.200s", 
+				pam_retval, PAM_STRERROR(pamh, pam_retval));
+		}
+	}
+}
+
+/* Attempt password authentation using PAM */
+int auth_pam_password(Authctxt *authctxt, const char *password)
+{
+	struct passwd *pw = authctxt->pw;
+	int pam_retval;
+
+	do_pam_set_conv(&conv);
+
+	/* deny if no user. */
+	if (pw == NULL)
+		return 0;
+	if (pw->pw_uid == 0 && options.permit_root_login == 2)
+		return 0;
+	if (*password == '\0' && options.permit_empty_passwd == 0)
+		return 0;
+
+	pampasswd = password;
+	
+	pamstate = INITIAL_LOGIN;
+	pam_retval = pam_authenticate(pamh, 0);
+	was_authenticated = (pam_retval == PAM_SUCCESS);
+	if (pam_retval == PAM_SUCCESS) {
+		debug("PAM Password authentication accepted for user \"%.100s\"", 
+			pw->pw_name);
+		return 1;
+	} else {
+		debug("PAM Password authentication for \"%.100s\" failed[%d]: %s", 
+			pw->pw_name, pam_retval, PAM_STRERROR(pamh, pam_retval));
+		return 0;
+	}
+}
+
+/* Do account management using PAM */
+int do_pam_account(char *username, char *remote_user)
+{
+	int pam_retval;
+
+	do_pam_set_conv(&conv);
+	
+	debug("PAM setting rhost to \"%.200s\"", 
+	    get_canonical_hostname(options.reverse_mapping_check));
+	pam_retval = pam_set_item(pamh, PAM_RHOST, 
+		get_canonical_hostname(options.reverse_mapping_check));
+	if (pam_retval != PAM_SUCCESS) {
+		fatal("PAM set rhost failed[%d]: %.200s", 
+			pam_retval, PAM_STRERROR(pamh, pam_retval));
+	}
+
+	if (remote_user != NULL) {
+		debug("PAM setting ruser to \"%.200s\"", remote_user);
+		pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user);
+		if (pam_retval != PAM_SUCCESS) {
+			fatal("PAM set ruser failed[%d]: %.200s", 
+				pam_retval, PAM_STRERROR(pamh, pam_retval));
+		}
+	}
+
+	pam_retval = pam_acct_mgmt(pamh, 0);
+	switch (pam_retval) {
+		case PAM_SUCCESS:
+			/* This is what we want */
+			break;
+		case PAM_NEW_AUTHTOK_REQD:
+			pam_msg_cat(NEW_AUTHTOK_MSG);
+			/* flag that password change is necessary */
+			password_change_required = 1;
+			break;
+		default:
+			log("PAM rejected by account configuration[%d]: %.200s", 
+				pam_retval, PAM_STRERROR(pamh, pam_retval));
+			return(0);
+	}
+	
+	return(1);
+}
+
+/* Do PAM-specific session initialisation */
+void do_pam_session(char *username, const char *ttyname)
+{
+	int pam_retval;
+
+	do_pam_set_conv(&conv);
+
+	if (ttyname != NULL) {
+		debug("PAM setting tty to \"%.200s\"", ttyname);
+		pam_retval = pam_set_item(pamh, PAM_TTY, ttyname);
+		if (pam_retval != PAM_SUCCESS) {
+			fatal("PAM set tty failed[%d]: %.200s", 
+				pam_retval, PAM_STRERROR(pamh, pam_retval));
+		}
+	}
+
+	debug("do_pam_session: euid %u, uid %u", geteuid(), getuid());
+	pam_retval = pam_open_session(pamh, 0);
+	if (pam_retval != PAM_SUCCESS) {
+		fatal("PAM session setup failed[%d]: %.200s", 
+			pam_retval, PAM_STRERROR(pamh, pam_retval));
+	}
+
+	session_opened = 1;
+}
+
+/* Set PAM credentials */ 
+void do_pam_setcred(void)
+{
+	int pam_retval;
+
+	do_pam_set_conv(&conv);
+ 
+	debug("PAM establishing creds");
+	pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+	if (pam_retval != PAM_SUCCESS) {
+		if (was_authenticated)
+			fatal("PAM setcred failed[%d]: %.200s",
+			      pam_retval, PAM_STRERROR(pamh, pam_retval));
+		else
+			debug("PAM setcred failed[%d]: %.200s",
+			      pam_retval, PAM_STRERROR(pamh, pam_retval));
+	} else
+		creds_set = 1;
+}
+
+/* accessor function for file scope static variable */
+int pam_password_change_required(void)
+{
+	return password_change_required;
+}
+
+/* 
+ * Have user change authentication token if pam_acct_mgmt() indicated
+ * it was expired.  This needs to be called after an interactive
+ * session is established and the user's pty is connected to
+ * stdin/stout/stderr.
+ */
+void do_pam_chauthtok(void)
+{
+	int pam_retval;
+
+	do_pam_set_conv(&conv);
+
+	if (password_change_required) {
+		pamstate = OTHER;
+		/*
+		 * XXX: should we really loop forever?
+		 */
+		do {
+			pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+			if (pam_retval != PAM_SUCCESS) {
+				log("PAM pam_chauthtok failed[%d]: %.200s", 
+					pam_retval, PAM_STRERROR(pamh, pam_retval));
+			}
+		} while (pam_retval != PAM_SUCCESS);
+	}
+}
+
+/* Cleanly shutdown PAM */
+void finish_pam(void)
+{
+	do_pam_cleanup_proc(NULL);
+	fatal_remove_cleanup(&do_pam_cleanup_proc, NULL);
+}
+
+/* Start PAM authentication for specified account */
+void start_pam(struct passwd *pw)
+{
+	int pam_retval;
+
+	debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
+
+	pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, &pamh);
+
+	if (pam_retval != PAM_SUCCESS) {
+		fatal("PAM initialisation failed[%d]: %.200s", 
+			pam_retval, PAM_STRERROR(pamh, pam_retval));
+	}
+
+#ifdef PAM_TTY_KLUDGE
+	/*
+	 * Some PAM modules (e.g. pam_time) require a TTY to operate,
+	 * and will fail in various stupid ways if they don't get one. 
+	 * sshd doesn't set the tty until too late in the auth process and may
+	 * not even need one (for tty-less connections)
+	 * Kludge: Set a fake PAM_TTY 
+	 */
+	pam_retval = pam_set_item(pamh, PAM_TTY, "ssh");
+	if (pam_retval != PAM_SUCCESS) {
+		fatal("PAM set tty failed[%d]: %.200s", 
+			pam_retval, PAM_STRERROR(pamh, pam_retval));
+	}
+#endif /* PAM_TTY_KLUDGE */
+
+	fatal_add_cleanup(&do_pam_cleanup_proc, NULL);
+}
+
+/* Return list of PAM enviornment strings */
+char **fetch_pam_environment(void)
+{
+#ifdef HAVE_PAM_GETENVLIST
+	return(pam_getenvlist(pamh));
+#else /* HAVE_PAM_GETENVLIST */
+	return(NULL);
+#endif /* HAVE_PAM_GETENVLIST */
+}
+
+/* Print any messages that have been generated during authentication */
+/* or account checking to stderr */
+void print_pam_messages(void)
+{
+	if (pam_msg != NULL)
+		fputs(pam_msg, stderr);
+}
+
+/* Append a message to the PAM message buffer */
+void pam_msg_cat(const char *msg)
+{
+	char *p;
+	size_t new_msg_len;
+	size_t pam_msg_len;
+	
+	new_msg_len = strlen(msg);
+	
+	if (pam_msg) {
+		pam_msg_len = strlen(pam_msg);
+		pam_msg = xrealloc(pam_msg, new_msg_len + pam_msg_len + 2);
+		p = pam_msg + pam_msg_len;
+	} else {
+		pam_msg = p = xmalloc(new_msg_len + 2);
+	}
+
+	memcpy(p, msg, new_msg_len);
+	p[new_msg_len] = '\n';
+	p[new_msg_len + 1] = '\0';
+}
+
+struct inverted_pam_userdata {
+    /*
+     * Pipe for telling whether we are doing conversation or sending
+     * authentication results.
+     */
+    int statefd[2];
+    int challengefd[2];
+    int responsefd[2];
+
+    /* Whether we have sent off our challenge */
+    int state;
+};
+
+#define STATE_CONV	1
+#define STATE_AUTH_OK	2
+#define STATE_AUTH_FAIL	3
+
+int
+ssh_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp,
+	 void *userdata) {
+	int i;
+	FILE *reader;
+	char buf[1024];
+	struct pam_response *reply = NULL;
+	char state_to_write = STATE_CONV; /* One char to write */
+	struct inverted_pam_userdata *ud = userdata;
+	char *response = NULL;
+	
+	/* The stdio functions are more convenient for the read half */
+	reader = fdopen(ud->responsefd[0], "rb");
+	if (reader == NULL)
+		goto protocol_failure;
+
+	reply = malloc(num_msg * sizeof(struct pam_response));
+	if (reply == NULL)
+		return PAM_CONV_ERR;
+
+	if (write(ud->statefd[1], &state_to_write, 1) != 1)
+		goto protocol_failure;
+	
+	/*
+	 * Re-package our data and send it off to our better half (the actual SSH
+	 * process)
+	 */
+	if (write(ud->challengefd[1], buf,
+		  sprintf(buf, "%d\n", num_msg)) == -1)
+		goto protocol_failure;
+	for (i = 0; i < num_msg; i++) {
+		if (write(ud->challengefd[1], buf,
+			  sprintf(buf, "%d\n", msg[i]->msg_style)) == -1)
+			goto protocol_failure;
+		if (write(ud->challengefd[1], buf,
+			  sprintf(buf, "%d\n", strlen(msg[i]->msg))) == -1)
+			goto protocol_failure;
+		if (write(ud->challengefd[1], msg[i]->msg,
+			  strlen(msg[i]->msg)) == -1)
+			goto protocol_failure;
+	}
+	/*
+	 * Read back responses.  These may not be as nice as we want, as the SSH
+	 * protocol isn't exactly a perfect fit with PAM.
+	 */
+
+	for (i = 0; i < num_msg; i++) {
+		char buf[1024];
+		char *endptr;
+		size_t len;	/* Length of the response */
+
+		switch (msg[i]->msg_style) {
+		case PAM_PROMPT_ECHO_OFF:
+		case PAM_PROMPT_ECHO_ON:
+			if (fgets(buf, sizeof(buf), reader) == NULL)
+				goto protocol_failure;
+			len = (size_t)strtoul(buf, &endptr, 10);
+			/* The length is supposed to stand on a line by itself */
+			if (endptr == NULL || *endptr != '\n')
+				goto protocol_failure;
+			response = malloc(len+1);
+			if (response == NULL)
+				goto protocol_failure;
+			if (fread(response, len, 1, reader) != 1)
+				goto protocol_failure;
+			response[len] = '\0';
+			reply[i].resp = response;
+			response = NULL;
+			break;
+		default:
+			reply[i].resp = NULL;
+			break;
+		}
+	}
+	*resp = reply;
+	return PAM_SUCCESS;
+ protocol_failure:
+	free(reply);
+	return PAM_CONV_ERR;
+}
+
+void
+ipam_free_cookie(struct inverted_pam_cookie *cookie) {
+	struct inverted_pam_userdata *ud;
+	int i;
+
+	if (cookie == NULL)
+		return;
+	ud = cookie->userdata;
+	cookie->userdata = NULL;
+	/* Free userdata if allocated */
+	if (ud) {
+		/* Close any opened file descriptors */
+		if (ud->statefd[0] != -1)
+			close(ud->statefd[0]);
+		if (ud->statefd[1] != -1)
+			close(ud->statefd[1]);
+		if (ud->challengefd[0] != -1)
+			close(ud->challengefd[0]);
+		if (ud->challengefd[1] != -1)
+			close(ud->challengefd[1]);
+		if (ud->responsefd[0] != -1)
+			close(ud->responsefd[0]);
+		if (ud->responsefd[1] != -1)
+			close(ud->responsefd[1]);
+		free(ud);
+		ud = NULL;
+	}
+	/* Now free the normal cookie */
+	if (cookie->pid != 0 && cookie->pid != -1) {
+		int status;
+
+		/* XXX Use different signal? */
+		kill(cookie->pid, SIGKILL);
+		waitpid(cookie->pid, &status, 0);
+	}
+	for (i = 0; i < cookie->num_msg; i++) {
+		if (cookie->resp && cookie->resp[i]) {
+			free(cookie->resp[i]->resp);
+			free(cookie->resp[i]);
+		}
+		if (cookie->msg && cookie->msg[i]) {
+			free((void *)cookie->msg[i]->msg);
+			free(cookie->msg[i]);
+		}
+	}
+	free(cookie->msg);
+	free(cookie->resp);
+	free(cookie);
+}
+
+/*
+ * Do first half of PAM authentication - this comes to the point where
+ * you get a message to send to the user.
+ */
+struct inverted_pam_cookie *
+ipam_start_auth(const char *service, const char *username) {
+	struct inverted_pam_cookie *cookie;
+	struct inverted_pam_userdata *ud;
+	static struct pam_conv conv = {
+		ssh_conv,
+		NULL
+	};
+
+	cookie = malloc(sizeof(*cookie));
+	if (cookie == NULL)
+		return NULL;
+	cookie->state = 0;
+	/* Set up the cookie so ipam_freecookie can be used on it */
+	cookie->num_msg = 0;
+	cookie->msg = NULL;
+	cookie->resp = NULL;
+	cookie->pid = -1;
+
+	ud = calloc(sizeof(*ud), 1);
+	if (ud == NULL) {
+		free(cookie);
+		return NULL;
+	}
+	cookie->userdata = ud;
+	ud->statefd[0] = ud->statefd[1] = -1;
+	ud->challengefd[0] = ud->challengefd[1] = -1;
+	ud->responsefd[0] = ud->responsefd[1] = -1;
+
+	if (pipe(ud->statefd) != 0) {
+		ud->statefd[0] = ud->statefd[1] = -1;
+		ipam_free_cookie(cookie);
+		return NULL;
+	}
+	if (pipe(ud->challengefd) != 0) {
+		ud->challengefd[0] = ud->challengefd[1] = -1;
+		ipam_free_cookie(cookie);
+		return NULL;
+	}
+	if (pipe(ud->responsefd) != 0) {
+		ud->responsefd[0] = ud->responsefd[1] = -1;
+		ipam_free_cookie(cookie);
+		return NULL;
+	}
+	cookie->pid = fork();
+	if (cookie->pid == -1) {
+		ipam_free_cookie(cookie);
+		return NULL;
+	} else if (cookie->pid != 0) {
+		int num_msgs;	/* Number of messages from PAM */
+		char *endptr;
+		char buf[1024];
+		FILE *reader;
+		size_t num_msg;
+		int i;
+		char state;	/* Which state did the connection just enter? */
+
+		/* We are the parent - wait for a call to the communications
+		   function to turn up, or the challenge to be finished */
+		if (read(ud->statefd[0], &state, 1) != 1) {
+			ipam_free_cookie(cookie);
+			return NULL;
+		}
+		cookie->state = state;
+		switch (state) {
+		case STATE_CONV:
+			/* We are running the conversation function */
+			/* The stdio functions are more convenient for read */
+			reader = fdopen(ud->challengefd[0], "r");
+			if (reader == NULL) {
+				ipam_free_cookie(cookie);
+				return NULL;
+			}
+			if (fgets(buf, 4, reader) == NULL) {
+				fclose(reader);
+				ipam_free_cookie(cookie);
+				return NULL;
+			}
+			num_msg = (size_t)strtoul(buf, &endptr, 10);
+			/* The length is supposed to stand on a line by itself */
+			if (endptr == NULL || *endptr != '\n') {
+				fclose(reader);
+				ipam_free_cookie(cookie);
+				return NULL;
+			}
+			cookie->msg =
+				malloc(sizeof(struct pam_message *) * num_msg);
+			cookie->resp =
+				malloc(sizeof(struct pam_response *) * num_msg);
+			if (cookie->msg == NULL || cookie->resp == NULL) {
+				fclose(reader);
+				ipam_free_cookie(cookie);
+				return NULL;
+			}
+			for (i = 0; i < num_msg; i++) {
+				cookie->msg[i] =
+					malloc(sizeof(struct pam_message));
+				cookie->resp[i] =
+					malloc(sizeof(struct pam_response));
+				if (cookie->msg[i] == NULL ||
+				    cookie->resp[i] == NULL) {
+					for (;;) {
+						free(cookie->msg[i]);
+						free(cookie->resp[i]);
+						if (i == 0)
+							break;
+						i--;
+					}
+					fclose(reader);
+					ipam_free_cookie(cookie);
+					return NULL;
+				}
+				cookie->msg[i]->msg = NULL;
+				cookie->resp[i]->resp = NULL;
+				cookie->resp[i]->resp_retcode = 0;
+			}
+			/* Set up so the above will be freed on failure */
+			cookie->num_msg = num_msg;
+			/*
+			 * We have a an allocated response and message for
+			 * each of the entries in the PAM structure - transfer
+			 * the data sent to the conversation function over.
+			 */
+			for (i = 0; i < num_msg; i++) {
+				size_t len;
+			
+				if (fgets(buf, sizeof(buf), reader) == NULL) {
+					fclose(reader);
+					ipam_free_cookie(cookie);
+					return NULL;
+				}
+				cookie->msg[i]->msg_style =
+					(size_t)strtoul(buf, &endptr, 10);
+				if (endptr == NULL || *endptr != '\n') {
+					fclose(reader);
+					ipam_free_cookie(cookie);
+					return NULL;
+				}
+				if (fgets(buf, sizeof(buf), reader) == NULL) {
+					fclose(reader);
+					ipam_free_cookie(cookie);
+					return NULL;
+				}
+				len = (size_t)strtoul(buf, &endptr, 10);
+				if (endptr == NULL || *endptr != '\n') {
+					fclose(reader);
+					ipam_free_cookie(cookie);
+					return NULL;
+				}
+				cookie->msg[i]->msg = malloc(len + 1);
+				if (cookie->msg[i]->msg == NULL) {
+					fclose(reader);
+					ipam_free_cookie(cookie);
+					return NULL;
+				}
+				if (fread((char *)cookie->msg[i]->msg, len, 1, reader) !=
+				    1) {
+					fclose(reader);
+					ipam_free_cookie(cookie);
+					return NULL;
+				}
+				*(char *)&(cookie->msg[i]->msg[len]) = '\0';
+			}
+			break;
+		case STATE_AUTH_OK:
+		case STATE_AUTH_FAIL:
+			break;
+		default:
+			/* Internal failure, somehow */
+			fclose(reader);
+			ipam_free_cookie(cookie);
+			return NULL;
+		}
+		return cookie;
+	} else {
+		/* We are the child */
+		pam_handle_t *pamh=NULL;
+		int retval;
+		char state;
+
+		conv.appdata_ptr = ud;
+		retval = pam_start(service, username, &conv, &pamh);
+		/* Is user really user? */
+		if (retval == PAM_SUCCESS)
+			retval = pam_authenticate(pamh, 0);
+		/* permitted access? */
+		if (retval == PAM_SUCCESS)
+			retval = pam_acct_mgmt(pamh, 0);
+		/* This is where we have been authorized or not. */
+
+		/* Be conservative - flag as auth failure if we can't close */
+		/*
+		 * XXX This is based on example code from Linux-PAM -
+		 * but can it really be correct to pam_end if
+		 * pam_start failed?
+		 */
+		if (pam_end(pamh, retval) != PAM_SUCCESS)
+			retval = PAM_AUTH_ERR;
+
+		/* Message to parent */
+		state = retval == PAM_SUCCESS ? STATE_AUTH_OK : STATE_AUTH_FAIL;
+		if (write(ud->statefd[1], &state, 1) != 1) {
+			_exit(1);
+		}
+		/* FDs will be closed, so further communication will stop */
+		_exit(0);
+	}
+}
+
+/*
+ * Do second half of PAM authentication - cookie should now be filled
+ * in with the response to the challenge.
+ */
+
+int
+ipam_complete_auth(struct inverted_pam_cookie *cookie) {
+    int i;
+    char buf[1024];
+    struct inverted_pam_userdata *ud = cookie->userdata;
+    char state;
+
+    /* Send over our responses */
+    for (i = 0; i < cookie->num_msg; i++) {
+	if (cookie->msg[i]->msg_style != PAM_PROMPT_ECHO_ON &&
+	    cookie->msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
+	    continue;
+	if (write(ud->responsefd[1], buf,
+		  sprintf(buf, "%d\n", strlen(cookie->resp[i]->resp))) == -1) {
+	    ipam_free_cookie(cookie);
+	    return 0;
+	}
+	if (write(ud->responsefd[1], cookie->resp[i]->resp,
+		  strlen(cookie->resp[i]->resp)) == -1) {
+	    ipam_free_cookie(cookie);
+	    return 0;
+	}
+    }
+    /* Find out what state we are changing to */
+    if (read(ud->statefd[0], &state, 1) != 1) {
+	ipam_free_cookie(cookie);
+	return 0;
+    }
+    
+    return state == STATE_AUTH_OK ? 1 : 0;
+}
+
+#endif /* USE_PAM */
diff --git a/crypto/openssh/auth-pam.h b/crypto/openssh/auth-pam.h
new file mode 100644
index 0000000..f1128b8
--- /dev/null
+++ b/crypto/openssh/auth-pam.h
@@ -0,0 +1,39 @@
+/*
+ * OpenSSH PAM authentication support.
+ *
+ * $FreeBSD$
+ */
+#ifndef AUTH_PAM_H
+#define AUTH_PAM_H
+#include "includes.h"
+#ifdef USE_PAM
+
+#include "auth.h"
+#include <pwd.h> /* For struct passwd */
+
+void start_pam(struct passwd *pw);
+void finish_pam(void);
+int auth_pam_password(Authctxt *authctxt, const char *password);
+char **fetch_pam_environment(void);
+int do_pam_account(char *username, char *remote_user);
+void do_pam_session(char *username, const char *ttyname);
+void do_pam_setcred(void);
+void print_pam_messages(void);
+int pam_password_change_required(void);
+void do_pam_chauthtok(void);
+
+struct inverted_pam_cookie {
+    int state;			/* Which state have we reached? */
+    pid_t pid;			/* PID of child process */
+
+    /* Only valid in state STATE_CONV */
+    int num_msg;		/* Number of messages */
+    struct pam_message **msg;	/* Message structures */
+    struct pam_response **resp;	/* Response structures */
+    struct inverted_pam_userdata *userdata;
+};
+void ipam_free_cookie(struct inverted_pam_cookie *cookie);
+struct inverted_pam_cookie *ipam_start_auth(const char *, const char *);
+
+#endif /* USE_PAM */
+#endif /* AUTH_PAM_H */
diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c
new file mode 100644
index 0000000..1ca7fa9
--- /dev/null
+++ b/crypto/openssh/auth-passwd.c
@@ -0,0 +1,101 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Password authentication.  This file contains the functions to check whether
+ * the password is valid for the user.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * Copyright (c) 1999 Dug Song.  All rights reserved.
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth-passwd.c,v 1.22 2001/03/20 18:57:04 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "packet.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "servconf.h"
+#include "auth.h"
+
+
+extern ServerOptions options;
+
+/*
+ * Tries to authenticate the user using password.  Returns true if
+ * authentication succeeds.
+ */
+int
+auth_password(Authctxt *authctxt, const char *password)
+{
+	struct passwd * pw = authctxt->pw;
+	char *encrypted_password;
+
+	/* deny if no user. */
+	if (pw == NULL)
+		return 0;
+	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+		return 0;
+	if (*password == '\0' && options.permit_empty_passwd == 0)
+		return 0;
+#ifdef BSD_AUTH
+	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
+	    (char *)password) == 0)
+		return 0;
+	else
+		return 1;
+#endif
+#ifdef KRB5
+	if (options.kerberos_authentication == 1) {
+	  	if (auth_krb5_password(pw, password))
+		  	return 1;
+		/* Fall back to ordinary passwd authentication. */
+	}
+
+#endif /* KRB5 */
+#ifdef KRB4
+	if (options.kerberos_authentication == 1) {
+		int ret = auth_krb4_password(pw, password);
+		if (ret == 1 || ret == 0)
+			return ret;
+		/* Fall back to ordinary passwd authentication. */
+	}
+#endif
+
+	/* Check for users with no password. */
+	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
+		return 1;
+	/* Encrypt the candidate password using the proper salt. */
+	encrypted_password = crypt(password,
+	    (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx");
+
+	/* Authentication is accepted if the encrypted passwords are identical. */
+	return (strcmp(encrypted_password, pw->pw_passwd) == 0);
+}
diff --git a/crypto/openssh/auth-rh-rsa.c b/crypto/openssh/auth-rh-rsa.c
new file mode 100644
index 0000000..596a7bb
--- /dev/null
+++ b/crypto/openssh/auth-rh-rsa.c
@@ -0,0 +1,116 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Rhosts or /etc/hosts.equiv authentication combined with RSA host
+ * authentication.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.23 2001/04/06 21:00:04 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "packet.h"
+#include "xmalloc.h"
+#include "uidswap.h"
+#include "log.h"
+#include "servconf.h"
+#include "key.h"
+#include "hostfile.h"
+#include "pathnames.h"
+#include "auth.h"
+#include "tildexpand.h"
+#include "canohost.h"
+
+/*
+ * Tries to authenticate the user using the .rhosts file and the host using
+ * its host key.  Returns true if authentication succeeds.
+ */
+
+int
+auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key)
+{
+	extern ServerOptions options;
+	const char *canonical_hostname;
+	HostStatus host_status;
+	Key *client_key, *found;
+
+	debug("Trying rhosts with RSA host authentication for client user %.100s", client_user);
+
+	if (pw == NULL || client_host_key == NULL)
+		return 0;
+
+	/* Check if we would accept it using rhosts authentication. */
+	if (!auth_rhosts(pw, client_user))
+		return 0;
+
+	canonical_hostname = get_canonical_hostname(
+	    options.reverse_mapping_check);
+
+	debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname);
+
+	/* wrap the RSA key into a 'generic' key */
+	client_key = key_new(KEY_RSA1);
+	BN_copy(client_key->rsa->e, client_host_key->e);
+	BN_copy(client_key->rsa->n, client_host_key->n);
+	found = key_new(KEY_RSA1);
+
+	/* Check if we know the host and its host key. */
+	host_status = check_host_in_hostfile(_PATH_SSH_SYSTEM_HOSTFILE, canonical_hostname,
+	    client_key, found, NULL);
+
+	/* Check user host file unless ignored. */
+	if (host_status != HOST_OK && !options.ignore_user_known_hosts) {
+		struct stat st;
+		char *user_hostfile = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);
+		/*
+		 * Check file permissions of _PATH_SSH_USER_HOSTFILE, auth_rsa()
+		 * did already check pw->pw_dir, but there is a race XXX
+		 */
+		if (options.strict_modes &&
+		    (stat(user_hostfile, &st) == 0) &&
+		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+		     (st.st_mode & 022) != 0)) {
+			log("Rhosts RSA authentication refused for %.100s: bad owner or modes for %.200s",
+			    pw->pw_name, user_hostfile);
+		} else {
+			/* XXX race between stat and the following open() */
+			temporarily_use_uid(pw);
+			host_status = check_host_in_hostfile(user_hostfile, canonical_hostname,
+			    client_key, found, NULL);
+			restore_uid();
+		}
+		xfree(user_hostfile);
+	}
+	key_free(client_key);
+	key_free(found);
+
+	if (host_status != HOST_OK) {
+		debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
+		packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
+		return 0;
+	}
+	/* A matching host key was found and is known. */
+
+	/* Perform the challenge-response dialog with the client for the host key. */
+	if (!auth_rsa_challenge_dialog(client_host_key)) {
+		log("Client on %.800s failed to respond correctly to host authentication.",
+		    canonical_hostname);
+		return 0;
+	}
+	/*
+	 * We have authenticated the user using .rhosts or /etc/hosts.equiv,
+	 * and the host using RSA. We accept the authentication.
+	 */
+
+	verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
+	   pw->pw_name, client_user, canonical_hostname);
+	packet_send_debug("Rhosts with RSA host authentication accepted.");
+	return 1;
+}
diff --git a/crypto/openssh/auth-rhosts.c b/crypto/openssh/auth-rhosts.c
new file mode 100644
index 0000000..324a0f9
--- /dev/null
+++ b/crypto/openssh/auth-rhosts.c
@@ -0,0 +1,285 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Rhosts authentication.  This file contains code to check whether to admit
+ * the login based on rhosts authentication.  This file also processes
+ * /etc/hosts.equiv.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth-rhosts.c,v 1.23 2001/04/12 19:15:24 markus Exp $");
+
+#include "packet.h"
+#include "xmalloc.h"
+#include "uidswap.h"
+#include "pathnames.h"
+#include "log.h"
+#include "servconf.h"
+#include "canohost.h"
+#include "auth.h"
+
+/* import */
+extern ServerOptions options;
+
+/*
+ * This function processes an rhosts-style file (.rhosts, .shosts, or
+ * /etc/hosts.equiv).  This returns true if authentication can be granted
+ * based on the file, and returns zero otherwise.
+ */
+
+int
+check_rhosts_file(const char *filename, const char *hostname,
+		  const char *ipaddr, const char *client_user,
+		  const char *server_user)
+{
+	FILE *f;
+	char buf[1024];	/* Must not be larger than host, user, dummy below. */
+
+	/* Open the .rhosts file, deny if unreadable */
+	f = fopen(filename, "r");
+	if (!f)
+		return 0;
+
+	while (fgets(buf, sizeof(buf), f)) {
+		/* All three must be at least as big as buf to avoid overflows. */
+		char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp;
+		int negated;
+
+		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (*cp == '#' || *cp == '\n' || !*cp)
+			continue;
+
+		/*
+		 * NO_PLUS is supported at least on OSF/1.  We skip it (we
+		 * don't ever support the plus syntax).
+		 */
+		if (strncmp(cp, "NO_PLUS", 7) == 0)
+			continue;
+
+		/*
+		 * This should be safe because each buffer is as big as the
+		 * whole string, and thus cannot be overwritten.
+		 */
+		switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) {
+		case 0:
+			packet_send_debug("Found empty line in %.100s.", filename);
+			continue;
+		case 1:
+			/* Host name only. */
+			strlcpy(userbuf, server_user, sizeof(userbuf));
+			break;
+		case 2:
+			/* Got both host and user name. */
+			break;
+		case 3:
+			packet_send_debug("Found garbage in %.100s.", filename);
+			continue;
+		default:
+			/* Weird... */
+			continue;
+		}
+
+		host = hostbuf;
+		user = userbuf;
+		negated = 0;
+
+		/* Process negated host names, or positive netgroups. */
+		if (host[0] == '-') {
+			negated = 1;
+			host++;
+		} else if (host[0] == '+')
+			host++;
+
+		if (user[0] == '-') {
+			negated = 1;
+			user++;
+		} else if (user[0] == '+')
+			user++;
+
+		/* Check for empty host/user names (particularly '+'). */
+		if (!host[0] || !user[0]) {
+			/* We come here if either was '+' or '-'. */
+			packet_send_debug("Ignoring wild host/user names in %.100s.",
+					  filename);
+			continue;
+		}
+		/* Verify that host name matches. */
+		if (host[0] == '@') {
+			if (!innetgr(host + 1, hostname, NULL, NULL) &&
+			    !innetgr(host + 1, ipaddr, NULL, NULL))
+				continue;
+		} else if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0)
+			continue;	/* Different hostname. */
+
+		/* Verify that user name matches. */
+		if (user[0] == '@') {
+			if (!innetgr(user + 1, NULL, client_user, NULL))
+				continue;
+		} else if (strcmp(user, client_user) != 0)
+			continue;	/* Different username. */
+
+		/* Found the user and host. */
+		fclose(f);
+
+		/* If the entry was negated, deny access. */
+		if (negated) {
+			packet_send_debug("Matched negative entry in %.100s.",
+					  filename);
+			return 0;
+		}
+		/* Accept authentication. */
+		return 1;
+	}
+
+	/* Authentication using this file denied. */
+	fclose(f);
+	return 0;
+}
+
+/*
+ * Tries to authenticate the user using the .shosts or .rhosts file. Returns
+ * true if authentication succeeds.  If ignore_rhosts is true, only
+ * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored).
+ */
+
+int
+auth_rhosts(struct passwd *pw, const char *client_user)
+{
+	const char *hostname, *ipaddr;
+	int ret;
+
+	hostname = get_canonical_hostname(options.reverse_mapping_check);
+	ipaddr = get_remote_ipaddr();
+	ret = auth_rhosts2(pw, client_user, hostname, ipaddr);
+	return ret;
+}
+
+int
+auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
+    const char *ipaddr)
+{
+	char buf[1024];
+	struct stat st;
+	static const char *rhosts_files[] = {".shosts", ".rhosts", NULL};
+	u_int rhosts_file_index;
+
+	debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s",
+	    client_user, hostname, ipaddr);
+
+	/* no user given */
+	if (pw == NULL)
+		return 0;
+
+	/* Switch to the user's uid. */
+	temporarily_use_uid(pw);
+	/*
+	 * Quick check: if the user has no .shosts or .rhosts files, return
+	 * failure immediately without doing costly lookups from name
+	 * servers.
+	 */
+	for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
+	     rhosts_file_index++) {
+		/* Check users .rhosts or .shosts. */
+		snprintf(buf, sizeof buf, "%.500s/%.100s",
+			 pw->pw_dir, rhosts_files[rhosts_file_index]);
+		if (stat(buf, &st) >= 0)
+			break;
+	}
+	/* Switch back to privileged uid. */
+	restore_uid();
+
+	/* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */
+	if (!rhosts_files[rhosts_file_index] &&
+	    stat(_PATH_RHOSTS_EQUIV, &st) < 0 &&
+	    stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0)
+		return 0;
+
+	/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
+	if (pw->pw_uid != 0) {
+		if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user,
+				      pw->pw_name)) {
+			packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
+					  hostname, ipaddr);
+			return 1;
+		}
+		if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, client_user,
+				      pw->pw_name)) {
+			packet_send_debug("Accepted for %.100s [%.100s] by %.100s.",
+				      hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
+			return 1;
+		}
+	}
+	/*
+	 * Check that the home directory is owned by root or the user, and is
+	 * not group or world writable.
+	 */
+	if (stat(pw->pw_dir, &st) < 0) {
+		log("Rhosts authentication refused for %.100s: no home directory %.200s",
+		    pw->pw_name, pw->pw_dir);
+		packet_send_debug("Rhosts authentication refused for %.100s: no home directory %.200s",
+				  pw->pw_name, pw->pw_dir);
+		return 0;
+	}
+	if (options.strict_modes &&
+	    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+	     (st.st_mode & 022) != 0)) {
+		log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.",
+		    pw->pw_name);
+		packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.",
+				  pw->pw_name);
+		return 0;
+	}
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw);
+
+	/* Check all .rhosts files (currently .shosts and .rhosts). */
+	for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
+	     rhosts_file_index++) {
+		/* Check users .rhosts or .shosts. */
+		snprintf(buf, sizeof buf, "%.500s/%.100s",
+			 pw->pw_dir, rhosts_files[rhosts_file_index]);
+		if (stat(buf, &st) < 0)
+			continue;
+
+		/*
+		 * Make sure that the file is either owned by the user or by
+		 * root, and make sure it is not writable by anyone but the
+		 * owner.  This is to help avoid novices accidentally
+		 * allowing access to their account by anyone.
+		 */
+		if (options.strict_modes &&
+		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+		     (st.st_mode & 022) != 0)) {
+			log("Rhosts authentication refused for %.100s: bad modes for %.200s",
+			    pw->pw_name, buf);
+			packet_send_debug("Bad file modes for %.200s", buf);
+			continue;
+		}
+		/* Check if we have been configured to ignore .rhosts and .shosts files. */
+		if (options.ignore_rhosts) {
+			packet_send_debug("Server has been configured to ignore %.100s.",
+					  rhosts_files[rhosts_file_index]);
+			continue;
+		}
+		/* Check if authentication is permitted by the file. */
+		if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) {
+			packet_send_debug("Accepted by %.100s.",
+					  rhosts_files[rhosts_file_index]);
+			/* Restore the privileged uid. */
+			restore_uid();
+			return 1;
+		}
+	}
+
+	/* Restore the privileged uid. */
+	restore_uid();
+	return 0;
+}
diff --git a/crypto/openssh/auth-rsa.c b/crypto/openssh/auth-rsa.c
new file mode 100644
index 0000000..a7e0625
--- /dev/null
+++ b/crypto/openssh/auth-rsa.c
@@ -0,0 +1,300 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * RSA-based authentication.  This code determines whether to admit a login
+ * based on RSA authentication.  This file also contains functions to check
+ * validity of the host key.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth-rsa.c,v 1.40 2001/04/06 21:00:07 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/rsa.h>
+#include <openssl/md5.h>
+
+#include "rsa.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "ssh1.h"
+#include "mpaux.h"
+#include "uidswap.h"
+#include "match.h"
+#include "auth-options.h"
+#include "pathnames.h"
+#include "log.h"
+#include "servconf.h"
+#include "auth.h"
+
+/* import */
+extern ServerOptions options;
+
+/*
+ * Session identifier that is used to bind key exchange and authentication
+ * responses to a particular session.
+ */
+extern u_char session_id[16];
+
+/*
+ * The .ssh/authorized_keys file contains public keys, one per line, in the
+ * following format:
+ *   options bits e n comment
+ * where bits, e and n are decimal numbers,
+ * and comment is any string of characters up to newline.  The maximum
+ * length of a line is 8000 characters.  See the documentation for a
+ * description of the options.
+ */
+
+/*
+ * Performs the RSA authentication challenge-response dialog with the client,
+ * and returns true (non-zero) if the client gave the correct answer to
+ * our challenge; returns zero if the client gives a wrong answer.
+ */
+
+int
+auth_rsa_challenge_dialog(RSA *pk)
+{
+	BIGNUM *challenge, *encrypted_challenge;
+	BN_CTX *ctx;
+	u_char buf[32], mdbuf[16], response[16];
+	MD5_CTX md;
+	u_int i;
+	int plen, len;
+
+	encrypted_challenge = BN_new();
+	challenge = BN_new();
+
+	/* Generate a random challenge. */
+	BN_rand(challenge, 256, 0, 0);
+	ctx = BN_CTX_new();
+	BN_mod(challenge, challenge, pk->n, ctx);
+	BN_CTX_free(ctx);
+
+	/* Encrypt the challenge with the public key. */
+	rsa_public_encrypt(encrypted_challenge, challenge, pk);
+
+	/* Send the encrypted challenge to the client. */
+	packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
+	packet_put_bignum(encrypted_challenge);
+	packet_send();
+	BN_clear_free(encrypted_challenge);
+	packet_write_wait();
+
+	/* Wait for a response. */
+	packet_read_expect(&plen, SSH_CMSG_AUTH_RSA_RESPONSE);
+	packet_integrity_check(plen, 16, SSH_CMSG_AUTH_RSA_RESPONSE);
+	for (i = 0; i < 16; i++)
+		response[i] = packet_get_char();
+
+	/* The response is MD5 of decrypted challenge plus session id. */
+	len = BN_num_bytes(challenge);
+	if (len <= 0 || len > 32)
+		fatal("auth_rsa_challenge_dialog: bad challenge length %d", len);
+	memset(buf, 0, 32);
+	BN_bn2bin(challenge, buf + 32 - len);
+	MD5_Init(&md);
+	MD5_Update(&md, buf, 32);
+	MD5_Update(&md, session_id, 16);
+	MD5_Final(mdbuf, &md);
+	BN_clear_free(challenge);
+
+	/* Verify that the response is the original challenge. */
+	if (memcmp(response, mdbuf, 16) != 0) {
+		/* Wrong answer. */
+		return 0;
+	}
+	/* Correct answer. */
+	return 1;
+}
+
+/*
+ * Performs the RSA authentication dialog with the client.  This returns
+ * 0 if the client could not be authenticated, and 1 if authentication was
+ * successful.  This may exit if there is a serious protocol violation.
+ */
+
+int
+auth_rsa(struct passwd *pw, BIGNUM *client_n)
+{
+	char line[8192], file[MAXPATHLEN];
+	int authenticated;
+	u_int bits;
+	FILE *f;
+	u_long linenum = 0;
+	struct stat st;
+	RSA *pk;
+
+	/* no user given */
+	if (pw == NULL)
+		return 0;
+
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw);
+
+	/* The authorized keys. */
+	snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
+		 _PATH_SSH_USER_PERMITTED_KEYS);
+
+	/* Fail quietly if file does not exist */
+	if (stat(file, &st) < 0) {
+		/* Restore the privileged uid. */
+		restore_uid();
+		return 0;
+	}
+	/* Open the file containing the authorized keys. */
+	f = fopen(file, "r");
+	if (!f) {
+		/* Restore the privileged uid. */
+		restore_uid();
+		packet_send_debug("Could not open %.900s for reading.", file);
+		packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
+		return 0;
+	}
+	if (options.strict_modes) {
+		int fail = 0;
+		char buf[1024];
+		/* Check open file in order to avoid open/stat races */
+		if (fstat(fileno(f), &st) < 0 ||
+		    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+		    (st.st_mode & 022) != 0) {
+			snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
+				 "bad ownership or modes for '%s'.", pw->pw_name, file);
+			fail = 1;
+		} else {
+			/* Check path to _PATH_SSH_USER_PERMITTED_KEYS */
+			int i;
+			static const char *check[] = {
+				"", _PATH_SSH_USER_DIR, NULL
+			};
+			for (i = 0; check[i]; i++) {
+				snprintf(line, sizeof line, "%.500s/%.100s", pw->pw_dir, check[i]);
+				if (stat(line, &st) < 0 ||
+				    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+				    (st.st_mode & 022) != 0) {
+					snprintf(buf, sizeof buf, "RSA authentication refused for %.100s: "
+						 "bad ownership or modes for '%s'.", pw->pw_name, line);
+					fail = 1;
+					break;
+				}
+			}
+		}
+		if (fail) {
+			fclose(f);
+			log("%s", buf);
+			packet_send_debug("%s", buf);
+			restore_uid();
+			return 0;
+		}
+	}
+	/* Flag indicating whether authentication has succeeded. */
+	authenticated = 0;
+
+	pk = RSA_new();
+	pk->e = BN_new();
+	pk->n = BN_new();
+
+	/*
+	 * Go though the accepted keys, looking for the current key.  If
+	 * found, perform a challenge-response dialog to verify that the
+	 * user really has the corresponding private key.
+	 */
+	while (fgets(line, sizeof(line), f)) {
+		char *cp;
+		char *options;
+
+		linenum++;
+
+		/* Skip leading whitespace, empty and comment lines. */
+		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (!*cp || *cp == '\n' || *cp == '#')
+			continue;
+
+		/*
+		 * Check if there are options for this key, and if so,
+		 * save their starting address and skip the option part
+		 * for now.  If there are no options, set the starting
+		 * address to NULL.
+		 */
+		if (*cp < '0' || *cp > '9') {
+			int quoted = 0;
+			options = cp;
+			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+				if (*cp == '\\' && cp[1] == '"')
+					cp++;	/* Skip both */
+				else if (*cp == '"')
+					quoted = !quoted;
+			}
+		} else
+			options = NULL;
+
+		/* Parse the key from the line. */
+		if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
+			debug("%.100s, line %lu: bad key syntax",
+			    file, linenum);
+			packet_send_debug("%.100s, line %lu: bad key syntax",
+			    file, linenum);
+			continue;
+		}
+		/* cp now points to the comment part. */
+
+		/* Check if the we have found the desired key (identified by its modulus). */
+		if (BN_cmp(pk->n, client_n) != 0)
+			continue;
+
+		/* check the real bits  */
+		if (bits != BN_num_bits(pk->n))
+			log("Warning: %s, line %ld: keysize mismatch: "
+			    "actual %d vs. announced %d.",
+			    file, linenum, BN_num_bits(pk->n), bits);
+
+		/* We have found the desired key. */
+		/*
+		 * If our options do not allow this key to be used,
+		 * do not send challenge.
+		 */
+		if (!auth_parse_options(pw, options, file, linenum))
+			continue;
+
+		/* Perform the challenge-response dialog for this key. */
+		if (!auth_rsa_challenge_dialog(pk)) {
+			/* Wrong response. */
+			verbose("Wrong response to RSA authentication challenge.");
+			packet_send_debug("Wrong response to RSA authentication challenge.");
+			continue;
+		}
+		/*
+		 * Correct response.  The client has been successfully
+		 * authenticated. Note that we have not yet processed the
+		 * options; this will be reset if the options cause the
+		 * authentication to be rejected.
+		 * Break out of the loop if authentication was successful;
+		 * otherwise continue searching.
+		 */
+		authenticated = 1;
+		break;
+	}
+
+	/* Restore the privileged uid. */
+	restore_uid();
+
+	/* Close the file. */
+	fclose(f);
+
+	RSA_free(pk);
+
+	if (authenticated)
+		packet_send_debug("RSA authentication accepted.");
+	else
+		auth_clear_options();
+
+	/* Return authentication result. */
+	return authenticated;
+}
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
new file mode 100644
index 0000000..df945e0
--- /dev/null
+++ b/crypto/openssh/auth.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth.c,v 1.21 2001/03/19 17:07:23 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "xmalloc.h"
+#include "match.h"
+#include "groupaccess.h"
+#include "log.h"
+#include "servconf.h"
+#include "auth.h"
+#include "auth-options.h"
+#include "canohost.h"
+
+/* import */
+extern ServerOptions options;
+
+/*
+ * Check if the user is allowed to log in via ssh. If user is listed
+ * in DenyUsers or one of user's groups is listed in DenyGroups, false
+ * will be returned. If AllowUsers isn't empty and user isn't listed
+ * there, or if AllowGroups isn't empty and one of user's groups isn't
+ * listed there, false will be returned.
+ * If the user's shell is not executable, false will be returned.
+ * Otherwise true is returned.
+ */
+int
+allowed_user(struct passwd * pw)
+{
+	struct stat st;
+	char *shell;
+	int i;
+
+	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
+	if (!pw || !pw->pw_name)
+		return 0;
+
+	/*
+	 * Get the shell from the password data.  An empty shell field is
+	 * legal, and means /bin/sh.
+	 */
+	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
+
+	/* deny if shell does not exists or is not executable */
+	if (stat(shell, &st) != 0)
+		return 0;
+	if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP))))
+		return 0;
+
+	/* Return false if user is listed in DenyUsers */
+	if (options.num_deny_users > 0) {
+		for (i = 0; i < options.num_deny_users; i++)
+			if (match_pattern(pw->pw_name, options.deny_users[i]))
+				return 0;
+	}
+	/* Return false if AllowUsers isn't empty and user isn't listed there */
+	if (options.num_allow_users > 0) {
+		for (i = 0; i < options.num_allow_users; i++)
+			if (match_pattern(pw->pw_name, options.allow_users[i]))
+				break;
+		/* i < options.num_allow_users iff we break for loop */
+		if (i >= options.num_allow_users)
+			return 0;
+	}
+	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
+		/* Get the user's group access list (primary and supplementary) */
+		if (ga_init(pw->pw_name, pw->pw_gid) == 0)
+			return 0;
+
+		/* Return false if one of user's groups is listed in DenyGroups */
+		if (options.num_deny_groups > 0)
+			if (ga_match(options.deny_groups,
+			    options.num_deny_groups)) {
+				ga_free();
+				return 0;
+			}
+		/*
+		 * Return false if AllowGroups isn't empty and one of user's groups
+		 * isn't listed there
+		 */
+		if (options.num_allow_groups > 0)
+			if (!ga_match(options.allow_groups,
+			    options.num_allow_groups)) {
+				ga_free();
+				return 0;
+			}
+		ga_free();
+	}
+	/* We found no reason not to let this user try to log on... */
+	return 1;
+}
+
+Authctxt *
+authctxt_new(void)
+{
+	Authctxt *authctxt = xmalloc(sizeof(*authctxt));
+	memset(authctxt, 0, sizeof(*authctxt));
+	return authctxt;
+}
+
+void
+auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
+{
+	void (*authlog) (const char *fmt,...) = verbose;
+	char *authmsg;
+
+	/* Raise logging level */
+	if (authenticated == 1 ||
+	    !authctxt->valid ||
+	    authctxt->failures >= AUTH_FAIL_LOG ||
+	    strcmp(method, "password") == 0)
+		authlog = log;
+
+	if (authctxt->postponed)
+		authmsg = "Postponed";
+	else
+		authmsg = authenticated ? "Accepted" : "Failed";
+
+	authlog("%s %s for %s%.100s from %.200s port %d%s",
+	    authmsg,
+	    method,
+	    authctxt->valid ? "" : "illegal user ",
+	    authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user,
+	    get_remote_ipaddr(),
+	    get_remote_port(),
+	    info);
+}
+
+/*
+ * Check whether root logins are disallowed.
+ */
+int
+auth_root_allowed(char *method)
+{
+	switch (options.permit_root_login) {
+	case PERMIT_YES:
+		return 1;
+		break;
+	case PERMIT_NO_PASSWD:
+		if (strcmp(method, "password") != 0)
+			return 1;
+		break;
+	case PERMIT_FORCED_ONLY:
+		if (forced_command) {
+			log("Root login accepted for forced command.");
+			return 1;
+		}
+		break;
+	}
+	log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
+	return 0;
+}
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
new file mode 100644
index 0000000..3385c9b
--- /dev/null
+++ b/crypto/openssh/auth.h
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $OpenBSD: auth.h,v 1.15 2001/04/12 19:15:24 markus Exp $
+ * $FreeBSD$
+ */
+#ifndef AUTH_H
+#define AUTH_H
+
+#include <openssl/rsa.h>
+
+#ifdef HAVE_LOGIN_CAP
+#include <login_cap.h>
+#endif
+#ifdef BSD_AUTH
+#include <bsd_auth.h>
+#endif
+
+typedef struct Authctxt Authctxt;
+struct Authctxt {
+	int success;
+	int postponed;
+	int valid;
+	int attempt;
+	int failures;
+	char *user;
+	char *service;
+	struct passwd *pw;
+	char *style;
+#ifdef BSD_AUTH
+	auth_session_t *as;
+#endif
+};
+
+/*
+ * Tries to authenticate the user using the .rhosts file.  Returns true if
+ * authentication succeeds.  If ignore_rhosts is non-zero, this will not
+ * consider .rhosts and .shosts (/etc/hosts.equiv will still be used).
+ */
+int     auth_rhosts(struct passwd * pw, const char *client_user);
+
+/* extended interface similar to auth_rhosts() */
+int
+auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
+    const char *ipaddr);
+
+/*
+ * Tries to authenticate the user using the .rhosts file and the host using
+ * its host key.  Returns true if authentication succeeds.
+ */
+int
+auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_key);
+
+/*
+ * Tries to authenticate the user using password.  Returns true if
+ * authentication succeeds.
+ */
+int     auth_password(Authctxt *authctxt, const char *password);
+
+/*
+ * Performs the RSA authentication dialog with the client.  This returns 0 if
+ * the client could not be authenticated, and 1 if authentication was
+ * successful.  This may exit if there is a serious protocol violation.
+ */
+int     auth_rsa(struct passwd * pw, BIGNUM * client_n);
+
+/*
+ * Parses an RSA key (number of bits, e, n) from a string.  Moves the pointer
+ * over the key.  Skips any whitespace at the beginning and at end.
+ */
+int     auth_rsa_read_key(char **cpp, u_int *bitsp, BIGNUM * e, BIGNUM * n);
+
+/*
+ * Performs the RSA authentication challenge-response dialog with the client,
+ * and returns true (non-zero) if the client gave the correct answer to our
+ * challenge; returns zero if the client gives a wrong answer.
+ */
+int     auth_rsa_challenge_dialog(RSA *pk);
+
+#ifdef KRB4
+#include <krb.h>
+#endif /* KRB4 */
+#ifdef KRB5
+#include <krb5.h>
+int auth_krb5();  /* XXX Doplnit prototypy */
+int auth_krb5_tgt();
+int krb5_init();
+void    krb5_cleanup_proc(void *ignore);
+int auth_krb5_password(struct passwd *pw, const char *password);
+#endif /* KRB5 */
+
+#ifdef KRB4
+#include <krb.h>
+/*
+ * Performs Kerberos v4 mutual authentication with the client. This returns 0
+ * if the client could not be authenticated, and 1 if authentication was
+ * successful.  This may exit if there is a serious protocol violation.
+ */
+int     auth_krb4(const char *server_user, KTEXT auth, char **client);
+int     krb4_init(uid_t uid);
+void    krb4_cleanup_proc(void *ignore);
+int	auth_krb4_password(struct passwd * pw, const char *password);
+
+#ifdef AFS
+#include <kafs.h>
+
+/* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */
+int     auth_kerberos_tgt(struct passwd * pw, const char *string);
+int     auth_afs_token(struct passwd * pw, const char *token_string);
+#endif				/* AFS */
+
+#endif				/* KRB4 */
+
+void	do_authentication(void);
+void	do_authentication2(void);
+
+Authctxt *authctxt_new(void);
+void	auth_log(Authctxt *authctxt, int authenticated, char *method, char *info);
+void	userauth_finish(Authctxt *authctxt, int authenticated, char *method);
+int	auth_root_allowed(char *method);
+
+int	auth2_challenge(Authctxt *authctxt, char *devs);
+
+int	allowed_user(struct passwd * pw);
+
+char	*get_challenge(Authctxt *authctxt, char *devs);
+int	verify_response(Authctxt *authctxt, char *response);
+
+struct passwd * auth_get_user(void);
+
+#define AUTH_FAIL_MAX 6
+#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
+#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
+
+#endif
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
new file mode 100644
index 0000000..d5eb4d8
--- /dev/null
+++ b/crypto/openssh/auth1.c
@@ -0,0 +1,574 @@
+/*
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth1.c,v 1.22 2001/03/23 12:02:49 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "xmalloc.h"
+#include "rsa.h"
+#include "ssh1.h"
+#include "packet.h"
+#include "buffer.h"
+#include "mpaux.h"
+#include "log.h"
+#include "servconf.h"
+#include "compat.h"
+#include "auth.h"
+#include "auth-pam.h"
+#include "session.h"
+#include "canohost.h"
+#include "misc.h"
+#include <login_cap.h>
+#include <security/pam_appl.h>
+
+#ifdef KRB5
+extern krb5_context ssh_context;
+krb5_principal tkt_client = NULL;    /* Principal from the received ticket. 
+Also is used as an indication of succesful krb5 authentization. */
+#endif
+
+/* import */
+extern ServerOptions options;
+
+/*
+ * convert ssh auth msg type into description
+ */
+char *
+get_authname(int type)
+{
+	static char buf[1024];
+	switch (type) {
+	case SSH_CMSG_AUTH_PASSWORD:
+		return "password";
+	case SSH_CMSG_AUTH_RSA:
+		return "rsa";
+	case SSH_CMSG_AUTH_RHOSTS_RSA:
+		return "rhosts-rsa";
+	case SSH_CMSG_AUTH_RHOSTS:
+		return "rhosts";
+	case SSH_CMSG_AUTH_TIS:
+	case SSH_CMSG_AUTH_TIS_RESPONSE:
+		return "challenge-response";
+#if defined(KRB4) || defined(KRB5)
+	case SSH_CMSG_AUTH_KERBEROS:
+		return "kerberos";
+#endif
+	}
+	snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
+	return buf;
+}
+
+/*
+ * read packets, try to authenticate the user and
+ * return only if authentication is successful
+ */
+void
+do_authloop(Authctxt *authctxt)
+{
+	int authenticated = 0;
+	u_int bits;
+	RSA *client_host_key;
+	BIGNUM *n;
+	char *client_user, *password;
+	char info[1024];
+	u_int dlen;
+	int plen, nlen, elen;
+	u_int ulen;
+	int type = 0;
+	struct passwd *pw = authctxt->pw;
+	void (*authlog) (const char *fmt,...) = verbose;
+#ifdef HAVE_LOGIN_CAP
+	login_cap_t *lc;
+#endif /* HAVE_LOGIN_CAP */
+#ifdef USE_PAM
+	struct inverted_pam_cookie *pam_cookie;
+#endif /* USE_PAM */
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+	const char *from_host, *from_ip;
+
+	from_host = get_canonical_hostname(options.reverse_mapping_check);
+	from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+#if 0
+#ifdef KRB5
+	{
+	  	krb5_error_code ret;
+		
+		ret = krb5_init_context(&ssh_context);
+		if (ret)
+		 	verbose("Error while initializing Kerberos V5."); 
+		krb5_init_ets(ssh_context);
+		
+	}
+#endif /* KRB5 */
+#endif
+
+	debug("Attempting authentication for %s%.100s.",
+	     authctxt->valid ? "" : "illegal user ", authctxt->user);
+
+	/* If the user has no password, accept authentication immediately. */
+	if (options.password_authentication &&
+#if defined(KRB4) || defined(KRB5)
+	    (!options.kerberos_authentication
+#if defined(KRB4)
+	    || options.krb4_or_local_passwd
+#endif
+	    ) &&
+#endif
+#ifdef USE_PAM
+	    auth_pam_password(authctxt, "")
+#else
+	    auth_password(authctxt, "")
+#endif
+		) {
+		auth_log(authctxt, 1, "without authentication", "");
+		return;
+	}
+
+	/* Indicate that authentication is needed. */
+	packet_start(SSH_SMSG_FAILURE);
+	packet_send();
+	packet_write_wait();
+
+	client_user = NULL;
+
+	for (;;) {
+		/* default to fail */
+		authenticated = 0;
+
+		info[0] = '\0';
+
+		/* Get a packet from the client. */
+		type = packet_read(&plen);
+
+		/* Process the packet. */
+		switch (type) {
+#ifdef AFS
+#ifndef KRB5
+		case SSH_CMSG_HAVE_KRB4_TGT:
+			if (!options.krb4_tgt_passing) {
+				/* packet_get_all(); */
+				verbose("Kerberos v4 tgt passing disabled.");
+				break;
+			} else {
+				/* Accept Kerberos v4 tgt. */
+				char *tgt = packet_get_string(&dlen);
+				packet_integrity_check(plen, 4 + dlen, type);
+				if (!auth_krb4_tgt(pw, tgt))
+					verbose("Kerberos v4 tgt REFUSED for %.100ss", authctxt->user);
+				xfree(tgt);
+			}
+			continue;
+#endif /* !KRB5 */
+		case SSH_CMSG_HAVE_AFS_TOKEN:
+			if (!options.afs_token_passing || !k_hasafs()) {
+				verbose("AFS token passing disabled.");
+				break;
+			} else {
+				/* Accept AFS token. */
+				char *token_string = packet_get_string(&dlen);
+				packet_integrity_check(plen, 4 + dlen, type);
+				if (!auth_afs_token(pw, token_string))
+					verbose("AFS token REFUSED for %.100s", authctxt->user);
+				xfree(token_string);
+			}
+			continue;
+#endif /* AFS */
+#if defined(KRB4) || defined(KRB5)
+		case SSH_CMSG_AUTH_KERBEROS:
+			if (!options.kerberos_authentication) {
+				verbose("Kerberos authentication disabled.");
+				break;
+			} else {
+				/* Try Kerberos authentication. */
+				u_int len;
+				char *tkt_user = NULL;
+				char *kdata = packet_get_string(&len);
+				packet_integrity_check(plen, 4 + len, type);
+
+				if (!authctxt->valid) {
+					/* Do nothing. */
+				} else if (kdata[0] == 4) {	/* 4 == KRB_PROT_VERSION */
+#ifdef KRB4
+					KTEXT_ST auth;
+
+					auth.length = len;
+					if (auth.length < MAX_KTXT_LEN)
+						memcpy(auth.dat, kdata, auth.length);
+					authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);
+
+					if (authenticated) {
+						snprintf(info, sizeof info,
+						    " tktuser %.100s", tkt_user);
+						xfree(tkt_user);
+					}
+#else
+					verbose("Kerberos v4 authentication disabled.");
+#endif /* KRB4 */
+				} else {
+#ifndef KRB5
+					verbose("Kerberos v5 authentication disabled.");
+#else
+				  	krb5_data k5data; 
+					k5data.length = len;
+					k5data.data = kdata;
+  #if 0	
+					if (krb5_init_context(&ssh_context)) {
+						verbose("Error while initializing Kerberos V5.");
+						break;
+					}
+					krb5_init_ets(ssh_context);
+  #endif
+					/* pw->name is passed just for logging purposes */
+					if (auth_krb5(pw->pw_name, &k5data, &tkt_client)) {
+					  	/* authorize client against .k5login */
+					  	if (krb5_kuserok(ssh_context,
+						      tkt_client,
+						      pw->pw_name))
+						  	authenticated = 1;
+					}
+#endif /* KRB5 */
+  				}
+				xfree(kdata);
+  			}
+  			break;
+#endif /* KRB4 || KRB5 */
+
+		case SSH_CMSG_AUTH_RHOSTS:
+			if (!options.rhosts_authentication) {
+				verbose("Rhosts authentication disabled.");
+				break;
+			}
+			/*
+			 * Get client user name.  Note that we just have to
+			 * trust the client; this is one reason why rhosts
+			 * authentication is insecure. (Another is
+			 * IP-spoofing on a local network.)
+			 */
+			client_user = packet_get_string(&ulen);
+			packet_integrity_check(plen, 4 + ulen, type);
+
+			/* Try to authenticate using /etc/hosts.equiv and .rhosts. */
+			authenticated = auth_rhosts(pw, client_user);
+
+			snprintf(info, sizeof info, " ruser %.100s", client_user);
+			break;
+
+		case SSH_CMSG_AUTH_RHOSTS_RSA:
+			if (!options.rhosts_rsa_authentication) {
+				verbose("Rhosts with RSA authentication disabled.");
+				break;
+			}
+			/*
+			 * Get client user name.  Note that we just have to
+			 * trust the client; root on the client machine can
+			 * claim to be any user.
+			 */
+			client_user = packet_get_string(&ulen);
+
+			/* Get the client host key. */
+			client_host_key = RSA_new();
+			if (client_host_key == NULL)
+				fatal("RSA_new failed");
+			client_host_key->e = BN_new();
+			client_host_key->n = BN_new();
+			if (client_host_key->e == NULL || client_host_key->n == NULL)
+				fatal("BN_new failed");
+			bits = packet_get_int();
+			packet_get_bignum(client_host_key->e, &elen);
+			packet_get_bignum(client_host_key->n, &nlen);
+
+			if (bits != BN_num_bits(client_host_key->n))
+				verbose("Warning: keysize mismatch for client_host_key: "
+				    "actual %d, announced %d", BN_num_bits(client_host_key->n), bits);
+			packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);
+
+			authenticated = auth_rhosts_rsa(pw, client_user, client_host_key);
+			RSA_free(client_host_key);
+
+			snprintf(info, sizeof info, " ruser %.100s", client_user);
+			break;
+
+		case SSH_CMSG_AUTH_RSA:
+			if (!options.rsa_authentication) {
+				verbose("RSA authentication disabled.");
+				break;
+			}
+			/* RSA authentication requested. */
+			n = BN_new();
+			packet_get_bignum(n, &nlen);
+			packet_integrity_check(plen, nlen, type);
+			authenticated = auth_rsa(pw, n);
+			BN_clear_free(n);
+			break;
+
+		case SSH_CMSG_AUTH_PASSWORD:
+			if (!options.password_authentication) {
+				verbose("Password authentication disabled.");
+				break;
+			}
+			/*
+			 * Read user password.  It is in plain text, but was
+			 * transmitted over the encrypted channel so it is
+			 * not visible to an outside observer.
+			 */
+			password = packet_get_string(&dlen);
+			packet_integrity_check(plen, 4 + dlen, type);
+
+#ifdef USE_PAM
+			/* Do PAM auth with password */
+			authenticated = auth_pam_password(authctxt, password);
+#else /* !USE_PAM */
+ 			/* Try authentication with the password. */
+			authenticated = auth_password(authctxt, password);
+#endif /* USE_PAM */
+
+			memset(password, 0, strlen(password));
+			xfree(password);
+			break;
+
+#ifdef USE_PAM
+		case SSH_CMSG_AUTH_TIS:
+			debug("rcvd SSH_CMSG_AUTH_TIS: Trying PAM");
+			pam_cookie = ipam_start_auth("csshd", pw->pw_name);
+			/* We now have data available to send as a challenge */
+			if (pam_cookie->num_msg != 1 ||
+			    (pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_OFF &&
+			     pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_ON)) {
+			    /* We got several challenges or an unknown challenge type */
+			    ipam_free_cookie(pam_cookie);
+			    pam_cookie = NULL;
+			    break;
+			}
+			packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
+			packet_put_string(pam_cookie->msg[0]->msg, strlen(pam_cookie->msg[0]->msg));
+			packet_send();
+			packet_write_wait();
+			continue;
+		case SSH_CMSG_AUTH_TIS_RESPONSE:
+			debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
+			if (pam_cookie == NULL)
+			    break;
+			{
+			    char *response = packet_get_string(&dlen);
+			    
+			    packet_integrity_check(plen, 4 + dlen, type);
+			    pam_cookie->resp[0]->resp = strdup(response);
+			    xfree(response);
+			    authenticated = ipam_complete_auth(pam_cookie);
+			    ipam_free_cookie(pam_cookie);
+			    pam_cookie = NULL;
+			}
+			break;
+#elif defined(SKEY)
+		case SSH_CMSG_AUTH_TIS:
+			debug("rcvd SSH_CMSG_AUTH_TIS");
+			if (options.challenge_reponse_authentication == 1) {
+				char *challenge = get_challenge(authctxt, authctxt->style);
+				if (challenge != NULL) {
+					debug("sending challenge '%s'", challenge);
+					packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
+					packet_put_cstring(challenge);
+					packet_send();
+					packet_write_wait();
+					continue;
+				}
+			}
+			break;
+		case SSH_CMSG_AUTH_TIS_RESPONSE:
+			debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
+			if (options.challenge_reponse_authentication == 1) {
+				char *response = packet_get_string(&dlen);
+				debug("got response '%s'", response);
+				packet_integrity_check(plen, 4 + dlen, type);
+				authenticated = verify_response(authctxt, response);
+				memset(response, 'r', dlen);
+				xfree(response);
+			}
+			break;
+#else
+		case SSH_CMSG_AUTH_TIS:
+			/* TIS Authentication is unsupported */
+			log("TIS authentication unsupported.");
+			break;
+#endif
+#ifdef KRB5
+		case SSH_CMSG_HAVE_KERBEROS_TGT:
+			/* Passing krb5 ticket */
+			if (!options.krb5_tgt_passing 
+                            /*|| !options.krb5_authentication */) {
+
+			}
+			
+			if (tkt_client == NULL) {
+			  /* passing tgt without krb5 authentication */
+			}
+			
+			{
+			  krb5_data tgt;
+			  u_int tgtlen;
+			  tgt.data = packet_get_string(&tgtlen);
+			  tgt.length = tgtlen;
+			  
+			  if (!auth_krb5_tgt(pw->pw_name, &tgt, tkt_client))
+			    verbose ("Kerberos V5 TGT refused for %.100s", pw->pw_name);
+			  xfree(tgt.data);
+			      
+			  break;
+			}
+#endif /* KRB5 */
+
+		default:
+			/*
+			 * Any unknown messages will be ignored (and failure
+			 * returned) during authentication.
+			 */
+			log("Unknown message during authentication: type %d", type);
+			break;
+		}
+
+#ifdef HAVE_LOGIN_CAP
+		if (pw != NULL) {
+		  lc = login_getpwclass(pw);
+		  if (lc == NULL)
+			lc = login_getclassbyname(NULL, pw);
+		  if (!auth_hostok(lc, from_host, from_ip)) {
+			log("Denied connection for %.200s from %.200s [%.200s].",
+		      pw->pw_name, from_host, from_ip);
+			packet_disconnect("Sorry, you are not allowed to connect.");
+		  }
+		  if (!auth_timeok(lc, time(NULL))) {
+			log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+		      pw->pw_name, from_host);
+			packet_disconnect("Logins not available right now.");
+		  }
+		  login_close(lc);
+		  lc = NULL;
+		}
+#endif  /* HAVE_LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+		if (pw != NULL && !login_access(pw->pw_name, from_host)) {
+		  log("Denied connection for %.200s from %.200s [%.200s].",
+		      pw->pw_name, from_host, from_ip);
+		  packet_disconnect("Sorry, you are not allowed to connect.");
+		}
+#endif /* LOGIN_ACCESS */
+#ifdef BSD_AUTH
+		if (authctxt->as) {
+			auth_close(authctxt->as);
+			authctxt->as = NULL;
+		}
+#endif
+		if (!authctxt->valid && authenticated)
+			fatal("INTERNAL ERROR: authenticated invalid user %s",
+			    authctxt->user);
+
+		/* Special handling for root */
+		if (authenticated && authctxt->pw->pw_uid == 0 &&
+		    !auth_root_allowed(get_authname(type)))
+			authenticated = 0;
+
+		if (pw != NULL && pw->pw_uid == 0)
+		  log("ROOT LOGIN as '%.100s' from %.100s",
+		      pw->pw_name,
+			  get_canonical_hostname(options.reverse_mapping_check));
+
+		/* Log before sending the reply */
+		auth_log(authctxt, authenticated, get_authname(type), info);
+
+#ifdef USE_PAM
+		if (authenticated && !do_pam_account(pw->pw_name, client_user))
+			authenticated = 0;
+#endif
+
+		if (client_user != NULL) {
+			xfree(client_user);
+			client_user = NULL;
+		}
+
+		if (authenticated)
+			return;
+
+		if (authctxt->failures++ > AUTH_FAIL_MAX)
+			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+
+		packet_start(SSH_SMSG_FAILURE);
+		packet_send();
+		packet_write_wait();
+	}
+}
+
+/*
+ * Performs authentication of an incoming connection.  Session key has already
+ * been exchanged and encryption is enabled.
+ */
+void
+do_authentication()
+{
+	Authctxt *authctxt;
+	struct passwd *pw;
+	int plen;
+	u_int ulen;
+	char *user, *style = NULL;
+
+	/* Get the name of the user that we wish to log in as. */
+	packet_read_expect(&plen, SSH_CMSG_USER);
+
+	/* Get the user name. */
+	user = packet_get_string(&ulen);
+	packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
+
+	if ((style = strchr(user, ':')) != NULL)
+		*style++ = 0;
+
+	authctxt = authctxt_new();
+	authctxt->user = user;
+	authctxt->style = style;
+
+	/* Verify that the user is a valid user. */
+	pw = getpwnam(user);
+	if (pw && allowed_user(pw)) {
+		authctxt->valid = 1;
+		pw = pwcopy(pw);
+	} else {
+		debug("do_authentication: illegal user %s", user);
+		pw = NULL;
+	}
+	authctxt->pw = pw;
+
+#ifdef USE_PAM
+	if (pw != NULL)
+		start_pam(pw);
+#endif
+	setproctitle("%s", pw ? user : "unknown");
+
+	/*
+	 * If we are not running as root, the user must have the same uid as
+	 * the server.
+	 */
+	if (getuid() != 0 && pw && pw->pw_uid != getuid())
+		packet_disconnect("Cannot change user when server not running as root.");
+
+	/*
+	 * Loop until the user has been authenticated or the connection is
+	 * closed, do_authloop() returns only if authentication is successful
+	 */
+	do_authloop(authctxt);
+
+	/* The user has been authenticated and accepted. */
+	packet_start(SSH_SMSG_SUCCESS);
+	packet_send();
+	packet_write_wait();
+
+	/* Perform session preparation. */
+	do_authenticated(authctxt);
+}
diff --git a/crypto/openssh/auth2-chall.c b/crypto/openssh/auth2-chall.c
new file mode 100644
index 0000000..5af60e4
--- /dev/null
+++ b/crypto/openssh/auth2-chall.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$OpenBSD: auth2-chall.c,v 1.4 2001/03/28 22:43:31 markus Exp $");
+
+#include "ssh2.h"
+#include "auth.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "dispatch.h"
+#include "log.h"
+
+void send_userauth_into_request(Authctxt *authctxt, char *challenge, int echo);
+void input_userauth_info_response(int type, int plen, void *ctxt);
+
+/*
+ * try challenge-reponse, return -1 (= postponed) if we have to
+ * wait for the response.
+ */
+int
+auth2_challenge(Authctxt *authctxt, char *devs)
+{
+	char *challenge;
+
+	if (!authctxt->valid || authctxt->user == NULL)
+		return 0;
+	if ((challenge = get_challenge(authctxt, devs)) == NULL)
+		return 0;
+	send_userauth_into_request(authctxt, challenge, 0);
+	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
+	    &input_userauth_info_response);
+	authctxt->postponed = 1;
+	return 0;
+}
+
+void
+send_userauth_into_request(Authctxt *authctxt, char *challenge, int echo)
+{
+	int nprompts = 1;
+
+	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
+	/* name, instruction and language are unused */
+	packet_put_cstring("");
+	packet_put_cstring("");
+	packet_put_cstring("");
+	packet_put_int(nprompts);
+	packet_put_cstring(challenge);
+	packet_put_char(echo);
+	packet_send();
+	packet_write_wait();
+}
+
+void
+input_userauth_info_response(int type, int plen, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	int authenticated = 0;
+	u_int nresp, rlen;
+	char *response, *method = "challenge-reponse";
+
+	if (authctxt == NULL)
+		fatal("input_userauth_info_response: no authctxt");
+
+	authctxt->postponed = 0;	/* reset */
+	nresp = packet_get_int();
+	if (nresp == 1) {
+		response = packet_get_string(&rlen);
+		packet_done();
+		if (strlen(response) == 0) {
+			/*
+			 * if we received an empty response, resend challenge
+			 * with echo enabled
+			 */
+			char *challenge = get_challenge(authctxt, NULL);
+			if (challenge != NULL) {
+				send_userauth_into_request(authctxt,
+				    challenge, 1);
+				authctxt->postponed = 1;
+			}
+		} else if (authctxt->valid) {
+			authenticated = verify_response(authctxt, response);
+			memset(response, 'r', rlen);
+		}
+		xfree(response);
+	}
+	/* unregister callback */
+	if (!authctxt->postponed)
+		dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
+
+	userauth_finish(authctxt, authenticated, method);
+}
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
new file mode 100644
index 0000000..5b8ea1a
--- /dev/null
+++ b/crypto/openssh/auth2.c
@@ -0,0 +1,854 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: auth2.c,v 1.56 2001/04/19 00:05:11 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/evp.h>
+
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "rsa.h"
+#include "sshpty.h"
+#include "packet.h"
+#include "buffer.h"
+#include "log.h"
+#include "servconf.h"
+#include "compat.h"
+#include "channels.h"
+#include "bufaux.h"
+#include "auth.h"
+#include "session.h"
+#include "dispatch.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "pathnames.h"
+#include "uidswap.h"
+#include "auth-options.h"
+#include "misc.h"
+#include "hostfile.h"
+#include "canohost.h"
+#include "tildexpand.h"
+
+#ifdef HAVE_LOGIN_CAP
+#include <login_cap.h>
+#endif /* HAVE_LOGIN_CAP */
+
+/* import */
+extern ServerOptions options;
+extern u_char *session_id2;
+extern int session_id2_len;
+
+static Authctxt	*x_authctxt = NULL;
+static int one = 1;
+
+typedef struct Authmethod Authmethod;
+struct Authmethod {
+	char	*name;
+	int	(*userauth)(Authctxt *authctxt);
+	int	*enabled;
+};
+
+/* protocol */
+
+void	input_service_request(int type, int plen, void *ctxt);
+void	input_userauth_request(int type, int plen, void *ctxt);
+void	protocol_error(int type, int plen, void *ctxt);
+
+/* helper */
+Authmethod	*authmethod_lookup(const char *name);
+char	*authmethods_get(void);
+int	user_key_allowed(struct passwd *pw, Key *key);
+int
+hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
+    Key *key);
+
+/* auth */
+void	userauth_banner(void);
+void	userauth_reply(Authctxt *authctxt, int authenticated);
+int	userauth_none(Authctxt *authctxt);
+int	userauth_passwd(Authctxt *authctxt);
+int	userauth_pubkey(Authctxt *authctxt);
+int	userauth_hostbased(Authctxt *authctxt);
+int	userauth_kbdint(Authctxt *authctxt);
+
+Authmethod authmethods[] = {
+	{"none",
+		userauth_none,
+		&one},
+	{"publickey",
+		userauth_pubkey,
+		&options.pubkey_authentication},
+	{"password",
+		userauth_passwd,
+		&options.password_authentication},
+	{"keyboard-interactive",
+		userauth_kbdint,
+		&options.kbd_interactive_authentication},
+	{"hostbased",
+		userauth_hostbased,
+		&options.hostbased_authentication},
+	{NULL, NULL, NULL}
+};
+
+/*
+ * loop until authctxt->success == TRUE
+ */
+
+void
+do_authentication2()
+{
+	Authctxt *authctxt = authctxt_new();
+
+	x_authctxt = authctxt;		/*XXX*/
+
+#if defined(KRB4) || defined(KRB5)
+	/* turn off kerberos, not supported by SSH2 */
+	options.kerberos_authentication = 0;
+#endif
+	/* challenge-reponse is implemented via keyboard interactive */
+	if (options.challenge_reponse_authentication)
+		options.kbd_interactive_authentication = 1;
+
+	dispatch_init(&protocol_error);
+	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
+	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
+	do_authenticated(authctxt);
+}
+
+void
+protocol_error(int type, int plen, void *ctxt)
+{
+	log("auth: protocol error: type %d plen %d", type, plen);
+	packet_start(SSH2_MSG_UNIMPLEMENTED);
+	packet_put_int(0);
+	packet_send();
+	packet_write_wait();
+}
+
+void
+input_service_request(int type, int plen, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	u_int len;
+	int accept = 0;
+	char *service = packet_get_string(&len);
+	packet_done();
+
+	if (authctxt == NULL)
+		fatal("input_service_request: no authctxt");
+
+	if (strcmp(service, "ssh-userauth") == 0) {
+		if (!authctxt->success) {
+			accept = 1;
+			/* now we can handle user-auth requests */
+			dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
+		}
+	}
+	/* XXX all other service requests are denied */
+
+	if (accept) {
+		packet_start(SSH2_MSG_SERVICE_ACCEPT);
+		packet_put_cstring(service);
+		packet_send();
+		packet_write_wait();
+	} else {
+		debug("bad service request %s", service);
+		packet_disconnect("bad service request %s", service);
+	}
+	xfree(service);
+}
+
+void
+input_userauth_request(int type, int plen, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	Authmethod *m = NULL;
+	char *user, *service, *method, *style = NULL;
+	int authenticated = 0;
+#ifdef HAVE_LOGIN_CAP
+	login_cap_t *lc;
+#endif /* HAVE_LOGIN_CAP */
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+	const char *from_host, *from_ip;
+
+	from_host = get_canonical_hostname(options.reverse_mapping_check);
+	from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
+
+	if (authctxt == NULL)
+		fatal("input_userauth_request: no authctxt");
+
+	user = packet_get_string(NULL);
+	service = packet_get_string(NULL);
+	method = packet_get_string(NULL);
+	debug("userauth-request for user %s service %s method %s", user, service, method);
+	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+
+	if ((style = strchr(user, ':')) != NULL)
+		*style++ = 0;
+
+	if (authctxt->attempt++ == 0) {
+		/* setup auth context */
+		struct passwd *pw = NULL;
+		pw = getpwnam(user);
+		if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
+			authctxt->pw = pwcopy(pw);
+			authctxt->valid = 1;
+			debug2("input_userauth_request: setting up authctxt for %s", user);
+#ifdef USE_PAM
+			start_pam(pw);
+#endif
+		} else {
+			log("input_userauth_request: illegal user %s", user);
+			authctxt->pw = NULL;
+		}
+		setproctitle("%s", pw ? user : "unknown");
+		authctxt->user = xstrdup(user);
+		authctxt->service = xstrdup(service);
+		authctxt->style = style ? xstrdup(style) : NULL; /* currently unused */
+	} else if (authctxt->valid) {
+		if (strcmp(user, authctxt->user) != 0 ||
+		    strcmp(service, authctxt->service) != 0) {
+			log("input_userauth_request: mismatch: (%s,%s)!=(%s,%s)",
+			    user, service, authctxt->user, authctxt->service);
+			authctxt->valid = 0;
+		}
+	}
+
+#ifdef HAVE_LOGIN_CAP
+	if (authctxt->pw != NULL) {
+		lc = login_getpwclass(authctxt->pw);
+		if (lc == NULL)
+			lc = login_getclassbyname(NULL, authctxt->pw);
+		if (!auth_hostok(lc, from_host, from_ip)) {
+			log("Denied connection for %.200s from %.200s [%.200s].",
+			    authctxt->pw->pw_name, from_host, from_ip);
+			packet_disconnect("Sorry, you are not allowed to connect.");
+		}
+		if (!auth_timeok(lc, time(NULL))) {
+			log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+			    authctxt->pw->pw_name, from_host);
+			packet_disconnect("Logins not available right now.");
+		}
+		login_close(lc);
+		lc = NULL;
+	}
+#endif  /* HAVE_LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+	if (authctxt->pw != NULL &&
+	    !login_access(authctxt->pw->pw_name, from_host)) {
+		log("Denied connection for %.200s from %.200s [%.200s].",
+		    authctxt->pw->pw_name, from_host, from_ip);
+		packet_disconnect("Sorry, you are not allowed to connect.");
+	}
+#endif /* LOGIN_ACCESS */
+	/* reset state */
+	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error);
+	authctxt->postponed = 0;
+#ifdef BSD_AUTH
+	if (authctxt->as) {
+		auth_close(authctxt->as);
+		authctxt->as = NULL;
+	}
+#endif
+
+	/* try to authenticate user */
+	m = authmethod_lookup(method);
+	if (m != NULL) {
+		debug2("input_userauth_request: try method %s", method);
+		authenticated =	m->userauth(authctxt);
+	}
+#ifdef USE_PAM
+	if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL))
+		authenticated = 0;
+#endif /* USE_PAM */
+	userauth_finish(authctxt, authenticated, method);
+
+	xfree(service);
+	xfree(user);
+	xfree(method);
+}
+
+void
+userauth_finish(Authctxt *authctxt, int authenticated, char *method)
+{
+	if (!authctxt->valid && authenticated)
+		fatal("INTERNAL ERROR: authenticated invalid user %s",
+		    authctxt->user);
+
+	/* Special handling for root */
+	if (authenticated && authctxt->pw->pw_uid == 0 &&
+	    !auth_root_allowed(method))
+		authenticated = 0;
+
+	/* Log before sending the reply */
+	auth_log(authctxt, authenticated, method, " ssh2");
+
+	if (!authctxt->postponed)
+		userauth_reply(authctxt, authenticated);
+}
+
+void
+userauth_banner(void)
+{
+	struct stat st;
+	char *banner = NULL;
+	off_t len, n;
+	int fd;
+
+	if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
+		return;
+	if ((fd = open(options.banner, O_RDONLY)) < 0)
+		return;
+	if (fstat(fd, &st) < 0)
+		goto done;
+	len = st.st_size;
+	banner = xmalloc(len + 1);
+	if ((n = read(fd, banner, len)) < 0)
+		goto done;
+	banner[n] = '\0';
+	packet_start(SSH2_MSG_USERAUTH_BANNER);
+	packet_put_cstring(banner);
+	packet_put_cstring("");		/* language, unused */
+	packet_send();
+	debug("userauth_banner: sent");
+done:
+	if (banner)
+		xfree(banner);
+	close(fd);
+	return;
+}
+
+void
+userauth_reply(Authctxt *authctxt, int authenticated)
+{
+	char *methods;
+
+	/* XXX todo: check if multiple auth methods are needed */
+	if (authenticated == 1) {
+		/* turn off userauth */
+		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
+		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
+		packet_send();
+		packet_write_wait();
+		/* now we can break out */
+		authctxt->success = 1;
+	} else {
+		if (authctxt->failures++ > AUTH_FAIL_MAX)
+			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+		methods = authmethods_get();
+		packet_start(SSH2_MSG_USERAUTH_FAILURE);
+		packet_put_cstring(methods);
+		packet_put_char(0);	/* XXX partial success, unused */
+		packet_send();
+		packet_write_wait();
+		xfree(methods);
+	}
+}
+
+int
+userauth_none(Authctxt *authctxt)
+{
+	/* disable method "none", only allowed one time */
+	Authmethod *m = authmethod_lookup("none");
+	if (m != NULL)
+		m->enabled = NULL;
+	packet_done();
+	userauth_banner();
+#ifdef USE_PAM
+	return authctxt->valid ? auth_pam_password(authctxt, "") : 0;
+#else /* !USE_PAM */
+	return authctxt->valid ? auth_password(authctxt, "") : 0;
+#endif /* USE_PAM */
+}
+
+int
+userauth_passwd(Authctxt *authctxt)
+{
+	char *password;
+	int authenticated = 0;
+	int change;
+	u_int len;
+	change = packet_get_char();
+	if (change)
+		log("password change not supported");
+	password = packet_get_string(&len);
+	packet_done();
+	if (authctxt->valid &&
+#ifdef USE_PAM
+	    auth_pam_password(authctxt, password) == 1
+#else
+	    auth_password(authctxt, password) == 1
+#endif
+	    )
+		authenticated = 1;
+	memset(password, 0, len);
+	xfree(password);
+	return authenticated;
+}
+
+int
+userauth_kbdint(Authctxt *authctxt)
+{
+	int authenticated = 0;
+	char *lang = NULL;
+	char *devs = NULL;
+
+	lang = packet_get_string(NULL);
+	devs = packet_get_string(NULL);
+	packet_done();
+
+	debug("keyboard-interactive language %s devs %s", lang, devs);
+
+	if (options.challenge_reponse_authentication)
+		authenticated = auth2_challenge(authctxt, devs);
+
+	xfree(lang);
+	xfree(devs);
+	return authenticated;
+}
+
+int
+userauth_pubkey(Authctxt *authctxt)
+{
+	Buffer b;
+	Key *key;
+	char *pkalg, *pkblob, *sig;
+	u_int alen, blen, slen;
+	int have_sig, pktype;
+	int authenticated = 0;
+
+	if (!authctxt->valid) {
+		debug2("userauth_pubkey: disabled because of invalid user");
+		return 0;
+	}
+	have_sig = packet_get_char();
+	if (datafellows & SSH_BUG_PKAUTH) {
+		debug2("userauth_pubkey: SSH_BUG_PKAUTH");
+		/* no explicit pkalg given */
+		pkblob = packet_get_string(&blen);
+		buffer_init(&b);
+		buffer_append(&b, pkblob, blen);
+		/* so we have to extract the pkalg from the pkblob */
+		pkalg = buffer_get_string(&b, &alen);
+		buffer_free(&b);
+	} else {
+		pkalg = packet_get_string(&alen);
+		pkblob = packet_get_string(&blen);
+	}
+	pktype = key_type_from_name(pkalg);
+	if (pktype == KEY_UNSPEC) {
+		/* this is perfectly legal */
+		log("userauth_pubkey: unsupported public key algorithm: %s", pkalg);
+		xfree(pkalg);
+		xfree(pkblob);
+		return 0;
+	}
+	key = key_from_blob(pkblob, blen);
+	if (key != NULL) {
+		if (have_sig) {
+			sig = packet_get_string(&slen);
+			packet_done();
+			buffer_init(&b);
+			if (datafellows & SSH_OLD_SESSIONID) {
+				buffer_append(&b, session_id2, session_id2_len);
+			} else {
+				buffer_put_string(&b, session_id2, session_id2_len);
+			}
+			/* reconstruct packet */
+			buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+			buffer_put_cstring(&b, authctxt->user);
+			buffer_put_cstring(&b,
+			    datafellows & SSH_BUG_PKSERVICE ?
+			    "ssh-userauth" :
+			    authctxt->service);
+			if (datafellows & SSH_BUG_PKAUTH) {
+				buffer_put_char(&b, have_sig);
+			} else {
+				buffer_put_cstring(&b, "publickey");
+				buffer_put_char(&b, have_sig);
+				buffer_put_cstring(&b, pkalg);
+			}
+			buffer_put_string(&b, pkblob, blen);
+#ifdef DEBUG_PK
+			buffer_dump(&b);
+#endif
+			/* test for correct signature */
+			if (user_key_allowed(authctxt->pw, key) &&
+			    key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+				authenticated = 1;
+			buffer_clear(&b);
+			xfree(sig);
+		} else {
+			debug("test whether pkalg/pkblob are acceptable");
+			packet_done();
+
+			/* XXX fake reply and always send PK_OK ? */
+			/*
+			 * XXX this allows testing whether a user is allowed
+			 * to login: if you happen to have a valid pubkey this
+			 * message is sent. the message is NEVER sent at all
+			 * if a user is not allowed to login. is this an
+			 * issue? -markus
+			 */
+			if (user_key_allowed(authctxt->pw, key)) {
+				packet_start(SSH2_MSG_USERAUTH_PK_OK);
+				packet_put_string(pkalg, alen);
+				packet_put_string(pkblob, blen);
+				packet_send();
+				packet_write_wait();
+				authctxt->postponed = 1;
+			}
+		}
+		if (authenticated != 1)
+			auth_clear_options();
+		key_free(key);
+	}
+	debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
+	xfree(pkalg);
+	xfree(pkblob);
+	return authenticated;
+}
+
+int
+userauth_hostbased(Authctxt *authctxt)
+{
+	Buffer b;
+	Key *key;
+	char *pkalg, *pkblob, *sig, *cuser, *chost, *service;
+	u_int alen, blen, slen;
+	int pktype;
+	int authenticated = 0;
+
+	if (!authctxt->valid) {
+		debug2("userauth_hostbased: disabled because of invalid user");
+		return 0;
+	}
+	pkalg = packet_get_string(&alen);
+	pkblob = packet_get_string(&blen);
+	chost = packet_get_string(NULL);
+	cuser = packet_get_string(NULL);
+	sig = packet_get_string(&slen);
+
+	debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
+	    cuser, chost, pkalg, slen);
+#ifdef DEBUG_PK
+	debug("signature:");
+	buffer_init(&b);
+	buffer_append(&b, sig, slen);
+	buffer_dump(&b);
+	buffer_free(&b);
+#endif
+	pktype = key_type_from_name(pkalg);
+	if (pktype == KEY_UNSPEC) {
+		/* this is perfectly legal */
+		log("userauth_hostbased: unsupported "
+		    "public key algorithm: %s", pkalg);
+		goto done;
+	}
+	key = key_from_blob(pkblob, blen);
+	if (key == NULL) {
+		debug("userauth_hostbased: cannot decode key: %s", pkalg);
+		goto done;
+	}
+	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+	    authctxt->service;
+	buffer_init(&b);
+	buffer_put_string(&b, session_id2, session_id2_len);
+	/* reconstruct packet */
+	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+	buffer_put_cstring(&b, authctxt->user);
+	buffer_put_cstring(&b, service);
+	buffer_put_cstring(&b, "hostbased");
+	buffer_put_string(&b, pkalg, alen);
+	buffer_put_string(&b, pkblob, blen);
+	buffer_put_cstring(&b, chost);
+	buffer_put_cstring(&b, cuser);
+#ifdef DEBUG_PK
+	buffer_dump(&b);
+#endif
+	/* test for allowed key and correct signature */
+	if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) &&
+	    key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+		authenticated = 1;
+
+	buffer_clear(&b);
+	key_free(key);
+
+done:
+	debug2("userauth_hostbased: authenticated %d", authenticated);
+	xfree(pkalg);
+	xfree(pkblob);
+	xfree(cuser);
+	xfree(chost);
+	xfree(sig);
+	return authenticated;
+}
+
+/* get current user */
+
+struct passwd*
+auth_get_user(void)
+{
+	return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL;
+}
+
+#define	DELIM	","
+
+char *
+authmethods_get(void)
+{
+	Authmethod *method = NULL;
+	u_int size = 0;
+	char *list;
+
+	for (method = authmethods; method->name != NULL; method++) {
+		if (strcmp(method->name, "none") == 0)
+			continue;
+		if (method->enabled != NULL && *(method->enabled) != 0) {
+			if (size != 0)
+				size += strlen(DELIM);
+			size += strlen(method->name);
+		}
+	}
+	size++;			/* trailing '\0' */
+	list = xmalloc(size);
+	list[0] = '\0';
+
+	for (method = authmethods; method->name != NULL; method++) {
+		if (strcmp(method->name, "none") == 0)
+			continue;
+		if (method->enabled != NULL && *(method->enabled) != 0) {
+			if (list[0] != '\0')
+				strlcat(list, DELIM, size);
+			strlcat(list, method->name, size);
+		}
+	}
+	return list;
+}
+
+Authmethod *
+authmethod_lookup(const char *name)
+{
+	Authmethod *method = NULL;
+	if (name != NULL)
+		for (method = authmethods; method->name != NULL; method++)
+			if (method->enabled != NULL &&
+			    *(method->enabled) != 0 &&
+			    strcmp(name, method->name) == 0)
+				return method;
+	debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
+	return NULL;
+}
+
+/* return 1 if user allows given key */
+int
+user_key_allowed(struct passwd *pw, Key *key)
+{
+	char line[8192], file[MAXPATHLEN];
+	int found_key = 0;
+	FILE *f;
+	u_long linenum = 0;
+	struct stat st;
+	Key *found;
+
+	if (pw == NULL)
+		return 0;
+
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw);
+
+	/* The authorized keys. */
+	snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
+	    _PATH_SSH_USER_PERMITTED_KEYS2);
+
+	/* Fail quietly if file does not exist */
+	if (stat(file, &st) < 0) {
+		/* Restore the privileged uid. */
+		restore_uid();
+		return 0;
+	}
+	/* Open the file containing the authorized keys. */
+	f = fopen(file, "r");
+	if (!f) {
+		/* Restore the privileged uid. */
+		restore_uid();
+		return 0;
+	}
+	if (options.strict_modes) {
+		int fail = 0;
+		char buf[1024];
+		/* Check open file in order to avoid open/stat races */
+		if (fstat(fileno(f), &st) < 0 ||
+		    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+		    (st.st_mode & 022) != 0) {
+			snprintf(buf, sizeof buf,
+			    "%s authentication refused for %.100s: "
+			    "bad ownership or modes for '%s'.",
+			    key_type(key), pw->pw_name, file);
+			fail = 1;
+		} else {
+			/* Check path to _PATH_SSH_USER_PERMITTED_KEYS */
+			int i;
+			static const char *check[] = {
+				"", _PATH_SSH_USER_DIR, NULL
+			};
+			for (i = 0; check[i]; i++) {
+				snprintf(line, sizeof line, "%.500s/%.100s",
+				    pw->pw_dir, check[i]);
+				if (stat(line, &st) < 0 ||
+				    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+				    (st.st_mode & 022) != 0) {
+					snprintf(buf, sizeof buf,
+					    "%s authentication refused for %.100s: "
+					    "bad ownership or modes for '%s'.",
+					    key_type(key), pw->pw_name, line);
+					fail = 1;
+					break;
+				}
+			}
+		}
+		if (fail) {
+			fclose(f);
+			log("%s", buf);
+			restore_uid();
+			return 0;
+		}
+	}
+	found_key = 0;
+	found = key_new(key->type);
+
+	while (fgets(line, sizeof(line), f)) {
+		char *cp, *options = NULL;
+		linenum++;
+		/* Skip leading whitespace, empty and comment lines. */
+		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (!*cp || *cp == '\n' || *cp == '#')
+			continue;
+
+		if (key_read(found, &cp) == -1) {
+			/* no key?  check if there are options for this key */
+			int quoted = 0;
+			debug2("user_key_allowed: check options: '%s'", cp);
+			options = cp;
+			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+				if (*cp == '\\' && cp[1] == '"')
+					cp++;	/* Skip both */
+				else if (*cp == '"')
+					quoted = !quoted;
+			}
+			/* Skip remaining whitespace. */
+			for (; *cp == ' ' || *cp == '\t'; cp++)
+				;
+			if (key_read(found, &cp) == -1) {
+				debug2("user_key_allowed: advance: '%s'", cp);
+				/* still no key?  advance to next line*/
+				continue;
+			}
+		}
+		if (key_equal(found, key) &&
+		    auth_parse_options(pw, options, file, linenum) == 1) {
+			found_key = 1;
+			debug("matching key found: file %s, line %ld",
+			    file, linenum);
+			break;
+		}
+	}
+	restore_uid();
+	fclose(f);
+	key_free(found);
+	if (!found_key)
+		debug2("key not found");
+	return found_key;
+}
+
+/* return 1 if given hostkey is allowed */
+int
+hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
+    Key *key)
+{
+	Key *found;
+	const char *resolvedname, *ipaddr, *lookup;
+	struct stat st;
+	char *user_hostfile;
+	int host_status, len;
+
+	resolvedname = get_canonical_hostname(options.reverse_mapping_check);
+	ipaddr = get_remote_ipaddr();
+
+	debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
+	    chost, resolvedname, ipaddr);
+
+	if (options.hostbased_uses_name_from_packet_only) {
+		if (auth_rhosts2(pw, cuser, chost, chost) == 0)
+			return 0;
+		lookup = chost;
+	} else {
+		if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
+			debug2("stripping trailing dot from chost %s", chost);
+			chost[len - 1] = '\0';
+		}
+		if (strcasecmp(resolvedname, chost) != 0)
+			log("userauth_hostbased mismatch: "
+			    "client sends %s, but we resolve %s to %s",
+			    chost, ipaddr, resolvedname);
+		if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
+			return 0;
+		lookup = resolvedname;
+	}
+	debug2("userauth_hostbased: access allowed by auth_rhosts2");
+
+	/* XXX this is copied from auth-rh-rsa.c and should be shared */
+	found = key_new(key->type);
+	host_status = check_host_in_hostfile(_PATH_SSH_SYSTEM_HOSTFILE2, lookup,
+	    key, found, NULL);
+
+	if (host_status != HOST_OK && !options.ignore_user_known_hosts) {
+		user_hostfile = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE2,
+		    pw->pw_uid);
+		if (options.strict_modes &&
+		    (stat(user_hostfile, &st) == 0) &&
+		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+		     (st.st_mode & 022) != 0)) {
+			log("Hostbased authentication refused for %.100s: "
+			    "bad owner or modes for %.200s",
+			    pw->pw_name, user_hostfile);
+		} else {
+			temporarily_use_uid(pw);
+			host_status = check_host_in_hostfile(user_hostfile,
+			    lookup, key, found, NULL);
+			restore_uid();
+		}
+		xfree(user_hostfile);
+	}
+	key_free(found);
+
+	debug2("userauth_hostbased: key %s for %s", host_status == HOST_OK ?
+	    "ok" : "not found", lookup);
+	return (host_status == HOST_OK);
+}
diff --git a/crypto/openssh/authfd.c b/crypto/openssh/authfd.c
new file mode 100644
index 0000000..953c852
--- /dev/null
+++ b/crypto/openssh/authfd.c
@@ -0,0 +1,577 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Functions for connecting the local authentication agent.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * SSH2 implementation,
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: authfd.c,v 1.39 2001/04/05 10:42:48 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/evp.h>
+
+#include "ssh.h"
+#include "rsa.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "xmalloc.h"
+#include "getput.h"
+#include "key.h"
+#include "authfd.h"
+#include "cipher.h"
+#include "kex.h"
+#include "compat.h"
+#include "log.h"
+#include "atomicio.h"
+
+/* helper */
+int	decode_reply(int type);
+
+/* macro to check for "agent failure" message */
+#define agent_failed(x) \
+    ((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT2_FAILURE))
+
+/* Returns the number of the authentication fd, or -1 if there is none. */
+
+int
+ssh_get_authentication_socket(void)
+{
+	const char *authsocket;
+	int sock, len;
+	struct sockaddr_un sunaddr;
+
+	authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
+	if (!authsocket)
+		return -1;
+
+	sunaddr.sun_family = AF_UNIX;
+	strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
+	len = SUN_LEN(&sunaddr)+1;
+	sunaddr.sun_len = len;
+
+	sock = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (sock < 0)
+		return -1;
+
+	/* close on exec */
+	if (fcntl(sock, F_SETFD, 1) == -1) {
+		close(sock);
+		return -1;
+	}
+	if (connect(sock, (struct sockaddr *) & sunaddr, len) < 0) {
+		close(sock);
+		return -1;
+	}
+	return sock;
+}
+
+int
+ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply)
+{
+	int l, len;
+	char buf[1024];
+
+	/* Get the length of the message, and format it in the buffer. */
+	len = buffer_len(request);
+	PUT_32BIT(buf, len);
+
+	/* Send the length and then the packet to the agent. */
+	if (atomicio(write, auth->fd, buf, 4) != 4 ||
+	    atomicio(write, auth->fd, buffer_ptr(request),
+	    buffer_len(request)) != buffer_len(request)) {
+		error("Error writing to authentication socket.");
+		return 0;
+	}
+	/*
+	 * Wait for response from the agent.  First read the length of the
+	 * response packet.
+	 */
+	len = 4;
+	while (len > 0) {
+		l = read(auth->fd, buf + 4 - len, len);
+		if (l == -1 && (errno == EAGAIN || errno == EINTR))
+			continue;
+		if (l <= 0) {
+			error("Error reading response length from authentication socket.");
+			return 0;
+		}
+		len -= l;
+	}
+
+	/* Extract the length, and check it for sanity. */
+	len = GET_32BIT(buf);
+	if (len > 256 * 1024)
+		fatal("Authentication response too long: %d", len);
+
+	/* Read the rest of the response in to the buffer. */
+	buffer_clear(reply);
+	while (len > 0) {
+		l = len;
+		if (l > sizeof(buf))
+			l = sizeof(buf);
+		l = read(auth->fd, buf, l);
+		if (l == -1 && (errno == EAGAIN || errno == EINTR))
+			continue;
+		if (l <= 0) {
+			error("Error reading response from authentication socket.");
+			return 0;
+		}
+		buffer_append(reply, (char *) buf, l);
+		len -= l;
+	}
+	return 1;
+}
+
+/*
+ * Closes the agent socket if it should be closed (depends on how it was
+ * obtained).  The argument must have been returned by
+ * ssh_get_authentication_socket().
+ */
+
+void
+ssh_close_authentication_socket(int sock)
+{
+	if (getenv(SSH_AUTHSOCKET_ENV_NAME))
+		close(sock);
+}
+
+/*
+ * Opens and connects a private socket for communication with the
+ * authentication agent.  Returns the file descriptor (which must be
+ * shut down and closed by the caller when no longer needed).
+ * Returns NULL if an error occurred and the connection could not be
+ * opened.
+ */
+
+AuthenticationConnection *
+ssh_get_authentication_connection(void)
+{
+	AuthenticationConnection *auth;
+	int sock;
+
+	sock = ssh_get_authentication_socket();
+
+	/*
+	 * Fail if we couldn't obtain a connection.  This happens if we
+	 * exited due to a timeout.
+	 */
+	if (sock < 0)
+		return NULL;
+
+	auth = xmalloc(sizeof(*auth));
+	auth->fd = sock;
+	buffer_init(&auth->identities);
+	auth->howmany = 0;
+
+	return auth;
+}
+
+/*
+ * Closes the connection to the authentication agent and frees any associated
+ * memory.
+ */
+
+void
+ssh_close_authentication_connection(AuthenticationConnection *auth)
+{
+	buffer_free(&auth->identities);
+	close(auth->fd);
+	xfree(auth);
+}
+
+/*
+ * Returns the first authentication identity held by the agent.
+ */
+
+int
+ssh_get_num_identities(AuthenticationConnection *auth, int version)
+{
+	int type, code1 = 0, code2 = 0;
+	Buffer request;
+
+	switch(version){
+	case 1:
+		code1 = SSH_AGENTC_REQUEST_RSA_IDENTITIES;
+		code2 = SSH_AGENT_RSA_IDENTITIES_ANSWER;
+		break;
+	case 2:
+		code1 = SSH2_AGENTC_REQUEST_IDENTITIES;
+		code2 = SSH2_AGENT_IDENTITIES_ANSWER;
+		break;
+	default:
+		return 0;
+	}
+
+	/*
+	 * Send a message to the agent requesting for a list of the
+	 * identities it can represent.
+	 */
+	buffer_init(&request);
+	buffer_put_char(&request, code1);
+
+	buffer_clear(&auth->identities);
+	if (ssh_request_reply(auth, &request, &auth->identities) == 0) {
+		buffer_free(&request);
+		return 0;
+	}
+	buffer_free(&request);
+
+	/* Get message type, and verify that we got a proper answer. */
+	type = buffer_get_char(&auth->identities);
+	if (agent_failed(type)) {
+		return 0;
+	} else if (type != code2) {
+		fatal("Bad authentication reply message type: %d", type);
+	}
+
+	/* Get the number of entries in the response and check it for sanity. */
+	auth->howmany = buffer_get_int(&auth->identities);
+	if (auth->howmany > 1024)
+		fatal("Too many identities in authentication reply: %d",
+		    auth->howmany);
+
+	return auth->howmany;
+}
+
+Key *
+ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int version)
+{
+	/* get number of identities and return the first entry (if any). */
+	if (ssh_get_num_identities(auth, version) > 0)
+		return ssh_get_next_identity(auth, comment, version);
+	return NULL;
+}
+
+Key *
+ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version)
+{
+	u_int bits;
+	u_char *blob;
+	u_int blen;
+	Key *key = NULL;
+
+	/* Return failure if no more entries. */
+	if (auth->howmany <= 0)
+		return NULL;
+
+	/*
+	 * Get the next entry from the packet.  These will abort with a fatal
+	 * error if the packet is too short or contains corrupt data.
+	 */
+	switch(version){
+	case 1:
+		key = key_new(KEY_RSA1);
+		bits = buffer_get_int(&auth->identities);
+		buffer_get_bignum(&auth->identities, key->rsa->e);
+		buffer_get_bignum(&auth->identities, key->rsa->n);
+		*comment = buffer_get_string(&auth->identities, NULL);
+		if (bits != BN_num_bits(key->rsa->n))
+			log("Warning: identity keysize mismatch: actual %d, announced %u",
+			    BN_num_bits(key->rsa->n), bits);
+		break;
+	case 2:
+		blob = buffer_get_string(&auth->identities, &blen);
+		*comment = buffer_get_string(&auth->identities, NULL);
+		key = key_from_blob(blob, blen);
+		xfree(blob);
+		break;
+	default:
+		return NULL;
+		break;
+	}
+	/* Decrement the number of remaining entries. */
+	auth->howmany--;
+	return key;
+}
+
+/*
+ * Generates a random challenge, sends it to the agent, and waits for
+ * response from the agent.  Returns true (non-zero) if the agent gave the
+ * correct answer, zero otherwise.  Response type selects the style of
+ * response desired, with 0 corresponding to protocol version 1.0 (no longer
+ * supported) and 1 corresponding to protocol version 1.1.
+ */
+
+int
+ssh_decrypt_challenge(AuthenticationConnection *auth,
+    Key* key, BIGNUM *challenge,
+    u_char session_id[16],
+    u_int response_type,
+    u_char response[16])
+{
+	Buffer buffer;
+	int success = 0;
+	int i;
+	int type;
+
+	if (key->type != KEY_RSA1)
+		return 0;
+	if (response_type == 0) {
+		log("Compatibility with ssh protocol version 1.0 no longer supported.");
+		return 0;
+	}
+	buffer_init(&buffer);
+	buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE);
+	buffer_put_int(&buffer, BN_num_bits(key->rsa->n));
+	buffer_put_bignum(&buffer, key->rsa->e);
+	buffer_put_bignum(&buffer, key->rsa->n);
+	buffer_put_bignum(&buffer, challenge);
+	buffer_append(&buffer, (char *) session_id, 16);
+	buffer_put_int(&buffer, response_type);
+
+	if (ssh_request_reply(auth, &buffer, &buffer) == 0) {
+		buffer_free(&buffer);
+		return 0;
+	}
+	type = buffer_get_char(&buffer);
+
+	if (agent_failed(type)) {
+		log("Agent admitted failure to authenticate using the key.");
+	} else if (type != SSH_AGENT_RSA_RESPONSE) {
+		fatal("Bad authentication response: %d", type);
+	} else {
+		success = 1;
+		/*
+		 * Get the response from the packet.  This will abort with a
+		 * fatal error if the packet is corrupt.
+		 */
+		for (i = 0; i < 16; i++)
+			response[i] = buffer_get_char(&buffer);
+	}
+	buffer_free(&buffer);
+	return success;
+}
+
+/* ask agent to sign data, returns -1 on error, 0 on success */
+int
+ssh_agent_sign(AuthenticationConnection *auth,
+    Key *key,
+    u_char **sigp, int *lenp,
+    u_char *data, int datalen)
+{
+	extern int datafellows;
+	Buffer msg;
+	u_char *blob;
+	u_int blen;
+	int type, flags = 0;
+	int ret = -1;
+
+	if (key_to_blob(key, &blob, &blen) == 0)
+		return -1;
+
+	if (datafellows & SSH_BUG_SIGBLOB)
+		flags = SSH_AGENT_OLD_SIGNATURE;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST);
+	buffer_put_string(&msg, blob, blen);
+	buffer_put_string(&msg, data, datalen);
+	buffer_put_int(&msg, flags);
+	xfree(blob);
+
+	if (ssh_request_reply(auth, &msg, &msg) == 0) {
+		buffer_free(&msg);
+		return -1;
+	}
+	type = buffer_get_char(&msg);
+	if (agent_failed(type)) {
+		log("Agent admitted failure to sign using the key.");
+	} else if (type != SSH2_AGENT_SIGN_RESPONSE) {
+		fatal("Bad authentication response: %d", type);
+	} else {
+		ret = 0;
+		*sigp = buffer_get_string(&msg, lenp);
+	}
+	buffer_free(&msg);
+	return ret;
+}
+
+/* Encode key for a message to the agent. */
+
+void
+ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
+{
+	buffer_clear(b);
+	buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY);
+	buffer_put_int(b, BN_num_bits(key->n));
+	buffer_put_bignum(b, key->n);
+	buffer_put_bignum(b, key->e);
+	buffer_put_bignum(b, key->d);
+	/* To keep within the protocol: p < q for ssh. in SSL p > q */
+	buffer_put_bignum(b, key->iqmp);	/* ssh key->u */
+	buffer_put_bignum(b, key->q);	/* ssh key->p, SSL key->q */
+	buffer_put_bignum(b, key->p);	/* ssh key->q, SSL key->p */
+	buffer_put_string(b, comment, strlen(comment));
+}
+
+void
+ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
+{
+	buffer_clear(b);
+	buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY);
+	buffer_put_cstring(b, key_ssh_name(key));
+	switch(key->type){
+	case KEY_RSA:
+		buffer_put_bignum2(b, key->rsa->n);
+		buffer_put_bignum2(b, key->rsa->e);
+		buffer_put_bignum2(b, key->rsa->d);
+		buffer_put_bignum2(b, key->rsa->iqmp);
+		buffer_put_bignum2(b, key->rsa->p);
+		buffer_put_bignum2(b, key->rsa->q);
+		break;
+	case KEY_DSA:
+		buffer_put_bignum2(b, key->dsa->p);
+		buffer_put_bignum2(b, key->dsa->q);
+		buffer_put_bignum2(b, key->dsa->g);
+		buffer_put_bignum2(b, key->dsa->pub_key);
+		buffer_put_bignum2(b, key->dsa->priv_key);
+		break;
+	}
+	buffer_put_cstring(b, comment);
+}
+
+/*
+ * Adds an identity to the authentication server.  This call is not meant to
+ * be used by normal applications.
+ */
+
+int
+ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
+{
+	Buffer msg;
+	int type;
+
+	buffer_init(&msg);
+
+	switch (key->type) {
+	case KEY_RSA1:
+		ssh_encode_identity_rsa1(&msg, key->rsa, comment);
+		break;
+	case KEY_RSA:
+	case KEY_DSA:
+		ssh_encode_identity_ssh2(&msg, key, comment);
+		break;
+	default:
+		buffer_free(&msg);
+		return 0;
+		break;
+	}
+	if (ssh_request_reply(auth, &msg, &msg) == 0) {
+		buffer_free(&msg);
+		return 0;
+	}
+	type = buffer_get_char(&msg);
+	buffer_free(&msg);
+	return decode_reply(type);
+}
+
+/*
+ * Removes an identity from the authentication server.  This call is not
+ * meant to be used by normal applications.
+ */
+
+int
+ssh_remove_identity(AuthenticationConnection *auth, Key *key)
+{
+	Buffer msg;
+	int type;
+	u_char *blob;
+	u_int blen;
+
+	buffer_init(&msg);
+
+	if (key->type == KEY_RSA1) {
+		buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
+		buffer_put_int(&msg, BN_num_bits(key->rsa->n));
+		buffer_put_bignum(&msg, key->rsa->e);
+		buffer_put_bignum(&msg, key->rsa->n);
+	} else if (key->type == KEY_DSA || key->type == KEY_RSA) {
+		key_to_blob(key, &blob, &blen);
+		buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
+		buffer_put_string(&msg, blob, blen);
+		xfree(blob);
+	} else {
+		buffer_free(&msg);
+		return 0;
+	}
+	if (ssh_request_reply(auth, &msg, &msg) == 0) {
+		buffer_free(&msg);
+		return 0;
+	}
+	type = buffer_get_char(&msg);
+	buffer_free(&msg);
+	return decode_reply(type);
+}
+
+/*
+ * Removes all identities from the agent.  This call is not meant to be used
+ * by normal applications.
+ */
+
+int
+ssh_remove_all_identities(AuthenticationConnection *auth, int version)
+{
+	Buffer msg;
+	int type;
+	int code = (version==1) ?
+		SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES :
+		SSH2_AGENTC_REMOVE_ALL_IDENTITIES;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, code);
+
+	if (ssh_request_reply(auth, &msg, &msg) == 0) {
+		buffer_free(&msg);
+		return 0;
+	}
+	type = buffer_get_char(&msg);
+	buffer_free(&msg);
+	return decode_reply(type);
+}
+
+int
+decode_reply(int type)
+{
+	switch (type) {
+	case SSH_AGENT_FAILURE:
+	case SSH_COM_AGENT2_FAILURE:
+		log("SSH_AGENT_FAILURE");
+		return 0;
+	case SSH_AGENT_SUCCESS:
+		return 1;
+	default:
+		fatal("Bad response from authentication agent: %d", type);
+	}
+	/* NOTREACHED */
+	return 0;
+}
diff --git a/crypto/openssh/authfd.h b/crypto/openssh/authfd.h
new file mode 100644
index 0000000..29d1847
--- /dev/null
+++ b/crypto/openssh/authfd.h
@@ -0,0 +1,138 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Functions to interface with the SSH_AUTHENTICATION_FD socket.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: authfd.h,v 1.16 2000/12/20 19:37:21 markus Exp $"); */
+
+#ifndef AUTHFD_H
+#define AUTHFD_H
+
+#include "buffer.h"
+
+/* Messages for the authentication agent connection. */
+#define SSH_AGENTC_REQUEST_RSA_IDENTITIES	1
+#define SSH_AGENT_RSA_IDENTITIES_ANSWER		2
+#define SSH_AGENTC_RSA_CHALLENGE		3
+#define SSH_AGENT_RSA_RESPONSE			4
+#define SSH_AGENT_FAILURE			5
+#define SSH_AGENT_SUCCESS			6
+#define SSH_AGENTC_ADD_RSA_IDENTITY		7
+#define SSH_AGENTC_REMOVE_RSA_IDENTITY		8
+#define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES	9
+
+/* private OpenSSH extensions for SSH2 */
+#define SSH2_AGENTC_REQUEST_IDENTITIES		11
+#define SSH2_AGENT_IDENTITIES_ANSWER		12
+#define SSH2_AGENTC_SIGN_REQUEST		13
+#define SSH2_AGENT_SIGN_RESPONSE		14
+#define SSH2_AGENTC_ADD_IDENTITY		17
+#define SSH2_AGENTC_REMOVE_IDENTITY		18
+#define SSH2_AGENTC_REMOVE_ALL_IDENTITIES	19
+
+/* additional error code for ssh.com's ssh-agent2 */
+#define SSH_COM_AGENT2_FAILURE                   102
+
+#define	SSH_AGENT_OLD_SIGNATURE			0x01
+
+
+typedef struct {
+	int     fd;
+	Buffer  identities;
+	int     howmany;
+}       AuthenticationConnection;
+
+/* Returns the number of the authentication fd, or -1 if there is none. */
+int     ssh_get_authentication_socket(void);
+
+/*
+ * This should be called for any descriptor returned by
+ * ssh_get_authentication_socket().  Depending on the way the descriptor was
+ * obtained, this may close the descriptor.
+ */
+void    ssh_close_authentication_socket(int authfd);
+
+/*
+ * Opens and connects a private socket for communication with the
+ * authentication agent.  Returns NULL if an error occurred and the
+ * connection could not be opened.  The connection should be closed by the
+ * caller by calling ssh_close_authentication_connection().
+ */
+AuthenticationConnection *ssh_get_authentication_connection(void);
+
+/*
+ * Closes the connection to the authentication agent and frees any associated
+ * memory.
+ */
+void    ssh_close_authentication_connection(AuthenticationConnection *auth);
+
+/*
+ * Returns the number authentication identity held by the agent.
+ */
+int	ssh_get_num_identities(AuthenticationConnection *auth, int version);
+
+/*
+ * Returns the first authentication identity held by the agent or NULL if
+ * no identies are available. Caller must free comment and key.
+ * Note that you cannot mix calls with different versions.
+ */
+Key	*ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int version);
+
+/*
+ * Returns the next authentication identity for the agent.  Other functions
+ * can be called between this and ssh_get_first_identity or two calls of this
+ * function.  This returns NULL if there are no more identities.  The caller
+ * must free key and comment after a successful return.
+ */
+Key	*ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version);
+
+/*
+ * Requests the agent to decrypt the given challenge.  Returns true if the
+ * agent claims it was able to decrypt it.
+ */
+int
+ssh_decrypt_challenge(AuthenticationConnection *auth,
+    Key *key, BIGNUM * challenge,
+    u_char session_id[16],
+    u_int response_type,
+    u_char response[16]);
+
+/* Requests the agent to sign data using key */
+int
+ssh_agent_sign(AuthenticationConnection *auth,
+    Key *key,
+    u_char **sigp, int *lenp,
+    u_char *data, int datalen);
+
+/*
+ * Adds an identity to the authentication server.  This call is not meant to
+ * be used by normal applications.  This returns true if the identity was
+ * successfully added.
+ */
+int
+ssh_add_identity(AuthenticationConnection *auth, Key *key,
+    const char *comment);
+
+/*
+ * Removes the identity from the authentication server.  This call is not
+ * meant to be used by normal applications.  This returns true if the
+ * identity was successfully added.
+ */
+int     ssh_remove_identity(AuthenticationConnection *auth, Key *key);
+
+/*
+ * Removes all identities from the authentication agent.  This call is not
+ * meant to be used by normal applications.  This returns true if the
+ * operation was successful.
+ */
+int     ssh_remove_all_identities(AuthenticationConnection *auth, int version);
+
+#endif				/* AUTHFD_H */
diff --git a/crypto/openssh/authfile.c b/crypto/openssh/authfile.c
new file mode 100644
index 0000000..298b1ed
--- /dev/null
+++ b/crypto/openssh/authfile.c
@@ -0,0 +1,622 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * This file contains functions for reading and writing identity files, and
+ * for reading the passphrase from the user.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: authfile.c,v 1.32 2001/04/18 23:44:51 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
+#include "cipher.h"
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "key.h"
+#include "ssh.h"
+#include "log.h"
+#include "authfile.h"
+
+/* Version identification string for SSH v1 identity files. */
+static const char authfile_id_string[] =
+    "SSH PRIVATE KEY FILE FORMAT 1.1\n";
+
+/*
+ * Saves the authentication (private) key in a file, encrypting it with
+ * passphrase.  The identification of the file (lowest 64 bits of n) will
+ * precede the key to provide identification of the key without needing a
+ * passphrase.
+ */
+
+int
+key_save_private_rsa1(Key *key, const char *filename, const char *passphrase,
+    const char *comment)
+{
+	Buffer buffer, encrypted;
+	char buf[100], *cp;
+	int fd, i;
+	CipherContext ciphercontext;
+	Cipher *cipher;
+	u_int32_t rand;
+
+	/*
+	 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting
+	 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER.
+	 */
+	if (strcmp(passphrase, "") == 0)
+		cipher = cipher_by_number(SSH_CIPHER_NONE);
+	else
+		cipher = cipher_by_number(SSH_AUTHFILE_CIPHER);
+	if (cipher == NULL)
+		fatal("save_private_key_rsa: bad cipher");
+
+	/* This buffer is used to built the secret part of the private key. */
+	buffer_init(&buffer);
+
+	/* Put checkbytes for checking passphrase validity. */
+	rand = arc4random();
+	buf[0] = rand & 0xff;
+	buf[1] = (rand >> 8) & 0xff;
+	buf[2] = buf[0];
+	buf[3] = buf[1];
+	buffer_append(&buffer, buf, 4);
+
+	/*
+	 * Store the private key (n and e will not be stored because they
+	 * will be stored in plain text, and storing them also in encrypted
+	 * format would just give known plaintext).
+	 */
+	buffer_put_bignum(&buffer, key->rsa->d);
+	buffer_put_bignum(&buffer, key->rsa->iqmp);
+	buffer_put_bignum(&buffer, key->rsa->q);	/* reverse from SSL p */
+	buffer_put_bignum(&buffer, key->rsa->p);	/* reverse from SSL q */
+
+	/* Pad the part to be encrypted until its size is a multiple of 8. */
+	while (buffer_len(&buffer) % 8 != 0)
+		buffer_put_char(&buffer, 0);
+
+	/* This buffer will be used to contain the data in the file. */
+	buffer_init(&encrypted);
+
+	/* First store keyfile id string. */
+	for (i = 0; authfile_id_string[i]; i++)
+		buffer_put_char(&encrypted, authfile_id_string[i]);
+	buffer_put_char(&encrypted, 0);
+
+	/* Store cipher type. */
+	buffer_put_char(&encrypted, cipher->number);
+	buffer_put_int(&encrypted, 0);	/* For future extension */
+
+	/* Store public key.  This will be in plain text. */
+	buffer_put_int(&encrypted, BN_num_bits(key->rsa->n));
+	buffer_put_bignum(&encrypted, key->rsa->n);
+	buffer_put_bignum(&encrypted, key->rsa->e);
+	buffer_put_string(&encrypted, comment, strlen(comment));
+
+	/* Allocate space for the private part of the key in the buffer. */
+	buffer_append_space(&encrypted, &cp, buffer_len(&buffer));
+
+	cipher_set_key_string(&ciphercontext, cipher, passphrase);
+	cipher_encrypt(&ciphercontext, (u_char *) cp,
+	    (u_char *) buffer_ptr(&buffer), buffer_len(&buffer));
+	memset(&ciphercontext, 0, sizeof(ciphercontext));
+
+	/* Destroy temporary data. */
+	memset(buf, 0, sizeof(buf));
+	buffer_free(&buffer);
+
+	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	if (fd < 0) {
+		error("open %s failed: %s.", filename, strerror(errno));
+		return 0;
+	}
+	if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) !=
+	    buffer_len(&encrypted)) {
+		error("write to key file %s failed: %s", filename,
+		      strerror(errno));
+		buffer_free(&encrypted);
+		close(fd);
+		unlink(filename);
+		return 0;
+	}
+	close(fd);
+	buffer_free(&encrypted);
+	return 1;
+}
+
+/* save SSH v2 key in OpenSSL PEM format */
+int
+key_save_private_pem(Key *key, const char *filename, const char *_passphrase,
+    const char *comment)
+{
+	FILE *fp;
+	int fd;
+	int success = 0;
+	int len = strlen(_passphrase);
+	char *passphrase = (len > 0) ? (char *)_passphrase : NULL;
+	EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;
+
+	if (len > 0 && len <= 4) {
+		error("passphrase too short: have %d bytes, need > 4", len);
+		return 0;
+	}
+	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+	if (fd < 0) {
+		error("open %s failed: %s.", filename, strerror(errno));
+		return 0;
+	}
+	fp = fdopen(fd, "w");
+	if (fp == NULL ) {
+		error("fdopen %s failed: %s.", filename, strerror(errno));
+		close(fd);
+		return 0;
+	}
+	switch (key->type) {
+	case KEY_DSA:
+		success = PEM_write_DSAPrivateKey(fp, key->dsa,
+		    cipher, passphrase, len, NULL, NULL);
+		break;
+	case KEY_RSA:
+		success = PEM_write_RSAPrivateKey(fp, key->rsa,
+		    cipher, passphrase, len, NULL, NULL);
+		break;
+	}
+	fclose(fp);
+	return success;
+}
+
+int
+key_save_private(Key *key, const char *filename, const char *passphrase,
+    const char *comment)
+{
+	switch (key->type) {
+	case KEY_RSA1:
+		return key_save_private_rsa1(key, filename, passphrase,
+		    comment);
+		break;
+	case KEY_DSA:
+	case KEY_RSA:
+		return key_save_private_pem(key, filename, passphrase,
+		    comment);
+		break;
+	default:
+		break;
+	}
+	error("key_save_private: cannot save key type %d", key->type);
+	return 0;
+}
+
+/*
+ * Loads the public part of the ssh v1 key file.  Returns NULL if an error was
+ * encountered (the file does not exist or is not readable), and the key
+ * otherwise.
+ */
+
+Key *
+key_load_public_rsa1(int fd, const char *filename, char **commentp)
+{
+	Buffer buffer;
+	Key *pub;
+	char *cp;
+	int i;
+	off_t len;
+
+	len = lseek(fd, (off_t) 0, SEEK_END);
+	lseek(fd, (off_t) 0, SEEK_SET);
+
+	buffer_init(&buffer);
+	buffer_append_space(&buffer, &cp, len);
+
+	if (read(fd, cp, (size_t) len) != (size_t) len) {
+		debug("Read from key file %.200s failed: %.100s", filename,
+		    strerror(errno));
+		buffer_free(&buffer);
+		return NULL;
+	}
+
+	/* Check that it is at least big enough to contain the ID string. */
+	if (len < sizeof(authfile_id_string)) {
+		debug3("No RSA1 key file %.200s.", filename);
+		buffer_free(&buffer);
+		return NULL;
+	}
+	/*
+	 * Make sure it begins with the id string.  Consume the id string
+	 * from the buffer.
+	 */
+	for (i = 0; i < sizeof(authfile_id_string); i++)
+		if (buffer_get_char(&buffer) != authfile_id_string[i]) {
+			debug3("No RSA1 key file %.200s.", filename);
+			buffer_free(&buffer);
+			return NULL;
+		}
+	/* Skip cipher type and reserved data. */
+	(void) buffer_get_char(&buffer);	/* cipher type */
+	(void) buffer_get_int(&buffer);		/* reserved */
+
+	/* Read the public key from the buffer. */
+	buffer_get_int(&buffer);
+	pub = key_new(KEY_RSA1);
+	buffer_get_bignum(&buffer, pub->rsa->n);
+	buffer_get_bignum(&buffer, pub->rsa->e);
+	if (commentp)
+		*commentp = buffer_get_string(&buffer, NULL);
+	/* The encrypted private part is not parsed by this function. */
+
+	buffer_free(&buffer);
+	return pub;
+}
+
+/* load public key from private-key file, works only for SSH v1 */
+Key *
+key_load_public_type(int type, const char *filename, char **commentp)
+{
+	Key *pub;
+	int fd;
+
+	if (type == KEY_RSA1) {
+		fd = open(filename, O_RDONLY);
+		if (fd < 0)
+			return NULL;
+		pub = key_load_public_rsa1(fd, filename, commentp);
+		close(fd);
+		return pub;
+	}
+	return NULL;
+}
+
+/*
+ * Loads the private key from the file.  Returns 0 if an error is encountered
+ * (file does not exist or is not readable, or passphrase is bad). This
+ * initializes the private key.
+ * Assumes we are called under uid of the owner of the file.
+ */
+
+Key *
+key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
+    char **commentp)
+{
+	int i, check1, check2, cipher_type;
+	off_t len;
+	Buffer buffer, decrypted;
+	char *cp;
+	CipherContext ciphercontext;
+	Cipher *cipher;
+	BN_CTX *ctx;
+	BIGNUM *aux;
+	Key *prv = NULL;
+
+	len = lseek(fd, (off_t) 0, SEEK_END);
+	lseek(fd, (off_t) 0, SEEK_SET);
+
+	buffer_init(&buffer);
+	buffer_append_space(&buffer, &cp, len);
+
+	if (read(fd, cp, (size_t) len) != (size_t) len) {
+		debug("Read from key file %.200s failed: %.100s", filename,
+		    strerror(errno));
+		buffer_free(&buffer);
+		close(fd);
+		return NULL;
+	}
+
+	/* Check that it is at least big enough to contain the ID string. */
+	if (len < sizeof(authfile_id_string)) {
+		debug3("No RSA1 key file %.200s.", filename);
+		buffer_free(&buffer);
+		close(fd);
+		return NULL;
+	}
+	/*
+	 * Make sure it begins with the id string.  Consume the id string
+	 * from the buffer.
+	 */
+	for (i = 0; i < sizeof(authfile_id_string); i++)
+		if (buffer_get_char(&buffer) != authfile_id_string[i]) {
+			debug3("No RSA1 key file %.200s.", filename);
+			buffer_free(&buffer);
+			close(fd);
+			return NULL;
+		}
+
+	/* Read cipher type. */
+	cipher_type = buffer_get_char(&buffer);
+	(void) buffer_get_int(&buffer);	/* Reserved data. */
+
+	/* Read the public key from the buffer. */
+	buffer_get_int(&buffer);
+	prv = key_new_private(KEY_RSA1);
+
+	buffer_get_bignum(&buffer, prv->rsa->n);
+	buffer_get_bignum(&buffer, prv->rsa->e);
+	if (commentp)
+		*commentp = buffer_get_string(&buffer, NULL);
+	else
+		xfree(buffer_get_string(&buffer, NULL));
+
+	/* Check that it is a supported cipher. */
+	cipher = cipher_by_number(cipher_type);
+	if (cipher == NULL) {
+		debug("Unsupported cipher %d used in key file %.200s.",
+		    cipher_type, filename);
+		buffer_free(&buffer);
+		goto fail;
+	}
+	/* Initialize space for decrypted data. */
+	buffer_init(&decrypted);
+	buffer_append_space(&decrypted, &cp, buffer_len(&buffer));
+
+	/* Rest of the buffer is encrypted.  Decrypt it using the passphrase. */
+	cipher_set_key_string(&ciphercontext, cipher, passphrase);
+	cipher_decrypt(&ciphercontext, (u_char *) cp,
+	    (u_char *) buffer_ptr(&buffer), buffer_len(&buffer));
+	memset(&ciphercontext, 0, sizeof(ciphercontext));
+	buffer_free(&buffer);
+
+	check1 = buffer_get_char(&decrypted);
+	check2 = buffer_get_char(&decrypted);
+	if (check1 != buffer_get_char(&decrypted) ||
+	    check2 != buffer_get_char(&decrypted)) {
+		if (strcmp(passphrase, "") != 0)
+			debug("Bad passphrase supplied for key file %.200s.",
+			    filename);
+		/* Bad passphrase. */
+		buffer_free(&decrypted);
+		goto fail;
+	}
+	/* Read the rest of the private key. */
+	buffer_get_bignum(&decrypted, prv->rsa->d);
+	buffer_get_bignum(&decrypted, prv->rsa->iqmp);		/* u */
+	/* in SSL and SSH v1 p and q are exchanged */
+	buffer_get_bignum(&decrypted, prv->rsa->q);		/* p */
+	buffer_get_bignum(&decrypted, prv->rsa->p);		/* q */
+
+	/* calculate p-1 and q-1 */
+	ctx = BN_CTX_new();
+	aux = BN_new();
+
+	BN_sub(aux, prv->rsa->q, BN_value_one());
+	BN_mod(prv->rsa->dmq1, prv->rsa->d, aux, ctx);
+
+	BN_sub(aux, prv->rsa->p, BN_value_one());
+	BN_mod(prv->rsa->dmp1, prv->rsa->d, aux, ctx);
+
+	BN_clear_free(aux);
+	BN_CTX_free(ctx);
+
+	buffer_free(&decrypted);
+	close(fd);
+	return prv;
+
+fail:
+	if (commentp)
+		xfree(*commentp);
+	close(fd);
+	key_free(prv);
+	return NULL;
+}
+
+Key *
+key_load_private_pem(int fd, int type, const char *passphrase,
+    char **commentp)
+{
+	FILE *fp;
+	EVP_PKEY *pk = NULL;
+	Key *prv = NULL;
+	char *name = "<no key>";
+
+	fp = fdopen(fd, "r");
+	if (fp == NULL) {
+		error("fdopen failed: %s", strerror(errno));
+		close(fd);
+		return NULL;
+	}
+	pk = PEM_read_PrivateKey(fp, NULL, NULL, (char *)passphrase);
+	if (pk == NULL) {
+		debug("PEM_read_PrivateKey failed");
+		(void)ERR_get_error();
+	} else if (pk->type == EVP_PKEY_RSA &&
+	     (type == KEY_UNSPEC||type==KEY_RSA)) {
+		prv = key_new(KEY_UNSPEC);
+		prv->rsa = EVP_PKEY_get1_RSA(pk);
+		prv->type = KEY_RSA;
+		name = "rsa w/o comment";
+#ifdef DEBUG_PK
+		RSA_print_fp(stderr, prv->rsa, 8);
+#endif
+	} else if (pk->type == EVP_PKEY_DSA &&
+	     (type == KEY_UNSPEC||type==KEY_DSA)) {
+		prv = key_new(KEY_UNSPEC);
+		prv->dsa = EVP_PKEY_get1_DSA(pk);
+		prv->type = KEY_DSA;
+		name = "dsa w/o comment";
+#ifdef DEBUG_PK
+		DSA_print_fp(stderr, prv->dsa, 8);
+#endif
+	} else {
+		error("PEM_read_PrivateKey: mismatch or "
+		    "unknown EVP_PKEY save_type %d", pk->save_type);
+	}
+	fclose(fp);
+	if (pk != NULL)
+		EVP_PKEY_free(pk);
+	if (prv != NULL && commentp)
+		*commentp = xstrdup(name);
+	debug("read PEM private key done: type %s",
+	    prv ? key_type(prv) : "<unknown>");
+	return prv;
+}
+
+int
+key_perm_ok(int fd, const char *filename)
+{
+	struct stat st;
+
+	/* check owner and modes */
+	if (fstat(fd, &st) < 0 ||
+	    (st.st_uid != 0 && getuid() != 0 && st.st_uid != getuid()) ||
+	    (st.st_mode & 077) != 0) {
+		close(fd);
+		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+		error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
+		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+		error("Bad ownership or mode(0%3.3o) for '%s'.",
+		    st.st_mode & 0777, filename);
+		error("It is recommended that your private key files are NOT accessible by others.");
+		error("This private key will be ignored.");
+		return 0;
+	}
+	return 1;
+}
+
+Key *
+key_load_private_type(int type, const char *filename, const char *passphrase,
+    char **commentp)
+{
+	int fd;
+
+	fd = open(filename, O_RDONLY);
+	if (fd < 0)
+		return NULL;
+	if (!key_perm_ok(fd, filename)) {
+		error("bad permissions: ignore key: %s", filename);
+		close(fd);
+		return NULL;
+	}
+	switch (type) {
+	case KEY_RSA1:
+		return key_load_private_rsa1(fd, filename, passphrase,
+		    commentp);
+		/* closes fd */
+		break;
+	case KEY_DSA:
+	case KEY_RSA:
+	case KEY_UNSPEC:
+		return key_load_private_pem(fd, type, passphrase, commentp);
+		/* closes fd */
+		break;
+	default:
+		close(fd);
+		break;
+	}
+	return NULL;
+}
+
+Key *
+key_load_private(const char *filename, const char *passphrase,
+    char **commentp)
+{
+	Key *pub;
+	int fd;
+
+	fd = open(filename, O_RDONLY);
+	if (fd < 0)
+		return NULL;
+	if (!key_perm_ok(fd, filename)) {
+		error("bad permissions: ignore key: %s", filename);
+		close(fd);
+		return NULL;
+	}
+	pub = key_load_public_rsa1(fd, filename, commentp);
+	lseek(fd, (off_t) 0, SEEK_SET);		/* rewind */
+	if (pub == NULL) {
+		/* closes fd */
+		return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL);
+	} else {
+		/* it's a SSH v1 key if the public key part is readable */
+		key_free(pub);
+		/* closes fd */
+		return key_load_private_rsa1(fd, filename, passphrase, NULL);
+	}
+}
+
+int
+key_try_load_public(Key *k, const char *filename, char **commentp)
+{
+	FILE *f;
+	char line[4096];
+	char *cp;
+
+	f = fopen(filename, "r");
+	if (f != NULL) {
+		while (fgets(line, sizeof(line), f)) {
+			line[sizeof(line)-1] = '\0';
+			cp = line;
+			switch(*cp){
+			case '#':
+			case '\n':
+			case '\0':
+				continue;
+			}
+			/* Skip leading whitespace. */
+			for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
+				;
+			if (*cp) {
+				if (key_read(k, &cp) == 1) {
+					if (commentp)
+						*commentp=xstrdup(filename);
+					fclose(f);
+					return 1;
+				}
+			}
+		}
+		fclose(f);
+	}
+	return 0;
+}
+
+/* load public key from ssh v1 private or any pubkey file */
+Key *
+key_load_public(const char *filename, char **commentp)
+{
+	Key *pub;
+	char file[MAXPATHLEN];
+
+	pub = key_load_public_type(KEY_RSA1, filename, commentp);
+	if (pub != NULL)
+		return pub;
+	pub = key_new(KEY_UNSPEC);
+	if (key_try_load_public(pub, filename, commentp) == 1)
+		return pub;
+	if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
+	    (strlcat(file, ".pub", sizeof file) < sizeof(file)) &&
+	    (key_try_load_public(pub, file, commentp) == 1))
+		return pub;
+	key_free(pub);
+	return NULL;
+}
diff --git a/crypto/openssh/authfile.h b/crypto/openssh/authfile.h
new file mode 100644
index 0000000..da90cd9
--- /dev/null
+++ b/crypto/openssh/authfile.h
@@ -0,0 +1,36 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* $OpenBSD: authfile.h,v 1.6 2001/03/26 08:07:08 markus Exp $ */
+
+#ifndef AUTHFILE_H
+#define AUTHFILE_H
+
+int
+key_save_private(Key *key, const char *filename, const char *passphrase,
+    const char *comment);
+
+Key *
+key_load_public(const char *filename, char **commentp);
+
+Key *
+key_load_public_type(int type, const char *filename, char **commentp);
+
+Key *
+key_load_private(const char *filename, const char *passphrase,
+    char **commentp);
+
+Key *
+key_load_private_type(int type, const char *filename, const char *passphrase,
+    char **commentp);
+
+#endif
diff --git a/crypto/openssh/bufaux.c b/crypto/openssh/bufaux.c
new file mode 100644
index 0000000..cf8a170
--- /dev/null
+++ b/crypto/openssh/bufaux.c
@@ -0,0 +1,246 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Auxiliary functions for storing and retrieving various data types to/from
+ * Buffers.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
+ * SSH2 packet format added by Markus Friedl
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: bufaux.c,v 1.17 2001/01/21 19:05:45 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/bn.h>
+#include "bufaux.h"
+#include "xmalloc.h"
+#include "getput.h"
+#include "log.h"
+
+/*
+ * Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
+ * by (bits+7)/8 bytes of binary data, msb first.
+ */
+void
+buffer_put_bignum(Buffer *buffer, BIGNUM *value)
+{
+	int bits = BN_num_bits(value);
+	int bin_size = (bits + 7) / 8;
+	u_char *buf = xmalloc(bin_size);
+	int oi;
+	char msg[2];
+
+	/* Get the value of in binary */
+	oi = BN_bn2bin(value, buf);
+	if (oi != bin_size)
+		fatal("buffer_put_bignum: BN_bn2bin() failed: oi %d != bin_size %d",
+		      oi, bin_size);
+
+	/* Store the number of bits in the buffer in two bytes, msb first. */
+	PUT_16BIT(msg, bits);
+	buffer_append(buffer, msg, 2);
+	/* Store the binary data. */
+	buffer_append(buffer, (char *)buf, oi);
+
+	memset(buf, 0, bin_size);
+	xfree(buf);
+}
+
+/*
+ * Retrieves an BIGNUM from the buffer.
+ */
+int
+buffer_get_bignum(Buffer *buffer, BIGNUM *value)
+{
+	int bits, bytes;
+	u_char buf[2], *bin;
+
+	/* Get the number for bits. */
+	buffer_get(buffer, (char *) buf, 2);
+	bits = GET_16BIT(buf);
+	/* Compute the number of binary bytes that follow. */
+	bytes = (bits + 7) / 8;
+	if (buffer_len(buffer) < bytes)
+		fatal("buffer_get_bignum: input buffer too small");
+	bin = (u_char *) buffer_ptr(buffer);
+	BN_bin2bn(bin, bytes, value);
+	buffer_consume(buffer, bytes);
+
+	return 2 + bytes;
+}
+
+/*
+ * Stores an BIGNUM in the buffer in SSH2 format.
+ */
+void
+buffer_put_bignum2(Buffer *buffer, BIGNUM *value)
+{
+	int bytes = BN_num_bytes(value) + 1;
+	u_char *buf = xmalloc(bytes);
+	int oi;
+	int hasnohigh = 0;
+	buf[0] = '\0';
+	/* Get the value of in binary */
+	oi = BN_bn2bin(value, buf+1);
+	if (oi != bytes-1)
+		fatal("buffer_put_bignum: BN_bn2bin() failed: oi %d != bin_size %d",
+		      oi, bytes);
+	hasnohigh = (buf[1] & 0x80) ? 0 : 1;
+	if (value->neg) {
+		/**XXX should be two's-complement */
+		int i, carry;
+		u_char *uc = buf;
+		log("negativ!");
+		for(i = bytes-1, carry = 1; i>=0; i--) {
+			uc[i] ^= 0xff;
+			if(carry)
+				carry = !++uc[i];
+		}
+	}
+	buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
+	memset(buf, 0, bytes);
+	xfree(buf);
+}
+
+int
+buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
+{
+	/**XXX should be two's-complement */
+	int len;
+	u_char *bin = (u_char *)buffer_get_string(buffer, (u_int *)&len);
+	BN_bin2bn(bin, len, value);
+	xfree(bin);
+	return len;
+}
+
+/*
+ * Returns an integer from the buffer (4 bytes, msb first).
+ */
+u_int
+buffer_get_int(Buffer *buffer)
+{
+	u_char buf[4];
+	buffer_get(buffer, (char *) buf, 4);
+	return GET_32BIT(buf);
+}
+
+u_int64_t
+buffer_get_int64(Buffer *buffer)
+{
+	u_char buf[8];
+	buffer_get(buffer, (char *) buf, 8);
+	return GET_64BIT(buf);
+}
+
+/*
+ * Stores an integer in the buffer in 4 bytes, msb first.
+ */
+void
+buffer_put_int(Buffer *buffer, u_int value)
+{
+	char buf[4];
+	PUT_32BIT(buf, value);
+	buffer_append(buffer, buf, 4);
+}
+
+void
+buffer_put_int64(Buffer *buffer, u_int64_t value)
+{
+	char buf[8];
+	PUT_64BIT(buf, value);
+	buffer_append(buffer, buf, 8);
+}
+
+/*
+ * Returns an arbitrary binary string from the buffer.  The string cannot
+ * be longer than 256k.  The returned value points to memory allocated
+ * with xmalloc; it is the responsibility of the calling function to free
+ * the data.  If length_ptr is non-NULL, the length of the returned data
+ * will be stored there.  A null character will be automatically appended
+ * to the returned string, and is not counted in length.
+ */
+char *
+buffer_get_string(Buffer *buffer, u_int *length_ptr)
+{
+	u_int len;
+	char *value;
+	/* Get the length. */
+	len = buffer_get_int(buffer);
+	if (len > 256 * 1024)
+		fatal("Received packet with bad string length %d", len);
+	/* Allocate space for the string.  Add one byte for a null character. */
+	value = xmalloc(len + 1);
+	/* Get the string. */
+	buffer_get(buffer, value, len);
+	/* Append a null character to make processing easier. */
+	value[len] = 0;
+	/* Optionally return the length of the string. */
+	if (length_ptr)
+		*length_ptr = len;
+	return value;
+}
+
+/*
+ * Stores and arbitrary binary string in the buffer.
+ */
+void
+buffer_put_string(Buffer *buffer, const void *buf, u_int len)
+{
+	buffer_put_int(buffer, len);
+	buffer_append(buffer, buf, len);
+}
+void
+buffer_put_cstring(Buffer *buffer, const char *s)
+{
+	buffer_put_string(buffer, s, strlen(s));
+}
+
+/*
+ * Returns a character from the buffer (0 - 255).
+ */
+int
+buffer_get_char(Buffer *buffer)
+{
+	char ch;
+	buffer_get(buffer, &ch, 1);
+	return (u_char) ch;
+}
+
+/*
+ * Stores a character in the buffer.
+ */
+void
+buffer_put_char(Buffer *buffer, int value)
+{
+	char ch = value;
+	buffer_append(buffer, &ch, 1);
+}
diff --git a/crypto/openssh/bufaux.h b/crypto/openssh/bufaux.h
new file mode 100644
index 0000000..8902ec2
--- /dev/null
+++ b/crypto/openssh/bufaux.h
@@ -0,0 +1,60 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: bufaux.h,v 1.11 2001/01/21 19:05:45 markus Exp $"); */
+
+#ifndef BUFAUX_H
+#define BUFAUX_H
+
+#include "buffer.h"
+#include <openssl/bn.h>
+
+/*
+ * Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
+ * by (bits+7)/8 bytes of binary data, msb first.
+ */
+void    buffer_put_bignum(Buffer * buffer, BIGNUM * value);
+void    buffer_put_bignum2(Buffer * buffer, BIGNUM * value);
+
+/* Retrieves an BIGNUM from the buffer. */
+int     buffer_get_bignum(Buffer * buffer, BIGNUM * value);
+int	buffer_get_bignum2(Buffer *buffer, BIGNUM * value);
+
+/* Returns an integer from the buffer (4 bytes, msb first). */
+u_int buffer_get_int(Buffer * buffer);
+u_int64_t buffer_get_int64(Buffer *buffer);
+
+/* Stores an integer in the buffer in 4 bytes, msb first. */
+void    buffer_put_int(Buffer * buffer, u_int value);
+void	buffer_put_int64(Buffer *buffer, u_int64_t value);
+
+/* Returns a character from the buffer (0 - 255). */
+int     buffer_get_char(Buffer * buffer);
+
+/* Stores a character in the buffer. */
+void    buffer_put_char(Buffer * buffer, int value);
+
+/*
+ * Returns an arbitrary binary string from the buffer.  The string cannot be
+ * longer than 256k.  The returned value points to memory allocated with
+ * xmalloc; it is the responsibility of the calling function to free the
+ * data.  If length_ptr is non-NULL, the length of the returned data will be
+ * stored there.  A null character will be automatically appended to the
+ * returned string, and is not counted in length.
+ */
+char   *buffer_get_string(Buffer * buffer, u_int *length_ptr);
+
+/* Stores and arbitrary binary string in the buffer. */
+void    buffer_put_string(Buffer * buffer, const void *buf, u_int len);
+void	buffer_put_cstring(Buffer *buffer, const char *s);
+
+#endif				/* BUFAUX_H */
diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c
new file mode 100644
index 0000000..044caaf
--- /dev/null
+++ b/crypto/openssh/buffer.c
@@ -0,0 +1,165 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Functions for manipulating fifo buffers (that can grow if needed).
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: buffer.c,v 1.13 2001/04/12 19:15:24 markus Exp $");
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "log.h"
+
+/* Initializes the buffer structure. */
+
+void
+buffer_init(Buffer *buffer)
+{
+	buffer->alloc = 4096;
+	buffer->buf = xmalloc(buffer->alloc);
+	buffer->offset = 0;
+	buffer->end = 0;
+}
+
+/* Frees any memory used for the buffer. */
+
+void
+buffer_free(Buffer *buffer)
+{
+	memset(buffer->buf, 0, buffer->alloc);
+	xfree(buffer->buf);
+}
+
+/*
+ * Clears any data from the buffer, making it empty.  This does not actually
+ * zero the memory.
+ */
+
+void
+buffer_clear(Buffer *buffer)
+{
+	buffer->offset = 0;
+	buffer->end = 0;
+}
+
+/* Appends data to the buffer, expanding it if necessary. */
+
+void
+buffer_append(Buffer *buffer, const char *data, u_int len)
+{
+	char *cp;
+	buffer_append_space(buffer, &cp, len);
+	memcpy(cp, data, len);
+}
+
+/*
+ * Appends space to the buffer, expanding the buffer if necessary. This does
+ * not actually copy the data into the buffer, but instead returns a pointer
+ * to the allocated region.
+ */
+
+void
+buffer_append_space(Buffer *buffer, char **datap, u_int len)
+{
+	/* If the buffer is empty, start using it from the beginning. */
+	if (buffer->offset == buffer->end) {
+		buffer->offset = 0;
+		buffer->end = 0;
+	}
+restart:
+	/* If there is enough space to store all data, store it now. */
+	if (buffer->end + len < buffer->alloc) {
+		*datap = buffer->buf + buffer->end;
+		buffer->end += len;
+		return;
+	}
+	/*
+	 * If the buffer is quite empty, but all data is at the end, move the
+	 * data to the beginning and retry.
+	 */
+	if (buffer->offset > buffer->alloc / 2) {
+		memmove(buffer->buf, buffer->buf + buffer->offset,
+			buffer->end - buffer->offset);
+		buffer->end -= buffer->offset;
+		buffer->offset = 0;
+		goto restart;
+	}
+	/* Increase the size of the buffer and retry. */
+	buffer->alloc += len + 32768;
+	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+	goto restart;
+}
+
+/* Returns the number of bytes of data in the buffer. */
+
+u_int
+buffer_len(Buffer *buffer)
+{
+	return buffer->end - buffer->offset;
+}
+
+/* Gets data from the beginning of the buffer. */
+
+void
+buffer_get(Buffer *buffer, char *buf, u_int len)
+{
+	if (len > buffer->end - buffer->offset)
+		fatal("buffer_get: trying to get more bytes %d than in buffer %d",
+		    len, buffer->end - buffer->offset);
+	memcpy(buf, buffer->buf + buffer->offset, len);
+	buffer->offset += len;
+}
+
+/* Consumes the given number of bytes from the beginning of the buffer. */
+
+void
+buffer_consume(Buffer *buffer, u_int bytes)
+{
+	if (bytes > buffer->end - buffer->offset)
+		fatal("buffer_consume: trying to get more bytes than in buffer");
+	buffer->offset += bytes;
+}
+
+/* Consumes the given number of bytes from the end of the buffer. */
+
+void
+buffer_consume_end(Buffer *buffer, u_int bytes)
+{
+	if (bytes > buffer->end - buffer->offset)
+		fatal("buffer_consume_end: trying to get more bytes than in buffer");
+	buffer->end -= bytes;
+}
+
+/* Returns a pointer to the first used byte in the buffer. */
+
+char *
+buffer_ptr(Buffer *buffer)
+{
+	return buffer->buf + buffer->offset;
+}
+
+/* Dumps the contents of the buffer to stderr. */
+
+void
+buffer_dump(Buffer *buffer)
+{
+	int i;
+	u_char *ucp = (u_char *) buffer->buf;
+
+	for (i = buffer->offset; i < buffer->end; i++) {
+		fprintf(stderr, "%02x", ucp[i]);
+		if ((i-buffer->offset)%16==15)
+			fprintf(stderr, "\r\n");
+		else if ((i-buffer->offset)%2==1)
+			fprintf(stderr, " ");
+	}
+	fprintf(stderr, "\r\n");
+}
diff --git a/crypto/openssh/buffer.h b/crypto/openssh/buffer.h
new file mode 100644
index 0000000..f3c509d
--- /dev/null
+++ b/crypto/openssh/buffer.h
@@ -0,0 +1,66 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Code for manipulating FIFO buffers.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: buffer.h,v 1.7 2000/12/19 23:17:55 markus Exp $"); */
+
+#ifndef BUFFER_H
+#define BUFFER_H
+
+typedef struct {
+	char   *buf;		/* Buffer for data. */
+	u_int alloc;	/* Number of bytes allocated for data. */
+	u_int offset;	/* Offset of first byte containing data. */
+	u_int end;	/* Offset of last byte containing data. */
+}       Buffer;
+/* Initializes the buffer structure. */
+void    buffer_init(Buffer * buffer);
+
+/* Frees any memory used for the buffer. */
+void    buffer_free(Buffer * buffer);
+
+/* Clears any data from the buffer, making it empty.  This does not actually
+   zero the memory. */
+void    buffer_clear(Buffer * buffer);
+
+/* Appends data to the buffer, expanding it if necessary. */
+void    buffer_append(Buffer * buffer, const char *data, u_int len);
+
+/*
+ * Appends space to the buffer, expanding the buffer if necessary. This does
+ * not actually copy the data into the buffer, but instead returns a pointer
+ * to the allocated region.
+ */
+void    buffer_append_space(Buffer * buffer, char **datap, u_int len);
+
+/* Returns the number of bytes of data in the buffer. */
+u_int buffer_len(Buffer * buffer);
+
+/* Gets data from the beginning of the buffer. */
+void    buffer_get(Buffer * buffer, char *buf, u_int len);
+
+/* Consumes the given number of bytes from the beginning of the buffer. */
+void    buffer_consume(Buffer * buffer, u_int bytes);
+
+/* Consumes the given number of bytes from the end of the buffer. */
+void    buffer_consume_end(Buffer * buffer, u_int bytes);
+
+/* Returns a pointer to the first used byte in the buffer. */
+char   *buffer_ptr(Buffer * buffer);
+
+/*
+ * Dumps the contents of the buffer to stderr in hex.  This intended for
+ * debugging purposes only.
+ */
+void    buffer_dump(Buffer * buffer);
+
+#endif				/* BUFFER_H */
diff --git a/crypto/openssh/canohost.c b/crypto/openssh/canohost.c
new file mode 100644
index 0000000..b535444
--- /dev/null
+++ b/crypto/openssh/canohost.c
@@ -0,0 +1,335 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Functions for returning the canonical host name of the remote site.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: canohost.c,v 1.26 2001/04/18 14:15:00 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "packet.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "canohost.h"
+
+void	check_ip_options(int socket, char *ipaddr);
+
+/*
+ * Return the canonical name of the host at the other end of the socket. The
+ * caller should free the returned string with xfree.
+ */
+
+char *
+get_remote_hostname(int socket, int reverse_mapping_check)
+{
+	struct sockaddr_storage from;
+	int i;
+	socklen_t fromlen;
+	struct addrinfo hints, *ai, *aitop;
+	char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
+
+	/* Get IP address of client. */
+	fromlen = sizeof(from);
+	memset(&from, 0, sizeof(from));
+	if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) {
+		debug("getpeername failed: %.100s", strerror(errno));
+		fatal_cleanup();
+	}
+	if (from.ss_family == AF_INET)
+		check_ip_options(socket, ntop);
+
+	if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
+	     NULL, 0, NI_NUMERICHOST) != 0)
+		fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
+
+	debug3("Trying to reverse map address %.100s.", ntop);
+	/* Map the IP address to a host name. */
+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+	     NULL, 0, NI_NAMEREQD) != 0) {
+		/* Host name not found.  Use ip address. */
+		log("Could not reverse map address %.100s.", ntop);
+		return xstrdup(ntop);
+	}
+
+	/* Got host name. */
+	name[sizeof(name) - 1] = '\0';
+	/*
+	 * Convert it to all lowercase (which is expected by the rest
+	 * of this software).
+	 */
+	for (i = 0; name[i]; i++)
+		if (isupper(name[i]))
+			name[i] = tolower(name[i]);
+
+	if (!reverse_mapping_check)
+		return xstrdup(name);
+	/*
+	 * Map it back to an IP address and check that the given
+	 * address actually is an address of this host.  This is
+	 * necessary because anyone with access to a name server can
+	 * define arbitrary names for an IP address. Mapping from
+	 * name to IP address can be trusted better (but can still be
+	 * fooled if the intruder has access to the name server of
+	 * the domain).
+	 */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = from.ss_family;
+	hints.ai_socktype = SOCK_STREAM;
+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+		log("reverse mapping checking getaddrinfo for %.700s "
+		    "failed - POSSIBLE BREAKIN ATTEMPT!", name);
+		return xstrdup(ntop);
+	}
+	/* Look for the address from the list of addresses. */
+	for (ai = aitop; ai; ai = ai->ai_next) {
+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+		    (strcmp(ntop, ntop2) == 0))
+				break;
+	}
+	freeaddrinfo(aitop);
+	/* If we reached the end of the list, the address was not there. */
+	if (!ai) {
+		/* Address not found for the host name. */
+		log("Address %.100s maps to %.600s, but this does not "
+		    "map back to the address - POSSIBLE BREAKIN ATTEMPT!",
+		    ntop, name);
+		return xstrdup(ntop);
+	}
+	return xstrdup(name);
+}
+
+/*
+ * If IP options are supported, make sure there are none (log and
+ * disconnect them if any are found).  Basically we are worried about
+ * source routing; it can be used to pretend you are somebody
+ * (ip-address) you are not. That itself may be "almost acceptable"
+ * under certain circumstances, but rhosts autentication is useless
+ * if source routing is accepted. Notice also that if we just dropped
+ * source routing here, the other side could use IP spoofing to do
+ * rest of the interaction and could still bypass security.  So we
+ * exit here if we detect any IP options.
+ */
+/* IPv4 only */
+void
+check_ip_options(int socket, char *ipaddr)
+{
+	u_char options[200];
+	char text[sizeof(options) * 3 + 1];
+	socklen_t option_size;
+	int i, ipproto;
+	struct protoent *ip;
+
+	if ((ip = getprotobyname("ip")) != NULL)
+		ipproto = ip->p_proto;
+	else
+		ipproto = IPPROTO_IP;
+	option_size = sizeof(options);
+	if (getsockopt(socket, ipproto, IP_OPTIONS, (void *)options,
+	    &option_size) >= 0 && option_size != 0) {
+		text[0] = '\0';
+		for (i = 0; i < option_size; i++)
+			snprintf(text + i*3, sizeof(text) - i*3,
+			    " %2.2x", options[i]);
+		log("Connection from %.100s with IP options:%.800s",
+		    ipaddr, text);
+		packet_disconnect("Connection from %.100s with IP options:%.800s",
+		    ipaddr, text);
+	}
+}
+
+/*
+ * Return the canonical name of the host in the other side of the current
+ * connection.  The host name is cached, so it is efficient to call this
+ * several times.
+ */
+
+const char *
+get_canonical_hostname(int reverse_mapping_check)
+{
+	static char *canonical_host_name = NULL;
+	static int reverse_mapping_checked = 0;
+
+	/* Check if we have previously retrieved name with same option. */
+	if (canonical_host_name != NULL) {
+		if (reverse_mapping_checked != reverse_mapping_check)
+			xfree(canonical_host_name);
+		else
+			return canonical_host_name;
+	}
+
+	/* Get the real hostname if socket; otherwise return UNKNOWN. */
+	if (packet_connection_is_on_socket())
+		canonical_host_name = get_remote_hostname(
+		    packet_get_connection_in(), reverse_mapping_check);
+	else
+		canonical_host_name = xstrdup("UNKNOWN");
+
+	reverse_mapping_checked = reverse_mapping_check;
+	return canonical_host_name;
+}
+
+/*
+ * Returns the remote IP-address of socket as a string.  The returned
+ * string must be freed.
+ */
+char *
+get_socket_address(int socket, int remote, int flags)
+{
+	struct sockaddr_storage addr;
+	socklen_t addrlen;
+	char ntop[NI_MAXHOST];
+
+	/* Get IP address of client. */
+	addrlen = sizeof(addr);
+	memset(&addr, 0, sizeof(addr));
+
+	if (remote) {
+		if (getpeername(socket, (struct sockaddr *)&addr, &addrlen)
+		    < 0) {
+			debug("get_socket_ipaddr: getpeername failed: %.100s",
+			    strerror(errno));
+			return NULL;
+		}
+	} else {
+		if (getsockname(socket, (struct sockaddr *)&addr, &addrlen)
+		    < 0) {
+			debug("get_socket_ipaddr: getsockname failed: %.100s",
+			    strerror(errno));
+			return NULL;
+		}
+	}
+	/* Get the address in ascii. */
+	if (getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop),
+	     NULL, 0, flags) != 0) {
+		error("get_socket_ipaddr: getnameinfo %d failed", flags);
+		return NULL;
+	}
+	return xstrdup(ntop);
+}
+
+char *
+get_peer_ipaddr(int socket)
+{
+	return get_socket_address(socket, 1, NI_NUMERICHOST);
+}
+
+char *
+get_local_ipaddr(int socket)
+{
+	return get_socket_address(socket, 0, NI_NUMERICHOST);
+}
+
+char *
+get_local_name(int socket)
+{
+	return get_socket_address(socket, 0, NI_NAMEREQD);
+}
+
+/*
+ * Returns the IP-address of the remote host as a string.  The returned
+ * string must not be freed.
+ */
+
+const char *
+get_remote_ipaddr()
+{
+	static char *canonical_host_ip = NULL;
+
+	/* Check whether we have cached the ipaddr. */
+	if (canonical_host_ip == NULL) {
+		if (packet_connection_is_on_socket()) {
+			canonical_host_ip =
+			    get_peer_ipaddr(packet_get_connection_in());
+			if (canonical_host_ip == NULL)
+				fatal_cleanup();
+		} else {
+			/* If not on socket, return UNKNOWN. */
+			canonical_host_ip = xstrdup("UNKNOWN");
+		}
+	}
+	return canonical_host_ip;
+}
+
+const char *
+get_remote_name_or_ip(u_int utmp_len, int reverse_mapping_check)
+{
+	static const char *remote = "";
+	if (utmp_len > 0)
+		remote = get_canonical_hostname(reverse_mapping_check);
+	if (utmp_len == 0 || strlen(remote) > utmp_len)
+		remote = get_remote_ipaddr();
+	return remote;
+}
+
+/* Returns the local/remote port for the socket. */
+
+int
+get_sock_port(int sock, int local)
+{
+	struct sockaddr_storage from;
+	socklen_t fromlen;
+	char strport[NI_MAXSERV];
+
+	/* Get IP address of client. */
+	fromlen = sizeof(from);
+	memset(&from, 0, sizeof(from));
+	if (local) {
+		if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) {
+			error("getsockname failed: %.100s", strerror(errno));
+			return 0;
+		}
+	} else {
+		if (getpeername(sock, (struct sockaddr *) & from, &fromlen) < 0) {
+			debug("getpeername failed: %.100s", strerror(errno));
+			fatal_cleanup();
+		}
+	}
+	/* Return port number. */
+	if (getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
+	     strport, sizeof(strport), NI_NUMERICSERV) != 0)
+		fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed");
+	return atoi(strport);
+}
+
+/* Returns remote/local port number for the current connection. */
+
+int
+get_port(int local)
+{
+	/*
+	 * If the connection is not a socket, return 65535.  This is
+	 * intentionally chosen to be an unprivileged port number.
+	 */
+	if (!packet_connection_is_on_socket())
+		return 65535;
+
+	/* Get socket and return the port number. */
+	return get_sock_port(packet_get_connection_in(), local);
+}
+
+int
+get_peer_port(int sock)
+{
+	return get_sock_port(sock, 0);
+}
+
+int
+get_remote_port()
+{
+	return get_port(0);
+}
+
+int
+get_local_port()
+{
+	return get_port(1);
+}
diff --git a/crypto/openssh/canohost.h b/crypto/openssh/canohost.h
new file mode 100644
index 0000000..36fb345
--- /dev/null
+++ b/crypto/openssh/canohost.h
@@ -0,0 +1,38 @@
+/*	$OpenBSD: canohost.h,v 1.6 2001/04/12 19:15:24 markus Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/*
+ * Return the canonical name of the host in the other side of the current
+ * connection (as returned by packet_get_connection).  The host name is
+ * cached, so it is efficient to call this several times.
+ */
+const char *get_canonical_hostname(int reverse_mapping_check);
+
+/*
+ * Returns the IP-address of the remote host as a string.  The returned
+ * string is cached and must not be freed.
+ */
+const char *get_remote_ipaddr(void);
+
+const char *get_remote_name_or_ip(u_int utmp_len, int reverse_mapping_check);
+
+/* Returns the ipaddr/port number of the peer of the socket. */
+char *	get_peer_ipaddr(int socket);
+int     get_peer_port(int sock);
+char *	get_local_ipaddr(int socket);
+char *	get_local_name(int socket);
+
+/* Returns the port number of the remote/local host. */
+int     get_remote_port(void);
+int	get_local_port(void);
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
new file mode 100644
index 0000000..38bec00
--- /dev/null
+++ b/crypto/openssh/channels.c
@@ -0,0 +1,2762 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * This file contains functions for generic socket connection forwarding.
+ * There is also code for initiating connection forwarding for X11 connections,
+ * arbitrary tcp/ip connections, and the authentication agent connection.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
+ * SSH2 support added by Markus Friedl.
+ * Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+ * Copyright (c) 1999 Dug Song.  All rights reserved.
+ * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: channels.c,v 1.109 2001/04/17 12:55:03 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+
+#include "ssh.h"
+#include "ssh1.h"
+#include "ssh2.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "uidswap.h"
+#include "log.h"
+#include "misc.h"
+#include "channels.h"
+#include "nchan.h"
+#include "compat.h"
+#include "canohost.h"
+#include "key.h"
+#include "authfd.h"
+
+/* Maximum number of fake X11 displays to try. */
+#define MAX_DISPLAYS  1000
+
+/* Max len of agent socket */
+#define MAX_SOCKET_NAME 100
+
+/*
+ * Pointer to an array containing all allocated channels.  The array is
+ * dynamically extended as needed.
+ */
+static Channel *channels = NULL;
+
+/*
+ * Size of the channel array.  All slots of the array must always be
+ * initialized (at least the type field); unused slots are marked with type
+ * SSH_CHANNEL_FREE.
+ */
+static int channels_alloc = 0;
+
+/*
+ * Maximum file descriptor value used in any of the channels.  This is
+ * updated in channel_allocate.
+ */
+static int channel_max_fd = 0;
+
+/* Name and directory of socket for authentication agent forwarding. */
+static char *channel_forwarded_auth_socket_name = NULL;
+static char *channel_forwarded_auth_socket_dir = NULL;
+
+/* Saved X11 authentication protocol name. */
+char *x11_saved_proto = NULL;
+
+/* Saved X11 authentication data.  This is the real data. */
+char *x11_saved_data = NULL;
+u_int x11_saved_data_len = 0;
+
+/*
+ * Fake X11 authentication data.  This is what the server will be sending us;
+ * we should replace any occurrences of this by the real data.
+ */
+char *x11_fake_data = NULL;
+u_int x11_fake_data_len;
+
+/*
+ * Data structure for storing which hosts are permitted for forward requests.
+ * The local sides of any remote forwards are stored in this array to prevent
+ * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
+ * network (which might be behind a firewall).
+ */
+typedef struct {
+	char *host_to_connect;		/* Connect to 'host'. */
+	u_short port_to_connect;	/* Connect to 'port'. */
+	u_short listen_port;		/* Remote side should listen port number. */
+} ForwardPermission;
+
+/* List of all permitted host/port pairs to connect. */
+static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
+/* Number of permitted host/port pairs in the array. */
+static int num_permitted_opens = 0;
+/*
+ * If this is true, all opens are permitted.  This is the case on the server
+ * on which we have to trust the client anyway, and the user could do
+ * anything after logging in anyway.
+ */
+static int all_opens_permitted = 0;
+
+/* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
+static int have_hostname_in_open = 0;
+
+/* AF_UNSPEC or AF_INET or AF_INET6 */
+extern int IPv4or6;
+
+void	 port_open_helper(Channel *c, char *rtype);
+
+/* Sets specific protocol options. */
+
+void
+channel_set_options(int hostname_in_open)
+{
+	have_hostname_in_open = hostname_in_open;
+}
+
+/* lookup channel by id */
+
+Channel *
+channel_lookup(int id)
+{
+	Channel *c;
+	if (id < 0 || id > channels_alloc) {
+		log("channel_lookup: %d: bad id", id);
+		return NULL;
+	}
+	c = &channels[id];
+	if (c->type == SSH_CHANNEL_FREE) {
+		log("channel_lookup: %d: bad id: channel free", id);
+		return NULL;
+	}
+	return c;
+}
+
+/*
+ * Register filedescriptors for a channel, used when allocating a channel or
+ * when the channel consumer/producer is ready, e.g. shell exec'd
+ */
+
+void
+channel_register_fds(Channel *c, int rfd, int wfd, int efd,
+    int extusage, int nonblock)
+{
+	/* Update the maximum file descriptor value. */
+	channel_max_fd = MAX(channel_max_fd, rfd);
+	channel_max_fd = MAX(channel_max_fd, wfd);
+	channel_max_fd = MAX(channel_max_fd, efd);
+
+	/* XXX set close-on-exec -markus */
+
+	c->rfd = rfd;
+	c->wfd = wfd;
+	c->sock = (rfd == wfd) ? rfd : -1;
+	c->efd = efd;
+	c->extended_usage = extusage;
+
+	/* XXX ugly hack: nonblock is only set by the server */
+	if (nonblock && isatty(c->rfd)) {
+		debug("channel %d: rfd %d isatty", c->self, c->rfd);
+		c->isatty = 1;
+		if (!isatty(c->wfd)) {
+			error("channel %d: wfd %d is not a tty?",
+			    c->self, c->wfd);
+		}
+	} else {
+		c->isatty = 0;
+	}
+
+	/* enable nonblocking mode */
+	if (nonblock) {
+		if (rfd != -1)
+			set_nonblock(rfd);
+		if (wfd != -1)
+			set_nonblock(wfd);
+		if (efd != -1)
+			set_nonblock(efd);
+	}
+}
+
+/*
+ * Allocate a new channel object and set its type and socket. This will cause
+ * remote_name to be freed.
+ */
+
+int
+channel_new(char *ctype, int type, int rfd, int wfd, int efd,
+    int window, int maxpack, int extusage, char *remote_name, int nonblock)
+{
+	int i, found;
+	Channel *c;
+
+	/* Do initial allocation if this is the first call. */
+	if (channels_alloc == 0) {
+		chan_init();
+		channels_alloc = 10;
+		channels = xmalloc(channels_alloc * sizeof(Channel));
+		for (i = 0; i < channels_alloc; i++)
+			channels[i].type = SSH_CHANNEL_FREE;
+		/*
+		 * Kludge: arrange a call to channel_stop_listening if we
+		 * terminate with fatal().
+		 */
+		fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
+	}
+	/* Try to find a free slot where to put the new channel. */
+	for (found = -1, i = 0; i < channels_alloc; i++)
+		if (channels[i].type == SSH_CHANNEL_FREE) {
+			/* Found a free slot. */
+			found = i;
+			break;
+		}
+	if (found == -1) {
+		/* There are no free slots.  Take last+1 slot and expand the array.  */
+		found = channels_alloc;
+		channels_alloc += 10;
+		debug2("channel: expanding %d", channels_alloc);
+		channels = xrealloc(channels, channels_alloc * sizeof(Channel));
+		for (i = found; i < channels_alloc; i++)
+			channels[i].type = SSH_CHANNEL_FREE;
+	}
+	/* Initialize and return new channel number. */
+	c = &channels[found];
+	buffer_init(&c->input);
+	buffer_init(&c->output);
+	buffer_init(&c->extended);
+	chan_init_iostates(c);
+	channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
+	c->self = found;
+	c->type = type;
+	c->ctype = ctype;
+	c->local_window = window;
+	c->local_window_max = window;
+	c->local_consumed = 0;
+	c->local_maxpacket = maxpack;
+	c->remote_id = -1;
+	c->remote_name = remote_name;
+	c->remote_window = 0;
+	c->remote_maxpacket = 0;
+	c->cb_fn = NULL;
+	c->cb_arg = NULL;
+	c->cb_event = 0;
+	c->dettach_user = NULL;
+	c->input_filter = NULL;
+	debug("channel %d: new [%s]", found, remote_name);
+	return found;
+}
+/* old interface XXX */
+int
+channel_allocate(int type, int sock, char *remote_name)
+{
+	return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name, 1);
+}
+
+
+/* Close all channel fd/socket. */
+
+void
+channel_close_fds(Channel *c)
+{
+	if (c->sock != -1) {
+		close(c->sock);
+		c->sock = -1;
+	}
+	if (c->rfd != -1) {
+		close(c->rfd);
+		c->rfd = -1;
+	}
+	if (c->wfd != -1) {
+		close(c->wfd);
+		c->wfd = -1;
+	}
+	if (c->efd != -1) {
+		close(c->efd);
+		c->efd = -1;
+	}
+}
+
+/* Free the channel and close its fd/socket. */
+
+void
+channel_free(int id)
+{
+	Channel *c = channel_lookup(id);
+	char *s = channel_open_message();
+
+	if (c == NULL)
+		packet_disconnect("channel free: bad local channel %d", id);
+	debug("channel_free: channel %d: status: %s", id, s);
+	xfree(s);
+
+	if (c->dettach_user != NULL) {
+		debug("channel_free: channel %d: dettaching channel user", id);
+		c->dettach_user(c->self, NULL);
+	}
+	if (c->sock != -1)
+		shutdown(c->sock, SHUT_RDWR);
+	channel_close_fds(c);
+	buffer_free(&c->input);
+	buffer_free(&c->output);
+	buffer_free(&c->extended);
+	c->type = SSH_CHANNEL_FREE;
+	if (c->remote_name) {
+		xfree(c->remote_name);
+		c->remote_name = NULL;
+	}
+}
+
+/*
+ * 'channel_pre*' are called just before select() to add any bits relevant to
+ * channels in the select bitmasks.
+ */
+/*
+ * 'channel_post*': perform any appropriate operations for channels which
+ * have events pending.
+ */
+typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
+chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
+chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
+
+void
+channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	FD_SET(c->sock, readset);
+}
+
+void
+channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	debug3("channel %d: waiting for connection", c->self);
+	FD_SET(c->sock, writeset);
+}
+
+void
+channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	if (buffer_len(&c->input) < packet_get_maxsize())
+		FD_SET(c->sock, readset);
+	if (buffer_len(&c->output) > 0)
+		FD_SET(c->sock, writeset);
+}
+
+void
+channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	/* test whether sockets are 'alive' for read/write */
+	if (c->istate == CHAN_INPUT_OPEN)
+		if (buffer_len(&c->input) < packet_get_maxsize())
+			FD_SET(c->sock, readset);
+	if (c->ostate == CHAN_OUTPUT_OPEN ||
+	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+		if (buffer_len(&c->output) > 0) {
+			FD_SET(c->sock, writeset);
+		} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+			chan_obuf_empty(c);
+		}
+	}
+}
+
+void
+channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	if (c->istate == CHAN_INPUT_OPEN &&
+	    c->remote_window > 0 &&
+	    buffer_len(&c->input) < c->remote_window)
+		FD_SET(c->rfd, readset);
+	if (c->ostate == CHAN_OUTPUT_OPEN ||
+	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+		if (buffer_len(&c->output) > 0) {
+			FD_SET(c->wfd, writeset);
+		} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+			chan_obuf_empty(c);
+		}
+	}
+	/** XXX check close conditions, too */
+	if (c->efd != -1) {
+		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
+		    buffer_len(&c->extended) > 0)
+			FD_SET(c->efd, writeset);
+		else if (c->extended_usage == CHAN_EXTENDED_READ &&
+		    buffer_len(&c->extended) < c->remote_window)
+			FD_SET(c->efd, readset);
+	}
+}
+
+void
+channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	if (buffer_len(&c->input) == 0) {
+		packet_start(SSH_MSG_CHANNEL_CLOSE);
+		packet_put_int(c->remote_id);
+		packet_send();
+		c->type = SSH_CHANNEL_CLOSED;
+		debug("channel %d: closing after input drain.", c->self);
+	}
+}
+
+void
+channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	if (buffer_len(&c->output) == 0)
+		channel_free(c->self);
+	else
+		FD_SET(c->sock, writeset);
+}
+
+/*
+ * This is a special state for X11 authentication spoofing.  An opened X11
+ * connection (when authentication spoofing is being done) remains in this
+ * state until the first packet has been completely read.  The authentication
+ * data in that packet is then substituted by the real data if it matches the
+ * fake data, and the channel is put into normal mode.
+ * XXX All this happens at the client side.
+ */
+int
+x11_open_helper(Channel *c)
+{
+	u_char *ucp;
+	u_int proto_len, data_len;
+
+	/* Check if the fixed size part of the packet is in buffer. */
+	if (buffer_len(&c->output) < 12)
+		return 0;
+
+	/* Parse the lengths of variable-length fields. */
+	ucp = (u_char *) buffer_ptr(&c->output);
+	if (ucp[0] == 0x42) {	/* Byte order MSB first. */
+		proto_len = 256 * ucp[6] + ucp[7];
+		data_len = 256 * ucp[8] + ucp[9];
+	} else if (ucp[0] == 0x6c) {	/* Byte order LSB first. */
+		proto_len = ucp[6] + 256 * ucp[7];
+		data_len = ucp[8] + 256 * ucp[9];
+	} else {
+		debug("Initial X11 packet contains bad byte order byte: 0x%x",
+		      ucp[0]);
+		return -1;
+	}
+
+	/* Check if the whole packet is in buffer. */
+	if (buffer_len(&c->output) <
+	    12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
+		return 0;
+
+	/* Check if authentication protocol matches. */
+	if (proto_len != strlen(x11_saved_proto) ||
+	    memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
+		debug("X11 connection uses different authentication protocol.");
+		return -1;
+	}
+	/* Check if authentication data matches our fake data. */
+	if (data_len != x11_fake_data_len ||
+	    memcmp(ucp + 12 + ((proto_len + 3) & ~3),
+		x11_fake_data, x11_fake_data_len) != 0) {
+		debug("X11 auth data does not match fake data.");
+		return -1;
+	}
+	/* Check fake data length */
+	if (x11_fake_data_len != x11_saved_data_len) {
+		error("X11 fake_data_len %d != saved_data_len %d",
+		    x11_fake_data_len, x11_saved_data_len);
+		return -1;
+	}
+	/*
+	 * Received authentication protocol and data match
+	 * our fake data. Substitute the fake data with real
+	 * data.
+	 */
+	memcpy(ucp + 12 + ((proto_len + 3) & ~3),
+	    x11_saved_data, x11_saved_data_len);
+	return 1;
+}
+
+void
+channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	int ret = x11_open_helper(c);
+	if (ret == 1) {
+		/* Start normal processing for the channel. */
+		c->type = SSH_CHANNEL_OPEN;
+		channel_pre_open_13(c, readset, writeset);
+	} else if (ret == -1) {
+		/*
+		 * We have received an X11 connection that has bad
+		 * authentication information.
+		 */
+		log("X11 connection rejected because of wrong authentication.");
+		buffer_clear(&c->input);
+		buffer_clear(&c->output);
+		close(c->sock);
+		c->sock = -1;
+		c->type = SSH_CHANNEL_CLOSED;
+		packet_start(SSH_MSG_CHANNEL_CLOSE);
+		packet_put_int(c->remote_id);
+		packet_send();
+	}
+}
+
+void
+channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	int ret = x11_open_helper(c);
+	if (ret == 1) {
+		c->type = SSH_CHANNEL_OPEN;
+		if (compat20)
+			channel_pre_open_20(c, readset, writeset);
+		else
+			channel_pre_open_15(c, readset, writeset);
+	} else if (ret == -1) {
+		debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
+		chan_read_failed(c);	/** force close? */
+		chan_write_failed(c);
+		debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
+	}
+}
+
+/* try to decode a socks4 header */
+int
+channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	u_char *p, *host;
+	int len, have, i, found;
+	char username[256];	
+	struct {
+		u_int8_t version;
+		u_int8_t command;
+		u_int16_t dest_port;
+		struct in_addr dest_addr;
+	} s4_req, s4_rsp;
+
+	debug2("channel %d: decode socks4", c->self);
+
+	have = buffer_len(&c->input);
+	len = sizeof(s4_req);
+	if (have < len)
+		return 0;
+	p = buffer_ptr(&c->input);
+	for (found = 0, i = len; i < have; i++) {
+		if (p[i] == '\0') {
+			found = 1;
+			break;
+		}
+		if (i > 1024) {
+			/* the peer is probably sending garbage */
+			debug("channel %d: decode socks4: too long",
+			    c->self);
+			return -1;
+		}
+	}
+	if (!found)
+		return 0;
+	buffer_get(&c->input, (char *)&s4_req.version, 1);
+	buffer_get(&c->input, (char *)&s4_req.command, 1);
+	buffer_get(&c->input, (char *)&s4_req.dest_port, 2);
+	buffer_get(&c->input, (char *)&s4_req.dest_addr, 4);
+	have = buffer_len(&c->input);
+	p = buffer_ptr(&c->input);
+	len = strlen(p);
+	debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
+	if (len > have)
+		fatal("channel %d: decode socks4: len %d > have %d",
+		    c->self, len, have);
+	strlcpy(username, p, sizeof(username));
+	buffer_consume(&c->input, len);
+	buffer_consume(&c->input, 1);		/* trailing '\0' */
+
+	host = inet_ntoa(s4_req.dest_addr);
+	strlcpy(c->path, host, sizeof(c->path));
+	c->host_port = ntohs(s4_req.dest_port);
+	
+	debug("channel %d: dynamic request: socks4 host %s port %u command %u",
+	    c->self, host, c->host_port, s4_req.command);
+
+	if (s4_req.command != 1) {
+		debug("channel %d: cannot handle: socks4 cn %d",
+		    c->self, s4_req.command);
+		return -1;
+	}
+	s4_rsp.version = 0;			/* vn: 0 for reply */
+	s4_rsp.command = 90;			/* cd: req granted */
+	s4_rsp.dest_port = 0;			/* ignored */
+	s4_rsp.dest_addr.s_addr = INADDR_ANY;	/* ignored */
+	buffer_append(&c->output, (char *)&s4_rsp, sizeof(s4_rsp));
+	return 1;
+}
+
+/* dynamic port forwarding */
+void
+channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	u_char *p;
+	int have, ret;
+
+	have = buffer_len(&c->input);
+
+	debug2("channel %d: pre_dynamic: have %d", c->self, have);
+	/* buffer_dump(&c->input); */
+	/* check if the fixed size part of the packet is in buffer. */
+	if (have < 4) {
+		/* need more */
+		FD_SET(c->sock, readset);
+		return;
+	}
+	/* try to guess the protocol */
+	p = buffer_ptr(&c->input);
+	switch (p[0]) {
+	case 0x04:
+		ret = channel_decode_socks4(c, readset, writeset);
+		break;
+	default:
+		ret = -1;
+		break;
+	}
+	if (ret < 0) {
+		channel_free(c->self);
+	} else if (ret == 0) {
+		debug2("channel %d: pre_dynamic: need more", c->self);
+		/* need more */
+		FD_SET(c->sock, readset);
+	} else {
+		/* switch to the next state */
+		c->type = SSH_CHANNEL_OPENING;
+		port_open_helper(c, "direct-tcpip");
+	}
+}
+
+/* This is our fake X11 server socket. */
+void
+channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	struct sockaddr addr;
+	int newsock, newch;
+	socklen_t addrlen;
+	char buf[16384], *remote_ipaddr;
+	int remote_port;
+
+	if (FD_ISSET(c->sock, readset)) {
+		debug("X11 connection requested.");
+		addrlen = sizeof(addr);
+		newsock = accept(c->sock, &addr, &addrlen);
+		if (newsock < 0) {
+			error("accept: %.100s", strerror(errno));
+			return;
+		}
+		remote_ipaddr = get_peer_ipaddr(newsock);
+		remote_port = get_peer_port(newsock);
+		snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
+		    remote_ipaddr, remote_port);
+
+		newch = channel_new("x11",
+		    SSH_CHANNEL_OPENING, newsock, newsock, -1,
+		    c->local_window_max, c->local_maxpacket,
+		    0, xstrdup(buf), 1);
+		if (compat20) {
+			packet_start(SSH2_MSG_CHANNEL_OPEN);
+			packet_put_cstring("x11");
+			packet_put_int(newch);
+			packet_put_int(c->local_window_max);
+			packet_put_int(c->local_maxpacket);
+			/* originator ipaddr and port */
+			packet_put_cstring(remote_ipaddr);
+			if (datafellows & SSH_BUG_X11FWD) {
+				debug("ssh2 x11 bug compat mode");
+			} else {
+				packet_put_int(remote_port);
+			}
+			packet_send();
+		} else {
+			packet_start(SSH_SMSG_X11_OPEN);
+			packet_put_int(newch);
+			if (have_hostname_in_open)
+				packet_put_string(buf, strlen(buf));
+			packet_send();
+		}
+		xfree(remote_ipaddr);
+	}
+}
+
+void
+port_open_helper(Channel *c, char *rtype)
+{
+	int direct;
+	char buf[1024];
+	char *remote_ipaddr = get_peer_ipaddr(c->sock);
+	u_short remote_port = get_peer_port(c->sock);
+
+	direct = (strcmp(rtype, "direct-tcpip") == 0);
+
+	snprintf(buf, sizeof buf,
+	    "%s: listening port %d for %.100s port %d, "
+	    "connect from %.200s port %d",
+	    rtype, c->listening_port, c->path, c->host_port,
+	    remote_ipaddr, remote_port);
+
+	xfree(c->remote_name);
+	c->remote_name = xstrdup(buf);
+
+	if (compat20) {
+		packet_start(SSH2_MSG_CHANNEL_OPEN);
+		packet_put_cstring(rtype);
+		packet_put_int(c->self);
+		packet_put_int(c->local_window_max);
+		packet_put_int(c->local_maxpacket);
+		if (direct) {
+			/* target host, port */
+			packet_put_cstring(c->path);
+			packet_put_int(c->host_port);
+		} else {
+			/* listen address, port */
+			packet_put_cstring(c->path);
+			packet_put_int(c->listening_port);
+		}
+		/* originator host and port */
+		packet_put_cstring(remote_ipaddr);
+		packet_put_int(remote_port);
+		packet_send();
+	} else {
+		packet_start(SSH_MSG_PORT_OPEN);
+		packet_put_int(c->self);
+		packet_put_cstring(c->path);
+		packet_put_int(c->host_port);
+		if (have_hostname_in_open)
+			packet_put_cstring(c->remote_name);
+		packet_send();
+	}
+	xfree(remote_ipaddr);
+}
+
+/*
+ * This socket is listening for connections to a forwarded TCP/IP port.
+ */
+void
+channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	Channel *nc;
+	struct sockaddr addr;
+	int newsock, newch, nextstate;
+	socklen_t addrlen;
+	char *rtype;
+
+	if (FD_ISSET(c->sock, readset)) {
+		debug("Connection to port %d forwarding "
+		    "to %.100s port %d requested.",
+		    c->listening_port, c->path, c->host_port);
+
+		rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ?
+		    "forwarded-tcpip" : "direct-tcpip";
+		nextstate = (c->host_port == 0) ? SSH_CHANNEL_DYNAMIC :
+		    SSH_CHANNEL_OPENING;
+
+		addrlen = sizeof(addr);
+		newsock = accept(c->sock, &addr, &addrlen);
+		if (newsock < 0) {
+			error("accept: %.100s", strerror(errno));
+			return;
+		}
+		newch = channel_new(rtype,
+		    nextstate, newsock, newsock, -1,
+		    c->local_window_max, c->local_maxpacket,
+		    0, xstrdup(rtype), 1);
+
+		nc = channel_lookup(newch);
+		if (nc == NULL) {
+			error("xxx: no new channel:");
+			return;
+		}
+		nc->listening_port = c->listening_port;
+		nc->host_port = c->host_port;
+		strlcpy(nc->path, c->path, sizeof(nc->path));
+
+		if (nextstate != SSH_CHANNEL_DYNAMIC)
+			port_open_helper(nc, rtype);
+	}
+}
+
+/*
+ * This is the authentication agent socket listening for connections from
+ * clients.
+ */
+void
+channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	struct sockaddr addr;
+	int newsock, newch;
+	socklen_t addrlen;
+
+	if (FD_ISSET(c->sock, readset)) {
+		addrlen = sizeof(addr);
+		newsock = accept(c->sock, &addr, &addrlen);
+		if (newsock < 0) {
+			error("accept from auth socket: %.100s", strerror(errno));
+			return;
+		}
+		newch = channel_new("accepted auth socket",
+		    SSH_CHANNEL_OPENING, newsock, newsock, -1,
+		    c->local_window_max, c->local_maxpacket,
+		    0, xstrdup("accepted auth socket"), 1);
+		if (compat20) {
+			packet_start(SSH2_MSG_CHANNEL_OPEN);
+			packet_put_cstring("auth-agent@openssh.com");
+			packet_put_int(newch);
+			packet_put_int(c->local_window_max);
+			packet_put_int(c->local_maxpacket);
+		} else {
+			packet_start(SSH_SMSG_AGENT_OPEN);
+			packet_put_int(newch);
+		}
+		packet_send();
+	}
+}
+
+void
+channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	if (FD_ISSET(c->sock, writeset)) {
+		int err = 0;
+		int sz = sizeof(err);
+		c->type = SSH_CHANNEL_OPEN;
+		if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, (char *)&err, &sz) < 0) {
+			debug("getsockopt SO_ERROR failed");
+		} else {
+			if (err == 0) {
+				debug("channel %d: connected)", c->self);
+			} else {
+				debug("channel %d: not connected: %s",
+				    c->self, strerror(err));
+				chan_read_failed(c);
+				chan_write_failed(c);
+			}
+		}
+	}
+}
+
+int
+channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	char buf[16*1024];
+	int len;
+
+	if (c->rfd != -1 &&
+	    FD_ISSET(c->rfd, readset)) {
+		len = read(c->rfd, buf, sizeof(buf));
+		if (len < 0 && (errno == EINTR || errno == EAGAIN))
+			return 1;
+		if (len <= 0) {
+			debug("channel %d: read<=0 rfd %d len %d",
+			    c->self, c->rfd, len);
+			if (c->type != SSH_CHANNEL_OPEN) {
+				debug("channel %d: not open", c->self);
+				channel_free(c->self);
+				return -1;
+			} else if (compat13) {
+				buffer_consume(&c->output, buffer_len(&c->output));
+				c->type = SSH_CHANNEL_INPUT_DRAINING;
+				debug("channel %d: status set to input draining.", c->self);
+			} else {
+				chan_read_failed(c);
+			}
+			return -1;
+		}
+		if(c->input_filter != NULL) {
+			if (c->input_filter(c, buf, len) == -1) {
+				debug("channel %d: filter stops", c->self);
+				chan_read_failed(c);
+			}
+		} else {
+			buffer_append(&c->input, buf, len);
+		}
+	}
+	return 1;
+}
+int
+channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	struct termios tio;
+	int len;
+
+	/* Send buffered output data to the socket. */
+	if (c->wfd != -1 &&
+	    FD_ISSET(c->wfd, writeset) &&
+	    buffer_len(&c->output) > 0) {
+		len = write(c->wfd, buffer_ptr(&c->output),
+		    buffer_len(&c->output));
+		if (len < 0 && (errno == EINTR || errno == EAGAIN))
+			return 1;
+		if (len <= 0) {
+			if (c->type != SSH_CHANNEL_OPEN) {
+				debug("channel %d: not open", c->self);
+				channel_free(c->self);
+				return -1;
+			} else if (compat13) {
+				buffer_consume(&c->output, buffer_len(&c->output));
+				debug("channel %d: status set to input draining.", c->self);
+				c->type = SSH_CHANNEL_INPUT_DRAINING;
+			} else {
+				chan_write_failed(c);
+			}
+			return -1;
+		}
+		if (compat20 && c->isatty) {
+			if (tcgetattr(c->wfd, &tio) == 0 &&
+			    !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
+				/*
+				 * Simulate echo to reduce the impact of
+				 * traffic analysis. We need to match the
+				 * size of a SSH2_MSG_CHANNEL_DATA message
+				 * (4 byte channel id + data)
+				 */
+				packet_send_ignore(4 + len);
+				packet_send();
+			}
+		}
+		buffer_consume(&c->output, len);
+		if (compat20 && len > 0) {
+			c->local_consumed += len;
+		}
+	}
+	return 1;
+}
+int
+channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	char buf[16*1024];
+	int len;
+
+/** XXX handle drain efd, too */
+	if (c->efd != -1) {
+		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
+		    FD_ISSET(c->efd, writeset) &&
+		    buffer_len(&c->extended) > 0) {
+			len = write(c->efd, buffer_ptr(&c->extended),
+			    buffer_len(&c->extended));
+			debug2("channel %d: written %d to efd %d",
+			    c->self, len, c->efd);
+			if (len < 0 && (errno == EINTR || errno == EAGAIN))
+				return 1;
+			if (len <= 0) {
+				debug2("channel %d: closing write-efd %d",
+				    c->self, c->efd);
+				close(c->efd);
+				c->efd = -1;
+			} else {
+				buffer_consume(&c->extended, len);
+				c->local_consumed += len;
+			}
+		} else if (c->extended_usage == CHAN_EXTENDED_READ &&
+		    FD_ISSET(c->efd, readset)) {
+			len = read(c->efd, buf, sizeof(buf));
+			debug2("channel %d: read %d from efd %d",
+			     c->self, len, c->efd);
+			if (len < 0 && (errno == EINTR || errno == EAGAIN))
+				return 1;
+			if (len <= 0) {
+				debug2("channel %d: closing read-efd %d",
+				    c->self, c->efd);
+				close(c->efd);
+				c->efd = -1;
+			} else {
+				buffer_append(&c->extended, buf, len);
+			}
+		}
+	}
+	return 1;
+}
+int
+channel_check_window(Channel *c)
+{
+	if (c->type == SSH_CHANNEL_OPEN &&
+	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
+	    c->local_window < c->local_window_max/2 &&
+	    c->local_consumed > 0) {
+		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
+		packet_put_int(c->remote_id);
+		packet_put_int(c->local_consumed);
+		packet_send();
+		debug2("channel %d: window %d sent adjust %d",
+		    c->self, c->local_window,
+		    c->local_consumed);
+		c->local_window += c->local_consumed;
+		c->local_consumed = 0;
+	}
+	return 1;
+}
+
+void
+channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	channel_handle_rfd(c, readset, writeset);
+	channel_handle_wfd(c, readset, writeset);
+}
+
+void
+channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	channel_handle_rfd(c, readset, writeset);
+	channel_handle_wfd(c, readset, writeset);
+	channel_handle_efd(c, readset, writeset);
+
+	channel_check_window(c);
+}
+
+void
+channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
+{
+	int len;
+	/* Send buffered output data to the socket. */
+	if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
+		len = write(c->sock, buffer_ptr(&c->output),
+			    buffer_len(&c->output));
+		if (len <= 0)
+			buffer_consume(&c->output, buffer_len(&c->output));
+		else
+			buffer_consume(&c->output, len);
+	}
+}
+
+void
+channel_handler_init_20(void)
+{
+	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open_20;
+	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open;
+	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_RPORT_LISTENER] =	&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
+	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
+
+	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open_2;
+	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
+	channel_post[SSH_CHANNEL_RPORT_LISTENER] =	&channel_post_port_listener;
+	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
+	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
+	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
+	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open_2;
+}
+
+void
+channel_handler_init_13(void)
+{
+	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open_13;
+	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open_13;
+	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_INPUT_DRAINING] =	&channel_pre_input_draining;
+	channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] =	&channel_pre_output_draining;
+	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
+	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
+
+	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open_1;
+	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
+	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
+	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
+	channel_post[SSH_CHANNEL_OUTPUT_DRAINING] =	&channel_post_output_drain_13;
+	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
+	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open_1;
+}
+
+void
+channel_handler_init_15(void)
+{
+	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open_15;
+	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open;
+	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
+	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
+	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
+
+	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
+	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
+	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
+	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open_1;
+	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
+	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open_1;
+}
+
+void
+channel_handler_init(void)
+{
+	int i;
+	for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
+		channel_pre[i] = NULL;
+		channel_post[i] = NULL;
+	}
+	if (compat20)
+		channel_handler_init_20();
+	else if (compat13)
+		channel_handler_init_13();
+	else
+		channel_handler_init_15();
+}
+
+void
+channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
+{
+	static int did_init = 0;
+	int i;
+	Channel *c;
+
+	if (!did_init) {
+		channel_handler_init();
+		did_init = 1;
+	}
+	for (i = 0; i < channels_alloc; i++) {
+		c = &channels[i];
+		if (c->type == SSH_CHANNEL_FREE)
+			continue;
+		if (ftab[c->type] == NULL)
+			continue;
+		(*ftab[c->type])(c, readset, writeset);
+		if (chan_is_dead(c)) {
+			/*
+			 * we have to remove the fd's from the select mask
+			 * before the channels are free'd and the fd's are
+			 * closed
+			 */
+			if (c->wfd != -1)
+				FD_CLR(c->wfd, writeset);
+			if (c->rfd != -1)
+				FD_CLR(c->rfd, readset);
+			if (c->efd != -1) {
+				if (c->extended_usage == CHAN_EXTENDED_READ)
+					FD_CLR(c->efd, readset);
+				if (c->extended_usage == CHAN_EXTENDED_WRITE)
+					FD_CLR(c->efd, writeset);
+			}
+			channel_free(c->self);
+		}
+	}
+}
+
+void
+channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
+    int rekeying)
+{
+	int n;
+	u_int sz;
+
+	n = MAX(*maxfdp, channel_max_fd);
+
+	sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
+	if (*readsetp == NULL || n > *maxfdp) {
+		if (*readsetp)
+			xfree(*readsetp);
+		if (*writesetp)
+			xfree(*writesetp);
+		*readsetp = xmalloc(sz);
+		*writesetp = xmalloc(sz);
+		*maxfdp = n;
+	}
+	memset(*readsetp, 0, sz);
+	memset(*writesetp, 0, sz);
+
+	if (!rekeying)
+		channel_handler(channel_pre, *readsetp, *writesetp);
+}
+
+void
+channel_after_select(fd_set * readset, fd_set * writeset)
+{
+	channel_handler(channel_post, readset, writeset);
+}
+
+/* If there is data to send to the connection, enqueue some of it now. */
+
+void
+channel_output_poll()
+{
+	int len, i;
+	Channel *c;
+
+	for (i = 0; i < channels_alloc; i++) {
+		c = &channels[i];
+
+		/* We are only interested in channels that can have buffered incoming data. */
+		if (compat13) {
+			if (c->type != SSH_CHANNEL_OPEN &&
+			    c->type != SSH_CHANNEL_INPUT_DRAINING)
+				continue;
+		} else {
+			if (c->type != SSH_CHANNEL_OPEN)
+				continue;
+		}
+		if (compat20 &&
+		    (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
+			/* XXX is this true? */
+			debug2("channel %d: no data after CLOSE", c->self);
+			continue;
+		}
+
+		/* Get the amount of buffered data for this channel. */
+		if ((c->istate == CHAN_INPUT_OPEN ||
+		    c->istate == CHAN_INPUT_WAIT_DRAIN) &&
+		    (len = buffer_len(&c->input)) > 0) {
+			/* Send some data for the other side over the secure connection. */
+			if (compat20) {
+				if (len > c->remote_window)
+					len = c->remote_window;
+				if (len > c->remote_maxpacket)
+					len = c->remote_maxpacket;
+			} else {
+				if (packet_is_interactive()) {
+					if (len > 1024)
+						len = 512;
+				} else {
+					/* Keep the packets at reasonable size. */
+					if (len > packet_get_maxsize()/2)
+						len = packet_get_maxsize()/2;
+				}
+			}
+			if (len > 0) {
+				packet_start(compat20 ?
+				    SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
+				packet_put_int(c->remote_id);
+				packet_put_string(buffer_ptr(&c->input), len);
+				packet_send();
+				buffer_consume(&c->input, len);
+				c->remote_window -= len;
+			}
+		} else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
+			if (compat13)
+				fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
+			/*
+			 * input-buffer is empty and read-socket shutdown:
+			 * tell peer, that we will not send more data: send IEOF
+			 */
+			chan_ibuf_empty(c);
+		}
+		/* Send extended data, i.e. stderr */
+		if (compat20 &&
+		    c->remote_window > 0 &&
+		    (len = buffer_len(&c->extended)) > 0 &&
+		    c->extended_usage == CHAN_EXTENDED_READ) {
+			debug2("channel %d: rwin %d elen %d euse %d",
+			    c->self, c->remote_window, buffer_len(&c->extended),
+			    c->extended_usage);
+			if (len > c->remote_window)
+				len = c->remote_window;
+			if (len > c->remote_maxpacket)
+				len = c->remote_maxpacket;
+			packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
+			packet_put_int(c->remote_id);
+			packet_put_int(SSH2_EXTENDED_DATA_STDERR);
+			packet_put_string(buffer_ptr(&c->extended), len);
+			packet_send();
+			buffer_consume(&c->extended, len);
+			c->remote_window -= len;
+			debug2("channel %d: sent ext data %d", c->self, len);
+		}
+	}
+}
+
+/*
+ * This is called when a packet of type CHANNEL_DATA has just been received.
+ * The message type has already been consumed, but channel number and data is
+ * still there.
+ */
+
+void
+channel_input_data(int type, int plen, void *ctxt)
+{
+	int id;
+	char *data;
+	u_int data_len;
+	Channel *c;
+
+	/* Get the channel number and verify it. */
+	id = packet_get_int();
+	c = channel_lookup(id);
+	if (c == NULL)
+		packet_disconnect("Received data for nonexistent channel %d.", id);
+
+	/* Ignore any data for non-open channels (might happen on close) */
+	if (c->type != SSH_CHANNEL_OPEN &&
+	    c->type != SSH_CHANNEL_X11_OPEN)
+		return;
+
+	/* same for protocol 1.5 if output end is no longer open */
+	if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
+		return;
+
+	/* Get the data. */
+	data = packet_get_string(&data_len);
+	packet_done();
+
+	if (compat20){
+		if (data_len > c->local_maxpacket) {
+			log("channel %d: rcvd big packet %d, maxpack %d",
+			    c->self, data_len, c->local_maxpacket);
+		}
+		if (data_len > c->local_window) {
+			log("channel %d: rcvd too much data %d, win %d",
+			    c->self, data_len, c->local_window);
+			xfree(data);
+			return;
+		}
+		c->local_window -= data_len;
+	}else{
+		packet_integrity_check(plen, 4 + 4 + data_len, type);
+	}
+	buffer_append(&c->output, data, data_len);
+	xfree(data);
+}
+void
+channel_input_extended_data(int type, int plen, void *ctxt)
+{
+	int id;
+	int tcode;
+	char *data;
+	u_int data_len;
+	Channel *c;
+
+	/* Get the channel number and verify it. */
+	id = packet_get_int();
+	c = channel_lookup(id);
+
+	if (c == NULL)
+		packet_disconnect("Received extended_data for bad channel %d.", id);
+	if (c->type != SSH_CHANNEL_OPEN) {
+		log("channel %d: ext data for non open", id);
+		return;
+	}
+	tcode = packet_get_int();
+	if (c->efd == -1 ||
+	    c->extended_usage != CHAN_EXTENDED_WRITE ||
+	    tcode != SSH2_EXTENDED_DATA_STDERR) {
+		log("channel %d: bad ext data", c->self);
+		return;
+	}
+	data = packet_get_string(&data_len);
+	packet_done();
+	if (data_len > c->local_window) {
+		log("channel %d: rcvd too much extended_data %d, win %d",
+		    c->self, data_len, c->local_window);
+		xfree(data);
+		return;
+	}
+	debug2("channel %d: rcvd ext data %d", c->self, data_len);
+	c->local_window -= data_len;
+	buffer_append(&c->extended, data, data_len);
+	xfree(data);
+}
+
+
+/*
+ * Returns true if no channel has too much buffered data, and false if one or
+ * more channel is overfull.
+ */
+
+int
+channel_not_very_much_buffered_data()
+{
+	u_int i;
+	Channel *c;
+
+	for (i = 0; i < channels_alloc; i++) {
+		c = &channels[i];
+		if (c->type == SSH_CHANNEL_OPEN) {
+			if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
+				debug("channel %d: big input buffer %d",
+				    c->self, buffer_len(&c->input));
+				return 0;
+			}
+			if (buffer_len(&c->output) > packet_get_maxsize()) {
+				debug("channel %d: big output buffer %d",
+				    c->self, buffer_len(&c->output));
+				return 0;
+			}
+		}
+	}
+	return 1;
+}
+
+void
+channel_input_ieof(int type, int plen, void *ctxt)
+{
+	int id;
+	Channel *c;
+
+	packet_integrity_check(plen, 4, type);
+
+	id = packet_get_int();
+	c = channel_lookup(id);
+	if (c == NULL)
+		packet_disconnect("Received ieof for nonexistent channel %d.", id);
+	chan_rcvd_ieof(c);
+}
+
+void
+channel_input_close(int type, int plen, void *ctxt)
+{
+	int id;
+	Channel *c;
+
+	packet_integrity_check(plen, 4, type);
+
+	id = packet_get_int();
+	c = channel_lookup(id);
+	if (c == NULL)
+		packet_disconnect("Received close for nonexistent channel %d.", id);
+
+	/*
+	 * Send a confirmation that we have closed the channel and no more
+	 * data is coming for it.
+	 */
+	packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
+	packet_put_int(c->remote_id);
+	packet_send();
+
+	/*
+	 * If the channel is in closed state, we have sent a close request,
+	 * and the other side will eventually respond with a confirmation.
+	 * Thus, we cannot free the channel here, because then there would be
+	 * no-one to receive the confirmation.  The channel gets freed when
+	 * the confirmation arrives.
+	 */
+	if (c->type != SSH_CHANNEL_CLOSED) {
+		/*
+		 * Not a closed channel - mark it as draining, which will
+		 * cause it to be freed later.
+		 */
+		buffer_consume(&c->input, buffer_len(&c->input));
+		c->type = SSH_CHANNEL_OUTPUT_DRAINING;
+	}
+}
+
+/* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
+void
+channel_input_oclose(int type, int plen, void *ctxt)
+{
+	int id = packet_get_int();
+	Channel *c = channel_lookup(id);
+	packet_integrity_check(plen, 4, type);
+	if (c == NULL)
+		packet_disconnect("Received oclose for nonexistent channel %d.", id);
+	chan_rcvd_oclose(c);
+}
+
+void
+channel_input_close_confirmation(int type, int plen, void *ctxt)
+{
+	int id = packet_get_int();
+	Channel *c = channel_lookup(id);
+
+	packet_done();
+	if (c == NULL)
+		packet_disconnect("Received close confirmation for "
+		    "out-of-range channel %d.", id);
+	if (c->type != SSH_CHANNEL_CLOSED)
+		packet_disconnect("Received close confirmation for "
+		    "non-closed channel %d (type %d).", id, c->type);
+	channel_free(c->self);
+}
+
+void
+channel_input_open_confirmation(int type, int plen, void *ctxt)
+{
+	int id, remote_id;
+	Channel *c;
+
+	if (!compat20)
+		packet_integrity_check(plen, 4 + 4, type);
+
+	id = packet_get_int();
+	c = channel_lookup(id);
+
+	if (c==NULL || c->type != SSH_CHANNEL_OPENING)
+		packet_disconnect("Received open confirmation for "
+		    "non-opening channel %d.", id);
+	remote_id = packet_get_int();
+	/* Record the remote channel number and mark that the channel is now open. */
+	c->remote_id = remote_id;
+	c->type = SSH_CHANNEL_OPEN;
+
+	if (compat20) {
+		c->remote_window = packet_get_int();
+		c->remote_maxpacket = packet_get_int();
+		packet_done();
+		if (c->cb_fn != NULL && c->cb_event == type) {
+			debug2("callback start");
+			c->cb_fn(c->self, c->cb_arg);
+			debug2("callback done");
+		}
+		debug("channel %d: open confirm rwindow %d rmax %d", c->self,
+		    c->remote_window, c->remote_maxpacket);
+	}
+}
+
+void
+channel_input_open_failure(int type, int plen, void *ctxt)
+{
+	int id, reason;
+	char *msg = NULL, *lang = NULL;
+	Channel *c;
+
+	if (!compat20)
+		packet_integrity_check(plen, 4, type);
+
+	id = packet_get_int();
+	c = channel_lookup(id);
+
+	if (c==NULL || c->type != SSH_CHANNEL_OPENING)
+		packet_disconnect("Received open failure for "
+		    "non-opening channel %d.", id);
+	if (compat20) {
+		reason = packet_get_int();
+		if (packet_remaining() > 0) {
+			msg  = packet_get_string(NULL);
+			lang = packet_get_string(NULL);
+		}
+		packet_done();
+		log("channel_open_failure: %d: reason %d %s", id,
+		    reason, msg ? msg : "<no additional info>");
+		if (msg != NULL)
+			xfree(msg);
+		if (lang != NULL)
+			xfree(lang);
+	}
+	/* Free the channel.  This will also close the socket. */
+	channel_free(id);
+}
+
+void
+channel_input_channel_request(int type, int plen, void *ctxt)
+{
+	int id;
+	Channel *c;
+
+	id = packet_get_int();
+	c = channel_lookup(id);
+
+	if (c == NULL ||
+	    (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL))
+		packet_disconnect("Received request for "
+		    "non-open channel %d.", id);
+	if (c->cb_fn != NULL && c->cb_event == type) {
+		debug2("callback start");
+		c->cb_fn(c->self, c->cb_arg);
+		debug2("callback done");
+	} else {
+		char *service = packet_get_string(NULL);
+		debug("channel %d: rcvd request for %s", c->self, service);
+		debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
+		xfree(service);
+	}
+}
+
+void
+channel_input_window_adjust(int type, int plen, void *ctxt)
+{
+	Channel *c;
+	int id, adjust;
+
+	if (!compat20)
+		return;
+
+	/* Get the channel number and verify it. */
+	id = packet_get_int();
+	c = channel_lookup(id);
+
+	if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
+		log("Received window adjust for "
+		    "non-open channel %d.", id);
+		return;
+	}
+	adjust = packet_get_int();
+	packet_done();
+	debug2("channel %d: rcvd adjust %d", id, adjust);
+	c->remote_window += adjust;
+}
+
+/*
+ * Stops listening for channels, and removes any unix domain sockets that we
+ * might have.
+ */
+
+void
+channel_stop_listening()
+{
+	int i;
+	for (i = 0; i < channels_alloc; i++) {
+		switch (channels[i].type) {
+		case SSH_CHANNEL_AUTH_SOCKET:
+			close(channels[i].sock);
+			/* auth_sock_cleanup_proc deletes the socket */
+			channel_free(i);
+			break;
+		case SSH_CHANNEL_PORT_LISTENER:
+		case SSH_CHANNEL_RPORT_LISTENER:
+		case SSH_CHANNEL_X11_LISTENER:
+			close(channels[i].sock);
+			channel_free(i);
+			break;
+		default:
+			break;
+		}
+	}
+}
+
+/*
+ * Closes the sockets/fds of all channels.  This is used to close extra file
+ * descriptors after a fork.
+ */
+
+void
+channel_close_all()
+{
+	int i;
+	for (i = 0; i < channels_alloc; i++)
+		if (channels[i].type != SSH_CHANNEL_FREE)
+			channel_close_fds(&channels[i]);
+}
+
+/* Returns true if any channel is still open. */
+
+int
+channel_still_open()
+{
+	u_int i;
+	for (i = 0; i < channels_alloc; i++)
+		switch (channels[i].type) {
+		case SSH_CHANNEL_FREE:
+		case SSH_CHANNEL_X11_LISTENER:
+		case SSH_CHANNEL_PORT_LISTENER:
+		case SSH_CHANNEL_RPORT_LISTENER:
+		case SSH_CHANNEL_CLOSED:
+		case SSH_CHANNEL_AUTH_SOCKET:
+		case SSH_CHANNEL_DYNAMIC:
+		case SSH_CHANNEL_CONNECTING: 	/* XXX ??? */
+			continue;
+		case SSH_CHANNEL_LARVAL:
+			if (!compat20)
+				fatal("cannot happen: SSH_CHANNEL_LARVAL");
+			continue;
+		case SSH_CHANNEL_OPENING:
+		case SSH_CHANNEL_OPEN:
+		case SSH_CHANNEL_X11_OPEN:
+			return 1;
+		case SSH_CHANNEL_INPUT_DRAINING:
+		case SSH_CHANNEL_OUTPUT_DRAINING:
+			if (!compat13)
+				fatal("cannot happen: OUT_DRAIN");
+			return 1;
+		default:
+			fatal("channel_still_open: bad channel type %d", channels[i].type);
+			/* NOTREACHED */
+		}
+	return 0;
+}
+
+/* Returns the id of an open channel suitable for keepaliving */
+
+int
+channel_find_open()
+{
+	u_int i;
+	for (i = 0; i < channels_alloc; i++)
+		switch (channels[i].type) {
+		case SSH_CHANNEL_CLOSED:
+		case SSH_CHANNEL_DYNAMIC:
+		case SSH_CHANNEL_FREE:
+		case SSH_CHANNEL_X11_LISTENER:
+		case SSH_CHANNEL_PORT_LISTENER:
+		case SSH_CHANNEL_RPORT_LISTENER:
+		case SSH_CHANNEL_OPENING:
+			continue;
+		case SSH_CHANNEL_LARVAL:
+		case SSH_CHANNEL_AUTH_SOCKET:
+		case SSH_CHANNEL_CONNECTING: 	/* XXX ??? */
+		case SSH_CHANNEL_OPEN:
+		case SSH_CHANNEL_X11_OPEN:
+			return i;
+		case SSH_CHANNEL_INPUT_DRAINING:
+		case SSH_CHANNEL_OUTPUT_DRAINING:
+			if (!compat13)
+				fatal("cannot happen: OUT_DRAIN");
+			return i;
+		default:
+			fatal("channel_find_open: bad channel type %d", channels[i].type);
+			/* NOTREACHED */
+		}
+	return -1;
+}
+
+
+/*
+ * Returns a message describing the currently open forwarded connections,
+ * suitable for sending to the client.  The message contains crlf pairs for
+ * newlines.
+ */
+
+char *
+channel_open_message()
+{
+	Buffer buffer;
+	int i;
+	char buf[512], *cp;
+
+	buffer_init(&buffer);
+	snprintf(buf, sizeof buf, "The following connections are open:\r\n");
+	buffer_append(&buffer, buf, strlen(buf));
+	for (i = 0; i < channels_alloc; i++) {
+		Channel *c = &channels[i];
+		switch (c->type) {
+		case SSH_CHANNEL_FREE:
+		case SSH_CHANNEL_X11_LISTENER:
+		case SSH_CHANNEL_PORT_LISTENER:
+		case SSH_CHANNEL_RPORT_LISTENER:
+		case SSH_CHANNEL_CLOSED:
+		case SSH_CHANNEL_AUTH_SOCKET:
+			continue;
+		case SSH_CHANNEL_LARVAL:
+		case SSH_CHANNEL_OPENING:
+		case SSH_CHANNEL_CONNECTING:
+		case SSH_CHANNEL_DYNAMIC:
+		case SSH_CHANNEL_OPEN:
+		case SSH_CHANNEL_X11_OPEN:
+		case SSH_CHANNEL_INPUT_DRAINING:
+		case SSH_CHANNEL_OUTPUT_DRAINING:
+			snprintf(buf, sizeof buf, "  #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
+			    c->self, c->remote_name,
+			    c->type, c->remote_id,
+			    c->istate, buffer_len(&c->input),
+			    c->ostate, buffer_len(&c->output),
+			    c->rfd, c->wfd);
+			buffer_append(&buffer, buf, strlen(buf));
+			continue;
+		default:
+			fatal("channel_open_message: bad channel type %d", c->type);
+			/* NOTREACHED */
+		}
+	}
+	buffer_append(&buffer, "\0", 1);
+	cp = xstrdup(buffer_ptr(&buffer));
+	buffer_free(&buffer);
+	return cp;
+}
+
+/*
+ * Initiate forwarding of connections to local port "port" through the secure
+ * channel to host:port from remote side.
+ */
+int
+channel_request_local_forwarding(u_short listen_port, const char *host_to_connect,
+    u_short port_to_connect, int gateway_ports)
+{
+	return channel_request_forwarding(
+	    NULL, listen_port,
+	    host_to_connect, port_to_connect,
+	    gateway_ports, /*remote_fwd*/ 0);
+}
+
+/*
+ * If 'remote_fwd' is true we have a '-R style' listener for protocol 2
+ * (SSH_CHANNEL_RPORT_LISTENER).
+ */
+int
+channel_request_forwarding(
+    const char *listen_address, u_short listen_port,
+    const char *host_to_connect, u_short port_to_connect,
+    int gateway_ports, int remote_fwd)
+{
+	int success, ch, sock, on = 1, ctype;
+	struct addrinfo hints, *ai, *aitop;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	const char *host;
+	struct linger linger;
+
+	success = 0;
+
+	if (remote_fwd) {
+		host = listen_address;
+		ctype = SSH_CHANNEL_RPORT_LISTENER;
+	} else {
+		host = host_to_connect;
+		ctype  =SSH_CHANNEL_PORT_LISTENER;
+	}
+
+	if (strlen(host) > sizeof(channels[0].path) - 1) {
+		error("Forward host name too long.");
+		return success;
+	}
+
+	/* XXX listen_address is currently ignored */
+	/*
+	 * getaddrinfo returns a loopback address if the hostname is
+	 * set to NULL and hints.ai_flags is not AI_PASSIVE
+	 */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = IPv4or6;
+	hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
+	hints.ai_socktype = SOCK_STREAM;
+	snprintf(strport, sizeof strport, "%d", listen_port);
+	if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
+		packet_disconnect("getaddrinfo: fatal error");
+
+	for (ai = aitop; ai; ai = ai->ai_next) {
+		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+			continue;
+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
+		    strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+			error("channel_request_forwarding: getnameinfo failed");
+			continue;
+		}
+		/* Create a port to listen for the host. */
+		sock = socket(ai->ai_family, SOCK_STREAM, 0);
+		if (sock < 0) {
+			/* this is no error since kernel may not support ipv6 */
+			verbose("socket: %.100s", strerror(errno));
+			continue;
+		}
+		/*
+		 * Set socket options.  We would like the socket to disappear
+		 * as soon as it has been closed for whatever reason.
+		 */
+		setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
+		linger.l_onoff = 1;
+		linger.l_linger = 5;
+		setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
+		debug("Local forwarding listening on %s port %s.", ntop, strport);
+
+		/* Bind the socket to the address. */
+		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+			/* address can be in use ipv6 address is already bound */
+			verbose("bind: %.100s", strerror(errno));
+			close(sock);
+			continue;
+		}
+		/* Start listening for connections on the socket. */
+		if (listen(sock, 5) < 0) {
+			error("listen: %.100s", strerror(errno));
+			close(sock);
+			continue;
+		}
+		/* Allocate a channel number for the socket. */
+		ch = channel_new("port listener", ctype, sock, sock, -1,
+		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+		    0, xstrdup("port listener"), 1);
+		strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
+		channels[ch].host_port = port_to_connect;
+		channels[ch].listening_port = listen_port;
+		success = 1;
+	}
+	if (success == 0)
+		error("channel_request_forwarding: cannot listen to port: %d",
+		    listen_port);
+	freeaddrinfo(aitop);
+	return success;
+}
+
+/*
+ * Initiate forwarding of connections to port "port" on remote host through
+ * the secure channel to host:port from local side.
+ */
+
+void
+channel_request_remote_forwarding(u_short listen_port,
+    const char *host_to_connect, u_short port_to_connect)
+{
+	int payload_len, type, success = 0;
+
+	/* Record locally that connection to this host/port is permitted. */
+	if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
+		fatal("channel_request_remote_forwarding: too many forwards");
+
+	/* Send the forward request to the remote side. */
+	if (compat20) {
+		const char *address_to_bind = "0.0.0.0";
+		packet_start(SSH2_MSG_GLOBAL_REQUEST);
+		packet_put_cstring("tcpip-forward");
+		packet_put_char(0);			/* boolean: want reply */
+		packet_put_cstring(address_to_bind);
+		packet_put_int(listen_port);
+		packet_send();
+		packet_write_wait();
+		/* Assume that server accepts the request */
+		success = 1;
+	} else {
+		packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
+		packet_put_int(listen_port);
+		packet_put_cstring(host_to_connect);
+		packet_put_int(port_to_connect);
+		packet_send();
+		packet_write_wait();
+
+		/* Wait for response from the remote side. */
+		type = packet_read(&payload_len);
+		switch (type) {
+		case SSH_SMSG_SUCCESS:
+			success = 1;
+			break;
+		case SSH_SMSG_FAILURE:
+			log("Warning: Server denied remote port forwarding.");
+			break;
+		default:
+			/* Unknown packet */
+			packet_disconnect("Protocol error for port forward request:"
+			    "received packet type %d.", type);
+		}
+	}
+	if (success) {
+		permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
+		permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
+		permitted_opens[num_permitted_opens].listen_port = listen_port;
+		num_permitted_opens++;
+	}
+}
+
+/*
+ * This is called after receiving CHANNEL_FORWARDING_REQUEST.  This initates
+ * listening for the port, and sends back a success reply (or disconnect
+ * message if there was an error).  This never returns if there was an error.
+ */
+
+void
+channel_input_port_forward_request(int is_root, int gateway_ports)
+{
+	u_short port, host_port;
+	char *hostname;
+
+	/* Get arguments from the packet. */
+	port = packet_get_int();
+	hostname = packet_get_string(NULL);
+	host_port = packet_get_int();
+
+	/*
+	 * Check that an unprivileged user is not trying to forward a
+	 * privileged port.
+	 */
+	if (port < IPPORT_RESERVED && !is_root)
+		packet_disconnect("Requested forwarding of port %d but user is not root.",
+				  port);
+	/* Initiate forwarding */
+	channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
+
+	/* Free the argument string. */
+	xfree(hostname);
+}
+
+/*
+ * Permits opening to any host/port if permitted_opens[] is empty.  This is
+ * usually called by the server, because the user could connect to any port
+ * anyway, and the server has no way to know but to trust the client anyway.
+ */
+void
+channel_permit_all_opens()
+{
+	if (num_permitted_opens == 0)
+		all_opens_permitted = 1;
+}
+
+void
+channel_add_permitted_opens(char *host, int port)
+{
+	if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
+		fatal("channel_request_remote_forwarding: too many forwards");
+	debug("allow port forwarding to host %s port %d", host, port);
+
+	permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
+	permitted_opens[num_permitted_opens].port_to_connect = port;
+	num_permitted_opens++;
+
+	all_opens_permitted = 0;
+}
+
+void
+channel_clear_permitted_opens(void)
+{
+	int i;
+
+	for (i = 0; i < num_permitted_opens; i++)
+		xfree(permitted_opens[i].host_to_connect);
+	num_permitted_opens = 0;
+
+}
+
+
+/* return socket to remote host, port */
+int
+connect_to(const char *host, u_short port)
+{
+	struct addrinfo hints, *ai, *aitop;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	int gaierr;
+	int sock = -1;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = IPv4or6;
+	hints.ai_socktype = SOCK_STREAM;
+	snprintf(strport, sizeof strport, "%d", port);
+	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
+		error("connect_to %.100s: unknown host (%s)", host,
+		    gai_strerror(gaierr));
+		return -1;
+	}
+	for (ai = aitop; ai; ai = ai->ai_next) {
+		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+			continue;
+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
+		    strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+			error("connect_to: getnameinfo failed");
+			continue;
+		}
+		sock = socket(ai->ai_family, SOCK_STREAM, 0);
+		if (sock < 0) {
+			error("socket: %.100s", strerror(errno));
+			continue;
+		}
+		if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
+			fatal("connect_to: F_SETFL: %s", strerror(errno));
+		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
+		    errno != EINPROGRESS) {
+			error("connect_to %.100s port %s: %.100s", ntop, strport,
+			    strerror(errno));
+			close(sock);
+			continue;	/* fail -- try next */
+		}
+		break; /* success */
+
+	}
+	freeaddrinfo(aitop);
+	if (!ai) {
+		error("connect_to %.100s port %d: failed.", host, port);
+		return -1;
+	}
+	/* success */
+	return sock;
+}
+
+int
+channel_connect_by_listen_adress(u_short listen_port)
+{
+	int i;
+
+	for (i = 0; i < num_permitted_opens; i++)
+		if (permitted_opens[i].listen_port == listen_port)
+			return connect_to(
+			    permitted_opens[i].host_to_connect,
+			    permitted_opens[i].port_to_connect);
+	error("WARNING: Server requests forwarding for unknown listen_port %d",
+	    listen_port);
+	return -1;
+}
+
+/* Check if connecting to that port is permitted and connect. */
+int
+channel_connect_to(const char *host, u_short port)
+{
+	int i, permit;
+
+	permit = all_opens_permitted;
+	if (!permit) {
+		for (i = 0; i < num_permitted_opens; i++)
+			if (permitted_opens[i].port_to_connect == port &&
+			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
+				permit = 1;
+
+	}
+	if (!permit) {
+		log("Received request to connect to host %.100s port %d, "
+		    "but the request was denied.", host, port);
+		return -1;
+	}
+	return connect_to(host, port);
+}
+
+/*
+ * This is called after receiving PORT_OPEN message.  This attempts to
+ * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
+ * or CHANNEL_OPEN_FAILURE.
+ */
+
+void
+channel_input_port_open(int type, int plen, void *ctxt)
+{
+	u_short host_port;
+	char *host, *originator_string;
+	int remote_channel, sock = -1, newch;
+
+	remote_channel = packet_get_int();
+	host = packet_get_string(NULL);
+	host_port = packet_get_int();
+
+	if (have_hostname_in_open) {
+		originator_string = packet_get_string(NULL);
+	} else {
+		originator_string = xstrdup("unknown (remote did not supply name)");
+	}
+	packet_done();
+	sock = channel_connect_to(host, host_port);
+	if (sock != -1) {
+		newch = channel_allocate(SSH_CHANNEL_CONNECTING,
+		    sock, originator_string);
+		channels[newch].remote_id = remote_channel;
+
+		/*XXX delay answer? */
+		packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
+		packet_put_int(remote_channel);
+		packet_put_int(newch);
+		packet_send();
+	} else {
+		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(remote_channel);
+		packet_send();
+	}
+	xfree(host);
+}
+
+/*
+ * Creates an internet domain socket for listening for X11 connections.
+ * Returns a suitable value for the DISPLAY variable, or NULL if an error
+ * occurs.
+ */
+
+#define	NUM_SOCKS	10
+
+char *
+x11_create_display_inet(int screen_number, int x11_display_offset)
+{
+	int display_number, sock;
+	u_short port;
+	struct addrinfo hints, *ai, *aitop;
+	char strport[NI_MAXSERV];
+	int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
+	char display[512];
+	char hostname[MAXHOSTNAMELEN];
+
+	for (display_number = x11_display_offset;
+	     display_number < MAX_DISPLAYS;
+	     display_number++) {
+		port = 6000 + display_number;
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = IPv4or6;
+		hints.ai_flags = AI_PASSIVE;		/* XXX loopback only ? */
+		hints.ai_socktype = SOCK_STREAM;
+		snprintf(strport, sizeof strport, "%d", port);
+		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
+			error("getaddrinfo: %.100s", gai_strerror(gaierr));
+			return NULL;
+		}
+		for (ai = aitop; ai; ai = ai->ai_next) {
+			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+				continue;
+			sock = socket(ai->ai_family, SOCK_STREAM, 0);
+			if (sock < 0) {
+				error("socket: %.100s", strerror(errno));
+				return NULL;
+			}
+			if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+				debug("bind port %d: %.100s", port, strerror(errno));
+				shutdown(sock, SHUT_RDWR);
+				close(sock);
+				for (n = 0; n < num_socks; n++) {
+					shutdown(socks[n], SHUT_RDWR);
+					close(socks[n]);
+				}
+				num_socks = 0;
+				break;
+			}
+			socks[num_socks++] = sock;
+			if (num_socks == NUM_SOCKS)
+				break;
+		}
+		freeaddrinfo(aitop);
+		if (num_socks > 0)
+			break;
+	}
+	if (display_number >= MAX_DISPLAYS) {
+		error("Failed to allocate internet-domain X11 display socket.");
+		return NULL;
+	}
+	/* Start listening for connections on the socket. */
+	for (n = 0; n < num_socks; n++) {
+		sock = socks[n];
+		if (listen(sock, 5) < 0) {
+			error("listen: %.100s", strerror(errno));
+			shutdown(sock, SHUT_RDWR);
+			close(sock);
+			return NULL;
+		}
+	}
+
+	/* Set up a suitable value for the DISPLAY variable. */
+	if (gethostname(hostname, sizeof(hostname)) < 0)
+		fatal("gethostname: %.100s", strerror(errno));
+	snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
+		 display_number, screen_number);
+
+	/* Allocate a channel for each socket. */
+	for (n = 0; n < num_socks; n++) {
+		sock = socks[n];
+		(void) channel_new("x11 listener",
+		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+		    0, xstrdup("X11 inet listener"), 1);
+	}
+
+	/* Return a suitable value for the DISPLAY environment variable. */
+	return xstrdup(display);
+}
+
+#ifndef X_UNIX_PATH
+#define X_UNIX_PATH "/tmp/.X11-unix/X"
+#endif
+
+static
+int
+connect_local_xsocket(u_int dnr)
+{
+	static const char *const x_sockets[] = {
+		X_UNIX_PATH "%u",
+		"/var/X/.X11-unix/X" "%u",
+		"/usr/spool/sockets/X11/" "%u",
+		NULL
+	};
+	int sock;
+	struct sockaddr_un addr;
+	const char *const * path;
+
+	for (path = x_sockets; *path; ++path) {
+		sock = socket(AF_UNIX, SOCK_STREAM, 0);
+		if (sock < 0)
+			error("socket: %.100s", strerror(errno));
+		memset(&addr, 0, sizeof(addr));
+		addr.sun_family = AF_UNIX;
+		snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
+		if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
+			return sock;
+		close(sock);
+	}
+	error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
+	return -1;
+}
+
+int
+x11_connect_display(void)
+{
+	int display_number, sock = 0;
+	const char *display;
+	char buf[1024], *cp;
+	struct addrinfo hints, *ai, *aitop;
+	char strport[NI_MAXSERV];
+	int gaierr;
+
+	/* Try to open a socket for the local X server. */
+	display = getenv("DISPLAY");
+	if (!display) {
+		error("DISPLAY not set.");
+		return -1;
+	}
+	/*
+	 * Now we decode the value of the DISPLAY variable and make a
+	 * connection to the real X server.
+	 */
+
+	/*
+	 * Check if it is a unix domain socket.  Unix domain displays are in
+	 * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
+	 */
+	if (strncmp(display, "unix:", 5) == 0 ||
+	    display[0] == ':') {
+		/* Connect to the unix domain socket. */
+		if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
+			error("Could not parse display number from DISPLAY: %.100s",
+			      display);
+			return -1;
+		}
+		/* Create a socket. */
+		sock = connect_local_xsocket(display_number);
+		if (sock < 0)
+			return -1;
+
+		/* OK, we now have a connection to the display. */
+		return sock;
+	}
+	/*
+	 * Connect to an inet socket.  The DISPLAY value is supposedly
+	 * hostname:d[.s], where hostname may also be numeric IP address.
+	 */
+	strncpy(buf, display, sizeof(buf));
+	buf[sizeof(buf) - 1] = 0;
+	cp = strchr(buf, ':');
+	if (!cp) {
+		error("Could not find ':' in DISPLAY: %.100s", display);
+		return -1;
+	}
+	*cp = 0;
+	/* buf now contains the host name.  But first we parse the display number. */
+	if (sscanf(cp + 1, "%d", &display_number) != 1) {
+		error("Could not parse display number from DISPLAY: %.100s",
+		      display);
+		return -1;
+	}
+
+	/* Look up the host address */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = IPv4or6;
+	hints.ai_socktype = SOCK_STREAM;
+	snprintf(strport, sizeof strport, "%d", 6000 + display_number);
+	if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
+		error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
+		return -1;
+	}
+	for (ai = aitop; ai; ai = ai->ai_next) {
+		/* Create a socket. */
+		sock = socket(ai->ai_family, SOCK_STREAM, 0);
+		if (sock < 0) {
+			debug("socket: %.100s", strerror(errno));
+			continue;
+		}
+		/* Connect it to the display. */
+		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+			debug("connect %.100s port %d: %.100s", buf,
+			    6000 + display_number, strerror(errno));
+			close(sock);
+			continue;
+		}
+		/* Success */
+		break;
+	}
+	freeaddrinfo(aitop);
+	if (!ai) {
+		error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
+		    strerror(errno));
+		return -1;
+	}
+	return sock;
+}
+
+/*
+ * This is called when SSH_SMSG_X11_OPEN is received.  The packet contains
+ * the remote channel number.  We should do whatever we want, and respond
+ * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
+ */
+
+void
+x11_input_open(int type, int plen, void *ctxt)
+{
+	int remote_channel, sock = 0, newch;
+	char *remote_host;
+	u_int remote_len;
+
+	/* Get remote channel number. */
+	remote_channel = packet_get_int();
+
+	/* Get remote originator name. */
+	if (have_hostname_in_open) {
+		remote_host = packet_get_string(&remote_len);
+		remote_len += 4;
+	} else {
+		remote_host = xstrdup("unknown (remote did not supply name)");
+		remote_len = 0;
+	}
+
+	debug("Received X11 open request.");
+	packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
+
+	/* Obtain a connection to the real X display. */
+	sock = x11_connect_display();
+	if (sock == -1) {
+		/* Send refusal to the remote host. */
+		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(remote_channel);
+		packet_send();
+	} else {
+		/* Allocate a channel for this connection. */
+		newch = channel_allocate(
+		     (x11_saved_proto == NULL) ?
+		     SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN,
+		     sock, remote_host);
+		channels[newch].remote_id = remote_channel;
+
+		/* Send a confirmation to the remote host. */
+		packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
+		packet_put_int(remote_channel);
+		packet_put_int(newch);
+		packet_send();
+	}
+}
+
+/* dummy protocol handler that denies SSH-1 requests (agent/x11) */
+void
+deny_input_open(int type, int plen, void *ctxt)
+{
+	int rchan = packet_get_int();
+	switch(type){
+	case SSH_SMSG_AGENT_OPEN:
+		error("Warning: ssh server tried agent forwarding.");
+		break;
+	case SSH_SMSG_X11_OPEN:
+		error("Warning: ssh server tried X11 forwarding.");
+		break;
+	default:
+		error("deny_input_open: type %d plen %d", type, plen);
+		break;
+	}
+	error("Warning: this is probably a break in attempt by a malicious server.");
+	packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+	packet_put_int(rchan);
+	packet_send();
+}
+
+/*
+ * Requests forwarding of X11 connections, generates fake authentication
+ * data, and enables authentication spoofing.
+ */
+
+void
+x11_request_forwarding_with_spoofing(int client_session_id,
+    const char *proto, const char *data)
+{
+	u_int data_len = (u_int) strlen(data) / 2;
+	u_int i, value, len;
+	char *new_data;
+	int screen_number;
+	const char *cp;
+	u_int32_t rand = 0;
+
+	cp = getenv("DISPLAY");
+	if (cp)
+		cp = strchr(cp, ':');
+	if (cp)
+		cp = strchr(cp, '.');
+	if (cp)
+		screen_number = atoi(cp + 1);
+	else
+		screen_number = 0;
+
+	/* Save protocol name. */
+	x11_saved_proto = xstrdup(proto);
+
+	/*
+	 * Extract real authentication data and generate fake data of the
+	 * same length.
+	 */
+	x11_saved_data = xmalloc(data_len);
+	x11_fake_data = xmalloc(data_len);
+	for (i = 0; i < data_len; i++) {
+		if (sscanf(data + 2 * i, "%2x", &value) != 1)
+			fatal("x11_request_forwarding: bad authentication data: %.100s", data);
+		if (i % 4 == 0)
+			rand = arc4random();
+		x11_saved_data[i] = value;
+		x11_fake_data[i] = rand & 0xff;
+		rand >>= 8;
+	}
+	x11_saved_data_len = data_len;
+	x11_fake_data_len = data_len;
+
+	/* Convert the fake data into hex. */
+	len = 2 * data_len + 1;
+	new_data = xmalloc(len);
+	for (i = 0; i < data_len; i++)
+		snprintf(new_data + 2 * i, len - 2 * i,
+		    "%02x", (u_char) x11_fake_data[i]);
+
+	/* Send the request packet. */
+	if (compat20) {
+		channel_request_start(client_session_id, "x11-req", 0);
+		packet_put_char(0);	/* XXX bool single connection */
+	} else {
+		packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
+	}
+	packet_put_cstring(proto);
+	packet_put_cstring(new_data);
+	packet_put_int(screen_number);
+	packet_send();
+	packet_write_wait();
+	xfree(new_data);
+}
+
+/* Sends a message to the server to request authentication fd forwarding. */
+
+void
+auth_request_forwarding()
+{
+	packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
+	packet_send();
+	packet_write_wait();
+}
+
+/*
+ * Returns the name of the forwarded authentication socket.  Returns NULL if
+ * there is no forwarded authentication socket.  The returned value points to
+ * a static buffer.
+ */
+
+char *
+auth_get_socket_name()
+{
+	return channel_forwarded_auth_socket_name;
+}
+
+/* removes the agent forwarding socket */
+
+void
+auth_sock_cleanup_proc(void *_pw)
+{
+	struct passwd *pw = _pw;
+
+	if (channel_forwarded_auth_socket_name) {
+		temporarily_use_uid(pw);
+		unlink(channel_forwarded_auth_socket_name);
+		rmdir(channel_forwarded_auth_socket_dir);
+		channel_forwarded_auth_socket_name = NULL;
+		restore_uid();
+	}
+}
+
+/*
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This starts forwarding authentication requests.
+ */
+
+int
+auth_input_request_forwarding(struct passwd * pw)
+{
+	int sock, newch;
+	struct sockaddr_un sunaddr;
+
+	if (auth_get_socket_name() != NULL)
+		fatal("Protocol error: authentication forwarding requested twice.");
+
+	/* Temporarily drop privileged uid for mkdir/bind. */
+	temporarily_use_uid(pw);
+
+	/* Allocate a buffer for the socket name, and format the name. */
+	channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
+	channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
+	strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
+
+	/* Create private directory for socket */
+	if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
+		packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
+		    strerror(errno));
+		restore_uid();
+		xfree(channel_forwarded_auth_socket_name);
+		xfree(channel_forwarded_auth_socket_dir);
+		channel_forwarded_auth_socket_name = NULL;
+		channel_forwarded_auth_socket_dir = NULL;
+		return 0;
+	}
+	snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
+		 channel_forwarded_auth_socket_dir, (int) getpid());
+
+	/* delete agent socket on fatal() */
+	fatal_add_cleanup(auth_sock_cleanup_proc, pw);
+
+	/* Create the socket. */
+	sock = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (sock < 0)
+		packet_disconnect("socket: %.100s", strerror(errno));
+
+	/* Bind it to the name. */
+	memset(&sunaddr, 0, sizeof(sunaddr));
+	sunaddr.sun_family = AF_UNIX;
+	strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
+		sizeof(sunaddr.sun_path));
+
+	if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
+		packet_disconnect("bind: %.100s", strerror(errno));
+
+	/* Restore the privileged uid. */
+	restore_uid();
+
+	/* Start listening on the socket. */
+	if (listen(sock, 5) < 0)
+		packet_disconnect("listen: %.100s", strerror(errno));
+
+	/* Allocate a channel for the authentication agent socket. */
+	newch = channel_new("auth socket",
+	    SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
+	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+	    0, xstrdup("auth socket"), 1);
+
+	strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
+	    sizeof(channels[newch].path));
+	return 1;
+}
+
+/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
+
+void
+auth_input_open_request(int type, int plen, void *ctxt)
+{
+	int remch, sock, newch;
+	char *dummyname;
+
+	packet_integrity_check(plen, 4, type);
+
+	/* Read the remote channel number from the message. */
+	remch = packet_get_int();
+
+	/*
+	 * Get a connection to the local authentication agent (this may again
+	 * get forwarded).
+	 */
+	sock = ssh_get_authentication_socket();
+
+	/*
+	 * If we could not connect the agent, send an error message back to
+	 * the server. This should never happen unless the agent dies,
+	 * because authentication forwarding is only enabled if we have an
+	 * agent.
+	 */
+	if (sock < 0) {
+		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(remch);
+		packet_send();
+		return;
+	}
+	debug("Forwarding authentication connection.");
+
+	/*
+	 * Dummy host name.  This will be freed when the channel is freed; it
+	 * will still be valid in the packet_put_string below since the
+	 * channel cannot yet be freed at that point.
+	 */
+	dummyname = xstrdup("authentication agent connection");
+
+	newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
+	channels[newch].remote_id = remch;
+
+	/* Send a confirmation to the remote host. */
+	packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
+	packet_put_int(remch);
+	packet_put_int(newch);
+	packet_send();
+}
+
+void
+channel_start_open(int id)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_open: %d: bad id", id);
+		return;
+	}
+	debug("send channel open %d", id);
+	packet_start(SSH2_MSG_CHANNEL_OPEN);
+	packet_put_cstring(c->ctype);
+	packet_put_int(c->self);
+	packet_put_int(c->local_window);
+	packet_put_int(c->local_maxpacket);
+}
+void
+channel_open(int id)
+{
+	/* XXX REMOVE ME */
+	channel_start_open(id);
+	packet_send();
+}
+void
+channel_request(int id, char *service, int wantconfirm)
+{
+	channel_request_start(id, service, wantconfirm);
+	packet_send();
+	debug("channel request %d: %s", id, service) ;
+}
+void
+channel_request_start(int id, char *service, int wantconfirm)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_request: %d: bad id", id);
+		return;
+	}
+	packet_start(SSH2_MSG_CHANNEL_REQUEST);
+	packet_put_int(c->remote_id);
+	packet_put_cstring(service);
+	packet_put_char(wantconfirm);
+}
+void
+channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_register_callback: %d: bad id", id);
+		return;
+	}
+	c->cb_event = mtype;
+	c->cb_fn = fn;
+	c->cb_arg = arg;
+}
+void
+channel_register_cleanup(int id, channel_callback_fn *fn)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_register_cleanup: %d: bad id", id);
+		return;
+	}
+	c->dettach_user = fn;
+}
+void
+channel_cancel_cleanup(int id)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_cancel_cleanup: %d: bad id", id);
+		return;
+	}
+	c->dettach_user = NULL;
+}
+void
+channel_register_filter(int id, channel_filter_fn *fn)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_register_filter: %d: bad id", id);
+		return;
+	}
+	c->input_filter = fn;
+}
+
+void
+channel_set_fds(int id, int rfd, int wfd, int efd,
+    int extusage, int nonblock)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
+		fatal("channel_activate for non-larval channel %d.", id);
+	channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
+	c->type = SSH_CHANNEL_OPEN;
+	/* XXX window size? */
+	c->local_window = c->local_window_max = c->local_maxpacket * 2;
+	packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
+	packet_put_int(c->remote_id);
+	packet_put_int(c->local_window);
+	packet_send();
+}
diff --git a/crypto/openssh/channels.h b/crypto/openssh/channels.h
new file mode 100644
index 0000000..16ddde5
--- /dev/null
+++ b/crypto/openssh/channels.h
@@ -0,0 +1,314 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/* RCSID("$OpenBSD: channels.h,v 1.31 2001/04/13 22:46:53 beck Exp $"); */
+/* RCSID("$FreeBSD$"); */
+
+#ifndef CHANNELS_H
+#define CHANNELS_H
+
+#include "buffer.h"
+
+/* Definitions for channel types. */
+#define SSH_CHANNEL_FREE		0	/* This channel is free (unused). */
+#define SSH_CHANNEL_X11_LISTENER	1	/* Listening for inet X11 conn. */
+#define SSH_CHANNEL_PORT_LISTENER	2	/* Listening on a port. */
+#define SSH_CHANNEL_OPENING		3	/* waiting for confirmation */
+#define SSH_CHANNEL_OPEN		4	/* normal open two-way channel */
+#define SSH_CHANNEL_CLOSED		5	/* waiting for close confirmation */
+#define SSH_CHANNEL_AUTH_SOCKET		6	/* authentication socket */
+#define SSH_CHANNEL_X11_OPEN		7	/* reading first X11 packet */
+#define SSH_CHANNEL_INPUT_DRAINING	8	/* sending remaining data to conn */
+#define SSH_CHANNEL_OUTPUT_DRAINING	9	/* sending remaining data to app */
+#define SSH_CHANNEL_LARVAL		10	/* larval session */
+#define SSH_CHANNEL_RPORT_LISTENER	11	/* Listening to a R-style port  */
+#define SSH_CHANNEL_CONNECTING		12
+#define SSH_CHANNEL_DYNAMIC		13
+#define SSH_CHANNEL_MAX_TYPE		14
+
+/*
+ * Data structure for channel data.  This is iniailized in channel_allocate
+ * and cleared in channel_free.
+ */
+struct Channel;
+typedef struct Channel Channel;
+
+typedef void channel_callback_fn(int id, void *arg);
+typedef int channel_filter_fn(struct Channel *c, char *buf, int len);
+
+struct Channel {
+	int     type;		/* channel type/state */
+	int     self;		/* my own channel identifier */
+	int     remote_id;	/* channel identifier for remote peer */
+	/* peer can be reached over encrypted connection, via packet-sent */
+	int     istate;		/* input from channel (state of receive half) */
+	int     ostate;		/* output to channel  (state of transmit half) */
+	int     flags;		/* close sent/rcvd */
+	int     rfd;		/* read fd */
+	int     wfd;		/* write fd */
+	int     efd;		/* extended fd */
+	int     sock;		/* sock fd */
+	int     isatty;		/* rfd is a tty */
+	Buffer  input;		/* data read from socket, to be sent over
+				 * encrypted connection */
+	Buffer  output;		/* data received over encrypted connection for
+				 * send on socket */
+	Buffer  extended;
+	char    path[200];	/* path for unix domain sockets, or host name
+				 * for forwards */
+	int     listening_port;	/* port being listened for forwards */
+	int     host_port;	/* remote port to connect for forwards */
+	char   *remote_name;	/* remote hostname */
+
+	int	remote_window;
+	int	remote_maxpacket;
+	int	local_window;
+	int	local_window_max;
+	int	local_consumed;
+	int	local_maxpacket;
+	int     extended_usage;
+
+	char   *ctype;		/* type */
+
+	/* callback */
+	channel_callback_fn	*cb_fn;
+	void	*cb_arg;
+	int	cb_event;
+	channel_callback_fn	*dettach_user;
+
+	/* filter */
+	channel_filter_fn	*input_filter;
+};
+
+#define CHAN_EXTENDED_IGNORE		0
+#define CHAN_EXTENDED_READ		1
+#define CHAN_EXTENDED_WRITE		2
+
+/* default window/packet sizes for tcp/x11-fwd-channel */
+#define CHAN_SES_WINDOW_DEFAULT	(32*1024)
+#define CHAN_SES_PACKET_DEFAULT	(CHAN_SES_WINDOW_DEFAULT/2)
+#define CHAN_TCP_WINDOW_DEFAULT	(32*1024)
+#define CHAN_TCP_PACKET_DEFAULT	(CHAN_TCP_WINDOW_DEFAULT/2)
+#define CHAN_X11_WINDOW_DEFAULT	(4*1024)
+#define CHAN_X11_PACKET_DEFAULT	(CHAN_X11_WINDOW_DEFAULT/2)
+
+
+void	channel_open(int id);
+void	channel_request(int id, char *service, int wantconfirm);
+void	channel_request_start(int id, char *service, int wantconfirm);
+void	channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg);
+void	channel_register_cleanup(int id, channel_callback_fn *fn);
+void	channel_register_filter(int id, channel_filter_fn *fn);
+void	channel_cancel_cleanup(int id);
+Channel	*channel_lookup(int id);
+
+int
+channel_new(char *ctype, int type, int rfd, int wfd, int efd,
+    int window, int maxpack, int extended_usage, char *remote_name,
+    int nonblock);
+void
+channel_set_fds(int id, int rfd, int wfd, int efd,
+    int extusage, int nonblock);
+
+void	deny_input_open(int type, int plen, void *ctxt);
+
+void	channel_input_channel_request(int type, int plen, void *ctxt);
+void	channel_input_close(int type, int plen, void *ctxt);
+void	channel_input_close_confirmation(int type, int plen, void *ctxt);
+void	channel_input_data(int type, int plen, void *ctxt);
+void	channel_input_extended_data(int type, int plen, void *ctxt);
+void	channel_input_ieof(int type, int plen, void *ctxt);
+void	channel_input_oclose(int type, int plen, void *ctxt);
+void	channel_input_open_confirmation(int type, int plen, void *ctxt);
+void	channel_input_open_failure(int type, int plen, void *ctxt);
+void	channel_input_port_open(int type, int plen, void *ctxt);
+void	channel_input_window_adjust(int type, int plen, void *ctxt);
+
+/* Sets specific protocol options. */
+void    channel_set_options(int hostname_in_open);
+
+/*
+ * Allocate a new channel object and set its type and socket.  Remote_name
+ * must have been allocated with xmalloc; this will free it when the channel
+ * is freed.
+ */
+int     channel_allocate(int type, int sock, char *remote_name);
+
+/* Free the channel and close its socket. */
+void    channel_free(int channel);
+
+/*
+ * Allocate/update select bitmasks and add any bits relevant to channels in
+ * select bitmasks.
+ */
+void
+channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
+    int rekeying);
+
+/*
+ * After select, perform any appropriate operations for channels which have
+ * events pending.
+ */
+void    channel_after_select(fd_set * readset, fd_set * writeset);
+
+/* If there is data to send to the connection, send some of it now. */
+void    channel_output_poll(void);
+
+/* Returns true if no channel has too much buffered data. */
+int     channel_not_very_much_buffered_data(void);
+
+/* This closes any sockets that are listening for connections; this removes
+   any unix domain sockets. */
+void    channel_stop_listening(void);
+
+/*
+ * Closes the sockets of all channels.  This is used to close extra file
+ * descriptors after a fork.
+ */
+void    channel_close_all(void);
+
+/* Returns true if there is still an open channel over the connection. */
+int     channel_still_open(void);
+
+/*
+ * Returns a string containing a list of all open channels.  The list is
+ * suitable for displaying to the user.  It uses crlf instead of newlines.
+ * The caller should free the string with xfree.
+ */
+char   *channel_open_message(void);
+
+/*
+ * Initiate forwarding of connections to local port "port" through the secure
+ * channel to host:port from remote side.
+ */
+int
+channel_request_local_forwarding(u_short listen_port,
+    const char *host_to_connect, u_short port_to_connect, int gateway_ports);
+int
+channel_request_forwarding(const char *listen_address, u_short listen_port,
+    const char *host_to_connect, u_short port_to_connect, int gateway_ports,
+    int remote_fwd);
+
+/*
+ * Initiate forwarding of connections to port "port" on remote host through
+ * the secure channel to host:port from local side.  This never returns if
+ * there was an error.  This registers that open requests for that port are
+ * permitted.
+ */
+void
+channel_request_remote_forwarding(u_short port, const char *host,
+    u_short remote_port);
+
+/*
+ * Permits opening to any host/port if permitted_opens[] is empty.  This is
+ * usually called by the server, because the user could connect to any port
+ * anyway, and the server has no way to know but to trust the client anyway.
+ */
+void    channel_permit_all_opens(void);
+
+/* Add host/port to list of allowed targets for port forwarding */
+void	channel_add_permitted_opens(char *host, int port);
+
+/* Flush list */
+void	channel_clear_permitted_opens(void);
+
+/*
+ * This is called after receiving CHANNEL_FORWARDING_REQUEST.  This initates
+ * listening for the port, and sends back a success reply (or disconnect
+ * message if there was an error).  This never returns if there was an error.
+ */
+void    channel_input_port_forward_request(int is_root, int gateway_ports);
+
+/*
+ * Creates a port for X11 connections, and starts listening for it. Returns
+ * the display name, or NULL if an error was encountered.
+ */
+char   *x11_create_display(int screen);
+
+/*
+ * Creates an internet domain socket for listening for X11 connections.
+ * Returns a suitable value for the DISPLAY variable, or NULL if an error
+ * occurs.
+ */
+char   *x11_create_display_inet(int screen, int x11_display_offset);
+
+/*
+ * This is called when SSH_SMSG_X11_OPEN is received.  The packet contains
+ * the remote channel number.  We should do whatever we want, and respond
+ * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
+ */
+void    x11_input_open(int type, int plen, void *ctxt);
+
+/*
+ * Requests forwarding of X11 connections.  This should be called on the
+ * client only.
+ */
+void    x11_request_forwarding(void);
+
+/*
+ * Requests forwarding for X11 connections, with authentication spoofing.
+ * This should be called in the client only.
+ */
+void
+x11_request_forwarding_with_spoofing(int client_session_id,
+    const char *proto, const char *data);
+
+/* Sends a message to the server to request authentication fd forwarding. */
+void    auth_request_forwarding(void);
+
+/*
+ * Returns the name of the forwarded authentication socket.  Returns NULL if
+ * there is no forwarded authentication socket.  The returned value points to
+ * a static buffer.
+ */
+char   *auth_get_socket_name(void);
+
+/*
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This starts forwarding authentication requests.
+ */
+int     auth_input_request_forwarding(struct passwd * pw);
+
+/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
+void    auth_input_open_request(int type, int plen, void *ctxt);
+
+/* XXX */
+void	auth_sock_cleanup_proc(void *pw);
+int	channel_connect_to(const char *host, u_short host_port);
+int	channel_connect_by_listen_adress(u_short listen_port);
+int	x11_connect_display(void);
+
+int	channel_find_open(void);
+
+#endif
diff --git a/crypto/openssh/cipher.c b/crypto/openssh/cipher.c
new file mode 100644
index 0000000..07036d4
--- /dev/null
+++ b/crypto/openssh/cipher.c
@@ -0,0 +1,556 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
+ * Copyright (c) 1999 Niels Provos.  All rights reserved.
+ * Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: cipher.c,v 1.43 2001/02/04 15:32:23 stevesk Exp $");
+RCSID("$FreeBSD$");
+
+#include "xmalloc.h"
+#include "log.h"
+#include "cipher.h"
+
+#include <openssl/md5.h>
+
+
+/* no encryption */
+void
+none_setkey(CipherContext *cc, const u_char *key, u_int keylen)
+{
+}
+void
+none_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
+{
+}
+void
+none_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+{
+	memcpy(dest, src, len);
+}
+
+/* DES */
+void
+des_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen)
+{
+	static int dowarn = 1;
+	if (dowarn) {
+		error("Warning: use of DES is strongly discouraged "
+		    "due to cryptographic weaknesses");
+		dowarn = 0;
+	}
+	des_set_key((void *)key, cc->u.des.key);
+}
+void
+des_ssh1_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
+{
+	memset(cc->u.des.iv, 0, sizeof(cc->u.des.iv));
+}
+void
+des_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+{
+	des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
+	    DES_ENCRYPT);
+}
+void
+des_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+{
+	des_ncbc_encrypt(src, dest, len, cc->u.des.key, &cc->u.des.iv,
+	    DES_DECRYPT);
+}
+
+/* 3DES */
+void
+des3_setkey(CipherContext *cc, const u_char *key, u_int keylen)
+{
+	des_set_key((void *) key, cc->u.des3.key1);
+	des_set_key((void *) (key+8), cc->u.des3.key2);
+	des_set_key((void *) (key+16), cc->u.des3.key3);
+}
+void
+des3_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
+{
+	memset(cc->u.des3.iv2, 0, sizeof(cc->u.des3.iv2));
+	memset(cc->u.des3.iv3, 0, sizeof(cc->u.des3.iv3));
+	if (iv == NULL)
+		return;
+	memcpy(cc->u.des3.iv3, (char *)iv, 8);
+}
+void
+des3_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+{
+	des_ede3_cbc_encrypt(src, dest, len,
+	    cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
+	    &cc->u.des3.iv3, DES_ENCRYPT);
+}
+void
+des3_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+{
+	des_ede3_cbc_encrypt(src, dest, len,
+	    cc->u.des3.key1, cc->u.des3.key2, cc->u.des3.key3,
+	    &cc->u.des3.iv3, DES_DECRYPT);
+}
+
+/*
+ * This is used by SSH1:
+ *
+ * What kind of triple DES are these 2 routines?
+ *
+ * Why is there a redundant initialization vector?
+ *
+ * If only iv3 was used, then, this would till effect have been
+ * outer-cbc. However, there is also a private iv1 == iv2 which
+ * perhaps makes differential analysis easier. On the other hand, the
+ * private iv1 probably makes the CRC-32 attack ineffective. This is a
+ * result of that there is no longer any known iv1 to use when
+ * choosing the X block.
+ */
+void
+des3_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen)
+{
+	des_set_key((void *) key, cc->u.des3.key1);
+	des_set_key((void *) (key+8), cc->u.des3.key2);
+	if (keylen <= 16)
+		des_set_key((void *) key, cc->u.des3.key3);
+	else
+		des_set_key((void *) (key+16), cc->u.des3.key3);
+}
+void
+des3_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
+    u_int len)
+{
+	des_cblock iv1;
+	des_cblock *iv2 = &cc->u.des3.iv2;
+	des_cblock *iv3 = &cc->u.des3.iv3;
+
+	memcpy(&iv1, iv2, 8);
+
+	des_ncbc_encrypt(src,  dest, len, cc->u.des3.key1, &iv1, DES_ENCRYPT);
+	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_DECRYPT);
+	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key3, iv3, DES_ENCRYPT);
+}
+void
+des3_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
+    u_int len)
+{
+	des_cblock iv1;
+	des_cblock *iv2 = &cc->u.des3.iv2;
+	des_cblock *iv3 = &cc->u.des3.iv3;
+
+	memcpy(&iv1, iv2, 8);
+
+	des_ncbc_encrypt(src,  dest, len, cc->u.des3.key3, iv3, DES_DECRYPT);
+	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key2, iv2, DES_ENCRYPT);
+	des_ncbc_encrypt(dest, dest, len, cc->u.des3.key1, &iv1, DES_DECRYPT);
+}
+
+/* Blowfish */
+void
+blowfish_setkey(CipherContext *cc, const u_char *key, u_int keylen)
+{
+	BF_set_key(&cc->u.bf.key, keylen, (u_char *)key);
+}
+void
+blowfish_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
+{
+	if (iv == NULL)
+		memset(cc->u.bf.iv, 0, 8);
+	else
+		memcpy(cc->u.bf.iv, (char *)iv, 8);
+}
+void
+blowfish_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
+     u_int len)
+{
+	BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
+	    BF_ENCRYPT);
+}
+void
+blowfish_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
+     u_int len)
+{
+	BF_cbc_encrypt((void *)src, dest, len, &cc->u.bf.key, cc->u.bf.iv,
+	    BF_DECRYPT);
+}
+
+/*
+ * SSH1 uses a variation on Blowfish, all bytes must be swapped before
+ * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
+ */
+static void
+swap_bytes(const u_char *src, u_char *dst, int n)
+{
+	char c[4];
+
+	/* Process 4 bytes every lap. */
+	for (n = n / 4; n > 0; n--) {
+		c[3] = *src++;
+		c[2] = *src++;
+		c[1] = *src++;
+		c[0] = *src++;
+
+		*dst++ = c[0];
+		*dst++ = c[1];
+		*dst++ = c[2];
+		*dst++ = c[3];
+	}
+}
+
+void
+blowfish_ssh1_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
+    u_int len)
+{
+	swap_bytes(src, dest, len);
+	BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
+	    BF_ENCRYPT);
+	swap_bytes(dest, dest, len);
+}
+void
+blowfish_ssh1_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
+    u_int len)
+{
+	swap_bytes(src, dest, len);
+	BF_cbc_encrypt((void *)dest, dest, len, &cc->u.bf.key, cc->u.bf.iv,
+	    BF_DECRYPT);
+	swap_bytes(dest, dest, len);
+}
+
+/* alleged rc4 */
+void
+arcfour_setkey(CipherContext *cc, const u_char *key, u_int keylen)
+{
+	RC4_set_key(&cc->u.rc4, keylen, (u_char *)key);
+}
+void
+arcfour_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+{
+	RC4(&cc->u.rc4, len, (u_char *)src, dest);
+}
+
+/* CAST */
+void
+cast_setkey(CipherContext *cc, const u_char *key, u_int keylen)
+{
+	CAST_set_key(&cc->u.cast.key, keylen, (u_char *) key);
+}
+void
+cast_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
+{
+	if (iv == NULL)
+		fatal("no IV for %s.", cc->cipher->name);
+	memcpy(cc->u.cast.iv, (char *)iv, 8);
+}
+void
+cast_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+{
+	CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
+	    CAST_ENCRYPT);
+}
+void
+cast_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+{
+	CAST_cbc_encrypt(src, dest, len, &cc->u.cast.key, cc->u.cast.iv,
+	    CAST_DECRYPT);
+}
+
+/* RIJNDAEL */
+
+#define RIJNDAEL_BLOCKSIZE 16
+void
+rijndael_setkey(CipherContext *cc, const u_char *key, u_int keylen)
+{
+	rijndael_set_key(&cc->u.rijndael.enc, (u4byte *)key, 8*keylen, 1);
+	rijndael_set_key(&cc->u.rijndael.dec, (u4byte *)key, 8*keylen, 0);
+}
+void
+rijndael_setiv(CipherContext *cc, const u_char *iv, u_int ivlen)
+{
+	if (iv == NULL)
+		fatal("no IV for %s.", cc->cipher->name);
+	memcpy((u_char *)cc->u.rijndael.iv, iv, RIJNDAEL_BLOCKSIZE);
+}
+void
+rijndael_cbc_encrypt(CipherContext *cc, u_char *dest, const u_char *src,
+    u_int len)
+{
+	rijndael_ctx *ctx = &cc->u.rijndael.enc;
+	u4byte *iv = cc->u.rijndael.iv;
+	u4byte in[4];
+	u4byte *cprev, *cnow, *plain;
+	int i, blocks = len / RIJNDAEL_BLOCKSIZE;
+	if (len == 0)
+		return;
+	if (len % RIJNDAEL_BLOCKSIZE)
+		fatal("rijndael_cbc_encrypt: bad len %d", len);
+	cnow  = (u4byte*) dest;
+	plain = (u4byte*) src;
+	cprev = iv;
+	for(i = 0; i < blocks; i++, plain+=4, cnow+=4) {
+		in[0] = plain[0] ^ cprev[0];
+		in[1] = plain[1] ^ cprev[1];
+		in[2] = plain[2] ^ cprev[2];
+		in[3] = plain[3] ^ cprev[3];
+		rijndael_encrypt(ctx, in, cnow);
+		cprev = cnow;
+	}
+	memcpy(iv, cprev, RIJNDAEL_BLOCKSIZE);
+}
+
+void
+rijndael_cbc_decrypt(CipherContext *cc, u_char *dest, const u_char *src,
+    u_int len)
+{
+	rijndael_ctx *ctx = &cc->u.rijndael.dec;
+	u4byte *iv = cc->u.rijndael.iv;
+	u4byte ivsaved[4];
+	u4byte *cnow =  (u4byte*) (src+len-RIJNDAEL_BLOCKSIZE);
+	u4byte *plain = (u4byte*) (dest+len-RIJNDAEL_BLOCKSIZE);
+	u4byte *ivp;
+	int i, blocks = len / RIJNDAEL_BLOCKSIZE;
+	if (len == 0)
+		return;
+	if (len % RIJNDAEL_BLOCKSIZE)
+		fatal("rijndael_cbc_decrypt: bad len %d", len);
+	memcpy(ivsaved, cnow, RIJNDAEL_BLOCKSIZE);
+	for(i = blocks; i > 0; i--, cnow-=4, plain-=4) {
+		rijndael_decrypt(ctx, cnow, plain);
+		ivp =  (i == 1) ? iv : cnow-4;
+		plain[0] ^= ivp[0];
+		plain[1] ^= ivp[1];
+		plain[2] ^= ivp[2];
+		plain[3] ^= ivp[3];
+	}
+	memcpy(iv, ivsaved, RIJNDAEL_BLOCKSIZE);
+}
+
+Cipher ciphers[] = {
+	{ "none",
+		SSH_CIPHER_NONE, 8, 0,
+		none_setkey, none_setiv,
+		none_crypt, none_crypt },
+	{ "des",
+		SSH_CIPHER_DES, 8, 8,
+		des_ssh1_setkey, des_ssh1_setiv,
+		des_ssh1_encrypt, des_ssh1_decrypt },
+	{ "3des",
+		SSH_CIPHER_3DES, 8, 16,
+		des3_ssh1_setkey, des3_setiv,
+		des3_ssh1_encrypt, des3_ssh1_decrypt },
+	{ "blowfish",
+		SSH_CIPHER_BLOWFISH, 8, 16,
+		blowfish_setkey, blowfish_setiv,
+		blowfish_ssh1_encrypt, blowfish_ssh1_decrypt },
+
+	{ "3des-cbc",
+		SSH_CIPHER_SSH2, 8, 24,
+		des3_setkey, des3_setiv,
+		des3_cbc_encrypt, des3_cbc_decrypt },
+	{ "blowfish-cbc",
+		SSH_CIPHER_SSH2, 8, 16,
+		blowfish_setkey, blowfish_setiv,
+		blowfish_cbc_encrypt, blowfish_cbc_decrypt },
+	{ "cast128-cbc",
+		SSH_CIPHER_SSH2, 8, 16,
+		cast_setkey, cast_setiv,
+		cast_cbc_encrypt, cast_cbc_decrypt },
+	{ "arcfour",
+		SSH_CIPHER_SSH2, 8, 16,
+		arcfour_setkey, none_setiv,
+		arcfour_crypt, arcfour_crypt },
+	{ "aes128-cbc",
+		SSH_CIPHER_SSH2, 16, 16,
+		rijndael_setkey, rijndael_setiv,
+		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
+	{ "aes192-cbc",
+		SSH_CIPHER_SSH2, 16, 24,
+		rijndael_setkey, rijndael_setiv,
+		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
+	{ "aes256-cbc",
+		SSH_CIPHER_SSH2, 16, 32,
+		rijndael_setkey, rijndael_setiv,
+		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
+	{ "rijndael128-cbc",
+		SSH_CIPHER_SSH2, 16, 16,
+		rijndael_setkey, rijndael_setiv,
+		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
+	{ "rijndael192-cbc",
+		SSH_CIPHER_SSH2, 16, 24,
+		rijndael_setkey, rijndael_setiv,
+		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
+	{ "rijndael256-cbc",
+		SSH_CIPHER_SSH2, 16, 32,
+		rijndael_setkey, rijndael_setiv,
+		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
+	{ "rijndael-cbc@lysator.liu.se",
+		SSH_CIPHER_SSH2, 16, 32,
+		rijndael_setkey, rijndael_setiv,
+		rijndael_cbc_encrypt, rijndael_cbc_decrypt },
+	{ NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL }
+};
+
+/*--*/
+
+u_int
+cipher_mask_ssh1(int client)
+{
+	u_int mask = 0;
+	mask |= 1 << SSH_CIPHER_3DES;           /* Mandatory */
+	mask |= 1 << SSH_CIPHER_BLOWFISH;
+	if (client) {
+		mask |= 1 << SSH_CIPHER_DES;
+	}
+	return mask;
+}
+
+Cipher *
+cipher_by_name(const char *name)
+{
+	Cipher *c;
+	for (c = ciphers; c->name != NULL; c++)
+		if (strcasecmp(c->name, name) == 0)
+			return c;
+	return NULL;
+}
+
+Cipher *
+cipher_by_number(int id)
+{
+	Cipher *c;
+	for (c = ciphers; c->name != NULL; c++)
+		if (c->number == id)
+			return c;
+	return NULL;
+}
+
+#define	CIPHER_SEP	","
+int
+ciphers_valid(const char *names)
+{
+	Cipher *c;
+	char *ciphers, *cp;
+	char *p;
+
+	if (names == NULL || strcmp(names, "") == 0)
+		return 0;
+	ciphers = cp = xstrdup(names);
+	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
+	     (p = strsep(&cp, CIPHER_SEP))) {
+		c = cipher_by_name(p);
+		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
+			debug("bad cipher %s [%s]", p, names);
+			xfree(ciphers);
+			return 0;
+		} else {
+			debug3("cipher ok: %s [%s]", p, names);
+		}
+	}
+	debug3("ciphers ok: [%s]", names);
+	xfree(ciphers);
+	return 1;
+}
+
+/*
+ * Parses the name of the cipher.  Returns the number of the corresponding
+ * cipher, or -1 on error.
+ */
+
+int
+cipher_number(const char *name)
+{
+	Cipher *c;
+	if (name == NULL)
+		return -1;
+	c = cipher_by_name(name);
+	return (c==NULL) ? -1 : c->number;
+}
+
+char *
+cipher_name(int id)
+{
+	Cipher *c = cipher_by_number(id);
+	return (c==NULL) ? "<unknown>" : c->name;
+}
+
+void
+cipher_init(CipherContext *cc, Cipher *cipher,
+    const u_char *key, u_int keylen, const u_char *iv, u_int ivlen)
+{
+	if (keylen < cipher->key_len)
+		fatal("cipher_init: key length %d is insufficient for %s.",
+		    keylen, cipher->name);
+	if (iv != NULL && ivlen < cipher->block_size)
+		fatal("cipher_init: iv length %d is insufficient for %s.",
+		    ivlen, cipher->name);
+	cc->cipher = cipher;
+	cipher->setkey(cc, key, keylen);
+	cipher->setiv(cc, iv, ivlen);
+}
+
+void
+cipher_encrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+{
+	if (len % cc->cipher->block_size)
+		fatal("cipher_encrypt: bad plaintext length %d", len);
+	cc->cipher->encrypt(cc, dest, src, len);
+}
+
+void
+cipher_decrypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
+{
+	if (len % cc->cipher->block_size)
+		fatal("cipher_decrypt: bad ciphertext length %d", len);
+	cc->cipher->decrypt(cc, dest, src, len);
+}
+
+/*
+ * Selects the cipher, and keys if by computing the MD5 checksum of the
+ * passphrase and using the resulting 16 bytes as the key.
+ */
+
+void
+cipher_set_key_string(CipherContext *cc, Cipher *cipher,
+    const char *passphrase)
+{
+	MD5_CTX md;
+	u_char digest[16];
+
+	MD5_Init(&md);
+	MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
+	MD5_Final(digest, &md);
+
+	cipher_init(cc, cipher, digest, 16, NULL, 0);
+
+	memset(digest, 0, sizeof(digest));
+	memset(&md, 0, sizeof(md));
+}
diff --git a/crypto/openssh/cipher.h b/crypto/openssh/cipher.h
new file mode 100644
index 0000000..870d1da
--- /dev/null
+++ b/crypto/openssh/cipher.h
@@ -0,0 +1,118 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* RCSID("$OpenBSD: cipher.h,v 1.25 2000/12/19 23:17:56 markus Exp $"); */
+/* RCSID("$FreeBSD$"); */
+
+#ifndef CIPHER_H
+#define CIPHER_H
+
+#include <openssl/des.h>
+#include <openssl/blowfish.h>
+#include <openssl/rc4.h>
+#include <openssl/cast.h>
+#include "rijndael.h"
+/*
+ * Cipher types for SSH-1.  New types can be added, but old types should not
+ * be removed for compatibility.  The maximum allowed value is 31.
+ */
+#define SSH_CIPHER_SSH2		-3
+#define SSH_CIPHER_ILLEGAL	-2	/* No valid cipher selected. */
+#define SSH_CIPHER_NOT_SET	-1	/* None selected (invalid number). */
+#define SSH_CIPHER_NONE		0	/* no encryption */
+#define SSH_CIPHER_IDEA		1	/* IDEA CFB */
+#define SSH_CIPHER_DES		2	/* DES CBC */
+#define SSH_CIPHER_3DES		3	/* 3DES CBC */
+#define SSH_CIPHER_BROKEN_TSS	4	/* TRI's Simple Stream encryption CBC */
+#define SSH_CIPHER_BROKEN_RC4	5	/* Alleged RC4 */
+#define SSH_CIPHER_BLOWFISH	6
+#define SSH_CIPHER_RESERVED	7
+#define SSH_CIPHER_MAX		31
+
+typedef struct Cipher Cipher;
+typedef struct CipherContext CipherContext;
+
+struct CipherContext {
+	union {
+		struct {
+			des_key_schedule key;
+			des_cblock iv;
+		}	des;
+		struct {
+			des_key_schedule key1;
+			des_key_schedule key2;
+			des_cblock iv2;
+			des_key_schedule key3;
+			des_cblock iv3;
+		}       des3;
+		struct {
+			struct bf_key_st key;
+			u_char iv[8];
+		}       bf;
+		struct {
+			CAST_KEY key;
+			u_char iv[8];
+		} cast;
+		struct {
+			u4byte iv[4];
+			rijndael_ctx enc;
+			rijndael_ctx dec;
+		} rijndael;
+		RC4_KEY rc4;
+	}       u;
+	Cipher *cipher;
+};
+struct Cipher {
+	char	*name;
+	int	number;		/* for ssh1 only */
+	u_int	block_size;
+	u_int	key_len;
+	void	(*setkey)(CipherContext *, const u_char *, u_int);
+	void	(*setiv)(CipherContext *, const u_char *, u_int);
+	void	(*encrypt)(CipherContext *, u_char *, const u_char *, u_int);
+	void	(*decrypt)(CipherContext *, u_char *, const u_char *, u_int);
+};
+
+u_int cipher_mask_ssh1(int client);
+Cipher *cipher_by_name(const char *name);
+Cipher *cipher_by_number(int id);
+int cipher_number(const char *name);
+char *cipher_name(int id);
+int ciphers_valid(const char *names);
+void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, const u_char *, u_int);
+void cipher_encrypt(CipherContext *context, u_char *dest, const u_char *src, u_int len);
+void cipher_decrypt(CipherContext *context, u_char *dest, const u_char *src, u_int len);
+void cipher_set_key_string(CipherContext *context, Cipher *cipher, const char *passphrase);
+
+#endif				/* CIPHER_H */
diff --git a/crypto/openssh/cli.c b/crypto/openssh/cli.c
new file mode 100644
index 0000000..8f0b2b8
--- /dev/null
+++ b/crypto/openssh/cli.c
@@ -0,0 +1,231 @@
+/*	$OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $");
+
+#include "xmalloc.h"
+#include "log.h"
+#include "cli.h"
+
+#include <vis.h>
+
+static int cli_input = -1;
+static int cli_output = -1;
+static int cli_from_stdin = 0;
+
+sigset_t oset;
+sigset_t nset;
+struct sigaction nsa;
+struct sigaction osa;
+struct termios ntio;
+struct termios otio;
+int echo_modified;
+
+volatile int intr;
+
+static int
+cli_open(int from_stdin)
+{
+	if (cli_input >= 0 && cli_output >= 0 && cli_from_stdin == from_stdin)
+		return 1;
+
+	if (from_stdin) {
+		if (!cli_from_stdin && cli_input >= 0) {
+			(void)close(cli_input);
+		}
+		cli_input = STDIN_FILENO;
+		cli_output = STDERR_FILENO;
+	} else {
+		cli_input = cli_output = open(_PATH_TTY, O_RDWR);
+		if (cli_input < 0)
+			fatal("You have no controlling tty.  Cannot read passphrase.");
+	}
+
+	cli_from_stdin = from_stdin;
+
+	return cli_input >= 0 && cli_output >= 0 && cli_from_stdin == from_stdin;
+}
+
+static void
+cli_close(void)
+{
+	if (!cli_from_stdin && cli_input >= 0)
+		close(cli_input);
+	cli_input = -1;
+	cli_output = -1;
+	cli_from_stdin = 0;
+	return;
+}
+
+void
+intrcatch(int sig)
+{
+	intr = 1;
+}
+
+static void
+cli_echo_disable(void)
+{
+	sigemptyset(&nset);
+	sigaddset(&nset, SIGTSTP);
+	(void) sigprocmask(SIG_BLOCK, &nset, &oset);
+
+	intr = 0;
+
+	memset(&nsa, 0, sizeof(nsa));
+	nsa.sa_handler = intrcatch;
+	(void) sigaction(SIGINT, &nsa, &osa);
+
+	echo_modified = 0;
+	if (tcgetattr(cli_input, &otio) == 0 && (otio.c_lflag & ECHO)) {
+		echo_modified = 1;
+		ntio = otio;
+		ntio.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
+		(void) tcsetattr(cli_input, TCSANOW, &ntio);
+	}
+	return;
+}
+
+static void
+cli_echo_restore(void)
+{
+	if (echo_modified != 0) {
+		tcsetattr(cli_input, TCSANOW, &otio);
+		echo_modified = 0;
+	}
+
+	(void) sigprocmask(SIG_SETMASK, &oset, NULL);
+	(void) sigaction(SIGINT, &osa, NULL);
+
+	if (intr != 0) {
+		kill(getpid(), SIGINT);
+		sigemptyset(&nset);
+		/* XXX tty has not neccessarily drained by now? */
+		sigsuspend(&nset);
+		intr = 0;
+	}
+	return;
+}
+
+static int
+cli_read(char* buf, int size, int echo)
+{
+	char ch = 0;
+	int i = 0;
+	int n;
+
+	if (!echo)
+		cli_echo_disable();
+
+	while (ch != '\n') {
+		n = read(cli_input, &ch, 1);
+		if (n == -1 && (errno == EAGAIN || errno == EINTR))
+			continue;
+		if (n != 1)
+			break;
+		if (ch == '\n' || intr != 0)
+			break;
+		if (i < size)
+			buf[i++] = ch;
+	}
+	buf[i] = '\0';
+
+	if (!echo)
+		cli_echo_restore();
+	if (!intr && !echo)
+		(void) write(cli_output, "\n", 1);
+	return i;
+}
+
+static int
+cli_write(char* buf, int size)
+{
+	int i, len, pos, ret = 0;
+	char *output, *p;
+
+	output = xmalloc(4*size);
+	for (p = output, i = 0; i < size; i++) {
+		if (buf[i] == '\n' || buf[i] == '\r')
+			*p++ = buf[i];
+		else
+			p = vis(p, buf[i], 0, 0);
+	}
+	len = p - output;
+
+	for (pos = 0; pos < len; pos += ret) {
+		ret = write(cli_output, output + pos, len - pos);
+		if (ret == -1) {
+			xfree(output);
+			return -1;
+		}
+	}
+	xfree(output);
+	return 0;
+}
+
+/*
+ * Presents a prompt and returns the response allocated with xmalloc().
+ * Uses /dev/tty or stdin/out depending on arg.  Optionally disables echo
+ * of response depending on arg.  Tries to ensure that no other userland
+ * buffer is storing the response.
+ */
+char*
+cli_read_passphrase(char* prompt, int from_stdin, int echo_enable)
+{
+	char	buf[BUFSIZ];
+	char*	p;
+
+	if (!cli_open(from_stdin))
+		fatal("Cannot read passphrase.");
+
+	fflush(stdout);
+
+	cli_write(prompt, strlen(prompt));
+	cli_read(buf, sizeof buf, echo_enable);
+
+	cli_close();
+
+	p = xstrdup(buf);
+	memset(buf, 0, sizeof(buf));
+	return (p);
+}
+
+char*
+cli_prompt(char* prompt, int echo_enable)
+{
+	return cli_read_passphrase(prompt, 0, echo_enable);
+}
+
+void
+cli_mesg(char* mesg)
+{
+	cli_open(0);
+	cli_write(mesg, strlen(mesg));
+	cli_write("\n", strlen("\n"));
+	cli_close();
+	return;
+}
diff --git a/crypto/openssh/cli.h b/crypto/openssh/cli.h
new file mode 100644
index 0000000..6f57c9b
--- /dev/null
+++ b/crypto/openssh/cli.h
@@ -0,0 +1,42 @@
+/*	$OpenBSD: cli.h,v 1.4 2001/03/01 03:38:33 deraadt Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $OpenBSD: cli.h,v 1.4 2001/03/01 03:38:33 deraadt Exp $ */
+
+#ifndef CLI_H
+#define CLI_H
+
+/*
+ * Presents a prompt and returns the response allocated with xmalloc().
+ * Uses /dev/tty or stdin/out depending on arg.  Optionally disables echo
+ * of response depending on arg.  Tries to ensure that no other userland
+ * buffer is storing the response.
+ */
+char *	cli_read_passphrase(char * prompt, int from_stdin, int echo_enable);
+char *	cli_prompt(char * prompt, int echo_enable);
+void	cli_mesg(char * mesg);
+
+#endif /* CLI_H */
diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c
new file mode 100644
index 0000000..369ffe4
--- /dev/null
+++ b/crypto/openssh/clientloop.c
@@ -0,0 +1,1252 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * The main loop for the interactive session (client side).
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
+ * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ *
+ * SSH2 support added by Markus Friedl.
+ * Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: clientloop.c,v 1.65 2001/04/20 07:17:51 djm Exp $");
+
+#include "ssh.h"
+#include "ssh1.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "packet.h"
+#include "buffer.h"
+#include "compat.h"
+#include "channels.h"
+#include "dispatch.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "key.h"
+#include "kex.h"
+#include "log.h"
+#include "readconf.h"
+#include "clientloop.h"
+#include "authfd.h"
+#include "atomicio.h"
+#include "sshtty.h"
+#include "misc.h"
+
+/* import options */
+extern Options options;
+
+/* Flag indicating that stdin should be redirected from /dev/null. */
+extern int stdin_null_flag;
+
+/*
+ * Name of the host we are connecting to.  This is the name given on the
+ * command line, or the HostName specified for the user-supplied name in a
+ * configuration file.
+ */
+extern char *host;
+
+/*
+ * Flag to indicate that we have received a window change signal which has
+ * not yet been processed.  This will cause a message indicating the new
+ * window size to be sent to the server a little later.  This is volatile
+ * because this is updated in a signal handler.
+ */
+static volatile int received_window_change_signal = 0;
+
+/* Flag indicating whether the user\'s terminal is in non-blocking mode. */
+static int in_non_blocking_mode = 0;
+
+/* Common data for the client loop code. */
+static int quit_pending;	/* Set to non-zero to quit the client loop. */
+static int escape_char;		/* Escape character. */
+static int escape_pending;	/* Last character was the escape character */
+static int last_was_cr;		/* Last character was a newline. */
+static int exit_status;		/* Used to store the exit status of the command. */
+static int stdin_eof;		/* EOF has been encountered on standard error. */
+static Buffer stdin_buffer;	/* Buffer for stdin data. */
+static Buffer stdout_buffer;	/* Buffer for stdout data. */
+static Buffer stderr_buffer;	/* Buffer for stderr data. */
+static u_long stdin_bytes, stdout_bytes, stderr_bytes;
+static u_int buffer_high;/* Soft max buffer size. */
+static int connection_in;	/* Connection to server (input). */
+static int connection_out;	/* Connection to server (output). */
+static int need_rekeying;	/* Set to non-zero if rekeying is requested. */
+static int session_closed = 0;	/* In SSH2: login session closed. */
+
+void	client_init_dispatch(void);
+int	session_ident = -1;
+
+/*XXX*/
+extern Kex *xxx_kex;
+
+/* Restores stdin to blocking mode. */
+
+void
+leave_non_blocking(void)
+{
+	if (in_non_blocking_mode) {
+		(void) fcntl(fileno(stdin), F_SETFL, 0);
+		in_non_blocking_mode = 0;
+		fatal_remove_cleanup((void (*) (void *)) leave_non_blocking, NULL);
+	}
+}
+
+/* Puts stdin terminal in non-blocking mode. */
+
+void
+enter_non_blocking(void)
+{
+	in_non_blocking_mode = 1;
+	(void) fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
+	fatal_add_cleanup((void (*) (void *)) leave_non_blocking, NULL);
+}
+
+/*
+ * Signal handler for the window change signal (SIGWINCH).  This just sets a
+ * flag indicating that the window has changed.
+ */
+
+void
+window_change_handler(int sig)
+{
+	received_window_change_signal = 1;
+	signal(SIGWINCH, window_change_handler);
+}
+
+/*
+ * Signal handler for signals that cause the program to terminate.  These
+ * signals must be trapped to restore terminal modes.
+ */
+
+void
+signal_handler(int sig)
+{
+	if (in_raw_mode())
+		leave_raw_mode();
+	if (in_non_blocking_mode)
+		leave_non_blocking();
+	channel_stop_listening();
+	packet_close();
+	fatal("Killed by signal %d.", sig);
+}
+
+/*
+ * Returns current time in seconds from Jan 1, 1970 with the maximum
+ * available resolution.
+ */
+
+double
+get_current_time(void)
+{
+	struct timeval tv;
+	gettimeofday(&tv, NULL);
+	return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
+}
+
+/*
+ * This is called when the interactive is entered.  This checks if there is
+ * an EOF coming on stdin.  We must check this explicitly, as select() does
+ * not appear to wake up when redirecting from /dev/null.
+ */
+
+void
+client_check_initial_eof_on_stdin(void)
+{
+	int len;
+	char buf[1];
+
+	/*
+	 * If standard input is to be "redirected from /dev/null", we simply
+	 * mark that we have seen an EOF and send an EOF message to the
+	 * server. Otherwise, we try to read a single character; it appears
+	 * that for some files, such /dev/null, select() never wakes up for
+	 * read for this descriptor, which means that we never get EOF.  This
+	 * way we will get the EOF if stdin comes from /dev/null or similar.
+	 */
+	if (stdin_null_flag) {
+		/* Fake EOF on stdin. */
+		debug("Sending eof.");
+		stdin_eof = 1;
+		packet_start(SSH_CMSG_EOF);
+		packet_send();
+	} else {
+		enter_non_blocking();
+
+		/* Check for immediate EOF on stdin. */
+		len = read(fileno(stdin), buf, 1);
+		if (len == 0) {
+			/* EOF.  Record that we have seen it and send EOF to server. */
+			debug("Sending eof.");
+			stdin_eof = 1;
+			packet_start(SSH_CMSG_EOF);
+			packet_send();
+		} else if (len > 0) {
+			/*
+			 * Got data.  We must store the data in the buffer,
+			 * and also process it as an escape character if
+			 * appropriate.
+			 */
+			if ((u_char) buf[0] == escape_char)
+				escape_pending = 1;
+			else
+				buffer_append(&stdin_buffer, buf, 1);
+		}
+		leave_non_blocking();
+	}
+}
+
+
+/*
+ * Make packets from buffered stdin data, and buffer them for sending to the
+ * connection.
+ */
+
+void
+client_make_packets_from_stdin_data(void)
+{
+	u_int len;
+
+	/* Send buffered stdin data to the server. */
+	while (buffer_len(&stdin_buffer) > 0 &&
+	       packet_not_very_much_data_to_write()) {
+		len = buffer_len(&stdin_buffer);
+		/* Keep the packets at reasonable size. */
+		if (len > packet_get_maxsize())
+			len = packet_get_maxsize();
+		packet_start(SSH_CMSG_STDIN_DATA);
+		packet_put_string(buffer_ptr(&stdin_buffer), len);
+		packet_send();
+		buffer_consume(&stdin_buffer, len);
+		stdin_bytes += len;
+		/* If we have a pending EOF, send it now. */
+		if (stdin_eof && buffer_len(&stdin_buffer) == 0) {
+			packet_start(SSH_CMSG_EOF);
+			packet_send();
+		}
+	}
+}
+
+/*
+ * Checks if the client window has changed, and sends a packet about it to
+ * the server if so.  The actual change is detected elsewhere (by a software
+ * interrupt on Unix); this just checks the flag and sends a message if
+ * appropriate.
+ */
+
+void
+client_check_window_change(void)
+{
+	struct winsize ws;
+
+	if (! received_window_change_signal)
+		return;
+	/** XXX race */
+	received_window_change_signal = 0;
+
+	if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
+		return;
+
+	debug2("client_check_window_change: changed");
+
+	if (compat20) {
+		channel_request_start(session_ident, "window-change", 0);
+		packet_put_int(ws.ws_col);
+		packet_put_int(ws.ws_row);
+		packet_put_int(ws.ws_xpixel);
+		packet_put_int(ws.ws_ypixel);
+		packet_send();
+	} else {
+		packet_start(SSH_CMSG_WINDOW_SIZE);
+		packet_put_int(ws.ws_row);
+		packet_put_int(ws.ws_col);
+		packet_put_int(ws.ws_xpixel);
+		packet_put_int(ws.ws_ypixel);
+		packet_send();
+	}
+}
+
+/*
+ * Waits until the client can do something (some data becomes available on
+ * one of the file descriptors).
+ */
+
+void
+client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
+    int *maxfdp, int rekeying)
+{
+	/* Add any selections by the channel mechanism. */
+	channel_prepare_select(readsetp, writesetp, maxfdp, rekeying);
+
+	if (!compat20) {
+		/* Read from the connection, unless our buffers are full. */
+		if (buffer_len(&stdout_buffer) < buffer_high &&
+		    buffer_len(&stderr_buffer) < buffer_high &&
+		    channel_not_very_much_buffered_data())
+			FD_SET(connection_in, *readsetp);
+		/*
+		 * Read from stdin, unless we have seen EOF or have very much
+		 * buffered data to send to the server.
+		 */
+		if (!stdin_eof && packet_not_very_much_data_to_write())
+			FD_SET(fileno(stdin), *readsetp);
+
+		/* Select stdout/stderr if have data in buffer. */
+		if (buffer_len(&stdout_buffer) > 0)
+			FD_SET(fileno(stdout), *writesetp);
+		if (buffer_len(&stderr_buffer) > 0)
+			FD_SET(fileno(stderr), *writesetp);
+	} else {
+		FD_SET(connection_in, *readsetp);
+	}
+
+	/* Select server connection if have data to write to the server. */
+	if (packet_have_data_to_write())
+		FD_SET(connection_out, *writesetp);
+
+	/*
+	 * Wait for something to happen.  This will suspend the process until
+	 * some selected descriptor can be read, written, or has some other
+	 * event pending. Note: if you want to implement SSH_MSG_IGNORE
+	 * messages to fool traffic analysis, this might be the place to do
+	 * it: just have a random timeout for the select, and send a random
+	 * SSH_MSG_IGNORE packet when the timeout expires.
+	 */
+
+	if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) {
+		char buf[100];
+
+		/*
+		 * We have to clear the select masks, because we return.
+		 * We have to return, because the mainloop checks for the flags
+		 * set by the signal handlers.
+		 */
+		memset(*readsetp, 0, *maxfdp);
+		memset(*writesetp, 0, *maxfdp);
+
+		if (errno == EINTR)
+			return;
+		/* Note: we might still have data in the buffers. */
+		snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno));
+		buffer_append(&stderr_buffer, buf, strlen(buf));
+		quit_pending = 1;
+	}
+}
+
+void
+client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
+{
+	struct winsize oldws, newws;
+
+	/* Flush stdout and stderr buffers. */
+	if (buffer_len(bout) > 0)
+		atomicio(write, fileno(stdout), buffer_ptr(bout), buffer_len(bout));
+	if (buffer_len(berr) > 0)
+		atomicio(write, fileno(stderr), buffer_ptr(berr), buffer_len(berr));
+
+	leave_raw_mode();
+
+	/*
+	 * Free (and clear) the buffer to reduce the amount of data that gets
+	 * written to swap.
+	 */
+	buffer_free(bin);
+	buffer_free(bout);
+	buffer_free(berr);
+
+	/* Save old window size. */
+	ioctl(fileno(stdin), TIOCGWINSZ, &oldws);
+
+	/* Send the suspend signal to the program itself. */
+	kill(getpid(), SIGTSTP);
+
+	/* Check if the window size has changed. */
+	if (ioctl(fileno(stdin), TIOCGWINSZ, &newws) >= 0 &&
+	    (oldws.ws_row != newws.ws_row ||
+	     oldws.ws_col != newws.ws_col ||
+	     oldws.ws_xpixel != newws.ws_xpixel ||
+	     oldws.ws_ypixel != newws.ws_ypixel))
+		received_window_change_signal = 1;
+
+	/* OK, we have been continued by the user. Reinitialize buffers. */
+	buffer_init(bin);
+	buffer_init(bout);
+	buffer_init(berr);
+
+	enter_raw_mode();
+}
+
+void
+client_process_net_input(fd_set * readset)
+{
+	int len;
+	char buf[8192];
+
+	/*
+	 * Read input from the server, and add any such data to the buffer of
+	 * the packet subsystem.
+	 */
+	if (FD_ISSET(connection_in, readset)) {
+		/* Read as much as possible. */
+		len = read(connection_in, buf, sizeof(buf));
+		if (len == 0) {
+			/* Received EOF.  The remote host has closed the connection. */
+			snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n",
+				 host);
+			buffer_append(&stderr_buffer, buf, strlen(buf));
+			quit_pending = 1;
+			return;
+		}
+		/*
+		 * There is a kernel bug on Solaris that causes select to
+		 * sometimes wake up even though there is no data available.
+		 */
+		if (len < 0 && (errno == EAGAIN || errno == EINTR))
+			len = 0;
+
+		if (len < 0) {
+			/* An error has encountered.  Perhaps there is a network problem. */
+			snprintf(buf, sizeof buf, "Read from remote host %.300s: %.100s\r\n",
+				 host, strerror(errno));
+			buffer_append(&stderr_buffer, buf, strlen(buf));
+			quit_pending = 1;
+			return;
+		}
+		packet_process_incoming(buf, len);
+	}
+}
+
+/* process the characters one by one */
+int
+process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len)
+{
+	char string[1024];
+	pid_t pid;
+	int bytes = 0;
+	u_int i;
+	u_char ch;
+	char *s;
+
+	for (i = 0; i < len; i++) {
+		/* Get one character at a time. */
+		ch = buf[i];
+
+		if (escape_pending) {
+			/* We have previously seen an escape character. */
+			/* Clear the flag now. */
+			escape_pending = 0;
+
+			/* Process the escaped character. */
+			switch (ch) {
+			case '.':
+				/* Terminate the connection. */
+				snprintf(string, sizeof string, "%c.\r\n", escape_char);
+				buffer_append(berr, string, strlen(string));
+
+				quit_pending = 1;
+				return -1;
+
+			case 'Z' - 64:
+				/* Suspend the program. */
+				/* Print a message to that effect to the user. */
+				snprintf(string, sizeof string, "%c^Z [suspend ssh]\r\n", escape_char);
+				buffer_append(berr, string, strlen(string));
+
+				/* Restore terminal modes and suspend. */
+				client_suspend_self(bin, bout, berr);
+
+				/* We have been continued. */
+				continue;
+
+			case 'R':
+				if (compat20) {
+					if (datafellows & SSH_BUG_NOREKEY)
+						log("Server does not support re-keying");
+					else
+						need_rekeying = 1;
+				}
+				continue;
+
+			case '&':
+				/* XXX does not work yet with proto 2 */
+				if (compat20)
+					continue;
+				/*
+				 * Detach the program (continue to serve connections,
+				 * but put in background and no more new connections).
+				 */
+				if (!stdin_eof) {
+					/*
+					 * Sending SSH_CMSG_EOF alone does not always appear
+					 * to be enough.  So we try to send an EOF character
+					 * first.
+					 */
+					packet_start(SSH_CMSG_STDIN_DATA);
+					packet_put_string("\004", 1);
+					packet_send();
+					/* Close stdin. */
+					stdin_eof = 1;
+					if (buffer_len(bin) == 0) {
+						packet_start(SSH_CMSG_EOF);
+						packet_send();
+					}
+				}
+				/* Restore tty modes. */
+				leave_raw_mode();
+
+				/* Stop listening for new connections. */
+				channel_stop_listening();
+
+				printf("%c& [backgrounded]\n", escape_char);
+
+				/* Fork into background. */
+				pid = fork();
+				if (pid < 0) {
+					error("fork: %.100s", strerror(errno));
+					continue;
+				}
+				if (pid != 0) {	/* This is the parent. */
+					/* The parent just exits. */
+					exit(0);
+				}
+				/* The child continues serving connections. */
+				continue; /*XXX ? */
+
+			case '?':
+				snprintf(string, sizeof string,
+"%c?\r\n\
+Supported escape sequences:\r\n\
+~.  - terminate connection\r\n\
+~R - Request rekey (SSH protocol 2 only)\r\n\
+~^Z - suspend ssh\r\n\
+~#  - list forwarded connections\r\n\
+~&  - background ssh (when waiting for connections to terminate)\r\n\
+~?  - this message\r\n\
+~~  - send the escape character by typing it twice\r\n\
+(Note that escapes are only recognized immediately after newline.)\r\n",
+					 escape_char);
+				buffer_append(berr, string, strlen(string));
+				continue;
+
+			case '#':
+				snprintf(string, sizeof string, "%c#\r\n", escape_char);
+				buffer_append(berr, string, strlen(string));
+				s = channel_open_message();
+				buffer_append(berr, s, strlen(s));
+				xfree(s);
+				continue;
+
+			default:
+				if (ch != escape_char) {
+					buffer_put_char(bin, escape_char);
+					bytes++;
+				}
+				/* Escaped characters fall through here */
+				break;
+			}
+		} else {
+			/*
+			 * The previous character was not an escape char. Check if this
+			 * is an escape.
+			 */
+			if (last_was_cr && ch == escape_char) {
+				/* It is. Set the flag and continue to next character. */
+				escape_pending = 1;
+				continue;
+			}
+		}
+
+		/*
+		 * Normal character.  Record whether it was a newline,
+		 * and append it to the buffer.
+		 */
+		last_was_cr = (ch == '\r' || ch == '\n');
+		buffer_put_char(bin, ch);
+		bytes++;
+	}
+	return bytes;
+}
+
+void
+client_process_input(fd_set * readset)
+{
+	int len;
+	char buf[8192];
+
+	/* Read input from stdin. */
+	if (FD_ISSET(fileno(stdin), readset)) {
+		/* Read as much as possible. */
+		len = read(fileno(stdin), buf, sizeof(buf));
+		if (len < 0 && (errno == EAGAIN || errno == EINTR))
+			return;		/* we'll try again later */
+		if (len <= 0) {
+			/*
+			 * Received EOF or error.  They are treated
+			 * similarly, except that an error message is printed
+			 * if it was an error condition.
+			 */
+			if (len < 0) {
+				snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno));
+				buffer_append(&stderr_buffer, buf, strlen(buf));
+			}
+			/* Mark that we have seen EOF. */
+			stdin_eof = 1;
+			/*
+			 * Send an EOF message to the server unless there is
+			 * data in the buffer.  If there is data in the
+			 * buffer, no message will be sent now.  Code
+			 * elsewhere will send the EOF when the buffer
+			 * becomes empty if stdin_eof is set.
+			 */
+			if (buffer_len(&stdin_buffer) == 0) {
+				packet_start(SSH_CMSG_EOF);
+				packet_send();
+			}
+		} else if (escape_char == -1) {
+			/*
+			 * Normal successful read, and no escape character.
+			 * Just append the data to buffer.
+			 */
+			buffer_append(&stdin_buffer, buf, len);
+		} else {
+			/*
+			 * Normal, successful read.  But we have an escape character
+			 * and have to process the characters one by one.
+			 */
+			if (process_escapes(&stdin_buffer, &stdout_buffer,
+			    &stderr_buffer, buf, len) == -1)
+				return;
+		}
+	}
+}
+
+void
+client_process_output(fd_set * writeset)
+{
+	int len;
+	char buf[100];
+
+	/* Write buffered output to stdout. */
+	if (FD_ISSET(fileno(stdout), writeset)) {
+		/* Write as much data as possible. */
+		len = write(fileno(stdout), buffer_ptr(&stdout_buffer),
+		    buffer_len(&stdout_buffer));
+		if (len <= 0) {
+			if (errno == EINTR || errno == EAGAIN)
+				len = 0;
+			else {
+				/*
+				 * An error or EOF was encountered.  Put an
+				 * error message to stderr buffer.
+				 */
+				snprintf(buf, sizeof buf, "write stdout: %.50s\r\n", strerror(errno));
+				buffer_append(&stderr_buffer, buf, strlen(buf));
+				quit_pending = 1;
+				return;
+			}
+		}
+		/* Consume printed data from the buffer. */
+		buffer_consume(&stdout_buffer, len);
+		stdout_bytes += len;
+	}
+	/* Write buffered output to stderr. */
+	if (FD_ISSET(fileno(stderr), writeset)) {
+		/* Write as much data as possible. */
+		len = write(fileno(stderr), buffer_ptr(&stderr_buffer),
+		    buffer_len(&stderr_buffer));
+		if (len <= 0) {
+			if (errno == EINTR || errno == EAGAIN)
+				len = 0;
+			else {
+				/* EOF or error, but can't even print error message. */
+				quit_pending = 1;
+				return;
+			}
+		}
+		/* Consume printed characters from the buffer. */
+		buffer_consume(&stderr_buffer, len);
+		stderr_bytes += len;
+	}
+}
+
+/*
+ * Get packets from the connection input buffer, and process them as long as
+ * there are packets available.
+ *
+ * Any unknown packets received during the actual
+ * session cause the session to terminate.  This is
+ * intended to make debugging easier since no
+ * confirmations are sent.  Any compatible protocol
+ * extensions must be negotiated during the
+ * preparatory phase.
+ */
+
+void
+client_process_buffered_input_packets(void)
+{
+	dispatch_run(DISPATCH_NONBLOCK, &quit_pending, compat20 ? xxx_kex : NULL);
+}
+
+/* scan buf[] for '~' before sending data to the peer */
+
+int
+simple_escape_filter(Channel *c, char *buf, int len)
+{
+	/* XXX we assume c->extended is writeable */
+	return process_escapes(&c->input, &c->output, &c->extended, buf, len);
+}
+
+void
+client_channel_closed(int id, void *arg)
+{
+	if (id != session_ident)
+		error("client_channel_closed: id %d != session_ident %d",
+		    id, session_ident);
+	session_closed = 1;
+	if (in_raw_mode())
+		leave_raw_mode();
+}
+
+/*
+ * Implements the interactive session with the server.  This is called after
+ * the user has been authenticated, and a command has been started on the
+ * remote host.  If escape_char != -1, it is the character used as an escape
+ * character for terminating or suspending the session.
+ */
+
+int
+client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+{
+	fd_set *readset = NULL, *writeset = NULL;
+	double start_time, total_time;
+	int max_fd = 0, len, rekeying = 0;
+	char buf[100];
+
+	debug("Entering interactive session.");
+
+	start_time = get_current_time();
+
+	/* Initialize variables. */
+	escape_pending = 0;
+	last_was_cr = 1;
+	exit_status = -1;
+	stdin_eof = 0;
+	buffer_high = 64 * 1024;
+	connection_in = packet_get_connection_in();
+	connection_out = packet_get_connection_out();
+	max_fd = MAX(connection_in, connection_out);
+
+	if (!compat20) {
+		/* enable nonblocking unless tty */
+		if (!isatty(fileno(stdin)))
+			set_nonblock(fileno(stdin));
+		if (!isatty(fileno(stdout)))
+			set_nonblock(fileno(stdout));
+		if (!isatty(fileno(stderr)))
+			set_nonblock(fileno(stderr));
+		max_fd = MAX(max_fd, fileno(stdin));
+		max_fd = MAX(max_fd, fileno(stdout));
+		max_fd = MAX(max_fd, fileno(stderr));
+	}
+	stdin_bytes = 0;
+	stdout_bytes = 0;
+	stderr_bytes = 0;
+	quit_pending = 0;
+	escape_char = escape_char_arg;
+
+	/* Initialize buffers. */
+	buffer_init(&stdin_buffer);
+	buffer_init(&stdout_buffer);
+	buffer_init(&stderr_buffer);
+
+	client_init_dispatch();
+
+	/* Set signal handlers to restore non-blocking mode.  */
+	signal(SIGINT, signal_handler);
+	signal(SIGQUIT, signal_handler);
+	signal(SIGTERM, signal_handler);
+	signal(SIGPIPE, SIG_IGN);
+	if (have_pty)
+		signal(SIGWINCH, window_change_handler);
+
+	if (have_pty)
+		enter_raw_mode();
+
+	if (compat20) {
+		session_ident = ssh2_chan_id;
+		if (escape_char != -1)
+			channel_register_filter(session_ident,
+			    simple_escape_filter);
+		if (session_ident != -1)
+			channel_register_cleanup(session_ident,
+			    client_channel_closed);
+	} else {
+		/* Check if we should immediately send eof on stdin. */
+		client_check_initial_eof_on_stdin();
+	}
+
+	/* Main loop of the client for the interactive session mode. */
+	while (!quit_pending) {
+
+		/* Process buffered packets sent by the server. */
+		client_process_buffered_input_packets();
+
+		if (compat20 && session_closed && !channel_still_open())
+			break;
+
+		rekeying = (xxx_kex != NULL && !xxx_kex->done);
+
+		if (rekeying) {
+			debug("rekeying in progress");
+		} else {
+			/*
+			 * Make packets of buffered stdin data, and buffer
+			 * them for sending to the server.
+			 */
+			if (!compat20)
+				client_make_packets_from_stdin_data();
+
+			/*
+			 * Make packets from buffered channel data, and
+			 * enqueue them for sending to the server.
+			 */
+			if (packet_not_very_much_data_to_write())
+				channel_output_poll();
+
+			/*
+			 * Check if the window size has changed, and buffer a
+			 * message about it to the server if so.
+			 */
+			client_check_window_change();
+
+			if (quit_pending)
+				break;
+		}
+		/*
+		 * Wait until we have something to do (something becomes
+		 * available on one of the descriptors).
+		 */
+		client_wait_until_can_do_something(&readset, &writeset,
+		    &max_fd, rekeying);
+
+		if (quit_pending)
+			break;
+
+		/* Do channel operations unless rekeying in progress. */
+		if (!rekeying) {
+			channel_after_select(readset, writeset);
+
+			if (need_rekeying) {
+				debug("user requests rekeying");
+				xxx_kex->done = 0;
+				kex_send_kexinit(xxx_kex);
+				need_rekeying = 0;
+			}
+		}
+
+		/* Buffer input from the connection.  */
+		client_process_net_input(readset);
+
+		if (quit_pending)
+			break;
+
+		if (!compat20) {
+			/* Buffer data from stdin */
+			client_process_input(readset);
+			/*
+			 * Process output to stdout and stderr.  Output to
+			 * the connection is processed elsewhere (above).
+			 */
+			client_process_output(writeset);
+		}
+
+		/* Send as much buffered packet data as possible to the sender. */
+		if (FD_ISSET(connection_out, writeset))
+			packet_write_poll();
+	}
+	if (readset)
+		xfree(readset);
+	if (writeset)
+		xfree(writeset);
+
+	/* Terminate the session. */
+
+	/* Stop watching for window change. */
+	if (have_pty)
+		signal(SIGWINCH, SIG_DFL);
+
+	/* Stop listening for connections. */
+	channel_stop_listening();
+
+	/*
+	 * In interactive mode (with pseudo tty) display a message indicating
+	 * that the connection has been closed.
+	 */
+	if (have_pty && options.log_level != SYSLOG_LEVEL_QUIET) {
+		snprintf(buf, sizeof buf, "Connection to %.64s closed.\r\n", host);
+		buffer_append(&stderr_buffer, buf, strlen(buf));
+	}
+	/* Output any buffered data for stdout. */
+	while (buffer_len(&stdout_buffer) > 0) {
+		len = write(fileno(stdout), buffer_ptr(&stdout_buffer),
+		    buffer_len(&stdout_buffer));
+		if (len <= 0) {
+			error("Write failed flushing stdout buffer.");
+			break;
+		}
+		buffer_consume(&stdout_buffer, len);
+		stdout_bytes += len;
+	}
+
+	/* Output any buffered data for stderr. */
+	while (buffer_len(&stderr_buffer) > 0) {
+		len = write(fileno(stderr), buffer_ptr(&stderr_buffer),
+		    buffer_len(&stderr_buffer));
+		if (len <= 0) {
+			error("Write failed flushing stderr buffer.");
+			break;
+		}
+		buffer_consume(&stderr_buffer, len);
+		stderr_bytes += len;
+	}
+
+	if (have_pty)
+		leave_raw_mode();
+
+	/* Clear and free any buffers. */
+	memset(buf, 0, sizeof(buf));
+	buffer_free(&stdin_buffer);
+	buffer_free(&stdout_buffer);
+	buffer_free(&stderr_buffer);
+
+	/* Report bytes transferred, and transfer rates. */
+	total_time = get_current_time() - start_time;
+	debug("Transferred: stdin %lu, stdout %lu, stderr %lu bytes in %.1f seconds",
+	      stdin_bytes, stdout_bytes, stderr_bytes, total_time);
+	if (total_time > 0)
+		debug("Bytes per second: stdin %.1f, stdout %.1f, stderr %.1f",
+		      stdin_bytes / total_time, stdout_bytes / total_time,
+		      stderr_bytes / total_time);
+
+	/* Return the exit status of the program. */
+	debug("Exit status %d", exit_status);
+	return exit_status;
+}
+
+/*********/
+
+void
+client_input_stdout_data(int type, int plen, void *ctxt)
+{
+	u_int data_len;
+	char *data = packet_get_string(&data_len);
+	packet_integrity_check(plen, 4 + data_len, type);
+	buffer_append(&stdout_buffer, data, data_len);
+	memset(data, 0, data_len);
+	xfree(data);
+}
+void
+client_input_stderr_data(int type, int plen, void *ctxt)
+{
+	u_int data_len;
+	char *data = packet_get_string(&data_len);
+	packet_integrity_check(plen, 4 + data_len, type);
+	buffer_append(&stderr_buffer, data, data_len);
+	memset(data, 0, data_len);
+	xfree(data);
+}
+void
+client_input_exit_status(int type, int plen, void *ctxt)
+{
+	packet_integrity_check(plen, 4, type);
+	exit_status = packet_get_int();
+	/* Acknowledge the exit. */
+	packet_start(SSH_CMSG_EXIT_CONFIRMATION);
+	packet_send();
+	/*
+	 * Must wait for packet to be sent since we are
+	 * exiting the loop.
+	 */
+	packet_write_wait();
+	/* Flag that we want to exit. */
+	quit_pending = 1;
+}
+
+Channel *
+client_request_forwarded_tcpip(const char *request_type, int rchan)
+{
+	Channel* c = NULL;
+	char *listen_address, *originator_address;
+	int listen_port, originator_port;
+	int sock, newch;
+
+	/* Get rest of the packet */
+	listen_address = packet_get_string(NULL);
+	listen_port = packet_get_int();
+	originator_address = packet_get_string(NULL);
+	originator_port = packet_get_int();
+	packet_done();
+
+	debug("client_request_forwarded_tcpip: listen %s port %d, originator %s port %d",
+	    listen_address, listen_port, originator_address, originator_port);
+
+	sock = channel_connect_by_listen_adress(listen_port);
+	if (sock >= 0) {
+		newch = channel_new("forwarded-tcpip",
+		    SSH_CHANNEL_CONNECTING, sock, sock, -1,
+		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
+		    xstrdup(originator_address), 1);
+		c = channel_lookup(newch);
+	}
+	xfree(originator_address);
+	xfree(listen_address);
+	return c;
+}
+
+Channel*
+client_request_x11(const char *request_type, int rchan)
+{
+	Channel *c = NULL;
+	char *originator;
+	int originator_port;
+	int sock, newch;
+
+	if (!options.forward_x11) {
+		error("Warning: ssh server tried X11 forwarding.");
+		error("Warning: this is probably a break in attempt by a malicious server.");
+		return NULL;
+	}
+	originator = packet_get_string(NULL);
+	if (datafellows & SSH_BUG_X11FWD) {
+		debug2("buggy server: x11 request w/o originator_port");
+		originator_port = 0;
+	} else {
+		originator_port = packet_get_int();
+	}
+	packet_done();
+	/* XXX check permission */
+	debug("client_request_x11: request from %s %d", originator,
+	    originator_port);
+	sock = x11_connect_display();
+	if (sock >= 0) {
+		newch = channel_new("x11",
+		    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+		    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0,
+		    xstrdup("x11"), 1);
+		c = channel_lookup(newch);
+	}
+	xfree(originator);
+	return c;
+}
+
+Channel*
+client_request_agent(const char *request_type, int rchan)
+{
+	Channel *c = NULL;
+	int sock, newch;
+
+	if (!options.forward_agent) {
+		error("Warning: ssh server tried agent forwarding.");
+		error("Warning: this is probably a break in attempt by a malicious server.");
+		return NULL;
+	}
+	sock =  ssh_get_authentication_socket();
+	if (sock >= 0) {
+		newch = channel_new("authentication agent connection",
+		    SSH_CHANNEL_OPEN, sock, sock, -1,
+		    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
+		    xstrdup("authentication agent connection"), 1);
+		c = channel_lookup(newch);
+	}
+	return c;
+}
+
+/* XXXX move to generic input handler */
+void
+client_input_channel_open(int type, int plen, void *ctxt)
+{
+	Channel *c = NULL;
+	char *ctype;
+	u_int len;
+	int rchan;
+	int rmaxpack;
+	int rwindow;
+
+	ctype = packet_get_string(&len);
+	rchan = packet_get_int();
+	rwindow = packet_get_int();
+	rmaxpack = packet_get_int();
+
+	debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
+	    ctype, rchan, rwindow, rmaxpack);
+
+	if (strcmp(ctype, "forwarded-tcpip") == 0) {
+		c = client_request_forwarded_tcpip(ctype, rchan);
+	} else if (strcmp(ctype, "x11") == 0) {
+		c = client_request_x11(ctype, rchan);
+	} else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
+		c = client_request_agent(ctype, rchan);
+	}
+/* XXX duplicate : */
+	if (c != NULL) {
+		debug("confirm %s", ctype);
+		c->remote_id = rchan;
+		c->remote_window = rwindow;
+		c->remote_maxpacket = rmaxpack;
+
+		packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
+		packet_put_int(c->remote_id);
+		packet_put_int(c->self);
+		packet_put_int(c->local_window);
+		packet_put_int(c->local_maxpacket);
+		packet_send();
+	} else {
+		debug("failure %s", ctype);
+		packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(rchan);
+		packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
+		packet_put_cstring("bla bla");
+		packet_put_cstring("");
+		packet_send();
+	}
+	xfree(ctype);
+}
+void
+client_input_channel_req(int type, int plen, void *ctxt)
+{
+	Channel *c = NULL;
+	int id, reply, success = 0;
+	char *rtype;
+
+	id = packet_get_int();
+	rtype = packet_get_string(NULL);
+	reply = packet_get_char();
+
+	debug("client_input_channel_req: channel %d rtype %s reply %d",
+	    id, rtype, reply);
+
+	if (session_ident == -1) {
+		error("client_input_channel_req: no channel %d", session_ident);
+	} else if (id != session_ident) {
+		error("client_input_channel_req: channel %d: wrong channel: %d",
+		    session_ident, id);
+	}
+	c = channel_lookup(id);
+	if (c == NULL) {
+		error("client_input_channel_req: channel %d: unknown channel", id);
+	} else if (strcmp(rtype, "exit-status") == 0) {
+		success = 1;
+		exit_status = packet_get_int();
+		packet_done();
+	}
+	if (reply) {
+		packet_start(success ?
+		    SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
+		packet_put_int(c->remote_id);
+		packet_send();
+	}
+	xfree(rtype);
+}
+
+void
+client_init_dispatch_20(void)
+{
+	dispatch_init(&dispatch_protocol_error);
+	dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
+	dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
+	dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
+	dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN, &client_input_channel_open);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
+	dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req);
+	dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
+
+	/* rekeying */
+	dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
+}
+void
+client_init_dispatch_13(void)
+{
+	dispatch_init(NULL);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation);
+	dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data);
+	dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
+	dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
+	dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
+	dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
+	dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
+	dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
+
+	dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
+	    &auth_input_open_request : &deny_input_open);
+	dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
+	    &x11_input_open : &deny_input_open);
+}
+void
+client_init_dispatch_15(void)
+{
+	client_init_dispatch_13();
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, & channel_input_oclose);
+}
+void
+client_init_dispatch(void)
+{
+	if (compat20)
+		client_init_dispatch_20();
+	else if (compat13)
+		client_init_dispatch_13();
+	else
+		client_init_dispatch_15();
+}
diff --git a/crypto/openssh/clientloop.h b/crypto/openssh/clientloop.h
new file mode 100644
index 0000000..ee40d87
--- /dev/null
+++ b/crypto/openssh/clientloop.h
@@ -0,0 +1,39 @@
+/*	$OpenBSD: clientloop.h,v 1.4 2001/02/06 22:43:02 markus Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* Client side main loop for the interactive session. */
+int     client_loop(int have_pty, int escape_char, int id);
diff --git a/crypto/openssh/compat.c b/crypto/openssh/compat.c
new file mode 100644
index 0000000..0fc3518
--- /dev/null
+++ b/crypto/openssh/compat.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$FreeBSD$");
+RCSID("$OpenBSD: compat.c,v 1.47 2001/04/18 23:43:25 markus Exp $");
+
+#include <regex.h>
+
+#include "packet.h"
+#include "xmalloc.h"
+#include "compat.h"
+#include "log.h"
+
+int compat13 = 0;
+int compat20 = 0;
+int datafellows = 0;
+
+void
+enable_compat20(void)
+{
+	verbose("Enabling compatibility mode for protocol 2.0");
+	compat20 = 1;
+}
+void
+enable_compat13(void)
+{
+	verbose("Enabling compatibility mode for protocol 1.3");
+	compat13 = 1;
+}
+/* datafellows bug compatibility */
+void
+compat_datafellows(const char *version)
+{
+	int i, ret;
+	char ebuf[1024];
+	regex_t reg;
+	static struct {
+		char	*pat;
+		int	bugs;
+	} check[] = {
+		{ "^OpenSSH[-_]2\\.[012]",
+					SSH_OLD_SESSIONID|SSH_BUG_BANNER|
+					SSH_OLD_DHGEX|SSH_BUG_NOREKEY },
+		{ "^OpenSSH_2\\.3\\.0", SSH_BUG_BANNER|SSH_BUG_BIGENDIANAES|
+					SSH_OLD_DHGEX|SSH_BUG_NOREKEY},
+		{ "^OpenSSH_2\\.3\\.",  SSH_BUG_BIGENDIANAES|SSH_OLD_DHGEX|
+					SSH_BUG_NOREKEY},
+		{ "^OpenSSH_2\\.5\\.[01]p1",
+					SSH_BUG_BIGENDIANAES|SSH_OLD_DHGEX|
+					SSH_BUG_NOREKEY },
+		{ "^OpenSSH_2\\.5\\.[012]",
+					SSH_OLD_DHGEX|SSH_BUG_NOREKEY },
+		{ "^OpenSSH_2\\.5\\.3",
+					SSH_BUG_NOREKEY },
+		{ "^OpenSSH",		0 },
+		{ "MindTerm",		0 },
+		{ "^2\\.1\\.0",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
+					SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE },
+		{ "^2\\.1 ",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
+					SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE },
+		{ "^2\\.0\\.1[3-9]",	SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
+					SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
+					SSH_BUG_PKOK|SSH_BUG_RSASIGMD5|
+					SSH_BUG_HBSERVICE },
+		{ "^2\\.0\\.",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
+					SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
+					SSH_BUG_PKAUTH|SSH_BUG_PKOK|
+					SSH_BUG_RSASIGMD5 },
+		{ "^2\\.[23]\\.0",	SSH_BUG_HMAC|SSH_BUG_RSASIGMD5 },
+		{ "^2\\.3\\.",		SSH_BUG_RSASIGMD5 },
+		{ "^2\\.[2-9]\\.",	0 },
+		{ "^2\\.4$",		SSH_OLD_SESSIONID },	/* Van Dyke */
+		{ "^3\\.0 SecureCRT",	SSH_OLD_SESSIONID },
+		{ "^1\\.7 SecureFX",	SSH_OLD_SESSIONID },
+		{ "^1\\.2\\.1[89]",	SSH_BUG_IGNOREMSG },
+		{ "^1\\.2\\.2[012]",	SSH_BUG_IGNOREMSG },
+		{ "^1\\.3\\.2",		SSH_BUG_IGNOREMSG },	/* f-secure */
+		{ "^SSH Compatible Server",			/* Netscreen */
+					SSH_BUG_PASSWORDPAD },
+		{ "^OSU_0",		SSH_BUG_PASSWORDPAD },
+		{ "^OSU_1\\.[0-4]",	SSH_BUG_PASSWORDPAD },
+		{ "^OSU_1\\.5alpha[1-3]",
+					SSH_BUG_PASSWORDPAD },
+		{ "^SSH_Version_Mapper",
+					SSH_BUG_SCANNER },
+		{ NULL,			0 }
+	};
+	/* process table, return first match */
+	for (i = 0; check[i].pat; i++) {
+		ret = regcomp(&reg, check[i].pat, REG_EXTENDED|REG_NOSUB);
+		if (ret != 0) {
+			regerror(ret, &reg, ebuf, sizeof(ebuf));
+			ebuf[sizeof(ebuf)-1] = '\0';
+			error("regerror: %s", ebuf);
+			continue;
+		}
+		ret = regexec(&reg, version, 0, NULL, 0);
+		regfree(&reg);
+		if (ret == 0) {
+			debug("match: %s pat %s", version, check[i].pat);
+			datafellows = check[i].bugs;
+			return;
+		}
+	}
+	debug("no match: %s", version);
+}
+
+#define	SEP	","
+int
+proto_spec(const char *spec)
+{
+	char *s, *p, *q;
+	int ret = SSH_PROTO_UNKNOWN;
+
+	if (spec == NULL)
+		return ret;
+	q = s = xstrdup(spec);
+	for ((p = strsep(&q, SEP)); p && *p != '\0'; (p = strsep(&q, SEP))) {
+		switch(atoi(p)) {
+		case 1:
+			if (ret == SSH_PROTO_UNKNOWN)
+				ret |= SSH_PROTO_1_PREFERRED;
+			ret |= SSH_PROTO_1;
+			break;
+		case 2:
+			ret |= SSH_PROTO_2;
+			break;
+		default:
+			log("ignoring bad proto spec: '%s'.", p);
+			break;
+		}
+	}
+	xfree(s);
+	return ret;
+}
+
+char *
+compat_cipher_proposal(char *cipher_prop)
+{
+	char *orig_prop, *fix_ciphers;
+	char *cp, *tmp;
+	size_t len;
+
+	if (!(datafellows & SSH_BUG_BIGENDIANAES))
+		return(cipher_prop);
+
+	len = strlen(cipher_prop) + 1;
+	fix_ciphers = xmalloc(len);
+	*fix_ciphers = '\0';
+	tmp = orig_prop = xstrdup(cipher_prop);
+	while((cp = strsep(&tmp, ",")) != NULL) {
+		if (strncmp(cp, "aes", 3) && strncmp(cp, "rijndael", 8)) {
+			if (*fix_ciphers)
+				strlcat(fix_ciphers, ",", len);
+			strlcat(fix_ciphers, cp, len);
+		}
+	}
+	xfree(orig_prop);
+	debug2("Original cipher proposal: %s", cipher_prop);
+	debug2("Compat cipher proposal: %s", fix_ciphers);
+	if (!*fix_ciphers)
+		fatal("No available ciphers found.");
+
+	return(fix_ciphers);
+}
diff --git a/crypto/openssh/compat.h b/crypto/openssh/compat.h
new file mode 100644
index 0000000..a13234c
--- /dev/null
+++ b/crypto/openssh/compat.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/* RCSID("$FreeBSD$"); */
+/* RCSID("$OpenBSD: compat.h,v 1.23 2001/04/12 19:15:24 markus Exp $"); */
+
+#ifndef COMPAT_H
+#define COMPAT_H
+
+#define	SSH_PROTO_UNKNOWN 	0x00
+#define	SSH_PROTO_1		0x01
+#define	SSH_PROTO_1_PREFERRED	0x02
+#define	SSH_PROTO_2		0x04
+
+#define SSH_BUG_SIGBLOB		0x0001
+#define SSH_BUG_PKSERVICE	0x0002
+#define SSH_BUG_HMAC		0x0004
+#define SSH_BUG_X11FWD		0x0008
+#define SSH_OLD_SESSIONID	0x0010
+#define SSH_BUG_PKAUTH		0x0020
+#define SSH_BUG_DEBUG		0x0040
+#define SSH_BUG_BANNER		0x0080
+#define SSH_BUG_IGNOREMSG	0x0100
+#define SSH_BUG_PKOK		0x0200
+#define SSH_BUG_PASSWORDPAD	0x0400
+#define SSH_BUG_SCANNER		0x0800
+#define SSH_BUG_BIGENDIANAES	0x1000
+#define SSH_BUG_RSASIGMD5	0x2000
+#define SSH_OLD_DHGEX		0x4000
+#define SSH_BUG_NOREKEY		0x8000
+#define SSH_BUG_HBSERVICE	0x10000
+
+void    enable_compat13(void);
+void    enable_compat20(void);
+void    compat_datafellows(const char *s);
+int	proto_spec(const char *spec);
+char	*compat_cipher_proposal(char *cipher_prop);
+extern int compat13;
+extern int compat20;
+extern int datafellows;
+#endif
diff --git a/crypto/openssh/compress.c b/crypto/openssh/compress.c
new file mode 100644
index 0000000..3e41b3d
--- /dev/null
+++ b/crypto/openssh/compress.c
@@ -0,0 +1,156 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Interface to packet compression for ssh.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: compress.c,v 1.14 2001/04/05 10:39:01 markus Exp $");
+
+#include "log.h"
+#include "buffer.h"
+#include "zlib.h"
+#include "compress.h"
+
+static z_stream incoming_stream;
+static z_stream outgoing_stream;
+static int compress_init_send_called = 0;
+static int compress_init_recv_called = 0;
+
+/*
+ * Initializes compression; level is compression level from 1 to 9
+ * (as in gzip).
+ */
+
+void
+buffer_compress_init_send(int level)
+{
+	if (compress_init_send_called == 1)
+		deflateEnd(&incoming_stream);
+	compress_init_send_called = 1;
+	debug("Enabling compression at level %d.", level);
+	if (level < 1 || level > 9)
+		fatal("Bad compression level %d.", level);
+	deflateInit(&outgoing_stream, level);
+}
+void
+buffer_compress_init_recv(void)
+{
+	if (compress_init_recv_called == 1)
+		inflateEnd(&incoming_stream);
+	compress_init_recv_called = 1;
+	inflateInit(&incoming_stream);
+}
+
+/* Frees any data structures allocated for compression. */
+
+void
+buffer_compress_uninit(void)
+{
+	debug("compress outgoing: raw data %lu, compressed %lu, factor %.2f",
+	      outgoing_stream.total_in, outgoing_stream.total_out,
+	      outgoing_stream.total_in == 0 ? 0.0 :
+	      (double) outgoing_stream.total_out / outgoing_stream.total_in);
+	debug("compress incoming: raw data %lu, compressed %lu, factor %.2f",
+	      incoming_stream.total_out, incoming_stream.total_in,
+	      incoming_stream.total_out == 0 ? 0.0 :
+	      (double) incoming_stream.total_in / incoming_stream.total_out);
+	if (compress_init_recv_called == 1)
+		inflateEnd(&incoming_stream);
+	if (compress_init_send_called == 1)
+		deflateEnd(&outgoing_stream);
+}
+
+/*
+ * Compresses the contents of input_buffer into output_buffer.  All packets
+ * compressed using this function will form a single compressed data stream;
+ * however, data will be flushed at the end of every call so that each
+ * output_buffer can be decompressed independently (but in the appropriate
+ * order since they together form a single compression stream) by the
+ * receiver.  This appends the compressed data to the output buffer.
+ */
+
+void
+buffer_compress(Buffer * input_buffer, Buffer * output_buffer)
+{
+	char buf[4096];
+	int status;
+
+	/* This case is not handled below. */
+	if (buffer_len(input_buffer) == 0)
+		return;
+
+	/* Input is the contents of the input buffer. */
+	outgoing_stream.next_in = (u_char *) buffer_ptr(input_buffer);
+	outgoing_stream.avail_in = buffer_len(input_buffer);
+
+	/* Loop compressing until deflate() returns with avail_out != 0. */
+	do {
+		/* Set up fixed-size output buffer. */
+		outgoing_stream.next_out = (u_char *)buf;
+		outgoing_stream.avail_out = sizeof(buf);
+
+		/* Compress as much data into the buffer as possible. */
+		status = deflate(&outgoing_stream, Z_PARTIAL_FLUSH);
+		switch (status) {
+		case Z_OK:
+			/* Append compressed data to output_buffer. */
+			buffer_append(output_buffer, buf,
+			    sizeof(buf) - outgoing_stream.avail_out);
+			break;
+		default:
+			fatal("buffer_compress: deflate returned %d", status);
+			/* NOTREACHED */
+		}
+	} while (outgoing_stream.avail_out == 0);
+}
+
+/*
+ * Uncompresses the contents of input_buffer into output_buffer.  All packets
+ * uncompressed using this function will form a single compressed data
+ * stream; however, data will be flushed at the end of every call so that
+ * each output_buffer.  This must be called for the same size units that the
+ * buffer_compress was called, and in the same order that buffers compressed
+ * with that.  This appends the uncompressed data to the output buffer.
+ */
+
+void
+buffer_uncompress(Buffer * input_buffer, Buffer * output_buffer)
+{
+	char buf[4096];
+	int status;
+
+	incoming_stream.next_in = (u_char *) buffer_ptr(input_buffer);
+	incoming_stream.avail_in = buffer_len(input_buffer);
+
+	for (;;) {
+		/* Set up fixed-size output buffer. */
+		incoming_stream.next_out = (u_char *) buf;
+		incoming_stream.avail_out = sizeof(buf);
+
+		status = inflate(&incoming_stream, Z_PARTIAL_FLUSH);
+		switch (status) {
+		case Z_OK:
+			buffer_append(output_buffer, buf,
+			    sizeof(buf) - incoming_stream.avail_out);
+			break;
+		case Z_BUF_ERROR:
+			/*
+			 * Comments in zlib.h say that we should keep calling
+			 * inflate() until we get an error.  This appears to
+			 * be the error that we get.
+			 */
+			return;
+		default:
+			fatal("buffer_uncompress: inflate returned %d", status);
+			/* NOTREACHED */
+		}
+	}
+}
diff --git a/crypto/openssh/compress.h b/crypto/openssh/compress.h
new file mode 100644
index 0000000..f90932a
--- /dev/null
+++ b/crypto/openssh/compress.h
@@ -0,0 +1,49 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Interface to packet compression for ssh.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: compress.h,v 1.8 2001/04/05 10:39:02 markus Exp $"); */
+
+#ifndef COMPRESS_H
+#define COMPRESS_H
+
+/*
+ * Initializes compression; level is compression level from 1 to 9 (as in
+ * gzip).
+ */
+void	buffer_compress_init_send(int level);
+void	buffer_compress_init_recv(void);
+
+/* Frees any data structures allocated by buffer_compress_init. */
+void    buffer_compress_uninit(void);
+
+/*
+ * Compresses the contents of input_buffer into output_buffer.  All packets
+ * compressed using this function will form a single compressed data stream;
+ * however, data will be flushed at the end of every call so that each
+ * output_buffer can be decompressed independently (but in the appropriate
+ * order since they together form a single compression stream) by the
+ * receiver.  This appends the compressed data to the output buffer.
+ */
+void    buffer_compress(Buffer * input_buffer, Buffer * output_buffer);
+
+/*
+ * Uncompresses the contents of input_buffer into output_buffer.  All packets
+ * uncompressed using this function will form a single compressed data
+ * stream; however, data will be flushed at the end of every call so that
+ * each output_buffer.  This must be called for the same size units that the
+ * buffer_compress was called, and in the same order that buffers compressed
+ * with that.  This appends the uncompressed data to the output buffer.
+ */
+void    buffer_uncompress(Buffer * input_buffer, Buffer * output_buffer);
+
+#endif				/* COMPRESS_H */
diff --git a/crypto/openssh/crc32.c b/crypto/openssh/crc32.c
new file mode 100644
index 0000000..4774c8b
--- /dev/null
+++ b/crypto/openssh/crc32.c
@@ -0,0 +1,114 @@
+/*
+ *  COPYRIGHT (C) 1986 Gary S. Brown.  You may use this program, or
+ *  code or tables extracted from it, as desired without restriction.
+ *
+ *  First, the polynomial itself and its table of feedback terms.  The
+ *  polynomial is
+ *  X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0
+ *
+ *  Note that we take it "backwards" and put the highest-order term in
+ *  the lowest-order bit.  The X^32 term is "implied"; the LSB is the
+ *  X^31 term, etc.  The X^0 term (usually shown as "+1") results in
+ *  the MSB being 1
+ *
+ *  Note that the usual hardware shift register implementation, which
+ *  is what we're using (we're merely optimizing it by doing eight-bit
+ *  chunks at a time) shifts bits into the lowest-order term.  In our
+ *  implementation, that means shifting towards the right.  Why do we
+ *  do it this way?  Because the calculated CRC must be transmitted in
+ *  order from highest-order term to lowest-order term.  UARTs transmit
+ *  characters in order from LSB to MSB.  By storing the CRC this way
+ *  we hand it to the UART in the order low-byte to high-byte; the UART
+ *  sends each low-bit to hight-bit; and the result is transmission bit
+ *  by bit from highest- to lowest-order term without requiring any bit
+ *  shuffling on our part.  Reception works similarly
+ *
+ *  The feedback terms table consists of 256, 32-bit entries.  Notes
+ *
+ *      The table can be generated at runtime if desired; code to do so
+ *      is shown later.  It might not be obvious, but the feedback
+ *      terms simply represent the results of eight shift/xor opera
+ *      tions for all combinations of data and CRC register values
+ *
+ *      The values must be right-shifted by eight bits by the "updcrc
+ *      logic; the shift must be u_(bring in zeroes).  On some
+ *      hardware you could probably optimize the shift in assembler by
+ *      using byte-swap instructions
+ *      polynomial $edb88320
+ */
+
+
+#include "includes.h"
+RCSID("$OpenBSD: crc32.c,v 1.8 2000/12/19 23:17:56 markus Exp $");
+
+#include "crc32.h"
+
+static u_int crc32_tab[] = {
+	0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
+	0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
+	0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
+	0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
+	0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
+	0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
+	0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
+	0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
+	0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
+	0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
+	0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
+	0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
+	0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
+	0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
+	0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
+	0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
+	0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
+	0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
+	0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
+	0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
+	0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
+	0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
+	0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
+	0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
+	0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
+	0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
+	0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
+	0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
+	0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
+	0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
+	0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
+	0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
+	0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
+	0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
+	0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
+	0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
+	0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
+	0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
+	0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
+	0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
+	0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
+	0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
+	0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
+	0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
+	0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
+	0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
+	0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
+	0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
+	0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
+	0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
+	0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
+	0x2d02ef8dL
+};
+
+/* Return a 32-bit CRC of the contents of the buffer. */
+
+u_int
+ssh_crc32(const u_char *s, u_int len)
+{
+	u_int i;
+	u_int crc32val;
+
+	crc32val = 0;
+	for (i = 0;  i < len;  i ++) {
+		crc32val = crc32_tab[(crc32val ^ s[i]) & 0xff] ^ (crc32val >> 8);
+	}
+	return crc32val;
+}
diff --git a/crypto/openssh/crc32.h b/crypto/openssh/crc32.h
new file mode 100644
index 0000000..c469a90
--- /dev/null
+++ b/crypto/openssh/crc32.h
@@ -0,0 +1,25 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1992 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Functions for computing 32-bit CRC.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: crc32.h,v 1.10 2001/03/02 18:54:31 deraadt Exp $"); */
+
+#ifndef CRC32_H
+#define CRC32_H
+
+/*
+ * This computes a 32 bit CRC of the data in the buffer, and returns the CRC.
+ * The polynomial used is 0xedb88320.
+ */
+u_int ssh_crc32(const u_char *buf, u_int len);
+
+#endif				/* CRC32_H */
diff --git a/crypto/openssh/deattack.c b/crypto/openssh/deattack.c
new file mode 100644
index 0000000..36023e0
--- /dev/null
+++ b/crypto/openssh/deattack.c
@@ -0,0 +1,156 @@
+/*	$OpenBSD: deattack.c,v 1.13 2001/03/01 02:45:10 deraadt Exp $	*/
+
+/*
+ * Cryptographic attack detector for ssh - source code
+ *
+ * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
+ *
+ * All rights reserved. Redistribution and use in source and binary
+ * forms, with or without modification, are permitted provided that
+ * this copyright notice is retained.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
+ * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
+ * SOFTWARE.
+ *
+ * Ariel Futoransky <futo@core-sdi.com>
+ * <http://www.core-sdi.com>
+ */
+
+#include "includes.h"
+#include "deattack.h"
+#include "log.h"
+#include "crc32.h"
+#include "getput.h"
+#include "xmalloc.h"
+
+/* SSH Constants */
+#define SSH_MAXBLOCKS	(32 * 1024)
+#define SSH_BLOCKSIZE	(8)
+
+/* Hashing constants */
+#define HASH_MINSIZE	(8 * 1024)
+#define HASH_ENTRYSIZE	(2)
+#define HASH_FACTOR(x)	((x)*3/2)
+#define HASH_UNUSEDCHAR	(0xff)
+#define HASH_UNUSED	(0xffff)
+#define HASH_IV     	(0xfffe)
+
+#define HASH_MINBLOCKS	(7*SSH_BLOCKSIZE)
+
+
+/* Hash function (Input keys are cipher results) */
+#define HASH(x)		GET_32BIT(x)
+
+#define CMP(a, b)	(memcmp(a, b, SSH_BLOCKSIZE))
+
+
+void
+crc_update(u_int32_t *a, u_int32_t b)
+{
+	b ^= *a;
+	*a = ssh_crc32((u_char *) &b, sizeof(b));
+}
+
+/* detect if a block is used in a particular pattern */
+int
+check_crc(u_char *S, u_char *buf, u_int32_t len,
+	  u_char *IV)
+{
+	u_int32_t crc;
+	u_char *c;
+
+	crc = 0;
+	if (IV && !CMP(S, IV)) {
+		crc_update(&crc, 1);
+		crc_update(&crc, 0);
+	}
+	for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
+		if (!CMP(S, c)) {
+			crc_update(&crc, 1);
+			crc_update(&crc, 0);
+		} else {
+			crc_update(&crc, 0);
+			crc_update(&crc, 0);
+		}
+	}
+	return (crc == 0);
+}
+
+
+/* Detect a crc32 compensation attack on a packet */
+int
+detect_attack(u_char *buf, u_int32_t len, u_char *IV)
+{
+	static u_int16_t *h = (u_int16_t *) NULL;
+	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+	register u_int32_t i, j;
+	u_int32_t l;
+	register u_char *c;
+	u_char *d;
+
+	if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
+	    len % SSH_BLOCKSIZE != 0) {
+		fatal("detect_attack: bad length %d", len);
+	}
+	for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
+		;
+
+	if (h == NULL) {
+		debug("Installing crc compensation attack detector.");
+		n = l;
+		h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
+	} else {
+		if (l > n) {
+			n = l;
+			h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
+		}
+	}
+
+	if (len <= HASH_MINBLOCKS) {
+		for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
+			if (IV && (!CMP(c, IV))) {
+				if ((check_crc(c, buf, len, IV)))
+					return (DEATTACK_DETECTED);
+				else
+					break;
+			}
+			for (d = buf; d < c; d += SSH_BLOCKSIZE) {
+				if (!CMP(c, d)) {
+					if ((check_crc(c, buf, len, IV)))
+						return (DEATTACK_DETECTED);
+					else
+						break;
+				}
+			}
+		}
+		return (DEATTACK_OK);
+	}
+	memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
+
+	if (IV)
+		h[HASH(IV) & (n - 1)] = HASH_IV;
+
+	for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
+		     i = (i + 1) & (n - 1)) {
+			if (h[i] == HASH_IV) {
+				if (!CMP(c, IV)) {
+					if (check_crc(c, buf, len, IV))
+						return (DEATTACK_DETECTED);
+					else
+						break;
+				}
+			} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
+				if (check_crc(c, buf, len, IV))
+					return (DEATTACK_DETECTED);
+				else
+					break;
+			}
+		}
+		h[i] = j;
+	}
+	return (DEATTACK_OK);
+}
diff --git a/crypto/openssh/deattack.h b/crypto/openssh/deattack.h
new file mode 100644
index 0000000..3907159
--- /dev/null
+++ b/crypto/openssh/deattack.h
@@ -0,0 +1,30 @@
+/*	$OpenBSD: deattack.h,v 1.5 2001/01/29 01:58:15 niklas Exp $	*/
+
+/*
+ * Cryptographic attack detector for ssh - Header file
+ *
+ * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
+ *
+ * All rights reserved. Redistribution and use in source and binary
+ * forms, with or without modification, are permitted provided that
+ * this copyright notice is retained.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
+ * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
+ * SOFTWARE.
+ *
+ * Ariel Futoransky <futo@core-sdi.com>
+ * <http://www.core-sdi.com>
+ */
+
+#ifndef _DEATTACK_H
+#define _DEATTACK_H
+
+/* Return codes */
+#define DEATTACK_OK		0
+#define DEATTACK_DETECTED	1
+
+int     detect_attack(u_char *buf, u_int32_t len, u_char IV[8]);
+#endif
diff --git a/crypto/openssh/dh.c b/crypto/openssh/dh.c
new file mode 100644
index 0000000..575522d
--- /dev/null
+++ b/crypto/openssh/dh.c
@@ -0,0 +1,294 @@
+/*
+ * Copyright (c) 2000 Niels Provos.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: dh.c,v 1.14 2001/04/15 08:43:45 markus Exp $");
+
+#include "xmalloc.h"
+
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/evp.h>
+
+#include "buffer.h"
+#include "cipher.h"
+#include "kex.h"
+#include "dh.h"
+#include "pathnames.h"
+#include "log.h"
+#include "misc.h"
+
+int
+parse_prime(int linenum, char *line, struct dhgroup *dhg)
+{
+	char *cp, *arg;
+	char *strsize, *gen, *prime;
+
+	cp = line;
+	arg = strdelim(&cp);
+	/* Ignore leading whitespace */
+	if (*arg == '\0')
+		arg = strdelim(&cp);
+	if (!*arg || *arg == '#')
+		return 0;
+
+	/* time */
+	if (cp == NULL || *arg == '\0')
+		goto fail;
+	arg = strsep(&cp, " "); /* type */
+	if (cp == NULL || *arg == '\0')
+		goto fail;
+	arg = strsep(&cp, " "); /* tests */
+	if (cp == NULL || *arg == '\0')
+		goto fail;
+	arg = strsep(&cp, " "); /* tries */
+	if (cp == NULL || *arg == '\0')
+		goto fail;
+	strsize = strsep(&cp, " "); /* size */
+	if (cp == NULL || *strsize == '\0' ||
+	    (dhg->size = atoi(strsize)) == 0)
+		goto fail;
+	/* The whole group is one bit larger */
+	dhg->size++;
+	gen = strsep(&cp, " "); /* gen */
+	if (cp == NULL || *gen == '\0')
+		goto fail;
+	prime = strsep(&cp, " "); /* prime */
+	if (cp != NULL || *prime == '\0')
+		goto fail;
+
+	dhg->g = BN_new();
+	dhg->p = BN_new();
+	if (BN_hex2bn(&dhg->g, gen) == 0)
+		goto failclean;
+
+	if (BN_hex2bn(&dhg->p, prime) == 0)
+		goto failclean;
+
+	if (BN_num_bits(dhg->p) != dhg->size)
+		goto failclean;
+
+	return (1);
+
+ failclean:
+	BN_free(dhg->g);
+	BN_free(dhg->p);
+ fail:
+	error("Bad prime description in line %d", linenum);
+	return (0);
+}
+
+DH *
+choose_dh(int min, int wantbits, int max)
+{
+	FILE *f;
+	char line[1024];
+	int best, bestcount, which;
+	int linenum;
+	struct dhgroup dhg;
+
+	f = fopen(_PATH_DH_PRIMES, "r");
+	if (!f) {
+		log("WARNING: %s does not exist, using old prime", _PATH_DH_PRIMES);
+		return (dh_new_group1());
+	}
+
+	linenum = 0;
+	best = bestcount = 0;
+	while (fgets(line, sizeof(line), f)) {
+		linenum++;
+		if (!parse_prime(linenum, line, &dhg))
+			continue;
+		BN_free(dhg.g);
+		BN_free(dhg.p);
+
+		if (dhg.size > max || dhg.size < min)
+			continue;
+
+		if ((dhg.size > wantbits && dhg.size < best) ||
+		    (dhg.size > best && best < wantbits)) {
+			best = dhg.size;
+			bestcount = 0;
+		}
+		if (dhg.size == best)
+			bestcount++;
+	}
+	fclose (f);
+
+	if (bestcount == 0) {
+		log("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
+		return (NULL);
+	}
+
+	f = fopen(_PATH_DH_PRIMES, "r");
+	if (!f) {
+		fatal("WARNING: %s disappeared, giving up", _PATH_DH_PRIMES);
+	}
+
+	linenum = 0;
+	which = arc4random() % bestcount;
+	while (fgets(line, sizeof(line), f)) {
+		if (!parse_prime(linenum, line, &dhg))
+			continue;
+		if ((dhg.size > max || dhg.size < min) ||
+		    dhg.size != best ||
+		    linenum++ != which) {
+			BN_free(dhg.g);
+			BN_free(dhg.p);
+			continue;
+		}
+		break;
+	}
+	fclose(f);
+	if (linenum != which+1)
+		fatal("WARNING: line %d disappeared in %s, giving up",
+		    which, _PATH_DH_PRIMES);
+
+	return (dh_new_group(dhg.g, dhg.p));
+}
+
+/* diffie-hellman-group1-sha1 */
+
+int
+dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
+{
+	int i;
+	int n = BN_num_bits(dh_pub);
+	int bits_set = 0;
+
+	if (dh_pub->neg) {
+		log("invalid public DH value: negativ");
+		return 0;
+	}
+	for (i = 0; i <= n; i++)
+		if (BN_is_bit_set(dh_pub, i))
+			bits_set++;
+	debug("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
+
+	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
+	if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
+		return 1;
+	log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
+	return 0;
+}
+
+void
+dh_gen_key(DH *dh, int need)
+{
+	int i, bits_set = 0, tries = 0;
+
+	if (dh->p == NULL)
+		fatal("dh_gen_key: dh->p == NULL");
+	if (2*need >= BN_num_bits(dh->p))
+		fatal("dh_gen_key: group too small: %d (2*need %d)",
+		    BN_num_bits(dh->p), 2*need);
+	do {
+		if (dh->priv_key != NULL)
+			BN_free(dh->priv_key);
+		dh->priv_key = BN_new();
+		if (dh->priv_key == NULL)
+			fatal("dh_gen_key: BN_new failed");
+		/* generate a 2*need bits random private exponent */
+		if (!BN_rand(dh->priv_key, 2*need, 0, 0))
+			fatal("dh_gen_key: BN_rand failed");
+		if (DH_generate_key(dh) == 0)
+			fatal("DH_generate_key");
+		for (i = 0; i <= BN_num_bits(dh->priv_key); i++)
+			if (BN_is_bit_set(dh->priv_key, i))
+				bits_set++;
+		debug("dh_gen_key: priv key bits set: %d/%d",
+		    bits_set, BN_num_bits(dh->priv_key));
+		if (tries++ > 10)
+			fatal("dh_gen_key: too many bad keys: giving up");
+	} while (!dh_pub_is_valid(dh, dh->pub_key));
+}
+
+DH *
+dh_new_group_asc(const char *gen, const char *modulus)
+{
+	DH *dh;
+
+	dh = DH_new();
+	if (dh == NULL)
+		fatal("DH_new");
+
+	if (BN_hex2bn(&dh->p, modulus) == 0)
+		fatal("BN_hex2bn p");
+	if (BN_hex2bn(&dh->g, gen) == 0)
+		fatal("BN_hex2bn g");
+
+	return (dh);
+}
+
+/*
+ * This just returns the group, we still need to generate the exchange
+ * value.
+ */
+
+DH *
+dh_new_group(BIGNUM *gen, BIGNUM *modulus)
+{
+	DH *dh;
+
+	dh = DH_new();
+	if (dh == NULL)
+		fatal("DH_new");
+	dh->p = modulus;
+	dh->g = gen;
+
+	return (dh);
+}
+
+DH *
+dh_new_group1(void)
+{
+	static char *gen = "2", *group1 =
+	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
+	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
+	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
+	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
+	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
+	    "FFFFFFFF" "FFFFFFFF";
+
+	return (dh_new_group_asc(gen, group1));
+}
+
+/*
+ * Estimates the group order for a Diffie-Hellman group that has an
+ * attack complexity approximately the same as O(2**bits).  Estimate
+ * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
+ */
+
+int
+dh_estimate(int bits)
+{
+
+	if (bits < 64)
+		return (512);	/* O(2**63) */
+	if (bits < 128)
+		return (1024);	/* O(2**86) */
+	if (bits < 192)
+		return (2048);	/* O(2**116) */
+	return (4096);		/* O(2**156) */
+}
diff --git a/crypto/openssh/dh.h b/crypto/openssh/dh.h
new file mode 100644
index 0000000..e8b2944
--- /dev/null
+++ b/crypto/openssh/dh.h
@@ -0,0 +1,48 @@
+/*	$OpenBSD: dh.h,v 1.5 2001/04/03 19:53:29 markus Exp $	*/
+
+/*
+ * Copyright (c) 2000 Niels Provos.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef DH_H
+#define DH_H
+
+struct dhgroup {
+	int size;
+	BIGNUM *g;
+	BIGNUM *p;
+};
+
+DH	*choose_dh(int min, int nbits, int max);
+DH	*dh_new_group_asc(const char *, const char *);
+DH	*dh_new_group(BIGNUM *, BIGNUM *);
+DH	*dh_new_group1(void);
+
+void	dh_gen_key(DH *, int);
+int	dh_pub_is_valid(DH *dh, BIGNUM *dh_pub);
+
+int	dh_estimate(int bits);
+
+#define DH_GRP_MIN	1024
+#define DH_GRP_MAX	8192
+
+#endif
diff --git a/crypto/openssh/dispatch.c b/crypto/openssh/dispatch.c
new file mode 100644
index 0000000..7168d1c
--- /dev/null
+++ b/crypto/openssh/dispatch.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$OpenBSD: dispatch.c,v 1.10 2001/02/18 18:33:53 markus Exp $");
+
+#include "ssh1.h"
+#include "ssh2.h"
+#include "log.h"
+#include "dispatch.h"
+#include "packet.h"
+#include "compat.h"
+
+#define DISPATCH_MIN	0
+#define DISPATCH_MAX	255
+
+dispatch_fn *dispatch[DISPATCH_MAX];
+
+void
+dispatch_protocol_error(int type, int plen, void *ctxt)
+{
+	error("Hm, dispatch protocol error: type %d plen %d", type, plen);
+	if (compat20 && type == SSH2_MSG_KEXINIT)
+		fatal("dispatch_protocol_error: rekeying is not supported");
+}
+void
+dispatch_init(dispatch_fn *dflt)
+{
+	int i;
+	for (i = 0; i < DISPATCH_MAX; i++)
+		dispatch[i] = dflt;
+}
+void
+dispatch_set(int type, dispatch_fn *fn)
+{
+	dispatch[type] = fn;
+}
+void
+dispatch_run(int mode, int *done, void *ctxt)
+{
+	for (;;) {
+		int plen;
+		int type;
+
+		if (mode == DISPATCH_BLOCK) {
+			type = packet_read(&plen);
+		} else {
+			type = packet_read_poll(&plen);
+			if (type == SSH_MSG_NONE)
+				return;
+		}
+		if (type > 0 && type < DISPATCH_MAX && dispatch[type] != NULL)
+			(*dispatch[type])(type, plen, ctxt);
+		else
+			packet_disconnect("protocol error: rcvd type %d", type);
+		if (done != NULL && *done)
+			return;
+	}
+}
diff --git a/crypto/openssh/dispatch.h b/crypto/openssh/dispatch.h
new file mode 100644
index 0000000..0bee03b
--- /dev/null
+++ b/crypto/openssh/dispatch.h
@@ -0,0 +1,36 @@
+/*	$OpenBSD: dispatch.h,v 1.4 2001/01/29 01:58:15 niklas Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+enum {
+	DISPATCH_BLOCK,
+	DISPATCH_NONBLOCK
+};
+
+typedef void dispatch_fn(int type, int plen, void *ctxt);
+
+void	dispatch_init(dispatch_fn *dflt);
+void	dispatch_set(int type, dispatch_fn *fn);
+void	dispatch_run(int mode, int *done, void *ctxt);
+void	dispatch_protocol_error(int type, int plen, void *ctxt);
diff --git a/crypto/openssh/getput.h b/crypto/openssh/getput.h
new file mode 100644
index 0000000..1a19d22
--- /dev/null
+++ b/crypto/openssh/getput.h
@@ -0,0 +1,58 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Macros for storing and retrieving data in msb first and lsb first order.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: getput.h,v 1.7 2001/01/10 22:56:22 markus Exp $"); */
+
+#ifndef GETPUT_H
+#define GETPUT_H
+
+/*------------ macros for storing/extracting msb first words -------------*/
+
+#define GET_64BIT(cp) (((u_int64_t)(u_char)(cp)[0] << 56) | \
+		       ((u_int64_t)(u_char)(cp)[1] << 48) | \
+		       ((u_int64_t)(u_char)(cp)[2] << 40) | \
+		       ((u_int64_t)(u_char)(cp)[3] << 32) | \
+		       ((u_int64_t)(u_char)(cp)[4] << 24) | \
+		       ((u_int64_t)(u_char)(cp)[5] << 16) | \
+		       ((u_int64_t)(u_char)(cp)[6] << 8) | \
+		       ((u_int64_t)(u_char)(cp)[7]))
+
+#define GET_32BIT(cp) (((u_long)(u_char)(cp)[0] << 24) | \
+		       ((u_long)(u_char)(cp)[1] << 16) | \
+		       ((u_long)(u_char)(cp)[2] << 8) | \
+		       ((u_long)(u_char)(cp)[3]))
+
+#define GET_16BIT(cp) (((u_long)(u_char)(cp)[0] << 8) | \
+		       ((u_long)(u_char)(cp)[1]))
+
+#define PUT_64BIT(cp, value) do { \
+  (cp)[0] = (value) >> 56; \
+  (cp)[1] = (value) >> 48; \
+  (cp)[2] = (value) >> 40; \
+  (cp)[3] = (value) >> 32; \
+  (cp)[4] = (value) >> 24; \
+  (cp)[5] = (value) >> 16; \
+  (cp)[6] = (value) >> 8; \
+  (cp)[7] = (value); } while (0)
+
+#define PUT_32BIT(cp, value) do { \
+  (cp)[0] = (value) >> 24; \
+  (cp)[1] = (value) >> 16; \
+  (cp)[2] = (value) >> 8; \
+  (cp)[3] = (value); } while (0)
+
+#define PUT_16BIT(cp, value) do { \
+  (cp)[0] = (value) >> 8; \
+  (cp)[1] = (value); } while (0)
+
+#endif				/* GETPUT_H */
diff --git a/crypto/openssh/groupaccess.c b/crypto/openssh/groupaccess.c
new file mode 100644
index 0000000..ac9e00ac
--- /dev/null
+++ b/crypto/openssh/groupaccess.c
@@ -0,0 +1,78 @@
+/*	$OpenBSD: groupaccess.c,v 1.3 2001/01/29 01:58:15 niklas Exp $	*/
+
+/*
+ * Copyright (c) 2001 Kevin Steves.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include "groupaccess.h"
+#include "xmalloc.h"
+#include "match.h"
+#include "log.h"
+
+static int ngroups;
+static char *groups_byname[NGROUPS_MAX + 1];	/* +1 for base/primary group */
+
+int
+ga_init(const char *user, gid_t base)
+{
+	gid_t groups_bygid[NGROUPS_MAX + 1];
+	int i, j;
+	struct group *gr;
+
+	if (ngroups > 0)
+		ga_free();
+
+	ngroups = sizeof(groups_bygid) / sizeof(gid_t);
+	if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
+		log("getgrouplist: groups list too small");
+	for (i = 0, j = 0; i < ngroups; i++)
+		if ((gr = getgrgid(groups_bygid[i])) != NULL)
+			groups_byname[j++] = xstrdup(gr->gr_name);
+	return (ngroups = j);
+}
+
+int
+ga_match(char * const *groups, int n)
+{
+	int i, j;
+
+	for (i = 0; i < ngroups; i++)
+		for (j = 0; j < n; j++)
+			if (match_pattern(groups_byname[i], groups[j]))
+				return 1;
+	return 0;
+}
+
+void
+ga_free(void)
+{
+	int i;
+
+	if (ngroups > 0) {
+		for (i = 0; i < ngroups; i++)
+			xfree(groups_byname[i]);
+		ngroups = 0;
+	}
+}
diff --git a/crypto/openssh/groupaccess.h b/crypto/openssh/groupaccess.h
new file mode 100644
index 0000000..b4e5e42
--- /dev/null
+++ b/crypto/openssh/groupaccess.h
@@ -0,0 +1,49 @@
+/*	$OpenBSD: groupaccess.h,v 1.2 2001/01/29 01:58:15 niklas Exp $	*/
+
+/*
+ * Copyright (c) 2001 Kevin Steves.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef GROUPACCESS_H
+#define GROUPACCESS_H
+
+#include <grp.h>
+
+/*
+ * Initialize group access list for user with primary (base) and
+ * supplementary groups.  Return the number of groups in the list.
+ */
+int ga_init(const char *user, gid_t base);
+
+/*
+ * Return 1 if one of user's groups is contained in groups.
+ * Return 0 otherwise.  Use match_pattern() for string comparison.
+ */
+int ga_match(char * const *groups, int ngroups);
+
+/*
+ * Free memory allocated for group access list.
+ */
+void ga_free(void);
+
+#endif
diff --git a/crypto/openssh/hostfile.c b/crypto/openssh/hostfile.c
new file mode 100644
index 0000000..fa70d7e
--- /dev/null
+++ b/crypto/openssh/hostfile.c
@@ -0,0 +1,216 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Functions for manipulating the known hosts files.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
+ * Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+ * Copyright (c) 1999 Niels Provos.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: hostfile.c,v 1.26 2001/04/12 19:15:24 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "packet.h"
+#include "match.h"
+#include "key.h"
+#include "hostfile.h"
+#include "log.h"
+
+/*
+ * Parses an RSA (number of bits, e, n) or DSA key from a string.  Moves the
+ * pointer over the key.  Skips any whitespace at the beginning and at end.
+ */
+
+int
+hostfile_read_key(char **cpp, u_int *bitsp, Key *ret)
+{
+	char *cp;
+
+	/* Skip leading whitespace. */
+	for (cp = *cpp; *cp == ' ' || *cp == '\t'; cp++)
+		;
+
+	if (key_read(ret, &cp) != 1)
+		return 0;
+
+	/* Skip trailing whitespace. */
+	for (; *cp == ' ' || *cp == '\t'; cp++)
+		;
+
+	/* Return results. */
+	*cpp = cp;
+	*bitsp = key_size(ret);
+	return 1;
+}
+
+int
+auth_rsa_read_key(char **cpp, u_int *bitsp, BIGNUM * e, BIGNUM * n)
+{
+	Key *k = key_new(KEY_RSA1);
+	int ret = hostfile_read_key(cpp, bitsp, k);
+	BN_copy(e, k->rsa->e);
+	BN_copy(n, k->rsa->n);
+	key_free(k);
+	return ret;
+}
+
+int
+hostfile_check_key(int bits, Key *key, const char *host, const char *filename, int linenum)
+{
+	if (key == NULL || key->type != KEY_RSA1 || key->rsa == NULL)
+		return 1;
+	if (bits != BN_num_bits(key->rsa->n)) {
+		log("Warning: %s, line %d: keysize mismatch for host %s: "
+		    "actual %d vs. announced %d.",
+		    filename, linenum, host, BN_num_bits(key->rsa->n), bits);
+		log("Warning: replace %d with %d in %s, line %d.",
+		    bits, BN_num_bits(key->rsa->n), filename, linenum);
+	}
+	return 1;
+}
+
+/*
+ * Checks whether the given host (which must be in all lowercase) is already
+ * in the list of our known hosts. Returns HOST_OK if the host is known and
+ * has the specified key, HOST_NEW if the host is not known, and HOST_CHANGED
+ * if the host is known but used to have a different host key.
+ */
+
+HostStatus
+check_host_in_hostfile(const char *filename, const char *host, Key *key,
+    Key *found, int *numret)
+{
+	FILE *f;
+	char line[8192];
+	int linenum = 0;
+	u_int kbits;
+	char *cp, *cp2;
+	HostStatus end_return;
+
+	debug3("check_host_in_hostfile: filename %s", filename);
+	if (key == NULL)
+		fatal("no key to look up");
+	/* Open the file containing the list of known hosts. */
+	f = fopen(filename, "r");
+	if (!f)
+		return HOST_NEW;
+
+	/*
+	 * Return value when the loop terminates.  This is set to
+	 * HOST_CHANGED if we have seen a different key for the host and have
+	 * not found the proper one.
+	 */
+	end_return = HOST_NEW;
+
+	/* Go through the file. */
+	while (fgets(line, sizeof(line), f)) {
+		cp = line;
+		linenum++;
+
+		/* Skip any leading whitespace, comments and empty lines. */
+		for (; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (!*cp || *cp == '#' || *cp == '\n')
+			continue;
+
+		/* Find the end of the host name portion. */
+		for (cp2 = cp; *cp2 && *cp2 != ' ' && *cp2 != '\t'; cp2++)
+			;
+
+		/* Check if the host name matches. */
+		if (match_hostname(host, cp, (u_int) (cp2 - cp)) != 1)
+			continue;
+
+		/* Got a match.  Skip host name. */
+		cp = cp2;
+
+		/*
+		 * Extract the key from the line.  This will skip any leading
+		 * whitespace.  Ignore badly formatted lines.
+		 */
+		if (!hostfile_read_key(&cp, &kbits, found))
+			continue;
+		if (!hostfile_check_key(kbits, found, host, filename, linenum))
+			continue;
+
+		if (numret != NULL)
+			*numret = linenum;
+
+		/* Check if the current key is the same as the given key. */
+		if (key_equal(key, found)) {
+			/* Ok, they match. */
+			debug3("check_host_in_hostfile: match line %d", linenum);
+			fclose(f);
+			return HOST_OK;
+		}
+		/*
+		 * They do not match.  We will continue to go through the
+		 * file; however, we note that we will not return that it is
+		 * new.
+		 */
+		end_return = HOST_CHANGED;
+	}
+	/* Clear variables and close the file. */
+	fclose(f);
+
+	/*
+	 * Return either HOST_NEW or HOST_CHANGED, depending on whether we
+	 * saw a different key for the host.
+	 */
+	return end_return;
+}
+
+/*
+ * Appends an entry to the host file.  Returns false if the entry could not
+ * be appended.
+ */
+
+int
+add_host_to_hostfile(const char *filename, const char *host, Key *key)
+{
+	FILE *f;
+	int success = 0;
+	if (key == NULL)
+		return 1;	/* XXX ? */
+	f = fopen(filename, "a");
+	if (!f)
+		return 0;
+	fprintf(f, "%s ", host);
+	if (key_write(key, f)) {
+		success = 1;
+	} else {
+		error("add_host_to_hostfile: saving key in %s failed", filename);
+	}
+	fprintf(f, "\n");
+	fclose(f);
+	return success;
+}
diff --git a/crypto/openssh/hostfile.h b/crypto/openssh/hostfile.h
new file mode 100644
index 0000000..346bcd9
--- /dev/null
+++ b/crypto/openssh/hostfile.h
@@ -0,0 +1,40 @@
+/*	$OpenBSD: hostfile.h,v 1.7 2001/02/08 19:30:51 itojun Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+#ifndef HOSTFILE_H
+#define HOSTFILE_H
+
+int
+auth_rsa_read_key(char **cpp, u_int *bitsp, BIGNUM * e, BIGNUM * n);
+
+/*
+ * Checks whether the given host is already in the list of our known hosts.
+ * Returns HOST_OK if the host is known and has the specified key, HOST_NEW
+ * if the host is not known, and HOST_CHANGED if the host is known but used
+ * to have a different host key.  The host must be in all lowercase.
+ */
+typedef enum {
+	HOST_OK, HOST_NEW, HOST_CHANGED
+}       HostStatus;
+
+HostStatus
+check_host_in_hostfile(const char *filename, const char *host, Key *key,
+    Key *found, int *line);
+
+/*
+ * Appends an entry to the host file.  Returns false if the entry could not
+ * be appended.
+ */
+int	add_host_to_hostfile(const char *filename, const char *host, Key *key);
+
+#endif
diff --git a/crypto/openssh/includes.h b/crypto/openssh/includes.h
new file mode 100644
index 0000000..8cf76f4
--- /dev/null
+++ b/crypto/openssh/includes.h
@@ -0,0 +1,73 @@
+/*	$OpenBSD: includes.h,v 1.14 2001/01/29 01:58:16 niklas Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * This file includes most of the needed system headers.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * $FreeBSD$
+ */
+
+#ifndef INCLUDES_H
+#define INCLUDES_H
+
+#define RCSID(msg) __RCSID(msg)
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/select.h>
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/un.h>
+#include <sys/resource.h>
+#include <machine/endian.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/tcp.h>
+#include <netinet/ip.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <stdio.h>
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <termios.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <pwd.h>
+#include <grp.h>
+#include <unistd.h>
+#include <time.h>
+#include <paths.h>
+#include <dirent.h>
+
+#include "version.h"
+
+/* Define this to be the path of the xauth program. */
+#ifndef XAUTH_PATH
+#define XAUTH_PATH "/usr/X11R6/bin/xauth"
+#endif
+
+/*
+ * Define this to use pipes instead of socketpairs for communicating with the
+ * client program.  Socketpairs do not seem to work on all systems.
+ * Although pipes are bi-directional in FreeBSD, using pipes here will
+ * make <stdin> uni-directional !
+ */
+/* #define USE_PIPES 1 */
+
+#endif				/* INCLUDES_H */
diff --git a/crypto/openssh/kex.c b/crypto/openssh/kex.c
new file mode 100644
index 0000000..69ba102
--- /dev/null
+++ b/crypto/openssh/kex.c
@@ -0,0 +1,453 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: kex.c,v 1.33 2001/04/05 10:42:50 markus Exp $");
+
+#include <openssl/crypto.h>
+
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "packet.h"
+#include "compat.h"
+#include "cipher.h"
+#include "kex.h"
+#include "key.h"
+#include "log.h"
+#include "mac.h"
+#include "match.h"
+#include "dispatch.h"
+
+#define KEX_COOKIE_LEN	16
+
+void	kex_kexinit_finish(Kex *kex);
+void	kex_choose_conf(Kex *k);
+
+/* put algorithm proposal into buffer */
+void
+kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
+{
+	u_int32_t rand = 0;
+	int i;
+
+	buffer_clear(b);
+	for (i = 0; i < KEX_COOKIE_LEN; i++) {
+		if (i % 4 == 0)
+			rand = arc4random();
+		buffer_put_char(b, rand & 0xff);
+		rand >>= 8;
+	}
+	for (i = 0; i < PROPOSAL_MAX; i++)
+		buffer_put_cstring(b, proposal[i]);
+	buffer_put_char(b, 0);			/* first_kex_packet_follows */
+	buffer_put_int(b, 0);			/* uint32 reserved */
+}
+
+/* parse buffer and return algorithm proposal */
+char **
+kex_buf2prop(Buffer *raw)
+{
+	Buffer b;
+	int i;
+	char **proposal;
+
+	proposal = xmalloc(PROPOSAL_MAX * sizeof(char *));
+
+	buffer_init(&b);
+	buffer_append(&b, buffer_ptr(raw), buffer_len(raw));
+	/* skip cookie */
+	for (i = 0; i < KEX_COOKIE_LEN; i++)
+		buffer_get_char(&b);
+	/* extract kex init proposal strings */
+	for (i = 0; i < PROPOSAL_MAX; i++) {
+		proposal[i] = buffer_get_string(&b,NULL);
+		debug2("kex_parse_kexinit: %s", proposal[i]);
+	}
+	/* first kex follows / reserved */
+	i = buffer_get_char(&b);
+	debug2("kex_parse_kexinit: first_kex_follows %d ", i);
+	i = buffer_get_int(&b);
+	debug2("kex_parse_kexinit: reserved %d ", i);
+	buffer_free(&b);
+	return proposal;
+}
+
+void
+kex_prop_free(char **proposal)
+{
+	int i;
+
+	for (i = 0; i < PROPOSAL_MAX; i++)
+		xfree(proposal[i]);
+	xfree(proposal);
+}
+
+void
+kex_protocol_error(int type, int plen, void *ctxt)
+{
+	error("Hm, kex protocol error: type %d plen %d", type, plen);
+}
+
+void
+kex_clear_dispatch(void)
+{
+	int i;
+
+	/* Numbers 30-49 are used for kex packets */
+	for (i = 30; i <= 49; i++)
+		dispatch_set(i, &kex_protocol_error);
+}
+
+void
+kex_finish(Kex *kex)
+{
+	int plen;
+
+	kex_clear_dispatch();
+
+	packet_start(SSH2_MSG_NEWKEYS);
+	packet_send();
+	/* packet_write_wait(); */
+	debug("SSH2_MSG_NEWKEYS sent");
+
+	debug("waiting for SSH2_MSG_NEWKEYS");
+	packet_read_expect(&plen, SSH2_MSG_NEWKEYS);
+	debug("SSH2_MSG_NEWKEYS received");
+
+	kex->done = 1;
+	buffer_clear(&kex->peer);
+	/* buffer_clear(&kex->my); */
+	kex->flags &= ~KEX_INIT_SENT;
+	xfree(kex->name);
+	kex->name = NULL;
+}
+
+void
+kex_send_kexinit(Kex *kex)
+{
+	if (kex == NULL) {
+		error("kex_send_kexinit: no kex, cannot rekey");
+		return;
+	}
+	if (kex->flags & KEX_INIT_SENT) {
+		debug("KEX_INIT_SENT");
+		return;
+	}
+	kex->done = 0;
+	packet_start(SSH2_MSG_KEXINIT);
+	packet_put_raw(buffer_ptr(&kex->my), buffer_len(&kex->my));
+	packet_send();
+	debug("SSH2_MSG_KEXINIT sent");
+	kex->flags |= KEX_INIT_SENT;
+}
+
+void
+kex_input_kexinit(int type, int plen, void *ctxt)
+{
+	char *ptr;
+	int dlen;
+	int i;
+	Kex *kex = (Kex *)ctxt;
+
+	debug("SSH2_MSG_KEXINIT received");
+	if (kex == NULL)
+		fatal("kex_input_kexinit: no kex, cannot rekey");
+
+	ptr = packet_get_raw(&dlen);
+	buffer_append(&kex->peer, ptr, dlen);
+
+	/* discard packet */
+	for (i = 0; i < KEX_COOKIE_LEN; i++)
+		packet_get_char();
+	for (i = 0; i < PROPOSAL_MAX; i++)
+		xfree(packet_get_string(NULL));
+	packet_get_char();
+	packet_get_int();
+	packet_done();
+
+	kex_kexinit_finish(kex);
+}
+
+Kex *
+kex_setup(char *proposal[PROPOSAL_MAX])
+{
+	Kex *kex;
+
+	kex = xmalloc(sizeof(*kex));
+	memset(kex, 0, sizeof(*kex));
+	buffer_init(&kex->peer);
+	buffer_init(&kex->my);
+	kex_prop2buf(&kex->my, proposal);
+	kex->done = 0;
+
+	kex_send_kexinit(kex);					/* we start */
+	kex_clear_dispatch();
+	dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
+
+	return kex;
+}
+
+void
+kex_kexinit_finish(Kex *kex)
+{
+	if (!(kex->flags & KEX_INIT_SENT))
+		kex_send_kexinit(kex);
+
+	kex_choose_conf(kex);
+
+	switch(kex->kex_type) {
+	case DH_GRP1_SHA1:
+		kexdh(kex);
+		break;
+	case DH_GEX_SHA1:
+		kexgex(kex);
+		break;
+	default:
+		fatal("Unsupported key exchange %d", kex->kex_type);
+	}
+}
+
+void
+choose_enc(Enc *enc, char *client, char *server)
+{
+	char *name = match_list(client, server, NULL);
+	if (name == NULL)
+		fatal("no matching cipher found: client %s server %s", client, server);
+	enc->cipher = cipher_by_name(name);
+	if (enc->cipher == NULL)
+		fatal("matching cipher is not supported: %s", name);
+	enc->name = name;
+	enc->enabled = 0;
+	enc->iv = NULL;
+	enc->key = NULL;
+}
+void
+choose_mac(Mac *mac, char *client, char *server)
+{
+	char *name = match_list(client, server, NULL);
+	if (name == NULL)
+		fatal("no matching mac found: client %s server %s", client, server);
+	if (mac_init(mac, name) < 0)
+		fatal("unsupported mac %s", name);
+	/* truncate the key */
+	if (datafellows & SSH_BUG_HMAC)
+		mac->key_len = 16;
+	mac->name = name;
+	mac->key = NULL;
+	mac->enabled = 0;
+}
+void
+choose_comp(Comp *comp, char *client, char *server)
+{
+	char *name = match_list(client, server, NULL);
+	if (name == NULL)
+		fatal("no matching comp found: client %s server %s", client, server);
+	if (strcmp(name, "zlib") == 0) {
+		comp->type = 1;
+	} else if (strcmp(name, "none") == 0) {
+		comp->type = 0;
+	} else {
+		fatal("unsupported comp %s", name);
+	}
+	comp->name = name;
+}
+void
+choose_kex(Kex *k, char *client, char *server)
+{
+	k->name = match_list(client, server, NULL);
+	if (k->name == NULL)
+		fatal("no kex alg");
+	if (strcmp(k->name, KEX_DH1) == 0) {
+		k->kex_type = DH_GRP1_SHA1;
+	} else if (strcmp(k->name, KEX_DHGEX) == 0) {
+		k->kex_type = DH_GEX_SHA1;
+	} else
+		fatal("bad kex alg %s", k->name);
+}
+void
+choose_hostkeyalg(Kex *k, char *client, char *server)
+{
+	char *hostkeyalg = match_list(client, server, NULL);
+	if (hostkeyalg == NULL)
+		fatal("no hostkey alg");
+	k->hostkey_type = key_type_from_name(hostkeyalg);
+	if (k->hostkey_type == KEY_UNSPEC)
+		fatal("bad hostkey alg '%s'", hostkeyalg);
+	xfree(hostkeyalg);
+}
+
+void
+kex_choose_conf(Kex *kex)
+{
+	Newkeys *newkeys;
+	char **my, **peer;
+	char **cprop, **sprop;
+	int nenc, nmac, ncomp;
+	int mode;
+	int ctos;				/* direction: if true client-to-server */
+	int need;
+
+	my   = kex_buf2prop(&kex->my);
+	peer = kex_buf2prop(&kex->peer);
+
+	if (kex->server) {
+		cprop=peer;
+		sprop=my;
+	} else {
+		cprop=my;
+		sprop=peer;
+	}
+
+	/* Algorithm Negotiation */
+	for (mode = 0; mode < MODE_MAX; mode++) {
+		newkeys = xmalloc(sizeof(*newkeys));
+		memset(newkeys, 0, sizeof(*newkeys));
+		kex->newkeys[mode] = newkeys;
+		ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
+		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
+		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
+		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
+		choose_enc (&newkeys->enc,  cprop[nenc],  sprop[nenc]);
+		choose_mac (&newkeys->mac,  cprop[nmac],  sprop[nmac]);
+		choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
+		debug("kex: %s %s %s %s",
+		    ctos ? "client->server" : "server->client",
+		    newkeys->enc.name,
+		    newkeys->mac.name,
+		    newkeys->comp.name);
+	}
+	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
+	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
+	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
+	need = 0;
+	for (mode = 0; mode < MODE_MAX; mode++) {
+		newkeys = kex->newkeys[mode];
+		if (need < newkeys->enc.cipher->key_len)
+			need = newkeys->enc.cipher->key_len;
+		if (need < newkeys->enc.cipher->block_size)
+			need = newkeys->enc.cipher->block_size;
+		if (need < newkeys->mac.key_len)
+			need = newkeys->mac.key_len;
+	}
+	/* XXX need runden? */
+	kex->we_need = need;
+
+	kex_prop_free(my);
+	kex_prop_free(peer);
+}
+
+u_char *
+derive_key(Kex *kex, int id, int need, u_char *hash, BIGNUM *shared_secret)
+{
+	Buffer b;
+	EVP_MD *evp_md = EVP_sha1();
+	EVP_MD_CTX md;
+	char c = id;
+	int have;
+	int mdsz = evp_md->md_size;
+	u_char *digest = xmalloc(roundup(need, mdsz));
+
+	buffer_init(&b);
+	buffer_put_bignum2(&b, shared_secret);
+
+	/* K1 = HASH(K || H || "A" || session_id) */
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
+	EVP_DigestUpdate(&md, hash, mdsz);
+	EVP_DigestUpdate(&md, &c, 1);
+	EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);
+	EVP_DigestFinal(&md, digest, NULL);
+
+	/*
+	 * expand key:
+	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
+	 * Key = K1 || K2 || ... || Kn
+	 */
+	for (have = mdsz; need > have; have += mdsz) {
+		EVP_DigestInit(&md, evp_md);
+		EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
+		EVP_DigestUpdate(&md, hash, mdsz);
+		EVP_DigestUpdate(&md, digest, have);
+		EVP_DigestFinal(&md, digest + have, NULL);
+	}
+	buffer_free(&b);
+#ifdef DEBUG_KEX
+	fprintf(stderr, "key '%c'== ", c);
+	dump_digest("key", digest, need);
+#endif
+	return digest;
+}
+
+Newkeys *current_keys[MODE_MAX];
+
+#define NKEYS	6
+void
+kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret)
+{
+	u_char *keys[NKEYS];
+	int i, mode, ctos;
+
+	for (i = 0; i < NKEYS; i++)
+		keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret);
+
+	debug("kex_derive_keys");
+	for (mode = 0; mode < MODE_MAX; mode++) {
+		current_keys[mode] = kex->newkeys[mode];
+		kex->newkeys[mode] = NULL;
+		ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
+		current_keys[mode]->enc.iv  = keys[ctos ? 0 : 1];
+		current_keys[mode]->enc.key = keys[ctos ? 2 : 3];
+		current_keys[mode]->mac.key = keys[ctos ? 4 : 5];
+	}
+}
+
+Newkeys *
+kex_get_newkeys(int mode)
+{
+	Newkeys *ret;
+
+	ret = current_keys[mode];
+	current_keys[mode] = NULL;
+	return ret;
+}
+
+#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH)
+void
+dump_digest(char *msg, u_char *digest, int len)
+{
+	int i;
+
+	fprintf(stderr, "%s\n", msg);
+	for (i = 0; i< len; i++){
+		fprintf(stderr, "%02x", digest[i]);
+		if (i%32 == 31)
+			fprintf(stderr, "\n");
+		else if (i%8 == 7)
+			fprintf(stderr, " ");
+	}
+	fprintf(stderr, "\n");
+}
+#endif
diff --git a/crypto/openssh/kex.h b/crypto/openssh/kex.h
new file mode 100644
index 0000000..8758804
--- /dev/null
+++ b/crypto/openssh/kex.h
@@ -0,0 +1,130 @@
+/*	$OpenBSD: kex.h,v 1.22 2001/04/04 20:25:37 markus Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef KEX_H
+#define KEX_H
+
+#include <openssl/evp.h>
+#include "buffer.h"
+#include "cipher.h"
+#include "key.h"
+
+#define	KEX_DH1		"diffie-hellman-group1-sha1"
+#define	KEX_DHGEX	"diffie-hellman-group-exchange-sha1"
+
+enum kex_init_proposals {
+	PROPOSAL_KEX_ALGS,
+	PROPOSAL_SERVER_HOST_KEY_ALGS,
+	PROPOSAL_ENC_ALGS_CTOS,
+	PROPOSAL_ENC_ALGS_STOC,
+	PROPOSAL_MAC_ALGS_CTOS,
+	PROPOSAL_MAC_ALGS_STOC,
+	PROPOSAL_COMP_ALGS_CTOS,
+	PROPOSAL_COMP_ALGS_STOC,
+	PROPOSAL_LANG_CTOS,
+	PROPOSAL_LANG_STOC,
+	PROPOSAL_MAX
+};
+
+enum kex_modes {
+	MODE_IN,
+	MODE_OUT,
+	MODE_MAX
+};
+
+enum kex_exchange {
+	DH_GRP1_SHA1,
+	DH_GEX_SHA1
+};
+
+#define KEX_INIT_SENT	0x0001
+
+typedef struct Kex Kex;
+typedef struct Mac Mac;
+typedef struct Comp Comp;
+typedef struct Enc Enc;
+typedef struct Newkeys Newkeys;
+
+struct Enc {
+	char	*name;
+	Cipher	*cipher;
+	int	enabled;
+	u_char	*key;
+	u_char	*iv;
+};
+struct Mac {
+	char	*name;
+	int	enabled;
+	EVP_MD	*md;
+	int	mac_len;
+	u_char	*key;
+	int	key_len;
+};
+struct Comp {
+	int	type;
+	int	enabled;
+	char	*name;
+};
+struct Newkeys {
+	Enc	enc;
+	Mac	mac;
+	Comp	comp;
+};
+struct Kex {
+	u_char	*session_id;
+	int	session_id_len;
+	Newkeys	*newkeys[MODE_MAX];
+	int	we_need;
+	int	server;
+	char	*name;
+	int	hostkey_type;
+	int	kex_type;
+	Buffer	my;
+	Buffer	peer;
+	int	done;
+	int	flags;
+	char	*client_version_string;
+	char	*server_version_string;
+	int	(*check_host_key)(Key *hostkey);
+	Key	*(*load_host_key)(int type);
+};
+
+Kex	*kex_setup(char *proposal[PROPOSAL_MAX]);
+void	kex_finish(Kex *kex);
+
+void	kex_send_kexinit(Kex *kex);
+void	kex_input_kexinit(int type, int plen, void *ctxt);
+void	kex_derive_keys(Kex *k, u_char *hash, BIGNUM *shared_secret);
+
+void	kexdh(Kex *);
+void	kexgex(Kex *);
+
+Newkeys *kex_get_newkeys(int mode);
+
+#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH)
+void	dump_digest(char *msg, u_char *digest, int len);
+#endif
+
+#endif
diff --git a/crypto/openssh/kexdh.c b/crypto/openssh/kexdh.c
new file mode 100644
index 0000000..7b6a220
--- /dev/null
+++ b/crypto/openssh/kexdh.c
@@ -0,0 +1,304 @@
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: kexdh.c,v 1.3 2001/04/04 09:48:34 markus Exp $");
+
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "key.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "dh.h"
+#include "ssh2.h"
+
+u_char *
+kex_dh_hash(
+    char *client_version_string,
+    char *server_version_string,
+    char *ckexinit, int ckexinitlen,
+    char *skexinit, int skexinitlen,
+    char *serverhostkeyblob, int sbloblen,
+    BIGNUM *client_dh_pub,
+    BIGNUM *server_dh_pub,
+    BIGNUM *shared_secret)
+{
+	Buffer b;
+	static u_char digest[EVP_MAX_MD_SIZE];
+	EVP_MD *evp_md = EVP_sha1();
+	EVP_MD_CTX md;
+
+	buffer_init(&b);
+	buffer_put_string(&b, client_version_string, strlen(client_version_string));
+	buffer_put_string(&b, server_version_string, strlen(server_version_string));
+
+	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
+	buffer_put_int(&b, ckexinitlen+1);
+	buffer_put_char(&b, SSH2_MSG_KEXINIT);
+	buffer_append(&b, ckexinit, ckexinitlen);
+	buffer_put_int(&b, skexinitlen+1);
+	buffer_put_char(&b, SSH2_MSG_KEXINIT);
+	buffer_append(&b, skexinit, skexinitlen);
+
+	buffer_put_string(&b, serverhostkeyblob, sbloblen);
+	buffer_put_bignum2(&b, client_dh_pub);
+	buffer_put_bignum2(&b, server_dh_pub);
+	buffer_put_bignum2(&b, shared_secret);
+
+#ifdef DEBUG_KEX
+	buffer_dump(&b);
+#endif
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
+	EVP_DigestFinal(&md, digest, NULL);
+
+	buffer_free(&b);
+
+#ifdef DEBUG_KEX
+	dump_digest("hash", digest, evp_md->md_size);
+#endif
+	return digest;
+}
+
+/* client */
+
+void
+kexdh_client(Kex *kex)
+{
+	BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
+	DH *dh;
+	Key *server_host_key;
+	char *server_host_key_blob = NULL, *signature = NULL;
+	u_char *kbuf, *hash;
+	u_int klen, kout, slen, sbloblen;
+	int dlen, plen;
+
+	/* generate and send 'e', client DH public key */
+	dh = dh_new_group1();
+	dh_gen_key(dh, kex->we_need * 8);
+	packet_start(SSH2_MSG_KEXDH_INIT);
+	packet_put_bignum2(dh->pub_key);
+	packet_send();
+
+	debug("sending SSH2_MSG_KEXDH_INIT");
+#ifdef DEBUG_KEXDH
+	DHparams_print_fp(stderr, dh);
+	fprintf(stderr, "pub= ");
+	BN_print_fp(stderr, dh->pub_key);
+	fprintf(stderr, "\n");
+#endif
+
+	debug("expecting SSH2_MSG_KEXDH_REPLY");
+	packet_read_expect(&plen, SSH2_MSG_KEXDH_REPLY);
+
+	/* key, cert */
+	server_host_key_blob = packet_get_string(&sbloblen);
+	server_host_key = key_from_blob(server_host_key_blob, sbloblen);
+	if (server_host_key == NULL)
+		fatal("cannot decode server_host_key_blob");
+
+	if (kex->check_host_key == NULL)
+		fatal("cannot check server_host_key");
+	kex->check_host_key(server_host_key);
+
+	/* DH paramter f, server public DH key */
+	dh_server_pub = BN_new();
+	if (dh_server_pub == NULL)
+		fatal("dh_server_pub == NULL");
+	packet_get_bignum2(dh_server_pub, &dlen);
+
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "dh_server_pub= ");
+	BN_print_fp(stderr, dh_server_pub);
+	fprintf(stderr, "\n");
+	debug("bits %d", BN_num_bits(dh_server_pub));
+#endif
+
+	/* signed H */
+	signature = packet_get_string(&slen);
+	packet_done();
+
+	if (!dh_pub_is_valid(dh, dh_server_pub))
+		packet_disconnect("bad server public DH value");
+
+	klen = DH_size(dh);
+	kbuf = xmalloc(klen);
+	kout = DH_compute_key(kbuf, dh_server_pub, dh);
+#ifdef DEBUG_KEXDH
+	dump_digest("shared secret", kbuf, kout);
+#endif
+	shared_secret = BN_new();
+	BN_bin2bn(kbuf, kout, shared_secret);
+	memset(kbuf, 0, klen);
+	xfree(kbuf);
+
+	/* calc and verify H */
+	hash = kex_dh_hash(
+	    kex->client_version_string,
+	    kex->server_version_string,
+	    buffer_ptr(&kex->my), buffer_len(&kex->my),
+	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+	    server_host_key_blob, sbloblen,
+	    dh->pub_key,
+	    dh_server_pub,
+	    shared_secret
+	);
+	xfree(server_host_key_blob);
+	BN_free(dh_server_pub);
+	DH_free(dh);
+
+	if (key_verify(server_host_key, (u_char *)signature, slen, hash, 20) != 1)
+		fatal("key_verify failed for server_host_key");
+	key_free(server_host_key);
+	xfree(signature);
+
+	/* save session id */
+	if (kex->session_id == NULL) {
+		kex->session_id_len = 20;
+		kex->session_id = xmalloc(kex->session_id_len);
+		memcpy(kex->session_id, hash, kex->session_id_len);
+	}
+
+	kex_derive_keys(kex, hash, shared_secret);
+	BN_clear_free(shared_secret);
+	kex_finish(kex);
+}
+
+/* server */
+
+void
+kexdh_server(Kex *kex)
+{
+	BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
+	DH *dh;
+	Key *server_host_key;
+	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
+	u_int sbloblen, klen, kout;
+	int dlen, slen, plen;
+
+	/* generate server DH public key */
+	dh = dh_new_group1();
+	dh_gen_key(dh, kex->we_need * 8);
+
+	debug("expecting SSH2_MSG_KEXDH_INIT");
+	packet_read_expect(&plen, SSH2_MSG_KEXDH_INIT);
+
+	if (kex->load_host_key == NULL)
+		fatal("Cannot load hostkey");
+	server_host_key = kex->load_host_key(kex->hostkey_type);
+	if (server_host_key == NULL)
+		fatal("Unsupported hostkey type %d", kex->hostkey_type);
+
+	/* key, cert */
+	dh_client_pub = BN_new();
+	if (dh_client_pub == NULL)
+		fatal("dh_client_pub == NULL");
+	packet_get_bignum2(dh_client_pub, &dlen);
+
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "dh_client_pub= ");
+	BN_print_fp(stderr, dh_client_pub);
+	fprintf(stderr, "\n");
+	debug("bits %d", BN_num_bits(dh_client_pub));
+#endif
+
+#ifdef DEBUG_KEXDH
+	DHparams_print_fp(stderr, dh);
+	fprintf(stderr, "pub= ");
+	BN_print_fp(stderr, dh->pub_key);
+	fprintf(stderr, "\n");
+#endif
+	if (!dh_pub_is_valid(dh, dh_client_pub))
+		packet_disconnect("bad client public DH value");
+
+	klen = DH_size(dh);
+	kbuf = xmalloc(klen);
+	kout = DH_compute_key(kbuf, dh_client_pub, dh);
+#ifdef DEBUG_KEXDH
+	dump_digest("shared secret", kbuf, kout);
+#endif
+	shared_secret = BN_new();
+	BN_bin2bn(kbuf, kout, shared_secret);
+	memset(kbuf, 0, klen);
+	xfree(kbuf);
+
+	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
+
+	/* calc H */
+	hash = kex_dh_hash(
+	    kex->client_version_string,
+	    kex->server_version_string,
+	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+	    buffer_ptr(&kex->my), buffer_len(&kex->my),
+	    (char *)server_host_key_blob, sbloblen,
+	    dh_client_pub,
+	    dh->pub_key,
+	    shared_secret
+	);
+	BN_free(dh_client_pub);
+
+	/* save session id := H */
+	/* XXX hashlen depends on KEX */
+	if (kex->session_id == NULL) {
+		kex->session_id_len = 20;
+		kex->session_id = xmalloc(kex->session_id_len);
+		memcpy(kex->session_id, hash, kex->session_id_len);
+	}
+
+	/* sign H */
+	/* XXX hashlen depends on KEX */
+	key_sign(server_host_key, &signature, &slen, hash, 20);
+
+	/* destroy_sensitive_data(); */
+
+	/* send server hostkey, DH pubkey 'f' and singed H */
+	packet_start(SSH2_MSG_KEXDH_REPLY);
+	packet_put_string((char *)server_host_key_blob, sbloblen);
+	packet_put_bignum2(dh->pub_key);	/* f */
+	packet_put_string((char *)signature, slen);
+	packet_send();
+
+	xfree(signature);
+	xfree(server_host_key_blob);
+	/* have keys, free DH */
+	DH_free(dh);
+
+	kex_derive_keys(kex, hash, shared_secret);
+	BN_clear_free(shared_secret);
+	kex_finish(kex);
+}
+
+void
+kexdh(Kex *kex)
+{
+	if (kex->server)
+		kexdh_server(kex);
+	else
+		kexdh_client(kex);
+}
diff --git a/crypto/openssh/kexgex.c b/crypto/openssh/kexgex.c
new file mode 100644
index 0000000..44f2f5c
--- /dev/null
+++ b/crypto/openssh/kexgex.c
@@ -0,0 +1,408 @@
+/*
+ * Copyright (c) 2000 Niels Provos.  All rights reserved.
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: kexgex.c,v 1.5 2001/04/05 10:42:50 markus Exp $");
+
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "key.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "dh.h"
+#include "ssh2.h"
+#include "compat.h"
+
+u_char *
+kexgex_hash(
+    char *client_version_string,
+    char *server_version_string,
+    char *ckexinit, int ckexinitlen,
+    char *skexinit, int skexinitlen,
+    char *serverhostkeyblob, int sbloblen,
+    int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
+    BIGNUM *client_dh_pub,
+    BIGNUM *server_dh_pub,
+    BIGNUM *shared_secret)
+{
+	Buffer b;
+	static u_char digest[EVP_MAX_MD_SIZE];
+	EVP_MD *evp_md = EVP_sha1();
+	EVP_MD_CTX md;
+
+	buffer_init(&b);
+	buffer_put_string(&b, client_version_string, strlen(client_version_string));
+	buffer_put_string(&b, server_version_string, strlen(server_version_string));
+
+	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
+	buffer_put_int(&b, ckexinitlen+1);
+	buffer_put_char(&b, SSH2_MSG_KEXINIT);
+	buffer_append(&b, ckexinit, ckexinitlen);
+	buffer_put_int(&b, skexinitlen+1);
+	buffer_put_char(&b, SSH2_MSG_KEXINIT);
+	buffer_append(&b, skexinit, skexinitlen);
+
+	buffer_put_string(&b, serverhostkeyblob, sbloblen);
+	if (min == -1 || max == -1)
+		buffer_put_int(&b, wantbits);
+	else {
+		buffer_put_int(&b, min);
+		buffer_put_int(&b, wantbits);
+		buffer_put_int(&b, max);
+	}
+	buffer_put_bignum2(&b, prime);
+	buffer_put_bignum2(&b, gen);
+	buffer_put_bignum2(&b, client_dh_pub);
+	buffer_put_bignum2(&b, server_dh_pub);
+	buffer_put_bignum2(&b, shared_secret);
+
+#ifdef DEBUG_KEXDH
+	buffer_dump(&b);
+#endif
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
+	EVP_DigestFinal(&md, digest, NULL);
+
+	buffer_free(&b);
+
+#ifdef DEBUG_KEXDH
+	dump_digest("hash", digest, evp_md->md_size);
+#endif
+	return digest;
+}
+
+/* client */
+
+void
+kexgex_client(Kex *kex)
+{
+	BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
+	BIGNUM *p = NULL, *g = NULL;
+	Key *server_host_key;
+	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
+	u_int klen, kout, slen, sbloblen;
+	int dlen, plen, min, max, nbits;
+	DH *dh;
+
+	nbits = dh_estimate(kex->we_need * 8);
+
+	if (datafellows & SSH_OLD_DHGEX) {
+		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent");
+
+		/* Old GEX request */
+		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
+		packet_put_int(nbits);
+		min = DH_GRP_MIN;
+		max = DH_GRP_MAX;
+	} else {
+		debug("SSH2_MSG_KEX_DH_GEX_REQUEST sent");
+
+		/* New GEX request */
+		min = DH_GRP_MIN;
+		max = DH_GRP_MAX;
+		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
+		packet_put_int(min);
+		packet_put_int(nbits);
+		packet_put_int(max);
+	}
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n",
+	    min, nbits, max);
+#endif
+	packet_send();
+
+	debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP");
+	packet_read_expect(&plen, SSH2_MSG_KEX_DH_GEX_GROUP);
+
+	if ((p = BN_new()) == NULL)
+		fatal("BN_new");
+	packet_get_bignum2(p, &dlen);
+	if ((g = BN_new()) == NULL)
+		fatal("BN_new");
+	packet_get_bignum2(g, &dlen);
+	packet_done();
+
+	if (BN_num_bits(p) < min || BN_num_bits(p) > max)
+		fatal("DH_GEX group out of range: %d !< %d !< %d",
+		    min, BN_num_bits(p), max);
+
+	dh = dh_new_group(g, p);
+	dh_gen_key(dh, kex->we_need * 8);
+
+#ifdef DEBUG_KEXDH
+	DHparams_print_fp(stderr, dh);
+	fprintf(stderr, "pub= ");
+	BN_print_fp(stderr, dh->pub_key);
+	fprintf(stderr, "\n");
+#endif
+
+	debug("SSH2_MSG_KEX_DH_GEX_INIT sent");
+	/* generate and send 'e', client DH public key */
+	packet_start(SSH2_MSG_KEX_DH_GEX_INIT);
+	packet_put_bignum2(dh->pub_key);
+	packet_send();
+
+	debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY");
+	packet_read_expect(&plen, SSH2_MSG_KEX_DH_GEX_REPLY);
+
+	/* key, cert */
+	server_host_key_blob = packet_get_string(&sbloblen);
+	server_host_key = key_from_blob(server_host_key_blob, sbloblen);
+	if (server_host_key == NULL)
+		fatal("cannot decode server_host_key_blob");
+
+	if (kex->check_host_key == NULL)
+		fatal("cannot check server_host_key");
+	kex->check_host_key(server_host_key);
+
+	/* DH paramter f, server public DH key */
+	dh_server_pub = BN_new();
+	if (dh_server_pub == NULL)
+		fatal("dh_server_pub == NULL");
+	packet_get_bignum2(dh_server_pub, &dlen);
+
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "dh_server_pub= ");
+	BN_print_fp(stderr, dh_server_pub);
+	fprintf(stderr, "\n");
+	debug("bits %d", BN_num_bits(dh_server_pub));
+#endif
+
+	/* signed H */
+	signature = packet_get_string(&slen);
+	packet_done();
+
+	if (!dh_pub_is_valid(dh, dh_server_pub))
+		packet_disconnect("bad server public DH value");
+
+	klen = DH_size(dh);
+	kbuf = xmalloc(klen);
+	kout = DH_compute_key(kbuf, dh_server_pub, dh);
+#ifdef DEBUG_KEXDH
+	dump_digest("shared secret", kbuf, kout);
+#endif
+	shared_secret = BN_new();
+	BN_bin2bn(kbuf, kout, shared_secret);
+	memset(kbuf, 0, klen);
+	xfree(kbuf);
+
+	if (datafellows & SSH_OLD_DHGEX)
+		min = max = -1;
+
+	/* calc and verify H */
+	hash = kexgex_hash(
+	    kex->client_version_string,
+	    kex->server_version_string,
+	    buffer_ptr(&kex->my), buffer_len(&kex->my),
+	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+	    server_host_key_blob, sbloblen,
+	    min, nbits, max,
+	    dh->p, dh->g,
+	    dh->pub_key,
+	    dh_server_pub,
+	    shared_secret
+	);
+	/* have keys, free DH */
+	DH_free(dh);
+	xfree(server_host_key_blob);
+	BN_free(dh_server_pub);
+
+	if (key_verify(server_host_key, (u_char *)signature, slen, hash, 20) != 1)
+		fatal("key_verify failed for server_host_key");
+	key_free(server_host_key);
+	xfree(signature);
+
+	/* save session id */
+	if (kex->session_id == NULL) {
+		kex->session_id_len = 20;
+		kex->session_id = xmalloc(kex->session_id_len);
+		memcpy(kex->session_id, hash, kex->session_id_len);
+	}
+	kex_derive_keys(kex, hash, shared_secret);
+	BN_clear_free(shared_secret);
+
+	kex_finish(kex);
+}
+
+/* server */
+
+void
+kexgex_server(Kex *kex)
+{
+	BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
+	Key *server_host_key;
+	DH *dh = dh;
+	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
+	u_int sbloblen, klen, kout;
+	int min = -1, max = -1, nbits = -1, type, plen, dlen, slen;
+
+	if (kex->load_host_key == NULL)
+		fatal("Cannot load hostkey");
+	server_host_key = kex->load_host_key(kex->hostkey_type);
+	if (server_host_key == NULL)
+		fatal("Unsupported hostkey type %d", kex->hostkey_type);
+
+	type = packet_read(&plen);
+	switch(type){
+	case SSH2_MSG_KEX_DH_GEX_REQUEST:
+		debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
+		min = packet_get_int();
+		nbits = packet_get_int();
+		max = packet_get_int();
+		min = MAX(DH_GRP_MIN, min);
+		max = MIN(DH_GRP_MAX, max);
+		break;
+	case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
+		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");
+		nbits = packet_get_int();
+		min = DH_GRP_MIN;
+		max = DH_GRP_MAX;
+		/* unused for old GEX */
+		break;
+	default:
+		fatal("protocol error during kex, no DH_GEX_REQUEST: %d", type);
+	}
+	packet_done();
+
+	if (max < min || nbits < min || max < nbits)
+		fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d",
+		    min, nbits, max);
+
+	dh = choose_dh(min, nbits, max);
+	if (dh == NULL)
+		packet_disconnect("Protocol error: no matching DH grp found");
+
+	debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
+	packet_start(SSH2_MSG_KEX_DH_GEX_GROUP);
+	packet_put_bignum2(dh->p);
+	packet_put_bignum2(dh->g);
+	packet_send();
+
+	/* flush */
+	packet_write_wait();
+
+	/* Compute our exchange value in parallel with the client */
+	dh_gen_key(dh, kex->we_need * 8);
+
+	debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
+	packet_read_expect(&plen, SSH2_MSG_KEX_DH_GEX_INIT);
+
+	/* key, cert */
+	dh_client_pub = BN_new();
+	if (dh_client_pub == NULL)
+		fatal("dh_client_pub == NULL");
+	packet_get_bignum2(dh_client_pub, &dlen);
+
+#ifdef DEBUG_KEXDH
+	fprintf(stderr, "dh_client_pub= ");
+	BN_print_fp(stderr, dh_client_pub);
+	fprintf(stderr, "\n");
+	debug("bits %d", BN_num_bits(dh_client_pub));
+#endif
+
+#ifdef DEBUG_KEXDH
+	DHparams_print_fp(stderr, dh);
+	fprintf(stderr, "pub= ");
+	BN_print_fp(stderr, dh->pub_key);
+	fprintf(stderr, "\n");
+#endif
+	if (!dh_pub_is_valid(dh, dh_client_pub))
+		packet_disconnect("bad client public DH value");
+
+	klen = DH_size(dh);
+	kbuf = xmalloc(klen);
+	kout = DH_compute_key(kbuf, dh_client_pub, dh);
+#ifdef DEBUG_KEXDH
+	dump_digest("shared secret", kbuf, kout);
+#endif
+	shared_secret = BN_new();
+	BN_bin2bn(kbuf, kout, shared_secret);
+	memset(kbuf, 0, klen);
+	xfree(kbuf);
+
+	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
+
+	if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
+		min = max = -1;
+
+	/* calc H */			/* XXX depends on 'kex' */
+	hash = kexgex_hash(
+	    kex->client_version_string,
+	    kex->server_version_string,
+	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+	    buffer_ptr(&kex->my), buffer_len(&kex->my),
+	    (char *)server_host_key_blob, sbloblen,
+	    min, nbits, max,
+	    dh->p, dh->g,
+	    dh_client_pub,
+	    dh->pub_key,
+	    shared_secret
+	);
+	BN_free(dh_client_pub);
+
+	/* save session id := H */
+	/* XXX hashlen depends on KEX */
+	if (kex->session_id == NULL) {
+		kex->session_id_len = 20;
+		kex->session_id = xmalloc(kex->session_id_len);
+		memcpy(kex->session_id, hash, kex->session_id_len);
+	}
+
+	/* sign H */
+	/* XXX hashlen depends on KEX */
+	key_sign(server_host_key, &signature, &slen, hash, 20);
+
+	/* destroy_sensitive_data(); */
+
+	/* send server hostkey, DH pubkey 'f' and singed H */
+	debug("SSH2_MSG_KEX_DH_GEX_REPLY sent");
+	packet_start(SSH2_MSG_KEX_DH_GEX_REPLY);
+	packet_put_string((char *)server_host_key_blob, sbloblen);
+	packet_put_bignum2(dh->pub_key);	/* f */
+	packet_put_string((char *)signature, slen);
+	packet_send();
+	xfree(signature);
+	xfree(server_host_key_blob);
+	/* have keys, free DH */
+	DH_free(dh);
+
+	kex_derive_keys(kex, hash, shared_secret);
+	BN_clear_free(shared_secret);
+
+	kex_finish(kex);
+}
+
+void
+kexgex(Kex *kex)
+{
+	if (kex->server)
+		kexgex_server(kex);
+	else
+		kexgex_client(kex);
+}
diff --git a/crypto/openssh/key.c b/crypto/openssh/key.c
new file mode 100644
index 0000000..e3279c8
--- /dev/null
+++ b/crypto/openssh/key.c
@@ -0,0 +1,784 @@
+/*
+ * read_bignum():
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$OpenBSD: key.c,v 1.25 2001/04/17 10:53:24 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/evp.h>
+
+#include "xmalloc.h"
+#include "key.h"
+#include "rsa.h"
+#include "ssh-dss.h"
+#include "ssh-rsa.h"
+#include "uuencode.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "log.h"
+
+Key *
+key_new(int type)
+{
+	Key *k;
+	RSA *rsa;
+	DSA *dsa;
+	k = xmalloc(sizeof(*k));
+	k->type = type;
+	k->dsa = NULL;
+	k->rsa = NULL;
+	switch (k->type) {
+	case KEY_RSA1:
+	case KEY_RSA:
+		rsa = RSA_new();
+		rsa->n = BN_new();
+		rsa->e = BN_new();
+		k->rsa = rsa;
+		break;
+	case KEY_DSA:
+		dsa = DSA_new();
+		dsa->p = BN_new();
+		dsa->q = BN_new();
+		dsa->g = BN_new();
+		dsa->pub_key = BN_new();
+		k->dsa = dsa;
+		break;
+	case KEY_UNSPEC:
+		break;
+	default:
+		fatal("key_new: bad key type %d", k->type);
+		break;
+	}
+	return k;
+}
+Key *
+key_new_private(int type)
+{
+	Key *k = key_new(type);
+	switch (k->type) {
+	case KEY_RSA1:
+	case KEY_RSA:
+		k->rsa->d = BN_new();
+		k->rsa->iqmp = BN_new();
+		k->rsa->q = BN_new();
+		k->rsa->p = BN_new();
+		k->rsa->dmq1 = BN_new();
+		k->rsa->dmp1 = BN_new();
+		break;
+	case KEY_DSA:
+		k->dsa->priv_key = BN_new();
+		break;
+	case KEY_UNSPEC:
+		break;
+	default:
+		break;
+	}
+	return k;
+}
+void
+key_free(Key *k)
+{
+	switch (k->type) {
+	case KEY_RSA1:
+	case KEY_RSA:
+		if (k->rsa != NULL)
+			RSA_free(k->rsa);
+		k->rsa = NULL;
+		break;
+	case KEY_DSA:
+		if (k->dsa != NULL)
+			DSA_free(k->dsa);
+		k->dsa = NULL;
+		break;
+	case KEY_UNSPEC:
+		break;
+	default:
+		fatal("key_free: bad key type %d", k->type);
+		break;
+	}
+	xfree(k);
+}
+int
+key_equal(Key *a, Key *b)
+{
+	if (a == NULL || b == NULL || a->type != b->type)
+		return 0;
+	switch (a->type) {
+	case KEY_RSA1:
+	case KEY_RSA:
+		return a->rsa != NULL && b->rsa != NULL &&
+		    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
+		    BN_cmp(a->rsa->n, b->rsa->n) == 0;
+		break;
+	case KEY_DSA:
+		return a->dsa != NULL && b->dsa != NULL &&
+		    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
+		    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
+		    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
+		    BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
+		break;
+	default:
+		fatal("key_equal: bad key type %d", a->type);
+		break;
+	}
+	return 0;
+}
+
+u_char*
+key_fingerprint_raw(Key *k, enum fp_type dgst_type, size_t *dgst_raw_length)
+{
+	EVP_MD *md = NULL;
+	EVP_MD_CTX ctx;
+	u_char *blob = NULL;
+	u_char *retval = NULL;
+	int len = 0;
+	int nlen, elen;
+
+	*dgst_raw_length = 0;
+
+	switch (dgst_type) {
+	case SSH_FP_MD5:
+		md = EVP_md5();
+		break;
+	case SSH_FP_SHA1:
+		md = EVP_sha1();
+		break;
+	default:
+		fatal("key_fingerprint_raw: bad digest type %d",
+		    dgst_type);
+	}
+	switch (k->type) {
+	case KEY_RSA1:
+		nlen = BN_num_bytes(k->rsa->n);
+		elen = BN_num_bytes(k->rsa->e);
+		len = nlen + elen;
+		blob = xmalloc(len);
+		BN_bn2bin(k->rsa->n, blob);
+		BN_bn2bin(k->rsa->e, blob + nlen);
+		break;
+	case KEY_DSA:
+	case KEY_RSA:
+		key_to_blob(k, &blob, &len);
+		break;
+	case KEY_UNSPEC:
+		return retval;
+		break;
+	default:
+		fatal("key_fingerprint_raw: bad key type %d", k->type);
+		break;
+	}
+	if (blob != NULL) {
+		retval = xmalloc(EVP_MAX_MD_SIZE);
+		EVP_DigestInit(&ctx, md);
+		EVP_DigestUpdate(&ctx, blob, len);
+		EVP_DigestFinal(&ctx, retval, NULL);
+		*dgst_raw_length = md->md_size;
+		memset(blob, 0, len);
+		xfree(blob);
+	} else {
+		fatal("key_fingerprint_raw: blob is null");
+	}
+	return retval;
+}
+
+char*
+key_fingerprint_hex(u_char* dgst_raw, size_t dgst_raw_len)
+{
+	char *retval;
+	int i;
+
+	retval = xmalloc(dgst_raw_len * 3 + 1);
+	retval[0] = '\0';
+	for(i = 0; i < dgst_raw_len; i++) {
+		char hex[4];
+		snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
+		strlcat(retval, hex, dgst_raw_len * 3);
+	}
+	retval[(dgst_raw_len * 3) - 1] = '\0';
+	return retval;
+}
+
+char*
+key_fingerprint_bubblebabble(u_char* dgst_raw, size_t dgst_raw_len)
+{
+	char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
+	char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
+	    'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
+	u_int i, j = 0, rounds, seed = 1;
+	char *retval;
+
+	rounds = (dgst_raw_len / 2) + 1;
+	retval = xmalloc(sizeof(char) * (rounds*6));
+	retval[j++] = 'x';
+	for (i = 0; i < rounds; i++) {
+		u_int idx0, idx1, idx2, idx3, idx4;
+		if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
+			idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
+			    seed) % 6;
+			idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
+			idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
+			    (seed / 6)) % 6;
+			retval[j++] = vowels[idx0];
+			retval[j++] = consonants[idx1];
+			retval[j++] = vowels[idx2];
+			if ((i + 1) < rounds) {
+				idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
+				idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
+				retval[j++] = consonants[idx3];
+				retval[j++] = '-';
+				retval[j++] = consonants[idx4];
+				seed = ((seed * 5) +
+				    ((((u_int)(dgst_raw[2 * i])) * 7) +
+				    ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
+			}
+		} else {
+			idx0 = seed % 6;
+			idx1 = 16;
+			idx2 = seed / 6;
+			retval[j++] = vowels[idx0];
+			retval[j++] = consonants[idx1];
+			retval[j++] = vowels[idx2];
+		}
+	}
+	retval[j++] = 'x';
+	retval[j++] = '\0';
+	return retval;
+}
+
+char*
+key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
+{
+	char *retval = NULL;
+	u_char *dgst_raw;
+	size_t dgst_raw_len;
+	
+	dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len);
+	if (!dgst_raw)
+		fatal("key_fingerprint: null from key_fingerprint_raw()");
+	switch(dgst_rep) {
+	case SSH_FP_HEX:
+		retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
+		break;
+	case SSH_FP_BUBBLEBABBLE:
+		retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
+		break;
+	default:
+		fatal("key_fingerprint_ex: bad digest representation %d",
+		    dgst_rep);
+		break;
+	}
+	memset(dgst_raw, 0, dgst_raw_len);
+	xfree(dgst_raw);
+	return retval;
+}
+
+/*
+ * Reads a multiple-precision integer in decimal from the buffer, and advances
+ * the pointer.  The integer must already be initialized.  This function is
+ * permitted to modify the buffer.  This leaves *cpp to point just beyond the
+ * last processed (and maybe modified) character.  Note that this may modify
+ * the buffer containing the number.
+ */
+int
+read_bignum(char **cpp, BIGNUM * value)
+{
+	char *cp = *cpp;
+	int old;
+
+	/* Skip any leading whitespace. */
+	for (; *cp == ' ' || *cp == '\t'; cp++)
+		;
+
+	/* Check that it begins with a decimal digit. */
+	if (*cp < '0' || *cp > '9')
+		return 0;
+
+	/* Save starting position. */
+	*cpp = cp;
+
+	/* Move forward until all decimal digits skipped. */
+	for (; *cp >= '0' && *cp <= '9'; cp++)
+		;
+
+	/* Save the old terminating character, and replace it by \0. */
+	old = *cp;
+	*cp = 0;
+
+	/* Parse the number. */
+	if (BN_dec2bn(&value, *cpp) == 0)
+		return 0;
+
+	/* Restore old terminating character. */
+	*cp = old;
+
+	/* Move beyond the number and return success. */
+	*cpp = cp;
+	return 1;
+}
+int
+write_bignum(FILE *f, BIGNUM *num)
+{
+	char *buf = BN_bn2dec(num);
+	if (buf == NULL) {
+		error("write_bignum: BN_bn2dec() failed");
+		return 0;
+	}
+	fprintf(f, " %s", buf);
+	xfree(buf);
+	return 1;
+}
+
+/* returns 1 ok, -1 error, 0 type mismatch */
+int
+key_read(Key *ret, char **cpp)
+{
+	Key *k;
+	int success = -1;
+	char *cp, *space;
+	int len, n, type;
+	u_int bits;
+	u_char *blob;
+
+	cp = *cpp;
+
+	switch(ret->type) {
+	case KEY_RSA1:
+		/* Get number of bits. */
+		if (*cp < '0' || *cp > '9')
+			return -1;	/* Bad bit count... */
+		for (bits = 0; *cp >= '0' && *cp <= '9'; cp++)
+			bits = 10 * bits + *cp - '0';
+		if (bits == 0)
+			return -1;
+		*cpp = cp;
+		/* Get public exponent, public modulus. */
+		if (!read_bignum(cpp, ret->rsa->e))
+			return -1;
+		if (!read_bignum(cpp, ret->rsa->n))
+			return -1;
+		success = 1;
+		break;
+	case KEY_UNSPEC:
+	case KEY_RSA:
+	case KEY_DSA:
+		space = strchr(cp, ' ');
+		if (space == NULL) {
+			debug3("key_read: no space");
+			return -1;
+		}
+		*space = '\0';
+		type = key_type_from_name(cp);
+		*space = ' ';
+		if (type == KEY_UNSPEC) {
+			debug3("key_read: no key found");
+			return -1;
+		}
+		cp = space+1;
+		if (*cp == '\0') {
+			debug3("key_read: short string");
+			return -1;
+		}
+		if (ret->type == KEY_UNSPEC) {
+			ret->type = type;
+		} else if (ret->type != type) {
+			/* is a key, but different type */
+			debug3("key_read: type mismatch");
+			return 0;
+		}
+		len = 2*strlen(cp);
+		blob = xmalloc(len);
+		n = uudecode(cp, blob, len);
+		if (n < 0) {
+			error("key_read: uudecode %s failed", cp);
+			return -1;
+		}
+		k = key_from_blob(blob, n);
+		if (k == NULL) {
+			error("key_read: key_from_blob %s failed", cp);
+			return -1;
+		}
+		xfree(blob);
+		if (k->type != type) {
+			error("key_read: type mismatch: encoding error");
+			key_free(k);
+			return -1;
+		}
+/*XXXX*/
+		if (ret->type == KEY_RSA) {
+			if (ret->rsa != NULL)
+				RSA_free(ret->rsa);
+			ret->rsa = k->rsa;
+			k->rsa = NULL;
+			success = 1;
+#ifdef DEBUG_PK
+			RSA_print_fp(stderr, ret->rsa, 8);
+#endif
+		} else {
+			if (ret->dsa != NULL)
+				DSA_free(ret->dsa);
+			ret->dsa = k->dsa;
+			k->dsa = NULL;
+			success = 1;
+#ifdef DEBUG_PK
+			DSA_print_fp(stderr, ret->dsa, 8);
+#endif
+		}
+/*XXXX*/
+		if (success != 1)
+			break;
+		key_free(k);
+		/* advance cp: skip whitespace and data */
+		while (*cp == ' ' || *cp == '\t')
+			cp++;
+		while (*cp != '\0' && *cp != ' ' && *cp != '\t')
+			cp++;
+		*cpp = cp;
+		break;
+	default:
+		fatal("key_read: bad key type: %d", ret->type);
+		break;
+	}
+	return success;
+}
+int
+key_write(Key *key, FILE *f)
+{
+	int success = 0;
+	u_int bits = 0;
+
+	if (key->type == KEY_RSA1 && key->rsa != NULL) {
+		/* size of modulus 'n' */
+		bits = BN_num_bits(key->rsa->n);
+		fprintf(f, "%u", bits);
+		if (write_bignum(f, key->rsa->e) &&
+		    write_bignum(f, key->rsa->n)) {
+			success = 1;
+		} else {
+			error("key_write: failed for RSA key");
+		}
+	} else if ((key->type == KEY_DSA && key->dsa != NULL) ||
+	    (key->type == KEY_RSA && key->rsa != NULL)) {
+		int len, n;
+		u_char *blob, *uu;
+		key_to_blob(key, &blob, &len);
+		uu = xmalloc(2*len);
+		n = uuencode(blob, len, uu, 2*len);
+		if (n > 0) {
+			fprintf(f, "%s %s", key_ssh_name(key), uu);
+			success = 1;
+		}
+		xfree(blob);
+		xfree(uu);
+	}
+	return success;
+}
+char *
+key_type(Key *k)
+{
+	switch (k->type) {
+	case KEY_RSA1:
+		return "RSA1";
+		break;
+	case KEY_RSA:
+		return "RSA";
+		break;
+	case KEY_DSA:
+		return "DSA";
+		break;
+	}
+	return "unknown";
+}
+char *
+key_ssh_name(Key *k)
+{
+	switch (k->type) {
+	case KEY_RSA:
+		return "ssh-rsa";
+		break;
+	case KEY_DSA:
+		return "ssh-dss";
+		break;
+	}
+	return "ssh-unknown";
+}
+u_int
+key_size(Key *k){
+	switch (k->type) {
+	case KEY_RSA1:
+	case KEY_RSA:
+		return BN_num_bits(k->rsa->n);
+		break;
+	case KEY_DSA:
+		return BN_num_bits(k->dsa->p);
+		break;
+	}
+	return 0;
+}
+
+RSA *
+rsa_generate_private_key(u_int bits)
+{
+	RSA *private;
+	private = RSA_generate_key(bits, 35, NULL, NULL);
+	if (private == NULL)
+		fatal("rsa_generate_private_key: key generation failed.");
+	return private;
+}
+
+DSA*
+dsa_generate_private_key(u_int bits)
+{
+	DSA *private = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL);
+	if (private == NULL)
+		fatal("dsa_generate_private_key: DSA_generate_parameters failed");
+	if (!DSA_generate_key(private))
+		fatal("dsa_generate_private_key: DSA_generate_key failed.");
+	if (private == NULL)
+		fatal("dsa_generate_private_key: NULL.");
+	return private;
+}
+
+Key *
+key_generate(int type, u_int bits)
+{
+	Key *k = key_new(KEY_UNSPEC);
+	switch (type) {
+	case KEY_DSA:
+		k->dsa = dsa_generate_private_key(bits);
+		break;
+	case KEY_RSA:
+	case KEY_RSA1:
+		k->rsa = rsa_generate_private_key(bits);
+		break;
+	default:
+		fatal("key_generate: unknown type %d", type);
+	}
+	k->type = type;
+	return k;
+}
+
+Key *
+key_from_private(Key *k)
+{
+	Key *n = NULL;
+	switch (k->type) {
+	case KEY_DSA:
+		n = key_new(k->type);
+		BN_copy(n->dsa->p, k->dsa->p);
+		BN_copy(n->dsa->q, k->dsa->q);
+		BN_copy(n->dsa->g, k->dsa->g);
+		BN_copy(n->dsa->pub_key, k->dsa->pub_key);
+		break;
+	case KEY_RSA:
+	case KEY_RSA1:
+		n = key_new(k->type);
+		BN_copy(n->rsa->n, k->rsa->n);
+		BN_copy(n->rsa->e, k->rsa->e);
+		break;
+	default:
+		fatal("key_from_private: unknown type %d", k->type);
+		break;
+	}
+	return n;
+}
+
+int
+key_type_from_name(char *name)
+{
+	if (strcmp(name, "rsa1") == 0){
+		return KEY_RSA1;
+	} else if (strcmp(name, "rsa") == 0){
+		return KEY_RSA;
+	} else if (strcmp(name, "dsa") == 0){
+		return KEY_DSA;
+	} else if (strcmp(name, "ssh-rsa") == 0){
+		return KEY_RSA;
+	} else if (strcmp(name, "ssh-dss") == 0){
+		return KEY_DSA;
+	}
+	debug2("key_type_from_name: unknown key type '%s'", name);
+	return KEY_UNSPEC;
+}
+
+int
+key_names_valid2(const char *names)
+{
+	char *s, *cp, *p;
+
+	if (names == NULL || strcmp(names, "") == 0)
+		return 0;
+	s = cp = xstrdup(names);
+	for ((p = strsep(&cp, ",")); p && *p != '\0';
+	     (p = strsep(&cp, ","))) {
+		switch (key_type_from_name(p)) {
+		case KEY_RSA1:
+		case KEY_UNSPEC:
+			xfree(s);
+			return 0;
+		}
+	}
+	debug3("key names ok: [%s]", names);
+	xfree(s);
+	return 1;
+}
+
+Key *
+key_from_blob(char *blob, int blen)
+{
+	Buffer b;
+	char *ktype;
+	int rlen, type;
+	Key *key = NULL;
+
+#ifdef DEBUG_PK
+	dump_base64(stderr, blob, blen);
+#endif
+	buffer_init(&b);
+	buffer_append(&b, blob, blen);
+	ktype = buffer_get_string(&b, NULL);
+	type = key_type_from_name(ktype);
+
+	switch(type){
+	case KEY_RSA:
+		key = key_new(type);
+		buffer_get_bignum2(&b, key->rsa->e);
+		buffer_get_bignum2(&b, key->rsa->n);
+#ifdef DEBUG_PK
+		RSA_print_fp(stderr, key->rsa, 8);
+#endif
+		break;
+	case KEY_DSA:
+		key = key_new(type);
+		buffer_get_bignum2(&b, key->dsa->p);
+		buffer_get_bignum2(&b, key->dsa->q);
+		buffer_get_bignum2(&b, key->dsa->g);
+		buffer_get_bignum2(&b, key->dsa->pub_key);
+#ifdef DEBUG_PK
+		DSA_print_fp(stderr, key->dsa, 8);
+#endif
+		break;
+	case KEY_UNSPEC:
+		key = key_new(type);
+		break;
+	default:
+		error("key_from_blob: cannot handle type %s", ktype);
+		break;
+	}
+	rlen = buffer_len(&b);
+	if (key != NULL && rlen != 0)
+		error("key_from_blob: remaining bytes in key blob %d", rlen);
+	xfree(ktype);
+	buffer_free(&b);
+	return key;
+}
+
+int
+key_to_blob(Key *key, u_char **blobp, u_int *lenp)
+{
+	Buffer b;
+	int len;
+	u_char *buf;
+
+	if (key == NULL) {
+		error("key_to_blob: key == NULL");
+		return 0;
+	}
+	buffer_init(&b);
+	switch(key->type){
+	case KEY_DSA:
+		buffer_put_cstring(&b, key_ssh_name(key));
+		buffer_put_bignum2(&b, key->dsa->p);
+		buffer_put_bignum2(&b, key->dsa->q);
+		buffer_put_bignum2(&b, key->dsa->g);
+		buffer_put_bignum2(&b, key->dsa->pub_key);
+		break;
+	case KEY_RSA:
+		buffer_put_cstring(&b, key_ssh_name(key));
+		buffer_put_bignum2(&b, key->rsa->e);
+		buffer_put_bignum2(&b, key->rsa->n);
+		break;
+	default:
+		error("key_to_blob: illegal key type %d", key->type);
+		break;
+	}
+	len = buffer_len(&b);
+	buf = xmalloc(len);
+	memcpy(buf, buffer_ptr(&b), len);
+	memset(buffer_ptr(&b), 0, len);
+	buffer_free(&b);
+	if (lenp != NULL)
+		*lenp = len;
+	if (blobp != NULL)
+		*blobp = buf;
+	return len;
+}
+
+int
+key_sign(
+    Key *key,
+    u_char **sigp, int *lenp,
+    u_char *data, int datalen)
+{
+	switch(key->type){
+	case KEY_DSA:
+		return ssh_dss_sign(key, sigp, lenp, data, datalen);
+		break;
+	case KEY_RSA:
+		return ssh_rsa_sign(key, sigp, lenp, data, datalen);
+		break;
+	default:
+		error("key_sign: illegal key type %d", key->type);
+		return -1;
+		break;
+	}
+}
+
+int
+key_verify(
+    Key *key,
+    u_char *signature, int signaturelen,
+    u_char *data, int datalen)
+{
+	switch(key->type){
+	case KEY_DSA:
+		return ssh_dss_verify(key, signature, signaturelen, data, datalen);
+		break;
+	case KEY_RSA:
+		return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
+		break;
+	default:
+		error("key_verify: illegal key type %d", key->type);
+		return -1;
+		break;
+	}
+}
diff --git a/crypto/openssh/key.h b/crypto/openssh/key.h
new file mode 100644
index 0000000..cee31c3
--- /dev/null
+++ b/crypto/openssh/key.h
@@ -0,0 +1,84 @@
+/*	$OpenBSD: key.h,v 1.12 2001/04/17 10:53:24 markus Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef KEY_H
+#define KEY_H
+
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+
+typedef struct Key Key;
+enum types {
+	KEY_RSA1,
+	KEY_RSA,
+	KEY_DSA,
+	KEY_UNSPEC
+};
+enum fp_type {
+	SSH_FP_SHA1,
+	SSH_FP_MD5
+};
+enum fp_rep {
+	SSH_FP_HEX,
+	SSH_FP_BUBBLEBABBLE
+};
+struct Key {
+	int	type;
+	RSA	*rsa;
+	DSA	*dsa;
+};
+
+Key	*key_new(int type);
+Key	*key_new_private(int type);
+void	key_free(Key *k);
+int	key_equal(Key *a, Key *b);
+char	*key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep);
+char	*key_type(Key *k);
+int	key_write(Key *key, FILE *f);
+int	key_read(Key *key, char **cpp);
+u_int	key_size(Key *k);
+
+Key	*key_generate(int type, u_int bits);
+Key	*key_from_private(Key *k);
+int	key_type_from_name(char *name);
+
+Key	*key_from_blob(char *blob, int blen);
+int	key_to_blob(Key *key, u_char **blobp, u_int *lenp);
+char	*key_ssh_name(Key *k);
+int	key_names_valid2(const char *names);
+
+int
+key_sign(
+    Key *key,
+    u_char **sigp, int *lenp,
+    u_char *data, int datalen);
+
+int
+key_verify(
+    Key *key,
+    u_char *signature, int signaturelen,
+    u_char *data, int datalen);
+
+#endif
diff --git a/crypto/openssh/lib/Makefile b/crypto/openssh/lib/Makefile
new file mode 100644
index 0000000..fbcd66f
--- /dev/null
+++ b/crypto/openssh/lib/Makefile
@@ -0,0 +1,29 @@
+#	$OpenBSD: Makefile,v 1.22 2001/04/03 19:53:30 markus Exp $
+
+.PATH:		${.CURDIR}/..
+
+LIB=	ssh
+SRCS=   authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \
+	cipher.c compat.c compress.c crc32.c deattack.c \
+	hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \
+	rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \
+	key.c dispatch.c kex.c mac.c uuencode.c misc.c \
+	cli.c rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c
+
+NOPROFILE= yes
+NOPIC=	yes
+
+install:
+	@echo -n
+
+.include <bsd.own.mk>
+
+.if (${KERBEROS:L} == "yes")
+CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
+.if (${AFS:L} == "yes")
+CFLAGS+= -DAFS
+SRCS+=  radix.c
+.endif # AFS
+.endif # KERBEROS
+
+.include <bsd.lib.mk>
diff --git a/crypto/openssh/log.c b/crypto/openssh/log.c
new file mode 100644
index 0000000..34b4eb9
--- /dev/null
+++ b/crypto/openssh/log.c
@@ -0,0 +1,379 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: log.c,v 1.17 2001/03/04 17:42:28 millert Exp $");
+
+#include "log.h"
+#include "xmalloc.h"
+
+#include <syslog.h>
+
+static LogLevel log_level = SYSLOG_LEVEL_INFO;
+static int log_on_stderr = 1;
+static int log_facility = LOG_AUTH;
+static char *argv0;
+
+extern char *__progname;
+
+/* textual representation of log-facilities/levels */
+
+static struct {
+	const char *name;
+	SyslogFacility val;
+} log_facilities[] = {
+	{ "DAEMON",	SYSLOG_FACILITY_DAEMON },
+	{ "USER",	SYSLOG_FACILITY_USER },
+	{ "AUTH",	SYSLOG_FACILITY_AUTH },
+	{ "LOCAL0",	SYSLOG_FACILITY_LOCAL0 },
+	{ "LOCAL1",	SYSLOG_FACILITY_LOCAL1 },
+	{ "LOCAL2",	SYSLOG_FACILITY_LOCAL2 },
+	{ "LOCAL3",	SYSLOG_FACILITY_LOCAL3 },
+	{ "LOCAL4",	SYSLOG_FACILITY_LOCAL4 },
+	{ "LOCAL5",	SYSLOG_FACILITY_LOCAL5 },
+	{ "LOCAL6",	SYSLOG_FACILITY_LOCAL6 },
+	{ "LOCAL7",	SYSLOG_FACILITY_LOCAL7 },
+	{ NULL, 0 }
+};
+
+static struct {
+	const char *name;
+	LogLevel val;
+} log_levels[] =
+{
+	{ "QUIET",	SYSLOG_LEVEL_QUIET },
+	{ "FATAL",	SYSLOG_LEVEL_FATAL },
+	{ "ERROR",	SYSLOG_LEVEL_ERROR },
+	{ "INFO",	SYSLOG_LEVEL_INFO },
+	{ "VERBOSE",	SYSLOG_LEVEL_VERBOSE },
+	{ "DEBUG",	SYSLOG_LEVEL_DEBUG1 },
+	{ "DEBUG1",	SYSLOG_LEVEL_DEBUG1 },
+	{ "DEBUG2",	SYSLOG_LEVEL_DEBUG2 },
+	{ "DEBUG3",	SYSLOG_LEVEL_DEBUG3 },
+	{ NULL, 0 }
+};
+
+SyslogFacility
+log_facility_number(char *name)
+{
+	int i;
+	if (name != NULL)
+		for (i = 0; log_facilities[i].name; i++)
+			if (strcasecmp(log_facilities[i].name, name) == 0)
+				return log_facilities[i].val;
+	return (SyslogFacility) - 1;
+}
+
+LogLevel
+log_level_number(char *name)
+{
+	int i;
+	if (name != NULL)
+		for (i = 0; log_levels[i].name; i++)
+			if (strcasecmp(log_levels[i].name, name) == 0)
+				return log_levels[i].val;
+	return (LogLevel) - 1;
+}
+/* Fatal messages.  This function never returns. */
+
+void
+fatal(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_FATAL, fmt, args);
+	va_end(args);
+	fatal_cleanup();
+}
+
+/* Error messages that should be logged. */
+
+void
+error(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_ERROR, fmt, args);
+	va_end(args);
+}
+
+/* Log this message (information that usually should go to the log). */
+
+void
+log(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_INFO, fmt, args);
+	va_end(args);
+}
+
+/* More detailed messages (information that does not need to go to the log). */
+
+void
+verbose(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_VERBOSE, fmt, args);
+	va_end(args);
+}
+
+/* Debugging messages that should not be logged during normal operation. */
+
+void
+debug(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_DEBUG1, fmt, args);
+	va_end(args);
+}
+
+void
+debug2(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_DEBUG2, fmt, args);
+	va_end(args);
+}
+
+void
+debug3(const char *fmt,...)
+{
+	va_list args;
+	va_start(args, fmt);
+	do_log(SYSLOG_LEVEL_DEBUG3, fmt, args);
+	va_end(args);
+}
+
+/* Fatal cleanup */
+
+struct fatal_cleanup {
+	struct fatal_cleanup *next;
+	void (*proc) (void *);
+	void *context;
+};
+
+static struct fatal_cleanup *fatal_cleanups = NULL;
+
+/* Registers a cleanup function to be called by fatal() before exiting. */
+
+void
+fatal_add_cleanup(void (*proc) (void *), void *context)
+{
+	struct fatal_cleanup *cu;
+
+	cu = xmalloc(sizeof(*cu));
+	cu->proc = proc;
+	cu->context = context;
+	cu->next = fatal_cleanups;
+	fatal_cleanups = cu;
+}
+
+/* Removes a cleanup frunction to be called at fatal(). */
+
+void
+fatal_remove_cleanup(void (*proc) (void *context), void *context)
+{
+	struct fatal_cleanup **cup, *cu;
+
+	for (cup = &fatal_cleanups; *cup; cup = &cu->next) {
+		cu = *cup;
+		if (cu->proc == proc && cu->context == context) {
+			*cup = cu->next;
+			xfree(cu);
+			return;
+		}
+	}
+	fatal("fatal_remove_cleanup: no such cleanup function: 0x%lx 0x%lx",
+	    (u_long) proc, (u_long) context);
+}
+
+/* Cleanup and exit */
+void
+fatal_cleanup(void)
+{
+	struct fatal_cleanup *cu, *next_cu;
+	static int called = 0;
+
+	if (called)
+		exit(255);
+	called = 1;
+	/* Call cleanup functions. */
+	for (cu = fatal_cleanups; cu; cu = next_cu) {
+		next_cu = cu->next;
+		debug("Calling cleanup 0x%lx(0x%lx)",
+		      (u_long) cu->proc, (u_long) cu->context);
+		(*cu->proc) (cu->context);
+	}
+	exit(255);
+}
+
+
+/*
+ * Initialize the log.
+ */
+
+void
+log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
+{
+	argv0 = av0;
+
+	switch (level) {
+	case SYSLOG_LEVEL_QUIET:
+	case SYSLOG_LEVEL_FATAL:
+	case SYSLOG_LEVEL_ERROR:
+	case SYSLOG_LEVEL_INFO:
+	case SYSLOG_LEVEL_VERBOSE:
+	case SYSLOG_LEVEL_DEBUG1:
+	case SYSLOG_LEVEL_DEBUG2:
+	case SYSLOG_LEVEL_DEBUG3:
+		log_level = level;
+		break;
+	default:
+		fprintf(stderr, "Unrecognized internal syslog level code %d\n",
+		    (int) level);
+		exit(1);
+	}
+
+	log_on_stderr = on_stderr;
+	if (on_stderr)
+		return;
+
+	switch (facility) {
+	case SYSLOG_FACILITY_DAEMON:
+		log_facility = LOG_DAEMON;
+		break;
+	case SYSLOG_FACILITY_USER:
+		log_facility = LOG_USER;
+		break;
+	case SYSLOG_FACILITY_AUTH:
+		log_facility = LOG_AUTH;
+		break;
+	case SYSLOG_FACILITY_LOCAL0:
+		log_facility = LOG_LOCAL0;
+		break;
+	case SYSLOG_FACILITY_LOCAL1:
+		log_facility = LOG_LOCAL1;
+		break;
+	case SYSLOG_FACILITY_LOCAL2:
+		log_facility = LOG_LOCAL2;
+		break;
+	case SYSLOG_FACILITY_LOCAL3:
+		log_facility = LOG_LOCAL3;
+		break;
+	case SYSLOG_FACILITY_LOCAL4:
+		log_facility = LOG_LOCAL4;
+		break;
+	case SYSLOG_FACILITY_LOCAL5:
+		log_facility = LOG_LOCAL5;
+		break;
+	case SYSLOG_FACILITY_LOCAL6:
+		log_facility = LOG_LOCAL6;
+		break;
+	case SYSLOG_FACILITY_LOCAL7:
+		log_facility = LOG_LOCAL7;
+		break;
+	default:
+		fprintf(stderr,
+		    "Unrecognized internal syslog facility code %d\n",
+		    (int) facility);
+		exit(1);
+	}
+}
+
+#define MSGBUFSIZ 1024
+
+void
+do_log(LogLevel level, const char *fmt, va_list args)
+{
+	char msgbuf[MSGBUFSIZ];
+	char fmtbuf[MSGBUFSIZ];
+	char *txt = NULL;
+	int pri = LOG_INFO;
+
+	if (level > log_level)
+		return;
+
+	switch (level) {
+	case SYSLOG_LEVEL_FATAL:
+		if (!log_on_stderr)
+			txt = "fatal";
+		pri = LOG_CRIT;
+		break;
+	case SYSLOG_LEVEL_ERROR:
+		if (!log_on_stderr)
+			txt = "error";
+		pri = LOG_ERR;
+		break;
+	case SYSLOG_LEVEL_INFO:
+		pri = LOG_INFO;
+		break;
+	case SYSLOG_LEVEL_VERBOSE:
+		pri = LOG_INFO;
+		break;
+	case SYSLOG_LEVEL_DEBUG1:
+		txt = "debug1";
+		pri = LOG_DEBUG;
+		break;
+	case SYSLOG_LEVEL_DEBUG2:
+		txt = "debug2";
+		pri = LOG_DEBUG;
+		break;
+	case SYSLOG_LEVEL_DEBUG3:
+		txt = "debug3";
+		pri = LOG_DEBUG;
+		break;
+	default:
+		txt = "internal error";
+		pri = LOG_ERR;
+		break;
+	}
+	if (txt != NULL) {
+		snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
+		vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
+	} else {
+		vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
+	}
+	if (log_on_stderr) {
+		fprintf(stderr, "%s\r\n", msgbuf);
+	} else {
+		openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
+		syslog(pri, "%.500s", msgbuf);
+		closelog();
+	}
+}
diff --git a/crypto/openssh/log.h b/crypto/openssh/log.h
new file mode 100644
index 0000000..ad9fa3f
--- /dev/null
+++ b/crypto/openssh/log.h
@@ -0,0 +1,75 @@
+/*	$OpenBSD: log.h,v 1.2 2001/01/29 01:58:16 niklas Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#ifndef SSH_LOG_H
+#define SSH_LOG_H
+
+/* Supported syslog facilities and levels. */
+typedef enum {
+	SYSLOG_FACILITY_DAEMON,
+	SYSLOG_FACILITY_USER,
+	SYSLOG_FACILITY_AUTH,
+	SYSLOG_FACILITY_LOCAL0,
+	SYSLOG_FACILITY_LOCAL1,
+	SYSLOG_FACILITY_LOCAL2,
+	SYSLOG_FACILITY_LOCAL3,
+	SYSLOG_FACILITY_LOCAL4,
+	SYSLOG_FACILITY_LOCAL5,
+	SYSLOG_FACILITY_LOCAL6,
+	SYSLOG_FACILITY_LOCAL7
+}       SyslogFacility;
+
+typedef enum {
+	SYSLOG_LEVEL_QUIET,
+	SYSLOG_LEVEL_FATAL,
+	SYSLOG_LEVEL_ERROR,
+	SYSLOG_LEVEL_INFO,
+	SYSLOG_LEVEL_VERBOSE,
+	SYSLOG_LEVEL_DEBUG1,
+	SYSLOG_LEVEL_DEBUG2,
+	SYSLOG_LEVEL_DEBUG3
+}       LogLevel;
+/* Initializes logging. */
+void    log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr);
+
+/* Logging implementation, depending on server or client */
+void    do_log(LogLevel level, const char *fmt, va_list args);
+
+/* name to facility/level */
+SyslogFacility log_facility_number(char *name);
+LogLevel log_level_number(char *name);
+
+/* Output a message to syslog or stderr */
+void    fatal(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void    error(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void    log(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void    verbose(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void    debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void    debug2(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+void    debug3(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+
+/* same as fatal() but w/o logging */
+void    fatal_cleanup(void);
+
+/*
+ * Registers a cleanup function to be called by fatal()/fatal_cleanup()
+ * before exiting. It is permissible to call fatal_remove_cleanup for the
+ * function itself from the function.
+ */
+void    fatal_add_cleanup(void (*proc) (void *context), void *context);
+
+/* Removes a cleanup function to be called at fatal(). */
+void    fatal_remove_cleanup(void (*proc) (void *context), void *context);
+
+#endif
diff --git a/crypto/openssh/mac.c b/crypto/openssh/mac.c
new file mode 100644
index 0000000..e8b4267
--- /dev/null
+++ b/crypto/openssh/mac.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: mac.c,v 1.2 2001/04/05 10:42:51 markus Exp $");
+
+#include <openssl/hmac.h>
+
+#include "xmalloc.h"
+#include "getput.h"
+#include "log.h"
+#include "cipher.h"
+#include "kex.h"
+#include "mac.h"
+
+struct {
+	char		*name;
+	EVP_MD *	(*mdfunc)(void);
+	int		truncatebits;	/* truncate digest if != 0 */
+} macs[] = {
+	{ "hmac-sha1",			EVP_sha1, 0, },
+	{ "hmac-sha1-96",		EVP_sha1, 96 },
+	{ "hmac-md5",			EVP_md5, 0 },
+	{ "hmac-md5-96",		EVP_md5, 96 },
+	{ "hmac-ripemd160",		EVP_ripemd160, 0 },
+	{ "hmac-ripemd160@openssh.com",	EVP_ripemd160, 0 },
+	{ NULL,				NULL, 0 }
+};
+
+int
+mac_init(Mac *mac, char *name)
+{
+	int i;
+	for (i = 0; macs[i].name; i++) {
+		if (strcmp(name, macs[i].name) == 0) {
+			if (mac != NULL) {
+				mac->md = (*macs[i].mdfunc)();
+				mac->key_len = mac->mac_len = mac->md->md_size;
+				if (macs[i].truncatebits != 0)
+					mac->mac_len = macs[i].truncatebits/8;
+			}
+			debug2("mac_init: found %s", name);
+			return (0);
+		}
+	}
+	debug2("mac_init: unknown %s", name);
+	return (-1);
+}
+
+u_char *
+mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
+{
+	HMAC_CTX c;
+	static u_char m[EVP_MAX_MD_SIZE];
+	u_char b[4];
+
+	if (mac->key == NULL)
+		fatal("mac_compute: no key");
+	if (mac->mac_len > sizeof(m))
+		fatal("mac_compute: mac too long");
+	HMAC_Init(&c, mac->key, mac->key_len, mac->md);
+	PUT_32BIT(b, seqno);
+	HMAC_Update(&c, b, sizeof(b));
+	HMAC_Update(&c, data, datalen);
+	HMAC_Final(&c, m, NULL);
+	HMAC_cleanup(&c);
+	return (m);
+}
+
+/* XXX copied from ciphers_valid */
+#define	MAC_SEP	","
+int
+mac_valid(const char *names)
+{
+	char *maclist, *cp, *p;
+
+	if (names == NULL || strcmp(names, "") == 0)
+		return (0);
+	maclist = cp = xstrdup(names);
+	for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0';
+	     (p = strsep(&cp, MAC_SEP))) {
+		if (mac_init(NULL, p) < 0) {
+			debug("bad mac %s [%s]", p, names);
+			xfree(maclist);
+			return (0);
+		} else {
+			debug3("mac ok: %s [%s]", p, names);
+		}
+	}
+	debug3("macs ok: [%s]", names);
+	xfree(maclist);
+	return (1);
+}
diff --git a/crypto/openssh/mac.h b/crypto/openssh/mac.h
new file mode 100644
index 0000000..6173eaa
--- /dev/null
+++ b/crypto/openssh/mac.h
@@ -0,0 +1,28 @@
+/*      $OpenBSD: mac.h,v 1.1 2001/02/11 12:59:24 markus Exp $   */
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+int	mac_valid(const char *names);
+int	mac_init(Mac *mac, char *name);
+u_char	*mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen);
diff --git a/crypto/openssh/match.c b/crypto/openssh/match.c
new file mode 100644
index 0000000..ebb562a
--- /dev/null
+++ b/crypto/openssh/match.c
@@ -0,0 +1,206 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Simple pattern matching, with '*' and '?' as wildcards.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: match.c,v 1.12 2001/03/10 17:51:04 markus Exp $");
+
+#include "match.h"
+#include "xmalloc.h"
+
+/*
+ * Returns true if the given string matches the pattern (which may contain ?
+ * and * as wildcards), and zero if it does not match.
+ */
+
+int
+match_pattern(const char *s, const char *pattern)
+{
+	for (;;) {
+		/* If at end of pattern, accept if also at end of string. */
+		if (!*pattern)
+			return !*s;
+
+		if (*pattern == '*') {
+			/* Skip the asterisk. */
+			pattern++;
+
+			/* If at end of pattern, accept immediately. */
+			if (!*pattern)
+				return 1;
+
+			/* If next character in pattern is known, optimize. */
+			if (*pattern != '?' && *pattern != '*') {
+				/*
+				 * Look instances of the next character in
+				 * pattern, and try to match starting from
+				 * those.
+				 */
+				for (; *s; s++)
+					if (*s == *pattern &&
+					    match_pattern(s + 1, pattern + 1))
+						return 1;
+				/* Failed. */
+				return 0;
+			}
+			/*
+			 * Move ahead one character at a time and try to
+			 * match at each position.
+			 */
+			for (; *s; s++)
+				if (match_pattern(s, pattern))
+					return 1;
+			/* Failed. */
+			return 0;
+		}
+		/*
+		 * There must be at least one more character in the string.
+		 * If we are at the end, fail.
+		 */
+		if (!*s)
+			return 0;
+
+		/* Check if the next character of the string is acceptable. */
+		if (*pattern != '?' && *pattern != *s)
+			return 0;
+
+		/* Move to the next character, both in string and in pattern. */
+		s++;
+		pattern++;
+	}
+	/* NOTREACHED */
+}
+
+/*
+ * Tries to match the host name (which must be in all lowercase) against the
+ * comma-separated sequence of subpatterns (each possibly preceded by ! to
+ * indicate negation).  Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
+ */
+
+int
+match_hostname(const char *host, const char *pattern, u_int len)
+{
+	char sub[1024];
+	int negated;
+	int got_positive;
+	u_int i, subi;
+
+	got_positive = 0;
+	for (i = 0; i < len;) {
+		/* Check if the subpattern is negated. */
+		if (pattern[i] == '!') {
+			negated = 1;
+			i++;
+		} else
+			negated = 0;
+
+		/*
+		 * Extract the subpattern up to a comma or end.  Convert the
+		 * subpattern to lowercase.
+		 */
+		for (subi = 0;
+		     i < len && subi < sizeof(sub) - 1 && pattern[i] != ',';
+		     subi++, i++)
+			sub[subi] = isupper(pattern[i]) ? tolower(pattern[i]) : pattern[i];
+		/* If subpattern too long, return failure (no match). */
+		if (subi >= sizeof(sub) - 1)
+			return 0;
+
+		/* If the subpattern was terminated by a comma, skip the comma. */
+		if (i < len && pattern[i] == ',')
+			i++;
+
+		/* Null-terminate the subpattern. */
+		sub[subi] = '\0';
+
+		/* Try to match the subpattern against the host name. */
+		if (match_pattern(host, sub)) {
+			if (negated)
+				return -1;		/* Negative */
+			else
+				got_positive = 1;	/* Positive */
+		}
+	}
+
+	/*
+	 * Return success if got a positive match.  If there was a negative
+	 * match, we have already returned -1 and never get here.
+	 */
+	return got_positive;
+}
+
+
+#define	MAX_PROP	20
+#define	SEP	","
+char *
+match_list(const char *client, const char *server, u_int *next)
+{
+	char *sproposals[MAX_PROP];
+	char *c, *s, *p, *ret, *cp, *sp;
+	int i, j, nproposals;
+
+	c = cp = xstrdup(client);
+	s = sp = xstrdup(server);
+
+	for ((p = strsep(&sp, SEP)), i=0; p && *p != '\0';
+	     (p = strsep(&sp, SEP)), i++) {
+		if (i < MAX_PROP)
+			sproposals[i] = p;
+		else
+			break;
+	}
+	nproposals = i;
+
+	for ((p = strsep(&cp, SEP)), i=0; p && *p != '\0';
+	     (p = strsep(&cp, SEP)), i++) {
+		for (j = 0; j < nproposals; j++) {
+			if (strcmp(p, sproposals[j]) == 0) {
+				ret = xstrdup(p);
+				if (next != NULL)
+					*next = (cp == NULL) ?
+					    strlen(c) : cp - c;
+				xfree(c);
+				xfree(s);
+				return ret;
+			}
+		}
+	}
+	if (next != NULL)
+		*next = strlen(c);
+	xfree(c);
+	xfree(s);
+	return NULL;
+}
diff --git a/crypto/openssh/match.h b/crypto/openssh/match.h
new file mode 100644
index 0000000..09c9311
--- /dev/null
+++ b/crypto/openssh/match.h
@@ -0,0 +1,39 @@
+/*	$OpenBSD: match.h,v 1.7 2001/03/10 17:51:04 markus Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * This file contains various auxiliary functions related to multiple
+ * precision integers.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+#ifndef MATCH_H
+#define MATCH_H
+
+/*
+ * Returns true if the given string matches the pattern (which may contain ?
+ * and * as wildcards), and zero if it does not match.
+ */
+int     match_pattern(const char *s, const char *pattern);
+
+/*
+ * Tries to match the host name (which must be in all lowercase) against the
+ * comma-separated sequence of subpatterns (each possibly preceded by ! to
+ * indicate negation).  Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
+ */
+int     match_hostname(const char *host, const char *pattern, u_int len);
+
+/*
+ * Returns first item from client-list that is also supported by server-list,
+ * caller must xfree() returned string.
+ */
+char	*match_list(const char *client, const char *server, u_int *next);
+
+#endif
diff --git a/crypto/openssh/misc.c b/crypto/openssh/misc.c
new file mode 100644
index 0000000..b5c0fd1
--- /dev/null
+++ b/crypto/openssh/misc.c
@@ -0,0 +1,130 @@
+/*	$OpenBSD: misc.c,v 1.5 2001/04/12 20:09:37 stevesk Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: misc.c,v 1.5 2001/04/12 20:09:37 stevesk Exp $");
+
+#include "misc.h"
+#include "log.h"
+#include "xmalloc.h"
+
+char *
+chop(char *s)
+{
+	char *t = s;
+	while (*t) {
+		if(*t == '\n' || *t == '\r') {
+			*t = '\0';
+			return s;
+		}
+		t++;
+	}
+	return s;
+
+}
+
+void
+set_nonblock(int fd)
+{
+	int val;
+	val = fcntl(fd, F_GETFL, 0);
+	if (val < 0) {
+		error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
+		return;
+	}
+	if (val & O_NONBLOCK) {
+		debug("fd %d IS O_NONBLOCK", fd);
+		return;
+	}
+	debug("fd %d setting O_NONBLOCK", fd);
+	val |= O_NONBLOCK;
+	if (fcntl(fd, F_SETFL, val) == -1)
+		if (errno != ENODEV)
+			error("fcntl(%d, F_SETFL, O_NONBLOCK): %s",
+			    fd, strerror(errno));
+}
+
+/* Characters considered whitespace in strsep calls. */
+#define WHITESPACE " \t\r\n"
+
+char *
+strdelim(char **s)
+{
+	char *old;
+	int wspace = 0;
+
+	if (*s == NULL)
+		return NULL;
+
+	old = *s;
+
+	*s = strpbrk(*s, WHITESPACE "=");
+	if (*s == NULL)
+		return (old);
+
+	/* Allow only one '=' to be skipped */
+	if (*s[0] == '=')
+		wspace = 1;
+	*s[0] = '\0';
+
+	*s += strspn(*s + 1, WHITESPACE) + 1;
+	if (*s[0] == '=' && !wspace)
+		*s += strspn(*s + 1, WHITESPACE) + 1;
+
+	return (old);
+}
+
+struct passwd *
+pwcopy(struct passwd *pw)
+{
+	struct passwd *copy = xmalloc(sizeof(*copy));
+
+	memset(copy, 0, sizeof(*copy));
+	copy->pw_name = xstrdup(pw->pw_name);
+	copy->pw_passwd = xstrdup(pw->pw_passwd);
+	copy->pw_gecos = xstrdup(pw->pw_gecos);
+	copy->pw_uid = pw->pw_uid;
+	copy->pw_gid = pw->pw_gid;
+	copy->pw_class = xstrdup(pw->pw_class);
+	copy->pw_dir = xstrdup(pw->pw_dir);
+	copy->pw_shell = xstrdup(pw->pw_shell);
+	return copy;
+}
+
+int a2port(const char *s)
+{
+	long port;
+	char *endp;
+
+	errno = 0;
+	port = strtol(s, &endp, 0);
+	if (s == endp || *endp != '\0' ||
+	    (errno == ERANGE && (port == LONG_MIN || port == LONG_MAX)) ||
+	    port <= 0 || port > 65535)
+		return 0;
+
+	return port;
+}
diff --git a/crypto/openssh/misc.h b/crypto/openssh/misc.h
new file mode 100644
index 0000000..9cd4ac1
--- /dev/null
+++ b/crypto/openssh/misc.h
@@ -0,0 +1,30 @@
+/*	$OpenBSD: misc.h,v 1.4 2001/04/12 20:09:36 stevesk Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+/* remove newline at end of string */
+char	*chop(char *s);
+
+/* return next token in configuration line */
+char	*strdelim(char **s);
+
+/* set filedescriptor to non-blocking */
+void	set_nonblock(int fd);
+
+struct passwd * pwcopy(struct passwd *pw);
+
+/*
+ * Convert ASCII string to TCP/IP port number.
+ * Port must be >0 and <=65535.
+ * Return 0 if invalid.
+ */
+int a2port(const char *s);
diff --git a/crypto/openssh/mpaux.c b/crypto/openssh/mpaux.c
new file mode 100644
index 0000000..d2ef24f
--- /dev/null
+++ b/crypto/openssh/mpaux.c
@@ -0,0 +1,47 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * This file contains various auxiliary functions related to multiple
+ * precision integers.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: mpaux.c,v 1.16 2001/02/08 19:30:52 itojun Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/bn.h>
+#include "getput.h"
+#include "xmalloc.h"
+
+#include <openssl/md5.h>
+
+#include "mpaux.h"
+
+void
+compute_session_id(u_char session_id[16],
+    u_char cookie[8],
+    BIGNUM* host_key_n,
+    BIGNUM* session_key_n)
+{
+	u_int host_key_bytes = BN_num_bytes(host_key_n);
+	u_int session_key_bytes = BN_num_bytes(session_key_n);
+	u_int bytes = host_key_bytes + session_key_bytes;
+	u_char *buf = xmalloc(bytes);
+	MD5_CTX md;
+
+	BN_bn2bin(host_key_n, buf);
+	BN_bn2bin(session_key_n, buf + host_key_bytes);
+	MD5_Init(&md);
+	MD5_Update(&md, buf, bytes);
+	MD5_Update(&md, cookie, 8);
+	MD5_Final(session_id, &md);
+	memset(buf, 0, bytes);
+	xfree(buf);
+}
diff --git a/crypto/openssh/mpaux.h b/crypto/openssh/mpaux.h
new file mode 100644
index 0000000..b3f15e4
--- /dev/null
+++ b/crypto/openssh/mpaux.h
@@ -0,0 +1,31 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * This file contains various auxiliary functions related to multiple
+ * precision integers.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: mpaux.h,v 1.9 2000/12/19 23:17:57 markus Exp $"); */
+
+#ifndef MPAUX_H
+#define MPAUX_H
+
+/*
+ * Computes a 16-byte session id in the global variable session_id. The
+ * session id is computed by concatenating the linearized, msb first
+ * representations of host_key_n, session_key_n, and the cookie.
+ */
+void
+compute_session_id(u_char session_id[16],
+    u_char cookie[8],
+    BIGNUM * host_key_n,
+    BIGNUM * session_key_n);
+
+#endif				/* MPAUX_H */
diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h
new file mode 100644
index 0000000..4a9a363
--- /dev/null
+++ b/crypto/openssh/myproposal.h
@@ -0,0 +1,52 @@
+/*	$OpenBSD: myproposal.h,v 1.12 2001/03/05 15:56:16 deraadt Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#define KEX_DEFAULT_KEX		"diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
+#define	KEX_DEFAULT_PK_ALG	"ssh-rsa,ssh-dss"
+#define	KEX_DEFAULT_ENCRYPT \
+	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \
+	"aes192-cbc,aes256-cbc," \
+	"rijndael128-cbc,rijndael192-cbc,rijndael256-cbc," \
+	"rijndael-cbc@lysator.liu.se"
+#define	KEX_DEFAULT_MAC \
+	"hmac-md5,hmac-sha1,hmac-ripemd160," \
+	"hmac-ripemd160@openssh.com," \
+	"hmac-sha1-96,hmac-md5-96"
+#define	KEX_DEFAULT_COMP	"none,zlib"
+#define	KEX_DEFAULT_LANG	""
+
+
+static char *myproposal[PROPOSAL_MAX] = {
+	KEX_DEFAULT_KEX,
+	KEX_DEFAULT_PK_ALG,
+	KEX_DEFAULT_ENCRYPT,
+	KEX_DEFAULT_ENCRYPT,
+	KEX_DEFAULT_MAC,
+	KEX_DEFAULT_MAC,
+	KEX_DEFAULT_COMP,
+	KEX_DEFAULT_COMP,
+	KEX_DEFAULT_LANG,
+	KEX_DEFAULT_LANG
+};
diff --git a/crypto/openssh/nchan.c b/crypto/openssh/nchan.c
new file mode 100644
index 0000000..eb96501
--- /dev/null
+++ b/crypto/openssh/nchan.c
@@ -0,0 +1,498 @@
+/*
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: nchan.c,v 1.23 2001/02/28 08:54:55 markus Exp $");
+
+#include "ssh1.h"
+#include "ssh2.h"
+#include "buffer.h"
+#include "packet.h"
+#include "channels.h"
+#include "nchan.h"
+#include "compat.h"
+#include "log.h"
+
+/* functions manipulating channel states */
+/*
+ * EVENTS update channel input/output states execute ACTIONS
+ */
+/* events concerning the INPUT from socket for channel (istate) */
+chan_event_fn *chan_rcvd_oclose			= NULL;
+chan_event_fn *chan_read_failed			= NULL;
+chan_event_fn *chan_ibuf_empty			= NULL;
+/* events concerning the OUTPUT from channel for socket (ostate) */
+chan_event_fn *chan_rcvd_ieof			= NULL;
+chan_event_fn *chan_write_failed		= NULL;
+chan_event_fn *chan_obuf_empty			= NULL;
+/*
+ * ACTIONS: should never update the channel states
+ */
+static void	chan_send_ieof1(Channel *c);
+static void	chan_send_oclose1(Channel *c);
+static void	chan_send_close2(Channel *c);
+static void	chan_send_eof2(Channel *c);
+
+/* helper */
+static void	chan_shutdown_write(Channel *c);
+static void	chan_shutdown_read(Channel *c);
+
+/*
+ * SSH1 specific implementation of event functions
+ */
+
+static void
+chan_rcvd_oclose1(Channel *c)
+{
+	debug("channel %d: rcvd oclose", c->self);
+	switch (c->istate) {
+	case CHAN_INPUT_WAIT_OCLOSE:
+		debug("channel %d: input wait_oclose -> closed", c->self);
+		c->istate = CHAN_INPUT_CLOSED;
+		break;
+	case CHAN_INPUT_OPEN:
+		debug("channel %d: input open -> closed", c->self);
+		chan_shutdown_read(c);
+		chan_send_ieof1(c);
+		c->istate = CHAN_INPUT_CLOSED;
+		break;
+	case CHAN_INPUT_WAIT_DRAIN:
+		/* both local read_failed and remote write_failed  */
+		log("channel %d: input drain -> closed", c->self);
+		chan_send_ieof1(c);
+		c->istate = CHAN_INPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: protocol error: chan_rcvd_oclose for istate %d",
+		    c->self, c->istate);
+		return;
+	}
+}
+static void
+chan_read_failed_12(Channel *c)
+{
+	debug("channel %d: read failed", c->self);
+	switch (c->istate) {
+	case CHAN_INPUT_OPEN:
+		debug("channel %d: input open -> drain", c->self);
+		chan_shutdown_read(c);
+		c->istate = CHAN_INPUT_WAIT_DRAIN;
+		if (buffer_len(&c->input) == 0) {
+			debug("channel %d: input: no drain shortcut", c->self);
+			chan_ibuf_empty(c);
+		}
+		break;
+	default:
+		error("channel %d: internal error: we do not read, but chan_read_failed for istate %d",
+		    c->self, c->istate);
+		break;
+	}
+}
+static void
+chan_ibuf_empty1(Channel *c)
+{
+	debug("channel %d: ibuf empty", c->self);
+	if (buffer_len(&c->input)) {
+		error("channel %d: internal error: chan_ibuf_empty for non empty buffer",
+		    c->self);
+		return;
+	}
+	switch (c->istate) {
+	case CHAN_INPUT_WAIT_DRAIN:
+		debug("channel %d: input drain -> wait_oclose", c->self);
+		chan_send_ieof1(c);
+		c->istate = CHAN_INPUT_WAIT_OCLOSE;
+		break;
+	default:
+		error("channel %d: internal error: chan_ibuf_empty for istate %d",
+		    c->self, c->istate);
+		break;
+	}
+}
+static void
+chan_rcvd_ieof1(Channel *c)
+{
+	debug("channel %d: rcvd ieof", c->self);
+	if (c->type != SSH_CHANNEL_OPEN) {
+		debug("channel %d: non-open", c->self);
+		if (c->istate == CHAN_INPUT_OPEN) {
+			debug("channel %d: non-open: input open -> wait_oclose", c->self);
+			chan_shutdown_read(c);
+			chan_send_ieof1(c);
+			c->istate = CHAN_INPUT_WAIT_OCLOSE;
+		} else {
+			error("channel %d: istate %d != open", c->self, c->istate);
+		}
+		if (c->ostate == CHAN_OUTPUT_OPEN) {
+			debug("channel %d: non-open: output open -> closed", c->self);
+			chan_send_oclose1(c);
+			c->ostate = CHAN_OUTPUT_CLOSED;
+		} else {
+			error("channel %d: ostate %d != open", c->self, c->ostate);
+		}
+		return;
+	}
+	switch (c->ostate) {
+	case CHAN_OUTPUT_OPEN:
+		debug("channel %d: output open -> drain", c->self);
+		c->ostate = CHAN_OUTPUT_WAIT_DRAIN;
+		break;
+	case CHAN_OUTPUT_WAIT_IEOF:
+		debug("channel %d: output wait_ieof -> closed", c->self);
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: protocol error: chan_rcvd_ieof for ostate %d",
+		    c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_write_failed1(Channel *c)
+{
+	debug("channel %d: write failed", c->self);
+	switch (c->ostate) {
+	case CHAN_OUTPUT_OPEN:
+		debug("channel %d: output open -> wait_ieof", c->self);
+		chan_send_oclose1(c);
+		c->ostate = CHAN_OUTPUT_WAIT_IEOF;
+		break;
+	case CHAN_OUTPUT_WAIT_DRAIN:
+		debug("channel %d: output wait_drain -> closed", c->self);
+		chan_send_oclose1(c);
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: internal error: chan_write_failed for ostate %d",
+		    c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_obuf_empty1(Channel *c)
+{
+	debug("channel %d: obuf empty", c->self);
+	if (buffer_len(&c->output)) {
+		error("channel %d: internal error: chan_obuf_empty for non empty buffer",
+		    c->self);
+		return;
+	}
+	switch (c->ostate) {
+	case CHAN_OUTPUT_WAIT_DRAIN:
+		debug("channel %d: output drain -> closed", c->self);
+		chan_send_oclose1(c);
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: internal error: chan_obuf_empty for ostate %d",
+		    c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_send_ieof1(Channel *c)
+{
+	debug("channel %d: send ieof", c->self);
+	switch (c->istate) {
+	case CHAN_INPUT_OPEN:
+	case CHAN_INPUT_WAIT_DRAIN:
+		packet_start(SSH_MSG_CHANNEL_INPUT_EOF);
+		packet_put_int(c->remote_id);
+		packet_send();
+		break;
+	default:
+		error("channel %d: internal error: cannot send ieof for istate %d",
+		    c->self, c->istate);
+		break;
+	}
+}
+static void
+chan_send_oclose1(Channel *c)
+{
+	debug("channel %d: send oclose", c->self);
+	switch (c->ostate) {
+	case CHAN_OUTPUT_OPEN:
+	case CHAN_OUTPUT_WAIT_DRAIN:
+		chan_shutdown_write(c);
+		buffer_consume(&c->output, buffer_len(&c->output));
+		packet_start(SSH_MSG_CHANNEL_OUTPUT_CLOSE);
+		packet_put_int(c->remote_id);
+		packet_send();
+		break;
+	default:
+		error("channel %d: internal error: cannot send oclose for ostate %d",
+		     c->self, c->ostate);
+		break;
+	}
+}
+
+/*
+ * the same for SSH2
+ */
+static void
+chan_rcvd_oclose2(Channel *c)
+{
+	debug("channel %d: rcvd close", c->self);
+	if (c->flags & CHAN_CLOSE_RCVD)
+		error("channel %d: protocol error: close rcvd twice", c->self);
+	c->flags |= CHAN_CLOSE_RCVD;
+	if (c->type == SSH_CHANNEL_LARVAL) {
+		/* tear down larval channels immediately */
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		c->istate = CHAN_INPUT_CLOSED;
+		return;
+	}
+	switch (c->ostate) {
+	case CHAN_OUTPUT_OPEN:
+		/* wait until a data from the channel is consumed if a CLOSE is received */
+		debug("channel %d: output open -> drain", c->self);
+		c->ostate = CHAN_OUTPUT_WAIT_DRAIN;
+		break;
+	}
+	switch (c->istate) {
+	case CHAN_INPUT_OPEN:
+		debug("channel %d: input open -> closed", c->self);
+		chan_shutdown_read(c);
+		break;
+	case CHAN_INPUT_WAIT_DRAIN:
+		debug("channel %d: input drain -> closed", c->self);
+		chan_send_eof2(c);
+		break;
+	}
+	c->istate = CHAN_INPUT_CLOSED;
+}
+static void
+chan_ibuf_empty2(Channel *c)
+{
+	debug("channel %d: ibuf empty", c->self);
+	if (buffer_len(&c->input)) {
+		error("channel %d: internal error: chan_ibuf_empty for non empty buffer",
+		     c->self);
+		return;
+	}
+	switch (c->istate) {
+	case CHAN_INPUT_WAIT_DRAIN:
+		debug("channel %d: input drain -> closed", c->self);
+		if (!(c->flags & CHAN_CLOSE_SENT))
+			chan_send_eof2(c);
+		c->istate = CHAN_INPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: internal error: chan_ibuf_empty for istate %d",
+		     c->self, c->istate);
+		break;
+	}
+}
+static void
+chan_rcvd_ieof2(Channel *c)
+{
+	debug("channel %d: rcvd eof", c->self);
+	if (c->ostate == CHAN_OUTPUT_OPEN) {
+		debug("channel %d: output open -> drain", c->self);
+		c->ostate = CHAN_OUTPUT_WAIT_DRAIN;
+	}
+}
+static void
+chan_write_failed2(Channel *c)
+{
+	debug("channel %d: write failed", c->self);
+	switch (c->ostate) {
+	case CHAN_OUTPUT_OPEN:
+		debug("channel %d: output open -> closed", c->self);
+		chan_shutdown_write(c); /* ?? */
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	case CHAN_OUTPUT_WAIT_DRAIN:
+		debug("channel %d: output drain -> closed", c->self);
+		chan_shutdown_write(c);
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: internal error: chan_write_failed for ostate %d",
+		    c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_obuf_empty2(Channel *c)
+{
+	debug("channel %d: obuf empty", c->self);
+	if (buffer_len(&c->output)) {
+		error("internal error: chan_obuf_empty %d for non empty buffer",
+		    c->self);
+		return;
+	}
+	switch (c->ostate) {
+	case CHAN_OUTPUT_WAIT_DRAIN:
+		debug("channel %d: output drain -> closed", c->self);
+		chan_shutdown_write(c);
+		c->ostate = CHAN_OUTPUT_CLOSED;
+		break;
+	default:
+		error("channel %d: internal error: chan_obuf_empty for ostate %d",
+		    c->self, c->ostate);
+		break;
+	}
+}
+static void
+chan_send_eof2(Channel *c)
+{
+	debug("channel %d: send eof", c->self);
+	switch (c->istate) {
+	case CHAN_INPUT_WAIT_DRAIN:
+		packet_start(SSH2_MSG_CHANNEL_EOF);
+		packet_put_int(c->remote_id);
+		packet_send();
+		break;
+	default:
+		error("channel %d: internal error: cannot send eof for istate %d",
+		    c->self, c->istate);
+		break;
+	}
+}
+static void
+chan_send_close2(Channel *c)
+{
+	debug("channel %d: send close", c->self);
+	if (c->ostate != CHAN_OUTPUT_CLOSED ||
+	    c->istate != CHAN_INPUT_CLOSED) {
+		error("channel %d: internal error: cannot send close for istate/ostate %d/%d",
+		    c->self, c->istate, c->ostate);
+	} else if (c->flags & CHAN_CLOSE_SENT) {
+		error("channel %d: internal error: already sent close", c->self);
+	} else {
+		packet_start(SSH2_MSG_CHANNEL_CLOSE);
+		packet_put_int(c->remote_id);
+		packet_send();
+		c->flags |= CHAN_CLOSE_SENT;
+	}
+}
+
+/* shared */
+
+int
+chan_is_dead(Channel *c)
+{
+	if (c->istate != CHAN_INPUT_CLOSED || c->ostate != CHAN_OUTPUT_CLOSED)
+		return 0;
+	if (!compat20) {
+		debug("channel %d: is dead", c->self);
+		return 1;
+	}
+	/*
+	 * we have to delay the close message if the efd (for stderr) is
+	 * still active
+	 */
+	if (((c->extended_usage != CHAN_EXTENDED_IGNORE) &&
+	    buffer_len(&c->extended) > 0)
+#if 0
+	    || ((c->extended_usage == CHAN_EXTENDED_READ) &&
+	    c->efd != -1)
+#endif
+	    ) {
+		debug2("channel %d: active efd: %d len %d type %s",
+		    c->self, c->efd, buffer_len(&c->extended),
+		    c->extended_usage==CHAN_EXTENDED_READ ?
+		       "read": "write");
+	} else {
+		if (!(c->flags & CHAN_CLOSE_SENT)) {
+			chan_send_close2(c);
+		}
+		if ((c->flags & CHAN_CLOSE_SENT) &&
+		    (c->flags & CHAN_CLOSE_RCVD)) {
+			debug("channel %d: is dead", c->self);
+			return 1;
+		}
+	}
+	return 0;
+}
+
+void
+chan_init_iostates(Channel *c)
+{
+	c->ostate = CHAN_OUTPUT_OPEN;
+	c->istate = CHAN_INPUT_OPEN;
+	c->flags = 0;
+}
+
+/* init */
+void
+chan_init(void)
+{
+	if (compat20) {
+		chan_rcvd_oclose		= chan_rcvd_oclose2;
+		chan_read_failed		= chan_read_failed_12;
+		chan_ibuf_empty			= chan_ibuf_empty2;
+
+		chan_rcvd_ieof			= chan_rcvd_ieof2;
+		chan_write_failed		= chan_write_failed2;
+		chan_obuf_empty			= chan_obuf_empty2;
+	} else {
+		chan_rcvd_oclose		= chan_rcvd_oclose1;
+		chan_read_failed		= chan_read_failed_12;
+		chan_ibuf_empty			= chan_ibuf_empty1;
+
+		chan_rcvd_ieof			= chan_rcvd_ieof1;
+		chan_write_failed		= chan_write_failed1;
+		chan_obuf_empty			= chan_obuf_empty1;
+	}
+}
+
+/* helper */
+static void
+chan_shutdown_write(Channel *c)
+{
+	buffer_consume(&c->output, buffer_len(&c->output));
+	if (compat20 && c->type == SSH_CHANNEL_LARVAL)
+		return;
+	/* shutdown failure is allowed if write failed already */
+	debug("channel %d: close_write", c->self);
+	if (c->sock != -1) {
+		if (shutdown(c->sock, SHUT_WR) < 0)
+			debug("channel %d: chan_shutdown_write: shutdown() failed for fd%d: %.100s",
+			    c->self, c->sock, strerror(errno));
+	} else {
+		if (close(c->wfd) < 0)
+			log("channel %d: chan_shutdown_write: close() failed for fd%d: %.100s",
+			    c->self, c->wfd, strerror(errno));
+		c->wfd = -1;
+	}
+}
+static void
+chan_shutdown_read(Channel *c)
+{
+	if (compat20 && c->type == SSH_CHANNEL_LARVAL)
+		return;
+	debug("channel %d: close_read", c->self);
+	if (c->sock != -1) {
+		if (shutdown(c->sock, SHUT_RD) < 0)
+			error("channel %d: chan_shutdown_read: shutdown() failed for fd%d [i%d o%d]: %.100s",
+			    c->self, c->sock, c->istate, c->ostate, strerror(errno));
+	} else {
+		if (close(c->rfd) < 0)
+			log("channel %d: chan_shutdown_read: close() failed for fd%d: %.100s",
+			    c->self, c->rfd, strerror(errno));
+		c->rfd = -1;
+	}
+}
diff --git a/crypto/openssh/nchan.h b/crypto/openssh/nchan.h
new file mode 100644
index 0000000..623eccc
--- /dev/null
+++ b/crypto/openssh/nchan.h
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* RCSID("$OpenBSD: nchan.h,v 1.10 2001/02/28 08:54:55 markus Exp $"); */
+
+#ifndef NCHAN_H
+#define NCHAN_H
+
+/*
+ * SSH Protocol 1.5 aka New Channel Protocol
+ * Thanks to Martina, Axel and everyone who left Erlangen, leaving me bored.
+ * Written by Markus Friedl in October 1999
+ *
+ * Protocol versions 1.3 and 1.5 differ in the handshake protocol used for the
+ * tear down of channels:
+ *
+ * 1.3:	strict request-ack-protocol:
+ * 	CLOSE	->
+ * 		<-  CLOSE_CONFIRM
+ *
+ * 1.5:	uses variations of:
+ * 	IEOF	->
+ * 		<-  OCLOSE
+ * 		<-  IEOF
+ * 	OCLOSE	->
+ * 	i.e. both sides have to close the channel
+ *
+ * See the debugging output from 'ssh -v' and 'sshd -d' of
+ * ssh-1.2.27 as an example.
+ *
+ */
+
+/* ssh-proto-1.5 overloads prot-1.3-message-types */
+#define SSH_MSG_CHANNEL_INPUT_EOF	SSH_MSG_CHANNEL_CLOSE
+#define SSH_MSG_CHANNEL_OUTPUT_CLOSE	SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
+
+/* possible input states */
+#define CHAN_INPUT_OPEN			0x01
+#define CHAN_INPUT_WAIT_DRAIN		0x02
+#define CHAN_INPUT_WAIT_OCLOSE		0x04
+#define CHAN_INPUT_CLOSED		0x08
+
+/* possible output states */
+#define CHAN_OUTPUT_OPEN		0x10
+#define CHAN_OUTPUT_WAIT_DRAIN		0x20
+#define CHAN_OUTPUT_WAIT_IEOF		0x40
+#define CHAN_OUTPUT_CLOSED		0x80
+
+#define CHAN_CLOSE_SENT			0x01
+#define CHAN_CLOSE_RCVD			0x02
+
+
+/* Channel EVENTS */
+typedef void    chan_event_fn(Channel * c);
+
+/* for the input state */
+extern chan_event_fn	*chan_rcvd_oclose;
+extern chan_event_fn	*chan_read_failed;
+extern chan_event_fn	*chan_ibuf_empty;
+
+/* for the output state */
+extern chan_event_fn	*chan_rcvd_ieof;
+extern chan_event_fn	*chan_write_failed;
+extern chan_event_fn	*chan_obuf_empty;
+
+int chan_is_dead(Channel * c);
+
+void    chan_init_iostates(Channel * c);
+void	chan_init(void);
+#endif
diff --git a/crypto/openssh/nchan.ms b/crypto/openssh/nchan.ms
new file mode 100644
index 0000000..2d08022
--- /dev/null
+++ b/crypto/openssh/nchan.ms
@@ -0,0 +1,99 @@
+.\"	$OpenBSD: nchan.ms,v 1.7 2001/01/29 01:58:17 niklas Exp $
+.\"
+.\" 
+.\" Copyright (c) 1999 Markus Friedl.  All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.TL
+OpenSSH Channel Close Protocol 1.5 Implementation
+.SH
+Channel Input State Diagram
+.PS
+reset
+l=1
+s=1.2
+ellipsewid=s*ellipsewid
+boxwid=s*boxwid
+ellipseht=s*ellipseht
+S1: ellipse "INPUT" "OPEN"
+move right 2*l from last ellipse.e
+S4: ellipse "INPUT" "CLOSED"
+move down l from last ellipse.s
+S3: ellipse "INPUT" "WAIT" "OCLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "INPUT" "WAIT" "DRAIN"
+arrow "" "rcvd OCLOSE/" "shutdown_read" "send IEOF" from S1.e to S4.w
+arrow "ibuf_empty/" "send IEOF" from S2.e to S3.w
+arrow from S1.s to S2.n
+box invis "read_failed/" "shutdown_read" with .e at last arrow.c
+arrow  from S3.n to S4.s
+box invis "rcvd OCLOSE/" "-" with .w at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+arrow from S2.ne to S4.sw
+box invis "rcvd OCLOSE/     " with .e at last arrow.c
+box invis " send IEOF" with .w at last arrow.c
+.PE
+.SH
+Channel Output State Diagram
+.PS
+S1: ellipse "OUTPUT" "OPEN"
+move right 2*l from last ellipse.e
+S3: ellipse "OUTPUT" "WAIT" "IEOF"
+move down l from last ellipse.s
+S4: ellipse "OUTPUT" "CLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "OUTPUT" "WAIT" "DRAIN"
+arrow "" "write_failed/" "shutdown_write" "send OCLOSE" from S1.e to S3.w
+arrow "obuf_empty ||" "write_failed/" "shutdown_write" "send OCLOSE" from S2.e to S4.w
+arrow from S1.s to S2.n
+box invis "rcvd IEOF/" "-" with .e at last arrow.c
+arrow from S3.s to S4.n
+box invis "rcvd IEOF/" "-" with .w at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+.PE
+.SH
+Notes
+.PP
+The input buffer is filled with data from the socket
+(the socket represents the local consumer/producer of the
+forwarded channel).
+The data is then sent over the INPUT-end (transmit-end) of the channel to the
+remote peer.
+Data sent by the peer is received on the OUTPUT-end (receive-end),
+saved in the output buffer and written to the socket.
+.PP
+If the local protocol instance has forwarded all data on the
+INPUT-end of the channel, it sends an IEOF message to the peer.
+If the peer receives the IEOF and has consumed all
+data he replies with an OCLOSE.
+When the local instance receives the OCLOSE
+he considers the INPUT-half of the channel closed.
+The peer has his OUTOUT-half closed.
+.PP
+A channel can be deallocated by a protocol instance
+if both the INPUT- and the OUTOUT-half on his
+side of the channel are closed.
+Note that when an instance is unable to consume the
+received data, he is permitted to send an OCLOSE
+before the matching IEOF is received.
diff --git a/crypto/openssh/nchan2.ms b/crypto/openssh/nchan2.ms
new file mode 100644
index 0000000..1b119d1
--- /dev/null
+++ b/crypto/openssh/nchan2.ms
@@ -0,0 +1,64 @@
+.TL
+OpenSSH Channel Close Protocol 2.0 Implementation
+.SH
+Channel Input State Diagram
+.PS
+reset
+l=1
+s=1.2
+ellipsewid=s*ellipsewid
+boxwid=s*boxwid
+ellipseht=s*ellipseht
+S1: ellipse "INPUT" "OPEN"
+move right 2*l from last ellipse.e
+S3: ellipse invis
+move down l from last ellipse.s
+S4: ellipse "INPUT" "CLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "INPUT" "WAIT" "DRAIN"
+arrow from S1.e to S4.n
+box invis "rcvd CLOSE/" "shutdown_read" with .sw at last arrow.c
+arrow "ibuf_empty ||" "rcvd CLOSE/" "send EOF" "" from S2.e to S4.w
+arrow from S1.s to S2.n
+box invis "read_failed/" "shutdown_read" with .e at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+.PE
+.SH
+Channel Output State Diagram
+.PS
+S1: ellipse "OUTPUT" "OPEN"
+move right 2*l from last ellipse.e
+S3: ellipse invis
+move down l from last ellipse.s
+S4: ellipse "OUTPUT" "CLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "OUTPUT" "WAIT" "DRAIN"
+arrow from S1.e to S4.n
+box invis "write_failed/" "shutdown_write" with .sw at last arrow.c
+arrow "obuf_empty ||" "write_failed/" "shutdown_write" "" from S2.e to S4.w
+arrow from S1.s to S2.n
+box invis "rcvd EOF ||" "rcvd CLOSE/" "-" with .e at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+.PE
+.SH
+Notes
+.PP
+The input buffer is filled with data from the socket
+(the socket represents the local consumer/producer of the
+forwarded channel).
+The data is then sent over the INPUT-end (transmit-end) of the channel to the
+remote peer.
+Data sent by the peer is received on the OUTPUT-end (receive-end),
+saved in the output buffer and written to the socket.
+.PP
+If the local protocol instance has forwarded all data on the
+INPUT-end of the channel, it sends an EOF message to the peer.
+.PP
+A CLOSE message is sent to the peer if
+both the INPUT- and the OUTOUT-half of the local
+end of the channel are closed.
+.PP
+The channel can be deallocated by a protocol instance
+if a CLOSE message he been both sent and received.
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
new file mode 100644
index 0000000..00109ea
--- /dev/null
+++ b/crypto/openssh/packet.c
@@ -0,0 +1,1384 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * This file contains code implementing the packet protocol and communication
+ * with the other side.  This same code is used both on client and server side.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
+ * SSH2 packet format added by Markus Friedl.
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: packet.c,v 1.61 2001/04/05 10:42:51 markus Exp $");
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "packet.h"
+#include "bufaux.h"
+#include "crc32.h"
+#include "getput.h"
+
+#include "compress.h"
+#include "deattack.h"
+#include "channels.h"
+
+#include "compat.h"
+#include "ssh1.h"
+#include "ssh2.h"
+
+#include "cipher.h"
+#include "kex.h"
+#include "mac.h"
+#include "log.h"
+#include "canohost.h"
+
+#ifdef PACKET_DEBUG
+#define DBG(x) x
+#else
+#define DBG(x)
+#endif
+
+/*
+ * This variable contains the file descriptors used for communicating with
+ * the other side.  connection_in is used for reading; connection_out for
+ * writing.  These can be the same descriptor, in which case it is assumed to
+ * be a socket.
+ */
+static int connection_in = -1;
+static int connection_out = -1;
+
+/*
+ * Cipher type.  This value is only used to determine whether to pad the
+ * packets with zeroes or random data.
+ */
+static int cipher_type = SSH_CIPHER_NONE;
+
+/* Protocol flags for the remote side. */
+static u_int remote_protocol_flags = 0;
+
+/* Encryption context for receiving data.  This is only used for decryption. */
+static CipherContext receive_context;
+
+/* Encryption context for sending data.  This is only used for encryption. */
+static CipherContext send_context;
+
+/* Buffer for raw input data from the socket. */
+static Buffer input;
+
+/* Buffer for raw output data going to the socket. */
+static Buffer output;
+
+/* Buffer for the partial outgoing packet being constructed. */
+static Buffer outgoing_packet;
+
+/* Buffer for the incoming packet currently being processed. */
+static Buffer incoming_packet;
+
+/* Scratch buffer for packet compression/decompression. */
+static Buffer compression_buffer;
+static int compression_buffer_ready = 0;
+
+/* Flag indicating whether packet compression/decompression is enabled. */
+static int packet_compression = 0;
+
+/* default maximum packet size */
+int max_packet_size = 32768;
+
+/* Flag indicating whether this module has been initialized. */
+static int initialized = 0;
+
+/* Set to true if the connection is interactive. */
+static int interactive_mode = 0;
+
+/* True if SSH2 packet format is used */
+int use_ssh2_packet_format = 0;
+
+/* Session key information for Encryption and MAC */
+Newkeys *newkeys[MODE_MAX];
+
+void
+packet_set_ssh2_format(void)
+{
+	DBG(debug("use_ssh2_packet_format"));
+	use_ssh2_packet_format = 1;
+	newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL;
+}
+
+/*
+ * Sets the descriptors used for communication.  Disables encryption until
+ * packet_set_encryption_key is called.
+ */
+void
+packet_set_connection(int fd_in, int fd_out)
+{
+	Cipher *none = cipher_by_name("none");
+	if (none == NULL)
+		fatal("packet_set_connection: cannot load cipher 'none'");
+	connection_in = fd_in;
+	connection_out = fd_out;
+	cipher_type = SSH_CIPHER_NONE;
+	cipher_init(&send_context, none, (u_char *) "", 0, NULL, 0);
+	cipher_init(&receive_context, none, (u_char *) "", 0, NULL, 0);
+	if (!initialized) {
+		initialized = 1;
+		buffer_init(&input);
+		buffer_init(&output);
+		buffer_init(&outgoing_packet);
+		buffer_init(&incoming_packet);
+	}
+	/* Kludge: arrange the close function to be called from fatal(). */
+	fatal_add_cleanup((void (*) (void *)) packet_close, NULL);
+}
+
+/* Returns 1 if remote host is connected via socket, 0 if not. */
+
+int
+packet_connection_is_on_socket()
+{
+	struct sockaddr_storage from, to;
+	socklen_t fromlen, tolen;
+
+	/* filedescriptors in and out are the same, so it's a socket */
+	if (connection_in == connection_out)
+		return 1;
+	fromlen = sizeof(from);
+	memset(&from, 0, sizeof(from));
+	if (getpeername(connection_in, (struct sockaddr *)&from, &fromlen) < 0)
+		return 0;
+	tolen = sizeof(to);
+	memset(&to, 0, sizeof(to));
+	if (getpeername(connection_out, (struct sockaddr *)&to, &tolen) < 0)
+		return 0;
+	if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
+		return 0;
+	if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
+		return 0;
+	return 1;
+}
+
+/* returns 1 if connection is via ipv4 */
+
+int
+packet_connection_is_ipv4()
+{
+	struct sockaddr_storage to;
+	socklen_t tolen = sizeof(to);
+
+	memset(&to, 0, sizeof(to));
+	if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0)
+		return 0;
+	if (to.ss_family != AF_INET)
+		return 0;
+	return 1;
+}
+
+/* Sets the connection into non-blocking mode. */
+
+void
+packet_set_nonblocking()
+{
+	/* Set the socket into non-blocking mode. */
+	if (fcntl(connection_in, F_SETFL, O_NONBLOCK) < 0)
+		error("fcntl O_NONBLOCK: %.100s", strerror(errno));
+
+	if (connection_out != connection_in) {
+		if (fcntl(connection_out, F_SETFL, O_NONBLOCK) < 0)
+			error("fcntl O_NONBLOCK: %.100s", strerror(errno));
+	}
+}
+
+/* Returns the socket used for reading. */
+
+int
+packet_get_connection_in()
+{
+	return connection_in;
+}
+
+/* Returns the descriptor used for writing. */
+
+int
+packet_get_connection_out()
+{
+	return connection_out;
+}
+
+/* Closes the connection and clears and frees internal data structures. */
+
+void
+packet_close()
+{
+	if (!initialized)
+		return;
+	initialized = 0;
+	if (connection_in == connection_out) {
+		shutdown(connection_out, SHUT_RDWR);
+		close(connection_out);
+	} else {
+		close(connection_in);
+		close(connection_out);
+	}
+	buffer_free(&input);
+	buffer_free(&output);
+	buffer_free(&outgoing_packet);
+	buffer_free(&incoming_packet);
+	if (compression_buffer_ready) {
+		buffer_free(&compression_buffer);
+		buffer_compress_uninit();
+	}
+}
+
+/* Sets remote side protocol flags. */
+
+void
+packet_set_protocol_flags(u_int protocol_flags)
+{
+	remote_protocol_flags = protocol_flags;
+	channel_set_options((protocol_flags & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) != 0);
+}
+
+/* Returns the remote protocol flags set earlier by the above function. */
+
+u_int
+packet_get_protocol_flags()
+{
+	return remote_protocol_flags;
+}
+
+/*
+ * Starts packet compression from the next packet on in both directions.
+ * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
+ */
+
+void
+packet_init_compression()
+{
+	if (compression_buffer_ready == 1)
+		return;
+	compression_buffer_ready = 1;
+	buffer_init(&compression_buffer);
+}
+
+void
+packet_start_compression(int level)
+{
+	if (packet_compression && !use_ssh2_packet_format)
+		fatal("Compression already enabled.");
+	packet_compression = 1;
+	packet_init_compression();
+	buffer_compress_init_send(level);
+	buffer_compress_init_recv();
+}
+
+/*
+ * Encrypts the given number of bytes, copying from src to dest. bytes is
+ * known to be a multiple of 8.
+ */
+
+void
+packet_encrypt(CipherContext * cc, void *dest, void *src,
+    u_int bytes)
+{
+	cipher_encrypt(cc, dest, src, bytes);
+}
+
+/*
+ * Decrypts the given number of bytes, copying from src to dest. bytes is
+ * known to be a multiple of 8.
+ */
+
+void
+packet_decrypt(CipherContext *context, void *dest, void *src, u_int bytes)
+{
+	/*
+	 * Cryptographic attack detector for ssh - Modifications for packet.c
+	 * (C)1998 CORE-SDI, Buenos Aires Argentina Ariel Futoransky(futo@core-sdi.com)
+	 */
+	if (!compat20 &&
+	    context->cipher->number != SSH_CIPHER_NONE &&
+	    detect_attack(src, bytes, NULL) == DEATTACK_DETECTED)
+		packet_disconnect("crc32 compensation attack: network attack detected");
+
+	cipher_decrypt(context, dest, src, bytes);
+}
+
+/*
+ * Causes any further packets to be encrypted using the given key.  The same
+ * key is used for both sending and reception.  However, both directions are
+ * encrypted independently of each other.
+ */
+
+void
+packet_set_encryption_key(const u_char *key, u_int keylen,
+    int number)
+{
+	Cipher *cipher = cipher_by_number(number);
+	if (cipher == NULL)
+		fatal("packet_set_encryption_key: unknown cipher number %d", number);
+	if (keylen < 20)
+		fatal("packet_set_encryption_key: keylen too small: %d", keylen);
+	cipher_init(&receive_context, cipher, key, keylen, NULL, 0);
+	cipher_init(&send_context, cipher, key, keylen, NULL, 0);
+}
+
+/* Starts constructing a packet to send. */
+
+void
+packet_start1(int type)
+{
+	char buf[9];
+
+	buffer_clear(&outgoing_packet);
+	memset(buf, 0, 8);
+	buf[8] = type;
+	buffer_append(&outgoing_packet, buf, 9);
+}
+
+void
+packet_start2(int type)
+{
+	char buf[4+1+1];
+
+	buffer_clear(&outgoing_packet);
+	memset(buf, 0, sizeof buf);
+	/* buf[0..3] = payload_len; */
+	/* buf[4] =    pad_len; */
+	buf[5] = type & 0xff;
+	buffer_append(&outgoing_packet, buf, sizeof buf);
+}
+
+void
+packet_start(int type)
+{
+	DBG(debug("packet_start[%d]", type));
+	if (use_ssh2_packet_format)
+		packet_start2(type);
+	else
+		packet_start1(type);
+}
+
+/* Appends a character to the packet data. */
+
+void
+packet_put_char(int value)
+{
+	char ch = value;
+	buffer_append(&outgoing_packet, &ch, 1);
+}
+
+/* Appends an integer to the packet data. */
+
+void
+packet_put_int(u_int value)
+{
+	buffer_put_int(&outgoing_packet, value);
+}
+
+/* Appends a string to packet data. */
+
+void
+packet_put_string(const char *buf, u_int len)
+{
+	buffer_put_string(&outgoing_packet, buf, len);
+}
+void
+packet_put_cstring(const char *str)
+{
+	buffer_put_string(&outgoing_packet, str, strlen(str));
+}
+
+void
+packet_put_raw(const char *buf, u_int len)
+{
+	buffer_append(&outgoing_packet, buf, len);
+}
+
+
+/* Appends an arbitrary precision integer to packet data. */
+
+void
+packet_put_bignum(BIGNUM * value)
+{
+	buffer_put_bignum(&outgoing_packet, value);
+}
+void
+packet_put_bignum2(BIGNUM * value)
+{
+	buffer_put_bignum2(&outgoing_packet, value);
+}
+
+/*
+ * Finalizes and sends the packet.  If the encryption key has been set,
+ * encrypts the packet before sending.
+ */
+
+void
+packet_send1(void)
+{
+	char buf[8], *cp;
+	int i, padding, len;
+	u_int checksum;
+	u_int32_t rand = 0;
+
+	/*
+	 * If using packet compression, compress the payload of the outgoing
+	 * packet.
+	 */
+	if (packet_compression) {
+		buffer_clear(&compression_buffer);
+		/* Skip padding. */
+		buffer_consume(&outgoing_packet, 8);
+		/* padding */
+		buffer_append(&compression_buffer, "\0\0\0\0\0\0\0\0", 8);
+		buffer_compress(&outgoing_packet, &compression_buffer);
+		buffer_clear(&outgoing_packet);
+		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
+			      buffer_len(&compression_buffer));
+	}
+	/* Compute packet length without padding (add checksum, remove padding). */
+	len = buffer_len(&outgoing_packet) + 4 - 8;
+
+	/* Insert padding. Initialized to zero in packet_start1() */
+	padding = 8 - len % 8;
+	if (cipher_type != SSH_CIPHER_NONE) {
+		cp = buffer_ptr(&outgoing_packet);
+		for (i = 0; i < padding; i++) {
+			if (i % 4 == 0)
+				rand = arc4random();
+			cp[7 - i] = rand & 0xff;
+			rand >>= 8;
+		}
+	}
+	buffer_consume(&outgoing_packet, 8 - padding);
+
+	/* Add check bytes. */
+	checksum = ssh_crc32((u_char *) buffer_ptr(&outgoing_packet),
+	    buffer_len(&outgoing_packet));
+	PUT_32BIT(buf, checksum);
+	buffer_append(&outgoing_packet, buf, 4);
+
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "packet_send plain: ");
+	buffer_dump(&outgoing_packet);
+#endif
+
+	/* Append to output. */
+	PUT_32BIT(buf, len);
+	buffer_append(&output, buf, 4);
+	buffer_append_space(&output, &cp, buffer_len(&outgoing_packet));
+	packet_encrypt(&send_context, cp, buffer_ptr(&outgoing_packet),
+		       buffer_len(&outgoing_packet));
+
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "encrypted: ");
+	buffer_dump(&output);
+#endif
+
+	buffer_clear(&outgoing_packet);
+
+	/*
+	 * Note that the packet is now only buffered in output.  It won\'t be
+	 * actually sent until packet_write_wait or packet_write_poll is
+	 * called.
+	 */
+}
+
+void
+set_newkeys(int mode)
+{
+	Enc *enc;
+	Mac *mac;
+	Comp *comp;
+	CipherContext *cc;
+
+	debug("newkeys: mode %d", mode);
+
+	cc = (mode == MODE_OUT) ? &send_context : &receive_context;
+	if (newkeys[mode] != NULL) {
+		debug("newkeys: rekeying");
+		/* todo: free old keys, reset compression/cipher-ctxt; */
+		memset(cc, 0, sizeof(*cc));
+		enc  = &newkeys[mode]->enc;
+		mac  = &newkeys[mode]->mac;
+		comp = &newkeys[mode]->comp;
+		memset(mac->key, 0, mac->key_len);
+		xfree(enc->name);
+		xfree(enc->iv);
+		xfree(enc->key);
+		xfree(mac->name);
+		xfree(mac->key);
+		xfree(comp->name);
+		xfree(newkeys[mode]);
+	}
+	newkeys[mode] = kex_get_newkeys(mode);
+	if (newkeys[mode] == NULL)
+		fatal("newkeys: no keys for mode %d", mode);
+	enc  = &newkeys[mode]->enc;
+	mac  = &newkeys[mode]->mac;
+	comp = &newkeys[mode]->comp;
+	if (mac->md != NULL)
+		mac->enabled = 1;
+	DBG(debug("cipher_init_context: %d", mode));
+	cipher_init(cc, enc->cipher, enc->key, enc->cipher->key_len,
+	    enc->iv, enc->cipher->block_size);
+	memset(enc->iv,  0, enc->cipher->block_size);
+	memset(enc->key, 0, enc->cipher->key_len);
+	if (comp->type != 0 && comp->enabled == 0) {
+		packet_init_compression();
+		if (mode == MODE_OUT)
+			buffer_compress_init_send(6);
+		else
+			buffer_compress_init_recv();
+		comp->enabled = 1;
+	}
+}
+
+/*
+ * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
+ */
+void
+packet_send2(void)
+{
+	static u_int32_t seqnr = 0;
+	u_char *macbuf = NULL;
+	char *cp;
+	u_int packet_length = 0;
+	u_int i, padlen, len;
+	u_int32_t rand = 0;
+	int type;
+	Enc *enc   = NULL;
+	Mac *mac   = NULL;
+	Comp *comp = NULL;
+	int block_size;
+
+	if (newkeys[MODE_OUT] != NULL) {
+		enc  = &newkeys[MODE_OUT]->enc;
+		mac  = &newkeys[MODE_OUT]->mac;
+		comp = &newkeys[MODE_OUT]->comp;
+	}
+	block_size = enc ? enc->cipher->block_size : 8;
+
+	cp = buffer_ptr(&outgoing_packet);
+	type = cp[5] & 0xff;
+
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "plain:     ");
+	buffer_dump(&outgoing_packet);
+#endif
+
+	if (comp && comp->enabled) {
+		len = buffer_len(&outgoing_packet);
+		/* skip header, compress only payload */
+		buffer_consume(&outgoing_packet, 5);
+		buffer_clear(&compression_buffer);
+		buffer_compress(&outgoing_packet, &compression_buffer);
+		buffer_clear(&outgoing_packet);
+		buffer_append(&outgoing_packet, "\0\0\0\0\0", 5);
+		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
+		    buffer_len(&compression_buffer));
+		DBG(debug("compression: raw %d compressed %d", len,
+		    buffer_len(&outgoing_packet)));
+	}
+
+	/* sizeof (packet_len + pad_len + payload) */
+	len = buffer_len(&outgoing_packet);
+
+	/*
+	 * calc size of padding, alloc space, get random data,
+	 * minimum padding is 4 bytes
+	 */
+	padlen = block_size - (len % block_size);
+	if (padlen < 4)
+		padlen += block_size;
+	buffer_append_space(&outgoing_packet, &cp, padlen);
+	if (enc && enc->cipher->number != SSH_CIPHER_NONE) {
+		/* random padding */
+		for (i = 0; i < padlen; i++) {
+			if (i % 4 == 0)
+				rand = arc4random();
+			cp[i] = rand & 0xff;
+			rand >>= 8;
+		}
+	} else {
+		/* clear padding */
+		memset(cp, 0, padlen);
+	}
+	/* packet_length includes payload, padding and padding length field */
+	packet_length = buffer_len(&outgoing_packet) - 4;
+	cp = buffer_ptr(&outgoing_packet);
+	PUT_32BIT(cp, packet_length);
+	cp[4] = padlen & 0xff;
+	DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));
+
+	/* compute MAC over seqnr and packet(length fields, payload, padding) */
+	if (mac && mac->enabled) {
+		macbuf = mac_compute(mac, seqnr,
+		    (u_char *) buffer_ptr(&outgoing_packet),
+		    buffer_len(&outgoing_packet));
+		DBG(debug("done calc MAC out #%d", seqnr));
+	}
+	/* encrypt packet and append to output buffer. */
+	buffer_append_space(&output, &cp, buffer_len(&outgoing_packet));
+	packet_encrypt(&send_context, cp, buffer_ptr(&outgoing_packet),
+	    buffer_len(&outgoing_packet));
+	/* append unencrypted MAC */
+	if (mac && mac->enabled)
+		buffer_append(&output, (char *)macbuf, mac->mac_len);
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "encrypted: ");
+	buffer_dump(&output);
+#endif
+	/* increment sequence number for outgoing packets */
+	if (++seqnr == 0)
+		log("outgoing seqnr wraps around");
+	buffer_clear(&outgoing_packet);
+
+	if (type == SSH2_MSG_NEWKEYS)
+		set_newkeys(MODE_OUT);
+}
+
+void
+packet_send()
+{
+	if (use_ssh2_packet_format)
+		packet_send2();
+	else
+		packet_send1();
+	DBG(debug("packet_send done"));
+}
+
+/*
+ * Waits until a packet has been received, and returns its type.  Note that
+ * no other data is processed until this returns, so this function should not
+ * be used during the interactive session.
+ */
+
+int
+packet_read(int *payload_len_ptr)
+{
+	int type, len;
+	fd_set *setp;
+	char buf[8192];
+	DBG(debug("packet_read()"));
+
+	setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) *
+	    sizeof(fd_mask));
+
+	/* Since we are blocking, ensure that all written packets have been sent. */
+	packet_write_wait();
+
+	/* Stay in the loop until we have received a complete packet. */
+	for (;;) {
+		/* Try to read a packet from the buffer. */
+		type = packet_read_poll(payload_len_ptr);
+		if (!use_ssh2_packet_format && (
+		    type == SSH_SMSG_SUCCESS
+		    || type == SSH_SMSG_FAILURE
+		    || type == SSH_CMSG_EOF
+		    || type == SSH_CMSG_EXIT_CONFIRMATION))
+			packet_integrity_check(*payload_len_ptr, 0, type);
+		/* If we got a packet, return it. */
+		if (type != SSH_MSG_NONE) {
+			xfree(setp);
+			return type;
+		}
+		/*
+		 * Otherwise, wait for some data to arrive, add it to the
+		 * buffer, and try again.
+		 */
+		memset(setp, 0, howmany(connection_in + 1, NFDBITS) *
+		    sizeof(fd_mask));
+		FD_SET(connection_in, setp);
+
+		/* Wait for some data to arrive. */
+		while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 &&
+		    (errno == EAGAIN || errno == EINTR))
+			;
+
+		/* Read data from the socket. */
+		len = read(connection_in, buf, sizeof(buf));
+		if (len == 0) {
+			log("Connection closed by %.200s", get_remote_ipaddr());
+			fatal_cleanup();
+		}
+		if (len < 0)
+			fatal("Read from socket failed: %.100s", strerror(errno));
+		/* Append it to the buffer. */
+		packet_process_incoming(buf, len);
+	}
+	/* NOTREACHED */
+}
+
+/*
+ * Waits until a packet has been received, verifies that its type matches
+ * that given, and gives a fatal error and exits if there is a mismatch.
+ */
+
+void
+packet_read_expect(int *payload_len_ptr, int expected_type)
+{
+	int type;
+
+	type = packet_read(payload_len_ptr);
+	if (type != expected_type)
+		packet_disconnect("Protocol error: expected packet type %d, got %d",
+		    expected_type, type);
+}
+
+/* Checks if a full packet is available in the data received so far via
+ * packet_process_incoming.  If so, reads the packet; otherwise returns
+ * SSH_MSG_NONE.  This does not wait for data from the connection.
+ *
+ * SSH_MSG_DISCONNECT is handled specially here.  Also,
+ * SSH_MSG_IGNORE messages are skipped by this function and are never returned
+ * to higher levels.
+ *
+ * The returned payload_len does include space consumed by:
+ * 	Packet length
+ * 	Padding
+ * 	Packet type
+ * 	Check bytes
+ */
+
+int
+packet_read_poll1(int *payload_len_ptr)
+{
+	u_int len, padded_len;
+	u_char *ucp;
+	char buf[8], *cp;
+	u_int checksum, stored_checksum;
+
+	/* Check if input size is less than minimum packet size. */
+	if (buffer_len(&input) < 4 + 8)
+		return SSH_MSG_NONE;
+	/* Get length of incoming packet. */
+	ucp = (u_char *) buffer_ptr(&input);
+	len = GET_32BIT(ucp);
+	if (len < 1 + 2 + 2 || len > 256 * 1024)
+		packet_disconnect("Bad packet length %d.", len);
+	padded_len = (len + 8) & ~7;
+
+	/* Check if the packet has been entirely received. */
+	if (buffer_len(&input) < 4 + padded_len)
+		return SSH_MSG_NONE;
+
+	/* The entire packet is in buffer. */
+
+	/* Consume packet length. */
+	buffer_consume(&input, 4);
+
+	/* Copy data to incoming_packet. */
+	buffer_clear(&incoming_packet);
+	buffer_append_space(&incoming_packet, &cp, padded_len);
+	packet_decrypt(&receive_context, cp, buffer_ptr(&input), padded_len);
+	buffer_consume(&input, padded_len);
+
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "read_poll plain: ");
+	buffer_dump(&incoming_packet);
+#endif
+
+	/* Compute packet checksum. */
+	checksum = ssh_crc32((u_char *) buffer_ptr(&incoming_packet),
+	    buffer_len(&incoming_packet) - 4);
+
+	/* Skip padding. */
+	buffer_consume(&incoming_packet, 8 - len % 8);
+
+	/* Test check bytes. */
+
+	if (len != buffer_len(&incoming_packet))
+		packet_disconnect("packet_read_poll: len %d != buffer_len %d.",
+		    len, buffer_len(&incoming_packet));
+
+	ucp = (u_char *) buffer_ptr(&incoming_packet) + len - 4;
+	stored_checksum = GET_32BIT(ucp);
+	if (checksum != stored_checksum)
+		packet_disconnect("Corrupted check bytes on input.");
+	buffer_consume_end(&incoming_packet, 4);
+
+	/* If using packet compression, decompress the packet. */
+	if (packet_compression) {
+		buffer_clear(&compression_buffer);
+		buffer_uncompress(&incoming_packet, &compression_buffer);
+		buffer_clear(&incoming_packet);
+		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
+		    buffer_len(&compression_buffer));
+	}
+	/* Get packet type. */
+	buffer_get(&incoming_packet, &buf[0], 1);
+
+	/* Return length of payload (without type field). */
+	*payload_len_ptr = buffer_len(&incoming_packet);
+
+	/* Return type. */
+	return (u_char) buf[0];
+}
+
+int
+packet_read_poll2(int *payload_len_ptr)
+{
+	static u_int32_t seqnr = 0;
+	static u_int packet_length = 0;
+	u_int padlen, need;
+	u_char buf[8], *macbuf;
+	u_char *ucp;
+	char *cp;
+	int type;
+	int maclen, block_size;
+	Enc *enc   = NULL;
+	Mac *mac   = NULL;
+	Comp *comp = NULL;
+
+	if (newkeys[MODE_IN] != NULL) {
+		enc  = &newkeys[MODE_IN]->enc;
+		mac  = &newkeys[MODE_IN]->mac;
+		comp = &newkeys[MODE_IN]->comp;
+	}
+	maclen = mac && mac->enabled ? mac->mac_len : 0;
+	block_size = enc ? enc->cipher->block_size : 8;
+
+	if (packet_length == 0) {
+		/*
+		 * check if input size is less than the cipher block size,
+		 * decrypt first block and extract length of incoming packet
+		 */
+		if (buffer_len(&input) < block_size)
+			return SSH_MSG_NONE;
+		buffer_clear(&incoming_packet);
+		buffer_append_space(&incoming_packet, &cp, block_size);
+		packet_decrypt(&receive_context, cp, buffer_ptr(&input),
+		    block_size);
+		ucp = (u_char *) buffer_ptr(&incoming_packet);
+		packet_length = GET_32BIT(ucp);
+		if (packet_length < 1 + 4 || packet_length > 256 * 1024) {
+			buffer_dump(&incoming_packet);
+			packet_disconnect("Bad packet length %d.", packet_length);
+		}
+		DBG(debug("input: packet len %d", packet_length+4));
+		buffer_consume(&input, block_size);
+	}
+	/* we have a partial packet of block_size bytes */
+	need = 4 + packet_length - block_size;
+	DBG(debug("partial packet %d, need %d, maclen %d", block_size,
+	    need, maclen));
+	if (need % block_size != 0)
+		fatal("padding error: need %d block %d mod %d",
+		    need, block_size, need % block_size);
+	/*
+	 * check if the entire packet has been received and
+	 * decrypt into incoming_packet
+	 */
+	if (buffer_len(&input) < need + maclen)
+		return SSH_MSG_NONE;
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "read_poll enc/full: ");
+	buffer_dump(&input);
+#endif
+	buffer_append_space(&incoming_packet, &cp, need);
+	packet_decrypt(&receive_context, cp, buffer_ptr(&input), need);
+	buffer_consume(&input, need);
+	/*
+	 * compute MAC over seqnr and packet,
+	 * increment sequence number for incoming packet
+	 */
+	if (mac && mac->enabled) {
+		macbuf = mac_compute(mac, seqnr,
+		    (u_char *) buffer_ptr(&incoming_packet),
+		    buffer_len(&incoming_packet));
+		if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
+			packet_disconnect("Corrupted MAC on input.");
+		DBG(debug("MAC #%d ok", seqnr));
+		buffer_consume(&input, mac->mac_len);
+	}
+	if (++seqnr == 0)
+		log("incoming seqnr wraps around");
+
+	/* get padlen */
+	cp = buffer_ptr(&incoming_packet) + 4;
+	padlen = *cp & 0xff;
+	DBG(debug("input: padlen %d", padlen));
+	if (padlen < 4)
+		packet_disconnect("Corrupted padlen %d on input.", padlen);
+
+	/* skip packet size + padlen, discard padding */
+	buffer_consume(&incoming_packet, 4 + 1);
+	buffer_consume_end(&incoming_packet, padlen);
+
+	DBG(debug("input: len before de-compress %d", buffer_len(&incoming_packet)));
+	if (comp && comp->enabled) {
+		buffer_clear(&compression_buffer);
+		buffer_uncompress(&incoming_packet, &compression_buffer);
+		buffer_clear(&incoming_packet);
+		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
+		    buffer_len(&compression_buffer));
+		DBG(debug("input: len after de-compress %d", buffer_len(&incoming_packet)));
+	}
+	/*
+	 * get packet type, implies consume.
+	 * return length of payload (without type field)
+	 */
+	buffer_get(&incoming_packet, (char *)&buf[0], 1);
+	*payload_len_ptr = buffer_len(&incoming_packet);
+
+	/* reset for next packet */
+	packet_length = 0;
+
+	/* extract packet type */
+	type = (u_char)buf[0];
+
+	if (type == SSH2_MSG_NEWKEYS)
+		set_newkeys(MODE_IN);
+
+#ifdef PACKET_DEBUG
+	fprintf(stderr, "read/plain[%d]:\r\n", type);
+	buffer_dump(&incoming_packet);
+#endif
+	return (u_char)type;
+}
+
+int
+packet_read_poll(int *payload_len_ptr)
+{
+	char *msg;
+	for (;;) {
+		int type = use_ssh2_packet_format ?
+		    packet_read_poll2(payload_len_ptr):
+		    packet_read_poll1(payload_len_ptr);
+
+		if(compat20) {
+			int reason;
+			if (type != 0)
+				DBG(debug("received packet type %d", type));
+			switch(type) {
+			case SSH2_MSG_IGNORE:
+				break;
+			case SSH2_MSG_DEBUG:
+				packet_get_char();
+				msg = packet_get_string(NULL);
+				debug("Remote: %.900s", msg);
+				xfree(msg);
+				msg = packet_get_string(NULL);
+				xfree(msg);
+				break;
+			case SSH2_MSG_DISCONNECT:
+				reason = packet_get_int();
+				msg = packet_get_string(NULL);
+				log("Received disconnect from %s: %d: %.400s", get_remote_ipaddr(),
+					reason, msg);
+				xfree(msg);
+				fatal_cleanup();
+				break;
+			default:
+				return type;
+				break;
+			}
+		} else {
+			switch(type) {
+			case SSH_MSG_IGNORE:
+				break;
+			case SSH_MSG_DEBUG:
+				msg = packet_get_string(NULL);
+				debug("Remote: %.900s", msg);
+				xfree(msg);
+				break;
+			case SSH_MSG_DISCONNECT:
+				msg = packet_get_string(NULL);
+				log("Received disconnect from %s: %.400s", get_remote_ipaddr(),
+					msg);
+				fatal_cleanup();
+				xfree(msg);
+				break;
+			default:
+				if (type != 0)
+					DBG(debug("received packet type %d", type));
+				return type;
+				break;
+			}
+		}
+	}
+}
+
+/*
+ * Buffers the given amount of input characters.  This is intended to be used
+ * together with packet_read_poll.
+ */
+
+void
+packet_process_incoming(const char *buf, u_int len)
+{
+	buffer_append(&input, buf, len);
+}
+
+/* Returns a character from the packet. */
+
+u_int
+packet_get_char()
+{
+	char ch;
+	buffer_get(&incoming_packet, &ch, 1);
+	return (u_char) ch;
+}
+
+/* Returns an integer from the packet data. */
+
+u_int
+packet_get_int()
+{
+	return buffer_get_int(&incoming_packet);
+}
+
+/*
+ * Returns an arbitrary precision integer from the packet data.  The integer
+ * must have been initialized before this call.
+ */
+
+void
+packet_get_bignum(BIGNUM * value, int *length_ptr)
+{
+	*length_ptr = buffer_get_bignum(&incoming_packet, value);
+}
+
+void
+packet_get_bignum2(BIGNUM * value, int *length_ptr)
+{
+	*length_ptr = buffer_get_bignum2(&incoming_packet, value);
+}
+
+char *
+packet_get_raw(int *length_ptr)
+{
+	int bytes = buffer_len(&incoming_packet);
+	if (length_ptr != NULL)
+		*length_ptr = bytes;
+	return buffer_ptr(&incoming_packet);
+}
+
+int
+packet_remaining(void)
+{
+	return buffer_len(&incoming_packet);
+}
+
+/*
+ * Returns a string from the packet data.  The string is allocated using
+ * xmalloc; it is the responsibility of the calling program to free it when
+ * no longer needed.  The length_ptr argument may be NULL, or point to an
+ * integer into which the length of the string is stored.
+ */
+
+char *
+packet_get_string(u_int *length_ptr)
+{
+	return buffer_get_string(&incoming_packet, length_ptr);
+}
+
+/*
+ * Sends a diagnostic message from the server to the client.  This message
+ * can be sent at any time (but not while constructing another message). The
+ * message is printed immediately, but only if the client is being executed
+ * in verbose mode.  These messages are primarily intended to ease debugging
+ * authentication problems.   The length of the formatted message must not
+ * exceed 1024 bytes.  This will automatically call packet_write_wait.
+ */
+
+void
+packet_send_debug(const char *fmt,...)
+{
+	char buf[1024];
+	va_list args;
+
+	if (compat20 && (datafellows & SSH_BUG_DEBUG))
+		return;
+
+	va_start(args, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, args);
+	va_end(args);
+
+	if (compat20) {
+		packet_start(SSH2_MSG_DEBUG);
+		packet_put_char(0);	/* bool: always display */
+		packet_put_cstring(buf);
+		packet_put_cstring("");
+	} else {
+		packet_start(SSH_MSG_DEBUG);
+		packet_put_cstring(buf);
+	}
+	packet_send();
+	packet_write_wait();
+}
+
+/*
+ * Logs the error plus constructs and sends a disconnect packet, closes the
+ * connection, and exits.  This function never returns. The error message
+ * should not contain a newline.  The length of the formatted message must
+ * not exceed 1024 bytes.
+ */
+
+void
+packet_disconnect(const char *fmt,...)
+{
+	char buf[1024];
+	va_list args;
+	static int disconnecting = 0;
+	if (disconnecting)	/* Guard against recursive invocations. */
+		fatal("packet_disconnect called recursively.");
+	disconnecting = 1;
+
+	/*
+	 * Format the message.  Note that the caller must make sure the
+	 * message is of limited size.
+	 */
+	va_start(args, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, args);
+	va_end(args);
+
+	/* Send the disconnect message to the other side, and wait for it to get sent. */
+	if (compat20) {
+		packet_start(SSH2_MSG_DISCONNECT);
+		packet_put_int(SSH2_DISCONNECT_PROTOCOL_ERROR);
+		packet_put_cstring(buf);
+		packet_put_cstring("");
+	} else {
+		packet_start(SSH_MSG_DISCONNECT);
+		packet_put_string(buf, strlen(buf));
+	}
+	packet_send();
+	packet_write_wait();
+
+	/* Stop listening for connections. */
+	channel_stop_listening();
+
+	/* Close the connection. */
+	packet_close();
+
+	/* Display the error locally and exit. */
+	log("Disconnecting: %.100s", buf);
+	fatal_cleanup();
+}
+
+/* Checks if there is any buffered output, and tries to write some of the output. */
+
+void
+packet_write_poll()
+{
+	int len = buffer_len(&output);
+	if (len > 0) {
+		len = write(connection_out, buffer_ptr(&output), len);
+		if (len <= 0) {
+			if (errno == EAGAIN)
+				return;
+			else
+				fatal("Write failed: %.100s", strerror(errno));
+		}
+		buffer_consume(&output, len);
+	}
+}
+
+/*
+ * Calls packet_write_poll repeatedly until all pending output data has been
+ * written.
+ */
+
+void
+packet_write_wait()
+{
+	fd_set *setp;
+
+	setp = (fd_set *)xmalloc(howmany(connection_out + 1, NFDBITS) *
+	    sizeof(fd_mask));
+	packet_write_poll();
+	while (packet_have_data_to_write()) {
+		memset(setp, 0, howmany(connection_out + 1, NFDBITS) *
+		    sizeof(fd_mask));
+		FD_SET(connection_out, setp);
+		while (select(connection_out + 1, NULL, setp, NULL, NULL) == -1 &&
+		    (errno == EAGAIN || errno == EINTR))
+			;
+		packet_write_poll();
+	}
+	xfree(setp);
+}
+
+/* Returns true if there is buffered data to write to the connection. */
+
+int
+packet_have_data_to_write()
+{
+	return buffer_len(&output) != 0;
+}
+
+/* Returns true if there is not too much data to write to the connection. */
+
+int
+packet_not_very_much_data_to_write()
+{
+	if (interactive_mode)
+		return buffer_len(&output) < 16384;
+	else
+		return buffer_len(&output) < 128 * 1024;
+}
+
+/* Informs that the current session is interactive.  Sets IP flags for that. */
+
+void
+packet_set_interactive(int interactive)
+{
+	static int called = 0;
+	int lowdelay = IPTOS_LOWDELAY;
+	int throughput = IPTOS_THROUGHPUT;
+	int on = 1;
+
+	if (called)
+		return;
+	called = 1;
+
+	/* Record that we are in interactive mode. */
+	interactive_mode = interactive;
+
+	/* Only set socket options if using a socket.  */
+	if (!packet_connection_is_on_socket())
+		return;
+	/*
+	 * IPTOS_LOWDELAY and IPTOS_THROUGHPUT are IPv4 only
+	 */
+	if (interactive) {
+		/*
+		 * Set IP options for an interactive connection.  Use
+		 * IPTOS_LOWDELAY and TCP_NODELAY.
+		 */
+		if (packet_connection_is_ipv4()) {
+			if (setsockopt(connection_in, IPPROTO_IP, IP_TOS,
+			    (void *) &lowdelay, sizeof(lowdelay)) < 0)
+				error("setsockopt IPTOS_LOWDELAY: %.100s",
+				    strerror(errno));
+		}
+		if (setsockopt(connection_in, IPPROTO_TCP, TCP_NODELAY, (void *) &on,
+		    sizeof(on)) < 0)
+			error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
+	} else if (packet_connection_is_ipv4()) {
+		/*
+		 * Set IP options for a non-interactive connection.  Use
+		 * IPTOS_THROUGHPUT.
+		 */
+		if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *) &throughput,
+		    sizeof(throughput)) < 0)
+			error("setsockopt IPTOS_THROUGHPUT: %.100s", strerror(errno));
+	}
+}
+
+/* Returns true if the current connection is interactive. */
+
+int
+packet_is_interactive()
+{
+	return interactive_mode;
+}
+
+int
+packet_set_maxsize(int s)
+{
+	static int called = 0;
+	if (called) {
+		log("packet_set_maxsize: called twice: old %d new %d",
+		    max_packet_size, s);
+		return -1;
+	}
+	if (s < 4 * 1024 || s > 1024 * 1024) {
+		log("packet_set_maxsize: bad size %d", s);
+		return -1;
+	}
+	log("packet_set_maxsize: setting to %d", s);
+	max_packet_size = s;
+	return s;
+}
+
+/*
+ * 9.2.  Ignored Data Message
+ *
+ *   byte      SSH_MSG_IGNORE
+ *   string    data
+ *
+ * All implementations MUST understand (and ignore) this message at any
+ * time (after receiving the protocol version). No implementation is
+ * required to send them. This message can be used as an additional
+ * protection measure against advanced traffic analysis techniques.
+ */
+/* size of current + ignore message should be n*sumlen bytes (w/o mac) */
+void
+packet_inject_ignore(int sumlen)
+{
+	int blocksize, padlen, have, need, nb, mini, nbytes;
+	Enc *enc = NULL;
+
+	if (use_ssh2_packet_format == 0)
+		return;
+
+	have = buffer_len(&outgoing_packet);
+	debug2("packet_inject_ignore: current %d", have);
+	if (newkeys[MODE_OUT] != NULL)
+		enc  = &newkeys[MODE_OUT]->enc;
+	blocksize = enc ? enc->cipher->block_size : 8;
+	padlen = blocksize - (have % blocksize);
+	if (padlen < 4)
+		padlen += blocksize;
+	have += padlen;
+	have /= blocksize;	/* # of blocks for current message */
+
+	nb   = roundup(sumlen,  blocksize) / blocksize;	/* blocks for both */
+	mini = roundup(5+1+4+4, blocksize) / blocksize; /* minsize ignore msg */
+	need = nb - (have % nb);			/* blocks for ignore */
+	if (need <= mini)
+		need += nb;
+	nbytes = (need - mini) * blocksize;	/* size of ignore payload */
+	debug2("packet_inject_ignore: block %d have %d nb %d mini %d need %d",
+	    blocksize, have, nb, mini, need);
+
+	/* enqueue current message and append a ignore message */
+	packet_send();
+	packet_send_ignore(nbytes);
+}
+
+void
+packet_send_ignore(int nbytes)
+{
+	u_int32_t rand = 0;
+	int i;
+
+	packet_start(compat20 ? SSH2_MSG_IGNORE : SSH_MSG_IGNORE);
+	packet_put_int(nbytes);
+	for(i = 0; i < nbytes; i++) {
+		if (i % 4 == 0)
+			rand = arc4random();
+		packet_put_char(rand & 0xff);
+		rand >>= 8;
+	}
+}
diff --git a/crypto/openssh/packet.h b/crypto/openssh/packet.h
new file mode 100644
index 0000000..09dd995
--- /dev/null
+++ b/crypto/openssh/packet.h
@@ -0,0 +1,224 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Interface for the packet protocol functions.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: packet.h,v 1.22 2001/04/14 16:33:20 stevesk Exp $"); */
+/* RCSID("$FreeBSD$"); */
+
+#ifndef PACKET_H
+#define PACKET_H
+
+#include <openssl/bn.h>
+
+/*
+ * Sets the socket used for communication.  Disables encryption until
+ * packet_set_encryption_key is called.  It is permissible that fd_in and
+ * fd_out are the same descriptor; in that case it is assumed to be a socket.
+ */
+void    packet_set_connection(int fd_in, int fd_out);
+
+/* Puts the connection file descriptors into non-blocking mode. */
+void    packet_set_nonblocking(void);
+
+/* Returns the file descriptor used for input. */
+int     packet_get_connection_in(void);
+
+/* Returns the file descriptor used for output. */
+int     packet_get_connection_out(void);
+
+/*
+ * Closes the connection (both descriptors) and clears and frees internal
+ * data structures.
+ */
+void    packet_close(void);
+
+/*
+ * Causes any further packets to be encrypted using the given key.  The same
+ * key is used for both sending and reception.  However, both directions are
+ * encrypted independently of each other.  Cipher types are defined in ssh.h.
+ */
+void
+packet_set_encryption_key(const u_char *key, u_int keylen,
+    int cipher_type);
+
+/*
+ * Sets remote side protocol flags for the current connection.  This can be
+ * called at any time.
+ */
+void    packet_set_protocol_flags(u_int flags);
+
+/* Returns the remote protocol flags set earlier by the above function. */
+u_int packet_get_protocol_flags(void);
+
+/* Enables compression in both directions starting from the next packet. */
+void    packet_start_compression(int level);
+
+/*
+ * Informs that the current session is interactive.  Sets IP flags for
+ * optimal performance in interactive use.
+ */
+void    packet_set_interactive(int interactive);
+
+/* Returns true if the current connection is interactive. */
+int     packet_is_interactive(void);
+
+/* Starts constructing a packet to send. */
+void    packet_start(int type);
+
+/* Appends a character to the packet data. */
+void    packet_put_char(int ch);
+
+/* Appends an integer to the packet data. */
+void    packet_put_int(u_int value);
+
+/* Appends an arbitrary precision integer to packet data. */
+void    packet_put_bignum(BIGNUM * value);
+void    packet_put_bignum2(BIGNUM * value);
+
+/* Appends a string to packet data. */
+void    packet_put_string(const char *buf, u_int len);
+void    packet_put_cstring(const char *str);
+void    packet_put_raw(const char *buf, u_int len);
+
+/*
+ * Finalizes and sends the packet.  If the encryption key has been set,
+ * encrypts the packet before sending.
+ */
+void    packet_send(void);
+
+/* Waits until a packet has been received, and returns its type. */
+int     packet_read(int *payload_len_ptr);
+
+/*
+ * Waits until a packet has been received, verifies that its type matches
+ * that given, and gives a fatal error and exits if there is a mismatch.
+ */
+void    packet_read_expect(int *payload_len_ptr, int type);
+
+/*
+ * Checks if a full packet is available in the data received so far via
+ * packet_process_incoming.  If so, reads the packet; otherwise returns
+ * SSH_MSG_NONE.  This does not wait for data from the connection.
+ * SSH_MSG_DISCONNECT is handled specially here.  Also, SSH_MSG_IGNORE
+ * messages are skipped by this function and are never returned to higher
+ * levels.
+ */
+int     packet_read_poll(int *packet_len_ptr);
+
+/*
+ * Buffers the given amount of input characters.  This is intended to be used
+ * together with packet_read_poll.
+ */
+void    packet_process_incoming(const char *buf, u_int len);
+
+/* Returns a character (0-255) from the packet data. */
+u_int packet_get_char(void);
+
+/* Returns an integer from the packet data. */
+u_int packet_get_int(void);
+
+/*
+ * Returns an arbitrary precision integer from the packet data.  The integer
+ * must have been initialized before this call.
+ */
+void    packet_get_bignum(BIGNUM * value, int *length_ptr);
+void    packet_get_bignum2(BIGNUM * value, int *length_ptr);
+char	*packet_get_raw(int *length_ptr);
+
+/*
+ * Returns a string from the packet data.  The string is allocated using
+ * xmalloc; it is the responsibility of the calling program to free it when
+ * no longer needed.  The length_ptr argument may be NULL, or point to an
+ * integer into which the length of the string is stored.
+ */
+char   *packet_get_string(u_int *length_ptr);
+
+/*
+ * Logs the error in syslog using LOG_INFO, constructs and sends a disconnect
+ * packet, closes the connection, and exits.  This function never returns.
+ * The error message should not contain a newline.  The total length of the
+ * message must not exceed 1024 bytes.
+ */
+void    packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+
+/*
+ * Sends a diagnostic message to the other side.  This message can be sent at
+ * any time (but not while constructing another message). The message is
+ * printed immediately, but only if the client is being executed in verbose
+ * mode.  These messages are primarily intended to ease debugging
+ * authentication problems.  The total length of the message must not exceed
+ * 1024 bytes.  This will automatically call packet_write_wait.  If the
+ * remote side protocol flags do not indicate that it supports SSH_MSG_DEBUG,
+ * this will do nothing.
+ */
+void    packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+
+/* Checks if there is any buffered output, and tries to write some of the output. */
+void    packet_write_poll(void);
+
+/* Waits until all pending output data has been written. */
+void    packet_write_wait(void);
+
+/* Returns true if there is buffered data to write to the connection. */
+int     packet_have_data_to_write(void);
+
+/* Returns true if there is not too much data to write to the connection. */
+int     packet_not_very_much_data_to_write(void);
+
+/* maximum packet size, requested by client with SSH_CMSG_MAX_PACKET_SIZE */
+extern int max_packet_size;
+int     packet_set_maxsize(int s);
+#define packet_get_maxsize() max_packet_size
+
+/* Stores tty modes from the fd or tiop into current packet. */
+void    tty_make_modes(int fd, struct termios *tiop);
+
+/* Parses tty modes for the fd from the current packet. */
+void    tty_parse_modes(int fd, int *n_bytes_ptr);
+
+#define packet_integrity_check(payload_len, expected_len, type) \
+do { \
+  int _p = (payload_len), _e = (expected_len); \
+  if (_p != _e) { \
+    log("Packet integrity error (%d != %d) at %s:%d", \
+	_p, _e, __FILE__, __LINE__); \
+    packet_disconnect("Packet integrity error. (%d)", (type)); \
+  } \
+} while (0)
+
+#define packet_done() \
+do { \
+	int _len = packet_remaining(); \
+	if (_len > 0) { \
+		log("Packet integrity error (%d bytes remaining) at %s:%d", \
+		    _len ,__FILE__, __LINE__); \
+		packet_disconnect("Packet integrity error."); \
+	} \
+} while (0)
+
+/* remote host is connected via a socket/ipv4 */
+int	packet_connection_is_on_socket(void);
+int	packet_connection_is_ipv4(void);
+
+/* enable SSH2 packet format */
+void	packet_set_ssh2_format(void);
+
+/* returns remaining payload bytes */
+int	packet_remaining(void);
+
+/* append an ignore message */
+void	packet_send_ignore(int nbytes);
+
+/* add an ignore message and make sure size (current+ignore) = n*sumlen */
+void	packet_inject_ignore(int sumlen);
+
+#endif				/* PACKET_H */
diff --git a/crypto/openssh/pam_ssh/pam_ssh.c b/crypto/openssh/pam_ssh/pam_ssh.c
new file mode 100644
index 0000000..237d6e2
--- /dev/null
+++ b/crypto/openssh/pam_ssh/pam_ssh.c
@@ -0,0 +1,497 @@
+/*-
+ * Copyright (c) 1999, 2000 Andrew J. Korty
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ *
+ */
+
+
+#include <sys/param.h>
+#include <sys/queue.h>
+
+#include <fcntl.h>
+#include <paths.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define	PAM_SM_AUTH
+#define	PAM_SM_SESSION
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+#include <openssl/dsa.h>
+
+#include "includes.h"
+#include "rsa.h"
+#include "key.h"
+#include "ssh.h"
+#include "authfd.h"
+#include "authfile.h"
+
+#define	MODULE_NAME	"pam_ssh"
+#define	NEED_PASSPHRASE	"Need passphrase for %s (%s).\nEnter passphrase: "
+#define	PATH_SSH_AGENT	"/usr/bin/ssh-agent"
+
+
+void
+rsa_cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+	if (data)
+		RSA_free(data);
+}
+
+
+void
+ssh_cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+	if (data)
+		free(data);
+}
+
+
+/*
+ * The following set of functions allow the module to manipulate the
+ * environment without calling the putenv() or setenv() stdlib functions.
+ * At least one version of these functions, on the first call, copies
+ * the environment into dynamically-allocated memory and then augments
+ * it.  On subsequent calls, the realloc() call is used to grow the
+ * previously allocated buffer.  Problems arise when the "environ"
+ * variable is changed to point to static memory after putenv()/setenv()
+ * have been called.
+ * 
+ * We don't use putenv() or setenv() in case the application subsequently
+ * manipulates environ, (e.g., to clear the environment by pointing
+ * environ at an array of one element equal to NULL).
+ */
+
+SLIST_HEAD(env_head, env_entry);
+
+struct env_entry {
+	char			*ee_env;
+	SLIST_ENTRY(env_entry)	 ee_entries;
+};
+
+typedef struct env {
+	char		**e_environ_orig;
+	char		**e_environ_new;
+	int		  e_count;
+	struct env_head	  e_head;
+	int		  e_committed;
+} ENV;
+
+extern char **environ;
+
+
+static ENV *
+env_new(void)
+{
+	ENV	*self;
+
+	if (!(self = malloc(sizeof (ENV)))) {
+		syslog(LOG_CRIT, "%m");
+		return NULL;
+	}
+	SLIST_INIT(&self->e_head);
+	self->e_count = 0;
+	self->e_committed = 0;
+	return self;
+}
+
+
+static int
+env_put(ENV *self, char *s)
+{
+	struct env_entry	*env;
+
+	if (!(env = malloc(sizeof (struct env_entry))) ||
+	    !(env->ee_env = strdup(s))) {
+		syslog(LOG_CRIT, "%m");
+		return PAM_SERVICE_ERR;
+	}
+	SLIST_INSERT_HEAD(&self->e_head, env, ee_entries);
+	++self->e_count;
+	return PAM_SUCCESS;
+}
+
+
+static void
+env_swap(ENV *self, int which)
+{
+	environ = which ? self->e_environ_new : self->e_environ_orig;
+}
+
+
+static int
+env_commit(ENV *self)
+{
+	int			  n;
+	struct env_entry	 *p;
+	char 			**v;
+
+	for (v = environ, n = 0; v && *v; v++, n++)
+		;
+	if (!(v = malloc((n + self->e_count + 1) * sizeof (char *)))) {
+		syslog(LOG_CRIT, "%m");
+		return PAM_SERVICE_ERR;
+	}
+	self->e_committed = 1;
+	(void)memcpy(v, environ, n * sizeof (char *));
+	SLIST_FOREACH(p, &self->e_head, ee_entries)
+		v[n++] = p->ee_env;
+	v[n] = NULL;
+	self->e_environ_orig = environ;
+	self->e_environ_new = v;
+	env_swap(self, 1);
+	return PAM_SUCCESS;
+}
+
+
+static void
+env_destroy(ENV *self)
+{
+	struct env_entry	 *p;
+
+	if (self->e_committed)
+		env_swap(self, 0);
+	SLIST_FOREACH(p, &self->e_head, ee_entries) {
+		free(p->ee_env);
+		free(p);
+	}
+	if (self->e_committed)
+		free(self->e_environ_new);
+	free(self);
+}
+
+
+void
+env_cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+	if (data)
+		env_destroy(data);
+}
+
+
+typedef struct passwd PASSWD;
+
+PAM_EXTERN int
+pam_sm_authenticate(
+	pam_handle_t	 *pamh,
+	int		  flags,
+	int		  argc,
+	const char	**argv)
+{
+	char		*comment_priv;		/* on private key */
+	char		*comment_pub;		/* on public key */
+	char		*identity;		/* user's identity file */
+	Key		 key;			/* user's private key */
+	int		 options;		/* module options */
+	const char	*pass;			/* passphrase */
+	char		*prompt;		/* passphrase prompt */
+	Key		 public_key;		/* user's public key */
+	const PASSWD	*pwent;			/* user's passwd entry */
+	PASSWD		*pwent_keep;		/* our own copy */
+	int		 retval;		/* from calls */
+	uid_t		 saved_uid;		/* caller's uid */
+	const char	*user;			/* username */
+
+	options = 0;
+	while (argc--)
+		pam_std_option(&options, *argv++);
+	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+		return retval;
+	if (!((pwent = getpwnam(user)) && pwent->pw_dir)) {
+		/* delay? */
+		return PAM_AUTH_ERR;
+	}
+	/* locate the user's private key file */
+	if (!asprintf(&identity, "%s/%s", pwent->pw_dir,
+	    SSH_CLIENT_IDENTITY)) {
+		syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+		return PAM_SERVICE_ERR;
+	}
+	/*
+	 * Fail unless we can load the public key.  Change to the
+	 * owner's UID to appease load_public_key().
+	 */
+	key.type = KEY_RSA;
+	key.rsa = RSA_new();
+	public_key.type = KEY_RSA;
+	public_key.rsa = RSA_new();
+	saved_uid = getuid();
+	(void)setreuid(pwent->pw_uid, saved_uid);
+	retval = load_public_key(identity, &public_key, &comment_pub);
+	(void)setuid(saved_uid);
+	if (!retval) {
+		free(identity);
+		return PAM_AUTH_ERR;
+	}
+	RSA_free(public_key.rsa);
+	/* build the passphrase prompt */
+	retval = asprintf(&prompt, NEED_PASSPHRASE, identity, comment_pub);
+	free(comment_pub);
+	if (!retval) {
+		syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+		free(identity);
+		return PAM_SERVICE_ERR;
+	}
+	/* pass prompt message to application and receive passphrase */
+	retval = pam_get_pass(pamh, &pass, prompt, options);
+	free(prompt);
+	if (retval != PAM_SUCCESS) {
+		free(identity);
+		return retval;
+	}
+	/*
+	 * Try to decrypt the private key with the passphrase provided.
+	 * If success, the user is authenticated.
+	 */
+	(void)setreuid(pwent->pw_uid, saved_uid);
+	retval = load_private_key(identity, pass, &key, &comment_priv);
+	free(identity);
+	(void)setuid(saved_uid);
+	if (!retval)
+		return PAM_AUTH_ERR;
+	/*
+	 * Save the key and comment to pass to ssh-agent in the session
+	 * phase.
+	 */
+	if ((retval = pam_set_data(pamh, "ssh_private_key", key.rsa,
+	    rsa_cleanup)) != PAM_SUCCESS) {
+		RSA_free(key.rsa);
+		free(comment_priv);
+		return retval;
+	}
+	if ((retval = pam_set_data(pamh, "ssh_key_comment", comment_priv,
+	    ssh_cleanup)) != PAM_SUCCESS) {
+		free(comment_priv);
+		return retval;
+	}
+	/*
+	 * Copy the passwd entry (in case successive calls are made)
+	 * and save it for the session phase.
+	 */
+	if (!(pwent_keep = malloc(sizeof *pwent))) {
+		syslog(LOG_CRIT, "%m");
+		return PAM_SERVICE_ERR;
+	}
+	(void)memcpy(pwent_keep, pwent, sizeof *pwent_keep);
+	if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep,
+	    ssh_cleanup)) != PAM_SUCCESS) {
+		free(pwent_keep);
+		return retval;
+	}
+	return PAM_SUCCESS;
+}
+
+
+PAM_EXTERN int
+pam_sm_setcred(
+	pam_handle_t	 *pamh,
+	int		  flags,
+	int		  argc,
+	const char	**argv)
+{
+	return PAM_SUCCESS;
+}
+
+
+typedef AuthenticationConnection AC;
+
+PAM_EXTERN int
+pam_sm_open_session(
+	pam_handle_t	 *pamh,
+	int		  flags,
+	int		  argc,
+	const char	**argv)
+{
+	AC		*ac;			/* to ssh-agent */
+	char		*comment;		/* on private key */
+	char		*env_end;		/* end of env */
+	char		*env_file;		/* to store env */
+	FILE		*env_fp;		/* env_file handle */
+	Key		 key;			/* user's private key */
+	FILE		*pipe;			/* ssh-agent handle */
+	const PASSWD	*pwent;			/* user's passwd entry */
+	int		 retval;		/* from calls */
+	uid_t		 saved_uid;		/* caller's uid */
+	ENV		*ssh_env;		/* env handle */
+	const char	*tty;			/* tty or display name */
+	char		 hname[MAXHOSTNAMELEN];	/* local hostname */
+	char		 parse[BUFSIZ];		/* commands output */
+
+	/* dump output of ssh-agent in ~/.ssh */
+	if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
+	    (const void **)&pwent)) != PAM_SUCCESS)
+		return retval;
+	/* use the tty or X display name in the filename */
+	if ((retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty))
+	    != PAM_SUCCESS)
+		return retval;
+	if (*tty == ':' && gethostname(hname, sizeof hname) == 0) {
+		if (asprintf(&env_file, "%s/.ssh/agent-%s%s",
+		    pwent->pw_dir, hname, tty) == -1) {
+			syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+			return PAM_SERVICE_ERR;
+		}
+	} else if (asprintf(&env_file, "%s/.ssh/agent-%s", pwent->pw_dir,
+	    tty) == -1) {
+		syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+		return PAM_SERVICE_ERR;
+	}
+	/* save the filename so we can delete the file on session close */
+	if ((retval = pam_set_data(pamh, "ssh_agent_env", env_file,
+	    ssh_cleanup)) != PAM_SUCCESS) {
+		free(env_file);
+		return retval;
+	}
+	/* start the agent as the user */
+	saved_uid = geteuid();
+	(void)seteuid(pwent->pw_uid);
+	env_fp = fopen(env_file, "w");
+	pipe = popen(PATH_SSH_AGENT, "r");
+	(void)seteuid(saved_uid);
+	if (!pipe) {
+		syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT);
+		if (env_fp)
+			(void)fclose(env_fp);
+		return PAM_SESSION_ERR;
+	}
+	if (!(ssh_env = env_new()))
+		return PAM_SESSION_ERR;
+	if ((retval = pam_set_data(pamh, "ssh_env_handle", ssh_env,
+	    env_cleanup)) != PAM_SUCCESS)
+		return retval;
+	while (fgets(parse, sizeof parse, pipe)) {
+		if (env_fp)
+			(void)fputs(parse, env_fp);
+		/*
+		 * Save environment for application with pam_putenv()
+		 * but also with env_* functions for our own call to
+		 * ssh_get_authentication_connection().
+		 */
+		if (strchr(parse, '=') && (env_end = strchr(parse, ';'))) {
+			*env_end = '\0';
+			/* pass to the application ... */
+			if (!((retval = pam_putenv(pamh, parse)) ==
+			    PAM_SUCCESS)) {
+				(void)pclose(pipe);
+				if (env_fp)
+					(void)fclose(env_fp);
+				env_destroy(ssh_env);
+				return PAM_SERVICE_ERR;
+			}
+			env_put(ssh_env, parse);
+		}
+	}
+	if (env_fp)
+		(void)fclose(env_fp);
+	switch (retval = pclose(pipe)) {
+	case -1:
+		syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT);
+		env_destroy(ssh_env);
+		return PAM_SESSION_ERR;
+	case 0:
+		break;
+	case 127:
+		syslog(LOG_ERR, "%s: cannot execute %s", MODULE_NAME,
+		    PATH_SSH_AGENT);
+		env_destroy(ssh_env);
+		return PAM_SESSION_ERR;
+	default:
+		syslog(LOG_ERR, "%s: %s exited with status %d",
+		    MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval));
+		env_destroy(ssh_env);
+		return PAM_SESSION_ERR;
+	}
+	key.type = KEY_RSA;
+	/* connect to the agent and hand off the private key */
+	if ((retval = pam_get_data(pamh, "ssh_private_key",
+	    (const void **)&key.rsa)) != PAM_SUCCESS ||
+	    (retval = pam_get_data(pamh, "ssh_key_comment",
+	    (const void **)&comment)) != PAM_SUCCESS ||
+	    (retval = env_commit(ssh_env)) != PAM_SUCCESS) {
+		env_destroy(ssh_env);
+		return retval;
+	}
+	if (!(ac = ssh_get_authentication_connection())) {
+		syslog(LOG_ERR, "%s: could not connect to agent",
+		    MODULE_NAME);
+		env_destroy(ssh_env);
+		return PAM_SESSION_ERR;
+	}
+	retval = ssh_add_identity(ac, &key, comment);
+	ssh_close_authentication_connection(ac);
+	env_swap(ssh_env, 0);
+	return retval ? PAM_SUCCESS : PAM_SESSION_ERR;
+}
+
+
+PAM_EXTERN int
+pam_sm_close_session(
+	pam_handle_t	 *pamh,
+	int		  flags,
+	int		  argc,
+	const char	**argv)
+{
+	const char	*env_file;	/* ssh-agent environment */
+	int	 	 retval;	/* from calls */
+	ENV		*ssh_env;	/* env handle */
+
+	if ((retval = pam_get_data(pamh, "ssh_env_handle",
+	    (const void **)&ssh_env)) != PAM_SUCCESS)
+		return retval;
+	env_swap(ssh_env, 1);
+	/* kill the agent */
+	retval = system(PATH_SSH_AGENT " -k");
+	env_destroy(ssh_env);
+	switch (retval) {
+	case -1:
+		syslog(LOG_ERR, "%s: %s -k: %m", MODULE_NAME,
+		    PATH_SSH_AGENT);
+		return PAM_SESSION_ERR;
+	case 0:
+		break;
+	case 127:
+		syslog(LOG_ERR, "%s: cannot execute %s -k", MODULE_NAME,
+		    PATH_SSH_AGENT);
+		return PAM_SESSION_ERR;
+	default:
+		syslog(LOG_ERR, "%s: %s -k exited with status %d",
+		    MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval));
+		return PAM_SESSION_ERR;
+	}
+	/* retrieve environment filename, then remove the file */
+	if ((retval = pam_get_data(pamh, "ssh_agent_env",
+	    (const void **)&env_file)) != PAM_SUCCESS)
+		return retval;
+	(void)unlink(env_file);
+	return PAM_SUCCESS;
+}
+
+
+PAM_MODULE_ENTRY(MODULE_NAME);
diff --git a/crypto/openssh/pathnames.h b/crypto/openssh/pathnames.h
new file mode 100644
index 0000000..0b0f2d3
--- /dev/null
+++ b/crypto/openssh/pathnames.h
@@ -0,0 +1,112 @@
+/*	$OpenBSD: pathnames.h,v 1.5 2001/04/12 19:15:24 markus Exp $	*/
+/*	$FreeBSD$	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#define ETCDIR				"/etc/ssh"
+#define _PATH_SSH_PIDDIR		"/var/run"
+
+/*
+ * System-wide file containing host keys of known hosts.  This file should be
+ * world-readable.
+ */
+#define _PATH_SSH_SYSTEM_HOSTFILE	ETCDIR "/ssh_known_hosts"
+#define _PATH_SSH_SYSTEM_HOSTFILE2	ETCDIR "/ssh_known_hosts2"
+
+/*
+ * Of these, ssh_host_key must be readable only by root, whereas ssh_config
+ * should be world-readable.
+ */
+#define _PATH_SERVER_CONFIG_FILE	ETCDIR "/sshd_config"
+#define _PATH_HOST_CONFIG_FILE		ETCDIR "/ssh_config"
+#define _PATH_HOST_KEY_FILE		ETCDIR "/ssh_host_key"
+#define _PATH_HOST_DSA_KEY_FILE		ETCDIR "/ssh_host_dsa_key"
+#define _PATH_HOST_RSA_KEY_FILE		ETCDIR "/ssh_host_rsa_key"
+#define _PATH_DH_PRIMES			ETCDIR "/primes"
+
+#define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
+
+/*
+ * The process id of the daemon listening for connections is saved here to
+ * make it easier to kill the correct daemon when necessary.
+ */
+#define _PATH_SSH_DAEMON_PID_FILE	_PATH_SSH_PIDDIR "/sshd.pid"
+
+/*
+ * The directory in user\'s home directory in which the files reside. The
+ * directory should be world-readable (though not all files are).
+ */
+#define _PATH_SSH_USER_DIR		".ssh"
+
+/*
+ * Per-user file containing host keys of known hosts.  This file need not be
+ * readable by anyone except the user him/herself, though this does not
+ * contain anything particularly secret.
+ */
+#define _PATH_SSH_USER_HOSTFILE		"~/.ssh/known_hosts"
+#define _PATH_SSH_USER_HOSTFILE2	"~/.ssh/known_hosts2"
+
+/*
+ * Name of the default file containing client-side authentication key. This
+ * file should only be readable by the user him/herself.
+ */
+#define _PATH_SSH_CLIENT_IDENTITY	".ssh/identity"
+#define _PATH_SSH_CLIENT_ID_DSA		".ssh/id_dsa"
+#define _PATH_SSH_CLIENT_ID_RSA		".ssh/id_rsa"
+
+/*
+ * Configuration file in user\'s home directory.  This file need not be
+ * readable by anyone but the user him/herself, but does not contain anything
+ * particularly secret.  If the user\'s home directory resides on an NFS
+ * volume where root is mapped to nobody, this may need to be world-readable.
+ */
+#define _PATH_SSH_USER_CONFFILE		".ssh/config"
+
+/*
+ * File containing a list of those rsa keys that permit logging in as this
+ * user.  This file need not be readable by anyone but the user him/herself,
+ * but does not contain anything particularly secret.  If the user\'s home
+ * directory resides on an NFS volume where root is mapped to nobody, this
+ * may need to be world-readable.  (This file is read by the daemon which is
+ * running as root.)
+ */
+#define _PATH_SSH_USER_PERMITTED_KEYS	".ssh/authorized_keys"
+#define _PATH_SSH_USER_PERMITTED_KEYS2	".ssh/authorized_keys2"
+
+/*
+ * Per-user and system-wide ssh "rc" files.  These files are executed with
+ * /bin/sh before starting the shell or command if they exist.  They will be
+ * passed "proto cookie" as arguments if X11 forwarding with spoofing is in
+ * use.  xauth will be run if neither of these exists.
+ */
+#define _PATH_SSH_USER_RC		".ssh/rc"
+#define _PATH_SSH_SYSTEM_RC		ETCDIR "/sshrc"
+
+/*
+ * Ssh-only version of /etc/hosts.equiv.  Additionally, the daemon may use
+ * ~/.rhosts and /etc/hosts.equiv if rhosts authentication is enabled.
+ */
+#define _PATH_SSH_HOSTS_EQUIV		ETCDIR "/shosts.equiv"
+#define _PATH_RHOSTS_EQUIV		"/etc/hosts.equiv"
+
+/*
+ * Default location of askpass
+ */
+#define _PATH_SSH_ASKPASS_DEFAULT	"/usr/X11R6/bin/ssh-askpass"
+
+/* for scp */
+#define _PATH_CP			"cp"
+
+/* for sftp */
+#define _PATH_SFTP_SERVER		"/usr/libexec/sftp-server"
+#define _PATH_LS			"ls"
diff --git a/crypto/openssh/radix.c b/crypto/openssh/radix.c
new file mode 100644
index 0000000..3b149a8
--- /dev/null
+++ b/crypto/openssh/radix.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) 1999 Dug Song.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+#include "uuencode.h"
+
+RCSID("$OpenBSD: radix.c,v 1.15 2001/01/16 23:58:09 deraadt Exp $");
+
+#ifdef AFS
+#include <krb.h>
+
+typedef u_char my_u_char;
+typedef u_int my_u_int32_t;
+typedef u_short my_u_short;
+
+/* Nasty macros from BIND-4.9.2 */
+
+#define GETSHORT(s, cp) { \
+	register my_u_char *t_cp = (my_u_char *)(cp); \
+	(s) = (((my_u_short)t_cp[0]) << 8) \
+	    | (((my_u_short)t_cp[1])) \
+	    ; \
+	(cp) += 2; \
+}
+
+#define GETLONG(l, cp) { \
+	register my_u_char *t_cp = (my_u_char *)(cp); \
+	(l) = (((my_u_int32_t)t_cp[0]) << 24) \
+	    | (((my_u_int32_t)t_cp[1]) << 16) \
+	    | (((my_u_int32_t)t_cp[2]) << 8) \
+	    | (((my_u_int32_t)t_cp[3])) \
+	    ; \
+	(cp) += 4; \
+}
+
+#define PUTSHORT(s, cp) { \
+	register my_u_short t_s = (my_u_short)(s); \
+	register my_u_char *t_cp = (my_u_char *)(cp); \
+	*t_cp++ = t_s >> 8; \
+	*t_cp   = t_s; \
+	(cp) += 2; \
+}
+
+#define PUTLONG(l, cp) { \
+	register my_u_int32_t t_l = (my_u_int32_t)(l); \
+	register my_u_char *t_cp = (my_u_char *)(cp); \
+	*t_cp++ = t_l >> 24; \
+	*t_cp++ = t_l >> 16; \
+	*t_cp++ = t_l >> 8; \
+	*t_cp   = t_l; \
+	(cp) += 4; \
+}
+
+#define GETSTRING(s, p, p_l) {			\
+    register char *p_targ = (p) + p_l;		\
+    register char *s_c = (s);			\
+    register char *p_c = (p);			\
+    while (*p_c && (p_c < p_targ)) {		\
+	*s_c++ = *p_c++;			\
+    }						\
+    if (p_c == p_targ) {			\
+	return 1;				\
+    }						\
+    *s_c = *p_c++;				\
+    (p_l) = (p_l) - (p_c - (p));		\
+    (p) = p_c;					\
+}
+
+
+int
+creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
+{
+	char *p, *s;
+	int len;
+	char temp[2048];
+
+	p = temp;
+	*p++ = 1;		/* version */
+	s = creds->service;
+	while (*s)
+		*p++ = *s++;
+	*p++ = *s;
+	s = creds->instance;
+	while (*s)
+		*p++ = *s++;
+	*p++ = *s;
+	s = creds->realm;
+	while (*s)
+		*p++ = *s++;
+	*p++ = *s;
+
+	s = creds->pname;
+	while (*s)
+		*p++ = *s++;
+	*p++ = *s;
+	s = creds->pinst;
+	while (*s)
+		*p++ = *s++;
+	*p++ = *s;
+	/* Null string to repeat the realm. */
+	*p++ = '\0';
+
+	PUTLONG(creds->issue_date, p);
+	{
+		u_int endTime;
+		endTime = (u_int) krb_life_to_time(creds->issue_date,
+							  creds->lifetime);
+		PUTLONG(endTime, p);
+	}
+
+	memcpy(p, &creds->session, sizeof(creds->session));
+	p += sizeof(creds->session);
+
+	PUTSHORT(creds->kvno, p);
+	PUTLONG(creds->ticket_st.length, p);
+
+	memcpy(p, creds->ticket_st.dat, creds->ticket_st.length);
+	p += creds->ticket_st.length;
+	len = p - temp;
+
+	return (uuencode((u_char *)temp, len, (char *)buf, buflen));
+}
+
+int
+radix_to_creds(const char *buf, CREDENTIALS *creds)
+{
+
+	char *p;
+	int len, tl;
+	char version;
+	char temp[2048];
+
+	len = uudecode(buf, (u_char *)temp, sizeof(temp));
+	if (len < 0)
+		return 0;
+
+	p = temp;
+
+	/* check version and length! */
+	if (len < 1)
+		return 0;
+	version = *p;
+	p++;
+	len--;
+
+	GETSTRING(creds->service, p, len);
+	GETSTRING(creds->instance, p, len);
+	GETSTRING(creds->realm, p, len);
+
+	GETSTRING(creds->pname, p, len);
+	GETSTRING(creds->pinst, p, len);
+	/* Ignore possibly different realm. */
+	while (*p && len)
+		p++, len--;
+	if (len == 0)
+		return 0;
+	p++, len--;
+
+	/* Enough space for remaining fixed-length parts? */
+	if (len < (4 + 4 + sizeof(creds->session) + 2 + 4))
+		return 0;
+
+	GETLONG(creds->issue_date, p);
+	len -= 4;
+	{
+		u_int endTime;
+		GETLONG(endTime, p);
+		len -= 4;
+		creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
+	}
+
+	memcpy(&creds->session, p, sizeof(creds->session));
+	p += sizeof(creds->session);
+	len -= sizeof(creds->session);
+
+	GETSHORT(creds->kvno, p);
+	len -= 2;
+	GETLONG(creds->ticket_st.length, p);
+	len -= 4;
+
+	tl = creds->ticket_st.length;
+	if (tl < 0 || tl > len || tl > sizeof(creds->ticket_st.dat))
+		return 0;
+
+	memcpy(creds->ticket_st.dat, p, tl);
+	p += tl;
+	len -= tl;
+
+	return 1;
+}
+#endif /* AFS */
diff --git a/crypto/openssh/radix.h b/crypto/openssh/radix.h
new file mode 100644
index 0000000..57592d8
--- /dev/null
+++ b/crypto/openssh/radix.h
@@ -0,0 +1,28 @@
+/*	$OpenBSD: radix.h,v 1.2 2001/01/29 01:58:17 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1999 Dug Song.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+int     creds_to_radix(CREDENTIALS * creds, u_char *buf, size_t buflen);
+int     radix_to_creds(const char *buf, CREDENTIALS * creds);
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
new file mode 100644
index 0000000..47b4b48
--- /dev/null
+++ b/crypto/openssh/readconf.c
@@ -0,0 +1,901 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Functions for reading the configuration files.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: readconf.c,v 1.76 2001/04/17 10:53:25 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "ssh.h"
+#include "xmalloc.h"
+#include "compat.h"
+#include "cipher.h"
+#include "pathnames.h"
+#include "log.h"
+#include "readconf.h"
+#include "match.h"
+#include "misc.h"
+#include "kex.h"
+#include "mac.h"
+
+/* Format of the configuration file:
+
+   # Configuration data is parsed as follows:
+   #  1. command line options
+   #  2. user-specific file
+   #  3. system-wide file
+   # Any configuration value is only changed the first time it is set.
+   # Thus, host-specific definitions should be at the beginning of the
+   # configuration file, and defaults at the end.
+
+   # Host-specific declarations.  These may override anything above.  A single
+   # host may match multiple declarations; these are processed in the order
+   # that they are given in.
+
+   Host *.ngs.fi ngs.fi
+     FallBackToRsh no
+
+   Host fake.com
+     HostName another.host.name.real.org
+     User blaah
+     Port 34289
+     ForwardX11 no
+     ForwardAgent no
+
+   Host books.com
+     RemoteForward 9999 shadows.cs.hut.fi:9999
+     Cipher 3des
+
+   Host fascist.blob.com
+     Port 23123
+     User tylonen
+     RhostsAuthentication no
+     PasswordAuthentication no
+
+   Host puukko.hut.fi
+     User t35124p
+     ProxyCommand ssh-proxy %h %p
+
+   Host *.fr
+     UseRsh yes
+
+   Host *.su
+     Cipher none
+     PasswordAuthentication no
+
+   # Defaults for various options
+   Host *
+     ForwardAgent no
+     ForwardX11 no
+     RhostsAuthentication yes
+     PasswordAuthentication yes
+     RSAAuthentication yes
+     RhostsRSAAuthentication yes
+     FallBackToRsh no
+     UseRsh no
+     StrictHostKeyChecking yes
+     KeepAlives no
+     IdentityFile ~/.ssh/identity
+     Port 22
+     EscapeChar ~
+
+*/
+
+/* Keyword tokens. */
+
+typedef enum {
+	oBadOption,
+	oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
+	oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
+	oChallengeResponseAuthentication, oXAuthLocation,
+#if defined(KRB4) || defined(KRB5)
+	oKerberosAuthentication,
+#endif /* KRB4 */
+#ifdef KRB5
+	oKrb5TgtPassing,
+#endif /* KRB5 */
+#ifdef AFS
+	oKrb4TgtPassing, oAFSTokenPassing,
+#endif
+	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
+	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
+	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
+	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
+	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
+	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
+	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
+	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
+	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+	oHostKeyAlgorithms
+} OpCodes;
+
+/* Textual representations of the tokens. */
+
+static struct {
+	const char *name;
+	OpCodes opcode;
+} keywords[] = {
+	{ "forwardagent", oForwardAgent },
+	{ "forwardx11", oForwardX11 },
+	{ "xauthlocation", oXAuthLocation },
+	{ "gatewayports", oGatewayPorts },
+	{ "useprivilegedport", oUsePrivilegedPort },
+	{ "rhostsauthentication", oRhostsAuthentication },
+	{ "passwordauthentication", oPasswordAuthentication },
+	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
+	{ "kbdinteractivedevices", oKbdInteractiveDevices },
+	{ "rsaauthentication", oRSAAuthentication },
+	{ "pubkeyauthentication", oPubkeyAuthentication },
+	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
+	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
+	{ "hostbasedauthentication", oHostbasedAuthentication },
+	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
+	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
+#if defined(KRB4) || defined(KRB5)
+	{ "kerberosauthentication", oKerberosAuthentication },
+#endif /* KRB4 || KRB5 */
+#ifdef KRB5
+	{ "kerberos5tgtpassing", oKrb5TgtPassing },
+#endif /* KRB5 */
+#ifdef AFS
+	{ "kerberos4tgtpassing", oKrb4TgtPassing },
+	{ "afstokenpassing", oAFSTokenPassing },
+#endif
+	{ "fallbacktorsh", oFallBackToRsh },
+	{ "usersh", oUseRsh },
+	{ "identityfile", oIdentityFile },
+	{ "identityfile2", oIdentityFile },			/* alias */
+	{ "hostname", oHostName },
+	{ "hostkeyalias", oHostKeyAlias },
+	{ "proxycommand", oProxyCommand },
+	{ "port", oPort },
+	{ "cipher", oCipher },
+	{ "ciphers", oCiphers },
+	{ "macs", oMacs },
+	{ "protocol", oProtocol },
+	{ "remoteforward", oRemoteForward },
+	{ "localforward", oLocalForward },
+	{ "user", oUser },
+	{ "host", oHost },
+	{ "escapechar", oEscapeChar },
+	{ "globalknownhostsfile", oGlobalKnownHostsFile },
+	{ "userknownhostsfile", oUserKnownHostsFile },
+	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },
+	{ "userknownhostsfile2", oUserKnownHostsFile2 },
+	{ "connectionattempts", oConnectionAttempts },
+	{ "batchmode", oBatchMode },
+	{ "checkhostip", oCheckHostIP },
+	{ "stricthostkeychecking", oStrictHostKeyChecking },
+	{ "compression", oCompression },
+	{ "compressionlevel", oCompressionLevel },
+	{ "keepalive", oKeepAlives },
+	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
+	{ "loglevel", oLogLevel },
+	{ "dynamicforward", oDynamicForward },
+	{ "preferredauthentications", oPreferredAuthentications },
+	{ "hostkeyalgorithms", oHostKeyAlgorithms },
+	{ NULL, 0 }
+};
+
+/*
+ * Adds a local TCP/IP port forward to options.  Never returns if there is an
+ * error.
+ */
+
+void
+add_local_forward(Options *options, u_short port, const char *host,
+		  u_short host_port)
+{
+	Forward *fwd;
+	extern uid_t original_real_uid;
+	if (port < IPPORT_RESERVED && original_real_uid != 0)
+		fatal("Privileged ports can only be forwarded by root.");
+	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
+		fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
+	fwd = &options->local_forwards[options->num_local_forwards++];
+	fwd->port = port;
+	fwd->host = xstrdup(host);
+	fwd->host_port = host_port;
+}
+
+/*
+ * Adds a remote TCP/IP port forward to options.  Never returns if there is
+ * an error.
+ */
+
+void
+add_remote_forward(Options *options, u_short port, const char *host,
+		   u_short host_port)
+{
+	Forward *fwd;
+	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
+		fatal("Too many remote forwards (max %d).",
+		      SSH_MAX_FORWARDS_PER_DIRECTION);
+	fwd = &options->remote_forwards[options->num_remote_forwards++];
+	fwd->port = port;
+	fwd->host = xstrdup(host);
+	fwd->host_port = host_port;
+}
+
+/*
+ * Returns the number of the token pointed to by cp or oBadOption.
+ */
+
+static OpCodes
+parse_token(const char *cp, const char *filename, int linenum)
+{
+	u_int i;
+
+	for (i = 0; keywords[i].name; i++)
+		if (strcasecmp(cp, keywords[i].name) == 0)
+			return keywords[i].opcode;
+
+	error("%s: line %d: Bad configuration option: %s",
+	    filename, linenum, cp);
+	return oBadOption;
+}
+
+/*
+ * Processes a single option line as used in the configuration files. This
+ * only sets those values that have not already been set.
+ */
+
+int
+process_config_line(Options *options, const char *host,
+		    char *line, const char *filename, int linenum,
+		    int *activep)
+{
+	char buf[256], *s, *string, **charptr, *endofnumber, *keyword, *arg;
+	int opcode, *intptr, value;
+	u_short fwd_port, fwd_host_port;
+
+	s = line;
+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
+	keyword = strdelim(&s);
+	/* Ignore leading whitespace. */
+	if (*keyword == '\0')
+		keyword = strdelim(&s);
+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
+		return 0;
+
+	opcode = parse_token(keyword, filename, linenum);
+
+	switch (opcode) {
+	case oBadOption:
+		/* don't panic, but count bad options */
+		return -1;
+		/* NOTREACHED */
+	case oForwardAgent:
+		intptr = &options->forward_agent;
+parse_flag:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
+			value = 1;
+		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
+			value = 0;
+		else
+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
+	case oForwardX11:
+		intptr = &options->forward_x11;
+		goto parse_flag;
+
+	case oGatewayPorts:
+		intptr = &options->gateway_ports;
+		goto parse_flag;
+
+	case oUsePrivilegedPort:
+		intptr = &options->use_privileged_port;
+		goto parse_flag;
+
+	case oRhostsAuthentication:
+		intptr = &options->rhosts_authentication;
+		goto parse_flag;
+
+	case oPasswordAuthentication:
+		intptr = &options->password_authentication;
+		goto parse_flag;
+
+	case oKbdInteractiveAuthentication:
+		intptr = &options->kbd_interactive_authentication;
+		goto parse_flag;
+
+	case oKbdInteractiveDevices:
+		charptr = &options->kbd_interactive_devices;
+		goto parse_string;
+
+	case oPubkeyAuthentication:
+		intptr = &options->pubkey_authentication;
+		goto parse_flag;
+
+	case oRSAAuthentication:
+		intptr = &options->rsa_authentication;
+		goto parse_flag;
+
+	case oRhostsRSAAuthentication:
+		intptr = &options->rhosts_rsa_authentication;
+		goto parse_flag;
+
+	case oHostbasedAuthentication:
+		intptr = &options->hostbased_authentication;
+		goto parse_flag;
+
+#if defined(KRB4) || defined(KRB5)
+	case oKerberosAuthentication:
+		intptr = &options->kerberos_authentication;
+		goto parse_flag;
+#endif /* KRB4 || KRB5 */
+
+	case oChallengeResponseAuthentication:
+		intptr = &options->challenge_reponse_authentication;
+		goto parse_flag;
+
+#ifdef KRB5
+	case oKrb5TgtPassing:
+		intptr = &options->krb5_tgt_passing;
+		goto parse_flag;
+#endif /* KRB5 */
+
+#ifdef AFS
+	case oKrb4TgtPassing:
+		intptr = &options->krb4_tgt_passing;
+		goto parse_flag;
+
+	case oAFSTokenPassing:
+		intptr = &options->afs_token_passing;
+		goto parse_flag;
+#endif
+
+	case oFallBackToRsh:
+		intptr = &options->fallback_to_rsh;
+		goto parse_flag;
+
+	case oUseRsh:
+		intptr = &options->use_rsh;
+		goto parse_flag;
+
+	case oBatchMode:
+		intptr = &options->batch_mode;
+		goto parse_flag;
+
+	case oCheckHostIP:
+		intptr = &options->check_host_ip;
+		goto parse_flag;
+
+	case oStrictHostKeyChecking:
+		intptr = &options->strict_host_key_checking;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing yes/no/ask argument.",
+			      filename, linenum);
+		value = 0;	/* To avoid compiler warning... */
+		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
+			value = 1;
+		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
+			value = 0;
+		else if (strcmp(arg, "ask") == 0)
+			value = 2;
+		else
+			fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
+	case oCompression:
+		intptr = &options->compression;
+		goto parse_flag;
+
+	case oKeepAlives:
+		intptr = &options->keepalives;
+		goto parse_flag;
+
+	case oNumberOfPasswordPrompts:
+		intptr = &options->number_of_password_prompts;
+		goto parse_int;
+
+	case oCompressionLevel:
+		intptr = &options->compression_level;
+		goto parse_int;
+
+	case oIdentityFile:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (*activep) {
+			intptr = &options->num_identity_files;
+			if (*intptr >= SSH_MAX_IDENTITY_FILES)
+				fatal("%.200s line %d: Too many identity files specified (max %d).",
+				      filename, linenum, SSH_MAX_IDENTITY_FILES);
+			charptr =  &options->identity_files[*intptr];
+			*charptr = xstrdup(arg);
+			*intptr = *intptr + 1;
+		}
+		break;
+
+	case oXAuthLocation:
+		charptr=&options->xauth_location;
+		goto parse_string;
+
+	case oUser:
+		charptr = &options->user;
+parse_string:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (*activep && *charptr == NULL)
+			*charptr = xstrdup(arg);
+		break;
+
+	case oGlobalKnownHostsFile:
+		charptr = &options->system_hostfile;
+		goto parse_string;
+
+	case oUserKnownHostsFile:
+		charptr = &options->user_hostfile;
+		goto parse_string;
+
+	case oGlobalKnownHostsFile2:
+		charptr = &options->system_hostfile2;
+		goto parse_string;
+
+	case oUserKnownHostsFile2:
+		charptr = &options->user_hostfile2;
+		goto parse_string;
+
+	case oHostName:
+		charptr = &options->hostname;
+		goto parse_string;
+
+	case oHostKeyAlias:
+		charptr = &options->host_key_alias;
+		goto parse_string;
+
+	case oPreferredAuthentications:
+		charptr = &options->preferred_authentications;
+		goto parse_string;
+
+	case oProxyCommand:
+		charptr = &options->proxy_command;
+		string = xstrdup("");
+		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+			string = xrealloc(string, strlen(string) + strlen(arg) + 2);
+			strcat(string, " ");
+			strcat(string, arg);
+		}
+		if (*activep && *charptr == NULL)
+			*charptr = string;
+		else
+			xfree(string);
+		return 0;
+
+	case oPort:
+		intptr = &options->port;
+parse_int:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (arg[0] < '0' || arg[0] > '9')
+			fatal("%.200s line %d: Bad number.", filename, linenum);
+
+		/* Octal, decimal, or hex format? */
+		value = strtol(arg, &endofnumber, 0);
+		if (arg == endofnumber)
+			fatal("%.200s line %d: Bad number.", filename, linenum);
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
+	case oConnectionAttempts:
+		intptr = &options->connection_attempts;
+		goto parse_int;
+
+	case oCipher:
+		intptr = &options->cipher;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		value = cipher_number(arg);
+		if (value == -1)
+			fatal("%.200s line %d: Bad cipher '%s'.",
+			      filename, linenum, arg ? arg : "<NONE>");
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
+	case oCiphers:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (!ciphers_valid(arg))
+			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
+			      filename, linenum, arg ? arg : "<NONE>");
+		if (*activep && options->ciphers == NULL)
+			options->ciphers = xstrdup(arg);
+		break;
+
+	case oMacs:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (!mac_valid(arg))
+			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
+			      filename, linenum, arg ? arg : "<NONE>");
+		if (*activep && options->macs == NULL)
+			options->macs = xstrdup(arg);
+		break;
+
+	case oHostKeyAlgorithms:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (!key_names_valid2(arg))
+			fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
+			      filename, linenum, arg ? arg : "<NONE>");
+		if (*activep && options->hostkeyalgorithms == NULL)
+			options->hostkeyalgorithms = xstrdup(arg);
+		break;
+
+	case oProtocol:
+		intptr = &options->protocol;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		value = proto_spec(arg);
+		if (value == SSH_PROTO_UNKNOWN)
+			fatal("%.200s line %d: Bad protocol spec '%s'.",
+			      filename, linenum, arg ? arg : "<NONE>");
+		if (*activep && *intptr == SSH_PROTO_UNKNOWN)
+			*intptr = value;
+		break;
+
+	case oLogLevel:
+		intptr = (int *) &options->log_level;
+		arg = strdelim(&s);
+		value = log_level_number(arg);
+		if (value == (LogLevel) - 1)
+			fatal("%.200s line %d: unsupported log level '%s'",
+			      filename, linenum, arg ? arg : "<NONE>");
+		if (*activep && (LogLevel) * intptr == -1)
+			*intptr = (LogLevel) value;
+		break;
+
+	case oRemoteForward:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		fwd_port = a2port(arg);
+		if (fwd_port == 0)
+			fatal("%.200s line %d: Badly formatted port number.",
+			      filename, linenum);
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing second argument.",
+			      filename, linenum);
+		if (sscanf(arg, "%255[^:]:%hu", buf, &fwd_host_port) != 2)
+			fatal("%.200s line %d: Badly formatted host:port.",
+			      filename, linenum);
+		if (*activep)
+			add_remote_forward(options, fwd_port, buf, fwd_host_port);
+		break;
+
+	case oLocalForward:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		fwd_port = a2port(arg);
+		if (fwd_port == 0)
+			fatal("%.200s line %d: Badly formatted port number.",
+			      filename, linenum);
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing second argument.",
+			      filename, linenum);
+		if (sscanf(arg, "%255[^:]:%hu", buf, &fwd_host_port) != 2)
+			fatal("%.200s line %d: Badly formatted host:port.",
+			      filename, linenum);
+		if (*activep)
+			add_local_forward(options, fwd_port, buf, fwd_host_port);
+		break;
+
+	case oDynamicForward:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing port argument.",
+			    filename, linenum);
+		fwd_port = a2port(arg);
+		if (fwd_port == 0)
+			fatal("%.200s line %d: Badly formatted port number.",
+			    filename, linenum);
+		add_local_forward(options, fwd_port, "socks4", 0);
+		break;
+
+	case oHost:
+		*activep = 0;
+		while ((arg = strdelim(&s)) != NULL && *arg != '\0')
+			if (match_pattern(host, arg)) {
+				debug("Applying options for %.100s", arg);
+				*activep = 1;
+				break;
+			}
+		/* Avoid garbage check below, as strdelim is done. */
+		return 0;
+
+	case oEscapeChar:
+		intptr = &options->escape_char;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing argument.", filename, linenum);
+		if (arg[0] == '^' && arg[2] == 0 &&
+		    (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
+			value = (u_char) arg[1] & 31;
+		else if (strlen(arg) == 1)
+			value = (u_char) arg[0];
+		else if (strcmp(arg, "none") == 0)
+			value = -2;
+		else {
+			fatal("%.200s line %d: Bad escape character.",
+			      filename, linenum);
+			/* NOTREACHED */
+			value = 0;	/* Avoid compiler warning. */
+		}
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
+	default:
+		fatal("process_config_line: Unimplemented opcode %d", opcode);
+	}
+
+	/* Check that there is no garbage at end of line. */
+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
+		      filename, linenum, arg);
+	}
+	return 0;
+}
+
+
+/*
+ * Reads the config file and modifies the options accordingly.  Options
+ * should already be initialized before this call.  This never returns if
+ * there is an error.  If the file does not exist, this returns immediately.
+ */
+
+void
+read_config_file(const char *filename, const char *host, Options *options)
+{
+	FILE *f;
+	char line[1024];
+	int active, linenum;
+	int bad_options = 0;
+
+	/* Open the file. */
+	f = fopen(filename, "r");
+	if (!f)
+		return;
+
+	debug("Reading configuration data %.200s", filename);
+
+	/*
+	 * Mark that we are now processing the options.  This flag is turned
+	 * on/off by Host specifications.
+	 */
+	active = 1;
+	linenum = 0;
+	while (fgets(line, sizeof(line), f)) {
+		/* Update line number counter. */
+		linenum++;
+		if (process_config_line(options, host, line, filename, linenum, &active) != 0)
+			bad_options++;
+	}
+	fclose(f);
+	if (bad_options > 0)
+		fatal("%s: terminating, %d bad configuration options",
+		      filename, bad_options);
+}
+
+/*
+ * Initializes options to special values that indicate that they have not yet
+ * been set.  Read_config_file will only set options with this value. Options
+ * are processed in the following order: command line, user config file,
+ * system config file.  Last, fill_default_options is called.
+ */
+
+void
+initialize_options(Options * options)
+{
+	memset(options, 'X', sizeof(*options));
+	options->forward_agent = -1;
+	options->forward_x11 = -1;
+	options->xauth_location = NULL;
+	options->gateway_ports = -1;
+	options->use_privileged_port = -1;
+	options->rhosts_authentication = -1;
+	options->rsa_authentication = -1;
+	options->pubkey_authentication = -1;
+	options->challenge_reponse_authentication = -1;
+#if defined(KRB4) || defined(KRB5)
+	options->kerberos_authentication = -1;
+#endif
+#ifdef KRB5
+	options->krb5_tgt_passing = -1;
+#endif /* KRB5 */
+#ifdef AFS
+	options->krb4_tgt_passing = -1;
+	options->afs_token_passing = -1;
+#endif
+	options->password_authentication = -1;
+	options->kbd_interactive_authentication = -1;
+	options->kbd_interactive_devices = NULL;
+	options->rhosts_rsa_authentication = -1;
+	options->hostbased_authentication = -1;
+	options->fallback_to_rsh = -1;
+	options->use_rsh = -1;
+	options->batch_mode = -1;
+	options->check_host_ip = -1;
+	options->strict_host_key_checking = -1;
+	options->compression = -1;
+	options->keepalives = -1;
+	options->compression_level = -1;
+	options->port = -1;
+	options->connection_attempts = -1;
+	options->number_of_password_prompts = -1;
+	options->cipher = -1;
+	options->ciphers = NULL;
+	options->macs = NULL;
+	options->hostkeyalgorithms = NULL;
+	options->protocol = SSH_PROTO_UNKNOWN;
+	options->num_identity_files = 0;
+	options->hostname = NULL;
+	options->host_key_alias = NULL;
+	options->proxy_command = NULL;
+	options->user = NULL;
+	options->escape_char = -1;
+	options->system_hostfile = NULL;
+	options->user_hostfile = NULL;
+	options->system_hostfile2 = NULL;
+	options->user_hostfile2 = NULL;
+	options->num_local_forwards = 0;
+	options->num_remote_forwards = 0;
+	options->log_level = (LogLevel) - 1;
+	options->preferred_authentications = NULL;
+}
+
+/*
+ * Called after processing other sources of option data, this fills those
+ * options for which no value has been specified with their default values.
+ */
+
+void
+fill_default_options(Options * options)
+{
+	int len;
+
+	if (options->forward_agent == -1)
+		options->forward_agent = 0;
+	if (options->forward_x11 == -1)
+		options->forward_x11 = 0;
+#ifdef XAUTH_PATH
+	if (options->xauth_location == NULL)
+		options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
+	if (options->gateway_ports == -1)
+		options->gateway_ports = 0;
+	if (options->use_privileged_port == -1)
+		options->use_privileged_port = 0;
+	if (options->rhosts_authentication == -1)
+		options->rhosts_authentication = 1;
+	if (options->rsa_authentication == -1)
+		options->rsa_authentication = 1;
+	if (options->pubkey_authentication == -1)
+		options->pubkey_authentication = 1;
+	if (options->challenge_reponse_authentication == -1)
+		options->challenge_reponse_authentication = 0;
+#if defined(KRB4) || defined(KRB5)
+	if (options->kerberos_authentication == -1)
+		options->kerberos_authentication = 1;
+#endif /* KRB4 || KRB5 */
+#ifdef KRB5
+	if (options->krb5_tgt_passing == -1)
+		options->krb5_tgt_passing = 1;
+#endif /* KRB5 */
+#ifdef AFS
+	if (options->krb4_tgt_passing == -1)
+		options->krb4_tgt_passing = 1;
+	if (options->afs_token_passing == -1)
+		options->afs_token_passing = 1;
+#endif /* AFS */
+	if (options->password_authentication == -1)
+		options->password_authentication = 1;
+	if (options->kbd_interactive_authentication == -1)
+		options->kbd_interactive_authentication = 1;
+	if (options->rhosts_rsa_authentication == -1)
+		options->rhosts_rsa_authentication = 1;
+	if (options->hostbased_authentication == -1)
+		options->hostbased_authentication = 0;
+	if (options->fallback_to_rsh == -1)
+		options->fallback_to_rsh = 0;
+	if (options->use_rsh == -1)
+		options->use_rsh = 0;
+	if (options->batch_mode == -1)
+		options->batch_mode = 0;
+	if (options->check_host_ip == -1)
+		options->check_host_ip = 0;
+	if (options->strict_host_key_checking == -1)
+		options->strict_host_key_checking = 2;	/* 2 is default */
+	if (options->compression == -1)
+		options->compression = 0;
+	if (options->keepalives == -1)
+		options->keepalives = 1;
+	if (options->compression_level == -1)
+		options->compression_level = 6;
+	if (options->port == -1)
+		options->port = 0;	/* Filled in ssh_connect. */
+	if (options->connection_attempts == -1)
+		options->connection_attempts = 4;
+	if (options->number_of_password_prompts == -1)
+		options->number_of_password_prompts = 3;
+	/* Selected in ssh_login(). */
+	if (options->cipher == -1)
+		options->cipher = SSH_CIPHER_NOT_SET;
+	/* options->ciphers, default set in myproposals.h */
+	/* options->macs, default set in myproposals.h */
+	/* options->hostkeyalgorithms, default set in myproposals.h */
+	if (options->protocol == SSH_PROTO_UNKNOWN)
+		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+	if (options->num_identity_files == 0) {
+		if (options->protocol & SSH_PROTO_1) {
+			len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
+			options->identity_files[options->num_identity_files] =
+			    xmalloc(len);
+			snprintf(options->identity_files[options->num_identity_files++],
+			    len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
+		}
+		if (options->protocol & SSH_PROTO_2) {
+			len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
+			options->identity_files[options->num_identity_files] =
+			    xmalloc(len);
+			snprintf(options->identity_files[options->num_identity_files++],
+			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
+
+			len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
+			options->identity_files[options->num_identity_files] =
+			    xmalloc(len);
+			snprintf(options->identity_files[options->num_identity_files++],
+			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
+		}
+	}
+	if (options->escape_char == -1)
+		options->escape_char = '~';
+	if (options->system_hostfile == NULL)
+		options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
+	if (options->user_hostfile == NULL)
+		options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
+	if (options->system_hostfile2 == NULL)
+		options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
+	if (options->user_hostfile2 == NULL)
+		options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
+	if (options->log_level == (LogLevel) - 1)
+		options->log_level = SYSLOG_LEVEL_INFO;
+	/* options->proxy_command should not be set by default */
+	/* options->user will be set in the main program if appropriate */
+	/* options->hostname will be set in the main program if appropriate */
+	/* options->host_key_alias should not be set by default */
+	/* options->preferred_authentications will be set in ssh */
+}
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
new file mode 100644
index 0000000..f429f76
--- /dev/null
+++ b/crypto/openssh/readconf.h
@@ -0,0 +1,158 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Functions for reading the configuration file.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: readconf.h,v 1.30 2001/04/17 10:53:25 markus Exp $"); */
+/* RCSID("$FreeBSD$"); */
+
+#ifndef READCONF_H
+#define READCONF_H
+
+#include "key.h"
+
+/* Data structure for representing a forwarding request. */
+
+typedef struct {
+	u_short	  port;		/* Port to forward. */
+	char	 *host;		/* Host to connect. */
+	u_short	  host_port;	/* Port to connect on host. */
+}       Forward;
+/* Data structure for representing option data. */
+
+typedef struct {
+	int     forward_agent;	/* Forward authentication agent. */
+	int     forward_x11;	/* Forward X11 display. */
+	char   *xauth_location;	/* Location for xauth program */
+	int     gateway_ports;	/* Allow remote connects to forwarded ports. */
+	int     use_privileged_port;	/* Don't use privileged port if false. */
+	int     rhosts_authentication;	/* Try rhosts authentication. */
+	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
+						 * authentication. */
+	int     rsa_authentication;	/* Try RSA authentication. */
+	int     pubkey_authentication;	/* Try ssh2 pubkey authentication. */
+	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
+	int     challenge_reponse_authentication;
+					/* Try S/Key or TIS, authentication. */
+#if defined(KRB4) || defined(KRB5)
+	int     kerberos_authentication;	/* Try Kerberos
+						 * authentication. */
+#endif
+
+#ifdef KRB5
+	int	krb5_tgt_passing;
+#endif /* KRB5 */
+
+#ifdef AFS
+	int     krb4_tgt_passing;	/* Try Kerberos v4 tgt passing. */
+	int     afs_token_passing;	/* Try AFS token passing. */
+#endif
+	int     password_authentication;	/* Try password
+						 * authentication. */
+	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+	char	*kbd_interactive_devices; /* Keyboard-interactive auth devices. */
+	int     fallback_to_rsh;/* Use rsh if cannot connect with ssh. */
+	int     use_rsh;	/* Always use rsh (don\'t try ssh). */
+	int     batch_mode;	/* Batch mode: do not ask for passwords. */
+	int     check_host_ip;	/* Also keep track of keys for IP address */
+	int     strict_host_key_checking;	/* Strict host key checking. */
+	int     compression;	/* Compress packets in both directions. */
+	int     compression_level;	/* Compression level 1 (fast) to 9
+					 * (best). */
+	int     keepalives;	/* Set SO_KEEPALIVE. */
+	LogLevel log_level;	/* Level for logging. */
+
+	int     port;		/* Port to connect. */
+	int     connection_attempts;	/* Max attempts (seconds) before
+					 * giving up */
+	int     number_of_password_prompts;	/* Max number of password
+						 * prompts. */
+	int     cipher;		/* Cipher to use. */
+	char   *ciphers;	/* SSH2 ciphers in order of preference. */
+	char   *macs;		/* SSH2 macs in order of preference. */
+	char   *hostkeyalgorithms;	/* SSH2 server key types in order of preference. */
+	int	protocol;	/* Protocol in order of preference. */
+	char   *hostname;	/* Real host to connect. */
+	char   *host_key_alias;	/* hostname alias for .ssh/known_hosts */
+	char   *proxy_command;	/* Proxy command for connecting the host. */
+	char   *user;		/* User to log in as. */
+	int     escape_char;	/* Escape character; -2 = none */
+
+	char   *system_hostfile;/* Path for /etc/ssh_known_hosts. */
+	char   *user_hostfile;	/* Path for $HOME/.ssh/known_hosts. */
+	char   *system_hostfile2;
+	char   *user_hostfile2;
+	char   *preferred_authentications;
+
+	int     num_identity_files;	/* Number of files for RSA/DSA identities. */
+	char   *identity_files[SSH_MAX_IDENTITY_FILES];
+	Key    *identity_keys[SSH_MAX_IDENTITY_FILES];
+
+	/* Local TCP/IP forward requests. */
+	int     num_local_forwards;
+	Forward local_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
+
+	/* Remote TCP/IP forward requests. */
+	int     num_remote_forwards;
+	Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
+}       Options;
+
+
+/*
+ * Initializes options to special values that indicate that they have not yet
+ * been set.  Read_config_file will only set options with this value. Options
+ * are processed in the following order: command line, user config file,
+ * system config file.  Last, fill_default_options is called.
+ */
+void    initialize_options(Options * options);
+
+/*
+ * Called after processing other sources of option data, this fills those
+ * options for which no value has been specified with their default values.
+ */
+void    fill_default_options(Options * options);
+
+/*
+ * Processes a single option line as used in the configuration files. This
+ * only sets those values that have not already been set. Returns 0 for legal
+ * options
+ */
+int
+process_config_line(Options * options, const char *host,
+    char *line, const char *filename, int linenum,
+    int *activep);
+
+/*
+ * Reads the config file and modifies the options accordingly.  Options
+ * should already be initialized before this call.  This never returns if
+ * there is an error.  If the file does not exist, this returns immediately.
+ */
+void
+read_config_file(const char *filename, const char *host,
+    Options * options);
+
+/*
+ * Adds a local TCP/IP port forward to options.  Never returns if there is an
+ * error.
+ */
+void
+add_local_forward(Options * options, u_short port, const char *host,
+    u_short host_port);
+
+/*
+ * Adds a remote TCP/IP port forward to options.  Never returns if there is
+ * an error.
+ */
+void
+add_remote_forward(Options * options, u_short port, const char *host,
+    u_short host_port);
+
+#endif				/* READCONF_H */
diff --git a/crypto/openssh/readpass.c b/crypto/openssh/readpass.c
new file mode 100644
index 0000000..b5f5971
--- /dev/null
+++ b/crypto/openssh/readpass.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1988, 1993
+ *      The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: readpass.c,v 1.15 2001/04/18 21:57:41 markus Exp $");
+
+#include "xmalloc.h"
+#include "cli.h"
+#include "readpass.h"
+#include "pathnames.h"
+#include "log.h"
+#include "atomicio.h"
+#include "ssh.h"
+
+char *
+ssh_askpass(char *askpass, char *msg)
+{
+	pid_t pid;
+	size_t len;
+	char *nl, *pass;
+	int p[2], status;
+	char buf[1024];
+
+	if (fflush(stdout) != 0)
+		error("ssh_askpass: fflush: %s", strerror(errno));
+	if (askpass == NULL)
+		fatal("internal error: askpass undefined");
+	if (pipe(p) < 0)
+		fatal("ssh_askpass: pipe: %s", strerror(errno));
+	if ((pid = fork()) < 0)
+		fatal("ssh_askpass: fork: %s", strerror(errno));
+	if (pid == 0) {
+		seteuid(getuid());
+		setuid(getuid());
+		close(p[0]);
+		if (dup2(p[1], STDOUT_FILENO) < 0)
+			fatal("ssh_askpass: dup2: %s", strerror(errno));
+		execlp(askpass, askpass, msg, (char *) 0);
+		fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno));
+	}
+	close(p[1]);
+	len = read(p[0], buf, sizeof buf);
+	close(p[0]);
+	while (waitpid(pid, &status, 0) < 0)
+		if (errno != EINTR)
+			break;
+	if (len <= 1)
+		return xstrdup("");
+	nl = strchr(buf, '\n');
+	if (nl)
+		*nl = '\0';
+	pass = xstrdup(buf);
+	memset(buf, 0, sizeof(buf));
+	return pass;
+}
+
+
+/*
+ * Reads a passphrase from /dev/tty with echo turned off.  Returns the
+ * passphrase (allocated with xmalloc), being very careful to ensure that
+ * no other userland buffer is storing the password.
+ */
+/*
+ * Note:  the funcationallity of this routing has been moved to
+ * cli_read_passphrase().  This routing remains to maintain
+ * compatibility with existing code.
+ */
+char *
+read_passphrase(char *prompt, int from_stdin)
+{
+	char *askpass = NULL;
+	int use_askpass = 0, ttyfd;
+
+	if (from_stdin) {
+		if (!isatty(STDIN_FILENO))
+			use_askpass = 1;
+	} else {
+		ttyfd = open("/dev/tty", O_RDWR);
+		if (ttyfd >= 0)
+			close(ttyfd);
+		else
+			use_askpass = 1;
+	}
+
+	if (use_askpass && getenv("DISPLAY")) {
+		if (getenv(SSH_ASKPASS_ENV))
+			askpass = getenv(SSH_ASKPASS_ENV);
+		else
+			askpass = _PATH_SSH_ASKPASS_DEFAULT;
+		return ssh_askpass(askpass, prompt);
+	}
+
+	return cli_read_passphrase(prompt, from_stdin, 0);
+}
diff --git a/crypto/openssh/readpass.h b/crypto/openssh/readpass.h
new file mode 100644
index 0000000..d8da448
--- /dev/null
+++ b/crypto/openssh/readpass.h
@@ -0,0 +1,20 @@
+/*	$OpenBSD: readpass.h,v 1.2 2001/01/29 01:58:17 niklas Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/*
+ * Reads a passphrase from /dev/tty with echo turned off.  Returns the
+ * passphrase (allocated with xmalloc).  Exits if EOF is encountered. If
+ * from_stdin is true, the passphrase will be read from stdin instead.
+ */
+char   *read_passphrase(char *prompt, int from_stdin);
diff --git a/crypto/openssh/rijndael.c b/crypto/openssh/rijndael.c
new file mode 100644
index 0000000..98ecb55
--- /dev/null
+++ b/crypto/openssh/rijndael.c
@@ -0,0 +1,412 @@
+/*	$OpenBSD: rijndael.c,v 1.7 2001/02/04 15:32:24 stevesk Exp $	*/
+
+/* This is an independent implementation of the encryption algorithm:   */
+/*                                                                      */
+/*         RIJNDAEL by Joan Daemen and Vincent Rijmen                   */
+/*                                                                      */
+/* which is a candidate algorithm in the Advanced Encryption Standard   */
+/* programme of the US National Institute of Standards and Technology.  */
+/*                                                                      */
+/* Copyright in this implementation is held by Dr B R Gladman but I     */
+/* hereby give permission for its free direct or derivative use subject */
+/* to acknowledgment of its origin and compliance with any conditions   */
+/* that the originators of the algorithm place on its exploitation.     */
+/*                                                                      */
+/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999     */
+
+/* Timing data for Rijndael (rijndael.c)
+
+Algorithm: rijndael (rijndael.c)
+
+128 bit key:
+Key Setup:    305/1389 cycles (encrypt/decrypt)
+Encrypt:       374 cycles =    68.4 mbits/sec
+Decrypt:       352 cycles =    72.7 mbits/sec
+Mean:          363 cycles =    70.5 mbits/sec
+
+192 bit key:
+Key Setup:    277/1595 cycles (encrypt/decrypt)
+Encrypt:       439 cycles =    58.3 mbits/sec
+Decrypt:       425 cycles =    60.2 mbits/sec
+Mean:          432 cycles =    59.3 mbits/sec
+
+256 bit key:
+Key Setup:    374/1960 cycles (encrypt/decrypt)
+Encrypt:       502 cycles =    51.0 mbits/sec
+Decrypt:       498 cycles =    51.4 mbits/sec
+Mean:          500 cycles =    51.2 mbits/sec
+
+*/
+
+#include <sys/types.h>
+#include "rijndael.h"
+
+void gen_tabs	__P((void));
+
+/* 3. Basic macros for speeding up generic operations               */
+
+/* Circular rotate of 32 bit values                                 */
+
+#define rotr(x,n)   (((x) >> ((int)(n))) | ((x) << (32 - (int)(n))))
+#define rotl(x,n)   (((x) << ((int)(n))) | ((x) >> (32 - (int)(n))))
+
+/* Invert byte order in a 32 bit variable                           */
+
+#define bswap(x)    ((rotl(x, 8) & 0x00ff00ff) | (rotr(x, 8) & 0xff00ff00))
+
+/* Extract byte from a 32 bit quantity (little endian notation)     */
+
+#define byte(x,n)   ((u1byte)((x) >> (8 * n)))
+
+#if BYTE_ORDER != LITTLE_ENDIAN
+#define BYTE_SWAP
+#endif
+
+#ifdef  BYTE_SWAP
+#define io_swap(x)  bswap(x)
+#else
+#define io_swap(x)  (x)
+#endif
+
+#define LARGE_TABLES
+
+u1byte  pow_tab[256];
+u1byte  log_tab[256];
+u1byte  sbx_tab[256];
+u1byte  isb_tab[256];
+u4byte  rco_tab[ 10];
+u4byte  ft_tab[4][256];
+u4byte  it_tab[4][256];
+
+#ifdef  LARGE_TABLES
+  u4byte  fl_tab[4][256];
+  u4byte  il_tab[4][256];
+#endif
+
+u4byte  tab_gen = 0;
+
+#define ff_mult(a,b)    (a && b ? pow_tab[(log_tab[a] + log_tab[b]) % 255] : 0)
+
+#define f_rn(bo, bi, n, k)                          \
+    bo[n] =  ft_tab[0][byte(bi[n],0)] ^             \
+	     ft_tab[1][byte(bi[(n + 1) & 3],1)] ^   \
+	     ft_tab[2][byte(bi[(n + 2) & 3],2)] ^   \
+	     ft_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
+
+#define i_rn(bo, bi, n, k)                          \
+    bo[n] =  it_tab[0][byte(bi[n],0)] ^             \
+	     it_tab[1][byte(bi[(n + 3) & 3],1)] ^   \
+	     it_tab[2][byte(bi[(n + 2) & 3],2)] ^   \
+	     it_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
+
+#ifdef LARGE_TABLES
+
+#define ls_box(x)                \
+    ( fl_tab[0][byte(x, 0)] ^    \
+      fl_tab[1][byte(x, 1)] ^    \
+      fl_tab[2][byte(x, 2)] ^    \
+      fl_tab[3][byte(x, 3)] )
+
+#define f_rl(bo, bi, n, k)                          \
+    bo[n] =  fl_tab[0][byte(bi[n],0)] ^             \
+	     fl_tab[1][byte(bi[(n + 1) & 3],1)] ^   \
+	     fl_tab[2][byte(bi[(n + 2) & 3],2)] ^   \
+	     fl_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
+
+#define i_rl(bo, bi, n, k)                          \
+    bo[n] =  il_tab[0][byte(bi[n],0)] ^             \
+	     il_tab[1][byte(bi[(n + 3) & 3],1)] ^   \
+	     il_tab[2][byte(bi[(n + 2) & 3],2)] ^   \
+	     il_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
+
+#else
+
+#define ls_box(x)                            \
+    ((u4byte)sbx_tab[byte(x, 0)] <<  0) ^    \
+    ((u4byte)sbx_tab[byte(x, 1)] <<  8) ^    \
+    ((u4byte)sbx_tab[byte(x, 2)] << 16) ^    \
+    ((u4byte)sbx_tab[byte(x, 3)] << 24)
+
+#define f_rl(bo, bi, n, k)                                      \
+    bo[n] = (u4byte)sbx_tab[byte(bi[n],0)] ^                    \
+	rotl(((u4byte)sbx_tab[byte(bi[(n + 1) & 3],1)]),  8) ^  \
+	rotl(((u4byte)sbx_tab[byte(bi[(n + 2) & 3],2)]), 16) ^  \
+	rotl(((u4byte)sbx_tab[byte(bi[(n + 3) & 3],3)]), 24) ^ *(k + n)
+
+#define i_rl(bo, bi, n, k)                                      \
+    bo[n] = (u4byte)isb_tab[byte(bi[n],0)] ^                    \
+	rotl(((u4byte)isb_tab[byte(bi[(n + 3) & 3],1)]),  8) ^  \
+	rotl(((u4byte)isb_tab[byte(bi[(n + 2) & 3],2)]), 16) ^  \
+	rotl(((u4byte)isb_tab[byte(bi[(n + 1) & 3],3)]), 24) ^ *(k + n)
+
+#endif
+
+void
+gen_tabs(void)
+{
+	u4byte  i, t;
+	u1byte  p, q;
+
+	/* log and power tables for GF(2**8) finite field with  */
+	/* 0x11b as modular polynomial - the simplest prmitive  */
+	/* root is 0x11, used here to generate the tables       */
+
+	for(i = 0,p = 1; i < 256; ++i) {
+		pow_tab[i] = (u1byte)p; log_tab[p] = (u1byte)i;
+
+		p = p ^ (p << 1) ^ (p & 0x80 ? 0x01b : 0);
+	}
+
+	log_tab[1] = 0; p = 1;
+
+	for(i = 0; i < 10; ++i) {
+		rco_tab[i] = p;
+
+		p = (p << 1) ^ (p & 0x80 ? 0x1b : 0);
+	}
+
+	/* note that the affine byte transformation matrix in   */
+	/* rijndael specification is in big endian format with  */
+	/* bit 0 as the most significant bit. In the remainder  */
+	/* of the specification the bits are numbered from the  */
+	/* least significant end of a byte.                     */
+
+	for(i = 0; i < 256; ++i) {
+		p = (i ? pow_tab[255 - log_tab[i]] : 0); q = p;
+		q = (q >> 7) | (q << 1); p ^= q;
+		q = (q >> 7) | (q << 1); p ^= q;
+		q = (q >> 7) | (q << 1); p ^= q;
+		q = (q >> 7) | (q << 1); p ^= q ^ 0x63;
+		sbx_tab[i] = (u1byte)p; isb_tab[p] = (u1byte)i;
+	}
+
+	for(i = 0; i < 256; ++i) {
+		p = sbx_tab[i];
+
+#ifdef  LARGE_TABLES
+
+		t = p; fl_tab[0][i] = t;
+		fl_tab[1][i] = rotl(t,  8);
+		fl_tab[2][i] = rotl(t, 16);
+		fl_tab[3][i] = rotl(t, 24);
+#endif
+		t = ((u4byte)ff_mult(2, p)) |
+			((u4byte)p <<  8) |
+			((u4byte)p << 16) |
+			((u4byte)ff_mult(3, p) << 24);
+
+		ft_tab[0][i] = t;
+		ft_tab[1][i] = rotl(t,  8);
+		ft_tab[2][i] = rotl(t, 16);
+		ft_tab[3][i] = rotl(t, 24);
+
+		p = isb_tab[i];
+
+#ifdef  LARGE_TABLES
+
+		t = p; il_tab[0][i] = t;
+		il_tab[1][i] = rotl(t,  8);
+		il_tab[2][i] = rotl(t, 16);
+		il_tab[3][i] = rotl(t, 24);
+#endif
+		t = ((u4byte)ff_mult(14, p)) |
+			((u4byte)ff_mult( 9, p) <<  8) |
+			((u4byte)ff_mult(13, p) << 16) |
+			((u4byte)ff_mult(11, p) << 24);
+
+		it_tab[0][i] = t;
+		it_tab[1][i] = rotl(t,  8);
+		it_tab[2][i] = rotl(t, 16);
+		it_tab[3][i] = rotl(t, 24);
+	}
+
+	tab_gen = 1;
+}
+
+#define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b)
+
+#define imix_col(y,x)       \
+    u   = star_x(x);        \
+    v   = star_x(u);        \
+    w   = star_x(v);        \
+    t   = w ^ (x);          \
+   (y)  = u ^ v ^ w;        \
+   (y) ^= rotr(u ^ t,  8) ^ \
+	  rotr(v ^ t, 16) ^ \
+	  rotr(t,24)
+
+/* initialise the key schedule from the user supplied key   */
+
+#define loop4(i)                                    \
+{   t = ls_box(rotr(t,  8)) ^ rco_tab[i];           \
+    t ^= e_key[4 * i];     e_key[4 * i + 4] = t;    \
+    t ^= e_key[4 * i + 1]; e_key[4 * i + 5] = t;    \
+    t ^= e_key[4 * i + 2]; e_key[4 * i + 6] = t;    \
+    t ^= e_key[4 * i + 3]; e_key[4 * i + 7] = t;    \
+}
+
+#define loop6(i)                                    \
+{   t = ls_box(rotr(t,  8)) ^ rco_tab[i];           \
+    t ^= e_key[6 * i];     e_key[6 * i + 6] = t;    \
+    t ^= e_key[6 * i + 1]; e_key[6 * i + 7] = t;    \
+    t ^= e_key[6 * i + 2]; e_key[6 * i + 8] = t;    \
+    t ^= e_key[6 * i + 3]; e_key[6 * i + 9] = t;    \
+    t ^= e_key[6 * i + 4]; e_key[6 * i + 10] = t;   \
+    t ^= e_key[6 * i + 5]; e_key[6 * i + 11] = t;   \
+}
+
+#define loop8(i)                                    \
+{   t = ls_box(rotr(t,  8)) ^ rco_tab[i];           \
+    t ^= e_key[8 * i];     e_key[8 * i + 8] = t;    \
+    t ^= e_key[8 * i + 1]; e_key[8 * i + 9] = t;    \
+    t ^= e_key[8 * i + 2]; e_key[8 * i + 10] = t;   \
+    t ^= e_key[8 * i + 3]; e_key[8 * i + 11] = t;   \
+    t  = e_key[8 * i + 4] ^ ls_box(t);              \
+    e_key[8 * i + 12] = t;                          \
+    t ^= e_key[8 * i + 5]; e_key[8 * i + 13] = t;   \
+    t ^= e_key[8 * i + 6]; e_key[8 * i + 14] = t;   \
+    t ^= e_key[8 * i + 7]; e_key[8 * i + 15] = t;   \
+}
+
+rijndael_ctx *
+rijndael_set_key(rijndael_ctx *ctx, const u4byte *in_key, const u4byte key_len,
+		 int encrypt)
+{
+	u4byte  i, t, u, v, w;
+	u4byte *e_key = ctx->e_key;
+	u4byte *d_key = ctx->d_key;
+
+	ctx->decrypt = !encrypt;
+
+	if(!tab_gen)
+		gen_tabs();
+
+	ctx->k_len = (key_len + 31) / 32;
+
+	e_key[0] = io_swap(in_key[0]); e_key[1] = io_swap(in_key[1]);
+	e_key[2] = io_swap(in_key[2]); e_key[3] = io_swap(in_key[3]);
+
+	switch(ctx->k_len) {
+	case 4: t = e_key[3];
+		for(i = 0; i < 10; ++i)
+			loop4(i);
+		break;
+
+	case 6: e_key[4] = io_swap(in_key[4]); t = e_key[5] = io_swap(in_key[5]);
+		for(i = 0; i < 8; ++i)
+			loop6(i);
+		break;
+
+	case 8: e_key[4] = io_swap(in_key[4]); e_key[5] = io_swap(in_key[5]);
+		e_key[6] = io_swap(in_key[6]); t = e_key[7] = io_swap(in_key[7]);
+		for(i = 0; i < 7; ++i)
+			loop8(i);
+		break;
+	}
+
+	if (!encrypt) {
+		d_key[0] = e_key[0]; d_key[1] = e_key[1];
+		d_key[2] = e_key[2]; d_key[3] = e_key[3];
+
+		for(i = 4; i < 4 * ctx->k_len + 24; ++i) {
+			imix_col(d_key[i], e_key[i]);
+		}
+	}
+
+	return ctx;
+}
+
+/* encrypt a block of text  */
+
+#define f_nround(bo, bi, k) \
+    f_rn(bo, bi, 0, k);     \
+    f_rn(bo, bi, 1, k);     \
+    f_rn(bo, bi, 2, k);     \
+    f_rn(bo, bi, 3, k);     \
+    k += 4
+
+#define f_lround(bo, bi, k) \
+    f_rl(bo, bi, 0, k);     \
+    f_rl(bo, bi, 1, k);     \
+    f_rl(bo, bi, 2, k);     \
+    f_rl(bo, bi, 3, k)
+
+void
+rijndael_encrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk)
+{
+	u4byte k_len = ctx->k_len;
+	u4byte *e_key = ctx->e_key;
+	u4byte  b0[4], b1[4], *kp;
+
+	b0[0] = io_swap(in_blk[0]) ^ e_key[0];
+	b0[1] = io_swap(in_blk[1]) ^ e_key[1];
+	b0[2] = io_swap(in_blk[2]) ^ e_key[2];
+	b0[3] = io_swap(in_blk[3]) ^ e_key[3];
+
+	kp = e_key + 4;
+
+	if(k_len > 6) {
+		f_nround(b1, b0, kp); f_nround(b0, b1, kp);
+	}
+
+	if(k_len > 4) {
+		f_nround(b1, b0, kp); f_nround(b0, b1, kp);
+	}
+
+	f_nround(b1, b0, kp); f_nround(b0, b1, kp);
+	f_nround(b1, b0, kp); f_nround(b0, b1, kp);
+	f_nround(b1, b0, kp); f_nround(b0, b1, kp);
+	f_nround(b1, b0, kp); f_nround(b0, b1, kp);
+	f_nround(b1, b0, kp); f_lround(b0, b1, kp);
+
+	out_blk[0] = io_swap(b0[0]); out_blk[1] = io_swap(b0[1]);
+	out_blk[2] = io_swap(b0[2]); out_blk[3] = io_swap(b0[3]);
+}
+
+/* decrypt a block of text  */
+
+#define i_nround(bo, bi, k) \
+    i_rn(bo, bi, 0, k);     \
+    i_rn(bo, bi, 1, k);     \
+    i_rn(bo, bi, 2, k);     \
+    i_rn(bo, bi, 3, k);     \
+    k -= 4
+
+#define i_lround(bo, bi, k) \
+    i_rl(bo, bi, 0, k);     \
+    i_rl(bo, bi, 1, k);     \
+    i_rl(bo, bi, 2, k);     \
+    i_rl(bo, bi, 3, k)
+
+void
+rijndael_decrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk)
+{
+	u4byte  b0[4], b1[4], *kp;
+	u4byte k_len = ctx->k_len;
+	u4byte *e_key = ctx->e_key;
+	u4byte *d_key = ctx->d_key;
+
+	b0[0] = io_swap(in_blk[0]) ^ e_key[4 * k_len + 24];
+	b0[1] = io_swap(in_blk[1]) ^ e_key[4 * k_len + 25];
+	b0[2] = io_swap(in_blk[2]) ^ e_key[4 * k_len + 26];
+	b0[3] = io_swap(in_blk[3]) ^ e_key[4 * k_len + 27];
+
+	kp = d_key + 4 * (k_len + 5);
+
+	if(k_len > 6) {
+		i_nround(b1, b0, kp); i_nround(b0, b1, kp);
+	}
+
+	if(k_len > 4) {
+		i_nround(b1, b0, kp); i_nround(b0, b1, kp);
+	}
+
+	i_nround(b1, b0, kp); i_nround(b0, b1, kp);
+	i_nround(b1, b0, kp); i_nround(b0, b1, kp);
+	i_nround(b1, b0, kp); i_nround(b0, b1, kp);
+	i_nround(b1, b0, kp); i_nround(b0, b1, kp);
+	i_nround(b1, b0, kp); i_lround(b0, b1, kp);
+
+	out_blk[0] = io_swap(b0[0]); out_blk[1] = io_swap(b0[1]);
+	out_blk[2] = io_swap(b0[2]); out_blk[3] = io_swap(b0[3]);
+}
diff --git a/crypto/openssh/rijndael.h b/crypto/openssh/rijndael.h
new file mode 100644
index 0000000..66e0bbe
--- /dev/null
+++ b/crypto/openssh/rijndael.h
@@ -0,0 +1,47 @@
+/*	$OpenBSD: rijndael.h,v 1.7 2001/03/01 03:38:33 deraadt Exp $	*/
+
+/* This is an independent implementation of the encryption algorithm:   */
+/*                                                                      */
+/*         RIJNDAEL by Joan Daemen and Vincent Rijmen                   */
+/*                                                                      */
+/* which is a candidate algorithm in the Advanced Encryption Standard   */
+/* programme of the US National Institute of Standards and Technology.  */
+/*                                                                      */
+/* Copyright in this implementation is held by Dr B R Gladman but I     */
+/* hereby give permission for its free direct or derivative use subject */
+/* to acknowledgment of its origin and compliance with any conditions   */
+/* that the originators of the algorithm place on its exploitation.     */
+/*                                                                      */
+/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999     */
+
+#ifndef _RIJNDAEL_H_
+#define _RIJNDAEL_H_
+
+/* 1. Standard types for AES cryptography source code               */
+
+typedef u_int8_t   u1byte; /* an 8 bit unsigned character type */
+typedef u_int16_t  u2byte; /* a 16 bit unsigned integer type   */
+typedef u_int32_t  u4byte; /* a 32 bit unsigned integer type   */
+
+typedef int8_t     s1byte; /* an 8 bit signed character type   */
+typedef int16_t    s2byte; /* a 16 bit signed integer type     */
+typedef int32_t    s4byte; /* a 32 bit signed integer type     */
+
+typedef struct _rijndael_ctx {
+	u4byte  k_len;
+	int decrypt;
+	u4byte  e_key[64];
+	u4byte  d_key[64];
+} rijndael_ctx;
+
+
+/* 2. Standard interface for AES cryptographic routines             */
+
+/* These are all based on 32 bit unsigned values and will therefore */
+/* require endian conversions for big-endian architectures          */
+
+rijndael_ctx *rijndael_set_key  __P((rijndael_ctx *, const u4byte *, u4byte, int));
+void rijndael_encrypt __P((rijndael_ctx *, const u4byte *, u4byte *));
+void rijndael_decrypt __P((rijndael_ctx *, const u4byte *, u4byte *));
+
+#endif /* _RIJNDAEL_H_ */
diff --git a/crypto/openssh/rsa.c b/crypto/openssh/rsa.c
new file mode 100644
index 0000000..357272b
--- /dev/null
+++ b/crypto/openssh/rsa.c
@@ -0,0 +1,142 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
+ * Copyright (c) 1999 Niels Provos.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ *
+ * Description of the RSA algorithm can be found e.g. from the following
+ * sources:
+ *
+ *   Bruce Schneier: Applied Cryptography.  John Wiley & Sons, 1994.
+ *
+ *   Jennifer Seberry and Josed Pieprzyk: Cryptography: An Introduction to
+ *   Computer Security.  Prentice-Hall, 1989.
+ *
+ *   Man Young Rhee: Cryptography and Secure Data Communications.  McGraw-Hill,
+ *   1994.
+ *
+ *   R. Rivest, A. Shamir, and L. M. Adleman: Cryptographic Communications
+ *   System and Method.  US Patent 4,405,829, 1983.
+ *
+ *   Hans Riesel: Prime Numbers and Computer Methods for Factorization.
+ *   Birkhauser, 1994.
+ *
+ *   The RSA Frequently Asked Questions document by RSA Data Security,
+ *   Inc., 1995.
+ *
+ *   RSA in 3 lines of perl by Adam Back <aba@atlax.ex.ac.uk>, 1995, as
+ * included below:
+ *
+ *     [gone - had to be deleted - what a pity]
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: rsa.c,v 1.22 2001/03/26 23:23:23 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "rsa.h"
+#include "log.h"
+#include "xmalloc.h"
+
+void
+rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
+{
+	u_char *inbuf, *outbuf;
+	int len, ilen, olen;
+
+	if (BN_num_bits(key->e) < 2 || !BN_is_odd(key->e))
+		fatal("rsa_public_encrypt() exponent too small or not odd");
+
+	olen = BN_num_bytes(key->n);
+	outbuf = xmalloc(olen);
+
+	ilen = BN_num_bytes(in);
+	inbuf = xmalloc(ilen);
+	BN_bn2bin(in, inbuf);
+
+	if ((len = RSA_public_encrypt(ilen, inbuf, outbuf, key,
+	    RSA_PKCS1_PADDING)) <= 0)
+		fatal("rsa_public_encrypt() failed");
+
+	BN_bin2bn(outbuf, len, out);
+
+	memset(outbuf, 0, olen);
+	memset(inbuf, 0, ilen);
+	xfree(outbuf);
+	xfree(inbuf);
+}
+
+int
+rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
+{
+	u_char *inbuf, *outbuf;
+	int len, ilen, olen;
+
+	olen = BN_num_bytes(key->n);
+	outbuf = xmalloc(olen);
+
+	ilen = BN_num_bytes(in);
+	inbuf = xmalloc(ilen);
+	BN_bn2bin(in, inbuf);
+
+	if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key,
+	    RSA_PKCS1_PADDING)) <= 0) {
+		error("rsa_private_decrypt() failed");
+	} else {
+		BN_bin2bn(outbuf, len, out);
+	}
+	memset(outbuf, 0, olen);
+	memset(inbuf, 0, ilen);
+	xfree(outbuf);
+	xfree(inbuf);
+	return len;
+}
+
+void
+generate_additional_parameters(RSA *rsa)
+{
+	BIGNUM *aux;
+	BN_CTX *ctx;
+	/* Generate additional parameters */
+	aux = BN_new();
+	ctx = BN_CTX_new();
+
+	BN_sub(aux, rsa->q, BN_value_one());
+	BN_mod(rsa->dmq1, rsa->d, aux, ctx);
+
+	BN_sub(aux, rsa->p, BN_value_one());
+	BN_mod(rsa->dmp1, rsa->d, aux, ctx);
+
+	BN_clear_free(aux);
+	BN_CTX_free(ctx);
+}
+
diff --git a/crypto/openssh/rsa.h b/crypto/openssh/rsa.h
new file mode 100644
index 0000000..f5e0c96
--- /dev/null
+++ b/crypto/openssh/rsa.h
@@ -0,0 +1,28 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * RSA key generation, encryption and decryption.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: rsa.h,v 1.11 2001/03/26 23:23:24 markus Exp $"); */
+/* RCSID("$FreeBSD$"); */
+
+#ifndef RSA_H
+#define RSA_H
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+
+void rsa_public_encrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
+int rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
+
+void generate_additional_parameters __P((RSA *rsa));
+
+#endif				/* RSA_H */
diff --git a/crypto/openssh/scp-common.c b/crypto/openssh/scp-common.c
new file mode 100644
index 0000000..7e5f09c
--- /dev/null
+++ b/crypto/openssh/scp-common.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+ * Copyright (c) 1999 Aaron Campbell.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Parts from:
+ *
+ * Copyright (c) 1983, 1990, 1992, 1993, 1995
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: scp-common.c,v 1.1 2001/04/16 02:31:43 mouring Exp $");
+
+char *
+cleanhostname(host)
+	char *host;
+{
+	if (*host == '[' && host[strlen(host) - 1] == ']') {
+		host[strlen(host) - 1] = '\0';
+		return (host + 1);
+	} else
+		return host;
+}
+
+char *
+colon(cp)
+	char *cp;
+{
+	int flag = 0;
+
+	if (*cp == ':')		/* Leading colon is part of file name. */
+		return (0);
+	if (*cp == '[')
+		flag = 1;
+
+	for (; *cp; ++cp) {
+		if (*cp == '@' && *(cp+1) == '[')
+			flag = 1;
+		if (*cp == ']' && *(cp+1) == ':' && flag)
+			return (cp+1);
+		if (*cp == ':' && !flag)
+			return (cp);
+		if (*cp == '/')
+			return (0);
+	}
+	return (0);
+}
diff --git a/crypto/openssh/scp-common.h b/crypto/openssh/scp-common.h
new file mode 100644
index 0000000..e0ab6ec
--- /dev/null
+++ b/crypto/openssh/scp-common.h
@@ -0,0 +1,64 @@
+/* $OpenBSD: scp-common.h,v 1.1 2001/04/16 02:31:43 mouring Exp $ */
+/*
+ * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+ * Copyright (c) 1999 Aaron Campbell.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Parts from:
+ *
+ * Copyright (c) 1983, 1990, 1992, 1993, 1995
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+char *cleanhostname(char *host);
+char *colon(char *cp);
diff --git a/crypto/openssh/scp.1 b/crypto/openssh/scp.1
new file mode 100644
index 0000000..10e67aa3
--- /dev/null
+++ b/crypto/openssh/scp.1
@@ -0,0 +1,137 @@
+.\"  -*- nroff -*-
+.\"
+.\" scp.1
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\"
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" Created: Sun May  7 00:14:37 1995 ylo
+.\"
+.\" $OpenBSD: scp.1,v 1.14 2001/02/04 11:11:53 djm Exp $
+.\"
+.Dd September 25, 1999
+.Dt SCP 1
+.Os
+.Sh NAME
+.Nm scp
+.Nd secure copy (remote file copy program)
+.Sh SYNOPSIS
+.Nm scp
+.Op Fl pqrvC46
+.Op Fl S Ar program
+.Op Fl P Ar port
+.Op Fl c Ar cipher
+.Op Fl i Ar identity_file
+.Op Fl o Ar option
+.Sm off
+.Oo
+.Op Ar user@
+.Ar host1 No :
+.Oc Ns Ar file1
+.Sm on
+.Op Ar ...
+.Sm off
+.Oo
+.Op Ar user@
+.Ar host2 No :
+.Oc Ar file2
+.Sm on
+.Sh DESCRIPTION
+.Nm
+copies files between hosts on a network.
+It uses
+.Xr ssh 1
+for data transfer, and uses the same authentication and provides the
+same security as
+.Xr ssh 1 .
+Unlike
+.Xr rcp 1 ,
+.Nm
+will ask for passwords or passphrases if they are needed for
+authentication.
+.Pp
+Any file name may contain a host and user specification to indicate
+that the file is to be copied to/from that host.
+Copies between two remote hosts are permitted.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl c Ar cipher
+Selects the cipher to use for encrypting the data transfer.
+This option is directly passed to
+.Xr ssh 1 .
+.It Fl i Ar identity_file
+Selects the file from which the identity (private key) for RSA
+authentication is read.
+This option is directly passed to
+.Xr ssh 1 .
+.It Fl p
+Preserves modification times, access times, and modes from the
+original file.
+.It Fl r
+Recursively copy entire directories.
+.It Fl v
+Verbose mode.
+Causes
+.Nm
+and
+.Xr ssh 1
+to print debugging messages about their progress.
+This is helpful in
+debugging connection, authentication, and configuration problems.
+.It Fl B
+Selects batch mode (prevents asking for passwords or passphrases).
+.It Fl q
+Disables the progress meter.
+.It Fl C
+Compression enable.
+Passes the
+.Fl C
+flag to
+.Xr ssh 1
+to enable compression.
+.It Fl P Ar port
+Specifies the port to connect to on the remote host.
+Note that this option is written with a capital
+.Sq P ,
+because
+.Fl p
+is already reserved for preserving the times and modes of the file in
+.Xr rcp 1 .
+.It Fl S Ar program
+Name of
+.Ar program
+to use for the encrypted connection.
+The program must understand
+.Xr ssh 1
+options.
+.It Fl o Ar option
+The given option is directly passed to
+.Xr ssh 1 .
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
+.El
+.Sh AUTHORS
+Timo Rinne <tri@iki.fi> and Tatu Ylonen <ylo@cs.hut.fi>
+.Sh HISTORY
+.Nm
+is based on the
+.Xr rcp 1
+program in BSD source code from the Regents of the University of
+California.
+.Sh SEE ALSO
+.Xr rcp 1 ,
+.Xr sftp 1 ,
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8
diff --git a/crypto/openssh/scp.c b/crypto/openssh/scp.c
new file mode 100644
index 0000000..81d3b55
--- /dev/null
+++ b/crypto/openssh/scp.c
@@ -0,0 +1,1192 @@
+/*
+ * scp - secure remote copy.  This is basically patched BSD rcp which
+ * uses ssh to do the data transfer (instead of using rcmd).
+ *
+ * NOTE: This version should NOT be suid root.  (This uses ssh to
+ * do the transfer and ssh has the necessary privileges.)
+ *
+ * 1995 Timo Rinne <tri@iki.fi>, Tatu Ylonen <ylo@cs.hut.fi>
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+/*
+ * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+ * Copyright (c) 1999 Aaron Campbell.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Parts from:
+ *
+ * Copyright (c) 1983, 1990, 1992, 1993, 1995
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: scp.c,v 1.68 2001/04/22 12:34:05 markus Exp $");
+
+#include "xmalloc.h"
+#include "atomicio.h"
+#include "pathnames.h"
+#include "log.h"
+#include "scp-common.h"
+
+/* For progressmeter() -- number of seconds before xfer considered "stalled" */
+#define STALLTIME	5
+
+/* Visual statistics about files as they are transferred. */
+void progressmeter(int);
+
+/* Returns width of the terminal (for progress meter calculations). */
+int getttywidth(void);
+int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc);
+
+/* setup arguments for the call to ssh */
+void addargs(char *fmt, ...) __attribute__((format(printf, 1, 2)));
+
+/* Time a transfer started. */
+static struct timeval start;
+
+/* Number of bytes of current file transferred so far. */
+volatile off_t statbytes;
+
+/* Total size of current file. */
+off_t totalbytes = 0;
+
+/* Name of current file being transferred. */
+char *curfile;
+
+/* This is set to non-zero to enable verbose mode. */
+int verbose_mode = 0;
+
+/* This is set to zero if the progressmeter is not desired. */
+int showprogress = 1;
+
+/* This is the program to execute for the secured connection. ("ssh" or -S) */
+char *ssh_program = _PATH_SSH_PROGRAM;
+
+/* This is the list of arguments that scp passes to ssh */
+struct {
+	char	**list;
+	int	num;
+	int	nalloc;
+} args;
+
+/*
+ * This function executes the given command as the specified user on the
+ * given host.  This returns < 0 if execution fails, and >= 0 otherwise. This
+ * assigns the input and output file descriptors on success.
+ */
+
+int
+do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
+{
+	int pin[2], pout[2], reserved[2];
+
+	if (verbose_mode)
+		fprintf(stderr, "Executing: program %s host %s, user %s, command %s\n",
+		    ssh_program, host, remuser ? remuser : "(unspecified)", cmd);
+
+	/*
+	 * Reserve two descriptors so that the real pipes won't get
+	 * descriptors 0 and 1 because that will screw up dup2 below.
+	 */
+	pipe(reserved);
+
+	/* Create a socket pair for communicating with ssh. */
+	if (pipe(pin) < 0)
+		fatal("pipe: %s", strerror(errno));
+	if (pipe(pout) < 0)
+		fatal("pipe: %s", strerror(errno));
+
+	/* Free the reserved descriptors. */
+	close(reserved[0]);
+	close(reserved[1]);
+
+	/* For a child to execute the command on the remote host using ssh. */
+	if (fork() == 0)  {
+		/* Child. */
+		close(pin[1]);
+		close(pout[0]);
+		dup2(pin[0], 0);
+		dup2(pout[1], 1);
+		close(pin[0]);
+		close(pout[1]);
+
+		args.list[0] = ssh_program;
+		if (remuser != NULL)
+			addargs("-l%s", remuser);
+		addargs("%s", host);
+		addargs("%s", cmd);
+
+		execvp(ssh_program, args.list);
+		perror(ssh_program);
+		exit(1);
+	}
+	/* Parent.  Close the other side, and return the local side. */
+	close(pin[0]);
+	*fdout = pin[1];
+	close(pout[1]);
+	*fdin = pout[0];
+	return 0;
+}
+
+typedef struct {
+	int cnt;
+	char *buf;
+} BUF;
+
+BUF *allocbuf(BUF *, int, int);
+void lostconn(int);
+void nospace(void);
+int okname(char *);
+void run_err(const char *,...);
+void verifydir(char *);
+
+struct passwd *pwd;
+uid_t userid;
+int errs, remin, remout;
+int pflag, iamremote, iamrecursive, targetshouldbedirectory;
+
+#define	CMDNEEDS	64
+char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
+
+int response(void);
+void rsource(char *, struct stat *);
+void sink(int, char *[]);
+void source(int, char *[]);
+void tolocal(int, char *[]);
+void toremote(char *, int, char *[]);
+void usage(void);
+
+int
+main(argc, argv)
+	int argc;
+	char *argv[];
+{
+	int ch, fflag, tflag;
+	char *targ;
+	extern char *optarg;
+	extern int optind;
+
+	args.list = NULL;
+	addargs("ssh");	 	/* overwritten with ssh_program */
+	addargs("-x");
+	addargs("-oFallBackToRsh no");
+
+	fflag = tflag = 0;
+	while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:")) != -1)
+		switch (ch) {
+		/* User-visible flags. */
+		case '4':
+		case '6':
+		case 'C':
+			addargs("-%c", ch);
+			break;
+		case 'o':
+		case 'c':
+		case 'i':
+			addargs("-%c%s", ch, optarg);
+			break;
+		case 'P':
+			addargs("-p%s", optarg);
+			break;
+		case 'B':
+			addargs("-oBatchmode yes");
+			break;
+		case 'p':
+			pflag = 1;
+			break;
+		case 'r':
+			iamrecursive = 1;
+			break;
+		case 'S':
+			ssh_program = xstrdup(optarg);
+			break;
+		case 'v':
+			verbose_mode = 1;
+			break;
+		case 'q':
+			showprogress = 0;
+			break;
+
+		/* Server options. */
+		case 'd':
+			targetshouldbedirectory = 1;
+			break;
+		case 'f':	/* "from" */
+			iamremote = 1;
+			fflag = 1;
+			break;
+		case 't':	/* "to" */
+			iamremote = 1;
+			tflag = 1;
+			break;
+		default:
+			usage();
+		}
+	argc -= optind;
+	argv += optind;
+
+	if ((pwd = getpwuid(userid = getuid())) == NULL)
+		fatal("unknown user %d", (int) userid);
+
+	if (!isatty(STDERR_FILENO))
+		showprogress = 0;
+
+	remin = STDIN_FILENO;
+	remout = STDOUT_FILENO;
+
+	if (fflag) {
+		/* Follow "protocol", send data. */
+		(void) response();
+		source(argc, argv);
+		exit(errs != 0);
+	}
+	if (tflag) {
+		/* Receive data. */
+		sink(argc, argv);
+		exit(errs != 0);
+	}
+	if (argc < 2)
+		usage();
+	if (argc > 2)
+		targetshouldbedirectory = 1;
+
+	remin = remout = -1;
+	/* Command to be executed on remote system using "ssh". */
+	(void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s",
+	    verbose_mode ? " -v" : "",
+	    iamrecursive ? " -r" : "", pflag ? " -p" : "",
+	    targetshouldbedirectory ? " -d" : "");
+
+	(void) signal(SIGPIPE, lostconn);
+
+	if ((targ = colon(argv[argc - 1])))	/* Dest is remote host. */
+		toremote(targ, argc, argv);
+	else {
+		tolocal(argc, argv);	/* Dest is local host. */
+		if (targetshouldbedirectory)
+			verifydir(argv[argc - 1]);
+	}
+	exit(errs != 0);
+}
+
+void
+toremote(targ, argc, argv)
+	char *targ, *argv[];
+	int argc;
+{
+	int i, len;
+	char *bp, *host, *src, *suser, *thost, *tuser;
+
+	*targ++ = 0;
+	if (*targ == 0)
+		targ = ".";
+
+	if ((thost = strchr(argv[argc - 1], '@'))) {
+		/* user@host */
+		*thost++ = 0;
+		tuser = argv[argc - 1];
+		if (*tuser == '\0')
+			tuser = NULL;
+		else if (!okname(tuser))
+			exit(1);
+	} else {
+		thost = argv[argc - 1];
+		tuser = NULL;
+	}
+
+	for (i = 0; i < argc - 1; i++) {
+		src = colon(argv[i]);
+		if (src) {	/* remote to remote */
+			*src++ = 0;
+			if (*src == 0)
+				src = ".";
+			host = strchr(argv[i], '@');
+			len = strlen(ssh_program) + strlen(argv[i]) +
+			    strlen(src) + (tuser ? strlen(tuser) : 0) +
+			    strlen(thost) + strlen(targ) + CMDNEEDS + 32;
+			bp = xmalloc(len);
+			if (host) {
+				*host++ = 0;
+				host = cleanhostname(host);
+				suser = argv[i];
+				if (*suser == '\0')
+					suser = pwd->pw_name;
+				else if (!okname(suser))
+					continue;
+				snprintf(bp, len,
+				    "%s%s -x -o'FallBackToRsh no' -n "
+				    "-l %s %s %s %s '%s%s%s:%s'",
+				    ssh_program, verbose_mode ? " -v" : "",
+				    suser, host, cmd, src,
+				    tuser ? tuser : "", tuser ? "@" : "",
+				    thost, targ);
+			} else {
+				host = cleanhostname(argv[i]);
+				snprintf(bp, len,
+				    "exec %s%s -x -o'FallBackToRsh no' -n %s "
+				    "%s %s '%s%s%s:%s'",
+				    ssh_program, verbose_mode ? " -v" : "",
+				    host, cmd, src,
+				    tuser ? tuser : "", tuser ? "@" : "",
+				    thost, targ);
+			}
+			if (verbose_mode)
+				fprintf(stderr, "Executing: %s\n", bp);
+			(void) system(bp);
+			(void) xfree(bp);
+		} else {	/* local to remote */
+			if (remin == -1) {
+				len = strlen(targ) + CMDNEEDS + 20;
+				bp = xmalloc(len);
+				(void) snprintf(bp, len, "%s -t %s", cmd, targ);
+				host = cleanhostname(thost);
+				if (do_cmd(host, tuser, bp, &remin,
+				    &remout, argc) < 0)
+					exit(1);
+				if (response() < 0)
+					exit(1);
+				(void) xfree(bp);
+			}
+			source(1, argv + i);
+		}
+	}
+}
+
+void
+tolocal(argc, argv)
+	int argc;
+	char *argv[];
+{
+	int i, len;
+	char *bp, *host, *src, *suser;
+
+	for (i = 0; i < argc - 1; i++) {
+		if (!(src = colon(argv[i]))) {	/* Local to local. */
+			len = strlen(_PATH_CP) + strlen(argv[i]) +
+			    strlen(argv[argc - 1]) + 20;
+			bp = xmalloc(len);
+			(void) snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP,
+			    iamrecursive ? " -r" : "", pflag ? " -p" : "",
+			    argv[i], argv[argc - 1]);
+			if (verbose_mode)
+				fprintf(stderr, "Executing: %s\n", bp);
+			if (system(bp))
+				++errs;
+			(void) xfree(bp);
+			continue;
+		}
+		*src++ = 0;
+		if (*src == 0)
+			src = ".";
+		if ((host = strchr(argv[i], '@')) == NULL) {
+			host = argv[i];
+			suser = NULL;
+		} else {
+			*host++ = 0;
+			suser = argv[i];
+			if (*suser == '\0')
+				suser = pwd->pw_name;
+			else if (!okname(suser))
+				continue;
+		}
+		host = cleanhostname(host);
+		len = strlen(src) + CMDNEEDS + 20;
+		bp = xmalloc(len);
+		(void) snprintf(bp, len, "%s -f %s", cmd, src);
+		if (do_cmd(host, suser, bp, &remin, &remout, argc) < 0) {
+			(void) xfree(bp);
+			++errs;
+			continue;
+		}
+		xfree(bp);
+		sink(1, argv + argc - 1);
+		(void) close(remin);
+		remin = remout = -1;
+	}
+}
+
+void
+source(argc, argv)
+	int argc;
+	char *argv[];
+{
+	struct stat stb;
+	static BUF buffer;
+	BUF *bp;
+	off_t i, amt, result;
+	int fd, haderr, indx;
+	char *last, *name, buf[2048];
+	int len;
+
+	for (indx = 0; indx < argc; ++indx) {
+		name = argv[indx];
+		statbytes = 0;
+		len = strlen(name);
+		while (len > 1 && name[len-1] == '/')
+			name[--len] = '\0';
+		if ((fd = open(name, O_RDONLY, 0)) < 0)
+			goto syserr;
+		if (fstat(fd, &stb) < 0) {
+syserr:			run_err("%s: %s", name, strerror(errno));
+			goto next;
+		}
+		switch (stb.st_mode & S_IFMT) {
+		case S_IFREG:
+			break;
+		case S_IFDIR:
+			if (iamrecursive) {
+				rsource(name, &stb);
+				goto next;
+			}
+			/* FALLTHROUGH */
+		default:
+			run_err("%s: not a regular file", name);
+			goto next;
+		}
+		if ((last = strrchr(name, '/')) == NULL)
+			last = name;
+		else
+			++last;
+		curfile = last;
+		if (pflag) {
+			/*
+			 * Make it compatible with possible future
+			 * versions expecting microseconds.
+			 */
+			(void) snprintf(buf, sizeof buf, "T%lu 0 %lu 0\n",
+			    (u_long) stb.st_mtime,
+			    (u_long) stb.st_atime);
+			(void) atomicio(write, remout, buf, strlen(buf));
+			if (response() < 0)
+				goto next;
+		}
+#define	FILEMODEMASK	(S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO)
+		snprintf(buf, sizeof buf, "C%04o %lld %s\n",
+		    (u_int) (stb.st_mode & FILEMODEMASK),
+		    (long long)stb.st_size, last);
+		if (verbose_mode) {
+			fprintf(stderr, "Sending file modes: %s", buf);
+			fflush(stderr);
+		}
+		(void) atomicio(write, remout, buf, strlen(buf));
+		if (response() < 0)
+			goto next;
+		if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) {
+next:			(void) close(fd);
+			continue;
+		}
+		if (showprogress) {
+			totalbytes = stb.st_size;
+			progressmeter(-1);
+		}
+		/* Keep writing after an error so that we stay sync'd up. */
+		for (haderr = i = 0; i < stb.st_size; i += bp->cnt) {
+			amt = bp->cnt;
+			if (i + amt > stb.st_size)
+				amt = stb.st_size - i;
+			if (!haderr) {
+				result = atomicio(read, fd, bp->buf, amt);
+				if (result != amt)
+					haderr = result >= 0 ? EIO : errno;
+			}
+			if (haderr)
+				(void) atomicio(write, remout, bp->buf, amt);
+			else {
+				result = atomicio(write, remout, bp->buf, amt);
+				if (result != amt)
+					haderr = result >= 0 ? EIO : errno;
+				statbytes += result;
+			}
+		}
+		if (showprogress)
+			progressmeter(1);
+
+		if (close(fd) < 0 && !haderr)
+			haderr = errno;
+		if (!haderr)
+			(void) atomicio(write, remout, "", 1);
+		else
+			run_err("%s: %s", name, strerror(haderr));
+		(void) response();
+	}
+}
+
+void
+rsource(name, statp)
+	char *name;
+	struct stat *statp;
+{
+	DIR *dirp;
+	struct dirent *dp;
+	char *last, *vect[1], path[1100];
+
+	if (!(dirp = opendir(name))) {
+		run_err("%s: %s", name, strerror(errno));
+		return;
+	}
+	last = strrchr(name, '/');
+	if (last == 0)
+		last = name;
+	else
+		last++;
+	if (pflag) {
+		(void) snprintf(path, sizeof(path), "T%lu 0 %lu 0\n",
+		    (u_long) statp->st_mtime,
+		    (u_long) statp->st_atime);
+		(void) atomicio(write, remout, path, strlen(path));
+		if (response() < 0) {
+			closedir(dirp);
+			return;
+		}
+	}
+	(void) snprintf(path, sizeof path, "D%04o %d %.1024s\n",
+	    (u_int) (statp->st_mode & FILEMODEMASK), 0, last);
+	if (verbose_mode)
+		fprintf(stderr, "Entering directory: %s", path);
+	(void) atomicio(write, remout, path, strlen(path));
+	if (response() < 0) {
+		closedir(dirp);
+		return;
+	}
+	while ((dp = readdir(dirp)) != NULL) {
+		if (dp->d_ino == 0)
+			continue;
+		if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+			continue;
+		if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
+			run_err("%s/%s: name too long", name, dp->d_name);
+			continue;
+		}
+		(void) snprintf(path, sizeof path, "%s/%s", name, dp->d_name);
+		vect[0] = path;
+		source(1, vect);
+	}
+	(void) closedir(dirp);
+	(void) atomicio(write, remout, "E\n", 2);
+	(void) response();
+}
+
+void
+sink(argc, argv)
+	int argc;
+	char *argv[];
+{
+	static BUF buffer;
+	struct stat stb;
+	enum {
+		YES, NO, DISPLAYED
+	} wrerr;
+	BUF *bp;
+	off_t i, j;
+	int amt, count, exists, first, mask, mode, ofd, omode;
+	off_t size;
+	int setimes, targisdir, wrerrno = 0;
+	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
+	struct timeval tv[2];
+
+#define	atime	tv[0]
+#define	mtime	tv[1]
+#define	SCREWUP(str)	{ why = str; goto screwup; }
+
+	setimes = targisdir = 0;
+	mask = umask(0);
+	if (!pflag)
+		(void) umask(mask);
+	if (argc != 1) {
+		run_err("ambiguous target");
+		exit(1);
+	}
+	targ = *argv;
+	if (targetshouldbedirectory)
+		verifydir(targ);
+
+	(void) atomicio(write, remout, "", 1);
+	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+		targisdir = 1;
+	for (first = 1;; first = 0) {
+		cp = buf;
+		if (atomicio(read, remin, cp, 1) <= 0)
+			return;
+		if (*cp++ == '\n')
+			SCREWUP("unexpected <newline>");
+		do {
+			if (atomicio(read, remin, &ch, sizeof(ch)) != sizeof(ch))
+				SCREWUP("lost connection");
+			*cp++ = ch;
+		} while (cp < &buf[sizeof(buf) - 1] && ch != '\n');
+		*cp = 0;
+
+		if (buf[0] == '\01' || buf[0] == '\02') {
+			if (iamremote == 0)
+				(void) atomicio(write, STDERR_FILENO,
+				    buf + 1, strlen(buf + 1));
+			if (buf[0] == '\02')
+				exit(1);
+			++errs;
+			continue;
+		}
+		if (buf[0] == 'E') {
+			(void) atomicio(write, remout, "", 1);
+			return;
+		}
+		if (ch == '\n')
+			*--cp = 0;
+
+		cp = buf;
+		if (*cp == 'T') {
+			setimes++;
+			cp++;
+			mtime.tv_sec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != ' ')
+				SCREWUP("mtime.sec not delimited");
+			mtime.tv_usec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != ' ')
+				SCREWUP("mtime.usec not delimited");
+			atime.tv_sec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != ' ')
+				SCREWUP("atime.sec not delimited");
+			atime.tv_usec = strtol(cp, &cp, 10);
+			if (!cp || *cp++ != '\0')
+				SCREWUP("atime.usec not delimited");
+			(void) atomicio(write, remout, "", 1);
+			continue;
+		}
+		if (*cp != 'C' && *cp != 'D') {
+			/*
+			 * Check for the case "rcp remote:foo\* local:bar".
+			 * In this case, the line "No match." can be returned
+			 * by the shell before the rcp command on the remote is
+			 * executed so the ^Aerror_message convention isn't
+			 * followed.
+			 */
+			if (first) {
+				run_err("%s", cp);
+				exit(1);
+			}
+			SCREWUP("expected control record");
+		}
+		mode = 0;
+		for (++cp; cp < buf + 5; cp++) {
+			if (*cp < '0' || *cp > '7')
+				SCREWUP("bad mode");
+			mode = (mode << 3) | (*cp - '0');
+		}
+		if (*cp++ != ' ')
+			SCREWUP("mode not delimited");
+
+		for (size = 0; isdigit(*cp);)
+			size = size * 10 + (*cp++ - '0');
+		if (*cp++ != ' ')
+			SCREWUP("size not delimited");
+		if (targisdir) {
+			static char *namebuf;
+			static int cursize;
+			size_t need;
+
+			need = strlen(targ) + strlen(cp) + 250;
+			if (need > cursize) {
+				if (namebuf)
+					xfree(namebuf);
+				namebuf = xmalloc(need);
+				cursize = need;
+			}
+			(void) snprintf(namebuf, need, "%s%s%s", targ,
+			    *targ ? "/" : "", cp);
+			np = namebuf;
+		} else
+			np = targ;
+		curfile = cp;
+		exists = stat(np, &stb) == 0;
+		if (buf[0] == 'D') {
+			int mod_flag = pflag;
+			if (exists) {
+				if (!S_ISDIR(stb.st_mode)) {
+					errno = ENOTDIR;
+					goto bad;
+				}
+				if (pflag)
+					(void) chmod(np, mode);
+			} else {
+				/* Handle copying from a read-only
+				   directory */
+				mod_flag = 1;
+				if (mkdir(np, mode | S_IRWXU) < 0)
+					goto bad;
+			}
+			vect[0] = xstrdup(np);
+			sink(1, vect);
+			if (setimes) {
+				setimes = 0;
+				if (utimes(vect[0], tv) < 0)
+					run_err("%s: set times: %s",
+					    vect[0], strerror(errno));
+			}
+			if (mod_flag)
+				(void) chmod(vect[0], mode);
+			if (vect[0])
+				xfree(vect[0]);
+			continue;
+		}
+		omode = mode;
+		mode |= S_IWRITE;
+		if ((ofd = open(np, O_WRONLY | O_CREAT | O_TRUNC, mode)) < 0) {
+bad:			run_err("%s: %s", np, strerror(errno));
+			continue;
+		}
+		(void) atomicio(write, remout, "", 1);
+		if ((bp = allocbuf(&buffer, ofd, 4096)) == NULL) {
+			(void) close(ofd);
+			continue;
+		}
+		cp = bp->buf;
+		wrerr = NO;
+
+		if (showprogress) {
+			totalbytes = size;
+			progressmeter(-1);
+		}
+		statbytes = 0;
+		for (count = i = 0; i < size; i += 4096) {
+			amt = 4096;
+			if (i + amt > size)
+				amt = size - i;
+			count += amt;
+			do {
+				j = read(remin, cp, amt);
+				if (j == -1 && (errno == EINTR || errno == EAGAIN)) {
+					continue;
+				} else if (j <= 0) {
+					run_err("%s", j ? strerror(errno) :
+					    "dropped connection");
+					exit(1);
+				}
+				amt -= j;
+				cp += j;
+				statbytes += j;
+			} while (amt > 0);
+			if (count == bp->cnt) {
+				/* Keep reading so we stay sync'd up. */
+				if (wrerr == NO) {
+					j = atomicio(write, ofd, bp->buf, count);
+					if (j != count) {
+						wrerr = YES;
+						wrerrno = j >= 0 ? EIO : errno;
+					}
+				}
+				count = 0;
+				cp = bp->buf;
+			}
+		}
+		if (showprogress)
+			progressmeter(1);
+		if (count != 0 && wrerr == NO &&
+		    (j = atomicio(write, ofd, bp->buf, count)) != count) {
+			wrerr = YES;
+			wrerrno = j >= 0 ? EIO : errno;
+		}
+#if 0
+		if (ftruncate(ofd, size)) {
+			run_err("%s: truncate: %s", np, strerror(errno));
+			wrerr = DISPLAYED;
+		}
+#endif
+		if (pflag) {
+			if (exists || omode != mode)
+				if (fchmod(ofd, omode))
+					run_err("%s: set mode: %s",
+					    np, strerror(errno));
+		} else {
+			if (!exists && omode != mode)
+				if (fchmod(ofd, omode & ~mask))
+					run_err("%s: set mode: %s",
+					    np, strerror(errno));
+		}
+		if (close(ofd) == -1) {
+			wrerr = YES;
+			wrerrno = errno;
+		}
+		(void) response();
+		if (setimes && wrerr == NO) {
+			setimes = 0;
+			if (utimes(np, tv) < 0) {
+				run_err("%s: set times: %s",
+				    np, strerror(errno));
+				wrerr = DISPLAYED;
+			}
+		}
+		switch (wrerr) {
+		case YES:
+			run_err("%s: %s", np, strerror(wrerrno));
+			break;
+		case NO:
+			(void) atomicio(write, remout, "", 1);
+			break;
+		case DISPLAYED:
+			break;
+		}
+	}
+screwup:
+	run_err("protocol error: %s", why);
+	exit(1);
+}
+
+int
+response()
+{
+	char ch, *cp, resp, rbuf[2048];
+
+	if (atomicio(read, remin, &resp, sizeof(resp)) != sizeof(resp))
+		lostconn(0);
+
+	cp = rbuf;
+	switch (resp) {
+	case 0:		/* ok */
+		return (0);
+	default:
+		*cp++ = resp;
+		/* FALLTHROUGH */
+	case 1:		/* error, followed by error msg */
+	case 2:		/* fatal error, "" */
+		do {
+			if (atomicio(read, remin, &ch, sizeof(ch)) != sizeof(ch))
+				lostconn(0);
+			*cp++ = ch;
+		} while (cp < &rbuf[sizeof(rbuf) - 1] && ch != '\n');
+
+		if (!iamremote)
+			(void) atomicio(write, STDERR_FILENO, rbuf, cp - rbuf);
+		++errs;
+		if (resp == 1)
+			return (-1);
+		exit(1);
+	}
+	/* NOTREACHED */
+}
+
+void
+usage()
+{
+	(void) fprintf(stderr, "usage: scp "
+	    "[-pqrvBC46] [-S ssh] [-P port] [-c cipher] [-i identity] f1 f2\n"
+	    "   or: scp [options] f1 ... fn directory\n");
+	exit(1);
+}
+
+void
+run_err(const char *fmt,...)
+{
+	static FILE *fp;
+	va_list ap;
+	va_start(ap, fmt);
+
+	++errs;
+	if (fp == NULL && !(fp = fdopen(remout, "w")))
+		return;
+	(void) fprintf(fp, "%c", 0x01);
+	(void) fprintf(fp, "scp: ");
+	(void) vfprintf(fp, fmt, ap);
+	(void) fprintf(fp, "\n");
+	(void) fflush(fp);
+
+	if (!iamremote) {
+		vfprintf(stderr, fmt, ap);
+		fprintf(stderr, "\n");
+	}
+	va_end(ap);
+}
+
+void
+verifydir(cp)
+	char *cp;
+{
+	struct stat stb;
+
+	if (!stat(cp, &stb)) {
+		if (S_ISDIR(stb.st_mode))
+			return;
+		errno = ENOTDIR;
+	}
+	run_err("%s: %s", cp, strerror(errno));
+	exit(1);
+}
+
+int
+okname(cp0)
+	char *cp0;
+{
+	int c;
+	char *cp;
+
+	cp = cp0;
+	do {
+		c = *cp;
+		if (c & 0200)
+			goto bad;
+		if (!isalpha(c) && !isdigit(c) &&
+		    c != '_' && c != '-' && c != '.' && c != '+')
+			goto bad;
+	} while (*++cp);
+	return (1);
+
+bad:	fprintf(stderr, "%s: invalid user name\n", cp0);
+	return (0);
+}
+
+BUF *
+allocbuf(bp, fd, blksize)
+	BUF *bp;
+	int fd, blksize;
+{
+	size_t size;
+	struct stat stb;
+
+	if (fstat(fd, &stb) < 0) {
+		run_err("fstat: %s", strerror(errno));
+		return (0);
+	}
+	if (stb.st_blksize == 0)
+		size = blksize;
+	else
+		size = blksize + (stb.st_blksize - blksize % stb.st_blksize) %
+		    stb.st_blksize;
+	if (bp->cnt >= size)
+		return (bp);
+	if (bp->buf == NULL)
+		bp->buf = xmalloc(size);
+	else
+		bp->buf = xrealloc(bp->buf, size);
+	bp->cnt = size;
+	return (bp);
+}
+
+void
+lostconn(signo)
+	int signo;
+{
+	if (!iamremote)
+		fprintf(stderr, "lost connection\n");
+	exit(1);
+}
+
+
+void
+alarmtimer(int wait)
+{
+	struct itimerval itv;
+
+	itv.it_value.tv_sec = wait;
+	itv.it_value.tv_usec = 0;
+	itv.it_interval = itv.it_value;
+	setitimer(ITIMER_REAL, &itv, NULL);
+}
+
+void
+updateprogressmeter(int ignore)
+{
+	int save_errno = errno;
+
+	progressmeter(0);
+	errno = save_errno;
+}
+
+int
+foregroundproc(void)
+{
+	static pid_t pgrp = -1;
+	int ctty_pgrp;
+
+	if (pgrp == -1)
+		pgrp = getpgrp();
+
+	return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 &&
+		 ctty_pgrp == pgrp));
+}
+
+void
+progressmeter(int flag)
+{
+	static const char prefixes[] = " KMGTP";
+	static struct timeval lastupdate;
+	static off_t lastsize;
+	struct timeval now, td, wait;
+	off_t cursize, abbrevsize;
+	double elapsed;
+	int ratio, barlength, i, remaining;
+	char buf[256];
+
+	if (flag == -1) {
+		(void) gettimeofday(&start, (struct timezone *) 0);
+		lastupdate = start;
+		lastsize = 0;
+	}
+	if (foregroundproc() == 0)
+		return;
+
+	(void) gettimeofday(&now, (struct timezone *) 0);
+	cursize = statbytes;
+	if (totalbytes != 0) {
+		ratio = 100.0 * cursize / totalbytes;
+		ratio = MAX(ratio, 0);
+		ratio = MIN(ratio, 100);
+	} else
+		ratio = 100;
+
+	snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio);
+
+	barlength = getttywidth() - 51;
+	if (barlength > 0) {
+		i = barlength * ratio / 100;
+		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+		    "|%.*s%*s|", i,
+		    "*****************************************************************************"
+		    "*****************************************************************************",
+		    barlength - i, "");
+	}
+	i = 0;
+	abbrevsize = cursize;
+	while (abbrevsize >= 100000 && i < sizeof(prefixes)) {
+		i++;
+		abbrevsize >>= 10;
+	}
+	snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5llu %c%c ",
+	    (unsigned long long) abbrevsize, prefixes[i],
+	    prefixes[i] == ' ' ? ' ' : 'B');
+
+	timersub(&now, &lastupdate, &wait);
+	if (cursize > lastsize) {
+		lastupdate = now;
+		lastsize = cursize;
+		if (wait.tv_sec >= STALLTIME) {
+			start.tv_sec += wait.tv_sec;
+			start.tv_usec += wait.tv_usec;
+		}
+		wait.tv_sec = 0;
+	}
+	timersub(&now, &start, &td);
+	elapsed = td.tv_sec + (td.tv_usec / 1000000.0);
+
+	if (flag != 1 &&
+	    (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) {
+		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+		    "   --:-- ETA");
+	} else if (wait.tv_sec >= STALLTIME) {
+		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+		    " - stalled -");
+	} else {
+		if (flag != 1)
+			remaining = (int)(totalbytes / (statbytes / elapsed) -
+			    elapsed);
+		else
+			remaining = elapsed;
+
+		i = remaining / 3600;
+		if (i)
+			snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+			    "%2d:", i);
+		else
+			snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+			    "   ");
+		i = remaining % 3600;
+		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
+		    "%02d:%02d%s", i / 60, i % 60,
+		    (flag != 1) ? " ETA" : "    ");
+	}
+	atomicio(write, fileno(stdout), buf, strlen(buf));
+
+	if (flag == -1) {
+		signal(SIGALRM, updateprogressmeter);
+		alarmtimer(1);
+	} else if (flag == 1) {
+		alarmtimer(0);
+		atomicio(write, fileno(stdout), "\n", 1);
+		statbytes = 0;
+	}
+}
+
+int
+getttywidth(void)
+{
+	struct winsize winsize;
+
+	if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1)
+		return (winsize.ws_col ? winsize.ws_col : 80);
+	else
+		return (80);
+}
+
+void
+addargs(char *fmt, ...)
+{
+	va_list ap;
+	char buf[1024];
+
+	va_start(ap, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, ap);
+	va_end(ap);
+
+	if (args.list == NULL) {
+		args.nalloc = 32;
+		args.num = 0;
+		args.list = xmalloc(args.nalloc * sizeof(char *));
+	} else if (args.num+2 >= args.nalloc) {
+		args.nalloc *= 2;
+		args.list = xrealloc(args.list, args.nalloc * sizeof(char *));
+	}
+	args.list[args.num++] = xstrdup(buf);
+	args.list[args.num] = NULL;
+}
diff --git a/crypto/openssh/scp/Makefile b/crypto/openssh/scp/Makefile
new file mode 100644
index 0000000..454682a
--- /dev/null
+++ b/crypto/openssh/scp/Makefile
@@ -0,0 +1,15 @@
+#	$OpenBSD: Makefile,v 1.12 2001/04/16 02:31:48 mouring Exp $
+
+.PATH:		${.CURDIR}/..
+
+PROG=	scp
+BINOWN=	root
+
+BINMODE?=555
+
+BINDIR=	/usr/bin
+MAN=	scp.1
+
+SRCS=	scp.c scp-common.c
+
+.include <bsd.prog.mk>
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
new file mode 100644
index 0000000..17bdbc5
--- /dev/null
+++ b/crypto/openssh/servconf.c
@@ -0,0 +1,868 @@
+/*
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: servconf.c,v 1.78 2001/04/15 21:28:35 stevesk Exp $");
+RCSID("$FreeBSD$");
+
+#ifdef KRB4
+#include <krb.h>
+#endif
+#ifdef AFS
+#include <kafs.h>
+#endif
+
+#include "ssh.h"
+#include "log.h"
+#include "servconf.h"
+#include "xmalloc.h"
+#include "compat.h"
+#include "pathnames.h"
+#include "tildexpand.h"
+#include "misc.h"
+#include "cipher.h"
+#include "kex.h"
+#include "mac.h"
+
+void add_listen_addr(ServerOptions *options, char *addr, u_short port);
+void add_one_listen_addr(ServerOptions *options, char *addr, u_short port);
+
+/* AF_UNSPEC or AF_INET or AF_INET6 */
+extern int IPv4or6;
+
+/* Initializes the server options to their default values. */
+
+void
+initialize_server_options(ServerOptions *options)
+{
+	memset(options, 0, sizeof(*options));
+	options->num_ports = 0;
+	options->ports_from_cmdline = 0;
+	options->listen_addrs = NULL;
+	options->num_host_key_files = 0;
+	options->pid_file = NULL;
+	options->server_key_bits = -1;
+	options->login_grace_time = -1;
+	options->key_regeneration_time = -1;
+	options->permit_root_login = PERMIT_NOT_SET;
+	options->ignore_rhosts = -1;
+	options->ignore_user_known_hosts = -1;
+	options->print_motd = -1;
+	options->print_lastlog = -1;
+	options->check_mail = -1;
+	options->x11_forwarding = -1;
+	options->x11_display_offset = -1;
+	options->xauth_location = NULL;
+	options->strict_modes = -1;
+	options->keepalives = -1;
+	options->log_facility = (SyslogFacility) - 1;
+	options->log_level = (LogLevel) - 1;
+	options->rhosts_authentication = -1;
+	options->rhosts_rsa_authentication = -1;
+	options->hostbased_authentication = -1;
+	options->hostbased_uses_name_from_packet_only = -1;
+	options->rsa_authentication = -1;
+	options->pubkey_authentication = -1;
+#if defined(KRB4) || defined(KRB5)
+	options->kerberos_authentication = -1;
+#endif
+#ifdef KRB4
+	options->krb4_or_local_passwd = -1;
+	options->krb4_ticket_cleanup = -1;
+#endif
+#ifdef KRB5
+	options->krb5_tgt_passing = -1;
+#endif /* KRB5 */
+#ifdef AFS
+	options->krb4_tgt_passing = -1;
+	options->afs_token_passing = -1;
+#endif
+	options->password_authentication = -1;
+	options->kbd_interactive_authentication = -1;
+	options->challenge_reponse_authentication = -1;
+	options->permit_empty_passwd = -1;
+	options->use_login = -1;
+	options->allow_tcp_forwarding = -1;
+	options->num_allow_users = 0;
+	options->num_deny_users = 0;
+	options->num_allow_groups = 0;
+	options->num_deny_groups = 0;
+	options->ciphers = NULL;
+	options->macs = NULL;
+	options->protocol = SSH_PROTO_UNKNOWN;
+	options->gateway_ports = -1;
+	options->connections_per_period = 0;
+	options->connections_period = 0;
+	options->num_subsystems = 0;
+	options->max_startups_begin = -1;
+	options->max_startups_rate = -1;
+	options->max_startups = -1;
+	options->banner = NULL;
+	options->reverse_mapping_check = -1;
+	options->client_alive_interval = -1;
+	options->client_alive_count_max = -1;
+}
+
+void
+fill_default_server_options(ServerOptions *options)
+{
+	if (options->protocol == SSH_PROTO_UNKNOWN)
+		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+	if (options->num_host_key_files == 0) {
+		/* fill default hostkeys for protocols */
+		if (options->protocol & SSH_PROTO_1)
+			options->host_key_files[options->num_host_key_files++] = _PATH_HOST_KEY_FILE;
+		if (options->protocol & SSH_PROTO_2)
+			options->host_key_files[options->num_host_key_files++] = _PATH_HOST_DSA_KEY_FILE;
+	}
+	if (options->num_ports == 0)
+		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+	if (options->listen_addrs == NULL)
+		add_listen_addr(options, NULL, 0);
+	if (options->pid_file == NULL)
+		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
+	if (options->server_key_bits == -1)
+		options->server_key_bits = 768;
+	if (options->login_grace_time == -1)
+		options->login_grace_time = 120;
+	if (options->key_regeneration_time == -1)
+		options->key_regeneration_time = 3600;
+	if (options->permit_root_login == PERMIT_NOT_SET)
+		options->permit_root_login = PERMIT_NO;
+	if (options->ignore_rhosts == -1)
+		options->ignore_rhosts = 1;
+	if (options->ignore_user_known_hosts == -1)
+		options->ignore_user_known_hosts = 0;
+	if (options->check_mail == -1)
+		options->check_mail = 1;
+	if (options->print_motd == -1)
+		options->print_motd = 1;
+	if (options->print_lastlog == -1)
+		options->print_lastlog = 1;
+	if (options->x11_forwarding == -1)
+		options->x11_forwarding = 1;
+	if (options->x11_display_offset == -1)
+		options->x11_display_offset = 10;
+#ifdef XAUTH_PATH
+	if (options->xauth_location == NULL)
+		options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
+	if (options->strict_modes == -1)
+		options->strict_modes = 1;
+	if (options->keepalives == -1)
+		options->keepalives = 1;
+	if (options->log_facility == (SyslogFacility) (-1))
+		options->log_facility = SYSLOG_FACILITY_AUTH;
+	if (options->log_level == (LogLevel) (-1))
+		options->log_level = SYSLOG_LEVEL_INFO;
+	if (options->rhosts_authentication == -1)
+		options->rhosts_authentication = 0;
+	if (options->rhosts_rsa_authentication == -1)
+		options->rhosts_rsa_authentication = 0;
+	if (options->hostbased_authentication == -1)
+		options->hostbased_authentication = 0;
+	if (options->hostbased_uses_name_from_packet_only == -1)
+		options->hostbased_uses_name_from_packet_only = 0;
+	if (options->rsa_authentication == -1)
+		options->rsa_authentication = 1;
+	if (options->pubkey_authentication == -1)
+		options->pubkey_authentication = 1;
+#if defined(KRB4) && defined(KRB5)
+	if (options->kerberos_authentication == -1)
+		options->kerberos_authentication =
+		  (access(KEYFILE, R_OK) == 0) || (access(krb5_defkeyname, R_OK) == 0);
+#elif defined(KRB4)
+	if (options->kerberos_authentication == -1)
+		options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
+#elif defined(KRB5)
+	if (options->kerberos_authentication == -1)
+	  	options->kerberos_authentication = (access(krb5_defkeyname, R_OK) == 0);
+#endif
+#ifdef KRB4
+	if (options->krb4_or_local_passwd == -1)
+		options->krb4_or_local_passwd = 1;
+	if (options->krb4_ticket_cleanup == -1)
+		options->krb4_ticket_cleanup = 1;
+#endif /* KRB4 */
+#ifdef KRB5
+	if (options->krb5_tgt_passing == -1)
+	  	options->krb5_tgt_passing = 1;
+#endif /* KRB5 */
+#ifdef AFS
+	if (options->krb4_tgt_passing == -1)
+		options->krb4_tgt_passing = 0;
+	if (options->afs_token_passing == -1)
+		options->afs_token_passing = k_hasafs();
+#endif /* AFS */
+	if (options->password_authentication == -1)
+		options->password_authentication = 1;
+	if (options->kbd_interactive_authentication == -1)
+		options->kbd_interactive_authentication = 0;
+	if (options->challenge_reponse_authentication == -1)
+		options->challenge_reponse_authentication = 1;
+	if (options->permit_empty_passwd == -1)
+		options->permit_empty_passwd = 0;
+	if (options->use_login == -1)
+		options->use_login = 0;
+	if (options->allow_tcp_forwarding == -1)
+		options->allow_tcp_forwarding = 1;
+	if (options->gateway_ports == -1)
+		options->gateway_ports = 0;
+	if (options->max_startups == -1)
+		options->max_startups = 10;
+	if (options->max_startups_rate == -1)
+		options->max_startups_rate = 100;		/* 100% */
+	if (options->max_startups_begin == -1)
+		options->max_startups_begin = options->max_startups;
+	if (options->reverse_mapping_check == -1)
+		options->reverse_mapping_check = 0;
+	if (options->client_alive_interval == -1)
+		options->client_alive_interval = 0;  
+	if (options->client_alive_count_max == -1)
+		options->client_alive_count_max = 3;
+}
+
+/* Keyword tokens. */
+typedef enum {
+	sBadOption,		/* == unknown option */
+	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+	sPermitRootLogin, sLogFacility, sLogLevel,
+	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
+#if defined(KRB4) || defined(KRB5)
+	sKerberosAuthentication,
+#endif
+#ifdef KRB4
+	sKrb4OrLocalPasswd, sKrb4TicketCleanup,
+#endif
+#ifdef KRB5
+	sKrb5TgtPassing,
+#endif /* KRB5 */
+#ifdef AFS
+	sKrb4TgtPassing, sAFSTokenPassing,
+#endif
+	sChallengeResponseAuthentication,
+	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
+	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
+	sX11Forwarding, sX11DisplayOffset,
+	sStrictModes, sEmptyPasswd, sKeepAlives, sCheckMail,
+	sUseLogin, sAllowTcpForwarding,
+	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
+	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
+	sBanner, sReverseMappingCheck, sHostbasedAuthentication,
+	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 
+	sClientAliveCountMax, sVersionAddendum, sConnectionsPerPeriod
+} ServerOpCodes;
+
+/* Textual representation of the tokens. */
+static struct {
+	const char *name;
+	ServerOpCodes opcode;
+} keywords[] = {
+	{ "port", sPort },
+	{ "hostkey", sHostKeyFile },
+	{ "hostdsakey", sHostKeyFile },					/* alias */
+	{ "pidfile", sPidFile },
+	{ "serverkeybits", sServerKeyBits },
+	{ "logingracetime", sLoginGraceTime },
+	{ "keyregenerationinterval", sKeyRegenerationTime },
+	{ "permitrootlogin", sPermitRootLogin },
+	{ "syslogfacility", sLogFacility },
+	{ "loglevel", sLogLevel },
+	{ "rhostsauthentication", sRhostsAuthentication },
+	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
+	{ "hostbasedauthentication", sHostbasedAuthentication },
+	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
+	{ "pubkeyauthentication", sPubkeyAuthentication },
+	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
+	{ "rsaauthentication", sRSAAuthentication },
+#if defined(KRB4) || defined(KRB5)
+	{ "kerberosauthentication", sKerberosAuthentication },
+#endif
+#ifdef KRB4
+	{ "kerberos4orlocalpasswd", sKrb4OrLocalPasswd },
+	{ "kerberos4ticketcleanup", sKrb4TicketCleanup },
+#endif
+#ifdef KRB5
+	{ "kerberos5tgtpassing", sKrb5TgtPassing },
+#endif /* KRB5 */
+#ifdef AFS
+	{ "kerberos4tgtpassing", sKrb4TgtPassing },
+	{ "afstokenpassing", sAFSTokenPassing },
+#endif
+	{ "passwordauthentication", sPasswordAuthentication },
+	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
+	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
+	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
+	{ "checkmail", sCheckMail },
+	{ "listenaddress", sListenAddress },
+	{ "printmotd", sPrintMotd },
+	{ "printlastlog", sPrintLastLog },
+	{ "ignorerhosts", sIgnoreRhosts },
+	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
+	{ "x11forwarding", sX11Forwarding },
+	{ "x11displayoffset", sX11DisplayOffset },
+	{ "xauthlocation", sXAuthLocation },
+	{ "strictmodes", sStrictModes },
+	{ "permitemptypasswords", sEmptyPasswd },
+	{ "uselogin", sUseLogin },
+	{ "keepalive", sKeepAlives },
+	{ "allowtcpforwarding", sAllowTcpForwarding },
+	{ "allowusers", sAllowUsers },
+	{ "denyusers", sDenyUsers },
+	{ "allowgroups", sAllowGroups },
+	{ "denygroups", sDenyGroups },
+	{ "ciphers", sCiphers },
+	{ "macs", sMacs },
+	{ "protocol", sProtocol },
+	{ "gatewayports", sGatewayPorts },
+	{ "connectionsperperiod", sConnectionsPerPeriod },
+	{ "subsystem", sSubsystem },
+	{ "maxstartups", sMaxStartups },
+	{ "versionaddendum", sVersionAddendum },
+	{ "banner", sBanner },
+	{ "reversemappingcheck", sReverseMappingCheck },
+	{ "clientaliveinterval", sClientAliveInterval },
+	{ "clientalivecountmax", sClientAliveCountMax },
+	{ NULL, 0 }
+};
+
+/*
+ * Returns the number of the token pointed to by cp or sBadOption.
+ */
+
+static ServerOpCodes
+parse_token(const char *cp, const char *filename,
+	    int linenum)
+{
+	u_int i;
+
+	for (i = 0; keywords[i].name; i++)
+		if (strcasecmp(cp, keywords[i].name) == 0)
+			return keywords[i].opcode;
+
+	error("%s: line %d: Bad configuration option: %s",
+	    filename, linenum, cp);
+	return sBadOption;
+}
+
+void
+add_listen_addr(ServerOptions *options, char *addr, u_short port)
+{
+	int i;
+
+	if (options->num_ports == 0)
+		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+	if (port == 0)
+		for (i = 0; i < options->num_ports; i++)
+			add_one_listen_addr(options, addr, options->ports[i]);
+	else
+		add_one_listen_addr(options, addr, port);
+}
+
+void
+add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
+{
+	struct addrinfo hints, *ai, *aitop;
+	char strport[NI_MAXSERV];
+	int gaierr;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = IPv4or6;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
+	snprintf(strport, sizeof strport, "%d", port);
+	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
+		fatal("bad addr or host: %s (%s)",
+		    addr ? addr : "<NULL>",
+		    gai_strerror(gaierr));
+	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
+		;
+	ai->ai_next = options->listen_addrs;
+	options->listen_addrs = aitop;
+}
+
+/* Reads the server configuration file. */
+
+void
+read_server_config(ServerOptions *options, const char *filename)
+{
+	FILE *f;
+	char line[1024];
+	char *cp, **charptr, *arg, *p;
+	int linenum, *intptr, value;
+	int bad_options = 0;
+	ServerOpCodes opcode;
+	int i;
+
+	f = fopen(filename, "r");
+	if (!f) {
+		perror(filename);
+		exit(1);
+	}
+	linenum = 0;
+	while (fgets(line, sizeof(line), f)) {
+		linenum++;
+		cp = line;
+		arg = strdelim(&cp);
+		/* Ignore leading whitespace */
+		if (*arg == '\0')
+			arg = strdelim(&cp);
+		if (!arg || !*arg || *arg == '#')
+			continue;
+		intptr = NULL;
+		charptr = NULL;
+		opcode = parse_token(arg, filename, linenum);
+		switch (opcode) {
+		case sBadOption:
+			bad_options++;
+			continue;
+		case sPort:
+			/* ignore ports from configfile if cmdline specifies ports */
+			if (options->ports_from_cmdline)
+				continue;
+			if (options->listen_addrs != NULL)
+				fatal("%s line %d: ports must be specified before "
+				    "ListenAdress.\n", filename, linenum);
+			if (options->num_ports >= MAX_PORTS)
+				fatal("%s line %d: too many ports.",
+				    filename, linenum);
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: missing port number.",
+				    filename, linenum);
+			options->ports[options->num_ports++] = a2port(arg);
+			if (options->ports[options->num_ports-1] == 0)
+				fatal("%s line %d: Badly formatted port number.",
+				    filename, linenum);
+			break;
+
+		case sServerKeyBits:
+			intptr = &options->server_key_bits;
+parse_int:
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: missing integer value.",
+				    filename, linenum);
+			value = atoi(arg);
+			if (value == 0) {
+				fprintf(stderr, "%s line %d: invalid integer value.\n",
+					filename, linenum);
+				exit(1);
+			}
+			if (*intptr == -1)
+				*intptr = value;
+			break;
+
+		case sLoginGraceTime:
+			intptr = &options->login_grace_time;
+			goto parse_int;
+
+		case sKeyRegenerationTime:
+			intptr = &options->key_regeneration_time;
+			goto parse_int;
+
+		case sListenAddress:
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
+				fatal("%s line %d: missing inet addr.",
+				    filename, linenum);
+			if (*arg == '[') {
+				if ((p = strchr(arg, ']')) == NULL)
+					fatal("%s line %d: bad ipv6 inet addr usage.",
+					    filename, linenum);
+				arg++;
+				memmove(p, p+1, strlen(p+1)+1);
+			} else if (((p = strchr(arg, ':')) == NULL) ||
+				    (strchr(p+1, ':') != NULL)) {
+				add_listen_addr(options, arg, 0);
+				break;
+			}
+			if (*p == ':') {
+				u_short port;
+
+				p++;
+				if (*p == '\0')
+					fatal("%s line %d: bad inet addr:port usage.",
+					    filename, linenum);
+				else {
+					*(p-1) = '\0';
+					if ((port = a2port(p)) == 0)
+						fatal("%s line %d: bad port number.",
+						    filename, linenum);
+					add_listen_addr(options, arg, port);
+				}
+			} else if (*p == '\0')
+				add_listen_addr(options, arg, 0);
+			else
+				fatal("%s line %d: bad inet addr usage.",
+				    filename, linenum);
+			break;
+
+		case sHostKeyFile:
+			intptr = &options->num_host_key_files;
+			if (*intptr >= MAX_HOSTKEYS)
+				fatal("%s line %d: too many host keys specified (max %d).",
+				    filename, linenum, MAX_HOSTKEYS);
+			charptr = &options->host_key_files[*intptr];
+parse_filename:
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: missing file name.",
+				    filename, linenum);
+			if (*charptr == NULL) {
+				*charptr = tilde_expand_filename(arg, getuid());
+				/* increase optional counter */
+				if (intptr != NULL)
+					*intptr = *intptr + 1;
+			}
+			break;
+
+		case sPidFile:
+			charptr = &options->pid_file;
+			goto parse_filename;
+
+		case sPermitRootLogin:
+			intptr = &options->permit_root_login;
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: missing yes/"
+				    "without-password/forced-commands-only/no "
+				    "argument.", filename, linenum);
+			value = 0;	/* silence compiler */
+			if (strcmp(arg, "without-password") == 0)
+				value = PERMIT_NO_PASSWD;
+			else if (strcmp(arg, "forced-commands-only") == 0)
+				value = PERMIT_FORCED_ONLY;
+			else if (strcmp(arg, "yes") == 0)
+				value = PERMIT_YES;
+			else if (strcmp(arg, "no") == 0)
+				value = PERMIT_NO;
+			else
+				fatal("%s line %d: Bad yes/"
+				    "without-password/forced-commands-only/no "
+				    "argument: %s", filename, linenum, arg);
+			if (*intptr == -1)
+				*intptr = value;
+			break;
+
+		case sIgnoreRhosts:
+			intptr = &options->ignore_rhosts;
+parse_flag:
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: missing yes/no argument.",
+				    filename, linenum);
+			value = 0;	/* silence compiler */
+			if (strcmp(arg, "yes") == 0)
+				value = 1;
+			else if (strcmp(arg, "no") == 0)
+				value = 0;
+			else
+				fatal("%s line %d: Bad yes/no argument: %s",
+					filename, linenum, arg);
+			if (*intptr == -1)
+				*intptr = value;
+			break;
+
+		case sIgnoreUserKnownHosts:
+			intptr = &options->ignore_user_known_hosts;
+			goto parse_flag;
+
+		case sRhostsAuthentication:
+			intptr = &options->rhosts_authentication;
+			goto parse_flag;
+
+		case sRhostsRSAAuthentication:
+			intptr = &options->rhosts_rsa_authentication;
+			goto parse_flag;
+
+		case sHostbasedAuthentication:
+			intptr = &options->hostbased_authentication;
+			goto parse_flag;
+
+		case sHostbasedUsesNameFromPacketOnly:
+			intptr = &options->hostbased_uses_name_from_packet_only;
+			goto parse_flag;
+
+		case sRSAAuthentication:
+			intptr = &options->rsa_authentication;
+			goto parse_flag;
+
+		case sPubkeyAuthentication:
+			intptr = &options->pubkey_authentication;
+			goto parse_flag;
+
+#if defined(KRB4) || defined(KRB5)
+		case sKerberosAuthentication:
+			intptr = &options->kerberos_authentication;
+			goto parse_flag;
+#endif
+			
+#ifdef KRB4
+		case sKrb4OrLocalPasswd:
+			intptr = &options->krb4_or_local_passwd;
+			goto parse_flag;
+
+		case sKrb4TicketCleanup:
+			intptr = &options->krb4_ticket_cleanup;
+			goto parse_flag;
+#endif
+
+#ifdef KRB5
+		case sKrb5TgtPassing:
+			intptr = &options->krb5_tgt_passing;
+			goto parse_flag;
+#endif /* KRB5 */
+
+#ifdef AFS
+		case sKrb4TgtPassing:
+			intptr = &options->krb4_tgt_passing;
+			goto parse_flag;
+
+		case sAFSTokenPassing:
+			intptr = &options->afs_token_passing;
+			goto parse_flag;
+#endif
+
+		case sPasswordAuthentication:
+			intptr = &options->password_authentication;
+			goto parse_flag;
+
+		case sKbdInteractiveAuthentication:
+			intptr = &options->kbd_interactive_authentication;
+			goto parse_flag;
+
+		case sCheckMail:
+			intptr = &options->check_mail;
+			goto parse_flag;
+
+		case sChallengeResponseAuthentication:
+			intptr = &options->challenge_reponse_authentication;
+			goto parse_flag;
+
+		case sPrintMotd:
+			intptr = &options->print_motd;
+			goto parse_flag;
+
+		case sPrintLastLog:
+			intptr = &options->print_lastlog;
+			goto parse_flag;
+
+		case sX11Forwarding:
+			intptr = &options->x11_forwarding;
+			goto parse_flag;
+
+		case sX11DisplayOffset:
+			intptr = &options->x11_display_offset;
+			goto parse_int;
+
+		case sXAuthLocation:
+			charptr = &options->xauth_location;
+			goto parse_filename;
+
+		case sStrictModes:
+			intptr = &options->strict_modes;
+			goto parse_flag;
+
+		case sKeepAlives:
+			intptr = &options->keepalives;
+			goto parse_flag;
+
+		case sEmptyPasswd:
+			intptr = &options->permit_empty_passwd;
+			goto parse_flag;
+
+		case sUseLogin:
+			intptr = &options->use_login;
+			goto parse_flag;
+
+		case sGatewayPorts:
+			intptr = &options->gateway_ports;
+			goto parse_flag;
+
+		case sReverseMappingCheck:
+			intptr = &options->reverse_mapping_check;
+			goto parse_flag;
+
+		case sLogFacility:
+			intptr = (int *) &options->log_facility;
+			arg = strdelim(&cp);
+			value = log_facility_number(arg);
+			if (value == (SyslogFacility) - 1)
+				fatal("%.200s line %d: unsupported log facility '%s'",
+				    filename, linenum, arg ? arg : "<NONE>");
+			if (*intptr == -1)
+				*intptr = (SyslogFacility) value;
+			break;
+
+		case sLogLevel:
+			intptr = (int *) &options->log_level;
+			arg = strdelim(&cp);
+			value = log_level_number(arg);
+			if (value == (LogLevel) - 1)
+				fatal("%.200s line %d: unsupported log level '%s'",
+				    filename, linenum, arg ? arg : "<NONE>");
+			if (*intptr == -1)
+				*intptr = (LogLevel) value;
+			break;
+
+		case sAllowTcpForwarding:
+			intptr = &options->allow_tcp_forwarding;
+			goto parse_flag;
+
+		case sAllowUsers:
+			while ((arg = strdelim(&cp)) && *arg != '\0') {
+				if (options->num_allow_users >= MAX_ALLOW_USERS)
+					fatal("%.200s line %d: too many allow users.",
+					    filename, linenum);
+				options->allow_users[options->num_allow_users++] = xstrdup(arg);
+			}
+			break;
+
+		case sDenyUsers:
+			while ((arg = strdelim(&cp)) && *arg != '\0') {
+				if (options->num_deny_users >= MAX_DENY_USERS)
+					fatal(".200%s line %d: too many deny users.",
+					    filename, linenum);
+				options->deny_users[options->num_deny_users++] = xstrdup(arg);
+			}
+			break;
+
+		case sAllowGroups:
+			while ((arg = strdelim(&cp)) && *arg != '\0') {
+				if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
+					fatal("%.200s line %d: too many allow groups.",
+					    filename, linenum);
+				options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
+			}
+			break;
+
+		case sDenyGroups:
+			while ((arg = strdelim(&cp)) && *arg != '\0') {
+				if (options->num_deny_groups >= MAX_DENY_GROUPS)
+					fatal("%.200s line %d: too many deny groups.",
+					    filename, linenum);
+				options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
+			}
+			break;
+
+		case sCiphers:
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: Missing argument.", filename, linenum);
+			if (!ciphers_valid(arg))
+				fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
+				    filename, linenum, arg ? arg : "<NONE>");
+			if (options->ciphers == NULL)
+				options->ciphers = xstrdup(arg);
+			break;
+
+		case sMacs:
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: Missing argument.", filename, linenum);
+			if (!mac_valid(arg))
+				fatal("%s line %d: Bad SSH2 mac spec '%s'.",
+				    filename, linenum, arg ? arg : "<NONE>");
+			if (options->macs == NULL)
+				options->macs = xstrdup(arg);
+			break;
+
+		case sProtocol:
+			intptr = &options->protocol;
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: Missing argument.", filename, linenum);
+			value = proto_spec(arg);
+			if (value == SSH_PROTO_UNKNOWN)
+				fatal("%s line %d: Bad protocol spec '%s'.",
+				      filename, linenum, arg ? arg : "<NONE>");
+			if (*intptr == SSH_PROTO_UNKNOWN)
+				*intptr = value;
+			break;
+
+		case sConnectionsPerPeriod:
+			(void)strdelim(&cp);
+			error("ConnectionsPerPeriod has been deprecated!");
+			break;
+
+		case sSubsystem:
+			if(options->num_subsystems >= MAX_SUBSYSTEMS) {
+				fatal("%s line %d: too many subsystems defined.",
+				      filename, linenum);
+			}
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: Missing subsystem name.",
+				      filename, linenum);
+			for (i = 0; i < options->num_subsystems; i++)
+				if(strcmp(arg, options->subsystem_name[i]) == 0)
+					fatal("%s line %d: Subsystem '%s' already defined.",
+					      filename, linenum, arg);
+			options->subsystem_name[options->num_subsystems] = xstrdup(arg);
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: Missing subsystem command.",
+				      filename, linenum);
+			options->subsystem_command[options->num_subsystems] = xstrdup(arg);
+			options->num_subsystems++;
+			break;
+
+		case sMaxStartups:
+			arg = strdelim(&cp);
+			if (!arg || *arg == '\0')
+				fatal("%s line %d: Missing MaxStartups spec.",
+				      filename, linenum);
+			if (sscanf(arg, "%d:%d:%d",
+			    &options->max_startups_begin,
+			    &options->max_startups_rate,
+			    &options->max_startups) == 3) {
+				if (options->max_startups_begin >
+				    options->max_startups ||
+				    options->max_startups_rate > 100 ||
+				    options->max_startups_rate < 1)
+				fatal("%s line %d: Illegal MaxStartups spec.",
+				      filename, linenum);
+				break;
+			}
+			intptr = &options->max_startups;
+			goto parse_int;
+
+		case sVersionAddendum:
+			ssh_version_set_addendum(strtok(cp, "\n"));
+			do
+				arg = strdelim(&cp);
+			while (arg != NULL && *arg != '\0');
+			break;
+
+		case sBanner:
+			charptr = &options->banner;
+			goto parse_filename;
+		case sClientAliveInterval:
+			intptr = &options->client_alive_interval;
+			goto parse_int;
+		case sClientAliveCountMax:
+			intptr = &options->client_alive_count_max;
+			goto parse_int;
+		default:
+			fatal("%.200s line %d: Missing handler for opcode %s (%d)",
+			    filename, linenum, arg, opcode);
+		}
+		if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
+			fatal("%s line %d: garbage at end of line; \"%.200s\".",
+			    filename, linenum, arg);
+	}
+	fclose(f);
+	if (bad_options > 0)
+		fatal("%.200s: terminating, %d bad configuration options",
+		    filename, bad_options);
+}
diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h
new file mode 100644
index 0000000..2d84ee4
--- /dev/null
+++ b/crypto/openssh/servconf.h
@@ -0,0 +1,156 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Definitions for server configuration data and for the functions reading it.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: servconf.h,v 1.41 2001/04/13 22:46:53 beck Exp $"); */
+/* RCSID("$FreeBSD$"); */
+
+#ifndef SERVCONF_H
+#define SERVCONF_H
+
+#define MAX_PORTS		256	/* Max # ports. */
+
+#define MAX_ALLOW_USERS		256	/* Max # users on allow list. */
+#define MAX_DENY_USERS		256	/* Max # users on deny list. */
+#define MAX_ALLOW_GROUPS	256	/* Max # groups on allow list. */
+#define MAX_DENY_GROUPS		256	/* Max # groups on deny list. */
+#define MAX_SUBSYSTEMS		256	/* Max # subsystems. */
+#define MAX_HOSTKEYS		256	/* Max # hostkeys. */
+
+/* permit_root_login */
+#define	PERMIT_NOT_SET		-1
+#define	PERMIT_NO		0
+#define	PERMIT_FORCED_ONLY	1
+#define	PERMIT_NO_PASSWD	2
+#define	PERMIT_YES		3
+
+
+typedef struct {
+	u_int num_ports;
+	u_int ports_from_cmdline;
+	u_short ports[MAX_PORTS];	/* Port number to listen on. */
+	char   *listen_addr;		/* Address on which the server listens. */
+	struct addrinfo *listen_addrs;	/* Addresses on which the server listens. */
+	char   *host_key_files[MAX_HOSTKEYS];	/* Files containing host keys. */
+	int     num_host_key_files;     /* Number of files for host keys. */
+	char   *pid_file;	/* Where to put our pid */
+	int     server_key_bits;/* Size of the server key. */
+	int     login_grace_time;	/* Disconnect if no auth in this time
+					 * (sec). */
+	int     key_regeneration_time;	/* Server key lifetime (seconds). */
+	int     permit_root_login;	/* PERMIT_*, see above */
+	int     ignore_rhosts;	/* Ignore .rhosts and .shosts. */
+	int     ignore_user_known_hosts;	/* Ignore ~/.ssh/known_hosts
+						 * for RhostsRsaAuth */
+	int     print_motd;	/* If true, print /etc/motd. */
+	int	print_lastlog;	/* If true, print lastlog */
+	int     check_mail;	/* If true, check for new mail. */
+	int     x11_forwarding;	/* If true, permit inet (spoofing) X11 fwd. */
+	int     x11_display_offset;	/* What DISPLAY number to start
+					 * searching at */
+	char   *xauth_location;	/* Location of xauth program */
+	int     strict_modes;	/* If true, require string home dir modes. */
+	int     keepalives;	/* If true, set SO_KEEPALIVE. */
+	char   *ciphers;	/* Supported SSH2 ciphers. */
+	char   *macs;		/* Supported SSH2 macs. */
+	int	protocol;	/* Supported protocol versions. */
+	int     gateway_ports;	/* If true, allow remote connects to forwarded ports. */
+	SyslogFacility log_facility;	/* Facility for system logging. */
+	LogLevel log_level;	/* Level for system logging. */
+	int     rhosts_authentication;	/* If true, permit rhosts
+					 * authentication. */
+	int     rhosts_rsa_authentication;	/* If true, permit rhosts RSA
+						 * authentication. */
+	int     hostbased_authentication;	/* If true, permit ssh2 hostbased auth */
+	int     hostbased_uses_name_from_packet_only; /* experimental */
+	int     rsa_authentication;	/* If true, permit RSA authentication. */
+#if defined(KRB4) || defined(KRB5)
+	int     kerberos_authentication; /* If true, permit Kerberos auth. */
+#endif /* KRB4 || KRB5 */
+	int     pubkey_authentication;	/* If true, permit ssh2 pubkey authentication. */
+#ifdef KRB4
+	int     krb4_or_local_passwd;		/* If true, permit kerberos v4
+						 * and any other password
+						 * authentication mechanism,
+						 * such as SecurID or
+						 * /etc/passwd */
+	int     krb4_ticket_cleanup;		/* If true, destroy ticket
+						 * file on logout. */
+#endif
+#ifdef KRB5
+	int     krb5_tgt_passing;
+
+#endif /* KRB5 */
+#ifdef AFS
+	int     krb4_tgt_passing;	/* If true, permit Kerberos v4 tgt
+					 * passing. */
+	int     afs_token_passing;	/* If true, permit AFS token passing. */
+#endif
+	int     password_authentication;	/* If true, permit password
+						 * authentication. */
+	int     kbd_interactive_authentication;	/* If true, permit */
+	int     challenge_reponse_authentication;
+	int     permit_empty_passwd;	/* If false, do not permit empty
+					 * passwords. */
+	int     use_login;	/* If true, login(1) is used */
+	int	allow_tcp_forwarding;
+	u_int num_allow_users;
+	char   *allow_users[MAX_ALLOW_USERS];
+	u_int num_deny_users;
+	char   *deny_users[MAX_DENY_USERS];
+	u_int num_allow_groups;
+	char   *allow_groups[MAX_ALLOW_GROUPS];
+	u_int num_deny_groups;
+	char   *deny_groups[MAX_DENY_GROUPS];
+	unsigned int connections_per_period;	/*
+						 * If not 0, number of sshd
+						 * connections accepted per
+						 * connections_period.
+						 */
+	unsigned int connections_period;
+
+	u_int num_subsystems;
+	char   *subsystem_name[MAX_SUBSYSTEMS];
+	char   *subsystem_command[MAX_SUBSYSTEMS];
+
+	int	max_startups_begin;
+	int	max_startups_rate;
+	int	max_startups;
+	char   *banner;			/* SSH-2 banner message */
+	int	reverse_mapping_check;	/* cross-check ip and dns */
+	int	client_alive_interval;	/*
+					 * poke the client this often to 
+					 * see if it's still there 
+					 */
+	int	client_alive_count_max;	/*
+					 *If the client is unresponsive
+					 * for this many intervals, above
+					 * diconnect the session 
+					 */
+
+}       ServerOptions;
+/*
+ * Initializes the server options to special values that indicate that they
+ * have not yet been set.
+ */
+void    initialize_server_options(ServerOptions * options);
+
+/*
+ * Reads the server configuration file.  This only sets the values for those
+ * options that have the special value indicating they have not been set.
+ */
+void    read_server_config(ServerOptions * options, const char *filename);
+
+/* Sets values for those values that have not yet been set. */
+void    fill_default_server_options(ServerOptions * options);
+
+#endif				/* SERVCONF_H */
diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c
new file mode 100644
index 0000000..02d034e
--- /dev/null
+++ b/crypto/openssh/serverloop.c
@@ -0,0 +1,1008 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Server main loop for handling the interactive session.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * SSH2 support by Markus Friedl.
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$FreeBSD$");
+RCSID("$OpenBSD: serverloop.c,v 1.61 2001/04/13 22:46:54 beck Exp $");
+
+#include "xmalloc.h"
+#include "packet.h"
+#include "buffer.h"
+#include "log.h"
+#include "servconf.h"
+#include "sshpty.h"
+#include "channels.h"
+#include "compat.h"
+#include "ssh1.h"
+#include "ssh2.h"
+#include "auth.h"
+#include "session.h"
+#include "dispatch.h"
+#include "auth-options.h"
+#include "serverloop.h"
+#include "misc.h"
+#include "kex.h"
+
+extern ServerOptions options;
+
+/* XXX */
+extern Kex *xxx_kex;
+
+static Buffer stdin_buffer;	/* Buffer for stdin data. */
+static Buffer stdout_buffer;	/* Buffer for stdout data. */
+static Buffer stderr_buffer;	/* Buffer for stderr data. */
+static int fdin;		/* Descriptor for stdin (for writing) */
+static int fdout;		/* Descriptor for stdout (for reading);
+				   May be same number as fdin. */
+static int fderr;		/* Descriptor for stderr.  May be -1. */
+static long stdin_bytes = 0;	/* Number of bytes written to stdin. */
+static long stdout_bytes = 0;	/* Number of stdout bytes sent to client. */
+static long stderr_bytes = 0;	/* Number of stderr bytes sent to client. */
+static long fdout_bytes = 0;	/* Number of stdout bytes read from program. */
+static int stdin_eof = 0;	/* EOF message received from client. */
+static int fdout_eof = 0;	/* EOF encountered reading from fdout. */
+static int fderr_eof = 0;	/* EOF encountered readung from fderr. */
+static int fdin_is_tty = 0;	/* fdin points to a tty. */
+static int connection_in;	/* Connection to client (input). */
+static int connection_out;	/* Connection to client (output). */
+static int connection_closed = 0;	/* Connection to client closed. */
+static u_int buffer_high;	/* "Soft" max buffer size. */
+
+/*
+ * This SIGCHLD kludge is used to detect when the child exits.  The server
+ * will exit after that, as soon as forwarded connections have terminated.
+ */
+
+static pid_t child_pid;			/* Pid of the child. */
+static volatile int child_terminated;	/* The child has terminated. */
+static volatile int child_wait_status;	/* Status from wait(). */
+
+void	server_init_dispatch(void);
+
+int client_alive_timeouts = 0;
+
+void
+sigchld_handler(int sig)
+{
+	int save_errno = errno;
+	pid_t wait_pid;
+
+	debug("Received SIGCHLD.");
+	wait_pid = wait((int *) &child_wait_status);
+	if (wait_pid != -1) {
+		if (wait_pid != child_pid)
+			error("Strange, got SIGCHLD and wait returned pid %d but child is %d",
+			      wait_pid, child_pid);
+		if (WIFEXITED(child_wait_status) ||
+		    WIFSIGNALED(child_wait_status))
+			child_terminated = 1;
+	}
+	signal(SIGCHLD, sigchld_handler);
+	errno = save_errno;
+}
+void
+sigchld_handler2(int sig)
+{
+	int save_errno = errno;
+	debug("Received SIGCHLD.");
+	child_terminated = 1;
+	signal(SIGCHLD, sigchld_handler2);
+	errno = save_errno;
+}
+
+/*
+ * Make packets from buffered stderr data, and buffer it for sending
+ * to the client.
+ */
+void
+make_packets_from_stderr_data(void)
+{
+	int len;
+
+	/* Send buffered stderr data to the client. */
+	while (buffer_len(&stderr_buffer) > 0 &&
+	    packet_not_very_much_data_to_write()) {
+		len = buffer_len(&stderr_buffer);
+		if (packet_is_interactive()) {
+			if (len > 512)
+				len = 512;
+		} else {
+			/* Keep the packets at reasonable size. */
+			if (len > packet_get_maxsize())
+				len = packet_get_maxsize();
+		}
+		packet_start(SSH_SMSG_STDERR_DATA);
+		packet_put_string(buffer_ptr(&stderr_buffer), len);
+		packet_send();
+		buffer_consume(&stderr_buffer, len);
+		stderr_bytes += len;
+	}
+}
+
+/*
+ * Make packets from buffered stdout data, and buffer it for sending to the
+ * client.
+ */
+void
+make_packets_from_stdout_data(void)
+{
+	int len;
+
+	/* Send buffered stdout data to the client. */
+	while (buffer_len(&stdout_buffer) > 0 &&
+	    packet_not_very_much_data_to_write()) {
+		len = buffer_len(&stdout_buffer);
+		if (packet_is_interactive()) {
+			if (len > 512)
+				len = 512;
+		} else {
+			/* Keep the packets at reasonable size. */
+			if (len > packet_get_maxsize())
+				len = packet_get_maxsize();
+		}
+		packet_start(SSH_SMSG_STDOUT_DATA);
+		packet_put_string(buffer_ptr(&stdout_buffer), len);
+		packet_send();
+		buffer_consume(&stdout_buffer, len);
+		stdout_bytes += len;
+	}
+}
+
+/*
+ * Sleep in select() until we can do something.  This will initialize the
+ * select masks.  Upon return, the masks will indicate which descriptors
+ * have data or can accept data.  Optionally, a maximum time can be specified
+ * for the duration of the wait (0 = infinite).
+ */
+void
+wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
+    u_int max_time_milliseconds)
+{
+	struct timeval tv, *tvp;
+	int ret;
+	int client_alive_scheduled = 0;
+
+	/*
+	 * if using client_alive, set the max timeout accordingly, 
+	 * and indicate that this particular timeout was for client
+	 * alive by setting the client_alive_scheduled flag.
+	 *
+	 * this could be randomized somewhat to make traffic
+	 * analysis more difficult, but we're not doing it yet.  
+	 */
+	if (max_time_milliseconds == 0 && options.client_alive_interval) {
+	        client_alive_scheduled = 1;
+		max_time_milliseconds = options.client_alive_interval * 1000;
+	} else 
+	        client_alive_scheduled = 0;
+
+	/* When select fails we restart from here. */
+retry_select:
+
+	/* Allocate and update select() masks for channel descriptors. */
+	channel_prepare_select(readsetp, writesetp, maxfdp, 0);
+
+	if (compat20) {
+		/* wrong: bad condition XXX */
+		if (channel_not_very_much_buffered_data())
+			FD_SET(connection_in, *readsetp);
+	} else {
+		/*
+		 * Read packets from the client unless we have too much
+		 * buffered stdin or channel data.
+		 */
+		if (buffer_len(&stdin_buffer) < buffer_high &&
+		    channel_not_very_much_buffered_data())
+			FD_SET(connection_in, *readsetp);
+		/*
+		 * If there is not too much data already buffered going to
+		 * the client, try to get some more data from the program.
+		 */
+		if (packet_not_very_much_data_to_write()) {
+			if (!fdout_eof)
+				FD_SET(fdout, *readsetp);
+			if (!fderr_eof)
+				FD_SET(fderr, *readsetp);
+		}
+		/*
+		 * If we have buffered data, try to write some of that data
+		 * to the program.
+		 */
+		if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
+			FD_SET(fdin, *writesetp);
+	}
+
+	/*
+	 * If we have buffered packet data going to the client, mark that
+	 * descriptor.
+	 */
+	if (packet_have_data_to_write())
+		FD_SET(connection_out, *writesetp);
+
+	/*
+	 * If child has terminated and there is enough buffer space to read
+	 * from it, then read as much as is available and exit.
+	 */
+	if (child_terminated && packet_not_very_much_data_to_write())
+		if (max_time_milliseconds == 0 || client_alive_scheduled)
+			max_time_milliseconds = 100;
+
+	if (max_time_milliseconds == 0)
+		tvp = NULL;
+	else {
+		tv.tv_sec = max_time_milliseconds / 1000;
+		tv.tv_usec = 1000 * (max_time_milliseconds % 1000);
+		tvp = &tv;
+	}
+	if (tvp!=NULL)
+		debug3("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds);
+
+	/* Wait for something to happen, or the timeout to expire. */
+	ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);
+
+	if (ret == -1) {
+		if (errno != EINTR)
+			error("select: %.100s", strerror(errno));
+		else
+			goto retry_select;
+	}
+	if (ret == 0 && client_alive_scheduled) {
+		/* timeout, check to see how many we have had */
+		client_alive_timeouts++;
+
+		if (client_alive_timeouts > options.client_alive_count_max ) {
+			packet_disconnect(
+				"Timeout, your session not responding.");
+		} else {
+			/*
+			 * send a bogus channel request with "wantreply" 
+			 * we should get back a failure
+			 */
+			int id;
+			
+			id = channel_find_open();
+			if (id != -1) {
+				channel_request_start(id,
+				  "keepalive@openssh.com", 1);
+				packet_send();
+			} else 
+				packet_disconnect(
+					"No open channels after timeout!");
+		}
+	} 
+}
+
+/*
+ * Processes input from the client and the program.  Input data is stored
+ * in buffers and processed later.
+ */
+void
+process_input(fd_set * readset)
+{
+	int len;
+	char buf[16384];
+
+	/* Read and buffer any input data from the client. */
+	if (FD_ISSET(connection_in, readset)) {
+		len = read(connection_in, buf, sizeof(buf));
+		if (len == 0) {
+			verbose("Connection closed by remote host.");
+			connection_closed = 1;
+			if (compat20)
+				return;
+			fatal_cleanup();
+		} else if (len < 0) {
+			if (errno != EINTR && errno != EAGAIN) {
+				verbose("Read error from remote host: %.100s", strerror(errno));
+				fatal_cleanup();
+			}
+		} else {
+			/* Buffer any received data. */
+			packet_process_incoming(buf, len);
+		}
+	}
+	if (compat20)
+		return;
+
+	/* Read and buffer any available stdout data from the program. */
+	if (!fdout_eof && FD_ISSET(fdout, readset)) {
+		len = read(fdout, buf, sizeof(buf));
+		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+			/* do nothing */
+		} else if (len <= 0) {
+			fdout_eof = 1;
+		} else {
+			buffer_append(&stdout_buffer, buf, len);
+			fdout_bytes += len;
+		}
+	}
+	/* Read and buffer any available stderr data from the program. */
+	if (!fderr_eof && FD_ISSET(fderr, readset)) {
+		len = read(fderr, buf, sizeof(buf));
+		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+			/* do nothing */
+		} else if (len <= 0) {
+			fderr_eof = 1;
+		} else {
+			buffer_append(&stderr_buffer, buf, len);
+		}
+	}
+}
+
+/*
+ * Sends data from internal buffers to client program stdin.
+ */
+void
+process_output(fd_set * writeset)
+{
+	struct termios tio;
+	int len;
+
+	/* Write buffered data to program stdin. */
+	if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
+		len = write(fdin, buffer_ptr(&stdin_buffer),
+		    buffer_len(&stdin_buffer));
+		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+			/* do nothing */
+		} else if (len <= 0) {
+#ifdef USE_PIPES
+			close(fdin);
+#else
+			if (fdin != fdout)
+				close(fdin);
+			else
+				shutdown(fdin, SHUT_WR); /* We will no longer send. */
+#endif
+			fdin = -1;
+		} else {
+			/* Successful write. */
+			if (fdin_is_tty && tcgetattr(fdin, &tio) == 0 &&
+			    !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
+				/*
+				 * Simulate echo to reduce the impact of
+				 * traffic analysis
+				 */
+				packet_send_ignore(len);
+				packet_send();
+			}
+			/* Consume the data from the buffer. */
+			buffer_consume(&stdin_buffer, len);
+			/* Update the count of bytes written to the program. */
+			stdin_bytes += len;
+		}
+	}
+	/* Send any buffered packet data to the client. */
+	if (FD_ISSET(connection_out, writeset))
+		packet_write_poll();
+}
+
+/*
+ * Wait until all buffered output has been sent to the client.
+ * This is used when the program terminates.
+ */
+void
+drain_output(void)
+{
+	/* Send any buffered stdout data to the client. */
+	if (buffer_len(&stdout_buffer) > 0) {
+		packet_start(SSH_SMSG_STDOUT_DATA);
+		packet_put_string(buffer_ptr(&stdout_buffer),
+				  buffer_len(&stdout_buffer));
+		packet_send();
+		/* Update the count of sent bytes. */
+		stdout_bytes += buffer_len(&stdout_buffer);
+	}
+	/* Send any buffered stderr data to the client. */
+	if (buffer_len(&stderr_buffer) > 0) {
+		packet_start(SSH_SMSG_STDERR_DATA);
+		packet_put_string(buffer_ptr(&stderr_buffer),
+				  buffer_len(&stderr_buffer));
+		packet_send();
+		/* Update the count of sent bytes. */
+		stderr_bytes += buffer_len(&stderr_buffer);
+	}
+	/* Wait until all buffered data has been written to the client. */
+	packet_write_wait();
+}
+
+void
+process_buffered_input_packets(void)
+{
+	dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL);
+}
+
+/*
+ * Performs the interactive session.  This handles data transmission between
+ * the client and the program.  Note that the notion of stdin, stdout, and
+ * stderr in this function is sort of reversed: this function writes to
+ * stdin (of the child program), and reads from stdout and stderr (of the
+ * child program).
+ */
+void
+server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+{
+	fd_set *readset = NULL, *writeset = NULL;
+	int max_fd;
+	int wait_status;	/* Status returned by wait(). */
+	pid_t wait_pid;		/* pid returned by wait(). */
+	int waiting_termination = 0;	/* Have displayed waiting close message. */
+	u_int max_time_milliseconds;
+	u_int previous_stdout_buffer_bytes;
+	u_int stdout_buffer_bytes;
+	int type;
+
+	debug("Entering interactive session.");
+
+	/* Initialize the SIGCHLD kludge. */
+	child_pid = pid;
+	child_terminated = 0;
+	signal(SIGCHLD, sigchld_handler);
+
+	/* Initialize our global variables. */
+	fdin = fdin_arg;
+	fdout = fdout_arg;
+	fderr = fderr_arg;
+
+	/* nonblocking IO */
+	set_nonblock(fdin);
+	set_nonblock(fdout);
+	/* we don't have stderr for interactive terminal sessions, see below */
+	if (fderr != -1)
+		set_nonblock(fderr);
+
+	if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
+		fdin_is_tty = 1;
+
+	connection_in = packet_get_connection_in();
+	connection_out = packet_get_connection_out();
+
+	previous_stdout_buffer_bytes = 0;
+
+	/* Set approximate I/O buffer size. */
+	if (packet_is_interactive())
+		buffer_high = 4096;
+	else
+		buffer_high = 64 * 1024;
+
+	/* Initialize max_fd to the maximum of the known file descriptors. */
+	max_fd = MAX(fdin, fdout);
+	if (fderr != -1)
+		max_fd = MAX(max_fd, fderr);
+	max_fd = MAX(max_fd, connection_in);
+	max_fd = MAX(max_fd, connection_out);
+
+	/* Initialize Initialize buffers. */
+	buffer_init(&stdin_buffer);
+	buffer_init(&stdout_buffer);
+	buffer_init(&stderr_buffer);
+
+	/*
+	 * If we have no separate fderr (which is the case when we have a pty
+	 * - there we cannot make difference between data sent to stdout and
+	 * stderr), indicate that we have seen an EOF from stderr.  This way
+	 * we don\'t need to check the descriptor everywhere.
+	 */
+	if (fderr == -1)
+		fderr_eof = 1;
+
+	server_init_dispatch();
+
+	/* Main loop of the server for the interactive session mode. */
+	for (;;) {
+
+		/* Process buffered packets from the client. */
+		process_buffered_input_packets();
+
+		/*
+		 * If we have received eof, and there is no more pending
+		 * input data, cause a real eof by closing fdin.
+		 */
+		if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
+#ifdef USE_PIPES
+			close(fdin);
+#else
+			if (fdin != fdout)
+				close(fdin);
+			else
+				shutdown(fdin, SHUT_WR); /* We will no longer send. */
+#endif
+			fdin = -1;
+		}
+		/* Make packets from buffered stderr data to send to the client. */
+		make_packets_from_stderr_data();
+
+		/*
+		 * Make packets from buffered stdout data to send to the
+		 * client. If there is very little to send, this arranges to
+		 * not send them now, but to wait a short while to see if we
+		 * are getting more data. This is necessary, as some systems
+		 * wake up readers from a pty after each separate character.
+		 */
+		max_time_milliseconds = 0;
+		stdout_buffer_bytes = buffer_len(&stdout_buffer);
+		if (stdout_buffer_bytes != 0 && stdout_buffer_bytes < 256 &&
+		    stdout_buffer_bytes != previous_stdout_buffer_bytes) {
+			/* try again after a while */
+			max_time_milliseconds = 10;
+		} else {
+			/* Send it now. */
+			make_packets_from_stdout_data();
+		}
+		previous_stdout_buffer_bytes = buffer_len(&stdout_buffer);
+
+		/* Send channel data to the client. */
+		if (packet_not_very_much_data_to_write())
+			channel_output_poll();
+
+		/*
+		 * Bail out of the loop if the program has closed its output
+		 * descriptors, and we have no more data to send to the
+		 * client, and there is no pending buffered data.
+		 */
+		if (fdout_eof && fderr_eof && !packet_have_data_to_write() &&
+		    buffer_len(&stdout_buffer) == 0 && buffer_len(&stderr_buffer) == 0) {
+			if (!channel_still_open())
+				break;
+			if (!waiting_termination) {
+				const char *s = "Waiting for forwarded connections to terminate...\r\n";
+				char *cp;
+				waiting_termination = 1;
+				buffer_append(&stderr_buffer, s, strlen(s));
+
+				/* Display list of open channels. */
+				cp = channel_open_message();
+				buffer_append(&stderr_buffer, cp, strlen(cp));
+				xfree(cp);
+			}
+		}
+		/* Sleep in select() until we can do something. */
+		wait_until_can_do_something(&readset, &writeset, &max_fd,
+		    max_time_milliseconds);
+
+		/* Process any channel events. */
+		channel_after_select(readset, writeset);
+
+		/* Process input from the client and from program stdout/stderr. */
+		process_input(readset);
+
+		/* Process output to the client and to program stdin. */
+		process_output(writeset);
+	}
+	if (readset)
+		xfree(readset);
+	if (writeset)
+		xfree(writeset);
+
+	/* Cleanup and termination code. */
+
+	/* Wait until all output has been sent to the client. */
+	drain_output();
+
+	debug("End of interactive session; stdin %ld, stdout (read %ld, sent %ld), stderr %ld bytes.",
+	      stdin_bytes, fdout_bytes, stdout_bytes, stderr_bytes);
+
+	/* Free and clear the buffers. */
+	buffer_free(&stdin_buffer);
+	buffer_free(&stdout_buffer);
+	buffer_free(&stderr_buffer);
+
+	/* Close the file descriptors. */
+	if (fdout != -1)
+		close(fdout);
+	fdout = -1;
+	fdout_eof = 1;
+	if (fderr != -1)
+		close(fderr);
+	fderr = -1;
+	fderr_eof = 1;
+	if (fdin != -1)
+		close(fdin);
+	fdin = -1;
+
+	/* Stop listening for channels; this removes unix domain sockets. */
+	channel_stop_listening();
+
+	/* Wait for the child to exit.  Get its exit status. */
+	wait_pid = wait(&wait_status);
+	if (wait_pid == -1) {
+		/*
+		 * It is possible that the wait was handled by SIGCHLD
+		 * handler.  This may result in either: this call
+		 * returning with EINTR, or: this call returning ECHILD.
+		 */
+		if (child_terminated)
+			wait_status = child_wait_status;
+		else
+			packet_disconnect("wait: %.100s", strerror(errno));
+	} else {
+		/* Check if it matches the process we forked. */
+		if (wait_pid != pid)
+			error("Strange, wait returned pid %d, expected %d",
+			       wait_pid, pid);
+	}
+
+	/* We no longer want our SIGCHLD handler to be called. */
+	signal(SIGCHLD, SIG_DFL);
+
+	/* Check if it exited normally. */
+	if (WIFEXITED(wait_status)) {
+		/* Yes, normal exit.  Get exit status and send it to the client. */
+		debug("Command exited with status %d.", WEXITSTATUS(wait_status));
+		packet_start(SSH_SMSG_EXITSTATUS);
+		packet_put_int(WEXITSTATUS(wait_status));
+		packet_send();
+		packet_write_wait();
+
+		/*
+		 * Wait for exit confirmation.  Note that there might be
+		 * other packets coming before it; however, the program has
+		 * already died so we just ignore them.  The client is
+		 * supposed to respond with the confirmation when it receives
+		 * the exit status.
+		 */
+		do {
+			int plen;
+			type = packet_read(&plen);
+		}
+		while (type != SSH_CMSG_EXIT_CONFIRMATION);
+
+		debug("Received exit confirmation.");
+		return;
+	}
+	/* Check if the program terminated due to a signal. */
+	if (WIFSIGNALED(wait_status))
+		packet_disconnect("Command terminated on signal %d.",
+				  WTERMSIG(wait_status));
+
+	/* Some weird exit cause.  Just exit. */
+	packet_disconnect("wait returned status %04x.", wait_status);
+	/* NOTREACHED */
+}
+
+void
+server_loop2(void)
+{
+	fd_set *readset = NULL, *writeset = NULL;
+	int rekeying = 0, max_fd, status;
+	pid_t pid;
+
+	debug("Entering interactive session for SSH2.");
+
+	signal(SIGCHLD, sigchld_handler2);
+	child_terminated = 0;
+	connection_in = packet_get_connection_in();
+	connection_out = packet_get_connection_out();
+
+	max_fd = MAX(connection_in, connection_out);
+
+	server_init_dispatch();
+
+	for (;;) {
+		process_buffered_input_packets();
+
+		rekeying = (xxx_kex != NULL && !xxx_kex->done);
+
+		if (!rekeying && packet_not_very_much_data_to_write())
+			channel_output_poll();
+		wait_until_can_do_something(&readset, &writeset, &max_fd,
+		    rekeying);
+		if (child_terminated) {
+			while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
+				session_close_by_pid(pid, status);
+			child_terminated = 0;
+		}
+		if (!rekeying)
+			channel_after_select(readset, writeset);
+		process_input(readset);
+		if (connection_closed)
+			break;
+		process_output(writeset);
+	}
+	if (readset)
+		xfree(readset);
+	if (writeset)
+		xfree(writeset);
+
+	signal(SIGCHLD, SIG_DFL);
+	while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
+		session_close_by_pid(pid, status);
+	channel_stop_listening();
+}
+
+void
+server_input_channel_failure(int type, int plen, void *ctxt)
+{
+	debug("Got CHANNEL_FAILURE for keepalive");
+	/* 
+         * reset timeout, since we got a sane answer from the client.
+	 * even if this was generated by something other than
+	 * the bogus CHANNEL_REQUEST we send for keepalives.
+	 */
+	client_alive_timeouts = 0; 
+}
+
+
+void
+server_input_stdin_data(int type, int plen, void *ctxt)
+{
+	char *data;
+	u_int data_len;
+
+	/* Stdin data from the client.  Append it to the buffer. */
+	/* Ignore any data if the client has closed stdin. */
+	if (fdin == -1)
+		return;
+	data = packet_get_string(&data_len);
+	packet_integrity_check(plen, (4 + data_len), type);
+	buffer_append(&stdin_buffer, data, data_len);
+	memset(data, 0, data_len);
+	xfree(data);
+}
+
+void
+server_input_eof(int type, int plen, void *ctxt)
+{
+	/*
+	 * Eof from the client.  The stdin descriptor to the
+	 * program will be closed when all buffered data has
+	 * drained.
+	 */
+	debug("EOF received for stdin.");
+	packet_integrity_check(plen, 0, type);
+	stdin_eof = 1;
+}
+
+void
+server_input_window_size(int type, int plen, void *ctxt)
+{
+	int row = packet_get_int();
+	int col = packet_get_int();
+	int xpixel = packet_get_int();
+	int ypixel = packet_get_int();
+
+	debug("Window change received.");
+	packet_integrity_check(plen, 4 * 4, type);
+	if (fdin != -1)
+		pty_change_window_size(fdin, row, col, xpixel, ypixel);
+}
+
+Channel *
+server_request_direct_tcpip(char *ctype)
+{
+	int sock, newch;
+	char *target, *originator;
+	int target_port, originator_port;
+
+	target = packet_get_string(NULL);
+	target_port = packet_get_int();
+	originator = packet_get_string(NULL);
+	originator_port = packet_get_int();
+	packet_done();
+
+	debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
+	   originator, originator_port, target, target_port);
+
+	/* XXX check permission */
+	sock = channel_connect_to(target, target_port);
+	xfree(target);
+	xfree(originator);
+	if (sock < 0)
+		return NULL;
+	newch = channel_new(ctype, SSH_CHANNEL_CONNECTING,
+	    sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT,
+	    CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("direct-tcpip"), 1);
+	return (newch >= 0) ? channel_lookup(newch) : NULL;
+}
+
+Channel *
+server_request_session(char *ctype)
+{
+	int newch;
+
+	debug("input_session_request");
+	packet_done();
+	/*
+	 * A server session has no fd to read or write until a
+	 * CHANNEL_REQUEST for a shell is made, so we set the type to
+	 * SSH_CHANNEL_LARVAL.  Additionally, a callback for handling all
+	 * CHANNEL_REQUEST messages is registered.
+	 */
+	newch = channel_new(ctype, SSH_CHANNEL_LARVAL,
+	    -1, -1, -1, 0, CHAN_SES_PACKET_DEFAULT,
+	    0, xstrdup("server-session"), 1);
+	if (session_open(newch) == 1) {
+		channel_register_callback(newch, SSH2_MSG_CHANNEL_REQUEST,
+		    session_input_channel_req, (void *)0);
+		channel_register_cleanup(newch, session_close_by_channel);
+		return channel_lookup(newch);
+	} else {
+		debug("session open failed, free channel %d", newch);
+		channel_free(newch);
+	}
+	return NULL;
+}
+
+void
+server_input_channel_open(int type, int plen, void *ctxt)
+{
+	Channel *c = NULL;
+	char *ctype;
+	u_int len;
+	int rchan;
+	int rmaxpack;
+	int rwindow;
+
+	ctype = packet_get_string(&len);
+	rchan = packet_get_int();
+	rwindow = packet_get_int();
+	rmaxpack = packet_get_int();
+
+	debug("server_input_channel_open: ctype %s rchan %d win %d max %d",
+	    ctype, rchan, rwindow, rmaxpack);
+
+	if (strcmp(ctype, "session") == 0) {
+		c = server_request_session(ctype);
+	} else if (strcmp(ctype, "direct-tcpip") == 0) {
+		c = server_request_direct_tcpip(ctype);
+	}
+	if (c != NULL) {
+		debug("server_input_channel_open: confirm %s", ctype);
+		c->remote_id = rchan;
+		c->remote_window = rwindow;
+		c->remote_maxpacket = rmaxpack;
+
+		packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
+		packet_put_int(c->remote_id);
+		packet_put_int(c->self);
+		packet_put_int(c->local_window);
+		packet_put_int(c->local_maxpacket);
+		packet_send();
+	} else {
+		debug("server_input_channel_open: failure %s", ctype);
+		packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(rchan);
+		packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
+		packet_put_cstring("bla bla");
+		packet_put_cstring("");
+		packet_send();
+	}
+	xfree(ctype);
+}
+
+void
+server_input_global_request(int type, int plen, void *ctxt)
+{
+	char *rtype;
+	int want_reply;
+	int success = 0;
+
+	rtype = packet_get_string(NULL);
+	want_reply = packet_get_char();
+	debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
+
+	/* -R style forwarding */
+	if (strcmp(rtype, "tcpip-forward") == 0) {
+		struct passwd *pw;
+		char *listen_address;
+		u_short listen_port;
+
+		pw = auth_get_user();
+		if (pw == NULL)
+			fatal("server_input_global_request: no user");
+		listen_address = packet_get_string(NULL); /* XXX currently ignored */
+		listen_port = (u_short)packet_get_int();
+		debug("server_input_global_request: tcpip-forward listen %s port %d",
+		    listen_address, listen_port);
+
+		/* check permissions */
+		if (!options.allow_tcp_forwarding ||
+		    no_port_forwarding_flag ||
+		    (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) {
+			success = 0;
+			packet_send_debug("Server has disabled port forwarding.");
+		} else {
+			/* Start listening on the port */
+			success = channel_request_forwarding(
+			    listen_address, listen_port,
+			    /*unspec host_to_connect*/ "<unspec host>",
+			    /*unspec port_to_connect*/ 0,
+			    options.gateway_ports, /*remote*/ 1);
+		}
+		xfree(listen_address);
+	}
+	if (want_reply) {
+		packet_start(success ?
+		    SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
+		packet_send();
+		packet_write_wait();
+	}
+	xfree(rtype);
+}
+
+void
+server_init_dispatch_20(void)
+{
+	debug("server_init_dispatch_20");
+	dispatch_init(&dispatch_protocol_error);
+	dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
+	dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
+	dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
+	dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN, &server_input_channel_open);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
+	dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
+	dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
+	dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
+	dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request);
+	/* client_alive */
+	dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &server_input_channel_failure);
+	/* rekeying */
+	dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
+}
+void
+server_init_dispatch_13(void)
+{
+	debug("server_init_dispatch_13");
+	dispatch_init(NULL);
+	dispatch_set(SSH_CMSG_EOF, &server_input_eof);
+	dispatch_set(SSH_CMSG_STDIN_DATA, &server_input_stdin_data);
+	dispatch_set(SSH_CMSG_WINDOW_SIZE, &server_input_window_size);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation);
+	dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data);
+	dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
+	dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
+	dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
+}
+void
+server_init_dispatch_15(void)
+{
+	server_init_dispatch_13();
+	debug("server_init_dispatch_15");
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof);
+	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_oclose);
+}
+void
+server_init_dispatch(void)
+{
+	if (compat20)
+		server_init_dispatch_20();
+	else if (compat13)
+		server_init_dispatch_13();
+	else
+		server_init_dispatch_15();
+}
+
diff --git a/crypto/openssh/serverloop.h b/crypto/openssh/serverloop.h
new file mode 100644
index 0000000..652c1d9
--- /dev/null
+++ b/crypto/openssh/serverloop.h
@@ -0,0 +1,22 @@
+/*	$OpenBSD: serverloop.h,v 1.2 2001/01/29 01:58:17 niklas Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+/*
+ * Performs the interactive session.  This handles data transmission between
+ * the client and the program.  Note that the notion of stdin, stdout, and
+ * stderr in this function is sort of reversed: this function writes to stdin
+ * (of the child program), and reads from stdout and stderr (of the child
+ * program).
+ */
+void    server_loop(pid_t pid, int fdin, int fdout, int fderr);
+void    server_loop2(void);
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
new file mode 100644
index 0000000..fc8aa65
--- /dev/null
+++ b/crypto/openssh/session.c
@@ -0,0 +1,2008 @@
+/*
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * SSH2 support by Markus Friedl.
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: session.c,v 1.80 2001/06/04 21:59:43 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include "ssh.h"
+#include "ssh1.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "sshpty.h"
+#include "packet.h"
+#include "buffer.h"
+#include "mpaux.h"
+#include "uidswap.h"
+#include "compat.h"
+#include "channels.h"
+#include "nchan.h"
+#include "bufaux.h"
+#include "auth.h"
+#include "auth-options.h"
+#include "pathnames.h"
+#include "log.h"
+#include "servconf.h"
+#include "sshlogin.h"
+#include "serverloop.h"
+#include "canohost.h"
+#include "session.h"
+
+#ifdef __FreeBSD__
+#define _PATH_CHPASS "/usr/bin/passwd"
+#endif /* __FreeBSD__ */
+
+#ifdef HAVE_LOGIN_CAP
+#include <login_cap.h>
+#endif
+
+#ifdef KRB5
+extern krb5_context ssh_context;
+#endif
+
+/* types */
+
+#define TTYSZ 64
+typedef struct Session Session;
+struct Session {
+	int	used;
+	int	self;
+	struct	passwd *pw;
+	pid_t	pid;
+	/* tty */
+	char	*term;
+	int	ptyfd, ttyfd, ptymaster;
+	int	row, col, xpixel, ypixel;
+	char	tty[TTYSZ];
+	/* X11 */
+	char	*display;
+	int	screen;
+	char	*auth_proto;
+	char	*auth_data;
+	int	single_connection;
+	/* proto 2 */
+	int	chanid;
+	int	is_subsystem;
+};
+
+/* func */
+
+Session *session_new(void);
+void	session_set_fds(Session *s, int fdin, int fdout, int fderr);
+void	session_pty_cleanup(Session *s);
+void	session_proctitle(Session *s);
+void	do_exec_pty(Session *s, const char *command);
+void	do_exec_no_pty(Session *s, const char *command);
+void	do_login(Session *s, const char *command);
+void	do_child(Session *s, const char *command);
+void	do_motd(void);
+int	check_quietlogin(Session *s, const char *command);
+void	xauthfile_cleanup_proc(void *pw);
+
+void	do_authenticated1(Authctxt *authctxt);
+void	do_authenticated2(Authctxt *authctxt);
+
+/* import */
+extern ServerOptions options;
+extern char *__progname;
+extern int log_stderr;
+extern int debug_flag;
+extern u_int utmp_len;
+extern int startup_pipe;
+extern void destroy_sensitive_data(void);
+
+/* Local Xauthority file. */
+static char *xauthfile;
+
+/* original command from peer. */
+char *original_command = NULL;
+
+/* data */
+#define MAX_SESSIONS 10
+Session	sessions[MAX_SESSIONS];
+
+#ifdef HAVE_LOGIN_CAP
+static login_cap_t *lc;
+#endif
+
+void
+do_authenticated(Authctxt *authctxt)
+{
+	/*
+	 * Cancel the alarm we set to limit the time taken for
+	 * authentication.
+	 */
+	alarm(0);
+	if (startup_pipe != -1) {
+		close(startup_pipe);
+		startup_pipe = -1;
+	}
+#ifdef HAVE_LOGIN_CAP
+	if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
+		error("unable to get login class");
+		return;
+	}
+#ifdef BSD_AUTH
+	if (auth_approval(NULL, lc, authctxt->pw->pw_name, "ssh") <= 0) {
+		packet_disconnect("Approval failure for %s",
+		    authctxt->pw->pw_name);
+	}
+#endif
+#endif
+	/* setup the channel layer */
+	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+		channel_permit_all_opens();
+
+	if (compat20)
+		do_authenticated2(authctxt);
+	else
+		do_authenticated1(authctxt);
+
+	/* remote user's local Xauthority file and agent socket */
+	if (xauthfile)
+		xauthfile_cleanup_proc(authctxt->pw);
+	if (auth_get_socket_name())
+		auth_sock_cleanup_proc(authctxt->pw);
+}
+
+/*
+ * Remove local Xauthority file.
+ */
+void
+xauthfile_cleanup_proc(void *_pw)
+{
+	struct passwd *pw = _pw;
+	char *p;
+
+	debug("xauthfile_cleanup_proc called");
+	if (xauthfile != NULL) {
+		temporarily_use_uid(pw);
+		unlink(xauthfile);
+		p = strrchr(xauthfile, '/');
+		if (p != NULL) {
+			*p = '\0';
+			rmdir(xauthfile);
+		}
+		xfree(xauthfile);
+		xauthfile = NULL;
+		restore_uid();
+	}
+}
+
+/*
+ * Function to perform cleanup if we get aborted abnormally (e.g., due to a
+ * dropped connection).
+ */
+void
+pty_cleanup_proc(void *session)
+{
+	Session *s=session;
+	if (s == NULL)
+		fatal("pty_cleanup_proc: no session");
+	debug("pty_cleanup_proc: %s", s->tty);
+
+	if (s->pid != 0) {
+		/* Record that the user has logged out. */
+		record_logout(s->pid, s->tty);
+	}
+
+	/* Release the pseudo-tty. */
+	pty_release(s->tty);
+}
+
+/*
+ * Prepares for an interactive session.  This is called after the user has
+ * been successfully authenticated.  During this message exchange, pseudo
+ * terminals are allocated, X11, TCP/IP, and authentication agent forwardings
+ * are requested, etc.
+ */
+void
+do_authenticated1(Authctxt *authctxt)
+{
+	Session *s;
+	char *command;
+	int success, type, fd, n_bytes, plen, screen_flag, have_pty = 0;
+	int compression_level = 0, enable_compression_after_reply = 0;
+	u_int proto_len, data_len, dlen;
+	struct stat st;
+
+	s = session_new();
+	s->pw = authctxt->pw;
+
+	/*
+	 * We stay in this loop until the client requests to execute a shell
+	 * or a command.
+	 */
+	for (;;) {
+		success = 0;
+
+		/* Get a packet from the client. */
+		type = packet_read(&plen);
+
+		/* Process the packet. */
+		switch (type) {
+		case SSH_CMSG_REQUEST_COMPRESSION:
+			packet_integrity_check(plen, 4, type);
+			compression_level = packet_get_int();
+			if (compression_level < 1 || compression_level > 9) {
+				packet_send_debug("Received illegal compression level %d.",
+				     compression_level);
+				break;
+			}
+			/* Enable compression after we have responded with SUCCESS. */
+			enable_compression_after_reply = 1;
+			success = 1;
+			break;
+
+		case SSH_CMSG_REQUEST_PTY:
+			if (no_pty_flag) {
+				debug("Allocating a pty not permitted for this authentication.");
+				break;
+			}
+			if (have_pty)
+				packet_disconnect("Protocol error: you already have a pty.");
+
+			debug("Allocating pty.");
+
+			/* Allocate a pty and open it. */
+			if (!pty_allocate(&s->ptyfd, &s->ttyfd, s->tty,
+			    sizeof(s->tty))) {
+				error("Failed to allocate pty.");
+				break;
+			}
+			fatal_add_cleanup(pty_cleanup_proc, (void *)s);
+			pty_setowner(s->pw, s->tty);
+
+			/* Get TERM from the packet.  Note that the value may be of arbitrary length. */
+			s->term = packet_get_string(&dlen);
+			packet_integrity_check(dlen, strlen(s->term), type);
+			/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
+			/* Remaining bytes */
+			n_bytes = plen - (4 + dlen + 4 * 4);
+
+			if (strcmp(s->term, "") == 0) {
+				xfree(s->term);
+				s->term = NULL;
+			}
+			/* Get window size from the packet. */
+			s->row = packet_get_int();
+			s->col = packet_get_int();
+			s->xpixel = packet_get_int();
+			s->ypixel = packet_get_int();
+			pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+
+			/* Get tty modes from the packet. */
+			tty_parse_modes(s->ttyfd, &n_bytes);
+			packet_integrity_check(plen, 4 + dlen + 4 * 4 + n_bytes, type);
+
+			session_proctitle(s);
+
+			/* Indicate that we now have a pty. */
+			success = 1;
+			have_pty = 1;
+			break;
+
+		case SSH_CMSG_X11_REQUEST_FORWARDING:
+			if (!options.x11_forwarding) {
+				packet_send_debug("X11 forwarding disabled in server configuration file.");
+				break;
+			}
+			if (!options.xauth_location ||
+			    (stat(options.xauth_location, &st) == -1)) {
+				packet_send_debug("No xauth program; cannot forward with spoofing.");
+				break;
+			}
+			if (no_x11_forwarding_flag) {
+				packet_send_debug("X11 forwarding not permitted for this authentication.");
+				break;
+			}
+			debug("Received request for X11 forwarding with auth spoofing.");
+			if (s->display != NULL)
+				packet_disconnect("Protocol error: X11 display already set.");
+
+			s->auth_proto = packet_get_string(&proto_len);
+			s->auth_data = packet_get_string(&data_len);
+
+			screen_flag = packet_get_protocol_flags() &
+			    SSH_PROTOFLAG_SCREEN_NUMBER;
+			debug2("SSH_PROTOFLAG_SCREEN_NUMBER: %d", screen_flag);
+
+			if (packet_remaining() == 4) {
+				if (!screen_flag)
+					debug2("Buggy client: "
+					    "X11 screen flag missing");
+				packet_integrity_check(plen,
+				    4 + proto_len + 4 + data_len + 4, type);
+				s->screen = packet_get_int();
+			} else {
+				packet_integrity_check(plen,
+				    4 + proto_len + 4 + data_len, type);
+				s->screen = 0;
+			}
+			s->display = x11_create_display_inet(s->screen, options.x11_display_offset);
+
+			if (s->display == NULL)
+				break;
+
+			/* Setup to always have a local .Xauthority. */
+			xauthfile = xmalloc(MAXPATHLEN);
+			strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
+			temporarily_use_uid(s->pw);
+			if (mkdtemp(xauthfile) == NULL) {
+				restore_uid();
+				error("private X11 dir: mkdtemp %s failed: %s",
+				    xauthfile, strerror(errno));
+				xfree(xauthfile);
+				xauthfile = NULL;
+				/* XXXX remove listening channels */
+				break;
+			}
+			strlcat(xauthfile, "/cookies", MAXPATHLEN);
+			fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600);
+			if (fd >= 0)
+				close(fd);
+			restore_uid();
+			fatal_add_cleanup(xauthfile_cleanup_proc, s->pw);
+			success = 1;
+			break;
+
+		case SSH_CMSG_AGENT_REQUEST_FORWARDING:
+			if (no_agent_forwarding_flag || compat13) {
+				debug("Authentication agent forwarding not permitted for this authentication.");
+				break;
+			}
+			debug("Received authentication agent forwarding request.");
+			success = auth_input_request_forwarding(s->pw);
+			break;
+
+		case SSH_CMSG_PORT_FORWARD_REQUEST:
+			if (no_port_forwarding_flag) {
+				debug("Port forwarding not permitted for this authentication.");
+				break;
+			}
+			if (!options.allow_tcp_forwarding) {
+				debug("Port forwarding not permitted.");
+				break;
+			}
+			debug("Received TCP/IP port forwarding request.");
+			channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports);
+			success = 1;
+			break;
+
+		case SSH_CMSG_MAX_PACKET_SIZE:
+			if (packet_set_maxsize(packet_get_int()) > 0)
+				success = 1;
+			break;
+
+		case SSH_CMSG_EXEC_SHELL:
+		case SSH_CMSG_EXEC_CMD:
+			if (type == SSH_CMSG_EXEC_CMD) {
+				command = packet_get_string(&dlen);
+				debug("Exec command '%.500s'", command);
+				packet_integrity_check(plen, 4 + dlen, type);
+			} else {
+				command = NULL;
+				packet_integrity_check(plen, 0, type);
+			}
+			if (forced_command != NULL) {
+				original_command = command;
+				command = forced_command;
+				debug("Forced command '%.500s'", forced_command);
+			}
+			if (have_pty)
+				do_exec_pty(s, command);
+			else
+				do_exec_no_pty(s, command);
+
+			if (command != NULL)
+				xfree(command);
+			return;
+
+		default:
+			/*
+			 * Any unknown messages in this phase are ignored,
+			 * and a failure message is returned.
+			 */
+			log("Unknown packet type received after authentication: %d", type);
+		}
+		packet_start(success ? SSH_SMSG_SUCCESS : SSH_SMSG_FAILURE);
+		packet_send();
+		packet_write_wait();
+
+		/* Enable compression now that we have replied if appropriate. */
+		if (enable_compression_after_reply) {
+			enable_compression_after_reply = 0;
+			packet_start_compression(compression_level);
+		}
+	}
+}
+
+/*
+ * This is called to fork and execute a command when we have no tty.  This
+ * will call do_child from the child, and server_loop from the parent after
+ * setting up file descriptors and such.
+ */
+void
+do_exec_no_pty(Session *s, const char *command)
+{
+	int pid;
+
+#ifdef USE_PIPES
+	int pin[2], pout[2], perr[2];
+	/* Allocate pipes for communicating with the program. */
+	if (pipe(pin) < 0 || pipe(pout) < 0 || pipe(perr) < 0)
+		packet_disconnect("Could not create pipes: %.100s",
+				  strerror(errno));
+#else /* USE_PIPES */
+	int inout[2], err[2];
+	/* Uses socket pairs to communicate with the program. */
+	if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0 ||
+	    socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0)
+		packet_disconnect("Could not create socket pairs: %.100s",
+				  strerror(errno));
+#endif /* USE_PIPES */
+	if (s == NULL)
+		fatal("do_exec_no_pty: no session");
+
+	session_proctitle(s);
+
+#ifdef USE_PAM
+	do_pam_setcred();
+#endif /* USE_PAM */
+
+	/* Fork the child. */
+	if ((pid = fork()) == 0) {
+		/* Child.  Reinitialize the log since the pid has changed. */
+		log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
+		/*
+		 * Create a new session and process group since the 4.4BSD
+		 * setlogin() affects the entire process group.
+		 */
+		if (setsid() < 0)
+			error("setsid failed: %.100s", strerror(errno));
+
+#ifdef USE_PIPES
+		/*
+		 * Redirect stdin.  We close the parent side of the socket
+		 * pair, and make the child side the standard input.
+		 */
+		close(pin[1]);
+		if (dup2(pin[0], 0) < 0)
+			perror("dup2 stdin");
+		close(pin[0]);
+
+		/* Redirect stdout. */
+		close(pout[0]);
+		if (dup2(pout[1], 1) < 0)
+			perror("dup2 stdout");
+		close(pout[1]);
+
+		/* Redirect stderr. */
+		close(perr[0]);
+		if (dup2(perr[1], 2) < 0)
+			perror("dup2 stderr");
+		close(perr[1]);
+#else /* USE_PIPES */
+		/*
+		 * Redirect stdin, stdout, and stderr.  Stdin and stdout will
+		 * use the same socket, as some programs (particularly rdist)
+		 * seem to depend on it.
+		 */
+		close(inout[1]);
+		close(err[1]);
+		if (dup2(inout[0], 0) < 0)	/* stdin */
+			perror("dup2 stdin");
+		if (dup2(inout[0], 1) < 0)	/* stdout.  Note: same socket as stdin. */
+			perror("dup2 stdout");
+		if (dup2(err[0], 2) < 0)	/* stderr */
+			perror("dup2 stderr");
+#endif /* USE_PIPES */
+
+		/* Do processing for the child (exec command etc). */
+		do_child(s, command);
+		/* NOTREACHED */
+	}
+	if (pid < 0)
+		packet_disconnect("fork failed: %.100s", strerror(errno));
+	s->pid = pid;
+	/* Set interactive/non-interactive mode. */
+	packet_set_interactive(s->display != NULL);
+#ifdef USE_PIPES
+	/* We are the parent.  Close the child sides of the pipes. */
+	close(pin[0]);
+	close(pout[1]);
+	close(perr[1]);
+
+	if (compat20) {
+		session_set_fds(s, pin[1], pout[0], s->is_subsystem ? -1 : perr[0]);
+	} else {
+		/* Enter the interactive session. */
+		server_loop(pid, pin[1], pout[0], perr[0]);
+		/* server_loop has closed pin[1], pout[0], and perr[0]. */
+	}
+#else /* USE_PIPES */
+	/* We are the parent.  Close the child sides of the socket pairs. */
+	close(inout[0]);
+	close(err[0]);
+
+	/*
+	 * Enter the interactive session.  Note: server_loop must be able to
+	 * handle the case that fdin and fdout are the same.
+	 */
+	if (compat20) {
+		session_set_fds(s, inout[1], inout[1], s->is_subsystem ? -1 : err[1]);
+	} else {
+		server_loop(pid, inout[1], inout[1], err[1]);
+		/* server_loop has closed inout[1] and err[1]. */
+	}
+#endif /* USE_PIPES */
+}
+
+/*
+ * This is called to fork and execute a command when we have a tty.  This
+ * will call do_child from the child, and server_loop from the parent after
+ * setting up file descriptors, controlling tty, updating wtmp, utmp,
+ * lastlog, and other such operations.
+ */
+void
+do_exec_pty(Session *s, const char *command)
+{
+	int fdout, ptyfd, ttyfd, ptymaster;
+	pid_t pid;
+
+	if (s == NULL)
+		fatal("do_exec_pty: no session");
+	ptyfd = s->ptyfd;
+	ttyfd = s->ttyfd;
+
+#ifdef USE_PAM
+	do_pam_session(s->pw->pw_name, s->tty);
+	do_pam_setcred();
+#endif /* USE_PAM */
+
+	/* Fork the child. */
+	if ((pid = fork()) == 0) {
+		/* Child.  Reinitialize the log because the pid has changed. */
+		log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
+		/* Close the master side of the pseudo tty. */
+		close(ptyfd);
+
+		/* Make the pseudo tty our controlling tty. */
+		pty_make_controlling_tty(&ttyfd, s->tty);
+
+		/* Redirect stdin from the pseudo tty. */
+		if (dup2(ttyfd, fileno(stdin)) < 0)
+			error("dup2 stdin failed: %.100s", strerror(errno));
+
+		/* Redirect stdout to the pseudo tty. */
+		if (dup2(ttyfd, fileno(stdout)) < 0)
+			error("dup2 stdin failed: %.100s", strerror(errno));
+
+		/* Redirect stderr to the pseudo tty. */
+		if (dup2(ttyfd, fileno(stderr)) < 0)
+			error("dup2 stdin failed: %.100s", strerror(errno));
+
+		/* Close the extra descriptor for the pseudo tty. */
+		close(ttyfd);
+
+		/* record login, etc. similar to login(1) */
+		if (!(options.use_login && command == NULL))
+			do_login(s, command);
+
+		/* Do common processing for the child, such as execing the command. */
+		do_child(s, command);
+		/* NOTREACHED */
+	}
+	if (pid < 0)
+		packet_disconnect("fork failed: %.100s", strerror(errno));
+	s->pid = pid;
+
+	/* Parent.  Close the slave side of the pseudo tty. */
+	close(ttyfd);
+
+	/*
+	 * Create another descriptor of the pty master side for use as the
+	 * standard input.  We could use the original descriptor, but this
+	 * simplifies code in server_loop.  The descriptor is bidirectional.
+	 */
+	fdout = dup(ptyfd);
+	if (fdout < 0)
+		packet_disconnect("dup #1 failed: %.100s", strerror(errno));
+
+	/* we keep a reference to the pty master */
+	ptymaster = dup(ptyfd);
+	if (ptymaster < 0)
+		packet_disconnect("dup #2 failed: %.100s", strerror(errno));
+	s->ptymaster = ptymaster;
+
+	/* Enter interactive session. */
+	packet_set_interactive(1);
+	if (compat20) {
+		session_set_fds(s, ptyfd, fdout, -1);
+	} else {
+		server_loop(pid, ptyfd, fdout, -1);
+		/* server_loop _has_ closed ptyfd and fdout. */
+		session_pty_cleanup(s);
+	}
+}
+
+/* administrative, login(1)-like work */
+void
+do_login(Session *s, const char *command)
+{
+	FILE *f;
+	char *time_string, *newcommand;
+	char buf[256];
+	char hostname[MAXHOSTNAMELEN];
+	socklen_t fromlen;
+	struct sockaddr_storage from;
+	time_t last_login_time;
+	struct passwd * pw = s->pw;
+	pid_t pid = getpid();
+#ifdef HAVE_LOGIN_CAP
+	char *fname;
+#endif /* HAVE_LOGIN_CAP */
+#ifdef __FreeBSD__
+#define DEFAULT_WARN  (2L * 7L * 86400L)  /* Two weeks */
+	struct timeval tv;
+	time_t warntime = DEFAULT_WARN;
+#endif /* __FreeBSD__ */
+
+	/*
+	 * Get IP address of client. If the connection is not a socket, let
+	 * the address be 0.0.0.0.
+	 */
+	memset(&from, 0, sizeof(from));
+	if (packet_connection_is_on_socket()) {
+		fromlen = sizeof(from);
+		if (getpeername(packet_get_connection_in(),
+		     (struct sockaddr *) & from, &fromlen) < 0) {
+			debug("getpeername: %.100s", strerror(errno));
+			fatal_cleanup();
+		}
+	}
+
+	/* Get the time and hostname when the user last logged in. */
+	if (options.print_lastlog) {
+		hostname[0] = '\0';
+		last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name,
+		    hostname, sizeof(hostname));
+	}
+
+	/* Record that there was a login on that tty from the remote host. */
+	record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
+	    get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
+	    (struct sockaddr *)&from);
+
+#ifdef USE_PAM
+	/*
+	 * If password change is needed, do it now.
+	 * This needs to occur before the ~/.hushlogin check.
+	 */
+	if (pam_password_change_required()) {
+		print_pam_messages();
+		do_pam_chauthtok();
+	}
+#endif
+
+#ifdef USE_PAM
+	if (!check_quietlogin(s, command) && !pam_password_change_required())
+		print_pam_messages();
+#endif /* USE_PAM */
+
+#ifdef __FreeBSD__
+	if (pw->pw_change || pw->pw_expire)
+		(void)gettimeofday(&tv, NULL);
+#ifdef HAVE_LOGIN_CAP
+	warntime = login_getcaptime(lc, "warnpassword",
+				    DEFAULT_WARN, DEFAULT_WARN);
+#endif /* HAVE_LOGIN_CAP */
+	/*
+	 * If the password change time is set and has passed, give the
+	 * user a password expiry notice and chance to change it.
+	 */
+	if (pw->pw_change != 0) {
+		if (tv.tv_sec >= pw->pw_change) {
+			(void)printf(
+			    "Sorry -- your password has expired.\n");
+			log("%s Password expired - forcing change",
+			    pw->pw_name);
+			if (newcommand != NULL)
+				xfree(newcommand);
+			newcommand = xstrdup(_PATH_CHPASS);
+		} else if (pw->pw_change - tv.tv_sec < warntime &&
+			   !check_quietlogin(s, command))
+			(void)printf(
+			    "Warning: your password expires on %s",
+			     ctime(&pw->pw_change));
+	}
+#ifdef HAVE_LOGIN_CAP
+	warntime = login_getcaptime(lc, "warnexpire",
+				    DEFAULT_WARN, DEFAULT_WARN);
+#endif /* HAVE_LOGIN_CAP */
+#ifndef USE_PAM
+	if (pw->pw_expire) {
+		if (tv.tv_sec >= pw->pw_expire) {
+			(void)printf(
+			    "Sorry -- your account has expired.\n");
+			log(
+	   "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
+				pw->pw_name, get_remote_name_or_ip(utmp_len,
+				options.reverse_mapping_check), s->tty);
+			exit(254);
+		} else if (pw->pw_expire - tv.tv_sec < warntime &&
+			   !check_quietlogin(s, command))
+			(void)printf(
+			    "Warning: your account expires on %s",
+			     ctime(&pw->pw_expire));
+	}
+#endif /* !USE_PAM */
+#endif /* __FreeBSD__ */
+
+#ifdef HAVE_LOGIN_CAP
+	if (!auth_ttyok(lc, s->tty)) {
+		(void)printf("Permission denied.\n");
+		log(
+	       "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
+		    pw->pw_name, get_remote_name_or_ip(utmp_len,
+			options.reverse_mapping_check), s->tty);
+		exit(254);
+	}
+#endif /* HAVE_LOGIN_CAP */
+
+	/*
+	 * If the user has logged in before, display the time of last
+	 * login. However, don't display anything extra if a command
+	 * has been specified (so that ssh can be used to execute
+	 * commands on a remote machine without users knowing they
+	 * are going to another machine). Login(1) will do this for
+	 * us as well, so check if login(1) is used
+	 */
+	if (command == NULL && options.print_lastlog &&
+	    last_login_time != 0 && !check_quietlogin(s, command) &&
+	    !options.use_login) {
+		time_string = ctime(&last_login_time);
+		/* Remove the trailing newline. */
+		if (strchr(time_string, '\n'))
+			*strchr(time_string, '\n') = 0;
+		if (strcmp(hostname, "") == 0)
+			printf("Last login: %s\r\n", time_string);
+		else
+			printf("Last login: %s from %s\r\n", time_string, hostname);
+	}
+
+#ifdef HAVE_LOGIN_CAP
+	if (command == NULL && !check_quietlogin(s, command) &&
+	    !options.use_login) {
+		fname = login_getcapstr(lc, "copyright", NULL, NULL);
+		if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
+			while (fgets(buf, sizeof(buf), f) != NULL)
+				fputs(buf, stdout);
+				fclose(f);
+		} else
+			(void)printf("%s\n\t%s %s\n",
+		"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+		"The Regents of the University of California. ",
+		"All rights reserved.");
+	}
+#endif /* HAVE_LOGIN_CAP */
+
+	/*
+	 * Print /etc/motd unless a command was specified or printing
+	 * it was disabled in server options or login(1) will be
+	 * used.  Note that some machines appear to print it in
+	 * /etc/profile or similar.
+	 */
+	if (command == NULL && !check_quietlogin(s, command) && !options.use_login)
+		do_motd();
+}
+
+/*
+ * Display the message of the day.
+ */
+void
+do_motd(void)
+{
+	FILE *f;
+	char buf[256];
+
+	if (options.print_motd) {
+#ifdef HAVE_LOGIN_CAP
+		f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
+		    "/etc/motd"), "r");
+#else /* !HAVE_LOGIN_CAP */
+		f = fopen("/etc/motd", "r");
+#endif /* HAVE_LOGIN_CAP */
+		if (f) {
+			while (fgets(buf, sizeof(buf), f))
+				fputs(buf, stdout);
+			fclose(f);
+		}
+	}
+}
+
+/*
+ * Check for quiet login, either .hushlogin or command given.
+ */
+int
+check_quietlogin(Session *s, const char *command)
+{
+	char buf[256];
+	struct passwd * pw = s->pw;
+	struct stat st;
+
+	/* Return 1 if .hushlogin exists or a command given. */
+	if (command != NULL)
+		return 1;
+	snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir);
+#ifdef HAVE_LOGIN_CAP
+	if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
+		return 1;
+#else
+	if (stat(buf, &st) >= 0)
+		return 1;
+#endif
+	return 0;
+}
+
+/*
+ * Sets the value of the given variable in the environment.  If the variable
+ * already exists, its value is overriden.
+ */
+void
+child_set_env(char ***envp, u_int *envsizep, const char *name,
+	      const char *value)
+{
+	u_int i, namelen;
+	char **env;
+
+	/*
+	 * Find the slot where the value should be stored.  If the variable
+	 * already exists, we reuse the slot; otherwise we append a new slot
+	 * at the end of the array, expanding if necessary.
+	 */
+	env = *envp;
+	namelen = strlen(name);
+	for (i = 0; env[i]; i++)
+		if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
+			break;
+	if (env[i]) {
+		/* Reuse the slot. */
+		xfree(env[i]);
+	} else {
+		/* New variable.  Expand if necessary. */
+		if (i >= (*envsizep) - 1) {
+			(*envsizep) += 50;
+			env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+		}
+		/* Need to set the NULL pointer at end of array beyond the new slot. */
+		env[i + 1] = NULL;
+	}
+
+	/* Allocate space and format the variable in the appropriate slot. */
+	env[i] = xmalloc(strlen(name) + 1 + strlen(value) + 1);
+	snprintf(env[i], strlen(name) + 1 + strlen(value) + 1, "%s=%s", name, value);
+}
+
+/*
+ * Reads environment variables from the given file and adds/overrides them
+ * into the environment.  If the file does not exist, this does nothing.
+ * Otherwise, it must consist of empty lines, comments (line starts with '#')
+ * and assignments of the form name=value.  No other forms are allowed.
+ */
+void
+read_environment_file(char ***env, u_int *envsize,
+		      const char *filename)
+{
+	FILE *f;
+	char buf[4096];
+	char *cp, *value;
+
+	f = fopen(filename, "r");
+	if (!f)
+		return;
+
+	while (fgets(buf, sizeof(buf), f)) {
+		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
+			;
+		if (!*cp || *cp == '#' || *cp == '\n')
+			continue;
+		if (strchr(cp, '\n'))
+			*strchr(cp, '\n') = '\0';
+		value = strchr(cp, '=');
+		if (value == NULL) {
+			fprintf(stderr, "Bad line in %.100s: %.200s\n", filename, buf);
+			continue;
+		}
+		/*
+		 * Replace the equals sign by nul, and advance value to
+		 * the value string.
+		 */
+		*value = '\0';
+		value++;
+		child_set_env(env, envsize, cp, value);
+	}
+	fclose(f);
+}
+
+#ifdef USE_PAM
+/*
+ * Sets any environment variables which have been specified by PAM
+ */
+void do_pam_environment(char ***env, int *envsize)
+{
+	char *equals, var_name[512], var_val[512];
+	char **pam_env;
+	int i;
+
+	if ((pam_env = fetch_pam_environment()) == NULL)
+		return;
+	
+	for(i = 0; pam_env[i] != NULL; i++) {
+		if ((equals = strstr(pam_env[i], "=")) == NULL)
+			continue;
+			
+		if (strlen(pam_env[i]) < (sizeof(var_name) - 1)) {
+			memset(var_name, '\0', sizeof(var_name));
+			memset(var_val, '\0', sizeof(var_val));
+
+			strncpy(var_name, pam_env[i], equals - pam_env[i]);
+			strcpy(var_val, equals + 1);
+
+			child_set_env(env, envsize, var_name, var_val);
+		}
+	}
+}
+#endif /* USE_PAM */
+
+
+/*
+ * Performs common processing for the child, such as setting up the
+ * environment, closing extra file descriptors, setting the user and group
+ * ids, and executing the command or shell.
+ */
+void
+do_child(Session *s, const char *command)
+{
+	const char *shell, *hostname = NULL, *cp = NULL;
+	struct passwd * pw = s->pw;
+	char buf[256];
+	char cmd[1024];
+	FILE *f = NULL;
+	u_int envsize, i;
+	char **env;
+	extern char **environ;
+	struct stat st;
+	char *argv[10];
+	int do_xauth = s->auth_proto != NULL && s->auth_data != NULL;
+
+	/* remove hostkey from the child's memory */
+	destroy_sensitive_data();
+
+	/* login(1) is only called if we execute the login shell */
+	if (options.use_login && command != NULL)
+		options.use_login = 0;
+
+#ifndef USE_PAM
+	if (!options.use_login) {
+#ifdef HAVE_LOGIN_CAP
+	if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
+		f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN,
+		    _PATH_NOLOGIN), "r");
+#else
+		if (pw->pw_uid)
+			f = fopen(_PATH_NOLOGIN, "r");
+#endif
+		if (f) {
+			/* /etc/nologin exists.  Print its contents and exit. */
+			while (fgets(buf, sizeof(buf), f))
+				fputs(buf, stderr);
+			fclose(f);
+			exit(254);
+		}
+	}
+#endif /* !USE_PAM */
+	/* Set login name, uid, gid, and groups. */
+	/* Login(1) does this as well, and it needs uid 0 for the "-h"
+	   switch, so we let login(1) to this for us. */
+	if (!options.use_login) {
+#ifdef HAVE_LOGIN_CAP
+		char **tmpenv;
+
+		/* Initialize temp environment */
+		envsize = 64;
+		env = xmalloc(envsize * sizeof(char *));
+		env[0] = NULL;
+
+		child_set_env(&env, &envsize, "PATH",
+			      (pw->pw_uid == 0) ?
+			      _PATH_STDPATH : _PATH_DEFPATH);
+
+		snprintf(buf, sizeof buf, "%.200s/%.50s",
+			 _PATH_MAILDIR, pw->pw_name);
+		child_set_env(&env, &envsize, "MAIL", buf);
+
+		if (getenv("TZ"))
+			child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+		/* Save parent environment */
+		tmpenv = environ;
+		environ = env;
+
+		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL) < 0)
+			fatal("setusercontext failed: %s", strerror(errno));
+
+		/* Restore parent environment */
+		env = environ;
+		environ = tmpenv;
+
+		for (envsize = 0; env[envsize] != NULL; ++envsize)
+			;
+		envsize = (envsize < 100) ? 100 : envsize + 16;
+		env = xrealloc(env, envsize * sizeof(char *));
+
+#endif /* !HAVE_LOGIN_CAP */
+		if (getuid() == 0 || geteuid() == 0) {
+#ifdef HAVE_LOGIN_CAP
+			if (setusercontext(lc, pw, pw->pw_uid,
+			    (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
+				perror("unable to set user context");
+				exit(1);
+			}
+#else
+			if (setlogin(pw->pw_name) < 0)
+				error("setlogin failed: %s", strerror(errno));
+			if (setgid(pw->pw_gid) < 0) {
+				perror("setgid");
+				exit(1);
+			}
+			/* Initialize the group list. */
+			if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+				perror("initgroups");
+				exit(1);
+			}
+			endgrent();
+
+			/* Permanently switch to the desired uid. */
+			permanently_set_uid(pw);
+#endif /* HAVE_LOGIN_CAP */
+		}
+		if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+			fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+	}
+	/*
+	 * Get the shell from the password data.  An empty shell field is
+	 * legal, and means /bin/sh.
+	 */
+	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
+#ifdef HAVE_LOGIN_CAP
+	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
+#endif
+
+#ifdef AFS
+	/* Try to get AFS tokens for the local cell. */
+	if (k_hasafs()) {
+		char cell[64];
+
+		if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
+			krb_afslog(cell, 0);
+
+		krb_afslog(0, 0);
+	}
+#endif /* AFS */
+
+	/* Initialize the environment. */
+	if (env == NULL) {
+		envsize = 100;
+		env = xmalloc(envsize * sizeof(char *));
+		env[0] = NULL;
+	}
+
+	if (!options.use_login) {
+		/* Set basic environment. */
+		child_set_env(&env, &envsize, "USER", pw->pw_name);
+		child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
+		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
+#ifdef HAVE_LOGIN_CAP
+		(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH);
+		child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+#else
+		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+#endif
+
+		snprintf(buf, sizeof buf, "%.200s/%.50s",
+			 _PATH_MAILDIR, pw->pw_name);
+		child_set_env(&env, &envsize, "MAIL", buf);
+
+		/* Normal systems set SHELL by default. */
+		child_set_env(&env, &envsize, "SHELL", shell);
+	}
+	if (getenv("TZ"))
+		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+	/* Set custom environment options from RSA authentication. */
+	while (custom_environment) {
+		struct envstring *ce = custom_environment;
+		char *s = ce->s;
+		int i;
+		for (i = 0; s[i] != '=' && s[i]; i++);
+		if (s[i] == '=') {
+			s[i] = 0;
+			child_set_env(&env, &envsize, s, s + i + 1);
+		}
+		custom_environment = ce->next;
+		xfree(ce->s);
+		xfree(ce);
+	}
+
+	snprintf(buf, sizeof buf, "%.50s %d %d",
+		 get_remote_ipaddr(), get_remote_port(), get_local_port());
+	child_set_env(&env, &envsize, "SSH_CLIENT", buf);
+
+	if (s->ttyfd != -1)
+		child_set_env(&env, &envsize, "SSH_TTY", s->tty);
+	if (s->term)
+		child_set_env(&env, &envsize, "TERM", s->term);
+	if (s->display)
+		child_set_env(&env, &envsize, "DISPLAY", s->display);
+	if (original_command)
+		child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
+		    original_command);
+
+#ifdef KRB4
+	{
+		extern char *ticket;
+
+		if (ticket)
+			child_set_env(&env, &envsize, "KRBTKFILE", ticket);
+	}
+#endif /* KRB4 */
+#ifdef KRB5
+{
+	  extern krb5_ccache mem_ccache;
+
+	   if (mem_ccache) {
+	     krb5_error_code problem;
+	      krb5_ccache ccache;
+#ifdef AFS
+	      if (k_hasafs())
+		krb5_afslog(ssh_context, mem_ccache, NULL, NULL);
+#endif /* AFS */
+
+	      problem = krb5_cc_default(ssh_context, &ccache);
+	      if (problem) {}
+	      else {
+		problem = krb5_cc_copy_cache(ssh_context, mem_ccache, ccache);
+		 if (problem) {}
+	      }
+
+	      krb5_cc_close(ssh_context, ccache);
+	   }
+
+	   krb5_cleanup_proc(NULL);
+	}
+#endif /* KRB5 */
+
+#ifdef USE_PAM
+	/* Pull in any environment variables that may have been set by PAM. */
+	do_pam_environment(&env, &envsize);
+#endif /* USE_PAM */
+
+	if (xauthfile)
+		child_set_env(&env, &envsize, "XAUTHORITY", xauthfile);
+	if (auth_get_socket_name() != NULL)
+		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
+			      auth_get_socket_name());
+
+	/* read $HOME/.ssh/environment. */
+	if (!options.use_login) {
+		snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
+		    pw->pw_dir);
+		read_environment_file(&env, &envsize, buf);
+	}
+	if (debug_flag) {
+		/* dump the environment */
+		fprintf(stderr, "Environment:\n");
+		for (i = 0; env[i]; i++)
+			fprintf(stderr, "  %.200s\n", env[i]);
+	}
+	/* we have to stash the hostname before we close our socket. */
+	if (options.use_login)
+		hostname = get_remote_name_or_ip(utmp_len,
+		    options.reverse_mapping_check);
+	/*
+	 * Close the connection descriptors; note that this is the child, and
+	 * the server will still have the socket open, and it is important
+	 * that we do not shutdown it.  Note that the descriptors cannot be
+	 * closed before building the environment, as we call
+	 * get_remote_ipaddr there.
+	 */
+	if (packet_get_connection_in() == packet_get_connection_out())
+		close(packet_get_connection_in());
+	else {
+		close(packet_get_connection_in());
+		close(packet_get_connection_out());
+	}
+	/*
+	 * Close all descriptors related to channels.  They will still remain
+	 * open in the parent.
+	 */
+	/* XXX better use close-on-exec? -markus */
+	channel_close_all();
+
+	/*
+	 * Close any extra file descriptors.  Note that there may still be
+	 * descriptors left by system functions.  They will be closed later.
+	 */
+	endpwent();
+
+	/*
+	 * Restore any signal handlers set by sshd previously that should
+	 * be restored to their initial state.
+	 */
+	signal(SIGPIPE, SIG_DFL);
+
+	/* Change current directory to the user\'s home directory. */
+	if (
+#ifdef __FreeBSD__
+		!*pw->pw_dir ||
+#endif /* __FreeBSD__ */
+		chdir(pw->pw_dir) < 0
+	   ) {
+#ifdef HAVE_LOGIN_CAP
+		if (login_getcapbool(lc, "requirehome", 0)) {
+			(void)printf("Home directory not available\n");
+			log("LOGIN %.200s REFUSED (HOMEDIR) ON TTY %.200s",
+				pw->pw_name, ttyname);
+			exit(254);
+		}
+#endif /* HAVE_LOGIN_CAP */
+#ifdef __FreeBSD__
+		if (chdir("/") < 0) {
+			(void)printf("Cannot find root directory\n");
+			log("LOGIN %.200s REFUSED (ROOTDIR) ON TTY %.200s",
+				pw->pw_name, ttyname);
+			exit(254);
+		}
+		if (!check_quietlogin(s, command) || *pw->pw_dir)
+			(void)printf(
+		       "No home directory.\nLogging in with home = \"/\".\n");
+
+#else /* !__FreeBSD__ */
+
+		fprintf(stderr, "Could not chdir to home directory %s: %s\n",
+			pw->pw_dir, strerror(errno));
+#endif /* __FreeBSD__ */
+	}
+
+	/*
+	 * Close any extra open file descriptors so that we don\'t have them
+	 * hanging around in clients.  Note that we want to do this after
+	 * initgroups, because at least on Solaris 2.3 it leaves file
+	 * descriptors open.
+	 */
+	for (i = 3; i < getdtablesize(); i++)
+		close(i);
+
+	/*
+	 * Must take new environment into use so that .ssh/rc, /etc/sshrc and
+	 * xauth are run in the proper environment.
+	 */
+	environ = env;
+
+	/*
+	 * Run $HOME/.ssh/rc, /etc/sshrc, or xauth (whichever is found first
+	 * in this order).
+	 */
+	if (!options.use_login) {
+		/* ignore _PATH_SSH_USER_RC for subsystems */
+		if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+			snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
+			    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
+			if (debug_flag)
+				fprintf(stderr, "Running %s\n", cmd);
+			f = popen(cmd, "w");
+			if (f) {
+				if (do_xauth)
+					fprintf(f, "%s %s\n", s->auth_proto,
+					    s->auth_data);
+				pclose(f);
+			} else
+				fprintf(stderr, "Could not run %s\n",
+				    _PATH_SSH_USER_RC);
+		} else if (stat(_PATH_SSH_SYSTEM_RC, &st) >= 0) {
+			if (debug_flag)
+				fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
+				    _PATH_SSH_SYSTEM_RC);
+			f = popen(_PATH_BSHELL " " _PATH_SSH_SYSTEM_RC, "w");
+			if (f) {
+				if (do_xauth)
+					fprintf(f, "%s %s\n", s->auth_proto,
+					    s->auth_data);
+				pclose(f);
+			} else
+				fprintf(stderr, "Could not run %s\n",
+				    _PATH_SSH_SYSTEM_RC);
+		} else if (do_xauth && options.xauth_location != NULL) {
+			/* Add authority data to .Xauthority if appropriate. */
+			char *screen = strchr(s->display, ':');
+
+			if (debug_flag) {
+				fprintf(stderr,
+				    "Running %.100s add "
+				    "%.100s %.100s %.100s\n",
+				    options.xauth_location, s->display,
+				    s->auth_proto, s->auth_data);
+				if (screen != NULL)
+					fprintf(stderr,
+					    "Adding %.*s/unix%s %s %s\n",
+					    (int)(screen - s->display),
+					    s->display, screen,
+					    s->auth_proto, s->auth_data);
+			}
+			snprintf(cmd, sizeof cmd, "%s -q -",
+			    options.xauth_location);
+			f = popen(cmd, "w");
+			if (f) {
+				fprintf(f, "add %s %s %s\n", s->display,
+				    s->auth_proto, s->auth_data);
+				if (screen != NULL)
+					fprintf(f, "add %.*s/unix%s %s %s\n",
+					    (int)(screen - s->display),
+					    s->display, screen,
+					    s->auth_proto,
+					    s->auth_data);
+				pclose(f);
+			} else {
+				fprintf(stderr, "Could not run %s\n",
+				    cmd);
+			}
+		}
+		/* Get the last component of the shell name. */
+		cp = strrchr(shell, '/');
+		if (cp)
+			cp++;
+		else
+			cp = shell;
+	}
+
+	/* restore SIGPIPE for child */
+	signal(SIGPIPE,  SIG_DFL);
+
+	/*
+	 * If we have no command, execute the shell.  In this case, the shell
+	 * name to be passed in argv[0] is preceded by '-' to indicate that
+	 * this is a login shell.
+	 */
+	if (!command) {
+		if (!options.use_login) {
+			char buf[256];
+
+			/*
+			 * Check for mail if we have a tty and it was enabled
+			 * in server options.
+			 */
+			if (s->ttyfd != -1 && options.check_mail) {
+				char *mailbox;
+				struct stat mailstat;
+
+				mailbox = getenv("MAIL");
+				if (mailbox != NULL) {
+					if (stat(mailbox, &mailstat) != 0 ||
+					    mailstat.st_size == 0)
+#ifdef __FreeBSD__
+						;
+#else /* !__FreeBSD__ */
+						printf("No mail.\n");
+#endif /* __FreeBSD__ */
+					else if (mailstat.st_mtime < mailstat.st_atime)
+						printf("You have mail.\n");
+					else
+						printf("You have new mail.\n");
+				}
+			}
+			/* Start the shell.  Set initial character to '-'. */
+			buf[0] = '-';
+			strncpy(buf + 1, cp, sizeof(buf) - 1);
+			buf[sizeof(buf) - 1] = 0;
+
+			/* Execute the shell. */
+			argv[0] = buf;
+			argv[1] = NULL;
+			execve(shell, argv, env);
+
+			/* Executing the shell failed. */
+			perror(shell);
+			exit(1);
+
+		} else {
+			/* Launch login(1). */
+
+			execl("/usr/bin/login", "login", "-h", hostname,
+			     "-p", "-f", "--", pw->pw_name, NULL);
+
+			/* Login couldn't be executed, die. */
+
+			perror("login");
+			exit(1);
+		}
+	}
+	/*
+	 * Execute the command using the user's shell.  This uses the -c
+	 * option to execute the command.
+	 */
+	argv[0] = (char *) cp;
+	argv[1] = "-c";
+	argv[2] = (char *) command;
+	argv[3] = NULL;
+	execve(shell, argv, env);
+	perror(shell);
+	exit(1);
+}
+
+Session *
+session_new(void)
+{
+	int i;
+	static int did_init = 0;
+	if (!did_init) {
+		debug("session_new: init");
+		for(i = 0; i < MAX_SESSIONS; i++) {
+			sessions[i].used = 0;
+			sessions[i].self = i;
+		}
+		did_init = 1;
+	}
+	for(i = 0; i < MAX_SESSIONS; i++) {
+		Session *s = &sessions[i];
+		if (! s->used) {
+			memset(s, 0, sizeof(*s));
+			s->chanid = -1;
+			s->ptyfd = -1;
+			s->ttyfd = -1;
+			s->used = 1;
+			debug("session_new: session %d", i);
+			return s;
+		}
+	}
+	return NULL;
+}
+
+void
+session_dump(void)
+{
+	int i;
+	for(i = 0; i < MAX_SESSIONS; i++) {
+		Session *s = &sessions[i];
+		debug("dump: used %d session %d %p channel %d pid %d",
+		    s->used,
+		    s->self,
+		    s,
+		    s->chanid,
+		    s->pid);
+	}
+}
+
+int
+session_open(int chanid)
+{
+	Session *s = session_new();
+	debug("session_open: channel %d", chanid);
+	if (s == NULL) {
+		error("no more sessions");
+		return 0;
+	}
+	s->pw = auth_get_user();
+	if (s->pw == NULL)
+		fatal("no user for session %d", s->self);
+	debug("session_open: session %d: link with channel %d", s->self, chanid);
+	s->chanid = chanid;
+	return 1;
+}
+
+Session *
+session_by_channel(int id)
+{
+	int i;
+	for(i = 0; i < MAX_SESSIONS; i++) {
+		Session *s = &sessions[i];
+		if (s->used && s->chanid == id) {
+			debug("session_by_channel: session %d channel %d", i, id);
+			return s;
+		}
+	}
+	debug("session_by_channel: unknown channel %d", id);
+	session_dump();
+	return NULL;
+}
+
+Session *
+session_by_pid(pid_t pid)
+{
+	int i;
+	debug("session_by_pid: pid %d", pid);
+	for(i = 0; i < MAX_SESSIONS; i++) {
+		Session *s = &sessions[i];
+		if (s->used && s->pid == pid)
+			return s;
+	}
+	error("session_by_pid: unknown pid %d", pid);
+	session_dump();
+	return NULL;
+}
+
+int
+session_window_change_req(Session *s)
+{
+	s->col = packet_get_int();
+	s->row = packet_get_int();
+	s->xpixel = packet_get_int();
+	s->ypixel = packet_get_int();
+	packet_done();
+	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+	return 1;
+}
+
+int
+session_pty_req(Session *s)
+{
+	u_int len;
+	int n_bytes;
+
+	if (no_pty_flag)
+		return 0;
+	if (s->ttyfd != -1)
+		return 0;
+	s->term = packet_get_string(&len);
+	s->col = packet_get_int();
+	s->row = packet_get_int();
+	s->xpixel = packet_get_int();
+	s->ypixel = packet_get_int();
+
+	if (strcmp(s->term, "") == 0) {
+		xfree(s->term);
+		s->term = NULL;
+	}
+	/* Allocate a pty and open it. */
+	if (!pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty))) {
+		xfree(s->term);
+		s->term = NULL;
+		s->ptyfd = -1;
+		s->ttyfd = -1;
+		error("session_pty_req: session %d alloc failed", s->self);
+		return 0;
+	}
+	debug("session_pty_req: session %d alloc %s", s->self, s->tty);
+	/*
+	 * Add a cleanup function to clear the utmp entry and record logout
+	 * time in case we call fatal() (e.g., the connection gets closed).
+	 */
+	fatal_add_cleanup(pty_cleanup_proc, (void *)s);
+	pty_setowner(s->pw, s->tty);
+	/* Get window size from the packet. */
+	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+
+	/* Get tty modes from the packet. */
+	tty_parse_modes(s->ttyfd, &n_bytes);
+	packet_done();
+
+	session_proctitle(s);
+
+	return 1;
+}
+
+int
+session_subsystem_req(Session *s)
+{
+	u_int len;
+	int success = 0;
+	char *subsys = packet_get_string(&len);
+	int i;
+
+	packet_done();
+	log("subsystem request for %s", subsys);
+
+	for (i = 0; i < options.num_subsystems; i++) {
+		if(strcmp(subsys, options.subsystem_name[i]) == 0) {
+			debug("subsystem: exec() %s", options.subsystem_command[i]);
+			s->is_subsystem = 1;
+			do_exec_no_pty(s, options.subsystem_command[i]);
+			success = 1;
+		}
+	}
+
+	if (!success)
+		log("subsystem request for %s failed, subsystem not found", subsys);
+
+	xfree(subsys);
+	return success;
+}
+
+int
+session_x11_req(Session *s)
+{
+	int fd;
+	struct stat st;
+	if (no_x11_forwarding_flag) {
+		debug("X11 forwarding disabled in user configuration file.");
+		return 0;
+	}
+	if (!options.x11_forwarding) {
+		debug("X11 forwarding disabled in server configuration file.");
+		return 0;
+	}
+	if (!options.xauth_location ||
+	    (stat(options.xauth_location, &st) == -1)) {
+		packet_send_debug("No xauth program; cannot forward with spoofing.");
+		return 0;
+	}
+	if (xauthfile != NULL) {
+		debug("X11 fwd already started.");
+		return 0;
+	}
+
+	debug("Received request for X11 forwarding with auth spoofing.");
+	if (s->display != NULL)
+		packet_disconnect("Protocol error: X11 display already set.");
+
+	s->single_connection = packet_get_char();
+	s->auth_proto = packet_get_string(NULL);
+	s->auth_data = packet_get_string(NULL);
+	s->screen = packet_get_int();
+	packet_done();
+
+	s->display = x11_create_display_inet(s->screen, options.x11_display_offset);
+	if (s->display == NULL) {
+		xfree(s->auth_proto);
+		xfree(s->auth_data);
+		return 0;
+	}
+	xauthfile = xmalloc(MAXPATHLEN);
+	strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
+	temporarily_use_uid(s->pw);
+	if (mkdtemp(xauthfile) == NULL) {
+		restore_uid();
+		error("private X11 dir: mkdtemp %s failed: %s",
+		    xauthfile, strerror(errno));
+		xfree(xauthfile);
+		xauthfile = NULL;
+		xfree(s->auth_proto);
+		xfree(s->auth_data);
+		/* XXXX remove listening channels */
+		return 0;
+	}
+	strlcat(xauthfile, "/cookies", MAXPATHLEN);
+	fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600);
+	if (fd >= 0)
+		close(fd);
+	restore_uid();
+	fatal_add_cleanup(xauthfile_cleanup_proc, s->pw);
+	return 1;
+}
+
+int
+session_shell_req(Session *s)
+{
+	/* if forced_command == NULL, the shell is execed */
+	char *shell = forced_command;
+	packet_done();
+	if (s->ttyfd == -1)
+		do_exec_no_pty(s, shell);
+	else
+		do_exec_pty(s, shell);
+	return 1;
+}
+
+int
+session_exec_req(Session *s)
+{
+	u_int len;
+	char *command = packet_get_string(&len);
+	packet_done();
+	if (forced_command) {
+		original_command = command;
+		command = forced_command;
+		debug("Forced command '%.500s'", forced_command);
+	}
+	if (s->ttyfd == -1)
+		do_exec_no_pty(s, command);
+	else
+		do_exec_pty(s, command);
+	if (forced_command == NULL)
+		xfree(command);
+	return 1;
+}
+
+int
+session_auth_agent_req(Session *s)
+{
+	static int called = 0;
+	packet_done();
+	if (no_agent_forwarding_flag) {
+		debug("session_auth_agent_req: no_agent_forwarding_flag");
+		return 0;
+	}
+	if (called) {
+		return 0;
+	} else {
+		called = 1;
+		return auth_input_request_forwarding(s->pw);
+	}
+}
+
+void
+session_input_channel_req(int id, void *arg)
+{
+	u_int len;
+	int reply;
+	int success = 0;
+	char *rtype;
+	Session *s;
+	Channel *c;
+
+	rtype = packet_get_string(&len);
+	reply = packet_get_char();
+
+	s = session_by_channel(id);
+	if (s == NULL)
+		fatal("session_input_channel_req: channel %d: no session", id);
+	c = channel_lookup(id);
+	if (c == NULL)
+		fatal("session_input_channel_req: channel %d: bad channel", id);
+
+	debug("session_input_channel_req: session %d channel %d request %s reply %d",
+	    s->self, id, rtype, reply);
+
+	/*
+	 * a session is in LARVAL state until a shell, a command
+	 * or a subsystem is executed
+	 */
+	if (c->type == SSH_CHANNEL_LARVAL) {
+		if (strcmp(rtype, "shell") == 0) {
+			success = session_shell_req(s);
+		} else if (strcmp(rtype, "exec") == 0) {
+			success = session_exec_req(s);
+		} else if (strcmp(rtype, "pty-req") == 0) {
+			success =  session_pty_req(s);
+		} else if (strcmp(rtype, "x11-req") == 0) {
+			success = session_x11_req(s);
+		} else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) {
+			success = session_auth_agent_req(s);
+		} else if (strcmp(rtype, "subsystem") == 0) {
+			success = session_subsystem_req(s);
+		}
+	}
+	if (strcmp(rtype, "window-change") == 0) {
+		success = session_window_change_req(s);
+	}
+
+	if (reply) {
+		packet_start(success ?
+		    SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
+		packet_put_int(c->remote_id);
+		packet_send();
+	}
+	xfree(rtype);
+}
+
+void
+session_set_fds(Session *s, int fdin, int fdout, int fderr)
+{
+	if (!compat20)
+		fatal("session_set_fds: called for proto != 2.0");
+	/*
+	 * now that have a child and a pipe to the child,
+	 * we can activate our channel and register the fd's
+	 */
+	if (s->chanid == -1)
+		fatal("no channel for session %d", s->self);
+	channel_set_fds(s->chanid,
+	    fdout, fdin, fderr,
+	    fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+	    1);
+}
+
+void
+session_pty_cleanup(Session *s)
+{
+	if (s == NULL || s->ttyfd == -1)
+		return;
+
+	debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
+
+	/* Cancel the cleanup function. */
+	fatal_remove_cleanup(pty_cleanup_proc, (void *)s);
+
+	/* Record that the user has logged out. */
+	record_logout(s->pid, s->tty);
+
+	/* Release the pseudo-tty. */
+	pty_release(s->tty);
+
+	/*
+	 * Close the server side of the socket pairs.  We must do this after
+	 * the pty cleanup, so that another process doesn't get this pty
+	 * while we're still cleaning up.
+	 */
+	if (close(s->ptymaster) < 0)
+		error("close(s->ptymaster): %s", strerror(errno));
+}
+
+void
+session_exit_message(Session *s, int status)
+{
+	Channel *c;
+	if (s == NULL)
+		fatal("session_close: no session");
+	c = channel_lookup(s->chanid);
+	if (c == NULL)
+		fatal("session_close: session %d: no channel %d",
+		    s->self, s->chanid);
+	debug("session_exit_message: session %d channel %d pid %d",
+	    s->self, s->chanid, s->pid);
+
+	if (WIFEXITED(status)) {
+		channel_request_start(s->chanid,
+		    "exit-status", 0);
+		packet_put_int(WEXITSTATUS(status));
+		packet_send();
+	} else if (WIFSIGNALED(status)) {
+		channel_request_start(s->chanid,
+		    "exit-signal", 0);
+		packet_put_int(WTERMSIG(status));
+		packet_put_char(WCOREDUMP(status));
+		packet_put_cstring("");
+		packet_put_cstring("");
+		packet_send();
+	} else {
+		/* Some weird exit cause.  Just exit. */
+		packet_disconnect("wait returned status %04x.", status);
+	}
+
+	/* disconnect channel */
+	debug("session_exit_message: release channel %d", s->chanid);
+	channel_cancel_cleanup(s->chanid);
+	/*
+	 * emulate a write failure with 'chan_write_failed', nobody will be
+	 * interested in data we write.
+	 * Note that we must not call 'chan_read_failed', since there could
+	 * be some more data waiting in the pipe.
+	 */
+	if (c->ostate != CHAN_OUTPUT_CLOSED)
+		chan_write_failed(c);
+	s->chanid = -1;
+}
+
+void
+session_free(Session *s)
+{
+	debug("session_free: session %d pid %d", s->self, s->pid);
+	if (s->term)
+		xfree(s->term);
+	if (s->display)
+		xfree(s->display);
+	if (s->auth_data)
+		xfree(s->auth_data);
+	if (s->auth_proto)
+		xfree(s->auth_proto);
+	s->used = 0;
+}
+
+void
+session_close(Session *s)
+{
+	session_pty_cleanup(s);
+	session_free(s);
+	session_proctitle(s);
+}
+
+void
+session_close_by_pid(pid_t pid, int status)
+{
+	Session *s = session_by_pid(pid);
+	if (s == NULL) {
+		debug("session_close_by_pid: no session for pid %d", s->pid);
+		return;
+	}
+	if (s->chanid != -1)
+		session_exit_message(s, status);
+	session_close(s);
+}
+
+/*
+ * this is called when a channel dies before
+ * the session 'child' itself dies
+ */
+void
+session_close_by_channel(int id, void *arg)
+{
+	Session *s = session_by_channel(id);
+	if (s == NULL) {
+		debug("session_close_by_channel: no session for channel %d", id);
+		return;
+	}
+	/* disconnect channel */
+	channel_cancel_cleanup(s->chanid);
+	s->chanid = -1;
+
+	debug("session_close_by_channel: channel %d kill %d", id, s->pid);
+	if (s->pid == 0) {
+		/* close session immediately */
+		session_close(s);
+	} else {
+		/* notify child, delay session cleanup */
+		if (s->pid <= 1) 
+			fatal("session_close_by_channel: Unsafe s->pid = %d", s->pid);
+		if (kill(s->pid, (s->ttyfd == -1) ? SIGTERM : SIGHUP) < 0)
+			error("session_close_by_channel: kill %d: %s",
+			    s->pid, strerror(errno));
+	}
+}
+
+char *
+session_tty_list(void)
+{
+	static char buf[1024];
+	int i;
+	buf[0] = '\0';
+	for(i = 0; i < MAX_SESSIONS; i++) {
+		Session *s = &sessions[i];
+		if (s->used && s->ttyfd != -1) {
+			if (buf[0] != '\0')
+				strlcat(buf, ",", sizeof buf);
+			strlcat(buf, strrchr(s->tty, '/') + 1, sizeof buf);
+		}
+	}
+	if (buf[0] == '\0')
+		strlcpy(buf, "notty", sizeof buf);
+	return buf;
+}
+
+void
+session_proctitle(Session *s)
+{
+	if (s->pw == NULL)
+		error("no user for session %d", s->self);
+	else
+		setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
+}
+
+void
+do_authenticated2(Authctxt *authctxt)
+{
+
+	server_loop2();
+}
diff --git a/crypto/openssh/session.h b/crypto/openssh/session.h
new file mode 100644
index 0000000..842e941
--- /dev/null
+++ b/crypto/openssh/session.h
@@ -0,0 +1,36 @@
+/*	$OpenBSD: session.h,v 1.6 2001/03/21 11:43:45 markus Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef SESSION_H
+#define SESSION_H
+
+void	do_authenticated(Authctxt *ac);
+
+int	session_open(int id);
+void	session_input_channel_req(int id, void *arg);
+void	session_close_by_pid(pid_t pid, int status);
+void	session_close_by_channel(int id, void *arg);
+
+#endif
diff --git a/crypto/openssh/sftp-client.c b/crypto/openssh/sftp-client.c
new file mode 100644
index 0000000..b5d2fd3
--- /dev/null
+++ b/crypto/openssh/sftp-client.c
@@ -0,0 +1,930 @@
+/*
+ * Copyright (c) 2001 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* XXX: memleaks */
+/* XXX: signed vs unsigned */
+/* XXX: redesign to allow concurrent overlapped operations */
+/* XXX: we use fatal too much, error may be more appropriate in places */
+/* XXX: copy between two remote sites */
+
+#include "includes.h"
+RCSID("$OpenBSD: sftp-client.c,v 1.16 2001/04/05 10:42:52 markus Exp $");
+
+#include "ssh.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "getput.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "atomicio.h"
+#include "pathnames.h"
+
+#include "sftp.h"
+#include "sftp-common.h"
+#include "sftp-client.h"
+
+/* How much data to read/write at at time during copies */
+/* XXX: what should this be? */
+#define COPY_SIZE	8192
+
+/* Message ID */
+static u_int msg_id = 1;
+
+void
+send_msg(int fd, Buffer *m)
+{
+	int mlen = buffer_len(m);
+	int len;
+	Buffer oqueue;
+
+	buffer_init(&oqueue);
+	buffer_put_int(&oqueue, mlen);
+	buffer_append(&oqueue, buffer_ptr(m), mlen);
+	buffer_consume(m, mlen);
+
+	len = atomicio(write, fd, buffer_ptr(&oqueue), buffer_len(&oqueue));
+	if (len <= 0)
+		fatal("Couldn't send packet: %s", strerror(errno));
+
+	buffer_free(&oqueue);
+}
+
+void
+get_msg(int fd, Buffer *m)
+{
+	u_int len, msg_len;
+	unsigned char buf[4096];
+
+	len = atomicio(read, fd, buf, 4);
+	if (len == 0)
+		fatal("Connection closed");
+	else if (len == -1)
+		fatal("Couldn't read packet: %s", strerror(errno));
+
+	msg_len = GET_32BIT(buf);
+	if (msg_len > 256 * 1024)
+		fatal("Received message too long %d", msg_len);
+
+	while (msg_len) {
+		len = atomicio(read, fd, buf, MIN(msg_len, sizeof(buf)));
+		if (len == 0)
+			fatal("Connection closed");
+		else if (len == -1)
+			fatal("Couldn't read packet: %s", strerror(errno));
+
+		msg_len -= len;
+		buffer_append(m, buf, len);
+	}
+}
+
+void
+send_string_request(int fd, u_int id, u_int code, char *s,
+    u_int len)
+{
+	Buffer msg;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, code);
+	buffer_put_int(&msg, id);
+	buffer_put_string(&msg, s, len);
+	send_msg(fd, &msg);
+	debug3("Sent message fd %d T:%d I:%d", fd, code, id);
+	buffer_free(&msg);
+}
+
+void
+send_string_attrs_request(int fd, u_int id, u_int code, char *s,
+    u_int len, Attrib *a)
+{
+	Buffer msg;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, code);
+	buffer_put_int(&msg, id);
+	buffer_put_string(&msg, s, len);
+	encode_attrib(&msg, a);
+	send_msg(fd, &msg);
+	debug3("Sent message fd %d T:%d I:%d", fd, code, id);
+	buffer_free(&msg);
+}
+
+u_int
+get_status(int fd, int expected_id)
+{
+	Buffer msg;
+	u_int type, id, status;
+
+	buffer_init(&msg);
+	get_msg(fd, &msg);
+	type = buffer_get_char(&msg);
+	id = buffer_get_int(&msg);
+
+	if (id != expected_id)
+		fatal("ID mismatch (%d != %d)", id, expected_id);
+	if (type != SSH2_FXP_STATUS)
+		fatal("Expected SSH2_FXP_STATUS(%d) packet, got %d",
+		    SSH2_FXP_STATUS, type);
+
+	status = buffer_get_int(&msg);
+	buffer_free(&msg);
+
+	debug3("SSH2_FXP_STATUS %d", status);
+
+	return(status);
+}
+
+char *
+get_handle(int fd, u_int expected_id, u_int *len)
+{
+	Buffer msg;
+	u_int type, id;
+	char *handle;
+
+	buffer_init(&msg);
+	get_msg(fd, &msg);
+	type = buffer_get_char(&msg);
+	id = buffer_get_int(&msg);
+
+	if (id != expected_id)
+		fatal("ID mismatch (%d != %d)", id, expected_id);
+	if (type == SSH2_FXP_STATUS) {
+		int status = buffer_get_int(&msg);
+
+		error("Couldn't get handle: %s", fx2txt(status));
+		return(NULL);
+	} else if (type != SSH2_FXP_HANDLE)
+		fatal("Expected SSH2_FXP_HANDLE(%d) packet, got %d",
+		    SSH2_FXP_HANDLE, type);
+
+	handle = buffer_get_string(&msg, len);
+	buffer_free(&msg);
+
+	return(handle);
+}
+
+Attrib *
+get_decode_stat(int fd, u_int expected_id, int quiet)
+{
+	Buffer msg;
+	u_int type, id;
+	Attrib *a;
+
+	buffer_init(&msg);
+	get_msg(fd, &msg);
+
+	type = buffer_get_char(&msg);
+	id = buffer_get_int(&msg);
+
+	debug3("Received stat reply T:%d I:%d", type, id);
+	if (id != expected_id)
+		fatal("ID mismatch (%d != %d)", id, expected_id);
+	if (type == SSH2_FXP_STATUS) {
+		int status = buffer_get_int(&msg);
+
+		if (quiet)
+			debug("Couldn't stat remote file: %s", fx2txt(status));
+		else
+			error("Couldn't stat remote file: %s", fx2txt(status));
+		return(NULL);
+	} else if (type != SSH2_FXP_ATTRS) {
+		fatal("Expected SSH2_FXP_ATTRS(%d) packet, got %d",
+		    SSH2_FXP_ATTRS, type);
+	}
+	a = decode_attrib(&msg);
+	buffer_free(&msg);
+
+	return(a);
+}
+
+int
+do_init(int fd_in, int fd_out)
+{
+	int type, version;
+	Buffer msg;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, SSH2_FXP_INIT);
+	buffer_put_int(&msg, SSH2_FILEXFER_VERSION);
+	send_msg(fd_out, &msg);
+
+	buffer_clear(&msg);
+
+	get_msg(fd_in, &msg);
+
+	/* Expecting a VERSION reply */
+	if ((type = buffer_get_char(&msg)) != SSH2_FXP_VERSION) {
+		error("Invalid packet back from SSH2_FXP_INIT (type %d)",
+		    type);
+		buffer_free(&msg);
+		return(-1);
+	}
+	version = buffer_get_int(&msg);
+
+	debug2("Remote version: %d", version);
+
+	/* Check for extensions */
+	while (buffer_len(&msg) > 0) {
+		char *name = buffer_get_string(&msg, NULL);
+		char *value = buffer_get_string(&msg, NULL);
+
+		debug2("Init extension: \"%s\"", name);
+		xfree(name);
+		xfree(value);
+	}
+
+	buffer_free(&msg);
+
+	return(version);
+}
+
+int
+do_close(int fd_in, int fd_out, char *handle, u_int handle_len)
+{
+	u_int id, status;
+	Buffer msg;
+
+	buffer_init(&msg);
+
+	id = msg_id++;
+	buffer_put_char(&msg, SSH2_FXP_CLOSE);
+	buffer_put_int(&msg, id);
+	buffer_put_string(&msg, handle, handle_len);
+	send_msg(fd_out, &msg);
+	debug3("Sent message SSH2_FXP_CLOSE I:%d", id);
+
+	status = get_status(fd_in, id);
+	if (status != SSH2_FX_OK)
+		error("Couldn't close file: %s", fx2txt(status));
+
+	buffer_free(&msg);
+
+	return(status);
+}
+
+
+int
+do_lsreaddir(int fd_in, int fd_out, char *path, int printflag,
+    SFTP_DIRENT ***dir)
+{
+	Buffer msg;
+	u_int type, id, handle_len, i, expected_id, ents = 0;
+	char *handle;
+
+	id = msg_id++;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, SSH2_FXP_OPENDIR);
+	buffer_put_int(&msg, id);
+	buffer_put_cstring(&msg, path);
+	send_msg(fd_out, &msg);
+
+	buffer_clear(&msg);
+
+	handle = get_handle(fd_in, id, &handle_len);
+	if (handle == NULL)
+		return(-1);
+
+	if (dir) {
+		ents = 0;
+		*dir = xmalloc(sizeof(**dir));
+		(*dir)[0] = NULL;
+	}
+	
+
+	for(;;) {
+		int count;
+
+		id = expected_id = msg_id++;
+
+		debug3("Sending SSH2_FXP_READDIR I:%d", id);
+
+		buffer_clear(&msg);
+		buffer_put_char(&msg, SSH2_FXP_READDIR);
+		buffer_put_int(&msg, id);
+		buffer_put_string(&msg, handle, handle_len);
+		send_msg(fd_out, &msg);
+
+		buffer_clear(&msg);
+
+		get_msg(fd_in, &msg);
+
+		type = buffer_get_char(&msg);
+		id = buffer_get_int(&msg);
+
+		debug3("Received reply T:%d I:%d", type, id);
+
+		if (id != expected_id)
+			fatal("ID mismatch (%d != %d)", id, expected_id);
+
+		if (type == SSH2_FXP_STATUS) {
+			int status = buffer_get_int(&msg);
+
+			debug3("Received SSH2_FXP_STATUS %d", status);
+
+			if (status == SSH2_FX_EOF) {
+				break;
+			} else {
+				error("Couldn't read directory: %s",
+				    fx2txt(status));
+				do_close(fd_in, fd_out, handle, handle_len);
+				return(status);
+			}
+		} else if (type != SSH2_FXP_NAME)
+			fatal("Expected SSH2_FXP_NAME(%d) packet, got %d",
+			    SSH2_FXP_NAME, type);
+
+		count = buffer_get_int(&msg);
+		if (count == 0)
+			break;
+		debug3("Received %d SSH2_FXP_NAME responses", count);
+		for(i = 0; i < count; i++) {
+			char *filename, *longname;
+			Attrib *a;
+
+			filename = buffer_get_string(&msg, NULL);
+			longname = buffer_get_string(&msg, NULL);
+			a = decode_attrib(&msg);
+
+			if (printflag)
+				printf("%s\n", longname);
+
+			if (dir) {
+				*dir = xrealloc(*dir, sizeof(**dir) *
+				    (ents + 2));
+				(*dir)[ents] = xmalloc(sizeof(***dir));
+				(*dir)[ents]->filename = xstrdup(filename);
+				(*dir)[ents]->longname = xstrdup(longname);
+				memcpy(&(*dir)[ents]->a, a, sizeof(*a));
+				(*dir)[++ents] = NULL;
+			}
+
+			xfree(filename);
+			xfree(longname);
+		}
+	}
+
+	buffer_free(&msg);
+	do_close(fd_in, fd_out, handle, handle_len);
+	xfree(handle);
+
+	return(0);
+}
+
+int
+do_ls(int fd_in, int fd_out, char *path)
+{
+	return(do_lsreaddir(fd_in, fd_out, path, 1, NULL));
+}
+
+int
+do_readdir(int fd_in, int fd_out, char *path, SFTP_DIRENT ***dir)
+{
+	return(do_lsreaddir(fd_in, fd_out, path, 0, dir));
+}
+
+void free_sftp_dirents(SFTP_DIRENT **s)
+{
+	int i;
+	
+	for(i = 0; s[i]; i++) {
+		xfree(s[i]->filename);
+		xfree(s[i]->longname);
+		xfree(s[i]);
+	}
+	xfree(s);
+}
+
+int
+do_rm(int fd_in, int fd_out, char *path)
+{
+	u_int status, id;
+
+	debug2("Sending SSH2_FXP_REMOVE \"%s\"", path);
+
+	id = msg_id++;
+	send_string_request(fd_out, id, SSH2_FXP_REMOVE, path, strlen(path));
+	status = get_status(fd_in, id);
+	if (status != SSH2_FX_OK)
+		error("Couldn't delete file: %s", fx2txt(status));
+	return(status);
+}
+
+int
+do_mkdir(int fd_in, int fd_out, char *path, Attrib *a)
+{
+	u_int status, id;
+
+	id = msg_id++;
+	send_string_attrs_request(fd_out, id, SSH2_FXP_MKDIR, path,
+	    strlen(path), a);
+
+	status = get_status(fd_in, id);
+	if (status != SSH2_FX_OK)
+		error("Couldn't create directory: %s", fx2txt(status));
+
+	return(status);
+}
+
+int
+do_rmdir(int fd_in, int fd_out, char *path)
+{
+	u_int status, id;
+
+	id = msg_id++;
+	send_string_request(fd_out, id, SSH2_FXP_RMDIR, path, strlen(path));
+
+	status = get_status(fd_in, id);
+	if (status != SSH2_FX_OK)
+		error("Couldn't remove directory: %s", fx2txt(status));
+
+	return(status);
+}
+
+Attrib *
+do_stat(int fd_in, int fd_out, char *path, int quiet)
+{
+	u_int id;
+
+	id = msg_id++;
+	send_string_request(fd_out, id, SSH2_FXP_STAT, path, strlen(path));
+	return(get_decode_stat(fd_in, id, quiet));
+}
+
+Attrib *
+do_lstat(int fd_in, int fd_out, char *path, int quiet)
+{
+	u_int id;
+
+	id = msg_id++;
+	send_string_request(fd_out, id, SSH2_FXP_LSTAT, path, strlen(path));
+	return(get_decode_stat(fd_in, id, quiet));
+}
+
+Attrib *
+do_fstat(int fd_in, int fd_out, char *handle, u_int handle_len, int quiet)
+{
+	u_int id;
+
+	id = msg_id++;
+	send_string_request(fd_out, id, SSH2_FXP_FSTAT, handle, handle_len);
+	return(get_decode_stat(fd_in, id, quiet));
+}
+
+int
+do_setstat(int fd_in, int fd_out, char *path, Attrib *a)
+{
+	u_int status, id;
+
+	id = msg_id++;
+	send_string_attrs_request(fd_out, id, SSH2_FXP_SETSTAT, path,
+	    strlen(path), a);
+
+	status = get_status(fd_in, id);
+	if (status != SSH2_FX_OK)
+		error("Couldn't setstat on \"%s\": %s", path,
+		    fx2txt(status));
+
+	return(status);
+}
+
+int
+do_fsetstat(int fd_in, int fd_out, char *handle, u_int handle_len,
+    Attrib *a)
+{
+	u_int status, id;
+
+	id = msg_id++;
+	send_string_attrs_request(fd_out, id, SSH2_FXP_FSETSTAT, handle,
+	    handle_len, a);
+
+	status = get_status(fd_in, id);
+	if (status != SSH2_FX_OK)
+		error("Couldn't fsetstat: %s", fx2txt(status));
+
+	return(status);
+}
+
+char *
+do_realpath(int fd_in, int fd_out, char *path)
+{
+	Buffer msg;
+	u_int type, expected_id, count, id;
+	char *filename, *longname;
+	Attrib *a;
+
+	expected_id = id = msg_id++;
+	send_string_request(fd_out, id, SSH2_FXP_REALPATH, path, strlen(path));
+
+	buffer_init(&msg);
+
+	get_msg(fd_in, &msg);
+	type = buffer_get_char(&msg);
+	id = buffer_get_int(&msg);
+
+	if (id != expected_id)
+		fatal("ID mismatch (%d != %d)", id, expected_id);
+
+	if (type == SSH2_FXP_STATUS) {
+		u_int status = buffer_get_int(&msg);
+
+		error("Couldn't canonicalise: %s", fx2txt(status));
+		return(NULL);
+	} else if (type != SSH2_FXP_NAME)
+		fatal("Expected SSH2_FXP_NAME(%d) packet, got %d",
+		    SSH2_FXP_NAME, type);
+
+	count = buffer_get_int(&msg);
+	if (count != 1)
+		fatal("Got multiple names (%d) from SSH_FXP_REALPATH", count);
+
+	filename = buffer_get_string(&msg, NULL);
+	longname = buffer_get_string(&msg, NULL);
+	a = decode_attrib(&msg);
+
+	debug3("SSH_FXP_REALPATH %s -> %s", path, filename);
+
+	xfree(longname);
+
+	buffer_free(&msg);
+
+	return(filename);
+}
+
+int
+do_rename(int fd_in, int fd_out, char *oldpath, char *newpath)
+{
+	Buffer msg;
+	u_int status, id;
+
+	buffer_init(&msg);
+
+	/* Send rename request */
+	id = msg_id++;
+	buffer_put_char(&msg, SSH2_FXP_RENAME);
+	buffer_put_int(&msg, id);
+	buffer_put_cstring(&msg, oldpath);
+	buffer_put_cstring(&msg, newpath);
+	send_msg(fd_out, &msg);
+	debug3("Sent message SSH2_FXP_RENAME \"%s\" -> \"%s\"", oldpath,
+	    newpath);
+	buffer_free(&msg);
+
+	status = get_status(fd_in, id);
+	if (status != SSH2_FX_OK)
+		error("Couldn't rename file \"%s\" to \"%s\": %s", oldpath, newpath,
+		    fx2txt(status));
+
+	return(status);
+}
+
+int
+do_symlink(int fd_in, int fd_out, char *oldpath, char *newpath)
+{
+	Buffer msg;
+	u_int status, id;
+
+	buffer_init(&msg);
+
+	/* Send rename request */
+	id = msg_id++;
+	buffer_put_char(&msg, SSH2_FXP_SYMLINK);
+	buffer_put_int(&msg, id);
+	buffer_put_cstring(&msg, oldpath);
+	buffer_put_cstring(&msg, newpath);
+	send_msg(fd_out, &msg);
+	debug3("Sent message SSH2_FXP_SYMLINK \"%s\" -> \"%s\"", oldpath,
+	    newpath);
+	buffer_free(&msg);
+
+	status = get_status(fd_in, id);
+	if (status != SSH2_FX_OK)
+		error("Couldn't rename file \"%s\" to \"%s\": %s", oldpath, newpath,
+		    fx2txt(status));
+
+	return(status);
+}
+
+char *
+do_readlink(int fd_in, int fd_out, char *path)
+{
+	Buffer msg;
+	u_int type, expected_id, count, id;
+	char *filename, *longname;
+	Attrib *a;
+
+	expected_id = id = msg_id++;
+	send_string_request(fd_out, id, SSH2_FXP_READLINK, path, strlen(path));
+
+	buffer_init(&msg);
+
+	get_msg(fd_in, &msg);
+	type = buffer_get_char(&msg);
+	id = buffer_get_int(&msg);
+
+	if (id != expected_id)
+		fatal("ID mismatch (%d != %d)", id, expected_id);
+
+	if (type == SSH2_FXP_STATUS) {
+		u_int status = buffer_get_int(&msg);
+
+		error("Couldn't readlink: %s", fx2txt(status));
+		return(NULL);
+	} else if (type != SSH2_FXP_NAME)
+		fatal("Expected SSH2_FXP_NAME(%d) packet, got %d",
+		    SSH2_FXP_NAME, type);
+
+	count = buffer_get_int(&msg);
+	if (count != 1)
+		fatal("Got multiple names (%d) from SSH_FXP_READLINK", count);
+
+	filename = buffer_get_string(&msg, NULL);
+	longname = buffer_get_string(&msg, NULL);
+	a = decode_attrib(&msg);
+
+	debug3("SSH_FXP_READLINK %s -> %s", path, filename);
+
+	xfree(longname);
+
+	buffer_free(&msg);
+
+	return(filename);
+}
+
+int
+do_download(int fd_in, int fd_out, char *remote_path, char *local_path,
+    int pflag)
+{
+	int local_fd;
+	u_int expected_id, handle_len, mode, type, id;
+	u_int64_t offset;
+	char *handle;
+	Buffer msg;
+	Attrib junk, *a;
+	int status;
+
+	a = do_stat(fd_in, fd_out, remote_path, 0);
+	if (a == NULL)
+		return(-1);
+
+	/* XXX: should we preserve set[ug]id? */
+	if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
+		mode = S_IWRITE | (a->perm & 0777);
+	else
+		mode = 0666;
+
+	if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) &&
+	    (a->perm & S_IFDIR)) {
+		error("Cannot download a directory: %s", remote_path);
+		return(-1);
+	}
+
+	local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, mode);
+	if (local_fd == -1) {
+		error("Couldn't open local file \"%s\" for writing: %s",
+		    local_path, strerror(errno));
+		return(-1);
+	}
+
+	buffer_init(&msg);
+
+	/* Send open request */
+	id = msg_id++;
+	buffer_put_char(&msg, SSH2_FXP_OPEN);
+	buffer_put_int(&msg, id);
+	buffer_put_cstring(&msg, remote_path);
+	buffer_put_int(&msg, SSH2_FXF_READ);
+	attrib_clear(&junk); /* Send empty attributes */
+	encode_attrib(&msg, &junk);
+	send_msg(fd_out, &msg);
+	debug3("Sent message SSH2_FXP_OPEN I:%d P:%s", id, remote_path);
+
+	handle = get_handle(fd_in, id, &handle_len);
+	if (handle == NULL) {
+		buffer_free(&msg);
+		close(local_fd);
+		return(-1);
+	}
+
+	/* Read from remote and write to local */
+	offset = 0;
+	for(;;) {
+		u_int len;
+		char *data;
+
+		id = expected_id = msg_id++;
+
+		buffer_clear(&msg);
+		buffer_put_char(&msg, SSH2_FXP_READ);
+		buffer_put_int(&msg, id);
+		buffer_put_string(&msg, handle, handle_len);
+		buffer_put_int64(&msg, offset);
+		buffer_put_int(&msg, COPY_SIZE);
+		send_msg(fd_out, &msg);
+		debug3("Sent message SSH2_FXP_READ I:%d O:%llu S:%u",
+		    id, (unsigned long long)offset, COPY_SIZE);
+
+		buffer_clear(&msg);
+
+		get_msg(fd_in, &msg);
+		type = buffer_get_char(&msg);
+		id = buffer_get_int(&msg);
+		debug3("Received reply T:%d I:%d", type, id);
+		if (id != expected_id)
+			fatal("ID mismatch (%d != %d)", id, expected_id);
+		if (type == SSH2_FXP_STATUS) {
+			status = buffer_get_int(&msg);
+
+			if (status == SSH2_FX_EOF)
+				break;
+			else {
+				error("Couldn't read from remote "
+				    "file \"%s\" : %s", remote_path,
+				     fx2txt(status));
+				do_close(fd_in, fd_out, handle, handle_len);
+				goto done;
+			}
+		} else if (type != SSH2_FXP_DATA) {
+			fatal("Expected SSH2_FXP_DATA(%d) packet, got %d",
+			    SSH2_FXP_DATA, type);
+		}
+
+		data = buffer_get_string(&msg, &len);
+		if (len > COPY_SIZE)
+			fatal("Received more data than asked for %d > %d",
+			    len, COPY_SIZE);
+
+		debug3("In read loop, got %d offset %llu", len,
+		    (unsigned long long)offset);
+		if (atomicio(write, local_fd, data, len) != len) {
+			error("Couldn't write to \"%s\": %s", local_path,
+			    strerror(errno));
+			do_close(fd_in, fd_out, handle, handle_len);
+			status = -1;
+			xfree(data);
+			goto done;
+		}
+
+		offset += len;
+		xfree(data);
+	}
+	status = do_close(fd_in, fd_out, handle, handle_len);
+
+	/* Override umask and utimes if asked */
+	if (pflag && fchmod(local_fd, mode) == -1)
+		error("Couldn't set mode on \"%s\": %s", local_path,
+		    strerror(errno));
+	if (pflag && (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME)) {
+		struct timeval tv[2];
+		tv[0].tv_sec = a->atime;
+		tv[1].tv_sec = a->mtime;
+		tv[0].tv_usec = tv[1].tv_usec = 0;
+		if (utimes(local_path, tv) == -1)
+			error("Can't set times on \"%s\": %s", local_path,
+			    strerror(errno));
+	}
+
+done:
+	close(local_fd);
+	buffer_free(&msg);
+	xfree(handle);
+	return status;
+}
+
+int
+do_upload(int fd_in, int fd_out, char *local_path, char *remote_path,
+    int pflag)
+{
+	int local_fd;
+	u_int handle_len, id;
+	u_int64_t offset;
+	char *handle;
+	Buffer msg;
+	struct stat sb;
+	Attrib a;
+	int status;
+
+	if ((local_fd = open(local_path, O_RDONLY, 0)) == -1) {
+		error("Couldn't open local file \"%s\" for reading: %s",
+		    local_path, strerror(errno));
+		return(-1);
+	}
+	if (fstat(local_fd, &sb) == -1) {
+		error("Couldn't fstat local file \"%s\": %s",
+		    local_path, strerror(errno));
+		close(local_fd);
+		return(-1);
+	}
+	stat_to_attrib(&sb, &a);
+
+	a.flags &= ~SSH2_FILEXFER_ATTR_SIZE;
+	a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID;
+	a.perm &= 0777;
+	if (!pflag)
+		a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME;
+
+	buffer_init(&msg);
+
+	/* Send open request */
+	id = msg_id++;
+	buffer_put_char(&msg, SSH2_FXP_OPEN);
+	buffer_put_int(&msg, id);
+	buffer_put_cstring(&msg, remote_path);
+	buffer_put_int(&msg, SSH2_FXF_WRITE|SSH2_FXF_CREAT|SSH2_FXF_TRUNC);
+	encode_attrib(&msg, &a);
+	send_msg(fd_out, &msg);
+	debug3("Sent message SSH2_FXP_OPEN I:%d P:%s", id, remote_path);
+
+	buffer_clear(&msg);
+
+	handle = get_handle(fd_in, id, &handle_len);
+	if (handle == NULL) {
+		close(local_fd);
+		buffer_free(&msg);
+		return(-1);
+	}
+
+	/* Read from local and write to remote */
+	offset = 0;
+	for(;;) {
+		int len;
+		char data[COPY_SIZE];
+
+		/*
+		 * Can't use atomicio here because it returns 0 on EOF, thus losing
+		 * the last block of the file
+		 */
+		do
+			len = read(local_fd, data, COPY_SIZE);
+		while ((len == -1) && (errno == EINTR || errno == EAGAIN));
+
+		if (len == -1)
+			fatal("Couldn't read from \"%s\": %s", local_path,
+			    strerror(errno));
+		if (len == 0)
+			break;
+
+		buffer_clear(&msg);
+		buffer_put_char(&msg, SSH2_FXP_WRITE);
+		buffer_put_int(&msg, ++id);
+		buffer_put_string(&msg, handle, handle_len);
+		buffer_put_int64(&msg, offset);
+		buffer_put_string(&msg, data, len);
+		send_msg(fd_out, &msg);
+		debug3("Sent message SSH2_FXP_WRITE I:%d O:%llu S:%u",
+		    id, (unsigned long long)offset, len);
+
+		status = get_status(fd_in, id);
+		if (status != SSH2_FX_OK) {
+			error("Couldn't write to remote file \"%s\": %s",
+			    remote_path, fx2txt(status));
+			do_close(fd_in, fd_out, handle, handle_len);
+			close(local_fd);
+			goto done;
+		}
+		debug3("In write loop, got %d offset %llu", len,
+		    (unsigned long long)offset);
+
+		offset += len;
+	}
+
+	if (close(local_fd) == -1) {
+		error("Couldn't close local file \"%s\": %s", local_path,
+		    strerror(errno));
+		do_close(fd_in, fd_out, handle, handle_len);
+		status = -1;
+		goto done;
+	}
+
+	/* Override umask and utimes if asked */
+	if (pflag)
+		do_fsetstat(fd_in, fd_out, handle, handle_len, &a);
+
+	status = do_close(fd_in, fd_out, handle, handle_len);
+
+done:
+	xfree(handle);
+	buffer_free(&msg);
+	return status;
+}
+
diff --git a/crypto/openssh/sftp-client.h b/crypto/openssh/sftp-client.h
new file mode 100644
index 0000000..09ffcc0
--- /dev/null
+++ b/crypto/openssh/sftp-client.h
@@ -0,0 +1,107 @@
+/* $OpenBSD: sftp-client.h,v 1.5 2001/04/05 10:42:52 markus Exp $ */
+
+/*
+ * Copyright (c) 2001 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* Client side of SSH2 filexfer protocol */
+
+typedef struct SFTP_DIRENT SFTP_DIRENT;
+
+struct SFTP_DIRENT {
+	char *filename;
+	char *longname;
+	Attrib a;
+};
+
+/*
+ * Initialiase a SSH filexfer connection. Returns -1 on error or
+ * protocol version on success.
+ */
+int do_init(int fd_in, int fd_out);
+
+/* Close file referred to by 'handle' */
+int do_close(int fd_in, int fd_out, char *handle, u_int handle_len);
+
+/* List contents of directory 'path' to stdout */
+int do_ls(int fd_in, int fd_out, char *path);
+
+/* Read contents of 'path' to NULL-terminated array 'dir' */
+int do_readdir(int fd_in, int fd_out, char *path, SFTP_DIRENT ***dir);
+
+/* Frees a NULL-terminated array of SFTP_DIRENTs (eg. from do_readdir) */
+void free_sftp_dirents(SFTP_DIRENT **s);
+
+/* Delete file 'path' */
+int do_rm(int fd_in, int fd_out, char *path);
+
+/* Create directory 'path' */
+int do_mkdir(int fd_in, int fd_out, char *path, Attrib *a);
+
+/* Remove directory 'path' */
+int do_rmdir(int fd_in, int fd_out, char *path);
+
+/* Get file attributes of 'path' (follows symlinks) */
+Attrib *do_stat(int fd_in, int fd_out, char *path, int quiet);
+
+/* Get file attributes of 'path' (does not follow symlinks) */
+Attrib *do_lstat(int fd_in, int fd_out, char *path, int quiet);
+
+/* Get file attributes of open file 'handle' */
+Attrib *do_fstat(int fd_in, int fd_out, char *handle, u_int handle_len,
+    int quiet);
+
+/* Set file attributes of 'path' */
+int do_setstat(int fd_in, int fd_out, char *path, Attrib *a);
+
+/* Set file attributes of open file 'handle' */
+int do_fsetstat(int fd_in, int fd_out, char *handle,
+    u_int handle_len, Attrib *a);
+
+/* Canonicalise 'path' - caller must free result */
+char *do_realpath(int fd_in, int fd_out, char *path);
+
+/* Rename 'oldpath' to 'newpath' */
+int do_rename(int fd_in, int fd_out, char *oldpath, char *newpath);
+
+/* Rename 'oldpath' to 'newpath' */
+int do_symlink(int fd_in, int fd_out, char *oldpath, char *newpath);
+
+/* Return target of symlink 'path' - caller must free result */
+char *do_readlink(int fd_in, int fd_out, char *path);
+
+/* XXX: add callbacks to do_download/do_upload so we can do progress meter */
+
+/*
+ * Download 'remote_path' to 'local_path'. Preserve permissions and times
+ * if 'pflag' is set
+ */
+int do_download(int fd_in, int fd_out, char *remote_path, char *local_path,
+    int pflag);
+
+/*
+ * Upload 'local_path' to 'remote_path'. Preserve permissions and times
+ * if 'pflag' is set
+ */
+int do_upload(int fd_in, int fd_out, char *local_path, char *remote_path,
+    int pflag);
diff --git a/crypto/openssh/sftp-common.c b/crypto/openssh/sftp-common.c
new file mode 100644
index 0000000..3310eab
--- /dev/null
+++ b/crypto/openssh/sftp-common.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2001 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sftp-common.c,v 1.2 2001/02/06 23:50:10 markus Exp $");
+
+#include "buffer.h"
+#include "bufaux.h"
+#include "getput.h"
+#include "log.h"
+#include "xmalloc.h"
+
+#include "sftp.h"
+#include "sftp-common.h"
+
+void
+attrib_clear(Attrib *a)
+{
+	a->flags = 0;
+	a->size = 0;
+	a->uid = 0;
+	a->gid = 0;
+	a->perm = 0;
+	a->atime = 0;
+	a->mtime = 0;
+}
+
+void
+stat_to_attrib(struct stat *st, Attrib *a)
+{
+	attrib_clear(a);
+	a->flags = 0;
+	a->flags |= SSH2_FILEXFER_ATTR_SIZE;
+	a->size = st->st_size;
+	a->flags |= SSH2_FILEXFER_ATTR_UIDGID;
+	a->uid = st->st_uid;
+	a->gid = st->st_gid;
+	a->flags |= SSH2_FILEXFER_ATTR_PERMISSIONS;
+	a->perm = st->st_mode;
+	a->flags |= SSH2_FILEXFER_ATTR_ACMODTIME;
+	a->atime = st->st_atime;
+	a->mtime = st->st_mtime;
+}
+
+Attrib *
+decode_attrib(Buffer *b)
+{
+	static Attrib a;
+	attrib_clear(&a);
+	a.flags = buffer_get_int(b);
+	if (a.flags & SSH2_FILEXFER_ATTR_SIZE)
+		a.size = buffer_get_int64(b);
+	if (a.flags & SSH2_FILEXFER_ATTR_UIDGID) {
+		a.uid = buffer_get_int(b);
+		a.gid = buffer_get_int(b);
+	}
+	if (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
+		a.perm = buffer_get_int(b);
+	if (a.flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
+		a.atime = buffer_get_int(b);
+		a.mtime = buffer_get_int(b);
+	}
+	/* vendor-specific extensions */
+	if (a.flags & SSH2_FILEXFER_ATTR_EXTENDED) {
+		char *type, *data;
+		int i, count;
+		count = buffer_get_int(b);
+		for (i = 0; i < count; i++) {
+			type = buffer_get_string(b, NULL);
+			data = buffer_get_string(b, NULL);
+			debug3("Got file attribute \"%s\"", type);
+			xfree(type);
+			xfree(data);
+		}
+	}
+	return &a;
+}
+
+void
+encode_attrib(Buffer *b, Attrib *a)
+{
+	buffer_put_int(b, a->flags);
+	if (a->flags & SSH2_FILEXFER_ATTR_SIZE)
+		buffer_put_int64(b, a->size);
+	if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
+		buffer_put_int(b, a->uid);
+		buffer_put_int(b, a->gid);
+	}
+	if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
+		buffer_put_int(b, a->perm);
+	if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
+		buffer_put_int(b, a->atime);
+		buffer_put_int(b, a->mtime);
+	}
+}
+
+const char *
+fx2txt(int status)
+{
+	switch (status) {
+	case SSH2_FX_OK:
+		return("No error");
+	case SSH2_FX_EOF:
+		return("End of file");
+	case SSH2_FX_NO_SUCH_FILE:
+		return("No such file or directory");
+	case SSH2_FX_PERMISSION_DENIED:
+		return("Permission denied");
+	case SSH2_FX_FAILURE:
+		return("Failure");
+	case SSH2_FX_BAD_MESSAGE:
+		return("Bad message");
+	case SSH2_FX_NO_CONNECTION:
+		return("No connection");
+	case SSH2_FX_CONNECTION_LOST:
+		return("Connection lost");
+	case SSH2_FX_OP_UNSUPPORTED:
+		return("Operation unsupported");
+	default:
+		return("Unknown status");
+	};
+	/* NOTREACHED */
+}
+
diff --git a/crypto/openssh/sftp-common.h b/crypto/openssh/sftp-common.h
new file mode 100644
index 0000000..6dc1a32
--- /dev/null
+++ b/crypto/openssh/sftp-common.h
@@ -0,0 +1,55 @@
+/*	$OpenBSD: sftp-common.h,v 1.1 2001/02/04 11:11:54 djm Exp $	*/
+
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2001 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+typedef struct Attrib Attrib;
+
+/* File attributes */
+struct Attrib {
+	u_int32_t	flags;
+	u_int64_t	size;
+	u_int32_t	uid;
+	u_int32_t	gid;
+	u_int32_t	perm;
+	u_int32_t	atime;
+	u_int32_t	mtime;
+};
+
+/* Clear contents of attributes structure */
+void attrib_clear(Attrib *a);
+
+/* Convert from struct stat to filexfer attribs */
+void stat_to_attrib(struct stat *st, Attrib *a);
+
+/* Decode attributes in buffer */
+Attrib *decode_attrib(Buffer *b);
+
+/* Encode attributes to buffer */
+void encode_attrib(Buffer *b, Attrib *a);
+
+/* Convert from SSH2_FX_ status to text error message */
+const char *fx2txt(int status);
+
diff --git a/crypto/openssh/sftp-glob.c b/crypto/openssh/sftp-glob.c
new file mode 100644
index 0000000..18d81c0
--- /dev/null
+++ b/crypto/openssh/sftp-glob.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 2001 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sftp-glob.c,v 1.5 2001/04/15 08:43:46 markus Exp $");
+
+#include <glob.h>
+
+#include "ssh.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "getput.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "atomicio.h"
+#include "pathnames.h"
+
+#include "sftp.h"
+#include "sftp-common.h"
+#include "sftp-client.h"
+#include "sftp-glob.h"
+
+struct SFTP_OPENDIR {
+	SFTP_DIRENT **dir;
+	int offset;
+};
+
+static struct {
+	int fd_in;
+	int fd_out;
+} cur;
+
+void *fudge_opendir(const char *path)
+{
+	struct SFTP_OPENDIR *r;
+	
+	r = xmalloc(sizeof(*r));
+	
+	if (do_readdir(cur.fd_in, cur.fd_out, (char*)path, &r->dir))
+		return(NULL);
+
+	r->offset = 0;
+
+	return((void*)r);
+}
+
+struct dirent *fudge_readdir(struct SFTP_OPENDIR *od)
+{
+	static struct dirent ret;
+	
+	if (od->dir[od->offset] == NULL)
+		return(NULL);
+
+	memset(&ret, 0, sizeof(ret));
+	strlcpy(ret.d_name, od->dir[od->offset++]->filename,
+	    sizeof(ret.d_name));
+
+	return(&ret);
+}
+
+void fudge_closedir(struct SFTP_OPENDIR *od)
+{
+	free_sftp_dirents(od->dir);
+	xfree(od);
+}
+
+void attrib_to_stat(Attrib *a, struct stat *st)
+{
+	memset(st, 0, sizeof(*st));
+	
+	if (a->flags & SSH2_FILEXFER_ATTR_SIZE)
+		st->st_size = a->size;
+	if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
+		st->st_uid = a->uid;
+		st->st_gid = a->gid;
+	}
+	if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
+		st->st_mode = a->perm;
+	if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
+		st->st_atime = a->atime;
+		st->st_mtime = a->mtime;
+	}
+}
+
+int fudge_lstat(const char *path, struct stat *st)
+{
+	Attrib *a;
+	
+	if (!(a = do_lstat(cur.fd_in, cur.fd_out, (char*)path, 0)))
+		return(-1);
+	
+	attrib_to_stat(a, st);
+	
+	return(0);
+}
+
+int fudge_stat(const char *path, struct stat *st)
+{
+	Attrib *a;
+	
+	if (!(a = do_stat(cur.fd_in, cur.fd_out, (char*)path, 0)))
+		return(-1);
+	
+	attrib_to_stat(a, st);
+	
+	return(0);
+}
+
+int
+remote_glob(int fd_in, int fd_out, const char *pattern, int flags,
+    int (*errfunc)(const char *, int), glob_t *pglob)
+{
+	pglob->gl_opendir = (void*)fudge_opendir;
+	pglob->gl_readdir = (void*)fudge_readdir;
+	pglob->gl_closedir = (void*)fudge_closedir;
+	pglob->gl_lstat = fudge_lstat;
+	pglob->gl_stat = fudge_stat;
+	
+	memset(&cur, 0, sizeof(cur));
+	cur.fd_in = fd_in;
+	cur.fd_out = fd_out;
+
+	return(glob(pattern, flags | GLOB_ALTDIRFUNC, (void*)errfunc,
+	    pglob));
+}
diff --git a/crypto/openssh/sftp-glob.h b/crypto/openssh/sftp-glob.h
new file mode 100644
index 0000000..4206af4
--- /dev/null
+++ b/crypto/openssh/sftp-glob.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: sftp-glob.h,v 1.3 2001/04/15 08:43:46 markus Exp $ */
+
+/*
+ * Copyright (c) 2001 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* Remote sftp filename globbing */
+
+int
+remote_glob(int fd_in, int fd_out, const char *pattern, int flags,
+    int (*errfunc)(const char *, int), glob_t *pglob);
+
diff --git a/crypto/openssh/sftp-int.c b/crypto/openssh/sftp-int.c
new file mode 100644
index 0000000..3a71daa
--- /dev/null
+++ b/crypto/openssh/sftp-int.c
@@ -0,0 +1,917 @@
+/*
+ * Copyright (c) 2001 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* XXX: globbed ls */
+/* XXX: recursive operations */
+
+#include "includes.h"
+RCSID("$OpenBSD: sftp-int.c,v 1.36 2001/04/15 08:43:46 markus Exp $");
+
+#include <glob.h>
+
+#include "buffer.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "pathnames.h"
+
+#include "sftp.h"
+#include "sftp-common.h"
+#include "sftp-glob.h"
+#include "sftp-client.h"
+#include "sftp-int.h"
+
+/* File to read commands from */
+extern FILE *infile;
+
+/* Version of server we are speaking to */
+int version;
+
+/* Seperators for interactive commands */
+#define WHITESPACE " \t\r\n"
+
+/* Commands for interactive mode */
+#define I_CHDIR		1
+#define I_CHGRP		2
+#define I_CHMOD		3
+#define I_CHOWN		4
+#define I_GET		5
+#define I_HELP		6
+#define I_LCHDIR	7
+#define I_LLS		8
+#define I_LMKDIR	9
+#define I_LPWD		10
+#define I_LS		11
+#define I_LUMASK	12
+#define I_MKDIR		13
+#define I_PUT		14
+#define I_PWD		15
+#define I_QUIT		16
+#define I_RENAME	17
+#define I_RM		18
+#define I_RMDIR		19
+#define I_SHELL		20
+#define I_SYMLINK	21
+#define I_VERSION	22
+
+struct CMD {
+	const char *c;
+	const int n;
+};
+
+const struct CMD cmds[] = {
+	{ "cd",		I_CHDIR },
+	{ "chdir",	I_CHDIR },
+	{ "chgrp",	I_CHGRP },
+	{ "chmod",	I_CHMOD },
+	{ "chown",	I_CHOWN },
+	{ "dir",	I_LS },
+	{ "exit",	I_QUIT },
+	{ "get",	I_GET },
+	{ "mget",	I_GET },
+	{ "help",	I_HELP },
+	{ "lcd",	I_LCHDIR },
+	{ "lchdir",	I_LCHDIR },
+	{ "lls",	I_LLS },
+	{ "lmkdir",	I_LMKDIR },
+	{ "ln",		I_SYMLINK },
+	{ "lpwd",	I_LPWD },
+	{ "ls",		I_LS },
+	{ "lumask",	I_LUMASK },
+	{ "mkdir",	I_MKDIR },
+	{ "put",	I_PUT },
+	{ "mput",	I_PUT },
+	{ "pwd",	I_PWD },
+	{ "quit",	I_QUIT },
+	{ "rename",	I_RENAME },
+	{ "rm",		I_RM },
+	{ "rmdir",	I_RMDIR },
+	{ "symlink",	I_SYMLINK },
+	{ "version",	I_VERSION },
+	{ "!",		I_SHELL },
+	{ "?",		I_HELP },
+	{ NULL,			-1}
+};
+
+void
+help(void)
+{
+	printf("Available commands:\n");
+	printf("cd path                       Change remote directory to 'path'\n");
+	printf("lcd path                      Change local directory to 'path'\n");
+	printf("chgrp grp path                Change group of file 'path' to 'grp'\n");
+	printf("chmod mode path               Change permissions of file 'path' to 'mode'\n");
+	printf("chown own path                Change owner of file 'path' to 'own'\n");
+	printf("help                          Display this help text\n");
+	printf("get remote-path [local-path]  Download file\n");
+	printf("lls [ls-options [path]]       Display local directory listing\n");
+	printf("ln oldpath newpath            Symlink remote file\n");
+	printf("lmkdir path                   Create local directory\n");
+	printf("lpwd                          Print local working directory\n");
+	printf("ls [path]                     Display remote directory listing\n");
+	printf("lumask umask                  Set local umask to 'umask'\n");
+	printf("mkdir path                    Create remote directory\n");
+	printf("put local-path [remote-path]  Upload file\n");
+	printf("pwd                           Display remote working directory\n");
+	printf("exit                          Quit sftp\n");
+	printf("quit                          Quit sftp\n");
+	printf("rename oldpath newpath        Rename remote file\n");
+	printf("rmdir path                    Remove remote directory\n");
+	printf("rm path                       Delete remote file\n");
+	printf("symlink oldpath newpath       Symlink remote file\n");
+	printf("version                       Show SFTP version\n");
+	printf("!command                      Execute 'command' in local shell\n");
+	printf("!                             Escape to local shell\n");
+	printf("?                             Synonym for help\n");
+}
+
+void
+local_do_shell(const char *args)
+{
+	int status;
+	char *shell;
+	pid_t pid;
+
+	if (!*args)
+		args = NULL;
+
+	if ((shell = getenv("SHELL")) == NULL)
+		shell = _PATH_BSHELL;
+
+	if ((pid = fork()) == -1)
+		fatal("Couldn't fork: %s", strerror(errno));
+
+	if (pid == 0) {
+		/* XXX: child has pipe fds to ssh subproc open - issue? */
+		if (args) {
+			debug3("Executing %s -c \"%s\"", shell, args);
+			execl(shell, shell, "-c", args, NULL);
+		} else {
+			debug3("Executing %s", shell);
+			execl(shell, shell, NULL);
+		}
+		fprintf(stderr, "Couldn't execute \"%s\": %s\n", shell,
+		    strerror(errno));
+		_exit(1);
+	}
+	if (waitpid(pid, &status, 0) == -1)
+		fatal("Couldn't wait for child: %s", strerror(errno));
+	if (!WIFEXITED(status))
+		error("Shell exited abormally");
+	else if (WEXITSTATUS(status))
+		error("Shell exited with status %d", WEXITSTATUS(status));
+}
+
+void
+local_do_ls(const char *args)
+{
+	if (!args || !*args)
+		local_do_shell(_PATH_LS);
+	else {
+		int len = strlen(_PATH_LS " ") + strlen(args) + 1;
+		char *buf = xmalloc(len);
+
+		/* XXX: quoting - rip quoting code from ftp? */
+		snprintf(buf, len, _PATH_LS " %s", args);
+		local_do_shell(buf);
+		xfree(buf);
+	}
+}
+
+char *
+path_append(char *p1, char *p2)
+{
+	char *ret;
+	int len = strlen(p1) + strlen(p2) + 2;
+
+	ret = xmalloc(len);
+	strlcpy(ret, p1, len);
+	strlcat(ret, "/", len);
+	strlcat(ret, p2, len);
+
+	return(ret);
+}
+
+char *
+make_absolute(char *p, char *pwd)
+{
+	char *abs;
+
+	/* Derelativise */
+	if (p && p[0] != '/') {
+		abs = path_append(pwd, p);
+		xfree(p);
+		return(abs);
+	} else
+		return(p);
+}
+
+int
+infer_path(const char *p, char **ifp)
+{
+	char *cp;
+
+	cp = strrchr(p, '/');
+	if (cp == NULL) {
+		*ifp = xstrdup(p);
+		return(0);
+	}
+
+	if (!cp[1]) {
+		error("Invalid path");
+		return(-1);
+	}
+
+	*ifp = xstrdup(cp + 1);
+	return(0);
+}
+
+int
+parse_getput_flags(const char **cpp, int *pflag)
+{
+	const char *cp = *cpp;
+
+	/* Check for flags */
+	if (cp[0] == '-' && cp[1] && strchr(WHITESPACE, cp[2])) {
+		switch (cp[1]) {
+		case 'p':
+		case 'P':
+			*pflag = 1;
+			break;
+		default:
+			error("Invalid flag -%c", cp[1]);
+			return(-1);
+		}
+		cp += 2;
+		*cpp = cp + strspn(cp, WHITESPACE);
+	}
+
+	return(0);
+}
+
+int
+get_pathname(const char **cpp, char **path)
+{
+	const char *cp = *cpp, *end;
+	char quot;
+	int i;
+
+	cp += strspn(cp, WHITESPACE);
+	if (!*cp) {
+		*cpp = cp;
+		*path = NULL;
+		return (0);
+	}
+
+	/* Check for quoted filenames */
+	if (*cp == '\"' || *cp == '\'') {
+		quot = *cp++;
+
+		end = strchr(cp, quot);
+		if (end == NULL) {
+			error("Unterminated quote");
+			goto fail;
+		}
+		if (cp == end) {
+			error("Empty quotes");
+			goto fail;
+		}
+		*cpp = end + 1 + strspn(end + 1, WHITESPACE);
+	} else {
+		/* Read to end of filename */
+		end = strpbrk(cp, WHITESPACE);
+		if (end == NULL)
+			end = strchr(cp, '\0');
+		*cpp = end + strspn(end, WHITESPACE);
+	}
+
+	i = end - cp;
+
+	*path = xmalloc(i + 1);
+	memcpy(*path, cp, i);
+	(*path)[i] = '\0';
+	return(0);
+
+ fail:
+	*path = NULL;
+	return (-1);
+}
+
+int
+is_dir(char *path)
+{
+	struct stat sb;
+
+	/* XXX: report errors? */
+	if (stat(path, &sb) == -1)
+		return(0);
+
+	return(sb.st_mode & S_IFDIR);
+}
+
+int
+remote_is_dir(int in, int out, char *path)
+{
+	Attrib *a;
+
+	/* XXX: report errors? */
+	if ((a = do_stat(in, out, path, 1)) == NULL)
+		return(0);
+	if (!(a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS))
+		return(0);
+	return(a->perm & S_IFDIR);
+}
+
+int
+process_get(int in, int out, char *src, char *dst, char *pwd, int pflag)
+{
+	char *abs_src = NULL;
+	char *abs_dst = NULL;
+	char *tmp;
+	glob_t g;
+	int err = 0;
+	int i;
+
+	abs_src = xstrdup(src);
+	abs_src = make_absolute(abs_src, pwd);
+
+	memset(&g, 0, sizeof(g));
+	debug3("Looking up %s", abs_src);
+	if (remote_glob(in, out, abs_src, 0, NULL, &g)) {
+		error("File \"%s\" not found.", abs_src);
+		err = -1;
+		goto out;
+	}
+
+	/* Only one match, dst may be file, directory or unspecified */
+	if (g.gl_pathv[0] && g.gl_matchc == 1) {
+		if (dst) {
+			/* If directory specified, append filename */
+			if (is_dir(dst)) {
+				if (infer_path(g.gl_pathv[0], &tmp)) {
+					err = 1;
+					goto out;
+				}
+				abs_dst = path_append(dst, tmp);
+				xfree(tmp);
+			} else
+				abs_dst = xstrdup(dst);
+		} else if (infer_path(g.gl_pathv[0], &abs_dst)) {
+			err = -1;
+			goto out;
+		}
+		printf("Fetching %s to %s\n", g.gl_pathv[0], abs_dst);
+		err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag);
+		goto out;
+	}
+
+	/* Multiple matches, dst may be directory or unspecified */
+	if (dst && !is_dir(dst)) {
+		error("Multiple files match, but \"%s\" is not a directory",
+		    dst);
+		err = -1;
+		goto out;
+	}
+
+	for(i = 0; g.gl_pathv[i]; i++) {
+		if (infer_path(g.gl_pathv[i], &tmp)) {
+			err = -1;
+			goto out;
+		}
+		if (dst) {
+			abs_dst = path_append(dst, tmp);
+			xfree(tmp);
+		} else
+			abs_dst = tmp;
+
+		printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst);
+		if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag) == -1)
+			err = -1;
+		xfree(abs_dst);
+		abs_dst = NULL;
+	}
+
+out:
+	xfree(abs_src);
+	if (abs_dst)
+		xfree(abs_dst);
+	globfree(&g);
+	return(err);
+}
+
+int
+process_put(int in, int out, char *src, char *dst, char *pwd, int pflag)
+{
+	char *tmp_dst = NULL;
+	char *abs_dst = NULL;
+	char *tmp;
+	glob_t g;
+	int err = 0;
+	int i;
+
+	if (dst) {
+		tmp_dst = xstrdup(dst);
+		tmp_dst = make_absolute(tmp_dst, pwd);
+	}
+
+	memset(&g, 0, sizeof(g));
+	debug3("Looking up %s", src);
+	if (glob(src, 0, NULL, &g)) {
+		error("File \"%s\" not found.", src);
+		err = -1;
+		goto out;
+	}
+
+	/* Only one match, dst may be file, directory or unspecified */
+	if (g.gl_pathv[0] && g.gl_matchc == 1) {
+		if (tmp_dst) {
+			/* If directory specified, append filename */
+			if (remote_is_dir(in, out, tmp_dst)) {
+				if (infer_path(g.gl_pathv[0], &tmp)) {
+					err = 1;
+					goto out;
+				}
+				abs_dst = path_append(tmp_dst, tmp);
+				xfree(tmp);
+			} else
+				abs_dst = xstrdup(tmp_dst);
+		} else {
+			if (infer_path(g.gl_pathv[0], &abs_dst)) {
+				err = -1;
+				goto out;
+			}
+			abs_dst = make_absolute(abs_dst, pwd);
+		}
+		printf("Uploading %s to %s\n", g.gl_pathv[0], abs_dst);
+		err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag);
+		goto out;
+	}
+
+	/* Multiple matches, dst may be directory or unspecified */
+	if (tmp_dst && !remote_is_dir(in, out, tmp_dst)) {
+		error("Multiple files match, but \"%s\" is not a directory",
+		    tmp_dst);
+		err = -1;
+		goto out;
+	}
+
+	for(i = 0; g.gl_pathv[i]; i++) {
+		if (infer_path(g.gl_pathv[i], &tmp)) {
+			err = -1;
+			goto out;
+		}
+		if (tmp_dst) {
+			abs_dst = path_append(tmp_dst, tmp);
+			xfree(tmp);
+		} else
+			abs_dst = make_absolute(tmp, pwd);
+
+		printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst);
+		if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag) == -1)
+			err = -1;
+	}
+
+out:
+	if (abs_dst)
+		xfree(abs_dst);
+	if (tmp_dst)
+		xfree(tmp_dst);
+	return(err);
+}
+
+int
+parse_args(const char **cpp, int *pflag, unsigned long *n_arg,
+    char **path1, char **path2)
+{
+	const char *cmd, *cp = *cpp;
+	char *cp2;
+	int base = 0;
+	long l;
+	int i, cmdnum;
+
+	/* Skip leading whitespace */
+	cp = cp + strspn(cp, WHITESPACE);
+
+	/* Ignore blank lines */
+	if (!*cp)
+		return(-1);
+
+	/* Figure out which command we have */
+	for(i = 0; cmds[i].c; i++) {
+		int cmdlen = strlen(cmds[i].c);
+
+		/* Check for command followed by whitespace */
+		if (!strncasecmp(cp, cmds[i].c, cmdlen) &&
+		    strchr(WHITESPACE, cp[cmdlen])) {
+			cp += cmdlen;
+			cp = cp + strspn(cp, WHITESPACE);
+			break;
+		}
+	}
+	cmdnum = cmds[i].n;
+	cmd = cmds[i].c;
+
+	/* Special case */
+	if (*cp == '!') {
+		cp++;
+		cmdnum = I_SHELL;
+	} else if (cmdnum == -1) {
+		error("Invalid command.");
+		return(-1);
+	}
+
+	/* Get arguments and parse flags */
+	*pflag = *n_arg = 0;
+	*path1 = *path2 = NULL;
+	switch (cmdnum) {
+	case I_GET:
+	case I_PUT:
+		if (parse_getput_flags(&cp, pflag))
+			return(-1);
+		/* Get first pathname (mandatory) */
+		if (get_pathname(&cp, path1))
+			return(-1);
+		if (*path1 == NULL) {
+			error("You must specify at least one path after a "
+			    "%s command.", cmd);
+			return(-1);
+		}
+		/* Try to get second pathname (optional) */
+		if (get_pathname(&cp, path2))
+			return(-1);
+		break;
+	case I_RENAME:
+	case I_SYMLINK:
+		if (get_pathname(&cp, path1))
+			return(-1);
+		if (get_pathname(&cp, path2))
+			return(-1);
+		if (!*path1 || !*path2) {
+			error("You must specify two paths after a %s "
+			    "command.", cmd);
+			return(-1);
+		}
+		break;
+	case I_RM:
+	case I_MKDIR:
+	case I_RMDIR:
+	case I_CHDIR:
+	case I_LCHDIR:
+	case I_LMKDIR:
+		/* Get pathname (mandatory) */
+		if (get_pathname(&cp, path1))
+			return(-1);
+		if (*path1 == NULL) {
+			error("You must specify a path after a %s command.",
+			    cmd);
+			return(-1);
+		}
+		break;
+	case I_LS:
+		/* Path is optional */
+		if (get_pathname(&cp, path1))
+			return(-1);
+		break;
+	case I_LLS:
+	case I_SHELL:
+		/* Uses the rest of the line */
+		break;
+	case I_LUMASK:
+		base = 8;
+	case I_CHMOD:
+		base = 8;
+	case I_CHOWN:
+	case I_CHGRP:
+		/* Get numeric arg (mandatory) */
+		l = strtol(cp, &cp2, base);
+		if (cp2 == cp || ((l == LONG_MIN || l == LONG_MAX) &&
+		    errno == ERANGE) || l < 0) {
+			error("You must supply a numeric argument "
+			    "to the %s command.", cmd);
+			return(-1);
+		}
+		cp = cp2;
+		*n_arg = l;
+		if (cmdnum == I_LUMASK && strchr(WHITESPACE, *cp))
+			break;
+		if (cmdnum == I_LUMASK || !strchr(WHITESPACE, *cp)) {
+			error("You must supply a numeric argument "
+			    "to the %s command.", cmd);
+			return(-1);
+		}
+		cp += strspn(cp, WHITESPACE);
+
+		/* Get pathname (mandatory) */
+		if (get_pathname(&cp, path1))
+			return(-1);
+		if (*path1 == NULL) {
+			error("You must specify a path after a %s command.",
+			    cmd);
+			return(-1);
+		}
+		break;
+	case I_QUIT:
+	case I_PWD:
+	case I_LPWD:
+	case I_HELP:
+	case I_VERSION:
+		break;
+	default:
+		fatal("Command not implemented");
+	}
+
+	*cpp = cp;
+	return(cmdnum);
+}
+
+int
+parse_dispatch_command(int in, int out, const char *cmd, char **pwd)
+{
+	char *path1, *path2, *tmp;
+	int pflag, cmdnum, i;
+	unsigned long n_arg;
+	Attrib a, *aa;
+	char path_buf[MAXPATHLEN];
+	int err = 0;
+	glob_t g;
+
+	path1 = path2 = NULL;
+	cmdnum = parse_args(&cmd, &pflag, &n_arg, &path1, &path2);
+
+	memset(&g, 0, sizeof(g));
+
+	/* Perform command */
+	switch (cmdnum) {
+	case -1:
+		break;
+	case I_GET:
+		err = process_get(in, out, path1, path2, *pwd, pflag);
+		break;
+	case I_PUT:
+		err = process_put(in, out, path1, path2, *pwd, pflag);
+		break;
+	case I_RENAME:
+		path1 = make_absolute(path1, *pwd);
+		path2 = make_absolute(path2, *pwd);
+		err = do_rename(in, out, path1, path2);
+		break;
+	case I_SYMLINK:
+		if (version < 3) {
+			error("The server (version %d) does not support "
+			    "this operation", version);
+			err = -1;
+		} else {
+			path2 = make_absolute(path2, *pwd);
+			err = do_symlink(in, out, path1, path2);
+		}
+		break;
+	case I_RM:
+		path1 = make_absolute(path1, *pwd);
+		remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g);
+		for(i = 0; g.gl_pathv[i]; i++) {
+			printf("Removing %s\n", g.gl_pathv[i]);
+			if (do_rm(in, out, g.gl_pathv[i]) == -1)
+				err = -1;
+		}
+		break;
+	case I_MKDIR:
+		path1 = make_absolute(path1, *pwd);
+		attrib_clear(&a);
+		a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS;
+		a.perm = 0777;
+		err = do_mkdir(in, out, path1, &a);
+		break;
+	case I_RMDIR:
+		path1 = make_absolute(path1, *pwd);
+		err = do_rmdir(in, out, path1);
+		break;
+	case I_CHDIR:
+		path1 = make_absolute(path1, *pwd);
+		if ((tmp = do_realpath(in, out, path1)) == NULL) {
+			err = 1;
+			break;
+		}
+		if ((aa = do_stat(in, out, tmp, 0)) == NULL) {
+			xfree(tmp);
+			err = 1;
+			break;
+		}
+		if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) {
+			error("Can't change directory: Can't check target");
+			xfree(tmp);
+			err = 1;
+			break;
+		}
+		if (!S_ISDIR(aa->perm)) {
+			error("Can't change directory: \"%s\" is not "
+			    "a directory", tmp);
+			xfree(tmp);
+			err = 1;
+			break;
+		}
+		xfree(*pwd);
+		*pwd = tmp;
+		break;
+	case I_LS:
+		if (!path1) {
+			do_ls(in, out, *pwd);
+			break;
+		}
+		path1 = make_absolute(path1, *pwd);
+		if ((tmp = do_realpath(in, out, path1)) == NULL)
+			break;
+		xfree(path1);
+		path1 = tmp;
+		if ((aa = do_stat(in, out, path1, 0)) == NULL)
+			break;
+		if ((aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) &&
+		    !S_ISDIR(aa->perm)) {
+			error("Can't ls: \"%s\" is not a directory", path1);
+			break;
+		}
+		do_ls(in, out, path1);
+		break;
+	case I_LCHDIR:
+		if (chdir(path1) == -1) {
+			error("Couldn't change local directory to "
+			    "\"%s\": %s", path1, strerror(errno));
+			err = 1;
+		}
+		break;
+	case I_LMKDIR:
+		if (mkdir(path1, 0777) == -1) {
+			error("Couldn't create local directory "
+			    "\"%s\": %s", path1, strerror(errno));
+			err = 1;
+		}
+		break;
+	case I_LLS:
+		local_do_ls(cmd);
+		break;
+	case I_SHELL:
+		local_do_shell(cmd);
+		break;
+	case I_LUMASK:
+		umask(n_arg);
+		printf("Local umask: %03lo\n", n_arg);
+		break;
+	case I_CHMOD:
+		path1 = make_absolute(path1, *pwd);
+		attrib_clear(&a);
+		a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS;
+		a.perm = n_arg;
+		remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g);
+		for(i = 0; g.gl_pathv[i]; i++) {
+			printf("Changing mode on %s\n", g.gl_pathv[i]);
+			do_setstat(in, out, g.gl_pathv[i], &a);
+		}
+		break;
+	case I_CHOWN:
+		path1 = make_absolute(path1, *pwd);
+		remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g);
+		for(i = 0; g.gl_pathv[i]; i++) {
+			if (!(aa = do_stat(in, out, g.gl_pathv[i], 0)))
+				continue;
+			if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) {
+				error("Can't get current ownership of "
+				    "remote file \"%s\"", g.gl_pathv[i]);
+				continue;
+			}
+			printf("Changing owner on %s\n", g.gl_pathv[i]);
+			aa->flags &= SSH2_FILEXFER_ATTR_UIDGID;
+			aa->uid = n_arg;
+			do_setstat(in, out, g.gl_pathv[i], aa);
+		}
+		break;
+	case I_CHGRP:
+		path1 = make_absolute(path1, *pwd);
+		remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g);
+		for(i = 0; g.gl_pathv[i]; i++) {
+			if (!(aa = do_stat(in, out, g.gl_pathv[i], 0)))
+				continue;
+			if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) {
+				error("Can't get current ownership of "
+				    "remote file \"%s\"", g.gl_pathv[i]);
+				continue;
+			}
+			printf("Changing group on %s\n", g.gl_pathv[i]);
+			aa->flags &= SSH2_FILEXFER_ATTR_UIDGID;
+			aa->gid = n_arg;
+			do_setstat(in, out, g.gl_pathv[i], aa);
+		}
+		break;
+	case I_PWD:
+		printf("Remote working directory: %s\n", *pwd);
+		break;
+	case I_LPWD:
+		if (!getcwd(path_buf, sizeof(path_buf)))
+			error("Couldn't get local cwd: %s",
+			    strerror(errno));
+		else
+			printf("Local working directory: %s\n",
+			    path_buf);
+		break;
+	case I_QUIT:
+		return(-1);
+	case I_HELP:
+		help();
+		break;
+	case I_VERSION:
+		printf("SFTP protocol version %d\n", version);
+		break;
+	default:
+		fatal("%d is not implemented", cmdnum);
+	}
+
+	if (g.gl_pathc)
+		globfree(&g);
+	if (path1)
+		xfree(path1);
+	if (path2)
+		xfree(path2);
+
+	/* If an error occurs in batch mode we should abort. */
+	if (infile != stdin && err > 0)
+		return -1;
+
+	return(0);
+}
+
+void
+interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
+{
+	char *pwd;
+	char *dir = NULL;
+	char cmd[2048];
+
+	version = do_init(fd_in, fd_out);
+	if (version == -1)
+		fatal("Couldn't initialise connection to server");
+
+	pwd = do_realpath(fd_in, fd_out, ".");
+	if (pwd == NULL)
+		fatal("Need cwd");
+
+	if (file1 != NULL) {
+		dir = xstrdup(file1);
+		dir = make_absolute(dir, pwd);
+
+		if (remote_is_dir(fd_in, fd_out, dir) && file2 == NULL) {
+			printf("Changing to: %s\n", dir);
+			snprintf(cmd, sizeof cmd, "cd \"%s\"", dir);
+			parse_dispatch_command(fd_in, fd_out, cmd, &pwd);
+		} else {
+			if (file2 == NULL)
+				snprintf(cmd, sizeof cmd, "get %s", dir);
+			else
+				snprintf(cmd, sizeof cmd, "get %s %s", dir,
+				    file2);
+
+			parse_dispatch_command(fd_in, fd_out, cmd, &pwd);
+			return;
+		}
+	}
+	setvbuf(stdout, NULL, _IOLBF, 0);
+	setvbuf(infile, NULL, _IOLBF, 0);
+
+	for(;;) {
+		char *cp;
+
+		printf("sftp> ");
+
+		/* XXX: use libedit */
+		if (fgets(cmd, sizeof(cmd), infile) == NULL) {
+			printf("\n");
+			break;
+		} else if (infile != stdin) /* Bluff typing */
+			printf("%s", cmd);
+
+		cp = strrchr(cmd, '\n');
+		if (cp)
+			*cp = '\0';
+
+		if (parse_dispatch_command(fd_in, fd_out, cmd, &pwd))
+			break;
+	}
+	xfree(pwd);
+}
diff --git a/crypto/openssh/sftp-int.h b/crypto/openssh/sftp-int.h
new file mode 100644
index 0000000..b47f862
--- /dev/null
+++ b/crypto/openssh/sftp-int.h
@@ -0,0 +1,27 @@
+/* $OpenBSD: sftp-int.h,v 1.2 2001/04/12 23:17:54 mouring Exp $ */
+
+/*
+ * Copyright (c) 2001 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+void interactive_loop(int fd_in, int fd_out, char *file1, char *file2);
diff --git a/crypto/openssh/sftp-server.8 b/crypto/openssh/sftp-server.8
new file mode 100644
index 0000000..afb233e
--- /dev/null
+++ b/crypto/openssh/sftp-server.8
@@ -0,0 +1,63 @@
+.\" $OpenBSD: sftp-server.8,v 1.6 2001/04/22 13:32:26 markus Exp $
+.\"
+.\" Copyright (c) 2000 Markus Friedl.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 30, 2000
+.Dt SFTP-SERVER 8
+.Os
+.Sh NAME
+.Nm sftp-server
+.Nd SFTP server subsystem
+.Sh SYNOPSIS
+.Nm sftp-server
+.Sh DESCRIPTION
+.Nm
+is a program that speaks the server side of SFTP protocol
+to stdout and expects client requests from stdin.
+.Nm
+is not intended to be called directly, but from
+.Xr sshd 8
+using the
+.Cm Subsystem
+option.
+See
+.Xr sshd 8
+for more information.
+.Sh SEE ALSO
+.Xr sftp 1 ,
+.Xr ssh 1 ,
+.Xr sshd 8
+.Rs
+.%A T. Ylonen
+.%A S. Lehtinen
+.%T "SSH File Transfer Protocol"
+.%N draft-ietf-secsh-filexfer-00.txt
+.%D January 2001
+.%O work in progress material
+.Re
+.Sh AUTHORS
+Markus Friedl <markus@openbsd.org>
+.Sh HISTORY
+.Nm
+first appeared in
+.Ox 2.8 .
diff --git a/crypto/openssh/sftp-server.c b/crypto/openssh/sftp-server.c
new file mode 100644
index 0000000..b49f861
--- /dev/null
+++ b/crypto/openssh/sftp-server.c
@@ -0,0 +1,1080 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$OpenBSD: sftp-server.c,v 1.25 2001/04/05 10:42:53 markus Exp $");
+
+#include "buffer.h"
+#include "bufaux.h"
+#include "getput.h"
+#include "log.h"
+#include "xmalloc.h"
+
+#include "sftp.h"
+#include "sftp-common.h"
+
+/* helper */
+#define get_int64()			buffer_get_int64(&iqueue);
+#define get_int()			buffer_get_int(&iqueue);
+#define get_string(lenp)		buffer_get_string(&iqueue, lenp);
+#define TRACE				debug
+
+/* input and output queue */
+Buffer iqueue;
+Buffer oqueue;
+
+/* Version of client */
+int version;
+
+/* portable attibutes, etc. */
+
+typedef struct Stat Stat;
+
+struct Stat {
+	char *name;
+	char *long_name;
+	Attrib attrib;
+};
+
+int
+errno_to_portable(int unixerrno)
+{
+	int ret = 0;
+
+	switch (unixerrno) {
+	case 0:
+		ret = SSH2_FX_OK;
+		break;
+	case ENOENT:
+	case ENOTDIR:
+	case EBADF:
+	case ELOOP:
+		ret = SSH2_FX_NO_SUCH_FILE;
+		break;
+	case EPERM:
+	case EACCES:
+	case EFAULT:
+		ret = SSH2_FX_PERMISSION_DENIED;
+		break;
+	case ENAMETOOLONG:
+	case EINVAL:
+		ret = SSH2_FX_BAD_MESSAGE;
+		break;
+	default:
+		ret = SSH2_FX_FAILURE;
+		break;
+	}
+	return ret;
+}
+
+int
+flags_from_portable(int pflags)
+{
+	int flags = 0;
+
+	if ((pflags & SSH2_FXF_READ) &&
+	    (pflags & SSH2_FXF_WRITE)) {
+		flags = O_RDWR;
+	} else if (pflags & SSH2_FXF_READ) {
+		flags = O_RDONLY;
+	} else if (pflags & SSH2_FXF_WRITE) {
+		flags = O_WRONLY;
+	}
+	if (pflags & SSH2_FXF_CREAT)
+		flags |= O_CREAT;
+	if (pflags & SSH2_FXF_TRUNC)
+		flags |= O_TRUNC;
+	if (pflags & SSH2_FXF_EXCL)
+		flags |= O_EXCL;
+	return flags;
+}
+
+Attrib *
+get_attrib(void)
+{
+	return decode_attrib(&iqueue);
+}
+
+/* handle handles */
+
+typedef struct Handle Handle;
+struct Handle {
+	int use;
+	DIR *dirp;
+	int fd;
+	char *name;
+};
+
+enum {
+	HANDLE_UNUSED,
+	HANDLE_DIR,
+	HANDLE_FILE
+};
+
+Handle	handles[100];
+
+void
+handle_init(void)
+{
+	int i;
+
+	for(i = 0; i < sizeof(handles)/sizeof(Handle); i++)
+		handles[i].use = HANDLE_UNUSED;
+}
+
+int
+handle_new(int use, char *name, int fd, DIR *dirp)
+{
+	int i;
+
+	for(i = 0; i < sizeof(handles)/sizeof(Handle); i++) {
+		if (handles[i].use == HANDLE_UNUSED) {
+			handles[i].use = use;
+			handles[i].dirp = dirp;
+			handles[i].fd = fd;
+			handles[i].name = name;
+			return i;
+		}
+	}
+	return -1;
+}
+
+int
+handle_is_ok(int i, int type)
+{
+	return i >= 0 && i < sizeof(handles)/sizeof(Handle) &&
+	    handles[i].use == type;
+}
+
+int
+handle_to_string(int handle, char **stringp, int *hlenp)
+{
+	if (stringp == NULL || hlenp == NULL)
+		return -1;
+	*stringp = xmalloc(sizeof(int32_t));
+	PUT_32BIT(*stringp, handle);
+	*hlenp = sizeof(int32_t);
+	return 0;
+}
+
+int
+handle_from_string(char *handle, u_int hlen)
+{
+	int val;
+
+	if (hlen != sizeof(int32_t))
+		return -1;
+	val = GET_32BIT(handle);
+	if (handle_is_ok(val, HANDLE_FILE) ||
+	    handle_is_ok(val, HANDLE_DIR))
+		return val;
+	return -1;
+}
+
+char *
+handle_to_name(int handle)
+{
+	if (handle_is_ok(handle, HANDLE_DIR)||
+	    handle_is_ok(handle, HANDLE_FILE))
+		return handles[handle].name;
+	return NULL;
+}
+
+DIR *
+handle_to_dir(int handle)
+{
+	if (handle_is_ok(handle, HANDLE_DIR))
+		return handles[handle].dirp;
+	return NULL;
+}
+
+int
+handle_to_fd(int handle)
+{
+	if (handle_is_ok(handle, HANDLE_FILE))
+		return handles[handle].fd;
+	return -1;
+}
+
+int
+handle_close(int handle)
+{
+	int ret = -1;
+
+	if (handle_is_ok(handle, HANDLE_FILE)) {
+		ret = close(handles[handle].fd);
+		handles[handle].use = HANDLE_UNUSED;
+	} else if (handle_is_ok(handle, HANDLE_DIR)) {
+		ret = closedir(handles[handle].dirp);
+		handles[handle].use = HANDLE_UNUSED;
+	} else {
+		errno = ENOENT;
+	}
+	return ret;
+}
+
+int
+get_handle(void)
+{
+	char *handle;
+	int val = -1;
+	u_int hlen;
+
+	handle = get_string(&hlen);
+	if (hlen < 256)
+		val = handle_from_string(handle, hlen);
+	xfree(handle);
+	return val;
+}
+
+/* send replies */
+
+void
+send_msg(Buffer *m)
+{
+	int mlen = buffer_len(m);
+
+	buffer_put_int(&oqueue, mlen);
+	buffer_append(&oqueue, buffer_ptr(m), mlen);
+	buffer_consume(m, mlen);
+}
+
+void
+send_status(u_int32_t id, u_int32_t error)
+{
+	Buffer msg;
+	const char *status_messages[] = {
+		"Success",			/* SSH_FX_OK */
+		"End of file",			/* SSH_FX_EOF */
+		"No such file",			/* SSH_FX_NO_SUCH_FILE */
+		"Permission denied",		/* SSH_FX_PERMISSION_DENIED */
+		"Failure",			/* SSH_FX_FAILURE */
+		"Bad message",			/* SSH_FX_BAD_MESSAGE */
+		"No connection",		/* SSH_FX_NO_CONNECTION */
+		"Connection lost",		/* SSH_FX_CONNECTION_LOST */
+		"Operation unsupported",	/* SSH_FX_OP_UNSUPPORTED */
+		"Unknown error"			/* Others */
+	};
+
+	TRACE("sent status id %d error %d", id, error);
+	buffer_init(&msg);
+	buffer_put_char(&msg, SSH2_FXP_STATUS);
+	buffer_put_int(&msg, id);
+	buffer_put_int(&msg, error);
+	if (version >= 3) {
+		buffer_put_cstring(&msg,
+		    status_messages[MIN(error,SSH2_FX_MAX)]);
+		buffer_put_cstring(&msg, "");
+	}
+	send_msg(&msg);
+	buffer_free(&msg);
+}
+void
+send_data_or_handle(char type, u_int32_t id, char *data, int dlen)
+{
+	Buffer msg;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, type);
+	buffer_put_int(&msg, id);
+	buffer_put_string(&msg, data, dlen);
+	send_msg(&msg);
+	buffer_free(&msg);
+}
+
+void
+send_data(u_int32_t id, char *data, int dlen)
+{
+	TRACE("sent data id %d len %d", id, dlen);
+	send_data_or_handle(SSH2_FXP_DATA, id, data, dlen);
+}
+
+void
+send_handle(u_int32_t id, int handle)
+{
+	char *string;
+	int hlen;
+
+	handle_to_string(handle, &string, &hlen);
+	TRACE("sent handle id %d handle %d", id, handle);
+	send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen);
+	xfree(string);
+}
+
+void
+send_names(u_int32_t id, int count, Stat *stats)
+{
+	Buffer msg;
+	int i;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, SSH2_FXP_NAME);
+	buffer_put_int(&msg, id);
+	buffer_put_int(&msg, count);
+	TRACE("sent names id %d count %d", id, count);
+	for (i = 0; i < count; i++) {
+		buffer_put_cstring(&msg, stats[i].name);
+		buffer_put_cstring(&msg, stats[i].long_name);
+		encode_attrib(&msg, &stats[i].attrib);
+	}
+	send_msg(&msg);
+	buffer_free(&msg);
+}
+
+void
+send_attrib(u_int32_t id, Attrib *a)
+{
+	Buffer msg;
+
+	TRACE("sent attrib id %d have 0x%x", id, a->flags);
+	buffer_init(&msg);
+	buffer_put_char(&msg, SSH2_FXP_ATTRS);
+	buffer_put_int(&msg, id);
+	encode_attrib(&msg, a);
+	send_msg(&msg);
+	buffer_free(&msg);
+}
+
+/* parse incoming */
+
+void
+process_init(void)
+{
+	Buffer msg;
+
+	version = buffer_get_int(&iqueue);
+	TRACE("client version %d", version);
+	buffer_init(&msg);
+	buffer_put_char(&msg, SSH2_FXP_VERSION);
+	buffer_put_int(&msg, SSH2_FILEXFER_VERSION);
+	send_msg(&msg);
+	buffer_free(&msg);
+}
+
+void
+process_open(void)
+{
+	u_int32_t id, pflags;
+	Attrib *a;
+	char *name;
+	int handle, fd, flags, mode, status = SSH2_FX_FAILURE;
+
+	id = get_int();
+	name = get_string(NULL);
+	pflags = get_int();		/* portable flags */
+	a = get_attrib();
+	flags = flags_from_portable(pflags);
+	mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
+	TRACE("open id %d name %s flags %d mode 0%o", id, name, pflags, mode);
+	fd = open(name, flags, mode);
+	if (fd < 0) {
+		status = errno_to_portable(errno);
+	} else {
+		handle = handle_new(HANDLE_FILE, xstrdup(name), fd, NULL);
+		if (handle < 0) {
+			close(fd);
+		} else {
+			send_handle(id, handle);
+			status = SSH2_FX_OK;
+		}
+	}
+	if (status != SSH2_FX_OK)
+		send_status(id, status);
+	xfree(name);
+}
+
+void
+process_close(void)
+{
+	u_int32_t id;
+	int handle, ret, status = SSH2_FX_FAILURE;
+
+	id = get_int();
+	handle = get_handle();
+	TRACE("close id %d handle %d", id, handle);
+	ret = handle_close(handle);
+	status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+	send_status(id, status);
+}
+
+void
+process_read(void)
+{
+	char buf[64*1024];
+	u_int32_t id, len;
+	int handle, fd, ret, status = SSH2_FX_FAILURE;
+	u_int64_t off;
+
+	id = get_int();
+	handle = get_handle();
+	off = get_int64();
+	len = get_int();
+
+	TRACE("read id %d handle %d off %llu len %d", id, handle,
+	    (unsigned long long)off, len);
+	if (len > sizeof buf) {
+		len = sizeof buf;
+		log("read change len %d", len);
+	}
+	fd = handle_to_fd(handle);
+	if (fd >= 0) {
+		if (lseek(fd, off, SEEK_SET) < 0) {
+			error("process_read: seek failed");
+			status = errno_to_portable(errno);
+		} else {
+			ret = read(fd, buf, len);
+			if (ret < 0) {
+				status = errno_to_portable(errno);
+			} else if (ret == 0) {
+				status = SSH2_FX_EOF;
+			} else {
+				send_data(id, buf, ret);
+				status = SSH2_FX_OK;
+			}
+		}
+	}
+	if (status != SSH2_FX_OK)
+		send_status(id, status);
+}
+
+void
+process_write(void)
+{
+	u_int32_t id;
+	u_int64_t off;
+	u_int len;
+	int handle, fd, ret, status = SSH2_FX_FAILURE;
+	char *data;
+
+	id = get_int();
+	handle = get_handle();
+	off = get_int64();
+	data = get_string(&len);
+
+	TRACE("write id %d handle %d off %llu len %d", id, handle,
+	    (unsigned long long)off, len);
+	fd = handle_to_fd(handle);
+	if (fd >= 0) {
+		if (lseek(fd, off, SEEK_SET) < 0) {
+			status = errno_to_portable(errno);
+			error("process_write: seek failed");
+		} else {
+/* XXX ATOMICIO ? */
+			ret = write(fd, data, len);
+			if (ret == -1) {
+				error("process_write: write failed");
+				status = errno_to_portable(errno);
+			} else if (ret == len) {
+				status = SSH2_FX_OK;
+			} else {
+				log("nothing at all written");
+			}
+		}
+	}
+	send_status(id, status);
+	xfree(data);
+}
+
+void
+process_do_stat(int do_lstat)
+{
+	Attrib a;
+	struct stat st;
+	u_int32_t id;
+	char *name;
+	int ret, status = SSH2_FX_FAILURE;
+
+	id = get_int();
+	name = get_string(NULL);
+	TRACE("%sstat id %d name %s", do_lstat ? "l" : "", id, name);
+	ret = do_lstat ? lstat(name, &st) : stat(name, &st);
+	if (ret < 0) {
+		status = errno_to_portable(errno);
+	} else {
+		stat_to_attrib(&st, &a);
+		send_attrib(id, &a);
+		status = SSH2_FX_OK;
+	}
+	if (status != SSH2_FX_OK)
+		send_status(id, status);
+	xfree(name);
+}
+
+void
+process_stat(void)
+{
+	process_do_stat(0);
+}
+
+void
+process_lstat(void)
+{
+	process_do_stat(1);
+}
+
+void
+process_fstat(void)
+{
+	Attrib a;
+	struct stat st;
+	u_int32_t id;
+	int fd, ret, handle, status = SSH2_FX_FAILURE;
+
+	id = get_int();
+	handle = get_handle();
+	TRACE("fstat id %d handle %d", id, handle);
+	fd = handle_to_fd(handle);
+	if (fd  >= 0) {
+		ret = fstat(fd, &st);
+		if (ret < 0) {
+			status = errno_to_portable(errno);
+		} else {
+			stat_to_attrib(&st, &a);
+			send_attrib(id, &a);
+			status = SSH2_FX_OK;
+		}
+	}
+	if (status != SSH2_FX_OK)
+		send_status(id, status);
+}
+
+struct timeval *
+attrib_to_tv(Attrib *a)
+{
+	static struct timeval tv[2];
+
+	tv[0].tv_sec = a->atime;
+	tv[0].tv_usec = 0;
+	tv[1].tv_sec = a->mtime;
+	tv[1].tv_usec = 0;
+	return tv;
+}
+
+void
+process_setstat(void)
+{
+	Attrib *a;
+	u_int32_t id;
+	char *name;
+	int ret;
+	int status = SSH2_FX_OK;
+
+	id = get_int();
+	name = get_string(NULL);
+	a = get_attrib();
+	TRACE("setstat id %d name %s", id, name);
+	if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
+		ret = chmod(name, a->perm & 0777);
+		if (ret == -1)
+			status = errno_to_portable(errno);
+	}
+	if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
+		ret = utimes(name, attrib_to_tv(a));
+		if (ret == -1)
+			status = errno_to_portable(errno);
+	}
+	if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
+		ret = chown(name, a->uid, a->gid);
+		if (ret == -1)
+			status = errno_to_portable(errno);
+	}
+	send_status(id, status);
+	xfree(name);
+}
+
+void
+process_fsetstat(void)
+{
+	Attrib *a;
+	u_int32_t id;
+	int handle, fd, ret;
+	int status = SSH2_FX_OK;
+
+	id = get_int();
+	handle = get_handle();
+	a = get_attrib();
+	TRACE("fsetstat id %d handle %d", id, handle);
+	fd = handle_to_fd(handle);
+	if (fd < 0) {
+		status = SSH2_FX_FAILURE;
+	} else {
+		if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
+			ret = fchmod(fd, a->perm & 0777);
+			if (ret == -1)
+				status = errno_to_portable(errno);
+		}
+		if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
+			ret = futimes(fd, attrib_to_tv(a));
+			if (ret == -1)
+				status = errno_to_portable(errno);
+		}
+		if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
+			ret = fchown(fd, a->uid, a->gid);
+			if (ret == -1)
+				status = errno_to_portable(errno);
+		}
+	}
+	send_status(id, status);
+}
+
+void
+process_opendir(void)
+{
+	DIR *dirp = NULL;
+	char *path;
+	int handle, status = SSH2_FX_FAILURE;
+	u_int32_t id;
+
+	id = get_int();
+	path = get_string(NULL);
+	TRACE("opendir id %d path %s", id, path);
+	dirp = opendir(path);
+	if (dirp == NULL) {
+		status = errno_to_portable(errno);
+	} else {
+		handle = handle_new(HANDLE_DIR, xstrdup(path), 0, dirp);
+		if (handle < 0) {
+			closedir(dirp);
+		} else {
+			send_handle(id, handle);
+			status = SSH2_FX_OK;
+		}
+
+	}
+	if (status != SSH2_FX_OK)
+		send_status(id, status);
+	xfree(path);
+}
+
+/*
+ * drwxr-xr-x    5 markus   markus       1024 Jan 13 18:39 .ssh
+ */
+char *
+ls_file(char *name, struct stat *st)
+{
+	int sz = 0;
+	struct passwd *pw;
+	struct group *gr;
+	struct tm *ltime = localtime(&st->st_mtime);
+	char *user, *group;
+	char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
+
+	strmode(st->st_mode, mode);
+	if ((pw = getpwuid(st->st_uid)) != NULL) {
+		user = pw->pw_name;
+	} else {
+		snprintf(ubuf, sizeof ubuf, "%d", st->st_uid);
+		user = ubuf;
+	}
+	if ((gr = getgrgid(st->st_gid)) != NULL) {
+		group = gr->gr_name;
+	} else {
+		snprintf(gbuf, sizeof gbuf, "%d", st->st_gid);
+		group = gbuf;
+	}
+	if (ltime != NULL) {
+		if (time(NULL) - st->st_mtime < (365*24*60*60)/2)
+			sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime);
+		else
+			sz = strftime(tbuf, sizeof tbuf, "%b %e  %Y", ltime);
+	}
+	if (sz == 0)
+		tbuf[0] = '\0';
+	snprintf(buf, sizeof buf, "%s %3d %-8.8s %-8.8s %8llu %s %s", mode,
+	    st->st_nlink, user, group, (unsigned long long)st->st_size, tbuf, name);
+	return xstrdup(buf);
+}
+
+void
+process_readdir(void)
+{
+	DIR *dirp;
+	struct dirent *dp;
+	char *path;
+	int handle;
+	u_int32_t id;
+
+	id = get_int();
+	handle = get_handle();
+	TRACE("readdir id %d handle %d", id, handle);
+	dirp = handle_to_dir(handle);
+	path = handle_to_name(handle);
+	if (dirp == NULL || path == NULL) {
+		send_status(id, SSH2_FX_FAILURE);
+	} else {
+		struct stat st;
+		char pathname[1024];
+		Stat *stats;
+		int nstats = 10, count = 0, i;
+		stats = xmalloc(nstats * sizeof(Stat));
+		while ((dp = readdir(dirp)) != NULL) {
+			if (count >= nstats) {
+				nstats *= 2;
+				stats = xrealloc(stats, nstats * sizeof(Stat));
+			}
+/* XXX OVERFLOW ? */
+			snprintf(pathname, sizeof pathname,
+			    "%s/%s", path, dp->d_name);
+			if (lstat(pathname, &st) < 0)
+				continue;
+			stat_to_attrib(&st, &(stats[count].attrib));
+			stats[count].name = xstrdup(dp->d_name);
+			stats[count].long_name = ls_file(dp->d_name, &st);
+			count++;
+			/* send up to 100 entries in one message */
+			/* XXX check packet size instead */
+			if (count == 100)
+				break;
+		}
+		if (count > 0) {
+			send_names(id, count, stats);
+			for(i = 0; i < count; i++) {
+				xfree(stats[i].name);
+				xfree(stats[i].long_name);
+			}
+		} else {
+			send_status(id, SSH2_FX_EOF);
+		}
+		xfree(stats);
+	}
+}
+
+void
+process_remove(void)
+{
+	char *name;
+	u_int32_t id;
+	int status = SSH2_FX_FAILURE;
+	int ret;
+
+	id = get_int();
+	name = get_string(NULL);
+	TRACE("remove id %d name %s", id, name);
+	ret = unlink(name);
+	status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+	send_status(id, status);
+	xfree(name);
+}
+
+void
+process_mkdir(void)
+{
+	Attrib *a;
+	u_int32_t id;
+	char *name;
+	int ret, mode, status = SSH2_FX_FAILURE;
+
+	id = get_int();
+	name = get_string(NULL);
+	a = get_attrib();
+	mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
+	    a->perm & 0777 : 0777;
+	TRACE("mkdir id %d name %s mode 0%o", id, name, mode);
+	ret = mkdir(name, mode);
+	status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+	send_status(id, status);
+	xfree(name);
+}
+
+void
+process_rmdir(void)
+{
+	u_int32_t id;
+	char *name;
+	int ret, status;
+
+	id = get_int();
+	name = get_string(NULL);
+	TRACE("rmdir id %d name %s", id, name);
+	ret = rmdir(name);
+	status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+	send_status(id, status);
+	xfree(name);
+}
+
+void
+process_realpath(void)
+{
+	char resolvedname[MAXPATHLEN];
+	u_int32_t id;
+	char *path;
+
+	id = get_int();
+	path = get_string(NULL);
+	if (path[0] == '\0') {
+		xfree(path);
+		path = xstrdup(".");
+	}
+	TRACE("realpath id %d path %s", id, path);
+	if (realpath(path, resolvedname) == NULL) {
+		send_status(id, errno_to_portable(errno));
+	} else {
+		Stat s;
+		attrib_clear(&s.attrib);
+		s.name = s.long_name = resolvedname;
+		send_names(id, 1, &s);
+	}
+	xfree(path);
+}
+
+void
+process_rename(void)
+{
+	u_int32_t id;
+	struct stat st;
+	char *oldpath, *newpath;
+	int ret, status = SSH2_FX_FAILURE;
+
+	id = get_int();
+	oldpath = get_string(NULL);
+	newpath = get_string(NULL);
+	TRACE("rename id %d old %s new %s", id, oldpath, newpath);
+	/* fail if 'newpath' exists */
+	if (stat(newpath, &st) == -1) {
+		ret = rename(oldpath, newpath);
+		status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+	}
+	send_status(id, status);
+	xfree(oldpath);
+	xfree(newpath);
+}
+
+void
+process_readlink(void)
+{
+	u_int32_t id;
+	char link[MAXPATHLEN];
+	char *path;
+
+	id = get_int();
+	path = get_string(NULL);
+	TRACE("readlink id %d path %s", id, path);
+	if (readlink(path, link, sizeof(link) - 1) == -1)
+		send_status(id, errno_to_portable(errno));
+	else {
+		Stat s;
+		
+		link[sizeof(link) - 1] = '\0';
+		attrib_clear(&s.attrib);
+		s.name = s.long_name = link;
+		send_names(id, 1, &s);
+	}
+	xfree(path);
+}
+
+void
+process_symlink(void)
+{
+	u_int32_t id;
+	struct stat st;
+	char *oldpath, *newpath;
+	int ret, status = SSH2_FX_FAILURE;
+
+	id = get_int();
+	oldpath = get_string(NULL);
+	newpath = get_string(NULL);
+	TRACE("symlink id %d old %s new %s", id, oldpath, newpath);
+	/* fail if 'newpath' exists */
+	if (stat(newpath, &st) == -1) {
+		ret = symlink(oldpath, newpath);
+		status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+	}
+	send_status(id, status);
+	xfree(oldpath);
+	xfree(newpath);
+}
+
+void
+process_extended(void)
+{
+	u_int32_t id;
+	char *request;
+
+	id = get_int();
+	request = get_string(NULL);
+	send_status(id, SSH2_FX_OP_UNSUPPORTED);		/* MUST */
+	xfree(request);
+}
+
+/* stolen from ssh-agent */
+
+void
+process(void)
+{
+	u_int msg_len;
+	u_int type;
+	u_char *cp;
+
+	if (buffer_len(&iqueue) < 5)
+		return;		/* Incomplete message. */
+	cp = (u_char *) buffer_ptr(&iqueue);
+	msg_len = GET_32BIT(cp);
+	if (msg_len > 256 * 1024) {
+		error("bad message ");
+		exit(11);
+	}
+	if (buffer_len(&iqueue) < msg_len + 4)
+		return;
+	buffer_consume(&iqueue, 4);
+	type = buffer_get_char(&iqueue);
+	switch (type) {
+	case SSH2_FXP_INIT:
+		process_init();
+		break;
+	case SSH2_FXP_OPEN:
+		process_open();
+		break;
+	case SSH2_FXP_CLOSE:
+		process_close();
+		break;
+	case SSH2_FXP_READ:
+		process_read();
+		break;
+	case SSH2_FXP_WRITE:
+		process_write();
+		break;
+	case SSH2_FXP_LSTAT:
+		process_lstat();
+		break;
+	case SSH2_FXP_FSTAT:
+		process_fstat();
+		break;
+	case SSH2_FXP_SETSTAT:
+		process_setstat();
+		break;
+	case SSH2_FXP_FSETSTAT:
+		process_fsetstat();
+		break;
+	case SSH2_FXP_OPENDIR:
+		process_opendir();
+		break;
+	case SSH2_FXP_READDIR:
+		process_readdir();
+		break;
+	case SSH2_FXP_REMOVE:
+		process_remove();
+		break;
+	case SSH2_FXP_MKDIR:
+		process_mkdir();
+		break;
+	case SSH2_FXP_RMDIR:
+		process_rmdir();
+		break;
+	case SSH2_FXP_REALPATH:
+		process_realpath();
+		break;
+	case SSH2_FXP_STAT:
+		process_stat();
+		break;
+	case SSH2_FXP_RENAME:
+		process_rename();
+		break;
+	case SSH2_FXP_READLINK:
+		process_readlink();
+		break;
+	case SSH2_FXP_SYMLINK:
+		process_symlink();
+		break;
+	case SSH2_FXP_EXTENDED:
+		process_extended();
+		break;
+	default:
+		error("Unknown message %d", type);
+		break;
+	}
+}
+
+int
+main(int ac, char **av)
+{
+	fd_set *rset, *wset;
+	int in, out, max;
+	ssize_t len, olen, set_size;
+
+	/* XXX should use getopt */
+
+	handle_init();
+
+#ifdef DEBUG_SFTP_SERVER
+	log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0);
+#endif
+
+	in = dup(STDIN_FILENO);
+	out = dup(STDOUT_FILENO);
+
+	max = 0;
+	if (in > max)
+		max = in;
+	if (out > max)
+		max = out;
+
+	buffer_init(&iqueue);
+	buffer_init(&oqueue);
+
+	set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask);
+	rset = (fd_set *)xmalloc(set_size);
+	wset = (fd_set *)xmalloc(set_size);
+
+	for (;;) {
+		memset(rset, 0, set_size);
+		memset(wset, 0, set_size);
+
+		FD_SET(in, rset);
+		olen = buffer_len(&oqueue);
+		if (olen > 0)
+			FD_SET(out, wset);
+
+		if (select(max+1, rset, wset, NULL, NULL) < 0) {
+			if (errno == EINTR)
+				continue;
+			exit(2);
+		}
+
+		/* copy stdin to iqueue */
+		if (FD_ISSET(in, rset)) {
+			char buf[4*4096];
+			len = read(in, buf, sizeof buf);
+			if (len == 0) {
+				debug("read eof");
+				exit(0);
+			} else if (len < 0) {
+				error("read error");
+				exit(1);
+			} else {
+				buffer_append(&iqueue, buf, len);
+			}
+		}
+		/* send oqueue to stdout */
+		if (FD_ISSET(out, wset)) {
+			len = write(out, buffer_ptr(&oqueue), olen);
+			if (len < 0) {
+				error("write error");
+				exit(1);
+			} else {
+				buffer_consume(&oqueue, len);
+			}
+		}
+		/* process requests from client */
+		process();
+	}
+}
diff --git a/crypto/openssh/sftp-server/Makefile b/crypto/openssh/sftp-server/Makefile
new file mode 100644
index 0000000..e068239
--- /dev/null
+++ b/crypto/openssh/sftp-server/Makefile
@@ -0,0 +1,18 @@
+#	$OpenBSD: Makefile,v 1.5 2001/03/03 23:59:36 markus Exp $
+
+.PATH:		${.CURDIR}/..
+
+PROG=	sftp-server
+BINOWN=	root
+
+BINMODE?=555
+
+BINDIR=	/usr/libexec
+MAN=	sftp-server.8
+
+SRCS=	sftp-server.c sftp-common.c
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto
+DPADD+=	${LIBCRYPTO}
diff --git a/crypto/openssh/sftp.1 b/crypto/openssh/sftp.1
new file mode 100644
index 0000000..b482996
--- /dev/null
+++ b/crypto/openssh/sftp.1
@@ -0,0 +1,222 @@
+.\" $OpenBSD: sftp.1,v 1.17 2001/04/22 13:32:27 markus Exp $
+.\"
+.\" Copyright (c) 2001 Damien Miller.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd February 4, 2001
+.Dt SFTP 1
+.Os
+.Sh NAME
+.Nm sftp
+.Nd Secure file transfer program
+.Sh SYNOPSIS
+.Nm sftp
+.Op Fl vC
+.Op Fl b Ar batchfile
+.Op Fl o Ar ssh_option
+.Op Ar host
+.Nm sftp
+.Op [\fIuser\fR@]\fIhost\fR[:\fIfile\fR [\fIfile\fR]]
+.Nm sftp
+.Op [\fIuser\fR@]\fIhost\fR[:\fIdir\fR[\fI/\fR]] 
+.Sh DESCRIPTION
+.Nm
+is an interactive file transfer program, similar to
+.Xr ftp 1 ,
+which performs all operations over an encrypted
+.Xr ssh 1
+transport.
+It may also use many features of ssh, such as public key authentication and
+compression.
+.Nm
+connects and logs into the specified
+.Ar hostname ,
+then enters an interactive command mode.
+.Pp
+The second usage format will fetch files automaticly if a non-interactive 
+authentication is used, else it do so after an interactive authentication 
+is used.
+.Pp
+The last usage format allows the sftp client to start in a remote directory.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl b Ar batchfile
+Batch mode reads a series of commands from an input
+.Ar batchfile
+instead of
+.Em stdin .
+Since it lacks user interaction it should be used in conjunction with
+non-interactive authentication.
+.Nm
+will abort if any of the following 
+commands fail: 
+.Ic get , put , rename , ln , rm , mkdir , chdir , lchdir
+and
+.Ic lmkdir .
+.It Fl C
+Enables compression (via ssh's 
+.Fl C
+flag)
+.It Fl o Ar ssh_option
+Specify an option to be directly passed to
+.Xr ssh 1 .
+.It Fl v
+Raise logging level. This option is also passed to ssh.
+.El
+.Sh INTERACTIVE COMMANDS
+Once in interactive mode,
+.Nm
+understands a set of commands similar to those of 
+.Xr ftp 1 .
+Commands are case insensitive and pathnames may be enclosed in quotes if they
+contain spaces.
+.Bl -tag -width Ds
+.It Ic cd Ar path
+Change remote directory to 
+.Ar path .
+.It Ic lcd Ar path
+Change local directory to 
+.Ar path .
+.It Ic chgrp Ar grp Ar path
+Change group of file 
+.Ar path
+to
+.Ar grp .
+.Ar grp
+must be a numeric GID.
+.It Ic chmod Ar mode Ar path
+Change permissions of file 
+.Ar path
+to
+.Ar mode .
+.It Ic chown Ar own Ar path
+Change owner of file 
+.Ar path
+to
+.Ar own .
+.Ar own
+must be a numeric UID.
+.It Ic exit
+Quit sftp.
+.It Xo Ic get
+.Op Ar flags
+.Ar remote-path
+.Op Ar local-path
+.Xc
+Retrieve the
+.Ar remote-path
+and store it on the local machine.
+If the local
+path name is not specified, it is given the same name it has on the 
+remote machine. If the 
+.Fl P
+flag is specified, then the file's full permission and access time are
+copied too.
+.It Ic help
+Display help text.
+.It Ic lls Op Ar ls-options Op Ar path
+Display local directory listing of either 
+.Ar path
+or current directory if
+.Ar path
+is not specified.
+.It Ic lmkdir Ar path
+Create local directory specified by
+.Ar path .
+.It Ic ln Ar oldpath Ar newpath
+Create a symbolic link from 
+.Ar oldpath
+to
+.Ar newpath .
+.It Ic lpwd
+Print local working directory.
+.It Ic ls Op Ar path
+Display remote directory listing of either
+.Ar path
+or current directory if
+.Ar path
+is not specified.
+.It Ic lumask Ar umask
+Set local umask to 
+.Ar umask .
+.It Ic mkdir Ar path
+Create remote directory specified by
+.Ar path .
+.It Xo Ic put
+.Op Ar flags
+.Ar local-path
+.Op Ar local-path
+.Xc
+Upload
+.Ar local-path
+and store it on the remote machine. If the remote path name is not 
+specified, it is given the same name it has on the local machine. If the 
+.Fl P
+flag is specified, then the file's full permission and access time are
+copied too.
+.It Ic pwd
+Display remote working directory.
+.It Ic quit
+Quit sftp.
+.It Ic rename Ar oldpath Ar newpath
+Rename remote file from
+.Ar oldpath
+to
+.Ar newpath .
+.It Ic rmdir Ar path
+Remove remote directory specified by
+.Ar path .
+.It Ic rm Ar path
+Delete remote file specified by
+.Ar path .
+.It Ic symlink Ar oldpath Ar newpath
+Create a symbolic link from 
+.Ar oldpath
+to
+.Ar newpath .
+.It Ic ! Ar command
+Execute 
+.Ar command
+in local shell.
+.It Ic !
+Escape to local shell.
+.It Ic ?
+Synonym for help.
+.El
+.Sh AUTHORS
+Damien Miller <djm@mindrot.org>
+.Sh SEE ALSO
+.Xr scp 1 ,
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sftp-server 8 ,
+.Xr sshd 8
+.Rs
+.%A T. Ylonen
+.%A S. Lehtinen
+.%T "SSH File Transfer Protocol"
+.%N draft-ietf-secsh-filexfer-00.txt
+.%D January 2001
+.%O work in progress material
+.Re
diff --git a/crypto/openssh/sftp.c b/crypto/openssh/sftp.c
new file mode 100644
index 0000000..2c57bef
--- /dev/null
+++ b/crypto/openssh/sftp.c
@@ -0,0 +1,271 @@
+/*
+ * Copyright (c) 2001 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+RCSID("$OpenBSD: sftp.c,v 1.15 2001/04/16 02:31:44 mouring Exp $");
+
+/* XXX: commandline mode */
+/* XXX: short-form remote directory listings (like 'ls -C') */
+
+#include "buffer.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "pathnames.h"
+
+#include "sftp.h"
+#include "sftp-common.h"
+#include "sftp-client.h"
+#include "sftp-int.h"
+
+#include "scp-common.h"
+
+int use_ssh1 = 0;
+char *ssh_program = _PATH_SSH_PROGRAM;
+char *sftp_server = NULL;
+FILE* infile;
+
+void
+connect_to_server(char **args, int *in, int *out, pid_t *sshpid)
+{
+	int c_in, c_out;
+#ifdef USE_PIPES
+	int pin[2], pout[2];
+	if ((pipe(pin) == -1) || (pipe(pout) == -1))
+		fatal("pipe: %s", strerror(errno));
+	*in = pin[0];
+	*out = pout[1];
+	c_in = pout[0];
+	c_out = pin[1];
+#else /* USE_PIPES */
+	int inout[2];
+	if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) == -1)
+		fatal("socketpair: %s", strerror(errno));
+	*in = *out = inout[0];
+	c_in = c_out = inout[1];
+#endif /* USE_PIPES */
+
+	if ((*sshpid = fork()) == -1)
+		fatal("fork: %s", strerror(errno));
+	else if (*sshpid == 0) {
+		if ((dup2(c_in, STDIN_FILENO) == -1) ||
+		    (dup2(c_out, STDOUT_FILENO) == -1)) {
+			fprintf(stderr, "dup2: %s\n", strerror(errno));
+			exit(1);
+		}
+		close(*in);
+		close(*out);
+		close(c_in);
+		close(c_out);
+		execv(ssh_program, args);
+		fprintf(stderr, "exec: %s: %s\n", ssh_program, strerror(errno));
+		exit(1);
+	}
+
+	close(c_in);
+	close(c_out);
+}
+
+char **
+make_ssh_args(char *add_arg)
+{
+	static char **args = NULL;
+	static int nargs = 0;
+	char debug_buf[4096];
+	int i;
+
+	/* Init args array */
+	if (args == NULL) {
+		nargs = 2;
+		i = 0;
+		args = xmalloc(sizeof(*args) * nargs);
+		args[i++] = "ssh";
+		args[i++] = NULL;
+	}
+
+	/* If asked to add args, then do so and return */
+	if (add_arg) {
+		i = nargs++ - 1;
+		args = xrealloc(args, sizeof(*args) * nargs);
+		args[i++] = add_arg;
+		args[i++] = NULL;
+		return(NULL);
+	}
+
+	/* no subsystem if the server-spec contains a '/' */
+	if (sftp_server == NULL || strchr(sftp_server, '/') == NULL)
+		make_ssh_args("-s");
+	make_ssh_args("-oForwardX11=no");
+	make_ssh_args("-oForwardAgent=no");
+	make_ssh_args(use_ssh1 ? "-oProtocol=1" : "-oProtocol=2");
+
+	/* Otherwise finish up and return the arg array */
+	if (sftp_server != NULL)
+		make_ssh_args(sftp_server);
+	else
+		make_ssh_args("sftp");
+
+	/* XXX: overflow - doesn't grow debug_buf */
+	debug_buf[0] = '\0';
+	for(i = 0; args[i]; i++) {
+		if (i)
+			strlcat(debug_buf, " ", sizeof(debug_buf));
+
+		strlcat(debug_buf, args[i], sizeof(debug_buf));
+	}
+	debug("SSH args \"%s\"", debug_buf);
+
+	return(args);
+}
+
+void
+usage(void)
+{
+	fprintf(stderr, "usage: sftp [-1vC] [-b batchfile] [-osshopt=value] [user@]host[:file [file]]\n");
+	exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+	int in, out, ch, debug_level, compress_flag;
+	pid_t sshpid;
+	char *file1 = NULL;
+	char *host, *userhost, *cp, *file2;
+	LogLevel ll;
+	extern int optind;
+	extern char *optarg;
+
+	infile = stdin;		/* Read from STDIN unless changed by -b */
+	debug_level = compress_flag = 0;
+
+	while ((ch = getopt(argc, argv, "1hvCo:s:S:b:")) != -1) {
+		switch (ch) {
+		case 'C':
+			compress_flag = 1;
+			break;
+		case 'v':
+			debug_level = MIN(3, debug_level + 1);
+			break;
+		case 'o':
+			make_ssh_args("-o");
+			make_ssh_args(optarg);
+			break;
+		case '1':
+			use_ssh1 = 1;
+			if (sftp_server == NULL)
+				sftp_server = _PATH_SFTP_SERVER;
+			break;
+		case 's':
+			sftp_server = optarg;
+			break;
+		case 'S':
+			ssh_program = optarg;
+			break;
+		case 'b':
+			if (infile == stdin) {
+				infile = fopen(optarg, "r");
+				if (infile == NULL)
+					fatal("%s (%s).", strerror(errno), optarg);
+			} else
+				fatal("Filename already specified.");
+			break;
+		case 'h':
+		default:
+			usage();
+		}
+	}
+
+	if (optind == argc || argc > (optind + 2))
+		usage();
+
+	userhost = xstrdup(argv[optind]);
+	file2 = argv[optind+1];
+
+	if ((cp = colon(userhost)) != NULL) {
+		*cp++ = '\0';
+		file1 = cp;
+	}
+
+	if ((host = strchr(userhost, '@')) == NULL)
+		host = userhost;
+	else {
+		*host++ = '\0';
+		if (!userhost[0]) {
+			fprintf(stderr, "Missing username\n");
+			usage();
+		}
+		make_ssh_args("-l");
+		make_ssh_args(userhost);
+	}
+
+	host = cleanhostname(host);
+	if (!*host) {
+		fprintf(stderr, "Missing hostname\n");
+		usage();
+	}
+
+	/* Set up logging and debug '-d' arguments to ssh */
+	ll = SYSLOG_LEVEL_INFO;
+	switch (debug_level) {
+	case 1:
+		ll = SYSLOG_LEVEL_DEBUG1;
+		make_ssh_args("-v");
+		break;
+	case 2:
+		ll = SYSLOG_LEVEL_DEBUG2;
+		make_ssh_args("-v");
+		make_ssh_args("-v");
+		break;
+	case 3:
+		ll = SYSLOG_LEVEL_DEBUG3;
+		make_ssh_args("-v");
+		make_ssh_args("-v");
+		make_ssh_args("-v");
+		break;
+	}
+
+	if (compress_flag)
+		make_ssh_args("-C");
+
+	log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1);
+
+	make_ssh_args(host);
+
+	fprintf(stderr, "Connecting to %s...\n", host);
+
+	connect_to_server(make_ssh_args(NULL), &in, &out, &sshpid);
+
+	interactive_loop(in, out, file1, file2);
+
+	close(in);
+	close(out);
+	if (infile != stdin)
+		fclose(infile);
+
+	if (waitpid(sshpid, NULL, 0) == -1)
+		fatal("Couldn't wait for ssh process: %s", strerror(errno));
+
+	exit(0);
+}
diff --git a/crypto/openssh/sftp.h b/crypto/openssh/sftp.h
new file mode 100644
index 0000000..2ad9586
--- /dev/null
+++ b/crypto/openssh/sftp.h
@@ -0,0 +1,91 @@
+/*	$OpenBSD: sftp.h,v 1.3 2001/03/07 10:11:23 djm Exp $	*/
+
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * draft-ietf-secsh-filexfer-01.txt
+ */
+
+/* version */
+#define	SSH2_FILEXFER_VERSION		3
+
+/* client to server */
+#define SSH2_FXP_INIT			1
+#define SSH2_FXP_OPEN			3
+#define SSH2_FXP_CLOSE			4
+#define SSH2_FXP_READ			5
+#define SSH2_FXP_WRITE			6
+#define SSH2_FXP_LSTAT			7
+#define SSH2_FXP_FSTAT			8
+#define SSH2_FXP_SETSTAT		9
+#define SSH2_FXP_FSETSTAT		10
+#define SSH2_FXP_OPENDIR		11
+#define SSH2_FXP_READDIR		12
+#define SSH2_FXP_REMOVE			13
+#define SSH2_FXP_MKDIR			14
+#define SSH2_FXP_RMDIR			15
+#define SSH2_FXP_REALPATH		16
+#define SSH2_FXP_STAT			17
+#define SSH2_FXP_RENAME			18
+#define SSH2_FXP_READLINK		19
+#define SSH2_FXP_SYMLINK		20
+
+/* server to client */
+#define SSH2_FXP_VERSION		2
+#define SSH2_FXP_STATUS			101
+#define SSH2_FXP_HANDLE			102
+#define SSH2_FXP_DATA			103
+#define SSH2_FXP_NAME			104
+#define SSH2_FXP_ATTRS			105
+
+#define SSH2_FXP_EXTENDED		200
+#define SSH2_FXP_EXTENDED_REPLY		201
+
+/* attributes */
+#define SSH2_FILEXFER_ATTR_SIZE		0x00000001
+#define SSH2_FILEXFER_ATTR_UIDGID	0x00000002
+#define SSH2_FILEXFER_ATTR_PERMISSIONS	0x00000004
+#define SSH2_FILEXFER_ATTR_ACMODTIME	0x00000008
+#define SSH2_FILEXFER_ATTR_EXTENDED	0x80000000
+
+/* portable open modes */
+#define SSH2_FXF_READ			0x00000001
+#define SSH2_FXF_WRITE			0x00000002
+#define SSH2_FXF_APPEND			0x00000004
+#define SSH2_FXF_CREAT			0x00000008
+#define SSH2_FXF_TRUNC			0x00000010
+#define SSH2_FXF_EXCL			0x00000020
+
+/* status messages */
+#define SSH2_FX_OK			0
+#define SSH2_FX_EOF			1
+#define SSH2_FX_NO_SUCH_FILE		2
+#define SSH2_FX_PERMISSION_DENIED	3
+#define SSH2_FX_FAILURE			4
+#define SSH2_FX_BAD_MESSAGE		5
+#define SSH2_FX_NO_CONNECTION		6
+#define SSH2_FX_CONNECTION_LOST		7
+#define SSH2_FX_OP_UNSUPPORTED		8
+#define SSH2_FX_MAX			8
diff --git a/crypto/openssh/sftp/Makefile b/crypto/openssh/sftp/Makefile
new file mode 100644
index 0000000..83fa8dc
--- /dev/null
+++ b/crypto/openssh/sftp/Makefile
@@ -0,0 +1,19 @@
+#	$OpenBSD: Makefile,v 1.4 2001/04/16 02:31:52 mouring Exp $
+
+.PATH:		${.CURDIR}/..
+
+PROG=	sftp
+BINOWN=	root
+
+BINMODE?=555
+
+BINDIR=	/usr/bin
+MAN=	sftp.1
+
+SRCS=	sftp.c sftp-client.c sftp-int.c sftp-common.c sftp-glob.c scp-common.c
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto
+DPADD+=	${LIBCRYPTO}
+
diff --git a/crypto/openssh/ssh-add.1 b/crypto/openssh/ssh-add.1
new file mode 100644
index 0000000..d7725c6
--- /dev/null
+++ b/crypto/openssh/ssh-add.1
@@ -0,0 +1,138 @@
+.\"	$OpenBSD: ssh-add.1,v 1.24 2001/04/10 09:13:21 itojun Exp $
+.\"
+.\"  -*- nroff -*-
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" As far as I am concerned, the code I have written for this software
+.\" can be used freely for any purpose.  Any derived versions of this
+.\" software must be clearly marked as such, and if the derived work is
+.\" incompatible with the protocol description in the RFC file, it must be
+.\" called by a name other than "ssh" or "Secure Shell".
+.\"
+.\"
+.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
+.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd September 25, 1999
+.Dt SSH-ADD 1
+.Os
+.Sh NAME
+.Nm ssh-add
+.Nd adds RSA or DSA identities for the authentication agent
+.Sh SYNOPSIS
+.Nm ssh-add
+.Op Fl lLdD
+.Op Ar
+.Sh DESCRIPTION
+.Nm
+adds RSA or DSA identities to the authentication agent,
+.Xr ssh-agent 1 .
+When run without arguments, it adds the file
+.Pa $HOME/.ssh/identity .
+Alternative file names can be given on the command line.
+If any file requires a passphrase,
+.Nm
+asks for the passphrase from the user.
+The Passphrase it is read from the user's tty.
+.Nm
+retries the last passphrase if multiple identity files are given.
+.Pp
+The authentication agent must be running and must be an ancestor of
+the current process for
+.Nm
+to work.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl l
+Lists fingerprints of all identities currently represented by the agent.
+.It Fl L
+Lists public key parameters of all identities currently represented by the agent.
+.It Fl d
+Instead of adding the identity, removes the identity from the agent.
+.It Fl D
+Deletes all identities from the agent.
+.El
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/identity
+Contains the protocol version 1 RSA authentication identity of the user.
+This file should not be readable by anyone but the user.
+Note that
+.Nm
+ignores this file if it is accessible by others.
+It is possible to
+specify a passphrase when generating the key; that passphrase will be
+used to encrypt the private part of this file.
+This is the default file added by
+.Nm
+when no other files have been specified.
+.It Pa $HOME/.ssh/id_dsa
+Contains the protocol version 2 DSA authentication identity of the user.
+.It Pa $HOME/.ssh/id_rsa
+Contains the protocol version 2 RSA authentication identity of the user.
+.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds
+.It Ev "DISPLAY" and "SSH_ASKPASS"
+If
+.Nm
+needs a passphrase, it will read the passphrase from the current
+terminal if it was run from a terminal.
+If
+.Nm
+does not have a terminal associated with it but
+.Ev DISPLAY
+and
+.Ev SSH_ASKPASS
+are set, it will execute the program specified by
+.Ev SSH_ASKPASS
+and open an X11 window to read the passphrase.
+This is particularly useful when calling
+.Nm
+from a
+.Pa .Xsession
+or related script.
+(Note that on some machines it
+may be necessary to redirect the input from
+.Pa /dev/null
+to make this work.)
+.El
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8
diff --git a/crypto/openssh/ssh-add.c b/crypto/openssh/ssh-add.c
new file mode 100644
index 0000000..82a67a8
--- /dev/null
+++ b/crypto/openssh/ssh-add.c
@@ -0,0 +1,238 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Adds an identity to the authentication server, or removes an identity.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * SSH2 implementation,
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$FreeBSD$");
+RCSID("$OpenBSD: ssh-add.c,v 1.36 2001/04/18 21:57:42 markus Exp $");
+
+#include <openssl/evp.h>
+
+#include "ssh.h"
+#include "rsa.h"
+#include "log.h"
+#include "xmalloc.h"
+#include "key.h"
+#include "authfd.h"
+#include "authfile.h"
+#include "pathnames.h"
+#include "readpass.h"
+
+/* we keep a cache of one passphrases */
+static char *pass = NULL;
+void
+clear_pass(void)
+{
+	if (pass) {
+		memset(pass, 0, strlen(pass));
+		xfree(pass);
+		pass = NULL;
+	}
+}
+
+void
+delete_file(AuthenticationConnection *ac, const char *filename)
+{
+	Key *public;
+	char *comment = NULL;
+
+	public = key_load_public(filename, &comment);
+	if (public == NULL) {
+		printf("Bad key file %s\n", filename);
+		return;
+	}
+	if (ssh_remove_identity(ac, public))
+		fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment);
+	else
+		fprintf(stderr, "Could not remove identity: %s\n", filename);
+	key_free(public);
+	xfree(comment);
+}
+
+/* Send a request to remove all identities. */
+void
+delete_all(AuthenticationConnection *ac)
+{
+	int success = 1;
+
+	if (!ssh_remove_all_identities(ac, 1))
+		success = 0;
+	/* ignore error-code for ssh2 */
+	ssh_remove_all_identities(ac, 2);
+
+	if (success)
+		fprintf(stderr, "All identities removed.\n");
+	else
+		fprintf(stderr, "Failed to remove all identities.\n");
+}
+
+void
+add_file(AuthenticationConnection *ac, const char *filename)
+{
+	struct stat st;
+	Key *private;
+	char *comment = NULL;
+	char msg[1024];
+
+	if (stat(filename, &st) < 0) {
+		perror(filename);
+		exit(1);
+	}
+	/* At first, try empty passphrase */
+	private = key_load_private(filename, "", &comment);
+	if (comment == NULL)
+		comment = xstrdup(filename);
+	/* try last */
+	if (private == NULL && pass != NULL)
+		private = key_load_private(filename, pass, NULL);
+	if (private == NULL) {
+		/* clear passphrase since it did not work */
+		clear_pass();
+		printf("Need passphrase for %.200s\n", filename);
+		snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
+		   comment);
+		for (;;) {
+			pass = read_passphrase(msg, 1);
+			if (strcmp(pass, "") == 0) {
+				clear_pass();
+				xfree(comment);
+				return;
+			}
+			private = key_load_private(filename, pass, &comment);
+			if (private != NULL)
+				break;
+			clear_pass();
+			strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);
+		}
+	}
+	if (ssh_add_identity(ac, private, comment))
+		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
+	else
+		fprintf(stderr, "Could not add identity: %s\n", filename);
+	xfree(comment);
+	key_free(private);
+}
+
+void
+list_identities(AuthenticationConnection *ac, int do_fp)
+{
+	Key *key;
+	char *comment, *fp;
+	int had_identities = 0;
+	int version;
+
+	for (version = 1; version <= 2; version++) {
+		for (key = ssh_get_first_identity(ac, &comment, version);
+		     key != NULL;
+		     key = ssh_get_next_identity(ac, &comment, version)) {
+			had_identities = 1;
+			if (do_fp) {
+				fp = key_fingerprint(key, SSH_FP_MD5,
+				    SSH_FP_HEX);
+				printf("%d %s %s (%s)\n",
+				    key_size(key), fp, comment, key_type(key));
+				xfree(fp);
+			} else {
+				if (!key_write(key, stdout))
+					fprintf(stderr, "key_write failed");
+				fprintf(stdout, " %s\n", comment);
+			}
+			key_free(key);
+			xfree(comment);
+		}
+	}
+	if (!had_identities)
+		printf("The agent has no identities.\n");
+}
+
+int
+main(int argc, char **argv)
+{
+	AuthenticationConnection *ac = NULL;
+	struct passwd *pw;
+	char buf[1024];
+	int no_files = 1;
+	int i;
+	int deleting = 0;
+
+	SSLeay_add_all_algorithms();
+
+	/* At first, get a connection to the authentication agent. */
+	ac = ssh_get_authentication_connection();
+	if (ac == NULL) {
+		fprintf(stderr, "Could not open a connection to your authentication agent.\n");
+		exit(1);
+	}
+	for (i = 1; i < argc; i++) {
+		if ((strcmp(argv[i], "-l") == 0) ||
+		    (strcmp(argv[i], "-L") == 0)) {
+			list_identities(ac, argv[i][1] == 'l' ? 1 : 0);
+			/* Don't default-add/delete if -l. */
+			no_files = 0;
+			continue;
+		}
+		if (strcmp(argv[i], "-d") == 0) {
+			deleting = 1;
+			continue;
+		}
+		if (strcmp(argv[i], "-D") == 0) {
+			delete_all(ac);
+			no_files = 0;
+			continue;
+		}
+		no_files = 0;
+		if (deleting)
+			delete_file(ac, argv[i]);
+		else
+			add_file(ac, argv[i]);
+	}
+	if (no_files) {
+		pw = getpwuid(getuid());
+		if (!pw) {
+			fprintf(stderr, "No user found with uid %u\n",
+			    (u_int)getuid());
+			ssh_close_authentication_connection(ac);
+			exit(1);
+		}
+		snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, _PATH_SSH_CLIENT_IDENTITY);
+		if (deleting)
+			delete_file(ac, buf);
+		else
+			add_file(ac, buf);
+	}
+	clear_pass();
+	ssh_close_authentication_connection(ac);
+	exit(0);
+}
diff --git a/crypto/openssh/ssh-add/Makefile b/crypto/openssh/ssh-add/Makefile
new file mode 100644
index 0000000..2f7bf42
--- /dev/null
+++ b/crypto/openssh/ssh-add/Makefile
@@ -0,0 +1,18 @@
+#	$OpenBSD: Makefile,v 1.20 2001/03/04 00:51:25 markus Exp $
+
+.PATH:		${.CURDIR}/..
+
+PROG=	ssh-add
+BINOWN=	root
+
+BINMODE?=555
+
+BINDIR=	/usr/bin
+MAN=	ssh-add.1
+
+SRCS=	ssh-add.c
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto
+DPADD+= ${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
new file mode 100644
index 0000000..1d21469
--- /dev/null
+++ b/crypto/openssh/ssh-agent.1
@@ -0,0 +1,178 @@
+.\" $OpenBSD: ssh-agent.1,v 1.24 2001/04/10 09:13:21 itojun Exp $
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" As far as I am concerned, the code I have written for this software
+.\" can be used freely for any purpose.  Any derived versions of this
+.\" software must be clearly marked as such, and if the derived work is
+.\" incompatible with the protocol description in the RFC file, it must be
+.\" called by a name other than "ssh" or "Secure Shell".
+.\"
+.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
+.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd September 25, 1999
+.Dt SSH-AGENT 1
+.Os
+.Sh NAME
+.Nm ssh-agent
+.Nd authentication agent
+.Sh SYNOPSIS
+.Nm ssh-agent
+.Ar command
+.Ar args ...
+.Nm ssh-agent
+.Op Fl c Li | Fl s
+.Nm ssh-agent
+.Fl k
+.Sh DESCRIPTION
+.Nm
+is a program to hold private keys used for public key authentication
+(RSA, DSA).
+The idea is that
+.Nm
+is started in the beginning of an X-session or a login session, and
+all other windows or programs are started as clients to the ssh-agent
+program.
+Through use of environment variables the agent can be located
+and automatically used for authentication when logging in to other
+machines using
+.Xr ssh 1 .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl c
+Generate C-shell commands on
+.Dv stdout .
+This is the default if
+.Ev SHELL
+looks like it's a csh style of shell.
+.It Fl s
+Generate Bourne shell commands on
+.Dv stdout .
+This is the default if
+.Ev SHELL
+does not look like it's a csh style of shell.
+.It Fl k
+Kill the current agent (given by the
+.Ev SSH_AGENT_PID
+environment variable).
+.El
+.Pp
+If a commandline is given, this is executed as a subprocess of the agent.
+When the command dies, so does the agent.
+.Pp
+The agent initially does not have any private keys.
+Keys are added using
+.Xr ssh-add 1 .
+When executed without arguments,
+.Xr ssh-add 1
+adds the
+.Pa $HOME/.ssh/identity
+file.
+If the identity has a passphrase,
+.Xr ssh-add 1
+asks for the passphrase (using a small X11 application if running
+under X11, or from the terminal if running without X).
+It then sends the identity to the agent.
+Several identities can be stored in the
+agent; the agent can automatically use any of these identities.
+.Ic ssh-add -l
+displays the identities currently held by the agent.
+.Pp
+The idea is that the agent is run in the user's local PC, laptop, or
+terminal.
+Authentication data need not be stored on any other
+machine, and authentication passphrases never go over the network.
+However, the connection to the agent is forwarded over SSH
+remote logins, and the user can thus use the privileges given by the
+identities anywhere in the network in a secure way.
+.Pp
+There are two main ways to get an agent setup:
+Either you let the agent
+start a new subcommand into which some environment variables are exported, or
+you let the agent print the needed shell commands (either
+.Xr sh 1
+or
+.Xr csh 1
+syntax can be generated) which can be evalled in the calling shell.
+Later
+.Xr ssh 1
+looks at these variables and uses them to establish a connection to the agent.
+.Pp
+A unix-domain socket is created
+.Pq Pa /tmp/ssh-XXXXXXXX/agent.<pid> ,
+and the name of this socket is stored in the
+.Ev SSH_AUTH_SOCK
+environment
+variable.
+The socket is made accessible only to the current user.
+This method is easily abused by root or another instance of the same
+user.
+.Pp
+The
+.Ev SSH_AGENT_PID
+environment variable holds the agent's PID.
+.Pp
+The agent exits automatically when the command given on the command
+line terminates.
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/identity
+Contains the protocol version 1 RSA authentication identity of the user.
+This file should not be readable by anyone but the user.
+It is possible to
+specify a passphrase when generating the key; that passphrase will be
+used to encrypt the private part of this file.
+This file is not used by
+.Nm
+but is normally added to the agent using
+.Xr ssh-add 1
+at login time.
+.It Pa $HOME/.ssh/id_dsa
+Contains the protocol version 2 DSA authentication identity of the user.
+.It Pa $HOME/.ssh/id_rsa
+Contains the protocol version 2 RSA authentication identity of the user.
+.It Pa /tmp/ssh-XXXXXXXX/agent.<pid>
+Unix-domain sockets used to contain the connection to the
+authentication agent.
+These sockets should only be readable by the owner.
+The sockets should get automatically removed when the agent exits.
+.El
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
new file mode 100644
index 0000000..ae0f044
--- /dev/null
+++ b/crypto/openssh/ssh-agent.c
@@ -0,0 +1,873 @@
+/*	$OpenBSD: ssh-agent.c,v 1.54 2001/04/03 13:56:11 stevesk Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * The authentication agent program.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * SSH2 implementation,
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: ssh-agent.c,v 1.54 2001/04/03 13:56:11 stevesk Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/evp.h>
+#include <openssl/md5.h>
+
+#include "ssh.h"
+#include "rsa.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "xmalloc.h"
+#include "packet.h"
+#include "getput.h"
+#include "mpaux.h"
+#include "key.h"
+#include "authfd.h"
+#include "cipher.h"
+#include "kex.h"
+#include "compat.h"
+#include "log.h"
+
+typedef struct {
+	int fd;
+	enum {
+		AUTH_UNUSED, AUTH_SOCKET, AUTH_CONNECTION
+	} type;
+	Buffer input;
+	Buffer output;
+} SocketEntry;
+
+u_int sockets_alloc = 0;
+SocketEntry *sockets = NULL;
+
+typedef struct {
+	Key *key;
+	char *comment;
+} Identity;
+
+typedef struct {
+	int nentries;
+	Identity *identities;
+} Idtab;
+
+/* private key table, one per protocol version */
+Idtab idtable[3];
+
+int max_fd = 0;
+
+/* pid of shell == parent of agent */
+pid_t parent_pid = -1;
+
+/* pathname and directory for AUTH_SOCKET */
+char socket_name[1024];
+char socket_dir[1024];
+
+extern char *__progname;
+
+int	prepare_select(fd_set **, fd_set **, int *);
+
+void
+idtab_init(void)
+{
+	int i;
+	for (i = 0; i <=2; i++){
+		idtable[i].identities = NULL;
+		idtable[i].nentries = 0;
+	}
+}
+
+/* return private key table for requested protocol version */
+Idtab *
+idtab_lookup(int version)
+{
+	if (version < 1 || version > 2)
+		fatal("internal error, bad protocol version %d", version);
+	return &idtable[version];
+}
+
+/* return matching private key for given public key */
+Key *
+lookup_private_key(Key *key, int *idx, int version)
+{
+	int i;
+	Idtab *tab = idtab_lookup(version);
+	for (i = 0; i < tab->nentries; i++) {
+		if (key_equal(key, tab->identities[i].key)) {
+			if (idx != NULL)
+				*idx = i;
+			return tab->identities[i].key;
+		}
+	}
+	return NULL;
+}
+
+/* send list of supported public keys to 'client' */
+void
+process_request_identities(SocketEntry *e, int version)
+{
+	Idtab *tab = idtab_lookup(version);
+	Buffer msg;
+	int i;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, (version == 1) ?
+	    SSH_AGENT_RSA_IDENTITIES_ANSWER : SSH2_AGENT_IDENTITIES_ANSWER);
+	buffer_put_int(&msg, tab->nentries);
+	for (i = 0; i < tab->nentries; i++) {
+		Identity *id = &tab->identities[i];
+		if (id->key->type == KEY_RSA1) {
+			buffer_put_int(&msg, BN_num_bits(id->key->rsa->n));
+			buffer_put_bignum(&msg, id->key->rsa->e);
+			buffer_put_bignum(&msg, id->key->rsa->n);
+		} else {
+			u_char *blob;
+			u_int blen;
+			key_to_blob(id->key, &blob, &blen);
+			buffer_put_string(&msg, blob, blen);
+			xfree(blob);
+		}
+		buffer_put_cstring(&msg, id->comment);
+	}
+	buffer_put_int(&e->output, buffer_len(&msg));
+	buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg));
+	buffer_free(&msg);
+}
+
+/* ssh1 only */
+void
+process_authentication_challenge1(SocketEntry *e)
+{
+	Key *key, *private;
+	BIGNUM *challenge;
+	int i, len;
+	Buffer msg;
+	MD5_CTX md;
+	u_char buf[32], mdbuf[16], session_id[16];
+	u_int response_type;
+
+	buffer_init(&msg);
+	key = key_new(KEY_RSA1);
+	challenge = BN_new();
+
+	buffer_get_int(&e->input);				/* ignored */
+	buffer_get_bignum(&e->input, key->rsa->e);
+	buffer_get_bignum(&e->input, key->rsa->n);
+	buffer_get_bignum(&e->input, challenge);
+
+	/* Only protocol 1.1 is supported */
+	if (buffer_len(&e->input) == 0)
+		goto failure;
+	buffer_get(&e->input, (char *) session_id, 16);
+	response_type = buffer_get_int(&e->input);
+	if (response_type != 1)
+		goto failure;
+
+	private = lookup_private_key(key, NULL, 1);
+	if (private != NULL) {
+		/* Decrypt the challenge using the private key. */
+		if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0)
+			goto failure;
+
+		/* The response is MD5 of decrypted challenge plus session id. */
+		len = BN_num_bytes(challenge);
+		if (len <= 0 || len > 32) {
+			log("process_authentication_challenge: bad challenge length %d", len);
+			goto failure;
+		}
+		memset(buf, 0, 32);
+		BN_bn2bin(challenge, buf + 32 - len);
+		MD5_Init(&md);
+		MD5_Update(&md, buf, 32);
+		MD5_Update(&md, session_id, 16);
+		MD5_Final(mdbuf, &md);
+
+		/* Send the response. */
+		buffer_put_char(&msg, SSH_AGENT_RSA_RESPONSE);
+		for (i = 0; i < 16; i++)
+			buffer_put_char(&msg, mdbuf[i]);
+		goto send;
+	}
+
+failure:
+	/* Unknown identity or protocol error.  Send failure. */
+	buffer_put_char(&msg, SSH_AGENT_FAILURE);
+send:
+	buffer_put_int(&e->output, buffer_len(&msg));
+	buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg));
+	key_free(key);
+	BN_clear_free(challenge);
+	buffer_free(&msg);
+}
+
+/* ssh2 only */
+void
+process_sign_request2(SocketEntry *e)
+{
+	extern int datafellows;
+	Key *key, *private;
+	u_char *blob, *data, *signature = NULL;
+	u_int blen, dlen, slen = 0;
+	int flags;
+	Buffer msg;
+	int ok = -1;
+
+	datafellows = 0;
+
+	blob = buffer_get_string(&e->input, &blen);
+	data = buffer_get_string(&e->input, &dlen);
+
+	flags = buffer_get_int(&e->input);
+	if (flags & SSH_AGENT_OLD_SIGNATURE)
+		datafellows = SSH_BUG_SIGBLOB;
+
+	key = key_from_blob(blob, blen);
+	if (key != NULL) {
+		private = lookup_private_key(key, NULL, 2);
+		if (private != NULL)
+			ok = key_sign(private, &signature, &slen, data, dlen);
+	}
+	key_free(key);
+	buffer_init(&msg);
+	if (ok == 0) {
+		buffer_put_char(&msg, SSH2_AGENT_SIGN_RESPONSE);
+		buffer_put_string(&msg, signature, slen);
+	} else {
+		buffer_put_char(&msg, SSH_AGENT_FAILURE);
+	}
+	buffer_put_int(&e->output, buffer_len(&msg));
+	buffer_append(&e->output, buffer_ptr(&msg),
+	    buffer_len(&msg));
+	buffer_free(&msg);
+	xfree(data);
+	xfree(blob);
+	if (signature != NULL)
+		xfree(signature);
+}
+
+/* shared */
+void
+process_remove_identity(SocketEntry *e, int version)
+{
+	Key *key = NULL, *private;
+	u_char *blob;
+	u_int blen;
+	u_int bits;
+	int success = 0;
+
+	switch(version){
+	case 1:
+		key = key_new(KEY_RSA1);
+		bits = buffer_get_int(&e->input);
+		buffer_get_bignum(&e->input, key->rsa->e);
+		buffer_get_bignum(&e->input, key->rsa->n);
+
+		if (bits != key_size(key))
+			log("Warning: identity keysize mismatch: actual %d, announced %d",
+			    key_size(key), bits);
+		break;
+	case 2:
+		blob = buffer_get_string(&e->input, &blen);
+		key = key_from_blob(blob, blen);
+		xfree(blob);
+		break;
+	}
+	if (key != NULL) {
+		int idx;
+		private = lookup_private_key(key, &idx, version);
+		if (private != NULL) {
+			/*
+			 * We have this key.  Free the old key.  Since we
+			 * don\'t want to leave empty slots in the middle of
+			 * the array, we actually free the key there and move
+			 * all the entries between the empty slot and the end
+			 * of the array.
+			 */
+			Idtab *tab = idtab_lookup(version);
+			key_free(tab->identities[idx].key);
+			xfree(tab->identities[idx].comment);
+			if (tab->nentries < 1)
+				fatal("process_remove_identity: "
+				    "internal error: tab->nentries %d",
+				    tab->nentries);
+			if (idx != tab->nentries - 1) {
+				int i;
+				for (i = idx; i < tab->nentries - 1; i++)
+					tab->identities[i] = tab->identities[i+1];
+			}
+			tab->identities[tab->nentries - 1].key = NULL;
+			tab->identities[tab->nentries - 1].comment = NULL;
+			tab->nentries--;
+			success = 1;
+		}
+		key_free(key);
+	}
+	buffer_put_int(&e->output, 1);
+	buffer_put_char(&e->output,
+	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+
+void
+process_remove_all_identities(SocketEntry *e, int version)
+{
+	u_int i;
+	Idtab *tab = idtab_lookup(version);
+
+	/* Loop over all identities and clear the keys. */
+	for (i = 0; i < tab->nentries; i++) {
+		key_free(tab->identities[i].key);
+		xfree(tab->identities[i].comment);
+	}
+
+	/* Mark that there are no identities. */
+	tab->nentries = 0;
+
+	/* Send success. */
+	buffer_put_int(&e->output, 1);
+	buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
+	return;
+}
+
+void
+process_add_identity(SocketEntry *e, int version)
+{
+	Key *k = NULL;
+	char *type_name;
+	char *comment;
+	int type, success = 0;
+	Idtab *tab = idtab_lookup(version);
+
+	switch (version) {
+	case 1:
+		k = key_new_private(KEY_RSA1);
+		buffer_get_int(&e->input);			/* ignored */
+		buffer_get_bignum(&e->input, k->rsa->n);
+		buffer_get_bignum(&e->input, k->rsa->e);
+		buffer_get_bignum(&e->input, k->rsa->d);
+		buffer_get_bignum(&e->input, k->rsa->iqmp);
+
+		/* SSH and SSL have p and q swapped */
+		buffer_get_bignum(&e->input, k->rsa->q);	/* p */
+		buffer_get_bignum(&e->input, k->rsa->p);	/* q */
+
+		/* Generate additional parameters */
+		generate_additional_parameters(k->rsa);
+		break;
+	case 2:
+		type_name = buffer_get_string(&e->input, NULL);
+		type = key_type_from_name(type_name);
+		xfree(type_name);
+		switch(type) {
+		case KEY_DSA:
+			k = key_new_private(type);
+			buffer_get_bignum2(&e->input, k->dsa->p);
+			buffer_get_bignum2(&e->input, k->dsa->q);
+			buffer_get_bignum2(&e->input, k->dsa->g);
+			buffer_get_bignum2(&e->input, k->dsa->pub_key);
+			buffer_get_bignum2(&e->input, k->dsa->priv_key);
+			break;
+		case KEY_RSA:
+			k = key_new_private(type);
+			buffer_get_bignum2(&e->input, k->rsa->n);
+			buffer_get_bignum2(&e->input, k->rsa->e);
+			buffer_get_bignum2(&e->input, k->rsa->d);
+			buffer_get_bignum2(&e->input, k->rsa->iqmp);
+			buffer_get_bignum2(&e->input, k->rsa->p);
+			buffer_get_bignum2(&e->input, k->rsa->q);
+
+			/* Generate additional parameters */
+			generate_additional_parameters(k->rsa);
+			break;
+		default:
+			buffer_clear(&e->input);
+			goto send;
+		}
+		break;
+	}
+	comment = buffer_get_string(&e->input, NULL);
+	if (k == NULL) {
+		xfree(comment);
+		goto send;
+	}
+	success = 1;
+	if (lookup_private_key(k, NULL, version) == NULL) {
+		if (tab->nentries == 0)
+			tab->identities = xmalloc(sizeof(Identity));
+		else
+			tab->identities = xrealloc(tab->identities,
+			    (tab->nentries + 1) * sizeof(Identity));
+		tab->identities[tab->nentries].key = k;
+		tab->identities[tab->nentries].comment = comment;
+		/* Increment the number of identities. */
+		tab->nentries++;
+	} else {
+		key_free(k);
+		xfree(comment);
+	}
+send:
+	buffer_put_int(&e->output, 1);
+	buffer_put_char(&e->output,
+	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+
+/* dispatch incoming messages */
+
+void
+process_message(SocketEntry *e)
+{
+	u_int msg_len;
+	u_int type;
+	u_char *cp;
+	if (buffer_len(&e->input) < 5)
+		return;		/* Incomplete message. */
+	cp = (u_char *) buffer_ptr(&e->input);
+	msg_len = GET_32BIT(cp);
+	if (msg_len > 256 * 1024) {
+		shutdown(e->fd, SHUT_RDWR);
+		close(e->fd);
+		e->type = AUTH_UNUSED;
+		return;
+	}
+	if (buffer_len(&e->input) < msg_len + 4)
+		return;
+	buffer_consume(&e->input, 4);
+	type = buffer_get_char(&e->input);
+
+	switch (type) {
+	/* ssh1 */
+	case SSH_AGENTC_RSA_CHALLENGE:
+		process_authentication_challenge1(e);
+		break;
+	case SSH_AGENTC_REQUEST_RSA_IDENTITIES:
+		process_request_identities(e, 1);
+		break;
+	case SSH_AGENTC_ADD_RSA_IDENTITY:
+		process_add_identity(e, 1);
+		break;
+	case SSH_AGENTC_REMOVE_RSA_IDENTITY:
+		process_remove_identity(e, 1);
+		break;
+	case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
+		process_remove_all_identities(e, 1);
+		break;
+	/* ssh2 */
+	case SSH2_AGENTC_SIGN_REQUEST:
+		process_sign_request2(e);
+		break;
+	case SSH2_AGENTC_REQUEST_IDENTITIES:
+		process_request_identities(e, 2);
+		break;
+	case SSH2_AGENTC_ADD_IDENTITY:
+		process_add_identity(e, 2);
+		break;
+	case SSH2_AGENTC_REMOVE_IDENTITY:
+		process_remove_identity(e, 2);
+		break;
+	case SSH2_AGENTC_REMOVE_ALL_IDENTITIES:
+		process_remove_all_identities(e, 2);
+		break;
+	default:
+		/* Unknown message.  Respond with failure. */
+		error("Unknown message %d", type);
+		buffer_clear(&e->input);
+		buffer_put_int(&e->output, 1);
+		buffer_put_char(&e->output, SSH_AGENT_FAILURE);
+		break;
+	}
+}
+
+void
+new_socket(int type, int fd)
+{
+	u_int i, old_alloc;
+	if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
+		error("fcntl O_NONBLOCK: %s", strerror(errno));
+
+	if (fd > max_fd)
+		max_fd = fd;
+
+	for (i = 0; i < sockets_alloc; i++)
+		if (sockets[i].type == AUTH_UNUSED) {
+			sockets[i].fd = fd;
+			sockets[i].type = type;
+			buffer_init(&sockets[i].input);
+			buffer_init(&sockets[i].output);
+			return;
+		}
+	old_alloc = sockets_alloc;
+	sockets_alloc += 10;
+	if (sockets)
+		sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+	else
+		sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
+	for (i = old_alloc; i < sockets_alloc; i++)
+		sockets[i].type = AUTH_UNUSED;
+	sockets[old_alloc].type = type;
+	sockets[old_alloc].fd = fd;
+	buffer_init(&sockets[old_alloc].input);
+	buffer_init(&sockets[old_alloc].output);
+}
+
+int
+prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl)
+{
+	u_int i, sz;
+	int n = 0;
+
+	for (i = 0; i < sockets_alloc; i++) {
+		switch (sockets[i].type) {
+		case AUTH_SOCKET:
+		case AUTH_CONNECTION:
+			n = MAX(n, sockets[i].fd);
+			break;
+		case AUTH_UNUSED:
+			break;
+		default:
+			fatal("Unknown socket type %d", sockets[i].type);
+			break;
+		}
+	}
+
+	sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
+	if (*fdrp == NULL || n > *fdl) {
+		if (*fdrp)
+			xfree(*fdrp);
+		if (*fdwp)
+			xfree(*fdwp);
+		*fdrp = xmalloc(sz);
+		*fdwp = xmalloc(sz);
+		*fdl = n;
+	}
+	memset(*fdrp, 0, sz);
+	memset(*fdwp, 0, sz);
+
+	for (i = 0; i < sockets_alloc; i++) {
+		switch (sockets[i].type) {
+		case AUTH_SOCKET:
+		case AUTH_CONNECTION:
+			FD_SET(sockets[i].fd, *fdrp);
+			if (buffer_len(&sockets[i].output) > 0)
+				FD_SET(sockets[i].fd, *fdwp);
+			break;
+		default:
+			break;
+		}
+	}
+	return (1);
+}
+
+void
+after_select(fd_set *readset, fd_set *writeset)
+{
+	u_int i;
+	int len, sock;
+	socklen_t slen;
+	char buf[1024];
+	struct sockaddr_un sunaddr;
+
+	for (i = 0; i < sockets_alloc; i++)
+		switch (sockets[i].type) {
+		case AUTH_UNUSED:
+			break;
+		case AUTH_SOCKET:
+			if (FD_ISSET(sockets[i].fd, readset)) {
+				slen = sizeof(sunaddr);
+				sock = accept(sockets[i].fd,
+				    (struct sockaddr *) &sunaddr, &slen);
+				if (sock < 0) {
+					perror("accept from AUTH_SOCKET");
+					break;
+				}
+				new_socket(AUTH_CONNECTION, sock);
+			}
+			break;
+		case AUTH_CONNECTION:
+			if (buffer_len(&sockets[i].output) > 0 &&
+			    FD_ISSET(sockets[i].fd, writeset)) {
+				do {
+					len = write(sockets[i].fd,
+					    buffer_ptr(&sockets[i].output),
+					    buffer_len(&sockets[i].output));
+					if (len == -1 && (errno == EAGAIN ||
+					    errno == EINTR))
+						continue;
+					break;
+				} while (1);
+				if (len <= 0) {
+					shutdown(sockets[i].fd, SHUT_RDWR);
+					close(sockets[i].fd);
+					sockets[i].type = AUTH_UNUSED;
+					buffer_free(&sockets[i].input);
+					buffer_free(&sockets[i].output);
+					break;
+				}
+				buffer_consume(&sockets[i].output, len);
+			}
+			if (FD_ISSET(sockets[i].fd, readset)) {
+				do {
+					len = read(sockets[i].fd, buf, sizeof(buf));
+					if (len == -1 && (errno == EAGAIN ||
+					    errno == EINTR))
+						continue;
+					break;
+				} while (1);
+				if (len <= 0) {
+					shutdown(sockets[i].fd, SHUT_RDWR);
+					close(sockets[i].fd);
+					sockets[i].type = AUTH_UNUSED;
+					buffer_free(&sockets[i].input);
+					buffer_free(&sockets[i].output);
+					break;
+				}
+				buffer_append(&sockets[i].input, buf, len);
+				process_message(&sockets[i]);
+			}
+			break;
+		default:
+			fatal("Unknown type %d", sockets[i].type);
+		}
+}
+
+void
+check_parent_exists(int sig)
+{
+	int save_errno = errno;
+
+	if (parent_pid != -1 && kill(parent_pid, 0) < 0) {
+		/* printf("Parent has died - Authentication agent exiting.\n"); */
+		exit(1);
+	}
+	signal(SIGALRM, check_parent_exists);
+	alarm(10);
+	errno = save_errno;
+}
+
+void
+cleanup_socket(void)
+{
+	if (socket_name[0])
+		unlink(socket_name);
+	if (socket_dir[0])
+		rmdir(socket_dir);
+}
+
+void
+cleanup_exit(int i)
+{
+	cleanup_socket();
+	exit(i);
+}
+
+void
+cleanup_handler(int sig)
+{
+	cleanup_socket();
+	_exit(2);
+}
+
+void
+usage(void)
+{
+	fprintf(stderr, "ssh-agent version %s\n", SSH_VERSION);
+	fprintf(stderr, "Usage: %s [-c | -s] [-k] [command {args...]]\n",
+	    __progname);
+	exit(1);
+}
+
+int
+main(int ac, char **av)
+{
+	int sock, c_flag = 0, k_flag = 0, s_flag = 0, ch;
+	struct sockaddr_un sunaddr;
+	struct rlimit rlim;
+	pid_t pid;
+	char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid];
+	extern int optind;
+	fd_set *readsetp = NULL, *writesetp = NULL;
+
+	SSLeay_add_all_algorithms();
+
+	while ((ch = getopt(ac, av, "cks")) != -1) {
+		switch (ch) {
+		case 'c':
+			if (s_flag)
+				usage();
+			c_flag++;
+			break;
+		case 'k':
+			k_flag++;
+			break;
+		case 's':
+			if (c_flag)
+				usage();
+			s_flag++;
+			break;
+		default:
+			usage();
+		}
+	}
+	ac -= optind;
+	av += optind;
+
+	if (ac > 0 && (c_flag || k_flag || s_flag))
+		usage();
+
+	if (ac == 0 && !c_flag && !k_flag && !s_flag) {
+		shell = getenv("SHELL");
+		if (shell != NULL && strncmp(shell + strlen(shell) - 3, "csh", 3) == 0)
+			c_flag = 1;
+	}
+	if (k_flag) {
+		pidstr = getenv(SSH_AGENTPID_ENV_NAME);
+		if (pidstr == NULL) {
+			fprintf(stderr, "%s not set, cannot kill agent\n",
+			    SSH_AGENTPID_ENV_NAME);
+			exit(1);
+		}
+		pid = atoi(pidstr);
+		if (pid < 1) {
+			fprintf(stderr, "%s=\"%s\", which is not a good PID\n",
+			    SSH_AGENTPID_ENV_NAME, pidstr);
+			exit(1);
+		}
+		if (kill(pid, SIGTERM) == -1) {
+			perror("kill");
+			exit(1);
+		}
+		format = c_flag ? "unsetenv %s;\n" : "unset %s;\n";
+		printf(format, SSH_AUTHSOCKET_ENV_NAME);
+		printf(format, SSH_AGENTPID_ENV_NAME);
+		printf("echo Agent pid %d killed;\n", pid);
+		exit(0);
+	}
+	parent_pid = getpid();
+
+	/* Create private directory for agent socket */
+	strlcpy(socket_dir, "/tmp/ssh-XXXXXXXX", sizeof socket_dir);
+	if (mkdtemp(socket_dir) == NULL) {
+		perror("mkdtemp: private socket dir");
+		exit(1);
+	}
+	snprintf(socket_name, sizeof socket_name, "%s/agent.%d", socket_dir,
+	    parent_pid);
+
+	/*
+	 * Create socket early so it will exist before command gets run from
+	 * the parent.
+	 */
+	sock = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (sock < 0) {
+		perror("socket");
+		cleanup_exit(1);
+	}
+	memset(&sunaddr, 0, sizeof(sunaddr));
+	sunaddr.sun_family = AF_UNIX;
+	strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path));
+	sunaddr.sun_len = SUN_LEN(&sunaddr) + 1;
+	if (bind(sock, (struct sockaddr *)&sunaddr, sunaddr.sun_len) < 0) {
+		perror("bind");
+		cleanup_exit(1);
+	}
+	if (listen(sock, 5) < 0) {
+		perror("listen");
+		cleanup_exit(1);
+	}
+
+	/*
+	 * Fork, and have the parent execute the command, if any, or present
+	 * the socket data.  The child continues as the authentication agent.
+	 */
+	pid = fork();
+	if (pid == -1) {
+		perror("fork");
+		exit(1);
+	}
+	if (pid != 0) {		/* Parent - execute the given command. */
+		close(sock);
+		snprintf(pidstrbuf, sizeof pidstrbuf, "%d", pid);
+		if (ac == 0) {
+			format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n";
+			printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
+			    SSH_AUTHSOCKET_ENV_NAME);
+			printf(format, SSH_AGENTPID_ENV_NAME, pidstrbuf,
+			    SSH_AGENTPID_ENV_NAME);
+			printf("echo Agent pid %d;\n", pid);
+			exit(0);
+		}
+		if (setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1) == -1 ||
+		    setenv(SSH_AGENTPID_ENV_NAME, pidstrbuf, 1) == -1) {
+			perror("setenv");
+			exit(1);
+		}
+		execvp(av[0], av);
+		perror(av[0]);
+		exit(1);
+	}
+	close(0);
+	close(1);
+	close(2);
+
+	/* deny core dumps, since memory contains unencrypted private keys */
+	rlim.rlim_cur = rlim.rlim_max = 0;
+	if (setrlimit(RLIMIT_CORE, &rlim) < 0) {
+		perror("setrlimit rlimit_core failed");
+		cleanup_exit(1);
+	}
+	if (setsid() == -1) {
+		perror("setsid");
+		cleanup_exit(1);
+	}
+	if (atexit(cleanup_socket) < 0) {
+		perror("atexit");
+		cleanup_exit(1);
+	}
+	new_socket(AUTH_SOCKET, sock);
+	if (ac > 0) {
+		signal(SIGALRM, check_parent_exists);
+		alarm(10);
+	}
+	idtab_init();
+	signal(SIGINT, SIG_IGN);
+	signal(SIGPIPE, SIG_IGN);
+	signal(SIGHUP, cleanup_handler);
+	signal(SIGTERM, cleanup_handler);
+	while (1) {
+		prepare_select(&readsetp, &writesetp, &max_fd);
+		if (select(max_fd + 1, readsetp, writesetp, NULL, NULL) < 0) {
+			if (errno == EINTR)
+				continue;
+			exit(1);
+		}
+		after_select(readsetp, writesetp);
+	}
+	/* NOTREACHED */
+}
diff --git a/crypto/openssh/ssh-agent/Makefile b/crypto/openssh/ssh-agent/Makefile
new file mode 100644
index 0000000..e1a2e2c
--- /dev/null
+++ b/crypto/openssh/ssh-agent/Makefile
@@ -0,0 +1,18 @@
+#	$OpenBSD: Makefile,v 1.17 2001/03/04 00:51:25 markus Exp $
+
+.PATH:		${.CURDIR}/..
+
+PROG=	ssh-agent
+BINOWN=	root
+
+BINMODE?=555
+
+BINDIR=	/usr/bin
+MAN=	ssh-agent.1
+
+SRCS=	ssh-agent.c
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto
+DPADD+=	${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-dss.c b/crypto/openssh/ssh-dss.c
new file mode 100644
index 0000000..adc8f98
--- /dev/null
+++ b/crypto/openssh/ssh-dss.c
@@ -0,0 +1,217 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: ssh-dss.c,v 1.6 2001/02/08 19:30:52 itojun Exp $");
+
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "compat.h"
+#include "log.h"
+#include "key.h"
+#include "ssh-dss.h"
+
+#define INTBLOB_LEN	20
+#define SIGBLOB_LEN	(2*INTBLOB_LEN)
+
+int
+ssh_dss_sign(
+    Key *key,
+    u_char **sigp, int *lenp,
+    u_char *data, int datalen)
+{
+	u_char *digest;
+	u_char *ret;
+	DSA_SIG *sig;
+	EVP_MD *evp_md = EVP_sha1();
+	EVP_MD_CTX md;
+	u_int rlen;
+	u_int slen;
+	u_int len, dlen;
+	u_char sigblob[SIGBLOB_LEN];
+	Buffer b;
+
+	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
+		error("ssh_dss_sign: no DSA key");
+		return -1;
+	}
+	dlen = evp_md->md_size;
+	digest = xmalloc(dlen);
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, data, datalen);
+	EVP_DigestFinal(&md, digest, NULL);
+
+	sig = DSA_do_sign(digest, dlen, key->dsa);
+	if (sig == NULL) {
+		fatal("ssh_dss_sign: cannot sign");
+	}
+	memset(digest, 0, dlen);
+	xfree(digest);
+
+	rlen = BN_num_bytes(sig->r);
+	slen = BN_num_bytes(sig->s);
+	if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
+		error("bad sig size %d %d", rlen, slen);
+		DSA_SIG_free(sig);
+		return -1;
+	}
+	debug("sig size %d %d", rlen, slen);
+
+	memset(sigblob, 0, SIGBLOB_LEN);
+	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
+	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
+	DSA_SIG_free(sig);
+
+	if (datafellows & SSH_BUG_SIGBLOB) {
+		debug("datafellows");
+		ret = xmalloc(SIGBLOB_LEN);
+		memcpy(ret, sigblob, SIGBLOB_LEN);
+		if (lenp != NULL)
+			*lenp = SIGBLOB_LEN;
+		if (sigp != NULL)
+			*sigp = ret;
+	} else {
+		/* ietf-drafts */
+		buffer_init(&b);
+		buffer_put_cstring(&b, "ssh-dss");
+		buffer_put_string(&b, sigblob, SIGBLOB_LEN);
+		len = buffer_len(&b);
+		ret = xmalloc(len);
+		memcpy(ret, buffer_ptr(&b), len);
+		buffer_free(&b);
+		if (lenp != NULL)
+			*lenp = len;
+		if (sigp != NULL)
+			*sigp = ret;
+	}
+	return 0;
+}
+int
+ssh_dss_verify(
+    Key *key,
+    u_char *signature, int signaturelen,
+    u_char *data, int datalen)
+{
+	Buffer b;
+	u_char *digest;
+	DSA_SIG *sig;
+	EVP_MD *evp_md = EVP_sha1();
+	EVP_MD_CTX md;
+	u_char *sigblob;
+	char *txt;
+	u_int len, dlen;
+	int rlen;
+	int ret;
+
+	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
+		error("ssh_dss_verify: no DSA key");
+		return -1;
+	}
+
+	if (!(datafellows & SSH_BUG_SIGBLOB) &&
+	    signaturelen == SIGBLOB_LEN) {
+		datafellows |= ~SSH_BUG_SIGBLOB;
+		log("autodetect SSH_BUG_SIGBLOB");
+	} else if ((datafellows & SSH_BUG_SIGBLOB) &&
+	    signaturelen != SIGBLOB_LEN) {
+		log("autoremove SSH_BUG_SIGBLOB");
+		datafellows &= ~SSH_BUG_SIGBLOB;
+	}
+
+	debug("len %d datafellows %d", signaturelen, datafellows);
+
+	/* fetch signature */
+	if (datafellows & SSH_BUG_SIGBLOB) {
+		sigblob = signature;
+		len = signaturelen;
+	} else {
+		/* ietf-drafts */
+		char *ktype;
+		buffer_init(&b);
+		buffer_append(&b, (char *) signature, signaturelen);
+		ktype = buffer_get_string(&b, NULL);
+		if (strcmp("ssh-dss", ktype) != 0) {
+			error("ssh_dss_verify: cannot handle type %s", ktype);
+			buffer_free(&b);
+			return -1;
+		}
+		sigblob = (u_char *)buffer_get_string(&b, &len);
+		rlen = buffer_len(&b);
+		if(rlen != 0) {
+			error("remaining bytes in signature %d", rlen);
+			buffer_free(&b);
+			return -1;
+		}
+		buffer_free(&b);
+		xfree(ktype);
+	}
+
+	if (len != SIGBLOB_LEN) {
+		fatal("bad sigbloblen %d != SIGBLOB_LEN", len);
+	}
+
+	/* parse signature */
+	sig = DSA_SIG_new();
+	sig->r = BN_new();
+	sig->s = BN_new();
+	BN_bin2bn(sigblob, INTBLOB_LEN, sig->r);
+	BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s);
+
+	if (!(datafellows & SSH_BUG_SIGBLOB)) {
+		memset(sigblob, 0, len);
+		xfree(sigblob);
+	}
+
+	/* sha1 the data */
+	dlen = evp_md->md_size;
+	digest = xmalloc(dlen);
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, data, datalen);
+	EVP_DigestFinal(&md, digest, NULL);
+
+	ret = DSA_do_verify(digest, dlen, sig, key->dsa);
+
+	memset(digest, 0, dlen);
+	xfree(digest);
+	DSA_SIG_free(sig);
+
+	switch (ret) {
+	case 1:
+		txt = "correct";
+		break;
+	case 0:
+		txt = "incorrect";
+		break;
+	case -1:
+	default:
+		txt = "error";
+		break;
+	}
+	debug("ssh_dss_verify: signature %s", txt);
+	return ret;
+}
diff --git a/crypto/openssh/ssh-dss.h b/crypto/openssh/ssh-dss.h
new file mode 100644
index 0000000..0e6a20a
--- /dev/null
+++ b/crypto/openssh/ssh-dss.h
@@ -0,0 +1,41 @@
+/*	$OpenBSD: ssh-dss.h,v 1.3 2001/01/29 01:58:18 niklas Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef DSA_H
+#define DSA_H
+
+int
+ssh_dss_sign(
+    Key *key,
+    u_char **sigp, int *lenp,
+    u_char *data, int datalen);
+
+int
+ssh_dss_verify(
+    Key *key,
+    u_char *signature, int signaturelen,
+    u_char *data, int datalen);
+
+#endif
diff --git a/crypto/openssh/ssh-keygen.1 b/crypto/openssh/ssh-keygen.1
new file mode 100644
index 0000000..371fc5f
--- /dev/null
+++ b/crypto/openssh/ssh-keygen.1
@@ -0,0 +1,280 @@
+.\"	$OpenBSD: ssh-keygen.1,v 1.40 2001/04/23 21:57:07 markus Exp $
+.\"
+.\"  -*- nroff -*-
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" As far as I am concerned, the code I have written for this software
+.\" can be used freely for any purpose.  Any derived versions of this
+.\" software must be clearly marked as such, and if the derived work is
+.\" incompatible with the protocol description in the RFC file, it must be
+.\" called by a name other than "ssh" or "Secure Shell".
+.\"
+.\"
+.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
+.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd September 25, 1999
+.Dt SSH-KEYGEN 1
+.Os
+.Sh NAME
+.Nm ssh-keygen
+.Nd authentication key generation, management and conversion
+.Sh SYNOPSIS
+.Nm ssh-keygen
+.Op Fl q
+.Op Fl b Ar bits
+.Op Fl t Ar type
+.Op Fl N Ar new_passphrase
+.Op Fl C Ar comment
+.Op Fl f Ar output_keyfile
+.Nm ssh-keygen
+.Fl p
+.Op Fl P Ar old_passphrase
+.Op Fl N Ar new_passphrase
+.Op Fl f Ar keyfile
+.Nm ssh-keygen
+.Fl i
+.Op Fl f Ar input_keyfile
+.Nm ssh-keygen
+.Fl e
+.Op Fl f Ar input_keyfile
+.Nm ssh-keygen
+.Fl y
+.Op Fl f Ar input_keyfile
+.Nm ssh-keygen
+.Fl c
+.Op Fl P Ar passphrase
+.Op Fl C Ar comment
+.Op Fl f Ar keyfile
+.Nm ssh-keygen
+.Fl l
+.Op Fl f Ar input_keyfile
+.Nm ssh-keygen
+.Fl B
+.Op Fl f Ar input_keyfile
+.Sh DESCRIPTION
+.Nm
+generates, manages and converts authentication keys for
+.Xr ssh 1 .
+.Nm
+defaults to generating a RSA1 key for use by SSH protocol version 1.
+specifying the
+.Fl t
+option allows you to create a key for use by SSH protocol version 2.
+.Pp
+Normally each user wishing to use SSH
+with RSA or DSA authentication runs this once to create the authentication
+key in
+.Pa $HOME/.ssh/identity ,
+.Pa $HOME/.ssh/id_dsa
+or
+.Pa $HOME/.ssh/id_rsa .
+Additionally, the system administrator may use this to generate host keys,
+as seen in
+.Pa /etc/rc .
+.Pp
+Normally this program generates the key and asks for a file in which
+to store the private key.
+The public key is stored in a file with the same name but
+.Dq .pub
+appended.
+The program also asks for a passphrase.
+The passphrase may be empty to indicate no passphrase
+(host keys must have an empty passphrase), or it may be a string of
+arbitrary length.
+Good passphrases are 10-30 characters long and are
+not simple sentences or otherwise easily guessable (English
+prose has only 1-2 bits of entropy per word, and provides very bad
+passphrases).
+The passphrase can be changed later by using the
+.Fl p
+option.
+.Pp
+There is no way to recover a lost passphrase.
+If the passphrase is
+lost or forgotten, you will have to generate a new key and copy the
+corresponding public key to other machines.
+.Pp
+For RSA1 keys,
+there is also a comment field in the key file that is only for
+convenience to the user to help identify the key.
+The comment can tell what the key is for, or whatever is useful.
+The comment is initialized to
+.Dq user@host
+when the key is created, but can be changed using the
+.Fl c
+option.
+.Pp
+After a key is generated, instructions below detail where the keys
+should be placed to be activated.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl b Ar bits
+Specifies the number of bits in the key to create.
+Minimum is 512 bits.
+Generally 1024 bits is considered sufficient, and key sizes
+above that no longer improve security but make things slower.
+The default is 1024 bits.
+.It Fl c
+Requests changing the comment in the private and public key files.
+The program will prompt for the file containing the private keys, for
+passphrase if the key has one, and for the new comment.
+.It Fl e
+This option will read a private or public OpenSSH key file and
+print the key in a
+.Sq SECSH Public Key File Format
+to stdout.
+This option allows exporting keys for use by several commercial
+SSH implementations.
+.It Fl f
+Specifies the filename of the key file.
+.It Fl i
+This option will read an unencrypted private (or public) key file
+in SSH2-compatible format and print an OpenSSH compatible private
+(or public) key to stdout.
+.Nm
+also reads the
+.Sq SECSH Public Key File Format .
+This option allows importing keys from several commercial
+SSH implementations.
+.It Fl l
+Show fingerprint of specified private or public key file.
+.It Fl p
+Requests changing the passphrase of a private key file instead of
+creating a new private key.
+The program will prompt for the file
+containing the private key, for the old passphrase, and twice for the
+new passphrase.
+.It Fl q
+Silence
+.Nm ssh-keygen .
+Used by
+.Pa /etc/rc
+when creating a new key.
+.It Fl y
+This option will read a private
+OpenSSH format file and print an OpenSSH public key to stdout.
+.It Fl t Ar type
+Specifies the type of the key to create.
+The possible values are
+.Dq rsa1
+for protocol version 1 and
+.Dq rsa
+or
+.Dq dsa
+for protocol version 2.
+The default is
+.Dq rsa1 .
+.It Fl B
+Show the bubblebabble digest of specified private or public key file.
+.It Fl C Ar comment
+Provides the new comment.
+.It Fl N Ar new_passphrase
+Provides the new passphrase.
+.It Fl P Ar passphrase
+Provides the (old) passphrase.
+.El
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/identity
+Contains the protocol version 1 RSA authentication identity of the user.
+This file should not be readable by anyone but the user.
+It is possible to
+specify a passphrase when generating the key; that passphrase will be
+used to encrypt the private part of this file using 3DES.
+This file is not automatically accessed by
+.Nm
+but it is offered as the default file for the private key.
+.Xr sshd 8
+will read this file when a login attempt is made.
+.It Pa $HOME/.ssh/identity.pub
+Contains the protocol version 1 RSA public key for authentication.
+The contents of this file should be added to
+.Pa $HOME/.ssh/authorized_keys
+on all machines
+where you wish to log in using RSA authentication.
+There is no need to keep the contents of this file secret.
+.It Pa $HOME/.ssh/id_dsa
+Contains the protocol version 2 DSA authentication identity of the user.
+This file should not be readable by anyone but the user.
+It is possible to
+specify a passphrase when generating the key; that passphrase will be
+used to encrypt the private part of this file using 3DES.
+This file is not automatically accessed by
+.Nm
+but it is offered as the default file for the private key.
+.Xr sshd 8
+will read this file when a login attempt is made.
+.It Pa $HOME/.ssh/id_dsa.pub
+Contains the protocol version 2 DSA public key for authentication.
+The contents of this file should be added to
+.Pa $HOME/.ssh/authorized_keys2
+on all machines
+where you wish to log in using public key authentication.
+There is no need to keep the contents of this file secret.
+.It Pa $HOME/.ssh/id_rsa
+Contains the protocol version 2 RSA authentication identity of the user.
+This file should not be readable by anyone but the user.
+It is possible to
+specify a passphrase when generating the key; that passphrase will be
+used to encrypt the private part of this file using 3DES.
+This file is not automatically accessed by
+.Nm
+but it is offered as the default file for the private key.
+.Xr sshd 8
+will read this file when a login attempt is made.
+.It Pa $HOME/.ssh/id_rsa.pub
+Contains the protocol version 2 RSA public key for authentication.
+The contents of this file should be added to
+.Pa $HOME/.ssh/authorized_keys2
+on all machines
+where you wish to log in using public key authentication.
+There is no need to keep the contents of this file secret.
+.El
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr sshd 8
+.Rs
+.%A J. Galbraith
+.%A R. Thayer
+.%T "SECSH Public Key File Format"
+.%N draft-ietf-secsh-publickeyfile-01.txt
+.%D March 2001
+.%O work in progress material
+.Re
diff --git a/crypto/openssh/ssh-keygen.c b/crypto/openssh/ssh-keygen.c
new file mode 100644
index 0000000..90d5ffa
--- /dev/null
+++ b/crypto/openssh/ssh-keygen.c
@@ -0,0 +1,879 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Identity and host key generation and maintenance.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: ssh-keygen.c,v 1.60 2001/04/23 22:14:13 markus Exp $");
+
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
+#include "xmalloc.h"
+#include "key.h"
+#include "rsa.h"
+#include "authfile.h"
+#include "uuencode.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "pathnames.h"
+#include "log.h"
+#include "readpass.h"
+
+/* Number of bits in the RSA/DSA key.  This value can be changed on the command line. */
+int bits = 1024;
+
+/*
+ * Flag indicating that we just want to change the passphrase.  This can be
+ * set on the command line.
+ */
+int change_passphrase = 0;
+
+/*
+ * Flag indicating that we just want to change the comment.  This can be set
+ * on the command line.
+ */
+int change_comment = 0;
+
+int quiet = 0;
+
+/* Flag indicating that we just want to see the key fingerprint */
+int print_fingerprint = 0;
+int print_bubblebabble = 0;
+
+/* The identity file name, given on the command line or entered by the user. */
+char identity_file[1024];
+int have_identity = 0;
+
+/* This is set to the passphrase if given on the command line. */
+char *identity_passphrase = NULL;
+
+/* This is set to the new passphrase if given on the command line. */
+char *identity_new_passphrase = NULL;
+
+/* This is set to the new comment if given on the command line. */
+char *identity_comment = NULL;
+
+/* Dump public key file in format used by real and the original SSH 2 */
+int convert_to_ssh2 = 0;
+int convert_from_ssh2 = 0;
+int print_public = 0;
+
+/* default to RSA for SSH-1 */
+char *key_type_name = "rsa1";
+
+/* argv0 */
+extern char *__progname;
+
+char hostname[MAXHOSTNAMELEN];
+
+void
+ask_filename(struct passwd *pw, const char *prompt)
+{
+	char buf[1024];
+	char *name = NULL;
+
+	switch (key_type_from_name(key_type_name)) {
+	case KEY_RSA1:
+		name = _PATH_SSH_CLIENT_IDENTITY;
+		break;
+	case KEY_DSA:
+		name = _PATH_SSH_CLIENT_ID_DSA;
+		break;
+	case KEY_RSA:
+		name = _PATH_SSH_CLIENT_ID_RSA;
+		break;
+	default:
+		fprintf(stderr, "bad key type");
+		exit(1);
+		break;
+	}
+	snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name);
+	fprintf(stderr, "%s (%s): ", prompt, identity_file);
+	fflush(stderr);
+	if (fgets(buf, sizeof(buf), stdin) == NULL)
+		exit(1);
+	if (strchr(buf, '\n'))
+		*strchr(buf, '\n') = 0;
+	if (strcmp(buf, "") != 0)
+		strlcpy(identity_file, buf, sizeof(identity_file));
+	have_identity = 1;
+}
+
+Key *
+try_load_pem_key(char *filename)
+{
+	char *pass;
+	Key *prv;
+
+	prv = key_load_private(filename, "", NULL);
+	if (prv == NULL) {
+		pass = read_passphrase("Enter passphrase: ", 1);
+		prv = key_load_private(filename, pass, NULL);
+		memset(pass, 0, strlen(pass));
+		xfree(pass);
+	}
+	return prv;
+}
+
+#define SSH_COM_PUBLIC_BEGIN		"---- BEGIN SSH2 PUBLIC KEY ----"
+#define SSH_COM_PUBLIC_END  		"---- END SSH2 PUBLIC KEY ----"
+#define SSH_COM_PRIVATE_BEGIN		"---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
+#define	SSH_COM_PRIVATE_KEY_MAGIC	0x3f6ff9eb
+
+void
+do_convert_to_ssh2(struct passwd *pw)
+{
+	Key *k;
+	int len;
+	u_char *blob;
+	struct stat st;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	if ((k = key_load_public(identity_file, NULL)) == NULL) {
+		if ((k = try_load_pem_key(identity_file)) == NULL) {
+			fprintf(stderr, "load failed\n");
+			exit(1);
+		}
+	}
+	key_to_blob(k, &blob, &len);
+	fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN);
+	fprintf(stdout,
+	    "Comment: \"%d-bit %s, converted from OpenSSH by %s@%s\"\n",
+	    key_size(k), key_type(k),
+	    pw->pw_name, hostname);
+	dump_base64(stdout, blob, len);
+	fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END);
+	key_free(k);
+	xfree(blob);
+	exit(0);
+}
+
+void
+buffer_get_bignum_bits(Buffer *b, BIGNUM *value)
+{
+	int bits = buffer_get_int(b);
+	int bytes = (bits + 7) / 8;
+
+	if (buffer_len(b) < bytes)
+		fatal("buffer_get_bignum_bits: input buffer too small: "
+		    "need %d have %d", bytes, buffer_len(b));
+	BN_bin2bn((u_char *)buffer_ptr(b), bytes, value);
+	buffer_consume(b, bytes);
+}
+
+Key *
+do_convert_private_ssh2_from_blob(char *blob, int blen)
+{
+	Buffer b;
+	Key *key = NULL;
+	int ignore, magic, rlen, ktype;
+	char *type, *cipher;
+
+	buffer_init(&b);
+	buffer_append(&b, blob, blen);
+
+	magic  = buffer_get_int(&b);
+	if (magic != SSH_COM_PRIVATE_KEY_MAGIC) {
+		error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC);
+		buffer_free(&b);
+		return NULL;
+	}
+	ignore = buffer_get_int(&b);
+	type   = buffer_get_string(&b, NULL);
+	cipher = buffer_get_string(&b, NULL);
+	ignore = buffer_get_int(&b);
+	ignore = buffer_get_int(&b);
+	ignore = buffer_get_int(&b);
+
+	if (strcmp(cipher, "none") != 0) {
+		error("unsupported cipher %s", cipher);
+		xfree(cipher);
+		buffer_free(&b);
+		xfree(type);
+		return NULL;
+	}
+	xfree(cipher);
+
+	if (strstr(type, "dsa")) {
+		ktype = KEY_DSA;
+	} else if (strstr(type, "rsa")) {
+		ktype = KEY_RSA;
+	} else {
+		xfree(type);
+		return NULL;
+	}
+	key = key_new_private(ktype);
+	xfree(type);
+
+	switch (key->type) {
+	case KEY_DSA:
+		buffer_get_bignum_bits(&b, key->dsa->p);
+		buffer_get_bignum_bits(&b, key->dsa->g);
+		buffer_get_bignum_bits(&b, key->dsa->q);
+		buffer_get_bignum_bits(&b, key->dsa->pub_key);
+		buffer_get_bignum_bits(&b, key->dsa->priv_key);
+		break;
+	case KEY_RSA:
+		if (!BN_set_word(key->rsa->e, (u_long) buffer_get_char(&b))) {
+			buffer_free(&b);
+			key_free(key);
+			return NULL;
+		}
+		buffer_get_bignum_bits(&b, key->rsa->d);
+		buffer_get_bignum_bits(&b, key->rsa->n);
+		buffer_get_bignum_bits(&b, key->rsa->iqmp);
+		buffer_get_bignum_bits(&b, key->rsa->q);
+		buffer_get_bignum_bits(&b, key->rsa->p);
+		generate_additional_parameters(key->rsa);
+		break;
+	}
+	rlen = buffer_len(&b);
+	if(rlen != 0)
+		error("do_convert_private_ssh2_from_blob: "
+		    "remaining bytes in key blob %d", rlen);
+	buffer_free(&b);
+#ifdef DEBUG_PK
+	{
+		u_int slen;
+		u_char *sig, data[10] = "abcde12345";
+
+		key_sign(key, &sig, &slen, data, sizeof data);
+		key_verify(key, sig, slen, data, sizeof data);
+		xfree(sig);
+	}
+#endif
+	return key;
+}
+
+void
+do_convert_from_ssh2(struct passwd *pw)
+{
+	Key *k;
+	int blen;
+	char line[1024], *p;
+	char blob[8096];
+	char encoded[8096];
+	struct stat st;
+	int escaped = 0, private = 0, ok;
+	FILE *fp;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	fp = fopen(identity_file, "r");
+	if (fp == NULL) {
+		perror(identity_file);
+		exit(1);
+	}
+	encoded[0] = '\0';
+	while (fgets(line, sizeof(line), fp)) {
+		if (!(p = strchr(line, '\n'))) {
+			fprintf(stderr, "input line too long.\n");
+			exit(1);
+		}
+		if (p > line && p[-1] == '\\')
+			escaped++;
+		if (strncmp(line, "----", 4) == 0 ||
+		    strstr(line, ": ") != NULL) {
+			if (strstr(line, SSH_COM_PRIVATE_BEGIN) != NULL)
+				private = 1;
+			/* fprintf(stderr, "ignore: %s", line); */
+			continue;
+		}
+		if (escaped) {
+			escaped--;
+			/* fprintf(stderr, "escaped: %s", line); */
+			continue;
+		}
+		*p = '\0';
+		strlcat(encoded, line, sizeof(encoded));
+	}
+	blen = uudecode(encoded, (u_char *)blob, sizeof(blob));
+	if (blen < 0) {
+		fprintf(stderr, "uudecode failed.\n");
+		exit(1);
+	}
+	k = private ?
+	    do_convert_private_ssh2_from_blob(blob, blen) :
+	    key_from_blob(blob, blen);
+	if (k == NULL) {
+		fprintf(stderr, "decode blob failed.\n");
+		exit(1);
+	}
+	ok = private ?
+	    (k->type == KEY_DSA ?
+		 PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL) :
+		 PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, NULL, 0, NULL, NULL)) :
+	    key_write(k, stdout);
+	if (!ok) {
+		fprintf(stderr, "key write failed");
+		exit(1);
+	}
+	key_free(k);
+	fprintf(stdout, "\n");
+	fclose(fp);
+	exit(0);
+}
+
+void
+do_print_public(struct passwd *pw)
+{
+	Key *prv;
+	struct stat st;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	prv = try_load_pem_key(identity_file);
+	if (prv == NULL) {
+		fprintf(stderr, "load failed\n");
+		exit(1);
+	}
+	if (!key_write(prv, stdout))
+		fprintf(stderr, "key_write failed");
+	key_free(prv);
+	fprintf(stdout, "\n");
+	exit(0);
+}
+
+void
+do_fingerprint(struct passwd *pw)
+{
+	FILE *f;
+	Key *public;
+	char *comment = NULL, *cp, *ep, line[16*1024], *fp;
+	int i, skip = 0, num = 1, invalid = 1, rep, fptype;
+	struct stat st;
+
+	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	public = key_load_public(identity_file, &comment);
+	if (public != NULL) {
+		fp = key_fingerprint(public, fptype, rep);
+		printf("%d %s %s\n", key_size(public), fp, comment);
+		key_free(public);
+		xfree(comment);
+		xfree(fp);
+		exit(0);
+	}
+	if (comment)
+		xfree(comment);
+
+	f = fopen(identity_file, "r");
+	if (f != NULL) {
+		while (fgets(line, sizeof(line), f)) {
+			i = strlen(line) - 1;
+			if (line[i] != '\n') {
+				error("line %d too long: %.40s...", num, line);
+				skip = 1;
+				continue;
+			}
+			num++;
+			if (skip) {
+				skip = 0;
+				continue;
+			}
+			line[i] = '\0';
+
+			/* Skip leading whitespace, empty and comment lines. */
+			for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
+				;
+			if (!*cp || *cp == '\n' || *cp == '#')
+				continue ;
+			i = strtol(cp, &ep, 10);
+			if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {
+				int quoted = 0;
+				comment = cp;
+				for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+					if (*cp == '\\' && cp[1] == '"')
+						cp++;	/* Skip both */
+					else if (*cp == '"')
+						quoted = !quoted;
+				}
+				if (!*cp)
+					continue;
+				*cp++ = '\0';
+			}
+			ep = cp;
+			public = key_new(KEY_RSA1);
+			if (key_read(public, &cp) != 1) {
+				cp = ep;
+				key_free(public);
+				public = key_new(KEY_UNSPEC);
+				if (key_read(public, &cp) != 1) {
+					key_free(public);
+					continue;
+				}
+			}
+			comment = *cp ? cp : comment;
+			fp = key_fingerprint(public, fptype, rep);
+			printf("%d %s %s\n", key_size(public), fp,
+			    comment ? comment : "no comment");
+			xfree(fp);
+			key_free(public);
+			invalid = 0;
+		}
+		fclose(f);
+	}
+	if (invalid) {
+		printf("%s is not a valid key file.\n", identity_file);
+		exit(1);
+	}
+	exit(0);
+}
+
+/*
+ * Perform changing a passphrase.  The argument is the passwd structure
+ * for the current user.
+ */
+void
+do_change_passphrase(struct passwd *pw)
+{
+	char *comment;
+	char *old_passphrase, *passphrase1, *passphrase2;
+	struct stat st;
+	Key *private;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	/* Try to load the file with empty passphrase. */
+	private = key_load_private(identity_file, "", &comment);
+	if (private == NULL) {
+		if (identity_passphrase)
+			old_passphrase = xstrdup(identity_passphrase);
+		else
+			old_passphrase = read_passphrase("Enter old passphrase: ", 1);
+		private = key_load_private(identity_file, old_passphrase , &comment);
+		memset(old_passphrase, 0, strlen(old_passphrase));
+		xfree(old_passphrase);
+		if (private == NULL) {
+			printf("Bad passphrase.\n");
+			exit(1);
+		}
+	}
+	printf("Key has comment '%s'\n", comment);
+
+	/* Ask the new passphrase (twice). */
+	if (identity_new_passphrase) {
+		passphrase1 = xstrdup(identity_new_passphrase);
+		passphrase2 = NULL;
+	} else {
+		passphrase1 =
+			read_passphrase("Enter new passphrase (empty for no passphrase): ", 1);
+		passphrase2 = read_passphrase("Enter same passphrase again: ", 1);
+
+		/* Verify that they are the same. */
+		if (strcmp(passphrase1, passphrase2) != 0) {
+			memset(passphrase1, 0, strlen(passphrase1));
+			memset(passphrase2, 0, strlen(passphrase2));
+			xfree(passphrase1);
+			xfree(passphrase2);
+			printf("Pass phrases do not match.  Try again.\n");
+			exit(1);
+		}
+		/* Destroy the other copy. */
+		memset(passphrase2, 0, strlen(passphrase2));
+		xfree(passphrase2);
+	}
+
+	/* Save the file using the new passphrase. */
+	if (!key_save_private(private, identity_file, passphrase1, comment)) {
+		printf("Saving the key failed: %s.\n", identity_file);
+		memset(passphrase1, 0, strlen(passphrase1));
+		xfree(passphrase1);
+		key_free(private);
+		xfree(comment);
+		exit(1);
+	}
+	/* Destroy the passphrase and the copy of the key in memory. */
+	memset(passphrase1, 0, strlen(passphrase1));
+	xfree(passphrase1);
+	key_free(private);		 /* Destroys contents */
+	xfree(comment);
+
+	printf("Your identification has been saved with the new passphrase.\n");
+	exit(0);
+}
+
+/*
+ * Change the comment of a private key file.
+ */
+void
+do_change_comment(struct passwd *pw)
+{
+	char new_comment[1024], *comment, *passphrase;
+	Key *private;
+	Key *public;
+	struct stat st;
+	FILE *f;
+	int fd;
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which the key is");
+	if (stat(identity_file, &st) < 0) {
+		perror(identity_file);
+		exit(1);
+	}
+	private = key_load_private(identity_file, "", &comment);
+	if (private == NULL) {
+		if (identity_passphrase)
+			passphrase = xstrdup(identity_passphrase);
+		else if (identity_new_passphrase)
+			passphrase = xstrdup(identity_new_passphrase);
+		else
+			passphrase = read_passphrase("Enter passphrase: ", 1);
+		/* Try to load using the passphrase. */
+		private = key_load_private(identity_file, passphrase, &comment);
+		if (private == NULL) {
+			memset(passphrase, 0, strlen(passphrase));
+			xfree(passphrase);
+			printf("Bad passphrase.\n");
+			exit(1);
+		}
+	} else {
+		passphrase = xstrdup("");
+	}
+	if (private->type != KEY_RSA1) {
+		fprintf(stderr, "Comments are only supported for RSA1 keys.\n");
+		key_free(private);
+		exit(1);
+	}	
+	printf("Key now has comment '%s'\n", comment);
+
+	if (identity_comment) {
+		strlcpy(new_comment, identity_comment, sizeof(new_comment));
+	} else {
+		printf("Enter new comment: ");
+		fflush(stdout);
+		if (!fgets(new_comment, sizeof(new_comment), stdin)) {
+			memset(passphrase, 0, strlen(passphrase));
+			key_free(private);
+			exit(1);
+		}
+		if (strchr(new_comment, '\n'))
+			*strchr(new_comment, '\n') = 0;
+	}
+
+	/* Save the file using the new passphrase. */
+	if (!key_save_private(private, identity_file, passphrase, new_comment)) {
+		printf("Saving the key failed: %s.\n", identity_file);
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+		key_free(private);
+		xfree(comment);
+		exit(1);
+	}
+	memset(passphrase, 0, strlen(passphrase));
+	xfree(passphrase);
+	public = key_from_private(private);
+	key_free(private);
+
+	strlcat(identity_file, ".pub", sizeof(identity_file));
+	fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+	if (fd == -1) {
+		printf("Could not save your public key in %s\n", identity_file);
+		exit(1);
+	}
+	f = fdopen(fd, "w");
+	if (f == NULL) {
+		printf("fdopen %s failed", identity_file);
+		exit(1);
+	}
+	if (!key_write(public, f))
+		fprintf(stderr, "write key failed");
+	key_free(public);
+	fprintf(f, " %s\n", new_comment);
+	fclose(f);
+
+	xfree(comment);
+
+	printf("The comment in your key file has been changed.\n");
+	exit(0);
+}
+
+void
+usage(void)
+{
+	printf("Usage: %s [-ceilpqyB] [-t type] [-b bits] [-f file] [-C comment] "
+	    "[-N new-pass] [-P pass]\n", __progname);
+	exit(1);
+}
+
+/*
+ * Main program for key management.
+ */
+int
+main(int ac, char **av)
+{
+	char dotsshdir[16 * 1024], comment[1024], *passphrase1, *passphrase2;
+	Key *private, *public;
+	struct passwd *pw;
+	int opt, type, fd;
+	struct stat st;
+	FILE *f;
+
+	extern int optind;
+	extern char *optarg;
+
+	SSLeay_add_all_algorithms();
+
+	/* we need this for the home * directory.  */
+	pw = getpwuid(getuid());
+	if (!pw) {
+		printf("You don't exist, go away!\n");
+		exit(1);
+	}
+	if (gethostname(hostname, sizeof(hostname)) < 0) {
+		perror("gethostname");
+		exit(1);
+	}
+
+	while ((opt = getopt(ac, av, "deiqpclBRxXyb:f:t:P:N:C:")) != -1) {
+		switch (opt) {
+		case 'b':
+			bits = atoi(optarg);
+			if (bits < 512 || bits > 32768) {
+				printf("Bits has bad value.\n");
+				exit(1);
+			}
+			break;
+
+		case 'l':
+			print_fingerprint = 1;
+			break;
+
+		case 'B':
+			print_bubblebabble = 1;
+			break;
+
+		case 'p':
+			change_passphrase = 1;
+			break;
+
+		case 'c':
+			change_comment = 1;
+			break;
+
+		case 'f':
+			strlcpy(identity_file, optarg, sizeof(identity_file));
+			have_identity = 1;
+			break;
+
+		case 'P':
+			identity_passphrase = optarg;
+			break;
+
+		case 'N':
+			identity_new_passphrase = optarg;
+			break;
+
+		case 'C':
+			identity_comment = optarg;
+			break;
+
+		case 'q':
+			quiet = 1;
+			break;
+
+		case 'R':
+			/* unused */
+			exit(0);
+			break;
+
+		case 'e':
+		case 'x':
+			/* export key */
+			convert_to_ssh2 = 1;
+			break;
+
+		case 'i':
+		case 'X':
+			/* import key */
+			convert_from_ssh2 = 1;
+			break;
+
+		case 'y':
+			print_public = 1;
+			break;
+
+		case 'd':
+			key_type_name = "dsa";
+			break;
+
+		case 't':
+			key_type_name = optarg;
+			break;
+
+		case '?':
+		default:
+			usage();
+		}
+	}
+	if (optind < ac) {
+		printf("Too many arguments.\n");
+		usage();
+	}
+	if (change_passphrase && change_comment) {
+		printf("Can only have one of -p and -c.\n");
+		usage();
+	}
+	if (print_fingerprint || print_bubblebabble)
+		do_fingerprint(pw);
+	if (change_passphrase)
+		do_change_passphrase(pw);
+	if (change_comment)
+		do_change_comment(pw);
+	if (convert_to_ssh2)
+		do_convert_to_ssh2(pw);
+	if (convert_from_ssh2)
+		do_convert_from_ssh2(pw);
+	if (print_public)
+		do_print_public(pw);
+
+	arc4random_stir();
+
+	type = key_type_from_name(key_type_name);
+	if (type == KEY_UNSPEC) {
+		fprintf(stderr, "unknown key type %s\n", key_type_name);
+		exit(1);
+	}
+	if (!quiet)
+		printf("Generating public/private %s key pair.\n", key_type_name);
+	private = key_generate(type, bits);
+	if (private == NULL) {
+		fprintf(stderr, "key_generate failed");
+		exit(1);
+	}
+	public  = key_from_private(private);
+
+	if (!have_identity)
+		ask_filename(pw, "Enter file in which to save the key");
+
+	/* Create ~/.ssh directory if it doesn\'t already exist. */
+	snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
+	if (strstr(identity_file, dotsshdir) != NULL &&
+	    stat(dotsshdir, &st) < 0) {
+		if (mkdir(dotsshdir, 0700) < 0)
+			error("Could not create directory '%s'.", dotsshdir);
+		else if (!quiet)
+			printf("Created directory '%s'.\n", dotsshdir);
+	}
+	/* If the file already exists, ask the user to confirm. */
+	if (stat(identity_file, &st) >= 0) {
+		char yesno[3];
+		printf("%s already exists.\n", identity_file);
+		printf("Overwrite (y/n)? ");
+		fflush(stdout);
+		if (fgets(yesno, sizeof(yesno), stdin) == NULL)
+			exit(1);
+		if (yesno[0] != 'y' && yesno[0] != 'Y')
+			exit(1);
+	}
+	/* Ask for a passphrase (twice). */
+	if (identity_passphrase)
+		passphrase1 = xstrdup(identity_passphrase);
+	else if (identity_new_passphrase)
+		passphrase1 = xstrdup(identity_new_passphrase);
+	else {
+passphrase_again:
+		passphrase1 =
+			read_passphrase("Enter passphrase (empty for no passphrase): ", 1);
+		passphrase2 = read_passphrase("Enter same passphrase again: ", 1);
+		if (strcmp(passphrase1, passphrase2) != 0) {
+			/* The passphrases do not match.  Clear them and retry. */
+			memset(passphrase1, 0, strlen(passphrase1));
+			memset(passphrase2, 0, strlen(passphrase2));
+			xfree(passphrase1);
+			xfree(passphrase2);
+			printf("Passphrases do not match.  Try again.\n");
+			goto passphrase_again;
+		}
+		/* Clear the other copy of the passphrase. */
+		memset(passphrase2, 0, strlen(passphrase2));
+		xfree(passphrase2);
+	}
+
+	if (identity_comment) {
+		strlcpy(comment, identity_comment, sizeof(comment));
+	} else {
+		/* Create default commend field for the passphrase. */
+		snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
+	}
+
+	/* Save the key with the given passphrase and comment. */
+	if (!key_save_private(private, identity_file, passphrase1, comment)) {
+		printf("Saving the key failed: %s.\n", identity_file);
+		memset(passphrase1, 0, strlen(passphrase1));
+		xfree(passphrase1);
+		exit(1);
+	}
+	/* Clear the passphrase. */
+	memset(passphrase1, 0, strlen(passphrase1));
+	xfree(passphrase1);
+
+	/* Clear the private key and the random number generator. */
+	key_free(private);
+	arc4random_stir();
+
+	if (!quiet)
+		printf("Your identification has been saved in %s.\n", identity_file);
+
+	strlcat(identity_file, ".pub", sizeof(identity_file));
+	fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+	if (fd == -1) {
+		printf("Could not save your public key in %s\n", identity_file);
+		exit(1);
+	}
+	f = fdopen(fd, "w");
+	if (f == NULL) {
+		printf("fdopen %s failed", identity_file);
+		exit(1);
+	}
+	if (!key_write(public, f))
+		fprintf(stderr, "write key failed");
+	fprintf(f, " %s\n", comment);
+	fclose(f);
+
+	if (!quiet) {
+		char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
+		printf("Your public key has been saved in %s.\n",
+		    identity_file);
+		printf("The key fingerprint is:\n");
+		printf("%s %s\n", fp, comment);
+		xfree(fp);
+	}
+
+	key_free(public);
+	exit(0);
+}
diff --git a/crypto/openssh/ssh-keygen/Makefile b/crypto/openssh/ssh-keygen/Makefile
new file mode 100644
index 0000000..b7c1151
--- /dev/null
+++ b/crypto/openssh/ssh-keygen/Makefile
@@ -0,0 +1,18 @@
+#	$OpenBSD: Makefile,v 1.17 2001/03/04 00:51:26 markus Exp $
+
+.PATH:		${.CURDIR}/..
+
+PROG=	ssh-keygen
+BINOWN=	root
+
+BINMODE?=555
+
+BINDIR=	/usr/bin
+MAN=	ssh-keygen.1
+
+SRCS=	ssh-keygen.c
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto
+DPADD+=	${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-keyscan.1 b/crypto/openssh/ssh-keyscan.1
new file mode 100644
index 0000000..4db8c5f
--- /dev/null
+++ b/crypto/openssh/ssh-keyscan.1
@@ -0,0 +1,104 @@
+.\"	$OpenBSD: ssh-keyscan.1,v 1.5 2001/04/18 16:21:05 ian Exp $
+.\"
+.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
+.\"
+.\" Modification and redistribution in source and binary forms is
+.\" permitted provided that due credit is given to the author and the
+.\" OpenBSD project (for instance by leaving this copyright notice
+.\" intact).
+.\"
+.Dd January 1, 1996
+.Dt SSH-KEYSCAN 1
+.Os
+.Sh NAME
+.Nm ssh-keyscan
+.Nd gather ssh public keys
+.Sh SYNOPSIS
+.Nm ssh-keyscan
+.Op Fl t Ar timeout
+.Op Ar -- | host | addrlist namelist
+.Op Fl f Ar files ...
+.Sh DESCRIPTION
+.Nm
+is a utility for gathering the public ssh host keys of a number of
+hosts.  It was designed to aid in building and verifying
+.Pa ssh_known_hosts
+files.
+.Nm
+provides a minimal interface suitable for use by shell and perl
+scripts.
+.Pp
+.Nm
+uses non-blocking socket I/O to contact as many hosts as possible in
+parallel, so it is very efficient.  The keys from a domain of 1,000
+hosts can be collected in tens of seconds, even when some of those
+hosts are down or do not run ssh.  You do not need login access to the
+machines you are scanning, nor does the scanning process involve
+any encryption.
+.Sh SECURITY
+If you make an ssh_known_hosts file using
+.Nm
+without verifying the keys, you will be vulnerable to
+.I man in the middle
+attacks.
+On the other hand, if your security model allows such a risk,
+.Nm
+can help you detect tampered keyfiles or man in the middle attacks which
+have begun after you created your ssh_known_hosts file.
+.Sh OPTIONS
+.Bl -tag -width Ds
+.It Fl t
+Set the timeout for connection attempts.  If 
+.Pa timeout
+seconds have elapsed since a connection was initiated to a host or since the
+last time anything was read from that host, then the connection is
+closed and the host in question considered unavailable.  Default is 5
+seconds.
+.It Fl f
+Read hosts or 
+.Pa addrlist namelist
+pairs from this file, one per line.
+If
+.Pa -
+is supplied instead of a filename,
+.Nm
+will read hosts or 
+.Pa addrlist namelist
+pairs from the standard input.
+.El
+.Sh EXAMPLES
+.Pp
+Print the host key for machine
+.Pa hostname :
+.Bd -literal
+ssh-keyscan hostname
+.Ed
+.Pp
+Find all hosts from the file
+.Pa ssh_hosts
+which have new or different keys from those in the sorted file
+.Pa ssh_known_hosts :
+.Bd -literal
+$ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ 
+	diff ssh_known_hosts -
+.Ed
+.Pp
+.Sh FILES
+.Pp
+.Pa Input format:
+1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
+.Pp
+.Pa Output format:
+host-or-namelist bits exponent modulus
+.Pp
+.Pa /etc/ssh_known_hosts
+.Sh BUGS
+It generates "Connection closed by remote host" messages on the consoles
+of all the machines it scans.
+This is because it opens a connection to the ssh port, reads the public
+key, and drops the connection as soon as it gets the key.
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr sshd 8
+.Sh AUTHOR
+David Mazieres <dm@lcs.mit.edu>
diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c
new file mode 100644
index 0000000..dba2d83
--- /dev/null
+++ b/crypto/openssh/ssh-keyscan.c
@@ -0,0 +1,625 @@
+/*
+ * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
+ *
+ * Modification and redistribution in source and binary forms is
+ * permitted provided that due credit is given to the author and the
+ * OpenBSD project (for instance by leaving this copyright notice
+ * intact).
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.22 2001/03/06 06:11:18 deraadt Exp $");
+
+#include <sys/queue.h>
+#include <errno.h>
+
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "ssh.h"
+#include "ssh1.h"
+#include "key.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "log.h"
+#include "atomicio.h"
+
+static int argno = 1;		/* Number of argument currently being parsed */
+
+int family = AF_UNSPEC;		/* IPv4, IPv6 or both */
+
+#define MAXMAXFD 256
+
+/* The number of seconds after which to give up on a TCP connection */
+int timeout = 5;
+
+int maxfd;
+#define MAXCON (maxfd - 10)
+
+extern char *__progname;
+fd_set *read_wait;
+size_t read_wait_size;
+int ncon;
+
+/*
+ * Keep a connection structure for each file descriptor.  The state
+ * associated with file descriptor n is held in fdcon[n].
+ */
+typedef struct Connection {
+	u_char c_status;	/* State of connection on this file desc. */
+#define CS_UNUSED 0		/* File descriptor unused */
+#define CS_CON 1		/* Waiting to connect/read greeting */
+#define CS_SIZE 2		/* Waiting to read initial packet size */
+#define CS_KEYS 3		/* Waiting to read public key packet */
+	int c_fd;		/* Quick lookup: c->c_fd == c - fdcon */
+	int c_plen;		/* Packet length field for ssh packet */
+	int c_len;		/* Total bytes which must be read. */
+	int c_off;		/* Length of data read so far. */
+	char *c_namebase;	/* Address to free for c_name and c_namelist */
+	char *c_name;		/* Hostname of connection for errors */
+	char *c_namelist;	/* Pointer to other possible addresses */
+	char *c_output_name;	/* Hostname of connection for output */
+	char *c_data;		/* Data read from this fd */
+	struct timeval c_tv;	/* Time at which connection gets aborted */
+	TAILQ_ENTRY(Connection) c_link;	/* List of connections in timeout order. */
+} con;
+
+TAILQ_HEAD(conlist, Connection) tq;	/* Timeout Queue */
+con *fdcon;
+
+/*
+ *  This is just a wrapper around fgets() to make it usable.
+ */
+
+/* Stress-test.  Increase this later. */
+#define LINEBUF_SIZE 16
+
+typedef struct {
+	char *buf;
+	u_int size;
+	int lineno;
+	const char *filename;
+	FILE *stream;
+	void (*errfun) (const char *,...);
+} Linebuf;
+
+Linebuf *
+Linebuf_alloc(const char *filename, void (*errfun) (const char *,...))
+{
+	Linebuf *lb;
+
+	if (!(lb = malloc(sizeof(*lb)))) {
+		if (errfun)
+			(*errfun) ("linebuf (%s): malloc failed\n", lb->filename);
+		return (NULL);
+	}
+	if (filename) {
+		lb->filename = filename;
+		if (!(lb->stream = fopen(filename, "r"))) {
+			xfree(lb);
+			if (errfun)
+				(*errfun) ("%s: %s\n", filename, strerror(errno));
+			return (NULL);
+		}
+	} else {
+		lb->filename = "(stdin)";
+		lb->stream = stdin;
+	}
+
+	if (!(lb->buf = malloc(lb->size = LINEBUF_SIZE))) {
+		if (errfun)
+			(*errfun) ("linebuf (%s): malloc failed\n", lb->filename);
+		xfree(lb);
+		return (NULL);
+	}
+	lb->errfun = errfun;
+	lb->lineno = 0;
+	return (lb);
+}
+
+void
+Linebuf_free(Linebuf * lb)
+{
+	fclose(lb->stream);
+	xfree(lb->buf);
+	xfree(lb);
+}
+
+void
+Linebuf_restart(Linebuf * lb)
+{
+	clearerr(lb->stream);
+	rewind(lb->stream);
+	lb->lineno = 0;
+}
+
+int
+Linebuf_lineno(Linebuf * lb)
+{
+	return (lb->lineno);
+}
+
+char *
+Linebuf_getline(Linebuf * lb)
+{
+	int n = 0;
+
+	lb->lineno++;
+	for (;;) {
+		/* Read a line */
+		if (!fgets(&lb->buf[n], lb->size - n, lb->stream)) {
+			if (ferror(lb->stream) && lb->errfun)
+				(*lb->errfun) ("%s: %s\n", lb->filename,
+				    strerror(errno));
+			return (NULL);
+		}
+		n = strlen(lb->buf);
+
+		/* Return it or an error if it fits */
+		if (n > 0 && lb->buf[n - 1] == '\n') {
+			lb->buf[n - 1] = '\0';
+			return (lb->buf);
+		}
+		if (n != lb->size - 1) {
+			if (lb->errfun)
+				(*lb->errfun) ("%s: skipping incomplete last line\n",
+				    lb->filename);
+			return (NULL);
+		}
+		/* Double the buffer if we need more space */
+		if (!(lb->buf = realloc(lb->buf, (lb->size *= 2)))) {
+			if (lb->errfun)
+				(*lb->errfun) ("linebuf (%s): realloc failed\n",
+				    lb->filename);
+			return (NULL);
+		}
+	}
+}
+
+int
+fdlim_get(int hard)
+{
+	struct rlimit rlfd;
+
+	if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0)
+		return (-1);
+	if ((hard ? rlfd.rlim_max : rlfd.rlim_cur) == RLIM_INFINITY)
+		return 10000;
+	else
+		return hard ? rlfd.rlim_max : rlfd.rlim_cur;
+}
+
+int
+fdlim_set(int lim)
+{
+	struct rlimit rlfd;
+	if (lim <= 0)
+		return (-1);
+	if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0)
+		return (-1);
+	rlfd.rlim_cur = lim;
+	if (setrlimit(RLIMIT_NOFILE, &rlfd) < 0)
+		return (-1);
+	return (0);
+}
+
+/*
+ * This is an strsep function that returns a null field for adjacent
+ * separators.  This is the same as the 4.4BSD strsep, but different from the
+ * one in the GNU libc.
+ */
+char *
+xstrsep(char **str, const char *delim)
+{
+	char *s, *e;
+
+	if (!**str)
+		return (NULL);
+
+	s = *str;
+	e = s + strcspn(s, delim);
+
+	if (*e != '\0')
+		*e++ = '\0';
+	*str = e;
+
+	return (s);
+}
+
+/*
+ * Get the next non-null token (like GNU strsep).  Strsep() will return a
+ * null token for two adjacent separators, so we may have to loop.
+ */
+char *
+strnnsep(char **stringp, char *delim)
+{
+	char *tok;
+
+	do {
+		tok = xstrsep(stringp, delim);
+	} while (tok && *tok == '\0');
+	return (tok);
+}
+
+void
+keyprint(char *host, char *output_name, char *kd, int len)
+{
+	static Key *rsa;
+	static Buffer msg;
+
+	if (rsa == NULL) {
+		buffer_init(&msg);
+		rsa = key_new(KEY_RSA1);
+	}
+	buffer_append(&msg, kd, len);
+	buffer_consume(&msg, 8 - (len & 7));	/* padding */
+	if (buffer_get_char(&msg) != (int) SSH_SMSG_PUBLIC_KEY) {
+		error("%s: invalid packet type", host);
+		buffer_clear(&msg);
+		return;
+	}
+	buffer_consume(&msg, 8);		/* cookie */
+
+	/* server key */
+	(void) buffer_get_int(&msg);
+	buffer_get_bignum(&msg, rsa->rsa->e);
+	buffer_get_bignum(&msg, rsa->rsa->n);
+
+	/* host key */
+	(void) buffer_get_int(&msg);
+	buffer_get_bignum(&msg, rsa->rsa->e);
+	buffer_get_bignum(&msg, rsa->rsa->n);
+	buffer_clear(&msg);
+
+	fprintf(stdout, "%s ", output_name ? output_name : host);
+	key_write(rsa, stdout);
+	fputs("\n", stdout);
+}
+
+int
+tcpconnect(char *host)
+{
+	struct addrinfo hints, *ai, *aitop;
+	char strport[NI_MAXSERV];
+	int gaierr, s = -1;
+
+	snprintf(strport, sizeof strport, "%d", SSH_DEFAULT_PORT);
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = family;
+	hints.ai_socktype = SOCK_STREAM;
+	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+		fatal("getaddrinfo %s: %s", host, gai_strerror(gaierr));
+	for (ai = aitop; ai; ai = ai->ai_next) {
+		s = socket(ai->ai_family, SOCK_STREAM, 0);
+		if (s < 0) {
+			error("socket: %s", strerror(errno));
+			continue;
+		}
+		if (fcntl(s, F_SETFL, O_NONBLOCK) < 0)
+			fatal("F_SETFL: %s", strerror(errno));
+		if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0 &&
+		    errno != EINPROGRESS)
+			error("connect (`%s'): %s", host, strerror(errno));
+		else
+			break;
+		close(s);
+		s = -1;
+	}
+	freeaddrinfo(aitop);
+	return s;
+}
+
+int
+conalloc(char *iname, char *oname)
+{
+	int s;
+	char *namebase, *name, *namelist;
+
+	namebase = namelist = xstrdup(iname);
+
+	do {
+		name = xstrsep(&namelist, ",");
+		if (!name) {
+			xfree(namebase);
+			return (-1);
+		}
+	} while ((s = tcpconnect(name)) < 0);
+
+	if (s >= maxfd)
+		fatal("conalloc: fdno %d too high", s);
+	if (fdcon[s].c_status)
+		fatal("conalloc: attempt to reuse fdno %d", s);
+
+	fdcon[s].c_fd = s;
+	fdcon[s].c_status = CS_CON;
+	fdcon[s].c_namebase = namebase;
+	fdcon[s].c_name = name;
+	fdcon[s].c_namelist = namelist;
+	fdcon[s].c_output_name = xstrdup(oname);
+	fdcon[s].c_data = (char *) &fdcon[s].c_plen;
+	fdcon[s].c_len = 4;
+	fdcon[s].c_off = 0;
+	gettimeofday(&fdcon[s].c_tv, NULL);
+	fdcon[s].c_tv.tv_sec += timeout;
+	TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link);
+	FD_SET(s, read_wait);
+	ncon++;
+	return (s);
+}
+
+void
+confree(int s)
+{
+	if (s >= maxfd || fdcon[s].c_status == CS_UNUSED)
+		fatal("confree: attempt to free bad fdno %d", s);
+	close(s);
+	xfree(fdcon[s].c_namebase);
+	xfree(fdcon[s].c_output_name);
+	if (fdcon[s].c_status == CS_KEYS)
+		xfree(fdcon[s].c_data);
+	fdcon[s].c_status = CS_UNUSED;
+	TAILQ_REMOVE(&tq, &fdcon[s], c_link);
+	FD_CLR(s, read_wait);
+	ncon--;
+}
+
+void
+contouch(int s)
+{
+	TAILQ_REMOVE(&tq, &fdcon[s], c_link);
+	gettimeofday(&fdcon[s].c_tv, NULL);
+	fdcon[s].c_tv.tv_sec += timeout;
+	TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link);
+}
+
+int
+conrecycle(int s)
+{
+	int ret;
+	con *c = &fdcon[s];
+	char *iname, *oname;
+
+	iname = xstrdup(c->c_namelist);
+	oname = xstrdup(c->c_output_name);
+	confree(s);
+	ret = conalloc(iname, oname);
+	xfree(iname);
+	xfree(oname);
+	return (ret);
+}
+
+void
+congreet(int s)
+{
+	char buf[80], *cp;
+	size_t bufsiz;
+	int n = 0;
+	con *c = &fdcon[s];
+
+	bufsiz = sizeof(buf);
+	cp = buf;
+	while (bufsiz-- && (n = read(s, cp, 1)) == 1 && *cp != '\n' && *cp != '\r')
+		cp++;
+	if (n < 0) {
+		if (errno != ECONNREFUSED)
+			error("read (%s): %s", c->c_name, strerror(errno));
+		conrecycle(s);
+		return;
+	}
+	if (*cp != '\n' && *cp != '\r') {
+		error("%s: bad greeting", c->c_name);
+		confree(s);
+		return;
+	}
+	*cp = '\0';
+	fprintf(stderr, "# %s %s\n", c->c_name, buf);
+	n = snprintf(buf, sizeof buf, "SSH-1.5-OpenSSH-keyscan\r\n");
+	if (atomicio(write, s, buf, n) != n) {
+		error("write (%s): %s", c->c_name, strerror(errno));
+		confree(s);
+		return;
+	}
+	c->c_status = CS_SIZE;
+	contouch(s);
+}
+
+void
+conread(int s)
+{
+	int n;
+	con *c = &fdcon[s];
+
+	if (c->c_status == CS_CON) {
+		congreet(s);
+		return;
+	}
+	n = read(s, c->c_data + c->c_off, c->c_len - c->c_off);
+	if (n < 0) {
+		error("read (%s): %s", c->c_name, strerror(errno));
+		confree(s);
+		return;
+	}
+	c->c_off += n;
+
+	if (c->c_off == c->c_len)
+		switch (c->c_status) {
+		case CS_SIZE:
+			c->c_plen = htonl(c->c_plen);
+			c->c_len = c->c_plen + 8 - (c->c_plen & 7);
+			c->c_off = 0;
+			c->c_data = xmalloc(c->c_len);
+			c->c_status = CS_KEYS;
+			break;
+		case CS_KEYS:
+			keyprint(c->c_name, c->c_output_name, c->c_data, c->c_plen);
+			confree(s);
+			return;
+			break;
+		default:
+			fatal("conread: invalid status %d", c->c_status);
+			break;
+		}
+
+	contouch(s);
+}
+
+void
+conloop(void)
+{
+	fd_set *r, *e;
+	struct timeval seltime, now;
+	int i;
+	con *c;
+
+	gettimeofday(&now, NULL);
+	c = tq.tqh_first;
+
+	if (c && (c->c_tv.tv_sec > now.tv_sec ||
+	    (c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec > now.tv_usec))) {
+		seltime = c->c_tv;
+		seltime.tv_sec -= now.tv_sec;
+		seltime.tv_usec -= now.tv_usec;
+		if (seltime.tv_usec < 0) {
+			seltime.tv_usec += 1000000;
+			seltime.tv_sec--;
+		}
+	} else
+		seltime.tv_sec = seltime.tv_usec = 0;
+
+	r = xmalloc(read_wait_size);
+	memcpy(r, read_wait, read_wait_size);
+	e = xmalloc(read_wait_size);
+	memcpy(e, read_wait, read_wait_size);
+
+	while (select(maxfd, r, NULL, e, &seltime) == -1 &&
+	    (errno == EAGAIN || errno == EINTR))
+		;
+
+	for (i = 0; i < maxfd; i++) {
+		if (FD_ISSET(i, e)) {
+			error("%s: exception!", fdcon[i].c_name);
+			confree(i);
+		} else if (FD_ISSET(i, r))
+			conread(i);
+	}
+	xfree(r);
+	xfree(e);
+
+	c = tq.tqh_first;
+	while (c && (c->c_tv.tv_sec < now.tv_sec ||
+	    (c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec < now.tv_usec))) {
+		int s = c->c_fd;
+
+		c = c->c_link.tqe_next;
+		conrecycle(s);
+	}
+}
+
+char *
+nexthost(int argc, char **argv)
+{
+	static Linebuf *lb;
+
+	for (;;) {
+		if (!lb) {
+			if (argno >= argc)
+				return (NULL);
+			if (argv[argno][0] != '-')
+				return (argv[argno++]);
+			if (!strcmp(argv[argno], "--")) {
+				if (++argno >= argc)
+					return (NULL);
+				return (argv[argno++]);
+			} else if (!strncmp(argv[argno], "-f", 2)) {
+				char *fname;
+
+				if (argv[argno][2])
+					fname = &argv[argno++][2];
+				else if (++argno >= argc) {
+					error("missing filename for `-f'");
+					return (NULL);
+				} else
+					fname = argv[argno++];
+				if (!strcmp(fname, "-"))
+					fname = NULL;
+				lb = Linebuf_alloc(fname, error);
+			} else
+				error("ignoring invalid/misplaced option `%s'",
+				    argv[argno++]);
+		} else {
+			char *line;
+
+			line = Linebuf_getline(lb);
+			if (line)
+				return (line);
+			Linebuf_free(lb);
+			lb = NULL;
+		}
+	}
+}
+
+void
+usage(void)
+{
+	fatal("usage: %s [-t timeout] { [--] host | -f file } ...", __progname);
+	return;
+}
+
+int
+main(int argc, char **argv)
+{
+	char *host = NULL;
+
+	TAILQ_INIT(&tq);
+
+	if (argc <= argno)
+		usage();
+
+	if (argv[1][0] == '-' && argv[1][1] == 't') {
+		argno++;
+		if (argv[1][2])
+			timeout = atoi(&argv[1][2]);
+		else {
+			if (argno >= argc)
+				usage();
+			timeout = atoi(argv[argno++]);
+		}
+		if (timeout <= 0)
+			usage();
+	}
+	if (argc <= argno)
+		usage();
+
+	maxfd = fdlim_get(1);
+	if (maxfd < 0)
+		fatal("%s: fdlim_get: bad value", __progname);
+	if (maxfd > MAXMAXFD)
+		maxfd = MAXMAXFD;
+	if (MAXCON <= 0)
+		fatal("%s: not enough file descriptors", __progname);
+	if (maxfd > fdlim_get(0))
+		fdlim_set(maxfd);
+	fdcon = xmalloc(maxfd * sizeof(con));
+	memset(fdcon, 0, maxfd * sizeof(con));
+
+	read_wait_size = howmany(maxfd, NFDBITS) * sizeof(fd_mask);
+	read_wait = xmalloc(read_wait_size);
+	memset(read_wait, 0, read_wait_size);
+
+	do {
+		while (ncon < MAXCON) {
+			char *name;
+
+			host = nexthost(argc, argv);
+			if (host == NULL)
+				break;
+			name = strnnsep(&host, " \t\n");
+			conalloc(name, *host ? host : name);
+		}
+		conloop();
+	} while (host);
+	while (ncon > 0)
+		conloop();
+
+	return (0);
+}
diff --git a/crypto/openssh/ssh-keyscan/Makefile b/crypto/openssh/ssh-keyscan/Makefile
new file mode 100644
index 0000000..6748ed7
--- /dev/null
+++ b/crypto/openssh/ssh-keyscan/Makefile
@@ -0,0 +1,18 @@
+#	$OpenBSD: Makefile,v 1.3 2001/03/03 23:59:39 markus Exp $
+
+.PATH:		${.CURDIR}/..
+
+PROG=	ssh-keyscan
+BINOWN=	root
+
+BINMODE?=555
+
+BINDIR=	/usr/bin
+MAN=	ssh-keyscan.1
+
+SRCS=	ssh-keyscan.c
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto
+DPADD+=	${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-rsa.c b/crypto/openssh/ssh-rsa.c
new file mode 100644
index 0000000..b502ddb
--- /dev/null
+++ b/crypto/openssh/ssh-rsa.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: ssh-rsa.c,v 1.8 2001/03/27 10:57:00 markus Exp $");
+
+#include <openssl/evp.h>
+#include <openssl/err.h>
+
+#include "xmalloc.h"
+#include "log.h"
+#include "buffer.h"
+#include "bufaux.h"
+#include "key.h"
+#include "ssh-rsa.h"
+#include "compat.h"
+
+/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
+int
+ssh_rsa_sign(
+    Key *key,
+    u_char **sigp, int *lenp,
+    u_char *data, int datalen)
+{
+	const EVP_MD *evp_md;
+	EVP_MD_CTX md;
+	u_char *digest, *sig, *ret;
+	u_int slen, dlen, len;
+	int ok, nid;
+	Buffer b;
+
+	if (key == NULL || key->type != KEY_RSA || key->rsa == NULL) {
+		error("ssh_rsa_sign: no RSA key");
+		return -1;
+	}
+	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
+	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
+		error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
+		return -1;
+	}
+	dlen = evp_md->md_size;
+	digest = xmalloc(dlen);
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, data, datalen);
+	EVP_DigestFinal(&md, digest, NULL);
+
+	slen = RSA_size(key->rsa);
+	sig = xmalloc(slen);
+
+	ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
+	memset(digest, 'd', dlen);
+	xfree(digest);
+
+	if (ok != 1) {
+		int ecode = ERR_get_error();
+		error("ssh_rsa_sign: RSA_sign failed: %s", ERR_error_string(ecode, NULL));
+		xfree(sig);
+		return -1;
+	}
+	if (len < slen) {
+		int diff = slen - len;
+		debug("slen %d > len %d", slen, len);
+		memmove(sig + diff, sig, len);
+		memset(sig, 0, diff);
+	} else if (len > slen) {
+		error("ssh_rsa_sign: slen %d slen2 %d", slen, len);
+		xfree(sig);
+		return -1;
+	}
+	/* encode signature */
+	buffer_init(&b);
+	buffer_put_cstring(&b, "ssh-rsa");
+	buffer_put_string(&b, sig, slen);
+	len = buffer_len(&b);
+	ret = xmalloc(len);
+	memcpy(ret, buffer_ptr(&b), len);
+	buffer_free(&b);
+	memset(sig, 's', slen);
+	xfree(sig);
+
+	if (lenp != NULL)
+		*lenp = len;
+	if (sigp != NULL)
+		*sigp = ret;
+	debug2("ssh_rsa_sign: done");
+	return 0;
+}
+
+int
+ssh_rsa_verify(
+    Key *key,
+    u_char *signature, int signaturelen,
+    u_char *data, int datalen)
+{
+	Buffer b;
+	const EVP_MD *evp_md;
+	EVP_MD_CTX md;
+	char *ktype;
+	u_char *sigblob, *digest;
+	u_int len, dlen;
+	int rlen, ret, nid;
+
+	if (key == NULL || key->type != KEY_RSA || key->rsa == NULL) {
+		error("ssh_rsa_verify: no RSA key");
+		return -1;
+	}
+	if (BN_num_bits(key->rsa->n) < 768) {
+		error("ssh_rsa_verify: n too small: %d bits",
+		    BN_num_bits(key->rsa->n));
+		return -1;
+	}
+	buffer_init(&b);
+	buffer_append(&b, (char *) signature, signaturelen);
+	ktype = buffer_get_string(&b, NULL);
+	if (strcmp("ssh-rsa", ktype) != 0) {
+		error("ssh_rsa_verify: cannot handle type %s", ktype);
+		buffer_free(&b);
+		xfree(ktype);
+		return -1;
+	}
+	xfree(ktype);
+	sigblob = (u_char *)buffer_get_string(&b, &len);
+	rlen = buffer_len(&b);
+	buffer_free(&b);
+	if(rlen != 0) {
+		xfree(sigblob);
+		error("ssh_rsa_verify: remaining bytes in signature %d", rlen);
+		return -1;
+	}
+	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
+	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
+		xfree(sigblob);
+		error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
+		return -1;
+	}
+	dlen = evp_md->md_size;
+	digest = xmalloc(dlen);
+	EVP_DigestInit(&md, evp_md);
+	EVP_DigestUpdate(&md, data, datalen);
+	EVP_DigestFinal(&md, digest, NULL);
+
+	ret = RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
+	memset(digest, 'd', dlen);
+	xfree(digest);
+	memset(sigblob, 's', len);
+	xfree(sigblob);
+	if (ret == 0) {
+		int ecode = ERR_get_error();
+		error("ssh_rsa_verify: RSA_verify failed: %s", ERR_error_string(ecode, NULL));
+	}
+	debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
+	return ret;
+}
diff --git a/crypto/openssh/ssh-rsa.h b/crypto/openssh/ssh-rsa.h
new file mode 100644
index 0000000..af2b2fe
--- /dev/null
+++ b/crypto/openssh/ssh-rsa.h
@@ -0,0 +1,41 @@
+/*	$OpenBSD: ssh-rsa.h,v 1.3 2001/01/29 01:58:18 niklas Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef SSH_RSA_H
+#define SSH_RSA_H
+
+int
+ssh_rsa_sign(
+    Key *key,
+    u_char **sigp, int *lenp,
+    u_char *data, int datalen);
+
+int
+ssh_rsa_verify(
+    Key *key,
+    u_char *signature, int signaturelen,
+    u_char *data, int datalen);
+
+#endif
diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1
new file mode 100644
index 0000000..f2b74ea
--- /dev/null
+++ b/crypto/openssh/ssh.1
@@ -0,0 +1,1393 @@
+.\"  -*- nroff -*-
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" As far as I am concerned, the code I have written for this software
+.\" can be used freely for any purpose.  Any derived versions of this
+.\" software must be clearly marked as such, and if the derived work is
+.\" incompatible with the protocol description in the RFC file, it must be
+.\" called by a name other than "ssh" or "Secure Shell".
+.\"
+.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
+.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $OpenBSD: ssh.1,v 1.107 2001/04/22 23:58:36 markus Exp $
+.\" $FreeBSD$
+.\"
+.Dd September 25, 1999
+.Dt SSH 1
+.Os
+.Sh NAME
+.Nm ssh
+.Nd OpenSSH SSH client (remote login program)
+.Sh SYNOPSIS
+.Nm ssh
+.Op Fl l Ar login_name
+.Op Ar hostname | user@hostname
+.Op Ar command
+.Pp
+.Nm ssh
+.Op Fl afgknqstvxACNPTX1246
+.Op Fl c Ar cipher_spec
+.Op Fl e Ar escape_char
+.Op Fl i Ar identity_file
+.Op Fl l Ar login_name
+.Op Fl m Ar mac_spec
+.Op Fl o Ar option
+.Op Fl p Ar port
+.Oo Fl L Xo
+.Sm off
+.Ar port :
+.Ar host :
+.Ar hostport
+.Sm on
+.Xc
+.Oc
+.Oo Fl R Xo
+.Sm off
+.Ar port :
+.Ar host :
+.Ar hostport
+.Sm on
+.Xc
+.Oc
+.Op Ar hostname | user@hostname
+.Op Ar command
+.Sh DESCRIPTION
+.Nm
+(SSH client) is a program for logging into a remote machine and for
+executing commands on a remote machine.
+It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network.
+X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+.Pp
+.Nm
+connects and logs into the specified
+.Ar hostname .
+The user must prove
+his/her identity to the remote machine using one of several methods
+depending on the protocol version used:
+.Pp
+.Ss SSH protocol version 1
+.Pp
+First, if the machine the user logs in from is listed in
+.Pa /etc/hosts.equiv
+or
+.Pa /etc/ssh/shosts.equiv
+on the remote machine, and the user names are
+the same on both sides, the user is immediately permitted to log in.
+Second, if
+.Pa \&.rhosts
+or
+.Pa \&.shosts
+exists in the user's home directory on the
+remote machine and contains a line containing the name of the client
+machine and the name of the user on that machine, the user is
+permitted to log in.
+This form of authentication alone is normally not
+allowed by the server because it is not secure.
+.Pp
+The second authentication method is the
+.Pa rhosts
+or
+.Pa hosts.equiv
+method combined with RSA-based host authentication.
+It means that if the login would be permitted by
+.Pa $HOME/.rhosts ,
+.Pa $HOME/.shosts ,
+.Pa /etc/hosts.equiv ,
+or
+.Pa /etc/ssh/shosts.equiv ,
+and if additionally the server can verify the client's
+host key (see
+.Pa /etc/ssh/ssh_known_hosts
+and
+.Pa $HOME/.ssh/known_hosts
+in the
+.Sx FILES
+section), only then login is permitted.
+This authentication method closes security holes due to IP
+spoofing, DNS spoofing and routing spoofing.
+[Note to the administrator:
+.Pa /etc/hosts.equiv ,
+.Pa $HOME/.rhosts ,
+and the rlogin/rsh protocol in general, are inherently insecure and should be
+disabled if security is desired.]
+.Pp
+As a third authentication method,
+.Nm
+supports RSA based authentication.
+The scheme is based on public-key cryptography: there are cryptosystems
+where encryption and decryption are done using separate keys, and it
+is not possible to derive the decryption key from the encryption key.
+RSA is one such system.
+The idea is that each user creates a public/private
+key pair for authentication purposes.
+The server knows the public key, and only the user knows the private key.
+The file
+.Pa $HOME/.ssh/authorized_keys
+lists the public keys that are permitted for logging
+in.
+When the user logs in, the
+.Nm
+program tells the server which key pair it would like to use for
+authentication.
+The server checks if this key is permitted, and if
+so, sends the user (actually the
+.Nm
+program running on behalf of the user) a challenge, a random number,
+encrypted by the user's public key.
+The challenge can only be
+decrypted using the proper private key.
+The user's client then decrypts the
+challenge using the private key, proving that he/she knows the private
+key but without disclosing it to the server.
+.Pp
+.Nm
+implements the RSA authentication protocol automatically.
+The user creates his/her RSA key pair by running
+.Xr ssh-keygen 1 .
+This stores the private key in
+.Pa $HOME/.ssh/identity
+and the public key in
+.Pa $HOME/.ssh/identity.pub
+in the user's home directory.
+The user should then copy the
+.Pa identity.pub
+to
+.Pa $HOME/.ssh/authorized_keys
+in his/her home directory on the remote machine (the
+.Pa authorized_keys
+file corresponds to the conventional
+.Pa $HOME/.rhosts
+file, and has one key
+per line, though the lines can be very long).
+After this, the user can log in without giving the password.
+RSA authentication is much
+more secure than rhosts authentication.
+.Pp
+The most convenient way to use RSA authentication may be with an
+authentication agent.
+See
+.Xr ssh-agent 1
+for more information.
+.Pp
+If other authentication methods fail,
+.Nm
+prompts the user for a password.
+The password is sent to the remote
+host for checking; however, since all communications are encrypted,
+the password cannot be seen by someone listening on the network.
+.Pp
+.Ss SSH protocol version 2
+.Pp
+When a user connects using the protocol version 2
+different authentication methods are available.
+Using the default values for
+.Cm PreferredAuthentications ,
+the client will try to authenticate first using the public key method;
+if this method fails password authentication is attempted,
+and finally if this method fails keyboard-interactive authentication
+is attempted.
+If this method fails password authentication is
+tried.
+.Pp
+The public key method is similar to RSA authentication described
+in the previous section and allows the RSA or DSA algorithm to be used:
+The client uses his private key,
+.Pa $HOME/.ssh/id_dsa
+or
+.Pa $HOME/.ssh/id_rsa ,
+to sign the session identifier and sends the result to the server.
+The server checks whether the matching public key is listed in
+.Pa $HOME/.ssh/authorized_keys2
+and grants access if both the key is found and the signature is correct.
+The session identifier is derived from a shared Diffie-Hellman value
+and is only known to the client and the server.
+.Pp
+If public key authentication fails or is not available a password
+can be sent encrypted to the remote host for proving the user's identity.
+.Pp
+Additionally,
+.Nm
+supports hostbased or challenge response authentication.
+.Pp
+Protocol 2 provides additional mechanisms for confidentiality
+(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour)
+and integrity (hmac-md5, hmac-sha1).
+Note that protocol 1 lacks a strong mechanism for ensuring the
+integrity of the connection.
+.Pp
+.Ss Login session and remote execution
+.Pp
+When the user's identity has been accepted by the server, the server
+either executes the given command, or logs into the machine and gives
+the user a normal shell on the remote machine.
+All communication with
+the remote command or shell will be automatically encrypted.
+.Pp
+If a pseudo-terminal has been allocated (normal login session), the
+user may use the escape characters noted below.
+.Pp
+If no pseudo tty has been allocated, the
+session is transparent and can be used to reliably transfer binary
+data.
+On most systems, setting the escape character to
+.Dq none
+will also make the session transparent even if a tty is used.
+.Pp
+The session terminates when the command or shell on the remote
+machine exits and all X11 and TCP/IP connections have been closed.
+The exit status of the remote program is returned as the exit status
+of
+.Nm ssh .
+.Pp
+.Ss Escape Characters
+.Pp
+When a pseudo terminal has been requested, ssh supports a number of functions
+through the use of an escape character. 
+.Pp
+A single tilde character can be sent as
+.Ic ~~
+(or by following the tilde by a character other than those described above).
+The escape character must always follow a newline to be interpreted as
+special.
+The escape character can be changed in configuration files using the
+.Cm EscapeChar
+configuration directive or on the command line by the 
+.Fl e
+option.
+.Pp
+The supported escapes (assuming the default
+.Ql ~ )
+are:
+.Bl -tag -width Ds
+.It Cm ~.
+Disconnect
+.It Cm ~^Z
+Background ssh
+.It Cm ~#
+List forwarded connections
+.It Cm ~&
+Background ssh at logout when waiting for forwarded connection / X11 sessions
+to terminate (protocol version 1 only)
+.It Cm ~?
+Display a list of escape characters
+.It Cm ~R
+Request rekeying of the connection (only useful for SSH protocol version 2
+and if the peer supports it)
+.El
+.Pp
+.Ss X11 and TCP forwarding
+.Pp
+If the user is using X11 (the
+.Ev DISPLAY
+environment variable is set), the connection to the X11 display can
+be forwarded to the remote side in such a way that any X11
+programs started from the shell (or command) will go through the
+encrypted channel, and the connection to the real X server will be made
+from the local machine.
+The user should not manually set
+.Ev DISPLAY .
+Forwarding of X11 connections weakens the security of ssh and is
+disabled by default.  X11 forwarding can be enabled on the command line
+or in configuration files.
+.Pp
+The
+.Ev DISPLAY
+value set by
+.Nm
+will point to the server machine, but with a display number greater
+than zero.
+This is normal, and happens because
+.Nm
+creates a
+.Dq proxy
+X server on the server machine for forwarding the
+connections over the encrypted channel.
+.Pp
+.Nm
+will also automatically set up Xauthority data on the server machine.
+For this purpose, it will generate a random authorization cookie,
+store it in Xauthority on the server, and verify that any forwarded
+connections carry this cookie and replace it by the real cookie when
+the connection is opened.
+The real authentication cookie is never
+sent to the server machine (and no cookies are sent in the plain).
+.Pp
+If the user is using an authentication agent, the connection to the agent
+is automatically forwarded to the remote side unless disabled on
+command line or in a configuration file.
+.Pp
+Forwarding of arbitrary TCP/IP connections over the secure channel can
+be specified either on command line or in a configuration file.
+One possible application of TCP/IP forwarding is a secure connection to an
+electronic purse; another is going through firewalls.
+.Pp
+.Ss Server authentication
+.Pp
+.Nm
+automatically maintains and checks a database containing
+identifications for all hosts it has ever been used with.
+RSA host keys are stored in
+.Pa $HOME/.ssh/known_hosts
+and
+host keys used in the protocol version 2 are stored in
+.Pa $HOME/.ssh/known_hosts2
+in the user's home directory.
+Additionally, the files
+.Pa /etc/ssh/ssh_known_hosts
+and
+.Pa /etc/ssh/ssh_known_hosts2
+are automatically checked for known hosts.
+Any new hosts are automatically added to the user's file.
+If a host's identification
+ever changes,
+.Nm
+warns about this and disables password authentication to prevent a
+trojan horse from getting the user's password.
+Another purpose of
+this mechanism is to prevent man-in-the-middle attacks which could
+otherwise be used to circumvent the encryption.
+The
+.Cm StrictHostKeyChecking
+option (see below) can be used to prevent logins to machines whose
+host key is not known or has changed.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl a
+Disables forwarding of the authentication agent connection.
+.It Fl A
+Enables forwarding of the authentication agent connection.
+This can also be specified on a per-host basis in a configuration file.
+.It Fl c Ar blowfish|3des
+Selects the cipher to use for encrypting the session.
+.Ar 3des
+is used by default.
+It is believed to be secure.
+.Ar 3des
+(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
+It is presumably more secure than the
+.Ar des
+cipher which is no longer fully supported in
+.Nm ssh .
+.Ar blowfish
+is a fast block cipher, it appears very secure and is much faster than
+.Ar 3des .
+.It Fl c Ar cipher_spec
+Additionally, for protocol version 2 a comma-separated list of ciphers can
+be specified in order of preference.
+See
+.Cm Ciphers
+for more information.
+.It Fl e Ar ch|^ch|none
+Sets the escape character for sessions with a pty (default:
+.Ql ~ ) .
+The escape character is only recognized at the beginning of a line.
+The escape character followed by a dot
+.Pq Ql \&.
+closes the connection, followed
+by control-Z suspends the connection, and followed by itself sends the
+escape character once.
+Setting the character to
+.Dq none
+disables any escapes and makes the session fully transparent.
+.It Fl f
+Requests
+.Nm
+to go to background just before command execution.
+This is useful if
+.Nm
+is going to ask for passwords or passphrases, but the user
+wants it in the background.
+This implies
+.Fl n .
+The recommended way to start X11 programs at a remote site is with
+something like
+.Ic ssh -f host xterm .
+.It Fl g
+Allows remote hosts to connect to local forwarded ports.
+.It Fl i Ar identity_file
+Selects the file from which the identity (private key) for
+RSA or DSA authentication is read.
+Default is
+.Pa $HOME/.ssh/identity
+in the user's home directory.
+Identity files may also be specified on
+a per-host basis in the configuration file.
+It is possible to have multiple
+.Fl i
+options (and multiple identities specified in
+configuration files).
+.It Fl k
+Disables forwarding of Kerberos tickets and AFS tokens.
+This may also be specified on a per-host basis in the configuration file.
+.It Fl l Ar login_name
+Specifies the user to log in as on the remote machine.
+This also may be specified on a per-host basis in the configuration file.
+.It Fl m Ar mac_spec
+Additionally, for protocol version 2 a comma-separated list of MAC
+(message authentication code) algorithms can
+be specified in order of preference.
+See the
+.Cm MACs
+keyword for more information.
+.It Fl n
+Redirects stdin from
+.Pa /dev/null
+(actually, prevents reading from stdin).
+This must be used when
+.Nm
+is run in the background.
+A common trick is to use this to run X11 programs on a remote machine.
+For example,
+.Ic ssh -n shadows.cs.hut.fi emacs &
+will start an emacs on shadows.cs.hut.fi, and the X11
+connection will be automatically forwarded over an encrypted channel.
+The
+.Nm
+program will be put in the background.
+(This does not work if
+.Nm
+needs to ask for a password or passphrase; see also the
+.Fl f
+option.)
+.It Fl N
+Do not execute a remote command.
+This is useful if you just want to forward ports
+(protocol version 2 only).
+.It Fl o Ar option
+Can be used to give options in the format used in the config file.
+This is useful for specifying options for which there is no separate
+command-line flag.
+The option has the same format as a line in the configuration file.
+.It Fl p Ar port
+Port to connect to on the remote host.
+This can be specified on a
+per-host basis in the configuration file.
+.It Fl P
+Use a non-privileged port for outgoing connections.
+This can be used if your firewall does
+not permit connections from privileged ports.
+Note that this option turns off
+.Cm RhostsAuthentication
+and
+.Cm RhostsRSAAuthentication
+for older servers.
+.It Fl q
+Quiet mode.
+Causes all warning and diagnostic messages to be suppressed.
+Only fatal errors are displayed.
+.It Fl s
+May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use 
+of SSH as a secure transport for other application (eg. sftp). The 
+subsystem is specified as the remote command.
+.It Fl t
+Force pseudo-tty allocation.
+This can be used to execute arbitrary
+screen-based programs on a remote machine, which can be very useful,
+e.g., when implementing menu services.
+Multiple
+.Fl t
+options force tty allocation, even if
+.Nm
+has no local tty.
+.It Fl T
+Disable pseudo-tty allocation.
+.It Fl v
+Verbose mode.
+Causes
+.Nm
+to print debugging messages about its progress.
+This is helpful in
+debugging connection, authentication, and configuration problems.
+Multiple
+.Fl v
+options increases the verbosity.
+Maximum is 3.
+.It Fl x
+Disables X11 forwarding.
+.It Fl X
+Enables X11 forwarding.
+This can also be specified on a per-host basis in a configuration file.
+.It Fl C
+Requests compression of all data (including stdin, stdout, stderr, and
+data for forwarded X11 and TCP/IP connections).
+The compression algorithm is the same used by
+.Xr gzip 1 ,
+and the
+.Dq level
+can be controlled by the
+.Cm CompressionLevel
+option (see below).
+Compression is desirable on modem lines and other
+slow connections, but will only slow down things on fast networks.
+The default value can be set on a host-by-host basis in the
+configuration files; see the
+.Cm Compress
+option below.
+.It Fl L Ar port:host:hostport
+Specifies that the given port on the local (client) host is to be
+forwarded to the given host and port on the remote side.
+This works by allocating a socket to listen to
+.Ar port
+on the local side, and whenever a connection is made to this port, the
+connection is forwarded over the secure channel, and a connection is
+made to
+.Ar host
+port
+.Ar hostport
+from the remote machine.
+Port forwardings can also be specified in the configuration file.
+Only root can forward privileged ports.
+IPv6 addresses can be specified with an alternative syntax:
+.Ar port/host/hostport
+.It Fl R Ar port:host:hostport
+Specifies that the given port on the remote (server) host is to be
+forwarded to the given host and port on the local side.
+This works by allocating a socket to listen to
+.Ar port
+on the remote side, and whenever a connection is made to this port, the
+connection is forwarded over the secure channel, and a connection is
+made to
+.Ar host
+port
+.Ar hostport
+from the local machine.
+Port forwardings can also be specified in the configuration file.
+Privileged ports can be forwarded only when
+logging in as root on the remote machine.
+IPv6 addresses can be specified with an alternative syntax:
+.Ar port/host/hostport
+.It Fl 1
+Forces
+.Nm
+to try protocol version 1 only.
+.It Fl 2
+Forces
+.Nm
+to try protocol version 2 only.
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
+.El
+.Sh CONFIGURATION FILES
+.Nm
+obtains configuration data from the following sources (in this order):
+command line options, user's configuration file
+.Pq Pa $HOME/.ssh/config ,
+and system-wide configuration file
+.Pq Pa /etc/ssh/ssh_config .
+For each parameter, the first obtained value
+will be used.
+The configuration files contain sections bracketed by
+.Dq Host
+specifications, and that section is only applied for hosts that
+match one of the patterns given in the specification.
+The matched host name is the one given on the command line.
+.Pp
+Since the first obtained value for each parameter is used, more
+host-specific declarations should be given near the beginning of the
+file, and general defaults at the end.
+.Pp
+The configuration file has the following format:
+.Pp
+Empty lines and lines starting with
+.Ql #
+are comments.
+.Pp
+Otherwise a line is of the format
+.Dq keyword arguments .
+The possible
+keywords and their meanings are as follows (note that the
+configuration files are case-sensitive):
+.Bl -tag -width Ds
+.It Cm Host
+Restricts the following declarations (up to the next
+.Cm Host
+keyword) to be only for those hosts that match one of the patterns
+given after the keyword.
+.Ql \&*
+and
+.Ql ?
+can be used as wildcards in the
+patterns.
+A single
+.Ql \&*
+as a pattern can be used to provide global
+defaults for all hosts.
+The host is the
+.Ar hostname
+argument given on the command line (i.e., the name is not converted to
+a canonicalized host name before matching).
+.It Cm AFSTokenPassing
+Specifies whether to pass AFS tokens to remote host.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+This option applies to protocol version 1 only.
+.It Cm BatchMode
+If set to
+.Dq yes ,
+passphrase/password querying will be disabled.
+This option is useful in scripts and other batch jobs where you have no
+user to supply the password.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm CheckHostIP
+If this flag is set to
+.Dq yes ,
+ssh will additionally check the host IP address in the
+.Pa known_hosts
+file.
+This allows ssh to detect if a host key changed due to DNS spoofing.
+If the option is set to
+.Dq no ,
+the check will not be executed.
+The default is
+.Dq yes .
+.It Cm Cipher
+Specifies the cipher to use for encrypting the session
+in protocol version 1.
+Currently,
+.Dq blowfish 
+and
+.Dq 3des
+are supported.
+The default is
+.Dq 3des .
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2
+in order of preference.
+Multiple ciphers must be comma-separated.
+The default is
+.Pp
+.Bd -literal
+  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
+    aes192-cbc,aes256-cbc''
+.Ed
+.It Cm Compression
+Specifies whether to use compression.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm CompressionLevel
+Specifies the compression level to use if compression is enabled.
+The argument must be an integer from 1 (fast) to 9 (slow, best).
+The default level is 6, which is good for most applications.
+The meaning of the values is the same as in
+.Xr gzip 1 .
+Note that this option applies to protocol version 1 only.
+.It Cm ConnectionAttempts
+Specifies the number of tries (one per second) to make before falling
+back to rsh or exiting.
+The argument must be an integer.
+This may be useful in scripts if the connection sometimes fails.
+The default is 4.
+.It Cm EscapeChar
+Sets the escape character (default:
+.Ql ~ ) .
+The escape character can also
+be set on the command line.
+The argument should be a single character,
+.Ql ^
+followed by a letter, or
+.Dq none
+to disable the escape
+character entirely (making the connection transparent for binary
+data).
+.It Cm FallBackToRsh
+Specifies that if connecting via
+.Nm
+fails due to a connection refused error (there is no
+.Xr sshd 8
+listening on the remote host),
+.Xr rsh 1
+should automatically be used instead (after a suitable warning about
+the session being unencrypted).
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm ForwardAgent
+Specifies whether the connection to the authentication agent (if any)
+will be forwarded to the remote machine.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm ForwardX11
+Specifies whether X11 connections will be automatically redirected
+over the secure channel and
+.Ev DISPLAY
+set.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm GatewayPorts
+Specifies whether remote hosts are allowed to connect to local
+forwarded ports.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm GlobalKnownHostsFile
+Specifies a file to use for the protocol version 1 global
+host key database instead of
+.Pa /etc/ssh/ssh_known_hosts .
+.It Cm GlobalKnownHostsFile2
+Specifies a file to use for the protocol version 2 global
+host key database instead of
+.Pa /etc/ssh/ssh_known_hosts2 .
+.It Cm HostbasedAuthentication
+Specifies whether to try rhosts based authentication with public key
+authentication.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+This option applies to protocol version 2 only and
+is similar to
+.Cm RhostsRSAAuthentication .
+.It Cm HostKeyAlgorithms
+Specfies the protocol version 2 host key algorithms
+that the client wants to use in order of preference.
+The default for this option is:
+.Dq ssh-rsa,ssh-dss
+.It Cm HostKeyAlias
+Specifies an alias that should be used instead of the
+real host name when looking up or saving the host key
+in the host key database files.
+This option is useful for tunneling ssh connections
+or if you have multiple servers running on a single host.
+.It Cm HostName
+Specifies the real host name to log into.
+This can be used to specify nicknames or abbreviations for hosts.
+Default is the name given on the command line.
+Numeric IP addresses are also permitted (both on the command line and in
+.Cm HostName
+specifications).
+.It Cm IdentityFile
+Specifies the file from which the user's RSA or DSA authentication identity
+is read (default
+.Pa $HOME/.ssh/identity
+in the user's home directory).
+Additionally, any identities represented by the authentication agent
+will be used for authentication.
+The file name may use the tilde
+syntax to refer to a user's home directory.
+It is possible to have
+multiple identity files specified in configuration files; all these
+identities will be tried in sequence.
+.It Cm KeepAlive
+Specifies whether the system should send keepalive messages to the
+other side.
+If they are sent, death of the connection or crash of one
+of the machines will be properly noticed.
+However, this means that
+connections will die if the route is down temporarily, and some people
+find it annoying.
+.Pp
+The default is
+.Dq yes
+(to send keepalives), and the client will notice
+if the network goes down or the remote host dies.
+This is important in scripts, and many users want it too.
+.Pp
+To disable keepalives, the value should be set to
+.Dq no
+in both the server and the client configuration files.
+.It Cm KerberosAuthentication
+Specifies whether Kerberos authentication will be used.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+.It Cm KerberosTgtPassing
+Specifies whether a Kerberos TGT will be forwarded to the server.
+This will only work if the Kerberos server is actually an AFS kaserver.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+.It Cm LocalForward
+Specifies that a TCP/IP port on the local machine be forwarded over
+the secure channel to given host:port from the remote machine.
+The first argument must be a port number, and the second must be
+host:port.
+Multiple forwardings may be specified, and additional
+forwardings can be given on the command line.
+Only the superuser can forward privileged ports.
+.It Cm LogLevel
+Gives the verbosity level that is used when logging messages from
+.Nm ssh .
+The possible values are:
+QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
+The default is INFO.
+.It Cm MACs
+Specifies the MAC (message authentication code) algorithms 
+in order of preference.
+The MAC algorithm is used in protocol version 2
+for data integrity protection.
+Multiple algorithms must be comma-separated.
+The default is
+.Pp
+.Bd -literal
+  ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,
+    hmac-sha1-96,hmac-md5-96''
+.Ed
+.It Cm NumberOfPasswordPrompts
+Specifies the number of password prompts before giving up.
+The argument to this keyword must be an integer.
+Default is 3.
+.It Cm PasswordAuthentication
+Specifies whether to use password authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+.It Cm Port
+Specifies the port number to connect on the remote host.
+Default is 22.
+.It Cm PreferredAuthentications
+Specifies the order in which the client should try protocol 2 
+authentication methods. This allows a client to prefer one method (e.g. 
+.Cm keyboard-interactive )
+over another method (e.g.
+.Cm password )
+The default for this option is:
+.Dq publickey, password, keyboard-interactive
+.It Cm Protocol
+Specifies the protocol versions
+.Nm
+should support in order of preference.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 2,1 .
+This means that
+.Nm
+tries version 2 and falls back to version 1
+if version 2 is not available.
+.It Cm ProxyCommand
+Specifies the command to use to connect to the server.
+The command
+string extends to the end of the line, and is executed with
+.Pa /bin/sh .
+In the command string,
+.Ql %h
+will be substituted by the host name to
+connect and
+.Ql %p
+by the port.
+The command can be basically anything,
+and should read from its standard input and write to its standard output.
+It should eventually connect an
+.Xr sshd 8
+server running on some machine, or execute
+.Ic sshd -i
+somewhere.
+Host key management will be done using the
+HostName of the host being connected (defaulting to the name typed by
+the user).
+Note that
+.Cm CheckHostIP
+is not available for connects with a proxy command.
+.Pp
+.It Cm PubkeyAuthentication
+Specifies whether to try public key authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+This option applies to protocol version 2 only.
+.It Cm RemoteForward
+Specifies that a TCP/IP port on the remote machine be forwarded over
+the secure channel to given host:port from the local machine.
+The first argument must be a port number, and the second must be
+host:port.
+Multiple forwardings may be specified, and additional
+forwardings can be given on the command line.
+Only the superuser can forward privileged ports.
+.It Cm RhostsAuthentication
+Specifies whether to try rhosts based authentication.
+Note that this
+declaration only affects the client side and has no effect whatsoever
+on security.
+Disabling rhosts authentication may reduce
+authentication time on slow connections when rhosts authentication is
+not used.
+Most servers do not permit RhostsAuthentication because it
+is not secure (see 
+.Cm RhostsRSAAuthentication ).
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+This option applies to protocol version 1 only.
+.It Cm RhostsRSAAuthentication
+Specifies whether to try rhosts based authentication with RSA host
+authentication.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
+This option applies to protocol version 1 only.
+.It Cm RSAAuthentication
+Specifies whether to try RSA authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+RSA authentication will only be
+attempted if the identity file exists, or an authentication agent is
+running.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 1 only.
+.It Cm ChallengeResponseAuthentication
+Specifies whether to use challenge response authentication.
+Currently there is only support for
+.Xr skey 1
+authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm StrictHostKeyChecking
+If this flag is set to
+.Dq yes ,
+.Nm
+will never automatically add host keys to the
+.Pa $HOME/.ssh/known_hosts
+and
+.Pa $HOME/.ssh/known_hosts2
+files, and refuses to connect to hosts whose host key has changed.
+This provides maximum protection against trojan horse attacks.
+However, it can be somewhat annoying if you don't have good
+.Pa /etc/ssh/ssh_known_hosts
+and
+.Pa /etc/ssh/ssh_known_hosts2
+files installed and frequently
+connect to new hosts.
+This option forces the user to manually
+add all new hosts.
+If this flag is set to
+.Dq no ,
+.Nm
+will automatically add new host keys to the
+user known hosts files.
+If this flag is set to
+.Dq ask ,
+new host keys
+will be added to the user known host files only after the user
+has confirmed that is what they really want to do, and
+.Nm
+will refuse to connect to hosts whose host key has changed.
+The host keys of
+known hosts will be verified automatically in all cases.
+The argument must be
+.Dq yes ,
+.Dq no
+or
+.Dq ask .
+The default is
+.Dq ask .
+.It Cm UsePrivilegedPort
+Specifies whether to use a privileged port for outgoing connections.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+Note that you need to set this option to
+.Dq yes
+if you want to use
+.Cm RhostsAuthentication
+and
+.Cm RhostsRSAAuthentication
+with older servers.
+.It Cm User
+Specifies the user to log in as.
+This can be useful if you have a different user name on different machines.
+This saves the trouble of
+having to remember to give the user name on the command line.
+.It Cm UserKnownHostsFile
+Specifies a file to use for the protocol version 1 user
+host key database instead of
+.Pa $HOME/.ssh/known_hosts .
+.It Cm UserKnownHostsFile2
+Specifies a file to use for the protocol version 2 user
+host key database instead of
+.Pa $HOME/.ssh/known_hosts2 .
+.It Cm UseRsh
+Specifies that rlogin/rsh should be used for this host.
+It is possible that the host does not at all support the
+.Nm
+protocol.
+This causes
+.Nm
+to immediately execute
+.Xr rsh 1 .
+All other options (except
+.Cm HostName )
+are ignored if this has been specified.
+The argument must be
+.Dq yes
+or
+.Dq no .
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
+.El
+.Sh ENVIRONMENT
+.Nm
+will normally set the following environment variables:
+.Bl -tag -width Ds
+.It Ev DISPLAY
+The
+.Ev DISPLAY
+variable indicates the location of the X11 server.
+It is automatically set by
+.Nm
+to point to a value of the form
+.Dq hostname:n
+where hostname indicates
+the host where the shell runs, and n is an integer \*(>= 1.
+.Nm
+uses this special value to forward X11 connections over the secure
+channel.
+The user should normally not set
+.Ev DISPLAY
+explicitly, as that
+will render the X11 connection insecure (and will require the user to
+manually copy any required authorization cookies).
+.It Ev HOME
+Set to the path of the user's home directory.
+.It Ev LOGNAME
+Synonym for
+.Ev USER ;
+set for compatibility with systems that use this variable.
+.It Ev MAIL
+Set to point the user's mailbox.
+.It Ev PATH
+Set to the default
+.Ev PATH ,
+as specified when compiling
+.Nm ssh .
+.It Ev SSH_AUTH_SOCK
+indicates the path of a unix-domain socket used to communicate with the
+agent.
+.It Ev SSH_CLIENT
+Identifies the client end of the connection.
+The variable contains
+three space-separated values: client ip-address, client port number,
+and server port number.
+.It Ev SSH_ORIGINAL_COMMAND
+The variable contains the original command line if a forced command
+is executed.
+It can be used to extract the original arguments.
+.It Ev SSH_TTY
+This is set to the name of the tty (path to the device) associated
+with the current shell or command.
+If the current session has no tty,
+this variable is not set.
+.It Ev TZ
+The timezone variable is set to indicate the present timezone if it
+was set when the daemon was started (i.e., the daemon passes the value
+on to new connections).
+.It Ev USER
+Set to the name of the user logging in.
+.El
+.Pp
+Additionally,
+.Nm
+reads
+.Pa $HOME/.ssh/environment ,
+and adds lines of the format
+.Dq VARNAME=value
+to the environment.
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/known_hosts, $HOME/.ssh/known_hosts2
+Records host keys for all hosts the user has logged into (that are not
+in
+.Pa /etc/ssh/ssh_known_hosts
+for protocol version 1 or
+.Pa /etc/ssh/ssh_known_hosts2
+for protocol version 2).
+See
+.Xr sshd 8 .
+.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa
+Contains the authentication identity of the user.
+They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively.
+These files
+contain sensitive data and should be readable by the user but not
+accessible by others (read/write/execute).
+Note that
+.Nm
+ignores a private key file if it is accessible by others.
+It is possible to specify a passphrase when
+generating the key; the passphrase will be used to encrypt the
+sensitive part of this file using 3DES.
+.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub
+Contains the public key for authentication (public part of the
+identity file in human-readable form).
+The contents of the
+.Pa $HOME/.ssh/identity.pub
+file should be added to
+.Pa $HOME/.ssh/authorized_keys
+on all machines
+where you wish to log in using protocol version 1 RSA authentication.
+The contents of the
+.Pa $HOME/.ssh/id_dsa.pub
+and
+.Pa $HOME/.ssh/id_rsa.pub
+file should be added to
+.Pa $HOME/.ssh/authorized_keys2
+on all machines
+where you wish to log in using protocol version 2 DSA/RSA authentication.
+These files are not
+sensitive and can (but need not) be readable by anyone.
+These files are
+never used automatically and are not necessary; they are only provided for
+the convenience of the user.
+.It Pa $HOME/.ssh/config
+This is the per-user configuration file.
+The format of this file is described above.
+This file is used by the
+.Nm
+client.
+This file does not usually contain any sensitive information,
+but the recommended permissions are read/write for the user, and not
+accessible by others.
+.It Pa $HOME/.ssh/authorized_keys
+Lists the RSA keys that can be used for logging in as this user.
+The format of this file is described in the
+.Xr sshd 8
+manual page.
+In the simplest form the format is the same as the .pub
+identity files (that is, each line contains the number of bits in
+modulus, public exponent, modulus, and comment fields, separated by
+spaces).
+This file is not highly sensitive, but the recommended
+permissions are read/write for the user, and not accessible by others.
+.It Pa $HOME/.ssh/authorized_keys2
+Lists the public keys (RSA/DSA) that can be used for logging in as this user.
+This file is not highly sensitive, but the recommended
+permissions are read/write for the user, and not accessible by others.
+.It Pa /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2
+Systemwide list of known host keys.
+.Pa /etc/ssh/ssh_known_hosts
+contains RSA and
+.Pa /etc/ssh/ssh_known_hosts2
+contains RSA or DSA keys for protocol version 2.
+These files should be prepared by the
+system administrator to contain the public host keys of all machines in the
+organization.
+This file should be world-readable.
+This file contains
+public keys, one per line, in the following format (fields separated
+by spaces): system name, number of bits in modulus, public exponent,
+modulus, and optional comment field.
+When different names are used
+for the same machine, all such names should be listed, separated by
+commas.
+The format is described on the
+.Xr sshd 8
+manual page.
+.Pp
+The canonical system name (as returned by name servers) is used by
+.Xr sshd 8
+to verify the client host when logging in; other names are needed because
+.Nm
+does not convert the user-supplied name to a canonical name before
+checking the key, because someone with access to the name servers
+would then be able to fool host authentication.
+.It Pa /etc/ssh/ssh_config
+Systemwide configuration file.
+This file provides defaults for those
+values that are not specified in the user's configuration file, and
+for those users who do not have a configuration file.
+This file must be world-readable.
+.It Pa $HOME/.rhosts
+This file is used in
+.Pa \&.rhosts
+authentication to list the
+host/user pairs that are permitted to log in.
+(Note that this file is
+also used by rlogin and rsh, which makes using this file insecure.)
+Each line of the file contains a host name (in the canonical form
+returned by name servers), and then a user name on that host,
+separated by a space.
+On some machines this file may need to be
+world-readable if the user's home directory is on a NFS partition,
+because
+.Xr sshd 8
+reads it as root.
+Additionally, this file must be owned by the user,
+and must not have write permissions for anyone else.
+The recommended
+permission for most machines is read/write for the user, and not
+accessible by others.
+.Pp
+Note that by default
+.Xr sshd 8
+will be installed so that it requires successful RSA host
+authentication before permitting \s+2.\s0rhosts authentication.
+If your server machine does not have the client's host key in
+.Pa /etc/ssh/ssh_known_hosts ,
+you can store it in
+.Pa $HOME/.ssh/known_hosts .
+The easiest way to do this is to
+connect back to the client from the server machine using ssh; this
+will automatically add the host key to
+.Pa $HOME/.ssh/known_hosts .
+.It Pa $HOME/.shosts
+This file is used exactly the same way as
+.Pa \&.rhosts .
+The purpose for
+having this file is to be able to use rhosts authentication with
+.Nm
+without permitting login with
+.Xr rlogin 1
+or
+.Xr rsh 1 .
+.It Pa /etc/hosts.equiv
+This file is used during
+.Pa \&.rhosts
+authentication.
+It contains
+canonical hosts names, one per line (the full format is described on
+the
+.Xr sshd 8
+manual page).
+If the client host is found in this file, login is
+automatically permitted provided client and server user names are the
+same.
+Additionally, successful RSA host authentication is normally
+required.
+This file should only be writable by root.
+.It Pa /etc/ssh/shosts.equiv
+This file is processed exactly as
+.Pa /etc/hosts.equiv .
+This file may be useful to permit logins using
+.Nm
+but not using rsh/rlogin.
+.It Pa /etc/ssh/sshrc
+Commands in this file are executed by
+.Nm
+when the user logs in just before the user's shell (or command) is started.
+See the
+.Xr sshd 8
+manual page for more information.
+.It Pa $HOME/.ssh/rc
+Commands in this file are executed by
+.Nm
+when the user logs in just before the user's shell (or command) is
+started.
+See the
+.Xr sshd 8
+manual page for more information.
+.It Pa $HOME/.ssh/environment
+Contains additional definitions for environment variables, see section
+.Sx ENVIRONMENT
+above.
+.El
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+.Sh SEE ALSO
+.Xr rlogin 1 ,
+.Xr rsh 1 ,
+.Xr scp 1 ,
+.Xr sftp 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr telnet 1 ,
+.Xr sshd 8
+.Rs
+.%A T. Ylonen
+.%A T. Kivinen
+.%A M. Saarinen
+.%A T. Rinne
+.%A S. Lehtinen
+.%T "SSH Protocol Architecture"
+.%N draft-ietf-secsh-architecture-07.txt
+.%D January 2001
+.%O work in progress material
+.Re
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
new file mode 100644
index 0000000..49c383a
--- /dev/null
+++ b/crypto/openssh/ssh.c
@@ -0,0 +1,1134 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Ssh client program.  This program can be used to log into a remote machine.
+ * The software supports strong authentication, encryption, and forwarding
+ * of X11, TCP/IP, and authentication connections.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * Copyright (c) 1999 Niels Provos.  All rights reserved.
+ *
+ * Modified to work with SSL by Niels Provos <provos@citi.umich.edu>
+ * in Canada (German citizen).
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: ssh.c,v 1.116 2001/04/17 12:55:04 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/evp.h>
+#include <openssl/err.h>
+
+#include "ssh.h"
+#include "ssh1.h"
+#include "ssh2.h"
+#include "compat.h"
+#include "cipher.h"
+#include "xmalloc.h"
+#include "packet.h"
+#include "buffer.h"
+#include "uidswap.h"
+#include "channels.h"
+#include "key.h"
+#include "authfd.h"
+#include "authfile.h"
+#include "pathnames.h"
+#include "clientloop.h"
+#include "log.h"
+#include "readconf.h"
+#include "sshconnect.h"
+#include "tildexpand.h"
+#include "dispatch.h"
+#include "misc.h"
+#include "kex.h"
+#include "mac.h"
+#include "sshtty.h"
+
+extern char *__progname;
+
+/* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
+   Default value is AF_UNSPEC means both IPv4 and IPv6. */
+int IPv4or6 = AF_UNSPEC;
+
+/* Flag indicating whether debug mode is on.  This can be set on the command line. */
+int debug_flag = 0;
+
+/* Flag indicating whether a tty should be allocated */
+int tty_flag = 0;
+int no_tty_flag = 0;
+int force_tty_flag = 0;
+
+/* don't exec a shell */
+int no_shell_flag = 0;
+
+/*
+ * Flag indicating that nothing should be read from stdin.  This can be set
+ * on the command line.
+ */
+int stdin_null_flag = 0;
+
+/*
+ * Flag indicating that ssh should fork after authentication.  This is useful
+ * so that the pasphrase can be entered manually, and then ssh goes to the
+ * background.
+ */
+int fork_after_authentication_flag = 0;
+
+/*
+ * General data structure for command line options and options configurable
+ * in configuration files.  See readconf.h.
+ */
+Options options;
+
+/*
+ * Name of the host we are connecting to.  This is the name given on the
+ * command line, or the HostName specified for the user-supplied name in a
+ * configuration file.
+ */
+char *host;
+
+/* socket address the host resolves to */
+struct sockaddr_storage hostaddr;
+
+/*
+ * Flag to indicate that we have received a window change signal which has
+ * not yet been processed.  This will cause a message indicating the new
+ * window size to be sent to the server a little later.  This is volatile
+ * because this is updated in a signal handler.
+ */
+volatile int received_window_change_signal = 0;
+
+/* Private host keys. */
+struct {
+	Key     **keys;
+	int	nkeys;
+} sensitive_data;
+
+/* Original real UID. */
+uid_t original_real_uid;
+
+/* command to be executed */
+Buffer command;
+
+/* Should we execute a command or invoke a subsystem? */
+int subsystem_flag = 0;
+
+/* Prints a help message to the user.  This function never returns. */
+
+void
+usage(void)
+{
+	fprintf(stderr, "Usage: %s [options] host [command]\n", __progname);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "  -l user     Log in using this user name.\n");
+	fprintf(stderr, "  -n          Redirect input from " _PATH_DEVNULL ".\n");
+	fprintf(stderr, "  -A          Enable authentication agent forwarding.\n");
+	fprintf(stderr, "  -a          Disable authentication agent forwarding.\n");
+#ifdef AFS
+	fprintf(stderr, "  -k          Disable Kerberos ticket and AFS token forwarding.\n");
+#endif				/* AFS */
+	fprintf(stderr, "  -X          Enable X11 connection forwarding.\n");
+	fprintf(stderr, "  -x          Disable X11 connection forwarding.\n");
+	fprintf(stderr, "  -i file     Identity for public key authentication "
+	    "(default: ~/.ssh/identity)\n");
+	fprintf(stderr, "  -t          Tty; allocate a tty even if command is given.\n");
+	fprintf(stderr, "  -T          Do not allocate a tty.\n");
+	fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
+	fprintf(stderr, "              Multiple -v increases verbosity.\n");
+	fprintf(stderr, "  -V          Display version number only.\n");
+	fprintf(stderr, "  -P          Don't allocate a privileged port.\n");
+	fprintf(stderr, "  -q          Quiet; don't display any warning messages.\n");
+	fprintf(stderr, "  -f          Fork into background after authentication.\n");
+	fprintf(stderr, "  -e char     Set escape character; ``none'' = disable (default: ~).\n");
+
+	fprintf(stderr, "  -c cipher   Select encryption algorithm: "
+	    "``3des'', ``blowfish''\n");
+	fprintf(stderr, "  -m macs     Specify MAC algorithms for protocol version 2.\n");
+	fprintf(stderr, "  -p port     Connect to this port.  Server must be on the same port.\n");
+	fprintf(stderr, "  -L listen-port:host:port   Forward local port to remote address\n");
+	fprintf(stderr, "  -R listen-port:host:port   Forward remote port to local address\n");
+	fprintf(stderr, "              These cause %s to listen for connections on a port, and\n", __progname);
+	fprintf(stderr, "              forward them to the other side by connecting to host:port.\n");
+	fprintf(stderr, "  -C          Enable compression.\n");
+	fprintf(stderr, "  -N          Do not execute a shell or command.\n");
+	fprintf(stderr, "  -g          Allow remote hosts to connect to forwarded ports.\n");
+	fprintf(stderr, "  -1          Force protocol version 1.\n");
+	fprintf(stderr, "  -2          Force protocol version 2.\n");
+	fprintf(stderr, "  -4          Use IPv4 only.\n");
+	fprintf(stderr, "  -6          Use IPv6 only.\n");
+	fprintf(stderr, "  -o 'option' Process the option as if it was read from a configuration file.\n");
+	fprintf(stderr, "  -s          Invoke command (mandatory) as SSH2 subsystem.\n");
+	exit(1);
+}
+
+/*
+ * Connects to the given host using rsh (or prints an error message and exits
+ * if rsh is not available).  This function never returns.
+ */
+void
+rsh_connect(char *host, char *user, Buffer * command)
+{
+	char *args[10];
+	int i;
+
+	log("Using rsh.  WARNING: Connection will not be encrypted.");
+	/* Build argument list for rsh. */
+	i = 0;
+#ifndef	_PATH_RSH
+#define	_PATH_RSH	"/usr/bin/rsh"
+#endif
+	args[i++] = _PATH_RSH;
+	/* host may have to come after user on some systems */
+	args[i++] = host;
+	if (user) {
+		args[i++] = "-l";
+		args[i++] = user;
+	}
+	if (buffer_len(command) > 0) {
+		buffer_append(command, "\0", 1);
+		args[i++] = buffer_ptr(command);
+	}
+	args[i++] = NULL;
+	if (debug_flag) {
+		for (i = 0; args[i]; i++) {
+			if (i != 0)
+				fprintf(stderr, " ");
+			fprintf(stderr, "%s", args[i]);
+		}
+		fprintf(stderr, "\n");
+	}
+	execv(_PATH_RSH, args);
+	perror(_PATH_RSH);
+	exit(1);
+}
+
+int	ssh_session(void);
+int	ssh_session2(void);
+void	load_public_identity_files(void);
+
+/*
+ * Main program for the ssh client.
+ */
+int
+main(int ac, char **av)
+{
+	int i, opt, optind, exit_status, ok;
+	u_short fwd_port, fwd_host_port;
+	char *optarg, *cp, buf[256];
+	struct stat st;
+	struct passwd *pw;
+	int dummy;
+	uid_t original_effective_uid;
+
+	/*
+	 * Save the original real uid.  It will be needed later (uid-swapping
+	 * may clobber the real uid).
+	 */
+	original_real_uid = getuid();
+	original_effective_uid = geteuid();
+
+	/* If we are installed setuid root be careful to not drop core. */
+	if (original_real_uid != original_effective_uid) {
+		struct rlimit rlim;
+		rlim.rlim_cur = rlim.rlim_max = 0;
+		if (setrlimit(RLIMIT_CORE, &rlim) < 0)
+			fatal("setrlimit failed: %.100s", strerror(errno));
+	}
+	/* Get user data. */
+	pw = getpwuid(original_real_uid);
+	if (!pw) {
+		log("You don't exist, go away!");
+		exit(1);
+	}
+	/* Take a copy of the returned structure. */
+	pw = pwcopy(pw);
+
+	/*
+	 * Use uid-swapping to give up root privileges for the duration of
+	 * option processing.  We will re-instantiate the rights when we are
+	 * ready to create the privileged port, and will permanently drop
+	 * them when the port has been created (actually, when the connection
+	 * has been made, as we may need to create the port several times).
+	 */
+	temporarily_use_uid(pw);
+
+	/*
+	 * Set our umask to something reasonable, as some files are created
+	 * with the default umask.  This will make them world-readable but
+	 * writable only by the owner, which is ok for all files for which we
+	 * don't set the modes explicitly.
+	 */
+	umask(022);
+
+	/* Initialize option structure to indicate that no values have been set. */
+	initialize_options(&options);
+
+	/* Parse command-line arguments. */
+	host = NULL;
+
+	for (optind = 1; optind < ac; optind++) {
+		if (av[optind][0] != '-') {
+			if (host)
+				break;
+			if ((cp = strchr(av[optind], '@'))) {
+				if(cp == av[optind])
+					usage();
+				options.user = av[optind];
+				*cp = '\0';
+				host = ++cp;
+			} else
+				host = av[optind];
+			continue;
+		}
+		opt = av[optind][1];
+		if (!opt)
+			usage();
+		if (strchr("eilcmpLRDo", opt)) {   /* options with arguments */
+			optarg = av[optind] + 2;
+			if (strcmp(optarg, "") == 0) {
+				if (optind >= ac - 1)
+					usage();
+				optarg = av[++optind];
+			}
+		} else {
+			if (av[optind][2])
+				usage();
+			optarg = NULL;
+		}
+		switch (opt) {
+		case '1':
+			options.protocol = SSH_PROTO_1;
+			break;
+		case '2':
+			options.protocol = SSH_PROTO_2;
+			break;
+		case '4':
+			IPv4or6 = AF_INET;
+			break;
+		case '6':
+			IPv4or6 = AF_INET6;
+			break;
+		case 'n':
+			stdin_null_flag = 1;
+			break;
+		case 'f':
+			fork_after_authentication_flag = 1;
+			stdin_null_flag = 1;
+			break;
+		case 'x':
+			options.forward_x11 = 0;
+			break;
+		case 'X':
+			options.forward_x11 = 1;
+			break;
+		case 'g':
+			options.gateway_ports = 1;
+			break;
+		case 'P':
+			options.use_privileged_port = 0;
+			break;
+		case 'a':
+			options.forward_agent = 0;
+			break;
+		case 'A':
+			options.forward_agent = 1;
+			break;
+#ifdef AFS
+		case 'k':
+			options.krb4_tgt_passing = 0;
+			options.krb5_tgt_passing = 0;
+			options.afs_token_passing = 0;
+			break;
+#endif
+		case 'i':
+			if (stat(optarg, &st) < 0) {
+				fprintf(stderr, "Warning: Identity file %s does not exist.\n",
+				    optarg);
+				break;
+			}
+			if (options.num_identity_files >= SSH_MAX_IDENTITY_FILES)
+				fatal("Too many identity files specified (max %d)",
+				    SSH_MAX_IDENTITY_FILES);
+			options.identity_files[options.num_identity_files++] = xstrdup(optarg);
+			break;
+		case 't':
+			if (tty_flag)
+				force_tty_flag = 1;
+			tty_flag = 1;
+			break;
+		case 'v':
+			if (0 == debug_flag) {
+				debug_flag = 1;
+				options.log_level = SYSLOG_LEVEL_DEBUG1;
+			} else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {
+				options.log_level++;
+				break;
+			} else {
+				fatal("Too high debugging level.");
+			}
+			/* fallthrough */
+		case 'V':
+			fprintf(stderr,
+			    "%s, SSH protocols %d.%d/%d.%d, OpenSSL 0x%8.8lx\n",
+			    SSH_VERSION,
+			    PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
+			    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+			    SSLeay());
+			if (opt == 'V')
+				exit(0);
+			break;
+		case 'q':
+			options.log_level = SYSLOG_LEVEL_QUIET;
+			break;
+		case 'e':
+			if (optarg[0] == '^' && optarg[2] == 0 &&
+			    (u_char) optarg[1] >= 64 && (u_char) optarg[1] < 128)
+				options.escape_char = (u_char) optarg[1] & 31;
+			else if (strlen(optarg) == 1)
+				options.escape_char = (u_char) optarg[0];
+			else if (strcmp(optarg, "none") == 0)
+				options.escape_char = -2;
+			else {
+				fprintf(stderr, "Bad escape character '%s'.\n", optarg);
+				exit(1);
+			}
+			break;
+		case 'c':
+			if (ciphers_valid(optarg)) {
+				/* SSH2 only */
+				options.ciphers = xstrdup(optarg);
+				options.cipher = SSH_CIPHER_ILLEGAL;
+			} else {
+				/* SSH1 only */
+				options.cipher = cipher_number(optarg);
+				if (options.cipher == -1) {
+					fprintf(stderr, "Unknown cipher type '%s'\n", optarg);
+					exit(1);
+				}
+				if (options.cipher == SSH_CIPHER_3DES) {
+					options.ciphers = "3des-cbc";
+				} else if (options.cipher == SSH_CIPHER_BLOWFISH) {
+					options.ciphers = "blowfish-cbc";
+				} else {
+					options.ciphers = (char *)-1;
+				}
+			}
+			break;
+		case 'm':
+			if (mac_valid(optarg))
+				options.macs = xstrdup(optarg);
+			else {
+				fprintf(stderr, "Unknown mac type '%s'\n", optarg);
+				exit(1);
+			}
+			break;
+		case 'p':
+			options.port = a2port(optarg);
+			if (options.port == 0) {
+				fprintf(stderr, "Bad port '%s'\n", optarg);
+				exit(1);
+			}
+			break;
+		case 'l':
+			options.user = optarg;
+			break;
+		case 'R':
+			if (sscanf(optarg, "%hu/%255[^/]/%hu", &fwd_port, buf,
+			    &fwd_host_port) != 3 &&
+			    sscanf(optarg, "%hu:%255[^:]:%hu", &fwd_port, buf,
+			    &fwd_host_port) != 3) {
+				fprintf(stderr, "Bad forwarding specification '%s'.\n", optarg);
+				usage();
+				/* NOTREACHED */
+			}
+			add_remote_forward(&options, fwd_port, buf, fwd_host_port);
+			break;
+		case 'L':
+			if (sscanf(optarg, "%hu/%255[^/]/%hu", &fwd_port, buf,
+			    &fwd_host_port) != 3 &&
+			    sscanf(optarg, "%hu:%255[^:]:%hu", &fwd_port, buf,
+			    &fwd_host_port) != 3) {
+				fprintf(stderr, "Bad forwarding specification '%s'.\n", optarg);
+				usage();
+				/* NOTREACHED */
+			}
+			add_local_forward(&options, fwd_port, buf, fwd_host_port);
+			break;
+
+		case 'D':
+			fwd_port = a2port(optarg);
+			if (fwd_port == 0) {
+				fprintf(stderr, "Bad dynamic port '%s'\n", optarg);
+				exit(1);
+			}
+			add_local_forward(&options, fwd_port, "socks4", 0);
+			break;
+
+		case 'C':
+			options.compression = 1;
+			break;
+		case 'N':
+			no_shell_flag = 1;
+			no_tty_flag = 1;
+			break;
+		case 'T':
+			no_tty_flag = 1;
+			break;
+		case 'o':
+			dummy = 1;
+			if (process_config_line(&options, host ? host : "", optarg,
+					 "command-line", 0, &dummy) != 0)
+				exit(1);
+			break;
+		case 's':
+			subsystem_flag = 1;
+			break;
+		default:
+			usage();
+		}
+	}
+
+	/* Check that we got a host name. */
+	if (!host)
+		usage();
+
+	SSLeay_add_all_algorithms();
+	ERR_load_crypto_strings();
+
+	/* Initialize the command to execute on remote host. */
+	buffer_init(&command);
+
+	/*
+	 * Save the command to execute on the remote host in a buffer. There
+	 * is no limit on the length of the command, except by the maximum
+	 * packet size.  Also sets the tty flag if there is no command.
+	 */
+	if (optind == ac) {
+		/* No command specified - execute shell on a tty. */
+		tty_flag = 1;
+		if (subsystem_flag) {
+			fprintf(stderr, "You must specify a subsystem to invoke.\n");
+			usage();
+		}
+	} else {
+		/* A command has been specified.  Store it into the
+		   buffer. */
+		for (i = optind; i < ac; i++) {
+			if (i > optind)
+				buffer_append(&command, " ", 1);
+			buffer_append(&command, av[i], strlen(av[i]));
+		}
+	}
+
+	/* Cannot fork to background if no command. */
+	if (fork_after_authentication_flag && buffer_len(&command) == 0 && !no_shell_flag)
+		fatal("Cannot fork into background without a command to execute.");
+
+	/* Allocate a tty by default if no command specified. */
+	if (buffer_len(&command) == 0)
+		tty_flag = 1;
+
+	/* Force no tty*/
+	if (no_tty_flag)
+		tty_flag = 0;
+	/* Do not allocate a tty if stdin is not a tty. */
+	if (!isatty(fileno(stdin)) && !force_tty_flag) {
+		if (tty_flag)
+			log("Pseudo-terminal will not be allocated because stdin is not a terminal.");
+		tty_flag = 0;
+	}
+
+	/*
+	 * Initialize "log" output.  Since we are the client all output
+	 * actually goes to stderr.
+	 */
+	log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
+	    SYSLOG_FACILITY_USER, 1);
+
+	/* Read per-user configuration file. */
+	snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_CONFFILE);
+	read_config_file(buf, host, &options);
+
+	/* Read systemwide configuration file. */
+	read_config_file(_PATH_HOST_CONFIG_FILE, host, &options);
+
+	/* Fill configuration defaults. */
+	fill_default_options(&options);
+
+	/* reinit */
+	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);
+
+	if (options.user == NULL)
+		options.user = xstrdup(pw->pw_name);
+
+	if (options.hostname != NULL)
+		host = options.hostname;
+
+	/* Find canonic host name. */
+	if (strchr(host, '.') == 0) {
+		struct addrinfo hints;
+		struct addrinfo *ai = NULL;
+		int errgai;
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = IPv4or6;
+		hints.ai_flags = AI_CANONNAME;
+		hints.ai_socktype = SOCK_STREAM;
+		errgai = getaddrinfo(host, NULL, &hints, &ai);
+		if (errgai == 0) {
+			if (ai->ai_canonname != NULL)
+				host = xstrdup(ai->ai_canonname);
+			freeaddrinfo(ai);
+		}
+	}
+	/* Disable rhosts authentication if not running as root. */
+	if (original_effective_uid != 0 || !options.use_privileged_port) {
+		debug("Rhosts Authentication disabled, "
+		    "originating port will not be trusted.");
+		options.rhosts_authentication = 0;
+	}
+	/*
+	 * If using rsh has been selected, exec it now (without trying
+	 * anything else).  Note that we must release privileges first.
+	 */
+	if (options.use_rsh) {
+		/*
+		 * Restore our superuser privileges.  This must be done
+		 * before permanently setting the uid.
+		 */
+		restore_uid();
+
+		/* Switch to the original uid permanently. */
+		permanently_set_uid(pw);
+
+		/* Execute rsh. */
+		rsh_connect(host, options.user, &command);
+		fatal("rsh_connect returned");
+	}
+	/* Restore our superuser privileges. */
+	restore_uid();
+
+	/* Open a connection to the remote host. */
+
+	ok = ssh_connect(host, &hostaddr, options.port,
+	    options.connection_attempts,
+	    original_effective_uid != 0 || !options.use_privileged_port,
+	    pw, options.proxy_command);
+
+	/*
+	 * If we successfully made the connection, load the host private key
+	 * in case we will need it later for combined rsa-rhosts
+	 * authentication. This must be done before releasing extra
+	 * privileges, because the file is only readable by root.
+	 */
+	sensitive_data.nkeys = 0;
+	sensitive_data.keys = NULL;
+	if (ok && (options.rhosts_rsa_authentication ||
+	    options.hostbased_authentication)) {
+		sensitive_data.nkeys = 3;
+		sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key));
+		sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
+		    _PATH_HOST_KEY_FILE, "", NULL);
+		sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
+		    _PATH_HOST_DSA_KEY_FILE, "", NULL);
+		sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
+		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
+	}
+	/*
+	 * Get rid of any extra privileges that we may have.  We will no
+	 * longer need them.  Also, extra privileges could make it very hard
+	 * to read identity files and other non-world-readable files from the
+	 * user's home directory if it happens to be on a NFS volume where
+	 * root is mapped to nobody.
+	 */
+
+	/*
+	 * Note that some legacy systems need to postpone the following call
+	 * to permanently_set_uid() until the private hostkey is destroyed
+	 * with RSA_free().  Otherwise the calling user could ptrace() the
+	 * process, read the private hostkey and impersonate the host.
+	 * OpenBSD does not allow ptracing of setuid processes.
+	 */
+	permanently_set_uid(pw);
+
+	/*
+	 * Now that we are back to our own permissions, create ~/.ssh
+	 * directory if it doesn\'t already exist.
+	 */
+	snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, _PATH_SSH_USER_DIR);
+	if (stat(buf, &st) < 0)
+		if (mkdir(buf, 0700) < 0)
+			error("Could not create directory '%.200s'.", buf);
+
+	/* Check if the connection failed, and try "rsh" if appropriate. */
+	if (!ok) {
+		if (options.port != 0)
+			log("Secure connection to %.100s on port %hu refused%.100s.",
+			    host, options.port,
+			    options.fallback_to_rsh ? "; reverting to insecure method" : "");
+		else
+			log("Secure connection to %.100s refused%.100s.", host,
+			    options.fallback_to_rsh ? "; reverting to insecure method" : "");
+
+		if (options.fallback_to_rsh) {
+			rsh_connect(host, options.user, &command);
+			fatal("rsh_connect returned");
+		}
+		exit(1);
+	}
+	/* load options.identity_files */
+	load_public_identity_files();
+
+	/* Expand ~ in known host file names. */
+	/* XXX mem-leaks: */
+	options.system_hostfile =
+	    tilde_expand_filename(options.system_hostfile, original_real_uid);
+	options.user_hostfile =
+	    tilde_expand_filename(options.user_hostfile, original_real_uid);
+	options.system_hostfile2 =
+	    tilde_expand_filename(options.system_hostfile2, original_real_uid);
+	options.user_hostfile2 =
+	    tilde_expand_filename(options.user_hostfile2, original_real_uid);
+
+	/* Log into the remote system.  This never returns if the login fails. */
+	ssh_login(sensitive_data.keys, sensitive_data.nkeys,
+	    host, (struct sockaddr *)&hostaddr, pw);
+
+	/* We no longer need the private host keys.  Clear them now. */
+	if (sensitive_data.nkeys != 0) {
+		for (i = 0; i < sensitive_data.nkeys; i++) {
+			if (sensitive_data.keys[i] != NULL) {
+				/* Destroys contents safely */
+				debug3("clear hostkey %d", i);
+				key_free(sensitive_data.keys[i]);
+				sensitive_data.keys[i] = NULL;
+			}
+		}
+		xfree(sensitive_data.keys);
+	}
+
+	exit_status = compat20 ? ssh_session2() : ssh_session();
+	packet_close();
+	return exit_status;
+}
+
+void
+x11_get_proto(char *proto, int proto_len, char *data, int data_len)
+{
+	char line[512];
+	FILE *f;
+	int got_data = 0, i;
+
+	if (options.xauth_location) {
+		/* Try to get Xauthority information for the display. */
+		snprintf(line, sizeof line, "%.100s list %.200s 2>" _PATH_DEVNULL,
+		    options.xauth_location, getenv("DISPLAY"));
+		f = popen(line, "r");
+		if (f && fgets(line, sizeof(line), f) &&
+		    sscanf(line, "%*s %s %s", proto, data) == 2)
+			got_data = 1;
+		if (f)
+			pclose(f);
+	}
+	/*
+	 * If we didn't get authentication data, just make up some
+	 * data.  The forwarding code will check the validity of the
+	 * response anyway, and substitute this data.  The X11
+	 * server, however, will ignore this fake data and use
+	 * whatever authentication mechanisms it was using otherwise
+	 * for the local connection.
+	 */
+	if (!got_data) {
+		u_int32_t rand = 0;
+
+		strlcpy(proto, "MIT-MAGIC-COOKIE-1", proto_len);
+		for (i = 0; i < 16; i++) {
+			if (i % 4 == 0)
+				rand = arc4random();
+			snprintf(data + 2 * i, data_len - 2 * i, "%02x", rand & 0xff);
+			rand >>= 8;
+		}
+	}
+}
+
+void
+ssh_init_forwarding(void)
+{
+	int success = 0;
+	int i;
+
+	/* Initiate local TCP/IP port forwardings. */
+	for (i = 0; i < options.num_local_forwards; i++) {
+		debug("Connections to local port %d forwarded to remote address %.200s:%d",
+		    options.local_forwards[i].port,
+		    options.local_forwards[i].host,
+		    options.local_forwards[i].host_port);
+		success += channel_request_local_forwarding(
+		    options.local_forwards[i].port,
+		    options.local_forwards[i].host,
+		    options.local_forwards[i].host_port,
+		    options.gateway_ports);
+	}
+	if (i > 0 && success == 0)
+		error("Could not request local forwarding.");
+
+	/* Initiate remote TCP/IP port forwardings. */
+	for (i = 0; i < options.num_remote_forwards; i++) {
+		debug("Connections to remote port %d forwarded to local address %.200s:%d",
+		    options.remote_forwards[i].port,
+		    options.remote_forwards[i].host,
+		    options.remote_forwards[i].host_port);
+		channel_request_remote_forwarding(
+		    options.remote_forwards[i].port,
+		    options.remote_forwards[i].host,
+		    options.remote_forwards[i].host_port);
+	}
+}
+
+void
+check_agent_present(void)
+{
+	if (options.forward_agent) {
+		/* Clear agent forwarding if we don\'t have an agent. */
+		int authfd = ssh_get_authentication_socket();
+		if (authfd < 0)
+			options.forward_agent = 0;
+		else
+			ssh_close_authentication_socket(authfd);
+	}
+}
+
+int
+ssh_session(void)
+{
+	int type;
+	int plen;
+	int interactive = 0;
+	int have_tty = 0;
+	struct winsize ws;
+	char *cp;
+
+	/* Enable compression if requested. */
+	if (options.compression) {
+		debug("Requesting compression at level %d.", options.compression_level);
+
+		if (options.compression_level < 1 || options.compression_level > 9)
+			fatal("Compression level must be from 1 (fast) to 9 (slow, best).");
+
+		/* Send the request. */
+		packet_start(SSH_CMSG_REQUEST_COMPRESSION);
+		packet_put_int(options.compression_level);
+		packet_send();
+		packet_write_wait();
+		type = packet_read(&plen);
+		if (type == SSH_SMSG_SUCCESS)
+			packet_start_compression(options.compression_level);
+		else if (type == SSH_SMSG_FAILURE)
+			log("Warning: Remote host refused compression.");
+		else
+			packet_disconnect("Protocol error waiting for compression response.");
+	}
+	/* Allocate a pseudo tty if appropriate. */
+	if (tty_flag) {
+		debug("Requesting pty.");
+
+		/* Start the packet. */
+		packet_start(SSH_CMSG_REQUEST_PTY);
+
+		/* Store TERM in the packet.  There is no limit on the
+		   length of the string. */
+		cp = getenv("TERM");
+		if (!cp)
+			cp = "";
+		packet_put_string(cp, strlen(cp));
+
+		/* Store window size in the packet. */
+		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
+			memset(&ws, 0, sizeof(ws));
+		packet_put_int(ws.ws_row);
+		packet_put_int(ws.ws_col);
+		packet_put_int(ws.ws_xpixel);
+		packet_put_int(ws.ws_ypixel);
+
+		/* Store tty modes in the packet. */
+		tty_make_modes(fileno(stdin), NULL);
+
+		/* Send the packet, and wait for it to leave. */
+		packet_send();
+		packet_write_wait();
+
+		/* Read response from the server. */
+		type = packet_read(&plen);
+		if (type == SSH_SMSG_SUCCESS) {
+			interactive = 1;
+			have_tty = 1;
+		} else if (type == SSH_SMSG_FAILURE)
+			log("Warning: Remote host failed or refused to allocate a pseudo tty.");
+		else
+			packet_disconnect("Protocol error waiting for pty request response.");
+	}
+	/* Request X11 forwarding if enabled and DISPLAY is set. */
+	if (options.forward_x11 && getenv("DISPLAY") != NULL) {
+		char proto[512], data[512];
+		/* Get reasonable local authentication information. */
+		x11_get_proto(proto, sizeof proto, data, sizeof data);
+		/* Request forwarding with authentication spoofing. */
+		debug("Requesting X11 forwarding with authentication spoofing.");
+		x11_request_forwarding_with_spoofing(0, proto, data);
+
+		/* Read response from the server. */
+		type = packet_read(&plen);
+		if (type == SSH_SMSG_SUCCESS) {
+			interactive = 1;
+		} else if (type == SSH_SMSG_FAILURE) {
+			log("Warning: Remote host denied X11 forwarding.");
+		} else {
+			packet_disconnect("Protocol error waiting for X11 forwarding");
+		}
+	}
+	/* Tell the packet module whether this is an interactive session. */
+	packet_set_interactive(interactive);
+
+	/* Request authentication agent forwarding if appropriate. */
+	check_agent_present();
+
+	if (options.forward_agent) {
+		debug("Requesting authentication agent forwarding.");
+		auth_request_forwarding();
+
+		/* Read response from the server. */
+		type = packet_read(&plen);
+		packet_integrity_check(plen, 0, type);
+		if (type != SSH_SMSG_SUCCESS)
+			log("Warning: Remote host denied authentication agent forwarding.");
+	}
+
+	/* Initiate port forwardings. */
+	ssh_init_forwarding();
+
+	/* If requested, let ssh continue in the background. */
+	if (fork_after_authentication_flag)
+		if (daemon(1, 1) < 0)
+			fatal("daemon() failed: %.200s", strerror(errno));
+
+	/*
+	 * If a command was specified on the command line, execute the
+	 * command now. Otherwise request the server to start a shell.
+	 */
+	if (buffer_len(&command) > 0) {
+		int len = buffer_len(&command);
+		if (len > 900)
+			len = 900;
+		debug("Sending command: %.*s", len, buffer_ptr(&command));
+		packet_start(SSH_CMSG_EXEC_CMD);
+		packet_put_string(buffer_ptr(&command), buffer_len(&command));
+		packet_send();
+		packet_write_wait();
+	} else {
+		debug("Requesting shell.");
+		packet_start(SSH_CMSG_EXEC_SHELL);
+		packet_send();
+		packet_write_wait();
+	}
+
+	/* Enter the interactive session. */
+	return client_loop(have_tty, tty_flag ? options.escape_char : -1, 0);
+}
+
+void
+client_subsystem_reply(int type, int plen, void *ctxt)
+{
+	int id, len;
+
+	id = packet_get_int();
+	len = buffer_len(&command);
+	if (len > 900)
+		len = 900;
+	packet_done();
+	if (type == SSH2_MSG_CHANNEL_FAILURE)
+		fatal("Request for subsystem '%.*s' failed on channel %d",
+		    len, buffer_ptr(&command), id);
+}
+
+void
+ssh_session2_callback(int id, void *arg)
+{
+	int len;
+	int interactive = 0;
+	struct termios tio;
+
+	debug("client_init id %d arg %ld", id, (long)arg);
+
+	if (tty_flag) {
+		struct winsize ws;
+		char *cp;
+		cp = getenv("TERM");
+		if (!cp)
+			cp = "";
+		/* Store window size in the packet. */
+		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
+			memset(&ws, 0, sizeof(ws));
+
+		channel_request_start(id, "pty-req", 0);
+		packet_put_cstring(cp);
+		packet_put_int(ws.ws_col);
+		packet_put_int(ws.ws_row);
+		packet_put_int(ws.ws_xpixel);
+		packet_put_int(ws.ws_ypixel);
+		tio = get_saved_tio();
+		tty_make_modes(/*ignored*/ 0, &tio);
+		packet_send();
+		interactive = 1;
+		/* XXX wait for reply */
+	}
+	if (options.forward_x11 &&
+	    getenv("DISPLAY") != NULL) {
+		char proto[512], data[512];
+		/* Get reasonable local authentication information. */
+		x11_get_proto(proto, sizeof proto, data, sizeof data);
+		/* Request forwarding with authentication spoofing. */
+		debug("Requesting X11 forwarding with authentication spoofing.");
+		x11_request_forwarding_with_spoofing(id, proto, data);
+		interactive = 1;
+		/* XXX wait for reply */
+	}
+
+	check_agent_present();
+	if (options.forward_agent) {
+		debug("Requesting authentication agent forwarding.");
+		channel_request_start(id, "auth-agent-req@openssh.com", 0);
+		packet_send();
+	}
+
+	len = buffer_len(&command);
+	if (len > 0) {
+		if (len > 900)
+			len = 900;
+		if (subsystem_flag) {
+			debug("Sending subsystem: %.*s", len, buffer_ptr(&command));
+			channel_request_start(id, "subsystem", /*want reply*/ 1);
+			/* register callback for reply */
+			/* XXX we asume that client_loop has already been called */
+			dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &client_subsystem_reply);
+			dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &client_subsystem_reply);
+		} else {
+			debug("Sending command: %.*s", len, buffer_ptr(&command));
+			channel_request_start(id, "exec", 0);
+		}
+		packet_put_string(buffer_ptr(&command), buffer_len(&command));
+		packet_send();
+	} else {
+		channel_request(id, "shell", 0);
+	}
+	/* channel_callback(id, SSH2_MSG_OPEN_CONFIGMATION, client_init, 0); */
+
+	/* register different callback, etc. XXX */
+	packet_set_interactive(interactive);
+}
+
+int
+ssh_session2_command(void)
+{
+	int id, window, packetmax;
+	int in, out, err;
+
+	if (stdin_null_flag) {
+		in = open(_PATH_DEVNULL, O_RDONLY);
+	} else {
+		in = dup(STDIN_FILENO);
+	}
+	out = dup(STDOUT_FILENO);
+	err = dup(STDERR_FILENO);
+
+	if (in < 0 || out < 0 || err < 0)
+		fatal("dup() in/out/err failed");
+
+	/* enable nonblocking unless tty */
+	if (!isatty(in))
+		set_nonblock(in);
+	if (!isatty(out))
+		set_nonblock(out);
+	if (!isatty(err))
+		set_nonblock(err);
+
+	window = CHAN_SES_WINDOW_DEFAULT;
+	packetmax = CHAN_SES_PACKET_DEFAULT;
+	if (!tty_flag) {
+		window *= 2;
+		packetmax *=2;
+	}
+	id = channel_new(
+	    "session", SSH_CHANNEL_OPENING, in, out, err,
+	    window, packetmax, CHAN_EXTENDED_WRITE,
+	    xstrdup("client-session"), /*nonblock*/0);
+
+debug("channel_new: %d", id);
+
+	channel_open(id);
+	channel_register_callback(id, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION,
+	     ssh_session2_callback, (void *)0);
+
+	return id;
+}
+
+int
+ssh_session2(void)
+{
+	int id;
+
+	/* XXX should be pre-session */
+	ssh_init_forwarding();
+
+	id = no_shell_flag ? -1 : ssh_session2_command();
+
+	/* If requested, let ssh continue in the background. */
+	if (fork_after_authentication_flag)
+		if (daemon(1, 1) < 0)
+			fatal("daemon() failed: %.200s", strerror(errno));
+
+	return client_loop(tty_flag, tty_flag ? options.escape_char : -1, id);
+}
+
+void
+load_public_identity_files(void)
+{
+	char *filename;
+	Key *public;
+	int i;
+
+	for (i = 0; i < options.num_identity_files; i++) {
+		filename = tilde_expand_filename(options.identity_files[i],
+		    original_real_uid);
+		public = key_load_public(filename, NULL);
+		debug("identity file %s type %d", filename,
+		    public ? public->type : -1);
+		xfree(options.identity_files[i]);
+		options.identity_files[i] = filename;
+		options.identity_keys[i] = public;
+	}
+}
diff --git a/crypto/openssh/ssh.h b/crypto/openssh/ssh.h
new file mode 100644
index 0000000..7485fb8
--- /dev/null
+++ b/crypto/openssh/ssh.h
@@ -0,0 +1,93 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: ssh.h,v 1.62 2001/01/23 10:45:10 markus Exp $"); */
+/* RCSID("$FreeBSD$"); */
+
+#ifndef SSH_H
+#define SSH_H
+
+/* Cipher used for encrypting authentication files. */
+#define SSH_AUTHFILE_CIPHER	SSH_CIPHER_3DES
+
+/* Default port number. */
+#define SSH_DEFAULT_PORT	22
+
+/* Maximum number of TCP/IP ports forwarded per direction. */
+#define SSH_MAX_FORWARDS_PER_DIRECTION	100
+
+/*
+ * Maximum number of RSA authentication identity files that can be specified
+ * in configuration files or on the command line.
+ */
+#define SSH_MAX_IDENTITY_FILES		100
+
+/*
+ * Major protocol version.  Different version indicates major incompatiblity
+ * that prevents communication.
+ *
+ * Minor protocol version.  Different version indicates minor incompatibility
+ * that does not prevent interoperation.
+ */
+#define PROTOCOL_MAJOR_1	1
+#define PROTOCOL_MINOR_1	5
+
+/* We support both SSH1 and SSH2 */
+#define PROTOCOL_MAJOR_2	2
+#define PROTOCOL_MINOR_2	0
+
+/*
+ * Name for the service.  The port named by this service overrides the
+ * default port if present.
+ */
+#define SSH_SERVICE_NAME	"ssh"
+
+/*
+ * Name of the environment variable containing the pathname of the
+ * authentication socket.
+ */
+#define SSH_AGENTPID_ENV_NAME	"SSH_AGENT_PID"
+
+/*
+ * Name of the environment variable containing the pathname of the
+ * authentication socket.
+ */
+#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK"
+
+/*
+ * Environment variable for overwriting the default location of askpass
+ */
+#define SSH_ASKPASS_ENV		"SSH_ASKPASS"
+
+/*
+ * Force host key length and server key length to differ by at least this
+ * many bits.  This is to make double encryption with rsaref work.
+ */
+#define SSH_KEY_BITS_RESERVED		128
+
+/*
+ * Length of the session key in bytes.  (Specified as 256 bits in the
+ * protocol.)
+ */
+#define SSH_SESSION_KEY_LENGTH		32
+
+/* Name of Kerberos service for SSH to use. */
+#define KRB4_SERVICE_NAME		"rcmd"
+
+/* Kerberos IV tickets can't be forwarded. This is an AFS hack! */ 
+#define SSH_CMSG_HAVE_KRB4_TGT SSH_CMSG_HAVE_KERBEROS_TGT /* credentials (s) */
+
+#ifdef USE_PAM
+#include "auth-pam.h"
+#endif /* USE_PAM */
+
+#endif				/* SSH_H */
diff --git a/crypto/openssh/ssh/Makefile b/crypto/openssh/ssh/Makefile
new file mode 100644
index 0000000..2cf80e1
--- /dev/null
+++ b/crypto/openssh/ssh/Makefile
@@ -0,0 +1,34 @@
+#	$OpenBSD: Makefile,v 1.30 2001/04/14 16:33:20 stevesk Exp $
+
+.PATH:		${.CURDIR}/..
+
+PROG=	ssh
+BINOWN=	root
+
+BINMODE?=4555
+
+BINDIR=	/usr/bin
+MAN=	ssh.1
+LINKS=	${BINDIR}/ssh ${BINDIR}/slogin
+MLINKS=	ssh.1 slogin.1
+
+SRCS=	ssh.c readconf.c clientloop.c sshtty.c \
+	sshconnect.c sshconnect1.c sshconnect2.c
+
+.include <bsd.own.mk> # for AFS
+
+.if (${KERBEROS:L} == "yes")
+CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
+LDADD+=	 -lkrb
+DPADD+=	 ${LIBKRB}
+.if (${AFS:L} == "yes")
+CFLAGS+= -DAFS
+LDADD+=  -lkafs
+DPADD+=  ${LIBKRBAFS}
+.endif # AFS
+.endif # KERBEROS
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto -lz
+DPADD+=	${LIBCRYPTO} ${LIBZ}
diff --git a/crypto/openssh/ssh1.h b/crypto/openssh/ssh1.h
new file mode 100644
index 0000000..770c5e4
--- /dev/null
+++ b/crypto/openssh/ssh1.h
@@ -0,0 +1,86 @@
+/*	$OpenBSD: ssh1.h,v 1.2 2001/01/29 01:58:18 niklas Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/*
+ * Definition of message types.  New values can be added, but old values
+ * should not be removed or without careful consideration of the consequences
+ * for compatibility.  The maximum value is 254; value 255 is reserved for
+ * future extension.
+ */
+/* Message name */			/* msg code */	/* arguments */
+#define SSH_MSG_NONE				0	/* no message */
+#define SSH_MSG_DISCONNECT			1	/* cause (string) */
+#define SSH_SMSG_PUBLIC_KEY			2	/* ck,msk,srvk,hostk */
+#define SSH_CMSG_SESSION_KEY			3	/* key (BIGNUM) */
+#define SSH_CMSG_USER				4	/* user (string) */
+#define SSH_CMSG_AUTH_RHOSTS			5	/* user (string) */
+#define SSH_CMSG_AUTH_RSA			6	/* modulus (BIGNUM) */
+#define SSH_SMSG_AUTH_RSA_CHALLENGE		7	/* int (BIGNUM) */
+#define SSH_CMSG_AUTH_RSA_RESPONSE		8	/* int (BIGNUM) */
+#define SSH_CMSG_AUTH_PASSWORD			9	/* pass (string) */
+#define SSH_CMSG_REQUEST_PTY		        10	/* TERM, tty modes */
+#define SSH_CMSG_WINDOW_SIZE		        11	/* row,col,xpix,ypix */
+#define SSH_CMSG_EXEC_SHELL			12	/* */
+#define SSH_CMSG_EXEC_CMD			13	/* cmd (string) */
+#define SSH_SMSG_SUCCESS			14	/* */
+#define SSH_SMSG_FAILURE			15	/* */
+#define SSH_CMSG_STDIN_DATA			16	/* data (string) */
+#define SSH_SMSG_STDOUT_DATA			17	/* data (string) */
+#define SSH_SMSG_STDERR_DATA			18	/* data (string) */
+#define SSH_CMSG_EOF				19	/* */
+#define SSH_SMSG_EXITSTATUS			20	/* status (int) */
+#define SSH_MSG_CHANNEL_OPEN_CONFIRMATION	21	/* channel (int) */
+#define SSH_MSG_CHANNEL_OPEN_FAILURE		22	/* channel (int) */
+#define SSH_MSG_CHANNEL_DATA			23	/* ch,data (int,str) */
+#define SSH_MSG_CHANNEL_CLOSE			24	/* channel (int) */
+#define SSH_MSG_CHANNEL_CLOSE_CONFIRMATION	25	/* channel (int) */
+/*      SSH_CMSG_X11_REQUEST_FORWARDING         26         OBSOLETE */
+#define SSH_SMSG_X11_OPEN			27	/* channel (int) */
+#define SSH_CMSG_PORT_FORWARD_REQUEST		28	/* p,host,hp (i,s,i) */
+#define SSH_MSG_PORT_OPEN			29	/* ch,h,p (i,s,i) */
+#define SSH_CMSG_AGENT_REQUEST_FORWARDING	30	/* */
+#define SSH_SMSG_AGENT_OPEN			31	/* port (int) */
+#define SSH_MSG_IGNORE				32	/* string */
+#define SSH_CMSG_EXIT_CONFIRMATION		33	/* */
+#define SSH_CMSG_X11_REQUEST_FORWARDING		34	/* proto,data (s,s) */
+#define SSH_CMSG_AUTH_RHOSTS_RSA		35	/* user,mod (s,mpi) */
+#define SSH_MSG_DEBUG				36	/* string */
+#define SSH_CMSG_REQUEST_COMPRESSION		37	/* level 1-9 (int) */
+#define SSH_CMSG_MAX_PACKET_SIZE		38	/* size 4k-1024k (int) */
+#define SSH_CMSG_AUTH_TIS			39	/* we use this for s/key */
+#define SSH_SMSG_AUTH_TIS_CHALLENGE		40	/* challenge (string) */
+#define SSH_CMSG_AUTH_TIS_RESPONSE		41	/* response (string) */
+#define SSH_CMSG_AUTH_KERBEROS			42	/* (KTEXT) */
+#define SSH_SMSG_AUTH_KERBEROS_RESPONSE		43	/* (KTEXT) */
+#define SSH_CMSG_HAVE_KERBEROS_TGT		44	/* credentials (s) */
+#define SSH_CMSG_HAVE_AFS_TOKEN			65	/* token (s) */
+
+/*
+ * Authentication methods.  New types can be added, but old types should not
+ * be removed for compatibility.  The maximum allowed value is 31.
+ */
+#define SSH_AUTH_RHOSTS		1
+#define SSH_AUTH_RSA		2
+#define SSH_AUTH_PASSWORD	3
+#define SSH_AUTH_RHOSTS_RSA	4
+#define SSH_AUTH_TIS		5
+#define SSH_AUTH_KERBEROS	6
+#define SSH_PASS_KERBEROS_TGT	7
+				/* 8 to 15 are reserved */
+#define SSH_PASS_AFS_TOKEN	21
+
+/* Protocol flags.  These are bit masks. */
+#define SSH_PROTOFLAG_SCREEN_NUMBER	1	/* X11 forwarding includes screen */
+#define SSH_PROTOFLAG_HOST_IN_FWD_OPEN	2	/* forwarding opens contain host */
+
diff --git a/crypto/openssh/ssh2.h b/crypto/openssh/ssh2.h
new file mode 100644
index 0000000..e45aef2
--- /dev/null
+++ b/crypto/openssh/ssh2.h
@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * draft-ietf-secsh-architecture-05.txt
+ *
+ *   Transport layer protocol:
+ *
+ *     1-19     Transport layer generic (e.g. disconnect, ignore, debug,
+ *              etc)
+ *     20-29    Algorithm negotiation
+ *     30-49    Key exchange method specific (numbers can be reused for
+ *              different authentication methods)
+ *
+ *   User authentication protocol:
+ *
+ *     50-59    User authentication generic
+ *     60-79    User authentication method specific (numbers can be reused
+ *              for different authentication methods)
+ *
+ *   Connection protocol:
+ *
+ *     80-89    Connection protocol generic
+ *     90-127   Channel related messages
+ *
+ *   Reserved for client protocols:
+ *
+ *     128-191  Reserved
+ *
+ *   Local extensions:
+ *
+ *     192-255  Local extensions
+ */
+/* RCSID("$OpenBSD: ssh2.h,v 1.6 2001/03/27 17:46:49 provos Exp $"); */
+
+/* transport layer: generic */
+
+#define SSH2_MSG_DISCONNECT				1
+#define SSH2_MSG_IGNORE					2
+#define SSH2_MSG_UNIMPLEMENTED				3
+#define SSH2_MSG_DEBUG					4
+#define SSH2_MSG_SERVICE_REQUEST			5
+#define SSH2_MSG_SERVICE_ACCEPT				6
+
+/* transport layer: alg negotiation */
+
+#define SSH2_MSG_KEXINIT				20
+#define SSH2_MSG_NEWKEYS				21
+
+/* transport layer: kex specific messages, can be reused */
+
+#define SSH2_MSG_KEXDH_INIT				30
+#define SSH2_MSG_KEXDH_REPLY				31
+
+/* dh-group-exchange */
+#define SSH2_MSG_KEX_DH_GEX_REQUEST_OLD			30
+#define SSH2_MSG_KEX_DH_GEX_GROUP			31
+#define SSH2_MSG_KEX_DH_GEX_INIT			32
+#define SSH2_MSG_KEX_DH_GEX_REPLY			33
+#define SSH2_MSG_KEX_DH_GEX_REQUEST			34
+
+/* user authentication: generic */
+
+#define SSH2_MSG_USERAUTH_REQUEST			50
+#define SSH2_MSG_USERAUTH_FAILURE			51
+#define SSH2_MSG_USERAUTH_SUCCESS			52
+#define SSH2_MSG_USERAUTH_BANNER			53
+
+/* user authentication: method specific, can be reused */
+
+#define SSH2_MSG_USERAUTH_PK_OK				60
+#define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ		60
+#define SSH2_MSG_USERAUTH_INFO_REQUEST			60
+#define SSH2_MSG_USERAUTH_INFO_RESPONSE			61
+
+/* connection protocol: generic */
+
+#define SSH2_MSG_GLOBAL_REQUEST				80
+#define SSH2_MSG_REQUEST_SUCCESS			81
+#define SSH2_MSG_REQUEST_FAILURE			82
+
+/* channel related messages */
+
+#define SSH2_MSG_CHANNEL_OPEN				90
+#define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION		91
+#define SSH2_MSG_CHANNEL_OPEN_FAILURE			92
+#define SSH2_MSG_CHANNEL_WINDOW_ADJUST			93
+#define SSH2_MSG_CHANNEL_DATA				94
+#define SSH2_MSG_CHANNEL_EXTENDED_DATA			95
+#define SSH2_MSG_CHANNEL_EOF				96
+#define SSH2_MSG_CHANNEL_CLOSE				97
+#define SSH2_MSG_CHANNEL_REQUEST			98
+#define SSH2_MSG_CHANNEL_SUCCESS			99
+#define SSH2_MSG_CHANNEL_FAILURE			100
+
+/* disconnect reason code */
+
+#define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT	1
+#define SSH2_DISCONNECT_PROTOCOL_ERROR			2
+#define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED		3
+#define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED	4
+#define SSH2_DISCONNECT_RESERVED			4
+#define SSH2_DISCONNECT_MAC_ERROR			5
+#define SSH2_DISCONNECT_COMPRESSION_ERROR		6
+#define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE		7
+#define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED	8
+#define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE		9
+#define SSH2_DISCONNECT_CONNECTION_LOST			10
+#define SSH2_DISCONNECT_BY_APPLICATION			11
+#define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS		12
+#define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER		13
+#define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE	14
+#define SSH2_DISCONNECT_ILLEGAL_USER_NAME		15
+
+/* misc */
+
+#define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED		1
+#define SSH2_OPEN_CONNECT_FAILED			2
+#define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE			3
+#define SSH2_OPEN_RESOURCE_SHORTAGE			4
+
+#define SSH2_EXTENDED_DATA_STDERR			1
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
new file mode 100644
index 0000000..a02ad7d
--- /dev/null
+++ b/crypto/openssh/ssh_config
@@ -0,0 +1,40 @@
+# This is ssh client systemwide configuration file.  This file provides 
+# defaults for users, and the values can be changed in per-user configuration
+# files or on the command line.
+#
+#	$OpenBSD: ssh_config,v 1.10 2001/04/03 21:19:38 todd Exp $
+# $FreeBSD$
+
+# This is ssh client systemwide configuration file.  See ssh(1) for more
+# information.  This file provides defaults for users, and the values can
+# be changed in per-user configuration files or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for various options
+
+# Host *
+#   ForwardAgent no
+#   ForwardX11 no
+#   RhostsAuthentication no
+#   RhostsRSAAuthentication yes
+#   RSAAuthentication yes
+#   PasswordAuthentication yes
+#   FallBackToRsh no
+#   UseRsh no
+#   BatchMode no
+#   CheckHostIP yes
+#   StrictHostKeyChecking yes
+#   IdentityFile ~/.ssh/identity
+#   IdentityFile ~/.ssh/id_dsa
+#   IdentityFile ~/.ssh/id_rsa
+#   Port 22
+#   Protocol 2,1
+#   Cipher blowfish
+#   EscapeChar ~
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
new file mode 100644
index 0000000..679660f
--- /dev/null
+++ b/crypto/openssh/sshconnect.c
@@ -0,0 +1,985 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Code to connect to a remote host, and to perform the client side of the
+ * login (authentication) dialog.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sshconnect.c,v 1.104 2001/04/12 19:15:25 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/bn.h>
+
+#include "ssh.h"
+#include "xmalloc.h"
+#include "rsa.h"
+#include "buffer.h"
+#include "packet.h"
+#include "uidswap.h"
+#include "compat.h"
+#include "key.h"
+#include "sshconnect.h"
+#include "hostfile.h"
+#include "log.h"
+#include "readconf.h"
+#include "atomicio.h"
+#include "misc.h"
+#include "auth.h"
+#include "ssh1.h"
+#include "canohost.h"
+
+char *client_version_string = NULL;
+char *server_version_string = NULL;
+
+extern Options options;
+extern char *__progname;
+
+/* AF_UNSPEC or AF_INET or AF_INET6 */
+extern int IPv4or6;
+
+/*
+ * Connect to the given ssh server using a proxy command.
+ */
+int
+ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
+		  const char *proxy_command)
+{
+	Buffer command;
+	const char *cp;
+	char *command_string;
+	int pin[2], pout[2];
+	pid_t pid;
+	char strport[NI_MAXSERV];
+
+	/* Convert the port number into a string. */
+	snprintf(strport, sizeof strport, "%hu", port);
+
+	/* Build the final command string in the buffer by making the
+	   appropriate substitutions to the given proxy command. */
+	buffer_init(&command);
+	for (cp = proxy_command; *cp; cp++) {
+		if (cp[0] == '%' && cp[1] == '%') {
+			buffer_append(&command, "%", 1);
+			cp++;
+			continue;
+		}
+		if (cp[0] == '%' && cp[1] == 'h') {
+			buffer_append(&command, host, strlen(host));
+			cp++;
+			continue;
+		}
+		if (cp[0] == '%' && cp[1] == 'p') {
+			buffer_append(&command, strport, strlen(strport));
+			cp++;
+			continue;
+		}
+		buffer_append(&command, cp, 1);
+	}
+	buffer_append(&command, "\0", 1);
+
+	/* Get the final command string. */
+	command_string = buffer_ptr(&command);
+
+	/* Create pipes for communicating with the proxy. */
+	if (pipe(pin) < 0 || pipe(pout) < 0)
+		fatal("Could not create pipes to communicate with the proxy: %.100s",
+		      strerror(errno));
+
+	debug("Executing proxy command: %.500s", command_string);
+
+	/* Fork and execute the proxy command. */
+	if ((pid = fork()) == 0) {
+		char *argv[10];
+
+		/* Child.  Permanently give up superuser privileges. */
+		permanently_set_uid(pw);
+
+		/* Redirect stdin and stdout. */
+		close(pin[1]);
+		if (pin[0] != 0) {
+			if (dup2(pin[0], 0) < 0)
+				perror("dup2 stdin");
+			close(pin[0]);
+		}
+		close(pout[0]);
+		if (dup2(pout[1], 1) < 0)
+			perror("dup2 stdout");
+		/* Cannot be 1 because pin allocated two descriptors. */
+		close(pout[1]);
+
+		/* Stderr is left as it is so that error messages get
+		   printed on the user's terminal. */
+		argv[0] = _PATH_BSHELL;
+		argv[1] = "-c";
+		argv[2] = command_string;
+		argv[3] = NULL;
+
+		/* Execute the proxy command.  Note that we gave up any
+		   extra privileges above. */
+		execv(argv[0], argv);
+		perror(argv[0]);
+		exit(1);
+	}
+	/* Parent. */
+	if (pid < 0)
+		fatal("fork failed: %.100s", strerror(errno));
+
+	/* Close child side of the descriptors. */
+	close(pin[0]);
+	close(pout[1]);
+
+	/* Free the command name. */
+	buffer_free(&command);
+
+	/* Set the connection file descriptors. */
+	packet_set_connection(pout[0], pin[1]);
+
+	return 1;
+}
+
+/*
+ * Creates a (possibly privileged) socket for use as the ssh connection.
+ */
+int
+ssh_create_socket(struct passwd *pw, int privileged, int family)
+{
+	int sock;
+
+	/*
+	 * If we are running as root and want to connect to a privileged
+	 * port, bind our own socket to a privileged port.
+	 */
+	if (privileged) {
+		int p = IPPORT_RESERVED - 1;
+		sock = rresvport_af(&p, family);
+		if (sock < 0)
+			error("rresvport: af=%d %.100s", family, strerror(errno));
+		else
+			debug("Allocated local port %d.", p);
+	} else {
+		/*
+		 * Just create an ordinary socket on arbitrary port.  We use
+		 * the user's uid to create the socket.
+		 */
+		temporarily_use_uid(pw);
+		sock = socket(family, SOCK_STREAM, 0);
+		if (sock < 0)
+			error("socket: %.100s", strerror(errno));
+		restore_uid();
+	}
+	return sock;
+}
+
+/*
+ * Opens a TCP/IP connection to the remote server on the given host.
+ * The address of the remote host will be returned in hostaddr.
+ * If port is 0, the default port will be used.  If anonymous is zero,
+ * a privileged port will be allocated to make the connection.
+ * This requires super-user privileges if anonymous is false.
+ * Connection_attempts specifies the maximum number of tries (one per
+ * second).  If proxy_command is non-NULL, it specifies the command (with %h
+ * and %p substituted for host and port, respectively) to use to contact
+ * the daemon.
+ */
+int
+ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
+	    u_short port, int connection_attempts,
+	    int anonymous, struct passwd *pw,
+	    const char *proxy_command)
+{
+	int gaierr;
+	int on = 1;
+	int sock = -1, attempt;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	struct addrinfo hints, *ai, *aitop;
+	struct linger linger;
+	struct servent *sp;
+
+	debug("ssh_connect: getuid %u geteuid %u anon %d",
+	      (u_int) getuid(), (u_int) geteuid(), anonymous);
+
+	/* Get default port if port has not been set. */
+	if (port == 0) {
+		sp = getservbyname(SSH_SERVICE_NAME, "tcp");
+		if (sp)
+			port = ntohs(sp->s_port);
+		else
+			port = SSH_DEFAULT_PORT;
+	}
+	/* If a proxy command is given, connect using it. */
+	if (proxy_command != NULL)
+		return ssh_proxy_connect(host, port, pw, proxy_command);
+
+	/* No proxy command. */
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = IPv4or6;
+	hints.ai_socktype = SOCK_STREAM;
+	snprintf(strport, sizeof strport, "%d", port);
+	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+		fatal("%s: %.100s: %s", __progname, host,
+		    gai_strerror(gaierr));
+
+	/*
+	 * Try to connect several times.  On some machines, the first time
+	 * will sometimes fail.  In general socket code appears to behave
+	 * quite magically on many machines.
+	 */
+	for (attempt = 0; attempt < connection_attempts; attempt++) {
+		if (attempt > 0)
+			debug("Trying again...");
+
+		/* Loop through addresses for this host, and try each one in
+		   sequence until the connection succeeds. */
+		for (ai = aitop; ai; ai = ai->ai_next) {
+			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+				continue;
+			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
+			    ntop, sizeof(ntop), strport, sizeof(strport),
+			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+				error("ssh_connect: getnameinfo failed");
+				continue;
+			}
+			debug("Connecting to %.200s [%.100s] port %s.",
+				host, ntop, strport);
+
+			/* Create a socket for connecting. */
+			sock = ssh_create_socket(pw,
+			    !anonymous && geteuid() == 0,
+			    ai->ai_family);
+			if (sock < 0)
+				continue;
+
+			/* Connect to the host.  We use the user's uid in the
+			 * hope that it will help with tcp_wrappers showing
+			 * the remote uid as root.
+			 */
+			temporarily_use_uid(pw);
+			if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
+				/* Successful connection. */
+				memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
+				restore_uid();
+				break;
+			} else {
+				debug("connect: %.100s", strerror(errno));
+				restore_uid();
+				/*
+				 * Close the failed socket; there appear to
+				 * be some problems when reusing a socket for
+				 * which connect() has already returned an
+				 * error.
+				 */
+				shutdown(sock, SHUT_RDWR);
+				close(sock);
+			}
+		}
+		if (ai)
+			break;	/* Successful connection. */
+
+		/* Sleep a moment before retrying. */
+		sleep(1);
+	}
+
+	freeaddrinfo(aitop);
+
+	/* Return failure if we didn't get a successful connection. */
+	if (attempt >= connection_attempts)
+		return 0;
+
+	debug("Connection established.");
+
+	/*
+	 * Set socket options.  We would like the socket to disappear as soon
+	 * as it has been closed for whatever reason.
+	 */
+	/* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
+	linger.l_onoff = 1;
+	linger.l_linger = 5;
+	setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
+
+	/* Set keepalives if requested. */
+	if (options.keepalives &&
+	    setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
+	    sizeof(on)) < 0)
+		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+
+	/* Set the connection. */
+	packet_set_connection(sock, sock);
+
+	return 1;
+}
+
+/*
+ * Waits for the server identification string, and sends our own
+ * identification string.
+ */
+void
+ssh_exchange_identification(void)
+{
+	char buf[256], remote_version[256];	/* must be same size! */
+	int remote_major, remote_minor, i, mismatch;
+	int connection_in = packet_get_connection_in();
+	int connection_out = packet_get_connection_out();
+	int minor1 = PROTOCOL_MINOR_1;
+
+	/* Read other side\'s version identification. */
+	for (;;) {
+		for (i = 0; i < sizeof(buf) - 1; i++) {
+			int len = atomicio(read, connection_in, &buf[i], 1);
+			if (len < 0)
+				fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
+			if (len != 1)
+				fatal("ssh_exchange_identification: Connection closed by remote host");
+			if (buf[i] == '\r') {
+				buf[i] = '\n';
+				buf[i + 1] = 0;
+				continue;		/**XXX wait for \n */
+			}
+			if (buf[i] == '\n') {
+				buf[i + 1] = 0;
+				break;
+			}
+		}
+		buf[sizeof(buf) - 1] = 0;
+		if (strncmp(buf, "SSH-", 4) == 0)
+			break;
+		debug("ssh_exchange_identification: %s", buf);
+	}
+	server_version_string = xstrdup(buf);
+
+	/*
+	 * Check that the versions match.  In future this might accept
+	 * several versions and set appropriate flags to handle them.
+	 */
+	if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",
+	    &remote_major, &remote_minor, remote_version) != 3)
+		fatal("Bad remote protocol version identification: '%.100s'", buf);
+	debug("Remote protocol version %d.%d, remote software version %.100s",
+	      remote_major, remote_minor, remote_version);
+
+	compat_datafellows(remote_version);
+	mismatch = 0;
+
+	switch(remote_major) {
+	case 1:
+		if (remote_minor == 99 &&
+		    (options.protocol & SSH_PROTO_2) &&
+		    !(options.protocol & SSH_PROTO_1_PREFERRED)) {
+			enable_compat20();
+			break;
+		}
+		if (!(options.protocol & SSH_PROTO_1)) {
+			mismatch = 1;
+			break;
+		}
+		if (remote_minor < 3) {
+			fatal("Remote machine has too old SSH software version.");
+		} else if (remote_minor == 3 || remote_minor == 4) {
+			/* We speak 1.3, too. */
+			enable_compat13();
+			minor1 = 3;
+			if (options.forward_agent) {
+				log("Agent forwarding disabled for protocol 1.3");
+				options.forward_agent = 0;
+			}
+		}
+		break;
+	case 2:
+		if (options.protocol & SSH_PROTO_2) {
+			enable_compat20();
+			break;
+		}
+		/* FALLTHROUGH */
+	default:
+		mismatch = 1;
+		break;
+	}
+	if (mismatch)
+		fatal("Protocol major versions differ: %d vs. %d",
+		    (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
+		    remote_major);
+	if (compat20)
+		packet_set_ssh2_format();
+	/* Send our own protocol version identification. */
+	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n",
+	    compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
+	    compat20 ? PROTOCOL_MINOR_2 : minor1,
+	    SSH_VERSION);
+	if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf))
+		fatal("write: %.100s", strerror(errno));
+	client_version_string = xstrdup(buf);
+	chop(client_version_string);
+	chop(server_version_string);
+	debug("Local version string %.100s", client_version_string);
+}
+
+/* defaults to 'no' */
+int
+read_yes_or_no(const char *prompt, int defval)
+{
+	char buf[1024];
+	FILE *f;
+	int retval = -1;
+
+	if (options.batch_mode)
+		return 0;
+
+	if (isatty(STDIN_FILENO))
+		f = stdin;
+	else
+		f = fopen(_PATH_TTY, "rw");
+
+	if (f == NULL)
+		return 0;
+
+	fflush(stdout);
+
+	while (1) {
+		fprintf(stderr, "%s", prompt);
+		if (fgets(buf, sizeof(buf), f) == NULL) {
+			/* Print a newline (the prompt probably didn\'t have one). */
+			fprintf(stderr, "\n");
+			strlcpy(buf, "no", sizeof buf);
+		}
+		/* Remove newline from response. */
+		if (strchr(buf, '\n'))
+			*strchr(buf, '\n') = 0;
+
+		if (buf[0] == 0)
+			retval = defval;
+		if (strcmp(buf, "yes") == 0)
+			retval = 1;
+		else if (strcmp(buf, "no") == 0)
+			retval = 0;
+		else
+			fprintf(stderr, "Please type 'yes' or 'no'.\n");
+
+		if (retval != -1) {
+			if (f != stdin)
+				fclose(f);
+			return retval;
+		}
+	}
+}
+
+/*
+ * check whether the supplied host key is valid, return only if ok.
+ */
+
+void
+check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
+	const char *user_hostfile, const char *system_hostfile)
+{
+	Key *file_key;
+	char *type = key_type(host_key);
+	char *ip = NULL;
+	char hostline[1000], *hostp, *fp;
+	HostStatus host_status;
+	HostStatus ip_status;
+	int local = 0, host_ip_differ = 0;
+	char ntop[NI_MAXHOST];
+	int host_line, ip_line;
+	const char *host_file = NULL, *ip_file = NULL;
+
+	/*
+	 * Force accepting of the host key for loopback/localhost. The
+	 * problem is that if the home directory is NFS-mounted to multiple
+	 * machines, localhost will refer to a different machine in each of
+	 * them, and the user will get bogus HOST_CHANGED warnings.  This
+	 * essentially disables host authentication for localhost; however,
+	 * this is probably not a real problem.
+	 */
+	/**  hostaddr == 0! */
+	switch (hostaddr->sa_family) {
+	case AF_INET:
+		local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
+		break;
+	case AF_INET6:
+		local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
+		break;
+	default:
+		local = 0;
+		break;
+	}
+	if (local && options.host_key_alias == NULL) {
+		debug("Forcing accepting of host key for "
+		    "loopback/localhost.");
+		return;
+	}
+
+	/*
+	 * We don't have the remote ip-address for connections
+	 * using a proxy command
+	 */
+	if (options.proxy_command == NULL) {
+		if (getnameinfo(hostaddr, hostaddr->sa_len, ntop, sizeof(ntop),
+		    NULL, 0, NI_NUMERICHOST) != 0)
+			fatal("check_host_key: getnameinfo failed");
+		ip = xstrdup(ntop);
+	} else {
+		ip = xstrdup("<no hostip for proxy command>");
+	}
+	/*
+	 * Turn off check_host_ip if the connection is to localhost, via proxy
+	 * command or if we don't have a hostname to compare with
+	 */
+	if (options.check_host_ip &&
+	    (local || strcmp(host, ip) == 0 || options.proxy_command != NULL))
+		options.check_host_ip = 0;
+
+	/*
+	 * Allow the user to record the key under a different name. This is
+	 * useful for ssh tunneling over forwarded connections or if you run
+	 * multiple sshd's on different ports on the same machine.
+	 */
+	if (options.host_key_alias != NULL) {
+		host = options.host_key_alias;
+		debug("using hostkeyalias: %s", host);
+	}
+
+	/*
+	 * Store the host key from the known host file in here so that we can
+	 * compare it with the key for the IP address.
+	 */
+	file_key = key_new(host_key->type);
+
+	/*
+	 * Check if the host key is present in the user\'s list of known
+	 * hosts or in the systemwide list.
+	 */
+	host_file = user_hostfile;
+	host_status = check_host_in_hostfile(host_file, host, host_key, file_key, &host_line);
+	if (host_status == HOST_NEW) {
+		host_file = system_hostfile;
+		host_status = check_host_in_hostfile(host_file, host, host_key, file_key, &host_line);
+	}
+	/*
+	 * Also perform check for the ip address, skip the check if we are
+	 * localhost or the hostname was an ip address to begin with
+	 */
+	if (options.check_host_ip) {
+		Key *ip_key = key_new(host_key->type);
+
+		ip_file = user_hostfile;
+		ip_status = check_host_in_hostfile(ip_file, ip, host_key, ip_key, &ip_line);
+		if (ip_status == HOST_NEW) {
+			ip_file = system_hostfile;
+			ip_status = check_host_in_hostfile(ip_file, ip, host_key, ip_key, &ip_line);
+		}
+		if (host_status == HOST_CHANGED &&
+		    (ip_status != HOST_CHANGED || !key_equal(ip_key, file_key)))
+			host_ip_differ = 1;
+
+		key_free(ip_key);
+	} else
+		ip_status = host_status;
+
+	key_free(file_key);
+
+	switch (host_status) {
+	case HOST_OK:
+		/* The host is known and the key matches. */
+		debug("Host '%.200s' is known and matches the %s host key.",
+		    host, type);
+		debug("Found key in %s:%d", host_file, host_line);
+		if (options.check_host_ip && ip_status == HOST_NEW) {
+			if (!add_host_to_hostfile(user_hostfile, ip, host_key))
+				log("Failed to add the %s host key for IP address '%.128s' to the list of known hosts (%.30s).",
+				    type, ip, user_hostfile);
+			else
+				log("Warning: Permanently added the %s host key for IP address '%.128s' to the list of known hosts.",
+				    type, ip);
+		}
+		break;
+	case HOST_NEW:
+		/* The host is new. */
+		if (options.strict_host_key_checking == 1) {
+			/* User has requested strict host key checking.  We will not add the host key
+			   automatically.  The only alternative left is to abort. */
+			fatal("No %s host key is known for %.200s and you have requested strict checking.", type, host);
+		} else if (options.strict_host_key_checking == 2) {
+			/* The default */
+			char prompt[1024];
+			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+			snprintf(prompt, sizeof(prompt),
+			    "The authenticity of host '%.200s (%s)' can't be established.\n"
+			    "%s key fingerprint is %s.\n"
+			    "Are you sure you want to continue connecting (yes/no)? ",
+			    host, ip, type, fp);
+			xfree(fp);
+			if (!read_yes_or_no(prompt, -1))
+				fatal("Aborted by user!");
+		}
+		if (options.check_host_ip && ip_status == HOST_NEW) {
+			snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);
+			hostp = hostline;
+		} else
+			hostp = host;
+
+		/* If not in strict mode, add the key automatically to the local known_hosts file. */
+		if (!add_host_to_hostfile(user_hostfile, hostp, host_key))
+			log("Failed to add the host to the list of known hosts (%.500s).",
+			    user_hostfile);
+		else
+			log("Warning: Permanently added '%.200s' (%s) to the list of known hosts.",
+			    hostp, type);
+		break;
+	case HOST_CHANGED:
+		if (options.check_host_ip && host_ip_differ) {
+			char *msg;
+			if (ip_status == HOST_NEW)
+				msg = "is unknown";
+			else if (ip_status == HOST_OK)
+				msg = "is unchanged";
+			else
+				msg = "has a different value";
+			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+			error("@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @");
+			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+			error("The %s host key for %s has changed,", type, host);
+			error("and the key for the according IP address %s", ip);
+			error("%s. This could either mean that", msg);
+			error("DNS SPOOFING is happening or the IP address for the host");
+			error("and its host key have changed at the same time.");
+			if (ip_status != HOST_NEW)
+				error("Offending key for IP in %s:%d", ip_file, ip_line);
+		}
+		/* The host key has changed. */
+		fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+		error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
+		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+		error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
+		error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
+		error("It is also possible that the %s host key has just been changed.", type);
+		error("The fingerprint for the %s key sent by the remote host is\n%s.",
+		    type, fp);
+		error("Please contact your system administrator.");
+		error("Add correct host key in %.100s to get rid of this message.",
+		    user_hostfile);
+		error("Offending key in %s:%d", host_file, host_line);
+		xfree(fp);
+
+		/*
+		 * If strict host key checking is in use, the user will have
+		 * to edit the key manually and we can only abort.
+		 */
+		if (options.strict_host_key_checking)
+			fatal("%s host key for %.200s has changed and you have requested strict checking.", type, host);
+
+		/*
+		 * If strict host key checking has not been requested, allow
+		 * the connection but without password authentication or
+		 * agent forwarding.
+		 */
+		if (options.password_authentication) {
+			error("Password authentication is disabled to avoid trojan horses.");
+			options.password_authentication = 0;
+		}
+		if (options.forward_agent) {
+			error("Agent forwarding is disabled to avoid trojan horses.");
+			options.forward_agent = 0;
+		}
+		if (options.forward_x11) {
+			error("X11 forwarding is disabled to avoid trojan horses.");
+			options.forward_x11 = 0;
+		}
+		if (options.num_local_forwards > 0 || options.num_remote_forwards > 0) {
+			error("Port forwarding is disabled to avoid trojan horses.");
+			options.num_local_forwards = options.num_remote_forwards = 0;
+		}
+		/*
+		 * XXX Should permit the user to change to use the new id.
+		 * This could be done by converting the host key to an
+		 * identifying sentence, tell that the host identifies itself
+		 * by that sentence, and ask the user if he/she whishes to
+		 * accept the authentication.
+		 */
+		break;
+	}
+
+	if (options.check_host_ip && host_status != HOST_CHANGED &&
+	    ip_status == HOST_CHANGED) {
+		log("Warning: the %s host key for '%.200s' "
+		    "differs from the key for the IP address '%.128s'",
+		    type, host, ip);
+		if (host_status == HOST_OK)
+			log("Matching host key in %s:%d", host_file, host_line);
+		log("Offending key for IP in %s:%d", ip_file, ip_line);
+		if (options.strict_host_key_checking == 1) {
+			fatal("Exiting, you have requested strict checking.");
+		} else if (options.strict_host_key_checking == 2) {
+			if (!read_yes_or_no("Are you sure you want " \
+			    "to continue connecting (yes/no)? ", -1))
+				fatal("Aborted by user!");
+		}
+	}
+
+	xfree(ip);
+}
+
+#ifdef KRB5
+int
+try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
+{
+  krb5_error_code problem;
+  const char *tkfile; 
+  struct stat buf;
+  krb5_ccache ccache = NULL;
+  const char *remotehost;
+  krb5_data ap;
+  int type, payload_len;
+  krb5_ap_rep_enc_part *reply = NULL; 
+  int ret;
+
+  memset(&ap, 0, sizeof(ap));
+  
+  problem = krb5_init_context(context);
+  if (problem) {
+     ret = 0;
+     goto out;
+  }
+  
+  tkfile = krb5_cc_default_name(*context);
+  if (strncmp(tkfile, "FILE:", 5) == 0)
+     tkfile += 5;
+  
+  if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+    debug("Kerberos V5: could not get default ccache (permission denied).");
+    ret = 0;
+    goto out;
+  }
+  
+  problem = krb5_cc_default(*context, &ccache);
+  if (problem) { 
+     ret = 0; 
+     goto out;
+  }
+  
+  remotehost = get_canonical_hostname(1);
+  
+  problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
+			"host", remotehost, NULL, ccache, &ap);
+  if (problem) { 
+     ret = 0;
+     goto out;
+  }
+  
+  packet_start(SSH_CMSG_AUTH_KERBEROS);
+  packet_put_string((char *) ap.data, ap.length);
+  packet_send();
+  packet_write_wait();
+
+  xfree(ap.data);
+  ap.length = 0;
+
+  type = packet_read(&payload_len);
+   switch (type) {
+        case SSH_SMSG_FAILURE:
+                /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
+                debug("Kerberos V5 authentication failed.");
+                ret = 0;
+                break;
+
+         case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
+                /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
+                debug("Kerberos V5 authentication accepted.");
+
+                /* Get server's response. */
+                ap.data = packet_get_string((unsigned int *) &ap.length);
+
+                packet_integrity_check(payload_len, 4 + ap.length, type);
+                /* XXX je to dobre? */
+
+                problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
+                if (problem) { 
+		   ret = 0;
+		   goto out;
+                } 
+		ret = 1;
+		break;
+	
+	default:
+		packet_disconnect("Protocol error on Kerberos V5 response: %d", type);
+		ret = 0; 
+		break;
+
+   }
+ 
+out:  
+   if (ccache != NULL) 
+       krb5_cc_close(*context, ccache);
+   if (reply != NULL)
+      krb5_free_ap_rep_enc_part(*context, reply); 
+   if (ap.length > 0)
+      krb5_data_free(&ap);
+	
+   return ret;
+  
+}
+
+void
+send_krb5_tgt(krb5_context context, krb5_auth_context auth_context) 
+{
+  int fd; 
+  int type, payload_len;
+  krb5_error_code problem; 
+  krb5_data outbuf;
+  krb5_ccache ccache = NULL;
+  krb5_creds creds; 
+  krb5_kdc_flags flags; 
+  const char *remotehost = get_canonical_hostname(1);
+ 
+  memset(&creds, 0, sizeof(creds)); 
+  memset(&outbuf, 0, sizeof(outbuf));
+  
+  fd = packet_get_connection_in(); 
+  problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
+  if (problem) {
+     goto out;
+  }
+  
+#if 0
+  tkfile = krb5_cc_default_name(context);
+  if (strncmp(tkfile, "FILE:", 5) == 0)
+     tkfile += 5;
+  
+  if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
+     debug("Kerberos V5: could not get default ccache (permission denied).");
+     goto out;
+  }
+#endif
+  
+  problem = krb5_cc_default(context, &ccache);  
+  if (problem) {
+     goto out;
+  }
+  
+  problem = krb5_cc_get_principal(context, ccache, &creds.client);
+  if (problem) {
+     goto out;
+  }
+  
+  problem = krb5_build_principal(context, &creds.server,
+	                         strlen(creds.client->realm),
+				 creds.client->realm,
+				 "krbtgt",
+				 creds.client->realm,
+				 NULL);
+  if (problem) {
+     goto out;
+  }
+  
+  creds.times.endtime = 0;
+  
+  flags.i = 0;
+  flags.b.forwarded = 1;
+  flags.b.forwardable = krb5_config_get_bool(context,  NULL,
+	                  "libdefaults", "forwardable", NULL);
+  
+  problem = krb5_get_forwarded_creds (context,
+	                              auth_context,
+				      ccache,
+				      flags.i,
+				      remotehost,
+				      &creds,
+				      &outbuf);
+  if (problem) {
+     goto out;
+  }
+  
+  packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
+  packet_put_string((char *)outbuf.data, outbuf.length);
+  packet_send();
+  packet_write_wait();
+  
+  type = packet_read(&payload_len);
+  switch (type) {
+     case SSH_SMSG_SUCCESS:
+	break;
+     case SSH_SMSG_FAILURE:
+	break;
+     default:
+	break;
+  }
+
+out:
+  if (creds.client)
+     krb5_free_principal(context, creds.client);
+  if (creds.server)
+     krb5_free_principal(context, creds.server);
+  if (ccache)
+     krb5_cc_close(context, ccache); 
+  if (outbuf.data)
+     xfree(outbuf.data);
+  
+  return;
+}
+#endif /* KRB5 */
+
+/*
+ * Starts a dialog with the server, and authenticates the current user on the
+ * server.  This does not need any extra privileges.  The basic connection
+ * to the server must already have been established before this is called.
+ * If login fails, this function prints an error and never returns.
+ * This function does not require super-user privileges.
+ */
+void
+ssh_login(Key **keys, int nkeys, const char *orighost,
+    struct sockaddr *hostaddr, struct passwd *pw)
+{
+	char *host, *cp;
+	char *server_user, *local_user;
+
+	local_user = xstrdup(pw->pw_name);
+	server_user = options.user ? options.user : local_user;
+
+	/* Convert the user-supplied hostname into all lowercase. */
+	host = xstrdup(orighost);
+	for (cp = host; *cp; cp++)
+		if (isupper(*cp))
+			*cp = tolower(*cp);
+
+	/* Exchange protocol version identification strings with the server. */
+	ssh_exchange_identification();
+
+	/* Put the connection into non-blocking mode. */
+	packet_set_nonblocking();
+
+	/* key exchange */
+	/* authenticate user */
+	if (compat20) {
+		ssh_kex2(host, hostaddr);
+		ssh_userauth2(local_user, server_user, host, keys, nkeys);
+	} else {
+		ssh_kex(host, hostaddr);
+		ssh_userauth1(local_user, server_user, host, keys, nkeys);
+	}
+}
+
+void
+ssh_put_password(char *password)
+{
+	int size;
+	char *padded;
+
+	if (datafellows & SSH_BUG_PASSWORDPAD) {
+		packet_put_string(password, strlen(password));
+		return;
+	}
+	size = roundup(strlen(password) + 1, 32);
+	padded = xmalloc(size);
+	memset(padded, 0, size);
+	strlcpy(padded, password, size);
+	packet_put_string(padded, size);
+	memset(padded, 0, size);
+	xfree(padded);
+}
diff --git a/crypto/openssh/sshconnect.h b/crypto/openssh/sshconnect.h
new file mode 100644
index 0000000..575827d
--- /dev/null
+++ b/crypto/openssh/sshconnect.h
@@ -0,0 +1,56 @@
+/*	$OpenBSD: sshconnect.h,v 1.9 2001/04/12 19:15:25 markus Exp $	*/
+/*	$FreeBSD$	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef SSHCONNECT_H
+#define SSHCONNECT_H
+
+int
+ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
+    u_short port, int connection_attempts,
+    int anonymous, struct passwd *pw,
+    const char *proxy_command);
+
+void
+ssh_login(Key **keys, int nkeys, const char *orighost,
+    struct sockaddr *hostaddr, struct passwd *pw);
+
+void
+check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
+    const char *user_hostfile, const char *system_hostfile);
+
+void	ssh_kex(char *host, struct sockaddr *hostaddr);
+void	ssh_kex2(char *host, struct sockaddr *hostaddr);
+
+void
+ssh_userauth1(const char *local_user, const char *server_user, char *host,
+    Key **keys, int nkeys);
+void
+ssh_userauth2(const char *local_user, const char *server_user, char *host,
+    Key **keys, int nkeys);
+
+void	ssh_put_password(char *password);
+
+#endif
diff --git a/crypto/openssh/sshconnect1.c b/crypto/openssh/sshconnect1.c
new file mode 100644
index 0000000..c324aaf
--- /dev/null
+++ b/crypto/openssh/sshconnect1.c
@@ -0,0 +1,1076 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Code to connect to a remote host, and to perform the client side of the
+ * login (authentication) dialog.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sshconnect1.c,v 1.31 2001/04/17 08:14:01 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+
+#ifdef KRB4
+#include <krb.h>
+#endif
+#ifdef AFS
+#include <kafs.h>
+#include "radix.h"
+#endif
+
+#include "ssh.h"
+#include "ssh1.h"
+#include "xmalloc.h"
+#include "rsa.h"
+#include "buffer.h"
+#include "packet.h"
+#include "mpaux.h"
+#include "uidswap.h"
+#include "log.h"
+#include "readconf.h"
+#include "key.h"
+#include "authfd.h"
+#include "sshconnect.h"
+#include "authfile.h"
+#include "readpass.h"
+#include "cipher.h"
+#include "canohost.h"
+#include "auth.h"
+
+/* Session id for the current session. */
+u_char session_id[16];
+u_int supported_authentications = 0;
+
+extern Options options;
+extern char *__progname;
+
+/*
+ * Checks if the user has an authentication agent, and if so, tries to
+ * authenticate using the agent.
+ */
+int
+try_agent_authentication(void)
+{
+	int type;
+	char *comment;
+	AuthenticationConnection *auth;
+	u_char response[16];
+	u_int i;
+	int plen, clen;
+	Key *key;
+	BIGNUM *challenge;
+
+	/* Get connection to the agent. */
+	auth = ssh_get_authentication_connection();
+	if (!auth)
+		return 0;
+
+	challenge = BN_new();
+
+	/* Loop through identities served by the agent. */
+	for (key = ssh_get_first_identity(auth, &comment, 1);
+	     key != NULL;
+	     key = ssh_get_next_identity(auth, &comment, 1)) {
+
+		/* Try this identity. */
+		debug("Trying RSA authentication via agent with '%.100s'", comment);
+		xfree(comment);
+
+		/* Tell the server that we are willing to authenticate using this key. */
+		packet_start(SSH_CMSG_AUTH_RSA);
+		packet_put_bignum(key->rsa->n);
+		packet_send();
+		packet_write_wait();
+
+		/* Wait for server's response. */
+		type = packet_read(&plen);
+
+		/* The server sends failure if it doesn\'t like our key or
+		   does not support RSA authentication. */
+		if (type == SSH_SMSG_FAILURE) {
+			debug("Server refused our key.");
+			key_free(key);
+			continue;
+		}
+		/* Otherwise it should have sent a challenge. */
+		if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
+			packet_disconnect("Protocol error during RSA authentication: %d",
+					  type);
+
+		packet_get_bignum(challenge, &clen);
+
+		packet_integrity_check(plen, clen, type);
+
+		debug("Received RSA challenge from server.");
+
+		/* Ask the agent to decrypt the challenge. */
+		if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) {
+			/*
+			 * The agent failed to authenticate this identifier
+			 * although it advertised it supports this.  Just
+			 * return a wrong value.
+			 */
+			log("Authentication agent failed to decrypt challenge.");
+			memset(response, 0, sizeof(response));
+		}
+		key_free(key);
+		debug("Sending response to RSA challenge.");
+
+		/* Send the decrypted challenge back to the server. */
+		packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
+		for (i = 0; i < 16; i++)
+			packet_put_char(response[i]);
+		packet_send();
+		packet_write_wait();
+
+		/* Wait for response from the server. */
+		type = packet_read(&plen);
+
+		/* The server returns success if it accepted the authentication. */
+		if (type == SSH_SMSG_SUCCESS) {
+			ssh_close_authentication_connection(auth);
+			BN_clear_free(challenge);
+			debug("RSA authentication accepted by server.");
+			return 1;
+		}
+		/* Otherwise it should return failure. */
+		if (type != SSH_SMSG_FAILURE)
+			packet_disconnect("Protocol error waiting RSA auth response: %d",
+					  type);
+	}
+	ssh_close_authentication_connection(auth);
+	BN_clear_free(challenge);
+	debug("RSA authentication using agent refused.");
+	return 0;
+}
+
+/*
+ * Computes the proper response to a RSA challenge, and sends the response to
+ * the server.
+ */
+void
+respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
+{
+	u_char buf[32], response[16];
+	MD5_CTX md;
+	int i, len;
+
+	/* Decrypt the challenge using the private key. */
+	/* XXX think about Bleichenbacher, too */
+	if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
+		packet_disconnect(
+		    "respond_to_rsa_challenge: rsa_private_decrypt failed");
+
+	/* Compute the response. */
+	/* The response is MD5 of decrypted challenge plus session id. */
+	len = BN_num_bytes(challenge);
+	if (len <= 0 || len > sizeof(buf))
+		packet_disconnect(
+		    "respond_to_rsa_challenge: bad challenge length %d", len);
+
+	memset(buf, 0, sizeof(buf));
+	BN_bn2bin(challenge, buf + sizeof(buf) - len);
+	MD5_Init(&md);
+	MD5_Update(&md, buf, 32);
+	MD5_Update(&md, session_id, 16);
+	MD5_Final(response, &md);
+
+	debug("Sending response to host key RSA challenge.");
+
+	/* Send the response back to the server. */
+	packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
+	for (i = 0; i < 16; i++)
+		packet_put_char(response[i]);
+	packet_send();
+	packet_write_wait();
+
+	memset(buf, 0, sizeof(buf));
+	memset(response, 0, sizeof(response));
+	memset(&md, 0, sizeof(md));
+}
+
+/*
+ * Checks if the user has authentication file, and if so, tries to authenticate
+ * the user using it.
+ */
+int
+try_rsa_authentication(const char *authfile)
+{
+	BIGNUM *challenge;
+	Key *public;
+	Key *private;
+	char *passphrase, *comment;
+	int type, i;
+	int plen, clen;
+
+	/* Try to load identification for the authentication key. */
+	/* XXKEYLOAD */
+	public = key_load_public_type(KEY_RSA1, authfile, &comment);
+	if (public == NULL) {
+		/* Could not load it.  Fail. */
+		return 0;
+	}
+	debug("Trying RSA authentication with key '%.100s'", comment);
+
+	/* Tell the server that we are willing to authenticate using this key. */
+	packet_start(SSH_CMSG_AUTH_RSA);
+	packet_put_bignum(public->rsa->n);
+	packet_send();
+	packet_write_wait();
+
+	/* We no longer need the public key. */
+	key_free(public);
+
+	/* Wait for server's response. */
+	type = packet_read(&plen);
+
+	/*
+	 * The server responds with failure if it doesn\'t like our key or
+	 * doesn\'t support RSA authentication.
+	 */
+	if (type == SSH_SMSG_FAILURE) {
+		debug("Server refused our key.");
+		xfree(comment);
+		return 0;
+	}
+	/* Otherwise, the server should respond with a challenge. */
+	if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
+		packet_disconnect("Protocol error during RSA authentication: %d", type);
+
+	/* Get the challenge from the packet. */
+	challenge = BN_new();
+	packet_get_bignum(challenge, &clen);
+
+	packet_integrity_check(plen, clen, type);
+
+	debug("Received RSA challenge from server.");
+
+	/*
+	 * Load the private key.  Try first with empty passphrase; if it
+	 * fails, ask for a passphrase.
+	 */
+	private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
+	if (private == NULL) {
+		char buf[300];
+		snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ",
+		    comment);
+		if (!options.batch_mode)
+			passphrase = read_passphrase(buf, 0);
+		else {
+			debug("Will not query passphrase for %.100s in batch mode.",
+			      comment);
+			passphrase = xstrdup("");
+		}
+
+		/* Load the authentication file using the pasphrase. */
+		private = key_load_private_type(KEY_RSA1, authfile, passphrase, NULL);
+		if (private == NULL) {
+			memset(passphrase, 0, strlen(passphrase));
+			xfree(passphrase);
+			error("Bad passphrase.");
+
+			/* Send a dummy response packet to avoid protocol error. */
+			packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
+			for (i = 0; i < 16; i++)
+				packet_put_char(0);
+			packet_send();
+			packet_write_wait();
+
+			/* Expect the server to reject it... */
+			packet_read_expect(&plen, SSH_SMSG_FAILURE);
+			xfree(comment);
+			BN_clear_free(challenge);
+			return 0;
+		}
+		/* Destroy the passphrase. */
+		memset(passphrase, 0, strlen(passphrase));
+		xfree(passphrase);
+	}
+	/* We no longer need the comment. */
+	xfree(comment);
+
+	/* Compute and send a response to the challenge. */
+	respond_to_rsa_challenge(challenge, private->rsa);
+
+	/* Destroy the private key. */
+	key_free(private);
+
+	/* We no longer need the challenge. */
+	BN_clear_free(challenge);
+
+	/* Wait for response from the server. */
+	type = packet_read(&plen);
+	if (type == SSH_SMSG_SUCCESS) {
+		debug("RSA authentication accepted by server.");
+		return 1;
+	}
+	if (type != SSH_SMSG_FAILURE)
+		packet_disconnect("Protocol error waiting RSA auth response: %d", type);
+	debug("RSA authentication refused.");
+	return 0;
+}
+
+/*
+ * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
+ * authentication and RSA host authentication.
+ */
+int
+try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
+{
+	int type;
+	BIGNUM *challenge;
+	int plen, clen;
+
+	debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
+
+	/* Tell the server that we are willing to authenticate using this key. */
+	packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
+	packet_put_string(local_user, strlen(local_user));
+	packet_put_int(BN_num_bits(host_key->rsa->n));
+	packet_put_bignum(host_key->rsa->e);
+	packet_put_bignum(host_key->rsa->n);
+	packet_send();
+	packet_write_wait();
+
+	/* Wait for server's response. */
+	type = packet_read(&plen);
+
+	/* The server responds with failure if it doesn't admit our
+	   .rhosts authentication or doesn't know our host key. */
+	if (type == SSH_SMSG_FAILURE) {
+		debug("Server refused our rhosts authentication or host key.");
+		return 0;
+	}
+	/* Otherwise, the server should respond with a challenge. */
+	if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
+		packet_disconnect("Protocol error during RSA authentication: %d", type);
+
+	/* Get the challenge from the packet. */
+	challenge = BN_new();
+	packet_get_bignum(challenge, &clen);
+
+	packet_integrity_check(plen, clen, type);
+
+	debug("Received RSA challenge for host key from server.");
+
+	/* Compute a response to the challenge. */
+	respond_to_rsa_challenge(challenge, host_key->rsa);
+
+	/* We no longer need the challenge. */
+	BN_clear_free(challenge);
+
+	/* Wait for response from the server. */
+	type = packet_read(&plen);
+	if (type == SSH_SMSG_SUCCESS) {
+		debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
+		return 1;
+	}
+	if (type != SSH_SMSG_FAILURE)
+		packet_disconnect("Protocol error waiting RSA auth response: %d", type);
+	debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
+	return 0;
+}
+
+#ifdef KRB4
+int
+try_krb4_authentication(void)
+{
+	KTEXT_ST auth;		/* Kerberos data */
+	char *reply;
+	char inst[INST_SZ];
+	char *realm;
+	CREDENTIALS cred;
+	int r, type, plen;
+	socklen_t slen;
+	Key_schedule schedule;
+	u_long checksum, cksum;
+	MSG_DAT msg_data;
+	struct sockaddr_in local, foreign;
+	struct stat st;
+
+	/* Don't do anything if we don't have any tickets. */
+	if (stat(tkt_string(), &st) < 0)
+		return 0;
+
+	strncpy(inst, (char *) krb_get_phost(get_canonical_hostname(1)), INST_SZ);
+
+	realm = (char *) krb_realmofhost(get_canonical_hostname(1));
+	if (!realm) {
+		debug("Kerberos V4: no realm for %s", get_canonical_hostname(1));
+		return 0;
+	}
+	/* This can really be anything. */
+	checksum = (u_long) getpid();
+
+	r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
+	if (r != KSUCCESS) {
+		debug("Kerberos V4 krb_mk_req failed: %s", krb_err_txt[r]);
+		return 0;
+	}
+	/* Get session key to decrypt the server's reply with. */
+	r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
+	if (r != KSUCCESS) {
+		debug("get_cred failed: %s", krb_err_txt[r]);
+		return 0;
+	}
+	des_key_sched((des_cblock *) cred.session, schedule);
+
+	/* Send authentication info to server. */
+	packet_start(SSH_CMSG_AUTH_KERBEROS);
+	packet_put_string((char *) auth.dat, auth.length);
+	packet_send();
+	packet_write_wait();
+
+	/* Zero the buffer. */
+	(void) memset(auth.dat, 0, MAX_KTXT_LEN);
+
+	slen = sizeof(local);
+	memset(&local, 0, sizeof(local));
+	if (getsockname(packet_get_connection_in(),
+			(struct sockaddr *) & local, &slen) < 0)
+		debug("getsockname failed: %s", strerror(errno));
+
+	slen = sizeof(foreign);
+	memset(&foreign, 0, sizeof(foreign));
+	if (getpeername(packet_get_connection_in(),
+			(struct sockaddr *) & foreign, &slen) < 0) {
+		debug("getpeername failed: %s", strerror(errno));
+		fatal_cleanup();
+	}
+	/* Get server reply. */
+	type = packet_read(&plen);
+	switch (type) {
+	case SSH_SMSG_FAILURE:
+		/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
+		debug("Kerberos V4 authentication failed.");
+		return 0;
+		break;
+
+	case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
+		/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
+		debug("Kerberos V4 authentication accepted.");
+
+		/* Get server's response. */
+		reply = packet_get_string((u_int *) &auth.length);
+		memcpy(auth.dat, reply, auth.length);
+		xfree(reply);
+
+		packet_integrity_check(plen, 4 + auth.length, type);
+
+		/*
+		 * If his response isn't properly encrypted with the session
+		 * key, and the decrypted checksum fails to match, he's
+		 * bogus. Bail out.
+		 */
+		r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
+				&foreign, &local, &msg_data);
+		if (r != KSUCCESS) {
+			debug("Kerberos V4 krb_rd_priv failed: %s", krb_err_txt[r]);
+			packet_disconnect("Kerberos V4 challenge failed!");
+		}
+		/* Fetch the (incremented) checksum that we supplied in the request. */
+		(void) memcpy((char *) &cksum, (char *) msg_data.app_data, sizeof(cksum));
+		cksum = ntohl(cksum);
+
+		/* If it matches, we're golden. */
+		if (cksum == checksum + 1) {
+			debug("Kerberos V4 challenge successful.");
+			return 1;
+		} else
+			packet_disconnect("Kerberos V4 challenge failed!");
+		break;
+
+	default:
+		packet_disconnect("Protocol error on Kerberos V4 response: %d", type);
+	}
+	return 0;
+}
+
+#endif /* KRB4 */
+
+#ifdef AFS
+int
+send_krb4_tgt(void)
+{
+	CREDENTIALS *creds;
+	char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
+	int r, type, plen;
+	char buffer[8192];
+	struct stat st;
+
+	/* Don't do anything if we don't have any tickets. */
+	if (stat(tkt_string(), &st) < 0)
+		return 0;
+
+	creds = xmalloc(sizeof(*creds));
+
+	if ((r = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm)) != KSUCCESS) {
+		debug("Kerberos V4 tf_fullname failed: %s", krb_err_txt[r]);
+		return 0;
+	}
+	if ((r = krb_get_cred("krbtgt", prealm, prealm, creds)) != GC_OK) {
+		debug("Kerberos V4 get_cred failed: %s", krb_err_txt[r]);
+		return 0;
+	}
+	if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
+		debug("Kerberos V4 ticket expired: %s", TKT_FILE);
+		return 0;
+	}
+	creds_to_radix(creds, (u_char *)buffer, sizeof buffer);
+	xfree(creds);
+
+	packet_start(SSH_CMSG_HAVE_KRB4_TGT);
+	packet_put_string(buffer, strlen(buffer));
+	packet_send();
+	packet_write_wait();
+
+	type = packet_read(&plen);
+
+	if (type == SSH_SMSG_FAILURE)
+		debug("Kerberos TGT for realm %s rejected.", prealm);
+	else if (type != SSH_SMSG_SUCCESS)
+		packet_disconnect("Protocol error on Kerberos TGT response: %d", type);
+
+	return 1;
+}
+
+void
+send_afs_tokens(void)
+{
+	CREDENTIALS creds;
+	struct ViceIoctl parms;
+	struct ClearToken ct;
+	int i, type, len, plen;
+	char buf[2048], *p, *server_cell;
+	char buffer[8192];
+
+	/* Move over ktc_GetToken, here's something leaner. */
+	for (i = 0; i < 100; i++) {	/* just in case */
+		parms.in = (char *) &i;
+		parms.in_size = sizeof(i);
+		parms.out = buf;
+		parms.out_size = sizeof(buf);
+		if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
+			break;
+		p = buf;
+
+		/* Get secret token. */
+		memcpy(&creds.ticket_st.length, p, sizeof(u_int));
+		if (creds.ticket_st.length > MAX_KTXT_LEN)
+			break;
+		p += sizeof(u_int);
+		memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
+		p += creds.ticket_st.length;
+
+		/* Get clear token. */
+		memcpy(&len, p, sizeof(len));
+		if (len != sizeof(struct ClearToken))
+			break;
+		p += sizeof(len);
+		memcpy(&ct, p, len);
+		p += len;
+		p += sizeof(len);	/* primary flag */
+		server_cell = p;
+
+		/* Flesh out our credentials. */
+		strlcpy(creds.service, "afs", sizeof creds.service);
+		creds.instance[0] = '\0';
+		strlcpy(creds.realm, server_cell, REALM_SZ);
+		memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
+		creds.issue_date = ct.BeginTimestamp;
+		creds.lifetime = krb_time_to_life(creds.issue_date, ct.EndTimestamp);
+		creds.kvno = ct.AuthHandle;
+		snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
+		creds.pinst[0] = '\0';
+
+		/* Encode token, ship it off. */
+		if (creds_to_radix(&creds, (u_char *) buffer, sizeof buffer) <= 0)
+			break;
+		packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
+		packet_put_string(buffer, strlen(buffer));
+		packet_send();
+		packet_write_wait();
+
+		/* Roger, Roger. Clearance, Clarence. What's your vector,
+		   Victor? */
+		type = packet_read(&plen);
+
+		if (type == SSH_SMSG_FAILURE)
+			debug("AFS token for cell %s rejected.", server_cell);
+		else if (type != SSH_SMSG_SUCCESS)
+			packet_disconnect("Protocol error on AFS token response: %d", type);
+	}
+}
+
+#endif /* AFS */
+
+/*
+ * Tries to authenticate with any string-based challenge/response system.
+ * Note that the client code is not tied to s/key or TIS.
+ */
+int
+try_challenge_reponse_authentication(void)
+{
+	int type, i;
+	int payload_len;
+	u_int clen;
+	char prompt[1024];
+	char *challenge, *response;
+
+	debug("Doing challenge reponse authentication.");
+
+	/* request a challenge */
+	packet_start(SSH_CMSG_AUTH_TIS);
+	packet_send();
+	packet_write_wait();
+
+	type = packet_read(&payload_len);
+	if (type != SSH_SMSG_FAILURE &&
+	    type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
+		packet_disconnect("Protocol error: got %d in response "
+				  "to skey-auth", type);
+	}
+	if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
+		debug("No challenge for skey authentication.");
+		return 0;
+	}
+	challenge = packet_get_string(&clen);
+	packet_integrity_check(payload_len, (4 + clen), type);
+	snprintf(prompt, sizeof prompt, "%s%s", challenge,
+		 strchr(challenge, '\n') ? "" : "\nResponse: ");
+	xfree(challenge);
+	for (i = 0; i < options.number_of_password_prompts; i++) {
+		if (i != 0)
+			error("Permission denied, please try again.");
+		if (options.cipher == SSH_CIPHER_NONE)
+			log("WARNING: Encryption is disabled! "
+			    "Reponse will be transmitted in clear text.");
+		response = read_passphrase(prompt, 0);
+		if (strcmp(response, "") == 0) {
+			xfree(response);
+			break;
+		}
+		packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
+		ssh_put_password(response);
+		memset(response, 0, strlen(response));
+		xfree(response);
+		packet_send();
+		packet_write_wait();
+		type = packet_read(&payload_len);
+		if (type == SSH_SMSG_SUCCESS)
+			return 1;
+		if (type != SSH_SMSG_FAILURE)
+			packet_disconnect("Protocol error: got %d in response "
+			    "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
+	}
+	/* failure */
+	return 0;
+}
+
+/*
+ * Tries to authenticate with plain passwd authentication.
+ */
+int
+try_password_authentication(char *prompt)
+{
+	int type, i, payload_len;
+	char *password;
+
+	debug("Doing password authentication.");
+	if (options.cipher == SSH_CIPHER_NONE)
+		log("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
+	for (i = 0; i < options.number_of_password_prompts; i++) {
+		if (i != 0)
+			error("Permission denied, please try again.");
+		password = read_passphrase(prompt, 0);
+		packet_start(SSH_CMSG_AUTH_PASSWORD);
+		ssh_put_password(password);
+		memset(password, 0, strlen(password));
+		xfree(password);
+		packet_send();
+		packet_write_wait();
+
+		type = packet_read(&payload_len);
+		if (type == SSH_SMSG_SUCCESS)
+			return 1;
+		if (type != SSH_SMSG_FAILURE)
+			packet_disconnect("Protocol error: got %d in response to passwd auth", type);
+	}
+	/* failure */
+	return 0;
+}
+
+/*
+ * SSH1 key exchange
+ */
+void
+ssh_kex(char *host, struct sockaddr *hostaddr)
+{
+	int i;
+	BIGNUM *key;
+	RSA *host_key;
+	RSA *public_key;
+	Key k;
+	int bits, rbits;
+	int ssh_cipher_default = SSH_CIPHER_3DES;
+	u_char session_key[SSH_SESSION_KEY_LENGTH];
+	u_char cookie[8];
+	u_int supported_ciphers;
+	u_int server_flags, client_flags;
+	int payload_len, clen, sum_len = 0;
+	u_int32_t rand = 0;
+
+	debug("Waiting for server public key.");
+
+	/* Wait for a public key packet from the server. */
+	packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY);
+
+	/* Get cookie from the packet. */
+	for (i = 0; i < 8; i++)
+		cookie[i] = packet_get_char();
+
+	/* Get the public key. */
+	public_key = RSA_new();
+	bits = packet_get_int();/* bits */
+	public_key->e = BN_new();
+	packet_get_bignum(public_key->e, &clen);
+	sum_len += clen;
+	public_key->n = BN_new();
+	packet_get_bignum(public_key->n, &clen);
+	sum_len += clen;
+
+	rbits = BN_num_bits(public_key->n);
+	if (bits != rbits) {
+		log("Warning: Server lies about size of server public key: "
+		    "actual size is %d bits vs. announced %d.", rbits, bits);
+		log("Warning: This may be due to an old implementation of ssh.");
+	}
+	/* Get the host key. */
+	host_key = RSA_new();
+	bits = packet_get_int();/* bits */
+	host_key->e = BN_new();
+	packet_get_bignum(host_key->e, &clen);
+	sum_len += clen;
+	host_key->n = BN_new();
+	packet_get_bignum(host_key->n, &clen);
+	sum_len += clen;
+
+	rbits = BN_num_bits(host_key->n);
+	if (bits != rbits) {
+		log("Warning: Server lies about size of server host key: "
+		    "actual size is %d bits vs. announced %d.", rbits, bits);
+		log("Warning: This may be due to an old implementation of ssh.");
+	}
+
+	/* Get protocol flags. */
+	server_flags = packet_get_int();
+	packet_set_protocol_flags(server_flags);
+
+	supported_ciphers = packet_get_int();
+	supported_authentications = packet_get_int();
+
+	debug("Received server public key (%d bits) and host key (%d bits).",
+	      BN_num_bits(public_key->n), BN_num_bits(host_key->n));
+
+	packet_integrity_check(payload_len,
+			       8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
+			       SSH_SMSG_PUBLIC_KEY);
+	k.type = KEY_RSA1;
+	k.rsa = host_key;
+	check_host_key(host, hostaddr, &k,
+	    options.user_hostfile, options.system_hostfile);
+
+	client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
+
+	compute_session_id(session_id, cookie, host_key->n, public_key->n);
+
+	/* Generate a session key. */
+	arc4random_stir();
+
+	/*
+	 * Generate an encryption key for the session.   The key is a 256 bit
+	 * random number, interpreted as a 32-byte key, with the least
+	 * significant 8 bits being the first byte of the key.
+	 */
+	for (i = 0; i < 32; i++) {
+		if (i % 4 == 0)
+			rand = arc4random();
+		session_key[i] = rand & 0xff;
+		rand >>= 8;
+	}
+
+	/*
+	 * According to the protocol spec, the first byte of the session key
+	 * is the highest byte of the integer.  The session key is xored with
+	 * the first 16 bytes of the session id.
+	 */
+	key = BN_new();
+	BN_set_word(key, 0);
+	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
+		BN_lshift(key, key, 8);
+		if (i < 16)
+			BN_add_word(key, session_key[i] ^ session_id[i]);
+		else
+			BN_add_word(key, session_key[i]);
+	}
+
+	/*
+	 * Encrypt the integer using the public key and host key of the
+	 * server (key with smaller modulus first).
+	 */
+	if (BN_cmp(public_key->n, host_key->n) < 0) {
+		/* Public key has smaller modulus. */
+		if (BN_num_bits(host_key->n) <
+		    BN_num_bits(public_key->n) + SSH_KEY_BITS_RESERVED) {
+			fatal("respond_to_rsa_challenge: host_key %d < public_key %d + "
+			      "SSH_KEY_BITS_RESERVED %d",
+			      BN_num_bits(host_key->n),
+			      BN_num_bits(public_key->n),
+			      SSH_KEY_BITS_RESERVED);
+		}
+		rsa_public_encrypt(key, key, public_key);
+		rsa_public_encrypt(key, key, host_key);
+	} else {
+		/* Host key has smaller modulus (or they are equal). */
+		if (BN_num_bits(public_key->n) <
+		    BN_num_bits(host_key->n) + SSH_KEY_BITS_RESERVED) {
+			fatal("respond_to_rsa_challenge: public_key %d < host_key %d + "
+			      "SSH_KEY_BITS_RESERVED %d",
+			      BN_num_bits(public_key->n),
+			      BN_num_bits(host_key->n),
+			      SSH_KEY_BITS_RESERVED);
+		}
+		rsa_public_encrypt(key, key, host_key);
+		rsa_public_encrypt(key, key, public_key);
+	}
+
+	/* Destroy the public keys since we no longer need them. */
+	RSA_free(public_key);
+	RSA_free(host_key);
+
+	if (options.cipher == SSH_CIPHER_NOT_SET) {
+		if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
+			options.cipher = ssh_cipher_default;
+	} else if (options.cipher == SSH_CIPHER_ILLEGAL ||
+	    !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
+		log("No valid SSH1 cipher, using %.100s instead.",
+		    cipher_name(ssh_cipher_default));
+		options.cipher = ssh_cipher_default;
+	}
+	/* Check that the selected cipher is supported. */
+	if (!(supported_ciphers & (1 << options.cipher)))
+		fatal("Selected cipher type %.100s not supported by server.",
+		      cipher_name(options.cipher));
+
+	debug("Encryption type: %.100s", cipher_name(options.cipher));
+
+	/* Send the encrypted session key to the server. */
+	packet_start(SSH_CMSG_SESSION_KEY);
+	packet_put_char(options.cipher);
+
+	/* Send the cookie back to the server. */
+	for (i = 0; i < 8; i++)
+		packet_put_char(cookie[i]);
+
+	/* Send and destroy the encrypted encryption key integer. */
+	packet_put_bignum(key);
+	BN_clear_free(key);
+
+	/* Send protocol flags. */
+	packet_put_int(client_flags);
+
+	/* Send the packet now. */
+	packet_send();
+	packet_write_wait();
+
+	debug("Sent encrypted session key.");
+
+	/* Set the encryption key. */
+	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
+
+	/* We will no longer need the session key here.  Destroy any extra copies. */
+	memset(session_key, 0, sizeof(session_key));
+
+	/*
+	 * Expect a success message from the server.  Note that this message
+	 * will be received in encrypted form.
+	 */
+	packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
+
+	debug("Received encrypted confirmation.");
+}
+
+/*
+ * Authenticate user
+ */
+void
+ssh_userauth1(const char *local_user, const char *server_user, char *host,
+    Key **keys, int nkeys)
+{
+	int i, type;
+	int payload_len;
+
+	if (supported_authentications == 0)
+		fatal("ssh_userauth1: server supports no auth methods");
+
+	/* Send the name of the user to log in as on the server. */
+	packet_start(SSH_CMSG_USER);
+	packet_put_string(server_user, strlen(server_user));
+	packet_send();
+	packet_write_wait();
+
+	/*
+	 * The server should respond with success if no authentication is
+	 * needed (the user has no password).  Otherwise the server responds
+	 * with failure.
+	 */
+	type = packet_read(&payload_len);
+
+	/* check whether the connection was accepted without authentication. */
+	if (type == SSH_SMSG_SUCCESS)
+		return;
+	if (type != SSH_SMSG_FAILURE)
+		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER",
+				  type);
+
+#ifdef KRB5
+	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
+	     options.kerberos_authentication){
+		krb5_context ssh_context = NULL;
+		krb5_auth_context auth_context = NULL;
+
+		debug("Trying Kerberos V5 authentication.");
+
+	if (try_krb5_authentication(&ssh_context, &auth_context)) {
+	  type = packet_read(&payload_len);
+	  if (type == SSH_SMSG_SUCCESS) {
+	     if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
+	          options.krb5_tgt_passing) {
+   	                if (options.cipher == SSH_CIPHER_NONE)
+      				log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+   			send_krb5_tgt(ssh_context, auth_context);
+
+	     } 
+	     krb5_auth_con_free(ssh_context, auth_context); 
+	     krb5_free_context(ssh_context); 
+	     return;
+	  }
+	  if (type != SSH_SMSG_FAILURE)
+               	packet_disconnect("Protocol error: got %d in response to Kerberos5 auth", type);
+
+	}
+        }
+#endif /* KRB5 */
+
+#ifdef AFS
+	/* Try Kerberos tgt passing if the server supports it. */
+	if ((supported_authentications & (1 << SSH_PASS_KRB4_TGT)) &&
+	    options.krb4_tgt_passing) {
+		if (options.cipher == SSH_CIPHER_NONE)
+			log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+		(void) send_krb4_tgt();
+	}
+	/* Try AFS token passing if the server supports it. */
+	if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
+	    options.afs_token_passing && k_hasafs()) {
+		if (options.cipher == SSH_CIPHER_NONE)
+			log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
+		send_afs_tokens();
+	}
+#endif /* AFS */
+
+#ifdef KRB4
+	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
+	    options.kerberos_authentication) {
+		debug("Trying Kerberos authentication.");
+		if (try_krb4_authentication()) {
+			/* The server should respond with success or failure. */
+			type = packet_read(&payload_len);
+			if (type == SSH_SMSG_SUCCESS)
+				return;
+			if (type != SSH_SMSG_FAILURE)
+				packet_disconnect("Protocol error: got %d in response to Kerberos auth", type);
+		}
+	}
+#endif /* KRB4 */
+
+
+	/*
+	 * Use rhosts authentication if running in privileged socket and we
+	 * do not wish to remain anonymous.
+	 */
+	if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) &&
+	    options.rhosts_authentication) {
+		debug("Trying rhosts authentication.");
+		packet_start(SSH_CMSG_AUTH_RHOSTS);
+		packet_put_string(local_user, strlen(local_user));
+		packet_send();
+		packet_write_wait();
+
+		/* The server should respond with success or failure. */
+		type = packet_read(&payload_len);
+		if (type == SSH_SMSG_SUCCESS)
+			return;
+		if (type != SSH_SMSG_FAILURE)
+			packet_disconnect("Protocol error: got %d in response to rhosts auth",
+					  type);
+	}
+	/*
+	 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
+	 * authentication.
+	 */
+	if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
+	    options.rhosts_rsa_authentication) {
+		for (i = 0; i < nkeys; i++) {
+			if (keys[i] != NULL && keys[i]->type == KEY_RSA1 &&
+			    try_rhosts_rsa_authentication(local_user, keys[i]))
+				return;
+		}
+	}
+	/* Try RSA authentication if the server supports it. */
+	if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
+	    options.rsa_authentication) {
+		/*
+		 * Try RSA authentication using the authentication agent. The
+		 * agent is tried first because no passphrase is needed for
+		 * it, whereas identity files may require passphrases.
+		 */
+		if (try_agent_authentication())
+			return;
+
+		/* Try RSA authentication for each identity. */
+		for (i = 0; i < options.num_identity_files; i++)
+			if (options.identity_keys[i] != NULL &&
+			    options.identity_keys[i]->type == KEY_RSA1 &&
+			    try_rsa_authentication(options.identity_files[i]))
+				return;
+	}
+	/* Try challenge response authentication if the server supports it. */
+	if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
+	    options.challenge_reponse_authentication && !options.batch_mode) {
+		if (try_challenge_reponse_authentication())
+			return;
+	}
+	/* Try password authentication if the server supports it. */
+	if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
+	    options.password_authentication && !options.batch_mode) {
+		char prompt[80];
+
+		snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
+		    server_user, host);
+		if (try_password_authentication(prompt))
+			return;
+	}
+	/* All authentication methods have failed.  Exit with an error message. */
+	fatal("Permission denied.");
+	/* NOTREACHED */
+}
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c
new file mode 100644
index 0000000..4f76bd0
--- /dev/null
+++ b/crypto/openssh/sshconnect2.c
@@ -0,0 +1,995 @@
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$FreeBSD$");
+RCSID("$OpenBSD: sshconnect2.c,v 1.72 2001/04/18 23:43:26 markus Exp $");
+
+#include <openssl/bn.h>
+#include <openssl/md5.h>
+#include <openssl/dh.h>
+#include <openssl/hmac.h>
+
+#include "ssh.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "rsa.h"
+#include "buffer.h"
+#include "packet.h"
+#include "uidswap.h"
+#include "compat.h"
+#include "bufaux.h"
+#include "cipher.h"
+#include "kex.h"
+#include "myproposal.h"
+#include "key.h"
+#include "sshconnect.h"
+#include "authfile.h"
+#include "cli.h"
+#include "dh.h"
+#include "authfd.h"
+#include "log.h"
+#include "readconf.h"
+#include "readpass.h"
+#include "match.h"
+#include "dispatch.h"
+#include "canohost.h"
+
+/* import */
+extern char *client_version_string;
+extern char *server_version_string;
+extern Options options;
+
+/*
+ * SSH2 key exchange
+ */
+
+u_char *session_id2 = NULL;
+int session_id2_len = 0;
+
+char *xxx_host;
+struct sockaddr *xxx_hostaddr;
+
+Kex *xxx_kex = NULL;
+
+int
+check_host_key_callback(Key *hostkey)
+{
+	check_host_key(xxx_host, xxx_hostaddr, hostkey,
+	    options.user_hostfile2, options.system_hostfile2);
+	return 0;
+}
+
+void
+ssh_kex2(char *host, struct sockaddr *hostaddr)
+{
+	Kex *kex;
+
+	xxx_host = host;
+	xxx_hostaddr = hostaddr;
+
+	if (options.ciphers == (char *)-1) {
+		log("No valid ciphers for protocol version 2 given, using defaults.");
+		options.ciphers = NULL;
+	}
+	if (options.ciphers != NULL) {
+		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+	}
+	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
+	myproposal[PROPOSAL_ENC_ALGS_STOC] =
+	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
+	if (options.compression) {
+		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
+		myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib";
+	} else {
+		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
+		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
+	}
+	if (options.macs != NULL) {
+		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+	}
+	if (options.hostkeyalgorithms != NULL)
+	        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+		    options.hostkeyalgorithms;
+
+	/* start key exchange */
+	kex = kex_setup(myproposal);
+	kex->client_version_string=client_version_string;
+	kex->server_version_string=server_version_string;
+	kex->check_host_key=&check_host_key_callback;
+
+	xxx_kex = kex;
+
+	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
+
+	session_id2 = kex->session_id;
+	session_id2_len = kex->session_id_len;
+
+#ifdef DEBUG_KEXDH
+	/* send 1st encrypted/maced/compressed message */
+	packet_start(SSH2_MSG_IGNORE);
+	packet_put_cstring("markus");
+	packet_send();
+	packet_write_wait();
+#endif
+	debug("done: ssh_kex2.");
+}
+
+/*
+ * Authenticate user
+ */
+
+typedef struct Authctxt Authctxt;
+typedef struct Authmethod Authmethod;
+
+typedef int sign_cb_fn(
+    Authctxt *authctxt, Key *key,
+    u_char **sigp, int *lenp, u_char *data, int datalen);
+
+struct Authctxt {
+	const char *server_user;
+	const char *local_user;
+	const char *host;
+	const char *service;
+	Authmethod *method;
+	int success;
+	char *authlist;
+	/* pubkey */
+	Key *last_key;
+	sign_cb_fn *last_key_sign;
+	int last_key_hint;
+	AuthenticationConnection *agent;
+	/* hostbased */
+	Key **keys;
+	int nkeys;
+};
+struct Authmethod {
+	char	*name;		/* string to compare against server's list */
+	int	(*userauth)(Authctxt *authctxt);
+	int	*enabled;	/* flag in option struct that enables method */
+	int	*batch_flag;	/* flag in option struct that disables method */
+};
+
+void	input_userauth_success(int type, int plen, void *ctxt);
+void	input_userauth_failure(int type, int plen, void *ctxt);
+void	input_userauth_banner(int type, int plen, void *ctxt);
+void	input_userauth_error(int type, int plen, void *ctxt);
+void	input_userauth_info_req(int type, int plen, void *ctxt);
+void	input_userauth_pk_ok(int type, int plen, void *ctxt);
+
+int	userauth_none(Authctxt *authctxt);
+int	userauth_pubkey(Authctxt *authctxt);
+int	userauth_passwd(Authctxt *authctxt);
+int	userauth_kbdint(Authctxt *authctxt);
+int	userauth_hostbased(Authctxt *authctxt);
+
+void	userauth(Authctxt *authctxt, char *authlist);
+
+int
+sign_and_send_pubkey(Authctxt *authctxt, Key *k,
+    sign_cb_fn *sign_callback);
+void	clear_auth_state(Authctxt *authctxt);
+
+Authmethod *authmethod_get(char *authlist);
+Authmethod *authmethod_lookup(const char *name);
+char *authmethods_get(void);
+
+Authmethod authmethods[] = {
+	{"publickey",
+		userauth_pubkey,
+		&options.pubkey_authentication,
+		NULL},
+	{"password",
+		userauth_passwd,
+		&options.password_authentication,
+		&options.batch_mode},
+	{"keyboard-interactive",
+		userauth_kbdint,
+		&options.kbd_interactive_authentication,
+		&options.batch_mode},
+	{"hostbased",
+		userauth_hostbased,
+		&options.hostbased_authentication,
+		NULL},
+	{"none",
+		userauth_none,
+		NULL,
+		NULL},
+	{NULL, NULL, NULL, NULL}
+};
+
+void
+ssh_userauth2(const char *local_user, const char *server_user, char *host,
+    Key **keys, int nkeys)
+{
+	Authctxt authctxt;
+	int type;
+	int plen;
+
+	if (options.challenge_reponse_authentication)
+		options.kbd_interactive_authentication = 1;
+
+	debug("send SSH2_MSG_SERVICE_REQUEST");
+	packet_start(SSH2_MSG_SERVICE_REQUEST);
+	packet_put_cstring("ssh-userauth");
+	packet_send();
+	packet_write_wait();
+	type = packet_read(&plen);
+	if (type != SSH2_MSG_SERVICE_ACCEPT) {
+		fatal("denied SSH2_MSG_SERVICE_ACCEPT: %d", type);
+	}
+	if (packet_remaining() > 0) {
+		char *reply = packet_get_string(&plen);
+		debug("service_accept: %s", reply);
+		xfree(reply);
+	} else {
+		debug("buggy server: service_accept w/o service");
+	}
+	packet_done();
+	debug("got SSH2_MSG_SERVICE_ACCEPT");
+
+	if (options.preferred_authentications == NULL)
+		options.preferred_authentications = authmethods_get();
+
+	/* setup authentication context */
+	authctxt.agent = ssh_get_authentication_connection();
+	authctxt.server_user = server_user;
+	authctxt.local_user = local_user;
+	authctxt.host = host;
+	authctxt.service = "ssh-connection";		/* service name */
+	authctxt.success = 0;
+	authctxt.method = authmethod_lookup("none");
+	authctxt.authlist = NULL;
+	authctxt.keys = keys;
+	authctxt.nkeys = nkeys;
+	if (authctxt.method == NULL)
+		fatal("ssh_userauth2: internal error: cannot send userauth none request");
+
+	/* initial userauth request */
+	userauth_none(&authctxt);
+
+	dispatch_init(&input_userauth_error);
+	dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
+	dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
+	dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
+	dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt);	/* loop until success */
+
+	if (authctxt.agent != NULL)
+		ssh_close_authentication_connection(authctxt.agent);
+
+	debug("ssh-userauth2 successful: method %s", authctxt.method->name);
+}
+void
+userauth(Authctxt *authctxt, char *authlist)
+{
+	if (authlist == NULL) {
+		authlist = authctxt->authlist;
+	} else {
+		if (authctxt->authlist)
+			xfree(authctxt->authlist);
+		authctxt->authlist = authlist;
+	}
+	for (;;) {
+		Authmethod *method = authmethod_get(authlist);
+		if (method == NULL)
+			fatal("Permission denied (%s).", authlist);
+		authctxt->method = method;
+		if (method->userauth(authctxt) != 0) {
+			debug2("we sent a %s packet, wait for reply", method->name);
+			break;
+		} else {
+			debug2("we did not send a packet, disable method");
+			method->enabled = NULL;
+		}
+	}
+}
+void
+input_userauth_error(int type, int plen, void *ctxt)
+{
+	fatal("input_userauth_error: bad message during authentication: "
+	   "type %d", type);
+}
+void
+input_userauth_banner(int type, int plen, void *ctxt)
+{
+	char *msg, *lang;
+	debug3("input_userauth_banner");
+	msg = packet_get_string(NULL);
+	lang = packet_get_string(NULL);
+	fprintf(stderr, "%s", msg);
+	xfree(msg);
+	xfree(lang);
+}
+void
+input_userauth_success(int type, int plen, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	if (authctxt == NULL)
+		fatal("input_userauth_success: no authentication context");
+	if (authctxt->authlist)
+		xfree(authctxt->authlist);
+	clear_auth_state(authctxt);
+	authctxt->success = 1;			/* break out */
+}
+void
+input_userauth_failure(int type, int plen, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	char *authlist = NULL;
+	int partial;
+
+	if (authctxt == NULL)
+		fatal("input_userauth_failure: no authentication context");
+
+	authlist = packet_get_string(NULL);
+	partial = packet_get_char();
+	packet_done();
+
+	if (partial != 0)
+		log("Authenticated with partial success.");
+	debug("authentications that can continue: %s", authlist);
+
+	clear_auth_state(authctxt);
+	userauth(authctxt, authlist);
+}
+void
+input_userauth_pk_ok(int type, int plen, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	Key *key = NULL;
+	Buffer b;
+	int alen, blen, sent = 0;
+	char *pkalg, *pkblob, *fp;
+
+	if (authctxt == NULL)
+		fatal("input_userauth_pk_ok: no authentication context");
+	if (datafellows & SSH_BUG_PKOK) {
+		/* this is similar to SSH_BUG_PKAUTH */
+		debug2("input_userauth_pk_ok: SSH_BUG_PKOK");
+		pkblob = packet_get_string(&blen);
+		buffer_init(&b);
+		buffer_append(&b, pkblob, blen);
+		pkalg = buffer_get_string(&b, &alen);
+		buffer_free(&b);
+	} else {
+		pkalg = packet_get_string(&alen);
+		pkblob = packet_get_string(&blen);
+	}
+	packet_done();
+
+	debug("input_userauth_pk_ok: pkalg %s blen %d lastkey %p hint %d",
+	    pkalg, blen, authctxt->last_key, authctxt->last_key_hint);
+
+	do {
+		if (authctxt->last_key == NULL ||
+		    authctxt->last_key_sign == NULL) {
+			debug("no last key or no sign cb");
+			break;
+		}
+		if (key_type_from_name(pkalg) == KEY_UNSPEC) {
+			debug("unknown pkalg %s", pkalg);
+			break;
+		}
+		if ((key = key_from_blob(pkblob, blen)) == NULL) {
+			debug("no key from blob. pkalg %s", pkalg);
+			break;
+		}
+		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		debug2("input_userauth_pk_ok: fp %s", fp);
+		xfree(fp);
+		if (!key_equal(key, authctxt->last_key)) {
+			debug("key != last_key");
+			break;
+		}
+		sent = sign_and_send_pubkey(authctxt, key,
+		   authctxt->last_key_sign);
+	} while(0);
+
+	if (key != NULL)
+		key_free(key);
+	xfree(pkalg);
+	xfree(pkblob);
+
+	/* unregister */
+	clear_auth_state(authctxt);
+	dispatch_set(SSH2_MSG_USERAUTH_PK_OK, NULL);
+
+	/* try another method if we did not send a packet*/
+	if (sent == 0)
+		userauth(authctxt, NULL);
+
+}
+
+int
+userauth_none(Authctxt *authctxt)
+{
+	/* initial userauth request */
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(authctxt->server_user);
+	packet_put_cstring(authctxt->service);
+	packet_put_cstring(authctxt->method->name);
+	packet_send();
+	return 1;
+}
+
+int
+userauth_passwd(Authctxt *authctxt)
+{
+	static int attempt = 0;
+	char prompt[80];
+	char *password;
+
+	if (attempt++ >= options.number_of_password_prompts)
+		return 0;
+
+	if(attempt != 1)
+		error("Permission denied, please try again.");
+
+	snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
+	    authctxt->server_user, authctxt->host);
+	password = read_passphrase(prompt, 0);
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(authctxt->server_user);
+	packet_put_cstring(authctxt->service);
+	packet_put_cstring(authctxt->method->name);
+	packet_put_char(0);
+	ssh_put_password(password);
+	memset(password, 0, strlen(password));
+	xfree(password);
+	packet_inject_ignore(64);
+	packet_send();
+	return 1;
+}
+
+void
+clear_auth_state(Authctxt *authctxt)
+{
+	/* XXX clear authentication state */
+	if (authctxt->last_key != NULL && authctxt->last_key_hint == -1) {
+		debug3("clear_auth_state: key_free %p", authctxt->last_key);
+		key_free(authctxt->last_key);
+	}
+	authctxt->last_key = NULL;
+	authctxt->last_key_hint = -2;
+	authctxt->last_key_sign = NULL;
+}
+
+int
+sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
+{
+	Buffer b;
+	u_char *blob, *signature;
+	int bloblen, slen;
+	int skip = 0;
+	int ret = -1;
+	int have_sig = 1;
+
+	debug3("sign_and_send_pubkey");
+
+	if (key_to_blob(k, &blob, &bloblen) == 0) {
+		/* we cannot handle this key */
+		debug3("sign_and_send_pubkey: cannot handle key");
+		return 0;
+	}
+	/* data to be signed */
+	buffer_init(&b);
+	if (datafellows & SSH_OLD_SESSIONID) {
+		buffer_append(&b, session_id2, session_id2_len);
+		skip = session_id2_len;
+	} else {
+		buffer_put_string(&b, session_id2, session_id2_len);
+		skip = buffer_len(&b);
+	}
+	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+	buffer_put_cstring(&b, authctxt->server_user);
+	buffer_put_cstring(&b,
+	    datafellows & SSH_BUG_PKSERVICE ?
+	    "ssh-userauth" :
+	    authctxt->service);
+	if (datafellows & SSH_BUG_PKAUTH) {
+		buffer_put_char(&b, have_sig);
+	} else {
+		buffer_put_cstring(&b, authctxt->method->name);
+		buffer_put_char(&b, have_sig);
+		buffer_put_cstring(&b, key_ssh_name(k));
+	}
+	buffer_put_string(&b, blob, bloblen);
+
+	/* generate signature */
+	ret = (*sign_callback)(authctxt, k, &signature, &slen,
+	    buffer_ptr(&b), buffer_len(&b));
+	if (ret == -1) {
+		xfree(blob);
+		buffer_free(&b);
+		return 0;
+	}
+#ifdef DEBUG_PK
+	buffer_dump(&b);
+#endif
+	if (datafellows & SSH_BUG_PKSERVICE) {
+		buffer_clear(&b);
+		buffer_append(&b, session_id2, session_id2_len);
+		skip = session_id2_len;
+		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+		buffer_put_cstring(&b, authctxt->server_user);
+		buffer_put_cstring(&b, authctxt->service);
+		buffer_put_cstring(&b, authctxt->method->name);
+		buffer_put_char(&b, have_sig);
+		if (!(datafellows & SSH_BUG_PKAUTH))
+			buffer_put_cstring(&b, key_ssh_name(k));
+		buffer_put_string(&b, blob, bloblen);
+	}
+	xfree(blob);
+
+	/* append signature */
+	buffer_put_string(&b, signature, slen);
+	xfree(signature);
+
+	/* skip session id and packet type */
+	if (buffer_len(&b) < skip + 1)
+		fatal("userauth_pubkey: internal error");
+	buffer_consume(&b, skip + 1);
+
+	/* put remaining data from buffer into packet */
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_raw(buffer_ptr(&b), buffer_len(&b));
+	buffer_free(&b);
+	packet_send();
+
+	return 1;
+}
+
+int
+send_pubkey_test(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback,
+    int hint)
+{
+	u_char *blob;
+	int bloblen, have_sig = 0;
+
+	debug3("send_pubkey_test");
+
+	if (key_to_blob(k, &blob, &bloblen) == 0) {
+		/* we cannot handle this key */
+		debug3("send_pubkey_test: cannot handle key");
+		return 0;
+	}
+	/* register callback for USERAUTH_PK_OK message */
+	authctxt->last_key_sign = sign_callback;
+	authctxt->last_key_hint = hint;
+	authctxt->last_key = k;
+	dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok);
+
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(authctxt->server_user);
+	packet_put_cstring(authctxt->service);
+	packet_put_cstring(authctxt->method->name);
+	packet_put_char(have_sig);
+	if (!(datafellows & SSH_BUG_PKAUTH))
+		packet_put_cstring(key_ssh_name(k));
+	packet_put_string(blob, bloblen);
+	xfree(blob);
+	packet_send();
+	return 1;
+}
+
+Key *
+load_identity_file(char *filename)
+{
+	Key *private;
+	char prompt[300], *passphrase;
+	int quit, i;
+	struct stat st;
+
+	if (stat(filename, &st) < 0) {
+		debug3("no such identity: %s", filename);
+		return NULL;
+	}
+	private = key_load_private_type(KEY_UNSPEC, filename, "", NULL);
+	if (private == NULL) {
+		if (options.batch_mode)
+			return NULL;
+		snprintf(prompt, sizeof prompt,
+		     "Enter passphrase for key '%.100s': ", filename);
+		for (i = 0; i < options.number_of_password_prompts; i++) {
+			passphrase = read_passphrase(prompt, 0);
+			if (strcmp(passphrase, "") != 0) {
+				private = key_load_private_type(KEY_UNSPEC, filename,
+				    passphrase, NULL);
+				quit = 0;
+			} else {
+				debug2("no passphrase given, try next key");
+				quit = 1;
+			}
+			memset(passphrase, 0, strlen(passphrase));
+			xfree(passphrase);
+			if (private != NULL || quit)
+				break;
+			debug2("bad passphrase given, try again...");
+		}
+	}
+	return private;
+}
+
+int
+identity_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
+    u_char *data, int datalen)
+{
+	Key *private;
+	int idx, ret;
+
+	idx = authctxt->last_key_hint;
+	if (idx < 0)
+		return -1;
+	private = load_identity_file(options.identity_files[idx]);
+	if (private == NULL)
+		return -1;
+	ret = key_sign(private, sigp, lenp, data, datalen);
+	key_free(private);
+	return ret;
+}
+
+int agent_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
+    u_char *data, int datalen)
+{
+	return ssh_agent_sign(authctxt->agent, key, sigp, lenp, data, datalen);
+}
+
+int key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
+    u_char *data, int datalen)
+{
+	return key_sign(key, sigp, lenp, data, datalen);
+}
+
+int
+userauth_pubkey_agent(Authctxt *authctxt)
+{
+	static int called = 0;
+	int ret = 0;
+	char *comment;
+	Key *k;
+
+	if (called == 0) {
+		if (ssh_get_num_identities(authctxt->agent, 2) == 0)
+			debug2("userauth_pubkey_agent: no keys at all");
+		called = 1;
+	}
+	k = ssh_get_next_identity(authctxt->agent, &comment, 2);
+	if (k == NULL) {
+		debug2("userauth_pubkey_agent: no more keys");
+	} else {
+		debug("userauth_pubkey_agent: testing agent key %s", comment);
+		xfree(comment);
+		ret = send_pubkey_test(authctxt, k, agent_sign_cb, -1);
+		if (ret == 0)
+			key_free(k);
+	}
+	if (ret == 0)
+		debug2("userauth_pubkey_agent: no message sent");
+	return ret;
+}
+
+int
+userauth_pubkey(Authctxt *authctxt)
+{
+	static int idx = 0;
+	int sent = 0;
+	Key *key;
+	char *filename;
+
+	if (authctxt->agent != NULL) {
+		do {
+			sent = userauth_pubkey_agent(authctxt);
+		} while(!sent && authctxt->agent->howmany > 0);
+	}
+	while (!sent && idx < options.num_identity_files) {
+		key = options.identity_keys[idx];
+		filename = options.identity_files[idx];
+		if (key == NULL) {
+			debug("try privkey: %s", filename);
+			key = load_identity_file(filename);
+			if (key != NULL) {
+				sent = sign_and_send_pubkey(authctxt, key,
+				    key_sign_cb);
+				key_free(key);
+			}
+		} else if (key->type != KEY_RSA1) {
+			debug("try pubkey: %s", filename);
+			sent = send_pubkey_test(authctxt, key,
+			    identity_sign_cb, idx);
+		}
+		idx++;
+	}
+	return sent;
+}
+
+/*
+ * Send userauth request message specifying keyboard-interactive method.
+ */
+int
+userauth_kbdint(Authctxt *authctxt)
+{
+	static int attempt = 0;
+
+	if (attempt++ >= options.number_of_password_prompts)
+		return 0;
+
+	debug2("userauth_kbdint");
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(authctxt->server_user);
+	packet_put_cstring(authctxt->service);
+	packet_put_cstring(authctxt->method->name);
+	packet_put_cstring("");					/* lang */
+	packet_put_cstring(options.kbd_interactive_devices ?
+	    options.kbd_interactive_devices : "");
+	packet_send();
+
+	dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req);
+	return 1;
+}
+
+/*
+ * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
+ */
+void
+input_userauth_info_req(int type, int plen, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	char *name, *inst, *lang, *prompt, *response;
+	u_int num_prompts, i;
+	int echo = 0;
+
+	debug2("input_userauth_info_req");
+
+	if (authctxt == NULL)
+		fatal("input_userauth_info_req: no authentication context");
+
+	name = packet_get_string(NULL);
+	inst = packet_get_string(NULL);
+	lang = packet_get_string(NULL);
+	if (strlen(name) > 0)
+		cli_mesg(name);
+	if (strlen(inst) > 0)
+		cli_mesg(inst);
+	xfree(name);
+	xfree(inst);
+	xfree(lang);
+
+	num_prompts = packet_get_int();
+	/*
+	 * Begin to build info response packet based on prompts requested.
+	 * We commit to providing the correct number of responses, so if
+	 * further on we run into a problem that prevents this, we have to
+	 * be sure and clean this up and send a correct error response.
+	 */
+	packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
+	packet_put_int(num_prompts);
+
+	for (i = 0; i < num_prompts; i++) {
+		prompt = packet_get_string(NULL);
+		echo = packet_get_char();
+
+		response = cli_prompt(prompt, echo);
+
+		ssh_put_password(response);
+		memset(response, 0, strlen(response));
+		xfree(response);
+		xfree(prompt);
+	}
+	packet_done(); /* done with parsing incoming message. */
+
+	packet_inject_ignore(64);
+	packet_send();
+}
+
+/*
+ * this will be move to an external program (ssh-keysign) ASAP. ssh-keysign
+ * will be setuid-root and the sbit can be removed from /usr/bin/ssh.
+ */
+int
+userauth_hostbased(Authctxt *authctxt)
+{
+	Key *private = NULL;
+	Buffer b;
+	u_char *signature, *blob;
+	char *chost, *pkalg, *p;
+	const char *service;
+	u_int blen, slen;
+	int ok, i, len, found = 0;
+
+	p = get_local_name(packet_get_connection_in());
+	if (p == NULL) {
+		error("userauth_hostbased: cannot get local ipaddr/name");
+		return 0;
+	}
+	len = strlen(p) + 2;
+	chost = xmalloc(len);
+	strlcpy(chost, p, len);
+	strlcat(chost, ".", len);
+	debug2("userauth_hostbased: chost %s", chost);
+	/* check for a useful key */
+	for (i = 0; i < authctxt->nkeys; i++) {
+		private = authctxt->keys[i];
+		if (private && private->type != KEY_RSA1) {
+			found = 1;
+			/* we take and free the key */
+			authctxt->keys[i] = NULL;
+			break;
+		}
+	}
+	if (!found) {
+		xfree(chost);
+		return 0;
+	}
+	if (key_to_blob(private, &blob, &blen) == 0) {
+		key_free(private);
+		xfree(chost);
+		return 0;
+	}
+	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+	    authctxt->service;
+	pkalg = xstrdup(key_ssh_name(private));
+	buffer_init(&b);
+	/* construct data */
+	buffer_put_string(&b, session_id2, session_id2_len);
+	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+	buffer_put_cstring(&b, authctxt->server_user);
+	buffer_put_cstring(&b, service);
+	buffer_put_cstring(&b, authctxt->method->name);
+	buffer_put_cstring(&b, pkalg);
+	buffer_put_string(&b, blob, blen);
+	buffer_put_cstring(&b, chost);
+	buffer_put_cstring(&b, authctxt->local_user);
+#ifdef DEBUG_PK
+	buffer_dump(&b);
+#endif
+	debug2("xxx: chost %s", chost);
+	ok = key_sign(private, &signature, &slen, buffer_ptr(&b), buffer_len(&b));
+	key_free(private);
+	buffer_free(&b);
+	if (ok != 0) {
+		error("key_sign failed");
+		xfree(chost);
+		xfree(pkalg);
+		return 0;
+	}
+	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+	packet_put_cstring(authctxt->server_user);
+	packet_put_cstring(authctxt->service);
+	packet_put_cstring(authctxt->method->name);
+	packet_put_cstring(pkalg);
+	packet_put_string(blob, blen);
+	packet_put_cstring(chost);
+	packet_put_cstring(authctxt->local_user);
+	packet_put_string(signature, slen);
+	memset(signature, 's', slen);
+	xfree(signature);
+	xfree(chost);
+	xfree(pkalg);
+
+	packet_send();
+	return 1;
+}
+
+/* find auth method */
+
+/*
+ * given auth method name, if configurable options permit this method fill
+ * in auth_ident field and return true, otherwise return false.
+ */
+int
+authmethod_is_enabled(Authmethod *method)
+{
+	if (method == NULL)
+		return 0;
+	/* return false if options indicate this method is disabled */
+	if  (method->enabled == NULL || *method->enabled == 0)
+		return 0;
+	/* return false if batch mode is enabled but method needs interactive mode */
+	if  (method->batch_flag != NULL && *method->batch_flag != 0)
+		return 0;
+	return 1;
+}
+
+Authmethod *
+authmethod_lookup(const char *name)
+{
+	Authmethod *method = NULL;
+	if (name != NULL)
+		for (method = authmethods; method->name != NULL; method++)
+			if (strcmp(name, method->name) == 0)
+				return method;
+	debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
+	return NULL;
+}
+
+/* XXX internal state */
+static Authmethod *current = NULL;
+static char *supported = NULL;
+static char *preferred = NULL;
+/*
+ * Given the authentication method list sent by the server, return the
+ * next method we should try.  If the server initially sends a nil list,
+ * use a built-in default list.
+ */
+Authmethod *
+authmethod_get(char *authlist)
+{
+
+	char *name = NULL;
+	int next;
+
+	/* Use a suitable default if we're passed a nil list.  */
+	if (authlist == NULL || strlen(authlist) == 0)
+		authlist = options.preferred_authentications;
+
+	if (supported == NULL || strcmp(authlist, supported) != 0) {
+		debug3("start over, passed a different list %s", authlist);
+		if (supported != NULL)
+			xfree(supported);
+		supported = xstrdup(authlist);
+		preferred = options.preferred_authentications;
+		debug3("preferred %s", preferred);
+		current = NULL;
+	} else if (current != NULL && authmethod_is_enabled(current))
+		return current;
+
+	for (;;) {
+		if ((name = match_list(preferred, supported, &next)) == NULL) {
+			debug("no more auth methods to try");
+			current = NULL;
+			return NULL;
+		}
+		preferred += next;
+		debug3("authmethod_lookup %s", name);
+		debug3("remaining preferred: %s", preferred);
+		if ((current = authmethod_lookup(name)) != NULL &&
+		    authmethod_is_enabled(current)) {
+			debug3("authmethod_is_enabled %s", name);
+			debug("next auth method to try is %s", name);
+			return current;
+		}
+	}
+}
+
+
+#define	DELIM	","
+char *
+authmethods_get(void)
+{
+	Authmethod *method = NULL;
+	char buf[1024];
+
+	buf[0] = '\0';
+	for (method = authmethods; method->name != NULL; method++) {
+		if (authmethod_is_enabled(method)) {
+			if (buf[0] != '\0')
+				strlcat(buf, DELIM, sizeof buf);
+			strlcat(buf, method->name, sizeof buf);
+		}
+	}
+	return xstrdup(buf);
+}
diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8
new file mode 100644
index 0000000..0292473
--- /dev/null
+++ b/crypto/openssh/sshd.8
@@ -0,0 +1,1272 @@
+.\"  -*- nroff -*-
+.\"
+.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
+.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+.\"                    All rights reserved
+.\"
+.\" As far as I am concerned, the code I have written for this software
+.\" can be used freely for any purpose.  Any derived versions of this
+.\" software must be clearly marked as such, and if the derived work is
+.\" incompatible with the protocol description in the RFC file, it must be
+.\" called by a name other than "ssh" or "Secure Shell".
+.\"
+.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
+.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
+.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $OpenBSD: sshd.8,v 1.120 2001/04/22 23:58:36 markus Exp $
+.\" $FreeBSD$
+.\"
+.Dd September 25, 1999
+.Dt SSHD 8
+.Os
+.Sh NAME
+.Nm sshd
+.Nd OpenSSH SSH daemon
+.Sh SYNOPSIS
+.Nm sshd
+.Op Fl deiqD46
+.Op Fl b Ar bits
+.Op Fl f Ar config_file
+.Op Fl g Ar login_grace_time
+.Op Fl h Ar host_key_file
+.Op Fl k Ar key_gen_time
+.Op Fl p Ar port
+.Op Fl u Ar len
+.Op Fl V Ar client_protocol_id
+.Sh DESCRIPTION
+.Nm
+(SSH Daemon) is the daemon program for
+.Xr ssh 1 .
+Together these programs replace rlogin and rsh, and
+provide secure encrypted communications between two untrusted hosts
+over an insecure network.
+The programs are intended to be as easy to
+install and use as possible.
+.Pp
+.Nm
+is the daemon that listens for connections from clients.
+It is normally started at boot from 
+.Pa /etc/rc.network .
+It forks a new
+daemon for each incoming connection.
+The forked daemons handle
+key exchange, encryption, authentication, command execution,
+and data exchange.
+This implementation of
+.Nm
+supports both SSH protocol version 1 and 2 simultaneously.
+.Nm
+works as follows.
+.Pp
+.Ss SSH protocol version 1
+.Pp
+Each host has a host-specific RSA key
+(normally 1024 bits) used to identify the host.
+Additionally, when
+the daemon starts, it generates a server RSA key (normally 768 bits).
+This key is normally regenerated every hour if it has been used, and
+is never stored on disk.
+.Pp
+Whenever a client connects the daemon responds with its public
+host and server keys.
+The client compares the
+RSA host key against its own database to verify that it has not changed.
+The client then generates a 256 bit random number.
+It encrypts this
+random number using both the host key and the server key, and sends
+the encrypted number to the server.
+Both sides then use this
+random number as a session key which is used to encrypt all further
+communications in the session.
+The rest of the session is encrypted
+using a conventional cipher, currently Blowfish or 3DES, with 3DES
+being used by default.
+The client selects the encryption algorithm
+to use from those offered by the server.
+.Pp
+Next, the server and the client enter an authentication dialog.
+The client tries to authenticate itself using
+.Pa .rhosts
+authentication,
+.Pa .rhosts
+authentication combined with RSA host
+authentication, RSA challenge-response authentication, or password
+based authentication.
+.Pp
+Rhosts authentication is normally disabled
+because it is fundamentally insecure, but can be enabled in the server
+configuration file if desired.
+System security is not improved unless
+.Xr rshd 8 ,
+.Xr rlogind 8 ,
+.Xr rexecd 8 ,
+and
+.Xr rexd 8
+are disabled (thus completely disabling
+.Xr rlogin 1
+and
+.Xr rsh 1
+into the machine).
+.Pp
+.Ss SSH protocol version 2
+.Pp
+Version 2 works similarly:
+Each host has a host-specific DSA key used to identify the host.
+However, when the daemon starts, it does not generate a server key.
+Forward security is provided through a Diffie-Hellman key agreement.
+This key agreement results in a shared session key.
+.Pp
+The rest of the session is encrypted using a symmetric cipher, currently
+128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit AES.
+The client selects the encryption algorithm
+to use from those offered by the server.
+Additionally, session integrity is provided
+through a cryptographic message authentication code
+(hmac-sha1 or hmac-md5).
+.Pp
+Protocol version 2 provides a public key based
+user (PubkeyAuthentication) or
+client host (HostbasedAuthentication) authentication method,
+conventional password authentication and challenge response based methods.
+.Pp
+.Ss Command execution and data forwarding
+.Pp
+If the client successfully authenticates itself, a dialog for
+preparing the session is entered.
+At this time the client may request
+things like allocating a pseudo-tty, forwarding X11 connections,
+forwarding TCP/IP connections, or forwarding the authentication agent
+connection over the secure channel.
+.Pp
+Finally, the client either requests a shell or execution of a command.
+The sides then enter session mode.
+In this mode, either side may send
+data at any time, and such data is forwarded to/from the shell or
+command on the server side, and the user terminal in the client side.
+.Pp
+When the user program terminates and all forwarded X11 and other
+connections have been closed, the server sends command exit status to
+the client, and both sides exit.
+.Pp
+.Nm
+can be configured using command-line options or a configuration
+file.
+Command-line options override values specified in the
+configuration file.
+.Pp
+.Nm
+rereads its configuration file when it receives a hangup signal,
+.Dv SIGHUP ,
+by executing itself with the name it was started as, ie.
+.Pa /usr/sbin/sshd .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl b Ar bits
+Specifies the number of bits in the ephemeral protocol version 1
+server key (default 768).
+.Pp
+.It Fl d
+Debug mode.
+The server sends verbose debug output to the system
+log, and does not put itself in the background.
+The server also will not fork and will only process one connection.
+This option is only intended for debugging for the server.
+Multiple -d options increase the debugging level.
+Maximum is 3.
+.It Fl e
+When this option is specified,
+.Nm
+will send the output to the standard error instead of the system log.
+.It Fl f Ar configuration_file
+Specifies the name of the configuration file.
+The default is
+.Pa /etc/ssh/sshd_config .
+.Nm
+refuses to start if there is no configuration file.
+.It Fl g Ar login_grace_time
+Gives the grace time for clients to authenticate themselves (default
+600 seconds).
+If the client fails to authenticate the user within
+this many seconds, the server disconnects and exits.
+A value of zero indicates no limit.
+.It Fl h Ar host_key_file
+Specifies the file from which the host key is read (default
+.Pa /etc/ssh/ssh_host_key ) .
+This option must be given if
+.Nm
+is not run as root (as the normal
+host file is normally not readable by anyone but root).
+It is possible to have multiple host key files for
+the different protocol versions and host key algorithms.
+.It Fl i
+Specifies that
+.Nm
+is being run from inetd.
+.Nm
+is normally not run
+from inetd because it needs to generate the server key before it can
+respond to the client, and this may take tens of seconds.
+Clients would have to wait too long if the key was regenerated every time.
+However, with small key sizes (e.g., 512) using
+.Nm
+from inetd may
+be feasible.
+.It Fl k Ar key_gen_time
+Specifies how often the ephemeral protocol version 1 server key is
+regenerated (default 3600 seconds, or one hour).
+The motivation for regenerating the key fairly
+often is that the key is not stored anywhere, and after about an hour,
+it becomes impossible to recover the key for decrypting intercepted
+communications even if the machine is cracked into or physically
+seized.
+A value of zero indicates that the key will never be regenerated.
+.It Fl p Ar port
+Specifies the port on which the server listens for connections
+(default 22).
+.It Fl q
+Quiet mode.
+Nothing is sent to the system log.
+Normally the beginning,
+authentication, and termination of each connection is logged.
+.It Fl u Ar len
+This option is used to specify the size of the field
+in the
+.Li utmp
+structure that holds the remote host name.
+If the resolved host name is longer than
+.Ar len ,
+the dotted decimal value will be used instead.
+This allows hosts with very long host names that
+overflow this field to still be uniquely identified.
+Specifying
+.Fl u0
+indicates that only dotted decimal addresses
+should be put into the
+.Pa utmp
+file.
+.It Fl D
+When this option is specified
+.Nm
+will not detach and does not become a daemon.
+This allows easy monitoring of
+.Nm sshd .
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
+.El
+.Sh CONFIGURATION FILE
+.Nm
+reads configuration data from
+.Pa /etc/ssh/sshd_config
+(or the file specified with
+.Fl f
+on the command line).
+The file contains keyword-value pairs, one per line.
+Lines starting with
+.Ql #
+and empty lines are interpreted as comments.
+.Pp
+The following keywords are possible.
+.Bl -tag -width Ds
+.It Cm AFSTokenPassing
+Specifies whether an AFS token may be forwarded to the server.
+Default is
+.Dq yes .
+.It Cm AllowGroups
+This keyword can be followed by a list of group names, separated
+by spaces.
+If specified, login is allowed only for users whose primary
+group or supplementary group list matches one of the patterns.
+.Ql \&*
+and
+.Ql ?
+can be used as
+wildcards in the patterns.
+Only group names are valid; a numerical group ID isn't recognized.
+By default login is allowed regardless of the group list.
+.Pp
+.It Cm AllowTcpForwarding
+Specifies whether TCP forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling TCP forwarding does not improve security unless
+users are also denied shell access, as they can always install their
+own forwarders.
+.Pp
+.It Cm AllowUsers
+This keyword can be followed by a list of user names, separated
+by spaces.
+If specified, login is allowed only for users names that
+match one of the patterns.
+.Ql \&*
+and
+.Ql ?
+can be used as
+wildcards in the patterns.
+Only user names are valid; a numerical user ID isn't recognized.
+By default login is allowed regardless of the user name.
+.Pp
+.It Cm Banner
+In some jurisdictions, sending a warning message before authentication
+may be relevant for getting legal protection.
+The contents of the specified file are sent to the remote user before
+authentication is allowed.
+This option is only available for protocol version 2.
+.Pp
+.It Cm ChallengeResponseAuthentication
+Specifies whether
+challenge response
+authentication is allowed.
+Currently there is only support for
+.Xr skey 1
+authentication.
+The default is
+.Dq yes .
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2.
+Multiple ciphers must be comma-separated.
+The default is
+.Dq aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour.
+.It Cm CheckMail
+Specifies whether
+.Nm
+should check for new mail for interactive logins.
+The default is
+.Dq yes .
+.It Cm ClientAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the client, 
+.Nm
+will send a message through the encrypted
+channel to request a response from the client.
+The default
+is 0, indicating that these messages will not be sent to the client.
+This option applies to protocol version 2 only.
+.It Cm ClientAliveCountMax
+Sets the number of client alive messages (see above) which may be
+sent without
+.Nm
+receiving any messages back from the client. If this threshold is
+reached while client alive messages are being sent, 
+.Nm
+will disconnect the client, terminating the session. It is important
+to note that the use of client alive messages is very different from 
+.Cm Keepalive
+(below). The client alive messages are sent through the
+encrypted channel and therefore will not be spoofable. The TCP keepalive
+option enabled by
+.Cm Keepalive
+is spoofable. You want to use the client
+alive mechanism when you are basing something important on
+clients having an active connection to the server.
+.Pp
+The default value is 3. If you set
+.Cm ClientAliveInterval
+(above) to 15, and leave this value at the default, unresponsive ssh clients
+will be disconnected after approximately 45 seconds. 
+.It Cm DenyGroups
+This keyword can be followed by a number of group names, separated
+by spaces.
+Users whose primary group or supplementary group list matches
+one of the patterns aren't allowed to log in.
+.Ql \&*
+and
+.Ql ?
+can be used as
+wildcards in the patterns.
+Only group names are valid; a numerical group ID isn't recognized.
+By default login is allowed regardless of the group list.
+.Pp
+.It Cm DenyUsers
+This keyword can be followed by a number of user names, separated
+by spaces.
+Login is disallowed for user names that match one of the patterns.
+.Ql \&*
+and
+.Ql ?
+can be used as wildcards in the patterns.
+Only user names are valid; a numerical user ID isn't recognized.
+By default login is allowed regardless of the user name.
+.It Cm GatewayPorts
+Specifies whether remote hosts are allowed to connect to ports
+forwarded for the client.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+.It Cm HostbasedAuthentication
+Specifies whether rhosts or /etc/hosts.equiv authentication together
+with successful public key client host authentication is allowed
+(hostbased authentication).
+This option is similar to
+.Cm RhostsRSAAuthentication
+and applies to protocol version 2 only.
+The default is
+.Dq no .
+.It Cm HostKey
+Specifies the file containing the private host keys (default
+.Pa /etc/ssh/ssh_host_key )
+used by SSH protocol versions 1 and 2.
+Note that
+.Nm
+will refuse to use a file if it is group/world-accessible.
+It is possible to have multiple host key files.
+.Dq rsa1
+keys are used for version 1 and
+.Dq dsa
+or
+.Dq rsa
+are used for version 2 of the SSH protocol.
+.It Cm IgnoreRhosts
+Specifies that
+.Pa .rhosts
+and
+.Pa .shosts
+files will not be used in
+.Cm RhostsAuthentication ,
+.Cm RhostsRSAAuthentication
+or
+.Cm HostbasedAuthentication .
+.Pp
+.Pa /etc/hosts.equiv
+and
+.Pa /etc/ssh/shosts.equiv 
+are still used.
+The default is
+.Dq yes .
+.It Cm IgnoreUserKnownHosts
+Specifies whether
+.Nm
+should ignore the user's
+.Pa $HOME/.ssh/known_hosts
+during
+.Cm RhostsRSAAuthentication
+or
+.Cm HostbasedAuthentication .
+The default is
+.Dq no .
+.It Cm KeepAlive
+Specifies whether the system should send keepalive messages to the
+other side.
+If they are sent, death of the connection or crash of one
+of the machines will be properly noticed.
+However, this means that
+connections will die if the route is down temporarily, and some people
+find it annoying.
+On the other hand, if keepalives are not sent,
+sessions may hang indefinitely on the server, leaving
+.Dq ghost
+users and consuming server resources.
+.Pp
+The default is
+.Dq yes
+(to send keepalives), and the server will notice
+if the network goes down or the client host reboots.
+This avoids infinitely hanging sessions.
+.Pp
+To disable keepalives, the value should be set to
+.Dq no
+in both the server and the client configuration files.
+.It Cm KerberosAuthentication
+Specifies whether Kerberos authentication is allowed.
+This can be in the form of a Kerberos ticket, or if
+.Cm PasswordAuthentication
+is yes, the password provided by the user will be validated through
+the Kerberos KDC.
+To use this option, the server needs a
+Kerberos servtab which allows the verification of the KDC's identity.
+Default is
+.Dq yes .
+.It Cm KerberosOrLocalPasswd
+If set then if password authentication through Kerberos fails then
+the password will be validated via any additional local mechanism
+such as
+.Pa /etc/passwd .
+Default is
+.Dq yes .
+.It Cm KerberosTgtPassing
+Specifies whether a Kerberos TGT may be forwarded to the server.
+Default is
+.Dq no ,
+as this only works when the Kerberos KDC is actually an AFS kaserver.
+.It Cm KerberosTicketCleanup
+Specifies whether to automatically destroy the user's ticket cache
+file on logout.
+Default is
+.Dq yes .
+.It Cm KeyRegenerationInterval
+In protocol version 1, the ephemeral server key is automatically regenerated
+after this many seconds (if it has been used).
+The purpose of regeneration is to prevent
+decrypting captured sessions by later breaking into the machine and
+stealing the keys.
+The key is never stored anywhere.
+If the value is 0, the key is never regenerated.
+The default is 3600 (seconds).
+.It Cm ListenAddress
+Specifies the local addresses
+.Nm
+should listen on.
+The following forms may be used:
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Cm ListenAddress
+.Sm off
+.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
+.Sm on
+.It
+.Cm ListenAddress
+.Sm off
+.Ar host No | Ar IPv4_addr No : Ar port
+.Sm on
+.It
+.Cm ListenAddress
+.Sm off
+.Oo
+.Ar host No | Ar IPv6_addr Oc : Ar port
+.Sm on
+.El
+.Pp
+If
+.Ar port
+is not specified,
+.Nm
+will listen on the address and all prior
+.Cm Port
+options specified. The default is to listen on all local
+addresses.  Multiple
+.Cm ListenAddress
+options are permitted. Additionally, any
+.Cm Port
+options must precede this option for non port qualified addresses.
+.It Cm LoginGraceTime
+The server disconnects after this time if the user has not
+successfully logged in.
+If the value is 0, there is no time limit.
+The default is 120 (seconds).
+.It Cm LogLevel
+Gives the verbosity level that is used when logging messages from
+.Nm sshd .
+The possible values are:
+QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.
+The default is INFO.
+Logging with level DEBUG violates the privacy of users
+and is not recommended.
+.It Cm MACs
+Specifies the available MAC (message authentication code) algorithms.
+The MAC algorithm is used in protocol version 2
+for data integrity protection.
+Multiple algorithms must be comma-separated.
+The default is
+.Pp
+.Bd -literal
+  ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,
+    hmac-sha1-96,hmac-md5-96''
+.Ed
+.It Cm MaxStartups
+Specifies the maximum number of concurrent unauthenticated connections to the
+.Nm
+daemon.
+Additional connections will be dropped until authentication succeeds or the
+.Cm LoginGraceTime
+expires for a connection.
+The default is 10.
+.Pp
+Alternatively, random early drop can be enabled by specifying
+the three colon separated values
+.Dq start:rate:full
+(e.g., "10:30:60").
+.Nm
+will refuse connection attempts with a probability of
+.Dq rate/100
+(30%)
+if there are currently
+.Dq start
+(10)
+unauthenticated connections.
+The probability increases linearly and all connection attempts
+are refused if the number of unauthenticated connections reaches
+.Dq full
+(60).
+.It Cm PasswordAuthentication
+Specifies whether password authentication is allowed.
+The default is
+.Dq yes .
+.It Cm PermitEmptyPasswords
+When password authentication is allowed, it specifies whether the
+server allows login to accounts with empty password strings.
+The default is
+.Dq no .
+.It Cm PermitRootLogin
+Specifies whether root can login using
+.Xr ssh 1 .
+The argument must be
+.Dq yes ,
+.Dq without-password ,
+.Dq forced-commands-only
+or
+.Dq no .
+The default is
+.Dq no .
+.Pp
+If this option is set to
+.Dq without-password
+password authentication is disabled for root.
+.Pp
+If this option is set to
+.Dq forced-commands-only
+root login with public key authentication will be allowed,
+but only if the
+.Ar command
+option has been specified
+(which may be useful for taking remote backups even if root login is
+normally not allowed). All other authentication methods are disabled
+for root.
+.Pp
+If this option is set to
+.Dq no
+root is not allowed to login.
+.It Cm PidFile
+Specifies the file that contains the process identifier of the
+.Nm
+daemon.
+The default is
+.Pa /var/run/sshd.pid .
+.It Cm Port
+Specifies the port number that
+.Nm
+listens on.
+The default is 22.
+Multiple options of this type are permitted.
+See also
+.Cm ListenAddress .
+.It Cm PrintLastLog
+Specifies whether
+.Nm
+should print the date and time when the user last logged in.
+The default is
+.Dq yes .
+.It Cm PrintMotd
+Specifies whether
+.Nm
+should print
+.Pa /etc/motd
+when a user logs in interactively.
+(On some systems it is also printed by the shell,
+.Pa /etc/profile ,
+or equivalent.)
+The default is
+.Dq yes .
+.It Cm Protocol
+Specifies the protocol versions
+.Nm
+should support.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 2,1 .
+.It Cm PubkeyAuthentication
+Specifies whether public key authentication is allowed.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
+.It Cm ReverseMappingCheck
+Specifies whether
+.Nm
+should try to verify the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq no .
+.It Cm RhostsAuthentication
+Specifies whether authentication using rhosts or
+.Pa /etc/hosts.equiv
+files is sufficient.
+Normally, this method should not be permitted because it is insecure.
+.Cm RhostsRSAAuthentication
+should be used
+instead, because it performs RSA-based host authentication in addition
+to normal rhosts or
+.Pa /etc/hosts.equiv
+authentication.
+The default is
+.Dq no .
+This option applies to protocol version 1 only.
+.It Cm RhostsRSAAuthentication
+Specifies whether rhosts or
+.Pa /etc/hosts.equiv
+authentication together
+with successful RSA host authentication is allowed.
+The default is
+.Dq no .
+This option applies to protocol version 1 only.
+.It Cm RSAAuthentication
+Specifies whether pure RSA authentication is allowed.
+The default is
+.Dq yes .
+This option applies to protocol version 1 only.
+.It Cm ServerKeyBits
+Defines the number of bits in the ephemeral protocol version 1 server key.
+The minimum value is 512, and the default is 768.
+.It Cm SkeyAuthentication
+Specifies whether
+.Xr skey 1
+authentication is allowed.
+The default is
+.Dq yes .
+Note that OPIE authentication is enabled only if
+.Cm PasswordAuthentication
+is allowed, too.
+.It Cm StrictModes
+Specifies whether
+.Nm
+should check file modes and ownership of the
+user's files and home directory before accepting login.
+This is normally desirable because novices sometimes accidentally leave their
+directory or files world-writable.
+The default is
+.Dq yes .
+.It Cm Subsystem
+Configures an external subsystem (e.g., file transfer daemon).
+Arguments should be a subsystem name and a command to execute upon subsystem
+request.
+The command
+.Xr sftp-server 8
+implements the
+.Dq sftp
+file transfer subsystem.
+By default no subsystems are defined.
+Note that this option applies to protocol version 2 only.
+.It Cm SyslogFacility
+Gives the facility code that is used when logging messages from
+.Nm sshd .
+The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+The default is AUTH.
+.It Cm UseLogin
+Specifies whether
+.Xr login 1
+is used for interactive login sessions.
+Note that
+.Xr login 1
+is never used for remote command execution.
+The default is
+.Dq no .
+.It Cm X11DisplayOffset
+Specifies the first display number available for
+.Nm sshd Ns 's
+X11 forwarding.
+This prevents
+.Nm
+from interfering with real X11 servers.
+The default is 10.
+.It Cm X11Forwarding
+Specifies whether X11 forwarding is permitted.
+The default is
+.Dq no .
+Note that disabling X11 forwarding does not improve security in any
+way, as users can always install their own forwarders.
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
+.El
+.Sh LOGIN PROCESS
+When a user successfully logs in,
+.Nm
+does the following:
+.Bl -enum -offset indent
+.It
+If the login is on a tty, and no command has been specified,
+prints last login time and
+.Pa /etc/motd
+(unless prevented in the configuration file or by
+.Pa $HOME/.hushlogin ;
+see the
+.Sx FILES
+section).
+.It
+If the login is on a tty, records login time.
+.It
+Checks
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
+(unless root).
+.It
+Changes to run with normal user privileges.
+.It
+Sets up basic environment.
+.It
+Reads
+.Pa $HOME/.ssh/environment
+if it exists.
+.It
+Changes to user's home directory.
+.It
+If
+.Pa $HOME/.ssh/rc
+exists, runs it; else if
+.Pa /etc/ssh/sshrc
+exists, runs
+it; otherwise runs
+.Xr xauth 1 .
+The
+.Dq rc
+files are given the X11
+authentication protocol and cookie (if applicable) in standard input.
+.It
+Runs user's shell or command.
+.El
+.Sh AUTHORIZED_KEYS FILE FORMAT
+The
+.Pa $HOME/.ssh/authorized_keys
+file lists the RSA keys that are
+permitted for RSA authentication in protocol version 1
+Similarly, the
+.Pa $HOME/.ssh/authorized_keys2
+file lists the DSA and RSA keys that are
+permitted for public key authentication (PubkeyAuthentication)
+in protocol version 2.
+.Pp
+Each line of the file contains one
+key (empty lines and lines starting with a
+.Ql #
+are ignored as
+comments).
+Each RSA public key consists of the following fields, separated by
+spaces: options, bits, exponent, modulus, comment.
+Each protocol version 2 public key consists of:
+options, keytype, base64 encoded key, comment.
+The options fields
+are optional; its presence is determined by whether the line starts
+with a number or not (the option field never starts with a number).
+The bits, exponent, modulus and comment fields give the RSA key for
+protocol version 1; the
+comment field is not used for anything (but may be convenient for the
+user to identify the key).
+For protocol version 2 the keytype is
+.Dq ssh-dss
+or
+.Dq ssh-rsa .
+.Pp
+Note that lines in this file are usually several hundred bytes long
+(because of the size of the RSA key modulus).
+You don't want to type them in; instead, copy the
+.Pa identity.pub ,
+.Pa id_dsa.pub
+or the
+.Pa id_rsa.pub
+file and edit it.
+.Pp
+The options (if present) consist of comma-separated option
+specifications.
+No spaces are permitted, except within double quotes.
+The following option specifications are supported:
+.Bl -tag -width Ds
+.It Cm from="pattern-list"
+Specifies that in addition to RSA authentication, the canonical name
+of the remote host must be present in the comma-separated list of
+patterns
+.Pf ( Ql *
+and
+.Ql ?
+serve as wildcards).
+The list may also contain
+patterns negated by prefixing them with
+.Ql ! ;
+if the canonical host name matches a negated pattern, the key is not accepted.
+The purpose
+of this option is to optionally increase security: RSA authentication
+by itself does not trust the network or name servers or anything (but
+the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).
+.It Cm command="command"
+Specifies that the command is executed whenever this key is used for
+authentication.
+The command supplied by the user (if any) is ignored.
+The command is run on a pty if the connection requests a pty;
+otherwise it is run without a tty.
+Note that if you want a 8-bit clean channel,
+you must not request a pty or should specify
+.Cm no-pty .
+A quote may be included in the command by quoting it with a backslash.
+This option might be useful
+to restrict certain RSA keys to perform just a specific operation.
+An example might be a key that permits remote backups but nothing else.
+Note that the client may specify TCP/IP and/or X11
+forwarding unless they are explicitly prohibited.
+.It Cm environment="NAME=value"
+Specifies that the string is to be added to the environment when
+logging in using this key.
+Environment variables set this way
+override other default environment values.
+Multiple options of this type are permitted.
+.It Cm no-port-forwarding
+Forbids TCP/IP forwarding when this key is used for authentication.
+Any port forward requests by the client will return an error.
+This might be used, e.g., in connection with the
+.Cm command
+option.
+.It Cm no-X11-forwarding
+Forbids X11 forwarding when this key is used for authentication.
+Any X11 forward requests by the client will return an error.
+.It Cm no-agent-forwarding
+Forbids authentication agent forwarding when this key is used for
+authentication.
+.It Cm no-pty
+Prevents tty allocation (a request to allocate a pty will fail).
+.It Cm permitopen="host:port"
+Limit local 
+.Li ``ssh -L''
+port forwarding such that it may only connect to the specified host and
+port. Multiple 
+.Cm permitopen
+options may be applied separated by commas. No pattern matching is 
+performed on the specified hostnames, they must be literal domains or 
+addresses.
+.El
+.Ss Examples
+1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
+.Pp
+from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
+.Pp
+command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
+.Pp
+permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323
+.Sh SSH_KNOWN_HOSTS FILE FORMAT
+The
+.Pa /etc/ssh/ssh_known_hosts ,
+.Pa /etc/ssh/ssh_known_hosts2 ,
+.Pa $HOME/.ssh/known_hosts ,
+and
+.Pa $HOME/.ssh/known_hosts2
+files contain host public keys for all known hosts.
+The global file should
+be prepared by the administrator (optional), and the per-user file is
+maintained automatically: whenever the user connects from an unknown host
+its key is added to the per-user file.
+.Pp
+Each line in these files contains the following fields: hostnames,
+bits, exponent, modulus, comment.
+The fields are separated by spaces.
+.Pp
+Hostnames is a comma-separated list of patterns ('*' and '?' act as
+wildcards); each pattern in turn is matched against the canonical host
+name (when authenticating a client) or against the user-supplied
+name (when authenticating a server).
+A pattern may also be preceded by
+.Ql !
+to indicate negation: if the host name matches a negated
+pattern, it is not accepted (by that line) even if it matched another
+pattern on the line.
+.Pp
+Bits, exponent, and modulus are taken directly from the RSA host key; they
+can be obtained, e.g., from
+.Pa /etc/ssh/ssh_host_key.pub .
+The optional comment field continues to the end of the line, and is not used.
+.Pp
+Lines starting with
+.Ql #
+and empty lines are ignored as comments.
+.Pp
+When performing host authentication, authentication is accepted if any
+matching line has the proper key.
+It is thus permissible (but not
+recommended) to have several lines or different host keys for the same
+names.
+This will inevitably happen when short forms of host names
+from different domains are put in the file.
+It is possible
+that the files contain conflicting information; authentication is
+accepted if valid information can be found from either file.
+.Pp
+Note that the lines in these files are typically hundreds of characters
+long, and you definitely don't want to type in the host keys by hand.
+Rather, generate them by a script
+or by taking
+.Pa /etc/ssh/ssh_host_key.pub
+and adding the host names at the front.
+.Ss Examples
+.Bd -literal
+closenet,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi
+cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
+.Ed
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa /etc/ssh/sshd_config
+Contains configuration data for
+.Nm sshd .
+This file should be writable by root only, but it is recommended
+(though not necessary) that it be world-readable.
+.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
+These three files contain the private parts of the host keys.
+These files should only be owned by root, readable only by root, and not
+accessible to others.
+Note that
+.Nm
+does not start if this file is group/world-accessible.
+.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub
+These three files contain the public parts of the host keys.
+These files should be world-readable but writable only by
+root.
+Their contents should match the respective private parts.
+These files are not
+really used for anything; they are provided for the convenience of
+the user so their contents can be copied to known hosts files.
+These files are created using
+.Xr ssh-keygen 1 .
+.It Pa /etc/primes
+Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
+.It Pa /var/run/sshd.pid
+Contains the process ID of the
+.Nm
+listening for connections (if there are several daemons running
+concurrently for different ports, this contains the pid of the one
+started last).
+The content of this file is not sensitive; it can be world-readable.
+.It Pa $HOME/.ssh/authorized_keys
+Lists the RSA keys that can be used to log into the user's account.
+This file must be readable by root (which may on some machines imply
+it being world-readable if the user's home directory resides on an NFS
+volume).
+It is recommended that it not be accessible by others.
+The format of this file is described above.
+Users will place the contents of their
+.Pa identity.pub
+files into this file, as described in
+.Xr ssh-keygen 1 .
+.It Pa $HOME/.ssh/authorized_keys2
+Lists the public keys (RSA or DSA) that can be used to log into the user's account.
+This file must be readable by root (which may on some machines imply
+it being world-readable if the user's home directory resides on an NFS
+volume).
+It is recommended that it not be accessible by others.
+The format of this file is described above.
+Users will place the contents of their
+.Pa id_dsa.pub
+and/or
+.Pa id_rsa.pub
+files into this file, as described in
+.Xr ssh-keygen 1 .
+.It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts"
+These files are consulted when using rhosts with RSA host
+authentication to check the public key of the host.
+The key must be listed in one of these files to be accepted.
+The client uses the same files
+to verify that it is connecting to the correct remote host.
+These files should be writable only by root/the owner.
+.Pa /etc/ssh/ssh_known_hosts
+should be world-readable, and
+.Pa $HOME/.ssh/known_hosts
+can but need not be world-readable.
+.It Pa "/etc/ssh_known_hosts2" and "$HOME/.ssh/known_hosts2"
+These files are consulted when using protocol version 2 hostbased
+authentication to check the public key of the host.
+The key must be listed in one of these files to be accepted.
+The client uses the same files
+to verify that it is connecting to the correct remote host.
+These files should be writable only by root/the owner.
+.Pa /etc/ssh_known_hosts2
+should be world-readable, and
+.Pa $HOME/.ssh/known_hosts2
+can but need not be world-readable.
+.It Pa /etc/nologin
+If this file exists,
+.Nm
+refuses to let anyone except root log in.
+The contents of the file
+are displayed to anyone trying to log in, and non-root connections are
+refused.
+The file should be world-readable.
+.It Pa /etc/hosts.allow
+If compiled with
+.Sy LIBWRAP
+support, tcp-wrappers access controls may be defined here as described in
+.Xr hosts_access 5 .
+.It Pa $HOME/.rhosts
+This file contains host-username pairs, separated by a space, one per
+line.
+The given user on the corresponding host is permitted to log in
+without password.
+The same file is used by rlogind and rshd.
+The file must
+be writable only by the user; it is recommended that it not be
+accessible by others.
+.Pp
+If is also possible to use netgroups in the file.
+Either host or user
+name may be of the form +@groupname to specify all hosts or all users
+in the group.
+.It Pa $HOME/.shosts
+For ssh,
+this file is exactly the same as for
+.Pa .rhosts .
+However, this file is
+not used by rlogin and rshd, so using this permits access using SSH only.
+.It Pa /etc/hosts.equiv
+This file is used during
+.Pa .rhosts
+authentication.
+In the simplest form, this file contains host names, one per line.
+Users on
+those hosts are permitted to log in without a password, provided they
+have the same user name on both machines.
+The host name may also be
+followed by a user name; such users are permitted to log in as
+.Em any
+user on this machine (except root).
+Additionally, the syntax
+.Dq +@group
+can be used to specify netgroups.
+Negated entries start with
+.Ql \&- .
+.Pp
+If the client host/user is successfully matched in this file, login is
+automatically permitted provided the client and server user names are the
+same.
+Additionally, successful RSA host authentication is normally required.
+This file must be writable only by root; it is recommended
+that it be world-readable.
+.Pp
+.Sy "Warning: It is almost never a good idea to use user names in"
+.Pa hosts.equiv .
+Beware that it really means that the named user(s) can log in as
+.Em anybody ,
+which includes bin, daemon, adm, and other accounts that own critical
+binaries and directories.
+Using a user name practically grants the user root access.
+The only valid use for user names that I can think
+of is in negative entries.
+.Pp
+Note that this warning also applies to rsh/rlogin.
+.It Pa /etc/ssh/shosts.equiv
+This is processed exactly as
+.Pa /etc/hosts.equiv .
+However, this file may be useful in environments that want to run both
+rsh/rlogin and ssh.
+.It Pa $HOME/.ssh/environment
+This file is read into the environment at login (if it exists).
+It can only contain empty lines, comment lines (that start with
+.Ql # ) ,
+and assignment lines of the form name=value.
+The file should be writable
+only by the user; it need not be readable by anyone else.
+.It Pa $HOME/.ssh/rc
+If this file exists, it is run with
+.Pa /bin/sh
+after reading the
+environment files but before starting the user's shell or command.
+If X11 spoofing is in use, this will receive the "proto cookie" pair in
+standard input (and
+.Ev DISPLAY
+in environment).
+This must call
+.Xr xauth 1
+in that case.
+.Pp
+The primary purpose of this file is to run any initialization routines
+which may be needed before the user's home directory becomes
+accessible; AFS is a particular example of such an environment.
+.Pp
+This file will probably contain some initialization code followed by
+something similar to:
+.Bd -literal -offset indent
+if [ -n "$DISPLAY" ] && read proto cookie; then
+    echo add "$DISPLAY" "$proto" "$cookie" | xauth -q -
+fi
+.Ed
+.Pp
+If this file does not exist,
+.Pa /etc/ssh/sshrc
+is run, and if that
+does not exist either,
+.Xr xauth 1
+is used to store the cookie.
+.Pp
+This file should be writable only by the user, and need not be
+readable by anyone else.
+.It Pa /etc/ssh/sshrc
+Like
+.Pa $HOME/.ssh/rc .
+This can be used to specify
+machine-specific login-time initializations globally.
+This file should be writable only by root, and should be world-readable.
+.El
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+.Sh SEE ALSO
+.Xr scp 1 ,
+.Xr sftp 1 ,
+.Xr sftp-server 8 ,
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr rlogin 1 ,
+.Xr rsh 1
+.Rs
+.%A T. Ylonen
+.%A T. Kivinen
+.%A M. Saarinen
+.%A T. Rinne
+.%A S. Lehtinen
+.%T "SSH Protocol Architecture"
+.%N draft-ietf-secsh-architecture-07.txt
+.%D January 2001
+.%O work in progress material
+.Re
+.Rs
+.%A M. Friedl
+.%A N. Provos
+.%A W. A. Simpson
+.%T "Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol"
+.%N draft-ietf-secsh-dh-group-exchange-00.txt
+.%D January 2001
+.%O work in progress material
+.Re
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
new file mode 100644
index 0000000..61dbf06
--- /dev/null
+++ b/crypto/openssh/sshd.c
@@ -0,0 +1,1452 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * This program is the ssh daemon.  It listens for connections from clients,
+ * and performs authentication, executes use commands or shell, and forwards
+ * information to/from the application to the user client over an encrypted
+ * connection.  This can also handle forwarding of X11, TCP/IP, and
+ * authentication agent connections.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * SSH2 implementation:
+ *
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sshd.c,v 1.195 2001/04/15 16:58:03 markus Exp $");
+RCSID("$FreeBSD$");
+
+#include <openssl/dh.h>
+#include <openssl/bn.h>
+#include <openssl/hmac.h>
+
+#include "ssh.h"
+#include "ssh1.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "rsa.h"
+#include "sshpty.h"
+#include "packet.h"
+#include "mpaux.h"
+#include "log.h"
+#include "servconf.h"
+#include "uidswap.h"
+#include "compat.h"
+#include "buffer.h"
+#include <poll.h>
+#include <time.h>
+
+#include "cipher.h"
+#include "kex.h"
+#include "key.h"
+#include "dh.h"
+#include "myproposal.h"
+#include "authfile.h"
+#include "pathnames.h"
+#include "atomicio.h"
+#include "canohost.h"
+#include "auth.h"
+#include "misc.h"
+#include "dispatch.h"
+
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;
+#endif /* LIBWRAP */
+
+#ifndef O_NOCTTY
+#define O_NOCTTY	0
+#endif
+
+#ifdef KRB5
+#include <krb5.h>
+#endif /* KRB5 */
+
+extern char *__progname;
+
+/* Server configuration options. */
+ServerOptions options;
+
+/* Name of the server configuration file. */
+char *config_file_name = _PATH_SERVER_CONFIG_FILE;
+
+/*
+ * Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
+ * Default value is AF_UNSPEC means both IPv4 and IPv6.
+ */
+int IPv4or6 = AF_UNSPEC;
+
+/*
+ * Debug mode flag.  This can be set on the command line.  If debug
+ * mode is enabled, extra debugging output will be sent to the system
+ * log, the daemon will not go to background, and will exit after processing
+ * the first connection.
+ */
+int debug_flag = 0;
+
+/* Flag indicating that the daemon is being started from inetd. */
+int inetd_flag = 0;
+
+/* Flag indicating that sshd should not detach and become a daemon. */
+int no_daemon_flag = 0;
+
+/* debug goes to stderr unless inetd_flag is set */
+int log_stderr = 0;
+
+/* Saved arguments to main(). */
+char **saved_argv;
+
+/*
+ * The sockets that the server is listening; this is used in the SIGHUP
+ * signal handler.
+ */
+#define	MAX_LISTEN_SOCKS	16
+int listen_socks[MAX_LISTEN_SOCKS];
+int num_listen_socks = 0;
+
+/*
+ * the client's version string, passed by sshd2 in compat mode. if != NULL,
+ * sshd will skip the version-number exchange
+ */
+char *client_version_string = NULL;
+char *server_version_string = NULL;
+
+/* for rekeying XXX fixme */
+Kex *xxx_kex;
+
+/*
+ * Any really sensitive data in the application is contained in this
+ * structure. The idea is that this structure could be locked into memory so
+ * that the pages do not get written into swap.  However, there are some
+ * problems. The private key contains BIGNUMs, and we do not (in principle)
+ * have access to the internals of them, and locking just the structure is
+ * not very useful.  Currently, memory locking is not implemented.
+ */
+struct {
+	Key	*server_key;		/* ephemeral server key */
+	Key	*ssh1_host_key;		/* ssh1 host key */
+	Key	**host_keys;		/* all private host keys */
+	int	have_ssh1_key;
+	int	have_ssh2_key;
+	u_char	ssh1_cookie[SSH_SESSION_KEY_LENGTH];
+} sensitive_data;
+
+/*
+ * Flag indicating whether the RSA server key needs to be regenerated.
+ * Is set in the SIGALRM handler and cleared when the key is regenerated.
+ */
+int key_do_regen = 0;
+
+/* This is set to true when SIGHUP is received. */
+int received_sighup = 0;
+
+/* session identifier, used by RSA-auth */
+u_char session_id[16];
+
+/* same for ssh2 */
+u_char *session_id2 = NULL;
+int session_id2_len = 0;
+
+/* record remote hostname or ip */
+u_int utmp_len = MAXHOSTNAMELEN;
+
+/* Prototypes for various functions defined later in this file. */
+void do_ssh1_kex(void);
+void do_ssh2_kex(void);
+
+void ssh_dh1_server(Kex *, Buffer *_kexinit, Buffer *);
+void ssh_dhgex_server(Kex *, Buffer *_kexinit, Buffer *);
+
+/*
+ * Close all listening sockets
+ */
+void
+close_listen_socks(void)
+{
+	int i;
+	for (i = 0; i < num_listen_socks; i++)
+		close(listen_socks[i]);
+	num_listen_socks = -1;
+}
+
+/*
+ * Signal handler for SIGHUP.  Sshd execs itself when it receives SIGHUP;
+ * the effect is to reread the configuration file (and to regenerate
+ * the server key).
+ */
+void
+sighup_handler(int sig)
+{
+	received_sighup = 1;
+	signal(SIGHUP, sighup_handler);
+}
+
+/*
+ * Called from the main program after receiving SIGHUP.
+ * Restarts the server.
+ */
+void
+sighup_restart(void)
+{
+	log("Received SIGHUP; restarting.");
+	close_listen_socks();
+	execv(saved_argv[0], saved_argv);
+	log("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], strerror(errno));
+	exit(1);
+}
+
+/*
+ * Generic signal handler for terminating signals in the master daemon.
+ * These close the listen socket; not closing it seems to cause "Address
+ * already in use" problems on some machines, which is inconvenient.
+ */
+void
+sigterm_handler(int sig)
+{
+	log("Received signal %d; terminating.", sig);
+	close_listen_socks();
+	unlink(options.pid_file);
+	exit(255);
+}
+
+/*
+ * SIGCHLD handler.  This is called whenever a child dies.  This will then
+ * reap any zombies left by exited c.
+ */
+void
+main_sigchld_handler(int sig)
+{
+	int save_errno = errno;
+	int status;
+
+	while (waitpid(-1, &status, WNOHANG) > 0)
+		;
+
+	signal(SIGCHLD, main_sigchld_handler);
+	errno = save_errno;
+}
+
+/*
+ * Signal handler for the alarm after the login grace period has expired.
+ */
+void
+grace_alarm_handler(int sig)
+{
+	/* Close the connection. */
+	packet_close();
+
+	/* Log error and exit. */
+	fatal("Timeout before authentication for %s.", get_remote_ipaddr());
+}
+
+/*
+ * Signal handler for the key regeneration alarm.  Note that this
+ * alarm only occurs in the daemon waiting for connections, and it does not
+ * do anything with the private key or random state before forking.
+ * Thus there should be no concurrency control/asynchronous execution
+ * problems.
+ */
+void
+generate_ephemeral_server_key(void)
+{
+	u_int32_t rand = 0;
+	int i;
+
+	verbose("Generating %s%d bit RSA key.",
+	    sensitive_data.server_key ? "new " : "", options.server_key_bits);
+	if (sensitive_data.server_key != NULL)
+		key_free(sensitive_data.server_key);
+	sensitive_data.server_key = key_generate(KEY_RSA1,
+	    options.server_key_bits);
+	verbose("RSA key generation complete.");
+
+	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
+		if (i % 4 == 0)
+			rand = arc4random();
+		sensitive_data.ssh1_cookie[i] = rand & 0xff;
+		rand >>= 8;
+	}
+	arc4random_stir();
+}
+
+void
+key_regeneration_alarm(int sig)
+{
+	int save_errno = errno;
+	signal(SIGALRM, SIG_DFL);
+	errno = save_errno;
+	key_do_regen = 1;
+}
+
+void
+sshd_exchange_identification(int sock_in, int sock_out)
+{
+	int i, mismatch;
+	int remote_major, remote_minor;
+	int major, minor;
+	char *s;
+	char buf[256];			/* Must not be larger than remote_version. */
+	char remote_version[256];	/* Must be at least as big as buf. */
+
+	if ((options.protocol & SSH_PROTO_1) &&
+	    (options.protocol & SSH_PROTO_2)) {
+		major = PROTOCOL_MAJOR_1;
+		minor = 99;
+	} else if (options.protocol & SSH_PROTO_2) {
+		major = PROTOCOL_MAJOR_2;
+		minor = PROTOCOL_MINOR_2;
+	} else {
+		major = PROTOCOL_MAJOR_1;
+		minor = PROTOCOL_MINOR_1;
+	}
+	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
+	server_version_string = xstrdup(buf);
+
+	if (client_version_string == NULL) {
+		/* Send our protocol version identification. */
+		if (atomicio(write, sock_out, server_version_string, strlen(server_version_string))
+		    != strlen(server_version_string)) {
+			log("Could not write ident string to %s.", get_remote_ipaddr());
+			fatal_cleanup();
+		}
+
+		/* Read other side's version identification. */
+		memset(buf, 0, sizeof(buf));
+		for (i = 0; i < sizeof(buf) - 1; i++) {
+			if (atomicio(read, sock_in, &buf[i], 1) != 1) {
+				log("Did not receive identification string from %s.",
+				    get_remote_ipaddr());
+				fatal_cleanup();
+			}
+			if (buf[i] == '\r') {
+				buf[i] = 0;
+				/* Kludge for F-Secure Macintosh < 1.0.2 */
+				if (i == 12 &&
+				    strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
+					break;
+				continue;
+			}
+			if (buf[i] == '\n') {
+				buf[i] = 0;
+				break;
+			}
+		}
+		buf[sizeof(buf) - 1] = 0;
+		client_version_string = xstrdup(buf);
+	}
+
+	/*
+	 * Check that the versions match.  In future this might accept
+	 * several versions and set appropriate flags to handle them.
+	 */
+	if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
+	    &remote_major, &remote_minor, remote_version) != 3) {
+		s = "Protocol mismatch.\n";
+		(void) atomicio(write, sock_out, s, strlen(s));
+		close(sock_in);
+		close(sock_out);
+		log("Bad protocol version identification '%.100s' from %s",
+		    client_version_string, get_remote_ipaddr());
+		fatal_cleanup();
+	}
+	debug("Client protocol version %d.%d; client software version %.100s",
+	      remote_major, remote_minor, remote_version);
+
+	compat_datafellows(remote_version);
+
+	if (datafellows & SSH_BUG_SCANNER) {
+		log("scanned from %s with %s.  Don't panic.",
+		    get_remote_ipaddr(), client_version_string);
+		fatal_cleanup();
+	}
+
+	mismatch = 0;
+	switch(remote_major) {
+	case 1:
+		if (remote_minor == 99) {
+			if (options.protocol & SSH_PROTO_2)
+				enable_compat20();
+			else
+				mismatch = 1;
+			break;
+		}
+		if (!(options.protocol & SSH_PROTO_1)) {
+			mismatch = 1;
+			break;
+		}
+		if (remote_minor < 3) {
+			packet_disconnect("Your ssh version is too old and "
+			    "is no longer supported.  Please install a newer version.");
+		} else if (remote_minor == 3) {
+			/* note that this disables agent-forwarding */
+			enable_compat13();
+		}
+		break;
+	case 2:
+		if (options.protocol & SSH_PROTO_2) {
+			enable_compat20();
+			break;
+		}
+		/* FALLTHROUGH */
+	default:
+		mismatch = 1;
+		break;
+	}
+	chop(server_version_string);
+	debug("Local version string %.200s", server_version_string);
+
+	if (mismatch) {
+		s = "Protocol major versions differ.\n";
+		(void) atomicio(write, sock_out, s, strlen(s));
+		close(sock_in);
+		close(sock_out);
+		log("Protocol major versions differ for %s: %.200s vs. %.200s",
+		    get_remote_ipaddr(),
+		    server_version_string, client_version_string);
+		fatal_cleanup();
+	}
+	if (compat20)
+		packet_set_ssh2_format();
+}
+
+
+/* Destroy the host and server keys.  They will no longer be needed. */
+void
+destroy_sensitive_data(void)
+{
+	int i;
+
+	if (sensitive_data.server_key) {
+		key_free(sensitive_data.server_key);
+		sensitive_data.server_key = NULL;
+	}
+	for(i = 0; i < options.num_host_key_files; i++) {
+		if (sensitive_data.host_keys[i]) {
+			key_free(sensitive_data.host_keys[i]);
+			sensitive_data.host_keys[i] = NULL;
+		}
+	}
+	sensitive_data.ssh1_host_key = NULL;
+	memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
+}
+
+char *
+list_hostkey_types(void)
+{
+	static char buf[1024];
+	int i;
+	buf[0] = '\0';
+	for(i = 0; i < options.num_host_key_files; i++) {
+		Key *key = sensitive_data.host_keys[i];
+		if (key == NULL)
+			continue;
+		switch(key->type) {
+		case KEY_RSA:
+		case KEY_DSA:
+			strlcat(buf, key_ssh_name(key), sizeof buf);
+			strlcat(buf, ",", sizeof buf);
+			break;
+		}
+	}
+	i = strlen(buf);
+	if (i > 0 && buf[i-1] == ',')
+		buf[i-1] = '\0';
+	debug("list_hostkey_types: %s", buf);
+	return buf;
+}
+
+Key *
+get_hostkey_by_type(int type)
+{
+	int i;
+	for(i = 0; i < options.num_host_key_files; i++) {
+		Key *key = sensitive_data.host_keys[i];
+		if (key != NULL && key->type == type)
+			return key;
+	}
+	return NULL;
+}
+
+/*
+ * returns 1 if connection should be dropped, 0 otherwise.
+ * dropping starts at connection #max_startups_begin with a probability
+ * of (max_startups_rate/100). the probability increases linearly until
+ * all connections are dropped for startups > max_startups
+ */
+int
+drop_connection(int startups)
+{
+	double p, r;
+
+	if (startups < options.max_startups_begin)
+		return 0;
+	if (startups >= options.max_startups)
+		return 1;
+	if (options.max_startups_rate == 100)
+		return 1;
+
+	p  = 100 - options.max_startups_rate;
+	p *= startups - options.max_startups_begin;
+	p /= (double) (options.max_startups - options.max_startups_begin);
+	p += options.max_startups_rate;
+	p /= 100.0;
+	r = arc4random() / (double) UINT_MAX;
+
+	debug("drop_connection: p %g, r %g", p, r);
+	return (r < p) ? 1 : 0;
+}
+
+int *startup_pipes = NULL;	/* options.max_startup sized array of fd ints */
+int startup_pipe;		/* in child */
+
+/*
+ * Main program for the daemon.
+ */
+int
+main(int ac, char **av)
+{
+	extern char *optarg;
+	extern int optind;
+	int opt, sock_in = 0, sock_out = 0, newsock, j, i, fdsetsz, on = 1;
+	pid_t pid;
+	socklen_t fromlen;
+	fd_set *fdset;
+	struct sockaddr_storage from;
+	const char *remote_ip;
+	int remote_port;
+	FILE *f;
+	struct linger linger;
+	struct addrinfo *ai;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	int listen_sock, maxfd;
+	int startup_p[2];
+	int startups = 0;
+	Key *key;
+	int ret, key_used = 0;
+
+	/* Save argv. */
+	saved_argv = av;
+
+	/* Initialize configuration options to their default values. */
+	initialize_server_options(&options);
+
+	/* Parse command-line arguments. */
+	while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:dDeiqQ46")) != -1) {
+		switch (opt) {
+		case '4':
+			IPv4or6 = AF_INET;
+			break;
+		case '6':
+			IPv4or6 = AF_INET6;
+			break;
+		case 'f':
+			config_file_name = optarg;
+			break;
+		case 'd':
+			if (0 == debug_flag) {
+				debug_flag = 1;
+				options.log_level = SYSLOG_LEVEL_DEBUG1;
+			} else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {
+				options.log_level++;
+			} else {
+				fprintf(stderr, "Too high debugging level.\n");
+				exit(1);
+			}
+			break;
+		case 'D':
+			no_daemon_flag = 1;
+			break;
+		case 'e':
+			log_stderr = 1;
+			break;
+		case 'i':
+			inetd_flag = 1;
+			break;
+		case 'Q':
+			/* ignored */
+			break;
+		case 'q':
+			options.log_level = SYSLOG_LEVEL_QUIET;
+			break;
+		case 'b':
+			options.server_key_bits = atoi(optarg);
+			break;
+		case 'p':
+			options.ports_from_cmdline = 1;
+			if (options.num_ports >= MAX_PORTS) {
+				fprintf(stderr, "too many ports.\n");
+				exit(1);
+			}
+			options.ports[options.num_ports++] = a2port(optarg);
+			if (options.ports[options.num_ports-1] == 0) {
+				fprintf(stderr, "Bad port number.\n");
+				exit(1);
+			}
+			break;
+		case 'g':
+			options.login_grace_time = atoi(optarg);
+			break;
+		case 'k':
+			options.key_regeneration_time = atoi(optarg);
+			break;
+		case 'h':
+			if (options.num_host_key_files >= MAX_HOSTKEYS) {
+				fprintf(stderr, "too many host keys.\n");
+				exit(1);
+			}
+			options.host_key_files[options.num_host_key_files++] = optarg;
+			break;
+		case 'V':
+			client_version_string = optarg;
+			/* only makes sense with inetd_flag, i.e. no listen() */
+			inetd_flag = 1;
+			break;
+		case 'u':
+			utmp_len = atoi(optarg);
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "sshd version %s\n", SSH_VERSION);
+			fprintf(stderr, "Usage: %s [options]\n", __progname);
+			fprintf(stderr, "Options:\n");
+			fprintf(stderr, "  -f file    Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE);
+			fprintf(stderr, "  -d         Debugging mode (multiple -d means more debugging)\n");
+			fprintf(stderr, "  -i         Started from inetd\n");
+			fprintf(stderr, "  -D         Do not fork into daemon mode\n");
+			fprintf(stderr, "  -q         Quiet (no logging)\n");
+			fprintf(stderr, "  -p port    Listen on the specified port (default: 22)\n");
+			fprintf(stderr, "  -k seconds Regenerate server key every this many seconds (default: 3600)\n");
+			fprintf(stderr, "  -g seconds Grace period for authentication (default: 600)\n");
+			fprintf(stderr, "  -b bits    Size of server RSA key (default: 768 bits)\n");
+			fprintf(stderr, "  -h file    File from which to read host key (default: %s)\n",
+			    _PATH_HOST_KEY_FILE);
+			fprintf(stderr, "  -u len     Maximum hostname length for utmp recording\n");
+			fprintf(stderr, "  -4         Use IPv4 only\n");
+			fprintf(stderr, "  -6         Use IPv6 only\n");
+			exit(1);
+		}
+	}
+	SSLeay_add_all_algorithms();
+
+	/*
+	 * Force logging to stderr until we have loaded the private host
+	 * key (unless started from inetd)
+	 */
+	log_init(__progname,
+	    options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
+	    options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility,
+	    !inetd_flag);
+
+	/* Read server configuration options from the configuration file. */
+	read_server_config(&options, config_file_name);
+
+	/* Fill in default values for those options not explicitly set. */
+	fill_default_server_options(&options);
+
+	/* Check that there are no remaining arguments. */
+	if (optind < ac) {
+		fprintf(stderr, "Extra argument %s.\n", av[optind]);
+		exit(1);
+	}
+
+	debug("sshd version %.100s", SSH_VERSION);
+
+	/* load private host keys */
+	sensitive_data.host_keys = xmalloc(options.num_host_key_files*sizeof(Key*));
+	for(i = 0; i < options.num_host_key_files; i++)
+		sensitive_data.host_keys[i] = NULL;
+	sensitive_data.server_key = NULL;
+	sensitive_data.ssh1_host_key = NULL;
+	sensitive_data.have_ssh1_key = 0;
+	sensitive_data.have_ssh2_key = 0;
+
+	for(i = 0; i < options.num_host_key_files; i++) {
+		key = key_load_private(options.host_key_files[i], "", NULL);
+		sensitive_data.host_keys[i] = key;
+		if (key == NULL) {
+			error("Could not load host key: %s",
+			    options.host_key_files[i]);
+			sensitive_data.host_keys[i] = NULL;
+			continue;
+		}
+		switch(key->type){
+		case KEY_RSA1:
+			sensitive_data.ssh1_host_key = key;
+			sensitive_data.have_ssh1_key = 1;
+			break;
+		case KEY_RSA:
+		case KEY_DSA:
+			sensitive_data.have_ssh2_key = 1;
+			break;
+		}
+		debug("private host key: #%d type %d %s", i, key->type,
+		    key_type(key));
+	}
+	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
+		log("Disabling protocol version 1. Could not load host key");
+		options.protocol &= ~SSH_PROTO_1;
+	}
+	if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
+		log("Disabling protocol version 2. Could not load host key");
+		options.protocol &= ~SSH_PROTO_2;
+	}
+	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
+		log("sshd: no hostkeys available -- exiting.");
+		exit(1);
+	}
+
+	/* Check certain values for sanity. */
+	if (options.protocol & SSH_PROTO_1) {
+		if (options.server_key_bits < 512 ||
+		    options.server_key_bits > 32768) {
+			fprintf(stderr, "Bad server key size.\n");
+			exit(1);
+		}
+		/*
+		 * Check that server and host key lengths differ sufficiently. This
+		 * is necessary to make double encryption work with rsaref. Oh, I
+		 * hate software patents. I dont know if this can go? Niels
+		 */
+		if (options.server_key_bits >
+		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) - SSH_KEY_BITS_RESERVED &&
+		    options.server_key_bits <
+		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
+			options.server_key_bits =
+			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED;
+			debug("Forcing server key to %d bits to make it differ from host key.",
+			    options.server_key_bits);
+		}
+	}
+
+	/* Initialize the log (it is reinitialized below in case we forked). */
+	if (debug_flag && !inetd_flag)
+		log_stderr = 1;
+	log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
+	/*
+	 * If not in debugging mode, and not started from inetd, disconnect
+	 * from the controlling terminal, and fork.  The original process
+	 * exits.
+	 */
+	if (!(debug_flag || inetd_flag || no_daemon_flag)) {
+#ifdef TIOCNOTTY
+		int fd;
+#endif /* TIOCNOTTY */
+		if (daemon(0, 0) < 0)
+			fatal("daemon() failed: %.200s", strerror(errno));
+
+		/* Disconnect from the controlling tty. */
+#ifdef TIOCNOTTY
+		fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
+		if (fd >= 0) {
+			(void) ioctl(fd, TIOCNOTTY, NULL);
+			close(fd);
+		}
+#endif /* TIOCNOTTY */
+	}
+	/* Reinitialize the log (because of the fork above). */
+	log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
+	/* Initialize the random number generator. */
+	arc4random_stir();
+
+	/* Chdir to the root directory so that the current disk can be
+	   unmounted if desired. */
+	chdir("/");
+	
+	/* ignore SIGPIPE */
+	signal(SIGPIPE, SIG_IGN);
+
+	/* Start listening for a socket, unless started from inetd. */
+	if (inetd_flag) {
+		int s1;
+		s1 = dup(0);	/* Make sure descriptors 0, 1, and 2 are in use. */
+		dup(s1);
+		sock_in = dup(0);
+		sock_out = dup(1);
+		startup_pipe = -1;
+		/*
+		 * We intentionally do not close the descriptors 0, 1, and 2
+		 * as our code for setting the descriptors won\'t work if
+		 * ttyfd happens to be one of those.
+		 */
+		debug("inetd sockets after dupping: %d, %d", sock_in, sock_out);
+		if (options.protocol & SSH_PROTO_1)
+			generate_ephemeral_server_key();
+	} else {
+		for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+				continue;
+			if (num_listen_socks >= MAX_LISTEN_SOCKS)
+				fatal("Too many listen sockets. "
+				    "Enlarge MAX_LISTEN_SOCKS");
+			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
+			    ntop, sizeof(ntop), strport, sizeof(strport),
+			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+				error("getnameinfo failed");
+				continue;
+			}
+			/* Create socket for listening. */
+			listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
+			if (listen_sock < 0) {
+				/* kernel may not support ipv6 */
+				verbose("socket: %.100s", strerror(errno));
+				continue;
+			}
+			if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) {
+				error("listen_sock O_NONBLOCK: %s", strerror(errno));
+				close(listen_sock);
+				continue;
+			}
+			/*
+			 * Set socket options.  We try to make the port
+			 * reusable and have it close as fast as possible
+			 * without waiting in unnecessary wait states on
+			 * close.
+			 */
+			setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
+			    (void *) &on, sizeof(on));
+			linger.l_onoff = 1;
+			linger.l_linger = 5;
+			setsockopt(listen_sock, SOL_SOCKET, SO_LINGER,
+			    (void *) &linger, sizeof(linger));
+
+			debug("Bind to port %s on %s.", strport, ntop);
+
+			/* Bind the socket to the desired port. */
+			if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+				error("Bind to port %s on %s failed: %.200s.",
+				    strport, ntop, strerror(errno));
+				close(listen_sock);
+				continue;
+			}
+			listen_socks[num_listen_socks] = listen_sock;
+			num_listen_socks++;
+
+			/* Start listening on the port. */
+			log("Server listening on %s port %s.", ntop, strport);
+			if (listen(listen_sock, 5) < 0)
+				fatal("listen: %.100s", strerror(errno));
+
+		}
+		freeaddrinfo(options.listen_addrs);
+
+		if (!num_listen_socks)
+			fatal("Cannot bind any address.");
+
+		if (!debug_flag) {
+			/*
+			 * Record our pid in /var/run/sshd.pid to make it
+			 * easier to kill the correct sshd.  We don't want to
+			 * do this before the bind above because the bind will
+			 * fail if there already is a daemon, and this will
+			 * overwrite any old pid in the file.
+			 */
+			f = fopen(options.pid_file, "w");
+			if (f) {
+				fprintf(f, "%u\n", (u_int) getpid());
+				fclose(f);
+			}
+		}
+		if (options.protocol & SSH_PROTO_1)
+			generate_ephemeral_server_key();
+
+		/* Arrange to restart on SIGHUP.  The handler needs listen_sock. */
+		signal(SIGHUP, sighup_handler);
+
+		signal(SIGTERM, sigterm_handler);
+		signal(SIGQUIT, sigterm_handler);
+
+		/* Arrange SIGCHLD to be caught. */
+		signal(SIGCHLD, main_sigchld_handler);
+
+		/* setup fd set for listen */
+		fdset = NULL;
+		maxfd = 0;
+		for (i = 0; i < num_listen_socks; i++)
+			if (listen_socks[i] > maxfd)
+				maxfd = listen_socks[i];
+		/* pipes connected to unauthenticated childs */
+		startup_pipes = xmalloc(options.max_startups * sizeof(int));
+		for (i = 0; i < options.max_startups; i++)
+			startup_pipes[i] = -1;
+
+		/*
+		 * Stay listening for connections until the system crashes or
+		 * the daemon is killed with a signal.
+		 */
+		for (;;) {
+			if (received_sighup)
+				sighup_restart();
+			if (fdset != NULL)
+				xfree(fdset);
+			fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask);
+			fdset = (fd_set *)xmalloc(fdsetsz);
+			memset(fdset, 0, fdsetsz);
+
+			for (i = 0; i < num_listen_socks; i++)
+				FD_SET(listen_socks[i], fdset);
+			for (i = 0; i < options.max_startups; i++)
+				if (startup_pipes[i] != -1)
+					FD_SET(startup_pipes[i], fdset);
+
+			/* Wait in select until there is a connection. */
+			ret = select(maxfd+1, fdset, NULL, NULL, NULL);
+			if (ret < 0 && errno != EINTR)
+				error("select: %.100s", strerror(errno));
+			if (key_used && key_do_regen) {
+				generate_ephemeral_server_key();
+				key_used = 0;
+				key_do_regen = 0;
+			}
+			if (ret < 0)
+				continue;
+
+			for (i = 0; i < options.max_startups; i++)
+				if (startup_pipes[i] != -1 &&
+				    FD_ISSET(startup_pipes[i], fdset)) {
+					/*
+					 * the read end of the pipe is ready
+					 * if the child has closed the pipe
+					 * after successful authentication
+					 * or if the child has died
+					 */
+					close(startup_pipes[i]);
+					startup_pipes[i] = -1;
+					startups--;
+				}
+			for (i = 0; i < num_listen_socks; i++) {
+				if (!FD_ISSET(listen_socks[i], fdset))
+					continue;
+				fromlen = sizeof(from);
+				newsock = accept(listen_socks[i], (struct sockaddr *)&from,
+				    &fromlen);
+				if (newsock < 0) {
+					if (errno != EINTR && errno != EWOULDBLOCK)
+						error("accept: %.100s", strerror(errno));
+					continue;
+				}
+				if (fcntl(newsock, F_SETFL, 0) < 0) {
+					error("newsock del O_NONBLOCK: %s", strerror(errno));
+					continue;
+				}
+				if (drop_connection(startups) == 1) {
+					debug("drop connection #%d", startups);
+					close(newsock);
+					continue;
+				}
+				if (pipe(startup_p) == -1) {
+					close(newsock);
+					continue;
+				}
+
+				for (j = 0; j < options.max_startups; j++)
+					if (startup_pipes[j] == -1) {
+						startup_pipes[j] = startup_p[0];
+						if (maxfd < startup_p[0])
+							maxfd = startup_p[0];
+						startups++;
+						break;
+					}
+
+				/*
+				 * Got connection.  Fork a child to handle it, unless
+				 * we are in debugging mode.
+				 */
+				if (debug_flag) {
+					/*
+					 * In debugging mode.  Close the listening
+					 * socket, and start processing the
+					 * connection without forking.
+					 */
+					debug("Server will not fork when running in debugging mode.");
+					close_listen_socks();
+					sock_in = newsock;
+					sock_out = newsock;
+					startup_pipe = -1;
+					pid = getpid();
+					break;
+				} else {
+					/*
+					 * Normal production daemon.  Fork, and have
+					 * the child process the connection. The
+					 * parent continues listening.
+					 */
+					if ((pid = fork()) == 0) {
+						/*
+						 * Child.  Close the listening and max_startup
+						 * sockets.  Start using the accepted socket.
+						 * Reinitialize logging (since our pid has
+						 * changed).  We break out of the loop to handle
+						 * the connection.
+						 */
+						startup_pipe = startup_p[1];
+						for (j = 0; j < options.max_startups; j++)
+							if (startup_pipes[j] != -1)
+								close(startup_pipes[j]);
+						close_listen_socks();
+						sock_in = newsock;
+						sock_out = newsock;
+						log_init(__progname, options.log_level, options.log_facility, log_stderr);
+						break;
+					}
+				}
+
+				/* Parent.  Stay in the loop. */
+				if (pid < 0)
+					error("fork: %.100s", strerror(errno));
+				else
+					debug("Forked child %d.", pid);
+
+				close(startup_p[1]);
+
+				/* Mark that the key has been used (it was "given" to the child). */
+				if ((options.protocol & SSH_PROTO_1) &&
+				    key_used == 0) {
+					/* Schedule server key regeneration alarm. */
+					signal(SIGALRM, key_regeneration_alarm);
+					alarm(options.key_regeneration_time);
+					key_used = 1;
+				}
+
+				arc4random_stir();
+
+				/* Close the new socket (the child is now taking care of it). */
+				close(newsock);
+			}
+			/* child process check (or debug mode) */
+			if (num_listen_socks < 0)
+				break;
+		}
+	}
+
+	/* This is the child processing a new connection. */
+
+	/*
+	 * Disable the key regeneration alarm.  We will not regenerate the
+	 * key since we are no longer in a position to give it to anyone. We
+	 * will not restart on SIGHUP since it no longer makes sense.
+	 */
+	alarm(0);
+	signal(SIGALRM, SIG_DFL);
+	signal(SIGHUP, SIG_DFL);
+	signal(SIGTERM, SIG_DFL);
+	signal(SIGQUIT, SIG_DFL);
+	signal(SIGCHLD, SIG_DFL);
+	signal(SIGPIPE, SIG_IGN);
+
+	/*
+	 * Set socket options for the connection.  We want the socket to
+	 * close as fast as possible without waiting for anything.  If the
+	 * connection is not a socket, these will do nothing.
+	 */
+	/* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
+	linger.l_onoff = 1;
+	linger.l_linger = 5;
+	setsockopt(sock_in, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));
+
+	/* Set keepalives if requested. */
+	if (options.keepalives &&
+	    setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
+	    sizeof(on)) < 0)
+		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+
+	/*
+	 * Register our connection.  This turns encryption off because we do
+	 * not have a key.
+	 */
+	packet_set_connection(sock_in, sock_out);
+
+	remote_port = get_remote_port();
+	remote_ip = get_remote_ipaddr();
+
+	/* Check whether logins are denied from this host. */
+#ifdef LIBWRAP
+	{
+		struct request_info req;
+
+		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, NULL);
+		fromhost(&req);
+
+		if (!hosts_access(&req)) {
+			refuse(&req);
+			close(sock_in);
+			close(sock_out);
+		}
+		verbose("Connection from %.500s port %d", eval_client(&req), remote_port);
+	}
+#endif /* LIBWRAP */
+	/* Log the connection. */
+	verbose("Connection from %.500s port %d", remote_ip, remote_port);
+
+	/*
+	 * We don\'t want to listen forever unless the other side
+	 * successfully authenticates itself.  So we set up an alarm which is
+	 * cleared after successful authentication.  A limit of zero
+	 * indicates no limit. Note that we don\'t set the alarm in debugging
+	 * mode; it is just annoying to have the server exit just when you
+	 * are about to discover the bug.
+	 */
+	signal(SIGALRM, grace_alarm_handler);
+	if (!debug_flag)
+		alarm(options.login_grace_time);
+
+	sshd_exchange_identification(sock_in, sock_out);
+	/*
+	 * Check that the connection comes from a privileged port.
+	 * Rhosts-Authentication only makes sense from priviledged
+	 * programs.  Of course, if the intruder has root access on his local
+	 * machine, he can connect from any port.  So do not use these
+	 * authentication methods from machines that you do not trust.
+	 */
+	if (remote_port >= IPPORT_RESERVED ||
+	    remote_port < IPPORT_RESERVED / 2) {
+		debug("Rhosts Authentication disabled, "
+		    "originating port not trusted.");
+		options.rhosts_authentication = 0;
+	}
+#if defined(KRB4) && !defined(KRB5)
+	if (!packet_connection_is_ipv4() &&
+	    options.kerberos_authentication) {
+		debug("Kerberos Authentication disabled, only available for IPv4.");
+		options.kerberos_authentication = 0;
+	}
+#endif /* KRB4 */
+#ifdef AFS
+	/* If machine has AFS, set process authentication group. */
+	if (k_hasafs()) {
+		k_setpag();
+		k_unlog();
+	}
+#endif /* AFS */
+
+	packet_set_nonblocking();
+
+	/* perform the key exchange */
+	/* authenticate user and start session */
+	if (compat20) {
+		do_ssh2_kex();
+		do_authentication2();
+	} else {
+		do_ssh1_kex();
+		do_authentication();
+	}
+
+#ifdef KRB4
+	/* Cleanup user's ticket cache file. */
+	if (options.krb4_ticket_cleanup)
+		(void) dest_tkt();
+#endif /* KRB4 */
+
+	/* The connection has been terminated. */
+	verbose("Closing connection to %.100s", remote_ip);
+
+#ifdef USE_PAM
+	finish_pam();
+#endif /* USE_PAM */
+
+	packet_close();
+	exit(0);
+}
+
+/*
+ * SSH1 key exchange
+ */
+void
+do_ssh1_kex(void)
+{
+	int i, len;
+	int plen, slen;
+	int rsafail = 0;
+	BIGNUM *session_key_int;
+	u_char session_key[SSH_SESSION_KEY_LENGTH];
+	u_char cookie[8];
+	u_int cipher_type, auth_mask, protocol_flags;
+	u_int32_t rand = 0;
+
+	/*
+	 * Generate check bytes that the client must send back in the user
+	 * packet in order for it to be accepted; this is used to defy ip
+	 * spoofing attacks.  Note that this only works against somebody
+	 * doing IP spoofing from a remote machine; any machine on the local
+	 * network can still see outgoing packets and catch the random
+	 * cookie.  This only affects rhosts authentication, and this is one
+	 * of the reasons why it is inherently insecure.
+	 */
+	for (i = 0; i < 8; i++) {
+		if (i % 4 == 0)
+			rand = arc4random();
+		cookie[i] = rand & 0xff;
+		rand >>= 8;
+	}
+
+	/*
+	 * Send our public key.  We include in the packet 64 bits of random
+	 * data that must be matched in the reply in order to prevent IP
+	 * spoofing.
+	 */
+	packet_start(SSH_SMSG_PUBLIC_KEY);
+	for (i = 0; i < 8; i++)
+		packet_put_char(cookie[i]);
+
+	/* Store our public server RSA key. */
+	packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));
+	packet_put_bignum(sensitive_data.server_key->rsa->e);
+	packet_put_bignum(sensitive_data.server_key->rsa->n);
+
+	/* Store our public host RSA key. */
+	packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
+	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
+	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
+
+	/* Put protocol flags. */
+	packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
+
+	/* Declare which ciphers we support. */
+	packet_put_int(cipher_mask_ssh1(0));
+
+	/* Declare supported authentication types. */
+	auth_mask = 0;
+	if (options.rhosts_authentication)
+		auth_mask |= 1 << SSH_AUTH_RHOSTS;
+	if (options.rhosts_rsa_authentication)
+		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
+	if (options.rsa_authentication)
+		auth_mask |= 1 << SSH_AUTH_RSA;
+#if defined(KRB4) || defined(KRB5)
+	if (options.kerberos_authentication)
+		auth_mask |= 1 << SSH_AUTH_KERBEROS;
+#endif
+#ifdef KRB5
+	if (options.krb5_tgt_passing)
+	  	auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
+#endif /* KRB5 */
+
+#ifdef AFS
+	if (options.krb4_tgt_passing)
+		auth_mask |= 1 << SSH_PASS_KRB4_TGT;
+	if (options.afs_token_passing)
+		auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
+#endif
+	if (options.challenge_reponse_authentication == 1)
+		auth_mask |= 1 << SSH_AUTH_TIS;
+	if (options.password_authentication)
+		auth_mask |= 1 << SSH_AUTH_PASSWORD;
+	packet_put_int(auth_mask);
+
+	/* Send the packet and wait for it to be sent. */
+	packet_send();
+	packet_write_wait();
+
+	debug("Sent %d bit server key and %d bit host key.",
+	    BN_num_bits(sensitive_data.server_key->rsa->n),
+	    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
+
+	/* Read clients reply (cipher type and session key). */
+	packet_read_expect(&plen, SSH_CMSG_SESSION_KEY);
+
+	/* Get cipher type and check whether we accept this. */
+	cipher_type = packet_get_char();
+
+	if (!(cipher_mask_ssh1(0) & (1 << cipher_type)))
+		packet_disconnect("Warning: client selects unsupported cipher.");
+
+	/* Get check bytes from the packet.  These must match those we
+	   sent earlier with the public key packet. */
+	for (i = 0; i < 8; i++)
+		if (cookie[i] != packet_get_char())
+			packet_disconnect("IP Spoofing check bytes do not match.");
+
+	debug("Encryption type: %.200s", cipher_name(cipher_type));
+
+	/* Get the encrypted integer. */
+	session_key_int = BN_new();
+	packet_get_bignum(session_key_int, &slen);
+
+	protocol_flags = packet_get_int();
+	packet_set_protocol_flags(protocol_flags);
+
+	packet_integrity_check(plen, 1 + 8 + slen + 4, SSH_CMSG_SESSION_KEY);
+
+	/*
+	 * Decrypt it using our private server key and private host key (key
+	 * with larger modulus first).
+	 */
+	if (BN_cmp(sensitive_data.server_key->rsa->n, sensitive_data.ssh1_host_key->rsa->n) > 0) {
+		/* Server key has bigger modulus. */
+		if (BN_num_bits(sensitive_data.server_key->rsa->n) <
+		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
+			fatal("do_connection: %s: server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
+			    get_remote_ipaddr(),
+			    BN_num_bits(sensitive_data.server_key->rsa->n),
+			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
+			    SSH_KEY_BITS_RESERVED);
+		}
+		if (rsa_private_decrypt(session_key_int, session_key_int,
+		    sensitive_data.server_key->rsa) <= 0)
+			rsafail++;
+		if (rsa_private_decrypt(session_key_int, session_key_int,
+		    sensitive_data.ssh1_host_key->rsa) <= 0)
+			rsafail++;
+	} else {
+		/* Host key has bigger modulus (or they are equal). */
+		if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
+		    BN_num_bits(sensitive_data.server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
+			fatal("do_connection: %s: host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
+			    get_remote_ipaddr(),
+			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
+			    BN_num_bits(sensitive_data.server_key->rsa->n),
+			    SSH_KEY_BITS_RESERVED);
+		}
+		if (rsa_private_decrypt(session_key_int, session_key_int,
+		    sensitive_data.ssh1_host_key->rsa) < 0)
+			rsafail++;
+		if (rsa_private_decrypt(session_key_int, session_key_int,
+		    sensitive_data.server_key->rsa) < 0)
+			rsafail++;
+	}
+	/*
+	 * Extract session key from the decrypted integer.  The key is in the
+	 * least significant 256 bits of the integer; the first byte of the
+	 * key is in the highest bits.
+	 */
+	if (!rsafail) {
+		BN_mask_bits(session_key_int, sizeof(session_key) * 8);
+		len = BN_num_bytes(session_key_int);
+		if (len < 0 || len > sizeof(session_key)) {
+			error("do_connection: bad session key len from %s: "
+			    "session_key_int %d > sizeof(session_key) %lu",
+			    get_remote_ipaddr(), len, (u_long)sizeof(session_key));
+			rsafail++;
+		} else {
+			memset(session_key, 0, sizeof(session_key));
+			BN_bn2bin(session_key_int,
+			    session_key + sizeof(session_key) - len);
+
+			compute_session_id(session_id, cookie,
+			    sensitive_data.ssh1_host_key->rsa->n,
+			    sensitive_data.server_key->rsa->n);
+			/*
+			 * Xor the first 16 bytes of the session key with the
+			 * session id.
+			 */
+			for (i = 0; i < 16; i++)
+				session_key[i] ^= session_id[i];
+		}
+	}
+	if (rsafail) {
+		int bytes = BN_num_bytes(session_key_int);
+		char *buf = xmalloc(bytes);
+		MD5_CTX md;
+
+		log("do_connection: generating a fake encryption key");
+		BN_bn2bin(session_key_int, buf);
+		MD5_Init(&md);
+		MD5_Update(&md, buf, bytes);
+		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
+		MD5_Final(session_key, &md);
+		MD5_Init(&md);
+		MD5_Update(&md, session_key, 16);
+		MD5_Update(&md, buf, bytes);
+		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
+		MD5_Final(session_key + 16, &md);
+		memset(buf, 0, bytes);
+		xfree(buf);
+		for (i = 0; i < 16; i++)
+			session_id[i] = session_key[i] ^ session_key[i + 16];
+	}
+	/* Destroy the private and public keys.  They will no longer be needed. */
+	destroy_sensitive_data();
+
+	/* Destroy the decrypted integer.  It is no longer needed. */
+	BN_clear_free(session_key_int);
+
+	/* Set the session key.  From this on all communications will be encrypted. */
+	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
+
+	/* Destroy our copy of the session key.  It is no longer needed. */
+	memset(session_key, 0, sizeof(session_key));
+
+	debug("Received session key; encryption turned on.");
+
+	/* Send an acknowledgement packet.  Note that this packet is sent encrypted. */
+	packet_start(SSH_SMSG_SUCCESS);
+	packet_send();
+	packet_write_wait();
+}
+
+/*
+ * SSH2 key exchange: diffie-hellman-group1-sha1
+ */
+void
+do_ssh2_kex(void)
+{
+	Kex *kex;
+
+	if (options.ciphers != NULL) {
+		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+	}
+	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
+	myproposal[PROPOSAL_ENC_ALGS_STOC] =
+	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
+
+	if (options.macs != NULL) {
+		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+	}
+	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
+
+	/* start key exchange */
+	kex = kex_setup(myproposal);
+	kex->server = 1;
+	kex->client_version_string=client_version_string;
+	kex->server_version_string=server_version_string;
+	kex->load_host_key=&get_hostkey_by_type;
+
+	xxx_kex = kex;
+
+	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
+
+	session_id2 = kex->session_id;
+	session_id2_len = kex->session_id_len;
+
+#ifdef DEBUG_KEXDH
+	/* send 1st encrypted/maced/compressed message */
+	packet_start(SSH2_MSG_IGNORE);
+	packet_put_cstring("markus");
+	packet_send();
+	packet_write_wait();
+#endif
+	debug("KEX done");
+}
diff --git a/crypto/openssh/sshd/Makefile b/crypto/openssh/sshd/Makefile
new file mode 100644
index 0000000..5ccce8d
--- /dev/null
+++ b/crypto/openssh/sshd/Makefile
@@ -0,0 +1,46 @@
+#	$OpenBSD: Makefile,v 1.38 2001/03/29 21:17:40 markus Exp $
+
+.PATH:		${.CURDIR}/..
+
+PROG=	sshd
+BINOWN=	root
+BINMODE=555
+BINDIR=	/usr/sbin
+MAN=	sshd.8
+CFLAGS+=-DHAVE_LOGIN_CAP
+
+SRCS=	sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
+	sshpty.c sshlogin.c servconf.c serverloop.c \
+	auth.c auth1.c auth2.c auth-options.c session.c \
+	auth-chall.c auth2-chall.c groupaccess.c
+
+.include <bsd.own.mk> # for KERBEROS and AFS
+
+.if (${KERBEROS:L} == "yes")
+.if (${AFS:L} == "yes")
+CFLAGS+= -DAFS
+LDADD+=  -lkafs
+DPADD+=  ${LIBKRBAFS}
+.endif # AFS
+CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
+SRCS+=	auth-krb4.c
+LDADD+=	 -lkrb
+DPADD+=	 ${LIBKRB}
+.endif # KERBEROS
+
+.include <bsd.prog.mk>
+
+LDADD+=	-lcrypto -lutil -lz
+DPADD+=	${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
+
+.if (${TCP_WRAPPERS:L} == "yes")
+CFLAGS+= -DLIBWRAP
+LDADD+= -lwrap
+DPADD+= ${LIBWRAP}
+.endif
+
+.if (${SKEY:L} == "yes")
+CFLAGS+= -DSKEY
+LDADD+= -lskey
+DPADD+= ${SKEY}
+.endif
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
new file mode 100644
index 0000000..854311f
--- /dev/null
+++ b/crypto/openssh/sshd_config
@@ -0,0 +1,70 @@
+#	$OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $
+# $FreeBSD$
+
+# This is the sshd server system-wide configuration file.  See sshd(8)
+# for more information.
+
+Port 22
+#Protocol 2,1
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+HostKey /etc/ssh/ssh_host_key
+HostKey /etc/ssh/ssh_host_dsa_key
+ServerKeyBits 768
+LoginGraceTime 120
+KeyRegenerationInterval 3600
+PermitRootLogin no
+# ConnectionsPerPeriod has been deprecated completely
+
+# After 10 unauthenticated connections, refuse 30% of the new ones, and
+# refuse any more than 60 total.
+MaxStartups 10:30:60
+# Don't read ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+StrictModes yes
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd yes
+#PrintLastLog no
+KeepAlive yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+#obsoletes QuietMode and FascistLogging
+
+RhostsAuthentication no
+#
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+#
+RSAAuthentication yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+PermitEmptyPasswords no
+
+# Uncomment to disable s/key passwords 
+#ChallengeResponseAuthentication no
+
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+
+CheckMail yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+
+Subsystem	sftp	/usr/libexec/sftp-server
diff --git a/crypto/openssh/sshlogin.c b/crypto/openssh/sshlogin.c
new file mode 100644
index 0000000..b8536c0
--- /dev/null
+++ b/crypto/openssh/sshlogin.c
@@ -0,0 +1,137 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * This file performs some of the things login(1) normally does.  We cannot
+ * easily use something like login -p -h host -f user, because there are
+ * several different logins around, and it is hard to determined what kind of
+ * login the current system has.  Also, we want to be able to execute commands
+ * on a tty.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sshlogin.c,v 1.2 2001/03/24 16:43:27 stevesk Exp $");
+RCSID("$FreeBSD$");
+
+#include <libutil.h>
+#include <utmp.h>
+#include "sshlogin.h"
+#include "log.h"
+
+/*
+ * Returns the time when the user last logged in.  Returns 0 if the
+ * information is not available.  This must be called before record_login.
+ * The host the user logged in from will be returned in buf.
+ */
+
+u_long
+get_last_login_time(uid_t uid, const char *logname,
+		    char *buf, u_int bufsize)
+{
+	struct lastlog ll;
+	char *lastlog;
+	int fd;
+
+	lastlog = _PATH_LASTLOG;
+	buf[0] = '\0';
+
+	fd = open(lastlog, O_RDONLY);
+	if (fd < 0)
+		return 0;
+	lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET);
+	if (read(fd, &ll, sizeof(ll)) != sizeof(ll)) {
+		close(fd);
+		return 0;
+	}
+	close(fd);
+	if (bufsize > sizeof(ll.ll_host) + 1)
+		bufsize = sizeof(ll.ll_host) + 1;
+	strncpy(buf, ll.ll_host, bufsize - 1);
+	buf[bufsize - 1] = 0;
+	return ll.ll_time;
+}
+
+/*
+ * Records that the user has logged in.  I these parts of operating systems
+ * were more standardized.
+ */
+
+void
+record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
+	     const char *host, struct sockaddr * addr)
+{
+	int fd;
+	struct lastlog ll;
+	char *lastlog;
+	struct utmp u;
+
+	/* Construct an utmp/wtmp entry. */
+	memset(&u, 0, sizeof(u));
+	strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line));
+	u.ut_time = time(NULL);
+	strncpy(u.ut_name, user, sizeof(u.ut_name));
+	realhostname_sa(u.ut_host, sizeof(u.ut_host), addr, addr->sa_len);
+
+	login(&u);
+	lastlog = _PATH_LASTLOG;
+
+	/* Update lastlog unless actually recording a logout. */
+	if (strcmp(user, "") != 0) {
+		/*
+		 * It is safer to bzero the lastlog structure first because
+		 * some systems might have some extra fields in it (e.g. SGI)
+		 */
+		memset(&ll, 0, sizeof(ll));
+
+		/* Update lastlog. */
+		ll.ll_time = time(NULL);
+		strncpy(ll.ll_line, ttyname + 5, sizeof(ll.ll_line));
+		strncpy(ll.ll_host, host, sizeof(ll.ll_host));
+		fd = open(lastlog, O_RDWR);
+		if (fd >= 0) {
+			lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET);
+			if (write(fd, &ll, sizeof(ll)) != sizeof(ll))
+				log("Could not write %.100s: %.100s", lastlog, strerror(errno));
+			close(fd);
+		}
+	}
+}
+
+/* Records that the user has logged out. */
+
+void
+record_logout(pid_t pid, const char *ttyname)
+{
+	const char *line = ttyname + 5;	/* /dev/ttyq8 -> ttyq8 */
+	if (logout(line))
+		logwtmp(line, "", "");
+}
diff --git a/crypto/openssh/sshlogin.h b/crypto/openssh/sshlogin.h
new file mode 100644
index 0000000..7285bc2
--- /dev/null
+++ b/crypto/openssh/sshlogin.h
@@ -0,0 +1,40 @@
+/*	$OpenBSD: sshlogin.h,v 1.1 2001/03/04 01:46:30 djm Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+#ifndef SSHLOGIN_H
+#define SSHLOGIN_H
+
+/*
+ * Returns the time when the user last logged in.  Returns 0 if the
+ * information is not available.  This must be called before record_login.
+ * The host from which the user logged in is stored in buf.
+ */
+u_long
+get_last_login_time(uid_t uid, const char *logname,
+    char *buf, u_int bufsize);
+
+/*
+ * Records that the user has logged in.  This does many things normally done
+ * by login(1).
+ */
+void
+record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
+    const char *host, struct sockaddr *addr);
+
+/*
+ * Records that the user has logged out.  This does many thigs normally done
+ * by login(1) or init.
+ */
+void    record_logout(pid_t pid, const char *ttyname);
+
+#endif
diff --git a/crypto/openssh/sshpty.c b/crypto/openssh/sshpty.c
new file mode 100644
index 0000000..1544ac6
--- /dev/null
+++ b/crypto/openssh/sshpty.c
@@ -0,0 +1,298 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Allocating a pseudo-terminal, and making it the controlling tty.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: sshpty.c,v 1.1 2001/03/04 01:46:30 djm Exp $");
+RCSID("$FreeBSD$");
+
+#include <libutil.h>
+#include "sshpty.h"
+#include "log.h"
+
+/* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
+#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
+#undef HAVE_DEV_PTMX
+#endif
+
+#ifndef O_NOCTTY
+#define O_NOCTTY 0
+#endif
+
+/*
+ * Allocates and opens a pty.  Returns 0 if no pty could be allocated, or
+ * nonzero if a pty was successfully allocated.  On success, open file
+ * descriptors for the pty and tty sides and the name of the tty side are
+ * returned (the buffer must be able to hold at least 64 characters).
+ */
+
+int
+pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
+{
+#if defined(HAVE_OPENPTY) || defined(BSD4_4)
+	/* openpty(3) exists in OSF/1 and some other os'es */
+	char buf[64];
+	int i;
+
+	i = openpty(ptyfd, ttyfd, buf, NULL, NULL);
+	if (i < 0) {
+		error("openpty: %.100s", strerror(errno));
+		return 0;
+	}
+	strlcpy(namebuf, buf, namebuflen);	/* possible truncation */
+	return 1;
+#else /* HAVE_OPENPTY */
+#ifdef HAVE__GETPTY
+	/*
+	 * _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more
+	 * pty's automagically when needed
+	 */
+	char *slave;
+
+	slave = _getpty(ptyfd, O_RDWR, 0622, 0);
+	if (slave == NULL) {
+		error("_getpty: %.100s", strerror(errno));
+		return 0;
+	}
+	strlcpy(namebuf, slave, namebuflen);
+	/* Open the slave side. */
+	*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
+	if (*ttyfd < 0) {
+		error("%.200s: %.100s", namebuf, strerror(errno));
+		close(*ptyfd);
+		return 0;
+	}
+	return 1;
+#else /* HAVE__GETPTY */
+#ifdef HAVE_DEV_PTMX
+	/*
+	 * This code is used e.g. on Solaris 2.x.  (Note that Solaris 2.3
+	 * also has bsd-style ptys, but they simply do not work.)
+	 */
+	int ptm;
+	char *pts;
+
+	ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY);
+	if (ptm < 0) {
+		error("/dev/ptmx: %.100s", strerror(errno));
+		return 0;
+	}
+	if (grantpt(ptm) < 0) {
+		error("grantpt: %.100s", strerror(errno));
+		return 0;
+	}
+	if (unlockpt(ptm) < 0) {
+		error("unlockpt: %.100s", strerror(errno));
+		return 0;
+	}
+	pts = ptsname(ptm);
+	if (pts == NULL)
+		error("Slave pty side name could not be obtained.");
+	strlcpy(namebuf, pts, namebuflen);
+	*ptyfd = ptm;
+
+	/* Open the slave side. */
+	*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
+	if (*ttyfd < 0) {
+		error("%.100s: %.100s", namebuf, strerror(errno));
+		close(*ptyfd);
+		return 0;
+	}
+	/* Push the appropriate streams modules, as described in Solaris pts(7). */
+	if (ioctl(*ttyfd, I_PUSH, "ptem") < 0)
+		error("ioctl I_PUSH ptem: %.100s", strerror(errno));
+	if (ioctl(*ttyfd, I_PUSH, "ldterm") < 0)
+		error("ioctl I_PUSH ldterm: %.100s", strerror(errno));
+	if (ioctl(*ttyfd, I_PUSH, "ttcompat") < 0)
+		error("ioctl I_PUSH ttcompat: %.100s", strerror(errno));
+	return 1;
+#else /* HAVE_DEV_PTMX */
+#ifdef HAVE_DEV_PTS_AND_PTC
+	/* AIX-style pty code. */
+	const char *name;
+
+	*ptyfd = open("/dev/ptc", O_RDWR | O_NOCTTY);
+	if (*ptyfd < 0) {
+		error("Could not open /dev/ptc: %.100s", strerror(errno));
+		return 0;
+	}
+	name = ttyname(*ptyfd);
+	if (!name)
+		fatal("Open of /dev/ptc returns device for which ttyname fails.");
+	strlcpy(namebuf, name, namebuflen);
+	*ttyfd = open(name, O_RDWR | O_NOCTTY);
+	if (*ttyfd < 0) {
+		error("Could not open pty slave side %.100s: %.100s",
+		      name, strerror(errno));
+		close(*ptyfd);
+		return 0;
+	}
+	return 1;
+#else /* HAVE_DEV_PTS_AND_PTC */
+	/* BSD-style pty code. */
+	char buf[64];
+	int i;
+	const char *ptymajors = "pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
+	const char *ptyminors = "0123456789abcdef";
+	int num_minors = strlen(ptyminors);
+	int num_ptys = strlen(ptymajors) * num_minors;
+
+	for (i = 0; i < num_ptys; i++) {
+		snprintf(buf, sizeof buf, "/dev/pty%c%c", ptymajors[i / num_minors],
+			 ptyminors[i % num_minors]);
+		*ptyfd = open(buf, O_RDWR | O_NOCTTY);
+		if (*ptyfd < 0)
+			continue;
+		snprintf(namebuf, namebuflen, "/dev/tty%c%c",
+		    ptymajors[i / num_minors], ptyminors[i % num_minors]);
+
+		/* Open the slave side. */
+		*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
+		if (*ttyfd < 0) {
+			error("%.100s: %.100s", namebuf, strerror(errno));
+			close(*ptyfd);
+			return 0;
+		}
+		return 1;
+	}
+	return 0;
+#endif /* HAVE_DEV_PTS_AND_PTC */
+#endif /* HAVE_DEV_PTMX */
+#endif /* HAVE__GETPTY */
+#endif /* HAVE_OPENPTY */
+}
+
+/* Releases the tty.  Its ownership is returned to root, and permissions to 0666. */
+
+void
+pty_release(const char *ttyname)
+{
+	if (chown(ttyname, (uid_t) 0, (gid_t) 0) < 0)
+		error("chown %.100s 0 0 failed: %.100s", ttyname, strerror(errno));
+	if (chmod(ttyname, (mode_t) 0666) < 0)
+		error("chmod %.100s 0666 failed: %.100s", ttyname, strerror(errno));
+}
+
+/* Makes the tty the processes controlling tty and sets it to sane modes. */
+
+void
+pty_make_controlling_tty(int *ttyfd, const char *ttyname)
+{
+	int fd;
+
+	/* First disconnect from the old controlling tty. */
+#ifdef TIOCNOTTY
+	fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
+	if (fd >= 0) {
+		(void) ioctl(fd, TIOCNOTTY, NULL);
+		close(fd);
+	}
+#endif /* TIOCNOTTY */
+	if (setsid() < 0)
+		error("setsid: %.100s", strerror(errno));
+
+	/*
+	 * Verify that we are successfully disconnected from the controlling
+	 * tty.
+	 */
+	fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
+	if (fd >= 0) {
+		error("Failed to disconnect from controlling tty.");
+		close(fd);
+	}
+	/* Make it our controlling tty. */
+#ifdef TIOCSCTTY
+	debug("Setting controlling tty using TIOCSCTTY.");
+	if (ioctl(*ttyfd, TIOCSCTTY, NULL) < 0)
+		error("ioctl(TIOCSCTTY): %.100s", strerror(errno));
+#endif /* TIOCSCTTY */
+	fd = open(ttyname, O_RDWR);
+	if (fd < 0)
+		error("%.100s: %.100s", ttyname, strerror(errno));
+	else
+		close(fd);
+
+	/* Verify that we now have a controlling tty. */
+	fd = open(_PATH_TTY, O_WRONLY);
+	if (fd < 0)
+		error("open /dev/tty failed - could not set controlling tty: %.100s",
+		      strerror(errno));
+	else {
+		close(fd);
+	}
+}
+
+/* Changes the window size associated with the pty. */
+
+void
+pty_change_window_size(int ptyfd, int row, int col,
+		       int xpixel, int ypixel)
+{
+	struct winsize w;
+	w.ws_row = row;
+	w.ws_col = col;
+	w.ws_xpixel = xpixel;
+	w.ws_ypixel = ypixel;
+	(void) ioctl(ptyfd, TIOCSWINSZ, &w);
+}
+
+void
+pty_setowner(struct passwd *pw, const char *ttyname)
+{
+	struct group *grp;
+	gid_t gid;
+	mode_t mode;
+	struct stat st;
+
+	/* Determine the group to make the owner of the tty. */
+	grp = getgrnam("tty");
+	if (grp) {
+		gid = grp->gr_gid;
+		mode = S_IRUSR | S_IWUSR | S_IWGRP;
+	} else {
+		gid = pw->pw_gid;
+		mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
+	}
+
+	/*
+	 * Change owner and mode of the tty as required.
+	 * Warn but continue if filesystem is read-only and the uids match.
+	 */
+	if (stat(ttyname, &st))
+		fatal("stat(%.100s) failed: %.100s", ttyname,
+		    strerror(errno));
+
+	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+		if (chown(ttyname, pw->pw_uid, gid) < 0) {
+			if (errno == EROFS && st.st_uid == pw->pw_uid)
+				error("chown(%.100s, %d, %d) failed: %.100s",
+				      ttyname, pw->pw_uid, gid,
+				      strerror(errno));
+			else
+				fatal("chown(%.100s, %d, %d) failed: %.100s",
+				      ttyname, pw->pw_uid, gid,
+				      strerror(errno));
+		}
+	}
+
+	if ((st.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) != mode) {
+		if (chmod(ttyname, mode) < 0) {
+			if (errno == EROFS &&
+			    (st.st_mode & (S_IRGRP | S_IROTH)) == 0)
+				error("chmod(%.100s, 0%o) failed: %.100s",
+				      ttyname, mode, strerror(errno));
+			else
+				fatal("chmod(%.100s, 0%o) failed: %.100s",
+				      ttyname, mode, strerror(errno));
+		}
+	}
+}
diff --git a/crypto/openssh/sshpty.h b/crypto/openssh/sshpty.h
new file mode 100644
index 0000000..d7aac0f
--- /dev/null
+++ b/crypto/openssh/sshpty.h
@@ -0,0 +1,47 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Functions for allocating a pseudo-terminal and making it the controlling
+ * tty.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: sshpty.h,v 1.1 2001/03/04 01:46:30 djm Exp $"); */
+
+#ifndef SSHPTY_H
+#define SSHPTY_H
+
+/*
+ * Allocates and opens a pty.  Returns 0 if no pty could be allocated, or
+ * nonzero if a pty was successfully allocated.  On success, open file
+ * descriptors for the pty and tty sides and the name of the tty side are
+ * returned (the buffer must be able to hold at least 64 characters).
+ */
+int     pty_allocate(int *ptyfd, int *ttyfd, char *ttyname, int ttynamelen);
+
+/*
+ * Releases the tty.  Its ownership is returned to root, and permissions to
+ * 0666.
+ */
+void    pty_release(const char *ttyname);
+
+/*
+ * Makes the tty the processes controlling tty and sets it to sane modes.
+ * This may need to reopen the tty to get rid of possible eavesdroppers.
+ */
+void    pty_make_controlling_tty(int *ttyfd, const char *ttyname);
+
+/* Changes the window size associated with the pty. */
+void
+pty_change_window_size(int ptyfd, int row, int col,
+    int xpixel, int ypixel);
+
+void	pty_setowner(struct passwd *pw, const char *ttyname);
+
+#endif				/* SSHPTY_H */
diff --git a/crypto/openssh/sshtty.c b/crypto/openssh/sshtty.c
new file mode 100644
index 0000000..7849890
--- /dev/null
+++ b/crypto/openssh/sshtty.c
@@ -0,0 +1,96 @@
+/* $OpenBSD: sshtty.c,v 1.1 2001/04/14 16:33:20 stevesk Exp $ */
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2001 Kevin Steves.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include "sshtty.h"
+#include "log.h"
+
+static struct termios _saved_tio;
+static int _in_raw_mode = 0;
+
+int
+in_raw_mode(void)
+{
+	return _in_raw_mode;	
+}
+
+struct termios
+get_saved_tio(void)
+{
+	return _saved_tio;
+}
+
+void
+leave_raw_mode(void)
+{
+	if (!_in_raw_mode)
+		return;
+	if (tcsetattr(fileno(stdin), TCSADRAIN, &_saved_tio) == -1)
+		perror("tcsetattr");
+	else
+		_in_raw_mode = 0;
+
+	fatal_remove_cleanup((void (*) (void *)) leave_raw_mode, NULL);
+}
+
+void
+enter_raw_mode(void)
+{
+	struct termios tio;
+
+	if (tcgetattr(fileno(stdin), &tio) == -1) {
+		perror("tcgetattr");
+		return;
+	}
+	_saved_tio = tio;
+	tio.c_iflag |= IGNPAR;
+	tio.c_iflag &= ~(ISTRIP | INLCR | IGNCR | ICRNL | IXON | IXANY | IXOFF);
+	tio.c_lflag &= ~(ISIG | ICANON | ECHO | ECHOE | ECHOK | ECHONL);
+#ifdef IEXTEN
+	tio.c_lflag &= ~IEXTEN;
+#endif
+	tio.c_oflag &= ~OPOST;
+	tio.c_cc[VMIN] = 1;
+	tio.c_cc[VTIME] = 0;
+	if (tcsetattr(fileno(stdin), TCSADRAIN, &tio) == -1)
+		perror("tcsetattr");
+	else
+		_in_raw_mode = 1;
+
+	fatal_add_cleanup((void (*) (void *)) leave_raw_mode, NULL);
+}
diff --git a/crypto/openssh/sshtty.h b/crypto/openssh/sshtty.h
new file mode 100644
index 0000000..e29385e
--- /dev/null
+++ b/crypto/openssh/sshtty.h
@@ -0,0 +1,65 @@
+/* $OpenBSD: sshtty.h,v 1.1 2001/04/14 16:33:20 stevesk Exp $ */
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+/*
+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2001 Kevin Steves.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef SSHTTY_H
+#define SSHTTY_H
+
+#include <termios.h>
+
+/*
+ * Accessor function indicating whether we are in raw mode.  Set by
+ * enter_raw_mode() and leave_raw_mode().
+ */
+int in_raw_mode(void);
+
+/*
+ * Return terminal modes, as saved by enter_raw_mode().
+ */
+struct termios get_saved_tio(void);
+
+/*
+ * Returns the user's terminal to normal mode if it had been
+ * put in raw mode.
+ */
+void leave_raw_mode(void);
+
+/*
+ * Puts the user's terminal in raw mode.
+ */
+void enter_raw_mode(void);
+
+#endif
diff --git a/crypto/openssh/tildexpand.c b/crypto/openssh/tildexpand.c
new file mode 100644
index 0000000..46bdaae
--- /dev/null
+++ b/crypto/openssh/tildexpand.c
@@ -0,0 +1,72 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: tildexpand.c,v 1.11 2001/02/08 19:30:53 itojun Exp $");
+
+#include "xmalloc.h"
+#include "log.h"
+#include "tildexpand.h"
+
+/*
+ * Expands tildes in the file name.  Returns data allocated by xmalloc.
+ * Warning: this calls getpw*.
+ */
+char *
+tilde_expand_filename(const char *filename, uid_t my_uid)
+{
+	const char *cp;
+	u_int userlen;
+	char *expanded;
+	struct passwd *pw;
+	char user[100];
+	int len;
+
+	/* Return immediately if no tilde. */
+	if (filename[0] != '~')
+		return xstrdup(filename);
+
+	/* Skip the tilde. */
+	filename++;
+
+	/* Find where the username ends. */
+	cp = strchr(filename, '/');
+	if (cp)
+		userlen = cp - filename;	/* Something after username. */
+	else
+		userlen = strlen(filename);	/* Nothing after username. */
+	if (userlen == 0)
+		pw = getpwuid(my_uid);		/* Own home directory. */
+	else {
+		/* Tilde refers to someone elses home directory. */
+		if (userlen > sizeof(user) - 1)
+			fatal("User name after tilde too long.");
+		memcpy(user, filename, userlen);
+		user[userlen] = 0;
+		pw = getpwnam(user);
+	}
+	if (!pw)
+		fatal("Unknown user %100s.", user);
+
+	/* If referring to someones home directory, return it now. */
+	if (!cp) {
+		/* Only home directory specified */
+		return xstrdup(pw->pw_dir);
+	}
+	/* Build a path combining the specified directory and path. */
+	len = strlen(pw->pw_dir) + strlen(cp + 1) + 2;
+	if (len > MAXPATHLEN)
+		fatal("Home directory too long (%d > %d", len-1, MAXPATHLEN-1);
+	expanded = xmalloc(len);
+	snprintf(expanded, len, "%s/%s", pw->pw_dir, cp + 1);
+	return expanded;
+}
diff --git a/crypto/openssh/tildexpand.h b/crypto/openssh/tildexpand.h
new file mode 100644
index 0000000..88734f4
--- /dev/null
+++ b/crypto/openssh/tildexpand.h
@@ -0,0 +1,19 @@
+/*	$OpenBSD: tildexpand.h,v 1.2 2001/01/29 01:58:19 niklas Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/*
+ * Expands tildes in the file name.  Returns data allocated by xmalloc.
+ * Warning: this calls getpw*.
+ */
+char   *tilde_expand_filename(const char *filename, uid_t my_uid);
diff --git a/crypto/openssh/ttymodes.c b/crypto/openssh/ttymodes.c
new file mode 100644
index 0000000..6124cb4
--- /dev/null
+++ b/crypto/openssh/ttymodes.c
@@ -0,0 +1,462 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/*
+ * SSH2 tty modes support by Kevin Steves.
+ * Copyright (c) 2001 Kevin Steves.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Encoding and decoding of terminal modes in a portable way.
+ * Much of the format is defined in ttymodes.h; it is included multiple times
+ * into this file with the appropriate macro definitions to generate the
+ * suitable code.
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: ttymodes.c,v 1.13 2001/04/15 01:35:22 stevesk Exp $");
+
+#include "packet.h"
+#include "log.h"
+#include "ssh1.h"
+#include "compat.h"
+#include "buffer.h"
+#include "bufaux.h"
+
+#define TTY_OP_END		0
+/*
+ * uint32 (u_int) follows speed in SSH1 and SSH2
+ */
+#define TTY_OP_ISPEED_PROTO1	192
+#define TTY_OP_OSPEED_PROTO1	193
+#define TTY_OP_ISPEED_PROTO2	128
+#define TTY_OP_OSPEED_PROTO2	129
+
+/*
+ * Converts POSIX speed_t to a baud rate.  The values of the
+ * constants for speed_t are not themselves portable.
+ */
+static int
+speed_to_baud(speed_t speed)
+{
+	switch (speed) {
+	case B0:
+		return 0;
+	case B50:
+		return 50;
+	case B75:
+		return 75;
+	case B110:
+		return 110;
+	case B134:
+		return 134;
+	case B150:
+		return 150;
+	case B200:
+		return 200;
+	case B300:
+		return 300;
+	case B600:
+		return 600;
+	case B1200:
+		return 1200;
+	case B1800:
+		return 1800;
+	case B2400:
+		return 2400;
+	case B4800:
+		return 4800;
+	case B9600:
+		return 9600;
+
+#ifdef B19200
+	case B19200:
+		return 19200;
+#else /* B19200 */
+#ifdef EXTA
+	case EXTA:
+		return 19200;
+#endif /* EXTA */
+#endif /* B19200 */
+
+#ifdef B38400
+	case B38400:
+		return 38400;
+#else /* B38400 */
+#ifdef EXTB
+	case EXTB:
+		return 38400;
+#endif /* EXTB */
+#endif /* B38400 */
+
+#ifdef B7200
+	case B7200:
+		return 7200;
+#endif /* B7200 */
+#ifdef B14400
+	case B14400:
+		return 14400;
+#endif /* B14400 */
+#ifdef B28800
+	case B28800:
+		return 28800;
+#endif /* B28800 */
+#ifdef B57600
+	case B57600:
+		return 57600;
+#endif /* B57600 */
+#ifdef B76800
+	case B76800:
+		return 76800;
+#endif /* B76800 */
+#ifdef B115200
+	case B115200:
+		return 115200;
+#endif /* B115200 */
+#ifdef B230400
+	case B230400:
+		return 230400;
+#endif /* B230400 */
+	default:
+		return 9600;
+	}
+}
+
+/*
+ * Converts a numeric baud rate to a POSIX speed_t.
+ */
+static speed_t
+baud_to_speed(int baud)
+{
+	switch (baud) {
+	case 0:
+		return B0;
+	case 50:
+		return B50;
+	case 75:
+		return B75;
+	case 110:
+		return B110;
+	case 134:
+		return B134;
+	case 150:
+		return B150;
+	case 200:
+		return B200;
+	case 300:
+		return B300;
+	case 600:
+		return B600;
+	case 1200:
+		return B1200;
+	case 1800:
+		return B1800;
+	case 2400:
+		return B2400;
+	case 4800:
+		return B4800;
+	case 9600:
+		return B9600;
+
+#ifdef B19200
+	case 19200:
+		return B19200;
+#else /* B19200 */
+#ifdef EXTA
+	case 19200:
+		return EXTA;
+#endif /* EXTA */
+#endif /* B19200 */
+
+#ifdef B38400
+	case 38400:
+		return B38400;
+#else /* B38400 */
+#ifdef EXTB
+	case 38400:
+		return EXTB;
+#endif /* EXTB */
+#endif /* B38400 */
+
+#ifdef B7200
+	case 7200:
+		return B7200;
+#endif /* B7200 */
+#ifdef B14400
+	case 14400:
+		return B14400;
+#endif /* B14400 */
+#ifdef B28800
+	case 28800:
+		return B28800;
+#endif /* B28800 */
+#ifdef B57600
+	case 57600:
+		return B57600;
+#endif /* B57600 */
+#ifdef B76800
+	case 76800:
+		return B76800;
+#endif /* B76800 */
+#ifdef B115200
+	case 115200:
+		return B115200;
+#endif /* B115200 */
+#ifdef B230400
+	case 230400:
+		return B230400;
+#endif /* B230400 */
+	default:
+		return B9600;
+	}
+}
+
+/*
+ * Encodes terminal modes for the terminal referenced by fd
+ * or tiop in a portable manner, and appends the modes to a packet
+ * being constructed.
+ */
+void
+tty_make_modes(int fd, struct termios *tiop)
+{
+	struct termios tio;
+	int baud;
+	Buffer buf;
+	int tty_op_ospeed, tty_op_ispeed;
+	void (*put_arg)(Buffer *, u_int);
+
+	buffer_init(&buf);
+	if (compat20) {
+		tty_op_ospeed = TTY_OP_OSPEED_PROTO2;
+		tty_op_ispeed = TTY_OP_ISPEED_PROTO2;
+		put_arg = buffer_put_int;
+	} else {
+		tty_op_ospeed = TTY_OP_OSPEED_PROTO1;
+		tty_op_ispeed = TTY_OP_ISPEED_PROTO1;
+		put_arg = (void (*)(Buffer *, u_int)) buffer_put_char;
+	}
+
+	if (tiop == NULL) {
+		if (tcgetattr(fd, &tio) == -1) {
+			log("tcgetattr: %.100s", strerror(errno));
+			goto end;
+		}
+	} else
+		tio = *tiop;
+
+	/* Store input and output baud rates. */
+	baud = speed_to_baud(cfgetospeed(&tio));
+	debug2("tty_make_modes: ospeed %d", baud);
+	buffer_put_char(&buf, tty_op_ospeed);
+	buffer_put_int(&buf, baud);
+	baud = speed_to_baud(cfgetispeed(&tio));
+	debug2("tty_make_modes: ispeed %d", baud);
+	buffer_put_char(&buf, tty_op_ispeed);
+	buffer_put_int(&buf, baud);
+
+	/* Store values of mode flags. */
+#define TTYCHAR(NAME, OP) \
+	debug2("tty_make_modes: %d %d", OP, tio.c_cc[NAME]); \
+	buffer_put_char(&buf, OP); \
+	put_arg(&buf, tio.c_cc[NAME]);
+
+#define TTYMODE(NAME, FIELD, OP) \
+	debug2("tty_make_modes: %d %d", OP, ((tio.FIELD & NAME) != 0)); \
+	buffer_put_char(&buf, OP); \
+	put_arg(&buf, ((tio.FIELD & NAME) != 0));
+
+#include "ttymodes.h"
+
+#undef TTYCHAR
+#undef TTYMODE
+
+end:
+	/* Mark end of mode data. */
+	buffer_put_char(&buf, TTY_OP_END);
+	if (compat20)
+		packet_put_string(buffer_ptr(&buf), buffer_len(&buf));
+	else
+		packet_put_raw(buffer_ptr(&buf), buffer_len(&buf));
+	buffer_free(&buf);
+	return;
+}
+
+/*
+ * Decodes terminal modes for the terminal referenced by fd in a portable
+ * manner from a packet being read.
+ */
+void
+tty_parse_modes(int fd, int *n_bytes_ptr)
+{
+	struct termios tio;
+	int opcode, baud;
+	int n_bytes = 0;
+	int failure = 0;
+	u_int (*get_arg)(void);
+	int arg, arg_size;
+
+	if (compat20) {
+		*n_bytes_ptr = packet_get_int();
+		debug2("tty_parse_modes: SSH2 n_bytes %d", *n_bytes_ptr);
+		if (*n_bytes_ptr == 0)
+			return;
+		get_arg = packet_get_int;
+		arg_size = 4;
+	} else {
+		get_arg = packet_get_char;
+		arg_size = 1;
+	}
+
+	/*
+	 * Get old attributes for the terminal.  We will modify these
+	 * flags. I am hoping that if there are any machine-specific
+	 * modes, they will initially have reasonable values.
+	 */
+	if (tcgetattr(fd, &tio) == -1) {
+		log("tcgetattr: %.100s", strerror(errno));
+		failure = -1;
+	}
+
+	for (;;) {
+		n_bytes += 1;
+		opcode = packet_get_char();
+		switch (opcode) {
+		case TTY_OP_END:
+			goto set;
+
+		/* XXX: future conflict possible */
+		case TTY_OP_ISPEED_PROTO1:
+		case TTY_OP_ISPEED_PROTO2:
+			n_bytes += 4;
+			baud = packet_get_int();
+			debug2("tty_parse_modes: ispeed %d", baud);
+			if (failure != -1 && cfsetispeed(&tio, baud_to_speed(baud)) == -1)
+				error("cfsetispeed failed for %d", baud);
+			break;
+
+		/* XXX: future conflict possible */
+		case TTY_OP_OSPEED_PROTO1:
+		case TTY_OP_OSPEED_PROTO2:
+			n_bytes += 4;
+			baud = packet_get_int();
+			debug2("tty_parse_modes: ospeed %d", baud);
+			if (failure != -1 && cfsetospeed(&tio, baud_to_speed(baud)) == -1)
+				error("cfsetospeed failed for %d", baud);
+			break;
+
+#define TTYCHAR(NAME, OP) \
+	case OP: \
+	  n_bytes += arg_size; \
+	  tio.c_cc[NAME] = get_arg(); \
+	  debug2("tty_parse_modes: %d %d", OP, tio.c_cc[NAME]); \
+	  break;
+#define TTYMODE(NAME, FIELD, OP) \
+	case OP: \
+	  n_bytes += arg_size; \
+	  if ((arg = get_arg())) \
+	    tio.FIELD |= NAME; \
+	  else \
+	    tio.FIELD &= ~NAME;	\
+	  debug2("tty_parse_modes: %d %d", OP, arg); \
+	  break;
+
+#include "ttymodes.h"
+
+#undef TTYCHAR
+#undef TTYMODE
+
+		default:
+			debug("Ignoring unsupported tty mode opcode %d (0x%x)",
+			      opcode, opcode);
+			if (!compat20) {
+				/*
+				 * SSH1:
+				 * Opcodes 1 to 127 are defined to have
+				 * a one-byte argument.
+  				 * Opcodes 128 to 159 are defined to have
+  				 * an integer argument.
+  				 */
+				if (opcode > 0 && opcode < 128) {
+					n_bytes += 1;
+					(void) packet_get_char();
+					break;
+				} else if (opcode >= 128 && opcode < 160) {
+  					n_bytes += 4;
+  					(void) packet_get_int();
+  					break;
+				} else {
+					/*
+					 * It is a truly undefined opcode (160 to 255).
+					 * We have no idea about its arguments.  So we
+					 * must stop parsing.  Note that some data may be
+					 * left in the packet; hopefully there is nothing
+					 * more coming after the mode data.
+					 */
+					log("parse_tty_modes: unknown opcode %d", opcode);
+					packet_integrity_check(0, 1, SSH_CMSG_REQUEST_PTY);
+					goto set;
+  				}
+			} else {
+				/*
+				 * SSH2:
+				 * Opcodes 1 to 159 are defined to have
+				 * a uint32 argument.
+				 * Opcodes 160 to 255 are undefined and
+				 * cause parsing to stop.
+				 */
+				if (opcode > 0 && opcode < 160) {
+					n_bytes += 4;
+					(void) packet_get_int();
+					break;
+				} else {
+					log("parse_tty_modes: unknown opcode %d", opcode);
+					goto set;
+				}
+  			}
+		}
+	}
+
+set:
+	if (*n_bytes_ptr != n_bytes) {
+		*n_bytes_ptr = n_bytes;
+		log("parse_tty_modes: n_bytes_ptr != n_bytes: %d %d",
+		    *n_bytes_ptr, n_bytes);
+		return;		/* Don't process bytes passed */
+	}
+	if (failure == -1)
+		return;		/* Packet parsed ok but tcgetattr() failed */
+
+	/* Set the new modes for the terminal. */
+	if (tcsetattr(fd, TCSANOW, &tio) == -1)
+		log("Setting tty modes failed: %.100s", strerror(errno));
+	return;
+}
diff --git a/crypto/openssh/ttymodes.h b/crypto/openssh/ttymodes.h
new file mode 100644
index 0000000..ad980e9
--- /dev/null
+++ b/crypto/openssh/ttymodes.h
@@ -0,0 +1,172 @@
+/* RCSID("$OpenBSD: ttymodes.h,v 1.11 2001/04/14 16:33:20 stevesk Exp $"); */
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/*
+ * SSH2 tty modes support by Kevin Steves.
+ * Copyright (c) 2001 Kevin Steves.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * SSH1:
+ * The tty mode description is a stream of bytes.  The stream consists of
+ * opcode-arguments pairs.  It is terminated by opcode TTY_OP_END (0).
+ * Opcodes 1-127 have one-byte arguments.  Opcodes 128-159 have integer
+ * arguments.  Opcodes 160-255 are not yet defined, and cause parsing to
+ * stop (they should only be used after any other data).
+ *
+ * SSH2:
+ * Differences between SSH1 and SSH2 terminal mode encoding include:
+ * 1. Encoded terminal modes are represented as a string, and a stream
+ *    of bytes within that string.
+ * 2. Opcode arguments are uint32 (1-159); 160-255 remain undefined.
+ * 3. The values for TTY_OP_ISPEED and TTY_OP_OSPEED are different;
+ *    128 and 129 vs. 192 and 193 respectively.
+ *
+ * The client puts in the stream any modes it knows about, and the
+ * server ignores any modes it does not know about.  This allows some degree
+ * of machine-independence, at least between systems that use a posix-like
+ * tty interface.  The protocol can support other systems as well, but might
+ * require reimplementing as mode names would likely be different.
+ */
+
+/*
+ * Some constants and prototypes are defined in packet.h; this file
+ * is only intended for including from ttymodes.c.
+ */
+
+/* termios macro */
+/* name, op */
+TTYCHAR(VINTR, 1)
+TTYCHAR(VQUIT, 2)
+TTYCHAR(VERASE, 3)
+#if defined(VKILL)
+TTYCHAR(VKILL, 4)
+#endif /* VKILL */
+TTYCHAR(VEOF, 5)
+#if defined(VEOL)
+TTYCHAR(VEOL, 6)
+#endif /* VEOL */
+#ifdef VEOL2
+TTYCHAR(VEOL2, 7)
+#endif /* VEOL2 */
+TTYCHAR(VSTART, 8)
+TTYCHAR(VSTOP, 9)
+#if defined(VSUSP)
+TTYCHAR(VSUSP, 10)
+#endif /* VSUSP */
+#if defined(VDSUSP)
+TTYCHAR(VDSUSP, 11)
+#endif /* VDSUSP */
+#if defined(VREPRINT)
+TTYCHAR(VREPRINT, 12)
+#endif /* VREPRINT */
+#if defined(VWERASE)
+TTYCHAR(VWERASE, 13)
+#endif /* VWERASE */
+#if defined(VLNEXT)
+TTYCHAR(VLNEXT, 14)
+#endif /* VLNEXT */
+#if defined(VFLUSH)
+TTYCHAR(VFLUSH, 15)
+#endif /* VFLUSH */
+#ifdef VSWTCH
+TTYCHAR(VSWTCH, 16)
+#endif /* VSWTCH */
+#if defined(VSTATUS)
+TTYCHAR(VSTATUS, 17)
+#endif /* VSTATUS */
+#ifdef VDISCARD
+TTYCHAR(VDISCARD, 18)
+#endif /* VDISCARD */
+
+/* name, field, op */
+TTYMODE(IGNPAR,	c_iflag, 30)
+TTYMODE(PARMRK,	c_iflag, 31)
+TTYMODE(INPCK, 	c_iflag, 32)
+TTYMODE(ISTRIP,	c_iflag, 33)
+TTYMODE(INLCR, 	c_iflag, 34)
+TTYMODE(IGNCR, 	c_iflag, 35)
+TTYMODE(ICRNL, 	c_iflag, 36)
+#if defined(IUCLC)
+TTYMODE(IUCLC, 	c_iflag, 37)
+#endif
+TTYMODE(IXON,  	c_iflag, 38)
+TTYMODE(IXANY, 	c_iflag, 39)
+TTYMODE(IXOFF, 	c_iflag, 40)
+#ifdef IMAXBEL
+TTYMODE(IMAXBEL,c_iflag, 41)
+#endif /* IMAXBEL */
+
+TTYMODE(ISIG,	c_lflag, 50)
+TTYMODE(ICANON,	c_lflag, 51)
+#ifdef XCASE
+TTYMODE(XCASE,	c_lflag, 52)
+#endif
+TTYMODE(ECHO,	c_lflag, 53)
+TTYMODE(ECHOE,	c_lflag, 54)
+TTYMODE(ECHOK,	c_lflag, 55)
+TTYMODE(ECHONL,	c_lflag, 56)
+TTYMODE(NOFLSH,	c_lflag, 57)
+TTYMODE(TOSTOP,	c_lflag, 58)
+#ifdef IEXTEN
+TTYMODE(IEXTEN, c_lflag, 59)
+#endif /* IEXTEN */
+#if defined(ECHOCTL)
+TTYMODE(ECHOCTL,c_lflag, 60)
+#endif /* ECHOCTL */
+#ifdef ECHOKE
+TTYMODE(ECHOKE,	c_lflag, 61)
+#endif /* ECHOKE */
+#if defined(PENDIN)
+TTYMODE(PENDIN,	c_lflag, 62)
+#endif /* PENDIN */
+
+TTYMODE(OPOST,	c_oflag, 70)
+#if defined(OLCUC)
+TTYMODE(OLCUC,	c_oflag, 71)
+#endif
+TTYMODE(ONLCR,	c_oflag, 72)
+#ifdef OCRNL
+TTYMODE(OCRNL,	c_oflag, 73)
+#endif
+#ifdef ONOCR
+TTYMODE(ONOCR,	c_oflag, 74)
+#endif
+#ifdef ONLRET
+TTYMODE(ONLRET,	c_oflag, 75)
+#endif
+
+TTYMODE(CS7,	c_cflag, 90)
+TTYMODE(CS8,	c_cflag, 91)
+TTYMODE(PARENB,	c_cflag, 92)
+TTYMODE(PARODD,	c_cflag, 93)
diff --git a/crypto/openssh/uidswap.c b/crypto/openssh/uidswap.c
new file mode 100644
index 0000000..39952e2
--- /dev/null
+++ b/crypto/openssh/uidswap.c
@@ -0,0 +1,118 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Code for uid-swapping.
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: uidswap.c,v 1.16 2001/04/20 16:32:22 markus Exp $");
+
+#include "log.h"
+#include "uidswap.h"
+
+/*
+ * Note: all these functions must work in all of the following cases:
+ *    1. euid=0, ruid=0
+ *    2. euid=0, ruid!=0
+ *    3. euid!=0, ruid!=0
+ * Additionally, they must work regardless of whether the system has
+ * POSIX saved uids or not.
+ */
+
+/* Lets assume that posix saved ids also work with seteuid, even though that
+   is not part of the posix specification. */
+
+/* Saved effective uid. */
+static int	privileged = 0;
+static int	temporarily_use_uid_effective = 0;
+static uid_t	saved_euid = 0;
+static gid_t	saved_egid;
+static gid_t	saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX];
+static int	saved_egroupslen = -1, user_groupslen = -1;
+
+/*
+ * Temporarily changes to the given uid.  If the effective user
+ * id is not root, this does nothing.  This call cannot be nested.
+ */
+void
+temporarily_use_uid(struct passwd *pw)
+{
+	/* Save the current euid, and egroups. */
+	saved_euid = geteuid();
+	debug("temporarily_use_uid: %d/%d (e=%d)",
+	    pw->pw_uid, pw->pw_gid, saved_euid);
+	if (saved_euid != 0) {
+		privileged = 0;
+		return;
+	}
+	privileged = 1;
+	temporarily_use_uid_effective = 1;
+	saved_egid = getegid();                                                       
+	saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);                           
+	if (saved_egroupslen < 0)
+		fatal("getgroups: %.100s", strerror(errno));
+
+	/* set and save the user's groups */
+	if (user_groupslen == -1) {
+		if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+			fatal("initgroups: %s: %.100s", pw->pw_name,
+			    strerror(errno));
+		user_groupslen = getgroups(NGROUPS_MAX, user_groups);                           
+		if (user_groupslen < 0)
+			fatal("getgroups: %.100s", strerror(errno));
+	}
+	/* Set the effective uid to the given (unprivileged) uid. */
+	if (setgroups(user_groupslen, user_groups) < 0)
+		fatal("setgroups: %.100s", strerror(errno));
+	pw->pw_gid = pw->pw_gid;
+	if (setegid(pw->pw_gid) < 0)
+		fatal("setegid %u: %.100s", (u_int) pw->pw_gid,
+		    strerror(errno));
+	if (seteuid(pw->pw_uid) == -1)
+		fatal("seteuid %u: %.100s", (u_int) pw->pw_uid,
+		    strerror(errno));
+}
+
+/*
+ * Restores to the original (privileged) uid.
+ */
+void
+restore_uid(void)
+{
+	debug("restore_uid");
+	/* it's a no-op unless privileged */
+	if (!privileged)
+		return;
+	if (!temporarily_use_uid_effective)
+		fatal("restore_uid: temporarily_use_uid not effective");
+	/* Set the effective uid back to the saved privileged uid. */
+	if (seteuid(saved_euid) < 0)
+		fatal("seteuid %u: %.100s", (u_int) saved_euid, strerror(errno));
+	if (setgroups(saved_egroupslen, saved_egroups) < 0)
+		fatal("setgroups: %.100s", strerror(errno));
+	if (setegid(saved_egid) < 0)
+		fatal("setegid %u: %.100s", (u_int) saved_egid, strerror(errno));
+	temporarily_use_uid_effective = 0;
+}
+
+/*
+ * Permanently sets all uids to the given uid.  This cannot be
+ * called while temporarily_use_uid is effective.
+ */
+void
+permanently_set_uid(struct passwd *pw)
+{
+	if (temporarily_use_uid_effective)
+		fatal("restore_uid: temporarily_use_uid effective");
+	if (setgid(pw->pw_gid) < 0)
+		fatal("setgid %u: %.100s", (u_int) pw->pw_gid, strerror(errno));
+	if (setuid(pw->pw_uid) < 0)
+		fatal("setuid %u: %.100s", (u_int) pw->pw_uid, strerror(errno));
+}
diff --git a/crypto/openssh/uidswap.h b/crypto/openssh/uidswap.h
new file mode 100644
index 0000000..228e5a5
--- /dev/null
+++ b/crypto/openssh/uidswap.h
@@ -0,0 +1,36 @@
+/*	$OpenBSD: uidswap.h,v 1.7 2001/04/06 21:00:17 markus Exp $	*/
+
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#ifndef UIDSWAP_H
+#define UIDSWAP_H
+
+/*
+ * Temporarily changes to the given uid.  If the effective user id is not
+ * root, this does nothing.  This call cannot be nested.
+ */
+void    temporarily_use_uid(struct passwd *pw);
+
+/*
+ * Restores the original effective user id after temporarily_use_uid().
+ * This should only be called while temporarily_use_uid is effective.
+ */
+void    restore_uid(void);
+
+/*
+ * Permanently sets all uids to the given uid.  This cannot be called while
+ * temporarily_use_uid is effective.  This must also clear any saved uids.
+ */
+void    permanently_set_uid(struct passwd *pw);
+
+#endif				/* UIDSWAP_H */
diff --git a/crypto/openssh/uuencode.c b/crypto/openssh/uuencode.c
new file mode 100644
index 0000000..1be975a
--- /dev/null
+++ b/crypto/openssh/uuencode.c
@@ -0,0 +1,77 @@
+/*	$OpenBSD: uuencode.c,v 1.12 2001/03/01 02:27:18 deraadt Exp $	*/
+
+/*
+ * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+#include "xmalloc.h"
+#include "uuencode.h"
+
+#include <resolv.h>
+
+RCSID("$OpenBSD: uuencode.c,v 1.12 2001/03/01 02:27:18 deraadt Exp $");
+
+int
+uuencode(u_char *src, u_int srclength,
+    char *target, size_t targsize)
+{
+	return __b64_ntop(src, srclength, target, targsize);
+}
+
+int
+uudecode(const char *src, u_char *target, size_t targsize)
+{
+	int len;
+	char *encoded, *p;
+
+	/* copy the 'readonly' source */
+	encoded = xstrdup(src);
+	/* skip whitespace and data */
+	for (p = encoded; *p == ' ' || *p == '\t'; p++)
+		;
+	for (; *p != '\0' && *p != ' ' && *p != '\t'; p++)
+		;
+	/* and remote trailing whitespace because __b64_pton needs this */
+	*p = '\0';
+	len = __b64_pton(encoded, target, targsize);
+	xfree(encoded);
+	return len;
+}
+
+void
+dump_base64(FILE *fp, u_char *data, int len)
+{
+	u_char *buf = xmalloc(2*len);
+	int i, n;
+
+	n = uuencode(data, len, buf, 2*len);
+	for (i = 0; i < n; i++) {
+		fprintf(fp, "%c", buf[i]);
+		if (i % 70 == 69)
+			fprintf(fp, "\n");
+	}
+	if (i % 70 != 69)
+		fprintf(fp, "\n");
+	xfree(buf);
+}
diff --git a/crypto/openssh/uuencode.h b/crypto/openssh/uuencode.h
new file mode 100644
index 0000000..42f83c2
--- /dev/null
+++ b/crypto/openssh/uuencode.h
@@ -0,0 +1,32 @@
+/*	$OpenBSD: uuencode.h,v 1.5 2001/01/29 01:58:19 niklas Exp $	*/
+
+/*
+ * Copyright (c) 1999 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef UUENCODE_H
+#define UUENCODE_H
+int	uuencode(u_char *src, u_int srclength, char *target, size_t targsize);
+int	uudecode(const char *src, u_char *target, size_t targsize);
+void	dump_base64(FILE *fp, u_char *data, int len);
+#endif
diff --git a/crypto/openssh/version.c b/crypto/openssh/version.c
new file mode 100644
index 0000000..392f5ea
--- /dev/null
+++ b/crypto/openssh/version.c
@@ -0,0 +1,59 @@
+/*-
+ * Copyright (c) 2001 Brian Fundakowski Feldman
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include "includes.h"
+#include "version.h"
+#include "xmalloc.h"
+
+RCSID("$FreeBSD$");
+
+static char *version = NULL;
+
+const char *
+ssh_version_get(void) {
+
+	if (version == NULL)
+		version = xstrdup(SSH_VERSION_BASE " " SSH_VERSION_ADDENDUM);
+	return (version);
+}
+
+void
+ssh_version_set_addendum(const char *add) {
+	char *newvers;
+	size_t size;
+
+	if (add != NULL) {
+		size = strlen(SSH_VERSION_BASE) + 1 + strlen(add) + 1;
+		newvers = xmalloc(size);
+		snprintf(newvers, size, "%s %s", SSH_VERSION_BASE, add);
+	} else {
+		newvers = xstrdup(SSH_VERSION_BASE);
+	}
+	if (version != NULL)
+		xfree(version);
+	version = newvers;
+}
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
new file mode 100644
index 0000000..78193d4
--- /dev/null
+++ b/crypto/openssh/version.h
@@ -0,0 +1,12 @@
+/* $FreeBSD$ */
+/* $OpenBSD: version.h,v 1.23 2001/04/24 16:43:16 markus Exp $ */
+
+#ifndef	SSH_VERSION
+
+#define SSH_VERSION		(ssh_version_get())
+#define SSH_VERSION_BASE	"OpenSSH_2.9"
+#define	SSH_VERSION_ADDENDUM	"green@FreeBSD.org 20010608"
+
+const char *ssh_version_get(void);
+void ssh_version_set_addendum(const char *add);
+#endif /* SSH_VERSION */
diff --git a/crypto/openssh/xmalloc.c b/crypto/openssh/xmalloc.c
new file mode 100644
index 0000000..5046627
--- /dev/null
+++ b/crypto/openssh/xmalloc.c
@@ -0,0 +1,69 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Versions of malloc and friends that check their results, and never return
+ * failure (they call fatal if they encounter an error).
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+#include "includes.h"
+RCSID("$OpenBSD: xmalloc.c,v 1.15 2001/04/16 08:05:34 deraadt Exp $");
+
+#include "xmalloc.h"
+#include "log.h"
+
+void *
+xmalloc(size_t size)
+{
+	void *ptr;
+
+	if (size == 0)
+		fatal("xmalloc: zero size");
+	ptr = malloc(size);
+	if (ptr == NULL)
+		fatal("xmalloc: out of memory (allocating %lu bytes)", (u_long) size);
+	return ptr;
+}
+
+void *
+xrealloc(void *ptr, size_t new_size)
+{
+	void *new_ptr;
+
+	if (new_size == 0)
+		fatal("xrealloc: zero size");
+	if (ptr == NULL)
+		new_ptr = malloc(new_size);
+	else
+		new_ptr = realloc(ptr, new_size);
+	if (new_ptr == NULL)
+		fatal("xrealloc: out of memory (new_size %lu bytes)", (u_long) new_size);
+	return new_ptr;
+}
+
+void
+xfree(void *ptr)
+{
+	if (ptr == NULL)
+		fatal("xfree: NULL pointer given as argument");
+	free(ptr);
+}
+
+char *
+xstrdup(const char *str)
+{
+	size_t len = strlen(str) + 1;
+	char *cp;
+
+	if (len == 0)
+		fatal("xstrdup: zero size");
+	cp = xmalloc(len);
+	strlcpy(cp, str, len);
+	return cp;
+}
diff --git a/crypto/openssh/xmalloc.h b/crypto/openssh/xmalloc.h
new file mode 100644
index 0000000..59a598e
--- /dev/null
+++ b/crypto/openssh/xmalloc.h
@@ -0,0 +1,34 @@
+/*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ * Created: Mon Mar 20 22:09:17 1995 ylo
+ *
+ * Versions of malloc and friends that check their results, and never return
+ * failure (they call fatal if they encounter an error).
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ */
+
+/* RCSID("$OpenBSD: xmalloc.h,v 1.5 2000/09/07 20:27:56 deraadt Exp $"); */
+
+#ifndef XMALLOC_H
+#define XMALLOC_H
+
+/* Like malloc, but calls fatal() if out of memory. */
+void   *xmalloc(size_t size);
+
+/* Like realloc, but calls fatal() if out of memory. */
+void   *xrealloc(void *ptr, size_t new_size);
+
+/* Frees memory allocated using xmalloc or xrealloc. */
+void    xfree(void *ptr);
+
+/* Allocates memory using xmalloc, and copies the string into that memory. */
+char   *xstrdup(const char *str);
+
+#endif				/* XMALLOC_H */
diff --git a/crypto/openssl/FREEBSD-Xlist b/crypto/openssl/FREEBSD-Xlist
index 2721c7a..251b224 100644
--- a/crypto/openssl/FREEBSD-Xlist
+++ b/crypto/openssl/FREEBSD-Xlist
@@ -1,25 +1,39 @@
 $FreeBSD$
-*INSTALL.VMS
-*INSTALL.W32
-*VMS/
+INSTALL.MacOS
+INSTALL.VMS
+INSTALL.W32
+MacOS/
+VMS/
 *.bat
 *.com
 */*.bat
 */*.com
-*apps/openssl-vms.cnf
-*crypto/bf/asm/b-win32.asm
-*crypto/bn/asm/bn-win32.asm
-*crypto/bn/asm/vms.mar
-*crypto/bn/asm/x86w16.asm
-*crypto/bn/asm/x86w32.asm
-*crypto/bn/vms-helper.c
-*crypto/cast/asm/c-win32.asm
-*crypto/des/asm/d-win32.asm
-*crypto/des/asm/y-win32.asm
-*crypto/des/des-lib.com
-*crypto/md5/asm/m5-win32.asm
-*crypto/rc4/asm/r4-win32.asm
-*crypto/rc5/asm/r5-win32.asm
-*crypto/ripemd/asm/rm-win32.asm
-*crypto/sha/asm/s1-win32.asm
-*ms/
+*/*/*.bat
+*/*/*.com
+apps/openssl-vms.cnf
+crypto/bf/asm/b-win32.asm
+crypto/bn/asm/bn-win32.asm
+crypto/bn/asm/vms.mar
+crypto/bn/asm/x86w16.asm
+crypto/bn/asm/x86w32.asm
+crypto/bn/vms-helper.c
+crypto/cast/asm/c-win32.asm
+crypto/des/asm/d-win32.asm
+crypto/des/asm/y-win32.asm
+crypto/des/des-lib.com
+crypto/dso/dso_vms.c
+crypto/dso/dso_win32.c
+crypto/md5/asm/m5-win32.asm
+crypto/rc4/asm/r4-win32.asm
+crypto/rc5/asm/r5-win32.asm
+crypto/ripemd/asm/rm-win32.asm
+crypto/sha/asm/s1-win32.asm
+crypto/threads/solaris.sh
+ms/
+shlib/Makefile.hpux10-cc
+shlib/hpux10-cc.sh
+shlib/irix.sh
+shlib/solaris-sc4.sh
+shlib/solaris.sh
+shlib/sun.sh
+vms/
diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf
index dbe8cbe..2ba3b2a 100644
--- a/crypto/openssl/apps/openssl.cnf
+++ b/crypto/openssl/apps/openssl.cnf
@@ -2,6 +2,7 @@
 # OpenSSL example configuration file.
 # This is mostly being used for generation of certificate requests.
 #
+# $FreeBSD$
 
 # This definition stops the following lines choking if HOME isn't
 # defined.
diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
index 2900470..4a42aeb 100644
--- a/crypto/openssl/apps/speed.c
+++ b/crypto/openssl/apps/speed.c
@@ -54,6 +54,8 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
  */
 
 /* most of this code has been pilfered from my libdes speed.c program */
@@ -82,12 +84,12 @@
 #include <openssl/rand.h>
 #include <openssl/err.h>
 
-#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
+#if defined(__FreeBSD__)
 # define USE_TOD
 #elif !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
 # define TIMES
 #endif
-#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(MPE) && !defined(__NetBSD__)
+#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(MPE)
 # define TIMEB
 #endif
 
diff --git a/crypto/openssl/crypto/des/des.h b/crypto/openssl/crypto/des/des.h
index 6b8a7ee..6207e08 100644
--- a/crypto/openssl/crypto/des/des.h
+++ b/crypto/openssl/crypto/des/des.h
@@ -54,6 +54,7 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ * $FreeBSD$
  */
 
 #ifndef HEADER_DES_H
@@ -200,6 +201,9 @@ void des_pcbc_encrypt(const unsigned char *input,unsigned char *output,
 DES_LONG des_quad_cksum(const unsigned char *input,des_cblock output[],
 			long length,int out_count,des_cblock *seed);
 void des_random_seed(des_cblock *key);
+int des_new_random_key(des_cblock *key);
+void des_init_random_number_generator(des_cblock *seed);
+void des_rand_data(unsigned char *data, int size);
 int des_random_key(des_cblock *ret);
 int des_read_password(des_cblock *key,const char *prompt,int verify);
 int des_read_2passwords(des_cblock *key1,des_cblock *key2,
diff --git a/crypto/openssl/crypto/des/des_crypt.man b/crypto/openssl/crypto/des/des_crypt.man
index 0ecc416..ed12ff9 100644
--- a/crypto/openssl/crypto/des/des_crypt.man
+++ b/crypto/openssl/crypto/des/des_crypt.man
@@ -1,3 +1,4 @@
+.\" $FreeBSD$
 .TH DES_CRYPT 3 
 .SH NAME
 des_read_password, des_read_2password,
@@ -13,7 +14,7 @@ des_is_weak_key, crypt \- (non USA) DES encryption
 .nf
 .nj
 .ft B
-#include <des.h>
+#include <openssl/des.h>
 .PP
 .B int des_read_password(key,prompt,verify)
 des_cblock *key;
@@ -461,9 +462,9 @@ is a replacement for the normal system crypt.
 It is much faster than the system crypt.
 .PP
 .SH FILES
-/usr/include/des.h
+/usr/include/openssl/des.h
 .br
-/usr/lib/libdes.a
+/usr/lib/libcrypto.a
 .PP
 The encryption routines have been tested on 16bit, 32bit and 64bit
 machines of various endian and even works under VMS.
diff --git a/crypto/openssl/crypto/des/rnd_keys.c b/crypto/openssl/crypto/des/rnd_keys.c
new file mode 100644
index 0000000..c2626c4
--- /dev/null
+++ b/crypto/openssl/crypto/des/rnd_keys.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      Högskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$Id$
+ * $FreeBSD$
+ */
+
+#include <openssl/des.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#ifndef RETSIGTYPE
+#define RETSIGTYPE void
+#define SIGRETURN(x) return
+#else
+#define SIGRETURN(x) return (RETSIGTYPE)(x)
+#endif
+
+/*
+ * Generate "random" data by checksumming a file.
+ *
+ * Returns -1 if there were any problems with permissions or I/O
+ * errors.
+ */
+static
+int
+sumFile (const char *name, int len, void *res)
+{
+  u_int32_t sum[2];
+  u_int32_t buf[1024*2];
+  int fd, i;
+
+  fd = open (name, 0);
+  if (fd < 0)
+    return -1;
+
+  while (len > 0)
+    {
+      int n = read(fd, buf, sizeof(buf));
+      if (n < 0)
+	{
+	  close(fd);
+	  return n;
+	}
+      for (i = 0; i < (n/sizeof(buf[0])); i++)
+	{
+	  sum[0] += buf[i];
+	  i++;
+	  sum[1] += buf[i];
+	}
+      len -= n;
+    }
+  close (fd);
+  memcpy (res, &sum, sizeof(sum));
+  return 0;
+}
+
+/*
+ * Create a sequence of random 64 bit blocks.
+ * The sequence is indexed with a long long and 
+ * based on an initial des key used as a seed.
+ */
+static des_key_schedule sequence_seed;
+static u_int32_t sequence_index[2];
+
+/* 
+ * Random number generator based on ideas from truerand in cryptolib
+ * as described on page 424 in Applied Cryptography 2 ed. by Bruce
+ * Schneier.
+ */
+
+static volatile int counter;
+static volatile unsigned char *gdata; /* Global data */
+static volatile int igdata;	/* Index into global data */
+static int gsize;
+
+#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
+/* Visual C++ 4.0 (Windows95/NT) */
+
+static
+RETSIGTYPE
+sigALRM(int sig)
+{
+    if (igdata < gsize)
+	gdata[igdata++] ^= counter & 0xff;
+
+#ifndef HAVE_SIGACTION
+    signal(SIGALRM, sigALRM); /* Reinstall SysV signal handler */
+#endif
+    SIGRETURN(0);
+}
+
+#endif
+
+#if !defined(HAVE_RANDOM) && defined(HAVE_RAND)
+#ifndef srandom
+#define srandom srand
+#endif
+#ifndef random
+#define random rand
+#endif
+#endif
+
+static void
+des_not_rand_data(unsigned char *data, int size)
+{
+  int i;
+
+  srandom (time (NULL));
+
+  for(i = 0; i < size; ++i)
+    data[i] ^= random() % 0x100;
+}
+
+#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
+
+#ifndef HAVE_SETITIMER
+static void
+pacemaker(struct timeval *tv)
+{
+    fd_set fds;
+    pid_t pid;
+    pid = getppid();
+    while(1){
+	FD_ZERO(&fds);
+	FD_SET(0, &fds);
+	select(1, &fds, NULL, NULL, tv);
+	kill(pid, SIGALRM);
+    }
+}
+#endif
+
+#ifdef HAVE_SIGACTION
+/* XXX ugly hack, should perhaps use function from roken */
+static RETSIGTYPE 
+(*fake_signal(int sig, RETSIGTYPE (*f)(int)))(int)
+{
+    struct sigaction sa, osa;
+    sa.sa_handler = f;
+    sa.sa_flags = 0;
+    sigemptyset(&sa.sa_mask);
+    sigaction(sig, &sa, &osa);
+    return osa.sa_handler;
+}
+#define signal(S, F) fake_signal((S), (F))
+#endif
+
+/*
+ * Generate size bytes of "random" data using timed interrupts.
+ * It takes about 40ms/byte random data.
+ * It's not neccessary to be root to run it.
+ */
+void
+des_rand_data(unsigned char *data, int size)
+{
+    struct itimerval tv;
+#ifdef HAVE_SETITIMER
+    struct itimerval otv;
+#endif
+    RETSIGTYPE (*osa)(int);
+    int i, j;
+#ifndef HAVE_SETITIMER 
+    RETSIGTYPE (*ochld)(int);
+    pid_t pid;
+#endif
+    char *rnd_devices[] = {"/dev/random",
+			   "/dev/srandom",
+			   "/dev/urandom",
+			   NULL};
+    char **p;
+
+    for(p = rnd_devices; *p; p++) {
+      int fd = open(*p, O_RDONLY | O_NDELAY);
+      
+      if(fd >= 0 && read(fd, data, size) == size) {
+	close(fd);
+	return;
+      }
+      close(fd);
+    }
+
+    /* Paranoia? Initialize data from /dev/mem if we can read it. */
+    if (size >= 8)
+      sumFile("/dev/mem", (1024*1024*2), data);
+
+    gdata = data;
+    gsize = size;
+    igdata = 0;
+
+    osa = signal(SIGALRM, sigALRM);
+  
+    /* Start timer */
+    tv.it_value.tv_sec = 0;
+    tv.it_value.tv_usec = 10 * 1000; /* 10 ms */
+    tv.it_interval = tv.it_value;
+#ifdef HAVE_SETITIMER
+    setitimer(ITIMER_REAL, &tv, &otv);
+#else
+    ochld = signal(SIGCHLD, SIG_IGN);
+    pid = fork();
+    if(pid == -1){
+	signal(SIGCHLD, ochld != SIG_ERR ? ochld : SIG_DFL);
+	des_not_rand_data(data, size);
+	return;
+    }
+    if(pid == 0)
+	pacemaker(&tv.it_interval);
+#endif
+
+    for(i = 0; i < 4; i++) {
+	for (igdata = 0; igdata < size;) /* igdata++ in sigALRM */
+	    counter++;
+	for (j = 0; j < size; j++) /* Only use 2 bits each lap */
+	    gdata[j] = (gdata[j]>>2) | (gdata[j]<<6);
+    }
+#ifdef HAVE_SETITIMER
+    setitimer(ITIMER_REAL, &otv, 0);
+#else
+    kill(pid, SIGKILL);
+    while(waitpid(pid, NULL, 0) != pid);
+    signal(SIGCHLD, ochld != SIG_ERR ? ochld : SIG_DFL);
+#endif
+    signal(SIGALRM, osa != SIG_ERR ? osa : SIG_DFL);
+}
+#else
+void
+des_rand_data(unsigned char *p, int s)
+{
+  des_not_rand_data (p, s);
+}
+#endif
+
+void
+des_generate_random_block(des_cblock *block)
+{
+  des_rand_data((unsigned char *)block, sizeof(*block));
+}
+
+/*
+ * Generate a "random" DES key.
+ */
+void
+des_rand_data_key(des_cblock *key)
+{
+    unsigned char data[8];
+    des_key_schedule sched;
+    do {
+	des_rand_data(data, sizeof(data));
+	des_rand_data((unsigned char*)key, sizeof(des_cblock));
+	des_set_odd_parity(key);
+	des_key_sched(key, sched);
+	des_ecb_encrypt(&data, key, sched, DES_ENCRYPT);
+	memset(&data, 0, sizeof(data));
+	memset(&sched, 0, sizeof(sched));
+	des_set_odd_parity(key);
+    } while(des_is_weak_key(key));
+}
+
+/*
+ * Generate "random" data by checksumming /dev/mem
+ *
+ * It's neccessary to be root to run it. Returns -1 if there were any
+ * problems with permissions.
+ */
+int
+des_mem_rand8(unsigned char *data)
+{
+  return 1;
+}
+
+/*
+ * In case the generator does not get initialized use this as fallback.
+ */
+static int initialized;
+
+static void
+do_initialize(void)
+{
+    des_cblock default_seed;
+    do {
+	des_generate_random_block(&default_seed);
+	des_set_odd_parity(&default_seed);
+    } while (des_is_weak_key(&default_seed));
+    des_init_random_number_generator(&default_seed);
+}
+
+#define zero_long_long(ll) do { ll[0] = ll[1] = 0; } while (0)
+
+#define incr_long_long(ll) do { if (++ll[0] == 0) ++ll[1]; } while (0)
+
+#define set_sequence_number(ll) \
+memcpy((char *)sequence_index, (ll), sizeof(sequence_index));
+
+/*
+ * Set the sequnce number to this value (a long long).
+ */
+void
+des_set_sequence_number(unsigned char *ll)
+{
+    set_sequence_number(ll);
+}
+
+/*
+ * Set the generator seed and reset the sequence number to 0.
+ */
+void
+des_set_random_generator_seed(des_cblock *seed)
+{
+    des_key_sched(seed, sequence_seed);
+    zero_long_long(sequence_index);
+    initialized = 1;
+}
+
+/*
+ * Generate a sequence of random des keys
+ * using the random block sequence, fixup
+ * parity and skip weak keys.
+ */
+int
+des_new_random_key(des_cblock *key)
+{
+    if (!initialized)
+	do_initialize();
+
+    do {
+	des_ecb_encrypt((des_cblock *) sequence_index,
+			key,
+			sequence_seed,
+			DES_ENCRYPT);
+	incr_long_long(sequence_index);
+	/* random key must have odd parity and not be weak */
+	des_set_odd_parity(key);
+    } while (des_is_weak_key(key));
+    return(0);
+}
+
+/*
+ * des_init_random_number_generator:
+ *
+ * Initialize the sequence of random 64 bit blocks.  The input seed
+ * can be a secret key since it should be well hidden and is also not
+ * kept.
+ *
+ */
+void 
+des_init_random_number_generator(des_cblock *seed)
+{
+    struct timeval now;
+    des_cblock uniq;
+    des_cblock new_key;
+
+    gettimeofday(&now, (struct timezone *)0);
+    des_generate_random_block(&uniq);
+
+    /* Pick a unique random key from the shared sequence. */
+    des_set_random_generator_seed(seed);
+    set_sequence_number((unsigned char *)&uniq);
+    des_new_random_key(&new_key);
+
+    /* Select a new nonshared sequence, */
+    des_set_random_generator_seed(&new_key);
+
+    /* and use the current time to pick a key for the new sequence. */
+    set_sequence_number((unsigned char *)&now);
+    des_new_random_key(&new_key);
+    des_set_random_generator_seed(&new_key);
+}
+
+#ifdef TESTRUN
+int
+main()
+{
+    unsigned char data[8];
+    int i;
+
+    while (1)
+        {
+	    if (sumFile("/dev/mem", (1024*1024*8), data) != 0)
+	      { perror("sumFile"); exit(1); }
+            for (i = 0; i < 8; i++)
+                printf("%02x", data[i]);
+            printf("\n");
+        }
+}
+#endif
+
+#ifdef TESTRUN2
+int
+main()
+{
+    des_cblock data;
+    int i;
+
+    while (1)
+        {
+	    do_initialize();
+            des_random_key(data);
+            for (i = 0; i < 8; i++)
+                printf("%02x", data[i]);
+            printf("\n");
+        }
+}
+#endif
diff --git a/crypto/openssl/crypto/err/err_all.c b/crypto/openssl/crypto/err/err_all.c
index 638ed3f..5449a31 100644
--- a/crypto/openssl/crypto/err/err_all.c
+++ b/crypto/openssl/crypto/err/err_all.c
@@ -1,4 +1,5 @@
 /* crypto/err/err_all.c */
+/* $FreeBSD$ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h
index 0f27df4..b7820be 100644
--- a/crypto/openssl/crypto/evp/evp.h
+++ b/crypto/openssl/crypto/evp/evp.h
@@ -54,6 +54,8 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
  */
 
 #ifndef HEADER_ENVELOPE_H
@@ -554,9 +556,9 @@ int	EVP_read_pw_string(char *buf,int length,const char *prompt,int verify);
 void	EVP_set_pw_prompt(char *prompt);
 char *	EVP_get_pw_prompt(void);
 
-int     EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md,
-		const unsigned char *salt, const unsigned char *data, int datal,
-       		int count, unsigned char *key, unsigned char *iv);
+int	EVP_BytesToKey(const EVP_CIPHER *type,EVP_MD *md,unsigned char *salt,
+		unsigned char *data, int datal, int count,
+		unsigned char *key,unsigned char *iv);
 
 int	EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
 		unsigned char *key, unsigned char *iv);
diff --git a/crypto/openssl/crypto/idea/Makefile.save b/crypto/openssl/crypto/idea/Makefile.save
index d29bcd6..ac32f13 100644
--- a/crypto/openssl/crypto/idea/Makefile.save
+++ b/crypto/openssl/crypto/idea/Makefile.save
@@ -1,5 +1,6 @@
 #
 # SSLeay/crypto/idea/Makefile
+# $FreeBSD$
 #
 
 DIR=	idea
@@ -39,8 +40,7 @@ all:	lib
 
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	@echo You may get an error following this line.  Please ignore.
-	- $(RANLIB) $(LIB)
+	$(RANLIB) $(LIB)
 	@touch lib
 
 files:
diff --git a/crypto/openssl/crypto/idea/Makefile.ssl b/crypto/openssl/crypto/idea/Makefile.ssl
index d29bcd6..8923d7d 100644
--- a/crypto/openssl/crypto/idea/Makefile.ssl
+++ b/crypto/openssl/crypto/idea/Makefile.ssl
@@ -1,5 +1,6 @@
 #
 # SSLeay/crypto/idea/Makefile
+# $FreeBSD$
 #
 
 DIR=	idea
diff --git a/crypto/openssl/crypto/idea/Makefile.uni b/crypto/openssl/crypto/idea/Makefile.uni
index c83339a..d7c9844 100644
--- a/crypto/openssl/crypto/idea/Makefile.uni
+++ b/crypto/openssl/crypto/idea/Makefile.uni
@@ -2,6 +2,7 @@
 # make          - twidle the options yourself :-)
 # make cc       - standard cc options
 # make gcc      - standard gcc options
+# $FreeBSD$
 
 DIR=    cast
 TOP=    .
diff --git a/crypto/openssl/crypto/idea/i_cbc.c b/crypto/openssl/crypto/idea/i_cbc.c
index ecb9cb8..d141cc2 100644
--- a/crypto/openssl/crypto/idea/i_cbc.c
+++ b/crypto/openssl/crypto/idea/i_cbc.c
@@ -54,6 +54,7 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ * $FreeBSD$
  */
 
 #include <openssl/idea.h>
diff --git a/crypto/openssl/crypto/idea/i_cfb64.c b/crypto/openssl/crypto/idea/i_cfb64.c
index 66d49d5..6f7e364 100644
--- a/crypto/openssl/crypto/idea/i_cfb64.c
+++ b/crypto/openssl/crypto/idea/i_cfb64.c
@@ -54,6 +54,7 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ * $FreeBSD$
  */
 
 #include <openssl/idea.h>
diff --git a/crypto/openssl/crypto/idea/i_ecb.c b/crypto/openssl/crypto/idea/i_ecb.c
index fb613db..3789cb5 100644
--- a/crypto/openssl/crypto/idea/i_ecb.c
+++ b/crypto/openssl/crypto/idea/i_ecb.c
@@ -54,6 +54,7 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ * $FreeBSD$
  */
 
 #include <openssl/idea.h>
diff --git a/crypto/openssl/crypto/idea/i_ofb64.c b/crypto/openssl/crypto/idea/i_ofb64.c
index e749e88..b3397f9 100644
--- a/crypto/openssl/crypto/idea/i_ofb64.c
+++ b/crypto/openssl/crypto/idea/i_ofb64.c
@@ -54,6 +54,7 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ * $FreeBSD$
  */
 
 #include <openssl/idea.h>
diff --git a/crypto/openssl/crypto/idea/i_skey.c b/crypto/openssl/crypto/idea/i_skey.c
index 1c95bc9..5fea5cc 100644
--- a/crypto/openssl/crypto/idea/i_skey.c
+++ b/crypto/openssl/crypto/idea/i_skey.c
@@ -54,6 +54,7 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ * $FreeBSD$
  */
 
 #include <openssl/idea.h>
diff --git a/crypto/openssl/crypto/idea/idea.h b/crypto/openssl/crypto/idea/idea.h
index f14adf8..31d3c89 100644
--- a/crypto/openssl/crypto/idea/idea.h
+++ b/crypto/openssl/crypto/idea/idea.h
@@ -54,6 +54,7 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ * $FreeBSD$
  */
 
 #ifndef HEADER_IDEA_H
diff --git a/crypto/openssl/crypto/idea/idea_lcl.h b/crypto/openssl/crypto/idea/idea_lcl.h
index 463aa36..0190599 100644
--- a/crypto/openssl/crypto/idea/idea_lcl.h
+++ b/crypto/openssl/crypto/idea/idea_lcl.h
@@ -54,6 +54,7 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ * $FreeBSD$
  */
 
 /* The new form of this macro (check if the a*b == 0) was suggested by 
diff --git a/crypto/openssl/crypto/idea/idea_spd.c b/crypto/openssl/crypto/idea/idea_spd.c
index 301946b..aefe178 100644
--- a/crypto/openssl/crypto/idea/idea_spd.c
+++ b/crypto/openssl/crypto/idea/idea_spd.c
@@ -54,6 +54,7 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ * $FreeBSD$
  */
 
 /* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
diff --git a/crypto/openssl/crypto/idea/ideatest.c b/crypto/openssl/crypto/idea/ideatest.c
index 64b9353..810f351 100644
--- a/crypto/openssl/crypto/idea/ideatest.c
+++ b/crypto/openssl/crypto/idea/ideatest.c
@@ -54,6 +54,7 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ * $FreeBSD$
  */
 
 #include <stdio.h>
diff --git a/crypto/openssl/crypto/idea/version b/crypto/openssl/crypto/idea/version
index 3f22293..c269d85 100644
--- a/crypto/openssl/crypto/idea/version
+++ b/crypto/openssl/crypto/idea/version
@@ -1,3 +1,4 @@
+# $FreeBSD$
 1.1 07/12/95 - eay
 	Many thanks to Rhys Weatherley <rweather@us.oracle.com>
 	for pointing out that I was assuming little endian byte
diff --git a/crypto/openssl/crypto/rsa/rsa.h b/crypto/openssl/crypto/rsa/rsa.h
index fef4ef5..880ebfe 100644
--- a/crypto/openssl/crypto/rsa/rsa.h
+++ b/crypto/openssl/crypto/rsa/rsa.h
@@ -1,4 +1,5 @@
 /* crypto/rsa/rsa.h */
+/* $FreeBSD$ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c
index 3e38320..90771dc 100644
--- a/crypto/openssl/crypto/rsa/rsa_eay.c
+++ b/crypto/openssl/crypto/rsa/rsa_eay.c
@@ -1,4 +1,5 @@
 /* crypto/rsa/rsa_eay.c */
+/* $FreeBSD$ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c
index 422643e..5220f5f 100644
--- a/crypto/openssl/crypto/rsa/rsa_lib.c
+++ b/crypto/openssl/crypto/rsa/rsa_lib.c
@@ -1,4 +1,5 @@
 /* crypto/rsa/rsa_lib.c */
+/* $FreeBSD$ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
diff --git a/crypto/openssl/rsaref/Makefile.save b/crypto/openssl/rsaref/Makefile.save
deleted file mode 100644
index 8f27c48..0000000
--- a/crypto/openssl/rsaref/Makefile.save
+++ /dev/null
@@ -1,102 +0,0 @@
-#
-# SSLeay/rsaref/Makefile
-#
-
-DIR=	rsaref
-TOP=	..
-CC=	cc
-INCLUDES= -I../crypto -I../include
-CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKE=		make -f Makefile.ssl
-MAKEDEPEND=	$(TOP)/util/domd $(TOP)
-MAKEFILE=	Makefile.ssl
-AR=		ar r
-
-CFLAGS= $(INCLUDES) $(CFLAG)
-
-GENERAL=Makefile rsaref-lib.com install.com
-TEST=
-APPS=
-
-LIB=$(TOP)/libRSAglue.a
-LIBSRC=	rsaref.c rsar_err.c
-LIBOBJ= rsaref.o rsar_err.o
-
-SRC= $(LIBSRC)
-
-EXHEADER=	rsaref.h
-HEADER=	$(EXHEADER)
-
-ALL=    $(GENERAL) $(SRC) $(HEADER)
-
-top:
-	(cd ..; $(MAKE) DIRS=rsaref all)
-
-all:	lib
-
-lib:	$(LIBOBJ)
-	$(AR) $(LIB) $(LIBOBJ)
-	@echo You may get an error following this line.  Please ignore.
-	- $(RANLIB) $(LIB)
-	@touch lib
-
-files:
-	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
-
-links:
-	@$(TOP)/util/point.sh Makefile.ssl Makefile
-	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
-	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
-
-install:
-	-@if [ "x`echo x $(EX_LIBS) | grep RSAglue`" != x ]; then \
-	    echo "installing libRSAglue.a"; \
-	    cp $(LIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
-	    $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
-	    chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
-	fi
-
-#	@for i in $(EXHEADER) ; \
-#	do  \
-#	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-#	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-#	done;
-
-tags:
-	ctags $(SRC)
-
-tests:
-
-lint:
-	lint -DLINT $(INCLUDES) $(SRC)>fluff
-
-depend:
-	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
-
-dclean:
-	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-	mv -f Makefile.new $(MAKEFILE)
-
-clean:
-	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.
-
-rsar_err.o: ../include/openssl/bio.h ../include/openssl/bn.h
-rsar_err.o: ../include/openssl/crypto.h ../include/openssl/err.h
-rsar_err.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-rsar_err.o: ../include/openssl/opensslv.h ../include/openssl/rsa.h
-rsar_err.o: ../include/openssl/rsaref.h ../include/openssl/safestack.h
-rsar_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rsaref.o: ../crypto/cryptlib.h ../include/openssl/bio.h ../include/openssl/bn.h
-rsaref.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
-rsaref.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-rsaref.o: ../include/openssl/err.h ../include/openssl/lhash.h
-rsaref.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-rsaref.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-rsaref.o: ../include/openssl/rsaref.h ../include/openssl/safestack.h
-rsaref.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
diff --git a/crypto/openssl/rsaref/Makefile.ssl b/crypto/openssl/rsaref/Makefile.ssl
deleted file mode 100644
index 8f27c48..0000000
--- a/crypto/openssl/rsaref/Makefile.ssl
+++ /dev/null
@@ -1,102 +0,0 @@
-#
-# SSLeay/rsaref/Makefile
-#
-
-DIR=	rsaref
-TOP=	..
-CC=	cc
-INCLUDES= -I../crypto -I../include
-CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKE=		make -f Makefile.ssl
-MAKEDEPEND=	$(TOP)/util/domd $(TOP)
-MAKEFILE=	Makefile.ssl
-AR=		ar r
-
-CFLAGS= $(INCLUDES) $(CFLAG)
-
-GENERAL=Makefile rsaref-lib.com install.com
-TEST=
-APPS=
-
-LIB=$(TOP)/libRSAglue.a
-LIBSRC=	rsaref.c rsar_err.c
-LIBOBJ= rsaref.o rsar_err.o
-
-SRC= $(LIBSRC)
-
-EXHEADER=	rsaref.h
-HEADER=	$(EXHEADER)
-
-ALL=    $(GENERAL) $(SRC) $(HEADER)
-
-top:
-	(cd ..; $(MAKE) DIRS=rsaref all)
-
-all:	lib
-
-lib:	$(LIBOBJ)
-	$(AR) $(LIB) $(LIBOBJ)
-	@echo You may get an error following this line.  Please ignore.
-	- $(RANLIB) $(LIB)
-	@touch lib
-
-files:
-	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
-
-links:
-	@$(TOP)/util/point.sh Makefile.ssl Makefile
-	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
-	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
-
-install:
-	-@if [ "x`echo x $(EX_LIBS) | grep RSAglue`" != x ]; then \
-	    echo "installing libRSAglue.a"; \
-	    cp $(LIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
-	    $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
-	    chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/libRSAglue.a; \
-	fi
-
-#	@for i in $(EXHEADER) ; \
-#	do  \
-#	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-#	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-#	done;
-
-tags:
-	ctags $(SRC)
-
-tests:
-
-lint:
-	lint -DLINT $(INCLUDES) $(SRC)>fluff
-
-depend:
-	$(MAKEDEPEND) $(INCLUDES) $(PROGS) $(LIBSRC)
-
-dclean:
-	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-	mv -f Makefile.new $(MAKEFILE)
-
-clean:
-	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.
-
-rsar_err.o: ../include/openssl/bio.h ../include/openssl/bn.h
-rsar_err.o: ../include/openssl/crypto.h ../include/openssl/err.h
-rsar_err.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-rsar_err.o: ../include/openssl/opensslv.h ../include/openssl/rsa.h
-rsar_err.o: ../include/openssl/rsaref.h ../include/openssl/safestack.h
-rsar_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rsaref.o: ../crypto/cryptlib.h ../include/openssl/bio.h ../include/openssl/bn.h
-rsaref.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
-rsaref.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-rsaref.o: ../include/openssl/err.h ../include/openssl/lhash.h
-rsaref.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-rsaref.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-rsaref.o: ../include/openssl/rsaref.h ../include/openssl/safestack.h
-rsaref.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
diff --git a/crypto/openssl/rsaref/rsar_err.c b/crypto/openssl/rsaref/rsar_err.c
deleted file mode 100644
index 5e7871f..0000000
--- a/crypto/openssl/rsaref/rsar_err.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/* rsaref/rsar_err.c */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/rsaref.h>
-
-/* BEGIN ERROR CODES */
-#ifndef NO_ERR
-static ERR_STRING_DATA RSAREF_str_functs[]=
-	{
-{ERR_PACK(0,RSAREF_F_BN_REF_MOD_EXP,0),	"BN_REF_MOD_EXP"},
-{ERR_PACK(0,RSAREF_F_RSAREF_BN2BIN,0),	"RSAREF_BN2BIN"},
-{ERR_PACK(0,RSAREF_F_RSA_BN2BIN,0),	"RSA_BN2BIN"},
-{ERR_PACK(0,RSAREF_F_RSA_PRIVATE_DECRYPT,0),	"RSA_private_decrypt"},
-{ERR_PACK(0,RSAREF_F_RSA_PRIVATE_ENCRYPT,0),	"RSA_private_encrypt"},
-{ERR_PACK(0,RSAREF_F_RSA_PUBLIC_DECRYPT,0),	"RSA_public_decrypt"},
-{ERR_PACK(0,RSAREF_F_RSA_PUBLIC_ENCRYPT,0),	"RSA_public_encrypt"},
-{ERR_PACK(0,RSAREF_F_RSA_REF_BN2BIN,0),	"RSA_REF_BN2BIN"},
-{ERR_PACK(0,RSAREF_F_RSA_REF_MOD_EXP,0),	"RSA_REF_MOD_EXP"},
-{ERR_PACK(0,RSAREF_F_RSA_REF_PRIVATE_DECRYPT,0),	"RSA_REF_PRIVATE_DECRYPT"},
-{ERR_PACK(0,RSAREF_F_RSA_REF_PRIVATE_ENCRYPT,0),	"RSA_REF_PRIVATE_ENCRYPT"},
-{ERR_PACK(0,RSAREF_F_RSA_REF_PUBLIC_DECRYPT,0),	"RSA_REF_PUBLIC_DECRYPT"},
-{ERR_PACK(0,RSAREF_F_RSA_REF_PUBLIC_ENCRYPT,0),	"RSA_REF_PUBLIC_ENCRYPT"},
-{0,NULL}
-	};
-
-static ERR_STRING_DATA RSAREF_str_reasons[]=
-	{
-{RSAREF_R_CONTENT_ENCODING               ,"content encoding"},
-{RSAREF_R_DATA                           ,"data"},
-{RSAREF_R_DIGEST_ALGORITHM               ,"digest algorithm"},
-{RSAREF_R_ENCODING                       ,"encoding"},
-{RSAREF_R_ENCRYPTION_ALGORITHM           ,"encryption algorithm"},
-{RSAREF_R_KEY                            ,"key"},
-{RSAREF_R_KEY_ENCODING                   ,"key encoding"},
-{RSAREF_R_LEN                            ,"len"},
-{RSAREF_R_MODULUS_LEN                    ,"modulus len"},
-{RSAREF_R_NEED_RANDOM                    ,"need random"},
-{RSAREF_R_PRIVATE_KEY                    ,"private key"},
-{RSAREF_R_PUBLIC_KEY                     ,"public key"},
-{RSAREF_R_SIGNATURE                      ,"signature"},
-{RSAREF_R_SIGNATURE_ENCODING             ,"signature encoding"},
-{0,NULL}
-	};
-
-#endif
-
-void ERR_load_RSAREF_strings(void)
-	{
-	static int init=1;
-
-	if (init)
-		{
-		init=0;
-#ifndef NO_ERR
-		ERR_load_strings(ERR_LIB_RSAREF,RSAREF_str_functs);
-		ERR_load_strings(ERR_LIB_RSAREF,RSAREF_str_reasons);
-#endif
-
-		}
-	}
diff --git a/crypto/openssl/rsaref/rsaref.c b/crypto/openssl/rsaref/rsaref.c
deleted file mode 100644
index ae70feb..0000000
--- a/crypto/openssl/rsaref/rsaref.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/* rsaref/rsaref.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef NO_RSA
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include <openssl/rsaref.h>
-#include <openssl/rand.h>
-
-static int RSAref_bn2bin(BIGNUM * from, unsigned char* to, int max);
-#ifdef undef
-static BIGNUM* RSAref_bin2bn(unsigned char* from, BIGNUM * to, int max);
-#endif
-static int RSAref_Public_eay2ref(RSA * from, RSArefPublicKey * to);
-static int RSAref_Private_eay2ref(RSA * from, RSArefPrivateKey * to);
-int RSA_ref_private_decrypt(int len, unsigned char *from,
-	unsigned char *to, RSA *rsa, int padding);
-int RSA_ref_private_encrypt(int len, unsigned char *from,
-	unsigned char *to, RSA *rsa, int padding);
-int RSA_ref_public_encrypt(int len, unsigned char *from,
-	unsigned char *to, RSA *rsa, int padding);
-int RSA_ref_public_decrypt(int len, unsigned char *from,
-	unsigned char *to, RSA *rsa, int padding);
-static int BN_ref_mod_exp(BIGNUM *r,BIGNUM *a,const BIGNUM *p,const BIGNUM *m,
-			  BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-static int RSA_ref_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa);
-static RSA_METHOD rsa_pkcs1_ref_meth={
-	"RSAref PKCS#1 RSA",
-	RSA_ref_public_encrypt,
-	RSA_ref_public_decrypt,
-	RSA_ref_private_encrypt,
-	RSA_ref_private_decrypt,
-	RSA_ref_mod_exp,
-	BN_ref_mod_exp,
-	NULL,
-	NULL,
-	0,
-	NULL,
-	};
-
-RSA_METHOD *RSA_PKCS1_RSAref(void)
-	{
-	return(&rsa_pkcs1_ref_meth);
-	}
-
-static int RSA_ref_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
-	{
-	RSAREFerr(RSAREF_F_RSA_REF_MOD_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-	return(0);
-	}
-
-static int BN_ref_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
-	{
-	RSAREFerr(RSAREF_F_BN_REF_MOD_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-	return(0);
-	}
-
-/* unsigned char *to:  [max]    */
-static int RSAref_bn2bin(BIGNUM *from, unsigned char *to, int max)
-	{
-	int i;
-
-	i=BN_num_bytes(from);
-	if (i > max)
-		{
-		RSAREFerr(RSAREF_F_RSAREF_BN2BIN,RSAREF_R_LEN);
-		return(0);
-		}
-
-	memset(to,0,(unsigned int)max);
-	if (!BN_bn2bin(from,&(to[max-i])))
-		return(0);
-	return(1);
-	}
-
-#ifdef undef
-/* unsigned char *from:  [max]    */
-static BIGNUM *RSAref_bin2bn(unsigned char *from, BIGNUM *to, int max)
-	{
-	int i;
-	BIGNUM *ret;
-
-	for (i=0; i<max; i++)
-		if (from[i]) break;
-
-	ret=BN_bin2bn(&(from[i]),max-i,to);
-	return(ret);
-	}
-
-static int RSAref_Public_ref2eay(RSArefPublicKey *from, RSA *to)
-	{
-	to->n=RSAref_bin2bn(from->m,NULL,RSAref_MAX_LEN);
-	to->e=RSAref_bin2bn(from->e,NULL,RSAref_MAX_LEN);
-	if ((to->n == NULL) || (to->e == NULL)) return(0);
-	return(1);
-	}
-#endif
-
-static int RSAref_Public_eay2ref(RSA *from, RSArefPublicKey *to)
-	{
-	to->bits=BN_num_bits(from->n);
-	if (!RSAref_bn2bin(from->n,to->m,RSAref_MAX_LEN)) return(0);
-	if (!RSAref_bn2bin(from->e,to->e,RSAref_MAX_LEN)) return(0);
-	return(1);
-	}
-
-#ifdef undef
-static int RSAref_Private_ref2eay(RSArefPrivateKey *from, RSA *to)
-	{
-	if ((to->n=RSAref_bin2bn(from->m,NULL,RSAref_MAX_LEN)) == NULL)
-		return(0);
-	if ((to->e=RSAref_bin2bn(from->e,NULL,RSAref_MAX_LEN)) == NULL)
-		return(0);
-	if ((to->d=RSAref_bin2bn(from->d,NULL,RSAref_MAX_LEN)) == NULL)
-		return(0);
-	if ((to->p=RSAref_bin2bn(from->prime[0],NULL,RSAref_MAX_PLEN)) == NULL)
-		return(0);
-	if ((to->q=RSAref_bin2bn(from->prime[1],NULL,RSAref_MAX_PLEN)) == NULL)
-		return(0);
-	if ((to->dmp1=RSAref_bin2bn(from->pexp[0],NULL,RSAref_MAX_PLEN))
-		== NULL)
-		return(0);
-	if ((to->dmq1=RSAref_bin2bn(from->pexp[1],NULL,RSAref_MAX_PLEN))
-		== NULL)
-		return(0);
-	if ((to->iqmp=RSAref_bin2bn(from->coef,NULL,RSAref_MAX_PLEN)) == NULL)
-		return(0);
-	return(1);
-	}
-#endif
-
-static int RSAref_Private_eay2ref(RSA *from, RSArefPrivateKey *to)
-	{
-	to->bits=BN_num_bits(from->n);
-	if (!RSAref_bn2bin(from->n,to->m,RSAref_MAX_LEN)) return(0);
-	if (!RSAref_bn2bin(from->e,to->e,RSAref_MAX_LEN)) return(0);
-	if (!RSAref_bn2bin(from->d,to->d,RSAref_MAX_LEN)) return(0);
-	if (!RSAref_bn2bin(from->p,to->prime[0],RSAref_MAX_PLEN)) return(0);
-	if (!RSAref_bn2bin(from->q,to->prime[1],RSAref_MAX_PLEN)) return(0);
-	if (!RSAref_bn2bin(from->dmp1,to->pexp[0],RSAref_MAX_PLEN)) return(0);
-	if (!RSAref_bn2bin(from->dmq1,to->pexp[1],RSAref_MAX_PLEN)) return(0);
-	if (!RSAref_bn2bin(from->iqmp,to->coef,RSAref_MAX_PLEN)) return(0);
-	return(1);
-	}
-
-int RSA_ref_private_decrypt(int len, unsigned char *from, unsigned char *to,
-	     RSA *rsa, int padding)
-	{
-	int i,outlen= -1;
-	RSArefPrivateKey RSAkey;
-
-	if (!RSAref_Private_eay2ref(rsa,&RSAkey))
-		goto err;
-	if ((i=RSAPrivateDecrypt(to,&outlen,from,len,&RSAkey)) != 0)
-		{
-		RSAREFerr(RSAREF_F_RSA_REF_PRIVATE_DECRYPT,i);
-		outlen= -1;
-		}
-err:
-	memset(&RSAkey,0,sizeof(RSAkey));
-	return(outlen);
-	}
-
-int RSA_ref_private_encrypt(int len, unsigned char *from, unsigned char *to,
-	     RSA *rsa, int padding)
-	{
-	int i,outlen= -1;
-	RSArefPrivateKey RSAkey;
-
-	if (padding != RSA_PKCS1_PADDING)
-		{
-		RSAREFerr(RSAREF_F_RSA_REF_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
-		goto err;
-	}
-	if (!RSAref_Private_eay2ref(rsa,&RSAkey))
-		goto err;
-	if ((i=RSAPrivateEncrypt(to,&outlen,from,len,&RSAkey)) != 0)
-		{
-		RSAREFerr(RSAREF_F_RSA_REF_PRIVATE_ENCRYPT,i);
-		outlen= -1;
-		}
-err:
-	memset(&RSAkey,0,sizeof(RSAkey));
-	return(outlen);
-	}
-
-int RSA_ref_public_decrypt(int len, unsigned char *from, unsigned char *to,
-	     RSA *rsa, int padding)
-	{
-	int i,outlen= -1;
-	RSArefPublicKey RSAkey;
-
-	if (!RSAref_Public_eay2ref(rsa,&RSAkey))
-		goto err;
-	if ((i=RSAPublicDecrypt(to,&outlen,from,len,&RSAkey)) != 0)
-		{
-		RSAREFerr(RSAREF_F_RSA_REF_PUBLIC_DECRYPT,i);
-		outlen= -1;
-		}
-err:
-	memset(&RSAkey,0,sizeof(RSAkey));
-	return(outlen);
-	}
-
-int RSA_ref_public_encrypt(int len, unsigned char *from, unsigned char *to,
-	     RSA *rsa, int padding)
-	{
-	int outlen= -1;
-	int i;
-	RSArefPublicKey RSAkey;
-	RSARandomState rnd;
-	unsigned char buf[16];
-
-	if (padding != RSA_PKCS1_PADDING && padding != RSA_SSLV23_PADDING) 
-		{
-		RSAREFerr(RSAREF_F_RSA_REF_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
-		goto err;
-		}
-	
-	R_RandomInit(&rnd);
-	R_GetRandomBytesNeeded((unsigned int *)&i,&rnd);
-	while (i > 0)
-		{
-		if (RAND_bytes(buf,16) <= 0)
-			goto err;
-		R_RandomUpdate(&rnd,buf,(unsigned int)((i>16)?16:i));
-		i-=16;
-		}
-
-	if (!RSAref_Public_eay2ref(rsa,&RSAkey))
-		goto err;
-	if ((i=RSAPublicEncrypt(to,&outlen,from,len,&RSAkey,&rnd)) != 0)
-		{
-		RSAREFerr(RSAREF_F_RSA_REF_PUBLIC_ENCRYPT,i);
-		outlen= -1;
-		goto err;
-		}
-err:
-	memset(&RSAkey,0,sizeof(RSAkey));
-	R_RandomFinal(&rnd);
-	memset(&rnd,0,sizeof(rnd));
-	return(outlen);
-	}
-#else /* !NO_RSA */
-
-# if PEDANTIC
-static void *dummy=&dummy;
-# endif
-
-#endif
diff --git a/crypto/openssl/rsaref/rsaref.h b/crypto/openssl/rsaref/rsaref.h
deleted file mode 100644
index 498449f..0000000
--- a/crypto/openssl/rsaref/rsaref.h
+++ /dev/null
@@ -1,180 +0,0 @@
-/* rsaref/rsaref.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_RSAREF_H
-#define HEADER_RSAREF_H
-
-#ifndef NO_RSA
-#include <openssl/rsa.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
- 
-/* RSAeuro */
-/*#define  RSAref_MAX_BITS		2048*/
-
-/* RSAref */
-#define  RSAref_MAX_BITS		1024
-
-#define RSAref_MIN_BITS		508
-#define RSAref_MAX_LEN		((RSAref_MAX_BITS+7)/8)
-#define RSAref_MAX_PBITS	(RSAref_MAX_BITS+1)/2
-#define RSAref_MAX_PLEN		((RSAref_MAX_PBITS+7)/8)
-
-typedef struct RSArefPublicKey_st
-	{
-	unsigned int bits;
-	unsigned char m[RSAref_MAX_LEN];
-	unsigned char e[RSAref_MAX_LEN];
-	} RSArefPublicKey;
-
-typedef struct RSArefPrivateKey_st
-	{
-	unsigned int bits;
-	unsigned char m[RSAref_MAX_LEN];
-	unsigned char e[RSAref_MAX_LEN];
-	unsigned char d[RSAref_MAX_LEN];
-	unsigned char prime[2][RSAref_MAX_PLEN];/* p & q */
-	unsigned char pexp[2][RSAref_MAX_PLEN];	/* dmp1 & dmq1 */
-	unsigned char coef[RSAref_MAX_PLEN];	/* iqmp */
-	} RSArefPrivateKey;
-
-typedef struct RSARandomState_st
-	{
-	unsigned int needed;
-	unsigned char state[16];
-	unsigned int outputnum;
-	unsigned char output[16];
-	} RSARandomState;
-
-#define RE_CONTENT_ENCODING 0x0400
-#define RE_DATA 0x0401
-#define RE_DIGEST_ALGORITHM 0x0402
-#define RE_ENCODING 0x0403
-#define RE_KEY 0x0404
-#define RE_KEY_ENCODING 0x0405
-#define RE_LEN 0x0406
-#define RE_MODULUS_LEN 0x0407
-#define RE_NEED_RANDOM 0x0408
-#define RE_PRIVATE_KEY 0x0409
-#define RE_PUBLIC_KEY 0x040a
-#define RE_SIGNATURE 0x040b
-#define RE_SIGNATURE_ENCODING 0x040c
-#define RE_ENCRYPTION_ALGORITHM 0x040d
-
-int RSAPrivateDecrypt(unsigned char *to, int *outlen, unsigned char *from,
-	int len, RSArefPrivateKey *RSAkey);
-int RSAPrivateEncrypt(unsigned char *to, int *outlen, unsigned char *from,
-	int len, RSArefPrivateKey *RSAkey);
-int RSAPublicDecrypt(unsigned char *to, int *outlen, unsigned char *from,
-	int len, RSArefPublicKey *RSAkey);
-int RSAPublicEncrypt(unsigned char *to, int *outlen, unsigned char *from,
-	int len, RSArefPublicKey *RSAkey,RSARandomState *rnd);
-int R_RandomInit(RSARandomState *rnd);
-int R_GetRandomBytesNeeded(unsigned int *,RSARandomState *rnd);
-int R_RandomUpdate(RSARandomState *rnd, unsigned char *data, unsigned int n);
-int R_RandomFinal(RSARandomState *rnd);
-
-void ERR_load_RSAREF_strings(void );
-RSA_METHOD *RSA_PKCS1_RSAref(void );
-
-#ifdef  __cplusplus
-}
-#endif
-#endif
-
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-
-/* Error codes for the RSAREF functions. */
-
-/* Function codes. */
-#define RSAREF_F_BN_REF_MOD_EXP				 100
-#define RSAREF_F_RSAREF_BN2BIN				 101
-#define RSAREF_F_RSA_BN2BIN				 102
-#define RSAREF_F_RSA_PRIVATE_DECRYPT			 103
-#define RSAREF_F_RSA_PRIVATE_ENCRYPT			 104
-#define RSAREF_F_RSA_PUBLIC_DECRYPT			 105
-#define RSAREF_F_RSA_PUBLIC_ENCRYPT			 106
-#define RSAREF_F_RSA_REF_BN2BIN				 107
-#define RSAREF_F_RSA_REF_MOD_EXP			 108
-#define RSAREF_F_RSA_REF_PRIVATE_DECRYPT		 109
-#define RSAREF_F_RSA_REF_PRIVATE_ENCRYPT		 110
-#define RSAREF_F_RSA_REF_PUBLIC_DECRYPT			 111
-#define RSAREF_F_RSA_REF_PUBLIC_ENCRYPT			 112
-
-/* Reason codes. */
-#define RSAREF_R_CONTENT_ENCODING			 0x0400
-#define RSAREF_R_DATA					 0x0401
-#define RSAREF_R_DIGEST_ALGORITHM			 0x0402
-#define RSAREF_R_ENCODING				 0x0403
-#define RSAREF_R_ENCRYPTION_ALGORITHM			 0x040d
-#define RSAREF_R_KEY					 0x0404
-#define RSAREF_R_KEY_ENCODING				 0x0405
-#define RSAREF_R_LEN					 0x0406
-#define RSAREF_R_MODULUS_LEN				 0x0407
-#define RSAREF_R_NEED_RANDOM				 0x0408
-#define RSAREF_R_PRIVATE_KEY				 0x0409
-#define RSAREF_R_PUBLIC_KEY				 0x040a
-#define RSAREF_R_SIGNATURE				 0x040b
-#define RSAREF_R_SIGNATURE_ENCODING			 0x040c
-
-#endif
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
index 5050a13..8a3daaf 100644
--- a/crypto/openssl/ssl/s23_clnt.c
+++ b/crypto/openssl/ssl/s23_clnt.c
@@ -54,6 +54,8 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
  */
 
 #include <stdio.h>
diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c
index ad2d8da..fe7e2d1 100644
--- a/crypto/openssl/ssl/s23_lib.c
+++ b/crypto/openssl/ssl/s23_lib.c
@@ -54,6 +54,8 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
  */
 
 #include <stdio.h>
diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
index 0506182..2dbf614 100644
--- a/crypto/openssl/ssl/s23_srvr.c
+++ b/crypto/openssl/ssl/s23_srvr.c
@@ -54,6 +54,8 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
  */
 
 #include <stdio.h>
diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c
index 28d6d65..3ddc231 100644
--- a/crypto/openssl/ssl/s2_clnt.c
+++ b/crypto/openssl/ssl/s2_clnt.c
@@ -54,6 +54,8 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
  */
 
 #include "ssl_locl.h"
diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c
index 35acdf8..7643f96 100644
--- a/crypto/openssl/ssl/s2_enc.c
+++ b/crypto/openssl/ssl/s2_enc.c
@@ -54,6 +54,8 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
  */
 
 #include "ssl_locl.h"
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
index a590dbf..a524dab 100644
--- a/crypto/openssl/ssl/s2_lib.c
+++ b/crypto/openssl/ssl/s2_lib.c
@@ -54,6 +54,8 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
  */
 
 #include "ssl_locl.h"
diff --git a/crypto/openssl/ssl/s2_meth.c b/crypto/openssl/ssl/s2_meth.c
index deb9e1d..01cc05f 100644
--- a/crypto/openssl/ssl/s2_meth.c
+++ b/crypto/openssl/ssl/s2_meth.c
@@ -54,6 +54,8 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
  */
 
 #include "ssl_locl.h"
diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c
index f2f46ff..6e37903 100644
--- a/crypto/openssl/ssl/s2_pkt.c
+++ b/crypto/openssl/ssl/s2_pkt.c
@@ -107,6 +107,7 @@
  * (eay@cryptsoft.com).  This product includes software written by Tim
  * Hudson (tjh@cryptsoft.com).
  *
+ * $FreeBSD$
  */
 
 #include "ssl_locl.h"
diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c
index 2fa2f31..2f3ec61 100644
--- a/crypto/openssl/ssl/s2_srvr.c
+++ b/crypto/openssl/ssl/s2_srvr.c
@@ -54,6 +54,8 @@
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
+ *
+ * $FreeBSD$
  */
 
 #include "ssl_locl.h"
@@ -405,13 +407,12 @@ static int get_client_master_key(SSL *s)
 	/* bad decrypt */
 #if 1
 	/* If a bad decrypt, continue with protocol but with a
-	 * random master secret (Bleichenbacher attack) */
+	 * dud master secret */
 	if ((i < 0) ||
 		((!is_export && (i != EVP_CIPHER_key_length(c)))
 		|| (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
 			EVP_CIPHER_key_length(c))))))
 		{
-		ERR_clear_error();
 		if (is_export)
 			i=ek;
 		else
diff --git a/crypto/openssl/util/pl/Mingw32.pl b/crypto/openssl/util/pl/Mingw32.pl
index 37f3612..02a5086 100644
--- a/crypto/openssl/util/pl/Mingw32.pl
+++ b/crypto/openssl/util/pl/Mingw32.pl
@@ -1,6 +1,7 @@
 #!/usr/local/bin/perl
 #
 # Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools) 
+# $FreeBSD$
 #
 
 $o='/';
diff --git a/crypto/telnet/arpa/telnet.h b/crypto/telnet/arpa/telnet.h
new file mode 100644
index 0000000..b8d3856
--- /dev/null
+++ b/crypto/telnet/arpa/telnet.h
@@ -0,0 +1,342 @@
+/*
+ * Copyright (c) 1983, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)telnet.h	8.2 (Berkeley) 12/15/93
+ * $FreeBSD$
+ */
+
+#ifndef _ARPA_TELNET_H_
+#define	_ARPA_TELNET_H_
+
+/*
+ * Definitions for the TELNET protocol.
+ */
+#define	IAC	255		/* interpret as command: */
+#define	DONT	254		/* you are not to use option */
+#define	DO	253		/* please, you use option */
+#define	WONT	252		/* I won't use option */
+#define	WILL	251		/* I will use option */
+#define	SB	250		/* interpret as subnegotiation */
+#define	GA	249		/* you may reverse the line */
+#define	EL	248		/* erase the current line */
+#define	EC	247		/* erase the current character */
+#define	AYT	246		/* are you there */
+#define	AO	245		/* abort output--but let prog finish */
+#define	IP	244		/* interrupt process--permanently */
+#define	BREAK	243		/* break */
+#define	DM	242		/* data mark--for connect. cleaning */
+#define	NOP	241		/* nop */
+#define	SE	240		/* end sub negotiation */
+#define EOR     239             /* end of record (transparent mode) */
+#define	ABORT	238		/* Abort process */
+#define	SUSP	237		/* Suspend process */
+#define	xEOF	236		/* End of file: EOF is already used... */
+
+#define SYNCH	242		/* for telfunc calls */
+
+#ifdef TELCMDS
+char *telcmds[] = {
+	"EOF", "SUSP", "ABORT", "EOR",
+	"SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC",
+	"EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC",
+	0
+};
+#else
+extern char *telcmds[];
+#endif
+
+#define	TELCMD_FIRST	xEOF
+#define	TELCMD_LAST	IAC
+#define	TELCMD_OK(x)	((unsigned int)(x) <= TELCMD_LAST && \
+			 (unsigned int)(x) >= TELCMD_FIRST)
+#define	TELCMD(x)	telcmds[(x)-TELCMD_FIRST]
+
+/* telnet options */
+#define TELOPT_BINARY	0	/* 8-bit data path */
+#define TELOPT_ECHO	1	/* echo */
+#define	TELOPT_RCP	2	/* prepare to reconnect */
+#define	TELOPT_SGA	3	/* suppress go ahead */
+#define	TELOPT_NAMS	4	/* approximate message size */
+#define	TELOPT_STATUS	5	/* give status */
+#define	TELOPT_TM	6	/* timing mark */
+#define	TELOPT_RCTE	7	/* remote controlled transmission and echo */
+#define TELOPT_NAOL 	8	/* negotiate about output line width */
+#define TELOPT_NAOP 	9	/* negotiate about output page size */
+#define TELOPT_NAOCRD	10	/* negotiate about CR disposition */
+#define TELOPT_NAOHTS	11	/* negotiate about horizontal tabstops */
+#define TELOPT_NAOHTD	12	/* negotiate about horizontal tab disposition */
+#define TELOPT_NAOFFD	13	/* negotiate about formfeed disposition */
+#define TELOPT_NAOVTS	14	/* negotiate about vertical tab stops */
+#define TELOPT_NAOVTD	15	/* negotiate about vertical tab disposition */
+#define TELOPT_NAOLFD	16	/* negotiate about output LF disposition */
+#define TELOPT_XASCII	17	/* extended ascic character set */
+#define	TELOPT_LOGOUT	18	/* force logout */
+#define	TELOPT_BM	19	/* byte macro */
+#define	TELOPT_DET	20	/* data entry terminal */
+#define	TELOPT_SUPDUP	21	/* supdup protocol */
+#define	TELOPT_SUPDUPOUTPUT 22	/* supdup output */
+#define	TELOPT_SNDLOC	23	/* send location */
+#define	TELOPT_TTYPE	24	/* terminal type */
+#define	TELOPT_EOR	25	/* end or record */
+#define	TELOPT_TUID	26	/* TACACS user identification */
+#define	TELOPT_OUTMRK	27	/* output marking */
+#define	TELOPT_TTYLOC	28	/* terminal location number */
+#define	TELOPT_3270REGIME 29	/* 3270 regime */
+#define	TELOPT_X3PAD	30	/* X.3 PAD */
+#define	TELOPT_NAWS	31	/* window size */
+#define	TELOPT_TSPEED	32	/* terminal speed */
+#define	TELOPT_LFLOW	33	/* remote flow control */
+#define TELOPT_LINEMODE	34	/* Linemode option */
+#define TELOPT_XDISPLOC	35	/* X Display Location */
+#define TELOPT_OLD_ENVIRON 36	/* Old - Environment variables */
+#define	TELOPT_AUTHENTICATION 37/* Authenticate */
+#define	TELOPT_ENCRYPT	38	/* Encryption option */
+#define TELOPT_NEW_ENVIRON 39	/* New - Environment variables */
+#define	TELOPT_EXOPL	255	/* extended-options-list */
+
+
+#define	NTELOPTS	(1+TELOPT_NEW_ENVIRON)
+#ifdef TELOPTS
+char *telopts[NTELOPTS+1] = {
+	"BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME",
+	"STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP",
+	"NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS",
+	"NAOVTD", "NAOLFD", "EXTEND ASCII", "LOGOUT", "BYTE MACRO",
+	"DATA ENTRY TERMINAL", "SUPDUP", "SUPDUP OUTPUT",
+	"SEND LOCATION", "TERMINAL TYPE", "END OF RECORD",
+	"TACACS UID", "OUTPUT MARKING", "TTYLOC",
+	"3270 REGIME", "X.3 PAD", "NAWS", "TSPEED", "LFLOW",
+	"LINEMODE", "XDISPLOC", "OLD-ENVIRON", "AUTHENTICATION",
+	"ENCRYPT", "NEW-ENVIRON",
+	0
+};
+#define	TELOPT_FIRST	TELOPT_BINARY
+#define	TELOPT_LAST	TELOPT_NEW_ENVIRON
+#define	TELOPT_OK(x)	((unsigned int)(x) <= TELOPT_LAST)
+#define	TELOPT(x)	telopts[(x)-TELOPT_FIRST]
+#endif
+
+/* sub-option qualifiers */
+#define	TELQUAL_IS	0	/* option is... */
+#define	TELQUAL_SEND	1	/* send option */
+#define	TELQUAL_INFO	2	/* ENVIRON: informational version of IS */
+#define	TELQUAL_REPLY	2	/* AUTHENTICATION: client version of IS */
+#define	TELQUAL_NAME	3	/* AUTHENTICATION: client version of IS */
+
+#define	LFLOW_OFF		0	/* Disable remote flow control */
+#define	LFLOW_ON		1	/* Enable remote flow control */
+#define	LFLOW_RESTART_ANY	2	/* Restart output on any char */
+#define	LFLOW_RESTART_XON	3	/* Restart output only on XON */
+
+/*
+ * LINEMODE suboptions
+ */
+
+#define	LM_MODE		1
+#define	LM_FORWARDMASK	2
+#define	LM_SLC		3
+
+#define	MODE_EDIT	0x01
+#define	MODE_TRAPSIG	0x02
+#define	MODE_ACK	0x04
+#define MODE_SOFT_TAB	0x08
+#define MODE_LIT_ECHO	0x10
+
+#define	MODE_MASK	0x1f
+
+/* Not part of protocol, but needed to simplify things... */
+#define MODE_FLOW		0x0100
+#define MODE_ECHO		0x0200
+#define MODE_INBIN		0x0400
+#define MODE_OUTBIN		0x0800
+#define MODE_FORCE		0x1000
+
+#define	SLC_SYNCH	1
+#define	SLC_BRK		2
+#define	SLC_IP		3
+#define	SLC_AO		4
+#define	SLC_AYT		5
+#define	SLC_EOR		6
+#define	SLC_ABORT	7
+#define	SLC_EOF		8
+#define	SLC_SUSP	9
+#define	SLC_EC		10
+#define	SLC_EL		11
+#define	SLC_EW		12
+#define	SLC_RP		13
+#define	SLC_LNEXT	14
+#define	SLC_XON		15
+#define	SLC_XOFF	16
+#define	SLC_FORW1	17
+#define	SLC_FORW2	18
+#define SLC_MCL         19
+#define SLC_MCR         20
+#define SLC_MCWL        21
+#define SLC_MCWR        22
+#define SLC_MCBOL       23
+#define SLC_MCEOL       24
+#define SLC_INSRT       25
+#define SLC_OVER        26
+#define SLC_ECR         27
+#define SLC_EWR         28
+#define SLC_EBOL        29
+#define SLC_EEOL        30
+
+#define	NSLC		30
+
+/*
+ * For backwards compatibility, we define SLC_NAMES to be the
+ * list of names if SLC_NAMES is not defined.
+ */
+#define	SLC_NAMELIST	"0", "SYNCH", "BRK", "IP", "AO", "AYT", "EOR", \
+			"ABORT", "EOF", "SUSP", "EC", "EL", "EW", "RP", \
+			"LNEXT", "XON", "XOFF", "FORW1", "FORW2",	\
+			"MCL", "MCR", "MCWL", "MCWR", "MCBOL",		\
+			"MCEOL", "INSRT", "OVER", "ECR", "EWR",		\
+			"EBOL", "EEOL",					\
+			0
+
+#ifdef	SLC_NAMES
+char *slc_names[] = {
+	SLC_NAMELIST
+};
+#else
+extern char *slc_names[];
+#define	SLC_NAMES SLC_NAMELIST
+#endif
+
+#define	SLC_NAME_OK(x)	((unsigned int)(x) <= NSLC)
+#define SLC_NAME(x)	slc_names[x]
+
+#define	SLC_NOSUPPORT	0
+#define	SLC_CANTCHANGE	1
+#define	SLC_VARIABLE	2
+#define	SLC_DEFAULT	3
+#define	SLC_LEVELBITS	0x03
+
+#define	SLC_FUNC	0
+#define	SLC_FLAGS	1
+#define	SLC_VALUE	2
+
+#define	SLC_ACK		0x80
+#define	SLC_FLUSHIN	0x40
+#define	SLC_FLUSHOUT	0x20
+
+#define	OLD_ENV_VAR	1
+#define	OLD_ENV_VALUE	0
+#define	NEW_ENV_VAR	0
+#define	NEW_ENV_VALUE	1
+#define	ENV_ESC		2
+#define ENV_USERVAR	3
+
+/*
+ * AUTHENTICATION suboptions
+ */
+
+/*
+ * Who is authenticating who ...
+ */
+#define	AUTH_WHO_CLIENT		0	/* Client authenticating server */
+#define	AUTH_WHO_SERVER		1	/* Server authenticating client */
+#define	AUTH_WHO_MASK		1
+
+/*
+ * amount of authentication done
+ */
+#define	AUTH_HOW_ONE_WAY	0
+#define	AUTH_HOW_MUTUAL		2
+#define	AUTH_HOW_MASK		2
+
+#define	AUTHTYPE_NULL		0
+#define	AUTHTYPE_KERBEROS_V4	1
+#define	AUTHTYPE_KERBEROS_V5	2
+#define	AUTHTYPE_SPX		3
+#define	AUTHTYPE_MINK		4
+#define AUTHTYPE_SRA		6
+#define	AUTHTYPE_CNT		7
+
+#define	AUTHTYPE_TEST		99
+
+#ifdef	AUTH_NAMES
+char *authtype_names[] = {
+	"NULL", "KERBEROS_V4", "KERBEROS_V5", "SPX", "MINK", NULL, "SRA",
+	0
+};
+#else
+extern char *authtype_names[];
+#endif
+
+#define	AUTHTYPE_NAME_OK(x)	((unsigned int)(x) < AUTHTYPE_CNT)
+#define	AUTHTYPE_NAME(x)	authtype_names[x]
+
+/*
+ * ENCRYPTion suboptions
+ */
+#define	ENCRYPT_IS		0	/* I pick encryption type ... */
+#define	ENCRYPT_SUPPORT		1	/* I support encryption types ... */
+#define	ENCRYPT_REPLY		2	/* Initial setup response */
+#define	ENCRYPT_START		3	/* Am starting to send encrypted */
+#define	ENCRYPT_END		4	/* Am ending encrypted */
+#define	ENCRYPT_REQSTART	5	/* Request you start encrypting */
+#define	ENCRYPT_REQEND		6	/* Request you end encrypting */
+#define	ENCRYPT_ENC_KEYID	7
+#define	ENCRYPT_DEC_KEYID	8
+#define	ENCRYPT_CNT		9
+
+#define	ENCTYPE_ANY		0
+#define	ENCTYPE_DES_CFB64	1
+#define	ENCTYPE_DES_OFB64	2
+#define	ENCTYPE_CNT		3
+
+#ifdef	ENCRYPT_NAMES
+char *encrypt_names[] = {
+	"IS", "SUPPORT", "REPLY", "START", "END",
+	"REQUEST-START", "REQUEST-END", "ENC-KEYID", "DEC-KEYID",
+	0
+};
+char *enctype_names[] = {
+	"ANY", "DES_CFB64",  "DES_OFB64",
+	0
+};
+#else
+extern char *encrypt_names[];
+extern char *enctype_names[];
+#endif
+
+
+#define	ENCRYPT_NAME_OK(x)	((unsigned int)(x) < ENCRYPT_CNT)
+#define	ENCRYPT_NAME(x)		encrypt_names[x]
+
+#define	ENCTYPE_NAME_OK(x)	((unsigned int)(x) < ENCTYPE_CNT)
+#define	ENCTYPE_NAME(x)		enctype_names[x]
+
+#endif /* !_TELNET_H_ */
diff --git a/crypto/telnet/libtelnet/auth-proto.h b/crypto/telnet/libtelnet/auth-proto.h
new file mode 100644
index 0000000..e6b8481
--- /dev/null
+++ b/crypto/telnet/libtelnet/auth-proto.h
@@ -0,0 +1,109 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)auth-proto.h	8.1 (Berkeley) 6/4/93
+ * $FreeBSD$
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#if	!defined(P)
+#ifdef	__STDC__
+#define	P(x)	x
+#else
+#define	P(x)	()
+#endif
+#endif
+
+#if	defined(AUTHENTICATION)
+Authenticator *findauthenticator P((int, int));
+
+void auth_init P((char *, int));
+int auth_cmd P((int, char **));
+void auth_request P((void));
+void auth_send P((unsigned char *, int));
+void auth_send_retry P((void));
+void auth_is P((unsigned char *, int));
+void auth_reply P((unsigned char *, int));
+void auth_finished P((Authenticator *, int));
+int auth_wait P((char *));
+void auth_disable_name P((char *));
+void auth_gen_printsub P((unsigned char *, int, unsigned char *, int));
+void auth_name P((unsigned char *, int));
+void auth_printsub P((unsigned char *, int, unsigned char *, int));
+int auth_sendname P((unsigned char *, int));
+void auth_encrypt_user P((char *));
+
+#ifdef	KRB4
+int kerberos4_init P((Authenticator *, int));
+int kerberos4_send P((Authenticator *));
+void kerberos4_is P((Authenticator *, unsigned char *, int));
+void kerberos4_reply P((Authenticator *, unsigned char *, int));
+int kerberos4_status P((Authenticator *, char *, int));
+void kerberos4_printsub P((unsigned char *, int, unsigned char *, int));
+#endif
+
+#ifdef	KRB5
+int kerberos5_init P((Authenticator *, int));
+int kerberos5_send P((Authenticator *));
+void kerberos5_is P((Authenticator *, unsigned char *, int));
+void kerberos5_reply P((Authenticator *, unsigned char *, int));
+int kerberos5_status P((Authenticator *, char *, int));
+void kerberos5_printsub P((unsigned char *, int, unsigned char *, int));
+#endif
+#ifdef SRA
+int sra_init P((Authenticator *, int));
+int sra_send P((Authenticator *));
+void sra_is P((Authenticator *, unsigned char *, int));
+void sra_reply P((Authenticator *, unsigned char *, int));
+int sra_status P((Authenticator *, char *, int));
+void sra_printsub P((unsigned char *, int, unsigned char *, int));
+#endif
+#endif
diff --git a/crypto/telnet/libtelnet/auth.c b/crypto/telnet/libtelnet/auth.c
new file mode 100644
index 0000000..7140499
--- /dev/null
+++ b/crypto/telnet/libtelnet/auth.c
@@ -0,0 +1,686 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static const char sccsid[] = "@(#)auth.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#if	defined(AUTHENTICATION)
+#include <stdio.h>
+#include <sys/types.h>
+#include <signal.h>
+#define	AUTH_NAMES
+#include <arpa/telnet.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#include <unistd.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc-proto.h"
+#include "auth-proto.h"
+
+#define	typemask(x)		(1<<((x)-1))
+
+#ifdef	KRB4_ENCPWD
+extern krb4encpwd_init();
+extern krb4encpwd_send();
+extern krb4encpwd_is();
+extern krb4encpwd_reply();
+extern krb4encpwd_status();
+extern krb4encpwd_printsub();
+#endif
+
+#ifdef	RSA_ENCPWD
+extern rsaencpwd_init();
+extern rsaencpwd_send();
+extern rsaencpwd_is();
+extern rsaencpwd_reply();
+extern rsaencpwd_status();
+extern rsaencpwd_printsub();
+#endif
+
+int auth_debug_mode = 0;
+static 	char	*Name = "Noname";
+static	int	Server = 0;
+static	Authenticator	*authenticated = 0;
+static	int	authenticating = 0;
+static	int	validuser = 0;
+static	unsigned char	_auth_send_data[256];
+static	unsigned char	*auth_send_data;
+static	int	auth_send_cnt = 0;
+
+int auth_onoff(char *type, int on);
+void auth_encrypt_user(char *name);
+
+/*
+ * Authentication types supported.  Plese note that these are stored
+ * in priority order, i.e. try the first one first.
+ */
+Authenticator authenticators[] = {
+#ifdef	SPX
+	{ AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+				spx_init,
+				spx_send,
+				spx_is,
+				spx_reply,
+				spx_status,
+				spx_printsub },
+	{ AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+				spx_init,
+				spx_send,
+				spx_is,
+				spx_reply,
+				spx_status,
+				spx_printsub },
+#endif
+#ifdef	KRB5
+# ifdef	ENCRYPTION
+	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+				kerberos5_init,
+				kerberos5_send,
+				kerberos5_is,
+				kerberos5_reply,
+				kerberos5_status,
+				kerberos5_printsub },
+# endif	/* ENCRYPTION */
+	{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+				kerberos5_init,
+				kerberos5_send,
+				kerberos5_is,
+				kerberos5_reply,
+				kerberos5_status,
+				kerberos5_printsub },
+#endif
+#ifdef	KRB4
+# ifdef ENCRYPTION
+	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+				kerberos4_init,
+				kerberos4_send,
+				kerberos4_is,
+				kerberos4_reply,
+				kerberos4_status,
+				kerberos4_printsub },
+# endif	/* ENCRYPTION */
+	{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+				kerberos4_init,
+				kerberos4_send,
+				kerberos4_is,
+				kerberos4_reply,
+				kerberos4_status,
+				kerberos4_printsub },
+#endif
+#ifdef	KRB4_ENCPWD
+	{ AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+				krb4encpwd_init,
+				krb4encpwd_send,
+				krb4encpwd_is,
+				krb4encpwd_reply,
+				krb4encpwd_status,
+				krb4encpwd_printsub },
+#endif
+#ifdef	RSA_ENCPWD
+	{ AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+				rsaencpwd_init,
+				rsaencpwd_send,
+				rsaencpwd_is,
+				rsaencpwd_reply,
+				rsaencpwd_status,
+				rsaencpwd_printsub },
+#endif
+#ifdef SRA
+	{ AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+				sra_init,
+				sra_send,
+				sra_is,
+				sra_reply,
+				sra_status,
+				sra_printsub },
+
+#endif
+	{ 0, },
+};
+
+static Authenticator NoAuth = { 0 };
+
+static int	i_support = 0;
+static int	i_wont_support = 0;
+
+	Authenticator *
+findauthenticator(type, way)
+	int type;
+	int way;
+{
+	Authenticator *ap = authenticators;
+
+	while (ap->type && (ap->type != type || ap->way != way))
+		++ap;
+	return(ap->type ? ap : 0);
+}
+
+	void
+auth_init(name, server)
+	char *name;
+	int server;
+{
+	Authenticator *ap = authenticators;
+
+	Server = server;
+	Name = name;
+
+	i_support = 0;
+	authenticated = 0;
+	authenticating = 0;
+	while (ap->type) {
+		if (!ap->init || (*ap->init)(ap, server)) {
+			i_support |= typemask(ap->type);
+			if (auth_debug_mode)
+				printf(">>>%s: I support auth type %d %d\r\n",
+					Name,
+					ap->type, ap->way);
+		}
+		else if (auth_debug_mode)
+			printf(">>>%s: Init failed: auth type %d %d\r\n",
+				Name, ap->type, ap->way);
+		++ap;
+	}
+}
+
+	void
+auth_disable_name(name)
+	char *name;
+{
+	int x;
+	for (x = 0; x < AUTHTYPE_CNT; ++x) {
+		if (AUTHTYPE_NAME(x) && !strcasecmp(name, AUTHTYPE_NAME(x))) {
+			i_wont_support |= typemask(x);
+			break;
+		}
+	}
+}
+
+	int
+getauthmask(type, maskp)
+	char *type;
+	int *maskp;
+{
+	register int x;
+
+	if (AUTHTYPE_NAME(0) && !strcasecmp(type, AUTHTYPE_NAME(0))) {
+		*maskp = -1;
+		return(1);
+	}
+
+	for (x = 1; x < AUTHTYPE_CNT; ++x) {
+		if (AUTHTYPE_NAME(x) && !strcasecmp(type, AUTHTYPE_NAME(x))) {
+			*maskp = typemask(x);
+			return(1);
+		}
+	}
+	return(0);
+}
+
+	int
+auth_enable(type)
+	char *type;
+{
+	return(auth_onoff(type, 1));
+}
+
+	int
+auth_disable(type)
+	char *type;
+{
+	return(auth_onoff(type, 0));
+}
+
+	int
+auth_onoff(type, on)
+	char *type;
+	int on;
+{
+	int i, mask = -1;
+	Authenticator *ap;
+
+	if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
+		printf("auth %s 'type'\n", on ? "enable" : "disable");
+		printf("Where 'type' is one of:\n");
+		printf("\t%s\n", AUTHTYPE_NAME(0));
+		mask = 0;
+		for (ap = authenticators; ap->type; ap++) {
+			if ((mask & (i = typemask(ap->type))) != 0)
+				continue;
+			mask |= i;
+			printf("\t%s\n", AUTHTYPE_NAME(ap->type));
+		}
+		return(0);
+	}
+
+	if (!getauthmask(type, &mask)) {
+		printf("%s: invalid authentication type\n", type);
+		return(0);
+	}
+	if (on)
+		i_wont_support &= ~mask;
+	else
+		i_wont_support |= mask;
+	return(1);
+}
+
+	int
+auth_togdebug(on)
+	int on;
+{
+	if (on < 0)
+		auth_debug_mode ^= 1;
+	else
+		auth_debug_mode = on;
+	printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
+	return(1);
+}
+
+	int
+auth_status()
+{
+	Authenticator *ap;
+	int i, mask;
+
+	if (i_wont_support == -1)
+		printf("Authentication disabled\n");
+	else
+		printf("Authentication enabled\n");
+
+	mask = 0;
+	for (ap = authenticators; ap->type; ap++) {
+		if ((mask & (i = typemask(ap->type))) != 0)
+			continue;
+		mask |= i;
+		printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
+			(i_wont_support & typemask(ap->type)) ?
+					"disabled" : "enabled");
+	}
+	return(1);
+}
+
+/*
+ * This routine is called by the server to start authentication
+ * negotiation.
+ */
+	void
+auth_request()
+{
+	static unsigned char str_request[64] = { IAC, SB,
+						 TELOPT_AUTHENTICATION,
+						 TELQUAL_SEND, };
+	Authenticator *ap = authenticators;
+	unsigned char *e = str_request + 4;
+
+	if (!authenticating) {
+		authenticating = 1;
+		while (ap->type) {
+			if (i_support & ~i_wont_support & typemask(ap->type)) {
+				if (auth_debug_mode) {
+					printf(">>>%s: Sending type %d %d\r\n",
+						Name, ap->type, ap->way);
+				}
+				*e++ = ap->type;
+				*e++ = ap->way;
+			}
+			++ap;
+		}
+		*e++ = IAC;
+		*e++ = SE;
+		net_write(str_request, e - str_request);
+		printsub('>', &str_request[2], e - str_request - 2);
+	}
+}
+
+/*
+ * This is called when an AUTH SEND is received.
+ * It should never arrive on the server side (as only the server can
+ * send an AUTH SEND).
+ * You should probably respond to it if you can...
+ *
+ * If you want to respond to the types out of order (i.e. even
+ * if he sends  LOGIN KERBEROS and you support both, you respond
+ * with KERBEROS instead of LOGIN (which is against what the
+ * protocol says)) you will have to hack this code...
+ */
+	void
+auth_send(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Authenticator *ap;
+	static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
+					    TELQUAL_IS, AUTHTYPE_NULL, 0,
+					    IAC, SE };
+	if (Server) {
+		if (auth_debug_mode) {
+			printf(">>>%s: auth_send called!\r\n", Name);
+		}
+		return;
+	}
+
+	if (auth_debug_mode) {
+		printf(">>>%s: auth_send got:", Name);
+		printd(data, cnt); printf("\r\n");
+	}
+
+	/*
+	 * Save the data, if it is new, so that we can continue looking
+	 * at it if the authorization we try doesn't work
+	 */
+	if (data < _auth_send_data ||
+	    data > _auth_send_data + sizeof(_auth_send_data)) {
+		auth_send_cnt = cnt > sizeof(_auth_send_data)
+					? sizeof(_auth_send_data)
+					: cnt;
+		memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
+		auth_send_data = _auth_send_data;
+	} else {
+		/*
+		 * This is probably a no-op, but we just make sure
+		 */
+		auth_send_data = data;
+		auth_send_cnt = cnt;
+	}
+	while ((auth_send_cnt -= 2) >= 0) {
+		if (auth_debug_mode)
+			printf(">>>%s: He supports %d\r\n",
+				Name, *auth_send_data);
+		if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
+			ap = findauthenticator(auth_send_data[0],
+					       auth_send_data[1]);
+			if (ap && ap->send) {
+				if (auth_debug_mode)
+					printf(">>>%s: Trying %d %d\r\n",
+						Name, auth_send_data[0],
+							auth_send_data[1]);
+				if ((*ap->send)(ap)) {
+					/*
+					 * Okay, we found one we like
+					 * and did it.
+					 * we can go home now.
+					 */
+					if (auth_debug_mode)
+						printf(">>>%s: Using type %d\r\n",
+							Name, *auth_send_data);
+					auth_send_data += 2;
+					return;
+				}
+			}
+			/* else
+			 *	just continue on and look for the
+			 *	next one if we didn't do anything.
+			 */
+		}
+		auth_send_data += 2;
+	}
+	net_write(str_none, sizeof(str_none));
+	printsub('>', &str_none[2], sizeof(str_none) - 2);
+	if (auth_debug_mode)
+		printf(">>>%s: Sent failure message\r\n", Name);
+	auth_finished(0, AUTH_REJECT);
+#ifdef KANNAN
+	/*
+	 *  We requested strong authentication, however no mechanisms worked.
+	 *  Therefore, exit on client end.
+	 */
+	printf("Unable to securely authenticate user ... exit\n");
+	exit(0);
+#endif /* KANNAN */
+}
+
+	void
+auth_send_retry()
+{
+	/*
+	 * if auth_send_cnt <= 0 then auth_send will end up rejecting
+	 * the authentication and informing the other side of this.
+	 */
+	auth_send(auth_send_data, auth_send_cnt);
+}
+
+	void
+auth_is(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Authenticator *ap;
+
+	if (cnt < 2)
+		return;
+
+	if (data[0] == AUTHTYPE_NULL) {
+		auth_finished(0, AUTH_REJECT);
+		return;
+	}
+
+	if ((ap = findauthenticator(data[0], data[1]))) {
+		if (ap->is)
+			(*ap->is)(ap, data+2, cnt-2);
+	} else if (auth_debug_mode)
+		printf(">>>%s: Invalid authentication in IS: %d\r\n",
+			Name, *data);
+}
+
+	void
+auth_reply(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Authenticator *ap;
+
+	if (cnt < 2)
+		return;
+
+	if ((ap = findauthenticator(data[0], data[1]))) {
+		if (ap->reply)
+			(*ap->reply)(ap, data+2, cnt-2);
+	} else if (auth_debug_mode)
+		printf(">>>%s: Invalid authentication in SEND: %d\r\n",
+			Name, *data);
+}
+
+	void
+auth_name(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	unsigned char savename[256];
+
+	if (cnt < 1) {
+		if (auth_debug_mode)
+			printf(">>>%s: Empty name in NAME\r\n", Name);
+		return;
+	}
+	if (cnt > sizeof(savename) - 1) {
+		if (auth_debug_mode)
+			printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
+					Name, cnt, sizeof(savename)-1);
+		return;
+	}
+	memmove((void *)savename, (void *)data, cnt);
+	savename[cnt] = '\0';	/* Null terminate */
+	if (auth_debug_mode)
+		printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
+	auth_encrypt_user(savename);
+}
+
+	int
+auth_sendname(cp, len)
+	unsigned char *cp;
+	int len;
+{
+	static unsigned char str_request[256+6]
+			= { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
+	register unsigned char *e = str_request + 4;
+	register unsigned char *ee = &str_request[sizeof(str_request)-2];
+
+	while (--len >= 0) {
+		if ((*e++ = *cp++) == IAC)
+			*e++ = IAC;
+		if (e >= ee)
+			return(0);
+	}
+	*e++ = IAC;
+	*e++ = SE;
+	net_write(str_request, e - str_request);
+	printsub('>', &str_request[2], e - &str_request[2]);
+	return(1);
+}
+
+	void
+auth_finished(ap, result)
+	Authenticator *ap;
+	int result;
+{
+	if (!(authenticated = ap))
+		authenticated = &NoAuth;
+	validuser = result;
+}
+
+	/* ARGSUSED */
+	static void
+auth_intr(sig)
+	int sig;
+{
+	auth_finished(0, AUTH_REJECT);
+}
+
+	int
+auth_wait(name)
+	char *name;
+{
+	if (auth_debug_mode)
+		printf(">>>%s: in auth_wait.\r\n", Name);
+
+	if (Server && !authenticating)
+		return(0);
+
+	(void) signal(SIGALRM, auth_intr);
+	alarm(30);
+	while (!authenticated)
+		if (telnet_spin())
+			break;
+	alarm(0);
+	(void) signal(SIGALRM, SIG_DFL);
+
+	/*
+	 * Now check to see if the user is valid or not
+	 */
+	if (!authenticated || authenticated == &NoAuth)
+		return(AUTH_REJECT);
+
+	if (validuser == AUTH_VALID)
+		validuser = AUTH_USER;
+
+	if (authenticated->status)
+		validuser = (*authenticated->status)(authenticated,
+						     name, validuser);
+	return(validuser);
+}
+
+	void
+auth_debug(mode)
+	int mode;
+{
+	auth_debug_mode = mode;
+}
+
+	void
+auth_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	Authenticator *ap;
+
+	if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
+		(*ap->printsub)(data, cnt, buf, buflen);
+	else
+		auth_gen_printsub(data, cnt, buf, buflen);
+}
+
+	void
+auth_gen_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	register unsigned char *cp;
+	unsigned char tbuf[16];
+
+	cnt -= 3;
+	data += 3;
+	buf[buflen-1] = '\0';
+	buf[buflen-2] = '*';
+	buflen -= 2;
+	for (; cnt > 0; cnt--, data++) {
+		sprintf((char *)tbuf, " %d", *data);
+		for (cp = tbuf; *cp && buflen > 0; --buflen)
+			*buf++ = *cp++;
+		if (buflen <= 0)
+			return;
+	}
+	*buf = '\0';
+}
+#endif
diff --git a/crypto/telnet/libtelnet/auth.h b/crypto/telnet/libtelnet/auth.h
new file mode 100644
index 0000000..615e8a0
--- /dev/null
+++ b/crypto/telnet/libtelnet/auth.h
@@ -0,0 +1,87 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)auth.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifndef	__AUTH__
+#define	__AUTH__
+
+#define	AUTH_REJECT	0	/* Rejected */
+#define	AUTH_UNKNOWN	1	/* We don't know who he is, but he's okay */
+#define	AUTH_OTHER	2	/* We know him, but not his name */
+#define	AUTH_USER	3	/* We know he name */
+#define	AUTH_VALID	4	/* We know him, and he needs no password */
+
+#if	!defined(P)
+#ifdef	__STDC__
+#define P(x)	x
+#else
+#define P(x)	()
+#endif
+#endif
+
+typedef struct XauthP {
+	int	type;
+	int	way;
+	int	(*init) P((struct XauthP *, int));
+	int	(*send) P((struct XauthP *));
+	void	(*is) P((struct XauthP *, unsigned char *, int));
+	void	(*reply) P((struct XauthP *, unsigned char *, int));
+	int	(*status) P((struct XauthP *, char *, int));
+	void	(*printsub) P((unsigned char *, int, unsigned char *, int));
+} Authenticator;
+
+#include "auth-proto.h"
+
+extern auth_debug_mode;
+#endif
diff --git a/crypto/telnet/libtelnet/enc-proto.h b/crypto/telnet/libtelnet/enc-proto.h
new file mode 100644
index 0000000..bbbc07c
--- /dev/null
+++ b/crypto/telnet/libtelnet/enc-proto.h
@@ -0,0 +1,129 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)enc-proto.h	8.1 (Berkeley) 6/4/93
+ * $FreeBSD$
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+#if	!defined(P)
+#ifdef	__STDC__
+#define	P(x)	x
+#else
+#define	P(x)	()
+#endif
+#endif
+
+#ifdef	ENCRYPTION
+void encrypt_init P((char *, int));
+Encryptions *findencryption P((int));
+void encrypt_send_supprt P((void));
+void encrypt_auto P((int));
+void decrypt_auto P((int));
+void encrypt_is P((unsigned char *, int));
+void encrypt_reply P((unsigned char *, int));
+void encrypt_start_input P((int));
+void encrypt_session_key P((Session_Key *, int));
+void encrypt_end_input P((void));
+void encrypt_start_output P((int));
+void encrypt_end_output P((void));
+void encrypt_send_request_start P((void));
+void encrypt_send_request_end P((void));
+void encrypt_send_end P((void));
+void encrypt_wait P((void));
+void encrypt_send_support P((void));
+void encrypt_send_keyid P((int, unsigned char *, int, int));
+void encrypt_start P((unsigned char *, int));
+void encrypt_end P((void));
+void encrypt_support P((unsigned char *, int));
+void encrypt_request_start P((unsigned char *, int));
+void encrypt_request_end P((void));
+void encrypt_enc_keyid P((unsigned char *, int));
+void encrypt_dec_keyid P((unsigned char *, int));
+void encrypt_printsub P((unsigned char *, int, unsigned char *, int));
+int net_write P((unsigned char *, int));
+
+#ifndef	TELENTD
+int encrypt_cmd P((int, char **));
+void encrypt_display P((void));
+#endif
+
+#ifdef DES_ENCRYPTION
+void krbdes_encrypt P((unsigned char *, int));
+int krbdes_decrypt P((int));
+int krbdes_is P((unsigned char *, int));
+int krbdes_reply P((unsigned char *, int));
+void krbdes_init P((int));
+int krbdes_start P((int, int));
+void krbdes_session P((Session_Key *, int));
+void krbdes_printsub P((unsigned char *, int, unsigned char *, int));
+
+void cfb64_encrypt P((unsigned char *, int));
+int cfb64_decrypt P((int));
+void cfb64_init P((int));
+int cfb64_start P((int, int));
+int cfb64_is P((unsigned char *, int));
+int cfb64_reply P((unsigned char *, int));
+void cfb64_session P((Session_Key *, int));
+int cfb64_keyid P((int, unsigned char *, int *));
+void cfb64_printsub P((unsigned char *, int, unsigned char *, int));
+
+void ofb64_encrypt P((unsigned char *, int));
+int ofb64_decrypt P((int));
+void ofb64_init P((int));
+int ofb64_start P((int, int));
+int ofb64_is P((unsigned char *, int));
+int ofb64_reply P((unsigned char *, int));
+void ofb64_session P((Session_Key *, int));
+int ofb64_keyid P((int, unsigned char *, int *));
+void ofb64_printsub P((unsigned char *, int, unsigned char *, int));
+#endif /* DES_ENCRYPTION */
+
+#endif	/* ENCRYPTION */
diff --git a/crypto/telnet/libtelnet/enc_des.c b/crypto/telnet/libtelnet/enc_des.c
new file mode 100644
index 0000000..c0f669b
--- /dev/null
+++ b/crypto/telnet/libtelnet/enc_des.c
@@ -0,0 +1,722 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static const char sccsid[] = "@(#)enc_des.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+#ifdef	ENCRYPTION
+# ifdef	AUTHENTICATION
+#  ifdef DES_ENCRYPTION
+#include <arpa/telnet.h>
+#include <stdio.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+
+#include <openssl/des.h>
+#include <string.h>
+#include "encrypt.h"
+#include "key-proto.h"
+#include "misc-proto.h"
+
+extern encrypt_debug_mode;
+
+#define	CFB	0
+#define	OFB	1
+
+#define	NO_SEND_IV	1
+#define	NO_RECV_IV	2
+#define	NO_KEYID	4
+#define	IN_PROGRESS	(NO_SEND_IV|NO_RECV_IV|NO_KEYID)
+#define	SUCCESS		0
+#define	FAILED		-1
+
+
+struct fb {
+	Block krbdes_key;
+	Schedule krbdes_sched;
+	Block temp_feed;
+	unsigned char fb_feed[64];
+	int need_start;
+	int state[2];
+	int keyid[2];
+	int once;
+	struct stinfo {
+		Block		str_output;
+		Block		str_feed;
+		Block		str_iv;
+		Block		str_ikey;
+		Schedule	str_sched;
+		int		str_index;
+		int		str_flagshift;
+	} streams[2];
+};
+
+static struct fb fb[2];
+
+struct keyidlist {
+	char	*keyid;
+	int	keyidlen;
+	char	*key;
+	int	keylen;
+	int	flags;
+} keyidlist [] = {
+	{ "\0", 1, 0, 0, 0 },		/* default key of zero */
+	{ 0, 0, 0, 0, 0 }
+};
+
+#define	KEYFLAG_MASK	03
+
+#define	KEYFLAG_NOINIT	00
+#define	KEYFLAG_INIT	01
+#define	KEYFLAG_OK	02
+#define	KEYFLAG_BAD	03
+
+#define	KEYFLAG_SHIFT	2
+
+#define	SHIFT_VAL(a,b)	(KEYFLAG_SHIFT*((a)+((b)*2)))
+
+#define	FB64_IV		1
+#define	FB64_IV_OK	2
+#define	FB64_IV_BAD	3
+
+
+void fb64_stream_iv P((Block, struct stinfo *));
+void fb64_init P((struct fb *));
+static int fb64_start P((struct fb *, int, int));
+int fb64_is P((unsigned char *, int, struct fb *));
+int fb64_reply P((unsigned char *, int, struct fb *));
+static void fb64_session P((Session_Key *, int, struct fb *));
+void fb64_stream_key P((Block, struct stinfo *));
+int fb64_keyid P((int, unsigned char *, int *, struct fb *));
+
+	void
+cfb64_init(server)
+	int server;
+{
+	fb64_init(&fb[CFB]);
+	fb[CFB].fb_feed[4] = ENCTYPE_DES_CFB64;
+	fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, CFB);
+	fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, CFB);
+}
+
+	void
+ofb64_init(server)
+	int server;
+{
+	fb64_init(&fb[OFB]);
+	fb[OFB].fb_feed[4] = ENCTYPE_DES_OFB64;
+	fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, OFB);
+	fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, OFB);
+}
+
+	void
+fb64_init(fbp)
+	register struct fb *fbp;
+{
+	memset((void *)fbp, 0, sizeof(*fbp));
+	fbp->state[0] = fbp->state[1] = FAILED;
+	fbp->fb_feed[0] = IAC;
+	fbp->fb_feed[1] = SB;
+	fbp->fb_feed[2] = TELOPT_ENCRYPT;
+	fbp->fb_feed[3] = ENCRYPT_IS;
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ *	 2: Not yet.  Other things (like getting the key from
+ *	    Kerberos) have to happen before we can continue.
+ */
+	int
+cfb64_start(dir, server)
+	int dir;
+	int server;
+{
+	return(fb64_start(&fb[CFB], dir, server));
+}
+	int
+ofb64_start(dir, server)
+	int dir;
+	int server;
+{
+	return(fb64_start(&fb[OFB], dir, server));
+}
+
+	static int
+fb64_start(fbp, dir, server)
+	struct fb *fbp;
+	int dir;
+	int server;
+{
+	int x;
+	unsigned char *p;
+	register int state;
+
+	switch (dir) {
+	case DIR_DECRYPT:
+		/*
+		 * This is simply a request to have the other side
+		 * start output (our input).  He will negotiate an
+		 * IV so we need not look for it.
+		 */
+		state = fbp->state[dir-1];
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		break;
+
+	case DIR_ENCRYPT:
+		state = fbp->state[dir-1];
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		else if ((state & NO_SEND_IV) == 0)
+			break;
+
+		if (!VALIDKEY(fbp->krbdes_key)) {
+			fbp->need_start = 1;
+			break;
+		}
+		state &= ~NO_SEND_IV;
+		state |= NO_RECV_IV;
+		if (encrypt_debug_mode)
+			printf("Creating new feed\r\n");
+		/*
+		 * Create a random feed and send it over.
+		 */
+		des_new_random_key((Block *)fbp->temp_feed);
+		des_ecb_encrypt((Block *)fbp->temp_feed, (Block *)fbp->temp_feed,
+				fbp->krbdes_sched, 1);
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_IS;
+		p++;
+		*p++ = FB64_IV;
+		for (x = 0; x < sizeof(Block); ++x) {
+			if ((*p++ = fbp->temp_feed[x]) == IAC)
+				*p++ = IAC;
+		}
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		net_write(fbp->fb_feed, p - fbp->fb_feed);
+		break;
+	default:
+		return(FAILED);
+	}
+	return(fbp->state[dir-1] = state);
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ */
+	int
+cfb64_is(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	return(fb64_is(data, cnt, &fb[CFB]));
+}
+	int
+ofb64_is(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	return(fb64_is(data, cnt, &fb[OFB]));
+}
+
+	int
+fb64_is(data, cnt, fbp)
+	unsigned char *data;
+	int cnt;
+	struct fb *fbp;
+{
+	unsigned char *p;
+	register int state = fbp->state[DIR_DECRYPT-1];
+
+	if (cnt-- < 1)
+		goto failure;
+
+	switch (*data++) {
+	case FB64_IV:
+		if (cnt != sizeof(Block)) {
+			if (encrypt_debug_mode)
+				printf("CFB64: initial vector failed on size\r\n");
+			state = FAILED;
+			goto failure;
+		}
+
+		if (encrypt_debug_mode)
+			printf("CFB64: initial vector received\r\n");
+
+		if (encrypt_debug_mode)
+			printf("Initializing Decrypt stream\r\n");
+
+		fb64_stream_iv((void *)data, &fbp->streams[DIR_DECRYPT-1]);
+
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_REPLY;
+		p++;
+		*p++ = FB64_IV_OK;
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+		state = fbp->state[DIR_DECRYPT-1] = IN_PROGRESS;
+		break;
+
+	default:
+		if (encrypt_debug_mode) {
+			printf("Unknown option type: %d\r\n", *(data-1));
+			printd(data, cnt);
+			printf("\r\n");
+		}
+		/* FALL THROUGH */
+	failure:
+		/*
+		 * We failed.  Send an FB64_IV_BAD option
+		 * to the other side so it will know that
+		 * things failed.
+		 */
+		p = fbp->fb_feed + 3;
+		*p++ = ENCRYPT_REPLY;
+		p++;
+		*p++ = FB64_IV_BAD;
+		*p++ = IAC;
+		*p++ = SE;
+		printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+		net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+		break;
+	}
+	return(fbp->state[DIR_DECRYPT-1] = state);
+}
+
+/*
+ * Returns:
+ *	-1: some error.  Negotiation is done, encryption not ready.
+ *	 0: Successful, initial negotiation all done.
+ *	 1: successful, negotiation not done yet.
+ */
+	int
+cfb64_reply(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	return(fb64_reply(data, cnt, &fb[CFB]));
+}
+	int
+ofb64_reply(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	return(fb64_reply(data, cnt, &fb[OFB]));
+}
+
+
+	int
+fb64_reply(data, cnt, fbp)
+	unsigned char *data;
+	int cnt;
+	struct fb *fbp;
+{
+	register int state = fbp->state[DIR_ENCRYPT-1];
+
+	if (cnt-- < 1)
+		goto failure;
+
+	switch (*data++) {
+	case FB64_IV_OK:
+		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+		if (state == FAILED)
+			state = IN_PROGRESS;
+		state &= ~NO_RECV_IV;
+		encrypt_send_keyid(DIR_ENCRYPT, (unsigned char *)"\0", 1, 1);
+		break;
+
+	case FB64_IV_BAD:
+		memset(fbp->temp_feed, 0, sizeof(Block));
+		fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+		state = FAILED;
+		break;
+
+	default:
+		if (encrypt_debug_mode) {
+			printf("Unknown option type: %d\r\n", data[-1]);
+			printd(data, cnt);
+			printf("\r\n");
+		}
+		/* FALL THROUGH */
+	failure:
+		state = FAILED;
+		break;
+	}
+	return(fbp->state[DIR_ENCRYPT-1] = state);
+}
+
+	void
+cfb64_session(key, server)
+	Session_Key *key;
+	int server;
+{
+	fb64_session(key, server, &fb[CFB]);
+}
+
+	void
+ofb64_session(key, server)
+	Session_Key *key;
+	int server;
+{
+	fb64_session(key, server, &fb[OFB]);
+}
+
+	static void
+fb64_session(key, server, fbp)
+	Session_Key *key;
+	int server;
+	struct fb *fbp;
+{
+
+	if (!key || key->type != SK_DES) {
+		if (encrypt_debug_mode)
+			printf("Can't set krbdes's session key (%d != %d)\r\n",
+				key ? key->type : -1, SK_DES);
+		return;
+	}
+	memmove((void *)fbp->krbdes_key, (void *)key->data, sizeof(Block));
+
+	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_ENCRYPT-1]);
+	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
+
+	if (fbp->once == 0) {
+		des_set_random_generator_seed((Block *)fbp->krbdes_key);
+		fbp->once = 1;
+	}
+	des_key_sched((Block *)fbp->krbdes_key, fbp->krbdes_sched);
+	/*
+	 * Now look to see if krbdes_start() was was waiting for
+	 * the key to show up.  If so, go ahead an call it now
+	 * that we have the key.
+	 */
+	if (fbp->need_start) {
+		fbp->need_start = 0;
+		fb64_start(fbp, DIR_ENCRYPT, server);
+	}
+}
+
+/*
+ * We only accept a keyid of 0.  If we get a keyid of
+ * 0, then mark the state as SUCCESS.
+ */
+	int
+cfb64_keyid(dir, kp, lenp)
+	int dir, *lenp;
+	unsigned char *kp;
+{
+	return(fb64_keyid(dir, kp, lenp, &fb[CFB]));
+}
+
+	int
+ofb64_keyid(dir, kp, lenp)
+	int dir, *lenp;
+	unsigned char *kp;
+{
+	return(fb64_keyid(dir, kp, lenp, &fb[OFB]));
+}
+
+	int
+fb64_keyid(dir, kp, lenp, fbp)
+	int dir, *lenp;
+	unsigned char *kp;
+	struct fb *fbp;
+{
+	register int state = fbp->state[dir-1];
+
+	if (*lenp != 1 || (*kp != '\0')) {
+		*lenp = 0;
+		return(state);
+	}
+
+	if (state == FAILED)
+		state = IN_PROGRESS;
+
+	state &= ~NO_KEYID;
+
+	return(fbp->state[dir-1] = state);
+}
+
+	void
+fb64_printsub(data, cnt, buf, buflen, type)
+	unsigned char *data, *buf, *type;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+	char *cp;
+
+	buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
+	buflen -= 1;
+
+	switch(data[2]) {
+	case FB64_IV:
+		sprintf(lbuf, "%s_IV", type);
+		cp = lbuf;
+		goto common;
+
+	case FB64_IV_OK:
+		sprintf(lbuf, "%s_IV_OK", type);
+		cp = lbuf;
+		goto common;
+
+	case FB64_IV_BAD:
+		sprintf(lbuf, "%s_IV_BAD", type);
+		cp = lbuf;
+		goto common;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[2]);
+		cp = lbuf;
+	common:
+		for (; (buflen > 0) && (*buf = *cp++); buf++)
+			buflen--;
+		for (i = 3; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			for (cp = lbuf; (buflen > 0) && (*buf = *cp++); buf++)
+				buflen--;
+		}
+		break;
+	}
+}
+
+	void
+cfb64_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	fb64_printsub(data, cnt, buf, buflen, "CFB64");
+}
+
+	void
+ofb64_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	fb64_printsub(data, cnt, buf, buflen, "OFB64");
+}
+
+	void
+fb64_stream_iv(seed, stp)
+	Block seed;
+	register struct stinfo *stp;
+{
+
+	memmove((void *)stp->str_iv, (void *)seed, sizeof(Block));
+	memmove((void *)stp->str_output, (void *)seed, sizeof(Block));
+
+	des_key_sched((Block *)stp->str_ikey, stp->str_sched);
+
+	stp->str_index = sizeof(Block);
+}
+
+	void
+fb64_stream_key(key, stp)
+	Block key;
+	register struct stinfo *stp;
+{
+	memmove((void *)stp->str_ikey, (void *)key, sizeof(Block));
+	des_key_sched((Block *)key, stp->str_sched);
+
+	memmove((void *)stp->str_output, (void *)stp->str_iv, sizeof(Block));
+
+	stp->str_index = sizeof(Block);
+}
+
+/*
+ * DES 64 bit Cipher Feedback
+ *
+ *     key --->+-----+
+ *          +->| DES |--+
+ *          |  +-----+  |
+ *	    |           v
+ *  INPUT --(--------->(+)+---> DATA
+ *          |             |
+ *	    +-------------+
+ *
+ *
+ * Given:
+ *	iV: Initial vector, 64 bits (8 bytes) long.
+ *	Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ *	On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ *	V0 = DES(iV, key)
+ *	On = Dn ^ Vn
+ *	V(n+1) = DES(On, key)
+ */
+
+	void
+cfb64_encrypt(s, c)
+	register unsigned char *s;
+	int c;
+{
+	register struct stinfo *stp = &fb[CFB].streams[DIR_ENCRYPT-1];
+	register int index;
+
+	index = stp->str_index;
+	while (c-- > 0) {
+		if (index == sizeof(Block)) {
+			Block b;
+			des_ecb_encrypt((Block *)stp->str_output, (Block *)b, stp->str_sched, 1);
+			memmove((void *)stp->str_feed, (void *)b, sizeof(Block));
+			index = 0;
+		}
+
+		/* On encryption, we store (feed ^ data) which is cypher */
+		*s = stp->str_output[index] = (stp->str_feed[index] ^ *s);
+		s++;
+		index++;
+	}
+	stp->str_index = index;
+}
+
+	int
+cfb64_decrypt(data)
+	int data;
+{
+	register struct stinfo *stp = &fb[CFB].streams[DIR_DECRYPT-1];
+	int index;
+
+	if (data == -1) {
+		/*
+		 * Back up one byte.  It is assumed that we will
+		 * never back up more than one byte.  If we do, this
+		 * may or may not work.
+		 */
+		if (stp->str_index)
+			--stp->str_index;
+		return(0);
+	}
+
+	index = stp->str_index++;
+	if (index == sizeof(Block)) {
+		Block b;
+		des_ecb_encrypt((Block *)stp->str_output, (Block *)b, stp->str_sched, 1);
+		memmove((void *)stp->str_feed, (void *)b, sizeof(Block));
+		stp->str_index = 1;	/* Next time will be 1 */
+		index = 0;		/* But now use 0 */
+	}
+
+	/* On decryption we store (data) which is cypher. */
+	stp->str_output[index] = data;
+	return(data ^ stp->str_feed[index]);
+}
+
+/*
+ * DES 64 bit Output Feedback
+ *
+ * key --->+-----+
+ *	+->| DES |--+
+ *	|  +-----+  |
+ *	+-----------+
+ *	            v
+ *  INPUT -------->(+) ----> DATA
+ *
+ * Given:
+ *	iV: Initial vector, 64 bits (8 bytes) long.
+ *	Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ *	On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ *	V0 = DES(iV, key)
+ *	V(n+1) = DES(Vn, key)
+ *	On = Dn ^ Vn
+ */
+	void
+ofb64_encrypt(s, c)
+	register unsigned char *s;
+	int c;
+{
+	register struct stinfo *stp = &fb[OFB].streams[DIR_ENCRYPT-1];
+	register int index;
+
+	index = stp->str_index;
+	while (c-- > 0) {
+		if (index == sizeof(Block)) {
+			Block b;
+			des_ecb_encrypt((Block *)stp->str_feed, (Block *)b, stp->str_sched, 1);
+			memmove((void *)stp->str_feed, (void *)b, sizeof(Block));
+			index = 0;
+		}
+		*s++ ^= stp->str_feed[index];
+		index++;
+	}
+	stp->str_index = index;
+}
+
+	int
+ofb64_decrypt(data)
+	int data;
+{
+	register struct stinfo *stp = &fb[OFB].streams[DIR_DECRYPT-1];
+	int index;
+
+	if (data == -1) {
+		/*
+		 * Back up one byte.  It is assumed that we will
+		 * never back up more than one byte.  If we do, this
+		 * may or may not work.
+		 */
+		if (stp->str_index)
+			--stp->str_index;
+		return(0);
+	}
+
+	index = stp->str_index++;
+	if (index == sizeof(Block)) {
+		Block b;
+		des_ecb_encrypt((Block *)stp->str_feed, (Block *)b, stp->str_sched, 1);
+		memmove((void *)stp->str_feed, (void *)b, sizeof(Block));
+		stp->str_index = 1;	/* Next time will be 1 */
+		index = 0;		/* But now use 0 */
+	}
+
+	return(data ^ stp->str_feed[index]);
+}
+#  endif /* DES_ENCRYPTION */
+# endif	/* AUTHENTICATION */
+#endif	/* ENCRYPTION */
diff --git a/crypto/telnet/libtelnet/encrypt.c b/crypto/telnet/libtelnet/encrypt.c
new file mode 100644
index 0000000..bb3a43c
--- /dev/null
+++ b/crypto/telnet/libtelnet/encrypt.c
@@ -0,0 +1,1028 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)encrypt.c	8.2 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifdef	ENCRYPTION
+
+#define	ENCRYPT_NAMES
+#include <stdio.h>
+#include <arpa/telnet.h>
+
+#include "encrypt.h"
+#include "misc.h"
+
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+/*
+ * These functions pointers point to the current routines
+ * for encrypting and decrypting data.
+ */
+void	(*encrypt_output) P((unsigned char *, int));
+int	(*decrypt_input) P((int));
+
+int EncryptType(char *type, char *mode);
+int EncryptStart(char *mode);
+int EncryptStop(char *mode);
+int EncryptStartInput(void);
+int EncryptStartOutput(void);
+int EncryptStopInput(void);
+int EncryptStopOutput(void);
+
+int Ambiguous(char **s);
+int isprefix(char *s1, char *s2);
+char **genget(char *name, char **table, int stlen);
+
+int encrypt_debug_mode = 0;
+static int decrypt_mode = 0;
+static int encrypt_mode = 0;
+static int encrypt_verbose = 0;
+static int autoencrypt = 0;
+static int autodecrypt = 0;
+static int havesessionkey = 0;
+static int Server = 0;
+static char *Name = "Noname";
+
+#define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
+
+static long i_support_encrypt = 0
+#ifdef DES_ENCRYPTION
+ | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
+#endif
+ |0;
+static long i_support_decrypt = 0
+#ifdef DES_ENCRYPTION
+ | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
+#endif
+ |0;
+
+static long i_wont_support_encrypt = 0;
+static long i_wont_support_decrypt = 0;
+#define	I_SUPPORT_ENCRYPT	(i_support_encrypt & ~i_wont_support_encrypt)
+#define	I_SUPPORT_DECRYPT	(i_support_decrypt & ~i_wont_support_decrypt)
+
+static long remote_supports_encrypt = 0;
+static long remote_supports_decrypt = 0;
+
+static Encryptions encryptions[] = {
+#ifdef	DES_ENCRYPTION
+    { "DES_CFB64",	ENCTYPE_DES_CFB64,
+			cfb64_encrypt,
+			cfb64_decrypt,
+			cfb64_init,
+			cfb64_start,
+			cfb64_is,
+			cfb64_reply,
+			cfb64_session,
+			cfb64_keyid,
+			cfb64_printsub },
+    { "DES_OFB64",	ENCTYPE_DES_OFB64,
+			ofb64_encrypt,
+			ofb64_decrypt,
+			ofb64_init,
+			ofb64_start,
+			ofb64_is,
+			ofb64_reply,
+			ofb64_session,
+			ofb64_keyid,
+			ofb64_printsub },
+#endif	/* DES_ENCRYPTION */
+    { 0, },
+};
+
+static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
+					 ENCRYPT_SUPPORT };
+static unsigned char str_suplen = 0;
+static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
+static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
+
+	Encryptions *
+findencryption(type)
+	int type;
+{
+	Encryptions *ep = encryptions;
+
+	if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type)))
+		return(0);
+	while (ep->type && ep->type != type)
+		++ep;
+	return(ep->type ? ep : 0);
+}
+
+	Encryptions *
+finddecryption(type)
+	int type;
+{
+	Encryptions *ep = encryptions;
+
+	if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type)))
+		return(0);
+	while (ep->type && ep->type != type)
+		++ep;
+	return(ep->type ? ep : 0);
+}
+
+#define	MAXKEYLEN 64
+
+static struct key_info {
+	unsigned char keyid[MAXKEYLEN];
+	int keylen;
+	int dir;
+	int *modep;
+	Encryptions *(*getcrypt)();
+} ki[2] = {
+	{ { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
+	{ { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
+};
+
+static void encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len);
+
+	void
+encrypt_init(name, server)
+	char *name;
+	int server;
+{
+	Encryptions *ep = encryptions;
+
+	Name = name;
+	Server = server;
+	i_support_encrypt = i_support_decrypt = 0;
+	remote_supports_encrypt = remote_supports_decrypt = 0;
+	encrypt_mode = 0;
+	decrypt_mode = 0;
+	encrypt_output = 0;
+	decrypt_input = 0;
+#ifdef notdef
+	encrypt_verbose = !server;
+#endif
+
+	str_suplen = 4;
+
+	while (ep->type) {
+		if (encrypt_debug_mode)
+			printf(">>>%s: I will support %s\r\n",
+				Name, ENCTYPE_NAME(ep->type));
+		i_support_encrypt |= typemask(ep->type);
+		i_support_decrypt |= typemask(ep->type);
+		if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
+			if ((str_send[str_suplen++] = ep->type) == IAC)
+				str_send[str_suplen++] = IAC;
+		if (ep->init)
+			(*ep->init)(Server);
+		++ep;
+	}
+	str_send[str_suplen++] = IAC;
+	str_send[str_suplen++] = SE;
+}
+
+	void
+encrypt_list_types()
+{
+	Encryptions *ep = encryptions;
+
+	printf("Valid encryption types:\n");
+	while (ep->type) {
+		printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
+		++ep;
+	}
+}
+
+	int
+EncryptEnable(type, mode)
+	char *type, *mode;
+{
+	if (isprefix(type, "help") || isprefix(type, "?")) {
+		printf("Usage: encrypt enable <type> [input|output]\n");
+		encrypt_list_types();
+		return(0);
+	}
+	if (EncryptType(type, mode))
+		return(EncryptStart(mode));
+	return(0);
+}
+
+	int
+EncryptDisable(type, mode)
+	char *type, *mode;
+{
+	register Encryptions *ep;
+	int ret = 0;
+
+	if (isprefix(type, "help") || isprefix(type, "?")) {
+		printf("Usage: encrypt disable <type> [input|output]\n");
+		encrypt_list_types();
+	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
+						sizeof(Encryptions))) == 0) {
+		printf("%s: invalid encryption type\n", type);
+	} else if (Ambiguous((char **)ep)) {
+		printf("Ambiguous type '%s'\n", type);
+	} else {
+		if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
+			if (decrypt_mode == ep->type)
+				EncryptStopInput();
+			i_wont_support_decrypt |= typemask(ep->type);
+			ret = 1;
+		}
+		if ((mode == 0) || (isprefix(mode, "output"))) {
+			if (encrypt_mode == ep->type)
+				EncryptStopOutput();
+			i_wont_support_encrypt |= typemask(ep->type);
+			ret = 1;
+		}
+		if (ret == 0)
+			printf("%s: invalid encryption mode\n", mode);
+	}
+	return(ret);
+}
+
+	int
+EncryptType(type, mode)
+	char *type;
+	char *mode;
+{
+	register Encryptions *ep;
+	int ret = 0;
+
+	if (isprefix(type, "help") || isprefix(type, "?")) {
+		printf("Usage: encrypt type <type> [input|output]\n");
+		encrypt_list_types();
+	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
+						sizeof(Encryptions))) == 0) {
+		printf("%s: invalid encryption type\n", type);
+	} else if (Ambiguous((char **)ep)) {
+		printf("Ambiguous type '%s'\n", type);
+	} else {
+		if ((mode == 0) || isprefix(mode, "input")) {
+			decrypt_mode = ep->type;
+			i_wont_support_decrypt &= ~typemask(ep->type);
+			ret = 1;
+		}
+		if ((mode == 0) || isprefix(mode, "output")) {
+			encrypt_mode = ep->type;
+			i_wont_support_encrypt &= ~typemask(ep->type);
+			ret = 1;
+		}
+		if (ret == 0)
+			printf("%s: invalid encryption mode\n", mode);
+	}
+	return(ret);
+}
+
+	int
+EncryptStart(mode)
+	char *mode;
+{
+	register int ret = 0;
+	if (mode) {
+		if (isprefix(mode, "input"))
+			return(EncryptStartInput());
+		if (isprefix(mode, "output"))
+			return(EncryptStartOutput());
+		if (isprefix(mode, "help") || isprefix(mode, "?")) {
+			printf("Usage: encrypt start [input|output]\n");
+			return(0);
+		}
+		printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
+		return(0);
+	}
+	ret += EncryptStartInput();
+	ret += EncryptStartOutput();
+	return(ret);
+}
+
+	int
+EncryptStartInput()
+{
+	if (decrypt_mode) {
+		encrypt_send_request_start();
+		return(1);
+	}
+	printf("No previous decryption mode, decryption not enabled\r\n");
+	return(0);
+}
+
+	int
+EncryptStartOutput()
+{
+	if (encrypt_mode) {
+		encrypt_start_output(encrypt_mode);
+		return(1);
+	}
+	printf("No previous encryption mode, encryption not enabled\r\n");
+	return(0);
+}
+
+	int
+EncryptStop(mode)
+	char *mode;
+{
+	int ret = 0;
+	if (mode) {
+		if (isprefix(mode, "input"))
+			return(EncryptStopInput());
+		if (isprefix(mode, "output"))
+			return(EncryptStopOutput());
+		if (isprefix(mode, "help") || isprefix(mode, "?")) {
+			printf("Usage: encrypt stop [input|output]\n");
+			return(0);
+		}
+		printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
+		return(0);
+	}
+	ret += EncryptStopInput();
+	ret += EncryptStopOutput();
+	return(ret);
+}
+
+	int
+EncryptStopInput()
+{
+	encrypt_send_request_end();
+	return(1);
+}
+
+	int
+EncryptStopOutput()
+{
+	encrypt_send_end();
+	return(1);
+}
+
+	void
+encrypt_display()
+{
+	if (encrypt_output)
+		printf("Currently encrypting output with %s\r\n",
+			ENCTYPE_NAME(encrypt_mode));
+	if (decrypt_input)
+		printf("Currently decrypting input with %s\r\n",
+			ENCTYPE_NAME(decrypt_mode));
+}
+
+	int
+EncryptStatus()
+{
+	if (encrypt_output)
+		printf("Currently encrypting output with %s\r\n",
+			ENCTYPE_NAME(encrypt_mode));
+	else if (encrypt_mode) {
+		printf("Currently output is clear text.\r\n");
+		printf("Last encryption mode was %s\r\n",
+			ENCTYPE_NAME(encrypt_mode));
+	}
+	if (decrypt_input) {
+		printf("Currently decrypting input with %s\r\n",
+			ENCTYPE_NAME(decrypt_mode));
+	} else if (decrypt_mode) {
+		printf("Currently input is clear text.\r\n");
+		printf("Last decryption mode was %s\r\n",
+			ENCTYPE_NAME(decrypt_mode));
+	}
+	return 1;
+}
+
+	void
+encrypt_send_support()
+{
+	if (str_suplen) {
+		/*
+		 * If the user has requested that decryption start
+		 * immediatly, then send a "REQUEST START" before
+		 * we negotiate the type.
+		 */
+		if (!Server && autodecrypt)
+			encrypt_send_request_start();
+		net_write(str_send, str_suplen);
+		printsub('>', &str_send[2], str_suplen - 2);
+		str_suplen = 0;
+	}
+}
+
+	int
+EncryptDebug(on)
+	int on;
+{
+	if (on < 0)
+		encrypt_debug_mode ^= 1;
+	else
+		encrypt_debug_mode = on;
+	printf("Encryption debugging %s\r\n",
+		encrypt_debug_mode ? "enabled" : "disabled");
+	return(1);
+}
+
+	int
+EncryptVerbose(on)
+	int on;
+{
+	if (on < 0)
+		encrypt_verbose ^= 1;
+	else
+		encrypt_verbose = on;
+	printf("Encryption %s verbose\r\n",
+		encrypt_verbose ? "is" : "is not");
+	return(1);
+}
+
+	int
+EncryptAutoEnc(on)
+	int on;
+{
+	encrypt_auto(on);
+	printf("Automatic encryption of output is %s\r\n",
+		autoencrypt ? "enabled" : "disabled");
+	return(1);
+}
+
+	int
+EncryptAutoDec(on)
+	int on;
+{
+	decrypt_auto(on);
+	printf("Automatic decryption of input is %s\r\n",
+		autodecrypt ? "enabled" : "disabled");
+	return(1);
+}
+
+/*
+ * Called when ENCRYPT SUPPORT is received.
+ */
+	void
+encrypt_support(typelist, cnt)
+	unsigned char *typelist;
+	int cnt;
+{
+	register int type, use_type = 0;
+	Encryptions *ep;
+
+	/*
+	 * Forget anything the other side has previously told us.
+	 */
+	remote_supports_decrypt = 0;
+
+	while (cnt-- > 0) {
+		type = *typelist++;
+		if (encrypt_debug_mode)
+			printf(">>>%s: He is supporting %s (%d)\r\n",
+				Name,
+				ENCTYPE_NAME(type), type);
+		if ((type < ENCTYPE_CNT) &&
+		    (I_SUPPORT_ENCRYPT & typemask(type))) {
+			remote_supports_decrypt |= typemask(type);
+			if (use_type == 0)
+				use_type = type;
+		}
+	}
+	if (use_type) {
+		ep = findencryption(use_type);
+		if (!ep)
+			return;
+		type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
+		if (encrypt_debug_mode)
+			printf(">>>%s: (*ep->start)() returned %d\r\n",
+					Name, type);
+		if (type < 0)
+			return;
+		encrypt_mode = use_type;
+		if (type == 0)
+			encrypt_start_output(use_type);
+	}
+}
+
+	void
+encrypt_is(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Encryptions *ep;
+	register int type, ret;
+
+	if (--cnt < 0)
+		return;
+	type = *data++;
+	if (type < ENCTYPE_CNT)
+		remote_supports_encrypt |= typemask(type);
+	if (!(ep = finddecryption(type))) {
+		if (encrypt_debug_mode)
+			printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+				Name,
+				ENCTYPE_NAME_OK(type)
+					? ENCTYPE_NAME(type) : "(unknown)",
+				type);
+		return;
+	}
+	if (!ep->is) {
+		if (encrypt_debug_mode)
+			printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+				Name,
+				ENCTYPE_NAME_OK(type)
+					? ENCTYPE_NAME(type) : "(unknown)",
+				type);
+		ret = 0;
+	} else {
+		ret = (*ep->is)(data, cnt);
+		if (encrypt_debug_mode)
+			printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
+				(ret < 0) ? "FAIL " :
+				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+	}
+	if (ret < 0) {
+		autodecrypt = 0;
+	} else {
+		decrypt_mode = type;
+		if (ret == 0 && autodecrypt)
+			encrypt_send_request_start();
+	}
+}
+
+	void
+encrypt_reply(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Encryptions *ep;
+	register int ret, type;
+
+	if (--cnt < 0)
+		return;
+	type = *data++;
+	if (!(ep = findencryption(type))) {
+		if (encrypt_debug_mode)
+			printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+				Name,
+				ENCTYPE_NAME_OK(type)
+					? ENCTYPE_NAME(type) : "(unknown)",
+				type);
+		return;
+	}
+	if (!ep->reply) {
+		if (encrypt_debug_mode)
+			printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+				Name,
+				ENCTYPE_NAME_OK(type)
+					? ENCTYPE_NAME(type) : "(unknown)",
+				type);
+		ret = 0;
+	} else {
+		ret = (*ep->reply)(data, cnt);
+		if (encrypt_debug_mode)
+			printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
+				data, cnt,
+				(ret < 0) ? "FAIL " :
+				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+	}
+	if (encrypt_debug_mode)
+		printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
+	if (ret < 0) {
+		autoencrypt = 0;
+	} else {
+		encrypt_mode = type;
+		if (ret == 0 && autoencrypt)
+			encrypt_start_output(type);
+	}
+}
+
+/*
+ * Called when a ENCRYPT START command is received.
+ */
+	void
+encrypt_start(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	Encryptions *ep;
+
+	if (!decrypt_mode) {
+		/*
+		 * Something is wrong.  We should not get a START
+		 * command without having already picked our
+		 * decryption scheme.  Send a REQUEST-END to
+		 * attempt to clear the channel...
+		 */
+		printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
+		encrypt_send_request_end();
+		return;
+	}
+
+	if ((ep = finddecryption(decrypt_mode))) {
+		decrypt_input = ep->input;
+		if (encrypt_verbose)
+			printf("[ Input is now decrypted with type %s ]\r\n",
+				ENCTYPE_NAME(decrypt_mode));
+		if (encrypt_debug_mode)
+			printf(">>>%s: Start to decrypt input with type %s\r\n",
+				Name, ENCTYPE_NAME(decrypt_mode));
+	} else {
+		printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
+				Name,
+				ENCTYPE_NAME_OK(decrypt_mode)
+					? ENCTYPE_NAME(decrypt_mode)
+					: "(unknown)",
+				decrypt_mode);
+		encrypt_send_request_end();
+	}
+}
+
+	void
+encrypt_session_key(key, server)
+	Session_Key *key;
+	int server;
+{
+	Encryptions *ep = encryptions;
+
+	havesessionkey = 1;
+
+	while (ep->type) {
+		if (ep->session)
+			(*ep->session)(key, server);
+#ifdef notdef
+		if (!encrypt_output && autoencrypt && !server)
+			encrypt_start_output(ep->type);
+		if (!decrypt_input && autodecrypt && !server)
+			encrypt_send_request_start();
+#endif
+		++ep;
+	}
+}
+
+/*
+ * Called when ENCRYPT END is received.
+ */
+	void
+encrypt_end()
+{
+	decrypt_input = 0;
+	if (encrypt_debug_mode)
+		printf(">>>%s: Input is back to clear text\r\n", Name);
+	if (encrypt_verbose)
+		printf("[ Input is now clear text ]\r\n");
+}
+
+/*
+ * Called when ENCRYPT REQUEST-END is received.
+ */
+	void
+encrypt_request_end()
+{
+	encrypt_send_end();
+}
+
+/*
+ * Called when ENCRYPT REQUEST-START is received.  If we receive
+ * this before a type is picked, then that indicates that the
+ * other side wants us to start encrypting data as soon as we
+ * can.
+ */
+	void
+encrypt_request_start(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	if (encrypt_mode == 0)  {
+		if (Server)
+			autoencrypt = 1;
+		return;
+	}
+	encrypt_start_output(encrypt_mode);
+}
+
+static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
+
+	void
+encrypt_enc_keyid(keyid, len)
+	unsigned char *keyid;
+	int len;
+{
+	encrypt_keyid(&ki[1], keyid, len);
+}
+
+	void
+encrypt_dec_keyid(keyid, len)
+	unsigned char *keyid;
+	int len;
+{
+	encrypt_keyid(&ki[0], keyid, len);
+}
+
+	void
+encrypt_keyid(kp, keyid, len)
+	struct key_info *kp;
+	unsigned char *keyid;
+	int len;
+{
+	Encryptions *ep;
+	int dir = kp->dir;
+	register int ret = 0;
+
+	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
+		if (len == 0)
+			return;
+		kp->keylen = 0;
+	} else if (len == 0) {
+		/*
+		 * Empty option, indicates a failure.
+		 */
+		if (kp->keylen == 0)
+			return;
+		kp->keylen = 0;
+		if (ep->keyid)
+			(void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+
+	} else if ((len != kp->keylen) ||
+		   (memcmp(keyid, kp->keyid, len) != 0)) {
+		/*
+		 * Length or contents are different
+		 */
+		kp->keylen = len;
+		memmove(kp->keyid, keyid, len);
+		if (ep->keyid)
+			(void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+	} else {
+		if (ep->keyid)
+			ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
+		if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
+			encrypt_start_output(*kp->modep);
+		return;
+	}
+
+	encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
+}
+
+	void
+encrypt_send_keyid(dir, keyid, keylen, saveit)
+	int dir;
+	unsigned char *keyid;
+	int keylen;
+	int saveit;
+{
+	unsigned char *strp;
+
+	str_keyid[3] = (dir == DIR_ENCRYPT)
+			? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
+	if (saveit) {
+		struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
+		memmove(kp->keyid, keyid, keylen);
+		kp->keylen = keylen;
+	}
+
+	for (strp = &str_keyid[4]; keylen > 0; --keylen) {
+		if ((*strp++ = *keyid++) == IAC)
+			*strp++ = IAC;
+	}
+	*strp++ = IAC;
+	*strp++ = SE;
+	net_write(str_keyid, strp - str_keyid);
+	printsub('>', &str_keyid[2], strp - str_keyid - 2);
+}
+
+	void
+encrypt_auto(on)
+	int on;
+{
+	if (on < 0)
+		autoencrypt ^= 1;
+	else
+		autoencrypt = on ? 1 : 0;
+}
+
+	void
+decrypt_auto(on)
+	int on;
+{
+	if (on < 0)
+		autodecrypt ^= 1;
+	else
+		autodecrypt = on ? 1 : 0;
+}
+
+	void
+encrypt_start_output(type)
+	int type;
+{
+	Encryptions *ep;
+	register unsigned char *p;
+	register int i;
+
+	if (!(ep = findencryption(type))) {
+		if (encrypt_debug_mode) {
+			printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
+				Name,
+				ENCTYPE_NAME_OK(type)
+					? ENCTYPE_NAME(type) : "(unknown)",
+				type);
+		}
+		return;
+	}
+	if (ep->start) {
+		i = (*ep->start)(DIR_ENCRYPT, Server);
+		if (encrypt_debug_mode) {
+			printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
+				Name,
+				(i < 0) ? "failed" :
+					"initial negotiation in progress",
+				i, ENCTYPE_NAME(type));
+		}
+		if (i)
+			return;
+	}
+	p = str_start + 3;
+	*p++ = ENCRYPT_START;
+	for (i = 0; i < ki[0].keylen; ++i) {
+		if ((*p++ = ki[0].keyid[i]) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	net_write(str_start, p - str_start);
+	net_encrypt();
+	printsub('>', &str_start[2], p - &str_start[2]);
+	/*
+	 * If we are already encrypting in some mode, then
+	 * encrypt the ring (which includes our request) in
+	 * the old mode, mark it all as "clear text" and then
+	 * switch to the new mode.
+	 */
+	encrypt_output = ep->output;
+	encrypt_mode = type;
+	if (encrypt_debug_mode)
+		printf(">>>%s: Started to encrypt output with type %s\r\n",
+			Name, ENCTYPE_NAME(type));
+	if (encrypt_verbose)
+		printf("[ Output is now encrypted with type %s ]\r\n",
+			ENCTYPE_NAME(type));
+}
+
+	void
+encrypt_send_end()
+{
+	if (!encrypt_output)
+		return;
+
+	str_end[3] = ENCRYPT_END;
+	net_write(str_end, sizeof(str_end));
+	net_encrypt();
+	printsub('>', &str_end[2], sizeof(str_end) - 2);
+	/*
+	 * Encrypt the output buffer now because it will not be done by
+	 * netflush...
+	 */
+	encrypt_output = 0;
+	if (encrypt_debug_mode)
+		printf(">>>%s: Output is back to clear text\r\n", Name);
+	if (encrypt_verbose)
+		printf("[ Output is now clear text ]\r\n");
+}
+
+	void
+encrypt_send_request_start()
+{
+	register unsigned char *p;
+	register int i;
+
+	p = &str_start[3];
+	*p++ = ENCRYPT_REQSTART;
+	for (i = 0; i < ki[1].keylen; ++i) {
+		if ((*p++ = ki[1].keyid[i]) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	net_write(str_start, p - str_start);
+	printsub('>', &str_start[2], p - &str_start[2]);
+	if (encrypt_debug_mode)
+		printf(">>>%s: Request input to be encrypted\r\n", Name);
+}
+
+	void
+encrypt_send_request_end()
+{
+	str_end[3] = ENCRYPT_REQEND;
+	net_write(str_end, sizeof(str_end));
+	printsub('>', &str_end[2], sizeof(str_end) - 2);
+
+	if (encrypt_debug_mode)
+		printf(">>>%s: Request input to be clear text\r\n", Name);
+}
+
+	void
+encrypt_wait()
+{
+	if (encrypt_debug_mode)
+		printf(">>>%s: in encrypt_wait\r\n", Name);
+	if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
+		return;
+	while (autoencrypt && !encrypt_output)
+		if (telnet_spin())
+			return;
+}
+
+	void
+encrypt_debug(mode)
+	int mode;
+{
+	encrypt_debug_mode = mode;
+}
+
+	void
+encrypt_gen_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char tbuf[16], *cp;
+
+	cnt -= 2;
+	data += 2;
+	buf[buflen-1] = '\0';
+	buf[buflen-2] = '*';
+	buflen -= 2;;
+	for (; cnt > 0; cnt--, data++) {
+		sprintf(tbuf, " %d", *data);
+		for (cp = tbuf; *cp && buflen > 0; --buflen)
+			*buf++ = *cp++;
+		if (buflen <= 0)
+			return;
+	}
+	*buf = '\0';
+}
+
+	void
+encrypt_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	Encryptions *ep;
+	register int type = data[1];
+
+	for (ep = encryptions; ep->type && ep->type != type; ep++)
+		;
+
+	if (ep->printsub)
+		(*ep->printsub)(data, cnt, buf, buflen);
+	else
+		encrypt_gen_printsub(data, cnt, buf, buflen);
+}
+#endif	/* ENCRYPTION */
diff --git a/crypto/telnet/libtelnet/encrypt.h b/crypto/telnet/libtelnet/encrypt.h
new file mode 100644
index 0000000..869ad75
--- /dev/null
+++ b/crypto/telnet/libtelnet/encrypt.h
@@ -0,0 +1,114 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)encrypt.h	8.1 (Berkeley) 6/4/93
+ * $FreeBSD$
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifdef	ENCRYPTION
+# ifndef __ENCRYPTION__
+# define __ENCRYPTION__
+
+#define	DIR_DECRYPT		1
+#define	DIR_ENCRYPT		2
+
+#include <openssl/des.h>
+typedef	unsigned char Block[8];
+typedef unsigned char *BlockT;
+#if 0
+typedef struct { Block __; } Schedule[16];
+#else
+#define Schedule des_key_schedule
+#endif
+
+#define	VALIDKEY(key)	( key[0] | key[1] | key[2] | key[3] | \
+			  key[4] | key[5] | key[6] | key[7])
+
+#define	SAMEKEY(k1, k2)	(!bcmp((void *)k1, (void *)k2, sizeof(Block)))
+
+typedef	struct {
+	short		type;
+	int		length;
+	unsigned char	*data;
+} Session_Key;
+
+# if !defined(P)
+#  ifdef __STDC__
+#   define P(x)	x
+#  else
+#   define P(x)	()
+#  endif
+# endif
+
+typedef struct {
+	char	*name;
+	int	type;
+	void	(*output) P((unsigned char *, int));
+	int	(*input) P((int));
+	void	(*init) P((int));
+	int	(*start) P((int, int));
+	int	(*is) P((unsigned char *, int));
+	int	(*reply) P((unsigned char *, int));
+	void	(*session) P((Session_Key *, int));
+	int	(*keyid) P((int, unsigned char *, int *));
+	void	(*printsub) P((unsigned char *, int, unsigned char *, int));
+} Encryptions;
+
+#define	SK_DES		1	/* Matched Kerberos v5 KEYTYPE_DES */
+
+#include "enc-proto.h"
+
+extern int encrypt_debug_mode;
+extern int (*decrypt_input) P((int));
+extern void (*encrypt_output) P((unsigned char *, int));
+# endif /* __ENCRYPTION__ */
+#endif /* ENCRYPTION */
diff --git a/crypto/telnet/libtelnet/genget.c b/crypto/telnet/libtelnet/genget.c
new file mode 100644
index 0000000..9f56ab0
--- /dev/null
+++ b/crypto/telnet/libtelnet/genget.c
@@ -0,0 +1,109 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)genget.c	8.2 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+
+#include <ctype.h>
+
+#define	LOWER(x) (isupper(x) ? tolower(x) : (x))
+/*
+ * The prefix function returns 0 if *s1 is not a prefix
+ * of *s2.  If *s1 exactly matches *s2, the negative of
+ * the length is returned.  If *s1 is a prefix of *s2,
+ * the length of *s1 is returned.
+ */
+	int
+isprefix(s1, s2)
+	register char *s1, *s2;
+{
+	char *os1;
+	register char c1, c2;
+
+	if (*s1 == '\0')
+		return(-1);
+	os1 = s1;
+	c1 = *s1;
+	c2 = *s2;
+	while (LOWER(c1) == LOWER(c2)) {
+		if (c1 == '\0')
+			break;
+		c1 = *++s1;
+		c2 = *++s2;
+	}
+	return(*s1 ? 0 : (*s2 ? (s1 - os1) : (os1 - s1)));
+}
+
+static char *ambiguous;		/* special return value for command routines */
+
+	char **
+genget(name, table, stlen)
+	char	*name;		/* name to match */
+	char	**table;	/* name entry in table */
+	int	stlen;
+{
+	register char **c, **found;
+	register int n;
+
+	if (name == 0)
+	    return 0;
+
+	found = 0;
+	for (c = table; *c != 0; c = (char **)((char *)c + stlen)) {
+		if ((n = isprefix(name, *c)) == 0)
+			continue;
+		if (n < 0)		/* exact match */
+			return(c);
+		if (found)
+			return(&ambiguous);
+		found = c;
+	}
+	return(found);
+}
+
+/*
+ * Function call version of Ambiguous()
+ */
+	int
+Ambiguous(s)
+	char **s;
+{
+	return(s == &ambiguous);
+}
diff --git a/crypto/telnet/libtelnet/getent.c b/crypto/telnet/libtelnet/getent.c
new file mode 100644
index 0000000..7d43a8e
--- /dev/null
+++ b/crypto/telnet/libtelnet/getent.c
@@ -0,0 +1,73 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static char sccsid[] = "@(#)getent.c	8.2 (Berkeley) 12/15/93";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+static char *area;
+
+/*ARGSUSED*/
+getent(cp, name)
+char *cp, *name;
+{
+#ifdef	HAS_CGETENT
+	char *dba[2];
+
+	dba[0] = "/etc/gettytab";
+	dba[1] = 0;
+	return((cgetent(&area, dba, name) == 0) ? 1 : 0);
+#else
+	return(0);
+#endif
+}
+
+#ifndef	SOLARIS
+/*ARGSUSED*/
+char *
+Getstr(id, cpp)
+char *id, **cpp;
+{
+# ifdef	HAS_CGETENT
+	char *answer;
+	return((cgetstr(area, id, &answer) > 0) ? answer : 0);
+# else
+	return(0);
+# endif
+}
+#endif
diff --git a/crypto/telnet/libtelnet/kerberos.c b/crypto/telnet/libtelnet/kerberos.c
new file mode 100644
index 0000000..3b6155e
--- /dev/null
+++ b/crypto/telnet/libtelnet/kerberos.c
@@ -0,0 +1,552 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static const char sccsid[] = "@(#)kerberos.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifdef	KRB4
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include <openssl/des.h>	/* BSD wont include this in krb.h, so we do it here */
+#include <krb.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int kerberos4_cksum P((unsigned char *, int));
+int kuserok P((AUTH_DAT *, char *));
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KERBEROS_V4, };
+
+#define	KRB_AUTH	0		/* Authentication data follows */
+#define	KRB_REJECT	1		/* Rejected (reason might follow) */
+#define	KRB_ACCEPT	2		/* Accepted */
+#define	KRB_CHALLENGE	3		/* Challenge for mutual auth. */
+#define	KRB_RESPONSE	4		/* Response for mutual auth. */
+
+#define KRB_SERVICE_NAME   "rcmd"
+
+static	KTEXT_ST auth;
+static	char name[ANAME_SZ];
+static	AUTH_DAT adat = { 0 };
+#ifdef	ENCRYPTION
+static Block	session_key	= { 0 };
+static des_key_schedule sched;
+static Block	challenge	= { 0 };
+#endif	/* ENCRYPTION */
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (auth_debug_mode) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(net_write(str_data, p - str_data));
+}
+
+	int
+kerberos4_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	FILE *fp;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		if ((fp = fopen(KEYFILE, "r")) == NULL)
+			return(0);
+		fclose(fp);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+char dst_realm_buf[REALM_SZ], *dest_realm = NULL;
+int dst_realm_sz = REALM_SZ;
+
+	int
+kerberos4_send(ap)
+	Authenticator *ap;
+{
+	KTEXT_ST auth;
+	char instance[INST_SZ];
+	char *realm;
+	char *krb_realmofhost();
+	char *krb_get_phost();
+	CREDENTIALS cred;
+	int r;
+
+	printf("[ Trying KERBEROS4 ... ]\n");
+	if (!UserNameRequested) {
+		if (auth_debug_mode) {
+			printf("Kerberos V4: no user name supplied\r\n");
+		}
+		return(0);
+	}
+
+	memset(instance, 0, sizeof(instance));
+
+	if ((realm = krb_get_phost(RemoteHostName)))
+		strncpy(instance, realm, sizeof(instance));
+
+	instance[sizeof(instance)-1] = '\0';
+
+	realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
+
+	if (!realm) {
+		printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
+		return(0);
+	}
+	if ((r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L))) {
+		printf("mk_req failed: %s\r\n", krb_err_txt[r]);
+		return(0);
+	}
+	if ((r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred))) {
+		printf("get_cred failed: %s\r\n", krb_err_txt[r]);
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		if (auth_debug_mode)
+			printf("Not enough room for user name\r\n");
+		return(0);
+	}
+	if (auth_debug_mode)
+		printf("Sent %d bytes of authentication data\r\n", auth.length);
+	if (!Data(ap, KRB_AUTH, (void *)auth.dat, auth.length)) {
+		if (auth_debug_mode)
+			printf("Not enough room for authentication data\r\n");
+		return(0);
+	}
+#ifdef	ENCRYPTION
+	/*
+	 * If we are doing mutual authentication, get set up to send
+	 * the challenge, and verify it when the response comes back.
+	 */
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		register int i;
+
+		des_key_sched(&cred.session, sched);
+		des_init_random_number_generator(&cred.session);
+		des_new_random_key(&session_key);
+		des_ecb_encrypt(&session_key, &session_key, sched, 0);
+		des_ecb_encrypt(&session_key, &challenge, sched, 0);
+		/*
+		 * Increment the challenge by 1, and encrypt it for
+		 * later comparison.
+		 */
+		for (i = 7; i >= 0; --i) {
+			register int x;
+			x = (unsigned int)challenge[i] + 1;
+			challenge[i] = x;	/* ignore overflow */
+			if (x < 256)		/* if no overflow, all done */
+				break;
+		}
+		des_ecb_encrypt(&challenge, &challenge, sched, 1);
+	}
+#endif	/* ENCRYPTION */
+
+	if (auth_debug_mode) {
+		printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+		printd(auth.dat, auth.length);
+		printf("\r\n");
+		printf("Sent Kerberos V4 credentials to server\r\n");
+	}
+	return(1);
+}
+
+	void
+kerberos4_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+#ifdef	ENCRYPTION
+	Session_Key skey;
+	Block datablock;
+#endif	/* ENCRYPTION */
+	char realm[REALM_SZ];
+	char instance[INST_SZ];
+	int r;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB_AUTH:
+		if (krb_get_lrealm(realm, 1) != KSUCCESS) {
+			Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1);
+			auth_finished(ap, AUTH_REJECT);
+			if (auth_debug_mode)
+				printf("No local realm\r\n");
+			return;
+		}
+		memmove((void *)auth.dat, (void *)data, auth.length = cnt);
+		if (auth_debug_mode) {
+			printf("Got %d bytes of authentication data\r\n", cnt);
+			printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+			printd(auth.dat, auth.length);
+			printf("\r\n");
+		}
+		instance[0] = '*'; instance[1] = 0;
+		if ((r = krb_rd_req(&auth, KRB_SERVICE_NAME,
+				   instance, 0, &adat, ""))) {
+			if (auth_debug_mode)
+				printf("Kerberos failed him as %s\r\n", name);
+			Data(ap, KRB_REJECT, (void *)krb_err_txt[r], -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+#ifdef	ENCRYPTION
+		memmove((void *)session_key, (void *)adat.session, sizeof(Block));
+#endif	/* ENCRYPTION */
+		krb_kntoln(&adat, name);
+
+		if (UserNameRequested && !kuserok(&adat, UserNameRequested))
+			Data(ap, KRB_ACCEPT, (void *)0, 0);
+		else
+			Data(ap, KRB_REJECT,
+				(void *)"user is not authorized", -1);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	case KRB_CHALLENGE:
+#ifndef	ENCRYPTION
+		Data(ap, KRB_RESPONSE, (void *)0, 0);
+#else	/* ENCRYPTION */
+		if (!VALIDKEY(session_key)) {
+			/*
+			 * We don't have a valid session key, so just
+			 * send back a response with an empty session
+			 * key.
+			 */
+			Data(ap, KRB_RESPONSE, (void *)0, 0);
+			break;
+		}
+
+		/*
+		 * Initialize the random number generator since it's
+		 * used later on by the encryption routine.
+		 */
+		des_init_random_number_generator(&session_key);
+		des_key_sched(&session_key, sched);
+		memmove((void *)datablock, (void *)data, sizeof(Block));
+		/*
+		 * Take the received encrypted challenge, and encrypt
+		 * it again to get a unique session_key for the
+		 * ENCRYPT option.
+		 */
+		des_ecb_encrypt(&datablock, &session_key, sched, 1);
+		skey.type = SK_DES;
+		skey.length = 8;
+		skey.data = session_key;
+		encrypt_session_key(&skey, 1);
+		/*
+		 * Now decrypt the received encrypted challenge,
+		 * increment by one, re-encrypt it and send it back.
+		 */
+		des_ecb_encrypt(&datablock, &challenge, sched, 0);
+		for (r = 7; r >= 0; r--) {
+			register int t;
+			t = (unsigned int)challenge[r] + 1;
+			challenge[r] = t;	/* ignore overflow */
+			if (t < 256)		/* if no overflow, all done */
+				break;
+		}
+		des_ecb_encrypt(&challenge, &challenge, sched, 1);
+		Data(ap, KRB_RESPONSE, (void *)challenge, sizeof(challenge));
+#endif	/* ENCRYPTION */
+		break;
+
+	default:
+		if (auth_debug_mode)
+			printf("Unknown Kerberos option %d\r\n", data[-1]);
+		Data(ap, KRB_REJECT, 0, 0);
+		break;
+	}
+}
+
+	void
+kerberos4_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+#ifdef	ENCRYPTION
+	Session_Key skey;
+#endif	/* ENCRYPTION */
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB_REJECT:
+		if (cnt > 0) {
+			printf("[ Kerberos V4 refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ Kerberos V4 refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case KRB_ACCEPT:
+		printf("[ Kerberos V4 accepts you ]\n");
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+			/*
+			 * Send over the encrypted challenge.
+		 	 */
+#ifndef	ENCRYPTION
+			Data(ap, KRB_CHALLENGE, (void *)0, 0);
+#else	/* ENCRYPTION */
+			Data(ap, KRB_CHALLENGE, (void *)session_key,
+						sizeof(session_key));
+			des_ecb_encrypt(&session_key, &session_key, sched, 1);
+			skey.type = SK_DES;
+			skey.length = 8;
+			skey.data = session_key;
+			encrypt_session_key(&skey, 0);
+#endif	/* ENCRYPTION */
+			return;
+		}
+		auth_finished(ap, AUTH_USER);
+		return;
+	case KRB_RESPONSE:
+#ifdef	ENCRYPTION
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+		if ((cnt != sizeof(Block)) ||
+		    (0 != memcmp((void *)data, (void *)challenge,
+						sizeof(challenge))))
+		{
+#endif	/* ENCRYPTION */
+			printf("[ Kerberos V4 challenge failed!!! ]\r\n");
+			auth_send_retry();
+			return;
+#ifdef	ENCRYPTION
+		}
+		printf("[ Kerberos V4 challenge successful ]\r\n");
+		auth_finished(ap, AUTH_USER);
+#endif	/* ENCRYPTION */
+		break;
+	default:
+		if (auth_debug_mode)
+			printf("Unknown Kerberos option %d\r\n", data[-1]);
+		return;
+	}
+}
+
+	int
+kerberos4_status(ap, name, level)
+	Authenticator *ap;
+	char *name;
+	int level;
+{
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
+		strcpy(name, UserNameRequested);
+		return(AUTH_VALID);
+	} else
+		return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+kerberos4_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case KRB_REJECT:		/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case KRB_ACCEPT:		/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case KRB_AUTH:			/* Authentication data follows */
+		strncpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case KRB_CHALLENGE:
+		strncpy((char *)buf, " CHALLENGE", buflen);
+		goto common2;
+
+	case KRB_RESPONSE:
+		strncpy((char *)buf, " RESPONSE", buflen);
+		goto common2;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+	int
+kerberos4_cksum(d, n)
+	unsigned char *d;
+	int n;
+{
+	int ck = 0;
+
+	/*
+	 * A comment is probably needed here for those not
+	 * well versed in the "C" language.  Yes, this is
+	 * supposed to be a "switch" with the body of the
+	 * "switch" being a "while" statement.  The whole
+	 * purpose of the switch is to allow us to jump into
+	 * the middle of the while() loop, and then not have
+	 * to do any more switch()s.
+	 *
+	 * Some compilers will spit out a warning message
+	 * about the loop not being entered at the top.
+	 */
+	switch (n&03)
+	while (n > 0) {
+	case 0:
+		ck ^= (int)*d++ << 24;
+		--n;
+	case 3:
+		ck ^= (int)*d++ << 16;
+		--n;
+	case 2:
+		ck ^= (int)*d++ << 8;
+		--n;
+	case 1:
+		ck ^= (int)*d++;
+		--n;
+	}
+	return(ck);
+}
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	register int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/telnet/libtelnet/kerberos5.c b/crypto/telnet/libtelnet/kerberos5.c
new file mode 100644
index 0000000..bcf1a9f
--- /dev/null
+++ b/crypto/telnet/libtelnet/kerberos5.c
@@ -0,0 +1,764 @@
+/*
+ *	$Source: /mit/krb5/.cvsroot/src/appl/telnet/libtelnet/kerberos5.c,v $
+ *	$Author: tytso $
+ *	$Id: kerberos5.c,v 1.1 1997/09/04 06:11:15 markm Exp $
+ */
+
+#if !defined(lint) && !defined(SABER)
+static
+#ifdef __STDC__
+const
+#endif
+char rcsid_kerberos5_c[] = "$Id: kerberos5.c,v 1.1 1997/09/04 06:11:15 markm Exp $";
+#endif /* lint */
+
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#)kerberos5.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#ifdef	KRB5
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include <krb5/krb5.h>
+#include <krb5/asn1.h>
+#include <krb5/crc-32.h>
+#include <krb5/los-proto.h>
+#include <krb5/ext-proto.h>
+#include <com_err.h>
+#include <netdb.h>
+#include <ctype.h>
+
+/* kerberos 5 include files (ext-proto.h) will get an appropriate stdlib.h
+   and string.h/strings.h */
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+extern auth_debug_mode;
+
+#ifdef	FORWARD
+int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */
+
+/* These values need to be the same as those defined in telnet/main.c. */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS	0x00000002
+#define OPTS_FORWARDABLE_CREDS	0x00000001
+
+void kerberos5_forward();
+
+#endif	/* FORWARD */
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KERBEROS_V5, };
+/*static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };*/
+
+#define	KRB_AUTH		0	/* Authentication data follows */
+#define	KRB_REJECT		1	/* Rejected (reason might follow) */
+#define	KRB_ACCEPT		2	/* Accepted */
+#define	KRB_RESPONSE		3	/* Response for mutual auth. */
+
+#ifdef	FORWARD
+#define KRB_FORWARD     	4       /* Forwarded credentials follow */
+#define KRB_FORWARD_ACCEPT     	5       /* Forwarded credentials accepted */
+#define KRB_FORWARD_REJECT     	6       /* Forwarded credentials rejected */
+#endif	/* FORWARD */
+
+static	krb5_data auth;
+	/* telnetd gets session key from here */
+static	krb5_tkt_authent *authdat = NULL;
+/* telnet matches the AP_REQ and AP_REP with this */
+static	krb5_authenticator authenticator;
+
+/* some compilers can't hack void *, so we use the Kerberos krb5_pointer,
+   which is either void * or char *, depending on the compiler. */
+
+#define Voidptr krb5_pointer
+
+Block	session_key;
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	Voidptr d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (auth_debug_mode) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - &str_data[2]);
+	return(net_write(str_data, p - str_data));
+}
+
+	int
+kerberos5_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	if (server)
+		str_data[3] = TELQUAL_REPLY;
+	else
+		str_data[3] = TELQUAL_IS;
+	krb5_init_ets();
+	return(1);
+}
+
+	int
+kerberos5_send(ap)
+	Authenticator *ap;
+{
+	char **realms;
+	char *name;
+	char *p1, *p2;
+	krb5_checksum ksum;
+	krb5_octet sum[CRC32_CKSUM_LENGTH];
+ 	krb5_principal server;
+	krb5_error_code r;
+	krb5_ccache ccache;
+	krb5_creds creds;		/* telnet gets session key from here */
+	extern krb5_flags krb5_kdc_default_options;
+	int ap_opts;
+
+#ifdef	ENCRYPTION
+	krb5_keyblock *newkey = 0;
+#endif	/* ENCRYPTION */
+
+	ksum.checksum_type = CKSUMTYPE_CRC32;
+	ksum.contents = sum;
+	ksum.length = sizeof(sum);
+	memset((Voidptr )sum, 0, sizeof(sum));
+
+	if (!UserNameRequested) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: no user name supplied\r\n");
+		}
+		return(0);
+	}
+
+	if (r = krb5_cc_default(&ccache)) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: could not get default ccache\r\n");
+		}
+		return(0);
+	}
+
+	if ((name = malloc(strlen(RemoteHostName)+1)) == NULL) {
+		if (auth_debug_mode)
+			printf("Out of memory for hostname in Kerberos V5\r\n");
+		return(0);
+	}
+
+	if (r = krb5_get_host_realm(RemoteHostName, &realms)) {
+		if (auth_debug_mode)
+			printf("Kerberos V5: no realm for %s\r\n", RemoteHostName);
+		free(name);
+		return(0);
+	}
+
+	p1 = RemoteHostName;
+	p2 = name;
+
+	while (*p2 = *p1++) {
+		if (isupper(*p2))
+			*p2 |= 040;
+		++p2;
+	}
+
+	if (r = krb5_build_principal_ext(&server,
+					 strlen(realms[0]), realms[0],
+					 4, "host",
+					 p2 - name, name,
+					 0)) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: failure setting up principal (%s)\r\n",
+			       error_message(r));
+		}
+		free(name);
+		krb5_free_host_realm(realms);
+		return(0);
+	}
+
+
+	memset((char *)&creds, 0, sizeof(creds));
+	creds.server = server;
+
+	if (r = krb5_cc_get_principal(ccache, &creds.client)) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: failure on principal (%s)\r\n",
+				error_message(r));
+		}
+		free(name);
+		krb5_free_principal(server);
+		krb5_free_host_realm(realms);
+		return(0);
+	}
+
+	if (r = krb5_get_credentials(krb5_kdc_default_options, ccache, &creds)) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: failure on credentials(%d)\r\n",r);
+		}
+		free(name);
+		krb5_free_host_realm(realms);
+		krb5_free_principal(server);
+		return(0);
+	}
+
+	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
+	    ap_opts = AP_OPTS_MUTUAL_REQUIRED;
+	else
+	    ap_opts = 0;
+
+	r = krb5_mk_req_extended(ap_opts, &ksum, krb5_kdc_default_options, 0,
+#ifdef	ENCRYPTION
+				 &newkey,
+#else	/* ENCRYPTION */
+				 0,
+#endif	/* ENCRYPTION */
+				 ccache, &creds, &authenticator, &auth);
+	/* don't let the key get freed if we clean up the authenticator */
+	authenticator.subkey = 0;
+
+	free(name);
+	krb5_free_host_realm(realms);
+	krb5_free_principal(server);
+#ifdef	ENCRYPTION
+	if (newkey) {
+	    /* keep the key in our private storage, but don't use it
+	       yet---see kerberos5_reply() below */
+	    if (newkey->keytype != KEYTYPE_DES) {
+		if (creds.keyblock.keytype == KEYTYPE_DES)
+		    /* use the session key in credentials instead */
+		    memmove((char *)session_key,
+			   (char *)creds.keyblock.contents, sizeof(Block));
+		else
+		    /* XXX ? */;
+	    } else {
+		memmove((char *)session_key, (char *)newkey->contents,
+		       sizeof(Block));
+	    }
+	    krb5_free_keyblock(newkey);
+	}
+#endif	/* ENCRYPTION */
+	if (r) {
+		if (auth_debug_mode) {
+			printf("Kerberos V5: mk_req failed (%s)\r\n",
+			       error_message(r));
+		}
+		return(0);
+	}
+
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		if (auth_debug_mode)
+			printf("Not enough room for user name\r\n");
+		return(0);
+	}
+	if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
+		if (auth_debug_mode)
+			printf("Not enough room for authentication data\r\n");
+		return(0);
+	}
+	if (auth_debug_mode) {
+		printf("Sent Kerberos V5 credentials to server\r\n");
+	}
+	return(1);
+}
+
+	void
+kerberos5_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	int r;
+	struct hostent *hp;
+	char *p1, *p2;
+	static char *realm = NULL;
+	krb5_principal server;
+	krb5_ap_rep_enc_part reply;
+	krb5_data outbuf;
+#ifdef ENCRYPTION
+	Session_Key skey;
+#endif	/* ENCRYPTION */
+	char *name;
+	char *getenv();
+	krb5_data inbuf;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB_AUTH:
+		auth.data = (char *)data;
+		auth.length = cnt;
+
+		if (!(hp = gethostbyname(LocalHostName))) {
+			if (auth_debug_mode)
+				printf("Cannot resolve local host name\r\n");
+			Data(ap, KRB_REJECT, "Unknown local hostname.", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		if (!realm && (krb5_get_default_realm(&realm))) {
+			if (auth_debug_mode)
+				printf("Could not get default realm\r\n");
+			Data(ap, KRB_REJECT, "Could not get default realm.", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		if ((name = malloc(strlen(hp->h_name)+1)) == NULL) {
+			if (auth_debug_mode)
+				printf("Out of memory for hostname in Kerberos V5\r\n");
+			Data(ap, KRB_REJECT, "Out of memory.", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		p1 = hp->h_name;
+		p2 = name;
+
+		while (*p2 = *p1++) {
+			if (isupper(*p2))
+				*p2 |= 040;
+			++p2;
+		}
+
+		if (authdat)
+			krb5_free_tkt_authent(authdat);
+
+		r = krb5_build_principal_ext(&server,
+					     strlen(realm), realm,
+					     4, "host",
+					     p2 - name, name,
+					     0);
+		if (!r) {
+		    r = krb5_rd_req_simple(&auth, server, 0, &authdat);
+		    krb5_free_principal(server);
+		}
+		if (r) {
+			char errbuf[128];
+
+		    errout:
+			authdat = 0;
+			(void) strcpy(errbuf, "Read req failed: ");
+			(void) strcat(errbuf, error_message(r));
+			Data(ap, KRB_REJECT, errbuf, -1);
+			if (auth_debug_mode)
+				printf("%s\r\n", errbuf);
+			return;
+		}
+		free(name);
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		    /* do ap_rep stuff here */
+		    reply.ctime = authdat->authenticator->ctime;
+		    reply.cusec = authdat->authenticator->cusec;
+		    reply.subkey = 0;	/* use the one he gave us, so don't
+					   need to return one here */
+		    reply.seq_number = 0; /* we don't do seq #'s. */
+
+		    if (r = krb5_mk_rep(&reply,
+					authdat->authenticator->subkey ?
+					authdat->authenticator->subkey :
+					authdat->ticket->enc_part2->session,
+					&outbuf)) {
+			goto errout;
+		    }
+		    Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
+		}
+		if (krb5_unparse_name(authdat->ticket->enc_part2 ->client,
+				      					&name))
+			name = 0;
+		Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
+		if (auth_debug_mode) {
+			printf("Kerberos5 identifies him as ``%s''\r\n",
+							name ? name : "");
+		}
+		auth_finished(ap, AUTH_USER);
+
+		free(name);
+	    	if (authdat->authenticator->subkey &&
+		    authdat->authenticator->subkey->keytype == KEYTYPE_DES) {
+		    memmove((Voidptr )session_key,
+			   (Voidptr )authdat->authenticator->subkey->contents,
+			   sizeof(Block));
+		} else if (authdat->ticket->enc_part2->session->keytype ==
+			   KEYTYPE_DES) {
+		    memmove((Voidptr )session_key,
+			(Voidptr )authdat->ticket->enc_part2->session->contents,
+			sizeof(Block));
+		} else
+		    break;
+
+#ifdef ENCRYPTION
+		skey.type = SK_DES;
+		skey.length = 8;
+		skey.data = session_key;
+		encrypt_session_key(&skey, 1);
+#endif	/* ENCRYPTION */
+		break;
+#ifdef	FORWARD
+	case KRB_FORWARD:
+		inbuf.data = (char *)data;
+		inbuf.length = cnt;
+		if (r = rd_and_store_for_creds(&inbuf, authdat->ticket,
+					       UserNameRequested)) {
+		    char errbuf[128];
+
+		    (void) strcpy(errbuf, "Read forwarded creds failed: ");
+		    (void) strcat(errbuf, error_message(r));
+		    Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
+		    if (auth_debug_mode)
+		      printf("Could not read forwarded credentials\r\n");
+		}
+		else
+		  Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+		  if (auth_debug_mode)
+		    printf("Forwarded credentials obtained\r\n");
+		break;
+#endif	/* FORWARD */
+	default:
+		if (auth_debug_mode)
+			printf("Unknown Kerberos option %d\r\n", data[-1]);
+		Data(ap, KRB_REJECT, 0, 0);
+		break;
+	}
+}
+
+	void
+kerberos5_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	static int mutual_complete = 0;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB_REJECT:
+		if (cnt > 0) {
+			printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ Kerberos V5 refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case KRB_ACCEPT:
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
+		    !mutual_complete) {
+		    printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\n");
+		    auth_send_retry();
+		    return;
+		}
+		if (cnt)
+		    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\n", cnt, data);
+		else
+		    printf("[ Kerberos V5 accepts you ]\n");
+		auth_finished(ap, AUTH_USER);
+#ifdef	FORWARD
+		if (forward_flags & OPTS_FORWARD_CREDS)
+		  kerberos5_forward(ap);
+#endif	/* FORWARD */
+		break;
+	case KRB_RESPONSE:
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		    /* the rest of the reply should contain a krb_ap_rep */
+		    krb5_ap_rep_enc_part *reply;
+		    krb5_data inbuf;
+		    krb5_error_code r;
+		    krb5_keyblock tmpkey;
+
+		    inbuf.length = cnt;
+		    inbuf.data = (char *)data;
+
+		    tmpkey.keytype = KEYTYPE_DES;
+		    tmpkey.contents = session_key;
+		    tmpkey.length = sizeof(Block);
+
+		    if (r = krb5_rd_rep(&inbuf, &tmpkey, &reply)) {
+			printf("[ Mutual authentication failed: %s ]\n",
+			       error_message(r));
+			auth_send_retry();
+			return;
+		    }
+		    if (reply->ctime != authenticator.ctime ||
+			reply->cusec != authenticator.cusec) {
+			printf("[ Mutual authentication failed (mismatched KRB_AP_REP) ]\n");
+			auth_send_retry();
+			return;
+		    }
+		    krb5_free_ap_rep_enc_part(reply);
+#ifdef	ENCRYPTION
+			skey.type = SK_DES;
+			skey.length = 8;
+			skey.data = session_key;
+			encrypt_session_key(&skey, 0);
+#endif	/* ENCRYPTION */
+		    mutual_complete = 1;
+		}
+		return;
+#ifdef	FORWARD
+	case KRB_FORWARD_ACCEPT:
+		printf("[ Kerberos V5 accepted forwarded credentials ]\n");
+		return;
+	case KRB_FORWARD_REJECT:
+		printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
+				cnt, data);
+		return;
+#endif	/* FORWARD */
+	default:
+		if (auth_debug_mode)
+			printf("Unknown Kerberos option %d\r\n", data[-1]);
+		return;
+	}
+}
+
+	int
+kerberos5_status(ap, name, level)
+	Authenticator *ap;
+	char *name;
+	int level;
+{
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested &&
+	    krb5_kuserok(authdat->ticket->enc_part2->client, UserNameRequested))
+	{
+		strcpy(name, UserNameRequested);
+		return(AUTH_VALID);
+	} else
+		return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+kerberos5_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case KRB_REJECT:		/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case KRB_ACCEPT:		/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+
+	case KRB_AUTH:			/* Authentication data follows */
+		strncpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case KRB_RESPONSE:
+		strncpy((char *)buf, " RESPONSE", buflen);
+		goto common2;
+
+#ifdef	FORWARD
+	case KRB_FORWARD:		/* Forwarded credentials follow */
+		strncpy((char *)buf, " FORWARD", buflen);
+		goto common2;
+
+	case KRB_FORWARD_ACCEPT:	/* Forwarded credentials accepted */
+		strncpy((char *)buf, " FORWARD_ACCEPT", buflen);
+		goto common2;
+
+	case KRB_FORWARD_REJECT:	/* Forwarded credentials rejected */
+					       /* (reason might follow) */
+		strncpy((char *)buf, " FORWARD_REJECT", buflen);
+		goto common2;
+#endif	/* FORWARD */
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+#ifdef	FORWARD
+	void
+kerberos5_forward(ap)
+     Authenticator *ap;
+{
+    struct hostent *hp;
+    krb5_creds *local_creds;
+    krb5_error_code r;
+    krb5_data forw_creds;
+    extern krb5_cksumtype krb5_kdc_req_sumtype;
+    krb5_ccache ccache;
+    int i;
+
+    if (!(local_creds = (krb5_creds *)
+	  calloc(1, sizeof(*local_creds)))) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: could not allocate memory for credentials\r\n");
+	return;
+    }
+
+    if (r = krb5_sname_to_principal(RemoteHostName, "host", 1,
+				    &local_creds->server)) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: could not build server name - %s\r\n",
+		 error_message(r));
+	krb5_free_creds(local_creds);
+	return;
+    }
+
+    if (r = krb5_cc_default(&ccache)) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: could not get default ccache - %s\r\n",
+		 error_message(r));
+	krb5_free_creds(local_creds);
+	return;
+    }
+
+    if (r = krb5_cc_get_principal(ccache, &local_creds->client)) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: could not get default principal - %s\r\n",
+		 error_message(r));
+	krb5_free_creds(local_creds);
+	return;
+    }
+
+    /* Get ticket from credentials cache */
+    if (r = krb5_get_credentials(KRB5_GC_CACHED, ccache, local_creds)) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: could not obtain credentials - %s\r\n",
+		 error_message(r));
+	krb5_free_creds(local_creds);
+	return;
+    }
+
+    if (r = get_for_creds(ETYPE_DES_CBC_CRC,
+			  krb5_kdc_req_sumtype,
+			  RemoteHostName,
+			  local_creds->client,
+			  &local_creds->keyblock,
+			  forward_flags & OPTS_FORWARDABLE_CREDS,
+			  &forw_creds)) {
+	if (auth_debug_mode)
+	  printf("Kerberos V5: error getting forwarded creds - %s\r\n",
+		 error_message(r));
+	krb5_free_creds(local_creds);
+	return;
+    }
+
+    /* Send forwarded credentials */
+    if (!Data(ap, KRB_FORWARD, forw_creds.data, forw_creds.length)) {
+	if (auth_debug_mode)
+	  printf("Not enough room for authentication data\r\n");
+    }
+    else {
+	if (auth_debug_mode)
+	  printf("Forwarded local Kerberos V5 credentials to server\r\n");
+    }
+
+    krb5_free_creds(local_creds);
+}
+#endif	/* FORWARD */
+
+#endif /* KRB5 */
diff --git a/crypto/telnet/libtelnet/key-proto.h b/crypto/telnet/libtelnet/key-proto.h
new file mode 100644
index 0000000..9668a77
--- /dev/null
+++ b/crypto/telnet/libtelnet/key-proto.h
@@ -0,0 +1,71 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)key-proto.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifndef	__KEY_PROTO__
+#define	__KEY_PROTO__
+
+#if	!defined(P)
+#ifdef	__STDC__
+#define	P(x)	x
+#else
+#define	P(x)	()
+#endif
+#endif
+
+int key_file_exists P((void));
+void key_lookup P((unsigned char *, Block));
+void key_stream_init P((Block, Block, int));
+unsigned char key_stream P((int, int));
+#endif
diff --git a/crypto/telnet/libtelnet/krb4encpwd.c b/crypto/telnet/libtelnet/krb4encpwd.c
new file mode 100644
index 0000000..3184a52
--- /dev/null
+++ b/crypto/telnet/libtelnet/krb4encpwd.c
@@ -0,0 +1,447 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#)krb4encpwd.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+
+#ifdef	KRB4_ENCPWD
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <pwd.h>
+#include <stdio.h>
+
+#include <openssl/des.h>
+#include <krb.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int krb_mk_encpwd_req P((KTEXT, char *, char *, char *, char *, char *, char *));
+int krb_rd_encpwd_req P((KTEXT, char *, char *, u_long, AUTH_DAT *, char *, char *, char *, char *));
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_KRB4_ENCPWD, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	KRB4_ENCPWD_AUTH	0	/* Authentication data follows */
+#define	KRB4_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
+#define KRB4_ENCPWD_ACCEPT	2	/* Accepted */
+#define	KRB4_ENCPWD_CHALLENGE	3	/* Challenge for mutual auth. */
+#define	KRB4_ENCPWD_ACK		4	/* Acknowledge */
+
+#define KRB_SERVICE_NAME    "rcmd"
+
+static	KTEXT_ST auth;
+static	char name[ANAME_SZ];
+static	char user_passwd[ANAME_SZ];
+static	AUTH_DAT adat = { 0 };
+#ifdef	ENCRYPTION
+static Block	session_key	= { 0 };
+#endif	/* ENCRYPTION */
+static char  challenge[REALM_SZ];
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(net_write(str_data, p - str_data));
+}
+
+	int
+krb4encpwd_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	char hostname[80], *cp, *realm;
+	C_Block skey;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+	} else {
+		str_data[3] = TELQUAL_IS;
+		gethostname(hostname, sizeof(hostname));
+		realm = krb_realmofhost(hostname);
+		cp = strchr(hostname, '.');
+		if (*cp != NULL) *cp = NULL;
+		if (read_service_key(KRB_SERVICE_NAME, hostname, realm, 0,
+					KEYFILE, (char *)skey)) {
+		  return(0);
+		}
+	}
+	return(1);
+}
+
+	int
+krb4encpwd_send(ap)
+	Authenticator *ap;
+{
+
+	printf("[ Trying KRB4ENCPWD ... ]\n");
+	if (!UserNameRequested) {
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+
+	if (!Data(ap, KRB4_ENCPWD_ACK, (void *)NULL, 0)) {
+		return(0);
+	}
+
+	return(1);
+}
+
+	void
+krb4encpwd_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	Block datablock;
+	char  r_passwd[ANAME_SZ], r_user[ANAME_SZ];
+	char  lhostname[ANAME_SZ], *cp;
+	int r;
+	time_t now;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB4_ENCPWD_AUTH:
+		memmove((void *)auth.dat, (void *)data, auth.length = cnt);
+
+		gethostname(lhostname, sizeof(lhostname));
+		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
+
+		if (r = krb_rd_encpwd_req(&auth, KRB_SERVICE_NAME, lhostname, 0, &adat, NULL, challenge, r_user, r_passwd)) {
+			Data(ap, KRB4_ENCPWD_REJECT, (void *)"Auth failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+		auth_encrypt_userpwd(r_passwd);
+		if (passwdok(UserNameRequested, UserPassword) == 0) {
+		  /*
+		   *  illegal username and password
+		   */
+		  Data(ap, KRB4_ENCPWD_REJECT, (void *)"Illegal password", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+
+		memmove((void *)session_key, (void *)adat.session, sizeof(Block));
+		Data(ap, KRB4_ENCPWD_ACCEPT, (void *)0, 0);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	case KRB4_ENCPWD_CHALLENGE:
+		/*
+		 *  Take the received random challenge text and save
+		 *  for future authentication.
+		 */
+		memmove((void *)challenge, (void *)data, sizeof(Block));
+		break;
+
+
+	case KRB4_ENCPWD_ACK:
+		/*
+		 *  Receive ack, if mutual then send random challenge
+		 */
+
+		/*
+		 * If we are doing mutual authentication, get set up to send
+		 * the challenge, and verify it when the response comes back.
+		 */
+
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+		  register int i;
+
+		  time(&now);
+		  sprintf(challenge, "%x", now);
+		  Data(ap, KRB4_ENCPWD_CHALLENGE, (void *)challenge, strlen(challenge));
+		}
+		break;
+
+	default:
+		Data(ap, KRB4_ENCPWD_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+krb4encpwd_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	KTEXT_ST krb_token;
+	Block enckey;
+	CREDENTIALS cred;
+	int r;
+	char	randchal[REALM_SZ], instance[ANAME_SZ], *cp;
+	char	hostname[80], *realm;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case KRB4_ENCPWD_REJECT:
+		if (cnt > 0) {
+			printf("[ KRB4_ENCPWD refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ KRB4_ENCPWD refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case KRB4_ENCPWD_ACCEPT:
+		printf("[ KRB4_ENCPWD accepts you ]\n");
+		auth_finished(ap, AUTH_USER);
+		return;
+	case KRB4_ENCPWD_CHALLENGE:
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+
+		gethostname(hostname, sizeof(hostname));
+		realm = krb_realmofhost(hostname);
+		memmove((void *)challenge, (void *)data, cnt);
+		memset(user_passwd, 0, sizeof(user_passwd));
+		local_des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
+		UserPassword = user_passwd;
+		Challenge = challenge;
+		strcpy(instance, RemoteHostName);
+		if ((cp = strchr(instance, '.')) != 0)  *cp = '\0';
+
+		if (r = krb_mk_encpwd_req(&krb_token, KRB_SERVICE_NAME, instance, realm, Challenge, UserNameRequested, user_passwd)) {
+		  krb_token.length = 0;
+		}
+
+		if (!Data(ap, KRB4_ENCPWD_AUTH, (void *)krb_token.dat, krb_token.length)) {
+		  return;
+		}
+
+		break;
+
+	default:
+		return;
+	}
+}
+
+	int
+krb4encpwd_status(ap, name, level)
+	Authenticator *ap;
+	char *name;
+	int level;
+{
+
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && passwdok(UserNameRequested, UserPassword)) {
+		strcpy(name, UserNameRequested);
+		return(AUTH_VALID);
+	} else {
+		return(AUTH_USER);
+	}
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+krb4encpwd_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case KRB4_ENCPWD_REJECT:	/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case KRB4_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case KRB4_ENCPWD_AUTH:		/* Authentication data follows */
+		strncpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case KRB4_ENCPWD_CHALLENGE:
+		strncpy((char *)buf, " CHALLENGE", buflen);
+		goto common2;
+
+	case KRB4_ENCPWD_ACK:
+		strncpy((char *)buf, " ACK", buflen);
+		goto common2;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+int passwdok(name, passwd)
+char *name, *passwd;
+{
+  char *crypt();
+  char *salt, *p;
+  struct passwd *pwd;
+  int   passwdok_status = 0;
+
+  if (pwd = getpwnam(name))
+    salt = pwd->pw_passwd;
+  else salt = "xx";
+
+  p = crypt(passwd, salt);
+
+  if (pwd && !strcmp(p, pwd->pw_passwd)) {
+    passwdok_status = 1;
+  } else passwdok_status = 0;
+  return(passwdok_status);
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	register int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/telnet/libtelnet/misc-proto.h b/crypto/telnet/libtelnet/misc-proto.h
new file mode 100644
index 0000000..e5f334a
--- /dev/null
+++ b/crypto/telnet/libtelnet/misc-proto.h
@@ -0,0 +1,79 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)misc-proto.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifndef	__MISC_PROTO__
+#define	__MISC_PROTO__
+
+#if	!defined(P)
+#ifdef	__STDC__
+#define	P(x)	x
+#else
+#define	P(x)	()
+#endif
+#endif
+
+void auth_encrypt_init P((char *, char *, char *, int));
+void auth_encrypt_connect P((int));
+void printd P((unsigned char *, int));
+
+/*
+ * These functions are imported from the application
+ */
+int net_write P((unsigned char *, int));
+void net_encrypt P((void));
+int telnet_spin P((void));
+char *telnet_getenv P((char *));
+char *telnet_gets P((char *, char *, int, int));
+#endif
diff --git a/crypto/telnet/libtelnet/misc.c b/crypto/telnet/libtelnet/misc.c
new file mode 100644
index 0000000..c486418
--- /dev/null
+++ b/crypto/telnet/libtelnet/misc.c
@@ -0,0 +1,103 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)misc.c	8.1 (Berkeley) 6/4/93";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "misc.h"
+#include "auth.h"
+#include "encrypt.h"
+
+char *RemoteHostName;
+char *LocalHostName;
+char *UserNameRequested = 0;
+int ConnectedCount = 0;
+
+	void
+auth_encrypt_init(local, remote, name, server)
+	char *local;
+	char *remote;
+	char *name;
+	int server;
+{
+	RemoteHostName = remote;
+	LocalHostName = local;
+#if	defined(AUTHENTICATION)
+	auth_init(name, server);
+#endif
+#ifdef	ENCRYPTION
+	encrypt_init(name, server);
+#endif	/* ENCRYPTION */
+	if (UserNameRequested) {
+		free(UserNameRequested);
+		UserNameRequested = 0;
+	}
+}
+
+	void
+auth_encrypt_user(name)
+	char *name;
+{
+	extern char *strdup();
+
+	if (UserNameRequested)
+		free(UserNameRequested);
+	UserNameRequested = name ? strdup(name) : 0;
+}
+
+	void
+auth_encrypt_connect(cnt)
+	int cnt;
+{
+}
+
+	void
+printd(data, cnt)
+	unsigned char *data;
+	int cnt;
+{
+	if (cnt > 16)
+		cnt = 16;
+	while (cnt-- > 0) {
+		printf(" %02x", *data);
+		++data;
+	}
+}
diff --git a/crypto/telnet/libtelnet/misc.h b/crypto/telnet/libtelnet/misc.h
new file mode 100644
index 0000000..41ffa7f
--- /dev/null
+++ b/crypto/telnet/libtelnet/misc.h
@@ -0,0 +1,42 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)misc.h	8.1 (Berkeley) 6/4/93
+ */
+
+extern char *UserNameRequested;
+extern char *LocalHostName;
+extern char *RemoteHostName;
+extern int ConnectedCount;
+extern int ReservedPort;
+
+#include "misc-proto.h"
diff --git a/crypto/telnet/libtelnet/pk.c b/crypto/telnet/libtelnet/pk.c
new file mode 100644
index 0000000..9fe5441
--- /dev/null
+++ b/crypto/telnet/libtelnet/pk.c
@@ -0,0 +1,274 @@
+/* public key routines */
+/* $FreeBSD$ */
+/* functions:
+	genkeys(char *public, char *secret)
+	common_key(char *secret, char *public, desData *deskey)
+        pk_encode(char *in, *out, DesData *deskey);
+        pk_decode(char *in, *out, DesData *deskey);
+      where
+	char public[HEXKEYBYTES + 1];
+	char secret[HEXKEYBYTES + 1];
+ */
+
+#include <stdio.h>
+#include <sys/time.h>
+#include <string.h>
+#include <fcntl.h>
+#include <openssl/des.h>
+#include "mp.h"
+#include "pk.h"
+#if defined(SOLARIS2) || defined(LINUX)
+#include <stdlib.h>
+#endif
+ 
+/*
+ * Choose top 128 bits of the common key to use as our idea key.
+ */
+static
+extractideakey(ck, ideakey)
+        MINT *ck;
+        IdeaData *ideakey;
+{
+        MINT *a;
+        MINT *z;
+        short r;
+        int i;
+        short base = (1 << 8);
+        char *k;
+
+        z = itom(0);
+        a = itom(0);
+        madd(ck, z, a);
+        for (i = 0; i < ((KEYSIZE - 128) / 8); i++) {
+                sdiv(a, base, a, &r);
+        }
+        k = (char *)ideakey;
+        for (i = 0; i < 16; i++) {
+                sdiv(a, base, a, &r);
+                *k++ = r;
+        }
+	mfree(z);
+        mfree(a);
+}
+
+/*
+ * Choose middle 64 bits of the common key to use as our des key, possibly
+ * overwriting the lower order bits by setting parity. 
+ */
+static
+extractdeskey(ck, deskey)
+        MINT *ck;
+        DesData *deskey;
+{
+        MINT *a;
+        MINT *z;
+        short r;
+        int i;
+        short base = (1 << 8);
+        char *k;
+
+        z = itom(0);
+        a = itom(0);
+        madd(ck, z, a);
+        for (i = 0; i < ((KEYSIZE - 64) / 2) / 8; i++) {
+                sdiv(a, base, a, &r);
+        }
+        k = (char *)deskey;
+        for (i = 0; i < 8; i++) {
+                sdiv(a, base, a, &r);
+                *k++ = r;
+        }
+	mfree(z);
+        mfree(a);
+}
+
+/*
+ * get common key from my secret key and his public key
+ */
+void common_key(char *xsecret, char *xpublic, IdeaData *ideakey, DesData *deskey)
+{
+        MINT *public;
+        MINT *secret;
+        MINT *common;
+	MINT *modulus = xtom(HEXMODULUS);
+
+        public = xtom(xpublic);
+        secret = xtom(xsecret);
+        common = itom(0);
+        pow(public, secret, modulus, common);
+        extractdeskey(common, deskey);
+        extractideakey(common, ideakey);
+#if DES_OSTHOLM
+	des_fixup_key_parity(deskey);
+#else
+	des_set_odd_parity(deskey);
+#endif
+        mfree(common);
+        mfree(secret);
+        mfree(public);
+	mfree(modulus);
+}
+
+
+/*
+ * Generate a seed
+ */
+void getseed(seed, seedsize)
+        char *seed;
+        int seedsize;
+{
+#if 0
+        int i,f;
+        int rseed;
+        struct timeval tv;
+	long devrand;
+
+        (void)gettimeofday(&tv, (struct timezone *)NULL);
+        rseed = tv.tv_sec + tv.tv_usec;
+/* XXX What the hell is this?! */
+        for (i = 0; i < 8; i++) {
+                rseed ^= (rseed << 8);
+        }
+
+	f=open("/dev/random",O_NONBLOCK|O_RDONLY);
+	if (f>=0)
+	{
+		read(f,&devrand,sizeof(devrand));
+		close(f);
+	}
+        srand48((long)rseed^devrand);
+
+        for (i = 0; i < seedsize; i++) {
+                seed[i] = (lrand48() & 0xff);
+        }
+#else
+	int i;
+
+	srandomdev();
+	for (i = 0; i < seedsize; i++) {
+		seed[i] = random() & 0xff;
+	}
+#endif
+}
+
+
+/*
+ * Generate a random public/secret key pair
+ */
+void genkeys(public, secret)
+        char *public;
+        char *secret;
+{
+        int i;
+ 
+#       define BASEBITS (8*sizeof(short) - 1)
+#       define BASE (1 << BASEBITS)
+ 
+        MINT *pk = itom(0);
+        MINT *sk = itom(0);
+        MINT *tmp;
+        MINT *base = itom(BASE);
+        MINT *root = itom(PROOT);
+        MINT *modulus = xtom(HEXMODULUS);
+        short r;
+        unsigned short seed[KEYSIZE/BASEBITS + 1];
+        char *xkey;
+
+        getseed((char *)seed, sizeof(seed));    
+        for (i = 0; i < KEYSIZE/BASEBITS + 1; i++) {
+                r = seed[i] % BASE;
+                tmp = itom(r);
+                mult(sk, base, sk);
+                madd(sk, tmp, sk);
+                mfree(tmp);  
+        }
+        tmp = itom(0);
+        mdiv(sk, modulus, tmp, sk);
+        mfree(tmp);
+        pow(root, sk, modulus, pk); 
+        xkey = mtox(sk);   
+        adjust(secret, xkey);
+        xkey = mtox(pk);
+        adjust(public, xkey);
+        mfree(sk);
+        mfree(base);
+        mfree(pk);
+        mfree(root);
+        mfree(modulus);
+} 
+
+/*
+ * Adjust the input key so that it is 0-filled on the left
+ */
+adjust(keyout, keyin)
+        char keyout[HEXKEYBYTES+1];
+        char *keyin;
+{
+        char *p;
+        char *s;
+
+        for (p = keyin; *p; p++) 
+                ;
+        for (s = keyout + HEXKEYBYTES; p >= keyin; p--, s--) {
+                *s = *p;
+        }
+        while (s >= keyout) {
+                *s-- = '0';
+        }
+}
+
+static char hextab[17] = "0123456789ABCDEF";
+
+/* given a DES key, cbc encrypt and translate input to terminated hex */
+void pk_encode(in, out, key)
+char *in,*out;
+DesData *key;
+{
+	char buf[256];
+	DesData i;
+	des_key_schedule k;
+	int l,op,deslen;
+
+	memset(&i,0,sizeof(i));
+	memset(buf,0,sizeof(buf));
+	deslen = ((strlen(in) + 7)/8)*8;
+	des_key_sched(key, k);
+	des_cbc_encrypt(in,buf,deslen, k,&i,DES_ENCRYPT);
+	for (l=0,op=0;l<deslen;l++) {
+		out[op++] = hextab[(buf[l] & 0xf0) >> 4];
+		out[op++] = hextab[(buf[l] & 0x0f)];
+	}
+	out[op] = '\0';
+}
+
+/* given a DES key, translate input from hex and decrypt */
+void pk_decode(in, out, key)
+char *in,*out;
+DesData *key;
+{
+	char buf[256];
+	DesData i;
+	des_key_schedule k;
+	int l,n1,n2,op;
+
+	memset(&i,0,sizeof(i));
+	memset(buf,0,sizeof(buf));
+	for (l=0,op=0;l<strlen(in)/2;l++,op+=2) {
+		if(in[op] == '0' && in[op+1] == '0') {
+			buf[l] = '\0';
+			break;
+		}
+		if (in[op] > '9')
+			n1 = in[op] - 'A' + 10;
+		else
+			n1 = in[op] - '0';
+		if (in[op+1] > '9')
+			n2 = in[op+1] - 'A' + 10;
+		else
+			n2 = in[op+1] - '0';
+		buf[l] = n1*16 +n2;
+	}
+	des_key_sched(key, k);
+	des_cbc_encrypt(buf,out,strlen(in)/2, k,&i,DES_DECRYPT);
+	out[strlen(in)/2] = '\0';
+}
diff --git a/crypto/telnet/libtelnet/pk.h b/crypto/telnet/libtelnet/pk.h
new file mode 100644
index 0000000..6a84ac5
--- /dev/null
+++ b/crypto/telnet/libtelnet/pk.h
@@ -0,0 +1,42 @@
+/* header for the des routines that we will use */
+/* $FreeBSD$ */
+
+typedef unsigned char byte, DesData[ 8], IdeaData[16];
+#if 0
+typedef unsigned long word, DesKeys[32];
+#else
+#define DesKeys des_key_schedule
+#endif
+
+#define DES_DECRYPT 0
+#define DES_ENCRYPT 1
+
+#if 0
+extern void des_fixup_key_parity();	/* (DesData *key) */
+extern int des_key_sched(); 	/* (DesData *key, DesKeys *m) */
+extern int des_ecb_encrypt();	/* (DesData *src, *dst, DesKeys *m, int mode) */
+extern int des_cbc_encrypt();   /* (char *src, *dst, int length,
+				    DesKeys *m, DesData *init, int mode) */
+#endif
+
+/* public key routines */
+/* functions:
+	genkeys(char *public, char *secret)
+	common_key(char *secret, char *public, desData *deskey)
+      where
+	char public[HEXKEYBYTES + 1];
+	char secret[HEXKEYBYTES + 1];
+ */
+
+#define HEXMODULUS "d4a0ba0250b6fd2ec626e7efd637df76c716e22d0944b88b"
+#define HEXKEYBYTES 48
+#define KEYSIZE 192
+#define KEYBYTES 24
+#define PROOT 3
+
+extern void genkeys(char *public, char *secret);
+extern void common_key(char *secret, char *public, IdeaData *common,
+  DesData *deskey);
+extern void pk_encode(char *in, char *out, DesData *deskey);
+extern void pk_decode(char *in, char *out, DesData *deskey);
+
diff --git a/crypto/telnet/libtelnet/read_password.c b/crypto/telnet/libtelnet/read_password.c
new file mode 100644
index 0000000..f977290
--- /dev/null
+++ b/crypto/telnet/libtelnet/read_password.c
@@ -0,0 +1,149 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static char sccsid[] = "@(#)read_password.c	8.3 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+/*
+ * $Source: /mit/kerberos/src/lib/des/RCS/read_password.c,v $
+ * $Author: jon $
+ *
+ * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * This routine prints the supplied string to standard
+ * output as a prompt, and reads a password string without
+ * echoing.
+ */
+
+#if	defined(RSA_ENCPWD) || defined(KRB4_ENCPWD)
+
+#include <stdio.h>
+#include <strings.h>
+#include <sys/ioctl.h>
+#include <signal.h>
+#include <setjmp.h>
+
+static jmp_buf env;
+
+/*** Routines ****************************************************** */
+/*
+ * This version just returns the string, doesn't map to key.
+ *
+ * Returns 0 on success, non-zero on failure.
+ */
+
+int
+local_des_read_pw_string(s,max,prompt,verify)
+    char *s;
+    int	max;
+    char *prompt;
+    int	verify;
+{
+    int ok = 0;
+    char *ptr;
+
+    jmp_buf old_env;
+    struct sgttyb tty_state;
+    char key_string[BUFSIZ];
+
+    if (max > BUFSIZ) {
+	return -1;
+    }
+
+    /* XXX assume jmp_buf is typedef'ed to an array */
+    memmove((char *)env, (char *)old_env, sizeof(env));
+    if (setjmp(env))
+	goto lose;
+
+    /* save terminal state*/
+    if (ioctl(0,TIOCGETP,(char *)&tty_state) == -1)
+	return -1;
+/*
+    push_signals();
+*/
+    /* Turn off echo */
+    tty_state.sg_flags &= ~ECHO;
+    if (ioctl(0,TIOCSETP,(char *)&tty_state) == -1)
+	return -1;
+    while (!ok) {
+	(void) printf("%s", prompt);
+	(void) fflush(stdout);
+	while (!fgets(s, max, stdin));
+
+	if ((ptr = strchr(s, '\n')))
+	    *ptr = '\0';
+	if (verify) {
+	    printf("\nVerifying, please re-enter %s",prompt);
+	    (void) fflush(stdout);
+	    if (!fgets(key_string, sizeof(key_string), stdin)) {
+		clearerr(stdin);
+		continue;
+	    }
+	    if ((ptr = strchr(key_string, '\n')))
+	    *ptr = '\0';
+	    if (strcmp(s,key_string)) {
+		printf("\n\07\07Mismatch - try again\n");
+		(void) fflush(stdout);
+		continue;
+	    }
+	}
+	ok = 1;
+    }
+
+lose:
+    if (!ok)
+	memset(s, 0, max);
+    printf("\n");
+    /* turn echo back on */
+    tty_state.sg_flags |= ECHO;
+    if (ioctl(0,TIOCSETP,(char *)&tty_state))
+	ok = 0;
+/*
+    pop_signals();
+*/
+    memmove((char *)old_env, (char *)env, sizeof(env));
+    if (verify)
+	memset(key_string, 0, sizeof (key_string));
+    s[max-1] = 0;		/* force termination */
+    return !ok;			/* return nonzero if not okay */
+}
+#endif	/* defined(RSA_ENCPWD) || defined(KRB4_ENCPWD) */
diff --git a/crypto/telnet/libtelnet/rsaencpwd.c b/crypto/telnet/libtelnet/rsaencpwd.c
new file mode 100644
index 0000000..5906d99
--- /dev/null
+++ b/crypto/telnet/libtelnet/rsaencpwd.c
@@ -0,0 +1,492 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#)rsaencpwd.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+
+#ifdef	RSA_ENCPWD
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <pwd.h>
+#include <stdio.h>
+
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+#include "cdc.h"
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_RSA_ENCPWD, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	RSA_ENCPWD_AUTH	0	/* Authentication data follows */
+#define	RSA_ENCPWD_REJECT	1	/* Rejected (reason might follow) */
+#define RSA_ENCPWD_ACCEPT	2	/* Accepted */
+#define	RSA_ENCPWD_CHALLENGEKEY	3	/* Challenge and public key */
+
+#define NAME_SZ   40
+#define CHAL_SZ   20
+#define PWD_SZ    40
+
+static	KTEXT_ST auth;
+static	char name[NAME_SZ];
+static	char user_passwd[PWD_SZ];
+static  char key_file[2*NAME_SZ];
+static  char lhostname[NAME_SZ];
+static char  challenge[CHAL_SZ];
+static int   challenge_len;
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	if (type != NULL) *p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(net_write(str_data, p - str_data));
+}
+
+	int
+rsaencpwd_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	char  *cp;
+	FILE  *fp;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		memset(key_file, 0, sizeof(key_file));
+		gethostname(lhostname, sizeof(lhostname));
+		if ((cp = strchr(lhostname, '.')) != 0)  *cp = '\0';
+		strcpy(key_file, "/etc/.");
+		strcat(key_file, lhostname);
+		strcat(key_file, "_privkey");
+		if ((fp=fopen(key_file, "r"))==NULL) return(0);
+		fclose(fp);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+	int
+rsaencpwd_send(ap)
+	Authenticator *ap;
+{
+
+	printf("[ Trying RSAENCPWD ... ]\n");
+	if (!UserNameRequested) {
+		return(0);
+	}
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+	if (!Data(ap, NULL, (void *)NULL, 0)) {
+		return(0);
+	}
+
+
+	return(1);
+}
+
+	void
+rsaencpwd_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	Block datablock;
+	char  r_passwd[PWD_SZ], r_user[NAME_SZ];
+	char  *cp, key[160];
+	char  chalkey[160], *ptr;
+	FILE  *fp;
+	int r, i, j, chalkey_len, len;
+	time_t now;
+
+	cnt--;
+	switch (*data++) {
+	case RSA_ENCPWD_AUTH:
+		memmove((void *)auth.dat, (void *)data, auth.length = cnt);
+
+		if ((fp=fopen(key_file, "r"))==NULL) {
+		  Data(ap, RSA_ENCPWD_REJECT, (void *)"Auth failed", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+		/*
+		 *  get privkey
+		 */
+		fscanf(fp, "%x;", &len);
+		for (i=0;i<len;i++) {
+		  j = getc(fp);  key[i]=j;
+		}
+		fclose(fp);
+
+		r = accept_rsa_encpwd(&auth, key, challenge,
+				      challenge_len, r_passwd);
+		if (r < 0) {
+		  Data(ap, RSA_ENCPWD_REJECT, (void *)"Auth failed", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+		auth_encrypt_userpwd(r_passwd);
+		if (rsaencpwd_passwdok(UserNameRequested, UserPassword) == 0) {
+		  /*
+		   *  illegal username and password
+		   */
+		  Data(ap, RSA_ENCPWD_REJECT, (void *)"Illegal password", -1);
+		  auth_finished(ap, AUTH_REJECT);
+		  return;
+		}
+
+		Data(ap, RSA_ENCPWD_ACCEPT, (void *)0, 0);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+
+	case IAC:
+
+		/*
+		 * If we are doing mutual authentication, get set up to send
+		 * the challenge, and verify it when the response comes back.
+		 */
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY) {
+		  register int i;
+
+
+		  time(&now);
+		  if ((now % 2) == 0) {
+		    sprintf(challenge, "%x", now);
+		    challenge_len = strlen(challenge);
+		  } else {
+		    strcpy(challenge, "randchal");
+		    challenge_len = 8;
+		  }
+
+		  if ((fp=fopen(key_file, "r"))==NULL) {
+		    Data(ap, RSA_ENCPWD_REJECT, (void *)"Auth failed", -1);
+		    auth_finished(ap, AUTH_REJECT);
+		    return;
+		  }
+		  /*
+		   *  skip privkey
+		   */
+		  fscanf(fp, "%x;", &len);
+		  for (i=0;i<len;i++) {
+		    j = getc(fp);
+		  }
+		  /*
+		   * get pubkey
+		   */
+		  fscanf(fp, "%x;", &len);
+		  for (i=0;i<len;i++) {
+		    j = getc(fp);  key[i]=j;
+		  }
+		  fclose(fp);
+		  chalkey[0] = 0x30;
+		  ptr = (char *) &chalkey[1];
+		  chalkey_len = 1+NumEncodeLengthOctets(i)+i+1+NumEncodeLengthOctets(challenge_len)+challenge_len;
+		  EncodeLength(ptr, chalkey_len);
+		  ptr +=NumEncodeLengthOctets(chalkey_len);
+		  *ptr++ = 0x04;  /* OCTET STRING */
+		  *ptr++ = challenge_len;
+		  memmove(ptr, challenge, challenge_len);
+		  ptr += challenge_len;
+		  *ptr++ = 0x04;  /* OCTET STRING */
+		  EncodeLength(ptr, i);
+		  ptr += NumEncodeLengthOctets(i);
+		  memmove(ptr, key, i);
+		  chalkey_len = 1+NumEncodeLengthOctets(chalkey_len)+chalkey_len;
+		  Data(ap, RSA_ENCPWD_CHALLENGEKEY, (void *)chalkey, chalkey_len);
+		}
+		break;
+
+	default:
+		Data(ap, RSA_ENCPWD_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+rsaencpwd_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	KTEXT_ST token;
+	Block enckey;
+	int r, pubkey_len;
+	char	randchal[CHAL_SZ], *cp;
+	char	chalkey[160], pubkey[128], *ptr;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case RSA_ENCPWD_REJECT:
+		if (cnt > 0) {
+			printf("[ RSA_ENCPWD refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ RSA_ENCPWD refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case RSA_ENCPWD_ACCEPT:
+		printf("[ RSA_ENCPWD accepts you ]\n");
+		auth_finished(ap, AUTH_USER);
+		return;
+	case RSA_ENCPWD_CHALLENGEKEY:
+		/*
+		 * Verify that the response to the challenge is correct.
+		 */
+
+		memmove((void *)chalkey, (void *)data, cnt);
+		ptr = (char *) &chalkey[0];
+		ptr += DecodeHeaderLength(chalkey);
+		if (*ptr != 0x04) {
+		  return;
+		}
+		*ptr++;
+		challenge_len = DecodeValueLength(ptr);
+		ptr += NumEncodeLengthOctets(challenge_len);
+		memmove(challenge, ptr, challenge_len);
+		ptr += challenge_len;
+		if (*ptr != 0x04) {
+		  return;
+		}
+		*ptr++;
+		pubkey_len = DecodeValueLength(ptr);
+		ptr += NumEncodeLengthOctets(pubkey_len);
+		memmove(pubkey, ptr, pubkey_len);
+		memset(user_passwd, 0, sizeof(user_passwd));
+		local_des_read_pw_string(user_passwd, sizeof(user_passwd)-1, "Password: ", 0);
+		UserPassword = user_passwd;
+		Challenge = challenge;
+		r = init_rsa_encpwd(&token, user_passwd, challenge, challenge_len, pubkey);
+		if (r < 0) {
+		  token.length = 1;
+		}
+
+		if (!Data(ap, RSA_ENCPWD_AUTH, (void *)token.dat, token.length)) {
+		  return;
+		}
+
+		break;
+
+	default:
+		return;
+	}
+}
+
+	int
+rsaencpwd_status(ap, name, level)
+	Authenticator *ap;
+	char *name;
+	int level;
+{
+
+	if (level < AUTH_USER)
+		return(level);
+
+	if (UserNameRequested && rsaencpwd_passwdok(UserNameRequested, UserPassword)) {
+		strcpy(name, UserNameRequested);
+		return(AUTH_VALID);
+	} else {
+		return(AUTH_USER);
+	}
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+rsaencpwd_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case RSA_ENCPWD_REJECT:	/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case RSA_ENCPWD_ACCEPT:	/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case RSA_ENCPWD_AUTH:		/* Authentication data follows */
+		strncpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	case RSA_ENCPWD_CHALLENGEKEY:
+		strncpy((char *)buf, " CHALLENGEKEY", buflen);
+		goto common2;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+int rsaencpwd_passwdok(name, passwd)
+char *name, *passwd;
+{
+  char *crypt();
+  char *salt, *p;
+  struct passwd *pwd;
+  int   passwdok_status = 0;
+
+  if (pwd = getpwnam(name))
+    salt = pwd->pw_passwd;
+  else salt = "xx";
+
+  p = crypt(passwd, salt);
+
+  if (pwd && !strcmp(p, pwd->pw_passwd)) {
+    passwdok_status = 1;
+  } else passwdok_status = 0;
+  return(passwdok_status);
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	register int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/telnet/libtelnet/spx.c b/crypto/telnet/libtelnet/spx.c
new file mode 100644
index 0000000..75d6e3e
--- /dev/null
+++ b/crypto/telnet/libtelnet/spx.c
@@ -0,0 +1,592 @@
+/*-
+ * Copyright (c) 1992, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static char sccsid[] = "@(#)spx.c	8.2 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#ifdef	SPX
+/*
+ * COPYRIGHT (C) 1990 DIGITAL EQUIPMENT CORPORATION
+ * ALL RIGHTS RESERVED
+ *
+ * "Digital Equipment Corporation authorizes the reproduction,
+ * distribution and modification of this software subject to the following
+ * restrictions:
+ *
+ * 1.  Any partial or whole copy of this software, or any modification
+ * thereof, must include this copyright notice in its entirety.
+ *
+ * 2.  This software is supplied "as is" with no warranty of any kind,
+ * expressed or implied, for any purpose, including any warranty of fitness
+ * or merchantibility.  DIGITAL assumes no responsibility for the use or
+ * reliability of this software, nor promises to provide any form of
+ * support for it on any basis.
+ *
+ * 3.  Distribution of this software is authorized only if no profit or
+ * remuneration of any kind is received in exchange for such distribution.
+ *
+ * 4.  This software produces public key authentication certificates
+ * bearing an expiration date established by DIGITAL and RSA Data
+ * Security, Inc.  It may cease to generate certificates after the expiration
+ * date.  Any modification of this software that changes or defeats
+ * the expiration date or its effect is unauthorized.
+ *
+ * 5.  Software that will renew or extend the expiration date of
+ * authentication certificates produced by this software may be obtained
+ * from RSA Data Security, Inc., 10 Twin Dolphin Drive, Redwood City, CA
+ * 94065, (415)595-8782, or from DIGITAL"
+ *
+ */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include "gssapi_defs.h"
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#include <pwd.h>
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+extern auth_debug_mode;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_SPX, };
+static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
+					TELQUAL_NAME, };
+
+#define	SPX_AUTH	0		/* Authentication data follows */
+#define	SPX_REJECT	1		/* Rejected (reason might follow) */
+#define SPX_ACCEPT	2		/* Accepted */
+
+#ifdef	ENCRYPTION
+static Block	session_key	= { 0 };
+#endif	/* ENCRYPTION */
+static Block	challenge	= { 0 };
+
+
+/*******************************************************************/
+
+gss_OID_set		actual_mechs;
+gss_OID			actual_mech_type, output_name_type;
+int			major_status, status, msg_ctx = 0, new_status;
+int			req_flags = 0, ret_flags, lifetime_rec;
+gss_cred_id_t		gss_cred_handle;
+gss_ctx_id_t		actual_ctxhandle, context_handle;
+gss_buffer_desc		output_token, input_token, input_name_buffer;
+gss_buffer_desc		status_string;
+gss_name_t		desired_targname, src_name;
+gss_channel_bindings	input_chan_bindings;
+char			lhostname[GSS_C_MAX_PRINTABLE_NAME];
+char			targ_printable[GSS_C_MAX_PRINTABLE_NAME];
+int			to_addr=0, from_addr=0;
+char			*address;
+gss_buffer_desc		fullname_buffer;
+gss_OID			fullname_type;
+gss_cred_id_t		gss_delegated_cred_handle;
+
+/*******************************************************************/
+
+
+
+	static int
+Data(ap, type, d, c)
+	Authenticator *ap;
+	int type;
+	void *d;
+	int c;
+{
+	unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+	if (0) {
+		printf("%s:%d: [%d] (%d)",
+			str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+			str_data[3],
+			type, c);
+		printd(d, c);
+		printf("\r\n");
+	}
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+	while (c-- > 0) {
+		if ((*p++ = *cd++) == IAC)
+			*p++ = IAC;
+	}
+	*p++ = IAC;
+	*p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+	return(net_write(str_data, p - str_data));
+}
+
+	int
+spx_init(ap, server)
+	Authenticator *ap;
+	int server;
+{
+	gss_cred_id_t	tmp_cred_handle;
+
+	if (server) {
+		str_data[3] = TELQUAL_REPLY;
+		gethostname(lhostname, sizeof(lhostname));
+		strcpy(targ_printable, "SERVICE:rcmd@");
+		strcat(targ_printable, lhostname);
+		input_name_buffer.length = strlen(targ_printable);
+		input_name_buffer.value = targ_printable;
+		major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+		major_status = gss_acquire_cred(&status,
+					desired_targname,
+					0,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&tmp_cred_handle,
+					&actual_mechs,
+					&lifetime_rec);
+		if (major_status != GSS_S_COMPLETE) return(0);
+	} else {
+		str_data[3] = TELQUAL_IS;
+	}
+	return(1);
+}
+
+	int
+spx_send(ap)
+	Authenticator *ap;
+{
+	Block enckey;
+	int r;
+
+	gss_OID	actual_mech_type, output_name_type;
+	int	msg_ctx = 0, new_status, status;
+	int	req_flags = 0, ret_flags, lifetime_rec, major_status;
+	gss_buffer_desc  output_token, input_token, input_name_buffer;
+	gss_buffer_desc  output_name_buffer, status_string;
+	gss_name_t    desired_targname;
+	gss_channel_bindings  input_chan_bindings;
+	char targ_printable[GSS_C_MAX_PRINTABLE_NAME];
+	int  from_addr=0, to_addr=0, myhostlen, j;
+	int  deleg_flag=1, mutual_flag=0, replay_flag=0, seq_flag=0;
+	char *address;
+
+	printf("[ Trying SPX ... ]\n");
+	strcpy(targ_printable, "SERVICE:rcmd@");
+	strcat(targ_printable, RemoteHostName);
+
+	input_name_buffer.length = strlen(targ_printable);
+	input_name_buffer.value = targ_printable;
+
+	if (!UserNameRequested) {
+		return(0);
+	}
+
+	major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+
+
+	major_status = gss_display_name(&status,
+					desired_targname,
+					&output_name_buffer,
+					&output_name_type);
+
+	printf("target is '%s'\n", output_name_buffer.value); fflush(stdout);
+
+	major_status = gss_release_buffer(&status, &output_name_buffer);
+
+	input_chan_bindings = (gss_channel_bindings)
+	  malloc(sizeof(gss_channel_bindings_desc));
+
+	input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
+	input_chan_bindings->initiator_address.length = 4;
+	address = (char *) malloc(4);
+	input_chan_bindings->initiator_address.value = (char *) address;
+	address[0] = ((from_addr & 0xff000000) >> 24);
+	address[1] = ((from_addr & 0xff0000) >> 16);
+	address[2] = ((from_addr & 0xff00) >> 8);
+	address[3] = (from_addr & 0xff);
+	input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
+	input_chan_bindings->acceptor_address.length = 4;
+	address = (char *) malloc(4);
+	input_chan_bindings->acceptor_address.value = (char *) address;
+	address[0] = ((to_addr & 0xff000000) >> 24);
+	address[1] = ((to_addr & 0xff0000) >> 16);
+	address[2] = ((to_addr & 0xff00) >> 8);
+	address[3] = (to_addr & 0xff);
+	input_chan_bindings->application_data.length = 0;
+
+	req_flags = 0;
+	if (deleg_flag)  req_flags = req_flags | 1;
+	if (mutual_flag) req_flags = req_flags | 2;
+	if (replay_flag) req_flags = req_flags | 4;
+	if (seq_flag)    req_flags = req_flags | 8;
+
+	major_status = gss_init_sec_context(&status,         /* minor status */
+					GSS_C_NO_CREDENTIAL, /* cred handle */
+					&actual_ctxhandle,   /* ctx handle */
+					desired_targname,    /* target name */
+					GSS_C_NULL_OID,      /* mech type */
+					req_flags,           /* req flags */
+					0,                   /* time req */
+					input_chan_bindings, /* chan binding */
+					GSS_C_NO_BUFFER,     /* input token */
+					&actual_mech_type,   /* actual mech */
+					&output_token,       /* output token */
+					&ret_flags,          /* ret flags */
+					&lifetime_rec);      /* time rec */
+
+	if ((major_status != GSS_S_COMPLETE) &&
+	    (major_status != GSS_S_CONTINUE_NEEDED)) {
+	  gss_display_status(&new_status,
+				status,
+				GSS_C_MECH_CODE,
+				GSS_C_NULL_OID,
+				&msg_ctx,
+				&status_string);
+	  printf("%s\n", status_string.value);
+	  return(0);
+	}
+
+	if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+		return(0);
+	}
+
+	if (!Data(ap, SPX_AUTH, (void *)output_token.value, output_token.length)) {
+		return(0);
+	}
+
+	return(1);
+}
+
+	void
+spx_is(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+	Block datablock;
+	int r;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case SPX_AUTH:
+		input_token.length = cnt;
+		input_token.value = (char *) data;
+
+		gethostname(lhostname, sizeof(lhostname));
+
+		strcpy(targ_printable, "SERVICE:rcmd@");
+		strcat(targ_printable, lhostname);
+
+		input_name_buffer.length = strlen(targ_printable);
+		input_name_buffer.value = targ_printable;
+
+		major_status = gss_import_name(&status,
+					&input_name_buffer,
+					GSS_C_NULL_OID,
+					&desired_targname);
+
+		major_status = gss_acquire_cred(&status,
+					desired_targname,
+					0,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&gss_cred_handle,
+					&actual_mechs,
+					&lifetime_rec);
+
+		major_status = gss_release_name(&status, desired_targname);
+
+		input_chan_bindings = (gss_channel_bindings)
+		  malloc(sizeof(gss_channel_bindings_desc));
+
+		input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
+		input_chan_bindings->initiator_address.length = 4;
+		address = (char *) malloc(4);
+		input_chan_bindings->initiator_address.value = (char *) address;
+		address[0] = ((from_addr & 0xff000000) >> 24);
+		address[1] = ((from_addr & 0xff0000) >> 16);
+		address[2] = ((from_addr & 0xff00) >> 8);
+		address[3] = (from_addr & 0xff);
+		input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
+		input_chan_bindings->acceptor_address.length = 4;
+		address = (char *) malloc(4);
+		input_chan_bindings->acceptor_address.value = (char *) address;
+		address[0] = ((to_addr & 0xff000000) >> 24);
+		address[1] = ((to_addr & 0xff0000) >> 16);
+		address[2] = ((to_addr & 0xff00) >> 8);
+		address[3] = (to_addr & 0xff);
+		input_chan_bindings->application_data.length = 0;
+
+		major_status = gss_accept_sec_context(&status,
+						&context_handle,
+						gss_cred_handle,
+						&input_token,
+						input_chan_bindings,
+						&src_name,
+						&actual_mech_type,
+						&output_token,
+						&ret_flags,
+						&lifetime_rec,
+						&gss_delegated_cred_handle);
+
+
+		if (major_status != GSS_S_COMPLETE) {
+
+		  major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+			Data(ap, SPX_REJECT, (void *)"auth failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			return;
+		}
+
+		major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+
+
+		Data(ap, SPX_ACCEPT, (void *)output_token.value, output_token.length);
+		auth_finished(ap, AUTH_USER);
+		break;
+
+	default:
+		Data(ap, SPX_REJECT, 0, 0);
+		break;
+	}
+}
+
+
+	void
+spx_reply(ap, data, cnt)
+	Authenticator *ap;
+	unsigned char *data;
+	int cnt;
+{
+	Session_Key skey;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+	case SPX_REJECT:
+		if (cnt > 0) {
+			printf("[ SPX refuses authentication because %.*s ]\r\n",
+				cnt, data);
+		} else
+			printf("[ SPX refuses authentication ]\r\n");
+		auth_send_retry();
+		return;
+	case SPX_ACCEPT:
+		printf("[ SPX accepts you ]\n");
+		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+			/*
+			 * Send over the encrypted challenge.
+		 	 */
+		  input_token.value = (char *) data;
+		  input_token.length = cnt;
+
+		  major_status = gss_init_sec_context(&status, /* minor stat */
+					GSS_C_NO_CREDENTIAL, /* cred handle */
+					&actual_ctxhandle,   /* ctx handle */
+					desired_targname,    /* target name */
+					GSS_C_NULL_OID,      /* mech type */
+					req_flags,           /* req flags */
+					0,                   /* time req */
+					input_chan_bindings, /* chan binding */
+					&input_token,        /* input token */
+					&actual_mech_type,   /* actual mech */
+					&output_token,       /* output token */
+					&ret_flags,          /* ret flags */
+					&lifetime_rec);      /* time rec */
+
+		  if (major_status != GSS_S_COMPLETE) {
+		    gss_display_status(&new_status,
+					status,
+					GSS_C_MECH_CODE,
+					GSS_C_NULL_OID,
+					&msg_ctx,
+					&status_string);
+		    printf("[ SPX mutual response fails ... '%s' ]\r\n",
+			 status_string.value);
+		    auth_send_retry();
+		    return;
+		  }
+		}
+		auth_finished(ap, AUTH_USER);
+		return;
+
+	default:
+		return;
+	}
+}
+
+	int
+spx_status(ap, name, level)
+	Authenticator *ap;
+	char *name;
+	int level;
+{
+
+	gss_buffer_desc  fullname_buffer, acl_file_buffer;
+	gss_OID          fullname_type;
+	char acl_file[160], fullname[160];
+	int major_status, status = 0;
+	struct passwd  *pwd;
+
+	/*
+	 * hard code fullname to
+	 *   "SPX:/C=US/O=Digital/OU=LKG/OU=Sphinx/OU=Users/CN=Kannan Alagappan"
+	 * and acl_file to "~kannan/.sphinx"
+	 */
+
+	pwd = getpwnam(UserNameRequested);
+	if (pwd == NULL) {
+	  return(AUTH_USER);   /*  not authenticated  */
+	}
+
+	strcpy(acl_file, pwd->pw_dir);
+	strcat(acl_file, "/.sphinx");
+	acl_file_buffer.value = acl_file;
+	acl_file_buffer.length = strlen(acl_file);
+
+	major_status = gss_display_name(&status,
+					src_name,
+					&fullname_buffer,
+					&fullname_type);
+
+	if (level < AUTH_USER)
+		return(level);
+
+	major_status = gss__check_acl(&status, &fullname_buffer,
+					&acl_file_buffer);
+
+	if (major_status == GSS_S_COMPLETE) {
+	  strcpy(name, UserNameRequested);
+	  return(AUTH_VALID);
+	} else {
+	   return(AUTH_USER);
+	}
+
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+	void
+spx_printsub(data, cnt, buf, buflen)
+	unsigned char *data, *buf;
+	int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+	case SPX_REJECT:		/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case SPX_ACCEPT:		/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case SPX_AUTH:			/* Authentication data follows */
+		strncpy((char *)buf, " AUTH", buflen);
+		goto common2;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+#endif
+
+#ifdef notdef
+
+prkey(msg, key)
+	char *msg;
+	unsigned char *key;
+{
+	register int i;
+	printf("%s:", msg);
+	for (i = 0; i < 8; i++)
+		printf(" %3d", key[i]);
+	printf("\r\n");
+}
+#endif
diff --git a/crypto/telnet/libtelnet/sra.c b/crypto/telnet/libtelnet/sra.c
new file mode 100644
index 0000000..9c033c9
--- /dev/null
+++ b/crypto/telnet/libtelnet/sra.c
@@ -0,0 +1,658 @@
+/* $FreeBSD$ */
+
+#ifdef	SRA
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <stdio.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#ifdef	NO_STRING_H
+#include <strings.h>
+#else
+#include <string.h>
+#endif
+
+#if !defined(NOPAM)
+#include <security/pam_appl.h>
+#endif
+
+#include <ttyent.h>
+
+#include "auth.h"
+#include "misc.h"
+#include "encrypt.h"
+#include "pk.h"
+
+char pka[HEXKEYBYTES+1], ska[HEXKEYBYTES+1], pkb[HEXKEYBYTES+1];
+char *user,*pass,*xuser,*xpass;
+DesData ck;
+IdeaData ik;
+
+extern int auth_debug_mode;
+extern char *line;
+
+static sra_valid = 0;
+static passwd_sent = 0;
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+			  		AUTHTYPE_SRA, };
+
+#define SRA_KEY	0
+#define SRA_USER 1
+#define SRA_CONTINUE 2
+#define SRA_PASS 3
+#define SRA_ACCEPT 4
+#define SRA_REJECT 5
+
+/* support routine to send out authentication message */
+static int Data(ap, type, d, c)
+Authenticator *ap;
+int type;
+void *d;
+int c;
+{
+        unsigned char *p = str_data + 4;
+	unsigned char *cd = (unsigned char *)d;
+
+	if (c == -1)
+		c = strlen((char *)cd);
+
+        if (auth_debug_mode) {
+                printf("%s:%d: [%d] (%d)",
+                        str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+                        str_data[3],
+                        type, c);
+                printd(d, c);
+                printf("\r\n");
+        }
+	*p++ = ap->type;
+	*p++ = ap->way;
+	*p++ = type;
+        while (c-- > 0) {
+                if ((*p++ = *cd++) == IAC)
+                        *p++ = IAC;
+        }
+        *p++ = IAC;
+        *p++ = SE;
+	if (str_data[3] == TELQUAL_IS)
+		printsub('>', &str_data[2], p - (&str_data[2]));
+        return(net_write(str_data, p - str_data));
+}
+
+int sra_init(ap, server)
+Authenticator *ap;
+int server;
+{
+	if (server)
+		str_data[3] = TELQUAL_REPLY;
+	else
+		str_data[3] = TELQUAL_IS;
+
+	user = (char *)malloc(256);
+	xuser = (char *)malloc(513);
+	pass = (char *)malloc(256);
+	xpass = (char *)malloc(513);
+
+	if (user == NULL || xuser == NULL || pass == NULL || xpass ==
+	NULL)
+		return 0; /* malloc failed */
+
+	passwd_sent = 0;
+	
+	genkeys(pka,ska);
+	return(1);
+}
+
+/* client received a go-ahead for sra */
+int sra_send(ap)
+Authenticator *ap;
+{
+	/* send PKA */
+
+	if (auth_debug_mode)
+		printf("Sent PKA to server.\r\n" );
+	printf("Trying SRA secure login:\r\n");
+	if (!Data(ap, SRA_KEY, (void *)pka, HEXKEYBYTES)) {
+		if (auth_debug_mode)
+			printf("Not enough room for authentication data\r\n");
+		return(0);
+	}
+
+	return(1);
+}
+
+/* server received an IS -- could be SRA KEY, USER, or PASS */
+void sra_is(ap, data, cnt)
+Authenticator *ap;
+unsigned char *data;
+int cnt;
+{
+	int valid;
+	Session_Key skey;
+
+	if (cnt-- < 1)
+		goto bad;
+	switch (*data++) {
+
+	case SRA_KEY:
+		if (cnt < HEXKEYBYTES) {
+			Data(ap, SRA_REJECT, (void *)0, 0);
+			auth_finished(ap, AUTH_USER);
+			if (auth_debug_mode) {
+				printf("SRA user rejected for bad PKB\r\n");
+			}
+			return;
+		}
+		if (auth_debug_mode)
+			printf("Sent pka\r\n");
+		if (!Data(ap, SRA_KEY, (void *)pka, HEXKEYBYTES)) {
+			if (auth_debug_mode)
+				printf("Not enough room\r\n");
+			return;
+		}
+		memcpy(pkb,data,HEXKEYBYTES);
+		pkb[HEXKEYBYTES] = '\0';
+		common_key(ska,pkb,&ik,&ck);
+		return;
+
+	case SRA_USER:
+		/* decode KAB(u) */
+		if (cnt > 512) /* Attempted buffer overflow */
+			break;
+		memcpy(xuser,data,cnt);
+		xuser[cnt] = '\0';
+		pk_decode(xuser,user,&ck);
+		auth_encrypt_user(user);
+		Data(ap, SRA_CONTINUE, (void *)0, 0);
+
+		return;
+
+	case SRA_PASS:
+		if (cnt > 512) /* Attempted buffer overflow */
+			break;
+		/* decode KAB(P) */
+		memcpy(xpass,data,cnt);
+		xpass[cnt] = '\0';
+		pk_decode(xpass,pass,&ck);
+
+		/* check user's password */
+		valid = check_user(user,pass);
+
+		if(valid) {
+			Data(ap, SRA_ACCEPT, (void *)0, 0);
+#ifdef DES_ENCRYPTION
+			skey.data = ck;
+			skey.type = SK_DES;
+			skey.length = 8;
+			encrypt_session_key(&skey, 1);
+#endif
+
+			sra_valid = 1;
+			auth_finished(ap, AUTH_VALID);
+			if (auth_debug_mode) {
+				printf("SRA user accepted\r\n");
+			}
+		}
+		else {
+			Data(ap, SRA_CONTINUE, (void *)0, 0);
+/*
+			Data(ap, SRA_REJECT, (void *)0, 0);
+			sra_valid = 0;
+			auth_finished(ap, AUTH_REJECT);
+*/
+			if (auth_debug_mode) {
+				printf("SRA user failed\r\n");
+			}
+		}
+		return;
+
+	default:
+		if (auth_debug_mode)
+			printf("Unknown SRA option %d\r\n", data[-1]);
+	}
+bad:
+	Data(ap, SRA_REJECT, 0, 0);
+	sra_valid = 0;
+	auth_finished(ap, AUTH_REJECT);
+}
+
+extern char *getpass();
+
+/* client received REPLY -- could be SRA KEY, CONTINUE, ACCEPT, or REJECT */
+void sra_reply(ap, data, cnt)
+Authenticator *ap;
+unsigned char *data;
+int cnt;
+{
+	extern char *telnet_gets();
+	char uprompt[256],tuser[256];
+	Session_Key skey;
+	int i;
+
+	if (cnt-- < 1)
+		return;
+	switch (*data++) {
+
+	case SRA_KEY:
+		/* calculate common key */
+		if (cnt < HEXKEYBYTES) {
+			if (auth_debug_mode) {
+				printf("SRA user rejected for bad PKB\r\n");
+			}
+			return;
+		}
+		memcpy(pkb,data,HEXKEYBYTES);
+		pkb[HEXKEYBYTES] = '\0';		
+
+		common_key(ska,pkb,&ik,&ck);
+
+	enc_user:
+
+		/* encode user */
+		memset(tuser,0,sizeof(tuser));
+		sprintf(uprompt,"User (%s): ",UserNameRequested);
+		telnet_gets(uprompt,tuser,255,1);
+		if (tuser[0] == '\n' || tuser[0] == '\r' )
+			strcpy(user,UserNameRequested);
+		else {
+			/* telnet_gets leaves the newline on */
+			for(i=0;i<sizeof(tuser);i++) {
+				if (tuser[i] == '\n') {
+					tuser[i] = '\0';
+					break;
+				}
+			}
+			strcpy(user,tuser);
+		}
+		pk_encode(user,xuser,&ck);
+
+		/* send it off */
+		if (auth_debug_mode)
+			printf("Sent KAB(U)\r\n");
+		if (!Data(ap, SRA_USER, (void *)xuser, strlen(xuser))) {
+			if (auth_debug_mode)
+				printf("Not enough room\r\n");
+			return;
+		}
+		break;
+
+	case SRA_CONTINUE:
+		if (passwd_sent) {
+			passwd_sent = 0;
+			printf("[ SRA login failed ]\r\n");
+			goto enc_user;
+		}
+		/* encode password */
+		memset(pass,0,sizeof(pass));
+		telnet_gets("Password: ",pass,255,0);
+		pk_encode(pass,xpass,&ck);
+		/* send it off */
+		if (auth_debug_mode)
+			printf("Sent KAB(P)\r\n");
+		if (!Data(ap, SRA_PASS, (void *)xpass, strlen(xpass))) {
+			if (auth_debug_mode)
+				printf("Not enough room\r\n");
+			return;
+		}
+		passwd_sent = 1;
+		break;
+
+	case SRA_REJECT:
+		printf("[ SRA refuses authentication ]\r\n");
+		printf("Trying plaintext login:\r\n");
+		auth_finished(0,AUTH_REJECT);
+		return;
+
+	case SRA_ACCEPT:
+		printf("[ SRA accepts you ]\r\n");
+#ifdef DES_ENCRYPTION
+		skey.data = ck;
+		skey.type = SK_DES;
+		skey.length = 8;
+		encrypt_session_key(&skey, 0);
+#endif
+
+		auth_finished(ap, AUTH_VALID);
+		return;
+	default:
+		if (auth_debug_mode)
+			printf("Unknown SRA option %d\r\n", data[-1]);
+		return;
+	}
+}
+
+int sra_status(ap, name, level)
+Authenticator *ap;
+char *name;
+int level;
+{
+	if (level < AUTH_USER)
+		return(level);
+	if (UserNameRequested && sra_valid) {
+		strcpy(name, UserNameRequested);
+		return(AUTH_VALID);
+	} else
+		return(AUTH_USER);
+}
+
+#define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
+#define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+void sra_printsub(data, cnt, buf, buflen)
+unsigned char *data, *buf;
+int cnt, buflen;
+{
+	char lbuf[32];
+	register int i;
+
+	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
+	buflen -= 1;
+
+	switch(data[3]) {
+
+	case SRA_CONTINUE:
+		strncpy((char *)buf, " CONTINUE ", buflen);
+		goto common;
+
+	case SRA_REJECT:		/* Rejected (reason might follow) */
+		strncpy((char *)buf, " REJECT ", buflen);
+		goto common;
+
+	case SRA_ACCEPT:		/* Accepted (name might follow) */
+		strncpy((char *)buf, " ACCEPT ", buflen);
+
+	common:
+		BUMP(buf, buflen);
+		if (cnt <= 4)
+			break;
+		ADDC(buf, buflen, '"');
+		for (i = 4; i < cnt; i++)
+			ADDC(buf, buflen, data[i]);
+		ADDC(buf, buflen, '"');
+		ADDC(buf, buflen, '\0');
+		break;
+
+	case SRA_KEY:			/* Authentication data follows */
+		strncpy((char *)buf, " KEY ", buflen);
+		goto common2;
+
+	case SRA_USER:
+		strncpy((char *)buf, " USER ", buflen);
+		goto common2;
+
+	case SRA_PASS:
+		strncpy((char *)buf, " PASS ", buflen);
+		goto common2;
+
+	default:
+		sprintf(lbuf, " %d (unknown)", data[3]);
+		strncpy((char *)buf, lbuf, buflen);
+	common2:
+		BUMP(buf, buflen);
+		for (i = 4; i < cnt; i++) {
+			sprintf(lbuf, " %d", data[i]);
+			strncpy((char *)buf, lbuf, buflen);
+			BUMP(buf, buflen);
+		}
+		break;
+	}
+}
+
+struct	passwd *pw;
+
+/*
+ * Helper function for sgetpwnam().
+ */
+char *
+sgetsave(s)
+	char *s;
+{
+	char *new = malloc((unsigned) strlen(s) + 1);
+
+	if (new == NULL) {
+		return(NULL);
+	}
+	(void) strcpy(new, s);
+	return (new);
+}
+
+#include <pwd.h>
+#include <syslog.h>
+#ifdef USE_SHADOW
+#include <shadow.h>
+#endif
+
+
+struct passwd *
+sgetpwnam(name)
+	char *name;
+{
+	static struct passwd save;
+	register struct passwd *p;
+	char *sgetsave();
+
+	if ((p = getpwnam(name)) == NULL)
+		return (p);
+	if (save.pw_name) {
+		free(save.pw_name);
+		free(save.pw_passwd);
+		free(save.pw_gecos);
+		free(save.pw_dir);
+		free(save.pw_shell);
+	}
+	save = *p;
+	save.pw_name = sgetsave(p->pw_name);
+	save.pw_passwd = sgetsave(p->pw_passwd);
+	save.pw_gecos = sgetsave(p->pw_gecos);
+	save.pw_dir = sgetsave(p->pw_dir);
+	save.pw_shell = sgetsave(p->pw_shell);
+#if 0
+syslog(LOG_WARNING,"%s\n",save.pw_name);
+syslog(LOG_WARNING,"%s\n",save.pw_passwd);
+syslog(LOG_WARNING,"%s\n",save.pw_gecos);
+syslog(LOG_WARNING,"%s\n",save.pw_dir);
+#endif
+#ifdef USE_SHADOW
+        {
+                struct spwd *sp;
+                sp = getspnam(name);
+                free(save.pw_passwd);
+                save.pw_passwd  = sgetsave(sp->sp_pwdp);
+        }
+#endif 
+	return (&save);
+}
+
+static int
+isroot(user)
+char *user;
+{
+	struct passwd *pw;
+
+	if ((pw=getpwnam(user))==NULL)
+		return 0;
+	return (!pw->pw_uid);
+}
+
+static int
+rootterm(ttyn)
+char *ttyn;
+{
+	struct ttyent *t;
+
+	return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE);
+}
+
+#ifdef NOPAM
+char *crypt();
+
+int check_user(name, pass)
+char *name;
+char *pass;
+{
+	register char *cp;
+	char *xpasswd, *salt;
+
+	if (isroot(name) && !rootterm(line))
+	{
+		crypt("AA","*"); /* Waste some time to simulate success */
+		return(0);
+	}
+
+	if (pw = sgetpwnam(name)) {
+		if (pw->pw_shell == NULL) {
+			pw = (struct passwd *) NULL;
+			return(0);
+		}
+
+		salt = pw->pw_passwd;
+		xpasswd = crypt(pass, salt);
+		/* The strcmp does not catch null passwords! */
+		if (pw == NULL || *pw->pw_passwd == '\0' ||
+			strcmp(xpasswd, pw->pw_passwd)) {
+			pw = (struct passwd *) NULL;
+			return(0);
+		}
+		return(1);
+	}
+	return(0);
+}
+#else
+
+/*
+ * The following is stolen from ftpd, which stole it from the imap-uw
+ * PAM module and login.c. It is needed because we can't really
+ * "converse" with the user, having already gone to the trouble of
+ * getting their username and password through an encrypted channel.
+ */
+
+#define COPY_STRING(s) (s ? strdup(s):NULL)
+
+struct cred_t {
+	const char *uname;
+	const char *pass;
+};
+typedef struct cred_t cred_t;
+
+auth_conv(int num_msg, const struct pam_message **msg,
+	struct pam_response **resp, void *appdata)
+{
+	int i;
+	cred_t *cred = (cred_t *) appdata;
+	struct pam_response *reply =
+		malloc(sizeof(struct pam_response) * num_msg);
+
+	if (reply == NULL)
+		return PAM_BUF_ERR;
+
+	for (i = 0; i < num_msg; i++) {
+		switch (msg[i]->msg_style) {
+		case PAM_PROMPT_ECHO_ON:        /* assume want user name */
+			reply[i].resp_retcode = PAM_SUCCESS;
+			reply[i].resp = COPY_STRING(cred->uname);
+			/* PAM frees resp. */
+			break;
+		case PAM_PROMPT_ECHO_OFF:       /* assume want password */
+			reply[i].resp_retcode = PAM_SUCCESS;
+			reply[i].resp = COPY_STRING(cred->pass);
+			/* PAM frees resp. */
+			break;
+		case PAM_TEXT_INFO:
+		case PAM_ERROR_MSG:
+			reply[i].resp_retcode = PAM_SUCCESS;
+			reply[i].resp = NULL;
+			break;
+		default:                        /* unknown message style */
+			free(reply);
+			return PAM_CONV_ERR;
+		}
+	}
+
+	*resp = reply;
+	return PAM_SUCCESS;
+}
+
+/*
+ * The PAM version as a side effect may put a new username in *name.
+ */
+int check_user(const char *name, const char *pass)
+{
+	pam_handle_t *pamh = NULL;
+	const char *tmpl_user;
+	const void *item;
+	int rval;
+	int e;
+	cred_t auth_cred = { name, pass };
+	struct pam_conv conv = { &auth_conv, &auth_cred };
+
+	e = pam_start("telnetd", name, &conv, &pamh);
+	if (e != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
+		return 0;
+	}
+
+#if 0 /* Where can we find this value? */
+	e = pam_set_item(pamh, PAM_RHOST, remotehost);
+	if (e != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
+			pam_strerror(pamh, e));
+		return 0;
+	}
+#endif
+
+	e = pam_authenticate(pamh, 0);
+	switch (e) {
+	case PAM_SUCCESS:
+		/*
+		 * With PAM we support the concept of a "template"
+		 * user.  The user enters a login name which is
+		 * authenticated by PAM, usually via a remote service
+		 * such as RADIUS or TACACS+.  If authentication
+		 * succeeds, a different but related "template" name
+		 * is used for setting the credentials, shell, and
+		 * home directory.  The name the user enters need only
+		 * exist on the remote authentication server, but the
+		 * template name must be present in the local password
+		 * database.
+		 *
+		 * This is supported by two various mechanisms in the
+		 * individual modules.  However, from the application's
+		 * point of view, the template user is always passed
+		 * back as a changed value of the PAM_USER item.
+		 */
+		if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
+		    PAM_SUCCESS) {
+			strcpy(name, (const char *) item);
+		} else
+			syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
+			pam_strerror(pamh, e));
+		if (isroot(name) && !rootterm(line))
+			rval = 0;
+		else
+			rval = 1;
+		break;
+
+	case PAM_AUTH_ERR:
+	case PAM_USER_UNKNOWN:
+	case PAM_MAXTRIES:
+		rval = 0;
+	break;
+
+	default:
+		syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
+		rval = 0;
+		break;
+	}
+
+	if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
+		syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
+		rval = 0;
+	}
+	return rval;
+}
+
+#endif
+
+#endif
+
diff --git a/crypto/telnet/telnet/authenc.c b/crypto/telnet/telnet/authenc.c
new file mode 100644
index 0000000..47b242f
--- /dev/null
+++ b/crypto/telnet/telnet/authenc.c
@@ -0,0 +1,116 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)authenc.c	8.1 (Berkeley) 6/6/93";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <libtelnet/encrypt.h>
+#include <libtelnet/misc.h>
+
+#include "general.h"
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+
+	int
+net_write(str, len)
+	unsigned char *str;
+	int len;
+{
+	if (NETROOM() > len) {
+		ring_supply_data(&netoring, str, len);
+		if (str[0] == IAC && str[1] == SE)
+			printsub('>', &str[2], len-2);
+		return(len);
+	}
+	return(0);
+}
+
+	void
+net_encrypt()
+{
+#ifdef	ENCRYPTION
+	if (encrypt_output)
+		ring_encrypt(&netoring, encrypt_output);
+	else
+		ring_clearto(&netoring);
+#endif	/* ENCRYPTION */
+}
+
+	int
+telnet_spin()
+{
+	return(-1);
+}
+
+	char *
+telnet_getenv(val)
+	char *val;
+{
+	return((char *)env_getvalue((unsigned char *)val));
+}
+
+	char *
+telnet_gets(prompt, result, length, echo)
+	char *prompt;
+	char *result;
+	int length;
+	int echo;
+{
+	extern char *getpass();
+	extern int globalmode;
+	int om = globalmode;
+	char *res;
+
+	TerminalNewMode(-1);
+	if (echo) {
+		printf("%s", prompt);
+		res = fgets(result, length, stdin);
+	} else if ((res = getpass(prompt))) {
+		strncpy(result, res, length);
+		res = result;
+	}
+	TerminalNewMode(om);
+	return(res);
+}
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION) */
diff --git a/crypto/telnet/telnet/commands.c b/crypto/telnet/telnet/commands.c
new file mode 100644
index 0000000..ab25963
--- /dev/null
+++ b/crypto/telnet/telnet/commands.c
@@ -0,0 +1,3265 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef lint
+static const char sccsid[] = "@(#)commands.c	8.4 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+#if	defined(unix)
+#include <sys/param.h>
+#include <sys/un.h>
+#if	defined(CRAY) || defined(sysV88)
+#include <sys/types.h>
+#endif
+#include <sys/file.h>
+#else
+#include <sys/types.h>
+#endif	/* defined(unix) */
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifdef	CRAY
+#include <fcntl.h>
+#endif	/* CRAY */
+
+#include <signal.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <pwd.h>
+#include <varargs.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <arpa/telnet.h>
+
+#include "general.h"
+
+#include "ring.h"
+
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+#if !defined(CRAY) && !defined(sysV88)
+#include <netinet/in_systm.h>
+# if (defined(vax) || defined(tahoe) || defined(hp300)) && !defined(ultrix)
+# include <machine/endian.h>
+# endif /* vax */
+#endif /* !defined(CRAY) && !defined(sysV88) */
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+
+
+#ifndef	MAXHOSTNAMELEN
+#define	MAXHOSTNAMELEN 256
+#endif	MAXHOSTNAMELEN
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+int tos = -1;
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+
+char	*hostname;
+static char _hostname[MAXHOSTNAMELEN];
+
+extern char *getenv();
+
+extern int isprefix();
+extern char **genget();
+extern int Ambiguous();
+
+static int help(int argc, char *argv[]);
+static int call();
+static void cmdrc(char *m1, char *m2);
+static int switch_af(struct addrinfo **aip);
+
+int quit(void);
+
+typedef struct {
+	char	*name;		/* command name */
+	char	*help;		/* help string (NULL for no help) */
+	int	(*handler)();	/* routine which executes command */
+	int	needconnect;	/* Do we need to be connected to execute? */
+} Command;
+
+static char line[256];
+static char saveline[256];
+static int margc;
+static char *margv[20];
+
+#if	defined(SKEY)
+#include <sys/wait.h>
+#define PATH_SKEY	"/usr/bin/key"
+    int
+skey_calc(argc, argv)
+	int argc;
+	char **argv;
+{
+	int status;
+
+	if(argc != 3) {
+		printf("%s sequence challenge\n", argv[0]);
+		return;
+	}
+
+	switch(fork()) {
+	case 0:
+		execv(PATH_SKEY, argv);
+		exit (1);
+	case -1:
+		perror("fork");
+		break;
+	default:
+		(void) wait(&status);
+		if (WIFEXITED(status))
+			return (WEXITSTATUS(status));
+		return (0);
+	}
+}
+#endif
+
+    static void
+makeargv()
+{
+    register char *cp, *cp2, c;
+    register char **argp = margv;
+
+    margc = 0;
+    cp = line;
+    if (*cp == '!') {		/* Special case shell escape */
+	strcpy(saveline, line);	/* save for shell command */
+	*argp++ = "!";		/* No room in string to get this */
+	margc++;
+	cp++;
+    }
+    while ((c = *cp)) {
+	register int inquote = 0;
+	while (isspace(c))
+	    c = *++cp;
+	if (c == '\0')
+	    break;
+	*argp++ = cp;
+	margc += 1;
+	for (cp2 = cp; c != '\0'; c = *++cp) {
+	    if (inquote) {
+		if (c == inquote) {
+		    inquote = 0;
+		    continue;
+		}
+	    } else {
+		if (c == '\\') {
+		    if ((c = *++cp) == '\0')
+			break;
+		} else if (c == '"') {
+		    inquote = '"';
+		    continue;
+		} else if (c == '\'') {
+		    inquote = '\'';
+		    continue;
+		} else if (isspace(c))
+		    break;
+	    }
+	    *cp2++ = c;
+	}
+	*cp2 = '\0';
+	if (c == '\0')
+	    break;
+	cp++;
+    }
+    *argp++ = 0;
+}
+
+/*
+ * Make a character string into a number.
+ *
+ * Todo:  1.  Could take random integers (12, 0x12, 012, 0b1).
+ */
+
+	static int
+special(s)
+	register char *s;
+{
+	register char c;
+	char b;
+
+	switch (*s) {
+	case '^':
+		b = *++s;
+		if (b == '?') {
+		    c = b | 0x40;		/* DEL */
+		} else {
+		    c = b & 0x1f;
+		}
+		break;
+	default:
+		c = *s;
+		break;
+	}
+	return c;
+}
+
+/*
+ * Construct a control character sequence
+ * for a special character.
+ */
+	static char *
+control(c)
+	register cc_t c;
+{
+	static char buf[5];
+	/*
+	 * The only way I could get the Sun 3.5 compiler
+	 * to shut up about
+	 *	if ((unsigned int)c >= 0x80)
+	 * was to assign "c" to an unsigned int variable...
+	 * Arggg....
+	 */
+	register unsigned int uic = (unsigned int)c;
+
+	if (uic == 0x7f)
+		return ("^?");
+	if (c == (cc_t)_POSIX_VDISABLE) {
+		return "off";
+	}
+	if (uic >= 0x80) {
+		buf[0] = '\\';
+		buf[1] = ((c>>6)&07) + '0';
+		buf[2] = ((c>>3)&07) + '0';
+		buf[3] = (c&07) + '0';
+		buf[4] = 0;
+	} else if (uic >= 0x20) {
+		buf[0] = c;
+		buf[1] = 0;
+	} else {
+		buf[0] = '^';
+		buf[1] = '@'+c;
+		buf[2] = 0;
+	}
+	return (buf);
+}
+
+
+
+/*
+ *	The following are data structures and routines for
+ *	the "send" command.
+ *
+ */
+
+struct sendlist {
+    char	*name;		/* How user refers to it (case independent) */
+    char	*help;		/* Help information (0 ==> no help) */
+    int		needconnect;	/* Need to be connected */
+    int		narg;		/* Number of arguments */
+    int		(*handler)();	/* Routine to perform (for special ops) */
+    int		nbyte;		/* Number of bytes to send this command */
+    int		what;		/* Character to be sent (<0 ==> special) */
+};
+
+
+static int
+	send_esc P((void)),
+	send_help P((void)),
+	send_docmd P((char *)),
+	send_dontcmd P((char *)),
+	send_willcmd P((char *)),
+	send_wontcmd P((char *));
+
+static struct sendlist Sendlist[] = {
+    { "ao",	"Send Telnet Abort output",		1, 0, 0, 2, AO },
+    { "ayt",	"Send Telnet 'Are You There'",		1, 0, 0, 2, AYT },
+    { "brk",	"Send Telnet Break",			1, 0, 0, 2, BREAK },
+    { "break",	0,					1, 0, 0, 2, BREAK },
+    { "ec",	"Send Telnet Erase Character",		1, 0, 0, 2, EC },
+    { "el",	"Send Telnet Erase Line",		1, 0, 0, 2, EL },
+    { "escape",	"Send current escape character",	1, 0, send_esc, 1, 0 },
+    { "ga",	"Send Telnet 'Go Ahead' sequence",	1, 0, 0, 2, GA },
+    { "ip",	"Send Telnet Interrupt Process",	1, 0, 0, 2, IP },
+    { "intp",	0,					1, 0, 0, 2, IP },
+    { "interrupt", 0,					1, 0, 0, 2, IP },
+    { "intr",	0,					1, 0, 0, 2, IP },
+    { "nop",	"Send Telnet 'No operation'",		1, 0, 0, 2, NOP },
+    { "eor",	"Send Telnet 'End of Record'",		1, 0, 0, 2, EOR },
+    { "abort",	"Send Telnet 'Abort Process'",		1, 0, 0, 2, ABORT },
+    { "susp",	"Send Telnet 'Suspend Process'",	1, 0, 0, 2, SUSP },
+    { "eof",	"Send Telnet End of File Character",	1, 0, 0, 2, xEOF },
+    { "synch",	"Perform Telnet 'Synch operation'",	1, 0, dosynch, 2, 0 },
+    { "getstatus", "Send request for STATUS",		1, 0, get_status, 6, 0 },
+    { "?",	"Display send options",			0, 0, send_help, 0, 0 },
+    { "help",	0,					0, 0, send_help, 0, 0 },
+    { "do",	0,					0, 1, send_docmd, 3, 0 },
+    { "dont",	0,					0, 1, send_dontcmd, 3, 0 },
+    { "will",	0,					0, 1, send_willcmd, 3, 0 },
+    { "wont",	0,					0, 1, send_wontcmd, 3, 0 },
+    { 0 }
+};
+
+#define	GETSEND(name) ((struct sendlist *) genget(name, (char **) Sendlist, \
+				sizeof(struct sendlist)))
+
+    static int
+sendcmd(argc, argv)
+    int  argc;
+    char **argv;
+{
+    int count;		/* how many bytes we are going to need to send */
+    int i;
+    struct sendlist *s;	/* pointer to current command */
+    int success = 0;
+    int needconnect = 0;
+
+    if (argc < 2) {
+	printf("need at least one argument for 'send' command\n");
+	printf("'send ?' for help\n");
+	return 0;
+    }
+    /*
+     * First, validate all the send arguments.
+     * In addition, we see how much space we are going to need, and
+     * whether or not we will be doing a "SYNCH" operation (which
+     * flushes the network queue).
+     */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+	s = GETSEND(argv[i]);
+	if (s == 0) {
+	    printf("Unknown send argument '%s'\n'send ?' for help.\n",
+			argv[i]);
+	    return 0;
+	} else if (Ambiguous(s)) {
+	    printf("Ambiguous send argument '%s'\n'send ?' for help.\n",
+			argv[i]);
+	    return 0;
+	}
+	if (i + s->narg >= argc) {
+	    fprintf(stderr,
+	    "Need %d argument%s to 'send %s' command.  'send %s ?' for help.\n",
+		s->narg, s->narg == 1 ? "" : "s", s->name, s->name);
+	    return 0;
+	}
+	count += s->nbyte;
+	if (s->handler == send_help) {
+	    send_help();
+	    return 0;
+	}
+
+	i += s->narg;
+	needconnect += s->needconnect;
+    }
+    if (!connected && needconnect) {
+	printf("?Need to be connected first.\n");
+	printf("'send ?' for help\n");
+	return 0;
+    }
+    /* Now, do we have enough room? */
+    if (NETROOM() < count) {
+	printf("There is not enough room in the buffer TO the network\n");
+	printf("to process your request.  Nothing will be done.\n");
+	printf("('send synch' will throw away most data in the network\n");
+	printf("buffer, if this might help.)\n");
+	return 0;
+    }
+    /* OK, they are all OK, now go through again and actually send */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+	if ((s = GETSEND(argv[i])) == 0) {
+	    fprintf(stderr, "Telnet 'send' error - argument disappeared!\n");
+	    (void) quit();
+	    /*NOTREACHED*/
+	}
+	if (s->handler) {
+	    count++;
+	    success += (*s->handler)((s->narg > 0) ? argv[i+1] : 0,
+				  (s->narg > 1) ? argv[i+2] : 0);
+	    i += s->narg;
+	} else {
+	    NET2ADD(IAC, s->what);
+	    printoption("SENT", IAC, s->what);
+	}
+    }
+    return (count == success);
+}
+
+    static int
+send_esc()
+{
+    NETADD(escape);
+    return 1;
+}
+
+    static int
+send_docmd(name)
+    char *name;
+{
+    return(send_tncmd(send_do, "do", name));
+}
+
+    static int
+send_dontcmd(name)
+    char *name;
+{
+    return(send_tncmd(send_dont, "dont", name));
+}
+    static int
+send_willcmd(name)
+    char *name;
+{
+    return(send_tncmd(send_will, "will", name));
+}
+    static int
+send_wontcmd(name)
+    char *name;
+{
+    return(send_tncmd(send_wont, "wont", name));
+}
+
+    int
+send_tncmd(func, cmd, name)
+    void	(*func)();
+    char	*cmd, *name;
+{
+    char **cpp;
+    extern char *telopts[];
+    register int val = 0;
+
+    if (isprefix(name, "help") || isprefix(name, "?")) {
+	register int col, len;
+
+	printf("Usage: send %s <value|option>\n", cmd);
+	printf("\"value\" must be from 0 to 255\n");
+	printf("Valid options are:\n\t");
+
+	col = 8;
+	for (cpp = telopts; *cpp; cpp++) {
+	    len = strlen(*cpp) + 3;
+	    if (col + len > 65) {
+		printf("\n\t");
+		col = 8;
+	    }
+	    printf(" \"%s\"", *cpp);
+	    col += len;
+	}
+	printf("\n");
+	return 0;
+    }
+    cpp = (char **)genget(name, telopts, sizeof(char *));
+    if (Ambiguous(cpp)) {
+	fprintf(stderr,"'%s': ambiguous argument ('send %s ?' for help).\n",
+					name, cmd);
+	return 0;
+    }
+    if (cpp) {
+	val = cpp - telopts;
+    } else {
+	register char *cp = name;
+
+	while (*cp >= '0' && *cp <= '9') {
+	    val *= 10;
+	    val += *cp - '0';
+	    cp++;
+	}
+	if (*cp != 0) {
+	    fprintf(stderr, "'%s': unknown argument ('send %s ?' for help).\n",
+					name, cmd);
+	    return 0;
+	} else if (val < 0 || val > 255) {
+	    fprintf(stderr, "'%s': bad value ('send %s ?' for help).\n",
+					name, cmd);
+	    return 0;
+	}
+    }
+    if (!connected) {
+	printf("?Need to be connected first.\n");
+	return 0;
+    }
+    (*func)(val, 1);
+    return 1;
+}
+
+    static int
+send_help()
+{
+    struct sendlist *s;	/* pointer to current command */
+    for (s = Sendlist; s->name; s++) {
+	if (s->help)
+	    printf("%-15s %s\n", s->name, s->help);
+    }
+    return(0);
+}
+
+/*
+ * The following are the routines and data structures referred
+ * to by the arguments to the "toggle" command.
+ */
+
+    static int
+lclchars()
+{
+    donelclchars = 1;
+    return 1;
+}
+
+    static int
+togdebug()
+{
+#ifndef	NOT43
+    if (net > 0 &&
+	(SetSockOpt(net, SOL_SOCKET, SO_DEBUG, debug)) < 0) {
+	    perror("setsockopt (SO_DEBUG)");
+    }
+#else	/* NOT43 */
+    if (debug) {
+	if (net > 0 && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 1) < 0)
+	    perror("setsockopt (SO_DEBUG)");
+    } else
+	printf("Cannot turn off socket debugging\n");
+#endif	/* NOT43 */
+    return 1;
+}
+
+
+    static int
+togcrlf()
+{
+    if (crlf) {
+	printf("Will send carriage returns as telnet <CR><LF>.\n");
+    } else {
+	printf("Will send carriage returns as telnet <CR><NUL>.\n");
+    }
+    return 1;
+}
+
+int binmode;
+
+    static int
+togbinary(val)
+    int val;
+{
+    donebinarytoggle = 1;
+
+    if (val >= 0) {
+	binmode = val;
+    } else {
+	if (my_want_state_is_will(TELOPT_BINARY) &&
+				my_want_state_is_do(TELOPT_BINARY)) {
+	    binmode = 1;
+	} else if (my_want_state_is_wont(TELOPT_BINARY) &&
+				my_want_state_is_dont(TELOPT_BINARY)) {
+	    binmode = 0;
+	}
+	val = binmode ? 0 : 1;
+    }
+
+    if (val == 1) {
+	if (my_want_state_is_will(TELOPT_BINARY) &&
+					my_want_state_is_do(TELOPT_BINARY)) {
+	    printf("Already operating in binary mode with remote host.\n");
+	} else {
+	    printf("Negotiating binary mode with remote host.\n");
+	    tel_enter_binary(3);
+	}
+    } else {
+	if (my_want_state_is_wont(TELOPT_BINARY) &&
+					my_want_state_is_dont(TELOPT_BINARY)) {
+	    printf("Already in network ascii mode with remote host.\n");
+	} else {
+	    printf("Negotiating network ascii mode with remote host.\n");
+	    tel_leave_binary(3);
+	}
+    }
+    return 1;
+}
+
+    static int
+togrbinary(val)
+    int val;
+{
+    donebinarytoggle = 1;
+
+    if (val == -1)
+	val = my_want_state_is_do(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+	if (my_want_state_is_do(TELOPT_BINARY)) {
+	    printf("Already receiving in binary mode.\n");
+	} else {
+	    printf("Negotiating binary mode on input.\n");
+	    tel_enter_binary(1);
+	}
+    } else {
+	if (my_want_state_is_dont(TELOPT_BINARY)) {
+	    printf("Already receiving in network ascii mode.\n");
+	} else {
+	    printf("Negotiating network ascii mode on input.\n");
+	    tel_leave_binary(1);
+	}
+    }
+    return 1;
+}
+
+    static int
+togxbinary(val)
+    int val;
+{
+    donebinarytoggle = 1;
+
+    if (val == -1)
+	val = my_want_state_is_will(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+	if (my_want_state_is_will(TELOPT_BINARY)) {
+	    printf("Already transmitting in binary mode.\n");
+	} else {
+	    printf("Negotiating binary mode on output.\n");
+	    tel_enter_binary(2);
+	}
+    } else {
+	if (my_want_state_is_wont(TELOPT_BINARY)) {
+	    printf("Already transmitting in network ascii mode.\n");
+	} else {
+	    printf("Negotiating network ascii mode on output.\n");
+	    tel_leave_binary(2);
+	}
+    }
+    return 1;
+}
+
+
+static int togglehelp P((void));
+#if	defined(AUTHENTICATION)
+extern int auth_togdebug P((int));
+#endif
+#ifdef	ENCRYPTION
+extern int EncryptAutoEnc P((int));
+extern int EncryptAutoDec P((int));
+extern int EncryptDebug P((int));
+extern int EncryptVerbose P((int));
+#endif	/* ENCRYPTION */
+
+struct togglelist {
+    char	*name;		/* name of toggle */
+    char	*help;		/* help message */
+    int		(*handler)();	/* routine to do actual setting */
+    int		*variable;
+    char	*actionexplanation;
+};
+
+static struct togglelist Togglelist[] = {
+    { "autoflush",
+	"flushing of output when sending interrupt characters",
+	    0,
+		&autoflush,
+		    "flush output when sending interrupt characters" },
+    { "autosynch",
+	"automatic sending of interrupt characters in urgent mode",
+	    0,
+		&autosynch,
+		    "send interrupt characters in urgent mode" },
+#if	defined(AUTHENTICATION)
+    { "autologin",
+	"automatic sending of login and/or authentication info",
+	    0,
+		&autologin,
+		    "send login name and/or authentication information" },
+    { "authdebug",
+	"Toggle authentication debugging",
+	    auth_togdebug,
+		0,
+		     "print authentication debugging information" },
+#endif
+#ifdef	ENCRYPTION
+    { "autoencrypt",
+	"automatic encryption of data stream",
+	    EncryptAutoEnc,
+		0,
+		    "automatically encrypt output" },
+    { "autodecrypt",
+	"automatic decryption of data stream",
+	    EncryptAutoDec,
+		0,
+		    "automatically decrypt input" },
+    { "verbose_encrypt",
+	"Toggle verbose encryption output",
+	    EncryptVerbose,
+		0,
+		    "print verbose encryption output" },
+    { "encdebug",
+	"Toggle encryption debugging",
+	    EncryptDebug,
+		0,
+		    "print encryption debugging information" },
+#endif	/* ENCRYPTION */
+    { "skiprc",
+	"don't read ~/.telnetrc file",
+	    0,
+		&skiprc,
+		    "skip reading of ~/.telnetrc file" },
+    { "binary",
+	"sending and receiving of binary data",
+	    togbinary,
+		0,
+		    0 },
+    { "inbinary",
+	"receiving of binary data",
+	    togrbinary,
+		0,
+		    0 },
+    { "outbinary",
+	"sending of binary data",
+	    togxbinary,
+		0,
+		    0 },
+    { "crlf",
+	"sending carriage returns as telnet <CR><LF>",
+	    togcrlf,
+		&crlf,
+		    0 },
+    { "crmod",
+	"mapping of received carriage returns",
+	    0,
+		&crmod,
+		    "map carriage return on output" },
+    { "localchars",
+	"local recognition of certain control characters",
+	    lclchars,
+		&localchars,
+		    "recognize certain control characters" },
+    { " ", "", 0 },		/* empty line */
+#if	defined(unix) && defined(TN3270)
+    { "apitrace",
+	"(debugging) toggle tracing of API transactions",
+	    0,
+		&apitrace,
+		    "trace API transactions" },
+    { "cursesdata",
+	"(debugging) toggle printing of hexadecimal curses data",
+	    0,
+		&cursesdata,
+		    "print hexadecimal representation of curses data" },
+#endif	/* defined(unix) && defined(TN3270) */
+    { "debug",
+	"debugging",
+	    togdebug,
+		&debug,
+		    "turn on socket level debugging" },
+    { "netdata",
+	"printing of hexadecimal network data (debugging)",
+	    0,
+		&netdata,
+		    "print hexadecimal representation of network traffic" },
+    { "prettydump",
+	"output of \"netdata\" to user readable format (debugging)",
+	    0,
+		&prettydump,
+		    "print user readable output for \"netdata\"" },
+    { "options",
+	"viewing of options processing (debugging)",
+	    0,
+		&showoptions,
+		    "show option processing" },
+#if	defined(unix)
+    { "termdata",
+	"(debugging) toggle printing of hexadecimal terminal data",
+	    0,
+		&termdata,
+		    "print hexadecimal representation of terminal traffic" },
+#endif	/* defined(unix) */
+    { "?",
+	0,
+	    togglehelp },
+    { "help",
+	0,
+	    togglehelp },
+    { 0 }
+};
+
+    static int
+togglehelp()
+{
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s toggle %s\n", c->name, c->help);
+	    else
+		printf("\n");
+	}
+    }
+    printf("\n");
+    printf("%-15s %s\n", "?", "display help information");
+    return 0;
+}
+
+    static void
+settogglehelp(set)
+    int set;
+{
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s %s\n", c->name, set ? "enable" : "disable",
+						c->help);
+	    else
+		printf("\n");
+	}
+    }
+}
+
+#define	GETTOGGLE(name) (struct togglelist *) \
+		genget(name, (char **) Togglelist, sizeof(struct togglelist))
+
+    static int
+toggle(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    int retval = 1;
+    char *name;
+    struct togglelist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'toggle' command.  'toggle ?' for help.\n");
+	return 0;
+    }
+    argc--;
+    argv++;
+    while (argc--) {
+	name = *argv++;
+	c = GETTOGGLE(name);
+	if (Ambiguous(c)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('toggle ?' for help).\n",
+					name);
+	    return 0;
+	} else if (c == 0) {
+	    fprintf(stderr, "'%s': unknown argument ('toggle ?' for help).\n",
+					name);
+	    return 0;
+	} else {
+	    if (c->variable) {
+		*c->variable = !*c->variable;		/* invert it */
+		if (c->actionexplanation) {
+		    printf("%s %s.\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+		}
+	    }
+	    if (c->handler) {
+		retval &= (*c->handler)(-1);
+	    }
+	}
+    }
+    return retval;
+}
+
+/*
+ * The following perform the "set" command.
+ */
+
+#ifdef	USE_TERMIO
+struct termio new_tc = { 0 };
+#endif
+
+struct setlist {
+    char *name;				/* name */
+    char *help;				/* help information */
+    void (*handler)();
+    cc_t *charp;			/* where it is located at */
+};
+
+static struct setlist Setlist[] = {
+#ifdef	KLUDGELINEMODE
+    { "echo", 	"character to toggle local echoing on/off", 0, &echoc },
+#endif
+    { "escape",	"character to escape back to telnet command mode", 0, &escape },
+    { "rlogin", "rlogin escape character", 0, &rlogin },
+    { "tracefile", "file to write trace information to", SetNetTrace, (cc_t *)NetTraceFile},
+    { " ", "" },
+    { " ", "The following need 'localchars' to be toggled true", 0, 0 },
+    { "flushoutput", "character to cause an Abort Output", 0, termFlushCharp },
+    { "interrupt", "character to cause an Interrupt Process", 0, termIntCharp },
+    { "quit",	"character to cause an Abort process", 0, termQuitCharp },
+    { "eof",	"character to cause an EOF ", 0, termEofCharp },
+    { " ", "" },
+    { " ", "The following are for local editing in linemode", 0, 0 },
+    { "erase",	"character to use to erase a character", 0, termEraseCharp },
+    { "kill",	"character to use to erase a line", 0, termKillCharp },
+    { "lnext",	"character to use for literal next", 0, termLiteralNextCharp },
+    { "susp",	"character to cause a Suspend Process", 0, termSuspCharp },
+    { "reprint", "character to use for line reprint", 0, termRprntCharp },
+    { "worderase", "character to use to erase a word", 0, termWerasCharp },
+    { "start",	"character to use for XON", 0, termStartCharp },
+    { "stop",	"character to use for XOFF", 0, termStopCharp },
+    { "forw1",	"alternate end of line character", 0, termForw1Charp },
+    { "forw2",	"alternate end of line character", 0, termForw2Charp },
+    { "ayt",	"alternate AYT character", 0, termAytCharp },
+    { 0 }
+};
+
+#if	defined(CRAY) && !defined(__STDC__)
+/* Work around compiler bug in pcc 4.1.5 */
+    void
+_setlist_init()
+{
+#ifndef	KLUDGELINEMODE
+#define	N 5
+#else
+#define	N 6
+#endif
+	Setlist[N+0].charp = &termFlushChar;
+	Setlist[N+1].charp = &termIntChar;
+	Setlist[N+2].charp = &termQuitChar;
+	Setlist[N+3].charp = &termEofChar;
+	Setlist[N+6].charp = &termEraseChar;
+	Setlist[N+7].charp = &termKillChar;
+	Setlist[N+8].charp = &termLiteralNextChar;
+	Setlist[N+9].charp = &termSuspChar;
+	Setlist[N+10].charp = &termRprntChar;
+	Setlist[N+11].charp = &termWerasChar;
+	Setlist[N+12].charp = &termStartChar;
+	Setlist[N+13].charp = &termStopChar;
+	Setlist[N+14].charp = &termForw1Char;
+	Setlist[N+15].charp = &termForw2Char;
+	Setlist[N+16].charp = &termAytChar;
+#undef	N
+}
+#endif	/* defined(CRAY) && !defined(__STDC__) */
+
+    static struct setlist *
+getset(name)
+    char *name;
+{
+    return (struct setlist *)
+		genget(name, (char **) Setlist, sizeof(struct setlist));
+}
+
+    void
+set_escape_char(s)
+    char *s;
+{
+	if (rlogin != _POSIX_VDISABLE) {
+		rlogin = (s && *s) ? special(s) : _POSIX_VDISABLE;
+		printf("Telnet rlogin escape character is '%s'.\n",
+					control(rlogin));
+	} else {
+		escape = (s && *s) ? special(s) : _POSIX_VDISABLE;
+		printf("Telnet escape character is '%s'.\n", control(escape));
+	}
+}
+
+    static int
+setcmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    int value;
+    struct setlist *ct;
+    struct togglelist *c;
+
+    if (argc < 2 || argc > 3) {
+	printf("Format is 'set Name Value'\n'set ?' for help.\n");
+	return 0;
+    }
+    if ((argc == 2) && (isprefix(argv[1], "?") || isprefix(argv[1], "help"))) {
+	for (ct = Setlist; ct->name; ct++)
+	    printf("%-15s %s\n", ct->name, ct->help);
+	printf("\n");
+	settogglehelp(1);
+	printf("%-15s %s\n", "?", "display help information");
+	return 0;
+    }
+
+    ct = getset(argv[1]);
+    if (ct == 0) {
+	c = GETTOGGLE(argv[1]);
+	if (c == 0) {
+	    fprintf(stderr, "'%s': unknown argument ('set ?' for help).\n",
+			argv[1]);
+	    return 0;
+	} else if (Ambiguous(c)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\n",
+			argv[1]);
+	    return 0;
+	}
+	if (c->variable) {
+	    if ((argc == 2) || (strcmp("on", argv[2]) == 0))
+		*c->variable = 1;
+	    else if (strcmp("off", argv[2]) == 0)
+		*c->variable = 0;
+	    else {
+		printf("Format is 'set togglename [on|off]'\n'set ?' for help.\n");
+		return 0;
+	    }
+	    if (c->actionexplanation) {
+		printf("%s %s.\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+	    }
+	}
+	if (c->handler)
+	    (*c->handler)(1);
+    } else if (argc != 3) {
+	printf("Format is 'set Name Value'\n'set ?' for help.\n");
+	return 0;
+    } else if (Ambiguous(ct)) {
+	fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\n",
+			argv[1]);
+	return 0;
+    } else if (ct->handler) {
+	(*ct->handler)(argv[2]);
+	printf("%s set to \"%s\".\n", ct->name, (char *)ct->charp);
+    } else {
+	if (strcmp("off", argv[2])) {
+	    value = special(argv[2]);
+	} else {
+	    value = _POSIX_VDISABLE;
+	}
+	*(ct->charp) = (cc_t)value;
+	printf("%s character is '%s'.\n", ct->name, control(*(ct->charp)));
+    }
+    slc_check();
+    return 1;
+}
+
+    static int
+unsetcmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct setlist *ct;
+    struct togglelist *c;
+    register char *name;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'unset' command.  'unset ?' for help.\n");
+	return 0;
+    }
+    if (isprefix(argv[1], "?") || isprefix(argv[1], "help")) {
+	for (ct = Setlist; ct->name; ct++)
+	    printf("%-15s %s\n", ct->name, ct->help);
+	printf("\n");
+	settogglehelp(0);
+	printf("%-15s %s\n", "?", "display help information");
+	return 0;
+    }
+
+    argc--;
+    argv++;
+    while (argc--) {
+	name = *argv++;
+	ct = getset(name);
+	if (ct == 0) {
+	    c = GETTOGGLE(name);
+	    if (c == 0) {
+		fprintf(stderr, "'%s': unknown argument ('unset ?' for help).\n",
+			name);
+		return 0;
+	    } else if (Ambiguous(c)) {
+		fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\n",
+			name);
+		return 0;
+	    }
+	    if (c->variable) {
+		*c->variable = 0;
+		if (c->actionexplanation) {
+		    printf("%s %s.\n", *c->variable? "Will" : "Won't",
+							c->actionexplanation);
+		}
+	    }
+	    if (c->handler)
+		(*c->handler)(0);
+	} else if (Ambiguous(ct)) {
+	    fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\n",
+			name);
+	    return 0;
+	} else if (ct->handler) {
+	    (*ct->handler)(0);
+	    printf("%s reset to \"%s\".\n", ct->name, (char *)ct->charp);
+	} else {
+	    *(ct->charp) = _POSIX_VDISABLE;
+	    printf("%s character is '%s'.\n", ct->name, control(*(ct->charp)));
+	}
+    }
+    return 1;
+}
+
+/*
+ * The following are the data structures and routines for the
+ * 'mode' command.
+ */
+#ifdef	KLUDGELINEMODE
+extern int kludgelinemode;
+
+    static int
+dokludgemode()
+{
+    kludgelinemode = 1;
+    send_wont(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_SGA, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+#endif
+
+    static int
+dolinemode()
+{
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode)
+	send_dont(TELOPT_SGA, 1);
+#endif
+    send_will(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+
+    static int
+docharmode()
+{
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode)
+	send_do(TELOPT_SGA, 1);
+    else
+#endif
+    send_wont(TELOPT_LINEMODE, 1);
+    send_do(TELOPT_ECHO, 1);
+    return 1;
+}
+
+    static int
+dolmmode(bit, on)
+    int bit, on;
+{
+    unsigned char c;
+    extern int linemode;
+
+    if (my_want_state_is_wont(TELOPT_LINEMODE)) {
+	printf("?Need to have LINEMODE option enabled first.\n");
+	printf("'mode ?' for help.\n");
+	return 0;
+    }
+
+    if (on)
+	c = (linemode | bit);
+    else
+	c = (linemode & ~bit);
+    lm_mode(&c, 1, 1);
+    return 1;
+}
+
+    int
+setmod(bit)
+{
+    return dolmmode(bit, 1);
+}
+
+    int
+clearmode(bit)
+{
+    return dolmmode(bit, 0);
+}
+
+struct modelist {
+	char	*name;		/* command name */
+	char	*help;		/* help string */
+	int	(*handler)();	/* routine which executes command */
+	int	needconnect;	/* Do we need to be connected to execute? */
+	int	arg1;
+};
+
+extern int modehelp();
+
+static struct modelist ModeList[] = {
+    { "character", "Disable LINEMODE option",	docharmode, 1 },
+#ifdef	KLUDGELINEMODE
+    { "",	"(or disable obsolete line-by-line mode)", 0 },
+#endif
+    { "line",	"Enable LINEMODE option",	dolinemode, 1 },
+#ifdef	KLUDGELINEMODE
+    { "",	"(or enable obsolete line-by-line mode)", 0 },
+#endif
+    { "", "", 0 },
+    { "",	"These require the LINEMODE option to be enabled", 0 },
+    { "isig",	"Enable signal trapping",	setmod, 1, MODE_TRAPSIG },
+    { "+isig",	0,				setmod, 1, MODE_TRAPSIG },
+    { "-isig",	"Disable signal trapping",	clearmode, 1, MODE_TRAPSIG },
+    { "edit",	"Enable character editing",	setmod, 1, MODE_EDIT },
+    { "+edit",	0,				setmod, 1, MODE_EDIT },
+    { "-edit",	"Disable character editing",	clearmode, 1, MODE_EDIT },
+    { "softtabs", "Enable tab expansion",	setmod, 1, MODE_SOFT_TAB },
+    { "+softtabs", 0,				setmod, 1, MODE_SOFT_TAB },
+    { "-softtabs", "Disable character editing",	clearmode, 1, MODE_SOFT_TAB },
+    { "litecho", "Enable literal character echo", setmod, 1, MODE_LIT_ECHO },
+    { "+litecho", 0,				setmod, 1, MODE_LIT_ECHO },
+    { "-litecho", "Disable literal character echo", clearmode, 1, MODE_LIT_ECHO },
+    { "help",	0,				modehelp, 0 },
+#ifdef	KLUDGELINEMODE
+    { "kludgeline", 0,				dokludgemode, 1 },
+#endif
+    { "", "", 0 },
+    { "?",	"Print help information",	modehelp, 0 },
+    { 0 },
+};
+
+
+    int
+modehelp()
+{
+    struct modelist *mt;
+
+    printf("format is:  'mode Mode', where 'Mode' is one of:\n\n");
+    for (mt = ModeList; mt->name; mt++) {
+	if (mt->help) {
+	    if (*mt->help)
+		printf("%-15s %s\n", mt->name, mt->help);
+	    else
+		printf("\n");
+	}
+    }
+    return 0;
+}
+
+#define	GETMODECMD(name) (struct modelist *) \
+		genget(name, (char **) ModeList, sizeof(struct modelist))
+
+    static int
+modecmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct modelist *mt;
+
+    if (argc != 2) {
+	printf("'mode' command requires an argument\n");
+	printf("'mode ?' for help.\n");
+    } else if ((mt = GETMODECMD(argv[1])) == 0) {
+	fprintf(stderr, "Unknown mode '%s' ('mode ?' for help).\n", argv[1]);
+    } else if (Ambiguous(mt)) {
+	fprintf(stderr, "Ambiguous mode '%s' ('mode ?' for help).\n", argv[1]);
+    } else if (mt->needconnect && !connected) {
+	printf("?Need to be connected first.\n");
+	printf("'mode ?' for help.\n");
+    } else if (mt->handler) {
+	return (*mt->handler)(mt->arg1);
+    }
+    return 0;
+}
+
+/*
+ * The following data structures and routines implement the
+ * "display" command.
+ */
+
+    static int
+display(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct togglelist *tl;
+    struct setlist *sl;
+
+#define	dotog(tl)	if (tl->variable && tl->actionexplanation) { \
+			    if (*tl->variable) { \
+				printf("will"); \
+			    } else { \
+				printf("won't"); \
+			    } \
+			    printf(" %s.\n", tl->actionexplanation); \
+			}
+
+#define	doset(sl)   if (sl->name && *sl->name != ' ') { \
+			if (sl->handler == 0) \
+			    printf("%-15s [%s]\n", sl->name, control(*sl->charp)); \
+			else \
+			    printf("%-15s \"%s\"\n", sl->name, (char *)sl->charp); \
+		    }
+
+    if (argc == 1) {
+	for (tl = Togglelist; tl->name; tl++) {
+	    dotog(tl);
+	}
+	printf("\n");
+	for (sl = Setlist; sl->name; sl++) {
+	    doset(sl);
+	}
+    } else {
+	int i;
+
+	for (i = 1; i < argc; i++) {
+	    sl = getset(argv[i]);
+	    tl = GETTOGGLE(argv[i]);
+	    if (Ambiguous(sl) || Ambiguous(tl)) {
+		printf("?Ambiguous argument '%s'.\n", argv[i]);
+		return 0;
+	    } else if (!sl && !tl) {
+		printf("?Unknown argument '%s'.\n", argv[i]);
+		return 0;
+	    } else {
+		if (tl) {
+		    dotog(tl);
+		}
+		if (sl) {
+		    doset(sl);
+		}
+	    }
+	}
+    }
+/*@*/optionstatus();
+#ifdef	ENCRYPTION
+    EncryptStatus();
+#endif	/* ENCRYPTION */
+    return 1;
+#undef	doset
+#undef	dotog
+}
+
+/*
+ * The following are the data structures, and many of the routines,
+ * relating to command processing.
+ */
+
+/*
+ * Set the escape character.
+ */
+	static int
+setescape(argc, argv)
+	int argc;
+	char *argv[];
+{
+	register char *arg;
+	char buf[50];
+
+	printf(
+	    "Deprecated usage - please use 'set escape%s%s' in the future.\n",
+				(argc > 2)? " ":"", (argc > 2)? argv[1]: "");
+	if (argc > 2)
+		arg = argv[1];
+	else {
+		printf("new escape character: ");
+		(void) fgets(buf, sizeof(buf), stdin);
+		arg = buf;
+	}
+	if (arg[0] != '\0')
+		escape = arg[0];
+	if (!In3270) {
+		printf("Escape character is '%s'.\n", control(escape));
+	}
+	(void) fflush(stdout);
+	return 1;
+}
+
+    /*VARARGS*/
+    static int
+togcrmod()
+{
+    crmod = !crmod;
+    printf("Deprecated usage - please use 'toggle crmod' in the future.\n");
+    printf("%s map carriage return on output.\n", crmod ? "Will" : "Won't");
+    (void) fflush(stdout);
+    return 1;
+}
+
+    /*VARARGS*/
+    int
+suspend()
+{
+#ifdef	SIGTSTP
+    setcommandmode();
+    {
+	long oldrows, oldcols, newrows, newcols, err;
+
+	err = (TerminalWindowSize(&oldrows, &oldcols) == 0) ? 1 : 0;
+	(void) kill(0, SIGTSTP);
+	/*
+	 * If we didn't get the window size before the SUSPEND, but we
+	 * can get them now (?), then send the NAWS to make sure that
+	 * we are set up for the right window size.
+	 */
+	if (TerminalWindowSize(&newrows, &newcols) && connected &&
+	    (err || ((oldrows != newrows) || (oldcols != newcols)))) {
+		sendnaws();
+	}
+    }
+    /* reget parameters in case they were changed */
+    TerminalSaveState();
+    setconnmode(0);
+#else
+    printf("Suspend is not supported.  Try the '!' command instead\n");
+#endif
+    return 1;
+}
+
+#if	!defined(TN3270)
+    /*ARGSUSED*/
+    int
+shell(argc, argv)
+    int argc;
+    char *argv[];
+{
+    long oldrows, oldcols, newrows, newcols, err;
+
+    setcommandmode();
+
+    err = (TerminalWindowSize(&oldrows, &oldcols) == 0) ? 1 : 0;
+    switch(vfork()) {
+    case -1:
+	perror("Fork failed\n");
+	break;
+
+    case 0:
+	{
+	    /*
+	     * Fire up the shell in the child.
+	     */
+	    register char *shellp, *shellname;
+	    extern char *strrchr();
+
+	    shellp = getenv("SHELL");
+	    if (shellp == NULL)
+		shellp = "/bin/sh";
+	    if ((shellname = strrchr(shellp, '/')) == 0)
+		shellname = shellp;
+	    else
+		shellname++;
+	    if (argc > 1)
+		execl(shellp, shellname, "-c", &saveline[1], 0);
+	    else
+		execl(shellp, shellname, 0);
+	    perror("Execl");
+	    _exit(1);
+	}
+    default:
+	    (void)wait((int *)0);	/* Wait for the shell to complete */
+
+	    if (TerminalWindowSize(&newrows, &newcols) && connected &&
+		(err || ((oldrows != newrows) || (oldcols != newcols)))) {
+		    sendnaws();
+	    }
+	    break;
+    }
+    return 1;
+}
+#else	/* !defined(TN3270) */
+extern int shell();
+#endif	/* !defined(TN3270) */
+
+    /*VARARGS*/
+    static int
+bye(argc, argv)
+    int  argc;		/* Number of arguments */
+    char *argv[];	/* arguments */
+{
+    extern int resettermname;
+
+    if (connected) {
+	(void) shutdown(net, 2);
+	printf("Connection closed.\n");
+	(void) NetClose(net);
+	connected = 0;
+	resettermname = 1;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	auth_encrypt_connect(connected);
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION) */
+	/* reset options */
+	tninit();
+#if	defined(TN3270)
+	SetIn3270();		/* Get out of 3270 mode */
+#endif	/* defined(TN3270) */
+    }
+    if ((argc != 2) || (strcmp(argv[1], "fromquit") != 0)) {
+	longjmp(toplevel, 1);
+	/* NOTREACHED */
+    }
+    return 1;			/* Keep lint, etc., happy */
+}
+
+/*VARARGS*/
+	int
+quit()
+{
+	(void) call(bye, "bye", "fromquit", 0);
+	Exit(0);
+	/*NOTREACHED*/
+}
+
+/*VARARGS*/
+	int
+logout()
+{
+	send_do(TELOPT_LOGOUT, 1);
+	(void) netflush();
+	return 1;
+}
+
+
+/*
+ * The SLC command.
+ */
+
+struct slclist {
+	char	*name;
+	char	*help;
+	void	(*handler)();
+	int	arg;
+};
+
+static void slc_help();
+
+struct slclist SlcList[] = {
+    { "export",	"Use local special character definitions",
+						slc_mode_export,	0 },
+    { "import",	"Use remote special character definitions",
+						slc_mode_import,	1 },
+    { "check",	"Verify remote special character definitions",
+						slc_mode_import,	0 },
+    { "help",	0,				slc_help,		0 },
+    { "?",	"Print help information",	slc_help,		0 },
+    { 0 },
+};
+
+    static void
+slc_help()
+{
+    struct slclist *c;
+
+    for (c = SlcList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\n", c->name, c->help);
+	    else
+		printf("\n");
+	}
+    }
+}
+
+    static struct slclist *
+getslc(name)
+    char *name;
+{
+    return (struct slclist *)
+		genget(name, (char **) SlcList, sizeof(struct slclist));
+}
+
+    static int
+slccmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct slclist *c;
+
+    if (argc != 2) {
+	fprintf(stderr,
+	    "Need an argument to 'slc' command.  'slc ?' for help.\n");
+	return 0;
+    }
+    c = getslc(argv[1]);
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('slc ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('slc ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    (*c->handler)(c->arg);
+    slcstate();
+    return 1;
+}
+
+/*
+ * The ENVIRON command.
+ */
+
+struct envlist {
+	char	*name;
+	char	*help;
+	void	(*handler)();
+	int	narg;
+};
+
+extern struct env_lst *
+	env_define P((unsigned char *, unsigned char *));
+extern void
+	env_undefine P((unsigned char *)),
+	env_export P((unsigned char *)),
+	env_unexport P((unsigned char *)),
+	env_send P((unsigned char *)),
+#if defined(OLD_ENVIRON) && defined(ENV_HACK)
+	env_varval P((unsigned char *)),
+#endif
+	env_list P((void));
+static void
+	env_help P((void));
+
+struct envlist EnvList[] = {
+    { "define",	"Define an environment variable",
+						(void (*)())env_define,	2 },
+    { "undefine", "Undefine an environment variable",
+						env_undefine,	1 },
+    { "export",	"Mark an environment variable for automatic export",
+						env_export,	1 },
+    { "unexport", "Don't mark an environment variable for automatic export",
+						env_unexport,	1 },
+    { "send",	"Send an environment variable", env_send,	1 },
+    { "list",	"List the current environment variables",
+						env_list,	0 },
+#if defined(OLD_ENVIRON) && defined(ENV_HACK)
+    { "varval", "Reverse VAR and VALUE (auto, right, wrong, status)",
+						env_varval,    1 },
+#endif
+    { "help",	0,				env_help,		0 },
+    { "?",	"Print help information",	env_help,		0 },
+    { 0 },
+};
+
+    static void
+env_help()
+{
+    struct envlist *c;
+
+    for (c = EnvList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\n", c->name, c->help);
+	    else
+		printf("\n");
+	}
+    }
+}
+
+    static struct envlist *
+getenvcmd(name)
+    char *name;
+{
+    return (struct envlist *)
+		genget(name, (char **) EnvList, sizeof(struct envlist));
+}
+
+	int
+env_cmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct envlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'environ' command.  'environ ?' for help.\n");
+	return 0;
+    }
+    c = getenvcmd(argv[1]);
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('environ ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('environ ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (c->narg + 2 != argc) {
+	fprintf(stderr,
+	    "Need %s%d argument%s to 'environ %s' command.  'environ ?' for help.\n",
+		c->narg < argc + 2 ? "only " : "",
+		c->narg, c->narg == 1 ? "" : "s", c->name);
+	return 0;
+    }
+    (*c->handler)(argv[2], argv[3]);
+    return 1;
+}
+
+struct env_lst {
+	struct env_lst *next;	/* pointer to next structure */
+	struct env_lst *prev;	/* pointer to previous structure */
+	unsigned char *var;	/* pointer to variable name */
+	unsigned char *value;	/* pointer to variable value */
+	int export;		/* 1 -> export with default list of variables */
+	int welldefined;	/* A well defined variable */
+};
+
+struct env_lst envlisthead;
+
+	struct env_lst *
+env_find(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	for (ep = envlisthead.next; ep; ep = ep->next) {
+		if (strcmp((char *)ep->var, (char *)var) == 0)
+			return(ep);
+	}
+	return(NULL);
+}
+
+	void
+env_init()
+{
+	extern char **environ;
+	register char **epp, *cp;
+	register struct env_lst *ep;
+	extern char *strchr();
+
+	for (epp = environ; *epp; epp++) {
+		if ((cp = strchr(*epp, '='))) {
+			*cp = '\0';
+			ep = env_define((unsigned char *)*epp,
+					(unsigned char *)cp+1);
+			ep->export = 0;
+			*cp = '=';
+		}
+	}
+	/*
+	 * Special case for DISPLAY variable.  If it is ":0.0" or
+	 * "unix:0.0", we have to get rid of "unix" and insert our
+	 * hostname.
+	 */
+	if ((ep = env_find("DISPLAY"))
+	    && ((*ep->value == ':')
+		|| (strncmp((char *)ep->value, "unix:", 5) == 0))) {
+		char hbuf[256+1];
+		char *cp2 = strchr((char *)ep->value, ':');
+
+		gethostname(hbuf, 256);
+		hbuf[256] = '\0';
+		cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1);
+		sprintf((char *)cp, "%s%s", hbuf, cp2);
+		free(ep->value);
+		ep->value = (unsigned char *)cp;
+	}
+	/*
+	 * If USER is not defined, but LOGNAME is, then add
+	 * USER with the value from LOGNAME.  By default, we
+	 * don't export the USER variable.
+	 */
+	if ((env_find("USER") == NULL) && (ep = env_find("LOGNAME"))) {
+		env_define((unsigned char *)"USER", ep->value);
+		env_unexport((unsigned char *)"USER");
+	}
+	env_export((unsigned char *)"DISPLAY");
+	env_export((unsigned char *)"PRINTER");
+}
+
+	struct env_lst *
+env_define(var, value)
+	unsigned char *var, *value;
+{
+	register struct env_lst *ep;
+
+	if ((ep = env_find(var))) {
+		if (ep->var)
+			free(ep->var);
+		if (ep->value)
+			free(ep->value);
+	} else {
+		ep = (struct env_lst *)malloc(sizeof(struct env_lst));
+		ep->next = envlisthead.next;
+		envlisthead.next = ep;
+		ep->prev = &envlisthead;
+		if (ep->next)
+			ep->next->prev = ep;
+	}
+	ep->welldefined = opt_welldefined(var);
+	ep->export = 1;
+	ep->var = (unsigned char *)strdup((char *)var);
+	ep->value = (unsigned char *)strdup((char *)value);
+	return(ep);
+}
+
+	void
+env_undefine(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	if ((ep = env_find(var))) {
+		ep->prev->next = ep->next;
+		if (ep->next)
+			ep->next->prev = ep->prev;
+		if (ep->var)
+			free(ep->var);
+		if (ep->value)
+			free(ep->value);
+		free(ep);
+	}
+}
+
+	void
+env_export(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		ep->export = 1;
+}
+
+	void
+env_unexport(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		ep->export = 0;
+}
+
+	void
+env_send(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	if (my_state_is_wont(TELOPT_NEW_ENVIRON)
+#ifdef	OLD_ENVIRON
+	    && my_state_is_wont(TELOPT_OLD_ENVIRON)
+#endif
+		) {
+		fprintf(stderr,
+		    "Cannot send '%s': Telnet ENVIRON option not enabled\n",
+									var);
+		return;
+	}
+	ep = env_find(var);
+	if (ep == 0) {
+		fprintf(stderr, "Cannot send '%s': variable not defined\n",
+									var);
+		return;
+	}
+	env_opt_start_info();
+	env_opt_add(ep->var);
+	env_opt_end(0);
+}
+
+	void
+env_list()
+{
+	register struct env_lst *ep;
+
+	for (ep = envlisthead.next; ep; ep = ep->next) {
+		printf("%c %-20s %s\n", ep->export ? '*' : ' ',
+					ep->var, ep->value);
+	}
+}
+
+	unsigned char *
+env_default(init, welldefined)
+	int init;
+{
+	static struct env_lst *nep = NULL;
+
+	if (init) {
+		nep = &envlisthead;
+		return(NULL);
+	}
+	if (nep) {
+		while ((nep = nep->next)) {
+			if (nep->export && (nep->welldefined == welldefined))
+				return(nep->var);
+		}
+	}
+	return(NULL);
+}
+
+	unsigned char *
+env_getvalue(var)
+	unsigned char *var;
+{
+	register struct env_lst *ep;
+
+	if ((ep = env_find(var)))
+		return(ep->value);
+	return(NULL);
+}
+
+#if defined(OLD_ENVIRON) && defined(ENV_HACK)
+	void
+env_varval(what)
+	unsigned char *what;
+{
+	extern int old_env_var, old_env_value, env_auto;
+	int len = strlen((char *)what);
+
+	if (len == 0)
+		goto unknown;
+
+	if (strncasecmp((char *)what, "status", len) == 0) {
+		if (env_auto)
+			printf("%s%s", "VAR and VALUE are/will be ",
+					"determined automatically\n");
+		if (old_env_var == OLD_ENV_VAR)
+			printf("VAR and VALUE set to correct definitions\n");
+		else
+			printf("VAR and VALUE definitions are reversed\n");
+	} else if (strncasecmp((char *)what, "auto", len) == 0) {
+		env_auto = 1;
+		old_env_var = OLD_ENV_VALUE;
+		old_env_value = OLD_ENV_VAR;
+	} else if (strncasecmp((char *)what, "right", len) == 0) {
+		env_auto = 0;
+		old_env_var = OLD_ENV_VAR;
+		old_env_value = OLD_ENV_VALUE;
+	} else if (strncasecmp((char *)what, "wrong", len) == 0) {
+		env_auto = 0;
+		old_env_var = OLD_ENV_VALUE;
+		old_env_value = OLD_ENV_VAR;
+	} else {
+unknown:
+		printf("Unknown \"varval\" command. (\"auto\", \"right\", \"wrong\", \"status\")\n");
+	}
+}
+#endif
+
+#if	defined(AUTHENTICATION)
+/*
+ * The AUTHENTICATE command.
+ */
+
+struct authlist {
+	char	*name;
+	char	*help;
+	int	(*handler)();
+	int	narg;
+};
+
+extern int
+	auth_enable P((char *)),
+	auth_disable P((char *)),
+	auth_status P((void));
+static int
+	auth_help P((void));
+
+struct authlist AuthList[] = {
+    { "status",	"Display current status of authentication information",
+						auth_status,	0 },
+    { "disable", "Disable an authentication type ('auth disable ?' for more)",
+						auth_disable,	1 },
+    { "enable", "Enable an authentication type ('auth enable ?' for more)",
+						auth_enable,	1 },
+    { "help",	0,				auth_help,		0 },
+    { "?",	"Print help information",	auth_help,		0 },
+    { 0 },
+};
+
+    static int
+auth_help()
+{
+    struct authlist *c;
+
+    for (c = AuthList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\n", c->name, c->help);
+	    else
+		printf("\n");
+	}
+    }
+    return 0;
+}
+
+	int
+auth_cmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct authlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'auth' command.  'auth ?' for help.\n");
+	return 0;
+    }
+
+    c = (struct authlist *)
+		genget(argv[1], (char **) AuthList, sizeof(struct authlist));
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('auth ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('auth ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (c->narg + 2 != argc) {
+	fprintf(stderr,
+	    "Need %s%d argument%s to 'auth %s' command.  'auth ?' for help.\n",
+		c->narg < argc + 2 ? "only " : "",
+		c->narg, c->narg == 1 ? "" : "s", c->name);
+	return 0;
+    }
+    return((*c->handler)(argv[2], argv[3]));
+}
+#endif
+
+#ifdef	ENCRYPTION
+/*
+ * The ENCRYPT command.
+ */
+
+struct encryptlist {
+	char	*name;
+	char	*help;
+	int	(*handler)();
+	int	needconnect;
+	int	minarg;
+	int	maxarg;
+};
+
+extern int
+	EncryptEnable P((char *, char *)),
+	EncryptDisable P((char *, char *)),
+	EncryptType P((char *, char *)),
+	EncryptStart P((char *)),
+	EncryptStartInput P((void)),
+	EncryptStartOutput P((void)),
+	EncryptStop P((char *)),
+	EncryptStopInput P((void)),
+	EncryptStopOutput P((void)),
+	EncryptStatus P((void));
+static int
+	EncryptHelp P((void));
+
+struct encryptlist EncryptList[] = {
+    { "enable", "Enable encryption. ('encrypt enable ?' for more)",
+						EncryptEnable, 1, 1, 2 },
+    { "disable", "Disable encryption. ('encrypt enable ?' for more)",
+						EncryptDisable, 0, 1, 2 },
+    { "type", "Set encryption type. ('encrypt type ?' for more)",
+						EncryptType, 0, 1, 1 },
+    { "start", "Start encryption. ('encrypt start ?' for more)",
+						EncryptStart, 1, 0, 1 },
+    { "stop", "Stop encryption. ('encrypt stop ?' for more)",
+						EncryptStop, 1, 0, 1 },
+    { "input", "Start encrypting the input stream",
+						EncryptStartInput, 1, 0, 0 },
+    { "-input", "Stop encrypting the input stream",
+						EncryptStopInput, 1, 0, 0 },
+    { "output", "Start encrypting the output stream",
+						EncryptStartOutput, 1, 0, 0 },
+    { "-output", "Stop encrypting the output stream",
+						EncryptStopOutput, 1, 0, 0 },
+
+    { "status",	"Display current status of authentication information",
+						EncryptStatus,	0, 0, 0 },
+    { "help",	0,				EncryptHelp,	0, 0, 0 },
+    { "?",	"Print help information",	EncryptHelp,	0, 0, 0 },
+    { 0 },
+};
+
+    static int
+EncryptHelp()
+{
+    struct encryptlist *c;
+
+    for (c = EncryptList; c->name; c++) {
+	if (c->help) {
+	    if (*c->help)
+		printf("%-15s %s\n", c->name, c->help);
+	    else
+		printf("\n");
+	}
+    }
+    return 0;
+}
+
+	int
+encrypt_cmd(argc, argv)
+    int  argc;
+    char *argv[];
+{
+    struct encryptlist *c;
+
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'encrypt' command.  'encrypt ?' for help.\n");
+	return 0;
+    }
+
+    c = (struct encryptlist *)
+		genget(argv[1], (char **) EncryptList, sizeof(struct encryptlist));
+    if (c == 0) {
+	fprintf(stderr, "'%s': unknown argument ('encrypt ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    if (Ambiguous(c)) {
+	fprintf(stderr, "'%s': ambiguous argument ('encrypt ?' for help).\n",
+    				argv[1]);
+	return 0;
+    }
+    argc -= 2;
+    if (argc < c->minarg || argc > c->maxarg) {
+	if (c->minarg == c->maxarg) {
+	    fprintf(stderr, "Need %s%d argument%s ",
+		c->minarg < argc ? "only " : "", c->minarg,
+		c->minarg == 1 ? "" : "s");
+	} else {
+	    fprintf(stderr, "Need %s%d-%d arguments ",
+		c->maxarg < argc ? "only " : "", c->minarg, c->maxarg);
+	}
+	fprintf(stderr, "to 'encrypt %s' command.  'encrypt ?' for help.\n",
+		c->name);
+	return 0;
+    }
+    if (c->needconnect && !connected) {
+	if (!(argc && (isprefix(argv[2], "help") || isprefix(argv[2], "?")))) {
+	    printf("?Need to be connected first.\n");
+	    return 0;
+	}
+    }
+    return ((*c->handler)(argc > 0 ? argv[2] : 0,
+			argc > 1 ? argv[3] : 0,
+			argc > 2 ? argv[4] : 0));
+}
+#endif	/* ENCRYPTION */
+
+#if	defined(unix) && defined(TN3270)
+    static void
+filestuff(fd)
+    int fd;
+{
+    int res;
+
+#ifdef	F_GETOWN
+    setconnmode(0);
+    res = fcntl(fd, F_GETOWN, 0);
+    setcommandmode();
+
+    if (res == -1) {
+	perror("fcntl");
+	return;
+    }
+    printf("\tOwner is %d.\n", res);
+#endif
+
+    setconnmode(0);
+    res = fcntl(fd, F_GETFL, 0);
+    setcommandmode();
+
+    if (res == -1) {
+	perror("fcntl");
+	return;
+    }
+#ifdef notdef
+    printf("\tFlags are 0x%x: %s\n", res, decodeflags(res));
+#endif
+}
+#endif /* defined(unix) && defined(TN3270) */
+
+/*
+ * Print status about the connection.
+ */
+    /*ARGSUSED*/
+    static int
+status(argc, argv)
+    int	 argc;
+    char *argv[];
+{
+    if (connected) {
+	printf("Connected to %s.\n", hostname);
+	if ((argc < 2) || strcmp(argv[1], "notmuch")) {
+	    int mode = getconnmode();
+
+	    if (my_want_state_is_will(TELOPT_LINEMODE)) {
+		printf("Operating with LINEMODE option\n");
+		printf("%s line editing\n", (mode&MODE_EDIT) ? "Local" : "No");
+		printf("%s catching of signals\n",
+					(mode&MODE_TRAPSIG) ? "Local" : "No");
+		slcstate();
+#ifdef	KLUDGELINEMODE
+	    } else if (kludgelinemode && my_want_state_is_dont(TELOPT_SGA)) {
+		printf("Operating in obsolete linemode\n");
+#endif
+	    } else {
+		printf("Operating in single character mode\n");
+		if (localchars)
+		    printf("Catching signals locally\n");
+	    }
+	    printf("%s character echo\n", (mode&MODE_ECHO) ? "Local" : "Remote");
+	    if (my_want_state_is_will(TELOPT_LFLOW))
+		printf("%s flow control\n", (mode&MODE_FLOW) ? "Local" : "No");
+#ifdef	ENCRYPTION
+	    encrypt_display();
+#endif	/* ENCRYPTION */
+	}
+    } else {
+	printf("No connection.\n");
+    }
+#   if !defined(TN3270)
+    printf("Escape character is '%s'.\n", control(escape));
+    (void) fflush(stdout);
+#   else /* !defined(TN3270) */
+    if ((!In3270) && ((argc < 2) || strcmp(argv[1], "notmuch"))) {
+	printf("Escape character is '%s'.\n", control(escape));
+    }
+#   if defined(unix)
+    if ((argc >= 2) && !strcmp(argv[1], "everything")) {
+	printf("SIGIO received %d time%s.\n",
+				sigiocount, (sigiocount == 1)? "":"s");
+	if (In3270) {
+	    printf("Process ID %d, process group %d.\n",
+					    getpid(), getpgrp(getpid()));
+	    printf("Terminal input:\n");
+	    filestuff(tin);
+	    printf("Terminal output:\n");
+	    filestuff(tout);
+	    printf("Network socket:\n");
+	    filestuff(net);
+	}
+    }
+    if (In3270 && transcom) {
+       printf("Transparent mode command is '%s'.\n", transcom);
+    }
+#   endif /* defined(unix) */
+    (void) fflush(stdout);
+    if (In3270) {
+	return 0;
+    }
+#   endif /* defined(TN3270) */
+    return 1;
+}
+
+#ifdef	SIGINFO
+/*
+ * Function that gets called when SIGINFO is received.
+ */
+	void
+ayt_status()
+{
+    (void) call(status, "status", "notmuch", 0);
+}
+#endif
+
+static const char *
+sockaddr_ntop(sa)
+    struct sockaddr *sa;
+{
+    void *addr;
+    static char addrbuf[INET6_ADDRSTRLEN];
+
+    switch (sa->sa_family) {
+    case AF_INET:
+	addr = &((struct sockaddr_in *)sa)->sin_addr;
+	break;
+    case AF_UNIX:
+	addr = &((struct sockaddr_un *)sa)->sun_path;
+	break;
+#ifdef INET6
+    case AF_INET6:
+	addr = &((struct sockaddr_in6 *)sa)->sin6_addr;
+	break;
+#endif
+    default:
+	return NULL;
+    }
+    inet_ntop(sa->sa_family, addr, addrbuf, sizeof(addrbuf));
+    return addrbuf;
+}
+
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+static int
+setpolicy(net, res, policy)
+	int net;
+	struct addrinfo *res;
+	char *policy;
+{
+	char *buf;
+	int level;
+	int optname;
+
+	if (policy == NULL)
+		return 0;
+
+	buf = ipsec_set_policy(policy, strlen(policy));
+	if (buf == NULL) {
+		printf("%s\n", ipsec_strerror());
+		return -1;
+	}
+	level = res->ai_family == AF_INET ? IPPROTO_IP : IPPROTO_IPV6;
+	optname = res->ai_family == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY;
+	if (setsockopt(net, level, optname, buf, ipsec_get_policylen(buf)) < 0){
+		perror("setsockopt");
+		return -1;
+	}
+
+	free(buf);
+}
+#endif
+
+#ifdef INET6
+/*
+ * When an Address Family related error happend, check if retry with
+ * another AF is possible or not.
+ * Return 1, if retry with another af is OK. Else, return 0.
+ */
+static int
+switch_af(aip)
+    struct addrinfo **aip;
+{
+    int nextaf;
+    struct addrinfo *ai;
+
+    ai = *aip;
+    nextaf = (ai->ai_family == AF_INET) ? AF_INET6 : AF_INET;
+    do
+        ai=ai->ai_next;
+    while (ai != NULL && ai->ai_family != nextaf);
+    *aip = ai;
+    if (*aip != NULL) {
+        return 1;
+    }
+    return 0;
+}
+#endif
+
+    int
+tn(argc, argv)
+    int argc;
+    char *argv[];
+{
+    char *srp = 0, *strrchr();
+    int proto, opt;
+    int sourceroute(), srlen;
+    int srcroute = 0, result;
+    char *cmd, *hostp = 0, *portp = 0, *user = 0;
+    char *src_addr = NULL;
+    struct addrinfo hints, *res, *res0 = NULL, *src_res, *src_res0 = NULL;
+    int error = 0, af_error = 0;
+
+    if (connected) {
+	printf("?Already connected to %s\n", hostname);
+	setuid(getuid());
+	return 0;
+    }
+    if (argc < 2) {
+	(void) strcpy(line, "open ");
+	printf("(to) ");
+	(void) fgets(&line[strlen(line)], sizeof(line) - strlen(line), stdin);
+	makeargv();
+	argc = margc;
+	argv = margv;
+    }
+    cmd = *argv;
+    --argc; ++argv;
+    while (argc) {
+	if (strcmp(*argv, "help") == 0 || isprefix(*argv, "?"))
+	    goto usage;
+	if (strcmp(*argv, "-l") == 0) {
+	    --argc; ++argv;
+	    if (argc == 0)
+		goto usage;
+	    user = *argv++;
+	    --argc;
+	    continue;
+	}
+	if (strcmp(*argv, "-a") == 0) {
+	    --argc; ++argv;
+	    autologin = 1;
+	    continue;
+	}
+	if (strcmp(*argv, "-s") == 0) {
+	    --argc; ++argv;
+	    if (argc == 0)
+		goto usage;
+	    src_addr = *argv++;
+	    --argc;
+	    continue;
+	}
+	if (hostp == 0) {
+	    hostp = *argv++;
+	    --argc;
+	    continue;
+	}
+	if (portp == 0) {
+	    portp = *argv++;
+	    --argc;
+	    continue;
+	}
+    usage:
+	printf("usage: %s [-l user] [-a] [-s src_addr] host-name [port]\n", cmd);
+	setuid(getuid());
+	return 0;
+    }
+    if (hostp == 0)
+	goto usage;
+
+    if (src_addr != NULL) {
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_NUMERICHOST;
+	hints.ai_family = family;
+	hints.ai_socktype = SOCK_STREAM;
+	error = getaddrinfo(src_addr, 0, &hints, &src_res);
+	if (error == EAI_NODATA) {
+		hints.ai_flags = 0;
+		error = getaddrinfo(src_addr, 0, &hints, &src_res);
+	}
+	if (error != 0) {
+		fprintf(stderr, "%s: %s\n", src_addr, gai_strerror(error));
+		if (error == EAI_SYSTEM)
+			fprintf(stderr, "%s: %s\n", src_addr, strerror(errno));
+		setuid(getuid());
+		return 0;
+	}
+	src_res0 = src_res;
+    }
+    if (hostp[0] == '/') {
+	struct sockaddr_un su;
+	
+	if (strlen(hostp) >= sizeof(su.sun_path)) {
+	    fprintf(stderr, "hostname too long for unix domain socket: %s",
+		    hostp);
+		goto fail;
+	}
+	memset(&su, 0, sizeof su);
+	su.sun_family = AF_UNIX;
+	strncpy(su.sun_path, hostp, sizeof su.sun_path);
+	printf("Trying %s...\n", &su.sun_path);
+	net = socket(PF_UNIX, SOCK_STREAM, 0);
+	if ( net < 0) {
+	    perror("socket");
+	    goto fail;
+	}
+	if (connect(net, (struct sockaddr *)&su, sizeof su) == -1) {
+	    perror(su.sun_path);
+	    (void) NetClose(net);
+	    goto fail;
+	}
+	goto af_unix;
+    } else if (hostp[0] == '@' || hostp[0] == '!') {
+	if (
+#ifdef INET6
+	    family == AF_INET6 ||
+#endif
+	    (hostname = strrchr(hostp, ':')) == NULL)
+	    hostname = strrchr(hostp, '@');
+	hostname++;
+	srcroute = 1;
+    } else
+        hostname = hostp;
+    if (!portp) {
+      telnetport = 1;
+      portp = "telnet";
+    } else if (*portp == '-') {
+      portp++;
+      telnetport = 1;
+    } else
+      telnetport = 0;
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_flags = AI_NUMERICHOST;
+    hints.ai_family = family;
+    hints.ai_socktype = SOCK_STREAM;
+    error = getaddrinfo(hostname, portp, &hints, &res);
+    if (error) {
+        hints.ai_flags = AI_CANONNAME;
+	error = getaddrinfo(hostname, portp, &hints, &res);
+    }
+    if (error != 0) {
+	fprintf(stderr, "%s: %s\n", hostname, gai_strerror(error));
+	if (error == EAI_SYSTEM)
+	    fprintf(stderr, "%s: %s\n", hostname, strerror(errno));
+	setuid(getuid());
+	goto fail;
+    }
+    if (hints.ai_flags == AI_NUMERICHOST) {
+	/* hostname has numeric */
+        int gni_err = 1;
+
+	if (doaddrlookup)
+	    gni_err = getnameinfo(res->ai_addr, res->ai_addr->sa_len,
+				  _hostname, sizeof(_hostname) - 1, NULL, 0,
+				  NI_NAMEREQD);
+	if (gni_err != 0)
+	    (void) strncpy(_hostname, hostp, sizeof(_hostname) - 1);
+	_hostname[sizeof(_hostname)-1] = '\0';
+	hostname = _hostname;
+    } else {
+	/* hostname has FQDN */
+	if (srcroute != 0)
+	    (void) strncpy(_hostname, hostname, sizeof(_hostname) - 1);
+	else if (res->ai_canonname != NULL)
+	  strcpy(_hostname, res->ai_canonname);
+	else
+	  (void) strncpy(_hostname, hostp, sizeof(_hostname) - 1);
+	_hostname[sizeof(_hostname)-1] = '\0';
+	hostname = _hostname;
+    }
+    res0 = res;
+ af_again:
+    if (srcroute != 0) {
+        static char hostbuf[BUFSIZ];
+
+	if (af_error == 0) { /* save intermediate hostnames for retry */
+		strncpy(hostbuf, hostp, BUFSIZ - 1);
+		hostbuf[BUFSIZ - 1] = '\0';
+	} else
+		hostp = hostbuf;
+	srp = 0;
+	result = sourceroute(res, hostp, &srp, &srlen, &proto, &opt);
+	if (result == 0) {
+#ifdef INET6
+	    if (family == AF_UNSPEC && af_error == 0 &&
+		switch_af(&res) == 1) {
+	        af_error = 1;
+		goto af_again;
+	    }
+#endif
+	    setuid(getuid());
+	    goto fail;
+	} else if (result == -1) {
+	    printf("Bad source route option: %s\n", hostp);
+	    setuid(getuid());
+	    goto fail;
+	}
+    }
+    do {
+        printf("Trying %s...\n", sockaddr_ntop(res->ai_addr));
+	net = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+	setuid(getuid());
+	if (net < 0) {
+#ifdef INET6
+	    if (family == AF_UNSPEC && af_error == 0 &&
+		switch_af(&res) == 1) {
+	        af_error = 1;
+		goto af_again;
+	    }
+#endif
+	    perror("telnet: socket");
+	    goto fail;
+	}
+	if (srp && setsockopt(net, proto, opt, (char *)srp, srlen) < 0)
+		perror("setsockopt (source route)");
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+	if (res->ai_family == PF_INET) {
+# if	defined(HAS_GETTOS)
+	    struct tosent *tp;
+	    if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+		tos = tp->t_tos;
+# endif
+	    if (tos < 0)
+		tos = 020;	/* Low Delay bit */
+	    if (tos
+		&& (setsockopt(net, IPPROTO_IP, IP_TOS,
+		    (char *)&tos, sizeof(int)) < 0)
+		&& (errno != ENOPROTOOPT))
+		    perror("telnet: setsockopt (IP_TOS) (ignored)");
+	}
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+
+	if (debug && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 1) < 0) {
+		perror("setsockopt (SO_DEBUG)");
+	}
+
+	if (src_addr != NULL) {
+	    for (src_res = src_res0; src_res != 0; src_res = src_res->ai_next)
+	        if (src_res->ai_family == res->ai_family)
+		    break;
+	    if (src_res == NULL)
+		src_res = src_res0;
+	    if (bind(net, src_res->ai_addr, src_res->ai_addrlen) == -1) {
+#ifdef INET6
+	        if (family == AF_UNSPEC && af_error == 0 &&
+		    switch_af(&res) == 1) {
+		    af_error = 1;
+		    (void) NetClose(net);
+		    goto af_again;
+		}
+#endif
+		perror("bind");
+		(void) NetClose(net);
+		goto fail;
+	    }
+	}
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+	if (setpolicy(net, res, ipsec_policy_in) < 0) {
+		(void) NetClose(net);
+		goto fail;
+	}
+	if (setpolicy(net, res, ipsec_policy_out) < 0) {
+		(void) NetClose(net);
+		goto fail;
+	}
+#endif
+
+	if (connect(net, res->ai_addr, res->ai_addrlen) < 0) {
+	    struct addrinfo *next;
+
+	    next = res->ai_next;
+	    /* If already an af failed, only try same af. */
+	    if (af_error != 0)
+		while (next != NULL && next->ai_family != res->ai_family)
+		    next = next->ai_next;
+	    warn("connect to address %s", sockaddr_ntop(res->ai_addr));
+	    if (next != NULL) {
+		res = next;
+		(void) NetClose(net);
+		continue;
+	    }
+	    warnx("Unable to connect to remote host");
+	    (void) NetClose(net);
+	    goto fail;
+	}
+	connected++;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	auth_encrypt_connect(connected);
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION) */
+    } while (connected == 0);
+    freeaddrinfo(res0);
+    if (src_res0 != NULL)
+        freeaddrinfo(src_res0);
+    cmdrc(hostp, hostname);
+ af_unix:    
+    if (autologin && user == NULL) {
+	struct passwd *pw;
+
+	user = getenv("USER");
+	if (user == NULL ||
+	    ((pw = getpwnam(user)) && pw->pw_uid != getuid())) {
+		if ((pw = getpwuid(getuid())))
+			user = pw->pw_name;
+		else
+			user = NULL;
+	}
+    }
+    if (user) {
+	env_define((unsigned char *)"USER", (unsigned char *)user);
+	env_export((unsigned char *)"USER");
+    }
+    (void) call(status, "status", "notmuch", 0);
+    if (setjmp(peerdied) == 0)
+	telnet(user);
+    (void) NetClose(net);
+    ExitString("Connection closed by foreign host.\n",1);
+    /*NOTREACHED*/
+ fail:
+    if (res0 != NULL)
+        freeaddrinfo(res0);
+    if (src_res0 != NULL)
+        freeaddrinfo(src_res0);
+    return 0;
+}
+
+#define HELPINDENT (sizeof ("connect"))
+
+static char
+	openhelp[] =	"connect to a site",
+	closehelp[] =	"close current connection",
+	logouthelp[] =	"forcibly logout remote user and close the connection",
+	quithelp[] =	"exit telnet",
+	statushelp[] =	"print status information",
+	helphelp[] =	"print help information",
+	sendhelp[] =	"transmit special characters ('send ?' for more)",
+	sethelp[] = 	"set operating parameters ('set ?' for more)",
+	unsethelp[] = 	"unset operating parameters ('unset ?' for more)",
+	togglestring[] ="toggle operating parameters ('toggle ?' for more)",
+	slchelp[] =	"change state of special charaters ('slc ?' for more)",
+	displayhelp[] =	"display operating parameters",
+#if	defined(TN3270) && defined(unix)
+	transcomhelp[] = "specify Unix command for transparent mode pipe",
+#endif	/* defined(TN3270) && defined(unix) */
+#if	defined(AUTHENTICATION)
+	authhelp[] =	"turn on (off) authentication ('auth ?' for more)",
+#endif
+#ifdef	ENCRYPTION
+	encrypthelp[] =	"turn on (off) encryption ('encrypt ?' for more)",
+#endif	/* ENCRYPTION */
+#if	defined(unix)
+	zhelp[] =	"suspend telnet",
+#endif	/* defined(unix) */
+#if	defined(SKEY)
+	skeyhelp[] =    "compute response to s/key challenge",
+#endif
+	shellhelp[] =	"invoke a subshell",
+	envhelp[] =	"change environment variables ('environ ?' for more)",
+	modestring[] = "try to enter line or character mode ('mode ?' for more)";
+
+static Command cmdtab[] = {
+	{ "close",	closehelp,	bye,		1 },
+	{ "logout",	logouthelp,	logout,		1 },
+	{ "display",	displayhelp,	display,	0 },
+	{ "mode",	modestring,	modecmd,	0 },
+	{ "open",	openhelp,	tn,		0 },
+	{ "quit",	quithelp,	quit,		0 },
+	{ "send",	sendhelp,	sendcmd,	0 },
+	{ "set",	sethelp,	setcmd,		0 },
+	{ "unset",	unsethelp,	unsetcmd,	0 },
+	{ "status",	statushelp,	status,		0 },
+	{ "toggle",	togglestring,	toggle,		0 },
+	{ "slc",	slchelp,	slccmd,		0 },
+#if	defined(TN3270) && defined(unix)
+	{ "transcom",	transcomhelp,	settranscom,	0 },
+#endif	/* defined(TN3270) && defined(unix) */
+#if	defined(AUTHENTICATION)
+	{ "auth",	authhelp,	auth_cmd,	0 },
+#endif
+#ifdef	ENCRYPTION
+	{ "encrypt",	encrypthelp,	encrypt_cmd,	0 },
+#endif	/* ENCRYPTION */
+#if	defined(unix)
+	{ "z",		zhelp,		suspend,	0 },
+#endif	/* defined(unix) */
+#if	defined(TN3270)
+	{ "!",		shellhelp,	shell,		1 },
+#else
+	{ "!",		shellhelp,	shell,		0 },
+#endif
+	{ "environ",	envhelp,	env_cmd,	0 },
+	{ "?",		helphelp,	help,		0 },
+#if	defined(SKEY)
+	{ "skey",       skeyhelp,       skey_calc,      0 },
+#endif		
+	{ 0, 0, 0, 0 }
+};
+
+static char	crmodhelp[] =	"deprecated command -- use 'toggle crmod' instead";
+static char	escapehelp[] =	"deprecated command -- use 'set escape' instead";
+
+static Command cmdtab2[] = {
+	{ "help",	0,		help,		0 },
+	{ "escape",	escapehelp,	setescape,	0 },
+	{ "crmod",	crmodhelp,	togcrmod,	0 },
+	{ 0, 0, 0, 0 }
+};
+
+
+/*
+ * Call routine with argc, argv set from args (terminated by 0).
+ */
+
+    /*VARARGS1*/
+    static int
+call(va_alist)
+    va_dcl
+{
+    va_list ap;
+    typedef int (*intrtn_t)();
+    intrtn_t routine;
+    char *args[100];
+    int argno = 0;
+
+    va_start(ap);
+    routine = (va_arg(ap, intrtn_t));
+    while ((args[argno++] = va_arg(ap, char *)) != 0) {
+	;
+    }
+    va_end(ap);
+    return (*routine)(argno-1, args);
+}
+
+
+    static Command *
+getcmd(name)
+    char *name;
+{
+    Command *cm;
+
+    if ((cm = (Command *) genget(name, (char **) cmdtab, sizeof(Command))))
+	return cm;
+    return (Command *) genget(name, (char **) cmdtab2, sizeof(Command));
+}
+
+    void
+command(top, tbuf, cnt)
+    int top;
+    char *tbuf;
+    int cnt;
+{
+    register Command *c;
+
+    setcommandmode();
+    if (!top) {
+	putchar('\n');
+#if	defined(unix)
+    } else {
+	(void) signal(SIGINT, SIG_DFL);
+	(void) signal(SIGQUIT, SIG_DFL);
+#endif	/* defined(unix) */
+    }
+    for (;;) {
+	if (rlogin == _POSIX_VDISABLE)
+		printf("%s> ", prompt);
+	if (tbuf) {
+	    register char *cp;
+	    cp = line;
+	    while (cnt > 0 && (*cp++ = *tbuf++) != '\n')
+		cnt--;
+	    tbuf = 0;
+	    if (cp == line || *--cp != '\n' || cp == line)
+		goto getline;
+	    *cp = '\0';
+	    if (rlogin == _POSIX_VDISABLE)
+		printf("%s\n", line);
+	} else {
+	getline:
+	    if (rlogin != _POSIX_VDISABLE)
+		printf("%s> ", prompt);
+	    if (fgets(line, sizeof(line), stdin) == NULL) {
+		if (feof(stdin) || ferror(stdin)) {
+		    (void) quit();
+		    /*NOTREACHED*/
+		}
+		break;
+	    }
+	}
+	if (line[0] == 0)
+	    break;
+	makeargv();
+	if (margv[0] == 0) {
+	    break;
+	}
+	c = getcmd(margv[0]);
+	if (Ambiguous(c)) {
+	    printf("?Ambiguous command\n");
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command\n");
+	    continue;
+	}
+	if (c->needconnect && !connected) {
+	    printf("?Need to be connected first.\n");
+	    continue;
+	}
+	if ((*c->handler)(margc, margv)) {
+	    break;
+	}
+    }
+    if (!top) {
+	if (!connected) {
+	    longjmp(toplevel, 1);
+	    /*NOTREACHED*/
+	}
+#if	defined(TN3270)
+	if (shell_active == 0) {
+	    setconnmode(0);
+	}
+#else	/* defined(TN3270) */
+	setconnmode(0);
+#endif	/* defined(TN3270) */
+    }
+}
+
+/*
+ * Help command.
+ */
+	static int
+help(argc, argv)
+	int argc;
+	char *argv[];
+{
+	register Command *c;
+
+	if (argc == 1) {
+		printf("Commands may be abbreviated.  Commands are:\n\n");
+		for (c = cmdtab; c->name; c++)
+			if (c->help) {
+				printf("%-*s\t%s\n", HELPINDENT, c->name,
+								    c->help);
+			}
+	}
+	else while (--argc > 0) {
+		register char *arg;
+		arg = *++argv;
+		c = getcmd(arg);
+		if (Ambiguous(c))
+			printf("?Ambiguous help command %s\n", arg);
+		else if (c == (Command *)0)
+			printf("?Invalid help command %s\n", arg);
+		else
+			printf("%s\n", c->help);
+	}
+	return(0);
+}
+
+static char *rcname = 0;
+static char rcbuf[128];
+
+	void
+cmdrc(m1, m2)
+	char *m1, *m2;
+{
+    register Command *c;
+    FILE *rcfile;
+    int gotmachine = 0;
+    int l1 = strlen(m1);
+    int l2 = strlen(m2);
+    char m1save[MAXHOSTNAMELEN];
+
+    if (skiprc)
+	return;
+
+    strlcpy(m1save, m1, sizeof(m1save));
+    m1 = m1save;
+
+    if (rcname == 0) {
+	rcname = getenv("HOME");
+	if (rcname && (strlen(rcname) + 10) < sizeof(rcbuf))
+	    strcpy(rcbuf, rcname);
+	else
+	    rcbuf[0] = '\0';
+	strcat(rcbuf, "/.telnetrc");
+	rcname = rcbuf;
+    }
+
+    if ((rcfile = fopen(rcname, "r")) == 0) {
+	return;
+    }
+
+    for (;;) {
+	if (fgets(line, sizeof(line), rcfile) == NULL)
+	    break;
+	if (line[0] == 0)
+	    break;
+	if (line[0] == '#')
+	    continue;
+	if (gotmachine) {
+	    if (!isspace(line[0]))
+		gotmachine = 0;
+	}
+	if (gotmachine == 0) {
+	    if (isspace(line[0]))
+		continue;
+	    if (strncasecmp(line, m1, l1) == 0)
+		strncpy(line, &line[l1], sizeof(line) - l1);
+	    else if (strncasecmp(line, m2, l2) == 0)
+		strncpy(line, &line[l2], sizeof(line) - l2);
+	    else if (strncasecmp(line, "DEFAULT", 7) == 0)
+		strncpy(line, &line[7], sizeof(line) - 7);
+	    else
+		continue;
+	    if (line[0] != ' ' && line[0] != '\t' && line[0] != '\n')
+		continue;
+	    gotmachine = 1;
+	}
+	makeargv();
+	if (margv[0] == 0)
+	    continue;
+	c = getcmd(margv[0]);
+	if (Ambiguous(c)) {
+	    printf("?Ambiguous command: %s\n", margv[0]);
+	    continue;
+	}
+	if (c == 0) {
+	    printf("?Invalid command: %s\n", margv[0]);
+	    continue;
+	}
+	/*
+	 * This should never happen...
+	 */
+	if (c->needconnect && !connected) {
+	    printf("?Need to be connected first for %s.\n", margv[0]);
+	    continue;
+	}
+	(*c->handler)(margc, margv);
+    }
+    fclose(rcfile);
+}
+
+/*
+ * Source route is handed in as
+ *	[!]@hop1@hop2...[@|:]dst
+ * If the leading ! is present, it is a
+ * strict source route, otherwise it is
+ * assmed to be a loose source route.
+ *
+ * We fill in the source route option as
+ *	hop1,hop2,hop3...dest
+ * and return a pointer to hop1, which will
+ * be the address to connect() to.
+ *
+ * Arguments:
+ *
+ *	res:	ponter to addrinfo structure which contains sockaddr to
+ *		the host to connect to.
+ *
+ *	arg:	pointer to route list to decipher
+ *
+ *	cpp: 	If *cpp is not equal to NULL, this is a
+ *		pointer to a pointer to a character array
+ *		that should be filled in with the option.
+ *
+ *	lenp:	pointer to an integer that contains the
+ *		length of *cpp if *cpp != NULL.
+ *
+ *	protop:	pointer to an integer that should be filled in with
+ *		appropriate protocol for setsockopt, as socket 
+ *		protocol family.
+ *
+ *	optp:	pointer to an integer that should be filled in with
+ *		appropriate option for setsockopt, as socket protocol
+ *		family.
+ *
+ * Return values:
+ *
+ *	If the return value is 1, then all operations are
+ *	successful. If the
+ *	return value is -1, there was a syntax error in the
+ *	option, either unknown characters, or too many hosts.
+ *	If the return value is 0, one of the hostnames in the
+ *	path is unknown, and *cpp is set to point to the bad
+ *	hostname.
+ *
+ *	*cpp:	If *cpp was equal to NULL, it will be filled
+ *		in with a pointer to our static area that has
+ *		the option filled in.  This will be 32bit aligned.
+ *
+ *	*lenp:	This will be filled in with how long the option
+ *		pointed to by *cpp is.
+ *
+ *	*protop: This will be filled in with appropriate protocol for
+ *		 setsockopt, as socket protocol family.
+ *
+ *	*optp:	This will be filled in with appropriate option for
+ *		setsockopt, as socket protocol family.
+ */
+int
+sourceroute(ai, arg, cpp, lenp, protop, optp)
+	struct addrinfo *ai;
+	char	*arg;
+	char	**cpp;
+	int	*lenp;
+	int	*protop;
+	int	*optp;
+{
+	static char buf[1024 + ALIGNBYTES];	/*XXX*/
+	struct cmsghdr *cmsg;
+#ifdef	sysV88
+	static IOPTN ipopt;
+#endif
+	char *cp, *cp2, *lsrp, *ep;
+	register int tmp;
+	struct sockaddr_in *sin;
+	struct sockaddr_in6 *sin6;
+	struct addrinfo hints, *res;
+	int error;
+	register char c;
+
+	/*
+	 * Verify the arguments, and make sure we have
+	 * at least 7 bytes for the option.
+	 */
+	if (cpp == NULL || lenp == NULL)
+		return -1;
+	if (*cpp != NULL) {
+		switch (res->ai_family) {
+		case AF_INET:
+			if (*lenp < 7)
+				return -1;
+			break;
+#ifdef INET6
+		case AF_INET6:
+			if (*lenp < CMSG_SPACE(sizeof(struct ip6_rthdr) +
+				               sizeof(struct in6_addr)))
+				return -1;
+			break;
+#endif
+		}
+	}
+	/*
+	 * Decide whether we have a buffer passed to us,
+	 * or if we need to use our own static buffer.
+	 */
+	if (*cpp) {
+		lsrp = *cpp;
+		ep = lsrp + *lenp;
+	} else {
+		*cpp = lsrp = (char *)ALIGN(buf);
+		ep = lsrp + 1024;
+	}
+
+	cp = arg;
+
+#ifdef INET6
+	if (ai->ai_family == AF_INET6) {
+		cmsg = inet6_rthdr_init(*cpp, IPV6_RTHDR_TYPE_0);
+		if (*cp != '@')
+			return -1;
+		*protop = IPPROTO_IPV6;
+		*optp = IPV6_PKTOPTIONS;
+	} else
+#endif
+      {
+	/*
+	 * Next, decide whether we have a loose source
+	 * route or a strict source route, and fill in
+	 * the begining of the option.
+	 */
+#ifndef	sysV88
+	if (*cp == '!') {
+		cp++;
+		*lsrp++ = IPOPT_SSRR;
+	} else
+		*lsrp++ = IPOPT_LSRR;
+#else
+	if (*cp == '!') {
+		cp++;
+		ipopt.io_type = IPOPT_SSRR;
+	} else
+		ipopt.io_type = IPOPT_LSRR;
+#endif
+
+	if (*cp != '@')
+		return -1;
+
+#ifndef	sysV88
+	lsrp++;		/* skip over length, we'll fill it in later */
+	*lsrp++ = 4;
+#endif
+	*protop = IPPROTO_IP;
+	*optp = IP_OPTIONS;
+      }
+
+	cp++;
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = ai->ai_family;
+	hints.ai_socktype = SOCK_STREAM;
+	for (c = 0;;) {
+		if (
+#ifdef INET6
+		    ai->ai_family != AF_INET6 &&
+#endif
+		    c == ':')
+			cp2 = 0;
+		else for (cp2 = cp; (c = *cp2); cp2++) {
+			if (c == ',') {
+				*cp2++ = '\0';
+				if (*cp2 == '@')
+					cp2++;
+			} else if (c == '@') {
+				*cp2++ = '\0';
+			} else if (
+#ifdef INET6
+				   ai->ai_family != AF_INET6 &&
+#endif
+				   c == ':') {
+				*cp2++ = '\0';
+			} else
+				continue;
+			break;
+		}
+		if (!c)
+			cp2 = 0;
+
+		hints.ai_flags = AI_NUMERICHOST;
+ 		error = getaddrinfo(cp, NULL, &hints, &res);
+		if (error == EAI_NODATA) {
+			hints.ai_flags = 0;
+			error = getaddrinfo(cp, NULL, &hints, &res);
+		}
+		if (error != 0) {
+			fprintf(stderr, "%s: %s\n", cp, gai_strerror(error));
+			if (error == EAI_SYSTEM)
+				fprintf(stderr, "%s: %s\n", cp,
+					strerror(errno));
+			*cpp = cp;
+			return(0);
+		}
+#ifdef INET6
+		if (res->ai_family == AF_INET6) {
+			sin6 = (struct sockaddr_in6 *)res->ai_addr;
+			inet6_rthdr_add(cmsg, &sin6->sin6_addr,
+					IPV6_RTHDR_LOOSE);
+		} else
+#endif
+	      {
+		sin = (struct sockaddr_in *)res->ai_addr;
+		memcpy(lsrp, (char *)&sin->sin_addr, 4);
+		lsrp += 4;
+	      }
+		if (cp2)
+			cp = cp2;
+		else
+			break;
+		/*
+		 * Check to make sure there is space for next address
+		 */
+#ifdef INET6
+		if (res->ai_family == AF_INET6) {
+			if (((char *)CMSG_DATA(cmsg) +
+			     sizeof(struct ip6_rthdr) +
+			     ((inet6_rthdr_segments(cmsg) + 1) *
+			      sizeof(struct in6_addr))) > ep)
+			return -1;
+		} else
+#endif
+		if (lsrp + 4 > ep)
+			return -1;
+		freeaddrinfo(res);
+	}
+#ifdef INET6
+	if (res->ai_family == AF_INET6) {
+		inet6_rthdr_lasthop(cmsg, IPV6_RTHDR_LOOSE);
+		*lenp = cmsg->cmsg_len;
+	} else
+#endif
+      {
+#ifndef	sysV88
+	if ((*(*cpp+IPOPT_OLEN) = lsrp - *cpp) <= 7) {
+		*cpp = 0;
+		*lenp = 0;
+		return -1;
+	}
+	*lsrp++ = IPOPT_NOP; /* 32 bit word align it */
+	*lenp = lsrp - *cpp;
+#else
+	ipopt.io_len = lsrp - *cpp;
+	if (ipopt.io_len <= 5) {		/* Is 3 better ? */
+		*cpp = 0;
+		*lenp = 0;
+		return -1;
+	}
+	*lenp = sizeof(ipopt);
+	*cpp = (char *) &ipopt;
+#endif
+      }
+	freeaddrinfo(res);
+	return 1;
+}
+
+
+
diff --git a/crypto/telnet/telnet/defines.h b/crypto/telnet/telnet/defines.h
new file mode 100644
index 0000000..0978173
--- /dev/null
+++ b/crypto/telnet/telnet/defines.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)defines.h	8.1 (Berkeley) 6/6/93
+ */
+
+#define	settimer(x)	clocks.x = clocks.system++
+
+#if	!defined(TN3270)
+
+#define	SetIn3270()
+
+#endif	/* !defined(TN3270) */
+
+#define	NETADD(c)	{ *netoring.supply = c; ring_supplied(&netoring, 1); }
+#define	NET2ADD(c1,c2)	{ NETADD(c1); NETADD(c2); }
+#define	NETBYTES()	(ring_full_count(&netoring))
+#define	NETROOM()	(ring_empty_count(&netoring))
+
+#define	TTYADD(c)	if (!(SYNCHing||flushout)) { \
+				*ttyoring.supply = c; \
+				ring_supplied(&ttyoring, 1); \
+			}
+#define	TTYBYTES()	(ring_full_count(&ttyoring))
+#define	TTYROOM()	(ring_empty_count(&ttyoring))
+
+/*	Various modes */
+#define	MODE_LOCAL_CHARS(m)	((m)&(MODE_EDIT|MODE_TRAPSIG))
+#define	MODE_LOCAL_ECHO(m)	((m)&MODE_ECHO)
+#define	MODE_COMMAND_LINE(m)	((m)==-1)
+
+#define	CONTROL(x)	((x)&0x1f)		/* CTRL(x) is not portable */
diff --git a/crypto/telnet/telnet/externs.h b/crypto/telnet/telnet/externs.h
new file mode 100644
index 0000000..d6fc5c9
--- /dev/null
+++ b/crypto/telnet/telnet/externs.h
@@ -0,0 +1,502 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)externs.h	8.3 (Berkeley) 5/30/95
+ *	$FreeBSD$
+ */
+
+#ifndef	BSD
+# define BSD 43
+#endif
+
+/*
+ * ucb stdio.h defines BSD as something weird
+ */
+#if defined(sun) && defined(__svr4__)
+#define BSD 43
+#endif
+
+#ifndef	USE_TERMIO
+# if BSD > 43 || defined(SYSV_TERMIO)
+#  define USE_TERMIO
+# endif
+#endif
+
+#include <stdio.h>
+#include <setjmp.h>
+#if defined(CRAY) && !defined(NO_BSD_SETJMP)
+#include <bsdsetjmp.h>
+#endif
+#ifndef	FILIO_H
+#include <sys/ioctl.h>
+#else
+#include <sys/filio.h>
+#endif
+#ifdef CRAY
+# include <errno.h>
+#endif /* CRAY */
+#ifdef	USE_TERMIO
+# ifndef	VINTR
+#  ifdef SYSV_TERMIO
+#   include <sys/termio.h>
+#  else
+#   include <sys/termios.h>
+#   define termio termios
+#  endif
+# endif
+#endif
+#if defined(NO_CC_T) || !defined(USE_TERMIO)
+# if !defined(USE_TERMIO)
+typedef char cc_t;
+# else
+typedef unsigned char cc_t;
+# endif
+#endif
+
+#ifndef	NO_STRING_H
+#include <string.h>
+#else
+#include <strings.h>
+#endif
+
+#if defined(IPSEC)
+#include <netinet6/ipsec.h>
+#if defined(IPSEC_POLICY_IPSEC)
+extern char *ipsec_policy_in;
+extern char *ipsec_policy_out;
+#endif
+#endif
+
+#ifndef	_POSIX_VDISABLE
+# ifdef sun
+#  include <sys/param.h>	/* pick up VDISABLE definition, mayby */
+# endif
+# ifdef VDISABLE
+#  define _POSIX_VDISABLE VDISABLE
+# else
+#  define _POSIX_VDISABLE ((cc_t)'\377')
+# endif
+#endif
+
+#define	SUBBUFSIZE	256
+
+#ifndef CRAY
+extern int errno;		/* outside this world */
+#endif /* !CRAY */
+
+#if	!defined(P)
+# ifdef	__STDC__
+#  define	P(x)	x
+# else
+#  define	P(x)	()
+# endif
+#endif
+
+extern int
+    autologin,		/* Autologin enabled */
+    skiprc,		/* Don't process the ~/.telnetrc file */
+    eight,		/* use eight bit mode (binary in and/or out */
+    family,		/* address family of peer */
+    flushout,		/* flush output */
+    connected,		/* Are we connected to the other side? */
+    globalmode,		/* Mode tty should be in */
+    In3270,		/* Are we in 3270 mode? */
+    telnetport,		/* Are we connected to the telnet port? */
+    localflow,		/* Flow control handled locally */
+    restartany,		/* If flow control, restart output on any character */
+    localchars,		/* we recognize interrupt/quit */
+    donelclchars,	/* the user has set "localchars" */
+    showoptions,
+    net,		/* Network file descriptor */
+    tin,		/* Terminal input file descriptor */
+    tout,		/* Terminal output file descriptor */
+    crlf,		/* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+    autoflush,		/* flush output when interrupting? */
+    autosynch,		/* send interrupt characters with SYNCH? */
+    SYNCHing,		/* Is the stream in telnet SYNCH mode? */
+    donebinarytoggle,	/* the user has put us in binary */
+    dontlecho,		/* do we suppress local echoing right now? */
+    crmod,
+    netdata,		/* Print out network data flow */
+    prettydump,		/* Print "netdata" output in user readable format */
+#if	defined(unix)
+#if	defined(TN3270)
+    cursesdata,		/* Print out curses data flow */
+    apitrace,		/* Trace API transactions */
+#endif	/* defined(TN3270) */
+    termdata,		/* Print out terminal data flow */
+#endif	/* defined(unix) */
+    debug,		/* Debug level */
+    doaddrlookup,	/* do a reverse lookup? */
+    clienteof;		/* Client received EOF */
+
+extern cc_t escape;	/* Escape to command mode */
+extern cc_t rlogin;	/* Rlogin mode escape character */
+#ifdef	KLUDGELINEMODE
+extern cc_t echoc;	/* Toggle local echoing */
+#endif
+
+extern char
+    *prompt;		/* Prompt for command. */
+
+extern char
+    doopt[],
+    dont[],
+    will[],
+    wont[],
+    options[],		/* All the little options */
+    *hostname;		/* Who are we connected to? */
+#ifdef	ENCRYPTION
+extern void (*encrypt_output) P((unsigned char *, int));
+extern int (*decrypt_input) P((int));
+#endif	/* ENCRYPTION */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define	MY_STATE_WILL		0x01
+#define	MY_WANT_STATE_WILL	0x02
+#define	MY_STATE_DO		0x04
+#define	MY_WANT_STATE_DO	0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define	my_state_is_do(opt)		(options[opt]&MY_STATE_DO)
+#define	my_state_is_will(opt)		(options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)	(options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)	(options[opt]&MY_WANT_STATE_WILL)
+
+#define	my_state_is_dont(opt)		(!my_state_is_do(opt))
+#define	my_state_is_wont(opt)		(!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)	(!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)	(!my_want_state_is_will(opt))
+
+#define	set_my_state_do(opt)		{options[opt] |= MY_STATE_DO;}
+#define	set_my_state_will(opt)		{options[opt] |= MY_STATE_WILL;}
+#define	set_my_want_state_do(opt)	{options[opt] |= MY_WANT_STATE_DO;}
+#define	set_my_want_state_will(opt)	{options[opt] |= MY_WANT_STATE_WILL;}
+
+#define	set_my_state_dont(opt)		{options[opt] &= ~MY_STATE_DO;}
+#define	set_my_state_wont(opt)		{options[opt] &= ~MY_STATE_WILL;}
+#define	set_my_want_state_dont(opt)	{options[opt] &= ~MY_WANT_STATE_DO;}
+#define	set_my_want_state_wont(opt)	{options[opt] &= ~MY_WANT_STATE_WILL;}
+
+/*
+ * Make everything symetrical
+ */
+
+#define	HIS_STATE_WILL			MY_STATE_DO
+#define	HIS_WANT_STATE_WILL		MY_WANT_STATE_DO
+#define HIS_STATE_DO			MY_STATE_WILL
+#define HIS_WANT_STATE_DO		MY_WANT_STATE_WILL
+
+#define	his_state_is_do			my_state_is_will
+#define	his_state_is_will		my_state_is_do
+#define his_want_state_is_do		my_want_state_is_will
+#define his_want_state_is_will		my_want_state_is_do
+
+#define	his_state_is_dont		my_state_is_wont
+#define	his_state_is_wont		my_state_is_dont
+#define his_want_state_is_dont		my_want_state_is_wont
+#define his_want_state_is_wont		my_want_state_is_dont
+
+#define	set_his_state_do		set_my_state_will
+#define	set_his_state_will		set_my_state_do
+#define	set_his_want_state_do		set_my_want_state_will
+#define	set_his_want_state_will		set_my_want_state_do
+
+#define	set_his_state_dont		set_my_state_wont
+#define	set_his_state_wont		set_my_state_dont
+#define	set_his_want_state_dont		set_my_want_state_wont
+#define	set_his_want_state_wont		set_my_want_state_dont
+
+
+extern FILE
+    *NetTrace;		/* Where debugging output goes */
+extern unsigned char
+    NetTraceFile[];	/* Name of file where debugging output goes */
+extern void
+    SetNetTrace P((char *));	/* Function to change where debugging goes */
+
+extern jmp_buf
+    peerdied,
+    toplevel;		/* For error conditions. */
+
+extern void
+    command P((int, char *, int)),
+    Dump P((int, unsigned char *, int)),
+    ExitString P((char *, int)),
+    init_3270 P((void)),
+    printoption P((char *, int, int)),
+    printsub P((int, unsigned char *, int)),
+    sendnaws P((void)),
+    setconnmode P((int)),
+    setcommandmode P((void)),
+    setneturg P((void)),
+    sys_telnet_init P((void)),
+    telnet P((char *)),
+    tel_enter_binary P((int)),
+    TerminalFlushOutput P((void)),
+    TerminalNewMode P((int)),
+    TerminalRestoreState P((void)),
+    TerminalSaveState P((void)),
+    tninit P((void)),
+    upcase P((char *)),
+    willoption P((int)),
+    wontoption P((int));
+
+extern void
+    send_do P((int, int)),
+    send_dont P((int, int)),
+    send_will P((int, int)),
+    send_wont P((int, int));
+
+extern void
+    lm_will P((unsigned char *, int)),
+    lm_wont P((unsigned char *, int)),
+    lm_do P((unsigned char *, int)),
+    lm_dont P((unsigned char *, int)),
+    lm_mode P((unsigned char *, int, int));
+
+extern void
+    slc_init P((void)),
+    slcstate P((void)),
+    slc_mode_export P((void)),
+    slc_mode_import P((int)),
+    slc_import P((int)),
+    slc_export P((void)),
+    slc P((unsigned char *, int)),
+    slc_check P((void)),
+    slc_start_reply P((void)),
+    slc_add_reply P((int, int, int)),
+    slc_end_reply P((void));
+extern int
+    NetClose P((int)),
+    netflush P((void)),
+    SetSockOpt P((int, int, int, int)),
+    slc_update P((void)),
+    telrcv P((void)),
+    TerminalWrite P((char *, int)),
+    TerminalAutoFlush P((void)),
+    ttyflush P((int));
+
+extern void
+    env_opt P((unsigned char *, int)),
+    env_opt_start P((void)),
+    env_opt_start_info P((void)),
+    env_opt_add P((unsigned char *)),
+    env_opt_end P((int));
+
+extern unsigned char
+    *env_default P((int, int)),
+    *env_getvalue P((unsigned char *));
+
+extern int
+    get_status P((void)),
+    dosynch P((void));
+
+extern cc_t
+    *tcval P((int));
+
+#ifndef	USE_TERMIO
+
+extern struct	tchars ntc;
+extern struct	ltchars nltc;
+extern struct	sgttyb nttyb;
+
+# define termEofChar		ntc.t_eofc
+# define termEraseChar		nttyb.sg_erase
+# define termFlushChar		nltc.t_flushc
+# define termIntChar		ntc.t_intrc
+# define termKillChar		nttyb.sg_kill
+# define termLiteralNextChar	nltc.t_lnextc
+# define termQuitChar		ntc.t_quitc
+# define termSuspChar		nltc.t_suspc
+# define termRprntChar		nltc.t_rprntc
+# define termWerasChar		nltc.t_werasc
+# define termStartChar		ntc.t_startc
+# define termStopChar		ntc.t_stopc
+# define termForw1Char		ntc.t_brkc
+extern cc_t termForw2Char;
+extern cc_t termAytChar;
+
+# define termEofCharp		(cc_t *)&ntc.t_eofc
+# define termEraseCharp		(cc_t *)&nttyb.sg_erase
+# define termFlushCharp		(cc_t *)&nltc.t_flushc
+# define termIntCharp		(cc_t *)&ntc.t_intrc
+# define termKillCharp		(cc_t *)&nttyb.sg_kill
+# define termLiteralNextCharp	(cc_t *)&nltc.t_lnextc
+# define termQuitCharp		(cc_t *)&ntc.t_quitc
+# define termSuspCharp		(cc_t *)&nltc.t_suspc
+# define termRprntCharp		(cc_t *)&nltc.t_rprntc
+# define termWerasCharp		(cc_t *)&nltc.t_werasc
+# define termStartCharp		(cc_t *)&ntc.t_startc
+# define termStopCharp		(cc_t *)&ntc.t_stopc
+# define termForw1Charp		(cc_t *)&ntc.t_brkc
+# define termForw2Charp		(cc_t *)&termForw2Char
+# define termAytCharp		(cc_t *)&termAytChar
+
+# else
+
+extern struct	termio new_tc;
+
+# define termEofChar		new_tc.c_cc[VEOF]
+# define termEraseChar		new_tc.c_cc[VERASE]
+# define termIntChar		new_tc.c_cc[VINTR]
+# define termKillChar		new_tc.c_cc[VKILL]
+# define termQuitChar		new_tc.c_cc[VQUIT]
+
+# ifndef	VSUSP
+extern cc_t termSuspChar;
+# else
+#  define termSuspChar		new_tc.c_cc[VSUSP]
+# endif
+# if	defined(VFLUSHO) && !defined(VDISCARD)
+#  define VDISCARD VFLUSHO
+# endif
+# ifndef	VDISCARD
+extern cc_t termFlushChar;
+# else
+#  define termFlushChar		new_tc.c_cc[VDISCARD]
+# endif
+# ifndef VWERASE
+extern cc_t termWerasChar;
+# else
+#  define termWerasChar		new_tc.c_cc[VWERASE]
+# endif
+# ifndef	VREPRINT
+extern cc_t termRprntChar;
+# else
+#  define termRprntChar		new_tc.c_cc[VREPRINT]
+# endif
+# ifndef	VLNEXT
+extern cc_t termLiteralNextChar;
+# else
+#  define termLiteralNextChar	new_tc.c_cc[VLNEXT]
+# endif
+# ifndef	VSTART
+extern cc_t termStartChar;
+# else
+#  define termStartChar		new_tc.c_cc[VSTART]
+# endif
+# ifndef	VSTOP
+extern cc_t termStopChar;
+# else
+#  define termStopChar		new_tc.c_cc[VSTOP]
+# endif
+# ifndef	VEOL
+extern cc_t termForw1Char;
+# else
+#  define termForw1Char		new_tc.c_cc[VEOL]
+# endif
+# ifndef	VEOL2
+extern cc_t termForw2Char;
+# else
+#  define termForw2Char		new_tc.c_cc[VEOL]
+# endif
+# ifndef	VSTATUS
+extern cc_t termAytChar;
+#else
+#  define termAytChar		new_tc.c_cc[VSTATUS]
+#endif
+
+# if !defined(CRAY) || defined(__STDC__)
+#  define termEofCharp		&termEofChar
+#  define termEraseCharp	&termEraseChar
+#  define termIntCharp		&termIntChar
+#  define termKillCharp		&termKillChar
+#  define termQuitCharp		&termQuitChar
+#  define termSuspCharp		&termSuspChar
+#  define termFlushCharp	&termFlushChar
+#  define termWerasCharp	&termWerasChar
+#  define termRprntCharp	&termRprntChar
+#  define termLiteralNextCharp	&termLiteralNextChar
+#  define termStartCharp	&termStartChar
+#  define termStopCharp		&termStopChar
+#  define termForw1Charp	&termForw1Char
+#  define termForw2Charp	&termForw2Char
+#  define termAytCharp		&termAytChar
+# else
+	/* Work around a compiler bug */
+#  define termEofCharp		0
+#  define termEraseCharp	0
+#  define termIntCharp		0
+#  define termKillCharp		0
+#  define termQuitCharp		0
+#  define termSuspCharp		0
+#  define termFlushCharp	0
+#  define termWerasCharp	0
+#  define termRprntCharp	0
+#  define termLiteralNextCharp	0
+#  define termStartCharp	0
+#  define termStopCharp		0
+#  define termForw1Charp	0
+#  define termForw2Charp	0
+#  define termAytCharp		0
+# endif
+#endif
+
+
+/* Ring buffer structures which are shared */
+
+extern Ring
+    netoring,
+    netiring,
+    ttyoring,
+    ttyiring;
+
+/* Tn3270 section */
+#if	defined(TN3270)
+
+extern int
+    HaveInput,		/* Whether an asynchronous I/O indication came in */
+    noasynchtty,	/* Don't do signals on I/O (SIGURG, SIGIO) */
+    noasynchnet,	/* Don't do signals on I/O (SIGURG, SIGIO) */
+    sigiocount,		/* Count of SIGIO receptions */
+    shell_active;	/* Subshell is active */
+
+extern char
+    *Ibackp,		/* Oldest byte of 3270 data */
+    Ibuf[],		/* 3270 buffer */
+    *Ifrontp,		/* Where next 3270 byte goes */
+    tline[],
+    *transcom;		/* Transparent command */
+
+extern int
+    settranscom P((int, char**));
+
+extern void
+    inputAvailable P((int));
+#endif	/* defined(TN3270) */
diff --git a/crypto/telnet/telnet/fdset.h b/crypto/telnet/telnet/fdset.h
new file mode 100644
index 0000000..045bb72
--- /dev/null
+++ b/crypto/telnet/telnet/fdset.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)fdset.h	8.1 (Berkeley) 6/6/93
+ */
+
+/*
+ * The following is defined just in case someone should want to run
+ * this telnet on a 4.2 system.
+ *
+ */
+
+#ifndef	FD_SETSIZE
+
+#define	FD_SET(n, p)	((p)->fds_bits[0] |= (1<<(n)))
+#define	FD_CLR(n, p)	((p)->fds_bits[0] &= ~(1<<(n)))
+#define	FD_ISSET(n, p)	((p)->fds_bits[0] & (1<<(n)))
+#define FD_ZERO(p)	((p)->fds_bits[0] = 0)
+
+#endif
diff --git a/crypto/telnet/telnet/general.h b/crypto/telnet/telnet/general.h
new file mode 100644
index 0000000..4efa951
--- /dev/null
+++ b/crypto/telnet/telnet/general.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)general.h	8.1 (Berkeley) 6/6/93
+ */
+
+/*
+ * Some general definitions.
+ */
+
+
+#define	numberof(x)	(sizeof x/sizeof x[0])
+#define	highestof(x)	(numberof(x)-1)
+
+#define	ClearElement(x)		memset((char *)&x, 0, sizeof x)
+#define	ClearArray(x)		memset((char *)x, 0, sizeof x)
diff --git a/crypto/telnet/telnet/main.c b/crypto/telnet/telnet/main.c
new file mode 100644
index 0000000..b3b1e55
--- /dev/null
+++ b/crypto/telnet/telnet/main.c
@@ -0,0 +1,393 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD$
+ */
+
+#ifndef lint
+static const char copyright[] =
+"@(#) Copyright (c) 1988, 1990, 1993\n\
+	The Regents of the University of California.  All rights reserved.\n";
+#endif /* not lint */
+
+#ifndef lint
+static const char sccsid[] = "@(#)main.c	8.3 (Berkeley) 5/30/95";
+#endif /* not lint */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <stdlib.h>
+
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+/* These values need to be the same as defined in libtelnet/kerberos5.c */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS	0x00000002
+#define OPTS_FORWARDABLE_CREDS	0x00000001
+
+#if 0
+#define FORWARD
+#endif
+
+void init_terminal(void);
+void init_network(void);
+void init_telnet(void);
+void init_sys(void);
+void init_3270(void);
+
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+char *ipsec_policy_in = NULL;
+char *ipsec_policy_out = NULL;
+#endif
+
+int family = AF_UNSPEC;
+
+/*
+ * Initialize variables.
+ */
+    void
+tninit()
+{
+    init_terminal();
+
+    init_network();
+
+    init_telnet();
+
+    init_sys();
+
+#if defined(TN3270)
+    init_3270();
+#endif
+}
+
+	void
+usage()
+{
+	fprintf(stderr, "Usage: %s %s%s%s%s\n",
+	    prompt,
+#ifdef	AUTHENTICATION
+	    "[-4] [-6] [-8] [-E] [-K] [-L] [-N] [-S tos] [-X atype] [-c] [-d]",
+	    "\n\t[-e char] [-k realm] [-l user] [-f/-F] [-n tracefile] ",
+#else
+	    "[-4] [-6] [-8] [-E] [-L] [-N] [-S tos] [-c] [-d]",
+	    "\n\t[-e char] [-l user] [-n tracefile] ",
+#endif
+#if defined(TN3270) && defined(unix)
+# ifdef AUTHENTICATION
+	    "[-noasynch] [-noasynctty]\n\t"
+	    "[-noasyncnet] [-r] [-s src_addr] [-t transcom] ",
+# else
+	    "[-noasynch] [-noasynctty] [-noasyncnet] [-r]\n\t"
+	    "[-s src_addr] [-t transcom] ",
+# endif
+#else
+	    "[-r] [-s src_addr] [-u] ",
+#endif
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+	    "[-P policy] "
+#endif
+#ifdef	ENCRYPTION
+	    "[-y] [host-name [port]]"
+#else	/* ENCRYPTION */
+	    "[host-name [port]]"
+#endif	/* ENCRYPTION */
+	);
+	exit(1);
+}
+
+/*
+ * main.  Parse arguments, invoke the protocol or command parser.
+ */
+
+	int
+main(argc, argv)
+	int argc;
+	char *argv[];
+{
+	extern char *optarg;
+	extern int optind;
+	int ch;
+	char *user, *strrchr();
+	char *src_addr = NULL;
+#ifdef	FORWARD
+	extern int forward_flags;
+#endif	/* FORWARD */
+
+	tninit();		/* Clear out things */
+#if	defined(CRAY) && !defined(__STDC__)
+	_setlist_init();	/* Work around compiler bug */
+#endif
+
+	TerminalSaveState();
+
+	if ((prompt = strrchr(argv[0], '/')))
+		++prompt;
+	else
+		prompt = argv[0];
+
+	user = NULL;
+
+	rlogin = (strncmp(prompt, "rlog", 4) == 0) ? '~' : _POSIX_VDISABLE;
+	autologin = 1;
+
+#if defined(ENCRYPTION)
+	encrypt_auto(1);
+	decrypt_auto(1);
+#endif
+
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+#define IPSECOPT	"P:"
+#else
+#define IPSECOPT
+#endif
+	while ((ch = getopt(argc, argv,
+			    "468EKLNS:X:acde:fFk:l:n:rs:t:uxy" IPSECOPT)) != -1)
+#undef IPSECOPT
+	{
+		switch(ch) {
+		case '4':
+			family = AF_INET;
+			break;
+#ifdef INET6
+		case '6':
+			family = AF_INET6;
+			break;
+#endif
+		case '8':
+			eight = 3;	/* binary output and input */
+			break;
+		case 'E':
+			rlogin = escape = _POSIX_VDISABLE;
+			break;
+		case 'K':
+#ifdef	AUTHENTICATION
+			autologin = 0;
+#endif
+			break;
+		case 'L':
+			eight |= 2;	/* binary output only */
+			break;
+		case 'N':
+			doaddrlookup = 0;
+			break;
+		case 'S':
+		    {
+#ifdef	HAS_GETTOS
+			extern int tos;
+
+			if ((tos = parsetos(optarg, "tcp")) < 0)
+				fprintf(stderr, "%s%s%s%s\n",
+					prompt, ": Bad TOS argument '",
+					optarg,
+					"; will try to use default TOS");
+#else
+			fprintf(stderr,
+			   "%s: Warning: -S ignored, no parsetos() support.\n",
+								prompt);
+#endif
+		    }
+			break;
+		case 'X':
+#ifdef	AUTHENTICATION
+			auth_disable_name(optarg);
+#endif
+			break;
+		case 'a':
+			/* It's the default now, so ignore */
+			break;
+		case 'c':
+			skiprc = 1;
+			break;
+		case 'd':
+			debug = 1;
+			break;
+		case 'e':
+			set_escape_char(optarg);
+			break;
+		case 'f':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+			if (forward_flags & OPTS_FORWARD_CREDS) {
+			    fprintf(stderr,
+				    "%s: Only one of -f and -F allowed.\n",
+				    prompt);
+			    usage();
+			}
+			forward_flags |= OPTS_FORWARD_CREDS;
+#else
+			fprintf(stderr,
+			 "%s: Warning: -f ignored, no Kerberos V5 support.\n",
+				prompt);
+#endif
+			break;
+		case 'F':
+#if defined(AUTHENTICATION) && defined(KRB5) && defined(FORWARD)
+			if (forward_flags & OPTS_FORWARD_CREDS) {
+			    fprintf(stderr,
+				    "%s: Only one of -f and -F allowed.\n",
+				    prompt);
+			    usage();
+			}
+			forward_flags |= OPTS_FORWARD_CREDS;
+			forward_flags |= OPTS_FORWARDABLE_CREDS;
+#else
+			fprintf(stderr,
+			 "%s: Warning: -F ignored, no Kerberos V5 support.\n",
+				prompt);
+#endif
+			break;
+		case 'k':
+#if defined(AUTHENTICATION) && defined(KRB4)
+		    {
+			extern char *dest_realm, dst_realm_buf[], dst_realm_sz;
+			dest_realm = dst_realm_buf;
+			(void)strncpy(dest_realm, optarg, dst_realm_sz);
+		    }
+#else
+			fprintf(stderr,
+			   "%s: Warning: -k ignored, no Kerberos V4 support.\n",
+								prompt);
+#endif
+			break;
+		case 'l':
+			user = optarg;
+			break;
+		case 'n':
+#if defined(TN3270) && defined(unix)
+			/* distinguish between "-n oasynch" and "-noasynch" */
+			if (argv[optind - 1][0] == '-' && argv[optind - 1][1]
+			    == 'n' && argv[optind - 1][2] == 'o') {
+				if (!strcmp(optarg, "oasynch")) {
+					noasynchtty = 1;
+					noasynchnet = 1;
+				} else if (!strcmp(optarg, "oasynchtty"))
+					noasynchtty = 1;
+				else if (!strcmp(optarg, "oasynchnet"))
+					noasynchnet = 1;
+			} else
+#endif	/* defined(TN3270) && defined(unix) */
+				SetNetTrace(optarg);
+			break;
+		case 'r':
+			rlogin = '~';
+			break;
+		case 's':
+			src_addr = optarg;
+			break;
+		case 't':
+#if defined(TN3270) && defined(unix)
+			transcom = tline;
+			(void)strcpy(transcom, optarg);
+#else
+			fprintf(stderr,
+			   "%s: Warning: -t ignored, no TN3270 support.\n",
+								prompt);
+#endif
+			break;
+		case 'u':
+			family = AF_UNIX;
+			break;
+		case 'x':
+			/* This is the default now, so ignore it */
+			break;
+		case 'y':
+#ifdef	ENCRYPTION
+			encrypt_auto(0);
+			decrypt_auto(0);
+#endif	/* ENCRYPTION */
+			break;
+#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
+		case 'P':
+			if (!strncmp("in", optarg, 2))
+				ipsec_policy_in = strdup(optarg);
+			else if (!strncmp("out", optarg, 3))
+				ipsec_policy_out = strdup(optarg);
+			else
+				usage();
+			break;
+#endif
+		case '?':
+		default:
+			usage();
+			/* NOTREACHED */
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+
+	if (argc) {
+		char *args[9], **argp = args;
+
+		if (argc > 2)
+			usage();
+		*argp++ = prompt;
+		if (user) {
+			*argp++ = "-l";
+			*argp++ = user;
+		}
+		if (src_addr) {
+			*argp++ = "-s";
+			*argp++ = src_addr;
+		}
+		*argp++ = argv[0];		/* host */
+		if (argc > 1)
+			*argp++ = argv[1];	/* port */
+		*argp = 0;
+
+		if (setjmp(toplevel) != 0)
+			Exit(0);
+		if (tn(argp - args, args) == 1)
+			return (0);
+		else
+			return (1);
+	}
+	(void)setjmp(toplevel);
+	for (;;) {
+#ifdef TN3270
+		if (shell_active)
+			shell_continue();
+		else
+#endif
+			command(1, 0, 0);
+	}
+	return 0;
+}
diff --git a/crypto/telnet/telnet/network.c b/crypto/telnet/telnet/network.c
new file mode 100644
index 0000000..17fff47
--- /dev/null
+++ b/crypto/telnet/telnet/network.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)network.c	8.2 (Berkeley) 12/15/93";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <errno.h>
+
+#include <arpa/telnet.h>
+#include <unistd.h>
+
+#include "ring.h"
+
+#include "defines.h"
+#include "externs.h"
+#include "fdset.h"
+
+Ring		netoring, netiring;
+unsigned char	netobuf[2*BUFSIZ], netibuf[BUFSIZ];
+
+/*
+ * Initialize internal network data structures.
+ */
+
+    void
+init_network()
+{
+    if (ring_init(&netoring, netobuf, sizeof netobuf) != 1) {
+	exit(1);
+    }
+    if (ring_init(&netiring, netibuf, sizeof netibuf) != 1) {
+	exit(1);
+    }
+    NetTrace = stdout;
+}
+
+
+/*
+ * Check to see if any out-of-band data exists on a socket (for
+ * Telnet "synch" processing).
+ */
+
+    int
+stilloob()
+{
+    static struct timeval timeout = { 0 };
+    fd_set	excepts;
+    int value;
+
+    do {
+	FD_ZERO(&excepts);
+	FD_SET(net, &excepts);
+	value = select(net+1, (fd_set *)0, (fd_set *)0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+	perror("select");
+	(void) quit();
+	/* NOTREACHED */
+    }
+    if (FD_ISSET(net, &excepts)) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+
+/*
+ *  setneturg()
+ *
+ *	Sets "neturg" to the current location.
+ */
+
+    void
+setneturg()
+{
+    ring_mark(&netoring);
+}
+
+
+/*
+ *  netflush
+ *		Send as much data as possible to the network,
+ *	handling requests for urgent data.
+ *
+ *		The return value indicates whether we did any
+ *	useful work.
+ */
+
+
+    int
+netflush()
+{
+    register int n, n1;
+
+#ifdef	ENCRYPTION
+    if (encrypt_output)
+	ring_encrypt(&netoring, encrypt_output);
+#endif	/* ENCRYPTION */
+    if ((n1 = n = ring_full_consecutive(&netoring)) > 0) {
+	if (!ring_at_mark(&netoring)) {
+	    n = send(net, (char *)netoring.consume, n, 0); /* normal write */
+	} else {
+	    /*
+	     * In 4.2 (and 4.3) systems, there is some question about
+	     * what byte in a sendOOB operation is the "OOB" data.
+	     * To make ourselves compatible, we only send ONE byte
+	     * out of band, the one WE THINK should be OOB (though
+	     * we really have more the TCP philosophy of urgent data
+	     * rather than the Unix philosophy of OOB data).
+	     */
+	    n = send(net, (char *)netoring.consume, 1, MSG_OOB);/* URGENT data */
+	}
+    }
+    if (n < 0) {
+	if (errno != ENOBUFS && errno != EWOULDBLOCK) {
+	    setcommandmode();
+	    perror(hostname);
+	    (void)NetClose(net);
+	    ring_clear_mark(&netoring);
+	    longjmp(peerdied, -1);
+	    /*NOTREACHED*/
+	}
+	n = 0;
+    }
+    if (netdata && n) {
+	Dump('>', netoring.consume, n);
+    }
+    if (n) {
+	ring_consumed(&netoring, n);
+	/*
+	 * If we sent all, and more to send, then recurse to pick
+	 * up the other half.
+	 */
+	if ((n1 == n) && ring_full_consecutive(&netoring)) {
+	    (void) netflush();
+	}
+	return 1;
+    } else {
+	return 0;
+    }
+}
diff --git a/crypto/telnet/telnet/ring.c b/crypto/telnet/telnet/ring.c
new file mode 100644
index 0000000..268a418
--- /dev/null
+++ b/crypto/telnet/telnet/ring.c
@@ -0,0 +1,369 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)ring.c	8.2 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+/*
+ * This defines a structure for a ring buffer.
+ *
+ * The circular buffer has two parts:
+ *(((
+ *	full:	[consume, supply)
+ *	empty:	[supply, consume)
+ *]]]
+ *
+ */
+
+#include	<stdio.h>
+#include	<errno.h>
+#include	<string.h>
+
+#ifdef	size_t
+#undef	size_t
+#endif
+
+#include	<sys/types.h>
+#ifndef	FILIO_H
+#include	<sys/ioctl.h>
+#endif
+#include	<sys/socket.h>
+
+#include	"ring.h"
+#include	"general.h"
+
+/* Internal macros */
+
+#if	!defined(MIN)
+#define	MIN(a,b)	(((a)<(b))? (a):(b))
+#endif	/* !defined(MIN) */
+
+#define	ring_subtract(d,a,b)	(((a)-(b) >= 0)? \
+					(a)-(b): (((a)-(b))+(d)->size))
+
+#define	ring_increment(d,a,c)	(((a)+(c) < (d)->top)? \
+					(a)+(c) : (((a)+(c))-(d)->size))
+
+#define	ring_decrement(d,a,c)	(((a)-(c) >= (d)->bottom)? \
+					(a)-(c) : (((a)-(c))-(d)->size))
+
+
+/*
+ * The following is a clock, used to determine full, empty, etc.
+ *
+ * There is some trickiness here.  Since the ring buffers are initialized
+ * to ZERO on allocation, we need to make sure, when interpreting the
+ * clock, that when the times are EQUAL, then the buffer is FULL.
+ */
+static u_long ring_clock = 0;
+
+
+#define	ring_empty(d) (((d)->consume == (d)->supply) && \
+				((d)->consumetime >= (d)->supplytime))
+#define	ring_full(d) (((d)->supply == (d)->consume) && \
+				((d)->supplytime > (d)->consumetime))
+
+
+
+
+
+/* Buffer state transition routines */
+
+	int
+    ring_init(ring, buffer, count)
+Ring *ring;
+    unsigned char *buffer;
+    int count;
+{
+    memset((char *)ring, 0, sizeof *ring);
+
+    ring->size = count;
+
+    ring->supply = ring->consume = ring->bottom = buffer;
+
+    ring->top = ring->bottom+ring->size;
+
+#ifdef	ENCRYPTION
+    ring->clearto = 0;
+#endif	/* ENCRYPTION */
+
+    return 1;
+}
+
+/* Mark routines */
+
+/*
+ * Mark the most recently supplied byte.
+ */
+
+    void
+ring_mark(ring)
+    Ring *ring;
+{
+    ring->mark = ring_decrement(ring, ring->supply, 1);
+}
+
+/*
+ * Is the ring pointing to the mark?
+ */
+
+    int
+ring_at_mark(ring)
+    Ring *ring;
+{
+    if (ring->mark == ring->consume) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+/*
+ * Clear any mark set on the ring.
+ */
+
+    void
+ring_clear_mark(ring)
+    Ring *ring;
+{
+    ring->mark = 0;
+}
+
+/*
+ * Add characters from current segment to ring buffer.
+ */
+    void
+ring_supplied(ring, count)
+    Ring *ring;
+    int count;
+{
+    ring->supply = ring_increment(ring, ring->supply, count);
+    ring->supplytime = ++ring_clock;
+}
+
+/*
+ * We have just consumed "c" bytes.
+ */
+    void
+ring_consumed(ring, count)
+    Ring *ring;
+    int count;
+{
+    if (count == 0)	/* don't update anything */
+	return;
+
+    if (ring->mark &&
+		(ring_subtract(ring, ring->mark, ring->consume) < count)) {
+	ring->mark = 0;
+    }
+#ifdef	ENCRYPTION
+    if (ring->consume < ring->clearto &&
+		ring->clearto <= ring->consume + count)
+	ring->clearto = 0;
+    else if (ring->consume + count > ring->top &&
+		ring->bottom <= ring->clearto &&
+		ring->bottom + ((ring->consume + count) - ring->top))
+	ring->clearto = 0;
+#endif	/* ENCRYPTION */
+    ring->consume = ring_increment(ring, ring->consume, count);
+    ring->consumetime = ++ring_clock;
+    /*
+     * Try to encourage "ring_empty_consecutive()" to be large.
+     */
+    if (ring_empty(ring)) {
+	ring->consume = ring->supply = ring->bottom;
+    }
+}
+
+
+
+/* Buffer state query routines */
+
+
+/* Number of bytes that may be supplied */
+    int
+ring_empty_count(ring)
+    Ring *ring;
+{
+    if (ring_empty(ring)) {	/* if empty */
+	    return ring->size;
+    } else {
+	return ring_subtract(ring, ring->consume, ring->supply);
+    }
+}
+
+/* number of CONSECUTIVE bytes that may be supplied */
+    int
+ring_empty_consecutive(ring)
+    Ring *ring;
+{
+    if ((ring->consume < ring->supply) || ring_empty(ring)) {
+			    /*
+			     * if consume is "below" supply, or empty, then
+			     * return distance to the top
+			     */
+	return ring_subtract(ring, ring->top, ring->supply);
+    } else {
+				    /*
+				     * else, return what we may.
+				     */
+	return ring_subtract(ring, ring->consume, ring->supply);
+    }
+}
+
+/* Return the number of bytes that are available for consuming
+ * (but don't give more than enough to get to cross over set mark)
+ */
+
+    int
+ring_full_count(ring)
+    Ring *ring;
+{
+    if ((ring->mark == 0) || (ring->mark == ring->consume)) {
+	if (ring_full(ring)) {
+	    return ring->size;	/* nothing consumed, but full */
+	} else {
+	    return ring_subtract(ring, ring->supply, ring->consume);
+	}
+    } else {
+	return ring_subtract(ring, ring->mark, ring->consume);
+    }
+}
+
+/*
+ * Return the number of CONSECUTIVE bytes available for consuming.
+ * However, don't return more than enough to cross over set mark.
+ */
+    int
+ring_full_consecutive(ring)
+    Ring *ring;
+{
+    if ((ring->mark == 0) || (ring->mark == ring->consume)) {
+	if ((ring->supply < ring->consume) || ring_full(ring)) {
+	    return ring_subtract(ring, ring->top, ring->consume);
+	} else {
+	    return ring_subtract(ring, ring->supply, ring->consume);
+	}
+    } else {
+	if (ring->mark < ring->consume) {
+	    return ring_subtract(ring, ring->top, ring->consume);
+	} else {	/* Else, distance to mark */
+	    return ring_subtract(ring, ring->mark, ring->consume);
+	}
+    }
+}
+
+/*
+ * Move data into the "supply" portion of of the ring buffer.
+ */
+    void
+ring_supply_data(ring, buffer, count)
+    Ring *ring;
+    unsigned char *buffer;
+    int count;
+{
+    int i;
+
+    while (count) {
+	i = MIN(count, ring_empty_consecutive(ring));
+	memmove(ring->supply, buffer, i);
+	ring_supplied(ring, i);
+	count -= i;
+	buffer += i;
+    }
+}
+
+#ifdef notdef
+
+/*
+ * Move data from the "consume" portion of the ring buffer
+ */
+    void
+ring_consume_data(ring, buffer, count)
+    Ring *ring;
+    unsigned char *buffer;
+    int count;
+{
+    int i;
+
+    while (count) {
+	i = MIN(count, ring_full_consecutive(ring));
+	memmove(buffer, ring->consume, i);
+	ring_consumed(ring, i);
+	count -= i;
+	buffer += i;
+    }
+}
+#endif
+
+#ifdef	ENCRYPTION
+    void
+ring_encrypt(ring, encryptor)
+    Ring *ring;
+    void (*encryptor)();
+{
+    unsigned char *s, *c;
+
+    if (ring_empty(ring) || ring->clearto == ring->supply)
+	return;
+
+    if (!(c = ring->clearto))
+	c = ring->consume;
+
+    s = ring->supply;
+
+    if (s <= c) {
+	(*encryptor)(c, ring->top - c);
+	(*encryptor)(ring->bottom, s - ring->bottom);
+    } else
+	(*encryptor)(c, s - c);
+
+    ring->clearto = ring->supply;
+}
+
+    void
+ring_clearto(ring)
+    Ring *ring;
+{
+    if (!ring_empty(ring))
+	ring->clearto = ring->supply;
+    else
+	ring->clearto = 0;
+}
+#endif	/* ENCRYPTION */
diff --git a/crypto/telnet/telnet/ring.h b/crypto/telnet/telnet/ring.h
new file mode 100644
index 0000000..2a36781
--- /dev/null
+++ b/crypto/telnet/telnet/ring.h
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ring.h	8.1 (Berkeley) 6/6/93
+ */
+
+#if defined(P)
+# undef P
+#endif
+
+#if defined(__STDC__) || defined(LINT_ARGS)
+# define	P(x)	x
+#else
+# define	P(x)	()
+#endif
+
+/*
+ * This defines a structure for a ring buffer.
+ *
+ * The circular buffer has two parts:
+ *(((
+ *	full:	[consume, supply)
+ *	empty:	[supply, consume)
+ *]]]
+ *
+ */
+typedef struct {
+    unsigned char	*consume,	/* where data comes out of */
+			*supply,	/* where data comes in to */
+			*bottom,	/* lowest address in buffer */
+			*top,		/* highest address+1 in buffer */
+			*mark;		/* marker (user defined) */
+#ifdef	ENCRYPTION
+    unsigned char	*clearto;	/* Data to this point is clear text */
+    unsigned char	*encryyptedto;	/* Data is encrypted to here */
+#endif	/* ENCRYPTION */
+    int		size;		/* size in bytes of buffer */
+    u_long	consumetime,	/* help us keep straight full, empty, etc. */
+		supplytime;
+} Ring;
+
+/* Here are some functions and macros to deal with the ring buffer */
+
+/* Initialization routine */
+extern int
+	ring_init P((Ring *ring, unsigned char *buffer, int count));
+
+/* Data movement routines */
+extern void
+	ring_supply_data P((Ring *ring, unsigned char *buffer, int count));
+#ifdef notdef
+extern void
+	ring_consume_data P((Ring *ring, unsigned char *buffer, int count));
+#endif
+
+/* Buffer state transition routines */
+extern void
+	ring_supplied P((Ring *ring, int count)),
+	ring_consumed P((Ring *ring, int count));
+
+/* Buffer state query routines */
+extern int
+	ring_empty_count P((Ring *ring)),
+	ring_empty_consecutive P((Ring *ring)),
+	ring_full_count P((Ring *ring)),
+	ring_full_consecutive P((Ring *ring));
+
+#ifdef	ENCRYPTION
+extern void
+	ring_encrypt P((Ring *ring, void (*func)())),
+	ring_clearto P((Ring *ring));
+#endif	/* ENCRYPTION */
+
+extern void
+    ring_clear_mark(),
+    ring_mark();
diff --git a/crypto/telnet/telnet/sys_bsd.c b/crypto/telnet/telnet/sys_bsd.c
new file mode 100644
index 0000000..1d63c22
--- /dev/null
+++ b/crypto/telnet/telnet/sys_bsd.c
@@ -0,0 +1,1244 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)sys_bsd.c	8.4 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+/*
+ * The following routines try to encapsulate what is system dependent
+ * (at least between 4.x and dos) which is used in telnet.c.
+ */
+
+
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <signal.h>
+#include <errno.h>
+#include <arpa/telnet.h>
+#include <unistd.h>
+
+#include "ring.h"
+
+#include "fdset.h"
+
+#include "defines.h"
+#include "externs.h"
+#include "types.h"
+
+#if	defined(CRAY) || (defined(USE_TERMIO) && !defined(SYSV_TERMIO))
+#define	SIG_FUNC_RET	void
+#else
+#define	SIG_FUNC_RET	int
+#endif
+
+#ifdef	SIGINFO
+extern SIG_FUNC_RET ayt_status();
+#endif
+
+int
+	tout,			/* Output file descriptor */
+	tin,			/* Input file descriptor */
+	net;
+
+#ifndef	USE_TERMIO
+struct	tchars otc = { 0 }, ntc = { 0 };
+struct	ltchars oltc = { 0 }, nltc = { 0 };
+struct	sgttyb ottyb = { 0 }, nttyb = { 0 };
+int	olmode = 0;
+# define cfgetispeed(ptr)	(ptr)->sg_ispeed
+# define cfgetospeed(ptr)	(ptr)->sg_ospeed
+# define old_tc ottyb
+
+#else	/* USE_TERMIO */
+struct	termio old_tc = { 0 };
+extern struct termio new_tc;
+
+# ifndef	TCSANOW
+#  ifdef TCSETS
+#   define	TCSANOW		TCSETS
+#   define	TCSADRAIN	TCSETSW
+#   define	tcgetattr(f, t) ioctl(f, TCGETS, (char *)t)
+#  else
+#   ifdef TCSETA
+#    define	TCSANOW		TCSETA
+#    define	TCSADRAIN	TCSETAW
+#    define	tcgetattr(f, t) ioctl(f, TCGETA, (char *)t)
+#   else
+#    define	TCSANOW		TIOCSETA
+#    define	TCSADRAIN	TIOCSETAW
+#    define	tcgetattr(f, t) ioctl(f, TIOCGETA, (char *)t)
+#   endif
+#  endif
+#  define	tcsetattr(f, a, t) ioctl(f, a, (char *)t)
+#  define	cfgetospeed(ptr)	((ptr)->c_cflag&CBAUD)
+#  ifdef CIBAUD
+#   define	cfgetispeed(ptr)	(((ptr)->c_cflag&CIBAUD) >> IBSHIFT)
+#  else
+#   define	cfgetispeed(ptr)	cfgetospeed(ptr)
+#  endif
+# endif /* TCSANOW */
+# ifdef	sysV88
+# define TIOCFLUSH TC_PX_DRAIN
+# endif
+#endif	/* USE_TERMIO */
+
+static fd_set ibits, obits, xbits;
+
+
+    void
+init_sys()
+{
+    tout = fileno(stdout);
+    tin = fileno(stdin);
+    FD_ZERO(&ibits);
+    FD_ZERO(&obits);
+    FD_ZERO(&xbits);
+
+    errno = 0;
+}
+
+
+    int
+TerminalWrite(buf, n)
+    char *buf;
+    int  n;
+{
+    return write(tout, buf, n);
+}
+
+    int
+TerminalRead(buf, n)
+    char *buf;
+    int  n;
+{
+    return read(tin, buf, n);
+}
+
+/*
+ *
+ */
+
+    int
+TerminalAutoFlush()
+{
+#if	defined(LNOFLSH)
+    int flush;
+
+    ioctl(0, TIOCLGET, (char *)&flush);
+    return !(flush&LNOFLSH);	/* if LNOFLSH, no autoflush */
+#else	/* LNOFLSH */
+    return 1;
+#endif	/* LNOFLSH */
+}
+
+#ifdef	KLUDGELINEMODE
+extern int kludgelinemode;
+#endif
+/*
+ * TerminalSpecialChars()
+ *
+ * Look at an input character to see if it is a special character
+ * and decide what to do.
+ *
+ * Output:
+ *
+ *	0	Don't add this character.
+ *	1	Do add this character
+ */
+
+extern void xmitAO(), xmitEL(), xmitEC(), intp(), sendbrk();
+
+    int
+TerminalSpecialChars(c)
+    int	c;
+{
+    if (c == termIntChar) {
+	intp();
+	return 0;
+    } else if (c == termQuitChar) {
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode)
+	    sendbrk();
+	else
+#endif
+	    sendabort();
+	return 0;
+    } else if (c == termEofChar) {
+	if (my_want_state_is_will(TELOPT_LINEMODE)) {
+	    sendeof();
+	    return 0;
+	}
+	return 1;
+    } else if (c == termSuspChar) {
+	sendsusp();
+	return(0);
+    } else if (c == termFlushChar) {
+	xmitAO();		/* Transmit Abort Output */
+	return 0;
+    } else if (!MODE_LOCAL_CHARS(globalmode)) {
+	if (c == termKillChar) {
+	    xmitEL();
+	    return 0;
+	} else if (c == termEraseChar) {
+	    xmitEC();		/* Transmit Erase Character */
+	    return 0;
+	}
+    }
+    return 1;
+}
+
+
+/*
+ * Flush output to the terminal
+ */
+
+    void
+TerminalFlushOutput()
+{
+#ifdef	TIOCFLUSH
+    (void) ioctl(fileno(stdout), TIOCFLUSH, (char *) 0);
+#else
+    (void) ioctl(fileno(stdout), TCFLSH, (char *) 0);
+#endif
+}
+
+    void
+TerminalSaveState()
+{
+#ifndef	USE_TERMIO
+    ioctl(0, TIOCGETP, (char *)&ottyb);
+    ioctl(0, TIOCGETC, (char *)&otc);
+    ioctl(0, TIOCGLTC, (char *)&oltc);
+    ioctl(0, TIOCLGET, (char *)&olmode);
+
+    ntc = otc;
+    nltc = oltc;
+    nttyb = ottyb;
+
+#else	/* USE_TERMIO */
+    tcgetattr(0, &old_tc);
+
+    new_tc = old_tc;
+
+#ifndef	VDISCARD
+    termFlushChar = CONTROL('O');
+#endif
+#ifndef	VWERASE
+    termWerasChar = CONTROL('W');
+#endif
+#ifndef	VREPRINT
+    termRprntChar = CONTROL('R');
+#endif
+#ifndef	VLNEXT
+    termLiteralNextChar = CONTROL('V');
+#endif
+#ifndef	VSTART
+    termStartChar = CONTROL('Q');
+#endif
+#ifndef	VSTOP
+    termStopChar = CONTROL('S');
+#endif
+#ifndef	VSTATUS
+    termAytChar = CONTROL('T');
+#endif
+#endif	/* USE_TERMIO */
+}
+
+    cc_t *
+tcval(func)
+    register int func;
+{
+    switch(func) {
+    case SLC_IP:	return(&termIntChar);
+    case SLC_ABORT:	return(&termQuitChar);
+    case SLC_EOF:	return(&termEofChar);
+    case SLC_EC:	return(&termEraseChar);
+    case SLC_EL:	return(&termKillChar);
+    case SLC_XON:	return(&termStartChar);
+    case SLC_XOFF:	return(&termStopChar);
+    case SLC_FORW1:	return(&termForw1Char);
+#ifdef	USE_TERMIO
+    case SLC_FORW2:	return(&termForw2Char);
+# ifdef	VDISCARD
+    case SLC_AO:	return(&termFlushChar);
+# endif
+# ifdef	VSUSP
+    case SLC_SUSP:	return(&termSuspChar);
+# endif
+# ifdef	VWERASE
+    case SLC_EW:	return(&termWerasChar);
+# endif
+# ifdef	VREPRINT
+    case SLC_RP:	return(&termRprntChar);
+# endif
+# ifdef	VLNEXT
+    case SLC_LNEXT:	return(&termLiteralNextChar);
+# endif
+# ifdef	VSTATUS
+    case SLC_AYT:	return(&termAytChar);
+# endif
+#endif
+
+    case SLC_SYNCH:
+    case SLC_BRK:
+    case SLC_EOR:
+    default:
+	return((cc_t *)0);
+    }
+}
+
+    void
+TerminalDefaultChars()
+{
+#ifndef	USE_TERMIO
+    ntc = otc;
+    nltc = oltc;
+    nttyb.sg_kill = ottyb.sg_kill;
+    nttyb.sg_erase = ottyb.sg_erase;
+#else	/* USE_TERMIO */
+    memmove(new_tc.c_cc, old_tc.c_cc, sizeof(old_tc.c_cc));
+# ifndef	VDISCARD
+    termFlushChar = CONTROL('O');
+# endif
+# ifndef	VWERASE
+    termWerasChar = CONTROL('W');
+# endif
+# ifndef	VREPRINT
+    termRprntChar = CONTROL('R');
+# endif
+# ifndef	VLNEXT
+    termLiteralNextChar = CONTROL('V');
+# endif
+# ifndef	VSTART
+    termStartChar = CONTROL('Q');
+# endif
+# ifndef	VSTOP
+    termStopChar = CONTROL('S');
+# endif
+# ifndef	VSTATUS
+    termAytChar = CONTROL('T');
+# endif
+#endif	/* USE_TERMIO */
+}
+
+#ifdef notdef
+void
+TerminalRestoreState()
+{
+}
+#endif
+
+/*
+ * TerminalNewMode - set up terminal to a specific mode.
+ *	MODE_ECHO: do local terminal echo
+ *	MODE_FLOW: do local flow control
+ *	MODE_TRAPSIG: do local mapping to TELNET IAC sequences
+ *	MODE_EDIT: do local line editing
+ *
+ *	Command mode:
+ *		MODE_ECHO|MODE_EDIT|MODE_FLOW|MODE_TRAPSIG
+ *		local echo
+ *		local editing
+ *		local xon/xoff
+ *		local signal mapping
+ *
+ *	Linemode:
+ *		local/no editing
+ *	Both Linemode and Single Character mode:
+ *		local/remote echo
+ *		local/no xon/xoff
+ *		local/no signal mapping
+ */
+
+
+    void
+TerminalNewMode(f)
+    register int f;
+{
+    static int prevmode = 0;
+#ifndef	USE_TERMIO
+    struct tchars tc;
+    struct ltchars ltc;
+    struct sgttyb sb;
+    int lmode;
+#else	/* USE_TERMIO */
+    struct termio tmp_tc;
+#endif	/* USE_TERMIO */
+    int onoff;
+    int old;
+    cc_t esc;
+
+    globalmode = f&~MODE_FORCE;
+    if (prevmode == f)
+	return;
+
+    /*
+     * Write any outstanding data before switching modes
+     * ttyflush() returns 0 only when there is no more data
+     * left to write out, it returns -1 if it couldn't do
+     * anything at all, otherwise it returns 1 + the number
+     * of characters left to write.
+#ifndef	USE_TERMIO
+     * We would really like ask the kernel to wait for the output
+     * to drain, like we can do with the TCSADRAIN, but we don't have
+     * that option.  The only ioctl that waits for the output to
+     * drain, TIOCSETP, also flushes the input queue, which is NOT
+     * what we want (TIOCSETP is like TCSADFLUSH).
+#endif
+     */
+    old = ttyflush(SYNCHing|flushout);
+    if (old < 0 || old > 1) {
+#ifdef	USE_TERMIO
+	tcgetattr(tin, &tmp_tc);
+#endif	/* USE_TERMIO */
+	do {
+	    /*
+	     * Wait for data to drain, then flush again.
+	     */
+#ifdef	USE_TERMIO
+	    tcsetattr(tin, TCSADRAIN, &tmp_tc);
+#endif	/* USE_TERMIO */
+	    old = ttyflush(SYNCHing|flushout);
+	} while (old < 0 || old > 1);
+    }
+
+    old = prevmode;
+    prevmode = f&~MODE_FORCE;
+#ifndef	USE_TERMIO
+    sb = nttyb;
+    tc = ntc;
+    ltc = nltc;
+    lmode = olmode;
+#else
+    tmp_tc = new_tc;
+#endif
+
+    if (f&MODE_ECHO) {
+#ifndef	USE_TERMIO
+	sb.sg_flags |= ECHO;
+#else
+	tmp_tc.c_lflag |= ECHO;
+	tmp_tc.c_oflag |= ONLCR;
+	if (crlf)
+		tmp_tc.c_iflag |= ICRNL;
+#endif
+    } else {
+#ifndef	USE_TERMIO
+	sb.sg_flags &= ~ECHO;
+#else
+	tmp_tc.c_lflag &= ~ECHO;
+	tmp_tc.c_oflag &= ~ONLCR;
+# ifdef notdef
+	if (crlf)
+		tmp_tc.c_iflag &= ~ICRNL;
+# endif
+#endif
+    }
+
+    if ((f&MODE_FLOW) == 0) {
+#ifndef	USE_TERMIO
+	tc.t_startc = _POSIX_VDISABLE;
+	tc.t_stopc = _POSIX_VDISABLE;
+#else
+	tmp_tc.c_iflag &= ~(IXOFF|IXON);	/* Leave the IXANY bit alone */
+    } else {
+	if (restartany < 0) {
+		tmp_tc.c_iflag |= IXOFF|IXON;	/* Leave the IXANY bit alone */
+	} else if (restartany > 0) {
+		tmp_tc.c_iflag |= IXOFF|IXON|IXANY;
+	} else {
+		tmp_tc.c_iflag |= IXOFF|IXON;
+		tmp_tc.c_iflag &= ~IXANY;
+	}
+#endif
+    }
+
+    if ((f&MODE_TRAPSIG) == 0) {
+#ifndef	USE_TERMIO
+	tc.t_intrc = _POSIX_VDISABLE;
+	tc.t_quitc = _POSIX_VDISABLE;
+	tc.t_eofc = _POSIX_VDISABLE;
+	ltc.t_suspc = _POSIX_VDISABLE;
+	ltc.t_dsuspc = _POSIX_VDISABLE;
+#else
+	tmp_tc.c_lflag &= ~ISIG;
+#endif
+	localchars = 0;
+    } else {
+#ifdef	USE_TERMIO
+	tmp_tc.c_lflag |= ISIG;
+#endif
+	localchars = 1;
+    }
+
+    if (f&MODE_EDIT) {
+#ifndef	USE_TERMIO
+	sb.sg_flags &= ~CBREAK;
+	sb.sg_flags |= CRMOD;
+#else
+	tmp_tc.c_lflag |= ICANON;
+#endif
+    } else {
+#ifndef	USE_TERMIO
+	sb.sg_flags |= CBREAK;
+	if (f&MODE_ECHO)
+	    sb.sg_flags |= CRMOD;
+	else
+	    sb.sg_flags &= ~CRMOD;
+#else
+	tmp_tc.c_lflag &= ~ICANON;
+	tmp_tc.c_iflag &= ~ICRNL;
+	tmp_tc.c_cc[VMIN] = 1;
+	tmp_tc.c_cc[VTIME] = 0;
+#endif
+    }
+
+    if ((f&(MODE_EDIT|MODE_TRAPSIG)) == 0) {
+#ifndef	USE_TERMIO
+	ltc.t_lnextc = _POSIX_VDISABLE;
+#else
+# ifdef VLNEXT
+	tmp_tc.c_cc[VLNEXT] = (cc_t)(_POSIX_VDISABLE);
+# endif
+#endif
+    }
+
+    if (f&MODE_SOFT_TAB) {
+#ifndef USE_TERMIO
+	sb.sg_flags |= XTABS;
+#else
+# ifdef	OXTABS
+	tmp_tc.c_oflag |= OXTABS;
+# endif
+# ifdef	TABDLY
+	tmp_tc.c_oflag &= ~TABDLY;
+	tmp_tc.c_oflag |= TAB3;
+# endif
+#endif
+    } else {
+#ifndef USE_TERMIO
+	sb.sg_flags &= ~XTABS;
+#else
+# ifdef	OXTABS
+	tmp_tc.c_oflag &= ~OXTABS;
+# endif
+# ifdef	TABDLY
+	tmp_tc.c_oflag &= ~TABDLY;
+# endif
+#endif
+    }
+
+    if (f&MODE_LIT_ECHO) {
+#ifndef USE_TERMIO
+	lmode &= ~LCTLECH;
+#else
+# ifdef	ECHOCTL
+	tmp_tc.c_lflag &= ~ECHOCTL;
+# endif
+#endif
+    } else {
+#ifndef USE_TERMIO
+	lmode |= LCTLECH;
+#else
+# ifdef	ECHOCTL
+	tmp_tc.c_lflag |= ECHOCTL;
+# endif
+#endif
+    }
+
+    if (f == -1) {
+	onoff = 0;
+    } else {
+#ifndef	USE_TERMIO
+	if (f & MODE_OUTBIN)
+		lmode |= LLITOUT;
+	else
+		lmode &= ~LLITOUT;
+
+	if (f & MODE_INBIN)
+		lmode |= LPASS8;
+	else
+		lmode &= ~LPASS8;
+#else
+	if (f & MODE_INBIN)
+		tmp_tc.c_iflag &= ~ISTRIP;
+	else
+		tmp_tc.c_iflag |= ISTRIP;
+	if (f & MODE_OUTBIN) {
+		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+		tmp_tc.c_cflag |= CS8;
+		tmp_tc.c_oflag &= ~OPOST;
+	} else {
+		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+		tmp_tc.c_cflag |= old_tc.c_cflag & (CSIZE|PARENB);
+		tmp_tc.c_oflag |= OPOST;
+	}
+#endif
+	onoff = 1;
+    }
+
+    if (f != -1) {
+#ifdef	SIGINT
+	SIG_FUNC_RET intr();
+#endif	/* SIGINT */
+#ifdef	SIGQUIT
+	SIG_FUNC_RET intr2();
+#endif	/* SIGQUIT */
+#ifdef	SIGTSTP
+	SIG_FUNC_RET susp();
+#endif	/* SIGTSTP */
+#ifdef	SIGINFO
+	SIG_FUNC_RET ayt();
+#endif
+
+#ifdef  SIGINT
+	(void) signal(SIGINT, intr);
+#endif
+#ifdef  SIGQUIT
+        (void) signal(SIGQUIT, intr2);
+#endif
+#ifdef	SIGTSTP
+	(void) signal(SIGTSTP, susp);
+#endif	/* SIGTSTP */
+#ifdef	SIGINFO
+	(void) signal(SIGINFO, ayt);
+#endif
+#if	defined(USE_TERMIO) && defined(NOKERNINFO)
+	tmp_tc.c_lflag |= NOKERNINFO;
+#endif
+	/*
+	 * We don't want to process ^Y here.  It's just another
+	 * character that we'll pass on to the back end.  It has
+	 * to process it because it will be processed when the
+	 * user attempts to read it, not when we send it.
+	 */
+#ifndef	USE_TERMIO
+	ltc.t_dsuspc = _POSIX_VDISABLE;
+#else
+# ifdef	VDSUSP
+	tmp_tc.c_cc[VDSUSP] = (cc_t)(_POSIX_VDISABLE);
+# endif
+#endif
+#ifdef	USE_TERMIO
+	/*
+	 * If the VEOL character is already set, then use VEOL2,
+	 * otherwise use VEOL.
+	 */
+	esc = (rlogin != _POSIX_VDISABLE) ? rlogin : escape;
+	if ((tmp_tc.c_cc[VEOL] != esc)
+# ifdef	VEOL2
+	    && (tmp_tc.c_cc[VEOL2] != esc)
+# endif
+	    ) {
+		if (tmp_tc.c_cc[VEOL] == (cc_t)(_POSIX_VDISABLE))
+		    tmp_tc.c_cc[VEOL] = esc;
+# ifdef	VEOL2
+		else if (tmp_tc.c_cc[VEOL2] == (cc_t)(_POSIX_VDISABLE))
+		    tmp_tc.c_cc[VEOL2] = esc;
+# endif
+	}
+#else
+	if (tc.t_brkc == (cc_t)(_POSIX_VDISABLE))
+		tc.t_brkc = esc;
+#endif
+    } else {
+#ifdef	SIGINFO
+	SIG_FUNC_RET ayt_status();
+
+	(void) signal(SIGINFO, ayt_status);
+#endif
+#ifdef  SIGINT
+	(void) signal(SIGINT, SIG_DFL);
+#endif
+#ifdef  SIGQUIT
+	(void) signal(SIGQUIT, SIG_DFL);
+#endif
+#ifdef	SIGTSTP
+	(void) signal(SIGTSTP, SIG_DFL);
+# ifndef SOLARIS
+	(void) sigsetmask(sigblock(0) & ~(1<<(SIGTSTP-1)));
+# else	SOLARIS
+	(void) sigrelse(SIGTSTP);
+# endif	SOLARIS
+#endif	/* SIGTSTP */
+#ifndef USE_TERMIO
+	ltc = oltc;
+	tc = otc;
+	sb = ottyb;
+	lmode = olmode;
+#else
+	tmp_tc = old_tc;
+#endif
+    }
+#ifndef USE_TERMIO
+    ioctl(tin, TIOCLSET, (char *)&lmode);
+    ioctl(tin, TIOCSLTC, (char *)&ltc);
+    ioctl(tin, TIOCSETC, (char *)&tc);
+    ioctl(tin, TIOCSETN, (char *)&sb);
+#else
+    if (tcsetattr(tin, TCSADRAIN, &tmp_tc) < 0)
+	tcsetattr(tin, TCSANOW, &tmp_tc);
+#endif
+
+#if	(!defined(TN3270)) || ((!defined(NOT43)) || defined(PUTCHAR))
+# if	!defined(sysV88)
+    ioctl(tin, FIONBIO, (char *)&onoff);
+    ioctl(tout, FIONBIO, (char *)&onoff);
+# endif
+#endif	/* (!defined(TN3270)) || ((!defined(NOT43)) || defined(PUTCHAR)) */
+#if	defined(TN3270)
+    if (noasynchtty == 0) {
+	ioctl(tin, FIOASYNC, (char *)&onoff);
+    }
+#endif	/* defined(TN3270) */
+
+}
+
+/*
+ * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD).
+ */
+#if B4800 != 4800
+#define	DECODE_BAUD
+#endif
+
+#ifdef	DECODE_BAUD
+#ifndef	B7200
+#define B7200   B4800
+#endif
+
+#ifndef	B14400
+#define B14400  B9600
+#endif
+
+#ifndef	B19200
+# define B19200 B14400
+#endif
+
+#ifndef	B28800
+#define B28800  B19200
+#endif
+
+#ifndef	B38400
+# define B38400 B28800
+#endif
+
+#ifndef B57600
+#define B57600  B38400
+#endif
+
+#ifndef B76800
+#define B76800  B57600
+#endif
+
+#ifndef B115200
+#define B115200 B76800
+#endif
+
+#ifndef B230400
+#define B230400 B115200
+#endif
+
+
+/*
+ * This code assumes that the values B0, B50, B75...
+ * are in ascending order.  They do not have to be
+ * contiguous.
+ */
+struct termspeeds {
+	long speed;
+	long value;
+} termspeeds[] = {
+	{ 0,      B0 },      { 50,    B50 },    { 75,     B75 },
+	{ 110,    B110 },    { 134,   B134 },   { 150,    B150 },
+	{ 200,    B200 },    { 300,   B300 },   { 600,    B600 },
+	{ 1200,   B1200 },   { 1800,  B1800 },  { 2400,   B2400 },
+	{ 4800,   B4800 },   { 7200,  B7200 },  { 9600,   B9600 },
+	{ 14400,  B14400 },  { 19200, B19200 }, { 28800,  B28800 },
+	{ 38400,  B38400 },  { 57600, B57600 }, { 115200, B115200 },
+	{ 230400, B230400 }, { -1,    B230400 }
+};
+#endif	/* DECODE_BAUD */
+
+    void
+TerminalSpeeds(ispeed, ospeed)
+    long *ispeed;
+    long *ospeed;
+{
+#ifdef	DECODE_BAUD
+    register struct termspeeds *tp;
+#endif	/* DECODE_BAUD */
+    register long in, out;
+
+    out = cfgetospeed(&old_tc);
+    in = cfgetispeed(&old_tc);
+    if (in == 0)
+	in = out;
+
+#ifdef	DECODE_BAUD
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < in))
+	tp++;
+    *ispeed = tp->speed;
+
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < out))
+	tp++;
+    *ospeed = tp->speed;
+#else	/* DECODE_BAUD */
+	*ispeed = in;
+	*ospeed = out;
+#endif	/* DECODE_BAUD */
+}
+
+    int
+TerminalWindowSize(rows, cols)
+    long *rows, *cols;
+{
+#ifdef	TIOCGWINSZ
+    struct winsize ws;
+
+    if (ioctl(fileno(stdin), TIOCGWINSZ, (char *)&ws) >= 0) {
+	*rows = ws.ws_row;
+	*cols = ws.ws_col;
+	return 1;
+    }
+#endif	/* TIOCGWINSZ */
+    return 0;
+}
+
+    int
+NetClose(fd)
+    int	fd;
+{
+    return close(fd);
+}
+
+
+    void
+NetNonblockingIO(fd, onoff)
+    int fd;
+    int onoff;
+{
+    ioctl(fd, FIONBIO, (char *)&onoff);
+}
+
+#if	defined(TN3270)
+    void
+NetSigIO(fd, onoff)
+    int fd;
+    int onoff;
+{
+    ioctl(fd, FIOASYNC, (char *)&onoff);	/* hear about input */
+}
+
+    void
+NetSetPgrp(fd)
+    int fd;
+{
+    int myPid;
+
+    myPid = getpid();
+    fcntl(fd, F_SETOWN, myPid);
+}
+#endif	/*defined(TN3270)*/
+
+/*
+ * Various signal handling routines.
+ */
+
+    /* ARGSUSED */
+    SIG_FUNC_RET
+deadpeer(sig)
+    int sig;
+{
+	setcommandmode();
+	longjmp(peerdied, -1);
+}
+
+    /* ARGSUSED */
+    SIG_FUNC_RET
+intr(sig)
+    int sig;
+{
+    if (localchars) {
+	intp();
+	return;
+    }
+    setcommandmode();
+    longjmp(toplevel, -1);
+}
+
+    /* ARGSUSED */
+    SIG_FUNC_RET
+intr2(sig)
+    int sig;
+{
+    if (localchars) {
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode)
+	    sendbrk();
+	else
+#endif
+	    sendabort();
+	return;
+    }
+}
+
+#ifdef	SIGTSTP
+    /* ARGSUSED */
+    SIG_FUNC_RET
+susp(sig)
+    int sig;
+{
+    if ((rlogin != _POSIX_VDISABLE) && rlogin_susp())
+	return;
+    if (localchars)
+	sendsusp();
+}
+#endif
+
+#ifdef	SIGWINCH
+    /* ARGSUSED */
+    SIG_FUNC_RET
+sendwin(sig)
+    int sig;
+{
+    if (connected) {
+	sendnaws();
+    }
+}
+#endif
+
+#ifdef	SIGINFO
+    /* ARGSUSED */
+    SIG_FUNC_RET
+ayt(sig)
+    int sig;
+{
+    if (connected)
+	sendayt();
+    else
+	ayt_status();
+}
+#endif
+
+
+    void
+sys_telnet_init()
+{
+    (void) signal(SIGINT, intr);
+    (void) signal(SIGQUIT, intr2);
+    (void) signal(SIGPIPE, deadpeer);
+#ifdef	SIGWINCH
+    (void) signal(SIGWINCH, sendwin);
+#endif
+#ifdef	SIGTSTP
+    (void) signal(SIGTSTP, susp);
+#endif
+#ifdef	SIGINFO
+    (void) signal(SIGINFO, ayt);
+#endif
+
+    setconnmode(0);
+
+    NetNonblockingIO(net, 1);
+
+#if	defined(TN3270)
+    if (noasynchnet == 0) {			/* DBX can't handle! */
+	NetSigIO(net, 1);
+	NetSetPgrp(net);
+    }
+#endif	/* defined(TN3270) */
+
+#if	defined(SO_OOBINLINE)
+    if (SetSockOpt(net, SOL_SOCKET, SO_OOBINLINE, 1) == -1) {
+	perror("SetSockOpt");
+    }
+#endif	/* defined(SO_OOBINLINE) */
+}
+
+/*
+ * Process rings -
+ *
+ *	This routine tries to fill up/empty our various rings.
+ *
+ *	The parameter specifies whether this is a poll operation,
+ *	or a block-until-something-happens operation.
+ *
+ *	The return value is 1 if something happened, 0 if not.
+ */
+
+    int
+process_rings(netin, netout, netex, ttyin, ttyout, poll)
+    int poll;		/* If 0, then block until something to do */
+{
+    register int c;
+		/* One wants to be a bit careful about setting returnValue
+		 * to one, since a one implies we did some useful work,
+		 * and therefore probably won't be called to block next
+		 * time (TN3270 mode only).
+		 */
+    int returnValue = 0;
+    static struct timeval TimeValue = { 0 };
+
+    if (netout) {
+	FD_SET(net, &obits);
+    }
+    if (ttyout) {
+	FD_SET(tout, &obits);
+    }
+#if	defined(TN3270)
+    if (ttyin) {
+	FD_SET(tin, &ibits);
+    }
+#else	/* defined(TN3270) */
+    if (ttyin) {
+	FD_SET(tin, &ibits);
+    }
+#endif	/* defined(TN3270) */
+#if	defined(TN3270)
+    if (netin) {
+	FD_SET(net, &ibits);
+    }
+#   else /* !defined(TN3270) */
+    if (netin) {
+	FD_SET(net, &ibits);
+    }
+#   endif /* !defined(TN3270) */
+    if (netex) {
+	FD_SET(net, &xbits);
+    }
+    if ((c = select(16, &ibits, &obits, &xbits,
+			(poll == 0)? (struct timeval *)0 : &TimeValue)) < 0) {
+	if (c == -1) {
+		    /*
+		     * we can get EINTR if we are in line mode,
+		     * and the user does an escape (TSTP), or
+		     * some other signal generator.
+		     */
+	    if (errno == EINTR) {
+		return 0;
+	    }
+#	    if defined(TN3270)
+		    /*
+		     * we can get EBADF if we were in transparent
+		     * mode, and the transcom process died.
+		    */
+	    if (errno == EBADF) {
+			/*
+			 * zero the bits (even though kernel does it)
+			 * to make sure we are selecting on the right
+			 * ones.
+			*/
+		FD_ZERO(&ibits);
+		FD_ZERO(&obits);
+		FD_ZERO(&xbits);
+		return 0;
+	    }
+#	    endif /* defined(TN3270) */
+		    /* I don't like this, does it ever happen? */
+	    printf("sleep(5) from telnet, after select: %s\r\n", strerror(errno));
+	    sleep(5);
+	}
+	return 0;
+    }
+
+    /*
+     * Any urgent data?
+     */
+    if (FD_ISSET(net, &xbits)) {
+	FD_CLR(net, &xbits);
+	SYNCHing = 1;
+	(void) ttyflush(1);	/* flush already enqueued data */
+    }
+
+    /*
+     * Something to read from the network...
+     */
+    if (FD_ISSET(net, &ibits)) {
+	int canread;
+
+	FD_CLR(net, &ibits);
+	canread = ring_empty_consecutive(&netiring);
+#if	!defined(SO_OOBINLINE)
+	    /*
+	     * In 4.2 (and some early 4.3) systems, the
+	     * OOB indication and data handling in the kernel
+	     * is such that if two separate TCP Urgent requests
+	     * come in, one byte of TCP data will be overlaid.
+	     * This is fatal for Telnet, but we try to live
+	     * with it.
+	     *
+	     * In addition, in 4.2 (and...), a special protocol
+	     * is needed to pick up the TCP Urgent data in
+	     * the correct sequence.
+	     *
+	     * What we do is:  if we think we are in urgent
+	     * mode, we look to see if we are "at the mark".
+	     * If we are, we do an OOB receive.  If we run
+	     * this twice, we will do the OOB receive twice,
+	     * but the second will fail, since the second
+	     * time we were "at the mark", but there wasn't
+	     * any data there (the kernel doesn't reset
+	     * "at the mark" until we do a normal read).
+	     * Once we've read the OOB data, we go ahead
+	     * and do normal reads.
+	     *
+	     * There is also another problem, which is that
+	     * since the OOB byte we read doesn't put us
+	     * out of OOB state, and since that byte is most
+	     * likely the TELNET DM (data mark), we would
+	     * stay in the TELNET SYNCH (SYNCHing) state.
+	     * So, clocks to the rescue.  If we've "just"
+	     * received a DM, then we test for the
+	     * presence of OOB data when the receive OOB
+	     * fails (and AFTER we did the normal mode read
+	     * to clear "at the mark").
+	     */
+	if (SYNCHing) {
+	    int atmark;
+	    static int bogus_oob = 0, first = 1;
+
+	    ioctl(net, SIOCATMARK, (char *)&atmark);
+	    if (atmark) {
+		c = recv(net, netiring.supply, canread, MSG_OOB);
+		if ((c == -1) && (errno == EINVAL)) {
+		    c = recv(net, netiring.supply, canread, 0);
+		    if (clocks.didnetreceive < clocks.gotDM) {
+			SYNCHing = stilloob(net);
+		    }
+		} else if (first && c > 0) {
+		    /*
+		     * Bogosity check.  Systems based on 4.2BSD
+		     * do not return an error if you do a second
+		     * recv(MSG_OOB).  So, we do one.  If it
+		     * succeeds and returns exactly the same
+		     * data, then assume that we are running
+		     * on a broken system and set the bogus_oob
+		     * flag.  (If the data was different, then
+		     * we probably got some valid new data, so
+		     * increment the count...)
+		     */
+		    int i;
+		    i = recv(net, netiring.supply + c, canread - c, MSG_OOB);
+		    if (i == c &&
+			 memcmp(netiring.supply, netiring.supply + c, i) == 0) {
+			bogus_oob = 1;
+			first = 0;
+		    } else if (i < 0) {
+			bogus_oob = 0;
+			first = 0;
+		    } else
+			c += i;
+		}
+		if (bogus_oob && c > 0) {
+		    int i;
+		    /*
+		     * Bogosity.  We have to do the read
+		     * to clear the atmark to get out of
+		     * an infinate loop.
+		     */
+		    i = read(net, netiring.supply + c, canread - c);
+		    if (i > 0)
+			c += i;
+		}
+	    } else {
+		c = recv(net, netiring.supply, canread, 0);
+	    }
+	} else {
+	    c = recv(net, netiring.supply, canread, 0);
+	}
+	settimer(didnetreceive);
+#else	/* !defined(SO_OOBINLINE) */
+	c = recv(net, (char *)netiring.supply, canread, 0);
+#endif	/* !defined(SO_OOBINLINE) */
+	if (c < 0 && errno == EWOULDBLOCK) {
+	    c = 0;
+	} else if (c <= 0) {
+	    return -1;
+	}
+	if (netdata) {
+	    Dump('<', netiring.supply, c);
+	}
+	if (c)
+	    ring_supplied(&netiring, c);
+	returnValue = 1;
+    }
+
+    /*
+     * Something to read from the tty...
+     */
+    if (FD_ISSET(tin, &ibits)) {
+	FD_CLR(tin, &ibits);
+	c = TerminalRead(ttyiring.supply, ring_empty_consecutive(&ttyiring));
+	if (c < 0 && errno == EIO)
+	    c = 0;
+	if (c < 0 && errno == EWOULDBLOCK) {
+	    c = 0;
+	} else {
+	    /* EOF detection for line mode!!!! */
+	    if ((c == 0) && MODE_LOCAL_CHARS(globalmode) && isatty(tin)) {
+			/* must be an EOF... */
+		*ttyiring.supply = termEofChar;
+		c = 1;
+	    }
+	    if (c <= 0) {
+		return -1;
+	    }
+	    if (termdata) {
+		Dump('<', ttyiring.supply, c);
+	    }
+	    ring_supplied(&ttyiring, c);
+	}
+	returnValue = 1;		/* did something useful */
+    }
+
+    if (FD_ISSET(net, &obits)) {
+	FD_CLR(net, &obits);
+	returnValue |= netflush();
+    }
+    if (FD_ISSET(tout, &obits)) {
+	FD_CLR(tout, &obits);
+	returnValue |= (ttyflush(SYNCHing|flushout) > 0);
+    }
+
+    return returnValue;
+}
diff --git a/crypto/telnet/telnet/telnet.1 b/crypto/telnet/telnet/telnet.1
new file mode 100644
index 0000000..20d0e23
--- /dev/null
+++ b/crypto/telnet/telnet/telnet.1
@@ -0,0 +1,1435 @@
+.\" Copyright (c) 1983, 1990, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)telnet.1	8.6 (Berkeley) 6/1/94
+.\" $FreeBSD$
+.\"
+.Dd January 27, 2000
+.Dt TELNET 1
+.Os
+.Sh NAME
+.Nm telnet
+.Nd user interface to the 
+.Tn TELNET
+protocol
+.Sh SYNOPSIS
+.Nm
+.Op Fl 468EFKLNcdfruy
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl e Ar escapechar
+.Op Fl k Ar realm
+.Op Fl l Ar user
+.Op Fl n Ar tracefile
+.Op Fl s Ar src_addr
+.Oo
+.Ar host
+.Op Ar port
+.Oc
+.Sh DESCRIPTION
+The
+.Nm
+command
+is used to communicate with another host using the 
+.Tn TELNET
+protocol.
+If
+.Nm
+is invoked without the
+.Ar host
+argument, it enters command mode,
+indicated by its prompt
+.Pq Dq Li telnet\&> .
+In this mode, it accepts and executes the commands listed below.
+If it is invoked with arguments, it performs an
+.Ic open
+command with those arguments.
+.Pp
+Options:
+.Bl -tag -width indent
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
+.It Fl 8
+Specifies an 8-bit data path.  This causes an attempt to
+negotiate the
+.Dv TELNET BINARY
+option on both input and output.
+.It Fl E
+Stops any character from being recognized as an escape character.
+.It Fl F
+If Kerberos V5 authentication is being used, the
+.Fl F
+option allows the local credentials to be forwarded
+to the remote system, including any credentials that
+have already been forwarded into the local environment.
+.It Fl K
+Specifies no automatic login to the remote system.
+.It Fl L
+Specifies an 8-bit data path on output.  This causes the
+.Dv BINARY
+option to be negotiated on output.
+.It Fl N
+Prevents IP address to name lookup when destination host is given
+as an IP address.
+.It Fl S Ar tos
+Sets the IP type-of-service (TOS) option for the telnet
+connection to the value
+.Ar tos ,
+which can be a numeric TOS value
+or, on systems that support it, a symbolic
+TOS name found in the
+.Pa /etc/iptos
+file.
+.It Fl X Ar atype 
+Disables the
+.Ar atype
+type of authentication.
+.It Fl a
+Attempt automatic login.
+This is now the default, so this option is ignored.
+Currently, this sends the user name via the
+.Ev USER
+variable
+of the
+.Ev ENVIRON
+option if supported by the remote system.
+The name used is that of the current user as returned by
+.Xr getlogin 2
+if it agrees with the current user ID,
+otherwise it is the name associated with the user ID.
+.It Fl c
+Disables the reading of the user's
+.Pa \&.telnetrc
+file.  (See the
+.Ic toggle skiprc
+command on this man page.)
+.It Fl d
+Sets the initial value of the
+.Ic debug
+toggle to
+.Dv TRUE .
+.It Fl e Ar escapechar 
+Sets the initial
+.Nm
+escape character to
+.Ar escapechar .
+If
+.Ar escapechar
+is omitted, then
+there will be no escape character.
+.It Fl f
+If Kerberos V5 authentication is being used, the
+.Fl f
+option allows the local credentials to be forwarded to the remote system.
+.It Fl k Ar realm
+If Kerberos authentication is being used, the
+.Fl k
+option requests that
+.Nm
+obtain tickets for the remote host in
+realm
+.Ar realm
+instead of the remote host's realm, as determined by
+.Xr krb_realmofhost 3 .
+.It Fl l Ar user 
+When connecting to the remote system, if the remote system
+understands the
+.Ev ENVIRON
+option, then
+.Ar user
+will be sent to the remote system as the value for the variable
+.Ev USER .
+This option implies the
+.Fl a
+option.
+This option may also be used with the
+.Ic open
+command.
+.It Fl n Ar tracefile 
+Opens
+.Ar tracefile
+for recording trace information.
+See the
+.Ic set tracefile
+command below.
+.It Fl r
+Specifies a user interface similar to
+.Xr rlogin 1 .
+In this
+mode, the escape character is set to the tilde (~) character,
+unless modified by the
+.Fl e
+option.
+.It Fl s Ar src_addr
+Set the source IP address for the
+.Nm
+connection to
+.Ar src_addr ,
+which can be an IP address or a host name.
+.It Fl u
+Forces
+.Nm
+to use
+.Dv AF_UNIX
+addresses only (e.g.,
+.Ux
+domain sockets, accessed with a file path).
+.It Fl x
+Turns on encryption of the data stream if possible.
+This is now the default, so this option is ignored.
+.It Fl y
+Suppresses encryption of the data stream.
+.It Ar host
+Indicates the official name, an alias, or the Internet address
+of a remote host.
+If
+.Ar host
+starts with a
+.Ql / ,
+.Nm
+establishes a connection to the corresponding named socket.
+.It Ar port
+Indicates a port number (address of an application).  If a number is
+not specified, the default
+.Nm
+port is used.
+.El
+.Pp
+When in rlogin mode, a line of the form ~.  disconnects from the
+remote host; ~ is the
+.Nm
+escape character.
+Similarly, the line ~^Z suspends the
+.Nm
+session.
+The line ~^] escapes to the normal
+.Nm
+escape prompt.
+.Pp
+Once a connection has been opened,
+.Nm
+will attempt to enable the
+.Dv TELNET LINEMODE
+option.
+If this fails, then
+.Nm
+will revert to one of two input modes:
+either \*(Lqcharacter at a time\*(Rq
+or \*(Lqold line by line\*(Rq
+depending on what the remote system supports.
+.Pp
+When 
+.Dv LINEMODE
+is enabled, character processing is done on the
+local system, under the control of the remote system.  When input
+editing or character echoing is to be disabled, the remote system
+will relay that information.  The remote system will also relay
+changes to any special characters that happen on the remote
+system, so that they can take effect on the local system.
+.Pp
+In \*(Lqcharacter at a time\*(Rq mode, most
+text typed is immediately sent to the remote host for processing.
+.Pp
+In \*(Lqold line by line\*(Rq mode, all text is echoed locally,
+and (normally) only completed lines are sent to the remote host.
+The \*(Lqlocal echo character\*(Rq (initially \*(Lq^E\*(Rq) may be used
+to turn off and on the local echo
+(this would mostly be used to enter passwords
+without the password being echoed).
+.Pp
+If the 
+.Dv LINEMODE
+option is enabled, or if the
+.Ic localchars
+toggle is
+.Dv TRUE
+(the default for \*(Lqold line by line\*(Rq; see below),
+the user's
+.Ic quit  ,
+.Ic intr ,
+and
+.Ic flush
+characters are trapped locally, and sent as
+.Tn TELNET
+protocol sequences to the remote side.
+If 
+.Dv LINEMODE
+has ever been enabled, then the user's
+.Ic susp
+and
+.Ic eof
+are also sent as
+.Tn TELNET
+protocol sequences,
+and
+.Ic quit
+is sent as a 
+.Dv TELNET ABORT
+instead of 
+.Dv BREAK .
+There are options (see
+.Ic toggle
+.Ic autoflush
+and
+.Ic toggle
+.Ic autosynch
+below)
+which cause this action to flush subsequent output to the terminal
+(until the remote host acknowledges the
+.Tn TELNET
+sequence) and flush previous terminal input
+(in the case of
+.Ic quit
+and
+.Ic intr  ) .
+.Pp
+While connected to a remote host,
+.Nm
+command mode may be entered by typing the
+.Nm
+\*(Lqescape character\*(Rq (initially \*(Lq^]\*(Rq).
+When in command mode, the normal terminal editing conventions are available.
+.Pp
+The following
+.Nm
+commands are available.
+Only enough of each command to uniquely identify it need be typed
+(this is also true for arguments to the
+.Ic mode  ,
+.Ic set ,
+.Ic toggle  ,
+.Ic unset ,
+.Ic slc  ,
+.Ic environ ,
+and
+.Ic display
+commands).
+.Pp
+.Bl -tag -width "mode type"
+.It Ic auth Ar argument ... 
+The auth command manipulates the information sent through the
+.Dv TELNET AUTHENTICATE
+option.  Valid arguments for the
+.Ic auth
+command are:
+.Bl -tag -width "disable type"
+.It Ic disable Ar type
+Disables the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth disable ?\&
+command.
+.It Ic enable Ar type
+Enables the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth enable ?\&
+command.
+.It Ic status
+Lists the current status of the various types of
+authentication.
+.El
+.It Ic close
+Close a
+.Tn TELNET
+session and return to command mode.
+.It Ic display Ar argument ... 
+Displays all, or some, of the
+.Ic set
+and
+.Ic toggle
+values (see below).
+.It Ic encrypt Ar argument ...
+The encrypt command manipulates the information sent through the
+.Dv TELNET ENCRYPT
+option.
+.Pp
+Note:  Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside of the United States and Canada.
+.Pp
+Valid arguments for the
+.Ic encrypt
+command are:
+.Bl -tag -width Ar
+.It Ic disable Ar type Xo
+.Op Cm input | output
+.Xc
+Disables the specified type of encryption.  If you
+omit the input and output, both input and output
+are disabled.  To obtain a list of available
+types, use the
+.Ic encrypt disable ?\&
+command.
+.It Ic enable Ar type Xo
+.Op Cm input | output
+.Xc
+Enables the specified type of encryption.  If you
+omit input and output, both input and output are
+enabled.  To obtain a list of available types, use the
+.Ic encrypt enable ?\&
+command.
+.It Ic input
+This is the same as the
+.Ic encrypt start input
+command.
+.It Ic -input
+This is the same as the
+.Ic encrypt stop input
+command.
+.It Ic output
+This is the same as the
+.Ic encrypt start output
+command.
+.It Ic -output
+This is the same as the
+.Ic encrypt stop output
+command.
+.It Ic start Op Cm input | output
+Attempts to start encryption.  If you omit
+.Ic input
+and
+.Ic output ,
+both input and output are enabled.  To
+obtain a list of available types, use the
+.Ic encrypt enable ?\&
+command.
+.It Ic status
+Lists the current status of encryption.
+.It Ic stop Op Cm input | output
+Stops encryption.  If you omit input and output,
+encryption is on both input and output.
+.It Ic type Ar type
+Sets the default type of encryption to be used
+with later
+.Ic encrypt start
+or
+.Ic encrypt stop
+commands.
+.El
+.It Ic environ Ar arguments ...
+The
+.Ic environ
+command is used to manipulate the
+variables that may be sent through the
+.Dv TELNET ENVIRON
+option.
+The initial set of variables is taken from the users
+environment, with only the
+.Ev DISPLAY
+and
+.Ev PRINTER
+variables being exported by default.
+The
+.Ev USER
+variable is also exported if the
+.Fl a
+or
+.Fl l
+options are used.
+.Pp
+Valid arguments for the
+.Ic environ
+command are:
+.Bl -tag -width Fl
+.It Ic define Ar variable value 
+Define the variable
+.Ar variable
+to have a value of
+.Ar value .
+Any variables defined by this command are automatically exported.
+The
+.Ar value
+may be enclosed in single or double quotes so
+that tabs and spaces may be included.
+.It Ic undefine Ar variable 
+Remove
+.Ar variable
+from the list of environment variables.
+.It Ic export Ar variable 
+Mark the variable
+.Ar variable
+to be exported to the remote side.
+.It Ic unexport Ar variable 
+Mark the variable
+.Ar variable
+to not be exported unless
+explicitly asked for by the remote side.
+.It Ic list
+List the current set of environment variables.
+Those marked with a
+.Cm *
+will be sent automatically,
+other variables will only be sent if explicitly requested.
+.It Ic ?\&
+Prints out help information for the
+.Ic environ
+command.
+.El
+.It Ic logout
+Sends the
+.Dv TELNET LOGOUT
+option to the remote side.
+This command is similar to a
+.Ic close
+command; however, if the remote side does not support the
+.Dv LOGOUT
+option, nothing happens.
+If, however, the remote side does support the
+.Dv LOGOUT
+option, this command should cause the remote side to close the
+.Tn TELNET
+connection.
+If the remote side also supports the concept of
+suspending a user's session for later reattachment,
+the logout argument indicates that you
+should terminate the session immediately.
+.It Ic mode Ar type 
+.Ar Type
+is one of several options, depending on the state of the
+.Tn TELNET
+session.
+The remote host is asked for permission to go into the requested mode.
+If the remote host is capable of entering that mode, the requested
+mode will be entered.
+.Bl -tag -width Ar
+.It Ic character
+Disable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then enter \*(Lqcharacter at a time\*(Rq mode.
+.It Ic line
+Enable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then attempt to enter \*(Lqold-line-by-line\*(Rq mode.
+.It Ic isig Pq Ic \-isig 
+Attempt to enable (disable) the 
+.Dv TRAPSIG
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic edit Pq Ic \-edit 
+Attempt to enable (disable) the 
+.Dv EDIT
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic softtabs Pq Ic \-softtabs 
+Attempt to enable (disable) the 
+.Dv SOFT_TAB
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic litecho Pq Ic \-litecho 
+Attempt to enable (disable) the 
+.Dv LIT_ECHO
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic ?\&
+Prints out help information for the
+.Ic mode
+command.
+.El
+.It Xo
+.Ic open Ar host
+.Op Fl l Ar user
+.Op Oo Fl Oc Ns Ar port
+.Xc
+Open a connection to the named host.
+If no port number
+is specified,
+.Nm
+will attempt to contact a
+.Tn TELNET
+server at the default port.
+The host specification may be either a host name (see
+.Xr hosts  5  ) ,
+an Internet address specified in the \*(Lqdot notation\*(Rq (see
+.Xr inet 3 ) ,
+or IPv6 host name or IPv6 coloned-hexadecimal addreess.
+The
+.Fl l
+option may be used to specify the user name
+to be passed to the remote system via the
+.Ev ENVIRON
+option.
+When connecting to a non-standard port,
+.Nm
+omits any automatic initiation of
+.Tn TELNET
+options.  When the port number is preceded by a minus sign,
+the initial option negotiation is done.
+After establishing a connection, the file
+.Pa \&.telnetrc
+in the
+users home directory is opened.  Lines beginning with a # are
+comment lines.  Blank lines are ignored.  Lines that begin
+without white space are the start of a machine entry.  The
+first thing on the line is the name of the machine that is
+being connected to.  The rest of the line, and successive
+lines that begin with white space are assumed to be
+.Nm
+commands and are processed as if they had been typed
+in manually to the
+.Nm
+command prompt.
+.It Ic quit
+Close any open
+.Tn TELNET
+session and exit
+.Nm .
+An end of file (in command mode) will also close a session and exit.
+.It Ic send Ar arguments 
+Sends one or more special character sequences to the remote host.
+The following are the arguments which may be specified
+(more than one argument may be specified at a time):
+.Pp
+.Bl -tag -width escape
+.It Ic abort
+Sends the
+.Dv TELNET ABORT
+(Abort
+processes)
+sequence.
+.It Ic ao
+Sends the
+.Dv TELNET AO
+(Abort Output) sequence, which should cause the remote system to flush
+all output
+.Em from
+the remote system
+.Em to
+the user's terminal.
+.It Ic ayt
+Sends the
+.Dv TELNET AYT
+(Are You There)
+sequence, to which the remote system may or may not choose to respond.
+.It Ic brk
+Sends the
+.Dv TELNET BRK
+(Break) sequence, which may have significance to the remote
+system.
+.It Ic ec
+Sends the
+.Dv TELNET EC
+(Erase Character)
+sequence, which should cause the remote system to erase the last character
+entered.
+.It Ic el
+Sends the
+.Dv TELNET EL
+(Erase Line)
+sequence, which should cause the remote system to erase the line currently
+being entered.
+.It Ic eof
+Sends the
+.Dv TELNET EOF
+(End Of File)
+sequence.
+.It Ic eor
+Sends the
+.Dv TELNET EOR
+(End of Record)
+sequence.
+.It Ic escape
+Sends the current
+.Nm
+escape character (initially \*(Lq^\*(Rq).
+.It Ic ga
+Sends the
+.Dv TELNET GA
+(Go Ahead)
+sequence, which likely has no significance to the remote system.
+.It Ic getstatus
+If the remote side supports the
+.Dv TELNET STATUS
+command,
+.Ic getstatus
+will send the subnegotiation to request that the server send
+its current option status.
+.It Ic ip
+Sends the
+.Dv TELNET IP
+(Interrupt Process) sequence, which should cause the remote
+system to abort the currently running process.
+.It Ic nop
+Sends the
+.Dv TELNET NOP
+(No OPeration)
+sequence.
+.It Ic susp
+Sends the
+.Dv TELNET SUSP
+(SUSPend process)
+sequence.
+.It Ic synch
+Sends the
+.Dv TELNET SYNCH
+sequence.
+This sequence causes the remote system to discard all previously typed
+(but not yet read) input.
+This sequence is sent as
+.Tn TCP
+urgent
+data (and may not work if the remote system is a
+.Bx 4.2
+system -- if
+it doesn't work, a lower case \*(Lqr\*(Rq may be echoed on the terminal).
+.It Ic do Ar cmd
+.It Ic dont Ar cmd
+.It Ic will Ar cmd
+.It Ic wont Ar cmd
+Sends the
+.Dv TELNET DO
+.Ar cmd
+sequence.
+.Ar Cmd
+can be either a decimal number between 0 and 255,
+or a symbolic name for a specific
+.Dv TELNET
+command.
+.Ar Cmd
+can also be either
+.Ic help
+or
+.Ic ?\&
+to print out help information, including
+a list of known symbolic names.
+.It Ic ?\&
+Prints out help information for the
+.Ic send
+command.
+.El
+.It Ic set Ar argument value 
+.It Ic unset Ar argument value 
+The
+.Ic set
+command will set any one of a number of
+.Nm
+variables to a specific value or to
+.Dv TRUE .
+The special value
+.Ic off
+turns off the function associated with
+the variable, this is equivalent to using the
+.Ic unset
+command.
+The
+.Ic unset
+command will disable or set to
+.Dv FALSE
+any of the specified functions.
+The values of variables may be interrogated with the
+.Ic display
+command.
+The variables which may be set or unset, but not toggled, are
+listed here.  In addition, any of the variables for the
+.Ic toggle
+command may be explicitly set or unset using
+the
+.Ic set
+and
+.Ic unset
+commands.
+.Bl -tag -width escape
+.It Ic ayt
+If
+.Tn TELNET
+is in localchars mode, or
+.Dv LINEMODE
+is enabled, and the status character is typed, a
+.Dv TELNET AYT
+sequence (see
+.Ic send ayt
+preceding) is sent to the
+remote host.  The initial value for the \*(LqAre You There\*(Rq
+character is the terminal's status character.
+.It Ic echo
+This is the value (initially \*(Lq^E\*(Rq) which, when in
+\*(Lqline by line\*(Rq mode, toggles between doing local echoing
+of entered characters (for normal processing), and suppressing
+echoing of entered characters (for entering, say, a password).
+.It Ic eof
+If
+.Nm
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, entering this character
+as the first character on a line will cause this character to be
+sent to the remote system.
+The initial value of the eof character is taken to be the terminal's
+.Ic eof
+character.
+.It Ic erase
+If
+.Nm
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Sy and
+if
+.Nm
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EC
+sequence (see
+.Ic send
+.Ic ec
+above)
+is sent to the remote system.
+The initial value for the erase character is taken to be
+the terminal's
+.Ic erase
+character.
+.It Ic escape
+This is the
+.Nm
+escape character (initially \*(Lq^[\*(Rq) which causes entry
+into
+.Nm
+command mode (when connected to a remote system).
+.It Ic flushoutput
+If
+.Nm
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic flushoutput
+character is typed, a
+.Dv TELNET AO
+sequence (see
+.Ic send
+.Ic ao
+above)
+is sent to the remote host.
+The initial value for the flush character is taken to be
+the terminal's
+.Ic flush
+character.
+.It Ic forw1
+.It Ic forw2
+If
+.Nm
+is operating in
+.Dv LINEMODE ,
+these are the
+characters that, when typed, cause partial lines to be
+forwarded to the remote system.  The initial value for
+the forwarding characters are taken from the terminal's
+eol and eol2 characters.
+.It Ic interrupt
+If
+.Nm
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic interrupt
+character is typed, a
+.Dv TELNET IP
+sequence (see
+.Ic send
+.Ic ip
+above)
+is sent to the remote host.
+The initial value for the interrupt character is taken to be
+the terminal's
+.Ic intr
+character.
+.It Ic kill
+If
+.Nm
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Ic and
+if
+.Nm
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EL
+sequence (see
+.Ic send
+.Ic el
+above)
+is sent to the remote system.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic kill
+character.
+.It Ic lnext
+If
+.Nm
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, then this character is taken to
+be the terminal's
+.Ic lnext
+character.
+The initial value for the lnext character is taken to be
+the terminal's
+.Ic lnext
+character.
+.It Ic quit
+If
+.Nm
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic quit
+character is typed, a
+.Dv TELNET BRK
+sequence (see
+.Ic send
+.Ic brk
+above)
+is sent to the remote host.
+The initial value for the quit character is taken to be
+the terminal's
+.Ic quit
+character.
+.It Ic reprint
+If
+.Nm
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, then this character is taken to
+be the terminal's
+.Ic reprint
+character.
+The initial value for the reprint character is taken to be
+the terminal's
+.Ic reprint
+character.
+.It Ic rlogin
+This is the rlogin escape character.
+If set, the normal
+.Nm
+escape character is ignored unless it is
+preceded by this character at the beginning of a line.
+This character, at the beginning of a line followed by
+a "."  closes the connection; when followed by a ^Z it
+suspends the
+.Nm
+command.  The initial state is to
+disable the
+.Nm rlogin
+escape character.
+.It Ic start
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic start
+character.
+The initial value for the start character is taken to be
+the terminal's
+.Ic start
+character.
+.It Ic stop
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic stop
+character.
+The initial value for the stop character is taken to be
+the terminal's
+.Ic stop
+character.
+.It Ic susp
+If
+.Nm
+is in
+.Ic localchars
+mode, or
+.Dv LINEMODE
+is enabled, and the
+.Ic suspend
+character is typed, a
+.Dv TELNET SUSP
+sequence (see
+.Ic send
+.Ic susp
+above)
+is sent to the remote host.
+The initial value for the suspend character is taken to be
+the terminal's
+.Ic suspend
+character.
+.It Ic tracefile
+This is the file to which the output, caused by
+.Ic netdata
+or
+.Ic option
+tracing being
+.Dv TRUE ,
+will be written.  If it is set to
+.Dq Fl ,
+then tracing information will be written to standard output (the default).
+.It Ic worderase
+If
+.Nm
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, then this character is taken to
+be the terminal's
+.Ic worderase
+character.
+The initial value for the worderase character is taken to be
+the terminal's
+.Ic worderase
+character.
+.It Ic ?\&
+Displays the legal
+.Ic set
+.Pq Ic unset
+commands.
+.El
+.It Ic skey Ar sequence challenge 
+The
+.Ic skey
+command computes a response to the S/Key challenge.
+.It Ic slc Ar state 
+The
+.Ic slc
+command (Set Local Characters) is used to set
+or change the state of the special
+characters when the 
+.Dv TELNET LINEMODE
+option has
+been enabled.  Special characters are characters that get
+mapped to 
+.Tn TELNET
+commands sequences (like
+.Ic ip
+or
+.Ic quit  )
+or line editing characters (like
+.Ic erase
+and
+.Ic kill  ) .
+By default, the local special characters are exported.
+.Bl -tag -width Fl
+.It Ic check
+Verify the current settings for the current special characters.
+The remote side is requested to send all the current special
+character settings, and if there are any discrepancies with
+the local side, the local side will switch to the remote value.
+.It Ic export
+Switch to the local defaults for the special characters.  The
+local default characters are those of the local terminal at
+the time when
+.Nm
+was started.
+.It Ic import
+Switch to the remote defaults for the special characters.
+The remote default characters are those of the remote system
+at the time when the 
+.Tn TELNET
+connection was established.
+.It Ic ?\&
+Prints out help information for the
+.Ic slc
+command.
+.El
+.It Ic status
+Show the current status of
+.Nm .
+This includes the peer one is connected to, as well
+as the current mode.
+.It Ic toggle Ar arguments ... 
+Toggle (between
+.Dv TRUE
+and
+.Dv FALSE )
+various flags that control how
+.Nm
+responds to events.
+These flags may be set explicitly to
+.Dv TRUE
+or
+.Dv FALSE
+using the
+.Ic set
+and
+.Ic unset
+commands listed above.
+More than one argument may be specified.
+The state of these flags may be interrogated with the
+.Ic display
+command.
+Valid arguments are:
+.Bl -tag -width Ar
+.It Ic authdebug
+Turns on debugging information for the authentication code.
+.It Ic autoflush
+If
+.Ic autoflush
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when the
+.Ic ao  ,
+or
+.Ic quit
+characters are recognized (and transformed into
+.Tn TELNET
+sequences; see
+.Ic set
+above for details),
+.Nm
+refuses to display any data on the user's terminal
+until the remote system acknowledges (via a
+.Dv TELNET TIMING MARK
+option)
+that it has processed those
+.Tn TELNET
+sequences.
+The initial value for this toggle is
+.Dv TRUE
+if the terminal user had not
+done an "stty noflsh", otherwise
+.Dv FALSE
+(see
+.Xr stty  1  ) .
+.It Ic autodecrypt
+When the
+.Dv TELNET ENCRYPT
+option is negotiated, by
+default the actual encryption (decryption) of the data
+stream does not start automatically.  The autoencrypt
+(autodecrypt) command states that encryption of the
+output (input) stream should be enabled as soon as
+possible.
+.Pp
+Note:  Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside the United States and Canada.
+.It Ic autologin
+If the remote side supports the
+.Dv TELNET AUTHENTICATION
+option
+.Nm
+attempts to use it to perform automatic authentication.  If the
+.Dv AUTHENTICATION
+option is not supported, the user's login
+name are propagated through the
+.Dv TELNET ENVIRON
+option.
+This command is the same as specifying
+.Fl a
+option on the
+.Ic open
+command.
+.It Ic autosynch
+If
+.Ic autosynch
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when either the
+.Ic intr
+or
+.Ic quit
+characters is typed (see
+.Ic set
+above for descriptions of the
+.Ic intr
+and
+.Ic quit
+characters), the resulting
+.Tn TELNET
+sequence sent is followed by the
+.Dv TELNET SYNCH
+sequence.
+This procedure
+.Ic should
+cause the remote system to begin throwing away all previously
+typed input until both of the
+.Tn TELNET
+sequences have been read and acted upon.
+The initial value of this toggle is
+.Dv FALSE .
+.It Ic binary
+Enable or disable the
+.Dv TELNET BINARY
+option on both input and output.
+.It Ic inbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on input.
+.It Ic outbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on output.
+.It Ic crlf
+If this is
+.Dv TRUE ,
+then carriage returns will be sent as
+.Li <CR><LF> .
+If this is
+.Dv FALSE ,
+then carriage returns will be send as
+.Li <CR><NUL> .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic crmod
+Toggle carriage return mode.
+When this mode is enabled, most carriage return characters received from
+the remote host will be mapped into a carriage return followed by
+a line feed.
+This mode does not affect those characters typed by the user, only
+those received from the remote host.
+This mode is not very useful unless the remote host
+only sends carriage return, but never line feed.
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic debug
+Toggles socket level debugging (useful only to the
+.Ic super user  ) .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic encdebug
+Turns on debugging information for the encryption code.
+.It Ic localchars
+If this is
+.Dv TRUE ,
+then the
+.Ic flush  ,
+.Ic interrupt ,
+.Ic quit  ,
+.Ic erase ,
+and
+.Ic kill
+characters (see
+.Ic set
+above) are recognized locally, and transformed into (hopefully) appropriate
+.Tn TELNET
+control sequences
+(respectively
+.Ic ao  ,
+.Ic ip ,
+.Ic brk  ,
+.Ic ec ,
+and
+.Ic el  ;
+see
+.Ic send
+above).
+The initial value for this toggle is
+.Dv TRUE
+in \*(Lqold line by line\*(Rq mode,
+and
+.Dv FALSE
+in \*(Lqcharacter at a time\*(Rq mode.
+When the
+.Dv LINEMODE
+option is enabled, the value of
+.Ic localchars
+is ignored, and assumed to always be
+.Dv TRUE .
+If
+.Dv LINEMODE
+has ever been enabled, then
+.Ic quit
+is sent as
+.Ic abort  ,
+and
+.Ic eof
+and
+.Ic suspend
+are sent as
+.Ic eof
+and
+.Ic susp
+(see
+.Ic send
+above).
+.It Ic netdata
+Toggles the display of all network data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic options
+Toggles the display of some internal
+.Nm
+protocol processing (having to do with
+.Tn TELNET
+options).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic prettydump
+When the
+.Ic netdata
+toggle is enabled, if
+.Ic prettydump
+is enabled the output from the
+.Ic netdata
+command will be formatted in a more user readable format.
+Spaces are put between each character in the output, and the
+beginning of any
+.Nm
+escape sequence is preceded by a '*' to aid in locating them.
+.It Ic skiprc
+When the skiprc toggle is
+.Dv TRUE ,
+.Nm
+skips the reading of the
+.Pa \&.telnetrc
+file in the users home
+directory when connections are opened.  The initial
+value for this toggle is
+.Dv FALSE .
+.It Ic termdata
+Toggles the display of all terminal data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic verbose_encrypt
+When the
+.Ic verbose_encrypt
+toggle is
+.Dv TRUE ,
+.Nm
+prints out a message each time encryption is enabled or
+disabled.  The initial value for this toggle is
+.Dv FALSE .
+Note:  Because of export controls, data encryption
+is not supported outside of the United States and Canada.
+.It Ic ?\&
+Displays the legal
+.Ic toggle
+commands.
+.El
+.It Ic z
+Suspend
+.Nm .
+This command only works when the user is using the
+.Xr csh  1  .
+.It Ic \&! Op Ar command 
+Execute a single command in a subshell on the local
+system.  If
+.Ar command
+is omitted, then an interactive
+subshell is invoked.
+.It Ic ?\& Op Ar command 
+Get help.  With no arguments,
+.Nm
+prints a help summary.
+If 
+.Ar command
+is specified,
+.Nm
+will print the help information for just that command.
+.El
+.Sh ENVIRONMENT
+.Nm
+uses at least the
+.Ev HOME ,
+.Ev SHELL ,
+.Ev DISPLAY ,
+and
+.Ev TERM
+environment variables.
+Other environment variables may be propagated
+to the other side via the
+.Dv TELNET ENVIRON
+option.
+.Sh SEE ALSO
+.Xr rlogin 1 ,
+.Xr rsh 1 ,
+.Xr hosts 5 ,
+.Xr nologin 5 ,
+.Xr telnetd 8
+.Sh FILES
+.Bl -tag -width ~/.telnetrc -compact
+.It Pa ~/.telnetrc
+user customized telnet startup values
+.El
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.2 .
+.Pp
+IPv6 support was added by WIDE/KAME project.
+.Sh NOTES
+.Pp
+On some remote systems, echo has to be turned off manually when in
+\*(Lqold line by line\*(Rq mode.
+.Pp
+In \*(Lqold line by line\*(Rq mode or 
+.Dv LINEMODE
+the terminal's
+.Ic eof
+character is only recognized (and sent to the remote system)
+when it is the first character on a line.
diff --git a/crypto/telnet/telnet/telnet.c b/crypto/telnet/telnet/telnet.c
new file mode 100644
index 0000000..68555b7
--- /dev/null
+++ b/crypto/telnet/telnet/telnet.c
@@ -0,0 +1,2671 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)telnet.c	8.4 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#include <sys/types.h>
+
+#if	defined(unix)
+#include <signal.h>
+/* By the way, we need to include curses.h before telnet.h since,
+ * among other things, telnet.h #defines 'DO', which is a variable
+ * declared in curses.h.
+ */
+#endif	/* defined(unix) */
+
+#include <arpa/telnet.h>
+
+#include <ctype.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "ring.h"
+
+#include "defines.h"
+#include "externs.h"
+#include "types.h"
+#include "general.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+#include <libtelnet/misc.h>
+
+#define	strip(x) ((my_want_state_is_wont(TELOPT_BINARY)) ? ((x)&0x7f) : (x))
+
+static unsigned char	subbuffer[SUBBUFSIZE],
+			*subpointer, *subend;	 /* buffer for sub-options */
+#define	SB_CLEAR()	subpointer = subbuffer;
+#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
+#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof subbuffer)) { \
+				*subpointer++ = (c); \
+			}
+
+#define	SB_GET()	((*subpointer++)&0xff)
+#define	SB_PEEK()	((*subpointer)&0xff)
+#define	SB_EOF()	(subpointer >= subend)
+#define	SB_LEN()	(subend - subpointer)
+
+char	options[256];		/* The combined options */
+char	do_dont_resp[256];
+char	will_wont_resp[256];
+
+int
+	eight = 0,
+	autologin = 0,	/* Autologin anyone? */
+	skiprc = 0,
+	connected,
+	showoptions,
+	In3270,		/* Are we in 3270 mode? */
+	ISend,		/* trying to send network data in */
+	debug = 0,
+	crmod,
+	netdata,	/* Print out network data flow */
+	crlf,		/* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+#if	defined(TN3270)
+	noasynchtty = 0,/* User specified "-noasynch" on command line */
+	noasynchnet = 0,/* User specified "-noasynch" on command line */
+	askedSGA = 0,	/* We have talked about suppress go ahead */
+#endif	/* defined(TN3270) */
+	telnetport,
+	SYNCHing,	/* we are in TELNET SYNCH mode */
+	flushout,	/* flush output */
+	autoflush = 0,	/* flush output when interrupting? */
+	autosynch,	/* send interrupt characters with SYNCH? */
+	localflow,	/* we handle flow control locally */
+	restartany,	/* if flow control enabled, restart on any character */
+	localchars,	/* we recognize interrupt/quit */
+	donelclchars,	/* the user has set "localchars" */
+	donebinarytoggle,	/* the user has put us in binary */
+	dontlecho,	/* do we suppress local echoing right now? */
+	globalmode,
+	doaddrlookup = 1, /* do a reverse address lookup? */
+	clienteof = 0;
+
+char *prompt = 0;
+char *line;		/* hack around breakage in sra.c :-( !! */
+
+cc_t escape;
+cc_t rlogin;
+#ifdef	KLUDGELINEMODE
+cc_t echoc;
+#endif
+
+/*
+ * Telnet receiver states for fsm
+ */
+#define	TS_DATA		0
+#define	TS_IAC		1
+#define	TS_WILL		2
+#define	TS_WONT		3
+#define	TS_DO		4
+#define	TS_DONT		5
+#define	TS_CR		6
+#define	TS_SB		7		/* sub-option collection */
+#define	TS_SE		8		/* looking for sub-option end */
+
+static int	telrcv_state;
+#ifdef	OLD_ENVIRON
+unsigned char telopt_environ = TELOPT_NEW_ENVIRON;
+#else
+# define telopt_environ TELOPT_NEW_ENVIRON
+#endif
+
+jmp_buf	toplevel = { 0 };
+jmp_buf	peerdied;
+
+int	flushline;
+int	linemode;
+
+#ifdef	KLUDGELINEMODE
+int	kludgelinemode = 1;
+#endif
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+Clocks clocks;
+
+#ifdef	notdef
+Modelist modelist[] = {
+	{ "telnet command mode", COMMAND_LINE },
+	{ "character-at-a-time mode", 0 },
+	{ "character-at-a-time mode (local echo)", LOCAL_ECHO|LOCAL_CHARS },
+	{ "line-by-line mode (remote echo)", LINE | LOCAL_CHARS },
+	{ "line-by-line mode", LINE | LOCAL_ECHO | LOCAL_CHARS },
+	{ "line-by-line mode (local echoing suppressed)", LINE | LOCAL_CHARS },
+	{ "3270 mode", 0 },
+};
+#endif
+
+
+/*
+ * Initialize telnet environment.
+ */
+
+    void
+init_telnet()
+{
+    env_init();
+
+    SB_CLEAR();
+    ClearArray(options);
+
+    connected = In3270 = ISend = localflow = donebinarytoggle = 0;
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+    auth_encrypt_connect(connected);
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION)  */
+    restartany = -1;
+
+    SYNCHing = 0;
+
+    /* Don't change NetTrace */
+
+    escape = CONTROL(']');
+    rlogin = _POSIX_VDISABLE;
+#ifdef	KLUDGELINEMODE
+    echoc = CONTROL('E');
+#endif
+
+    flushline = 1;
+    telrcv_state = TS_DATA;
+}
+
+
+#ifdef	notdef
+#include <varargs.h>
+
+    /*VARARGS*/
+    static void
+printring(va_alist)
+    va_dcl
+{
+    va_list ap;
+    char buffer[100];		/* where things go */
+    char *ptr;
+    char *format;
+    char *string;
+    Ring *ring;
+    int i;
+
+    va_start(ap);
+
+    ring = va_arg(ap, Ring *);
+    format = va_arg(ap, char *);
+    ptr = buffer;
+
+    while ((i = *format++) != 0) {
+	if (i == '%') {
+	    i = *format++;
+	    switch (i) {
+	    case 'c':
+		*ptr++ = va_arg(ap, int);
+		break;
+	    case 's':
+		string = va_arg(ap, char *);
+		ring_supply_data(ring, buffer, ptr-buffer);
+		ring_supply_data(ring, string, strlen(string));
+		ptr = buffer;
+		break;
+	    case 0:
+		ExitString("printring: trailing %%.\n", 1);
+		/*NOTREACHED*/
+	    default:
+		ExitString("printring: unknown format character.\n", 1);
+		/*NOTREACHED*/
+	    }
+	} else {
+	    *ptr++ = i;
+	}
+    }
+    ring_supply_data(ring, buffer, ptr-buffer);
+}
+#endif
+
+/*
+ * These routines are in charge of sending option negotiations
+ * to the other side.
+ *
+ * The basic idea is that we send the negotiation if either side
+ * is in disagreement as to what the current state should be.
+ */
+
+    void
+send_do(c, init)
+    register int c, init;
+{
+    if (init) {
+	if (((do_dont_resp[c] == 0) && my_state_is_do(c)) ||
+				my_want_state_is_do(c))
+	    return;
+	set_my_want_state_do(c);
+	do_dont_resp[c]++;
+    }
+    NET2ADD(IAC, DO);
+    NETADD(c);
+    printoption("SENT", DO, c);
+}
+
+    void
+send_dont(c, init)
+    register int c, init;
+{
+    if (init) {
+	if (((do_dont_resp[c] == 0) && my_state_is_dont(c)) ||
+				my_want_state_is_dont(c))
+	    return;
+	set_my_want_state_dont(c);
+	do_dont_resp[c]++;
+    }
+    NET2ADD(IAC, DONT);
+    NETADD(c);
+    printoption("SENT", DONT, c);
+}
+
+    void
+send_will(c, init)
+    register int c, init;
+{
+    if (init) {
+	if (((will_wont_resp[c] == 0) && my_state_is_will(c)) ||
+				my_want_state_is_will(c))
+	    return;
+	set_my_want_state_will(c);
+	will_wont_resp[c]++;
+    }
+    NET2ADD(IAC, WILL);
+    NETADD(c);
+    printoption("SENT", WILL, c);
+}
+
+    void
+send_wont(c, init)
+    register int c, init;
+{
+    if (init) {
+	if (((will_wont_resp[c] == 0) && my_state_is_wont(c)) ||
+				my_want_state_is_wont(c))
+	    return;
+	set_my_want_state_wont(c);
+	will_wont_resp[c]++;
+    }
+    NET2ADD(IAC, WONT);
+    NETADD(c);
+    printoption("SENT", WONT, c);
+}
+
+
+	void
+willoption(option)
+	int option;
+{
+	int new_state_ok = 0;
+
+	if (do_dont_resp[option]) {
+	    --do_dont_resp[option];
+	    if (do_dont_resp[option] && my_state_is_do(option))
+		--do_dont_resp[option];
+	}
+
+	if ((do_dont_resp[option] == 0) && my_want_state_is_dont(option)) {
+
+	    switch (option) {
+
+	    case TELOPT_ECHO:
+#	    if defined(TN3270)
+		/*
+		 * The following is a pain in the rear-end.
+		 * Various IBM servers (some versions of Wiscnet,
+		 * possibly Fibronics/Spartacus, and who knows who
+		 * else) will NOT allow us to send "DO SGA" too early
+		 * in the setup proceedings.  On the other hand,
+		 * 4.2 servers (telnetd) won't set SGA correctly.
+		 * So, we are stuck.  Empirically (but, based on
+		 * a VERY small sample), the IBM servers don't send
+		 * out anything about ECHO, so we postpone our sending
+		 * "DO SGA" until we see "WILL ECHO" (which 4.2 servers
+		 * DO send).
+		  */
+		{
+		    if (askedSGA == 0) {
+			askedSGA = 1;
+			if (my_want_state_is_dont(TELOPT_SGA))
+			    send_do(TELOPT_SGA, 1);
+		    }
+		}
+		    /* Fall through */
+	    case TELOPT_EOR:
+#endif	    /* defined(TN3270) */
+	    case TELOPT_BINARY:
+	    case TELOPT_SGA:
+		settimer(modenegotiated);
+		/* FALL THROUGH */
+	    case TELOPT_STATUS:
+#if	defined(AUTHENTICATION)
+	    case TELOPT_AUTHENTICATION:
+#endif
+#ifdef	ENCRYPTION
+	    case TELOPT_ENCRYPT:
+#endif /* ENCRYPTION */
+		new_state_ok = 1;
+		break;
+
+	    case TELOPT_TM:
+		if (flushout)
+		    flushout = 0;
+		/*
+		 * Special case for TM.  If we get back a WILL,
+		 * pretend we got back a WONT.
+		 */
+		set_my_want_state_dont(option);
+		set_my_state_dont(option);
+		return;			/* Never reply to TM will's/wont's */
+
+	    case TELOPT_LINEMODE:
+	    default:
+		break;
+	    }
+
+	    if (new_state_ok) {
+		set_my_want_state_do(option);
+		send_do(option, 0);
+		setconnmode(0);		/* possibly set new tty mode */
+	    } else {
+		do_dont_resp[option]++;
+		send_dont(option, 0);
+	    }
+	}
+	set_my_state_do(option);
+#ifdef	ENCRYPTION
+	if (option == TELOPT_ENCRYPT)
+		encrypt_send_support();
+#endif	/* ENCRYPTION */
+}
+
+	void
+wontoption(option)
+	int option;
+{
+	if (do_dont_resp[option]) {
+	    --do_dont_resp[option];
+	    if (do_dont_resp[option] && my_state_is_dont(option))
+		--do_dont_resp[option];
+	}
+
+	if ((do_dont_resp[option] == 0) && my_want_state_is_do(option)) {
+
+	    switch (option) {
+
+#ifdef	KLUDGELINEMODE
+	    case TELOPT_SGA:
+		if (!kludgelinemode)
+		    break;
+		/* FALL THROUGH */
+#endif
+	    case TELOPT_ECHO:
+		settimer(modenegotiated);
+		break;
+
+	    case TELOPT_TM:
+		if (flushout)
+		    flushout = 0;
+		set_my_want_state_dont(option);
+		set_my_state_dont(option);
+		return;		/* Never reply to TM will's/wont's */
+
+	    default:
+		break;
+	    }
+	    set_my_want_state_dont(option);
+	    if (my_state_is_do(option))
+		send_dont(option, 0);
+	    setconnmode(0);			/* Set new tty mode */
+	} else if (option == TELOPT_TM) {
+	    /*
+	     * Special case for TM.
+	     */
+	    if (flushout)
+		flushout = 0;
+	    set_my_want_state_dont(option);
+	}
+	set_my_state_dont(option);
+}
+
+	static void
+dooption(option)
+	int option;
+{
+	int new_state_ok = 0;
+
+	if (will_wont_resp[option]) {
+	    --will_wont_resp[option];
+	    if (will_wont_resp[option] && my_state_is_will(option))
+		--will_wont_resp[option];
+	}
+
+	if (will_wont_resp[option] == 0) {
+	  if (my_want_state_is_wont(option)) {
+
+	    switch (option) {
+
+	    case TELOPT_TM:
+		/*
+		 * Special case for TM.  We send a WILL, but pretend
+		 * we sent WONT.
+		 */
+		send_will(option, 0);
+		set_my_want_state_wont(TELOPT_TM);
+		set_my_state_wont(TELOPT_TM);
+		return;
+
+#	if defined(TN3270)
+	    case TELOPT_EOR:		/* end of record */
+#	endif	/* defined(TN3270) */
+	    case TELOPT_BINARY:		/* binary mode */
+	    case TELOPT_NAWS:		/* window size */
+	    case TELOPT_TSPEED:		/* terminal speed */
+	    case TELOPT_LFLOW:		/* local flow control */
+	    case TELOPT_TTYPE:		/* terminal type option */
+	    case TELOPT_SGA:		/* no big deal */
+#ifdef	ENCRYPTION
+	    case TELOPT_ENCRYPT:	/* encryption variable option */
+#endif	/* ENCRYPTION */
+		new_state_ok = 1;
+		break;
+
+	    case TELOPT_NEW_ENVIRON:	/* New environment variable option */
+#ifdef	OLD_ENVIRON
+		if (my_state_is_will(TELOPT_OLD_ENVIRON))
+			send_wont(TELOPT_OLD_ENVIRON, 1); /* turn off the old */
+		goto env_common;
+	    case TELOPT_OLD_ENVIRON:	/* Old environment variable option */
+		if (my_state_is_will(TELOPT_NEW_ENVIRON))
+			break;		/* Don't enable if new one is in use! */
+	    env_common:
+		telopt_environ = option;
+#endif
+		new_state_ok = 1;
+		break;
+
+#if	defined(AUTHENTICATION)
+	    case TELOPT_AUTHENTICATION:
+		if (autologin)
+			new_state_ok = 1;
+		break;
+#endif
+
+	    case TELOPT_XDISPLOC:	/* X Display location */
+		if (env_getvalue((unsigned char *)"DISPLAY"))
+		    new_state_ok = 1;
+		break;
+
+	    case TELOPT_LINEMODE:
+#ifdef	KLUDGELINEMODE
+		kludgelinemode = 0;
+		send_do(TELOPT_SGA, 1);
+#endif
+		set_my_want_state_will(TELOPT_LINEMODE);
+		send_will(option, 0);
+		set_my_state_will(TELOPT_LINEMODE);
+		slc_init();
+		return;
+
+	    case TELOPT_ECHO:		/* We're never going to echo... */
+	    default:
+		break;
+	    }
+
+	    if (new_state_ok) {
+		set_my_want_state_will(option);
+		send_will(option, 0);
+		setconnmode(0);			/* Set new tty mode */
+	    } else {
+		will_wont_resp[option]++;
+		send_wont(option, 0);
+	    }
+	  } else {
+	    /*
+	     * Handle options that need more things done after the
+	     * other side has acknowledged the option.
+	     */
+	    switch (option) {
+	    case TELOPT_LINEMODE:
+#ifdef	KLUDGELINEMODE
+		kludgelinemode = 0;
+		send_do(TELOPT_SGA, 1);
+#endif
+		set_my_state_will(option);
+		slc_init();
+		send_do(TELOPT_SGA, 0);
+		return;
+	    }
+	  }
+	}
+	set_my_state_will(option);
+}
+
+	static void
+dontoption(option)
+	int option;
+{
+
+	if (will_wont_resp[option]) {
+	    --will_wont_resp[option];
+	    if (will_wont_resp[option] && my_state_is_wont(option))
+		--will_wont_resp[option];
+	}
+
+	if ((will_wont_resp[option] == 0) && my_want_state_is_will(option)) {
+	    switch (option) {
+	    case TELOPT_LINEMODE:
+		linemode = 0;	/* put us back to the default state */
+		break;
+#ifdef	OLD_ENVIRON
+	    case TELOPT_NEW_ENVIRON:
+		/*
+		 * The new environ option wasn't recognized, try
+		 * the old one.
+		 */
+		send_will(TELOPT_OLD_ENVIRON, 1);
+		telopt_environ = TELOPT_OLD_ENVIRON;
+		break;
+#endif
+	    }
+	    /* we always accept a DONT */
+	    set_my_want_state_wont(option);
+	    if (my_state_is_will(option))
+		send_wont(option, 0);
+	    setconnmode(0);			/* Set new tty mode */
+	}
+	set_my_state_wont(option);
+}
+
+/*
+ * Given a buffer returned by tgetent(), this routine will turn
+ * the pipe separated list of names in the buffer into an array
+ * of pointers to null terminated names.  We toss out any bad,
+ * duplicate, or verbose names (names with spaces).
+ */
+
+static char *name_unknown = "UNKNOWN";
+static char *unknown[] = { 0, 0 };
+
+	char **
+mklist(buf, name)
+	char *buf, *name;
+{
+	register int n;
+	register char c, *cp, **argvp, *cp2, **argv, **avt;
+
+	if (name) {
+		if ((int)strlen(name) > 40) {
+			name = 0;
+			unknown[0] = name_unknown;
+		} else {
+			unknown[0] = name;
+			upcase(name);
+		}
+	} else
+		unknown[0] = name_unknown;
+	/*
+	 * Count up the number of names.
+	 */
+	for (n = 1, cp = buf; *cp && *cp != ':'; cp++) {
+		if (*cp == '|')
+			n++;
+	}
+	/*
+	 * Allocate an array to put the name pointers into
+	 */
+	argv = (char **)malloc((n+3)*sizeof(char *));
+	if (argv == 0)
+		return(unknown);
+
+	/*
+	 * Fill up the array of pointers to names.
+	 */
+	*argv = 0;
+	argvp = argv+1;
+	n = 0;
+	for (cp = cp2 = buf; (c = *cp);  cp++) {
+		if (c == '|' || c == ':') {
+			*cp++ = '\0';
+			/*
+			 * Skip entries that have spaces or are over 40
+			 * characters long.  If this is our environment
+			 * name, then put it up front.  Otherwise, as
+			 * long as this is not a duplicate name (case
+			 * insensitive) add it to the list.
+			 */
+			if (n || (cp - cp2 > 41))
+				;
+			else if (name && (strncasecmp(name, cp2, cp-cp2) == 0))
+				*argv = cp2;
+			else if (is_unique(cp2, argv+1, argvp))
+				*argvp++ = cp2;
+			if (c == ':')
+				break;
+			/*
+			 * Skip multiple delimiters. Reset cp2 to
+			 * the beginning of the next name. Reset n,
+			 * the flag for names with spaces.
+			 */
+			while ((c = *cp) == '|')
+				cp++;
+			cp2 = cp;
+			n = 0;
+		}
+		/*
+		 * Skip entries with spaces or non-ascii values.
+		 * Convert lower case letters to upper case.
+		 */
+		if ((c == ' ') || !isascii(c))
+			n = 1;
+		else if (islower(c))
+			*cp = toupper(c);
+	}
+
+	/*
+	 * Check for an old V6 2 character name.  If the second
+	 * name points to the beginning of the buffer, and is
+	 * only 2 characters long, move it to the end of the array.
+	 */
+	if ((argv[1] == buf) && (strlen(argv[1]) == 2)) {
+		--argvp;
+		for (avt = &argv[1]; avt < argvp; avt++)
+			*avt = *(avt+1);
+		*argvp++ = buf;
+	}
+
+	/*
+	 * Duplicate last name, for TTYPE option, and null
+	 * terminate the array.  If we didn't find a match on
+	 * our terminal name, put that name at the beginning.
+	 */
+	cp = *(argvp-1);
+	*argvp++ = cp;
+	*argvp = 0;
+
+	if (*argv == 0) {
+		if (name)
+			*argv = name;
+		else {
+			--argvp;
+			for (avt = argv; avt < argvp; avt++)
+				*avt = *(avt+1);
+		}
+	}
+	if (*argv)
+		return(argv);
+	else
+		return(unknown);
+}
+
+	int
+is_unique(name, as, ae)
+	register char *name, **as, **ae;
+{
+	register char **ap;
+	register int n;
+
+	n = strlen(name) + 1;
+	for (ap = as; ap < ae; ap++)
+		if (strncasecmp(*ap, name, n) == 0)
+			return(0);
+	return (1);
+}
+
+#ifdef	TERMCAP
+char termbuf[1024];
+
+	/*ARGSUSED*/
+	int
+setupterm(tname, fd, errp)
+	char *tname;
+	int fd, *errp;
+{
+	if (tgetent(termbuf, tname) == 1) {
+		termbuf[1023] = '\0';
+		if (errp)
+			*errp = 1;
+		return(0);
+	}
+	if (errp)
+		*errp = 0;
+	return(-1);
+}
+#else
+#define	termbuf	ttytype
+extern char ttytype[];
+#endif
+
+int resettermname = 1;
+
+	char *
+gettermname()
+{
+	char *tname;
+	static char **tnamep = 0;
+	static char **next;
+	int err;
+
+	if (resettermname) {
+		resettermname = 0;
+		if (tnamep && tnamep != unknown)
+			free(tnamep);
+		if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) &&
+				(setupterm(tname, 1, &err) == 0)) {
+			tnamep = mklist(termbuf, tname);
+		} else {
+			if (tname && ((int)strlen(tname) <= 40)) {
+				unknown[0] = tname;
+				upcase(tname);
+			} else
+				unknown[0] = name_unknown;
+			tnamep = unknown;
+		}
+		next = tnamep;
+	}
+	if (*next == 0)
+		next = tnamep;
+	return(*next++);
+}
+/*
+ * suboption()
+ *
+ *	Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *	Currently we recognize:
+ *
+ *		Terminal type, send request.
+ *		Terminal speed (send request).
+ *		Local flow control (is request).
+ *		Linemode
+ */
+
+    static void
+suboption()
+{
+    unsigned char subchar;
+
+    printsub('<', subbuffer, SB_LEN()+2);
+    switch (subchar = SB_GET()) {
+    case TELOPT_TTYPE:
+	if (my_want_state_is_wont(TELOPT_TTYPE))
+	    return;
+	if (SB_EOF() || SB_GET() != TELQUAL_SEND) {
+	    return;
+	} else {
+	    char *name;
+	    unsigned char temp[50];
+	    int len;
+
+#if	defined(TN3270)
+	    if (tn3270_ttype()) {
+		return;
+	    }
+#endif	/* defined(TN3270) */
+	    name = gettermname();
+	    len = strlen(name) + 4 + 2;
+	    if (len < NETROOM()) {
+		sprintf((char *)temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+				TELQUAL_IS, name, IAC, SE);
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', &temp[2], len-2);
+	    } else {
+		ExitString("No room in buffer for terminal type.\n", 1);
+		/*NOTREACHED*/
+	    }
+	}
+	break;
+    case TELOPT_TSPEED:
+	if (my_want_state_is_wont(TELOPT_TSPEED))
+	    return;
+	if (SB_EOF())
+	    return;
+	if (SB_GET() == TELQUAL_SEND) {
+	    long ospeed, ispeed;
+	    unsigned char temp[50];
+	    int len;
+
+	    TerminalSpeeds(&ispeed, &ospeed);
+
+	    sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
+		    TELQUAL_IS, ospeed, ispeed, IAC, SE);
+	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
+
+	    if (len < NETROOM()) {
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', temp+2, len - 2);
+	    }
+/*@*/	    else printf("lm_will: not enough room in buffer\n");
+	}
+	break;
+    case TELOPT_LFLOW:
+	if (my_want_state_is_wont(TELOPT_LFLOW))
+	    return;
+	if (SB_EOF())
+	    return;
+	switch(SB_GET()) {
+	case LFLOW_RESTART_ANY:
+	    restartany = 1;
+	    break;
+	case LFLOW_RESTART_XON:
+	    restartany = 0;
+	    break;
+	case LFLOW_ON:
+	    localflow = 1;
+	    break;
+	case LFLOW_OFF:
+	    localflow = 0;
+	    break;
+	default:
+	    return;
+	}
+	setcommandmode();
+	setconnmode(0);
+	break;
+
+    case TELOPT_LINEMODE:
+	if (my_want_state_is_wont(TELOPT_LINEMODE))
+	    return;
+	if (SB_EOF())
+	    return;
+	switch (SB_GET()) {
+	case WILL:
+	    lm_will(subpointer, SB_LEN());
+	    break;
+	case WONT:
+	    lm_wont(subpointer, SB_LEN());
+	    break;
+	case DO:
+	    lm_do(subpointer, SB_LEN());
+	    break;
+	case DONT:
+	    lm_dont(subpointer, SB_LEN());
+	    break;
+	case LM_SLC:
+	    slc(subpointer, SB_LEN());
+	    break;
+	case LM_MODE:
+	    lm_mode(subpointer, SB_LEN(), 0);
+	    break;
+	default:
+	    break;
+	}
+	break;
+
+#ifdef	OLD_ENVIRON
+    case TELOPT_OLD_ENVIRON:
+#endif
+    case TELOPT_NEW_ENVIRON:
+	if (SB_EOF())
+	    return;
+	switch(SB_PEEK()) {
+	case TELQUAL_IS:
+	case TELQUAL_INFO:
+	    if (my_want_state_is_dont(subchar))
+		return;
+	    break;
+	case TELQUAL_SEND:
+	    if (my_want_state_is_wont(subchar)) {
+		return;
+	    }
+	    break;
+	default:
+	    return;
+	}
+	env_opt(subpointer, SB_LEN());
+	break;
+
+    case TELOPT_XDISPLOC:
+	if (my_want_state_is_wont(TELOPT_XDISPLOC))
+	    return;
+	if (SB_EOF())
+	    return;
+	if (SB_GET() == TELQUAL_SEND) {
+	    unsigned char temp[50], *dp;
+	    int len;
+
+	    if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL ||
+		strlen(dp) > sizeof(temp) - 7) {
+		/*
+		 * Something happened, we no longer have a DISPLAY
+		 * variable.  Or it is too long.  So, turn off the option.
+		 */
+		send_wont(TELOPT_XDISPLOC, 1);
+		break;
+	    }
+	    snprintf((char *)temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB,
+		    TELOPT_XDISPLOC, TELQUAL_IS, dp, IAC, SE);
+	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
+
+	    if (len < NETROOM()) {
+		ring_supply_data(&netoring, temp, len);
+		printsub('>', temp+2, len - 2);
+	    }
+/*@*/	    else printf("lm_will: not enough room in buffer\n");
+	}
+	break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION: {
+		if (!autologin)
+			break;
+		if (SB_EOF())
+			return;
+		switch(SB_GET()) {
+		case TELQUAL_IS:
+			if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+				return;
+			auth_is(subpointer, SB_LEN());
+			break;
+		case TELQUAL_SEND:
+			if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+				return;
+			auth_send(subpointer, SB_LEN());
+			break;
+		case TELQUAL_REPLY:
+			if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+				return;
+			auth_reply(subpointer, SB_LEN());
+			break;
+		case TELQUAL_NAME:
+			if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+				return;
+			auth_name(subpointer, SB_LEN());
+			break;
+		}
+	}
+	break;
+#endif
+#ifdef	ENCRYPTION
+	case TELOPT_ENCRYPT:
+		if (SB_EOF())
+			return;
+		switch(SB_GET()) {
+		case ENCRYPT_START:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_start(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_END:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_end();
+			break;
+		case ENCRYPT_SUPPORT:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_support(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REQSTART:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_request_start(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REQEND:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			/*
+			 * We can always send an REQEND so that we cannot
+			 * get stuck encrypting.  We should only get this
+			 * if we have been able to get in the correct mode
+			 * anyhow.
+			 */
+			encrypt_request_end();
+			break;
+		case ENCRYPT_IS:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_is(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_REPLY:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_reply(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_ENC_KEYID:
+			if (my_want_state_is_dont(TELOPT_ENCRYPT))
+				return;
+			encrypt_enc_keyid(subpointer, SB_LEN());
+			break;
+		case ENCRYPT_DEC_KEYID:
+			if (my_want_state_is_wont(TELOPT_ENCRYPT))
+				return;
+			encrypt_dec_keyid(subpointer, SB_LEN());
+			break;
+		default:
+			break;
+		}
+		break;
+#endif	/* ENCRYPTION */
+    default:
+	break;
+    }
+}
+
+static unsigned char str_lm[] = { IAC, SB, TELOPT_LINEMODE, 0, 0, IAC, SE };
+
+    void
+lm_will(cmd, len)
+    unsigned char *cmd;
+    int len;
+{
+    if (len < 1) {
+/*@*/	printf("lm_will: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:	/* We shouldn't ever get this... */
+    default:
+	str_lm[3] = DONT;
+	str_lm[4] = cmd[0];
+	if (NETROOM() > sizeof(str_lm)) {
+	    ring_supply_data(&netoring, str_lm, sizeof(str_lm));
+	    printsub('>', &str_lm[2], sizeof(str_lm)-2);
+	}
+/*@*/	else printf("lm_will: not enough room in buffer\n");
+	break;
+    }
+}
+
+    void
+lm_wont(cmd, len)
+    unsigned char *cmd;
+    int len;
+{
+    if (len < 1) {
+/*@*/	printf("lm_wont: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:	/* We shouldn't ever get this... */
+    default:
+	/* We are always DONT, so don't respond */
+	return;
+    }
+}
+
+    void
+lm_do(cmd, len)
+    unsigned char *cmd;
+    int len;
+{
+    if (len < 1) {
+/*@*/	printf("lm_do: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:
+    default:
+	str_lm[3] = WONT;
+	str_lm[4] = cmd[0];
+	if (NETROOM() > sizeof(str_lm)) {
+	    ring_supply_data(&netoring, str_lm, sizeof(str_lm));
+	    printsub('>', &str_lm[2], sizeof(str_lm)-2);
+	}
+/*@*/	else printf("lm_do: not enough room in buffer\n");
+	break;
+    }
+}
+
+    void
+lm_dont(cmd, len)
+    unsigned char *cmd;
+    int len;
+{
+    if (len < 1) {
+/*@*/	printf("lm_dont: no command!!!\n");	/* Should not happen... */
+	return;
+    }
+    switch(cmd[0]) {
+    case LM_FORWARDMASK:
+    default:
+	/* we are always WONT, so don't respond */
+	break;
+    }
+}
+
+static unsigned char str_lm_mode[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_MODE, 0, IAC, SE
+};
+
+	void
+lm_mode(cmd, len, init)
+	unsigned char *cmd;
+	int len, init;
+{
+	if (len != 1)
+		return;
+	if ((linemode&MODE_MASK&~MODE_ACK) == *cmd)
+		return;
+	if (*cmd&MODE_ACK)
+		return;
+	linemode = *cmd&(MODE_MASK&~MODE_ACK);
+	str_lm_mode[4] = linemode;
+	if (!init)
+	    str_lm_mode[4] |= MODE_ACK;
+	if (NETROOM() > sizeof(str_lm_mode)) {
+	    ring_supply_data(&netoring, str_lm_mode, sizeof(str_lm_mode));
+	    printsub('>', &str_lm_mode[2], sizeof(str_lm_mode)-2);
+	}
+/*@*/	else printf("lm_mode: not enough room in buffer\n");
+	setconnmode(0);	/* set changed mode */
+}
+
+
+
+/*
+ * slc()
+ * Handle special character suboption of LINEMODE.
+ */
+
+struct spc {
+	cc_t val;
+	cc_t *valp;
+	char flags;	/* Current flags & level */
+	char mylevel;	/* Maximum level & flags */
+} spc_data[NSLC+1];
+
+#define SLC_IMPORT	0
+#define	SLC_EXPORT	1
+#define SLC_RVALUE	2
+static int slc_mode = SLC_EXPORT;
+
+	void
+slc_init()
+{
+	register struct spc *spcp;
+
+	localchars = 1;
+	for (spcp = spc_data; spcp < &spc_data[NSLC+1]; spcp++) {
+		spcp->val = 0;
+		spcp->valp = 0;
+		spcp->flags = spcp->mylevel = SLC_NOSUPPORT;
+	}
+
+#define	initfunc(func, flags) { \
+					spcp = &spc_data[func]; \
+					if ((spcp->valp = tcval(func))) { \
+					    spcp->val = *spcp->valp; \
+					    spcp->mylevel = SLC_VARIABLE|flags; \
+					} else { \
+					    spcp->val = 0; \
+					    spcp->mylevel = SLC_DEFAULT; \
+					} \
+				    }
+
+	initfunc(SLC_SYNCH, 0);
+	/* No BRK */
+	initfunc(SLC_AO, 0);
+	initfunc(SLC_AYT, 0);
+	/* No EOR */
+	initfunc(SLC_ABORT, SLC_FLUSHIN|SLC_FLUSHOUT);
+	initfunc(SLC_EOF, 0);
+#ifndef	SYSV_TERMIO
+	initfunc(SLC_SUSP, SLC_FLUSHIN);
+#endif
+	initfunc(SLC_EC, 0);
+	initfunc(SLC_EL, 0);
+#ifndef	SYSV_TERMIO
+	initfunc(SLC_EW, 0);
+	initfunc(SLC_RP, 0);
+	initfunc(SLC_LNEXT, 0);
+#endif
+	initfunc(SLC_XON, 0);
+	initfunc(SLC_XOFF, 0);
+#ifdef	SYSV_TERMIO
+	spc_data[SLC_XON].mylevel = SLC_CANTCHANGE;
+	spc_data[SLC_XOFF].mylevel = SLC_CANTCHANGE;
+#endif
+	initfunc(SLC_FORW1, 0);
+#ifdef	USE_TERMIO
+	initfunc(SLC_FORW2, 0);
+	/* No FORW2 */
+#endif
+
+	initfunc(SLC_IP, SLC_FLUSHIN|SLC_FLUSHOUT);
+#undef	initfunc
+
+	if (slc_mode == SLC_EXPORT)
+		slc_export();
+	else
+		slc_import(1);
+
+}
+
+    void
+slcstate()
+{
+    printf("Special characters are %s values\n",
+		slc_mode == SLC_IMPORT ? "remote default" :
+		slc_mode == SLC_EXPORT ? "local" :
+					 "remote");
+}
+
+    void
+slc_mode_export()
+{
+    slc_mode = SLC_EXPORT;
+    if (my_state_is_will(TELOPT_LINEMODE))
+	slc_export();
+}
+
+    void
+slc_mode_import(def)
+    int def;
+{
+    slc_mode = def ? SLC_IMPORT : SLC_RVALUE;
+    if (my_state_is_will(TELOPT_LINEMODE))
+	slc_import(def);
+}
+
+unsigned char slc_import_val[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_SLC, 0, SLC_VARIABLE, 0, IAC, SE
+};
+unsigned char slc_import_def[] = {
+	IAC, SB, TELOPT_LINEMODE, LM_SLC, 0, SLC_DEFAULT, 0, IAC, SE
+};
+
+    void
+slc_import(def)
+    int def;
+{
+    if (NETROOM() > sizeof(slc_import_val)) {
+	if (def) {
+	    ring_supply_data(&netoring, slc_import_def, sizeof(slc_import_def));
+	    printsub('>', &slc_import_def[2], sizeof(slc_import_def)-2);
+	} else {
+	    ring_supply_data(&netoring, slc_import_val, sizeof(slc_import_val));
+	    printsub('>', &slc_import_val[2], sizeof(slc_import_val)-2);
+	}
+    }
+/*@*/ else printf("slc_import: not enough room\n");
+}
+
+    void
+slc_export()
+{
+    register struct spc *spcp;
+
+    TerminalDefaultChars();
+
+    slc_start_reply();
+    for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+	if (spcp->mylevel != SLC_NOSUPPORT) {
+	    if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+		spcp->flags = SLC_NOSUPPORT;
+	    else
+		spcp->flags = spcp->mylevel;
+	    if (spcp->valp)
+		spcp->val = *spcp->valp;
+	    slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+	}
+    }
+    slc_end_reply();
+    (void)slc_update();
+    setconnmode(1);	/* Make sure the character values are set */
+}
+
+	void
+slc(cp, len)
+	register unsigned char *cp;
+	int len;
+{
+	register struct spc *spcp;
+	register int func,level;
+
+	slc_start_reply();
+
+	for (; len >= 3; len -=3, cp +=3) {
+
+		func = cp[SLC_FUNC];
+
+		if (func == 0) {
+			/*
+			 * Client side: always ignore 0 function.
+			 */
+			continue;
+		}
+		if (func > NSLC) {
+			if ((cp[SLC_FLAGS] & SLC_LEVELBITS) != SLC_NOSUPPORT)
+				slc_add_reply(func, SLC_NOSUPPORT, 0);
+			continue;
+		}
+
+		spcp = &spc_data[func];
+
+		level = cp[SLC_FLAGS]&(SLC_LEVELBITS|SLC_ACK);
+
+		if ((cp[SLC_VALUE] == (unsigned char)spcp->val) &&
+		    ((level&SLC_LEVELBITS) == (spcp->flags&SLC_LEVELBITS))) {
+			continue;
+		}
+
+		if (level == (SLC_DEFAULT|SLC_ACK)) {
+			/*
+			 * This is an error condition, the SLC_ACK
+			 * bit should never be set for the SLC_DEFAULT
+			 * level.  Our best guess to recover is to
+			 * ignore the SLC_ACK bit.
+			 */
+			cp[SLC_FLAGS] &= ~SLC_ACK;
+		}
+
+		if (level == ((spcp->flags&SLC_LEVELBITS)|SLC_ACK)) {
+			spcp->val = (cc_t)cp[SLC_VALUE];
+			spcp->flags = cp[SLC_FLAGS];	/* include SLC_ACK */
+			continue;
+		}
+
+		level &= ~SLC_ACK;
+
+		if (level <= (spcp->mylevel&SLC_LEVELBITS)) {
+			spcp->flags = cp[SLC_FLAGS]|SLC_ACK;
+			spcp->val = (cc_t)cp[SLC_VALUE];
+		}
+		if (level == SLC_DEFAULT) {
+			if ((spcp->mylevel&SLC_LEVELBITS) != SLC_DEFAULT)
+				spcp->flags = spcp->mylevel;
+			else
+				spcp->flags = SLC_NOSUPPORT;
+		}
+		slc_add_reply(func, spcp->flags, spcp->val);
+	}
+	slc_end_reply();
+	if (slc_update())
+		setconnmode(1);	/* set the  new character values */
+}
+
+    void
+slc_check()
+{
+    register struct spc *spcp;
+
+    slc_start_reply();
+    for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+	if (spcp->valp && spcp->val != *spcp->valp) {
+	    spcp->val = *spcp->valp;
+	    if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+		spcp->flags = SLC_NOSUPPORT;
+	    else
+		spcp->flags = spcp->mylevel;
+	    slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+	}
+    }
+    slc_end_reply();
+    setconnmode(1);
+}
+
+
+unsigned char slc_reply[128];
+unsigned char *slc_replyp;
+
+	void
+slc_start_reply()
+{
+	slc_replyp = slc_reply;
+	*slc_replyp++ = IAC;
+	*slc_replyp++ = SB;
+	*slc_replyp++ = TELOPT_LINEMODE;
+	*slc_replyp++ = LM_SLC;
+}
+
+	void
+slc_add_reply(func, flags, value)
+	unsigned char func;
+	unsigned char flags;
+	cc_t value;
+{
+	if ((*slc_replyp++ = func) == IAC)
+		*slc_replyp++ = IAC;
+	if ((*slc_replyp++ = flags) == IAC)
+		*slc_replyp++ = IAC;
+	if ((*slc_replyp++ = (unsigned char)value) == IAC)
+		*slc_replyp++ = IAC;
+}
+
+    void
+slc_end_reply()
+{
+    register int len;
+
+    *slc_replyp++ = IAC;
+    *slc_replyp++ = SE;
+    len = slc_replyp - slc_reply;
+    if (len <= 6)
+	return;
+    if (NETROOM() > len) {
+	ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+	printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+    }
+/*@*/else printf("slc_end_reply: not enough room\n");
+}
+
+	int
+slc_update()
+{
+	register struct spc *spcp;
+	int need_update = 0;
+
+	for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+		if (!(spcp->flags&SLC_ACK))
+			continue;
+		spcp->flags &= ~SLC_ACK;
+		if (spcp->valp && (*spcp->valp != spcp->val)) {
+			*spcp->valp = spcp->val;
+			need_update = 1;
+		}
+	}
+	return(need_update);
+}
+
+#ifdef	OLD_ENVIRON
+# ifdef	ENV_HACK
+/*
+ * Earlier version of telnet/telnetd from the BSD code had
+ * the definitions of VALUE and VAR reversed.  To ensure
+ * maximum interoperability, we assume that the server is
+ * an older BSD server, until proven otherwise.  The newer
+ * BSD servers should be able to handle either definition,
+ * so it is better to use the wrong values if we don't
+ * know what type of server it is.
+ */
+int env_auto = 1;
+int old_env_var = OLD_ENV_VAR;
+int old_env_value = OLD_ENV_VALUE;
+# else
+#  define old_env_var OLD_ENV_VAR
+#  define old_env_value OLD_ENV_VALUE
+# endif
+#endif
+
+	void
+env_opt(buf, len)
+	register unsigned char *buf;
+	register int len;
+{
+	register unsigned char *ep = 0, *epc = 0;
+	register int i;
+
+	switch(buf[0]&0xff) {
+	case TELQUAL_SEND:
+		env_opt_start();
+		if (len == 1) {
+			env_opt_add(NULL);
+		} else for (i = 1; i < len; i++) {
+			switch (buf[i]&0xff) {
+#ifdef	OLD_ENVIRON
+			case OLD_ENV_VAR:
+# ifdef	ENV_HACK
+				if (telopt_environ == TELOPT_OLD_ENVIRON
+				    && env_auto) {
+					/* Server has the same definitions */
+					old_env_var = OLD_ENV_VAR;
+					old_env_value = OLD_ENV_VALUE;
+				}
+				/* FALL THROUGH */
+# endif
+			case OLD_ENV_VALUE:
+				/*
+				 * Although OLD_ENV_VALUE is not legal, we will
+				 * still recognize it, just in case it is an
+				 * old server that has VAR & VALUE mixed up...
+				 */
+				/* FALL THROUGH */
+#else
+			case NEW_ENV_VAR:
+#endif
+			case ENV_USERVAR:
+				if (ep) {
+					*epc = 0;
+					env_opt_add(ep);
+				}
+				ep = epc = &buf[i+1];
+				break;
+			case ENV_ESC:
+				i++;
+				/*FALL THROUGH*/
+			default:
+				if (epc)
+					*epc++ = buf[i];
+				break;
+			}
+		}
+		if (ep) {
+			*epc = 0;
+			env_opt_add(ep);
+		}
+		env_opt_end(1);
+		break;
+
+	case TELQUAL_IS:
+	case TELQUAL_INFO:
+		/* Ignore for now.  We shouldn't get it anyway. */
+		break;
+
+	default:
+		break;
+	}
+}
+
+#define	OPT_REPLY_SIZE	256
+unsigned char *opt_reply;
+unsigned char *opt_replyp;
+unsigned char *opt_replyend;
+
+	void
+env_opt_start()
+{
+	if (opt_reply)
+		opt_reply = (unsigned char *)realloc(opt_reply, OPT_REPLY_SIZE);
+	else
+		opt_reply = (unsigned char *)malloc(OPT_REPLY_SIZE);
+	if (opt_reply == NULL) {
+/*@*/		printf("env_opt_start: malloc()/realloc() failed!!!\n");
+		opt_reply = opt_replyp = opt_replyend = NULL;
+		return;
+	}
+	opt_replyp = opt_reply;
+	opt_replyend = opt_reply + OPT_REPLY_SIZE;
+	*opt_replyp++ = IAC;
+	*opt_replyp++ = SB;
+	*opt_replyp++ = telopt_environ;
+	*opt_replyp++ = TELQUAL_IS;
+}
+
+	void
+env_opt_start_info()
+{
+	env_opt_start();
+	if (opt_replyp)
+	    opt_replyp[-1] = TELQUAL_INFO;
+}
+
+	void
+env_opt_add(ep)
+	register unsigned char *ep;
+{
+	register unsigned char *vp, c;
+
+	if (opt_reply == NULL)		/*XXX*/
+		return;			/*XXX*/
+
+	if (ep == NULL || *ep == '\0') {
+		/* Send user defined variables first. */
+		env_default(1, 0);
+		while ((ep = env_default(0, 0)))
+			env_opt_add(ep);
+
+		/* Now add the list of well know variables.  */
+		env_default(1, 1);
+		while ((ep = env_default(0, 1)))
+			env_opt_add(ep);
+		return;
+	}
+	vp = env_getvalue(ep);
+	if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+				strlen((char *)ep) + 6 > opt_replyend)
+	{
+		register int len;
+		opt_replyend += OPT_REPLY_SIZE;
+		len = opt_replyend - opt_reply;
+		opt_reply = (unsigned char *)realloc(opt_reply, len);
+		if (opt_reply == NULL) {
+/*@*/			printf("env_opt_add: realloc() failed!!!\n");
+			opt_reply = opt_replyp = opt_replyend = NULL;
+			return;
+		}
+		opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+		opt_replyend = opt_reply + len;
+	}
+	if (opt_welldefined(ep))
+#ifdef	OLD_ENVIRON
+		if (telopt_environ == TELOPT_OLD_ENVIRON)
+			*opt_replyp++ = old_env_var;
+		else
+#endif
+			*opt_replyp++ = NEW_ENV_VAR;
+	else
+		*opt_replyp++ = ENV_USERVAR;
+	for (;;) {
+		while ((c = *ep++)) {
+			switch(c&0xff) {
+			case IAC:
+				*opt_replyp++ = IAC;
+				break;
+			case NEW_ENV_VAR:
+			case NEW_ENV_VALUE:
+			case ENV_ESC:
+			case ENV_USERVAR:
+				*opt_replyp++ = ENV_ESC;
+				break;
+			}
+			*opt_replyp++ = c;
+		}
+		if ((ep = vp)) {
+#ifdef	OLD_ENVIRON
+			if (telopt_environ == TELOPT_OLD_ENVIRON)
+				*opt_replyp++ = old_env_value;
+			else
+#endif
+				*opt_replyp++ = NEW_ENV_VALUE;
+			vp = NULL;
+		} else
+			break;
+	}
+}
+
+	int
+opt_welldefined(ep)
+	char *ep;
+{
+	if ((strcmp(ep, "USER") == 0) ||
+	    (strcmp(ep, "DISPLAY") == 0) ||
+	    (strcmp(ep, "PRINTER") == 0) ||
+	    (strcmp(ep, "SYSTEMTYPE") == 0) ||
+	    (strcmp(ep, "JOB") == 0) ||
+	    (strcmp(ep, "ACCT") == 0))
+		return(1);
+	return(0);
+}
+	void
+env_opt_end(emptyok)
+	register int emptyok;
+{
+	register int len;
+
+	len = opt_replyp - opt_reply + 2;
+	if (emptyok || len > 6) {
+		*opt_replyp++ = IAC;
+		*opt_replyp++ = SE;
+		if (NETROOM() > len) {
+			ring_supply_data(&netoring, opt_reply, len);
+			printsub('>', &opt_reply[2], len - 2);
+		}
+/*@*/		else printf("slc_end_reply: not enough room\n");
+	}
+	if (opt_reply) {
+		free(opt_reply);
+		opt_reply = opt_replyp = opt_replyend = NULL;
+	}
+}
+
+
+
+    int
+telrcv()
+{
+    register int c;
+    register int scc;
+    register unsigned char *sbp;
+    int count;
+    int returnValue = 0;
+
+    scc = 0;
+    count = 0;
+    while (TTYROOM() > 2) {
+	if (scc == 0) {
+	    if (count) {
+		ring_consumed(&netiring, count);
+		returnValue = 1;
+		count = 0;
+	    }
+	    sbp = netiring.consume;
+	    scc = ring_full_consecutive(&netiring);
+	    if (scc == 0) {
+		/* No more data coming in */
+		break;
+	    }
+	}
+
+	c = *sbp++ & 0xff, scc--; count++;
+#ifdef	ENCRYPTION
+	if (decrypt_input)
+		c = (*decrypt_input)(c);
+#endif	/* ENCRYPTION */
+
+	switch (telrcv_state) {
+
+	case TS_CR:
+	    telrcv_state = TS_DATA;
+	    if (c == '\0') {
+		break;	/* Ignore \0 after CR */
+	    }
+	    else if ((c == '\n') && my_want_state_is_dont(TELOPT_ECHO) && !crmod) {
+		TTYADD(c);
+		break;
+	    }
+	    /* Else, fall through */
+
+	case TS_DATA:
+	    if (c == IAC) {
+		telrcv_state = TS_IAC;
+		break;
+	    }
+#	    if defined(TN3270)
+	    if (In3270) {
+		*Ifrontp++ = c;
+		while (scc > 0) {
+		    c = *sbp++ & 0377, scc--; count++;
+#ifdef	ENCRYPTION
+		    if (decrypt_input)
+			c = (*decrypt_input)(c);
+#endif	/* ENCRYPTION */
+		    if (c == IAC) {
+			telrcv_state = TS_IAC;
+			break;
+		    }
+		    *Ifrontp++ = c;
+		}
+	    } else
+#	    endif /* defined(TN3270) */
+		    /*
+		     * The 'crmod' hack (see following) is needed
+		     * since we can't * set CRMOD on output only.
+		     * Machines like MULTICS like to send \r without
+		     * \n; since we must turn off CRMOD to get proper
+		     * input, the mapping is done here (sigh).
+		     */
+	    if ((c == '\r') && my_want_state_is_dont(TELOPT_BINARY)) {
+		if (scc > 0) {
+		    c = *sbp&0xff;
+#ifdef	ENCRYPTION
+		    if (decrypt_input)
+			c = (*decrypt_input)(c);
+#endif	/* ENCRYPTION */
+		    if (c == 0) {
+			sbp++, scc--; count++;
+			/* a "true" CR */
+			TTYADD('\r');
+		    } else if (my_want_state_is_dont(TELOPT_ECHO) &&
+					(c == '\n')) {
+			sbp++, scc--; count++;
+			TTYADD('\n');
+		    } else {
+#ifdef	ENCRYPTION
+			if (decrypt_input)
+			    (*decrypt_input)(-1);
+#endif	/* ENCRYPTION */
+
+			TTYADD('\r');
+			if (crmod) {
+				TTYADD('\n');
+			}
+		    }
+		} else {
+		    telrcv_state = TS_CR;
+		    TTYADD('\r');
+		    if (crmod) {
+			    TTYADD('\n');
+		    }
+		}
+	    } else {
+		TTYADD(c);
+	    }
+	    continue;
+
+	case TS_IAC:
+process_iac:
+	    switch (c) {
+
+	    case WILL:
+		telrcv_state = TS_WILL;
+		continue;
+
+	    case WONT:
+		telrcv_state = TS_WONT;
+		continue;
+
+	    case DO:
+		telrcv_state = TS_DO;
+		continue;
+
+	    case DONT:
+		telrcv_state = TS_DONT;
+		continue;
+
+	    case DM:
+		    /*
+		     * We may have missed an urgent notification,
+		     * so make sure we flush whatever is in the
+		     * buffer currently.
+		     */
+		printoption("RCVD", IAC, DM);
+		SYNCHing = 1;
+		(void) ttyflush(1);
+		SYNCHing = stilloob();
+		settimer(gotDM);
+		break;
+
+	    case SB:
+		SB_CLEAR();
+		telrcv_state = TS_SB;
+		continue;
+
+#	    if defined(TN3270)
+	    case EOR:
+		if (In3270) {
+		    if (Ibackp == Ifrontp) {
+			Ibackp = Ifrontp = Ibuf;
+			ISend = 0;	/* should have been! */
+		    } else {
+			Ibackp += DataFromNetwork(Ibackp, Ifrontp-Ibackp, 1);
+			ISend = 1;
+		    }
+		}
+		printoption("RCVD", IAC, EOR);
+		break;
+#	    endif /* defined(TN3270) */
+
+	    case IAC:
+#	    if !defined(TN3270)
+		TTYADD(IAC);
+#	    else /* !defined(TN3270) */
+		if (In3270) {
+		    *Ifrontp++ = IAC;
+		} else {
+		    TTYADD(IAC);
+		}
+#	    endif /* !defined(TN3270) */
+		break;
+
+	    case NOP:
+	    case GA:
+	    default:
+		printoption("RCVD", IAC, c);
+		break;
+	    }
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_WILL:
+	    printoption("RCVD", WILL, c);
+	    willoption(c);
+	    SetIn3270();
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_WONT:
+	    printoption("RCVD", WONT, c);
+	    wontoption(c);
+	    SetIn3270();
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_DO:
+	    printoption("RCVD", DO, c);
+	    dooption(c);
+	    SetIn3270();
+	    if (c == TELOPT_NAWS) {
+		sendnaws();
+	    } else if (c == TELOPT_LFLOW) {
+		localflow = 1;
+		setcommandmode();
+		setconnmode(0);
+	    }
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_DONT:
+	    printoption("RCVD", DONT, c);
+	    dontoption(c);
+	    flushline = 1;
+	    setconnmode(0);	/* set new tty mode (maybe) */
+	    SetIn3270();
+	    telrcv_state = TS_DATA;
+	    continue;
+
+	case TS_SB:
+	    if (c == IAC) {
+		telrcv_state = TS_SE;
+	    } else {
+		SB_ACCUM(c);
+	    }
+	    continue;
+
+	case TS_SE:
+	    if (c != SE) {
+		if (c != IAC) {
+		    /*
+		     * This is an error.  We only expect to get
+		     * "IAC IAC" or "IAC SE".  Several things may
+		     * have happend.  An IAC was not doubled, the
+		     * IAC SE was left off, or another option got
+		     * inserted into the suboption are all possibilities.
+		     * If we assume that the IAC was not doubled,
+		     * and really the IAC SE was left off, we could
+		     * get into an infinate loop here.  So, instead,
+		     * we terminate the suboption, and process the
+		     * partial suboption if we can.
+		     */
+		    SB_ACCUM(IAC);
+		    SB_ACCUM(c);
+		    subpointer -= 2;
+		    SB_TERM();
+
+		    printoption("In SUBOPTION processing, RCVD", IAC, c);
+		    suboption();	/* handle sub-option */
+		    SetIn3270();
+		    telrcv_state = TS_IAC;
+		    goto process_iac;
+		}
+		SB_ACCUM(c);
+		telrcv_state = TS_SB;
+	    } else {
+		SB_ACCUM(IAC);
+		SB_ACCUM(SE);
+		subpointer -= 2;
+		SB_TERM();
+		suboption();	/* handle sub-option */
+		SetIn3270();
+		telrcv_state = TS_DATA;
+	    }
+	}
+    }
+    if (count)
+	ring_consumed(&netiring, count);
+    return returnValue||count;
+}
+
+static int bol = 1, local = 0;
+
+    int
+rlogin_susp()
+{
+    if (local) {
+	local = 0;
+	bol = 1;
+	command(0, "z\n", 2);
+	return(1);
+    }
+    return(0);
+}
+
+    static int
+telsnd()
+{
+    int tcc;
+    int count;
+    int returnValue = 0;
+    unsigned char *tbp;
+
+    tcc = 0;
+    count = 0;
+    while (NETROOM() > 2) {
+	register int sc;
+	register int c;
+
+	if (tcc == 0) {
+	    if (count) {
+		ring_consumed(&ttyiring, count);
+		returnValue = 1;
+		count = 0;
+	    }
+	    tbp = ttyiring.consume;
+	    tcc = ring_full_consecutive(&ttyiring);
+	    if (tcc == 0) {
+		break;
+	    }
+	}
+	c = *tbp++ & 0xff, sc = strip(c), tcc--; count++;
+	if (rlogin != _POSIX_VDISABLE) {
+		if (bol) {
+			bol = 0;
+			if (sc == rlogin) {
+				local = 1;
+				continue;
+			}
+		} else if (local) {
+			local = 0;
+			if (sc == '.' || c == termEofChar) {
+				bol = 1;
+				command(0, "close\n", 6);
+				continue;
+			}
+			if (sc == termSuspChar) {
+				bol = 1;
+				command(0, "z\n", 2);
+				continue;
+			}
+			if (sc == escape) {
+				command(0, (char *)tbp, tcc);
+				bol = 1;
+				count += tcc;
+				tcc = 0;
+				flushline = 1;
+				break;
+			}
+			if (sc != rlogin) {
+				++tcc;
+				--tbp;
+				--count;
+				c = sc = rlogin;
+			}
+		}
+		if ((sc == '\n') || (sc == '\r'))
+			bol = 1;
+	} else if (escape != _POSIX_VDISABLE && sc == escape) {
+	    /*
+	     * Double escape is a pass through of a single escape character.
+	     */
+	    if (tcc && strip(*tbp) == escape) {
+		tbp++;
+		tcc--;
+		count++;
+		bol = 0;
+	    } else {
+		command(0, (char *)tbp, tcc);
+		bol = 1;
+		count += tcc;
+		tcc = 0;
+		flushline = 1;
+		break;
+	    }
+	} else
+	    bol = 0;
+#ifdef	KLUDGELINEMODE
+	if (kludgelinemode && (globalmode&MODE_EDIT) && (sc == echoc)) {
+	    if (tcc > 0 && strip(*tbp) == echoc) {
+		tcc--; tbp++; count++;
+	    } else {
+		dontlecho = !dontlecho;
+		settimer(echotoggle);
+		setconnmode(0);
+		flushline = 1;
+		break;
+	    }
+	}
+#endif
+	if (MODE_LOCAL_CHARS(globalmode)) {
+	    if (TerminalSpecialChars(sc) == 0) {
+		bol = 1;
+		break;
+	    }
+	}
+	if (my_want_state_is_wont(TELOPT_BINARY)) {
+	    switch (c) {
+	    case '\n':
+		    /*
+		     * If we are in CRMOD mode (\r ==> \n)
+		     * on our local machine, then probably
+		     * a newline (unix) is CRLF (TELNET).
+		     */
+		if (MODE_LOCAL_CHARS(globalmode)) {
+		    NETADD('\r');
+		}
+		NETADD('\n');
+		bol = flushline = 1;
+		break;
+	    case '\r':
+		if (!crlf) {
+		    NET2ADD('\r', '\0');
+		} else {
+		    NET2ADD('\r', '\n');
+		}
+		bol = flushline = 1;
+		break;
+	    case IAC:
+		NET2ADD(IAC, IAC);
+		break;
+	    default:
+		NETADD(c);
+		break;
+	    }
+	} else if (c == IAC) {
+	    NET2ADD(IAC, IAC);
+	} else {
+	    NETADD(c);
+	}
+    }
+    if (count)
+	ring_consumed(&ttyiring, count);
+    return returnValue||count;		/* Non-zero if we did anything */
+}
+
+/*
+ * Scheduler()
+ *
+ * Try to do something.
+ *
+ * If we do something useful, return 1; else return 0.
+ *
+ */
+
+
+    int
+Scheduler(block)
+    int	block;			/* should we block in the select ? */
+{
+		/* One wants to be a bit careful about setting returnValue
+		 * to one, since a one implies we did some useful work,
+		 * and therefore probably won't be called to block next
+		 * time (TN3270 mode only).
+		 */
+    int returnValue;
+    int netin, netout, netex, ttyin, ttyout;
+
+    /* Decide which rings should be processed */
+
+    netout = ring_full_count(&netoring) &&
+	    (flushline ||
+		(my_want_state_is_wont(TELOPT_LINEMODE)
+#ifdef	KLUDGELINEMODE
+			&& (!kludgelinemode || my_want_state_is_do(TELOPT_SGA))
+#endif
+		) ||
+			my_want_state_is_will(TELOPT_BINARY));
+    ttyout = ring_full_count(&ttyoring);
+
+#if	defined(TN3270)
+    ttyin = ring_empty_count(&ttyiring) && (clienteof == 0) && (shell_active == 0);
+#else	/* defined(TN3270) */
+    ttyin = ring_empty_count(&ttyiring) && (clienteof == 0);
+#endif	/* defined(TN3270) */
+
+#if	defined(TN3270)
+    netin = ring_empty_count(&netiring);
+#   else /* !defined(TN3270) */
+    netin = !ISend && ring_empty_count(&netiring);
+#   endif /* !defined(TN3270) */
+
+    netex = !SYNCHing;
+
+    /* If we have seen a signal recently, reset things */
+#   if defined(TN3270) && defined(unix)
+    if (HaveInput) {
+	HaveInput = 0;
+	(void) signal(SIGIO, inputAvailable);
+    }
+#endif	/* defined(TN3270) && defined(unix) */
+
+    /* Call to system code to process rings */
+
+    returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block);
+
+    /* Now, look at the input rings, looking for work to do. */
+
+    if (ring_full_count(&ttyiring)) {
+#   if defined(TN3270)
+	if (In3270) {
+	    int c;
+
+	    c = DataFromTerminal(ttyiring.consume,
+					ring_full_consecutive(&ttyiring));
+	    if (c) {
+		returnValue = 1;
+		ring_consumed(&ttyiring, c);
+	    }
+	} else {
+#   endif /* defined(TN3270) */
+	    returnValue |= telsnd();
+#   if defined(TN3270)
+	}
+#   endif /* defined(TN3270) */
+    }
+
+    if (ring_full_count(&netiring)) {
+#	if !defined(TN3270)
+	returnValue |= telrcv();
+#	else /* !defined(TN3270) */
+	returnValue = Push3270();
+#	endif /* !defined(TN3270) */
+    }
+    return returnValue;
+}
+
+/*
+ * Select from tty and network...
+ */
+    void
+telnet(user)
+    char *user;
+{
+    sys_telnet_init();
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+    {
+	static char local_host[256] = { 0 };
+
+	if (!local_host[0]) {
+		gethostname(local_host, sizeof(local_host));
+		local_host[sizeof(local_host)-1] = 0;
+	}
+	auth_encrypt_init(local_host, hostname, "TELNET", 0);
+	auth_encrypt_user(user);
+    }
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION)  */
+#   if !defined(TN3270)
+    if (telnetport) {
+#if	defined(AUTHENTICATION)
+	if (autologin)
+		send_will(TELOPT_AUTHENTICATION, 1);
+#endif
+#ifdef	ENCRYPTION
+	send_do(TELOPT_ENCRYPT, 1);
+	send_will(TELOPT_ENCRYPT, 1);
+#endif	/* ENCRYPTION */
+	send_do(TELOPT_SGA, 1);
+	send_will(TELOPT_TTYPE, 1);
+	send_will(TELOPT_NAWS, 1);
+	send_will(TELOPT_TSPEED, 1);
+	send_will(TELOPT_LFLOW, 1);
+	send_will(TELOPT_LINEMODE, 1);
+	send_will(TELOPT_NEW_ENVIRON, 1);
+	send_do(TELOPT_STATUS, 1);
+	if (env_getvalue((unsigned char *)"DISPLAY"))
+	    send_will(TELOPT_XDISPLOC, 1);
+	if (eight)
+	    tel_enter_binary(eight);
+    }
+#   endif /* !defined(TN3270) */
+
+#   if !defined(TN3270)
+    for (;;) {
+	int schedValue;
+
+	while ((schedValue = Scheduler(0)) != 0) {
+	    if (schedValue == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+
+	if (Scheduler(1) == -1) {
+	    setcommandmode();
+	    return;
+	}
+    }
+#   else /* !defined(TN3270) */
+    for (;;) {
+	int schedValue;
+
+	while (!In3270 && !shell_active) {
+	    if (Scheduler(1) == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+
+	while ((schedValue = Scheduler(0)) != 0) {
+	    if (schedValue == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+		/* If there is data waiting to go out to terminal, don't
+		 * schedule any more data for the terminal.
+		 */
+	if (ring_full_count(&ttyoring)) {
+	    schedValue = 1;
+	} else {
+	    if (shell_active) {
+		if (shell_continue() == 0) {
+		    ConnectScreen();
+		}
+	    } else if (In3270) {
+		schedValue = DoTerminalOutput();
+	    }
+	}
+	if (schedValue && (shell_active == 0)) {
+	    if (Scheduler(1) == -1) {
+		setcommandmode();
+		return;
+	    }
+	}
+    }
+#   endif /* !defined(TN3270) */
+}
+
+#if	0	/* XXX - this not being in is a bug */
+/*
+ * nextitem()
+ *
+ *	Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+
+    static char *
+nextitem(current)
+    char *current;
+{
+    if ((*current&0xff) != IAC) {
+	return current+1;
+    }
+    switch (*(current+1)&0xff) {
+    case DO:
+    case DONT:
+    case WILL:
+    case WONT:
+	return current+3;
+    case SB:		/* loop forever looking for the SE */
+	{
+	    register char *look = current+2;
+
+	    for (;;) {
+		if ((*look++&0xff) == IAC) {
+		    if ((*look++&0xff) == SE) {
+			return look;
+		    }
+		}
+	    }
+	}
+    default:
+	return current+2;
+    }
+}
+#endif	/* 0 */
+
+/*
+ * netclear()
+ *
+ *	We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *	Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *	A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+
+    static void
+netclear()
+{
+#if	0	/* XXX */
+    register char *thisitem, *next;
+    char *good;
+#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+    thisitem = netobuf;
+
+    while ((next = nextitem(thisitem)) <= netobuf.send) {
+	thisitem = next;
+    }
+
+    /* Now, thisitem is first before/at boundary. */
+
+    good = netobuf;	/* where the good bytes go */
+
+    while (netoring.add > thisitem) {
+	if (wewant(thisitem)) {
+	    int length;
+
+	    next = thisitem;
+	    do {
+		next = nextitem(next);
+	    } while (wewant(next) && (nfrontp > next));
+	    length = next-thisitem;
+	    memmove(good, thisitem, length);
+	    good += length;
+	    thisitem = next;
+	} else {
+	    thisitem = nextitem(thisitem);
+	}
+    }
+
+#endif	/* 0 */
+}
+
+/*
+ * These routines add various telnet commands to the data stream.
+ */
+
+    static void
+doflush()
+{
+    NET2ADD(IAC, DO);
+    NETADD(TELOPT_TM);
+    flushline = 1;
+    flushout = 1;
+    (void) ttyflush(1);			/* Flush/drop output */
+    /* do printoption AFTER flush, otherwise the output gets tossed... */
+    printoption("SENT", DO, TELOPT_TM);
+}
+
+    void
+xmitAO()
+{
+    NET2ADD(IAC, AO);
+    printoption("SENT", IAC, AO);
+    if (autoflush) {
+	doflush();
+    }
+}
+
+
+    void
+xmitEL()
+{
+    NET2ADD(IAC, EL);
+    printoption("SENT", IAC, EL);
+}
+
+    void
+xmitEC()
+{
+    NET2ADD(IAC, EC);
+    printoption("SENT", IAC, EC);
+}
+
+
+    int
+dosynch()
+{
+    netclear();			/* clear the path to the network */
+    NETADD(IAC);
+    setneturg();
+    NETADD(DM);
+    printoption("SENT", IAC, DM);
+    return 1;
+}
+
+int want_status_response = 0;
+
+    int
+get_status()
+{
+    unsigned char tmp[16];
+    register unsigned char *cp;
+
+    if (my_want_state_is_dont(TELOPT_STATUS)) {
+	printf("Remote side does not support STATUS option\n");
+	return 0;
+    }
+    cp = tmp;
+
+    *cp++ = IAC;
+    *cp++ = SB;
+    *cp++ = TELOPT_STATUS;
+    *cp++ = TELQUAL_SEND;
+    *cp++ = IAC;
+    *cp++ = SE;
+    if (NETROOM() >= cp - tmp) {
+	ring_supply_data(&netoring, tmp, cp-tmp);
+	printsub('>', tmp+2, cp - tmp - 2);
+    }
+    ++want_status_response;
+    return 1;
+}
+
+    void
+intp()
+{
+    NET2ADD(IAC, IP);
+    printoption("SENT", IAC, IP);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+    void
+sendbrk()
+{
+    NET2ADD(IAC, BREAK);
+    printoption("SENT", IAC, BREAK);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+    void
+sendabort()
+{
+    NET2ADD(IAC, ABORT);
+    printoption("SENT", IAC, ABORT);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+    void
+sendsusp()
+{
+    NET2ADD(IAC, SUSP);
+    printoption("SENT", IAC, SUSP);
+    flushline = 1;
+    if (autoflush) {
+	doflush();
+    }
+    if (autosynch) {
+	dosynch();
+    }
+}
+
+    void
+sendeof()
+{
+    NET2ADD(IAC, xEOF);
+    printoption("SENT", IAC, xEOF);
+}
+
+    void
+sendayt()
+{
+    NET2ADD(IAC, AYT);
+    printoption("SENT", IAC, AYT);
+}
+
+/*
+ * Send a window size update to the remote system.
+ */
+
+    void
+sendnaws()
+{
+    long rows, cols;
+    unsigned char tmp[16];
+    register unsigned char *cp;
+
+    if (my_state_is_wont(TELOPT_NAWS))
+	return;
+
+#define	PUTSHORT(cp, x) { if ((*cp++ = ((x)>>8)&0xff) == IAC) *cp++ = IAC; \
+			    if ((*cp++ = ((x))&0xff) == IAC) *cp++ = IAC; }
+
+    if (TerminalWindowSize(&rows, &cols) == 0) {	/* Failed */
+	return;
+    }
+
+    cp = tmp;
+
+    *cp++ = IAC;
+    *cp++ = SB;
+    *cp++ = TELOPT_NAWS;
+    PUTSHORT(cp, cols);
+    PUTSHORT(cp, rows);
+    *cp++ = IAC;
+    *cp++ = SE;
+    if (NETROOM() >= cp - tmp) {
+	ring_supply_data(&netoring, tmp, cp-tmp);
+	printsub('>', tmp+2, cp - tmp - 2);
+    }
+}
+
+    void
+tel_enter_binary(rw)
+    int rw;
+{
+    if (rw&1)
+	send_do(TELOPT_BINARY, 1);
+    if (rw&2)
+	send_will(TELOPT_BINARY, 1);
+}
+
+    void
+tel_leave_binary(rw)
+    int rw;
+{
+    if (rw&1)
+	send_dont(TELOPT_BINARY, 1);
+    if (rw&2)
+	send_wont(TELOPT_BINARY, 1);
+}
diff --git a/crypto/telnet/telnet/terminal.c b/crypto/telnet/telnet/terminal.c
new file mode 100644
index 0000000..2069396
--- /dev/null
+++ b/crypto/telnet/telnet/terminal.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (c) 1988, 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)terminal.c	8.2 (Berkeley) 2/16/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#include <arpa/telnet.h>
+#include <sys/types.h>
+
+#include "ring.h"
+
+#include "externs.h"
+#include "types.h"
+
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+Ring		ttyoring, ttyiring;
+unsigned char	ttyobuf[2*BUFSIZ], ttyibuf[BUFSIZ];
+
+int termdata;			/* Debugging flag */
+
+#ifdef	USE_TERMIO
+# ifndef VDISCARD
+cc_t termFlushChar;
+# endif
+# ifndef VLNEXT
+cc_t termLiteralNextChar;
+# endif
+# ifndef VSUSP
+cc_t termSuspChar;
+# endif
+# ifndef VWERASE
+cc_t termWerasChar;
+# endif
+# ifndef VREPRINT
+cc_t termRprntChar;
+# endif
+# ifndef VSTART
+cc_t termStartChar;
+# endif
+# ifndef VSTOP
+cc_t termStopChar;
+# endif
+# ifndef VEOL
+cc_t termForw1Char;
+# endif
+# ifndef VEOL2
+cc_t termForw2Char;
+# endif
+# ifndef VSTATUS
+cc_t termAytChar;
+# endif
+#else
+cc_t termForw2Char;
+cc_t termAytChar;
+#endif
+
+/*
+ * initialize the terminal data structures.
+ */
+
+    void
+init_terminal()
+{
+    if (ring_init(&ttyoring, ttyobuf, sizeof ttyobuf) != 1) {
+	exit(1);
+    }
+    if (ring_init(&ttyiring, ttyibuf, sizeof ttyibuf) != 1) {
+	exit(1);
+    }
+    autoflush = TerminalAutoFlush();
+}
+
+
+/*
+ *		Send as much data as possible to the terminal.
+ *
+ *		Return value:
+ *			-1: No useful work done, data waiting to go out.
+ *			 0: No data was waiting, so nothing was done.
+ *			 1: All waiting data was written out.
+ *			 n: All data - n was written out.
+ */
+
+
+    int
+ttyflush(drop)
+    int drop;
+{
+    register int n, n0, n1;
+
+    n0 = ring_full_count(&ttyoring);
+    if ((n1 = n = ring_full_consecutive(&ttyoring)) > 0) {
+	if (drop) {
+	    TerminalFlushOutput();
+	    /* we leave 'n' alone! */
+	} else {
+	    n = TerminalWrite(ttyoring.consume, n);
+	}
+    }
+    if (n > 0) {
+	if (termdata && n) {
+	    Dump('>', ttyoring.consume, n);
+	}
+	/*
+	 * If we wrote everything, and the full count is
+	 * larger than what we wrote, then write the
+	 * rest of the buffer.
+	 */
+	if (n1 == n && n0 > n) {
+		n1 = n0 - n;
+		if (!drop)
+			n1 = TerminalWrite(ttyoring.bottom, n1);
+		if (n1 > 0)
+			n += n1;
+	}
+	ring_consumed(&ttyoring, n);
+    }
+    if (n < 0)
+	return -1;
+    if (n == n0) {
+	if (n0)
+	    return -1;
+	return 0;
+    }
+    return n0 - n + 1;
+}
+
+
+/*
+ * These routines decides on what the mode should be (based on the values
+ * of various global variables).
+ */
+
+
+    int
+getconnmode()
+{
+    extern int linemode;
+    int mode = 0;
+#ifdef	KLUDGELINEMODE
+    extern int kludgelinemode;
+#endif
+
+    if (In3270)
+	return(MODE_FLOW);
+
+    if (my_want_state_is_dont(TELOPT_ECHO))
+	mode |= MODE_ECHO;
+
+    if (localflow)
+	mode |= MODE_FLOW;
+
+    if (my_want_state_is_will(TELOPT_BINARY))
+	mode |= MODE_INBIN;
+
+    if (his_want_state_is_will(TELOPT_BINARY))
+	mode |= MODE_OUTBIN;
+
+#ifdef	KLUDGELINEMODE
+    if (kludgelinemode) {
+	if (my_want_state_is_dont(TELOPT_SGA)) {
+	    mode |= (MODE_TRAPSIG|MODE_EDIT);
+	    if (dontlecho && (clocks.echotoggle > clocks.modenegotiated)) {
+		mode &= ~MODE_ECHO;
+	    }
+	}
+	return(mode);
+    }
+#endif
+    if (my_want_state_is_will(TELOPT_LINEMODE))
+	mode |= linemode;
+    return(mode);
+}
+
+    void
+setconnmode(force)
+    int force;
+{
+#ifdef	ENCRYPTION
+    static int enc_passwd = 0;
+#endif	/* ENCRYPTION */
+    register int newmode;
+
+    newmode = getconnmode()|(force?MODE_FORCE:0);
+
+    TerminalNewMode(newmode);
+
+#ifdef  ENCRYPTION
+    if ((newmode & (MODE_ECHO|MODE_EDIT)) == MODE_EDIT) {
+	if (my_want_state_is_will(TELOPT_ENCRYPT)
+				&& (enc_passwd == 0) && !encrypt_output) {
+	    encrypt_request_start(0, 0);
+	    enc_passwd = 1;
+	}
+    } else {
+	if (enc_passwd) {
+	    encrypt_request_end();
+	    enc_passwd = 0;
+	}
+    }
+#endif	/* ENCRYPTION */
+
+}
+
+
+    void
+setcommandmode()
+{
+    TerminalNewMode(-1);
+}
diff --git a/crypto/telnet/telnet/tn3270.c b/crypto/telnet/telnet/tn3270.c
new file mode 100644
index 0000000..92219b7
--- /dev/null
+++ b/crypto/telnet/telnet/tn3270.c
@@ -0,0 +1,416 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)tn3270.c	8.2 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+
+#include "general.h"
+
+#include "defines.h"
+#include "ring.h"
+#include "externs.h"
+#include "fdset.h"
+
+#if	defined(TN3270)
+
+#include "../ctlr/screen.h"
+#include "../general/globals.h"
+
+#include "../sys_curses/telextrn.h"
+#include "../ctlr/externs.h"
+
+#if	defined(unix)
+int
+	HaveInput,		/* There is input available to scan */
+	cursesdata,		/* Do we dump curses data? */
+	sigiocount;		/* Number of times we got a SIGIO */
+
+char	tline[200];
+char	*transcom = 0;	/* transparent mode command (default: none) */
+#endif	/* defined(unix) */
+
+char	Ibuf[8*BUFSIZ], *Ifrontp, *Ibackp;
+
+static char	sb_terminal[] = { IAC, SB,
+			TELOPT_TTYPE, TELQUAL_IS,
+			'I', 'B', 'M', '-', '3', '2', '7', '8', '-', '2',
+			IAC, SE };
+#define	SBTERMMODEL	13
+
+static int
+	Sent3270TerminalType;	/* Have we said we are a 3270? */
+
+#endif	/* defined(TN3270) */
+
+
+    void
+init_3270()
+{
+#if	defined(TN3270)
+#if	defined(unix)
+    HaveInput = 0;
+    sigiocount = 0;
+#endif	/* defined(unix) */
+    Sent3270TerminalType = 0;
+    Ifrontp = Ibackp = Ibuf;
+    init_ctlr();		/* Initialize some things */
+    init_keyboard();
+    init_screen();
+    init_system();
+#endif	/* defined(TN3270) */
+}
+
+
+#if	defined(TN3270)
+
+/*
+ * DataToNetwork - queue up some data to go to network.  If "done" is set,
+ * then when last byte is queued, we add on an IAC EOR sequence (so,
+ * don't call us with "done" until you want that done...)
+ *
+ * We actually do send all the data to the network buffer, since our
+ * only client needs for us to do that.
+ */
+
+    int
+DataToNetwork(buffer, count, done)
+    register char *buffer;	/* where the data is */
+    register int  count;	/* how much to send */
+    int		  done;		/* is this the last of a logical block */
+{
+    register int loop, c;
+    int origCount;
+
+    origCount = count;
+
+    while (count) {
+	/* If not enough room for EORs, IACs, etc., wait */
+	if (NETROOM() < 6) {
+	    fd_set o;
+
+	    FD_ZERO(&o);
+	    netflush();
+	    while (NETROOM() < 6) {
+		FD_SET(net, &o);
+		(void) select(net+1, (fd_set *) 0, &o, (fd_set *) 0,
+						(struct timeval *) 0);
+		netflush();
+	    }
+	}
+	c = ring_empty_count(&netoring);
+	if (c > count) {
+	    c = count;
+	}
+	loop = c;
+	while (loop) {
+	    if (((unsigned char)*buffer) == IAC) {
+		break;
+	    }
+	    buffer++;
+	    loop--;
+	}
+	if ((c = c-loop)) {
+	    ring_supply_data(&netoring, buffer-c, c);
+	    count -= c;
+	}
+	if (loop) {
+	    NET2ADD(IAC, IAC);
+	    count--;
+	    buffer++;
+	}
+    }
+
+    if (done) {
+	NET2ADD(IAC, EOR);
+	netflush();		/* try to move along as quickly as ... */
+    }
+    return(origCount - count);
+}
+
+
+#if	defined(unix)
+    void
+inputAvailable(signo)
+	int signo;
+{
+    HaveInput = 1;
+    sigiocount++;
+}
+#endif	/* defined(unix) */
+
+    void
+outputPurge()
+{
+    (void) ttyflush(1);
+}
+
+
+/*
+ * The following routines are places where the various tn3270
+ * routines make calls into telnet.c.
+ */
+
+/*
+ * DataToTerminal - queue up some data to go to terminal.
+ *
+ * Note: there are people who call us and depend on our processing
+ * *all* the data at one time (thus the select).
+ */
+
+    int
+DataToTerminal(buffer, count)
+    register char	*buffer;		/* where the data is */
+    register int	count;			/* how much to send */
+{
+    register int c;
+    int origCount;
+
+    origCount = count;
+
+    while (count) {
+	if (TTYROOM() == 0) {
+#if	defined(unix)
+	    fd_set o;
+
+	    FD_ZERO(&o);
+#endif	/* defined(unix) */
+	    (void) ttyflush(0);
+	    while (TTYROOM() == 0) {
+#if	defined(unix)
+		FD_SET(tout, &o);
+		(void) select(tout+1, (fd_set *) 0, &o, (fd_set *) 0,
+						(struct timeval *) 0);
+#endif	/* defined(unix) */
+		(void) ttyflush(0);
+	    }
+	}
+	c = TTYROOM();
+	if (c > count) {
+	    c = count;
+	}
+	ring_supply_data(&ttyoring, buffer, c);
+	count -= c;
+	buffer += c;
+    }
+    return(origCount);
+}
+
+
+/*
+ * Push3270 - Try to send data along the 3270 output (to screen) direction.
+ */
+
+    int
+Push3270()
+{
+    int save = ring_full_count(&netiring);
+
+    if (save) {
+	if (Ifrontp+save > Ibuf+sizeof Ibuf) {
+	    if (Ibackp != Ibuf) {
+		memmove(Ibuf, Ibackp, Ifrontp-Ibackp);
+		Ifrontp -= (Ibackp-Ibuf);
+		Ibackp = Ibuf;
+	    }
+	}
+	if (Ifrontp+save < Ibuf+sizeof Ibuf) {
+	    (void)telrcv();
+	}
+    }
+    return save != ring_full_count(&netiring);
+}
+
+
+/*
+ * Finish3270 - get the last dregs of 3270 data out to the terminal
+ *		before quitting.
+ */
+
+    void
+Finish3270()
+{
+    while (Push3270() || !DoTerminalOutput()) {
+#if	defined(unix)
+	HaveInput = 0;
+#endif	/* defined(unix) */
+	;
+    }
+}
+
+
+/* StringToTerminal - output a null terminated string to the terminal */
+
+    void
+StringToTerminal(s)
+    char *s;
+{
+    int count;
+
+    count = strlen(s);
+    if (count) {
+	(void) DataToTerminal(s, count);	/* we know it always goes... */
+    }
+}
+
+
+#if	((!defined(NOT43)) || defined(PUTCHAR))
+/* _putchar - output a single character to the terminal.  This name is so that
+ *	curses(3x) can call us to send out data.
+ */
+
+    void
+_putchar(c)
+    char c;
+{
+#if	defined(sun)		/* SunOS 4.0 bug */
+    c &= 0x7f;
+#endif	/* defined(sun) */
+    if (cursesdata) {
+	Dump('>', &c, 1);
+    }
+    if (!TTYROOM()) {
+	(void) DataToTerminal(&c, 1);
+    } else {
+	TTYADD(c);
+    }
+}
+#endif	/* ((!defined(NOT43)) || defined(PUTCHAR)) */
+
+    void
+SetIn3270()
+{
+    if (Sent3270TerminalType && my_want_state_is_will(TELOPT_BINARY)
+		&& my_want_state_is_do(TELOPT_BINARY) && !donebinarytoggle) {
+	if (!In3270) {
+	    In3270 = 1;
+	    Init3270();		/* Initialize 3270 functions */
+	    /* initialize terminal key mapping */
+	    InitTerminal();	/* Start terminal going */
+	    setconnmode(0);
+	}
+    } else {
+	if (In3270) {
+	    StopScreen(1);
+	    In3270 = 0;
+	    Stop3270();		/* Tell 3270 we aren't here anymore */
+	    setconnmode(0);
+	}
+    }
+}
+
+/*
+ * tn3270_ttype()
+ *
+ *	Send a response to a terminal type negotiation.
+ *
+ *	Return '0' if no more responses to send; '1' if a response sent.
+ */
+
+    int
+tn3270_ttype()
+{
+    /*
+     * Try to send a 3270 type terminal name.  Decide which one based
+     * on the format of our screen, and (in the future) color
+     * capaiblities.
+     */
+    InitTerminal();		/* Sets MaxNumberColumns, MaxNumberLines */
+    if ((MaxNumberLines >= 24) && (MaxNumberColumns >= 80)) {
+	Sent3270TerminalType = 1;
+	if ((MaxNumberLines >= 27) && (MaxNumberColumns >= 132)) {
+	    MaxNumberLines = 27;
+	    MaxNumberColumns = 132;
+	    sb_terminal[SBTERMMODEL] = '5';
+	} else if (MaxNumberLines >= 43) {
+	    MaxNumberLines = 43;
+	    MaxNumberColumns = 80;
+	    sb_terminal[SBTERMMODEL] = '4';
+	} else if (MaxNumberLines >= 32) {
+	    MaxNumberLines = 32;
+	    MaxNumberColumns = 80;
+	    sb_terminal[SBTERMMODEL] = '3';
+	} else {
+	    MaxNumberLines = 24;
+	    MaxNumberColumns = 80;
+	    sb_terminal[SBTERMMODEL] = '2';
+	}
+	NumberLines = 24;		/* before we start out... */
+	NumberColumns = 80;
+	ScreenSize = NumberLines*NumberColumns;
+	if ((MaxNumberLines*MaxNumberColumns) > MAXSCREENSIZE) {
+	    ExitString("Programming error:  MAXSCREENSIZE too small.\n",
+								1);
+	    /*NOTREACHED*/
+	}
+	printsub('>', sb_terminal+2, sizeof sb_terminal-2);
+	ring_supply_data(&netoring, sb_terminal, sizeof sb_terminal);
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+#if	defined(unix)
+	int
+settranscom(argc, argv)
+	int argc;
+	char *argv[];
+{
+	int i;
+
+	if (argc == 1 && transcom) {
+	   transcom = 0;
+	}
+	if (argc == 1) {
+	   return 1;
+	}
+	transcom = tline;
+	(void) strcpy(transcom, argv[1]);
+	for (i = 2; i < argc; ++i) {
+	    (void) strcat(transcom, " ");
+	    (void) strcat(transcom, argv[i]);
+	}
+	return 1;
+}
+#endif	/* defined(unix) */
+
+#endif	/* defined(TN3270) */
diff --git a/crypto/telnet/telnet/types.h b/crypto/telnet/telnet/types.h
new file mode 100644
index 0000000..191d311
--- /dev/null
+++ b/crypto/telnet/telnet/types.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)types.h	8.1 (Berkeley) 6/6/93
+ */
+
+typedef struct {
+    char *modedescriptions;
+    char modetype;
+} Modelist;
+
+extern Modelist modelist[];
+
+typedef struct {
+    int
+	system,			/* what the current time is */
+	echotoggle,		/* last time user entered echo character */
+	modenegotiated,		/* last time operating mode negotiated */
+	didnetreceive,		/* last time we read data from network */
+	gotDM;			/* when did we last see a data mark */
+} Clocks;
+
+extern Clocks clocks;
diff --git a/crypto/telnet/telnet/utilities.c b/crypto/telnet/telnet/utilities.c
new file mode 100644
index 0000000..fd9f5c9
--- /dev/null
+++ b/crypto/telnet/telnet/utilities.c
@@ -0,0 +1,951 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)utilities.c	8.3 (Berkeley) 5/30/95";
+#else
+static const char rcsid[] =
+ "$FreeBSD$";
+#endif
+#endif /* not lint */
+
+#define	TELOPTS
+#define	TELCMDS
+#define	SLC_NAMES
+#include <arpa/telnet.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <unistd.h>
+
+#include <ctype.h>
+
+#include "general.h"
+
+#include "fdset.h"
+
+#include "ring.h"
+
+#include "defines.h"
+
+#include "externs.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+FILE	*NetTrace = 0;		/* Not in bss, since needs to stay */
+int	prettydump;
+
+/*
+ * upcase()
+ *
+ *	Upcase (in place) the argument.
+ */
+
+    void
+upcase(argument)
+    register char *argument;
+{
+    register int c;
+
+    while ((c = *argument) != 0) {
+	if (islower(c)) {
+	    *argument = toupper(c);
+	}
+	argument++;
+    }
+}
+
+/*
+ * SetSockOpt()
+ *
+ * Compensate for differences in 4.2 and 4.3 systems.
+ */
+
+    int
+SetSockOpt(fd, level, option, yesno)
+    int fd, level, option, yesno;
+{
+#ifndef	NOT43
+    return setsockopt(fd, level, option,
+				(char *)&yesno, sizeof yesno);
+#else	/* NOT43 */
+    if (yesno == 0) {		/* Can't do that in 4.2! */
+	fprintf(stderr, "Error: attempt to turn off an option 0x%x.\n",
+				option);
+	return -1;
+    }
+    return setsockopt(fd, level, option, 0, 0);
+#endif	/* NOT43 */
+}
+
+/*
+ * The following are routines used to print out debugging information.
+ */
+
+unsigned char NetTraceFile[256] = "(standard output)";
+
+    void
+SetNetTrace(file)
+    register char *file;
+{
+    if (NetTrace && NetTrace != stdout)
+	fclose(NetTrace);
+    if (file  && (strcmp(file, "-") != 0)) {
+	NetTrace = fopen(file, "w");
+	if (NetTrace) {
+	    strcpy((char *)NetTraceFile, file);
+	    return;
+	}
+	fprintf(stderr, "Cannot open %s.\n", file);
+    }
+    NetTrace = stdout;
+    strcpy((char *)NetTraceFile, "(standard output)");
+}
+
+    void
+Dump(direction, buffer, length)
+    char direction;
+    unsigned char *buffer;
+    int length;
+{
+#   define BYTES_PER_LINE	32
+#   define min(x,y)	((x<y)? x:y)
+    unsigned char *pThis;
+    int offset;
+
+    offset = 0;
+
+    while (length) {
+	/* print one line */
+	fprintf(NetTrace, "%c 0x%x\t", direction, offset);
+	pThis = buffer;
+	if (prettydump) {
+	    buffer = buffer + min(length, BYTES_PER_LINE/2);
+	    while (pThis < buffer) {
+		fprintf(NetTrace, "%c%.2x",
+		    (((*pThis)&0xff) == 0xff) ? '*' : ' ',
+		    (*pThis)&0xff);
+		pThis++;
+	    }
+	    length -= BYTES_PER_LINE/2;
+	    offset += BYTES_PER_LINE/2;
+	} else {
+	    buffer = buffer + min(length, BYTES_PER_LINE);
+	    while (pThis < buffer) {
+		fprintf(NetTrace, "%.2x", (*pThis)&0xff);
+		pThis++;
+	    }
+	    length -= BYTES_PER_LINE;
+	    offset += BYTES_PER_LINE;
+	}
+	if (NetTrace == stdout) {
+	    fprintf(NetTrace, "\r\n");
+	} else {
+	    fprintf(NetTrace, "\n");
+	}
+	if (length < 0) {
+	    fflush(NetTrace);
+	    return;
+	}
+	/* find next unique line */
+    }
+    fflush(NetTrace);
+}
+
+
+	void
+printoption(direction, cmd, option)
+	char *direction;
+	int cmd, option;
+{
+	if (!showoptions)
+		return;
+	if (cmd == IAC) {
+		if (TELCMD_OK(option))
+		    fprintf(NetTrace, "%s IAC %s", direction, TELCMD(option));
+		else
+		    fprintf(NetTrace, "%s IAC %d", direction, option);
+	} else {
+		register char *fmt;
+		fmt = (cmd == WILL) ? "WILL" : (cmd == WONT) ? "WONT" :
+			(cmd == DO) ? "DO" : (cmd == DONT) ? "DONT" : 0;
+		if (fmt) {
+		    fprintf(NetTrace, "%s %s ", direction, fmt);
+		    if (TELOPT_OK(option))
+			fprintf(NetTrace, "%s", TELOPT(option));
+		    else if (option == TELOPT_EXOPL)
+			fprintf(NetTrace, "EXOPL");
+		    else
+			fprintf(NetTrace, "%d", option);
+		} else
+		    fprintf(NetTrace, "%s %d %d", direction, cmd, option);
+	}
+	if (NetTrace == stdout) {
+	    fprintf(NetTrace, "\r\n");
+	    fflush(NetTrace);
+	} else {
+	    fprintf(NetTrace, "\n");
+	}
+	return;
+}
+
+    void
+optionstatus()
+{
+    register int i;
+    extern char will_wont_resp[], do_dont_resp[];
+
+    for (i = 0; i < 256; i++) {
+	if (do_dont_resp[i]) {
+	    if (TELOPT_OK(i))
+		printf("resp DO_DONT %s: %d\n", TELOPT(i), do_dont_resp[i]);
+	    else if (TELCMD_OK(i))
+		printf("resp DO_DONT %s: %d\n", TELCMD(i), do_dont_resp[i]);
+	    else
+		printf("resp DO_DONT %d: %d\n", i,
+				do_dont_resp[i]);
+	    if (my_want_state_is_do(i)) {
+		if (TELOPT_OK(i))
+		    printf("want DO   %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want DO   %s\n", TELCMD(i));
+		else
+		    printf("want DO   %d\n", i);
+	    } else {
+		if (TELOPT_OK(i))
+		    printf("want DONT %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want DONT %s\n", TELCMD(i));
+		else
+		    printf("want DONT %d\n", i);
+	    }
+	} else {
+	    if (my_state_is_do(i)) {
+		if (TELOPT_OK(i))
+		    printf("     DO   %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("     DO   %s\n", TELCMD(i));
+		else
+		    printf("     DO   %d\n", i);
+	    }
+	}
+	if (will_wont_resp[i]) {
+	    if (TELOPT_OK(i))
+		printf("resp WILL_WONT %s: %d\n", TELOPT(i), will_wont_resp[i]);
+	    else if (TELCMD_OK(i))
+		printf("resp WILL_WONT %s: %d\n", TELCMD(i), will_wont_resp[i]);
+	    else
+		printf("resp WILL_WONT %d: %d\n",
+				i, will_wont_resp[i]);
+	    if (my_want_state_is_will(i)) {
+		if (TELOPT_OK(i))
+		    printf("want WILL %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want WILL %s\n", TELCMD(i));
+		else
+		    printf("want WILL %d\n", i);
+	    } else {
+		if (TELOPT_OK(i))
+		    printf("want WONT %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("want WONT %s\n", TELCMD(i));
+		else
+		    printf("want WONT %d\n", i);
+	    }
+	} else {
+	    if (my_state_is_will(i)) {
+		if (TELOPT_OK(i))
+		    printf("     WILL %s\n", TELOPT(i));
+		else if (TELCMD_OK(i))
+		    printf("     WILL %s\n", TELCMD(i));
+		else
+		    printf("     WILL %d\n", i);
+	    }
+	}
+    }
+
+}
+
+    void
+printsub(direction, pointer, length)
+    char direction;	/* '<' or '>' */
+    unsigned char *pointer;	/* where suboption data sits */
+    int		  length;	/* length of suboption data */
+{
+    register int i;
+    char buf[512];
+    extern int want_status_response;
+
+    if (showoptions || direction == 0 ||
+	(want_status_response && (pointer[0] == TELOPT_STATUS))) {
+	if (direction) {
+	    fprintf(NetTrace, "%s IAC SB ",
+				(direction == '<')? "RCVD":"SENT");
+	    if (length >= 3) {
+		register int j;
+
+		i = pointer[length-2];
+		j = pointer[length-1];
+
+		if (i != IAC || j != SE) {
+		    fprintf(NetTrace, "(terminated by ");
+		    if (TELOPT_OK(i))
+			fprintf(NetTrace, "%s ", TELOPT(i));
+		    else if (TELCMD_OK(i))
+			fprintf(NetTrace, "%s ", TELCMD(i));
+		    else
+			fprintf(NetTrace, "%d ", i);
+		    if (TELOPT_OK(j))
+			fprintf(NetTrace, "%s", TELOPT(j));
+		    else if (TELCMD_OK(j))
+			fprintf(NetTrace, "%s", TELCMD(j));
+		    else
+			fprintf(NetTrace, "%d", j);
+		    fprintf(NetTrace, ", not IAC SE!) ");
+		}
+	    }
+	    length -= 2;
+	}
+	if (length < 1) {
+	    fprintf(NetTrace, "(Empty suboption??\?)");
+	    if (NetTrace == stdout)
+		fflush(NetTrace);
+	    return;
+	}
+	switch (pointer[0]) {
+	case TELOPT_TTYPE:
+	    fprintf(NetTrace, "TERMINAL-TYPE ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND");
+		break;
+	    default:
+		fprintf(NetTrace,
+				"- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+	case TELOPT_TSPEED:
+	    fprintf(NetTrace, "TERMINAL-SPEED");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, " IS ");
+		fprintf(NetTrace, "%.*s", length-2, (char *)pointer+2);
+		break;
+	    default:
+		if (pointer[1] == 1)
+		    fprintf(NetTrace, " SEND");
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+	    }
+	    break;
+
+	case TELOPT_LFLOW:
+	    fprintf(NetTrace, "TOGGLE-FLOW-CONTROL");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case LFLOW_OFF:
+		fprintf(NetTrace, " OFF"); break;
+	    case LFLOW_ON:
+		fprintf(NetTrace, " ON"); break;
+	    case LFLOW_RESTART_ANY:
+		fprintf(NetTrace, " RESTART-ANY"); break;
+	    case LFLOW_RESTART_XON:
+		fprintf(NetTrace, " RESTART-XON"); break;
+	    default:
+		fprintf(NetTrace, " %d (unknown)", pointer[1]);
+	    }
+	    for (i = 2; i < length; i++)
+		fprintf(NetTrace, " ?%d?", pointer[i]);
+	    break;
+
+	case TELOPT_NAWS:
+	    fprintf(NetTrace, "NAWS");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    if (length == 2) {
+		fprintf(NetTrace, " ?%d?", pointer[1]);
+		break;
+	    }
+	    fprintf(NetTrace, " %d %d (%d)",
+		pointer[1], pointer[2],
+		(int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+	    if (length == 4) {
+		fprintf(NetTrace, " ?%d?", pointer[3]);
+		break;
+	    }
+	    fprintf(NetTrace, " %d %d (%d)",
+		pointer[3], pointer[4],
+		(int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+	    for (i = 5; i < length; i++)
+		fprintf(NetTrace, " ?%d?", pointer[i]);
+	    break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION:
+	    fprintf(NetTrace, "AUTHENTICATION");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_REPLY:
+	    case TELQUAL_IS:
+		fprintf(NetTrace, " %s ", (pointer[1] == TELQUAL_IS) ?
+							"IS" : "REPLY");
+		if (AUTHTYPE_NAME_OK(pointer[2]))
+		    fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[2]));
+		else
+		    fprintf(NetTrace, "%d ", pointer[2]);
+		if (length < 3) {
+		    fprintf(NetTrace, "(partial suboption??\?)");
+		    break;
+		}
+		fprintf(NetTrace, "%s|%s",
+			((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			"CLIENT" : "SERVER",
+			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			"MUTUAL" : "ONE-WAY");
+
+		auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		fprintf(NetTrace, "%s", buf);
+		break;
+
+	    case TELQUAL_SEND:
+		i = 2;
+		fprintf(NetTrace, " SEND ");
+		while (i < length) {
+		    if (AUTHTYPE_NAME_OK(pointer[i]))
+			fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[i]));
+		    else
+			fprintf(NetTrace, "%d ", pointer[i]);
+		    if (++i >= length) {
+			fprintf(NetTrace, "(partial suboption??\?)");
+			break;
+		    }
+		    fprintf(NetTrace, "%s|%s ",
+			((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+							"CLIENT" : "SERVER",
+			((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+							"MUTUAL" : "ONE-WAY");
+		    ++i;
+		}
+		break;
+
+	    case TELQUAL_NAME:
+		i = 2;
+		fprintf(NetTrace, " NAME \"");
+		while (i < length)
+		    putc(pointer[i++], NetTrace);
+		putc('"', NetTrace);
+		break;
+
+	    default:
+		    for (i = 2; i < length; i++)
+			fprintf(NetTrace, " ?%d?", pointer[i]);
+		    break;
+	    }
+	    break;
+#endif
+
+#ifdef	ENCRYPTION
+	case TELOPT_ENCRYPT:
+	    fprintf(NetTrace, "ENCRYPT");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case ENCRYPT_START:
+		fprintf(NetTrace, " START");
+		break;
+
+	    case ENCRYPT_END:
+		fprintf(NetTrace, " END");
+		break;
+
+	    case ENCRYPT_REQSTART:
+		fprintf(NetTrace, " REQUEST-START");
+		break;
+
+	    case ENCRYPT_REQEND:
+		fprintf(NetTrace, " REQUEST-END");
+		break;
+
+	    case ENCRYPT_IS:
+	    case ENCRYPT_REPLY:
+		fprintf(NetTrace, " %s ", (pointer[1] == ENCRYPT_IS) ?
+							"IS" : "REPLY");
+		if (length < 3) {
+		    fprintf(NetTrace, " (partial suboption??\?)");
+		    break;
+		}
+		if (ENCTYPE_NAME_OK(pointer[2]))
+		    fprintf(NetTrace, "%s ", ENCTYPE_NAME(pointer[2]));
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[2]);
+
+		encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		fprintf(NetTrace, "%s", buf);
+		break;
+
+	    case ENCRYPT_SUPPORT:
+		i = 2;
+		fprintf(NetTrace, " SUPPORT ");
+		while (i < length) {
+		    if (ENCTYPE_NAME_OK(pointer[i]))
+			fprintf(NetTrace, "%s ", ENCTYPE_NAME(pointer[i]));
+		    else
+			fprintf(NetTrace, "%d ", pointer[i]);
+		    i++;
+		}
+		break;
+
+	    case ENCRYPT_ENC_KEYID:
+		fprintf(NetTrace, " ENC_KEYID ");
+		goto encommon;
+
+	    case ENCRYPT_DEC_KEYID:
+		fprintf(NetTrace, " DEC_KEYID ");
+		goto encommon;
+
+	    default:
+		fprintf(NetTrace, " %d (unknown)", pointer[1]);
+	    encommon:
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " %d", pointer[i]);
+		break;
+	    }
+	    break;
+#endif	/* ENCRYPTION */
+
+	case TELOPT_LINEMODE:
+	    fprintf(NetTrace, "LINEMODE ");
+	    if (length < 2) {
+		fprintf(NetTrace, " (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case WILL:
+		fprintf(NetTrace, "WILL ");
+		goto common;
+	    case WONT:
+		fprintf(NetTrace, "WONT ");
+		goto common;
+	    case DO:
+		fprintf(NetTrace, "DO ");
+		goto common;
+	    case DONT:
+		fprintf(NetTrace, "DONT ");
+	    common:
+		if (length < 3) {
+		    fprintf(NetTrace, "(no option??\?)");
+		    break;
+		}
+		switch (pointer[2]) {
+		case LM_FORWARDMASK:
+		    fprintf(NetTrace, "Forward Mask");
+		    for (i = 3; i < length; i++)
+			fprintf(NetTrace, " %x", pointer[i]);
+		    break;
+		default:
+		    fprintf(NetTrace, "%d (unknown)", pointer[2]);
+		    for (i = 3; i < length; i++)
+			fprintf(NetTrace, " %d", pointer[i]);
+		    break;
+		}
+		break;
+
+	    case LM_SLC:
+		fprintf(NetTrace, "SLC");
+		for (i = 2; i < length - 2; i += 3) {
+		    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+			fprintf(NetTrace, " %s", SLC_NAME(pointer[i+SLC_FUNC]));
+		    else
+			fprintf(NetTrace, " %d", pointer[i+SLC_FUNC]);
+		    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+		    case SLC_NOSUPPORT:
+			fprintf(NetTrace, " NOSUPPORT"); break;
+		    case SLC_CANTCHANGE:
+			fprintf(NetTrace, " CANTCHANGE"); break;
+		    case SLC_VARIABLE:
+			fprintf(NetTrace, " VARIABLE"); break;
+		    case SLC_DEFAULT:
+			fprintf(NetTrace, " DEFAULT"); break;
+		    }
+		    fprintf(NetTrace, "%s%s%s",
+			pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+		    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+						SLC_FLUSHOUT| SLC_LEVELBITS))
+			fprintf(NetTrace, "(0x%x)", pointer[i+SLC_FLAGS]);
+		    fprintf(NetTrace, " %d;", pointer[i+SLC_VALUE]);
+		    if ((pointer[i+SLC_VALUE] == IAC) &&
+			(pointer[i+SLC_VALUE+1] == IAC))
+				i++;
+		}
+		for (; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+
+	    case LM_MODE:
+		fprintf(NetTrace, "MODE ");
+		if (length < 3) {
+		    fprintf(NetTrace, "(no mode??\?)");
+		    break;
+		}
+		{
+		    char tbuf[64];
+		    sprintf(tbuf, "%s%s%s%s%s",
+			pointer[2]&MODE_EDIT ? "|EDIT" : "",
+			pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+			pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+			pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+			pointer[2]&MODE_ACK ? "|ACK" : "");
+		    fprintf(NetTrace, "%s", tbuf[1] ? &tbuf[1] : "0");
+		}
+		if (pointer[2]&~(MODE_MASK))
+		    fprintf(NetTrace, " (0x%x)", pointer[2]);
+		for (i = 3; i < length; i++)
+		    fprintf(NetTrace, " ?0x%x?", pointer[i]);
+		break;
+	    default:
+		fprintf(NetTrace, "%d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " %d", pointer[i]);
+	    }
+	    break;
+
+	case TELOPT_STATUS: {
+	    register char *cp;
+	    register int j, k;
+
+	    fprintf(NetTrace, "STATUS");
+
+	    switch (pointer[1]) {
+	    default:
+		if (pointer[1] == TELQUAL_SEND)
+		    fprintf(NetTrace, " SEND");
+		else
+		    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++)
+		    fprintf(NetTrace, " ?%d?", pointer[i]);
+		break;
+	    case TELQUAL_IS:
+		if (--want_status_response < 0)
+		    want_status_response = 0;
+		if (NetTrace == stdout)
+		    fprintf(NetTrace, " IS\r\n");
+		else
+		    fprintf(NetTrace, " IS\n");
+
+		for (i = 2; i < length; i++) {
+		    switch(pointer[i]) {
+		    case DO:	cp = "DO"; goto common2;
+		    case DONT:	cp = "DONT"; goto common2;
+		    case WILL:	cp = "WILL"; goto common2;
+		    case WONT:	cp = "WONT"; goto common2;
+		    common2:
+			i++;
+			if (TELOPT_OK((int)pointer[i]))
+			    fprintf(NetTrace, " %s %s", cp, TELOPT(pointer[i]));
+			else
+			    fprintf(NetTrace, " %s %d", cp, pointer[i]);
+
+			if (NetTrace == stdout)
+			    fprintf(NetTrace, "\r\n");
+			else
+			    fprintf(NetTrace, "\n");
+			break;
+
+		    case SB:
+			fprintf(NetTrace, " SB ");
+			i++;
+			j = k = i;
+			while (j < length) {
+			    if (pointer[j] == SE) {
+				if (j+1 == length)
+				    break;
+				if (pointer[j+1] == SE)
+				    j++;
+				else
+				    break;
+			    }
+			    pointer[k++] = pointer[j++];
+			}
+			printsub(0, &pointer[i], k - i);
+			if (i < length) {
+			    fprintf(NetTrace, " SE");
+			    i = j;
+			} else
+			    i = j - 1;
+
+			if (NetTrace == stdout)
+			    fprintf(NetTrace, "\r\n");
+			else
+			    fprintf(NetTrace, "\n");
+
+			break;
+
+		    default:
+			fprintf(NetTrace, " %d", pointer[i]);
+			break;
+		    }
+		}
+		break;
+	    }
+	    break;
+	  }
+
+	case TELOPT_XDISPLOC:
+	    fprintf(NetTrace, "X-DISPLAY-LOCATION ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND");
+		break;
+	    default:
+		fprintf(NetTrace, "- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+
+	case TELOPT_NEW_ENVIRON:
+	    fprintf(NetTrace, "NEW-ENVIRON ");
+#ifdef	OLD_ENVIRON
+	    goto env_common1;
+	case TELOPT_OLD_ENVIRON:
+	    fprintf(NetTrace, "OLD-ENVIRON");
+	env_common1:
+#endif
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		fprintf(NetTrace, "IS ");
+		goto env_common;
+	    case TELQUAL_SEND:
+		fprintf(NetTrace, "SEND ");
+		goto env_common;
+	    case TELQUAL_INFO:
+		fprintf(NetTrace, "INFO ");
+	    env_common:
+		{
+		    register int noquote = 2;
+#if defined(ENV_HACK) && defined(OLD_ENVIRON)
+		    extern int old_env_var, old_env_value;
+#endif
+		    for (i = 2; i < length; i++ ) {
+			switch (pointer[i]) {
+			case NEW_ENV_VALUE:
+#ifdef OLD_ENVIRON
+		     /*	case NEW_ENV_OVAR: */
+			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
+# ifdef	ENV_HACK
+				if (old_env_var == OLD_ENV_VALUE)
+				    fprintf(NetTrace, "\" (VALUE) " + noquote);
+				else
+# endif
+				    fprintf(NetTrace, "\" VAR " + noquote);
+			    } else
+#endif /* OLD_ENVIRON */
+				fprintf(NetTrace, "\" VALUE " + noquote);
+			    noquote = 2;
+			    break;
+
+			case NEW_ENV_VAR:
+#ifdef OLD_ENVIRON
+		     /* case OLD_ENV_VALUE: */
+			    if (pointer[0] == TELOPT_OLD_ENVIRON) {
+# ifdef	ENV_HACK
+				if (old_env_value == OLD_ENV_VAR)
+				    fprintf(NetTrace, "\" (VAR) " + noquote);
+				else
+# endif
+				    fprintf(NetTrace, "\" VALUE " + noquote);
+			    } else
+#endif /* OLD_ENVIRON */
+				fprintf(NetTrace, "\" VAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_ESC:
+			    fprintf(NetTrace, "\" ESC " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_USERVAR:
+			    fprintf(NetTrace, "\" USERVAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			default:
+			    if (isprint(pointer[i]) && pointer[i] != '"') {
+				if (noquote) {
+				    putc('"', NetTrace);
+				    noquote = 0;
+				}
+				putc(pointer[i], NetTrace);
+			    } else {
+				fprintf(NetTrace, "\" %03o " + noquote,
+							pointer[i]);
+				noquote = 2;
+			    }
+			    break;
+			}
+		    }
+		    if (!noquote)
+			putc('"', NetTrace);
+		    break;
+		}
+	    }
+	    break;
+
+	default:
+	    if (TELOPT_OK(pointer[0]))
+		fprintf(NetTrace, "%s (unknown)", TELOPT(pointer[0]));
+	    else
+		fprintf(NetTrace, "%d (unknown)", pointer[0]);
+	    for (i = 1; i < length; i++)
+		fprintf(NetTrace, " %d", pointer[i]);
+	    break;
+	}
+	if (direction) {
+	    if (NetTrace == stdout)
+		fprintf(NetTrace, "\r\n");
+	    else
+		fprintf(NetTrace, "\n");
+	}
+	if (NetTrace == stdout)
+	    fflush(NetTrace);
+    }
+}
+
+/* EmptyTerminal - called to make sure that the terminal buffer is empty.
+ *			Note that we consider the buffer to run all the
+ *			way to the kernel (thus the select).
+ */
+
+    void
+EmptyTerminal()
+{
+#if	defined(unix)
+    fd_set	o;
+
+    FD_ZERO(&o);
+#endif	/* defined(unix) */
+
+    if (TTYBYTES() == 0) {
+#if	defined(unix)
+	FD_SET(tout, &o);
+	(void) select(tout+1, (fd_set *) 0, &o, (fd_set *) 0,
+			(struct timeval *) 0);	/* wait for TTLOWAT */
+#endif	/* defined(unix) */
+    } else {
+	while (TTYBYTES()) {
+	    (void) ttyflush(0);
+#if	defined(unix)
+	    FD_SET(tout, &o);
+	    (void) select(tout+1, (fd_set *) 0, &o, (fd_set *) 0,
+				(struct timeval *) 0);	/* wait for TTLOWAT */
+#endif	/* defined(unix) */
+	}
+    }
+}
+
+    void
+SetForExit()
+{
+    setconnmode(0);
+#if	defined(TN3270)
+    if (In3270) {
+	Finish3270();
+    }
+#else	/* defined(TN3270) */
+    do {
+	(void)telrcv();			/* Process any incoming data */
+	EmptyTerminal();
+    } while (ring_full_count(&netiring));	/* While there is any */
+#endif	/* defined(TN3270) */
+    setcommandmode();
+    fflush(stdout);
+    fflush(stderr);
+#if	defined(TN3270)
+    if (In3270) {
+	StopScreen(1);
+    }
+#endif	/* defined(TN3270) */
+    setconnmode(0);
+    EmptyTerminal();			/* Flush the path to the tty */
+    setcommandmode();
+}
+
+    void
+Exit(returnCode)
+    int returnCode;
+{
+    SetForExit();
+    exit(returnCode);
+}
+
+    void
+ExitString(string, returnCode)
+    char *string;
+    int returnCode;
+{
+    SetForExit();
+    fwrite(string, 1, strlen(string), stderr);
+    exit(returnCode);
+}
diff --git a/crypto/telnet/telnetd/authenc.c b/crypto/telnet/telnetd/authenc.c
new file mode 100644
index 0000000..26a85d2
--- /dev/null
+++ b/crypto/telnet/telnetd/authenc.c
@@ -0,0 +1,93 @@
+/*-
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)authenc.c	8.2 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+#include "telnetd.h"
+#include <libtelnet/misc.h>
+
+	int
+net_write(str, len)
+	unsigned char *str;
+	int len;
+{
+	if (nfrontp + len < netobuf + BUFSIZ) {
+		output_datalen(str, len);
+		return(len);
+	}
+	return(0);
+}
+
+	void
+net_encrypt()
+{
+#ifdef	ENCRYPTION
+	char *s = (nclearto > nbackp) ? nclearto : nbackp;
+	if (s < nfrontp && encrypt_output) {
+		(*encrypt_output)((unsigned char *)s, nfrontp - s);
+	}
+	nclearto = nfrontp;
+#endif /* ENCRYPTION */
+}
+
+	int
+telnet_spin()
+{
+	ttloop();
+	return(0);
+}
+
+	char *
+telnet_getenv(val)
+	char *val;
+{
+	return(getenv(val));
+}
+
+	char *
+telnet_gets(prompt, result, length, echo)
+	char *prompt;
+	char *result;
+	int length;
+	int echo;
+{
+	return((char *)0);
+}
+#endif	/* defined(AUTHENTICATION) || defined(ENCRYPTION) */
diff --git a/crypto/telnet/telnetd/defs.h b/crypto/telnet/telnetd/defs.h
new file mode 100644
index 0000000..a73d4a6
--- /dev/null
+++ b/crypto/telnet/telnetd/defs.h
@@ -0,0 +1,296 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)defs.h	8.1 (Berkeley) 6/4/93
+ */
+
+/*
+ * Telnet server defines
+ */
+#include <sys/types.h>
+#include <sys/param.h>
+
+#ifndef	BSD
+# define	BSD 43
+#endif
+
+#if	defined(CRAY) && !defined(LINEMODE)
+# define SYSV_TERMIO
+# define LINEMODE
+# define KLUDGELINEMODE
+# define DIAGNOSTICS
+# if defined(UNICOS50) && !defined(UNICOS5)
+#  define UNICOS5
+# endif
+# if !defined(UNICOS5)
+#  define BFTPDAEMON
+#  define HAS_IP_TOS
+# endif
+#endif /* CRAY */
+#if defined(UNICOS5) && !defined(NO_SETSID)
+# define NO_SETSID
+#endif
+
+#if defined(PRINTOPTIONS) && defined(DIAGNOSTICS)
+#define TELOPTS
+#define TELCMDS
+#define	SLC_NAMES
+#endif
+
+#if	defined(SYSV_TERMIO) && !defined(USE_TERMIO)
+# define	USE_TERMIO
+#endif
+
+#include <sys/socket.h>
+#ifndef	CRAY
+#include <sys/wait.h>
+#endif	/* CRAY */
+#include <fcntl.h>
+#include <sys/file.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#ifndef	FILIO_H
+#include <sys/ioctl.h>
+#else
+#include <sys/filio.h>
+#endif
+
+#include <netinet/in.h>
+
+#include <arpa/telnet.h>
+
+#include <stdio.h>
+#ifdef	__STDC__
+#include <stdlib.h>
+#endif
+#include <signal.h>
+#include <errno.h>
+#include <netdb.h>
+#include <syslog.h>
+#ifndef	LOG_DAEMON
+#define	LOG_DAEMON	0
+#endif
+#ifndef	LOG_ODELAY
+#define	LOG_ODELAY	0
+#endif
+#include <ctype.h>
+#ifndef NO_STRING_H
+#include <string.h>
+#else
+#include <strings.h>
+#endif
+
+#ifndef	USE_TERMIO
+#include <sgtty.h>
+#else
+# ifdef	SYSV_TERMIO
+# include <termio.h>
+# else
+# include <termios.h>
+# endif
+#endif
+#if !defined(USE_TERMIO) || defined(NO_CC_T)
+typedef unsigned char cc_t;
+#endif
+
+#ifdef	__STDC__
+#include <unistd.h>
+#endif
+
+#ifndef _POSIX_VDISABLE
+# ifdef VDISABLE
+#  define _POSIX_VDISABLE VDISABLE
+# else
+#  define _POSIX_VDISABLE ((unsigned char)'\377')
+# endif
+#endif
+
+
+#ifdef	CRAY
+# ifdef	CRAY1
+# include <sys/pty.h>
+#  ifndef FD_ZERO
+# include <sys/select.h>
+#  endif /* FD_ZERO */
+# endif	/* CRAY1 */
+
+#include <memory.h>
+#endif	/* CRAY */
+
+#ifdef __hpux
+#include <sys/ptyio.h>
+#endif
+
+#if	!defined(TIOCSCTTY) && defined(TCSETCTTY)
+# define	TIOCSCTTY TCSETCTTY
+#endif
+
+#ifndef	FD_SET
+#ifndef	HAVE_fd_set
+typedef struct fd_set { int fds_bits[1]; } fd_set;
+#endif
+
+#define	FD_SET(n, p)	((p)->fds_bits[0] |= (1<<(n)))
+#define	FD_CLR(n, p)	((p)->fds_bits[0] &= ~(1<<(n)))
+#define	FD_ISSET(n, p)	((p)->fds_bits[0] & (1<<(n)))
+#define FD_ZERO(p)	((p)->fds_bits[0] = 0)
+#endif	/* FD_SET */
+
+/*
+ * I/O data buffers defines
+ */
+#define	NETSLOP	64
+#ifdef CRAY
+#undef BUFSIZ
+#define BUFSIZ  2048
+#endif
+
+#define	NIACCUM(c)	{   *netip++ = c; \
+			    ncc++; \
+			}
+
+/* clock manipulations */
+#define	settimer(x)	(clocks.x = ++clocks.system)
+#define	sequenceIs(x,y)	(clocks.x < clocks.y)
+
+/*
+ * Linemode support states, in decreasing order of importance
+ */
+#define REAL_LINEMODE	0x04
+#define KLUDGE_OK	0x03
+#define	NO_AUTOKLUDGE	0x02
+#define KLUDGE_LINEMODE	0x01
+#define NO_LINEMODE	0x00
+
+/*
+ * Structures of information for each special character function.
+ */
+typedef struct {
+	unsigned char	flag;		/* the flags for this function */
+	cc_t		val;		/* the value of the special character */
+} slcent, *Slcent;
+
+typedef struct {
+	slcent		defset;		/* the default settings */
+	slcent		current;	/* the current settings */
+	cc_t		*sptr;		/* a pointer to the char in */
+					/* system data structures */
+} slcfun, *Slcfun;
+
+#ifdef DIAGNOSTICS
+/*
+ * Diagnostics capabilities
+ */
+#define	TD_REPORT	0x01	/* Report operations to client */
+#define TD_EXERCISE	0x02	/* Exercise client's implementation */
+#define TD_NETDATA	0x04	/* Display received data stream */
+#define TD_PTYDATA	0x08	/* Display data passed to pty */
+#define	TD_OPTIONS	0x10	/* Report just telnet options */
+#endif /* DIAGNOSTICS */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define	MY_STATE_WILL		0x01
+#define	MY_WANT_STATE_WILL	0x02
+#define	MY_STATE_DO		0x04
+#define	MY_WANT_STATE_DO	0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define	my_state_is_do(opt)		(options[opt]&MY_STATE_DO)
+#define	my_state_is_will(opt)		(options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)	(options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)	(options[opt]&MY_WANT_STATE_WILL)
+
+#define	my_state_is_dont(opt)		(!my_state_is_do(opt))
+#define	my_state_is_wont(opt)		(!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)	(!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)	(!my_want_state_is_will(opt))
+
+#define	set_my_state_do(opt)		(options[opt] |= MY_STATE_DO)
+#define	set_my_state_will(opt)		(options[opt] |= MY_STATE_WILL)
+#define	set_my_want_state_do(opt)	(options[opt] |= MY_WANT_STATE_DO)
+#define	set_my_want_state_will(opt)	(options[opt] |= MY_WANT_STATE_WILL)
+
+#define	set_my_state_dont(opt)		(options[opt] &= ~MY_STATE_DO)
+#define	set_my_state_wont(opt)		(options[opt] &= ~MY_STATE_WILL)
+#define	set_my_want_state_dont(opt)	(options[opt] &= ~MY_WANT_STATE_DO)
+#define	set_my_want_state_wont(opt)	(options[opt] &= ~MY_WANT_STATE_WILL)
+
+/*
+ * Tricky code here.  What we want to know is if the MY_STATE_WILL
+ * and MY_WANT_STATE_WILL bits have the same value.  Since the two
+ * bits are adjacent, a little arithmatic will show that by adding
+ * in the lower bit, the upper bit will be set if the two bits were
+ * different, and clear if they were the same.
+ */
+#define my_will_wont_is_changing(opt) \
+			((options[opt]+MY_STATE_WILL) & MY_WANT_STATE_WILL)
+
+#define my_do_dont_is_changing(opt) \
+			((options[opt]+MY_STATE_DO) & MY_WANT_STATE_DO)
+
+/*
+ * Make everything symetrical
+ */
+
+#define	HIS_STATE_WILL			MY_STATE_DO
+#define	HIS_WANT_STATE_WILL		MY_WANT_STATE_DO
+#define HIS_STATE_DO			MY_STATE_WILL
+#define HIS_WANT_STATE_DO		MY_WANT_STATE_WILL
+
+#define	his_state_is_do			my_state_is_will
+#define	his_state_is_will		my_state_is_do
+#define his_want_state_is_do		my_want_state_is_will
+#define his_want_state_is_will		my_want_state_is_do
+
+#define	his_state_is_dont		my_state_is_wont
+#define	his_state_is_wont		my_state_is_dont
+#define his_want_state_is_dont		my_want_state_is_wont
+#define his_want_state_is_wont		my_want_state_is_dont
+
+#define	set_his_state_do		set_my_state_will
+#define	set_his_state_will		set_my_state_do
+#define	set_his_want_state_do		set_my_want_state_will
+#define	set_his_want_state_will		set_my_want_state_do
+
+#define	set_his_state_dont		set_my_state_wont
+#define	set_his_state_wont		set_my_state_dont
+#define	set_his_want_state_dont		set_my_want_state_wont
+#define	set_his_want_state_wont		set_my_want_state_dont
+
+#define his_will_wont_is_changing	my_do_dont_is_changing
+#define his_do_dont_is_changing		my_will_wont_is_changing
diff --git a/crypto/telnet/telnetd/ext.h b/crypto/telnet/telnetd/ext.h
new file mode 100644
index 0000000..f1bb02a
--- /dev/null
+++ b/crypto/telnet/telnetd/ext.h
@@ -0,0 +1,246 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ext.h	8.2 (Berkeley) 12/15/93
+ * $FreeBSD$
+ */
+
+/*
+ * Telnet server variable declarations
+ */
+extern char	options[256];
+extern char	do_dont_resp[256];
+extern char	will_wont_resp[256];
+extern int	linemode;	/* linemode on/off */
+#ifdef	LINEMODE
+extern int	uselinemode;	/* what linemode to use (on/off) */
+extern int	editmode;	/* edit modes in use */
+extern int	useeditmode;	/* edit modes to use */
+extern int	alwayslinemode;	/* command line option */
+extern int	lmodetype;	/* Client support for linemode */
+#endif	/* LINEMODE */
+extern int	flowmode;	/* current flow control state */
+extern int	restartany;	/* restart output on any character state */
+#ifdef DIAGNOSTICS
+extern int	diagnostic;	/* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+#ifdef BFTPDAEMON
+extern int	bftpd;		/* behave as bftp daemon */
+#endif /* BFTPDAEMON */
+#if	defined(SecurID)
+extern int	require_SecurID;
+#endif
+#if	defined(AUTHENTICATION)
+extern int	auth_level;
+#endif
+
+extern slcfun	slctab[NSLC + 1];	/* slc mapping table */
+
+char	*terminaltype;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+extern char	ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+
+extern char	netibuf[BUFSIZ], *netip;
+
+extern char	netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+extern char	*neturg;		/* one past last bye of urgent data */
+
+extern int	pcc, ncc;
+
+#if defined(CRAY2) && defined(UNICOS5)
+extern int unpcc;  /* characters left unprocessed by CRAY-2 terminal routine */
+extern char *unptyip;  /* pointer to remaining characters in buffer */
+#endif
+
+extern int	pty, net;
+extern char	*line;
+extern int	SYNCHing;		/* we are in TELNET SYNCH mode */
+
+#ifndef	P
+# ifdef	__STDC__
+#  define P(x)	x
+# else
+#  define P(x)	()
+# endif
+#endif
+
+extern void
+	_termstat P((void)),
+	add_slc P((int, int, int)),
+	check_slc P((void)),
+	change_slc P((int, int, int)),
+	cleanup P((int)),
+	clientstat P((int, int, int)),
+	copy_termbuf P((char *, int)),
+	deferslc P((void)),
+	defer_terminit P((void)),
+	do_opt_slc P((unsigned char *, int)),
+	doeof P((void)),
+	dooption P((int)),
+	dontoption P((int)),
+	edithost P((char *, char *)),
+	fatal P((int, char *)),
+	fatalperror P((int, char *)),
+	get_slc_defaults P((void)),
+	init_env P((void)),
+	init_termbuf P((void)),
+	interrupt P((void)),
+	localstat P((void)),
+	flowstat P((void)),
+	netclear P((void)),
+	netflush P((void)),
+#ifdef DIAGNOSTICS
+	printoption P((char *, int)),
+	printdata P((char *, char *, int)),
+	printsub P((int, unsigned char *, int)),
+#endif
+	ptyflush P((void)),
+	putchr P((int)),
+	putf P((char *, char *)),
+	recv_ayt P((void)),
+	send_do P((int, int)),
+	send_dont P((int, int)),
+	send_slc P((void)),
+	send_status P((void)),
+	send_will P((int, int)),
+	send_wont P((int, int)),
+	sendbrk P((void)),
+	sendsusp P((void)),
+	set_termbuf P((void)),
+	start_login P((char *, int, char *)),
+	start_slc P((int)),
+#if	defined(AUTHENTICATION)
+	start_slave P((char *)),
+#else
+	start_slave P((char *, int, char *)),
+#endif
+	suboption P((void)),
+	telrcv P((void)),
+	ttloop P((void)),
+	tty_binaryin P((int)),
+	tty_binaryout P((int));
+
+extern int
+	end_slc P((unsigned char **)),
+	getnpty P((void)),
+#ifndef convex
+	getpty P((int *)),
+#endif
+	login_tty P((int)),
+	spcset P((int, cc_t *, cc_t **)),
+	stilloob P((int)),
+	terminit P((void)),
+	termstat P((void)),
+	tty_flowmode P((void)),
+	tty_restartany P((void)),
+	tty_isbinaryin P((void)),
+	tty_isbinaryout P((void)),
+	tty_iscrnl P((void)),
+	tty_isecho P((void)),
+	tty_isediting P((void)),
+	tty_islitecho P((void)),
+	tty_isnewmap P((void)),
+	tty_israw P((void)),
+	tty_issofttab P((void)),
+	tty_istrapsig P((void)),
+	tty_linemode P((void));
+
+extern void
+	tty_rspeed P((int)),
+	tty_setecho P((int)),
+	tty_setedit P((int)),
+	tty_setlinemode P((int)),
+	tty_setlitecho P((int)),
+	tty_setsig P((int)),
+	tty_setsofttab P((int)),
+	tty_tspeed P((int)),
+	willoption P((int)),
+	wontoption P((int)),
+	writenet P((unsigned char *, int));
+
+int	output_data __P((const char *, ...)) __printflike(1, 2);
+int	output_datalen __P((const char *, size_t));
+
+#ifdef	ENCRYPTION
+extern void	(*encrypt_output) P((unsigned char *, int));
+extern int	(*decrypt_input) P((int));
+extern char	*nclearto;
+#endif	/* ENCRYPTION */
+
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+extern struct {
+    int
+	system,			/* what the current time is */
+	echotoggle,		/* last time user entered echo character */
+	modenegotiated,		/* last time operating mode negotiated */
+	didnetreceive,		/* last time we read data from network */
+	ttypesubopt,		/* ttype subopt is received */
+	tspeedsubopt,		/* tspeed subopt is received */
+	environsubopt,		/* environ subopt is received */
+	oenvironsubopt,		/* old environ subopt is received */
+	xdisplocsubopt,		/* xdisploc subopt is received */
+	baseline,		/* time started to do timed action */
+	gotDM;			/* when did we last see a data mark */
+} clocks;
+
+
+#if	defined(CRAY2) && defined(UNICOS5)
+extern int	needtermstat;
+#endif
+
+#ifndef	DEFAULT_IM
+# ifdef CRAY
+#  define DEFAULT_IM	"\r\n\r\nCray UNICOS (%h) (%t)\r\n\r\r\n\r"
+# else
+#  ifdef sun
+#   define DEFAULT_IM	"\r\n\r\nSunOS UNIX (%h) (%t)\r\n\r\r\n\r"
+#  else
+#   ifdef ultrix
+#    define DEFAULT_IM	"\r\n\r\nULTRIX (%h) (%t)\r\n\r\r\n\r"
+#   else
+#    ifdef __FreeBSD__
+#     define DEFAULT_IM  "\r\n\r\nFreeBSD (%h) (%t)\r\n\r\r\n\r"
+#    else
+#    define DEFAULT_IM	"\r\n\r\n4.4 BSD UNIX (%h) (%t)\r\n\r\r\n\r"
+#    endif
+#   endif
+#  endif
+# endif
+#endif
diff --git a/crypto/telnet/telnetd/global.c b/crypto/telnet/telnetd/global.c
new file mode 100644
index 0000000..0cf95db
--- /dev/null
+++ b/crypto/telnet/telnetd/global.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)global.c	8.1 (Berkeley) 6/4/93";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+/*
+ * Allocate global variables.  We do this
+ * by including the header file that defines
+ * them all as externs, but first we define
+ * the keyword "extern" to be nothing, so that
+ * we will actually allocate the space.
+ */
+
+#include "defs.h"
+#define extern
+#include "ext.h"
diff --git a/crypto/telnet/telnetd/pathnames.h b/crypto/telnet/telnetd/pathnames.h
new file mode 100644
index 0000000..b4ce9ce
--- /dev/null
+++ b/crypto/telnet/telnetd/pathnames.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)pathnames.h	8.1 (Berkeley) 6/4/93
+ * $FreeBSD$
+ */
+
+#if BSD > 43
+
+# include <paths.h>
+
+# ifndef _PATH_LOGIN
+#  define	_PATH_LOGIN	"/usr/bin/login"
+# endif
+
+#else
+ 
+# define	_PATH_TTY	"/dev/tty"
+# ifndef _PATH_LOGIN
+#  define	_PATH_LOGIN	"/bin/login"
+# endif
+
+#endif
+
+#ifdef BFTPDAEMON
+#define		BFTPPATH	"/usr/ucb/bftp"
+#endif  /* BFTPDAEMON */
diff --git a/crypto/telnet/telnetd/slc.c b/crypto/telnet/telnetd/slc.c
new file mode 100644
index 0000000..65dc689
--- /dev/null
+++ b/crypto/telnet/telnetd/slc.c
@@ -0,0 +1,495 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)slc.c	8.2 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#include "telnetd.h"
+
+#ifdef	LINEMODE
+/*
+ * local variables
+ */
+static unsigned char	*def_slcbuf = (unsigned char *)0;
+static int		def_slclen = 0;
+static int		slcchange;	/* change to slc is requested */
+static unsigned char	*slcptr;	/* pointer into slc buffer */
+static unsigned char	slcbuf[NSLC*6];	/* buffer for slc negotiation */
+
+/*
+ * send_slc
+ *
+ * Write out the current special characters to the client.
+ */
+	void
+send_slc()
+{
+	register int i;
+
+	/*
+	 * Send out list of triplets of special characters
+	 * to client.  We only send info on the characters
+	 * that are currently supported.
+	 */
+	for (i = 1; i <= NSLC; i++) {
+		if ((slctab[i].defset.flag & SLC_LEVELBITS) == SLC_NOSUPPORT)
+			continue;
+		add_slc((unsigned char)i, slctab[i].current.flag,
+							slctab[i].current.val);
+	}
+
+}  /* end of send_slc */
+
+/*
+ * default_slc
+ *
+ * Set pty special characters to all the defaults.
+ */
+	void
+default_slc()
+{
+	register int i;
+
+	for (i = 1; i <= NSLC; i++) {
+		slctab[i].current.val = slctab[i].defset.val;
+		if (slctab[i].current.val == (cc_t)(_POSIX_VDISABLE))
+			slctab[i].current.flag = SLC_NOSUPPORT;
+		else
+			slctab[i].current.flag = slctab[i].defset.flag;
+		if (slctab[i].sptr) {
+			*(slctab[i].sptr) = slctab[i].defset.val;
+		}
+	}
+	slcchange = 1;
+
+}  /* end of default_slc */
+#endif	/* LINEMODE */
+
+/*
+ * get_slc_defaults
+ *
+ * Initialize the slc mapping table.
+ */
+	void
+get_slc_defaults()
+{
+	register int i;
+
+	init_termbuf();
+
+	for (i = 1; i <= NSLC; i++) {
+		slctab[i].defset.flag =
+			spcset(i, &slctab[i].defset.val, &slctab[i].sptr);
+		slctab[i].current.flag = SLC_NOSUPPORT;
+		slctab[i].current.val = 0;
+	}
+
+}  /* end of get_slc_defaults */
+
+#ifdef	LINEMODE
+/*
+ * add_slc
+ *
+ * Add an slc triplet to the slc buffer.
+ */
+	void
+add_slc(func, flag, val)
+	register char func, flag;
+	register cc_t val;
+{
+
+	if ((*slcptr++ = (unsigned char)func) == 0xff)
+		*slcptr++ = 0xff;
+
+	if ((*slcptr++ = (unsigned char)flag) == 0xff)
+		*slcptr++ = 0xff;
+
+	if ((*slcptr++ = (unsigned char)val) == 0xff)
+		*slcptr++ = 0xff;
+
+}  /* end of add_slc */
+
+/*
+ * start_slc
+ *
+ * Get ready to process incoming slc's and respond to them.
+ *
+ * The parameter getit is non-zero if it is necessary to grab a copy
+ * of the terminal control structures.
+ */
+	void
+start_slc(getit)
+	register int getit;
+{
+
+	slcchange = 0;
+	if (getit)
+		init_termbuf();
+	(void) sprintf((char *)slcbuf, "%c%c%c%c",
+					IAC, SB, TELOPT_LINEMODE, LM_SLC);
+	slcptr = slcbuf + 4;
+
+}  /* end of start_slc */
+
+/*
+ * end_slc
+ *
+ * Finish up the slc negotiation.  If something to send, then send it.
+ */
+	int
+end_slc(bufp)
+	register unsigned char **bufp;
+{
+	register int len;
+	void netflush();
+
+	/*
+	 * If a change has occured, store the new terminal control
+	 * structures back to the terminal driver.
+	 */
+	if (slcchange) {
+		set_termbuf();
+	}
+
+	/*
+	 * If the pty state has not yet been fully processed and there is a
+	 * deferred slc request from the client, then do not send any
+	 * sort of slc negotiation now.  We will respond to the client's
+	 * request very soon.
+	 */
+	if (def_slcbuf && (terminit() == 0)) {
+		return(0);
+	}
+
+	if (slcptr > (slcbuf + 4)) {
+		if (bufp) {
+			*bufp = &slcbuf[4];
+			return(slcptr - slcbuf - 4);
+		} else {
+			(void) sprintf((char *)slcptr, "%c%c", IAC, SE);
+			slcptr += 2;
+			len = slcptr - slcbuf;
+			writenet(slcbuf, len);
+			netflush();  /* force it out immediately */
+			DIAG(TD_OPTIONS, printsub('>', slcbuf+2, len-2););
+		}
+	}
+	return (0);
+
+}  /* end of end_slc */
+
+/*
+ * process_slc
+ *
+ * Figure out what to do about the client's slc
+ */
+	void
+process_slc(func, flag, val)
+	register unsigned char func, flag;
+	register cc_t val;
+{
+	register int hislevel, mylevel, ack;
+
+	/*
+	 * Ensure that we know something about this function
+	 */
+	if (func > NSLC) {
+		add_slc(func, SLC_NOSUPPORT, 0);
+		return;
+	}
+
+	/*
+	 * Process the special case requests of 0 SLC_DEFAULT 0
+	 * and 0 SLC_VARIABLE 0.  Be a little forgiving here, don't
+	 * worry about whether the value is actually 0 or not.
+	 */
+	if (func == 0) {
+		if ((flag = flag & SLC_LEVELBITS) == SLC_DEFAULT) {
+			default_slc();
+			send_slc();
+		} else if (flag == SLC_VARIABLE) {
+			send_slc();
+		}
+		return;
+	}
+
+	/*
+	 * Appears to be a function that we know something about.  So
+	 * get on with it and see what we know.
+	 */
+
+	hislevel = flag & SLC_LEVELBITS;
+	mylevel = slctab[func].current.flag & SLC_LEVELBITS;
+	ack = flag & SLC_ACK;
+	/*
+	 * ignore the command if:
+	 * the function value and level are the same as what we already have;
+	 * or the level is the same and the ack bit is set
+	 */
+	if (hislevel == mylevel && (val == slctab[func].current.val || ack)) {
+		return;
+	} else if (ack) {
+		/*
+		 * If we get here, we got an ack, but the levels don't match.
+		 * This shouldn't happen.  If it does, it is probably because
+		 * we have sent two requests to set a variable without getting
+		 * a response between them, and this is the first response.
+		 * So, ignore it, and wait for the next response.
+		 */
+		return;
+	} else {
+		change_slc(func, flag, val);
+	}
+
+}  /* end of process_slc */
+
+/*
+ * change_slc
+ *
+ * Process a request to change one of our special characters.
+ * Compare client's request with what we are capable of supporting.
+ */
+	void
+change_slc(func, flag, val)
+	register char func, flag;
+	register cc_t val;
+{
+	register int hislevel, mylevel;
+
+	hislevel = flag & SLC_LEVELBITS;
+	mylevel = slctab[(int)func].defset.flag & SLC_LEVELBITS;
+	/*
+	 * If client is setting a function to NOSUPPORT
+	 * or DEFAULT, then we can easily and directly
+	 * accomodate the request.
+	 */
+	if (hislevel == SLC_NOSUPPORT) {
+		slctab[(int)func].current.flag = flag;
+		slctab[(int)func].current.val = (cc_t)_POSIX_VDISABLE;
+		flag |= SLC_ACK;
+		add_slc(func, flag, val);
+		return;
+	}
+	if (hislevel == SLC_DEFAULT) {
+		/*
+		 * Special case here.  If client tells us to use
+		 * the default on a function we don't support, then
+		 * return NOSUPPORT instead of what we may have as a
+		 * default level of DEFAULT.
+		 */
+		if (mylevel == SLC_DEFAULT) {
+			slctab[(int)func].current.flag = SLC_NOSUPPORT;
+		} else {
+			slctab[(int)func].current.flag = slctab[(int)func].defset.flag;
+		}
+		slctab[(int)func].current.val = slctab[(int)func].defset.val;
+		add_slc(func, slctab[(int)func].current.flag,
+						slctab[(int)func].current.val);
+		return;
+	}
+
+	/*
+	 * Client wants us to change to a new value or he
+	 * is telling us that he can't change to our value.
+	 * Some of the slc's we support and can change,
+	 * some we do support but can't change,
+	 * and others we don't support at all.
+	 * If we can change it then we have a pointer to
+	 * the place to put the new value, so change it,
+	 * otherwise, continue the negotiation.
+	 */
+	if (slctab[(int)func].sptr) {
+		/*
+		 * We can change this one.
+		 */
+		slctab[(int)func].current.val = val;
+		*(slctab[(int)func].sptr) = val;
+		slctab[(int)func].current.flag = flag;
+		flag |= SLC_ACK;
+		slcchange = 1;
+		add_slc(func, flag, val);
+	} else {
+		/*
+		* It is not possible for us to support this
+		* request as he asks.
+		*
+		* If our level is DEFAULT, then just ack whatever was
+		* sent.
+		*
+		* If he can't change and we can't change,
+		* then degenerate to NOSUPPORT.
+		*
+		* Otherwise we send our level back to him, (CANTCHANGE
+		* or NOSUPPORT) and if CANTCHANGE, send
+		* our value as well.
+		*/
+		if (mylevel == SLC_DEFAULT) {
+			slctab[(int)func].current.flag = flag;
+			slctab[(int)func].current.val = val;
+			flag |= SLC_ACK;
+		} else if (hislevel == SLC_CANTCHANGE &&
+				    mylevel == SLC_CANTCHANGE) {
+			flag &= ~SLC_LEVELBITS;
+			flag |= SLC_NOSUPPORT;
+			slctab[(int)func].current.flag = flag;
+		} else {
+			flag &= ~SLC_LEVELBITS;
+			flag |= mylevel;
+			slctab[(int)func].current.flag = flag;
+			if (mylevel == SLC_CANTCHANGE) {
+				slctab[(int)func].current.val =
+					slctab[(int)func].defset.val;
+				val = slctab[(int)func].current.val;
+			}
+		}
+		add_slc(func, flag, val);
+	}
+
+}  /* end of change_slc */
+
+#if	defined(USE_TERMIO) && (VEOF == VMIN)
+cc_t oldeofc = '\004';
+#endif
+
+/*
+ * check_slc
+ *
+ * Check the special characters in use and notify the client if any have
+ * changed.  Only those characters that are capable of being changed are
+ * likely to have changed.  If a local change occurs, kick the support level
+ * and flags up to the defaults.
+ */
+	void
+check_slc()
+{
+	register int i;
+
+	for (i = 1; i <= NSLC; i++) {
+#if	defined(USE_TERMIO) && (VEOF == VMIN)
+		/*
+		 * In a perfect world this would be a neat little
+		 * function.  But in this world, we should not notify
+		 * client of changes to the VEOF char when
+		 * ICANON is off, because it is not representing
+		 * a special character.
+		 */
+		if (i == SLC_EOF) {
+			if (!tty_isediting())
+				continue;
+			else if (slctab[i].sptr)
+				oldeofc = *(slctab[i].sptr);
+		}
+#endif	/* defined(USE_TERMIO) && defined(SYSV_TERMIO) */
+		if (slctab[i].sptr &&
+				(*(slctab[i].sptr) != slctab[i].current.val)) {
+			slctab[i].current.val = *(slctab[i].sptr);
+			if (*(slctab[i].sptr) == (cc_t)_POSIX_VDISABLE)
+				slctab[i].current.flag = SLC_NOSUPPORT;
+			else
+				slctab[i].current.flag = slctab[i].defset.flag;
+			add_slc((unsigned char)i, slctab[i].current.flag,
+						slctab[i].current.val);
+		}
+	}
+}  /* check_slc */
+
+/*
+ * do_opt_slc
+ *
+ * Process an slc option buffer.  Defer processing of incoming slc's
+ * until after the terminal state has been processed.  Save the first slc
+ * request that comes along, but discard all others.
+ *
+ * ptr points to the beginning of the buffer, len is the length.
+ */
+	void
+do_opt_slc(ptr, len)
+	register unsigned char *ptr;
+	register int len;
+{
+	register unsigned char func, flag;
+	cc_t val;
+	register unsigned char *end = ptr + len;
+
+	if (terminit()) {  /* go ahead */
+		while (ptr < end) {
+			func = *ptr++;
+			if (ptr >= end) break;
+			flag = *ptr++;
+			if (ptr >= end) break;
+			val = (cc_t)*ptr++;
+
+			process_slc(func, flag, val);
+
+		}
+	} else {
+		/*
+		 * save this slc buffer if it is the first, otherwise dump
+		 * it.
+		 */
+		if (def_slcbuf == (unsigned char *)0) {
+			def_slclen = len;
+			def_slcbuf = (unsigned char *)malloc((unsigned)len);
+			if (def_slcbuf == (unsigned char *)0)
+				return;  /* too bad */
+			memmove(def_slcbuf, ptr, len);
+		}
+	}
+
+}  /* end of do_opt_slc */
+
+/*
+ * deferslc
+ *
+ * Do slc stuff that was deferred.
+ */
+	void
+deferslc()
+{
+	if (def_slcbuf) {
+		start_slc(1);
+		do_opt_slc(def_slcbuf, def_slclen);
+		(void) end_slc(0);
+		free(def_slcbuf);
+		def_slcbuf = (unsigned char *)0;
+		def_slclen = 0;
+	}
+
+}  /* end of deferslc */
+
+#endif	/* LINEMODE */
diff --git a/crypto/telnet/telnetd/state.c b/crypto/telnet/telnetd/state.c
new file mode 100644
index 0000000..1346c95
--- /dev/null
+++ b/crypto/telnet/telnetd/state.c
@@ -0,0 +1,1654 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)state.c	8.5 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#include <stdarg.h>
+#include "telnetd.h"
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+unsigned char	doopt[] = { IAC, DO, '%', 'c', 0 };
+unsigned char	dont[] = { IAC, DONT, '%', 'c', 0 };
+unsigned char	will[] = { IAC, WILL, '%', 'c', 0 };
+unsigned char	wont[] = { IAC, WONT, '%', 'c', 0 };
+int	not42 = 1;
+
+/*
+ * Buffer for sub-options, and macros
+ * for suboptions buffer manipulations
+ */
+unsigned char subbuffer[512], *subpointer= subbuffer, *subend= subbuffer;
+
+#define	SB_CLEAR()	subpointer = subbuffer
+#define	SB_TERM()	{ subend = subpointer; SB_CLEAR(); }
+#define	SB_ACCUM(c)	if (subpointer < (subbuffer+sizeof subbuffer)) { \
+				*subpointer++ = (c); \
+			}
+#define	SB_GET()	((*subpointer++)&0xff)
+#define	SB_EOF()	(subpointer >= subend)
+#define	SB_LEN()	(subend - subpointer)
+
+#ifdef	ENV_HACK
+unsigned char *subsave;
+#define SB_SAVE()	subsave = subpointer;
+#define	SB_RESTORE()	subpointer = subsave;
+#endif
+
+
+/*
+ * State for recv fsm
+ */
+#define	TS_DATA		0	/* base state */
+#define	TS_IAC		1	/* look for double IAC's */
+#define	TS_CR		2	/* CR-LF ->'s CR */
+#define	TS_SB		3	/* throw away begin's... */
+#define	TS_SE		4	/* ...end's (suboption negotiation) */
+#define	TS_WILL		5	/* will option negotiation */
+#define	TS_WONT		6	/* wont " */
+#define	TS_DO		7	/* do " */
+#define	TS_DONT		8	/* dont " */
+
+	void
+telrcv()
+{
+	register int c;
+	static int state = TS_DATA;
+#if	defined(CRAY2) && defined(UNICOS5)
+	char *opfrontp = pfrontp;
+#endif
+
+	while (ncc > 0) {
+		if ((&ptyobuf[BUFSIZ] - pfrontp) < 2)
+			break;
+		c = *netip++ & 0377, ncc--;
+#ifdef	ENCRYPTION
+		if (decrypt_input)
+			c = (*decrypt_input)(c);
+#endif	/* ENCRYPTION */
+		switch (state) {
+
+		case TS_CR:
+			state = TS_DATA;
+			/* Strip off \n or \0 after a \r */
+			if ((c == 0) || (c == '\n')) {
+				break;
+			}
+			/* FALL THROUGH */
+
+		case TS_DATA:
+			if (c == IAC) {
+				state = TS_IAC;
+				break;
+			}
+			/*
+			 * We now map \r\n ==> \r for pragmatic reasons.
+			 * Many client implementations send \r\n when
+			 * the user hits the CarriageReturn key.
+			 *
+			 * We USED to map \r\n ==> \n, since \r\n says
+			 * that we want to be in column 1 of the next
+			 * printable line, and \n is the standard
+			 * unix way of saying that (\r is only good
+			 * if CRMOD is set, which it normally is).
+			 */
+			if ((c == '\r') && his_state_is_wont(TELOPT_BINARY)) {
+				int nc = *netip;
+#ifdef	ENCRYPTION
+				if (decrypt_input)
+					nc = (*decrypt_input)(nc & 0xff);
+#endif	/* ENCRYPTION */
+#ifdef	LINEMODE
+				/*
+				 * If we are operating in linemode,
+				 * convert to local end-of-line.
+				 */
+				if (linemode && (ncc > 0) && (('\n' == nc) ||
+					 ((0 == nc) && tty_iscrnl())) ) {
+					netip++; ncc--;
+					c = '\n';
+				} else
+#endif
+				{
+#ifdef	ENCRYPTION
+					if (decrypt_input)
+						(void)(*decrypt_input)(-1);
+#endif	/* ENCRYPTION */
+					state = TS_CR;
+				}
+			}
+			*pfrontp++ = c;
+			break;
+
+		case TS_IAC:
+gotiac:			switch (c) {
+
+			/*
+			 * Send the process on the pty side an
+			 * interrupt.  Do this with a NULL or
+			 * interrupt char; depending on the tty mode.
+			 */
+			case IP:
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				interrupt();
+				break;
+
+			case BREAK:
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				sendbrk();
+				break;
+
+			/*
+			 * Are You There?
+			 */
+			case AYT:
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				recv_ayt();
+				break;
+
+			/*
+			 * Abort Output
+			 */
+			case AO:
+			    {
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				ptyflush();	/* half-hearted */
+				init_termbuf();
+
+				if (slctab[SLC_AO].sptr &&
+				    *slctab[SLC_AO].sptr != (cc_t)(_POSIX_VDISABLE)) {
+				    *pfrontp++ =
+					(unsigned char)*slctab[SLC_AO].sptr;
+				}
+
+				netclear();	/* clear buffer back */
+				output_data("%c%c", IAC, DM);
+				neturg = nfrontp-1; /* off by one XXX */
+				DIAG(TD_OPTIONS,
+					printoption("td: send IAC", DM));
+				break;
+			    }
+
+			/*
+			 * Erase Character and
+			 * Erase Line
+			 */
+			case EC:
+			case EL:
+			    {
+				cc_t ch;
+
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				ptyflush();	/* half-hearted */
+				init_termbuf();
+				if (c == EC)
+					ch = *slctab[SLC_EC].sptr;
+				else
+					ch = *slctab[SLC_EL].sptr;
+				if (ch != (cc_t)(_POSIX_VDISABLE))
+					*pfrontp++ = (unsigned char)ch;
+				break;
+			    }
+
+			/*
+			 * Check for urgent data...
+			 */
+			case DM:
+				DIAG(TD_OPTIONS,
+					printoption("td: recv IAC", c));
+				SYNCHing = stilloob(net);
+				settimer(gotDM);
+				break;
+
+
+			/*
+			 * Begin option subnegotiation...
+			 */
+			case SB:
+				state = TS_SB;
+				SB_CLEAR();
+				continue;
+
+			case WILL:
+				state = TS_WILL;
+				continue;
+
+			case WONT:
+				state = TS_WONT;
+				continue;
+
+			case DO:
+				state = TS_DO;
+				continue;
+
+			case DONT:
+				state = TS_DONT;
+				continue;
+			case EOR:
+				if (his_state_is_will(TELOPT_EOR))
+					doeof();
+				break;
+
+			/*
+			 * Handle RFC 10xx Telnet linemode option additions
+			 * to command stream (EOF, SUSP, ABORT).
+			 */
+			case xEOF:
+				doeof();
+				break;
+
+			case SUSP:
+				sendsusp();
+				break;
+
+			case ABORT:
+				sendbrk();
+				break;
+
+			case IAC:
+				*pfrontp++ = c;
+				break;
+			}
+			state = TS_DATA;
+			break;
+
+		case TS_SB:
+			if (c == IAC) {
+				state = TS_SE;
+			} else {
+				SB_ACCUM(c);
+			}
+			break;
+
+		case TS_SE:
+			if (c != SE) {
+				if (c != IAC) {
+					/*
+					 * bad form of suboption negotiation.
+					 * handle it in such a way as to avoid
+					 * damage to local state.  Parse
+					 * suboption buffer found so far,
+					 * then treat remaining stream as
+					 * another command sequence.
+					 */
+
+					/* for DIAGNOSTICS */
+					SB_ACCUM(IAC);
+					SB_ACCUM(c);
+					subpointer -= 2;
+
+					SB_TERM();
+					suboption();
+					state = TS_IAC;
+					goto gotiac;
+				}
+				SB_ACCUM(c);
+				state = TS_SB;
+			} else {
+				/* for DIAGNOSTICS */
+				SB_ACCUM(IAC);
+				SB_ACCUM(SE);
+				subpointer -= 2;
+
+				SB_TERM();
+				suboption();	/* handle sub-option */
+				state = TS_DATA;
+			}
+			break;
+
+		case TS_WILL:
+			willoption(c);
+			state = TS_DATA;
+			continue;
+
+		case TS_WONT:
+			wontoption(c);
+			state = TS_DATA;
+			continue;
+
+		case TS_DO:
+			dooption(c);
+			state = TS_DATA;
+			continue;
+
+		case TS_DONT:
+			dontoption(c);
+			state = TS_DATA;
+			continue;
+
+		default:
+			syslog(LOG_ERR, "panic state=%d", state);
+			printf("telnetd: panic state=%d\n", state);
+			exit(1);
+		}
+	}
+#if	defined(CRAY2) && defined(UNICOS5)
+	if (!linemode) {
+		char	xptyobuf[BUFSIZ+NETSLOP];
+		char	xbuf2[BUFSIZ];
+		register char *cp;
+		int n = pfrontp - opfrontp, oc;
+		memmove(xptyobuf, opfrontp, n);
+		pfrontp = opfrontp;
+		pfrontp += term_input(xptyobuf, pfrontp, n, BUFSIZ+NETSLOP,
+					xbuf2, &oc, BUFSIZ);
+		for (cp = xbuf2; oc > 0; --oc)
+			if ((*nfrontp++ = *cp++) == IAC)
+				*nfrontp++ = IAC;
+	}
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+}  /* end of telrcv */
+
+/*
+ * The will/wont/do/dont state machines are based on Dave Borman's
+ * Telnet option processing state machine.
+ *
+ * These correspond to the following states:
+ *	my_state = the last negotiated state
+ *	want_state = what I want the state to go to
+ *	want_resp = how many requests I have sent
+ * All state defaults are negative, and resp defaults to 0.
+ *
+ * When initiating a request to change state to new_state:
+ *
+ * if ((want_resp == 0 && new_state == my_state) || want_state == new_state) {
+ *	do nothing;
+ * } else {
+ *	want_state = new_state;
+ *	send new_state;
+ *	want_resp++;
+ * }
+ *
+ * When receiving new_state:
+ *
+ * if (want_resp) {
+ *	want_resp--;
+ *	if (want_resp && (new_state == my_state))
+ *		want_resp--;
+ * }
+ * if ((want_resp == 0) && (new_state != want_state)) {
+ *	if (ok_to_switch_to new_state)
+ *		want_state = new_state;
+ *	else
+ *		want_resp++;
+ *	send want_state;
+ * }
+ * my_state = new_state;
+ *
+ * Note that new_state is implied in these functions by the function itself.
+ * will and do imply positive new_state, wont and dont imply negative.
+ *
+ * Finally, there is one catch.  If we send a negative response to a
+ * positive request, my_state will be the positive while want_state will
+ * remain negative.  my_state will revert to negative when the negative
+ * acknowlegment arrives from the peer.  Thus, my_state generally tells
+ * us not only the last negotiated state, but also tells us what the peer
+ * wants to be doing as well.  It is important to understand this difference
+ * as we may wish to be processing data streams based on our desired state
+ * (want_state) or based on what the peer thinks the state is (my_state).
+ *
+ * This all works fine because if the peer sends a positive request, the data
+ * that we receive prior to negative acknowlegment will probably be affected
+ * by the positive state, and we can process it as such (if we can; if we
+ * can't then it really doesn't matter).  If it is that important, then the
+ * peer probably should be buffering until this option state negotiation
+ * is complete.
+ *
+ */
+	void
+send_do(option, init)
+	int option, init;
+{
+	if (init) {
+		if ((do_dont_resp[option] == 0 && his_state_is_will(option)) ||
+		    his_want_state_is_will(option))
+			return;
+		/*
+		 * Special case for TELOPT_TM:  We send a DO, but pretend
+		 * that we sent a DONT, so that we can send more DOs if
+		 * we want to.
+		 */
+		if (option == TELOPT_TM)
+			set_his_want_state_wont(option);
+		else
+			set_his_want_state_will(option);
+		do_dont_resp[option]++;
+	}
+	output_data((const char *)doopt, option);
+
+	DIAG(TD_OPTIONS, printoption("td: send do", option));
+}
+
+#ifdef	AUTHENTICATION
+extern void auth_request();
+#endif
+#ifdef	LINEMODE
+extern void doclientstat();
+#endif
+#ifdef	ENCRYPTION
+extern void encrypt_send_support();
+#endif	/* ENCRYPTION */
+
+	void
+willoption(option)
+	int option;
+{
+	int changeok = 0;
+	void (*func)() = 0;
+
+	/*
+	 * process input from peer.
+	 */
+
+	DIAG(TD_OPTIONS, printoption("td: recv will", option));
+
+	if (do_dont_resp[option]) {
+		do_dont_resp[option]--;
+		if (do_dont_resp[option] && his_state_is_will(option))
+			do_dont_resp[option]--;
+	}
+	if (do_dont_resp[option] == 0) {
+	    if (his_want_state_is_wont(option)) {
+		switch (option) {
+
+		case TELOPT_BINARY:
+			init_termbuf();
+			tty_binaryin(1);
+			set_termbuf();
+			changeok++;
+			break;
+
+		case TELOPT_ECHO:
+			/*
+			 * See comments below for more info.
+			 */
+			not42 = 0;	/* looks like a 4.2 system */
+			break;
+
+		case TELOPT_TM:
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+			/*
+			 * This telnetd implementation does not really
+			 * support timing marks, it just uses them to
+			 * support the kludge linemode stuff.  If we
+			 * receive a will or wont TM in response to our
+			 * do TM request that may have been sent to
+			 * determine kludge linemode support, process
+			 * it, otherwise TM should get a negative
+			 * response back.
+			 */
+			/*
+			 * Handle the linemode kludge stuff.
+			 * If we are not currently supporting any
+			 * linemode at all, then we assume that this
+			 * is the client telling us to use kludge
+			 * linemode in response to our query.  Set the
+			 * linemode type that is to be supported, note
+			 * that the client wishes to use linemode, and
+			 * eat the will TM as though it never arrived.
+			 */
+			if (lmodetype < KLUDGE_LINEMODE) {
+				lmodetype = KLUDGE_LINEMODE;
+				clientstat(TELOPT_LINEMODE, WILL, 0);
+				send_wont(TELOPT_SGA, 1);
+			} else if (lmodetype == NO_AUTOKLUDGE) {
+				lmodetype = KLUDGE_OK;
+			}
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+			/*
+			 * We never respond to a WILL TM, and
+			 * we leave the state WONT.
+			 */
+			return;
+
+		case TELOPT_LFLOW:
+			/*
+			 * If we are going to support flow control
+			 * option, then don't worry peer that we can't
+			 * change the flow control characters.
+			 */
+			slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+			slctab[SLC_XON].defset.flag |= SLC_DEFAULT;
+			slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+			slctab[SLC_XOFF].defset.flag |= SLC_DEFAULT;
+		case TELOPT_TTYPE:
+		case TELOPT_SGA:
+		case TELOPT_NAWS:
+		case TELOPT_TSPEED:
+		case TELOPT_XDISPLOC:
+		case TELOPT_NEW_ENVIRON:
+		case TELOPT_OLD_ENVIRON:
+			changeok++;
+			break;
+
+#ifdef	LINEMODE
+		case TELOPT_LINEMODE:
+# ifdef	KLUDGELINEMODE
+			/*
+			 * Note client's desire to use linemode.
+			 */
+			lmodetype = REAL_LINEMODE;
+# endif	/* KLUDGELINEMODE */
+			func = doclientstat;
+			changeok++;
+			break;
+#endif	/* LINEMODE */
+
+#ifdef	AUTHENTICATION
+		case TELOPT_AUTHENTICATION:
+			func = auth_request;
+			changeok++;
+			break;
+#endif
+
+#ifdef	ENCRYPTION
+		case TELOPT_ENCRYPT:
+			func = encrypt_send_support;
+			changeok++;
+			break;
+#endif	/* ENCRYPTION */
+
+		default:
+			break;
+		}
+		if (changeok) {
+			set_his_want_state_will(option);
+			send_do(option, 0);
+		} else {
+			do_dont_resp[option]++;
+			send_dont(option, 0);
+		}
+	    } else {
+		/*
+		 * Option processing that should happen when
+		 * we receive conformation of a change in
+		 * state that we had requested.
+		 */
+		switch (option) {
+		case TELOPT_ECHO:
+			not42 = 0;	/* looks like a 4.2 system */
+			/*
+			 * Egads, he responded "WILL ECHO".  Turn
+			 * it off right now!
+			 */
+			send_dont(option, 1);
+			/*
+			 * "WILL ECHO".  Kludge upon kludge!
+			 * A 4.2 client is now echoing user input at
+			 * the tty.  This is probably undesireable and
+			 * it should be stopped.  The client will
+			 * respond WONT TM to the DO TM that we send to
+			 * check for kludge linemode.  When the WONT TM
+			 * arrives, linemode will be turned off and a
+			 * change propogated to the pty.  This change
+			 * will cause us to process the new pty state
+			 * in localstat(), which will notice that
+			 * linemode is off and send a WILL ECHO
+			 * so that we are properly in character mode and
+			 * all is well.
+			 */
+			break;
+#ifdef	LINEMODE
+		case TELOPT_LINEMODE:
+# ifdef	KLUDGELINEMODE
+			/*
+			 * Note client's desire to use linemode.
+			 */
+			lmodetype = REAL_LINEMODE;
+# endif	/* KLUDGELINEMODE */
+			func = doclientstat;
+			break;
+#endif	/* LINEMODE */
+
+#ifdef	AUTHENTICATION
+		case TELOPT_AUTHENTICATION:
+			func = auth_request;
+			break;
+#endif
+
+#ifdef	ENCRYPTION
+		case TELOPT_ENCRYPT:
+			func = encrypt_send_support;
+			break;
+#endif	/* ENCRYPTION */
+		case TELOPT_LFLOW:
+			func = flowstat;
+			break;
+		}
+	    }
+	}
+	set_his_state_will(option);
+	if (func)
+		(*func)();
+}  /* end of willoption */
+
+	void
+send_dont(option, init)
+	int option, init;
+{
+	if (init) {
+		if ((do_dont_resp[option] == 0 && his_state_is_wont(option)) ||
+		    his_want_state_is_wont(option))
+			return;
+		set_his_want_state_wont(option);
+		do_dont_resp[option]++;
+	}
+	output_data((const char *)dont, option);
+
+	DIAG(TD_OPTIONS, printoption("td: send dont", option));
+}
+
+	void
+wontoption(option)
+	int option;
+{
+	/*
+	 * Process client input.
+	 */
+
+	DIAG(TD_OPTIONS, printoption("td: recv wont", option));
+
+	if (do_dont_resp[option]) {
+		do_dont_resp[option]--;
+		if (do_dont_resp[option] && his_state_is_wont(option))
+			do_dont_resp[option]--;
+	}
+	if (do_dont_resp[option] == 0) {
+	    if (his_want_state_is_will(option)) {
+		/* it is always ok to change to negative state */
+		switch (option) {
+		case TELOPT_ECHO:
+			not42 = 1; /* doesn't seem to be a 4.2 system */
+			break;
+
+		case TELOPT_BINARY:
+			init_termbuf();
+			tty_binaryin(0);
+			set_termbuf();
+			break;
+
+#ifdef	LINEMODE
+		case TELOPT_LINEMODE:
+# ifdef	KLUDGELINEMODE
+			/*
+			 * If real linemode is supported, then client is
+			 * asking to turn linemode off.
+			 */
+			if (lmodetype != REAL_LINEMODE)
+				break;
+# endif	/* KLUDGELINEMODE */
+			clientstat(TELOPT_LINEMODE, WONT, 0);
+			break;
+#endif	/* LINEMODE */
+
+		case TELOPT_TM:
+			/*
+			 * If we get a WONT TM, and had sent a DO TM,
+			 * don't respond with a DONT TM, just leave it
+			 * as is.  Short circut the state machine to
+			 * achive this.
+			 */
+			set_his_want_state_wont(TELOPT_TM);
+			return;
+
+		case TELOPT_LFLOW:
+			/*
+			 * If we are not going to support flow control
+			 * option, then let peer know that we can't
+			 * change the flow control characters.
+			 */
+			slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+			slctab[SLC_XON].defset.flag |= SLC_CANTCHANGE;
+			slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+			slctab[SLC_XOFF].defset.flag |= SLC_CANTCHANGE;
+			break;
+
+#if	defined(AUTHENTICATION)
+		case TELOPT_AUTHENTICATION:
+			auth_finished(0, AUTH_REJECT);
+			break;
+#endif
+
+		/*
+		 * For options that we might spin waiting for
+		 * sub-negotiation, if the client turns off the
+		 * option rather than responding to the request,
+		 * we have to treat it here as if we got a response
+		 * to the sub-negotiation, (by updating the timers)
+		 * so that we'll break out of the loop.
+		 */
+		case TELOPT_TTYPE:
+			settimer(ttypesubopt);
+			break;
+
+		case TELOPT_TSPEED:
+			settimer(tspeedsubopt);
+			break;
+
+		case TELOPT_XDISPLOC:
+			settimer(xdisplocsubopt);
+			break;
+
+		case TELOPT_OLD_ENVIRON:
+			settimer(oenvironsubopt);
+			break;
+
+		case TELOPT_NEW_ENVIRON:
+			settimer(environsubopt);
+			break;
+
+		default:
+			break;
+		}
+		set_his_want_state_wont(option);
+		if (his_state_is_will(option))
+			send_dont(option, 0);
+	    } else {
+		switch (option) {
+		case TELOPT_TM:
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+			if (lmodetype < NO_AUTOKLUDGE) {
+				lmodetype = NO_LINEMODE;
+				clientstat(TELOPT_LINEMODE, WONT, 0);
+				send_will(TELOPT_SGA, 1);
+				send_will(TELOPT_ECHO, 1);
+			}
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+			break;
+
+#if	defined(AUTHENTICATION)
+		case TELOPT_AUTHENTICATION:
+			auth_finished(0, AUTH_REJECT);
+			break;
+#endif
+		default:
+			break;
+		}
+	    }
+	}
+	set_his_state_wont(option);
+
+}  /* end of wontoption */
+
+	void
+send_will(option, init)
+	int option, init;
+{
+	if (init) {
+		if ((will_wont_resp[option] == 0 && my_state_is_will(option))||
+		    my_want_state_is_will(option))
+			return;
+		set_my_want_state_will(option);
+		will_wont_resp[option]++;
+	}
+	output_data((const char *)will, option);
+
+	DIAG(TD_OPTIONS, printoption("td: send will", option));
+}
+
+#if	!defined(LINEMODE) || !defined(KLUDGELINEMODE)
+/*
+ * When we get a DONT SGA, we will try once to turn it
+ * back on.  If the other side responds DONT SGA, we
+ * leave it at that.  This is so that when we talk to
+ * clients that understand KLUDGELINEMODE but not LINEMODE,
+ * we'll keep them in char-at-a-time mode.
+ */
+int turn_on_sga = 0;
+#endif
+
+	void
+dooption(option)
+	int option;
+{
+	int changeok = 0;
+
+	/*
+	 * Process client input.
+	 */
+
+	DIAG(TD_OPTIONS, printoption("td: recv do", option));
+
+	if (will_wont_resp[option]) {
+		will_wont_resp[option]--;
+		if (will_wont_resp[option] && my_state_is_will(option))
+			will_wont_resp[option]--;
+	}
+	if ((will_wont_resp[option] == 0) && (my_want_state_is_wont(option))) {
+		switch (option) {
+		case TELOPT_ECHO:
+#ifdef	LINEMODE
+# ifdef	KLUDGELINEMODE
+			if (lmodetype == NO_LINEMODE)
+# else
+			if (his_state_is_wont(TELOPT_LINEMODE))
+# endif
+#endif
+			{
+				init_termbuf();
+				tty_setecho(1);
+				set_termbuf();
+			}
+			changeok++;
+			break;
+
+		case TELOPT_BINARY:
+			init_termbuf();
+			tty_binaryout(1);
+			set_termbuf();
+			changeok++;
+			break;
+
+		case TELOPT_SGA:
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+			/*
+			 * If kludge linemode is in use, then we must
+			 * process an incoming do SGA for linemode
+			 * purposes.
+			 */
+			if (lmodetype == KLUDGE_LINEMODE) {
+				/*
+				 * Receipt of "do SGA" in kludge
+				 * linemode is the peer asking us to
+				 * turn off linemode.  Make note of
+				 * the request.
+				 */
+				clientstat(TELOPT_LINEMODE, WONT, 0);
+				/*
+				 * If linemode did not get turned off
+				 * then don't tell peer that we did.
+				 * Breaking here forces a wont SGA to
+				 * be returned.
+				 */
+				if (linemode)
+					break;
+			}
+#else
+			turn_on_sga = 0;
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+			changeok++;
+			break;
+
+		case TELOPT_STATUS:
+			changeok++;
+			break;
+
+		case TELOPT_TM:
+			/*
+			 * Special case for TM.  We send a WILL, but
+			 * pretend we sent a WONT.
+			 */
+			send_will(option, 0);
+			set_my_want_state_wont(option);
+			set_my_state_wont(option);
+			return;
+
+		case TELOPT_LOGOUT:
+			/*
+			 * When we get a LOGOUT option, respond
+			 * with a WILL LOGOUT, make sure that
+			 * it gets written out to the network,
+			 * and then just go away...
+			 */
+			set_my_want_state_will(TELOPT_LOGOUT);
+			send_will(TELOPT_LOGOUT, 0);
+			set_my_state_will(TELOPT_LOGOUT);
+			(void)netflush();
+			cleanup(0);
+			/* NOT REACHED */
+			break;
+
+#ifdef	ENCRYPTION
+		case TELOPT_ENCRYPT:
+			changeok++;
+			break;
+#endif	/* ENCRYPTION */
+		case TELOPT_LINEMODE:
+		case TELOPT_TTYPE:
+		case TELOPT_NAWS:
+		case TELOPT_TSPEED:
+		case TELOPT_LFLOW:
+		case TELOPT_XDISPLOC:
+#ifdef	TELOPT_ENVIRON
+		case TELOPT_NEW_ENVIRON:
+#endif
+		case TELOPT_OLD_ENVIRON:
+		default:
+			break;
+		}
+		if (changeok) {
+			set_my_want_state_will(option);
+			send_will(option, 0);
+		} else {
+			will_wont_resp[option]++;
+			send_wont(option, 0);
+		}
+	}
+	set_my_state_will(option);
+
+}  /* end of dooption */
+
+	void
+send_wont(option, init)
+	int option, init;
+{
+	if (init) {
+		if ((will_wont_resp[option] == 0 && my_state_is_wont(option)) ||
+		    my_want_state_is_wont(option))
+			return;
+		set_my_want_state_wont(option);
+		will_wont_resp[option]++;
+	}
+	output_data((const char *)wont, option);
+
+	DIAG(TD_OPTIONS, printoption("td: send wont", option));
+}
+
+	void
+dontoption(option)
+	int option;
+{
+	/*
+	 * Process client input.
+	 */
+
+
+	DIAG(TD_OPTIONS, printoption("td: recv dont", option));
+
+	if (will_wont_resp[option]) {
+		will_wont_resp[option]--;
+		if (will_wont_resp[option] && my_state_is_wont(option))
+			will_wont_resp[option]--;
+	}
+	if ((will_wont_resp[option] == 0) && (my_want_state_is_will(option))) {
+		switch (option) {
+		case TELOPT_BINARY:
+			init_termbuf();
+			tty_binaryout(0);
+			set_termbuf();
+			break;
+
+		case TELOPT_ECHO:	/* we should stop echoing */
+#ifdef	LINEMODE
+# ifdef	KLUDGELINEMODE
+			if ((lmodetype != REAL_LINEMODE) &&
+			    (lmodetype != KLUDGE_LINEMODE))
+# else
+			if (his_state_is_wont(TELOPT_LINEMODE))
+# endif
+#endif
+			{
+				init_termbuf();
+				tty_setecho(0);
+				set_termbuf();
+			}
+			break;
+
+		case TELOPT_SGA:
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+			/*
+			 * If kludge linemode is in use, then we
+			 * must process an incoming do SGA for
+			 * linemode purposes.
+			 */
+			if ((lmodetype == KLUDGE_LINEMODE) ||
+			    (lmodetype == KLUDGE_OK)) {
+				/*
+				 * The client is asking us to turn
+				 * linemode on.
+				 */
+				lmodetype = KLUDGE_LINEMODE;
+				clientstat(TELOPT_LINEMODE, WILL, 0);
+				/*
+				 * If we did not turn line mode on,
+				 * then what do we say?  Will SGA?
+				 * This violates design of telnet.
+				 * Gross.  Very Gross.
+				 */
+			}
+			break;
+#else
+			set_my_want_state_wont(option);
+			if (my_state_is_will(option))
+				send_wont(option, 0);
+			set_my_state_wont(option);
+			if (turn_on_sga ^= 1)
+				send_will(option, 1);
+			return;
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+
+		default:
+			break;
+		}
+
+		set_my_want_state_wont(option);
+		if (my_state_is_will(option))
+			send_wont(option, 0);
+	}
+	set_my_state_wont(option);
+
+}  /* end of dontoption */
+
+#ifdef	ENV_HACK
+int env_ovar = -1;
+int env_ovalue = -1;
+#else	/* ENV_HACK */
+# define env_ovar OLD_ENV_VAR
+# define env_ovalue OLD_ENV_VALUE
+#endif	/* ENV_HACK */
+
+/*
+ * suboption()
+ *
+ *	Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *	Currently we recognize:
+ *
+ *	Terminal type is
+ *	Linemode
+ *	Window size
+ *	Terminal speed
+ */
+	void
+suboption()
+{
+    register int subchar;
+
+    DIAG(TD_OPTIONS, {netflush(); printsub('<', subpointer, SB_LEN()+2);});
+
+    subchar = SB_GET();
+    switch (subchar) {
+    case TELOPT_TSPEED: {
+	register int xspeed, rspeed;
+
+	if (his_state_is_wont(TELOPT_TSPEED))	/* Ignore if option disabled */
+		break;
+
+	settimer(tspeedsubopt);
+
+	if (SB_EOF() || SB_GET() != TELQUAL_IS)
+		return;
+
+	xspeed = atoi((char *)subpointer);
+
+	while (SB_GET() != ',' && !SB_EOF());
+	if (SB_EOF())
+		return;
+
+	rspeed = atoi((char *)subpointer);
+	clientstat(TELOPT_TSPEED, xspeed, rspeed);
+
+	break;
+
+    }  /* end of case TELOPT_TSPEED */
+
+    case TELOPT_TTYPE: {		/* Yaaaay! */
+	static char terminalname[41];
+
+	if (his_state_is_wont(TELOPT_TTYPE))	/* Ignore if option disabled */
+		break;
+	settimer(ttypesubopt);
+
+	if (SB_EOF() || SB_GET() != TELQUAL_IS) {
+	    return;		/* ??? XXX but, this is the most robust */
+	}
+
+	terminaltype = terminalname;
+
+	while ((terminaltype < (terminalname + sizeof terminalname-1)) &&
+								    !SB_EOF()) {
+	    register int c;
+
+	    c = SB_GET();
+	    if (isupper(c)) {
+		c = tolower(c);
+	    }
+	    *terminaltype++ = c;    /* accumulate name */
+	}
+	*terminaltype = 0;
+	terminaltype = terminalname;
+	break;
+    }  /* end of case TELOPT_TTYPE */
+
+    case TELOPT_NAWS: {
+	register int xwinsize, ywinsize;
+
+	if (his_state_is_wont(TELOPT_NAWS))	/* Ignore if option disabled */
+		break;
+
+	if (SB_EOF())
+		return;
+	xwinsize = SB_GET() << 8;
+	if (SB_EOF())
+		return;
+	xwinsize |= SB_GET();
+	if (SB_EOF())
+		return;
+	ywinsize = SB_GET() << 8;
+	if (SB_EOF())
+		return;
+	ywinsize |= SB_GET();
+	clientstat(TELOPT_NAWS, xwinsize, ywinsize);
+
+	break;
+
+    }  /* end of case TELOPT_NAWS */
+
+#ifdef	LINEMODE
+    case TELOPT_LINEMODE: {
+	register int request;
+
+	if (his_state_is_wont(TELOPT_LINEMODE))	/* Ignore if option disabled */
+		break;
+	/*
+	 * Process linemode suboptions.
+	 */
+	if (SB_EOF())
+	    break;		/* garbage was sent */
+	request = SB_GET();	/* get will/wont */
+
+	if (SB_EOF())
+	    break;		/* another garbage check */
+
+	if (request == LM_SLC) {  /* SLC is not preceeded by WILL or WONT */
+		/*
+		 * Process suboption buffer of slc's
+		 */
+		start_slc(1);
+		do_opt_slc(subpointer, subend - subpointer);
+		(void) end_slc(0);
+		break;
+	} else if (request == LM_MODE) {
+		if (SB_EOF())
+		    return;
+		useeditmode = SB_GET();  /* get mode flag */
+		clientstat(LM_MODE, 0, 0);
+		break;
+	}
+
+	if (SB_EOF())
+	    break;
+	switch (SB_GET()) {  /* what suboption? */
+	case LM_FORWARDMASK:
+		/*
+		 * According to spec, only server can send request for
+		 * forwardmask, and client can only return a positive response.
+		 * So don't worry about it.
+		 */
+
+	default:
+		break;
+	}
+	break;
+    }  /* end of case TELOPT_LINEMODE */
+#endif
+    case TELOPT_STATUS: {
+	int mode;
+
+	if (SB_EOF())
+	    break;
+	mode = SB_GET();
+	switch (mode) {
+	case TELQUAL_SEND:
+	    if (my_state_is_will(TELOPT_STATUS))
+		send_status();
+	    break;
+
+	case TELQUAL_IS:
+	    break;
+
+	default:
+	    break;
+	}
+	break;
+    }  /* end of case TELOPT_STATUS */
+
+    case TELOPT_XDISPLOC: {
+	if (SB_EOF() || SB_GET() != TELQUAL_IS)
+		return;
+	settimer(xdisplocsubopt);
+	subpointer[SB_LEN()] = '\0';
+	(void)setenv("DISPLAY", (char *)subpointer, 1);
+	break;
+    }  /* end of case TELOPT_XDISPLOC */
+
+#ifdef	TELOPT_NEW_ENVIRON
+    case TELOPT_NEW_ENVIRON:
+#endif
+    case TELOPT_OLD_ENVIRON: {
+	register int c;
+	register char *cp, *varp, *valp;
+
+	if (SB_EOF())
+		return;
+	c = SB_GET();
+	if (c == TELQUAL_IS) {
+		if (subchar == TELOPT_OLD_ENVIRON)
+			settimer(oenvironsubopt);
+		else
+			settimer(environsubopt);
+	} else if (c != TELQUAL_INFO) {
+		return;
+	}
+
+#ifdef	TELOPT_NEW_ENVIRON
+	if (subchar == TELOPT_NEW_ENVIRON) {
+	    while (!SB_EOF()) {
+		c = SB_GET();
+		if ((c == NEW_ENV_VAR) || (c == ENV_USERVAR))
+			break;
+	    }
+	} else
+#endif
+	{
+#ifdef	ENV_HACK
+	    /*
+	     * We only want to do this if we haven't already decided
+	     * whether or not the other side has its VALUE and VAR
+	     * reversed.
+	     */
+	    if (env_ovar < 0) {
+		register int last = -1;		/* invalid value */
+		int empty = 0;
+		int got_var = 0, got_value = 0, got_uservar = 0;
+
+		/*
+		 * The other side might have its VALUE and VAR values
+		 * reversed.  To be interoperable, we need to determine
+		 * which way it is.  If the first recognized character
+		 * is a VAR or VALUE, then that will tell us what
+		 * type of client it is.  If the fist recognized
+		 * character is a USERVAR, then we continue scanning
+		 * the suboption looking for two consecutive
+		 * VAR or VALUE fields.  We should not get two
+		 * consecutive VALUE fields, so finding two
+		 * consecutive VALUE or VAR fields will tell us
+		 * what the client is.
+		 */
+		SB_SAVE();
+		while (!SB_EOF()) {
+			c = SB_GET();
+			switch(c) {
+			case OLD_ENV_VAR:
+				if (last < 0 || last == OLD_ENV_VAR
+				    || (empty && (last == OLD_ENV_VALUE)))
+					goto env_ovar_ok;
+				got_var++;
+				last = OLD_ENV_VAR;
+				break;
+			case OLD_ENV_VALUE:
+				if (last < 0 || last == OLD_ENV_VALUE
+				    || (empty && (last == OLD_ENV_VAR)))
+					goto env_ovar_wrong;
+				got_value++;
+				last = OLD_ENV_VALUE;
+				break;
+			case ENV_USERVAR:
+				/* count strings of USERVAR as one */
+				if (last != ENV_USERVAR)
+					got_uservar++;
+				if (empty) {
+					if (last == OLD_ENV_VALUE)
+						goto env_ovar_ok;
+					if (last == OLD_ENV_VAR)
+						goto env_ovar_wrong;
+				}
+				last = ENV_USERVAR;
+				break;
+			case ENV_ESC:
+				if (!SB_EOF())
+					c = SB_GET();
+				/* FALL THROUGH */
+			default:
+				empty = 0;
+				continue;
+			}
+			empty = 1;
+		}
+		if (empty) {
+			if (last == OLD_ENV_VALUE)
+				goto env_ovar_ok;
+			if (last == OLD_ENV_VAR)
+				goto env_ovar_wrong;
+		}
+		/*
+		 * Ok, the first thing was a USERVAR, and there
+		 * are not two consecutive VAR or VALUE commands,
+		 * and none of the VAR or VALUE commands are empty.
+		 * If the client has sent us a well-formed option,
+		 * then the number of VALUEs received should always
+		 * be less than or equal to the number of VARs and
+		 * USERVARs received.
+		 *
+		 * If we got exactly as many VALUEs as VARs and
+		 * USERVARs, the client has the same definitions.
+		 *
+		 * If we got exactly as many VARs as VALUEs and
+		 * USERVARS, the client has reversed definitions.
+		 */
+		if (got_uservar + got_var == got_value) {
+	    env_ovar_ok:
+			env_ovar = OLD_ENV_VAR;
+			env_ovalue = OLD_ENV_VALUE;
+		} else if (got_uservar + got_value == got_var) {
+	    env_ovar_wrong:
+			env_ovar = OLD_ENV_VALUE;
+			env_ovalue = OLD_ENV_VAR;
+			DIAG(TD_OPTIONS,
+			    output_data("ENVIRON VALUE and VAR are reversed!\r\n"));
+
+		}
+	    }
+	    SB_RESTORE();
+#endif
+
+	    while (!SB_EOF()) {
+		c = SB_GET();
+		if ((c == env_ovar) || (c == ENV_USERVAR))
+			break;
+	    }
+	}
+
+	if (SB_EOF())
+		return;
+
+	cp = varp = (char *)subpointer;
+	valp = 0;
+
+	while (!SB_EOF()) {
+		c = SB_GET();
+		if (subchar == TELOPT_OLD_ENVIRON) {
+			if (c == env_ovar)
+				c = NEW_ENV_VAR;
+			else if (c == env_ovalue)
+				c = NEW_ENV_VALUE;
+		}
+		switch (c) {
+
+		case NEW_ENV_VALUE:
+			*cp = '\0';
+			cp = valp = (char *)subpointer;
+			break;
+
+		case NEW_ENV_VAR:
+		case ENV_USERVAR:
+			*cp = '\0';
+			if (valp)
+				(void)setenv(varp, valp, 1);
+			else
+				unsetenv(varp);
+			cp = varp = (char *)subpointer;
+			valp = 0;
+			break;
+
+		case ENV_ESC:
+			if (SB_EOF())
+				break;
+			c = SB_GET();
+			/* FALL THROUGH */
+		default:
+			*cp++ = c;
+			break;
+		}
+	}
+	*cp = '\0';
+	if (valp)
+		(void)setenv(varp, valp, 1);
+	else
+		unsetenv(varp);
+	break;
+    }  /* end of case TELOPT_NEW_ENVIRON */
+#if	defined(AUTHENTICATION)
+    case TELOPT_AUTHENTICATION:
+	if (SB_EOF())
+		break;
+	switch(SB_GET()) {
+	case TELQUAL_SEND:
+	case TELQUAL_REPLY:
+		/*
+		 * These are sent by us and cannot be sent by
+		 * the client.
+		 */
+		break;
+	case TELQUAL_IS:
+		auth_is(subpointer, SB_LEN());
+		break;
+	case TELQUAL_NAME:
+		auth_name(subpointer, SB_LEN());
+		break;
+	}
+	break;
+#endif
+#ifdef	ENCRYPTION
+    case TELOPT_ENCRYPT:
+	if (SB_EOF())
+		break;
+	switch(SB_GET()) {
+	case ENCRYPT_SUPPORT:
+		encrypt_support(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_IS:
+		encrypt_is(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_REPLY:
+		encrypt_reply(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_START:
+		encrypt_start(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_END:
+		encrypt_end();
+		break;
+	case ENCRYPT_REQSTART:
+		encrypt_request_start(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_REQEND:
+		/*
+		 * We can always send an REQEND so that we cannot
+		 * get stuck encrypting.  We should only get this
+		 * if we have been able to get in the correct mode
+		 * anyhow.
+		 */
+		encrypt_request_end();
+		break;
+	case ENCRYPT_ENC_KEYID:
+		encrypt_enc_keyid(subpointer, SB_LEN());
+		break;
+	case ENCRYPT_DEC_KEYID:
+		encrypt_dec_keyid(subpointer, SB_LEN());
+		break;
+	default:
+		break;
+	}
+	break;
+#endif	/* ENCRYPTION */
+
+    default:
+	break;
+    }  /* end of switch */
+
+}  /* end of suboption */
+
+	void
+doclientstat()
+{
+	clientstat(TELOPT_LINEMODE, WILL, 0);
+}
+
+#define	ADD(c)	 *ncp++ = c
+#define	ADD_DATA(c) { *ncp++ = c; if (c == SE || c == IAC) *ncp++ = c; }
+	void
+send_status()
+{
+	unsigned char statusbuf[256];
+	register unsigned char *ncp;
+	register unsigned char i;
+
+	ncp = statusbuf;
+
+	netflush();	/* get rid of anything waiting to go out */
+
+	ADD(IAC);
+	ADD(SB);
+	ADD(TELOPT_STATUS);
+	ADD(TELQUAL_IS);
+
+	/*
+	 * We check the want_state rather than the current state,
+	 * because if we received a DO/WILL for an option that we
+	 * don't support, and the other side didn't send a DONT/WONT
+	 * in response to our WONT/DONT, then the "state" will be
+	 * WILL/DO, and the "want_state" will be WONT/DONT.  We
+	 * need to go by the latter.
+	 */
+	for (i = 0; i < (unsigned char)NTELOPTS; i++) {
+		if (my_want_state_is_will(i)) {
+			ADD(WILL);
+			ADD_DATA(i);
+		}
+		if (his_want_state_is_will(i)) {
+			ADD(DO);
+			ADD_DATA(i);
+		}
+	}
+
+	if (his_want_state_is_will(TELOPT_LFLOW)) {
+		ADD(SB);
+		ADD(TELOPT_LFLOW);
+		if (flowmode) {
+			ADD(LFLOW_ON);
+		} else {
+			ADD(LFLOW_OFF);
+		}
+		ADD(SE);
+
+		if (restartany >= 0) {
+			ADD(SB);
+			ADD(TELOPT_LFLOW);
+			if (restartany) {
+				ADD(LFLOW_RESTART_ANY);
+			} else {
+				ADD(LFLOW_RESTART_XON);
+			}
+			ADD(SE);
+		}
+	}
+
+#ifdef	LINEMODE
+	if (his_want_state_is_will(TELOPT_LINEMODE)) {
+		unsigned char *cp, *cpe;
+		int len;
+
+		ADD(SB);
+		ADD(TELOPT_LINEMODE);
+		ADD(LM_MODE);
+		ADD_DATA(editmode);
+		ADD(SE);
+
+		ADD(SB);
+		ADD(TELOPT_LINEMODE);
+		ADD(LM_SLC);
+		start_slc(0);
+		send_slc();
+		len = end_slc(&cp);
+		for (cpe = cp + len; cp < cpe; cp++)
+			ADD_DATA(*cp);
+		ADD(SE);
+	}
+#endif	/* LINEMODE */
+
+	ADD(IAC);
+	ADD(SE);
+
+	writenet(statusbuf, ncp - statusbuf);
+	netflush();	/* Send it on its way */
+
+	DIAG(TD_OPTIONS,
+		{printsub('>', statusbuf, ncp - statusbuf); netflush();});
+}
+
+/*
+ * This function appends data to nfrontp and advances nfrontp.
+ */
+
+int
+output_data(const char *format, ...)
+{
+	va_list args;
+	size_t remaining, ret;
+
+	va_start(args, format);
+	remaining = BUFSIZ - (nfrontp - netobuf);
+	/* try a netflush() if the room is too low */
+	if (strlen(format) > remaining || BUFSIZ / 4 > remaining) {
+		netflush();
+		remaining = BUFSIZ - (nfrontp - netobuf);
+	}
+	ret = vsnprintf(nfrontp, remaining, format, args);
+	nfrontp += ((ret < remaining - 1) ? ret : remaining - 1);
+	va_end(args);
+	return ret;
+}
+
+int
+output_datalen(const char *buf, size_t len)
+{
+	size_t remaining;
+
+	remaining = BUFSIZ - (nfrontp - netobuf);
+	if (remaining < len) {
+		netflush();
+		remaining = BUFSIZ - (nfrontp - netobuf);
+	}
+	if (remaining < len)
+		return -1;
+	memmove(nfrontp, buf, len);
+	nfrontp += len;
+	return (len);
+}
diff --git a/crypto/telnet/telnetd/sys_term.c b/crypto/telnet/telnetd/sys_term.c
new file mode 100644
index 0000000..7d0811f
--- /dev/null
+++ b/crypto/telnet/telnetd/sys_term.c
@@ -0,0 +1,2354 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)sys_term.c	8.4+1 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#include "telnetd.h"
+#include "pathnames.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+
+extern char *altlogin;
+int cleanopen(char *line);
+void scrub_env(void);
+
+#if defined(CRAY) || defined(__hpux)
+# define PARENT_DOES_UTMP
+#endif
+
+#ifdef	NEWINIT
+#include <initreq.h>
+#else	/* NEWINIT*/
+# ifdef	UTMPX
+# include <utmpx.h>
+struct	utmpx wtmp;
+# else
+# include <utmp.h>
+struct	utmp wtmp;
+# endif /* UTMPX */
+
+# ifndef PARENT_DOES_UTMP
+#ifdef _PATH_WTMP
+char    wtmpf[] = _PATH_WTMP;
+#else
+char	wtmpf[]	= "/usr/adm/wtmp";
+#endif
+#ifdef _PATH_UTMP
+char    utmpf[] = _PATH_UTMP;
+#else
+char	utmpf[] = "/etc/utmp";
+#endif
+# else /* PARENT_DOES_UTMP */
+char	wtmpf[]	= "/etc/wtmp";
+# endif /* PARENT_DOES_UTMP */
+
+#include <libutil.h>
+
+# ifdef CRAY
+#include <tmpdir.h>
+#include <sys/wait.h>
+#  if (UNICOS_LVL == '7.0') || (UNICOS_LVL == '7.1')
+#   define UNICOS7x
+#  endif
+
+#  ifdef UNICOS7x
+#include <sys/sysv.h>
+#include <sys/secstat.h>
+extern int secflag;
+extern struct sysv sysv;
+#  endif /* UNICOS7x */
+# endif	/* CRAY */
+#endif	/* NEWINIT */
+
+#ifdef	STREAMSPTY
+#include <sac.h>
+#include <sys/stropts.h>
+#endif
+
+#define SCPYN(a, b)	(void) strncpy(a, b, sizeof(a))
+#define SCMPN(a, b)	strncmp(a, b, sizeof(a))
+
+#ifdef	STREAMS
+#include <sys/stream.h>
+#endif
+#ifdef __hpux
+#include <sys/resource.h>
+#include <sys/proc.h>
+#endif
+#include <sys/tty.h>
+#ifdef	t_erase
+#undef	t_erase
+#undef	t_kill
+#undef	t_intrc
+#undef	t_quitc
+#undef	t_startc
+#undef	t_stopc
+#undef	t_eofc
+#undef	t_brkc
+#undef	t_suspc
+#undef	t_dsuspc
+#undef	t_rprntc
+#undef	t_flushc
+#undef	t_werasc
+#undef	t_lnextc
+#endif
+
+#if defined(UNICOS5) && defined(CRAY2) && !defined(EXTPROC)
+# define EXTPROC 0400
+#endif
+
+#ifndef	USE_TERMIO
+struct termbuf {
+	struct sgttyb sg;
+	struct tchars tc;
+	struct ltchars ltc;
+	int state;
+	int lflags;
+} termbuf, termbuf2;
+# define	cfsetospeed(tp, val)	(tp)->sg.sg_ospeed = (val)
+# define	cfsetispeed(tp, val)	(tp)->sg.sg_ispeed = (val)
+# define	cfgetospeed(tp)		(tp)->sg.sg_ospeed
+# define	cfgetispeed(tp)		(tp)->sg.sg_ispeed
+#else	/* USE_TERMIO */
+# ifdef	SYSV_TERMIO
+#	define termios termio
+# endif
+# ifndef	TCSANOW
+#  ifdef TCSETS
+#   define	TCSANOW		TCSETS
+#   define	TCSADRAIN	TCSETSW
+#   define	tcgetattr(f, t)	ioctl(f, TCGETS, (char *)t)
+#  else
+#   ifdef TCSETA
+#    define	TCSANOW		TCSETA
+#    define	TCSADRAIN	TCSETAW
+#    define	tcgetattr(f, t)	ioctl(f, TCGETA, (char *)t)
+#   else
+#    define	TCSANOW		TIOCSETA
+#    define	TCSADRAIN	TIOCSETAW
+#    define	tcgetattr(f, t)	ioctl(f, TIOCGETA, (char *)t)
+#   endif
+#  endif
+#  define	tcsetattr(f, a, t)	ioctl(f, a, t)
+#  define	cfsetospeed(tp, val)	(tp)->c_cflag &= ~CBAUD; \
+					(tp)->c_cflag |= (val)
+#  define	cfgetospeed(tp)		((tp)->c_cflag & CBAUD)
+#  ifdef CIBAUD
+#   define	cfsetispeed(tp, val)	(tp)->c_cflag &= ~CIBAUD; \
+					(tp)->c_cflag |= ((val)<<IBSHIFT)
+#   define	cfgetispeed(tp)		(((tp)->c_cflag & CIBAUD)>>IBSHIFT)
+#  else
+#   define	cfsetispeed(tp, val)	(tp)->c_cflag &= ~CBAUD; \
+					(tp)->c_cflag |= (val)
+#   define	cfgetispeed(tp)		((tp)->c_cflag & CBAUD)
+#  endif
+# endif /* TCSANOW */
+struct termios termbuf, termbuf2;	/* pty control structure */
+# ifdef  STREAMSPTY
+int ttyfd = -1;
+# endif
+#endif	/* USE_TERMIO */
+
+#include <sys/types.h>
+#include <libutil.h>
+
+int cleanopen __P((char *));
+void scrub_env __P((void));
+
+/*
+ * init_termbuf()
+ * copy_termbuf(cp)
+ * set_termbuf()
+ *
+ * These three routines are used to get and set the "termbuf" structure
+ * to and from the kernel.  init_termbuf() gets the current settings.
+ * copy_termbuf() hands in a new "termbuf" to write to the kernel, and
+ * set_termbuf() writes the structure into the kernel.
+ */
+
+	void
+init_termbuf()
+{
+#ifndef	USE_TERMIO
+	(void) ioctl(pty, TIOCGETP, (char *)&termbuf.sg);
+	(void) ioctl(pty, TIOCGETC, (char *)&termbuf.tc);
+	(void) ioctl(pty, TIOCGLTC, (char *)&termbuf.ltc);
+# ifdef	TIOCGSTATE
+	(void) ioctl(pty, TIOCGSTATE, (char *)&termbuf.state);
+# endif
+#else
+# ifdef  STREAMSPTY
+	(void) tcgetattr(ttyfd, &termbuf);
+# else
+	(void) tcgetattr(pty, &termbuf);
+# endif
+#endif
+	termbuf2 = termbuf;
+}
+
+#if	defined(LINEMODE) && defined(TIOCPKT_IOCTL)
+	void
+copy_termbuf(cp, len)
+	char *cp;
+	int len;
+{
+	if (len > sizeof(termbuf))
+		len = sizeof(termbuf);
+	memmove((char *)&termbuf, cp, len);
+	termbuf2 = termbuf;
+}
+#endif	/* defined(LINEMODE) && defined(TIOCPKT_IOCTL) */
+
+	void
+set_termbuf()
+{
+	/*
+	 * Only make the necessary changes.
+	 */
+#ifndef	USE_TERMIO
+	if (memcmp((char *)&termbuf.sg, (char *)&termbuf2.sg,
+							sizeof(termbuf.sg)))
+		(void) ioctl(pty, TIOCSETN, (char *)&termbuf.sg);
+	if (memcmp((char *)&termbuf.tc, (char *)&termbuf2.tc,
+							sizeof(termbuf.tc)))
+		(void) ioctl(pty, TIOCSETC, (char *)&termbuf.tc);
+	if (memcmp((char *)&termbuf.ltc, (char *)&termbuf2.ltc,
+							sizeof(termbuf.ltc)))
+		(void) ioctl(pty, TIOCSLTC, (char *)&termbuf.ltc);
+	if (termbuf.lflags != termbuf2.lflags)
+		(void) ioctl(pty, TIOCLSET, (char *)&termbuf.lflags);
+#else	/* USE_TERMIO */
+	if (memcmp((char *)&termbuf, (char *)&termbuf2, sizeof(termbuf)))
+# ifdef  STREAMSPTY
+		(void) tcsetattr(ttyfd, TCSANOW, &termbuf);
+# else
+		(void) tcsetattr(pty, TCSANOW, &termbuf);
+# endif
+# if	defined(CRAY2) && defined(UNICOS5)
+	needtermstat = 1;
+# endif
+#endif	/* USE_TERMIO */
+}
+
+
+/*
+ * spcset(func, valp, valpp)
+ *
+ * This function takes various special characters (func), and
+ * sets *valp to the current value of that character, and
+ * *valpp to point to where in the "termbuf" structure that
+ * value is kept.
+ *
+ * It returns the SLC_ level of support for this function.
+ */
+
+#ifndef	USE_TERMIO
+	int
+spcset(func, valp, valpp)
+	int func;
+	cc_t *valp;
+	cc_t **valpp;
+{
+	switch(func) {
+	case SLC_EOF:
+		*valp = termbuf.tc.t_eofc;
+		*valpp = (cc_t *)&termbuf.tc.t_eofc;
+		return(SLC_VARIABLE);
+	case SLC_EC:
+		*valp = termbuf.sg.sg_erase;
+		*valpp = (cc_t *)&termbuf.sg.sg_erase;
+		return(SLC_VARIABLE);
+	case SLC_EL:
+		*valp = termbuf.sg.sg_kill;
+		*valpp = (cc_t *)&termbuf.sg.sg_kill;
+		return(SLC_VARIABLE);
+	case SLC_IP:
+		*valp = termbuf.tc.t_intrc;
+		*valpp = (cc_t *)&termbuf.tc.t_intrc;
+		return(SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+	case SLC_ABORT:
+		*valp = termbuf.tc.t_quitc;
+		*valpp = (cc_t *)&termbuf.tc.t_quitc;
+		return(SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+	case SLC_XON:
+		*valp = termbuf.tc.t_startc;
+		*valpp = (cc_t *)&termbuf.tc.t_startc;
+		return(SLC_VARIABLE);
+	case SLC_XOFF:
+		*valp = termbuf.tc.t_stopc;
+		*valpp = (cc_t *)&termbuf.tc.t_stopc;
+		return(SLC_VARIABLE);
+	case SLC_AO:
+		*valp = termbuf.ltc.t_flushc;
+		*valpp = (cc_t *)&termbuf.ltc.t_flushc;
+		return(SLC_VARIABLE);
+	case SLC_SUSP:
+		*valp = termbuf.ltc.t_suspc;
+		*valpp = (cc_t *)&termbuf.ltc.t_suspc;
+		return(SLC_VARIABLE);
+	case SLC_EW:
+		*valp = termbuf.ltc.t_werasc;
+		*valpp = (cc_t *)&termbuf.ltc.t_werasc;
+		return(SLC_VARIABLE);
+	case SLC_RP:
+		*valp = termbuf.ltc.t_rprntc;
+		*valpp = (cc_t *)&termbuf.ltc.t_rprntc;
+		return(SLC_VARIABLE);
+	case SLC_LNEXT:
+		*valp = termbuf.ltc.t_lnextc;
+		*valpp = (cc_t *)&termbuf.ltc.t_lnextc;
+		return(SLC_VARIABLE);
+	case SLC_FORW1:
+		*valp = termbuf.tc.t_brkc;
+		*valpp = (cc_t *)&termbuf.ltc.t_lnextc;
+		return(SLC_VARIABLE);
+	case SLC_BRK:
+	case SLC_SYNCH:
+	case SLC_AYT:
+	case SLC_EOR:
+		*valp = (cc_t)0;
+		*valpp = (cc_t *)0;
+		return(SLC_DEFAULT);
+	default:
+		*valp = (cc_t)0;
+		*valpp = (cc_t *)0;
+		return(SLC_NOSUPPORT);
+	}
+}
+
+#else	/* USE_TERMIO */
+
+	int
+spcset(func, valp, valpp)
+	int func;
+	cc_t *valp;
+	cc_t **valpp;
+{
+
+#define	setval(a, b)	*valp = termbuf.c_cc[a]; \
+			*valpp = &termbuf.c_cc[a]; \
+			return(b);
+#define	defval(a) *valp = ((cc_t)a); *valpp = (cc_t *)0; return(SLC_DEFAULT);
+
+	switch(func) {
+	case SLC_EOF:
+		setval(VEOF, SLC_VARIABLE);
+	case SLC_EC:
+		setval(VERASE, SLC_VARIABLE);
+	case SLC_EL:
+		setval(VKILL, SLC_VARIABLE);
+	case SLC_IP:
+		setval(VINTR, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+	case SLC_ABORT:
+		setval(VQUIT, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+	case SLC_XON:
+#ifdef	VSTART
+		setval(VSTART, SLC_VARIABLE);
+#else
+		defval(0x13);
+#endif
+	case SLC_XOFF:
+#ifdef	VSTOP
+		setval(VSTOP, SLC_VARIABLE);
+#else
+		defval(0x11);
+#endif
+	case SLC_EW:
+#ifdef	VWERASE
+		setval(VWERASE, SLC_VARIABLE);
+#else
+		defval(0);
+#endif
+	case SLC_RP:
+#ifdef	VREPRINT
+		setval(VREPRINT, SLC_VARIABLE);
+#else
+		defval(0);
+#endif
+	case SLC_LNEXT:
+#ifdef	VLNEXT
+		setval(VLNEXT, SLC_VARIABLE);
+#else
+		defval(0);
+#endif
+	case SLC_AO:
+#if	!defined(VDISCARD) && defined(VFLUSHO)
+# define VDISCARD VFLUSHO
+#endif
+#ifdef	VDISCARD
+		setval(VDISCARD, SLC_VARIABLE|SLC_FLUSHOUT);
+#else
+		defval(0);
+#endif
+	case SLC_SUSP:
+#ifdef	VSUSP
+		setval(VSUSP, SLC_VARIABLE|SLC_FLUSHIN);
+#else
+		defval(0);
+#endif
+#ifdef	VEOL
+	case SLC_FORW1:
+		setval(VEOL, SLC_VARIABLE);
+#endif
+#ifdef	VEOL2
+	case SLC_FORW2:
+		setval(VEOL2, SLC_VARIABLE);
+#endif
+	case SLC_AYT:
+#ifdef	VSTATUS
+		setval(VSTATUS, SLC_VARIABLE);
+#else
+		defval(0);
+#endif
+
+	case SLC_BRK:
+	case SLC_SYNCH:
+	case SLC_EOR:
+		defval(0);
+
+	default:
+		*valp = 0;
+		*valpp = 0;
+		return(SLC_NOSUPPORT);
+	}
+}
+#endif	/* USE_TERMIO */
+
+#ifdef CRAY
+/*
+ * getnpty()
+ *
+ * Return the number of pty's configured into the system.
+ */
+	int
+getnpty()
+{
+#ifdef _SC_CRAY_NPTY
+	int numptys;
+
+	if ((numptys = sysconf(_SC_CRAY_NPTY)) != -1)
+		return numptys;
+	else
+#endif /* _SC_CRAY_NPTY */
+		return 128;
+}
+#endif /* CRAY */
+
+#ifndef	convex
+/*
+ * getpty()
+ *
+ * Allocate a pty.  As a side effect, the external character
+ * array "line" contains the name of the slave side.
+ *
+ * Returns the file descriptor of the opened pty.
+ */
+#ifndef	__GNUC__
+char *line = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+#else
+static char Xline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+char *line = Xline;
+#endif
+#ifdef	CRAY
+char *myline = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+#endif	/* CRAY */
+
+	int
+getpty(ptynum)
+int *ptynum;
+{
+	register int p;
+#ifdef	STREAMSPTY
+	int t;
+	char *ptsname();
+
+	p = open("/dev/ptmx", 2);
+	if (p > 0) {
+		grantpt(p);
+		unlockpt(p);
+		strcpy(line, ptsname(p));
+		return(p);
+	}
+
+#else	/* ! STREAMSPTY */
+#ifndef CRAY
+	register char *cp, *p1, *p2;
+	register int i;
+#if defined(sun) && defined(TIOCGPGRP) && BSD < 199207
+	int dummy;
+#endif
+
+#ifndef	__hpux
+	(void) strcpy(line, "/dev/ptyXX");
+	p1 = &line[8];
+	p2 = &line[9];
+#else
+	(void) strcpy(line, "/dev/ptym/ptyXX");
+	p1 = &line[13];
+	p2 = &line[14];
+#endif
+
+	for (cp = "pqrsPQRS"; *cp; cp++) {
+		struct stat stb;
+
+		*p1 = *cp;
+		*p2 = '0';
+		/*
+		 * This stat() check is just to keep us from
+		 * looping through all 256 combinations if there
+		 * aren't that many ptys available.
+		 */
+		if (stat(line, &stb) < 0)
+			break;
+		for (i = 0; i < 32; i++) {
+			*p2 = "0123456789abcdefghijklmnopqrstuv"[i];
+			p = open(line, 2);
+			if (p > 0) {
+#ifndef	__hpux
+				line[5] = 't';
+#else
+				for (p1 = &line[8]; *p1; p1++)
+					*p1 = *(p1+1);
+				line[9] = 't';
+#endif
+				chown(line, 0, 0);
+				chmod(line, 0600);
+#if defined(sun) && defined(TIOCGPGRP) && BSD < 199207
+				if (ioctl(p, TIOCGPGRP, &dummy) == 0
+				    || errno != EIO) {
+					chmod(line, 0666);
+					close(p);
+					line[5] = 'p';
+				} else
+#endif /* defined(sun) && defined(TIOCGPGRP) && BSD < 199207 */
+					return(p);
+			}
+		}
+	}
+#else	/* CRAY */
+	extern lowpty, highpty;
+	struct stat sb;
+
+	for (*ptynum = lowpty; *ptynum <= highpty; (*ptynum)++) {
+		(void) sprintf(myline, "/dev/pty/%03d", *ptynum);
+		p = open(myline, 2);
+		if (p < 0)
+			continue;
+		(void) sprintf(line, "/dev/ttyp%03d", *ptynum);
+		/*
+		 * Here are some shenanigans to make sure that there
+		 * are no listeners lurking on the line.
+		 */
+		if(stat(line, &sb) < 0) {
+			(void) close(p);
+			continue;
+		}
+		if(sb.st_uid || sb.st_gid || sb.st_mode != 0600) {
+			chown(line, 0, 0);
+			chmod(line, 0600);
+			(void)close(p);
+			p = open(myline, 2);
+			if (p < 0)
+				continue;
+		}
+		/*
+		 * Now it should be safe...check for accessability.
+		 */
+		if (access(line, 6) == 0)
+			return(p);
+		else {
+			/* no tty side to pty so skip it */
+			(void) close(p);
+		}
+	}
+#endif	/* CRAY */
+#endif	/* STREAMSPTY */
+	return(-1);
+}
+#endif	/* convex */
+
+#ifdef	LINEMODE
+/*
+ * tty_flowmode()	Find out if flow control is enabled or disabled.
+ * tty_linemode()	Find out if linemode (external processing) is enabled.
+ * tty_setlinemod(on)	Turn on/off linemode.
+ * tty_isecho()		Find out if echoing is turned on.
+ * tty_setecho(on)	Enable/disable character echoing.
+ * tty_israw()		Find out if terminal is in RAW mode.
+ * tty_binaryin(on)	Turn on/off BINARY on input.
+ * tty_binaryout(on)	Turn on/off BINARY on output.
+ * tty_isediting()	Find out if line editing is enabled.
+ * tty_istrapsig()	Find out if signal trapping is enabled.
+ * tty_setedit(on)	Turn on/off line editing.
+ * tty_setsig(on)	Turn on/off signal trapping.
+ * tty_issofttab()	Find out if tab expansion is enabled.
+ * tty_setsofttab(on)	Turn on/off soft tab expansion.
+ * tty_islitecho()	Find out if typed control chars are echoed literally
+ * tty_setlitecho()	Turn on/off literal echo of control chars
+ * tty_tspeed(val)	Set transmit speed to val.
+ * tty_rspeed(val)	Set receive speed to val.
+ */
+
+#ifdef convex
+static int linestate;
+#endif
+
+	int
+tty_linemode()
+{
+#ifndef convex
+#ifndef	USE_TERMIO
+	return(termbuf.state & TS_EXTPROC);
+#else
+	return(termbuf.c_lflag & EXTPROC);
+#endif
+#else
+	return(linestate);
+#endif
+}
+
+	void
+tty_setlinemode(on)
+	int on;
+{
+#ifdef	TIOCEXT
+# ifndef convex
+	set_termbuf();
+# else
+	linestate = on;
+# endif
+	(void) ioctl(pty, TIOCEXT, (char *)&on);
+# ifndef convex
+	init_termbuf();
+# endif
+#else	/* !TIOCEXT */
+# ifdef	EXTPROC
+	if (on)
+		termbuf.c_lflag |= EXTPROC;
+	else
+		termbuf.c_lflag &= ~EXTPROC;
+# endif
+#endif	/* TIOCEXT */
+}
+#endif	/* LINEMODE */
+
+	int
+tty_isecho()
+{
+#ifndef USE_TERMIO
+	return (termbuf.sg.sg_flags & ECHO);
+#else
+	return (termbuf.c_lflag & ECHO);
+#endif
+}
+
+	int
+tty_flowmode()
+{
+#ifndef USE_TERMIO
+	return(((termbuf.tc.t_startc) > 0 && (termbuf.tc.t_stopc) > 0) ? 1 : 0);
+#else
+	return((termbuf.c_iflag & IXON) ? 1 : 0);
+#endif
+}
+
+	int
+tty_restartany()
+{
+#ifndef USE_TERMIO
+# ifdef	DECCTQ
+	return((termbuf.lflags & DECCTQ) ? 0 : 1);
+# else
+	return(-1);
+# endif
+#else
+	return((termbuf.c_iflag & IXANY) ? 1 : 0);
+#endif
+}
+
+	void
+tty_setecho(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		termbuf.sg.sg_flags |= ECHO|CRMOD;
+	else
+		termbuf.sg.sg_flags &= ~(ECHO|CRMOD);
+#else
+	if (on)
+		termbuf.c_lflag |= ECHO;
+	else
+		termbuf.c_lflag &= ~ECHO;
+#endif
+}
+
+	int
+tty_israw()
+{
+#ifndef USE_TERMIO
+	return(termbuf.sg.sg_flags & RAW);
+#else
+	return(!(termbuf.c_lflag & ICANON));
+#endif
+}
+
+#if	defined (AUTHENTICATION) && defined(NO_LOGIN_F) && defined(LOGIN_R)
+	int
+tty_setraw(on)
+{
+#  ifndef USE_TERMIO
+	if (on)
+		termbuf.sg.sg_flags |= RAW;
+	else
+		termbuf.sg.sg_flags &= ~RAW;
+#  else
+	if (on)
+		termbuf.c_lflag &= ~ICANON;
+	else
+		termbuf.c_lflag |= ICANON;
+#  endif
+}
+#endif
+
+	void
+tty_binaryin(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		termbuf.lflags |= LPASS8;
+	else
+		termbuf.lflags &= ~LPASS8;
+#else
+	if (on) {
+		termbuf.c_iflag &= ~ISTRIP;
+	} else {
+		termbuf.c_iflag |= ISTRIP;
+	}
+#endif
+}
+
+	void
+tty_binaryout(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		termbuf.lflags |= LLITOUT;
+	else
+		termbuf.lflags &= ~LLITOUT;
+#else
+	if (on) {
+		termbuf.c_cflag &= ~(CSIZE|PARENB);
+		termbuf.c_cflag |= CS8;
+		termbuf.c_oflag &= ~OPOST;
+	} else {
+		termbuf.c_cflag &= ~CSIZE;
+		termbuf.c_cflag |= CS7|PARENB;
+		termbuf.c_oflag |= OPOST;
+	}
+#endif
+}
+
+	int
+tty_isbinaryin()
+{
+#ifndef	USE_TERMIO
+	return(termbuf.lflags & LPASS8);
+#else
+	return(!(termbuf.c_iflag & ISTRIP));
+#endif
+}
+
+	int
+tty_isbinaryout()
+{
+#ifndef	USE_TERMIO
+	return(termbuf.lflags & LLITOUT);
+#else
+	return(!(termbuf.c_oflag&OPOST));
+#endif
+}
+
+#ifdef	LINEMODE
+	int
+tty_isediting()
+{
+#ifndef USE_TERMIO
+	return(!(termbuf.sg.sg_flags & (CBREAK|RAW)));
+#else
+	return(termbuf.c_lflag & ICANON);
+#endif
+}
+
+	int
+tty_istrapsig()
+{
+#ifndef USE_TERMIO
+	return(!(termbuf.sg.sg_flags&RAW));
+#else
+	return(termbuf.c_lflag & ISIG);
+#endif
+}
+
+	void
+tty_setedit(on)
+	int on;
+{
+#ifndef USE_TERMIO
+	if (on)
+		termbuf.sg.sg_flags &= ~CBREAK;
+	else
+		termbuf.sg.sg_flags |= CBREAK;
+#else
+	if (on)
+		termbuf.c_lflag |= ICANON;
+	else
+		termbuf.c_lflag &= ~ICANON;
+#endif
+}
+
+	void
+tty_setsig(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		;
+#else
+	if (on)
+		termbuf.c_lflag |= ISIG;
+	else
+		termbuf.c_lflag &= ~ISIG;
+#endif
+}
+#endif	/* LINEMODE */
+
+	int
+tty_issofttab()
+{
+#ifndef	USE_TERMIO
+	return (termbuf.sg.sg_flags & XTABS);
+#else
+# ifdef	OXTABS
+	return (termbuf.c_oflag & OXTABS);
+# endif
+# ifdef	TABDLY
+	return ((termbuf.c_oflag & TABDLY) == TAB3);
+# endif
+#endif
+}
+
+	void
+tty_setsofttab(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		termbuf.sg.sg_flags |= XTABS;
+	else
+		termbuf.sg.sg_flags &= ~XTABS;
+#else
+	if (on) {
+# ifdef	OXTABS
+		termbuf.c_oflag |= OXTABS;
+# endif
+# ifdef	TABDLY
+		termbuf.c_oflag &= ~TABDLY;
+		termbuf.c_oflag |= TAB3;
+# endif
+	} else {
+# ifdef	OXTABS
+		termbuf.c_oflag &= ~OXTABS;
+# endif
+# ifdef	TABDLY
+		termbuf.c_oflag &= ~TABDLY;
+		termbuf.c_oflag |= TAB0;
+# endif
+	}
+#endif
+}
+
+	int
+tty_islitecho()
+{
+#ifndef	USE_TERMIO
+	return (!(termbuf.lflags & LCTLECH));
+#else
+# ifdef	ECHOCTL
+	return (!(termbuf.c_lflag & ECHOCTL));
+# endif
+# ifdef	TCTLECH
+	return (!(termbuf.c_lflag & TCTLECH));
+# endif
+# if	!defined(ECHOCTL) && !defined(TCTLECH)
+	return (0);	/* assumes ctl chars are echoed '^x' */
+# endif
+#endif
+}
+
+	void
+tty_setlitecho(on)
+	int on;
+{
+#ifndef	USE_TERMIO
+	if (on)
+		termbuf.lflags &= ~LCTLECH;
+	else
+		termbuf.lflags |= LCTLECH;
+#else
+# ifdef	ECHOCTL
+	if (on)
+		termbuf.c_lflag &= ~ECHOCTL;
+	else
+		termbuf.c_lflag |= ECHOCTL;
+# endif
+# ifdef	TCTLECH
+	if (on)
+		termbuf.c_lflag &= ~TCTLECH;
+	else
+		termbuf.c_lflag |= TCTLECH;
+# endif
+#endif
+}
+
+	int
+tty_iscrnl()
+{
+#ifndef	USE_TERMIO
+	return (termbuf.sg.sg_flags & CRMOD);
+#else
+	return (termbuf.c_iflag & ICRNL);
+#endif
+}
+
+/*
+ * Try to guess whether speeds are "encoded" (4.2BSD) or just numeric (4.4BSD).
+ */
+#if B4800 != 4800
+#define	DECODE_BAUD
+#endif
+
+#ifdef	DECODE_BAUD
+
+/*
+ * A table of available terminal speeds
+ */
+struct termspeeds {
+	int	speed;
+	int	value;
+} termspeeds[] = {
+	{ 0,      B0 },      { 50,    B50 },    { 75,     B75 },
+	{ 110,    B110 },    { 134,   B134 },   { 150,    B150 },
+	{ 200,    B200 },    { 300,   B300 },   { 600,    B600 },
+	{ 1200,   B1200 },   { 1800,  B1800 },  { 2400,   B2400 },
+	{ 4800,   B4800 },
+#ifdef	B7200
+	{ 7200,  B7200 },
+#endif
+	{ 9600,   B9600 },
+#ifdef	B14400
+	{ 14400,  B14400 },
+#endif
+#ifdef	B19200
+	{ 19200,  B19200 },
+#endif
+#ifdef	B28800
+	{ 28800,  B28800 },
+#endif
+#ifdef	B38400
+	{ 38400,  B38400 },
+#endif
+#ifdef	B57600
+	{ 57600,  B57600 },
+#endif
+#ifdef	B115200
+	{ 115200, B115200 },
+#endif
+#ifdef	B230400
+	{ 230400, B230400 },
+#endif
+	{ -1,     0 }
+};
+#endif	/* DECODE_BAUD */
+
+	void
+tty_tspeed(val)
+	int val;
+{
+#ifdef	DECODE_BAUD
+	register struct termspeeds *tp;
+
+	for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++)
+		;
+	if (tp->speed == -1)	/* back up to last valid value */
+		--tp;
+	cfsetospeed(&termbuf, tp->value);
+#else	/* DECODE_BAUD */
+	cfsetospeed(&termbuf, val);
+#endif	/* DECODE_BAUD */
+}
+
+	void
+tty_rspeed(val)
+	int val;
+{
+#ifdef	DECODE_BAUD
+	register struct termspeeds *tp;
+
+	for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++)
+		;
+	if (tp->speed == -1)	/* back up to last valid value */
+		--tp;
+	cfsetispeed(&termbuf, tp->value);
+#else	/* DECODE_BAUD */
+	cfsetispeed(&termbuf, val);
+#endif	/* DECODE_BAUD */
+}
+
+#if	defined(CRAY2) && defined(UNICOS5)
+	int
+tty_isnewmap()
+{
+	return((termbuf.c_oflag & OPOST) && (termbuf.c_oflag & ONLCR) &&
+			!(termbuf.c_oflag & ONLRET));
+}
+#endif
+
+#ifdef PARENT_DOES_UTMP
+# ifndef NEWINIT
+extern	struct utmp wtmp;
+extern char wtmpf[];
+# else	/* NEWINIT */
+int	gotalarm;
+
+	/* ARGSUSED */
+	void
+nologinproc(sig)
+	int sig;
+{
+	gotalarm++;
+}
+# endif	/* NEWINIT */
+#endif /* PARENT_DOES_UTMP */
+
+#ifndef	NEWINIT
+# ifdef PARENT_DOES_UTMP
+extern void utmp_sig_init P((void));
+extern void utmp_sig_reset P((void));
+extern void utmp_sig_wait P((void));
+extern void utmp_sig_notify P((int));
+# endif /* PARENT_DOES_UTMP */
+#endif
+
+/*
+ * getptyslave()
+ *
+ * Open the slave side of the pty, and do any initialization
+ * that is necessary.
+ */
+	void
+getptyslave()
+{
+	register int t = -1;
+	char erase;
+
+#if	!defined(CRAY) || !defined(NEWINIT)
+# ifdef	LINEMODE
+	int waslm;
+# endif
+# ifdef	TIOCGWINSZ
+	struct winsize ws;
+	extern int def_row, def_col;
+# endif
+	extern int def_tspeed, def_rspeed;
+	/*
+	 * Opening the slave side may cause initilization of the
+	 * kernel tty structure.  We need remember the state of
+	 * 	if linemode was turned on
+	 *	terminal window size
+	 *	terminal speed
+	 *	erase character
+	 * so that we can re-set them if we need to.
+	 */
+# ifdef	LINEMODE
+	waslm = tty_linemode();
+# endif
+	erase = termbuf.c_cc[VERASE];
+
+	/*
+	 * Make sure that we don't have a controlling tty, and
+	 * that we are the session (process group) leader.
+	 */
+# ifdef	TIOCNOTTY
+	t = open(_PATH_TTY, O_RDWR);
+	if (t >= 0) {
+		(void) ioctl(t, TIOCNOTTY, (char *)0);
+		(void) close(t);
+	}
+# endif
+
+
+# ifdef PARENT_DOES_UTMP
+	/*
+	 * Wait for our parent to get the utmp stuff to get done.
+	 */
+	utmp_sig_wait();
+# endif
+
+	t = cleanopen(line);
+	if (t < 0)
+		fatalperror(net, line);
+
+#ifdef  STREAMSPTY
+#ifdef	USE_TERMIO
+	ttyfd = t;
+#endif
+	if (ioctl(t, I_PUSH, "ptem") < 0)
+		fatal(net, "I_PUSH ptem");
+	if (ioctl(t, I_PUSH, "ldterm") < 0)
+		fatal(net, "I_PUSH ldterm");
+	if (ioctl(t, I_PUSH, "ttcompat") < 0)
+		fatal(net, "I_PUSH ttcompat");
+	if (ioctl(pty, I_PUSH, "pckt") < 0)
+		fatal(net, "I_PUSH pckt");
+#endif
+
+	/*
+	 * set up the tty modes as we like them to be.
+	 */
+	init_termbuf();
+# ifdef	TIOCGWINSZ
+	if (def_row || def_col) {
+		memset((char *)&ws, 0, sizeof(ws));
+		ws.ws_col = def_col;
+		ws.ws_row = def_row;
+		(void)ioctl(t, TIOCSWINSZ, (char *)&ws);
+	}
+# endif
+
+	/*
+	 * Settings for sgtty based systems
+	 */
+# ifndef	USE_TERMIO
+	termbuf.sg.sg_flags |= CRMOD|ANYP|ECHO|XTABS;
+# endif	/* USE_TERMIO */
+
+	/*
+	 * Settings for UNICOS (and HPUX)
+	 */
+# if defined(CRAY) || defined(__hpux)
+	termbuf.c_oflag = OPOST|ONLCR|TAB3;
+	termbuf.c_iflag = IGNPAR|ISTRIP|ICRNL|IXON;
+	termbuf.c_lflag = ISIG|ICANON|ECHO|ECHOE|ECHOK;
+	termbuf.c_cflag = EXTB|HUPCL|CS8;
+# endif
+
+	/*
+	 * Settings for all other termios/termio based
+	 * systems, other than 4.4BSD.  In 4.4BSD the
+	 * kernel does the initial terminal setup.
+	 */
+# if defined(USE_TERMIO) && !(defined(CRAY) || defined(__hpux)) && (BSD <= 43)
+#  ifndef	OXTABS
+#   define OXTABS	0
+#  endif
+	termbuf.c_lflag |= ECHO;
+	termbuf.c_oflag |= ONLCR|OXTABS;
+	termbuf.c_iflag |= ICRNL;
+	termbuf.c_iflag &= ~IXOFF;
+# endif /* defined(USE_TERMIO) && !defined(CRAY) && (BSD <= 43) */
+	tty_rspeed((def_rspeed > 0) ? def_rspeed : 9600);
+	tty_tspeed((def_tspeed > 0) ? def_tspeed : 9600);
+	if (erase)
+		termbuf.c_cc[VERASE] = erase;
+# ifdef	LINEMODE
+	if (waslm)
+		tty_setlinemode(1);
+# endif	/* LINEMODE */
+
+	/*
+	 * Set the tty modes, and make this our controlling tty.
+	 */
+	set_termbuf();
+	if (login_tty(t) == -1)
+		fatalperror(net, "login_tty");
+#endif	/* !defined(CRAY) || !defined(NEWINIT) */
+	if (net > 2)
+		(void) close(net);
+#if	defined(AUTHENTICATION) && defined(NO_LOGIN_F) && defined(LOGIN_R)
+	/*
+	 * Leave the pty open so that we can write out the rlogin
+	 * protocol for /bin/login, if the authentication works.
+	 */
+#else
+	if (pty > 2) {
+		(void) close(pty);
+		pty = -1;
+	}
+#endif
+}
+
+#if	!defined(CRAY) || !defined(NEWINIT)
+#ifndef	O_NOCTTY
+#define	O_NOCTTY	0
+#endif
+/*
+ * Open the specified slave side of the pty,
+ * making sure that we have a clean tty.
+ */
+	int
+cleanopen(line)
+	char *line;
+{
+	register int t;
+#ifdef	UNICOS7x
+	struct secstat secbuf;
+#endif	/* UNICOS7x */
+
+#ifndef STREAMSPTY
+	/*
+	 * Make sure that other people can't open the
+	 * slave side of the connection.
+	 */
+	(void) chown(line, 0, 0);
+	(void) chmod(line, 0600);
+#endif
+
+# if !defined(CRAY) && (BSD > 43)
+	(void) revoke(line);
+# endif
+#ifdef	UNICOS7x
+	if (secflag) {
+		if (secstat(line, &secbuf) < 0)
+			return(-1);
+		if (setulvl(secbuf.st_slevel) < 0)
+			return(-1);
+		if (setucmp(secbuf.st_compart) < 0)
+			return(-1);
+	}
+#endif	/* UNICOS7x */
+
+	t = open(line, O_RDWR|O_NOCTTY);
+
+#ifdef	UNICOS7x
+	if (secflag) {
+		if (setulvl(sysv.sy_minlvl) < 0)
+			return(-1);
+		if (setucmp(0) < 0)
+			return(-1);
+	}
+#endif	/* UNICOS7x */
+
+	if (t < 0)
+		return(-1);
+
+	/*
+	 * Hangup anybody else using this ttyp, then reopen it for
+	 * ourselves.
+	 */
+# if !(defined(CRAY) || defined(__hpux)) && (BSD <= 43) && !defined(STREAMSPTY)
+	(void) signal(SIGHUP, SIG_IGN);
+	vhangup();
+	(void) signal(SIGHUP, SIG_DFL);
+	t = open(line, O_RDWR|O_NOCTTY);
+	if (t < 0)
+		return(-1);
+# endif
+# if	defined(CRAY) && defined(TCVHUP)
+	{
+		register int i;
+		(void) signal(SIGHUP, SIG_IGN);
+		(void) ioctl(t, TCVHUP, (char *)0);
+		(void) signal(SIGHUP, SIG_DFL);
+
+#ifdef	UNICOS7x
+		if (secflag) {
+			if (secstat(line, &secbuf) < 0)
+				return(-1);
+			if (setulvl(secbuf.st_slevel) < 0)
+				return(-1);
+			if (setucmp(secbuf.st_compart) < 0)
+				return(-1);
+		}
+#endif	/* UNICOS7x */
+
+		i = open(line, O_RDWR);
+
+#ifdef	UNICOS7x
+		if (secflag) {
+			if (setulvl(sysv.sy_minlvl) < 0)
+				return(-1);
+			if (setucmp(0) < 0)
+				return(-1);
+		}
+#endif	/* UNICOS7x */
+
+		if (i < 0)
+			return(-1);
+		(void) close(t);
+		t = i;
+	}
+# endif	/* defined(CRAY) && defined(TCVHUP) */
+	return(t);
+}
+#endif	/* !defined(CRAY) || !defined(NEWINIT) */
+
+#if BSD <= 43
+
+	int
+login_tty(t)
+	int t;
+{
+	if (setsid() < 0) {
+#ifdef ultrix
+		/*
+		 * The setsid() may have failed because we
+		 * already have a pgrp == pid.  Zero out
+		 * our pgrp and try again...
+		 */
+		if ((setpgrp(0, 0) < 0) || (setsid() < 0))
+#endif
+			fatalperror(net, "setsid()");
+	}
+# ifdef	TIOCSCTTY
+	if (ioctl(t, TIOCSCTTY, (char *)0) < 0)
+		fatalperror(net, "ioctl(sctty)");
+#  if defined(CRAY)
+	/*
+	 * Close the hard fd to /dev/ttypXXX, and re-open through
+	 * the indirect /dev/tty interface.
+	 */
+	close(t);
+	if ((t = open("/dev/tty", O_RDWR)) < 0)
+		fatalperror(net, "open(/dev/tty)");
+#  endif
+# else
+	/*
+	 * We get our controlling tty assigned as a side-effect
+	 * of opening up a tty device.  But on BSD based systems,
+	 * this only happens if our process group is zero.  The
+	 * setsid() call above may have set our pgrp, so clear
+	 * it out before opening the tty...
+	 */
+#  ifndef SOLARIS
+	(void) setpgrp(0, 0);
+#  else
+	(void) setpgrp();
+#  endif
+	close(open(line, O_RDWR));
+# endif
+	if (t != 0)
+		(void) dup2(t, 0);
+	if (t != 1)
+		(void) dup2(t, 1);
+	if (t != 2)
+		(void) dup2(t, 2);
+	if (t > 2)
+		close(t);
+	return(0);
+}
+#endif	/* BSD <= 43 */
+
+#ifdef	NEWINIT
+char *gen_id = "fe";
+#endif
+
+/*
+ * startslave(host)
+ *
+ * Given a hostname, do whatever
+ * is necessary to startup the login process on the slave side of the pty.
+ */
+
+/* ARGSUSED */
+	void
+startslave(host, autologin, autoname)
+	char *host;
+	int autologin;
+	char *autoname;
+{
+	register int i;
+#ifdef	NEWINIT
+	extern char *ptyip;
+	struct init_request request;
+	void nologinproc();
+	register int n;
+#endif	/* NEWINIT */
+
+#if	defined(AUTHENTICATION)
+	if (!autoname || !autoname[0])
+		autologin = 0;
+
+	if (autologin < auth_level) {
+		fatal(net, "Authorization failed");
+		exit(1);
+	}
+#endif
+
+#ifndef	NEWINIT
+# ifdef	PARENT_DOES_UTMP
+	utmp_sig_init();
+# endif	/* PARENT_DOES_UTMP */
+
+	if ((i = fork()) < 0)
+		fatalperror(net, "fork");
+	if (i) {
+# ifdef PARENT_DOES_UTMP
+		/*
+		 * Cray parent will create utmp entry for child and send
+		 * signal to child to tell when done.  Child waits for signal
+		 * before doing anything important.
+		 */
+		register int pid = i;
+		void sigjob P((int));
+
+		setpgrp();
+		utmp_sig_reset();		/* reset handler to default */
+		/*
+		 * Create utmp entry for child
+		 */
+		(void) time(&wtmp.ut_time);
+		wtmp.ut_type = LOGIN_PROCESS;
+		wtmp.ut_pid = pid;
+		SCPYN(wtmp.ut_user, "LOGIN");
+		SCPYN(wtmp.ut_host, host);
+		SCPYN(wtmp.ut_line, line + sizeof("/dev/") - 1);
+#ifndef	__hpux
+		SCPYN(wtmp.ut_id, wtmp.ut_line+3);
+#else
+		SCPYN(wtmp.ut_id, wtmp.ut_line+7);
+#endif
+		pututline(&wtmp);
+		endutent();
+		if ((i = open(wtmpf, O_WRONLY|O_APPEND)) >= 0) {
+			(void) write(i, (char *)&wtmp, sizeof(struct utmp));
+			(void) close(i);
+		}
+#ifdef	CRAY
+		(void) signal(WJSIGNAL, sigjob);
+#endif
+		utmp_sig_notify(pid);
+# endif	/* PARENT_DOES_UTMP */
+	} else {
+		getptyslave(autologin);
+		start_login(host, autologin, autoname);
+		/*NOTREACHED*/
+	}
+#else	/* NEWINIT */
+
+	/*
+	 * Init will start up login process if we ask nicely.  We only wait
+	 * for it to start up and begin normal telnet operation.
+	 */
+	if ((i = open(INIT_FIFO, O_WRONLY)) < 0) {
+		char tbuf[128];
+		(void) snprintf(tbuf, sizeof(tbuf), "Can't open %s\n", INIT_FIFO);
+		fatalperror(net, tbuf);
+	}
+	memset((char *)&request, 0, sizeof(request));
+	request.magic = INIT_MAGIC;
+	SCPYN(request.gen_id, gen_id);
+	SCPYN(request.tty_id, &line[8]);
+	SCPYN(request.host, host);
+	SCPYN(request.term_type, terminaltype ? terminaltype : "network");
+#if	!defined(UNICOS5)
+	request.signal = SIGCLD;
+	request.pid = getpid();
+#endif
+#ifdef BFTPDAEMON
+	/*
+	 * Are we working as the bftp daemon?
+	 */
+	if (bftpd) {
+		SCPYN(request.exec_name, BFTPPATH);
+	}
+#endif /* BFTPDAEMON */
+	if (write(i, (char *)&request, sizeof(request)) < 0) {
+		char tbuf[128];
+		(void) snprintf(tbuf, sizeof(tbuf), "Can't write to %s\n", INIT_FIFO);
+		fatalperror(net, tbuf);
+	}
+	(void) close(i);
+	(void) signal(SIGALRM, nologinproc);
+	for (i = 0; ; i++) {
+		char tbuf[128];
+		alarm(15);
+		n = read(pty, ptyip, BUFSIZ);
+		if (i == 3 || n >= 0 || !gotalarm)
+			break;
+		gotalarm = 0;
+		snprintf(tbuf, sizeof(tbuf), "telnetd: waiting for /etc/init to start login process on %s\r\n", line);
+		(void) write(net, tbuf, strlen(tbuf));
+	}
+	if (n < 0 && gotalarm)
+		fatal(net, "/etc/init didn't start login process");
+	pcc += n;
+	alarm(0);
+	(void) signal(SIGALRM, SIG_DFL);
+
+	return;
+#endif	/* NEWINIT */
+}
+
+char	*envinit[3];
+extern char **environ;
+
+	void
+init_env()
+{
+	extern char *getenv();
+	char **envp;
+
+	envp = envinit;
+	if ((*envp = getenv("TZ")))
+		*envp++ -= 3;
+#if	defined(CRAY) || defined(__hpux)
+	else
+		*envp++ = "TZ=GMT0";
+#endif
+	*envp = 0;
+	environ = envinit;
+}
+
+#ifndef	NEWINIT
+
+/*
+ * start_login(host)
+ *
+ * Assuming that we are now running as a child processes, this
+ * function will turn us into the login process.
+ */
+
+	void
+start_login(host, autologin, name)
+	char *host;
+	int autologin;
+	char *name;
+{
+	register char **argv;
+	char **addarg(), *user;
+	extern char *getenv();
+#ifdef	UTMPX
+	register int pid = getpid();
+	struct utmpx utmpx;
+#endif
+#ifdef SOLARIS
+	char *term;
+	char termbuf[64];
+#endif
+
+#ifdef	UTMPX
+	/*
+	 * Create utmp entry for child
+	 */
+
+	memset(&utmpx, 0, sizeof(utmpx));
+	SCPYN(utmpx.ut_user, ".telnet");
+	SCPYN(utmpx.ut_line, line + sizeof("/dev/") - 1);
+	utmpx.ut_pid = pid;
+	utmpx.ut_id[0] = 't';
+	utmpx.ut_id[1] = 'n';
+	utmpx.ut_id[2] = SC_WILDC;
+	utmpx.ut_id[3] = SC_WILDC;
+	utmpx.ut_type = LOGIN_PROCESS;
+	(void) time(&utmpx.ut_tv.tv_sec);
+	if (makeutx(&utmpx) == NULL)
+		fatal(net, "makeutx failed");
+#endif
+
+	scrub_env();
+
+	/*
+	 * -h : pass on name of host.
+	 *		WARNING:  -h is accepted by login if and only if
+	 *			getuid() == 0.
+	 * -p : don't clobber the environment (so terminal type stays set).
+	 *
+	 * -f : force this login, he has already been authenticated
+	 */
+	argv = addarg(0, "login");
+
+#if	!defined(NO_LOGIN_H)
+
+# if	defined (AUTHENTICATION) && defined(NO_LOGIN_F) && defined(LOGIN_R)
+	/*
+	 * Don't add the "-h host" option if we are going
+	 * to be adding the "-r host" option down below...
+	 */
+	if ((auth_level < 0) || (autologin != AUTH_VALID))
+# endif
+	{
+		argv = addarg(argv, "-h");
+		argv = addarg(argv, host);
+#ifdef	SOLARIS
+		/*
+		 * SVR4 version of -h takes TERM= as second arg, or -
+		 */
+		term = getenv("TERM");
+		if (term == NULL || term[0] == 0) {
+			term = "-";
+		} else {
+			strcpy(termbuf, "TERM=");
+			strncat(termbuf, term, sizeof(termbuf) - 6);
+			term = termbuf;
+		}
+		argv = addarg(argv, term);
+#endif
+	}
+#endif
+#if	!defined(NO_LOGIN_P)
+	argv = addarg(argv, "-p");
+#endif
+#ifdef	LINEMODE
+	/*
+	 * Set the environment variable "LINEMODE" to either
+	 * "real" or "kludge" if we are operating in either
+	 * real or kludge linemode.
+	 */
+	if (lmodetype == REAL_LINEMODE)
+		setenv("LINEMODE", "real", 1);
+# ifdef KLUDGELINEMODE
+	else if (lmodetype == KLUDGE_LINEMODE || lmodetype == KLUDGE_OK)
+		setenv("LINEMODE", "kludge", 1);
+# endif
+#endif
+#ifdef	BFTPDAEMON
+	/*
+	 * Are we working as the bftp daemon?  If so, then ask login
+	 * to start bftp instead of shell.
+	 */
+	if (bftpd) {
+		argv = addarg(argv, "-e");
+		argv = addarg(argv, BFTPPATH);
+	} else
+#endif
+#if	defined (SecurID)
+	/*
+	 * don't worry about the -f that might get sent.
+	 * A -s is supposed to override it anyhow.
+	 */
+	if (require_SecurID)
+		argv = addarg(argv, "-s");
+#endif
+#if	defined (AUTHENTICATION)
+	if (auth_level >= 0 && autologin == AUTH_VALID) {
+# if	!defined(NO_LOGIN_F)
+		argv = addarg(argv, "-f");
+		argv = addarg(argv, "--");
+		argv = addarg(argv, name);
+# else
+#  if defined(LOGIN_R)
+		/*
+		 * We don't have support for "login -f", but we
+		 * can fool /bin/login into thinking that we are
+		 * rlogind, and allow us to log in without a
+		 * password.  The rlogin protocol expects
+		 *	local-user\0remote-user\0term/speed\0
+		 */
+
+		if (pty > 2) {
+			register char *cp;
+			char speed[128];
+			int isecho, israw, xpty, len;
+			extern int def_rspeed;
+#  ifndef LOGIN_HOST
+			/*
+			 * Tell login that we are coming from "localhost".
+			 * If we passed in the real host name, then the
+			 * user would have to allow .rhost access from
+			 * every machine that they want authenticated
+			 * access to work from, which sort of defeats
+			 * the purpose of an authenticated login...
+			 * So, we tell login that the session is coming
+			 * from "localhost", and the user will only have
+			 * to have "localhost" in their .rhost file.
+			 */
+#			define LOGIN_HOST "localhost"
+#  endif
+			argv = addarg(argv, "-r");
+			argv = addarg(argv, LOGIN_HOST);
+
+			xpty = pty;
+# ifndef  STREAMSPTY
+			pty = 0;
+# else
+			ttyfd = 0;
+# endif
+			init_termbuf();
+			isecho = tty_isecho();
+			israw = tty_israw();
+			if (isecho || !israw) {
+				tty_setecho(0);		/* Turn off echo */
+				tty_setraw(1);		/* Turn on raw */
+				set_termbuf();
+			}
+			len = strlen(name)+1;
+			write(xpty, name, len);
+			write(xpty, name, len);
+			snprintf(speed, sizeof(speed),
+				"%s/%d", (cp = getenv("TERM")) ? cp : "",
+				(def_rspeed > 0) ? def_rspeed : 9600);
+			len = strlen(speed)+1;
+			write(xpty, speed, len);
+
+			if (isecho || !israw) {
+				init_termbuf();
+				tty_setecho(isecho);
+				tty_setraw(israw);
+				set_termbuf();
+				if (!israw) {
+					/*
+					 * Write a newline to ensure
+					 * that login will be able to
+					 * read the line...
+					 */
+					write(xpty, "\n", 1);
+				}
+			}
+			pty = xpty;
+		}
+#  else
+		argv = addarg(argv, "--");
+		argv = addarg(argv, name);
+#  endif
+# endif
+	} else
+#endif
+	if (getenv("USER")) {
+ 		argv = addarg(argv, "--");
+		argv = addarg(argv, getenv("USER"));
+#if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+		{
+			register char **cpp;
+			for (cpp = environ; *cpp; cpp++)
+				argv = addarg(argv, *cpp);
+		}
+#endif
+		/*
+		 * Assume that login will set the USER variable
+		 * correctly.  For SysV systems, this means that
+		 * USER will no longer be set, just LOGNAME by
+		 * login.  (The problem is that if the auto-login
+		 * fails, and the user then specifies a different
+		 * account name, he can get logged in with both
+		 * LOGNAME and USER in his environment, but the
+		 * USER value will be wrong.
+		 */
+		unsetenv("USER");
+	}
+#ifdef	SOLARIS
+	else {
+		char **p;
+
+		argv = addarg(argv, "");	/* no login name */
+		for (p = environ; *p; p++) {
+			argv = addarg(argv, *p);
+		}
+	}
+#endif	/* SOLARIS */
+#if	defined(AUTHENTICATION) && defined(NO_LOGIN_F) && defined(LOGIN_R)
+	if (pty > 2)
+		close(pty);
+#endif
+	closelog();
+
+	if (altlogin == NULL) {
+		altlogin = _PATH_LOGIN;
+	}
+	execv(altlogin, argv);
+
+	syslog(LOG_ERR, "%s: %m", altlogin);
+	fatalperror(net, altlogin);
+	/*NOTREACHED*/
+}
+
+	char **
+addarg(argv, val)
+	register char **argv;
+	register char *val;
+{
+	register char **cpp;
+
+	if (argv == NULL) {
+		/*
+		 * 10 entries, a leading length, and a null
+		 */
+		argv = (char **)malloc(sizeof(*argv) * 12);
+		if (argv == NULL)
+			return(NULL);
+		*argv++ = (char *)10;
+		*argv = (char *)0;
+	}
+	for (cpp = argv; *cpp; cpp++)
+		;
+	if (cpp == &argv[(int)argv[-1]]) {
+		--argv;
+		*argv = (char *)((int)(*argv) + 10);
+		argv = (char **)realloc(argv, sizeof(*argv)*((int)(*argv) + 2));
+		if (argv == NULL)
+			return(NULL);
+		argv++;
+		cpp = &argv[(int)argv[-1] - 10];
+	}
+	*cpp++ = val;
+	*cpp = 0;
+	return(argv);
+}
+#endif	/* NEWINIT */
+
+/*
+ * scrub_env()
+ *
+ * We only accept the environment variables listed below.
+ */
+	void
+scrub_env()
+{
+	static const char *reject[] = {
+		"TERMCAP=/",
+		NULL
+	};
+
+	static const char *accept[] = {
+		"XAUTH=", "XAUTHORITY=", "DISPLAY=",
+		"TERM=",
+		"EDITOR=",
+		"PAGER=",
+		"LOGNAME=",
+		"POSIXLY_CORRECT=",
+		"PRINTER=",
+		NULL
+	};
+
+	char **cpp, **cpp2;
+	const char **p;
+ 
+ 	for (cpp2 = cpp = environ; *cpp; cpp++) {
+		int reject_it = 0;
+
+		for(p = reject; *p; p++)
+			if(strncmp(*cpp, *p, strlen(*p)) == 0) {
+				reject_it = 1;
+				break;
+			}
+		if (reject_it)
+			continue;
+
+		for(p = accept; *p; p++)
+			if(strncmp(*cpp, *p, strlen(*p)) == 0)
+				break;
+		if(*p != NULL)
+ 			*cpp2++ = *cpp;
+ 	}
+	*cpp2 = NULL;
+}
+
+/*
+ * cleanup()
+ *
+ * This is the routine to call when we are all through, to
+ * clean up anything that needs to be cleaned up.
+ */
+	/* ARGSUSED */
+	void
+cleanup(sig)
+	int sig;
+{
+#ifndef	PARENT_DOES_UTMP
+# if (BSD > 43) || defined(convex)
+	char *p;
+
+	p = line + sizeof("/dev/") - 1;
+	if (logout(p))
+		logwtmp(p, "", "");
+	(void)chmod(line, 0666);
+	(void)chown(line, 0, 0);
+	*p = 'p';
+	(void)chmod(line, 0666);
+	(void)chown(line, 0, 0);
+	(void) shutdown(net, 2);
+	exit(1);
+# else
+	void rmut();
+
+	rmut();
+	vhangup();	/* XXX */
+	(void) shutdown(net, 2);
+	exit(1);
+# endif
+#else	/* PARENT_DOES_UTMP */
+# ifdef	NEWINIT
+	(void) shutdown(net, 2);
+	exit(1);
+# else	/* NEWINIT */
+#  ifdef CRAY
+	static int incleanup = 0;
+	register int t;
+	int child_status; /* status of child process as returned by waitpid */
+	int flags = WNOHANG|WUNTRACED;
+
+	/*
+	 * 1: Pick up the zombie, if we are being called
+	 *    as the signal handler.
+	 * 2: If we are a nested cleanup(), return.
+	 * 3: Try to clean up TMPDIR.
+	 * 4: Fill in utmp with shutdown of process.
+	 * 5: Close down the network and pty connections.
+	 * 6: Finish up the TMPDIR cleanup, if needed.
+	 */
+	if (sig == SIGCHLD) {
+		while (waitpid(-1, &child_status, flags) > 0)
+			;	/* VOID */
+		/* Check if the child process was stopped
+		 * rather than exited.  We want cleanup only if
+		 * the child has died.
+		 */
+		if (WIFSTOPPED(child_status)) {
+			return;
+		}
+	}
+	t = sigblock(sigmask(SIGCHLD));
+	if (incleanup) {
+		sigsetmask(t);
+		return;
+	}
+	incleanup = 1;
+	sigsetmask(t);
+#ifdef	UNICOS7x
+	if (secflag) {
+		/*
+		 *	We need to set ourselves back to a null
+		 *	label to clean up.
+		 */
+
+		setulvl(sysv.sy_minlvl);
+		setucmp((long)0);
+	}
+#endif	/* UNICOS7x */
+
+	t = cleantmp(&wtmp);
+	setutent();	/* just to make sure */
+#  endif /* CRAY */
+	rmut(line);
+	close(pty);
+	(void) shutdown(net, 2);
+#  ifdef CRAY
+	if (t == 0)
+		cleantmp(&wtmp);
+#  endif /* CRAY */
+	exit(1);
+# endif	/* NEWINT */
+#endif	/* PARENT_DOES_UTMP */
+}
+
+#if defined(PARENT_DOES_UTMP) && !defined(NEWINIT)
+/*
+ * _utmp_sig_rcv
+ * utmp_sig_init
+ * utmp_sig_wait
+ *	These three functions are used to coordinate the handling of
+ *	the utmp file between the server and the soon-to-be-login shell.
+ *	The server actually creates the utmp structure, the child calls
+ *	utmp_sig_wait(), until the server calls utmp_sig_notify() and
+ *	signals the future-login shell to proceed.
+ */
+static int caught=0;		/* NZ when signal intercepted */
+static void (*func)();		/* address of previous handler */
+
+	void
+_utmp_sig_rcv(sig)
+	int sig;
+{
+	caught = 1;
+	(void) signal(SIGUSR1, func);
+}
+
+	void
+utmp_sig_init()
+{
+	/*
+	 * register signal handler for UTMP creation
+	 */
+	if ((int)(func = signal(SIGUSR1, _utmp_sig_rcv)) == -1)
+		fatalperror(net, "telnetd/signal");
+}
+
+	void
+utmp_sig_reset()
+{
+	(void) signal(SIGUSR1, func);	/* reset handler to default */
+}
+
+# ifdef __hpux
+# define sigoff() /* do nothing */
+# define sigon() /* do nothing */
+# endif
+
+	void
+utmp_sig_wait()
+{
+	/*
+	 * Wait for parent to write our utmp entry.
+	 */
+	sigoff();
+	while (caught == 0) {
+		pause();	/* wait until we get a signal (sigon) */
+		sigoff();	/* turn off signals while we check caught */
+	}
+	sigon();		/* turn on signals again */
+}
+
+	void
+utmp_sig_notify(pid)
+{
+	kill(pid, SIGUSR1);
+}
+
+# ifdef CRAY
+static int gotsigjob = 0;
+
+	/*ARGSUSED*/
+	void
+sigjob(sig)
+	int sig;
+{
+	register int jid;
+	register struct jobtemp *jp;
+
+	while ((jid = waitjob(NULL)) != -1) {
+		if (jid == 0) {
+			return;
+		}
+		gotsigjob++;
+		jobend(jid, NULL, NULL);
+	}
+}
+
+/*
+ *	jid_getutid:
+ *		called by jobend() before calling cleantmp()
+ *		to find the correct $TMPDIR to cleanup.
+ */
+
+	struct utmp *
+jid_getutid(jid)
+	int jid;
+{
+	struct utmp *cur = NULL;
+
+	setutent();	/* just to make sure */
+	while (cur = getutent()) {
+		if ( (cur->ut_type != NULL) && (jid == cur->ut_jid) ) {
+			return(cur);
+		}
+	}
+
+	return(0);
+}
+
+/*
+ * Clean up the TMPDIR that login created.
+ * The first time this is called we pick up the info
+ * from the utmp.  If the job has already gone away,
+ * then we'll clean up and be done.  If not, then
+ * when this is called the second time it will wait
+ * for the signal that the job is done.
+ */
+	int
+cleantmp(wtp)
+	register struct utmp *wtp;
+{
+	struct utmp *utp;
+	static int first = 1;
+	register int mask, omask, ret;
+	extern struct utmp *getutid P((const struct utmp *_Id));
+
+
+	mask = sigmask(WJSIGNAL);
+
+	if (first == 0) {
+		omask = sigblock(mask);
+		while (gotsigjob == 0)
+			sigpause(omask);
+		return(1);
+	}
+	first = 0;
+	setutent();	/* just to make sure */
+
+	utp = getutid(wtp);
+	if (utp == 0) {
+		syslog(LOG_ERR, "can't get /etc/utmp entry to clean TMPDIR");
+		return(-1);
+	}
+	/*
+	 * Nothing to clean up if the user shell was never started.
+	 */
+	if (utp->ut_type != USER_PROCESS || utp->ut_jid == 0)
+		return(1);
+
+	/*
+	 * Block the WJSIGNAL while we are in jobend().
+	 */
+	omask = sigblock(mask);
+	ret = jobend(utp->ut_jid, utp->ut_tpath, utp->ut_user);
+	sigsetmask(omask);
+	return(ret);
+}
+
+	int
+jobend(jid, path, user)
+	register int jid;
+	register char *path;
+	register char *user;
+{
+	static int saved_jid = 0;
+	static int pty_saved_jid = 0;
+	static char saved_path[sizeof(wtmp.ut_tpath)+1];
+	static char saved_user[sizeof(wtmp.ut_user)+1];
+
+	/*
+	 * this little piece of code comes into play
+	 * only when ptyreconnect is used to reconnect
+	 * to an previous session.
+	 *
+	 * this is the only time when the
+	 * "saved_jid != jid" code is executed.
+	 */
+
+	if ( saved_jid && saved_jid != jid ) {
+		if (!path) {	/* called from signal handler */
+			pty_saved_jid = jid;
+		} else {
+			pty_saved_jid = saved_jid;
+		}
+	}
+
+	if (path) {
+		strncpy(saved_path, path, sizeof(wtmp.ut_tpath));
+		strncpy(saved_user, user, sizeof(wtmp.ut_user));
+		saved_path[sizeof(saved_path)] = '\0';
+		saved_user[sizeof(saved_user)] = '\0';
+	}
+	if (saved_jid == 0) {
+		saved_jid = jid;
+		return(0);
+	}
+
+	/* if the jid has changed, get the correct entry from the utmp file */
+
+	if ( saved_jid != jid ) {
+		struct utmp *utp = NULL;
+		struct utmp *jid_getutid();
+
+		utp = jid_getutid(pty_saved_jid);
+
+		if (utp == 0) {
+			syslog(LOG_ERR, "Can't get /etc/utmp entry to clean TMPDIR");
+			return(-1);
+		}
+
+		cleantmpdir(jid, utp->ut_tpath, utp->ut_user);
+		return(1);
+	}
+
+	cleantmpdir(jid, saved_path, saved_user);
+	return(1);
+}
+
+/*
+ * Fork a child process to clean up the TMPDIR
+ */
+cleantmpdir(jid, tpath, user)
+	register int jid;
+	register char *tpath;
+	register char *user;
+{
+	switch(fork()) {
+	case -1:
+		syslog(LOG_ERR, "TMPDIR cleanup(%s): fork() failed: %m",
+							tpath);
+		break;
+	case 0:
+		execl(CLEANTMPCMD, CLEANTMPCMD, user, tpath, 0);
+		syslog(LOG_ERR, "TMPDIR cleanup(%s): execl(%s) failed: %m",
+							tpath, CLEANTMPCMD);
+		exit(1);
+	default:
+		/*
+		 * Forget about child.  We will exit, and
+		 * /etc/init will pick it up.
+		 */
+		break;
+	}
+}
+# endif /* CRAY */
+#endif	/* defined(PARENT_DOES_UTMP) && !defined(NEWINIT) */
+
+/*
+ * rmut()
+ *
+ * This is the function called by cleanup() to
+ * remove the utmp entry for this person.
+ */
+
+#ifdef	UTMPX
+	void
+rmut()
+{
+	register f;
+	int found = 0;
+	struct utmp *u, *utmp;
+	int nutmp;
+	struct stat statbf;
+
+	struct utmpx *utxp, utmpx;
+
+	/*
+	 * This updates the utmpx and utmp entries and make a wtmp/x entry
+	 */
+
+	SCPYN(utmpx.ut_line, line + sizeof("/dev/") - 1);
+	utxp = getutxline(&utmpx);
+	if (utxp) {
+		utxp->ut_type = DEAD_PROCESS;
+		utxp->ut_exit.e_termination = 0;
+		utxp->ut_exit.e_exit = 0;
+		(void) time(&utmpx.ut_tv.tv_sec);
+		utmpx.ut_tv.tv_usec = 0;
+		modutx(utxp);
+	}
+	endutxent();
+}  /* end of rmut */
+#endif
+
+#if	!defined(UTMPX) && !(defined(CRAY) || defined(__hpux)) && BSD <= 43
+	void
+rmut()
+{
+	register f;
+	int found = 0;
+	struct utmp *u, *utmp;
+	int nutmp;
+	struct stat statbf;
+
+	f = open(utmpf, O_RDWR);
+	if (f >= 0) {
+		(void) fstat(f, &statbf);
+		utmp = (struct utmp *)malloc((unsigned)statbf.st_size);
+		if (!utmp)
+			syslog(LOG_ERR, "utmp malloc failed");
+		if (statbf.st_size && utmp) {
+			nutmp = read(f, (char *)utmp, (int)statbf.st_size);
+			nutmp /= sizeof(struct utmp);
+
+			for (u = utmp ; u < &utmp[nutmp] ; u++) {
+				if (SCMPN(u->ut_line, line+5) ||
+				    u->ut_name[0]==0)
+					continue;
+				(void) lseek(f, ((long)u)-((long)utmp), L_SET);
+				SCPYN(u->ut_name, "");
+				SCPYN(u->ut_host, "");
+				(void) time(&u->ut_time);
+				(void) write(f, (char *)u, sizeof(wtmp));
+				found++;
+			}
+		}
+		(void) close(f);
+	}
+	if (found) {
+		f = open(wtmpf, O_WRONLY|O_APPEND);
+		if (f >= 0) {
+			SCPYN(wtmp.ut_line, line+5);
+			SCPYN(wtmp.ut_name, "");
+			SCPYN(wtmp.ut_host, "");
+			(void) time(&wtmp.ut_time);
+			(void) write(f, (char *)&wtmp, sizeof(wtmp));
+			(void) close(f);
+		}
+	}
+	(void) chmod(line, 0666);
+	(void) chown(line, 0, 0);
+	line[strlen("/dev/")] = 'p';
+	(void) chmod(line, 0666);
+	(void) chown(line, 0, 0);
+}  /* end of rmut */
+#endif	/* CRAY */
+
+#ifdef __hpux
+rmut (line)
+char *line;
+{
+	struct utmp utmp;
+	struct utmp *utptr;
+	int fd;			/* for /etc/wtmp */
+
+	utmp.ut_type = USER_PROCESS;
+	(void) strncpy(utmp.ut_id, line+12, sizeof(utmp.ut_id));
+	(void) setutent();
+	utptr = getutid(&utmp);
+	/* write it out only if it exists */
+	if (utptr) {
+		utptr->ut_type = DEAD_PROCESS;
+		utptr->ut_time = time((long *) 0);
+		(void) pututline(utptr);
+		/* set wtmp entry if wtmp file exists */
+		if ((fd = open(wtmpf, O_WRONLY | O_APPEND)) >= 0) {
+			(void) write(fd, utptr, sizeof(utmp));
+			(void) close(fd);
+		}
+	}
+	(void) endutent();
+
+	(void) chmod(line, 0666);
+	(void) chown(line, 0, 0);
+	line[14] = line[13];
+	line[13] = line[12];
+	line[8] = 'm';
+	line[9] = '/';
+	line[10] = 'p';
+	line[11] = 't';
+	line[12] = 'y';
+	(void) chmod(line, 0666);
+	(void) chown(line, 0, 0);
+}
+#endif
diff --git a/crypto/telnet/telnetd/telnetd.8 b/crypto/telnet/telnetd/telnetd.8
new file mode 100644
index 0000000..684f8a4
--- /dev/null
+++ b/crypto/telnet/telnetd/telnetd.8
@@ -0,0 +1,616 @@
+.\" Copyright (c) 1983, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"	This product includes software developed by the University of
+.\"	California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	@(#)telnetd.8	8.4 (Berkeley) 6/1/94
+.\" $FreeBSD$
+.\"
+.Dd January 27, 2000
+.Dt TELNETD 8
+.Os
+.Sh NAME
+.Nm telnetd
+.Nd DARPA
+.Tn TELNET
+protocol server
+.Sh SYNOPSIS
+.Nm /usr/libexec/telnetd
+.Op Fl BUhlkns
+.Op Fl D Ar debugmode
+.Op Fl I Ns Ar initid
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl a Ar authmode
+.Op Fl edebug
+.Op Fl p Ar loginprog
+.Op Fl r Ns Ar lowpty-highpty
+.Op Fl u Ar len
+.Op Fl debug Op Ar port
+.Sh DESCRIPTION
+The
+.Nm
+command is a server which supports the
+.Tn DARPA
+standard
+.Tn TELNET
+virtual terminal protocol.
+.Nm Telnetd
+is normally invoked by the internet server (see
+.Xr inetd 8 )
+for requests to connect to the
+.Tn TELNET
+port as indicated by the
+.Pa /etc/services
+file (see
+.Xr services 5 ) .
+The
+.Fl debug
+option may be used to start up
+.Nm
+manually, instead of through
+.Xr inetd 8 .
+If started up this way, 
+.Ar port
+may be specified to run
+.Nm
+on an alternate
+.Tn TCP
+port number.
+.Pp
+The
+.Nm
+command accepts the following options:
+.Bl -tag -width indent
+.It Fl a Ar authmode
+This option may be used for specifying what mode should
+be used for authentication.
+Note that this option is only useful if
+.Nm
+has been compiled with support for the
+.Dv AUTHENTICATION
+option.
+There are several valid values for
+.Ar authmode :
+.Bl -tag -width debug
+.It Cm debug
+Turn on authentication debugging code.
+.It Cm user
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user,
+and is allowed access to the specified account
+without providing a password.
+.It Cm valid
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user.
+The
+.Xr login 1
+command will provide any additional user verification
+needed if the remote user is not allowed automatic
+access to the specified account.
+.It Cm other
+Only allow connections that supply some authentication information.
+This option is currently not supported
+by any of the existing authentication mechanisms,
+and is thus the same as specifying
+.Fl a
+.Cm valid .
+.It Cm none
+This is the default state.
+Authentication information is not required.
+If no or insufficient authentication information
+is provided, then the
+.Xr login 1
+program will provide the necessary user
+verification.
+.It Cm off
+Disable the authentication code.
+All user verification will happen through the
+.Xr login 1
+program.
+.El
+.It Fl B
+Specify bftp server mode.  In this mode,
+.Nm
+causes login to start a
+.Xr bftp 1
+session rather than the user's
+normal shell.  In bftp daemon mode normal
+logins are not supported, and it must be used
+on a port other than the normal
+.Tn TELNET
+port.
+.It Fl D Ar debugmode
+This option may be used for debugging purposes.
+This allows
+.Nm
+to print out debugging information
+to the connection, allowing the user to see what
+.Nm
+is doing.
+There are several possible values for 
+.Ar debugmode :
+.Bl -tag -width exercise
+.It Cm options
+Print information about the negotiation of
+.Tn TELNET
+options.
+.It Cm report
+Print the 
+.Cm options
+information, plus some additional information
+about what processing is going on.
+.It Cm netdata
+Display the data stream received by
+.Nm .
+.It Cm ptydata
+Display data written to the pty.
+.It Cm exercise
+Has not been implemented yet.
+.El
+.It Fl debug
+Enable debugging on each socket created by
+.Nm
+(see
+.Dv SO_DEBUG
+in
+.Xr socket 2 ) .
+.It Fl edebug
+If
+.Nm
+has been compiled with support for data encryption, then the
+.Fl edebug
+option may be used to enable encryption debugging code.
+.It Fl p Ar loginprog
+Specify an alternate
+.Xr login 1
+command to run to complete the login.  The alternate command must
+understand the same command arguments as the standard login.
+.It Fl h
+Disable the printing of host-specific information before
+login has been completed.
+.It Fl I Ar initid
+This option is only applicable to
+.Tn UNICOS
+systems prior to 7.0.
+It specifies the
+.Dv ID
+from
+.Pa /etc/inittab
+to use when init starts login sessions.  The default
+.Dv ID
+is
+.Dv fe .
+.It Fl k
+This option is only useful if
+.Nm
+has been compiled with both linemode and kludge linemode
+support.  If the
+.Fl k
+option is specified, then if the remote client does not
+support the
+.Dv LINEMODE
+option, then
+.Nm
+will operate in character at a time mode.
+It will still support kludge linemode, but will only
+go into kludge linemode if the remote client requests
+it.
+(This is done by the client sending
+.Dv DONT SUPPRESS-GO-AHEAD
+and
+.Dv DONT ECHO . )
+The
+.Fl k
+option is most useful when there are remote clients
+that do not support kludge linemode, but pass the heuristic
+(if they respond with
+.Dv WILL TIMING-MARK
+in response to a
+.Dv DO TIMING-MARK )
+for kludge linemode support.
+.It Fl l
+Specify line mode. Try to force clients to use line-
+at-a-time mode.
+If the
+.Dv LINEMODE
+option is not supported, it will go
+into kludge linemode.
+.It Fl n
+Disable
+.Dv TCP
+keep-alives.  Normally
+.Nm
+enables the
+.Tn TCP
+keep-alive mechanism to probe connections that
+have been idle for some period of time to determine
+if the client is still there, so that idle connections
+from machines that have crashed or can no longer
+be reached may be cleaned up.
+.It Fl r Ar lowpty-highpty
+This option is only enabled when
+.Nm
+is compiled for
+.Dv UNICOS .
+It specifies an inclusive range of pseudo-terminal devices to
+use.  If the system has sysconf variable
+.Dv _SC_CRAY_NPTY
+configured, the default pty search range is 0 to
+.Dv _SC_CRAY_NPTY ;
+otherwise, the default range is 0 to 128.  Either
+.Ar lowpty
+or
+.Ar highpty
+may be omitted to allow changing
+either end of the search range.  If
+.Ar lowpty
+is omitted, the - character is still required so that
+.Nm
+can differentiate
+.Ar highpty
+from
+.Ar lowpty .
+.It Fl s
+This option is only enabled if
+.Nm
+is compiled with support for
+.Tn SecurID
+cards.
+It causes the
+.Fl s
+option to be passed on to
+.Xr login 1 ,
+and thus is only useful if
+.Xr login 1
+supports the
+.Fl s
+flag to indicate that only
+.Tn SecurID
+validated logins are allowed, and is
+usually useful for controlling remote logins
+from outside of a firewall.
+.It Fl S Ar tos
+.It Fl u Ar len
+This option is used to specify the size of the field
+in the
+.Dv utmp
+structure that holds the remote host name.
+If the resolved host name is longer than
+.Ar len ,
+the dotted decimal value will be used instead.
+This allows hosts with very long host names that
+overflow this field to still be uniquely identified.
+Specifying
+.Fl u0
+indicates that only dotted decimal addresses
+should be put into the
+.Pa utmp
+file.
+.It Fl U
+This option causes
+.Nm
+to refuse connections from addresses that
+cannot be mapped back into a symbolic name
+via the
+.Xr gethostbyaddr 3
+routine.
+.It Fl X Ar authtype
+This option is only valid if
+.Nm
+has been built with support for the authentication option.
+It disables the use of
+.Ar authtype
+authentication, and
+can be used to temporarily disable
+a specific authentication type without having to recompile
+.Nm .
+.El
+.Pp
+.Nm Telnetd
+operates by allocating a pseudo-terminal device (see
+.Xr pty 4 )
+for a client, then creating a login process which has
+the slave side of the pseudo-terminal as 
+.Dv stdin ,
+.Dv stdout
+and
+.Dv stderr .
+.Nm Telnetd
+manipulates the master side of the pseudo-terminal,
+implementing the
+.Tn TELNET
+protocol and passing characters
+between the remote client and the login process.
+.Pp
+When a
+.Tn TELNET
+session is started up, 
+.Nm
+sends
+.Tn TELNET
+options to the client side indicating
+a willingness to do the
+following
+.Tn TELNET
+options, which are described in more detail below:
+.Bd -literal -offset indent
+DO AUTHENTICATION
+WILL ENCRYPT
+DO TERMINAL TYPE
+DO TSPEED
+DO XDISPLOC
+DO NEW-ENVIRON
+DO ENVIRON
+WILL SUPPRESS GO AHEAD
+DO ECHO
+DO LINEMODE
+DO NAWS
+WILL STATUS
+DO LFLOW
+DO TIMING-MARK
+.Ed
+.Pp
+The pseudo-terminal allocated to the client is configured
+to operate in
+.Dq cooked
+mode, and with
+.Dv XTABS and
+.Dv CRMOD
+enabled (see
+.Xr tty 4 ) .
+.Pp
+.Nm Telnetd
+has support for enabling locally the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "WILL ECHO"
+When the
+.Dv LINEMODE
+option is enabled, a
+.Dv WILL ECHO
+or
+.Dv WONT ECHO
+will be sent to the client to indicate the
+current state of terminal echoing.
+When terminal echo is not desired, a
+.Dv WILL ECHO
+is sent to indicate that
+.Nm
+will take care of echoing any data that needs to be
+echoed to the terminal, and then nothing is echoed.
+When terminal echo is desired, a
+.Dv WONT ECHO
+is sent to indicate that
+.Nm
+will not be doing any terminal echoing, so the
+client should do any terminal echoing that is needed.
+.It "WILL BINARY"
+Indicate that the client is willing to send a
+8 bits of data, rather than the normal 7 bits
+of the Network Virtual Terminal.
+.It "WILL SGA"
+Indicate that it will not be sending
+.Dv IAC GA ,
+go ahead, commands.
+.It "WILL STATUS"
+Indicate a willingness to send the client, upon
+request, of the current status of all
+.Tn TELNET
+options.
+.It "WILL TIMING-MARK"
+Whenever a
+.Dv DO TIMING-MARK
+command is received, it is always responded
+to with a
+.Dv WILL TIMING-MARK
+.It "WILL LOGOUT"
+When a
+.Dv DO LOGOUT
+is received, a
+.Dv WILL LOGOUT
+is sent in response, and the
+.Tn TELNET
+session is shut down.
+.It "WILL ENCRYPT"
+Only sent if
+.Nm
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Pp
+.Nm Telnetd
+has support for enabling remotely the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "DO BINARY"
+Sent to indicate that
+.Nm
+is willing to receive an 8 bit data stream.
+.It "DO LFLOW"
+Requests that the client handle flow control
+characters remotely.
+.It "DO ECHO"
+This is not really supported, but is sent to identify a 4.2BSD
+.Xr telnet 1
+client, which will improperly respond with
+.Dv WILL ECHO .
+If a
+.Dv WILL ECHO
+is received, a
+.Dv DONT ECHO
+will be sent in response.
+.It "DO TERMINAL-TYPE"
+Indicate a desire to be able to request the
+name of the type of terminal that is attached
+to the client side of the connection.
+.It "DO SGA"
+Indicate that it does not need to receive
+.Dv IAC GA ,
+the go ahead command.
+.It "DO NAWS"
+Requests that the client inform the server when
+the window (display) size changes.
+.It "DO TERMINAL-SPEED"
+Indicate a desire to be able to request information
+about the speed of the serial line to which
+the client is attached.
+.It "DO XDISPLOC"
+Indicate a desire to be able to request the name
+of the X Window System display that is associated with
+the telnet client.
+.It "DO NEW-ENVIRON"
+Indicate a desire to be able to request environment
+variable information, as described in RFC 1572.
+.It "DO ENVIRON"
+Indicate a desire to be able to request environment
+variable information, as described in RFC 1408.
+.It "DO LINEMODE"
+Only sent if
+.Nm
+is compiled with support for linemode, and
+requests that the client do line by line processing.
+.It "DO TIMING-MARK"
+Only sent if
+.Nm
+is compiled with support for both linemode and
+kludge linemode, and the client responded with
+.Dv WONT LINEMODE .
+If the client responds with
+.Dv WILL TM ,
+the it is assumed that the client supports
+kludge linemode.
+Note that the
+.Op Fl k
+option can be used to disable this.
+.It "DO AUTHENTICATION"
+Only sent if
+.Nm
+is compiled with support for authentication, and
+indicates a willingness to receive authentication
+information for automatic login.
+.It "DO ENCRYPT"
+Only sent if
+.Nm
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Sh FILES
+.Bl -tag -width /usr/ucb/bftp -compact
+.It Pa /etc/services
+.It Pa /etc/inittab
+(UNICOS systems only)
+.It Pa /etc/iptos
+(if supported)
+.It Pa /usr/ucb/bftp
+(if supported)
+.El
+.Sh "SEE ALSO"
+.Xr bftp 1 ,
+.Xr login 1 ,
+.Xr telnet 1
+(if supported)
+.Sh STANDARDS
+.Bl -tag -compact -width RFC-1572
+.It Cm RFC-854
+.Tn TELNET
+PROTOCOL SPECIFICATION
+.It Cm RFC-855
+TELNET OPTION SPECIFICATIONS
+.It Cm RFC-856
+TELNET BINARY TRANSMISSION
+.It Cm RFC-857
+TELNET ECHO OPTION
+.It Cm RFC-858
+TELNET SUPPRESS GO AHEAD OPTION
+.It Cm RFC-859
+TELNET STATUS OPTION
+.It Cm RFC-860
+TELNET TIMING MARK OPTION
+.It Cm RFC-861
+TELNET EXTENDED OPTIONS - LIST OPTION
+.It Cm RFC-885
+TELNET END OF RECORD OPTION
+.It Cm RFC-1073
+Telnet Window Size Option
+.It Cm RFC-1079
+Telnet Terminal Speed Option
+.It Cm RFC-1091
+Telnet Terminal-Type Option
+.It Cm RFC-1096
+Telnet X Display Location Option
+.It Cm RFC-1123
+Requirements for Internet Hosts -- Application and Support
+.It Cm RFC-1184
+Telnet Linemode Option
+.It Cm RFC-1372
+Telnet Remote Flow Control Option
+.It Cm RFC-1416
+Telnet Authentication Option
+.It Cm RFC-1411
+Telnet Authentication: Kerberos Version 4
+.It Cm RFC-1412
+Telnet Authentication: SPX
+.It Cm RFC-1571
+Telnet Environment Option Interoperability Issues
+.It Cm RFC-1572
+Telnet Environment Option
+.El
+.Sh BUGS
+Some
+.Tn TELNET
+commands are only partially implemented.
+.Pp
+Because of bugs in the original 4.2 BSD
+.Xr telnet 1 ,
+.Nm
+performs some dubious protocol exchanges to try to discover if the remote
+client is, in fact, a 4.2 BSD
+.Xr telnet 1 .
+.Pp
+Binary mode
+has no common interpretation except between similar operating systems
+(Unix in this case).
+.Pp
+The terminal type name received from the remote client is converted to
+lower case.
+.Pp
+.Nm Telnetd
+never sends
+.Tn TELNET
+.Dv IAC GA
+(go ahead) commands.
+.Sh HISTORY
+IPv6 support was added by WIDE/KAME project.
diff --git a/crypto/telnet/telnetd/telnetd.c b/crypto/telnet/telnetd/telnetd.c
new file mode 100644
index 0000000..60353d6
--- /dev/null
+++ b/crypto/telnet/telnetd/telnetd.c
@@ -0,0 +1,1619 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+static const char copyright[] =
+"@(#) Copyright (c) 1989, 1993\n\
+	The Regents of the University of California.  All rights reserved.\n";
+#endif /* not lint */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)telnetd.c	8.4 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#include "telnetd.h"
+#include "pathnames.h"
+
+#if	defined(_SC_CRAY_SECURE_SYS) && !defined(SCM_SECURITY)
+/*
+ * UNICOS 6.0/6.1 do not have SCM_SECURITY defined, so we can
+ * use it to tell us to turn off all the socket security code,
+ * since that is only used in UNICOS 7.0 and later.
+ */
+# undef _SC_CRAY_SECURE_SYS
+#endif
+
+#include <err.h>
+#include <arpa/inet.h>
+
+#include <libutil.h>
+#include <utmp.h>
+
+#if	defined(_SC_CRAY_SECURE_SYS)
+#include <sys/sysv.h>
+#include <sys/secdev.h>
+# ifdef SO_SEC_MULTI		/* 8.0 code */
+#include <sys/secparm.h>
+#include <sys/usrv.h>
+# endif /* SO_SEC_MULTI */
+
+/* wrapper for KAME-special getnameinfo() */
+#ifndef NI_WITHSCOPEID
+#define	NI_WITHSCOPEID	0
+#endif
+
+int	secflag;
+char	tty_dev[16];
+struct	secdev dv;
+struct	sysv sysv;
+# ifdef SO_SEC_MULTI		/* 8.0 code */
+struct	socksec ss;
+# else /* SO_SEC_MULTI */	/* 7.0 code */
+struct	socket_security ss;
+# endif /* SO_SEC_MULTI */
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+int	auth_level = 0;
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+#include <libtelnet/misc.h>
+#if	defined(SecurID)
+int	require_SecurID = 0;
+#endif
+
+char	remote_hostname[MAXHOSTNAMELEN];
+int	utmp_len = sizeof(remote_hostname) - 1;
+int	registerd_host_only = 0;
+
+#ifdef	STREAMSPTY
+# include <stropts.h>
+# include <termio.h>
+/* make sure we don't get the bsd version */
+# include "/usr/include/sys/tty.h"
+# include <sys/ptyvar.h>
+
+/*
+ * Because of the way ptyibuf is used with streams messages, we need
+ * ptyibuf+1 to be on a full-word boundary.  The following weirdness
+ * is simply to make that happen.
+ */
+long	ptyibufbuf[BUFSIZ/sizeof(long)+1];
+char	*ptyibuf = ((char *)&ptyibufbuf[1])-1;
+char	*ptyip = ((char *)&ptyibufbuf[1])-1;
+char	ptyibuf2[BUFSIZ];
+unsigned char ctlbuf[BUFSIZ];
+struct	strbuf strbufc, strbufd;
+
+#else	/* ! STREAMPTY */
+
+/*
+ * I/O data buffers,
+ * pointers, and counters.
+ */
+char	ptyibuf[BUFSIZ], *ptyip = ptyibuf;
+char	ptyibuf2[BUFSIZ];
+
+# include <termcap.h>
+
+int readstream(int p, char *ibuf, int bufsize);
+void doit(struct sockaddr *who);
+int terminaltypeok(char *s);
+void startslave(char *host, int autologin, char *autoname);
+
+#endif /* ! STREAMPTY */
+
+int	hostinfo = 1;			/* do we print login banner? */
+
+#ifdef	CRAY
+extern int      newmap; /* nonzero if \n maps to ^M^J */
+int	lowpty = 0, highpty;	/* low, high pty numbers */
+#endif /* CRAY */
+
+int debug = 0;
+int keepalive = 1;
+char *altlogin;
+
+void doit __P((struct sockaddr *));
+int terminaltypeok __P((char *));
+void startslave __P((char *, int, char *));
+extern void usage P((void));
+
+/*
+ * The string to pass to getopt().  We do it this way so
+ * that only the actual options that we support will be
+ * passed off to getopt().
+ */
+char valid_opts[] = {
+	'd', ':', 'h', 'k', 'n', 'p', ':', 'S', ':', 'u', ':', 'U',
+	'4', '6',
+#ifdef	AUTHENTICATION
+	'a', ':', 'X', ':',
+#endif
+#ifdef BFTPDAEMON
+	'B',
+#endif
+#ifdef DIAGNOSTICS
+	'D', ':',
+#endif
+#ifdef	ENCRYPTION
+	'e', ':',
+#endif
+#if	defined(CRAY) && defined(NEWINIT)
+	'I', ':',
+#endif
+#ifdef	LINEMODE
+	'l',
+#endif
+#ifdef CRAY
+	'r', ':',
+#endif
+#ifdef	SecurID
+	's',
+#endif
+	'\0'
+};
+
+int family = AF_INET;
+
+int
+main(argc, argv)
+	char *argv[];
+{
+	struct sockaddr_storage from;
+	int on = 1, fromlen;
+	register int ch;
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+	int tos = -1;
+#endif
+
+	pfrontp = pbackp = ptyobuf;
+	netip = netibuf;
+	nfrontp = nbackp = netobuf;
+#ifdef	ENCRYPTION
+	nclearto = 0;
+#endif	/* ENCRYPTION */
+
+	/*
+	 * This initialization causes linemode to default to a configuration
+	 * that works on all telnet clients, including the FreeBSD client.
+	 * This is not quite the same as the telnet client issuing a "mode
+	 * character" command, but has most of the same benefits, and is
+	 * preferable since some clients (like usofts) don't have the
+	 * mode character command anyway and linemode breaks things.
+	 * The most notable symptom of fix is that csh "set filec" operations
+	 * like <ESC> (filename completion) and ^D (choices) keys now work
+	 * in telnet sessions and can be used more than once on the same line.
+	 * CR/LF handling is also corrected in some termio modes.  This 
+	 * change resolves problem reports bin/771 and bin/1037.
+	 */
+
+	linemode=1;	/*Default to mode that works on bulk of clients*/
+
+#ifdef CRAY
+	/*
+	 * Get number of pty's before trying to process options,
+	 * which may include changing pty range.
+	 */
+	highpty = getnpty();
+#endif /* CRAY */
+
+	while ((ch = getopt(argc, argv, valid_opts)) != -1) {
+		switch(ch) {
+
+#ifdef	AUTHENTICATION
+		case 'a':
+			/*
+			 * Check for required authentication level
+			 */
+			if (strcmp(optarg, "debug") == 0) {
+				extern int auth_debug_mode;
+				auth_debug_mode = 1;
+			} else if (strcasecmp(optarg, "none") == 0) {
+				auth_level = 0;
+			} else if (strcasecmp(optarg, "other") == 0) {
+				auth_level = AUTH_OTHER;
+			} else if (strcasecmp(optarg, "user") == 0) {
+				auth_level = AUTH_USER;
+			} else if (strcasecmp(optarg, "valid") == 0) {
+				auth_level = AUTH_VALID;
+			} else if (strcasecmp(optarg, "off") == 0) {
+				/*
+				 * This hack turns off authentication
+				 */
+				auth_level = -1;
+			} else {
+				warnx("unknown authorization level for -a");
+			}
+			break;
+#endif	/* AUTHENTICATION */
+
+#ifdef BFTPDAEMON
+		case 'B':
+			bftpd++;
+			break;
+#endif /* BFTPDAEMON */
+
+		case 'd':
+			if (strcmp(optarg, "ebug") == 0) {
+				debug++;
+				break;
+			}
+			usage();
+			/* NOTREACHED */
+			break;
+
+#ifdef DIAGNOSTICS
+		case 'D':
+			/*
+			 * Check for desired diagnostics capabilities.
+			 */
+			if (!strcmp(optarg, "report")) {
+				diagnostic |= TD_REPORT|TD_OPTIONS;
+			} else if (!strcmp(optarg, "exercise")) {
+				diagnostic |= TD_EXERCISE;
+			} else if (!strcmp(optarg, "netdata")) {
+				diagnostic |= TD_NETDATA;
+			} else if (!strcmp(optarg, "ptydata")) {
+				diagnostic |= TD_PTYDATA;
+			} else if (!strcmp(optarg, "options")) {
+				diagnostic |= TD_OPTIONS;
+			} else {
+				usage();
+				/* NOT REACHED */
+			}
+			break;
+#endif /* DIAGNOSTICS */
+
+#ifdef	ENCRYPTION
+		case 'e':
+			if (strcmp(optarg, "debug") == 0) {
+				extern int encrypt_debug_mode;
+				encrypt_debug_mode = 1;
+				break;
+			}
+			usage();
+			/* NOTREACHED */
+			break;
+#endif	/* ENCRYPTION */
+
+		case 'h':
+			hostinfo = 0;
+			break;
+
+#if	defined(CRAY) && defined(NEWINIT)
+		case 'I':
+		    {
+			extern char *gen_id;
+			gen_id = optarg;
+			break;
+		    }
+#endif	/* defined(CRAY) && defined(NEWINIT) */
+
+#ifdef	LINEMODE
+		case 'l':
+			alwayslinemode = 1;
+			break;
+#endif	/* LINEMODE */
+
+		case 'k':
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+			lmodetype = NO_AUTOKLUDGE;
+#else
+			/* ignore -k option if built without kludge linemode */
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+			break;
+
+		case 'n':
+			keepalive = 0;
+			break;
+
+		case 'p':
+			altlogin = optarg;
+			break;
+
+#ifdef CRAY
+		case 'r':
+		    {
+			char *strchr();
+			char *c;
+
+			/*
+			 * Allow the specification of alterations
+			 * to the pty search range.  It is legal to
+			 * specify only one, and not change the
+			 * other from its default.
+			 */
+			c = strchr(optarg, '-');
+			if (c) {
+				*c++ = '\0';
+				highpty = atoi(c);
+			}
+			if (*optarg != '\0')
+				lowpty = atoi(optarg);
+			if ((lowpty > highpty) || (lowpty < 0) ||
+							(highpty > 32767)) {
+				usage();
+				/* NOT REACHED */
+			}
+			break;
+		    }
+#endif	/* CRAY */
+
+#ifdef	SecurID
+		case 's':
+			/* SecurID required */
+			require_SecurID = 1;
+			break;
+#endif	/* SecurID */
+		case 'S':
+#ifdef	HAS_GETTOS
+			if ((tos = parsetos(optarg, "tcp")) < 0)
+				warnx("%s%s%s",
+					"bad TOS argument '", optarg,
+					"'; will try to use default TOS");
+#else
+			warnx("TOS option unavailable; -S flag not supported");
+#endif
+			break;
+
+		case 'u':
+			utmp_len = atoi(optarg);
+			if (utmp_len < 0)
+				utmp_len = -utmp_len;
+			if (utmp_len >= sizeof(remote_hostname))
+				utmp_len = sizeof(remote_hostname) - 1;
+			break;
+
+		case 'U':
+			registerd_host_only = 1;
+			break;
+
+#ifdef	AUTHENTICATION
+		case 'X':
+			/*
+			 * Check for invalid authentication types
+			 */
+			auth_disable_name(optarg);
+			break;
+#endif	/* AUTHENTICATION */
+
+		case '4':
+			family = AF_INET;
+			break;
+
+#ifdef INET6
+		case '6':
+			family = AF_INET6;
+			break;
+#endif
+
+		default:
+			warnx("%c: unknown option", ch);
+			/* FALLTHROUGH */
+		case '?':
+			usage();
+			/* NOTREACHED */
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+
+	if (debug) {
+	    int s, ns, foo, error;
+	    char *service = "telnet";
+	    struct addrinfo hints, *res;
+
+	    if (argc > 1) {
+		usage();
+		/* NOT REACHED */
+	    } else if (argc == 1)
+		service = *argv;
+
+	    memset(&hints, 0, sizeof(hints));
+	    hints.ai_flags = AI_PASSIVE;
+	    hints.ai_family = family;
+	    hints.ai_socktype = SOCK_STREAM;
+	    hints.ai_protocol = 0;
+	    error = getaddrinfo(NULL, service, &hints, &res);
+
+	    if (error) {
+		errx(1, "tcp/%s: %s\n", service, gai_strerror(error));
+		if (error == EAI_SYSTEM)
+		    errx(1, "tcp/%s: %s\n", service, strerror(errno));
+		usage();
+	    }
+
+	    s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+	    if (s < 0)
+		    err(1, "socket");
+	    (void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
+				(char *)&on, sizeof(on));
+	    if (bind(s, res->ai_addr, res->ai_addrlen) < 0)
+		err(1, "bind");
+	    if (listen(s, 1) < 0)
+		err(1, "listen");
+	    foo = res->ai_addrlen;
+	    ns = accept(s, res->ai_addr, &foo);
+	    if (ns < 0)
+		err(1, "accept");
+	    (void) dup2(ns, 0);
+	    (void) close(ns);
+	    (void) close(s);
+#ifdef convex
+	} else if (argc == 1) {
+		; /* VOID*/		/* Just ignore the host/port name */
+#endif
+	} else if (argc > 0) {
+		usage();
+		/* NOT REACHED */
+	}
+
+#if	defined(_SC_CRAY_SECURE_SYS)
+	secflag = sysconf(_SC_CRAY_SECURE_SYS);
+
+	/*
+	 *	Get socket's security label
+	 */
+	if (secflag)  {
+		int szss = sizeof(ss);
+#ifdef SO_SEC_MULTI			/* 8.0 code */
+		int sock_multi;
+		int szi = sizeof(int);
+#endif /* SO_SEC_MULTI */
+
+		memset((char *)&dv, 0, sizeof(dv));
+
+		if (getsysv(&sysv, sizeof(struct sysv)) != 0)
+			err(1, "getsysv");
+
+		/*
+		 *	Get socket security label and set device values
+		 *	   {security label to be set on ttyp device}
+		 */
+#ifdef SO_SEC_MULTI			/* 8.0 code */
+		if ((getsockopt(0, SOL_SOCKET, SO_SECURITY,
+			       (char *)&ss, &szss) < 0) ||
+		    (getsockopt(0, SOL_SOCKET, SO_SEC_MULTI,
+				(char *)&sock_multi, &szi) < 0)) {
+			err(1, "getsockopt");
+		} else {
+			dv.dv_actlvl = ss.ss_actlabel.lt_level;
+			dv.dv_actcmp = ss.ss_actlabel.lt_compart;
+			if (!sock_multi) {
+				dv.dv_minlvl = dv.dv_maxlvl = dv.dv_actlvl;
+				dv.dv_valcmp = dv.dv_actcmp;
+			} else {
+				dv.dv_minlvl = ss.ss_minlabel.lt_level;
+				dv.dv_maxlvl = ss.ss_maxlabel.lt_level;
+				dv.dv_valcmp = ss.ss_maxlabel.lt_compart;
+			}
+			dv.dv_devflg = 0;
+		}
+#else /* SO_SEC_MULTI */		/* 7.0 code */
+		if (getsockopt(0, SOL_SOCKET, SO_SECURITY,
+				(char *)&ss, &szss) >= 0) {
+			dv.dv_actlvl = ss.ss_slevel;
+			dv.dv_actcmp = ss.ss_compart;
+			dv.dv_minlvl = ss.ss_minlvl;
+			dv.dv_maxlvl = ss.ss_maxlvl;
+			dv.dv_valcmp = ss.ss_maxcmp;
+		}
+#endif /* SO_SEC_MULTI */
+	}
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+	openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON);
+	fromlen = sizeof (from);
+	if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) {
+		warn("getpeername");
+		_exit(1);
+	}
+	if (keepalive &&
+	    setsockopt(0, SOL_SOCKET, SO_KEEPALIVE,
+			(char *)&on, sizeof (on)) < 0) {
+		syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
+	}
+
+#if	defined(IPPROTO_IP) && defined(IP_TOS)
+	if (from.ss_family == AF_INET) {
+# if	defined(HAS_GETTOS)
+		struct tosent *tp;
+		if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+			tos = tp->t_tos;
+# endif
+		if (tos < 0)
+			tos = 020;	/* Low Delay bit */
+		if (tos
+		   && (setsockopt(0, IPPROTO_IP, IP_TOS,
+				  (char *)&tos, sizeof(tos)) < 0)
+		   && (errno != ENOPROTOOPT) )
+			syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+	}
+#endif	/* defined(IPPROTO_IP) && defined(IP_TOS) */
+	net = 0;
+	doit((struct sockaddr *)&from);
+	/* NOTREACHED */
+	return(0);
+}  /* end of main */
+
+	void
+usage()
+{
+	fprintf(stderr, "usage: telnetd");
+#ifdef	AUTHENTICATION
+	fprintf(stderr, " [-a (debug|other|user|valid|off|none)]\n\t");
+#endif
+#ifdef BFTPDAEMON
+	fprintf(stderr, " [-B]");
+#endif
+	fprintf(stderr, " [-debug]");
+#ifdef DIAGNOSTICS
+	fprintf(stderr, " [-D (options|report|exercise|netdata|ptydata)]\n\t");
+#endif
+#ifdef	AUTHENTICATION
+	fprintf(stderr, " [-edebug]");
+#endif
+	fprintf(stderr, " [-h]");
+#if	defined(CRAY) && defined(NEWINIT)
+	fprintf(stderr, " [-Iinitid]");
+#endif
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+	fprintf(stderr, " [-k]");
+#endif
+#ifdef LINEMODE
+	fprintf(stderr, " [-l]");
+#endif
+	fprintf(stderr, " [-n]");
+#ifdef	CRAY
+	fprintf(stderr, " [-r[lowpty]-[highpty]]");
+#endif
+	fprintf(stderr, "\n\t");
+#ifdef	SecurID
+	fprintf(stderr, " [-s]");
+#endif
+#ifdef	HAS_GETTOS
+	fprintf(stderr, " [-S tos]");
+#endif
+#ifdef	AUTHENTICATION
+	fprintf(stderr, " [-X auth-type]");
+#endif
+	fprintf(stderr, " [-u utmp_hostname_length] [-U]");
+	fprintf(stderr, " [port]\n");
+	exit(1);
+}
+
+/*
+ * getterminaltype
+ *
+ *	Ask the other end to send along its terminal type and speed.
+ * Output is the variable terminaltype filled in.
+ */
+static unsigned char ttytype_sbbuf[] = {
+	IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE
+};
+
+    int
+getterminaltype(name)
+    char *name;
+{
+    int retval = -1;
+    void _gettermname();
+
+    settimer(baseline);
+#if	defined(AUTHENTICATION)
+    /*
+     * Handle the Authentication option before we do anything else.
+     */
+    send_do(TELOPT_AUTHENTICATION, 1);
+    while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+	ttloop();
+    if (his_state_is_will(TELOPT_AUTHENTICATION)) {
+	retval = auth_wait(name);
+    }
+#endif
+
+#ifdef	ENCRYPTION
+    send_will(TELOPT_ENCRYPT, 1);
+#endif	/* ENCRYPTION */
+    send_do(TELOPT_TTYPE, 1);
+    send_do(TELOPT_TSPEED, 1);
+    send_do(TELOPT_XDISPLOC, 1);
+    send_do(TELOPT_NEW_ENVIRON, 1);
+    send_do(TELOPT_OLD_ENVIRON, 1);
+    while (
+#ifdef	ENCRYPTION
+	   his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+#endif	/* ENCRYPTION */
+	   his_will_wont_is_changing(TELOPT_TTYPE) ||
+	   his_will_wont_is_changing(TELOPT_TSPEED) ||
+	   his_will_wont_is_changing(TELOPT_XDISPLOC) ||
+	   his_will_wont_is_changing(TELOPT_NEW_ENVIRON) ||
+	   his_will_wont_is_changing(TELOPT_OLD_ENVIRON)) {
+	ttloop();
+    }
+#ifdef	ENCRYPTION
+    /*
+     * Wait for the negotiation of what type of encryption we can
+     * send with.  If autoencrypt is not set, this will just return.
+     */
+    if (his_state_is_will(TELOPT_ENCRYPT)) {
+	encrypt_wait();
+    }
+#endif	/* ENCRYPTION */
+    if (his_state_is_will(TELOPT_TSPEED)) {
+	static unsigned char sb[] =
+			{ IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE };
+
+	output_datalen(sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+	static unsigned char sb[] =
+			{ IAC, SB, TELOPT_XDISPLOC, TELQUAL_SEND, IAC, SE };
+
+	output_datalen(sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
+	static unsigned char sb[] =
+			{ IAC, SB, TELOPT_NEW_ENVIRON, TELQUAL_SEND, IAC, SE };
+
+	output_datalen(sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    else if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
+	static unsigned char sb[] =
+			{ IAC, SB, TELOPT_OLD_ENVIRON, TELQUAL_SEND, IAC, SE };
+
+	output_datalen(sb, sizeof sb);
+	DIAG(TD_OPTIONS, printsub('>', sb + 2, sizeof sb - 2););
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+
+	output_datalen(ttytype_sbbuf, sizeof ttytype_sbbuf);
+	DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2,
+					sizeof ttytype_sbbuf - 2););
+    }
+    if (his_state_is_will(TELOPT_TSPEED)) {
+	while (sequenceIs(tspeedsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+	while (sequenceIs(xdisplocsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
+	while (sequenceIs(environsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
+	while (sequenceIs(oenvironsubopt, baseline))
+	    ttloop();
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+	char first[256], last[256];
+
+	while (sequenceIs(ttypesubopt, baseline))
+	    ttloop();
+
+	/*
+	 * If the other side has already disabled the option, then
+	 * we have to just go with what we (might) have already gotten.
+	 */
+	if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) {
+	    (void) strncpy(first, terminaltype, sizeof(first)-1);
+	    first[sizeof(first)-1] = '\0';
+	    for(;;) {
+		/*
+		 * Save the unknown name, and request the next name.
+		 */
+		(void) strncpy(last, terminaltype, sizeof(last)-1);
+		last[sizeof(last)-1] = '\0';
+		_gettermname();
+		if (terminaltypeok(terminaltype))
+		    break;
+		if ((strncmp(last, terminaltype, sizeof(last)) == 0) ||
+		    his_state_is_wont(TELOPT_TTYPE)) {
+		    /*
+		     * We've hit the end.  If this is the same as
+		     * the first name, just go with it.
+		     */
+		    if (strncmp(first, terminaltype, sizeof(first)) == 0)
+			break;
+		    /*
+		     * Get the terminal name one more time, so that
+		     * RFC1091 compliant telnets will cycle back to
+		     * the start of the list.
+		     */
+		     _gettermname();
+		    if (strncmp(first, terminaltype, sizeof(first)) != 0) {
+			(void) strncpy(terminaltype, first, sizeof(terminaltype)-1);
+			terminaltype[sizeof(terminaltype)-1] = '\0';
+		    }
+		    break;
+		}
+	    }
+	}
+    }
+    return(retval);
+}  /* end of getterminaltype */
+
+    void
+_gettermname()
+{
+    /*
+     * If the client turned off the option,
+     * we can't send another request, so we
+     * just return.
+     */
+    if (his_state_is_wont(TELOPT_TTYPE))
+	return;
+    settimer(baseline);
+    output_datalen(ttytype_sbbuf, sizeof ttytype_sbbuf);
+    DIAG(TD_OPTIONS, printsub('>', ttytype_sbbuf + 2,
+					sizeof ttytype_sbbuf - 2););
+    while (sequenceIs(ttypesubopt, baseline))
+	ttloop();
+}
+
+    int
+terminaltypeok(s)
+    char *s;
+{
+    char buf[1024];
+
+    if (terminaltype == NULL)
+	return(1);
+
+    /*
+     * tgetent() will return 1 if the type is known, and
+     * 0 if it is not known.  If it returns -1, it couldn't
+     * open the database.  But if we can't open the database,
+     * it won't help to say we failed, because we won't be
+     * able to verify anything else.  So, we treat -1 like 1.
+     */
+    if (tgetent(buf, s) == 0)
+	return(0);
+    return(1);
+}
+
+#ifndef	MAXHOSTNAMELEN
+#define	MAXHOSTNAMELEN 256
+#endif	/* MAXHOSTNAMELEN */
+
+char *hostname;
+char host_name[MAXHOSTNAMELEN];
+
+extern void telnet P((int, int, char *));
+
+int level;
+char user_name[256];
+/*
+ * Get a pty, scan input lines.
+ */
+	void
+doit(who)
+	struct sockaddr *who;
+{
+	int err;
+	int ptynum;
+
+	/*
+	 * Find an available pty to use.
+	 */
+#ifndef	convex
+	pty = getpty(&ptynum);
+	if (pty < 0)
+		fatal(net, "All network ports in use");
+#else
+	for (;;) {
+		char *lp;
+		extern char *line, *getpty();
+
+		if ((lp = getpty()) == NULL)
+			fatal(net, "Out of ptys");
+
+		if ((pty = open(lp, 2)) >= 0) {
+			strlcpy(line,lp,sizeof(line));
+			line[5] = 't';
+			break;
+		}
+	}
+#endif
+
+#if	defined(_SC_CRAY_SECURE_SYS)
+	/*
+	 *	set ttyp line security label
+	 */
+	if (secflag) {
+		char slave_dev[16];
+
+		sprintf(tty_dev, "/dev/pty/%03d", ptynum);
+		if (setdevs(tty_dev, &dv) < 0)
+		 	fatal(net, "cannot set pty security");
+		sprintf(slave_dev, "/dev/ttyp%03d", ptynum);
+		if (setdevs(slave_dev, &dv) < 0)
+		 	fatal(net, "cannot set tty security");
+	}
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+	/* get name of connected client */
+	if (realhostname_sa(remote_hostname, sizeof(remote_hostname) - 1,
+	    who, who->sa_len) == HOSTNAME_INVALIDADDR && registerd_host_only)
+		fatal(net, "Couldn't resolve your address into a host name.\r\n\
+	 Please contact your net administrator");
+	remote_hostname[sizeof(remote_hostname) - 1] = '\0';
+
+	trimdomain(remote_hostname, UT_HOSTSIZE);
+	if (!isdigit(remote_hostname[0]) && strlen(remote_hostname) > utmp_len)
+		err = getnameinfo(who, who->sa_len, remote_hostname,
+				  sizeof(remote_hostname), NULL, 0,
+				  NI_NUMERICHOST|NI_WITHSCOPEID);
+		/* XXX: do 'err' check */
+
+	(void) gethostname(host_name, sizeof(host_name) - 1);
+	host_name[sizeof(host_name) - 1] = '\0';
+	hostname = host_name;
+
+#if	defined(AUTHENTICATION) || defined(ENCRYPTION)
+	auth_encrypt_init(hostname, remote_hostname, "TELNETD", 1);
+#endif
+
+	init_env();
+	/*
+	 * get terminal type.
+	 */
+	*user_name = 0;
+	level = getterminaltype(user_name);
+	setenv("TERM", terminaltype ? terminaltype : "network", 1);
+
+#if	defined(_SC_CRAY_SECURE_SYS)
+	if (secflag) {
+		if (setulvl(dv.dv_actlvl) < 0)
+			fatal(net,"cannot setulvl()");
+		if (setucmp(dv.dv_actcmp) < 0)
+			fatal(net, "cannot setucmp()");
+	}
+#endif	/* _SC_CRAY_SECURE_SYS */
+
+	telnet(net, pty, remote_hostname);	/* begin server process */
+
+	/*NOTREACHED*/
+}  /* end of doit */
+
+#if	defined(CRAY2) && defined(UNICOS5) && defined(UNICOS50)
+	int
+Xterm_output(ibufp, obuf, icountp, ocount)
+	char **ibufp, *obuf;
+	int *icountp, ocount;
+{
+	int ret;
+	ret = term_output(*ibufp, obuf, *icountp, ocount);
+	*ibufp += *icountp;
+	*icountp = 0;
+	return(ret);
+}
+#define	term_output	Xterm_output
+#endif	/* defined(CRAY2) && defined(UNICOS5) && defined(UNICOS50) */
+
+/*
+ * Main loop.  Select from pty and network, and
+ * hand data to telnet receiver finite state machine.
+ */
+	void
+telnet(f, p, host)
+	int f, p;
+	char *host;
+{
+	int on = 1;
+#define	TABBUFSIZ	512
+	char	defent[TABBUFSIZ];
+	char	defstrs[TABBUFSIZ];
+#undef	TABBUFSIZ
+	char *HE;
+	char *HN;
+	char *IM;
+	void netflush();
+	int nfd;
+
+	/*
+	 * Initialize the slc mapping table.
+	 */
+	get_slc_defaults();
+
+	/*
+	 * Do some tests where it is desireable to wait for a response.
+	 * Rather than doing them slowly, one at a time, do them all
+	 * at once.
+	 */
+	if (my_state_is_wont(TELOPT_SGA))
+		send_will(TELOPT_SGA, 1);
+	/*
+	 * Is the client side a 4.2 (NOT 4.3) system?  We need to know this
+	 * because 4.2 clients are unable to deal with TCP urgent data.
+	 *
+	 * To find out, we send out a "DO ECHO".  If the remote system
+	 * answers "WILL ECHO" it is probably a 4.2 client, and we note
+	 * that fact ("WILL ECHO" ==> that the client will echo what
+	 * WE, the server, sends it; it does NOT mean that the client will
+	 * echo the terminal input).
+	 */
+	send_do(TELOPT_ECHO, 1);
+
+#ifdef	LINEMODE
+	if (his_state_is_wont(TELOPT_LINEMODE)) {
+		/* Query the peer for linemode support by trying to negotiate
+		 * the linemode option.
+		 */
+		linemode = 0;
+		editmode = 0;
+		send_do(TELOPT_LINEMODE, 1);  /* send do linemode */
+	}
+#endif	/* LINEMODE */
+
+	/*
+	 * Send along a couple of other options that we wish to negotiate.
+	 */
+	send_do(TELOPT_NAWS, 1);
+	send_will(TELOPT_STATUS, 1);
+	flowmode = 1;		/* default flow control state */
+	restartany = -1;	/* uninitialized... */
+	send_do(TELOPT_LFLOW, 1);
+
+	/*
+	 * Spin, waiting for a response from the DO ECHO.  However,
+	 * some REALLY DUMB telnets out there might not respond
+	 * to the DO ECHO.  So, we spin looking for NAWS, (most dumb
+	 * telnets so far seem to respond with WONT for a DO that
+	 * they don't understand...) because by the time we get the
+	 * response, it will already have processed the DO ECHO.
+	 * Kludge upon kludge.
+	 */
+	while (his_will_wont_is_changing(TELOPT_NAWS))
+		ttloop();
+
+	/*
+	 * But...
+	 * The client might have sent a WILL NAWS as part of its
+	 * startup code; if so, we'll be here before we get the
+	 * response to the DO ECHO.  We'll make the assumption
+	 * that any implementation that understands about NAWS
+	 * is a modern enough implementation that it will respond
+	 * to our DO ECHO request; hence we'll do another spin
+	 * waiting for the ECHO option to settle down, which is
+	 * what we wanted to do in the first place...
+	 */
+	if (his_want_state_is_will(TELOPT_ECHO) &&
+	    his_state_is_will(TELOPT_NAWS)) {
+		while (his_will_wont_is_changing(TELOPT_ECHO))
+			ttloop();
+	}
+	/*
+	 * On the off chance that the telnet client is broken and does not
+	 * respond to the DO ECHO we sent, (after all, we did send the
+	 * DO NAWS negotiation after the DO ECHO, and we won't get here
+	 * until a response to the DO NAWS comes back) simulate the
+	 * receipt of a will echo.  This will also send a WONT ECHO
+	 * to the client, since we assume that the client failed to
+	 * respond because it believes that it is already in DO ECHO
+	 * mode, which we do not want.
+	 */
+	if (his_want_state_is_will(TELOPT_ECHO)) {
+		DIAG(TD_OPTIONS, output_data("td: simulating recv\r\n"));
+		willoption(TELOPT_ECHO);
+	}
+
+	/*
+	 * Finally, to clean things up, we turn on our echo.  This
+	 * will break stupid 4.2 telnets out of local terminal echo.
+	 */
+
+	if (my_state_is_wont(TELOPT_ECHO))
+		send_will(TELOPT_ECHO, 1);
+
+#ifndef	STREAMSPTY
+	/*
+	 * Turn on packet mode
+	 */
+	(void) ioctl(p, TIOCPKT, (char *)&on);
+#endif
+
+#if	defined(LINEMODE) && defined(KLUDGELINEMODE)
+	/*
+	 * Continuing line mode support.  If client does not support
+	 * real linemode, attempt to negotiate kludge linemode by sending
+	 * the do timing mark sequence.
+	 */
+	if (lmodetype < REAL_LINEMODE)
+		send_do(TELOPT_TM, 1);
+#endif	/* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+
+	/*
+	 * Call telrcv() once to pick up anything received during
+	 * terminal type negotiation, 4.2/4.3 determination, and
+	 * linemode negotiation.
+	 */
+	telrcv();
+
+	(void) ioctl(f, FIONBIO, (char *)&on);
+	(void) ioctl(p, FIONBIO, (char *)&on);
+#if	defined(CRAY2) && defined(UNICOS5)
+	init_termdriver(f, p, interrupt, sendbrk);
+#endif
+
+#if	defined(SO_OOBINLINE)
+	(void) setsockopt(net, SOL_SOCKET, SO_OOBINLINE,
+				(char *)&on, sizeof on);
+#endif	/* defined(SO_OOBINLINE) */
+
+#ifdef	SIGTSTP
+	(void) signal(SIGTSTP, SIG_IGN);
+#endif
+#ifdef	SIGTTOU
+	/*
+	 * Ignoring SIGTTOU keeps the kernel from blocking us
+	 * in ttioct() in /sys/tty.c.
+	 */
+	(void) signal(SIGTTOU, SIG_IGN);
+#endif
+
+	(void) signal(SIGCHLD, cleanup);
+
+#if	defined(CRAY2) && defined(UNICOS5)
+	/*
+	 * Cray-2 will send a signal when pty modes are changed by slave
+	 * side.  Set up signal handler now.
+	 */
+	if ((int)signal(SIGUSR1, termstat) < 0)
+		warn("signal");
+	else if (ioctl(p, TCSIGME, (char *)SIGUSR1) < 0)
+		warn("ioctl:TCSIGME");
+	/*
+	 * Make processing loop check terminal characteristics early on.
+	 */
+	termstat();
+#endif
+
+#ifdef  TIOCNOTTY
+	{
+		register int t;
+		t = open(_PATH_TTY, O_RDWR);
+		if (t >= 0) {
+			(void) ioctl(t, TIOCNOTTY, (char *)0);
+			(void) close(t);
+		}
+	}
+#endif
+
+#if	defined(CRAY) && defined(NEWINIT) && defined(TIOCSCTTY)
+	(void) setsid();
+	ioctl(p, TIOCSCTTY, 0);
+#endif
+
+	/*
+	 * Show banner that getty never gave.
+	 *
+	 * We put the banner in the pty input buffer.  This way, it
+	 * gets carriage return null processing, etc., just like all
+	 * other pty --> client data.
+	 */
+
+#if	!defined(CRAY) || !defined(NEWINIT)
+	if (getenv("USER"))
+		hostinfo = 0;
+#endif
+
+	if (getent(defent, "default") == 1) {
+		char *Getstr();
+		char *cp=defstrs;
+
+		HE = Getstr("he", &cp);
+		HN = Getstr("hn", &cp);
+		IM = Getstr("im", &cp);
+		if (HN && *HN)
+			(void) strlcpy(host_name, HN, sizeof(host_name));
+		if (IM == 0)
+			IM = "";
+	} else {
+		IM = DEFAULT_IM;
+		HE = 0;
+	}
+	edithost(HE, host_name);
+	if (hostinfo && *IM)
+		putf(IM, ptyibuf2);
+
+	if (pcc)
+		(void) strncat(ptyibuf2, ptyip, pcc+1);
+	ptyip = ptyibuf2;
+	pcc = strlen(ptyip);
+#ifdef	LINEMODE
+	/*
+	 * Last check to make sure all our states are correct.
+	 */
+	init_termbuf();
+	localstat();
+#endif	/* LINEMODE */
+
+	DIAG(TD_REPORT, output_data("td: Entering processing loop\r\n"));
+
+	/*
+	 * Startup the login process on the slave side of the terminal
+	 * now.  We delay this until here to insure option negotiation
+	 * is complete.
+	 */
+	startslave(host, level, user_name);
+
+	nfd = ((f > p) ? f : p) + 1;
+	for (;;) {
+		fd_set ibits, obits, xbits;
+		register int c;
+
+		if (ncc < 0 && pcc < 0)
+			break;
+
+#if	defined(CRAY2) && defined(UNICOS5)
+		if (needtermstat)
+			_termstat();
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+		FD_ZERO(&ibits);
+		FD_ZERO(&obits);
+		FD_ZERO(&xbits);
+		/*
+		 * Never look for input if there's still
+		 * stuff in the corresponding output buffer
+		 */
+		if (nfrontp - nbackp || pcc > 0) {
+			FD_SET(f, &obits);
+		} else {
+			FD_SET(p, &ibits);
+		}
+		if (pfrontp - pbackp || ncc > 0) {
+			FD_SET(p, &obits);
+		} else {
+			FD_SET(f, &ibits);
+		}
+		if (!SYNCHing) {
+			FD_SET(f, &xbits);
+		}
+		if ((c = select(nfd, &ibits, &obits, &xbits,
+						(struct timeval *)0)) < 1) {
+			if (c == -1) {
+				if (errno == EINTR) {
+					continue;
+				}
+			}
+			sleep(5);
+			continue;
+		}
+
+		/*
+		 * Any urgent data?
+		 */
+		if (FD_ISSET(net, &xbits)) {
+		    SYNCHing = 1;
+		}
+
+		/*
+		 * Something to read from the network...
+		 */
+		if (FD_ISSET(net, &ibits)) {
+#if	!defined(SO_OOBINLINE)
+			/*
+			 * In 4.2 (and 4.3 beta) systems, the
+			 * OOB indication and data handling in the kernel
+			 * is such that if two separate TCP Urgent requests
+			 * come in, one byte of TCP data will be overlaid.
+			 * This is fatal for Telnet, but we try to live
+			 * with it.
+			 *
+			 * In addition, in 4.2 (and...), a special protocol
+			 * is needed to pick up the TCP Urgent data in
+			 * the correct sequence.
+			 *
+			 * What we do is:  if we think we are in urgent
+			 * mode, we look to see if we are "at the mark".
+			 * If we are, we do an OOB receive.  If we run
+			 * this twice, we will do the OOB receive twice,
+			 * but the second will fail, since the second
+			 * time we were "at the mark", but there wasn't
+			 * any data there (the kernel doesn't reset
+			 * "at the mark" until we do a normal read).
+			 * Once we've read the OOB data, we go ahead
+			 * and do normal reads.
+			 *
+			 * There is also another problem, which is that
+			 * since the OOB byte we read doesn't put us
+			 * out of OOB state, and since that byte is most
+			 * likely the TELNET DM (data mark), we would
+			 * stay in the TELNET SYNCH (SYNCHing) state.
+			 * So, clocks to the rescue.  If we've "just"
+			 * received a DM, then we test for the
+			 * presence of OOB data when the receive OOB
+			 * fails (and AFTER we did the normal mode read
+			 * to clear "at the mark").
+			 */
+		    if (SYNCHing) {
+			int atmark;
+
+			(void) ioctl(net, SIOCATMARK, (char *)&atmark);
+			if (atmark) {
+			    ncc = recv(net, netibuf, sizeof (netibuf), MSG_OOB);
+			    if ((ncc == -1) && (errno == EINVAL)) {
+				ncc = read(net, netibuf, sizeof (netibuf));
+				if (sequenceIs(didnetreceive, gotDM)) {
+				    SYNCHing = stilloob(net);
+				}
+			    }
+			} else {
+			    ncc = read(net, netibuf, sizeof (netibuf));
+			}
+		    } else {
+			ncc = read(net, netibuf, sizeof (netibuf));
+		    }
+		    settimer(didnetreceive);
+#else	/* !defined(SO_OOBINLINE)) */
+		    ncc = read(net, netibuf, sizeof (netibuf));
+#endif	/* !defined(SO_OOBINLINE)) */
+		    if (ncc < 0 && errno == EWOULDBLOCK)
+			ncc = 0;
+		    else {
+			if (ncc <= 0) {
+			    break;
+			}
+			netip = netibuf;
+		    }
+		    DIAG((TD_REPORT | TD_NETDATA),
+			output_data("td: netread %d chars\r\n", ncc));
+		    DIAG(TD_NETDATA, printdata("nd", netip, ncc));
+		}
+
+		/*
+		 * Something to read from the pty...
+		 */
+		if (FD_ISSET(p, &ibits)) {
+#ifndef	STREAMSPTY
+			pcc = read(p, ptyibuf, BUFSIZ);
+#else
+			pcc = readstream(p, ptyibuf, BUFSIZ);
+#endif
+			/*
+			 * On some systems, if we try to read something
+			 * off the master side before the slave side is
+			 * opened, we get EIO.
+			 */
+			if (pcc < 0 && (errno == EWOULDBLOCK ||
+#ifdef	EAGAIN
+					errno == EAGAIN ||
+#endif
+					errno == EIO)) {
+				pcc = 0;
+			} else {
+				if (pcc <= 0)
+					break;
+#if	!defined(CRAY2) || !defined(UNICOS5)
+#ifdef	LINEMODE
+				/*
+				 * If ioctl from pty, pass it through net
+				 */
+				if (ptyibuf[0] & TIOCPKT_IOCTL) {
+					copy_termbuf(ptyibuf+1, pcc-1);
+					localstat();
+					pcc = 1;
+				}
+#endif	/* LINEMODE */
+				if (ptyibuf[0] & TIOCPKT_FLUSHWRITE) {
+					netclear();	/* clear buffer back */
+#ifndef	NO_URGENT
+					/*
+					 * There are client telnets on some
+					 * operating systems get screwed up
+					 * royally if we send them urgent
+					 * mode data.
+					 */
+					output_data("%c%c", IAC, DM);
+					neturg = nfrontp-1; /* off by one XXX */
+					DIAG(TD_OPTIONS,
+					    printoption("td: send IAC", DM));
+
+#endif
+				}
+				if (his_state_is_will(TELOPT_LFLOW) &&
+				    (ptyibuf[0] &
+				     (TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))) {
+					int newflow =
+					    ptyibuf[0] & TIOCPKT_DOSTOP ? 1 : 0;
+					if (newflow != flowmode) {
+						flowmode = newflow;
+						output_data("%c%c%c%c%c%c",
+							IAC, SB, TELOPT_LFLOW,
+							flowmode ? LFLOW_ON
+								 : LFLOW_OFF,
+							IAC, SE);
+						DIAG(TD_OPTIONS, printsub('>',
+						    (unsigned char *)nfrontp-4,
+						    4););
+					}
+				}
+				pcc--;
+				ptyip = ptyibuf+1;
+#else	/* defined(CRAY2) && defined(UNICOS5) */
+				if (!uselinemode) {
+					unpcc = pcc;
+					unptyip = ptyibuf;
+					pcc = term_output(&unptyip, ptyibuf2,
+								&unpcc, BUFSIZ);
+					ptyip = ptyibuf2;
+				} else
+					ptyip = ptyibuf;
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+			}
+		}
+
+		while (pcc > 0) {
+			if ((&netobuf[BUFSIZ] - nfrontp) < 2)
+				break;
+			c = *ptyip++ & 0377, pcc--;
+			if (c == IAC)
+				output_data("%c", c);
+#if	defined(CRAY2) && defined(UNICOS5)
+			else if (c == '\n' &&
+				     my_state_is_wont(TELOPT_BINARY) && newmap)
+				output_data("\r");
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+			output_data("%c", c);
+			if ((c == '\r') && (my_state_is_wont(TELOPT_BINARY))) {
+				if (pcc > 0 && ((*ptyip & 0377) == '\n')) {
+					output_data("%c", *ptyip++ & 0377);
+					pcc--;
+				} else
+					output_data("%c", '\0');
+			}
+		}
+#if	defined(CRAY2) && defined(UNICOS5)
+		/*
+		 * If chars were left over from the terminal driver,
+		 * note their existence.
+		 */
+		if (!uselinemode && unpcc) {
+			pcc = unpcc;
+			unpcc = 0;
+			ptyip = unptyip;
+		}
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+
+		if (FD_ISSET(f, &obits) && (nfrontp - nbackp) > 0)
+			netflush();
+		if (ncc > 0)
+			telrcv();
+		if (FD_ISSET(p, &obits) && (pfrontp - pbackp) > 0)
+			ptyflush();
+	}
+	cleanup(0);
+}  /* end of telnet */
+
+#ifndef	TCSIG
+# ifdef	TIOCSIG
+#  define TCSIG TIOCSIG
+# endif
+#endif
+
+#ifdef	STREAMSPTY
+
+int flowison = -1;  /* current state of flow: -1 is unknown */
+
+int readstream(p, ibuf, bufsize)
+	int p;
+	char *ibuf;
+	int bufsize;
+{
+	int flags = 0;
+	int ret = 0;
+	struct termios *tsp;
+	struct termio *tp;
+	struct iocblk *ip;
+	char vstop, vstart;
+	int ixon;
+	int newflow;
+
+	strbufc.maxlen = BUFSIZ;
+	strbufc.buf = (char *)ctlbuf;
+	strbufd.maxlen = bufsize-1;
+	strbufd.len = 0;
+	strbufd.buf = ibuf+1;
+	ibuf[0] = 0;
+
+	ret = getmsg(p, &strbufc, &strbufd, &flags);
+	if (ret < 0)  /* error of some sort -- probably EAGAIN */
+		return(-1);
+
+	if (strbufc.len <= 0 || ctlbuf[0] == M_DATA) {
+		/* data message */
+		if (strbufd.len > 0) {			/* real data */
+			return(strbufd.len + 1);	/* count header char */
+		} else {
+			/* nothing there */
+			errno = EAGAIN;
+			return(-1);
+		}
+	}
+
+	/*
+	 * It's a control message.  Return 1, to look at the flag we set
+	 */
+
+	switch (ctlbuf[0]) {
+	case M_FLUSH:
+		if (ibuf[1] & FLUSHW)
+			ibuf[0] = TIOCPKT_FLUSHWRITE;
+		return(1);
+
+	case M_IOCTL:
+		ip = (struct iocblk *) (ibuf+1);
+
+		switch (ip->ioc_cmd) {
+		case TCSETS:
+		case TCSETSW:
+		case TCSETSF:
+			tsp = (struct termios *)
+					(ibuf+1 + sizeof(struct iocblk));
+			vstop = tsp->c_cc[VSTOP];
+			vstart = tsp->c_cc[VSTART];
+			ixon = tsp->c_iflag & IXON;
+			break;
+		case TCSETA:
+		case TCSETAW:
+		case TCSETAF:
+			tp = (struct termio *) (ibuf+1 + sizeof(struct iocblk));
+			vstop = tp->c_cc[VSTOP];
+			vstart = tp->c_cc[VSTART];
+			ixon = tp->c_iflag & IXON;
+			break;
+		default:
+			errno = EAGAIN;
+			return(-1);
+		}
+
+		newflow =  (ixon && (vstart == 021) && (vstop == 023)) ? 1 : 0;
+		if (newflow != flowison) {  /* it's a change */
+			flowison = newflow;
+			ibuf[0] = newflow ? TIOCPKT_DOSTOP : TIOCPKT_NOSTOP;
+			return(1);
+		}
+	}
+
+	/* nothing worth doing anything about */
+	errno = EAGAIN;
+	return(-1);
+}
+#endif /* STREAMSPTY */
+
+/*
+ * Send interrupt to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write intr char.
+ */
+	void
+interrupt()
+{
+	ptyflush();	/* half-hearted */
+
+#if defined(STREAMSPTY) && defined(TIOCSIGNAL)
+	/* Streams PTY style ioctl to post a signal */
+	{
+		int sig = SIGINT;
+		(void) ioctl(pty, TIOCSIGNAL, &sig);
+		(void) ioctl(pty, I_FLUSH, FLUSHR);
+	}
+#else
+#ifdef	TCSIG
+	(void) ioctl(pty, TCSIG, (char *)SIGINT);
+#else	/* TCSIG */
+	init_termbuf();
+	*pfrontp++ = slctab[SLC_IP].sptr ?
+			(unsigned char)*slctab[SLC_IP].sptr : '\177';
+#endif	/* TCSIG */
+#endif
+}
+
+/*
+ * Send quit to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write quit char.
+ */
+	void
+sendbrk()
+{
+	ptyflush();	/* half-hearted */
+#ifdef	TCSIG
+	(void) ioctl(pty, TCSIG, (char *)SIGQUIT);
+#else	/* TCSIG */
+	init_termbuf();
+	*pfrontp++ = slctab[SLC_ABORT].sptr ?
+			(unsigned char)*slctab[SLC_ABORT].sptr : '\034';
+#endif	/* TCSIG */
+}
+
+	void
+sendsusp()
+{
+#ifdef	SIGTSTP
+	ptyflush();	/* half-hearted */
+# ifdef	TCSIG
+	(void) ioctl(pty, TCSIG, (char *)SIGTSTP);
+# else	/* TCSIG */
+	*pfrontp++ = slctab[SLC_SUSP].sptr ?
+			(unsigned char)*slctab[SLC_SUSP].sptr : '\032';
+# endif	/* TCSIG */
+#endif	/* SIGTSTP */
+}
+
+/*
+ * When we get an AYT, if ^T is enabled, use that.  Otherwise,
+ * just send back "[Yes]".
+ */
+	void
+recv_ayt()
+{
+#if	defined(SIGINFO) && defined(TCSIG)
+	if (slctab[SLC_AYT].sptr && *slctab[SLC_AYT].sptr != _POSIX_VDISABLE) {
+		(void) ioctl(pty, TCSIG, (char *)SIGINFO);
+		return;
+	}
+#endif
+	output_data("\r\n[Yes]\r\n");
+}
+
+	void
+doeof()
+{
+	init_termbuf();
+
+#if	defined(LINEMODE) && defined(USE_TERMIO) && (VEOF == VMIN)
+	if (!tty_isediting()) {
+		extern char oldeofc;
+		*pfrontp++ = oldeofc;
+		return;
+	}
+#endif
+	*pfrontp++ = slctab[SLC_EOF].sptr ?
+			(unsigned char)*slctab[SLC_EOF].sptr : '\004';
+}
diff --git a/crypto/telnet/telnetd/telnetd.h b/crypto/telnet/telnetd/telnetd.h
new file mode 100644
index 0000000..234b973
--- /dev/null
+++ b/crypto/telnet/telnetd/telnetd.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)telnetd.h	8.1 (Berkeley) 6/4/93
+ */
+
+
+#include "defs.h"
+#include "ext.h"
+
+#ifdef	DIAGNOSTICS
+#define	DIAG(a,b)	if (diagnostic & (a)) b
+#else
+#define	DIAG(a,b)
+#endif
+
+/* other external variables */
+extern	char **environ;
+extern	int errno;
+
diff --git a/crypto/telnet/telnetd/termstat.c b/crypto/telnet/telnetd/termstat.c
new file mode 100644
index 0000000..30230d4
--- /dev/null
+++ b/crypto/telnet/telnetd/termstat.c
@@ -0,0 +1,671 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)termstat.c	8.2 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#include "telnetd.h"
+
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+/*
+ * local variables
+ */
+int def_tspeed = -1, def_rspeed = -1;
+#ifdef	TIOCSWINSZ
+int def_row = 0, def_col = 0;
+#endif
+#ifdef	LINEMODE
+static int _terminit = 0;
+#endif	/* LINEMODE */
+
+#if	defined(CRAY2) && defined(UNICOS5)
+int	newmap = 1;	/* nonzero if \n maps to ^M^J */
+#endif
+
+#ifdef	LINEMODE
+/*
+ * localstat
+ *
+ * This function handles all management of linemode.
+ *
+ * Linemode allows the client to do the local editing of data
+ * and send only complete lines to the server.  Linemode state is
+ * based on the state of the pty driver.  If the pty is set for
+ * external processing, then we can use linemode.  Further, if we
+ * can use real linemode, then we can look at the edit control bits
+ * in the pty to determine what editing the client should do.
+ *
+ * Linemode support uses the following state flags to keep track of
+ * current and desired linemode state.
+ *	alwayslinemode : true if -l was specified on the telnetd
+ * 	command line.  It means to have linemode on as much as
+ *	possible.
+ *
+ * 	lmodetype: signifies whether the client can
+ *	handle real linemode, or if use of kludgeomatic linemode
+ *	is preferred.  It will be set to one of the following:
+ *		REAL_LINEMODE : use linemode option
+ *		NO_KLUDGE : don't initiate kludge linemode.
+ *		KLUDGE_LINEMODE : use kludge linemode
+ *		NO_LINEMODE : client is ignorant of linemode
+ *
+ *	linemode, uselinemode : linemode is true if linemode
+ *	is currently on, uselinemode is the state that we wish
+ *	to be in.  If another function wishes to turn linemode
+ *	on or off, it sets or clears uselinemode.
+ *
+ *	editmode, useeditmode : like linemode/uselinemode, but
+ *	these contain the edit mode states (edit and trapsig).
+ *
+ * The state variables correspond to some of the state information
+ * in the pty.
+ *	linemode:
+ *		In real linemode, this corresponds to whether the pty
+ *		expects external processing of incoming data.
+ *		In kludge linemode, this more closely corresponds to the
+ *		whether normal processing is on or not.  (ICANON in
+ *		system V, or COOKED mode in BSD.)
+ *		If the -l option was specified (alwayslinemode), then
+ *		an attempt is made to force external processing on at
+ *		all times.
+ *
+ * The following heuristics are applied to determine linemode
+ * handling within the server.
+ *	1) Early on in starting up the server, an attempt is made
+ *	   to negotiate the linemode option.  If this succeeds
+ *	   then lmodetype is set to REAL_LINEMODE and all linemode
+ *	   processing occurs in the context of the linemode option.
+ *	2) If the attempt to negotiate the linemode option failed,
+ *	   and the "-k" (don't initiate kludge linemode) isn't set,
+ *	   then we try to use kludge linemode.  We test for this
+ *	   capability by sending "do Timing Mark".  If a positive
+ *	   response comes back, then we assume that the client
+ *	   understands kludge linemode (ech!) and the
+ *	   lmodetype flag is set to KLUDGE_LINEMODE.
+ *	3) Otherwise, linemode is not supported at all and
+ *	   lmodetype remains set to NO_LINEMODE (which happens
+ *	   to be 0 for convenience).
+ *	4) At any time a command arrives that implies a higher
+ *	   state of linemode support in the client, we move to that
+ *	   linemode support.
+ *
+ * A short explanation of kludge linemode is in order here.
+ *	1) The heuristic to determine support for kludge linemode
+ *	   is to send a do timing mark.  We assume that a client
+ *	   that supports timing marks also supports kludge linemode.
+ *	   A risky proposition at best.
+ *	2) Further negotiation of linemode is done by changing the
+ *	   the server's state regarding SGA.  If server will SGA,
+ *	   then linemode is off, if server won't SGA, then linemode
+ *	   is on.
+ */
+	void
+localstat()
+{
+	void netflush();
+	int need_will_echo = 0;
+
+#if	defined(CRAY2) && defined(UNICOS5)
+	/*
+	 * Keep track of that ol' CR/NL mapping while we're in the
+	 * neighborhood.
+	 */
+	newmap = tty_isnewmap();
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+
+	/*
+	 * Check for changes to flow control if client supports it.
+	 */
+	flowstat();
+
+	/*
+	 * Check linemode on/off state
+	 */
+	uselinemode = tty_linemode();
+
+	/*
+	 * If alwayslinemode is on, and pty is changing to turn it off, then
+	 * force linemode back on.
+	 */
+	if (alwayslinemode && linemode && !uselinemode) {
+		uselinemode = 1;
+		tty_setlinemode(uselinemode);
+	}
+
+	if (uselinemode) {
+		/*
+	 * Check for state of BINARY options.
+		 *
+		 * We only need to do the binary dance if we are actually going
+		 * to use linemode.  As this confuses some telnet clients
+		 * that don't support linemode, and doesn't gain us
+		 * anything, we don't do it unless we're doing linemode.
+		 * -Crh (henrich@msu.edu)
+	 */
+
+	if (tty_isbinaryin()) {
+		if (his_want_state_is_wont(TELOPT_BINARY))
+			send_do(TELOPT_BINARY, 1);
+	} else {
+		if (his_want_state_is_will(TELOPT_BINARY))
+			send_dont(TELOPT_BINARY, 1);
+	}
+
+	if (tty_isbinaryout()) {
+		if (my_want_state_is_wont(TELOPT_BINARY))
+			send_will(TELOPT_BINARY, 1);
+	} else {
+		if (my_want_state_is_will(TELOPT_BINARY))
+			send_wont(TELOPT_BINARY, 1);
+	}
+	}
+
+#ifdef	ENCRYPTION
+	/*
+	 * If the terminal is not echoing, but editing is enabled,
+	 * something like password input is going to happen, so
+	 * if we the other side is not currently sending encrypted
+	 * data, ask the other side to start encrypting.
+	 */
+	if (his_state_is_will(TELOPT_ENCRYPT)) {
+		static int enc_passwd = 0;
+		if (uselinemode && !tty_isecho() && tty_isediting()
+		    && (enc_passwd == 0) && !decrypt_input) {
+			encrypt_send_request_start();
+			enc_passwd = 1;
+		} else if (enc_passwd) {
+			encrypt_send_request_end();
+			enc_passwd = 0;
+		}
+	}
+#endif	/* ENCRYPTION */
+
+	/*
+	 * Do echo mode handling as soon as we know what the
+	 * linemode is going to be.
+	 * If the pty has echo turned off, then tell the client that
+	 * the server will echo.  If echo is on, then the server
+	 * will echo if in character mode, but in linemode the
+	 * client should do local echoing.  The state machine will
+	 * not send anything if it is unnecessary, so don't worry
+	 * about that here.
+	 *
+	 * If we need to send the WILL ECHO (because echo is off),
+	 * then delay that until after we have changed the MODE.
+	 * This way, when the user is turning off both editing
+	 * and echo, the client will get editing turned off first.
+	 * This keeps the client from going into encryption mode
+	 * and then right back out if it is doing auto-encryption
+	 * when passwords are being typed.
+	 */
+	if (uselinemode) {
+		if (tty_isecho())
+			send_wont(TELOPT_ECHO, 1);
+		else
+			need_will_echo = 1;
+#ifdef	KLUDGELINEMODE
+		if (lmodetype == KLUDGE_OK)
+			lmodetype = KLUDGE_LINEMODE;
+#endif
+	}
+
+	/*
+	 * If linemode is being turned off, send appropriate
+	 * command and then we're all done.
+	 */
+	 if (!uselinemode && linemode) {
+# ifdef	KLUDGELINEMODE
+		if (lmodetype == REAL_LINEMODE) {
+# endif	/* KLUDGELINEMODE */
+			send_dont(TELOPT_LINEMODE, 1);
+# ifdef	KLUDGELINEMODE
+		} else if (lmodetype == KLUDGE_LINEMODE)
+			send_will(TELOPT_SGA, 1);
+# endif	/* KLUDGELINEMODE */
+		send_will(TELOPT_ECHO, 1);
+		linemode = uselinemode;
+		goto done;
+	}
+
+# ifdef	KLUDGELINEMODE
+	/*
+	 * If using real linemode check edit modes for possible later use.
+	 * If we are in kludge linemode, do the SGA negotiation.
+	 */
+	if (lmodetype == REAL_LINEMODE) {
+# endif	/* KLUDGELINEMODE */
+		useeditmode = 0;
+		if (tty_isediting())
+			useeditmode |= MODE_EDIT;
+		if (tty_istrapsig())
+			useeditmode |= MODE_TRAPSIG;
+		if (tty_issofttab())
+			useeditmode |= MODE_SOFT_TAB;
+		if (tty_islitecho())
+			useeditmode |= MODE_LIT_ECHO;
+# ifdef	KLUDGELINEMODE
+	} else if (lmodetype == KLUDGE_LINEMODE) {
+		if (tty_isediting() && uselinemode)
+			send_wont(TELOPT_SGA, 1);
+		else
+			send_will(TELOPT_SGA, 1);
+	}
+# endif	/* KLUDGELINEMODE */
+
+	/*
+	 * Negotiate linemode on if pty state has changed to turn it on.
+	 * Send appropriate command and send along edit mode, then all done.
+	 */
+	if (uselinemode && !linemode) {
+# ifdef	KLUDGELINEMODE
+		if (lmodetype == KLUDGE_LINEMODE) {
+			send_wont(TELOPT_SGA, 1);
+		} else if (lmodetype == REAL_LINEMODE) {
+# endif	/* KLUDGELINEMODE */
+			send_do(TELOPT_LINEMODE, 1);
+			/* send along edit modes */
+			output_data("%c%c%c%c%c%c%c", IAC, SB,
+				TELOPT_LINEMODE, LM_MODE, useeditmode,
+				IAC, SE);
+			editmode = useeditmode;
+# ifdef	KLUDGELINEMODE
+		}
+# endif	/* KLUDGELINEMODE */
+		linemode = uselinemode;
+		goto done;
+	}
+
+# ifdef	KLUDGELINEMODE
+	/*
+	 * None of what follows is of any value if not using
+	 * real linemode.
+	 */
+	if (lmodetype < REAL_LINEMODE)
+		goto done;
+# endif	/* KLUDGELINEMODE */
+
+	if (linemode && his_state_is_will(TELOPT_LINEMODE)) {
+		/*
+		 * If edit mode changed, send edit mode.
+		 */
+		 if (useeditmode != editmode) {
+			/*
+			 * Send along appropriate edit mode mask.
+			 */
+			output_data("%c%c%c%c%c%c%c", IAC, SB,
+				TELOPT_LINEMODE, LM_MODE, useeditmode,
+				IAC, SE);
+			editmode = useeditmode;
+		}
+
+
+		/*
+		 * Check for changes to special characters in use.
+		 */
+		start_slc(0);
+		check_slc();
+		(void) end_slc(0);
+	}
+
+done:
+	if (need_will_echo)
+		send_will(TELOPT_ECHO, 1);
+	/*
+	 * Some things should be deferred until after the pty state has
+	 * been set by the local process.  Do those things that have been
+	 * deferred now.  This only happens once.
+	 */
+	if (_terminit == 0) {
+		_terminit = 1;
+		defer_terminit();
+	}
+
+	netflush();
+	set_termbuf();
+	return;
+
+}  /* end of localstat */
+#endif	/* LINEMODE */
+
+/*
+ * flowstat
+ *
+ * Check for changes to flow control
+ */
+	void
+flowstat()
+{
+	if (his_state_is_will(TELOPT_LFLOW)) {
+		if (tty_flowmode() != flowmode) {
+			flowmode = tty_flowmode();
+			output_data("%c%c%c%c%c%c",
+					IAC, SB, TELOPT_LFLOW,
+					flowmode ? LFLOW_ON : LFLOW_OFF,
+					IAC, SE);
+		}
+		if (tty_restartany() != restartany) {
+			restartany = tty_restartany();
+			output_data("%c%c%c%c%c%c",
+					IAC, SB, TELOPT_LFLOW,
+					restartany ? LFLOW_RESTART_ANY
+						   : LFLOW_RESTART_XON,
+					IAC, SE);
+		}
+	}
+}
+
+/*
+ * clientstat
+ *
+ * Process linemode related requests from the client.
+ * Client can request a change to only one of linemode, editmode or slc's
+ * at a time, and if using kludge linemode, then only linemode may be
+ * affected.
+ */
+	void
+clientstat(code, parm1, parm2)
+	register int code, parm1, parm2;
+{
+	void netflush();
+
+	/*
+	 * Get a copy of terminal characteristics.
+	 */
+	init_termbuf();
+
+	/*
+	 * Process request from client. code tells what it is.
+	 */
+	switch (code) {
+#ifdef	LINEMODE
+	case TELOPT_LINEMODE:
+		/*
+		 * Don't do anything unless client is asking us to change
+		 * modes.
+		 */
+		uselinemode = (parm1 == WILL);
+		if (uselinemode != linemode) {
+# ifdef	KLUDGELINEMODE
+			/*
+			 * If using kludge linemode, make sure that
+			 * we can do what the client asks.
+			 * We can not turn off linemode if alwayslinemode
+			 * and the ICANON bit is set.
+			 */
+			if (lmodetype == KLUDGE_LINEMODE) {
+				if (alwayslinemode && tty_isediting()) {
+					uselinemode = 1;
+				}
+			}
+
+			/*
+			 * Quit now if we can't do it.
+			 */
+			if (uselinemode == linemode)
+				return;
+
+			/*
+			 * If using real linemode and linemode is being
+			 * turned on, send along the edit mode mask.
+			 */
+			if (lmodetype == REAL_LINEMODE && uselinemode)
+# else	/* KLUDGELINEMODE */
+			if (uselinemode)
+# endif	/* KLUDGELINEMODE */
+			{
+				useeditmode = 0;
+				if (tty_isediting())
+					useeditmode |= MODE_EDIT;
+				if (tty_istrapsig)
+					useeditmode |= MODE_TRAPSIG;
+				if (tty_issofttab())
+					useeditmode |= MODE_SOFT_TAB;
+				if (tty_islitecho())
+					useeditmode |= MODE_LIT_ECHO;
+				output_data("%c%c%c%c%c%c%c", IAC,
+					SB, TELOPT_LINEMODE, LM_MODE,
+							useeditmode, IAC, SE);
+				editmode = useeditmode;
+			}
+
+
+			tty_setlinemode(uselinemode);
+
+			linemode = uselinemode;
+
+			if (!linemode)
+				send_will(TELOPT_ECHO, 1);
+		}
+		break;
+
+	case LM_MODE:
+	    {
+		register int ack, changed;
+
+		/*
+		 * Client has sent along a mode mask.  If it agrees with
+		 * what we are currently doing, ignore it; if not, it could
+		 * be viewed as a request to change.  Note that the server
+		 * will change to the modes in an ack if it is different from
+		 * what we currently have, but we will not ack the ack.
+		 */
+		 useeditmode &= MODE_MASK;
+		 ack = (useeditmode & MODE_ACK);
+		 useeditmode &= ~MODE_ACK;
+
+		 if ((changed = (useeditmode ^ editmode))) {
+			/*
+			 * This check is for a timing problem.  If the
+			 * state of the tty has changed (due to the user
+			 * application) we need to process that info
+			 * before we write in the state contained in the
+			 * ack!!!  This gets out the new MODE request,
+			 * and when the ack to that command comes back
+			 * we'll set it and be in the right mode.
+			 */
+			if (ack)
+				localstat();
+			if (changed & MODE_EDIT)
+				tty_setedit(useeditmode & MODE_EDIT);
+
+			if (changed & MODE_TRAPSIG)
+				tty_setsig(useeditmode & MODE_TRAPSIG);
+
+			if (changed & MODE_SOFT_TAB)
+				tty_setsofttab(useeditmode & MODE_SOFT_TAB);
+
+			if (changed & MODE_LIT_ECHO)
+				tty_setlitecho(useeditmode & MODE_LIT_ECHO);
+
+			set_termbuf();
+
+ 			if (!ack) {
+				output_data("%c%c%c%c%c%c%c", IAC,
+					SB, TELOPT_LINEMODE, LM_MODE,
+ 					useeditmode|MODE_ACK,
+ 					IAC, SE);
+ 			}
+
+			editmode = useeditmode;
+		}
+
+		break;
+
+	    }  /* end of case LM_MODE */
+#endif	/* LINEMODE */
+
+	case TELOPT_NAWS:
+#ifdef	TIOCSWINSZ
+	    {
+		struct winsize ws;
+
+		def_col = parm1;
+		def_row = parm2;
+#ifdef	LINEMODE
+		/*
+		 * Defer changing window size until after terminal is
+		 * initialized.
+		 */
+		if (terminit() == 0)
+			return;
+#endif	/* LINEMODE */
+
+		/*
+		 * Change window size as requested by client.
+		 */
+
+		ws.ws_col = parm1;
+		ws.ws_row = parm2;
+		(void) ioctl(pty, TIOCSWINSZ, (char *)&ws);
+	    }
+#endif	/* TIOCSWINSZ */
+
+		break;
+
+	case TELOPT_TSPEED:
+	    {
+		def_tspeed = parm1;
+		def_rspeed = parm2;
+#ifdef	LINEMODE
+		/*
+		 * Defer changing the terminal speed.
+		 */
+		if (terminit() == 0)
+			return;
+#endif	/* LINEMODE */
+		/*
+		 * Change terminal speed as requested by client.
+		 * We set the receive speed first, so that if we can't
+		 * store separate receive and transmit speeds, the transmit
+		 * speed will take precedence.
+		 */
+		tty_rspeed(parm2);
+		tty_tspeed(parm1);
+		set_termbuf();
+
+		break;
+
+	    }  /* end of case TELOPT_TSPEED */
+
+	default:
+		/* What? */
+		break;
+	}  /* end of switch */
+
+#if	defined(CRAY2) && defined(UNICOS5)
+	/*
+	 * Just in case of the likely event that we changed the pty state.
+	 */
+	rcv_ioctl();
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+
+	netflush();
+
+}  /* end of clientstat */
+
+#if	defined(CRAY2) && defined(UNICOS5)
+	void
+termstat()
+{
+	needtermstat = 1;
+}
+
+	void
+_termstat()
+{
+	needtermstat = 0;
+	init_termbuf();
+	localstat();
+	rcv_ioctl();
+}
+#endif	/* defined(CRAY2) && defined(UNICOS5) */
+
+#ifdef	LINEMODE
+/*
+ * defer_terminit
+ *
+ * Some things should not be done until after the login process has started
+ * and all the pty modes are set to what they are supposed to be.  This
+ * function is called when the pty state has been processed for the first time.
+ * It calls other functions that do things that were deferred in each module.
+ */
+	void
+defer_terminit()
+{
+
+	/*
+	 * local stuff that got deferred.
+	 */
+	if (def_tspeed != -1) {
+		clientstat(TELOPT_TSPEED, def_tspeed, def_rspeed);
+		def_tspeed = def_rspeed = 0;
+	}
+
+#ifdef	TIOCSWINSZ
+	if (def_col || def_row) {
+		struct winsize ws;
+
+		memset((char *)&ws, 0, sizeof(ws));
+		ws.ws_col = def_col;
+		ws.ws_row = def_row;
+		(void) ioctl(pty, TIOCSWINSZ, (char *)&ws);
+	}
+#endif
+
+	/*
+	 * The only other module that currently defers anything.
+	 */
+	deferslc();
+
+}  /* end of defer_terminit */
+
+/*
+ * terminit
+ *
+ * Returns true if the pty state has been processed yet.
+ */
+	int
+terminit()
+{
+	return(_terminit);
+
+}  /* end of terminit */
+#endif	/* LINEMODE */
diff --git a/crypto/telnet/telnetd/utility.c b/crypto/telnet/telnetd/utility.c
new file mode 100644
index 0000000..aa85d7a
--- /dev/null
+++ b/crypto/telnet/telnetd/utility.c
@@ -0,0 +1,1135 @@
+/*
+ * Copyright (c) 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef lint
+#if 0
+static const char sccsid[] = "@(#)utility.c	8.4 (Berkeley) 5/30/95";
+#endif
+static const char rcsid[] =
+  "$FreeBSD$";
+#endif /* not lint */
+
+#ifdef __FreeBSD__
+#include <locale.h>
+#include <sys/utsname.h>
+#endif
+#define PRINTOPTIONS
+#include "telnetd.h"
+
+#if	defined(AUTHENTICATION)
+#include <libtelnet/auth.h>
+#endif
+#if	defined(ENCRYPTION)
+#include <libtelnet/encrypt.h>
+#endif
+
+/*
+ * utility functions performing io related tasks
+ */
+
+/*
+ * ttloop
+ *
+ *	A small subroutine to flush the network output buffer, get some data
+ * from the network, and pass it through the telnet state machine.  We
+ * also flush the pty input buffer (by dropping its data) if it becomes
+ * too full.
+ */
+
+    void
+ttloop()
+{
+    void netflush();
+
+    DIAG(TD_REPORT, output_data("td: ttloop\r\n"));
+    if (nfrontp-nbackp) {
+	netflush();
+    }
+    ncc = read(net, netibuf, sizeof netibuf);
+    if (ncc < 0) {
+	syslog(LOG_INFO, "ttloop:  read: %m");
+	exit(1);
+    } else if (ncc == 0) {
+	syslog(LOG_INFO, "ttloop:  peer died: %m");
+	exit(1);
+    }
+    DIAG(TD_REPORT, output_data("td: ttloop read %d chars\r\n", ncc));
+    netip = netibuf;
+    telrcv();			/* state machine */
+    if (ncc > 0) {
+	pfrontp = pbackp = ptyobuf;
+	telrcv();
+    }
+}  /* end of ttloop */
+
+/*
+ * Check a descriptor to see if out of band data exists on it.
+ */
+    int
+stilloob(s)
+    int	s;		/* socket number */
+{
+    static struct timeval timeout = { 0 };
+    fd_set	excepts;
+    int value;
+
+    do {
+	FD_ZERO(&excepts);
+	FD_SET(s, &excepts);
+	memset((char *)&timeout, 0, sizeof timeout);
+	value = select(s+1, (fd_set *)0, (fd_set *)0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+	fatalperror(pty, "select");
+    }
+    if (FD_ISSET(s, &excepts)) {
+	return 1;
+    } else {
+	return 0;
+    }
+}
+
+	void
+ptyflush()
+{
+	int n;
+
+	if ((n = pfrontp - pbackp) > 0) {
+		DIAG(TD_REPORT | TD_PTYDATA,
+		    output_data("td: ptyflush %d chars\r\n", n));
+		DIAG(TD_PTYDATA, printdata("pd", pbackp, n));
+		n = write(pty, pbackp, n);
+	}
+	if (n < 0) {
+		if (errno == EWOULDBLOCK || errno == EINTR)
+			return;
+		cleanup(0);
+	}
+	pbackp += n;
+	if (pbackp == pfrontp)
+		pbackp = pfrontp = ptyobuf;
+}
+
+/*
+ * nextitem()
+ *
+ *	Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+    char *
+nextitem(current)
+    char	*current;
+{
+    if ((*current&0xff) != IAC) {
+	return current+1;
+    }
+    switch (*(current+1)&0xff) {
+    case DO:
+    case DONT:
+    case WILL:
+    case WONT:
+	return current+3;
+    case SB:		/* loop forever looking for the SE */
+	{
+	    register char *look = current+2;
+
+	    for (;;) {
+		if ((*look++&0xff) == IAC) {
+		    if ((*look++&0xff) == SE) {
+			return look;
+		    }
+		}
+	    }
+	}
+    default:
+	return current+2;
+    }
+}  /* end of nextitem */
+
+
+/*
+ * netclear()
+ *
+ *	We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *	Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *	A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+    void
+netclear()
+{
+    register char *thisitem, *next;
+    char *good;
+#define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
+				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+#ifdef	ENCRYPTION
+    thisitem = nclearto > netobuf ? nclearto : netobuf;
+#else	/* ENCRYPTION */
+    thisitem = netobuf;
+#endif	/* ENCRYPTION */
+
+    while ((next = nextitem(thisitem)) <= nbackp) {
+	thisitem = next;
+    }
+
+    /* Now, thisitem is first before/at boundary. */
+
+#ifdef	ENCRYPTION
+    good = nclearto > netobuf ? nclearto : netobuf;
+#else	/* ENCRYPTION */
+    good = netobuf;	/* where the good bytes go */
+#endif	/* ENCRYPTION */
+
+    while (nfrontp > thisitem) {
+	if (wewant(thisitem)) {
+	    int length;
+
+	    next = thisitem;
+	    do {
+		next = nextitem(next);
+	    } while (wewant(next) && (nfrontp > next));
+	    length = next-thisitem;
+	    memmove(good, thisitem, length);
+	    good += length;
+	    thisitem = next;
+	} else {
+	    thisitem = nextitem(thisitem);
+	}
+    }
+
+    nbackp = netobuf;
+    nfrontp = good;		/* next byte to be sent */
+    neturg = 0;
+}  /* end of netclear */
+
+/*
+ *  netflush
+ *		Send as much data as possible to the network,
+ *	handling requests for urgent data.
+ */
+    void
+netflush()
+{
+    int n;
+    extern int not42;
+
+    if ((n = nfrontp - nbackp) > 0) {
+	DIAG(TD_REPORT, {
+	    n += output_data("td: netflush %d chars\r\n", n);
+	});
+#ifdef	ENCRYPTION
+	if (encrypt_output) {
+		char *s = nclearto ? nclearto : nbackp;
+		if (nfrontp - s > 0) {
+			(*encrypt_output)((unsigned char *)s, nfrontp-s);
+			nclearto = nfrontp;
+		}
+	}
+#endif	/* ENCRYPTION */
+	/*
+	 * if no urgent data, or if the other side appears to be an
+	 * old 4.2 client (and thus unable to survive TCP urgent data),
+	 * write the entire buffer in non-OOB mode.
+	 */
+	if ((neturg == 0) || (not42 == 0)) {
+	    n = write(net, nbackp, n);	/* normal write */
+	} else {
+	    n = neturg - nbackp;
+	    /*
+	     * In 4.2 (and 4.3) systems, there is some question about
+	     * what byte in a sendOOB operation is the "OOB" data.
+	     * To make ourselves compatible, we only send ONE byte
+	     * out of band, the one WE THINK should be OOB (though
+	     * we really have more the TCP philosophy of urgent data
+	     * rather than the Unix philosophy of OOB data).
+	     */
+	    if (n > 1) {
+		n = send(net, nbackp, n-1, 0);	/* send URGENT all by itself */
+	    } else {
+		n = send(net, nbackp, n, MSG_OOB);	/* URGENT data */
+	    }
+	}
+    }
+    if (n < 0) {
+	if (errno == EWOULDBLOCK || errno == EINTR)
+		return;
+	cleanup(0);
+    }
+    nbackp += n;
+#ifdef	ENCRYPTION
+    if (nbackp > nclearto)
+	nclearto = 0;
+#endif	/* ENCRYPTION */
+    if (nbackp >= neturg) {
+	neturg = 0;
+    }
+    if (nbackp == nfrontp) {
+	nbackp = nfrontp = netobuf;
+#ifdef	ENCRYPTION
+	nclearto = 0;
+#endif	/* ENCRYPTION */
+    }
+    return;
+}  /* end of netflush */
+
+
+/*
+ * writenet
+ *
+ * Just a handy little function to write a bit of raw data to the net.
+ * It will force a transmit of the buffer if necessary
+ *
+ * arguments
+ *    ptr - A pointer to a character string to write
+ *    len - How many bytes to write
+ */
+	void
+writenet(ptr, len)
+	register unsigned char *ptr;
+	register int len;
+{
+	/* flush buffer if no room for new data) */
+	if ((&netobuf[BUFSIZ] - nfrontp) < len) {
+		/* if this fails, don't worry, buffer is a little big */
+		netflush();
+	}
+
+	memmove(nfrontp, ptr, len);
+	nfrontp += len;
+
+}  /* end of writenet */
+
+
+/*
+ * miscellaneous functions doing a variety of little jobs follow ...
+ */
+
+
+	void
+fatal(f, msg)
+	int f;
+	char *msg;
+{
+	char buf[BUFSIZ];
+
+	(void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);
+#ifdef	ENCRYPTION
+	if (encrypt_output) {
+		/*
+		 * Better turn off encryption first....
+		 * Hope it flushes...
+		 */
+		encrypt_send_end();
+		netflush();
+	}
+#endif	/* ENCRYPTION */
+	(void) write(f, buf, (int)strlen(buf));
+	sleep(1);	/*XXX*/
+	exit(1);
+}
+
+	void
+fatalperror(f, msg)
+	int f;
+	char *msg;
+{
+	char buf[BUFSIZ], *strerror();
+
+	(void) snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
+	fatal(f, buf);
+}
+
+char editedhost[32];
+
+	void
+edithost(pat, host)
+	register char *pat;
+	register char *host;
+{
+	register char *res = editedhost;
+
+	if (!pat)
+		pat = "";
+	while (*pat) {
+		switch (*pat) {
+
+		case '#':
+			if (*host)
+				host++;
+			break;
+
+		case '@':
+			if (*host)
+				*res++ = *host++;
+			break;
+
+		default:
+			*res++ = *pat;
+			break;
+		}
+		if (res == &editedhost[sizeof editedhost - 1]) {
+			*res = '\0';
+			return;
+		}
+		pat++;
+	}
+	if (*host)
+		(void) strncpy(res, host,
+				sizeof editedhost - (res - editedhost) -1);
+	else
+		*res = '\0';
+	editedhost[sizeof editedhost - 1] = '\0';
+}
+
+static char *putlocation;
+
+	void
+putstr(s)
+	register char *s;
+{
+
+	while (*s)
+		putchr(*s++);
+}
+
+	void
+putchr(cc)
+	int cc;
+{
+	*putlocation++ = cc;
+}
+
+#ifdef __FreeBSD__
+static char fmtstr[] = { "%+" };
+#else
+/*
+ * This is split on two lines so that SCCS will not see the M
+ * between two % signs and expand it...
+ */
+static char fmtstr[] = { "%l:%M\
+%P on %A, %d %B %Y" };
+#endif
+
+	void
+putf(cp, where)
+	register char *cp;
+	char *where;
+{
+	char *slash;
+	time_t t;
+	char db[100];
+#ifdef	STREAMSPTY
+	extern char *strchr();
+#else
+	extern char *strrchr();
+#endif
+#ifdef __FreeBSD__
+	static struct utsname kerninfo;
+
+	if (!*kerninfo.sysname)
+		uname(&kerninfo);
+#endif
+
+	putlocation = where;
+
+	while (*cp) {
+		if (*cp =='\n') {
+			putstr("\r\n");
+			cp++;
+			continue;
+		} else if (*cp != '%') {
+			putchr(*cp++);
+			continue;
+		}
+		switch (*++cp) {
+
+		case 't':
+#ifdef	STREAMSPTY
+			/* names are like /dev/pts/2 -- we want pts/2 */
+			slash = strchr(line+1, '/');
+#else
+			slash = strrchr(line, '/');
+#endif
+			if (slash == (char *) 0)
+				putstr(line);
+			else
+				putstr(&slash[1]);
+			break;
+
+		case 'h':
+			putstr(editedhost);
+			break;
+
+		case 'd':
+#ifdef __FreeBSD__
+			setlocale(LC_TIME, "");
+#endif
+			(void)time(&t);
+			(void)strftime(db, sizeof(db), fmtstr, localtime(&t));
+			putstr(db);
+			break;
+
+#ifdef __FreeBSD__
+		case 's':
+			putstr(kerninfo.sysname);
+			break;
+
+		case 'm':
+			putstr(kerninfo.machine);
+			break;
+
+		case 'r':
+			putstr(kerninfo.release);
+			break;
+
+		case 'v':
+			putstr(kerninfo.version);
+			break;
+#endif
+
+		case '%':
+			putchr('%');
+			break;
+		}
+		cp++;
+	}
+}
+
+#ifdef DIAGNOSTICS
+/*
+ * Print telnet options and commands in plain text, if possible.
+ */
+	void
+printoption(fmt, option)
+	register char *fmt;
+	register int option;
+{
+	if (TELOPT_OK(option))
+		output_data("%s %s\r\n", fmt, TELOPT(option));
+	else if (TELCMD_OK(option))
+		output_data("%s %s\r\n", fmt, TELCMD(option));
+	else
+		output_data("%s %d\r\n", fmt, option);
+	return;
+}
+
+    void
+printsub(direction, pointer, length)
+    char		direction;	/* '<' or '>' */
+    unsigned char	*pointer;	/* where suboption data sits */
+    int			length;		/* length of suboption data */
+{
+    register int i = 0;
+
+	if (!(diagnostic & TD_OPTIONS))
+		return;
+
+	if (direction) {
+	    output_data("td: %s suboption ",
+					direction == '<' ? "recv" : "send");
+	    if (length >= 3) {
+		register int j;
+
+		i = pointer[length-2];
+		j = pointer[length-1];
+
+		if (i != IAC || j != SE) {
+		    output_data("(terminated by ");
+		    if (TELOPT_OK(i))
+			output_data("%s ", TELOPT(i));
+		    else if (TELCMD_OK(i))
+			output_data("%s ", TELCMD(i));
+		    else
+			output_data("%d ", i);
+		    if (TELOPT_OK(j))
+			output_data("%s", TELOPT(j));
+		    else if (TELCMD_OK(j))
+			output_data("%s", TELCMD(j));
+		    else
+			output_data("%d", j);
+		    output_data(", not IAC SE!) ");
+		}
+	    }
+	    length -= 2;
+	}
+	if (length < 1) {
+	    output_data("(Empty suboption??\?)");
+	    return;
+	}
+	switch (pointer[0]) {
+	case TELOPT_TTYPE:
+	    output_data("TERMINAL-TYPE ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		output_data("IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		output_data("SEND");
+		break;
+	    default:
+		output_data(
+				"- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+	case TELOPT_TSPEED:
+	    output_data("TERMINAL-SPEED");
+	    if (length < 2) {
+		output_data(" (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		output_data(" IS %.*s", length-2, (char *)pointer+2);
+		break;
+	    default:
+		if (pointer[1] == 1)
+		    output_data(" SEND");
+		else
+		    output_data(" %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++) {
+		    output_data(" ?%d?", pointer[i]);
+		}
+		break;
+	    }
+	    break;
+
+	case TELOPT_LFLOW:
+	    output_data("TOGGLE-FLOW-CONTROL");
+	    if (length < 2) {
+		output_data(" (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case LFLOW_OFF:
+		output_data(" OFF"); break;
+	    case LFLOW_ON:
+		output_data(" ON"); break;
+	    case LFLOW_RESTART_ANY:
+		output_data(" RESTART-ANY"); break;
+	    case LFLOW_RESTART_XON:
+		output_data(" RESTART-XON"); break;
+	    default:
+		output_data(" %d (unknown)", pointer[1]);
+	    }
+	    for (i = 2; i < length; i++) {
+		output_data(" ?%d?", pointer[i]);
+	    }
+	    break;
+
+	case TELOPT_NAWS:
+	    output_data("NAWS");
+	    if (length < 2) {
+		output_data(" (empty suboption??\?)");
+		break;
+	    }
+	    if (length == 2) {
+		output_data(" ?%d?", pointer[1]);
+		break;
+	    }
+	    output_data(" %d %d (%d)",
+		pointer[1], pointer[2],
+		(int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+	    if (length == 4) {
+		output_data(" ?%d?", pointer[3]);
+		break;
+	    }
+	    output_data(" %d %d (%d)",
+		pointer[3], pointer[4],
+		(int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+	    for (i = 5; i < length; i++) {
+		output_data(" ?%d?", pointer[i]);
+	    }
+	    break;
+
+	case TELOPT_LINEMODE:
+	    output_data("LINEMODE ");
+	    if (length < 2) {
+		output_data(" (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case WILL:
+		output_data("WILL ");
+		goto common;
+	    case WONT:
+		output_data("WONT ");
+		goto common;
+	    case DO:
+		output_data("DO ");
+		goto common;
+	    case DONT:
+		output_data("DONT ");
+	    common:
+		if (length < 3) {
+		    output_data("(no option??\?)");
+		    break;
+		}
+		switch (pointer[2]) {
+		case LM_FORWARDMASK:
+		    output_data("Forward Mask");
+		    for (i = 3; i < length; i++) {
+			output_data(" %x", pointer[i]);
+		    }
+		    break;
+		default:
+		    output_data("%d (unknown)", pointer[2]);
+		    for (i = 3; i < length; i++) {
+			output_data(" %d", pointer[i]);
+		    }
+		    break;
+		}
+		break;
+
+	    case LM_SLC:
+		output_data("SLC");
+		for (i = 2; i < length - 2; i += 3) {
+		    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+			output_data(" %s", SLC_NAME(pointer[i+SLC_FUNC]));
+		    else
+			output_data(" %d", pointer[i+SLC_FUNC]);
+		    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+		    case SLC_NOSUPPORT:
+			output_data(" NOSUPPORT"); break;
+		    case SLC_CANTCHANGE:
+			output_data(" CANTCHANGE"); break;
+		    case SLC_VARIABLE:
+			output_data(" VARIABLE"); break;
+		    case SLC_DEFAULT:
+			output_data(" DEFAULT"); break;
+		    }
+		    output_data("%s%s%s",
+			pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+			pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+		    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+						SLC_FLUSHOUT| SLC_LEVELBITS)) {
+			output_data("(0x%x)", pointer[i+SLC_FLAGS]);
+		    }
+		    output_data(" %d;", pointer[i+SLC_VALUE]);
+		    if ((pointer[i+SLC_VALUE] == IAC) &&
+			(pointer[i+SLC_VALUE+1] == IAC))
+				i++;
+		}
+		for (; i < length; i++) {
+		    output_data(" ?%d?", pointer[i]);
+		}
+		break;
+
+	    case LM_MODE:
+		output_data("MODE ");
+		if (length < 3) {
+		    output_data("(no mode??\?)");
+		    break;
+		}
+		{
+		    char tbuf[32];
+		    sprintf(tbuf, "%s%s%s%s%s",
+			pointer[2]&MODE_EDIT ? "|EDIT" : "",
+			pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+			pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+			pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+			pointer[2]&MODE_ACK ? "|ACK" : "");
+		    output_data("%s", tbuf[1] ? &tbuf[1] : "0");
+		}
+		if (pointer[2]&~(MODE_EDIT|MODE_TRAPSIG|MODE_ACK)) {
+		    output_data(" (0x%x)", pointer[2]);
+		}
+		for (i = 3; i < length; i++) {
+		    output_data(" ?0x%x?", pointer[i]);
+		}
+		break;
+	    default:
+		output_data("%d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++) {
+		    output_data(" %d", pointer[i]);
+		}
+	    }
+	    break;
+
+	case TELOPT_STATUS: {
+	    register char *cp;
+	    register int j, k;
+
+	    output_data("STATUS");
+
+	    switch (pointer[1]) {
+	    default:
+		if (pointer[1] == TELQUAL_SEND)
+		    output_data(" SEND");
+		else
+		    output_data(" %d (unknown)", pointer[1]);
+		for (i = 2; i < length; i++) {
+		    output_data(" ?%d?", pointer[i]);
+		}
+		break;
+	    case TELQUAL_IS:
+		output_data(" IS\r\n");
+
+		for (i = 2; i < length; i++) {
+		    switch(pointer[i]) {
+		    case DO:	cp = "DO"; goto common2;
+		    case DONT:	cp = "DONT"; goto common2;
+		    case WILL:	cp = "WILL"; goto common2;
+		    case WONT:	cp = "WONT"; goto common2;
+		    common2:
+			i++;
+			if (TELOPT_OK(pointer[i]))
+			    output_data(" %s %s", cp, TELOPT(pointer[i]));
+			else
+			    output_data(" %s %d", cp, pointer[i]);
+
+			output_data("\r\n");
+			break;
+
+		    case SB:
+			output_data(" SB ");
+			i++;
+			j = k = i;
+			while (j < length) {
+			    if (pointer[j] == SE) {
+				if (j+1 == length)
+				    break;
+				if (pointer[j+1] == SE)
+				    j++;
+				else
+				    break;
+			    }
+			    pointer[k++] = pointer[j++];
+			}
+			printsub(0, &pointer[i], k - i);
+			if (i < length) {
+			    output_data(" SE");
+			    i = j;
+			} else
+			    i = j - 1;
+
+			output_data("\r\n");
+
+			break;
+
+		    default:
+			output_data(" %d", pointer[i]);
+			break;
+		    }
+		}
+		break;
+	    }
+	    break;
+	  }
+
+	case TELOPT_XDISPLOC:
+	    output_data("X-DISPLAY-LOCATION ");
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		output_data("IS \"%.*s\"", length-2, (char *)pointer+2);
+		break;
+	    case TELQUAL_SEND:
+		output_data("SEND");
+		break;
+	    default:
+		output_data("- unknown qualifier %d (0x%x).",
+				pointer[1], pointer[1]);
+	    }
+	    break;
+
+	case TELOPT_NEW_ENVIRON:
+	    output_data("NEW-ENVIRON ");
+	    goto env_common1;
+	case TELOPT_OLD_ENVIRON:
+	    output_data("OLD-ENVIRON");
+	env_common1:
+	    switch (pointer[1]) {
+	    case TELQUAL_IS:
+		output_data("IS ");
+		goto env_common;
+	    case TELQUAL_SEND:
+		output_data("SEND ");
+		goto env_common;
+	    case TELQUAL_INFO:
+		output_data("INFO ");
+	    env_common:
+		{
+		    register int noquote = 2;
+		    for (i = 2; i < length; i++ ) {
+			switch (pointer[i]) {
+			case NEW_ENV_VAR:
+			    output_data("\" VAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			case NEW_ENV_VALUE:
+			    output_data("\" VALUE " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_ESC:
+			    output_data("\" ESC " + noquote);
+			    noquote = 2;
+			    break;
+
+			case ENV_USERVAR:
+			    output_data("\" USERVAR " + noquote);
+			    noquote = 2;
+			    break;
+
+			default:
+			    if (isprint(pointer[i]) && pointer[i] != '"') {
+				if (noquote) {
+				    output_data("\"");
+				    noquote = 0;
+				}
+				output_data("%c", pointer[i]);
+			    } else {
+				output_data("\" %03o " + noquote,
+							pointer[i]);
+				noquote = 2;
+			    }
+			    break;
+			}
+		    }
+		    if (!noquote)
+			output_data("\"");
+		    break;
+		}
+	    }
+	    break;
+
+#if	defined(AUTHENTICATION)
+	case TELOPT_AUTHENTICATION:
+	    output_data("AUTHENTICATION");
+
+	    if (length < 2) {
+		output_data(" (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case TELQUAL_REPLY:
+	    case TELQUAL_IS:
+		output_data(" %s ", (pointer[1] == TELQUAL_IS) ?
+							"IS" : "REPLY");
+		if (AUTHTYPE_NAME_OK(pointer[2]))
+		    output_data("%s ", AUTHTYPE_NAME(pointer[2]));
+		else
+		    output_data("%d ", pointer[2]);
+		if (length < 3) {
+		    output_data("(partial suboption??\?)");
+		    break;
+		}
+		output_data("%s|%s",
+			((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+			"CLIENT" : "SERVER",
+			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+			"MUTUAL" : "ONE-WAY");
+
+    		{
+		    char buf[512];
+		    auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		    output_data("%s", buf);
+		}
+		break;
+
+	    case TELQUAL_SEND:
+		i = 2;
+		output_data(" SEND ");
+		while (i < length) {
+		    if (AUTHTYPE_NAME_OK(pointer[i]))
+			output_data("%s ", AUTHTYPE_NAME(pointer[i]));
+		    else
+			output_data("%d ", pointer[i]);
+		    if (++i >= length) {
+			output_data("(partial suboption??\?)");
+			break;
+		    }
+		    output_data("%s|%s ",
+			((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+							"CLIENT" : "SERVER",
+			((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+							"MUTUAL" : "ONE-WAY");
+		    ++i;
+		}
+		break;
+
+	    case TELQUAL_NAME:
+		output_data(" NAME \"%.*s\"", length - 2, pointer + 2);
+		break;
+
+	    default:
+		    for (i = 2; i < length; i++) {
+			output_data(" ?%d?", pointer[i]);
+		    }
+		    break;
+	    }
+	    break;
+#endif
+
+#ifdef	ENCRYPTION
+	case TELOPT_ENCRYPT:
+	    output_data("ENCRYPT");
+	    if (length < 2) {
+		output_data(" (empty suboption??\?)");
+		break;
+	    }
+	    switch (pointer[1]) {
+	    case ENCRYPT_START:
+		output_data(" START");
+		break;
+
+	    case ENCRYPT_END:
+		output_data(" END");
+		break;
+
+	    case ENCRYPT_REQSTART:
+		output_data(" REQUEST-START");
+		break;
+
+	    case ENCRYPT_REQEND:
+		output_data(" REQUEST-END");
+		break;
+
+	    case ENCRYPT_IS:
+	    case ENCRYPT_REPLY:
+		output_data(" %s ", (pointer[1] == ENCRYPT_IS) ?
+							"IS" : "REPLY");
+		if (length < 3) {
+		    output_data(" (partial suboption??\?)");
+		    break;
+		}
+		if (ENCTYPE_NAME_OK(pointer[2]))
+		    output_data("%s ", ENCTYPE_NAME(pointer[2]));
+		else
+		    output_data(" %d (unknown)", pointer[2]);
+
+		{
+		    char buf[512];
+		    encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+		    output_data("%s", buf);
+		}
+		break;
+
+	    case ENCRYPT_SUPPORT:
+		i = 2;
+		output_data(" SUPPORT ");
+		while (i < length) {
+		    if (ENCTYPE_NAME_OK(pointer[i]))
+			output_data("%s ", ENCTYPE_NAME(pointer[i]));
+		    else
+			output_data("%d ", pointer[i]);
+		    i++;
+		}
+		break;
+
+	    case ENCRYPT_ENC_KEYID:
+		output_data(" ENC_KEYID");
+		goto encommon;
+
+	    case ENCRYPT_DEC_KEYID:
+		output_data(" DEC_KEYID");
+		goto encommon;
+
+	    default:
+		output_data(" %d (unknown)", pointer[1]);
+	    encommon:
+		for (i = 2; i < length; i++) {
+		    output_data(" %d", pointer[i]);
+		}
+		break;
+	    }
+	    break;
+#endif	/* ENCRYPTION */
+
+	default:
+	    if (TELOPT_OK(pointer[0]))
+		output_data("%s (unknown)", TELOPT(pointer[0]));
+	    else
+		output_data("%d (unknown)", pointer[i]);
+	    for (i = 1; i < length; i++) {
+		output_data(" %d", pointer[i]);
+	    }
+	    break;
+	}
+	output_data("\r\n");
+}
+
+/*
+ * Dump a data buffer in hex and ascii to the output data stream.
+ */
+	void
+printdata(tag, ptr, cnt)
+	register char *tag;
+	register char *ptr;
+	register int cnt;
+{
+	register int i;
+	char xbuf[30];
+
+	while (cnt) {
+		/* flush net output buffer if no room for new data) */
+		if ((&netobuf[BUFSIZ] - nfrontp) < 80) {
+			netflush();
+		}
+
+		/* add a line of output */
+		output_data("%s: ", tag);
+		for (i = 0; i < 20 && cnt; i++) {
+			output_data("%02x", *ptr);
+			if (isprint(*ptr)) {
+				xbuf[i] = *ptr;
+			} else {
+				xbuf[i] = '.';
+			}
+			if (i % 2) {
+				output_data(" ");
+			}
+			cnt--;
+			ptr++;
+		}
+		xbuf[i] = '\0';
+		output_data(" %s\r\n", xbuf );
+	}
+}
+#endif /* DIAGNOSTICS */